1 /* $NetBSD: isakmp_xauth.c,v 1.22 2011/03/14 15:50:36 vanhu Exp $ */
2
3 /* Id: isakmp_xauth.c,v 1.38 2006/08/22 18:17:17 manubsd Exp */
4
5 /*
6 * Copyright (C) 2004-2005 Emmanuel Dreyfus
7 * All rights reserved.
8 *
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
11 * are met:
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 * 2. Redistributions in binary form must reproduce the above copyright
15 * notice, this list of conditions and the following disclaimer in the
16 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the project nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * SUCH DAMAGE.
32 */
33
34 #include "config.h"
35
36 #include <sys/types.h>
37 #include <sys/param.h>
38 #include <sys/socket.h>
39 #include <sys/queue.h>
40
41 #include <netinet/in.h>
42
43 #include <assert.h>
44 #include <stdlib.h>
45 #include <stdio.h>
46 #include <string.h>
47 #include <errno.h>
48 #include <pwd.h>
49 #include <grp.h>
50 #if TIME_WITH_SYS_TIME
51 # include <sys/time.h>
52 # include <time.h>
53 #else
54 # if HAVE_SYS_TIME_H
55 # include <sys/time.h>
56 # else
57 # include <time.h>
58 # endif
59 #endif
60 #include <netdb.h>
61 #ifdef HAVE_UNISTD_H
62 #include <unistd.h>
63 #endif
64 #include <ctype.h>
65 #include <resolv.h>
66
67 #ifdef HAVE_SHADOW_H
68 #include <shadow.h>
69 #endif
70
71 #include "var.h"
72 #include "misc.h"
73 #include "vmbuf.h"
74 #include "plog.h"
75 #include "sockmisc.h"
76 #include "schedule.h"
77 #include "debug.h"
78
79 #include "crypto_openssl.h"
80 #include "isakmp_var.h"
81 #include "isakmp.h"
82 #include "admin.h"
83 #include "privsep.h"
84 #include "evt.h"
85 #include "handler.h"
86 #include "throttle.h"
87 #include "remoteconf.h"
88 #include "isakmp_inf.h"
89 #include "isakmp_xauth.h"
90 #include "isakmp_unity.h"
91 #include "isakmp_cfg.h"
92 #include "strnames.h"
93 #include "ipsec_doi.h"
94 #include "remoteconf.h"
95 #include "localconf.h"
96
97 #ifdef HAVE_LIBRADIUS
98 #include <radlib.h>
99 struct rad_handle *radius_auth_state = NULL;
100 struct rad_handle *radius_acct_state = NULL;
101 struct xauth_rad_config xauth_rad_config;
102 #endif
103
104 #ifdef HAVE_LIBPAM
105 #include <security/pam_appl.h>
106
107 static char *PAM_usr = NULL;
108 static char *PAM_pwd = NULL;
109 static int PAM_conv(int, const struct pam_message **,
110 struct pam_response **, void *);
111 static struct pam_conv PAM_chat = { &PAM_conv, NULL };
112 #endif
113
114 #ifdef HAVE_LIBLDAP
115 #include "ldap.h"
116 #include <arpa/inet.h>
117 struct xauth_ldap_config xauth_ldap_config;
118 #endif
119
120 void
xauth_sendreq(iph1)121 xauth_sendreq(iph1)
122 struct ph1handle *iph1;
123 {
124 vchar_t *buffer;
125 struct isakmp_pl_attr *attr;
126 struct isakmp_data *typeattr;
127 struct isakmp_data *usrattr;
128 struct isakmp_data *pwdattr;
129 struct xauth_state *xst = &iph1->mode_cfg->xauth;
130 size_t tlen;
131
132 /* Status checks */
133 if (iph1->status < PHASE1ST_ESTABLISHED) {
134 plog(LLV_ERROR, LOCATION, NULL,
135 "Xauth request while phase 1 is not completed\n");
136 return;
137 }
138
139 if (xst->status != XAUTHST_NOTYET) {
140 plog(LLV_ERROR, LOCATION, NULL,
141 "Xauth request whith Xauth state %d\n", xst->status);
142 return;
143 }
144
145 plog(LLV_INFO, LOCATION, NULL, "Sending Xauth request\n");
146
147 tlen = sizeof(*attr) +
148 + sizeof(*typeattr) +
149 + sizeof(*usrattr) +
150 + sizeof(*pwdattr);
151
152 if ((buffer = vmalloc(tlen)) == NULL) {
153 plog(LLV_ERROR, LOCATION, NULL, "Cannot allocate buffer\n");
154 return;
155 }
156
157 attr = (struct isakmp_pl_attr *)buffer->v;
158 memset(attr, 0, tlen);
159
160 attr->h.len = htons(tlen);
161 attr->type = ISAKMP_CFG_REQUEST;
162 attr->id = htons(eay_random());
163
164 typeattr = (struct isakmp_data *)(attr + 1);
165 typeattr->type = htons(XAUTH_TYPE | ISAKMP_GEN_TV);
166 typeattr->lorv = htons(XAUTH_TYPE_GENERIC);
167
168 usrattr = (struct isakmp_data *)(typeattr + 1);
169 usrattr->type = htons(XAUTH_USER_NAME | ISAKMP_GEN_TLV);
170 usrattr->lorv = htons(0);
171
172 pwdattr = (struct isakmp_data *)(usrattr + 1);
173 pwdattr->type = htons(XAUTH_USER_PASSWORD | ISAKMP_GEN_TLV);
174 pwdattr->lorv = htons(0);
175
176 isakmp_cfg_send(iph1, buffer,
177 ISAKMP_NPTYPE_ATTR, ISAKMP_FLAG_E, 1);
178
179 vfree(buffer);
180
181 xst->status = XAUTHST_REQSENT;
182
183 return;
184 }
185
186 int
xauth_attr_reply(iph1,attr,id)187 xauth_attr_reply(iph1, attr, id)
188 struct ph1handle *iph1;
189 struct isakmp_data *attr;
190 int id;
191 {
192 char **outlet = NULL;
193 size_t alen = 0;
194 int type;
195 struct xauth_state *xst = &iph1->mode_cfg->xauth;
196
197 if ((iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_XAUTH) == 0) {
198 plog(LLV_ERROR, LOCATION, NULL,
199 "Xauth reply but peer did not declare "
200 "itself as Xauth capable\n");
201 return -1;
202 }
203
204 if (xst->status != XAUTHST_REQSENT) {
205 plog(LLV_ERROR, LOCATION, NULL,
206 "Xauth reply while Xauth state is %d\n", xst->status);
207 return -1;
208 }
209
210 type = ntohs(attr->type) & ~ISAKMP_GEN_MASK;
211 switch (type) {
212 case XAUTH_TYPE:
213 switch (ntohs(attr->lorv)) {
214 case XAUTH_TYPE_GENERIC:
215 xst->authtype = XAUTH_TYPE_GENERIC;
216 break;
217 default:
218 plog(LLV_WARNING, LOCATION, NULL,
219 "Unexpected authentication type %d\n",
220 ntohs(type));
221 return -1;
222 }
223 break;
224
225 case XAUTH_USER_NAME:
226 outlet = &xst->authdata.generic.usr;
227 break;
228
229 case XAUTH_USER_PASSWORD:
230 outlet = &xst->authdata.generic.pwd;
231 break;
232
233 default:
234 plog(LLV_WARNING, LOCATION, NULL,
235 "ignored Xauth attribute %d\n", type);
236 break;
237 }
238
239 if (outlet != NULL) {
240 alen = ntohs(attr->lorv);
241
242 if ((*outlet = racoon_malloc(alen + 1)) == NULL) {
243 plog(LLV_ERROR, LOCATION, NULL,
244 "Cannot allocate memory for Xauth Data\n");
245 return -1;
246 }
247
248 memcpy(*outlet, attr + 1, alen);
249 (*outlet)[alen] = '\0';
250 outlet = NULL;
251 }
252
253
254 if ((xst->authdata.generic.usr != NULL) &&
255 (xst->authdata.generic.pwd != NULL)) {
256 int port;
257 int res;
258 char *usr = xst->authdata.generic.usr;
259 char *pwd = xst->authdata.generic.pwd;
260 time_t throttle_delay = 0;
261
262 #if 0 /* Real debug, don't do that at home */
263 plog(LLV_DEBUG, LOCATION, NULL,
264 "Got username \"%s\", password \"%s\"\n", usr, pwd);
265 #endif
266 strncpy(iph1->mode_cfg->login, usr, LOGINLEN);
267 iph1->mode_cfg->login[LOGINLEN] = '\0';
268
269 res = -1;
270 if ((port = isakmp_cfg_getport(iph1)) == -1) {
271 plog(LLV_ERROR, LOCATION, NULL,
272 "Port pool depleted\n");
273 goto skip_auth;
274 }
275
276 switch (isakmp_cfg_config.authsource) {
277 case ISAKMP_CFG_AUTH_SYSTEM:
278 res = privsep_xauth_login_system(usr, pwd);
279 break;
280 #ifdef HAVE_LIBRADIUS
281 case ISAKMP_CFG_AUTH_RADIUS:
282 res = xauth_login_radius(iph1, usr, pwd);
283 break;
284 #endif
285 #ifdef HAVE_LIBPAM
286 case ISAKMP_CFG_AUTH_PAM:
287 res = privsep_xauth_login_pam(iph1->mode_cfg->port,
288 iph1->remote, usr, pwd);
289 break;
290 #endif
291 #ifdef HAVE_LIBLDAP
292 case ISAKMP_CFG_AUTH_LDAP:
293 res = xauth_login_ldap(iph1, usr, pwd);
294 break;
295 #endif
296 default:
297 plog(LLV_ERROR, LOCATION, NULL,
298 "Unexpected authentication source\n");
299 res = -1;
300 break;
301 }
302
303 /*
304 * Optional group authentication
305 */
306 if (!res && (isakmp_cfg_config.groupcount))
307 res = group_check(iph1,
308 isakmp_cfg_config.grouplist,
309 isakmp_cfg_config.groupcount);
310
311 /*
312 * On failure, throttle the connexion for the remote host
313 * in order to make password attacks more difficult.
