(ipsec, xauth) cleanup ipsec.auth-user.php script before moving to pam.

The old script had a lot of unused code in it, either stuff that couldn't be configured from OPNsense or dead code. (cherry picked from commit 9ba2b2f6)

(ipsec, xauth) cleanup ipsec.auth-user.php script before moving to pam.
The old script had a lot of unused code in it, either stuff that couldn't be configured from OPNsense or dead code. (cherry picked from commit 9ba2b2f6)
2b5188cb · Ad Schellevis · Franco Fichtner · 6369d1b9 · 2b5188cb
Commit 2b5188cb authored Sep 12, 2016 by Ad Schellevis Committed by Franco Fichtner Sep 21, 2016
Hide whitespace changes
Inline Side-by-side

Showing with 7 additions and 227 deletions

ipsec.auth-user.php src/etc/inc/ipsec.auth-user.php +7 -227

No files found.
--- a/src/etc/inc/ipsec.auth-user.php
+++ b/src/etc/inc/ipsec.auth-user.php
@@ -39,217 +39,21 @@ require_once("auth.inc");
 require_once("interfaces.inc");
 require_once("util.inc");

-function cisco_to_cidr($addr)
-{
-    if (!is_ipaddr($addr)) {
-        return 0;
-    }
-
-    $mask = decbin(~ip2long($addr));
-    $mask = substr($mask, -32);
-    $k = 0;
-    for ($i = 0; $i <= 32; $i++) {
-        $k += intval($mask[$i]);
-    }
-    return $k;
-}
-
-function cisco_extract_index($prule)
-{
-    $index = explode("#", $prule);
-    if (is_numeric($index[1])) {
-        return intval($index[1]);
-    } else {
-        syslog(LOG_WARNING, "Error parsing rule {$prule}: Could not extract index");
-    }
-    return -1;;
-}
-
-function parse_cisco_acl($attribs)
-{
-    global $attributes;
-    if (!is_array($attribs)) {
-        return "";
-    }
-
-    $devname = "enc0";
-    $finalrules = "";
-    if (is_array($attribs['ciscoavpair'])) {
-        $inrules = array();
-        $outrules = array();
-        foreach ($attribs['ciscoavpair'] as $avrules) {
-            $rule = explode("=", $avrules);
-            $dir = "";
-            if (strstr($rule[0], "inacl")) {
-                $dir = "in";
-            } elseif (strstr($rule[0], "outacl")) {
-                $dir = "out";
-            } elseif (strstr($rule[0], "dns-servers")) {
-                $attributes['dns-servers'] = explode(" ", $rule[1]);
-                continue;
-            } else if (strstr($rule[0], "route")) {
-                if (!is_array($attributes['routes'])) {
-                    $attributes['routes'] = array();
-                }
-                $attributes['routes'][] = $rule[1];
-                continue;
-            }
-            $rindex = cisco_extract_index($rule[0]);
-            if ($rindex < 0) {
-                continue;
-            }
-
-            $rule = $rule[1];
-            $rule = explode(" ", $rule);
-            $tmprule = "";
-            $index = 0;
-            $isblock = false;
-            if ($rule[$index] == "permit") {
-                $tmprule = "pass {$dir} quick on {$devname} ";
-            } elseif ($rule[$index] == "deny") {
-                //continue;
-                $isblock = true;
-                $tmprule = "block {$dir} quick on {$devname} ";
-            } else {
-                continue;
-            }
-
-            $index++;
-
-            switch ($rule[$index]) {
-                case "tcp":
-                case "udp":
-                    $tmprule .= "proto {$rule[$index]} ";
-                    break;
-            }
-
-            $index++;
-            /* Source */
-            if (trim($rule[$index]) == "host") {
-                $index++;
-                $tmprule .= "from {$rule[$index]} ";
-                $index++;
-                if ($isblock == true) {
-                    $isblock = false;
-                }
-            } else if (trim($rule[$index]) == "any") {
-                $tmprule .= "from any";
-                $index++;
-            } else {
-                $tmprule .= "from {$rule[$index]}";
-                $index++;
-                $netmask = cisco_to_cidr($rule[$index]);
-                $tmprule .= "/{$netmask} ";
-                $index++;
-                if ($isblock == true) {
-                    $isblock = false;
-                }
-            }
-            /* Destination */
-            if (trim($rule[$index]) == "host") {
-                $index++;
-                $tmprule .= "to {$rule[$index]} ";
-                $index++;
-                if ($isblock == true) {
-                    $isblock = false;
-                }
-            } else if (trim($rule[$index]) == "any") {
-                $index++;
-                $tmprule .= "to any";
-            } else {
-                $tmprule .= "to {$rule[$index]}";
-                $index++;
-                $netmask = cisco_to_cidr($rule[$index]);
-                $tmprule .= "/{$netmask} ";
-                $index++;
-                if ($isblock == true) {
-                    $isblock = false;
-                }
-            }
-
-            if ($isblock == true) {
-                continue;
-            }
-
-            if ($dir == "in") {
-                $inrules[$rindex] = $tmprule;
-            } elseif ($dir == "out") {
-                $outrules[$rindex] = $tmprule;
-            }
-        }
-
-        $state = "";
-        if (!empty($outrules)) {
-            $state = "no state";
-        }
-        ksort($inrules, SORT_NUMERIC);
-        foreach ($inrules as $inrule) {
-            $finalrules .= "{$inrule} {$state}\n";
-        }
-        if (!empty($outrules)) {
-            ksort($outrules, SORT_NUMERIC);
-            foreach ($outrules as $outrule) {
-                $finalrules .= "{$outrule} {$state}\n";
-            }
-        }
-    }
-    return $finalrules;
-}
-
-
-/**
- * Get the NAS-Identifier
- *
- * We will use our local hostname to make up the nas_id
- */
-if (!function_exists("getNasID")) {
-    function getNasID()
-    {
-        global $g;
-        $nasId = gethostname();
-        if (empty($nasId)) {
-            $nasId = $g['product_name'];
-        }
-        return $nasId;
-    }
-}
-
 /* setup syslog logging */
 openlog("charon", LOG_ODELAY, LOG_AUTH);

