Add an optional radius configuration section to the racoon.conf file. This

is similar to the the LDAP configuration section and overrides settings in
the system radius configuration file.

crypto/dist/ipsec-tools/ChangeLog

@@ -1,3 +1,15 @@
+2008-07-21  Matthew Grooms
+	* src/racoon/cfparse.y
+	  src/racoon/cftoken.l
+	  src/racoon/isakmp_cfg.c
+	  src/racoon/isakmp_xauth.c
+	  src/racoon/isakmp_xauth.h
+	  src/racoon/main.c
+	  src/racoon/racoon.conf.5
+	  src/racoon/session.c : add radius config options for racoon.conf
+
+src/racoon/isakmp_cfg.c : fix hybrid enabled builds
+
 2008-07-21  Timo Teras  <timo.teras@iki.fi>
 	* src/racoon/cfparse.y : do not set default gss id if xauth is used
 	* src/racoon/isakmp_agg.c

crypto/dist/ipsec-tools/src/racoon/cfparse.y

@@ -1,4 +1,4 @@
-/*	$NetBSD: cfparse.y,v 1.28 2008/07/21 09:43:03 tron Exp $	*/
+/*	$NetBSD: cfparse.y,v 1.29 2008/07/22 01:30:02 mgrooms Exp $	*/
 
 /* Id: cfparse.y,v 1.66 2006/08/22 18:17:17 manubsd Exp */
 
@@ -196,6 +196,8 @@ static int fix_lifebyte __P((u_long));
 	/* ldap config */
 %token LDAPCFG LDAP_HOST LDAP_PORT LDAP_PVER LDAP_BASE LDAP_BIND_DN LDAP_BIND_PW LDAP_SUBTREE
 %token LDAP_ATTR_USER LDAP_ATTR_ADDR LDAP_ATTR_MASK LDAP_ATTR_GROUP LDAP_ATTR_MEMBER
+	/* radius config */
+%token RADCFG RAD_AUTH RAD_ACCT RAD_TIMEOUT RAD_RETRIES
 	/* modecfg */
 %token MODECFG CFG_NET4 CFG_MASK4 CFG_DNS4 CFG_NBNS4 CFG_DEFAULT_DOMAIN
 %token CFG_AUTH_SOURCE CFG_AUTH_GROUPS CFG_SYSTEM CFG_RADIUS CFG_PAM CFG_LDAP CFG_LOCAL CFG_NONE
@@ -271,6 +273,7 @@ statement
 	|	padding_statement
 	|	listen_statement
 	|	ldapcfg_statement
+	|	radcfg_statement
 	|	modecfg_statement
 	|	timer_statement
 	|	sainfo_statement
@@ -506,6 +509,119 @@ ike_port
 	|	PORT		{ $$ = $1; }
 	;
 
