1 /*	$NetBSD: isakmp_xauth.c,v 1.11.6.2 2009/04/20 13:35:36 tteras Exp $	*/
2 
3 /* Id: isakmp_xauth.c,v 1.38 2006/08/22 18:17:17 manubsd Exp */
4 
5 /*
6  * Copyright (C) 2004-2005 Emmanuel Dreyfus
7  * All rights reserved.
8  *
9  * Redistribution and use in source and binary forms, with or without
10  * modification, are permitted provided that the following conditions
11  * are met:
12  * 1. Redistributions of source code must retain the above copyright
13  *    notice, this list of conditions and the following disclaimer.
14  * 2. Redistributions in binary form must reproduce the above copyright
15  *    notice, this list of conditions and the following disclaimer in the
16  *    documentation and/or other materials provided with the distribution.
17  * 3. Neither the name of the project nor the names of its contributors
18  *    may be used to endorse or promote products derived from this software
19  *    without specific prior written permission.
20  *
21  * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
22  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24  * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
25  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31  * SUCH DAMAGE.
32  */
33 
34 #include "config.h"
35 
36 #include <sys/types.h>
37 #include <sys/param.h>
38 #include <sys/socket.h>
39 #include <sys/queue.h>
40 
41 #include <netinet/in.h>
42 
43 #include <stdlib.h>
44 #include <stdio.h>
45 #include <string.h>
46 #include <errno.h>
47 #include <pwd.h>
48 #include <grp.h>
49 #if TIME_WITH_SYS_TIME
50 # include <sys/time.h>
51 # include <time.h>
52 #else
53 # if HAVE_SYS_TIME_H
54 #  include <sys/time.h>
55 # else
56 #  include <time.h>
57 # endif
58 #endif
59 #include <netdb.h>
60 #ifdef HAVE_UNISTD_H
61 #include <unistd.h>
62 #endif
63 #include <ctype.h>
64 #include <resolv.h>
65 
66 #ifdef HAVE_SHADOW_H
67 #include <shadow.h>
68 #endif
69 
70 #include "var.h"
71 #include "misc.h"
72 #include "vmbuf.h"
73 #include "plog.h"
74 #include "sockmisc.h"
75 #include "schedule.h"
76 #include "debug.h"
77 
78 #include "crypto_openssl.h"
79 #include "isakmp_var.h"
80 #include "isakmp.h"
81 #include "admin.h"
82 #include "privsep.h"
83 #include "evt.h"
84 #include "handler.h"
85 #include "throttle.h"
86 #include "remoteconf.h"
87 #include "isakmp_inf.h"
88 #include "isakmp_xauth.h"
89 #include "isakmp_unity.h"
90 #include "isakmp_cfg.h"
91 #include "strnames.h"
92 #include "ipsec_doi.h"
93 #include "remoteconf.h"
94 #include "localconf.h"
95 
96 #ifdef HAVE_LIBRADIUS
97 #include <radlib.h>
98 
99 struct rad_handle *radius_auth_state = NULL;
100 struct rad_handle *radius_acct_state = NULL;
101 #endif
102 
103 #ifdef HAVE_LIBPAM
104 #include <security/pam_appl.h>
105 
106 static char *PAM_usr = NULL;
107 static char *PAM_pwd = NULL;
108 static int PAM_conv(int, const struct pam_message **,
109     struct pam_response **, void *);
110 static struct pam_conv PAM_chat = { &PAM_conv, NULL };
111 #endif
112 
113 #ifdef HAVE_LIBLDAP
114 #include "ldap.h"
115 #include <arpa/inet.h>
116 struct xauth_ldap_config xauth_ldap_config;
117 #endif
118 
119 void
xauth_sendreq(iph1)120 xauth_sendreq(iph1)
121 	struct ph1handle *iph1;
122 {
123 	vchar_t *buffer;
124 	struct isakmp_pl_attr *attr;
125 	struct isakmp_data *typeattr;
126 	struct isakmp_data *usrattr;
127 	struct isakmp_data *pwdattr;
128 	struct xauth_state *xst = &iph1->mode_cfg->xauth;
129 	size_t tlen;
130 
131 	/* Status checks */
132 	if (iph1->status != PHASE1ST_ESTABLISHED) {
133 		plog(LLV_ERROR, LOCATION, NULL,
134 		    "Xauth request while phase 1 is not completed\n");
135 		return;
136 	}
137 
138 	if (xst->status != XAUTHST_NOTYET) {
139 		plog(LLV_ERROR, LOCATION, NULL,
140 		    "Xauth request whith Xauth state %d\n", xst->status);
141 		return;
142 	}
143 
144 	plog(LLV_INFO, LOCATION, NULL, "Sending Xauth request\n");
145 
146 	tlen = sizeof(*attr) +
147 	       + sizeof(*typeattr) +
148 	       + sizeof(*usrattr) +
149 	       + sizeof(*pwdattr);
150 
151 	if ((buffer = vmalloc(tlen)) == NULL) {
152 		plog(LLV_ERROR, LOCATION, NULL, "Cannot allocate buffer\n");
153 		return;
154 	}
155 
156 	attr = (struct isakmp_pl_attr *)buffer->v;
157 	memset(attr, 0, tlen);
158 
159 	attr->h.len = htons(tlen);
160 	attr->type = ISAKMP_CFG_REQUEST;
161 	attr->id = htons(eay_random());
162 
163 	typeattr = (struct isakmp_data *)(attr + 1);
164 	typeattr->type = htons(XAUTH_TYPE | ISAKMP_GEN_TV);
165 	typeattr->lorv = htons(XAUTH_TYPE_GENERIC);
166 
167 	usrattr = (struct isakmp_data *)(typeattr + 1);
168 	usrattr->type = htons(XAUTH_USER_NAME | ISAKMP_GEN_TLV);
169 	usrattr->lorv = htons(0);
170 
171 	pwdattr = (struct isakmp_data *)(usrattr + 1);
172 	pwdattr->type = htons(XAUTH_USER_PASSWORD | ISAKMP_GEN_TLV);
173 	pwdattr->lorv = htons(0);
174 
175 	isakmp_cfg_send(iph1, buffer,
176 	    ISAKMP_NPTYPE_ATTR, ISAKMP_FLAG_E, 1);
177 
178 	vfree(buffer);
179 
180 	xst->status = XAUTHST_REQSENT;
181 
182 	return;
183 }
184 
185 int
xauth_attr_reply(iph1,attr,id)186 xauth_attr_reply(iph1, attr, id)
187 	struct ph1handle *iph1;
188 	struct isakmp_data *attr;
189 	int id;
190 {
191 	char **outlet = NULL;
192 	size_t alen = 0;
193 	int type;
194 	struct xauth_state *xst = &iph1->mode_cfg->xauth;
195 
196 	if ((iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_XAUTH) == 0) {
197 		plog(LLV_ERROR, LOCATION, NULL,
198 		    "Xauth reply but peer did not declare "
199 		    "itself as Xauth capable\n");
200 		return -1;
201 	}
202 
203 	if (xst->status != XAUTHST_REQSENT) {
204 		plog(LLV_ERROR, LOCATION, NULL,
205 		    "Xauth reply while Xauth state is %d\n", xst->status);
206 		return -1;
207 	}
208 
209 	type = ntohs(attr->type) & ~ISAKMP_GEN_MASK;
210 	switch (type) {
211 	case XAUTH_TYPE:
