openvpn/openvpn-auth_mysql/auth-mysql.c

/*
 *  Copyright (C) 2006 Torben H. Nielsen<torben@t-hoerup.dk>
 *
 *  This program is free software; you can redistribute it and/or modify
 *  it under the terms of the GNU General Public License version 2
 *  as published by the Free Software Foundation.
 *
 *  This program is distributed in the hope that it will be useful,
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *  GNU General Public License for more details.
 *
 *  You should have received a copy of the GNU General Public License
 *  along with this program (see the file COPYING included with this
 *  distribution); if not, write to the Free Software Foundation, Inc.,
 *  59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
 */


#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <mysql.h>
#include <time.h>

#include "openvpn-plugin.h"

#define ERR_ADMINLOCK 1
#define ERR_EXPIRED 2
#define ERR_ZEROPASS 3
#define ERR_WRONGPASS 4
#define ERR_NOSUCHUSER 5
#define ERR_AUTOLOCKED 6


/*
 * Our context, where we keep our state.
 */
struct plugin_context {
  char *host;
  char *username;
  char *password;
  char *db;
  char *table;
  char *log;
  int port;
};

/*
 * Given an environmental variable name, search
 * the envp array for its value, returning it
 * if found or NULL otherwise.
 */
static const char *
get_arg (const char *name, const char *envp[])
{
  if (envp)
    {
      int i;
      const int namelen = strlen (name);
      for (i = 0; envp[i]; ++i)
        {
          if (!strncmp (envp[i], name, namelen))
            {
              const char *cp = envp[i] + namelen;
              if (*cp == '=')
                return cp + 1;
            }
        }
    }
  return NULL;
}

OPENVPN_EXPORT openvpn_plugin_handle_t
openvpn_plugin_open_v1 (unsigned int *type_mask, const char *argv[], const char *envp[])
{
  struct plugin_context *context;
  const char *tmp;
  
  /*
   * Allocate our context
   */
  context = (struct plugin_context *) calloc (1, sizeof (struct plugin_context));

  /*
   * Set the sql connection info
   */
 
  tmp = get_arg("host", argv);
  if (tmp == NULL)
    context->host = "localhost";
  else {
    context->host = malloc(strlen(tmp)+1);
    strcpy(context->host, tmp);
  }
  
  tmp = get_arg("username", argv);
  if (tmp == NULL)
    context->username = "vpnauth";
  else {
    context->username = malloc(strlen(tmp)+1);
    strcpy(context->username, tmp);
  }

  tmp = get_arg("password", argv);
  if (tmp == NULL)
    context->password = "vpnauth";
  else {
    context->password = malloc(strlen(tmp)+1);
    strcpy(context->password, tmp);
  } 

  tmp = get_arg("db", argv);
  if (tmp == NULL)
    context->db = "vpnauth";
  else {
    context->db = malloc(strlen(tmp)+1);
    strcpy(context->db, tmp);
  }
  
  tmp = get_arg("table", argv);
  if (tmp == NULL)
    context->table = "vpnauth";
  else {
    context->table = malloc(strlen(tmp)+1);
    strcpy(context->table, tmp);
  }

  tmp = get_arg("log", argv);
  if (tmp == NULL)
    context->log = "";
  else {
    context->log = malloc(strlen(tmp)+1);
    strcpy(context->log, tmp);
  }

  tmp = get_arg("port", argv);
  if (tmp != NULL)
    context->port = atol(tmp);
  else
    context->port = 3306;

  /* stdout is redirected to openvpn's logfile - so normal printf is ok */
  printf("auth-mysql: connect to %s:%i/%s.%s as %s\n", context->host, context->port, context->db, context->table, context->username);
  

