1 /* $NetBSD: isakmp_xauth.c,v 1.34 2021/12/05 02:59:50 msaitoh Exp $ */
2
3 /* Id: isakmp_xauth.c,v 1.38 2006/08/22 18:17:17 manubsd Exp */
4
5 /*
6 * Copyright (C) 2004-2005 Emmanuel Dreyfus
7 * All rights reserved.
8 *
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
11 * are met:
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 * 2. Redistributions in binary form must reproduce the above copyright
15 * notice, this list of conditions and the following disclaimer in the
16 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the project nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * SUCH DAMAGE.
32 */
33
34 #include "config.h"
35
36 #include <sys/types.h>
37 #include <sys/param.h>
38 #include <sys/socket.h>
39 #include <sys/queue.h>
40
41 #include <netinet/in.h>
42
43 #include <assert.h>
44 #include <stdlib.h>
45 #include <stdio.h>
46 #include <string.h>
47 #include <errno.h>
48 #include <pwd.h>
49 #include <grp.h>
50 #if TIME_WITH_SYS_TIME
51 # include <sys/time.h>
52 # include <time.h>
53 #else
54 # if HAVE_SYS_TIME_H
55 # include <sys/time.h>
56 # else
57 # include <time.h>
58 # endif
59 #endif
60 #include <netdb.h>
61 #ifdef HAVE_UNISTD_H
62 #include <unistd.h>
63 #endif
64 #include <ctype.h>
65 #include <resolv.h>
66
67 #ifdef HAVE_SHADOW_H
68 #include <shadow.h>
69 #endif
70
71 #include "var.h"
72 #include "misc.h"
73 #include "vmbuf.h"
74 #include "plog.h"
75 #include "sockmisc.h"
76 #include "schedule.h"
77 #include "debug.h"
78
79 #include "crypto_openssl.h"
80 #include "isakmp_var.h"
81 #include "isakmp.h"
82 #include "admin.h"
83 #include "privsep.h"
84 #include "evt.h"
85 #include "handler.h"
86 #include "throttle.h"
87 #include "remoteconf.h"
88 #include "isakmp_inf.h"
89 #include "isakmp_xauth.h"
90 #include "isakmp_unity.h"
91 #include "isakmp_cfg.h"
92 #include "strnames.h"
93 #include "ipsec_doi.h"
94 #include "remoteconf.h"
95 #include "localconf.h"
96
97 #ifdef HAVE_LIBRADIUS
98 #include <radlib.h>
99 struct rad_handle *radius_auth_state = NULL;
100 struct rad_handle *radius_acct_state = NULL;
101 struct xauth_rad_config xauth_rad_config;
102 #endif
103
104 #ifdef HAVE_LIBPAM
105 #include <security/pam_appl.h>
106
107 static char *PAM_usr = NULL;
108 static char *PAM_pwd = NULL;
109 static int PAM_conv(int, const struct pam_message **,
110 struct pam_response **, void *);
111 static struct pam_conv PAM_chat = { &PAM_conv, NULL };
112 #endif
113
114 #ifdef HAVE_LIBLDAP
115 #include "ldap.h"
116 #include <arpa/inet.h>
117 struct xauth_ldap_config xauth_ldap_config;
118 #endif
119
120 void
xauth_sendreq(iph1)121 xauth_sendreq(iph1)
122 struct ph1handle *iph1;
123 {
124 vchar_t *buffer;
125 struct isakmp_pl_attr *attr;
126 struct isakmp_data *typeattr;
127 struct isakmp_data *usrattr;
128 struct isakmp_data *pwdattr;
129 struct xauth_state *xst = &iph1->mode_cfg->xauth;
130 size_t tlen;
131
132 /* Status checks */
133 if (iph1->status < PHASE1ST_ESTABLISHED) {
134 plog(LLV_ERROR, LOCATION, NULL,
135 "Xauth request while phase 1 is not completed\n");
136 return;
137 }
138
139 if (xst->status != XAUTHST_NOTYET) {
140 plog(LLV_ERROR, LOCATION, NULL,
141 "Xauth request whith Xauth state %d\n", xst->status);
142 return;
143 }
144
145 plog(LLV_INFO, LOCATION, NULL, "Sending Xauth request\n");
146
147 tlen = sizeof(*attr) +
148 + sizeof(*typeattr) +
149 + sizeof(*usrattr) +
150 + sizeof(*pwdattr);
151
152 if ((buffer = vmalloc(tlen)) == NULL) {
153 plog(LLV_ERROR, LOCATION, NULL, "Cannot allocate buffer\n");
154 return;
155 }
156
157 attr = (struct isakmp_pl_attr *)buffer->v;
158 memset(attr, 0, tlen);
159
160 attr->h.len = htons(tlen);
161 attr->type = ISAKMP_CFG_REQUEST;
162 attr->id = htons(eay_random());
163
164 typeattr = (struct isakmp_data *)(attr + 1);
165 typeattr->type = htons(XAUTH_TYPE | ISAKMP_GEN_TV);
166 typeattr->lorv = htons(XAUTH_TYPE_GENERIC);
167
168 usrattr = (struct isakmp_data *)(typeattr + 1);
169 usrattr->type = htons(XAUTH_USER_NAME | ISAKMP_GEN_TLV);
170 usrattr->lorv = htons(0);
171
172 pwdattr = (struct isakmp_data *)(usrattr + 1);
173 pwdattr->type = htons(XAUTH_USER_PASSWORD | ISAKMP_GEN_TLV);
174 pwdattr->lorv = htons(0);
175
176 isakmp_cfg_send(iph1, buffer,
177 ISAKMP_NPTYPE_ATTR, ISAKMP_FLAG_E, 1);
178
179 vfree(buffer);
180
181 xst->status = XAUTHST_REQSENT;
182
183 return;
184 }
185
186 int
xauth_attr_reply(iph1,attr,id)187 xauth_attr_reply(iph1, attr, id)
188 struct ph1handle *iph1;
189 struct isakmp_data *attr;
190 int id;
191 {
192 char **outlet = NULL;
193 size_t alen = 0;
194 int type;
195 struct xauth_state *xst = &iph1->mode_cfg->xauth;
196
197 if ((iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_XAUTH) == 0) {
198 plog(LLV_ERROR, LOCATION, NULL,
199 "Xauth reply but peer did not declare "
200 "itself as Xauth capable\n");
201 return -1;
202 }
203
204 if (xst->status != XAUTHST_REQSENT) {
205 plog(LLV_ERROR, LOCATION, NULL,
206 "Xauth reply while Xauth state is %d\n", xst->status);
207 return -1;
208 }
209
210 type = ntohs(attr->type) & ~ISAKMP_GEN_MASK;
211 switch (type) {
212 case XAUTH_TYPE:
213 switch (ntohs(attr->lorv)) {
214 case XAUTH_TYPE_GENERIC:
215 xst->authtype = XAUTH_TYPE_GENERIC;
216 break;
217 default:
218 plog(LLV_WARNING, LOCATION, NULL,
219 "Unexpected authentication type %d\n",
220 ntohs(type));
221 return -1;
222 }
223 break;
224
225 case XAUTH_USER_NAME:
226 outlet = &xst->authdata.generic.usr;
227 break;
228
229 case XAUTH_USER_PASSWORD:
230 outlet = &xst->authdata.generic.pwd;
231 break;
232
233 default:
234 plog(LLV_WARNING, LOCATION, NULL,
235 "ignored Xauth attribute %d\n", type);
236 break;
237 }
238
239 if (outlet != NULL) {
240 alen = ntohs(attr->lorv);
241
242 if ((*outlet = racoon_malloc(alen + 1)) == NULL) {
243 plog(LLV_ERROR, LOCATION, NULL,
244 "Cannot allocate memory for Xauth Data\n");
245 return -1;
246 }
247
248 memcpy(*outlet, attr + 1, alen);
249 (*outlet)[alen] = '\0';
250 outlet = NULL;
251 }
252
253
254 if ((xst->authdata.generic.usr != NULL) &&
255 (xst->authdata.generic.pwd != NULL)) {
256 int port;
257 int res;
258 char *usr = xst->authdata.generic.usr;
259 char *pwd = xst->authdata.generic.pwd;
260 time_t throttle_delay = 0;
261
262 #if 0 /* Real debug, don't do that at home */
263 plog(LLV_DEBUG, LOCATION, NULL,
264 "Got username \"%s\", password \"%s\"\n", usr, pwd);
265 #endif
266 strncpy(iph1->mode_cfg->login, usr, LOGINLEN);
267 iph1->mode_cfg->login[LOGINLEN] = '\0';
268
269 res = -1;
270 if ((port = isakmp_cfg_getport(iph1)) == -1) {
271 plog(LLV_ERROR, LOCATION, NULL,
272 "Port pool depleted\n");
273 goto skip_auth;
274 }
275
276 switch (isakmp_cfg_config.authsource) {
277 case ISAKMP_CFG_AUTH_SYSTEM:
278 res = privsep_xauth_login_system(usr, pwd);
279 break;
280 #ifdef HAVE_LIBRADIUS
281 case ISAKMP_CFG_AUTH_RADIUS:
282 res = xauth_login_radius(iph1, usr, pwd);
283 break;
284 #endif
285 #ifdef HAVE_LIBPAM
286 case ISAKMP_CFG_AUTH_PAM:
287 res = privsep_xauth_login_pam(iph1->mode_cfg->port,
288 iph1->remote, usr, pwd);
289 break;
290 #endif
291 #ifdef HAVE_LIBLDAP
292 case ISAKMP_CFG_AUTH_LDAP:
293 res = xauth_login_ldap(iph1, usr, pwd);
294 break;
295 #endif
296 default:
297 plog(LLV_ERROR, LOCATION, NULL,
298 "Unexpected authentication source\n");
299 res = -1;
300 break;
301 }
302
303 /*
304 * Optional group authentication
305 */
306 if (!res && (isakmp_cfg_config.groupcount))
307 res = group_check(iph1,
308 isakmp_cfg_config.grouplist,
309 isakmp_cfg_config.groupcount);
310
311 /*
312 * On failure, throttle the connexion for the remote host
313 * in order to make password attacks more difficult.
