1 /* $NetBSD: isakmp_xauth.c,v 1.11.6.2 2009/04/20 13:35:36 tteras Exp $ */
2
3 /* Id: isakmp_xauth.c,v 1.38 2006/08/22 18:17:17 manubsd Exp */
4
5 /*
6 * Copyright (C) 2004-2005 Emmanuel Dreyfus
7 * All rights reserved.
8 *
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
11 * are met:
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 * 2. Redistributions in binary form must reproduce the above copyright
15 * notice, this list of conditions and the following disclaimer in the
16 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the project nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * SUCH DAMAGE.
32 */
33
34 #include "config.h"
35
36 #include <sys/types.h>
37 #include <sys/param.h>
38 #include <sys/socket.h>
39 #include <sys/queue.h>
40
41 #include <netinet/in.h>
42
43 #include <stdlib.h>
44 #include <stdio.h>
45 #include <string.h>
46 #include <errno.h>
47 #include <pwd.h>
48 #include <grp.h>
49 #if TIME_WITH_SYS_TIME
50 # include <sys/time.h>
51 # include <time.h>
52 #else
53 # if HAVE_SYS_TIME_H
54 # include <sys/time.h>
55 # else
56 # include <time.h>
57 # endif
58 #endif
59 #include <netdb.h>
60 #ifdef HAVE_UNISTD_H
61 #include <unistd.h>
62 #endif
63 #include <ctype.h>
64 #include <resolv.h>
65
66 #ifdef HAVE_SHADOW_H
67 #include <shadow.h>
68 #endif
69
70 #include "var.h"
71 #include "misc.h"
72 #include "vmbuf.h"
73 #include "plog.h"
74 #include "sockmisc.h"
75 #include "schedule.h"
76 #include "debug.h"
77
78 #include "crypto_openssl.h"
79 #include "isakmp_var.h"
80 #include "isakmp.h"
81 #include "admin.h"
82 #include "privsep.h"
83 #include "evt.h"
84 #include "handler.h"
85 #include "throttle.h"
86 #include "remoteconf.h"
87 #include "isakmp_inf.h"
88 #include "isakmp_xauth.h"
89 #include "isakmp_unity.h"
90 #include "isakmp_cfg.h"
91 #include "strnames.h"
92 #include "ipsec_doi.h"
93 #include "remoteconf.h"
94 #include "localconf.h"
95
96 #ifdef HAVE_LIBRADIUS
97 #include <radlib.h>
98
99 struct rad_handle *radius_auth_state = NULL;
100 struct rad_handle *radius_acct_state = NULL;
101 #endif
102
103 #ifdef HAVE_LIBPAM
104 #include <security/pam_appl.h>
105
106 static char *PAM_usr = NULL;
107 static char *PAM_pwd = NULL;
108 static int PAM_conv(int, const struct pam_message **,
109 struct pam_response **, void *);
110 static struct pam_conv PAM_chat = { &PAM_conv, NULL };
111 #endif
112
113 #ifdef HAVE_LIBLDAP
114 #include "ldap.h"
115 #include <arpa/inet.h>
116 struct xauth_ldap_config xauth_ldap_config;
117 #endif
118
119 void
xauth_sendreq(iph1)120 xauth_sendreq(iph1)
121 struct ph1handle *iph1;
122 {
123 vchar_t *buffer;
124 struct isakmp_pl_attr *attr;
125 struct isakmp_data *typeattr;
126 struct isakmp_data *usrattr;
127 struct isakmp_data *pwdattr;
128 struct xauth_state *xst = &iph1->mode_cfg->xauth;
129 size_t tlen;
130
131 /* Status checks */
132 if (iph1->status != PHASE1ST_ESTABLISHED) {
133 plog(LLV_ERROR, LOCATION, NULL,
134 "Xauth request while phase 1 is not completed\n");
135 return;
136 }
137
138 if (xst->status != XAUTHST_NOTYET) {
139 plog(LLV_ERROR, LOCATION, NULL,
140 "Xauth request whith Xauth state %d\n", xst->status);
141 return;
142 }
143
144 plog(LLV_INFO, LOCATION, NULL, "Sending Xauth request\n");
145
146 tlen = sizeof(*attr) +
147 + sizeof(*typeattr) +
148 + sizeof(*usrattr) +
149 + sizeof(*pwdattr);
150
151 if ((buffer = vmalloc(tlen)) == NULL) {
152 plog(LLV_ERROR, LOCATION, NULL, "Cannot allocate buffer\n");
153 return;
154 }
155
156 attr = (struct isakmp_pl_attr *)buffer->v;
157 memset(attr, 0, tlen);
158
159 attr->h.len = htons(tlen);
160 attr->type = ISAKMP_CFG_REQUEST;
161 attr->id = htons(eay_random());
162
163 typeattr = (struct isakmp_data *)(attr + 1);
164 typeattr->type = htons(XAUTH_TYPE | ISAKMP_GEN_TV);
165 typeattr->lorv = htons(XAUTH_TYPE_GENERIC);
166
167 usrattr = (struct isakmp_data *)(typeattr + 1);
168 usrattr->type = htons(XAUTH_USER_NAME | ISAKMP_GEN_TLV);
169 usrattr->lorv = htons(0);
170
171 pwdattr = (struct isakmp_data *)(usrattr + 1);
172 pwdattr->type = htons(XAUTH_USER_PASSWORD | ISAKMP_GEN_TLV);
173 pwdattr->lorv = htons(0);
174
175 isakmp_cfg_send(iph1, buffer,
176 ISAKMP_NPTYPE_ATTR, ISAKMP_FLAG_E, 1);
177
178 vfree(buffer);
179
180 xst->status = XAUTHST_REQSENT;
181
182 return;
183 }
184
185 int
xauth_attr_reply(iph1,attr,id)186 xauth_attr_reply(iph1, attr, id)
187 struct ph1handle *iph1;
188 struct isakmp_data *attr;
189 int id;
190 {
191 char **outlet = NULL;
192 size_t alen = 0;
193 int type;
194 struct xauth_state *xst = &iph1->mode_cfg->xauth;
195
196 if ((iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_XAUTH) == 0) {
197 plog(LLV_ERROR, LOCATION, NULL,
198 "Xauth reply but peer did not declare "
199 "itself as Xauth capable\n");
200 return -1;
201 }
202
203 if (xst->status != XAUTHST_REQSENT) {
204 plog(LLV_ERROR, LOCATION, NULL,
205 "Xauth reply while Xauth state is %d\n", xst->status);
206 return -1;
207 }
208
209 type = ntohs(attr->type) & ~ISAKMP_GEN_MASK;
210 switch (type) {
211 case XAUTH_TYPE:
212 switch (ntohs(attr->lorv)) {
213 case XAUTH_TYPE_GENERIC:
214 xst->authtype = XAUTH_TYPE_GENERIC;
215 break;
216 default:
217 plog(LLV_WARNING, LOCATION, NULL,
218 "Unexpected authentication type %d\n",
219 ntohs(type));
220 return -1;
221 }
222 break;
223
