]> git.saurik.com Git - apple/network_cmds.git/blob - racoon.tproj/cfparse.y
projects / apple / network_cmds.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
network_cmds-201.tar.gz
[apple/network_cmds.git] / racoon.tproj / cfparse.y
1 /* $KAME: cfparse.y,v 1.114 2003/02/03 08:27:50 itojun Exp $ */
2
3 %{
4 #include <sys/types.h>
5 #include <sys/param.h>
6 #include <sys/queue.h>
7 #include <sys/socket.h>
8
9 #include <netinet/in.h>
10 #include <netinet6/ipsec.h>
11 #include <netkey/key_var.h>
12
13 #include <stdlib.h>
14 #include <stdio.h>
15 #include <string.h>
16 #include <errno.h>
17 #include <netdb.h>
18 #if !defined(HAVE_GETADDRINFO) || !defined(HAVE_GETNAMEINFO)
19 #include "addrinfo.h"
20 #endif
21
22 #include "var.h"
23 #include "misc.h"
24 #include "vmbuf.h"
25 #include "plog.h"
26 #include "sockmisc.h"
27 #include "str2val.h"
28 #include "debug.h"
29
30 /*#include "cfparse.h"*/
31 #include "cftoken.h"
32 #include "algorithm.h"
33 #include "localconf.h"
34 #include "policy.h"
35 #include "sainfo.h"
36 #include "oakley.h"
37 #include "pfkey.h"
38 #include "remoteconf.h"
39 #include "grabmyaddr.h"
40 #include "isakmp_var.h"
41 #include "handler.h"
42 #include "isakmp.h"
43 #include "ipsec_doi.h"
44 #include "strnames.h"
45 #include "gcmalloc.h"
46 #ifdef HAVE_GSSAPI
47 #include "gssapi.h"
48 #endif
49 #include "vendorid.h"
50
51 struct proposalspec {
52 time_t lifetime; /* for isakmp/ipsec */
53 int lifebyte; /* for isakmp/ipsec */
54 struct secprotospec *spspec; /* the head is always current spec. */
55 struct proposalspec *next; /* the tail is the most prefered. */
56 struct proposalspec *prev;
57 };
58
59 struct secprotospec {
60 int prop_no;
61 int trns_no;
62 int strength; /* for isakmp/ipsec */
63 int encklen; /* for isakmp/ipsec */
64 time_t lifetime; /* for isakmp */
65 int lifebyte; /* for isakmp */
66 int proto_id; /* for ipsec (isakmp?) */
67 int ipsec_level; /* for ipsec */
68 int encmode; /* for ipsec */
69 int vendorid; /* for isakmp */
70 char *gssid;
71 struct sockaddr *remote;
72 int algclass[MAXALGCLASS];
73
74 struct secprotospec *next; /* the tail is the most prefiered. */
75 struct secprotospec *prev;
76 struct proposalspec *back;
77 };
78
79 static int num2dhgroup[] = {
80 0,
81 OAKLEY_ATTR_GRP_DESC_MODP768,
82 OAKLEY_ATTR_GRP_DESC_MODP1024,
83 OAKLEY_ATTR_GRP_DESC_EC2N155,
84 OAKLEY_ATTR_GRP_DESC_EC2N185,
85 OAKLEY_ATTR_GRP_DESC_MODP1536,
86 };
87
88 static struct remoteconf *cur_rmconf;
89 static int tmpalgtype[MAXALGCLASS];
90 static struct sainfo *cur_sainfo;
91 static int cur_algclass;
92
93 static struct proposalspec *prhead; /* the head is always current. */
94
95 static struct proposalspec *newprspec __P((void));
96 static void cleanprhead __P((void));
97 static void insprspec __P((struct proposalspec *, struct proposalspec **));
98 static struct secprotospec *newspspec __P((void));
99 static void insspspec __P((struct secprotospec *, struct proposalspec **));
100
101 static int set_isakmp_proposal
102 __P((struct remoteconf *, struct proposalspec *));
103 static void clean_tmpalgtype __P((void));
104 static int expand_isakmpspec __P((int, int, int *,
105 int, int, time_t, int, int, int, char *, struct remoteconf *));
106
107 #if 0
108 static int fix_lifebyte __P((u_long));
109 #endif
110 %}
111
112 %union {
113 unsigned long num;
114 vchar_t *val;
115 struct remoteconf *rmconf;
116 struct sockaddr *saddr;
117 struct sainfoalg *alg;
118 }
119
120 /* path */
121 %token PATH PATHTYPE
122 /* include */
123 %token INCLUDE
124 /* self information */
125 %token IDENTIFIER VENDORID
126 /* logging */
127 %token LOGGING LOGLEV
128 /* padding */
129 %token PADDING PAD_RANDOMIZE PAD_RANDOMIZELEN PAD_MAXLEN PAD_STRICT PAD_EXCLTAIL
130 /* listen */
131 %token LISTEN X_ISAKMP X_ADMIN STRICT_ADDRESS
