• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /*	$NetBSD: isakmp_xauth.c,v 1.11.6.2 2009/04/20 13:35:36 tteras Exp $	*/
2 
3 /* Id: isakmp_xauth.c,v 1.38 2006/08/22 18:17:17 manubsd Exp */
4 
5 /*
6  * Copyright (C) 2004-2005 Emmanuel Dreyfus
7  * All rights reserved.
8  *
9  * Redistribution and use in source and binary forms, with or without
10  * modification, are permitted provided that the following conditions
11  * are met:
12  * 1. Redistributions of source code must retain the above copyright
13  *    notice, this list of conditions and the following disclaimer.
14  * 2. Redistributions in binary form must reproduce the above copyright
15  *    notice, this list of conditions and the following disclaimer in the
16  *    documentation and/or other materials provided with the distribution.
17  * 3. Neither the name of the project nor the names of its contributors
18  *    may be used to endorse or promote products derived from this software
19  *    without specific prior written permission.
20  *
21  * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
22  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24  * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
25  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31  * SUCH DAMAGE.
32  */
33 
34 #include "config.h"
35 
36 #include <sys/types.h>
37 #include <sys/param.h>
38 #include <sys/socket.h>
39 #include <sys/queue.h>
40 
41 #include <netinet/in.h>
42 
43 #include <stdlib.h>
44 #include <stdio.h>
45 #include <string.h>
46 #include <errno.h>
47 #include <pwd.h>
48 #include <grp.h>
49 #if TIME_WITH_SYS_TIME
50 # include <sys/time.h>
51 # include <time.h>
52 #else
53 # if HAVE_SYS_TIME_H
54 #  include <sys/time.h>
55 # else
56 #  include <time.h>
57 # endif
58 #endif
59 #include <netdb.h>
60 #ifdef HAVE_UNISTD_H
61 #include <unistd.h>
62 #endif
63 #include <ctype.h>
64 #include <resolv.h>
65 
66 #ifdef HAVE_SHADOW_H
67 #include <shadow.h>
68 #endif
69 
70 #include "var.h"
71 #include "misc.h"
72 #include "vmbuf.h"
73 #include "plog.h"
74 #include "sockmisc.h"
75 #include "schedule.h"
76 #include "debug.h"
77 
78 #include "crypto_openssl.h"
79 #include "isakmp_var.h"
80 #include "isakmp.h"
81 #include "admin.h"
82 #include "privsep.h"
83 #include "evt.h"
84 #include "handler.h"
85 #include "throttle.h"
86 #include "remoteconf.h"
87 #include "isakmp_inf.h"
88 #include "isakmp_xauth.h"
89 #include "isakmp_unity.h"
90 #include "isakmp_cfg.h"
91 #include "strnames.h"
92 #include "ipsec_doi.h"
93 #include "remoteconf.h"
94 #include "localconf.h"
95 
96 #ifdef HAVE_LIBRADIUS
97 #include <radlib.h>
98 
99 struct rad_handle *radius_auth_state = NULL;
100 struct rad_handle *radius_acct_state = NULL;
101 #endif
102 
103 #ifdef HAVE_LIBPAM
104 #include <security/pam_appl.h>
105 
106 static char *PAM_usr = NULL;
107 static char *PAM_pwd = NULL;
108 static int PAM_conv(int, const struct pam_message **,
109     struct pam_response **, void *);
110 static struct pam_conv PAM_chat = { &PAM_conv, NULL };
111 #endif
112 
113 #ifdef HAVE_LIBLDAP
114 #include "ldap.h"
115 #include <arpa/inet.h>
116 struct xauth_ldap_config xauth_ldap_config;
117 #endif
118 
119 void
xauth_sendreq(iph1)120 xauth_sendreq(iph1)
121 	struct ph1handle *iph1;
122 {
123 	vchar_t *buffer;
124 	struct isakmp_pl_attr *attr;
125 	struct isakmp_data *typeattr;
126 	struct isakmp_data *usrattr;
127 	struct isakmp_data *pwdattr;
128 	struct xauth_state *xst = &iph1->mode_cfg->xauth;
129 	size_t tlen;
130 
131 	/* Status checks */
132 	if (iph1->status != PHASE1ST_ESTABLISHED) {
133 		plog(LLV_ERROR, LOCATION, NULL,
134 		    "Xauth request while phase 1 is not completed\n");
135 		return;
136 	}
137 
138 	if (xst->status != XAUTHST_NOTYET) {
139 		plog(LLV_ERROR, LOCATION, NULL,
140 		    "Xauth request whith Xauth state %d\n", xst->status);
141 		return;
142 	}
143 
144 	plog(LLV_INFO, LOCATION, NULL, "Sending Xauth request\n");
145 
146 	tlen = sizeof(*attr) +
147 	       + sizeof(*typeattr) +
148 	       + sizeof(*usrattr) +
149 	       + sizeof(*pwdattr);
150 
151 	if ((buffer = vmalloc(tlen)) == NULL) {
152 		plog(LLV_ERROR, LOCATION, NULL, "Cannot allocate buffer\n");
153 		return;
154 	}
155 
156 	attr = (struct isakmp_pl_attr *)buffer->v;
157 	memset(attr, 0, tlen);
158 
159 	attr->h.len = htons(tlen);
160 	attr->type = ISAKMP_CFG_REQUEST;
161 	attr->id = htons(eay_random());
162 
163 	typeattr = (struct isakmp_data *)(attr + 1);
164 	typeattr->type = htons(XAUTH_TYPE | ISAKMP_GEN_TV);
165 	typeattr->lorv = htons(XAUTH_TYPE_GENERIC);
166 
167 	usrattr = (struct isakmp_data *)(typeattr + 1);
168 	usrattr->type = htons(XAUTH_USER_NAME | ISAKMP_GEN_TLV);
169 	usrattr->lorv = htons(0);
170 
171 	pwdattr = (struct isakmp_data *)(usrattr + 1);
172 	pwdattr->type = htons(XAUTH_USER_PASSWORD | ISAKMP_GEN_TLV);
173 	pwdattr->lorv = htons(0);
174 
175 	isakmp_cfg_send(iph1, buffer,
176 	    ISAKMP_NPTYPE_ATTR, ISAKMP_FLAG_E, 1);
177 
178 	vfree(buffer);
179 
180 	xst->status = XAUTHST_REQSENT;
181 
182 	return;
183 }
184 
185 int
xauth_attr_reply(iph1,attr,id)186 xauth_attr_reply(iph1, attr, id)
187 	struct ph1handle *iph1;
188 	struct isakmp_data *attr;
189 	int id;
190 {
191 	char **outlet = NULL;
192 	size_t alen = 0;
193 	int type;
194 	struct xauth_state *xst = &iph1->mode_cfg->xauth;
195 
196 	if ((iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_XAUTH) == 0) {
197 		plog(LLV_ERROR, LOCATION, NULL,
198 		    "Xauth reply but peer did not declare "
199 		    "itself as Xauth capable\n");
200 		return -1;
201 	}
202 
203 	if (xst->status != XAUTHST_REQSENT) {
204 		plog(LLV_ERROR, LOCATION, NULL,
205 		    "Xauth reply while Xauth state is %d\n", xst->status);
206 		return -1;
207 	}
208 
209 	type = ntohs(attr->type) & ~ISAKMP_GEN_MASK;
