]> git.saurik.com Git - apple/ipsec.git/blob - ipsec-tools/racoon/cfparse.y
projects / apple / ipsec.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
ipsec-93.6.tar.gz
[apple/ipsec.git] / ipsec-tools / racoon / cfparse.y
1 /* $NetBSD: cfparse.y,v 1.18.4.3 2007/08/01 11:52:19 vanhu Exp $ */
2
3 /* Id: cfparse.y,v 1.66 2006/08/22 18:17:17 manubsd Exp */
4
5 %{
6 /*
7 * Copyright (C) 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002 and 2003 WIDE Project.
8 * All rights reserved.
9 *
10 * Redistribution and use in source and binary forms, with or without
11 * modification, are permitted provided that the following conditions
12 * are met:
13 * 1. Redistributions of source code must retain the above copyright
14 * notice, this list of conditions and the following disclaimer.
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in the
17 * documentation and/or other materials provided with the distribution.
18 * 3. Neither the name of the project nor the names of its contributors
19 * may be used to endorse or promote products derived from this software
20 * without specific prior written permission.
21 *
22 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
23 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
24 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
25 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
26 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
27 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
28 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
29 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
30 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
31 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
32 * SUCH DAMAGE.
33 */
34
35 #include "config.h"
36
37 #include <sys/types.h>
38 #include <sys/param.h>
39 #include <sys/queue.h>
40 #include <sys/socket.h>
41
42 #include <netinet/in.h>
43 #ifdef HAVE_NETINET6_IPSEC
44 # include <netinet6/ipsec.h>
45 #else
46 # include <netinet/ipsec.h>
47 #endif
48
49 #ifdef ENABLE_HYBRID
50 #include <arpa/inet.h>
51 #endif
52
53 #include <stdlib.h>
54 #include <stdio.h>
55 #include <string.h>
56 #include <errno.h>
57 #include <netdb.h>
58 #include <pwd.h>
59 #include <grp.h>
60 #include <signal.h>
61
62 #include "var.h"
63 #include "misc.h"
64 #include "vmbuf.h"
65 #include "plog.h"
66 #include "sockmisc.h"
67 #include "str2val.h"
68 #include "genlist.h"
69 #include "debug.h"
70
71 #include "admin.h"
72 #include "privsep.h"
73 #include "cfparse_proto.h"
74 #include "cftoken_proto.h"
75 #include "algorithm.h"
76 #include "localconf.h"
77 #include "policy.h"
78 #include "sainfo.h"
79 #include "oakley.h"
80 #include "pfkey.h"
81 #include "remoteconf.h"
82 #include "grabmyaddr.h"
83 #include "isakmp_var.h"
84 #include "handler.h"
85 #include "isakmp.h"
86 #include "nattraversal.h"
87 #include "isakmp_frag.h"
88 #ifdef ENABLE_HYBRID
89 #include "resolv.h"
90 #include "isakmp_unity.h"
91 #include "isakmp_xauth.h"
92 #include "isakmp_cfg.h"
93 #endif
94 #include "ipsec_doi.h"
95 #include "strnames.h"
96 #include "gcmalloc.h"
97 #ifdef HAVE_GSSAPI
98 #include "gssapi.h"
99 #endif
100 #include "vendorid.h"
101 #include "rsalist.h"
102 #include "ipsecConfigTracer.h"
103 #include "ipsecMessageTracer.h"
104
105
106 static int num2dhgroup[] = {
107 0,
108 OAKLEY_ATTR_GRP_DESC_MODP768,
109 OAKLEY_ATTR_GRP_DESC_MODP1024,
110 OAKLEY_ATTR_GRP_DESC_EC2N155,
111 OAKLEY_ATTR_GRP_DESC_EC2N185,
112 OAKLEY_ATTR_GRP_DESC_MODP1536,
113 0,
114 0,
115 0,
116 0,
117 0,
118 0,
119 0,
120 0,
121 OAKLEY_ATTR_GRP_DESC_MODP2048,
122 OAKLEY_ATTR_GRP_DESC_MODP3072,
123 OAKLEY_ATTR_GRP_DESC_MODP4096,
124 OAKLEY_ATTR_GRP_DESC_MODP6144,
125 OAKLEY_ATTR_GRP_DESC_MODP8192
126 };
127
128 static struct remoteconf *cur_rmconf;
129 static int tmpalgtype[MAXALGCLASS];
130 static struct sainfo *cur_sainfo;
131 static int cur_algclass;
132 static int oldloglevel = LLV_BASE;
133
134 static struct proposalspec *newprspec __P((void));
135 static void insprspec __P((struct proposalspec *, struct proposalspec **));
136 static struct secprotospec *newspspec __P((void));
137 static void insspspec __P((struct secprotospec *, struct proposalspec **));
138 static void adminsock_conf __P((vchar_t *, vchar_t *, vchar_t *, int));
139
140 static int set_isakmp_proposal
141 __P((struct remoteconf *, struct proposalspec *));
142 static void clean_tmpalgtype __P((void));
143 static int expand_isakmpspec __P((int, int, int *,
144 int, int, time_t, int, int, int, char *, struct remoteconf *));
145 static int listen_addr __P((struct sockaddr *addr, int udp_encap));
146
147 void freeetypes (struct etypes **etypes);
148
149 #if 0
150 static int fix_lifebyte __P((u_long));
151 #endif
152 %}
153
154 %union {
155 unsigned long num;
156 vchar_t *val;
157 struct remoteconf *rmconf;
158 struct sockaddr *saddr;
159 struct sainfoalg *alg;
160 }
161
162 /* privsep */
163 %token PRIVSEP USER GROUP CHROOT
164 /* path */
165 %token PATH PATHTYPE
166 /* include */
167 %token INCLUDE
168 /* self information */
169 %token IDENTIFIER VENDORID
170 /* logging */
171 %token LOGGING LOGLEV
172 /* padding */
173 %token PADDING PAD_RANDOMIZE PAD_RANDOMIZELEN PAD_MAXLEN PAD_STRICT PAD_EXCLTAIL
174 /* listen */
175 %token LISTEN X_ISAKMP X_ISAKMP_NATT X_ADMIN STRICT_ADDRESS ADMINSOCK DISABLED
176 /* modecfg */
177 %token MODECFG CFG_NET4 CFG_MASK4 CFG_DNS4 CFG_NBNS4 CFG_DEFAULT_DOMAIN
178 %token CFG_AUTH_SOURCE CFG_AUTH_GROUPS CFG_SYSTEM CFG_RADIUS CFG_PAM CFG_LDAP CFG_LOCAL CFG_NONE
179 %token CFG_GROUP_SOURCE CFG_ACCOUNTING CFG_CONF_SOURCE CFG_MOTD CFG_POOL_SIZE CFG_AUTH_THROTTLE
180 %token CFG_SPLIT_NETWORK CFG_SPLIT_LOCAL CFG_SPLIT_INCLUDE CFG_SPLIT_DNS
181 %token CFG_PFS_GROUP CFG_SAVE_PASSWD
182 /* timer */
183 %token RETRY RETRY_COUNTER RETRY_INTERVAL RETRY_PERSEND
184 %token RETRY_PHASE1 RETRY_PHASE2 NATT_KA AUTO_EXIT_DELAY
185 /* algorithm */
186 %token ALGORITHM_CLASS ALGORITHMTYPE STRENGTHTYPE
187 /* sainfo */
188 %token SAINFO FROM
189 /* remote */
190 %token REMOTE ANONYMOUS INHERIT
191 %token EXCHANGE_MODE EXCHANGETYPE DOI DOITYPE SITUATION SITUATIONTYPE
192 %token CERTIFICATE_TYPE CERTTYPE PEERS_CERTFILE CA_TYPE
193 %token VERIFY_CERT SEND_CERT SEND_CR
194 %token IDENTIFIERTYPE IDENTIFIERQUAL MY_IDENTIFIER
195 %token PEERS_IDENTIFIER VERIFY_IDENTIFIER
196 %token SHARED_SECRET SECRETTYPE
197 %token OPEN_DIR_AUTH_GROUP IN_KEYCHAIN
198 %token CERTIFICATE_VERIFICATION VERIFICATION_MODULE VERIFICATION_OPTION
199 %token DNSSEC CERT_X509 CERT_PLAINRSA
200 %token NONCE_SIZE DH_GROUP KEEPALIVE PASSIVE INITIAL_CONTACT
201 %token NAT_TRAVERSAL REMOTE_FORCE_LEVEL NAT_TRAVERSAL_LEVEL NAT_TRAVERSAL_MULTI_USER NAT_TRAVERSAL_KEEPALIVE
202 %token PROPOSAL_CHECK PROPOSAL_CHECK_LEVEL
203 %token GENERATE_POLICY GENERATE_LEVEL SUPPORT_PROXY
204 %token PROPOSAL
205 %token EXEC_PATH EXEC_COMMAND EXEC_SUCCESS EXEC_FAILURE
206 %token GSS_ID GSS_ID_ENC GSS_ID_ENCTYPE
207 %token COMPLEX_BUNDLE
208 %token DPD DPD_DELAY DPD_RETRY DPD_MAXFAIL DPD_ALGORITHM
209 %token DISCONNECT_ON_IDLE IDLE_TIMEOUT IDLE_DIRECTION
210 %token XAUTH_LOGIN WEAK_PHASE1_CHECK
211
212 %token PREFIX PORT PORTANY UL_PROTO ANY IKE_FRAG ESP_FRAG MODE_CFG
213 %token PFS_GROUP LIFETIME LIFETYPE_TIME LIFETYPE_BYTE STRENGTH REMOTEID
214
215 %token SCRIPT PHASE1_UP PHASE1_DOWN
216
217 %token NUMBER SWITCH BOOLEAN
218 %token HEXSTRING QUOTEDSTRING ADDRSTRING ADDRRANGE
219 %token UNITTYPE_BYTE UNITTYPE_KBYTES UNITTYPE_MBYTES UNITTYPE_TBYTES
220 %token UNITTYPE_SEC UNITTYPE_MIN UNITTYPE_HOUR
221 %token EOS BOC EOC COMMA
222 %token DPD_ALGO_TYPE_DEFAULT DPD_ALGO_TYPE_INBOUND DPD_ALGO_TYPE_BLACKHOLE
223 %token IDLE_DIRECTION_IN IDLE_DIRECTION_OUT IDLE_DIRECTION_ANY
224
225 %type <num> NUMBER BOOLEAN SWITCH keylength
226 %type <num> PATHTYPE IDENTIFIERTYPE IDENTIFIERQUAL LOGLEV GSS_ID_ENCTYPE
227 %type <num> SECRETTYPE
228 %type <num> ALGORITHM_CLASS dh_group_num
229 %type <num> ALGORITHMTYPE STRENGTHTYPE
230 %type <num> PREFIX prefix PORT port ike_port
231 %type <num> ul_proto UL_PROTO
232 %type <num> EXCHANGETYPE DOITYPE SITUATIONTYPE
233 %type <num> CERTTYPE CERT_X509 CERT_PLAINRSA PROPOSAL_CHECK_LEVEL NAT_TRAVERSAL_LEVEL GENERATE_LEVEL
234 %type <num> VERIFICATION_MODULE VERIFICATION_OPTION
235 %type <num> unittype_time unittype_byte
236 %type <val> QUOTEDSTRING HEXSTRING ADDRSTRING ADDRRANGE sainfo_id
237 %type <val> identifierstring
238 %type <saddr> remote_index ike_addrinfo_port
239 %type <alg> algorithm
240 %type <num> dpd_algo_type
241 %type <num> idle_dir_type
242
243 %%
244
245 statements
246 : /* nothing */
247 | statements statement
248 ;
249 statement
250 : privsep_statement
251 | path_statement
252 | include_statement
253 | gssenc_statement
254 | identifier_statement
255 | logging_statement
256 | padding_statement
257 | listen_statement
258 | modecfg_statement
259 | timer_statement
260 | sainfo_statement
261 | remote_statement
262 | special_statement
263 ;
264
265 /* privsep */
266 privsep_statement
267 : PRIVSEP BOC privsep_stmts EOC
268 ;
269 privsep_stmts
270 : /* nothing */
271 | privsep_stmts privsep_stmt
272 ;
273 privsep_stmt
274 : USER QUOTEDSTRING
275 {
276 struct passwd *pw;
277
278 if ((pw = getpwnam($2->v)) == NULL) {
279 yyerror("unknown user \"%s\"", $2->v);
280 return -1;
281 }
282 lcconf->uid = pw->pw_uid;
283 }
284 EOS
285 | USER NUMBER { lcconf->uid = $2; } EOS
286 | GROUP QUOTEDSTRING
287 {
288 struct group *gr;
289
290 if ((gr = getgrnam($2->v)) == NULL) {
291 yyerror("unknown group \"%s\"", $2->v);
292 return -1;
293 }
294 lcconf->gid = gr->gr_gid;
295 }
296 EOS
297 | GROUP NUMBER { lcconf->gid = $2; } EOS
298 | CHROOT QUOTEDSTRING { lcconf->chroot = $2->v; } EOS
299 ;
300
301 /* path */
302 path_statement
303 : PATH PATHTYPE QUOTEDSTRING
304 {
305 if ($2 >= LC_PATHTYPE_MAX) {
306 yyerror("invalid path type %d", $2);
307 return -1;
308 }
309
310 /* free old pathinfo */
311 if (lcconf->pathinfo[$2])
312 racoon_free(lcconf->pathinfo[$2]);
313
314 /* set new pathinfo */
315 lcconf->pathinfo[$2] = racoon_strdup($3->v);
316 STRDUP_FATAL(lcconf->pathinfo[$2]);
317 vfree($3);
318 }
319 EOS
320 ;
321
322 /* special */
323 special_statement
324 : COMPLEX_BUNDLE SWITCH { lcconf->complex_bundle = $2; } EOS
325 ;
326
327 /* include */
328 include_statement
329 : INCLUDE QUOTEDSTRING EOS
330 {
331 char path[MAXPATHLEN];
332
333 getpathname(path, sizeof(path),
334 LC_PATHTYPE_INCLUDE, $2->v);
335 vfree($2);
336 if (yycf_switch_buffer(path) != 0)
337 return -1;
338 }
339 ;
340
341 /* gss_id_enc */
342 gssenc_statement
343 : GSS_ID_ENC GSS_ID_ENCTYPE EOS
344 {
345 if ($2 >= LC_GSSENC_MAX) {
346 yyerror("invalid GSS ID encoding %d", $2);
347 return -1;
348 }
349 lcconf->gss_id_enc = $2;
350 }
351 ;
352
353 /* self information */
354 identifier_statement
355 : IDENTIFIER identifier_stmt
356 ;
357 identifier_stmt
358 : VENDORID
359 {
360 /*XXX to be deleted */
361 }
362 QUOTEDSTRING EOS
363 | IDENTIFIERTYPE QUOTEDSTRING
364 {
365 /*XXX to be deleted */
366 $2->l--; /* nuke '\0' */
367 lcconf->ident[$1] = $2;
368 if (lcconf->ident[$1] == NULL) {
369 yyerror("failed to set my ident: %s",
370 strerror(errno));
371 return -1;
372 }
373 }
374 EOS
375 ;
376
377 /* logging */
378 logging_statement
379 : LOGGING log_level EOS
380 ;
381 log_level
382 : HEXSTRING
383 {
384 /*
385 * XXX ignore it because this specification
386 * will be obsoleted.