+	/* radius configuration */
+radcfg_statement
+	:	RADCFG {
+#ifndef ENABLE_HYBRID
+			yyerror("racoon not configured with --enable-hybrid");
+			return -1;
+#endif
+#ifndef HAVE_LIBRADIUS
+			yyerror("racoon not configured with --with-libradius");
+			return -1;
+#endif
+			xauth_rad_config.timeout = 3;
+			xauth_rad_config.retries = 3;
+
+		} BOC radcfg_stmts EOC
+	;
+radcfg_stmts
+	:	/* nothing */
+	|	radcfg_stmts radcfg_stmt
+	;
+radcfg_stmt
+	:	RAD_AUTH QUOTEDSTRING QUOTEDSTRING
+		{
+#ifdef ENABLE_HYBRID
+#ifdef HAVE_LIBRADIUS
+			int i = xauth_rad_config.auth_server_count;
+			if (i == RADIUS_MAX_SERVERS) {
+				yyerror("maximum radius auth servers exceeded");
+				return -1;
+			}
+
+			xauth_rad_config.auth_server_list[i].host = vdup($2);
+			xauth_rad_config.auth_server_list[i].secret = vdup($3);
+			xauth_rad_config.auth_server_list[i].port = 0; // default port
+			xauth_rad_config.auth_server_count++;
+#endif
+#endif
+		}
+		EOS
+	|	RAD_AUTH QUOTEDSTRING NUMBER QUOTEDSTRING
+		{
+#ifdef ENABLE_HYBRID
+#ifdef HAVE_LIBRADIUS
+			int i = xauth_rad_config.auth_server_count;
+			if (i == RADIUS_MAX_SERVERS) {
+				yyerror("maximum radius auth servers exceeded");
+				return -1;
+			}
+
+			xauth_rad_config.auth_server_list[i].host = vdup($2);
+			xauth_rad_config.auth_server_list[i].secret = vdup($4);
+			xauth_rad_config.auth_server_list[i].port = $3;
+			xauth_rad_config.auth_server_count++;
+#endif
+#endif
+		}
+		EOS
+	|	RAD_ACCT QUOTEDSTRING QUOTEDSTRING
+		{
+#ifdef ENABLE_HYBRID
+#ifdef HAVE_LIBRADIUS
+			int i = xauth_rad_config.acct_server_count;
+			if (i == RADIUS_MAX_SERVERS) {
+				yyerror("maximum radius account servers exceeded");
+				return -1;
+			}
+
+			xauth_rad_config.acct_server_list[i].host = vdup($2);
+			xauth_rad_config.acct_server_list[i].secret = vdup($3);
+			xauth_rad_config.acct_server_list[i].port = 0; // default port
+			xauth_rad_config.acct_server_count++;
+#endif
+#endif
+		}
+		EOS
+	|	RAD_ACCT QUOTEDSTRING NUMBER QUOTEDSTRING
+		{
+#ifdef ENABLE_HYBRID
+#ifdef HAVE_LIBRADIUS
+			int i = xauth_rad_config.acct_server_count;
+			if (i == RADIUS_MAX_SERVERS) {
+				yyerror("maximum radius account servers exceeded");
+				return -1;
+			}
+
+			xauth_rad_config.acct_server_list[i].host = vdup($2);
+			xauth_rad_config.acct_server_list[i].secret = vdup($4);
+			xauth_rad_config.acct_server_list[i].port = $3;
+			xauth_rad_config.acct_server_count++;
+#endif
+#endif
+		}
+		EOS
+	|	RAD_TIMEOUT NUMBER
+		{
+#ifdef ENABLE_HYBRID
+#ifdef HAVE_LIBRADIUS
+			xauth_rad_config.timeout = $2;
+#endif
+#endif
+		}
+		EOS
+	|	RAD_RETRIES NUMBER
+		{
+#ifdef ENABLE_HYBRID
+#ifdef HAVE_LIBRADIUS
+			xauth_rad_config.retries = $2;
+#endif
+#endif
+		}
+		EOS
+	;
+
 	/* ldap configuration */
 ldapcfg_statement
 	:	LDAPCFG {

crypto/dist/ipsec-tools/src/racoon/cftoken.l

@@ -1,4 +1,4 @@
-/*	$NetBSD: cftoken.l,v 1.14 2007/09/12 23:39:50 mgrooms Exp $	*/
+/*	$NetBSD: cftoken.l,v 1.15 2008/07/22 01:30:02 mgrooms Exp $	*/
 
 /* Id: cftoken.l,v 1.53 2006/08/22 18:17:17 manubsd Exp */
 
@@ -214,6 +214,15 @@ hexstring	0x{hexdigit}+
 <S_LST>strict_address	{ YYD; return(STRICT_ADDRESS); }
 <S_LST>{ecl}		{ BEGIN S_INI; return(EOC); }
 
+	/* radius config */
+<S_INI>radiuscfg	{ BEGIN S_LDAP; YYDB; return(RADCFG); }
+<S_LDAP>{bcl}		{ return(BOC); }
+<S_LDAP>auth		{ YYD; return(RAD_AUTH); }
+<S_LDAP>acct		{ YYD; return(RAD_ACCT); }
+<S_LDAP>timeout		{ YYD; return(RAD_TIMEOUT); }
+<S_LDAP>retries		{ YYD; return(RAD_RETRIES); }
+<S_LDAP>{ecl}		{ BEGIN S_INI; return(EOC); }
+
 	/* ldap config */
 <S_INI>ldapcfg		{ BEGIN S_LDAP; YYDB; return(LDAPCFG); }
 <S_LDAP>{bcl}		{ return(BOC); }

crypto/dist/ipsec-tools/src/racoon/isakmp_cfg.c

@@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp_cfg.c,v 1.17 2008/07/15 02:16:58 mgrooms Exp $	*/
+/*	$NetBSD: isakmp_cfg.c,v 1.18 2008/07/22 01:30:02 mgrooms Exp $	*/
 