210 	switch (type) {
211 	case XAUTH_TYPE:
212 		switch (ntohs(attr->lorv)) {
213 		case XAUTH_TYPE_GENERIC:
214 			xst->authtype = XAUTH_TYPE_GENERIC;
215 			break;
216 		default:
217 			plog(LLV_WARNING, LOCATION, NULL,
218 			    "Unexpected authentication type %d\n",
219 			    ntohs(type));
220 			return -1;
221 		}
222 		break;
223 
224 	case XAUTH_USER_NAME:
225 		outlet = &xst->authdata.generic.usr;
226 		break;
227 
228 	case XAUTH_USER_PASSWORD:
229 		outlet = &xst->authdata.generic.pwd;
230 		break;
231 
232 	default:
233 		plog(LLV_WARNING, LOCATION, NULL,
234 		    "ignored Xauth attribute %d\n", type);
235 		break;
236 	}
237 
238 	if (outlet != NULL) {
239 		alen = ntohs(attr->lorv);
240 
241 		if ((*outlet = racoon_malloc(alen + 1)) == NULL) {
242 			plog(LLV_ERROR, LOCATION, NULL,
243 			    "Cannot allocate memory for Xauth Data\n");
244 			return -1;
245 		}
246 
247 		memcpy(*outlet, attr + 1, alen);
248 		(*outlet)[alen] = '\0';
249 		outlet = NULL;
250 	}
251 
252 
253 	if ((xst->authdata.generic.usr != NULL) &&
254 	   (xst->authdata.generic.pwd != NULL)) {
255 		int port;
256 		int res;
257 		char *usr = xst->authdata.generic.usr;
258 		char *pwd = xst->authdata.generic.pwd;
259 		time_t throttle_delay = 0;
260 
261 #if 0	/* Real debug, don't do that at home */
262 		plog(LLV_DEBUG, LOCATION, NULL,
263 		    "Got username \"%s\", password \"%s\"\n", usr, pwd);
264 #endif
265 		strncpy(iph1->mode_cfg->login, usr, LOGINLEN);
266 		iph1->mode_cfg->login[LOGINLEN] = '\0';
267 
268 		res = -1;
269 		if ((port = isakmp_cfg_getport(iph1)) == -1) {
270 			plog(LLV_ERROR, LOCATION, NULL,
271 			    "Port pool depleted\n");
272 			goto skip_auth;
273 		}
274 
275 		switch (isakmp_cfg_config.authsource) {
276 		case ISAKMP_CFG_AUTH_SYSTEM:
277 			res = privsep_xauth_login_system(usr, pwd);
278 			break;
279 #ifdef HAVE_LIBRADIUS
280 		case ISAKMP_CFG_AUTH_RADIUS:
281 			res = xauth_login_radius(iph1, usr, pwd);
282 			break;
283 #endif
284 #ifdef HAVE_LIBPAM
285 		case ISAKMP_CFG_AUTH_PAM:
286 			res = privsep_xauth_login_pam(iph1->mode_cfg->port,
287 			    iph1->remote, usr, pwd);
288 			break;
289 #endif
290 #ifdef HAVE_LIBLDAP
291 		case ISAKMP_CFG_AUTH_LDAP:
292 			res = xauth_login_ldap(iph1, usr, pwd);
293 			break;
294 #endif
295 		default:
296 			plog(LLV_ERROR, LOCATION, NULL,
297 			    "Unexpected authentication source\n");
298 			res = -1;
299 			break;
300 		}
301 
302 		/*
303 		 * Optional group authentication
304 		 */
305 		if (!res && (isakmp_cfg_config.groupcount))
306 			res = group_check(iph1,
307 				isakmp_cfg_config.grouplist,
308 				isakmp_cfg_config.groupcount);
309 
310 		/*
311 		 * On failure, throttle the connexion for the remote host
312 		 * in order to make password attacks more difficult.
313 		 */
314 		throttle_delay = throttle_host(iph1->remote, res) - time(NULL);
315 		if (throttle_delay > 0) {
316 			char *str;
317 
318 			str = saddrwop2str(iph1->remote);
319 
320 			plog(LLV_ERROR, LOCATION, NULL,
321 			    "Throttling in action for %s: delay %lds\n",
322 			    str, (unsigned long)throttle_delay);
323 			res = -1;
324 		} else {
325 			throttle_delay = 0;
326 		}
327 
328 skip_auth:
329 		if (throttle_delay != 0) {
330 			struct xauth_reply_arg *xra;
331 
332 			if ((xra = racoon_malloc(sizeof(*xra))) == NULL) {
333 				plog(LLV_ERROR, LOCATION, NULL,
334 				    "malloc failed, bypass throttling\n");
335 				return xauth_reply(iph1, port, id, res);
336 			}
337 
338 			/*
339 			 * We need to store the ph1, but it might have
340 			 * disapeared when xauth_reply is called, so
341 			 * store the index instead.
342 			 */
343 			xra->index = iph1->index;
344 			xra->port = port;
345 			xra->id = id;
346 			xra->res = res;
347 			sched_new(throttle_delay, xauth_reply_stub, xra);
348 		} else {
349 			return xauth_reply(iph1, port, id, res);
350 		}
351 	}
352 
353 	return 0;
354 }
355 
356 void
xauth_reply_stub(args)357 xauth_reply_stub(args)
358 	void *args;
359 {
360 	struct xauth_reply_arg *xra = (struct xauth_reply_arg *)args;
361 	struct ph1handle *iph1;
362 
363 	if ((iph1 = getph1byindex(&xra->index)) != NULL)
364 		(void)xauth_reply(iph1, xra->port, xra->id, xra->res);
365 	else
366 		plog(LLV_ERROR, LOCATION, NULL,
367 		    "Delayed Xauth reply: phase 1 no longer exists.\n");
368 
369 	racoon_free(xra);
370 	return;
371 }
372 
373 int
xauth_reply(iph1,port,id,res)374 xauth_reply(iph1, port, id, res)
375 	struct ph1handle *iph1;
376 	int port;
377 	int id;
378 {
379 	struct xauth_state *xst = &iph1->mode_cfg->xauth;
380 	char *usr = xst->authdata.generic.usr;
381 
382 	if (res != 0) {
383 		if (port != -1)
384 			isakmp_cfg_putport(iph1, port);
385 
386 		plog(LLV_INFO, LOCATION, NULL,
387 		    "login failed for user \"%s\"\n", usr);
388 
389 		xauth_sendstatus(iph1, XAUTH_STATUS_FAIL, id);
390 		xst->status = XAUTHST_NOTYET;
391 
392 		/* Delete Phase 1 SA */
393 		if (iph1->status == PHASE1ST_ESTABLISHED)
394 			isakmp_info_send_d1(iph1);
395 		remph1(iph1);
396 		delph1(iph1);
397 
398 		return -1;
399 	}
400 
401 	xst->status = XAUTHST_OK;
402 	plog(LLV_INFO, LOCATION, NULL,
403 	    "login succeeded for user \"%s\"\n", usr);
404 
405 	xauth_sendstatus(iph1, XAUTH_STATUS_OK, id);
406 
407 	return 0;
408 }
409 
410 void
xauth_sendstatus(iph1,status,id)411 xauth_sendstatus(iph1, status, id)
412 	struct ph1handle *iph1;
413 	int status;
414 	int id;
415 {
416 	vchar_t *buffer;
417 	struct isakmp_pl_attr *attr;
418 	struct isakmp_data *stattr;
419 	size_t tlen;
420 
421 	tlen = sizeof(*attr) +
422 	       + sizeof(*stattr);
423 
424 	if ((buffer = vmalloc(tlen)) == NULL) {
425 		plog(LLV_ERROR, LOCATION, NULL, "Cannot allocate buffer\n");
426 		return;
427 	}
428 
429 	attr = (struct isakmp_pl_attr *)buffer->v;