387 */
388 yywarn("see racoon.conf(5), such a log specification will be obsoleted.");
389 vfree($1);
390 }
391 | LOGLEV
392 {
393 /*
394 * set the loglevel to the value specified
395 * in the configuration file plus the number
396 * of -d options specified on the command line
397 */
398 loglevel += $1 - oldloglevel;
399 oldloglevel = $1;
400 }
401 ;
402
403 /* padding */
404 padding_statement
405 : PADDING BOC padding_stmts EOC
406 ;
407 padding_stmts
408 : /* nothing */
409 | padding_stmts padding_stmt
410 ;
411 padding_stmt
412 : PAD_RANDOMIZE SWITCH { lcconf->pad_random = $2; } EOS
413 | PAD_RANDOMIZELEN SWITCH { lcconf->pad_randomlen = $2; } EOS
414 | PAD_MAXLEN NUMBER { lcconf->pad_maxsize = $2; } EOS
415 | PAD_STRICT SWITCH { lcconf->pad_strict = $2; } EOS
416 | PAD_EXCLTAIL SWITCH { lcconf->pad_excltail = $2; } EOS
417 ;
418
419 /* listen */
420 listen_statement
421 : LISTEN BOC listen_stmts EOC
422 ;
423 listen_stmts
424 : /* nothing */
425 | listen_stmts listen_stmt
426 ;
427 listen_stmt
428 : X_ISAKMP ike_addrinfo_port
429 {
430 listen_addr ($2, 0);
431 }
432 EOS
433 | X_ISAKMP_NATT ike_addrinfo_port
434 {
435 #ifdef ENABLE_NATT
436 listen_addr ($2, 1);
437 #else
438 yyerror("NAT-T support not compiled in.");
439 #endif
440 }
441 EOS
442 | X_ADMIN
443 {
444 yyerror("admin directive is obsoleted.");
445 }
446 PORT EOS
447 | ADMINSOCK QUOTEDSTRING QUOTEDSTRING QUOTEDSTRING NUMBER
448 {
449 #ifdef ENABLE_ADMINPORT
450 adminsock_conf($2, $3, $4, $5);
451 #else
452 yywarn("admin port support not compiled in");
453 #endif
454 }
455 EOS
456 | ADMINSOCK QUOTEDSTRING
457 {
458 #ifdef ENABLE_ADMINPORT
459 adminsock_conf($2, NULL, NULL, -1);
460 #else
461 yywarn("admin port support not compiled in");
462 #endif
463 }
464 EOS
465 | ADMINSOCK DISABLED
466 {
467 #ifdef ENABLE_ADMINPORT
468 adminsock_path = NULL;
469 #else
470 yywarn("admin port support not compiled in");
471 #endif
472 }
473 EOS
474 | STRICT_ADDRESS { lcconf->strict_address = TRUE; } EOS
475 ;
476 ike_addrinfo_port
477 : ADDRSTRING ike_port
478 {
479 char portbuf[10];
480
481 snprintf(portbuf, sizeof(portbuf), "%ld", $2);
482 $$ = str2saddr($1->v, portbuf);
483 vfree($1);
484 if (!$$)
485 return -1;
486 }
487 ;
488 ike_port
489 : /* nothing */ { $$ = PORT_ISAKMP; }
490 | PORT { $$ = $1; }
491 ;
492 /* modecfg */
493 modecfg_statement
494 : MODECFG BOC modecfg_stmts EOC
495 ;
496 modecfg_stmts
497 : /* nothing */
498 | modecfg_stmts modecfg_stmt
499 ;
500 modecfg_stmt
501 : CFG_NET4 ADDRSTRING
502 {
503 #ifdef ENABLE_HYBRID
504 if (inet_pton(AF_INET, $2->v,
505 &isakmp_cfg_config.network4) != 1)
506 yyerror("bad IPv4 network address.");
507 vfree($2);
508 #else
509 yyerror("racoon not configured with --enable-hybrid");
510 #endif
511 }
512 EOS
513 | CFG_MASK4 ADDRSTRING
514 {
515 #ifdef ENABLE_HYBRID
516 if (inet_pton(AF_INET, $2->v,
517 &isakmp_cfg_config.netmask4) != 1)
518 yyerror("bad IPv4 netmask address.");
519 vfree($2);
520 #else
521 yyerror("racoon not configured with --enable-hybrid");
522 #endif
523 }
524 EOS
525 | CFG_DNS4 addrdnslist
526 EOS
527 | CFG_NBNS4 addrwinslist
528 EOS
529 | CFG_SPLIT_NETWORK CFG_SPLIT_LOCAL splitnetlist
530 {
531 #ifdef ENABLE_HYBRID
532 isakmp_cfg_config.splitnet_type = UNITY_LOCAL_LAN;
533 #else
534 yyerror("racoon not configured with --enable-hybrid");
535 #endif
536 }
537 EOS
538 | CFG_SPLIT_NETWORK CFG_SPLIT_INCLUDE splitnetlist
539 {
540 #ifdef ENABLE_HYBRID
541 isakmp_cfg_config.splitnet_type = UNITY_SPLIT_INCLUDE;
542 #else
543 yyerror("racoon not configured with --enable-hybrid");
544 #endif
545 }
546 EOS
547 | CFG_SPLIT_DNS splitdnslist
548 {
549 #ifndef ENABLE_HYBRID
550 yyerror("racoon not configured with --enable-hybrid");
551 #endif
552 }
553 EOS
554 | CFG_DEFAULT_DOMAIN QUOTEDSTRING
555 {
556 #ifdef ENABLE_HYBRID
557 strlcpy(&isakmp_cfg_config.default_domain[0],
558 $2->v, sizeof(isakmp_cfg_config.default_domain));
559 vfree($2);
560 #else
561 yyerror("racoon not configured with --enable-hybrid");
562 #endif
563 }
564 EOS
565 | CFG_AUTH_SOURCE CFG_SYSTEM
566 {
567 #ifdef ENABLE_HYBRID
568 isakmp_cfg_config.authsource = ISAKMP_CFG_AUTH_SYSTEM;
569 #else
570 yyerror("racoon not configured with --enable-hybrid");
571 #endif
572 }
573 EOS
574 | CFG_AUTH_SOURCE CFG_RADIUS
575 {
576 #ifdef ENABLE_HYBRID
577 #ifdef HAVE_LIBRADIUS
578 isakmp_cfg_config.authsource = ISAKMP_CFG_AUTH_RADIUS;
579 #else /* HAVE_LIBRADIUS */
580 yyerror("racoon not configured with --with-libradius");
581 #endif /* HAVE_LIBRADIUS */
582 #else /* ENABLE_HYBRID */
583 yyerror("racoon not configured with --enable-hybrid");
584 #endif /* ENABLE_HYBRID */
585 }
586 EOS
587 | CFG_AUTH_SOURCE CFG_PAM
588 {
589 #ifdef ENABLE_HYBRID
590 #ifdef HAVE_LIBPAM
591 isakmp_cfg_config.authsource = ISAKMP_CFG_AUTH_PAM;
592 #else /* HAVE_LIBPAM */
593 yyerror("racoon not configured with --with-libpam");
594 #endif /* HAVE_LIBPAM */
595 #else /* ENABLE_HYBRID */
596 yyerror("racoon not configured with --enable-hybrid");
597 #endif /* ENABLE_HYBRID */
598 }
599 EOS
600 | CFG_AUTH_SOURCE CFG_LDAP
601 {
602 #ifdef ENABLE_HYBRID
603 #ifdef HAVE_LIBLDAP
604 isakmp_cfg_config.authsource = ISAKMP_CFG_AUTH_LDAP;
605 #else /* HAVE_LIBLDAP */
606 yyerror("racoon not configured with --with-libldap");
607 #endif /* HAVE_LIBLDAP */
608 #else /* ENABLE_HYBRID */
609 yyerror("racoon not configured with --enable-hybrid");
610 #endif /* ENABLE_HYBRID */
611 }
612 EOS
613 | CFG_AUTH_GROUPS authgrouplist
614 {
615 #ifndef ENABLE_HYBRID
616 yyerror("racoon not configured with --enable-hybrid");
617 #endif
618 }
619 EOS
620 | CFG_GROUP_SOURCE CFG_SYSTEM
621 {
622 #ifdef ENABLE_HYBRID
623 isakmp_cfg_config.groupsource = ISAKMP_CFG_GROUP_SYSTEM;
624 #else
625 yyerror("racoon not configured with --enable-hybrid");
626 #endif
627 }
628 EOS
629 | CFG_GROUP_SOURCE CFG_LDAP
630 {
631 #ifdef ENABLE_HYBRID
632 #ifdef HAVE_LIBLDAP
633 isakmp_cfg_config.groupsource = ISAKMP_CFG_GROUP_LDAP;
634 #else /* HAVE_LIBLDAP */
635 yyerror("racoon not configured with --with-libldap");
636 #endif /* HAVE_LIBLDAP */
637 #else /* ENABLE_HYBRID */
638 yyerror("racoon not configured with --enable-hybrid");
639 #endif /* ENABLE_HYBRID */
640 }
641 EOS
642 | CFG_ACCOUNTING CFG_NONE
643 {
644 #ifdef ENABLE_HYBRID
645 isakmp_cfg_config.accounting = ISAKMP_CFG_ACCT_NONE;
646 #else
647 yyerror("racoon not configured with --enable-hybrid");
648 #endif
649 }
650 EOS
651 | CFG_ACCOUNTING CFG_SYSTEM
652 {
653 #ifdef ENABLE_HYBRID
654 isakmp_cfg_config.accounting = ISAKMP_CFG_ACCT_SYSTEM;
655 #else
656 yyerror("racoon not configured with --enable-hybrid");
657 #endif
658 }
659 EOS
660 | CFG_ACCOUNTING CFG_RADIUS
661 {
662 #ifdef ENABLE_HYBRID
663 #ifdef HAVE_LIBRADIUS
664 isakmp_cfg_config.accounting = ISAKMP_CFG_ACCT_RADIUS;
665 #else /* HAVE_LIBRADIUS */
666 yyerror("racoon not configured with --with-libradius");
667 #endif /* HAVE_LIBRADIUS */
668 #else /* ENABLE_HYBRID */
669 yyerror("racoon not configured with --enable-hybrid");
670 #endif /* ENABLE_HYBRID */
671 }
672 EOS
673 | CFG_ACCOUNTING CFG_PAM
674 {
675 #ifdef ENABLE_HYBRID
676 #ifdef HAVE_LIBPAM
677 isakmp_cfg_config.accounting = ISAKMP_CFG_ACCT_PAM;
678 #else /* HAVE_LIBPAM */
679 yyerror("racoon not configured with --with-libpam");
680 #endif /* HAVE_LIBPAM */
681 #else /* ENABLE_HYBRID */
682 yyerror("racoon not configured with --enable-hybrid");
683 #endif /* ENABLE_HYBRID */
684 }
685 EOS
686 | CFG_POOL_SIZE NUMBER
687 {
688 #ifdef ENABLE_HYBRID
689 if (isakmp_cfg_resize_pool($2) != 0)
690 yyerror("cannot allocate memory for pool");
