![[BACK]](/icons/cvsweb/back.gif){kind=icon}
Return to isakmp_xauth.c CVS log ![[TXT]](/icons/cvsweb/text.gif){kind=icon}
![[DIR]](/icons/cvsweb/dir.gif){kind=icon}
Up to [ELWIX - Embedded LightWeight unIX -] / embedaddon / ipsec-tools / src / racoon|
Return to isakmp_xauth.c CVS log | Up to [ELWIX - Embedded LightWeight unIX -] / embedaddon / ipsec-tools / src / racoon |
1.1 misho 1: /* $NetBSD: isakmp_xauth.c,v 1.22 2011/03/14 15:50:36 vanhu Exp $ */
2:
3: /* Id: isakmp_xauth.c,v 1.38 2006/08/22 18:17:17 manubsd Exp */
4:
5: /*
6: * Copyright (C) 2004-2005 Emmanuel Dreyfus
7: * All rights reserved.
8: *
9: * Redistribution and use in source and binary forms, with or without
10: * modification, are permitted provided that the following conditions
11: * are met:
12: * 1. Redistributions of source code must retain the above copyright
13: * notice, this list of conditions and the following disclaimer.
14: * 2. Redistributions in binary form must reproduce the above copyright
15: * notice, this list of conditions and the following disclaimer in the
16: * documentation and/or other materials provided with the distribution.
17: * 3. Neither the name of the project nor the names of its contributors
18: * may be used to endorse or promote products derived from this software
19: * without specific prior written permission.
20: *
21: * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
22: * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23: * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24: * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
25: * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26: * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27: * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28: * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29: * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30: * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31: * SUCH DAMAGE.
32: */
33:
34: #include "config.h"
35:
36: #include <sys/types.h>
37: #include <sys/param.h>
38: #include <sys/socket.h>
39: #include <sys/queue.h>
40:
41: #include <netinet/in.h>
42:
43: #include <assert.h>
44: #include <stdlib.h>
45: #include <stdio.h>
46: #include <string.h>
47: #include <errno.h>
48: #include <pwd.h>
49: #include <grp.h>
50: #if TIME_WITH_SYS_TIME
51: # include <sys/time.h>
52: # include <time.h>
53: #else
54: # if HAVE_SYS_TIME_H
55: # include <sys/time.h>
56: # else
57: # include <time.h>
58: # endif
59: #endif
60: #include <netdb.h>
61: #ifdef HAVE_UNISTD_H
62: #include <unistd.h>
63: #endif
64: #include <ctype.h>
65: #include <resolv.h>
66:
67: #ifdef HAVE_SHADOW_H
68: #include <shadow.h>
69: #endif
70:
71: #include "var.h"
72: #include "misc.h"
73: #include "vmbuf.h"
74: #include "plog.h"
75: #include "sockmisc.h"
76: #include "schedule.h"
77: #include "debug.h"
78:
79: #include "crypto_openssl.h"
80: #include "isakmp_var.h"
81: #include "isakmp.h"
82: #include "admin.h"
83: #include "privsep.h"
84: #include "evt.h"
85: #include "handler.h"
86: #include "throttle.h"
87: #include "remoteconf.h"
88: #include "isakmp_inf.h"
89: #include "isakmp_xauth.h"
90: #include "isakmp_unity.h"
91: #include "isakmp_cfg.h"
92: #include "strnames.h"
93: #include "ipsec_doi.h"
94: #include "remoteconf.h"
95: #include "localconf.h"
96:
97: #ifdef HAVE_LIBRADIUS
98: #include <radlib.h>
99: struct rad_handle *radius_auth_state = NULL;
100: struct rad_handle *radius_acct_state = NULL;
101: struct xauth_rad_config xauth_rad_config;
102: #endif
103:
104: #ifdef HAVE_LIBPAM
105: #include <security/pam_appl.h>
106:
107: static char *PAM_usr = NULL;
108: static char *PAM_pwd = NULL;
109: static int PAM_conv(int, const struct pam_message **,
110: struct pam_response **, void *);
111: static struct pam_conv PAM_chat = { &PAM_conv, NULL };
112: #endif
113:
114: #ifdef HAVE_LIBLDAP
115: #include "ldap.h"
116: #include <arpa/inet.h>
117: struct xauth_ldap_config xauth_ldap_config;
118: #endif
119:
120: void
121: xauth_sendreq(iph1)
122: struct ph1handle *iph1;
123: {
124: vchar_t *buffer;
125: struct isakmp_pl_attr *attr;
126: struct isakmp_data *typeattr;
127: struct isakmp_data *usrattr;
128: struct isakmp_data *pwdattr;
129: struct xauth_state *xst = &iph1->mode_cfg->xauth;
130: size_t tlen;
131:
132: /* Status checks */
133: if (iph1->status < PHASE1ST_ESTABLISHED) {
134: plog(LLV_ERROR, LOCATION, NULL,
135: "Xauth request while phase 1 is not completed\n");
136: return;
137: }
138:
139: if (xst->status != XAUTHST_NOTYET) {
140: plog(LLV_ERROR, LOCATION, NULL,
141: "Xauth request whith Xauth state %d\n", xst->status);
142: return;
143: }
144:
145: plog(LLV_INFO, LOCATION, NULL, "Sending Xauth request\n");
146:
147: tlen = sizeof(*attr) +
148: + sizeof(*typeattr) +
149: + sizeof(*usrattr) +
150: + sizeof(*pwdattr);
151:
152: if ((buffer = vmalloc(tlen)) == NULL) {
153: plog(LLV_ERROR, LOCATION, NULL, "Cannot allocate buffer\n");
154: return;
155: }
156:
157: attr = (struct isakmp_pl_attr *)buffer->v;
158: memset(attr, 0, tlen);
159:
160: attr->h.len = htons(tlen);
161: attr->type = ISAKMP_CFG_REQUEST;
162: attr->id = htons(eay_random());
163:
164: typeattr = (struct isakmp_data *)(attr + 1);
165: typeattr->type = htons(XAUTH_TYPE | ISAKMP_GEN_TV);
166: typeattr->lorv = htons(XAUTH_TYPE_GENERIC);
167:
168: usrattr = (struct isakmp_data *)(typeattr + 1);
169: usrattr->type = htons(XAUTH_USER_NAME | ISAKMP_GEN_TLV);
170: usrattr->lorv = htons(0);
171:
172: pwdattr = (struct isakmp_data *)(usrattr + 1);
173: pwdattr->type = htons(XAUTH_USER_PASSWORD | ISAKMP_GEN_TLV);
174: pwdattr->lorv = htons(0);
175:
176: isakmp_cfg_send(iph1, buffer,
177: ISAKMP_NPTYPE_ATTR, ISAKMP_FLAG_E, 1);
178:
179: vfree(buffer);
180:
181: xst->status = XAUTHST_REQSENT;
182:
183: return;
184: }
185:
186: int
187: xauth_attr_reply(iph1, attr, id)
188: struct ph1handle *iph1;
189: struct isakmp_data *attr;
190: int id;
191: {
192: char **outlet = NULL;
193: size_t alen = 0;
194: int type;
195: struct xauth_state *xst = &iph1->mode_cfg->xauth;
196:
197: if ((iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_XAUTH) == 0) {
198: plog(LLV_ERROR, LOCATION, NULL,
199: "Xauth reply but peer did not declare "
200: "itself as Xauth capable\n");
201: return -1;
202: }
203:
204: if (xst->status != XAUTHST_REQSENT) {
