xref: /freebsd/lib/libpam/modules/pam_radius/pam_radius.c (revision f0cfa1b168014f56c02b83e5f28412cc5f78d117)
1 /*-
2  * SPDX-License-Identifier: BSD-3-Clause
3  *
4  * Copyright 1998 Juniper Networks, Inc.
5  * All rights reserved.
6  * Copyright (c) 2001-2003 Networks Associates Technology, Inc.
7  * All rights reserved.
8  *
9  * Portions of this software were developed for the FreeBSD Project by
10  * ThinkSec AS and NAI Labs, the Security Research Division of Network
11  * Associates, Inc.  under DARPA/SPAWAR contract N66001-01-C-8035
12  * ("CBOSS"), as part of the DARPA CHATS research program.
13  *
14  * Redistribution and use in source and binary forms, with or without
15  * modification, are permitted provided that the following conditions
16  * are met:
17  * 1. Redistributions of source code must retain the above copyright
18  *    notice, this list of conditions and the following disclaimer.
19  * 2. Redistributions in binary form must reproduce the above copyright
20  *    notice, this list of conditions and the following disclaimer in the
21  *    documentation and/or other materials provided with the distribution.
22  * 3. The name of the author may not be used to endorse or promote
23  *    products derived from this software without specific prior written
24  *    permission.
25  *
26  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
27  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
28  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
29  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
30  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
31  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
32  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
33  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
34  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
35  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
36  * SUCH DAMAGE.
37  */
38 
39 #include <sys/cdefs.h>
40 __FBSDID("$FreeBSD$");
41 
42 #include <sys/param.h>
43 #include <sys/socket.h>
44 #include <netdb.h>
45 #include <pwd.h>
46 #include <radlib.h>
47 #include <stdlib.h>
48 #include <string.h>
49 #include <syslog.h>
50 #include <unistd.h>
51 
52 #define PAM_SM_AUTH
53 
54 #include <security/pam_appl.h>
55 #include <security/pam_modules.h>
56 #include <security/pam_mod_misc.h>
57 
58 #define PAM_OPT_CONF		"conf"
59 #define PAM_OPT_TEMPLATE_USER	"template_user"
60 #define PAM_OPT_NAS_ID		"nas_id"
61 #define PAM_OPT_NAS_IPADDR	"nas_ipaddr"
62 
63 #define	MAX_CHALLENGE_MSGS	10
64 #define	PASSWORD_PROMPT		"RADIUS Password:"
65 
66 static int	 build_access_request(struct rad_handle *, const char *,
67 		    const char *, const char *, const char *, const char *,
68 		    const void *, size_t);
69 static int	 do_accept(pam_handle_t *, struct rad_handle *);
70 static int	 do_challenge(pam_handle_t *, struct rad_handle *,
71 		    const char *, const char *, const char *, const char *);
72 
73 /*
74  * Construct an access request, but don't send it.  Returns 0 on success,
75  * -1 on failure.
76  */
77 static int
78 build_access_request(struct rad_handle *radh, const char *user,
79     const char *pass, const char *nas_id, const char *nas_ipaddr,
80     const char *rhost, const void *state, size_t state_len)
81 {
82 	int error;
83 	char host[MAXHOSTNAMELEN];
84 	struct sockaddr_in *haddr;
85 	struct addrinfo hints;
86 	struct addrinfo *res;
87 
88 	if (rad_create_request(radh, RAD_ACCESS_REQUEST) == -1) {
89 		syslog(LOG_CRIT, "rad_create_request: %s", rad_strerror(radh));
90 		return (-1);
91 	}
92 	if (nas_id == NULL ||
93 	    (nas_ipaddr != NULL && strlen(nas_ipaddr) == 0)) {
94 		if (gethostname(host, sizeof host) != -1) {
95 			if (nas_id == NULL)
96 				nas_id = host;
97 			if (nas_ipaddr != NULL && strlen(nas_ipaddr) == 0)
98 				nas_ipaddr = host;
99 		}
100 	}
101 	if ((user != NULL &&
102 	    rad_put_string(radh, RAD_USER_NAME, user) == -1) ||
103 	    (pass != NULL &&
