/* $NetBSD: cfparse.y,v 1.18.4.3 2007/08/01 11:52:19 vanhu Exp $ */ /* Id: cfparse.y,v 1.66 2006/08/22 18:17:17 manubsd Exp */ %{ /* * Copyright (C) 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002 and 2003 WIDE Project. * All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. Neither the name of the project nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. */ #include "config.h" #include #include #include #include #include #ifdef HAVE_NETINET6_IPSEC # include #else # include #endif #ifdef ENABLE_HYBRID #include #endif #include #include #include #include #include #include #include #include #include "var.h" #include "misc.h" #include "vmbuf.h" #include "plog.h" #include "sockmisc.h" #include "str2val.h" #include "genlist.h" #include "debug.h" #include "admin.h" #include "privsep.h" #include "cfparse_proto.h" #include "cftoken_proto.h" #include "algorithm.h" #include "localconf.h" #include "policy.h" #include "sainfo.h" #include "oakley.h" #include "pfkey.h" #include "remoteconf.h" #include "grabmyaddr.h" #include "isakmp_var.h" #include "handler.h" #include "isakmp.h" #include "nattraversal.h" #include "isakmp_frag.h" #ifdef ENABLE_HYBRID #include "resolv.h" #include "isakmp_unity.h" #include "isakmp_xauth.h" #include "isakmp_cfg.h" #endif #include "ipsec_doi.h" #include "strnames.h" #include "gcmalloc.h" #ifdef HAVE_GSSAPI #include "gssapi.h" #endif #include "vendorid.h" #include "rsalist.h" #include "ipsecConfigTracer.h" #include "ipsecMessageTracer.h" static int num2dhgroup[] = { 0, OAKLEY_ATTR_GRP_DESC_MODP768, OAKLEY_ATTR_GRP_DESC_MODP1024, OAKLEY_ATTR_GRP_DESC_EC2N155, OAKLEY_ATTR_GRP_DESC_EC2N185, OAKLEY_ATTR_GRP_DESC_MODP1536, 0, 0, 0, 0, 0, 0, 0, 0, OAKLEY_ATTR_GRP_DESC_MODP2048, OAKLEY_ATTR_GRP_DESC_MODP3072, OAKLEY_ATTR_GRP_DESC_MODP4096, OAKLEY_ATTR_GRP_DESC_MODP6144, OAKLEY_ATTR_GRP_DESC_MODP8192 }; static struct remoteconf *cur_rmconf; static int tmpalgtype[MAXALGCLASS]; static struct sainfo *cur_sainfo; static int cur_algclass; static int oldloglevel = LLV_BASE; static struct proposalspec *newprspec __P((void)); static void insprspec __P((struct proposalspec *, struct proposalspec **)); static struct secprotospec *newspspec __P((void)); static void insspspec __P((struct secprotospec *, struct proposalspec **)); static void adminsock_conf __P((vchar_t *, vchar_t *, vchar_t *, int)); static int set_isakmp_proposal __P((struct remoteconf *, struct proposalspec *)); static void clean_tmpalgtype __P((void)); static int expand_isakmpspec __P((int, int, int *, int, int, time_t, int, int, int, char *, struct remoteconf *)); static int listen_addr __P((struct sockaddr *addr, int udp_encap)); void freeetypes (struct etypes **etypes); #if 0 static int fix_lifebyte __P((u_long)); #endif %} %union { unsigned long num; vchar_t *val; struct remoteconf *rmconf; struct sockaddr *saddr; struct sainfoalg *alg; } /* privsep */ %token PRIVSEP USER GROUP CHROOT /* path */ %token PATH PATHTYPE /* include */ %token INCLUDE /* self information */ %token IDENTIFIER VENDORID /* logging */ %token LOGGING LOGLEV /* padding */ %token PADDING PAD_RANDOMIZE PAD_RANDOMIZELEN PAD_MAXLEN PAD_STRICT PAD_EXCLTAIL /* listen */ %token LISTEN X_ISAKMP X_ISAKMP_NATT X_ADMIN STRICT_ADDRESS ADMINSOCK DISABLED /* modecfg */ %token MODECFG CFG_NET4 CFG_MASK4 CFG_DNS4 CFG_NBNS4 CFG_DEFAULT_DOMAIN %token CFG_AUTH_SOURCE CFG_AUTH_GROUPS CFG_SYSTEM CFG_RADIUS CFG_PAM CFG_LDAP CFG_LOCAL CFG_NONE %token CFG_GROUP_SOURCE CFG_ACCOUNTING CFG_CONF_SOURCE CFG_MOTD CFG_POOL_SIZE CFG_AUTH_THROTTLE %token CFG_SPLIT_NETWORK CFG_SPLIT_LOCAL CFG_SPLIT_INCLUDE CFG_SPLIT_DNS %token CFG_PFS_GROUP CFG_SAVE_PASSWD /* timer */ %token RETRY RETRY_COUNTER RETRY_INTERVAL RETRY_PERSEND %token RETRY_PHASE1 RETRY_PHASE2 NATT_KA AUTO_EXIT_DELAY /* algorithm */ %token ALGORITHM_CLASS ALGORITHMTYPE STRENGTHTYPE /* sainfo */ %token SAINFO FROM /* remote */ %token REMOTE ANONYMOUS INHERIT %token EXCHANGE_MODE EXCHANGETYPE DOI DOITYPE SITUATION SITUATIONTYPE %token CERTIFICATE_TYPE CERTTYPE PEERS_CERTFILE CA_TYPE %token VERIFY_CERT SEND_CERT SEND_CR %token IDENTIFIERTYPE IDENTIFIERQUAL MY_IDENTIFIER %token PEERS_IDENTIFIER VERIFY_IDENTIFIER %token SHARED_SECRET SECRETTYPE %token OPEN_DIR_AUTH_GROUP IN_KEYCHAIN %token CERTIFICATE_VERIFICATION VERIFICATION_MODULE VERIFICATION_OPTION %token DNSSEC CERT_X509 CERT_PLAINRSA %token NONCE_SIZE DH_GROUP KEEPALIVE PASSIVE INITIAL_CONTACT %token NAT_TRAVERSAL REMOTE_FORCE_LEVEL NAT_TRAVERSAL_LEVEL NAT_TRAVERSAL_MULTI_USER NAT_TRAVERSAL_KEEPALIVE %token PROPOSAL_CHECK PROPOSAL_CHECK_LEVEL %token GENERATE_POLICY GENERATE_LEVEL SUPPORT_PROXY %token PROPOSAL %token EXEC_PATH EXEC_COMMAND EXEC_SUCCESS EXEC_FAILURE %token GSS_ID GSS_ID_ENC GSS_ID_ENCTYPE %token COMPLEX_BUNDLE %token DPD DPD_DELAY DPD_RETRY DPD_MAXFAIL DPD_ALGORITHM %token DISCONNECT_ON_IDLE IDLE_TIMEOUT IDLE_DIRECTION %token XAUTH_LOGIN WEAK_PHASE1_CHECK %token PREFIX PORT PORTANY UL_PROTO ANY IKE_FRAG ESP_FRAG MODE_CFG %token PFS_GROUP LIFETIME LIFETYPE_TIME LIFETYPE_BYTE STRENGTH REMOTEID %token SCRIPT PHASE1_UP PHASE1_DOWN %token NUMBER SWITCH BOOLEAN %token HEXSTRING QUOTEDSTRING ADDRSTRING ADDRRANGE %token UNITTYPE_BYTE UNITTYPE_KBYTES UNITTYPE_MBYTES UNITTYPE_TBYTES %token UNITTYPE_SEC UNITTYPE_MIN UNITTYPE_HOUR %token EOS BOC EOC COMMA %token DPD_ALGO_TYPE_DEFAULT DPD_ALGO_TYPE_INBOUND DPD_ALGO_TYPE_BLACKHOLE %token IDLE_DIRECTION_IN IDLE_DIRECTION_OUT IDLE_DIRECTION_ANY %type NUMBER BOOLEAN SWITCH keylength %type PATHTYPE IDENTIFIERTYPE IDENTIFIERQUAL LOGLEV GSS_ID_ENCTYPE %type SECRETTYPE %type ALGORITHM_CLASS dh_group_num %type ALGORITHMTYPE STRENGTHTYPE %type PREFIX prefix PORT port ike_port %type ul_proto UL_PROTO %type EXCHANGETYPE DOITYPE SITUATIONTYPE %type CERTTYPE CERT_X509 CERT_PLAINRSA PROPOSAL_CHECK_LEVEL NAT_TRAVERSAL_LEVEL GENERATE_LEVEL %type VERIFICATION_MODULE VERIFICATION_OPTION %type unittype_time unittype_byte %type QUOTEDSTRING HEXSTRING ADDRSTRING ADDRRANGE sainfo_id %type identifierstring %type remote_index ike_addrinfo_port %type algorithm %type dpd_algo_type %type idle_dir_type %% statements : /* nothing */ | statements statement ; statement : privsep_statement | path_statement | include_statement | gssenc_statement | identifier_statement | logging_statement | padding_statement | listen_statement | modecfg_statement | timer_statement | sainfo_statement | remote_statement | special_statement ; /* privsep */ privsep_statement : PRIVSEP BOC privsep_stmts EOC ; privsep_stmts : /* nothing */ | privsep_stmts privsep_stmt ; privsep_stmt : USER QUOTEDSTRING { struct passwd *pw; if ((pw = getpwnam($2->v)) == NULL) { yyerror("unknown user \"%s\"", $2->v); return -1; } lcconf->uid = pw->pw_uid; } EOS | USER NUMBER { lcconf->uid = $2; } EOS | GROUP QUOTEDSTRING { struct group *gr; if ((gr = getgrnam($2->v)) == NULL) { yyerror("unknown group \"%s\"", $2->v); return -1; } lcconf->gid = gr->gr_gid; } EOS | GROUP NUMBER { lcconf->gid = $2; } EOS | CHROOT QUOTEDSTRING { lcconf->chroot = $2->v; } EOS ; /* path */ path_statement : PATH PATHTYPE QUOTEDSTRING { if ($2 >= LC_PATHTYPE_MAX) { yyerror("invalid path type %d", $2); return -1; } /* free old pathinfo */ if (lcconf->pathinfo[$2]) racoon_free(lcconf->pathinfo[$2]); /* set new pathinfo */ lcconf->pathinfo[$2] = racoon_strdup($3->v); STRDUP_FATAL(lcconf->pathinfo[$2]); vfree($3); } EOS ; /* special */ special_statement : COMPLEX_BUNDLE SWITCH { lcconf->complex_bundle = $2; } EOS ; /* include */ include_statement : INCLUDE QUOTEDSTRING EOS { char path[MAXPATHLEN]; getpathname(path, sizeof(path), LC_PATHTYPE_INCLUDE, $2->v); vfree($2); if (yycf_switch_buffer(path) != 0) return -1; } ; /* gss_id_enc */ gssenc_statement : GSS_ID_ENC GSS_ID_ENCTYPE EOS { if ($2 >= LC_GSSENC_MAX) { yyerror("invalid GSS ID encoding %d", $2); return -1; } lcconf->gss_id_enc = $2; } ; /* self information */ identifier_statement : IDENTIFIER identifier_stmt ; identifier_stmt : VENDORID { /*XXX to be deleted */ } QUOTEDSTRING EOS | IDENTIFIERTYPE QUOTEDSTRING { /*XXX to be deleted */ $2->l--; /* nuke '\0' */ lcconf->ident[$1] = $2; if (lcconf->ident[$1] == NULL) { yyerror("failed to set my ident: %s", strerror(errno)); return -1; } } EOS ; /* logging */ logging_statement : LOGGING log_level EOS ; log_level : HEXSTRING { /* * XXX ignore it because this specification * will be obsoleted. */ yywarn("see racoon.conf(5), such a log specification will be obsoleted."); vfree($1); } | LOGLEV { /* * set the loglevel to the value specified * in the configuration file plus the number * of -d options specified on the command line */ loglevel += $1 - oldloglevel; oldloglevel = $1; } ; /* padding */ padding_statement : PADDING BOC padding_stmts EOC ; padding_stmts : /* nothing */ | padding_stmts padding_stmt ; padding_stmt : PAD_RANDOMIZE SWITCH { lcconf->pad_random = $2; } EOS | PAD_RANDOMIZELEN SWITCH { lcconf->pad_randomlen = $2; } EOS | PAD_MAXLEN NUMBER { lcconf->pad_maxsize = $2; } EOS | PAD_STRICT SWITCH { lcconf->pad_strict = $2; } EOS | PAD_EXCLTAIL SWITCH { lcconf->pad_excltail = $2; } EOS ; /* listen */ listen_statement : LISTEN BOC listen_stmts EOC ; listen_stmts : /* nothing */ | listen_stmts listen_stmt ; listen_stmt : X_ISAKMP ike_addrinfo_port { listen_addr ($2, 0); } EOS | X_ISAKMP_NATT ike_addrinfo_port { #ifdef ENABLE_NATT listen_addr ($2, 1); #else yyerror("NAT-T support not compiled in."); #endif } EOS | X_ADMIN { yyerror("admin directive is obsoleted."); } PORT EOS | ADMINSOCK QUOTEDSTRING QUOTEDSTRING QUOTEDSTRING NUMBER { #ifdef ENABLE_ADMINPORT adminsock_conf($2, $3, $4, $5); #else yywarn("admin port support not compiled in"); #endif } EOS | ADMINSOCK QUOTEDSTRING { #ifdef ENABLE_ADMINPORT adminsock_conf($2, NULL, NULL, -1); #else yywarn("admin port support not compiled in"); #endif } EOS | ADMINSOCK DISABLED { #ifdef ENABLE_ADMINPORT adminsock_path = NULL; #else yywarn("admin port support not compiled in"); #endif } EOS | STRICT_ADDRESS { lcconf->strict_address = TRUE; } EOS ; ike_addrinfo_port : ADDRSTRING ike_port { char portbuf[10]; snprintf(portbuf, sizeof(portbuf), "%ld", $2); $$ = str2saddr($1->v, portbuf); vfree($1); if (!$$) return -1; } ; ike_port : /* nothing */ { $$ = PORT_ISAKMP; } | PORT { $$ = $1; } ; /* modecfg */ modecfg_statement : MODECFG BOC modecfg_stmts EOC ; modecfg_stmts : /* nothing */ | modecfg_stmts modecfg_stmt ; modecfg_stmt : CFG_NET4 ADDRSTRING { #ifdef ENABLE_HYBRID if (inet_pton(AF_INET, $2->v, &isakmp_cfg_config.network4) != 1) yyerror("bad IPv4 network address."); vfree($2); #else yyerror("racoon not configured with --enable-hybrid"); #endif } EOS | CFG_MASK4 ADDRSTRING { #ifdef ENABLE_HYBRID if (inet_pton(AF_INET, $2->v, &isakmp_cfg_config.netmask4) != 1) yyerror("bad IPv4 netmask address."); vfree($2); #else yyerror("racoon not configured with --enable-hybrid"); #endif } EOS | CFG_DNS4 addrdnslist EOS | CFG_NBNS4 addrwinslist EOS | CFG_SPLIT_NETWORK CFG_SPLIT_LOCAL splitnetlist { #ifdef ENABLE_HYBRID isakmp_cfg_config.splitnet_type = UNITY_LOCAL_LAN; #else yyerror("racoon not configured with --enable-hybrid"); #endif } EOS | CFG_SPLIT_NETWORK CFG_SPLIT_INCLUDE splitnetlist { #ifdef ENABLE_HYBRID isakmp_cfg_config.splitnet_type = UNITY_SPLIT_INCLUDE; #else yyerror("racoon not configured with --enable-hybrid"); #endif } EOS | CFG_SPLIT_DNS splitdnslist { #ifndef ENABLE_HYBRID yyerror("racoon not configured with --enable-hybrid"); #endif } EOS | CFG_DEFAULT_DOMAIN QUOTEDSTRING { #ifdef ENABLE_HYBRID strlcpy(&isakmp_cfg_config.default_domain[0], $2->v, sizeof(isakmp_cfg_config.default_domain)); vfree($2); #else yyerror("racoon not configured with --enable-hybrid"); #endif } EOS | CFG_AUTH_SOURCE CFG_SYSTEM { #ifdef ENABLE_HYBRID isakmp_cfg_config.authsource = ISAKMP_CFG_AUTH_SYSTEM; #else yyerror("racoon not configured with --enable-hybrid"); #endif } EOS | CFG_AUTH_SOURCE CFG_RADIUS { #ifdef ENABLE_HYBRID #ifdef HAVE_LIBRADIUS isakmp_cfg_config.authsource = ISAKMP_CFG_AUTH_RADIUS; #else /* HAVE_LIBRADIUS */ yyerror("racoon not configured with --with-libradius"); #endif /* HAVE_LIBRADIUS */ #else /* ENABLE_HYBRID */ yyerror("racoon not configured with --enable-hybrid"); #endif /* ENABLE_HYBRID */ } EOS | CFG_AUTH_SOURCE CFG_PAM { #ifdef ENABLE_HYBRID #ifdef HAVE_LIBPAM isakmp_cfg_config.authsource = ISAKMP_CFG_AUTH_PAM; #else /* HAVE_LIBPAM */ yyerror("racoon not configured with --with-libpam"); #endif /* HAVE_LIBPAM */ #else /* ENABLE_HYBRID */ yyerror("racoon not configured with --enable-hybrid"); #endif /* ENABLE_HYBRID */ } EOS | CFG_AUTH_SOURCE CFG_LDAP { #ifdef ENABLE_HYBRID #ifdef HAVE_LIBLDAP isakmp_cfg_config.authsource = ISAKMP_CFG_AUTH_LDAP; #else /* HAVE_LIBLDAP */ yyerror("racoon not configured with --with-libldap"); #endif /* HAVE_LIBLDAP */ #else /* ENABLE_HYBRID */ yyerror("racoon not configured with --enable-hybrid"); #endif /* ENABLE_HYBRID */ } EOS | CFG_AUTH_GROUPS authgrouplist { #ifndef ENABLE_HYBRID yyerror("racoon not configured with --enable-hybrid"); #endif } EOS | CFG_GROUP_SOURCE CFG_SYSTEM { #ifdef ENABLE_HYBRID isakmp_cfg_config.groupsource = ISAKMP_CFG_GROUP_SYSTEM; #else yyerror("racoon not configured with --enable-hybrid"); #endif } EOS | CFG_GROUP_SOURCE CFG_LDAP { #ifdef ENABLE_HYBRID #ifdef HAVE_LIBLDAP isakmp_cfg_config.groupsource = ISAKMP_CFG_GROUP_LDAP; #else /* HAVE_LIBLDAP */ yyerror("racoon not configured with --with-libldap"); #endif /* HAVE_LIBLDAP */ #else /* ENABLE_HYBRID */ yyerror("racoon not configured with --enable-hybrid"); #endif /* ENABLE_HYBRID */ } EOS | CFG_ACCOUNTING