1 /* $NetBSD: isakmp_xauth.c,v 1.11.6.2 2009/04/20 13:35:36 tteras Exp $ */ 2 3 /* Id: isakmp_xauth.c,v 1.38 2006/08/22 18:17:17 manubsd Exp */ 4 5 /* 6 * Copyright (C) 2004-2005 Emmanuel Dreyfus 7 * All rights reserved. 8 * 9 * Redistribution and use in source and binary forms, with or without 10 * modification, are permitted provided that the following conditions 11 * are met: 12 * 1. Redistributions of source code must retain the above copyright 13 * notice, this list of conditions and the following disclaimer. 14 * 2. Redistributions in binary form must reproduce the above copyright 15 * notice, this list of conditions and the following disclaimer in the 16 * documentation and/or other materials provided with the distribution. 17 * 3. Neither the name of the project nor the names of its contributors 18 * may be used to endorse or promote products derived from this software 19 * without specific prior written permission. 20 * 21 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND 22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 24 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE 25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 31 * SUCH DAMAGE. 32 */ 33 34 #include "config.h" 35 36 #include <sys/types.h> 37 #include <sys/param.h> 38 #include <sys/socket.h> 39 #include <sys/queue.h> 40 41 #include <netinet/in.h> 42 43 #include <stdlib.h> 44 #include <stdio.h> 45 #include <string.h> 46 #include <errno.h> 47 #include <pwd.h> 48 #include <grp.h> 49 #if TIME_WITH_SYS_TIME 50 # include <sys/time.h> 51 # include <time.h> 52 #else 53 # if HAVE_SYS_TIME_H 54 # include <sys/time.h> 55 # else 56 # include <time.h> 57 # endif 58 #endif 59 #include <netdb.h> 60 #ifdef HAVE_UNISTD_H 61 #include <unistd.h> 62 #endif 63 #include <ctype.h> 64 #include <resolv.h> 65 66 #ifdef HAVE_SHADOW_H 67 #include <shadow.h> 68 #endif 69 70 #include "var.h" 71 #include "misc.h" 72 #include "vmbuf.h" 73 #include "plog.h" 74 #include "sockmisc.h" 75 #include "schedule.h" 76 #include "debug.h" 77 78 #include "crypto_openssl.h" 79 #include "isakmp_var.h" 80 #include "isakmp.h" 81 #include "admin.h" 82 #include "privsep.h" 83 #include "evt.h" 84 #include "handler.h" 85 #include "throttle.h" 86 #include "remoteconf.h" 87 #include "isakmp_inf.h" 88 #include "isakmp_xauth.h" 89 #include "isakmp_unity.h" 90 #include "isakmp_cfg.h" 91 #include "strnames.h" 92 #include "ipsec_doi.h" 93 #include "remoteconf.h" 94 #include "localconf.h" 95 96 #ifdef HAVE_LIBRADIUS 97 #include <radlib.h> 98 99 struct rad_handle *radius_auth_state = NULL; 100 struct rad_handle *radius_acct_state = NULL; 101 #endif 102 103 #ifdef HAVE_LIBPAM 104 #include <security/pam_appl.h> 105 106 static char *PAM_usr = NULL; 107 static char *PAM_pwd = NULL; 108 static int PAM_conv(int, const struct pam_message **, 109 struct pam_response **, void *); 110 static struct pam_conv PAM_chat = { &PAM_conv, NULL }; 111 #endif 112 113 #ifdef HAVE_LIBLDAP 114 #include "ldap.h" 115 #include <arpa/inet.h> 116 struct xauth_ldap_config xauth_ldap_config; 117 #endif 118 119 void 120 xauth_sendreq(iph1) 121 struct ph1handle *iph1; 122 { 123 vchar_t *buffer; 124 struct isakmp_pl_attr *attr; 125 struct isakmp_data *typeattr; 126 struct isakmp_data *usrattr; 127 struct isakmp_data *pwdattr; 128 struct xauth_state *xst = &iph1->mode_cfg->xauth; 129 size_t tlen; 130 131 /* Status checks */ 132 if (iph1->status != PHASE1ST_ESTABLISHED) { 133 plog(LLV_ERROR, LOCATION, NULL, 134 "Xauth request while phase 1 is not completed\n"); 135 return; 136 } 137 138 if (xst->status != XAUTHST_NOTYET) { 139 plog(LLV_ERROR, LOCATION, NULL, 140 "Xauth request whith Xauth state %d\n", xst->status); 141 return; 142 } 143 144 plog(LLV_INFO, LOCATION, NULL, "Sending Xauth request\n"); 145 146 tlen = sizeof(*attr) + 147 + sizeof(*typeattr) + 148 + sizeof(*usrattr) + 149 + sizeof(*pwdattr); 150 151 if ((buffer = vmalloc(tlen)) == NULL) { 152 plog(LLV_ERROR, LOCATION, NULL, "Cannot allocate buffer\n"); 153 return; 154 } 155 156 attr = (struct isakmp_pl_attr *)buffer->v; 157 memset(attr, 0, tlen); 158 159 attr->h.len = htons(tlen); 160 attr->type = ISAKMP_CFG_REQUEST; 161 attr->id = htons(eay_random()); 162 163 typeattr = (struct isakmp_data *)(attr + 1); 164 typeattr->type = htons(XAUTH_TYPE | ISAKMP_GEN_TV); 165 typeattr->lorv = htons(XAUTH_TYPE_GENERIC); 166 167 usrattr = (struct isakmp_data *)(typeattr + 1); 168 usrattr->type = htons(XAUTH_USER_NAME | ISAKMP_GEN_TLV); 169 usrattr->lorv = htons(0); 170 171 pwdattr = (struct isakmp_data *)(usrattr + 1); 172 pwdattr->type = htons(XAUTH_USER_PASSWORD | ISAKMP_GEN_TLV); 173 pwdattr->lorv = htons(0); 174 175 isakmp_cfg_send(iph1, buffer, 176 ISAKMP_NPTYPE_ATTR, ISAKMP_FLAG_E, 1); 177 178 vfree(buffer); 179 180 xst->status = XAUTHST_REQSENT; 181 182 return; 183 } 184 185 int 186 xauth_attr_reply(iph1, attr, id) 187 struct ph1handle *iph1; 188 struct isakmp_data *attr; 189 int id; 190 { 191 char **outlet = NULL; 192 size_t alen = 0; 193 int type; 194 struct xauth_state *xst = &iph1->mode_cfg->xauth; 195 196 if ((iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_XAUTH) == 0) { 197 plog(LLV_ERROR, LOCATION, NULL, 198 "Xauth reply but peer did not declare " 199 "itself as Xauth capable\n"); 200 return -1; 201 } 202 203 if (xst->status != XAUTHST_REQSENT) { 204 plog(LLV_ERROR, LOCATION, NULL, 205 "Xauth reply while Xauth state is %d\n", xst->status); 206 return -1; 207 } 208 209 type = ntohs(attr->type) & ~ISAKMP_GEN_MASK; 