diff -Naur libreswan-3.15-orig/programs/pluto/ikev1_xauth.c libreswan-3.15/programs/pluto/ikev1_xauth.c
|
|
|
c580b4 |
--- libreswan-3.15-orig/programs/pluto/ikev1_xauth.c 2015-08-24 16:52:43.000000000 -0400
|
|
|
c580b4 |
+++ libreswan-3.15/programs/pluto/ikev1_xauth.c 2015-09-03 11:32:27.525000000 -0400
|
|
|
c580b4 |
@@ -1001,81 +1001,6 @@
|
|
|
c580b4 |
return STF_OK;
|
|
|
c580b4 |
}
|
|
|
c580b4 |
|
|
|
c580b4 |
-#ifdef XAUTH_HAVE_PAM
|
|
|
c580b4 |
-
|
|
|
c580b4 |
-/** Do authentication via PAM (Plugable Authentication Modules)
|
|
|
c580b4 |
- *
|
|
|
c580b4 |
- * We try to authenticate the user in our own PAM session.
|
|
|
c580b4 |
- *
|
|
|
c580b4 |
- * @return bool success
|
|
|
c580b4 |
- */
|
|
|
c580b4 |
-/* IN AN AUTH THREAD */
|
|
|
c580b4 |
-static bool do_pam_authentication(void *varg)
|
|
|
c580b4 |
-{
|
|
|
c580b4 |
- struct xauth_thread_arg *arg = varg;
|
|
|
c580b4 |
- int retval;
|
|
|
c580b4 |
- pam_handle_t *pamh = NULL;
|
|
|
c580b4 |
- struct pam_conv conv;
|
|
|
c580b4 |
- const char *what;
|
|
|
c580b4 |
-
|
|
|
c580b4 |
- /* This do-while structure is designed to allow a logical cascade
|
|
|
c580b4 |
- * without excessive indentation. No actual looping happens.
|
|
|
c580b4 |
- * Failure is handled by "break".
|
|
|
c580b4 |
- */
|
|
|
c580b4 |
- do {
|
|
|
c580b4 |
- ipstr_buf ra;
|
|
|
c580b4 |
-
|
|
|
c580b4 |
- conv.conv = pam_conv;
|
|
|
c580b4 |
- conv.appdata_ptr = varg;
|
|
|
c580b4 |
-
|
|
|
c580b4 |
- what = "pam_start";
|
|
|
c580b4 |
- retval = pam_start("pluto", arg->name, &conv, &pamh);
|
|
|
c580b4 |
- if (retval != PAM_SUCCESS)
|
|
|
c580b4 |
- break;
|
|
|
c580b4 |
-
|
|
|
c580b4 |
- DBG(DBG_CONTROL, DBG_log("pam_start SUCCESS"));
|
|
|
c580b4 |
-
|
|
|
c580b4 |
- /* Send the remote host address to PAM */
|
|
|
c580b4 |
- what = "pam_set_item";
|
|
|
c580b4 |
- retval = pam_set_item(pamh, PAM_RHOST,
|
|
|
c580b4 |
- ipstr(&arg->st->st_remoteaddr, &ra);;
|
|
|
c580b4 |
- if (retval != PAM_SUCCESS)
|
|
|
c580b4 |
- break;
|
|
|
c580b4 |
-
|
|
|
c580b4 |
- DBG(DBG_CONTROL, DBG_log("pam_set_item SUCCESS"));
|
|
|
c580b4 |
-
|
|
|
c580b4 |
- /* Two factor authentication - Check that the user is valid,
|
|
|
c580b4 |
- * and then check if they are permitted access
|
|
|
c580b4 |
- */
|
|
|
c580b4 |
- what = "pam_authenticate";
|
|
|
c580b4 |
- retval = pam_authenticate(pamh, PAM_SILENT); /* is user really user? */
|
|
|
c580b4 |
-
|
|
|
c580b4 |
- if (retval != PAM_SUCCESS)
|
|
|
c580b4 |
- break;
|
|
|
c580b4 |
-
|
|
|
c580b4 |
- DBG(DBG_CONTROL, DBG_log("pam_authenticate SUCCESS"));
|
|
|
c580b4 |
-
|
|
|
c580b4 |
- what = "pam_acct_mgmt";
|
|
|
c580b4 |
- retval = pam_acct_mgmt(pamh, 0); /* permitted access? */
|
|
|
c580b4 |
- if (retval != PAM_SUCCESS)
|
|
|
c580b4 |
- break;
|
|
|
c580b4 |
-
|
|
|
c580b4 |
- /* success! */
|
|
|
c580b4 |
- libreswan_log("XAUTH: PAM_SUCCESS");
|
|
|
c580b4 |
- pam_end(pamh, PAM_SUCCESS);
|
|
|
c580b4 |
- return TRUE;
|
|
|
c580b4 |
- } while (FALSE);
|
|
|
c580b4 |
-
|
|
|
c580b4 |
- /* common failure code */
|
|
|
c580b4 |
-
|
|
|
c580b4 |
- DBG(DBG_CONTROL,
|
|
|
c580b4 |
- DBG_log("%s failed with '%s", what, pam_strerror(pamh, retval)));
|
|
|
c580b4 |
- libreswan_log("XAUTH: %s failed with '%s'", what, pam_strerror(pamh, retval));
|
|
|
c580b4 |
- pam_end(pamh, retval);
|
|
|
c580b4 |
- return FALSE;
|
|
|
c580b4 |
-}
|
|
|
c580b4 |
-#endif /* XAUTH_HAVE_PAM */
|
|
|
c580b4 |
-
|
|
|
c580b4 |
/** Do authentication via /etc/ipsec.d/passwd file using MD5 passwords
|
|
|
c580b4 |
*
|
|
|
c580b4 |
* Structure is one entry per line.
|
|
|
c580b4 |
@@ -1256,6 +1181,43 @@
|
|
|
c580b4 |
return win;
|
|
|
c580b4 |
}
|
|
|
c580b4 |
|
|
|
c580b4 |
+/* IN AN AUTH THREAD */
|
|
|
c580b4 |
+static bool ikev1_do_pam_authentication(const struct xauth_thread_arg *arg)
|
|
|
c580b4 |
+{
|
|
|
c580b4 |
+ struct state *st = arg->st;
|
|
|
c580b4 |
+ libreswan_log("XAUTH: pam authentication being called to authenticate user %s",
|
|
|
c580b4 |
+ arg->name);
|
|
|
c580b4 |
+ struct pam_thread_arg parg;
|
|
|
c580b4 |
+ ipstr_buf ra;
|
|
|
c580b4 |
+ struct timeval start_time;
|
|
|
c580b4 |
+ struct timeval served_time;
|
|
|
c580b4 |
+ struct timeval served_delta;
|
|
|
c580b4 |
+ bool results = FALSE;
|
|
|
c580b4 |
+
|
|
|
c580b4 |
+ parg.name = arg->name;
|
|
|
c580b4 |
+ parg.password = arg->password;
|
|
|
c580b4 |
+ parg.c_name = arg->connname;
|
|
|
c580b4 |
+ parg.ra = clone_str(ipstr(&st->st_remoteaddr, &ra), "st remote address");
|
|
|
c580b4 |
+ parg.st_serialno = st->st_serialno;
|
|
|
c580b4 |
+ parg.c_instance_serial = st->st_connection->instance_serial;
|
|
|
c580b4 |
+ parg.atype = "XAUTH";
|
|
|
c580b4 |
+ gettimeofday(&start_time, NULL);
|
|
|
c580b4 |
+ results = do_pam_authentication(&parg;;
|
|
|
c580b4 |
+ gettimeofday(&served_time, NULL);
|
|
|
c580b4 |
+ timersub(&served_time, &start_time, &served_delta);
|
|
|
c580b4 |
+ DBG(DBG_CONTROL, DBG_log("XAUTH PAM helper thread call "
|
|
|
c580b4 |
+ "state #%lu, %s[%lu] user=%s %s. "
|
|
|
c580b4 |
+ "elapsed time %lu.%06lu",
|
|
|
c580b4 |
+ parg.st_serialno, parg.c_name,
|
|
|
c580b4 |
+ parg.c_instance_serial, parg.name,
|
|
|
c580b4 |
+ results ? "SUCCESS" : "FAIL",
|
|
|
c580b4 |
+ (unsigned long)served_delta.tv_sec,
|
|
|
c580b4 |
+ (unsigned long)(served_delta.tv_usec * 1000000)));
|
|
|
c580b4 |
+
|
|
|
c580b4 |
+ pfreeany(parg.ra);
|
|
|
c580b4 |
+ return (results);
|
|
|
c580b4 |
+}
|
|
|
c580b4 |
+
|
|
|
c580b4 |
/*
|
|
|
c580b4 |
* Main authentication routine will then call the actual compiled-in
|
|
|
c580b4 |
* method to verify the user/password
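Review bot: The elapsed-time trace at the end of ikev1_do_pam_authentication multiplies tv_usec by 1000000 before printing it with `%06lu`; tv_usec is already in microseconds, so the last argument should be `(unsigned long)served_delta.tv_usec`. The call shown as `do_pam_authentication(&parg;;` does not parse as rendered — presumably an artifact for `&parg);`, but the applied patch is worth checking (the removed IKEv1 body shows the same `;;` residue on its pam_set_item line). The new function is also defined outside any `#ifdef XAUTH_HAVE_PAM` while its only caller, the XAUTHBY_PAM case in the next hunk, is inside one, so a non-PAM build gets an unused static function and, if pam_conv.h is only included under that guard, an undefined `struct pam_thread_arg` and `do_pam_authentication`; wrapping the definition in the same guard avoids both.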
|
|
|
c580b4 |
@@ -1330,10 +1292,7 @@
|
|
|
c580b4 |
switch (st->st_connection->xauthby) {
|
|
|
c580b4 |
#ifdef XAUTH_HAVE_PAM
|
|
|
c580b4 |
case XAUTHBY_PAM:
|
|
|
c580b4 |
- libreswan_log(
|
|
|
c580b4 |
- "XAUTH: pam authentication being called to authenticate user %s",
|
|
|
c580b4 |
- arg->name);
|
|
|
c580b4 |
- results = do_pam_authentication(varg);
|
|
|
c580b4 |
+ results = ikev1_do_pam_authentication(arg);
|
|
|
c580b4 |
break;
|
|
|
c580b4 |
#endif
|
|
|
c580b4 |
case XAUTHBY_FILE:
|
|
|
c580b4 |
diff -Naur libreswan-3.15-orig/programs/pluto/ikev2_parent.c libreswan-3.15/programs/pluto/ikev2_parent.c
|
|
|
c580b4 |
--- libreswan-3.15-orig/programs/pluto/ikev2_parent.c 2015-09-03 11:29:05.518000000 -0400
|
|
|
c580b4 |
+++ libreswan-3.15/programs/pluto/ikev2_parent.c 2015-09-03 11:32:27.526000000 -0400
|
|
|
c580b4 |
@@ -2417,7 +2417,7 @@
|
|
|
c580b4 |
pthread_setcanceltype (PTHREAD_CANCEL_ASYNCHRONOUS, NULL);
|
|
|
c580b4 |
pthread_setcancelstate (PTHREAD_CANCEL_ASYNCHRONOUS, NULL);
|
|
|
c580b4 |
|
|
|
c580b4 |
- p->pam_status = ikev2_do_pam_authentication(&p->pam);
|
|
|
c580b4 |
+ p->pam_status = do_pam_authentication(&p->pam);
|
|
|
c580b4 |
gettimeofday(&p->done_time, NULL);
|
|
|
c580b4 |
timersub(&p->done_time, &p->start_time, &done_delta);
|
|
|
c580b4 |
|
|
|
c580b4 |
@@ -2580,6 +2580,7 @@
|
|
|
c580b4 |
p->pam.ra = clone_str(ipstr(&st->st_remoteaddr, &ra), "st remote address");
|
|
|
c580b4 |
p->pam.c_instance_serial = st->st_connection->instance_serial;
|
|
|
c580b4 |
p->pam.st_serialno = st->st_serialno;
|
|
|
c580b4 |
+ p->pam.atype = "IKEv2";
|
|
|
c580b4 |
|
|
|
c580b4 |
p->next = pluto_v2_pam_helpers;
|
|
|
c580b4 |
pluto_v2_pam_helpers = p;
|
|
|
c580b4 |
diff -Naur libreswan-3.15-orig/programs/pluto/pam_conv.c libreswan-3.15/programs/pluto/pam_conv.c
|
|
|
c580b4 |
--- libreswan-3.15-orig/programs/pluto/pam_conv.c 2015-08-24 16:52:43.000000000 -0400
|
|
|
c580b4 |
+++ libreswan-3.15/programs/pluto/pam_conv.c 2015-09-03 11:32:27.526000000 -0400
|
|
|
c580b4 |
@@ -10,7 +10,7 @@
|
|
|
c580b4 |
* Copyright (C) 2012-2013 Paul Wouters <pwouters@redhat.com>
|
|
|
c580b4 |
* Copyright (C) 2012-2013 Philippe Vouters <philippe.vouters@laposte.net>
|
|
|
c580b4 |
* Copyright (C) 2013 David McCullough <ucdevel@gmail.com>
|
|
|
c580b4 |
- * Copyright (C) 2013 Antony Antony <antony@phenome.org>
|
|
|
c580b4 |
+ * Copyright (C) 2013-2015 Antony Antony <antony@phenome.org>
|
|
|
c580b4 |
*
|
|
|
c580b4 |
* This program is free software; you can redistribute it and/or modify it
|
|
|
c580b4 |
* under the terms of the GNU General Public License as published by the
|
|
|
c580b4 |
@@ -109,15 +109,25 @@
|
|
|
c580b4 |
return PAM_SUCCESS;
|
|
|
c580b4 |
}
|
|
|
c580b4 |
|
|
|
c580b4 |
+static void log_pam_step(const struct pam_thread_arg *arg, const char *what,
|
|
|
c580b4 |
+ const char *how)
|
|
|
c580b4 |
+{
|
|
|
c580b4 |
+ DBG(DBG_CONTROL, DBG_log("%s helper thread %s %s for "
|
|
|
c580b4 |
+ "state #%lu, %s[%lu] user=%s.",
|
|
|
c580b4 |
+ arg->atype, what, how,
|
|
|
c580b4 |
+ arg->st_serialno, arg->c_name,
|
|
|
c580b4 |
+ arg->c_instance_serial, arg->name));
|
|
|
c580b4 |
+
|
|
|
c580b4 |
+}
|
|
|
c580b4 |
+
|
|
|
c580b4 |
/*
|
|
|
c580b4 |
* Do IKEv2 second authentication via PAM (Plugable Authentication Modules)
|
|
|
c580b4 |
*
|
|
|
c580b4 |
* @return bool success
|
|
|
c580b4 |
*/
|
|
|
c580b4 |
/* IN AN AUTH THREAD */
|
|
|
c580b4 |
-bool ikev2_do_pam_authentication(void *varg)
|
|
|
c580b4 |
+bool do_pam_authentication(struct pam_thread_arg *arg)
|
|
|
c580b4 |
{
|
|
|
c580b4 |
- struct pam_thread_arg *arg = varg;
|
|
|
c580b4 |
int retval;
|
|
|
c580b4 |
pam_handle_t *pamh = NULL;
|
|
|
c580b4 |
struct pam_conv conv;
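Review bot: log_pam_step has no header comment and leaves a stray blank line before its closing brace; suggest `/* DBG-only trace of one PAM step: 'what' names the PAM call, 'how' its outcome. */` above it and dropping the blank line. It prints `arg->st_serialno` with `%lu`, but so_serial_t is not defined anywhere in this diff, so either confirm it is unsigned long or cast it the way the IKEv1 caller casts tv_sec. Because the helper only emits under DBG_CONTROL, it is a trace and not a substitute for the always-on authentication log lines elsewhere in this function.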
|
|
|
c580b4 |
@@ -129,22 +139,20 @@
|
|
|
c580b4 |
*/
|
|
|
c580b4 |
do {
|
|
|
c580b4 |
conv.conv = pam_conv;
|
|
|
c580b4 |
- conv.appdata_ptr = varg;
|
|
|
c580b4 |
+ conv.appdata_ptr = arg;
|
|
|
c580b4 |
|
|
|
c580b4 |
what = "pam_start";
|
|
|
c580b4 |
retval = pam_start("pluto", arg->name, &conv, &pamh);
|
|
|
c580b4 |
if (retval != PAM_SUCCESS)
|
|
|
c580b4 |
break;
|
|
|
c580b4 |
-
|
|
|
c580b4 |
- DBG(DBG_CONTROL, DBG_log("pam_start SUCCESS"));
|
|
|
c580b4 |
+ log_pam_step(arg, what, "SUCCESS");
|
|
|
c580b4 |
|
|
|
c580b4 |
/* Send the remote host address to PAM */
|
|
|
c580b4 |
what = "pam_set_item";
|
|
|
c580b4 |
retval = pam_set_item(pamh, PAM_RHOST, arg->ra);
|
|
|
c580b4 |
if (retval != PAM_SUCCESS)
|
|
|
c580b4 |
break;
|
|
|
c580b4 |
-
|
|
|
c580b4 |
- DBG(DBG_CONTROL, DBG_log("pam_set_item SUCCESS"));
|
|
|
c580b4 |
+ log_pam_step(arg, what, "SUCCESS");
|
|
|
c580b4 |
|
|
|
c580b4 |
/* Two factor authentication - Check that the user is valid,
|
|
|
c580b4 |
* and then check if they are permitted access
|
|
|
c580b4 |
@@ -154,16 +162,16 @@
|
|
|
c580b4 |
|
|
|
c580b4 |
if (retval != PAM_SUCCESS)
|
|
|
c580b4 |
break;
|
|
|
c580b4 |
+ log_pam_step(arg, what, "SUCCESS");
|
|
|
c580b4 |
|
|
|
c580b4 |
- DBG(DBG_CONTROL, DBG_log("pam_authenticate SUCCESS"));
|
|
|
c580b4 |
-
|
|
|
c580b4 |
- what = "pam_acct_mgmt";
|
|
|
c580b4 |
retval = pam_acct_mgmt(pamh, 0); /* permitted access? */
|
|
|
c580b4 |
if (retval != PAM_SUCCESS)
|
|
|
c580b4 |
break;
|
|
|
c580b4 |
|
|
|
c580b4 |
+ what = "pam";
|
|
|
c580b4 |
+ log_pam_step(arg, what, "SUCCESS");
|
|
|
c580b4 |
+
|
|
|
c580b4 |
/* success! */
|
|
|
c580b4 |
- libreswan_log("IKEv2: PAM_SUCCESS");
|
|
|
c580b4 |
pam_end(pamh, PAM_SUCCESS);
|
|
|
c580b4 |
return TRUE;
|
|
|
c580b4 |
} while (FALSE);
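Review bot: Removing `what = "pam_acct_mgmt";` ahead of the pam_acct_mgmt() call means a failed account check reaches the common failure path (outside this hunk) with `what` still set to "pam_authenticate", so the failure log names the wrong PAM step; keep `what = "pam_acct_mgmt";` before the call and set `what = "pam"` only for the final success trace. Replacing `libreswan_log("IKEv2: PAM_SUCCESS")` with a DBG_CONTROL-only log_pam_step() also drops the unconditional record of a successful PAM authentication (the IKEv1 caller in ikev1_xauth.c loses its "XAUTH: PAM_SUCCESS" line the same way), while failures presumably still go through libreswan_log; an always-on line such as `libreswan_log("%s: PAM authentication succeeded for user %s", arg->atype, arg->name);` keeps the audit trail symmetric. The enclosing do-while and the failure code after it extend beyond this hunk.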
|
|
|
c580b4 |
diff -Naur libreswan-3.15-orig/programs/pluto/pam_conv.h libreswan-3.15/programs/pluto/pam_conv.h
|
|
|
c580b4 |
--- libreswan-3.15-orig/programs/pluto/pam_conv.h 2015-08-24 16:52:43.000000000 -0400
|
|
|
c580b4 |
+++ libreswan-3.15/programs/pluto/pam_conv.h 2015-09-03 11:32:27.527000000 -0400
|
|
|
c580b4 |
@@ -23,9 +23,10 @@
|
|
|
c580b4 |
char *ra;
|
|
|
c580b4 |
so_serial_t st_serialno;
|
|
|
c580b4 |
unsigned long c_instance_serial;
|
|
|
c580b4 |
+ char *atype; /* string XAUTH or IKEv2 */
|
|
|
c580b4 |
};
|
|
|
c580b4 |
|
|
|
c580b4 |
-extern bool ikev2_do_pam_authentication(void *varg);
|
|
|
c580b4 |
+extern bool do_pam_authentication(struct pam_thread_arg *arg);
|
|
|
c580b4 |
int pam_conv(int num_msg, const struct pam_message **msgm,
|
|
|
c580b4 |
struct pam_response **response, void
|
|
|
c580b4 |
*appdata_ptr);
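Review bot: `atype` is declared `char *` but both assignments in this patch store string literals (`parg.atype = "XAUTH"` in ikev1_xauth.c and `p->pam.atype = "IKEv2"` in ikev2_parent.c), so it should be `const char *atype; /* "XAUTH" or "IKEv2"; log prefix only */` rather than a writable alias to read-only storage. The typed prototype for do_pam_authentication is an improvement over `void *varg`; the parameter stays non-const because the struct is handed to PAM as `appdata_ptr`, which deserves a one-line comment on the declaration so nobody "fixes" it. The struct whose tail appears in this hunk begins before it.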
|