]> git.saurik.com Git - apple/network_cmds.git/blob - racoon.tproj/cfparse.y
projects / apple / network_cmds.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
network_cmds-115.2.tar.gz
[apple/network_cmds.git] / racoon.tproj / cfparse.y
1 /* $KAME: cfparse.y,v 1.111 2001/12/31 20:13:40 thorpej Exp $ */
2
3 %{
4 #include <sys/types.h>
5 #include <sys/param.h>
6 #include <sys/queue.h>
7 #include <sys/socket.h>
8
9 #include <netinet/in.h>
10 #include <netinet6/ipsec.h>
11 #include <netkey/key_var.h>
12
13 #include <stdlib.h>
14 #include <stdio.h>
15 #include <string.h>
16 #include <errno.h>
17 #include <netdb.h>
18 #if !defined(HAVE_GETADDRINFO) || !defined(HAVE_GETNAMEINFO)
19 #include "addrinfo.h"
20 #endif
21
22 #include "var.h"
23 #include "misc.h"
24 #include "vmbuf.h"
25 #include "plog.h"
26 #include "sockmisc.h"
27 #include "str2val.h"
28 #include "debug.h"
29
30 /*#include "cfparse.h"*/
31 #include "cftoken.h"
32 #include "algorithm.h"
33 #include "localconf.h"
34 #include "policy.h"
35 #include "sainfo.h"
36 #include "oakley.h"
37 #include "pfkey.h"
38 #include "remoteconf.h"
39 #include "grabmyaddr.h"
40 #include "isakmp_var.h"
41 #include "handler.h"
42 #include "isakmp.h"
43 #include "ipsec_doi.h"
44 #include "strnames.h"
45 #include "gcmalloc.h"
46 #ifdef HAVE_GSSAPI
47 #include "gssapi.h"
48 #endif
49 #include "vendorid.h"
50
51 struct proposalspec {
52 time_t lifetime; /* for isakmp/ipsec */
53 int lifebyte; /* for isakmp/ipsec */
54 struct secprotospec *spspec; /* the head is always current spec. */
55 struct proposalspec *next; /* the tail is the most prefered. */
56 struct proposalspec *prev;
57 };
58
59 struct secprotospec {
60 int prop_no;
61 int trns_no;
62 int strength; /* for isakmp/ipsec */
63 int encklen; /* for isakmp/ipsec */
64 time_t lifetime; /* for isakmp */
65 int lifebyte; /* for isakmp */
66 int proto_id; /* for ipsec (isakmp?) */
67 int ipsec_level; /* for ipsec */
68 int encmode; /* for ipsec */
69 int vendorid; /* for isakmp */
70 char *gssid;
71 struct sockaddr *remote;
72 int algclass[MAXALGCLASS];
73
74 struct secprotospec *next; /* the tail is the most prefiered. */
75 struct secprotospec *prev;
76 struct proposalspec *back;
77 };
78
79 static int num2dhgroup[] = {
80 0,
81 OAKLEY_ATTR_GRP_DESC_MODP768,
82 OAKLEY_ATTR_GRP_DESC_MODP1024,
83 OAKLEY_ATTR_GRP_DESC_EC2N155,
84 OAKLEY_ATTR_GRP_DESC_EC2N185,
85 OAKLEY_ATTR_GRP_DESC_MODP1536,
86 };
87
88 static struct remoteconf *cur_rmconf;
89 static int tmpalgtype[MAXALGCLASS];
90 static struct sainfo *cur_sainfo;
91 static int cur_algclass;
92
93 static struct proposalspec *prhead; /* the head is always current. */
94
95 static struct proposalspec *newprspec __P((void));
96 static void cleanprhead __P((void));
