Added support for radius authentication

src/Makefile.am

@@ -62,7 +62,8 @@ endif
 COMMON_SOURCES=common.c common.h system.c system.h setproctitle.c setproctitle.h
 
 # Authentication module sources
-AUTH_SOURCES=auth/pam.c auth/pam.h auth/plain.c auth/plain.h
+AUTH_SOURCES=auth/pam.c auth/pam.h auth/plain.c auth/plain.h auth/radius.c auth/radius.h \
+	auth/common.c auth/common.h
 
 ocserv_SOURCES = main.c main-auth.c worker-vpn.c worker-auth.c tlslib.c \
 	cookies.c main-misc.c ip-lease.c ip-lease.h \
@@ -87,7 +88,8 @@ ocserv_SOURCES += ipc.pb-c.h ipc.pb-c.c ctl.pb-c.c ctl.pb-c.h
 ocserv_LDADD = ../gl/libgnu.a $(NEEDED_LIBOPTS) libcmd-ocserv.a
 ocserv_LDADD += $(LIBGNUTLS_LIBS) $(PAM_LIBS) $(LIBUTIL) \
 	$(LIBSECCOMP) $(LIBWRAP) $(LIBCRYPT) $(NEEDED_HTTP_PARSER_LIBS) \
-	$(LIBPROTOBUF_C_LIBS) $(LIBSYSTEMD_DAEMON) $(LIBTALLOC_LIBS)
+	$(LIBPROTOBUF_C_LIBS) $(LIBSYSTEMD_DAEMON) $(LIBTALLOC_LIBS) \
+	$(FREERADIUS_CLIENT_LIBS)
 
 
 if PCL

src/auth/common.c

@@ -0,0 +1,26 @@
+/*
+ * Copyright (C) 2014 Red Hat, Inc.
+ *
+ * This file is part of ocserv.
+ *
+ * ocserv is free software: you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * ocserv is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include <config.h>
+#include <auth/common.h>
+
+const char* pass_msg_first = "Please enter your password.";
+const char* pass_msg_second = "Please enter your challenge password.";
+const char* pass_msg_failed = "Login failed.\nPlease enter your password.";
+

src/auth/common.h

@@ -0,0 +1,10 @@
+#ifndef AUTH_COMMON_H
+# define AUTH_COMMON_H
+
+#define MAX_TRIES 3
+
+extern const char* pass_msg_first;
+extern const char* pass_msg_second;
+extern const char* pass_msg_failed;
+
+#endif

src/auth/plain.c

@@ -29,14 +29,11 @@
 #include <vpn.h>
 #include <c-ctype.h>
 #include "plain.h"
+#include "auth/common.h"
 #include <ccan/htable/htable.h>
 #include <ccan/hash/hash.h>
 
 #define MAX_CPASS_SIZE 128
-#define MAX_TRIES 3
-
-const char* pass_msg_first = "Please enter your password.";
-const char* pass_msg_failed = "Login failed.\nPlease enter your password.";
 
 struct plain_ctx_st {
 	char username[MAX_USERNAME_SIZE];