205: plog(LLV_ERROR, LOCATION, NULL,
206: "Xauth reply while Xauth state is %d\n", xst->status);
207: return -1;
208: }
209:
210: type = ntohs(attr->type) & ~ISAKMP_GEN_MASK;
211: switch (type) {
212: case XAUTH_TYPE:
213: switch (ntohs(attr->lorv)) {
214: case XAUTH_TYPE_GENERIC:
215: xst->authtype = XAUTH_TYPE_GENERIC;
216: break;
217: default:
218: plog(LLV_WARNING, LOCATION, NULL,
219: "Unexpected authentication type %d\n",
220: ntohs(type));
221: return -1;
222: }
223: break;
224:
225: case XAUTH_USER_NAME:
226: outlet = &xst->authdata.generic.usr;
227: break;
228:
229: case XAUTH_USER_PASSWORD:
230: outlet = &xst->authdata.generic.pwd;
231: break;
232:
233: default:
234: plog(LLV_WARNING, LOCATION, NULL,
235: "ignored Xauth attribute %d\n", type);
236: break;
237: }
238:
239: if (outlet != NULL) {
240: alen = ntohs(attr->lorv);
241:
242: if ((*outlet = racoon_malloc(alen + 1)) == NULL) {
243: plog(LLV_ERROR, LOCATION, NULL,
244: "Cannot allocate memory for Xauth Data\n");
245: return -1;
246: }
247:
248: memcpy(*outlet, attr + 1, alen);
249: (*outlet)[alen] = '\0';
250: outlet = NULL;
251: }
252:
253:
254: if ((xst->authdata.generic.usr != NULL) &&
255: (xst->authdata.generic.pwd != NULL)) {
256: int port;
257: int res;
258: char *usr = xst->authdata.generic.usr;
259: char *pwd = xst->authdata.generic.pwd;
260: time_t throttle_delay = 0;
261:
262: #if 0 /* Real debug, don't do that at home */
263: plog(LLV_DEBUG, LOCATION, NULL,
264: "Got username \"%s\", password \"%s\"\n", usr, pwd);
265: #endif
266: strncpy(iph1->mode_cfg->login, usr, LOGINLEN);
267: iph1->mode_cfg->login[LOGINLEN] = '\0';
268:
269: res = -1;
270: if ((port = isakmp_cfg_getport(iph1)) == -1) {
271: plog(LLV_ERROR, LOCATION, NULL,
272: "Port pool depleted\n");
273: goto skip_auth;
274: }
275:
276: switch (isakmp_cfg_config.authsource) {
277: case ISAKMP_CFG_AUTH_SYSTEM:
278: res = privsep_xauth_login_system(usr, pwd);
279: break;
280: #ifdef HAVE_LIBRADIUS
281: case ISAKMP_CFG_AUTH_RADIUS:
282: res = xauth_login_radius(iph1, usr, pwd);
283: break;
284: #endif
285: #ifdef HAVE_LIBPAM
286: case ISAKMP_CFG_AUTH_PAM:
287: res = privsep_xauth_login_pam(iph1->mode_cfg->port,
288: iph1->remote, usr, pwd);
289: break;
290: #endif
291: #ifdef HAVE_LIBLDAP
292: case ISAKMP_CFG_AUTH_LDAP:
293: res = xauth_login_ldap(iph1, usr, pwd);
294: break;
295: #endif
296: default:
297: plog(LLV_ERROR, LOCATION, NULL,
298: "Unexpected authentication source\n");
299: res = -1;
300: break;
301: }
302:
303: /*
304: * Optional group authentication
305: */
306: if (!res && (isakmp_cfg_config.groupcount))
307: res = group_check(iph1,
308: isakmp_cfg_config.grouplist,
309: isakmp_cfg_config.groupcount);
310:
311: /*
312: * On failure, throttle the connexion for the remote host
313: * in order to make password attacks more difficult.
314: */
315: throttle_delay = throttle_host(iph1->remote, res);
316: if (throttle_delay > 0) {
317: char *str;
318:
319: str = saddrwop2str(iph1->remote);
320:
321: plog(LLV_ERROR, LOCATION, NULL,
322: "Throttling in action for %s: delay %lds\n",
323: str, (unsigned long)throttle_delay);
324: res = -1;
325: } else {
326: throttle_delay = 0;
327: }
328:
329: skip_auth:
330: if (throttle_delay != 0) {
331: struct xauth_reply_arg *xra;
332:
333: if ((xra = racoon_calloc(1, sizeof(*xra))) == NULL) {
334: plog(LLV_ERROR, LOCATION, NULL,
335: "malloc failed, bypass throttling\n");
336: return xauth_reply(iph1, port, id, res);
337: }
338:
339: /*
340: * We need to store the ph1, but it might have
341: * disapeared when xauth_reply is called, so
342: * store the index instead.
343: */
344: xra->index = iph1->index;
345: xra->port = port;
346: xra->id = id;
347: xra->res = res;
348: sched_schedule(&xra->sc, throttle_delay,
349: xauth_reply_stub);
350: } else {
351: return xauth_reply(iph1, port, id, res);
352: }
353: }
354:
355: return 0;
356: }
357:
358: void
359: xauth_reply_stub(sc)
360: struct sched *sc;
361: {
362: struct xauth_reply_arg *xra = container_of(sc, struct xauth_reply_arg, sc);
363: struct ph1handle *iph1;
364:
365: if ((iph1 = getph1byindex(&xra->index)) != NULL)
366: (void)xauth_reply(iph1, xra->port, xra->id, xra->res);
367: else
368: plog(LLV_ERROR, LOCATION, NULL,
369: "Delayed Xauth reply: phase 1 no longer exists.\n");
370:
371: racoon_free(xra);
372: }
373:
374: int
375: xauth_reply(iph1, port, id, res)
376: struct ph1handle *iph1;
377: int port;
378: int id;
379: {
380: struct xauth_state *xst = &iph1->mode_cfg->xauth;
381: char *usr = xst->authdata.generic.usr;
382:
383: if (res != 0) {
384: if (port != -1)
385: isakmp_cfg_putport(iph1, port);
386:
387: plog(LLV_INFO, LOCATION, NULL,
388: "login failed for user \"%s\"\n", usr);
389:
390: xauth_sendstatus(iph1, XAUTH_STATUS_FAIL, id);
391: xst->status = XAUTHST_NOTYET;
392:
393: /* Delete Phase 1 SA */
394: if (iph1->status >= PHASE1ST_ESTABLISHED)
395: isakmp_info_send_d1(iph1);
396: remph1(iph1);
397: delph1(iph1);
398:
399: return -1;
400: }
401:
402: xst->status = XAUTHST_OK;
403: plog(LLV_INFO, LOCATION, NULL,
404: "login succeeded for user \"%s\"\n", usr);
405:
406: xauth_sendstatus(iph1, XAUTH_STATUS_OK, id);
407:
408: return 0;
409: }
410:
411: void
412: xauth_sendstatus(iph1, status, id)
413: struct ph1handle *iph1;
414: int status;
415: int id;
416: {
417: vchar_t *buffer;
418: struct isakmp_pl_attr *attr;
419: struct isakmp_data *stattr;
420: size_t tlen;
421:
422: tlen = sizeof(*attr) +
423: + sizeof(*stattr);
424:
425: if ((buffer = vmalloc(tlen)) == NULL) {
426: plog(LLV_ERROR, LOCATION, NULL, "Cannot allocate buffer\n");
427: return;
428: }
429:
430: attr = (struct isakmp_pl_attr *)buffer->v;
431: memset(attr, 0, tlen);
432:
433: attr->h.len = htons(tlen);
434: attr->type = ISAKMP_CFG_SET;
435: attr->id = htons(id);
436:
437: stattr = (struct isakmp_data *)(attr + 1);
438: stattr->type = htons(XAUTH_STATUS | ISAKMP_GEN_TV);
439: stattr->lorv = htons(status);
440:
441: isakmp_cfg_send(iph1, buffer,
442: ISAKMP_NPTYPE_ATTR, ISAKMP_FLAG_E, 1);
443:
444: vfree(buffer);
445:
446: return;
447: }
448:
449: #ifdef HAVE_LIBRADIUS
450: int
451: xauth_radius_init_conf(int free)
452: {
453: /* free radius config resources */
454: if (free) {
455: int i;
456: for (i = 0; i < xauth_rad_config.auth_server_count; i++) {
