xref: /freebsd/lib/libpam/modules/pam_radius/pam_radius.c (revision af23369a6deaaeb612ab266eb88b8bb8d560c322) 
1 /*-
2  * SPDX-License-Identifier: BSD-3-Clause
3  *
4  * Copyright 1998 Juniper Networks, Inc.
5  * All rights reserved.
6  * Copyright (c) 2001-2003 Networks Associates Technology, Inc.
7  * All rights reserved.
8  * Copyright (c) 2015-2018 The University of Oslo
9  * All rights reserved.
10  *
11  * Portions of this software were developed for the FreeBSD Project by
12  * ThinkSec AS and NAI Labs, the Security Research Division of Network
13  * Associates, Inc.  under DARPA/SPAWAR contract N66001-01-C-8035
14  * ("CBOSS"), as part of the DARPA CHATS research program.
15  *
16  * Redistribution and use in source and binary forms, with or without
17  * modification, are permitted provided that the following conditions
18  * are met:
19  * 1. Redistributions of source code must retain the above copyright
20  *    notice, this list of conditions and the following disclaimer.
21  * 2. Redistributions in binary form must reproduce the above copyright
22  *    notice, this list of conditions and the following disclaimer in the
23  *    documentation and/or other materials provided with the distribution.
24  * 3. The name of the author may not be used to endorse or promote
25  *    products derived from this software without specific prior written
26  *    permission.
27  *
28  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
29  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
30  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
31  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
32  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
33  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
34  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
35  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
36  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
37  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
38  * SUCH DAMAGE.
39  */
40 
41 #include <sys/cdefs.h>
42 __FBSDID("$FreeBSD$");
43 
44 #include <sys/param.h>
45 #include <sys/socket.h>
46 #include <netdb.h>
47 #include <pwd.h>
48 #include <radlib.h>
49 #include <stdlib.h>
50 #include <string.h>
51 #include <syslog.h>
52 #include <unistd.h>
53 
54 #define PAM_SM_AUTH
55 
56 #include <security/pam_appl.h>
57 #include <security/pam_modules.h>
58 #include <security/pam_mod_misc.h>
59 
60 #define PAM_OPT_CONF		"conf"
61 #define PAM_OPT_TEMPLATE_USER	"template_user"
62 #define PAM_OPT_NAS_ID		"nas_id"
63 #define PAM_OPT_NAS_IPADDR	"nas_ipaddr"
64 #define PAM_OPT_NO_REPLYMSG	"no_reply_message"
65 
66 #define	MAX_CHALLENGE_MSGS	10
67 #define	PASSWORD_PROMPT		"RADIUS Password:"
68 
69 static int	 build_access_request(struct rad_handle *, const char *,
70 		    const char *, const char *, const char *, const char *,
71 		    const void *, size_t);
72 static int	 do_accept(pam_handle_t *, struct rad_handle *);
73 static int	 do_challenge(pam_handle_t *, struct rad_handle *,
74 		    const char *, const char *, const char *, const char *);
75 
76 /*
77  * Construct an access request, but don't send it.  Returns 0 on success,
78  * -1 on failure.
