]> git.saurik.com Git - apple/ipsec.git/blob - ipsec-tools/racoon/cfparse.y
projects / apple / ipsec.git / blob
? search:


5024ad11c75a0715b8aee27009a838f8c7d2088f
[apple/ipsec.git] / ipsec-tools / racoon / cfparse.y
1 /* $NetBSD: cfparse.y,v 1.18.4.3 2007/08/01 11:52:19 vanhu Exp $ */
2
3 /* Id: cfparse.y,v 1.66 2006/08/22 18:17:17 manubsd Exp */
4
5 %{
6 /*
7 * Copyright (C) 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002 and 2003 WIDE Project.
8 * All rights reserved.
9 *
10 * Redistribution and use in source and binary forms, with or without
11 * modification, are permitted provided that the following conditions
12 * are met:
13 * 1. Redistributions of source code must retain the above copyright
14 * notice, this list of conditions and the following disclaimer.
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in the
17 * documentation and/or other materials provided with the distribution.
18 * 3. Neither the name of the project nor the names of its contributors
19 * may be used to endorse or promote products derived from this software
20 * without specific prior written permission.
21 *
22 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
23 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
24 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
25 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
26 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
27 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
28 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
29 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
30 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
31 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
32 * SUCH DAMAGE.
33 */
34
35 #include "config.h"
36
37 #include <sys/types.h>
38 #include <sys/param.h>
39 #include <sys/queue.h>
40 #include <sys/socket.h>
41
42 #include <netinet/in.h>
43 #ifdef HAVE_NETINET6_IPSEC
44 # include <netinet6/ipsec.h>
45 #else
46 # include <netinet/ipsec.h>
47 #endif
48
49 #ifdef ENABLE_HYBRID
50 #include <arpa/inet.h>
51 #endif
52
53 #include <stdlib.h>
54 #include <stdio.h>
55 #include <string.h>
56 #include <errno.h>
57 #include <netdb.h>
58 #include <pwd.h>
59 #include <grp.h>
60 #include <signal.h>
61
62 #include "var.h"
63 #include "misc.h"
64 #include "vmbuf.h"
65 #include "plog.h"
66 #include "sockmisc.h"
67 #include "str2val.h"
68 #include "genlist.h"
69 #include "debug.h"
70
71 #include "admin.h"
72 #include "privsep.h"
73 #include "cfparse_proto.h"
74 #include "cftoken_proto.h"
75 #include "algorithm.h"
76 #include "localconf.h"
77 #include "policy.h"
78 #include "sainfo.h"
79 #include "oakley.h"
80 #include "pfkey.h"
81 #include "remoteconf.h"
82 #include "grabmyaddr.h"
83 #include "isakmp_var.h"
84 #include "handler.h"
85 #include "isakmp.h"
86 #include "nattraversal.h"
87 #include "isakmp_frag.h"
88 #ifdef ENABLE_HYBRID
89 #include "resolv.h"
90 #include "isakmp_unity.h"
91 #include "isakmp_xauth.h"
92 #include "isakmp_cfg.h"
93 #endif
94 #include "ipsec_doi.h"
95 #include "strnames.h"
96 #include "gcmalloc.h"
97 #ifdef HAVE_GSSAPI
98 #include "gssapi.h"
99 #endif
100 #include "vendorid.h"
101 #ifdef HAVE_OPENSSL
102 #include "rsalist.h"
103 #endif
104 #include "ipsecConfigTracer.h"
105 #include "ipsecMessageTracer.h"
106
107
108 static int num2dhgroup[] = {
109 0,
110 OAKLEY_ATTR_GRP_DESC_MODP768,
111 OAKLEY_ATTR_GRP_DESC_MODP1024,
112 OAKLEY_ATTR_GRP_DESC_EC2N155,
113 OAKLEY_ATTR_GRP_DESC_EC2N185,
114 OAKLEY_ATTR_GRP_DESC_MODP1536,
115 0,
116 0,
117 0,
118 0,
119 0,
120 0,
121 0,
122 0,
123 OAKLEY_ATTR_GRP_DESC_MODP2048,
124 OAKLEY_ATTR_GRP_DESC_MODP3072,
125 OAKLEY_ATTR_GRP_DESC_MODP4096,
126 OAKLEY_ATTR_GRP_DESC_MODP6144,
127 OAKLEY_ATTR_GRP_DESC_MODP8192
128 };
129
130 static struct remoteconf *cur_rmconf;
131 static int tmpalgtype[MAXALGCLASS];
132 static struct sainfo *cur_sainfo;
133 static int cur_algclass;
134 static int oldloglevel = LLV_BASE;
135
136 static struct proposalspec *newprspec __P((void));
137 static void insprspec __P((struct proposalspec *, struct proposalspec **));
138 static struct secprotospec *newspspec __P((void));
139 static void insspspec __P((struct secprotospec *, struct proposalspec **));
140 static void adminsock_conf __P((vchar_t *, vchar_t *, vchar_t *, int));
141
142 static int set_isakmp_proposal
143 __P((struct remoteconf *, struct proposalspec *));
144 static void clean_tmpalgtype __P((void));
145 static int expand_isakmpspec __P((int, int, int *,
146 int, int, time_t, int, int, int, char *, struct remoteconf *));
147 static int listen_addr __P((struct sockaddr *addr, int udp_encap));
148
149 void freeetypes (struct etypes **etypes);
150
151 #if 0
152 static int fix_lifebyte __P((u_long));
153 #endif
154 %}
155
156 %union {
157 unsigned long num;
158 vchar_t *val;
159 struct remoteconf *rmconf;
160 struct sockaddr *saddr;
161 struct sainfoalg *alg;
162 }
163
164 /* privsep */
165 %token PRIVSEP USER GROUP CHROOT
166 /* path */
167 %token PATH PATHTYPE
168 /* include */
169 %token INCLUDE
170 /* self information */
171 %token IDENTIFIER VENDORID
172 /* logging */
173 %token LOGGING LOGLEV
174 /* padding */
175 %token PADDING PAD_RANDOMIZE PAD_RANDOMIZELEN PAD_MAXLEN PAD_STRICT PAD_EXCLTAIL
176 /* listen */
177 %token LISTEN X_ISAKMP X_ISAKMP_NATT X_ADMIN STRICT_ADDRESS ADMINSOCK DISABLED
178 /* modecfg */
179 %token MODECFG CFG_NET4 CFG_MASK4 CFG_DNS4 CFG_NBNS4 CFG_DEFAULT_DOMAIN
180 %token CFG_AUTH_SOURCE CFG_AUTH_GROUPS CFG_SYSTEM CFG_RADIUS CFG_PAM CFG_LDAP CFG_LOCAL CFG_NONE
181 %token CFG_GROUP_SOURCE CFG_ACCOUNTING CFG_CONF_SOURCE CFG_MOTD CFG_POOL_SIZE CFG_AUTH_THROTTLE
182 %token CFG_SPLIT_NETWORK CFG_SPLIT_LOCAL CFG_SPLIT_INCLUDE CFG_SPLIT_DNS
183 %token CFG_PFS_GROUP CFG_SAVE_PASSWD
184 /* timer */
185 %token RETRY RETRY_COUNTER RETRY_INTERVAL RETRY_PERSEND
186 %token RETRY_PHASE1 RETRY_PHASE2 NATT_KA AUTO_EXIT_DELAY
187 /* algorithm */
188 %token ALGORITHM_CLASS ALGORITHMTYPE STRENGTHTYPE
189 /* sainfo */
190 %token SAINFO FROM
191 /* remote */
192 %token REMOTE ANONYMOUS INHERIT
193 %token EXCHANGE_MODE EXCHANGETYPE DOI DOITYPE SITUATION SITUATIONTYPE
194 %token CERTIFICATE_TYPE CERTTYPE PEERS_CERTFILE CA_TYPE
195 %token VERIFY_CERT SEND_CERT SEND_CR
196 %token IDENTIFIERTYPE IDENTIFIERQUAL MY_IDENTIFIER
197 %token PEERS_IDENTIFIER VERIFY_IDENTIFIER
198 %token SHARED_SECRET SECRETTYPE
199 %token OPEN_DIR_AUTH_GROUP IN_KEYCHAIN
200 %token CERTIFICATE_VERIFICATION VERIFICATION_MODULE VERIFICATION_OPTION
201 %token DNSSEC CERT_X509 CERT_PLAINRSA
202 %token NONCE_SIZE DH_GROUP KEEPALIVE PASSIVE INITIAL_CONTACT
203 %token NAT_TRAVERSAL REMOTE_FORCE_LEVEL NAT_TRAVERSAL_LEVEL NAT_TRAVERSAL_MULTI_USER NAT_TRAVERSAL_KEEPALIVE
204 %token PROPOSAL_CHECK PROPOSAL_CHECK_LEVEL
205 %token GENERATE_POLICY GENERATE_LEVEL SUPPORT_PROXY
206 %token PROPOSAL
207 %token EXEC_PATH EXEC_COMMAND EXEC_SUCCESS EXEC_FAILURE
208 %token GSS_ID GSS_ID_ENC GSS_ID_ENCTYPE
209 %token COMPLEX_BUNDLE
210 %token DPD DPD_DELAY DPD_RETRY DPD_MAXFAIL DPD_ALGORITHM
211 %token DISCONNECT_ON_IDLE IDLE_TIMEOUT IDLE_DIRECTION
212 %token XAUTH_LOGIN WEAK_PHASE1_CHECK
213
214 %token PREFIX PORT PORTANY UL_PROTO ANY IKE_FRAG ESP_FRAG MODE_CFG
215 %token PFS_GROUP LIFETIME LIFETYPE_TIME LIFETYPE_BYTE STRENGTH REMOTEID
216
217 %token SCRIPT PHASE1_UP PHASE1_DOWN
218
219 %token NUMBER SWITCH BOOLEAN
220 %token HEXSTRING QUOTEDSTRING ADDRSTRING ADDRRANGE
221 %token UNITTYPE_BYTE UNITTYPE_KBYTES UNITTYPE_MBYTES UNITTYPE_TBYTES
222 %token UNITTYPE_SEC UNITTYPE_MIN UNITTYPE_HOUR
223 %token EOS BOC EOC COMMA
224 %token DPD_ALGO_TYPE_DEFAULT DPD_ALGO_TYPE_INBOUND DPD_ALGO_TYPE_BLACKHOLE
225 %token IDLE_DIRECTION_IN IDLE_DIRECTION_OUT IDLE_DIRECTION_ANY
226
227 %type <num> NUMBER BOOLEAN SWITCH keylength
228 %type <num> PATHTYPE IDENTIFIERTYPE IDENTIFIERQUAL LOGLEV GSS_ID_ENCTYPE
229 %type <num> SECRETTYPE
230 %type <num> ALGORITHM_CLASS dh_group_num
231 %type <num> ALGORITHMTYPE STRENGTHTYPE
232 %type <num> PREFIX prefix PORT port ike_port
233 %type <num> ul_proto UL_PROTO
234 %type <num> EXCHANGETYPE DOITYPE SITUATIONTYPE
235 %type <num> CERTTYPE CERT_X509 CERT_PLAINRSA PROPOSAL_CHECK_LEVEL NAT_TRAVERSAL_LEVEL GENERATE_LEVEL
236 %type <num> VERIFICATION_MODULE VERIFICATION_OPTION
237 %type <num> unittype_time unittype_byte
238 %type <val> QUOTEDSTRING HEXSTRING ADDRSTRING ADDRRANGE sainfo_id
239 %type <val> identifierstring
240 %type <saddr> remote_index ike_addrinfo_port
241 %type <alg> algorithm
242 %type <num> dpd_algo_type
243 %type <num> idle_dir_type
244
245 %%
246
247 statements
248 : /* nothing */
249 | statements statement
250 ;
251 statement
252 : privsep_statement
253 | path_statement
254 | include_statement
255 | gssenc_statement
256 | identifier_statement
257 | logging_statement
258 | padding_statement
259 | listen_statement
260 | modecfg_statement
261 | timer_statement
262 | sainfo_statement
263 | remote_statement
264 | special_statement
265 ;
266
267 /* privsep */
268 privsep_statement
269 : PRIVSEP BOC privsep_stmts EOC
270 ;
271 privsep_stmts
272 : /* nothing */
273 | privsep_stmts privsep_stmt
274 ;
275 privsep_stmt
276 : USER QUOTEDSTRING
277 {
278 struct passwd *pw;
279
280 if ((pw = getpwnam($2->v)) == NULL) {
281 yyerror("unknown user \"%s\"", $2->v);
282 return -1;
283 }
284 lcconf->uid = pw->pw_uid;
285 }
286 EOS
287 | USER NUMBER { lcconf->uid = $2; } EOS
288 | GROUP QUOTEDSTRING
289 {
290 struct group *gr;
291
292 if ((gr = getgrnam($2->v)) == NULL) {
293 yyerror("unknown group \"%s\"", $2->v);
294 return -1;
295 }
296 lcconf->gid = gr->gr_gid;
297 }
298 EOS
299 | GROUP NUMBER { lcconf->gid = $2; } EOS
300 | CHROOT QUOTEDSTRING { lcconf->chroot = $2->v; } EOS
301 ;
302
303 /* path */
304 path_statement
305 : PATH PATHTYPE QUOTEDSTRING
306 {
307 if ($2 >= LC_PATHTYPE_MAX) {
308 yyerror("invalid path type %d", $2);
309 return -1;
310 }
311
312 /* free old pathinfo */
313 if (lcconf->pathinfo[$2])
314 racoon_free(lcconf->pathinfo[$2]);
315
316 /* set new pathinfo */
317 lcconf->pathinfo[$2] = racoon_strdup($3->v);
318 STRDUP_FATAL(lcconf->pathinfo[$2]);
319 vfree($3);
320 }
321 EOS
322 ;
323
324 /* special */
325 special_statement
326 : COMPLEX_BUNDLE SWITCH { lcconf->complex_bundle = $2; } EOS
327 ;
328
329 /* include */
330 include_statement
331 : INCLUDE QUOTEDSTRING EOS
332 {
333 char path[MAXPATHLEN];
334
335 getpathname(path, sizeof(path),
336 LC_PATHTYPE_INCLUDE, $2->v);
337 vfree($2);
338 if (yycf_switch_buffer(path) != 0)
339 return -1;
340 }
341 ;
342
343 /* gss_id_enc */
344 gssenc_statement
345 : GSS_ID_ENC GSS_ID_ENCTYPE EOS
346 {
347 if ($2 >= LC_GSSENC_MAX) {
348 yyerror("invalid GSS ID encoding %d", $2);
349 return -1;
350 }
351 lcconf->gss_id_enc = $2;
352 }
353 ;
354
355 /* self information */
356 identifier_statement
357 : IDENTIFIER identifier_stmt
358 ;
359 identifier_stmt
360 : VENDORID
361 {
362 /*XXX to be deleted */
363 }
364 QUOTEDSTRING EOS
365 | IDENTIFIERTYPE QUOTEDSTRING
366 {
367 /*XXX to be deleted */
368 $2->l--; /* nuke '\0' */
369 lcconf->ident[$1] = $2;
370 if (lcconf->ident[$1] == NULL) {
371 yyerror("failed to set my ident: %s",
372 strerror(errno));
373 return -1;
374 }
375 }
376 EOS
377 ;
378
379 /* logging */
380 logging_statement
381 : LOGGING log_level EOS
382 ;
383 log_level
384 : HEXSTRING
385 {
386 /*
387 * XXX ignore it because this specification
388 * will be obsoleted.
