#!/usr/local/bin/php-cgi -f
<?php
/* $Id$ */
/*
	openvpn.auth-user.php
	Copyright (C) 2008 Shrew Soft Inc
	Copyright (C) 2010 Ermal Luçi
	Copyright (C) 2013-2015 Electric Sheep Fencing, LP
	All rights reserved.
	Redistribution and use in source and binary forms, with or without
	modification, are permitted provided that the following conditions are met:
	1. Redistributions of source code must retain the above copyright notice,
	   this list of conditions and the following disclaimer.
	2. Redistributions in binary form must reproduce the above copyright
	   notice, this list of conditions and the following disclaimer in the
	   documentation and/or other materials provided with the distribution.
	THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
	INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
	AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
	AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
	OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
	SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
	INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
	CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
	ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
	POSSIBILITY OF SUCH DAMAGE.
*/
/*
	pfSense_BUILDER_BINARIES:
	pfSense_MODULE:	openvpn
*/
/*
 * OpenVPN calls this script to authenticate a user
 * based on a username and password. We look these up
 * in our config.xml file and check the credentials.
 */
require_once("globals.inc");
require_once("config.inc");
require_once("radius.inc");
require_once("auth.inc");
require_once("interfaces.inc");
/**
 * Get the NAS-Identifier
 *
 * We will use our local hostname to make up the nas_id
 */
if (!function_exists("getNasID")) {
function getNasID() {
	global $g;

	/* Prefer the system hostname; fall back to the product name when it is unavailable */
	$hostname = gethostname();
	return empty($hostname) ? $g['product_name'] : $hostname;
}
}
/**
 * Get the NAS-IP-Address based on the current wan address
 *
 * Use functions in interfaces.inc to find this out
 *
 */
if (!function_exists("getNasIP")) {
function getNasIP() {
	/* get_interface_ip() yields nothing usable when no address is configured; report 0.0.0.0 then */
	$address = get_interface_ip();
	return $address ? $address : "0.0.0.0";
}
}
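/* setup syslog logging */
openlog("openvpn", LOG_ODELAY, LOG_AUTH);

/*
 * Credentials arrive either as query parameters (username and password
 * base64 encoded, with "=" possibly escaped as %3D) or, failing that,
 * from the environment. The query-parameter mode answers with OK/FAILED
 * on stdout; the environment mode answers with a return value.
 * NOTE(review): in the query-parameter mode the values presumably come
 * from the php-cgi command line - confirm they are not visible to other
 * local users while the script runs.
 */
if (isset($_GET['username'])) {
	/* isset() guards keep a missing parameter from raising a notice; the values are unchanged */
	$authmodes = explode(",", isset($_GET['authcfg']) ? $_GET['authcfg'] : "");
	$username = base64_decode(str_replace('%3D', '=', $_GET['username']));
	$password = base64_decode(str_replace('%3D', '=', isset($_GET['password']) ? $_GET['password'] : ""));
	$common_name = isset($_GET['cn']) ? $_GET['cn'] : null;
	$modeid = isset($_GET['modeid']) ? $_GET['modeid'] : null;
	/* strict CN matching stays on unless it is explicitly switched off */
	$strictusercn = (isset($_GET['strictcn']) && $_GET['strictcn'] === "false") ? false : true;
} else {
	/* read data from environment */
	$username = getenv("username");
	$password = getenv("password");
	$common_name = getenv("common_name");
}

/* An empty or missing username/password is an invocation error, not a failed login */
if (!$username || !$password) {
	syslog(LOG_ERR, "invalid user authentication environment");
	if (isset($_GET['username'])) {
		echo "FAILED";
		closelog();
		return;
	} else {
		closelog();
		return (-1);
	}
}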
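/* Replaced by a sed with proper variables used below(ldap parameters). */
//<template>

/*
 * Point the LDAP client at the CA file exported for this OpenVPN
 * instance, when one exists.
 * NOTE(review): LDAPTLS_REQCERT=never tells the LDAP library not to
 * verify the server certificate at all, so the CA file is not actually
 * enforced; "demand" would make it meaningful - confirm existing
 * deployments can cope before changing it.
 */
if (file_exists("{$g['varetc_path']}/openvpn/{$modeid}.ca")) {
	putenv("LDAPTLS_CACERT={$g['varetc_path']}/openvpn/{$modeid}.ca");
	putenv("LDAPTLS_REQCERT=never");
}

$authenticated = false;

/*
 * With strict CN checking the username must be identical to the client
 * certificate's common name. The comparison is strict on purpose: a loose
 * "!=" treats numeric-looking strings such as "01" and "1" as equal.
 */
if (isset($strictusercn) && ($strictusercn === true) && ($common_name !== $username)) {
	syslog(LOG_WARNING, "Username does not match certificate common name ({$username} != {$common_name}), access denied.\n");
	if (isset($_GET['username'])) {
		echo "FAILED";
		closelog();
		return;
	} else {
		closelog();
		return (1);
	}
}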
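/* Without a list of authentication servers there is nothing to check against */
if (!isset($authmodes) || !is_array($authmodes)) {
	syslog(LOG_WARNING, "No authentication server has been selected to authenticate against. Denying authentication for user {$username}");
	if (isset($_GET['username'])) {
		echo "FAILED";
		closelog();
		return;
	} else {
		closelog();
		return (1);
	}
}

/*
 * Try the configured servers in order; the first one that accepts the
 * credentials wins. $attributes is presumably filled by reference by
 * authenticate_user() and is read further down to build the client
 * configuration (DNS servers, routes, framed address).
 */
$attributes = array();
foreach ($authmodes as $authmode) {
	$authcfg = auth_get_authserver($authmode);
	/* "local" has no server entry; it is passed through with an empty $authcfg */
	if (!$authcfg && $authmode !== "local") {
		continue;
	}

	$authenticated = authenticate_user($username, $password, $authcfg, $attributes);
	if ($authenticated) {
		break;
	}
}

if (!$authenticated) {
	syslog(LOG_WARNING, "user '{$username}' could not authenticate.\n");
	if (isset($_GET['username'])) {
		echo "FAILED";
		closelog();
		return;
	} else {
		closelog();
		return (-1);
	}
}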
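/* Optional local hook that may adjust $attributes before they are used */
if (file_exists("/etc/inc/openvpn.attributes.php")) {
	include_once("/etc/inc/openvpn.attributes.php");
}

/*
 * Build the per-client OpenVPN directives from the attributes the
 * authentication backend returned. Each value ends up inside a
 * configuration line, so a value is only used when it has the shape
 * that line expects; anything else is logged and skipped.
 */
$content = "";
if (isset($attributes['dns-servers']) && is_array($attributes['dns-servers'])) {
	foreach ($attributes['dns-servers'] as $dnssrv) {
		if (is_ipaddr($dnssrv)) {
			$content .= "push \"dhcp-option DNS {$dnssrv}\"\n";
		}
	}
}
if (isset($attributes['routes']) && is_array($attributes['routes'])) {
	foreach ($attributes['routes'] as $route) {
		/* a quote or line break would terminate the push directive early */
		if (!is_string($route) || preg_match('/["\r\n]/', $route)) {
			syslog(LOG_WARNING, "ignoring malformed route attribute for user '{$username}'");
			continue;
		}
		$content .= "push \"route {$route} vpn_gateway\"\n";
	}
}

if (isset($attributes['framed_ip'])) {
	$framed_ip = $attributes['framed_ip'];
	if (!is_ipaddr($framed_ip)) {
		syslog(LOG_WARNING, "ignoring invalid framed_ip attribute for user '{$username}'");
	} elseif (isset($attributes['framed_mask'])) {
		$framed_mask = $attributes['framed_mask'];
		if (is_ipaddr($framed_mask)) {
			$content .= "topology subnet\n";
			$content .= "ifconfig-push {$framed_ip} {$framed_mask}";
		} else {
			syslog(LOG_WARNING, "ignoring invalid framed_mask attribute for user '{$username}'");
		}
	} else {
		/* net30 needs an IPv4 address; the peer is the address just below the client's */
		$framed_long = ip2long($framed_ip);
		if ($framed_long === false) {
			syslog(LOG_WARNING, "ignoring non-IPv4 framed_ip attribute for user '{$username}'");
		} else {
			$content .= "topology net30\n";
			$content .= "ifconfig-push {$framed_ip} " . long2ip($framed_long - 1);
		}
	}
}

if (!empty($content)) {
	/*
	 * The client configuration is stored under the username, which was
	 * supplied by the client, so only a plain file name is accepted: no
	 * NUL bytes, no directory separators, no "." or "..". Warnings stay
	 * suppressed because in the query-parameter mode stdout carries the
	 * OK/FAILED answer; the return value is checked instead.
	 */
	if (strpos($username, "\0") !== false || basename($username) !== $username || $username === "." || $username === "..") {
		syslog(LOG_WARNING, "not writing client configuration for user '{$username}': name is not a plain file name");
	} elseif (@file_put_contents("{$g['tmp_path']}/{$username}", $content) === false) {
		syslog(LOG_WARNING, "could not write client configuration for user '{$username}'");
	}
}

syslog(LOG_NOTICE, "user '{$username}' authenticated\n");
closelog();

if (isset($_GET['username'])) {
	echo "OK";
} else {
	return (0);
}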
?>