]>
Commit | Line | Data |
---|---|---|
1 | /* $NetBSD: cfparse.y,v 1.18.4.3 2007/08/01 11:52:19 vanhu Exp $ */ | |
2 | ||
3 | /* Id: cfparse.y,v 1.66 2006/08/22 18:17:17 manubsd Exp */ | |
4 | ||
5 | %{ | |
6 | /* | |
7 | * Copyright (C) 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002 and 2003 WIDE Project. | |
8 | * All rights reserved. | |
9 | * | |
10 | * Redistribution and use in source and binary forms, with or without | |
11 | * modification, are permitted provided that the following conditions | |
12 | * are met: | |
13 | * 1. Redistributions of source code must retain the above copyright | |
14 | * notice, this list of conditions and the following disclaimer. | |
15 | * 2. Redistributions in binary form must reproduce the above copyright | |
16 | * notice, this list of conditions and the following disclaimer in the | |
17 | * documentation and/or other materials provided with the distribution. | |
18 | * 3. Neither the name of the project nor the names of its contributors | |
19 | * may be used to endorse or promote products derived from this software | |
20 | * without specific prior written permission. | |
21 | * | |
22 | * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND | |
23 | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE | |
24 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE | |
25 | * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE | |
26 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL | |
27 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS | |
28 | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) | |
29 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT | |
30 | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY | |
31 | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF | |
32 | * SUCH DAMAGE. | |
33 | */ | |
34 | ||
35 | #include "config.h" | |
36 | ||
37 | #include <sys/types.h> | |
38 | #include <sys/param.h> | |
39 | #include <sys/queue.h> | |
40 | #include <sys/socket.h> | |
41 | ||
42 | #include <netinet/in.h> | |
43 | #ifdef HAVE_NETINET6_IPSEC | |
44 | # include <netinet6/ipsec.h> | |
45 | #else | |
46 | # include <netinet/ipsec.h> | |
47 | #endif | |
48 | ||
49 | #ifdef ENABLE_HYBRID | |
50 | #include <arpa/inet.h> | |
51 | #endif | |
52 | ||
53 | #include <stdlib.h> | |
54 | #include <stdio.h> | |
55 | #include <string.h> | |
56 | #include <errno.h> | |
57 | #include <netdb.h> | |
58 | #include <pwd.h> | |
59 | #include <grp.h> | |
60 | #include <signal.h> | |
61 | ||
62 | #include "var.h" | |
63 | #include "misc.h" | |
64 | #include "vmbuf.h" | |
65 | #include "plog.h" | |
66 | #include "sockmisc.h" | |
67 | #include "str2val.h" | |
68 | #include "genlist.h" | |
69 | #include "debug.h" | |
70 | ||
71 | #include "admin.h" | |
72 | #include "privsep.h" | |
73 | #include "cfparse_proto.h" | |
74 | #include "cftoken_proto.h" | |
75 | #include "algorithm.h" | |
76 | #include "localconf.h" | |
77 | #include "policy.h" | |
78 | #include "sainfo.h" | |
79 | #include "oakley.h" | |
80 | #include "pfkey.h" | |
81 | #include "remoteconf.h" | |
82 | #include "grabmyaddr.h" | |
83 | #include "isakmp_var.h" | |
84 | #include "handler.h" | |
85 | #include "isakmp.h" | |
86 | #include "nattraversal.h" | |
87 | #include "isakmp_frag.h" | |
88 | #ifdef ENABLE_HYBRID | |
89 | #include "resolv.h" | |
90 | #include "isakmp_unity.h" | |
91 | #include "isakmp_xauth.h" | |
92 | #include "isakmp_cfg.h" | |
93 | #endif | |
94 | #include "ipsec_doi.h" | |
95 | #include "strnames.h" | |
96 | #include "gcmalloc.h" | |
97 | #ifdef HAVE_GSSAPI | |
98 | #include "gssapi.h" | |
99 | #endif | |
100 | #include "vendorid.h" | |
101 | #ifdef HAVE_OPENSSL | |
102 | #include "rsalist.h" | |
103 | #endif | |
104 | #include "ipsecConfigTracer.h" | |
105 | #include "ipsecMessageTracer.h" | |
106 | ||
107 | ||
108 | static int num2dhgroup[] = { | |
109 | 0, | |
110 | OAKLEY_ATTR_GRP_DESC_MODP768, | |
111 | OAKLEY_ATTR_GRP_DESC_MODP1024, | |
112 | OAKLEY_ATTR_GRP_DESC_EC2N155, | |
113 | OAKLEY_ATTR_GRP_DESC_EC2N185, | |
114 | OAKLEY_ATTR_GRP_DESC_MODP1536, | |
115 | 0, | |
116 | 0, | |
117 | 0, | |
118 | 0, | |
119 | 0, | |
120 | 0, | |
121 | 0, | |
122 | 0, | |
123 | OAKLEY_ATTR_GRP_DESC_MODP2048, | |
124 | OAKLEY_ATTR_GRP_DESC_MODP3072, | |
125 | OAKLEY_ATTR_GRP_DESC_MODP4096, | |
126 | OAKLEY_ATTR_GRP_DESC_MODP6144, | |
127 | OAKLEY_ATTR_GRP_DESC_MODP8192 | |
128 | }; | |
129 | ||
130 | static struct remoteconf *cur_rmconf; | |
131 | static int tmpalgtype[MAXALGCLASS]; | |
132 | static struct sainfo *cur_sainfo; | |
133 | static int cur_algclass; | |
134 | static int oldloglevel = LLV_BASE; | |
135 | ||
136 | static struct proposalspec *newprspec __P((void)); | |
137 | static void insprspec __P((struct proposalspec *, struct proposalspec **)); | |
138 | static struct secprotospec *newspspec __P((void)); | |
139 | static void insspspec __P((struct secprotospec *, struct proposalspec **)); | |
140 | static void adminsock_conf __P((vchar_t *, vchar_t *, vchar_t *, int)); | |
141 | ||
142 | static int set_isakmp_proposal | |
143 | __P((struct remoteconf *, struct proposalspec *)); | |
144 | static void clean_tmpalgtype __P((void)); | |
145 | static int expand_isakmpspec __P((int, int, int *, | |
146 | int, int, time_t, int, int, int, char *, struct remoteconf *)); | |
147 | static int listen_addr __P((struct sockaddr *addr, int udp_encap)); | |
148 | ||
149 | void freeetypes (struct etypes **etypes); | |
150 | ||
151 | #if 0 | |
152 | static int fix_lifebyte __P((u_long)); | |
153 | #endif | |
154 | %} | |
155 | ||
156 | %union { | |
157 | unsigned long num; | |
158 | vchar_t *val; | |
159 | struct remoteconf *rmconf; | |
160 | struct sockaddr *saddr; | |
161 | struct sainfoalg *alg; | |
162 | } | |
163 | ||
164 | /* privsep */ | |
165 | %token PRIVSEP USER GROUP CHROOT | |
166 | /* path */ | |
167 | %token PATH PATHTYPE | |
168 | /* include */ | |
169 | %token INCLUDE | |
170 | /* self information */ | |
171 | %token IDENTIFIER VENDORID | |
172 | /* logging */ | |
173 | %token LOGGING LOGLEV | |
174 | /* padding */ | |
175 | %token PADDING PAD_RANDOMIZE PAD_RANDOMIZELEN PAD_MAXLEN PAD_STRICT PAD_EXCLTAIL | |
176 | /* listen */ | |
177 | %token LISTEN X_ISAKMP X_ISAKMP_NATT X_ADMIN STRICT_ADDRESS ADMINSOCK DISABLED | |
178 | /* modecfg */ | |
179 | %token MODECFG CFG_NET4 CFG_MASK4 CFG_DNS4 CFG_NBNS4 CFG_DEFAULT_DOMAIN | |
180 | %token CFG_AUTH_SOURCE CFG_AUTH_GROUPS CFG_SYSTEM CFG_RADIUS CFG_PAM CFG_LDAP CFG_LOCAL CFG_NONE | |
181 | %token CFG_GROUP_SOURCE CFG_ACCOUNTING CFG_CONF_SOURCE CFG_MOTD CFG_POOL_SIZE CFG_AUTH_THROTTLE | |
182 | %token CFG_SPLIT_NETWORK CFG_SPLIT_LOCAL CFG_SPLIT_INCLUDE CFG_SPLIT_DNS | |
183 | %token CFG_PFS_GROUP CFG_SAVE_PASSWD | |
184 | /* timer */ | |
185 | %token RETRY RETRY_COUNTER RETRY_INTERVAL RETRY_PERSEND | |
186 | %token RETRY_PHASE1 RETRY_PHASE2 NATT_KA AUTO_EXIT_DELAY | |
187 | /* algorithm */ | |
188 | %token ALGORITHM_CLASS ALGORITHMTYPE STRENGTHTYPE | |
189 | /* sainfo */ | |
190 | %token SAINFO FROM | |
191 | /* remote */ | |
192 | %token REMOTE ANONYMOUS INHERIT | |
193 | %token EXCHANGE_MODE EXCHANGETYPE DOI DOITYPE SITUATION SITUATIONTYPE | |
194 | %token CERTIFICATE_TYPE CERTTYPE PEERS_CERTFILE CA_TYPE | |
195 | %token VERIFY_CERT SEND_CERT SEND_CR | |
196 | %token IDENTIFIERTYPE IDENTIFIERQUAL MY_IDENTIFIER | |
197 | %token PEERS_IDENTIFIER VERIFY_IDENTIFIER | |
198 | %token SHARED_SECRET SECRETTYPE | |
199 | %token OPEN_DIR_AUTH_GROUP IN_KEYCHAIN | |
200 | %token CERTIFICATE_VERIFICATION VERIFICATION_MODULE VERIFICATION_OPTION | |
201 | %token DNSSEC CERT_X509 CERT_PLAINRSA | |
202 | %token NONCE_SIZE DH_GROUP KEEPALIVE PASSIVE INITIAL_CONTACT | |
203 | %token NAT_TRAVERSAL REMOTE_FORCE_LEVEL NAT_TRAVERSAL_LEVEL NAT_TRAVERSAL_MULTI_USER NAT_TRAVERSAL_KEEPALIVE | |
204 | %token PROPOSAL_CHECK PROPOSAL_CHECK_LEVEL | |
205 | %token GENERATE_POLICY GENERATE_LEVEL SUPPORT_PROXY | |
206 | %token PROPOSAL | |
207 | %token EXEC_PATH EXEC_COMMAND EXEC_SUCCESS EXEC_FAILURE | |
208 | %token GSS_ID GSS_ID_ENC GSS_ID_ENCTYPE | |
209 | %token COMPLEX_BUNDLE | |
210 | %token DPD DPD_DELAY DPD_RETRY DPD_MAXFAIL DPD_ALGORITHM | |
211 | %token DISCONNECT_ON_IDLE IDLE_TIMEOUT IDLE_DIRECTION | |
212 | %token XAUTH_LOGIN WEAK_PHASE1_CHECK | |
213 | ||
214 | %token PREFIX PORT PORTANY UL_PROTO ANY IKE_FRAG ESP_FRAG MODE_CFG | |
215 | %token PFS_GROUP LIFETIME LIFETYPE_TIME LIFETYPE_BYTE STRENGTH REMOTEID | |
216 | ||
217 | %token SCRIPT PHASE1_UP PHASE1_DOWN | |
218 | ||
219 | %token NUMBER SWITCH BOOLEAN | |
220 | %token HEXSTRING QUOTEDSTRING ADDRSTRING ADDRRANGE | |
221 | %token UNITTYPE_BYTE UNITTYPE_KBYTES UNITTYPE_MBYTES UNITTYPE_TBYTES | |
222 | %token UNITTYPE_SEC UNITTYPE_MIN UNITTYPE_HOUR | |
223 | %token EOS BOC EOC COMMA | |
224 | %token DPD_ALGO_TYPE_DEFAULT DPD_ALGO_TYPE_INBOUND DPD_ALGO_TYPE_BLACKHOLE | |
225 | %token IDLE_DIRECTION_IN IDLE_DIRECTION_OUT IDLE_DIRECTION_ANY | |
226 | ||
227 | %type <num> NUMBER BOOLEAN SWITCH keylength | |
228 | %type <num> PATHTYPE IDENTIFIERTYPE IDENTIFIERQUAL LOGLEV GSS_ID_ENCTYPE | |
229 | %type <num> SECRETTYPE | |
230 | %type <num> ALGORITHM_CLASS dh_group_num | |
231 | %type <num> ALGORITHMTYPE STRENGTHTYPE | |
232 | %type <num> PREFIX prefix PORT port ike_port | |
233 | %type <num> ul_proto UL_PROTO | |
234 | %type <num> EXCHANGETYPE DOITYPE SITUATIONTYPE | |
235 | %type <num> CERTTYPE CERT_X509 CERT_PLAINRSA PROPOSAL_CHECK_LEVEL NAT_TRAVERSAL_LEVEL GENERATE_LEVEL | |
236 | %type <num> VERIFICATION_MODULE VERIFICATION_OPTION | |
237 | %type <num> unittype_time unittype_byte | |
238 | %type <val> QUOTEDSTRING HEXSTRING ADDRSTRING ADDRRANGE sainfo_id | |
239 | %type <val> identifierstring | |
240 | %type <saddr> remote_index ike_addrinfo_port | |
241 | %type <alg> algorithm | |
242 | %type <num> dpd_algo_type | |
243 | %type <num> idle_dir_type | |
244 | ||
245 | %% | |
246 | ||
247 | statements | |
248 | : /* nothing */ | |
249 | | statements statement | |
250 | ; | |
251 | statement | |
252 | : privsep_statement | |
253 | | path_statement | |
254 | | include_statement | |
255 | | gssenc_statement | |
256 | | identifier_statement | |
257 | | logging_statement | |
258 | | padding_statement | |
259 | | listen_statement | |
260 | | modecfg_statement | |
261 | | timer_statement | |
262 | | sainfo_statement | |
263 | | remote_statement | |
264 | | special_statement | |
265 | ; | |
266 | ||
267 | /* privsep */ | |
268 | privsep_statement | |
