1 /* $NetBSD: isakmp_xauth.c,v 1.22 2011/03/14 15:50:36 vanhu Exp $ */ 2 3 /* Id: isakmp_xauth.c,v 1.38 2006/08/22 18:17:17 manubsd Exp */ 4 5 /* 6 * Copyright (C) 2004-2005 Emmanuel Dreyfus 7 * All rights reserved. 8 * 9 * Redistribution and use in source and binary forms, with or without 10 * modification, are permitted provided that the following conditions 11 * are met: 12 * 1. Redistributions of source code must retain the above copyright 13 * notice, this list of conditions and the following disclaimer. 14 * 2. Redistributions in binary form must reproduce the above copyright 15 * notice, this list of conditions and the following disclaimer in the 16 * documentation and/or other materials provided with the distribution. 17 * 3. Neither the name of the project nor the names of its contributors 18 * may be used to endorse or promote products derived from this software 19 * without specific prior written permission. 20 * 21 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND 22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 24 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE 25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 31 * SUCH DAMAGE. 32 */ 33 34 #include "config.h" 35 36 #include <sys/types.h> 37 #include <sys/param.h> 38 #include <sys/socket.h> 39 #include <sys/queue.h> 40 41 #include <netinet/in.h> 42 43 #include <assert.h> 44 #include <stdlib.h> 45 #include <stdio.h> 46 #include <string.h> 47 #include <errno.h> 48 #include <pwd.h> 49 #include <grp.h> 50 #if TIME_WITH_SYS_TIME 51 # include <sys/time.h> 52 # include <time.h> 53 #else 54 # if HAVE_SYS_TIME_H 55 # include <sys/time.h> 56 # else 57 # include <time.h> 58 # endif 59 #endif 60 #include <netdb.h> 61 #ifdef HAVE_UNISTD_H 62 #include <unistd.h> 63 #endif 64 #include <ctype.h> 65 #include <resolv.h> 66 67 #ifdef HAVE_SHADOW_H 68 #include <shadow.h> 69 #endif 70 71 #include "var.h" 72 #include "misc.h" 73 #include "vmbuf.h" 74 #include "plog.h" 75 #include "sockmisc.h" 76 #include "schedule.h" 77 #include "debug.h" 78 79 #include "crypto_openssl.h" 80 #include "isakmp_var.h" 81 #include "isakmp.h" 82 #include "admin.h" 83 #include "privsep.h" 84 #include "evt.h" 85 #include "handler.h" 86 #include "throttle.h" 87 #include "remoteconf.h" 88 #include "isakmp_inf.h" 89 #include "isakmp_xauth.h" 90 #include "isakmp_unity.h" 91 #include "isakmp_cfg.h" 92 #include "strnames.h" 93 #include "ipsec_doi.h" 94 #include "remoteconf.h" 95 #include "localconf.h" 96 97 #ifdef HAVE_LIBRADIUS 98 #include <radlib.h> 99 struct rad_handle *radius_auth_state = NULL; 100 struct rad_handle *radius_acct_state = NULL; 101 struct xauth_rad_config xauth_rad_config; 102 #endif 103 104 #ifdef HAVE_LIBPAM 105 #include <security/pam_appl.h> 106 107 static char *PAM_usr = NULL; 108 static char *PAM_pwd = NULL; 109 static int PAM_conv(int, const struct pam_message **, 110 struct pam_response **, void *); 111 static struct pam_conv PAM_chat = { &PAM_conv, NULL }; 112 #endif 113 114 #ifdef HAVE_LIBLDAP 115 #include "ldap.h" 116 #include <arpa/inet.h> 117 struct xauth_ldap_config xauth_ldap_config; 118 #endif 119 120 void 121 xauth_sendreq(iph1) 122 struct ph1handle *iph1; 123 { 124 vchar_t *buffer; 125 struct isakmp_pl_attr *attr; 126 struct isakmp_data *typeattr; 127 struct isakmp_data *usrattr; 128 struct isakmp_data *pwdattr; 129 struct xauth_state *xst = &iph1->mode_cfg->xauth; 130 size_t tlen; 131 132 /* Status checks */ 133 if (iph1->status < PHASE1ST_ESTABLISHED) { 134 plog(LLV_ERROR, LOCATION, NULL, 135 "Xauth request while phase 1 is not completed\n"); 136 return; 137 } 138 139 if (xst->status != XAUTHST_NOTYET) { 140 plog(LLV_ERROR, LOCATION, NULL, 141 "Xauth request whith Xauth state %d\n", xst->status); 142 return; 143 } 144 145 plog(LLV_INFO, LOCATION, NULL, "Sending Xauth request\n"); 146 147 tlen = sizeof(*attr) + 148 + sizeof(*typeattr) + 149 + sizeof(*usrattr) + 150 + sizeof(*pwdattr); 151 152 if ((buffer = vmalloc(tlen)) == NULL) { 153 plog(LLV_ERROR, LOCATION, NULL, "Cannot allocate buffer\n"); 154 return; 155 } 156 157 attr = (struct isakmp_pl_attr *)buffer->v; 158 memset(attr, 0, tlen); 159 160 attr->h.len = htons(tlen); 161 attr->type = ISAKMP_CFG_REQUEST; 162 attr->id = htons(eay_random()); 163 164 typeattr = (struct isakmp_data *)(attr + 1); 165 typeattr->type = htons(XAUTH_TYPE | ISAKMP_GEN_TV); 166 typeattr->lorv = htons(XAUTH_TYPE_GENERIC); 167 168 usrattr = (struct isakmp_data *)(typeattr + 1); 169 usrattr->type = htons(XAUTH_USER_NAME | ISAKMP_GEN_TLV); 170 usrattr->lorv = htons(0); 171 172 pwdattr = (struct isakmp_data *)(usrattr + 1); 173 pwdattr->type = htons(XAUTH_USER_PASSWORD | ISAKMP_GEN_TLV); 174 pwdattr->lorv = htons(0); 175 176 isakmp_cfg_send(iph1, buffer, 177 ISAKMP_NPTYPE_ATTR, ISAKMP_FLAG_E, 1); 178 179 vfree(buffer); 180 181 xst->status = XAUTHST_REQSENT; 182 183 return; 184 } 185 186 int 187 xauth_attr_reply(iph1, attr, id) 188 struct ph1handle *iph1; 189 struct isakmp_data *attr; 190 int id; 191 { 192 char **outlet = NULL; 193 size_t alen = 0; 194 int type; 195 struct xauth_state *xst = &iph1->mode_cfg->xauth; 196 197 if ((iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_XAUTH) == 0) { 198 plog(LLV_ERROR, LOCATION, NULL, 199 "Xauth reply but peer did not declare " 200 "itself as Xauth capable\n"); 201 return -1; 202 } 203 204 if (xst->status != XAUTHST_REQSENT) { 205 plog(LLV_ERROR, LOCATION, NULL, 206 "Xauth reply while Xauth state is %d\n", xst->status); 207 return -1; 208 } 209 210 type = ntohs(attr->type) & ~ISAKMP_GEN_MASK; 211 switch (type) { 212 case XAUTH_TYPE: 213 switch (ntohs(attr->lorv)) { 214 case XAUTH_TYPE_GENERIC: 215 xst->authtype = XAUTH_TYPE_GENERIC; 216 break; 217 default: 218 plog(LLV_WARNING, LOCATION, NULL, 219 "Unexpected authentication type %d\n", 220 ntohs(type)); 221 return -1; 222 } 223 break; 224 225 case XAUTH_USER_NAME: 