389 */
390 yywarn("see racoon.conf(5), such a log specification will be obsoleted.");
391 vfree($1);
392 }
393 | LOGLEV
394 {
395 /*
396 * set the loglevel to the value specified
397 * in the configuration file plus the number
398 * of -d options specified on the command line
399 */
400 loglevel += $1 - oldloglevel;
401 oldloglevel = $1;
402 }
403 ;
404
405 /* padding */
406 padding_statement
407 : PADDING BOC padding_stmts EOC
408 ;
409 padding_stmts
410 : /* nothing */
411 | padding_stmts padding_stmt
412 ;
413 padding_stmt
414 : PAD_RANDOMIZE SWITCH { lcconf->pad_random = $2; } EOS
415 | PAD_RANDOMIZELEN SWITCH { lcconf->pad_randomlen = $2; } EOS
416 | PAD_MAXLEN NUMBER { lcconf->pad_maxsize = $2; } EOS
417 | PAD_STRICT SWITCH { lcconf->pad_strict = $2; } EOS
418 | PAD_EXCLTAIL SWITCH { lcconf->pad_excltail = $2; } EOS
419 ;
420
421 /* listen */
422 listen_statement
423 : LISTEN BOC listen_stmts EOC
424 ;
425 listen_stmts
426 : /* nothing */
427 | listen_stmts listen_stmt
428 ;
429 listen_stmt
430 : X_ISAKMP ike_addrinfo_port
431 {
432 listen_addr ($2, 0);
433 }
434 EOS
435 | X_ISAKMP_NATT ike_addrinfo_port
436 {
437 #ifdef ENABLE_NATT
438 listen_addr ($2, 1);
439 #else
440 yyerror("NAT-T support not compiled in.");
441 #endif
442 }
443 EOS
444 | X_ADMIN
445 {
446 yyerror("admin directive is obsoleted.");
447 }
448 PORT EOS
449 | ADMINSOCK QUOTEDSTRING QUOTEDSTRING QUOTEDSTRING NUMBER
450 {
451 #ifdef ENABLE_ADMINPORT
452 adminsock_conf($2, $3, $4, $5);
453 #else
454 yywarn("admin port support not compiled in");
455 #endif
456 }
457 EOS
458 | ADMINSOCK QUOTEDSTRING
459 {
460 #ifdef ENABLE_ADMINPORT
461 adminsock_conf($2, NULL, NULL, -1);
462 #else
463 yywarn("admin port support not compiled in");
464 #endif
465 }
466 EOS
467 | ADMINSOCK DISABLED
468 {
469 #ifdef ENABLE_ADMINPORT
470 adminsock_path = NULL;
471 #else
472 yywarn("admin port support not compiled in");
473 #endif
474 }
475 EOS
476 | STRICT_ADDRESS { lcconf->strict_address = TRUE; } EOS
477 ;
478 ike_addrinfo_port
479 : ADDRSTRING ike_port
480 {
481 char portbuf[10];
482
483 snprintf(portbuf, sizeof(portbuf), "%ld", $2);
484 $$ = str2saddr($1->v, portbuf);
485 vfree($1);
486 if (!$$)
487 return -1;
488 }
489 ;
490 ike_port
491 : /* nothing */ { $$ = PORT_ISAKMP; }
492 | PORT { $$ = $1; }
493 ;
494 /* modecfg */
495 modecfg_statement
496 : MODECFG BOC modecfg_stmts EOC
497 ;
498 modecfg_stmts
499 : /* nothing */
500 | modecfg_stmts modecfg_stmt
501 ;
502 modecfg_stmt
503 : CFG_NET4 ADDRSTRING
504 {
505 #ifdef ENABLE_HYBRID
506 if (inet_pton(AF_INET, $2->v,
507 &isakmp_cfg_config.network4) != 1)
508 yyerror("bad IPv4 network address.");
509 vfree($2);
510 #else
511 yyerror("racoon not configured with --enable-hybrid");
512 #endif
513 }
514 EOS
515 | CFG_MASK4 ADDRSTRING
516 {
517 #ifdef ENABLE_HYBRID
518 if (inet_pton(AF_INET, $2->v,
519 &isakmp_cfg_config.netmask4) != 1)
520 yyerror("bad IPv4 netmask address.");
521 vfree($2);
522 #else
523 yyerror("racoon not configured with --enable-hybrid");
524 #endif
525 }
526 EOS
527 | CFG_DNS4 addrdnslist
528 EOS
529 | CFG_NBNS4 addrwinslist
530 EOS
531 | CFG_SPLIT_NETWORK CFG_SPLIT_LOCAL splitnetlist
532 {
533 #ifdef ENABLE_HYBRID
534 isakmp_cfg_config.splitnet_type = UNITY_LOCAL_LAN;
535 #else
536 yyerror("racoon not configured with --enable-hybrid");
537 #endif
538 }
539 EOS
540 | CFG_SPLIT_NETWORK CFG_SPLIT_INCLUDE splitnetlist
541 {
542 #ifdef ENABLE_HYBRID
543 isakmp_cfg_config.splitnet_type = UNITY_SPLIT_INCLUDE;
544 #else
545 yyerror("racoon not configured with --enable-hybrid");
546 #endif
547 }
548 EOS
549 | CFG_SPLIT_DNS splitdnslist
550 {
551 #ifndef ENABLE_HYBRID
552 yyerror("racoon not configured with --enable-hybrid");
553 #endif
554 }
555 EOS
556 | CFG_DEFAULT_DOMAIN QUOTEDSTRING
557 {
558 #ifdef ENABLE_HYBRID
559 strlcpy(&isakmp_cfg_config.default_domain[0],
560 $2->v, sizeof(isakmp_cfg_config.default_domain));
561 vfree($2);
562 #else
563 yyerror("racoon not configured with --enable-hybrid");
564 #endif
565 }
566 EOS
567 | CFG_AUTH_SOURCE CFG_SYSTEM
568 {
569 #ifdef ENABLE_HYBRID
570 isakmp_cfg_config.authsource = ISAKMP_CFG_AUTH_SYSTEM;
571 #else
572 yyerror("racoon not configured with --enable-hybrid");
573 #endif
574 }
575 EOS
576 | CFG_AUTH_SOURCE CFG_RADIUS
577 {
578 #ifdef ENABLE_HYBRID
579 #ifdef HAVE_LIBRADIUS
580 isakmp_cfg_config.authsource = ISAKMP_CFG_AUTH_RADIUS;
581 #else /* HAVE_LIBRADIUS */
582 yyerror("racoon not configured with --with-libradius");
583 #endif /* HAVE_LIBRADIUS */
584 #else /* ENABLE_HYBRID */
585 yyerror("racoon not configured with --enable-hybrid");
586 #endif /* ENABLE_HYBRID */
587 }
588 EOS
589 | CFG_AUTH_SOURCE CFG_PAM
590 {
591 #ifdef ENABLE_HYBRID
592 #ifdef HAVE_LIBPAM
593 isakmp_cfg_config.authsource = ISAKMP_CFG_AUTH_PAM;
594 #else /* HAVE_LIBPAM */
595 yyerror("racoon not configured with --with-libpam");
596 #endif /* HAVE_LIBPAM */
597 #else /* ENABLE_HYBRID */
598 yyerror("racoon not configured with --enable-hybrid");
599 #endif /* ENABLE_HYBRID */
600 }
601 EOS
602 | CFG_AUTH_SOURCE CFG_LDAP
603 {
604 #ifdef ENABLE_HYBRID
605 #ifdef HAVE_LIBLDAP
606 isakmp_cfg_config.authsource = ISAKMP_CFG_AUTH_LDAP;
607 #else /* HAVE_LIBLDAP */
608 yyerror("racoon not configured with --with-libldap");
609 #endif /* HAVE_LIBLDAP */
610 #else /* ENABLE_HYBRID */
611 yyerror("racoon not configured with --enable-hybrid");
612 #endif /* ENABLE_HYBRID */
613 }
614 EOS
615 | CFG_AUTH_GROUPS authgrouplist
616 {
617 #ifndef ENABLE_HYBRID
618 yyerror("racoon not configured with --enable-hybrid");
619 #endif
620 }
621 EOS
622 | CFG_GROUP_SOURCE CFG_SYSTEM
623 {
624 #ifdef ENABLE_HYBRID
625 isakmp_cfg_config.groupsource = ISAKMP_CFG_GROUP_SYSTEM;
626 #else
627 yyerror("racoon not configured with --enable-hybrid");
628 #endif
629 }
630 EOS
631 | CFG_GROUP_SOURCE CFG_LDAP
632 {
633 #ifdef ENABLE_HYBRID
634 #ifdef HAVE_LIBLDAP
635 isakmp_cfg_config.groupsource = ISAKMP_CFG_GROUP_LDAP;
636 #else /* HAVE_LIBLDAP */
637 yyerror("racoon not configured with --with-libldap");
638 #endif /* HAVE_LIBLDAP */
639 #else /* ENABLE_HYBRID */
640 yyerror("racoon not configured with --enable-hybrid");
641 #endif /* ENABLE_HYBRID */
642 }
643 EOS
644 | CFG_ACCOUNTING CFG_NONE
645 {
646 #ifdef ENABLE_HYBRID
647 isakmp_cfg_config.accounting = ISAKMP_CFG_ACCT_NONE;
648 #else
649 yyerror("racoon not configured with --enable-hybrid");
650 #endif
651 }
652 EOS
653 | CFG_ACCOUNTING CFG_SYSTEM
654 {
655 #ifdef ENABLE_HYBRID
656 isakmp_cfg_config.accounting = ISAKMP_CFG_ACCT_SYSTEM;
657 #else
658 yyerror("racoon not configured with --enable-hybrid");
659 #endif
660 }
661 EOS
662 | CFG_ACCOUNTING CFG_RADIUS
663 {
664 #ifdef ENABLE_HYBRID
665 #ifdef HAVE_LIBRADIUS
666 isakmp_cfg_config.accounting = ISAKMP_CFG_ACCT_RADIUS;
667 #else /* HAVE_LIBRADIUS */
668 yyerror("racoon not configured with --with-libradius");
669 #endif /* HAVE_LIBRADIUS */
670 #else /* ENABLE_HYBRID */
671 yyerror("racoon not configured with --enable-hybrid");
672 #endif /* ENABLE_HYBRID */
673 }
674 EOS
675 | CFG_ACCOUNTING CFG_PAM
676 {
677 #ifdef ENABLE_HYBRID
678 #ifdef HAVE_LIBPAM
679 isakmp_cfg_config.accounting = ISAKMP_CFG_ACCT_PAM;
680 #else /* HAVE_LIBPAM */
681 yyerror("racoon not configured with --with-libpam");
682 #endif /* HAVE_LIBPAM */
683 #else /* ENABLE_HYBRID */
684 yyerror("racoon not configured with --enable-hybrid");
685 #endif /* ENABLE_HYBRID */
686 }
687 EOS
688 | CFG_POOL_SIZE NUMBER
689 {
690 #ifdef ENABLE_HYBRID
691 if (isakmp_cfg_resize_pool($2) != 0)
692 yyerror("cannot allocate memory for pool");
693 #else /* ENABLE_HYBRID */
694 yyerror("racoon not configured with --enable-hybrid");