132 /* timer */
133 %token RETRY RETRY_COUNTER RETRY_INTERVAL RETRY_PERSEND
134 %token RETRY_PHASE1 RETRY_PHASE2
135 /* algorithm */
136 %token ALGORITHM_CLASS ALGORITHMTYPE STRENGTHTYPE
137 /* sainfo */
138 %token SAINFO
139 /* remote */
140 %token REMOTE ANONYMOUS
141 %token EXCHANGE_MODE EXCHANGETYPE DOI DOITYPE SITUATION SITUATIONTYPE
142 %token CERTIFICATE_TYPE CERTTYPE PEERS_CERTFILE VERIFY_CERT SEND_CERT SEND_CR
143 %token IDENTIFIERTYPE MY_IDENTIFIER PEERS_IDENTIFIER VERIFY_IDENTIFIER
144 %token SHARED_SECRET SECRETTYPE
145 %token DNSSEC CERT_X509
146 %token NONCE_SIZE DH_GROUP KEEPALIVE PASSIVE INITIAL_CONTACT
147 %token PROPOSAL_CHECK PROPOSAL_CHECK_LEVEL
148 %token GENERATE_POLICY SUPPORT_MIP6
149 %token PROPOSAL
150 %token EXEC_PATH EXEC_COMMAND EXEC_SUCCESS EXEC_FAILURE
151 %token GSSAPI_ID
152 %token COMPLEX_BUNDLE
153
154 %token PREFIX PORT PORTANY UL_PROTO ANY
155 %token PFS_GROUP LIFETIME LIFETYPE_TIME LIFETYPE_BYTE STRENGTH
156
157 %token NUMBER SWITCH BOOLEAN
158 %token HEXSTRING QUOTEDSTRING ADDRSTRING
159 %token UNITTYPE_BYTE UNITTYPE_KBYTES UNITTYPE_MBYTES UNITTYPE_TBYTES
160 %token UNITTYPE_SEC UNITTYPE_MIN UNITTYPE_HOUR
161 %token EOS BOC EOC COMMA
162
163 %type <num> NUMBER BOOLEAN SWITCH keylength
164 %type <num> PATHTYPE IDENTIFIERTYPE LOGLEV
165 %type <num> SECRETTYPE
166 %type <num> ALGORITHM_CLASS dh_group_num
167 %type <num> ALGORITHMTYPE STRENGTHTYPE
168 %type <num> PREFIX prefix PORT port ike_port
169 %type <num> ul_proto UL_PROTO
170 %type <num> EXCHANGETYPE DOITYPE SITUATIONTYPE
171 %type <num> CERTTYPE CERT_X509 PROPOSAL_CHECK_LEVEL
172 %type <num> unittype_time unittype_byte
173 %type <val> QUOTEDSTRING HEXSTRING ADDRSTRING sainfo_id
174 %type <val> identifierstring
175 %type <saddr> remote_index ike_addrinfo_port
176 %type <alg> algorithm
177
178 %%
179
180 statements
181 : /* nothing */
182 | statements statement
183 ;
184 statement
185 : path_statement
186 | include_statement
187 | identifier_statement
188 | logging_statement
189 | padding_statement
190 | listen_statement
191 | timer_statement
192 | sainfo_statement
193 | remote_statement
194 | special_statement
195 ;
196
197 /* path */
198 path_statement
199 : PATH PATHTYPE QUOTEDSTRING
200 {
201 if ($2 > LC_PATHTYPE_MAX) {
202 yyerror("invalid path type %d", $2);
203 return -1;
204 }
205
206 /* free old pathinfo */
207 if (lcconf->pathinfo[$2])
208 racoon_free(lcconf->pathinfo[$2]);
209
210 /* set new pathinfo */
211 lcconf->pathinfo[$2] = strdup($3->v);
212 vfree($3);
213 }
214 EOS
215 ;
216
217 /* special */
218 special_statement
219 : COMPLEX_BUNDLE SWITCH { lcconf->complex_bundle = $2; } EOS
220 ;
221
222 /* include */
223 include_statement
224 : INCLUDE QUOTEDSTRING EOS
225 {
226 char path[MAXPATHLEN];
227
228 getpathname(path, sizeof(path),
229 LC_PATHTYPE_INCLUDE, $2->v);
230 vfree($2);
231 if (yycf_switch_buffer(path) != 0)
232 return -1;
233 }
234 ;
235
236 /* self infomation */
237 identifier_statement
238 : IDENTIFIER identifier_stmt
239 ;
240 identifier_stmt
241 : VENDORID
242 {
243 /*XXX to be deleted */
244 }
245 QUOTEDSTRING EOS
246 | IDENTIFIERTYPE QUOTEDSTRING
247 {
248 /*XXX to be deleted */
249 $2->l--; /* nuke '\0' */
250 lcconf->ident[$1] = $2;
251 if (lcconf->ident[$1] == NULL) {
252 yyerror("failed to set my ident: %s",
253 strerror(errno));
254 return -1;
255 }
256 }
257 EOS
258 ;
259
260 /* logging */
261 logging_statement
262 : LOGGING log_level EOS
263 ;
264 log_level
265 : HEXSTRING
266 {
267 /*
268 * XXX ignore it because this specification
269 * will be obsoleted.
270 */
271 yywarn("see racoon.conf(5), such a log specification will be obsoleted.");
272 vfree($1);
273 }
274 | LOGLEV
275 {
276 /*
277 * set the loglevel by configuration file only when
278 * the command line did not specify any loglevel.