430 	memset(attr, 0, tlen);
431 
432 	attr->h.len = htons(tlen);
433 	attr->type = ISAKMP_CFG_SET;
434 	attr->id = htons(id);
435 
436 	stattr = (struct isakmp_data *)(attr + 1);
437 	stattr->type = htons(XAUTH_STATUS | ISAKMP_GEN_TV);
438 	stattr->lorv = htons(status);
439 
440 	isakmp_cfg_send(iph1, buffer,
441 	    ISAKMP_NPTYPE_ATTR, ISAKMP_FLAG_E, 1);
442 
443 	vfree(buffer);
444 
445 	return;
446 }
447 
448 #ifdef HAVE_LIBRADIUS
449 int
xauth_radius_init(void)450 xauth_radius_init(void)
451 {
452 	/* For first time use, initialize Radius */
453 	if ((isakmp_cfg_config.authsource == ISAKMP_CFG_AUTH_RADIUS) &&
454 	    (radius_auth_state == NULL)) {
455 		if ((radius_auth_state = rad_auth_open()) == NULL) {
456 			plog(LLV_ERROR, LOCATION, NULL,
457 			    "Cannot init libradius\n");
458 			return -1;
459 		}
460 
461 		if (rad_config(radius_auth_state, NULL) != 0) {
462 			plog(LLV_ERROR, LOCATION, NULL,
463 			    "Cannot open librarius config file: %s\n",
464 			    rad_strerror(radius_auth_state));
465 			rad_close(radius_auth_state);
466 			radius_auth_state = NULL;
467 			return -1;
468 		}
469 	}
470 
471 	if ((isakmp_cfg_config.accounting == ISAKMP_CFG_ACCT_RADIUS) &&
472 	    (radius_acct_state == NULL)) {
473 		if ((radius_acct_state = rad_acct_open()) == NULL) {
474 			plog(LLV_ERROR, LOCATION, NULL,
475 			    "Cannot init libradius\n");
476 			return -1;
477 		}
478 
479 		if (rad_config(radius_acct_state, NULL) != 0) {
480 			plog(LLV_ERROR, LOCATION, NULL,
481 			    "Cannot open librarius config file: %s\n",
482 			    rad_strerror(radius_acct_state));
483 			rad_close(radius_acct_state);
484 			radius_acct_state = NULL;
485 			return -1;
486 		}
487 	}
488 
489 	return 0;
490 }
491 
492 int
xauth_login_radius(iph1,usr,pwd)493 xauth_login_radius(iph1, usr, pwd)
494 	struct ph1handle *iph1;
495 	char *usr;
496 	char *pwd;
497 {
498 	int res;
499 	const void *data;
500 	size_t len;
501 	int type;
502 
503 	if (rad_create_request(radius_auth_state, RAD_ACCESS_REQUEST) != 0) {
504 		plog(LLV_ERROR, LOCATION, NULL,
505 		    "rad_create_request failed: %s\n",
506 		    rad_strerror(radius_auth_state));
507 		return -1;
508 	}
509 
510 	if (rad_put_string(radius_auth_state, RAD_USER_NAME, usr) != 0) {
511 		plog(LLV_ERROR, LOCATION, NULL,
512 		    "rad_put_string failed: %s\n",
513 		    rad_strerror(radius_auth_state));
514 		return -1;
515 	}
516 
517 	if (rad_put_string(radius_auth_state, RAD_USER_PASSWORD, pwd) != 0) {
518 		plog(LLV_ERROR, LOCATION, NULL,
519 		    "rad_put_string failed: %s\n",
520 		    rad_strerror(radius_auth_state));
521 		return -1;
522 	}
523 
524 	if (isakmp_cfg_radius_common(radius_auth_state, iph1->mode_cfg->port) != 0)
525 		return -1;
526 
527 	switch (res = rad_send_request(radius_auth_state)) {
528 	case RAD_ACCESS_ACCEPT:
529 		while ((type = rad_get_attr(radius_auth_state, &data, &len)) != 0) {
530 			switch (type) {
531 			case RAD_FRAMED_IP_ADDRESS:
532 				iph1->mode_cfg->addr4 = rad_cvt_addr(data);
533 				iph1->mode_cfg->flags
534 				    |= ISAKMP_CFG_ADDR4_EXTERN;
535 				break;
536 
537 			case RAD_FRAMED_IP_NETMASK:
538 				iph1->mode_cfg->mask4 = rad_cvt_addr(data);
539 				iph1->mode_cfg->flags
540 				    |= ISAKMP_CFG_MASK4_EXTERN;
541 				break;
542 
543 			default:
544 				plog(LLV_INFO, LOCATION, NULL,
545 				    "Unexpected attribute: %d\n", type);
546 				break;
547 			}
548 		}
549 
550 		return 0;
551 		break;
552 
553 	case RAD_ACCESS_REJECT:
554 		return -1;
555 		break;
556 
557 	case -1:
558 		plog(LLV_ERROR, LOCATION, NULL,
559 		    "rad_send_request failed: %s\n",
560 		    rad_strerror(radius_auth_state));
561 		return -1;
562 		break;
563 	default:
564 		plog(LLV_ERROR, LOCATION, NULL,
565 		    "rad_send_request returned %d\n", res);
566 		return -1;
567 		break;
568 	}
569 
570 	return -1;
571 }
572 #endif
573 
574 #ifdef HAVE_LIBPAM
575 static int
PAM_conv(msg_count,msg,rsp,dontcare)576 PAM_conv(msg_count, msg, rsp, dontcare)
577 	int msg_count;
578 	const struct pam_message **msg;
579 	struct pam_response **rsp;
580 	void *dontcare;
581 {
582 	int i;
583 	int replies = 0;
584 	struct pam_response *reply = NULL;
585 
586 	if ((reply = racoon_malloc(sizeof(*reply) * msg_count)) == NULL)
587 		return PAM_CONV_ERR;
588 	bzero(reply, sizeof(*reply) * msg_count);
589 
590 	for (i = 0; i < msg_count; i++) {
591 		switch (msg[i]->msg_style) {
592 		case PAM_PROMPT_ECHO_ON:
593 			/* Send the username, libpam frees resp */
594 			reply[i].resp_retcode = PAM_SUCCESS;
595 			if ((reply[i].resp = strdup(PAM_usr)) == NULL) {
596 				plog(LLV_ERROR, LOCATION,
597 				    NULL, "strdup failed\n");
598 				exit(1);
599 			}
600 			break;
601 
602 		case PAM_PROMPT_ECHO_OFF:
603 			/* Send the password, libpam frees resp */
604 			reply[i].resp_retcode = PAM_SUCCESS;
605 			if ((reply[i].resp = strdup(PAM_pwd)) == NULL) {
606 				plog(LLV_ERROR, LOCATION,
607 				    NULL, "strdup failed\n");
608 				exit(1);
609 			}
610 			break;
611 
612 		case PAM_TEXT_INFO:
613 		case PAM_ERROR_MSG:
614 			reply[i].resp_retcode = PAM_SUCCESS;
615 			reply[i].resp = NULL;
616 			break;
617 
618 		default:
619 			if (reply != NULL)
620 				racoon_free(reply);
621 			return PAM_CONV_ERR;
622 			break;
623 		}
624 	}
625 
626 	if (reply != NULL)
627 		*rsp = reply;
628 
629 	return PAM_SUCCESS;
630 }
631 
632 int
xauth_login_pam(port,raddr,usr,pwd)633 xauth_login_pam(port, raddr, usr, pwd)
634 	int port;
635 	struct sockaddr *raddr;
636 	char *usr;
637 	char *pwd;
638 {
639 	int error;
640 	int res;
641 	const void *data;
642 	size_t len;
643 	int type;
644 	char *remote = NULL;
645 	pam_handle_t *pam = NULL;
646 
647 	if (isakmp_cfg_config.port_pool == NULL) {
648 		plog(LLV_ERROR, LOCATION, NULL,
649 		    "isakmp_cfg_config.port_pool == NULL\n");
650 		return -1;
651 	}
652 
653 	if ((error = pam_start("racoon", usr,
654 	    &PAM_chat, &isakmp_cfg_config.port_pool[port].pam)) != 0) {
655 		if (isakmp_cfg_config.port_pool[port].pam == NULL) {
656 			plog(LLV_ERROR, LOCATION, NULL, "pam_start failed\n");
657 			return -1;
658 		} else {
659 			plog(LLV_ERROR, LOCATION, NULL,
660 			    "pam_start failed: %s\n",
661 			    pam_strerror(isakmp_cfg_config.port_pool[port].pam,
662 			    error));
663 			goto out;
664 		}
665 	}
666 	pam = isakmp_cfg_config.port_pool[port].pam;
667 
668 	if ((remote = strdup(saddrwop2str(raddr))) == NULL) {
669 		plog(LLV_ERROR, LOCATION, NULL,
670 		    "cannot allocate memory: %s\n", strerror(errno));
671 		goto out;
672 	}
673 
674 	if ((error = pam_set_item(pam, PAM_RHOST, remote)) != 0) {
675 		plog(LLV_ERROR, LOCATION, NULL,
676 		    "pam_set_item failed: %s\n",
677 		    pam_strerror(pam, error));
678 		goto out;
679 	}
680 
681 	PAM_usr = usr;
682 	PAM_pwd = pwd;
683 	error = pam_authenticate(pam, 0);
684 	PAM_usr = NULL;
685 	PAM_pwd = NULL;
686 	if (error != 0) {
687 		plog(LLV_ERROR, LOCATION, NULL,
688 		    "pam_authenticate failed: %s\n",
689 		    pam_strerror(pam, error));
690 		goto out;
691 	}
692 
693 	if ((error = pam_acct_mgmt(pam, 0)) != 0) {
694 		plog(LLV_ERROR, LOCATION, NULL,
695 		    "pam_acct_mgmt failed: %s\n",
696 		    pam_strerror(pam, error));
697 		goto out;
698 	}
699 
700 	if ((error = pam_setcred(pam, 0)) != 0) {
701 		plog(LLV_ERROR, LOCATION, NULL,
702 		    "pam_setcred failed: %s\n",
703 		    pam_strerror(pam, error));
704 		goto out;
705 	}
706 
707 	if (remote != NULL)
708 		free(remote);
709 
710 	return 0;
711 
712 out:
713 	pam_end(pam, error);
714 	isakmp_cfg_config.port_pool[port].pam = NULL;
715 	if (remote != NULL)
716 		free(remote);
717 	return -1;
718 }
719 #endif
720 
721 #ifdef HAVE_LIBLDAP
722 int
xauth_ldap_init(void)723 xauth_ldap_init(void)
724 {
725 	int tmplen;
726 	int error = -1;
727 
728 	xauth_ldap_config.pver = 3;
729 	xauth_ldap_config.host = NULL;
730 	xauth_ldap_config.port = LDAP_PORT;
731 	xauth_ldap_config.base = NULL;
732 	xauth_ldap_config.subtree = 0;
733 	xauth_ldap_config.bind_dn = NULL;
734 	xauth_ldap_config.bind_pw = NULL;
735 	xauth_ldap_config.auth_type = LDAP_AUTH_SIMPLE;
736 	xauth_ldap_config.attr_user = NULL;
737 	xauth_ldap_config.attr_addr = NULL;
738 	xauth_ldap_config.attr_mask = NULL;
739 	xauth_ldap_config.attr_group = NULL;
740 	xauth_ldap_config.attr_member = NULL;
741 
742 	/* set default host */
743 	tmplen = strlen(LDAP_DFLT_HOST);
744 	xauth_ldap_config.host = vmalloc(tmplen);
745 	if (xauth_ldap_config.host == NULL)
746 		goto out;
747 	memcpy(xauth_ldap_config.host->v, LDAP_DFLT_HOST, tmplen);
748 
749 	/* set default user naming attribute */
750 	tmplen = strlen(LDAP_DFLT_USER);
751 	xauth_ldap_config.attr_user = vmalloc(tmplen);
752 	if (xauth_ldap_config.attr_user == NULL)
753 		goto out;
754 	memcpy(xauth_ldap_config.attr_user->v, LDAP_DFLT_USER, tmplen);
755 
756 	/* set default address attribute */
757 	tmplen = strlen(LDAP_DFLT_ADDR);
758 	xauth_ldap_config.attr_addr = vmalloc(tmplen);
759 	if (xauth_ldap_config.attr_addr == NULL)
760 		goto out;
761 	memcpy(xauth_ldap_config.attr_addr->v, LDAP_DFLT_ADDR, tmplen);
762 
763 	/* set default netmask attribute */
764 	tmplen = strlen(LDAP_DFLT_MASK);
765 	xauth_ldap_config.attr_mask = vmalloc(tmplen);
766 	if (xauth_ldap_config.attr_mask == NULL)
767 		goto out;
768 	memcpy(xauth_ldap_config.attr_mask->v, LDAP_DFLT_MASK, tmplen);
769 
770 	/* set default group naming attribute */
771 	tmplen = strlen(LDAP_DFLT_GROUP);
772 	xauth_ldap_config.attr_group = vmalloc(tmplen);
773 	if (xauth_ldap_config.attr_group == NULL)
774 		goto out;
775 	memcpy(xauth_ldap_config.attr_group->v, LDAP_DFLT_GROUP, tmplen);
776 
777 	/* set default member attribute */
778 	tmplen = strlen(LDAP_DFLT_MEMBER);
779 	xauth_ldap_config.attr_member = vmalloc(tmplen);
780 	if (xauth_ldap_config.attr_member == NULL)
781 		goto out;
782 	memcpy(xauth_ldap_config.attr_member->v, LDAP_DFLT_MEMBER, tmplen);
783 
784 	error = 0;
785 out:
786 	if (error != 0)
787 		plog(LLV_ERROR, LOCATION, NULL, "cannot allocate memory\n");
788 
789 	return error;
790 }
791 
792 int
xauth_login_ldap(iph1,usr,pwd)793 xauth_login_ldap(iph1, usr, pwd)
794 	struct ph1handle *iph1;
795 	char *usr;
796 	char *pwd;
797 {
798 	int rtn = -1;
799 	int res = -1;
800 	LDAP *ld = NULL;
801 	LDAPMessage *lr = NULL;
802 	LDAPMessage *le = NULL;
803 	struct berval cred;
804 	struct berval **bv = NULL;
805 	struct timeval timeout;
806 	char *init = NULL;
807 	char *filter = NULL;
808 	char *atlist[3];
809 	char *basedn = NULL;
810 	char *userdn = NULL;
811 	int tmplen = 0;
812 	int ecount = 0;
813 	int scope = LDAP_SCOPE_ONE;
814 
815 	atlist[0] = NULL;
816 	atlist[1] = NULL;
817 	atlist[2] = NULL;
818 
819 	/* build our initialization url */
820 	tmplen = strlen("ldap://:") + 17;
821 	tmplen += strlen(xauth_ldap_config.host->v);
822 	init = racoon_malloc(tmplen);
823 	if (init == NULL) {
824 		plog(LLV_ERROR, LOCATION, NULL,
825 			"unable to alloc ldap init url\n");
826 		goto ldap_end;
827 	}
828 	sprintf(init,"ldap://%s:%d",
829 		xauth_ldap_config.host->v,
830 		xauth_ldap_config.port );
831 
832 	/* initialize the ldap handle */
833 	res = ldap_initialize(&ld, init);
834 	if (res != LDAP_SUCCESS) {
835 		plog(LLV_ERROR, LOCATION, NULL,
836 			"ldap_initialize failed: %s\n",
837 			ldap_err2string(res));
838 		goto ldap_end;
839 	}
840 
841 	/* initialize the protocol version */
842 	ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION,
843 		&xauth_ldap_config.pver);
844 
845 	/*
846 	 * attempt to bind to the ldap server.