314 */
315 throttle_delay = throttle_host(iph1->remote, res);
316 if (throttle_delay > 0) {
317 char *str;
318
319 str = saddrwop2str(iph1->remote);
320
321 plog(LLV_ERROR, LOCATION, NULL,
322 "Throttling in action for %s: delay %lds\n",
323 str, (unsigned long)throttle_delay);
324 res = -1;
325 } else {
326 throttle_delay = 0;
327 }
328
329 skip_auth:
330 if (throttle_delay != 0) {
331 struct xauth_reply_arg *xra;
332
333 if ((xra = racoon_calloc(1, sizeof(*xra))) == NULL) {
334 plog(LLV_ERROR, LOCATION, NULL,
335 "malloc failed, bypass throttling\n");
336 return xauth_reply(iph1, port, id, res);
337 }
338
339 /*
340 * We need to store the ph1, but it might have
341 * disapeared when xauth_reply is called, so
342 * store the index instead.
343 */
344 xra->index = iph1->index;
345 xra->port = port;
346 xra->id = id;
347 xra->res = res;
348 sched_schedule(&xra->sc, throttle_delay,
349 xauth_reply_stub);
350 } else {
351 return xauth_reply(iph1, port, id, res);
352 }
353 }
354
355 return 0;
356 }
357
358 void
xauth_reply_stub(sc)359 xauth_reply_stub(sc)
360 struct sched *sc;
361 {
362 struct xauth_reply_arg *xra = container_of(sc, struct xauth_reply_arg, sc);
363 struct ph1handle *iph1;
364
365 if ((iph1 = getph1byindex(&xra->index)) != NULL)
366 (void)xauth_reply(iph1, xra->port, xra->id, xra->res);
367 else
368 plog(LLV_ERROR, LOCATION, NULL,
369 "Delayed Xauth reply: phase 1 no longer exists.\n");
370
371 racoon_free(xra);
372 }
373
374 int
xauth_reply(iph1,port,id,res)375 xauth_reply(iph1, port, id, res)
376 struct ph1handle *iph1;
377 int port;
378 int id;
379 {
380 struct xauth_state *xst = &iph1->mode_cfg->xauth;
381 char *usr = xst->authdata.generic.usr;
382
383 if (res != 0) {
384 if (port != -1)
385 isakmp_cfg_putport(iph1, port);
386
387 plog(LLV_INFO, LOCATION, NULL,
388 "login failed for user \"%s\"\n", usr);
389
390 xauth_sendstatus(iph1, XAUTH_STATUS_FAIL, id);
391 xst->status = XAUTHST_NOTYET;
392
393 /* Delete Phase 1 SA */
394 if (iph1->status >= PHASE1ST_ESTABLISHED)
395 isakmp_info_send_d1(iph1);
396 remph1(iph1);
397 delph1(iph1);
398
399 return -1;
400 }
401
402 xst->status = XAUTHST_OK;
403 plog(LLV_INFO, LOCATION, NULL,
404 "login succeeded for user \"%s\"\n", usr);
405
406 xauth_sendstatus(iph1, XAUTH_STATUS_OK, id);
407
408 return 0;
409 }
410
411 void
xauth_sendstatus(iph1,status,id)412 xauth_sendstatus(iph1, status, id)
413 struct ph1handle *iph1;
414 int status;
415 int id;
416 {
417 vchar_t *buffer;
418 struct isakmp_pl_attr *attr;
419 struct isakmp_data *stattr;
420 size_t tlen;
421
422 tlen = sizeof(*attr) +
423 + sizeof(*stattr);
424
425 if ((buffer = vmalloc(tlen)) == NULL) {
426 plog(LLV_ERROR, LOCATION, NULL, "Cannot allocate buffer\n");
427 return;
428 }
429
430 attr = (struct isakmp_pl_attr *)buffer->v;
431 memset(attr, 0, tlen);
432
433 attr->h.len = htons(tlen);
434 attr->type = ISAKMP_CFG_SET;
435 attr->id = htons(id);
436
437 stattr = (struct isakmp_data *)(attr + 1);
438 stattr->type = htons(XAUTH_STATUS | ISAKMP_GEN_TV);
439 stattr->lorv = htons(status);
440
441 isakmp_cfg_send(iph1, buffer,
442 ISAKMP_NPTYPE_ATTR, ISAKMP_FLAG_E, 1);
443
444 vfree(buffer);
445
446 return;
447 }
448
449 #ifdef HAVE_LIBRADIUS
450 int
xauth_radius_init_conf(int free)451 xauth_radius_init_conf(int free)
452 {
453 /* free radius config resources */
454 if (free) {
455 int i;
456 for (i = 0; i < xauth_rad_config.auth_server_count; i++) {
457 vfree(xauth_rad_config.auth_server_list[i].host);
458 vfree(xauth_rad_config.auth_server_list[i].secret);
459 }
460 for (i = 0; i < xauth_rad_config.acct_server_count; i++) {
461 vfree(xauth_rad_config.acct_server_list[i].host);
462 vfree(xauth_rad_config.acct_server_list[i].secret);
463 }
464 if (radius_auth_state != NULL)
465 rad_close(radius_auth_state);
466 if (radius_acct_state != NULL)
467 rad_close(radius_acct_state);
468 }
469
470 /* initialize radius config */
471 memset(&xauth_rad_config, 0, sizeof(xauth_rad_config));
472 return 0;
473 }
474
475 int
xauth_radius_init(void)476 xauth_radius_init(void)
477 {
478 /* For first time use, initialize Radius */
479 if ((isakmp_cfg_config.authsource == ISAKMP_CFG_AUTH_RADIUS) &&
480 (radius_auth_state == NULL)) {
481 if ((radius_auth_state = rad_auth_open()) == NULL) {
482 plog(LLV_ERROR, LOCATION, NULL,
483 "Cannot init libradius\n");
484 return -1;
485 }
486
487 int auth_count = xauth_rad_config.auth_server_count;
488 int auth_added = 0;
489 if (auth_count) {
490 int i;
491 for (i = 0; i < auth_count; i++) {
492 if(!rad_add_server(
493 radius_auth_state,
494 xauth_rad_config.auth_server_list[i].host->v,
495 xauth_rad_config.auth_server_list[i].port,
496 xauth_rad_config.auth_server_list[i].secret->v,
497 xauth_rad_config.timeout,
498 xauth_rad_config.retries ))
499 auth_added++;
500 else
501 plog(LLV_WARNING, LOCATION, NULL,
502 "could not add radius auth server %s\n",
503 xauth_rad_config.auth_server_list[i].host->v);
504 }
505 }
506
507 if (!auth_added) {
508 if (rad_config(radius_auth_state, NULL) != 0) {
509 plog(LLV_ERROR, LOCATION, NULL,
510 "Cannot open libradius config file: %s\n",
511 rad_strerror(radius_auth_state));
512 rad_close(radius_auth_state);
513 radius_auth_state = NULL;
514 return -1;
515 }
516 }
517 }
518