212 		switch (ntohs(attr->lorv)) {
213 		case XAUTH_TYPE_GENERIC:
214 			xst->authtype = XAUTH_TYPE_GENERIC;
215 			break;
216 		default:
217 			plog(LLV_WARNING, LOCATION, NULL,
218 			    "Unexpected authentication type %d\n",
219 			    ntohs(type));
220 			return -1;
221 		}
222 		break;
223 
224 	case XAUTH_USER_NAME:
225 		outlet = &xst->authdata.generic.usr;
226 		break;
227 
228 	case XAUTH_USER_PASSWORD:
229 		outlet = &xst->authdata.generic.pwd;
230 		break;
231 
232 	default:
233 		plog(LLV_WARNING, LOCATION, NULL,
234 		    "ignored Xauth attribute %d\n", type);
235 		break;
236 	}
237 
238 	if (outlet != NULL) {
239 		alen = ntohs(attr->lorv);
240 
241 		if ((*outlet = racoon_malloc(alen + 1)) == NULL) {
242 			plog(LLV_ERROR, LOCATION, NULL,
243 			    "Cannot allocate memory for Xauth Data\n");
244 			return -1;
245 		}
246 
247 		memcpy(*outlet, attr + 1, alen);
248 		(*outlet)[alen] = '\0';
249 		outlet = NULL;
250 	}
251 
252 
253 	if ((xst->authdata.generic.usr != NULL) &&
254 	   (xst->authdata.generic.pwd != NULL)) {
255 		int port;
256 		int res;
257 		char *usr = xst->authdata.generic.usr;
258 		char *pwd = xst->authdata.generic.pwd;
259 		time_t throttle_delay = 0;
260 
261 #if 0	/* Real debug, don't do that at home */
262 		plog(LLV_DEBUG, LOCATION, NULL,
263 		    "Got username \"%s\", password \"%s\"\n", usr, pwd);
264 #endif
265 		strncpy(iph1->mode_cfg->login, usr, LOGINLEN);
266 		iph1->mode_cfg->login[LOGINLEN] = '\0';
267 
268 		res = -1;
269 		if ((port = isakmp_cfg_getport(iph1)) == -1) {
270 			plog(LLV_ERROR, LOCATION, NULL,
271 			    "Port pool depleted\n");
272 			goto skip_auth;
273 		}
274 
275 		switch (isakmp_cfg_config.authsource) {
276 		case ISAKMP_CFG_AUTH_SYSTEM:
277 			res = privsep_xauth_login_system(usr, pwd);
278 			break;
279 #ifdef HAVE_LIBRADIUS
280 		case ISAKMP_CFG_AUTH_RADIUS:
281 			res = xauth_login_radius(iph1, usr, pwd);
282 			break;
283 #endif
284 #ifdef HAVE_LIBPAM
285 		case ISAKMP_CFG_AUTH_PAM:
286 			res = privsep_xauth_login_pam(iph1->mode_cfg->port,
287 			    iph1->remote, usr, pwd);
288 			break;
289 #endif
290 #ifdef HAVE_LIBLDAP
291 		case ISAKMP_CFG_AUTH_LDAP:
292 			res = xauth_login_ldap(iph1, usr, pwd);
293 			break;
294 #endif
295 		default:
296 			plog(LLV_ERROR, LOCATION, NULL,
297 			    "Unexpected authentication source\n");
298 			res = -1;
299 			break;
300 		}
301 
302 		/*
303 		 * Optional group authentication
304 		 */
305 		if (!res && (isakmp_cfg_config.groupcount))
306 			res = group_check(iph1,
307 				isakmp_cfg_config.grouplist,
308 				isakmp_cfg_config.groupcount);
309 
310 		/*
311 		 * On failure, throttle the connexion for the remote host
312 		 * in order to make password attacks more difficult.
313 		 */
314 		throttle_delay = throttle_host(iph1->remote, res) - time(NULL);
315 		if (throttle_delay > 0) {
316 			char *str;
317 
318 			str = saddrwop2str(iph1->remote);
319 
320 			plog(LLV_ERROR, LOCATION, NULL,
321 			    "Throttling in action for %s: delay %lds\n",
322 			    str, (unsigned long)throttle_delay);
323 			res = -1;
324 		} else {
325 			throttle_delay = 0;
326 		}
327 
328 skip_auth:
329 		if (throttle_delay != 0) {
330 			struct xauth_reply_arg *xra;
331 
332 			if ((xra = racoon_malloc(sizeof(*xra))) == NULL) {
333 				plog(LLV_ERROR, LOCATION, NULL,
334 				    "malloc failed, bypass throttling\n");
335 				return xauth_reply(iph1, port, id, res);
336 			}
337 
338 			/*
339 			 * We need to store the ph1, but it might have
340 			 * disapeared when xauth_reply is called, so
341 			 * store the index instead.
342 			 */
343 			xra->index = iph1->index;
344 			xra->port = port;
345 			xra->id = id;
346 			xra->res = res;
347 			sched_new(throttle_delay, xauth_reply_stub, xra);
348 		} else {
349 			return xauth_reply(iph1, port, id, res);
350 		}
351 	}
352 
353 	return 0;
354 }
355 
356 void
xauth_reply_stub(args)357 xauth_reply_stub(args)
358 	void *args;
359 {
360 	struct xauth_reply_arg *xra = (struct xauth_reply_arg *)args;
361 	struct ph1handle *iph1;
362 
363 	if ((iph1 = getph1byindex(&xra->index)) != NULL)
364 		(void)xauth_reply(iph1, xra->port, xra->id, xra->res);
365 	else
366 		plog(LLV_ERROR, LOCATION, NULL,
367 		    "Delayed Xauth reply: phase 1 no longer exists.\n");
368 
369 	racoon_free(xra);
370 	return;
371 }
372 
373 int
xauth_reply(iph1,port,id,res)374 xauth_reply(iph1, port, id, res)
375 	struct ph1handle *iph1;
376 	int port;
377 	int id;
378 #if defined(ANDROID_CHANGES)
379 	int res;
380 #endif
381 {
382 	struct xauth_state *xst = &iph1->mode_cfg->xauth;
383 	char *usr = xst->authdata.generic.usr;
384 
385 	if (res != 0) {
386 		if (port != -1)
387 			isakmp_cfg_putport(iph1, port);
388 
389 		plog(LLV_INFO, LOCATION, NULL,
390 		    "login failed for user \"%s\"\n", usr);
391 
392 		xauth_sendstatus(iph1, XAUTH_STATUS_FAIL, id);
393 		xst->status = XAUTHST_NOTYET;
394 
395 		/* Delete Phase 1 SA */
396 		if (iph1->status == PHASE1ST_ESTABLISHED)
397 			isakmp_info_send_d1(iph1);
398 		remph1(iph1);
399 		delph1(iph1);
400 
401 		return -1;
402 	}
403 
404 	xst->status = XAUTHST_OK;
405 	plog(LLV_INFO, LOCATION, NULL,
406 	    "login succeeded for user \"%s\"\n", usr);
407 
408 	xauth_sendstatus(iph1, XAUTH_STATUS_OK, id);
409 
410 	return 0;
411 }
412 
413 void
xauth_sendstatus(iph1,status,id)414 xauth_sendstatus(iph1, status, id)
415 	struct ph1handle *iph1;
416 	int status;
417 	int id;
418 {
419 	vchar_t *buffer;
420 	struct isakmp_pl_attr *attr;
421 	struct isakmp_data *stattr;
422 	size_t tlen;
423 
424 	tlen = sizeof(*attr) +
425 	       + sizeof(*stattr);
426 
427 	if ((buffer = vmalloc(tlen)) == NULL) {
428 		plog(LLV_ERROR, LOCATION, NULL, "Cannot allocate buffer\n");
429 		return;
430 	}
431 