695 #endif /* ENABLE_HYBRID */
696 }
697 EOS
698 | CFG_PFS_GROUP NUMBER
699 {
700 #ifdef ENABLE_HYBRID
701 isakmp_cfg_config.pfs_group = $2;
702 #ifndef HAVE_OPENSSL
703 if (isakmp_cfg_config.pfs_group != OAKLEY_ATTR_GRP_DESC_MODP1024
704 && isakmp_cfg_config.pfs_group != OAKLEY_ATTR_GRP_DESC_MODP1536) {
705 yyerror("PFS group must be 2 or 5");
706 return -1;
707 }
708 #endif
709 #else /* ENABLE_HYBRID */
710 yyerror("racoon not configured with --enable-hybrid");
711 #endif /* ENABLE_HYBRID */
712 }
713 EOS
714 | CFG_SAVE_PASSWD SWITCH
715 {
716 #ifdef ENABLE_HYBRID
717 isakmp_cfg_config.save_passwd = $2;
718 #else /* ENABLE_HYBRID */
719 yyerror("racoon not configured with --enable-hybrid");
720 #endif /* ENABLE_HYBRID */
721 }
722 EOS
723 | CFG_AUTH_THROTTLE NUMBER
724 {
725 #ifdef ENABLE_HYBRID
726 isakmp_cfg_config.auth_throttle = $2;
727 #else /* ENABLE_HYBRID */
728 yyerror("racoon not configured with --enable-hybrid");
729 #endif /* ENABLE_HYBRID */
730 }
731 EOS
732 | CFG_CONF_SOURCE CFG_LOCAL
733 {
734 #ifdef ENABLE_HYBRID
735 isakmp_cfg_config.confsource = ISAKMP_CFG_CONF_LOCAL;
736 #else /* ENABLE_HYBRID */
737 yyerror("racoon not configured with --enable-hybrid");
738 #endif /* ENABLE_HYBRID */
739 }
740 EOS
741 | CFG_CONF_SOURCE CFG_RADIUS
742 {
743 #ifdef ENABLE_HYBRID
744 #ifdef HAVE_LIBRADIUS
745 isakmp_cfg_config.confsource = ISAKMP_CFG_CONF_RADIUS;
746 #else /* HAVE_LIBRADIUS */
747 yyerror("racoon not configured with --with-libradius");
748 #endif /* HAVE_LIBRADIUS */
749 #else /* ENABLE_HYBRID */
750 yyerror("racoon not configured with --enable-hybrid");
751 #endif /* ENABLE_HYBRID */
752 }
753 EOS
754 | CFG_CONF_SOURCE CFG_LDAP
755 {
756 #ifdef ENABLE_HYBRID
757 #ifdef HAVE_LIBLDAP
758 isakmp_cfg_config.confsource = ISAKMP_CFG_CONF_LDAP;
759 #else /* HAVE_LIBLDAP */
760 yyerror("racoon not configured with --with-libldap");
761 #endif /* HAVE_LIBLDAP */
762 #else /* ENABLE_HYBRID */
763 yyerror("racoon not configured with --enable-hybrid");
764 #endif /* ENABLE_HYBRID */
765 }
766 EOS
767 | CFG_MOTD QUOTEDSTRING
768 {
769 #ifdef ENABLE_HYBRID
770 strlcpy(&isakmp_cfg_config.motd[0], $2->v, sizeof(isakmp_cfg_config.motd));
771 vfree($2);
772 #else
773 yyerror("racoon not configured with --enable-hybrid");
774 #endif
775 }
776 EOS
777 ;
778
779 addrdnslist
780 : addrdns
781 | addrdns COMMA addrdnslist
782 ;
783 addrdns
784 : ADDRSTRING
785 {
786 #ifdef ENABLE_HYBRID
787 struct isakmp_cfg_config *icc = &isakmp_cfg_config;
788
789 if (icc->dns4_index > MAXNS)
790 yyerror("No more than %d DNS", MAXNS);
791 if (inet_pton(AF_INET, $1->v,
792 &icc->dns4[icc->dns4_index++]) != 1)
793 yyerror("bad IPv4 DNS address.");
794
795 vfree($1);
796 #else
797 yyerror("racoon not configured with --enable-hybrid");
798 #endif
799 }
800 ;
801
802 addrwinslist
803 : addrwins
804 | addrwins COMMA addrwinslist
805 ;
806 addrwins
807 : ADDRSTRING
808 {
809 #ifdef ENABLE_HYBRID
810 struct isakmp_cfg_config *icc = &isakmp_cfg_config;
811
812 if (icc->nbns4_index > MAXWINS)
813 yyerror("No more than %d WINS", MAXWINS);
814 if (inet_pton(AF_INET, $1->v,
815 &icc->nbns4[icc->nbns4_index++]) != 1)
816 yyerror("bad IPv4 WINS address.");
817
818 vfree($1);
819 #else
820 yyerror("racoon not configured with --enable-hybrid");
821 #endif
822 }
823 ;
824
825 splitnetlist
826 : splitnet
827 | splitnetlist COMMA splitnet
828 ;
829 splitnet
830 : ADDRSTRING PREFIX
831 {
832 #ifdef ENABLE_HYBRID
833 struct isakmp_cfg_config *icc = &isakmp_cfg_config;
834 struct unity_network network;
835
836 if (inet_pton(AF_INET, $1->v, &network.addr4) != 1)
837 yyerror("bad IPv4 SPLIT address.");
838
839 /* Turn $2 (the prefix) into a subnet mask */
840 network.mask4.s_addr = ($2) ? htonl(~((1 << (32 - $2)) - 1)) : 0;
841
842 /* add the network to our list */
843 if (splitnet_list_add(&icc->splitnet_list, &network,&icc->splitnet_count))
844 yyerror("Unable to allocate split network");
845
846 vfree($1);
847 #else
848 yyerror("racoon not configured with --enable-hybrid");
849 #endif
850 }
851 ;
852
853 authgrouplist
854 : authgroup
855 | authgroup COMMA authgrouplist
856 ;
857 authgroup
858 : QUOTEDSTRING
859 {
860 #ifdef ENABLE_HYBRID
861 char * groupname = NULL;
862 char ** grouplist = NULL;
863 struct isakmp_cfg_config *icc = &isakmp_cfg_config;
864
865 grouplist = racoon_realloc(icc->grouplist,
866 sizeof(char**)*(icc->groupcount+1));
867 if (grouplist == NULL)
868 yyerror("unable to allocate auth group list");
869
870 groupname = racoon_malloc($1->l+1);
871 if (groupname == NULL)
872 yyerror("unable to allocate auth group name");
873
874 memcpy(groupname,$1->v,$1->l);
875 groupname[$1->l]=0;
876 grouplist[icc->groupcount]=groupname;
877 icc->grouplist = grouplist;
878 icc->groupcount++;
879
880 vfree($1);
881 #else
882 yyerror("racoon not configured with --enable-hybrid");
883 #endif
884 }
885 ;
886
887 splitdnslist
888 : splitdns
889 | splitdns COMMA splitdnslist
890 ;
891 splitdns
892 : QUOTEDSTRING
893 {
894 #ifdef ENABLE_HYBRID
895 struct isakmp_cfg_config *icc = &isakmp_cfg_config;
896
897 if (!icc->splitdns_len)
898 {
899 icc->splitdns_list = racoon_malloc($1->l);
900 if(icc->splitdns_list == NULL)
901 yyerror("error allocating splitdns list buffer");
902 memcpy(icc->splitdns_list,$1->v,$1->l);
903 icc->splitdns_len = $1->l;
904 }
905 else
906 {
907 int len = icc->splitdns_len + $1->l + 1;
908 icc->splitdns_list = racoon_realloc(icc->splitdns_list,len);
909 if(icc->splitdns_list == NULL)
910 yyerror("error allocating splitdns list buffer");
911 icc->splitdns_list[icc->splitdns_len] = ',';
912 memcpy(icc->splitdns_list + icc->splitdns_len + 1, $1->v, $1->l);
913 icc->splitdns_len = len;
914 }
915 vfree($1);
916 #else
917 yyerror("racoon not configured with --enable-hybrid");
918 #endif
919 }
920 ;
921
922
923 /* timer */
924 timer_statement
925 : RETRY BOC timer_stmts EOC
926 ;
927 timer_stmts
928 : /* nothing */
929 | timer_stmts timer_stmt
930 ;
931 timer_stmt
932 : RETRY_COUNTER NUMBER
933 {
934 lcconf->retry_counter = $2;
935 }
936 EOS
937 | RETRY_INTERVAL NUMBER unittype_time
938 {
939 lcconf->retry_interval = $2 * $3;
940 }
941 EOS
942 | RETRY_PERSEND NUMBER
943 {
944 lcconf->count_persend = $2;
945 }
946 EOS
947 | RETRY_PHASE1 NUMBER unittype_time
948 {
949 lcconf->retry_checkph1 = $2 * $3;
950 }
951 EOS
952 | RETRY_PHASE2 NUMBER unittype_time
953 {
954 lcconf->wait_ph2complete = $2 * $3;
955 }
956 EOS
957 | AUTO_EXIT_DELAY NUMBER unittype_time
958 {
959 lcconf->auto_exit_delay = $2 * $3;
960 lcconf->auto_exit_state |= LC_AUTOEXITSTATE_SET;
961 }
962 EOS
963
964 | NATT_KA NUMBER unittype_time
965 {
966 #ifdef ENABLE_NATT
967 lcconf->natt_ka_interval = $2 * $3;
968 #else
969 yyerror("NAT-T support not compiled in.");
970 #endif
971 }
972 EOS
973 ;
974
975 /* sainfo */
976 sainfo_statement
977 : SAINFO
978 {
979 cur_sainfo = newsainfo();
980 if (cur_sainfo == NULL) {
981 yyerror("failed to allocate sainfo");
982 return -1;
983 }
984 }
985 sainfo_name sainfo_param BOC sainfo_specs
986 {
987 struct sainfo *check;
988
989 /* default */
990 if (cur_sainfo->algs[algclass_ipsec_enc] == 0) {
991 yyerror("no encryption algorithm at %s",
992 sainfo2str(cur_sainfo));
993 return -1;
994 }
995 if (cur_sainfo->algs[algclass_ipsec_auth] == 0) {
996 yyerror("no authentication algorithm at %s",
997 sainfo2str(cur_sainfo));
998 return -1;
999 }
1000 if (cur_sainfo->algs[algclass_ipsec_comp] == 0) {
1001 yyerror("no compression algorithm at %s",
1002 sainfo2str(cur_sainfo));
1003 return -1;
1004 }
1005
1006 /* duplicate check */
1007 check = getsainfo(cur_sainfo->idsrc,
1008 cur_sainfo->iddst,
1009 cur_sainfo->id_i, 0);
1010 if (check && (!check->idsrc && !cur_sainfo->idsrc)) {