519 if ((isakmp_cfg_config.accounting == ISAKMP_CFG_ACCT_RADIUS) &&
520 (radius_acct_state == NULL)) {
521 if ((radius_acct_state = rad_acct_open()) == NULL) {
522 plog(LLV_ERROR, LOCATION, NULL,
523 "Cannot init libradius\n");
524 return -1;
525 }
526
527 int acct_count = xauth_rad_config.acct_server_count;
528 int acct_added = 0;
529 if (acct_count) {
530 int i;
531 for (i = 0; i < acct_count; i++) {
532 if(!rad_add_server(
533 radius_acct_state,
534 xauth_rad_config.acct_server_list[i].host->v,
535 xauth_rad_config.acct_server_list[i].port,
536 xauth_rad_config.acct_server_list[i].secret->v,
537 xauth_rad_config.timeout,
538 xauth_rad_config.retries ))
539 acct_added++;
540 else
541 plog(LLV_WARNING, LOCATION, NULL,
542 "could not add radius account server %s\n",
543 xauth_rad_config.acct_server_list[i].host->v);
544 }
545 }
546
547 if (!acct_added) {
548 if (rad_config(radius_acct_state, NULL) != 0) {
549 plog(LLV_ERROR, LOCATION, NULL,
550 "Cannot open libradius config file: %s\n",
551 rad_strerror(radius_acct_state));
552 rad_close(radius_acct_state);
553 radius_acct_state = NULL;
554 return -1;
555 }
556 }
557 }
558
559 return 0;
560 }
561
562 int
xauth_login_radius(iph1,usr,pwd)563 xauth_login_radius(iph1, usr, pwd)
564 struct ph1handle *iph1;
565 char *usr;
566 char *pwd;
567 {
568 int res;
569 const void *data;
570 size_t len;
571 int type;
572
573 if (rad_create_request(radius_auth_state, RAD_ACCESS_REQUEST) != 0) {
574 plog(LLV_ERROR, LOCATION, NULL,
575 "rad_create_request failed: %s\n",
576 rad_strerror(radius_auth_state));
577 return -1;
578 }
579
580 if (rad_put_string(radius_auth_state, RAD_USER_NAME, usr) != 0) {
581 plog(LLV_ERROR, LOCATION, NULL,
582 "rad_put_string failed: %s\n",
583 rad_strerror(radius_auth_state));
584 return -1;
585 }
586
587 if (rad_put_string(radius_auth_state, RAD_USER_PASSWORD, pwd) != 0) {
588 plog(LLV_ERROR, LOCATION, NULL,
589 "rad_put_string failed: %s\n",
590 rad_strerror(radius_auth_state));
591 return -1;
592 }
593
594 if (isakmp_cfg_radius_common(radius_auth_state, iph1->mode_cfg->port) != 0)
595 return -1;
596
597 switch (res = rad_send_request(radius_auth_state)) {
598 case RAD_ACCESS_ACCEPT:
599 while ((type = rad_get_attr(radius_auth_state, &data, &len)) != 0) {
600 switch (type) {
601 case RAD_FRAMED_IP_ADDRESS:
602 iph1->mode_cfg->addr4 = rad_cvt_addr(data);
603 iph1->mode_cfg->flags
604 |= ISAKMP_CFG_ADDR4_EXTERN;
605 break;
606
607 case RAD_FRAMED_IP_NETMASK:
608 iph1->mode_cfg->mask4 = rad_cvt_addr(data);
609 iph1->mode_cfg->flags
610 |= ISAKMP_CFG_MASK4_EXTERN;
611 break;
612
613 default:
614 plog(LLV_INFO, LOCATION, NULL,
615 "Unexpected attribute: %d\n", type);
616 break;
617 }
618 }
619
620 return 0;
621 break;
622
623 case RAD_ACCESS_REJECT:
624 return -1;
625 break;
626
627 case -1:
628 plog(LLV_ERROR, LOCATION, NULL,
629 "rad_send_request failed: %s\n",
630 rad_strerror(radius_auth_state));
631 return -1;
632 break;
633 default:
634 plog(LLV_ERROR, LOCATION, NULL,
635 "rad_send_request returned %d\n", res);
636 return -1;
637 break;
638 }
639
640 return -1;
641 }
642 #endif
643
644 #ifdef HAVE_LIBPAM
645 static int
PAM_conv(msg_count,msg,rsp,dontcare)646 PAM_conv(msg_count, msg, rsp, dontcare)
647 int msg_count;
648 const struct pam_message **msg;
649 struct pam_response **rsp;
650 void *dontcare;
651 {
652 int i;
653 int replies = 0;
654 struct pam_response *reply = NULL;
655
656 if ((reply = racoon_malloc(sizeof(*reply) * msg_count)) == NULL)
657 return PAM_CONV_ERR;
658 bzero(reply, sizeof(*reply) * msg_count);
659
660 for (i = 0; i < msg_count; i++) {
661 switch (msg[i]->msg_style) {
662 case PAM_PROMPT_ECHO_ON:
663 /* Send the username, libpam frees resp */
664 reply[i].resp_retcode = PAM_SUCCESS;
665 if ((reply[i].resp = strdup(PAM_usr)) == NULL) {
666 plog(LLV_ERROR, LOCATION,
667 NULL, "strdup failed\n");
668 exit(1);
669 }
670 break;
671
672 case PAM_PROMPT_ECHO_OFF:
673 /* Send the password, libpam frees resp */
674 reply[i].resp_retcode = PAM_SUCCESS;
675 if ((reply[i].resp = strdup(PAM_pwd)) == NULL) {
676 plog(LLV_ERROR, LOCATION,
677 NULL, "strdup failed\n");
678 exit(1);
679 }
680 break;
681
682 case PAM_TEXT_INFO:
683 case PAM_ERROR_MSG:
684 reply[i].resp_retcode = PAM_SUCCESS;
685 reply[i].resp = NULL;
686 break;
687
688 default:
689 if (reply != NULL)
690 racoon_free(reply);
691 return PAM_CONV_ERR;
692 break;
693 }
694 }
695
696 if (reply != NULL)
697 *rsp = reply;
698
699 return PAM_SUCCESS;
700 }
701
702 int
xauth_login_pam(port,raddr,usr,pwd)703 xauth_login_pam(port, raddr, usr, pwd)
704 int port;
705 struct sockaddr *raddr;
706 char *usr;
707 char *pwd;
708 {
709 int error;
710 int res;
711 const void *data;
712 size_t len;
713 int type;
714 char *remote = NULL;
715 pam_handle_t *pam = NULL;
716
717 if (isakmp_cfg_config.port_pool == NULL) {
718 plog(LLV_ERROR, LOCATION, NULL,
719 "isakmp_cfg_config.port_pool == NULL\n");
720 return -1;
721 }
722
723 if ((error = pam_start("racoon", usr,
724 &PAM_chat, &isakmp_cfg_config.port_pool[port].pam)) != 0) {
725 if (isakmp_cfg_config.port_pool[port].pam == NULL) {
726 plog(LLV_ERROR, LOCATION, NULL, "pam_start failed\n");
727 return -1;
728 } else {
729 plog(LLV_ERROR, LOCATION, NULL,
730 "pam_start failed: %s\n",