210 switch (type) { 211 case XAUTH_TYPE: 212 switch (ntohs(attr->lorv)) { 213 case XAUTH_TYPE_GENERIC: 214 xst->authtype = XAUTH_TYPE_GENERIC; 215 break; 216 default: 217 plog(LLV_WARNING, LOCATION, NULL, 218 "Unexpected authentication type %d\n", 219 ntohs(type)); 220 return -1; 221 } 222 break; 223 224 case XAUTH_USER_NAME: 225 outlet = &xst->authdata.generic.usr; 226 break; 227 228 case XAUTH_USER_PASSWORD: 229 outlet = &xst->authdata.generic.pwd; 230 break; 231 232 default: 233 plog(LLV_WARNING, LOCATION, NULL, 234 "ignored Xauth attribute %d\n", type); 235 break; 236 } 237 238 if (outlet != NULL) { 239 alen = ntohs(attr->lorv); 240 241 if ((*outlet = racoon_malloc(alen + 1)) == NULL) { 242 plog(LLV_ERROR, LOCATION, NULL, 243 "Cannot allocate memory for Xauth Data\n"); 244 return -1; 245 } 246 247 memcpy(*outlet, attr + 1, alen); 248 (*outlet)[alen] = '\0'; 249 outlet = NULL; 250 } 251 252 253 if ((xst->authdata.generic.usr != NULL) && 254 (xst->authdata.generic.pwd != NULL)) { 255 int port; 256 int res; 257 char *usr = xst->authdata.generic.usr; 258 char *pwd = xst->authdata.generic.pwd; 259 time_t throttle_delay = 0; 260 261 #if 0 /* Real debug, don't do that at home */ 262 plog(LLV_DEBUG, LOCATION, NULL, 263 "Got username \"%s\", password \"%s\"\n", usr, pwd); 264 #endif 265 strncpy(iph1->mode_cfg->login, usr, LOGINLEN); 266 iph1->mode_cfg->login[LOGINLEN] = '\0'; 267 268 res = -1; 269 if ((port = isakmp_cfg_getport(iph1)) == -1) { 270 plog(LLV_ERROR, LOCATION, NULL, 271 "Port pool depleted\n"); 272 goto skip_auth; 273 } 274 275 switch (isakmp_cfg_config.authsource) { 276 case ISAKMP_CFG_AUTH_SYSTEM: 277 res = privsep_xauth_login_system(usr, pwd); 278 break; 279 #ifdef HAVE_LIBRADIUS 280 case ISAKMP_CFG_AUTH_RADIUS: 281 res = xauth_login_radius(iph1, usr, pwd); 282 break; 283 #endif 284 #ifdef HAVE_LIBPAM 285 case ISAKMP_CFG_AUTH_PAM: 286 res = privsep_xauth_login_pam(iph1->mode_cfg->port, 287 iph1->remote, usr, pwd); 288 break; 289 #endif 290 #ifdef HAVE_LIBLDAP 291 case ISAKMP_CFG_AUTH_LDAP: 292 res = xauth_login_ldap(iph1, usr, pwd); 293 break; 294 #endif 295 default: 296 plog(LLV_ERROR, LOCATION, NULL, 297 "Unexpected authentication source\n"); 298 res = -1; 299 break; 300 } 301 302 /* 303 * Optional group authentication 304 */ 305 if (!res && (isakmp_cfg_config.groupcount)) 306 res = group_check(iph1, 307 isakmp_cfg_config.grouplist, 308 isakmp_cfg_config.groupcount); 309 310 /* 311 * On failure, throttle the connexion for the remote host 312 * in order to make password attacks more difficult. 313 */ 314 throttle_delay = throttle_host(iph1->remote, res) - time(NULL); 315 if (throttle_delay > 0) { 316 char *str; 317 318 str = saddrwop2str(iph1->remote); 319 320 plog(LLV_ERROR, LOCATION, NULL, 321 "Throttling in action for %s: delay %lds\n", 322 str, (unsigned long)throttle_delay); 323 res = -1; 324 } else { 325 throttle_delay = 0; 326 } 327 328 skip_auth: 329 if (throttle_delay != 0) { 330 struct xauth_reply_arg *xra; 331 332 if ((xra = racoon_malloc(sizeof(*xra))) == NULL) { 333 plog(LLV_ERROR, LOCATION, NULL, 334 "malloc failed, bypass throttling\n"); 335 return xauth_reply(iph1, port, id, res); 336 } 337 338 /* 339 * We need to store the ph1, but it might have 340 * disapeared when xauth_reply is called, so 341 * store the index instead. 342 */ 343 xra->index = iph1->index; 344 xra->port = port; 345 xra->id = id; 346 xra->res = res; 347 sched_new(throttle_delay, xauth_reply_stub, xra); 348 } else { 349 return xauth_reply(iph1, port, id, res); 350 } 351 } 352 353 return 0; 354 } 355 356 void 357 xauth_reply_stub(args) 358 void *args; 359 { 360 struct xauth_reply_arg *xra = (struct xauth_reply_arg *)args; 361 struct ph1handle *iph1; 362 363 if ((iph1 = getph1byindex(&xra->index)) != NULL) 364 (void)xauth_reply(iph1, xra->port, xra->id, xra->res); 365 else 366 plog(LLV_ERROR, LOCATION, NULL, 367 "Delayed Xauth reply: phase 1 no longer exists.\n"); 368 369 racoon_free(xra); 370 return; 371 } 372 373 int 374 xauth_reply(iph1, port, id, res) 375 struct ph1handle *iph1; 376 int port; 377 int id; 378 #if defined(ANDROID_CHANGES) 379 int res; 380 #endif 381 { 382 struct xauth_state *xst = &iph1->mode_cfg->xauth; 383 char *usr = xst->authdata.generic.usr; 384 385 if (res != 0) { 386 if (port != -1) 387 isakmp_cfg_putport(iph1, port); 388 389 plog(LLV_INFO, LOCATION, NULL, 390 "login failed for user \"%s\"\n", usr); 391 392 xauth_sendstatus(iph1, XAUTH_STATUS_FAIL, id); 393 xst->status = XAUTHST_NOTYET; 394 395 /* Delete Phase 1 SA */ 396 if (iph1->status == PHASE1ST_ESTABLISHED) 397 isakmp_info_send_d1(iph1); 398 remph1(iph1); 399 delph1(iph1); 400 401 return -1; 402 } 403 404 xst->status = XAUTHST_OK; 405 plog(LLV_INFO, LOCATION, NULL, 406 "login succeeded for user \"%s\"\n", usr); 407 408 xauth_sendstatus(iph1, XAUTH_STATUS_OK, id); 409 410 return 0; 411 } 412 413 void 414 xauth_sendstatus(iph1, status, id) 415 struct ph1handle *iph1; 416 int status; 417 int id; 418 { 419 vchar_t *buffer; 420 struct isakmp_pl_attr *attr; 421 struct isakmp_data *stattr; 422 size_t tlen; 423 424 tlen = sizeof(*attr) + 425 + sizeof(*stattr); 426 427 if ((buffer = vmalloc(tlen)) == NULL) { 428 plog(LLV_ERROR, LOCATION, NULL, "Cannot allocate buffer\n"); 429 return; 430 } 431 432 attr = (struct isakmp_pl_attr *)buffer->v; 433 memset(attr, 0, tlen); 434 435 attr->h.len = htons(tlen); 436 attr->type = ISAKMP_CFG_SET; 437 attr->id = htons(id); 438 439 stattr = (struct