269 | : PRIVSEP BOC privsep_stmts EOC | |
270 | ; | |
271 | privsep_stmts | |
272 | : /* nothing */ | |
273 | | privsep_stmts privsep_stmt | |
274 | ; | |
275 | privsep_stmt | |
276 | : USER QUOTEDSTRING | |
277 | { | |
278 | struct passwd *pw; | |
279 | ||
280 | if ((pw = getpwnam($2->v)) == NULL) { | |
281 | yyerror("unknown user \"%s\"", $2->v); | |
282 | return -1; | |
283 | } | |
284 | lcconf->uid = pw->pw_uid; | |
285 | } | |
286 | EOS | |
287 | | USER NUMBER { lcconf->uid = $2; } EOS | |
288 | | GROUP QUOTEDSTRING | |
289 | { | |
290 | struct group *gr; | |
291 | ||
292 | if ((gr = getgrnam($2->v)) == NULL) { | |
293 | yyerror("unknown group \"%s\"", $2->v); | |
294 | return -1; | |
295 | } | |
296 | lcconf->gid = gr->gr_gid; | |
297 | } | |
298 | EOS | |
299 | | GROUP NUMBER { lcconf->gid = $2; } EOS | |
300 | | CHROOT QUOTEDSTRING { lcconf->chroot = $2->v; } EOS | |
301 | ; | |
302 | ||
303 | /* path */ | |
304 | path_statement | |
305 | : PATH PATHTYPE QUOTEDSTRING | |
306 | { | |
307 | if ($2 >= LC_PATHTYPE_MAX) { | |
308 | yyerror("invalid path type %d", $2); | |
309 | return -1; | |
310 | } | |
311 | ||
312 | /* free old pathinfo */ | |
313 | if (lcconf->pathinfo[$2]) | |
314 | racoon_free(lcconf->pathinfo[$2]); | |
315 | ||
316 | /* set new pathinfo */ | |
317 | lcconf->pathinfo[$2] = racoon_strdup($3->v); | |
318 | STRDUP_FATAL(lcconf->pathinfo[$2]); | |
319 | vfree($3); | |
320 | } | |
321 | EOS | |
322 | ; | |
323 | ||
324 | /* special */ | |
325 | special_statement | |
326 | : COMPLEX_BUNDLE SWITCH { lcconf->complex_bundle = $2; } EOS | |
327 | ; | |
328 | ||
329 | /* include */ | |
330 | include_statement | |
331 | : INCLUDE QUOTEDSTRING EOS | |
332 | { | |
333 | char path[MAXPATHLEN]; | |
334 | ||
335 | getpathname(path, sizeof(path), | |
336 | LC_PATHTYPE_INCLUDE, $2->v); | |
337 | vfree($2); | |
338 | if (yycf_switch_buffer(path) != 0) | |
339 | return -1; | |
340 | } | |
341 | ; | |
342 | ||
343 | /* gss_id_enc */ | |
344 | gssenc_statement | |
345 | : GSS_ID_ENC GSS_ID_ENCTYPE EOS | |
346 | { | |
347 | if ($2 >= LC_GSSENC_MAX) { | |
348 | yyerror("invalid GSS ID encoding %d", $2); | |
349 | return -1; | |
350 | } | |
351 | lcconf->gss_id_enc = $2; | |
352 | } | |
353 | ; | |
354 | ||
355 | /* self information */ | |
356 | identifier_statement | |
357 | : IDENTIFIER identifier_stmt | |
358 | ; | |
359 | identifier_stmt | |
360 | : VENDORID | |
361 | { | |
362 | /*XXX to be deleted */ | |
363 | } | |
364 | QUOTEDSTRING EOS | |
365 | | IDENTIFIERTYPE QUOTEDSTRING | |
366 | { | |
367 | /*XXX to be deleted */ | |
368 | $2->l--; /* nuke '\0' */ | |
369 | lcconf->ident[$1] = $2; | |
370 | if (lcconf->ident[$1] == NULL) { | |
371 | yyerror("failed to set my ident: %s", | |
372 | strerror(errno)); | |
373 | return -1; | |
374 | } | |
375 | } | |
376 | EOS | |
377 | ; | |
378 | ||
379 | /* logging */ | |
380 | logging_statement | |
381 | : LOGGING log_level EOS | |
382 | ; | |
383 | log_level | |
384 | : HEXSTRING | |
385 | { | |
386 | /* | |
387 | * XXX ignore it because this specification | |
388 | * will be obsoleted. | |
389 | */ | |
390 | yywarn("see racoon.conf(5), such a log specification will be obsoleted."); | |
391 | vfree($1); | |
392 | } | |
393 | | LOGLEV | |
394 | { | |
395 | /* | |
396 | * set the loglevel to the value specified | |
397 | * in the configuration file plus the number | |
398 | * of -d options specified on the command line | |
399 | */ | |
400 | loglevel += $1 - oldloglevel; | |
401 | oldloglevel = $1; | |
402 | } | |
403 | ; | |
404 | ||
405 | /* padding */ | |
406 | padding_statement | |
407 | : PADDING BOC padding_stmts EOC | |
408 | ; | |
409 | padding_stmts | |
410 | : /* nothing */ | |
411 | | padding_stmts padding_stmt | |
412 | ; | |
413 | padding_stmt | |
414 | : PAD_RANDOMIZE SWITCH { lcconf->pad_random = $2; } EOS | |
415 | | PAD_RANDOMIZELEN SWITCH { lcconf->pad_randomlen = $2; } EOS | |
416 | | PAD_MAXLEN NUMBER { lcconf->pad_maxsize = $2; } EOS | |
417 | | PAD_STRICT SWITCH { lcconf->pad_strict = $2; } EOS | |
418 | | PAD_EXCLTAIL SWITCH { lcconf->pad_excltail = $2; } EOS | |
419 | ; | |
420 | ||
421 | /* listen */ | |
422 | listen_statement | |
423 | : LISTEN BOC listen_stmts EOC | |
424 | ; | |
425 | listen_stmts | |
426 | : /* nothing */ | |
427 | | listen_stmts listen_stmt | |
428 | ; | |
429 | listen_stmt | |
430 | : X_ISAKMP ike_addrinfo_port | |
431 | { | |
432 | listen_addr ($2, 0); | |
433 | } | |
434 | EOS | |
435 | | X_ISAKMP_NATT ike_addrinfo_port | |
436 | { | |
437 | #ifdef ENABLE_NATT | |
438 | listen_addr ($2, 1); | |
439 | #else | |
440 | yyerror("NAT-T support not compiled in."); | |
441 | #endif | |
442 | } | |
443 | EOS | |
444 | | X_ADMIN | |
445 | { | |
446 | yyerror("admin directive is obsoleted."); | |
447 | } | |
448 | PORT EOS | |
449 | | ADMINSOCK QUOTEDSTRING QUOTEDSTRING QUOTEDSTRING NUMBER | |
450 | { | |
451 | #ifdef ENABLE_ADMINPORT | |
452 | adminsock_conf($2, $3, $4, $5); | |
453 | #else | |
454 | yywarn("admin port support not compiled in"); | |
455 | #endif | |
456 | } | |
457 | EOS | |
458 | | ADMINSOCK QUOTEDSTRING | |
459 | { | |
460 | #ifdef ENABLE_ADMINPORT | |
461 | adminsock_conf($2, NULL, NULL, -1); | |
462 | #else | |
463 | yywarn("admin port support not compiled in"); | |
464 | #endif | |
465 | } | |
466 | EOS | |
467 | | ADMINSOCK DISABLED | |
468 | { | |
469 | #ifdef ENABLE_ADMINPORT | |
470 | adminsock_path = NULL; | |
471 | #else | |
472 | yywarn("admin port support not compiled in"); | |
473 | #endif | |
474 | } | |
475 | EOS | |
476 | | STRICT_ADDRESS { lcconf->strict_address = TRUE; } EOS | |
477 | ; | |
478 | ike_addrinfo_port | |
479 | : ADDRSTRING ike_port | |
480 | { | |
481 | char portbuf[10]; | |
482 | ||
483 | snprintf(portbuf, sizeof(portbuf), "%ld", $2); | |
484 | $$ = str2saddr($1->v, portbuf); | |
485 | vfree($1); | |
486 | if (!$$) | |
487 | return -1; | |
488 | } | |
489 | ; | |
490 | ike_port | |
491 | : /* nothing */ { $$ = PORT_ISAKMP; } | |
492 | | PORT { $$ = $1; } | |
493 | ; | |
494 | /* modecfg */ | |
495 | modecfg_statement | |
496 | : MODECFG BOC modecfg_stmts EOC | |
497 | ; | |
498 | modecfg_stmts | |
499 | : /* nothing */ | |
500 | | modecfg_stmts modecfg_stmt | |
501 | ; | |
502 | modecfg_stmt | |
503 | : CFG_NET4 ADDRSTRING | |
504 | { | |
505 | #ifdef ENABLE_HYBRID | |
506 | if (inet_pton(AF_INET, $2->v, | |
507 | &isakmp_cfg_config.network4) != 1) | |
508 | yyerror("bad IPv4 network address."); | |
509 | vfree($2); | |
510 | #else | |
511 | yyerror("racoon not configured with --enable-hybrid"); | |
512 | #endif | |
513 | } | |
514 | EOS | |
515 | | CFG_MASK4 ADDRSTRING | |
516 | { | |
517 | #ifdef ENABLE_HYBRID | |
518 | if (inet_pton(AF_INET, $2->v, | |
519 | &isakmp_cfg_config.netmask4) != 1) | |
520 | yyerror("bad IPv4 netmask address."); | |
521 | vfree($2); | |
522 | #else | |
523 | yyerror("racoon not configured with --enable-hybrid"); | |
524 | #endif | |
525 | } | |
526 | EOS | |
527 | | CFG_DNS4 addrdnslist | |
528 | EOS | |
529 | | CFG_NBNS4 addrwinslist | |
530 | EOS | |
531 | | CFG_SPLIT_NETWORK CFG_SPLIT_LOCAL splitnetlist | |
532 | { | |
533 | #ifdef ENABLE_HYBRID | |
534 | isakmp_cfg_config.splitnet_type = UNITY_LOCAL_LAN; | |
535 | #else | |
536 | yyerror("racoon not configured with --enable-hybrid"); | |
537 | #endif | |
538 | } | |
539 | EOS | |
540 | | CFG_SPLIT_NETWORK CFG_SPLIT_INCLUDE splitnetlist | |
541 | { | |
542 | #ifdef ENABLE_HYBRID | |
543 | isakmp_cfg_config.splitnet_type = UNITY_SPLIT_INCLUDE; | |
544 | #else | |
545 | yyerror("racoon not configured with --enable-hybrid"); | |
546 | #endif | |
547 | } | |
548 | EOS | |
549 | | CFG_SPLIT_DNS splitdnslist | |
550 | { | |
551 | #ifndef ENABLE_HYBRID | |
552 | yyerror("racoon not configured with --enable-hybrid"); | |
553 | #endif | |
554 | } | |
555 | EOS | |
556 | | CFG_DEFAULT_DOMAIN QUOTEDSTRING | |
557 | { | |
558 | #ifdef ENABLE_HYBRID | |
559 | strlcpy(&isakmp_cfg_config.default_domain[0], | |
560 | $2->v, sizeof(isakmp_cfg_config.default_domain)); | |
561 | vfree($2); | |
562 | #else | |
563 | yyerror("racoon not configured with --enable-hybrid"); | |
564 | #endif | |
565 | } | |
566 | EOS | |
567 | | CFG_AUTH_SOURCE CFG_SYSTEM | |
568 | { | |
569 | #ifdef ENABLE_HYBRID | |
570 | isakmp_cfg_config.authsource = ISAKMP_CFG_AUTH_SYSTEM; | |
571 | #else | |
572 | yyerror("racoon not configured with --enable-hybrid"); | |
573 | #endif | |
574 | } | |
575 | EOS | |
576 | | CFG_AUTH_SOURCE CFG_RADIUS | |
577 | { | |
578 | #ifdef ENABLE_HYBRID | |
579 | #ifdef HAVE_LIBRADIUS | |
580 | isakmp_cfg_config.authsource = ISAKMP_CFG_AUTH_RADIUS; | |
581 | #else /* HAVE_LIBRADIUS */ | |
582 | yyerror("racoon not configured with --with-libradius"); | |
583 | #endif /* HAVE_LIBRADIUS */ | |
584 | #else /* ENABLE_HYBRID */ | |
585 | yyerror("racoon not configured with --enable-hybrid"); | |
586 | #endif /* ENABLE_HYBRID */ | |
587 | } | |
588 | EOS | |
589 | | CFG_AUTH_SOURCE CFG_PAM | |
590 | { | |
591 | #ifdef ENABLE_HYBRID | |
592 | #ifdef HAVE_LIBPAM | |
593 | isakmp_cfg_config.authsource = ISAKMP_CFG_AUTH_PAM; | |
594 | #else /* HAVE_LIBPAM */ | |
595 | yyerror("racoon not configured with --with-libpam"); | |
596 | #endif /* HAVE_LIBPAM */ | |
597 | #else /* ENABLE_HYBRID */ | |
598 | yyerror("racoon not configured with --enable-hybrid"); | |
599 | #endif /* ENABLE_HYBRID */ | |
600 | } | |
601 | EOS | |
602 | | CFG_AUTH_SOURCE CFG_LDAP | |
603 | { | |
604 | #ifdef ENABLE_HYBRID | |
605 | #ifdef HAVE_LIBLDAP | |
606 | isakmp_cfg_config.authsource = ISAKMP_CFG_AUTH_LDAP; | |
607 | #else /* HAVE_LIBLDAP */ | |
608 | yyerror("racoon not configured with --with-libldap"); | |
609 | #endif /* HAVE_LIBLDAP */ | |
610 | #else /* ENABLE_HYBRID */ | |
611 | yyerror("racoon not configured with --enable-hybrid"); | |
612 | #endif /* ENABLE_HYBRID */ | |
613 | } | |
614 | EOS | |
615 | | CFG_AUTH_GROUPS authgrouplist | |
616 | { | |
617 | #ifndef ENABLE_HYBRID | |
618 | yyerror("racoon not configured with --enable-hybrid"); | |
619 | #endif | |
620 | } | |
621 | EOS | |
622 | | CFG_GROUP_SOURCE CFG_SYSTEM | |
623 | { | |
624 | #ifdef ENABLE_HYBRID | |
625 | isakmp_cfg_config.groupsource = ISAKMP_CFG_GROUP_SYSTEM; | |
626 | #else | |
627 | yyerror("racoon not configured with --enable-hybrid"); | |
628 | #endif | |
629 | } | |
630 | EOS | |
631 | | CFG_GROUP_SOURCE CFG_LDAP | |
632 | { | |
633 | #ifdef ENABLE_HYBRID | |
634 | #ifdef HAVE_LIBLDAP | |