104 	    rad_put_string(radh, RAD_USER_PASSWORD, pass) == -1) ||
105 	    (nas_id != NULL &&
106 	    rad_put_string(radh, RAD_NAS_IDENTIFIER, nas_id) == -1)) {
107 		syslog(LOG_CRIT, "rad_put_string: %s", rad_strerror(radh));
108 		return (-1);
109 	}
110 	if (nas_ipaddr != NULL) {
111 		memset(&hints, 0, sizeof(hints));
112 		hints.ai_family = AF_INET;
113 		if (getaddrinfo(nas_ipaddr, NULL, &hints, &res) == 0 &&
114 		    res != NULL && res->ai_family == AF_INET) {
115 			haddr = (struct sockaddr_in *)res->ai_addr;
116 			error = rad_put_addr(radh, RAD_NAS_IP_ADDRESS,
117 			    haddr->sin_addr);
118 			freeaddrinfo(res);
119 			if (error == -1) {
120 				syslog(LOG_CRIT, "rad_put_addr: %s",
121 				    rad_strerror(radh));
122 				return (-1);
123 			}
124 		}
125 	}
126 	if (rhost != NULL &&
127 	    rad_put_string(radh, RAD_CALLING_STATION_ID, rhost) == -1) {
128 		syslog(LOG_CRIT, "rad_put_string: %s", rad_strerror(radh));
129 		return (-1);
130 	}
131 	if (state != NULL &&
132 	    rad_put_attr(radh, RAD_STATE, state, state_len) == -1) {
133 		syslog(LOG_CRIT, "rad_put_attr: %s", rad_strerror(radh));
134 		return (-1);
135 	}
136 	if (rad_put_int(radh, RAD_SERVICE_TYPE, RAD_AUTHENTICATE_ONLY) == -1) {
137 		syslog(LOG_CRIT, "rad_put_int: %s", rad_strerror(radh));
138 		return (-1);
139 	}
140 	return (0);
141 }
142 
143 static int
144 do_accept(pam_handle_t *pamh, struct rad_handle *radh)
145 {
146 	int attrtype;
147 	const void *attrval;
148 	size_t attrlen;
149 	char *s;
150 
151 	while ((attrtype = rad_get_attr(radh, &attrval, &attrlen)) > 0) {
152 		if (attrtype == RAD_USER_NAME) {
153 			s = rad_cvt_string(attrval, attrlen);
154 			if (s == NULL) {
155 				syslog(LOG_CRIT,
156 				    "rad_cvt_string: out of memory");
157 				return (-1);
158 			}
159 			pam_set_item(pamh, PAM_USER, s);
160 			free(s);
161 		}
162 	}
163 	if (attrtype == -1) {
164 		syslog(LOG_CRIT, "rad_get_attr: %s", rad_strerror(radh));
165 		return (-1);
166 	}
167 	return (0);
168 }
169 
170 static int
171 do_challenge(pam_handle_t *pamh, struct rad_handle *radh, const char *user,
172     const char *nas_id, const char *nas_ipaddr, const char *rhost)
173 {
174 	int retval;
175 	int attrtype;
176 	const void *attrval;
177 	size_t attrlen;
178 	const void *state;
179 	size_t statelen;
180 	struct pam_message msgs[MAX_CHALLENGE_MSGS];
181 	const struct pam_message *msg_ptrs[MAX_CHALLENGE_MSGS];
182 	struct pam_response *resp;
183 	int num_msgs;
184 	const void *item;
185 	const struct pam_conv *conv;
186 
187 	state = NULL;
188 	statelen = 0;
189 	num_msgs = 0;
190 	while ((attrtype = rad_get_attr(radh, &attrval, &attrlen)) > 0) {
191 		switch (attrtype) {
192 
193 		case RAD_STATE:
194 			state = attrval;
195 			statelen = attrlen;
196 			break;
197 
198 		case RAD_REPLY_MESSAGE:
199 			if (num_msgs >= MAX_CHALLENGE_MSGS) {
200 				syslog(LOG_CRIT,
201 				    "Too many RADIUS challenge messages");
202 				return (PAM_SERVICE_ERR);
203 			}
204 			msgs[num_msgs].msg = rad_cvt_string(attrval, attrlen);
205 			if (msgs[num_msgs].msg == NULL) {
206 				syslog(LOG_CRIT,
207 				    "rad_cvt_string: out of memory");
208 				return (PAM_SERVICE_ERR);
209 			}
210 			msgs[num_msgs].msg_style = PAM_TEXT_INFO;
211 			msg_ptrs[num_msgs] = &msgs[num_msgs];
212 			num_msgs++;
213 			break;
214 		}
215 	}
216 	if (attrtype == -1) {
217 		syslog(LOG_CRIT, "rad_get_attr: %s", rad_strerror(radh));
218 		return (PAM_SERVICE_ERR);
219 	}
220 	if (num_msgs == 0) {
221 		msgs[num_msgs].msg = strdup("(null RADIUS challenge): ");
222 		if (msgs[num_msgs].msg == NULL) {
223 			syslog(LOG_CRIT, "Out of memory");
224 			return (PAM_SERVICE_ERR);
225 		}
226 		msgs[num_msgs].msg_style = PAM_TEXT_INFO;
227 		msg_ptrs[num_msgs] = &msgs[num_msgs];
228 		num_msgs++;
229 	}
230 	msgs[num_msgs-1].msg_style = PAM_PROMPT_ECHO_ON;
231 	if ((retval = pam_get_item(pamh, PAM_CONV, &item)) != PAM_SUCCESS) {
232 		syslog(LOG_CRIT, "do_challenge: cannot get PAM_CONV");
233 		return (retval);