79  */
80 static int
81 build_access_request(struct rad_handle *radh, const char *user,
82     const char *pass, const char *nas_id, const char *nas_ipaddr,
83     const char *rhost, const void *state, size_t state_len)
84 {
85 	int error;
86 	char host[MAXHOSTNAMELEN];
87 	struct sockaddr_in *haddr;
88 	struct addrinfo hints;
89 	struct addrinfo *res;
90 
91 	if (rad_create_request(radh, RAD_ACCESS_REQUEST) == -1) {
92 		syslog(LOG_CRIT, "rad_create_request: %s", rad_strerror(radh));
93 		return (-1);
94 	}
95 	if (nas_id == NULL ||
96 	    (nas_ipaddr != NULL && strlen(nas_ipaddr) == 0)) {
97 		if (gethostname(host, sizeof host) != -1) {
98 			if (nas_id == NULL)
99 				nas_id = host;
100 			if (nas_ipaddr != NULL && strlen(nas_ipaddr) == 0)
101 				nas_ipaddr = host;
102 		}
103 	}
104 	if ((user != NULL &&
105 	    rad_put_string(radh, RAD_USER_NAME, user) == -1) ||
106 	    (pass != NULL &&
107 	    rad_put_string(radh, RAD_USER_PASSWORD, pass) == -1) ||
108 	    (nas_id != NULL &&
109 	    rad_put_string(radh, RAD_NAS_IDENTIFIER, nas_id) == -1)) {
110 		syslog(LOG_CRIT, "rad_put_string: %s", rad_strerror(radh));
111 		return (-1);
112 	}
113 	if (nas_ipaddr != NULL) {
114 		memset(&hints, 0, sizeof(hints));
115 		hints.ai_family = AF_INET;
116 		if (getaddrinfo(nas_ipaddr, NULL, &hints, &res) == 0 &&
117 		    res != NULL && res->ai_family == AF_INET) {
118 			haddr = (struct sockaddr_in *)res->ai_addr;
119 			error = rad_put_addr(radh, RAD_NAS_IP_ADDRESS,
120 			    haddr->sin_addr);
121 			freeaddrinfo(res);
122 			if (error == -1) {
123 				syslog(LOG_CRIT, "rad_put_addr: %s",
124 				    rad_strerror(radh));
125 				return (-1);
126 			}
127 		}
128 	}
129 	if (rhost != NULL &&
130 	    rad_put_string(radh, RAD_CALLING_STATION_ID, rhost) == -1) {
131 		syslog(LOG_CRIT, "rad_put_string: %s", rad_strerror(radh));
132 		return (-1);
133 	}
134 	if (state != NULL &&
135 	    rad_put_attr(radh, RAD_STATE, state, state_len) == -1) {
136 		syslog(LOG_CRIT, "rad_put_attr: %s", rad_strerror(radh));
137 		return (-1);
138 	}
139 	if (rad_put_int(radh, RAD_SERVICE_TYPE, RAD_AUTHENTICATE_ONLY) == -1) {
140 		syslog(LOG_CRIT, "rad_put_int: %s", rad_strerror(radh));
141 		return (-1);
142 	}
143 	return (0);
144 }
145 
146 static int
147 do_accept(pam_handle_t *pamh, struct rad_handle *radh)
148 {
149 	int attrtype;
150 	const void *attrval;
151 	size_t attrlen;
152 	char *s;
153 
154 	while ((attrtype = rad_get_attr(radh, &attrval, &attrlen)) > 0) {
155 		switch (attrtype) {
156 		case RAD_USER_NAME:
157 			if ((s = rad_cvt_string(attrval, attrlen)) == NULL)
158 				goto enomem;
159 			pam_set_item(pamh, PAM_USER, s);
160 			free(s);
161 			break;
162 		case RAD_REPLY_MESSAGE:
163 			if ((s = rad_cvt_string(attrval, attrlen)) == NULL)
164 				goto enomem;
165 			if (!openpam_get_option(pamh, PAM_OPT_NO_REPLYMSG))
166 				pam_info(pamh, "%s", s);
167 			free(s);
168 			break;
169 		default:
170 			PAM_LOG("%s(): ignoring RADIUS attribute %d",
171 			    __func__, attrtype);
172 		}
173 	}
174 	if (attrtype == -1) {
175 		syslog(LOG_CRIT, "rad_get_attr: %s", rad_strerror(radh));
176 		return (-1);
177 	}
178 	return (0);
179 enomem:
180 	syslog(LOG_CRIT, "%s(): out of memory", __func__);
181 	return (-1);
182 }
183 
184 static int
185 do_reject(pam_handle_t *pamh, struct rad_handle *radh)
186 {
187 	int attrtype;