314 */
315 throttle_delay = throttle_host(iph1->remote, res);
316 if (throttle_delay > 0) {
317 char *str;
318
319 str = saddrwop2str(iph1->remote);
320
321 plog(LLV_ERROR, LOCATION, NULL,
322 "Throttling in action for %s: delay %lds\n",
323 str, (unsigned long)throttle_delay);
324 res = -1;
325 } else {
326 throttle_delay = 0;
327 }
328
329 skip_auth:
330 if (throttle_delay != 0) {
331 struct xauth_reply_arg *xra;
332
333 if ((xra = racoon_calloc(1, sizeof(*xra))) == NULL) {
334 plog(LLV_ERROR, LOCATION, NULL,
335 "malloc failed, bypass throttling\n");
336 return xauth_reply(iph1, port, id, res);
337 }
338
339 /*
340 * We need to store the ph1, but it might have
341 * disapeared when xauth_reply is called, so
342 * store the index instead.
343 */
344 xra->index = iph1->index;
345 xra->port = port;
346 xra->id = id;
347 xra->res = res;
348 sched_schedule(&xra->sc, throttle_delay,
349 xauth_reply_stub);
350 } else {
351 return xauth_reply(iph1, port, id, res);
352 }
353 }
354
355 return 0;
356 }
357
358 void
xauth_reply_stub(sc)359 xauth_reply_stub(sc)
360 struct sched *sc;
361 {
362 struct xauth_reply_arg *xra = container_of(sc, struct xauth_reply_arg, sc);
363 struct ph1handle *iph1;
364
365 if ((iph1 = getph1byindex(&xra->index)) != NULL)
366 (void)xauth_reply(iph1, xra->port, xra->id, xra->res);
367 else
368 plog(LLV_ERROR, LOCATION, NULL,
369 "Delayed Xauth reply: phase 1 no longer exists.\n");
370
371 racoon_free(xra);
372 }
373
374 int
xauth_reply(struct ph1handle * iph1,int port,int id,int res)375 xauth_reply(struct ph1handle *iph1, int port, int id, int res)
376 {
377 struct xauth_state *xst = &iph1->mode_cfg->xauth;
378 char *usr = xst->authdata.generic.usr;
379
380 if (res != 0) {
381 if (port != -1)
382 isakmp_cfg_putport(iph1, port);
383
384 plog(LLV_INFO, LOCATION, NULL,
385 "login failed for user \"%s\"\n", usr);
386
387 xauth_sendstatus(iph1, XAUTH_STATUS_FAIL, id);
388 xst->status = XAUTHST_NOTYET;
389
390 /* Delete Phase 1 SA */
391 if (iph1->status >= PHASE1ST_ESTABLISHED)
392 isakmp_info_send_d1(iph1);
393 remph1(iph1);
394 delph1(iph1);
395
396 return -1;
397 }
398
399 xst->status = XAUTHST_OK;
400 plog(LLV_INFO, LOCATION, NULL,
401 "login succeeded for user \"%s\"\n", usr);
402
403 xauth_sendstatus(iph1, XAUTH_STATUS_OK, id);
404
405 return 0;
406 }
407
408 void
xauth_sendstatus(iph1,status,id)409 xauth_sendstatus(iph1, status, id)
410 struct ph1handle *iph1;
411 int status;
412 int id;
413 {
414 vchar_t *buffer;
415 struct isakmp_pl_attr *attr;
416 struct isakmp_data *stattr;
417 size_t tlen;
418
419 tlen = sizeof(*attr) +
420 + sizeof(*stattr);
421
422 if ((buffer = vmalloc(tlen)) == NULL) {
423 plog(LLV_ERROR, LOCATION, NULL, "Cannot allocate buffer\n");
424 return;
425 }
426
427 attr = (struct isakmp_pl_attr *)buffer->v;
428 memset(attr, 0, tlen);
429
430 attr->h.len = htons(tlen);
431 attr->type = ISAKMP_CFG_SET;
432 attr->id = htons(id);
433
434 stattr = (struct isakmp_data *)(attr + 1);
435 stattr->type = htons(XAUTH_STATUS | ISAKMP_GEN_TV);
436 stattr->lorv = htons(status);
437
438 isakmp_cfg_send(iph1, buffer,
439 ISAKMP_NPTYPE_ATTR, ISAKMP_FLAG_E, 1);
440
441 vfree(buffer);
442
443 return;
444 }
445
446 #ifdef HAVE_LIBRADIUS
447 int
xauth_radius_init_conf(int free)448 xauth_radius_init_conf(int free)
449 {
450 /* free radius config resources */
451 if (free) {
452 int i;
453 for (i = 0; i < xauth_rad_config.auth_server_count; i++) {
454 vfree(xauth_rad_config.auth_server_list[i].host);
455 vfree(xauth_rad_config.auth_server_list[i].secret);
456 }
457 for (i = 0; i < xauth_rad_config.acct_server_count; i++) {
458 vfree(xauth_rad_config.acct_server_list[i].host);
459 vfree(xauth_rad_config.acct_server_list[i].secret);
460 }
461 if (radius_auth_state != NULL) {
462 rad_close(radius_auth_state);
463 radius_auth_state = NULL;
464 }
465 if (radius_acct_state != NULL) {
466 rad_close(radius_acct_state);
467 radius_acct_state = NULL;
468 }
469 }
470
471 /* initialize radius config */
472 memset(&xauth_rad_config, 0, sizeof(xauth_rad_config));
473 return 0;
474 }
475
476 int
xauth_radius_init(void)477 xauth_radius_init(void)
478 {
479 /* For first time use, initialize Radius */
480 if ((isakmp_cfg_config.authsource == ISAKMP_CFG_AUTH_RADIUS) &&
481 (radius_auth_state == NULL)) {
482 if ((radius_auth_state = rad_auth_open()) == NULL) {
483 plog(LLV_ERROR, LOCATION, NULL,
484 "Cannot init libradius\n");
485 return -1;
486 }
487
488 int auth_count = xauth_rad_config.auth_server_count;
489 int auth_added = 0;
490 if (auth_count) {
491 int i;
492 for (i = 0; i < auth_count; i++) {
493 if(!rad_add_server(
494 radius_auth_state,
495 xauth_rad_config.auth_server_list[i].host->v,
496 xauth_rad_config.auth_server_list[i].port,
497 xauth_rad_config.auth_server_list[i].secret->v,
498 xauth_rad_config.timeout,
499 xauth_rad_config.retries ))
500 auth_added++;
501 else
502 plog(LLV_WARNING, LOCATION, NULL,
503 "could not add radius auth server %s\n",
504 xauth_rad_config.auth_server_list[i].host->v);
505 }
506 }
507
508 if (!auth_added) {
509 if (rad_config(radius_auth_state, NULL) != 0) {
510 plog(LLV_ERROR, LOCATION, NULL,
511 "Cannot open libradius config file: %s\n",
512 rad_strerror(radius_auth_state));
513 rad_close(radius_auth_state);
514 radius_auth_state = NULL;
515 return -1;
516 }
517 }
518 }
519
520 if ((isakmp_cfg_config.accounting == ISAKMP_CFG_ACCT_RADIUS) &&
521 (radius_acct_state == NULL)) {
522 if ((radius_acct_state = rad_acct_open()) == NULL) {
523 plog(LLV_ERROR, LOCATION, NULL,
524 "Cannot init libradius\n");
525 return -1;
526 }
527
528 int acct_count = xauth_rad_config.acct_server_count;
529 int acct_added = 0;
530 if (acct_count) {
531 int i;
532 for (i = 0; i < acct_count; i++) {
533 if(!rad_add_server(
534 radius_acct_state,
535 xauth_rad_config.acct_server_list[i].host->v,