src/auth/radius.c

@@ -0,0 +1,292 @@
+/*
+ * Copyright (C) 2014 Red Hat, Inc.
+ *
+ * This file is part of ocserv.
+ *
+ * ocserv is free software: you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * ocserv is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include <config.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <syslog.h>
+#include <unistd.h>
+#include <vpn.h>
+#include <c-ctype.h>
+#include <arpa/inet.h> /* inet_ntop */
+#include "radius.h"
+#include "auth/common.h"
+
+#ifdef HAVE_RADIUS
+
+#include <freeradius-client.h>
+
+#define RAD_GROUP_NAME 1030
+
+int rc_aaa(rc_handle *rh, uint32_t client_port, VALUE_PAIR *send, VALUE_PAIR **received,
+    char *msg, int add_nas_port, int request_type);
+
+static rc_handle *rh = NULL;
+
+struct radius_ctx_st {
+	char username[MAX_USERNAME_SIZE*2];
+	char groupname[MAX_GROUPNAME_SIZE];
+	char msg[4096];
+
+	char ipv4[MAX_IP_STR];
+	char ipv6[MAX_IP_STR];
+
+	const char *config;	/* radius config file */
+	const char *pass_msg;
+	unsigned retries;
+};
+
+static void radius_global_init(void *pool, void *additional)
+{
+	rh = rc_read_config(additional);
+	if (rh == NULL) {
+		fprintf(stderr, "radius initialization error\n");
+		exit(1);
+	}
+
+	if (rc_read_dictionary(rh, rc_conf_str(rh, "dictionary")) != 0) {
+		fprintf(stderr, "error reading the radius dictionary\n");
+		exit(1);
+	}
+
+	return;
+}
+
+static void radius_global_deinit()
+{
+	if (rh != NULL)
+		rc_destroy(rh);
+}
+
+static int radius_auth_init(void **ctx, void *pool, const char *username, const char *ip,
+			   void *additional)
+{
+	struct radius_ctx_st *pctx;
+	char *default_realm;
+
+	pctx = talloc_zero(pool, struct radius_ctx_st);
+	if (pctx == NULL)
+		return ERR_AUTH_FAIL;
+
+	snprintf(pctx->username, sizeof(pctx->username), "%s", username);
+	pctx->config = additional;
+	pctx->pass_msg = pass_msg_first;
+
+	default_realm = rc_conf_str(rh, "default_realm");
+	
+	if ((strchr(username, '@') == NULL) && default_realm &&
+	    default_realm[0] != 0) {
+		snprintf(pctx->username, sizeof(pctx->username), "%s@%s", username, default_realm);
+	} else {
+		strcpy(pctx->username, username);
+	}
+
+
+	*ctx = pctx;
+
+	return 0;
+}
+
+static int radius_auth_group(void *ctx, const char *suggested, char *groupname, int groupname_size)
+{
+	struct radius_ctx_st *pctx = ctx;
+
+	groupname[0] = 0;
+
+	if (suggested != NULL) {
+		if (strcmp(suggested, pctx->groupname) == 0) {
+			snprintf(groupname, groupname_size, "%s", pctx->groupname);
+			return 0;
+		}
+
+		syslog(LOG_AUTH,
+		       "user '%s' requested group '%s' but is not a member",
+		       pctx->username, suggested);
+		return -1;
+	}
+
+	if (pctx->groupname[0] != 0 && groupname[0] == 0) {
+		snprintf(groupname, groupname_size, "%s", pctx->groupname);
+	}
+	return 0;
+}
+
+static int radius_auth_user(void *ctx, char *username, int username_size)
+{
+	/* do not update username */
+	return -1;
+}
+
+/* Returns 0 if the user is successfully authenticated, and sets the appropriate group name.
+ */
+static int radius_auth_pass(void *ctx, const char *pass, unsigned pass_len)
+{
+	struct radius_ctx_st *pctx = ctx;
+	VALUE_PAIR *send = NULL, *recvd = NULL;
+	uint32_t service;
+	int ret;
+
+	syslog(LOG_DEBUG, "communicating username (%s) and password to radius", pctx->username);
+	if (rc_avpair_add(rh, &send, PW_USER_NAME, pctx->username, -1, 0) == NULL) {
+		syslog(LOG_ERR,
+		       "%s:%u: user '%s' auth error", __func__, __LINE__,
+		       pctx->username);
+		return ERR_AUTH_FAIL;
+	}
+
+	if (rc_avpair_add(rh, &send, PW_USER_PASSWORD, (char*)pass, -1, 0) == NULL) {
+		syslog(LOG_ERR,