188 	const void *attrval;
189 	size_t attrlen;
190 	char *s;
191 
192 	while ((attrtype = rad_get_attr(radh, &attrval, &attrlen)) > 0) {
193 		switch (attrtype) {
194 		case RAD_REPLY_MESSAGE:
195 			if ((s = rad_cvt_string(attrval, attrlen)) == NULL)
196 				goto enomem;
197 			if (!openpam_get_option(pamh, PAM_OPT_NO_REPLYMSG))
198 				pam_error(pamh, "%s", s);
199 			free(s);
200 			break;
201 		default:
202 			PAM_LOG("%s(): ignoring RADIUS attribute %d",
203 			    __func__, attrtype);
204 		}
205 	}
206 	if (attrtype < 0) {
207 		syslog(LOG_CRIT, "rad_get_attr: %s", rad_strerror(radh));
208 		return (-1);
209 	}
210 	return (0);
211 enomem:
212 	syslog(LOG_CRIT, "%s(): out of memory", __func__);
213 	return (-1);
214 }
215 
216 static int
217 do_challenge(pam_handle_t *pamh, struct rad_handle *radh, const char *user,
218     const char *nas_id, const char *nas_ipaddr, const char *rhost)
219 {
220 	int retval;
221 	int attrtype;
222 	const void *attrval;
223 	size_t attrlen;
224 	const void *state;
225 	size_t statelen;
226 	struct pam_message msgs[MAX_CHALLENGE_MSGS];
227 	const struct pam_message *msg_ptrs[MAX_CHALLENGE_MSGS];
228 	struct pam_response *resp;
229 	int num_msgs;
230 	const void *item;
231 	const struct pam_conv *conv;
232 
233 	state = NULL;
234 	statelen = 0;
235 	num_msgs = 0;
236 	while ((attrtype = rad_get_attr(radh, &attrval, &attrlen)) > 0) {
237 		switch (attrtype) {
238 
239 		case RAD_STATE:
240 			state = attrval;
241 			statelen = attrlen;
242 			break;
243 
244 		case RAD_REPLY_MESSAGE:
245 			if (num_msgs >= MAX_CHALLENGE_MSGS) {
246 				syslog(LOG_CRIT,
247 				    "Too many RADIUS challenge messages");
248 				return (PAM_SERVICE_ERR);
249 			}
250 			msgs[num_msgs].msg = rad_cvt_string(attrval, attrlen);
251 			if (msgs[num_msgs].msg == NULL) {
252 				syslog(LOG_CRIT,
253 				    "rad_cvt_string: out of memory");
254 				return (PAM_SERVICE_ERR);
255 			}
256 			msgs[num_msgs].msg_style = PAM_TEXT_INFO;
257 			msg_ptrs[num_msgs] = &msgs[num_msgs];
258 			num_msgs++;
259 			break;
260 		}
261 	}
262 	if (attrtype == -1) {
263 		syslog(LOG_CRIT, "rad_get_attr: %s", rad_strerror(radh));
264 		return (PAM_SERVICE_ERR);
265 	}
266 	if (num_msgs == 0) {
267 		msgs[num_msgs].msg = strdup("(null RADIUS challenge): ");
268 		if (msgs[num_msgs].msg == NULL) {
269 			syslog(LOG_CRIT, "Out of memory");
270 			return (PAM_SERVICE_ERR);
271 		}
272 		msgs[num_msgs].msg_style = PAM_TEXT_INFO;
273 		msg_ptrs[num_msgs] = &msgs[num_msgs];
274 		num_msgs++;
275 	}
276 	msgs[num_msgs-1].msg_style = PAM_PROMPT_ECHO_ON;
277 	if ((retval = pam_get_item(pamh, PAM_CONV, &item)) != PAM_SUCCESS) {
278 		syslog(LOG_CRIT, "do_challenge: cannot get PAM_CONV");
279 		return (retval);
280 	}
281 	conv = (const struct pam_conv *)item;
282 	if ((retval = conv->conv(num_msgs, msg_ptrs, &resp,
283 	    conv->appdata_ptr)) != PAM_SUCCESS)
284 		return (retval);
285 	if (build_access_request(radh, user, resp[num_msgs-1].resp, nas_id,
286 	    nas_ipaddr, rhost, state, statelen) == -1)
287 		return (PAM_SERVICE_ERR);
288 	memset(resp[num_msgs-1].resp, 0, strlen(resp[num_msgs-1].resp));
289 	free(resp[num_msgs-1].resp);
290 	free(resp);
291 	while (num_msgs > 0)
292 		free(msgs[--num_msgs].msg);
293 	return (PAM_SUCCESS);
294 }
295 
296 PAM_EXTERN int
297 pam_sm_authenticate(pam_handle_t *pamh, int flags __unused,