97 static void insprspec __P((struct proposalspec *, struct proposalspec **));
98 static struct secprotospec *newspspec __P((void));
99 static void insspspec __P((struct secprotospec *, struct proposalspec **));
100
101 static int set_isakmp_proposal
102 __P((struct remoteconf *, struct proposalspec *));
103 static void clean_tmpalgtype __P((void));
104 static int expand_isakmpspec __P((int, int, int *,
105 int, int, time_t, int, int, int, char *, struct remoteconf *));
106
107 #if 0
108 static int fix_lifebyte __P((u_long));
109 #endif
110 %}
111
112 %union {
113 unsigned long num;
114 vchar_t *val;
115 struct remoteconf *rmconf;
116 struct sockaddr *saddr;
117 struct sainfoalg *alg;
118 }
119
120 /* path */
121 %token PATH PATHTYPE
122 /* include */
123 %token INCLUDE
124 /* self information */
125 %token IDENTIFIER VENDORID
126 /* logging */
127 %token LOGGING LOGLEV
128 /* padding */
129 %token PADDING PAD_RANDOMIZE PAD_RANDOMIZELEN PAD_MAXLEN PAD_STRICT PAD_EXCLTAIL
130 /* listen */
131 %token LISTEN X_ISAKMP X_ADMIN STRICT_ADDRESS
132 /* timer */
133 %token RETRY RETRY_COUNTER RETRY_INTERVAL RETRY_PERSEND
134 %token RETRY_PHASE1 RETRY_PHASE2
135 /* algorithm */
136 %token ALGORITHM_CLASS ALGORITHMTYPE STRENGTHTYPE
137 /* sainfo */
138 %token SAINFO
139 /* remote */
140 %token REMOTE ANONYMOUS
141 %token EXCHANGE_MODE EXCHANGETYPE DOI DOITYPE SITUATION SITUATIONTYPE
142 %token CERTIFICATE_TYPE CERTTYPE PEERS_CERTFILE VERIFY_CERT SEND_CERT SEND_CR
143 %token IDENTIFIERTYPE MY_IDENTIFIER PEERS_IDENTIFIER VERIFY_IDENTIFIER
144 %token DNSSEC CERT_X509
145 %token NONCE_SIZE DH_GROUP KEEPALIVE PASSIVE INITIAL_CONTACT
146 %token PROPOSAL_CHECK PROPOSAL_CHECK_LEVEL
147 %token GENERATE_POLICY SUPPORT_MIP6
148 %token PROPOSAL
149 %token EXEC_PATH EXEC_COMMAND EXEC_SUCCESS EXEC_FAILURE
150 %token GSSAPI_ID
151 %token COMPLEX_BUNDLE
152
153 %token PREFIX PORT PORTANY UL_PROTO ANY
154 %token PFS_GROUP LIFETIME LIFETYPE_TIME LIFETYPE_BYTE STRENGTH
155
156 %token NUMBER SWITCH BOOLEAN
157 %token HEXSTRING QUOTEDSTRING ADDRSTRING
158 %token UNITTYPE_BYTE UNITTYPE_KBYTES UNITTYPE_MBYTES UNITTYPE_TBYTES
159 %token UNITTYPE_SEC UNITTYPE_MIN UNITTYPE_HOUR
160 %token EOS BOC EOC COMMA
161
162 %type <num> NUMBER BOOLEAN SWITCH keylength
163 %type <num> PATHTYPE IDENTIFIERTYPE LOGLEV
164 %type <num> ALGORITHM_CLASS dh_group_num
165 %type <num> ALGORITHMTYPE STRENGTHTYPE
166 %type <num> PREFIX prefix PORT port ike_port
167 %type <num> ul_proto UL_PROTO
168 %type <num> EXCHANGETYPE DOITYPE SITUATIONTYPE
169 %type <num> CERTTYPE CERT_X509 PROPOSAL_CHECK_LEVEL
170 %type <num> unittype_time unittype_byte
171 %type <val> QUOTEDSTRING HEXSTRING ADDRSTRING sainfo_id
172 %type <val> identifierstring