731 pam_strerror(isakmp_cfg_config.port_pool[port].pam,
732 error));
733 goto out;
734 }
735 }
736 pam = isakmp_cfg_config.port_pool[port].pam;
737
738 if ((remote = strdup(saddrwop2str(raddr))) == NULL) {
739 plog(LLV_ERROR, LOCATION, NULL,
740 "cannot allocate memory: %s\n", strerror(errno));
741 goto out;
742 }
743
744 if ((error = pam_set_item(pam, PAM_RHOST, remote)) != 0) {
745 plog(LLV_ERROR, LOCATION, NULL,
746 "pam_set_item failed: %s\n",
747 pam_strerror(pam, error));
748 goto out;
749 }
750
751 if ((error = pam_set_item(pam, PAM_RUSER, usr)) != 0) {
752 plog(LLV_ERROR, LOCATION, NULL,
753 "pam_set_item failed: %s\n",
754 pam_strerror(pam, error));
755 goto out;
756 }
757
758 PAM_usr = usr;
759 PAM_pwd = pwd;
760 error = pam_authenticate(pam, 0);
761 PAM_usr = NULL;
762 PAM_pwd = NULL;
763 if (error != 0) {
764 plog(LLV_ERROR, LOCATION, NULL,
765 "pam_authenticate failed: %s\n",
766 pam_strerror(pam, error));
767 goto out;
768 }
769
770 if ((error = pam_acct_mgmt(pam, 0)) != 0) {
771 plog(LLV_ERROR, LOCATION, NULL,
772 "pam_acct_mgmt failed: %s\n",
773 pam_strerror(pam, error));
774 goto out;
775 }
776
777 if ((error = pam_setcred(pam, 0)) != 0) {
778 plog(LLV_ERROR, LOCATION, NULL,
779 "pam_setcred failed: %s\n",
780 pam_strerror(pam, error));
781 goto out;
782 }
783
784 if (remote != NULL)
785 free(remote);
786
787 return 0;
788
789 out:
790 pam_end(pam, error);
791 isakmp_cfg_config.port_pool[port].pam = NULL;
792 if (remote != NULL)
793 free(remote);
794 return -1;
795 }
796 #endif
797
798 #ifdef HAVE_LIBLDAP
799 int
xauth_ldap_init_conf(void)800 xauth_ldap_init_conf(void)
801 {
802 int tmplen;
803 int error = -1;
804
805 xauth_ldap_config.pver = 3;
806 xauth_ldap_config.host = NULL;
807 xauth_ldap_config.port = LDAP_PORT;
808 xauth_ldap_config.base = NULL;
809 xauth_ldap_config.subtree = 0;
810 xauth_ldap_config.bind_dn = NULL;
811 xauth_ldap_config.bind_pw = NULL;
812 xauth_ldap_config.auth_type = LDAP_AUTH_SIMPLE;
813 xauth_ldap_config.attr_user = NULL;
814 xauth_ldap_config.attr_addr = NULL;
815 xauth_ldap_config.attr_mask = NULL;
816 xauth_ldap_config.attr_group = NULL;
817 xauth_ldap_config.attr_member = NULL;
818
819 /* set default host */
820 tmplen = strlen(LDAP_DFLT_HOST);
821 xauth_ldap_config.host = vmalloc(tmplen);
822 if (xauth_ldap_config.host == NULL)
823 goto out;
824 memcpy(xauth_ldap_config.host->v, LDAP_DFLT_HOST, tmplen);
825
826 /* set default user naming attribute */
827 tmplen = strlen(LDAP_DFLT_USER);
828 xauth_ldap_config.attr_user = vmalloc(tmplen);
829 if (xauth_ldap_config.attr_user == NULL)
830 goto out;
831 memcpy(xauth_ldap_config.attr_user->v, LDAP_DFLT_USER, tmplen);
832
833 /* set default address attribute */
834 tmplen = strlen(LDAP_DFLT_ADDR);
835 xauth_ldap_config.attr_addr = vmalloc(tmplen);
836 if (xauth_ldap_config.attr_addr == NULL)
837 goto out;
838 memcpy(xauth_ldap_config.attr_addr->v, LDAP_DFLT_ADDR, tmplen);
839
840 /* set default netmask attribute */
841 tmplen = strlen(LDAP_DFLT_MASK);
842 xauth_ldap_config.attr_mask = vmalloc(tmplen);
843 if (xauth_ldap_config.attr_mask == NULL)
844 goto out;
845 memcpy(xauth_ldap_config.attr_mask->v, LDAP_DFLT_MASK, tmplen);
846
847 /* set default group naming attribute */
848 tmplen = strlen(LDAP_DFLT_GROUP);
849 xauth_ldap_config.attr_group = vmalloc(tmplen);
850 if (xauth_ldap_config.attr_group == NULL)
851 goto out;
852 memcpy(xauth_ldap_config.attr_group->v, LDAP_DFLT_GROUP, tmplen);
853
854 /* set default member attribute */
855 tmplen = strlen(LDAP_DFLT_MEMBER);
856 xauth_ldap_config.attr_member = vmalloc(tmplen);
857 if (xauth_ldap_config.attr_member == NULL)
858 goto out;
859 memcpy(xauth_ldap_config.attr_member->v, LDAP_DFLT_MEMBER, tmplen);
860
861 error = 0;
862 out:
863 if (error != 0)
864 plog(LLV_ERROR, LOCATION, NULL, "cannot allocate memory\n");
865
866 return error;
867 }
868
869 int
xauth_login_ldap(iph1,usr,pwd)870 xauth_login_ldap(iph1, usr, pwd)
871 struct ph1handle *iph1;
872 char *usr;
873 char *pwd;
874 {
875 int rtn = -1;
876 int res = -1;
877 LDAP *ld = NULL;
878 LDAPMessage *lr = NULL;
879 LDAPMessage *le = NULL;
880 struct berval cred;
881 struct berval **bv = NULL;
882 struct timeval timeout;
883 char *init = NULL;
884 char *filter = NULL;
885 char *atlist[3];
886 char *basedn = NULL;
887 char *userdn = NULL;
888 int tmplen = 0;
889 int ecount = 0;
890 int scope = LDAP_SCOPE_ONE;
891
892 atlist[0] = NULL;
893 atlist[1] = NULL;
894 atlist[2] = NULL;
895
896 /* build our initialization url */
897 tmplen = strlen("ldap://:") + 17;
898 tmplen += strlen(xauth_ldap_config.host->v);
899 init = racoon_malloc(tmplen);
900 if (init == NULL) {
901 plog(LLV_ERROR, LOCATION, NULL,
902 "unable to alloc ldap init url\n");
903 goto ldap_end;
904 }
905 sprintf(init,"ldap://%s:%d",
906 xauth_ldap_config.host->v,
907 xauth_ldap_config.port );
908
909 /* initialize the ldap handle */
910 res = ldap_initialize(&ld, init);
911 if (res != LDAP_SUCCESS) {
912 plog(LLV_ERROR, LOCATION, NULL,
913 "ldap_initialize failed: %s\n",
914 ldap_err2string(res));
915 goto ldap_end;
916 }
917
918 /* initialize the protocol version */
919 ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION,
920 &xauth_ldap_config.pver);
921
922 /*
923 * attempt to bind to the ldap server.