226 outlet = &xst->authdata.generic.usr; 227 break; 228 229 case XAUTH_USER_PASSWORD: 230 outlet = &xst->authdata.generic.pwd; 231 break; 232 233 default: 234 plog(LLV_WARNING, LOCATION, NULL, 235 "ignored Xauth attribute %d\n", type); 236 break; 237 } 238 239 if (outlet != NULL) { 240 alen = ntohs(attr->lorv); 241 242 if ((*outlet = racoon_malloc(alen + 1)) == NULL) { 243 plog(LLV_ERROR, LOCATION, NULL, 244 "Cannot allocate memory for Xauth Data\n"); 245 return -1; 246 } 247 248 memcpy(*outlet, attr + 1, alen); 249 (*outlet)[alen] = '\0'; 250 outlet = NULL; 251 } 252 253 254 if ((xst->authdata.generic.usr != NULL) && 255 (xst->authdata.generic.pwd != NULL)) { 256 int port; 257 int res; 258 char *usr = xst->authdata.generic.usr; 259 char *pwd = xst->authdata.generic.pwd; 260 time_t throttle_delay = 0; 261 262 #if 0 /* Real debug, don't do that at home */ 263 plog(LLV_DEBUG, LOCATION, NULL, 264 "Got username \"%s\", password \"%s\"\n", usr, pwd); 265 #endif 266 strncpy(iph1->mode_cfg->login, usr, LOGINLEN); 267 iph1->mode_cfg->login[LOGINLEN] = '\0'; 268 269 res = -1; 270 if ((port = isakmp_cfg_getport(iph1)) == -1) { 271 plog(LLV_ERROR, LOCATION, NULL, 272 "Port pool depleted\n"); 273 goto skip_auth; 274 } 275 276 switch (isakmp_cfg_config.authsource) { 277 case ISAKMP_CFG_AUTH_SYSTEM: 278 res = privsep_xauth_login_system(usr, pwd); 279 break; 280 #ifdef HAVE_LIBRADIUS 281 case ISAKMP_CFG_AUTH_RADIUS: 282 res = xauth_login_radius(iph1, usr, pwd); 283 break; 284 #endif 285 #ifdef HAVE_LIBPAM 286 case ISAKMP_CFG_AUTH_PAM: 287 res = privsep_xauth_login_pam(iph1->mode_cfg->port, 288 iph1->remote, usr, pwd); 289 break; 290 #endif 291 #ifdef HAVE_LIBLDAP 292 case ISAKMP_CFG_AUTH_LDAP: 293 res = xauth_login_ldap(iph1, usr, pwd); 294 break; 295 #endif 296 default: 297 plog(LLV_ERROR, LOCATION, NULL, 298 "Unexpected authentication source\n"); 299 res = -1; 300 break; 301 } 302 303 /* 304 * Optional group authentication 305 */ 306 if (!res && (isakmp_cfg_config.groupcount)) 307 res = group_check(iph1, 308 isakmp_cfg_config.grouplist, 309 isakmp_cfg_config.groupcount); 310 311 /* 312 * On failure, throttle the connexion for the remote host 313 * in order to make password attacks more difficult. 314 */ 315 throttle_delay = throttle_host(iph1->remote, res); 316 if (throttle_delay > 0) { 317 char *str; 318 319 str = saddrwop2str(iph1->remote); 320 321 plog(LLV_ERROR, LOCATION, NULL, 322 "Throttling in action for %s: delay %lds\n", 323 str, (unsigned long)throttle_delay); 324 res = -1; 325 } else { 326 throttle_delay = 0; 327 } 328 329 skip_auth: 330 if (throttle_delay != 0) { 331 struct xauth_reply_arg *xra; 332 333 if ((xra = racoon_calloc(1, sizeof(*xra))) == NULL) { 334 plog(LLV_ERROR, LOCATION, NULL, 335 "malloc failed, bypass throttling\n"); 336 return xauth_reply(iph1, port, id, res); 337 } 338 339 /* 340 * We need to store the ph1, but it might have 341 * disapeared when xauth_reply is called, so 342 * store the index instead. 343 */ 344 xra->index = iph1->index; 345 xra->port = port; 346 xra->id = id; 347 xra->res = res; 348 sched_schedule(&xra->sc, throttle_delay, 349 xauth_reply_stub); 350 } else { 351 return xauth_reply(iph1, port, id, res); 352 } 353 } 354 355 return 0; 356 } 357 358 void 359 xauth_reply_stub(sc) 360 struct sched *sc; 361 { 362 struct xauth_reply_arg *xra = container_of(sc, struct xauth_reply_arg, sc); 363 struct ph1handle *iph1; 364 365 if ((iph1 = getph1byindex(&xra->index)) != NULL) 366 (void)xauth_reply(iph1, xra->port, xra->id, xra->res); 367 else 368 plog(LLV_ERROR, LOCATION, NULL, 369 "Delayed Xauth reply: phase 1 no longer exists.\n"); 370 371 racoon_free(xra); 372 } 373 374 int 375 xauth_reply(iph1, port, id, res) 376 struct ph1handle *iph1; 377 int port; 378 int id; 379 { 380 struct xauth_state *xst = &iph1->mode_cfg->xauth; 381 char *usr = xst->authdata.generic.usr; 382 383 if (res != 0) { 384 if (port != -1) 385 isakmp_cfg_putport(iph1, port); 386 387 plog(LLV_INFO, LOCATION, NULL, 388 "login failed for user \"%s\"\n", usr); 389 390 xauth_sendstatus(iph1, XAUTH_STATUS_FAIL, id); 391 xst->status = XAUTHST_NOTYET; 392 393 /* Delete Phase 1 SA */ 394 if (iph1->status >= PHASE1ST_ESTABLISHED) 395 isakmp_info_send_d1(iph1); 396 remph1(iph1); 397 delph1(iph1); 398 399 return -1; 400 } 401 402 xst->status = XAUTHST_OK; 403 plog(LLV_INFO, LOCATION, NULL, 404 "login succeeded for user \"%s\"\n", usr); 405 406 xauth_sendstatus(iph1, XAUTH_STATUS_OK, id); 407 408 return 0; 409 } 410 411 void 412 xauth_sendstatus(iph1, status, id) 413 struct ph1handle *iph1; 414 int status; 415 int id; 416 { 417 vchar_t *buffer; 418 struct isakmp_pl_attr *attr; 419 struct isakmp_data *stattr; 420 size_t tlen; 421 422 tlen = sizeof(*attr) + 423 + sizeof(*stattr); 424 425 if ((buffer = vmalloc(tlen)) == NULL) { 426 plog(LLV_ERROR, LOCATION, NULL, "Cannot allocate buffer\n"); 427 return; 428 } 429 430 attr = (struct isakmp_pl_attr *)buffer->v; 431 memset(attr, 0, tlen); 432 433 attr->h.len = htons(tlen); 434 attr->type = ISAKMP_CFG_SET; 435 attr->id = htons(id); 436 437 stattr = (struct isakmp_data *)(attr + 1); 438 stattr->type = htons(XAUTH_STATUS | ISAKMP_GEN_TV); 439 stattr->lorv = htons(status); 440 441 isakmp_cfg_send(iph1, buffer, 442 ISAKMP_NPTYPE_ATTR, ISAKMP_FLAG_E, 1); 443 444 vfree(buffer); 445 446 return; 447 } 448 449 #ifdef HAVE_LIBRADIUS 450 int 451 xauth_radius_init_conf(int free) 452 { 453 /* free radius config resources */ 454 if (free) { 455 int i; 456 for (i = 0; i < xauth_rad_config.auth_server_count; i++) { 457 vfree(xauth_rad_config.auth_server_list[i].host); 458 vfree(xauth_rad_config.auth_server_list[i].secret); 459 } 460 for (i = 0; i < xauth_rad_config.acct_server_count; i++) { 461 vfree(xauth_rad_config.acct_server_list[i].host); 462 vfree(xauth_rad_config.acct_server_list[i].secret); 463 } 464 if (radius_auth_state != NULL) 465 