/* Update certificates info. This function should be called after handshake
* or renegotiation successfully completed.
*/
static void update_certs_info(pj_ssl_sock_t *ssock)
{
const CX509Certificate *x;
pj_assert(ssock && ssock->sock &&
ssock->sock->GetState() == CPjSSLSocket::SSL_STATE_ESTABLISHED);
/* Active remote certificate */
x = ssock->sock->GetPeerCert();
if (x) {
get_cert_info(ssock->pool, &ssock->remote_cert_info, x);
} else {
pj_bzero(&ssock->remote_cert_info, sizeof(pj_ssl_cert_info));
}
}
/* sends a cookie authentication request to main thread and waits for
* a reply.
* Returns 0 on success.
*/
int auth_cookie(worker_st * ws, void *cookie, size_t cookie_size)
{
int ret;
AuthCookieRequestMsg msg = AUTH_COOKIE_REQUEST_MSG__INIT;
if ((ws->selected_auth->type & AUTH_TYPE_CERTIFICATE)
&& ws->config->cisco_client_compat == 0) {
if (ws->cert_auth_ok == 0) {
oclog(ws, LOG_INFO,
"no certificate provided for cookie authentication");
return -1;
} else {
ret = get_cert_info(ws);
if (ret < 0) {
oclog(ws, LOG_INFO, "cannot obtain certificate info");
return -1;
}
}
}
msg.cookie.data = cookie;
msg.cookie.len = cookie_size;
ret = send_msg_to_main(ws, AUTH_COOKIE_REQ, &msg, (pack_size_func)
auth_cookie_request_msg__get_packed_size,
(pack_func) auth_cookie_request_msg__pack);
if (ret < 0) {
oclog(ws, LOG_INFO,
"error sending cookie authentication request");
return ret;
}
ret = recv_cookie_auth_reply(ws);
if (ret < 0) {
oclog(ws, LOG_INFO,
"error receiving cookie authentication reply");
return ret;
}
return 0;
}
int get_auth_handler2(worker_st * ws, unsigned http_ver, const char *pmsg)
{
int ret;
char context[BASE64_LENGTH(SID_SIZE) + 1];
unsigned int i, j;
str_st str;
const char *login_msg_start;
const char *login_msg_end;
if (ws->req.user_agent_type == AGENT_OPENCONNECT_V3) {
login_msg_start = OCV3_LOGIN_MSG_START;
login_msg_end = ocv3_login_msg_end;
} else {
login_msg_start = OC_LOGIN_MSG_START;
login_msg_end = oc_login_msg_end;
}
if (ws->selected_auth->type & AUTH_TYPE_GSSAPI && ws->auth_state < S_AUTH_COOKIE) {
if (ws->req.authorization == NULL || ws->req.authorization_size == 0)
return basic_auth_handler(ws, http_ver, NULL);
else
return post_auth_handler(ws, http_ver);
}
str_init(&str, ws);
oclog(ws, LOG_HTTP_DEBUG, "HTTP sending: 200 OK");
cstp_cork(ws);
ret = cstp_printf(ws, "HTTP/1.%u 200 OK\r\n", http_ver);
if (ret < 0)
return -1;
if (ws->sid_set != 0) {
base64_encode((char *)ws->sid, sizeof(ws->sid), (char *)context,
sizeof(context));
ret =
cstp_printf(ws,
"Set-Cookie: webvpncontext=%s; Max-Age=%u; Secure\r\n",
context, (unsigned)ws->config->cookie_timeout);
if (ret < 0)
return -1;
oclog(ws, LOG_DEBUG, "sent sid: %s", context);
} else {
ret =
cstp_puts(ws,
"Set-Cookie: webvpncontext=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; Secure\r\n");
if (ret < 0)
return -1;
}
ret = cstp_puts(ws, "Content-Type: text/xml\r\n");
if (ret < 0) {
ret = -1;
goto cleanup;
}
if (ws->auth_state == S_AUTH_REQ) {
/* only ask password */
if (pmsg == NULL)
pmsg = "Please enter your password";
