/src/etc/inc/openvpn.auth-user.php - Annotate - pfSense - pfSense bugtracker

| Branch: | Tag: | Revision:

root/src/etc/inc/openvpn.auth-user.php @ 0f29b3a0

1	cb7d18d5	Renato Botelho	#!/usr/local/bin/php-cgi -f
2	3c11bd3c	Matthew Grooms	<?php
3			/*
4	8acd654a	Renato Botelho	* openvpn.auth-user.php
5			*
6			* part of pfSense (https://www.pfsense.org)
7	aaec5634	Renato Botelho	* Copyright (c) 2008 Shrew Soft Inc
8	2a2396a6	Renato Botelho	* Copyright (c) 2008-2016 Rubicon Communications, LLC (Netgate)
9	8acd654a	Renato Botelho	* All rights reserved.
10			*
11			* Redistribution and use in source and binary forms, with or without
12			* modification, are permitted provided that the following conditions are met:
13			*
14			* 1. Redistributions of source code must retain the above copyright notice,
15			* this list of conditions and the following disclaimer.
16			*
17			* 2. Redistributions in binary form must reproduce the above copyright
18			* notice, this list of conditions and the following disclaimer in
19			* the documentation and/or other materials provided with the
20			* distribution.
21			*
22			* 3. All advertising materials mentioning features or use of this software
23			* must display the following acknowledgment:
24			* "This product includes software developed by the pfSense Project
25			* for use in the pfSense® software distribution. (http://www.pfsense.org/).
26			*
27			* 4. The names "pfSense" and "pfSense Project" must not be used to
28			* endorse or promote products derived from this software without
29			* prior written permission. For written permission, please contact
30			* coreteam@pfsense.org.
31			*
32			* 5. Products derived from this software may not be called "pfSense"
33			* nor may "pfSense" appear in their names without prior written
34			* permission of the Electric Sheep Fencing, LLC.
35			*
36			* 6. Redistributions of any form whatsoever must retain the following
37			* acknowledgment:
38			*
39			* "This product includes software developed by the pfSense Project
40			* for use in the pfSense software distribution (http://www.pfsense.org/).
41			*
42			* THIS SOFTWARE IS PROVIDED BY THE pfSense PROJECT ``AS IS'' AND ANY
43			* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
44			* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
45			* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE pfSense PROJECT OR
46			* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
47			* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
48			* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
49			* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
50			* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
51			* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
52			* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
53			* OF THE POSSIBILITY OF SUCH DAMAGE.
54			*/
55	3c11bd3c	Matthew Grooms
56			/*
57			* OpenVPN calls this script to authenticate a user
58			* based on a username and password. We lookup these
59			* in our config.xml file and check the credentials.
60			*/
61
62	befad728	Ermal	require_once("globals.inc");
63	3c11bd3c	Matthew Grooms	require_once("config.inc");
64	cc686d98	Ermal Lu?i	require_once("radius.inc");
65	a13ce628	Ermal Lu?i	require_once("auth.inc");
66	cc686d98	Ermal Lu?i	require_once("interfaces.inc");
67	3c11bd3c	Matthew Grooms
68	cc686d98	Ermal Lu?i	/**