224 case XAUTH_USER_NAME:
225 outlet = &xst->authdata.generic.usr;
226 break;
227
228 case XAUTH_USER_PASSWORD:
229 outlet = &xst->authdata.generic.pwd;
230 break;
231
232 default:
233 plog(LLV_WARNING, LOCATION, NULL,
234 "ignored Xauth attribute %d\n", type);
235 break;
236 }
237
238 if (outlet != NULL) {
239 alen = ntohs(attr->lorv);
240
241 if ((*outlet = racoon_malloc(alen + 1)) == NULL) {
242 plog(LLV_ERROR, LOCATION, NULL,
243 "Cannot allocate memory for Xauth Data\n");
244 return -1;
245 }
246
247 memcpy(*outlet, attr + 1, alen);
248 (*outlet)[alen] = '\0';
249 outlet = NULL;
250 }
251
252
253 if ((xst->authdata.generic.usr != NULL) &&
254 (xst->authdata.generic.pwd != NULL)) {
255 int port;
256 int res;
257 char *usr = xst->authdata.generic.usr;
258 char *pwd = xst->authdata.generic.pwd;
259 time_t throttle_delay = 0;
260
261 #if 0 /* Real debug, don't do that at home */
262 plog(LLV_DEBUG, LOCATION, NULL,
263 "Got username \"%s\", password \"%s\"\n", usr, pwd);
264 #endif
265 strncpy(iph1->mode_cfg->login, usr, LOGINLEN);
266 iph1->mode_cfg->login[LOGINLEN] = '\0';
267
268 res = -1;
269 if ((port = isakmp_cfg_getport(iph1)) == -1) {
270 plog(LLV_ERROR, LOCATION, NULL,
271 "Port pool depleted\n");
272 goto skip_auth;
273 }
274
275 switch (isakmp_cfg_config.authsource) {
276 case ISAKMP_CFG_AUTH_SYSTEM:
277 res = privsep_xauth_login_system(usr, pwd);
278 break;
279 #ifdef HAVE_LIBRADIUS
280 case ISAKMP_CFG_AUTH_RADIUS:
281 res = xauth_login_radius(iph1, usr, pwd);
282 break;
283 #endif
284 #ifdef HAVE_LIBPAM
285 case ISAKMP_CFG_AUTH_PAM:
286 res = privsep_xauth_login_pam(iph1->mode_cfg->port,
287 iph1->remote, usr, pwd);
288 break;
289 #endif
290 #ifdef HAVE_LIBLDAP
291 case ISAKMP_CFG_AUTH_LDAP:
292 res = xauth_login_ldap(iph1, usr, pwd);
293 break;
294 #endif
295 default:
296 plog(LLV_ERROR, LOCATION, NULL,
297 "Unexpected authentication source\n");
298 res = -1;
299 break;
300 }
301
302 /*
303 * Optional group authentication
304 */
305 if (!res && (isakmp_cfg_config.groupcount))
306 res = group_check(iph1,
307 isakmp_cfg_config.grouplist,
308 isakmp_cfg_config.groupcount);
309
310 /*
311 * On failure, throttle the connexion for the remote host
312 * in order to make password attacks more difficult.
313 */
314 throttle_delay = throttle_host(iph1->remote, res) - time(NULL);
315 if (throttle_delay > 0) {
316 char *str;
317
318 str = saddrwop2str(iph1->remote);
319
320 plog(LLV_ERROR, LOCATION, NULL,
321 "Throttling in action for %s: delay %lds\n",
322 str, (unsigned long)throttle_delay);
323 res = -1;
324 } else {
325 throttle_delay = 0;
326 }
327
328 skip_auth:
329 if (throttle_delay != 0) {
330 struct xauth_reply_arg *xra;
331
332 if ((xra = racoon_malloc(sizeof(*xra))) == NULL) {
333 plog(LLV_ERROR, LOCATION, NULL,
334 "malloc failed, bypass throttling\n");
335 return xauth_reply(iph1, port, id, res);
336 }
337
338 /*
339 * We need to store the ph1, but it might have
340 * disapeared when xauth_reply is called, so
341 * store the index instead.
342 */
343 xra->index = iph1->index;
344 xra->port = port;
345 xra->id = id;
346 xra->res = res;
347 sched_new(throttle_delay, xauth_reply_stub, xra);
348 } else {
349 return xauth_reply(iph1, port, id, res);
350 }
351 }
352
353 return 0;
354 }
355
356 void
xauth_reply_stub(args)357 xauth_reply_stub(args)
358 void *args;
359 {
360 struct xauth_reply_arg *xra = (struct xauth_reply_arg *)args;
361 struct ph1handle *iph1;
362
363 if ((iph1 = getph1byindex(&xra->index)) != NULL)
364 (void)xauth_reply(iph1, xra->port, xra->id, xra->res);
365 else
366 plog(LLV_ERROR, LOCATION, NULL,
367 "Delayed Xauth reply: phase 1 no longer exists.\n");
368
369 racoon_free(xra);
370 return;
371 }
372
373 int
xauth_reply(iph1,port,id,res)374 xauth_reply(iph1, port, id, res)
375 struct ph1handle *iph1;
376 int port;
377 int id;
378 #if defined(ANDROID_CHANGES)
379 int res;
380 #endif
381 {
382 struct xauth_state *xst = &iph1->mode_cfg->xauth;
383 char *usr = xst->authdata.generic.usr;
384
385 if (res != 0) {
386 if (port != -1)
387 isakmp_cfg_putport(iph1, port);
388
389 plog(LLV_INFO, LOCATION, NULL,
390 "login failed for user \"%s\"\n", usr);
391
392 xauth_sendstatus(iph1, XAUTH_STATUS_FAIL, id);
393 xst->status = XAUTHST_NOTYET;
394
395 /* Delete Phase 1 SA */
396 if (iph1->status == PHASE1ST_ESTABLISHED)
397 isakmp_info_send_d1(iph1);
398 remph1(iph1);
399 delph1(iph1);
400
401 return -1;
402 }
403
404 xst->status = XAUTHST_OK;
405 plog(LLV_INFO, LOCATION, NULL,
406 "login succeeded for user \"%s\"\n", usr);
407
408 xauth_sendstatus(iph1, XAUTH_STATUS_OK, id);
409
410 return 0;
411 }
412
413 void
xauth_sendstatus(iph1,status,id)414 xauth_sendstatus(iph1, status, id)
415 struct ph1handle *iph1;
416 int status;
417 int id;
418 {
419 vchar_t *buffer;
420 struct isakmp_pl_attr *attr;
421 struct isakmp_data *stattr;
422 size_t tlen;
423
424 tlen = sizeof(*attr) +
425 + sizeof(*stattr);
426
427 if ((buffer = vmalloc(tlen)) == NULL) {
428 plog(LLV_ERROR, LOCATION, NULL, "Cannot allocate buffer\n");
429 return;
430 }
431
432 attr = (struct isakmp_pl_attr *)buffer->v;
433 memset(attr, 0, tlen);
434
435 attr->h.len = htons(tlen);
436 attr->type = ISAKMP_CFG_SET;
437 attr->id = htons(id);
438
439 stattr = (struct isakmp_data *)(attr + 1);