635 | isakmp_cfg_config.groupsource = ISAKMP_CFG_GROUP_LDAP; | |
636 | #else /* HAVE_LIBLDAP */ | |
637 | yyerror("racoon not configured with --with-libldap"); | |
638 | #endif /* HAVE_LIBLDAP */ | |
639 | #else /* ENABLE_HYBRID */ | |
640 | yyerror("racoon not configured with --enable-hybrid"); | |
641 | #endif /* ENABLE_HYBRID */ | |
642 | } | |
643 | EOS | |
644 | | CFG_ACCOUNTING CFG_NONE | |
645 | { | |
646 | #ifdef ENABLE_HYBRID | |
647 | isakmp_cfg_config.accounting = ISAKMP_CFG_ACCT_NONE; | |
648 | #else | |
649 | yyerror("racoon not configured with --enable-hybrid"); | |
650 | #endif | |
651 | } | |
652 | EOS | |
653 | | CFG_ACCOUNTING CFG_SYSTEM | |
654 | { | |
655 | #ifdef ENABLE_HYBRID | |
656 | isakmp_cfg_config.accounting = ISAKMP_CFG_ACCT_SYSTEM; | |
657 | #else | |
658 | yyerror("racoon not configured with --enable-hybrid"); | |
659 | #endif | |
660 | } | |
661 | EOS | |
662 | | CFG_ACCOUNTING CFG_RADIUS | |
663 | { | |
664 | #ifdef ENABLE_HYBRID | |
665 | #ifdef HAVE_LIBRADIUS | |
666 | isakmp_cfg_config.accounting = ISAKMP_CFG_ACCT_RADIUS; | |
667 | #else /* HAVE_LIBRADIUS */ | |
668 | yyerror("racoon not configured with --with-libradius"); | |
669 | #endif /* HAVE_LIBRADIUS */ | |
670 | #else /* ENABLE_HYBRID */ | |
671 | yyerror("racoon not configured with --enable-hybrid"); | |
672 | #endif /* ENABLE_HYBRID */ | |
673 | } | |
674 | EOS | |
675 | | CFG_ACCOUNTING CFG_PAM | |
676 | { | |
677 | #ifdef ENABLE_HYBRID | |
678 | #ifdef HAVE_LIBPAM | |
679 | isakmp_cfg_config.accounting = ISAKMP_CFG_ACCT_PAM; | |
680 | #else /* HAVE_LIBPAM */ | |
681 | yyerror("racoon not configured with --with-libpam"); | |
682 | #endif /* HAVE_LIBPAM */ | |
683 | #else /* ENABLE_HYBRID */ | |
684 | yyerror("racoon not configured with --enable-hybrid"); | |
685 | #endif /* ENABLE_HYBRID */ | |
686 | } | |
687 | EOS | |
688 | | CFG_POOL_SIZE NUMBER | |
689 | { | |
690 | #ifdef ENABLE_HYBRID | |
691 | if (isakmp_cfg_resize_pool($2) != 0) | |
692 | yyerror("cannot allocate memory for pool"); | |
693 | #else /* ENABLE_HYBRID */ | |
694 | yyerror("racoon not configured with --enable-hybrid"); | |
695 | #endif /* ENABLE_HYBRID */ | |
696 | } | |
697 | EOS | |
698 | | CFG_PFS_GROUP NUMBER | |
699 | { | |
700 | #ifdef ENABLE_HYBRID | |
701 | isakmp_cfg_config.pfs_group = $2; | |
702 | #ifndef HAVE_OPENSSL | |
703 | if (isakmp_cfg_config.pfs_group != OAKLEY_ATTR_GRP_DESC_MODP1024 | |
704 | && isakmp_cfg_config.pfs_group != OAKLEY_ATTR_GRP_DESC_MODP1536) { | |
705 | yyerror("PFS group must be 2 or 5"); | |
706 | return -1; | |
707 | } | |
708 | #endif | |
709 | #else /* ENABLE_HYBRID */ | |
710 | yyerror("racoon not configured with --enable-hybrid"); | |
711 | #endif /* ENABLE_HYBRID */ | |
712 | } | |
713 | EOS | |
714 | | CFG_SAVE_PASSWD SWITCH | |
715 | { | |
716 | #ifdef ENABLE_HYBRID | |
717 | isakmp_cfg_config.save_passwd = $2; | |
718 | #else /* ENABLE_HYBRID */ | |
719 | yyerror("racoon not configured with --enable-hybrid"); | |
720 | #endif /* ENABLE_HYBRID */ | |
721 | } | |
722 | EOS | |
723 | | CFG_AUTH_THROTTLE NUMBER | |
724 | { | |
725 | #ifdef ENABLE_HYBRID | |
726 | isakmp_cfg_config.auth_throttle = $2; | |
727 | #else /* ENABLE_HYBRID */ | |
728 | yyerror("racoon not configured with --enable-hybrid"); | |
729 | #endif /* ENABLE_HYBRID */ | |
730 | } | |
731 | EOS | |
732 | | CFG_CONF_SOURCE CFG_LOCAL | |
733 | { | |
734 | #ifdef ENABLE_HYBRID | |
735 | isakmp_cfg_config.confsource = ISAKMP_CFG_CONF_LOCAL; | |
736 | #else /* ENABLE_HYBRID */ | |
737 | yyerror("racoon not configured with --enable-hybrid"); | |
738 | #endif /* ENABLE_HYBRID */ | |
739 | } | |
740 | EOS | |
741 | | CFG_CONF_SOURCE CFG_RADIUS | |
742 | { | |
743 | #ifdef ENABLE_HYBRID | |
744 | #ifdef HAVE_LIBRADIUS | |
745 | isakmp_cfg_config.confsource = ISAKMP_CFG_CONF_RADIUS; | |
746 | #else /* HAVE_LIBRADIUS */ | |
747 | yyerror("racoon not configured with --with-libradius"); | |
748 | #endif /* HAVE_LIBRADIUS */ | |
749 | #else /* ENABLE_HYBRID */ | |
750 | yyerror("racoon not configured with --enable-hybrid"); | |
751 | #endif /* ENABLE_HYBRID */ | |
752 | } | |
753 | EOS | |
754 | | CFG_CONF_SOURCE CFG_LDAP | |
755 | { | |
756 | #ifdef ENABLE_HYBRID | |
757 | #ifdef HAVE_LIBLDAP | |
758 | isakmp_cfg_config.confsource = ISAKMP_CFG_CONF_LDAP; | |
759 | #else /* HAVE_LIBLDAP */ | |
760 | yyerror("racoon not configured with --with-libldap"); | |
761 | #endif /* HAVE_LIBLDAP */ | |
762 | #else /* ENABLE_HYBRID */ | |
763 | yyerror("racoon not configured with --enable-hybrid"); | |
764 | #endif /* ENABLE_HYBRID */ | |
765 | } | |
766 | EOS | |
767 | | CFG_MOTD QUOTEDSTRING | |
768 | { | |
769 | #ifdef ENABLE_HYBRID | |
770 | strlcpy(&isakmp_cfg_config.motd[0], $2->v, sizeof(isakmp_cfg_config.motd)); | |
771 | vfree($2); | |
772 | #else | |
773 | yyerror("racoon not configured with --enable-hybrid"); | |
774 | #endif | |
775 | } | |
776 | EOS | |
777 | ; | |
778 | ||
779 | addrdnslist | |
780 | : addrdns | |
781 | | addrdns COMMA addrdnslist | |
782 | ; | |
783 | addrdns | |
784 | : ADDRSTRING | |
785 | { | |
786 | #ifdef ENABLE_HYBRID | |
787 | struct isakmp_cfg_config *icc = &isakmp_cfg_config; | |
788 | ||
789 | if (icc->dns4_index > MAXNS) | |
790 | yyerror("No more than %d DNS", MAXNS); | |
791 | if (inet_pton(AF_INET, $1->v, | |
792 | &icc->dns4[icc->dns4_index++]) != 1) | |
793 | yyerror("bad IPv4 DNS address."); | |
794 | ||
795 | vfree($1); | |
796 | #else | |
797 | yyerror("racoon not configured with --enable-hybrid"); | |
798 | #endif | |
799 | } | |
800 | ; | |
801 | ||
802 | addrwinslist | |
803 | : addrwins | |
804 | | addrwins COMMA addrwinslist | |
805 | ; | |
806 | addrwins | |
807 | : ADDRSTRING | |
808 | { | |
809 | #ifdef ENABLE_HYBRID | |
810 | struct isakmp_cfg_config *icc = &isakmp_cfg_config; | |
811 | ||
812 | if (icc->nbns4_index > MAXWINS) | |
813 | yyerror("No more than %d WINS", MAXWINS); | |
814 | if (inet_pton(AF_INET, $1->v, | |
815 | &icc->nbns4[icc->nbns4_index++]) != 1) | |
816 | yyerror("bad IPv4 WINS address."); | |
817 | ||
818 | vfree($1); | |
819 | #else | |
820 | yyerror("racoon not configured with --enable-hybrid"); | |
821 | #endif | |
822 | } | |
823 | ; | |
824 | ||
825 | splitnetlist | |
826 | : splitnet | |
827 | | splitnetlist COMMA splitnet | |
828 | ; | |
829 | splitnet | |
830 | : ADDRSTRING PREFIX | |
831 | { | |
832 | #ifdef ENABLE_HYBRID | |
833 | struct isakmp_cfg_config *icc = &isakmp_cfg_config; | |
834 | struct unity_network network; | |
835 | ||
836 | if (inet_pton(AF_INET, $1->v, &network.addr4) != 1) | |
837 | yyerror("bad IPv4 SPLIT address."); | |
838 | ||
839 | /* Turn $2 (the prefix) into a subnet mask */ | |
840 | network.mask4.s_addr = ($2) ? htonl(~((1 << (32 - $2)) - 1)) : 0; | |
841 | ||
842 | /* add the network to our list */ | |
843 | if (splitnet_list_add(&icc->splitnet_list, &network,&icc->splitnet_count)) | |
844 | yyerror("Unable to allocate split network"); | |
845 | ||
846 | vfree($1); | |
847 | #else | |
848 | yyerror("racoon not configured with --enable-hybrid"); | |
849 | #endif | |
850 | } | |
851 | ; | |
852 | ||
853 | authgrouplist | |
854 | : authgroup | |
855 | | authgroup COMMA authgrouplist | |
856 | ; | |
857 | authgroup | |
858 | : QUOTEDSTRING | |
859 | { | |
860 | #ifdef ENABLE_HYBRID | |
861 | char * groupname = NULL; | |
862 | char ** grouplist = NULL; | |
863 | struct isakmp_cfg_config *icc = &isakmp_cfg_config; | |
864 | ||
865 | grouplist = racoon_realloc(icc->grouplist, | |
866 | sizeof(char**)*(icc->groupcount+1)); | |
867 | if (grouplist == NULL) | |
868 | yyerror("unable to allocate auth group list"); | |
869 | ||
870 | groupname = racoon_malloc($1->l+1); | |
871 | if (groupname == NULL) | |
872 | yyerror("unable to allocate auth group name"); | |
873 | ||
874 | memcpy(groupname,$1->v,$1->l); | |
875 | groupname[$1->l]=0; | |
876 | grouplist[icc->groupcount]=groupname; | |
877 | icc->grouplist = grouplist; | |
878 | icc->groupcount++; | |
879 | ||
880 | vfree($1); | |
881 | #else | |
882 | yyerror("racoon not configured with --enable-hybrid"); | |
883 | #endif | |
884 | } | |
885 | ; | |
886 | ||
887 | splitdnslist | |
888 | : splitdns | |
889 | | splitdns COMMA splitdnslist | |
890 | ; | |
891 | splitdns | |
892 | : QUOTEDSTRING | |
893 | { | |
894 | #ifdef ENABLE_HYBRID | |
895 | struct isakmp_cfg_config *icc = &isakmp_cfg_config; | |
896 | ||
897 | if (!icc->splitdns_len) | |
898 | { | |
899 | icc->splitdns_list = racoon_malloc($1->l); | |
900 | if(icc->splitdns_list == NULL) | |
901 | yyerror("error allocating splitdns list buffer"); | |
902 | memcpy(icc->splitdns_list,$1->v,$1->l); | |
903 | icc->splitdns_len = $1->l; | |
904 | } | |
905 | else | |
906 | { | |
907 | int len = icc->splitdns_len + $1->l + 1; | |
908 | icc->splitdns_list = racoon_realloc(icc->splitdns_list,len); | |
909 | if(icc->splitdns_list == NULL) | |
910 | yyerror("error allocating splitdns list buffer"); | |
911 | icc->splitdns_list[icc->splitdns_len] = ','; | |
912 | memcpy(icc->splitdns_list + icc->splitdns_len + 1, $1->v, $1->l); | |
913 | icc->splitdns_len = len; | |
914 | } | |
915 | vfree($1); | |
916 | #else | |
917 | yyerror("racoon not configured with --enable-hybrid"); | |
918 | #endif | |
919 | } | |
920 | ; | |
921 | ||
922 | ||
923 | /* timer */ | |
924 | timer_statement | |
925 | : RETRY BOC timer_stmts EOC | |
926 | ; | |
927 | timer_stmts | |
928 | : /* nothing */ | |
929 | | timer_stmts timer_stmt | |
930 | ; | |
931 | timer_stmt | |
932 | : RETRY_COUNTER NUMBER | |
933 | { | |
934 | lcconf->retry_counter = $2; | |
935 | } | |
936 | EOS | |
937 | | RETRY_INTERVAL NUMBER unittype_time | |
938 | { | |
939 | lcconf->retry_interval = $2 * $3; | |
940 | } | |
941 | EOS | |
942 | | RETRY_PERSEND NUMBER | |
943 | { | |
944 | lcconf->count_persend = $2; | |
945 | } | |
946 | EOS | |
947 | | RETRY_PHASE1 NUMBER unittype_time | |
948 | { | |
949 | lcconf->retry_checkph1 = $2 * $3; | |
950 | } | |
951 | EOS | |
952 | | RETRY_PHASE2 NUMBER unittype_time | |
953 | { | |
954 | lcconf->wait_ph2complete = $2 * $3; | |
955 | } | |
956 | EOS | |
957 | | AUTO_EXIT_DELAY NUMBER unittype_time | |
958 | { | |
959 | lcconf->auto_exit_delay = $2 * $3; | |
960 | lcconf->auto_exit_state |= LC_AUTOEXITSTATE_SET; | |
961 | } | |
962 | EOS | |
963 | ||
964 | | NATT_KA NUMBER unittype_time | |
965 | { | |
966 | #ifdef ENABLE_NATT | |
967 | lcconf->natt_ka_interval = $2 * $3; | |
968 | #else | |
969 | yyerror("NAT-T support not compiled in."); | |