69			* Get the NAS-Identifier
70			*
71	10d4fe2e	Phil Davis	* We will return "openVPN" so that connections can be distinguished by the Radius
72	cc686d98	Ermal Lu?i	*/
73			if (!function_exists("getNasID")) {
74	086cf944	Phil Davis	function getNasID() {
75	10d4fe2e	Phil Davis	return "openVPN";
76	cc686d98	Ermal Lu?i	}
77			}
78
79			/**
80			* Get the NAS-IP-Address based on the current wan address
81			*
82			* Use functions in interfaces.inc to find this out
83			*
84			*/
85			if (!function_exists("getNasIP")) {
86	086cf944	Phil Davis	function getNasIP() {
87	b37a2e8c	Phil Davis	$nasIp = get_interface_ip();
88			if (!$nasIp) {
89			$nasIp = "0.0.0.0";
90			}
91			return $nasIp;
92	cc686d98	Ermal Lu?i	}
93			}
94	10d4fe2e	Phil Davis
95			/**
96			* Set the NAS-Port-Type
97			*
98			* Should be "Virtual" since that denotes VPN connections
99			*/
100			if (!function_exists("getNasPortType")) {
101			function getNasPortType() {
102			return RADIUS_VIRTUAL;
103			}
104			}
105
106			/**
107			* Set the NAS-Port
108			*
109			* We will return the port the client connected to
110			*/
111			if (!function_exists("getNasPort")) {
112			function getNasPort() {
113			return $_GET['nas_port'];
114			}
115			}
116
117			/**
118			* Set the Called-Station-ID
119			*
120			* We will return the IP and port the client connected to
121			*/
122			if (!function_exists("getCalledStationId")) {
123			function getCalledStationId() {
124			return get_interface_ip() . ":" . getNasPort();
125			}
126			}
127
128	3c11bd3c	Matthew Grooms	/* setup syslog logging */
129			openlog("openvpn", LOG_ODELAY, LOG_AUTH);
130
131	8fa0a534	Ermal LUÇI	if (isset($_GET['username'])) {
132	f24b6fb6	jim-p	$authmodes = explode(",", base64_decode($_GET['authcfg']));
133	a3d88018	Edin Sarajlic	/* Any string retrieved through $_GET is automatically urlDecoded */
134			$username = base64_decode($_GET['username']);
135			$password = base64_decode($_GET['password']);
136	5e28dad4	Ermal	$common_name = $_GET['cn'];
137			$modeid = $_GET['modeid'];
138			$strictusercn = $_GET['strictcn'] == "false" ? false : true;
139			} else {
140			/* read data from environment */
141			$username = getenv("username");
142			$password = getenv("password");
143			$common_name = getenv("common_name");
144			}
145	3c11bd3c	Matthew Grooms
146			if (!$username \|\| !$password) {
147	1f5309a3	Matthew Grooms	syslog(LOG_ERR, "invalid user authentication environment");
148	8fa0a534	Ermal LUÇI	if (isset($_GET['username'])) {
149	5e28dad4	Ermal	echo "FAILED";
150	b2af12ad	Ermal	closelog();
151	5e28dad4	Ermal	return;
152	b2af12ad	Ermal	} else {
153			closelog();
154	52550ca5	Ermal LUÇI	return (-1);
155	b2af12ad	Ermal	}
156	3c11bd3c	Matthew Grooms	}
157
158	b37a2e8c	Phil Davis	/* Replaced by a sed with proper variables used below(ldap parameters). */
159	c61e4626	Ermal Lu?i	//<template>
160
161	1492e02c	Ermal	if (file_exists("{$g['varetc_path']}/openvpn/{$modeid}.ca")) {
162			putenv("LDAPTLS_CACERT={$g['varetc_path']}/openvpn/{$modeid}.ca");
163			putenv("LDAPTLS_REQCERT=never");
164			}
165
166	c61e4626	Ermal Lu?i	$authenticated = false;
167	8901958c	jim-p
168	5319cf40	Talle	if (($strictusercn === true) && (mb_strtolower($common_name) !== mb_strtolower($username))) {
169	8901958c	jim-p	syslog(LOG_WARNING, "Username does not match certificate common name ({$username} != {$common_name}), access denied.\n");