457: vfree(xauth_rad_config.auth_server_list[i].host);
458: vfree(xauth_rad_config.auth_server_list[i].secret);
459: }
460: for (i = 0; i < xauth_rad_config.acct_server_count; i++) {
461: vfree(xauth_rad_config.acct_server_list[i].host);
462: vfree(xauth_rad_config.acct_server_list[i].secret);
463: }
464: if (radius_auth_state != NULL)
465: rad_close(radius_auth_state);
466: if (radius_acct_state != NULL)
467: rad_close(radius_acct_state);
468: }
469:
470: /* initialize radius config */
471: memset(&xauth_rad_config, 0, sizeof(xauth_rad_config));
472: return 0;
473: }
474:
475: int
476: xauth_radius_init(void)
477: {
478: /* For first time use, initialize Radius */
479: if ((isakmp_cfg_config.authsource == ISAKMP_CFG_AUTH_RADIUS) &&
480: (radius_auth_state == NULL)) {
481: if ((radius_auth_state = rad_auth_open()) == NULL) {
482: plog(LLV_ERROR, LOCATION, NULL,
483: "Cannot init libradius\n");
484: return -1;
485: }
486:
487: int auth_count = xauth_rad_config.auth_server_count;
488: int auth_added = 0;
489: if (auth_count) {
490: int i;
491: for (i = 0; i < auth_count; i++) {
492: if(!rad_add_server(
493: radius_auth_state,
494: xauth_rad_config.auth_server_list[i].host->v,
495: xauth_rad_config.auth_server_list[i].port,
496: xauth_rad_config.auth_server_list[i].secret->v,
497: xauth_rad_config.timeout,
498: xauth_rad_config.retries ))
499: auth_added++;
500: else
501: plog(LLV_WARNING, LOCATION, NULL,
502: "could not add radius auth server %s\n",
503: xauth_rad_config.auth_server_list[i].host->v);
504: }
505: }
506:
507: if (!auth_added) {
508: if (rad_config(radius_auth_state, NULL) != 0) {
509: plog(LLV_ERROR, LOCATION, NULL,
510: "Cannot open libradius config file: %s\n",
511: rad_strerror(radius_auth_state));
512: rad_close(radius_auth_state);
513: radius_auth_state = NULL;
514: return -1;
515: }
516: }
517: }
518:
519: if ((isakmp_cfg_config.accounting == ISAKMP_CFG_ACCT_RADIUS) &&
520: (radius_acct_state == NULL)) {
521: if ((radius_acct_state = rad_acct_open()) == NULL) {
522: plog(LLV_ERROR, LOCATION, NULL,
523: "Cannot init libradius\n");
524: return -1;
525: }
526:
527: int acct_count = xauth_rad_config.acct_server_count;
528: int acct_added = 0;
529: if (acct_count) {
530: int i;
531: for (i = 0; i < acct_count; i++) {
532: if(!rad_add_server(
533: radius_acct_state,
534: xauth_rad_config.acct_server_list[i].host->v,
535: xauth_rad_config.acct_server_list[i].port,
536: xauth_rad_config.acct_server_list[i].secret->v,
537: xauth_rad_config.timeout,
538: xauth_rad_config.retries ))
539: acct_added++;
540: else
541: plog(LLV_WARNING, LOCATION, NULL,
542: "could not add radius account server %s\n",
543: xauth_rad_config.acct_server_list[i].host->v);
544: }
545: }
546:
547: if (!acct_added) {
548: if (rad_config(radius_acct_state, NULL) != 0) {
549: plog(LLV_ERROR, LOCATION, NULL,
550: "Cannot open libradius config file: %s\n",
551: rad_strerror(radius_acct_state));
552: rad_close(radius_acct_state);
553: radius_acct_state = NULL;
554: return -1;
555: }
556: }
557: }
558:
559: return 0;
560: }
561:
562: int
563: xauth_login_radius(iph1, usr, pwd)
564: struct ph1handle *iph1;
565: char *usr;
566: char *pwd;
567: {
568: int res;
569: const void *data;
570: size_t len;
571: int type;
572:
573: if (rad_create_request(radius_auth_state, RAD_ACCESS_REQUEST) != 0) {
574: plog(LLV_ERROR, LOCATION, NULL,
575: "rad_create_request failed: %s\n",
576: rad_strerror(radius_auth_state));
577: return -1;
578: }
579:
580: if (rad_put_string(radius_auth_state, RAD_USER_NAME, usr) != 0) {
581: plog(LLV_ERROR, LOCATION, NULL,
582: "rad_put_string failed: %s\n",
583: rad_strerror(radius_auth_state));
584: return -1;
585: }
586:
587: if (rad_put_string(radius_auth_state, RAD_USER_PASSWORD, pwd) != 0) {
588: plog(LLV_ERROR, LOCATION, NULL,
589: "rad_put_string failed: %s\n",
590: rad_strerror(radius_auth_state));
591: return -1;
592: }
593:
594: if (isakmp_cfg_radius_common(radius_auth_state, iph1->mode_cfg->port) != 0)
595: return -1;
596:
597: switch (res = rad_send_request(radius_auth_state)) {
598: case RAD_ACCESS_ACCEPT:
599: while ((type = rad_get_attr(radius_auth_state, &data, &len)) != 0) {
600: switch (type) {
601: case RAD_FRAMED_IP_ADDRESS:
602: iph1->mode_cfg->addr4 = rad_cvt_addr(data);
603: iph1->mode_cfg->flags
604: |= ISAKMP_CFG_ADDR4_EXTERN;
605: break;
606:
607: case RAD_FRAMED_IP_NETMASK:
608: iph1->mode_cfg->mask4 = rad_cvt_addr(data);
609: iph1->mode_cfg->flags
610: |= ISAKMP_CFG_MASK4_EXTERN;
611: break;
612:
613: default:
614: plog(LLV_INFO, LOCATION, NULL,
615: "Unexpected attribute: %d\n", type);
616: break;
617: }
618: }
619:
620: return 0;
621: break;
622:
623: case RAD_ACCESS_REJECT:
624: return -1;
625: break;
626:
627: case -1:
628: plog(LLV_ERROR, LOCATION, NULL,
629: "rad_send_request failed: %s\n",
630: rad_strerror(radius_auth_state));
631: return -1;
632: break;
633: default:
634: plog(LLV_ERROR, LOCATION, NULL,
635: "rad_send_request returned %d\n", res);
636: return -1;
637: break;
638: }
639:
640: return -1;
641: }
642: #endif
643:
644: #ifdef HAVE_LIBPAM
645: static int
646: PAM_conv(msg_count, msg, rsp, dontcare)
647: int msg_count;
648: const struct pam_message **msg;
649: struct pam_response **rsp;
650: void *dontcare;
651: {
652: int i;
653: int replies = 0;
654: struct pam_response *reply = NULL;
655:
656: if ((reply = racoon_malloc(sizeof(*reply) * msg_count)) == NULL)
657: return PAM_CONV_ERR;
658: bzero(reply, sizeof(*reply) * msg_count);
659:
660: for (i = 0; i < msg_count; i++) {
661: switch (msg[i]->msg_style) {
662: case PAM_PROMPT_ECHO_ON:
663: /* Send the username, libpam frees resp */
664: reply[i].resp_retcode = PAM_SUCCESS;
665: if ((reply[i].resp = strdup(PAM_usr)) == NULL) {
666: plog(LLV_ERROR, LOCATION,
667: NULL, "strdup failed\n");
668: exit(1);
669: }
670: break;
671:
672: case PAM_PROMPT_ECHO_OFF:
673: /* Send the password, libpam frees resp */
674: reply[i].resp_retcode = PAM_SUCCESS;
675: if ((reply[i].resp = strdup(PAM_pwd)) == NULL) {
676: plog(LLV_ERROR, LOCATION,
677: NULL, "strdup failed\n");
678: exit(1);
679: }
680: break;
681:
682: case PAM_TEXT_INFO:
683: case PAM_ERROR_MSG:
684: reply[i].resp_retcode = PAM_SUCCESS;
685: reply[i].resp = NULL;
686: break;
687:
688: default:
689: if (reply != NULL)
690: racoon_free(reply);
691: return PAM_CONV_ERR;