970 | #endif | |
971 | } | |
972 | EOS | |
973 | ; | |
974 | ||
975 | /* sainfo */ | |
976 | sainfo_statement | |
977 | : SAINFO | |
978 | { | |
979 | cur_sainfo = newsainfo(); | |
980 | if (cur_sainfo == NULL) { | |
981 | yyerror("failed to allocate sainfo"); | |
982 | return -1; | |
983 | } | |
984 | } | |
985 | sainfo_name sainfo_param BOC sainfo_specs | |
986 | { | |
987 | struct sainfo *check; | |
988 | ||
989 | /* default */ | |
990 | if (cur_sainfo->algs[algclass_ipsec_enc] == 0) { | |
991 | yyerror("no encryption algorithm at %s", | |
992 | sainfo2str(cur_sainfo)); | |
993 | return -1; | |
994 | } | |
995 | if (cur_sainfo->algs[algclass_ipsec_auth] == 0) { | |
996 | yyerror("no authentication algorithm at %s", | |
997 | sainfo2str(cur_sainfo)); | |
998 | return -1; | |
999 | } | |
1000 | if (cur_sainfo->algs[algclass_ipsec_comp] == 0) { | |
1001 | yyerror("no compression algorithm at %s", | |
1002 | sainfo2str(cur_sainfo)); | |
1003 | return -1; | |
1004 | } | |
1005 | ||
1006 | /* duplicate check */ | |
1007 | check = getsainfo(cur_sainfo->idsrc, | |
1008 | cur_sainfo->iddst, | |
1009 | cur_sainfo->id_i, 0); | |
1010 | if (check && (!check->idsrc && !cur_sainfo->idsrc)) { | |
1011 | yyerror("duplicated sainfo: %s", | |
1012 | sainfo2str(cur_sainfo)); | |
1013 | return -1; | |
1014 | } | |
1015 | inssainfo(cur_sainfo); | |
1016 | } | |
1017 | EOC | |
1018 | ; | |
1019 | sainfo_name | |
1020 | : ANONYMOUS | |
1021 | { | |
1022 | cur_sainfo->idsrc = NULL; | |
1023 | cur_sainfo->iddst = NULL; | |
1024 | } | |
1025 | | ANONYMOUS sainfo_id | |
1026 | { | |
1027 | cur_sainfo->idsrc = NULL; | |
1028 | cur_sainfo->iddst = $2; | |
1029 | } | |
1030 | | sainfo_id ANONYMOUS | |
1031 | { | |
1032 | cur_sainfo->idsrc = $1; | |
1033 | cur_sainfo->iddst = NULL; | |
1034 | } | |
1035 | | sainfo_id sainfo_id | |
1036 | { | |
1037 | cur_sainfo->idsrc = $1; | |
1038 | cur_sainfo->iddst = $2; | |
1039 | } | |
1040 | ; | |
1041 | sainfo_id | |
1042 | : IDENTIFIERTYPE ADDRSTRING prefix port ul_proto | |
1043 | { | |
1044 | char portbuf[10]; | |
1045 | struct sockaddr *saddr; | |
1046 | ||
1047 | if (($5 == IPPROTO_ICMP || $5 == IPPROTO_ICMPV6) | |
1048 | && ($4 != IPSEC_PORT_ANY || $4 != IPSEC_PORT_ANY)) { | |
1049 | yyerror("port number must be \"any\"."); | |
1050 | return -1; | |
1051 | } | |
1052 | ||
1053 | snprintf(portbuf, sizeof(portbuf), "%lu", $4); | |
1054 | saddr = str2saddr($2->v, portbuf); | |
1055 | vfree($2); | |
1056 | if (saddr == NULL) | |
1057 | return -1; | |
1058 | ||
1059 | switch (saddr->sa_family) { | |
1060 | case AF_INET: | |
1061 | if ($5 == IPPROTO_ICMPV6) { | |
1062 | yyerror("upper layer protocol mismatched.\n"); | |
1063 | racoon_free(saddr); | |
1064 | return -1; | |
1065 | } | |
1066 | $$ = ipsecdoi_sockaddr2id(saddr, | |
1067 | $3 == ~0 ? (sizeof(struct in_addr) << 3): $3, | |
1068 | $5); | |
1069 | break; | |
1070 | #ifdef INET6 | |
1071 | case AF_INET6: | |
1072 | if ($5 == IPPROTO_ICMP) { | |
1073 | yyerror("upper layer protocol mismatched.\n"); | |
1074 | racoon_free(saddr); | |
1075 | return -1; | |
1076 | } | |
1077 | $$ = ipsecdoi_sockaddr2id(saddr, | |
1078 | $3 == ~0 ? (sizeof(struct in6_addr) << 3): $3, | |
1079 | $5); | |
1080 | break; | |
1081 | #endif | |
1082 | default: | |
1083 | yyerror("invalid family: %d", saddr->sa_family); | |
1084 | $$ = NULL; | |
1085 | break; | |
1086 | } | |
1087 | racoon_free(saddr); | |
1088 | if ($$ == NULL) | |
1089 | return -1; | |
1090 | } | |
1091 | | IDENTIFIERTYPE ADDRSTRING ADDRRANGE prefix port ul_proto | |
1092 | { | |
1093 | char portbuf[10]; | |
1094 | struct sockaddr *laddr = NULL, *haddr = NULL; | |
1095 | char *cur = NULL; | |
1096 | ||
1097 | if (($6 == IPPROTO_ICMP || $6 == IPPROTO_ICMPV6) | |
1098 | && ($5 != IPSEC_PORT_ANY || $5 != IPSEC_PORT_ANY)) { | |
1099 | yyerror("port number must be \"any\"."); | |
1100 | return -1; | |
1101 | } | |
1102 | ||
1103 | snprintf(portbuf, sizeof(portbuf), "%lu", $5); | |
1104 | ||
1105 | laddr = str2saddr($2->v, portbuf); | |
1106 | if (laddr == NULL) { | |
1107 | return -1; | |
1108 | } | |
1109 | vfree($2); | |
1110 | haddr = str2saddr($3->v, portbuf); | |
1111 | if (haddr == NULL) { | |
1112 | racoon_free(laddr); | |
1113 | return -1; | |
1114 | } | |
1115 | vfree($3); | |
1116 | ||
1117 | switch (laddr->sa_family) { | |
1118 | case AF_INET: | |
1119 | if ($6 == IPPROTO_ICMPV6) { | |
1120 | yyerror("upper layer protocol mismatched.\n"); | |
1121 | if (laddr) | |
1122 | racoon_free(laddr); | |
1123 | if (haddr) | |
1124 | racoon_free(haddr); | |
1125 | return -1; | |
1126 | } | |
1127 | $$ = ipsecdoi_sockrange2id(laddr, haddr, | |
1128 | $6); | |
1129 | break; | |
1130 | #ifdef INET6 | |
1131 | case AF_INET6: | |
1132 | if ($6 == IPPROTO_ICMP) { | |
1133 | yyerror("upper layer protocol mismatched.\n"); | |
1134 | if (laddr) | |
1135 | racoon_free(laddr); | |
1136 | if (haddr) | |
1137 | racoon_free(haddr); | |
1138 | return -1; | |
1139 | } | |
1140 | $$ = ipsecdoi_sockrange2id(laddr, haddr, | |
1141 | $6); | |
1142 | break; | |
1143 | #endif | |
1144 | default: | |
1145 | yyerror("invalid family: %d", laddr->sa_family); | |
1146 | $$ = NULL; | |
1147 | break; | |
1148 | } | |
1149 | if (laddr) | |
1150 | racoon_free(laddr); | |
1151 | if (haddr) | |
1152 | racoon_free(haddr); | |
1153 | if ($$ == NULL) | |
1154 | return -1; | |
1155 | } | |
1156 | | IDENTIFIERTYPE QUOTEDSTRING | |
1157 | { | |
1158 | struct ipsecdoi_id_b *id_b; | |
1159 | ||
1160 | if ($1 == IDTYPE_ASN1DN) { | |
1161 | yyerror("id type forbidden: %d", $1); | |
1162 | $$ = NULL; | |
1163 | return -1; | |
1164 | } | |
1165 | ||
1166 | $2->l--; | |
1167 | ||
1168 | $$ = vmalloc(sizeof(*id_b) + $2->l); | |
1169 | if ($$ == NULL) { | |
1170 | yyerror("failed to allocate identifier"); | |
1171 | return -1; | |
1172 | } | |
1173 | ||
1174 | id_b = (struct ipsecdoi_id_b *)$$->v; | |
1175 | id_b->type = idtype2doi($1); | |
1176 | ||
1177 | id_b->proto_id = 0; | |
1178 | id_b->port = 0; | |
1179 | ||
1180 | memcpy($$->v + sizeof(*id_b), $2->v, $2->l); | |
1181 | } | |
1182 | ; | |
1183 | sainfo_param | |
1184 | : /* nothing */ | |
1185 | { | |
1186 | cur_sainfo->id_i = NULL; | |
1187 | } | |
1188 | ||
1189 | | FROM IDENTIFIERTYPE identifierstring | |
1190 | { | |
1191 | struct ipsecdoi_id_b *id_b; | |
1192 | vchar_t *idv; | |
1193 | ||
1194 | if (set_identifier(&idv, $2, $3) != 0) { | |
1195 | yyerror("failed to set identifer.\n"); | |
1196 | return -1; | |
1197 | } | |
1198 | cur_sainfo->id_i = vmalloc(sizeof(*id_b) + idv->l); | |
1199 | if (cur_sainfo->id_i == NULL) { | |
1200 | yyerror("failed to allocate identifier"); | |
1201 | return -1; | |
1202 | } | |
1203 | ||
1204 | id_b = (struct ipsecdoi_id_b *)cur_sainfo->id_i->v; | |
1205 | id_b->type = idtype2doi($2); | |
1206 | ||
1207 | id_b->proto_id = 0; | |
1208 | id_b->port = 0; | |
1209 | ||
1210 | memcpy(cur_sainfo->id_i->v + sizeof(*id_b), | |
1211 | idv->v, idv->l); | |
1212 | vfree(idv); | |
1213 | } | |
1214 | | GROUP QUOTEDSTRING | |
1215 | { | |
1216 | #ifdef ENABLE_HYBRID | |
1217 | if ((cur_sainfo->group = vdup($2)) == NULL) { | |
1218 | yyerror("failed to set sainfo xauth group.\n"); | |
1219 | return -1; | |
1220 | } | |
1221 | #else | |
1222 | yyerror("racoon not configured with --enable-hybrid"); | |
1223 | return -1; | |
1224 | #endif | |
1225 | } | |
1226 | ; | |
1227 | sainfo_specs | |
1228 | : /* nothing */ | |
1229 | | sainfo_specs sainfo_spec | |
1230 | ; | |
1231 | sainfo_spec | |
1232 | : PFS_GROUP dh_group_num | |
1233 | { | |
1234 | cur_sainfo->pfs_group = $2; | |
1235 | #ifndef HAVE_OPENSSL | |
1236 | if (cur_sainfo->pfs_group != OAKLEY_ATTR_GRP_DESC_MODP1024 | |
1237 | && cur_sainfo->pfs_group != OAKLEY_ATTR_GRP_DESC_MODP1536) { | |
1238 | yyerror("PFS group must be 2 or 5"); | |
1239 | return -1; | |
1240 | } | |
1241 | #endif | |
1242 | } | |
1243 | EOS | |
1244 | | LIFETIME LIFETYPE_TIME NUMBER unittype_time | |
1245 | { | |
1246 | cur_sainfo->lifetime = $3 * $4; | |
1247 | } | |
1248 | EOS | |
1249 | | LIFETIME LIFETYPE_BYTE NUMBER unittype_byte | |
1250 | { | |
1251 | #if 1 | |
1252 | yyerror("byte lifetime support is deprecated"); | |
1253 | return -1; | |
1254 | #else | |
1255 | cur_sainfo->lifebyte = fix_lifebyte($3 * $4); | |
1256 | if (cur_sainfo->lifebyte == 0) | |
1257 | return -1; | |
1258 | #endif | |
1259 | } | |
1260 | EOS | |
1261 | | ALGORITHM_CLASS { | |
1262 | cur_algclass = $1; | |
1263 | } | |
1264 | algorithms EOS | |
1265 | | IDENTIFIER IDENTIFIERTYPE | |
1266 | { | |
1267 | yyerror("it's deprecated to specify a identifier in phase 2"); | |
1268 | } | |
1269 | EOS | |
1270 | | MY_IDENTIFIER IDENTIFIERTYPE QUOTEDSTRING | |
1271 | { | |
1272 | yyerror("it's deprecated to specify a identifier in phase 2"); | |
1273 | } | |
1274 | EOS | |
1275 | ; | |
1276 | ||
1277 | algorithms | |
1278 | : algorithm | |
1279 | { | |
1280 | inssainfoalg(&cur_sainfo->algs[cur_algclass], $1); | |
1281 | } | |
1282 | | algorithm | |
1283 | { | |
1284 | inssainfoalg(&cur_sainfo->algs[cur_algclass], $1); | |
1285 | } | |
1286 | COMMA algorithms | |
1287 | ; | |
1288 | algorithm | |
1289 | : ALGORITHMTYPE keylength | |
1290 | { | |
1291 | int defklen; | |
1292 | ||
1293 | $$ = newsainfoalg(); | |
1294 | if ($$ == NULL) { | |
1295 | yyerror("failed to get algorithm allocation"); | |
1296 | return -1; | |
1297 | } | |
1298 | ||
1299 | $$->alg = algtype2doi(cur_algclass, $1); | |
1300 | if ($$->alg == -1) { | |
1301 | yyerror("algorithm mismatched"); | |
1302 | racoon_free($$); | |
1303 | $$ = NULL; | |
1304 | return -1; | |
1305 | } | |
1306 | ||
1307 | defklen = default_keylen(cur_algclass, $1); | |
1308 | if (defklen == 0) { | |
1309 | if ($2) { | |
1310 | yyerror("keylen not allowed"); | |
1311 | racoon_free($$); | |
1312 | $$ = NULL; | |
1313 | return -1; | |
1314 | } | |
1315 | } else { | |
1316 | if ($2 && check_keylen(cur_algclass, $1, $2) < 0) { | |
1317 | yyerror("invalid keylen %d", $2); | |
1318 | racoon_free($$); | |
1319 | $$ = NULL; | |
1320 | return -1; | |
1321 | } | |
1322 | } | |
1323 | ||
1324 | if ($2) | |
1325 | $$->encklen = $2; | |
1326 | else | |
1327 | $$->encklen = defklen; | |
1328 | ||
1329 | /* check if it's supported algorithm by kernel */ | |
1330 | if (!(cur_algclass == algclass_ipsec_auth && $1 == algtype_non_auth) | |
1331 | && pk_checkalg(cur_algclass, $1, $$->encklen)) { | |
1332 | int a = algclass2doi(cur_algclass); | |
1333 | int b = algtype2doi(cur_algclass, $1); | |