234 	}
235 	conv = (const struct pam_conv *)item;
236 	if ((retval = conv->conv(num_msgs, msg_ptrs, &resp,
237 	    conv->appdata_ptr)) != PAM_SUCCESS)
238 		return (retval);
239 	if (build_access_request(radh, user, resp[num_msgs-1].resp, nas_id,
240 	    nas_ipaddr, rhost, state, statelen) == -1)
241 		return (PAM_SERVICE_ERR);
242 	memset(resp[num_msgs-1].resp, 0, strlen(resp[num_msgs-1].resp));
243 	free(resp[num_msgs-1].resp);
244 	free(resp);
245 	while (num_msgs > 0)
246 		free(msgs[--num_msgs].msg);
247 	return (PAM_SUCCESS);
248 }
249 
250 PAM_EXTERN int
251 pam_sm_authenticate(pam_handle_t *pamh, int flags __unused,
252     int argc __unused, const char *argv[] __unused)
253 {
254 	struct rad_handle *radh;
255 	const char *user, *pass;
256 	const void *rhost, *tmpuser;
257 	const char *conf_file, *template_user, *nas_id, *nas_ipaddr;
258 	int retval;
259 	int e;
260 
261 	conf_file = openpam_get_option(pamh, PAM_OPT_CONF);
262 	template_user = openpam_get_option(pamh, PAM_OPT_TEMPLATE_USER);
263 	nas_id = openpam_get_option(pamh, PAM_OPT_NAS_ID);
264 	nas_ipaddr = openpam_get_option(pamh, PAM_OPT_NAS_IPADDR);
265 	pam_get_item(pamh, PAM_RHOST, &rhost);
266 
267 	retval = pam_get_user(pamh, &user, NULL);
268 	if (retval != PAM_SUCCESS)
269 		return (retval);
270 
271 	PAM_LOG("Got user: %s", user);
272 
273 	retval = pam_get_authtok(pamh, PAM_AUTHTOK, &pass, PASSWORD_PROMPT);
274 	if (retval != PAM_SUCCESS)
275 		return (retval);
276 
277 	PAM_LOG("Got password");
278 
279 	radh = rad_open();
280 	if (radh == NULL) {
281 		syslog(LOG_CRIT, "rad_open failed");
282 		return (PAM_SERVICE_ERR);
283 	}
284 
285 	PAM_LOG("Radius opened");
286 
287 	if (rad_config(radh, conf_file) == -1) {
288 		syslog(LOG_ALERT, "rad_config: %s", rad_strerror(radh));
289 		rad_close(radh);
290 		return (PAM_SERVICE_ERR);
291 	}
292 
293 	PAM_LOG("Radius config file read");
294 
295 	if (build_access_request(radh, user, pass, nas_id, nas_ipaddr, rhost,
296 	    NULL, 0) == -1) {
297 		rad_close(radh);
298 		return (PAM_SERVICE_ERR);
299 	}
300 
301 	PAM_LOG("Radius build access done");
302 
303 	for (;;) {
304 		switch (rad_send_request(radh)) {
305 
306 		case RAD_ACCESS_ACCEPT:
307 			e = do_accept(pamh, radh);
308 			rad_close(radh);
309 			if (e == -1)
310 				return (PAM_SERVICE_ERR);
311 			if (template_user != NULL) {
312 
313 				PAM_LOG("Trying template user: %s",
314 				    template_user);
315 
316 				/*
317 				 * If the given user name doesn't exist in
318 				 * the local password database, change it
319 				 * to the value given in the "template_user"
320 				 * option.
321 				 */
322 				retval = pam_get_item(pamh, PAM_USER, &tmpuser);
323 				if (retval != PAM_SUCCESS)
324 					return (retval);
325 				if (getpwnam(tmpuser) == NULL) {
326 					pam_set_item(pamh, PAM_USER,
327 					    template_user);
328 					PAM_LOG("Using template user");
329 				}
330 
331 			}
332 			return (PAM_SUCCESS);
333 
334 		case RAD_ACCESS_REJECT:
335 			rad_close(radh);
336 			PAM_VERBOSE_ERROR("Radius rejection");
337 			return (PAM_AUTH_ERR);
338 
339 		case RAD_ACCESS_CHALLENGE:
340 			retval = do_challenge(pamh, radh, user, nas_id,
341 			    nas_ipaddr, rhost);
342 			if (retval != PAM_SUCCESS) {
343 				rad_close(radh);
344 				return (retval);
345 			}
346 			break;
347 
348 		case -1:
349 			syslog(LOG_CRIT, "rad_send_request: %s",
350 			    rad_strerror(radh));
351 			rad_close(radh);
352 			PAM_VERBOSE_ERROR("Radius failure");
353 			return (PAM_AUTHINFO_UNAVAIL);
354 
355 		default:
356 			syslog(LOG_CRIT,
357 			    "rad_send_request: unexpected return value");
358 			rad_close(radh);
359 			PAM_VERBOSE_ERROR("Radius error");
360 			return (PAM_SERVICE_ERR);
361 		}
362 	}
363 }
364 
365 PAM_EXTERN int
366 pam_sm_setcred(pam_handle_t *pamh __unused, int flags __unused,
367     int argc __unused, const char *argv[] __unused)
368 {
369 
370 	return (PAM_SUCCESS);
371 }
372 
373 PAM_MODULE_ENTRY("pam_radius");
374