691 #else /* ENABLE_HYBRID */
692 yyerror("racoon not configured with --enable-hybrid");
693 #endif /* ENABLE_HYBRID */
694 }
695 EOS
696 | CFG_PFS_GROUP NUMBER
697 {
698 #ifdef ENABLE_HYBRID
699 isakmp_cfg_config.pfs_group = $2;
700 #else /* ENABLE_HYBRID */
701 yyerror("racoon not configured with --enable-hybrid");
702 #endif /* ENABLE_HYBRID */
703 }
704 EOS
705 | CFG_SAVE_PASSWD SWITCH
706 {
707 #ifdef ENABLE_HYBRID
708 isakmp_cfg_config.save_passwd = $2;
709 #else /* ENABLE_HYBRID */
710 yyerror("racoon not configured with --enable-hybrid");
711 #endif /* ENABLE_HYBRID */
712 }
713 EOS
714 | CFG_AUTH_THROTTLE NUMBER
715 {
716 #ifdef ENABLE_HYBRID
717 isakmp_cfg_config.auth_throttle = $2;
718 #else /* ENABLE_HYBRID */
719 yyerror("racoon not configured with --enable-hybrid");
720 #endif /* ENABLE_HYBRID */
721 }
722 EOS
723 | CFG_CONF_SOURCE CFG_LOCAL
724 {
725 #ifdef ENABLE_HYBRID
726 isakmp_cfg_config.confsource = ISAKMP_CFG_CONF_LOCAL;
727 #else /* ENABLE_HYBRID */
728 yyerror("racoon not configured with --enable-hybrid");
729 #endif /* ENABLE_HYBRID */
730 }
731 EOS
732 | CFG_CONF_SOURCE CFG_RADIUS
733 {
734 #ifdef ENABLE_HYBRID
735 #ifdef HAVE_LIBRADIUS
736 isakmp_cfg_config.confsource = ISAKMP_CFG_CONF_RADIUS;
737 #else /* HAVE_LIBRADIUS */
738 yyerror("racoon not configured with --with-libradius");
739 #endif /* HAVE_LIBRADIUS */
740 #else /* ENABLE_HYBRID */
741 yyerror("racoon not configured with --enable-hybrid");
742 #endif /* ENABLE_HYBRID */
743 }
744 EOS
745 | CFG_CONF_SOURCE CFG_LDAP
746 {
747 #ifdef ENABLE_HYBRID
748 #ifdef HAVE_LIBLDAP
749 isakmp_cfg_config.confsource = ISAKMP_CFG_CONF_LDAP;
750 #else /* HAVE_LIBLDAP */
751 yyerror("racoon not configured with --with-libldap");
752 #endif /* HAVE_LIBLDAP */
753 #else /* ENABLE_HYBRID */
754 yyerror("racoon not configured with --enable-hybrid");
755 #endif /* ENABLE_HYBRID */
756 }
757 EOS
758 | CFG_MOTD QUOTEDSTRING
759 {
760 #ifdef ENABLE_HYBRID
761 strlcpy(&isakmp_cfg_config.motd[0], $2->v, sizeof(isakmp_cfg_config.motd));
762 vfree($2);
763 #else
764 yyerror("racoon not configured with --enable-hybrid");
765 #endif
766 }
767 EOS
768 ;
769
770 addrdnslist
771 : addrdns
772 | addrdns COMMA addrdnslist
773 ;
774 addrdns
775 : ADDRSTRING
776 {
777 #ifdef ENABLE_HYBRID
778 struct isakmp_cfg_config *icc = &isakmp_cfg_config;
779
780 if (icc->dns4_index > MAXNS)
781 yyerror("No more than %d DNS", MAXNS);
782 if (inet_pton(AF_INET, $1->v,
783 &icc->dns4[icc->dns4_index++]) != 1)
784 yyerror("bad IPv4 DNS address.");
785
786 vfree($1);
787 #else
788 yyerror("racoon not configured with --enable-hybrid");
789 #endif
790 }
791 ;
792
793 addrwinslist
794 : addrwins
795 | addrwins COMMA addrwinslist
796 ;
797 addrwins
798 : ADDRSTRING
799 {
800 #ifdef ENABLE_HYBRID
801 struct isakmp_cfg_config *icc = &isakmp_cfg_config;
802
803 if (icc->nbns4_index > MAXWINS)
804 yyerror("No more than %d WINS", MAXWINS);
805 if (inet_pton(AF_INET, $1->v,
806 &icc->nbns4[icc->nbns4_index++]) != 1)
807 yyerror("bad IPv4 WINS address.");
808
809 vfree($1);
810 #else
811 yyerror("racoon not configured with --enable-hybrid");
812 #endif
813 }
814 ;
815
816 splitnetlist
817 : splitnet
818 | splitnetlist COMMA splitnet
819 ;
820 splitnet
821 : ADDRSTRING PREFIX
822 {
823 #ifdef ENABLE_HYBRID
824 struct isakmp_cfg_config *icc = &isakmp_cfg_config;
825 struct unity_network network;
826
827 if (inet_pton(AF_INET, $1->v, &network.addr4) != 1)
828 yyerror("bad IPv4 SPLIT address.");
829
830 /* Turn $2 (the prefix) into a subnet mask */
831 network.mask4.s_addr = ($2) ? htonl(~((1 << (32 - $2)) - 1)) : 0;
832
833 /* add the network to our list */
834 if (splitnet_list_add(&icc->splitnet_list, &network,&icc->splitnet_count))
835 yyerror("Unable to allocate split network");
836
837 vfree($1);
838 #else
839 yyerror("racoon not configured with --enable-hybrid");
840 #endif
841 }
842 ;
843
844 authgrouplist
845 : authgroup
846 | authgroup COMMA authgrouplist
847 ;
848 authgroup
849 : QUOTEDSTRING
850 {
851 #ifdef ENABLE_HYBRID
852 char * groupname = NULL;
853 char ** grouplist = NULL;
854 struct isakmp_cfg_config *icc = &isakmp_cfg_config;
855
856 grouplist = racoon_realloc(icc->grouplist,
857 sizeof(char**)*(icc->groupcount+1));
858 if (grouplist == NULL)
859 yyerror("unable to allocate auth group list");
860
861 groupname = racoon_malloc($1->l+1);
862 if (groupname == NULL)
863 yyerror("unable to allocate auth group name");
864
865 memcpy(groupname,$1->v,$1->l);
866 groupname[$1->l]=0;
867 grouplist[icc->groupcount]=groupname;
868 icc->grouplist = grouplist;
869 icc->groupcount++;
870
871 vfree($1);
872 #else
873 yyerror("racoon not configured with --enable-hybrid");
874 #endif
875 }
876 ;
877
878 splitdnslist
879 : splitdns
880 | splitdns COMMA splitdnslist
881 ;
882 splitdns
883 : QUOTEDSTRING
884 {
885 #ifdef ENABLE_HYBRID
886 struct isakmp_cfg_config *icc = &isakmp_cfg_config;
887
888 if (!icc->splitdns_len)
889 {
890 icc->splitdns_list = racoon_malloc($1->l);
891 if(icc->splitdns_list == NULL)
892 yyerror("error allocating splitdns list buffer");
893 memcpy(icc->splitdns_list,$1->v,$1->l);
894 icc->splitdns_len = $1->l;
895 }
896 else
897 {
898 int len = icc->splitdns_len + $1->l + 1;
899 icc->splitdns_list = racoon_realloc(icc->splitdns_list,len);
900 if(icc->splitdns_list == NULL)
901 yyerror("error allocating splitdns list buffer");
902 icc->splitdns_list[icc->splitdns_len] = ',';
903 memcpy(icc->splitdns_list + icc->splitdns_len + 1, $1->v, $1->l);
904 icc->splitdns_len = len;
905 }
906 vfree($1);
907 #else
908 yyerror("racoon not configured with --enable-hybrid");
909 #endif
910 }
911 ;
912
913
914 /* timer */
915 timer_statement
916 : RETRY BOC timer_stmts EOC
917 ;
918 timer_stmts
919 : /* nothing */
920 | timer_stmts timer_stmt
921 ;
922 timer_stmt
923 : RETRY_COUNTER NUMBER
924 {
925 lcconf->retry_counter = $2;
926 }
927 EOS
928 | RETRY_INTERVAL NUMBER unittype_time
929 {
930 lcconf->retry_interval = $2 * $3;
931 }
932 EOS
933 | RETRY_PERSEND NUMBER
934 {
935 lcconf->count_persend = $2;
936 }
937 EOS
938 | RETRY_PHASE1 NUMBER unittype_time
939 {
940 lcconf->retry_checkph1 = $2 * $3;
941 }
942 EOS
943 | RETRY_PHASE2 NUMBER unittype_time
944 {
945 lcconf->wait_ph2complete = $2 * $3;
946 }
947 EOS
948 | AUTO_EXIT_DELAY NUMBER unittype_time
949 {
950 lcconf->auto_exit_delay = $2 * $3;
951 lcconf->auto_exit_state |= LC_AUTOEXITSTATE_SET;
952 }
953 EOS
954
955 | NATT_KA NUMBER unittype_time
956 {
957 #ifdef ENABLE_NATT
958 lcconf->natt_ka_interval = $2 * $3;
959 #else
960 yyerror("NAT-T support not compiled in.");
961 #endif
962 }
963 EOS
964 ;
965
966 /* sainfo */
967 sainfo_statement
968 : SAINFO
969 {
970 cur_sainfo = newsainfo();
971 if (cur_sainfo == NULL) {
972 yyerror("failed to allocate sainfo");
973 return -1;
974 }
975 }
976 sainfo_name sainfo_param BOC sainfo_specs
977 {
978 struct sainfo *check;
979
980 /* default */
981 if (cur_sainfo->algs[algclass_ipsec_enc] == 0) {
982 yyerror("no encryption algorithm at %s",
983 sainfo2str(cur_sainfo));
984 return -1;
985 }
986 if (cur_sainfo->algs[algclass_ipsec_auth] == 0) {
987 yyerror("no authentication algorithm at %s",
988 sainfo2str(cur_sainfo));
989 return -1;
990 }
991 if (cur_sainfo->algs[algclass_ipsec_comp] == 0) {
992 yyerror("no compression algorithm at %s",
993 sainfo2str(cur_sainfo));
994 return -1;
995 }
996
997 /* duplicate check */
998 check = getsainfo(cur_sainfo->idsrc,
999 cur_sainfo->iddst,
1000 cur_sainfo->id_i, 0);
1001 if (check && (!check->idsrc && !cur_sainfo->idsrc)) {
1002 yyerror("duplicated sainfo: %s",