rad_close(radius_auth_state); 466 if (radius_acct_state != NULL) 467 rad_close(radius_acct_state); 468 } 469 470 /* initialize radius config */ 471 memset(&xauth_rad_config, 0, sizeof(xauth_rad_config)); 472 return 0; 473 } 474 475 int 476 xauth_radius_init(void) 477 { 478 /* For first time use, initialize Radius */ 479 if ((isakmp_cfg_config.authsource == ISAKMP_CFG_AUTH_RADIUS) && 480 (radius_auth_state == NULL)) { 481 if ((radius_auth_state = rad_auth_open()) == NULL) { 482 plog(LLV_ERROR, LOCATION, NULL, 483 "Cannot init libradius\n"); 484 return -1; 485 } 486 487 int auth_count = xauth_rad_config.auth_server_count; 488 int auth_added = 0; 489 if (auth_count) { 490 int i; 491 for (i = 0; i < auth_count; i++) { 492 if(!rad_add_server( 493 radius_auth_state, 494 xauth_rad_config.auth_server_list[i].host->v, 495 xauth_rad_config.auth_server_list[i].port, 496 xauth_rad_config.auth_server_list[i].secret->v, 497 xauth_rad_config.timeout, 498 xauth_rad_config.retries )) 499 auth_added++; 500 else 501 plog(LLV_WARNING, LOCATION, NULL, 502 "could not add radius auth server %s\n", 503 xauth_rad_config.auth_server_list[i].host->v); 504 } 505 } 506 507 if (!auth_added) { 508 if (rad_config(radius_auth_state, NULL) != 0) { 509 plog(LLV_ERROR, LOCATION, NULL, 510 "Cannot open libradius config file: %s\n", 511 rad_strerror(radius_auth_state)); 512 rad_close(radius_auth_state); 513 radius_auth_state = NULL; 514 return -1; 515 } 516 } 517 } 518 519 if ((isakmp_cfg_config.accounting == ISAKMP_CFG_ACCT_RADIUS) && 520 (radius_acct_state == NULL)) { 521 if ((radius_acct_state = rad_acct_open()) == NULL) { 522 plog(LLV_ERROR, LOCATION, NULL, 523 "Cannot init libradius\n"); 524 return -1; 525 } 526 527 int acct_count = xauth_rad_config.acct_server_count; 528 int acct_added = 0; 529 if (acct_count) { 530 int i; 531 for (i = 0; i < acct_count; i++) { 532 if(!rad_add_server( 533 radius_acct_state, 534 xauth_rad_config.acct_server_list[i].host->v, 535 xauth_rad_config.acct_server_list[i].port, 536 xauth_rad_config.acct_server_list[i].secret->v, 537 xauth_rad_config.timeout, 538 xauth_rad_config.retries )) 539 acct_added++; 540 else 541 plog(LLV_WARNING, LOCATION, NULL, 542 "could not add radius account server %s\n", 543 xauth_rad_config.acct_server_list[i].host->v); 544 } 545 } 546 547 if (!acct_added) { 548 if (rad_config(radius_acct_state, NULL) != 0) { 549 plog(LLV_ERROR, LOCATION, NULL, 550 "Cannot open libradius config file: %s\n", 551 rad_strerror(radius_acct_state)); 552 rad_close(radius_acct_state); 553 radius_acct_state = NULL; 554 return -1; 555 } 556 } 557 } 558 559 return 0; 560 } 561 562 int 563 xauth_login_radius(iph1, usr, pwd) 564 struct ph1handle *iph1; 565 char *usr; 566 char *pwd; 567 { 568 int res; 569 const void *data; 570 size_t len; 571 int type; 572 573 if (rad_create_request(radius_auth_state, RAD_ACCESS_REQUEST) != 0) { 574 plog(LLV_ERROR, LOCATION, NULL, 575 "rad_create_request failed: %s\n", 576 rad_strerror(radius_auth_state)); 577 return -1; 578 } 579 580 if (rad_put_string(radius_auth_state, RAD_USER_NAME, usr) != 0) { 581 plog(LLV_ERROR, LOCATION, NULL, 582 "rad_put_string failed: %s\n", 583 rad_strerror(radius_auth_state)); 584 return -1; 585 } 586 587 if (rad_put_string(radius_auth_state, RAD_USER_PASSWORD, pwd) != 0) { 588 plog(LLV_ERROR, LOCATION, NULL, 589 "rad_put_string failed: %s\n", 590 rad_strerror(radius_auth_state)); 591 return -1; 592 } 593 594 if (isakmp_cfg_radius_common(radius_auth_state, iph1->mode_cfg->port) != 0) 595 return -1; 596 597 switch (res = rad_send_request(radius_auth_state)) { 598 case RAD_ACCESS_ACCEPT: 599 while ((type = rad_get_attr(radius_auth_state, &data, &len)) != 0) { 600 switch (type) { 601 case RAD_FRAMED_IP_ADDRESS: 602 iph1->mode_cfg->addr4 = rad_cvt_addr(data); 603 iph1->mode_cfg->flags 604 |= ISAKMP_CFG_ADDR4_EXTERN; 605 break; 606 607 case RAD_FRAMED_IP_NETMASK: 608 iph1->mode_cfg->mask4 = rad_cvt_addr(data); 609 iph1->mode_cfg->flags 610 |= ISAKMP_CFG_MASK4_EXTERN; 611 break; 612 613 default: 614 plog(LLV_INFO, LOCATION, NULL, 615 "Unexpected attribute: %d\n", type); 616 break; 617 } 618 } 619 620 return 0; 621 break; 622 623 case RAD_ACCESS_REJECT: 624 return -1; 625 break; 626 627 case -1: 628 plog(LLV_ERROR, LOCATION, NULL, 629 "rad_send_request failed: %s\n", 630 rad_strerror(radius_auth_state)); 631 return -1; 632 break; 633 default: 634 plog(LLV_ERROR, LOCATION, NULL, 635 "rad_send_request returned %d\n", res); 636 return -1; 637 break; 638 } 639 640 return -1; 641 } 642 #endif 643 644 #ifdef HAVE_LIBPAM 645 static int 646 PAM_conv(msg_count, msg, rsp, dontcare) 647 int msg_count; 648 const struct pam_message **msg; 649 struct pam_response **rsp; 650 void *dontcare; 651 { 652 int i; 653 int replies = 0; 654 struct pam_response *reply = NULL; 655 656 if ((reply = racoon_malloc(sizeof(*reply) * msg_count)) == NULL) 657 return PAM_CONV_ERR; 658 bzero(reply, sizeof(*reply) * msg_count); 659 660 for (i = 0; i < msg_count; i++) { 661 switch (msg[i]->msg_style) { 662 case PAM_PROMPT_ECHO_ON: 663 /* Send the username, libpam frees resp */ 664 reply[i].resp_retcode = PAM_SUCCESS; 665 if ((reply[i].resp = strdup(PAM_usr)) == NULL) { 666 plog(LLV_ERROR, LOCATION, 667 NULL, "strdup failed\n"); 668 exit(1); 669 } 670 break; 671 672 case PAM_PROMPT_ECHO_OFF: 673 /* Send the password, libpam frees resp */ 674 reply[i].resp_retcode = PAM_SUCCESS; 675 if ((reply[i].resp = strdup(PAM_pwd)) == NULL) { 676 plog(LLV_ERROR, LOCATION, 677 NULL, "strdup failed\n"); 678 exit(1); 679 } 680 break; 681 682 case PAM_TEXT_INFO: 683 case PAM_ERROR_MSG: 684 reply[i].resp_retcode = PAM_SUCCESS; 685 reply[i].resp = NULL; 686 break; 687 688 default: 689 if (reply != NULL) 690 racoon_free(reply); 691 return PAM_CONV_ERR; 692 break; 693 } 694 } 695 696 if (reply != NULL) 697 *rsp = reply; 698 699 return PAM_SUCCESS; 700 } 701 702 int 703 