170	8fa0a534	Ermal LUÇI	if (isset($_GET['username'])) {
171	5e28dad4	Ermal	echo "FAILED";
172	b2af12ad	Ermal	closelog();
173	5e28dad4	Ermal	return;
174	b2af12ad	Ermal	} else {
175			closelog();
176	52550ca5	Ermal LUÇI	return (1);
177	b2af12ad	Ermal	}
178	5e28dad4	Ermal	}
179
180			if (!is_array($authmodes)) {
181			syslog(LOG_WARNING, "No authentication server has been selected to authenticate against. Denying authentication for user {$username}");
182	8fa0a534	Ermal LUÇI	if (isset($_GET['username'])) {
183	5e28dad4	Ermal	echo "FAILED";
184	b2af12ad	Ermal	closelog();
185	5e28dad4	Ermal	return;
186	b2af12ad	Ermal	} else {
187			closelog();
188	52550ca5	Ermal LUÇI	return (1);
189	b2af12ad	Ermal	}
190	8901958c	jim-p	}
191
192	1492e02c	Ermal	$attributes = array();
193	c61e4626	Ermal Lu?i	foreach ($authmodes as $authmode) {
194			$authcfg = auth_get_authserver($authmode);
195	821a4351	Renato Botelho	if (!$authcfg && $authmode != "Local Database") {
196	c61e4626	Ermal Lu?i	continue;
197	b37a2e8c	Phil Davis	}
198	c61e4626	Ermal Lu?i
199	1492e02c	Ermal	$authenticated = authenticate_user($username, $password, $authcfg, $attributes);
200	b37a2e8c	Phil Davis	if ($authenticated == true) {
201	006a162f	Ermal Lu?i	break;
202	b37a2e8c	Phil Davis	}
203	c61e4626	Ermal Lu?i	}
204
205			if ($authenticated == false) {
206	3260b82f	Ermal	syslog(LOG_WARNING, "user '{$username}' could not authenticate.\n");
207	8fa0a534	Ermal LUÇI	if (isset($_GET['username'])) {
208	5e28dad4	Ermal	echo "FAILED";
209	b2af12ad	Ermal	closelog();
210	5e28dad4	Ermal	return;
211	b2af12ad	Ermal	} else {
212			closelog();
213	52550ca5	Ermal LUÇI	return (-1);
214	b2af12ad	Ermal	}
215	3c11bd3c	Matthew Grooms	}
216
217	b37a2e8c	Phil Davis	if (file_exists("/etc/inc/openvpn.attributes.php")) {
218			include_once("/etc/inc/openvpn.attributes.php");
219			}
220
221	1492e02c	Ermal	$content = "";
222			if (is_array($attributes['dns-servers'])) {
223	b37a2e8c	Phil Davis	foreach ($attributes['dns-servers'] as $dnssrv) {
224			if (is_ipaddr($dnssrv)) {
225			$content .= "push \"dhcp-option DNS {$dnssrv}\"\n";
226			}
227			}
228	1492e02c	Ermal	}
229			if (is_array($attributes['routes'])) {
230	b37a2e8c	Phil Davis	foreach ($attributes['routes'] as $route) {
231	5e28dad4	Ermal	$content .= "push \"route {$route} vpn_gateway\"\n";
232	b37a2e8c	Phil Davis	}
233	1492e02c	Ermal	}
234
235			if (isset($attributes['framed_ip'])) {
236	ee8f9940	doktornotor	if (isset($attributes['framed_mask'])) {
237	b37a2e8c	Phil Davis	$content .= "topology subnet\n";
238			$content .= "ifconfig-push {$attributes['framed_ip']} {$attributes['framed_mask']}";
239			} else {
240	ee8f9940	doktornotor	$content .= "topology net30\n";
241	356ec787	doktornotor	$content .= "ifconfig-push {$attributes['framed_ip']} ". long2ip((ip2long($attributes['framed_ip']) - 1));
242	ee8f9940	doktornotor	}
243	b37a2e8c	Phil Davis	}
244
245			if (!empty($content)) {
246			@file_put_contents("{$g['tmp_path']}/{$username}", $content);
247	1492e02c	Ermal	}
248
249	3260b82f	Ermal	syslog(LOG_NOTICE, "user '{$username}' authenticated\n");
250	b2af12ad	Ermal	closelog();
251	a13ce628	Ermal Lu?i
252	b37a2e8c	Phil Davis	if (isset($_GET['username'])) {
253	5e28dad4	Ermal	echo "OK";
254	b37a2e8c	Phil Davis	} else {
255	52550ca5	Ermal LUÇI	return (0);
256	b37a2e8c	Phil Davis	}
257	3c11bd3c	Matthew Grooms
258	fe2031ab	Ermal	?>

Project

General

Profile

pfSense