440 stattr->type = htons(XAUTH_STATUS | ISAKMP_GEN_TV);
441 stattr->lorv = htons(status);
442
443 isakmp_cfg_send(iph1, buffer,
444 ISAKMP_NPTYPE_ATTR, ISAKMP_FLAG_E, 1);
445
446 vfree(buffer);
447
448 return;
449 }
450
451 #ifdef HAVE_LIBRADIUS
452 int
xauth_radius_init(void)453 xauth_radius_init(void)
454 {
455 /* For first time use, initialize Radius */
456 if ((isakmp_cfg_config.authsource == ISAKMP_CFG_AUTH_RADIUS) &&
457 (radius_auth_state == NULL)) {
458 if ((radius_auth_state = rad_auth_open()) == NULL) {
459 plog(LLV_ERROR, LOCATION, NULL,
460 "Cannot init libradius\n");
461 return -1;
462 }
463
464 if (rad_config(radius_auth_state, NULL) != 0) {
465 plog(LLV_ERROR, LOCATION, NULL,
466 "Cannot open librarius config file: %s\n",
467 rad_strerror(radius_auth_state));
468 rad_close(radius_auth_state);
469 radius_auth_state = NULL;
470 return -1;
471 }
472 }
473
474 if ((isakmp_cfg_config.accounting == ISAKMP_CFG_ACCT_RADIUS) &&
475 (radius_acct_state == NULL)) {
476 if ((radius_acct_state = rad_acct_open()) == NULL) {
477 plog(LLV_ERROR, LOCATION, NULL,
478 "Cannot init libradius\n");
479 return -1;
480 }
481
482 if (rad_config(radius_acct_state, NULL) != 0) {
483 plog(LLV_ERROR, LOCATION, NULL,
484 "Cannot open librarius config file: %s\n",
485 rad_strerror(radius_acct_state));
486 rad_close(radius_acct_state);
487 radius_acct_state = NULL;
488 return -1;
489 }
490 }
491
492 return 0;
493 }
494
495 int
xauth_login_radius(iph1,usr,pwd)496 xauth_login_radius(iph1, usr, pwd)
497 struct ph1handle *iph1;
498 char *usr;
499 char *pwd;
500 {
501 int res;
502 const void *data;
503 size_t len;
504 int type;
505
506 if (rad_create_request(radius_auth_state, RAD_ACCESS_REQUEST) != 0) {
507 plog(LLV_ERROR, LOCATION, NULL,
508 "rad_create_request failed: %s\n",
509 rad_strerror(radius_auth_state));
510 return -1;
511 }
512
513 if (rad_put_string(radius_auth_state, RAD_USER_NAME, usr) != 0) {
514 plog(LLV_ERROR, LOCATION, NULL,
515 "rad_put_string failed: %s\n",
516 rad_strerror(radius_auth_state));
517 return -1;
518 }
519
520 if (rad_put_string(radius_auth_state, RAD_USER_PASSWORD, pwd) != 0) {
521 plog(LLV_ERROR, LOCATION, NULL,
522 "rad_put_string failed: %s\n",
523 rad_strerror(radius_auth_state));
524 return -1;
525 }
526
527 if (isakmp_cfg_radius_common(radius_auth_state, iph1->mode_cfg->port) != 0)
528 return -1;
529
530 switch (res = rad_send_request(radius_auth_state)) {
531 case RAD_ACCESS_ACCEPT:
532 while ((type = rad_get_attr(radius_auth_state, &data, &len)) != 0) {
533 switch (type) {
534 case RAD_FRAMED_IP_ADDRESS:
535 iph1->mode_cfg->addr4 = rad_cvt_addr(data);
536 iph1->mode_cfg->flags
537 |= ISAKMP_CFG_ADDR4_EXTERN;
538 break;
539
540 case RAD_FRAMED_IP_NETMASK:
541 iph1->mode_cfg->mask4 = rad_cvt_addr(data);
542 iph1->mode_cfg->flags
543 |= ISAKMP_CFG_MASK4_EXTERN;
544 break;
545
546 default:
547 plog(LLV_INFO, LOCATION, NULL,
548 "Unexpected attribute: %d\n", type);
549 break;
550 }
551 }
552
553 return 0;
554 break;
555
556 case RAD_ACCESS_REJECT:
557 return -1;
558 break;
559
560 case -1:
561 plog(LLV_ERROR, LOCATION, NULL,
562 "rad_send_request failed: %s\n",
563 rad_strerror(radius_auth_state));
564 return -1;
565 break;
566 default:
567 plog(LLV_ERROR, LOCATION, NULL,
568 "rad_send_request returned %d\n", res);
569 return -1;
570 break;
571 }
572
573 return -1;
574 }
575 #endif
576
577 #ifdef HAVE_LIBPAM
578 static int
PAM_conv(msg_count,msg,rsp,dontcare)579 PAM_conv(msg_count, msg, rsp, dontcare)
580 int msg_count;
581 const struct pam_message **msg;
582 struct pam_response **rsp;
583 void *dontcare;
584 {
585 int i;
586 int replies = 0;
587 struct pam_response *reply = NULL;
588
589 if ((reply = racoon_malloc(sizeof(*reply) * msg_count)) == NULL)
590 return PAM_CONV_ERR;
591 bzero(reply, sizeof(*reply) * msg_count);
592
593 for (i = 0; i < msg_count; i++) {
594 switch (msg[i]->msg_style) {
595 case PAM_PROMPT_ECHO_ON:
596 /* Send the username, libpam frees resp */
597 reply[i].resp_retcode = PAM_SUCCESS;
598 if ((reply[i].resp = strdup(PAM_usr)) == NULL) {
599 plog(LLV_ERROR, LOCATION,
600 NULL, "strdup failed\n");
601 exit(1);
602 }
603 break;
604
605 case PAM_PROMPT_ECHO_OFF:
606 /* Send the password, libpam frees resp */
607 reply[i].resp_retcode = PAM_SUCCESS;
608 if ((reply[i].resp = strdup(PAM_pwd)) == NULL) {
609 plog(LLV_ERROR, LOCATION,
610 NULL, "strdup failed\n");
611 exit(1);
612 }
613 break;
614
615 case PAM_TEXT_INFO:
616 case PAM_ERROR_MSG:
617 reply[i].resp_retcode = PAM_SUCCESS;
618 reply[i].resp = NULL;
619 break;
620
621 default:
622 if (reply != NULL)
623 racoon_free(reply);
624 return PAM_CONV_ERR;
625 break;
626 }
627 }
628
629 if (reply != NULL)
630 *rsp = reply;
631
632 return PAM_SUCCESS;
633 }
634
635 int
xauth_login_pam(port,raddr,usr,pwd)636 xauth_login_pam(port, raddr, usr, pwd)
637 int port;
638 struct sockaddr *raddr;
639 char *usr;
640 char *pwd;
641 {
642 int error;
643 int res;
644 const void *data;
645 size_t len;
646 int type;
647 char *remote = NULL;
648 pam_handle_t *pam = NULL;
649
650 if (isakmp_cfg_config.port_pool == NULL) {
651 plog(LLV_ERROR, LOCATION, NULL,
652 "isakmp_cfg_config.port_pool == NULL\n");
653 return -1;
654 }
655
656 if ((error = pam_start("racoon", usr,
657 &PAM_chat, &isakmp_cfg_config.port_pool[port].pam)) != 0) {