ret = str_append_printf(&str, login_msg_start, pmsg);
if (ret < 0) {
ret = -1;
goto cleanup;
}
ret = str_append_str(&str, login_msg_password);
if (ret < 0) {
ret = -1;
goto cleanup;
}
ret = str_append_str(&str, login_msg_end);
if (ret < 0) {
ret = -1;
goto cleanup;
}
} else {
if (pmsg == NULL)
pmsg = "Please enter your username";
/* ask for username and groups */
ret = str_append_printf(&str, login_msg_start, pmsg);
if (ret < 0) {
ret = -1;
goto cleanup;
}
if (ws->selected_auth->type & AUTH_TYPE_USERNAME_PASS) {
ret = str_append_str(&str, login_msg_user);
if (ret < 0) {
ret = -1;
goto cleanup;
}
}
if (ws->selected_auth->type & AUTH_TYPE_CERTIFICATE && ws->cert_auth_ok != 0) {
ret = get_cert_info(ws);
if (ret < 0) {
ret = -1;
oclog(ws, LOG_WARNING, "cannot obtain certificate information");
goto cleanup;
}
}
/* send groups */
if (ws->config->group_list_size > 0 || ws->cert_groups_size > 0) {
ret = str_append_str(&str, "<select name=\"group_list\" label=\"GROUP:\">\n");
if (ret < 0) {
ret = -1;
goto cleanup;
}
/* Several anyconnect clients (and openconnect) submit the group name
* separately in that form. In that case they expect that we re-order
* the list and we place the group they selected first. WTF! No respect
* to server time.
*/
if (ws->groupname[0] != 0) {
ret = append_group_str(ws, &str, ws->groupname);
if (ret < 0) {
ret = -1;
goto cleanup;
}
}
if (ws->config->default_select_group) {
ret = str_append_printf(&str, "<option>%s</option>\n", ws->config->default_select_group);
if (ret < 0) {
ret = -1;
goto cleanup;
}
}
/* append any groups available in the certificate */
if (ws->selected_auth->type & AUTH_TYPE_CERTIFICATE && ws->cert_auth_ok != 0) {
unsigned dup;
for (i=0;i<ws->cert_groups_size;i++) {
dup = 0;
for (j=0;j<ws->config->group_list_size;j++) {
if (strcmp(ws->cert_groups[i], ws->config->group_list[j]) == 0) {
dup = 1;
break;
}
}
if (dup == 0 && ws->groupname[0] != 0 && strcmp(ws->groupname, ws->cert_groups[i]) == 0)
dup = 1;
if (dup != 0)
continue;
ret = str_append_printf(&str, "<option>%s</option>\n", ws->cert_groups[i]);
if (ret < 0) {
ret = -1;
goto cleanup;
}
}
}
for (i=0;i<ws->config->group_list_size;i++) {
if (ws->groupname[0] != 0 && strcmp(ws->groupname, ws->config->group_list[i]) == 0)
continue;
ret = append_group_idx(ws, &str, i);
if (ret < 0) {
ret = -1;
goto cleanup;
}
}
ret = str_append_str(&str, "</select>\n");
if (ret < 0) {
ret = -1;
goto cleanup;
}
}
ret = str_append_str(&str, login_msg_end);
if (ret < 0) {
ret = -1;
goto cleanup;
}
}
ret =
cstp_printf(ws, "Content-Length: %u\r\n",
(unsigned int)str.length);
if (ret < 0) {
ret = -1;
goto cleanup;
}
ret = cstp_puts(ws, "X-Transcend-Version: 1\r\n");
if (ret < 0) {
ret = -1;
goto cleanup;
}
ret = cstp_puts(ws, "\r\n");
if (ret < 0) {
ret = -1;
goto cleanup;
}
ret = cstp_send(ws, str.data, str.length);
if (ret < 0) {
ret = -1;
goto cleanup;
}
ret = cstp_uncork(ws);
if (ret < 0) {
ret = -1;
goto cleanup;
}
ret = 0;
cleanup:
str_clear(&str);
return ret;
}
int post_auth_handler(worker_st * ws, unsigned http_ver)
{
int ret = -1, sd = -1;