432 	attr = (struct isakmp_pl_attr *)buffer->v;
433 	memset(attr, 0, tlen);
434 
435 	attr->h.len = htons(tlen);
436 	attr->type = ISAKMP_CFG_SET;
437 	attr->id = htons(id);
438 
439 	stattr = (struct isakmp_data *)(attr + 1);
440 	stattr->type = htons(XAUTH_STATUS | ISAKMP_GEN_TV);
441 	stattr->lorv = htons(status);
442 
443 	isakmp_cfg_send(iph1, buffer,
444 	    ISAKMP_NPTYPE_ATTR, ISAKMP_FLAG_E, 1);
445 
446 	vfree(buffer);
447 
448 	return;
449 }
450 
451 #ifdef HAVE_LIBRADIUS
452 int
xauth_radius_init(void)453 xauth_radius_init(void)
454 {
455 	/* For first time use, initialize Radius */
456 	if ((isakmp_cfg_config.authsource == ISAKMP_CFG_AUTH_RADIUS) &&
457 	    (radius_auth_state == NULL)) {
458 		if ((radius_auth_state = rad_auth_open()) == NULL) {
459 			plog(LLV_ERROR, LOCATION, NULL,
460 			    "Cannot init libradius\n");
461 			return -1;
462 		}
463 
464 		if (rad_config(radius_auth_state, NULL) != 0) {
465 			plog(LLV_ERROR, LOCATION, NULL,
466 			    "Cannot open librarius config file: %s\n",
467 			    rad_strerror(radius_auth_state));
468 			rad_close(radius_auth_state);
469 			radius_auth_state = NULL;
470 			return -1;
471 		}
472 	}
473 
474 	if ((isakmp_cfg_config.accounting == ISAKMP_CFG_ACCT_RADIUS) &&
475 	    (radius_acct_state == NULL)) {
476 		if ((radius_acct_state = rad_acct_open()) == NULL) {
477 			plog(LLV_ERROR, LOCATION, NULL,
478 			    "Cannot init libradius\n");
479 			return -1;
480 		}
481 
482 		if (rad_config(radius_acct_state, NULL) != 0) {
483 			plog(LLV_ERROR, LOCATION, NULL,
484 			    "Cannot open librarius config file: %s\n",
485 			    rad_strerror(radius_acct_state));
486 			rad_close(radius_acct_state);
487 			radius_acct_state = NULL;
488 			return -1;
489 		}
490 	}
491 
492 	return 0;
493 }
494 
495 int
xauth_login_radius(iph1,usr,pwd)496 xauth_login_radius(iph1, usr, pwd)
497 	struct ph1handle *iph1;
498 	char *usr;
499 	char *pwd;
500 {
501 	int res;
502 	const void *data;
503 	size_t len;
504 	int type;
505 
506 	if (rad_create_request(radius_auth_state, RAD_ACCESS_REQUEST) != 0) {
507 		plog(LLV_ERROR, LOCATION, NULL,
508 		    "rad_create_request failed: %s\n",
509 		    rad_strerror(radius_auth_state));
510 		return -1;
511 	}
512 
513 	if (rad_put_string(radius_auth_state, RAD_USER_NAME, usr) != 0) {
514 		plog(LLV_ERROR, LOCATION, NULL,
515 		    "rad_put_string failed: %s\n",
516 		    rad_strerror(radius_auth_state));
517 		return -1;
518 	}
519 
520 	if (rad_put_string(radius_auth_state, RAD_USER_PASSWORD, pwd) != 0) {
521 		plog(LLV_ERROR, LOCATION, NULL,
522 		    "rad_put_string failed: %s\n",
523 		    rad_strerror(radius_auth_state));
524 		return -1;
525 	}
526 
527 	if (isakmp_cfg_radius_common(radius_auth_state, iph1->mode_cfg->port) != 0)
528 		return -1;
529 
530 	switch (res = rad_send_request(radius_auth_state)) {
531 	case RAD_ACCESS_ACCEPT:
532 		while ((type = rad_get_attr(radius_auth_state, &data, &len)) != 0) {
533 			switch (type) {
534 			case RAD_FRAMED_IP_ADDRESS:
535 				iph1->mode_cfg->addr4 = rad_cvt_addr(data);
536 				iph1->mode_cfg->flags
537 				    |= ISAKMP_CFG_ADDR4_EXTERN;
538 				break;
539 
540 			case RAD_FRAMED_IP_NETMASK:
541 				iph1->mode_cfg->mask4 = rad_cvt_addr(data);
542 				iph1->mode_cfg->flags
543 				    |= ISAKMP_CFG_MASK4_EXTERN;
544 				break;
545 
546 			default:
547 				plog(LLV_INFO, LOCATION, NULL,
548 				    "Unexpected attribute: %d\n", type);
549 				break;
550 			}
551 		}
552 
553 		return 0;
554 		break;
555 
556 	case RAD_ACCESS_REJECT:
557 		return -1;
558 		break;
559 
560 	case -1:
561 		plog(LLV_ERROR, LOCATION, NULL,
562 		    "rad_send_request failed: %s\n",
563 		    rad_strerror(radius_auth_state));
564 		return -1;
565 		break;
566 	default:
567 		plog(LLV_ERROR, LOCATION, NULL,
568 		    "rad_send_request returned %d\n", res);
569 		return -1;
570 		break;
571 	}
572 
573 	return -1;
574 }
575 #endif
576 
577 #ifdef HAVE_LIBPAM
578 static int
PAM_conv(msg_count,msg,rsp,dontcare)579 PAM_conv(msg_count, msg, rsp, dontcare)
580 	int msg_count;
581 	const struct pam_message **msg;
582 	struct pam_response **rsp;
583 	void *dontcare;
584 {
585 	int i;
586 	int replies = 0;
587 	struct pam_response *reply = NULL;
588 
589 	if ((reply = racoon_malloc(sizeof(*reply) * msg_count)) == NULL)
590 		return PAM_CONV_ERR;
591 	bzero(reply, sizeof(*reply) * msg_count);
592 
593 	for (i = 0; i < msg_count; i++) {
594 		switch (msg[i]->msg_style) {
595 		case PAM_PROMPT_ECHO_ON:
596 			/* Send the username, libpam frees resp */
597 			reply[i].resp_retcode = PAM_SUCCESS;
598 			if ((reply[i].resp = strdup(PAM_usr)) == NULL) {
599 				plog(LLV_ERROR, LOCATION,
600 				    NULL, "strdup failed\n");
601 				exit(1);
602 			}
603 			break;
604 
605 		case PAM_PROMPT_ECHO_OFF:
606 			/* Send the password, libpam frees resp */
607 			reply[i].resp_retcode = PAM_SUCCESS;
608 			if ((reply[i].resp = strdup(PAM_pwd)) == NULL) {
609 				plog(LLV_ERROR, LOCATION,
610 				    NULL, "strdup failed\n");
611 				exit(1);
612 			}
613 			break;
614 
615 		case PAM_TEXT_INFO:
616 		case PAM_ERROR_MSG:
617 			reply[i].resp_retcode = PAM_SUCCESS;
618 			reply[i].resp = NULL;
619 			break;
620 
621 		default:
622 			if (reply != NULL)
623 				racoon_free(reply);
624 			return PAM_CONV_ERR;
625 			break;
626 		}
627 	}
628 
629 	if (reply != NULL)
630 		*rsp = reply;
631 
632 	return PAM_SUCCESS;
633 }
634 
635 int
xauth_login_pam(port,raddr,usr,pwd)636 xauth_login_pam(port, raddr, usr, pwd)
637 	int port;
638 	struct sockaddr *raddr;
639 	char *usr;
640 	char *pwd;
641 {
642 	int error;
643 	int res;
644 	const void *data;
645 	size_t len;
646 	int type;
647 	char *remote = NULL;
648 	pam_handle_t *pam = NULL;
649 
650 	if (isakmp_cfg_config.port_pool == NULL) {
651 		plog(LLV_ERROR, LOCATION, NULL,