173 %type <saddr> remote_index ike_addrinfo_port
174 %type <alg> algorithm
175
176 %%
177
178 statements
179 : /* nothing */
180 | statements statement
181 ;
182 statement
183 : path_statement
184 | include_statement
185 | identifier_statement
186 | logging_statement
187 | padding_statement
188 | listen_statement
189 | timer_statement
190 | sainfo_statement
191 | remote_statement
192 | special_statement
193 ;
194
195 /* path */
196 path_statement
197 : PATH PATHTYPE QUOTEDSTRING
198 {
199 if ($2 > LC_PATHTYPE_MAX) {
200 yyerror("invalid path type %d", $2);
201 return -1;
202 }
203
204 /* free old pathinfo */
205 if (lcconf->pathinfo[$2])
206 racoon_free(lcconf->pathinfo[$2]);
207
208 /* set new pathinfo */
209 lcconf->pathinfo[$2] = strdup($3->v);
210 vfree($3);
211 }
212 EOS
213 ;
214
215 /* special */
216 special_statement
217 : COMPLEX_BUNDLE SWITCH { lcconf->complex_bundle = $2; } EOS
218 ;
219
220 /* include */
221 include_statement
222 : INCLUDE QUOTEDSTRING
223 {
224 char path[MAXPATHLEN];
225
226 getpathname(path, sizeof(path),
227 LC_PATHTYPE_INCLUDE, $2->v);
228 vfree($2);
229 if (yycf_switch_buffer(path) != 0)
230 return -1;
231 }
232 EOS
233 ;
234
235 /* self infomation */
236 identifier_statement
237 : IDENTIFIER identifier_stmt
238 ;
239 identifier_stmt
240 : VENDORID
241 {
242 /*XXX to be deleted */
243 }
244 QUOTEDSTRING EOS
245 | IDENTIFIERTYPE QUOTEDSTRING
246 {
247 /*XXX to be deleted */
248 $2->l--; /* nuke '\0' */
249 lcconf->ident[$1] = $2;
250 if (lcconf->ident[$1] == NULL) {
251 yyerror("failed to set my ident: %s",
252 strerror(errno));
253 return -1;
254 }
255 }
256 EOS
257 ;
258
259 /* logging */
260 logging_statement
261 : LOGGING log_level EOS
262 ;
263 log_level
264 : HEXSTRING
265 {
266 /*
267 * XXX ignore it because this specification
268 * will be obsoleted.
269 */
270 yywarn("see racoon.conf(5), such a log specification will be obsoleted.");
271 vfree($1);
272 }
273 | LOGLEV
274 {
275 /*
276 * set the loglevel by configuration file only when
277 * the command line did not specify any loglevel.
278 */
279 if (loglevel <= LLV_BASE)
280 loglevel += $1;
281 }
282 ;
283
284 /* padding */
285 padding_statement
286 : PADDING BOC padding_stmts EOC
287 ;
288 padding_stmts
289 : /* nothing */
290 | padding_stmts padding_stmt
291 ;
292 padding_stmt
293 : PAD_RANDOMIZE SWITCH { lcconf->pad_random = $2; } EOS
294 | PAD_RANDOMIZELEN SWITCH { lcconf->pad_randomlen = $2; } EOS
295 | PAD_MAXLEN NUMBER { lcconf->pad_maxsize = $2; } EOS
296 | PAD_STRICT SWITCH { lcconf->pad_strict = $2; } EOS
297 | PAD_EXCLTAIL SWITCH { lcconf->pad_excltail = $2; } EOS
298 ;
299
300 /* listen */
301 listen_statement
302 : LISTEN BOC listen_stmts EOC
303 ;
304 listen_stmts