279 */
280 if (loglevel <= LLV_BASE)
281 loglevel += $1;
282 }
283 ;
284
285 /* padding */
286 padding_statement
287 : PADDING BOC padding_stmts EOC
288 ;
289 padding_stmts
290 : /* nothing */
291 | padding_stmts padding_stmt
292 ;
293 padding_stmt
294 : PAD_RANDOMIZE SWITCH { lcconf->pad_random = $2; } EOS
295 | PAD_RANDOMIZELEN SWITCH { lcconf->pad_randomlen = $2; } EOS
296 | PAD_MAXLEN NUMBER { lcconf->pad_maxsize = $2; } EOS
297 | PAD_STRICT SWITCH { lcconf->pad_strict = $2; } EOS
298 | PAD_EXCLTAIL SWITCH { lcconf->pad_excltail = $2; } EOS
299 ;
300
301 /* listen */
302 listen_statement
303 : LISTEN BOC listen_stmts EOC
304 ;
305 listen_stmts
306 : /* nothing */
307 | listen_stmts listen_stmt
308 ;
309 listen_stmt
310 : X_ISAKMP ike_addrinfo_port
311 {
312 struct myaddrs *p;
313
314 p = newmyaddr();
315 if (p == NULL) {
316 yyerror("failed to allocate myaddrs");
317 return -1;
318 }
319 p->addr = $2;
320 if (p->addr == NULL) {
321 yyerror("failed to copy sockaddr ");
322 delmyaddr(p);
323 return -1;
324 }
325
326 insmyaddr(p, &lcconf->myaddrs);
327
328 lcconf->autograbaddr = 0;
329 }
330 EOS
331 | X_ADMIN
332 {
333 yyerror("admin directive is obsoleted.");
334 }
335 PORT EOS
336 | STRICT_ADDRESS { lcconf->strict_address = TRUE; } EOS
337 ;
338 ike_addrinfo_port
339 : ADDRSTRING ike_port
340 {
341 char portbuf[10];
342
343 snprintf(portbuf, sizeof(portbuf), "%ld", $2);
344 $$ = str2saddr($1->v, portbuf);
345 vfree($1);
346 if (!$$)
347 return -1;
348 }
349 ;
350 ike_port
351 : /* nothing */ { $$ = PORT_ISAKMP; }
352 | PORT { $$ = $1; }
353 ;
354
355 /* timer */
356 timer_statement
357 : RETRY BOC timer_stmts EOC
358 ;
359 timer_stmts
360 : /* nothing */
361 | timer_stmts timer_stmt
362 ;
363 timer_stmt
364 : RETRY_COUNTER NUMBER
365 {
366 lcconf->retry_counter = $2;
367 }
368 EOS
369 | RETRY_INTERVAL NUMBER unittype_time
370 {
371 lcconf->retry_interval = $2 * $3;
372 }
373 EOS
374 | RETRY_PERSEND NUMBER
375 {
376 lcconf->count_persend = $2;
377 }
378 EOS
379 | RETRY_PHASE1 NUMBER unittype_time
380 {
381 lcconf->retry_checkph1 = $2 * $3;
382 }
383 EOS
384 | RETRY_PHASE2 NUMBER unittype_time
385 {
386 lcconf->wait_ph2complete = $2 * $3;
387 }
388 EOS
389 ;
390
391 /* sainfo */
392 sainfo_statement
393 : SAINFO
394 {
395 cur_sainfo = newsainfo();
396 if (cur_sainfo == NULL) {
397 yyerror("failed to allocate sainfo");
398 return -1;
399 }
400 }
401 sainfo_name BOC sainfo_specs
402 {
403 struct sainfo *check;
404
405 /* default */
406 if (cur_sainfo->algs[algclass_ipsec_enc] == 0) {
407 yyerror("no encryption algorithm at %s",
408 sainfo2str(cur_sainfo));
409 return -1;
410 }
411 if (cur_sainfo->algs[algclass_ipsec_auth] == 0) {
412 yyerror("no authentication algorithm at %s",
413 sainfo2str(cur_sainfo));
414 return -1;
415 }
416 if (cur_sainfo->algs[algclass_ipsec_comp] == 0) {
417 yyerror("no compression algorithm at %s",
418 sainfo2str(cur_sainfo));
419 return -1;
420 }
421
422 /* duplicate check */
423 check = getsainfo(cur_sainfo->idsrc, cur_sainfo->iddst);
424 if (check && (!check->idsrc && !cur_sainfo->idsrc)) {
425 yyerror("duplicated sainfo: %s",
426 sainfo2str(cur_sainfo));
427 return -1;
428 }
429 inssainfo(cur_sainfo);
430 }
431 EOC
432 ;
433 sainfo_name
434 : ANONYMOUS
435 {
436 cur_sainfo->idsrc = NULL;
437 cur_sainfo->iddst = NULL;
438 }
439 | sainfo_id sainfo_id
440 {
441 cur_sainfo->idsrc = $1;
442 cur_sainfo->iddst = $2;
443 }
444 ;
445 sainfo_id
446 : IDENTIFIERTYPE ADDRSTRING prefix port ul_proto
447 {
448 char portbuf[10];
449 struct sockaddr *saddr;
450
451 if (($5 == IPPROTO_ICMP || $5 == IPPROTO_ICMPV6)
452 && ($4 != IPSEC_PORT_ANY || $4 != IPSEC_PORT_ANY)) {
453 yyerror("port number must be \"any\".");
454 return -1;
455 }
456
457 snprintf(portbuf, sizeof(portbuf), "%lu", $4);
458 saddr = str2saddr($2->v, portbuf);
459 vfree($2);
460 if (saddr == NULL)
461 return -1;
462
463 switch (saddr->sa_family) {
464 case AF_INET:
465 if ($5 == IPPROTO_ICMPV6) {
466 yyerror("upper layer protocol mismatched.\n");
467 racoon_free(saddr);
468 return -1;
469 }
470 $$ = ipsecdoi_sockaddr2id(saddr,
471 $3 == ~0 ? (sizeof(struct in_addr) << 3): $3,
472 $5);
473 break;