652 		    "isakmp_cfg_config.port_pool == NULL\n");
653 		return -1;
654 	}
655 
656 	if ((error = pam_start("racoon", usr,
657 	    &PAM_chat, &isakmp_cfg_config.port_pool[port].pam)) != 0) {
658 		if (isakmp_cfg_config.port_pool[port].pam == NULL) {
659 			plog(LLV_ERROR, LOCATION, NULL, "pam_start failed\n");
660 			return -1;
661 		} else {
662 			plog(LLV_ERROR, LOCATION, NULL,
663 			    "pam_start failed: %s\n",
664 			    pam_strerror(isakmp_cfg_config.port_pool[port].pam,
665 			    error));
666 			goto out;
667 		}
668 	}
669 	pam = isakmp_cfg_config.port_pool[port].pam;
670 
671 	if ((remote = strdup(saddrwop2str(raddr))) == NULL) {
672 		plog(LLV_ERROR, LOCATION, NULL,
673 		    "cannot allocate memory: %s\n", strerror(errno));
674 		goto out;
675 	}
676 
677 	if ((error = pam_set_item(pam, PAM_RHOST, remote)) != 0) {
678 		plog(LLV_ERROR, LOCATION, NULL,
679 		    "pam_set_item failed: %s\n",
680 		    pam_strerror(pam, error));
681 		goto out;
682 	}
683 
684 	PAM_usr = usr;
685 	PAM_pwd = pwd;
686 	error = pam_authenticate(pam, 0);
687 	PAM_usr = NULL;
688 	PAM_pwd = NULL;
689 	if (error != 0) {
690 		plog(LLV_ERROR, LOCATION, NULL,
691 		    "pam_authenticate failed: %s\n",
692 		    pam_strerror(pam, error));
693 		goto out;
694 	}
695 
696 	if ((error = pam_acct_mgmt(pam, 0)) != 0) {
697 		plog(LLV_ERROR, LOCATION, NULL,
698 		    "pam_acct_mgmt failed: %s\n",
699 		    pam_strerror(pam, error));
700 		goto out;
701 	}
702 
703 	if ((error = pam_setcred(pam, 0)) != 0) {
704 		plog(LLV_ERROR, LOCATION, NULL,
705 		    "pam_setcred failed: %s\n",
706 		    pam_strerror(pam, error));
707 		goto out;
708 	}
709 
710 	if (remote != NULL)
711 		free(remote);
712 
713 	return 0;
714 
715 out:
716 	pam_end(pam, error);
717 	isakmp_cfg_config.port_pool[port].pam = NULL;
718 	if (remote != NULL)
719 		free(remote);
720 	return -1;
721 }
722 #endif
723 
724 #ifdef HAVE_LIBLDAP
725 int
xauth_ldap_init(void)726 xauth_ldap_init(void)
727 {
728 	int tmplen;
729 	int error = -1;
730 
731 	xauth_ldap_config.pver = 3;
732 	xauth_ldap_config.host = NULL;
733 	xauth_ldap_config.port = LDAP_PORT;
734 	xauth_ldap_config.base = NULL;
735 	xauth_ldap_config.subtree = 0;
736 	xauth_ldap_config.bind_dn = NULL;
737 	xauth_ldap_config.bind_pw = NULL;
738 	xauth_ldap_config.auth_type = LDAP_AUTH_SIMPLE;
739 	xauth_ldap_config.attr_user = NULL;
740 	xauth_ldap_config.attr_addr = NULL;
741 	xauth_ldap_config.attr_mask = NULL;
742 	xauth_ldap_config.attr_group = NULL;
743 	xauth_ldap_config.attr_member = NULL;
744 
745 	/* set default host */
746 	tmplen = strlen(LDAP_DFLT_HOST);
747 	xauth_ldap_config.host = vmalloc(tmplen);
748 	if (xauth_ldap_config.host == NULL)
749 		goto out;
750 	memcpy(xauth_ldap_config.host->v, LDAP_DFLT_HOST, tmplen);
751 
752 	/* set default user naming attribute */
753 	tmplen = strlen(LDAP_DFLT_USER);
754 	xauth_ldap_config.attr_user = vmalloc(tmplen);
755 	if (xauth_ldap_config.attr_user == NULL)
756 		goto out;
757 	memcpy(xauth_ldap_config.attr_user->v, LDAP_DFLT_USER, tmplen);
758 
759 	/* set default address attribute */
760 	tmplen = strlen(LDAP_DFLT_ADDR);
761 	xauth_ldap_config.attr_addr = vmalloc(tmplen);
762 	if (xauth_ldap_config.attr_addr == NULL)
763 		goto out;
764 	memcpy(xauth_ldap_config.attr_addr->v, LDAP_DFLT_ADDR, tmplen);
765 
766 	/* set default netmask attribute */
767 	tmplen = strlen(LDAP_DFLT_MASK);
768 	xauth_ldap_config.attr_mask = vmalloc(tmplen);
769 	if (xauth_ldap_config.attr_mask == NULL)
770 		goto out;
771 	memcpy(xauth_ldap_config.attr_mask->v, LDAP_DFLT_MASK, tmplen);
772 
773 	/* set default group naming attribute */
774 	tmplen = strlen(LDAP_DFLT_GROUP);
775 	xauth_ldap_config.attr_group = vmalloc(tmplen);
776 	if (xauth_ldap_config.attr_group == NULL)
777 		goto out;
778 	memcpy(xauth_ldap_config.attr_group->v, LDAP_DFLT_GROUP, tmplen);
779 
780 	/* set default member attribute */
781 	tmplen = strlen(LDAP_DFLT_MEMBER);
782 	xauth_ldap_config.attr_member = vmalloc(tmplen);
783 	if (xauth_ldap_config.attr_member == NULL)
784 		goto out;
785 	memcpy(xauth_ldap_config.attr_member->v, LDAP_DFLT_MEMBER, tmplen);
786 
787 	error = 0;
788 out:
789 	if (error != 0)
790 		plog(LLV_ERROR, LOCATION, NULL, "cannot allocate memory\n");
791 
792 	return error;
793 }
794 
795 int
xauth_login_ldap(iph1,usr,pwd)796 xauth_login_ldap(iph1, usr, pwd)
797 	struct ph1handle *iph1;
798 	char *usr;
799 	char *pwd;
800 {
801 	int rtn = -1;
802 	int res = -1;
803 	LDAP *ld = NULL;
804 	LDAPMessage *lr = NULL;
805 	LDAPMessage *le = NULL;
806 	struct berval cred;
807 	struct berval **bv = NULL;
808 	struct timeval timeout;
809 	char *init = NULL;
810 	char *filter = NULL;
811 	char *atlist[3];
812 	char *basedn = NULL;
813 	char *userdn = NULL;
814 	int tmplen = 0;
815 	int ecount = 0;
816 	int scope = LDAP_SCOPE_ONE;
817 
818 	atlist[0] = NULL;
819 	atlist[1] = NULL;
820 	atlist[2] = NULL;
821 
822 	/* build our initialization url */
823 	tmplen = strlen("ldap://:") + 17;
824 	tmplen += strlen(xauth_ldap_config.host->v);
825 	init = racoon_malloc(tmplen);
826 	if (init == NULL) {
827 		plog(LLV_ERROR, LOCATION, NULL,
828 			"unable to alloc ldap init url\n");
829 		goto ldap_end;
830 	}
831 	sprintf(init,"ldap://%s:%d",
832 		xauth_ldap_config.host->v,
833 		xauth_ldap_config.port );
834 
835 	/* initialize the ldap handle */
836 	res = ldap_initialize(&ld, init);
837 	if (res != LDAP_SUCCESS) {
838 		plog(LLV_ERROR, LOCATION, NULL,
839 			"ldap_initialize failed: %s\n",
840 			ldap_err2string(res));
841 		goto ldap_end;
842 	}
843 
844 	/* initialize the protocol version */
845 	ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION,
846 		&xauth_ldap_config.pver);
847 
848 	/*
849 	 * attempt to bind to the ldap server.