CFG_NONE { #ifdef ENABLE_HYBRID isakmp_cfg_config.accounting = ISAKMP_CFG_ACCT_NONE; #else yyerror("racoon not configured with --enable-hybrid"); #endif } EOS | CFG_ACCOUNTING CFG_SYSTEM { #ifdef ENABLE_HYBRID isakmp_cfg_config.accounting = ISAKMP_CFG_ACCT_SYSTEM; #else yyerror("racoon not configured with --enable-hybrid"); #endif } EOS | CFG_ACCOUNTING CFG_RADIUS { #ifdef ENABLE_HYBRID #ifdef HAVE_LIBRADIUS isakmp_cfg_config.accounting = ISAKMP_CFG_ACCT_RADIUS; #else /* HAVE_LIBRADIUS */ yyerror("racoon not configured with --with-libradius"); #endif /* HAVE_LIBRADIUS */ #else /* ENABLE_HYBRID */ yyerror("racoon not configured with --enable-hybrid"); #endif /* ENABLE_HYBRID */ } EOS | CFG_ACCOUNTING CFG_PAM { #ifdef ENABLE_HYBRID #ifdef HAVE_LIBPAM isakmp_cfg_config.accounting = ISAKMP_CFG_ACCT_PAM; #else /* HAVE_LIBPAM */ yyerror("racoon not configured with --with-libpam"); #endif /* HAVE_LIBPAM */ #else /* ENABLE_HYBRID */ yyerror("racoon not configured with --enable-hybrid"); #endif /* ENABLE_HYBRID */ } EOS | CFG_POOL_SIZE NUMBER { #ifdef ENABLE_HYBRID if (isakmp_cfg_resize_pool($2) != 0) yyerror("cannot allocate memory for pool"); #else /* ENABLE_HYBRID */ yyerror("racoon not configured with --enable-hybrid"); #endif /* ENABLE_HYBRID */ } EOS | CFG_PFS_GROUP NUMBER { #ifdef ENABLE_HYBRID isakmp_cfg_config.pfs_group = $2; #else /* ENABLE_HYBRID */ yyerror("racoon not configured with --enable-hybrid"); #endif /* ENABLE_HYBRID */ } EOS | CFG_SAVE_PASSWD SWITCH { #ifdef ENABLE_HYBRID isakmp_cfg_config.save_passwd = $2; #else /* ENABLE_HYBRID */ yyerror("racoon not configured with --enable-hybrid"); #endif /* ENABLE_HYBRID */ } EOS | CFG_AUTH_THROTTLE NUMBER { #ifdef ENABLE_HYBRID isakmp_cfg_config.auth_throttle = $2; #else /* ENABLE_HYBRID */ yyerror("racoon not configured with --enable-hybrid"); #endif /* ENABLE_HYBRID */ } EOS | CFG_CONF_SOURCE CFG_LOCAL { #ifdef ENABLE_HYBRID isakmp_cfg_config.confsource = ISAKMP_CFG_CONF_LOCAL; #else /* ENABLE_HYBRID */ yyerror("racoon not configured with --enable-hybrid"); #endif /* ENABLE_HYBRID */ } EOS | CFG_CONF_SOURCE CFG_RADIUS { #ifdef ENABLE_HYBRID #ifdef HAVE_LIBRADIUS isakmp_cfg_config.confsource = ISAKMP_CFG_CONF_RADIUS; #else /* HAVE_LIBRADIUS */ yyerror("racoon not configured with --with-libradius"); #endif /* HAVE_LIBRADIUS */ #else /* ENABLE_HYBRID */ yyerror("racoon not configured with --enable-hybrid"); #endif /* ENABLE_HYBRID */ } EOS | CFG_CONF_SOURCE CFG_LDAP { #ifdef ENABLE_HYBRID #ifdef HAVE_LIBLDAP isakmp_cfg_config.confsource = ISAKMP_CFG_CONF_LDAP; #else /* HAVE_LIBLDAP */ yyerror("racoon not configured with --with-libldap"); #endif /* HAVE_LIBLDAP */ #else /* ENABLE_HYBRID */ yyerror("racoon not configured with --enable-hybrid"); #endif /* ENABLE_HYBRID */ } EOS | CFG_MOTD QUOTEDSTRING { #ifdef ENABLE_HYBRID strlcpy(&isakmp_cfg_config.motd[0], $2->v, sizeof(isakmp_cfg_config.motd)); vfree($2); #else yyerror("racoon not configured with --enable-hybrid"); #endif } EOS ; addrdnslist : addrdns | addrdns COMMA addrdnslist ; addrdns : ADDRSTRING { #ifdef ENABLE_HYBRID struct isakmp_cfg_config *icc = &isakmp_cfg_config; if (icc->dns4_index > MAXNS) yyerror("No more than %d DNS", MAXNS); if (inet_pton(AF_INET, $1->v, &icc->dns4[icc->dns4_index++]) != 1) yyerror("bad IPv4 DNS address."); vfree($1); #else yyerror("racoon not configured with --enable-hybrid"); #endif } ; addrwinslist : addrwins | addrwins COMMA addrwinslist ; addrwins : ADDRSTRING { #ifdef ENABLE_HYBRID struct isakmp_cfg_config *icc = &isakmp_cfg_config; if (icc->nbns4_index > MAXWINS) yyerror("No more than %d WINS", MAXWINS); if (inet_pton(AF_INET, $1->v, &icc->nbns4[icc->nbns4_index++]) != 1) yyerror("bad IPv4 WINS address."); vfree($1); #else yyerror("racoon not configured with --enable-hybrid"); #endif } ; splitnetlist : splitnet | splitnetlist COMMA splitnet ; splitnet : ADDRSTRING PREFIX { #ifdef ENABLE_HYBRID struct isakmp_cfg_config *icc = &isakmp_cfg_config; struct unity_network network; if (inet_pton(AF_INET, $1->v, &network.addr4) != 1) yyerror("bad IPv4 SPLIT address."); /* Turn $2 (the prefix) into a subnet mask */ network.mask4.s_addr = ($2) ? htonl(~((1 << (32 - $2)) - 1)) : 0; /* add the network to our list */ if (splitnet_list_add(&icc->splitnet_list, &network,&icc->splitnet_count)) yyerror("Unable to allocate split network"); vfree($1); #else yyerror("racoon not configured with --enable-hybrid"); #endif } ; authgrouplist : authgroup | authgroup COMMA authgrouplist ; authgroup : QUOTEDSTRING { #ifdef ENABLE_HYBRID char * groupname = NULL; char ** grouplist = NULL; struct isakmp_cfg_config *icc = &isakmp_cfg_config; grouplist = racoon_realloc(icc->grouplist, sizeof(char**)*(icc->groupcount+1)); if (grouplist == NULL) yyerror("unable to allocate auth group list"); groupname = racoon_malloc($1->l+1); if (groupname == NULL) yyerror("unable to allocate auth group name"); memcpy(groupname,$1->v,$1->l); groupname[$1->l]=0; grouplist[icc->groupcount]=groupname; icc->grouplist = grouplist; icc->groupcount++; vfree($1); #else yyerror("racoon not configured with --enable-hybrid"); #endif } ; splitdnslist : splitdns | splitdns COMMA splitdnslist ; splitdns : QUOTEDSTRING { #ifdef ENABLE_HYBRID struct isakmp_cfg_config *icc = &isakmp_cfg_config; if (!icc->splitdns_len) { icc->splitdns_list = racoon_malloc($1->l); if(icc->splitdns_list == NULL) yyerror("error allocating splitdns list buffer"); memcpy(icc->splitdns_list,$1->v,$1->l); icc->splitdns_len = $1->l; } else { int len = icc->splitdns_len + $1->l + 1; icc->splitdns_list = racoon_realloc(icc->splitdns_list,len); if(icc->splitdns_list == NULL) yyerror("error allocating splitdns list buffer"); icc->splitdns_list[icc->splitdns_len] = ','; memcpy(icc->splitdns_list + icc->splitdns_len + 1, $1->v, $1->l); icc->splitdns_len = len; } vfree($1); #else yyerror("racoon not configured with --enable-hybrid"); #endif } ; /* timer */ timer_statement : RETRY BOC timer_stmts EOC ; timer_stmts : /* nothing */ | timer_stmts timer_stmt ; timer_stmt : RETRY_COUNTER NUMBER { lcconf->retry_counter = $2; } EOS | RETRY_INTERVAL NUMBER unittype_time { lcconf->retry_interval = $2 * $3; } EOS | RETRY_PERSEND NUMBER { lcconf->count_persend = $2; } EOS | RETRY_PHASE1 NUMBER unittype_time { lcconf->retry_checkph1 = $2 * $3; } EOS | RETRY_PHASE2 NUMBER unittype_time { lcconf->wait_ph2complete = $2 * $3; } EOS | AUTO_EXIT_DELAY NUMBER unittype_time { lcconf->auto_exit_delay = $2 * $3; lcconf->auto_exit_state |= LC_AUTOEXITSTATE_SET; } EOS | NATT_KA NUMBER unittype_time { #ifdef ENABLE_NATT lcconf->natt_ka_interval = $2 * $3; #else yyerror("NAT-T support not compiled in."); #endif } EOS ; /* sainfo */ sainfo_statement : SAINFO { cur_sainfo = newsainfo(); if (cur_sainfo == NULL) { yyerror("failed