xauth_login_pam(port, raddr, usr, pwd) 704 int port; 705 struct sockaddr *raddr; 706 char *usr; 707 char *pwd; 708 { 709 int error; 710 int res; 711 const void *data; 712 size_t len; 713 int type; 714 char *remote = NULL; 715 pam_handle_t *pam = NULL; 716 717 if (isakmp_cfg_config.port_pool == NULL) { 718 plog(LLV_ERROR, LOCATION, NULL, 719 "isakmp_cfg_config.port_pool == NULL\n"); 720 return -1; 721 } 722 723 if ((error = pam_start("racoon", usr, 724 &PAM_chat, &isakmp_cfg_config.port_pool[port].pam)) != 0) { 725 if (isakmp_cfg_config.port_pool[port].pam == NULL) { 726 plog(LLV_ERROR, LOCATION, NULL, "pam_start failed\n"); 727 return -1; 728 } else { 729 plog(LLV_ERROR, LOCATION, NULL, 730 "pam_start failed: %s\n", 731 pam_strerror(isakmp_cfg_config.port_pool[port].pam, 732 error)); 733 goto out; 734 } 735 } 736 pam = isakmp_cfg_config.port_pool[port].pam; 737 738 if ((remote = strdup(saddrwop2str(raddr))) == NULL) { 739 plog(LLV_ERROR, LOCATION, NULL, 740 "cannot allocate memory: %s\n", strerror(errno)); 741 goto out; 742 } 743 744 if ((error = pam_set_item(pam, PAM_RHOST, remote)) != 0) { 745 plog(LLV_ERROR, LOCATION, NULL, 746 "pam_set_item failed: %s\n", 747 pam_strerror(pam, error)); 748 goto out; 749 } 750 751 if ((error = pam_set_item(pam, PAM_RUSER, usr)) != 0) { 752 plog(LLV_ERROR, LOCATION, NULL, 753 "pam_set_item failed: %s\n", 754 pam_strerror(pam, error)); 755 goto out; 756 } 757 758 PAM_usr = usr; 759 PAM_pwd = pwd; 760 error = pam_authenticate(pam, 0); 761 PAM_usr = NULL; 762 PAM_pwd = NULL; 763 if (error != 0) { 764 plog(LLV_ERROR, LOCATION, NULL, 765 "pam_authenticate failed: %s\n", 766 pam_strerror(pam, error)); 767 goto out; 768 } 769 770 if ((error = pam_acct_mgmt(pam, 0)) != 0) { 771 plog(LLV_ERROR, LOCATION, NULL, 772 "pam_acct_mgmt failed: %s\n", 773 pam_strerror(pam, error)); 774 goto out; 775 } 776 777 if ((error = pam_setcred(pam, 0)) != 0) { 778 plog(LLV_ERROR, LOCATION, NULL, 779 "pam_setcred failed: %s\n", 780 pam_strerror(pam, error)); 781 goto out; 782 } 783 784 if (remote != NULL) 785 free(remote); 786 787 return 0; 788 789 out: 790 pam_end(pam, error); 791 isakmp_cfg_config.port_pool[port].pam = NULL; 792 if (remote != NULL) 793 free(remote); 794 return -1; 795 } 796 #endif 797 798 #ifdef HAVE_LIBLDAP 799 int 800 xauth_ldap_init_conf(void) 801 { 802 int tmplen; 803 int error = -1; 804 805 xauth_ldap_config.pver = 3; 806 xauth_ldap_config.host = NULL; 807 xauth_ldap_config.port = LDAP_PORT; 808 xauth_ldap_config.base = NULL; 809 xauth_ldap_config.subtree = 0; 810 xauth_ldap_config.bind_dn = NULL; 811 xauth_ldap_config.bind_pw = NULL; 812 xauth_ldap_config.auth_type = LDAP_AUTH_SIMPLE; 813 xauth_ldap_config.attr_user = NULL; 814 xauth_ldap_config.attr_addr = NULL; 815 xauth_ldap_config.attr_mask = NULL; 816 xauth_ldap_config.attr_group = NULL; 817 xauth_ldap_config.attr_member = NULL; 818 819 /* set default host */ 820 tmplen = strlen(LDAP_DFLT_HOST); 821 xauth_ldap_config.host = vmalloc(tmplen); 822 if (xauth_ldap_config.host == NULL) 823 goto out; 824 memcpy(xauth_ldap_config.host->v, LDAP_DFLT_HOST, tmplen); 825 826 /* set default user naming attribute */ 827 tmplen = strlen(LDAP_DFLT_USER); 828 xauth_ldap_config.attr_user = vmalloc(tmplen); 829 if (xauth_ldap_config.attr_user == NULL) 830 goto out; 831 memcpy(xauth_ldap_config.attr_user->v, LDAP_DFLT_USER, tmplen); 832 833 /* set default address attribute */ 834 tmplen = strlen(LDAP_DFLT_ADDR); 835 xauth_ldap_config.attr_addr = vmalloc(tmplen); 836 if (xauth_ldap_config.attr_addr == NULL) 837 goto out; 838 memcpy(xauth_ldap_config.attr_addr->v, LDAP_DFLT_ADDR, tmplen); 839 840 /* set default netmask attribute */ 841 tmplen = strlen(LDAP_DFLT_MASK); 842 xauth_ldap_config.attr_mask = vmalloc(tmplen); 843 if (xauth_ldap_config.attr_mask == NULL) 844 goto out; 845 memcpy(xauth_ldap_config.attr_mask->v, LDAP_DFLT_MASK, tmplen); 846 847 /* set default group naming attribute */ 848 tmplen = strlen(LDAP_DFLT_GROUP); 849 xauth_ldap_config.attr_group = vmalloc(tmplen); 850 if (xauth_ldap_config.attr_group == NULL) 851 goto out; 852 memcpy(xauth_ldap_config.attr_group->v, LDAP_DFLT_GROUP, tmplen); 853 854 /* set default member attribute */ 855 tmplen = strlen(LDAP_DFLT_MEMBER); 856 xauth_ldap_config.attr_member = vmalloc(tmplen); 857 if (xauth_ldap_config.attr_member == NULL) 858 goto out; 859 memcpy(xauth_ldap_config.attr_member->v, LDAP_DFLT_MEMBER, tmplen); 860 861 error = 0; 862 out: 863 if (error != 0) 864 plog(LLV_ERROR, LOCATION, NULL, "cannot allocate memory\n"); 865 866 return error; 867 } 868 869 int 870 xauth_login_ldap(iph1, usr, pwd) 871 struct ph1handle *iph1; 872 char *usr; 873 char *pwd; 874 { 875 int rtn = -1; 876 int res = -1; 877 LDAP *ld = NULL; 878 LDAPMessage *lr = NULL; 879 LDAPMessage *le = NULL; 880 struct berval cred; 881 struct berval **bv = NULL; 882 struct timeval timeout; 883 char *init = NULL; 884 char *filter = NULL; 885 char *atlist[3]; 886 char *basedn = NULL; 887 char *userdn = NULL; 888 int tmplen = 0; 889 int ecount = 0; 890 int scope = LDAP_SCOPE_ONE; 891 892 atlist[0] = NULL; 893 atlist[1] = NULL; 894 atlist[2] = NULL; 895 896 /* build our initialization url */ 897 tmplen = strlen("ldap://:") + 17; 898 tmplen += strlen(xauth_ldap_config.host->v); 899 init = racoon_malloc(tmplen); 900 if (init == NULL) { 901 plog(LLV_ERROR, LOCATION, NULL, 902 "unable to alloc ldap init url\n"); 903 goto ldap_end; 904 } 905 sprintf(init,"ldap://%s:%d", 906 xauth_ldap_config.host->v, 907 xauth_ldap_config.port ); 908 909 /* initialize the ldap handle */ 910 res = ldap_initialize(&ld, init); 911 if (res != LDAP_SUCCESS) { 912 plog(LLV_ERROR, LOCATION, NULL, 913 "ldap_initialize failed: %s\n", 914 ldap_err2string(res)); 915 goto ldap_end; 916 } 917 918 /* initialize the protocol version */ 919 ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, 920 &xauth_ldap_config.pver); 921 922 /* 923 * attempt to bind to the ldap server. 