658 if (isakmp_cfg_config.port_pool[port].pam == NULL) {
659 plog(LLV_ERROR, LOCATION, NULL, "pam_start failed\n");
660 return -1;
661 } else {
662 plog(LLV_ERROR, LOCATION, NULL,
663 "pam_start failed: %s\n",
664 pam_strerror(isakmp_cfg_config.port_pool[port].pam,
665 error));
666 goto out;
667 }
668 }
669 pam = isakmp_cfg_config.port_pool[port].pam;
670
671 if ((remote = strdup(saddrwop2str(raddr))) == NULL) {
672 plog(LLV_ERROR, LOCATION, NULL,
673 "cannot allocate memory: %s\n", strerror(errno));
674 goto out;
675 }
676
677 if ((error = pam_set_item(pam, PAM_RHOST, remote)) != 0) {
678 plog(LLV_ERROR, LOCATION, NULL,
679 "pam_set_item failed: %s\n",
680 pam_strerror(pam, error));
681 goto out;
682 }
683
684 PAM_usr = usr;
685 PAM_pwd = pwd;
686 error = pam_authenticate(pam, 0);
687 PAM_usr = NULL;
688 PAM_pwd = NULL;
689 if (error != 0) {
690 plog(LLV_ERROR, LOCATION, NULL,
691 "pam_authenticate failed: %s\n",
692 pam_strerror(pam, error));
693 goto out;
694 }
695
696 if ((error = pam_acct_mgmt(pam, 0)) != 0) {
697 plog(LLV_ERROR, LOCATION, NULL,
698 "pam_acct_mgmt failed: %s\n",
699 pam_strerror(pam, error));
700 goto out;
701 }
702
703 if ((error = pam_setcred(pam, 0)) != 0) {
704 plog(LLV_ERROR, LOCATION, NULL,
705 "pam_setcred failed: %s\n",
706 pam_strerror(pam, error));
707 goto out;
708 }
709
710 if (remote != NULL)
711 free(remote);
712
713 return 0;
714
715 out:
716 pam_end(pam, error);
717 isakmp_cfg_config.port_pool[port].pam = NULL;
718 if (remote != NULL)
719 free(remote);
720 return -1;
721 }
722 #endif
723
724 #ifdef HAVE_LIBLDAP
725 int
xauth_ldap_init(void)726 xauth_ldap_init(void)
727 {
728 int tmplen;
729 int error = -1;
730
731 xauth_ldap_config.pver = 3;
732 xauth_ldap_config.host = NULL;
733 xauth_ldap_config.port = LDAP_PORT;
734 xauth_ldap_config.base = NULL;
735 xauth_ldap_config.subtree = 0;
736 xauth_ldap_config.bind_dn = NULL;
737 xauth_ldap_config.bind_pw = NULL;
738 xauth_ldap_config.auth_type = LDAP_AUTH_SIMPLE;
739 xauth_ldap_config.attr_user = NULL;
740 xauth_ldap_config.attr_addr = NULL;
741 xauth_ldap_config.attr_mask = NULL;
742 xauth_ldap_config.attr_group = NULL;
743 xauth_ldap_config.attr_member = NULL;
744
745 /* set default host */
746 tmplen = strlen(LDAP_DFLT_HOST);
747 xauth_ldap_config.host = vmalloc(tmplen);
748 if (xauth_ldap_config.host == NULL)
749 goto out;
750 memcpy(xauth_ldap_config.host->v, LDAP_DFLT_HOST, tmplen);
751
752 /* set default user naming attribute */
753 tmplen = strlen(LDAP_DFLT_USER);
754 xauth_ldap_config.attr_user = vmalloc(tmplen);
755 if (xauth_ldap_config.attr_user == NULL)
756 goto out;
757 memcpy(xauth_ldap_config.attr_user->v, LDAP_DFLT_USER, tmplen);
758
759 /* set default address attribute */
760 tmplen = strlen(LDAP_DFLT_ADDR);
761 xauth_ldap_config.attr_addr = vmalloc(tmplen);
762 if (xauth_ldap_config.attr_addr == NULL)
763 goto out;
764 memcpy(xauth_ldap_config.attr_addr->v, LDAP_DFLT_ADDR, tmplen);
765
766 /* set default netmask attribute */
767 tmplen = strlen(LDAP_DFLT_MASK);
768 xauth_ldap_config.attr_mask = vmalloc(tmplen);
769 if (xauth_ldap_config.attr_mask == NULL)
770 goto out;
771 memcpy(xauth_ldap_config.attr_mask->v, LDAP_DFLT_MASK, tmplen);
772
773 /* set default group naming attribute */
774 tmplen = strlen(LDAP_DFLT_GROUP);
775 xauth_ldap_config.attr_group = vmalloc(tmplen);
776 if (xauth_ldap_config.attr_group == NULL)
777 goto out;
778 memcpy(xauth_ldap_config.attr_group->v, LDAP_DFLT_GROUP, tmplen);
779
780 /* set default member attribute */
781 tmplen = strlen(LDAP_DFLT_MEMBER);
782 xauth_ldap_config.attr_member = vmalloc(tmplen);
783 if (xauth_ldap_config.attr_member == NULL)
784 goto out;
785 memcpy(xauth_ldap_config.attr_member->v, LDAP_DFLT_MEMBER, tmplen);
786
787 error = 0;
788 out:
789 if (error != 0)
790 plog(LLV_ERROR, LOCATION, NULL, "cannot allocate memory\n");
791
792 return error;
793 }
794
795 int
xauth_login_ldap(iph1,usr,pwd)796 xauth_login_ldap(iph1, usr, pwd)
797 struct ph1handle *iph1;
798 char *usr;
799 char *pwd;
800 {
801 int rtn = -1;
802 int res = -1;
803 LDAP *ld = NULL;
804 LDAPMessage *lr = NULL;
805 LDAPMessage *le = NULL;
806 struct berval cred;
807 struct berval **bv = NULL;
808 struct timeval timeout;
809 char *init = NULL;
810 char *filter = NULL;
811 char *atlist[3];
812 char *basedn = NULL;
813 char *userdn = NULL;
814 int tmplen = 0;
815 int ecount = 0;
816 int scope = LDAP_SCOPE_ONE;
817
818 atlist[0] = NULL;
819 atlist[1] = NULL;
820 atlist[2] = NULL;
821
822 /* build our initialization url */
823 tmplen = strlen("ldap://:") + 17;
824 tmplen += strlen(xauth_ldap_config.host->v);
825 init = racoon_malloc(tmplen);
826 if (init == NULL) {
827 plog(LLV_ERROR, LOCATION, NULL,
828 "unable to alloc ldap init url\n");
829 goto ldap_end;
830 }
831 sprintf(init,"ldap://%s:%d",
832 xauth_ldap_config.host->v,
833 xauth_ldap_config.port );
834
835 /* initialize the ldap handle */
836 res = ldap_initialize(&ld, init);
837 if (res != LDAP_SUCCESS) {
838 plog(LLV_ERROR, LOCATION, NULL,
839 "ldap_initialize failed: %s\n",
840 ldap_err2string(res));
841 goto ldap_end;
842 }
843
844 /* initialize the protocol version */
845 ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION,
846 &xauth_ldap_config.pver);
847
848 /*
849 * attempt to bind to the ldap server.