to allocate sainfo"); return -1; } } sainfo_name sainfo_param BOC sainfo_specs { struct sainfo *check; /* default */ if (cur_sainfo->algs[algclass_ipsec_enc] == 0) { yyerror("no encryption algorithm at %s", sainfo2str(cur_sainfo)); return -1; } if (cur_sainfo->algs[algclass_ipsec_auth] == 0) { yyerror("no authentication algorithm at %s", sainfo2str(cur_sainfo)); return -1; } if (cur_sainfo->algs[algclass_ipsec_comp] == 0) { yyerror("no compression algorithm at %s", sainfo2str(cur_sainfo)); return -1; } /* duplicate check */ check = getsainfo(cur_sainfo->idsrc, cur_sainfo->iddst, cur_sainfo->id_i, 0); if (check && (!check->idsrc && !cur_sainfo->idsrc)) { yyerror("duplicated sainfo: %s", sainfo2str(cur_sainfo)); return -1; } inssainfo(cur_sainfo); } EOC ; sainfo_name : ANONYMOUS { cur_sainfo->idsrc = NULL; cur_sainfo->iddst = NULL; } | ANONYMOUS sainfo_id { cur_sainfo->idsrc = NULL; cur_sainfo->iddst = $2; } | sainfo_id ANONYMOUS { cur_sainfo->idsrc = $1; cur_sainfo->iddst = NULL; } | sainfo_id sainfo_id { cur_sainfo->idsrc = $1; cur_sainfo->iddst = $2; } ; sainfo_id : IDENTIFIERTYPE ADDRSTRING prefix port ul_proto { char portbuf[10]; struct sockaddr *saddr; if (($5 == IPPROTO_ICMP || $5 == IPPROTO_ICMPV6) && ($4 != IPSEC_PORT_ANY || $4 != IPSEC_PORT_ANY)) { yyerror("port number must be \"any\"."); return -1; } snprintf(portbuf, sizeof(portbuf), "%lu", $4); saddr = str2saddr($2->v, portbuf); vfree($2); if (saddr == NULL) return -1; switch (saddr->sa_family) { case AF_INET: if ($5 == IPPROTO_ICMPV6) { yyerror("upper layer protocol mismatched.\n"); racoon_free(saddr); return -1; } $$ = ipsecdoi_sockaddr2id(saddr, $3 == ~0 ? (sizeof(struct in_addr) << 3): $3, $5); break; #ifdef INET6 case AF_INET6: if ($5 == IPPROTO_ICMP) { yyerror("upper layer protocol mismatched.\n"); racoon_free(saddr); return -1; } $$ = ipsecdoi_sockaddr2id(saddr, $3 == ~0 ? (sizeof(struct in6_addr) << 3): $3, $5); break; #endif default: yyerror("invalid family: %d", saddr->sa_family); $$ = NULL; break; } racoon_free(saddr); if ($$ == NULL) return -1; } | IDENTIFIERTYPE ADDRSTRING ADDRRANGE prefix port ul_proto { char portbuf[10]; struct sockaddr *laddr = NULL, *haddr = NULL; char *cur = NULL; if (($6 == IPPROTO_ICMP || $6 == IPPROTO_ICMPV6) && ($5 != IPSEC_PORT_ANY || $5 != IPSEC_PORT_ANY)) { yyerror("port number must be \"any\"."); return -1; } snprintf(portbuf, sizeof(portbuf), "%lu", $5); laddr = str2saddr($2->v, portbuf); if (laddr == NULL) { return -1; } vfree($2); haddr = str2saddr($3->v, portbuf); if (haddr == NULL) { racoon_free(laddr); return -1; } vfree($3); switch (laddr->sa_family) { case AF_INET: if ($6 == IPPROTO_ICMPV6) { yyerror("upper layer protocol mismatched.\n"); if (laddr) racoon_free(laddr); if (haddr) racoon_free(haddr); return -1; } $$ = ipsecdoi_sockrange2id(laddr, haddr, $6); break; #ifdef INET6 case AF_INET6: if ($6 == IPPROTO_ICMP) { yyerror("upper layer protocol mismatched.\n"); if (laddr) racoon_free(laddr); if (haddr) racoon_free(haddr); return -1; } $$ = ipsecdoi_sockrange2id(laddr, haddr, $6); break; #endif default: yyerror("invalid family: %d", laddr->sa_family); $$ = NULL; break; } if (laddr) racoon_free(laddr); if (haddr) racoon_free(haddr); if ($$ == NULL) return -1; } | IDENTIFIERTYPE QUOTEDSTRING { struct ipsecdoi_id_b *id_b; if ($1 == IDTYPE_ASN1DN) { yyerror("id type forbidden: %d", $1); $$ = NULL; return -1; } $2->l--; $$ = vmalloc(sizeof(*id_b) + $2->l); if ($$ == NULL) { yyerror("failed to allocate identifier"); return -1; } id_b = (struct ipsecdoi_id_b *)$$->v; id_b->type = idtype2doi($1); id_b->proto_id = 0; id_b->port = 0; memcpy($$->v + sizeof(*id_b), $2->v, $2->l); } ; sainfo_param : /* nothing */ { cur_sainfo->id_i = NULL; } | FROM IDENTIFIERTYPE identifierstring { struct ipsecdoi_id_b *id_b; vchar_t *idv; if (set_identifier(&idv, $2, $3) != 0) { yyerror("failed to set identifer.\n"); return -1; } cur_sainfo->id_i = vmalloc(sizeof(*id_b) + idv->l); if (cur_sainfo->id_i == NULL) { yyerror("failed to allocate identifier"); return -1; } id_b = (struct ipsecdoi_id_b *)cur_sainfo->id_i->v; id_b->type = idtype2doi($2); id_b->proto_id = 0; id_b->port = 0; memcpy(cur_sainfo->id_i->v + sizeof(*id_b), idv->v, idv->l); vfree(idv); } | GROUP QUOTEDSTRING { #ifdef ENABLE_HYBRID if ((cur_sainfo->group = vdup($2)) == NULL) { yyerror("failed to set sainfo xauth group.\n"); return -1; } #else yyerror("racoon not configured with --enable-hybrid"); return -1; #endif } ; sainfo_specs : /* nothing */ | sainfo_specs sainfo_spec ; sainfo_spec : PFS_GROUP dh_group_num { cur_sainfo->pfs_group = $2; } EOS | LIFETIME LIFETYPE_TIME NUMBER unittype_time { cur_sainfo->lifetime = $3 * $4; } EOS | LIFETIME LIFETYPE_BYTE NUMBER unittype_byte { #if 1 yyerror("byte lifetime support is deprecated"); return -1; #else cur_sainfo->lifebyte = fix_lifebyte($3 * $4); if (cur_sainfo->lifebyte == 0) return -1; #endif } EOS | ALGORITHM_CLASS { cur_algclass = $1; } algorithms EOS | IDENTIFIER IDENTIFIERTYPE { yyerror("it's deprecated to specify a identifier in phase 2"); } EOS | MY_IDENTIFIER IDENTIFIERTYPE QUOTEDSTRING { yyerror("it's deprecated to specify a identifier in phase 2"); } EOS ; algorithms : algorithm { inssainfoalg(&cur_sainfo->algs[cur_algclass], $1); } | algorithm { inssainfoalg(&cur_sainfo->algs[cur_algclass], $1); } COMMA algorithms ; algorithm : ALGORITHMTYPE keylength { int defklen; $$ = newsainfoalg(); if ($$ == NULL) { yyerror("failed to get algorithm allocation"); return -1; } $$->alg = algtype2doi(cur_algclass, $1); if ($$->alg == -1) { yyerror("algorithm mismatched"); racoon_free($$); $$ = NULL; return -1; } defklen = default_keylen(cur_algclass, $1); if (defklen == 0) { if ($2) { yyerror("keylen not allowed"); racoon_free($$); $$ = NULL; return -1; } } else { if ($2 && check_keylen(cur_algclass, $1, $2) < 0) { yyerror("invalid keylen %d", $2); racoon_free($$); $$ = NULL; return -1; } } if ($2) $$->encklen = $2; else $$->encklen = defklen; /* check if it's supported algorithm by kernel */ if (!