Commit 2b5188cb authored by Ad Schellevis's avatar Ad Schellevis Committed by Franco Fichtner

(ipsec, xauth) cleanup ipsec.auth-user.php script before moving to pam.

The old script had a lot of unused code in it, either stuff that couldn't be configured from OPNsense or dead code.

(cherry picked from commit 9ba2b2f6)
parent 6369d1b9
...@@ -39,217 +39,21 @@ require_once("auth.inc"); ...@@ -39,217 +39,21 @@ require_once("auth.inc");
require_once("interfaces.inc"); require_once("interfaces.inc");
require_once("util.inc"); require_once("util.inc");
function cisco_to_cidr($addr)
{
if (!is_ipaddr($addr)) {
return 0;
}
$mask = decbin(~ip2long($addr));
$mask = substr($mask, -32);
$k = 0;
for ($i = 0; $i <= 32; $i++) {
$k += intval($mask[$i]);
}
return $k;
}
function cisco_extract_index($prule)
{
$index = explode("#", $prule);
if (is_numeric($index[1])) {
return intval($index[1]);
} else {
syslog(LOG_WARNING, "Error parsing rule {$prule}: Could not extract index");
}
return -1;;
}
function parse_cisco_acl($attribs)
{
global $attributes;
if (!is_array($attribs)) {
return "";
}
$devname = "enc0";
$finalrules = "";
if (is_array($attribs['ciscoavpair'])) {
$inrules = array();
$outrules = array();
foreach ($attribs['ciscoavpair'] as $avrules) {
$rule = explode("=", $avrules);
$dir = "";
if (strstr($rule[0], "inacl")) {
$dir = "in";
} elseif (strstr($rule[0], "outacl")) {
$dir = "out";
} elseif (strstr($rule[0], "dns-servers")) {
$attributes['dns-servers'] = explode(" ", $rule[1]);
continue;
} else if (strstr($rule[0], "route")) {
if (!is_array($attributes['routes'])) {
$attributes['routes'] = array();
}
$attributes['routes'][] = $rule[1];
continue;
}
$rindex = cisco_extract_index($rule[0]);
if ($rindex < 0) {
continue;
}
$rule = $rule[1];
$rule = explode(" ", $rule);
$tmprule = "";
$index = 0;
$isblock = false;
if ($rule[$index] == "permit") {
$tmprule = "pass {$dir} quick on {$devname} ";
} elseif ($rule[$index] == "deny") {
//continue;
$isblock = true;
$tmprule = "block {$dir} quick on {$devname} ";
} else {
continue;
}
$index++;
switch ($rule[$index]) {
case "tcp":
case "udp":
$tmprule .= "proto {$rule[$index]} ";
break;
}
$index++;
/* Source */
if (trim($rule[$index]) == "host") {
$index++;
$tmprule .= "from {$rule[$index]} ";
$index++;
if ($isblock == true) {
$isblock = false;
}
} else if (trim($rule[$index]) == "any") {
$tmprule .= "from any";
$index++;
} else {
$tmprule .= "from {$rule[$index]}";
$index++;
$netmask = cisco_to_cidr($rule[$index]);
$tmprule .= "/{$netmask} ";
$index++;
if ($isblock == true) {
$isblock = false;
}
}
/* Destination */
if (trim($rule[$index]) == "host") {
$index++;
$tmprule .= "to {$rule[$index]} ";
$index++;
if ($isblock == true) {
$isblock = false;
}
} else if (trim($rule[$index]) == "any") {
$index++;
$tmprule .= "to any";
} else {
$tmprule .= "to {$rule[$index]}";
$index++;
$netmask = cisco_to_cidr($rule[$index]);
$tmprule .= "/{$netmask} ";
$index++;
if ($isblock == true) {
$isblock = false;
}
}
if ($isblock == true) {
continue;
}
if ($dir == "in") {
$inrules[$rindex] = $tmprule;
} elseif ($dir == "out") {
$outrules[$rindex] = $tmprule;
}
}
$state = "";
if (!empty($outrules)) {
$state = "no state";
}
ksort($inrules, SORT_NUMERIC);
foreach ($inrules as $inrule) {
$finalrules .= "{$inrule} {$state}\n";
}
if (!empty($outrules)) {
ksort($outrules, SORT_NUMERIC);
foreach ($outrules as $outrule) {
$finalrules .= "{$outrule} {$state}\n";
}
}
}
return $finalrules;
}
/**
* Get the NAS-Identifier
*
* We will use our local hostname to make up the nas_id
*/
if (!function_exists("getNasID")) {
function getNasID()
{
global $g;
$nasId = gethostname();
if (empty($nasId)) {
$nasId = $g['product_name'];
}
return $nasId;
}
}
/* setup syslog logging */ /* setup syslog logging */
openlog("charon", LOG_ODELAY, LOG_AUTH); openlog("charon", LOG_ODELAY, LOG_AUTH);
/* read data from environment */ /* read data from environment */
$username = getenv("username"); $username = getenv("username");
$password = getenv("password"); $password = getenv("password");
$common_name = getenv("common_name");
$authmodes = explode(",", getenv("authcfg")); $authmodes = explode(",", getenv("authcfg"));
if (!$username || !$password) { if (!$username || !$password) {
syslog(LOG_ERR, "invalid user authentication environment"); syslog(LOG_ERR, "invalid user authentication environment");
if (isset($_GET['username'])) { closelog();
echo "FAILED"; exit(-1);
closelog();
return;
} else {
closelog();
exit(-1);
}
} }
$authenticated = false; $authenticated = false;
if (($strictusercn === true) && ($common_name != $username)) {
syslog(LOG_WARNING, "Username does not match certificate common name ({$username} != {$common_name}), access denied.\n");
if (isset($_GET['username'])) {
echo "FAILED";
closelog();
return;
} else {
closelog();
exit(1);
}
}
$attributes = array();
foreach ($authmodes as $authmode) { foreach ($authmodes as $authmode) {
$authcfg = auth_get_authserver($authmode); $authcfg = auth_get_authserver($authmode);
if (!$authcfg && $authmode != "local") { if (!$authcfg && $authmode != "local") {
...@@ -272,33 +76,9 @@ foreach ($authmodes as $authmode) { ...@@ -272,33 +76,9 @@ foreach ($authmodes as $authmode) {
if ($authenticated == false) { if ($authenticated == false) {
syslog(LOG_WARNING, "user '{$username}' could not authenticate.\n"); syslog(LOG_WARNING, "user '{$username}' could not authenticate.\n");
if (isset($_GET['username'])) { exit(-1);
echo "FAILED"; } else {
closelog(); syslog(LOG_NOTICE, "user '{$username}' authenticated\n");
return; closelog();
} else { exit(0);
closelog();
exit(-1);
}
}
if (empty($common_name)) {
$common_name = getenv("common_name");
if (empty($common_name)) {
$common_name = getenv("username");
}
} }
$rules = parse_cisco_acl($attributes);
if (!empty($rules)) {
$pid = getmypid();
@file_put_contents("/tmp/ipsec_{$pid}{$common_name}.rules", $rules);
mwexec("/sbin/pfctl -a " . escapeshellarg("ipsec/{$common_name}") . " -f /tmp/ipsec_{$pid}" . escapeshellarg($common_name) . ".rules");
@unlink("/tmp/ipsec_{$pid}{$common_name}.rules");
}
syslog(LOG_NOTICE, "user '{$username}' authenticated\n");
closelog();
exit(0);
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment