      1 /*	$NetBSD: isakmp_xauth.c,v 1.35 2025/03/07 15:55:29 christos Exp $	*/
      2 
      3 /* Id: isakmp_xauth.c,v 1.38 2006/08/22 18:17:17 manubsd Exp */
      4 
      5 /*
      6  * Copyright (C) 2004-2005 Emmanuel Dreyfus
      7  * All rights reserved.
      8  *
      9  * Redistribution and use in source and binary forms, with or without
     10  * modification, are permitted provided that the following conditions
     11  * are met:
     12  * 1. Redistributions of source code must retain the above copyright
     13  *    notice, this list of conditions and the following disclaimer.
     14  * 2. Redistributions in binary form must reproduce the above copyright
     15  *    notice, this list of conditions and the following disclaimer in the
     16  *    documentation and/or other materials provided with the distribution.
     17  * 3. Neither the name of the project nor the names of its contributors
     18  *    may be used to endorse or promote products derived from this software
     19  *    without specific prior written permission.
     20  *
     21  * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
     22  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
     23  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
     24  * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
     25  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
     26  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
     27  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
     28  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
     29  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
     30  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
     31  * SUCH DAMAGE.
     32  */
     33 
     34 #include "config.h"
     35 
     36 #include <sys/types.h>
     37 #include <sys/param.h>
     38 #include <sys/socket.h>
     39 #include <sys/queue.h>
     40 
     41 #include <netinet/in.h>
     42 
     43 #include <assert.h>
     44 #include <stdlib.h>
     45 #include <stdio.h>
     46 #include <string.h>
     47 #include <errno.h>
     48 #include <pwd.h>
     49 #include <grp.h>
     50 #if TIME_WITH_SYS_TIME
     51 # include <sys/time.h>
     52 # include <time.h>
     53 #else
     54 # if HAVE_SYS_TIME_H
     55 #  include <sys/time.h>
     56 # else
     57 #  include <time.h>
     58 # endif
     59 #endif
     60 #include <netdb.h>
     61 #ifdef HAVE_UNISTD_H
     62 #include <unistd.h>
     63 #endif
     64 #include <ctype.h>
     65 #include <resolv.h>
     66 
     67 #ifdef HAVE_SHADOW_H
     68 #include <shadow.h>
     69 #endif
     70 
     71 #include "var.h"
     72 #include "misc.h"
     73 #include "vmbuf.h"
     74 #include "plog.h"
     75 #include "sockmisc.h"
     76 #include "schedule.h"
     77 #include "debug.h"
     78 
     79 #include "crypto_openssl.h"
     80 #include "isakmp_var.h"
     81 #include "isakmp.h"
     82 #include "admin.h"
     83 #include "privsep.h"
     84 #include "evt.h"
     85 #include "handler.h"
     86 #include "throttle.h"
     87 #include "remoteconf.h"
     88 #include "isakmp_inf.h"
     89 #include "isakmp_xauth.h"
     90 #include "isakmp_unity.h"
     91 #include "isakmp_cfg.h"
     92 #include "strnames.h"
     93 #include "ipsec_doi.h"
     94 #include "remoteconf.h"
     95 #include "localconf.h"
     96 
     97 #ifdef HAVE_LIBRADIUS
     98 #include <radlib.h>
     99 static struct rad_handle *radius_auth_state = NULL;
    100 struct rad_handle *radius_acct_state = NULL;
    101 struct xauth_rad_config xauth_rad_config;
    102 #endif
    103 
    104 #ifdef HAVE_LIBPAM
    105 #include <security/pam_appl.h>
    106 
    107 static char *PAM_usr = NULL;
    108 static char *PAM_pwd = NULL;
    109 static int PAM_conv(int, const struct pam_message **,
    110     struct pam_response **, void *);
    111 static struct pam_conv PAM_chat = { &PAM_conv, NULL };
    112 #endif
    113 
    114 #ifdef HAVE_LIBLDAP
    115 #include "ldap.h"
    116 #include <arpa/inet.h>
    117 struct xauth_ldap_config xauth_ldap_config;
    118 #endif
    119 
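/*
 * Send the initial Xauth request to the peer: an ISAKMP_CFG_REQUEST
 * carrying XAUTH_TYPE (generic) plus empty XAUTH_USER_NAME and
 * XAUTH_USER_PASSWORD attributes, asking the client to fill them in.
 *
 * Preconditions (checked here): phase 1 must be established and the
 * Xauth state machine must be in XAUTHST_NOTYET.  On success the state
 * advances to XAUTHST_REQSENT; on any failure nothing is sent and the
 * state is left untouched.  The return value of isakmp_cfg_send() is
 * not examined, as before.
 */
void
xauth_sendreq(struct ph1handle *iph1)
{
	vchar_t *buffer;
	struct isakmp_pl_attr *attr;
	struct isakmp_data *data;
	struct xauth_state *xst = &iph1->mode_cfg->xauth;
	size_t tlen;
	size_t i;
	/* { attribute type | encoding, value-or-length } in wire order */
	static const int req[][2] = {
		{ XAUTH_TYPE | ISAKMP_GEN_TV, XAUTH_TYPE_GENERIC },
		{ XAUTH_USER_NAME | ISAKMP_GEN_TLV, 0 },
		{ XAUTH_USER_PASSWORD | ISAKMP_GEN_TLV, 0 },
	};

	if (iph1->status < PHASE1ST_ESTABLISHED) {
		plog(LLV_ERROR, LOCATION, NULL,
		    "Xauth request while phase 1 is not completed\n");
		return;
	}

	if (xst->status != XAUTHST_NOTYET) {
		plog(LLV_ERROR, LOCATION, NULL,
		    "Xauth request with Xauth state %d\n", xst->status);
		return;
	}

	plog(LLV_INFO, LOCATION, NULL, "Sending Xauth request\n");

	/* Attribute payload header followed by one fixed-size entry each. */
	tlen = sizeof(*attr) + (sizeof(req) / sizeof(req[0])) * sizeof(*data);

	if ((buffer = vmalloc(tlen)) == NULL) {
		plog(LLV_ERROR, LOCATION, NULL, "Cannot allocate buffer\n");
		return;
	}

	attr = (struct isakmp_pl_attr *)buffer->v;
	memset(attr, 0, tlen);

	attr->h.len = htons(tlen);
	attr->type = ISAKMP_CFG_REQUEST;
	/* Transaction id the peer echoes back; htons() keeps the low 16 bits. */
	attr->id = htons(eay_random());

	data = (struct isakmp_data *)(attr + 1);
	for (i = 0; i < sizeof(req) / sizeof(req[0]); i++, data++) {
		data->type = htons(req[i][0]);
		data->lorv = htons(req[i][1]);
	}

	isakmp_cfg_send(iph1, buffer,
	    ISAKMP_NPTYPE_ATTR, ISAKMP_FLAG_E, 1);

	vfree(buffer);

	xst->status = XAUTHST_REQSENT;
}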
    184 
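/*
 * Consume one attribute of the peer's ISAKMP_CFG_REPLY to our Xauth
 * request.  XAUTH_TYPE is validated, XAUTH_USER_NAME / XAUTH_USER_PASSWORD
 * are copied into the phase 1 Xauth state, anything else is ignored.
 * Once both name and password have arrived the configured backend
 * (system, RADIUS, PAM or LDAP) is consulted, the optional group check
 * runs, and the verdict is delivered with xauth_reply() -- either now,
 * or after the delay imposed by throttle_host() for the remote address.
 *
 * iph1  phase 1 handle; mode_cfg must carry the Xauth vendor id flag
 * attr  the attribute, in wire byte order, pointing into the payload
 * id    transaction id of the reply, echoed in our status message
 *
 * Returns 0 if the attribute was accepted (or ignored) and no verdict
 * was delivered yet, otherwise the result of xauth_reply().  A negative
 * return may mean the phase 1 handle has been deleted: callers must not
 * touch iph1 after a failure.
 *
 * NOTE(review): this function has no view of the enclosing payload
 * length.  For TLV attributes it trusts the peer-supplied length in lorv
 * and relies on the isakmp_cfg reply parser having bounds-checked the
 * attribute against the payload before calling here -- confirm.
 */
int
xauth_attr_reply(struct ph1handle *iph1, struct isakmp_data *attr, int id)
{
	char **outlet = NULL;
	size_t alen;
	int type;
	int port;
	int res;
	char *usr;
	char *pwd;
	time_t throttle_delay;
	struct xauth_reply_arg *xra;
	struct xauth_state *xst = &iph1->mode_cfg->xauth;

	if ((iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_XAUTH) == 0) {
		plog(LLV_ERROR, LOCATION, NULL,
		    "Xauth reply but peer did not declare "
		    "itself as Xauth capable\n");
		return -1;
	}

	if (xst->status != XAUTHST_REQSENT) {
		plog(LLV_ERROR, LOCATION, NULL,
		    "Xauth reply while Xauth state is %d\n", xst->status);
		return -1;
	}

	type = ntohs(attr->type) & ~ISAKMP_GEN_MASK;
	switch (type) {
	case XAUTH_TYPE:
		switch (ntohs(attr->lorv)) {
		case XAUTH_TYPE_GENERIC:
			xst->authtype = XAUTH_TYPE_GENERIC;
			break;
		default:
			/* TV attribute: lorv is the offending value itself. */
			plog(LLV_WARNING, LOCATION, NULL,
			    "Unexpected authentication type %d\n",
			    ntohs(attr->lorv));
			return -1;
		}
		break;

	case XAUTH_USER_NAME:
		outlet = &xst->authdata.generic.usr;
		break;

	case XAUTH_USER_PASSWORD:
		outlet = &xst->authdata.generic.pwd;
		break;

	default:
		plog(LLV_WARNING, LOCATION, NULL,
		    "ignored Xauth attribute %d\n", type);
		break;
	}

	if (outlet != NULL) {
		/*
		 * Name and password are variable-length (TLV) attributes.
		 * In the TV encoding lorv is a value rather than a length
		 * and no data bytes follow the header, so refuse rather
		 * than copy lorv bytes from past the attribute.
		 */
		if ((ntohs(attr->type) & ISAKMP_GEN_MASK) != ISAKMP_GEN_TLV) {
			plog(LLV_ERROR, LOCATION, NULL,
			    "Xauth attribute %d is not TLV encoded\n", type);
			return -1;
		}
		alen = ntohs(attr->lorv);

		/*
		 * A repeated attribute replaces the earlier copy; release
		 * that one instead of leaking it.
		 */
		if (*outlet != NULL) {
			racoon_free(*outlet);
			*outlet = NULL;
		}

		if ((*outlet = racoon_malloc(alen + 1)) == NULL) {
			plog(LLV_ERROR, LOCATION, NULL,
			    "Cannot allocate memory for Xauth Data\n");
			return -1;
		}

		memcpy(*outlet, attr + 1, alen);
		(*outlet)[alen] = '\0';
	}

	/* Nothing to verify until both halves of the credential are here. */
	usr = xst->authdata.generic.usr;
	pwd = xst->authdata.generic.pwd;
	if (usr == NULL || pwd == NULL)
		return 0;

	/*
	 * Never log pwd, not even at debug level.  NOTE(review): the
	 * cleartext password stays in xst->authdata.generic.pwd after the
	 * backend has seen it and is not wiped here; its release belongs to
	 * the mode_cfg state teardown -- confirm it is cleared before free.
	 */
	strncpy(iph1->mode_cfg->login, usr, LOGINLEN);
	iph1->mode_cfg->login[LOGINLEN] = '\0';

	res = -1;
	if ((port = isakmp_cfg_getport(iph1)) == -1) {
		/* No port slot, no backend call: the login fails right away. */
		plog(LLV_ERROR, LOCATION, NULL,
		    "Port pool depleted\n");
		return xauth_reply(iph1, port, id, res);
	}

	switch (isakmp_cfg_config.authsource) {
	case ISAKMP_CFG_AUTH_SYSTEM:
		res = privsep_xauth_login_system(usr, pwd);
		break;
#ifdef HAVE_LIBRADIUS
	case ISAKMP_CFG_AUTH_RADIUS:
		res = xauth_login_radius(iph1, usr, pwd);
		break;
#endif
#ifdef HAVE_LIBPAM
	case ISAKMP_CFG_AUTH_PAM:
		res = privsep_xauth_login_pam(iph1->mode_cfg->port,
		    iph1->remote, usr, pwd);
		break;
#endif
#ifdef HAVE_LIBLDAP
	case ISAKMP_CFG_AUTH_LDAP:
		res = xauth_login_ldap(iph1, usr, pwd);
		break;
#endif
	default:
		plog(LLV_ERROR, LOCATION, NULL,
		    "Unexpected authentication source\n");
		res = -1;
		break;
	}

	/* Optional group membership check, only for an authenticated user. */
	if (res == 0 && isakmp_cfg_config.groupcount)
		res = group_check(iph1,
		    isakmp_cfg_config.grouplist,
		    isakmp_cfg_config.groupcount);

	/*
	 * Record the outcome for the remote address.  When throttle_host()
	 * answers with a delay, the reply is held back for that long and
	 * the attempt is failed regardless of what the backend said, so
	 * password guessing cannot run at line rate.
	 */
	throttle_delay = throttle_host(iph1->remote, res);
	if (throttle_delay <= 0)
		return xauth_reply(iph1, port, id, res);

	plog(LLV_ERROR, LOCATION, NULL,
	    "Throttling in action for %s: delay %lus\n",
	    saddrwop2str(iph1->remote), (unsigned long)throttle_delay);
	res = -1;

	if ((xra = racoon_calloc(1, sizeof(*xra))) == NULL) {
		plog(LLV_ERROR, LOCATION, NULL,
		    "malloc failed, bypass throttling\n");
		return xauth_reply(iph1, port, id, res);
	}

	/*
	 * The phase 1 handle may be gone by the time the timer fires, so
	 * the stub looks it up by index instead of keeping a pointer.
	 */
	xra->index = iph1->index;
	xra->port = port;
	xra->id = id;
	xra->res = res;
	sched_schedule(&xra->sc, throttle_delay, xauth_reply_stub);

	return 0;
}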
    353 
/*
 * Timer callback for a throttled Xauth verdict.  Looks the phase 1 handle
 * up again by the index saved in the xauth_reply_arg (the handle may have
 * been deleted while the delay ran) and hands the stored result to
 * xauth_reply().  The argument block is released here in every case.
 */
void
xauth_reply_stub(struct sched *sc)
{
	struct xauth_reply_arg *arg;
	struct ph1handle *ph1;

	arg = container_of(sc, struct xauth_reply_arg, sc);
	ph1 = getph1byindex(&arg->index);

	if (ph1 == NULL) {
		plog(LLV_ERROR, LOCATION, NULL,
		    "Delayed Xauth reply: phase 1 no longer exists.\n");
	} else {
		/* Nothing a timer could do with the return value. */
		(void)xauth_reply(ph1, arg->port, arg->id, arg->res);
	}

	racoon_free(arg);
}
    368 
/*
 * Deliver the Xauth verdict to the peer.
 *
 * res == 0: mark the state XAUTHST_OK, send XAUTH_STATUS_OK, return 0.
 * res != 0: give the port-pool slot back (when one was taken), send
 *           XAUTH_STATUS_FAIL, reset the state to XAUTHST_NOTYET, then
 *           tear the phase 1 SA down (delete notification if it was
 *           established, remph1 and delph1) and return -1.  iph1 is freed
 *           on this path and must not be used by the caller afterwards.
 *
 * port  port-pool slot obtained for this login, or -1 for none
 * id    transaction id to echo in the status message
 */
int
xauth_reply(struct ph1handle *iph1, int port, int id, int res)
{
	struct xauth_state *xst = &iph1->mode_cfg->xauth;
	const char *usr = xst->authdata.generic.usr;

	if (res == 0) {
		xst->status = XAUTHST_OK;
		plog(LLV_INFO, LOCATION, NULL,
		    "login succeeded for user \"%s\"\n", usr);
		xauth_sendstatus(iph1, XAUTH_STATUS_OK, id);
		return 0;
	}

	if (port != -1)
		isakmp_cfg_putport(iph1, port);

	plog(LLV_INFO, LOCATION, NULL,
	    "login failed for user \"%s\"\n", usr);

	/* The failure status is sent before the SA is torn down below. */
	xauth_sendstatus(iph1, XAUTH_STATUS_FAIL, id);
	xst->status = XAUTHST_NOTYET;

	if (iph1->status >= PHASE1ST_ESTABLISHED)
		isakmp_info_send_d1(iph1);
	remph1(iph1);
	delph1(iph1);	/* xst and usr dangle from here on */

	return -1;
}
    402 
/*
 * Send an ISAKMP_CFG_SET carrying a single XAUTH_STATUS (TV) attribute
 * with the given status value, under the transaction id the peer used in
 * its reply.  A payload allocation failure is logged and the message is
 * simply not sent; nothing is reported back to the caller.
 */
void
xauth_sendstatus(struct ph1handle *iph1, int status, int id)
{
	vchar_t *payload;
	struct isakmp_pl_attr *hdr;
	struct isakmp_data *st;
	const size_t len = sizeof(*hdr) + sizeof(*st);

	payload = vmalloc(len);
	if (payload == NULL) {
		plog(LLV_ERROR, LOCATION, NULL, "Cannot allocate buffer\n");
		return;
	}

	hdr = (struct isakmp_pl_attr *)payload->v;
	memset(hdr, 0, len);
	hdr->h.len = htons(len);
	hdr->type = ISAKMP_CFG_SET;
	hdr->id = htons(id);

	st = (struct isakmp_data *)(hdr + 1);
	st->type = htons(XAUTH_STATUS | ISAKMP_GEN_TV);
	st->lorv = htons(status);

	isakmp_cfg_send(iph1, payload,
	    ISAKMP_NPTYPE_ATTR, ISAKMP_FLAG_E, 1);

	vfree(payload);
}
    437 
    438 #ifdef HAVE_LIBRADIUS
/*
 * Reset the RADIUS configuration to all zeroes.  With `free' set, first
 * release what the previous configuration owned: the host and secret
 * strings of every auth and acct server entry, and any open libradius
 * handles.  (The parameter shadows free(3) inside this function; nothing
 * here calls it.)  Always returns 0.
 */
int
xauth_radius_init_conf(int free)
{
	int i;

	if (!free)
		goto reset;

	for (i = 0; i < xauth_rad_config.auth_server_count; i++) {
		vfree(xauth_rad_config.auth_server_list[i].host);
		vfree(xauth_rad_config.auth_server_list[i].secret);
	}
	for (i = 0; i < xauth_rad_config.acct_server_count; i++) {
		vfree(xauth_rad_config.acct_server_list[i].host);
		vfree(xauth_rad_config.acct_server_list[i].secret);
	}

	if (radius_auth_state != NULL) {
		rad_close(radius_auth_state);
		radius_auth_state = NULL;
	}
	if (radius_acct_state != NULL) {
		rad_close(radius_acct_state);
		radius_acct_state = NULL;
	}

reset:
	memset(&xauth_rad_config, 0, sizeof(xauth_rad_config));
	return 0;
}
    467 
/*
 * Open the libradius handles on first use, according to the active
 * isakmp_cfg configuration.
 *
 * Authentication (authsource == ISAKMP_CFG_AUTH_RADIUS) and accounting
 * (accounting == ISAKMP_CFG_ACCT_RADIUS) each get their own handle,
 * created only when not already open.  Every server listed in
 * xauth_rad_config is added with its port, shared secret and the common
 * timeout/retries; an entry that cannot be added is logged and skipped.
 * When no server at all was added, libradius' own config file
 * (rad_config() with a NULL path) is used instead; if that fails too the
 * handle is closed again and -1 is returned.
 *
 * Returns 0 on success, -1 on failure.  A handle opened before a later
 * step fails stays open for the next call to reuse.
 */
int
xauth_radius_init(void)
{
	int i;
	int added;

	if (isakmp_cfg_config.authsource == ISAKMP_CFG_AUTH_RADIUS &&
	    radius_auth_state == NULL) {
		if ((radius_auth_state = rad_auth_open()) == NULL) {
			plog(LLV_ERROR, LOCATION, NULL,
			    "Cannot init libradius\n");
			return -1;
		}

		added = 0;
		for (i = 0; i < xauth_rad_config.auth_server_count; i++) {
			if (rad_add_server(radius_auth_state,
			    xauth_rad_config.auth_server_list[i].host->v,
			    xauth_rad_config.auth_server_list[i].port,
			    xauth_rad_config.auth_server_list[i].secret->v,
			    xauth_rad_config.timeout,
			    xauth_rad_config.retries) != 0) {
				plog(LLV_WARNING, LOCATION, NULL,
				    "could not add radius auth server %s\n",
				    xauth_rad_config.auth_server_list[i].host->v);
				continue;
			}
			added++;
		}

		if (added == 0 &&
		    rad_config(radius_auth_state, NULL) != 0) {
			plog(LLV_ERROR, LOCATION, NULL,
			    "Cannot open libradius config file: %s\n",
			    rad_strerror(radius_auth_state));
			rad_close(radius_auth_state);
			radius_auth_state = NULL;
			return -1;
		}
	}

	if (isakmp_cfg_config.accounting == ISAKMP_CFG_ACCT_RADIUS &&
	    radius_acct_state == NULL) {
		if ((radius_acct_state = rad_acct_open()) == NULL) {
			plog(LLV_ERROR, LOCATION, NULL,
			    "Cannot init libradius\n");
			return -1;
		}

		added = 0;
		for (i = 0; i < xauth_rad_config.acct_server_count; i++) {
			if (rad_add_server(radius_acct_state,
			    xauth_rad_config.acct_server_list[i].host->v,
			    xauth_rad_config.acct_server_list[i].port,
			    xauth_rad_config.acct_server_list[i].secret->v,
			    xauth_rad_config.timeout,
			    xauth_rad_config.retries) != 0) {
				plog(LLV_WARNING, LOCATION, NULL,
				    "could not add radius account server %s\n",
				    xauth_rad_config.acct_server_list[i].host->v);
				continue;
			}
			added++;
		}

		if (added == 0 &&
		    rad_config(radius_acct_state, NULL) != 0) {
			plog(LLV_ERROR, LOCATION, NULL,
			    "Cannot open libradius config file: %s\n",
			    rad_strerror(radius_acct_state));
			rad_close(radius_acct_state);
			radius_acct_state = NULL;
			return -1;
		}
	}

	return 0;
}
    554 
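/*
 * Authenticate usr/pwd against the RADIUS server(s) behind
 * radius_auth_state with a single Access-Request.
 *
 * The request carries User-Name, User-Password, Calling-Station-Id (the
 * peer address as text) and whatever isakmp_cfg_radius_common() adds for
 * the mode-cfg port.  NOTE(review): the password is handed to libradius
 * in the clear; the RADIUS User-Password hiding with the shared secret is
 * assumed to happen inside libradius, not here -- confirm.
 *
 * Returns 0 on Access-Accept, -1 otherwise: Access-Reject, a transport or
 * library error, and every other response code (Access-Challenge is not
 * supported) all count as failure.  On Access-Accept, Framed-IP-Address
 * and Framed-IP-Netmask attributes of the right size are copied into
 * iph1->mode_cfg and flagged as externally assigned; a malformed
 * attribute list is logged but does not turn the accept into a reject.
 */
int
xauth_login_radius(struct ph1handle *iph1, char *usr, char *pwd)
{
	int res;
	const void *data;
	size_t len;
	int type;

	if (rad_create_request(radius_auth_state, RAD_ACCESS_REQUEST) != 0) {
		plog(LLV_ERROR, LOCATION, NULL,
		    "rad_create_request failed: %s\n",
		    rad_strerror(radius_auth_state));
		return -1;
	}

	if (rad_put_string(radius_auth_state, RAD_USER_NAME, usr) != 0) {
		plog(LLV_ERROR, LOCATION, NULL,
		    "rad_put_string failed: %s\n",
		    rad_strerror(radius_auth_state));
		return -1;
	}

	if (rad_put_string(radius_auth_state, RAD_USER_PASSWORD, pwd) != 0) {
		plog(LLV_ERROR, LOCATION, NULL,
		    "rad_put_string failed: %s\n",
		    rad_strerror(radius_auth_state));
		return -1;
	}

	if (rad_put_string(radius_auth_state, RAD_CALLING_STATION_ID,
	    saddr2str(iph1->remote)) != 0) {
		plog(LLV_ERROR, LOCATION, NULL,
		    "rad_put_string failed: %s\n",
		    rad_strerror(radius_auth_state));
		return -1;
	}

	if (isakmp_cfg_radius_common(radius_auth_state,
	    iph1->mode_cfg->port) != 0) {
		plog(LLV_ERROR, LOCATION, NULL,
		    "cannot add common RADIUS attributes\n");
		return -1;
	}

	res = rad_send_request(radius_auth_state);
	switch (res) {
	case RAD_ACCESS_ACCEPT:
		/*
		 * rad_get_attr() returns the attribute type, 0 at the end
		 * of the list and -1 on a malformed attribute.  Stop on
		 * both so a bad attribute cannot keep this loop spinning.
		 */
		while ((type = rad_get_attr(radius_auth_state,
		    &data, &len)) > 0) {
			switch (type) {
			case RAD_FRAMED_IP_ADDRESS:
				/* rad_cvt_addr() reads an IPv4 address worth of bytes. */
				if (len != sizeof(struct in_addr)) {
					plog(LLV_WARNING, LOCATION, NULL,
					    "Framed-IP-Address of length %lu ignored\n",
					    (unsigned long)len);
					break;
				}
				iph1->mode_cfg->addr4 = rad_cvt_addr(data);
				iph1->mode_cfg->flags
				    |= ISAKMP_CFG_ADDR4_EXTERN;
				break;

			case RAD_FRAMED_IP_NETMASK:
				if (len != sizeof(struct in_addr)) {
					plog(LLV_WARNING, LOCATION, NULL,
					    "Framed-IP-Netmask of length %lu ignored\n",
					    (unsigned long)len);
					break;
				}
				iph1->mode_cfg->mask4 = rad_cvt_addr(data);
				iph1->mode_cfg->flags
				    |= ISAKMP_CFG_MASK4_EXTERN;
				break;

			default:
				plog(LLV_INFO, LOCATION, NULL,
				    "Unexpected attribute: %d\n", type);
				break;
			}
		}

		if (type < 0)
			plog(LLV_WARNING, LOCATION, NULL,
			    "rad_get_attr failed: %s\n",
			    rad_strerror(radius_auth_state));

		return 0;

	case RAD_ACCESS_REJECT:
		return -1;

	case -1:
		plog(LLV_ERROR, LOCATION, NULL,
		    "rad_send_request failed: %s\n",
		    rad_strerror(radius_auth_state));
		return -1;

	default:
		plog(LLV_ERROR, LOCATION, NULL,
		    "rad_send_request returned %d\n", res);
		return -1;
	}
}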
    631 #endif
    632 
    633 #ifdef HAVE_LIBPAM
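/*
 * Free a PAM response string after overwriting it, so a copy of the
 * password does not linger on the heap.  The volatile stores keep the
 * compiler from dropping the wipe as a dead write before free().
 * Accepts NULL.
 */
static void
PAM_wipe_free(char *s)
{
	volatile char *p = s;

	if (s == NULL)
		return;
	while (*p != '\0')
		*p++ = '\0';
	free(s);
}

/*
 * PAM conversation callback used by xauth_login_pam().  Answers every
 * prompt from the credentials staged in PAM_usr / PAM_pwd: an echo-on
 * prompt gets the user name, an echo-off prompt gets the password, and
 * informational or error messages get an empty (NULL) response.  Any
 * other message style is rejected.
 *
 * On success *rsp receives an array of msg_count responses, each
 * strdup()'ed so libpam can free() them.  On any failure nothing is
 * stored in *rsp, the partially built array is wiped and released, and
 * PAM_CONV_ERR is returned -- an allocation failure here must not take
 * the daemon down.  PAM_usr / PAM_pwd are file-scope, so this is not
 * reentrant; it only works while xauth_login_pam() is inside
 * pam_authenticate() and refuses to answer otherwise.
 */
/*ARGSUSED*/
static int
PAM_conv(int msg_count, const struct pam_message **msg,
    struct pam_response **rsp, void *dontcare __unused)
{
	int i;
	struct pam_response *reply;

	/* Called outside xauth_login_pam(): nothing to answer with. */
	if (PAM_usr == NULL || PAM_pwd == NULL || msg_count <= 0)
		return PAM_CONV_ERR;

	if ((reply = racoon_calloc(msg_count, sizeof(*reply))) == NULL)
		return PAM_CONV_ERR;

	for (i = 0; i < msg_count; i++) {
		const char *answer;

		switch (msg[i]->msg_style) {
		case PAM_PROMPT_ECHO_ON:
			answer = PAM_usr;
			break;

		case PAM_PROMPT_ECHO_OFF:
			answer = PAM_pwd;
			break;

		case PAM_TEXT_INFO:
		case PAM_ERROR_MSG:
			answer = NULL;
			break;

		default:
			goto fail;
		}

		reply[i].resp_retcode = PAM_SUCCESS;
		if (answer != NULL &&
		    (reply[i].resp = strdup(answer)) == NULL) {
			plog(LLV_ERROR, LOCATION,
			    NULL, "strdup failed\n");
			goto fail;
		}
	}

	*rsp = reply;
	return PAM_SUCCESS;

fail:
	/* Entries past the failure point are still NULL from calloc. */
	for (i = 0; i < msg_count; i++)
		PAM_wipe_free(reply[i].resp);
	racoon_free(reply);
	return PAM_CONV_ERR;
}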
    686 
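/*
 * Authenticate usr/pwd through PAM (service "racoon") for the client at
 * raddr, which holds mode-cfg port-pool slot `port'.
 *
 * The PAM handle is kept in isakmp_cfg_config.port_pool[port].pam for the
 * life of the login; a successful login is not pam_end()'ed here.
 * Authentication goes through PAM_conv(), fed by the file-scope PAM_usr /
 * PAM_pwd, which are staged only for the duration of pam_authenticate().
 * Account management and pam_setcred() must succeed as well.
 *
 * Returns 0 when every step succeeded.  On any failure the handle is
 * closed with pam_end() (carrying the failing status), the slot's handle
 * is reset to NULL and -1 is returned.
 *
 * NOTE(review): port indexes port_pool without a range check here; it is
 * expected to come from isakmp_cfg_getport() through the privsep request
 * and to be validated on that path -- confirm.
 */
int
xauth_login_pam(int port, struct sockaddr *raddr, char *usr, char *pwd)
{
	int error;
	char *remote = NULL;
	pam_handle_t *pam = NULL;

	if (isakmp_cfg_config.port_pool == NULL) {
		plog(LLV_ERROR, LOCATION, NULL,
		    "isakmp_cfg_config.port_pool == NULL\n");
		return -1;
	}

	error = pam_start("racoon", usr,
	    &PAM_chat, &isakmp_cfg_config.port_pool[port].pam);
	/*
	 * Take the handle even when pam_start() failed: if one was created
	 * it has to go through pam_end() below instead of being leaked.
	 */
	pam = isakmp_cfg_config.port_pool[port].pam;
	if (error != 0) {
		if (pam == NULL) {
			plog(LLV_ERROR, LOCATION, NULL, "pam_start failed\n");
			return -1;
		}
		plog(LLV_ERROR, LOCATION, NULL,
		    "pam_start failed: %s\n",
		    pam_strerror(pam, error));
		goto out;
	}

	if ((remote = strdup(saddrwop2str(raddr))) == NULL) {
		plog(LLV_ERROR, LOCATION, NULL,
		    "cannot allocate memory: %s\n", strerror(errno));
		error = PAM_BUF_ERR;	/* status handed to pam_end() */
		goto out;
	}

	if ((error = pam_set_item(pam, PAM_RHOST, remote)) != 0) {
		plog(LLV_ERROR, LOCATION, NULL,
		    "pam_set_item failed: %s\n",
		    pam_strerror(pam, error));
		goto out;
	}

	if ((error = pam_set_item(pam, PAM_RUSER, usr)) != 0) {
		plog(LLV_ERROR, LOCATION, NULL,
		    "pam_set_item failed: %s\n",
		    pam_strerror(pam, error));
		goto out;
	}

	/* Stage the credentials for PAM_conv() only while PAM may prompt. */
	PAM_usr = usr;
	PAM_pwd = pwd;
	error = pam_authenticate(pam, 0);
	PAM_usr = NULL;
	PAM_pwd = NULL;
	if (error != 0) {
		plog(LLV_ERROR, LOCATION, NULL,
		    "pam_authenticate failed: %s\n",
		    pam_strerror(pam, error));
		goto out;
	}

	if ((error = pam_acct_mgmt(pam, 0)) != 0) {
		plog(LLV_ERROR, LOCATION, NULL,
		    "pam_acct_mgmt failed: %s\n",
		    pam_strerror(pam, error));
		goto out;
	}

	if ((error = pam_setcred(pam, 0)) != 0) {
		plog(LLV_ERROR, LOCATION, NULL,
		    "pam_setcred failed: %s\n",
		    pam_strerror(pam, error));
		goto out;
	}

	free(remote);
	return 0;

out:
	pam_end(pam, error);
	isakmp_cfg_config.port_pool[port].pam = NULL;
	free(remote);
	return -1;
}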
    773 #endif
    774 
    775 #ifdef HAVE_LIBLDAP
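/*
 * Return a freshly allocated vchar_t holding s as a NUL-terminated
 * string, or NULL on allocation failure.  One byte more than strlen(s)
 * is requested and explicitly set to '\0' -- vmalloc() is not relied on
 * to add a terminator -- because the consumers of these defaults
 * (xauth_login_ldap()) read ->v with strlen() and "%s", so the
 * terminator must lie inside the allocation.
 */
static vchar_t *
xauth_ldap_dflt_str(const char *s)
{
	size_t len = strlen(s);
	vchar_t *v;

	if ((v = vmalloc(len + 1)) == NULL)
		return NULL;
	memcpy(v->v, s, len);
	v->v[len] = '\0';
	return v;
}

/*
 * Reset xauth_ldap_config to its built-in defaults: protocol version 3,
 * no debug, no timeout, no URI, LDAP_DFLT_HOST on LDAP_PORT, no TLS, no
 * search base, one-level scope, anonymous bind, simple authentication,
 * and the LDAP_DFLT_* attribute names.
 *
 * Returns 0 on success, -1 (after logging) if a default string could not
 * be allocated; strings allocated before the failure are left in place.
 */
int
xauth_ldap_init_conf(void)
{
	xauth_ldap_config.pver = 3;
	xauth_ldap_config.debug = 0;
	xauth_ldap_config.timeout = -1;
	xauth_ldap_config.uri = NULL;
	xauth_ldap_config.host = NULL;
	xauth_ldap_config.port = LDAP_PORT;
	xauth_ldap_config.tls = 0;
	xauth_ldap_config.base = NULL;
	xauth_ldap_config.subtree = 0;
	xauth_ldap_config.bind_dn = NULL;
	xauth_ldap_config.bind_pw = NULL;
	xauth_ldap_config.auth_type = LDAP_AUTH_SIMPLE;
	xauth_ldap_config.attr_user = NULL;
	xauth_ldap_config.attr_addr = NULL;
	xauth_ldap_config.attr_mask = NULL;
	xauth_ldap_config.attr_group = NULL;
	xauth_ldap_config.attr_member = NULL;

	/* Default host, then the default naming attributes; stop at the first failure. */
	if ((xauth_ldap_config.host =
	    xauth_ldap_dflt_str(LDAP_DFLT_HOST)) == NULL ||
	    (xauth_ldap_config.attr_user =
	    xauth_ldap_dflt_str(LDAP_DFLT_USER)) == NULL ||
	    (xauth_ldap_config.attr_addr =
	    xauth_ldap_dflt_str(LDAP_DFLT_ADDR)) == NULL ||
	    (xauth_ldap_config.attr_mask =
	    xauth_ldap_dflt_str(LDAP_DFLT_MASK)) == NULL ||
	    (xauth_ldap_config.attr_group =
	    xauth_ldap_dflt_str(LDAP_DFLT_GROUP)) == NULL ||
	    (xauth_ldap_config.attr_member =
	    xauth_ldap_dflt_str(LDAP_DFLT_MEMBER)) == NULL) {
		plog(LLV_ERROR, LOCATION, NULL, "cannot allocate memory\n");
		return -1;
	}

	return 0;
}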
    849 
    850 int
    851 xauth_login_ldap(struct ph1handle *iph1, char *usr, char *pwd)
    852 {
    853 	int rtn = -1;
    854 	int res = -1;
    855 	LDAP *ld = NULL;
    856 	LDAPMessage *lr = NULL;
    857 	LDAPMessage *le = NULL;
    858 	struct berval cred;
    859 	struct berval **bv = NULL;
    860 	struct timeval timeout;
    861 	char *init = NULL;
    862 	char *filter = NULL;
    863 	char *atlist[3];
    864 	char *basedn = NULL;
    865 	char *userdn = NULL;
    866 	size_t tmplen = 0;
    867 	int ecount = 0;
    868 	int scope = LDAP_SCOPE_ONE;
    869 
    870 	atlist[0] = NULL;
    871 	atlist[1] = NULL;
    872 	atlist[2] = NULL;
    873 
    874 	if (xauth_ldap_config.uri != NULL) {
    875 		tmplen = strlen(xauth_ldap_config.uri->v);
    876 		init = racoon_malloc(tmplen);
    877 		if (init == NULL) {
    878 			plog(LLV_ERROR, LOCATION, NULL,
    879 				"unable to alloc ldap init url\n");
    880 			goto ldap_end;
    881 		}
    882 		sprintf(init,"%s", xauth_ldap_config.uri->v);
    883 	} else {
    884 		/* build our initialization url */
    885 		tmplen = strlen("ldap://:") + 17;
    886 		tmplen += strlen(xauth_ldap_config.host->v);
    887 		init = racoon_malloc(tmplen);
    888 		if (init == NULL) {
    889 			plog(LLV_ERROR, LOCATION, NULL,
    890 				"unable to alloc ldap init url\n");
    891 			goto ldap_end;
    892 		}
    893 		sprintf(init,"ldap://%s:%d",
    894 			xauth_ldap_config.host->v,
    895 			xauth_ldap_config.port );
    896 	}
    897 	/* initialize the debug level */
    898 	ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, &xauth_ldap_config.debug);
    899 	ber_set_option(NULL, LBER_OPT_DEBUG_LEVEL, &xauth_ldap_config.debug);
    900 
    901 	plog(LLV_DEBUG, LOCATION, NULL, "ldap URI: %s\n", init);
    902 	/* initialize the ldap handle */
    903 	res = ldap_initialize(&ld, init);
    904 	if (res != LDAP_SUCCESS) {
    905 		plog(LLV_ERROR, LOCATION, NULL,
    906 			"ldap_initialize failed: %s\n",
    907 			ldap_err2string(res));
    908 		goto ldap_end;
    909 	}
    910 
    911 	/* initialize the protocol version */
    912 	if ((res = ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION,
    913 		&xauth_ldap_config.pver)) != LDAP_OPT_SUCCESS) {
    914 		plog(LLV_ERROR, LOCATION, NULL,
    915 			"LDAP_OPT_PROTOCOL_VERSION %d failed: %s\n",
    916 			xauth_ldap_config.pver,
    917 			ldap_err2string(res));
    918 		goto ldap_end;
    919 	}
    920 
    921 	if (xauth_ldap_config.timeout > 0) {
    922 		static struct timeval timeout1;
    923 		timeout1.tv_sec = xauth_ldap_config.timeout;
    924 		timeout1.tv_usec = 0;
    925 		if ((res = ldap_set_option(ld, LDAP_OPT_NETWORK_TIMEOUT,
    926 			(void *)&timeout1)) != LDAP_OPT_SUCCESS) {
    927 			plog(LLV_ERROR, LOCATION, NULL,
    928 				"LDAP_OPT_NETWORK_TIMEOUT %d failed: %s\n",
    929 				xauth_ldap_config.timeout,
    930 				ldap_err2string(res));
    931 			goto ldap_end;
    932 		}
    933 	}
    934 
    935 	/* Enable TLS */
    936 	if (xauth_ldap_config.tls) {
    937 		res = ldap_start_tls_s(ld, NULL, NULL);
    938 		if (res != LDAP_SUCCESS) {
    939 			plog(LLV_ERROR, LOCATION, NULL,
    940 			     "ldap_start_tls_s failed: %s\n",
    941 			     ldap_err2string(res));
    942 			goto ldap_end;
    943 		}
    944 	}
    945 
    946 	/*
    947 	 * attempt to bind to the ldap server.
    948          * default to anonymous bind unless a
    949 	 * user dn and password has been
    950 	 * specified in our configuration
    951          */
    952 	if ((xauth_ldap_config.bind_dn != NULL)&&
    953 	    (xauth_ldap_config.bind_pw != NULL))
    954 	{
    955 		cred.bv_val = xauth_ldap_config.bind_pw->v;
    956 		cred.bv_len = strlen( cred.bv_val );
    957 		res = ldap_sasl_bind_s(ld,
    958 			xauth_ldap_config.bind_dn->v, LDAP_SASL_SIMPLE, &cred,
    959 			NULL, NULL, NULL);
    960 	}
    961 	else
    962 	{
    963 		cred.bv_val = NULL;
    964 		cred.bv_len = 0;
    965 		res = ldap_sasl_bind_s(ld,
    966 			NULL, LDAP_SASL_SIMPLE, &cred,
    967 			NULL, NULL, NULL);
    968 	}
    969 
    970 	if (res!=LDAP_SUCCESS) {
    971 		plog(LLV_ERROR, LOCATION, NULL,
    972 			"ldap_sasl_bind_s (search) failed: %s\n",
    973 			ldap_err2string(res));
    974 		goto ldap_end;
    975 	}
    976 
    977 	/* build an ldap user search filter */
    978 	tmplen = strlen(xauth_ldap_config.attr_user->v);
    979 	tmplen += 1;
    980 	tmplen += strlen(usr);
    981 	tmplen += 1;
    982 	filter = racoon_malloc(tmplen);
    983 	if (filter == NULL) {
    984 		plog(LLV_ERROR, LOCATION, NULL,
    985 			"unable to alloc ldap search filter buffer\n");
    986 		goto ldap_end;
    987 	}
    988 	sprintf(filter, "%s=%s",
    989 		xauth_ldap_config.attr_user->v, usr);
    990 
    991 	/* build our return attribute list */
    992 	tmplen = strlen(xauth_ldap_config.attr_addr->v) + 1;
    993 	atlist[0] = racoon_malloc(tmplen);
    994 	tmplen = strlen(xauth_ldap_config.attr_mask->v) + 1;
    995 	atlist[1] = racoon_malloc(tmplen);
    996 	if ((atlist[0] == NULL)||(atlist[1] == NULL)) {
    997 		plog(LLV_ERROR, LOCATION, NULL,
    998 			"unable to alloc ldap attrib list buffer\n");
    999 		goto ldap_end;
   1000 	}
   1001 	strcpy(atlist[0],xauth_ldap_config.attr_addr->v);
   1002 	strcpy(atlist[1],xauth_ldap_config.attr_mask->v);
   1003 
   1004 	/* attempt to locate the user dn */
   1005 	if (xauth_ldap_config.base != NULL)
   1006 		basedn = xauth_ldap_config.base->v;
   1007 	if (xauth_ldap_config.subtree)
   1008 		scope = LDAP_SCOPE_SUBTREE;
   1009 	timeout.tv_sec = 15;
   1010 	timeout.tv_usec = 0;
   1011 	res = ldap_search_ext_s(ld, basedn, scope,
   1012 		filter, atlist, 0, NULL, NULL,
   1013 		&timeout, 2, &lr);
   1014 	if (res != LDAP_SUCCESS) {
   1015 		plog(LLV_ERROR, LOCATION, NULL,
   1016 			"ldap_search_ext_s failed: %s\n",
   1017 			ldap_err2string(res));
   1018 		goto ldap_end;
   1019 	}
   1020 
   1021 	/* check the number of ldap entries returned */
   1022 	ecount = ldap_count_entries(ld, lr);
   1023 	if (ecount < 1) {
   1024 		plog(LLV_WARNING, LOCATION, NULL,
   1025 			"no ldap results for filter \'%s\'\n",
   1026 			 filter);
   1027 		goto ldap_end;
   1028 	}
   1029 	if (ecount > 1) {
   1030 		plog(LLV_WARNING, LOCATION, NULL,
   1031 			"multiple (%i) ldap results for filter \'%s\'\n",
   1032 			ecount, filter);
   1033 	}
   1034 
   1035 	/* obtain the dn from the first result */
   1036 	le = ldap_first_entry(ld, lr);
   1037 	if (le == NULL) {
   1038 		plog(LLV_ERROR, LOCATION, NULL,
   1039 			"ldap_first_entry failed: invalid entry returned\n");
   1040 		goto ldap_end;
   1041 	}
   1042 	userdn = ldap_get_dn(ld, le);
   1043 	if (userdn == NULL) {
   1044 		plog(LLV_ERROR, LOCATION, NULL,
   1045 			"ldap_get_dn failed: invalid string returned\n");
   1046 		goto ldap_end;
   1047 	}
   1048 
   1049 	/* cache the user dn in the xauth state */
   1050 	iph1->mode_cfg->xauth.udn = racoon_malloc(strlen(userdn)+1);
   1051 	strcpy(iph1->mode_cfg->xauth.udn,userdn);
   1052 
   1053 	/* retrieve modecfg address */
   1054 	bv = ldap_get_values_len(ld, le, xauth_ldap_config.attr_addr->v);
   1055 	if (bv != NULL)	{
   1056 		char tmpaddr[16];
   1057 		/* sanity check for address value */
   1058 		if ((bv[0]->bv_len < 7)||(bv[0]->bv_len > 15)) {
   1059 			plog(LLV_DEBUG, LOCATION, NULL,
   1060 				"ldap returned invalid modecfg address\n");
   1061 			ldap_value_free_len(bv);
   1062 			goto ldap_end;
   1063 		}
   1064 		memcpy(tmpaddr,bv[0]->bv_val,bv[0]->bv_len);
   1065 		tmpaddr[bv[0]->bv_len]=0;
   1066 		iph1->mode_cfg->addr4.s_addr = inet_addr(tmpaddr);
   1067 		iph1->mode_cfg->flags |= ISAKMP_CFG_ADDR4_EXTERN;
   1068 		plog(LLV_INFO, LOCATION, NULL,
   1069 			"ldap returned modecfg address %s\n", tmpaddr);
   1070 		ldap_value_free_len(bv);
   1071 	}
   1072 
   1073 	/* retrieve modecfg netmask */
   1074 	bv = ldap_get_values_len(ld, le, xauth_ldap_config.attr_mask->v);
   1075 	if (bv != NULL)	{
   1076 		char tmpmask[16];
   1077 		/* sanity check for netmask value */
   1078 		if ((bv[0]->bv_len < 7)||(bv[0]->bv_len > 15)) {
   1079 			plog(LLV_DEBUG, LOCATION, NULL,
   1080 				"ldap returned invalid modecfg netmask\n");
   1081 			ldap_value_free_len(bv);
   1082 			goto ldap_end;
   1083 		}
   1084 		memcpy(tmpmask,bv[0]->bv_val,bv[0]->bv_len);
   1085 		tmpmask[bv[0]->bv_len]=0;
   1086 		iph1->mode_cfg->mask4.s_addr = inet_addr(tmpmask);
   1087 		iph1->mode_cfg->flags |= ISAKMP_CFG_MASK4_EXTERN;
   1088 		plog(LLV_INFO, LOCATION, NULL,
   1089 			"ldap returned modecfg netmask %s\n", tmpmask);
   1090 		ldap_value_free_len(bv);
   1091 	}
   1092 
   1093 	/*
   1094 	 * finally, use the dn and the xauth
   1095 	 * password to check the users given
   1096 	 * credentials by attempting to bind
   1097 	 * to the ldap server
   1098 	 */
   1099 	plog(LLV_INFO, LOCATION, NULL,
   1100 		"attempting ldap bind for dn \'%s\'\n", userdn);
   1101 	cred.bv_val = pwd;
   1102 	cred.bv_len = strlen( cred.bv_val );
   1103 	res = ldap_sasl_bind_s(ld,
   1104 		userdn, NULL, &cred,
   1105 		NULL, NULL, NULL);
   1106         if(res==LDAP_SUCCESS)
   1107 		rtn = 0;
   1108 
   1109 ldap_end:
   1110 
   1111 	/* free ldap resources */
   1112 	if (userdn != NULL)
   1113 		ldap_memfree(userdn);
   1114 	if (atlist[0] != NULL)
   1115 		racoon_free(atlist[0]);
   1116 	if (atlist[1] != NULL)
   1117 		racoon_free(atlist[1]);
   1118 	if (filter != NULL)
   1119 		racoon_free(filter);
   1120 	if (lr != NULL)
   1121 		ldap_msgfree(lr);
   1122 	if (init != NULL)
   1123 		racoon_free(init);
   1124 
   1125 	ldap_unbind_ext_s(ld, NULL, NULL);
   1126 
   1127 	return rtn;
   1128 }
   1129 
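/*
 * Number of bytes an RFC 4515 escaped copy of s occupies, excluding the
 * terminating NUL.  Each filter metacharacter expands to a 3-byte "\xx".
 */
static size_t
xauth_ldap_filter_escaped_len(const char *s)
{
	size_t len = 0;

	for (; *s != '\0'; s++) {
		switch (*s) {
		case '*':
		case '(':
		case ')':
		case '\\':
			len += 3;
			break;
		default:
			len++;
			break;
		}
	}
	return len;
}

/*
 * Append s to dst as an RFC 4515 assertion value: '*', '(', ')' and '\'
 * become "\2a", "\28", "\29" and "\5c" so the value is matched literally
 * instead of being interpreted as filter syntax.  dst must have room for
 * xauth_ldap_filter_escaped_len(s) + 1 bytes; the terminating NUL is
 * written and a pointer to it is returned.
 */
static char *
xauth_ldap_filter_escape(char *dst, const char *s)
{
	static const char hexdigit[] = "0123456789abcdef";

	for (; *s != '\0'; s++) {
		unsigned char c = (unsigned char)*s;

		switch (c) {
		case '*':
		case '(':
		case ')':
		case '\\':
			*dst++ = '\\';
			*dst++ = hexdigit[c >> 4];
			*dst++ = hexdigit[c & 0x0f];
			break;
		default:
			*dst++ = (char)c;
			break;
		}
	}
	*dst = '\0';
	return dst;
}

/*
 * Check whether the LDAP entry udn (the user DN cached by the Xauth
 * login) is listed as a member of the group named grp.
 *
 * The connection is opened from xauth_ldap_config (host, port, protocol
 * version, optional STARTTLS, optional bind DN/password for the search)
 * and a single search for
 *     (&(<attr_group>=<grp>)(<attr_member>=<udn>))
 * is run under the configured base with ONE or SUBTREE scope.
 *
 * Returns 0 when at least one entry matches, -1 on any failure or when
 * nothing matches.  Membership is decided by the entry count; the group
 * DN is read afterwards only for the log line, so a failure there does
 * not change the result.
 */
static int
xauth_group_ldap(char * udn, char * grp)
{
	int rtn = -1;
	int res = -1;
	LDAP *ld = NULL;
	LDAPMessage *lr = NULL;
	LDAPMessage *le = NULL;
	struct berval cred;
	struct timeval timeout;
	char *init = NULL;
	char *filter = NULL;
	char *basedn = NULL;
	char *groupdn = NULL;
	char *fp = NULL;
	size_t tmplen = 0;
	size_t off = 0;
	int ecount = 0;
	int scope = LDAP_SCOPE_ONE;

	/* a group check needs the DN cached by the ldap login */
	if (udn == NULL || grp == NULL) {
		plog(LLV_ERROR, LOCATION, NULL,
			"ldap group check without a user dn or group name\n");
		return -1;
	}

	/* build our initialization url; 17 leaves room for the port and NUL */
	tmplen = strlen("ldap://:") + 17;
	tmplen += strlen(xauth_ldap_config.host->v);
	init = racoon_malloc(tmplen);
	if (init == NULL) {
		plog(LLV_ERROR, LOCATION, NULL,
			"unable to alloc ldap init url\n");
		goto ldap_group_end;
	}
	snprintf(init, tmplen, "ldap://%s:%d",
		xauth_ldap_config.host->v,
		xauth_ldap_config.port);

	/* initialize the ldap handle */
	res = ldap_initialize(&ld, init);
	if (res != LDAP_SUCCESS) {
		plog(LLV_ERROR, LOCATION, NULL,
			"ldap_initialize failed: %s\n",
			ldap_err2string(res));
		goto ldap_group_end;
	}

	/* initialize the protocol version; a refused version is fatal */
	if ((res = ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION,
		&xauth_ldap_config.pver)) != LDAP_OPT_SUCCESS) {
		plog(LLV_ERROR, LOCATION, NULL,
			"LDAP_OPT_PROTOCOL_VERSION %d failed: %s\n",
			xauth_ldap_config.pver,
			ldap_err2string(res));
		goto ldap_group_end;
	}

	/* Enable TLS */
	if (xauth_ldap_config.tls) {
		res = ldap_start_tls_s(ld, NULL, NULL);
		if (res != LDAP_SUCCESS) {
			plog(LLV_ERROR, LOCATION, NULL,
			     "ldap_start_tls_s failed: %s\n",
			     ldap_err2string(res));
			goto ldap_group_end;
		}
	}

	/*
	 * attempt to bind to the ldap server.
	 * default to anonymous bind unless a
	 * user dn and password has been
	 * specified in our configuration
	 */
	if ((xauth_ldap_config.bind_dn != NULL) &&
	    (xauth_ldap_config.bind_pw != NULL)) {
		cred.bv_val = xauth_ldap_config.bind_pw->v;
		cred.bv_len = strlen(cred.bv_val);
		res = ldap_sasl_bind_s(ld,
			xauth_ldap_config.bind_dn->v, LDAP_SASL_SIMPLE, &cred,
			NULL, NULL, NULL);
	} else {
		res = ldap_sasl_bind_s(ld,
			NULL, LDAP_SASL_SIMPLE, NULL,
			NULL, NULL, NULL);
	}

	if (res != LDAP_SUCCESS) {
		plog(LLV_ERROR, LOCATION, NULL,
			"ldap_sasl_bind_s (search) failed: %s\n",
			ldap_err2string(res));
		goto ldap_group_end;
	}

	/*
	 * build the group search filter. grp and udn are escaped per
	 * RFC 4515 so that a '*', a parenthesis or a backslash in a
	 * group name or DN is matched literally and can neither widen
	 * nor break the filter.
	 */
	tmplen = strlen("(&(=)(=))") + 1;
	tmplen += strlen(xauth_ldap_config.attr_group->v);
	tmplen += xauth_ldap_filter_escaped_len(grp);
	tmplen += strlen(xauth_ldap_config.attr_member->v);
	tmplen += xauth_ldap_filter_escaped_len(udn);
	filter = racoon_malloc(tmplen);
	if (filter == NULL) {
		plog(LLV_ERROR, LOCATION, NULL,
			"unable to alloc ldap search filter buffer\n");
		goto ldap_group_end;
	}
	/* tmplen is exact, so none of these writes can truncate */
	off = (size_t)snprintf(filter, tmplen, "(&(%s=",
		xauth_ldap_config.attr_group->v);
	fp = xauth_ldap_filter_escape(filter + off, grp);
	off = (size_t)(fp - filter);
	off += (size_t)snprintf(filter + off, tmplen - off, ")(%s=",
		xauth_ldap_config.attr_member->v);
	fp = xauth_ldap_filter_escape(filter + off, udn);
	off = (size_t)(fp - filter);
	snprintf(filter + off, tmplen - off, "))");

	/* attempt to locate the group dn */
	if (xauth_ldap_config.base != NULL)
		basedn = xauth_ldap_config.base->v;
	if (xauth_ldap_config.subtree)
		scope = LDAP_SCOPE_SUBTREE;
	timeout.tv_sec = 15;
	timeout.tv_usec = 0;
	res = ldap_search_ext_s(ld, basedn, scope,
		filter, NULL, 0, NULL, NULL,
		&timeout, 2, &lr);
	if (res != LDAP_SUCCESS) {
		plog(LLV_ERROR, LOCATION, NULL,
			"ldap_search_ext_s failed: %s\n",
			ldap_err2string(res));
		goto ldap_group_end;
	}

	/* check the number of ldap entries returned */
	ecount = ldap_count_entries(ld, lr);
	if (ecount < 1) {
		plog(LLV_WARNING, LOCATION, NULL,
			"no ldap results for filter \'%s\'\n",
			 filter);
		goto ldap_group_end;
	}

	/* success: at least one entry matched both group and member */
	rtn = 0;

	/* obtain the dn from the first result, for the log line only */
	le = ldap_first_entry(ld, lr);
	if (le == NULL) {
		plog(LLV_ERROR, LOCATION, NULL,
			"ldap_first_entry failed: invalid entry returned\n");
		goto ldap_group_end;
	}
	groupdn = ldap_get_dn(ld, le);
	if (groupdn == NULL) {
		plog(LLV_ERROR, LOCATION, NULL,
			"ldap_get_dn failed: invalid string returned\n");
		goto ldap_group_end;
	}

	plog(LLV_INFO, LOCATION, NULL,
		"ldap membership group returned \'%s\'\n", groupdn);
ldap_group_end:

	/* free ldap resources; ld is NULL if we failed before ldap_initialize */
	if (groupdn != NULL)
		ldap_memfree(groupdn);
	if (filter != NULL)
		racoon_free(filter);
	if (lr != NULL)
		ldap_msgfree(lr);
	if (init != NULL)
		racoon_free(init);
	if (ld != NULL)
		ldap_unbind_ext_s(ld, NULL, NULL);

	return rtn;
}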
   1291 
   1292 #endif
   1293 
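/*
 * Compare two NUL-terminated hash strings without stopping at the first
 * differing byte, so the comparison time does not reveal how much of the
 * value matched.  Returns 0 when equal, -1 otherwise.
 */
static int
xauth_hash_equal(const char *a, const char *b)
{
	size_t alen = strlen(a);
	size_t blen = strlen(b);
	unsigned char diff = 0;
	size_t i;

	if (alen != blen)
		return -1;
	for (i = 0; i < alen; i++)
		diff |= (unsigned char)a[i] ^ (unsigned char)b[i];
	return diff == 0 ? 0 : -1;
}

/*
 * Validate usr/pwd against the local account database (shadow file when
 * HAVE_SHADOW_H, otherwise the passwd entry).
 *
 * Returns 0 when crypt(pwd) matches the stored hash, -1 otherwise: unknown
 * user, uid 0, empty or missing hash, crypt() failure, or a mismatch.
 */
int
xauth_login_system(char *usr, char *pwd)
{
	struct passwd *pw;
	char *cryptpwd;
	char *syscryptpwd;
#ifdef HAVE_SHADOW_H
	struct spwd *spw;
#endif

	if (usr == NULL || pwd == NULL)
		return -1;

#ifdef HAVE_SHADOW_H
	if ((spw = getspnam(usr)) == NULL)
		return -1;

	syscryptpwd = spw->sp_pwdp;
#endif

	if ((pw = getpwnam(usr)) == NULL)
		return -1;

#ifndef HAVE_SHADOW_H
	syscryptpwd = pw->pw_passwd;
#endif

	/* No root login. Ever. */
	if (pw->pw_uid == 0)
		return -1;

	/*
	 * An empty password field must never authenticate: with an empty
	 * setting some crypt() implementations return an empty string,
	 * which would compare equal for any supplied password.
	 */
	if (syscryptpwd == NULL || *syscryptpwd == '\0')
		return -1;

	if ((cryptpwd = crypt(pwd, syscryptpwd)) == NULL)
		return -1;

	return xauth_hash_equal(cryptpwd, syscryptpwd);
}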
   1328 
/*
 * Check whether usr is listed in the member list of the system group grp.
 * Returns 0 on membership, -1 when the group is unknown or usr is not a
 * member.  Only the explicit gr_mem list is consulted.
 */
static int
xauth_group_system(char *usr, char *grp)
{
	struct group *gr = getgrnam(grp);
	char **mem;

	if (gr == NULL) {
		plog(LLV_ERROR, LOCATION, NULL,
			"the system group name \'%s\' is unknown\n",
			grp);
		return -1;
	}

	for (mem = gr->gr_mem; *mem != NULL; mem++) {
		if (strcmp(*mem, usr) == 0) {
			plog(LLV_INFO, LOCATION, NULL,
		                "membership validated\n");
			return 0;
		}
	}

	return -1;
}
   1354 
/*
 * Report whether authmethod is one of the responder-side (edge device)
 * Oakley authentication methods that carry an Xauth exchange.
 */
static int
xauth_check_is_server_method(int authmethod)
{
	switch (authmethod) {
	case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_R:
	case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_R:
	case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_R:
	/* The following are not yet implemented */
	case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_R:
	case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_R:
	case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_R:
	case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_R:
		return 1;
	default:
		return 0;
	}
}

/*
 * Verify that the Xauth exchange completed when the negotiated
 * authmethod requires one.  Only the server side checks: for any
 * other (client side) authmethod the phase 1 is accepted as is.
 *
 * Returns 0 when no check applies or the check passed, -1 when the peer
 * never announced Xauth support or its Xauth status is not XAUTHST_OK.
 */
int
xauth_check(struct ph1handle *iph1)
{
	struct xauth_state *xst = &iph1->mode_cfg->xauth;

	if (!xauth_check_is_server_method(iph1->approval->authmethod))
		return 0;

	if ((iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_XAUTH) == 0) {
		plog(LLV_ERROR, LOCATION, NULL,
		    "Hybrid auth negotiated but peer did not "
		    "announced as Xauth capable\n");
		return -1;
	}

	if (xst->status != XAUTHST_OK) {
		plog(LLV_ERROR, LOCATION, NULL,
		    "Hybrid auth negotiated but peer did not "
		    "succeed Xauth exchange\n");
		return -1;
	}

	return 0;
}
   1393 
/*
 * Check the Xauth user of iph1 against each group in grp_list, using the
 * configured group source (system groups or LDAP), and stop at the first
 * match.
 *
 * Returns 0 when the user belongs to at least one listed group, -1 when
 * modecfg or Xauth data is missing, the group source is unknown, or no
 * group matched.  With an empty list the result is -1.
 */
int
group_check(struct ph1handle *iph1, char **grp_list, int grp_count)
{
	int res = -1;
	int i;
	char *usr;

	/* the Xauth state lives in the modecfg data */
	if (iph1->mode_cfg == NULL) {
		plog(LLV_ERROR, LOCATION, NULL,
			"xauth group specified but modecfg not found\n");
		return res;
	}

	for (i = 0; i < grp_count; i++) {
		/* a user name is required to test membership */
		usr = iph1->mode_cfg->xauth.authdata.generic.usr;
		if (usr == NULL) {
			plog(LLV_ERROR, LOCATION, NULL,
				"xauth group specified but xauth not found\n");
			return res;
		}

		/* dispatch on the configured group source */
		switch (isakmp_cfg_config.groupsource) {
		case ISAKMP_CFG_GROUP_SYSTEM:
			res = xauth_group_system(usr, grp_list[i]);
			break;

#ifdef HAVE_LIBLDAP
		case ISAKMP_CFG_GROUP_LDAP:
			res = xauth_group_ldap(iph1->mode_cfg->xauth.udn,
				grp_list[i]);
			break;
#endif

		default:
			/* we should never get here */
			plog(LLV_ERROR, LOCATION, NULL,
			    "Unknown group auth source\n");
			break;
		}

		if (res == 0) {
			plog(LLV_INFO, LOCATION, NULL,
				"user \"%s\" is a member of group \"%s\"\n",
				usr,
				grp_list[i]);
			return res;
		}

		plog(LLV_INFO, LOCATION, NULL,
			"user \"%s\" is not a member of group \"%s\"\n",
			usr,
			grp_list[i]);
	}

	return res;
}
   1464 
/*
 * Build the reply to a mode-cfg REQUEST attribute of an Xauth exchange
 * (client side).  attr is the attribute received from the peer; the
 * reply carries our configured login or password, or acknowledges the
 * XAUTH_TYPE.
 *
 * Returns a freshly allocated vchar_t holding the reply attribute, or
 * NULL when the attribute is rejected, only logged (XAUTH_MESSAGE),
 * ignored (unknown type), or memory cannot be allocated.
 *
 * NOTE(review): for TLV attributes ntohs(attr->lorv) is used as the
 * length of the data following attr; the caller is assumed to have
 * checked it against the remaining payload — confirm at the call site.
 */
vchar_t *
isakmp_xauth_req(struct ph1handle *iph1, struct isakmp_data *attr)
{
	int type;
	size_t dlen = 0;
	int ashort = 0;
	int value = 0;
	vchar_t *buffer = NULL;
	char *mraw = NULL, *mdata;
	char *data;
	vchar_t *usr = NULL;
	vchar_t *pwd = NULL;
	size_t skip = 0;
	int freepwd = 0;	/* set when pwd is ours to release at out: */

	/* never answer an Xauth request from a peer that did not announce Xauth */
	if ((iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_XAUTH) == 0) {
		plog(LLV_ERROR, LOCATION, NULL,
		    "Xauth mode config request but peer "
		    "did not declare itself as Xauth capable\n");
		return NULL;
	}

	/* strip the TV/TLV format bit to get the attribute type */
	type = ntohs(attr->type) & ~ISAKMP_GEN_MASK;

	/* Sanity checks */
	switch(type) {
	case XAUTH_TYPE:
		/* only the generic (login/password) Xauth type is supported */
		if ((ntohs(attr->type) & ISAKMP_GEN_TV) == 0) {
			plog(LLV_ERROR, LOCATION, NULL,
			    "Unexpected long XAUTH_TYPE attribute\n");
			return NULL;
		}
		if (ntohs(attr->lorv) != XAUTH_TYPE_GENERIC) {
			plog(LLV_ERROR, LOCATION, NULL,
			    "Unsupported Xauth authentication %d\n",
			    ntohs(attr->lorv));
			return NULL;
		}
		/* answered as a short (TV) attribute echoing the type */
		ashort = 1;
		dlen = 0;
		value = XAUTH_TYPE_GENERIC;
		break;

	case XAUTH_USER_NAME:
		if (!iph1->rmconf->xauth || !iph1->rmconf->xauth->login) {
			plog(LLV_ERROR, LOCATION, NULL, "Xauth performed "
			    "with no login supplied\n");
			return NULL;
		}

		/* the last byte of login is not sent (presumably a NUL — confirm) */
		dlen = iph1->rmconf->xauth->login->l - 1;
		iph1->rmconf->xauth->state |= XAUTH_SENT_USERNAME;
		break;

	case XAUTH_USER_PASSWORD:
		if (!iph1->rmconf->xauth || !iph1->rmconf->xauth->login)
			return NULL;

		/*
		 * Build the key used to look the password up: a zeroed
		 * ipsecdoi_id_b-sized prefix followed by the login
		 * (presumably the shape getpskbyname expects — confirm).
		 */
		skip = sizeof(struct ipsecdoi_id_b);
		usr = vmalloc(iph1->rmconf->xauth->login->l - 1 + skip);
		if (usr == NULL) {
			plog(LLV_ERROR, LOCATION, NULL,
			    "Cannot allocate memory\n");
			return NULL;
		}
		memset(usr->v, 0, skip);
		memcpy(usr->v + skip,
		    iph1->rmconf->xauth->login->v,
		    iph1->rmconf->xauth->login->l - 1);

		if (iph1->rmconf->xauth->pass) {
			/* A key given through racoonctl */
			pwd = iph1->rmconf->xauth->pass;
		} else {
			if ((pwd = getpskbyname(usr)) == NULL) {
				plog(LLV_ERROR, LOCATION, NULL,
				    "No password was found for login %s\n",
				    iph1->rmconf->xauth->login->v);
				vfree(usr);
				return NULL;
			}
			/* We have to free it before returning */
			freepwd = 1;
		}
		vfree(usr);

		iph1->rmconf->xauth->state |= XAUTH_SENT_PASSWORD;
		dlen = pwd->l;

		break;
	case XAUTH_MESSAGE:
		/* a server message is only logged (after sanitizing); no reply */
		if ((ntohs(attr->type) & ISAKMP_GEN_TV) == 0) {
			dlen = ntohs(attr->lorv);
			if (dlen > 0) {
				mraw = (char*)(attr + 1);
				mdata = binsanitize(mraw, dlen);
				if (mdata == NULL) {
					plog(LLV_ERROR, LOCATION, iph1->remote,
					    "Cannot allocate memory\n");
					return NULL;
				}
				plog(LLV_NOTIFY,LOCATION, iph1->remote,
					"XAUTH Message: '%s'.\n",
					mdata);
				racoon_free(mdata);
			}
		}
		return NULL;
	default:
		plog(LLV_WARNING, LOCATION, NULL,
		    "Ignored attribute %s\n", s_isakmp_cfg_type(type));
		return NULL;
	}

	/* reply buffer: attribute header followed by dlen bytes of data */
	if ((buffer = vmalloc(sizeof(*attr) + dlen)) == NULL) {
		plog(LLV_ERROR, LOCATION, NULL,
		    "Cannot allocate memory\n");
		goto out;
	}

	/* from here on attr is the reply being built, not the request */
	attr = (struct isakmp_data *)buffer->v;
	if (ashort) {
		attr->type = htons(type | ISAKMP_GEN_TV);
		attr->lorv = htons(value);
		goto out;
	}

	attr->type = htons(type | ISAKMP_GEN_TLV);
	attr->lorv = htons(dlen);
	data = (char *)(attr + 1);

	switch(type) {
	case XAUTH_USER_NAME:
		/*
		 * iph1->rmconf->xauth->login->v is valid,
		 * we just checked it in the previous switch case
		 */
		memcpy(data, iph1->rmconf->xauth->login->v, dlen);
		break;
	case XAUTH_USER_PASSWORD:
		memcpy(data, pwd->v, dlen);
		break;
	default:
		break;
	}

out:
	/* only a password obtained from getpskbyname is owned here */
	if (freepwd)
		vfree(pwd);

	return buffer;
}
   1617 
/*
 * Report whether authmethod is one of the initiator-side (client)
 * Oakley authentication methods for which an XAUTH_STATUS set is
 * expected from the server.
 */
static int
xauth_set_is_client_method(int authmethod)
{
	switch (authmethod) {
	case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I:
	case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_I:
	case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_I:
	/* Not implemented ... */
	case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_I:
	case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_I:
	case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_I:
	case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_I:
		return 1;
	default:
		return 0;
	}
}

/*
 * Handle a mode-cfg SET attribute of an Xauth exchange (client side).
 * XAUTH_STATUS records success or failure of the exchange (a failure
 * schedules deletion of the phase 1); XAUTH_MESSAGE is logged after
 * sanitizing.  Both are acknowledged with an empty TV attribute of the
 * same type.
 *
 * Returns the acknowledgement attribute, or NULL when the peer never
 * announced Xauth, the status arrives on a non-client authmethod, the
 * attribute type is unknown, or memory cannot be allocated.
 */
vchar_t *
isakmp_xauth_set(struct ph1handle *iph1, struct isakmp_data *attr)
{
	vchar_t *ack;
	char *mdata;
	size_t mlen;
	int type;

	if ((iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_XAUTH) == 0) {
		plog(LLV_ERROR, LOCATION, NULL,
		    "Xauth mode config set but peer "
		    "did not declare itself as Xauth capable\n");
		return NULL;
	}

	/* drop the TV/TLV format bit */
	type = ntohs(attr->type) & ~ISAKMP_GEN_MASK;

	if (type == XAUTH_STATUS) {
		/*
		 * We should only receive ISAKMP mode_cfg SET XAUTH_STATUS
		 * when running as a client (initiator).
		 */
		if (!xauth_set_is_client_method(iph1->approval->authmethod)) {
			plog(LLV_ERROR, LOCATION, NULL,
			    "Unexpected XAUTH_STATUS_OK\n");
			return NULL;
		}

		/* If we got a failure, delete iph1 */
		if (ntohs(attr->lorv) != XAUTH_STATUS_OK) {
			plog(LLV_ERROR, LOCATION, NULL,
			    "Xauth authentication failed\n");
			evt_phase1(iph1, EVT_PHASE1_XAUTH_FAILED, NULL);
			iph1->mode_cfg->flags |= ISAKMP_CFG_DELETE_PH1;
		} else {
			evt_phase1(iph1, EVT_PHASE1_XAUTH_SUCCESS, NULL);
		}
	} else if (type == XAUTH_MESSAGE) {
		/* only a long (TLV) message carries text worth logging */
		if ((ntohs(attr->type) & ISAKMP_GEN_TV) == 0) {
			mlen = ntohs(attr->lorv);
			if (mlen > 0) {
				mdata = binsanitize((char*)(attr + 1), mlen);
				if (mdata == NULL) {
					plog(LLV_ERROR, LOCATION, iph1->remote,
					    "Cannot allocate memory\n");
					return NULL;
				}
				plog(LLV_NOTIFY,LOCATION, iph1->remote,
					"XAUTH Message: '%s'.\n",
					mdata);
				racoon_free(mdata);
			}
		}
	} else {
		plog(LLV_WARNING, LOCATION, NULL,
		    "Ignored attribute %s\n", s_isakmp_cfg_type(type));
		return NULL;
	}

	/* We acknowledge it with an empty short attribute of the same type */
	ack = vmalloc(sizeof(*attr));
	if (ack == NULL) {
		plog(LLV_ERROR, LOCATION, NULL,
		    "Cannot allocate memory\n");
		return NULL;
	}

	attr = (struct isakmp_data *)ack->v;
	attr->type = htons(type | ISAKMP_GEN_TV);
	attr->lorv = htons(0);

	return ack;
}
   1709 
   1710 
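/*
 * Overwrite a NUL-terminated credential in place before it is released.
 * The stores go through a volatile pointer so the compiler cannot drop
 * them as dead writes to memory that is about to be freed.
 */
static void
xauth_state_wipe(char *s)
{
	volatile unsigned char *p = (volatile unsigned char *)s;

	while (*p != '\0')
		*p++ = 0;
}

/*
 * Release the credentials held in an Xauth state.  Only XAUTH_TYPE_GENERIC
 * owns heap data (user name, password and, with LDAP, the cached user DN);
 * the other types are logged and left alone.  Released pointers are reset
 * to NULL so a second call is harmless.
 *
 * NOTE(review): the password is wiped as a NUL-terminated string, which is
 * how xauth_login_system passes it to crypt() — confirm no other producer
 * stores it without a terminator.
 */
void
xauth_rmstate(struct xauth_state *xst)
{
	switch (xst->authtype) {
	case XAUTH_TYPE_GENERIC:
		if (xst->authdata.generic.usr) {
			racoon_free(xst->authdata.generic.usr);
			xst->authdata.generic.usr = NULL;
		}

		if (xst->authdata.generic.pwd) {
			/* the cleartext password must not outlive the state */
			xauth_state_wipe(xst->authdata.generic.pwd);
			racoon_free(xst->authdata.generic.pwd);
			xst->authdata.generic.pwd = NULL;
		}

		break;

	case XAUTH_TYPE_CHAP:
	case XAUTH_TYPE_OTP:
	case XAUTH_TYPE_SKEY:
		plog(LLV_WARNING, LOCATION, NULL,
		    "Unsupported authtype %d\n", xst->authtype);
		break;

	default:
		plog(LLV_WARNING, LOCATION, NULL,
		    "Unexpected authtype %d\n", xst->authtype);
		break;
	}

#ifdef HAVE_LIBLDAP
	if (xst->udn != NULL) {
		racoon_free(xst->udn);
		xst->udn = NULL;
	}
#endif
	return;
}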
   1743 
/*
 * Make sure *xauth_rmconf points at an Xauth remote configuration,
 * allocating an empty one (no login, no password, state 0) when the
 * slot is still NULL.  Returns 0 on success, -1 when allocation fails.
 */
int
xauth_rmconf_used(struct xauth_rmconf **xauth_rmconf)
{
	struct xauth_rmconf *rc;

	if (*xauth_rmconf != NULL)
		return 0;

	rc = racoon_malloc(sizeof(*rc));
	if (rc == NULL) {
		plog(LLV_ERROR, LOCATION, NULL,
		    "xauth_rmconf_used: malloc failed\n");
		return -1;
	}

	rc->login = NULL;
	rc->pass = NULL;
	rc->state = 0;
	*xauth_rmconf = rc;

	return 0;
}
   1762 
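/*
 * Release an Xauth remote configuration and reset the caller's pointer.
 * The password buffer is overwritten before it is freed so the cleartext
 * does not linger in freed heap memory.  A NULL slot is a no-op.
 */
void
xauth_rmconf_delete(struct xauth_rmconf **xauth_rmconf)
{
	struct xauth_rmconf *rc = *xauth_rmconf;

	if (rc == NULL)
		return;

	if (rc->login != NULL)
		vfree(rc->login);

	if (rc->pass != NULL) {
		/* volatile stores so the wipe is not optimized away before vfree */
		volatile unsigned char *p =
		    (volatile unsigned char *)rc->pass->v;
		size_t i;

		for (i = 0; i < rc->pass->l; i++)
			p[i] = 0;
		vfree(rc->pass);
	}

	racoon_free(rc);
	*xauth_rmconf = NULL;
}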
   1778 
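/*
 * Deep-copy an Xauth remote configuration: the struct is copied and the
 * login and password vchars are duplicated so the copy owns its buffers.
 *
 * Returns the new configuration, or NULL when xauth_rmconf is NULL or an
 * allocation fails (nothing is leaked and the source is untouched).
 */
struct xauth_rmconf *
xauth_rmconf_dup(struct xauth_rmconf *xauth_rmconf)
{
	struct xauth_rmconf *new;

	if (xauth_rmconf == NULL)
		return NULL;

	new = racoon_malloc(sizeof(*new));
	if (new == NULL) {
		plog(LLV_ERROR, LOCATION, NULL,
		    "%s: malloc failed\n", __func__);
		return NULL;
	}

	/*
	 * Shallow copy first, then drop the borrowed buffer pointers so the
	 * error path below can never free the source's login or password.
	 */
	memcpy(new, xauth_rmconf, sizeof(*new));
	new->login = NULL;
	new->pass = NULL;

	if (xauth_rmconf->login != NULL) {
		new->login = vdup(xauth_rmconf->login);
		if (new->login == NULL) {
			plog(LLV_ERROR, LOCATION, NULL,
			    "%s: malloc failed (login)\n", __func__);
			goto out;
		}
	}
	if (xauth_rmconf->pass != NULL) {
		new->pass = vdup(xauth_rmconf->pass);
		if (new->pass == NULL) {
			plog(LLV_ERROR, LOCATION, NULL,
			    "%s: malloc failed (password)\n", __func__);
			goto out;
		}
	}

	return new;

out:
	/* login may still be NULL here (no source login, or its vdup failed) */
	if (new->login != NULL)
		vfree(new->login);
	racoon_free(new);
	return NULL;
}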
   1820