924 * default to anonymous bind unless a
925 * user dn and password has been
926 * specified in our configuration
927 */
928 if ((xauth_ldap_config.bind_dn != NULL)&&
929 (xauth_ldap_config.bind_pw != NULL))
930 {
931 cred.bv_val = xauth_ldap_config.bind_pw->v;
932 cred.bv_len = strlen( cred.bv_val );
933 res = ldap_sasl_bind_s(ld,
934 xauth_ldap_config.bind_dn->v, NULL, &cred,
935 NULL, NULL, NULL);
936 }
937 else
938 {
939 res = ldap_sasl_bind_s(ld,
940 NULL, NULL, NULL,
941 NULL, NULL, NULL);
942 }
943
944 if (res!=LDAP_SUCCESS) {
945 plog(LLV_ERROR, LOCATION, NULL,
946 "ldap_sasl_bind_s (search) failed: %s\n",
947 ldap_err2string(res));
948 goto ldap_end;
949 }
950
951 /* build an ldap user search filter */
952 tmplen = strlen(xauth_ldap_config.attr_user->v);
953 tmplen += 1;
954 tmplen += strlen(usr);
955 tmplen += 1;
956 filter = racoon_malloc(tmplen);
957 if (filter == NULL) {
958 plog(LLV_ERROR, LOCATION, NULL,
959 "unable to alloc ldap search filter buffer\n");
960 goto ldap_end;
961 }
962 sprintf(filter, "%s=%s",
963 xauth_ldap_config.attr_user->v, usr);
964
965 /* build our return attribute list */
966 tmplen = strlen(xauth_ldap_config.attr_addr->v) + 1;
967 atlist[0] = racoon_malloc(tmplen);
968 tmplen = strlen(xauth_ldap_config.attr_mask->v) + 1;
969 atlist[1] = racoon_malloc(tmplen);
970 if ((atlist[0] == NULL)||(atlist[1] == NULL)) {
971 plog(LLV_ERROR, LOCATION, NULL,
972 "unable to alloc ldap attrib list buffer\n");
973 goto ldap_end;
974 }
975 strcpy(atlist[0],xauth_ldap_config.attr_addr->v);
976 strcpy(atlist[1],xauth_ldap_config.attr_mask->v);
977
978 /* attempt to locate the user dn */
979 if (xauth_ldap_config.base != NULL)
980 basedn = xauth_ldap_config.base->v;
981 if (xauth_ldap_config.subtree)
982 scope = LDAP_SCOPE_SUBTREE;
983 timeout.tv_sec = 15;
984 timeout.tv_usec = 0;
985 res = ldap_search_ext_s(ld, basedn, scope,
986 filter, atlist, 0, NULL, NULL,
987 &timeout, 2, &lr);
988 if (res != LDAP_SUCCESS) {
989 plog(LLV_ERROR, LOCATION, NULL,
990 "ldap_search_ext_s failed: %s\n",
991 ldap_err2string(res));
992 goto ldap_end;
993 }
994
995 /* check the number of ldap entries returned */
996 ecount = ldap_count_entries(ld, lr);
997 if (ecount < 1) {
998 plog(LLV_WARNING, LOCATION, NULL,
999 "no ldap results for filter \'%s\'\n",
1000 filter);
1001 goto ldap_end;
1002 }
1003 if (ecount > 1) {
1004 plog(LLV_WARNING, LOCATION, NULL,
1005 "multiple (%i) ldap results for filter \'%s\'\n",
1006 ecount, filter);
1007 }
1008
1009 /* obtain the dn from the first result */
1010 le = ldap_first_entry(ld, lr);
1011 if (le == NULL) {
1012 plog(LLV_ERROR, LOCATION, NULL,
1013 "ldap_first_entry failed: invalid entry returned\n");
1014 goto ldap_end;
1015 }
1016 userdn = ldap_get_dn(ld, le);
1017 if (userdn == NULL) {
1018 plog(LLV_ERROR, LOCATION, NULL,
1019 "ldap_get_dn failed: invalid string returned\n");
1020 goto ldap_end;
1021 }
1022
1023 /* cache the user dn in the xauth state */
1024 iph1->mode_cfg->xauth.udn = racoon_malloc(strlen(userdn)+1);
1025 strcpy(iph1->mode_cfg->xauth.udn,userdn);
1026
1027 /* retrieve modecfg address */
1028 bv = ldap_get_values_len(ld, le, xauth_ldap_config.attr_addr->v);
1029 if (bv != NULL) {
1030 char tmpaddr[16];
1031 /* sanity check for address value */
1032 if ((bv[0]->bv_len < 7)||(bv[0]->bv_len > 15)) {
1033 plog(LLV_DEBUG, LOCATION, NULL,
1034 "ldap returned invalid modecfg address\n");
1035 ldap_value_free_len(bv);
1036 goto ldap_end;
1037 }
1038 memcpy(tmpaddr,bv[0]->bv_val,bv[0]->bv_len);
1039 tmpaddr[bv[0]->bv_len]=0;
1040 iph1->mode_cfg->addr4.s_addr = inet_addr(tmpaddr);
1041 iph1->mode_cfg->flags |= ISAKMP_CFG_ADDR4_EXTERN;
1042 plog(LLV_INFO, LOCATION, NULL,
1043 "ldap returned modecfg address %s\n", tmpaddr);
1044 ldap_value_free_len(bv);
1045 }
1046
1047 /* retrieve modecfg netmask */
1048 bv = ldap_get_values_len(ld, le, xauth_ldap_config.attr_mask->v);
1049 if (bv != NULL) {
1050 char tmpmask[16];
1051 /* sanity check for netmask value */
1052 if ((bv[0]->bv_len < 7)||(bv[0]->bv_len > 15)) {
1053 plog(LLV_DEBUG, LOCATION, NULL,
1054 "ldap returned invalid modecfg netmask\n");
1055 ldap_value_free_len(bv);
1056 goto ldap_end;
1057 }
1058 memcpy(tmpmask,bv[0]->bv_val,bv[0]->bv_len);
1059 tmpmask[bv[0]->bv_len]=0;
1060 iph1->mode_cfg->mask4.s_addr = inet_addr(tmpmask);
1061 iph1->mode_cfg->flags |= ISAKMP_CFG_MASK4_EXTERN;
1062 plog(LLV_INFO, LOCATION, NULL,
1063 "ldap returned modecfg netmask %s\n", tmpmask);
1064 ldap_value_free_len(bv);
1065 }
1066
1067 /*
1068 * finally, use the dn and the xauth
1069 * password to check the users given
1070 * credentials by attempting to bind
1071 * to the ldap server
1072 */
1073 plog(LLV_INFO, LOCATION, NULL,
1074 "attempting ldap bind for dn \'%s\'\n", userdn);
1075 cred.bv_val = pwd;
1076 cred.bv_len = strlen( cred.bv_val );
1077 res = ldap_sasl_bind_s(ld,
1078 userdn, NULL, &cred,
1079 NULL, NULL, NULL);
1080 if(res==LDAP_SUCCESS)
1081 rtn = 0;
1082
1083 ldap_end:
1084
1085 /* free ldap resources */
1086 if (userdn != NULL)
1087 ldap_memfree(userdn);
1088 if (atlist[0] != NULL)
1089 racoon_free(atlist[0]);
1090 if (atlist[1] != NULL)
1091 racoon_free(atlist[1]);
1092 if (filter != NULL)
1093 racoon_free(filter);
1094 if (lr != NULL)
1095 ldap_msgfree(lr);
1096 if (init != NULL)
1097 racoon_free(init);
1098
1099 ldap_unbind_ext_s(ld, NULL, NULL);
1100
1101 return rtn;
1102 }
1103
1104 int
xauth_group_ldap(udn,grp)1105 xauth_group_ldap(udn, grp)
1106 char * udn;
1107 char * grp;
1108 {
1109 int rtn = -1;
1110 int res = -1;
1111 LDAP *ld = NULL;
1112 LDAPMessage *lr = NULL;
1113 LDAPMessage *le = NULL;
1114 struct berval cred;
1115 struct timeval timeout;
1116 char *init = NULL;
1117 char *filter = NULL;
1118 char *basedn = NULL;
1119 char *groupdn = NULL;
1120 int tmplen = 0;
1121 int ecount = 0;
1122 int scope = LDAP_SCOPE_ONE;
1123
1124 /* build our initialization url */
1125 tmplen = strlen("ldap://:") + 17;
1126 tmplen += strlen(xauth_ldap_config.host->v);
1127 init = racoon_malloc(tmplen);
1128 if (init == NULL) {
1129 plog(LLV_ERROR, LOCATION, NULL,
1130 "unable to alloc ldap init url\n");
1131 goto ldap_group_end;
1132 }
1133 sprintf(init,"ldap://%s:%d",
1134 xauth_ldap_config.host->v,
1135 xauth_ldap_config.port );
1136
1137 /* initialize the ldap handle */
1138 res = ldap_initialize(&ld, init);
1139 if (res != LDAP_SUCCESS) {
1140 plog(LLV_ERROR, LOCATION, NULL,
1141 "ldap_initialize failed: %s\n",
1142 ldap_err2string(res));
1143 goto ldap_group_end;
1144 }
1145
1146 /* initialize the protocol version */
1147 ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION,
1148 &xauth_ldap_config.pver);
1149
1150 /*
1151 * attempt to bind to the ldap server.