850          * default to anonymous bind unless a
851 	 * user dn and password has been
852 	 * specified in our configuration
853          */
854 	if ((xauth_ldap_config.bind_dn != NULL)&&
855 	    (xauth_ldap_config.bind_pw != NULL))
856 	{
857 		cred.bv_val = xauth_ldap_config.bind_pw->v;
858 		cred.bv_len = strlen( cred.bv_val );
859 		res = ldap_sasl_bind_s(ld,
860 			xauth_ldap_config.bind_dn->v, NULL, &cred,
861 			NULL, NULL, NULL);
862 	}
863 	else
864 	{
865 		res = ldap_sasl_bind_s(ld,
866 			NULL, NULL, NULL,
867 			NULL, NULL, NULL);
868 	}
869 
870 	if (res!=LDAP_SUCCESS) {
871 		plog(LLV_ERROR, LOCATION, NULL,
872 			"ldap_sasl_bind_s (search) failed: %s\n",
873 			ldap_err2string(res));
874 		goto ldap_end;
875 	}
876 
877 	/* build an ldap user search filter */
878 	tmplen = strlen(xauth_ldap_config.attr_user->v);
879 	tmplen += 1;
880 	tmplen += strlen(usr);
881 	tmplen += 1;
882 	filter = racoon_malloc(tmplen);
883 	if (filter == NULL) {
884 		plog(LLV_ERROR, LOCATION, NULL,
885 			"unable to alloc ldap search filter buffer\n");
886 		goto ldap_end;
887 	}
888 	sprintf(filter, "%s=%s",
889 		xauth_ldap_config.attr_user->v, usr);
890 
891 	/* build our return attribute list */
892 	tmplen = strlen(xauth_ldap_config.attr_addr->v) + 1;
893 	atlist[0] = racoon_malloc(tmplen);
894 	tmplen = strlen(xauth_ldap_config.attr_mask->v) + 1;
895 	atlist[1] = racoon_malloc(tmplen);
896 	if ((atlist[0] == NULL)||(atlist[1] == NULL)) {
897 		plog(LLV_ERROR, LOCATION, NULL,
898 			"unable to alloc ldap attrib list buffer\n");
899 		goto ldap_end;
900 	}
901 	strcpy(atlist[0],xauth_ldap_config.attr_addr->v);
902 	strcpy(atlist[1],xauth_ldap_config.attr_mask->v);
903 
904 	/* attempt to locate the user dn */
905 	if (xauth_ldap_config.base != NULL)
906 		basedn = xauth_ldap_config.base->v;
907 	if (xauth_ldap_config.subtree)
908 		scope = LDAP_SCOPE_SUBTREE;
909 	timeout.tv_sec = 15;
910 	timeout.tv_usec = 0;
911 	res = ldap_search_ext_s(ld, basedn, scope,
912 		filter, atlist, 0, NULL, NULL,
913 		&timeout, 2, &lr);
914 	if (res != LDAP_SUCCESS) {
915 		plog(LLV_ERROR, LOCATION, NULL,
916 			"ldap_search_ext_s failed: %s\n",
917 			ldap_err2string(res));
918 		goto ldap_end;
919 	}
920 
921 	/* check the number of ldap entries returned */
922 	ecount = ldap_count_entries(ld, lr);
923 	if (ecount < 1) {
924 		plog(LLV_WARNING, LOCATION, NULL,
925 			"no ldap results for filter \'%s\'\n",
926 			 filter);
927 		goto ldap_end;
928 	}
929 	if (ecount > 1) {
930 		plog(LLV_WARNING, LOCATION, NULL,
931 			"multiple (%i) ldap results for filter \'%s\'\n",
932 			ecount, filter);
933 	}
934 
935 	/* obtain the dn from the first result */
936 	le = ldap_first_entry(ld, lr);
937 	if (le == NULL) {
938 		plog(LLV_ERROR, LOCATION, NULL,
939 			"ldap_first_entry failed: invalid entry returned\n");
940 		goto ldap_end;
941 	}
942 	userdn = ldap_get_dn(ld, le);
943 	if (userdn == NULL) {
944 		plog(LLV_ERROR, LOCATION, NULL,
945 			"ldap_get_dn failed: invalid string returned\n");
946 		goto ldap_end;
947 	}
948 
949 	/* cache the user dn in the xauth state */
950 	iph1->mode_cfg->xauth.udn = racoon_malloc(strlen(userdn)+1);
951 	strcpy(iph1->mode_cfg->xauth.udn,userdn);
952 
953 	/* retrieve modecfg address */
954 	bv = ldap_get_values_len(ld, le, xauth_ldap_config.attr_addr->v);
955 	if (bv != NULL)	{
956 		char tmpaddr[16];
957 		/* sanity check for address value */
958 		if ((bv[0]->bv_len < 7)||(bv[0]->bv_len > 15)) {
959 			plog(LLV_DEBUG, LOCATION, NULL,
960 				"ldap returned invalid modecfg address\n");
961 			ldap_value_free_len(bv);
962 			goto ldap_end;
963 		}
964 		memcpy(tmpaddr,bv[0]->bv_val,bv[0]->bv_len);
965 		tmpaddr[bv[0]->bv_len]=0;
966 		iph1->mode_cfg->addr4.s_addr = inet_addr(tmpaddr);
967 		iph1->mode_cfg->flags |= ISAKMP_CFG_ADDR4_EXTERN;
968 		plog(LLV_INFO, LOCATION, NULL,
969 			"ldap returned modecfg address %s\n", tmpaddr);
970 		ldap_value_free_len(bv);
971 	}
972 
973 	/* retrieve modecfg netmask */
974 	bv = ldap_get_values_len(ld, le, xauth_ldap_config.attr_mask->v);
975 	if (bv != NULL)	{
976 		char tmpmask[16];
977 		/* sanity check for netmask value */
978 		if ((bv[0]->bv_len < 7)||(bv[0]->bv_len > 15)) {
979 			plog(LLV_DEBUG, LOCATION, NULL,
980 				"ldap returned invalid modecfg netmask\n");
981 			ldap_value_free_len(bv);
982 			goto ldap_end;
983 		}
984 		memcpy(tmpmask,bv[0]->bv_val,bv[0]->bv_len);
985 		tmpmask[bv[0]->bv_len]=0;
986 		iph1->mode_cfg->mask4.s_addr = inet_addr(tmpmask);
987 		iph1->mode_cfg->flags |= ISAKMP_CFG_MASK4_EXTERN;
988 		plog(LLV_INFO, LOCATION, NULL,
989 			"ldap returned modecfg netmask %s\n", tmpmask);
990 		ldap_value_free_len(bv);
991 	}
992 
993 	/*
994 	 * finally, use the dn and the xauth
995 	 * password to check the users given
996 	 * credentials by attempting to bind
997 	 * to the ldap server
998 	 */
999 	plog(LLV_INFO, LOCATION, NULL,
1000 		"attempting ldap bind for dn \'%s\'\n", userdn);
1001 	cred.bv_val = pwd;
1002 	cred.bv_len = strlen( cred.bv_val );
1003 	res = ldap_sasl_bind_s(ld,
1004 		userdn, NULL, &cred,
1005 		NULL, NULL, NULL);
1006         if(res==LDAP_SUCCESS)
1007 		rtn = 0;
1008 
1009 ldap_end:
1010 
1011 	/* free ldap resources */
1012 	if (userdn != NULL)
1013 		ldap_memfree(userdn);
1014 	if (atlist[0] != NULL)
1015 		racoon_free(atlist[0]);
1016 	if (atlist[1] != NULL)
1017 		racoon_free(atlist[1]);
1018 	if (filter != NULL)
1019 		racoon_free(filter);
1020 	if (lr != NULL)
1021 		ldap_msgfree(lr);
1022 	if (init != NULL)
1023 		racoon_free(init);
1024 
1025 	ldap_unbind_ext_s(ld, NULL, NULL);
1026 
1027 	return rtn;
1028 }
1029 
1030 int
xauth_group_ldap(udn,grp)1031 xauth_group_ldap(udn, grp)
1032 	char * udn;
1033 	char * grp;
1034 {
1035 	int rtn = -1;
1036 	int res = -1;
1037 	LDAP *ld = NULL;
1038 	LDAPMessage *lr = NULL;
1039 	LDAPMessage *le = NULL;
1040 	struct berval cred;
1041 	struct timeval timeout;
1042 	char *init = NULL;
1043 	char *filter = NULL;
1044 	char *basedn = NULL;
1045 	char *groupdn = NULL;
1046 	int tmplen = 0;
1047 	int ecount = 0;
1048 	int scope = LDAP_SCOPE_ONE;
1049 
1050 	/* build our initialization url */
1051 	tmplen = strlen("ldap://:") + 17;
1052 	tmplen += strlen(xauth_ldap_config.host->v);
1053 	init = racoon_malloc(tmplen);
1054 	if (init == NULL) {
1055 		plog(LLV_ERROR, LOCATION, NULL,
1056 			"unable to alloc ldap init url\n");
1057 		goto ldap_group_end;
1058 	}
1059 	sprintf(init,"ldap://%s:%d",
1060 		xauth_ldap_config.host->v,
1061 		xauth_ldap_config.port );
1062 
1063 	/* initialize the ldap handle */
1064 	res = ldap_initialize(&ld, init);
1065 	if (res != LDAP_SUCCESS) {
1066 		plog(LLV_ERROR, LOCATION, NULL,
1067 			"ldap_initialize failed: %s\n",
1068 			ldap_err2string(res));
1069 		goto ldap_group_end;
1070 	}
1071 
1072 	/* initialize the protocol version */
1073 	ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION,
1074 		&xauth_ldap_config.pver);
1075 
1076 	/*
1077 	 * attempt to bind to the ldap server.