+		       "%s:%u: user '%s' auth error", __func__, __LINE__,
+		       pctx->username);
+		return ERR_AUTH_FAIL;
+	}
+
+	service = PW_AUTHENTICATE_ONLY;
+	if (rc_avpair_add(rh, &send, PW_SERVICE_TYPE, &service, -1, 0) == NULL) {
+		syslog(LOG_ERR,
+		       "%s:%u: user '%s' auth error", __func__, __LINE__,
+		       pctx->username);
+		return ERR_AUTH_FAIL;
+	}
+
+	ret = rc_aaa(rh, 0, send, &recvd, pctx->msg, 1, PW_ACCESS_REQUEST);
+
+	if (ret == OK_RC) {
+		VALUE_PAIR *vp = recvd;
+		while(vp != NULL) {
+			if (vp->attribute == PW_SERVICE_TYPE && vp->lvalue != PW_FRAMED) {
+				syslog(LOG_ERR,
+				       "%s:%u: unknown radius service type '%d'", __func__, __LINE__,
+				       (int)vp->lvalue);
+				goto fail;
+			} else if (vp->attribute == RAD_GROUP_NAME && vp->type == PW_TYPE_STRING) {
+				snprintf(pctx->groupname, sizeof(pctx->groupname), "%s", vp->strvalue);
+			} else if (vp->attribute == PW_FRAMED_IP_ADDRESS && vp->type == PW_TYPE_IPADDR) {
+				inet_ntop(AF_INET, &vp->lvalue, pctx->ipv4, sizeof(pctx->ipv4));
+			} else {
+				syslog(LOG_DEBUG, "radius: ignoring server's value %u of type %u", (int)vp->attribute, (int)vp->type);
+			}
+			vp = vp->next;
+		}
+
+		if (recvd != NULL)
+			rc_avpair_free(recvd);
+		return 0;
+	} else {
+ fail:
+		if (recvd != NULL)
+			rc_avpair_free(recvd);
+
+		if (ret == PW_ACCESS_CHALLENGE) {
+			pctx->pass_msg = pass_msg_second;
+			return ERR_AUTH_CONTINUE;
+		} else if ( pctx->retries++ < MAX_TRIES) {
+			pctx->pass_msg = pass_msg_failed;
+			return ERR_AUTH_CONTINUE;
+		} else {
+			syslog(LOG_AUTH,
+			       "radius-auth: error authenticating user '%s'",
+			       pctx->username);
+			return ERR_AUTH_FAIL;
+		}
+	}
+}
+
+static int radius_auth_msg(void *ctx, char *msg, size_t msg_size)
+{
+	struct radius_ctx_st *pctx = ctx;
+
+	snprintf(msg, msg_size, "%s", pctx->pass_msg);
+	return 0;
+}
+
+static void radius_auth_deinit(void *ctx)
+{
+	struct radius_ctx_st *pctx = ctx;
+	talloc_free(pctx);
+}
+
+
+static int radius_auth_open_session(void* ctx)
+{
+struct radius_ctx_st * pctx = ctx;
+int ret;
+uint32_t status_type;
+VALUE_PAIR *send = NULL, *recvd = NULL;
+
+	status_type = PW_STATUS_START;
+
+	syslog(LOG_DEBUG, "opening session with radius");
+	if (rc_avpair_add(rh, &send, PW_ACCT_STATUS_TYPE, &status_type, -1, 0) == NULL)
+		return -1;
+
+	ret = rc_aaa(rh, 0, send, &recvd, pctx->msg, 1, PW_ACCOUNTING_REQUEST);
+	if (recvd != NULL)
+		rc_avpair_free(recvd);
+
+	if (ret != OK_RC) {
+		syslog(LOG_AUTH, "radius-auth: radius_open_session: %d", ret);
+		return -1;
+	}
+
+	return 0;
+}
+
+static void radius_auth_close_session(void* ctx)
+{
+struct radius_ctx_st * pctx = ctx;
+int ret;
+uint32_t status_type;
+VALUE_PAIR *send = NULL, *recvd = NULL;
+
+	status_type = PW_STATUS_STOP;
+
+	syslog(LOG_DEBUG, "closing session with radius");
+	if (rc_avpair_add(rh, &send, PW_ACCT_STATUS_TYPE, &status_type, -1, 0) == NULL)
+		return;
+
+	ret = rc_aaa(rh, 0, send, &recvd, pctx->msg, 1, PW_ACCOUNTING_REQUEST);
+	if (recvd != NULL)
+		rc_avpair_free(recvd);
+
+	if (ret != OK_RC) {
+		syslog(LOG_INFO, "radius-auth: radius_close_session: %d", ret);
+		return;
+	}
+
+	return;
+}
+
+const struct auth_mod_st radius_auth_funcs = {
+	.type = AUTH_TYPE_RADIUS | AUTH_TYPE_USERNAME_PASS,
+	.global_init = radius_global_init,
+	.global_deinit = radius_global_deinit,
+	.auth_init = radius_auth_init,
+	.auth_deinit = radius_auth_deinit,
+	.auth_msg = radius_auth_msg,
+	.auth_pass = radius_auth_pass,
+	.auth_user = radius_auth_user,
+	.auth_group = radius_auth_group,
+	.open_session = radius_auth_open_session,
+	.close_session = radius_auth_close_session,
+	.group_list = NULL
+};
+
+#endif