847          * default to anonymous bind unless a
848 	 * user dn and password has been
849 	 * specified in our configuration
850          */
851 	if ((xauth_ldap_config.bind_dn != NULL)&&
852 	    (xauth_ldap_config.bind_pw != NULL))
853 	{
854 		cred.bv_val = xauth_ldap_config.bind_pw->v;
855 		cred.bv_len = strlen( cred.bv_val );
856 		res = ldap_sasl_bind_s(ld,
857 			xauth_ldap_config.bind_dn->v, NULL, &cred,
858 			NULL, NULL, NULL);
859 	}
860 	else
861 	{
862 		res = ldap_sasl_bind_s(ld,
863 			NULL, NULL, NULL,
864 			NULL, NULL, NULL);
865 	}
866 
867 	if (res!=LDAP_SUCCESS) {
868 		plog(LLV_ERROR, LOCATION, NULL,
869 			"ldap_sasl_bind_s (search) failed: %s\n",
870 			ldap_err2string(res));
871 		goto ldap_end;
872 	}
873 
874 	/* build an ldap user search filter */
875 	tmplen = strlen(xauth_ldap_config.attr_user->v);
876 	tmplen += 1;
877 	tmplen += strlen(usr);
878 	tmplen += 1;
879 	filter = racoon_malloc(tmplen);
880 	if (filter == NULL) {
881 		plog(LLV_ERROR, LOCATION, NULL,
882 			"unable to alloc ldap search filter buffer\n");
883 		goto ldap_end;
884 	}
885 	sprintf(filter, "%s=%s",
886 		xauth_ldap_config.attr_user->v, usr);
887 
888 	/* build our return attribute list */
889 	tmplen = strlen(xauth_ldap_config.attr_addr->v) + 1;
890 	atlist[0] = racoon_malloc(tmplen);
891 	tmplen = strlen(xauth_ldap_config.attr_mask->v) + 1;
892 	atlist[1] = racoon_malloc(tmplen);
893 	if ((atlist[0] == NULL)||(atlist[1] == NULL)) {
894 		plog(LLV_ERROR, LOCATION, NULL,
895 			"unable to alloc ldap attrib list buffer\n");
896 		goto ldap_end;
897 	}
898 	strcpy(atlist[0],xauth_ldap_config.attr_addr->v);
899 	strcpy(atlist[1],xauth_ldap_config.attr_mask->v);
900 
901 	/* attempt to locate the user dn */
902 	if (xauth_ldap_config.base != NULL)
903 		basedn = xauth_ldap_config.base->v;
904 	if (xauth_ldap_config.subtree)
905 		scope = LDAP_SCOPE_SUBTREE;
906 	timeout.tv_sec = 15;
907 	timeout.tv_usec = 0;
908 	res = ldap_search_ext_s(ld, basedn, scope,
909 		filter, atlist, 0, NULL, NULL,
910 		&timeout, 2, &lr);
911 	if (res != LDAP_SUCCESS) {
912 		plog(LLV_ERROR, LOCATION, NULL,
913 			"ldap_search_ext_s failed: %s\n",
914 			ldap_err2string(res));
915 		goto ldap_end;
916 	}
917 
918 	/* check the number of ldap entries returned */
919 	ecount = ldap_count_entries(ld, lr);
920 	if (ecount < 1) {
921 		plog(LLV_WARNING, LOCATION, NULL,
922 			"no ldap results for filter \'%s\'\n",
923 			 filter);
924 		goto ldap_end;
925 	}
926 	if (ecount > 1) {
927 		plog(LLV_WARNING, LOCATION, NULL,
928 			"multiple (%i) ldap results for filter \'%s\'\n",
929 			ecount, filter);
930 	}
931 
932 	/* obtain the dn from the first result */
933 	le = ldap_first_entry(ld, lr);
934 	if (le == NULL) {
935 		plog(LLV_ERROR, LOCATION, NULL,
936 			"ldap_first_entry failed: invalid entry returned\n");
937 		goto ldap_end;
938 	}
939 	userdn = ldap_get_dn(ld, le);
940 	if (userdn == NULL) {
941 		plog(LLV_ERROR, LOCATION, NULL,
942 			"ldap_get_dn failed: invalid string returned\n");
943 		goto ldap_end;
944 	}
945 
946 	/* cache the user dn in the xauth state */
947 	iph1->mode_cfg->xauth.udn = racoon_malloc(strlen(userdn)+1);
948 	strcpy(iph1->mode_cfg->xauth.udn,userdn);
949 
950 	/* retrieve modecfg address */
951 	bv = ldap_get_values_len(ld, le, xauth_ldap_config.attr_addr->v);
952 	if (bv != NULL)	{
953 		char tmpaddr[16];
954 		/* sanity check for address value */
955 		if ((bv[0]->bv_len < 7)||(bv[0]->bv_len > 15)) {
956 			plog(LLV_DEBUG, LOCATION, NULL,
957 				"ldap returned invalid modecfg address\n");
958 			ldap_value_free_len(bv);
959 			goto ldap_end;
960 		}
961 		memcpy(tmpaddr,bv[0]->bv_val,bv[0]->bv_len);
962 		tmpaddr[bv[0]->bv_len]=0;
963 		iph1->mode_cfg->addr4.s_addr = inet_addr(tmpaddr);
964 		iph1->mode_cfg->flags |= ISAKMP_CFG_ADDR4_EXTERN;
965 		plog(LLV_INFO, LOCATION, NULL,
966 			"ldap returned modecfg address %s\n", tmpaddr);
967 		ldap_value_free_len(bv);
968 	}
969 
970 	/* retrieve modecfg netmask */
971 	bv = ldap_get_values_len(ld, le, xauth_ldap_config.attr_mask->v);
972 	if (bv != NULL)	{
973 		char tmpmask[16];
974 		/* sanity check for netmask value */
975 		if ((bv[0]->bv_len < 7)||(bv[0]->bv_len > 15)) {
976 			plog(LLV_DEBUG, LOCATION, NULL,
977 				"ldap returned invalid modecfg netmask\n");
978 			ldap_value_free_len(bv);
979 			goto ldap_end;
980 		}
981 		memcpy(tmpmask,bv[0]->bv_val,bv[0]->bv_len);
982 		tmpmask[bv[0]->bv_len]=0;
983 		iph1->mode_cfg->mask4.s_addr = inet_addr(tmpmask);
984 		iph1->mode_cfg->flags |= ISAKMP_CFG_MASK4_EXTERN;
985 		plog(LLV_INFO, LOCATION, NULL,
986 			"ldap returned modecfg netmask %s\n", tmpmask);
987 		ldap_value_free_len(bv);
988 	}
989 
990 	/*
991 	 * finally, use the dn and the xauth
992 	 * password to check the users given
993 	 * credentials by attempting to bind
994 	 * to the ldap server
995 	 */
996 	plog(LLV_INFO, LOCATION, NULL,
997 		"attempting ldap bind for dn \'%s\'\n", userdn);
998 	cred.bv_val = pwd;
999 	cred.bv_len = strlen( cred.bv_val );
1000 	res = ldap_sasl_bind_s(ld,
1001 		userdn, NULL, &cred,
1002 		NULL, NULL, NULL);
1003         if(res==LDAP_SUCCESS)
1004 		rtn = 0;
1005 
1006 ldap_end:
1007 
1008 	/* free ldap resources */
1009 	if (userdn != NULL)
1010 		ldap_memfree(userdn);
1011 	if (atlist[0] != NULL)
1012 		racoon_free(atlist[0]);
1013 	if (atlist[1] != NULL)
1014 		racoon_free(atlist[1]);
1015 	if (filter != NULL)
1016 		racoon_free(filter);
1017 	if (lr != NULL)
1018 		ldap_msgfree(lr);
1019 	if (init != NULL)
1020 		racoon_free(init);
1021 
1022 	ldap_unbind_ext_s(ld, NULL, NULL);
1023 
1024 	return rtn;
1025 }
1026 
1027 int
xauth_group_ldap(udn,grp)1028 xauth_group_ldap(udn, grp)
1029 	char * udn;
1030 	char * grp;
1031 {
1032 	int rtn = -1;
1033 	int res = -1;
1034 	LDAP *ld = NULL;
1035 	LDAPMessage *lr = NULL;
1036 	LDAPMessage *le = NULL;
1037 	struct berval cred;
1038 	struct timeval timeout;
1039 	char *init = NULL;
1040 	char *filter = NULL;
1041 	char *basedn = NULL;
1042 	char *groupdn = NULL;
1043 	int tmplen = 0;
1044 	int ecount = 0;
1045 	int scope = LDAP_SCOPE_ONE;
1046 
1047 	/* build our initialization url */
1048 	tmplen = strlen("ldap://:") + 17;
1049 	tmplen += strlen(xauth_ldap_config.host->v);
1050 	init = racoon_malloc(tmplen);
1051 	if (init == NULL) {
1052 		plog(LLV_ERROR, LOCATION, NULL,
1053 			"unable to alloc ldap init url\n");
1054 		goto ldap_group_end;
1055 	}
1056 	sprintf(init,"ldap://%s:%d",
1057 		xauth_ldap_config.host->v,
1058 		xauth_ldap_config.port );
1059 
1060 	/* initialize the ldap handle */
1061 	res = ldap_initialize(&ld, init);
1062 	if (res != LDAP_SUCCESS) {
1063 		plog(LLV_ERROR, LOCATION, NULL,
1064 			"ldap_initialize failed: %s\n",
1065 			ldap_err2string(res));
1066 		goto ldap_group_end;
1067 	}
1068 
1069 	/* initialize the protocol version */
1070 	ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION,
1071 		&xauth_ldap_config.pver);
1072 
1073 	/*
1074 	 * attempt to bind to the ldap server.