692: break;
693: }
694: }
695:
696: if (reply != NULL)
697: *rsp = reply;
698:
699: return PAM_SUCCESS;
700: }
701:
702: int
703: xauth_login_pam(port, raddr, usr, pwd)
704: int port;
705: struct sockaddr *raddr;
706: char *usr;
707: char *pwd;
708: {
709: int error;
710: int res;
711: const void *data;
712: size_t len;
713: int type;
714: char *remote = NULL;
715: pam_handle_t *pam = NULL;
716:
717: if (isakmp_cfg_config.port_pool == NULL) {
718: plog(LLV_ERROR, LOCATION, NULL,
719: "isakmp_cfg_config.port_pool == NULL\n");
720: return -1;
721: }
722:
723: if ((error = pam_start("racoon", usr,
724: &PAM_chat, &isakmp_cfg_config.port_pool[port].pam)) != 0) {
725: if (isakmp_cfg_config.port_pool[port].pam == NULL) {
726: plog(LLV_ERROR, LOCATION, NULL, "pam_start failed\n");
727: return -1;
728: } else {
729: plog(LLV_ERROR, LOCATION, NULL,
730: "pam_start failed: %s\n",
731: pam_strerror(isakmp_cfg_config.port_pool[port].pam,
732: error));
733: goto out;
734: }
735: }
736: pam = isakmp_cfg_config.port_pool[port].pam;
737:
738: if ((remote = strdup(saddrwop2str(raddr))) == NULL) {
739: plog(LLV_ERROR, LOCATION, NULL,
740: "cannot allocate memory: %s\n", strerror(errno));
741: goto out;
742: }
743:
744: if ((error = pam_set_item(pam, PAM_RHOST, remote)) != 0) {
745: plog(LLV_ERROR, LOCATION, NULL,
746: "pam_set_item failed: %s\n",
747: pam_strerror(pam, error));
748: goto out;
749: }
750:
751: if ((error = pam_set_item(pam, PAM_RUSER, usr)) != 0) {
752: plog(LLV_ERROR, LOCATION, NULL,
753: "pam_set_item failed: %s\n",
754: pam_strerror(pam, error));
755: goto out;
756: }
757:
758: PAM_usr = usr;
759: PAM_pwd = pwd;
760: error = pam_authenticate(pam, 0);
761: PAM_usr = NULL;
762: PAM_pwd = NULL;
763: if (error != 0) {
764: plog(LLV_ERROR, LOCATION, NULL,
765: "pam_authenticate failed: %s\n",
766: pam_strerror(pam, error));
767: goto out;
768: }
769:
770: if ((error = pam_acct_mgmt(pam, 0)) != 0) {
771: plog(LLV_ERROR, LOCATION, NULL,
772: "pam_acct_mgmt failed: %s\n",
773: pam_strerror(pam, error));
774: goto out;
775: }
776:
777: if ((error = pam_setcred(pam, 0)) != 0) {
778: plog(LLV_ERROR, LOCATION, NULL,
779: "pam_setcred failed: %s\n",
780: pam_strerror(pam, error));
781: goto out;
782: }
783:
784: if (remote != NULL)
785: free(remote);
786:
787: return 0;
788:
789: out:
790: pam_end(pam, error);
791: isakmp_cfg_config.port_pool[port].pam = NULL;
792: if (remote != NULL)
793: free(remote);
794: return -1;
795: }
796: #endif
797:
798: #ifdef HAVE_LIBLDAP
799: int
800: xauth_ldap_init_conf(void)
801: {
802: int tmplen;
803: int error = -1;
804:
805: xauth_ldap_config.pver = 3;
806: xauth_ldap_config.host = NULL;
807: xauth_ldap_config.port = LDAP_PORT;
808: xauth_ldap_config.base = NULL;
809: xauth_ldap_config.subtree = 0;
810: xauth_ldap_config.bind_dn = NULL;
811: xauth_ldap_config.bind_pw = NULL;
812: xauth_ldap_config.auth_type = LDAP_AUTH_SIMPLE;
813: xauth_ldap_config.attr_user = NULL;
814: xauth_ldap_config.attr_addr = NULL;
815: xauth_ldap_config.attr_mask = NULL;
816: xauth_ldap_config.attr_group = NULL;
817: xauth_ldap_config.attr_member = NULL;
818:
819: /* set default host */
820: tmplen = strlen(LDAP_DFLT_HOST);
821: xauth_ldap_config.host = vmalloc(tmplen);
822: if (xauth_ldap_config.host == NULL)
823: goto out;
824: memcpy(xauth_ldap_config.host->v, LDAP_DFLT_HOST, tmplen);
825:
826: /* set default user naming attribute */
827: tmplen = strlen(LDAP_DFLT_USER);
828: xauth_ldap_config.attr_user = vmalloc(tmplen);
829: if (xauth_ldap_config.attr_user == NULL)
830: goto out;
831: memcpy(xauth_ldap_config.attr_user->v, LDAP_DFLT_USER, tmplen);
832:
833: /* set default address attribute */
834: tmplen = strlen(LDAP_DFLT_ADDR);
835: xauth_ldap_config.attr_addr = vmalloc(tmplen);
836: if (xauth_ldap_config.attr_addr == NULL)
837: goto out;
838: memcpy(xauth_ldap_config.attr_addr->v, LDAP_DFLT_ADDR, tmplen);
839:
840: /* set default netmask attribute */
841: tmplen = strlen(LDAP_DFLT_MASK);
842: xauth_ldap_config.attr_mask = vmalloc(tmplen);
843: if (xauth_ldap_config.attr_mask == NULL)
844: goto out;
845: memcpy(xauth_ldap_config.attr_mask->v, LDAP_DFLT_MASK, tmplen);
846:
847: /* set default group naming attribute */
848: tmplen = strlen(LDAP_DFLT_GROUP);
849: xauth_ldap_config.attr_group = vmalloc(tmplen);
850: if (xauth_ldap_config.attr_group == NULL)
851: goto out;
852: memcpy(xauth_ldap_config.attr_group->v, LDAP_DFLT_GROUP, tmplen);
853:
854: /* set default member attribute */
855: tmplen = strlen(LDAP_DFLT_MEMBER);
856: xauth_ldap_config.attr_member = vmalloc(tmplen);
857: if (xauth_ldap_config.attr_member == NULL)
858: goto out;
859: memcpy(xauth_ldap_config.attr_member->v, LDAP_DFLT_MEMBER, tmplen);
860:
861: error = 0;
862: out:
863: if (error != 0)
864: plog(LLV_ERROR, LOCATION, NULL, "cannot allocate memory\n");
865:
866: return error;
867: }
868:
869: int
870: xauth_login_ldap(iph1, usr, pwd)
871: struct ph1handle *iph1;
872: char *usr;
873: char *pwd;
874: {
875: int rtn = -1;
876: int res = -1;
877: LDAP *ld = NULL;
878: LDAPMessage *lr = NULL;
879: LDAPMessage *le = NULL;
880: struct berval cred;
881: struct berval **bv = NULL;
882: struct timeval timeout;
883: char *init = NULL;
884: char *filter = NULL;
885: char *atlist[3];
886: char *basedn = NULL;
887: char *userdn = NULL;
888: int tmplen = 0;
889: int ecount = 0;
890: int scope = LDAP_SCOPE_ONE;
891:
892: atlist[0] = NULL;
893: atlist[1] = NULL;
894: atlist[2] = NULL;
895:
896: /* build our initialization url */
897: tmplen = strlen("ldap://:") + 17;
898: tmplen += strlen(xauth_ldap_config.host->v);
899: init = racoon_malloc(tmplen);
900: if (init == NULL) {
901: plog(LLV_ERROR, LOCATION, NULL,
902: "unable to alloc ldap init url\n");
903: goto ldap_end;
904: }
905: sprintf(init,"ldap://%s:%d",
906: xauth_ldap_config.host->v,
907: xauth_ldap_config.port );
908:
909: /* initialize the ldap handle */
910: res = ldap_initialize(&ld, init);
911: if (res != LDAP_SUCCESS) {
912: plog(LLV_ERROR, LOCATION, NULL,
913: "ldap_initialize failed: %s\n",
914: ldap_err2string(res));
915: goto ldap_end;
916: }
917:
918: /* initialize the protocol version */
919: ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION,
920: &xauth_ldap_config.pver);
921:
922: /*
923: * attempt to bind to the ldap server.