1011 yyerror("duplicated sainfo: %s",
1012 sainfo2str(cur_sainfo));
1013 return -1;
1014 }
1015 inssainfo(cur_sainfo);
1016 }
1017 EOC
1018 ;
1019 sainfo_name
1020 : ANONYMOUS
1021 {
1022 cur_sainfo->idsrc = NULL;
1023 cur_sainfo->iddst = NULL;
1024 }
1025 | ANONYMOUS sainfo_id
1026 {
1027 cur_sainfo->idsrc = NULL;
1028 cur_sainfo->iddst = $2;
1029 }
1030 | sainfo_id ANONYMOUS
1031 {
1032 cur_sainfo->idsrc = $1;
1033 cur_sainfo->iddst = NULL;
1034 }
1035 | sainfo_id sainfo_id
1036 {
1037 cur_sainfo->idsrc = $1;
1038 cur_sainfo->iddst = $2;
1039 }
1040 ;
1041 sainfo_id
1042 : IDENTIFIERTYPE ADDRSTRING prefix port ul_proto
1043 {
1044 char portbuf[10];
1045 struct sockaddr *saddr;
1046
1047 if (($5 == IPPROTO_ICMP || $5 == IPPROTO_ICMPV6)
1048 && ($4 != IPSEC_PORT_ANY || $4 != IPSEC_PORT_ANY)) {
1049 yyerror("port number must be \"any\".");
1050 return -1;
1051 }
1052
1053 snprintf(portbuf, sizeof(portbuf), "%lu", $4);
1054 saddr = str2saddr($2->v, portbuf);
1055 vfree($2);
1056 if (saddr == NULL)
1057 return -1;
1058
1059 switch (saddr->sa_family) {
1060 case AF_INET:
1061 if ($5 == IPPROTO_ICMPV6) {
1062 yyerror("upper layer protocol mismatched.\n");
1063 racoon_free(saddr);
1064 return -1;
1065 }
1066 $$ = ipsecdoi_sockaddr2id(saddr,
1067 $3 == ~0 ? (sizeof(struct in_addr) << 3): $3,
1068 $5);
1069 break;
1070 #ifdef INET6
1071 case AF_INET6:
1072 if ($5 == IPPROTO_ICMP) {
1073 yyerror("upper layer protocol mismatched.\n");
1074 racoon_free(saddr);
1075 return -1;
1076 }
1077 $$ = ipsecdoi_sockaddr2id(saddr,
1078 $3 == ~0 ? (sizeof(struct in6_addr) << 3): $3,
1079 $5);
1080 break;
1081 #endif
1082 default:
1083 yyerror("invalid family: %d", saddr->sa_family);
1084 $$ = NULL;
1085 break;
1086 }
1087 racoon_free(saddr);
1088 if ($$ == NULL)
1089 return -1;
1090 }
1091 | IDENTIFIERTYPE ADDRSTRING ADDRRANGE prefix port ul_proto
1092 {
1093 char portbuf[10];
1094 struct sockaddr *laddr = NULL, *haddr = NULL;
1095 char *cur = NULL;
1096
1097 if (($6 == IPPROTO_ICMP || $6 == IPPROTO_ICMPV6)
1098 && ($5 != IPSEC_PORT_ANY || $5 != IPSEC_PORT_ANY)) {
1099 yyerror("port number must be \"any\".");
1100 return -1;
1101 }
1102
1103 snprintf(portbuf, sizeof(portbuf), "%lu", $5);
1104
1105 laddr = str2saddr($2->v, portbuf);
1106 if (laddr == NULL) {
1107 return -1;
1108 }
1109 vfree($2);
1110 haddr = str2saddr($3->v, portbuf);
1111 if (haddr == NULL) {
1112 racoon_free(laddr);
1113 return -1;
1114 }
1115 vfree($3);
1116
1117 switch (laddr->sa_family) {
1118 case AF_INET:
1119 if ($6 == IPPROTO_ICMPV6) {
1120 yyerror("upper layer protocol mismatched.\n");
1121 if (laddr)
1122 racoon_free(laddr);
1123 if (haddr)
1124 racoon_free(haddr);
1125 return -1;
1126 }
1127 $$ = ipsecdoi_sockrange2id(laddr, haddr,
1128 $6);
1129 break;
1130 #ifdef INET6
1131 case AF_INET6:
1132 if ($6 == IPPROTO_ICMP) {
1133 yyerror("upper layer protocol mismatched.\n");
1134 if (laddr)
1135 racoon_free(laddr);
1136 if (haddr)
1137 racoon_free(haddr);
1138 return -1;
1139 }
1140 $$ = ipsecdoi_sockrange2id(laddr, haddr,
1141 $6);
1142 break;
1143 #endif
1144 default:
1145 yyerror("invalid family: %d", laddr->sa_family);
1146 $$ = NULL;
1147 break;
1148 }
1149 if (laddr)
1150 racoon_free(laddr);
1151 if (haddr)
1152 racoon_free(haddr);
1153 if ($$ == NULL)
1154 return -1;
1155 }
1156 | IDENTIFIERTYPE QUOTEDSTRING
1157 {
1158 struct ipsecdoi_id_b *id_b;
1159
1160 if ($1 == IDTYPE_ASN1DN) {
1161 yyerror("id type forbidden: %d", $1);
1162 $$ = NULL;
1163 return -1;
1164 }
1165
1166 $2->l--;
1167
1168 $$ = vmalloc(sizeof(*id_b) + $2->l);
1169 if ($$ == NULL) {
1170 yyerror("failed to allocate identifier");
1171 return -1;
1172 }
1173
1174 id_b = (struct ipsecdoi_id_b *)$$->v;
1175 id_b->type = idtype2doi($1);
1176
1177 id_b->proto_id = 0;
1178 id_b->port = 0;
1179
1180 memcpy($$->v + sizeof(*id_b), $2->v, $2->l);
1181 }
1182 ;
1183 sainfo_param
1184 : /* nothing */
1185 {
1186 cur_sainfo->id_i = NULL;
1187 }
1188
1189 | FROM IDENTIFIERTYPE identifierstring
1190 {
1191 struct ipsecdoi_id_b *id_b;
1192 vchar_t *idv;
1193
1194 if (set_identifier(&idv, $2, $3) != 0) {
1195 yyerror("failed to set identifer.\n");
1196 return -1;
1197 }
1198 cur_sainfo->id_i = vmalloc(sizeof(*id_b) + idv->l);
1199 if (cur_sainfo->id_i == NULL) {
1200 yyerror("failed to allocate identifier");
1201 return -1;
1202 }
1203
1204 id_b = (struct ipsecdoi_id_b *)cur_sainfo->id_i->v;
1205 id_b->type = idtype2doi($2);
1206
1207 id_b->proto_id = 0;
1208 id_b->port = 0;
1209
1210 memcpy(cur_sainfo->id_i->v + sizeof(*id_b),
1211 idv->v, idv->l);
1212 vfree(idv);
1213 }
1214 | GROUP QUOTEDSTRING
1215 {
1216 #ifdef ENABLE_HYBRID
1217 if ((cur_sainfo->group = vdup($2)) == NULL) {
1218 yyerror("failed to set sainfo xauth group.\n");
1219 return -1;
1220 }
1221 #else
1222 yyerror("racoon not configured with --enable-hybrid");
1223 return -1;
1224 #endif
1225 }
1226 ;
1227 sainfo_specs
1228 : /* nothing */
1229 | sainfo_specs sainfo_spec
1230 ;
1231 sainfo_spec
1232 : PFS_GROUP dh_group_num
1233 {
1234 cur_sainfo->pfs_group = $2;
1235 #ifndef HAVE_OPENSSL
1236 if (cur_sainfo->pfs_group != OAKLEY_ATTR_GRP_DESC_MODP1024
1237 && cur_sainfo->pfs_group != OAKLEY_ATTR_GRP_DESC_MODP1536) {
1238 yyerror("PFS group must be 2 or 5");
1239 return -1;
1240 }
1241 #endif
1242 }
1243 EOS
1244 | LIFETIME LIFETYPE_TIME NUMBER unittype_time
1245 {
1246 cur_sainfo->lifetime = $3 * $4;
1247 }
1248 EOS
1249 | LIFETIME LIFETYPE_BYTE NUMBER unittype_byte
1250 {
1251 #if 1
1252 yyerror("byte lifetime support is deprecated");
1253 return -1;
1254 #else
1255 cur_sainfo->lifebyte = fix_lifebyte($3 * $4);
1256 if (cur_sainfo->lifebyte == 0)
1257 return -1;
1258 #endif
1259 }
1260 EOS
1261 | ALGORITHM_CLASS {
1262 cur_algclass = $1;
1263 }
1264 algorithms EOS
1265 | IDENTIFIER IDENTIFIERTYPE
1266 {
1267 yyerror("it's deprecated to specify a identifier in phase 2");
1268 }
1269 EOS
1270 | MY_IDENTIFIER IDENTIFIERTYPE QUOTEDSTRING
1271 {
1272 yyerror("it's deprecated to specify a identifier in phase 2");
1273 }
1274 EOS
1275 ;
1276
1277 algorithms
1278 : algorithm
1279 {
1280 inssainfoalg(&cur_sainfo->algs[cur_algclass], $1);
1281 }
1282 | algorithm
1283 {
1284 inssainfoalg(&cur_sainfo->algs[cur_algclass], $1);
1285 }
1286 COMMA algorithms
1287 ;
1288 algorithm
1289 : ALGORITHMTYPE keylength
1290 {
1291 int defklen;
1292
1293 $$ = newsainfoalg();
1294 if ($$ == NULL) {
1295 yyerror("failed to get algorithm allocation");
1296 return -1;
1297 }
1298
1299 $$->alg = algtype2doi(cur_algclass, $1);
1300 if ($$->alg == -1) {
1301 yyerror("algorithm mismatched");
1302 racoon_free($$);
1303 $$ = NULL;
1304 return -1;
1305 }
1306
1307 defklen = default_keylen(cur_algclass, $1);
1308 if (defklen == 0) {
1309 if ($2) {
1310 yyerror("keylen not allowed");
1311 racoon_free($$);
1312 $$ = NULL;
1313 return -1;
1314 }
1315 } else {
1316 if ($2 && check_keylen(cur_algclass, $1, $2) < 0) {
1317 yyerror("invalid keylen %d", $2);
1318 racoon_free($$);
1319 $$ = NULL;
1320 return -1;
1321 }
1322 }
1323
1324 if ($2)
1325 $$->encklen = $2;
1326 else
1327 $$->encklen = defklen;
1328
1329 /* check if it's supported algorithm by kernel */
1330 if (!(cur_algclass == algclass_ipsec_auth && $1 == algtype_non_auth)
1331 && pk_checkalg(cur_algclass, $1, $$->encklen)) {
1332 int a = algclass2doi(cur_algclass);
1333 int b = algtype2doi(cur_algclass, $1);
1334 if (a == IPSECDOI_ATTR_AUTH)
1335 a = IPSECDOI_PROTO_IPSEC_AH;
1336 yyerror("algorithm %s not supported by the kernel (missing module?)",
1337 s_ipsecdoi_trns(a, b));
1338 racoon_free($$);
1339 $$ = NULL;
1340 return -1;
1341 }
1342 }
1343 ;
1344 prefix
1345 : /* nothing */ { $$ = ~0; }