1075          * default to anonymous bind unless a
1076 	 * user dn and password has been
1077 	 * specified in our configuration
1078          */
1079 	if ((xauth_ldap_config.bind_dn != NULL)&&
1080 	    (xauth_ldap_config.bind_pw != NULL))
1081 	{
1082 		cred.bv_val = xauth_ldap_config.bind_pw->v;
1083 		cred.bv_len = strlen( cred.bv_val );
1084 		res = ldap_sasl_bind_s(ld,
1085 			xauth_ldap_config.bind_dn->v, NULL, &cred,
1086 			NULL, NULL, NULL);
1087 	}
1088 	else
1089 	{
1090 		res = ldap_sasl_bind_s(ld,
1091 			NULL, NULL, NULL,
1092 			NULL, NULL, NULL);
1093 	}
1094 
1095 	if (res!=LDAP_SUCCESS) {
1096 		plog(LLV_ERROR, LOCATION, NULL,
1097 			"ldap_sasl_bind_s (search) failed: %s\n",
1098 			ldap_err2string(res));
1099 		goto ldap_group_end;
1100 	}
1101 
1102 	/* build an ldap group search filter */
1103 	tmplen = strlen("(&(=)(=))") + 1;
1104 	tmplen += strlen(xauth_ldap_config.attr_group->v);
1105 	tmplen += strlen(grp);
1106 	tmplen += strlen(xauth_ldap_config.attr_member->v);
1107 	tmplen += strlen(udn);
1108 	filter = racoon_malloc(tmplen);
1109 	if (filter == NULL) {
1110 		plog(LLV_ERROR, LOCATION, NULL,
1111 			"unable to alloc ldap search filter buffer\n");
1112 		goto ldap_group_end;
1113 	}
1114 	sprintf(filter, "(&(%s=%s)(%s=%s))",
1115 		xauth_ldap_config.attr_group->v, grp,
1116 		xauth_ldap_config.attr_member->v, udn);
1117 
1118 	/* attempt to locate the group dn */
1119 	if (xauth_ldap_config.base != NULL)
1120 		basedn = xauth_ldap_config.base->v;
1121 	if (xauth_ldap_config.subtree)
1122 		scope = LDAP_SCOPE_SUBTREE;
1123 	timeout.tv_sec = 15;
1124 	timeout.tv_usec = 0;
1125 	res = ldap_search_ext_s(ld, basedn, scope,
1126 		filter, NULL, 0, NULL, NULL,
1127 		&timeout, 2, &lr);
1128 	if (res != LDAP_SUCCESS) {
1129 		plog(LLV_ERROR, LOCATION, NULL,
1130 			"ldap_search_ext_s failed: %s\n",
1131 			ldap_err2string(res));
1132 		goto ldap_group_end;
1133 	}
1134 
1135 	/* check the number of ldap entries returned */
1136 	ecount = ldap_count_entries(ld, lr);
1137 	if (ecount < 1) {
1138 		plog(LLV_WARNING, LOCATION, NULL,
1139 			"no ldap results for filter \'%s\'\n",
1140 			 filter);
1141 		goto ldap_group_end;
1142 	}
1143 
1144 	/* success */
1145 	rtn = 0;
1146 
1147 	/* obtain the dn from the first result */
1148 	le = ldap_first_entry(ld, lr);
1149 	if (le == NULL) {
1150 		plog(LLV_ERROR, LOCATION, NULL,
1151 			"ldap_first_entry failed: invalid entry returned\n");
1152 		goto ldap_group_end;
1153 	}
1154 	groupdn = ldap_get_dn(ld, le);
1155 	if (groupdn == NULL) {
1156 		plog(LLV_ERROR, LOCATION, NULL,
1157 			"ldap_get_dn failed: invalid string returned\n");
1158 		goto ldap_group_end;
1159 	}
1160 
1161 	plog(LLV_INFO, LOCATION, NULL,
1162 		"ldap membership group returned \'%s\'\n", groupdn);
1163 ldap_group_end:
1164 
1165 	/* free ldap resources */
1166 	if (groupdn != NULL)
1167 		ldap_memfree(groupdn);
1168 	if (filter != NULL)
1169 		racoon_free(filter);
1170 	if (lr != NULL)
1171 		ldap_msgfree(lr);
1172 	if (init != NULL)
1173 		racoon_free(init);
1174 
1175 	ldap_unbind_ext_s(ld, NULL, NULL);
1176 
1177 	return rtn;
1178 }
1179 
1180 #endif
1181 
1182 #ifndef ANDROID_PATCHED
1183 
1184 int
xauth_login_system(usr,pwd)1185 xauth_login_system(usr, pwd)
1186 	char *usr;
1187 	char *pwd;
1188 {
1189 	struct passwd *pw;
1190 	char *cryptpwd;
1191 	char *syscryptpwd;
1192 #ifdef HAVE_SHADOW_H
1193 	struct spwd *spw;
1194 
1195 	if ((spw = getspnam(usr)) == NULL)
1196 		return -1;
1197 
1198 	syscryptpwd = spw->sp_pwdp;
1199 #endif
1200 
1201 	if ((pw = getpwnam(usr)) == NULL)
1202 		return -1;
1203 
1204 #ifndef HAVE_SHADOW_H
1205 	syscryptpwd = pw->pw_passwd;
1206 #endif
1207 
1208 	/* No root login. Ever. */
1209 	if (pw->pw_uid == 0)
1210 		return -1;
1211 
1212 	if ((cryptpwd = crypt(pwd, syscryptpwd)) == NULL)
1213 		return -1;
1214 
1215 	if (strcmp(cryptpwd, syscryptpwd) == 0)
1216 		return 0;
1217 
1218 	return -1;
1219 }
1220 
1221 #endif
1222 
1223 int
xauth_group_system(usr,grp)1224 xauth_group_system(usr, grp)
1225 	char * usr;
1226 	char * grp;
1227 {
1228 	struct group * gr;
1229 	char * member;
1230 	int index = 0;
1231 
1232 	gr = getgrnam(grp);
1233 	if (gr == NULL) {
1234 		plog(LLV_ERROR, LOCATION, NULL,
1235 			"the system group name \'%s\' is unknown\n",
1236 			grp);
1237 		return -1;
1238 	}
1239 
1240 	while ((member = gr->gr_mem[index++])!=NULL) {
1241 		if (!strcmp(member,usr)) {
1242 			plog(LLV_INFO, LOCATION, NULL,
1243 		                "membership validated\n");
1244 			return 0;
1245 		}
1246 	}
1247 
1248 	return -1;
1249 }
1250 
1251 int
xauth_check(iph1)1252 xauth_check(iph1)
1253 	struct ph1handle *iph1;
1254 {
1255 	struct xauth_state *xst = &iph1->mode_cfg->xauth;
1256 
1257 	/*
1258  	 * Only the server side (edge device) really check for Xauth
1259 	 * status. It does it if the chose authmethod is using Xauth.
1260 	 * On the client side (roadwarrior), we don't check anything.