850 * default to anonymous bind unless a
851 * user dn and password has been
852 * specified in our configuration
853 */
854 if ((xauth_ldap_config.bind_dn != NULL)&&
855 (xauth_ldap_config.bind_pw != NULL))
856 {
857 cred.bv_val = xauth_ldap_config.bind_pw->v;
858 cred.bv_len = strlen( cred.bv_val );
859 res = ldap_sasl_bind_s(ld,
860 xauth_ldap_config.bind_dn->v, NULL, &cred,
861 NULL, NULL, NULL);
862 }
863 else
864 {
865 res = ldap_sasl_bind_s(ld,
866 NULL, NULL, NULL,
867 NULL, NULL, NULL);
868 }
869
870 if (res!=LDAP_SUCCESS) {
871 plog(LLV_ERROR, LOCATION, NULL,
872 "ldap_sasl_bind_s (search) failed: %s\n",
873 ldap_err2string(res));
874 goto ldap_end;
875 }
876
877 /* build an ldap user search filter */
878 tmplen = strlen(xauth_ldap_config.attr_user->v);
879 tmplen += 1;
880 tmplen += strlen(usr);
881 tmplen += 1;
882 filter = racoon_malloc(tmplen);
883 if (filter == NULL) {
884 plog(LLV_ERROR, LOCATION, NULL,
885 "unable to alloc ldap search filter buffer\n");
886 goto ldap_end;
887 }
888 sprintf(filter, "%s=%s",
889 xauth_ldap_config.attr_user->v, usr);
890
891 /* build our return attribute list */
892 tmplen = strlen(xauth_ldap_config.attr_addr->v) + 1;
893 atlist[0] = racoon_malloc(tmplen);
894 tmplen = strlen(xauth_ldap_config.attr_mask->v) + 1;
895 atlist[1] = racoon_malloc(tmplen);
896 if ((atlist[0] == NULL)||(atlist[1] == NULL)) {
897 plog(LLV_ERROR, LOCATION, NULL,
898 "unable to alloc ldap attrib list buffer\n");
899 goto ldap_end;
900 }
901 strcpy(atlist[0],xauth_ldap_config.attr_addr->v);
902 strcpy(atlist[1],xauth_ldap_config.attr_mask->v);
903
904 /* attempt to locate the user dn */
905 if (xauth_ldap_config.base != NULL)
906 basedn = xauth_ldap_config.base->v;
907 if (xauth_ldap_config.subtree)
908 scope = LDAP_SCOPE_SUBTREE;
909 timeout.tv_sec = 15;
910 timeout.tv_usec = 0;
911 res = ldap_search_ext_s(ld, basedn, scope,
912 filter, atlist, 0, NULL, NULL,
913 &timeout, 2, &lr);
914 if (res != LDAP_SUCCESS) {
915 plog(LLV_ERROR, LOCATION, NULL,
916 "ldap_search_ext_s failed: %s\n",
917 ldap_err2string(res));
918 goto ldap_end;
919 }
920
921 /* check the number of ldap entries returned */
922 ecount = ldap_count_entries(ld, lr);
923 if (ecount < 1) {
924 plog(LLV_WARNING, LOCATION, NULL,
925 "no ldap results for filter \'%s\'\n",
926 filter);
927 goto ldap_end;
928 }
929 if (ecount > 1) {
930 plog(LLV_WARNING, LOCATION, NULL,
931 "multiple (%i) ldap results for filter \'%s\'\n",
932 ecount, filter);
933 }
934
935 /* obtain the dn from the first result */
936 le = ldap_first_entry(ld, lr);
937 if (le == NULL) {
938 plog(LLV_ERROR, LOCATION, NULL,
939 "ldap_first_entry failed: invalid entry returned\n");
940 goto ldap_end;
941 }
942 userdn = ldap_get_dn(ld, le);
943 if (userdn == NULL) {
944 plog(LLV_ERROR, LOCATION, NULL,
945 "ldap_get_dn failed: invalid string returned\n");
946 goto ldap_end;
947 }
948
949 /* cache the user dn in the xauth state */
950 iph1->mode_cfg->xauth.udn = racoon_malloc(strlen(userdn)+1);
951 strcpy(iph1->mode_cfg->xauth.udn,userdn);
952
953 /* retrieve modecfg address */
954 bv = ldap_get_values_len(ld, le, xauth_ldap_config.attr_addr->v);
955 if (bv != NULL) {
956 char tmpaddr[16];
957 /* sanity check for address value */
958 if ((bv[0]->bv_len < 7)||(bv[0]->bv_len > 15)) {
959 plog(LLV_DEBUG, LOCATION, NULL,
960 "ldap returned invalid modecfg address\n");
961 ldap_value_free_len(bv);
962 goto ldap_end;
963 }
964 memcpy(tmpaddr,bv[0]->bv_val,bv[0]->bv_len);
965 tmpaddr[bv[0]->bv_len]=0;
966 iph1->mode_cfg->addr4.s_addr = inet_addr(tmpaddr);
967 iph1->mode_cfg->flags |= ISAKMP_CFG_ADDR4_EXTERN;
968 plog(LLV_INFO, LOCATION, NULL,
969 "ldap returned modecfg address %s\n", tmpaddr);
970 ldap_value_free_len(bv);
971 }
972
973 /* retrieve modecfg netmask */
974 bv = ldap_get_values_len(ld, le, xauth_ldap_config.attr_mask->v);
975 if (bv != NULL) {
976 char tmpmask[16];
977 /* sanity check for netmask value */
978 if ((bv[0]->bv_len < 7)||(bv[0]->bv_len > 15)) {
979 plog(LLV_DEBUG, LOCATION, NULL,
980 "ldap returned invalid modecfg netmask\n");
981 ldap_value_free_len(bv);
982 goto ldap_end;
983 }
984 memcpy(tmpmask,bv[0]->bv_val,bv[0]->bv_len);
985 tmpmask[bv[0]->bv_len]=0;
986 iph1->mode_cfg->mask4.s_addr = inet_addr(tmpmask);
987 iph1->mode_cfg->flags |= ISAKMP_CFG_MASK4_EXTERN;
988 plog(LLV_INFO, LOCATION, NULL,
989 "ldap returned modecfg netmask %s\n", tmpmask);
990 ldap_value_free_len(bv);
991 }
992
993 /*
994 * finally, use the dn and the xauth
995 * password to check the users given
996 * credentials by attempting to bind
997 * to the ldap server
998 */
999 plog(LLV_INFO, LOCATION, NULL,
1000 "attempting ldap bind for dn \'%s\'\n", userdn);
1001 cred.bv_val = pwd;
1002 cred.bv_len = strlen( cred.bv_val );
1003 res = ldap_sasl_bind_s(ld,
1004 userdn, NULL, &cred,
1005 NULL, NULL, NULL);
1006 if(res==LDAP_SUCCESS)
1007 rtn = 0;
1008
1009 ldap_end:
1010
1011 /* free ldap resources */
1012 if (userdn != NULL)
1013 ldap_memfree(userdn);
1014 if (atlist[0] != NULL)
1015 racoon_free(atlist[0]);
1016 if (atlist[1] != NULL)
1017 racoon_free(atlist[1]);
1018 if (filter != NULL)
1019 racoon_free(filter);
1020 if (lr != NULL)
1021 ldap_msgfree(lr);
1022 if (init != NULL)
1023 racoon_free(init);
1024
1025 ldap_unbind_ext_s(ld, NULL, NULL);
1026
1027 return rtn;
1028 }
1029
1030 int
xauth_group_ldap(udn,grp)1031 xauth_group_ldap(udn, grp)
1032 char * udn;
1033 char * grp;
1034 {
1035 int rtn = -1;
1036 int res = -1;
1037 LDAP *ld = NULL;
1038 LDAPMessage *lr = NULL;
1039 LDAPMessage *le = NULL;
1040 struct berval cred;
1041 struct timeval timeout;
1042 char *init = NULL;
1043 char *filter = NULL;
1044 char *basedn = NULL;
1045 char *groupdn = NULL;
1046 int tmplen = 0;
1047 int ecount = 0;
1048 int scope = LDAP_SCOPE_ONE;
1049
1050 /* build our initialization url */
1051 tmplen = strlen("ldap://:") + 17;
1052 tmplen += strlen(xauth_ldap_config.host->v);
1053 init = racoon_malloc(tmplen);
1054 if (init == NULL) {
1055 plog(LLV_ERROR, LOCATION, NULL,
1056 "unable to alloc ldap init url\n");
1057 goto ldap_group_end;
1058 }
1059 sprintf(init,"ldap://%s:%d",
1060 xauth_ldap_config.host->v,
1061 xauth_ldap_config.port );
1062
1063 /* initialize the ldap handle */
1064 res = ldap_initialize(&ld, init);
1065 if (res != LDAP_SUCCESS) {
1066 plog(LLV_ERROR, LOCATION, NULL,
1067 "ldap_initialize failed: %s\n",
1068 ldap_err2string(res));
1069 goto ldap_group_end;
1070 }
1071
1072 /* initialize the protocol version */
1073 ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION,
1074 &xauth_ldap_config.pver);
1075
1076 /*
1077 * attempt to bind to the ldap server.