1346 | PREFIX { $$ = $1; }
1347 ;
1348 port
1349 : /* nothing */ { $$ = IPSEC_PORT_ANY; }
1350 | PORT { $$ = $1; }
1351 | PORTANY { $$ = IPSEC_PORT_ANY; }
1352 ;
1353 ul_proto
1354 : NUMBER { $$ = $1; }
1355 | UL_PROTO { $$ = $1; }
1356 | ANY { $$ = IPSEC_ULPROTO_ANY; }
1357 ;
1358 keylength
1359 : /* nothing */ { $$ = 0; }
1360 | NUMBER { $$ = $1; }
1361 ;
1362
1363 /* remote */
1364 remote_statement
1365 : REMOTE remote_index INHERIT remote_index
1366 {
1367 struct remoteconf *new;
1368 struct proposalspec *prspec;
1369
1370 new = copyrmconf($4);
1371 if (new == NULL) {
1372 yyerror("failed to get remoteconf for %s.", saddr2str ($4));
1373 return -1;
1374 }
1375
1376 new->remote = $2;
1377 new->inherited_from = getrmconf_strict($4, 1);
1378 new->proposal = NULL;
1379 new->prhead = NULL;
1380 cur_rmconf = new;
1381
1382 prspec = newprspec();
1383 if (prspec == NULL || !cur_rmconf->inherited_from
1384 || !cur_rmconf->inherited_from->proposal)
1385 return -1;
1386 prspec->lifetime = cur_rmconf->inherited_from->proposal->lifetime;
1387 prspec->lifebyte = cur_rmconf->inherited_from->proposal->lifebyte;
1388 insprspec(prspec, &cur_rmconf->prhead);
1389 }
1390 remote_specs_block
1391 | REMOTE remote_index
1392 {
1393 struct remoteconf *new;
1394 struct proposalspec *prspec;
1395
1396 new = newrmconf();
1397 if (new == NULL) {
1398 yyerror("failed to get new remoteconf.");
1399 return -1;
1400 }
1401
1402 new->remote = $2;
1403 cur_rmconf = new;
1404
1405 prspec = newprspec();
1406 if (prspec == NULL)
1407 return -1;
1408 prspec->lifetime = oakley_get_defaultlifetime();
1409 insprspec(prspec, &cur_rmconf->prhead);
1410 }
1411 remote_specs_block
1412 ;
1413
1414 remote_specs_block
1415 : BOC remote_specs EOC
1416 {
1417 /* check a exchange mode */
1418 if (cur_rmconf->etypes == NULL) {
1419 yyerror("no exchange mode specified.\n");
1420 return -1;
1421 }
1422
1423 if (cur_rmconf->idvtype == IDTYPE_UNDEFINED)
1424 cur_rmconf->idvtype = IDTYPE_ADDRESS;
1425
1426
1427 if (cur_rmconf->idvtype == IDTYPE_ASN1DN) {
1428 if (cur_rmconf->mycertfile
1429 || cur_rmconf->identity_in_keychain)
1430 {
1431 if (cur_rmconf->idv)
1432 yywarn("Both CERT and ASN1 ID "
1433 "are set. Hope this is OK.\n");
1434 /* TODO: Preparse the DN here */
1435 } else if (cur_rmconf->idv) {
1436 /* OK, using asn1dn without X.509. */
1437 } else {
1438 yyerror("ASN1 ID not specified "
1439 "and no CERT defined!\n");
1440 return -1;
1441 }
1442 }
1443
1444 if (cur_rmconf->cert_verification_option == VERIFICATION_OPTION_PEERS_IDENTIFIER) {
1445 struct genlist_entry *gpb;
1446 if (genlist_next(cur_rmconf->idvl_p, &gpb) == NULL) {
1447 yyerror("peers_identifier required for specified certificate "
1448 "verification option.\n");
1449 return -1;
1450 }
1451 }
1452
1453 if (cur_rmconf->prhead->spspec == NULL
1454 && cur_rmconf->inherited_from
1455 && cur_rmconf->inherited_from->prhead) {
1456 cur_rmconf->prhead->spspec = cur_rmconf->inherited_from->prhead->spspec;
1457 }
1458 if (set_isakmp_proposal(cur_rmconf, cur_rmconf->prhead) != 0)
1459 return -1;
1460
1461 /* DH group settting if aggressive mode is there. */
1462 if (check_etypeok(cur_rmconf, ISAKMP_ETYPE_AGG) != NULL) {
1463 struct isakmpsa *p;
1464 int b = 0;
1465
1466 /* DH group */
1467 for (p = cur_rmconf->proposal; p; p = p->next) {
1468 if (b == 0 || (b && b == p->dh_group)) {
1469 b = p->dh_group;
1470 continue;
1471 }
1472 yyerror("DH group must be equal "
1473 "in all proposals "
1474 "when aggressive mode is "
1475 "used.\n");
1476 return -1;
1477 }
1478 cur_rmconf->dh_group = b;
1479
1480 if (cur_rmconf->dh_group == 0) {
1481 yyerror("DH group must be set in the proposal.\n");
1482 return -1;
1483 }
1484
1485 /* DH group settting if PFS is required. */
1486 if (oakley_setdhgroup(cur_rmconf->dh_group,
1487 &cur_rmconf->dhgrp) < 0) {
1488 yyerror("failed to set DH value.\n");
1489 return -1;
1490 }
1491 }
1492
1493 insrmconf(cur_rmconf);
1494 }
1495 ;
1496 remote_index
1497 : ANONYMOUS ike_port
1498 {
1499 $$ = newsaddr(sizeof(struct sockaddr));
1500 $$->sa_family = AF_UNSPEC;
1501 ((struct sockaddr_in *)$$)->sin_port = htons($2);
1502 }
1503 | ike_addrinfo_port
1504 {
1505 $$ = $1;
1506 if ($$ == NULL) {
1507 yyerror("failed to allocate sockaddr");
1508 return -1;
1509 }
1510 }
1511 ;
1512 remote_specs
1513 : /* nothing */
1514 | remote_specs remote_spec
1515 ;
1516 remote_spec
1517 : EXCHANGE_MODE
1518 {
1519 cur_rmconf->etypes = NULL;
1520 }
1521 exchange_types EOS
1522 | DOI DOITYPE { cur_rmconf->doitype = $2; } EOS
1523 | SITUATION SITUATIONTYPE { cur_rmconf->sittype = $2; } EOS
1524 | CERTIFICATE_TYPE cert_spec
1525 | PEERS_CERTFILE QUOTEDSTRING
1526 {
1527 #ifdef HAVE_OPENSSL
1528 yywarn("This directive without certtype will be removed!\n");
1529 yywarn("Please use 'peers_certfile x509 \"%s\";' instead\n", $2->v);
1530 cur_rmconf->getcert_method = ISAKMP_GETCERT_LOCALFILE;
1531
1532 if (cur_rmconf->peerscertfile != NULL)
1533 racoon_free(cur_rmconf->peerscertfile);
1534 cur_rmconf->peerscertfile = racoon_strdup($2->v);
1535 STRDUP_FATAL(cur_rmconf->peerscertfile);
1536 vfree($2);
1537 #else
1538 yyerror("cert files not supported.\n");
1539 return -1;
1540 #endif
1541 }
1542 EOS
1543 | CA_TYPE CERT_X509 QUOTEDSTRING
1544 {
1545 #ifdef HAVE_OPENSSL
1546 cur_rmconf->cacerttype = $2;
1547 cur_rmconf->getcacert_method = ISAKMP_GETCERT_LOCALFILE;
1548 if (cur_rmconf->cacertfile != NULL)
1549 racoon_free(cur_rmconf->cacertfile);
1550 cur_rmconf->cacertfile = racoon_strdup($3->v);
1551 STRDUP_FATAL(cur_rmconf->cacertfile);
1552 vfree($3);
1553 #else
1554 yyerror("cert files not supported.\n");
1555 return -1;
1556 #endif
1557
1558 }
1559 EOS
1560 | PEERS_CERTFILE CERT_X509 QUOTEDSTRING
1561 {
1562 #ifdef HAVE_OPENSSL
1563 cur_rmconf->getcert_method = ISAKMP_GETCERT_LOCALFILE;
1564 if (cur_rmconf->peerscertfile != NULL)
1565 racoon_free(cur_rmconf->peerscertfile);
1566 cur_rmconf->peerscertfile = racoon_strdup($3->v);
1567 STRDUP_FATAL(cur_rmconf->peerscertfile);
1568 vfree($3);
1569 #else
1570 yyerror("cert files not supported.\n");
1571 return -1;
1572 #endif
1573
1574 }
1575 EOS
1576 | PEERS_CERTFILE CERT_PLAINRSA QUOTEDSTRING
1577 {
1578 #ifdef HAVE_OPENSSL
1579 char path[MAXPATHLEN];
1580 int ret = 0;
1581
1582 getpathname(path, sizeof(path),
1583 LC_PATHTYPE_CERT, $3->v);
1584 vfree($3);
1585
1586 if (cur_rmconf->getcert_method == ISAKMP_GETCERT_DNS) {
1587 yyerror("Different peers_certfile method "
1588 "already defined: %d!\n",
1589 cur_rmconf->getcert_method);
1590 return -1;
1591 }
1592 cur_rmconf->getcert_method = ISAKMP_GETCERT_LOCALFILE;
1593 if (rsa_parse_file(cur_rmconf->rsa_public, path, RSA_TYPE_PUBLIC)) {
1594 yyerror("Couldn't parse keyfile.\n", path);
1595 return -1;
1596 }
1597 plog(LLV_DEBUG, LOCATION, NULL, "Public PlainRSA keyfile parsed: %s\n", path);
1598 #else
1599 yyerror("plainrsa not supported.\n");
1600 return -1;
1601 #endif
1602 }
1603 EOS
1604 | PEERS_CERTFILE DNSSEC
1605 {
1606 if (cur_rmconf->getcert_method) {
1607 yyerror("Different peers_certfile method already defined!\n");
1608 return -1;
1609 }
1610 cur_rmconf->getcert_method = ISAKMP_GETCERT_DNS;
1611 cur_rmconf->peerscertfile = NULL;
1612 }
1613 EOS
1614 | VERIFY_CERT SWITCH { cur_rmconf->verify_cert = $2; } EOS
1615 | SEND_CERT SWITCH { cur_rmconf->send_cert = $2; } EOS
1616 | SEND_CR SWITCH { cur_rmconf->send_cr = $2; } EOS
1617 | CERTIFICATE_VERIFICATION VERIFICATION_MODULE
1618 {
1619 cur_rmconf->cert_verification = $2;
1620 } EOS
1621 | CERTIFICATE_VERIFICATION VERIFICATION_MODULE VERIFICATION_OPTION
1622 {
1623 cur_rmconf->cert_verification = $2;
1624 cur_rmconf->cert_verification_option = $3;
1625 }
