#!/usr/local/bin/php -f
<?php
/* $Id$ */
/*
    openvpn.auth-user.php
    Copyright (C) 2008 Shrew Soft Inc
    Copyright (C) 2010 Ermal Luçi
    Copyright (C) 2013-2014 Electric Sheep Fencing, LP
    All rights reserved.
    Redistribution and use in source and binary forms, with or without
    modification, are permitted provided that the following conditions are met:
    1. Redistributions of source code must retain the above copyright notice,
       this list of conditions and the following disclaimer.
    2. Redistributions in binary form must reproduce the above copyright
       notice, this list of conditions and the following disclaimer in the
       documentation and/or other materials provided with the distribution.
    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
    POSSIBILITY OF SUCH DAMAGE.
*/
/*
	pfSense_BUILDER_BINARIES:	
	pfSense_MODULE:	openvpn
*/
/*
 * OpenVPN calls this script to authenticate a user
 * based on a username and password. The credentials are
 * checked, via authenticate_user(), against each authentication
 * server named in the authcfg list (e.g. the local user database,
 * LDAP or RADIUS); on success any attributes the server returned
 * are turned into a per-user OpenVPN client config file.
 */
require_once("globals.inc");
require_once("config.inc");
require_once("radius.inc");
require_once("auth.inc");
require_once("interfaces.inc");
/**
 * Get the NAS-Identifier
 *
 * Returns the local hostname. When gethostname() yields nothing
 * usable (false or an empty string) the product name from the
 * global configuration array $g is returned instead.
 */
if (!function_exists("getNasID")) {
function getNasID()
{
    global $g;

    $hostname = gethostname();
    if ($hostname) {
        return $hostname;
    }
    /* No usable hostname: fall back to the configured product name. */
    return $g['product_name'];
}
}
/**
 * Get the NAS-IP-Address based on the current wan address
 *
 * Uses get_interface_ip() from interfaces.inc (called with no
 * arguments, so whichever interface that helper defaults to is used).
 * Returns "0.0.0.0" when no address could be determined.
 */
if (!function_exists("getNasIP")) {
function getNasIP()
{
    $address = get_interface_ip();
    /* A false/empty result means no address is known. */
    return $address ? $address : "0.0.0.0";
}
}
/* setup syslog logging */
openlog("openvpn", LOG_ODELAY, LOG_AUTH);

/*
 * Collect the credentials to verify. Two call styles are supported:
 *  - query-string style: username, password, cn, modeid, strictcn and a
 *    comma-separated list of auth server names (authcfg) arrive in $_GET;
 *  - environment style: username, password and common_name are read
 *    with getenv().
 *
 * NOTE(review): $_GET is normally defined (as an empty array) even when
 * no query string is present, so isset($_GET) may well be true under
 * every SAPI and the getenv() branch may never run - confirm against the
 * wrapper that invokes this script. The getenv() branch also never sets
 * $authmodes, $modeid or $strictusercn, so a request taken through it is
 * always refused later by the "No authentication server" check.
 */
if (isset($_GET)) {
	$authmodes = explode(",", $_GET['authcfg']);
	$username = $_GET['username'];
	/* The password is urldecode()d a second time here ($_GET is already
	 * decoded); presumably the caller encodes it twice so that '&' and
	 * '%' survive the query string - verify against the wrapper. */
	$password = urldecode($_GET['password']);
	$common_name = $_GET['cn'];
	$modeid = $_GET['modeid'];
	/* Strict CN checking stays on unless explicitly disabled with "false". */
	$strictusercn = ($_GET['strictcn'] != "false");
} else {
	/* read data from environment */
	$username = getenv("username");
	$password = getenv("password");
	$common_name = getenv("common_name");
}
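/*
 * Refuse to continue without both a username and a password.
 *
 * The test is on type and length rather than truthiness: "0" is a legal
 * (if poor) username or password, but !"0" is true in PHP, so the former
 * check turned it away as an "invalid environment". getenv() returns
 * false for an unset variable and a missing $_GET key yields null; both
 * are rejected here, as is an array smuggled in via "username[]=".
 */
if (!is_string($username) || $username === "" ||
    !is_string($password) || $password === "") {
	syslog(LOG_ERR, "invalid user authentication environment");
	if (isset($_GET)) {
		/* the query-string caller reads the verdict from stdout */
		echo "FAILED";
		closelog();
		return;
	} else {
		/* the environment-style caller reads the exit status */
		closelog();
		return (-1);
	}
}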
/* Replaced by a sed with proper variables used below (ldap parameters). */
//<template>

/*
 * Point libldap at the CA file written for this OpenVPN instance, if one
 * exists, so the LDAP backend can be reached over TLS.
 *
 * NOTE(review): LDAPTLS_REQCERT=never tells libldap not to request or
 * verify the server certificate at all, which makes the CA file above
 * irrelevant for verification and leaves an LDAPS backend open to an
 * impersonating server. The presence of a CA file suggests "demand" was
 * intended; confirm with the LDAP auth code before changing it.
 * Also note $modeid is only set on the $_GET path: on the getenv() path
 * this looks for "<varetc_path>/openvpn/.ca".
 */
if (file_exists("{$g['varetc_path']}/openvpn/{$modeid}.ca")) {
	putenv("LDAPTLS_CACERT={$g['varetc_path']}/openvpn/{$modeid}.ca");
	putenv("LDAPTLS_REQCERT=never");
}
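$authenticated = false;

/*
 * With strict CN checking the username presented must be exactly the
 * common name of the client certificate, so a password cannot be combined
 * with a certificate that was issued to a different name.
 *
 * The comparison is strict (!==): with the loose != operator PHP compares
 * two numeric-looking strings as numbers, so e.g. a CN of "1000" would
 * have matched a username of "1e3" or "01000".
 */
if (($strictusercn === true) && ($common_name !== $username)) {
	syslog(LOG_WARNING, "Username does not match certificate common name ({$username} != {$common_name}), access denied.\n");
	if (isset($_GET)) {
		/* the query-string caller reads the verdict from stdout */
		echo "FAILED";
		closelog();
		return;
	} else {
		closelog();
		return (1);
	}
}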
/*
 * Without a list of authentication servers there is nothing to check the
 * password against. explode() always yields an array on the $_GET path,
 * so in practice this catches the getenv() path, where $authmodes is
 * never assigned.
 */
if (!is_array($authmodes)) {
	syslog(LOG_WARNING, "No authentication server has been selected to authenticate against. Denying authentication for user {$username}");
	if (isset($_GET)) {
		/* the query-string caller reads the verdict from stdout */
		echo "FAILED";
		closelog();
		return;
	}
	closelog();
	return (1);
}
/*
 * Try each named auth server in order; the first one that accepts the
 * credentials wins. $attributes is handed to authenticate_user() (which
 * presumably fills it by reference) and may come back holding DNS
 * servers, routes and a framed address for the reply below. "local" is
 * the built-in user database and is allowed through even when
 * auth_get_authserver() has no entry for it.
 */
$attributes = array();
foreach ($authmodes as $authmode) {
	$authcfg = auth_get_authserver($authmode);
	if (!$authcfg && $authmode != "local") {
		/* unknown server name: skip it */
		continue;
	}
	$authenticated = authenticate_user($username, $password, $authcfg, $attributes);
	if ($authenticated) {
		break;
	}
}
/*
 * No server accepted the credentials (or the loop never ran at all):
 * log it and hand OpenVPN a failure.
 */
if (!$authenticated) {
	syslog(LOG_WARNING, "user '{$username}' could not authenticate.\n");
	if (isset($_GET)) {
		/* the query-string caller reads the verdict from stdout */
		echo "FAILED";
		closelog();
		return;
	}
	closelog();
	return (-1);
}
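/*
 * Turn the attributes returned by the auth server into an OpenVPN
 * client-config file for this user. An optional local hook,
 * /etc/inc/openvpn.attributes.php, is included first; it is free to
 * adjust $attributes (its exact contract is not visible from here).
 */
if (file_exists("/etc/inc/openvpn.attributes.php")) {
	include_once("/etc/inc/openvpn.attributes.php");
}

$content = "";

/* DNS servers: only well-formed addresses are pushed. */
if (isset($attributes['dns-servers']) && is_array($attributes['dns-servers'])) {
	foreach ($attributes['dns-servers'] as $dnssrv) {
		if (is_ipaddr($dnssrv)) {
			$content .= "push \"dhcp-option DNS {$dnssrv}\"\n";
		}
	}
}

/*
 * Routes are pushed as given. NOTE(review): unlike the DNS entries they
 * are not validated here, so whatever the auth server returns ends up
 * verbatim inside a push directive; worth checking at the point where
 * $attributes['routes'] is populated.
 */
if (isset($attributes['routes']) && is_array($attributes['routes'])) {
	foreach ($attributes['routes'] as $route) {
		$content .= "push \"route {$route} vpn_gateway\"\n";
	}
}

/*
 * Fixed client address. net30 topology hands the client a /30: the framed
 * address plus the next address as its peer. The +1 arithmetic only makes
 * sense for an IPv4 address, so anything else is logged and skipped
 * instead of becoming "ifconfig-push <junk> 0.0.0.1" (ip2long() returns
 * false for invalid input). A "topology subnet" form using framed_mask
 * used to sit here, disabled, with the note
 * "XXX: only use when TAP windows driver >= 8.2.x".
 */
if (isset($attributes['framed_ip'])) {
	$framed_ip = $attributes['framed_ip'];
	if (filter_var($framed_ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) !== false) {
		$content .= "topology net30\n";
		$content .= "ifconfig-push {$framed_ip} " . long2ip(ip2long($framed_ip) + 1);
	} else {
		syslog(LOG_WARNING, "ignoring invalid framed address '{$framed_ip}' for user '{$username}'");
	}
}

/*
 * The client-config file is named after the username, which was supplied
 * by the VPN client (and by now authenticated). Only a bare file name is
 * acceptable: a name containing a directory separator, or "." / "..",
 * would make this write land outside {$g['tmp_path']}, so such names are
 * logged and not written. The '@' stays on the write because stdout
 * carries the OK/FAILED verdict on the query-string path and PHP's own
 * warning text must not end up in it; the failure is reported via syslog
 * instead.
 */
if (!empty($content)) {
	if (basename($username) !== $username || $username === "." || $username === "..") {
		syslog(LOG_WARNING, "not writing client config for user '{$username}': name is not a plain file name");
	} else {
		$ccd_file = "{$g['tmp_path']}/{$username}";
		if (@file_put_contents($ccd_file, $content) === false) {
			syslog(LOG_WARNING, "could not write client config file {$ccd_file} for user '{$username}'");
		}
	}
}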
/* Success: record it and report back in the caller's style. */
syslog(LOG_NOTICE, "user '{$username}' authenticated\n");
closelog();

if (isset($_GET)) {
	/* the query-string caller reads the verdict from stdout */
	echo "OK";
} else {
	/* the environment-style caller reads the exit status */
	return (0);
}
?>