1003 sainfo2str(cur_sainfo));
1004 return -1;
1005 }
1006 inssainfo(cur_sainfo);
1007 }
1008 EOC
1009 ;
1010 sainfo_name
1011 : ANONYMOUS
1012 {
1013 cur_sainfo->idsrc = NULL;
1014 cur_sainfo->iddst = NULL;
1015 }
1016 | ANONYMOUS sainfo_id
1017 {
1018 cur_sainfo->idsrc = NULL;
1019 cur_sainfo->iddst = $2;
1020 }
1021 | sainfo_id ANONYMOUS
1022 {
1023 cur_sainfo->idsrc = $1;
1024 cur_sainfo->iddst = NULL;
1025 }
1026 | sainfo_id sainfo_id
1027 {
1028 cur_sainfo->idsrc = $1;
1029 cur_sainfo->iddst = $2;
1030 }
1031 ;
1032 sainfo_id
1033 : IDENTIFIERTYPE ADDRSTRING prefix port ul_proto
1034 {
1035 char portbuf[10];
1036 struct sockaddr *saddr;
1037
1038 if (($5 == IPPROTO_ICMP || $5 == IPPROTO_ICMPV6)
1039 && ($4 != IPSEC_PORT_ANY || $4 != IPSEC_PORT_ANY)) {
1040 yyerror("port number must be \"any\".");
1041 return -1;
1042 }
1043
1044 snprintf(portbuf, sizeof(portbuf), "%lu", $4);
1045 saddr = str2saddr($2->v, portbuf);
1046 vfree($2);
1047 if (saddr == NULL)
1048 return -1;
1049
1050 switch (saddr->sa_family) {
1051 case AF_INET:
1052 if ($5 == IPPROTO_ICMPV6) {
1053 yyerror("upper layer protocol mismatched.\n");
1054 racoon_free(saddr);
1055 return -1;
1056 }
1057 $$ = ipsecdoi_sockaddr2id(saddr,
1058 $3 == ~0 ? (sizeof(struct in_addr) << 3): $3,
1059 $5);
1060 break;
1061 #ifdef INET6
1062 case AF_INET6:
1063 if ($5 == IPPROTO_ICMP) {
1064 yyerror("upper layer protocol mismatched.\n");
1065 racoon_free(saddr);
1066 return -1;
1067 }
1068 $$ = ipsecdoi_sockaddr2id(saddr,
1069 $3 == ~0 ? (sizeof(struct in6_addr) << 3): $3,
1070 $5);
1071 break;
1072 #endif
1073 default:
1074 yyerror("invalid family: %d", saddr->sa_family);
1075 $$ = NULL;
1076 break;
1077 }
1078 racoon_free(saddr);
1079 if ($$ == NULL)
1080 return -1;
1081 }
1082 | IDENTIFIERTYPE ADDRSTRING ADDRRANGE prefix port ul_proto
1083 {
1084 char portbuf[10];
1085 struct sockaddr *laddr = NULL, *haddr = NULL;
1086 char *cur = NULL;
1087
1088 if (($6 == IPPROTO_ICMP || $6 == IPPROTO_ICMPV6)
1089 && ($5 != IPSEC_PORT_ANY || $5 != IPSEC_PORT_ANY)) {
1090 yyerror("port number must be \"any\".");
1091 return -1;
1092 }
1093
1094 snprintf(portbuf, sizeof(portbuf), "%lu", $5);
1095
1096 laddr = str2saddr($2->v, portbuf);
1097 if (laddr == NULL) {
1098 return -1;
1099 }
1100 vfree($2);
1101 haddr = str2saddr($3->v, portbuf);
1102 if (haddr == NULL) {
1103 racoon_free(laddr);
1104 return -1;
1105 }
1106 vfree($3);
1107
1108 switch (laddr->sa_family) {
1109 case AF_INET:
1110 if ($6 == IPPROTO_ICMPV6) {
1111 yyerror("upper layer protocol mismatched.\n");
1112 if (laddr)
1113 racoon_free(laddr);
1114 if (haddr)
1115 racoon_free(haddr);
1116 return -1;
1117 }
1118 $$ = ipsecdoi_sockrange2id(laddr, haddr,
1119 $6);
1120 break;
1121 #ifdef INET6
1122 case AF_INET6:
1123 if ($6 == IPPROTO_ICMP) {
1124 yyerror("upper layer protocol mismatched.\n");
1125 if (laddr)
1126 racoon_free(laddr);
1127 if (haddr)
1128 racoon_free(haddr);
1129 return -1;
1130 }
1131 $$ = ipsecdoi_sockrange2id(laddr, haddr,
1132 $6);
1133 break;
1134 #endif
1135 default:
1136 yyerror("invalid family: %d", laddr->sa_family);
1137 $$ = NULL;
1138 break;
1139 }
1140 if (laddr)
1141 racoon_free(laddr);
1142 if (haddr)
1143 racoon_free(haddr);
1144 if ($$ == NULL)
1145 return -1;
1146 }
1147 | IDENTIFIERTYPE QUOTEDSTRING
1148 {
1149 struct ipsecdoi_id_b *id_b;
1150
1151 if ($1 == IDTYPE_ASN1DN) {
1152 yyerror("id type forbidden: %d", $1);
1153 $$ = NULL;
1154 return -1;
1155 }
1156
1157 $2->l--;
1158
1159 $$ = vmalloc(sizeof(*id_b) + $2->l);
1160 if ($$ == NULL) {
1161 yyerror("failed to allocate identifier");
1162 return -1;
1163 }
1164
1165 id_b = (struct ipsecdoi_id_b *)$$->v;
1166 id_b->type = idtype2doi($1);
1167
1168 id_b->proto_id = 0;
1169 id_b->port = 0;
1170
1171 memcpy($$->v + sizeof(*id_b), $2->v, $2->l);
1172 }
1173 ;
1174 sainfo_param
1175 : /* nothing */
1176 {
1177 cur_sainfo->id_i = NULL;
1178 }
1179
1180 | FROM IDENTIFIERTYPE identifierstring
1181 {
1182 struct ipsecdoi_id_b *id_b;
1183 vchar_t *idv;
1184
1185 if (set_identifier(&idv, $2, $3) != 0) {
1186 yyerror("failed to set identifer.\n");
1187 return -1;
1188 }
1189 cur_sainfo->id_i = vmalloc(sizeof(*id_b) + idv->l);
1190 if (cur_sainfo->id_i == NULL) {
1191 yyerror("failed to allocate identifier");
1192 return -1;
1193 }
1194
1195 id_b = (struct ipsecdoi_id_b *)cur_sainfo->id_i->v;
1196 id_b->type = idtype2doi($2);
1197
1198 id_b->proto_id = 0;
1199 id_b->port = 0;
1200
1201 memcpy(cur_sainfo->id_i->v + sizeof(*id_b),
1202 idv->v, idv->l);
1203 vfree(idv);
1204 }
1205 | GROUP QUOTEDSTRING
1206 {
1207 #ifdef ENABLE_HYBRID
1208 if ((cur_sainfo->group = vdup($2)) == NULL) {
1209 yyerror("failed to set sainfo xauth group.\n");
1210 return -1;
1211 }
1212 #else
1213 yyerror("racoon not configured with --enable-hybrid");
1214 return -1;
1215 #endif
1216 }
1217 ;
1218 sainfo_specs
1219 : /* nothing */
1220 | sainfo_specs sainfo_spec
1221 ;
1222 sainfo_spec
1223 : PFS_GROUP dh_group_num
1224 {
1225 cur_sainfo->pfs_group = $2;
1226 }
1227 EOS
1228 | LIFETIME LIFETYPE_TIME NUMBER unittype_time
1229 {
1230 cur_sainfo->lifetime = $3 * $4;
1231 }
1232 EOS
1233 | LIFETIME LIFETYPE_BYTE NUMBER unittype_byte
1234 {
1235 #if 1
1236 yyerror("byte lifetime support is deprecated");
1237 return -1;
1238 #else
1239 cur_sainfo->lifebyte = fix_lifebyte($3 * $4);
1240 if (cur_sainfo->lifebyte == 0)
1241 return -1;
1242 #endif
1243 }
1244 EOS
1245 | ALGORITHM_CLASS {
1246 cur_algclass = $1;
1247 }
1248 algorithms EOS
1249 | IDENTIFIER IDENTIFIERTYPE
1250 {
1251 yyerror("it's deprecated to specify a identifier in phase 2");
1252 }
1253 EOS
1254 | MY_IDENTIFIER IDENTIFIERTYPE QUOTEDSTRING
1255 {
1256 yyerror("it's deprecated to specify a identifier in phase 2");
1257 }
1258 EOS
1259 ;
1260
1261 algorithms
1262 : algorithm
1263 {
1264 inssainfoalg(&cur_sainfo->algs[cur_algclass], $1);
1265 }
1266 | algorithm
1267 {
1268 inssainfoalg(&cur_sainfo->algs[cur_algclass], $1);
1269 }
1270 COMMA algorithms
1271 ;
1272 algorithm
1273 : ALGORITHMTYPE keylength
1274 {
1275 int defklen;
1276
1277 $$ = newsainfoalg();
1278 if ($$ == NULL) {
1279 yyerror("failed to get algorithm allocation");
1280 return -1;
1281 }
1282
1283 $$->alg = algtype2doi(cur_algclass, $1);
1284 if ($$->alg == -1) {
1285 yyerror("algorithm mismatched");
1286 racoon_free($$);
1287 $$ = NULL;
1288 return -1;
1289 }
1290
1291 defklen = default_keylen(cur_algclass, $1);
1292 if (defklen == 0) {
1293 if ($2) {
1294 yyerror("keylen not allowed");
1295 racoon_free($$);
1296 $$ = NULL;
1297 return -1;
1298 }
1299 } else {
1300 if ($2 && check_keylen(cur_algclass, $1, $2) < 0) {
1301 yyerror("invalid keylen %d", $2);
1302 racoon_free($$);
1303 $$ = NULL;
1304 return -1;
1305 }
1306 }
1307
1308 if ($2)
1309 $$->encklen = $2;
1310 else
1311 $$->encklen = defklen;
1312
1313 /* check if it's supported algorithm by kernel */
1314 if (!(cur_algclass == algclass_ipsec_auth && $1 == algtype_non_auth)
1315 && pk_checkalg(cur_algclass, $1, $$->encklen)) {
1316 int a = algclass2doi(cur_algclass);
1317 int b = algtype2doi(cur_algclass, $1);
1318 if (a == IPSECDOI_ATTR_AUTH)
1319 a = IPSECDOI_PROTO_IPSEC_AH;
1320 yyerror("algorithm %s not supported by the kernel (missing module?)",
1321 s_ipsecdoi_trns(a, b));
1322 racoon_free($$);
1323 $$ = NULL;
1324 return -1;
1325 }
1326 }
1327 ;
1328 prefix
1329 : /* nothing */ { $$ = ~0; }
1330 | PREFIX { $$ = $1; }
1331 ;
1332 port
1333 : /* nothing */ { $$ = IPSEC_PORT_ANY; }
1334 | PORT { $$ = $1; }
1335 | PORTANY { $$ = IPSEC_PORT_ANY; }
1336 ;
1337 ul_proto