1626 EOS
1627 | OPEN_DIR_AUTH_GROUP QUOTEDSTRING
1628 {
1629 #if HAVE_OPENDIR
1630 cur_rmconf->open_dir_auth_group = $2;
1631 #else
1632 yyerror("Apple specific features not compiled in.");
1633 return -1;
1634 #endif
1635 } EOS
1636 | MY_IDENTIFIER IDENTIFIERTYPE identifierstring
1637 {
1638 if (set_identifier(&cur_rmconf->idv, $2, $3) != 0) {
1639 yyerror("failed to set identifer.\n");
1640 vfree($3); //%%% BUG FIX - memory leak
1641 return -1;
1642 }
1643 vfree($3); //%%% BUG FIX - memory leak
1644 cur_rmconf->idvtype = $2;
1645 }
1646 EOS
1647 | MY_IDENTIFIER IDENTIFIERTYPE IDENTIFIERQUAL identifierstring
1648 {
1649 if (set_identifier_qual(&cur_rmconf->idv, $2, $4, $3) != 0) {
1650 yyerror("failed to set identifer.\n");
1651 return -1;
1652 }
1653 cur_rmconf->idvtype = $2;
1654 }
1655 EOS
1656 | XAUTH_LOGIN identifierstring
1657 {
1658 #ifdef ENABLE_HYBRID
1659 /* formerly identifier type login */
1660 if (xauth_rmconf_used(&cur_rmconf->xauth) == -1) {
1661 yyerror("failed to allocate xauth state\n");
1662 return -1;
1663 }
1664 if ((cur_rmconf->xauth->login = vdup($2)) == NULL) {
1665 yyerror("failed to set identifer.\n");
1666 return -1;
1667 }
1668 vfree($2); //%%% BUG FIX - memory leak
1669 #else
1670 yyerror("racoon not configured with --enable-hybrid");
1671 #endif
1672 }
1673 EOS
1674 | PEERS_IDENTIFIER IDENTIFIERTYPE identifierstring
1675 {
1676 struct idspec *id;
1677 id = newidspec();
1678 if (id == NULL) {
1679 yyerror("failed to allocate idspec");
1680 return -1;
1681 }
1682 if (set_identifier(&id->id, $2, $3) != 0) {
1683 yyerror("failed to set identifer.\n");
1684 racoon_free(id);
1685 vfree($3); //%%% BUG FIX - memory leak
1686 return -1;
1687 }
1688 vfree($3); //%%% BUG FIX - memory leak
1689 id->idtype = $2;
1690 genlist_append (cur_rmconf->idvl_p, id);
1691 }
1692 EOS
1693 | PEERS_IDENTIFIER IDENTIFIERTYPE IDENTIFIERQUAL identifierstring
1694 {
1695 struct idspec *id;
1696 id = newidspec();
1697 if (id == NULL) {
1698 yyerror("failed to allocate idspec");
1699 return -1;
1700 }
1701 if (set_identifier_qual(&id->id, $2, $4, $3) != 0) {
1702 yyerror("failed to set identifer.\n");
1703 racoon_free(id);
1704 return -1;
1705 }
1706 id->idtype = $2;
1707 genlist_append (cur_rmconf->idvl_p, id);
1708 }
1709 EOS
1710 | VERIFY_IDENTIFIER SWITCH { cur_rmconf->verify_identifier = $2; } EOS
1711 | SHARED_SECRET SECRETTYPE QUOTEDSTRING
1712 {
1713 cur_rmconf->secrettype = $2;
1714 cur_rmconf->shared_secret = $3;
1715 } EOS
1716 | SHARED_SECRET SECRETTYPE
1717 {
1718 if ($2 != SECRETTYPE_KEYCHAIN_BY_ID) {
1719 yyerror("shared secret value missing.\n");
1720 return -1;
1721 }
1722 cur_rmconf->secrettype = $2;
1723 } EOS
1724 | NONCE_SIZE NUMBER { cur_rmconf->nonce_size = $2; } EOS
1725 | DH_GROUP
1726 {
1727 yyerror("dh_group cannot be defined here.");
1728 return -1;
1729 }
1730 dh_group_num EOS
1731 | PASSIVE SWITCH { cur_rmconf->passive = $2; } EOS
1732 | IKE_FRAG SWITCH { cur_rmconf->ike_frag = $2; } EOS
1733 | IKE_FRAG REMOTE_FORCE_LEVEL { cur_rmconf->ike_frag = ISAKMP_FRAG_FORCE; } EOS
1734 | ESP_FRAG NUMBER {
1735 #ifdef SADB_X_EXT_NAT_T_FRAG
1736 if (libipsec_opt & LIBIPSEC_OPT_FRAG)
1737 cur_rmconf->esp_frag = $2;
1738 else
1739 yywarn("libipsec lacks IKE frag support");
1740 #else
1741 yywarn("Your kernel does not support esp_frag");
1742 #endif
1743 } EOS
1744 | SCRIPT QUOTEDSTRING PHASE1_UP {
1745 if (cur_rmconf->script[SCRIPT_PHASE1_UP] != NULL)
1746 vfree(cur_rmconf->script[SCRIPT_PHASE1_UP]);
1747
1748 cur_rmconf->script[SCRIPT_PHASE1_UP] =
1749 script_path_add(vdup($2));
1750 } EOS
1751 | SCRIPT QUOTEDSTRING PHASE1_DOWN {
1752 if (cur_rmconf->script[SCRIPT_PHASE1_DOWN] != NULL)
1753 vfree(cur_rmconf->script[SCRIPT_PHASE1_DOWN]);
1754
1755 cur_rmconf->script[SCRIPT_PHASE1_DOWN] =
1756 script_path_add(vdup($2));
1757 } EOS
1758 | MODE_CFG SWITCH { cur_rmconf->mode_cfg = $2; } EOS
1759 | WEAK_PHASE1_CHECK SWITCH {
1760 cur_rmconf->weak_phase1_check = $2;
1761 } EOS
1762 | GENERATE_POLICY SWITCH { cur_rmconf->gen_policy = $2; } EOS
1763 | GENERATE_POLICY GENERATE_LEVEL { cur_rmconf->gen_policy = $2; } EOS
1764 | SUPPORT_PROXY SWITCH { cur_rmconf->support_proxy = $2; } EOS
1765 | INITIAL_CONTACT SWITCH { cur_rmconf->ini_contact = $2; } EOS
1766 | NAT_TRAVERSAL SWITCH
1767 {
1768 #ifdef ENABLE_NATT
1769 cur_rmconf->nat_traversal = $2;
1770 #else
1771 yyerror("NAT-T support not compiled in.");
1772 #endif
1773 } EOS
1774 | NAT_TRAVERSAL NAT_TRAVERSAL_LEVEL
1775 {
1776 #ifdef ENABLE_NATT
1777 cur_rmconf->nat_traversal = $2;
1778 #else
1779 yyerror("NAT-T support not compiled in.");
1780 #endif
1781 } EOS
1782 | NAT_TRAVERSAL_MULTI_USER SWITCH
1783 {
1784 #ifdef ENABLE_NATT
1785 cur_rmconf->natt_multiple_user = $2;
1786 #else
1787 yyerror("NAT-T support not compiled in.");
1788 #endif
1789 } EOS
1790 | NAT_TRAVERSAL_KEEPALIVE SWITCH
1791 {
1792 #ifdef ENABLE_NATT
1793 cur_rmconf->natt_keepalive = $2;
1794 #else
1795 yyerror("NAT-T support not compiled in.");
1796 #endif
1797 } EOS
1798 | DPD SWITCH
1799 {
1800 #ifdef ENABLE_DPD
1801 cur_rmconf->dpd = $2;
1802 #else
1803 yyerror("DPD support not compiled in.");
1804 #endif
1805 } EOS
1806 | DPD_DELAY NUMBER
1807 {
1808 #ifdef ENABLE_DPD
1809 cur_rmconf->dpd_interval = $2;
1810 #else
1811 yyerror("DPD support not compiled in.");
1812 #endif
1813 }
1814 EOS
1815 | DPD_RETRY NUMBER
1816 {
1817 #ifdef ENABLE_DPD
1818 cur_rmconf->dpd_retry = $2;
1819 #else
1820 yyerror("DPD support not compiled in.");
1821 #endif
1822 }
1823 EOS
1824 | DPD_MAXFAIL NUMBER
1825 {
1826 #ifdef ENABLE_DPD
1827 cur_rmconf->dpd_maxfails = $2;
1828 #else
1829 yyerror("DPD support not compiled in.");
1830 #endif
1831 }
1832 EOS
1833 | DPD_ALGORITHM dpd_algo_type
1834 {
1835 #ifdef ENABLE_DPD
1836 cur_rmconf->dpd_algo = $2;
1837 #else
1838 yyerror("DPD support not compiled in.");
1839 #endif
1840 }
1841 EOS
1842 | DISCONNECT_ON_IDLE IDLE_TIMEOUT NUMBER IDLE_DIRECTION idle_dir_type
1843 {
1844 cur_rmconf->idle_timeout = $3;
1845 cur_rmconf->idle_timeout_dir = $5;
1846 }
1847 EOS
1848 | LIFETIME LIFETYPE_TIME NUMBER unittype_time
1849 {
1850 cur_rmconf->prhead->lifetime = $3 * $4;
1851 }
1852 EOS
1853 | PROPOSAL_CHECK PROPOSAL_CHECK_LEVEL { cur_rmconf->pcheck_level = $2; } EOS
1854 | LIFETIME LIFETYPE_BYTE NUMBER unittype_byte
1855 {
1856 #if 1
1857 yyerror("byte lifetime support is deprecated in Phase1");
1858 return -1;
1859 #else
1860 yywarn("the lifetime of bytes in phase 1 "
1861 "will be ignored at the moment.");
1862 cur_rmconf->prhead->lifebyte = fix_lifebyte($3 * $4);
1863 if (cur_rmconf->prhead->lifebyte == 0)
1864 return -1;
1865 #endif
1866 }
1867 EOS
1868 | PROPOSAL
1869 {
1870 struct secprotospec *spspec;
1871
1872 spspec = newspspec();
1873 if (spspec == NULL)
1874 return -1;
1875 insspspec(spspec, &cur_rmconf->prhead);
1876 }
1877 BOC isakmpproposal_specs EOC
1878 ;
1879 exchange_types
1880 : /* nothing */
1881 | exchange_types EXCHANGETYPE
1882 {
1883 struct etypes *new;
1884 new = racoon_malloc(sizeof(struct etypes));
1885 if (new == NULL) {
1886 yyerror("failed to allocate etypes");
1887 return -1;
1888 }
1889 new->type = $2;
1890 new->next = NULL;
1891 if (cur_rmconf->etypes == NULL)
1892 cur_rmconf->etypes = new;
1893 else {
1894 struct etypes *p;
1895 for (p = cur_rmconf->etypes;
1896 p->next != NULL;
1897 p = p->next)
1898 ;
1899 p->next = new;
1900 }
1901 }
1902 ;
1903 cert_spec
1904 : CERT_X509 QUOTEDSTRING QUOTEDSTRING
1905 {
1906 cur_rmconf->certtype = $1;
1907 if (cur_rmconf->mycertfile != NULL)
1908 racoon_free(cur_rmconf->mycertfile);
1909 cur_rmconf->mycertfile = racoon_strdup($2->v);
1910 STRDUP_FATAL(cur_rmconf->mycertfile);
1911 vfree($2);