1334 | if (a == IPSECDOI_ATTR_AUTH) | |
1335 | a = IPSECDOI_PROTO_IPSEC_AH; | |
1336 | yyerror("algorithm %s not supported by the kernel (missing module?)", | |
1337 | s_ipsecdoi_trns(a, b)); | |
1338 | racoon_free($$); | |
1339 | $$ = NULL; | |
1340 | return -1; | |
1341 | } | |
1342 | } | |
1343 | ; | |
1344 | prefix | |
1345 | : /* nothing */ { $$ = ~0; } | |
1346 | | PREFIX { $$ = $1; } | |
1347 | ; | |
1348 | port | |
1349 | : /* nothing */ { $$ = IPSEC_PORT_ANY; } | |
1350 | | PORT { $$ = $1; } | |
1351 | | PORTANY { $$ = IPSEC_PORT_ANY; } | |
1352 | ; | |
1353 | ul_proto | |
1354 | : NUMBER { $$ = $1; } | |
1355 | | UL_PROTO { $$ = $1; } | |
1356 | | ANY { $$ = IPSEC_ULPROTO_ANY; } | |
1357 | ; | |
1358 | keylength | |
1359 | : /* nothing */ { $$ = 0; } | |
1360 | | NUMBER { $$ = $1; } | |
1361 | ; | |
1362 | ||
1363 | /* remote */ | |
1364 | remote_statement | |
1365 | : REMOTE remote_index INHERIT remote_index | |
1366 | { | |
1367 | struct remoteconf *new; | |
1368 | struct proposalspec *prspec; | |
1369 | ||
1370 | new = copyrmconf($4); | |
1371 | if (new == NULL) { | |
1372 | yyerror("failed to get remoteconf for %s.", saddr2str ($4)); | |
1373 | return -1; | |
1374 | } | |
1375 | ||
1376 | new->remote = $2; | |
1377 | new->inherited_from = getrmconf_strict($4, 1); | |
1378 | new->proposal = NULL; | |
1379 | new->prhead = NULL; | |
1380 | cur_rmconf = new; | |
1381 | ||
1382 | prspec = newprspec(); | |
1383 | if (prspec == NULL || !cur_rmconf->inherited_from | |
1384 | || !cur_rmconf->inherited_from->proposal) | |
1385 | return -1; | |
1386 | prspec->lifetime = cur_rmconf->inherited_from->proposal->lifetime; | |
1387 | prspec->lifebyte = cur_rmconf->inherited_from->proposal->lifebyte; | |
1388 | insprspec(prspec, &cur_rmconf->prhead); | |
1389 | } | |
1390 | remote_specs_block | |
1391 | | REMOTE remote_index | |
1392 | { | |
1393 | struct remoteconf *new; | |
1394 | struct proposalspec *prspec; | |
1395 | ||
1396 | new = newrmconf(); | |
1397 | if (new == NULL) { | |
1398 | yyerror("failed to get new remoteconf."); | |
1399 | return -1; | |
1400 | } | |
1401 | ||
1402 | new->remote = $2; | |
1403 | cur_rmconf = new; | |
1404 | ||
1405 | prspec = newprspec(); | |
1406 | if (prspec == NULL) | |
1407 | return -1; | |
1408 | prspec->lifetime = oakley_get_defaultlifetime(); | |
1409 | insprspec(prspec, &cur_rmconf->prhead); | |
1410 | } | |
1411 | remote_specs_block | |
1412 | ; | |
1413 | ||
1414 | remote_specs_block | |
1415 | : BOC remote_specs EOC | |
1416 | { | |
1417 | /* check a exchange mode */ | |
1418 | if (cur_rmconf->etypes == NULL) { | |
1419 | yyerror("no exchange mode specified.\n"); | |
1420 | return -1; | |
1421 | } | |
1422 | ||
1423 | if (cur_rmconf->idvtype == IDTYPE_UNDEFINED) | |
1424 | cur_rmconf->idvtype = IDTYPE_ADDRESS; | |
1425 | ||
1426 | ||
1427 | if (cur_rmconf->idvtype == IDTYPE_ASN1DN) { | |
1428 | if (cur_rmconf->mycertfile | |
1429 | || cur_rmconf->identity_in_keychain) | |
1430 | { | |
1431 | if (cur_rmconf->idv) | |
1432 | yywarn("Both CERT and ASN1 ID " | |
1433 | "are set. Hope this is OK.\n"); | |
1434 | /* TODO: Preparse the DN here */ | |
1435 | } else if (cur_rmconf->idv) { | |
1436 | /* OK, using asn1dn without X.509. */ | |
1437 | } else { | |
1438 | yyerror("ASN1 ID not specified " | |
1439 | "and no CERT defined!\n"); | |
1440 | return -1; | |
1441 | } | |
1442 | } | |
1443 | ||
1444 | if (cur_rmconf->cert_verification_option == VERIFICATION_OPTION_PEERS_IDENTIFIER) { | |
1445 | struct genlist_entry *gpb; | |
1446 | if (genlist_next(cur_rmconf->idvl_p, &gpb) == NULL) { | |
1447 | yyerror("peers_identifier required for specified certificate " | |
1448 | "verification option.\n"); | |
1449 | return -1; | |
1450 | } | |
1451 | } | |
1452 | ||
1453 | if (cur_rmconf->prhead->spspec == NULL | |
1454 | && cur_rmconf->inherited_from | |
1455 | && cur_rmconf->inherited_from->prhead) { | |
1456 | cur_rmconf->prhead->spspec = cur_rmconf->inherited_from->prhead->spspec; | |
1457 | } | |
1458 | if (set_isakmp_proposal(cur_rmconf, cur_rmconf->prhead) != 0) | |
1459 | return -1; | |
1460 | ||
1461 | /* DH group settting if aggressive mode is there. */ | |
1462 | if (check_etypeok(cur_rmconf, ISAKMP_ETYPE_AGG) != NULL) { | |
1463 | struct isakmpsa *p; | |
1464 | int b = 0; | |
1465 | ||
1466 | /* DH group */ | |
1467 | for (p = cur_rmconf->proposal; p; p = p->next) { | |
1468 | if (b == 0 || (b && b == p->dh_group)) { | |
1469 | b = p->dh_group; | |
1470 | continue; | |
1471 | } | |
1472 | yyerror("DH group must be equal " | |
1473 | "in all proposals " | |
1474 | "when aggressive mode is " | |
1475 | "used.\n"); | |
1476 | return -1; | |
1477 | } | |
1478 | cur_rmconf->dh_group = b; | |
1479 | ||
1480 | if (cur_rmconf->dh_group == 0) { | |
1481 | yyerror("DH group must be set in the proposal.\n"); | |
1482 | return -1; | |
1483 | } | |
1484 | ||
1485 | /* DH group settting if PFS is required. */ | |
1486 | if (oakley_setdhgroup(cur_rmconf->dh_group, | |
1487 | &cur_rmconf->dhgrp) < 0) { | |
1488 | yyerror("failed to set DH value.\n"); | |
1489 | return -1; | |
1490 | } | |
1491 | } | |
1492 | ||
1493 | insrmconf(cur_rmconf); | |
1494 | } | |
1495 | ; | |
1496 | remote_index | |
1497 | : ANONYMOUS ike_port | |
1498 | { | |
1499 | $$ = newsaddr(sizeof(struct sockaddr)); | |
1500 | $$->sa_family = AF_UNSPEC; | |
1501 | ((struct sockaddr_in *)$$)->sin_port = htons($2); | |
1502 | } | |
1503 | | ike_addrinfo_port | |
1504 | { | |
1505 | $$ = $1; | |
1506 | if ($$ == NULL) { | |
1507 | yyerror("failed to allocate sockaddr"); | |
1508 | return -1; | |
1509 | } | |
1510 | } | |
1511 | ; | |
1512 | remote_specs | |
1513 | : /* nothing */ | |
1514 | | remote_specs remote_spec | |
1515 | ; | |
1516 | remote_spec | |
1517 | : EXCHANGE_MODE | |
1518 | { | |
1519 | cur_rmconf->etypes = NULL; | |
1520 | } | |
1521 | exchange_types EOS | |
1522 | | DOI DOITYPE { cur_rmconf->doitype = $2; } EOS | |
1523 | | SITUATION SITUATIONTYPE { cur_rmconf->sittype = $2; } EOS | |
1524 | | CERTIFICATE_TYPE cert_spec | |
1525 | | PEERS_CERTFILE QUOTEDSTRING | |
1526 | { | |
1527 | #ifdef HAVE_OPENSSL | |
1528 | yywarn("This directive without certtype will be removed!\n"); | |
1529 | yywarn("Please use 'peers_certfile x509 \"%s\";' instead\n", $2->v); | |
1530 | cur_rmconf->getcert_method = ISAKMP_GETCERT_LOCALFILE; | |
1531 | ||
1532 | if (cur_rmconf->peerscertfile != NULL) | |
1533 | racoon_free(cur_rmconf->peerscertfile); | |
1534 | cur_rmconf->peerscertfile = racoon_strdup($2->v); | |
1535 | STRDUP_FATAL(cur_rmconf->peerscertfile); | |
1536 | vfree($2); | |
1537 | #else | |
1538 | yyerror("cert files not supported.\n"); | |
1539 | return -1; | |
1540 | #endif | |
1541 | } | |
1542 | EOS | |
1543 | | CA_TYPE CERT_X509 QUOTEDSTRING | |
1544 | { | |
1545 | #ifdef HAVE_OPENSSL | |
1546 | cur_rmconf->cacerttype = $2; | |
1547 | cur_rmconf->getcacert_method = ISAKMP_GETCERT_LOCALFILE; | |
1548 | if (cur_rmconf->cacertfile != NULL) | |
1549 | racoon_free(cur_rmconf->cacertfile); | |
1550 | cur_rmconf->cacertfile = racoon_strdup($3->v); | |
1551 | STRDUP_FATAL(cur_rmconf->cacertfile); | |
1552 | vfree($3); | |
1553 | #else | |
1554 | yyerror("cert files not supported.\n"); | |
1555 | return -1; | |
1556 | #endif | |
1557 | ||
1558 | } | |
1559 | EOS | |
1560 | | PEERS_CERTFILE CERT_X509 QUOTEDSTRING | |
1561 | { | |
1562 | #ifdef HAVE_OPENSSL | |
1563 | cur_rmconf->getcert_method = ISAKMP_GETCERT_LOCALFILE; | |
1564 | if (cur_rmconf->peerscertfile != NULL) | |
1565 | racoon_free(cur_rmconf->peerscertfile); | |
1566 | cur_rmconf->peerscertfile = racoon_strdup($3->v); | |
1567 | STRDUP_FATAL(cur_rmconf->peerscertfile); | |
1568 | vfree($3); | |
1569 | #else | |
1570 | yyerror("cert files not supported.\n"); | |
1571 | return -1; | |
1572 | #endif | |
1573 | ||
1574 | } | |
1575 | EOS | |
1576 | | PEERS_CERTFILE CERT_PLAINRSA QUOTEDSTRING | |
1577 | { | |
1578 | #ifdef HAVE_OPENSSL | |
1579 | char path[MAXPATHLEN]; | |
1580 | int ret = 0; | |
1581 | ||
1582 | getpathname(path, sizeof(path), | |
1583 | LC_PATHTYPE_CERT, $3->v); | |
1584 | vfree($3); | |
1585 | ||
1586 | if (cur_rmconf->getcert_method == ISAKMP_GETCERT_DNS) { | |
1587 | yyerror("Different peers_certfile method " | |
1588 | "already defined: %d!\n", | |
1589 | cur_rmconf->getcert_method); | |
1590 | return -1; | |
1591 | } | |
1592 | cur_rmconf->getcert_method = ISAKMP_GETCERT_LOCALFILE; | |
1593 | if (rsa_parse_file(cur_rmconf->rsa_public, path, RSA_TYPE_PUBLIC)) { | |
1594 | yyerror("Couldn't parse keyfile.\n", path); | |
1595 | return -1; | |
1596 | } | |
1597 | plog(LLV_DEBUG, LOCATION, NULL, "Public PlainRSA keyfile parsed: %s\n", path); | |
1598 | #else | |
1599 | yyerror("plainrsa not supported.\n"); | |
1600 | return -1; | |
1601 | #endif | |
1602 | } | |
1603 | EOS | |
1604 | | PEERS_CERTFILE DNSSEC | |
1605 | { | |
1606 | if (cur_rmconf->getcert_method) { | |
1607 | yyerror("Different peers_certfile method already defined!\n"); | |
1608 | return -1; | |
1609 | } | |
1610 | cur_rmconf->getcert_method = ISAKMP_GETCERT_DNS; | |
1611 | cur_rmconf->peerscertfile = NULL; | |
1612 | } | |
1613 | EOS | |
1614 | | VERIFY_CERT SWITCH { cur_rmconf->verify_cert = $2; } EOS | |
1615 | | SEND_CERT SWITCH { cur_rmconf->send_cert = $2; } EOS | |
1616 | | SEND_CR SWITCH { cur_rmconf->send_cr = $2; } EOS | |
1617 | | CERTIFICATE_VERIFICATION VERIFICATION_MODULE | |
1618 | { | |
1619 | cur_rmconf->cert_verification = $2; | |
1620 | } EOS | |
1621 | | CERTIFICATE_VERIFICATION VERIFICATION_MODULE VERIFICATION_OPTION | |
1622 | { | |
1623 | cur_rmconf->cert_verification = $2; | |
1624 | cur_rmconf->cert_verification_option = $3; | |
1625 | } | |
1626 | EOS | |
1627 | | OPEN_DIR_AUTH_GROUP QUOTEDSTRING | |
1628 | { | |
1629 | #if HAVE_OPENDIR | |
1630 | cur_rmconf->open_dir_auth_group = $2; | |
1631 | #else | |
1632 | yyerror("Apple specific features not compiled in."); | |
1633 | return -1; | |
1634 | #endif | |
1635 | } EOS | |
1636 | | MY_IDENTIFIER IDENTIFIERTYPE identifierstring | |
1637 | { | |
1638 | if (set_identifier(&cur_rmconf->idv, $2, $3) != 0) { | |
1639 | yyerror("failed to set identifer.\n"); | |
1640 | vfree($3); //%%% BUG FIX - memory leak | |
1641 | return -1; | |
1642 | } | |
1643 | vfree($3); //%%% BUG FIX - memory leak | |
1644 | cur_rmconf->idvtype = $2; | |
1645 | } | |
1646 | EOS | |
1647 | | MY_IDENTIFIER IDENTIFIERTYPE IDENTIFIERQUAL identifierstring | |