1078 * default to anonymous bind unless a
1079 * user dn and password has been
1080 * specified in our configuration
1081 */
1082 if ((xauth_ldap_config.bind_dn != NULL)&&
1083 (xauth_ldap_config.bind_pw != NULL))
1084 {
1085 cred.bv_val = xauth_ldap_config.bind_pw->v;
1086 cred.bv_len = strlen( cred.bv_val );
1087 res = ldap_sasl_bind_s(ld,
1088 xauth_ldap_config.bind_dn->v, NULL, &cred,
1089 NULL, NULL, NULL);
1090 }
1091 else
1092 {
1093 res = ldap_sasl_bind_s(ld,
1094 NULL, NULL, NULL,
1095 NULL, NULL, NULL);
1096 }
1097
1098 if (res!=LDAP_SUCCESS) {
1099 plog(LLV_ERROR, LOCATION, NULL,
1100 "ldap_sasl_bind_s (search) failed: %s\n",
1101 ldap_err2string(res));
1102 goto ldap_group_end;
1103 }
1104
1105 /* build an ldap group search filter */
1106 tmplen = strlen("(&(=)(=))") + 1;
1107 tmplen += strlen(xauth_ldap_config.attr_group->v);
1108 tmplen += strlen(grp);
1109 tmplen += strlen(xauth_ldap_config.attr_member->v);
1110 tmplen += strlen(udn);
1111 filter = racoon_malloc(tmplen);
1112 if (filter == NULL) {
1113 plog(LLV_ERROR, LOCATION, NULL,
1114 "unable to alloc ldap search filter buffer\n");
1115 goto ldap_group_end;
1116 }
1117 sprintf(filter, "(&(%s=%s)(%s=%s))",
1118 xauth_ldap_config.attr_group->v, grp,
1119 xauth_ldap_config.attr_member->v, udn);
1120
1121 /* attempt to locate the group dn */
1122 if (xauth_ldap_config.base != NULL)
1123 basedn = xauth_ldap_config.base->v;
1124 if (xauth_ldap_config.subtree)
1125 scope = LDAP_SCOPE_SUBTREE;
1126 timeout.tv_sec = 15;
1127 timeout.tv_usec = 0;
1128 res = ldap_search_ext_s(ld, basedn, scope,
1129 filter, NULL, 0, NULL, NULL,
1130 &timeout, 2, &lr);
1131 if (res != LDAP_SUCCESS) {
1132 plog(LLV_ERROR, LOCATION, NULL,
1133 "ldap_search_ext_s failed: %s\n",
1134 ldap_err2string(res));
1135 goto ldap_group_end;
1136 }
1137
1138 /* check the number of ldap entries returned */
1139 ecount = ldap_count_entries(ld, lr);
1140 if (ecount < 1) {
1141 plog(LLV_WARNING, LOCATION, NULL,
1142 "no ldap results for filter \'%s\'\n",
1143 filter);
1144 goto ldap_group_end;
1145 }
1146
1147 /* success */
1148 rtn = 0;
1149
1150 /* obtain the dn from the first result */
1151 le = ldap_first_entry(ld, lr);
1152 if (le == NULL) {
1153 plog(LLV_ERROR, LOCATION, NULL,
1154 "ldap_first_entry failed: invalid entry returned\n");
1155 goto ldap_group_end;
1156 }
1157 groupdn = ldap_get_dn(ld, le);
1158 if (groupdn == NULL) {
1159 plog(LLV_ERROR, LOCATION, NULL,
1160 "ldap_get_dn failed: invalid string returned\n");
1161 goto ldap_group_end;
1162 }
1163
1164 plog(LLV_INFO, LOCATION, NULL,
1165 "ldap membership group returned \'%s\'\n", groupdn);
1166 ldap_group_end:
1167
1168 /* free ldap resources */
1169 if (groupdn != NULL)
1170 ldap_memfree(groupdn);
1171 if (filter != NULL)
1172 racoon_free(filter);
1173 if (lr != NULL)
1174 ldap_msgfree(lr);
1175 if (init != NULL)
1176 racoon_free(init);
1177
1178 ldap_unbind_ext_s(ld, NULL, NULL);
1179
1180 return rtn;
1181 }
1182
1183 #endif
1184
1185 #ifndef ANDROID_PATCHED
1186
1187 int
xauth_login_system(usr,pwd)1188 xauth_login_system(usr, pwd)
1189 char *usr;
1190 char *pwd;
1191 {
1192 struct passwd *pw;
1193 char *cryptpwd;
1194 char *syscryptpwd;
1195 #ifdef HAVE_SHADOW_H
1196 struct spwd *spw;
1197
1198 if ((spw = getspnam(usr)) == NULL)
1199 return -1;
1200
1201 syscryptpwd = spw->sp_pwdp;
1202 #endif
1203
1204 if ((pw = getpwnam(usr)) == NULL)
1205 return -1;
1206
1207 #ifndef HAVE_SHADOW_H
1208 syscryptpwd = pw->pw_passwd;
1209 #endif
1210
1211 /* No root login. Ever. */
1212 if (pw->pw_uid == 0)
1213 return -1;
1214
1215 if ((cryptpwd = crypt(pwd, syscryptpwd)) == NULL)
1216 return -1;
1217
1218 if (strcmp(cryptpwd, syscryptpwd) == 0)
1219 return 0;
1220
1221 return -1;
1222 }
1223
1224 #endif
1225
1226 int
xauth_group_system(usr,grp)1227 xauth_group_system(usr, grp)
1228 char * usr;
1229 char * grp;
1230 {
1231 struct group * gr;
1232 char * member;
1233 int index = 0;
1234
1235 gr = getgrnam(grp);
1236 if (gr == NULL) {
1237 plog(LLV_ERROR, LOCATION, NULL,
1238 "the system group name \'%s\' is unknown\n",
1239 grp);
1240 return -1;
1241 }
1242
1243 while ((member = gr->gr_mem[index++])!=NULL) {
1244 if (!strcmp(member,usr)) {
1245 plog(LLV_INFO, LOCATION, NULL,
1246 "membership validated\n");
1247 return 0;
1248 }
1249 }
1250
1251 return -1;
1252 }
1253
1254 int
xauth_check(iph1)1255 xauth_check(iph1)
1256 struct ph1handle *iph1;
1257 {
1258 struct xauth_state *xst = &iph1->mode_cfg->xauth;
1259
1260 /*
1261 * Only the server side (edge device) really check for Xauth
1262 * status. It does it if the chose authmethod is using Xauth.
1263 * On the client side (roadwarrior), we don't check anything.