305 : /* nothing */
306 | listen_stmts listen_stmt
307 ;
308 listen_stmt
309 : X_ISAKMP ike_addrinfo_port
310 {
311 struct myaddrs *p;
312
313 p = newmyaddr();
314 if (p == NULL) {
315 yyerror("failed to allocate myaddrs");
316 return -1;
317 }
318 p->addr = $2;
319 if (p->addr == NULL) {
320 yyerror("failed to copy sockaddr ");
321 delmyaddr(p);
322 return -1;
323 }
324
325 insmyaddr(p, &lcconf->myaddrs);
326
327 lcconf->autograbaddr = 0;
328 }
329 EOS
330 | X_ADMIN
331 {
332 yyerror("admin directive is obsoleted.");
333 }
334 PORT EOS
335 | STRICT_ADDRESS { lcconf->strict_address = TRUE; } EOS
336 ;
337 ike_addrinfo_port
338 : ADDRSTRING ike_port
339 {
340 char portbuf[10];
341
342 snprintf(portbuf, sizeof(portbuf), "%ld", $2);
343 $$ = str2saddr($1->v, portbuf);
344 vfree($1);
345 if (!$$)
346 return -1;
347 }
348 ;
349 ike_port
350 : /* nothing */ { $$ = PORT_ISAKMP; }
351 | PORT { $$ = $1; }
352 ;
353
354 /* timer */
355 timer_statement
356 : RETRY BOC timer_stmts EOC
357 ;
358 timer_stmts
359 : /* nothing */
360 | timer_stmts timer_stmt
361 ;
362 timer_stmt
363 : RETRY_COUNTER NUMBER
364 {
365 lcconf->retry_counter = $2;
366 }
367 EOS
368 | RETRY_INTERVAL NUMBER unittype_time
369 {
370 lcconf->retry_interval = $2 * $3;
371 }
372 EOS
373 | RETRY_PERSEND NUMBER
374 {
375 lcconf->count_persend = $2;
376 }
377 EOS
378 | RETRY_PHASE1 NUMBER unittype_time
379 {
380 lcconf->retry_checkph1 = $2 * $3;
381 }
382 EOS
383 | RETRY_PHASE2 NUMBER unittype_time
384 {
385 lcconf->wait_ph2complete = $2 * $3;
386 }
387 EOS
388 ;
389
390 /* sainfo */
391 sainfo_statement
392 : SAINFO
393 {
394 cur_sainfo = newsainfo();
395 if (cur_sainfo == NULL) {
396 yyerror("failed to allocate sainfo");
397 return -1;
398 }
399 }
400 sainfo_name BOC sainfo_specs
401 {
402 struct sainfo *check;
403
404 /* default */
405 if (cur_sainfo->algs[algclass_ipsec_enc] == 0) {
406 yyerror("no encryption algorithm at %s",
407 sainfo2str(cur_sainfo));
408 return -1;
409 }
410 if (cur_sainfo->algs[algclass_ipsec_auth] == 0) {
411 yyerror("no authentication algorithm at %s",
412 sainfo2str(cur_sainfo));
413 return -1;
414 }
415 if (cur_sainfo->algs[algclass_ipsec_comp] == 0) {
416 yyerror("no compression algorithm at %s",
417 sainfo2str(cur_sainfo));
418 return -1;
419 }
420
421 /* duplicate check */
422 check = getsainfo(cur_sainfo->idsrc, cur_sainfo->iddst);
423 if (check && (!check->idsrc && !cur_sainfo->idsrc)) {
424 yyerror("duplicated sainfo: %s",
425 sainfo2str(cur_sainfo));
426 return -1;
427 }
428 inssainfo(cur_sainfo);
429 }
430 EOC
431 ;
432 sainfo_name
433 : ANONYMOUS
434 {
435 cur_sainfo->idsrc = NULL;
436 cur_sainfo->iddst = NULL;
437 }
438 | sainfo_id sainfo_id
439 {
440 cur_sainfo->idsrc = $1;