(cur_algclass == algclass_ipsec_auth && $1 == algtype_non_auth) && pk_checkalg(cur_algclass, $1, $$->encklen)) { int a = algclass2doi(cur_algclass); int b = algtype2doi(cur_algclass, $1); if (a == IPSECDOI_ATTR_AUTH) a = IPSECDOI_PROTO_IPSEC_AH; yyerror("algorithm %s not supported by the kernel (missing module?)", s_ipsecdoi_trns(a, b)); racoon_free($$); $$ = NULL; return -1; } } ; prefix : /* nothing */ { $$ = ~0; } | PREFIX { $$ = $1; } ; port : /* nothing */ { $$ = IPSEC_PORT_ANY; } | PORT { $$ = $1; } | PORTANY { $$ = IPSEC_PORT_ANY; } ; ul_proto : NUMBER { $$ = $1; } | UL_PROTO { $$ = $1; } | ANY { $$ = IPSEC_ULPROTO_ANY; } ; keylength : /* nothing */ { $$ = 0; } | NUMBER { $$ = $1; } ; /* remote */ remote_statement : REMOTE remote_index INHERIT remote_index { struct remoteconf *new; struct proposalspec *prspec; new = copyrmconf($4); if (new == NULL) { yyerror("failed to get remoteconf for %s.", saddr2str ($4)); return -1; } new->remote = $2; new->inherited_from = getrmconf_strict($4, 1); new->proposal = NULL; new->prhead = NULL; cur_rmconf = new; prspec = newprspec(); if (prspec == NULL || !cur_rmconf->inherited_from || !cur_rmconf->inherited_from->proposal) return -1; prspec->lifetime = cur_rmconf->inherited_from->proposal->lifetime; prspec->lifebyte = cur_rmconf->inherited_from->proposal->lifebyte; insprspec(prspec, &cur_rmconf->prhead); } remote_specs_block | REMOTE remote_index { struct remoteconf *new; struct proposalspec *prspec; new = newrmconf(); if (new == NULL) { yyerror("failed to get new remoteconf."); return -1; } new->remote = $2; cur_rmconf = new; prspec = newprspec(); if (prspec == NULL) return -1; prspec->lifetime = oakley_get_defaultlifetime(); insprspec(prspec, &cur_rmconf->prhead); } remote_specs_block ; remote_specs_block : BOC remote_specs EOC { /* check a exchange mode */ if (cur_rmconf->etypes == NULL) { yyerror("no exchange mode specified.\n"); return -1; } if (cur_rmconf->idvtype == IDTYPE_UNDEFINED) cur_rmconf->idvtype = IDTYPE_ADDRESS; if (cur_rmconf->idvtype == IDTYPE_ASN1DN) { if (cur_rmconf->mycertfile #ifdef __APPLE__ || cur_rmconf->identity_in_keychain) #endif { if (cur_rmconf->idv) yywarn("Both CERT and ASN1 ID " "are set. Hope this is OK.\n"); /* TODO: Preparse the DN here */ } else if (cur_rmconf->idv) { /* OK, using asn1dn without X.509. */ } else { yyerror("ASN1 ID not specified " "and no CERT defined!\n"); return -1; } } #ifdef __APPLE__ if (cur_rmconf->cert_verification_option == VERIFICATION_OPTION_PEERS_IDENTIFIER) { struct genlist_entry *gpb; if (genlist_next(cur_rmconf->idvl_p, &gpb) == NULL) { yyerror("peers_identifier required for specified certificate " "verification option.\n"); return -1; } } #endif if (cur_rmconf->prhead->spspec == NULL && cur_rmconf->inherited_from && cur_rmconf->inherited_from->prhead) { cur_rmconf->prhead->spspec = cur_rmconf->inherited_from->prhead->spspec; } if (set_isakmp_proposal(cur_rmconf, cur_rmconf->prhead) != 0) return -1; /* DH group settting if aggressive mode is there. */ if (check_etypeok(cur_rmconf, ISAKMP_ETYPE_AGG) != NULL) { struct isakmpsa *p; int b = 0; /* DH group */ for (p = cur_rmconf->proposal; p; p = p->next) { if (b == 0 || (b && b == p->dh_group)) { b = p->dh_group; continue; } yyerror("DH group must be equal " "in all proposals " "when aggressive mode is " "used.\n"); return -1; } cur_rmconf->dh_group = b; if (cur_rmconf->dh_group == 0) { yyerror("DH group must be set in the proposal.\n"); return -1; } /* DH group settting if PFS is required. */ if (oakley_setdhgroup(cur_rmconf->dh_group, &cur_rmconf->dhgrp) < 0) { yyerror("failed to set DH value.\n"); return -1; } } insrmconf(cur_rmconf); } ; remote_index : ANONYMOUS ike_port { $$ = newsaddr(sizeof(struct sockaddr)); $$->sa_family = AF_UNSPEC; ((struct sockaddr_in *)$$)->sin_port = htons($2); } | ike_addrinfo_port { $$ = $1; if ($$ == NULL) { yyerror("failed to allocate sockaddr"); return -1; } } ; remote_specs : /* nothing */ | remote_specs remote_spec ; remote_spec : EXCHANGE_MODE { cur_rmconf->etypes = NULL; } exchange_types EOS | DOI DOITYPE { cur_rmconf->doitype = $2; } EOS | SITUATION SITUATIONTYPE { cur_rmconf->sittype = $2; } EOS | CERTIFICATE_TYPE cert_spec | PEERS_CERTFILE QUOTEDSTRING { yywarn("This directive without certtype will be removed!\n"); yywarn("Please use 'peers_certfile x509 \"%s\";' instead\n", $2->v); cur_rmconf->getcert_method = ISAKMP_GETCERT_LOCALFILE; if (cur_rmconf->peerscertfile != NULL) racoon_free(cur_rmconf->peerscertfile); cur_rmconf->peerscertfile = racoon_strdup($2->v); STRDUP_FATAL(cur_rmconf->peerscertfile); vfree($2); } EOS | CA_TYPE CERT_X509 QUOTEDSTRING { cur_rmconf->cacerttype = $2; cur_rmconf->getcacert_method = ISAKMP_GETCERT_LOCALFILE; if (cur_rmconf->cacertfile != NULL) racoon_free(cur_rmconf->cacertfile); cur_rmconf->cacertfile = racoon_strdup($3->v); STRDUP_FATAL(cur_rmconf->cacertfile); vfree($3); } EOS | PEERS_CERTFILE CERT_X509 QUOTEDSTRING { cur_rmconf->getcert_method = ISAKMP_GETCERT_LOCALFILE; if (cur_rmconf->peerscertfile != NULL) racoon_free(cur_rmconf->peerscertfile); cur_rmconf->peerscertfile = racoon_strdup($3->v); STRDUP_FATAL(cur_rmconf->peerscertfile); vfree($3); } EOS | PEERS_CERTFILE CERT_PLAINRSA QUOTEDSTRING { char path[MAXPATHLEN]; int ret = 0; getpathname(path, sizeof(path), LC_PATHTYPE_CERT, $3->v); vfree($3); if (cur_rmconf->getcert_method == ISAKMP_GETCERT_DNS) { yyerror("Different peers_certfile method " "already defined: %d!\n", cur_rmconf->getcert_method); return -1; } cur_rmconf->getcert_method = ISAKMP_GETCERT_LOCALFILE; if (rsa_parse_file(cur_rmconf->rsa_public, path, RSA_TYPE_PUBLIC)) { yyerror("Couldn't parse keyfile.\n", path); return -1; } plog(LLV_DEBUG, LOCATION, NULL, "Public PlainRSA keyfile parsed: %s\n", path); } EOS | PEERS_CERTFILE DNSSEC { if (cur_rmconf->getcert_method) { yyerror("Different peers_certfile method already defined!\n"); return -1; } cur_rmconf->getcert_method = ISAKMP_GETCERT_DNS; cur_rmconf->peerscertfile = NULL; } EOS | VERIFY_CERT SWITCH { cur_rmconf->verify_cert = $2; } EOS | SEND_CERT SWITCH { cur_rmconf->send_cert = $2; } EOS | SEND_CR SWITCH { cur_rmconf->send_cr = $2; } EOS | CERTIFICATE_VERIFICATION VERIFICATION_MODULE { #ifdef __APPLE__ cur_rmconf->cert_verification = $2; #else yyerror("Apple specific features not compiled in."); return -1; #endif } EOS | CERTIFICATE_VERIFICATION VERIFICATION_MODULE VERIFICATION_OPTION { #ifdef __APPLE__ cur_rmconf->cert_verification = $2; cur_rmconf->cert_verification_option = $3; #else yyerror("Apple specific features not compiled in."); return -1; #endif } EOS | OPEN_DIR_AUTH_GROUP QUOTEDSTRING { #if defined(__APPLE__) && HAVE_OPENDIR cur_rmconf->open_dir_auth_group = $2; #else yyerror("Apple specific features not compiled in."); return -1; #endif } EOS | MY_IDENTIFIER IDENTIFIERTYPE identifierstring { if (set_identifier(&cur_rmconf->idv, $2, $3) != 0) { yyerror("failed to set identifer.\n"); vfree($3); //%%% BUG FIX - memory leak return -1; } vfree($3); //%%% BUG FIX - memory leak cur_rmconf->idvtype = $2; } EOS | MY_IDENTIFIER IDENTIFIERTYPE IDENTIFIERQUAL identifierstring { if (set_identifier_qual(&cur_rmconf->idv, $2, $4, $3) != 0) { yyerror("failed to set identifer.\n"); return -1; } cur_rmconf->idvtype = $2; } EOS | XAUTH_LOGIN identifierstring { #ifdef ENABLE_HYBRID /* formerly identifier type login */ if (xauth_rmconf_used(&cur_rmconf->xauth) == -1) { yyerror("failed to allocate xauth state\n"); return -1; } if ((cur_rmconf->xauth->login = vdup($2)) == NULL) { yyerror("failed to set identifer.