isakmp_data *)(attr + 1); 440 stattr->type = htons(XAUTH_STATUS | ISAKMP_GEN_TV); 441 stattr->lorv = htons(status); 442 443 isakmp_cfg_send(iph1, buffer, 444 ISAKMP_NPTYPE_ATTR, ISAKMP_FLAG_E, 1); 445 446 vfree(buffer); 447 448 return; 449 } 450 451 #ifdef HAVE_LIBRADIUS 452 int 453 xauth_radius_init(void) 454 { 455 /* For first time use, initialize Radius */ 456 if ((isakmp_cfg_config.authsource == ISAKMP_CFG_AUTH_RADIUS) && 457 (radius_auth_state == NULL)) { 458 if ((radius_auth_state = rad_auth_open()) == NULL) { 459 plog(LLV_ERROR, LOCATION, NULL, 460 "Cannot init libradius\n"); 461 return -1; 462 } 463 464 if (rad_config(radius_auth_state, NULL) != 0) { 465 plog(LLV_ERROR, LOCATION, NULL, 466 "Cannot open librarius config file: %s\n", 467 rad_strerror(radius_auth_state)); 468 rad_close(radius_auth_state); 469 radius_auth_state = NULL; 470 return -1; 471 } 472 } 473 474 if ((isakmp_cfg_config.accounting == ISAKMP_CFG_ACCT_RADIUS) && 475 (radius_acct_state == NULL)) { 476 if ((radius_acct_state = rad_acct_open()) == NULL) { 477 plog(LLV_ERROR, LOCATION, NULL, 478 "Cannot init libradius\n"); 479 return -1; 480 } 481 482 if (rad_config(radius_acct_state, NULL) != 0) { 483 plog(LLV_ERROR, LOCATION, NULL, 484 "Cannot open librarius config file: %s\n", 485 rad_strerror(radius_acct_state)); 486 rad_close(radius_acct_state); 487 radius_acct_state = NULL; 488 return -1; 489 } 490 } 491 492 return 0; 493 } 494 495 int 496 xauth_login_radius(iph1, usr, pwd) 497 struct ph1handle *iph1; 498 char *usr; 499 char *pwd; 500 { 501 int res; 502 const void *data; 503 size_t len; 504 int type; 505 506 if (rad_create_request(radius_auth_state, RAD_ACCESS_REQUEST) != 0) { 507 plog(LLV_ERROR, LOCATION, NULL, 508 "rad_create_request failed: %s\n", 509 rad_strerror(radius_auth_state)); 510 return -1; 511 } 512 513 if (rad_put_string(radius_auth_state, RAD_USER_NAME, usr) != 0) { 514 plog(LLV_ERROR, LOCATION, NULL, 515 "rad_put_string failed: %s\n", 516 rad_strerror(radius_auth_state)); 517 return -1; 518 } 519 520 if (rad_put_string(radius_auth_state, RAD_USER_PASSWORD, pwd) != 0) { 521 plog(LLV_ERROR, LOCATION, NULL, 522 "rad_put_string failed: %s\n", 523 rad_strerror(radius_auth_state)); 524 return -1; 525 } 526 527 if (isakmp_cfg_radius_common(radius_auth_state, iph1->mode_cfg->port) != 0) 528 return -1; 529 530 switch (res = rad_send_request(radius_auth_state)) { 531 case RAD_ACCESS_ACCEPT: 532 while ((type = rad_get_attr(radius_auth_state, &data, &len)) != 0) { 533 switch (type) { 534 case RAD_FRAMED_IP_ADDRESS: 535 iph1->mode_cfg->addr4 = rad_cvt_addr(data); 536 iph1->mode_cfg->flags 537 |= ISAKMP_CFG_ADDR4_EXTERN; 538 break; 539 540 case RAD_FRAMED_IP_NETMASK: 541 iph1->mode_cfg->mask4 = rad_cvt_addr(data); 542 iph1->mode_cfg->flags 543 |= ISAKMP_CFG_MASK4_EXTERN; 544 break; 545 546 default: 547 plog(LLV_INFO, LOCATION, NULL, 548 "Unexpected attribute: %d\n", type); 549 break; 550 } 551 } 552 553 return 0; 554 break; 555 556 case RAD_ACCESS_REJECT: 557 return -1; 558 break; 559 560 case -1: 561 plog(LLV_ERROR, LOCATION, NULL, 562 "rad_send_request failed: %s\n", 563 rad_strerror(radius_auth_state)); 564 return -1; 565 break; 566 default: 567 plog(LLV_ERROR, LOCATION, NULL, 568 "rad_send_request returned %d\n", res); 569 return -1; 570 break; 571 } 572 573 return -1; 574 } 575 #endif 576 577 #ifdef HAVE_LIBPAM 578 static int 579 PAM_conv(msg_count, msg, rsp, dontcare) 580 int msg_count; 581 const struct pam_message **msg; 582 struct pam_response **rsp; 583 void *dontcare; 584 { 585 int i; 586 int replies = 0; 587 struct pam_response *reply = NULL; 588 589 if ((reply = racoon_malloc(sizeof(*reply) * msg_count)) == NULL) 590 return PAM_CONV_ERR; 591 bzero(reply, sizeof(*reply) * msg_count); 592 593 for (i = 0; i < msg_count; i++) { 594 switch (msg[i]->msg_style) { 595 case PAM_PROMPT_ECHO_ON: 596 /* Send the username, libpam frees resp */ 597 reply[i].resp_retcode = PAM_SUCCESS; 598 if ((reply[i].resp = strdup(PAM_usr)) == NULL) { 599 plog(LLV_ERROR, LOCATION, 600 NULL, "strdup failed\n"); 601 exit(1); 602 } 603 break; 604 605 case PAM_PROMPT_ECHO_OFF: 606 /* Send the password, libpam frees resp */ 607 reply[i].resp_retcode = PAM_SUCCESS; 608 if ((reply[i].resp = strdup(PAM_pwd)) == NULL) { 609 plog(LLV_ERROR, LOCATION, 610 NULL, "strdup failed\n"); 611 exit(1); 612 } 613 break; 614 615 case PAM_TEXT_INFO: 616 case PAM_ERROR_MSG: 617 reply[i].resp_retcode = PAM_SUCCESS; 618 reply[i].resp = NULL; 619 break; 620 621 default: 622 if (reply != NULL) 623 racoon_free(reply); 624 return PAM_CONV_ERR; 625 break; 626 } 627 } 628 629 if (reply != NULL) 630 *rsp = reply; 631 632 return PAM_SUCCESS; 633 } 634 635 int 636 xauth_login_pam(port, raddr, usr, pwd) 637 int port; 638 struct sockaddr *raddr; 639 char *usr; 640 char *pwd; 641 { 642 int error; 643 int res; 644 const void *data; 645 size_t len; 646 int type; 647 char *remote = NULL; 648 pam_handle_t *pam = NULL; 649 650 if (isakmp_cfg_config.port_pool == NULL) { 651 plog(LLV_ERROR, LOCATION, NULL, 652 "isakmp_cfg_config.port_pool == NULL\n"); 653 return -1; 654 } 655 656 if ((error = pam_start("racoon", usr, 657 &PAM_chat, &isakmp_cfg_config.port_pool[port].pam)) != 0) { 658 if (isakmp_cfg_config.port_pool[port].pam == NULL) { 659 plog(LLV_ERROR, LOCATION, NULL, "pam_start failed\n"); 660 return -1; 661 } else { 662 plog(LLV_ERROR, LOCATION, NULL, 663 "pam_start failed: %s\n", 664 pam_strerror(isakmp_cfg_config.port_pool[port].pam, 665 error)); 