298     int argc __unused, const char *argv[] __unused)
299 {
300 	struct rad_handle *radh;
301 	const char *user, *pass;
302 	const void *rhost, *tmpuser;
303 	const char *conf_file, *template_user, *nas_id, *nas_ipaddr;
304 	int retval;
305 	int e;
306 
307 	conf_file = openpam_get_option(pamh, PAM_OPT_CONF);
308 	template_user = openpam_get_option(pamh, PAM_OPT_TEMPLATE_USER);
309 	nas_id = openpam_get_option(pamh, PAM_OPT_NAS_ID);
310 	nas_ipaddr = openpam_get_option(pamh, PAM_OPT_NAS_IPADDR);
311 	pam_get_item(pamh, PAM_RHOST, &rhost);
312 
313 	retval = pam_get_user(pamh, &user, NULL);
314 	if (retval != PAM_SUCCESS)
315 		return (retval);
316 
317 	PAM_LOG("Got user: %s", user);
318 
319 	retval = pam_get_authtok(pamh, PAM_AUTHTOK, &pass, PASSWORD_PROMPT);
320 	if (retval != PAM_SUCCESS)
321 		return (retval);
322 
323 	PAM_LOG("Got password");
324 
325 	radh = rad_open();
326 	if (radh == NULL) {
327 		syslog(LOG_CRIT, "rad_open failed");
328 		return (PAM_SERVICE_ERR);
329 	}
330 
331 	PAM_LOG("Radius opened");
332 
333 	if (rad_config(radh, conf_file) == -1) {
334 		syslog(LOG_ALERT, "rad_config: %s", rad_strerror(radh));
335 		rad_close(radh);
336 		return (PAM_SERVICE_ERR);
337 	}
338 
339 	PAM_LOG("Radius config file read");
340 
341 	if (build_access_request(radh, user, pass, nas_id, nas_ipaddr, rhost,
342 	    NULL, 0) == -1) {
343 		rad_close(radh);
344 		return (PAM_SERVICE_ERR);
345 	}
346 
347 	PAM_LOG("Radius build access done");
348 
349 	for (;;) {
350 		switch (rad_send_request(radh)) {
351 
352 		case RAD_ACCESS_ACCEPT:
353 			e = do_accept(pamh, radh);
354 			rad_close(radh);
355 			if (e == -1)
356 				return (PAM_SERVICE_ERR);
357 			if (template_user != NULL) {
358 
359 				PAM_LOG("Trying template user: %s",
360 				    template_user);
361 
362 				/*
363 				 * If the given user name doesn't exist in
364 				 * the local password database, change it
365 				 * to the value given in the "template_user"
366 				 * option.
367 				 */
368 				retval = pam_get_item(pamh, PAM_USER, &tmpuser);
369 				if (retval != PAM_SUCCESS)
370 					return (retval);
371 				if (getpwnam(tmpuser) == NULL) {
372 					pam_set_item(pamh, PAM_USER,
373 					    template_user);
374 					PAM_LOG("Using template user");
375 				}
376 
377 			}
378 			return (PAM_SUCCESS);
379 
380 		case RAD_ACCESS_REJECT:
381 			retval = do_reject(pamh, radh);
382 			rad_close(radh);
383 			PAM_VERBOSE_ERROR("Radius rejection");
384 			return (PAM_AUTH_ERR);
385 
386 		case RAD_ACCESS_CHALLENGE:
387 			retval = do_challenge(pamh, radh, user, nas_id,
388 			    nas_ipaddr, rhost);
389 			if (retval != PAM_SUCCESS) {
390 				rad_close(radh);
391 				return (retval);
392 			}
393 			break;
394 
395 		case -1:
396 			syslog(LOG_CRIT, "rad_send_request: %s",
397 			    rad_strerror(radh));
398 			rad_close(radh);
399 			PAM_VERBOSE_ERROR("Radius failure");
400 			return (PAM_AUTHINFO_UNAVAIL);
401 
402 		default:
403 			syslog(LOG_CRIT,
404 			    "rad_send_request: unexpected return value");
405 			rad_close(radh);
406 			PAM_VERBOSE_ERROR("Radius error");
407 			return (PAM_SERVICE_ERR);
408 		}
409 	}
410 }
411 
412 PAM_EXTERN int
413 pam_sm_setcred(pam_handle_t *pamh __unused, int flags __unused,
414     int argc __unused, const char *argv[] __unused)
415 {
416 
417 	return (PAM_SUCCESS);
418 }
419 
420 PAM_MODULE_ENTRY("pam_radius");
421