1338 : NUMBER { $$ = $1; }
1339 | UL_PROTO { $$ = $1; }
1340 | ANY { $$ = IPSEC_ULPROTO_ANY; }
1341 ;
1342 keylength
1343 : /* nothing */ { $$ = 0; }
1344 | NUMBER { $$ = $1; }
1345 ;
1346
1347 /* remote */
1348 remote_statement
1349 : REMOTE remote_index INHERIT remote_index
1350 {
1351 struct remoteconf *new;
1352 struct proposalspec *prspec;
1353
1354 new = copyrmconf($4);
1355 if (new == NULL) {
1356 yyerror("failed to get remoteconf for %s.", saddr2str ($4));
1357 return -1;
1358 }
1359
1360 new->remote = $2;
1361 new->inherited_from = getrmconf_strict($4, 1);
1362 new->proposal = NULL;
1363 new->prhead = NULL;
1364 cur_rmconf = new;
1365
1366 prspec = newprspec();
1367 if (prspec == NULL || !cur_rmconf->inherited_from
1368 || !cur_rmconf->inherited_from->proposal)
1369 return -1;
1370 prspec->lifetime = cur_rmconf->inherited_from->proposal->lifetime;
1371 prspec->lifebyte = cur_rmconf->inherited_from->proposal->lifebyte;
1372 insprspec(prspec, &cur_rmconf->prhead);
1373 }
1374 remote_specs_block
1375 | REMOTE remote_index
1376 {
1377 struct remoteconf *new;
1378 struct proposalspec *prspec;
1379
1380 new = newrmconf();
1381 if (new == NULL) {
1382 yyerror("failed to get new remoteconf.");
1383 return -1;
1384 }
1385
1386 new->remote = $2;
1387 cur_rmconf = new;
1388
1389 prspec = newprspec();
1390 if (prspec == NULL)
1391 return -1;
1392 prspec->lifetime = oakley_get_defaultlifetime();
1393 insprspec(prspec, &cur_rmconf->prhead);
1394 }
1395 remote_specs_block
1396 ;
1397
1398 remote_specs_block
1399 : BOC remote_specs EOC
1400 {
1401 /* check a exchange mode */
1402 if (cur_rmconf->etypes == NULL) {
1403 yyerror("no exchange mode specified.\n");
1404 return -1;
1405 }
1406
1407 if (cur_rmconf->idvtype == IDTYPE_UNDEFINED)
1408 cur_rmconf->idvtype = IDTYPE_ADDRESS;
1409
1410
1411 if (cur_rmconf->idvtype == IDTYPE_ASN1DN) {
1412 if (cur_rmconf->mycertfile
1413 #ifdef __APPLE__
1414 || cur_rmconf->identity_in_keychain)
1415 #endif
1416 {
1417 if (cur_rmconf->idv)
1418 yywarn("Both CERT and ASN1 ID "
1419 "are set. Hope this is OK.\n");
1420 /* TODO: Preparse the DN here */
1421 } else if (cur_rmconf->idv) {
1422 /* OK, using asn1dn without X.509. */
1423 } else {
1424 yyerror("ASN1 ID not specified "
1425 "and no CERT defined!\n");
1426 return -1;
1427 }
1428 }
1429
1430 #ifdef __APPLE__
1431 if (cur_rmconf->cert_verification_option == VERIFICATION_OPTION_PEERS_IDENTIFIER) {
1432 struct genlist_entry *gpb;
1433 if (genlist_next(cur_rmconf->idvl_p, &gpb) == NULL) {
1434 yyerror("peers_identifier required for specified certificate "
1435 "verification option.\n");
1436 return -1;
1437 }
1438 }
1439 #endif
1440
1441 if (cur_rmconf->prhead->spspec == NULL
1442 && cur_rmconf->inherited_from
1443 && cur_rmconf->inherited_from->prhead) {
1444 cur_rmconf->prhead->spspec = cur_rmconf->inherited_from->prhead->spspec;
1445 }
1446 if (set_isakmp_proposal(cur_rmconf, cur_rmconf->prhead) != 0)
1447 return -1;
1448
1449 /* DH group settting if aggressive mode is there. */
1450 if (check_etypeok(cur_rmconf, ISAKMP_ETYPE_AGG) != NULL) {
1451 struct isakmpsa *p;
1452 int b = 0;
1453
1454 /* DH group */
1455 for (p = cur_rmconf->proposal; p; p = p->next) {
1456 if (b == 0 || (b && b == p->dh_group)) {
1457 b = p->dh_group;
1458 continue;
1459 }
1460 yyerror("DH group must be equal "
1461 "in all proposals "
1462 "when aggressive mode is "
1463 "used.\n");
1464 return -1;
1465 }
1466 cur_rmconf->dh_group = b;
1467
1468 if (cur_rmconf->dh_group == 0) {
1469 yyerror("DH group must be set in the proposal.\n");
1470 return -1;
1471 }
1472
1473 /* DH group settting if PFS is required. */
1474 if (oakley_setdhgroup(cur_rmconf->dh_group,
1475 &cur_rmconf->dhgrp) < 0) {
1476 yyerror("failed to set DH value.\n");
1477 return -1;
1478 }
1479 }
1480
1481 insrmconf(cur_rmconf);
1482 }
1483 ;
1484 remote_index
1485 : ANONYMOUS ike_port
1486 {
1487 $$ = newsaddr(sizeof(struct sockaddr));
1488 $$->sa_family = AF_UNSPEC;
1489 ((struct sockaddr_in *)$$)->sin_port = htons($2);
1490 }
1491 | ike_addrinfo_port
1492 {
1493 $$ = $1;
1494 if ($$ == NULL) {
1495 yyerror("failed to allocate sockaddr");
1496 return -1;
1497 }
1498 }
1499 ;
1500 remote_specs
1501 : /* nothing */
1502 | remote_specs remote_spec
1503 ;
1504 remote_spec
1505 : EXCHANGE_MODE
1506 {
1507 cur_rmconf->etypes = NULL;
1508 }
1509 exchange_types EOS
1510 | DOI DOITYPE { cur_rmconf->doitype = $2; } EOS
1511 | SITUATION SITUATIONTYPE { cur_rmconf->sittype = $2; } EOS
1512 | CERTIFICATE_TYPE cert_spec
1513 | PEERS_CERTFILE QUOTEDSTRING
1514 {
1515 yywarn("This directive without certtype will be removed!\n");
1516 yywarn("Please use 'peers_certfile x509 \"%s\";' instead\n", $2->v);
1517 cur_rmconf->getcert_method = ISAKMP_GETCERT_LOCALFILE;
1518
1519 if (cur_rmconf->peerscertfile != NULL)
1520 racoon_free(cur_rmconf->peerscertfile);
1521 cur_rmconf->peerscertfile = racoon_strdup($2->v);
1522 STRDUP_FATAL(cur_rmconf->peerscertfile);
1523 vfree($2);
1524 }
1525 EOS
1526 | CA_TYPE CERT_X509 QUOTEDSTRING
1527 {
1528 cur_rmconf->cacerttype = $2;
1529 cur_rmconf->getcacert_method = ISAKMP_GETCERT_LOCALFILE;
1530 if (cur_rmconf->cacertfile != NULL)
1531 racoon_free(cur_rmconf->cacertfile);
1532 cur_rmconf->cacertfile = racoon_strdup($3->v);
1533 STRDUP_FATAL(cur_rmconf->cacertfile);
1534 vfree($3);
1535 }
1536 EOS
1537 | PEERS_CERTFILE CERT_X509 QUOTEDSTRING
1538 {
1539 cur_rmconf->getcert_method = ISAKMP_GETCERT_LOCALFILE;
1540 if (cur_rmconf->peerscertfile != NULL)
1541 racoon_free(cur_rmconf->peerscertfile);
1542 cur_rmconf->peerscertfile = racoon_strdup($3->v);
1543 STRDUP_FATAL(cur_rmconf->peerscertfile);
1544 vfree($3);
1545 }
1546 EOS
1547 | PEERS_CERTFILE CERT_PLAINRSA QUOTEDSTRING
1548 {
1549 char path[MAXPATHLEN];
1550 int ret = 0;
1551
1552 getpathname(path, sizeof(path),
1553 LC_PATHTYPE_CERT, $3->v);
1554 vfree($3);
1555
1556 if (cur_rmconf->getcert_method == ISAKMP_GETCERT_DNS) {
1557 yyerror("Different peers_certfile method "
1558 "already defined: %d!\n",
1559 cur_rmconf->getcert_method);
1560 return -1;
1561 }
1562 cur_rmconf->getcert_method = ISAKMP_GETCERT_LOCALFILE;
1563 if (rsa_parse_file(cur_rmconf->rsa_public, path, RSA_TYPE_PUBLIC)) {
1564 yyerror("Couldn't parse keyfile.\n", path);
1565 return -1;
1566 }
1567 plog(LLV_DEBUG, LOCATION, NULL, "Public PlainRSA keyfile parsed: %s\n", path);
1568 }
1569 EOS
1570 | PEERS_CERTFILE DNSSEC
1571 {
1572 if (cur_rmconf->getcert_method) {
1573 yyerror("Different peers_certfile method already defined!\n");
1574 return -1;
1575 }
1576 cur_rmconf->getcert_method = ISAKMP_GETCERT_DNS;
1577 cur_rmconf->peerscertfile = NULL;
1578 }
1579 EOS
1580 | VERIFY_CERT SWITCH { cur_rmconf->verify_cert = $2; } EOS
1581 | SEND_CERT SWITCH { cur_rmconf->send_cert = $2; } EOS
1582 | SEND_CR SWITCH { cur_rmconf->send_cr = $2; } EOS
1583 | CERTIFICATE_VERIFICATION VERIFICATION_MODULE
1584 {
1585 #ifdef __APPLE__
1586 cur_rmconf->cert_verification = $2;
1587 #else
1588 yyerror("Apple specific features not compiled in.");
1589 return -1;
1590 #endif
1591 } EOS
1592 | CERTIFICATE_VERIFICATION VERIFICATION_MODULE VERIFICATION_OPTION
1593 {
1594 #ifdef __APPLE__
1595 cur_rmconf->cert_verification = $2;
1596 cur_rmconf->cert_verification_option = $3;
1597 #else
1598 yyerror("Apple specific features not compiled in.");
1599 return -1;
1600 #endif
1601 }
1602 EOS
1603 | OPEN_DIR_AUTH_GROUP QUOTEDSTRING
1604 {
1605 #if defined(__APPLE__) && HAVE_OPENDIR
1606 cur_rmconf->open_dir_auth_group = $2;
1607 #else
1608 yyerror("Apple specific features not compiled in.");
1609 return -1;