666 goto out; 667 } 668 } 669 pam = isakmp_cfg_config.port_pool[port].pam; 670 671 if ((remote = strdup(saddrwop2str(raddr))) == NULL) { 672 plog(LLV_ERROR, LOCATION, NULL, 673 "cannot allocate memory: %s\n", strerror(errno)); 674 goto out; 675 } 676 677 if ((error = pam_set_item(pam, PAM_RHOST, remote)) != 0) { 678 plog(LLV_ERROR, LOCATION, NULL, 679 "pam_set_item failed: %s\n", 680 pam_strerror(pam, error)); 681 goto out; 682 } 683 684 PAM_usr = usr; 685 PAM_pwd = pwd; 686 error = pam_authenticate(pam, 0); 687 PAM_usr = NULL; 688 PAM_pwd = NULL; 689 if (error != 0) { 690 plog(LLV_ERROR, LOCATION, NULL, 691 "pam_authenticate failed: %s\n", 692 pam_strerror(pam, error)); 693 goto out; 694 } 695 696 if ((error = pam_acct_mgmt(pam, 0)) != 0) { 697 plog(LLV_ERROR, LOCATION, NULL, 698 "pam_acct_mgmt failed: %s\n", 699 pam_strerror(pam, error)); 700 goto out; 701 } 702 703 if ((error = pam_setcred(pam, 0)) != 0) { 704 plog(LLV_ERROR, LOCATION, NULL, 705 "pam_setcred failed: %s\n", 706 pam_strerror(pam, error)); 707 goto out; 708 } 709 710 if (remote != NULL) 711 free(remote); 712 713 return 0; 714 715 out: 716 pam_end(pam, error); 717 isakmp_cfg_config.port_pool[port].pam = NULL; 718 if (remote != NULL) 719 free(remote); 720 return -1; 721 } 722 #endif 723 724 #ifdef HAVE_LIBLDAP 725 int 726 xauth_ldap_init(void) 727 { 728 int tmplen; 729 int error = -1; 730 731 xauth_ldap_config.pver = 3; 732 xauth_ldap_config.host = NULL; 733 xauth_ldap_config.port = LDAP_PORT; 734 xauth_ldap_config.base = NULL; 735 xauth_ldap_config.subtree = 0; 736 xauth_ldap_config.bind_dn = NULL; 737 xauth_ldap_config.bind_pw = NULL; 738 xauth_ldap_config.auth_type = LDAP_AUTH_SIMPLE; 739 xauth_ldap_config.attr_user = NULL; 740 xauth_ldap_config.attr_addr = NULL; 741 xauth_ldap_config.attr_mask = NULL; 742 xauth_ldap_config.attr_group = NULL; 743 xauth_ldap_config.attr_member = NULL; 744 745 /* set default host */ 746 tmplen = strlen(LDAP_DFLT_HOST); 747 xauth_ldap_config.host = vmalloc(tmplen); 748 if (xauth_ldap_config.host == NULL) 749 goto out; 750 memcpy(xauth_ldap_config.host->v, LDAP_DFLT_HOST, tmplen); 751 752 /* set default user naming attribute */ 753 tmplen = strlen(LDAP_DFLT_USER); 754 xauth_ldap_config.attr_user = vmalloc(tmplen); 755 if (xauth_ldap_config.attr_user == NULL) 756 goto out; 757 memcpy(xauth_ldap_config.attr_user->v, LDAP_DFLT_USER, tmplen); 758 759 /* set default address attribute */ 760 tmplen = strlen(LDAP_DFLT_ADDR); 761 xauth_ldap_config.attr_addr = vmalloc(tmplen); 762 if (xauth_ldap_config.attr_addr == NULL) 763 goto out; 764 memcpy(xauth_ldap_config.attr_addr->v, LDAP_DFLT_ADDR, tmplen); 765 766 /* set default netmask attribute */ 767 tmplen = strlen(LDAP_DFLT_MASK); 768 xauth_ldap_config.attr_mask = vmalloc(tmplen); 769 if (xauth_ldap_config.attr_mask == NULL) 770 goto out; 771 memcpy(xauth_ldap_config.attr_mask->v, LDAP_DFLT_MASK, tmplen); 772 773 /* set default group naming attribute */ 774 tmplen = strlen(LDAP_DFLT_GROUP); 775 xauth_ldap_config.attr_group = vmalloc(tmplen); 776 if (xauth_ldap_config.attr_group == NULL) 777 goto out; 778 memcpy(xauth_ldap_config.attr_group->v, LDAP_DFLT_GROUP, tmplen); 779 780 /* set default member attribute */ 781 tmplen = strlen(LDAP_DFLT_MEMBER); 782 xauth_ldap_config.attr_member = vmalloc(tmplen); 783 if (xauth_ldap_config.attr_member == NULL) 784 goto out; 785 memcpy(xauth_ldap_config.attr_member->v, LDAP_DFLT_MEMBER, tmplen); 786 787 error = 0; 788 out: 789 if (error != 0) 790 plog(LLV_ERROR, LOCATION, NULL, "cannot allocate memory\n"); 791 792 return error; 793 } 794 795 int 796 xauth_login_ldap(iph1, usr, pwd) 797 struct ph1handle *iph1; 798 char *usr; 799 char *pwd; 800 { 801 int rtn = -1; 802 int res = -1; 803 LDAP *ld = NULL; 804 LDAPMessage *lr = NULL; 805 LDAPMessage *le = NULL; 806 struct berval cred; 807 struct berval **bv = NULL; 808 struct timeval timeout; 809 char *init = NULL; 810 char *filter = NULL; 811 char *atlist[3]; 812 char *basedn = NULL; 813 char *userdn = NULL; 814 int tmplen = 0; 815 int ecount = 0; 816 int scope = LDAP_SCOPE_ONE; 817 818 atlist[0] = NULL; 819 atlist[1] = NULL; 820 atlist[2] = NULL; 821 822 /* build our initialization url */ 823 tmplen = strlen("ldap://:") + 17; 824 tmplen += strlen(xauth_ldap_config.host->v); 825 init = racoon_malloc(tmplen); 826 if (init == NULL) { 827 plog(LLV_ERROR, LOCATION, NULL, 828 "unable to alloc ldap init url\n"); 829 goto ldap_end; 830 } 831 sprintf(init,"ldap://%s:%d", 832 xauth_ldap_config.host->v, 833 xauth_ldap_config.port ); 834 835 /* initialize the ldap handle */ 836 res = ldap_initialize(&ld, init); 837 if (res != LDAP_SUCCESS) { 838 plog(LLV_ERROR, LOCATION, NULL, 839 "ldap_initialize failed: %s\n", 840 ldap_err2string(res)); 841 goto ldap_end; 842 } 843 844 /* initialize the protocol version */ 845 ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, 846 &xauth_ldap_config.pver); 847 848 /* 849 * attempt to bind to the ldap server. 850 * default to anonymous bind unless a 851 * user dn and password has been 852 * specified in our configuration 853 */ 854 if ((xauth_ldap_config.bind_dn != NULL)&& 855 (xauth_ldap_config.bind_pw != NULL)) 856 { 857 cred.bv_val = xauth_ldap_config.bind_pw->v; 858 cred.bv_len = strlen( cred.bv_val ); 859 res = ldap_sasl_bind_s(ld, 860 xauth_ldap_config.bind_dn->v, NULL, &cred, 861 NULL, NULL, NULL); 862 } 863 else 864 { 865 res = ldap_sasl_bind_s(ld, 866 NULL, NULL, NULL, 867 NULL, NULL, NULL); 868 } 869 870 if (res!