924 * default to anonymous bind unless a 925 * user dn and password has been 926 * specified in our configuration 927 */ 928 if ((xauth_ldap_config.bind_dn != NULL)&& 929 (xauth_ldap_config.bind_pw != NULL)) 930 { 931 cred.bv_val = xauth_ldap_config.bind_pw->v; 932 cred.bv_len = strlen( cred.bv_val ); 933 res = ldap_sasl_bind_s(ld, 934 xauth_ldap_config.bind_dn->v, NULL, &cred, 935 NULL, NULL, NULL); 936 } 937 else 938 { 939 res = ldap_sasl_bind_s(ld, 940 NULL, NULL, NULL, 941 NULL, NULL, NULL); 942 } 943 944 if (res!=LDAP_SUCCESS) { 945 plog(LLV_ERROR, LOCATION, NULL, 946 "ldap_sasl_bind_s (search) failed: %s\n", 947 ldap_err2string(res)); 948 goto ldap_end; 949 } 950 951 /* build an ldap user search filter */ 952 tmplen = strlen(xauth_ldap_config.attr_user->v); 953 tmplen += 1; 954 tmplen += strlen(usr); 955 tmplen += 1; 956 filter = racoon_malloc(tmplen); 957 if (filter == NULL) { 958 plog(LLV_ERROR, LOCATION, NULL, 959 "unable to alloc ldap search filter buffer\n"); 960 goto ldap_end; 961 } 962 sprintf(filter, "%s=%s", 963 xauth_ldap_config.attr_user->v, usr); 964 965 /* build our return attribute list */ 966 tmplen = strlen(xauth_ldap_config.attr_addr->v) + 1; 967 atlist[0] = racoon_malloc(tmplen); 968 tmplen = strlen(xauth_ldap_config.attr_mask->v) + 1; 969 atlist[1] = racoon_malloc(tmplen); 970 if ((atlist[0] == NULL)||(atlist[1] == NULL)) { 971 plog(LLV_ERROR, LOCATION, NULL, 972 "unable to alloc ldap attrib list buffer\n"); 973 goto ldap_end; 974 } 975 strcpy(atlist[0],xauth_ldap_config.attr_addr->v); 976 strcpy(atlist[1],xauth_ldap_config.attr_mask->v); 977 978 /* attempt to locate the user dn */ 979 if (xauth_ldap_config.base != NULL) 980 basedn = xauth_ldap_config.base->v; 981 if (xauth_ldap_config.subtree) 982 scope = LDAP_SCOPE_SUBTREE; 983 timeout.tv_sec = 15; 984 timeout.tv_usec = 0; 985 res = ldap_search_ext_s(ld, basedn, scope, 986 filter, atlist, 0, NULL, NULL, 987 &timeout, 2, &lr); 988 if (res != LDAP_SUCCESS) { 989 plog(LLV_ERROR, LOCATION, NULL, 990 "ldap_search_ext_s failed: %s\n", 991 ldap_err2string(res)); 992 goto ldap_end; 993 } 994 995 /* check the number of ldap entries returned */ 996 ecount = ldap_count_entries(ld, lr); 997 if (ecount < 1) { 998 plog(LLV_WARNING, LOCATION, NULL, 999 "no ldap results for filter \'%s\'\n", 1000 filter); 1001 goto ldap_end; 1002 } 1003 if (ecount > 1) { 1004 plog(LLV_WARNING, LOCATION, NULL, 1005 "multiple (%i) ldap results for filter \'%s\'\n", 1006 ecount, filter); 1007 } 1008 1009 /* obtain the dn from the first result */ 1010 le = ldap_first_entry(ld, lr); 1011 if (le == NULL) { 1012 plog(LLV_ERROR, LOCATION, NULL, 1013 "ldap_first_entry failed: invalid entry returned\n"); 1014 goto ldap_end; 1015 } 1016 userdn = ldap_get_dn(ld, le); 1017 if (userdn == NULL) { 1018 plog(LLV_ERROR, LOCATION, NULL, 1019 "ldap_get_dn failed: invalid string returned\n"); 1020 goto ldap_end; 1021 } 1022 1023 /* cache the user dn in the xauth state */ 1024 iph1->mode_cfg->xauth.udn = racoon_malloc(strlen(userdn)+1); 1025 strcpy(iph1->mode_cfg->xauth.udn,userdn); 1026 1027 /* retrieve modecfg address */ 1028 bv = ldap_get_values_len(ld, le, xauth_ldap_config.attr_addr->v); 1029 if (bv != NULL) { 1030 char tmpaddr[16]; 1031 /* sanity check for address value */ 1032 if ((bv[0]->bv_len < 7)||(bv[0]->bv_len > 15)) { 1033 plog(LLV_DEBUG, LOCATION, NULL, 1034 "ldap returned invalid modecfg address\n"); 1035 ldap_value_free_len(bv); 1036 goto ldap_end; 1037 } 1038 memcpy(tmpaddr,bv[0]->bv_val,bv[0]->bv_len); 1039 tmpaddr[bv[0]->bv_len]=0; 1040 iph1->mode_cfg->addr4.s_addr = inet_addr(tmpaddr); 1041 iph1->mode_cfg->flags |= ISAKMP_CFG_ADDR4_EXTERN; 1042 plog(LLV_INFO, LOCATION, NULL, 1043 "ldap returned modecfg address %s\n", tmpaddr); 1044 ldap_value_free_len(bv); 1045 } 1046 1047 /* retrieve modecfg netmask */ 1048 bv = ldap_get_values_len(ld, le, xauth_ldap_config.attr_mask->v); 1049 if (bv != NULL) { 1050 char tmpmask[16]; 1051 /* sanity check for netmask value */ 1052 if ((bv[0]->bv_len < 7)||(bv[0]->bv_len > 15)) { 1053 plog(LLV_DEBUG, LOCATION, NULL, 1054 "ldap returned invalid modecfg netmask\n"); 1055 ldap_value_free_len(bv); 1056 goto ldap_end; 1057 } 1058 memcpy(tmpmask,bv[0]->bv_val,bv[0]->bv_len); 1059 tmpmask[bv[0]->bv_len]=0; 1060 iph1->mode_cfg->mask4.s_addr = inet_addr(tmpmask); 1061 iph1->mode_cfg->flags |= ISAKMP_CFG_MASK4_EXTERN; 1062 plog(LLV_INFO, LOCATION, NULL, 1063 "ldap returned modecfg netmask %s\n", tmpmask); 1064 ldap_value_free_len(bv); 1065 } 1066 1067 /* 1068 * finally, use the dn and the xauth 1069 * password to check the users given 1070 * credentials by attempting to bind 1071 * to the ldap server 1072 */ 1073 plog(LLV_INFO, LOCATION, NULL, 1074 "attempting ldap bind for dn \'%s\'\n", userdn); 1075 cred.bv_val = pwd; 1076 cred.bv_len = strlen( cred.bv_val ); 1077 res = ldap_sasl_bind_s(ld, 1078 userdn, NULL, &cred, 1079 NULL, NULL, NULL); 1080 if(res==LDAP_SUCCESS) 1081 rtn = 0; 1082 1083 ldap_end: 1084 1085 /* free ldap resources */ 1086 if (userdn != NULL) 1087 ldap_memfree(userdn); 1088 if (atlist[0] != NULL) 1089 racoon_free(atlist[0]); 1090 if (atlist[1] != NULL) 1091 racoon_free(atlist[1]); 1092 if (filter != NULL) 1093 racoon_free(filter); 1094 if (lr != NULL) 1095 ldap_msgfree(lr); 1096 if (init != NULL) 1097 racoon_free(init); 1098 1099 ldap_unbind_ext_s(ld, NULL, NULL); 1100 1101 return rtn; 1102 } 1103 1104 int 1105 xauth_group_ldap(udn, grp) 1106 char * udn; 1107 char * grp; 1108 { 1109 int rtn = -1; 1110 int res = -1; 1111 LDAP *ld = NULL; 1112 LDAPMessage *lr = NULL; 1113 LDAPMessage *le = NULL; 1114 struct berval cred; 1115 struct timeval timeout; 1116 char *init = NULL; 1117 char *filter = NULL; 1118 char *basedn = NULL; 1119 char *groupdn = NULL; 1120 int tmplen = 0; 1121 int ecount = 0; 1122 int scope = LDAP_SCOPE_ONE; 1123 1124 /* build our initialization url */ 1125 tmplen = strlen("ldap://:") + 17; 1126 tmplen += strlen(xauth_ldap_config.host->v); 1127 init = racoon_malloc(tmplen); 1128 if (init == NULL) { 1129 plog(LLV_ERROR, LOCATION, NULL, 1130 "unable to alloc ldap init url\n"); 1131 goto ldap_group_end; 1132 } 1133 sprintf(init,"ldap://%s:%d", 1134 xauth_ldap_config.host->v, 1135 xauth_ldap_config.port ); 1136 1137 /* initialize the ldap handle */ 1138 res = ldap_initialize(&ld, init); 1139 if (res != LDAP_SUCCESS) { 1140 plog(LLV_ERROR, LOCATION, NULL, 1141 "ldap_initialize failed: %s\n", 1142 ldap_err2string(res)); 1143 goto ldap_group_end; 1144 } 1145 1146 /* initialize the protocol version */ 1147 ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, 1148 &xauth_ldap_config.pver); 1149 1150 /* 1151 * attempt to bind to the ldap server. 