1610 #endif
1611 } EOS
1612 | MY_IDENTIFIER IDENTIFIERTYPE identifierstring
1613 {
1614 if (set_identifier(&cur_rmconf->idv, $2, $3) != 0) {
1615 yyerror("failed to set identifer.\n");
1616 vfree($3); //%%% BUG FIX - memory leak
1617 return -1;
1618 }
1619 vfree($3); //%%% BUG FIX - memory leak
1620 cur_rmconf->idvtype = $2;
1621 }
1622 EOS
1623 | MY_IDENTIFIER IDENTIFIERTYPE IDENTIFIERQUAL identifierstring
1624 {
1625 if (set_identifier_qual(&cur_rmconf->idv, $2, $4, $3) != 0) {
1626 yyerror("failed to set identifer.\n");
1627 return -1;
1628 }
1629 cur_rmconf->idvtype = $2;
1630 }
1631 EOS
1632 | XAUTH_LOGIN identifierstring
1633 {
1634 #ifdef ENABLE_HYBRID
1635 /* formerly identifier type login */
1636 if (xauth_rmconf_used(&cur_rmconf->xauth) == -1) {
1637 yyerror("failed to allocate xauth state\n");
1638 return -1;
1639 }
1640 if ((cur_rmconf->xauth->login = vdup($2)) == NULL) {
1641 yyerror("failed to set identifer.\n");
1642 return -1;
1643 }
1644 vfree($2); //%%% BUG FIX - memory leak
1645 #else
1646 yyerror("racoon not configured with --enable-hybrid");
1647 #endif
1648 }
1649 EOS
1650 | PEERS_IDENTIFIER IDENTIFIERTYPE identifierstring
1651 {
1652 struct idspec *id;
1653 id = newidspec();
1654 if (id == NULL) {
1655 yyerror("failed to allocate idspec");
1656 return -1;
1657 }
1658 if (set_identifier(&id->id, $2, $3) != 0) {
1659 yyerror("failed to set identifer.\n");
1660 racoon_free(id);
1661 vfree($3); //%%% BUG FIX - memory leak
1662 return -1;
1663 }
1664 vfree($3); //%%% BUG FIX - memory leak
1665 id->idtype = $2;
1666 genlist_append (cur_rmconf->idvl_p, id);
1667 }
1668 EOS
1669 | PEERS_IDENTIFIER IDENTIFIERTYPE IDENTIFIERQUAL identifierstring
1670 {
1671 struct idspec *id;
1672 id = newidspec();
1673 if (id == NULL) {
1674 yyerror("failed to allocate idspec");
1675 return -1;
1676 }
1677 if (set_identifier_qual(&id->id, $2, $4, $3) != 0) {
1678 yyerror("failed to set identifer.\n");
1679 racoon_free(id);
1680 return -1;
1681 }
1682 id->idtype = $2;
1683 genlist_append (cur_rmconf->idvl_p, id);
1684 }
1685 EOS
1686 | VERIFY_IDENTIFIER SWITCH { cur_rmconf->verify_identifier = $2; } EOS
1687 | SHARED_SECRET SECRETTYPE QUOTEDSTRING
1688 {
1689 #ifdef __APPLE__
1690 cur_rmconf->secrettype = $2;
1691 cur_rmconf->shared_secret = $3;
1692 #else
1693 yyerror("Apple specific features not compiled in.");
1694 return -1;
1695 #endif
1696 } EOS
1697 | SHARED_SECRET SECRETTYPE
1698 {
1699 #ifdef __APPLE__
1700 if ($2 != SECRETTYPE_KEYCHAIN_BY_ID) {
1701 yyerror("shared secret value missing.\n");
1702 return -1;
1703 }
1704 cur_rmconf->secrettype = $2;
1705 #else
1706 yyerror("Apple specific features not compiled in.");
1707 return -1;
1708 #endif
1709
1710 } EOS
1711 | NONCE_SIZE NUMBER { cur_rmconf->nonce_size = $2; } EOS
1712 | DH_GROUP
1713 {
1714 yyerror("dh_group cannot be defined here.");
1715 return -1;
1716 }
1717 dh_group_num EOS
1718 | PASSIVE SWITCH { cur_rmconf->passive = $2; } EOS
1719 | IKE_FRAG SWITCH { cur_rmconf->ike_frag = $2; } EOS
1720 | IKE_FRAG REMOTE_FORCE_LEVEL { cur_rmconf->ike_frag = ISAKMP_FRAG_FORCE; } EOS
1721 | ESP_FRAG NUMBER {
1722 #ifdef SADB_X_EXT_NAT_T_FRAG
1723 if (libipsec_opt & LIBIPSEC_OPT_FRAG)
1724 cur_rmconf->esp_frag = $2;
1725 else
1726 yywarn("libipsec lacks IKE frag support");
1727 #else
1728 yywarn("Your kernel does not support esp_frag");
1729 #endif
1730 } EOS
1731 | SCRIPT QUOTEDSTRING PHASE1_UP {
1732 if (cur_rmconf->script[SCRIPT_PHASE1_UP] != NULL)
1733 vfree(cur_rmconf->script[SCRIPT_PHASE1_UP]);
1734
1735 cur_rmconf->script[SCRIPT_PHASE1_UP] =
1736 script_path_add(vdup($2));
1737 } EOS
1738 | SCRIPT QUOTEDSTRING PHASE1_DOWN {
1739 if (cur_rmconf->script[SCRIPT_PHASE1_DOWN] != NULL)
1740 vfree(cur_rmconf->script[SCRIPT_PHASE1_DOWN]);
1741
1742 cur_rmconf->script[SCRIPT_PHASE1_DOWN] =
1743 script_path_add(vdup($2));
1744 } EOS
1745 | MODE_CFG SWITCH { cur_rmconf->mode_cfg = $2; } EOS
1746 | WEAK_PHASE1_CHECK SWITCH {
1747 cur_rmconf->weak_phase1_check = $2;
1748 } EOS
1749 | GENERATE_POLICY SWITCH { cur_rmconf->gen_policy = $2; } EOS
1750 | GENERATE_POLICY GENERATE_LEVEL { cur_rmconf->gen_policy = $2; } EOS
1751 | SUPPORT_PROXY SWITCH { cur_rmconf->support_proxy = $2; } EOS
1752 | INITIAL_CONTACT SWITCH { cur_rmconf->ini_contact = $2; } EOS
1753 | NAT_TRAVERSAL SWITCH
1754 {
1755 #ifdef ENABLE_NATT
1756 cur_rmconf->nat_traversal = $2;
1757 #else
1758 yyerror("NAT-T support not compiled in.");
1759 #endif
1760 } EOS
1761 | NAT_TRAVERSAL NAT_TRAVERSAL_LEVEL
1762 {
1763 #ifdef ENABLE_NATT
1764 cur_rmconf->nat_traversal = $2;
1765 #else
1766 yyerror("NAT-T support not compiled in.");
1767 #endif
1768 } EOS
1769 | NAT_TRAVERSAL_MULTI_USER SWITCH
1770 {
1771 #ifdef ENABLE_NATT
1772 #ifdef __APPLE__
1773 cur_rmconf->natt_multiple_user = $2;
1774 #else
1775 yyerror("Apple specific features not compiled in.");
1776 #endif
1777 #else
1778 yyerror("NAT-T support not compiled in.");
1779 #endif
1780 } EOS
1781 | NAT_TRAVERSAL_KEEPALIVE SWITCH
1782 {
1783 #ifdef ENABLE_NATT
1784 #ifdef __APPLE__
1785 cur_rmconf->natt_keepalive = $2;
1786 #else
1787 yyerror("Apple specific features not compiled in.");
1788 #endif
1789 #else
1790 yyerror("NAT-T support not compiled in.");
1791 #endif
1792 } EOS
1793 | DPD SWITCH
1794 {
1795 #ifdef ENABLE_DPD
1796 cur_rmconf->dpd = $2;
1797 #else
1798 yyerror("DPD support not compiled in.");
1799 #endif
1800 } EOS
1801 | DPD_DELAY NUMBER
1802 {
1803 #ifdef ENABLE_DPD
1804 cur_rmconf->dpd_interval = $2;
1805 #else
1806 yyerror("DPD support not compiled in.");
1807 #endif
1808 }
1809 EOS
1810 | DPD_RETRY NUMBER
1811 {
1812 #ifdef ENABLE_DPD
1813 cur_rmconf->dpd_retry = $2;
1814 #else
1815 yyerror("DPD support not compiled in.");
1816 #endif
1817 }
1818 EOS
1819 | DPD_MAXFAIL NUMBER
1820 {
1821 #ifdef ENABLE_DPD
1822 cur_rmconf->dpd_maxfails = $2;
1823 #else
1824 yyerror("DPD support not compiled in.");
1825 #endif
1826 }
1827 EOS
1828 | DPD_ALGORITHM dpd_algo_type
1829 {
1830 #ifdef ENABLE_DPD
1831 cur_rmconf->dpd_algo = $2;
1832 #else
1833 yyerror("DPD support not compiled in.");
1834 #endif
1835 }
1836 EOS
1837 | DISCONNECT_ON_IDLE IDLE_TIMEOUT NUMBER IDLE_DIRECTION idle_dir_type
1838 {
1839 cur_rmconf->idle_timeout = $3;
1840 cur_rmconf->idle_timeout_dir = $5;
1841 }
1842 EOS
1843 | LIFETIME LIFETYPE_TIME NUMBER unittype_time
1844 {
1845 cur_rmconf->prhead->lifetime = $3 * $4;
1846 }
1847 EOS
1848 | PROPOSAL_CHECK PROPOSAL_CHECK_LEVEL { cur_rmconf->pcheck_level = $2; } EOS
1849 | LIFETIME LIFETYPE_BYTE NUMBER unittype_byte
1850 {
1851 #if 1
1852 yyerror("byte lifetime support is deprecated in Phase1");
1853 return -1;
1854 #else
1855 yywarn("the lifetime of bytes in phase 1 "
1856 "will be ignored at the moment.");
1857 cur_rmconf->prhead->lifebyte = fix_lifebyte($3 * $4);
1858 if (cur_rmconf->prhead->lifebyte == 0)
1859 return -1;
1860 #endif
1861 }
1862 EOS
1863 | PROPOSAL
1864 {
1865 struct secprotospec *spspec;
1866
1867 spspec = newspspec();
1868 if (spspec == NULL)
1869 return -1;
1870 insspspec(spspec, &cur_rmconf->prhead);
1871 }
1872 BOC isakmpproposal_specs EOC
1873 ;
1874 exchange_types
1875 : /* nothing */
1876 | exchange_types EXCHANGETYPE
1877 {
1878 struct etypes *new;
1879 new = racoon_malloc(sizeof(struct etypes));
1880 if (new == NULL) {
1881 yyerror("failed to allocate etypes");
1882 return -1;
1883 }
1884 new->type = $2;
1885 new->next = NULL;
1886 if (cur_rmconf->etypes == NULL)
1887 cur_rmconf->etypes = new;
1888 else {
1889 struct etypes *p;
1890 for (p = cur_rmconf->etypes;
1891 p->next != NULL;
1892 p = p->next)