=LDAP_SUCCESS) { 871 plog(LLV_ERROR, LOCATION, NULL, 872 "ldap_sasl_bind_s (search) failed: %s\n", 873 ldap_err2string(res)); 874 goto ldap_end; 875 } 876 877 /* build an ldap user search filter */ 878 tmplen = strlen(xauth_ldap_config.attr_user->v); 879 tmplen += 1; 880 tmplen += strlen(usr); 881 tmplen += 1; 882 filter = racoon_malloc(tmplen); 883 if (filter == NULL) { 884 plog(LLV_ERROR, LOCATION, NULL, 885 "unable to alloc ldap search filter buffer\n"); 886 goto ldap_end; 887 } 888 sprintf(filter, "%s=%s", 889 xauth_ldap_config.attr_user->v, usr); 890 891 /* build our return attribute list */ 892 tmplen = strlen(xauth_ldap_config.attr_addr->v) + 1; 893 atlist[0] = racoon_malloc(tmplen); 894 tmplen = strlen(xauth_ldap_config.attr_mask->v) + 1; 895 atlist[1] = racoon_malloc(tmplen); 896 if ((atlist[0] == NULL)||(atlist[1] == NULL)) { 897 plog(LLV_ERROR, LOCATION, NULL, 898 "unable to alloc ldap attrib list buffer\n"); 899 goto ldap_end; 900 } 901 strcpy(atlist[0],xauth_ldap_config.attr_addr->v); 902 strcpy(atlist[1],xauth_ldap_config.attr_mask->v); 903 904 /* attempt to locate the user dn */ 905 if (xauth_ldap_config.base != NULL) 906 basedn = xauth_ldap_config.base->v; 907 if (xauth_ldap_config.subtree) 908 scope = LDAP_SCOPE_SUBTREE; 909 timeout.tv_sec = 15; 910 timeout.tv_usec = 0; 911 res = ldap_search_ext_s(ld, basedn, scope, 912 filter, atlist, 0, NULL, NULL, 913 &timeout, 2, &lr); 914 if (res != LDAP_SUCCESS) { 915 plog(LLV_ERROR, LOCATION, NULL, 916 "ldap_search_ext_s failed: %s\n", 917 ldap_err2string(res)); 918 goto ldap_end; 919 } 920 921 /* check the number of ldap entries returned */ 922 ecount = ldap_count_entries(ld, lr); 923 if (ecount < 1) { 924 plog(LLV_WARNING, LOCATION, NULL, 925 "no ldap results for filter \'%s\'\n", 926 filter); 927 goto ldap_end; 928 } 929 if (ecount > 1) { 930 plog(LLV_WARNING, LOCATION, NULL, 931 "multiple (%i) ldap results for filter \'%s\'\n", 932 ecount, filter); 933 } 934 935 /* obtain the dn from the first result */ 936 le = ldap_first_entry(ld, lr); 937 if (le == NULL) { 938 plog(LLV_ERROR, LOCATION, NULL, 939 "ldap_first_entry failed: invalid entry returned\n"); 940 goto ldap_end; 941 } 942 userdn = ldap_get_dn(ld, le); 943 if (userdn == NULL) { 944 plog(LLV_ERROR, LOCATION, NULL, 945 "ldap_get_dn failed: invalid string returned\n"); 946 goto ldap_end; 947 } 948 949 /* cache the user dn in the xauth state */ 950 iph1->mode_cfg->xauth.udn = racoon_malloc(strlen(userdn)+1); 951 strcpy(iph1->mode_cfg->xauth.udn,userdn); 952 953 /* retrieve modecfg address */ 954 bv = ldap_get_values_len(ld, le, xauth_ldap_config.attr_addr->v); 955 if (bv != NULL) { 956 char tmpaddr[16]; 957 /* sanity check for address value */ 958 if ((bv[0]->bv_len < 7)||(bv[0]->bv_len > 15)) { 959 plog(LLV_DEBUG, LOCATION, NULL, 960 "ldap returned invalid modecfg address\n"); 961 ldap_value_free_len(bv); 962 goto ldap_end; 963 } 964 memcpy(tmpaddr,bv[0]->bv_val,bv[0]->bv_len); 965 tmpaddr[bv[0]->bv_len]=0; 966 iph1->mode_cfg->addr4.s_addr = inet_addr(tmpaddr); 967 iph1->mode_cfg->flags |= ISAKMP_CFG_ADDR4_EXTERN; 968 plog(LLV_INFO, LOCATION, NULL, 969 "ldap returned modecfg address %s\n", tmpaddr); 970 ldap_value_free_len(bv); 971 } 972 973 /* retrieve modecfg netmask */ 974 bv = ldap_get_values_len(ld, le, xauth_ldap_config.attr_mask->v); 975 if (bv != NULL) { 976 char tmpmask[16]; 977 /* sanity check for netmask value */ 978 if ((bv[0]->bv_len < 7)||(bv[0]->bv_len > 15)) { 979 plog(LLV_DEBUG, LOCATION, NULL, 980 "ldap returned invalid modecfg netmask\n"); 981 ldap_value_free_len(bv); 982 goto ldap_end; 983 } 984 memcpy(tmpmask,bv[0]->bv_val,bv[0]->bv_len); 985 tmpmask[bv[0]->bv_len]=0; 986 iph1->mode_cfg->mask4.s_addr = inet_addr(tmpmask); 987 iph1->mode_cfg->flags |= ISAKMP_CFG_MASK4_EXTERN; 988 plog(LLV_INFO, LOCATION, NULL, 989 "ldap returned modecfg netmask %s\n", tmpmask); 990 ldap_value_free_len(bv); 991 } 992 993 /* 994 * finally, use the dn and the xauth 995 * password to check the users given 996 * credentials by attempting to bind 997 * to the ldap server 998 */ 999 plog(LLV_INFO, LOCATION, NULL, 1000 "attempting ldap bind for dn \'%s\'\n", userdn); 1001 cred.bv_val = pwd; 1002 cred.bv_len = strlen( cred.bv_val ); 1003 res = ldap_sasl_bind_s(ld, 1004 userdn, NULL, &cred, 1005 NULL, NULL, NULL); 1006 if(res==LDAP_SUCCESS) 1007 rtn = 0; 1008 1009 ldap_end: 1010 1011 /* free ldap resources */ 1012 if (userdn != NULL) 1013 ldap_memfree(userdn); 1014 if (atlist[0] != NULL) 1015 racoon_free(atlist[0]); 1016 if (atlist[1] != NULL) 1017 racoon_free(atlist[1]); 1018 if (filter != NULL) 1019 racoon_free(filter); 1020 if (lr != NULL) 1021 ldap_msgfree(lr); 1022 if (init != NULL) 1023 racoon_free(init); 1024 1025 ldap_unbind_ext_s(ld, NULL, NULL); 1026 1027 return rtn; 1028 } 1029 1030 int 1031 xauth_group_ldap(udn, grp) 1032 char * udn; 1033 char * grp; 1034 { 1035 int rtn = -1; 1036 int res = -1; 1037 LDAP *ld = NULL; 1038 LDAPMessage *lr = NULL; 1039 LDAPMessage *le = NULL; 1040 struct berval cred; 1041 struct timeval timeout; 1042 char *init = NULL; 1043 char *filter = NULL; 1044 char *basedn = NULL; 1045 char *groupdn = NULL; 1046 int tmplen = 0; 1047 int ecount = 0; 1048 int scope = LDAP_SCOPE_ONE; 1049 1050 /* build our initialization url */ 1051 tmplen = strlen("ldap://:") + 17; 1052 tmplen += strlen(xauth_ldap_config.host->v); 1053 init = racoon_malloc(tmplen); 1054 if (init == NULL) { 1055 plog(LLV_ERROR, LOCATION, NULL, 1056 "unable to alloc ldap init url\n"); 1057 goto ldap_group_end; 1058 } 1059 sprintf(init,"ldap://%s:%d", 1060 xauth_ldap_config.host->v, 1061 xauth_ldap_config.port ); 1062 1063 /* initialize the ldap handle */ 1064 res = ldap_initialize(&ld, init); 1065 if (res != LDAP_SUCCESS) { 1066 plog(LLV_ERROR, LOCATION, NULL, 1067 "ldap_initialize failed: %s\n", 1068 ldap_err2string(res)); 1069 goto ldap_group_end; 1070 } 1071 1072 /* initialize the protocol version */ 1073 ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, 1074 &xauth_ldap_config.pver); 1075 1076 /* 1077 * attempt to bind to the ldap server. 