1152 * default to anonymous bind unless a 1153 * user dn and password has been 1154 * specified in our configuration 1155 */ 1156 if ((xauth_ldap_config.bind_dn != NULL)&& 1157 (xauth_ldap_config.bind_pw != NULL)) 1158 { 1159 cred.bv_val = xauth_ldap_config.bind_pw->v; 1160 cred.bv_len = strlen( cred.bv_val ); 1161 res = ldap_sasl_bind_s(ld, 1162 xauth_ldap_config.bind_dn->v, NULL, &cred, 1163 NULL, NULL, NULL); 1164 } 1165 else 1166 { 1167 res = ldap_sasl_bind_s(ld, 1168 NULL, NULL, NULL, 1169 NULL, NULL, NULL); 1170 } 1171 1172 if (res!=LDAP_SUCCESS) { 1173 plog(LLV_ERROR, LOCATION, NULL, 1174 "ldap_sasl_bind_s (search) failed: %s\n", 1175 ldap_err2string(res)); 1176 goto ldap_group_end; 1177 } 1178 1179 /* build an ldap group search filter */ 1180 tmplen = strlen("(&(=)(=))") + 1; 1181 tmplen += strlen(xauth_ldap_config.attr_group->v); 1182 tmplen += strlen(grp); 1183 tmplen += strlen(xauth_ldap_config.attr_member->v); 1184 tmplen += strlen(udn); 1185 filter = racoon_malloc(tmplen); 1186 if (filter == NULL) { 1187 plog(LLV_ERROR, LOCATION, NULL, 1188 "unable to alloc ldap search filter buffer\n"); 1189 goto ldap_group_end; 1190 } 1191 sprintf(filter, "(&(%s=%s)(%s=%s))", 1192 xauth_ldap_config.attr_group->v, grp, 1193 xauth_ldap_config.attr_member->v, udn); 1194 1195 /* attempt to locate the group dn */ 1196 if (xauth_ldap_config.base != NULL) 1197 basedn = xauth_ldap_config.base->v; 1198 if (xauth_ldap_config.subtree) 1199 scope = LDAP_SCOPE_SUBTREE; 1200 timeout.tv_sec = 15; 1201 timeout.tv_usec = 0; 1202 res = ldap_search_ext_s(ld, basedn, scope, 1203 filter, NULL, 0, NULL, NULL, 1204 &timeout, 2, &lr); 1205 if (res != LDAP_SUCCESS) { 1206 plog(LLV_ERROR, LOCATION, NULL, 1207 "ldap_search_ext_s failed: %s\n", 1208 ldap_err2string(res)); 1209 goto ldap_group_end; 1210 } 1211 1212 /* check the number of ldap entries returned */ 1213 ecount = ldap_count_entries(ld, lr); 1214 if (ecount < 1) { 1215 plog(LLV_WARNING, LOCATION, NULL, 1216 "no ldap results for filter \'%s\'\n", 1217 filter); 1218 goto ldap_group_end; 1219 } 1220 1221 /* success */ 1222 rtn = 0; 1223 1224 /* obtain the dn from the first result */ 1225 le = ldap_first_entry(ld, lr); 1226 if (le == NULL) { 1227 plog(LLV_ERROR, LOCATION, NULL, 1228 "ldap_first_entry failed: invalid entry returned\n"); 1229 goto ldap_group_end; 1230 } 1231 groupdn = ldap_get_dn(ld, le); 1232 if (groupdn == NULL) { 1233 plog(LLV_ERROR, LOCATION, NULL, 1234 "ldap_get_dn failed: invalid string returned\n"); 1235 goto ldap_group_end; 1236 } 1237 1238 plog(LLV_INFO, LOCATION, NULL, 1239 "ldap membership group returned \'%s\'\n", groupdn); 1240 ldap_group_end: 1241 1242 /* free ldap resources */ 1243 if (groupdn != NULL) 1244 ldap_memfree(groupdn); 1245 if (filter != NULL) 1246 racoon_free(filter); 1247 if (lr != NULL) 1248 ldap_msgfree(lr); 1249 if (init != NULL) 1250 racoon_free(init); 1251 1252 ldap_unbind_ext_s(ld, NULL, NULL); 1253 1254 return rtn; 1255 } 1256 1257 #endif 1258 1259 #ifndef ANDROID_PATCHED 1260 1261 int 1262 xauth_login_system(usr, pwd) 1263 char *usr; 1264 char *pwd; 1265 { 1266 struct passwd *pw; 1267 char *cryptpwd; 1268 char *syscryptpwd; 1269 #ifdef HAVE_SHADOW_H 1270 struct spwd *spw; 1271 1272 if ((spw = getspnam(usr)) == NULL) 1273 return -1; 1274 1275 syscryptpwd = spw->sp_pwdp; 1276 #endif 1277 1278 if ((pw = getpwnam(usr)) == NULL) 1279 return -1; 1280 1281 #ifndef HAVE_SHADOW_H 1282 syscryptpwd = pw->pw_passwd; 1283 #endif 1284 1285 /* No root login. Ever. */ 1286 if (pw->pw_uid == 0) 1287 return -1; 1288 1289 if ((cryptpwd = crypt(pwd, syscryptpwd)) == NULL) 1290 return -1; 1291 1292 if (strcmp(cryptpwd, syscryptpwd) == 0) 1293 return 0; 1294 1295 return -1; 1296 } 1297 1298 #endif 1299 1300 int 1301 xauth_group_system(usr, grp) 1302 char * usr; 1303 char * grp; 1304 { 1305 struct group * gr; 1306 char * member; 1307 int index = 0; 1308 1309 gr = getgrnam(grp); 1310 if (gr == NULL) { 1311 plog(LLV_ERROR, LOCATION, NULL, 1312 "the system group name \'%s\' is unknown\n", 1313 grp); 1314 return -1; 1315 } 1316 1317 while ((member = gr->gr_mem[index++])!=NULL) { 1318 if (!strcmp(member,usr)) { 1319 plog(LLV_INFO, LOCATION, NULL, 1320 "membership validated\n"); 1321 return 0; 1322 } 1323 } 1324 1325 return -1; 1326 } 1327 1328 int 1329 xauth_check(iph1) 1330 struct ph1handle *iph1; 1331 { 1332 struct xauth_state *xst = &iph1->mode_cfg->xauth; 1333 1334 /* 1335 * Only the server side (edge device) really check for Xauth 1336 * status. It does it if the chose authmethod is using Xauth. 1337 * On the client side (roadwarrior), we don't check anything. 