1648 | { | |
1649 | if (set_identifier_qual(&cur_rmconf->idv, $2, $4, $3) != 0) { | |
1650 | yyerror("failed to set identifer.\n"); | |
1651 | return -1; | |
1652 | } | |
1653 | cur_rmconf->idvtype = $2; | |
1654 | } | |
1655 | EOS | |
1656 | | XAUTH_LOGIN identifierstring | |
1657 | { | |
1658 | #ifdef ENABLE_HYBRID | |
1659 | /* formerly identifier type login */ | |
1660 | if (xauth_rmconf_used(&cur_rmconf->xauth) == -1) { | |
1661 | yyerror("failed to allocate xauth state\n"); | |
1662 | return -1; | |
1663 | } | |
1664 | if ((cur_rmconf->xauth->login = vdup($2)) == NULL) { | |
1665 | yyerror("failed to set identifer.\n"); | |
1666 | return -1; | |
1667 | } | |
1668 | vfree($2); //%%% BUG FIX - memory leak | |
1669 | #else | |
1670 | yyerror("racoon not configured with --enable-hybrid"); | |
1671 | #endif | |
1672 | } | |
1673 | EOS | |
1674 | | PEERS_IDENTIFIER IDENTIFIERTYPE identifierstring | |
1675 | { | |
1676 | struct idspec *id; | |
1677 | id = newidspec(); | |
1678 | if (id == NULL) { | |
1679 | yyerror("failed to allocate idspec"); | |
1680 | return -1; | |
1681 | } | |
1682 | if (set_identifier(&id->id, $2, $3) != 0) { | |
1683 | yyerror("failed to set identifer.\n"); | |
1684 | racoon_free(id); | |
1685 | vfree($3); //%%% BUG FIX - memory leak | |
1686 | return -1; | |
1687 | } | |
1688 | vfree($3); //%%% BUG FIX - memory leak | |
1689 | id->idtype = $2; | |
1690 | genlist_append (cur_rmconf->idvl_p, id); | |
1691 | } | |
1692 | EOS | |
1693 | | PEERS_IDENTIFIER IDENTIFIERTYPE IDENTIFIERQUAL identifierstring | |
1694 | { | |
1695 | struct idspec *id; | |
1696 | id = newidspec(); | |
1697 | if (id == NULL) { | |
1698 | yyerror("failed to allocate idspec"); | |
1699 | return -1; | |
1700 | } | |
1701 | if (set_identifier_qual(&id->id, $2, $4, $3) != 0) { | |
1702 | yyerror("failed to set identifer.\n"); | |
1703 | racoon_free(id); | |
1704 | return -1; | |
1705 | } | |
1706 | id->idtype = $2; | |
1707 | genlist_append (cur_rmconf->idvl_p, id); | |
1708 | } | |
1709 | EOS | |
1710 | | VERIFY_IDENTIFIER SWITCH { cur_rmconf->verify_identifier = $2; } EOS | |
1711 | | SHARED_SECRET SECRETTYPE QUOTEDSTRING | |
1712 | { | |
1713 | cur_rmconf->secrettype = $2; | |
1714 | cur_rmconf->shared_secret = $3; | |
1715 | } EOS | |
1716 | | SHARED_SECRET SECRETTYPE | |
1717 | { | |
1718 | if ($2 != SECRETTYPE_KEYCHAIN_BY_ID) { | |
1719 | yyerror("shared secret value missing.\n"); | |
1720 | return -1; | |
1721 | } | |
1722 | cur_rmconf->secrettype = $2; | |
1723 | } EOS | |
1724 | | NONCE_SIZE NUMBER { cur_rmconf->nonce_size = $2; } EOS | |
1725 | | DH_GROUP | |
1726 | { | |
1727 | yyerror("dh_group cannot be defined here."); | |
1728 | return -1; | |
1729 | } | |
1730 | dh_group_num EOS | |
1731 | | PASSIVE SWITCH { cur_rmconf->passive = $2; } EOS | |
1732 | | IKE_FRAG SWITCH { cur_rmconf->ike_frag = $2; } EOS | |
1733 | | IKE_FRAG REMOTE_FORCE_LEVEL { cur_rmconf->ike_frag = ISAKMP_FRAG_FORCE; } EOS | |
1734 | | ESP_FRAG NUMBER { | |
1735 | #ifdef SADB_X_EXT_NAT_T_FRAG | |
1736 | if (libipsec_opt & LIBIPSEC_OPT_FRAG) | |
1737 | cur_rmconf->esp_frag = $2; | |
1738 | else | |
1739 | yywarn("libipsec lacks IKE frag support"); | |
1740 | #else | |
1741 | yywarn("Your kernel does not support esp_frag"); | |
1742 | #endif | |
1743 | } EOS | |
1744 | | SCRIPT QUOTEDSTRING PHASE1_UP { | |
1745 | if (cur_rmconf->script[SCRIPT_PHASE1_UP] != NULL) | |
1746 | vfree(cur_rmconf->script[SCRIPT_PHASE1_UP]); | |
1747 | ||
1748 | cur_rmconf->script[SCRIPT_PHASE1_UP] = | |
1749 | script_path_add(vdup($2)); | |
1750 | } EOS | |
1751 | | SCRIPT QUOTEDSTRING PHASE1_DOWN { | |
1752 | if (cur_rmconf->script[SCRIPT_PHASE1_DOWN] != NULL) | |
1753 | vfree(cur_rmconf->script[SCRIPT_PHASE1_DOWN]); | |
1754 | ||
1755 | cur_rmconf->script[SCRIPT_PHASE1_DOWN] = | |
1756 | script_path_add(vdup($2)); | |
1757 | } EOS | |
1758 | | MODE_CFG SWITCH { cur_rmconf->mode_cfg = $2; } EOS | |
1759 | | WEAK_PHASE1_CHECK SWITCH { | |
1760 | cur_rmconf->weak_phase1_check = $2; | |
1761 | } EOS | |
1762 | | GENERATE_POLICY SWITCH { cur_rmconf->gen_policy = $2; } EOS | |
1763 | | GENERATE_POLICY GENERATE_LEVEL { cur_rmconf->gen_policy = $2; } EOS | |
1764 | | SUPPORT_PROXY SWITCH { cur_rmconf->support_proxy = $2; } EOS | |
1765 | | INITIAL_CONTACT SWITCH { cur_rmconf->ini_contact = $2; } EOS | |
1766 | | NAT_TRAVERSAL SWITCH | |
1767 | { | |
1768 | #ifdef ENABLE_NATT | |
1769 | cur_rmconf->nat_traversal = $2; | |
1770 | #else | |
1771 | yyerror("NAT-T support not compiled in."); | |
1772 | #endif | |
1773 | } EOS | |
1774 | | NAT_TRAVERSAL NAT_TRAVERSAL_LEVEL | |
1775 | { | |
1776 | #ifdef ENABLE_NATT | |
1777 | cur_rmconf->nat_traversal = $2; | |
1778 | #else | |
1779 | yyerror("NAT-T support not compiled in."); | |
1780 | #endif | |
1781 | } EOS | |
1782 | | NAT_TRAVERSAL_MULTI_USER SWITCH | |
1783 | { | |
1784 | #ifdef ENABLE_NATT | |
1785 | cur_rmconf->natt_multiple_user = $2; | |
1786 | #else | |
1787 | yyerror("NAT-T support not compiled in."); | |
1788 | #endif | |
1789 | } EOS | |
1790 | | NAT_TRAVERSAL_KEEPALIVE SWITCH | |
1791 | { | |
1792 | #ifdef ENABLE_NATT | |
1793 | cur_rmconf->natt_keepalive = $2; | |
1794 | #else | |
1795 | yyerror("NAT-T support not compiled in."); | |
1796 | #endif | |
1797 | } EOS | |
1798 | | DPD SWITCH | |
1799 | { | |
1800 | #ifdef ENABLE_DPD | |
1801 | cur_rmconf->dpd = $2; | |
1802 | #else | |
1803 | yyerror("DPD support not compiled in."); | |
1804 | #endif | |
1805 | } EOS | |
1806 | | DPD_DELAY NUMBER | |
1807 | { | |
1808 | #ifdef ENABLE_DPD | |
1809 | cur_rmconf->dpd_interval = $2; | |
1810 | #else | |
1811 | yyerror("DPD support not compiled in."); | |
1812 | #endif | |
1813 | } | |
1814 | EOS | |
1815 | | DPD_RETRY NUMBER | |
1816 | { | |
1817 | #ifdef ENABLE_DPD | |
1818 | cur_rmconf->dpd_retry = $2; | |
1819 | #else | |
1820 | yyerror("DPD support not compiled in."); | |
1821 | #endif | |
1822 | } | |
1823 | EOS | |
1824 | | DPD_MAXFAIL NUMBER | |
1825 | { | |
1826 | #ifdef ENABLE_DPD | |
1827 | cur_rmconf->dpd_maxfails = $2; | |
1828 | #else | |
1829 | yyerror("DPD support not compiled in."); | |
1830 | #endif | |
1831 | } | |
1832 | EOS | |
1833 | | DPD_ALGORITHM dpd_algo_type | |
1834 | { | |
1835 | #ifdef ENABLE_DPD | |
1836 | cur_rmconf->dpd_algo = $2; | |
1837 | #else | |
1838 | yyerror("DPD support not compiled in."); | |
1839 | #endif | |
1840 | } | |
1841 | EOS | |
1842 | | DISCONNECT_ON_IDLE IDLE_TIMEOUT NUMBER IDLE_DIRECTION idle_dir_type | |
1843 | { | |
1844 | cur_rmconf->idle_timeout = $3; | |
1845 | cur_rmconf->idle_timeout_dir = $5; | |
1846 | } | |
1847 | EOS | |
1848 | | LIFETIME LIFETYPE_TIME NUMBER unittype_time | |
1849 | { | |
1850 | cur_rmconf->prhead->lifetime = $3 * $4; | |
1851 | } | |
1852 | EOS | |
1853 | | PROPOSAL_CHECK PROPOSAL_CHECK_LEVEL { cur_rmconf->pcheck_level = $2; } EOS | |
1854 | | LIFETIME LIFETYPE_BYTE NUMBER unittype_byte | |
1855 | { | |
1856 | #if 1 | |
1857 | yyerror("byte lifetime support is deprecated in Phase1"); | |
1858 | return -1; | |
1859 | #else | |
1860 | yywarn("the lifetime of bytes in phase 1 " | |
1861 | "will be ignored at the moment."); | |
1862 | cur_rmconf->prhead->lifebyte = fix_lifebyte($3 * $4); | |
1863 | if (cur_rmconf->prhead->lifebyte == 0) | |
1864 | return -1; | |
1865 | #endif | |
1866 | } | |
1867 | EOS | |
1868 | | PROPOSAL | |
1869 | { | |
1870 | struct secprotospec *spspec; | |
1871 | ||
1872 | spspec = newspspec(); | |
1873 | if (spspec == NULL) | |
1874 | return -1; | |
1875 | insspspec(spspec, &cur_rmconf->prhead); | |
1876 | } | |
1877 | BOC isakmpproposal_specs EOC | |
1878 | ; | |
1879 | exchange_types | |
1880 | : /* nothing */ | |
1881 | | exchange_types EXCHANGETYPE | |
1882 | { | |
1883 | struct etypes *new; | |
1884 | new = racoon_malloc(sizeof(struct etypes)); | |
1885 | if (new == NULL) { | |
1886 | yyerror("failed to allocate etypes"); | |
1887 | return -1; | |
1888 | } | |
1889 | new->type = $2; | |
1890 | new->next = NULL; | |
1891 | if (cur_rmconf->etypes == NULL) | |
1892 | cur_rmconf->etypes = new; | |
1893 | else { | |
1894 | struct etypes *p; | |
1895 | for (p = cur_rmconf->etypes; | |
1896 | p->next != NULL; | |
1897 | p = p->next) | |
1898 | ; | |
1899 | p->next = new; | |
1900 | } | |
1901 | } | |
1902 | ; | |
1903 | cert_spec | |
1904 | : CERT_X509 QUOTEDSTRING QUOTEDSTRING | |
1905 | { | |
1906 | cur_rmconf->certtype = $1; | |
1907 | if (cur_rmconf->mycertfile != NULL) | |
1908 | racoon_free(cur_rmconf->mycertfile); | |
1909 | cur_rmconf->mycertfile = racoon_strdup($2->v); | |
1910 | STRDUP_FATAL(cur_rmconf->mycertfile); | |
1911 | vfree($2); | |
1912 | if (cur_rmconf->myprivfile != NULL) | |
1913 | racoon_free(cur_rmconf->myprivfile); | |
1914 | cur_rmconf->myprivfile = racoon_strdup($3->v); | |
1915 | STRDUP_FATAL(cur_rmconf->myprivfile); | |
1916 | vfree($3); | |
1917 | } | |
1918 | EOS | |
1919 | | CERT_X509 IN_KEYCHAIN | |
1920 | { | |
1921 | cur_rmconf->certtype = $1; | |
1922 | cur_rmconf->identity_in_keychain = 1; | |
1923 | cur_rmconf->keychainCertRef = NULL; | |
1924 | } | |
1925 | EOS | |
1926 | ; | |
1927 | | CERT_X509 IN_KEYCHAIN QUOTEDSTRING | |
1928 | { | |
1929 | cur_rmconf->certtype = $1; | |
1930 | cur_rmconf->identity_in_keychain = 1; | |
1931 | cur_rmconf->keychainCertRef = $3; | |
1932 | } | |
1933 | EOS | |
1934 | ; | |
1935 | | CERT_PLAINRSA QUOTEDSTRING | |
1936 | { | |
1937 | #ifdef HAVE_OPENSSL | |
1938 | char path[MAXPATHLEN]; | |
1939 | int ret = 0; | |
1940 | ||
1941 | getpathname(path, sizeof(path), | |
1942 | LC_PATHTYPE_CERT, $2->v); | |
1943 | vfree($2); | |
1944 | ||
1945 | cur_rmconf->certtype = $1; | |
1946 | cur_rmconf->send_cr = FALSE; | |
1947 | cur_rmconf->send_cert = FALSE; | |
1948 | cur_rmconf->verify_cert = FALSE; | |
1949 | if (rsa_parse_file(cur_rmconf->rsa_private, path, RSA_TYPE_PRIVATE)) { | |
1950 | yyerror("Couldn't parse keyfile.\n", path); | |
1951 | return -1; | |
1952 | } | |
1953 | plog(LLV_DEBUG, LOCATION, NULL, "Private PlainRSA keyfile parsed: %s\n", path); | |
1954 | #else | |
1955 | yyerror("plainrsa not supported.\n"); | |
1956 | return -1; | |
1957 | #endif | |
1958 | } | |
1959 | EOS | |
1960 | ; | |
1961 | dh_group_num | |
1962 | : ALGORITHMTYPE | |
1963 | { | |
1964 | $$ = algtype2doi(algclass_isakmp_dh, $1); | |
1965 | if ($$ == -1) { | |
1966 | yyerror("must be DH group"); | |
1967 | return -1; | |
1968 | } | |
1969 | #ifndef HAVE_OPENSSL | |