1078 * default to anonymous bind unless a 1079 * user dn and password has been 1080 * specified in our configuration 1081 */ 1082 if ((xauth_ldap_config.bind_dn != NULL)&& 1083 (xauth_ldap_config.bind_pw != NULL)) 1084 { 1085 cred.bv_val = xauth_ldap_config.bind_pw->v; 1086 cred.bv_len = strlen( cred.bv_val ); 1087 res = ldap_sasl_bind_s(ld, 1088 xauth_ldap_config.bind_dn->v, NULL, &cred, 1089 NULL, NULL, NULL); 1090 } 1091 else 1092 { 1093 res = ldap_sasl_bind_s(ld, 1094 NULL, NULL, NULL, 1095 NULL, NULL, NULL); 1096 } 1097 1098 if (res!=LDAP_SUCCESS) { 1099 plog(LLV_ERROR, LOCATION, NULL, 1100 "ldap_sasl_bind_s (search) failed: %s\n", 1101 ldap_err2string(res)); 1102 goto ldap_group_end; 1103 } 1104 1105 /* build an ldap group search filter */ 1106 tmplen = strlen("(&(=)(=))") + 1; 1107 tmplen += strlen(xauth_ldap_config.attr_group->v); 1108 tmplen += strlen(grp); 1109 tmplen += strlen(xauth_ldap_config.attr_member->v); 1110 tmplen += strlen(udn); 1111 filter = racoon_malloc(tmplen); 1112 if (filter == NULL) { 1113 plog(LLV_ERROR, LOCATION, NULL, 1114 "unable to alloc ldap search filter buffer\n"); 1115 goto ldap_group_end; 1116 } 1117 sprintf(filter, "(&(%s=%s)(%s=%s))", 1118 xauth_ldap_config.attr_group->v, grp, 1119 xauth_ldap_config.attr_member->v, udn); 1120 1121 /* attempt to locate the group dn */ 1122 if (xauth_ldap_config.base != NULL) 1123 basedn = xauth_ldap_config.base->v; 1124 if (xauth_ldap_config.subtree) 1125 scope = LDAP_SCOPE_SUBTREE; 1126 timeout.tv_sec = 15; 1127 timeout.tv_usec = 0; 1128 res = ldap_search_ext_s(ld, basedn, scope, 1129 filter, NULL, 0, NULL, NULL, 1130 &timeout, 2, &lr); 1131 if (res != LDAP_SUCCESS) { 1132 plog(LLV_ERROR, LOCATION, NULL, 1133 "ldap_search_ext_s failed: %s\n", 1134 ldap_err2string(res)); 1135 goto ldap_group_end; 1136 } 1137 1138 /* check the number of ldap entries returned */ 1139 ecount = ldap_count_entries(ld, lr); 1140 if (ecount < 1) { 1141 plog(LLV_WARNING, LOCATION, NULL, 1142 "no ldap results for filter \'%s\'\n", 1143 filter); 1144 goto ldap_group_end; 1145 } 1146 1147 /* success */ 1148 rtn = 0; 1149 1150 /* obtain the dn from the first result */ 1151 le = ldap_first_entry(ld, lr); 1152 if (le == NULL) { 1153 plog(LLV_ERROR, LOCATION, NULL, 1154 "ldap_first_entry failed: invalid entry returned\n"); 1155 goto ldap_group_end; 1156 } 1157 groupdn = ldap_get_dn(ld, le); 1158 if (groupdn == NULL) { 1159 plog(LLV_ERROR, LOCATION, NULL, 1160 "ldap_get_dn failed: invalid string returned\n"); 1161 goto ldap_group_end; 1162 } 1163 1164 plog(LLV_INFO, LOCATION, NULL, 1165 "ldap membership group returned \'%s\'\n", groupdn); 1166 ldap_group_end: 1167 1168 /* free ldap resources */ 1169 if (groupdn != NULL) 1170 ldap_memfree(groupdn); 1171 if (filter != NULL) 1172 racoon_free(filter); 1173 if (lr != NULL) 1174 ldap_msgfree(lr); 1175 if (init != NULL) 1176 racoon_free(init); 1177 1178 ldap_unbind_ext_s(ld, NULL, NULL); 1179 1180 return rtn; 1181 } 1182 1183 #endif 1184 1185 #ifndef ANDROID_PATCHED 1186 1187 int 1188 xauth_login_system(usr, pwd) 1189 char *usr; 1190 char *pwd; 1191 { 1192 struct passwd *pw; 1193 char *cryptpwd; 1194 char *syscryptpwd; 1195 #ifdef HAVE_SHADOW_H 1196 struct spwd *spw; 1197 1198 if ((spw = getspnam(usr)) == NULL) 1199 return -1; 1200 1201 syscryptpwd = spw->sp_pwdp; 1202 #endif 1203 1204 if ((pw = getpwnam(usr)) == NULL) 1205 return -1; 1206 1207 #ifndef HAVE_SHADOW_H 1208 syscryptpwd = pw->pw_passwd; 1209 #endif 1210 1211 /* No root login. Ever. */ 1212 if (pw->pw_uid == 0) 1213 return -1; 1214 1215 if ((cryptpwd = crypt(pwd, syscryptpwd)) == NULL) 1216 return -1; 1217 1218 if (strcmp(cryptpwd, syscryptpwd) == 0) 1219 return 0; 1220 1221 return -1; 1222 } 1223 1224 #endif 1225 1226 int 1227 xauth_group_system(usr, grp) 1228 char * usr; 1229 char * grp; 1230 { 1231 struct group * gr; 1232 char * member; 1233 int index = 0; 1234 1235 gr = getgrnam(grp); 1236 if (gr == NULL) { 1237 plog(LLV_ERROR, LOCATION, NULL, 1238 "the system group name \'%s\' is unknown\n", 1239 grp); 1240 return -1; 1241 } 1242 1243 while ((member = gr->gr_mem[index++])!=NULL) { 1244 if (!strcmp(member,usr)) { 1245 plog(LLV_INFO, LOCATION, NULL, 1246 "membership validated\n"); 1247 return 0; 1248 } 1249 } 1250 1251 return -1; 1252 } 1253 1254 int 1255 xauth_check(iph1) 1256 struct ph1handle *iph1; 1257 { 1258 struct xauth_state *xst = &iph1->mode_cfg->xauth; 1259 1260 /* 1261 * Only the server side (edge device) really check for Xauth 1262 * status. It does it if the chose authmethod is using Xauth. 1263 * On the client side (roadwarrior), we don't check anything. 