1893 ;
1894 p->next = new;
1895 }
1896 }
1897 ;
1898 cert_spec
1899 : CERT_X509 QUOTEDSTRING QUOTEDSTRING
1900 {
1901 cur_rmconf->certtype = $1;
1902 if (cur_rmconf->mycertfile != NULL)
1903 racoon_free(cur_rmconf->mycertfile);
1904 cur_rmconf->mycertfile = racoon_strdup($2->v);
1905 STRDUP_FATAL(cur_rmconf->mycertfile);
1906 vfree($2);
1907 if (cur_rmconf->myprivfile != NULL)
1908 racoon_free(cur_rmconf->myprivfile);
1909 cur_rmconf->myprivfile = racoon_strdup($3->v);
1910 STRDUP_FATAL(cur_rmconf->myprivfile);
1911 vfree($3);
1912 }
1913 EOS
1914 | CERT_X509 IN_KEYCHAIN
1915 {
1916 #ifdef __APPLE__
1917 cur_rmconf->certtype = $1;
1918 cur_rmconf->identity_in_keychain = 1;
1919 cur_rmconf->keychainCertRef = NULL;
1920 #endif
1921 }
1922 EOS
1923 ;
1924 | CERT_X509 IN_KEYCHAIN QUOTEDSTRING
1925 {
1926 #ifdef __APPLE__
1927
1928 cur_rmconf->certtype = $1;
1929 cur_rmconf->identity_in_keychain = 1;
1930 cur_rmconf->keychainCertRef = $3;
1931 #endif
1932 }
1933 EOS
1934 ;
1935 | CERT_PLAINRSA QUOTEDSTRING
1936 {
1937 char path[MAXPATHLEN];
1938 int ret = 0;
1939
1940 getpathname(path, sizeof(path),
1941 LC_PATHTYPE_CERT, $2->v);
1942 vfree($2);
1943
1944 cur_rmconf->certtype = $1;
1945 cur_rmconf->send_cr = FALSE;
1946 cur_rmconf->send_cert = FALSE;
1947 cur_rmconf->verify_cert = FALSE;
1948 if (rsa_parse_file(cur_rmconf->rsa_private, path, RSA_TYPE_PRIVATE)) {
1949 yyerror("Couldn't parse keyfile.\n", path);
1950 return -1;
1951 }
1952 plog(LLV_DEBUG, LOCATION, NULL, "Private PlainRSA keyfile parsed: %s\n", path);
1953 }
1954 EOS
1955 ;
1956 dh_group_num
1957 : ALGORITHMTYPE
1958 {
1959 $$ = algtype2doi(algclass_isakmp_dh, $1);
1960 if ($$ == -1) {
1961 yyerror("must be DH group");
1962 return -1;
1963 }
1964 }
1965 | NUMBER
1966 {
1967 if (ARRAYLEN(num2dhgroup) > $1 && num2dhgroup[$1] != 0) {
1968 $$ = num2dhgroup[$1];
1969 } else {
1970 yyerror("must be DH group");
1971 $$ = 0;
1972 return -1;
1973 }
1974 }
1975 ;
1976 identifierstring
1977 : /* nothing */ { $$ = NULL; }
1978 | ADDRSTRING { $$ = $1; }
1979 | QUOTEDSTRING { $$ = $1; }
1980 ;
1981 isakmpproposal_specs
1982 : /* nothing */
1983 | isakmpproposal_specs isakmpproposal_spec
1984 ;
1985 isakmpproposal_spec
1986 : STRENGTH
1987 {
1988 yyerror("strength directive is obsoleted.");
1989 } STRENGTHTYPE EOS
1990 | LIFETIME LIFETYPE_TIME NUMBER unittype_time
1991 {
1992 cur_rmconf->prhead->spspec->lifetime = $3 * $4;
1993 }
1994 EOS
1995 | LIFETIME LIFETYPE_BYTE NUMBER unittype_byte
1996 {
1997 #if 1
1998 yyerror("byte lifetime support is deprecated");
1999 return -1;
2000 #else
2001 cur_rmconf->prhead->spspec->lifebyte = fix_lifebyte($3 * $4);
2002 if (cur_rmconf->prhead->spspec->lifebyte == 0)
2003 return -1;
2004 #endif
2005 }
2006 EOS
2007 | DH_GROUP dh_group_num
2008 {
2009 cur_rmconf->prhead->spspec->algclass[algclass_isakmp_dh] = $2;
2010 }
2011 EOS
2012 | GSS_ID QUOTEDSTRING
2013 {
2014 if (cur_rmconf->prhead->spspec->vendorid != VENDORID_GSSAPI) {
2015 yyerror("wrong Vendor ID for gssapi_id");
2016 return -1;
2017 }
2018 if (cur_rmconf->prhead->spspec->gssid != NULL)
2019 racoon_free(cur_rmconf->prhead->spspec->gssid);
2020 cur_rmconf->prhead->spspec->gssid =
2021 racoon_strdup($2->v);
2022 STRDUP_FATAL(cur_rmconf->prhead->spspec->gssid);
2023 }
2024 EOS
2025 | ALGORITHM_CLASS ALGORITHMTYPE keylength
2026 {
2027 int doi;
2028 int defklen;
2029
2030 doi = algtype2doi($1, $2);
2031 if (doi == -1) {
2032 yyerror("algorithm mismatched 1");
2033 return -1;
2034 }
2035
2036 switch ($1) {
2037 case algclass_isakmp_enc:
2038 /* reject suppressed algorithms */
2039 #ifndef HAVE_OPENSSL_RC5_H
2040 if ($2 == algtype_rc5) {
2041 yyerror("algorithm %s not supported",
2042 s_attr_isakmp_enc(doi));
2043 return -1;
2044 }
2045 #endif
2046 #ifndef HAVE_OPENSSL_IDEA_H
2047 if ($2 == algtype_idea) {
2048 yyerror("algorithm %s not supported",
2049 s_attr_isakmp_enc(doi));
2050 return -1;
2051 }
2052 #endif
2053
2054 cur_rmconf->prhead->spspec->algclass[algclass_isakmp_enc] = doi;
2055 defklen = default_keylen($1, $2);
2056 if (defklen == 0) {
2057 if ($3) {
2058 yyerror("keylen not allowed");
2059 return -1;
2060 }
2061 } else {
2062 if ($3 && check_keylen($1, $2, $3) < 0) {
2063 yyerror("invalid keylen %d", $3);
2064 return -1;
2065 }
2066 }
2067 if ($3)
2068 cur_rmconf->prhead->spspec->encklen = $3;
2069 else
2070 cur_rmconf->prhead->spspec->encklen = defklen;
2071 break;
2072 case algclass_isakmp_hash:
2073 cur_rmconf->prhead->spspec->algclass[algclass_isakmp_hash] = doi;
2074 break;
2075 case algclass_isakmp_ameth:
2076 cur_rmconf->prhead->spspec->algclass[algclass_isakmp_ameth] = doi;
2077 /*
2078 * We may have to set the Vendor ID for the
2079 * authentication method we're using.
2080 */
2081 switch ($2) {
2082 case algtype_gssapikrb:
2083 if (cur_rmconf->prhead->spspec->vendorid !=
2084 VENDORID_UNKNOWN) {
2085 yyerror("Vendor ID mismatch "
2086 "for auth method");
2087 return -1;
2088 }
2089 /*
2090 * For interoperability with Win2k,
2091 * we set the Vendor ID to "GSSAPI".
2092 */
2093 cur_rmconf->prhead->spspec->vendorid =
2094 VENDORID_GSSAPI;
2095 break;
2096 case algtype_rsasig:
2097 if (cur_rmconf->certtype == ISAKMP_CERT_PLAINRSA) {
2098 if (rsa_list_count(cur_rmconf->rsa_private) == 0) {
2099 yyerror ("Private PlainRSA key not set. "
2100 "Use directive 'certificate_type plainrsa ...'\n");
2101 return -1;
2102 }
2103 if (rsa_list_count(cur_rmconf->rsa_public) == 0) {
2104 yyerror ("Public PlainRSA keys not set. "
2105 "Use directive 'peers_certfile plainrsa ...'\n");
2106 return -1;
2107 }
2108 }
2109 break;
2110 default:
2111 break;
2112 }
2113 break;
2114 default:
2115 yyerror("algorithm mismatched 2");
2116 return -1;
2117 }
2118 }
2119 EOS
2120 ;
2121
2122 unittype_time
2123 : UNITTYPE_SEC { $$ = 1; }
2124 | UNITTYPE_MIN { $$ = 60; }
2125 | UNITTYPE_HOUR { $$ = (60 * 60); }
2126 ;
2127 unittype_byte
2128 : UNITTYPE_BYTE { $$ = 1; }
2129 | UNITTYPE_KBYTES { $$ = 1024; }
2130 | UNITTYPE_MBYTES { $$ = (1024 * 1024); }
2131 | UNITTYPE_TBYTES { $$ = (1024 * 1024 * 1024); }
2132 ;
2133 dpd_algo_type
2134 : DPD_ALGO_TYPE_DEFAULT { $$ = DPD_ALGO_DEFAULT; }
2135 | DPD_ALGO_TYPE_INBOUND { $$ = DPD_ALGO_INBOUND_DETECT; }
2136 | DPD_ALGO_TYPE_BLACKHOLE { $$ = DPD_ALGO_BLACKHOLE_DETECT; }
2137 ;
2138 idle_dir_type
2139 : IDLE_DIRECTION_ANY { $$ = IPSEC_DIR_ANY; }
2140 | IDLE_DIRECTION_IN { $$ = IPSEC_DIR_INBOUND; }
2141 | IDLE_DIRECTION_OUT { $$ = IPSEC_DIR_OUTBOUND; }
2142 ;
2143 %%
2144
2145 static struct proposalspec *
2146 newprspec()
2147 {
2148 struct proposalspec *new;
2149
2150 new = racoon_calloc(1, sizeof(*new));
2151 if (new == NULL)
2152 yyerror("failed to allocate proposal");
2153
2154 return new;
2155 }
2156
2157 /*
2158 * insert into head of list.
2159 */
2160 static void
2161 insprspec(prspec, head)
2162 struct proposalspec *prspec;
2163 struct proposalspec **head;
2164 {
2165 if (*head != NULL)
2166 (*head)->prev = prspec;
2167 prspec->next = *head;
2168 *head = prspec;
2169 }
2170
2171 static struct secprotospec *
2172 newspspec()
2173 {
2174 struct secprotospec *new;
2175
2176 new = racoon_calloc(1, sizeof(*new));
2177 if (new == NULL) {
2178 yyerror("failed to allocate spproto");
2179 return NULL;
2180 }
2181
2182 new->encklen = 0; /*XXX*/
2183
2184 /*
2185 * Default to "uknown" vendor -- we will override this
2186 * as necessary. When we send a Vendor ID payload, an
2187 * "unknown" will be translated to a KAME/racoon ID.
2188 */
2189 new->vendorid = VENDORID_UNKNOWN;
2190
2191 return new;
2192 }
2193
2194 /*
2195 * insert into head of list.