1261 	 */
1262 	switch (AUTHMETHOD(iph1)) {
1263 	case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_R:
1264 	case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_R:
1265 	case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_R:
1266 	/* The following are not yet implemented */
1267 	case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_R:
1268 	case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_R:
1269 	case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_R:
1270 	case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_R:
1271 		if ((iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_XAUTH) == 0) {
1272 			plog(LLV_ERROR, LOCATION, NULL,
1273 			    "Hybrid auth negotiated but peer did not "
1274 			    "announced as Xauth capable\n");
1275 			return -1;
1276 		}
1277 
1278 		if (xst->status != XAUTHST_OK) {
1279 			plog(LLV_ERROR, LOCATION, NULL,
1280 			    "Hybrid auth negotiated but peer did not "
1281 			    "succeed Xauth exchange\n");
1282 			return -1;
1283 		}
1284 
1285 		return 0;
1286 		break;
1287 	default:
1288 		return 0;
1289 		break;
1290 	}
1291 
1292 	return 0;
1293 }
1294 
1295 int
group_check(iph1,grp_list,grp_count)1296 group_check(iph1, grp_list, grp_count)
1297 	struct ph1handle *iph1;
1298 	char **grp_list;
1299 	int grp_count;
1300 {
1301 	int res = -1;
1302 	int grp_index = 0;
1303 	char * usr = NULL;
1304 
1305 	/* check for presence of modecfg data */
1306 
1307 	if(iph1->mode_cfg == NULL) {
1308 		plog(LLV_ERROR, LOCATION, NULL,
1309 			"xauth group specified but modecfg not found\n");
1310 		return res;
1311 	}
1312 
1313 	/* loop through our group list */
1314 
1315 	for(; grp_index < grp_count; grp_index++) {
1316 
1317 		/* check for presence of xauth data */
1318 
1319 		usr = iph1->mode_cfg->xauth.authdata.generic.usr;
1320 
1321 		if(usr == NULL) {
1322 			plog(LLV_ERROR, LOCATION, NULL,
1323 				"xauth group specified but xauth not found\n");
1324 			return res;
1325 		}
1326 
1327 		/* call appropriate group validation funtion */
1328 
1329 		switch (isakmp_cfg_config.groupsource) {
1330 
1331 			case ISAKMP_CFG_GROUP_SYSTEM:
1332 				res = xauth_group_system(
1333 					usr,
1334 					grp_list[grp_index]);
1335 				break;
1336 
1337 #ifdef HAVE_LIBLDAP
1338 			case ISAKMP_CFG_GROUP_LDAP:
1339 				res = xauth_group_ldap(
1340 					iph1->mode_cfg->xauth.udn,
1341 					grp_list[grp_index]);
1342 				break;
1343 #endif
1344 
1345 			default:
1346 				/* we should never get here */
1347 				plog(LLV_ERROR, LOCATION, NULL,
1348 				    "Unknown group auth source\n");
1349 				break;
1350 		}
1351 
1352 		if( !res ) {
1353 			plog(LLV_INFO, LOCATION, NULL,
1354 				"user \"%s\" is a member of group \"%s\"\n",
1355 				usr,
1356 				grp_list[grp_index]);
1357 			break;
1358 		} else {
1359 			plog(LLV_INFO, LOCATION, NULL,
1360 				"user \"%s\" is not a member of group \"%s\"\n",
1361 				usr,
1362 				grp_list[grp_index]);
1363 		}
1364 	}
1365 
1366 	return res;
1367 }
1368 
1369 vchar_t *
isakmp_xauth_req(iph1,attr)1370 isakmp_xauth_req(iph1, attr)
1371 	struct ph1handle *iph1;
1372 	struct isakmp_data *attr;
1373 {
1374 	int type;
1375 	size_t dlen = 0;
1376 	int ashort = 0;
1377 	int value = 0;
1378 	vchar_t *buffer = NULL;
1379 	char *mraw = NULL, *mdata;
1380 	char *data;
1381 	vchar_t *usr = NULL;
1382 	vchar_t *pwd = NULL;
1383 	size_t skip = 0;
1384 	int freepwd = 0;
1385 
1386 	if ((iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_XAUTH) == 0) {
1387 		plog(LLV_ERROR, LOCATION, NULL,
1388 		    "Xauth mode config request but peer "
1389 		    "did not declare itself as Xauth capable\n");
1390 		return NULL;
1391 	}
1392 
1393 	type = ntohs(attr->type) & ~ISAKMP_GEN_MASK;
1394 
1395 	/* Sanity checks */
1396 	switch(type) {
1397 	case XAUTH_TYPE:
1398 		if ((ntohs(attr->type) & ISAKMP_GEN_TV) == 0) {
1399 			plog(LLV_ERROR, LOCATION, NULL,
1400 			    "Unexpected long XAUTH_TYPE attribute\n");
1401 			return NULL;
1402 		}
1403 		if (ntohs(attr->lorv) != XAUTH_TYPE_GENERIC) {
1404 			plog(LLV_ERROR, LOCATION, NULL,
1405 			    "Unsupported Xauth authentication %d\n",
1406 			    ntohs(attr->lorv));
1407 			return NULL;
1408 		}
1409 		ashort = 1;
1410 		dlen = 0;
1411 		value = XAUTH_TYPE_GENERIC;
1412 		break;
1413 
1414 	case XAUTH_USER_NAME:
1415 		if (!iph1->rmconf->xauth || !iph1->rmconf->xauth->login) {
1416 			plog(LLV_ERROR, LOCATION, NULL, "Xauth performed "
1417 			    "with no login supplied\n");
1418 			return NULL;
1419 		}
1420 
1421 		dlen = iph1->rmconf->xauth->login->l - 1;
1422 		iph1->rmconf->xauth->state |= XAUTH_SENT_USERNAME;
1423 		break;
1424 
1425 #ifdef ANDROID_PATCHED
1426         case XAUTH_PASSCODE:
1427 #endif
1428 	case XAUTH_USER_PASSWORD:
1429 		if (!iph1->rmconf->xauth || !iph1->rmconf->xauth->login)
1430 			return NULL;
1431 
1432 		skip = sizeof(struct ipsecdoi_id_b);
1433 		usr = vmalloc(iph1->rmconf->xauth->login->l - 1 + skip);
1434 		if (usr == NULL) {
1435 			plog(LLV_ERROR, LOCATION, NULL,
1436 			    "Cannot allocate memory\n");
1437 			return NULL;
1438 		}
1439 		memset(usr->v, 0, skip);
1440 		memcpy(usr->v + skip,
1441 		    iph1->rmconf->xauth->login->v,
1442 		    iph1->rmconf->xauth->login->l - 1);
1443 
1444 		if (iph1->rmconf->xauth->pass) {
1445 			/* A key given through racoonctl */
1446 			pwd = iph1->rmconf->xauth->pass;
1447 		} else {
1448 			if ((pwd = getpskbyname(usr)) == NULL) {
1449 				plog(LLV_ERROR, LOCATION, NULL,
1450 				    "No password was found for login %s\n",
1451 				    iph1->rmconf->xauth->login->v);
1452 				vfree(usr);
1453 				return NULL;
1454 			}
1455 			/* We have to free it before returning */
1456 			freepwd = 1;
1457 		}
1458 		vfree(usr);
1459 
1460 		iph1->rmconf->xauth->state |= XAUTH_SENT_PASSWORD;
1461 		dlen = pwd->l;
1462 
1463 		break;
1464 	case XAUTH_MESSAGE:
1465 		if ((ntohs(attr->type) & ISAKMP_GEN_TV) == 0) {
1466 			dlen = ntohs(attr->lorv);
1467 			if (dlen > 0) {
1468 				mraw = (char*)(attr + 1);
1469 				mdata = binsanitize(mraw, dlen);
1470 				if (mdata == NULL) {
1471 					plog(LLV_ERROR, LOCATION, iph1->remote,
1472 					    "Cannot allocate memory\n");
1473 					return NULL;
1474 				}