1152 * default to anonymous bind unless a
1153 * user dn and password has been
1154 * specified in our configuration
1155 */
1156 if ((xauth_ldap_config.bind_dn != NULL)&&
1157 (xauth_ldap_config.bind_pw != NULL))
1158 {
1159 cred.bv_val = xauth_ldap_config.bind_pw->v;
1160 cred.bv_len = strlen( cred.bv_val );
1161 res = ldap_sasl_bind_s(ld,
1162 xauth_ldap_config.bind_dn->v, NULL, &cred,
1163 NULL, NULL, NULL);
1164 }
1165 else
1166 {
1167 res = ldap_sasl_bind_s(ld,
1168 NULL, NULL, NULL,
1169 NULL, NULL, NULL);
1170 }
1171
1172 if (res!=LDAP_SUCCESS) {
1173 plog(LLV_ERROR, LOCATION, NULL,
1174 "ldap_sasl_bind_s (search) failed: %s\n",
1175 ldap_err2string(res));
1176 goto ldap_group_end;
1177 }
1178
1179 /* build an ldap group search filter */
1180 tmplen = strlen("(&(=)(=))") + 1;
1181 tmplen += strlen(xauth_ldap_config.attr_group->v);
1182 tmplen += strlen(grp);
1183 tmplen += strlen(xauth_ldap_config.attr_member->v);
1184 tmplen += strlen(udn);
1185 filter = racoon_malloc(tmplen);
1186 if (filter == NULL) {
1187 plog(LLV_ERROR, LOCATION, NULL,
1188 "unable to alloc ldap search filter buffer\n");
1189 goto ldap_group_end;
1190 }
1191 sprintf(filter, "(&(%s=%s)(%s=%s))",
1192 xauth_ldap_config.attr_group->v, grp,
1193 xauth_ldap_config.attr_member->v, udn);
1194
1195 /* attempt to locate the group dn */
1196 if (xauth_ldap_config.base != NULL)
1197 basedn = xauth_ldap_config.base->v;
1198 if (xauth_ldap_config.subtree)
1199 scope = LDAP_SCOPE_SUBTREE;
1200 timeout.tv_sec = 15;
1201 timeout.tv_usec = 0;
1202 res = ldap_search_ext_s(ld, basedn, scope,
1203 filter, NULL, 0, NULL, NULL,
1204 &timeout, 2, &lr);
1205 if (res != LDAP_SUCCESS) {
1206 plog(LLV_ERROR, LOCATION, NULL,
1207 "ldap_search_ext_s failed: %s\n",
1208 ldap_err2string(res));
1209 goto ldap_group_end;
1210 }
1211
1212 /* check the number of ldap entries returned */
1213 ecount = ldap_count_entries(ld, lr);
1214 if (ecount < 1) {
1215 plog(LLV_WARNING, LOCATION, NULL,
1216 "no ldap results for filter \'%s\'\n",
1217 filter);
1218 goto ldap_group_end;
1219 }
1220
1221 /* success */
1222 rtn = 0;
1223
1224 /* obtain the dn from the first result */
1225 le = ldap_first_entry(ld, lr);
1226 if (le == NULL) {
1227 plog(LLV_ERROR, LOCATION, NULL,
1228 "ldap_first_entry failed: invalid entry returned\n");
1229 goto ldap_group_end;
1230 }
1231 groupdn = ldap_get_dn(ld, le);
1232 if (groupdn == NULL) {
1233 plog(LLV_ERROR, LOCATION, NULL,
1234 "ldap_get_dn failed: invalid string returned\n");
1235 goto ldap_group_end;
1236 }
1237
1238 plog(LLV_INFO, LOCATION, NULL,
1239 "ldap membership group returned \'%s\'\n", groupdn);
1240 ldap_group_end:
1241
1242 /* free ldap resources */
1243 if (groupdn != NULL)
1244 ldap_memfree(groupdn);
1245 if (filter != NULL)
1246 racoon_free(filter);
1247 if (lr != NULL)
1248 ldap_msgfree(lr);
1249 if (init != NULL)
1250 racoon_free(init);
1251
1252 ldap_unbind_ext_s(ld, NULL, NULL);
1253
1254 return rtn;
1255 }
1256
1257 #endif
1258
1259 #ifndef ANDROID_PATCHED
1260
1261 int
xauth_login_system(usr,pwd)1262 xauth_login_system(usr, pwd)
1263 char *usr;
1264 char *pwd;
1265 {
1266 struct passwd *pw;
1267 char *cryptpwd;
1268 char *syscryptpwd;
1269 #ifdef HAVE_SHADOW_H
1270 struct spwd *spw;
1271
1272 if ((spw = getspnam(usr)) == NULL)
1273 return -1;
1274
1275 syscryptpwd = spw->sp_pwdp;
1276 #endif
1277
1278 if ((pw = getpwnam(usr)) == NULL)
1279 return -1;
1280
1281 #ifndef HAVE_SHADOW_H
1282 syscryptpwd = pw->pw_passwd;
1283 #endif
1284
1285 /* No root login. Ever. */
1286 if (pw->pw_uid == 0)
1287 return -1;
1288
1289 if ((cryptpwd = crypt(pwd, syscryptpwd)) == NULL)
1290 return -1;
1291
1292 if (strcmp(cryptpwd, syscryptpwd) == 0)
1293 return 0;
1294
1295 return -1;
1296 }
1297
1298 #endif
1299
1300 int
xauth_group_system(usr,grp)1301 xauth_group_system(usr, grp)
1302 char * usr;
1303 char * grp;
1304 {
1305 struct group * gr;
1306 char * member;
1307 int index = 0;
1308
1309 gr = getgrnam(grp);
1310 if (gr == NULL) {
1311 plog(LLV_ERROR, LOCATION, NULL,
1312 "the system group name \'%s\' is unknown\n",
1313 grp);
1314 return -1;
1315 }
1316
1317 while ((member = gr->gr_mem[index++])!=NULL) {
1318 if (!strcmp(member,usr)) {
1319 plog(LLV_INFO, LOCATION, NULL,
1320 "membership validated\n");
1321 return 0;
1322 }
1323 }
1324
1325 return -1;
1326 }
1327
1328 int
xauth_check(iph1)1329 xauth_check(iph1)
1330 struct ph1handle *iph1;
1331 {
1332 struct xauth_state *xst = &iph1->mode_cfg->xauth;
1333
1334 /*
1335 * Only the server side (edge device) really check for Xauth
1336 * status. It does it if the chose authmethod is using Xauth.
1337 * On the client side (roadwarrior), we don't check anything.