2196 */
2197 static void
2198 insspspec(spspec, head)
2199 struct secprotospec *spspec;
2200 struct proposalspec **head;
2201 {
2202 spspec->back = *head;
2203
2204 if ((*head)->spspec != NULL)
2205 (*head)->spspec->prev = spspec;
2206 spspec->next = (*head)->spspec;
2207 (*head)->spspec = spspec;
2208 }
2209
2210 /* set final acceptable proposal */
2211 static int
2212 set_isakmp_proposal(rmconf, prspec)
2213 struct remoteconf *rmconf;
2214 struct proposalspec *prspec;
2215 {
2216 struct proposalspec *p;
2217 struct secprotospec *s;
2218 int prop_no = 1;
2219 int trns_no = 1;
2220 int32_t types[MAXALGCLASS];
2221
2222 p = prspec;
2223 if (p->next != 0) {
2224 plog(LLV_ERROR, LOCATION, NULL,
2225 "multiple proposal definition.\n");
2226 return -1;
2227 }
2228
2229 /* mandatory check */
2230 if (p->spspec == NULL) {
2231 yyerror("no remote specification found: %s.\n",
2232 saddr2str(rmconf->remote));
2233 return -1;
2234 }
2235 for (s = p->spspec; s != NULL; s = s->next) {
2236 /* XXX need more to check */
2237 if (s->algclass[algclass_isakmp_enc] == 0) {
2238 yyerror("encryption algorithm required.");
2239 return -1;
2240 }
2241 if (s->algclass[algclass_isakmp_hash] == 0) {
2242 yyerror("hash algorithm required.");
2243 return -1;
2244 }
2245 if (s->algclass[algclass_isakmp_dh] == 0) {
2246 yyerror("DH group required.");
2247 return -1;
2248 }
2249 if (s->algclass[algclass_isakmp_ameth] == 0) {
2250 yyerror("authentication method required.");
2251 return -1;
2252 }
2253 }
2254
2255 /* skip to last part */
2256 for (s = p->spspec; s->next != NULL; s = s->next)
2257 ;
2258
2259 while (s != NULL) {
2260 plog(LLV_DEBUG2, LOCATION, NULL,
2261 "lifetime = %ld\n", (long)
2262 (s->lifetime ? s->lifetime : p->lifetime));
2263 plog(LLV_DEBUG2, LOCATION, NULL,
2264 "lifebyte = %d\n",
2265 s->lifebyte ? s->lifebyte : p->lifebyte);
2266 plog(LLV_DEBUG2, LOCATION, NULL,
2267 "encklen=%d\n", s->encklen);
2268
2269 memset(types, 0, ARRAYLEN(types));
2270 types[algclass_isakmp_enc] = s->algclass[algclass_isakmp_enc];
2271 types[algclass_isakmp_hash] = s->algclass[algclass_isakmp_hash];
2272 types[algclass_isakmp_dh] = s->algclass[algclass_isakmp_dh];
2273 types[algclass_isakmp_ameth] =
2274 s->algclass[algclass_isakmp_ameth];
2275
2276 /* expanding spspec */
2277 clean_tmpalgtype();
2278 trns_no = expand_isakmpspec(prop_no, trns_no, types,
2279 algclass_isakmp_enc, algclass_isakmp_ameth + 1,
2280 s->lifetime ? s->lifetime : p->lifetime,
2281 s->lifebyte ? s->lifebyte : p->lifebyte,
2282 s->encklen, s->vendorid, s->gssid,
2283 rmconf);
2284 if (trns_no == -1) {
2285 plog(LLV_ERROR, LOCATION, NULL,
2286 "failed to expand isakmp proposal.\n");
2287 return -1;
2288 }
2289
2290 s = s->prev;
2291 }
2292
2293 if (rmconf->proposal == NULL) {
2294 plog(LLV_ERROR, LOCATION, NULL,
2295 "no proposal found.\n");
2296 return -1;
2297 }
2298
2299 return 0;
2300 }
2301
2302 static void
2303 clean_tmpalgtype()
2304 {
2305 int i;
2306 for (i = 0; i < MAXALGCLASS; i++)
2307 tmpalgtype[i] = 0; /* means algorithm undefined. */
2308 }
2309
2310 static int
2311 expand_isakmpspec(prop_no, trns_no, types,
2312 class, last, lifetime, lifebyte, encklen, vendorid, gssid,
2313 rmconf)
2314 int prop_no, trns_no;
2315 int *types, class, last;
2316 time_t lifetime;
2317 int lifebyte;
2318 int encklen;
2319 int vendorid;
2320 char *gssid;
2321 struct remoteconf *rmconf;
2322 {
2323 struct isakmpsa *new;
2324
2325 /* debugging */
2326 {
2327 int j;
2328 char tb[10];
2329 plog(LLV_DEBUG2, LOCATION, NULL,
2330 "p:%d t:%d\n", prop_no, trns_no);
2331 for (j = class; j < MAXALGCLASS; j++) {
2332 snprintf(tb, sizeof(tb), "%d", types[j]);
2333 plog(LLV_DEBUG2, LOCATION, NULL,
2334 "%s%s%s%s\n",
2335 s_algtype(j, types[j]),
2336 types[j] ? "(" : "",
2337 tb[0] == '0' ? "" : tb,
2338 types[j] ? ")" : "");
2339 }
2340 plog(LLV_DEBUG2, LOCATION, NULL, "\n");
2341 }
2342
2343 #define TMPALGTYPE2STR(n) \
2344 s_algtype(algclass_isakmp_##n, types[algclass_isakmp_##n])
2345 /* check mandatory values */
2346 if (types[algclass_isakmp_enc] == 0
2347 || types[algclass_isakmp_ameth] == 0
2348 || types[algclass_isakmp_hash] == 0
2349 || types[algclass_isakmp_dh] == 0) {
2350 yyerror("few definition of algorithm "
2351 "enc=%s ameth=%s hash=%s dhgroup=%s.\n",
2352 TMPALGTYPE2STR(enc),
2353 TMPALGTYPE2STR(ameth),
2354 TMPALGTYPE2STR(hash),
2355 TMPALGTYPE2STR(dh));
2356 return -1;
2357 }
2358 #undef TMPALGTYPE2STR
2359
2360 /* set new sa */
2361 new = newisakmpsa();
2362 if (new == NULL) {
2363 yyerror("failed to allocate isakmp sa");
2364 return -1;
2365 }
2366 new->prop_no = prop_no;
2367 new->trns_no = trns_no++;
2368 new->lifetime = lifetime;
2369 new->lifebyte = lifebyte;
2370 new->enctype = types[algclass_isakmp_enc];
2371 new->encklen = encklen;
2372 new->authmethod = types[algclass_isakmp_ameth];
2373 new->hashtype = types[algclass_isakmp_hash];
2374 new->dh_group = types[algclass_isakmp_dh];
2375 new->vendorid = vendorid;
2376 #ifdef HAVE_GSSAPI
2377 if (new->authmethod == OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB) {
2378 if (gssid != NULL) {
2379 if ((new->gssid = vmalloc(strlen(gssid))) == NULL) {
2380 racoon_free(new);
2381 yyerror("failed to allocate gssid");
2382 return -1;
2383 }
2384 memcpy(new->gssid->v, gssid, new->gssid->l);
2385 racoon_free(gssid);
2386 } else {
2387 /*
2388 * Allocate the default ID so that it gets put
2389 * into a GSS ID attribute during the Phase 1
2390 * exchange.
2391 */
2392 new->gssid = gssapi_get_default_gss_id();
2393 }
2394 }
2395 #endif
2396 insisakmpsa(new, rmconf);
2397
2398 return trns_no;
2399 }
2400
2401 static int
2402 listen_addr (struct sockaddr *addr, int udp_encap)
2403 {
2404 struct myaddrs *p;
2405
2406 p = newmyaddr();
2407 if (p == NULL) {
2408 yyerror("failed to allocate myaddrs");
2409 return -1;
2410 }
2411 p->addr = addr;
2412 if (p->addr == NULL) {
2413 yyerror("failed to copy sockaddr ");
2414 delmyaddr(p);
2415 return -1;
2416 }
2417 p->udp_encap = udp_encap;
2418 #ifdef __APPLE__
2419 /* These need to be initialized for Apple modifications
2420 * to open code for isakmp sockets
2421 */
2422 p->sock = -1;
2423 p->in_use = 1;
2424 #endif
2425
2426 insmyaddr(p, &lcconf->myaddrs);
2427
2428 lcconf->autograbaddr = 0;
2429 return 0;
2430 }
2431
2432 #if 0
2433 /*
2434 * fix lifebyte.
2435 * Must be more than 1024B because its unit is kilobytes.
2436 * That is defined RFC2407.
2437 */
2438 static int
2439 fix_lifebyte(t)
2440 unsigned long t;
2441 {
2442 if (t < 1024) {
2443 yyerror("byte size should be more than 1024B.");
2444 return 0;
2445 }
2446
2447 return(t / 1024);
2448 }
2449 #endif
2450
2451 int
2452 cfparse()
2453 {
2454 int error;
2455
2456 plog(LLV_DEBUG, LOCATION, NULL, "===== parse config\n");
2457
2458 yycf_init_buffer();
2459
2460 if (yycf_switch_buffer(lcconf->racoon_conf) != 0) {
2461 IPSECCONFIGTRACEREVENT(CONSTSTR(lcconf->racoon_conf),
2462 IPSECCONFIGEVENTCODE_PARSE_ERROR,
2463 CONSTSTR("could not read configuration file"),
2464 CONSTSTR("cfparse: yycf_switch_buffer erred"));
2465 plog(LLV_ERROR, LOCATION, NULL,
2466 "could not read configuration file \"%s\"\n",
2467 lcconf->racoon_conf);
2468 return -1;
2469 }
2470
2471 error = yyparse();
2472 if (error != 0) {
2473 if (yyerrorcount) {
2474 plog(LLV_ERROR, LOCATION, NULL,
2475 "fatal parse failure (%d errors)\n",
2476 yyerrorcount);
2477 } else {
2478 plog(LLV_ERROR, LOCATION, NULL,
2479 "fatal parse failure.\n");
2480 }
2481 IPSECCONFIGTRACEREVENT(CONSTSTR(lcconf->racoon_conf),
2482 IPSECCONFIGEVENTCODE_PARSE_ERROR,
2483 CONSTSTR("fatal parse failure"),
2484 CONSTSTR("cfparse: yyparse erred"));
2485 yycf_clean_buffer();
2486 return -1;
2487 }
2488
2489 if (error == 0 && yyerrorcount) {
2490 plog(LLV_ERROR, LOCATION, NULL,
2491 "parse error is nothing, but yyerrorcount is %d.\n",
2492 yyerrorcount);
2493 IPSECCONFIGTRACEREVENT(CONSTSTR(lcconf->racoon_conf),
2494 IPSECCONFIGEVENTCODE_PARSE_ERROR,
2495 CONSTSTR("ambivalent error code"),
2496 CONSTSTR("cfparse: error == 0 && yerrorcount"));
2497 yycf_clean_buffer();
2498 exit(1);
2499 }
2500
2501 yycf_clean_buffer();
2502
2503 plog(LLV_DEBUG2, LOCATION, NULL, "parse successed.\n");
2504
2505 return 0;
2506 }
2507
2508 int
2509 cfreparse(int sig)
2510 {
2511 int ignore_established_handles = (sig == SIGUSR1);
2512
2513 if (sig >= 0 && sig < NSIG) {
2514 plog(LLV_DEBUG, LOCATION, NULL, "==== Got %s signal - re-parsing.\n", sys_signame[sig]);
2515 } else {
2516 plog(LLV_ERROR, LOCATION, NULL, "==== Got Unknown signal - re-parsing.\n");
2517 IPSECCONFIGTRACEREVENT(CONSTSTR("reparse"),
2518 IPSECCONFIGEVENTCODE_REPARSE_ERROR,
2519 CONSTSTR("Unknown signal"),
2520 CONSTSTR("cfreparse: triggered by unknown signal"));
2521 }
2522
2523 flushph2(ignore_established_handles);
2524 flushph1(ignore_established_handles);
2525 flushrmconf();
2526 flushsainfo();
2527 flushlcconf();
2528 #ifdef HAVE_LIBLDAP
2529 xauth_ldap_flush();
2530 #endif
2531 check_auto_exit(); /* check/change state of auto exit */
2532 clean_tmpalgtype();
2533
2534 return(cfparse());
2535 }
2536
2537
2538 #ifdef ENABLE_ADMINPORT
2539 static void
2540 adminsock_conf(path, owner, group, mode_dec)
2541 vchar_t *path;
2542 vchar_t *owner;
2543 vchar_t *group;
2544 int mode_dec;
2545 {
2546 struct passwd *pw = NULL;
2547 struct group *gr = NULL;
2548 mode_t mode = 0;
2549 uid_t uid;
2550 gid_t gid;
2551 int isnum;
2552
2553 adminsock_path = path->v;
2554
2555 if (owner == NULL)
2556 return;
2557
2558 errno = 0;
2559 uid = atoi(owner->v);
2560 isnum = !errno;
2561 if (((pw = getpwnam(owner->v)) == NULL) && !isnum)
2562 yyerror("User \"%s\" does not exist", owner->v);
2563
2564 if (pw)
2565 adminsock_owner = pw->pw_uid;
2566 else
2567 adminsock_owner = uid;
2568
2569 if (group == NULL)
2570 return;
2571
2572 errno = 0;
2573 gid = atoi(group->v);
2574 isnum = !errno;
2575 if (((gr = getgrnam(group->v)) == NULL) && !isnum)
2576 yyerror("Group \"%s\" does not exist", group->v);
2577
2578 if (gr)
2579 adminsock_group = gr->gr_gid;
2580 else
2581 adminsock_group = gid;
2582
2583 if (mode_dec == -1)
2584 return;
2585
2586 if (mode_dec > 777)
2587 yyerror("Mode 0%03o is invalid", mode_dec);
2588 if (mode_dec >= 400) { mode += 0400; mode_dec -= 400; }
2589 if (mode_dec >= 200) { mode += 0200; mode_dec -= 200; }
2590 if (mode_dec >= 100) { mode += 0200; mode_dec -= 100; }
2591
2592 if (mode_dec > 77)
2593 yyerror("Mode 0%03o is invalid", mode_dec);
2594 if (mode_dec >= 40) { mode += 040; mode_dec -= 40; }
2595 if (mode_dec >= 20) { mode += 020; mode_dec -= 20; }
2596 if (mode_dec >= 10) { mode += 020; mode_dec -= 10; }
2597
2598 if (mode_dec > 7)
2599 yyerror("Mode 0%03o is invalid", mode_dec);
2600 if (mode_dec >= 4) { mode += 04; mode_dec -= 4; }
2601 if (mode_dec >= 2) { mode += 02; mode_dec -= 2; }
2602 if (mode_dec >= 1) { mode += 02; mode_dec -= 1; }
2603
2604 adminsock_mode = mode;
2605
2606 return;
2607 }
2608 #endif
mirror of ipsec