1078          * default to anonymous bind unless a
1079 	 * user dn and password has been
1080 	 * specified in our configuration
1081          */
1082 	if ((xauth_ldap_config.bind_dn != NULL)&&
1083 	    (xauth_ldap_config.bind_pw != NULL))
1084 	{
1085 		cred.bv_val = xauth_ldap_config.bind_pw->v;
1086 		cred.bv_len = strlen( cred.bv_val );
1087 		res = ldap_sasl_bind_s(ld,
1088 			xauth_ldap_config.bind_dn->v, NULL, &cred,
1089 			NULL, NULL, NULL);
1090 	}
1091 	else
1092 	{
1093 		res = ldap_sasl_bind_s(ld,
1094 			NULL, NULL, NULL,
1095 			NULL, NULL, NULL);
1096 	}
1097 
1098 	if (res!=LDAP_SUCCESS) {
1099 		plog(LLV_ERROR, LOCATION, NULL,
1100 			"ldap_sasl_bind_s (search) failed: %s\n",
1101 			ldap_err2string(res));
1102 		goto ldap_group_end;
1103 	}
1104 
1105 	/* build an ldap group search filter */
1106 	tmplen = strlen("(&(=)(=))") + 1;
1107 	tmplen += strlen(xauth_ldap_config.attr_group->v);
1108 	tmplen += strlen(grp);
1109 	tmplen += strlen(xauth_ldap_config.attr_member->v);
1110 	tmplen += strlen(udn);
1111 	filter = racoon_malloc(tmplen);
1112 	if (filter == NULL) {
1113 		plog(LLV_ERROR, LOCATION, NULL,
1114 			"unable to alloc ldap search filter buffer\n");
1115 		goto ldap_group_end;
1116 	}
1117 	sprintf(filter, "(&(%s=%s)(%s=%s))",
1118 		xauth_ldap_config.attr_group->v, grp,
1119 		xauth_ldap_config.attr_member->v, udn);
1120 
1121 	/* attempt to locate the group dn */
1122 	if (xauth_ldap_config.base != NULL)
1123 		basedn = xauth_ldap_config.base->v;
1124 	if (xauth_ldap_config.subtree)
1125 		scope = LDAP_SCOPE_SUBTREE;
1126 	timeout.tv_sec = 15;
1127 	timeout.tv_usec = 0;
1128 	res = ldap_search_ext_s(ld, basedn, scope,
1129 		filter, NULL, 0, NULL, NULL,
1130 		&timeout, 2, &lr);
1131 	if (res != LDAP_SUCCESS) {
1132 		plog(LLV_ERROR, LOCATION, NULL,
1133 			"ldap_search_ext_s failed: %s\n",
1134 			ldap_err2string(res));
1135 		goto ldap_group_end;
1136 	}
1137 
1138 	/* check the number of ldap entries returned */
1139 	ecount = ldap_count_entries(ld, lr);
1140 	if (ecount < 1) {
1141 		plog(LLV_WARNING, LOCATION, NULL,
1142 			"no ldap results for filter \'%s\'\n",
1143 			 filter);
1144 		goto ldap_group_end;
1145 	}
1146 
1147 	/* success */
1148 	rtn = 0;
1149 
1150 	/* obtain the dn from the first result */
1151 	le = ldap_first_entry(ld, lr);
1152 	if (le == NULL) {
1153 		plog(LLV_ERROR, LOCATION, NULL,
1154 			"ldap_first_entry failed: invalid entry returned\n");
1155 		goto ldap_group_end;
1156 	}
1157 	groupdn = ldap_get_dn(ld, le);
1158 	if (groupdn == NULL) {
1159 		plog(LLV_ERROR, LOCATION, NULL,
1160 			"ldap_get_dn failed: invalid string returned\n");
1161 		goto ldap_group_end;
1162 	}
1163 
1164 	plog(LLV_INFO, LOCATION, NULL,
1165 		"ldap membership group returned \'%s\'\n", groupdn);
1166 ldap_group_end:
1167 
1168 	/* free ldap resources */
1169 	if (groupdn != NULL)
1170 		ldap_memfree(groupdn);
1171 	if (filter != NULL)
1172 		racoon_free(filter);
1173 	if (lr != NULL)
1174 		ldap_msgfree(lr);
1175 	if (init != NULL)
1176 		racoon_free(init);
1177 
1178 	ldap_unbind_ext_s(ld, NULL, NULL);
1179 
1180 	return rtn;
1181 }
1182 
1183 #endif
1184 
1185 #ifndef ANDROID_PATCHED
1186 
1187 int
xauth_login_system(usr,pwd)1188 xauth_login_system(usr, pwd)
1189 	char *usr;
1190 	char *pwd;
1191 {
1192 	struct passwd *pw;
1193 	char *cryptpwd;
1194 	char *syscryptpwd;
1195 #ifdef HAVE_SHADOW_H
1196 	struct spwd *spw;
1197 
1198 	if ((spw = getspnam(usr)) == NULL)
1199 		return -1;
1200 
1201 	syscryptpwd = spw->sp_pwdp;
1202 #endif
1203 
1204 	if ((pw = getpwnam(usr)) == NULL)
1205 		return -1;
1206 
1207 #ifndef HAVE_SHADOW_H
1208 	syscryptpwd = pw->pw_passwd;
1209 #endif
1210 
1211 	/* No root login. Ever. */
1212 	if (pw->pw_uid == 0)
1213 		return -1;
1214 
1215 	if ((cryptpwd = crypt(pwd, syscryptpwd)) == NULL)
1216 		return -1;
1217 
1218 	if (strcmp(cryptpwd, syscryptpwd) == 0)
1219 		return 0;
1220 
1221 	return -1;
1222 }
1223 
1224 #endif
1225 
1226 int
xauth_group_system(usr,grp)1227 xauth_group_system(usr, grp)
1228 	char * usr;
1229 	char * grp;
1230 {
1231 	struct group * gr;
1232 	char * member;
1233 	int index = 0;
1234 
1235 	gr = getgrnam(grp);
1236 	if (gr == NULL) {
1237 		plog(LLV_ERROR, LOCATION, NULL,
1238 			"the system group name \'%s\' is unknown\n",
1239 			grp);
1240 		return -1;
1241 	}
1242 
1243 	while ((member = gr->gr_mem[index++])!=NULL) {
1244 		if (!strcmp(member,usr)) {
1245 			plog(LLV_INFO, LOCATION, NULL,
1246 		                "membership validated\n");
1247 			return 0;
1248 		}
1249 	}
1250 
1251 	return -1;
1252 }
1253 
1254 int
xauth_check(iph1)1255 xauth_check(iph1)
1256 	struct ph1handle *iph1;
1257 {
1258 	struct xauth_state *xst = &iph1->mode_cfg->xauth;
1259 
1260 	/*
1261  	 * Only the server side (edge device) really check for Xauth
1262 	 * status. It does it if the chose authmethod is using Xauth.
1263 	 * On the client side (roadwarrior), we don't check anything.