1338 */ 1339 switch (iph1->approval->authmethod) { 1340 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_R: 1341 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_R: 1342 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_R: 1343 /* The following are not yet implemented */ 1344 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_R: 1345 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_R: 1346 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_R: 1347 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_R: 1348 if ((iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_XAUTH) == 0) { 1349 plog(LLV_ERROR, LOCATION, NULL, 1350 "Hybrid auth negotiated but peer did not " 1351 "announced as Xauth capable\n"); 1352 return -1; 1353 } 1354 1355 if (xst->status != XAUTHST_OK) { 1356 plog(LLV_ERROR, LOCATION, NULL, 1357 "Hybrid auth negotiated but peer did not " 1358 "succeed Xauth exchange\n"); 1359 return -1; 1360 } 1361 1362 return 0; 1363 break; 1364 default: 1365 return 0; 1366 break; 1367 } 1368 1369 return 0; 1370 } 1371 1372 int 1373 group_check(iph1, grp_list, grp_count) 1374 struct ph1handle *iph1; 1375 char **grp_list; 1376 int grp_count; 1377 { 1378 int res = -1; 1379 int grp_index = 0; 1380 char * usr = NULL; 1381 1382 /* check for presence of modecfg data */ 1383 1384 if(iph1->mode_cfg == NULL) { 1385 plog(LLV_ERROR, LOCATION, NULL, 1386 "xauth group specified but modecfg not found\n"); 1387 return res; 1388 } 1389 1390 /* loop through our group list */ 1391 1392 for(; grp_index < grp_count; grp_index++) { 1393 1394 /* check for presence of xauth data */ 1395 1396 usr = iph1->mode_cfg->xauth.authdata.generic.usr; 1397 1398 if(usr == NULL) { 1399 plog(LLV_ERROR, LOCATION, NULL, 1400 "xauth group specified but xauth not found\n"); 1401 return res; 1402 } 1403 1404 /* call appropriate group validation funtion */ 1405 1406 switch (isakmp_cfg_config.groupsource) { 1407 1408 case ISAKMP_CFG_GROUP_SYSTEM: 1409 res = xauth_group_system( 1410 usr, 1411 grp_list[grp_index]); 1412 break; 1413 1414 #ifdef HAVE_LIBLDAP 1415 case ISAKMP_CFG_GROUP_LDAP: 1416 res = xauth_group_ldap( 1417 iph1->mode_cfg->xauth.udn, 1418 grp_list[grp_index]); 1419 break; 1420 #endif 1421 1422 default: 1423 /* we should never get here */ 1424 plog(LLV_ERROR, LOCATION, NULL, 1425 "Unknown group auth source\n"); 1426 break; 1427 } 1428 1429 if( !res ) { 1430 plog(LLV_INFO, LOCATION, NULL, 1431 "user \"%s\" is a member of group \"%s\"\n", 1432 usr, 1433 grp_list[grp_index]); 1434 break; 1435 } else { 1436 plog(LLV_INFO, LOCATION, NULL, 1437 "user \"%s\" is not a member of group \"%s\"\n", 1438 usr, 1439 grp_list[grp_index]); 1440 } 1441 } 1442 1443 return res; 1444 } 1445 1446 vchar_t * 1447 isakmp_xauth_req(iph1, attr) 1448 struct ph1handle *iph1; 1449 struct isakmp_data *attr; 1450 { 1451 int type; 1452 size_t dlen = 0; 1453 int ashort = 0; 1454 int value = 0; 1455 vchar_t *buffer = NULL; 1456 char *mraw = NULL, *mdata; 1457 char *data; 1458 vchar_t *usr = NULL; 1459 vchar_t *pwd = NULL; 1460 size_t skip = 0; 1461 int freepwd = 0; 1462 1463 if ((iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_XAUTH) == 0) { 1464 plog(LLV_ERROR, LOCATION, NULL, 1465 "Xauth mode config request but peer " 1466 "did not declare itself as Xauth capable\n"); 1467 return NULL; 1468 } 1469 1470 type = ntohs(attr->type) & ~ISAKMP_GEN_MASK; 1471 1472 /* Sanity checks */ 1473 switch(type) { 1474 case XAUTH_TYPE: 1475 if ((ntohs(attr->type) & ISAKMP_GEN_TV) == 0) { 1476 plog(LLV_ERROR, LOCATION, NULL, 1477 "Unexpected long XAUTH_TYPE attribute\n"); 1478 return NULL; 1479 } 1480 if (ntohs(attr->lorv) != XAUTH_TYPE_GENERIC) { 1481 plog(LLV_ERROR, LOCATION, NULL, 1482 "Unsupported Xauth authentication %d\n", 1483 ntohs(attr->lorv)); 1484 return NULL; 1485 } 1486 ashort = 1; 1487 dlen = 0; 1488 value = XAUTH_TYPE_GENERIC; 1489 break; 1490 1491 case XAUTH_USER_NAME: 1492 if (!iph1->rmconf->xauth || !iph1->rmconf->xauth->login) { 1493 plog(LLV_ERROR, LOCATION, NULL, "Xauth performed " 1494 "with no login supplied\n"); 1495 return NULL; 1496 } 1497 1498 dlen = iph1->rmconf->xauth->login->l - 1; 1499 iph1->rmconf->xauth->state |= XAUTH_SENT_USERNAME; 1500 break; 1501 1502 #ifdef ANDROID_PATCHED 1503 case XAUTH_PASSCODE: 1504 #endif 1505 case XAUTH_USER_PASSWORD: 1506 if (!iph1->rmconf->xauth || !iph1->rmconf->xauth->login) 1507 return NULL; 1508 1509 skip = sizeof(struct ipsecdoi_id_b); 1510 usr = vmalloc(iph1->rmconf->xauth->login->l - 1 + skip); 1511 if (usr == NULL) { 1512 plog(LLV_ERROR, LOCATION, NULL, 1513 "Cannot allocate memory\n"); 1514 return NULL; 1515 } 1516 memset(usr->v, 0, skip); 1517 memcpy(usr->v + skip, 1518 iph1->rmconf->xauth->login->v, 1519 iph1->rmconf->xauth->login->l - 1); 1520 1521 if (iph1->rmconf->xauth->pass) { 1522 /* A key given through racoonctl */ 1523 pwd = iph1->rmconf->xauth->pass; 1524 } else { 1525 if ((pwd = getpskbyname(usr)) == NULL) { 1526 plog(LLV_ERROR, LOCATION, NULL, 1527 "No password was found for login %s\n", 1528 iph1->rmconf->xauth->login->v); 1529 vfree(usr); 1530 return NULL; 1531 } 1532 /* We have to free it before returning */ 1533 freepwd = 1; 1534 } 1535 vfree(usr); 1536 1537 iph1->rmconf->xauth->state |= XAUTH_SENT_PASSWORD; 1538 dlen = pwd->l; 1539 1540 break; 1541 case XAUTH_MESSAGE: 1542 if ((ntohs(attr->type) & ISAKMP_GEN_TV) == 0) { 1543 dlen = ntohs(attr->lorv); 1544 if (dlen > 0) { 1545 mraw = (char*)(attr + 1); 1546 mdata = binsanitize(mraw, dlen); 1547 if (mdata == NULL) { 1548 plog(LLV_ERROR, LOCATION, iph1->remote, 1549 "Cannot allocate memory\n"); 1550 return NULL; 1551 } 1552 plog(LLV_NOTIFY,LOCATION, iph1->remote, 1553 "XAUTH Message: '%s'.