  /*
   * We are only interested in intercepting the
   * --auth-user-pass-verify callback.
   */
  *type_mask = OPENVPN_PLUGIN_MASK (OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY);

  
  return (openvpn_plugin_handle_t) context;
}

OPENVPN_EXPORT int
openvpn_plugin_func_v1 (openvpn_plugin_handle_t handle, const int type, const char *argv[], const char *envp[])
{
  MYSQL *authdb=0;
  MYSQL_RES *res=0;
  MYSQL_ROW row=0;
  int fail = 0;  
  char *sql;
  char *escaped_user;
  char *escaped_pass;
  int failcount=0;
  int locked;
  long expire;
  struct plugin_context *context;

  context = (struct plugin_context *) handle;
  
  /* get username/password from envp string array */
  const char *username = get_arg ("username", envp);
  const char *password = get_arg ("password", envp);

  printf("auth-mysql: authenticating %s\n", username);
  
  authdb = mysql_init( authdb );
  if (! mysql_real_connect(authdb, context->host, context->username, context->password, context->db, context->port, NULL,0)) {
    printf("auth-mysql: ERROR, could not connect to database: %s\n", mysql_error(authdb) );
    return OPENVPN_PLUGIN_FUNC_ERROR;
  } 
  
  escaped_user = malloc( (strlen(username)*2)+1);
  if (escaped_user == 0) { /* could not allocate memory */
    return OPENVPN_PLUGIN_FUNC_ERROR;
  }

  escaped_pass = malloc( (strlen(password)*2)+1);
  if (escaped_pass == 0) { /* could not allocate memory */
    return OPENVPN_PLUGIN_FUNC_ERROR;
    free (escaped_user);
  }
 
  mysql_real_escape_string ( authdb, escaped_user, username, strlen(username) );
  mysql_real_escape_string ( authdb, escaped_pass, password, strlen(password) );


  sql = malloc( strlen(escaped_user) + strlen(context->table) + strlen(escaped_user)+ 120 );
  if (sql == 0) { /* could not allocate memory */
    free (escaped_user); 
    free (escaped_pass);
    return OPENVPN_PLUGIN_FUNC_ERROR;
  }

  sprintf(sql, "SELECT id,user,pass=md5('%s') as passcheck,locked, UNIX_TIMESTAMP(expires),failcount FROM %s WHERE user='%s'", escaped_pass, context->table, escaped_user);
  printf("auth-mysql: sql=%s\n", sql);

  if ( mysql_query( authdb, sql)) { /*mysql error */
    printf("auth-mysql: error: %s\n", mysql_error(authdb));
    mysql_close (authdb);         
    free(escaped_user);
    free(escaped_pass);
    free(sql);
    return OPENVPN_PLUGIN_FUNC_ERROR;
  } 
  
  res = mysql_store_result( authdb );
  if (res == 0) { /* could not allocate res */
    mysql_close( authdb);
    free(escaped_user);
    free(escaped_pass);
    return OPENVPN_PLUGIN_FUNC_ERROR;
  }


  if (strlen(password) == 0) {
    printf("auth-mysql: zero length password (%s)\n", username);
    fail = ERR_ZEROPASS;
  }
  
  if ( fail==0 && mysql_num_rows(res) == 0) {
    printf("auth-mysql: user does not exist (%s)\n", username);
    fail = ERR_NOSUCHUSER;
  }

  if (fail==0)
    row = mysql_fetch_row(res); 
  
  if (fail==0) {
    if (  atol(row[2])==0  ) {
      fail = ERR_WRONGPASS;
      printf("auth-mysql: user provided wrong password (%s)\n", username);
    }
  }

  if (fail==0) {
    locked = atol( row[3] );
    if (locked != 0) {
      fail = ERR_ADMINLOCK;
      printf("auth-mysql: account is locked (%s)\n", username);
    }
  }

  if (fail==0) {
    expire = atol( row[4] );
    if (expire != 0) {
      if ( (expire-time(0))<0) {
        fail = ERR_EXPIRED;
        printf("auth-mysql: account has expired (%s)\n", username);
      }  
    }
  }
  
  if (fail==0) {
    failcount = atol( row[5] );
    if (failcount >= 3 && fail==0) {
      fail = ERR_AUTOLOCKED;
      printf("auth-mysql: account failcount was larger than or equal 3 (%s)\n", username);
    }
  }