1338 */
1339 switch (iph1->approval->authmethod) {
1340 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_R:
1341 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_R:
1342 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_R:
1343 /* The following are not yet implemented */
1344 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_R:
1345 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_R:
1346 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_R:
1347 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_R:
1348 if ((iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_XAUTH) == 0) {
1349 plog(LLV_ERROR, LOCATION, NULL,
1350 "Hybrid auth negotiated but peer did not "
1351 "announced as Xauth capable\n");
1352 return -1;
1353 }
1354
1355 if (xst->status != XAUTHST_OK) {
1356 plog(LLV_ERROR, LOCATION, NULL,
1357 "Hybrid auth negotiated but peer did not "
1358 "succeed Xauth exchange\n");
1359 return -1;
1360 }
1361
1362 return 0;
1363 break;
1364 default:
1365 return 0;
1366 break;
1367 }
1368
1369 return 0;
1370 }
1371
1372 int
group_check(iph1,grp_list,grp_count)1373 group_check(iph1, grp_list, grp_count)
1374 struct ph1handle *iph1;
1375 char **grp_list;
1376 int grp_count;
1377 {
1378 int res = -1;
1379 int grp_index = 0;
1380 char * usr = NULL;
1381
1382 /* check for presence of modecfg data */
1383
1384 if(iph1->mode_cfg == NULL) {
1385 plog(LLV_ERROR, LOCATION, NULL,
1386 "xauth group specified but modecfg not found\n");
1387 return res;
1388 }
1389
1390 /* loop through our group list */
1391
1392 for(; grp_index < grp_count; grp_index++) {
1393
1394 /* check for presence of xauth data */
1395
1396 usr = iph1->mode_cfg->xauth.authdata.generic.usr;
1397
1398 if(usr == NULL) {
1399 plog(LLV_ERROR, LOCATION, NULL,
1400 "xauth group specified but xauth not found\n");
1401 return res;
1402 }
1403
1404 /* call appropriate group validation funtion */
1405
1406 switch (isakmp_cfg_config.groupsource) {
1407
1408 case ISAKMP_CFG_GROUP_SYSTEM:
1409 res = xauth_group_system(
1410 usr,
1411 grp_list[grp_index]);
1412 break;
1413
1414 #ifdef HAVE_LIBLDAP
1415 case ISAKMP_CFG_GROUP_LDAP:
1416 res = xauth_group_ldap(
1417 iph1->mode_cfg->xauth.udn,
1418 grp_list[grp_index]);
1419 break;
1420 #endif
1421
1422 default:
1423 /* we should never get here */
1424 plog(LLV_ERROR, LOCATION, NULL,
1425 "Unknown group auth source\n");
1426 break;
1427 }
1428
1429 if( !res ) {
1430 plog(LLV_INFO, LOCATION, NULL,
1431 "user \"%s\" is a member of group \"%s\"\n",
1432 usr,
1433 grp_list[grp_index]);
1434 break;
1435 } else {
1436 plog(LLV_INFO, LOCATION, NULL,
1437 "user \"%s\" is not a member of group \"%s\"\n",
1438 usr,
1439 grp_list[grp_index]);
1440 }
1441 }
1442
1443 return res;
1444 }
1445
1446 vchar_t *
isakmp_xauth_req(iph1,attr)1447 isakmp_xauth_req(iph1, attr)
1448 struct ph1handle *iph1;
1449 struct isakmp_data *attr;
1450 {
1451 int type;
1452 size_t dlen = 0;
1453 int ashort = 0;
1454 int value = 0;
1455 vchar_t *buffer = NULL;
1456 char *mraw = NULL, *mdata;
1457 char *data;
1458 vchar_t *usr = NULL;
1459 vchar_t *pwd = NULL;
1460 size_t skip = 0;
1461 int freepwd = 0;
1462
1463 if ((iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_XAUTH) == 0) {
1464 plog(LLV_ERROR, LOCATION, NULL,
1465 "Xauth mode config request but peer "
1466 "did not declare itself as Xauth capable\n");
1467 return NULL;
1468 }
1469
1470 type = ntohs(attr->type) & ~ISAKMP_GEN_MASK;
1471
1472 /* Sanity checks */
1473 switch(type) {
1474 case XAUTH_TYPE:
1475 if ((ntohs(attr->type) & ISAKMP_GEN_TV) == 0) {
1476 plog(LLV_ERROR, LOCATION, NULL,
1477 "Unexpected long XAUTH_TYPE attribute\n");
1478 return NULL;
1479 }
1480 if (ntohs(attr->lorv) != XAUTH_TYPE_GENERIC) {
1481 plog(LLV_ERROR, LOCATION, NULL,
1482 "Unsupported Xauth authentication %d\n",
1483 ntohs(attr->lorv));
1484 return NULL;
1485 }
1486 ashort = 1;
1487 dlen = 0;
1488 value = XAUTH_TYPE_GENERIC;
1489 break;
1490
1491 case XAUTH_USER_NAME:
1492 if (!iph1->rmconf->xauth || !iph1->rmconf->xauth->login) {
1493 plog(LLV_ERROR, LOCATION, NULL, "Xauth performed "
1494 "with no login supplied\n");
1495 return NULL;
1496 }
1497
1498 dlen = iph1->rmconf->xauth->login->l - 1;
1499 iph1->rmconf->xauth->state |= XAUTH_SENT_USERNAME;
1500 break;
1501
1502 #ifdef ANDROID_PATCHED
1503 case XAUTH_PASSCODE:
1504 #endif
1505 case XAUTH_USER_PASSWORD:
1506 if (!iph1->rmconf->xauth || !iph1->rmconf->xauth->login)
1507 return NULL;
1508
1509 skip = sizeof(struct ipsecdoi_id_b);
1510 usr = vmalloc(iph1->rmconf->xauth->login->l - 1 + skip);
1511 if (usr == NULL) {
1512 plog(LLV_ERROR, LOCATION, NULL,
1513 "Cannot allocate memory\n");
1514 return NULL;
1515 }
1516 memset(usr->v, 0, skip);
1517 memcpy(usr->v + skip,
1518 iph1->rmconf->xauth->login->v,
1519 iph1->rmconf->xauth->login->l - 1);
1520
1521 if (iph1->rmconf->xauth->pass) {
1522 /* A key given through racoonctl */
1523 pwd = iph1->rmconf->xauth->pass;
1524 } else {
1525 if ((pwd = getpskbyname(usr)) == NULL) {
1526 plog(LLV_ERROR, LOCATION, NULL,
1527 "No password was found for login %s\n",
1528 iph1->rmconf->xauth->login->v);
1529 vfree(usr);
1530 return NULL;
1531 }
1532 /* We have to free it before returning */
1533 freepwd = 1;
1534 }
1535 vfree(usr);
1536
1537 iph1->rmconf->xauth->state |= XAUTH_SENT_PASSWORD;
1538 dlen = pwd->l;
1539
1540 break;
1541 case XAUTH_MESSAGE:
1542 if ((ntohs(attr->type) & ISAKMP_GEN_TV) == 0) {
1543 dlen = ntohs(attr->lorv);
1544 if (dlen > 0) {
1545 mraw = (char*)(attr + 1);
1546 mdata = binsanitize(mraw, dlen);
1547 if (mdata == NULL) {
1548 plog(LLV_ERROR, LOCATION, iph1->remote,
1549 "Cannot allocate memory\n");
1550 return NULL;
1551 }
1552 plog(LLV_NOTIFY,LOCATION, iph1->remote,
1553 "XAUTH Message: '%s'.\n",
1554 mdata);
1555 racoon_free(mdata);
1556 }
1557 }
1558 return NULL;
1559 default:
1560 plog(LLV_WARNING, LOCATION, NULL,
1561 "Ignored attribute %s\n", s_isakmp_cfg_type(type));
1562 return NULL;
1563 break;
1564 }
1565
1566 if ((buffer = vmalloc(sizeof(*attr) + dlen)) == NULL) {
1567 plog(LLV_ERROR, LOCATION, NULL,
1568 "Cannot allocate memory\n");
1569 goto out;
1570 }
1571
1572 attr = (struct isakmp_data *)buffer->v;
1573 if (ashort) {
1574 attr->type = htons(type | ISAKMP_GEN_TV);
1575 attr->lorv = htons(value);
1576 goto out;
1577 }
1578
1579 attr->type = htons(type | ISAKMP_GEN_TLV);
1580 attr->lorv = htons(dlen);
1581 data = (char *)(attr + 1);
1582
1583 switch(type) {
1584 case XAUTH_USER_NAME:
1585 /*
1586 * iph1->rmconf->xauth->login->v is valid,
1587 * we just checked it in the previous switch case
1588 */
1589 memcpy(data, iph1->rmconf->xauth->login->v, dlen);
1590 break;
1591 #ifdef ANDROID_PATCHED
1592 case XAUTH_PASSCODE:
1593 #endif
1594 case XAUTH_USER_PASSWORD:
1595 memcpy(data, pwd->v, dlen);
1596 break;
1597 default:
1598 break;
1599 }
1600
1601 out:
1602 if (freepwd)
1603 vfree(pwd);
1604
1605 return buffer;
1606 }
1607
1608 vchar_t *
isakmp_xauth_set(iph1,attr)1609 isakmp_xauth_set(iph1, attr)
1610 struct ph1handle *iph1;
1611 struct isakmp_data *attr;
1612 {
1613 int type;
1614 vchar_t *buffer = NULL;
1615 char *data;
1616 struct xauth_state *xst;
1617 size_t dlen = 0;
1618 char* mraw = NULL, *mdata;
1619
1620 if ((iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_XAUTH) == 0) {
1621 plog(LLV_ERROR, LOCATION, NULL,
1622 "Xauth mode config set but peer "
1623 "did not declare itself as Xauth capable\n");
1624 return NULL;
1625 }
1626
1627 type = ntohs(attr->type) & ~ISAKMP_GEN_MASK;
1628
1629 switch(type) {
1630 case XAUTH_STATUS:
1631 /*
1632 * We should only receive ISAKMP mode_cfg SET XAUTH_STATUS
1633 * when running as a client (initiator).