 /* Id: isakmp_cfg.c,v 1.55 2006/08/22 18:17:17 manubsd Exp */
 
@@ -1491,24 +1491,6 @@ isakmp_cfg_accounting_radius(iph1, inout)
 	struct ph1handle *iph1;
 	int inout;
 {
-	/* For first time use, initialize Radius */
-	if (radius_acct_state == NULL) {
-		if ((radius_acct_state = rad_acct_open()) == NULL) {
-			plog(LLV_ERROR, LOCATION, NULL,
-			    "Cannot init librradius\n");
-			return -1;
-		}
-
-		if (rad_config(radius_acct_state, NULL) != 0) {
-			 plog(LLV_ERROR, LOCATION, NULL,
-			     "Cannot open librarius config file: %s\n",
-			     rad_strerror(radius_acct_state));
-			  rad_close(radius_acct_state);
-			  radius_acct_state = NULL;
-			  return -1;
-		}
-	}
-
 	if (rad_create_request(radius_acct_state, 
 	    RAD_ACCOUNTING_REQUEST) != 0) {
 		plog(LLV_ERROR, LOCATION, NULL,

crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.c

@@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp_xauth.c,v 1.14 2008/03/06 00:34:11 mgrooms Exp $	*/
+/*	$NetBSD: isakmp_xauth.c,v 1.15 2008/07/22 01:30:02 mgrooms Exp $	*/
 
 /* Id: isakmp_xauth.c,v 1.38 2006/08/22 18:17:17 manubsd Exp */
 
@@ -40,6 +40,7 @@
 
 #include <netinet/in.h>
 
+#include <assert.h>
 #include <stdlib.h>
 #include <stdio.h>
 #include <string.h>
@@ -95,9 +96,9 @@
 
 #ifdef HAVE_LIBRADIUS
 #include <radlib.h>
-
 struct rad_handle *radius_auth_state = NULL;
 struct rad_handle *radius_acct_state = NULL;
+struct xauth_rad_config xauth_rad_config;
 #endif
 
 #ifdef HAVE_LIBPAM
@@ -446,6 +447,31 @@ xauth_sendstatus(iph1, status, id)
 }
 
 #ifdef HAVE_LIBRADIUS
+int
+xauth_radius_init_conf(int free)
+{
+	/* free radius config resources */
+	if (free) {
+		int i;
+		for (i = 0; i < xauth_rad_config.auth_server_count; i++) {
+			vfree(xauth_rad_config.auth_server_list[i].host);
+			vfree(xauth_rad_config.auth_server_list[i].secret);
+		}
+		for (i = 0; i < xauth_rad_config.acct_server_count; i++) {
+			vfree(xauth_rad_config.acct_server_list[i].host);
+			vfree(xauth_rad_config.acct_server_list[i].secret);
+		}
+		if (radius_auth_state != NULL)
+			rad_close(radius_auth_state);
+		if (radius_acct_state != NULL)
+			rad_close(radius_acct_state);
+	}
+
+	/* initialize radius config */
+	memset(&xauth_rad_config, 0, sizeof(xauth_rad_config));
+	return 0;
+}
+
 int
 xauth_radius_init(void)
 {
@@ -458,13 +484,35 @@ xauth_radius_init(void)
 			return -1;
 		}
 
-		if (rad_config(radius_auth_state, NULL) != 0) {
-			plog(LLV_ERROR, LOCATION, NULL, 
-			    "Cannot open librarius config file: %s\n", 
-			    rad_strerror(radius_auth_state));
-			rad_close(radius_auth_state);
-			radius_auth_state = NULL;
-			return -1;
+		int auth_count = xauth_rad_config.auth_server_count;
+		int auth_added = 0;
+		if (auth_count) {
+			int i;
+			for (i = 0; i < auth_count; i++) {
+				if(!rad_add_server(
+					radius_auth_state,
+					xauth_rad_config.auth_server_list[i].host->v,
+					xauth_rad_config.auth_server_list[i].port,
+					xauth_rad_config.auth_server_list[i].secret->v,
+					xauth_rad_config.timeout,
+					xauth_rad_config.retries ))
+					auth_added++;
+				else
+					plog(LLV_WARNING, LOCATION, NULL,
+						"could not add radius auth server %s\n",
+						xauth_rad_config.auth_server_list[i].host->v);
+			}
+		}
+
+		if (!auth_added) {
+			if (rad_config(radius_auth_state, NULL) != 0) {
+				plog(LLV_ERROR, LOCATION, NULL, 
+				    "Cannot open librarius config file: %s\n", 
+				    rad_strerror(radius_auth_state));
+				rad_close(radius_auth_state);
+				radius_auth_state = NULL;
+				return -1;
+			}
 		}
 	}
 