474 #ifdef INET6
475 case AF_INET6:
476 if ($5 == IPPROTO_ICMP) {
477 yyerror("upper layer protocol mismatched.\n");
478 racoon_free(saddr);
479 return -1;
480 }
481 $$ = ipsecdoi_sockaddr2id(saddr,
482 $3 == ~0 ? (sizeof(struct in6_addr) << 3) : $3,
483 $5);
484 break;
485 #endif
486 default:
487 yyerror("invalid family: %d", saddr->sa_family);
488 break;
489 }
490 racoon_free(saddr);
491 if ($$ == NULL)
492 return -1;
493 }
494 | IDENTIFIERTYPE QUOTEDSTRING
495 {
496 struct ipsecdoi_id_b *id_b;
497
498 if ($1 == IDTYPE_ASN1DN) {
499 yyerror("id type forbidden: %d", $1);
500 return -1;
501 }
502
503 $2->l--;
504
505 $$ = vmalloc(sizeof(*id_b) + $2->l);
506 if ($$ == NULL) {
507 yyerror("failed to allocate identifier");
508 return -1;
509 }
510
511 id_b = (struct ipsecdoi_id_b *)$$->v;
512 id_b->type = idtype2doi($1);
513
514 id_b->proto_id = 0;
515 id_b->port = 0;
516
517 memcpy($$->v + sizeof(*id_b), $2->v, $2->l);
518 }
519 ;
520 sainfo_specs
521 : /* nothing */
522 | sainfo_specs sainfo_spec
523 ;
524 sainfo_spec
525 : PFS_GROUP dh_group_num
526 {
527 cur_sainfo->pfs_group = $2;
528 }
529 EOS
530 | LIFETIME LIFETYPE_TIME NUMBER unittype_time
531 {
532 cur_sainfo->lifetime = $3 * $4;
533 }
534 EOS
535 | LIFETIME LIFETYPE_BYTE NUMBER unittype_byte
536 {
537 #if 1
538 yyerror("byte lifetime support is deprecated");
539 return -1;
540 #else
541 cur_sainfo->lifebyte = fix_lifebyte($3 * $4);
542 if (cur_sainfo->lifebyte == 0)
543 return -1;
544 #endif
545 }
546 EOS
547 | ALGORITHM_CLASS {
548 cur_algclass = $1;
549 }
550 algorithms EOS
551 | IDENTIFIER IDENTIFIERTYPE
552 {
553 yyerror("it's deprecated to specify a identifier in phase 2");
554 }
555 EOS
556 | MY_IDENTIFIER IDENTIFIERTYPE QUOTEDSTRING
557 {
558 yyerror("it's deprecated to specify a identifier in phase 2");
559 }
560 EOS
561 ;
562
563 algorithms
564 : algorithm
565 {
566 inssainfoalg(&cur_sainfo->algs[cur_algclass], $1);
567 }
568 | algorithm
569 {
570 inssainfoalg(&cur_sainfo->algs[cur_algclass], $1);
571 }
572 COMMA algorithms
573 ;
574 algorithm
575 : ALGORITHMTYPE keylength
576 {
577 int defklen;
578
579 $$ = newsainfoalg();
580 if ($$ == NULL) {
581 yyerror("failed to get algorithm allocation");
582 return -1;
583 }
584
585 $$->alg = algtype2doi(cur_algclass, $1);
586 if ($$->alg == -1) {
587 yyerror("algorithm mismatched");
588 racoon_free($$);
589 return -1;
590 }
591
592 defklen = default_keylen(cur_algclass, $1);
593 if (defklen == 0) {
594 if ($2) {
595 yyerror("keylen not allowed");
596 racoon_free($$);
597 return -1;
598 }
599 } else {
600 if ($2 && check_keylen(cur_algclass, $1, $2) < 0) {
601 yyerror("invalid keylen %d", $2);
602 racoon_free($$);
603 return -1;
604 }
605 }
606
607 if ($2)
608 $$->encklen = $2;
609 else
610 $$->encklen = defklen;
611
612 /* check if it's supported algorithm by kernel */
613 if (!(cur_algclass == algclass_ipsec_auth && $1 == algtype_non_auth)
614 && pk_checkalg(cur_algclass, $1, $$->encklen)) {
615 int a = algclass2doi(cur_algclass);
616 int b = algtype2doi(cur_algclass, $1);
617 if (a == IPSECDOI_ATTR_AUTH)
618 a = IPSECDOI_PROTO_IPSEC_AH;
619 yyerror("algorithm %s not supported",
620 s_ipsecdoi_trns(a, b));
621 racoon_free($$);
622 return -1;
623 }
624 }
625 ;
626 prefix
627 : /* nothing */ { $$ = ~0; }
628 | PREFIX { $$ = $1; }
629 ;
630 port
631 : /* nothing */ { $$ = IPSEC_PORT_ANY; }
632 | PORT { $$ = $1; }
633 | PORTANY { $$ = IPSEC_PORT_ANY; }
634 ;
635 ul_proto
636 : NUMBER { $$ = $1; }
637 | UL_PROTO { $$ = $1; }
638 | ANY { $$ = IPSEC_ULPROTO_ANY; }
639 ;
640 keylength
641 : /* nothing */ { $$ = 0; }
642 | NUMBER { $$ = $1; }
643 ;
644
645 /* remote */
646 remote_statement
647 : REMOTE remote_index
648 {
649 struct remoteconf *new;
650 struct proposalspec *prspec;
651
652 new = newrmconf();
653 if (new == NULL) {
654 yyerror("failed to get new remoteconf.");
655 return -1;
656 }
657
658 new->remote = $2;
659 cur_rmconf = new;
660
661 prspec = newprspec();
662 if (prspec == NULL)
663 return -1;
664 prspec->lifetime = oakley_get_defaultlifetime();
665 insprspec(prspec, &prhead);
666 }
667 BOC remote_specs
668 {
669 /* check a exchange mode */
670 if (cur_rmconf->etypes == NULL) {