924: * default to anonymous bind unless a
925: * user dn and password has been
926: * specified in our configuration
927: */
928: if ((xauth_ldap_config.bind_dn != NULL)&&
929: (xauth_ldap_config.bind_pw != NULL))
930: {
931: cred.bv_val = xauth_ldap_config.bind_pw->v;
932: cred.bv_len = strlen( cred.bv_val );
933: res = ldap_sasl_bind_s(ld,
934: xauth_ldap_config.bind_dn->v, NULL, &cred,
935: NULL, NULL, NULL);
936: }
937: else
938: {
939: res = ldap_sasl_bind_s(ld,
940: NULL, NULL, NULL,
941: NULL, NULL, NULL);
942: }
943:
944: if (res!=LDAP_SUCCESS) {
945: plog(LLV_ERROR, LOCATION, NULL,
946: "ldap_sasl_bind_s (search) failed: %s\n",
947: ldap_err2string(res));
948: goto ldap_end;
949: }
950:
951: /* build an ldap user search filter */
952: tmplen = strlen(xauth_ldap_config.attr_user->v);
953: tmplen += 1;
954: tmplen += strlen(usr);
955: tmplen += 1;
956: filter = racoon_malloc(tmplen);
957: if (filter == NULL) {
958: plog(LLV_ERROR, LOCATION, NULL,
959: "unable to alloc ldap search filter buffer\n");
960: goto ldap_end;
961: }
962: sprintf(filter, "%s=%s",
963: xauth_ldap_config.attr_user->v, usr);
964:
965: /* build our return attribute list */
966: tmplen = strlen(xauth_ldap_config.attr_addr->v) + 1;
967: atlist[0] = racoon_malloc(tmplen);
968: tmplen = strlen(xauth_ldap_config.attr_mask->v) + 1;
969: atlist[1] = racoon_malloc(tmplen);
970: if ((atlist[0] == NULL)||(atlist[1] == NULL)) {
971: plog(LLV_ERROR, LOCATION, NULL,
972: "unable to alloc ldap attrib list buffer\n");
973: goto ldap_end;
974: }
975: strcpy(atlist[0],xauth_ldap_config.attr_addr->v);
976: strcpy(atlist[1],xauth_ldap_config.attr_mask->v);
977:
978: /* attempt to locate the user dn */
979: if (xauth_ldap_config.base != NULL)
980: basedn = xauth_ldap_config.base->v;
981: if (xauth_ldap_config.subtree)
982: scope = LDAP_SCOPE_SUBTREE;
983: timeout.tv_sec = 15;
984: timeout.tv_usec = 0;
985: res = ldap_search_ext_s(ld, basedn, scope,
986: filter, atlist, 0, NULL, NULL,
987: &timeout, 2, &lr);
988: if (res != LDAP_SUCCESS) {
989: plog(LLV_ERROR, LOCATION, NULL,
990: "ldap_search_ext_s failed: %s\n",
991: ldap_err2string(res));
992: goto ldap_end;
993: }
994:
995: /* check the number of ldap entries returned */
996: ecount = ldap_count_entries(ld, lr);
997: if (ecount < 1) {
998: plog(LLV_WARNING, LOCATION, NULL,
999: "no ldap results for filter \'%s\'\n",
1000: filter);
1001: goto ldap_end;
1002: }
1003: if (ecount > 1) {
1004: plog(LLV_WARNING, LOCATION, NULL,
1005: "multiple (%i) ldap results for filter \'%s\'\n",
1006: ecount, filter);
1007: }
1008:
1009: /* obtain the dn from the first result */
1010: le = ldap_first_entry(ld, lr);
1011: if (le == NULL) {
1012: plog(LLV_ERROR, LOCATION, NULL,
1013: "ldap_first_entry failed: invalid entry returned\n");
1014: goto ldap_end;
1015: }
1016: userdn = ldap_get_dn(ld, le);
1017: if (userdn == NULL) {
1018: plog(LLV_ERROR, LOCATION, NULL,
1019: "ldap_get_dn failed: invalid string returned\n");
1020: goto ldap_end;
1021: }
1022:
1023: /* cache the user dn in the xauth state */
1024: iph1->mode_cfg->xauth.udn = racoon_malloc(strlen(userdn)+1);
1025: strcpy(iph1->mode_cfg->xauth.udn,userdn);
1026:
1027: /* retrieve modecfg address */
1028: bv = ldap_get_values_len(ld, le, xauth_ldap_config.attr_addr->v);
1029: if (bv != NULL) {
1030: char tmpaddr[16];
1031: /* sanity check for address value */
1032: if ((bv[0]->bv_len < 7)||(bv[0]->bv_len > 15)) {
1033: plog(LLV_DEBUG, LOCATION, NULL,
1034: "ldap returned invalid modecfg address\n");
1035: ldap_value_free_len(bv);
1036: goto ldap_end;
1037: }
1038: memcpy(tmpaddr,bv[0]->bv_val,bv[0]->bv_len);
1039: tmpaddr[bv[0]->bv_len]=0;
1040: iph1->mode_cfg->addr4.s_addr = inet_addr(tmpaddr);
1041: iph1->mode_cfg->flags |= ISAKMP_CFG_ADDR4_EXTERN;
1042: plog(LLV_INFO, LOCATION, NULL,
1043: "ldap returned modecfg address %s\n", tmpaddr);
1044: ldap_value_free_len(bv);
1045: }
1046:
1047: /* retrieve modecfg netmask */
1048: bv = ldap_get_values_len(ld, le, xauth_ldap_config.attr_mask->v);
1049: if (bv != NULL) {
1050: char tmpmask[16];
1051: /* sanity check for netmask value */
1052: if ((bv[0]->bv_len < 7)||(bv[0]->bv_len > 15)) {
1053: plog(LLV_DEBUG, LOCATION, NULL,
1054: "ldap returned invalid modecfg netmask\n");
1055: ldap_value_free_len(bv);
1056: goto ldap_end;
1057: }
1058: memcpy(tmpmask,bv[0]->bv_val,bv[0]->bv_len);
1059: tmpmask[bv[0]->bv_len]=0;
1060: iph1->mode_cfg->mask4.s_addr = inet_addr(tmpmask);
1061: iph1->mode_cfg->flags |= ISAKMP_CFG_MASK4_EXTERN;
1062: plog(LLV_INFO, LOCATION, NULL,
1063: "ldap returned modecfg netmask %s\n", tmpmask);
1064: ldap_value_free_len(bv);
1065: }
1066:
1067: /*
1068: * finally, use the dn and the xauth
1069: * password to check the users given
1070: * credentials by attempting to bind
1071: * to the ldap server
1072: */
1073: plog(LLV_INFO, LOCATION, NULL,
1074: "attempting ldap bind for dn \'%s\'\n", userdn);
1075: cred.bv_val = pwd;
1076: cred.bv_len = strlen( cred.bv_val );
1077: res = ldap_sasl_bind_s(ld,
1078: userdn, NULL, &cred,
1079: NULL, NULL, NULL);
1080: if(res==LDAP_SUCCESS)
1081: rtn = 0;
1082:
1083: ldap_end:
1084:
1085: /* free ldap resources */
1086: if (userdn != NULL)
1087: ldap_memfree(userdn);
1088: if (atlist[0] != NULL)
1089: racoon_free(atlist[0]);
1090: if (atlist[1] != NULL)
1091: racoon_free(atlist[1]);
1092: if (filter != NULL)
1093: racoon_free(filter);
1094: if (lr != NULL)
1095: ldap_msgfree(lr);
1096: if (init != NULL)
1097: racoon_free(init);
1098:
1099: ldap_unbind_ext_s(ld, NULL, NULL);
1100:
1101: return rtn;
1102: }
1103:
1104: int
1105: xauth_group_ldap(udn, grp)
1106: char * udn;
1107: char * grp;
1108: {
1109: int rtn = -1;
1110: int res = -1;
1111: LDAP *ld = NULL;
1112: LDAPMessage *lr = NULL;
1113: LDAPMessage *le = NULL;
1114: struct berval cred;
1115: struct timeval timeout;
1116: char *init = NULL;
1117: char *filter = NULL;
1118: char *basedn = NULL;
1119: char *groupdn = NULL;
1120: int tmplen = 0;
1121: int ecount = 0;
1122: int scope = LDAP_SCOPE_ONE;
1123:
1124: /* build our initialization url */
1125: tmplen = strlen("ldap://:") + 17;
1126: tmplen += strlen(xauth_ldap_config.host->v);
1127: init = racoon_malloc(tmplen);
1128: if (init == NULL) {
1129: plog(LLV_ERROR, LOCATION, NULL,
1130: "unable to alloc ldap init url\n");
1131: goto ldap_group_end;
1132: }
1133: sprintf(init,"ldap://%s:%d",
1134: xauth_ldap_config.host->v,
1135: xauth_ldap_config.port );
1136:
1137: /* initialize the ldap handle */
1138: res = ldap_initialize(&ld, init);
1139: if (res != LDAP_SUCCESS) {
1140: plog(LLV_ERROR, LOCATION, NULL,
1141: "ldap_initialize failed: %s\n",
1142: ldap_err2string(res));
1143: goto ldap_group_end;
1144: }
1145:
1146: /* initialize the protocol version */
1147: ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION,
1148: &xauth_ldap_config.pver);
1149:
1150: /*
1151: * attempt to bind to the ldap server.