@@ -476,13 +524,35 @@ xauth_radius_init(void)
 			return -1;
 		}
 
-		if (rad_config(radius_acct_state, NULL) != 0) {
-			plog(LLV_ERROR, LOCATION, NULL, 
-			    "Cannot open librarius config file: %s\n", 
-			    rad_strerror(radius_acct_state));
-			rad_close(radius_acct_state);
-			radius_acct_state = NULL;
-			return -1;
+		int acct_count = xauth_rad_config.acct_server_count;
+		int acct_added = 0;
+		if (acct_count) {
+			int i;
+			for (i = 0; i < acct_count; i++) {
+				if(!rad_add_server(
+					radius_acct_state,
+					xauth_rad_config.acct_server_list[i].host->v,
+					xauth_rad_config.acct_server_list[i].port,
+					xauth_rad_config.acct_server_list[i].secret->v,
+					xauth_rad_config.timeout,
+					xauth_rad_config.retries ))
+					acct_added++;
+				else
+					plog(LLV_WARNING, LOCATION, NULL,
+						"could not add radius account server %s\n",
+						xauth_rad_config.acct_server_list[i].host->v);
+			}
+		}
+
+		if (!acct_added) {
+			if (rad_config(radius_acct_state, NULL) != 0) {
+				plog(LLV_ERROR, LOCATION, NULL, 
+				    "Cannot open librarius config file: %s\n", 
+				    rad_strerror(radius_acct_state));
+				rad_close(radius_acct_state);
+				radius_acct_state = NULL;
+				return -1;
+			}
 		}
 	}
 
@@ -727,7 +797,7 @@ out:
 
 #ifdef HAVE_LIBLDAP
 int 
-xauth_ldap_init(void)
+xauth_ldap_init_conf(void)
 {
 	int tmplen;
 	int error = -1;

crypto/dist/ipsec-tools/src/racoon/isakmp_xauth.h

@@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp_xauth.h,v 1.4 2006/09/09 16:22:09 manu Exp $	*/
+/*	$NetBSD: isakmp_xauth.h,v 1.5 2008/07/22 01:30:02 mgrooms Exp $	*/
 
 /*	$KAME$ */
 
@@ -112,15 +112,37 @@ int xauth_reply(struct ph1handle *, int, int, int);
 int xauth_rmconf_used(struct xauth_rmconf **);
 void xauth_rmconf_delete(struct xauth_rmconf **);
 
-#ifdef HAVE_LIBRADIUS
-int xauth_login_radius(struct ph1handle *, char *, char *);
-int xauth_radius_init(void);
-#endif
-
 #ifdef HAVE_LIBPAM
 int xauth_login_pam(int, struct sockaddr *, char *, char *);
 #endif
 
+#ifdef HAVE_LIBRADIUS
+
+#define RADIUS_MAX_SERVERS 5
+
+struct rad_serv {
+	vchar_t		*host;
+	int		port;
+	vchar_t		*secret;
+};
+
+struct xauth_rad_config {
+	struct rad_serv	auth_server_list[RADIUS_MAX_SERVERS];
+	int		auth_server_count;
+	struct rad_serv	acct_server_list[RADIUS_MAX_SERVERS];
+	int		acct_server_count;
+	int		timeout;
+	int		retries;
+};
+
+extern struct xauth_rad_config xauth_rad_config;
+
+int xauth_radius_init_conf(int free);
+int xauth_radius_init(void);
+int xauth_login_radius(struct ph1handle *, char *, char *);
+
+#endif
+
 #ifdef HAVE_LIBLDAP
 
 #define LDAP_DFLT_HOST		"localhost"
@@ -148,8 +170,9 @@ struct xauth_ldap_config {
 
 extern struct xauth_ldap_config xauth_ldap_config;
 
-int xauth_ldap_init(void);
+int xauth_ldap_init_conf(void);
 int xauth_login_ldap(struct ph1handle *, char *, char *);
+
 #endif
 
 #endif /* _ISAKMP_XAUTH_H */

crypto/dist/ipsec-tools/src/racoon/main.c

@@ -1,4 +1,4 @@
-/*	$NetBSD: main.c,v 1.7 2007/05/31 19:54:55 manu Exp $	*/
+/*	$NetBSD: main.c,v 1.8 2008/07/22 01:30:02 mgrooms Exp $	*/
 
 /* Id: main.c,v 1.25 2006/06/20 20:31:34 manubsd Exp */
 
@@ -198,8 +198,15 @@ main(ac, av)
 #endif
 
 #ifdef HAVE_LIBLDAP
-	if (xauth_ldap_init() != 0)
-		errx(1, "could not initialize libldap");
+	if (xauth_ldap_init_conf() != 0)
+		errx(1, "could not initialize ldap config");
+#endif
+
+#ifdef HAVE_LIBRADIUS
+	if (xauth_radius_init_conf(0) != 0) {
+		errx(1, "could not initialize radius config");
+		/* NOTREACHED*/
+	}
 #endif
 