1264 */ 1265 switch (AUTHMETHOD(iph1)) { 1266 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_R: 1267 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_R: 1268 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_R: 1269 /* The following are not yet implemented */ 1270 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_R: 1271 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_R: 1272 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_R: 1273 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_R: 1274 if ((iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_XAUTH) == 0) { 1275 plog(LLV_ERROR, LOCATION, NULL, 1276 "Hybrid auth negotiated but peer did not " 1277 "announced as Xauth capable\n"); 1278 return -1; 1279 } 1280 1281 if (xst->status != XAUTHST_OK) { 1282 plog(LLV_ERROR, LOCATION, NULL, 1283 "Hybrid auth negotiated but peer did not " 1284 "succeed Xauth exchange\n"); 1285 return -1; 1286 } 1287 1288 return 0; 1289 break; 1290 default: 1291 return 0; 1292 break; 1293 } 1294 1295 return 0; 1296 } 1297 1298 int 1299 group_check(iph1, grp_list, grp_count) 1300 struct ph1handle *iph1; 1301 char **grp_list; 1302 int grp_count; 1303 { 1304 int res = -1; 1305 int grp_index = 0; 1306 char * usr = NULL; 1307 1308 /* check for presence of modecfg data */ 1309 1310 if(iph1->mode_cfg == NULL) { 1311 plog(LLV_ERROR, LOCATION, NULL, 1312 "xauth group specified but modecfg not found\n"); 1313 return res; 1314 } 1315 1316 /* loop through our group list */ 1317 1318 for(; grp_index < grp_count; grp_index++) { 1319 1320 /* check for presence of xauth data */ 1321 1322 usr = iph1->mode_cfg->xauth.authdata.generic.usr; 1323 1324 if(usr == NULL) { 1325 plog(LLV_ERROR, LOCATION, NULL, 1326 "xauth group specified but xauth not found\n"); 1327 return res; 1328 } 1329 1330 /* call appropriate group validation funtion */ 1331 1332 switch (isakmp_cfg_config.groupsource) { 1333 1334 case ISAKMP_CFG_GROUP_SYSTEM: 1335 res = xauth_group_system( 1336 usr, 1337 grp_list[grp_index]); 1338 break; 1339 1340 #ifdef HAVE_LIBLDAP 1341 case ISAKMP_CFG_GROUP_LDAP: 1342 res = xauth_group_ldap( 1343 iph1->mode_cfg->xauth.udn, 1344 grp_list[grp_index]); 1345 break; 1346 #endif 1347 1348 default: 1349 /* we should never get here */ 1350 plog(LLV_ERROR, LOCATION, NULL, 1351 "Unknown group auth source\n"); 1352 break; 1353 } 1354 1355 if( !res ) { 1356 plog(LLV_INFO, LOCATION, NULL, 1357 "user \"%s\" is a member of group \"%s\"\n", 1358 usr, 1359 grp_list[grp_index]); 1360 break; 1361 } else { 1362 plog(LLV_INFO, LOCATION, NULL, 1363 "user \"%s\" is not a member of group \"%s\"\n", 1364 usr, 1365 grp_list[grp_index]); 1366 } 1367 } 1368 1369 return res; 1370 } 1371 1372 vchar_t * 1373 isakmp_xauth_req(iph1, attr) 1374 struct ph1handle *iph1; 1375 struct isakmp_data *attr; 1376 { 1377 int type; 1378 size_t dlen = 0; 1379 int ashort = 0; 1380 int value = 0; 1381 vchar_t *buffer = NULL; 1382 char *mraw = NULL, *mdata; 1383 char *data; 1384 vchar_t *usr = NULL; 1385 vchar_t *pwd = NULL; 1386 size_t skip = 0; 1387 int freepwd = 0; 1388 1389 if ((iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_XAUTH) == 0) { 1390 plog(LLV_ERROR, LOCATION, NULL, 1391 "Xauth mode config request but peer " 1392 "did not declare itself as Xauth capable\n"); 1393 return NULL; 1394 } 1395 1396 type = ntohs(attr->type) & ~ISAKMP_GEN_MASK; 1397 1398 /* Sanity checks */ 1399 switch(type) { 1400 case XAUTH_TYPE: 1401 if ((ntohs(attr->type) & ISAKMP_GEN_TV) == 0) { 1402 plog(LLV_ERROR, LOCATION, NULL, 1403 "Unexpected long XAUTH_TYPE attribute\n"); 1404 return NULL; 1405 } 1406 if (ntohs(attr->lorv) != XAUTH_TYPE_GENERIC) { 1407 plog(LLV_ERROR, LOCATION, NULL, 1408 "Unsupported Xauth authentication %d\n", 1409 ntohs(attr->lorv)); 1410 return NULL; 1411 } 1412 ashort = 1; 1413 dlen = 0; 1414 value = XAUTH_TYPE_GENERIC; 1415 break; 1416 1417 case XAUTH_USER_NAME: 1418 if (!iph1->rmconf->xauth || !iph1->rmconf->xauth->login) { 1419 plog(LLV_ERROR, LOCATION, NULL, "Xauth performed " 1420 "with no login supplied\n"); 1421 return NULL; 1422 } 1423 1424 dlen = iph1->rmconf->xauth->login->l - 1; 1425 iph1->rmconf->xauth->state |= XAUTH_SENT_USERNAME; 1426 break; 1427 1428 #ifdef ANDROID_PATCHED 1429 case XAUTH_PASSCODE: 1430 #endif 1431 case XAUTH_USER_PASSWORD: 1432 if (!iph1->rmconf->xauth || !iph1->rmconf->xauth->login) 1433 return NULL; 1434 1435 skip = sizeof(struct ipsecdoi_id_b); 1436 usr = vmalloc(iph1->rmconf->xauth->login->l - 1 + skip); 1437 if (usr == NULL) { 1438 plog(LLV_ERROR, LOCATION, NULL, 1439 "Cannot allocate memory\n"); 1440 return NULL; 1441 } 1442 memset(usr->v, 0, skip); 1443 memcpy(usr->v + skip, 1444 iph1->rmconf->xauth->login->v, 1445 iph1->rmconf->xauth->login->l - 1); 1446 1447 if (iph1->rmconf->xauth->pass) { 1448 /* A key given through racoonctl */ 1449 pwd = iph1->rmconf->xauth->pass; 1450 } else { 1451 if ((pwd = getpskbyname(usr)) == NULL) { 1452 plog(LLV_ERROR, LOCATION, NULL, 1453 "No password was found for login %s\n", 1454 iph1->rmconf->xauth->login->v); 1455 vfree(usr); 1456 return NULL; 1457 } 1458 /* We have to free it before returning */ 1459 freepwd = 1; 1460 } 1461 vfree(usr); 1462 1463 iph1->rmconf->xauth->state |= XAUTH_SENT_PASSWORD; 1464 dlen = pwd->l; 1465 1466 break; 1467 case XAUTH_MESSAGE: 1468 if ((ntohs(attr->type) & ISAKMP_GEN_TV) == 0) { 1469 dlen = ntohs(attr->lorv); 1470 if (dlen > 0) { 1471 mraw = (char*)(attr + 1); 1472 mdata = binsanitize(mraw, dlen); 1473 if (mdata == NULL) { 1474 plog(LLV_ERROR, LOCATION, iph1->remote, 1475 "Cannot allocate memory\n"); 1476 return NULL; 1477 } 1478 plog(LLV_NOTIFY,LOCATION, iph1->remote, 1479 "XAUTH Message: '%s'.