Module Name: src Committed By: bouyer Date: Wed Nov 25 18:11:00 UTC 2020
Modified Files: src/crypto/dist/ipsec-tools/src/racoon: cfparse.y cftoken.l isakmp_xauth.c isakmp_xauth.h racoon.conf.5 Log Message: Add ldap parameters debug and timeout. Fix bug when using URI (use correct len for malloc) document ldap parameters uri, debug and timeout. To generate a diff of this commit: cvs rdiff -u -r1.52 -r1.53 src/crypto/dist/ipsec-tools/src/racoon/cfparse.y cvs rdiff -u -r1.28 -r1.29 src/crypto/dist/ipsec-tools/src/racoon/cftoken.l cvs rdiff -u -r1.32 -r1.33 \ src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c cvs rdiff -u -r1.9 -r1.10 \ src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.h cvs rdiff -u -r1.68 -r1.69 \ src/crypto/dist/ipsec-tools/src/racoon/racoon.conf.5 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files:
Index: src/crypto/dist/ipsec-tools/src/racoon/cfparse.y
diff -u src/crypto/dist/ipsec-tools/src/racoon/cfparse.y:1.52 src/crypto/dist/ipsec-tools/src/racoon/cfparse.y:1.53
--- src/crypto/dist/ipsec-tools/src/racoon/cfparse.y:1.52 Wed Nov 25 16:42:53 2020
+++ src/crypto/dist/ipsec-tools/src/racoon/cfparse.y Wed Nov 25 18:11:00 2020
@@ -1,4 +1,4 @@
-/* $NetBSD: cfparse.y,v 1.52 2020/11/25 16:42:53 bouyer Exp $ */
+/* $NetBSD: cfparse.y,v 1.53 2020/11/25 18:11:00 bouyer Exp $ */
 /* Id: cfparse.y,v 1.66 2006/08/22 18:17:17 manubsd Exp */
@@ -296,7 +296,7 @@ static const char error_message_dpd_not_
 /* listen */
 %token LISTEN X_ISAKMP X_ISAKMP_NATT X_ADMIN STRICT_ADDRESS ADMINSOCK DISABLED
 /* ldap config */
-%token LDAPCFG LDAP_URI LDAP_HOST LDAP_PORT LDAP_TLS LDAP_PVER LDAP_BASE LDAP_BIND_DN LDAP_BIND_PW LDAP_SUBTREE
+%token LDAPCFG LDAP_URI LDAP_HOST LDAP_PORT LDAP_TLS LDAP_PVER LDAP_DEBUG LDAP_TIMEOUT LDAP_BASE LDAP_BIND_DN LDAP_BIND_PW LDAP_SUBTREE
 %token LDAP_ATTR_USER LDAP_ATTR_ADDR LDAP_ATTR_MASK LDAP_ATTR_GROUP LDAP_ATTR_MEMBER
 /* radius config */
 %token RADCFG RAD_AUTH RAD_ACCT RAD_TIMEOUT RAD_RETRIES
@@ -773,6 +773,24 @@ ldapcfg_stmt
 #endif
 }
 EOS
+ | LDAP_DEBUG NUMBER
+ {
+#ifdef ENABLE_HYBRID
+#ifdef HAVE_LIBLDAP
+ xauth_ldap_config.debug = $2;
+#endif
+#endif
+ }
+ EOS
+ | LDAP_TIMEOUT NUMBER
+ {
+#ifdef ENABLE_HYBRID
+#ifdef HAVE_LIBLDAP
+ xauth_ldap_config.timeout = $2;
+#endif
+#endif
+ }
+ EOS
 | LDAP_URI QUOTEDSTRING
 {
 #ifdef ENABLE_HYBRID
Index: src/crypto/dist/ipsec-tools/src/racoon/cftoken.l
diff -u src/crypto/dist/ipsec-tools/src/racoon/cftoken.l:1.28 src/crypto/dist/ipsec-tools/src/racoon/cftoken.l:1.29
--- src/crypto/dist/ipsec-tools/src/racoon/cftoken.l:1.28 Wed Nov 25 16:42:53 2020
+++ src/crypto/dist/ipsec-tools/src/racoon/cftoken.l Wed Nov 25 18:11:00 2020
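Review bot: The new `LDAP_TIMEOUT NUMBER` and `LDAP_DEBUG NUMBER` actions store `$2` unchecked, so a negative timeout is accepted and, because xauth_login_ldap only applies the option when `timeout > 0`, it silently behaves as "no timeout" instead of being reported as a configuration error. If the other numeric rules in this grammar reject bad values through yyerror, the timeout action should do the same before the assignment, inside the same `#ifdef` pair: `if ($2 < 0) { yyerror("ldap timeout must not be negative"); return -1; }`. The `debug` value is not interpreted here at all, so a one-line comment `/* passed verbatim to LDAP_OPT_DEBUG_LEVEL in isakmp_xauth.c */` would save the next reader a search.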
@@ -1,4 +1,4 @@
-/* $NetBSD: cftoken.l,v 1.28 2020/11/25 16:42:53 bouyer Exp $ */
+/* $NetBSD: cftoken.l,v 1.29 2020/11/25 18:11:00 bouyer Exp $ */
 /* Id: cftoken.l,v 1.53 2006/08/22 18:17:17 manubsd Exp */
@@ -224,6 +224,8 @@ hexstring 0x{hexdigit}+
 <S_INI>ldapcfg { BEGIN S_LDAP; YYDB; return(LDAPCFG); }
 <S_LDAP>{bcl} { return(BOC); }
 <S_LDAP>version { YYD; return(LDAP_PVER); }
+<S_LDAP>debug { YYD; return(LDAP_DEBUG); }
+<S_LDAP>timeout { YYD; return(LDAP_TIMEOUT); }
 <S_LDAP>uri { YYD; return(LDAP_URI); }
 <S_LDAP>host { YYD; return(LDAP_HOST); }
 <S_LDAP>port { YYD; return(LDAP_PORT); }
Index: src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c:1.32 src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c:1.33
--- src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c:1.32 Wed Nov 25 16:42:53 2020
+++ src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c Wed Nov 25 18:11:00 2020
@@ -1,4 +1,4 @@
-/* $NetBSD: isakmp_xauth.c,v 1.32 2020/11/25 16:42:53 bouyer Exp $ */
+/* $NetBSD: isakmp_xauth.c,v 1.33 2020/11/25 18:11:00 bouyer Exp $ */
 /* Id: isakmp_xauth.c,v 1.38 2006/08/22 18:17:17 manubsd Exp */
@@ -803,6 +803,8 @@ xauth_ldap_init_conf(void)
 int error = -1;
 xauth_ldap_config.pver = 3;
+ xauth_ldap_config.debug = 0;
+ xauth_ldap_config.timeout = -1;
 xauth_ldap_config.uri = NULL;
 xauth_ldap_config.host = NULL;
 xauth_ldap_config.port = LDAP_PORT;
@@ -896,7 +898,7 @@ xauth_login_ldap(iph1, usr, pwd)
 atlist[2] = NULL;
 if (xauth_ldap_config.uri != NULL) {
- tmplen = strlen(xauth_ldap_config.host->v);
+ tmplen = strlen(xauth_ldap_config.uri->v);
 init = racoon_malloc(tmplen);
 if (init == NULL) {
 plog(LLV_ERROR, LOCATION, NULL,
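Review bot: In the `@@ -896,7 +898,7 @@` hunk, `tmplen = strlen(xauth_ldap_config.uri->v)` followed by `init = racoon_malloc(tmplen)` still allocates one byte too few: there is no room for the terminating NUL. Whatever fills `init` below the hunk either writes one byte past the allocation or, if it is a bounded copy using `tmplen`, drops the last character of the URI before it is logged as `ldap URI: %s` and used to open the handle; the commit corrects the source string (`host` to `uri`) but not the size. The fix is `tmplen = strlen(xauth_ldap_config.uri->v) + 1;`. xauth_login_ldap starts before and continues after this hunk, so the copy and the host/port fallback are not visible here.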
@@ -918,6 +920,9 @@ xauth_login_ldap(iph1, usr, pwd)
 xauth_ldap_config.host->v,
 xauth_ldap_config.port );
 }
+ /* initialize the debug level */
+ ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, &xauth_ldap_config.debug);
+ ber_set_option(NULL, LBER_OPT_DEBUG_LEVEL, &xauth_ldap_config.debug);
 plog(LLV_DEBUG, LOCATION, NULL, "ldap URI: %s\n", init);
 /* initialize the ldap handle */
@@ -933,12 +938,26 @@ xauth_login_ldap(iph1, usr, pwd)
 if ((res = ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION,
 &xauth_ldap_config.pver)) != LDAP_OPT_SUCCESS) {
 plog(LLV_ERROR, LOCATION, NULL,
- "LDAP_OPT_PROTOCOL_VERSION %s failed: %s\n",
+ "LDAP_OPT_PROTOCOL_VERSION %d failed: %s\n",
 xauth_ldap_config.pver,
 ldap_err2string(res));
 goto ldap_end;
 }
-
+
+ if (xauth_ldap_config.timeout > 0) {
+ static struct timeval timeout;
+ timeout.tv_sec = xauth_ldap_config.timeout;
+ timeout.tv_usec = 0;
+ if ((res = ldap_set_option(ld, LDAP_OPT_NETWORK_TIMEOUT,
+ (void *)&timeout)) != LDAP_OPT_SUCCESS) {
+ plog(LLV_ERROR, LOCATION, NULL,
+ "LDAP_OPT_NETWORK_TIMEOUT %d failed: %s\n",
+ xauth_ldap_config.timeout,
+ ldap_err2string(res));
+ goto ldap_end;
+ }
+ }
+
 /* Enable TLS */
 if (xauth_ldap_config.tls) {
 res = ldap_start_tls_s(ld, NULL, NULL);
Index: src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.h
diff -u src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.h:1.9 src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.h:1.10
--- src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.h:1.9 Wed Nov 25 16:42:53 2020
+++ src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.h Wed Nov 25 18:11:00 2020
@@ -1,4 +1,4 @@
-/* $NetBSD: isakmp_xauth.h,v 1.9 2020/11/25 16:42:53 bouyer Exp $ */
+/* $NetBSD: isakmp_xauth.h,v 1.10 2020/11/25 18:11:00 bouyer Exp $ */
 /* $KAME$ */
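Review bot: The two calls added in the `@@ -918,6 +920,9 @@` hunk set libldap/liblber tracing process-wide (`NULL` handle) on every login attempt and ignore their return values; this is a security-relevant knob, because the higher debug levels trace the wire PDUs, which for a simple bind can include the configured bind password and the XAUTH user's `pwd` that this function receives, written to stderr. Guard the calls with `if (xauth_ldap_config.debug != 0)` and put `/* Process-wide library tracing; levels that dump PDUs can expose bind credentials on stderr */` above them, and say the same in the racoon.conf.5 `debug` entry, which this commit documents only as "Set ldap debug level". Since the setting is global, applying it once after the configuration has been parsed, rather than on every phase-1 login, would also avoid rewriting library state each time. xauth_login_ldap begins and ends outside this hunk.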
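Review bot: In the `@@ -933,12 +938,26 @@` hunk, `LDAP_OPT_NETWORK_TIMEOUT` bounds only the TCP connect; the synchronous bind and search that follow later in xauth_login_ldap (outside this hunk) are not covered, so an LDAP server that accepts the connection and then stalls still blocks racoon's phase-1 handling indefinitely, which is the availability problem a timeout option is usually meant to close. With OpenLDAP (the `ber_set_option` call in the previous hunk implies it) the same value can be applied to those operations with `ldap_set_option(ld, LDAP_OPT_TIMEOUT, (void *)&timeout)` under the same error handling, and the man page entry should then say which operations the timeout covers. `static struct timeval timeout` need not be static if, as with OpenLDAP, the library copies the timeval when the option is set (verify against the in-tree library); a plain local avoids what reads like shared state on a per-login path. A zero or negative value silently keeps the library default, which matches the `-1` initialisation but is not stated in racoon.conf.5.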
@@ -158,6 +158,8 @@ int xauth_login_radius(struct ph1handle
 struct xauth_ldap_config {
 int pver;
+ int debug;
+ int timeout;
 vchar_t *uri;
 vchar_t *host;
 int port;
Index: src/crypto/dist/ipsec-tools/src/racoon/racoon.conf.5
diff -u src/crypto/dist/ipsec-tools/src/racoon/racoon.conf.5:1.68 src/crypto/dist/ipsec-tools/src/racoon/racoon.conf.5:1.69
--- src/crypto/dist/ipsec-tools/src/racoon/racoon.conf.5:1.68 Sat Oct 13 15:38:28 2018
+++ src/crypto/dist/ipsec-tools/src/racoon/racoon.conf.5 Wed Nov 25 18:11:00 2020
@@ -1,4 +1,4 @@
-.\" $NetBSD: racoon.conf.5,v 1.68 2018/10/13 15:38:28 maxv Exp $
+.\" $NetBSD: racoon.conf.5,v 1.69 2020/11/25 18:11:00 bouyer Exp $
 .\"
 .\" Id: racoon.conf.5,v 1.54 2006/08/22 18:17:17 manubsd Exp
 .\"
@@ -29,7 +29,7 @@
 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 .\" SUCH DAMAGE.
 .\"
-.Dd October 13, 2018
+.Dd November 25, 2020
 .Dt RACOON.CONF 5
 .Os
 .\"
@@ -1349,6 +1349,14 @@ The default is
 The port that the ldap server is configured to listen on.
 The default is
 .Ic 389 .
+.It Ic uri Ar (ldapuri) ;
+URI(s) referring to the ldap server(s); a list of URI, separated by
+whitespace or commas.
+It takes precedence over
+.Ic host/port .
+.It Ic timeout Ar (number) ;
+network timeout connecting to the ldap server(s).
+The default is the default connect timeout from the underlying protocol.
 .It Ic tls (on | off) ;
 Use TLS with the ldap server.
 The default is
@@ -1393,6 +1401,9 @@ The default value is
 The attribute used to specify group membership in an ldap directory.
 The default value is
 .Ic member .
+.It Ic debug Ar (number) ;
+Set ldap debug level.
+The default value is 0.
 .El
 .El
 .Ss Radius configuration settings
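Review bot: The two fields added to `struct xauth_ldap_config` carry no comment, and their meaning is only discoverable from isakmp_xauth.c: `debug` is handed verbatim to LDAP_OPT_DEBUG_LEVEL and LBER_OPT_DEBUG_LEVEL, and `timeout` is seconds for LDAP_OPT_NETWORK_TIMEOUT, applied only when positive. Suggest `int debug; /* LDAP_OPT_DEBUG_LEVEL / LBER_OPT_DEBUG_LEVEL; 0 = off */` and `int timeout; /* connect timeout in seconds; <= 0 leaves the library default */`. The struct definition continues past the end of this hunk.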