src/auth/radius.h

@@ -0,0 +1,28 @@
+/*
+ * Copyright (C) 2014 Red Hat, Inc.
+ *
+ * Author: Nikos Mavrogiannopoulos
+ *
+ * This file is part of ocserv.
+ *
+ * The GnuTLS is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public License
+ * as published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>
+ */
+#ifndef RADIUS_H
+#define RADIUS_H
+
+#include <sec-mod-auth.h>
+
+extern const struct auth_mod_st radius_auth_funcs;
+
+#endif

src/config.c

@@ -32,6 +32,7 @@
 #include <c-strcase.h>
 #include <c-ctype.h>
 #include <auth/pam.h>
+#include <auth/radius.h>
 #include <auth/plain.h>
 
 #include <vpn.h>
@@ -45,6 +46,7 @@
 
 static char pid_file[_POSIX_PATH_MAX] = "";
 static const char* cfg_file = DEFAULT_CFG_FILE;
+static const struct auth_mod_st *amod = NULL;
 
 struct cfg_options {
 	const char* name;
@@ -324,6 +326,11 @@ static char *get_brackets_string(void *pool, const char *str)
 	return talloc_strndup(pool, p, len);
 }
 
+const struct auth_mod_st *get_auth_mod(void)
+{
+	return amod;
+}
+
 static void parse_cfg_file(const char* file, struct cfg_st *config, unsigned reload)
 {
 tOptionValue const * pov;
@@ -332,7 +339,6 @@ unsigned j, i, mand;
 char** auth = NULL;
 unsigned auth_size = 0;
 unsigned prefix = 0, auto_select_group = 0;
-const struct auth_mod_st *amod = NULL;
 char *tmp;
 unsigned force_cert_auth;
 
@@ -369,7 +375,7 @@ unsigned force_cert_auth;
 				exit(1);
 			}
 #ifdef HAVE_PAM
-			config->auth_types |= AUTH_TYPE_PAM;
+			config->auth_types |= amod->type;
 			amod = &pam_auth_funcs;
 #else
 			fprintf(stderr, "PAM support is disabled\n");
@@ -387,7 +393,25 @@ unsigned force_cert_auth;
 				exit(1);
 			}
 			amod = &plain_auth_funcs;
-			config->auth_types |= AUTH_TYPE_PLAIN;
+			config->auth_types |= amod->type;
+		} else if (strncasecmp(auth[j], "radius", 6) == 0) {
+			if ((config->auth_types & AUTH_TYPE_USERNAME_PASS) != 0) {
+				fprintf(stderr, "You cannot mix multiple username/password authentication methods\n");
+				exit(1);
+			}
+
+#ifdef HAVE_RADIUS
+			config->auth_additional = get_brackets_string(config, auth[j]+6);
+			if (config->auth_additional == NULL) {
+				fprintf(stderr, "No configuration specified; error in %s\n", auth[j]);
+				exit(1);
+			}
+			amod = &radius_auth_funcs;
+			config->auth_types |= amod->type;
+#else
+			fprintf(stderr, "Radius support is disabled\n");
+			exit(1);
+#endif
 		} else if (c_strcasecmp(auth[j], "certificate") == 0) {
 			config->auth_types |= AUTH_TYPE_CERTIFICATE;
 		} else if (c_strcasecmp(auth[j], "certificate[optional]") == 0) {
@@ -821,6 +845,9 @@ void print_version(tOptions *opts, tOptDesc *desc)
 #ifdef HAVE_LIBWRAP
 	fprintf(stderr, "tcp-wrappers, ");
 #endif
+#ifdef HAVE_RADIUS
+	fprintf(stderr, "radius, ");
+#endif
 #ifdef HAVE_PAM
 	fprintf(stderr, "PAM, ");
 #endif

src/main.h

@@ -304,4 +304,6 @@ int send_socket_msg_to_worker(main_server_st* s, struct proc_st* proc, uint8_t c
 void request_reload(int signo);
 void request_stop(int signo);
 
