[src/trunk]: src/crypto/dist/ipsec-tools/src/racoon From Vincent Bernat <bern...
details: https://anonhg.NetBSD.org/src/rev/7ce03c363a13
branches: trunk
changeset: 771232:7ce03c363a13
user: tteras <tteras%NetBSD.org@localhost>
date: Tue Nov 15 13:51:23 2011 +0000
description:
From Vincent Bernat <bernat%luffy.cx@localhost>: TLS support for LDAP
diffstat:
crypto/dist/ipsec-tools/src/racoon/cfparse.y | 13 ++++++++++-
crypto/dist/ipsec-tools/src/racoon/cftoken.l | 3 +-
crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c | 25 ++++++++++++++++++++++-
crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.h | 3 +-
crypto/dist/ipsec-tools/src/racoon/racoon.conf.5 | 6 ++++-
5 files changed, 44 insertions(+), 6 deletions(-)
diffs (141 lines):
diff -r 3c72edc980bf -r 7ce03c363a13 crypto/dist/ipsec-tools/src/racoon/cfparse.y
--- a/crypto/dist/ipsec-tools/src/racoon/cfparse.y Tue Nov 15 13:25:44 2011 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/cfparse.y Tue Nov 15 13:51:23 2011 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: cfparse.y,v 1.43 2011/08/19 05:36:47 tteras Exp $ */
+/* $NetBSD: cfparse.y,v 1.44 2011/11/15 13:51:23 tteras Exp $ */
/* Id: cfparse.y,v 1.66 2006/08/22 18:17:17 manubsd Exp */
@@ -267,7 +267,7 @@
/* listen */
%token LISTEN X_ISAKMP X_ISAKMP_NATT X_ADMIN STRICT_ADDRESS ADMINSOCK DISABLED
/* ldap config */
-%token LDAPCFG LDAP_HOST LDAP_PORT LDAP_PVER LDAP_BASE LDAP_BIND_DN LDAP_BIND_PW LDAP_SUBTREE
+%token LDAPCFG LDAP_HOST LDAP_PORT LDAP_TLS LDAP_PVER LDAP_BASE LDAP_BIND_DN LDAP_BIND_PW LDAP_SUBTREE
%token LDAP_ATTR_USER LDAP_ATTR_ADDR LDAP_ATTR_MASK LDAP_ATTR_GROUP LDAP_ATTR_MEMBER
/* radius config */
%token RADCFG RAD_AUTH RAD_ACCT RAD_TIMEOUT RAD_RETRIES
@@ -720,6 +720,15 @@
#endif
}
EOS
+ | LDAP_TLS SWITCH
+ {
+#ifdef ENABLE_HYBRID
+#ifdef HAVE_LIBLDAP
+ xauth_ldap_config.tls = $2;
+#endif
+#endif
+ }
+ EOS
| LDAP_BASE QUOTEDSTRING
{
#ifdef ENABLE_HYBRID
diff -r 3c72edc980bf -r 7ce03c363a13 crypto/dist/ipsec-tools/src/racoon/cftoken.l
--- a/crypto/dist/ipsec-tools/src/racoon/cftoken.l Tue Nov 15 13:25:44 2011 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/cftoken.l Tue Nov 15 13:51:23 2011 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: cftoken.l,v 1.24 2011/08/19 05:36:47 tteras Exp $ */
+/* $NetBSD: cftoken.l,v 1.25 2011/11/15 13:51:23 tteras Exp $ */
/* Id: cftoken.l,v 1.53 2006/08/22 18:17:17 manubsd Exp */
@@ -226,6 +226,7 @@
<S_LDAP>version { YYD; return(LDAP_PVER); }
<S_LDAP>host { YYD; return(LDAP_HOST); }
<S_LDAP>port { YYD; return(LDAP_PORT); }
+<S_LDAP>tls { YYD; return(LDAP_TLS); }
<S_LDAP>base { YYD; return(LDAP_BASE); }
<S_LDAP>subtree { YYD; return(LDAP_SUBTREE); }
<S_LDAP>bind_dn { YYD; return(LDAP_BIND_DN); }
diff -r 3c72edc980bf -r 7ce03c363a13 crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c
--- a/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c Tue Nov 15 13:25:44 2011 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c Tue Nov 15 13:51:23 2011 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: isakmp_xauth.c,v 1.23 2011/05/15 17:13:23 christos Exp $ */
+/* $NetBSD: isakmp_xauth.c,v 1.24 2011/11/15 13:51:23 tteras Exp $ */
/* Id: isakmp_xauth.c,v 1.38 2006/08/22 18:17:17 manubsd Exp */
@@ -802,6 +802,7 @@
xauth_ldap_config.pver = 3;
xauth_ldap_config.host = NULL;
xauth_ldap_config.port = LDAP_PORT;
+ xauth_ldap_config.tls = 0;
xauth_ldap_config.base = NULL;
xauth_ldap_config.subtree = 0;
xauth_ldap_config.bind_dn = NULL;
@@ -916,6 +917,17 @@
ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION,
&xauth_ldap_config.pver);
+ /* Enable TLS */
+ if (xauth_ldap_config.tls) {
+ res = ldap_start_tls_s(ld, NULL, NULL);
+ if (res != LDAP_SUCCESS) {
+ plog(LLV_ERROR, LOCATION, NULL,
+ "ldap_start_tls_s failed: %s\n",
+ ldap_err2string(res));
+ goto ldap_end;
+ }
+ }
+
/*
* attempt to bind to the ldap server.
* default to anonymous bind unless a
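Review bot: The new `res = ldap_start_tls_s(ld, NULL, NULL);` upgrades the session but configures no peer-certificate verification, so whether the server certificate is actually checked depends on the LDAP library's default (for OpenLDAP, the `TLS_REQCERT` setting in ldap.conf), which an administrator turning on `tls on` in racoon.conf will not see; consider setting `LDAP_OPT_X_TLS_REQUIRE_CERT` explicitly via `ldap_set_option` before the call, or at least stating in racoon.conf.5 that `tls on` performs STARTTLS on the configured port (not an ldaps connection) and that verification follows the system ldap.conf policy. The same eleven lines are pasted verbatim into the next hunk (the `goto ldap_group_end;` variant); a small static helper would keep the two paths in step, as sketched below. `res` and the `ldap_end` label are declared outside this hunk, so the cleanup path is not visible here; presumably `ldap_end` unbinds `ld`, which is still required after a failed STARTTLS handshake.
```c
/* Upgrade the LDAP session with STARTTLS when configured; returns the ldap result code. */
static int
xauth_ldap_start_tls(LDAP *ld)
{
	int res;

	if (!xauth_ldap_config.tls)
		return LDAP_SUCCESS;
	res = ldap_start_tls_s(ld, NULL, NULL);
	if (res != LDAP_SUCCESS)
		plog(LLV_ERROR, LOCATION, NULL,
		    "ldap_start_tls_s failed: %s\n",
		    ldap_err2string(res));
	return res;
}

	/* … unchanged: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION) … */
	if (xauth_ldap_start_tls(ld) != LDAP_SUCCESS)
		goto ldap_end;
```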
@@ -1144,6 +1156,17 @@
ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION,
&xauth_ldap_config.pver);
+ /* Enable TLS */
+ if (xauth_ldap_config.tls) {
+ res = ldap_start_tls_s(ld, NULL, NULL);
+ if (res != LDAP_SUCCESS) {
+ plog(LLV_ERROR, LOCATION, NULL,
+ "ldap_start_tls_s failed: %s\n",
+ ldap_err2string(res));
+ goto ldap_group_end;
+ }
+ }
+
/*
* attempt to bind to the ldap server.
* default to anonymous bind unless a
diff -r 3c72edc980bf -r 7ce03c363a13 crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.h
--- a/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.h Tue Nov 15 13:25:44 2011 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.h Tue Nov 15 13:51:23 2011 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: isakmp_xauth.h,v 1.7 2011/03/14 15:50:36 vanhu Exp $ */
+/* $NetBSD: isakmp_xauth.h,v 1.8 2011/11/15 13:51:23 tteras Exp $ */
/* $KAME$ */
@@ -160,6 +160,7 @@
int pver;
vchar_t *host;
int port;
+ int tls;
vchar_t *base;
int subtree;
vchar_t *bind_dn;
diff -r 3c72edc980bf -r 7ce03c363a13 crypto/dist/ipsec-tools/src/racoon/racoon.conf.5
--- a/crypto/dist/ipsec-tools/src/racoon/racoon.conf.5 Tue Nov 15 13:25:44 2011 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/racoon.conf.5 Tue Nov 15 13:51:23 2011 +0000
@@ -1,4 +1,4 @@
-.\" $NetBSD: racoon.conf.5,v 1.62 2011/08/19 05:36:47 tteras Exp $
+.\" $NetBSD: racoon.conf.5,v 1.63 2011/11/15 13:51:23 tteras Exp $
.\"
.\" Id: racoon.conf.5,v 1.54 2006/08/22 18:17:17 manubsd Exp
.\"
@@ -1350,6 +1350,10 @@
The port that the ldap server is configured to listen on.
The default is
.Ic 389 .
+.It Ic tls (on | off) ;
+Use TLS with the ldap server.
+The default is
+.Ic off .
.It Ic base Ar distinguished name ;
The ldap search base.
This option has no default value.