\n", 1554 mdata); 1555 racoon_free(mdata); 1556 } 1557 } 1558 return NULL; 1559 default: 1560 plog(LLV_WARNING, LOCATION, NULL, 1561 "Ignored attribute %s\n", s_isakmp_cfg_type(type)); 1562 return NULL; 1563 break; 1564 } 1565 1566 if ((buffer = vmalloc(sizeof(*attr) + dlen)) == NULL) { 1567 plog(LLV_ERROR, LOCATION, NULL, 1568 "Cannot allocate memory\n"); 1569 goto out; 1570 } 1571 1572 attr = (struct isakmp_data *)buffer->v; 1573 if (ashort) { 1574 attr->type = htons(type | ISAKMP_GEN_TV); 1575 attr->lorv = htons(value); 1576 goto out; 1577 } 1578 1579 attr->type = htons(type | ISAKMP_GEN_TLV); 1580 attr->lorv = htons(dlen); 1581 data = (char *)(attr + 1); 1582 1583 switch(type) { 1584 case XAUTH_USER_NAME: 1585 /* 1586 * iph1->rmconf->xauth->login->v is valid, 1587 * we just checked it in the previous switch case 1588 */ 1589 memcpy(data, iph1->rmconf->xauth->login->v, dlen); 1590 break; 1591 #ifdef ANDROID_PATCHED 1592 case XAUTH_PASSCODE: 1593 #endif 1594 case XAUTH_USER_PASSWORD: 1595 memcpy(data, pwd->v, dlen); 1596 break; 1597 default: 1598 break; 1599 } 1600 1601 out: 1602 if (freepwd) 1603 vfree(pwd); 1604 1605 return buffer; 1606 } 1607 1608 vchar_t * 1609 isakmp_xauth_set(iph1, attr) 1610 struct ph1handle *iph1; 1611 struct isakmp_data *attr; 1612 { 1613 int type; 1614 vchar_t *buffer = NULL; 1615 char *data; 1616 struct xauth_state *xst; 1617 size_t dlen = 0; 1618 char* mraw = NULL, *mdata; 1619 1620 if ((iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_XAUTH) == 0) { 1621 plog(LLV_ERROR, LOCATION, NULL, 1622 "Xauth mode config set but peer " 1623 "did not declare itself as Xauth capable\n"); 1624 return NULL; 1625 } 1626 1627 type = ntohs(attr->type) & ~ISAKMP_GEN_MASK; 1628 1629 switch(type) { 1630 case XAUTH_STATUS: 1631 /* 1632 * We should only receive ISAKMP mode_cfg SET XAUTH_STATUS 1633 * when running as a client (initiator). 1634 */ 1635 xst = &iph1->mode_cfg->xauth; 1636 switch (iph1->approval->authmethod) { 1637 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I: 1638 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_I: 1639 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_I: 1640 /* Not implemented ... */ 1641 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_I: 1642 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_I: 1643 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_I: 1644 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_I: 1645 break; 1646 default: 1647 plog(LLV_ERROR, LOCATION, NULL, 1648 "Unexpected XAUTH_STATUS_OK\n"); 1649 return NULL; 1650 break; 1651 } 1652 1653 /* If we got a failure, delete iph1 */ 1654 if (ntohs(attr->lorv) != XAUTH_STATUS_OK) { 1655 plog(LLV_ERROR, LOCATION, NULL, 1656 "Xauth authentication failed\n"); 1657 1658 evt_phase1(iph1, EVT_PHASE1_XAUTH_FAILED, NULL); 1659 1660 iph1->mode_cfg->flags |= ISAKMP_CFG_DELETE_PH1; 1661 } else { 1662 evt_phase1(iph1, EVT_PHASE1_XAUTH_SUCCESS, NULL); 1663 } 1664 1665 1666 /* We acknowledge it */ 1667 break; 1668 case XAUTH_MESSAGE: 1669 if ((ntohs(attr->type) & ISAKMP_GEN_TV) == 0) { 1670 dlen = ntohs(attr->lorv); 1671 if (dlen > 0) { 1672 mraw = (char*)(attr + 1); 1673 mdata = binsanitize(mraw, dlen); 1674 if (mdata == NULL) { 1675 plog(LLV_ERROR, LOCATION, iph1->remote, 1676 "Cannot allocate memory\n"); 1677 return NULL; 1678 } 1679 plog(LLV_NOTIFY,LOCATION, iph1->remote, 1680 "XAUTH Message: '%s'.\n", 1681 mdata); 1682 racoon_free(mdata); 1683 } 1684 } 1685 1686 default: 1687 plog(LLV_WARNING, LOCATION, NULL, 1688 "Ignored attribute %s\n", s_isakmp_cfg_type(type)); 1689 return NULL; 1690 break; 1691 } 1692 1693 if ((buffer = vmalloc(sizeof(*attr))) == NULL) { 1694 plog(LLV_ERROR, LOCATION, NULL, 1695 "Cannot allocate memory\n"); 1696 return NULL; 1697 } 1698 1699 attr = (struct isakmp_data *)buffer->v; 1700 attr->type = htons(type | ISAKMP_GEN_TV); 1701 attr->lorv = htons(0); 1702 1703 return buffer; 1704 } 1705 1706 1707 void 1708 xauth_rmstate(xst) 1709 struct xauth_state *xst; 1710 { 1711 switch (xst->authtype) { 1712 case XAUTH_TYPE_GENERIC: 1713 if (xst->authdata.generic.usr) 1714 racoon_free(xst->authdata.generic.usr); 1715 1716 if (xst->authdata.generic.pwd) 1717 racoon_free(xst->authdata.generic.pwd); 1718 1719 break; 1720 1721 case XAUTH_TYPE_CHAP: 1722 case XAUTH_TYPE_OTP: 1723 case XAUTH_TYPE_SKEY: 1724 plog(LLV_WARNING, LOCATION, NULL, 1725 "Unsupported authtype %d\n", xst->authtype); 1726 break; 1727 1728 default: 1729 plog(LLV_WARNING, LOCATION, NULL, 1730 "Unexpected authtype %d\n", xst->authtype); 1731 break; 1732 } 1733 1734 #ifdef HAVE_LIBLDAP 1735 if (xst->udn != NULL) 1736 racoon_free(xst->udn); 1737 #endif 1738 return; 1739 } 1740 1741 int 1742 xauth_rmconf_used(xauth_rmconf) 1743 struct xauth_rmconf **xauth_rmconf; 1744 { 1745 if (*xauth_rmconf == NULL) { 1746 *xauth_rmconf = racoon_malloc(sizeof(**xauth_rmconf)); 1747 if (*xauth_rmconf == NULL) { 1748 plog(LLV_ERROR, LOCATION, NULL, 1749 "xauth_rmconf_used: malloc failed\n"); 1750 return -1; 1751 } 1752 1753 (*xauth_rmconf)->login = NULL; 1754 (*xauth_rmconf)->pass = NULL; 1755 (*xauth_rmconf)->state = 0; 1756 } 1757 1758 return 0; 1759 } 1760 1761 void 1762 xauth_rmconf_delete(xauth_rmconf) 1763 struct xauth_rmconf **xauth_rmconf; 1764 { 1765 if (*xauth_rmconf != NULL) { 1766 if ((*xauth_rmconf)->login != NULL) 1767 vfree((*xauth_rmconf)->login); 1768 if ((*xauth_rmconf)->pass != NULL) 1769 vfree((*xauth_rmconf)->pass); 1770 1771 racoon_free(*xauth_rmconf); 1772 *xauth_rmconf = NULL; 1773 } 1774 1775 return; 1776 } 1777 1778 struct xauth_rmconf * 1779 xauth_rmconf_dup(xauth_rmconf) 1780 struct xauth_rmconf *xauth_rmconf; 1781 { 1782 struct xauth_rmconf *new; 1783 1784 if (xauth_rmconf != NULL) { 1785 new = racoon_malloc(sizeof(*new)); 1786 if (new == NULL) { 1787 plog(LLV_ERROR, LOCATION, NULL, 1788 "xauth_rmconf_dup: malloc failed\n"); 1789 return NULL; 1790 } 1791 1792 memcpy(new, xauth_rmconf, sizeof(*new)); 1793 1794 if (xauth_rmconf->login != NULL) { 1795 new->login = vdup(xauth_rmconf->login); 1796 if (new->login == NULL) { 1797 plog(LLV_ERROR, LOCATION, NULL, 1798 "xauth_rmconf_dup: malloc failed (login)\n"); 1799 return NULL; 1800 } 1801 } 1802 if (xauth_rmconf->pass != NULL) { 1803 new->pass = vdup(xauth_rmconf->pass); 1804 if (new->pass == NULL) { 1805 plog(LLV_ERROR, LOCATION, NULL, 1806 "xauth_rmconf_dup: malloc failed (password)\n"); 1807 return NULL; 1808 } 1809 } 1810 1811 return new; 1812 } 1813 1814 return NULL; 1815 } 1816