\n"); return -1; } vfree($2); //%%% BUG FIX - memory leak #else yyerror("racoon not configured with --enable-hybrid"); #endif } EOS | PEERS_IDENTIFIER IDENTIFIERTYPE identifierstring { struct idspec *id; id = newidspec(); if (id == NULL) { yyerror("failed to allocate idspec"); return -1; } if (set_identifier(&id->id, $2, $3) != 0) { yyerror("failed to set identifer.\n"); racoon_free(id); vfree($3); //%%% BUG FIX - memory leak return -1; } vfree($3); //%%% BUG FIX - memory leak id->idtype = $2; genlist_append (cur_rmconf->idvl_p, id); } EOS | PEERS_IDENTIFIER IDENTIFIERTYPE IDENTIFIERQUAL identifierstring { struct idspec *id; id = newidspec(); if (id == NULL) { yyerror("failed to allocate idspec"); return -1; } if (set_identifier_qual(&id->id, $2, $4, $3) != 0) { yyerror("failed to set identifer.\n"); racoon_free(id); return -1; } id->idtype = $2; genlist_append (cur_rmconf->idvl_p, id); } EOS | VERIFY_IDENTIFIER SWITCH { cur_rmconf->verify_identifier = $2; } EOS | SHARED_SECRET SECRETTYPE QUOTEDSTRING { #ifdef __APPLE__ cur_rmconf->secrettype = $2; cur_rmconf->shared_secret = $3; #else yyerror("Apple specific features not compiled in."); return -1; #endif } EOS | SHARED_SECRET SECRETTYPE { #ifdef __APPLE__ if ($2 != SECRETTYPE_KEYCHAIN_BY_ID) { yyerror("shared secret value missing.\n"); return -1; } cur_rmconf->secrettype = $2; #else yyerror("Apple specific features not compiled in."); return -1; #endif } EOS | NONCE_SIZE NUMBER { cur_rmconf->nonce_size = $2; } EOS | DH_GROUP { yyerror("dh_group cannot be defined here."); return -1; } dh_group_num EOS | PASSIVE SWITCH { cur_rmconf->passive = $2; } EOS | IKE_FRAG SWITCH { cur_rmconf->ike_frag = $2; } EOS | IKE_FRAG REMOTE_FORCE_LEVEL { cur_rmconf->ike_frag = ISAKMP_FRAG_FORCE; } EOS | ESP_FRAG NUMBER { #ifdef SADB_X_EXT_NAT_T_FRAG if (libipsec_opt & LIBIPSEC_OPT_FRAG) cur_rmconf->esp_frag = $2; else yywarn("libipsec lacks IKE frag support"); #else yywarn("Your kernel does not support esp_frag"); #endif } EOS | SCRIPT QUOTEDSTRING PHASE1_UP { if (cur_rmconf->script[SCRIPT_PHASE1_UP] != NULL) vfree(cur_rmconf->script[SCRIPT_PHASE1_UP]); cur_rmconf->script[SCRIPT_PHASE1_UP] = script_path_add(vdup($2)); } EOS | SCRIPT QUOTEDSTRING PHASE1_DOWN { if (cur_rmconf->script[SCRIPT_PHASE1_DOWN] != NULL) vfree(cur_rmconf->script[SCRIPT_PHASE1_DOWN]); cur_rmconf->script[SCRIPT_PHASE1_DOWN] = script_path_add(vdup($2)); } EOS | MODE_CFG SWITCH { cur_rmconf->mode_cfg = $2; } EOS | WEAK_PHASE1_CHECK SWITCH { cur_rmconf->weak_phase1_check = $2; } EOS | GENERATE_POLICY SWITCH { cur_rmconf->gen_policy = $2; } EOS | GENERATE_POLICY GENERATE_LEVEL { cur_rmconf->gen_policy = $2; } EOS | SUPPORT_PROXY SWITCH { cur_rmconf->support_proxy = $2; } EOS | INITIAL_CONTACT SWITCH { cur_rmconf->ini_contact = $2; } EOS | NAT_TRAVERSAL SWITCH { #ifdef ENABLE_NATT cur_rmconf->nat_traversal = $2; #else yyerror("NAT-T support not compiled in."); #endif } EOS | NAT_TRAVERSAL NAT_TRAVERSAL_LEVEL { #ifdef ENABLE_NATT cur_rmconf->nat_traversal = $2; #else yyerror("NAT-T support not compiled in."); #endif } EOS | NAT_TRAVERSAL_MULTI_USER SWITCH { #ifdef ENABLE_NATT #ifdef __APPLE__ cur_rmconf->natt_multiple_user = $2; #else yyerror("Apple specific features not compiled in."); #endif #else yyerror("NAT-T support not compiled in."); #endif } EOS | NAT_TRAVERSAL_KEEPALIVE SWITCH { #ifdef ENABLE_NATT #ifdef __APPLE__ cur_rmconf->natt_keepalive = $2; #else yyerror("Apple specific features not compiled in."); #endif #else yyerror("NAT-T support not compiled in."); #endif } EOS | DPD SWITCH { #ifdef ENABLE_DPD cur_rmconf->dpd = $2; #else yyerror("DPD support not compiled in."); #endif } EOS | DPD_DELAY NUMBER { #ifdef ENABLE_DPD cur_rmconf->dpd_interval = $2; #else yyerror("DPD support not compiled in."); #endif } EOS | DPD_RETRY NUMBER { #ifdef ENABLE_DPD cur_rmconf->dpd_retry = $2; #else yyerror("DPD support not compiled in."); #endif } EOS | DPD_MAXFAIL NUMBER { #ifdef ENABLE_DPD cur_rmconf->dpd_maxfails = $2; #else yyerror("DPD support not compiled in."); #endif } EOS | DPD_ALGORITHM dpd_algo_type { #ifdef ENABLE_DPD cur_rmconf->dpd_algo = $2; #else yyerror("DPD support not compiled in."); #endif } EOS | DISCONNECT_ON_IDLE IDLE_TIMEOUT NUMBER IDLE_DIRECTION idle_dir_type { cur_rmconf->idle_timeout = $3; cur_rmconf->idle_timeout_dir = $5; } EOS | LIFETIME LIFETYPE_TIME NUMBER unittype_time { cur_rmconf->prhead->lifetime = $3 * $4; } EOS | PROPOSAL_CHECK PROPOSAL_CHECK_LEVEL { cur_rmconf->pcheck_level = $2; } EOS | LIFETIME LIFETYPE_BYTE NUMBER unittype_byte { #if 1 yyerror("byte lifetime support is deprecated in Phase1"); return -1; #else yywarn("the lifetime of bytes in phase 1 " "will be ignored at the moment."); cur_rmconf->prhead->lifebyte = fix_lifebyte($3 * $4); if (cur_rmconf->prhead->lifebyte == 0) return -1; #endif } EOS | PROPOSAL { struct secprotospec *spspec; spspec = newspspec(); if (spspec == NULL) return -1; insspspec(spspec, &cur_rmconf->prhead); } BOC isakmpproposal_specs EOC ; exchange_types : /* nothing */ | exchange_types EXCHANGETYPE { struct etypes *new; new = racoon_malloc(sizeof(struct etypes)); if (new == NULL) { yyerror("failed to allocate etypes"); return -1; } new->type = $2; new->next = NULL; if (cur_rmconf->etypes == NULL) cur_rmconf->etypes = new; else { struct etypes *p; for (p = cur_rmconf->etypes; p->next != NULL; p = p->next) ; p->next = new; } } ; cert_spec : CERT_X509 QUOTEDSTRING QUOTEDSTRING { cur_rmconf->certtype = $1; if (cur_rmconf->mycertfile != NULL) racoon_free(cur_rmconf->mycertfile); cur_rmconf->mycertfile = racoon_strdup($2->v); STRDUP_FATAL(cur_rmconf->mycertfile); vfree($2); if (cur_rmconf->myprivfile != NULL) racoon_free(cur_rmconf->myprivfile); cur_rmconf->myprivfile = racoon_strdup($3->v); STRDUP_FATAL(cur_rmconf->myprivfile); vfree($3); } EOS | CERT_X509 IN_KEYCHAIN { #ifdef __APPLE__ cur_rmconf->certtype = $1; cur_rmconf->identity_in_keychain = 1; cur_rmconf->keychainCertRef = NULL; #endif } EOS ; | CERT_X509 IN_KEYCHAIN QUOTEDSTRING { #ifdef __APPLE__ cur_rmconf->certtype = $1; cur_rmconf->identity_in_keychain = 1; cur_rmconf->keychainCertRef = $3; #endif } EOS ; | CERT_PLAINRSA QUOTEDSTRING { char path[MAXPATHLEN]; int ret = 0; getpathname(path, sizeof(path), LC_PATHTYPE_CERT, $2->v); vfree($2); cur_rmconf->certtype = $1; cur_rmconf->send_cr = FALSE; cur_rmconf->send_cert = FALSE; cur_rmconf->verify_cert = FALSE; if (rsa_parse_file(cur_rmconf->rsa_private, path, RSA_TYPE_PRIVATE)) { yyerror("Couldn't parse keyfile.