  
  /* if user/pass is ok - reset failcount, and set lastlogin to now() */
  if ( fail == 0 ) {
    sprintf(sql, "UPDATE %s SET failcount=0,lastlogin=now() WHERE user='%s'", context->table, escaped_user);
    mysql_query( authdb, sql);
  }

  /* if user entered wrong password, increment failcount */
  if ( fail == ERR_WRONGPASS ) {
    failcount++;
    sprintf(sql, "UPDATE %s SET failcount=%i WHERE user='%s'", context->table, failcount, escaped_user);
    mysql_query( authdb, sql);
  }

  if ( strlen(context->log)>0) { /* enable log table */
    sprintf(sql, "INSERT INTO %s (username,time,msgid) VALUES ('%s',now(), %d)", context->log, escaped_user, fail);
    mysql_query( authdb, sql);
  }
  
  free(sql);
  free(escaped_user);
  free(escaped_pass);
  mysql_free_result(res);
  mysql_close( authdb );
  
  return (fail == 0) ? OPENVPN_PLUGIN_FUNC_SUCCESS : OPENVPN_PLUGIN_FUNC_ERROR;
}

OPENVPN_EXPORT void
openvpn_plugin_close_v1 (openvpn_plugin_handle_t handle)
{
  struct plugin_context *context = (struct plugin_context *) handle;
  free (context);
}
1	torben	113	/*
2			* Copyright (C) 2006 Torben H. Nielsen<torben@t-hoerup.dk>
3			*
4			* This program is free software; you can redistribute it and/or modify
5			* it under the terms of the GNU General Public License version 2
6			* as published by the Free Software Foundation.
7			*
8			* This program is distributed in the hope that it will be useful,
9			* but WITHOUT ANY WARRANTY; without even the implied warranty of
10			* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11			* GNU General Public License for more details.
12			*
13			* You should have received a copy of the GNU General Public License
14			* along with this program (see the file COPYING included with this
15			* distribution); if not, write to the Free Software Foundation, Inc.,
16			* 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
17			*/
18
19
20			#include <stdio.h>
21			#include <string.h>
22			#include <stdlib.h>
23			#include <mysql.h>
24			#include <time.h>
25
26			#include "openvpn-plugin.h"
27
28			#define ERR_ADMINLOCK 1
29			#define ERR_EXPIRED 2
30			#define ERR_ZEROPASS 3
31			#define ERR_WRONGPASS 4
32			#define ERR_NOSUCHUSER 5
33			#define ERR_AUTOLOCKED 6
34
35
36			/*
37			* Our context, where we keep our state.
38			*/
39			struct plugin_context {
40			char *host;
41			char *username;
42			char *password;
43			char *db;
44			char *table;
45			char *log;
46			int port;
47			};
48
49			/*
50			* Given an environmental variable name, search
51			* the envp array for its value, returning it
52			* if found or NULL otherwise.
53			*/
54			static const char *
55			get_arg (const char name, const char envp[])
56			{
57			if (envp)
58			{
59			int i;
60			const int namelen = strlen (name);
61			for (i = 0; envp[i]; ++i)
62			{
63			if (!strncmp (envp[i], name, namelen))
64			{
65			const char *cp = envp[i] + namelen;
66			if (*cp == '=')
67			return cp + 1;
68			}
69			}
70			}
71			return NULL;
72			}
73
74			OPENVPN_EXPORT openvpn_plugin_handle_t
75			openvpn_plugin_open_v1 (unsigned int type_mask, const char argv[], const char *envp[])
76			{
77			struct plugin_context *context;
78			const char *tmp;
79
80			/*
81			* Allocate our context
82			*/
83			context = (struct plugin_context *) calloc (1, sizeof (struct plugin_context));
84
85			/*
86			* Set the sql connection info