1475 				plog(LLV_NOTIFY,LOCATION, iph1->remote,
1476 					"XAUTH Message: '%s'.\n",
1477 					mdata);
1478 				racoon_free(mdata);
1479 			}
1480 		}
1481 		return NULL;
1482 	default:
1483 		plog(LLV_WARNING, LOCATION, NULL,
1484 		    "Ignored attribute %s\n", s_isakmp_cfg_type(type));
1485 		return NULL;
1486 		break;
1487 	}
1488 
1489 	if ((buffer = vmalloc(sizeof(*attr) + dlen)) == NULL) {
1490 		plog(LLV_ERROR, LOCATION, NULL,
1491 		    "Cannot allocate memory\n");
1492 		goto out;
1493 	}
1494 
1495 	attr = (struct isakmp_data *)buffer->v;
1496 	if (ashort) {
1497 		attr->type = htons(type | ISAKMP_GEN_TV);
1498 		attr->lorv = htons(value);
1499 		goto out;
1500 	}
1501 
1502 	attr->type = htons(type | ISAKMP_GEN_TLV);
1503 	attr->lorv = htons(dlen);
1504 	data = (char *)(attr + 1);
1505 
1506 	switch(type) {
1507 	case XAUTH_USER_NAME:
1508 		/*
1509 		 * iph1->rmconf->xauth->login->v is valid,
1510 		 * we just checked it in the previous switch case
1511 		 */
1512 		memcpy(data, iph1->rmconf->xauth->login->v, dlen);
1513 		break;
1514 #ifdef ANDROID_PATCHED
1515         case XAUTH_PASSCODE:
1516 #endif
1517 	case XAUTH_USER_PASSWORD:
1518 		memcpy(data, pwd->v, dlen);
1519 		break;
1520 	default:
1521 		break;
1522 	}
1523 
1524 out:
1525 	if (freepwd)
1526 		vfree(pwd);
1527 
1528 	return buffer;
1529 }
1530 
1531 vchar_t *
isakmp_xauth_set(iph1,attr)1532 isakmp_xauth_set(iph1, attr)
1533 	struct ph1handle *iph1;
1534 	struct isakmp_data *attr;
1535 {
1536 	int type;
1537 	vchar_t *buffer = NULL;
1538 	char *data;
1539 	struct xauth_state *xst;
1540 	size_t dlen = 0;
1541 	char* mraw = NULL, *mdata;
1542 
1543 	if ((iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_XAUTH) == 0) {
1544 		plog(LLV_ERROR, LOCATION, NULL,
1545 		    "Xauth mode config set but peer "
1546 		    "did not declare itself as Xauth capable\n");
1547 		return NULL;
1548 	}
1549 
1550 	type = ntohs(attr->type) & ~ISAKMP_GEN_MASK;
1551 
1552 	switch(type) {
1553 	case XAUTH_STATUS:
1554 		/*
1555 		 * We should only receive ISAKMP mode_cfg SET XAUTH_STATUS
1556 		 * when running as a client (initiator).
1557 		 */
1558 		xst = &iph1->mode_cfg->xauth;
1559 		switch(AUTHMETHOD(iph1)) {
1560 		case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I:
1561 		case FICTIVE_AUTH_METHOD_XAUTH_PSKEY_I:
1562 		case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_I:
1563 		/* Not implemented ... */
1564 		case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_I:
1565 		case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_I:
1566 		case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_I:
1567 		case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_I:
1568 			break;
1569 		default:
1570 			plog(LLV_ERROR, LOCATION, NULL,
1571 			    "Unexpected XAUTH_STATUS_OK\n");
1572 			return NULL;
1573 			break;
1574 		}
1575 
1576 		/* If we got a failure, delete iph1 */
1577 		if (ntohs(attr->lorv) != XAUTH_STATUS_OK) {
1578 			plog(LLV_ERROR, LOCATION, NULL,
1579 			    "Xauth authentication failed\n");
1580 
1581 			EVT_PUSH(iph1->local, iph1->remote,
1582 			    EVTT_XAUTH_FAILED, NULL);
1583 
1584 			iph1->mode_cfg->flags |= ISAKMP_CFG_DELETE_PH1;
1585 		} else {
1586 			EVT_PUSH(iph1->local, iph1->remote,
1587 			    EVTT_XAUTH_SUCCESS, NULL);
1588 		}
1589 
1590 
1591 		/* We acknowledge it */
1592 		break;
1593 	case XAUTH_MESSAGE:
1594 		if ((ntohs(attr->type) & ISAKMP_GEN_TV) == 0) {
1595 			dlen = ntohs(attr->lorv);
1596 			if (dlen > 0) {
1597 				mraw = (char*)(attr + 1);
1598 				mdata = binsanitize(mraw, dlen);
1599 				if (mdata == NULL) {
1600 					plog(LLV_ERROR, LOCATION, iph1->remote,
1601 					    "Cannot allocate memory\n");
1602 					return NULL;
1603 				}
1604 				plog(LLV_NOTIFY,LOCATION, iph1->remote,
1605 					"XAUTH Message: '%s'.\n",
1606 					mdata);
1607 				racoon_free(mdata);
1608 			}
1609 		}
1610 
1611 	default:
1612 		plog(LLV_WARNING, LOCATION, NULL,
1613 		    "Ignored attribute %s\n", s_isakmp_cfg_type(type));
1614 		return NULL;
1615 		break;
1616 	}
1617 
1618 	if ((buffer = vmalloc(sizeof(*attr))) == NULL) {
1619 		plog(LLV_ERROR, LOCATION, NULL,
1620 		    "Cannot allocate memory\n");
1621 		return NULL;
1622 	}
1623 
1624 	attr = (struct isakmp_data *)buffer->v;
1625 	attr->type = htons(type | ISAKMP_GEN_TV);
1626 	attr->lorv = htons(0);
1627 
1628 	return buffer;
1629 }
1630 
1631 
1632 void
xauth_rmstate(xst)1633 xauth_rmstate(xst)
1634 	struct xauth_state *xst;
1635 {
1636 	switch (xst->authtype) {
1637 	case XAUTH_TYPE_GENERIC:
1638 		if (xst->authdata.generic.usr)
1639 			racoon_free(xst->authdata.generic.usr);
1640 
1641 		if (xst->authdata.generic.pwd)
1642 			racoon_free(xst->authdata.generic.pwd);
1643 
1644 		break;
1645 
1646 	case XAUTH_TYPE_CHAP:
1647 	case XAUTH_TYPE_OTP:
1648 	case XAUTH_TYPE_SKEY:
1649 		plog(LLV_WARNING, LOCATION, NULL,
1650 		    "Unsupported authtype %d\n", xst->authtype);
1651 		break;
1652 
1653 	default:
1654 		plog(LLV_WARNING, LOCATION, NULL,
1655 		    "Unexpected authtype %d\n", xst->authtype);
1656 		break;
1657 	}
1658 
1659 #ifdef HAVE_LIBLDAP
1660 	if (xst->udn != NULL)
1661 		racoon_free(xst->udn);
1662 #endif
1663 	return;
1664 }
1665 
1666 int
xauth_rmconf_used(xauth_rmconf)1667 xauth_rmconf_used(xauth_rmconf)
1668 	struct xauth_rmconf **xauth_rmconf;
1669 {
1670 	if (*xauth_rmconf == NULL) {
1671 		*xauth_rmconf = racoon_malloc(sizeof(**xauth_rmconf));
1672 		if (*xauth_rmconf == NULL) {
1673 			plog(LLV_ERROR, LOCATION, NULL,
1674 			    "xauth_rmconf_used: malloc failed\n");
1675 			return -1;
1676 		}
1677 
1678 		(*xauth_rmconf)->login = NULL;
1679 		(*xauth_rmconf)->pass = NULL;
1680 		(*xauth_rmconf)->state = 0;
1681 	}
1682 
1683 	return 0;
1684 }
1685 
1686 void
xauth_rmconf_delete(xauth_rmconf)1687 xauth_rmconf_delete(xauth_rmconf)
1688 	struct xauth_rmconf **xauth_rmconf;
1689 {
1690 	if (*xauth_rmconf != NULL) {
1691 		if ((*xauth_rmconf)->login != NULL)
1692 			vfree((*xauth_rmconf)->login);
1693 		if ((*xauth_rmconf)->pass != NULL)
1694 			vfree((*xauth_rmconf)->pass);
1695 
1696 		racoon_free(*xauth_rmconf);
1697 		*xauth_rmconf = NULL;
1698 	}
1699 
1700 	return;
1701 }
1702