\n", path); return -1; } plog(LLV_DEBUG, LOCATION, NULL, "Private PlainRSA keyfile parsed: %s\n", path); } EOS ; dh_group_num : ALGORITHMTYPE { $$ = algtype2doi(algclass_isakmp_dh, $1); if ($$ == -1) { yyerror("must be DH group"); return -1; } } | NUMBER { if (ARRAYLEN(num2dhgroup) > $1 && num2dhgroup[$1] != 0) { $$ = num2dhgroup[$1]; } else { yyerror("must be DH group"); $$ = 0; return -1; } } ; identifierstring : /* nothing */ { $$ = NULL; } | ADDRSTRING { $$ = $1; } | QUOTEDSTRING { $$ = $1; } ; isakmpproposal_specs : /* nothing */ | isakmpproposal_specs isakmpproposal_spec ; isakmpproposal_spec : STRENGTH { yyerror("strength directive is obsoleted."); } STRENGTHTYPE EOS | LIFETIME LIFETYPE_TIME NUMBER unittype_time { cur_rmconf->prhead->spspec->lifetime = $3 * $4; } EOS | LIFETIME LIFETYPE_BYTE NUMBER unittype_byte { #if 1 yyerror("byte lifetime support is deprecated"); return -1; #else cur_rmconf->prhead->spspec->lifebyte = fix_lifebyte($3 * $4); if (cur_rmconf->prhead->spspec->lifebyte == 0) return -1; #endif } EOS | DH_GROUP dh_group_num { cur_rmconf->prhead->spspec->algclass[algclass_isakmp_dh] = $2; } EOS | GSS_ID QUOTEDSTRING { if (cur_rmconf->prhead->spspec->vendorid != VENDORID_GSSAPI) { yyerror("wrong Vendor ID for gssapi_id"); return -1; } if (cur_rmconf->prhead->spspec->gssid != NULL) racoon_free(cur_rmconf->prhead->spspec->gssid); cur_rmconf->prhead->spspec->gssid = racoon_strdup($2->v); STRDUP_FATAL(cur_rmconf->prhead->spspec->gssid); } EOS | ALGORITHM_CLASS ALGORITHMTYPE keylength { int doi; int defklen; doi = algtype2doi($1, $2); if (doi == -1) { yyerror("algorithm mismatched 1"); return -1; } switch ($1) { case algclass_isakmp_enc: /* reject suppressed algorithms */ #ifndef HAVE_OPENSSL_RC5_H if ($2 == algtype_rc5) { yyerror("algorithm %s not supported", s_attr_isakmp_enc(doi)); return -1; } #endif #ifndef HAVE_OPENSSL_IDEA_H if ($2 == algtype_idea) { yyerror("algorithm %s not supported", s_attr_isakmp_enc(doi)); return -1; } #endif cur_rmconf->prhead->spspec->algclass[algclass_isakmp_enc] = doi; defklen = default_keylen($1, $2); if (defklen == 0) { if ($3) { yyerror("keylen not allowed"); return -1; } } else { if ($3 && check_keylen($1, $2, $3) < 0) { yyerror("invalid keylen %d", $3); return -1; } } if ($3) cur_rmconf->prhead->spspec->encklen = $3; else cur_rmconf->prhead->spspec->encklen = defklen; break; case algclass_isakmp_hash: cur_rmconf->prhead->spspec->algclass[algclass_isakmp_hash] = doi; break; case algclass_isakmp_ameth: cur_rmconf->prhead->spspec->algclass[algclass_isakmp_ameth] = doi; /* * We may have to set the Vendor ID for the * authentication method we're using. */ switch ($2) { case algtype_gssapikrb: if (cur_rmconf->prhead->spspec->vendorid != VENDORID_UNKNOWN) { yyerror("Vendor ID mismatch " "for auth method"); return -1; } /* * For interoperability with Win2k, * we set the Vendor ID to "GSSAPI". */ cur_rmconf->prhead->spspec->vendorid = VENDORID_GSSAPI; break; case algtype_rsasig: if (cur_rmconf->certtype == ISAKMP_CERT_PLAINRSA) { if (rsa_list_count(cur_rmconf->rsa_private) == 0) { yyerror ("Private PlainRSA key not set. " "Use directive 'certificate_type plainrsa ...'\n"); return -1; } if (rsa_list_count(cur_rmconf->rsa_public) == 0) { yyerror ("Public PlainRSA keys not set. " "Use directive 'peers_certfile plainrsa ...'\n"); return -1; } } break; default: break; } break; default: yyerror("algorithm mismatched 2"); return -1; } } EOS ; unittype_time : UNITTYPE_SEC { $$ = 1; } | UNITTYPE_MIN { $$ = 60; } | UNITTYPE_HOUR { $$ = (60 * 60); } ; unittype_byte : UNITTYPE_BYTE { $$ = 1; } | UNITTYPE_KBYTES { $$ = 1024; } | UNITTYPE_MBYTES { $$ = (1024 * 1024); } | UNITTYPE_TBYTES { $$ = (1024 * 1024 * 1024); } ; dpd_algo_type : DPD_ALGO_TYPE_DEFAULT { $$ = DPD_ALGO_DEFAULT; } | DPD_ALGO_TYPE_INBOUND { $$ = DPD_ALGO_INBOUND_DETECT; } | DPD_ALGO_TYPE_BLACKHOLE { $$ = DPD_ALGO_BLACKHOLE_DETECT; } ; idle_dir_type : IDLE_DIRECTION_ANY { $$ = IPSEC_DIR_ANY; } | IDLE_DIRECTION_IN { $$ = IPSEC_DIR_INBOUND; } | IDLE_DIRECTION_OUT { $$ = IPSEC_DIR_OUTBOUND; } ; %% static struct proposalspec * newprspec() { struct proposalspec *new; new = racoon_calloc(1, sizeof(*new)); if (new == NULL) yyerror("failed to allocate proposal"); return new; } /* * insert into head of list. */ static void insprspec(prspec, head) struct proposalspec *prspec; struct proposalspec **head; { if (*head != NULL) (*head)->prev = prspec; prspec->next = *head; *head = prspec; } static struct secprotospec * newspspec() { struct secprotospec *new; new = racoon_calloc(1, sizeof(*new)); if (new == NULL) { yyerror("failed to allocate spproto"); return NULL; } new->encklen = 0; /*XXX*/ /* * Default to "uknown" vendor -- we will override this * as necessary. When we send a Vendor ID payload, an * "unknown" will be translated to a KAME/racoon ID. */ new->vendorid = VENDORID_UNKNOWN; return new; } /* * insert into head of list. */ static void insspspec(spspec, head) struct secprotospec *spspec; struct proposalspec **head; { spspec->back = *head; if ((*head)->spspec != NULL) (*head)->spspec->prev = spspec; spspec->next = (*head)->spspec; (*head)->spspec = spspec; } /* set final acceptable proposal */ static int set_isakmp_proposal(rmconf, prspec) struct remoteconf *rmconf; struct proposalspec *prspec; { struct proposalspec *p; struct secprotospec *s; int prop_no = 1; int trns_no = 1; int32_t types[MAXALGCLASS]; p = prspec; if (p->next != 0) { plog(LLV_ERROR, LOCATION, NULL, "multiple proposal definition.\n"); return -1; } /* mandatory check */ if (p->spspec == NULL) { yyerror("no remote specification found: %s.\n", saddr2str(rmconf->remote)); return -1; } for (s = p->spspec; s != NULL; s = s->next) { /* XXX need more to check */ if (s->algclass[algclass_isakmp_enc] == 0) { yyerror("encryption algorithm required."); return -1; } if (s->algclass[algclass_isakmp_hash] == 0) { yyerror("hash algorithm required."); return -1; } if (s->algclass[algclass_isakmp_dh] == 0) { yyerror("DH group required."); return -1; } if (s->algclass[algclass_isakmp_ameth] == 0) { yyerror("authentication method required."); return -1; } } /* skip to last part */ for (s = p->spspec; s->next != NULL; s = s->next) ; while (s != NULL) { plog(LLV_DEBUG2, LOCATION, NULL, "lifetime = %ld\n", (long) (s->lifetime ? s->lifetime : p->lifetime)); plog(LLV_DEBUG2, LOCATION, NULL, "lifebyte = %d\n", s->lifebyte ? s->lifebyte : p->lifebyte); plog(LLV_DEBUG2, LOCATION, NULL, "encklen=%d\n", s->encklen); memset(types, 0, ARRAYLEN(types)); types[algclass_isakmp_enc] = s->algclass[algclass_isakmp_enc]; types[algclass_isakmp_hash] = s->algclass[algclass_isakmp_hash]; types[algclass_isakmp_dh] = s->algclass[algclass_isakmp_dh]; types[algclass_isakmp_ameth] = s->algclass[algclass_isakmp_ameth]; /* expanding spspec */ clean_tmpalgtype(); trns_no = expand_isakmpspec(prop_no, trns_no, types, algclass_isakmp_enc, algclass_isakmp_ameth + 1, s->lifetime ? s->lifetime : p->lifetime, s->lifebyte ? s->lifebyte : p->lifebyte, s->encklen, s->vendorid, s->gssid, rmconf); if (trns_no == -1) { plog(LLV_ERROR, LOCATION, NULL, "failed to expand isakmp proposal.