 	/*

crypto/dist/ipsec-tools/src/racoon/racoon.conf.5

@@ -1,4 +1,4 @@
-.\"	$NetBSD: racoon.conf.5,v 1.43 2007/12/01 19:24:47 wiz Exp $
+.\"	$NetBSD: racoon.conf.5,v 1.44 2008/07/22 01:30:02 mgrooms Exp $
 .\"
 .\"	Id: racoon.conf.5,v 1.54 2006/08/22 18:17:17 manubsd Exp
 .\"
@@ -1116,8 +1116,9 @@ means to use a RADIUS server.
 It works only if
 .Xr racoon 8
 was built with libradius support.
-Radius configuration is handled by
-.Xr radius.conf 5 .
+Radius configuration is handled by statements in the
+.Ic radiuscfg
+section.
 .Ar pam
 means to use PAM.
 It works only if
@@ -1163,8 +1164,9 @@ means to use a RADIUS server.
 It works only if
 .Xr racoon 8
 was built with libradius support and requires RADIUS authentication.
-RADIUS configuration is handled by
-.Xr radius.conf 5 .
+RADIUS configuration is handled by statements in the
+.Ic radiuscfg
+section.
 .Ar ldap
 means to use an LDAP server.
 It works only if
@@ -1189,8 +1191,9 @@ enables RADIUS accounting.
 It works only if
 .Xr racoon 8
 was built with libradius support and requires RADIUS authentication.
-RADIUS configuration is handled by
-.Xr radius.conf 5 .
+RADIUS configuration is handled by statements in the
+.Ic radiuscfg
+section.
 Specifying
 .Ar pam
 enables PAM accounting.
@@ -1327,6 +1330,39 @@ The default value is
 .Ic member .
 .El
 .El
+.Ss Radius configuration settings
+.Bl -tag -width Ds -compact
+.It Ic radiuscfg { Ar statements Ic }
+Defines the parameters that will be used to communicate with radius
+servers for
+.Ic xauth
+authentication. If radius is selected as the xauth authentication or
+accounting source and no servers are defined in this section, settings
+from the system
+.Xr radius.conf 5
+configuration file will be used instead.
+.Pp
+The following are valid statements:
+.Bl -tag -width Ds -compact
+.It Ic auth Ar (hostname | address) [port] sharedsecret;
+The host name or ip address, optional port value and shared secret value
+of a radius authentication server. Up to 5 radius authentication servers
+may be specified using multiple lines.
+.It Ic acct Ar (hostname | address) [port] sharedsecret;
+The host name or ip address, optional port value and shared secret value
+of a radius accounting server. Up to 5 radius accounting servers may be
+specified using multiple lines.
+.It Ic timeout Ar seconds ;
+The timeout for receiving replies from radius servers.
+The default is
+.Ic 3 .
+.It Ic retries Ar count ;
+The maximum number of repeated requests to make before giving up
+on a radius server.
+The default is
+.Ic 3 .
+.El
+.El
 .Ss Special directives
 .Bl -tag -width Ds -compact
 .It Ic complex_bundle (on | off) ;

crypto/dist/ipsec-tools/src/racoon/session.c

@@ -1,4 +1,4 @@
-/*	$NetBSD: session.c,v 1.12 2008/03/06 04:29:20 manu Exp $	*/
+/*	$NetBSD: session.c,v 1.13 2008/07/22 01:30:02 mgrooms Exp $	*/
 
 /*	$KAME: session.c,v 1.32 2003/09/24 02:01:17 jinmei Exp $	*/
 
@@ -78,6 +78,7 @@
 #include "cfparse_proto.h"
 #include "isakmp_var.h"
 #include "isakmp_xauth.h"
+#include "isakmp_xauth.h"
 #include "isakmp_cfg.h"
 #include "admin_var.h"
 #include "admin.h"
@@ -368,6 +369,9 @@ static void reload_conf(){
 	save_rmconf();
 	initrmconf();
 
+	/* free and init radius configuration */
+	xauth_radius_init_conf(1);
+
 	pfkey_reload();
 
 	save_params();
@@ -384,6 +388,9 @@ static void reload_conf(){
 		dumprmconf ();
 #endif
 
+	/* re-initialize radius state */
+	xauth_radius_init();
+
 	/* 
 	 * init_myaddr() ?
 	 * If running in privilege separation, do not reinitialize