<?php
/*
 * openvpn.auth-user.php
 *
 * part of pfSense (https://www.pfsense.org)
 * Copyright (c) 2008 Shrew Soft Inc
 * Copyright (c) 2008-2018 Rubicon Communications, LLC (Netgate)
 * All rights reserved.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
/*
 * OpenVPN calls this script to authenticate a user based on a username and
 * password. The credentials are checked, via authenticate_user(), against the
 * authentication servers selected for the OpenVPN instance: the local user
 * database and/or the LDAP / RADIUS servers configured in config.xml.
 */
require_once("globals.inc");
require_once("config.inc");
require_once("radius.inc");
require_once("auth.inc");
require_once("interfaces.inc");
/**
 * Get the NAS-Identifier
 *
 * Always the fixed string "openVPN", so that a RADIUS server can tell OpenVPN
 * logins apart from other services on this firewall (e.g. in its policies or
 * accounting). Wrapped in function_exists(), presumably because one of the
 * required .inc files may already provide a default of the same name.
 */
if (!function_exists("getNasID")) {
	function getNasID() {
		$nas_identifier = "openVPN";
		return $nas_identifier;
	}
}
/**
 * Get the NAS-IP-Address based on the current wan address
 *
 * Uses get_interface_ip() from interfaces.inc with its default interface
 * (the WAN address, per the original comment). When no address can be found
 * the placeholder 0.0.0.0 is returned so the RADIUS attribute is still set.
 */
if (!function_exists("getNasIP")) {
	function getNasIP() {
		$wan_address = get_interface_ip();
		return $wan_address ? $wan_address : "0.0.0.0";
	}
}
/**
 * Set the NAS-Port-Type
 *
 * VPN sessions are reported with the RADIUS port type "Virtual"; the constant
 * RADIUS_VIRTUAL comes from radius.inc.
 */
if (!function_exists("getNasPortType")) {
	function getNasPortType() {
		$port_type = RADIUS_VIRTUAL;
		return $port_type;
	}
}
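/**
 * Set the NAS-Port
 *
 * Returns the port the client connected to, as handed over by the caller in
 * the "nas_port" query-string parameter. The value is passed through exactly
 * as received (a string) and is not validated as numeric here; presumably it
 * is consumed by radius.inc as the NAS-Port attribute.
 *
 * When the script is driven from the environment rather than a query string,
 * $_GET carries no such key: return null explicitly instead of tripping an
 * undefined-index notice (the value was null in that case before as well).
 */
if (!function_exists("getNasPort")) {
	function getNasPort() {
		if (!isset($_GET['nas_port'])) {
			return null;
		}
		return $_GET['nas_port'];
	}
}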
/**
 * Set the Called-Station-ID
 *
 * "ip:port" of the listener the client connected to: the address from
 * get_interface_ip() (default interface) joined with getNasPort(). If either
 * part is unavailable it is rendered as an empty string (e.g. "1.2.3.4:").
 */
if (!function_exists("getCalledStationId")) {
	function getCalledStationId() {
		$station_ip = get_interface_ip();
		$station_port = getNasPort();
		return sprintf("%s:%s", $station_ip, $station_port);
	}
}
/* Every log line from this script goes to the auth facility, tagged "openvpn". */
openlog("openvpn", LOG_ODELAY, LOG_AUTH);

/* Presumably so these stay global even if the file is included from inside a function. */
global $common_name, $username;

/*
 * Two invocation styles are supported:
 *  - query string: the caller passes username/password/authcfg base64-encoded
 *    (decoded here into arbitrary byte strings, nothing is filtered), plus the
 *    certificate CN, the OpenVPN instance id and the strict-CN flag;
 *  - environment: only username, password and common_name are read.
 * NOTE(review): $authmodes, $modeid and $strictusercn are assigned on the
 * query-string path only; the environment path leaves them unset, which the
 * checks further down treat as "no authentication server selected".
 */
if (isset($_GET['username'])) {
	/* Any string retrieved through $_GET is automatically urlDecoded */
	$username = base64_decode($_GET['username']);
	$password = base64_decode($_GET['password']);
	$common_name = $_GET['cn'];
	$modeid = $_GET['modeid'];
	$authmodes = explode(",", base64_decode($_GET['authcfg']));
	/* Strict CN matching is on unless the caller explicitly passes "false". */
	$strictusercn = ($_GET['strictcn'] != "false");
} else {
	/* read data from environment */
	$username = getenv("username");
	$password = getenv("password");
	$common_name = getenv("common_name");
}
/*
 * Fail closed when either credential is missing. The outcome is reported the
 * way each caller expects: "FAILED" on stdout for the query-string invocation,
 * a non-zero return value for the environment invocation.
 * Note this is a truthiness test, so a username or password that is exactly
 * "0" is also treated as missing.
 */
if (!$username || !$password) {
	syslog(LOG_ERR, "invalid user authentication environment");
	closelog();
	if (isset($_GET['username'])) {
		echo "FAILED";
		return;
	}
	return (-1);
}
126
127 b37a2e8c Phil Davis
/* Replaced by a sed with proper variables used below(ldap parameters). */
//<template>

/*
 * LDAP over TLS: if a CA bundle was written for this OpenVPN instance, point
 * the LDAP client library at it. LDAPTLS_REQCERT=never is the OpenLDAP setting
 * that skips verification of the server certificate entirely, so the CA file
 * only enables encryption, not authentication of the LDAP server; a deployment
 * that needs the latter would have to use "demand" here. Left as is, since
 * existing setups may depend on it.
 * NOTE(review): $modeid comes straight from the query string (and is unset on
 * the environment path) and is used as a path component without validation;
 * it only selects which *.ca file is loaded, so the impact is limited to that.
 */
$ldap_ca_file = "{$g['varetc_path']}/openvpn/{$modeid}.ca";
if (file_exists($ldap_ca_file)) {
	putenv("LDAPTLS_CACERT={$ldap_ca_file}");
	putenv("LDAPTLS_REQCERT=never");
}
$authenticated = false;

/*
 * Strict CN mode: the username must equal the certificate common name,
 * compared case-insensitively (multibyte aware). Otherwise a user holding any
 * valid certificate could log in with someone else's password-only account.
 * NOTE(review): $strictusercn is only set on the query-string path; on the
 * environment path it is unset, `=== true` is false, and this check is skipped.
 */
if ($strictusercn === true) {
	if (mb_strtolower($common_name) !== mb_strtolower($username)) {
		syslog(LOG_WARNING, "Username does not match certificate common name ({$username} != {$common_name}), access denied.\n");
		closelog();
		if (isset($_GET['username'])) {
			echo "FAILED";
			return;
		}
		return (1);
	}
}

/*
 * Without a list of backends there is nothing to authenticate against: deny.
 * (This is also what happens on the environment path, where $authmodes is
 * never assigned.)
 */
if (is_array($authmodes) === false) {
	syslog(LOG_WARNING, "No authentication server has been selected to authenticate against. Denying authentication for user {$username}");
	closelog();
	if (isset($_GET['username'])) {
		echo "FAILED";
		return;
	}
	return (1);
}
/*
 * Try each selected backend in order; the first one that accepts the
 * credentials wins and the loop stops. A refusal by one backend does not end
 * the attempt, the next backend is still consulted, so no distinction is made
 * between "wrong password" and "server unreachable" here.
 * $attributes is handed to authenticate_user() as a variable so the backend
 * can fill in per-user attributes (presumably by reference).
 */
$attributes = array();
foreach ($authmodes as $authmode) {
	$authcfg = auth_get_authserver($authmode);
	/* "Local Database" has no server entry; any other unknown name is skipped. */
	if ($authmode != "Local Database" && !$authcfg) {
		continue;
	}
	$authenticated = authenticate_user($username, $password, $authcfg, $attributes);
	if ($authenticated) {
		break;
	}
}

if (!$authenticated) {
	syslog(LOG_WARNING, "user '{$username}' could not authenticate.\n");
	closelog();
	if (isset($_GET['username'])) {
		echo "FAILED";
		return;
	}
	return (-1);
}
/*
 * Optional local hook, presumably for post-processing $attributes; what it
 * does is not visible here. Its absence is not an error.
 */
$attr_hook = "/etc/inc/openvpn.attributes.php";
if (file_exists($attr_hook)) {
	include_once($attr_hook);
}
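/*
 * Build the per-client OpenVPN config fragment from the attributes the
 * backend returned (filled in by authenticate_user() and, optionally, the
 * openvpn.attributes.php hook). The keys used are 'dns-servers', 'routes',
 * 'framed_ip' and 'framed_mask'; their format is defined by those callers,
 * not by this file.
 *
 * Every value interpolated below becomes part of an OpenVPN config file. A
 * value carrying a double quote or a line break would terminate the quoted
 * directive early and let the remainder be read as further directives, so
 * such values are logged and skipped instead of written. Route / address
 * syntax beyond that is not checked here, as before.
 */
$content = "";

if (isset($attributes['dns-servers']) && is_array($attributes['dns-servers'])) {
	foreach ($attributes['dns-servers'] as $dnssrv) {
		/* Only well-formed addresses are pushed; anything else is dropped. */
		if (is_ipaddr($dnssrv)) {
			$content .= "push \"dhcp-option DNS {$dnssrv}\"\n";
		}
	}
}

if (isset($attributes['routes']) && is_array($attributes['routes'])) {
	foreach ($attributes['routes'] as $route) {
		if (preg_match('/["\r\n]/', $route)) {
			syslog(LOG_WARNING, "user '{$username}': ignoring malformed route attribute.\n");
			continue;
		}
		$content .= "push \"route {$route} vpn_gateway\"\n";
	}
}

if (isset($attributes['framed_ip'])) {
	if (preg_match('/["\r\n]/', $attributes['framed_ip'] . (isset($attributes['framed_mask']) ? $attributes['framed_mask'] : ""))) {
		syslog(LOG_WARNING, "user '{$username}': ignoring malformed framed address attribute.\n");
	} elseif (isset($attributes['framed_mask'])) {
		/* A mask was supplied: hand the client its address and mask directly. */
		$content .= "topology subnet\n";
		$content .= "ifconfig-push {$attributes['framed_ip']} {$attributes['framed_mask']}";
	} else {
		/* No mask: net30, where the client's peer is the address just below its own. */
		$content .= "topology net30\n";
		$content .= "ifconfig-push {$attributes['framed_ip']} ". long2ip((ip2long($attributes['framed_ip']) - 1));
	}
}

if (!empty($content)) {
	/*
	 * The file name is the (now authenticated) username, which the client
	 * supplied and which has not been filtered anywhere above: via the query
	 * string it is an arbitrary base64-decoded byte string. A name containing
	 * '/' or a NUL byte, or equal to '.' or '..', could make this write land
	 * outside {$g['tmp_path']}, so it is refused and logged; ordinary usernames
	 * are unaffected. The login result itself is not changed by this.
	 */
	if (strpos($username, "/") !== false || strpos($username, "\0") !== false ||
	    $username === "." || $username === "..") {
		syslog(LOG_WARNING, "user '{$username}' has a name unsafe for a file name, not writing client config.\n");
	} else {
		/* Write errors are suppressed (as before); a failed write does not affect the result. */
		@file_put_contents("{$g['tmp_path']}/{$username}", $content);
	}
}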
/*
 * Success: log it and report it the way the caller expects, a return value
 * of 0 for the environment invocation and "OK" on stdout for the query-string
 * invocation.
 */
syslog(LOG_NOTICE, "user '{$username}' authenticated\n");
closelog();

if (!isset($_GET['username'])) {
	return (0);
}
echo "OK";
?>