1264 */
1265 switch (AUTHMETHOD(iph1)) {
1266 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_R:
1267 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_R:
1268 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_R:
1269 /* The following are not yet implemented */
1270 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_R:
1271 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_R:
1272 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_R:
1273 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_R:
1274 if ((iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_XAUTH) == 0) {
1275 plog(LLV_ERROR, LOCATION, NULL,
1276 "Hybrid auth negotiated but peer did not "
1277 "announced as Xauth capable\n");
1278 return -1;
1279 }
1280
1281 if (xst->status != XAUTHST_OK) {
1282 plog(LLV_ERROR, LOCATION, NULL,
1283 "Hybrid auth negotiated but peer did not "
1284 "succeed Xauth exchange\n");
1285 return -1;
1286 }
1287
1288 return 0;
1289 break;
1290 default:
1291 return 0;
1292 break;
1293 }
1294
1295 return 0;
1296 }
1297
1298 int
group_check(iph1,grp_list,grp_count)1299 group_check(iph1, grp_list, grp_count)
1300 struct ph1handle *iph1;
1301 char **grp_list;
1302 int grp_count;
1303 {
1304 int res = -1;
1305 int grp_index = 0;
1306 char * usr = NULL;
1307
1308 /* check for presence of modecfg data */
1309
1310 if(iph1->mode_cfg == NULL) {
1311 plog(LLV_ERROR, LOCATION, NULL,
1312 "xauth group specified but modecfg not found\n");
1313 return res;
1314 }
1315
1316 /* loop through our group list */
1317
1318 for(; grp_index < grp_count; grp_index++) {
1319
1320 /* check for presence of xauth data */
1321
1322 usr = iph1->mode_cfg->xauth.authdata.generic.usr;
1323
1324 if(usr == NULL) {
1325 plog(LLV_ERROR, LOCATION, NULL,
1326 "xauth group specified but xauth not found\n");
1327 return res;
1328 }
1329
1330 /* call appropriate group validation funtion */
1331
1332 switch (isakmp_cfg_config.groupsource) {
1333
1334 case ISAKMP_CFG_GROUP_SYSTEM:
1335 res = xauth_group_system(
1336 usr,
1337 grp_list[grp_index]);
1338 break;
1339
1340 #ifdef HAVE_LIBLDAP
1341 case ISAKMP_CFG_GROUP_LDAP:
1342 res = xauth_group_ldap(
1343 iph1->mode_cfg->xauth.udn,
1344 grp_list[grp_index]);
1345 break;
1346 #endif
1347
1348 default:
1349 /* we should never get here */
1350 plog(LLV_ERROR, LOCATION, NULL,
1351 "Unknown group auth source\n");
1352 break;
1353 }
1354
1355 if( !res ) {
1356 plog(LLV_INFO, LOCATION, NULL,
1357 "user \"%s\" is a member of group \"%s\"\n",
1358 usr,
1359 grp_list[grp_index]);
1360 break;
1361 } else {
1362 plog(LLV_INFO, LOCATION, NULL,
1363 "user \"%s\" is not a member of group \"%s\"\n",
1364 usr,
1365 grp_list[grp_index]);
1366 }
1367 }
1368
1369 return res;
1370 }
1371
1372 vchar_t *
isakmp_xauth_req(iph1,attr)1373 isakmp_xauth_req(iph1, attr)
1374 struct ph1handle *iph1;
1375 struct isakmp_data *attr;
1376 {
1377 int type;
1378 size_t dlen = 0;
1379 int ashort = 0;
1380 int value = 0;
1381 vchar_t *buffer = NULL;
1382 char *mraw = NULL, *mdata;
1383 char *data;
1384 vchar_t *usr = NULL;
1385 vchar_t *pwd = NULL;
1386 size_t skip = 0;
1387 int freepwd = 0;
1388
1389 if ((iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_XAUTH) == 0) {
1390 plog(LLV_ERROR, LOCATION, NULL,
1391 "Xauth mode config request but peer "
1392 "did not declare itself as Xauth capable\n");
1393 return NULL;
1394 }
1395
1396 type = ntohs(attr->type) & ~ISAKMP_GEN_MASK;
1397
1398 /* Sanity checks */
1399 switch(type) {
1400 case XAUTH_TYPE:
1401 if ((ntohs(attr->type) & ISAKMP_GEN_TV) == 0) {
1402 plog(LLV_ERROR, LOCATION, NULL,
1403 "Unexpected long XAUTH_TYPE attribute\n");
1404 return NULL;
1405 }
1406 if (ntohs(attr->lorv) != XAUTH_TYPE_GENERIC) {
1407 plog(LLV_ERROR, LOCATION, NULL,
1408 "Unsupported Xauth authentication %d\n",
1409 ntohs(attr->lorv));
1410 return NULL;
1411 }
1412 ashort = 1;
1413 dlen = 0;
1414 value = XAUTH_TYPE_GENERIC;
1415 break;
1416
1417 case XAUTH_USER_NAME:
1418 if (!iph1->rmconf->xauth || !iph1->rmconf->xauth->login) {
1419 plog(LLV_ERROR, LOCATION, NULL, "Xauth performed "
1420 "with no login supplied\n");
1421 return NULL;
1422 }
1423
1424 dlen = iph1->rmconf->xauth->login->l - 1;
1425 iph1->rmconf->xauth->state |= XAUTH_SENT_USERNAME;
1426 break;
1427
1428 #ifdef ANDROID_PATCHED
1429 case XAUTH_PASSCODE:
1430 #endif
1431 case XAUTH_USER_PASSWORD:
1432 if (!iph1->rmconf->xauth || !iph1->rmconf->xauth->login)
1433 return NULL;
1434
1435 skip = sizeof(struct ipsecdoi_id_b);
1436 usr = vmalloc(iph1->rmconf->xauth->login->l - 1 + skip);
1437 if (usr == NULL) {
1438 plog(LLV_ERROR, LOCATION, NULL,
1439 "Cannot allocate memory\n");
1440 return NULL;
1441 }
1442 memset(usr->v, 0, skip);
1443 memcpy(usr->v + skip,
1444 iph1->rmconf->xauth->login->v,
1445 iph1->rmconf->xauth->login->l - 1);
1446
1447 if (iph1->rmconf->xauth->pass) {
1448 /* A key given through racoonctl */
1449 pwd = iph1->rmconf->xauth->pass;
1450 } else {
1451 if ((pwd = getpskbyname(usr)) == NULL) {
1452 plog(LLV_ERROR, LOCATION, NULL,
1453 "No password was found for login %s\n",
1454 iph1->rmconf->xauth->login->v);
1455 vfree(usr);
1456 return NULL;
1457 }
1458 /* We have to free it before returning */
1459 freepwd = 1;
1460 }
1461 vfree(usr);
1462
1463 iph1->rmconf->xauth->state |= XAUTH_SENT_PASSWORD;
1464 dlen = pwd->l;
1465
1466 break;
1467 case XAUTH_MESSAGE:
1468 if ((ntohs(attr->type) & ISAKMP_GEN_TV) == 0) {
1469 dlen = ntohs(attr->lorv);
1470 if (dlen > 0) {
1471 mraw = (char*)(attr + 1);
1472 mdata = binsanitize(mraw, dlen);
1473 if (mdata == NULL) {
1474 plog(LLV_ERROR, LOCATION, iph1->remote,
1475 "Cannot allocate memory\n");
1476 return NULL;
1477 }
1478 plog(LLV_NOTIFY,LOCATION, iph1->remote,