671 yyerror("no exchange mode specified.\n");
672 return -1;
673 }
674
675 if (cur_rmconf->idvtype == IDTYPE_ASN1DN
676 && cur_rmconf->mycertfile == NULL) {
677 yyerror("id type mismatched due to "
678 "no CERT defined.\n");
679 return -1;
680 }
681
682 if (set_isakmp_proposal(cur_rmconf, prhead) != 0)
683 return -1;
684
685 /* DH group settting if aggressive mode is there. */
686 if (check_etypeok(cur_rmconf, ISAKMP_ETYPE_AGG) != NULL) {
687 struct isakmpsa *p;
688 int b = 0;
689
690 /* DH group */
691 for (p = cur_rmconf->proposal; p; p = p->next) {
692 if (b == 0 || (b && b == p->dh_group)) {
693 b = p->dh_group;
694 continue;
695 }
696 yyerror("DH group must be equal "
697 "to each proposals's "
698 "when aggressive mode is "
699 "used.\n");
700 return -1;
701 }
702 cur_rmconf->dh_group = b;
703
704 if (cur_rmconf->dh_group == 0) {
705 yyerror("DH group must be required.\n");
706 return -1;
707 }
708
709 /* DH group settting if PFS is required. */
710 if (oakley_setdhgroup(cur_rmconf->dh_group,
711 &cur_rmconf->dhgrp) < 0) {
712 yyerror("failed to set DH value.\n");
713 return -1;
714 }
715 }
716
717 insrmconf(cur_rmconf);
718
719 cleanprhead();
720 }
721 EOC
722 ;
723 remote_index
724 : ANONYMOUS ike_port
725 {
726 $$ = newsaddr(sizeof(struct sockaddr *));
727 $$->sa_family = AF_UNSPEC;
728 ((struct sockaddr_in *)$$)->sin_port = htons($2);
729 }
730 | ike_addrinfo_port
731 {
732 $$ = $1;
733 if ($$ == NULL) {
734 yyerror("failed to allocate sockaddr");
735 return -1;
736 }
737 }
738 ;
739 remote_specs
740 : /* nothing */
741 | remote_specs remote_spec
742 ;
743 remote_spec
744 : EXCHANGE_MODE exchange_types EOS
745 | DOI DOITYPE { cur_rmconf->doitype = $2; } EOS
746 | SITUATION SITUATIONTYPE { cur_rmconf->sittype = $2; } EOS
747 | CERTIFICATE_TYPE cert_spec
748 | PEERS_CERTFILE QUOTEDSTRING
749 {
750 #ifdef HAVE_SIGNING_C
751 cur_rmconf->getcert_method = ISAKMP_GETCERT_LOCALFILE;
752 cur_rmconf->peerscertfile = strdup($2->v);
753 vfree($2);
754 #else
755 yyerror("directive not supported");
756 return -1;
757 #endif
758 }
759 EOS
760 | PEERS_CERTFILE DNSSEC
761 {
762 #ifdef HAVE_SIGNING_C
763 cur_rmconf->getcert_method = ISAKMP_GETCERT_DNS;
764 cur_rmconf->peerscertfile = NULL;
765 #else
766 yyerror("directive not supported");
767 return -1;
768 #endif
769 }
770 EOS
771 | VERIFY_CERT SWITCH { cur_rmconf->verify_cert = $2; } EOS
772 | SEND_CERT SWITCH { cur_rmconf->send_cert = $2; } EOS
773 | SEND_CR SWITCH { cur_rmconf->send_cr = $2; } EOS
774 | IDENTIFIER IDENTIFIERTYPE
775 {
776 /*XXX to be deleted */
777 cur_rmconf->idvtype = $2;
778 }
779 EOS
780 | MY_IDENTIFIER IDENTIFIERTYPE identifierstring
781 {
782 if (set_identifier(&cur_rmconf->idv, $2, $3) != 0) {
783 yyerror("failed to set identifer.\n");
784 return -1;
785 }
786 vfree($3);
787 cur_rmconf->idvtype = $2;
788 }
789 EOS
790 | PEERS_IDENTIFIER IDENTIFIERTYPE identifierstring
791 {
792 if (set_identifier(&cur_rmconf->idv_p, $2, $3) != 0) {
793 yyerror("failed to set identifer.\n");
794 return -1;
795 }
796 vfree($3);
797 cur_rmconf->idvtype_p = $2;
798 }
799 EOS
800 | VERIFY_IDENTIFIER SWITCH { cur_rmconf->verify_identifier = $2; } EOS
801 | SHARED_SECRET SECRETTYPE QUOTEDSTRING { cur_rmconf->secrettype = $2; cur_rmconf->shared_secret = $3; } EOS
802 | NONCE_SIZE NUMBER { cur_rmconf->nonce_size = $2; } EOS
803 | DH_GROUP
804 {
805 yyerror("dh_group cannot be defined here.");
806 return -1;
807 }
808 dh_group_num EOS
809 | KEEPALIVE { cur_rmconf->keepalive = TRUE; } EOS
810 | PASSIVE SWITCH { cur_rmconf->passive = $2; } EOS
811 | GENERATE_POLICY SWITCH { cur_rmconf->gen_policy = $2; } EOS
812 | SUPPORT_MIP6 SWITCH { cur_rmconf->support_mip6 = $2; } EOS
813 | INITIAL_CONTACT SWITCH { cur_rmconf->ini_contact = $2; } EOS
814 | PROPOSAL_CHECK PROPOSAL_CHECK_LEVEL { cur_rmconf->pcheck_level = $2; } EOS
815 | LIFETIME LIFETYPE_TIME NUMBER unittype_time
816 {
817 prhead->lifetime = $3 * $4;
818 }
819 EOS
820 | LIFETIME LIFETYPE_BYTE NUMBER unittype_byte
821 {
822 #if 1
823 yyerror("byte lifetime support is deprecated");
824 return -1;
825 #else
826 yywarn("the lifetime of bytes in phase 1 "
827 "will be ignored at the moment.");