\n", 1480 mdata); 1481 racoon_free(mdata); 1482 } 1483 } 1484 return NULL; 1485 default: 1486 plog(LLV_WARNING, LOCATION, NULL, 1487 "Ignored attribute %s\n", s_isakmp_cfg_type(type)); 1488 return NULL; 1489 break; 1490 } 1491 1492 if ((buffer = vmalloc(sizeof(*attr) + dlen)) == NULL) { 1493 plog(LLV_ERROR, LOCATION, NULL, 1494 "Cannot allocate memory\n"); 1495 goto out; 1496 } 1497 1498 attr = (struct isakmp_data *)buffer->v; 1499 if (ashort) { 1500 attr->type = htons(type | ISAKMP_GEN_TV); 1501 attr->lorv = htons(value); 1502 goto out; 1503 } 1504 1505 attr->type = htons(type | ISAKMP_GEN_TLV); 1506 attr->lorv = htons(dlen); 1507 data = (char *)(attr + 1); 1508 1509 switch(type) { 1510 case XAUTH_USER_NAME: 1511 /* 1512 * iph1->rmconf->xauth->login->v is valid, 1513 * we just checked it in the previous switch case 1514 */ 1515 memcpy(data, iph1->rmconf->xauth->login->v, dlen); 1516 break; 1517 #ifdef ANDROID_PATCHED 1518 case XAUTH_PASSCODE: 1519 #endif 1520 case XAUTH_USER_PASSWORD: 1521 memcpy(data, pwd->v, dlen); 1522 break; 1523 default: 1524 break; 1525 } 1526 1527 out: 1528 if (freepwd) 1529 vfree(pwd); 1530 1531 return buffer; 1532 } 1533 1534 vchar_t * 1535 isakmp_xauth_set(iph1, attr) 1536 struct ph1handle *iph1; 1537 struct isakmp_data *attr; 1538 { 1539 int type; 1540 vchar_t *buffer = NULL; 1541 char *data; 1542 struct xauth_state *xst; 1543 size_t dlen = 0; 1544 char* mraw = NULL, *mdata; 1545 1546 if ((iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_XAUTH) == 0) { 1547 plog(LLV_ERROR, LOCATION, NULL, 1548 "Xauth mode config set but peer " 1549 "did not declare itself as Xauth capable\n"); 1550 return NULL; 1551 } 1552 1553 type = ntohs(attr->type) & ~ISAKMP_GEN_MASK; 1554 1555 switch(type) { 1556 case XAUTH_STATUS: 1557 /* 1558 * We should only receive ISAKMP mode_cfg SET XAUTH_STATUS 1559 * when running as a client (initiator). 1560 */ 1561 xst = &iph1->mode_cfg->xauth; 1562 switch(AUTHMETHOD(iph1)) { 1563 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I: 1564 case FICTIVE_AUTH_METHOD_XAUTH_PSKEY_I: 1565 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_I: 1566 /* Not implemented ... */ 1567 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_I: 1568 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_I: 1569 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_I: 1570 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_I: 1571 break; 1572 default: 1573 plog(LLV_ERROR, LOCATION, NULL, 1574 "Unexpected XAUTH_STATUS_OK\n"); 1575 return NULL; 1576 break; 1577 } 1578 1579 /* If we got a failure, delete iph1 */ 1580 if (ntohs(attr->lorv) != XAUTH_STATUS_OK) { 1581 plog(LLV_ERROR, LOCATION, NULL, 1582 "Xauth authentication failed\n"); 1583 1584 EVT_PUSH(iph1->local, iph1->remote, 1585 EVTT_XAUTH_FAILED, NULL); 1586 1587 iph1->mode_cfg->flags |= ISAKMP_CFG_DELETE_PH1; 1588 } else { 1589 EVT_PUSH(iph1->local, iph1->remote, 1590 EVTT_XAUTH_SUCCESS, NULL); 1591 } 1592 1593 1594 /* We acknowledge it */ 1595 break; 1596 case XAUTH_MESSAGE: 1597 if ((ntohs(attr->type) & ISAKMP_GEN_TV) == 0) { 1598 dlen = ntohs(attr->lorv); 1599 if (dlen > 0) { 1600 mraw = (char*)(attr + 1); 1601 mdata = binsanitize(mraw, dlen); 1602 if (mdata == NULL) { 1603 plog(LLV_ERROR, LOCATION, iph1->remote, 1604 "Cannot allocate memory\n"); 1605 return NULL; 1606 } 1607 plog(LLV_NOTIFY,LOCATION, iph1->remote, 1608 "XAUTH Message: '%s'.\n", 1609 mdata); 1610 racoon_free(mdata); 1611 } 1612 } 1613 1614 default: 1615 plog(LLV_WARNING, LOCATION, NULL, 1616 "Ignored attribute %s\n", s_isakmp_cfg_type(type)); 1617 return NULL; 1618 break; 1619 } 1620 1621 if ((buffer = vmalloc(sizeof(*attr))) == NULL) { 1622 plog(LLV_ERROR, LOCATION, NULL, 1623 "Cannot allocate memory\n"); 1624 return NULL; 1625 } 1626 1627 attr = (struct isakmp_data *)buffer->v; 1628 attr->type = htons(type | ISAKMP_GEN_TV); 1629 attr->lorv = htons(0); 1630 1631 return buffer; 1632 } 1633 1634 1635 void 1636 xauth_rmstate(xst) 1637 struct xauth_state *xst; 1638 { 1639 switch (xst->authtype) { 1640 case XAUTH_TYPE_GENERIC: 1641 if (xst->authdata.generic.usr) 1642 racoon_free(xst->authdata.generic.usr); 1643 1644 if (xst->authdata.generic.pwd) 1645 racoon_free(xst->authdata.generic.pwd); 1646 1647 break; 1648 1649 case XAUTH_TYPE_CHAP: 1650 case XAUTH_TYPE_OTP: 1651 case XAUTH_TYPE_SKEY: 1652 plog(LLV_WARNING, LOCATION, NULL, 1653 "Unsupported authtype %d\n", xst->authtype); 1654 break; 1655 1656 default: 1657 plog(LLV_WARNING, LOCATION, NULL, 1658 "Unexpected authtype %d\n", xst->authtype); 1659 break; 1660 } 1661 1662 #ifdef HAVE_LIBLDAP 1663 if (xst->udn != NULL) 1664 racoon_free(xst->udn); 1665 #endif 1666 return; 1667 } 1668 1669 int 1670 xauth_rmconf_used(xauth_rmconf) 1671 struct xauth_rmconf **xauth_rmconf; 1672 { 1673 if (*xauth_rmconf == NULL) { 1674 *xauth_rmconf = racoon_malloc(sizeof(**xauth_rmconf)); 1675 if (*xauth_rmconf == NULL) { 1676 plog(LLV_ERROR, LOCATION, NULL, 1677 "xauth_rmconf_used: malloc failed\n"); 1678 return -1; 1679 } 1680 1681 (*xauth_rmconf)->login = NULL; 1682 (*xauth_rmconf)->pass = NULL; 1683 (*xauth_rmconf)->state = 0; 1684 } 1685 1686 return 0; 1687 } 1688 1689 void 1690 xauth_rmconf_delete(xauth_rmconf) 1691 struct xauth_rmconf **xauth_rmconf; 1692 { 1693 if (*xauth_rmconf != NULL) { 1694 if ((*xauth_rmconf)->login != NULL) 1695 vfree((*xauth_rmconf)->login); 1696 if ((*xauth_rmconf)->pass != NULL) 1697 vfree((*xauth_rmconf)->pass); 1698 1699 racoon_free(*xauth_rmconf); 1700 *xauth_rmconf = NULL; 1701 } 1702 1703 return; 1704 } 1705