536 xauth_rad_config.acct_server_list[i].port,
537 xauth_rad_config.acct_server_list[i].secret->v,
538 xauth_rad_config.timeout,
539 xauth_rad_config.retries ))
540 acct_added++;
541 else
542 plog(LLV_WARNING, LOCATION, NULL,
543 "could not add radius account server %s\n",
544 xauth_rad_config.acct_server_list[i].host->v);
545 }
546 }
547
548 if (!acct_added) {
549 if (rad_config(radius_acct_state, NULL) != 0) {
550 plog(LLV_ERROR, LOCATION, NULL,
551 "Cannot open libradius config file: %s\n",
552 rad_strerror(radius_acct_state));
553 rad_close(radius_acct_state);
554 radius_acct_state = NULL;
555 return -1;
556 }
557 }
558 }
559
560 return 0;
561 }
562
563 int
xauth_login_radius(iph1,usr,pwd)564 xauth_login_radius(iph1, usr, pwd)
565 struct ph1handle *iph1;
566 char *usr;
567 char *pwd;
568 {
569 int res;
570 const void *data;
571 size_t len;
572 int type;
573
574 if (rad_create_request(radius_auth_state, RAD_ACCESS_REQUEST) != 0) {
575 plog(LLV_ERROR, LOCATION, NULL,
576 "rad_create_request failed: %s\n",
577 rad_strerror(radius_auth_state));
578 return -1;
579 }
580
581 if (rad_put_string(radius_auth_state, RAD_USER_NAME, usr) != 0) {
582 plog(LLV_ERROR, LOCATION, NULL,
583 "rad_put_string failed: %s\n",
584 rad_strerror(radius_auth_state));
585 return -1;
586 }
587
588 if (rad_put_string(radius_auth_state, RAD_USER_PASSWORD, pwd) != 0) {
589 plog(LLV_ERROR, LOCATION, NULL,
590 "rad_put_string failed: %s\n",
591 rad_strerror(radius_auth_state));
592 return -1;
593 }
594
595 if (rad_put_string(radius_auth_state, RAD_CALLING_STATION_ID,
596 saddr2str(iph1->remote)) != 0)
597 return -1;
598
599 if (isakmp_cfg_radius_common(radius_auth_state, iph1->mode_cfg->port) != 0)
600 return -1;
601
602 switch (res = rad_send_request(radius_auth_state)) {
603 case RAD_ACCESS_ACCEPT:
604 while ((type = rad_get_attr(radius_auth_state, &data, &len)) != 0) {
605 switch (type) {
606 case RAD_FRAMED_IP_ADDRESS:
607 iph1->mode_cfg->addr4 = rad_cvt_addr(data);
608 iph1->mode_cfg->flags
609 |= ISAKMP_CFG_ADDR4_EXTERN;
610 break;
611
612 case RAD_FRAMED_IP_NETMASK:
613 iph1->mode_cfg->mask4 = rad_cvt_addr(data);
614 iph1->mode_cfg->flags
615 |= ISAKMP_CFG_MASK4_EXTERN;
616 break;
617
618 default:
619 plog(LLV_INFO, LOCATION, NULL,
620 "Unexpected attribute: %d\n", type);
621 break;
622 }
623 }
624
625 return 0;
626 break;
627
628 case RAD_ACCESS_REJECT:
629 return -1;
630 break;
631
632 case -1:
633 plog(LLV_ERROR, LOCATION, NULL,
634 "rad_send_request failed: %s\n",
635 rad_strerror(radius_auth_state));
636 return -1;
637 break;
638 default:
639 plog(LLV_ERROR, LOCATION, NULL,
640 "rad_send_request returned %d\n", res);
641 return -1;
642 break;
643 }
644
645 return -1;
646 }
647 #endif
648
649 #ifdef HAVE_LIBPAM
650 static int
PAM_conv(msg_count,msg,rsp,dontcare)651 PAM_conv(msg_count, msg, rsp, dontcare)
652 int msg_count;
653 const struct pam_message **msg;
654 struct pam_response **rsp;
655 void *dontcare;
656 {
657 int i;
658 struct pam_response *reply = NULL;
659
660 if ((reply = racoon_malloc(sizeof(*reply) * msg_count)) == NULL)
661 return PAM_CONV_ERR;
662 bzero(reply, sizeof(*reply) * msg_count);
663
664 for (i = 0; i < msg_count; i++) {
665 switch (msg[i]->msg_style) {
666 case PAM_PROMPT_ECHO_ON:
667 /* Send the username, libpam frees resp */
668 reply[i].resp_retcode = PAM_SUCCESS;
669 if ((reply[i].resp = strdup(PAM_usr)) == NULL) {
670 plog(LLV_ERROR, LOCATION,
671 NULL, "strdup failed\n");
672 exit(1);
673 }
674 break;
675
676 case PAM_PROMPT_ECHO_OFF:
677 /* Send the password, libpam frees resp */
678 reply[i].resp_retcode = PAM_SUCCESS;
679 if ((reply[i].resp = strdup(PAM_pwd)) == NULL) {
680 plog(LLV_ERROR, LOCATION,
681 NULL, "strdup failed\n");
682 exit(1);
683 }
684 break;
685
686 case PAM_TEXT_INFO:
687 case PAM_ERROR_MSG:
688 reply[i].resp_retcode = PAM_SUCCESS;
689 reply[i].resp = NULL;
690 break;
691
692 default:
693 if (reply != NULL)
694 racoon_free(reply);
695 return PAM_CONV_ERR;
696 break;
697 }
698 }
699
700 if (reply != NULL)
701 *rsp = reply;
702
703 return PAM_SUCCESS;
704 }
705
706 int
xauth_login_pam(port,raddr,usr,pwd)707 xauth_login_pam(port, raddr, usr, pwd)
708 int port;
709 struct sockaddr *raddr;
710 char *usr;
711 char *pwd;
712 {
713 int error;
714 char *remote = NULL;
715 pam_handle_t *pam = NULL;
716
717 if (isakmp_cfg_config.port_pool == NULL) {
718 plog(LLV_ERROR, LOCATION, NULL,
719 "isakmp_cfg_config.port_pool == NULL\n");
720 return -1;
721 }
722
723 if ((error = pam_start("racoon", usr,
724 &PAM_chat, &isakmp_cfg_config.port_pool[port].pam)) != 0) {
725 if (isakmp_cfg_config.port_pool[port].pam == NULL) {
726 plog(LLV_ERROR, LOCATION, NULL, "pam_start failed\n");
727 return -1;
728 } else {
729 plog(LLV_ERROR, LOCATION, NULL,
730 "pam_start failed: %s\n",
731 pam_strerror(isakmp_cfg_config.port_pool[port].pam,
732 error));
733 goto out;
734 }
735 }
736 pam = isakmp_cfg_config.port_pool[port].pam;
737
738 if ((remote = strdup(saddrwop2str(raddr))) == NULL) {
739 plog(LLV_ERROR, LOCATION, NULL,
740 "cannot allocate memory: %s\n", strerror(errno));
741 goto out;
742 }
743
744 if ((error = pam_set_item(pam, PAM_RHOST, remote)) != 0) {
745 plog(LLV_ERROR, LOCATION, NULL,
746 "pam_set_item failed: %s\n",
747 pam_strerror(pam, error));
748 goto out;
749 }
750
751 if ((error = pam_set_item(pam, PAM_RUSER, usr)) != 0) {
752 plog(LLV_ERROR, LOCATION, NULL,
753 "pam_set_item failed: %s\n",
754 pam_strerror(pam, error));
755 goto out;
756 }
757
758 PAM_usr = usr;
759 PAM_pwd = pwd;
760 error = pam_authenticate(pam, 0);
761 PAM_usr = NULL;
762 PAM_pwd = NULL;
763 if (error != 0) {
764 plog(LLV_ERROR, LOCATION, NULL,
765 "pam_authenticate failed: %s\n",
766 pam_strerror(pam, error));
767 goto out;
768 }
769
770 if ((error = pam_acct_mgmt(pam, 0)) != 0) {
771 plog(LLV_ERROR, LOCATION, NULL,