87			*/
88
89			tmp = get_arg("host", argv);
90			if (tmp == NULL)
91			context->host = "localhost";
92			else {
93			context->host = malloc(strlen(tmp)+1);
94			strcpy(context->host, tmp);
95			}
96
97			tmp = get_arg("username", argv);
98			if (tmp == NULL)
99			context->username = "vpnauth";
100			else {
101			context->username = malloc(strlen(tmp)+1);
102			strcpy(context->username, tmp);
103			}
104
105			tmp = get_arg("password", argv);
106			if (tmp == NULL)
107			context->password = "vpnauth";
108			else {
109			context->password = malloc(strlen(tmp)+1);
110			strcpy(context->password, tmp);
111			}
112
113			tmp = get_arg("db", argv);
114			if (tmp == NULL)
115			context->db = "vpnauth";
116			else {
117			context->db = malloc(strlen(tmp)+1);
118			strcpy(context->db, tmp);
119			}
120
121			tmp = get_arg("table", argv);
122			if (tmp == NULL)
123			context->table = "vpnauth";
124			else {
125			context->table = malloc(strlen(tmp)+1);
126			strcpy(context->table, tmp);
127			}
128
129			tmp = get_arg("log", argv);
130			if (tmp == NULL)
131			context->log = "";
132			else {
133			context->log = malloc(strlen(tmp)+1);
134			strcpy(context->log, tmp);
135			}
136
137			tmp = get_arg("port", argv);
138			if (tmp != NULL)
139			context->port = atol(tmp);
140			else
141			context->port = 3306;
142
143			/* stdout is redirected to openvpn's logfile - so normal printf is ok */
144			printf("auth-mysql: connect to %s:%i/%s.%s as %s\n", context->host, context->port, context->db, context->table, context->username);
145
146
147			/*
148			* We are only interested in intercepting the
149			* --auth-user-pass-verify callback.
150			*/
151			*type_mask = OPENVPN_PLUGIN_MASK (OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY);
152
153
154			return (openvpn_plugin_handle_t) context;
155			}
156
157			OPENVPN_EXPORT int
158			openvpn_plugin_func_v1 (openvpn_plugin_handle_t handle, const int type, const char argv[], const char envp[])
159			{
160			MYSQL *authdb=0;
161			MYSQL_RES *res=0;
162			MYSQL_ROW row=0;
163			int fail = 0;
164			char *sql;
165			char *escaped_user;
166			char *escaped_pass;
167			int failcount=0;
168			int locked;
169			long expire;
170			struct plugin_context *context;
171
172			context = (struct plugin_context *) handle;
173
174			/* get username/password from envp string array */
175			const char *username = get_arg ("username", envp);
176			const char *password = get_arg ("password", envp);
177
178			printf("auth-mysql: authenticating %s\n", username);
179
180			authdb = mysql_init( authdb );
181			if (! mysql_real_connect(authdb, context->host, context->username, context->password, context->db, context->port, NULL,0)) {
182			printf("auth-mysql: ERROR, could not connect to database: %s\n", mysql_error(authdb) );
183			return OPENVPN_PLUGIN_FUNC_ERROR;
184			}
185
186			escaped_user = malloc( (strlen(username)*2)+1);
187			if (escaped_user == 0) { /* could not allocate memory */
188			return OPENVPN_PLUGIN_FUNC_ERROR;
189			}
190
191			escaped_pass = malloc( (strlen(password)*2)+1);
192			if (escaped_pass == 0) { /* could not allocate memory */
193			return OPENVPN_PLUGIN_FUNC_ERROR;
194			free (escaped_user);
195			}
196
197			mysql_real_escape_string ( authdb, escaped_user, username, strlen(username) );
198			mysql_real_escape_string ( authdb, escaped_pass, password, strlen(password) );