1970 | if ($$ != OAKLEY_ATTR_GRP_DESC_MODP1024 && $$ != OAKLEY_ATTR_GRP_DESC_MODP1536) { | |
1971 | yyerror("DH group must be 2 or 5"); | |
1972 | return -1; | |
1973 | } | |
1974 | #endif | |
1975 | } | |
1976 | | NUMBER | |
1977 | { | |
1978 | if (ARRAYLEN(num2dhgroup) > $1 && num2dhgroup[$1] != 0) { | |
1979 | $$ = num2dhgroup[$1]; | |
1980 | } else { | |
1981 | yyerror("must be DH group"); | |
1982 | $$ = 0; | |
1983 | return -1; | |
1984 | } | |
1985 | #ifndef HAVE_OPENSSL | |
1986 | if ($$ != OAKLEY_ATTR_GRP_DESC_MODP1024 && $$ != OAKLEY_ATTR_GRP_DESC_MODP1536) { | |
1987 | yyerror("DH group must be 2 or 5"); | |
1988 | return -1; | |
1989 | } | |
1990 | #endif | |
1991 | } | |
1992 | ; | |
1993 | identifierstring | |
1994 | : /* nothing */ { $$ = NULL; } | |
1995 | | ADDRSTRING { $$ = $1; } | |
1996 | | QUOTEDSTRING { $$ = $1; } | |
1997 | ; | |
1998 | isakmpproposal_specs | |
1999 | : /* nothing */ | |
2000 | | isakmpproposal_specs isakmpproposal_spec | |
2001 | ; | |
2002 | isakmpproposal_spec | |
2003 | : STRENGTH | |
2004 | { | |
2005 | yyerror("strength directive is obsoleted."); | |
2006 | } STRENGTHTYPE EOS | |
2007 | | LIFETIME LIFETYPE_TIME NUMBER unittype_time | |
2008 | { | |
2009 | cur_rmconf->prhead->spspec->lifetime = $3 * $4; | |
2010 | } | |
2011 | EOS | |
2012 | | LIFETIME LIFETYPE_BYTE NUMBER unittype_byte | |
2013 | { | |
2014 | #if 1 | |
2015 | yyerror("byte lifetime support is deprecated"); | |
2016 | return -1; | |
2017 | #else | |
2018 | cur_rmconf->prhead->spspec->lifebyte = fix_lifebyte($3 * $4); | |
2019 | if (cur_rmconf->prhead->spspec->lifebyte == 0) | |
2020 | return -1; | |
2021 | #endif | |
2022 | } | |
2023 | EOS | |
2024 | | DH_GROUP dh_group_num | |
2025 | { | |
2026 | cur_rmconf->prhead->spspec->algclass[algclass_isakmp_dh] = $2; | |
2027 | } | |
2028 | EOS | |
2029 | | GSS_ID QUOTEDSTRING | |
2030 | { | |
2031 | if (cur_rmconf->prhead->spspec->vendorid != VENDORID_GSSAPI) { | |
2032 | yyerror("wrong Vendor ID for gssapi_id"); | |
2033 | return -1; | |
2034 | } | |
2035 | if (cur_rmconf->prhead->spspec->gssid != NULL) | |
2036 | racoon_free(cur_rmconf->prhead->spspec->gssid); | |
2037 | cur_rmconf->prhead->spspec->gssid = | |
2038 | racoon_strdup($2->v); | |
2039 | STRDUP_FATAL(cur_rmconf->prhead->spspec->gssid); | |
2040 | } | |
2041 | EOS | |
2042 | | ALGORITHM_CLASS ALGORITHMTYPE keylength | |
2043 | { | |
2044 | int doi; | |
2045 | int defklen; | |
2046 | ||
2047 | doi = algtype2doi($1, $2); | |
2048 | if (doi == -1) { | |
2049 | yyerror("algorithm mismatched 1"); | |
2050 | return -1; | |
2051 | } | |
2052 | ||
2053 | switch ($1) { | |
2054 | case algclass_isakmp_enc: | |
2055 | /* reject suppressed algorithms */ | |
2056 | #ifndef HAVE_OPENSSL_RC5_H | |
2057 | if ($2 == algtype_rc5) { | |
2058 | yyerror("algorithm %s not supported", | |
2059 | s_attr_isakmp_enc(doi)); | |
2060 | return -1; | |
2061 | } | |
2062 | #endif | |
2063 | #ifndef HAVE_OPENSSL_IDEA_H | |
2064 | if ($2 == algtype_idea) { | |
2065 | yyerror("algorithm %s not supported", | |
2066 | s_attr_isakmp_enc(doi)); | |
2067 | return -1; | |
2068 | } | |
2069 | #endif | |
2070 | ||
2071 | cur_rmconf->prhead->spspec->algclass[algclass_isakmp_enc] = doi; | |
2072 | defklen = default_keylen($1, $2); | |
2073 | if (defklen == 0) { | |
2074 | if ($3) { | |
2075 | yyerror("keylen not allowed"); | |
2076 | return -1; | |
2077 | } | |
2078 | } else { | |
2079 | if ($3 && check_keylen($1, $2, $3) < 0) { | |
2080 | yyerror("invalid keylen %d", $3); | |
2081 | return -1; | |
2082 | } | |
2083 | } | |
2084 | if ($3) | |
2085 | cur_rmconf->prhead->spspec->encklen = $3; | |
2086 | else | |
2087 | cur_rmconf->prhead->spspec->encklen = defklen; | |
2088 | break; | |
2089 | case algclass_isakmp_hash: | |
2090 | cur_rmconf->prhead->spspec->algclass[algclass_isakmp_hash] = doi; | |
2091 | break; | |
2092 | case algclass_isakmp_ameth: | |
2093 | cur_rmconf->prhead->spspec->algclass[algclass_isakmp_ameth] = doi; | |
2094 | /* | |
2095 | * We may have to set the Vendor ID for the | |
2096 | * authentication method we're using. | |
2097 | */ | |
2098 | switch ($2) { | |
2099 | case algtype_gssapikrb: | |
2100 | if (cur_rmconf->prhead->spspec->vendorid != | |
2101 | VENDORID_UNKNOWN) { | |
2102 | yyerror("Vendor ID mismatch " | |
2103 | "for auth method"); | |
2104 | return -1; | |
2105 | } | |
2106 | /* | |
2107 | * For interoperability with Win2k, | |
2108 | * we set the Vendor ID to "GSSAPI". | |
2109 | */ | |
2110 | cur_rmconf->prhead->spspec->vendorid = | |
2111 | VENDORID_GSSAPI; | |
2112 | break; | |
2113 | #ifdef HAVE_OPENSSL | |
2114 | case algtype_rsasig: | |
2115 | if (cur_rmconf->certtype == ISAKMP_CERT_PLAINRSA) { | |
2116 | if (rsa_list_count(cur_rmconf->rsa_private) == 0) { | |
2117 | yyerror ("Private PlainRSA key not set. " | |
2118 | "Use directive 'certificate_type plainrsa ...'\n"); | |
2119 | return -1; | |
2120 | } | |
2121 | if (rsa_list_count(cur_rmconf->rsa_public) == 0) { | |
2122 | yyerror ("Public PlainRSA keys not set. " | |
2123 | "Use directive 'peers_certfile plainrsa ...'\n"); | |
2124 | return -1; | |
2125 | } | |
2126 | } | |
2127 | break; | |
2128 | #endif | |
2129 | default: | |
2130 | break; | |
2131 | } | |
2132 | break; | |
2133 | default: | |
2134 | yyerror("algorithm mismatched 2"); | |
2135 | return -1; | |
2136 | } | |
2137 | } | |
2138 | EOS | |
2139 | ; | |
2140 | ||
2141 | unittype_time | |
2142 | : UNITTYPE_SEC { $$ = 1; } | |
2143 | | UNITTYPE_MIN { $$ = 60; } | |
2144 | | UNITTYPE_HOUR { $$ = (60 * 60); } | |
2145 | ; | |
2146 | unittype_byte | |
2147 | : UNITTYPE_BYTE { $$ = 1; } | |
2148 | | UNITTYPE_KBYTES { $$ = 1024; } | |
2149 | | UNITTYPE_MBYTES { $$ = (1024 * 1024); } | |
2150 | | UNITTYPE_TBYTES { $$ = (1024 * 1024 * 1024); } | |
2151 | ; | |
2152 | dpd_algo_type | |
2153 | : DPD_ALGO_TYPE_DEFAULT { $$ = DPD_ALGO_DEFAULT; } | |
2154 | | DPD_ALGO_TYPE_INBOUND { $$ = DPD_ALGO_INBOUND_DETECT; } | |
2155 | | DPD_ALGO_TYPE_BLACKHOLE { $$ = DPD_ALGO_BLACKHOLE_DETECT; } | |
2156 | ; | |
2157 | idle_dir_type | |
2158 | : IDLE_DIRECTION_ANY { $$ = IPSEC_DIR_ANY; } | |
2159 | | IDLE_DIRECTION_IN { $$ = IPSEC_DIR_INBOUND; } | |
2160 | | IDLE_DIRECTION_OUT { $$ = IPSEC_DIR_OUTBOUND; } | |
2161 | ; | |
2162 | %% | |
2163 | ||
2164 | static struct proposalspec * | |
2165 | newprspec() | |
2166 | { | |
2167 | struct proposalspec *new; | |
2168 | ||
2169 | new = racoon_calloc(1, sizeof(*new)); | |
2170 | if (new == NULL) | |
2171 | yyerror("failed to allocate proposal"); | |
2172 | ||
2173 | return new; | |
2174 | } | |
2175 | ||
2176 | /* | |
2177 | * insert into head of list. | |
2178 | */ | |
2179 | static void | |
2180 | insprspec(prspec, head) | |
2181 | struct proposalspec *prspec; | |
2182 | struct proposalspec **head; | |
2183 | { | |
2184 | if (*head != NULL) | |
2185 | (*head)->prev = prspec; | |
2186 | prspec->next = *head; | |
2187 | *head = prspec; | |
2188 | } | |
2189 | ||
2190 | static struct secprotospec * | |
2191 | newspspec() | |
2192 | { | |
2193 | struct secprotospec *new; | |
2194 | ||
2195 | new = racoon_calloc(1, sizeof(*new)); | |
2196 | if (new == NULL) { | |
2197 | yyerror("failed to allocate spproto"); | |
2198 | return NULL; | |
2199 | } | |
2200 | ||
2201 | new->encklen = 0; /*XXX*/ | |
2202 | ||
2203 | /* | |
2204 | * Default to "uknown" vendor -- we will override this | |
2205 | * as necessary. When we send a Vendor ID payload, an | |
2206 | * "unknown" will be translated to a KAME/racoon ID. | |
2207 | */ | |
2208 | new->vendorid = VENDORID_UNKNOWN; | |
2209 | ||
2210 | return new; | |
2211 | } | |
2212 | ||
2213 | /* | |
2214 | * insert into head of list. | |
2215 | */ | |
2216 | static void | |
2217 | insspspec(spspec, head) | |
2218 | struct secprotospec *spspec; | |
2219 | struct proposalspec **head; | |
2220 | { | |
2221 | spspec->back = *head; | |
2222 | ||
2223 | if ((*head)->spspec != NULL) | |
2224 | (*head)->spspec->prev = spspec; | |
2225 | spspec->next = (*head)->spspec; | |
2226 | (*head)->spspec = spspec; | |
2227 | } | |
2228 | ||
2229 | /* set final acceptable proposal */ | |
2230 | static int | |
2231 | set_isakmp_proposal(rmconf, prspec) | |
2232 | struct remoteconf *rmconf; | |
2233 | struct proposalspec *prspec; | |
2234 | { | |
2235 | struct proposalspec *p; | |
2236 | struct secprotospec *s; | |
2237 | int prop_no = 1; | |
2238 | int trns_no = 1; | |
2239 | int32_t types[MAXALGCLASS]; | |
2240 | ||
2241 | p = prspec; | |
2242 | if (p->next != 0) { | |
2243 | plog(LLV_ERROR, LOCATION, NULL, | |
2244 | "multiple proposal definition.\n"); | |
2245 | return -1; | |
2246 | } | |
2247 | ||
2248 | /* mandatory check */ | |
2249 | if (p->spspec == NULL) { | |
2250 | yyerror("no remote specification found: %s.\n", | |
2251 | saddr2str(rmconf->remote)); | |
2252 | return -1; | |
2253 | } | |
2254 | for (s = p->spspec; s != NULL; s = s->next) { | |
2255 | /* XXX need more to check */ | |
2256 | if (s->algclass[algclass_isakmp_enc] == 0) { | |
2257 | yyerror("encryption algorithm required."); | |
2258 | return -1; | |
2259 | } | |
2260 | if (s->algclass[algclass_isakmp_hash] == 0) { | |
2261 | yyerror("hash algorithm required."); | |
2262 | return -1; | |
2263 | } | |
2264 | if (s->algclass[algclass_isakmp_dh] == 0) { | |
2265 | yyerror("DH group required."); | |
2266 | return -1; | |
2267 | } | |
2268 | if (s->algclass[algclass_isakmp_ameth] == 0) { | |
2269 | yyerror("authentication method required."); | |
2270 | return -1; | |
2271 | } | |
2272 | } | |
2273 | ||
2274 | /* skip to last part */ | |
2275 | for (s = p->spspec; s->next != NULL; s = s->next) | |
2276 | ; | |
2277 | ||
2278 | while (s != NULL) { | |
2279 | plog(LLV_DEBUG2, LOCATION, NULL, | |
2280 | "lifetime = %ld\n", (long) | |
2281 | (s->lifetime ? s->lifetime : p->lifetime)); | |
2282 | plog(LLV_DEBUG2, LOCATION, NULL, | |
2283 | "lifebyte = %d\n", | |
2284 | s->lifebyte ? s->lifebyte : p->lifebyte); | |
2285 | plog(LLV_DEBUG2, LOCATION, NULL, | |
2286 | "encklen=%d\n", s->encklen); | |
2287 | ||
2288 | memset(types, 0, ARRAYLEN(types)); | |
2289 | types[algclass_isakmp_enc] = s->algclass[algclass_isakmp_enc]; | |
2290 | types[algclass_isakmp_hash] = s->algclass[algclass_isakmp_hash]; | |
2291 | types[algclass_isakmp_dh] = s->algclass[algclass_isakmp_dh]; | |
2292 | types[algclass_isakmp_ameth] = | |
2293 | s->algclass[algclass_isakmp_ameth]; | |
2294 | ||
2295 | /* expanding spspec */ | |
2296 | clean_tmpalgtype(); | |
2297 | trns_no = expand_isakmpspec(prop_no, trns_no, types, | |