772 "pam_acct_mgmt failed: %s\n",
773 pam_strerror(pam, error));
774 goto out;
775 }
776
777 if ((error = pam_setcred(pam, 0)) != 0) {
778 plog(LLV_ERROR, LOCATION, NULL,
779 "pam_setcred failed: %s\n",
780 pam_strerror(pam, error));
781 goto out;
782 }
783
784 if (remote != NULL)
785 free(remote);
786
787 return 0;
788
789 out:
790 pam_end(pam, error);
791 isakmp_cfg_config.port_pool[port].pam = NULL;
792 if (remote != NULL)
793 free(remote);
794 return -1;
795 }
796 #endif
797
798 #ifdef HAVE_LIBLDAP
799 int
xauth_ldap_init_conf(void)800 xauth_ldap_init_conf(void)
801 {
802 int tmplen;
803 int error = -1;
804
805 xauth_ldap_config.pver = 3;
806 xauth_ldap_config.debug = 0;
807 xauth_ldap_config.timeout = -1;
808 xauth_ldap_config.uri = NULL;
809 xauth_ldap_config.host = NULL;
810 xauth_ldap_config.port = LDAP_PORT;
811 xauth_ldap_config.tls = 0;
812 xauth_ldap_config.base = NULL;
813 xauth_ldap_config.subtree = 0;
814 xauth_ldap_config.bind_dn = NULL;
815 xauth_ldap_config.bind_pw = NULL;
816 xauth_ldap_config.auth_type = LDAP_AUTH_SIMPLE;
817 xauth_ldap_config.attr_user = NULL;
818 xauth_ldap_config.attr_addr = NULL;
819 xauth_ldap_config.attr_mask = NULL;
820 xauth_ldap_config.attr_group = NULL;
821 xauth_ldap_config.attr_member = NULL;
822
823 /* set default host */
824 tmplen = strlen(LDAP_DFLT_HOST);
825 xauth_ldap_config.host = vmalloc(tmplen);
826 if (xauth_ldap_config.host == NULL)
827 goto out;
828 memcpy(xauth_ldap_config.host->v, LDAP_DFLT_HOST, tmplen);
829
830 /* set default user naming attribute */
831 tmplen = strlen(LDAP_DFLT_USER);
832 xauth_ldap_config.attr_user = vmalloc(tmplen);
833 if (xauth_ldap_config.attr_user == NULL)
834 goto out;
835 memcpy(xauth_ldap_config.attr_user->v, LDAP_DFLT_USER, tmplen);
836
837 /* set default address attribute */
838 tmplen = strlen(LDAP_DFLT_ADDR);
839 xauth_ldap_config.attr_addr = vmalloc(tmplen);
840 if (xauth_ldap_config.attr_addr == NULL)
841 goto out;
842 memcpy(xauth_ldap_config.attr_addr->v, LDAP_DFLT_ADDR, tmplen);
843
844 /* set default netmask attribute */
845 tmplen = strlen(LDAP_DFLT_MASK);
846 xauth_ldap_config.attr_mask = vmalloc(tmplen);
847 if (xauth_ldap_config.attr_mask == NULL)
848 goto out;
849 memcpy(xauth_ldap_config.attr_mask->v, LDAP_DFLT_MASK, tmplen);
850
851 /* set default group naming attribute */
852 tmplen = strlen(LDAP_DFLT_GROUP);
853 xauth_ldap_config.attr_group = vmalloc(tmplen);
854 if (xauth_ldap_config.attr_group == NULL)
855 goto out;
856 memcpy(xauth_ldap_config.attr_group->v, LDAP_DFLT_GROUP, tmplen);
857
858 /* set default member attribute */
859 tmplen = strlen(LDAP_DFLT_MEMBER);
860 xauth_ldap_config.attr_member = vmalloc(tmplen);
861 if (xauth_ldap_config.attr_member == NULL)
862 goto out;
863 memcpy(xauth_ldap_config.attr_member->v, LDAP_DFLT_MEMBER, tmplen);
864
865 error = 0;
866 out:
867 if (error != 0)
868 plog(LLV_ERROR, LOCATION, NULL, "cannot allocate memory\n");
869
870 return error;
871 }
872
873 int
xauth_login_ldap(iph1,usr,pwd)874 xauth_login_ldap(iph1, usr, pwd)
875 struct ph1handle *iph1;
876 char *usr;
877 char *pwd;
878 {
879 int rtn = -1;
880 int res = -1;
881 LDAP *ld = NULL;
882 LDAPMessage *lr = NULL;
883 LDAPMessage *le = NULL;
884 struct berval cred;
885 struct berval **bv = NULL;
886 struct timeval timeout;
887 char *init = NULL;
888 char *filter = NULL;
889 char *atlist[3];
890 char *basedn = NULL;
891 char *userdn = NULL;
892 int tmplen = 0;
893 int ecount = 0;
894 int scope = LDAP_SCOPE_ONE;
895
896 atlist[0] = NULL;
897 atlist[1] = NULL;
898 atlist[2] = NULL;
899
900 if (xauth_ldap_config.uri != NULL) {
901 tmplen = strlen(xauth_ldap_config.uri->v);
902 init = racoon_malloc(tmplen);
903 if (init == NULL) {
904 plog(LLV_ERROR, LOCATION, NULL,
905 "unable to alloc ldap init url\n");
906 goto ldap_end;
907 }
908 sprintf(init,"%s", xauth_ldap_config.uri->v);
909 } else {
910 /* build our initialization url */
911 tmplen = strlen("ldap://:") + 17;
912 tmplen += strlen(xauth_ldap_config.host->v);
913 init = racoon_malloc(tmplen);
914 if (init == NULL) {
915 plog(LLV_ERROR, LOCATION, NULL,
916 "unable to alloc ldap init url\n");
917 goto ldap_end;
918 }
919 sprintf(init,"ldap://%s:%d",
920 xauth_ldap_config.host->v,
921 xauth_ldap_config.port );
922 }
923 /* initialize the debug level */
924 ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, &xauth_ldap_config.debug);
925 ber_set_option(NULL, LBER_OPT_DEBUG_LEVEL, &xauth_ldap_config.debug);
926
927 plog(LLV_DEBUG, LOCATION, NULL, "ldap URI: %s\n", init);
928 /* initialize the ldap handle */
929 res = ldap_initialize(&ld, init);
930 if (res != LDAP_SUCCESS) {
931 plog(LLV_ERROR, LOCATION, NULL,
932 "ldap_initialize failed: %s\n",
933 ldap_err2string(res));
934 goto ldap_end;
935 }
936
937 /* initialize the protocol version */
938 if ((res = ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION,
939 &xauth_ldap_config.pver)) != LDAP_OPT_SUCCESS) {
940 plog(LLV_ERROR, LOCATION, NULL,
941 "LDAP_OPT_PROTOCOL_VERSION %d failed: %s\n",
942 xauth_ldap_config.pver,
943 ldap_err2string(res));
944 goto ldap_end;
945 }
946
947 if (xauth_ldap_config.timeout > 0) {
948 static struct timeval timeout;
949 timeout.tv_sec = xauth_ldap_config.timeout;
950 timeout.tv_usec = 0;
951 if ((res = ldap_set_option(ld, LDAP_OPT_NETWORK_TIMEOUT,
952 (void *)&timeout)) != LDAP_OPT_SUCCESS) {
953 plog(LLV_ERROR, LOCATION, NULL,
954 "LDAP_OPT_NETWORK_TIMEOUT %d failed: %s\n",
955 xauth_ldap_config.timeout,
956 ldap_err2string(res));
957 goto ldap_end;
958 }
959 }
960
961 /* Enable TLS */
962 if (xauth_ldap_config.tls) {
963 res = ldap_start_tls_s(ld, NULL, NULL);
964 if (res != LDAP_SUCCESS) {
965 plog(LLV_ERROR, LOCATION, NULL,
966 "ldap_start_tls_s failed: %s\n",
967 ldap_err2string(res));
968 goto ldap_end;
969 }
970 }
971
972 /*
973 * attempt to bind to the ldap server.
