Module Name: src
Committed By: tteras
Date: Tue Nov 15 13:51:24 UTC 2011
Modified Files:
src/crypto/dist/ipsec-tools/src/racoon: cfparse.y cftoken.l
isakmp_xauth.c isakmp_xauth.h racoon.conf.5
Log Message:
From Vincent Bernat <[email protected]>: TLS support for LDAP
To generate a diff of this commit:
cvs rdiff -u -r1.43 -r1.44 src/crypto/dist/ipsec-tools/src/racoon/cfparse.y
cvs rdiff -u -r1.24 -r1.25 src/crypto/dist/ipsec-tools/src/racoon/cftoken.l
cvs rdiff -u -r1.23 -r1.24 \
src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c
cvs rdiff -u -r1.7 -r1.8 \
src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.h
cvs rdiff -u -r1.62 -r1.63 \
src/crypto/dist/ipsec-tools/src/racoon/racoon.conf.5
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/crypto/dist/ipsec-tools/src/racoon/cfparse.y
diff -u src/crypto/dist/ipsec-tools/src/racoon/cfparse.y:1.43 src/crypto/dist/ipsec-tools/src/racoon/cfparse.y:1.44
--- src/crypto/dist/ipsec-tools/src/racoon/cfparse.y:1.43 Fri Aug 19 05:36:47 2011
+++ src/crypto/dist/ipsec-tools/src/racoon/cfparse.y Tue Nov 15 13:51:23 2011
@@ -1,4 +1,4 @@
-/* $NetBSD: cfparse.y,v 1.43 2011/08/19 05:36:47 tteras Exp $ */
+/* $NetBSD: cfparse.y,v 1.44 2011/11/15 13:51:23 tteras Exp $ */
/* Id: cfparse.y,v 1.66 2006/08/22 18:17:17 manubsd Exp */
@@ -267,7 +267,7 @@ static int process_rmconf()
/* listen */
%token LISTEN X_ISAKMP X_ISAKMP_NATT X_ADMIN STRICT_ADDRESS ADMINSOCK DISABLED
/* ldap config */
-%token LDAPCFG LDAP_HOST LDAP_PORT LDAP_PVER LDAP_BASE LDAP_BIND_DN LDAP_BIND_PW LDAP_SUBTREE
+%token LDAPCFG LDAP_HOST LDAP_PORT LDAP_TLS LDAP_PVER LDAP_BASE LDAP_BIND_DN LDAP_BIND_PW LDAP_SUBTREE
%token LDAP_ATTR_USER LDAP_ATTR_ADDR LDAP_ATTR_MASK LDAP_ATTR_GROUP LDAP_ATTR_MEMBER
/* radius config */
%token RADCFG RAD_AUTH RAD_ACCT RAD_TIMEOUT RAD_RETRIES
@@ -720,6 +720,15 @@ ldapcfg_stmt
#endif
}
EOS
+ | LDAP_TLS SWITCH
+ {
+#ifdef ENABLE_HYBRID
+#ifdef HAVE_LIBLDAP
+ xauth_ldap_config.tls = $2;
+#endif
+#endif
+ }
+ EOS
| LDAP_BASE QUOTEDSTRING
{
#ifdef ENABLE_HYBRID
Index: src/crypto/dist/ipsec-tools/src/racoon/cftoken.l
diff -u src/crypto/dist/ipsec-tools/src/racoon/cftoken.l:1.24 src/crypto/dist/ipsec-tools/src/racoon/cftoken.l:1.25
--- src/crypto/dist/ipsec-tools/src/racoon/cftoken.l:1.24 Fri Aug 19 05:36:47 2011
+++ src/crypto/dist/ipsec-tools/src/racoon/cftoken.l Tue Nov 15 13:51:23 2011
@@ -1,4 +1,4 @@
-/* $NetBSD: cftoken.l,v 1.24 2011/08/19 05:36:47 tteras Exp $ */
+/* $NetBSD: cftoken.l,v 1.25 2011/11/15 13:51:23 tteras Exp $ */
/* Id: cftoken.l,v 1.53 2006/08/22 18:17:17 manubsd Exp */
@@ -226,6 +226,7 @@ hexstring 0x{hexdigit}+
<S_LDAP>version { YYD; return(LDAP_PVER); }
<S_LDAP>host { YYD; return(LDAP_HOST); }
<S_LDAP>port { YYD; return(LDAP_PORT); }
+<S_LDAP>tls { YYD; return(LDAP_TLS); }
<S_LDAP>base { YYD; return(LDAP_BASE); }
<S_LDAP>subtree { YYD; return(LDAP_SUBTREE); }
<S_LDAP>bind_dn { YYD; return(LDAP_BIND_DN); }
Index: src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c
diff -u src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c:1.23 src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c:1.24
--- src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c:1.23 Sun May 15 17:13:23 2011
+++ src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c Tue Nov 15 13:51:23 2011
@@ -1,4 +1,4 @@
-/* $NetBSD: isakmp_xauth.c,v 1.23 2011/05/15 17:13:23 christos Exp $ */
+/* $NetBSD: isakmp_xauth.c,v 1.24 2011/11/15 13:51:23 tteras Exp $ */
/* Id: isakmp_xauth.c,v 1.38 2006/08/22 18:17:17 manubsd Exp */
@@ -802,6 +802,7 @@ xauth_ldap_init_conf(void)
xauth_ldap_config.pver = 3;
xauth_ldap_config.host = NULL;
xauth_ldap_config.port = LDAP_PORT;
+ xauth_ldap_config.tls = 0;
xauth_ldap_config.base = NULL;
xauth_ldap_config.subtree = 0;
xauth_ldap_config.bind_dn = NULL;
@@ -916,6 +917,17 @@ xauth_login_ldap(iph1, usr, pwd)
ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION,
&xauth_ldap_config.pver);
+ /* Enable TLS */
+ if (xauth_ldap_config.tls) {
+ res = ldap_start_tls_s(ld, NULL, NULL);
+ if (res != LDAP_SUCCESS) {
+ plog(LLV_ERROR, LOCATION, NULL,
+ "ldap_start_tls_s failed: %s\n",
+ ldap_err2string(res));
+ goto ldap_end;
+ }
+ }
+
/*
* attempt to bind to the ldap server.
* default to anonymous bind unless a
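Review bot: The ldap_start_tls_s(ld, NULL, NULL) call added here (and repeated verbatim in the xauth_group_ldap hunk below) upgrades the connection but sets no TLS options on the handle, so whether the server certificate is verified at all is left to libldap's global configuration (presumably TLS_REQCERT in ldap.conf, which this commit does not touch). Because the bind_pw and the XAUTH user password travel over this connection, an unverified TLS session only defends against passive observation; consider setting LDAP_OPT_X_TLS_REQUIRE_CERT (and a CA file via LDAP_OPT_X_TLS_CACERTFILE) from racoon.conf, or at least record the dependency next to the call: `/* Certificate verification is governed by libldap's own defaults (ldap.conf TLS_REQCERT); racoon sets no TLS options on the handle. */`. Since the two copies are identical, a small static helper taking the LDAP handle would keep any later option changes in one place. xauth_login_ldap begins and ends outside the hunk, so I cannot confirm that `res` is declared there or that the ldap_end label unbinds ld on this early exit.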
@@ -1144,6 +1156,17 @@ xauth_group_ldap(udn, grp)
ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION,
&xauth_ldap_config.pver);
+ /* Enable TLS */
+ if (xauth_ldap_config.tls) {
+ res = ldap_start_tls_s(ld, NULL, NULL);
+ if (res != LDAP_SUCCESS) {
+ plog(LLV_ERROR, LOCATION, NULL,
+ "ldap_start_tls_s failed: %s\n",
+ ldap_err2string(res));
+ goto ldap_group_end;
+ }
+ }
+
/*
* attempt to bind to the ldap server.
* default to anonymous bind unless a
Index: src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.h
diff -u src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.h:1.7 src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.h:1.8
--- src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.h:1.7 Mon Mar 14 15:50:36 2011
+++ src/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.h Tue Nov 15 13:51:23 2011
@@ -1,4 +1,4 @@
-/* $NetBSD: isakmp_xauth.h,v 1.7 2011/03/14 15:50:36 vanhu Exp $ */
+/* $NetBSD: isakmp_xauth.h,v 1.8 2011/11/15 13:51:23 tteras Exp $ */
/* $KAME$ */
@@ -160,6 +160,7 @@ struct xauth_ldap_config {
int pver;
vchar_t *host;
int port;
+ int tls;
vchar_t *base;
int subtree;
vchar_t *bind_dn;
Index: src/crypto/dist/ipsec-tools/src/racoon/racoon.conf.5
diff -u src/crypto/dist/ipsec-tools/src/racoon/racoon.conf.5:1.62 src/crypto/dist/ipsec-tools/src/racoon/racoon.conf.5:1.63
--- src/crypto/dist/ipsec-tools/src/racoon/racoon.conf.5:1.62 Fri Aug 19 05:36:47 2011
+++ src/crypto/dist/ipsec-tools/src/racoon/racoon.conf.5 Tue Nov 15 13:51:23 2011
@@ -1,4 +1,4 @@
-.\" $NetBSD: racoon.conf.5,v 1.62 2011/08/19 05:36:47 tteras Exp $
+.\" $NetBSD: racoon.conf.5,v 1.63 2011/11/15 13:51:23 tteras Exp $
.\"
.\" Id: racoon.conf.5,v 1.54 2006/08/22 18:17:17 manubsd Exp
.\"
@@ -1350,6 +1350,10 @@ The default is
The port that the ldap server is configured to listen on.
The default is
.Ic 389 .
+.It Ic tls (on | off) ;
+Use TLS with the ldap server.
+The default is
+.Ic off .
.It Ic base Ar distinguished name ;
The ldap search base.
This option has no default value.