2298 | algclass_isakmp_enc, algclass_isakmp_ameth + 1, | |
2299 | s->lifetime ? s->lifetime : p->lifetime, | |
2300 | s->lifebyte ? s->lifebyte : p->lifebyte, | |
2301 | s->encklen, s->vendorid, s->gssid, | |
2302 | rmconf); | |
2303 | if (trns_no == -1) { | |
2304 | plog(LLV_ERROR, LOCATION, NULL, | |
2305 | "failed to expand isakmp proposal.\n"); | |
2306 | return -1; | |
2307 | } | |
2308 | ||
2309 | s = s->prev; | |
2310 | } | |
2311 | ||
2312 | if (rmconf->proposal == NULL) { | |
2313 | plog(LLV_ERROR, LOCATION, NULL, | |
2314 | "no proposal found.\n"); | |
2315 | return -1; | |
2316 | } | |
2317 | ||
2318 | return 0; | |
2319 | } | |
2320 | ||
2321 | static void | |
2322 | clean_tmpalgtype() | |
2323 | { | |
2324 | int i; | |
2325 | for (i = 0; i < MAXALGCLASS; i++) | |
2326 | tmpalgtype[i] = 0; /* means algorithm undefined. */ | |
2327 | } | |
2328 | ||
2329 | static int | |
2330 | expand_isakmpspec(prop_no, trns_no, types, | |
2331 | class, last, lifetime, lifebyte, encklen, vendorid, gssid, | |
2332 | rmconf) | |
2333 | int prop_no, trns_no; | |
2334 | int *types, class, last; | |
2335 | time_t lifetime; | |
2336 | int lifebyte; | |
2337 | int encklen; | |
2338 | int vendorid; | |
2339 | char *gssid; | |
2340 | struct remoteconf *rmconf; | |
2341 | { | |
2342 | struct isakmpsa *new; | |
2343 | ||
2344 | /* debugging */ | |
2345 | { | |
2346 | int j; | |
2347 | char tb[10]; | |
2348 | plog(LLV_DEBUG2, LOCATION, NULL, | |
2349 | "p:%d t:%d\n", prop_no, trns_no); | |
2350 | for (j = class; j < MAXALGCLASS; j++) { | |
2351 | snprintf(tb, sizeof(tb), "%d", types[j]); | |
2352 | plog(LLV_DEBUG2, LOCATION, NULL, | |
2353 | "%s%s%s%s\n", | |
2354 | s_algtype(j, types[j]), | |
2355 | types[j] ? "(" : "", | |
2356 | tb[0] == '0' ? "" : tb, | |
2357 | types[j] ? ")" : ""); | |
2358 | } | |
2359 | plog(LLV_DEBUG2, LOCATION, NULL, "\n"); | |
2360 | } | |
2361 | ||
2362 | #define TMPALGTYPE2STR(n) \ | |
2363 | s_algtype(algclass_isakmp_##n, types[algclass_isakmp_##n]) | |
2364 | /* check mandatory values */ | |
2365 | if (types[algclass_isakmp_enc] == 0 | |
2366 | || types[algclass_isakmp_ameth] == 0 | |
2367 | || types[algclass_isakmp_hash] == 0 | |
2368 | || types[algclass_isakmp_dh] == 0) { | |
2369 | yyerror("few definition of algorithm " | |
2370 | "enc=%s ameth=%s hash=%s dhgroup=%s.\n", | |
2371 | TMPALGTYPE2STR(enc), | |
2372 | TMPALGTYPE2STR(ameth), | |
2373 | TMPALGTYPE2STR(hash), | |
2374 | TMPALGTYPE2STR(dh)); | |
2375 | return -1; | |
2376 | } | |
2377 | #undef TMPALGTYPE2STR | |
2378 | ||
2379 | /* set new sa */ | |
2380 | new = newisakmpsa(); | |
2381 | if (new == NULL) { | |
2382 | yyerror("failed to allocate isakmp sa"); | |
2383 | return -1; | |
2384 | } | |
2385 | new->prop_no = prop_no; | |
2386 | new->trns_no = trns_no++; | |
2387 | new->lifetime = lifetime; | |
2388 | new->lifebyte = lifebyte; | |
2389 | new->enctype = types[algclass_isakmp_enc]; | |
2390 | new->encklen = encklen; | |
2391 | new->authmethod = types[algclass_isakmp_ameth]; | |
2392 | new->hashtype = types[algclass_isakmp_hash]; | |
2393 | new->dh_group = types[algclass_isakmp_dh]; | |
2394 | new->vendorid = vendorid; | |
2395 | #ifdef HAVE_GSSAPI | |
2396 | if (new->authmethod == OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB) { | |
2397 | if (gssid != NULL) { | |
2398 | if ((new->gssid = vmalloc(strlen(gssid))) == NULL) { | |
2399 | racoon_free(new); | |
2400 | yyerror("failed to allocate gssid"); | |
2401 | return -1; | |
2402 | } | |
2403 | memcpy(new->gssid->v, gssid, new->gssid->l); | |
2404 | racoon_free(gssid); | |
2405 | } else { | |
2406 | /* | |
2407 | * Allocate the default ID so that it gets put | |
2408 | * into a GSS ID attribute during the Phase 1 | |
2409 | * exchange. | |
2410 | */ | |
2411 | new->gssid = gssapi_get_default_gss_id(); | |
2412 | } | |
2413 | } | |
2414 | #endif | |
2415 | insisakmpsa(new, rmconf); | |
2416 | ||
2417 | return trns_no; | |
2418 | } | |
2419 | ||
2420 | static int | |
2421 | listen_addr (struct sockaddr *addr, int udp_encap) | |
2422 | { | |
2423 | struct myaddrs *p; | |
2424 | ||
2425 | p = newmyaddr(); | |
2426 | if (p == NULL) { | |
2427 | yyerror("failed to allocate myaddrs"); | |
2428 | return -1; | |
2429 | } | |
2430 | p->addr = addr; | |
2431 | if (p->addr == NULL) { | |
2432 | yyerror("failed to copy sockaddr "); | |
2433 | delmyaddr(p); | |
2434 | return -1; | |
2435 | } | |
2436 | p->udp_encap = udp_encap; | |
2437 | /* These need to be initialized for Apple modifications | |
2438 | * to open code for isakmp sockets | |
2439 | */ | |
2440 | p->sock = -1; | |
2441 | p->in_use = 1; | |
2442 | ||
2443 | insmyaddr(p, &lcconf->myaddrs); | |
2444 | ||
2445 | lcconf->autograbaddr = 0; | |
2446 | return 0; | |
2447 | } | |
2448 | ||
2449 | #if 0 | |
2450 | /* | |
2451 | * fix lifebyte. | |
2452 | * Must be more than 1024B because its unit is kilobytes. | |
2453 | * That is defined RFC2407. | |
2454 | */ | |
2455 | static int | |
2456 | fix_lifebyte(t) | |
2457 | unsigned long t; | |
2458 | { | |
2459 | if (t < 1024) { | |
2460 | yyerror("byte size should be more than 1024B."); | |
2461 | return 0; | |
2462 | } | |
2463 | ||
2464 | return(t / 1024); | |
2465 | } | |
2466 | #endif | |
2467 | ||
2468 | int | |
2469 | cfparse() | |
2470 | { | |
2471 | int error; | |
2472 | ||
2473 | plog(LLV_DEBUG, LOCATION, NULL, "===== parse config\n"); | |
2474 | ||
2475 | yycf_init_buffer(); | |
2476 | ||
2477 | if (yycf_switch_buffer(lcconf->racoon_conf) != 0) { | |
2478 | IPSECCONFIGTRACEREVENT(CONSTSTR(lcconf->racoon_conf), | |
2479 | IPSECCONFIGEVENTCODE_PARSE_ERROR, | |
2480 | CONSTSTR("could not read configuration file"), | |
2481 | CONSTSTR("cfparse: yycf_switch_buffer erred")); | |
2482 | plog(LLV_ERROR, LOCATION, NULL, | |
2483 | "could not read configuration file \"%s\"\n", | |
2484 | lcconf->racoon_conf); | |
2485 | return -1; | |
2486 | } | |
2487 | ||
2488 | error = yyparse(); | |
2489 | if (error != 0) { | |
2490 | if (yyerrorcount) { | |
2491 | plog(LLV_ERROR, LOCATION, NULL, | |
2492 | "fatal parse failure (%d errors)\n", | |
2493 | yyerrorcount); | |
2494 | } else { | |
2495 | plog(LLV_ERROR, LOCATION, NULL, | |
2496 | "fatal parse failure.\n"); | |
2497 | } | |
2498 | IPSECCONFIGTRACEREVENT(CONSTSTR(lcconf->racoon_conf), | |
2499 | IPSECCONFIGEVENTCODE_PARSE_ERROR, | |
2500 | CONSTSTR("fatal parse failure"), | |
2501 | CONSTSTR("cfparse: yyparse erred")); | |
2502 | yycf_clean_buffer(); | |
2503 | return -1; | |
2504 | } | |
2505 | ||
2506 | if (error == 0 && yyerrorcount) { | |
2507 | plog(LLV_ERROR, LOCATION, NULL, | |
2508 | "parse error is nothing, but yyerrorcount is %d.\n", | |
2509 | yyerrorcount); | |
2510 | IPSECCONFIGTRACEREVENT(CONSTSTR(lcconf->racoon_conf), | |
2511 | IPSECCONFIGEVENTCODE_PARSE_ERROR, | |
2512 | CONSTSTR("ambivalent error code"), | |
2513 | CONSTSTR("cfparse: error == 0 && yerrorcount")); | |
2514 | yycf_clean_buffer(); | |
2515 | exit(1); | |
2516 | } | |
2517 | ||
2518 | yycf_clean_buffer(); | |
2519 | ||
2520 | plog(LLV_DEBUG2, LOCATION, NULL, "parse successed.\n"); | |
2521 | ||
2522 | return 0; | |
2523 | } | |
2524 | ||
2525 | int | |
2526 | cfreparse(int sig) | |
2527 | { | |
2528 | int ignore_estab_or_assert_handles = (sig == SIGUSR1); | |
2529 | ||
2530 | if (sig >= 0 && sig < NSIG) { | |
2531 | plog(LLV_DEBUG, LOCATION, NULL, "==== Got %s signal - re-parsing.\n", sys_signame[sig]); | |
2532 | } else { | |
2533 | plog(LLV_ERROR, LOCATION, NULL, "==== Got Unknown signal - re-parsing.\n"); | |
2534 | IPSECCONFIGTRACEREVENT(CONSTSTR("reparse"), | |
2535 | IPSECCONFIGEVENTCODE_REPARSE_ERROR, | |
2536 | CONSTSTR("Unknown signal"), | |
2537 | CONSTSTR("cfreparse: triggered by unknown signal")); | |
2538 | } | |
2539 | ||
2540 | flushph2(ignore_estab_or_assert_handles); | |
2541 | flushph1(ignore_estab_or_assert_handles); | |
2542 | flushrmconf(); | |
2543 | flushsainfo(); | |
2544 | flushlcconf(); | |
2545 | #ifdef HAVE_LIBLDAP | |
2546 | xauth_ldap_flush(); | |
2547 | #endif | |
2548 | check_auto_exit(); /* check/change state of auto exit */ | |
2549 | clean_tmpalgtype(); | |
2550 | ||
2551 | return(cfparse()); | |
2552 | } | |
2553 | ||
2554 | ||
2555 | #ifdef ENABLE_ADMINPORT | |
2556 | static void | |
2557 | adminsock_conf(path, owner, group, mode_dec) | |
2558 | vchar_t *path; | |
2559 | vchar_t *owner; | |
2560 | vchar_t *group; | |
2561 | int mode_dec; | |
2562 | { | |
2563 | struct passwd *pw = NULL; | |
2564 | struct group *gr = NULL; | |
2565 | mode_t mode = 0; | |
2566 | uid_t uid; | |
2567 | gid_t gid; | |
2568 | int isnum; | |
2569 | ||
2570 | adminsock_path = path->v; | |
2571 | ||
2572 | if (owner == NULL) | |
2573 | return; | |
2574 | ||
2575 | errno = 0; | |
2576 | uid = atoi(owner->v); | |
2577 | isnum = !errno; | |
2578 | if (((pw = getpwnam(owner->v)) == NULL) && !isnum) | |
2579 | yyerror("User \"%s\" does not exist", owner->v); | |
2580 | ||
2581 | if (pw) | |
2582 | adminsock_owner = pw->pw_uid; | |
2583 | else | |
2584 | adminsock_owner = uid; | |
2585 | ||
2586 | if (group == NULL) | |
2587 | return; | |
2588 | ||
2589 | errno = 0; | |
2590 | gid = atoi(group->v); | |
2591 | isnum = !errno; | |
2592 | if (((gr = getgrnam(group->v)) == NULL) && !isnum) | |
2593 | yyerror("Group \"%s\" does not exist", group->v); | |
2594 | ||
2595 | if (gr) | |
2596 | adminsock_group = gr->gr_gid; | |
2597 | else | |
2598 | adminsock_group = gid; | |
2599 | ||
2600 | if (mode_dec == -1) | |
2601 | return; | |
2602 | ||
2603 | if (mode_dec > 777) | |
2604 | yyerror("Mode 0%03o is invalid", mode_dec); | |
2605 | if (mode_dec >= 400) { mode += 0400; mode_dec -= 400; } | |
2606 | if (mode_dec >= 200) { mode += 0200; mode_dec -= 200; } | |
2607 | if (mode_dec >= 100) { mode += 0200; mode_dec -= 100; } | |
2608 | ||
2609 | if (mode_dec > 77) | |
2610 | yyerror("Mode 0%03o is invalid", mode_dec); | |
2611 | if (mode_dec >= 40) { mode += 040; mode_dec -= 40; } | |
2612 | if (mode_dec >= 20) { mode += 020; mode_dec -= 20; } | |
2613 | if (mode_dec >= 10) { mode += 020; mode_dec -= 10; } | |
2614 | ||
2615 | if (mode_dec > 7) | |
2616 | yyerror("Mode 0%03o is invalid", mode_dec); | |
2617 | if (mode_dec >= 4) { mode += 04; mode_dec -= 4; } | |
2618 | if (mode_dec >= 2) { mode += 02; mode_dec -= 2; } | |
2619 | if (mode_dec >= 1) { mode += 02; mode_dec -= 1; } | |
2620 | ||
2621 | adminsock_mode = mode; | |
2622 | ||
2623 | return; | |
2624 | } | |
2625 | #endif |