1152: * default to anonymous bind unless a
1153: * user dn and password has been
1154: * specified in our configuration
1155: */
1156: if ((xauth_ldap_config.bind_dn != NULL)&&
1157: (xauth_ldap_config.bind_pw != NULL))
1158: {
1159: cred.bv_val = xauth_ldap_config.bind_pw->v;
1160: cred.bv_len = strlen( cred.bv_val );
1161: res = ldap_sasl_bind_s(ld,
1162: xauth_ldap_config.bind_dn->v, NULL, &cred,
1163: NULL, NULL, NULL);
1164: }
1165: else
1166: {
1167: res = ldap_sasl_bind_s(ld,
1168: NULL, NULL, NULL,
1169: NULL, NULL, NULL);
1170: }
1171:
1172: if (res!=LDAP_SUCCESS) {
1173: plog(LLV_ERROR, LOCATION, NULL,
1174: "ldap_sasl_bind_s (search) failed: %s\n",
1175: ldap_err2string(res));
1176: goto ldap_group_end;
1177: }
1178:
1179: /* build an ldap group search filter */
1180: tmplen = strlen("(&(=)(=))") + 1;
1181: tmplen += strlen(xauth_ldap_config.attr_group->v);
1182: tmplen += strlen(grp);
1183: tmplen += strlen(xauth_ldap_config.attr_member->v);
1184: tmplen += strlen(udn);
1185: filter = racoon_malloc(tmplen);
1186: if (filter == NULL) {
1187: plog(LLV_ERROR, LOCATION, NULL,
1188: "unable to alloc ldap search filter buffer\n");
1189: goto ldap_group_end;
1190: }
1191: sprintf(filter, "(&(%s=%s)(%s=%s))",
1192: xauth_ldap_config.attr_group->v, grp,
1193: xauth_ldap_config.attr_member->v, udn);
1194:
1195: /* attempt to locate the group dn */
1196: if (xauth_ldap_config.base != NULL)
1197: basedn = xauth_ldap_config.base->v;
1198: if (xauth_ldap_config.subtree)
1199: scope = LDAP_SCOPE_SUBTREE;
1200: timeout.tv_sec = 15;
1201: timeout.tv_usec = 0;
1202: res = ldap_search_ext_s(ld, basedn, scope,
1203: filter, NULL, 0, NULL, NULL,
1204: &timeout, 2, &lr);
1205: if (res != LDAP_SUCCESS) {
1206: plog(LLV_ERROR, LOCATION, NULL,
1207: "ldap_search_ext_s failed: %s\n",
1208: ldap_err2string(res));
1209: goto ldap_group_end;
1210: }
1211:
1212: /* check the number of ldap entries returned */
1213: ecount = ldap_count_entries(ld, lr);
1214: if (ecount < 1) {
1215: plog(LLV_WARNING, LOCATION, NULL,
1216: "no ldap results for filter \'%s\'\n",
1217: filter);
1218: goto ldap_group_end;
1219: }
1220:
1221: /* success */
1222: rtn = 0;
1223:
1224: /* obtain the dn from the first result */
1225: le = ldap_first_entry(ld, lr);
1226: if (le == NULL) {
1227: plog(LLV_ERROR, LOCATION, NULL,
1228: "ldap_first_entry failed: invalid entry returned\n");
1229: goto ldap_group_end;
1230: }
1231: groupdn = ldap_get_dn(ld, le);
1232: if (groupdn == NULL) {
1233: plog(LLV_ERROR, LOCATION, NULL,
1234: "ldap_get_dn failed: invalid string returned\n");
1235: goto ldap_group_end;
1236: }
1237:
1238: plog(LLV_INFO, LOCATION, NULL,
1239: "ldap membership group returned \'%s\'\n", groupdn);
1240: ldap_group_end:
1241:
1242: /* free ldap resources */
1243: if (groupdn != NULL)
1244: ldap_memfree(groupdn);
1245: if (filter != NULL)
1246: racoon_free(filter);
1247: if (lr != NULL)
1248: ldap_msgfree(lr);
1249: if (init != NULL)
1250: racoon_free(init);
1251:
1252: ldap_unbind_ext_s(ld, NULL, NULL);
1253:
1254: return rtn;
1255: }
1256:
1257: #endif
1258:
1259: int
1260: xauth_login_system(usr, pwd)
1261: char *usr;
1262: char *pwd;
1263: {
1264: struct passwd *pw;
1265: char *cryptpwd;
1266: char *syscryptpwd;
1267: #ifdef HAVE_SHADOW_H
1268: struct spwd *spw;
1269:
1270: if ((spw = getspnam(usr)) == NULL)
1271: return -1;
1272:
1273: syscryptpwd = spw->sp_pwdp;
1274: #endif
1275:
1276: if ((pw = getpwnam(usr)) == NULL)
1277: return -1;
1278:
1279: #ifndef HAVE_SHADOW_H
1280: syscryptpwd = pw->pw_passwd;
1281: #endif
1282:
1283: /* No root login. Ever. */
1284: if (pw->pw_uid == 0)
1285: return -1;
1286:
1287: if ((cryptpwd = crypt(pwd, syscryptpwd)) == NULL)
1288: return -1;
1289:
1290: if (strcmp(cryptpwd, syscryptpwd) == 0)
1291: return 0;
1292:
1293: return -1;
1294: }
1295:
1296: int
1297: xauth_group_system(usr, grp)
1298: char * usr;
1299: char * grp;
1300: {
1301: struct group * gr;
1302: char * member;
1303: int index = 0;
1304:
1305: gr = getgrnam(grp);
1306: if (gr == NULL) {
1307: plog(LLV_ERROR, LOCATION, NULL,
1308: "the system group name \'%s\' is unknown\n",
1309: grp);
1310: return -1;
1311: }
1312:
1313: while ((member = gr->gr_mem[index++])!=NULL) {
1314: if (!strcmp(member,usr)) {
1315: plog(LLV_INFO, LOCATION, NULL,
1316: "membership validated\n");
1317: return 0;
1318: }
1319: }
1320:
1321: return -1;
1322: }
1323:
1324: int
1325: xauth_check(iph1)
1326: struct ph1handle *iph1;
1327: {
1328: struct xauth_state *xst = &iph1->mode_cfg->xauth;
1329:
1330: /*
1331: * Only the server side (edge device) really check for Xauth
1332: * status. It does it if the chose authmethod is using Xauth.
1333: * On the client side (roadwarrior), we don't check anything.