974 * default to anonymous bind unless a
975 * user dn and password has been
976 * specified in our configuration
977 */
978 if ((xauth_ldap_config.bind_dn != NULL)&&
979 (xauth_ldap_config.bind_pw != NULL))
980 {
981 cred.bv_val = xauth_ldap_config.bind_pw->v;
982 cred.bv_len = strlen( cred.bv_val );
983 res = ldap_sasl_bind_s(ld,
984 xauth_ldap_config.bind_dn->v, LDAP_SASL_SIMPLE, &cred,
985 NULL, NULL, NULL);
986 }
987 else
988 {
989 cred.bv_val = NULL;
990 cred.bv_len = 0;
991 res = ldap_sasl_bind_s(ld,
992 NULL, LDAP_SASL_SIMPLE, &cred,
993 NULL, NULL, NULL);
994 }
995
996 if (res!=LDAP_SUCCESS) {
997 plog(LLV_ERROR, LOCATION, NULL,
998 "ldap_sasl_bind_s (search) failed: %s\n",
999 ldap_err2string(res));
1000 goto ldap_end;
1001 }
1002
1003 /* build an ldap user search filter */
1004 tmplen = strlen(xauth_ldap_config.attr_user->v);
1005 tmplen += 1;
1006 tmplen += strlen(usr);
1007 tmplen += 1;
1008 filter = racoon_malloc(tmplen);
1009 if (filter == NULL) {
1010 plog(LLV_ERROR, LOCATION, NULL,
1011 "unable to alloc ldap search filter buffer\n");
1012 goto ldap_end;
1013 }
1014 sprintf(filter, "%s=%s",
1015 xauth_ldap_config.attr_user->v, usr);
1016
1017 /* build our return attribute list */
1018 tmplen = strlen(xauth_ldap_config.attr_addr->v) + 1;
1019 atlist[0] = racoon_malloc(tmplen);
1020 tmplen = strlen(xauth_ldap_config.attr_mask->v) + 1;
1021 atlist[1] = racoon_malloc(tmplen);
1022 if ((atlist[0] == NULL)||(atlist[1] == NULL)) {
1023 plog(LLV_ERROR, LOCATION, NULL,
1024 "unable to alloc ldap attrib list buffer\n");
1025 goto ldap_end;
1026 }
1027 strcpy(atlist[0],xauth_ldap_config.attr_addr->v);
1028 strcpy(atlist[1],xauth_ldap_config.attr_mask->v);
1029
1030 /* attempt to locate the user dn */
1031 if (xauth_ldap_config.base != NULL)
1032 basedn = xauth_ldap_config.base->v;
1033 if (xauth_ldap_config.subtree)
1034 scope = LDAP_SCOPE_SUBTREE;
1035 timeout.tv_sec = 15;
1036 timeout.tv_usec = 0;
1037 res = ldap_search_ext_s(ld, basedn, scope,
1038 filter, atlist, 0, NULL, NULL,
1039 &timeout, 2, &lr);
1040 if (res != LDAP_SUCCESS) {
1041 plog(LLV_ERROR, LOCATION, NULL,
1042 "ldap_search_ext_s failed: %s\n",
1043 ldap_err2string(res));
1044 goto ldap_end;
1045 }
1046
1047 /* check the number of ldap entries returned */
1048 ecount = ldap_count_entries(ld, lr);
1049 if (ecount < 1) {
1050 plog(LLV_WARNING, LOCATION, NULL,
1051 "no ldap results for filter \'%s\'\n",
1052 filter);
1053 goto ldap_end;
1054 }
1055 if (ecount > 1) {
1056 plog(LLV_WARNING, LOCATION, NULL,
1057 "multiple (%i) ldap results for filter \'%s\'\n",
1058 ecount, filter);
1059 }
1060
1061 /* obtain the dn from the first result */
1062 le = ldap_first_entry(ld, lr);
1063 if (le == NULL) {
1064 plog(LLV_ERROR, LOCATION, NULL,
1065 "ldap_first_entry failed: invalid entry returned\n");
1066 goto ldap_end;
1067 }
1068 userdn = ldap_get_dn(ld, le);
1069 if (userdn == NULL) {
1070 plog(LLV_ERROR, LOCATION, NULL,
1071 "ldap_get_dn failed: invalid string returned\n");
1072 goto ldap_end;
1073 }
1074
1075 /* cache the user dn in the xauth state */
1076 iph1->mode_cfg->xauth.udn = racoon_malloc(strlen(userdn)+1);
1077 strcpy(iph1->mode_cfg->xauth.udn,userdn);
1078
1079 /* retrieve modecfg address */
1080 bv = ldap_get_values_len(ld, le, xauth_ldap_config.attr_addr->v);
1081 if (bv != NULL) {
1082 char tmpaddr[16];
1083 /* sanity check for address value */
1084 if ((bv[0]->bv_len < 7)||(bv[0]->bv_len > 15)) {
1085 plog(LLV_DEBUG, LOCATION, NULL,
1086 "ldap returned invalid modecfg address\n");
1087 ldap_value_free_len(bv);
1088 goto ldap_end;
1089 }
1090 memcpy(tmpaddr,bv[0]->bv_val,bv[0]->bv_len);
1091 tmpaddr[bv[0]->bv_len]=0;
1092 iph1->mode_cfg->addr4.s_addr = inet_addr(tmpaddr);
1093 iph1->mode_cfg->flags |= ISAKMP_CFG_ADDR4_EXTERN;
1094 plog(LLV_INFO, LOCATION, NULL,
1095 "ldap returned modecfg address %s\n", tmpaddr);
1096 ldap_value_free_len(bv);
1097 }
1098
1099 /* retrieve modecfg netmask */
1100 bv = ldap_get_values_len(ld, le, xauth_ldap_config.attr_mask->v);
1101 if (bv != NULL) {
1102 char tmpmask[16];
1103 /* sanity check for netmask value */
1104 if ((bv[0]->bv_len < 7)||(bv[0]->bv_len > 15)) {
1105 plog(LLV_DEBUG, LOCATION, NULL,
1106 "ldap returned invalid modecfg netmask\n");
1107 ldap_value_free_len(bv);
1108 goto ldap_end;
1109 }
1110 memcpy(tmpmask,bv[0]->bv_val,bv[0]->bv_len);
1111 tmpmask[bv[0]->bv_len]=0;
1112 iph1->mode_cfg->mask4.s_addr = inet_addr(tmpmask);
1113 iph1->mode_cfg->flags |= ISAKMP_CFG_MASK4_EXTERN;
1114 plog(LLV_INFO, LOCATION, NULL,
1115 "ldap returned modecfg netmask %s\n", tmpmask);
1116 ldap_value_free_len(bv);
1117 }
1118
1119 /*
1120 * finally, use the dn and the xauth
1121 * password to check the users given
1122 * credentials by attempting to bind
1123 * to the ldap server
1124 */
1125 plog(LLV_INFO, LOCATION, NULL,
1126 "attempting ldap bind for dn \'%s\'\n", userdn);
1127 cred.bv_val = pwd;
1128 cred.bv_len = strlen( cred.bv_val );
1129 res = ldap_sasl_bind_s(ld,
1130 userdn, NULL, &cred,
1131 NULL, NULL, NULL);
1132 if(res==LDAP_SUCCESS)
1133 rtn = 0;
1134
1135 ldap_end:
1136
1137 /* free ldap resources */
1138 if (userdn != NULL)
1139 ldap_memfree(userdn);
1140 if (atlist[0] != NULL)
1141 racoon_free(atlist[0]);
1142 if (atlist[1] != NULL)
1143 racoon_free(atlist[1]);
1144 if (filter != NULL)
1145 racoon_free(filter);
1146 if (lr != NULL)
1147 ldap_msgfree(lr);
1148 if (init != NULL)
1149 racoon_free(init);
1150
1151 ldap_unbind_ext_s(ld, NULL, NULL);
1152
1153 return rtn;
1154 }
1155
1156 int
xauth_group_ldap(udn,grp)1157 xauth_group_ldap(udn, grp)
1158 char * udn;
1159 char * grp;
1160 {
1161 int rtn = -1;
1162 int res = -1;
1163 LDAP *ld = NULL;
1164 LDAPMessage *lr = NULL;
1165 LDAPMessage *le = NULL;
1166 struct berval cred;
1167 struct timeval timeout;
1168 char *init = NULL;
1169 char *filter = NULL;
1170 char *basedn = NULL;
1171 char *groupdn = NULL;
1172 int tmplen = 0;
1173 int ecount = 0;
1174 int scope = LDAP_SCOPE_ONE;
1175
1176 /* build our initialization url */
1177 tmplen = strlen("ldap://:") + 17;
1178 tmplen += strlen(xauth_ldap_config.host->v);
1179 init = racoon_malloc(tmplen);
1180 if (init == NULL) {
1181 plog(LLV_ERROR, LOCATION, NULL,
1182 "unable to alloc ldap init url\n");
1183 goto ldap_group_end;
1184 }
1185 sprintf(init,"ldap://%s:%d",
1186 xauth_ldap_config.host->v,
1187 xauth_ldap_config.port );
1188
1189 /* initialize the ldap handle */
1190 res = ldap_initialize(&ld, init);
1191 if (res != LDAP_SUCCESS) {
1192 plog(LLV_ERROR, LOCATION, NULL,
1193 "ldap_initialize failed: %s\n",
1194 ldap_err2string(res));
1195 goto ldap_group_end;
1196 }
1197
1198 /* initialize the protocol version */
1199 ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION,
1200 &xauth_ldap_config.pver);
1201
1202 /* Enable TLS */
1203 if (xauth_ldap_config.tls) {
1204 res = ldap_start_tls_s(ld, NULL, NULL);
1205 if (res != LDAP_SUCCESS) {
1206 plog(LLV_ERROR, LOCATION, NULL,
1207 "ldap_start_tls_s failed: %s\n",
1208 ldap_err2string(res));
1209 goto ldap_group_end;
1210 }
1211 }
1212
1213 /*
1214 * attempt to bind to the ldap server.