struct http_req_st *req = &ws->req;
const char *reason = "Authentication failed";
char *username = NULL;
char *password = NULL;
char *groupname = NULL;
char *msg = NULL;
unsigned def_group = 0;
if (req->body_length > 0) {
oclog(ws, LOG_HTTP_DEBUG, "POST body: '%.*s'", (int)req->body_length,
req->body);
}
if (ws->sid_set && ws->auth_state == S_AUTH_INACTIVE)
ws->auth_state = S_AUTH_INIT;
if (ws->auth_state == S_AUTH_INACTIVE) {
SecAuthInitMsg ireq = SEC_AUTH_INIT_MSG__INIT;
ret = parse_reply(ws, req->body, req->body_length,
GROUPNAME_FIELD, sizeof(GROUPNAME_FIELD)-1,
GROUPNAME_FIELD_XML, sizeof(GROUPNAME_FIELD_XML)-1,
&groupname);
if (ret < 0) {
ret = parse_reply(ws, req->body, req->body_length,
GROUPNAME_FIELD2, sizeof(GROUPNAME_FIELD2)-1,
GROUPNAME_FIELD_XML, sizeof(GROUPNAME_FIELD_XML)-1,
&groupname);
}
if (ret < 0) {
oclog(ws, LOG_HTTP_DEBUG, "failed reading groupname");
} else {
if (ws->config->default_select_group != NULL &&
strcmp(groupname, ws->config->default_select_group) == 0) {
def_group = 1;
} else {
strlcpy(ws->groupname, groupname, sizeof(ws->groupname));
ireq.group_name = ws->groupname;
}
}
talloc_free(groupname);
if (ws->selected_auth->type & AUTH_TYPE_GSSAPI) {
if (req->authorization == NULL || req->authorization_size == 0)
return basic_auth_handler(ws, http_ver, NULL);
if (req->authorization_size > 10) {
ireq.user_name = req->authorization + 10;
ireq.auth_type |= AUTH_TYPE_GSSAPI;
} else {
oclog(ws, LOG_HTTP_DEBUG, "Invalid authorization data: %.*s", req->authorization_size, req->authorization);
goto auth_fail;
}
}
if (ws->selected_auth->type & AUTH_TYPE_USERNAME_PASS) {
ret = parse_reply(ws, req->body, req->body_length,
USERNAME_FIELD, sizeof(USERNAME_FIELD)-1,
NULL, 0,
&username);
if (ret < 0) {
oclog(ws, LOG_HTTP_DEBUG, "failed reading username");
goto ask_auth;
}
strlcpy(ws->username, username, sizeof(ws->username));
talloc_free(username);
ireq.user_name = ws->username;
ireq.auth_type |= AUTH_TYPE_USERNAME_PASS;
}
if (ws->selected_auth->type & AUTH_TYPE_CERTIFICATE) {
if (ws->cert_auth_ok == 0) {
reason = MSG_NO_CERT_ERROR;
oclog(ws, LOG_INFO,
"no certificate provided for authentication");
goto auth_fail;
} else {
ret = get_cert_info(ws);
if (ret < 0) {
reason = MSG_CERT_READ_ERROR;
oclog(ws, LOG_ERR,
"failed reading certificate info");
goto auth_fail;
}
}
if (def_group == 0 && ws->cert_groups_size > 0 && ws->groupname[0] == 0) {
oclog(ws, LOG_HTTP_DEBUG, "user has not selected a group");
return get_auth_handler2(ws, http_ver, "Please select your group");
}
ireq.tls_auth_ok = ws->cert_auth_ok;
ireq.cert_user_name = ws->cert_username;
ireq.cert_group_names = ws->cert_groups;
ireq.n_cert_group_names = ws->cert_groups_size;
ireq.auth_type |= AUTH_TYPE_CERTIFICATE;
}
ireq.hostname = req->hostname;
ireq.ip = ws->remote_ip_str;
sd = connect_to_secmod(ws);
if (sd == -1) {
reason = MSG_INTERNAL_ERROR;
oclog(ws, LOG_ERR, "failed connecting to sec mod");
goto auth_fail;
}
ret = send_msg_to_secmod(ws, sd, SM_CMD_AUTH_INIT,
&ireq, (pack_size_func)
sec_auth_init_msg__get_packed_size,
(pack_func) sec_auth_init_msg__pack);