1334: */
1335: switch (iph1->approval->authmethod) {
1336: case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_R:
1337: case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_R:
1338: case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_R:
1339: /* The following are not yet implemented */
1340: case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_R:
1341: case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_R:
1342: case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_R:
1343: case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_R:
1344: if ((iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_XAUTH) == 0) {
1345: plog(LLV_ERROR, LOCATION, NULL,
1346: "Hybrid auth negotiated but peer did not "
1347: "announced as Xauth capable\n");
1348: return -1;
1349: }
1350:
1351: if (xst->status != XAUTHST_OK) {
1352: plog(LLV_ERROR, LOCATION, NULL,
1353: "Hybrid auth negotiated but peer did not "
1354: "succeed Xauth exchange\n");
1355: return -1;
1356: }
1357:
1358: return 0;
1359: break;
1360: default:
1361: return 0;
1362: break;
1363: }
1364:
1365: return 0;
1366: }
1367:
1368: int
1369: group_check(iph1, grp_list, grp_count)
1370: struct ph1handle *iph1;
1371: char **grp_list;
1372: int grp_count;
1373: {
1374: int res = -1;
1375: int grp_index = 0;
1376: char * usr = NULL;
1377:
1378: /* check for presence of modecfg data */
1379:
1380: if(iph1->mode_cfg == NULL) {
1381: plog(LLV_ERROR, LOCATION, NULL,
1382: "xauth group specified but modecfg not found\n");
1383: return res;
1384: }
1385:
1386: /* loop through our group list */
1387:
1388: for(; grp_index < grp_count; grp_index++) {
1389:
1390: /* check for presence of xauth data */
1391:
1392: usr = iph1->mode_cfg->xauth.authdata.generic.usr;
1393:
1394: if(usr == NULL) {
1395: plog(LLV_ERROR, LOCATION, NULL,
1396: "xauth group specified but xauth not found\n");
1397: return res;
1398: }
1399:
1400: /* call appropriate group validation funtion */
1401:
1402: switch (isakmp_cfg_config.groupsource) {
1403:
1404: case ISAKMP_CFG_GROUP_SYSTEM:
1405: res = xauth_group_system(
1406: usr,
1407: grp_list[grp_index]);
1408: break;
1409:
1410: #ifdef HAVE_LIBLDAP
1411: case ISAKMP_CFG_GROUP_LDAP:
1412: res = xauth_group_ldap(
1413: iph1->mode_cfg->xauth.udn,
1414: grp_list[grp_index]);
1415: break;
1416: #endif
1417:
1418: default:
1419: /* we should never get here */
1420: plog(LLV_ERROR, LOCATION, NULL,
1421: "Unknown group auth source\n");
1422: break;
1423: }
1424:
1425: if( !res ) {
1426: plog(LLV_INFO, LOCATION, NULL,
1427: "user \"%s\" is a member of group \"%s\"\n",
1428: usr,
1429: grp_list[grp_index]);
1430: break;
1431: } else {
1432: plog(LLV_INFO, LOCATION, NULL,
1433: "user \"%s\" is not a member of group \"%s\"\n",
1434: usr,
1435: grp_list[grp_index]);
1436: }
1437: }
1438:
1439: return res;
1440: }
1441:
1442: vchar_t *
1443: isakmp_xauth_req(iph1, attr)
1444: struct ph1handle *iph1;
1445: struct isakmp_data *attr;
1446: {
1447: int type;
1448: size_t dlen = 0;
1449: int ashort = 0;
1450: int value = 0;
1451: vchar_t *buffer = NULL;
1452: char *mraw = NULL, *mdata;
1453: char *data;
1454: vchar_t *usr = NULL;
1455: vchar_t *pwd = NULL;
1456: size_t skip = 0;
1457: int freepwd = 0;
1458:
1459: if ((iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_XAUTH) == 0) {
1460: plog(LLV_ERROR, LOCATION, NULL,
1461: "Xauth mode config request but peer "
1462: "did not declare itself as Xauth capable\n");
1463: return NULL;
1464: }
1465:
1466: type = ntohs(attr->type) & ~ISAKMP_GEN_MASK;
1467:
1468: /* Sanity checks */
1469: switch(type) {
1470: case XAUTH_TYPE:
1471: if ((ntohs(attr->type) & ISAKMP_GEN_TV) == 0) {
1472: plog(LLV_ERROR, LOCATION, NULL,
1473: "Unexpected long XAUTH_TYPE attribute\n");
1474: return NULL;
1475: }
1476: if (ntohs(attr->lorv) != XAUTH_TYPE_GENERIC) {
1477: plog(LLV_ERROR, LOCATION, NULL,
1478: "Unsupported Xauth authentication %d\n",
1479: ntohs(attr->lorv));
1480: return NULL;
1481: }
1482: ashort = 1;
1483: dlen = 0;
1484: value = XAUTH_TYPE_GENERIC;
1485: break;
1486:
1487: case XAUTH_USER_NAME:
1488: if (!iph1->rmconf->xauth || !iph1->rmconf->xauth->login) {
1489: plog(LLV_ERROR, LOCATION, NULL, "Xauth performed "
1490: "with no login supplied\n");
1491: return NULL;
1492: }
1493:
1494: dlen = iph1->rmconf->xauth->login->l - 1;
1495: iph1->rmconf->xauth->state |= XAUTH_SENT_USERNAME;
1496: break;
1497:
1498: case XAUTH_USER_PASSWORD:
1499: if (!iph1->rmconf->xauth || !iph1->rmconf->xauth->login)
1500: return NULL;
1501:
1502: skip = sizeof(struct ipsecdoi_id_b);
1503: usr = vmalloc(iph1->rmconf->xauth->login->l - 1 + skip);
1504: if (usr == NULL) {
1505: plog(LLV_ERROR, LOCATION, NULL,
1506: "Cannot allocate memory\n");
1507: return NULL;
1508: }
1509: memset(usr->v, 0, skip);
1510: memcpy(usr->v + skip,
1511: iph1->rmconf->xauth->login->v,
1512: iph1->rmconf->xauth->login->l - 1);
1513:
1514: if (iph1->rmconf->xauth->pass) {
1515: /* A key given through racoonctl */
1516: pwd = iph1->rmconf->xauth->pass;
1517: } else {
1518: if ((pwd = getpskbyname(usr)) == NULL) {
1519: plog(LLV_ERROR, LOCATION, NULL,
1520: "No password was found for login %s\n",
1521: iph1->rmconf->xauth->login->v);
1522: vfree(usr);
1523: return NULL;
1524: }
1525: /* We have to free it before returning */
1526: freepwd = 1;
1527: }
1528: vfree(usr);
1529:
1530: iph1->rmconf->xauth->state |= XAUTH_SENT_PASSWORD;
1531: dlen = pwd->l;
1532:
1533: break;
1534: case XAUTH_MESSAGE:
1535: if ((ntohs(attr->type) & ISAKMP_GEN_TV) == 0) {
1536: dlen = ntohs(attr->lorv);
1537: if (dlen > 0) {
1538: mraw = (char*)(attr + 1);
1539: mdata = binsanitize(mraw, dlen);
1540: if (mdata == NULL) {
1541: plog(LLV_ERROR, LOCATION, iph1->remote,
1542: "Cannot allocate memory\n");
1543: return NULL;
1544: }
1545: plog(LLV_NOTIFY,LOCATION, iph1->remote,
1546: "XAUTH Message: '%s'.\n",
1547: mdata);
1548: racoon_free(mdata);
1549: }
1550: }
1551: return NULL;
1552: default:
1553: plog(LLV_WARNING, LOCATION, NULL,
1554: "Ignored attribute %s\n", s_isakmp_cfg_type(type));
1555: return NULL;
1556: break;
1557: }
1558:
1559: if ((buffer = vmalloc(sizeof(*attr) + dlen)) == NULL) {
1560: plog(LLV_ERROR, LOCATION, NULL,
1561: "Cannot allocate memory\n");
1562: goto out;
1563: }
1564:
1565: attr = (struct isakmp_data *)buffer->v;
1566: if (ashort) {
1567: attr->type = htons(type | ISAKMP_GEN_TV);
1568: attr->lorv = htons(value);
1569: goto out;
1570: }
1571:
1572: attr->type = htons(type | ISAKMP_GEN_TLV);
1573: attr->lorv = htons(dlen);
1574: data = (char *)(attr + 1);
1575:
1576: switch(type) {
1577: case XAUTH_USER_NAME:
1578: /*
1579: * iph1->rmconf->xauth->login->v is valid,
1580: * we just checked it in the previous switch case
1581: */
1582: memcpy(data, iph1->rmconf->xauth->login->v, dlen);
1583: break;
1584: case XAUTH_USER_PASSWORD:
1585: memcpy(data, pwd->v, dlen);
1586: break;
1587: default:
1588: break;
1589: }
1590:
1591: out:
1592: if (freepwd)
1593: vfree(pwd);
1594:
1595: return buffer;
1596: }
1597:
1598: vchar_t *
1599: isakmp_xauth_set(iph1, attr)
1600: struct ph1handle *iph1;
1601: struct isakmp_data *attr;
1602: {
1603: int type;
1604: vchar_t *buffer = NULL;
1605: char *data;
1606: struct xauth_state *xst;
1607: size_t dlen = 0;
1608: char* mraw = NULL, *mdata;
1609:
1610: if ((iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_XAUTH) == 0) {
1611: plog(LLV_ERROR, LOCATION, NULL,
1612: "Xauth mode config set but peer "
1613: "did not declare itself as Xauth capable\n");
1614: return NULL;
1615: }
1616:
1617: type = ntohs(attr->type) & ~ISAKMP_GEN_MASK;
1618:
1619: switch(type) {
1620: case XAUTH_STATUS:
1621: /*
1622: * We should only receive ISAKMP mode_cfg SET XAUTH_STATUS
1623: * when running as a client (initiator).