1215 * default to anonymous bind unless a
1216 * user dn and password has been
1217 * specified in our configuration
1218 */
1219 if ((xauth_ldap_config.bind_dn != NULL)&&
1220 (xauth_ldap_config.bind_pw != NULL))
1221 {
1222 cred.bv_val = xauth_ldap_config.bind_pw->v;
1223 cred.bv_len = strlen( cred.bv_val );
1224 res = ldap_sasl_bind_s(ld,
1225 xauth_ldap_config.bind_dn->v, NULL, &cred,
1226 NULL, NULL, NULL);
1227 }
1228 else
1229 {
1230 res = ldap_sasl_bind_s(ld,
1231 NULL, NULL, NULL,
1232 NULL, NULL, NULL);
1233 }
1234
1235 if (res!=LDAP_SUCCESS) {
1236 plog(LLV_ERROR, LOCATION, NULL,
1237 "ldap_sasl_bind_s (search) failed: %s\n",
1238 ldap_err2string(res));
1239 goto ldap_group_end;
1240 }
1241
1242 /* build an ldap group search filter */
1243 tmplen = strlen("(&(=)(=))") + 1;
1244 tmplen += strlen(xauth_ldap_config.attr_group->v);
1245 tmplen += strlen(grp);
1246 tmplen += strlen(xauth_ldap_config.attr_member->v);
1247 tmplen += strlen(udn);
1248 filter = racoon_malloc(tmplen);
1249 if (filter == NULL) {
1250 plog(LLV_ERROR, LOCATION, NULL,
1251 "unable to alloc ldap search filter buffer\n");
1252 goto ldap_group_end;
1253 }
1254 sprintf(filter, "(&(%s=%s)(%s=%s))",
1255 xauth_ldap_config.attr_group->v, grp,
1256 xauth_ldap_config.attr_member->v, udn);
1257
1258 /* attempt to locate the group dn */
1259 if (xauth_ldap_config.base != NULL)
1260 basedn = xauth_ldap_config.base->v;
1261 if (xauth_ldap_config.subtree)
1262 scope = LDAP_SCOPE_SUBTREE;
1263 timeout.tv_sec = 15;
1264 timeout.tv_usec = 0;
1265 res = ldap_search_ext_s(ld, basedn, scope,
1266 filter, NULL, 0, NULL, NULL,
1267 &timeout, 2, &lr);
1268 if (res != LDAP_SUCCESS) {
1269 plog(LLV_ERROR, LOCATION, NULL,
1270 "ldap_search_ext_s failed: %s\n",
1271 ldap_err2string(res));
1272 goto ldap_group_end;
1273 }
1274
1275 /* check the number of ldap entries returned */
1276 ecount = ldap_count_entries(ld, lr);
1277 if (ecount < 1) {
1278 plog(LLV_WARNING, LOCATION, NULL,
1279 "no ldap results for filter \'%s\'\n",
1280 filter);
1281 goto ldap_group_end;
1282 }
1283
1284 /* success */
1285 rtn = 0;
1286
1287 /* obtain the dn from the first result */
1288 le = ldap_first_entry(ld, lr);
1289 if (le == NULL) {
1290 plog(LLV_ERROR, LOCATION, NULL,
1291 "ldap_first_entry failed: invalid entry returned\n");
1292 goto ldap_group_end;
1293 }
1294 groupdn = ldap_get_dn(ld, le);
1295 if (groupdn == NULL) {
1296 plog(LLV_ERROR, LOCATION, NULL,
1297 "ldap_get_dn failed: invalid string returned\n");
1298 goto ldap_group_end;
1299 }
1300
1301 plog(LLV_INFO, LOCATION, NULL,
1302 "ldap membership group returned \'%s\'\n", groupdn);
1303 ldap_group_end:
1304
1305 /* free ldap resources */
1306 if (groupdn != NULL)
1307 ldap_memfree(groupdn);
1308 if (filter != NULL)
1309 racoon_free(filter);
1310 if (lr != NULL)
1311 ldap_msgfree(lr);
1312 if (init != NULL)
1313 racoon_free(init);
1314
1315 ldap_unbind_ext_s(ld, NULL, NULL);
1316
1317 return rtn;
1318 }
1319
1320 #endif
1321
1322 int
xauth_login_system(usr,pwd)1323 xauth_login_system(usr, pwd)
1324 char *usr;
1325 char *pwd;
1326 {
1327 struct passwd *pw;
1328 char *cryptpwd;
1329 char *syscryptpwd;
1330 #ifdef HAVE_SHADOW_H
1331 struct spwd *spw;
1332
1333 if ((spw = getspnam(usr)) == NULL)
1334 return -1;
1335
1336 syscryptpwd = spw->sp_pwdp;
1337 #endif
1338
1339 if ((pw = getpwnam(usr)) == NULL)
1340 return -1;
1341
1342 #ifndef HAVE_SHADOW_H
1343 syscryptpwd = pw->pw_passwd;
1344 #endif
1345
1346 /* No root login. Ever. */
1347 if (pw->pw_uid == 0)
1348 return -1;
1349
1350 if ((cryptpwd = crypt(pwd, syscryptpwd)) == NULL)
1351 return -1;
1352
1353 if (strcmp(cryptpwd, syscryptpwd) == 0)
1354 return 0;
1355
1356 return -1;
1357 }
1358
1359 static int
xauth_group_system(char * usr,char * grp)1360 xauth_group_system(char *usr, char *grp)
1361 {
1362 struct group * gr;
1363 char * member;
1364 int index = 0;
1365
1366 gr = getgrnam(grp);
1367 if (gr == NULL) {
1368 plog(LLV_ERROR, LOCATION, NULL,
1369 "the system group name \'%s\' is unknown\n",
1370 grp);
1371 return -1;
1372 }
1373
1374 while ((member = gr->gr_mem[index++])!=NULL) {
1375 if (!strcmp(member,usr)) {
1376 plog(LLV_INFO, LOCATION, NULL,
1377 "membership validated\n");
1378 return 0;
1379 }
1380 }
1381
1382 return -1;
1383 }
1384
1385 int
xauth_check(iph1)1386 xauth_check(iph1)
1387 struct ph1handle *iph1;
1388 {
1389 struct xauth_state *xst = &iph1->mode_cfg->xauth;
1390
1391 /*
1392 * Only the server side (edge device) really check for Xauth
1393 * status. It does it if the chose authmethod is using Xauth.
