From Vincent Bernat <bernat@luffy.cx>: TLS support for LDAP trunk
authortteras <tteras@NetBSD.org>
Tue, 15 Nov 2011 13:51:23 +0000
branchtrunk
changeset 206847 8fa66140a7b6
parent 206846 f96067661ea0
child 206848 24b3a6f286f0
From Vincent Bernat <bernat@luffy.cx>: TLS support for LDAP
crypto/dist/ipsec-tools/src/racoon/cfparse.y
crypto/dist/ipsec-tools/src/racoon/cftoken.l
crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c
crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.h
crypto/dist/ipsec-tools/src/racoon/racoon.conf.5
--- a/crypto/dist/ipsec-tools/src/racoon/cfparse.y	Tue Nov 15 13:25:44 2011 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/cfparse.y	Tue Nov 15 13:51:23 2011 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: cfparse.y,v 1.43 2011/08/19 05:36:47 tteras Exp $	*/
+/*	$NetBSD: cfparse.y,v 1.44 2011/11/15 13:51:23 tteras Exp $	*/
 
 /* Id: cfparse.y,v 1.66 2006/08/22 18:17:17 manubsd Exp */
 
@@ -267,7 +267,7 @@
 	/* listen */
 %token LISTEN X_ISAKMP X_ISAKMP_NATT X_ADMIN STRICT_ADDRESS ADMINSOCK DISABLED
 	/* ldap config */
-%token LDAPCFG LDAP_HOST LDAP_PORT LDAP_PVER LDAP_BASE LDAP_BIND_DN LDAP_BIND_PW LDAP_SUBTREE
+%token LDAPCFG LDAP_HOST LDAP_PORT LDAP_TLS LDAP_PVER LDAP_BASE LDAP_BIND_DN LDAP_BIND_PW LDAP_SUBTREE
 %token LDAP_ATTR_USER LDAP_ATTR_ADDR LDAP_ATTR_MASK LDAP_ATTR_GROUP LDAP_ATTR_MEMBER
 	/* radius config */
 %token RADCFG RAD_AUTH RAD_ACCT RAD_TIMEOUT RAD_RETRIES
@@ -720,6 +720,15 @@
 #endif
 		}
 		EOS
+	|	LDAP_TLS SWITCH
+		{
+#ifdef ENABLE_HYBRID
+#ifdef HAVE_LIBLDAP
+			xauth_ldap_config.tls = $2;
+#endif
+#endif
+		}
+		EOS
 	|	LDAP_BASE QUOTEDSTRING
 		{
 #ifdef ENABLE_HYBRID
--- a/crypto/dist/ipsec-tools/src/racoon/cftoken.l	Tue Nov 15 13:25:44 2011 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/cftoken.l	Tue Nov 15 13:51:23 2011 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: cftoken.l,v 1.24 2011/08/19 05:36:47 tteras Exp $	*/
+/*	$NetBSD: cftoken.l,v 1.25 2011/11/15 13:51:23 tteras Exp $	*/
 
 /* Id: cftoken.l,v 1.53 2006/08/22 18:17:17 manubsd Exp */
 
@@ -226,6 +226,7 @@
 <S_LDAP>version		{ YYD; return(LDAP_PVER); }
 <S_LDAP>host		{ YYD; return(LDAP_HOST); }
 <S_LDAP>port		{ YYD; return(LDAP_PORT); }
+<S_LDAP>tls		{ YYD; return(LDAP_TLS); }
 <S_LDAP>base		{ YYD; return(LDAP_BASE); }
 <S_LDAP>subtree		{ YYD; return(LDAP_SUBTREE); }
 <S_LDAP>bind_dn		{ YYD; return(LDAP_BIND_DN); }
--- a/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c	Tue Nov 15 13:25:44 2011 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c	Tue Nov 15 13:51:23 2011 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp_xauth.c,v 1.23 2011/05/15 17:13:23 christos Exp $	*/
+/*	$NetBSD: isakmp_xauth.c,v 1.24 2011/11/15 13:51:23 tteras Exp $	*/
 
 /* Id: isakmp_xauth.c,v 1.38 2006/08/22 18:17:17 manubsd Exp */
 
@@ -802,6 +802,7 @@
 	xauth_ldap_config.pver = 3;
 	xauth_ldap_config.host = NULL;
 	xauth_ldap_config.port = LDAP_PORT;
+	xauth_ldap_config.tls = 0;
 	xauth_ldap_config.base = NULL;
 	xauth_ldap_config.subtree = 0;
 	xauth_ldap_config.bind_dn = NULL;
@@ -916,6 +917,17 @@
 	ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION,
 		&xauth_ldap_config.pver);
 
+	/* Enable TLS */
+	if (xauth_ldap_config.tls) {
+		res = ldap_start_tls_s(ld, NULL, NULL);
+		if (res != LDAP_SUCCESS) {
+			plog(LLV_ERROR, LOCATION, NULL,
+			     "ldap_start_tls_s failed: %s\n",
+			     ldap_err2string(res));
+			goto ldap_end;
+		}
+	}
+
 	/*
 	 * attempt to bind to the ldap server.
          * default to anonymous bind unless a
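Review bot: The StartTLS negotiation added after the LDAP_OPT_PROTOCOL_VERSION ldap_set_option() checks only that ldap_start_tls_s() returned LDAP_SUCCESS; nothing here sets a certificate-verification policy (LDAP_OPT_X_TLS_REQUIRE_CERT, a CA file), so whether the server certificate is actually validated before bind_pw is sent depends entirely on the libldap/ldap.conf defaults on the host, which racoon.conf cannot influence — at minimum a comment such as `/* Certificate verification follows the libldap defaults (ldap.conf TLS_REQCERT); racoon.conf has no override. */` above the block would make that explicit to operators. The same block is repeated verbatim in the hunk at @@ -1144,6 +1156,17 @@ with only the goto label differing, so it is worth hoisting into one static helper that both call sites use, as sketched below. Both enclosing functions start and end outside their hunks, so I am assuming `res` is already declared there and that the ldap_end/ldap_group_end labels release the handle on the failure path.
```c
/* Negotiate StartTLS on ld when "tls on" is configured.  Returns the
 * libldap result code so both callers fail closed before binding;
 * certificate verification follows the libldap defaults (ldap.conf
 * TLS_REQCERT) -- racoon.conf has no override. */
static int
xauth_ldap_start_tls(LDAP *ld)
{
	int res;

	if (!xauth_ldap_config.tls)
		return LDAP_SUCCESS;
	res = ldap_start_tls_s(ld, NULL, NULL);
	if (res != LDAP_SUCCESS)
		plog(LLV_ERROR, LOCATION, NULL,
		     "ldap_start_tls_s failed: %s\n",
		     ldap_err2string(res));
	return res;
}

/* … unchanged: ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, …) … */
	if (xauth_ldap_start_tls(ld) != LDAP_SUCCESS)
		goto ldap_end;
```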
@@ -1144,6 +1156,17 @@
 	ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION,
 		&xauth_ldap_config.pver);
 
+	/* Enable TLS */
+	if (xauth_ldap_config.tls) {
+		res = ldap_start_tls_s(ld, NULL, NULL);
+		if (res != LDAP_SUCCESS) {
+			plog(LLV_ERROR, LOCATION, NULL,
+			     "ldap_start_tls_s failed: %s\n",
+			     ldap_err2string(res));
+			goto ldap_group_end;
+		}
+	}
+
 	/*
 	 * attempt to bind to the ldap server.
          * default to anonymous bind unless a
--- a/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.h	Tue Nov 15 13:25:44 2011 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.h	Tue Nov 15 13:51:23 2011 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp_xauth.h,v 1.7 2011/03/14 15:50:36 vanhu Exp $	*/
+/*	$NetBSD: isakmp_xauth.h,v 1.8 2011/11/15 13:51:23 tteras Exp $	*/
 
 /*	$KAME$ */
 
@@ -160,6 +160,7 @@
 	int		pver;
 	vchar_t 	*host;
 	int		port;
+	int		tls;
 	vchar_t		*base;
 	int		subtree;
 	vchar_t		*bind_dn;
--- a/crypto/dist/ipsec-tools/src/racoon/racoon.conf.5	Tue Nov 15 13:25:44 2011 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/racoon.conf.5	Tue Nov 15 13:51:23 2011 +0000
@@ -1,4 +1,4 @@
-.\"	$NetBSD: racoon.conf.5,v 1.62 2011/08/19 05:36:47 tteras Exp $
+.\"	$NetBSD: racoon.conf.5,v 1.63 2011/11/15 13:51:23 tteras Exp $
 .\"
 .\"	Id: racoon.conf.5,v 1.54 2006/08/22 18:17:17 manubsd Exp
 .\"
@@ -1350,6 +1350,10 @@
 The port that the ldap server is configured to listen on.
 The default is
 .Ic 389 .
+.It Ic tls (on | off) ;
+Use TLS with the ldap server.
+The default is
+.Ic off .
 .It Ic base Ar distinguished name ;
 The ldap search base.
 This option has no default value.