1912 if (cur_rmconf->myprivfile != NULL)
1913 racoon_free(cur_rmconf->myprivfile);
1914 cur_rmconf->myprivfile = racoon_strdup($3->v);
1915 STRDUP_FATAL(cur_rmconf->myprivfile);
1916 vfree($3);
1917 }
1918 EOS
1919 | CERT_X509 IN_KEYCHAIN
1920 {
1921 cur_rmconf->certtype = $1;
1922 cur_rmconf->identity_in_keychain = 1;
1923 cur_rmconf->keychainCertRef = NULL;
1924 }
1925 EOS
1926 ;
1927 | CERT_X509 IN_KEYCHAIN QUOTEDSTRING
1928 {
1929 cur_rmconf->certtype = $1;
1930 cur_rmconf->identity_in_keychain = 1;
1931 cur_rmconf->keychainCertRef = $3;
1932 }
1933 EOS
1934 ;
1935 | CERT_PLAINRSA QUOTEDSTRING
1936 {
1937 #ifdef HAVE_OPENSSL
1938 char path[MAXPATHLEN];
1939 int ret = 0;
1940
1941 getpathname(path, sizeof(path),
1942 LC_PATHTYPE_CERT, $2->v);
1943 vfree($2);
1944
1945 cur_rmconf->certtype = $1;
1946 cur_rmconf->send_cr = FALSE;
1947 cur_rmconf->send_cert = FALSE;
1948 cur_rmconf->verify_cert = FALSE;
1949 if (rsa_parse_file(cur_rmconf->rsa_private, path, RSA_TYPE_PRIVATE)) {
1950 yyerror("Couldn't parse keyfile.\n", path);
1951 return -1;
1952 }
1953 plog(LLV_DEBUG, LOCATION, NULL, "Private PlainRSA keyfile parsed: %s\n", path);
1954 #else
1955 yyerror("plainrsa not supported.\n");
1956 return -1;
1957 #endif
1958 }
1959 EOS
1960 ;
1961 dh_group_num
1962 : ALGORITHMTYPE
1963 {
1964 $$ = algtype2doi(algclass_isakmp_dh, $1);
1965 if ($$ == -1) {
1966 yyerror("must be DH group");
1967 return -1;
1968 }
1969 #ifndef HAVE_OPENSSL
1970 if ($$ != OAKLEY_ATTR_GRP_DESC_MODP1024 && $$ != OAKLEY_ATTR_GRP_DESC_MODP1536) {
1971 yyerror("DH group must be 2 or 5");
1972 return -1;
1973 }
1974 #endif
1975 }
1976 | NUMBER
1977 {
1978 if (ARRAYLEN(num2dhgroup) > $1 && num2dhgroup[$1] != 0) {
1979 $$ = num2dhgroup[$1];
1980 } else {
1981 yyerror("must be DH group");
1982 $$ = 0;
1983 return -1;
1984 }
1985 #ifndef HAVE_OPENSSL
1986 if ($$ != OAKLEY_ATTR_GRP_DESC_MODP1024 && $$ != OAKLEY_ATTR_GRP_DESC_MODP1536) {
1987 yyerror("DH group must be 2 or 5");
1988 return -1;
1989 }
1990 #endif
1991 }
1992 ;
1993 identifierstring
1994 : /* nothing */ { $$ = NULL; }
1995 | ADDRSTRING { $$ = $1; }
1996 | QUOTEDSTRING { $$ = $1; }
1997 ;
1998 isakmpproposal_specs
1999 : /* nothing */
2000 | isakmpproposal_specs isakmpproposal_spec
2001 ;
2002 isakmpproposal_spec
2003 : STRENGTH
2004 {
2005 yyerror("strength directive is obsoleted.");
2006 } STRENGTHTYPE EOS
2007 | LIFETIME LIFETYPE_TIME NUMBER unittype_time
2008 {
2009 cur_rmconf->prhead->spspec->lifetime = $3 * $4;
2010 }
2011 EOS
2012 | LIFETIME LIFETYPE_BYTE NUMBER unittype_byte
2013 {
2014 #if 1
2015 yyerror("byte lifetime support is deprecated");
2016 return -1;
2017 #else
2018 cur_rmconf->prhead->spspec->lifebyte = fix_lifebyte($3 * $4);
2019 if (cur_rmconf->prhead->spspec->lifebyte == 0)
2020 return -1;
2021 #endif
2022 }
2023 EOS
2024 | DH_GROUP dh_group_num
2025 {
2026 cur_rmconf->prhead->spspec->algclass[algclass_isakmp_dh] = $2;
2027 }
2028 EOS
2029 | GSS_ID QUOTEDSTRING
2030 {
2031 if (cur_rmconf->prhead->spspec->vendorid != VENDORID_GSSAPI) {
2032 yyerror("wrong Vendor ID for gssapi_id");
2033 return -1;
2034 }
2035 if (cur_rmconf->prhead->spspec->gssid != NULL)
2036 racoon_free(cur_rmconf->prhead->spspec->gssid);
2037 cur_rmconf->prhead->spspec->gssid =
2038 racoon_strdup($2->v);
2039 STRDUP_FATAL(cur_rmconf->prhead->spspec->gssid);
2040 }
2041 EOS
2042 | ALGORITHM_CLASS ALGORITHMTYPE keylength
2043 {
2044 int doi;
2045 int defklen;
2046
2047 doi = algtype2doi($1, $2);
2048 if (doi == -1) {
2049 yyerror("algorithm mismatched 1");
2050 return -1;
2051 }
2052
2053 switch ($1) {
2054 case algclass_isakmp_enc:
2055 /* reject suppressed algorithms */
2056 #ifndef HAVE_OPENSSL_RC5_H
2057 if ($2 == algtype_rc5) {
2058 yyerror("algorithm %s not supported",
2059 s_attr_isakmp_enc(doi));
2060 return -1;
2061 }
2062 #endif
2063 #ifndef HAVE_OPENSSL_IDEA_H
2064 if ($2 == algtype_idea) {
2065 yyerror("algorithm %s not supported",
2066 s_attr_isakmp_enc(doi));
2067 return -1;
2068 }
2069 #endif
2070
2071 cur_rmconf->prhead->spspec->algclass[algclass_isakmp_enc] = doi;
2072 defklen = default_keylen($1, $2);
2073 if (defklen == 0) {
2074 if ($3) {
2075 yyerror("keylen not allowed");
2076 return -1;
2077 }
2078 } else {
2079 if ($3 && check_keylen($1, $2, $3) < 0) {
2080 yyerror("invalid keylen %d", $3);
2081 return -1;
2082 }
2083 }
2084 if ($3)
2085 cur_rmconf->prhead->spspec->encklen = $3;
2086 else
2087 cur_rmconf->prhead->spspec->encklen = defklen;
2088 break;
2089 case algclass_isakmp_hash:
2090 cur_rmconf->prhead->spspec->algclass[algclass_isakmp_hash] = doi;
2091 break;
2092 case algclass_isakmp_ameth:
2093 cur_rmconf->prhead->spspec->algclass[algclass_isakmp_ameth] = doi;
2094 /*
2095 * We may have to set the Vendor ID for the
2096 * authentication method we're using.
2097 */
2098 switch ($2) {
2099 case algtype_gssapikrb:
2100 if (cur_rmconf->prhead->spspec->vendorid !=
2101 VENDORID_UNKNOWN) {
2102 yyerror("Vendor ID mismatch "
2103 "for auth method");
2104 return -1;
2105 }
2106 /*
2107 * For interoperability with Win2k,
2108 * we set the Vendor ID to "GSSAPI".
2109 */
2110 cur_rmconf->prhead->spspec->vendorid =
2111 VENDORID_GSSAPI;
2112 break;
2113 #ifdef HAVE_OPENSSL
2114 case algtype_rsasig:
2115 if (cur_rmconf->certtype == ISAKMP_CERT_PLAINRSA) {
2116 if (rsa_list_count(cur_rmconf->rsa_private) == 0) {
2117 yyerror ("Private PlainRSA key not set. "
2118 "Use directive 'certificate_type plainrsa ...'\n");
2119 return -1;
2120 }
2121 if (rsa_list_count(cur_rmconf->rsa_public) == 0) {
2122 yyerror ("Public PlainRSA keys not set. "
2123 "Use directive 'peers_certfile plainrsa ...'\n");
2124 return -1;
2125 }
2126 }
2127 break;
2128 #endif
2129 default:
2130 break;
2131 }
2132 break;
2133 default:
2134 yyerror("algorithm mismatched 2");
2135 return -1;
2136 }
2137 }
2138 EOS
2139 ;
2140
2141 unittype_time
2142 : UNITTYPE_SEC { $$ = 1; }
2143 | UNITTYPE_MIN { $$ = 60; }
2144 | UNITTYPE_HOUR { $$ = (60 * 60); }
2145 ;
2146 unittype_byte
2147 : UNITTYPE_BYTE { $$ = 1; }
2148 | UNITTYPE_KBYTES { $$ = 1024; }
2149 | UNITTYPE_MBYTES { $$ = (1024 * 1024); }
2150 | UNITTYPE_TBYTES { $$ = (1024 * 1024 * 1024); }
2151 ;
2152 dpd_algo_type
2153 : DPD_ALGO_TYPE_DEFAULT { $$ = DPD_ALGO_DEFAULT; }
2154 | DPD_ALGO_TYPE_INBOUND { $$ = DPD_ALGO_INBOUND_DETECT; }
2155 | DPD_ALGO_TYPE_BLACKHOLE { $$ = DPD_ALGO_BLACKHOLE_DETECT; }
2156 ;
2157 idle_dir_type
2158 : IDLE_DIRECTION_ANY { $$ = IPSEC_DIR_ANY; }
2159 | IDLE_DIRECTION_IN { $$ = IPSEC_DIR_INBOUND; }
2160 | IDLE_DIRECTION_OUT { $$ = IPSEC_DIR_OUTBOUND; }
2161 ;
2162 %%
2163
2164 static struct proposalspec *
2165 newprspec()
2166 {
2167 struct proposalspec *new;
2168
2169 new = racoon_calloc(1, sizeof(*new));
2170 if (new == NULL)
2171 yyerror("failed to allocate proposal");
2172
2173 return new;
2174 }
2175
2176 /*
2177 * insert into head of list.
2178 */
2179 static void
2180 insprspec(prspec, head)
2181 struct proposalspec *prspec;
2182 struct proposalspec **head;
2183 {
2184 if (*head != NULL)
2185 (*head)->prev = prspec;
2186 prspec->next = *head;
2187 *head = prspec;
2188 }
2189
2190 static struct secprotospec *
2191 newspspec()
2192 {
2193 struct secprotospec *new;
2194
2195 new = racoon_calloc(1, sizeof(*new));
2196 if (new == NULL) {
2197 yyerror("failed to allocate spproto");
2198 return NULL;
2199 }
2200
2201 new->encklen = 0; /*XXX*/
2202
2203 /*
2204 * Default to "uknown" vendor -- we will override this
2205 * as necessary. When we send a Vendor ID payload, an
2206 * "unknown" will be translated to a KAME/racoon ID.
2207 */
2208 new->vendorid = VENDORID_UNKNOWN;
2209
2210 return new;
2211 }
2212
2213 /*
2214 * insert into head of list.