1479 "XAUTH Message: '%s'.\n",
1480 mdata);
1481 racoon_free(mdata);
1482 }
1483 }
1484 return NULL;
1485 default:
1486 plog(LLV_WARNING, LOCATION, NULL,
1487 "Ignored attribute %s\n", s_isakmp_cfg_type(type));
1488 return NULL;
1489 break;
1490 }
1491
1492 if ((buffer = vmalloc(sizeof(*attr) + dlen)) == NULL) {
1493 plog(LLV_ERROR, LOCATION, NULL,
1494 "Cannot allocate memory\n");
1495 goto out;
1496 }
1497
1498 attr = (struct isakmp_data *)buffer->v;
1499 if (ashort) {
1500 attr->type = htons(type | ISAKMP_GEN_TV);
1501 attr->lorv = htons(value);
1502 goto out;
1503 }
1504
1505 attr->type = htons(type | ISAKMP_GEN_TLV);
1506 attr->lorv = htons(dlen);
1507 data = (char *)(attr + 1);
1508
1509 switch(type) {
1510 case XAUTH_USER_NAME:
1511 /*
1512 * iph1->rmconf->xauth->login->v is valid,
1513 * we just checked it in the previous switch case
1514 */
1515 memcpy(data, iph1->rmconf->xauth->login->v, dlen);
1516 break;
1517 #ifdef ANDROID_PATCHED
1518 case XAUTH_PASSCODE:
1519 #endif
1520 case XAUTH_USER_PASSWORD:
1521 memcpy(data, pwd->v, dlen);
1522 break;
1523 default:
1524 break;
1525 }
1526
1527 out:
1528 if (freepwd)
1529 vfree(pwd);
1530
1531 return buffer;
1532 }
1533
1534 vchar_t *
isakmp_xauth_set(iph1,attr)1535 isakmp_xauth_set(iph1, attr)
1536 struct ph1handle *iph1;
1537 struct isakmp_data *attr;
1538 {
1539 int type;
1540 vchar_t *buffer = NULL;
1541 char *data;
1542 struct xauth_state *xst;
1543 size_t dlen = 0;
1544 char* mraw = NULL, *mdata;
1545
1546 if ((iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_XAUTH) == 0) {
1547 plog(LLV_ERROR, LOCATION, NULL,
1548 "Xauth mode config set but peer "
1549 "did not declare itself as Xauth capable\n");
1550 return NULL;
1551 }
1552
1553 type = ntohs(attr->type) & ~ISAKMP_GEN_MASK;
1554
1555 switch(type) {
1556 case XAUTH_STATUS:
1557 /*
1558 * We should only receive ISAKMP mode_cfg SET XAUTH_STATUS
1559 * when running as a client (initiator).
1560 */
1561 xst = &iph1->mode_cfg->xauth;
1562 switch(AUTHMETHOD(iph1)) {
1563 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I:
1564 case FICTIVE_AUTH_METHOD_XAUTH_PSKEY_I:
1565 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_I:
1566 /* Not implemented ... */
1567 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_I:
1568 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_I:
1569 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_I:
1570 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_I:
1571 break;
1572 default:
1573 plog(LLV_ERROR, LOCATION, NULL,
1574 "Unexpected XAUTH_STATUS_OK\n");
1575 return NULL;
1576 break;
1577 }
1578
1579 /* If we got a failure, delete iph1 */
1580 if (ntohs(attr->lorv) != XAUTH_STATUS_OK) {
1581 plog(LLV_ERROR, LOCATION, NULL,
1582 "Xauth authentication failed\n");
1583
1584 EVT_PUSH(iph1->local, iph1->remote,
1585 EVTT_XAUTH_FAILED, NULL);
1586
1587 iph1->mode_cfg->flags |= ISAKMP_CFG_DELETE_PH1;
1588 } else {
1589 EVT_PUSH(iph1->local, iph1->remote,
1590 EVTT_XAUTH_SUCCESS, NULL);
1591 }
1592
1593
1594 /* We acknowledge it */
1595 break;
1596 case XAUTH_MESSAGE:
1597 if ((ntohs(attr->type) & ISAKMP_GEN_TV) == 0) {
1598 dlen = ntohs(attr->lorv);
1599 if (dlen > 0) {
1600 mraw = (char*)(attr + 1);
1601 mdata = binsanitize(mraw, dlen);
1602 if (mdata == NULL) {
1603 plog(LLV_ERROR, LOCATION, iph1->remote,
1604 "Cannot allocate memory\n");
1605 return NULL;
1606 }
1607 plog(LLV_NOTIFY,LOCATION, iph1->remote,
1608 "XAUTH Message: '%s'.\n",
1609 mdata);
1610 racoon_free(mdata);
1611 }
1612 }
1613
1614 default:
1615 plog(LLV_WARNING, LOCATION, NULL,
1616 "Ignored attribute %s\n", s_isakmp_cfg_type(type));
1617 return NULL;
1618 break;
1619 }
1620
1621 if ((buffer = vmalloc(sizeof(*attr))) == NULL) {
1622 plog(LLV_ERROR, LOCATION, NULL,
1623 "Cannot allocate memory\n");
1624 return NULL;
1625 }
1626
1627 attr = (struct isakmp_data *)buffer->v;
1628 attr->type = htons(type | ISAKMP_GEN_TV);
1629 attr->lorv = htons(0);
1630
1631 return buffer;
1632 }
1633
1634
1635 void
xauth_rmstate(xst)1636 xauth_rmstate(xst)
1637 struct xauth_state *xst;
1638 {
1639 switch (xst->authtype) {
1640 case XAUTH_TYPE_GENERIC:
1641 if (xst->authdata.generic.usr)
1642 racoon_free(xst->authdata.generic.usr);
1643
1644 if (xst->authdata.generic.pwd)
1645 racoon_free(xst->authdata.generic.pwd);
1646
1647 break;
1648
1649 case XAUTH_TYPE_CHAP:
1650 case XAUTH_TYPE_OTP:
1651 case XAUTH_TYPE_SKEY:
1652 plog(LLV_WARNING, LOCATION, NULL,
1653 "Unsupported authtype %d\n", xst->authtype);
1654 break;
1655
1656 default:
1657 plog(LLV_WARNING, LOCATION, NULL,
1658 "Unexpected authtype %d\n", xst->authtype);
1659 break;
1660 }
1661
1662 #ifdef HAVE_LIBLDAP
1663 if (xst->udn != NULL)
1664 racoon_free(xst->udn);
1665 #endif
1666 return;
1667 }
1668
1669 int
xauth_rmconf_used(xauth_rmconf)1670 xauth_rmconf_used(xauth_rmconf)
1671 struct xauth_rmconf **xauth_rmconf;
1672 {
1673 if (*xauth_rmconf == NULL) {
1674 *xauth_rmconf = racoon_malloc(sizeof(**xauth_rmconf));
1675 if (*xauth_rmconf == NULL) {
1676 plog(LLV_ERROR, LOCATION, NULL,
1677 "xauth_rmconf_used: malloc failed\n");
1678 return -1;
1679 }
1680
1681 (*xauth_rmconf)->login = NULL;
1682 (*xauth_rmconf)->pass = NULL;
1683 (*xauth_rmconf)->state = 0;
1684 }
1685
1686 return 0;
1687 }
1688
1689 void
xauth_rmconf_delete(xauth_rmconf)1690 xauth_rmconf_delete(xauth_rmconf)
1691 struct xauth_rmconf **xauth_rmconf;
1692 {
1693 if (*xauth_rmconf != NULL) {
1694 if ((*xauth_rmconf)->login != NULL)
1695 vfree((*xauth_rmconf)->login);
1696 if ((*xauth_rmconf)->pass != NULL)
1697 vfree((*xauth_rmconf)->pass);
1698
1699 racoon_free(*xauth_rmconf);
1700 *xauth_rmconf = NULL;
1701 }
1702
1703 return;
1704 }
1705