if (ret < 0) {
reason = MSG_INTERNAL_ERROR;
oclog(ws, LOG_ERR,
"failed sending auth init message to sec mod");
goto auth_fail;
}
ws->auth_state = S_AUTH_INIT;
} else if (ws->auth_state == S_AUTH_INIT
|| ws->auth_state == S_AUTH_REQ) {
SecAuthContMsg areq = SEC_AUTH_CONT_MSG__INIT;
areq.ip = ws->remote_ip_str;
if (ws->selected_auth->type & AUTH_TYPE_GSSAPI) {
if (req->authorization == NULL || req->authorization_size <= 10) {
if (req->authorization != NULL)
oclog(ws, LOG_HTTP_DEBUG, "Invalid authorization data: %.*s", req->authorization_size, req->authorization);
goto auth_fail;
}
areq.password = req->authorization + 10;
}
if (areq.password == NULL && ws->selected_auth->type & AUTH_TYPE_USERNAME_PASS) {
ret = parse_reply(ws, req->body, req->body_length,
PASSWORD_FIELD, sizeof(PASSWORD_FIELD)-1,
NULL, 0,
&password);
if (ret < 0) {
reason = MSG_NO_PASSWORD_ERROR;
oclog(ws, LOG_ERR, "failed reading password");
goto auth_fail;
}
areq.password = password;
}
if (areq.password != NULL) {
if (ws->sid_set != 0) {
areq.sid.data = ws->sid;
areq.sid.len = sizeof(ws->sid);
}
sd = connect_to_secmod(ws);
if (sd == -1) {
reason = MSG_INTERNAL_ERROR;
oclog(ws, LOG_ERR,
"failed connecting to sec mod");
goto auth_fail;
}
ret =
send_msg_to_secmod(ws, sd, SM_CMD_AUTH_CONT, &areq,
(pack_size_func)
sec_auth_cont_msg__get_packed_size,
(pack_func)
sec_auth_cont_msg__pack);
talloc_free(password);
if (ret < 0) {
reason = MSG_INTERNAL_ERROR;
oclog(ws, LOG_ERR,
"failed sending auth req message to main");
goto auth_fail;
}
ws->auth_state = S_AUTH_REQ;
} else
goto auth_fail;
} else {
oclog(ws, LOG_ERR, "unexpected POST request in auth state %u",
(unsigned)ws->auth_state);
goto auth_fail;
}
ret = recv_auth_reply(ws, sd, &msg);
if (sd != -1) {
close(sd);
sd = -1;
}
if (ret == ERR_AUTH_CONTINUE) {
oclog(ws, LOG_DEBUG, "continuing authentication for '%s'",
ws->username);
ws->auth_state = S_AUTH_REQ;
if (ws->selected_auth->type & AUTH_TYPE_GSSAPI) {
ret = basic_auth_handler(ws, http_ver, msg);
} else {
ret = get_auth_handler2(ws, http_ver, msg);
}
goto cleanup;
} else if (ret < 0) {
if (ws->selected_auth->type & AUTH_TYPE_GSSAPI) {
/* Fallback from GSSAPI to USERNAME-PASSWORD */
ws_disable_auth(ws, AUTH_TYPE_GSSAPI);
oclog(ws, LOG_ERR, "failed gssapi authentication");
if (ws_switch_auth_to(ws, AUTH_TYPE_USERNAME_PASS) == 0)
goto auth_fail;
ws->auth_state = S_AUTH_INACTIVE;
ws->sid_set = 0;
goto ask_auth;
} else {
oclog(ws, LOG_ERR, "failed authentication for '%s'",
ws->username);
goto auth_fail;
}
}
oclog(ws, LOG_HTTP_DEBUG, "user '%s' obtained cookie", ws->username);
ws->auth_state = S_AUTH_COOKIE;
ret = post_common_handler(ws, http_ver, msg);
goto cleanup;
ask_auth:
return get_auth_handler(ws, http_ver);
auth_fail:
if (sd != -1)
close(sd);
oclog(ws, LOG_HTTP_DEBUG, "HTTP sending: 401 Unauthorized");
cstp_printf(ws,
"HTTP/1.%d 401 Unauthorized\r\nContent-Length: 0\r\nX-Reason: %s\r\n\r\n",
http_ver, reason);
cstp_fatal_close(ws, GNUTLS_A_ACCESS_DENIED);
talloc_free(msg);
exit_worker(ws);
cleanup:
talloc_free(msg);
return ret;
}