1264 	 */
1265 	switch (AUTHMETHOD(iph1)) {
1266 	case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_R:
1267 	case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_R:
1268 	case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_R:
1269 	/* The following are not yet implemented */
1270 	case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_R:
1271 	case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_R:
1272 	case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_R:
1273 	case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_R:
1274 		if ((iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_XAUTH) == 0) {
1275 			plog(LLV_ERROR, LOCATION, NULL,
1276 			    "Hybrid auth negotiated but peer did not "
1277 			    "announced as Xauth capable\n");
1278 			return -1;
1279 		}
1280 
1281 		if (xst->status != XAUTHST_OK) {
1282 			plog(LLV_ERROR, LOCATION, NULL,
1283 			    "Hybrid auth negotiated but peer did not "
1284 			    "succeed Xauth exchange\n");
1285 			return -1;
1286 		}
1287 
1288 		return 0;
1289 		break;
1290 	default:
1291 		return 0;
1292 		break;
1293 	}
1294 
1295 	return 0;
1296 }
1297 
1298 int
group_check(iph1,grp_list,grp_count)1299 group_check(iph1, grp_list, grp_count)
1300 	struct ph1handle *iph1;
1301 	char **grp_list;
1302 	int grp_count;
1303 {
1304 	int res = -1;
1305 	int grp_index = 0;
1306 	char * usr = NULL;
1307 
1308 	/* check for presence of modecfg data */
1309 
1310 	if(iph1->mode_cfg == NULL) {
1311 		plog(LLV_ERROR, LOCATION, NULL,
1312 			"xauth group specified but modecfg not found\n");
1313 		return res;
1314 	}
1315 
1316 	/* loop through our group list */
1317 
1318 	for(; grp_index < grp_count; grp_index++) {
1319 
1320 		/* check for presence of xauth data */
1321 
1322 		usr = iph1->mode_cfg->xauth.authdata.generic.usr;
1323 
1324 		if(usr == NULL) {
1325 			plog(LLV_ERROR, LOCATION, NULL,
1326 				"xauth group specified but xauth not found\n");
1327 			return res;
1328 		}
1329 
1330 		/* call appropriate group validation funtion */
1331 
1332 		switch (isakmp_cfg_config.groupsource) {
1333 
1334 			case ISAKMP_CFG_GROUP_SYSTEM:
1335 				res = xauth_group_system(
1336 					usr,
1337 					grp_list[grp_index]);
1338 				break;
1339 
1340 #ifdef HAVE_LIBLDAP
1341 			case ISAKMP_CFG_GROUP_LDAP:
1342 				res = xauth_group_ldap(
1343 					iph1->mode_cfg->xauth.udn,
1344 					grp_list[grp_index]);
1345 				break;
1346 #endif
1347 
1348 			default:
1349 				/* we should never get here */
1350 				plog(LLV_ERROR, LOCATION, NULL,
1351 				    "Unknown group auth source\n");
1352 				break;
1353 		}
1354 
1355 		if( !res ) {
1356 			plog(LLV_INFO, LOCATION, NULL,
1357 				"user \"%s\" is a member of group \"%s\"\n",
1358 				usr,
1359 				grp_list[grp_index]);
1360 			break;
1361 		} else {
1362 			plog(LLV_INFO, LOCATION, NULL,
1363 				"user \"%s\" is not a member of group \"%s\"\n",
1364 				usr,
1365 				grp_list[grp_index]);
1366 		}
1367 	}
1368 
1369 	return res;
1370 }
1371 
1372 vchar_t *
isakmp_xauth_req(iph1,attr)1373 isakmp_xauth_req(iph1, attr)
1374 	struct ph1handle *iph1;
1375 	struct isakmp_data *attr;
1376 {
1377 	int type;
1378 	size_t dlen = 0;
1379 	int ashort = 0;
1380 	int value = 0;
1381 	vchar_t *buffer = NULL;
1382 	char *mraw = NULL, *mdata;
1383 	char *data;
1384 	vchar_t *usr = NULL;
1385 	vchar_t *pwd = NULL;
1386 	size_t skip = 0;
1387 	int freepwd = 0;
1388 
1389 	if ((iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_XAUTH) == 0) {
1390 		plog(LLV_ERROR, LOCATION, NULL,
1391 		    "Xauth mode config request but peer "
1392 		    "did not declare itself as Xauth capable\n");
1393 		return NULL;
1394 	}
1395 
1396 	type = ntohs(attr->type) & ~ISAKMP_GEN_MASK;
1397 
1398 	/* Sanity checks */
1399 	switch(type) {
1400 	case XAUTH_TYPE:
1401 		if ((ntohs(attr->type) & ISAKMP_GEN_TV) == 0) {
1402 			plog(LLV_ERROR, LOCATION, NULL,
1403 			    "Unexpected long XAUTH_TYPE attribute\n");
1404 			return NULL;
1405 		}
1406 		if (ntohs(attr->lorv) != XAUTH_TYPE_GENERIC) {
1407 			plog(LLV_ERROR, LOCATION, NULL,
1408 			    "Unsupported Xauth authentication %d\n",
1409 			    ntohs(attr->lorv));
1410 			return NULL;
1411 		}
1412 		ashort = 1;
1413 		dlen = 0;
1414 		value = XAUTH_TYPE_GENERIC;
1415 		break;
1416 
1417 	case XAUTH_USER_NAME:
1418 		if (!iph1->rmconf->xauth || !iph1->rmconf->xauth->login) {
1419 			plog(LLV_ERROR, LOCATION, NULL, "Xauth performed "
1420 			    "with no login supplied\n");
1421 			return NULL;
1422 		}
1423 
1424 		dlen = iph1->rmconf->xauth->login->l - 1;
1425 		iph1->rmconf->xauth->state |= XAUTH_SENT_USERNAME;
1426 		break;
1427 
1428 #ifdef ANDROID_PATCHED
1429         case XAUTH_PASSCODE:
1430 #endif
1431 	case XAUTH_USER_PASSWORD:
1432 		if (!iph1->rmconf->xauth || !iph1->rmconf->xauth->login)
1433 			return NULL;
1434 
1435 		skip = sizeof(struct ipsecdoi_id_b);
1436 		usr = vmalloc(iph1->rmconf->xauth->login->l - 1 + skip);
1437 		if (usr == NULL) {
1438 			plog(LLV_ERROR, LOCATION, NULL,
1439 			    "Cannot allocate memory\n");
1440 			return NULL;
1441 		}
1442 		memset(usr->v, 0, skip);
1443 		memcpy(usr->v + skip,
1444 		    iph1->rmconf->xauth->login->v,
1445 		    iph1->rmconf->xauth->login->l - 1);
1446 
1447 		if (iph1->rmconf->xauth->pass) {
1448 			/* A key given through racoonctl */
1449 			pwd = iph1->rmconf->xauth->pass;
1450 		} else {
1451 			if ((pwd = getpskbyname(usr)) == NULL) {
1452 				plog(LLV_ERROR, LOCATION, NULL,
1453 				    "No password was found for login %s\n",
1454 				    iph1->rmconf->xauth->login->v);
1455 				vfree(usr);
1456 				return NULL;
1457 			}
1458 			/* We have to free it before returning */
1459 			freepwd = 1;
1460 		}
1461 		vfree(usr);
1462 
1463 		iph1->rmconf->xauth->state |= XAUTH_SENT_PASSWORD;
1464 		dlen = pwd->l;
1465 
1466 		break;
1467 	case XAUTH_MESSAGE:
1468 		if ((ntohs(attr->type) & ISAKMP_GEN_TV) == 0) {
1469 			dlen = ntohs(attr->lorv);
1470 			if (dlen > 0) {
1471 				mraw = (char*)(attr + 1);
1472 				mdata = binsanitize(mraw, dlen);
1473 				if (mdata == NULL) {
1474 					plog(LLV_ERROR, LOCATION, iph1->remote,
1475 					    "Cannot allocate memory\n");
1476 					return NULL;
1477 				}