2215 */
2216 static void
2217 insspspec(spspec, head)
2218 struct secprotospec *spspec;
2219 struct proposalspec **head;
2220 {
2221 spspec->back = *head;
2222
2223 if ((*head)->spspec != NULL)
2224 (*head)->spspec->prev = spspec;
2225 spspec->next = (*head)->spspec;
2226 (*head)->spspec = spspec;
2227 }
2228
2229 /* set final acceptable proposal */
2230 static int
2231 set_isakmp_proposal(rmconf, prspec)
2232 struct remoteconf *rmconf;
2233 struct proposalspec *prspec;
2234 {
2235 struct proposalspec *p;
2236 struct secprotospec *s;
2237 int prop_no = 1;
2238 int trns_no = 1;
2239 int32_t types[MAXALGCLASS];
2240
2241 p = prspec;
2242 if (p->next != 0) {
2243 plog(LLV_ERROR, LOCATION, NULL,
2244 "multiple proposal definition.\n");
2245 return -1;
2246 }
2247
2248 /* mandatory check */
2249 if (p->spspec == NULL) {
2250 yyerror("no remote specification found: %s.\n",
2251 saddr2str(rmconf->remote));
2252 return -1;
2253 }
2254 for (s = p->spspec; s != NULL; s = s->next) {
2255 /* XXX need more to check */
2256 if (s->algclass[algclass_isakmp_enc] == 0) {
2257 yyerror("encryption algorithm required.");
2258 return -1;
2259 }
2260 if (s->algclass[algclass_isakmp_hash] == 0) {
2261 yyerror("hash algorithm required.");
2262 return -1;
2263 }
2264 if (s->algclass[algclass_isakmp_dh] == 0) {
2265 yyerror("DH group required.");
2266 return -1;
2267 }
2268 if (s->algclass[algclass_isakmp_ameth] == 0) {
2269 yyerror("authentication method required.");
2270 return -1;
2271 }
2272 }
2273
2274 /* skip to last part */
2275 for (s = p->spspec; s->next != NULL; s = s->next)
2276 ;
2277
2278 while (s != NULL) {
2279 plog(LLV_DEBUG2, LOCATION, NULL,
2280 "lifetime = %ld\n", (long)
2281 (s->lifetime ? s->lifetime : p->lifetime));
2282 plog(LLV_DEBUG2, LOCATION, NULL,
2283 "lifebyte = %d\n",
2284 s->lifebyte ? s->lifebyte : p->lifebyte);
2285 plog(LLV_DEBUG2, LOCATION, NULL,
2286 "encklen=%d\n", s->encklen);
2287
2288 memset(types, 0, ARRAYLEN(types));
2289 types[algclass_isakmp_enc] = s->algclass[algclass_isakmp_enc];
2290 types[algclass_isakmp_hash] = s->algclass[algclass_isakmp_hash];
2291 types[algclass_isakmp_dh] = s->algclass[algclass_isakmp_dh];
2292 types[algclass_isakmp_ameth] =
2293 s->algclass[algclass_isakmp_ameth];
2294
2295 /* expanding spspec */
2296 clean_tmpalgtype();
2297 trns_no = expand_isakmpspec(prop_no, trns_no, types,
2298 algclass_isakmp_enc, algclass_isakmp_ameth + 1,
2299 s->lifetime ? s->lifetime : p->lifetime,
2300 s->lifebyte ? s->lifebyte : p->lifebyte,
2301 s->encklen, s->vendorid, s->gssid,
2302 rmconf);
2303 if (trns_no == -1) {
2304 plog(LLV_ERROR, LOCATION, NULL,
2305 "failed to expand isakmp proposal.\n");
2306 return -1;
2307 }
2308
2309 s = s->prev;
2310 }
2311
2312 if (rmconf->proposal == NULL) {
2313 plog(LLV_ERROR, LOCATION, NULL,
2314 "no proposal found.\n");
2315 return -1;
2316 }
2317
2318 return 0;
2319 }
2320
2321 static void
2322 clean_tmpalgtype()
2323 {
2324 int i;
2325 for (i = 0; i < MAXALGCLASS; i++)
2326 tmpalgtype[i] = 0; /* means algorithm undefined. */
2327 }
2328
2329 static int
2330 expand_isakmpspec(prop_no, trns_no, types,
2331 class, last, lifetime, lifebyte, encklen, vendorid, gssid,
2332 rmconf)
2333 int prop_no, trns_no;
2334 int *types, class, last;
2335 time_t lifetime;
2336 int lifebyte;
2337 int encklen;
2338 int vendorid;
2339 char *gssid;
2340 struct remoteconf *rmconf;
2341 {
2342 struct isakmpsa *new;
2343
2344 /* debugging */
2345 {
2346 int j;
2347 char tb[10];
2348 plog(LLV_DEBUG2, LOCATION, NULL,
2349 "p:%d t:%d\n", prop_no, trns_no);
2350 for (j = class; j < MAXALGCLASS; j++) {
2351 snprintf(tb, sizeof(tb), "%d", types[j]);
2352 plog(LLV_DEBUG2, LOCATION, NULL,
2353 "%s%s%s%s\n",
2354 s_algtype(j, types[j]),
2355 types[j] ? "(" : "",
2356 tb[0] == '0' ? "" : tb,
2357 types[j] ? ")" : "");
2358 }
2359 plog(LLV_DEBUG2, LOCATION, NULL, "\n");
2360 }
2361
2362 #define TMPALGTYPE2STR(n) \
2363 s_algtype(algclass_isakmp_##n, types[algclass_isakmp_##n])
2364 /* check mandatory values */
2365 if (types[algclass_isakmp_enc] == 0
2366 || types[algclass_isakmp_ameth] == 0
2367 || types[algclass_isakmp_hash] == 0
2368 || types[algclass_isakmp_dh] == 0) {
2369 yyerror("few definition of algorithm "
2370 "enc=%s ameth=%s hash=%s dhgroup=%s.\n",
2371 TMPALGTYPE2STR(enc),
2372 TMPALGTYPE2STR(ameth),
2373 TMPALGTYPE2STR(hash),
2374 TMPALGTYPE2STR(dh));
2375 return -1;
2376 }
2377 #undef TMPALGTYPE2STR
2378
2379 /* set new sa */
2380 new = newisakmpsa();
2381 if (new == NULL) {
2382 yyerror("failed to allocate isakmp sa");
2383 return -1;
2384 }
2385 new->prop_no = prop_no;
2386 new->trns_no = trns_no++;
2387 new->lifetime = lifetime;
2388 new->lifebyte = lifebyte;
2389 new->enctype = types[algclass_isakmp_enc];
2390 new->encklen = encklen;
2391 new->authmethod = types[algclass_isakmp_ameth];
2392 new->hashtype = types[algclass_isakmp_hash];
2393 new->dh_group = types[algclass_isakmp_dh];
2394 new->vendorid = vendorid;
2395 #ifdef HAVE_GSSAPI
2396 if (new->authmethod == OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB) {
2397 if (gssid != NULL) {
2398 if ((new->gssid = vmalloc(strlen(gssid))) == NULL) {
2399 racoon_free(new);
2400 yyerror("failed to allocate gssid");
2401 return -1;
2402 }
2403 memcpy(new->gssid->v, gssid, new->gssid->l);
2404 racoon_free(gssid);
2405 } else {
2406 /*
2407 * Allocate the default ID so that it gets put
2408 * into a GSS ID attribute during the Phase 1
2409 * exchange.
2410 */
2411 new->gssid = gssapi_get_default_gss_id();
2412 }
2413 }
2414 #endif
2415 insisakmpsa(new, rmconf);
2416
2417 return trns_no;
2418 }
2419
2420 static int
2421 listen_addr (struct sockaddr *addr, int udp_encap)
2422 {
2423 struct myaddrs *p;
2424
2425 p = newmyaddr();
2426 if (p == NULL) {
2427 yyerror("failed to allocate myaddrs");
2428 return -1;
2429 }
2430 p->addr = addr;
2431 if (p->addr == NULL) {
2432 yyerror("failed to copy sockaddr ");
2433 delmyaddr(p);
2434 return -1;
2435 }
2436 p->udp_encap = udp_encap;
2437 /* These need to be initialized for Apple modifications
2438 * to open code for isakmp sockets
2439 */
2440 p->sock = -1;
2441 p->in_use = 1;
2442
2443 insmyaddr(p, &lcconf->myaddrs);
2444
2445 lcconf->autograbaddr = 0;
2446 return 0;
2447 }
2448
2449 #if 0
2450 /*
2451 * fix lifebyte.
2452 * Must be more than 1024B because its unit is kilobytes.
2453 * That is defined RFC2407.
2454 */
2455 static int
2456 fix_lifebyte(t)
2457 unsigned long t;
2458 {
2459 if (t < 1024) {
2460 yyerror("byte size should be more than 1024B.");
2461 return 0;
2462 }
2463
2464 return(t / 1024);
2465 }
2466 #endif
2467
2468 int
2469 cfparse()
2470 {
2471 int error;
2472
2473 plog(LLV_DEBUG, LOCATION, NULL, "===== parse config\n");
2474
2475 yycf_init_buffer();
2476
2477 if (yycf_switch_buffer(lcconf->racoon_conf) != 0) {
2478 IPSECCONFIGTRACEREVENT(CONSTSTR(lcconf->racoon_conf),
2479 IPSECCONFIGEVENTCODE_PARSE_ERROR,
2480 CONSTSTR("could not read configuration file"),
2481 CONSTSTR("cfparse: yycf_switch_buffer erred"));
2482 plog(LLV_ERROR, LOCATION, NULL,
2483 "could not read configuration file \"%s\"\n",
2484 lcconf->racoon_conf);
2485 return -1;
2486 }
2487
2488 error = yyparse();
2489 if (error != 0) {
2490 if (yyerrorcount) {
2491 plog(LLV_ERROR, LOCATION, NULL,
2492 "fatal parse failure (%d errors)\n",
2493 yyerrorcount);
2494 } else {
2495 plog(LLV_ERROR, LOCATION, NULL,
2496 "fatal parse failure.\n");
2497 }
2498 IPSECCONFIGTRACEREVENT(CONSTSTR(lcconf->racoon_conf),
2499 IPSECCONFIGEVENTCODE_PARSE_ERROR,
2500 CONSTSTR("fatal parse failure"),
2501 CONSTSTR("cfparse: yyparse erred"));
2502 yycf_clean_buffer();
2503 return -1;
2504 }
2505
2506 if (error == 0 && yyerrorcount) {
2507 plog(LLV_ERROR, LOCATION, NULL,
2508 "parse error is nothing, but yyerrorcount is %d.\n",
2509 yyerrorcount);
2510 IPSECCONFIGTRACEREVENT(CONSTSTR(lcconf->racoon_conf),
2511 IPSECCONFIGEVENTCODE_PARSE_ERROR,
2512 CONSTSTR("ambivalent error code"),
2513 CONSTSTR("cfparse: error == 0 && yerrorcount"));
2514 yycf_clean_buffer();
2515 exit(1);
2516 }
2517
2518 yycf_clean_buffer();
2519
2520 plog(LLV_DEBUG2, LOCATION, NULL, "parse successed.\n");
2521
2522 return 0;
2523 }
2524
2525 int
2526 cfreparse(int sig)
2527 {
2528 int ignore_estab_or_assert_handles = (sig == SIGUSR1);
2529
2530 if (sig >= 0 && sig < NSIG) {
2531 plog(LLV_DEBUG, LOCATION, NULL, "==== Got %s signal - re-parsing.\n", sys_signame[sig]);
2532 } else {
2533 plog(LLV_ERROR, LOCATION, NULL, "==== Got Unknown signal - re-parsing.\n");
2534 IPSECCONFIGTRACEREVENT(CONSTSTR("reparse"),
2535 IPSECCONFIGEVENTCODE_REPARSE_ERROR,
2536 CONSTSTR("Unknown signal"),
2537 CONSTSTR("cfreparse: triggered by unknown signal"));
2538 }
2539
2540 flushph2(ignore_estab_or_assert_handles);
2541 flushph1(ignore_estab_or_assert_handles);
2542 flushrmconf();
2543 flushsainfo();
2544 flushlcconf();
2545 #ifdef HAVE_LIBLDAP
2546 xauth_ldap_flush();
2547 #endif
2548 check_auto_exit(); /* check/change state of auto exit */
2549 clean_tmpalgtype();
2550
2551 return(cfparse());
2552 }
2553
2554
2555 #ifdef ENABLE_ADMINPORT
2556 static void
2557 adminsock_conf(path, owner, group, mode_dec)
2558 vchar_t *path;
2559 vchar_t *owner;
2560 vchar_t *group;
2561 int mode_dec;
2562 {
2563 struct passwd *pw = NULL;
2564 struct group *gr = NULL;
2565 mode_t mode = 0;
2566 uid_t uid;
2567 gid_t gid;
2568 int isnum;
2569
2570 adminsock_path = path->v;
2571
2572 if (owner == NULL)
2573 return;
2574
2575 errno = 0;
2576 uid = atoi(owner->v);
2577 isnum = !errno;
2578 if (((pw = getpwnam(owner->v)) == NULL) && !isnum)
2579 yyerror("User \"%s\" does not exist", owner->v);
2580
2581 if (pw)
2582 adminsock_owner = pw->pw_uid;
2583 else
2584 adminsock_owner = uid;
2585
2586 if (group == NULL)
2587 return;
2588
2589 errno = 0;
2590 gid = atoi(group->v);
2591 isnum = !errno;
2592 if (((gr = getgrnam(group->v)) == NULL) && !isnum)
2593 yyerror("Group \"%s\" does not exist", group->v);
2594
2595 if (gr)
2596 adminsock_group = gr->gr_gid;
2597 else
2598 adminsock_group = gid;
2599
2600 if (mode_dec == -1)
2601 return;
2602
2603 if (mode_dec > 777)
2604 yyerror("Mode 0%03o is invalid", mode_dec);
2605 if (mode_dec >= 400) { mode += 0400; mode_dec -= 400; }
2606 if (mode_dec >= 200) { mode += 0200; mode_dec -= 200; }
2607 if (mode_dec >= 100) { mode += 0200; mode_dec -= 100; }
2608
2609 if (mode_dec > 77)
2610 yyerror("Mode 0%03o is invalid", mode_dec);
2611 if (mode_dec >= 40) { mode += 040; mode_dec -= 40; }
2612 if (mode_dec >= 20) { mode += 020; mode_dec -= 20; }
2613 if (mode_dec >= 10) { mode += 020; mode_dec -= 10; }
2614
2615 if (mode_dec > 7)
2616 yyerror("Mode 0%03o is invalid", mode_dec);
2617 if (mode_dec >= 4) { mode += 04; mode_dec -= 4; }
2618 if (mode_dec >= 2) { mode += 02; mode_dec -= 2; }
2619 if (mode_dec >= 1) { mode += 02; mode_dec -= 1; }
2620
2621 adminsock_mode = mode;
2622
2623 return;
2624 }
2625 #endif
mirror of ipsec