828 prhead->lifebyte = fix_lifebyte($3 * $4);
829 if (prhead->lifebyte == 0)
830 return -1;
831 #endif
832 }
833 EOS
834 | PROPOSAL
835 {
836 struct secprotospec *spspec;
837
838 spspec = newspspec();
839 if (spspec == NULL)
840 return -1;
841 insspspec(spspec, &prhead);
842 }
843 BOC isakmpproposal_specs EOC
844 ;
845 exchange_types
846 : /* nothing */
847 | exchange_types EXCHANGETYPE
848 {
849 struct etypes *new;
850 new = racoon_malloc(sizeof(struct etypes));
851 if (new == NULL) {
852 yyerror("filed to allocate etypes");
853 return -1;
854 }
855 new->type = $2;
856 new->next = NULL;
857 if (cur_rmconf->etypes == NULL)
858 cur_rmconf->etypes = new;
859 else {
860 struct etypes *p;
861 for (p = cur_rmconf->etypes;
862 p->next != NULL;
863 p = p->next)
864 ;
865 p->next = new;
866 }
867 }
868 ;
869 cert_spec
870 : CERT_X509 QUOTEDSTRING QUOTEDSTRING
871 {
872 #ifdef HAVE_SIGNING_C
873 cur_rmconf->certtype = $1;
874 cur_rmconf->mycertfile = strdup($2->v);
875 vfree($2);
876 cur_rmconf->myprivfile = strdup($3->v);
877 vfree($3);
878 #else
879 yyerror("directive not supported");
880 return -1;
881 #endif
882 }
883 EOS
884 ;
885 dh_group_num
886 : ALGORITHMTYPE
887 {
888 $$ = algtype2doi(algclass_isakmp_dh, $1);
889 if ($$ == -1) {
890 yyerror("must be DH group");
891 return -1;
892 }
893 }
894 | NUMBER
895 {
896 if (ARRAYLEN(num2dhgroup) > $1 && num2dhgroup[$1] != 0) {
897 $$ = num2dhgroup[$1];
898 } else {
899 yyerror("must be DH group");
900 return -1;
901 }
902 }
903 ;
904 identifierstring
905 : /* nothing */ { $$ = NULL; }
906 | ADDRSTRING { $$ = $1; }
907 | QUOTEDSTRING { $$ = $1; }
908 ;
909 isakmpproposal_specs
910 : /* nothing */
911 | isakmpproposal_specs isakmpproposal_spec
912 ;
913 isakmpproposal_spec
914 : STRENGTH
915 {
916 yyerror("strength directive is obsoleted.");
917 } STRENGTHTYPE EOS
918 | LIFETIME LIFETYPE_TIME NUMBER unittype_time
919 {
920 prhead->spspec->lifetime = $3 * $4;
921 }
922 EOS
923 | LIFETIME LIFETYPE_BYTE NUMBER unittype_byte
924 {
925 #if 1
926 yyerror("byte lifetime support is deprecated");
927 return -1;
928 #else
929 prhead->spspec->lifebyte = fix_lifebyte($3 * $4);
930 if (prhead->spspec->lifebyte == 0)
931 return -1;
932 #endif
933 }
934 EOS
935 | DH_GROUP dh_group_num
936 {
937 prhead->spspec->algclass[algclass_isakmp_dh] = $2;
938 }
939 EOS
940 | GSSAPI_ID QUOTEDSTRING
941 {
942 if (prhead->spspec->vendorid != VENDORID_GSSAPI) {
943 yyerror("wrong Vendor ID for gssapi_id");
944 return -1;
945 }
946 prhead->spspec->gssid = strdup($2->v);
947 }
948 EOS
949 | ALGORITHM_CLASS ALGORITHMTYPE keylength
950 {
951 int doi;
952 int defklen;
953
954 doi = algtype2doi($1, $2);
955 if (doi == -1) {
956 yyerror("algorithm mismatched 1");
957 return -1;
958 }
959
960 switch ($1) {
961 case algclass_isakmp_enc:
962 /* reject suppressed algorithms */
963 #ifndef HAVE_OPENSSL_RC5_H
964 if ($2 == algtype_rc5) {
965 yyerror("algorithm %s not supported",
966 s_attr_isakmp_enc(doi));
967 return -1;
968 }
969 #endif
970 #ifndef HAVE_OPENSSL_IDEA_H
971 if ($2 == algtype_idea) {
972 yyerror("algorithm %s not supported",
973 s_attr_isakmp_enc(doi));
974 return -1;
975 }
976 #endif
977
978 prhead->spspec->algclass[algclass_isakmp_enc] = doi;
979 defklen = default_keylen($1, $2);
980 if (defklen == 0) {
981 if ($3) {
982 yyerror("keylen not allowed");
983 return -1;
984 }
985 } else {
986 if ($3 && check_keylen($1, $2, $3) < 0) {
987 yyerror("invalid keylen %d", $3);
988 return -1;
989 }
990 }
991 if ($3)
992 prhead->spspec->encklen = $3;
993 else
994 prhead->spspec->encklen = defklen;
995 break;
996 case algclass_isakmp_hash:
997 prhead->spspec->algclass[algclass_isakmp_hash] = doi;
998 break;
999 case algclass_isakmp_ameth:
1000 prhead->spspec->algclass[algclass_isakmp_ameth] = doi;
1001 /*
1002 * We may have to set the Vendor ID for the
1003 * authentication method we're using.
1004 */
1005 switch ($2) {
1006 case algtype_gssapikrb:
1007 if (prhead->spspec->vendorid !=
1008 VENDORID_UNKNOWN) {
1009 yyerror("Vendor ID mismatch "
1010 "for auth method");
1011 return -1;
1012 }
1013 /*
1014 * For interoperability with Win2k,
1015 * we set the Vendor ID to "GSSAPI".