1478 				plog(LLV_NOTIFY,LOCATION, iph1->remote,
1479 					"XAUTH Message: '%s'.\n",
1480 					mdata);
1481 				racoon_free(mdata);
1482 			}
1483 		}
1484 		return NULL;
1485 	default:
1486 		plog(LLV_WARNING, LOCATION, NULL,
1487 		    "Ignored attribute %s\n", s_isakmp_cfg_type(type));
1488 		return NULL;
1489 		break;
1490 	}
1491 
1492 	if ((buffer = vmalloc(sizeof(*attr) + dlen)) == NULL) {
1493 		plog(LLV_ERROR, LOCATION, NULL,
1494 		    "Cannot allocate memory\n");
1495 		goto out;
1496 	}
1497 
1498 	attr = (struct isakmp_data *)buffer->v;
1499 	if (ashort) {
1500 		attr->type = htons(type | ISAKMP_GEN_TV);
1501 		attr->lorv = htons(value);
1502 		goto out;
1503 	}
1504 
1505 	attr->type = htons(type | ISAKMP_GEN_TLV);
1506 	attr->lorv = htons(dlen);
1507 	data = (char *)(attr + 1);
1508 
1509 	switch(type) {
1510 	case XAUTH_USER_NAME:
1511 		/*
1512 		 * iph1->rmconf->xauth->login->v is valid,
1513 		 * we just checked it in the previous switch case
1514 		 */
1515 		memcpy(data, iph1->rmconf->xauth->login->v, dlen);
1516 		break;
1517 #ifdef ANDROID_PATCHED
1518         case XAUTH_PASSCODE:
1519 #endif
1520 	case XAUTH_USER_PASSWORD:
1521 		memcpy(data, pwd->v, dlen);
1522 		break;
1523 	default:
1524 		break;
1525 	}
1526 
1527 out:
1528 	if (freepwd)
1529 		vfree(pwd);
1530 
1531 	return buffer;
1532 }
1533 
1534 vchar_t *
isakmp_xauth_set(iph1,attr)1535 isakmp_xauth_set(iph1, attr)
1536 	struct ph1handle *iph1;
1537 	struct isakmp_data *attr;
1538 {
1539 	int type;
1540 	vchar_t *buffer = NULL;
1541 	char *data;
1542 	struct xauth_state *xst;
1543 	size_t dlen = 0;
1544 	char* mraw = NULL, *mdata;
1545 
1546 	if ((iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_XAUTH) == 0) {
1547 		plog(LLV_ERROR, LOCATION, NULL,
1548 		    "Xauth mode config set but peer "
1549 		    "did not declare itself as Xauth capable\n");
1550 		return NULL;
1551 	}
1552 
1553 	type = ntohs(attr->type) & ~ISAKMP_GEN_MASK;
1554 
1555 	switch(type) {
1556 	case XAUTH_STATUS:
1557 		/*
1558 		 * We should only receive ISAKMP mode_cfg SET XAUTH_STATUS
1559 		 * when running as a client (initiator).
1560 		 */
1561 		xst = &iph1->mode_cfg->xauth;
1562 		switch(AUTHMETHOD(iph1)) {
1563 		case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I:
1564 		case FICTIVE_AUTH_METHOD_XAUTH_PSKEY_I:
1565 		case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_I:
1566 		/* Not implemented ... */
1567 		case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_I:
1568 		case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_I:
1569 		case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_I:
1570 		case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_I:
1571 			break;
1572 		default:
1573 			plog(LLV_ERROR, LOCATION, NULL,
1574 			    "Unexpected XAUTH_STATUS_OK\n");
1575 			return NULL;
1576 			break;
1577 		}
1578 
1579 		/* If we got a failure, delete iph1 */
1580 		if (ntohs(attr->lorv) != XAUTH_STATUS_OK) {
1581 			plog(LLV_ERROR, LOCATION, NULL,
1582 			    "Xauth authentication failed\n");
1583 
1584 			EVT_PUSH(iph1->local, iph1->remote,
1585 			    EVTT_XAUTH_FAILED, NULL);
1586 
1587 			iph1->mode_cfg->flags |= ISAKMP_CFG_DELETE_PH1;
1588 		} else {
1589 			EVT_PUSH(iph1->local, iph1->remote,
1590 			    EVTT_XAUTH_SUCCESS, NULL);
1591 		}
1592 
1593 
1594 		/* We acknowledge it */
1595 		break;
1596 	case XAUTH_MESSAGE:
1597 		if ((ntohs(attr->type) & ISAKMP_GEN_TV) == 0) {
1598 			dlen = ntohs(attr->lorv);
1599 			if (dlen > 0) {
1600 				mraw = (char*)(attr + 1);
1601 				mdata = binsanitize(mraw, dlen);
1602 				if (mdata == NULL) {
1603 					plog(LLV_ERROR, LOCATION, iph1->remote,
1604 					    "Cannot allocate memory\n");
1605 					return NULL;
1606 				}
1607 				plog(LLV_NOTIFY,LOCATION, iph1->remote,
1608 					"XAUTH Message: '%s'.\n",
1609 					mdata);
1610 				racoon_free(mdata);
1611 			}
1612 		}
1613 
1614 	default:
1615 		plog(LLV_WARNING, LOCATION, NULL,
1616 		    "Ignored attribute %s\n", s_isakmp_cfg_type(type));
1617 		return NULL;
1618 		break;
1619 	}
1620 
1621 	if ((buffer = vmalloc(sizeof(*attr))) == NULL) {
1622 		plog(LLV_ERROR, LOCATION, NULL,
1623 		    "Cannot allocate memory\n");
1624 		return NULL;
1625 	}
1626 
1627 	attr = (struct isakmp_data *)buffer->v;
1628 	attr->type = htons(type | ISAKMP_GEN_TV);
1629 	attr->lorv = htons(0);
1630 
1631 	return buffer;
1632 }
1633 
1634 
1635 void
xauth_rmstate(xst)1636 xauth_rmstate(xst)
1637 	struct xauth_state *xst;
1638 {
1639 	switch (xst->authtype) {
1640 	case XAUTH_TYPE_GENERIC:
1641 		if (xst->authdata.generic.usr)
1642 			racoon_free(xst->authdata.generic.usr);
1643 
1644 		if (xst->authdata.generic.pwd)
1645 			racoon_free(xst->authdata.generic.pwd);
1646 
1647 		break;
1648 
1649 	case XAUTH_TYPE_CHAP:
1650 	case XAUTH_TYPE_OTP:
1651 	case XAUTH_TYPE_SKEY:
1652 		plog(LLV_WARNING, LOCATION, NULL,
1653 		    "Unsupported authtype %d\n", xst->authtype);
1654 		break;
1655 
1656 	default:
1657 		plog(LLV_WARNING, LOCATION, NULL,
1658 		    "Unexpected authtype %d\n", xst->authtype);
1659 		break;
1660 	}
1661 
1662 #ifdef HAVE_LIBLDAP
1663 	if (xst->udn != NULL)
1664 		racoon_free(xst->udn);
1665 #endif
1666 	return;
1667 }
1668 
1669 int
xauth_rmconf_used(xauth_rmconf)1670 xauth_rmconf_used(xauth_rmconf)
1671 	struct xauth_rmconf **xauth_rmconf;
1672 {
1673 	if (*xauth_rmconf == NULL) {
1674 		*xauth_rmconf = racoon_malloc(sizeof(**xauth_rmconf));
1675 		if (*xauth_rmconf == NULL) {
1676 			plog(LLV_ERROR, LOCATION, NULL,
1677 			    "xauth_rmconf_used: malloc failed\n");
1678 			return -1;
1679 		}
1680 
1681 		(*xauth_rmconf)->login = NULL;
1682 		(*xauth_rmconf)->pass = NULL;
1683 		(*xauth_rmconf)->state = 0;
1684 	}
1685 
1686 	return 0;
1687 }
1688 
1689 void
xauth_rmconf_delete(xauth_rmconf)1690 xauth_rmconf_delete(xauth_rmconf)
1691 	struct xauth_rmconf **xauth_rmconf;
1692 {
1693 	if (*xauth_rmconf != NULL) {
1694 		if ((*xauth_rmconf)->login != NULL)
1695 			vfree((*xauth_rmconf)->login);
1696 		if ((*xauth_rmconf)->pass != NULL)
1697 			vfree((*xauth_rmconf)->pass);
1698 
1699 		racoon_free(*xauth_rmconf);
1700 		*xauth_rmconf = NULL;
1701 	}
1702 
1703 	return;
1704 }
1705