+const struct auth_mod_st *get_auth_mod(void);
+
 #endif

src/ocserv-args.def

@@ -76,7 +76,7 @@ An example configuration file follows.
 # User authentication method. Could be set multiple times and in 
 # that case all should succeed. To enable multiple methods use
 # multiple auth directives. Available options: certificate, certificate[optional],
-# plain, pam. 
+# plain, pam, radius[config]. 
 #auth = "certificate"
 #auth = "pam"
 
@@ -96,6 +96,10 @@ An example configuration file follows.
 # to generate password entries.
 #auth = "plain[/etc/ocserv/ocpasswd]"
 
+# The radius option requires specifying freeradius-client configuration
+# file.
+#auth = "radius[/etc/radiusclient/radiusclient.conf]"
+
 # Whether to enable seccomp worker isolation. That restricts the number of 
 # system calls allowed to a worker process, in order to reduce damage from a
 # bug in the worker process. It is available on Linux systems at a performance cost.

src/sec-mod-auth.c

@@ -53,16 +53,12 @@
 
 static const struct auth_mod_st *module = NULL;
 
-void sec_auth_init(struct cfg_st *config)
+void sec_auth_init(void *pool, struct cfg_st *config)
 {
-#ifdef HAVE_PAM
-	if ((config->auth_types & pam_auth_funcs.type) == pam_auth_funcs.type)
-		module = &pam_auth_funcs;
-	else
-#endif
-	if ((config->auth_types & plain_auth_funcs.type) ==
-		    plain_auth_funcs.type) {
-		module = &plain_auth_funcs;
+	module = get_auth_mod();
+
+	if (module->global_init) {
+		module->global_init(pool, config->auth_additional);
 	}
 }
 

src/sec-mod-auth.h

@@ -28,6 +28,8 @@
 
 struct auth_mod_st {
 	unsigned int type;
+	void (*global_init)(void *pool, void* additional);
+	void (*global_deinit)(void);
 	int (*auth_init)(void** ctx, void *pool, const char* username, const char* ip, void* additional);
 	int (*auth_msg)(void* ctx, char* msg, size_t msg_size);
 	int (*auth_pass)(void* ctx, const char* pass, unsigned pass_len);

src/sec-mod.c

@@ -472,7 +472,7 @@ void sec_mod_server(void *main_pool, struct cfg_st *config, const char *socket_f
 
 	alarm(MAINTAINANCE_TIME);
 
-	sec_auth_init(config);
+	sec_auth_init(sec, config);
 
 #ifdef HAVE_PKCS11
 	ret = gnutls_pkcs11_reinit();

src/sec-mod.h

@@ -86,7 +86,7 @@ void cleanup_client_entries(sec_mod_st *sec);
 	}
 #endif
 
-void sec_auth_init(struct cfg_st *config);
+void sec_auth_init(void *pool, struct cfg_st *config);
 
 int handle_sec_auth_init(sec_mod_st *sec, const SecAuthInitMsg * req);
 int handle_sec_auth_cont(sec_mod_st *sec, const SecAuthContMsg * req);

src/vpn.h

@@ -76,6 +76,7 @@ extern int syslog_open;
 #define AUTH_TYPE_PLAIN (1<<2 | AUTH_TYPE_USERNAME_PASS)
 #define AUTH_TYPE_CERTIFICATE (1<<3)
 #define AUTH_TYPE_CERTIFICATE_OPT (1<<4|AUTH_TYPE_CERTIFICATE)
+#define AUTH_TYPE_RADIUS (1<<5 | AUTH_TYPE_USERNAME_PASS)
 
 #define ERR_SUCCESS 0
 #define ERR_BAD_COMMAND -2