1016 */
1017 prhead->spspec->vendorid =
1018 VENDORID_GSSAPI;
1019 break;
1020 default:
1021 break;
1022 }
1023 break;
1024 default:
1025 yyerror("algorithm mismatched 2");
1026 return -1;
1027 }
1028 }
1029 EOS
1030 ;
1031
1032 unittype_time
1033 : UNITTYPE_SEC { $$ = 1; }
1034 | UNITTYPE_MIN { $$ = 60; }
1035 | UNITTYPE_HOUR { $$ = (60 * 60); }
1036 ;
1037 unittype_byte
1038 : UNITTYPE_BYTE { $$ = 1; }
1039 | UNITTYPE_KBYTES { $$ = 1024; }
1040 | UNITTYPE_MBYTES { $$ = (1024 * 1024); }
1041 | UNITTYPE_TBYTES { $$ = (1024 * 1024 * 1024); }
1042 ;
1043 %%
1044
1045 static struct proposalspec *
1046 newprspec()
1047 {
1048 struct proposalspec *new;
1049
1050 new = racoon_calloc(1, sizeof(*new));
1051 if (new == NULL)
1052 yyerror("failed to allocate proposal");
1053
1054 return new;
1055 }
1056
1057 static void
1058 cleanprhead()
1059 {
1060 struct proposalspec *p, *next;
1061
1062 if (prhead == NULL)
1063 return;
1064
1065 for (p = prhead; p != NULL; p = next) {
1066 struct secprotospec *psp, *nextsp;
1067 for (psp = p->spspec; psp; psp = nextsp) {
1068 nextsp = psp->next;
1069 racoon_free(p->spspec);
1070 }
1071 next = p->next;
1072 racoon_free(p);
1073 }
1074
1075 prhead = NULL;
1076 }
1077
1078 /*
1079 * insert into head of list.
1080 */
1081 static void
1082 insprspec(prspec, head)
1083 struct proposalspec *prspec;
1084 struct proposalspec **head;
1085 {
1086 if (*head != NULL)
1087 (*head)->prev = prspec;
1088 prspec->next = *head;
1089 *head = prspec;
1090 }
1091
1092 static struct secprotospec *
1093 newspspec()
1094 {
1095 struct secprotospec *new;
1096
1097 new = racoon_calloc(1, sizeof(*new));
1098 if (new == NULL) {
1099 yyerror("failed to allocate spproto");
1100 return NULL;
1101 }
1102
1103 new->encklen = 0; /*XXX*/
1104
1105 /*
1106 * Default to "uknown" vendor -- we will override this
1107 * as necessary. When we send a Vendor ID payload, an
1108 * "unknown" will be translated to a KAME/racoon ID.
1109 */
1110 new->vendorid = VENDORID_UNKNOWN;
1111
1112 return new;
1113 }
1114
1115 /*
1116 * insert into head of list.
1117 */
1118 static void
1119 insspspec(spspec, head)
1120 struct secprotospec *spspec;
1121 struct proposalspec **head;
1122 {
1123 spspec->back = *head;
1124
1125 if ((*head)->spspec != NULL)
1126 (*head)->spspec->prev = spspec;
1127 spspec->next = (*head)->spspec;
1128 (*head)->spspec = spspec;
1129 }
1130
1131 /* set final acceptable proposal */
1132 static int
1133 set_isakmp_proposal(rmconf, prspec)
1134 struct remoteconf *rmconf;
1135 struct proposalspec *prspec;
1136 {
1137 struct proposalspec *p;
1138 struct secprotospec *s;
1139 int prop_no = 1;
1140 int trns_no = 1;
1141 u_int32_t types[MAXALGCLASS];
1142
1143 p = prspec;
1144 if (p->next != 0) {
1145 plog(LLV_ERROR, LOCATION, NULL,
1146 "multiple proposal definition.\n");
1147 return -1;
1148 }
1149
1150 /* mandatory check */
1151 if (p->spspec == NULL) {
1152 yyerror("no remote specification found: %s.\n",
1153 rm2str(rmconf));
1154 return -1;
1155 }
1156 for (s = p->spspec; s != NULL; s = s->next) {
1157 /* XXX need more to check */
1158 if (s->algclass[algclass_isakmp_enc] == 0) {
1159 yyerror("encryption algorithm required.");
1160 return -1;
1161 }
1162 if (s->algclass[algclass_isakmp_hash] == 0) {
1163 yyerror("hash algorithm required.");
1164 return -1;
1165 }
1166 if (s->algclass[algclass_isakmp_dh] == 0) {
1167 yyerror("DH group required.");
1168 return -1;
1169 }
1170 if (s->algclass[algclass_isakmp_ameth] == 0) {
1171 yyerror("authentication method required.");
1172 return -1;
1173 }
1174 }
1175
1176 /* skip to last part */
1177 for (s = p->spspec; s->next != NULL; s = s->next)
1178 ;
1179
1180 while (s != NULL) {
1181 plog(LLV_DEBUG2, LOCATION, NULL,
1182 "lifetime = %ld\n", (long)
1183 (s->lifetime ? s->lifetime : p->lifetime));
1184 plog(LLV_DEBUG2, LOCATION, NULL,
1185 "lifebyte = %d\n",
1186 s->lifebyte ? s->lifebyte : p->lifebyte);
1187 plog(LLV_DEBUG2, LOCATION, NULL,
1188 "encklen=%d\n", s->encklen);
1189
1190 memset(types, 0, ARRAYLEN(types));
1191 types[algclass_isakmp_enc] = s->algclass[algclass_isakmp_enc];
1192 types[algclass_isakmp_hash] = s->algclass[algclass_isakmp_hash];
1193 types[algclass_isakmp_dh] = s->algclass[algclass_isakmp_dh];
1194 types[algclass_isakmp_ameth] =
1195 s->algclass[algclass_isakmp_ameth];
1196
1197 /* expanding spspec */