\n"); return -1; } s = s->prev; } if (rmconf->proposal == NULL) { plog(LLV_ERROR, LOCATION, NULL, "no proposal found.\n"); return -1; } return 0; } static void clean_tmpalgtype() { int i; for (i = 0; i < MAXALGCLASS; i++) tmpalgtype[i] = 0; /* means algorithm undefined. */ } static int expand_isakmpspec(prop_no, trns_no, types, class, last, lifetime, lifebyte, encklen, vendorid, gssid, rmconf) int prop_no, trns_no; int *types, class, last; time_t lifetime; int lifebyte; int encklen; int vendorid; char *gssid; struct remoteconf *rmconf; { struct isakmpsa *new; /* debugging */ { int j; char tb[10]; plog(LLV_DEBUG2, LOCATION, NULL, "p:%d t:%d\n", prop_no, trns_no); for (j = class; j < MAXALGCLASS; j++) { snprintf(tb, sizeof(tb), "%d", types[j]); plog(LLV_DEBUG2, LOCATION, NULL, "%s%s%s%s\n", s_algtype(j, types[j]), types[j] ? "(" : "", tb[0] == '0' ? "" : tb, types[j] ? ")" : ""); } plog(LLV_DEBUG2, LOCATION, NULL, "\n"); } #define TMPALGTYPE2STR(n) \ s_algtype(algclass_isakmp_##n, types[algclass_isakmp_##n]) /* check mandatory values */ if (types[algclass_isakmp_enc] == 0 || types[algclass_isakmp_ameth] == 0 || types[algclass_isakmp_hash] == 0 || types[algclass_isakmp_dh] == 0) { yyerror("few definition of algorithm " "enc=%s ameth=%s hash=%s dhgroup=%s.\n", TMPALGTYPE2STR(enc), TMPALGTYPE2STR(ameth), TMPALGTYPE2STR(hash), TMPALGTYPE2STR(dh)); return -1; } #undef TMPALGTYPE2STR /* set new sa */ new = newisakmpsa(); if (new == NULL) { yyerror("failed to allocate isakmp sa"); return -1; } new->prop_no = prop_no; new->trns_no = trns_no++; new->lifetime = lifetime; new->lifebyte = lifebyte; new->enctype = types[algclass_isakmp_enc]; new->encklen = encklen; new->authmethod = types[algclass_isakmp_ameth]; new->hashtype = types[algclass_isakmp_hash]; new->dh_group = types[algclass_isakmp_dh]; new->vendorid = vendorid; #ifdef HAVE_GSSAPI if (new->authmethod == OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB) { if (gssid != NULL) { if ((new->gssid = vmalloc(strlen(gssid))) == NULL) { racoon_free(new); yyerror("failed to allocate gssid"); return -1; } memcpy(new->gssid->v, gssid, new->gssid->l); racoon_free(gssid); } else { /* * Allocate the default ID so that it gets put * into a GSS ID attribute during the Phase 1 * exchange. */ new->gssid = gssapi_get_default_gss_id(); } } #endif insisakmpsa(new, rmconf); return trns_no; } static int listen_addr (struct sockaddr *addr, int udp_encap) { struct myaddrs *p; p = newmyaddr(); if (p == NULL) { yyerror("failed to allocate myaddrs"); return -1; } p->addr = addr; if (p->addr == NULL) { yyerror("failed to copy sockaddr "); delmyaddr(p); return -1; } p->udp_encap = udp_encap; #ifdef __APPLE__ /* These need to be initialized for Apple modifications * to open code for isakmp sockets */ p->sock = -1; p->in_use = 1; #endif insmyaddr(p, &lcconf->myaddrs); lcconf->autograbaddr = 0; return 0; } #if 0 /* * fix lifebyte. * Must be more than 1024B because its unit is kilobytes. * That is defined RFC2407. */ static int fix_lifebyte(t) unsigned long t; { if (t < 1024) { yyerror("byte size should be more than 1024B."); return 0; } return(t / 1024); } #endif int cfparse() { int error; plog(LLV_DEBUG, LOCATION, NULL, "===== parse config\n"); yycf_init_buffer(); if (yycf_switch_buffer(lcconf->racoon_conf) != 0) { IPSECCONFIGTRACEREVENT(CONSTSTR(lcconf->racoon_conf), IPSECCONFIGEVENTCODE_PARSE_ERROR, CONSTSTR("could not read configuration file"), CONSTSTR("cfparse: yycf_switch_buffer erred")); plog(LLV_ERROR, LOCATION, NULL, "could not read configuration file \"%s\"\n", lcconf->racoon_conf); return -1; } error = yyparse(); if (error != 0) { if (yyerrorcount) { plog(LLV_ERROR, LOCATION, NULL, "fatal parse failure (%d errors)\n", yyerrorcount); } else { plog(LLV_ERROR, LOCATION, NULL, "fatal parse failure.\n"); } IPSECCONFIGTRACEREVENT(CONSTSTR(lcconf->racoon_conf), IPSECCONFIGEVENTCODE_PARSE_ERROR, CONSTSTR("fatal parse failure"), CONSTSTR("cfparse: yyparse erred")); yycf_clean_buffer(); return -1; } if (error == 0 && yyerrorcount) { plog(LLV_ERROR, LOCATION, NULL, "parse error is nothing, but yyerrorcount is %d.\n", yyerrorcount); IPSECCONFIGTRACEREVENT(CONSTSTR(lcconf->racoon_conf), IPSECCONFIGEVENTCODE_PARSE_ERROR, CONSTSTR("ambivalent error code"), CONSTSTR("cfparse: error == 0 && yerrorcount")); yycf_clean_buffer(); exit(1); } yycf_clean_buffer(); plog(LLV_DEBUG2, LOCATION, NULL, "parse successed.\n"); return 0; } int cfreparse(int sig) { int ignore_established_handles = (sig == SIGUSR1); if (sig >= 0 && sig < NSIG) { plog(LLV_DEBUG, LOCATION, NULL, "==== Got %s signal - re-parsing.\n", sys_signame[sig]); } else { plog(LLV_ERROR, LOCATION, NULL, "==== Got Unknown signal - re-parsing.\n"); IPSECCONFIGTRACEREVENT(CONSTSTR("reparse"), IPSECCONFIGEVENTCODE_REPARSE_ERROR, CONSTSTR("Unknown signal"), CONSTSTR("cfreparse: triggered by unknown signal")); } flushph2(ignore_established_handles); flushph1(ignore_established_handles); flushrmconf(); flushsainfo(); flushlcconf(); #ifdef HAVE_LIBLDAP xauth_ldap_flush(); #endif check_auto_exit(); /* check/change state of auto exit */ clean_tmpalgtype(); return(cfparse()); } #ifdef ENABLE_ADMINPORT static void adminsock_conf(path, owner, group, mode_dec) vchar_t *path; vchar_t *owner; vchar_t *group; int mode_dec; { struct passwd *pw = NULL; struct group *gr = NULL; mode_t mode = 0; uid_t uid; gid_t gid; int isnum; adminsock_path = path->v; if (owner == NULL) return; errno = 0; uid = atoi(owner->v); isnum = !errno; if (((pw = getpwnam(owner->v)) == NULL) && !isnum) yyerror("User \"%s\" does not exist", owner->v); if (pw) adminsock_owner = pw->pw_uid; else adminsock_owner = uid; if (group == NULL) return; errno = 0; gid = atoi(group->v); isnum = !errno; if (((gr = getgrnam(group->v)) == NULL) && !isnum) yyerror("Group \"%s\" does not exist", group->v); if (gr) adminsock_group = gr->gr_gid; else adminsock_group = gid; if (mode_dec == -1) return; if (mode_dec > 777) yyerror("Mode 0%03o is invalid", mode_dec); if (mode_dec >= 400) { mode += 0400; mode_dec -= 400; } if (mode_dec >= 200) { mode += 0200; mode_dec -= 200; } if (mode_dec >= 100) { mode += 0200; mode_dec -= 100; } if (mode_dec > 77) yyerror("Mode 0%03o is invalid", mode_dec); if (mode_dec >= 40) { mode += 040; mode_dec -= 40; } if (mode_dec >= 20) { mode += 020; mode_dec -= 20; } if (mode_dec >= 10) { mode += 020; mode_dec -= 10; } if (mode_dec > 7) yyerror("Mode 0%03o is invalid", mode_dec); if (mode_dec >= 4) { mode += 04; mode_dec -= 4; } if (mode_dec >= 2) { mode += 02; mode_dec -= 2; } if (mode_dec >= 1) { mode += 02; mode_dec -= 1; } adminsock_mode = mode; return; } #endif