199
200
201			sql = malloc( strlen(escaped_user) + strlen(context->table) + strlen(escaped_user)+ 120 );
202			if (sql == 0) { /* could not allocate memory */
203			free (escaped_user);
204			free (escaped_pass);
205			return OPENVPN_PLUGIN_FUNC_ERROR;
206			}
207
208			sprintf(sql, "SELECT id,user,pass=md5('%s') as passcheck,locked, UNIX_TIMESTAMP(expires),failcount FROM %s WHERE user='%s'", escaped_pass, context->table, escaped_user);
209			printf("auth-mysql: sql=%s\n", sql);
210
211			if ( mysql_query( authdb, sql)) { /mysql error /
212			printf("auth-mysql: error: %s\n", mysql_error(authdb));
213			mysql_close (authdb);
214			free(escaped_user);
215			free(escaped_pass);
216			free(sql);
217			return OPENVPN_PLUGIN_FUNC_ERROR;
218			}
219
220			res = mysql_store_result( authdb );
221			if (res == 0) { /* could not allocate res */
222			mysql_close( authdb);
223			free(escaped_user);
224			free(escaped_pass);
225			return OPENVPN_PLUGIN_FUNC_ERROR;
226			}
227
228
229			if (strlen(password) == 0) {
230			printf("auth-mysql: zero length password (%s)\n", username);
231			fail = ERR_ZEROPASS;
232			}
233
234			if ( fail==0 && mysql_num_rows(res) == 0) {
235			printf("auth-mysql: user does not exist (%s)\n", username);
236			fail = ERR_NOSUCHUSER;
237			}
238
239			if (fail==0)
240			row = mysql_fetch_row(res);
241
242			if (fail==0) {
243			if ( atol(row[2])==0 ) {
244			fail = ERR_WRONGPASS;
245			printf("auth-mysql: user provided wrong password (%s)\n", username);
246			}
247			}
248
249			if (fail==0) {
250			locked = atol( row[3] );
251			if (locked != 0) {
252			fail = ERR_ADMINLOCK;
253			printf("auth-mysql: account is locked (%s)\n", username);
254			}
255			}
256
257			if (fail==0) {
258			expire = atol( row[4] );
259			if (expire != 0) {
260			if ( (expire-time(0))<0) {
261			fail = ERR_EXPIRED;
262			printf("auth-mysql: account has expired (%s)\n", username);
263			}
264			}
265			}
266
267			if (fail==0) {
268			failcount = atol( row[5] );
269			if (failcount >= 3 && fail==0) {
270			fail = ERR_AUTOLOCKED;
271			printf("auth-mysql: account failcount was larger than or equal 3 (%s)\n", username);
272			}
273			}
274
275
276			/* if user/pass is ok - reset failcount, and set lastlogin to now() */
277			if ( fail == 0 ) {
278			sprintf(sql, "UPDATE %s SET failcount=0,lastlogin=now() WHERE user='%s'", context->table, escaped_user);
279			mysql_query( authdb, sql);
280			}
281
282			/* if user entered wrong password, increment failcount */
283			if ( fail == ERR_WRONGPASS ) {
284			failcount++;
285			sprintf(sql, "UPDATE %s SET failcount=%i WHERE user='%s'", context->table, failcount, escaped_user);
286			mysql_query( authdb, sql);
287			}
288
289			if ( strlen(context->log)>0) { /* enable log table */
290			sprintf(sql, "INSERT INTO %s (username,time,msgid) VALUES ('%s',now(), %d)", context->log, escaped_user, fail);
291			mysql_query( authdb, sql);
292			}
293
294			free(sql);
295			free(escaped_user);
296			free(escaped_pass);
297			mysql_free_result(res);
298			mysql_close( authdb );
299
300			return (fail == 0) ? OPENVPN_PLUGIN_FUNC_SUCCESS : OPENVPN_PLUGIN_FUNC_ERROR;
301			}
302
303			OPENVPN_EXPORT void
304			openvpn_plugin_close_v1 (openvpn_plugin_handle_t handle)
305			{
306			struct plugin_context context = (struct plugin_context ) handle;
307			free (context);
308			}