1198 clean_tmpalgtype();
1199 trns_no = expand_isakmpspec(prop_no, trns_no, types,
1200 algclass_isakmp_enc, algclass_isakmp_ameth + 1,
1201 s->lifetime ? s->lifetime : p->lifetime,
1202 s->lifebyte ? s->lifebyte : p->lifebyte,
1203 s->encklen, s->vendorid, s->gssid,
1204 rmconf);
1205 if (trns_no == -1) {
1206 plog(LLV_ERROR, LOCATION, NULL,
1207 "failed to expand isakmp proposal.\n");
1208 return -1;
1209 }
1210
1211 s = s->prev;
1212 }
1213
1214 if (rmconf->proposal == NULL) {
1215 plog(LLV_ERROR, LOCATION, NULL,
1216 "no proposal found.\n");
1217 return -1;
1218 }
1219
1220 return 0;
1221 }
1222
1223 static void
1224 clean_tmpalgtype()
1225 {
1226 int i;
1227 for (i = 0; i < MAXALGCLASS; i++)
1228 tmpalgtype[i] = 0; /* means algorithm undefined. */
1229 }
1230
1231 static int
1232 expand_isakmpspec(prop_no, trns_no, types,
1233 class, last, lifetime, lifebyte, encklen, vendorid, gssid,
1234 rmconf)
1235 int prop_no, trns_no;
1236 int *types, class, last;
1237 time_t lifetime;
1238 int lifebyte;
1239 int encklen;
1240 int vendorid;
1241 char *gssid;
1242 struct remoteconf *rmconf;
1243 {
1244 struct isakmpsa *new;
1245
1246 /* debugging */
1247 {
1248 int j;
1249 char tb[10];
1250 plog(LLV_DEBUG2, LOCATION, NULL,
1251 "p:%d t:%d\n", prop_no, trns_no);
1252 for (j = class; j < MAXALGCLASS; j++) {
1253 snprintf(tb, sizeof(tb), "%d", types[j]);
1254 plog(LLV_DEBUG2, LOCATION, NULL,
1255 "%s%s%s%s\n",
1256 s_algtype(j, types[j]),
1257 types[j] ? "(" : "",
1258 tb[0] == '0' ? "" : tb,
1259 types[j] ? ")" : "");
1260 }
1261 plog(LLV_DEBUG2, LOCATION, NULL, "\n");
1262 }
1263
1264 #define TMPALGTYPE2STR(n) \
1265 s_algtype(algclass_isakmp_##n, types[algclass_isakmp_##n])
1266 /* check mandatory values */
1267 if (types[algclass_isakmp_enc] == 0
1268 || types[algclass_isakmp_ameth] == 0
1269 || types[algclass_isakmp_hash] == 0
1270 || types[algclass_isakmp_dh] == 0) {
1271 yyerror("few definition of algorithm "
1272 "enc=%s ameth=%s hash=%s dhgroup=%s.\n",
1273 TMPALGTYPE2STR(enc),
1274 TMPALGTYPE2STR(ameth),
1275 TMPALGTYPE2STR(hash),
1276 TMPALGTYPE2STR(dh));
1277 return -1;
1278 }
1279 #undef TMPALGTYPE2STR
1280
1281 /* set new sa */
1282 new = newisakmpsa();
1283 if (new == NULL) {
1284 yyerror("failed to allocate isakmp sa");
1285 return -1;
1286 }
1287 new->prop_no = prop_no;
1288 new->trns_no = trns_no++;
1289 new->lifetime = lifetime;
1290 new->lifebyte = lifebyte;
1291 new->enctype = types[algclass_isakmp_enc];
1292 new->encklen = encklen;
1293 new->authmethod = types[algclass_isakmp_ameth];
1294 new->hashtype = types[algclass_isakmp_hash];
1295 new->dh_group = types[algclass_isakmp_dh];
1296 new->vendorid = vendorid;
1297 #ifdef HAVE_GSSAPI
1298 if (gssid != NULL) {
1299 new->gssid = vmalloc(strlen(gssid) + 1);
1300 memcpy(new->gssid->v, gssid, new->gssid->l);
1301 racoon_free(gssid);
1302 } else
1303 new->gssid = NULL;
1304 #endif
1305 insisakmpsa(new, rmconf);
1306
1307 return trns_no;
1308 }
1309
1310 #if 0
1311 /*
1312 * fix lifebyte.
1313 * Must be more than 1024B because its unit is kilobytes.
1314 * That is defined RFC2407.
1315 */
1316 static int
1317 fix_lifebyte(t)
1318 unsigned long t;
1319 {
1320 if (t < 1024) {
1321 yyerror("byte size should be more than 1024B.");
1322 return 0;
1323 }
1324
1325 return(t / 1024);
1326 }
1327 #endif
1328
1329 extern int yyparse(void);
1330
1331 int
1332 cfparse()
1333 {
1334 int error;
1335
1336 yycf_init_buffer();
1337
1338 if (yycf_switch_buffer(lcconf->racoon_conf) != 0)
1339 return -1;
1340
1341 prhead = NULL;
1342
1343 error = yyparse();
1344 if (error != 0) {
1345 if (yyerrorcount) {
1346 plog(LLV_ERROR, LOCATION, NULL,
1347 "fatal parse failure (%d errors)\n",
1348 yyerrorcount);
1349 } else {
1350 plog(LLV_ERROR, LOCATION, NULL,
1351 "fatal parse failure.\n");
1352 }
1353 return -1;
1354 }
1355
1356 if (error == 0 && yyerrorcount) {
1357 plog(LLV_ERROR, LOCATION, NULL,
1358 "parse error is nothing, but yyerrorcount is %d.\n",
1359 yyerrorcount);
1360 exit(1);
1361 }
1362
1363 yycf_clean_buffer();
1364
1365 plog(LLV_DEBUG2, LOCATION, NULL, "parse successed.\n");
1366
1367 return 0;
1368 }
1369
1370 int
1371 cfreparse()
1372 {
1373 flushph2();
1374 flushph1();
1375 flushrmconf();
1376 flushsainfo();
1377 cleanprhead();
1378 clean_tmpalgtype();
1379
1380 return(cfparse());
1381 }
1382
mirror of network_cmds