 /* read data from environment */
 $username = getenv("username");
 $password = getenv("password");
-$common_name = getenv("common_name");
 $authmodes = explode(",", getenv("authcfg"));

 if (!$username || !$password) {
    syslog(LOG_ERR, "invalid user authentication environment");
-    if (isset($_GET['username'])) {
-        echo "FAILED";
-        closelog();
-        return;
-    } else {
-        closelog();
-        exit(-1);
-    }
+    closelog();
+    exit(-1);
 }

 $authenticated = false;
-
-if (($strictusercn === true) && ($common_name != $username)) {
-    syslog(LOG_WARNING, "Username does not match certificate common name ({$username} != {$common_name}), access denied.\n");
-    if (isset($_GET['username'])) {
-        echo "FAILED";
-        closelog();
-        return;
-    } else {
-        closelog();
-        exit(1);
-    }
-}
-
-$attributes = array();
 foreach ($authmodes as $authmode) {
    $authcfg = auth_get_authserver($authmode);
    if (!$authcfg && $authmode != "local") {
@@ -272,33 +76,9 @@ foreach ($authmodes as $authmode) {

 if ($authenticated == false) {
    syslog(LOG_WARNING, "user '{$username}' could not authenticate.\n");
-    if (isset($_GET['username'])) {
-        echo "FAILED";
-        closelog();
-        return;
-    } else {
-        closelog();
-        exit(-1);
-    }
-}
-
-if (empty($common_name)) {
-    $common_name = getenv("common_name");
-    if (empty($common_name)) {
-        $common_name = getenv("username");
-    }
+    exit(-1);
+} else {
+    syslog(LOG_NOTICE, "user '{$username}' authenticated\n");
+    closelog();
+    exit(0);
 }
-
-
-$rules = parse_cisco_acl($attributes);
-if (!empty($rules)) {
-    $pid = getmypid();
-    @file_put_contents("/tmp/ipsec_{$pid}{$common_name}.rules", $rules);
-    mwexec("/sbin/pfctl -a " . escapeshellarg("ipsec/{$common_name}") . " -f /tmp/ipsec_{$pid}" . escapeshellarg($common_name) . ".rules");
-    @unlink("/tmp/ipsec_{$pid}{$common_name}.rules");
-}
-
-syslog(LOG_NOTICE, "user '{$username}' authenticated\n");
-closelog();
-
-exit(0);