1394 * On the client side (roadwarrior), we don't check anything.
1395 */
1396 switch (iph1->approval->authmethod) {
1397 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_R:
1398 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_R:
1399 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_R:
1400 /* The following are not yet implemented */
1401 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_R:
1402 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_R:
1403 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_R:
1404 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_R:
1405 if ((iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_XAUTH) == 0) {
1406 plog(LLV_ERROR, LOCATION, NULL,
1407 "Hybrid auth negotiated but peer did not "
1408 "announced as Xauth capable\n");
1409 return -1;
1410 }
1411
1412 if (xst->status != XAUTHST_OK) {
1413 plog(LLV_ERROR, LOCATION, NULL,
1414 "Hybrid auth negotiated but peer did not "
1415 "succeed Xauth exchange\n");
1416 return -1;
1417 }
1418
1419 return 0;
1420 break;
1421 default:
1422 return 0;
1423 break;
1424 }
1425
1426 return 0;
1427 }
1428
1429 int
group_check(iph1,grp_list,grp_count)1430 group_check(iph1, grp_list, grp_count)
1431 struct ph1handle *iph1;
1432 char **grp_list;
1433 int grp_count;
1434 {
1435 int res = -1;
1436 int grp_index = 0;
1437 char * usr = NULL;
1438
1439 /* check for presence of modecfg data */
1440
1441 if(iph1->mode_cfg == NULL) {
1442 plog(LLV_ERROR, LOCATION, NULL,
1443 "xauth group specified but modecfg not found\n");
1444 return res;
1445 }
1446
1447 /* loop through our group list */
1448
1449 for(; grp_index < grp_count; grp_index++) {
1450
1451 /* check for presence of xauth data */
1452
1453 usr = iph1->mode_cfg->xauth.authdata.generic.usr;
1454
1455 if(usr == NULL) {
1456 plog(LLV_ERROR, LOCATION, NULL,
1457 "xauth group specified but xauth not found\n");
1458 return res;
1459 }
1460
1461 /* call appropriate group validation function */
1462
1463 switch (isakmp_cfg_config.groupsource) {
1464
1465 case ISAKMP_CFG_GROUP_SYSTEM:
1466 res = xauth_group_system(
1467 usr,
1468 grp_list[grp_index]);
1469 break;
1470
1471 #ifdef HAVE_LIBLDAP
1472 case ISAKMP_CFG_GROUP_LDAP:
1473 res = xauth_group_ldap(
1474 iph1->mode_cfg->xauth.udn,
1475 grp_list[grp_index]);
1476 break;
1477 #endif
1478
1479 default:
1480 /* we should never get here */
1481 plog(LLV_ERROR, LOCATION, NULL,
1482 "Unknown group auth source\n");
1483 break;
1484 }
1485
1486 if( !res ) {
1487 plog(LLV_INFO, LOCATION, NULL,
1488 "user \"%s\" is a member of group \"%s\"\n",
1489 usr,
1490 grp_list[grp_index]);
1491 break;
1492 } else {
1493 plog(LLV_INFO, LOCATION, NULL,
1494 "user \"%s\" is not a member of group \"%s\"\n",
1495 usr,
1496 grp_list[grp_index]);
1497 }
1498 }
1499
1500 return res;
1501 }
1502
1503 vchar_t *
isakmp_xauth_req(iph1,attr)1504 isakmp_xauth_req(iph1, attr)
1505 struct ph1handle *iph1;
1506 struct isakmp_data *attr;
1507 {
1508 int type;
1509 size_t dlen = 0;
1510 int ashort = 0;
1511 int value = 0;
1512 vchar_t *buffer = NULL;
1513 char *mraw = NULL, *mdata;
1514 char *data;
1515 vchar_t *usr = NULL;
1516 vchar_t *pwd = NULL;
1517 size_t skip = 0;
1518 int freepwd = 0;
1519
1520 if ((iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_XAUTH) == 0) {
1521 plog(LLV_ERROR, LOCATION, NULL,
1522 "Xauth mode config request but peer "
1523 "did not declare itself as Xauth capable\n");
1524 return NULL;
1525 }
1526
1527 type = ntohs(attr->type) & ~ISAKMP_GEN_MASK;
1528
1529 /* Sanity checks */
1530 switch(type) {
1531 case XAUTH_TYPE:
1532 if ((ntohs(attr->type) & ISAKMP_GEN_TV) == 0) {
1533 plog(LLV_ERROR, LOCATION, NULL,
1534 "Unexpected long XAUTH_TYPE attribute\n");
1535 return NULL;
1536 }
1537 if (ntohs(attr->lorv) != XAUTH_TYPE_GENERIC) {
1538 plog(LLV_ERROR, LOCATION, NULL,
1539 "Unsupported Xauth authentication %d\n",
1540 ntohs(attr->lorv));
1541 return NULL;
1542 }
1543 ashort = 1;
1544 dlen = 0;
1545 value = XAUTH_TYPE_GENERIC;
1546 break;
1547
1548 case XAUTH_USER_NAME:
1549 if (!iph1->rmconf->xauth || !iph1->rmconf->xauth->login) {
1550 plog(LLV_ERROR, LOCATION, NULL, "Xauth performed "
1551 "with no login supplied\n");
1552 return NULL;
1553 }
1554
1555 dlen = iph1->rmconf->xauth->login->l - 1;
1556 iph1->rmconf->xauth->state |= XAUTH_SENT_USERNAME;
1557 break;
1558
1559 case XAUTH_USER_PASSWORD:
1560 if (!iph1->rmconf->xauth || !iph1->rmconf->xauth->login)
1561 return NULL;
1562
1563 skip = sizeof(struct ipsecdoi_id_b);
1564 usr = vmalloc(iph1->rmconf->xauth->login->l - 1 + skip);
1565 if (usr == NULL) {
1566 plog(LLV_ERROR, LOCATION, NULL,
1567 "Cannot allocate memory\n");
1568 return NULL;
1569 }
1570 memset(usr->v, 0, skip);
1571 memcpy(usr->v + skip,
1572 iph1->rmconf->xauth->login->v,
1573 iph1->rmconf->xauth->login->l - 1);
1574
1575 if (iph1->rmconf->xauth->pass) {
1576 /* A key given through racoonctl */
1577 pwd = iph1->rmconf->xauth->pass;
1578 } else {
1579 if ((pwd = getpskbyname(usr)) == NULL) {
1580 plog(LLV_ERROR, LOCATION, NULL,
1581 "No password was found for login %s\n",
1582 iph1->rmconf->xauth->login->v);
1583 vfree(usr);
1584 return NULL;
1585 }
1586 /* We have to free it before returning */
1587 freepwd = 1;
1588 }
1589 vfree(usr);
1590
1591 iph1->rmconf->xauth->state |= XAUTH_SENT_PASSWORD;
1592 dlen = pwd->l;
1593
1594 break;
1595 case XAUTH_MESSAGE:
1596 if ((ntohs(attr->type) & ISAKMP_GEN_TV) == 0) {
1597 dlen = ntohs(attr->lorv);
1598 if (dlen > 0) {
1599 mraw = (char*)(attr + 1);
1600 mdata = binsanitize(mraw, dlen);
1601 if (mdata == NULL) {
1602 plog(LLV_ERROR, LOCATION, iph1->remote,
1603 "Cannot allocate memory\n");
1604 return NULL;
1605 }
1606 plog(LLV_NOTIFY,LOCATION, iph1->remote,
1607 "XAUTH Message: '%s'.\n",
1608 mdata);
1609 racoon_free(mdata);
1610 }
1611 }
1612 return NULL;
1613 default:
1614 plog(LLV_WARNING, LOCATION, NULL,
1615 "Ignored attribute %s\n", s_isakmp_cfg_type(type));
1616 return NULL;
1617 break;
1618 }
1619
1620 if ((buffer = vmalloc(sizeof(*attr) + dlen)) == NULL) {
1621 plog(LLV_ERROR, LOCATION, NULL,
1622 "Cannot allocate memory\n");
1623 goto out;
1624 }
1625
1626 attr = (struct isakmp_data *)buffer->v;
1627 if (ashort) {
1628 attr->type = htons(type | ISAKMP_GEN_TV);
1629 attr->lorv = htons(value);
1630 goto out;
1631 }
1632
1633 attr->type = htons(type | ISAKMP_GEN_TLV);
1634 attr->lorv = htons(dlen);
1635 data = (char *)(attr + 1);
1636
1637 switch(type) {
1638 case XAUTH_USER_NAME:
1639 /*
1640 * iph1->rmconf->xauth->login->v is valid,
1641 * we just checked it in the previous switch case
1642 */
1643 memcpy(data, iph1->rmconf->xauth->login->v, dlen);
1644 break;
1645 case XAUTH_USER_PASSWORD:
1646 memcpy(data, pwd->v, dlen);
1647 break;
1648 default:
1649 break;
1650 }
1651
1652 out:
1653 if (freepwd)
1654 vfree(pwd);
1655
1656 return buffer;
1657 }
1658
1659 vchar_t *
isakmp_xauth_set(iph1,attr)1660 isakmp_xauth_set(iph1, attr)
1661 struct ph1handle *iph1;
1662 struct isakmp_data *attr;
1663 {
1664 int type;
1665 vchar_t *buffer = NULL;
1666 struct xauth_state *xst;
1667 size_t dlen = 0;
1668 char* mraw = NULL, *mdata;
1669
1670 if ((iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_XAUTH) == 0) {
1671 plog(LLV_ERROR, LOCATION, NULL,
1672 "Xauth mode config set but peer "
1673 "did not declare itself as Xauth capable\n");
1674 return NULL;
1675 }
1676
1677 type = ntohs(attr->type) & ~ISAKMP_GEN_MASK;
1678
1679 switch(type) {
1680 case XAUTH_STATUS:
1681 /*
1682 * We should only receive ISAKMP mode_cfg SET XAUTH_STATUS
1683 * when running as a client (initiator).