1634 */
1635 xst = &iph1->mode_cfg->xauth;
1636 switch (iph1->approval->authmethod) {
1637 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I:
1638 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_I:
1639 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_I:
1640 /* Not implemented ... */
1641 case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_I:
1642 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_I:
1643 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_I:
1644 case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_I:
1645 break;
1646 default:
1647 plog(LLV_ERROR, LOCATION, NULL,
1648 "Unexpected XAUTH_STATUS_OK\n");
1649 return NULL;
1650 break;
1651 }
1652
1653 /* If we got a failure, delete iph1 */
1654 if (ntohs(attr->lorv) != XAUTH_STATUS_OK) {
1655 plog(LLV_ERROR, LOCATION, NULL,
1656 "Xauth authentication failed\n");
1657
1658 evt_phase1(iph1, EVT_PHASE1_XAUTH_FAILED, NULL);
1659
1660 iph1->mode_cfg->flags |= ISAKMP_CFG_DELETE_PH1;
1661 } else {
1662 evt_phase1(iph1, EVT_PHASE1_XAUTH_SUCCESS, NULL);
1663 }
1664
1665
1666 /* We acknowledge it */
1667 break;
1668 case XAUTH_MESSAGE:
1669 if ((ntohs(attr->type) & ISAKMP_GEN_TV) == 0) {
1670 dlen = ntohs(attr->lorv);
1671 if (dlen > 0) {
1672 mraw = (char*)(attr + 1);
1673 mdata = binsanitize(mraw, dlen);
1674 if (mdata == NULL) {
1675 plog(LLV_ERROR, LOCATION, iph1->remote,
1676 "Cannot allocate memory\n");
1677 return NULL;
1678 }
1679 plog(LLV_NOTIFY,LOCATION, iph1->remote,
1680 "XAUTH Message: '%s'.\n",
1681 mdata);
1682 racoon_free(mdata);
1683 }
1684 }
1685
1686 default:
1687 plog(LLV_WARNING, LOCATION, NULL,
1688 "Ignored attribute %s\n", s_isakmp_cfg_type(type));
1689 return NULL;
1690 break;
1691 }
1692
1693 if ((buffer = vmalloc(sizeof(*attr))) == NULL) {
1694 plog(LLV_ERROR, LOCATION, NULL,
1695 "Cannot allocate memory\n");
1696 return NULL;
1697 }
1698
1699 attr = (struct isakmp_data *)buffer->v;
1700 attr->type = htons(type | ISAKMP_GEN_TV);
1701 attr->lorv = htons(0);
1702
1703 return buffer;
1704 }
1705
1706
1707 void
xauth_rmstate(xst)1708 xauth_rmstate(xst)
1709 struct xauth_state *xst;
1710 {
1711 switch (xst->authtype) {
1712 case XAUTH_TYPE_GENERIC:
1713 if (xst->authdata.generic.usr)
1714 racoon_free(xst->authdata.generic.usr);
1715
1716 if (xst->authdata.generic.pwd)
1717 racoon_free(xst->authdata.generic.pwd);
1718
1719 break;
1720
1721 case XAUTH_TYPE_CHAP:
1722 case XAUTH_TYPE_OTP:
1723 case XAUTH_TYPE_SKEY:
1724 plog(LLV_WARNING, LOCATION, NULL,
1725 "Unsupported authtype %d\n", xst->authtype);
1726 break;
1727
1728 default:
1729 plog(LLV_WARNING, LOCATION, NULL,
1730 "Unexpected authtype %d\n", xst->authtype);
1731 break;
1732 }
1733
1734 #ifdef HAVE_LIBLDAP
1735 if (xst->udn != NULL)
1736 racoon_free(xst->udn);
1737 #endif
1738 return;
1739 }
1740
1741 int
xauth_rmconf_used(xauth_rmconf)1742 xauth_rmconf_used(xauth_rmconf)
1743 struct xauth_rmconf **xauth_rmconf;
1744 {
1745 if (*xauth_rmconf == NULL) {
1746 *xauth_rmconf = racoon_malloc(sizeof(**xauth_rmconf));
1747 if (*xauth_rmconf == NULL) {
1748 plog(LLV_ERROR, LOCATION, NULL,
1749 "xauth_rmconf_used: malloc failed\n");
1750 return -1;
1751 }
1752
1753 (*xauth_rmconf)->login = NULL;
1754 (*xauth_rmconf)->pass = NULL;
1755 (*xauth_rmconf)->state = 0;
1756 }
1757
1758 return 0;
1759 }
1760
1761 void
xauth_rmconf_delete(xauth_rmconf)1762 xauth_rmconf_delete(xauth_rmconf)
1763 struct xauth_rmconf **xauth_rmconf;
1764 {
1765 if (*xauth_rmconf != NULL) {
1766 if ((*xauth_rmconf)->login != NULL)
1767 vfree((*xauth_rmconf)->login);
1768 if ((*xauth_rmconf)->pass != NULL)
1769 vfree((*xauth_rmconf)->pass);
1770
1771 racoon_free(*xauth_rmconf);
1772 *xauth_rmconf = NULL;
1773 }
1774
1775 return;
1776 }
1777
1778 struct xauth_rmconf *
xauth_rmconf_dup(xauth_rmconf)1779 xauth_rmconf_dup(xauth_rmconf)
1780 struct xauth_rmconf *xauth_rmconf;
1781 {
1782 struct xauth_rmconf *new;
1783
1784 if (xauth_rmconf != NULL) {
1785 new = racoon_malloc(sizeof(*new));
1786 if (new == NULL) {
1787 plog(LLV_ERROR, LOCATION, NULL,
1788 "xauth_rmconf_dup: malloc failed\n");
1789 return NULL;
1790 }
1791
1792 memcpy(new, xauth_rmconf, sizeof(*new));
1793
1794 if (xauth_rmconf->login != NULL) {
1795 new->login = vdup(xauth_rmconf->login);
1796 if (new->login == NULL) {
1797 plog(LLV_ERROR, LOCATION, NULL,
1798 "xauth_rmconf_dup: malloc failed (login)\n");
1799 return NULL;
1800 }
1801 }
1802 if (xauth_rmconf->pass != NULL) {
1803 new->pass = vdup(xauth_rmconf->pass);
1804 if (new->pass == NULL) {
1805 plog(LLV_ERROR, LOCATION, NULL,
1806 "xauth_rmconf_dup: malloc failed (password)\n");
1807 return NULL;
1808 }
1809 }
1810
1811 return new;
1812 }
1813
1814 return NULL;
1815 }
1816