1624: */
1625: xst = &iph1->mode_cfg->xauth;
1626: switch (iph1->approval->authmethod) {
1627: case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I:
1628: case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_I:
1629: case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_I:
1630: /* Not implemented ... */
1631: case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_I:
1632: case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_I:
1633: case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_I:
1634: case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_I:
1635: break;
1636: default:
1637: plog(LLV_ERROR, LOCATION, NULL,
1638: "Unexpected XAUTH_STATUS_OK\n");
1639: return NULL;
1640: break;
1641: }
1642:
1643: /* If we got a failure, delete iph1 */
1644: if (ntohs(attr->lorv) != XAUTH_STATUS_OK) {
1645: plog(LLV_ERROR, LOCATION, NULL,
1646: "Xauth authentication failed\n");
1647:
1648: evt_phase1(iph1, EVT_PHASE1_XAUTH_FAILED, NULL);
1649:
1650: iph1->mode_cfg->flags |= ISAKMP_CFG_DELETE_PH1;
1651: } else {
1652: evt_phase1(iph1, EVT_PHASE1_XAUTH_SUCCESS, NULL);
1653: }
1654:
1655:
1656: /* We acknowledge it */
1657: break;
1658: case XAUTH_MESSAGE:
1659: if ((ntohs(attr->type) & ISAKMP_GEN_TV) == 0) {
1660: dlen = ntohs(attr->lorv);
1661: if (dlen > 0) {
1662: mraw = (char*)(attr + 1);
1663: mdata = binsanitize(mraw, dlen);
1664: if (mdata == NULL) {
1665: plog(LLV_ERROR, LOCATION, iph1->remote,
1666: "Cannot allocate memory\n");
1667: return NULL;
1668: }
1669: plog(LLV_NOTIFY,LOCATION, iph1->remote,
1670: "XAUTH Message: '%s'.\n",
1671: mdata);
1672: racoon_free(mdata);
1673: }
1674: }
1675:
1676: default:
1677: plog(LLV_WARNING, LOCATION, NULL,
1678: "Ignored attribute %s\n", s_isakmp_cfg_type(type));
1679: return NULL;
1680: break;
1681: }
1682:
1683: if ((buffer = vmalloc(sizeof(*attr))) == NULL) {
1684: plog(LLV_ERROR, LOCATION, NULL,
1685: "Cannot allocate memory\n");
1686: return NULL;
1687: }
1688:
1689: attr = (struct isakmp_data *)buffer->v;
1690: attr->type = htons(type | ISAKMP_GEN_TV);
1691: attr->lorv = htons(0);
1692:
1693: return buffer;
1694: }
1695:
1696:
1697: void
1698: xauth_rmstate(xst)
1699: struct xauth_state *xst;
1700: {
1701: switch (xst->authtype) {
1702: case XAUTH_TYPE_GENERIC:
1703: if (xst->authdata.generic.usr)
1704: racoon_free(xst->authdata.generic.usr);
1705:
1706: if (xst->authdata.generic.pwd)
1707: racoon_free(xst->authdata.generic.pwd);
1708:
1709: break;
1710:
1711: case XAUTH_TYPE_CHAP:
1712: case XAUTH_TYPE_OTP:
1713: case XAUTH_TYPE_SKEY:
1714: plog(LLV_WARNING, LOCATION, NULL,
1715: "Unsupported authtype %d\n", xst->authtype);
1716: break;
1717:
1718: default:
1719: plog(LLV_WARNING, LOCATION, NULL,
1720: "Unexpected authtype %d\n", xst->authtype);
1721: break;
1722: }
1723:
1724: #ifdef HAVE_LIBLDAP
1725: if (xst->udn != NULL)
1726: racoon_free(xst->udn);
1727: #endif
1728: return;
1729: }
1730:
1731: int
1732: xauth_rmconf_used(xauth_rmconf)
1733: struct xauth_rmconf **xauth_rmconf;
1734: {
1735: if (*xauth_rmconf == NULL) {
1736: *xauth_rmconf = racoon_malloc(sizeof(**xauth_rmconf));
1737: if (*xauth_rmconf == NULL) {
1738: plog(LLV_ERROR, LOCATION, NULL,
1739: "xauth_rmconf_used: malloc failed\n");
1740: return -1;
1741: }
1742:
1743: (*xauth_rmconf)->login = NULL;
1744: (*xauth_rmconf)->pass = NULL;
1745: (*xauth_rmconf)->state = 0;
1746: }
1747:
1748: return 0;
1749: }
1750:
1751: void
1752: xauth_rmconf_delete(xauth_rmconf)
1753: struct xauth_rmconf **xauth_rmconf;
1754: {
1755: if (*xauth_rmconf != NULL) {
1756: if ((*xauth_rmconf)->login != NULL)
1757: vfree((*xauth_rmconf)->login);
1758: if ((*xauth_rmconf)->pass != NULL)
1759: vfree((*xauth_rmconf)->pass);
1760:
1761: racoon_free(*xauth_rmconf);
1762: *xauth_rmconf = NULL;
1763: }
1764:
1765: return;
1766: }
1767:
1768: struct xauth_rmconf *
1769: xauth_rmconf_dup(xauth_rmconf)
1770: struct xauth_rmconf *xauth_rmconf;
1771: {
1772: struct xauth_rmconf *new;
1773:
1774: if (xauth_rmconf != NULL) {
1775: new = racoon_malloc(sizeof(*new));
1776: if (new == NULL) {
1777: plog(LLV_ERROR, LOCATION, NULL,
1778: "xauth_rmconf_dup: malloc failed\n");
1779: return NULL;
1780: }
1781:
1782: memcpy(new, xauth_rmconf, sizeof(*new));
1783:
1784: if (xauth_rmconf->login != NULL) {
1785: new->login = vdup(xauth_rmconf->login);
1786: if (new->login == NULL) {
1787: plog(LLV_ERROR, LOCATION, NULL,
1788: "xauth_rmconf_dup: malloc failed (login)\n");
1789: return NULL;
1790: }
1791: }
1792: if (xauth_rmconf->pass != NULL) {
1793: new->pass = vdup(xauth_rmconf->pass);
1794: if (new->pass == NULL) {
1795: plog(LLV_ERROR, LOCATION, NULL,
1796: "xauth_rmconf_dup: malloc failed (password)\n");
1797: return NULL;
1798: }
1799: }
1800:
1801: return new;
1802: }
1803:
1804: return NULL;
1805: }