1684 */
1685 xst = &iph1->mode_cfg->xauth;
1686 switch (iph1->approval->authmethod) {
1687 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I:
1688 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_I:
1689 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_I:
1690 /* Not implemented ... */
1691 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_I:
1692 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_I:
1693 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_I:
1694 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_I:
1695 break;
1696 default:
1697 plog(LLV_ERROR, LOCATION, NULL,
1698 "Unexpected XAUTH_STATUS_OK\n");
1699 return NULL;
1700 break;
1701 }
1702
1703 /* If we got a failure, delete iph1 */
1704 if (ntohs(attr->lorv) != XAUTH_STATUS_OK) {
1705 plog(LLV_ERROR, LOCATION, NULL,
1706 "Xauth authentication failed\n");
1707
1708 evt_phase1(iph1, EVT_PHASE1_XAUTH_FAILED, NULL);
1709
1710 iph1->mode_cfg->flags |= ISAKMP_CFG_DELETE_PH1;
1711 } else {
1712 evt_phase1(iph1, EVT_PHASE1_XAUTH_SUCCESS, NULL);
1713 }
1714
1715
1716 /* We acknowledge it */
1717 break;
1718 case XAUTH_MESSAGE:
1719 if ((ntohs(attr->type) & ISAKMP_GEN_TV) == 0) {
1720 dlen = ntohs(attr->lorv);
1721 if (dlen > 0) {
1722 mraw = (char*)(attr + 1);
1723 mdata = binsanitize(mraw, dlen);
1724 if (mdata == NULL) {
1725 plog(LLV_ERROR, LOCATION, iph1->remote,
1726 "Cannot allocate memory\n");
1727 return NULL;
1728 }
1729 plog(LLV_NOTIFY,LOCATION, iph1->remote,
1730 "XAUTH Message: '%s'.\n",
1731 mdata);
1732 racoon_free(mdata);
1733 }
1734 }
1735
1736 default:
1737 plog(LLV_WARNING, LOCATION, NULL,
1738 "Ignored attribute %s\n", s_isakmp_cfg_type(type));
1739 return NULL;
1740 break;
1741 }
1742
1743 if ((buffer = vmalloc(sizeof(*attr))) == NULL) {
1744 plog(LLV_ERROR, LOCATION, NULL,
1745 "Cannot allocate memory\n");
1746 return NULL;
1747 }
1748
1749 attr = (struct isakmp_data *)buffer->v;
1750 attr->type = htons(type | ISAKMP_GEN_TV);
1751 attr->lorv = htons(0);
1752
1753 return buffer;
1754 }
1755
1756
1757 void
xauth_rmstate(xst)1758 xauth_rmstate(xst)
1759 struct xauth_state *xst;
1760 {
1761 switch (xst->authtype) {
1762 case XAUTH_TYPE_GENERIC:
1763 if (xst->authdata.generic.usr)
1764 racoon_free(xst->authdata.generic.usr);
1765
1766 if (xst->authdata.generic.pwd)
1767 racoon_free(xst->authdata.generic.pwd);
1768
1769 break;
1770
1771 case XAUTH_TYPE_CHAP:
1772 case XAUTH_TYPE_OTP:
1773 case XAUTH_TYPE_SKEY:
1774 plog(LLV_WARNING, LOCATION, NULL,
1775 "Unsupported authtype %d\n", xst->authtype);
1776 break;
1777
1778 default:
1779 plog(LLV_WARNING, LOCATION, NULL,
1780 "Unexpected authtype %d\n", xst->authtype);
1781 break;
1782 }
1783
1784 #ifdef HAVE_LIBLDAP
1785 if (xst->udn != NULL)
1786 racoon_free(xst->udn);
1787 #endif
1788 return;
1789 }
1790
1791 int
xauth_rmconf_used(xauth_rmconf)1792 xauth_rmconf_used(xauth_rmconf)
1793 struct xauth_rmconf **xauth_rmconf;
1794 {
1795 if (*xauth_rmconf == NULL) {
1796 *xauth_rmconf = racoon_malloc(sizeof(**xauth_rmconf));
1797 if (*xauth_rmconf == NULL) {
1798 plog(LLV_ERROR, LOCATION, NULL,
1799 "xauth_rmconf_used: malloc failed\n");
1800 return -1;
1801 }
1802
1803 (*xauth_rmconf)->login = NULL;
1804 (*xauth_rmconf)->pass = NULL;
1805 (*xauth_rmconf)->state = 0;
1806 }
1807
1808 return 0;
1809 }
1810
1811 void
xauth_rmconf_delete(xauth_rmconf)1812 xauth_rmconf_delete(xauth_rmconf)
1813 struct xauth_rmconf **xauth_rmconf;
1814 {
1815 if (*xauth_rmconf != NULL) {
1816 if ((*xauth_rmconf)->login != NULL)
1817 vfree((*xauth_rmconf)->login);
1818 if ((*xauth_rmconf)->pass != NULL)
1819 vfree((*xauth_rmconf)->pass);
1820
1821 racoon_free(*xauth_rmconf);
1822 *xauth_rmconf = NULL;
1823 }
1824
1825 return;
1826 }
1827
1828 struct xauth_rmconf *
xauth_rmconf_dup(xauth_rmconf)1829 xauth_rmconf_dup(xauth_rmconf)
1830 struct xauth_rmconf *xauth_rmconf;
1831 {
1832 struct xauth_rmconf *new;
1833
1834 if (xauth_rmconf != NULL) {
1835 new = racoon_malloc(sizeof(*new));
1836 if (new == NULL) {
1837 plog(LLV_ERROR, LOCATION, NULL,
1838 "%s: malloc failed\n", __func__);
1839 return NULL;
1840 }
1841
1842 memcpy(new, xauth_rmconf, sizeof(*new));
1843
1844 if (xauth_rmconf->login != NULL) {
1845 new->login = vdup(xauth_rmconf->login);
1846 if (new->login == NULL) {
1847 plog(LLV_ERROR, LOCATION, NULL,
1848 "%s: malloc failed (login)\n", __func__);
1849 goto out;
1850 }
1851 }
1852 if (xauth_rmconf->pass != NULL) {
1853 new->pass = vdup(xauth_rmconf->pass);
1854 if (new->pass == NULL) {
1855 plog(LLV_ERROR, LOCATION, NULL,
1856 "%s: malloc failed (password)\n", __func__);
1857 goto out;
1858 }
1859 }
1860
1861 return new;
1862 }
1863
1864 return NULL;
1865 out:
1866 vfree(new->login);
1867 racoon_free(new);
1868 return NULL;
1869 }
1870