Add an optional radius configuration section to the racoon.conf file. This trunk
authormgrooms <mgrooms@NetBSD.org>
Tue, 22 Jul 2008 01:30:02 +0000
branchtrunk
changeset 171809 f2015bd53260
parent 171808 36a98744663c
child 171810 315e64786a4b
Add an optional radius configuration section to the racoon.conf file. This is similar to the LDAP configuration section and overrides settings in the system radius configuration file.
crypto/dist/ipsec-tools/ChangeLog
crypto/dist/ipsec-tools/src/racoon/cfparse.y
crypto/dist/ipsec-tools/src/racoon/cftoken.l
crypto/dist/ipsec-tools/src/racoon/isakmp_cfg.c
crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c
crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.h
crypto/dist/ipsec-tools/src/racoon/main.c
crypto/dist/ipsec-tools/src/racoon/racoon.conf.5
crypto/dist/ipsec-tools/src/racoon/session.c
--- a/crypto/dist/ipsec-tools/ChangeLog	Mon Jul 21 23:39:55 2008 +0000
+++ b/crypto/dist/ipsec-tools/ChangeLog	Tue Jul 22 01:30:02 2008 +0000
@@ -1,3 +1,15 @@
+2008-07-21  Matthew Grooms
+	* src/racoon/cfparse.y
+	  src/racoon/cftoken.l
+	  src/racoon/isakmp_cfg.c
+	  src/racoon/isakmp_xauth.c
+	  src/racoon/isakmp_xauth.h
+	  src/racoon/main.c
+	  src/racoon/racoon.conf.5
+	  src/racoon/session.c : add radius config options for racoon.conf
+
+src/racoon/isakmp_cfg.c : fix hybrid enabled builds
+
 2008-07-21  Timo Teras  <timo.teras@iki.fi>
 	* src/racoon/cfparse.y : do not set default gss id if xauth is used
 	* src/racoon/isakmp_agg.c
--- a/crypto/dist/ipsec-tools/src/racoon/cfparse.y	Mon Jul 21 23:39:55 2008 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/cfparse.y	Tue Jul 22 01:30:02 2008 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: cfparse.y,v 1.28 2008/07/21 09:43:03 tron Exp $	*/
+/*	$NetBSD: cfparse.y,v 1.29 2008/07/22 01:30:02 mgrooms Exp $	*/
 
 /* Id: cfparse.y,v 1.66 2006/08/22 18:17:17 manubsd Exp */
 
@@ -196,6 +196,8 @@
 	/* ldap config */
 %token LDAPCFG LDAP_HOST LDAP_PORT LDAP_PVER LDAP_BASE LDAP_BIND_DN LDAP_BIND_PW LDAP_SUBTREE
 %token LDAP_ATTR_USER LDAP_ATTR_ADDR LDAP_ATTR_MASK LDAP_ATTR_GROUP LDAP_ATTR_MEMBER
+	/* radius config */
+%token RADCFG RAD_AUTH RAD_ACCT RAD_TIMEOUT RAD_RETRIES
 	/* modecfg */
 %token MODECFG CFG_NET4 CFG_MASK4 CFG_DNS4 CFG_NBNS4 CFG_DEFAULT_DOMAIN
 %token CFG_AUTH_SOURCE CFG_AUTH_GROUPS CFG_SYSTEM CFG_RADIUS CFG_PAM CFG_LDAP CFG_LOCAL CFG_NONE
@@ -271,6 +273,7 @@
 	|	padding_statement
 	|	listen_statement
 	|	ldapcfg_statement
+	|	radcfg_statement
 	|	modecfg_statement
 	|	timer_statement
 	|	sainfo_statement
@@ -506,6 +509,119 @@
 	|	PORT		{ $$ = $1; }
 	;
 
+	/* radius configuration */
+radcfg_statement
+	:	RADCFG {
+#ifndef ENABLE_HYBRID
+			yyerror("racoon not configured with --enable-hybrid");
+			return -1;
+#endif
+#ifndef HAVE_LIBRADIUS
+			yyerror("racoon not configured with --with-libradius");
+			return -1;
+#endif
+			xauth_rad_config.timeout = 3;
+			xauth_rad_config.retries = 3;
+
+		} BOC radcfg_stmts EOC
+	;
+radcfg_stmts
+	:	/* nothing */
+	|	radcfg_stmts radcfg_stmt
+	;
+radcfg_stmt
+	:	RAD_AUTH QUOTEDSTRING QUOTEDSTRING
+		{
+#ifdef ENABLE_HYBRID
+#ifdef HAVE_LIBRADIUS
+			int i = xauth_rad_config.auth_server_count;
+			if (i == RADIUS_MAX_SERVERS) {
+				yyerror("maximum radius auth servers exceeded");
+				return -1;
+			}
+
+			xauth_rad_config.auth_server_list[i].host = vdup($2);
+			xauth_rad_config.auth_server_list[i].secret = vdup($3);
+			xauth_rad_config.auth_server_list[i].port = 0; // default port
+			xauth_rad_config.auth_server_count++;
+#endif
+#endif
+		}
+		EOS
+	|	RAD_AUTH QUOTEDSTRING NUMBER QUOTEDSTRING
+		{
+#ifdef ENABLE_HYBRID
+#ifdef HAVE_LIBRADIUS
+			int i = xauth_rad_config.auth_server_count;
+			if (i == RADIUS_MAX_SERVERS) {
+				yyerror("maximum radius auth servers exceeded");
+				return -1;
+			}
+
+			xauth_rad_config.auth_server_list[i].host = vdup($2);
+			xauth_rad_config.auth_server_list[i].secret = vdup($4);
+			xauth_rad_config.auth_server_list[i].port = $3;
+			xauth_rad_config.auth_server_count++;
+#endif
+#endif
+		}
+		EOS
+	|	RAD_ACCT QUOTEDSTRING QUOTEDSTRING
+		{
+#ifdef ENABLE_HYBRID
+#ifdef HAVE_LIBRADIUS
+			int i = xauth_rad_config.acct_server_count;
+			if (i == RADIUS_MAX_SERVERS) {
+				yyerror("maximum radius account servers exceeded");
+				return -1;
+			}
+
+			xauth_rad_config.acct_server_list[i].host = vdup($2);
+			xauth_rad_config.acct_server_list[i].secret = vdup($3);
+			xauth_rad_config.acct_server_list[i].port = 0; // default port
+			xauth_rad_config.acct_server_count++;
+#endif
+#endif
+		}
+		EOS
+	|	RAD_ACCT QUOTEDSTRING NUMBER QUOTEDSTRING
+		{
+#ifdef ENABLE_HYBRID
+#ifdef HAVE_LIBRADIUS
+			int i = xauth_rad_config.acct_server_count;
+			if (i == RADIUS_MAX_SERVERS) {
+				yyerror("maximum radius account servers exceeded");
+				return -1;
+			}
+
+			xauth_rad_config.acct_server_list[i].host = vdup($2);
+			xauth_rad_config.acct_server_list[i].secret = vdup($4);
+			xauth_rad_config.acct_server_list[i].port = $3;
+			xauth_rad_config.acct_server_count++;
+#endif
+#endif
+		}
+		EOS
+	|	RAD_TIMEOUT NUMBER
+		{
+#ifdef ENABLE_HYBRID
+#ifdef HAVE_LIBRADIUS
+			xauth_rad_config.timeout = $2;
+#endif
+#endif
+		}
+		EOS
+	|	RAD_RETRIES NUMBER
+		{
+#ifdef ENABLE_HYBRID
+#ifdef HAVE_LIBRADIUS
+			xauth_rad_config.retries = $2;
+#endif
+#endif
+		}
+		EOS
+	;
+
 	/* ldap configuration */
 ldapcfg_statement
 	:	LDAPCFG {
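Review bot: The port, timeout and retries values taken from NUMBER tokens at the `$3`/`$2` assignments are stored without any range check, so a port above 65535 or a zero or negative timeout/retry count is passed straight to rad_add_server() later in xauth_radius_init(). Each of the four server rules should reject an out-of-range port, e.g. `if ($3 < 1 || $3 > 65535) { yyerror("invalid radius server port"); return -1; }`, and the RAD_TIMEOUT/RAD_RETRIES rules should reject values below 1. The four RAD_AUTH/RAD_ACCT actions differ only in which list and which `$n` they touch; a small static helper taking the list, its count, host, port and secret would remove the copy-paste and give the bounds check a single home. The vdup() results are also assigned unchecked; if vdup() can return NULL here, the `->v` dereferences in xauth_radius_init() would follow.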
--- a/crypto/dist/ipsec-tools/src/racoon/cftoken.l	Mon Jul 21 23:39:55 2008 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/cftoken.l	Tue Jul 22 01:30:02 2008 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: cftoken.l,v 1.14 2007/09/12 23:39:50 mgrooms Exp $	*/
+/*	$NetBSD: cftoken.l,v 1.15 2008/07/22 01:30:02 mgrooms Exp $	*/
 
 /* Id: cftoken.l,v 1.53 2006/08/22 18:17:17 manubsd Exp */
 
@@ -214,6 +214,15 @@
 <S_LST>strict_address	{ YYD; return(STRICT_ADDRESS); }
 <S_LST>{ecl}		{ BEGIN S_INI; return(EOC); }
 
+	/* radius config */
+<S_INI>radiuscfg	{ BEGIN S_LDAP; YYDB; return(RADCFG); }
+<S_LDAP>{bcl}		{ return(BOC); }
+<S_LDAP>auth		{ YYD; return(RAD_AUTH); }
+<S_LDAP>acct		{ YYD; return(RAD_ACCT); }
+<S_LDAP>timeout		{ YYD; return(RAD_TIMEOUT); }
+<S_LDAP>retries		{ YYD; return(RAD_RETRIES); }
+<S_LDAP>{ecl}		{ BEGIN S_INI; return(EOC); }
+
 	/* ldap config */
 <S_INI>ldapcfg		{ BEGIN S_LDAP; YYDB; return(LDAPCFG); }
 <S_LDAP>{bcl}		{ return(BOC); }
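Review bot: The radiuscfg rules reuse the `S_LDAP` start condition, so the `<S_LDAP>{bcl}` and `<S_LDAP>{ecl}` rules added here are exact duplicates of the ldapcfg ones below them, and flex will report the later pair as rules that can never match. It also means every ldap keyword is accepted by the lexer inside a `radiuscfg` block (and `auth`/`acct`/`timeout`/`retries` inside an `ldapcfg` block), leaving the grammar rather than the lexer to reject the input with a less helpful error. A dedicated start condition for the radius section (declared alongside the existing ones in the definitions section, outside this hunk) keeps the two keyword sets apart: `<S_INI>radiuscfg { BEGIN S_RAD; YYDB; return(RADCFG); }` with the four keyword rules and the brace rules moved under `<S_RAD>`.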
--- a/crypto/dist/ipsec-tools/src/racoon/isakmp_cfg.c	Mon Jul 21 23:39:55 2008 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/isakmp_cfg.c	Tue Jul 22 01:30:02 2008 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp_cfg.c,v 1.17 2008/07/15 02:16:58 mgrooms Exp $	*/
+/*	$NetBSD: isakmp_cfg.c,v 1.18 2008/07/22 01:30:02 mgrooms Exp $	*/
 
 /* Id: isakmp_cfg.c,v 1.55 2006/08/22 18:17:17 manubsd Exp */
 
@@ -1491,24 +1491,6 @@
 	struct ph1handle *iph1;
 	int inout;
 {
-	/* For first time use, initialize Radius */
-	if (radius_acct_state == NULL) {
-		if ((radius_acct_state = rad_acct_open()) == NULL) {
-			plog(LLV_ERROR, LOCATION, NULL,
-			    "Cannot init librradius\n");
-			return -1;
-		}
-
-		if (rad_config(radius_acct_state, NULL) != 0) {
-			 plog(LLV_ERROR, LOCATION, NULL,
-			     "Cannot open librarius config file: %s\n",
-			     rad_strerror(radius_acct_state));
-			  rad_close(radius_acct_state);
-			  radius_acct_state = NULL;
-			  return -1;
-		}
-	}
-
 	if (rad_create_request(radius_acct_state, 
 	    RAD_ACCOUNTING_REQUEST) != 0) {
 		plog(LLV_ERROR, LOCATION, NULL,
--- a/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c	Mon Jul 21 23:39:55 2008 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c	Tue Jul 22 01:30:02 2008 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp_xauth.c,v 1.14 2008/03/06 00:34:11 mgrooms Exp $	*/
+/*	$NetBSD: isakmp_xauth.c,v 1.15 2008/07/22 01:30:02 mgrooms Exp $	*/
 
 /* Id: isakmp_xauth.c,v 1.38 2006/08/22 18:17:17 manubsd Exp */
 
@@ -40,6 +40,7 @@
 
 #include <netinet/in.h>
 
+#include <assert.h>
 #include <stdlib.h>
 #include <stdio.h>
 #include <string.h>
@@ -95,9 +96,9 @@
 
 #ifdef HAVE_LIBRADIUS
 #include <radlib.h>
-
 struct rad_handle *radius_auth_state = NULL;
 struct rad_handle *radius_acct_state = NULL;
+struct xauth_rad_config xauth_rad_config;
 #endif
 
 #ifdef HAVE_LIBPAM
@@ -447,6 +448,31 @@
 
 #ifdef HAVE_LIBRADIUS
 int
+xauth_radius_init_conf(int free)
+{
+	/* free radius config resources */
+	if (free) {
+		int i;
+		for (i = 0; i < xauth_rad_config.auth_server_count; i++) {
+			vfree(xauth_rad_config.auth_server_list[i].host);
+			vfree(xauth_rad_config.auth_server_list[i].secret);
+		}
+		for (i = 0; i < xauth_rad_config.acct_server_count; i++) {
+			vfree(xauth_rad_config.acct_server_list[i].host);
+			vfree(xauth_rad_config.acct_server_list[i].secret);
+		}
+		if (radius_auth_state != NULL)
+			rad_close(radius_auth_state);
+		if (radius_acct_state != NULL)
+			rad_close(radius_acct_state);
+	}
+
+	/* initialize radius config */
+	memset(&xauth_rad_config, 0, sizeof(xauth_rad_config));
+	return 0;
+}
+
+int
 xauth_radius_init(void)
 {
 	/* For first time use, initialize Radius */
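Review bot: The two rad_close() calls in the free branch leave `radius_auth_state` and `radius_acct_state` pointing at closed handles; if the first-use check that follows this hunk's last line tests the handle against NULL (the comment there and the code this commit removes from isakmp_cfg.c both suggest it does), a config reload skips re-initialisation and later requests go through a freed handle. Add `radius_auth_state = NULL;` and `radius_acct_state = NULL;` after the respective rad_close() calls. The parameter named `free` shadows the stdlib function that the `<stdlib.h>` include above brings into scope; a name such as `release` avoids the -Wshadow warning and the trap should the body ever need to call free(), and the prototype in isakmp_xauth.h carries the same name. The shared secrets are handed to vfree() as-is; unless vfree() scrubs its buffer, the secret bytes remain in freed heap memory, so clearing `secret->v` over `secret->l` before vfree() would be prudent. xauth_radius_init() begins at the end of this hunk and continues outside it.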
@@ -458,13 +484,35 @@
 			return -1;
 		}
 
-		if (rad_config(radius_auth_state, NULL) != 0) {
-			plog(LLV_ERROR, LOCATION, NULL, 
-			    "Cannot open librarius config file: %s\n", 
-			    rad_strerror(radius_auth_state));
-			rad_close(radius_auth_state);
-			radius_auth_state = NULL;
-			return -1;
+		int auth_count = xauth_rad_config.auth_server_count;
+		int auth_added = 0;
+		if (auth_count) {
+			int i;
+			for (i = 0; i < auth_count; i++) {
+				if(!rad_add_server(
+					radius_auth_state,
+					xauth_rad_config.auth_server_list[i].host->v,
+					xauth_rad_config.auth_server_list[i].port,
+					xauth_rad_config.auth_server_list[i].secret->v,
+					xauth_rad_config.timeout,
+					xauth_rad_config.retries ))
+					auth_added++;
+				else
+					plog(LLV_WARNING, LOCATION, NULL,
+						"could not add radius auth server %s\n",
+						xauth_rad_config.auth_server_list[i].host->v);
+			}
+		}
+
+		if (!auth_added) {
+			if (rad_config(radius_auth_state, NULL) != 0) {
+				plog(LLV_ERROR, LOCATION, NULL, 
+				    "Cannot open librarius config file: %s\n", 
+				    rad_strerror(radius_auth_state));
+				rad_close(radius_auth_state);
+				radius_auth_state = NULL;
+				return -1;
+			}
 		}
 	}
 
@@ -476,13 +524,35 @@
 			return -1;
 		}
 
-		if (rad_config(radius_acct_state, NULL) != 0) {
-			plog(LLV_ERROR, LOCATION, NULL, 
-			    "Cannot open librarius config file: %s\n", 
-			    rad_strerror(radius_acct_state));
-			rad_close(radius_acct_state);
-			radius_acct_state = NULL;
-			return -1;
+		int acct_count = xauth_rad_config.acct_server_count;
+		int acct_added = 0;
+		if (acct_count) {
+			int i;
+			for (i = 0; i < acct_count; i++) {
+				if(!rad_add_server(
+					radius_acct_state,
+					xauth_rad_config.acct_server_list[i].host->v,
+					xauth_rad_config.acct_server_list[i].port,
+					xauth_rad_config.acct_server_list[i].secret->v,
+					xauth_rad_config.timeout,
+					xauth_rad_config.retries ))
+					acct_added++;
+				else
+					plog(LLV_WARNING, LOCATION, NULL,
+						"could not add radius account server %s\n",
+						xauth_rad_config.acct_server_list[i].host->v);
+			}
+		}
+
+		if (!acct_added) {
+			if (rad_config(radius_acct_state, NULL) != 0) {
+				plog(LLV_ERROR, LOCATION, NULL, 
+				    "Cannot open librarius config file: %s\n", 
+				    rad_strerror(radius_acct_state));
+				rad_close(radius_acct_state);
+				radius_acct_state = NULL;
+				return -1;
+			}
 		}
 	}
 
@@ -727,7 +797,7 @@
 
 #ifdef HAVE_LIBLDAP
 int 
-xauth_ldap_init(void)
+xauth_ldap_init_conf(void)
 {
 	int tmplen;
 	int error = -1;
--- a/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.h	Mon Jul 21 23:39:55 2008 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.h	Tue Jul 22 01:30:02 2008 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp_xauth.h,v 1.4 2006/09/09 16:22:09 manu Exp $	*/
+/*	$NetBSD: isakmp_xauth.h,v 1.5 2008/07/22 01:30:02 mgrooms Exp $	*/
 
 /*	$KAME$ */
 
@@ -112,13 +112,35 @@
 int xauth_rmconf_used(struct xauth_rmconf **);
 void xauth_rmconf_delete(struct xauth_rmconf **);
 
-#ifdef HAVE_LIBRADIUS
-int xauth_login_radius(struct ph1handle *, char *, char *);
-int xauth_radius_init(void);
+#ifdef HAVE_LIBPAM
+int xauth_login_pam(int, struct sockaddr *, char *, char *);
 #endif
 
-#ifdef HAVE_LIBPAM
-int xauth_login_pam(int, struct sockaddr *, char *, char *);
+#ifdef HAVE_LIBRADIUS
+
+#define RADIUS_MAX_SERVERS 5
+
+struct rad_serv {
+	vchar_t		*host;
+	int		port;
+	vchar_t		*secret;
+};
+
+struct xauth_rad_config {
+	struct rad_serv	auth_server_list[RADIUS_MAX_SERVERS];
+	int		auth_server_count;
+	struct rad_serv	acct_server_list[RADIUS_MAX_SERVERS];
+	int		acct_server_count;
+	int		timeout;
+	int		retries;
+};
+
+extern struct xauth_rad_config xauth_rad_config;
+
+int xauth_radius_init_conf(int free);
+int xauth_radius_init(void);
+int xauth_login_radius(struct ph1handle *, char *, char *);
+
 #endif
 
 #ifdef HAVE_LIBLDAP
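Review bot: The new `struct rad_serv`, `struct xauth_rad_config` and the `xauth_radius_init_conf(int free)` prototype carry no comments, so the meaning of `port == 0` (use the default port, which the cfparse.y actions rely on), the ownership of `host`/`secret` (vchar_t buffers allocated by the parser and released by xauth_radius_init_conf(1)) and what the `free` argument does all have to be recovered from the .c files. Suggested comments: `int port; /* 0 = default port */`, `/* host and secret are owned by this struct and freed by xauth_radius_init_conf(1) */` above the list members, and on the prototype `/* free != 0: release server entries and close open rad handles before zeroing the config */`. `RADIUS_MAX_SERVERS` would also benefit from `/* per-list limit; the number is also stated in racoon.conf.5 */` so the two stay in step.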
@@ -148,8 +170,9 @@
 
 extern struct xauth_ldap_config xauth_ldap_config;
 
-int xauth_ldap_init(void);
+int xauth_ldap_init_conf(void);
 int xauth_login_ldap(struct ph1handle *, char *, char *);
+
 #endif
 
 #endif /* _ISAKMP_XAUTH_H */
--- a/crypto/dist/ipsec-tools/src/racoon/main.c	Mon Jul 21 23:39:55 2008 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/main.c	Tue Jul 22 01:30:02 2008 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: main.c,v 1.7 2007/05/31 19:54:55 manu Exp $	*/
+/*	$NetBSD: main.c,v 1.8 2008/07/22 01:30:02 mgrooms Exp $	*/
 
 /* Id: main.c,v 1.25 2006/06/20 20:31:34 manubsd Exp */
 
@@ -198,8 +198,15 @@
 #endif
 
 #ifdef HAVE_LIBLDAP
-	if (xauth_ldap_init() != 0)
-		errx(1, "could not initialize libldap");
+	if (xauth_ldap_init_conf() != 0)
+		errx(1, "could not initialize ldap config");
+#endif
+
+#ifdef HAVE_LIBRADIUS
+	if (xauth_radius_init_conf(0) != 0) {
+		errx(1, "could not initialize radius config");
+		/* NOTREACHED*/
+	}
 #endif
 
 	/*
--- a/crypto/dist/ipsec-tools/src/racoon/racoon.conf.5	Mon Jul 21 23:39:55 2008 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/racoon.conf.5	Tue Jul 22 01:30:02 2008 +0000
@@ -1,4 +1,4 @@
-.\"	$NetBSD: racoon.conf.5,v 1.43 2007/12/01 19:24:47 wiz Exp $
+.\"	$NetBSD: racoon.conf.5,v 1.44 2008/07/22 01:30:02 mgrooms Exp $
 .\"
 .\"	Id: racoon.conf.5,v 1.54 2006/08/22 18:17:17 manubsd Exp
 .\"
@@ -1116,8 +1116,9 @@
 It works only if
 .Xr racoon 8
 was built with libradius support.
-Radius configuration is handled by
-.Xr radius.conf 5 .
+Radius configuration is handled by statements in the
+.Ic radiuscfg
+section.
 .Ar pam
 means to use PAM.
 It works only if
@@ -1163,8 +1164,9 @@
 It works only if
 .Xr racoon 8
 was built with libradius support and requires RADIUS authentication.
-RADIUS configuration is handled by
-.Xr radius.conf 5 .
+RADIUS configuration is handled by statements in the
+.Ic radiuscfg
+section.
 .Ar ldap
 means to use an LDAP server.
 It works only if
@@ -1189,8 +1191,9 @@
 It works only if
 .Xr racoon 8
 was built with libradius support and requires RADIUS authentication.
-RADIUS configuration is handled by
-.Xr radius.conf 5 .
+RADIUS configuration is handled by statements in the
+.Ic radiuscfg
+section.
 Specifying
 .Ar pam
 enables PAM accounting.
@@ -1327,6 +1330,39 @@
 .Ic member .
 .El
 .El
+.Ss Radius configuration settings
+.Bl -tag -width Ds -compact
+.It Ic radiuscfg { Ar statements Ic }
+Defines the parameters that will be used to communicate with radius
+servers for
+.Ic xauth
+authentication. If radius is selected as the xauth authentication or
+accounting source and no servers are defined in this section, settings
+from the system
+.Xr radius.conf 5
+configuration file will be used instead.
+.Pp
+The following are valid statements:
+.Bl -tag -width Ds -compact
+.It Ic auth Ar (hostname | address) [port] sharedsecret;
+The host name or ip address, optional port value and shared secret value
+of a radius authentication server. Up to 5 radius authentication servers
+may be specified using multiple lines.
+.It Ic acct Ar (hostname | address) [port] sharedsecret;
+The host name or ip address, optional port value and shared secret value
+of a radius accounting server. Up to 5 radius accounting servers may be
+specified using multiple lines.
+.It Ic timeout Ar seconds ;
+The timeout for receiving replies from radius servers.
+The default is
+.Ic 3 .
+.It Ic retries Ar count ;
+The maximum number of repeated requests to make before giving up
+on a radius server.
+The default is
+.Ic 3 .
+.El
+.El
 .Ss Special directives
 .Bl -tag -width Ds -compact
 .It Ic complex_bundle (on | off) ;
--- a/crypto/dist/ipsec-tools/src/racoon/session.c	Mon Jul 21 23:39:55 2008 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/session.c	Tue Jul 22 01:30:02 2008 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: session.c,v 1.12 2008/03/06 04:29:20 manu Exp $	*/
+/*	$NetBSD: session.c,v 1.13 2008/07/22 01:30:02 mgrooms Exp $	*/
 
 /*	$KAME: session.c,v 1.32 2003/09/24 02:01:17 jinmei Exp $	*/
 
@@ -78,6 +78,7 @@
 #include "cfparse_proto.h"
 #include "isakmp_var.h"
 #include "isakmp_xauth.h"
+#include "isakmp_xauth.h"
 #include "isakmp_cfg.h"
 #include "admin_var.h"
 #include "admin.h"
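Review bot: The added `#include "isakmp_xauth.h"` is an exact duplicate of the line immediately above it and should be dropped. The header's include guard makes it harmless, but it reads as though a different header was intended, and the existing include already makes the new xauth_radius_* declarations visible.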
@@ -368,6 +369,9 @@
 	save_rmconf();
 	initrmconf();
 
+	/* free and init radius configuration */
+	xauth_radius_init_conf(1);
+
 	pfkey_reload();
 
 	save_params();
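Review bot: `xauth_radius_init_conf(1)` is called unconditionally, but isakmp_xauth.h declares it only under `#ifdef HAVE_LIBRADIUS` and isakmp_xauth.c defines it inside the same block, so a build without libradius gets an implicit declaration and an unresolved symbol unless an enclosing `#ifdef` outside this hunk covers the call; the `xauth_radius_init()` call in the next hunk has the same problem. Wrap both calls in `#ifdef HAVE_LIBRADIUS` / `#endif`, matching the guard this commit places around the equivalent call in main.c. The enclosing function starts outside this hunk.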
@@ -384,6 +388,9 @@
 		dumprmconf ();
 #endif
 
+	/* re-initialize radius state */
+	xauth_radius_init();
+
 	/* 
 	 * init_myaddr() ?
 	 * If running in privilege separation, do not reinitialize
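Review bot: The return value of `xauth_radius_init()` is discarded, so when opening or configuring the radius handles fails on reload the handles stay NULL and the failure shows only in the log; since this commit also removes the lazy initialisation from isakmp_cfg.c, the accounting path now depends on this call having succeeded before it passes `radius_acct_state` to rad_create_request(). At minimum report the failure here, e.g. `if (xauth_radius_init() != 0) plog(LLV_ERROR, LOCATION, NULL, "could not re-initialize radius state\n");`, and consider having the accounting and auth call sites check for a NULL handle before use. The enclosing function starts outside this hunk.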