441 cur_sainfo->iddst = $2;
442 }
443 ;
444 sainfo_id
445 : IDENTIFIERTYPE ADDRSTRING prefix port ul_proto
446 {
447 char portbuf[10];
448 struct sockaddr *saddr;
449
450 if (($5 == IPPROTO_ICMP || $5 == IPPROTO_ICMPV6)
451 && ($4 != IPSEC_PORT_ANY || $4 != IPSEC_PORT_ANY)) {
452 yyerror("port number must be \"any\".");
453 return -1;
454 }
455
456 snprintf(portbuf, sizeof(portbuf), "%lu", $4);
457 saddr = str2saddr($2->v, portbuf);
458 vfree($2);
459 if (saddr == NULL)
460 return -1;
461
462 switch (saddr->sa_family) {
463 case AF_INET:
464 if ($5 == IPPROTO_ICMPV6) {
465 yyerror("upper layer protocol mismatched.\n");
466 racoon_free(saddr);
467 return -1;
468 }
469 $$ = ipsecdoi_sockaddr2id(saddr,
470 $3 == ~0 ? (sizeof(struct in_addr) << 3): $3,
471 $5);
472 break;
473 #ifdef INET6
474 case AF_INET6:
475 if ($5 == IPPROTO_ICMP) {
476 yyerror("upper layer protocol mismatched.\n");
477 racoon_free(saddr);
478 return -1;
479 }
480 $$ = ipsecdoi_sockaddr2id(saddr,
481 $3 == ~0 ? (sizeof(struct in6_addr) << 3) : $3,
482 $5);
483 break;
484 #endif
485 default:
486 yyerror("invalid family: %d", saddr->sa_family);
487 break;
488 }
489 racoon_free(saddr);
490 if ($$ == NULL)
491 return -1;
492 }
493 | IDENTIFIERTYPE QUOTEDSTRING
494 {
495 struct ipsecdoi_id_b *id_b;
496
497 if ($1 == IDTYPE_ASN1DN) {
498 yyerror("id type forbidden: %d", $1);
499 return -1;
500 }
501
502 $2->l--;
503
504 $$ = vmalloc(sizeof(*id_b) + $2->l);
505 if ($$ == NULL) {
506 yyerror("failed to allocate identifier");
507 return -1;
508 }
509
510 id_b = (struct ipsecdoi_id_b *)$$->v;
511 id_b->type = idtype2doi($1);
512
513 id_b->proto_id = 0;
514 id_b->port = 0;
515
516 memcpy($$->v + sizeof(*id_b), $2->v, $2->l);
517 }
518 ;
519 sainfo_specs
520 : /* nothing */
521 | sainfo_specs sainfo_spec
522 ;
523 sainfo_spec
524 : PFS_GROUP dh_group_num
525 {
526 cur_sainfo->pfs_group = $2;
527 }
528 EOS
529 | LIFETIME LIFETYPE_TIME NUMBER unittype_time
530 {
531 cur_sainfo->lifetime = $3 * $4;
532 }
533 EOS
534 | LIFETIME LIFETYPE_BYTE NUMBER unittype_byte
535 {
536 #if 1
537 yyerror("byte lifetime support is deprecated");
538 return -1;
539 #else
540 cur_sainfo->lifebyte = fix_lifebyte($3 * $4);
541 if (cur_sainfo->lifebyte == 0)
542 return -1;
543 #endif
544 }
545 EOS
546 | ALGORITHM_CLASS {
547 cur_algclass = $1;
548 }
549 algorithms EOS
550 | IDENTIFIER IDENTIFIERTYPE
551 {
552 yyerror("it's deprecated to specify a identifier in phase 2");
553 }
554 EOS
555 | MY_IDENTIFIER IDENTIFIERTYPE QUOTEDSTRING
556 {
557 yyerror("it's deprecated to specify a identifier in phase 2");
558 }
559 EOS
560 ;
561
562 algorithms
563 : algorithm
564 {
565 inssainfoalg(&cur_sainfo->algs[cur_algclass], $1);
566 }
567 | algorithm
568 {
569 inssainfoalg(&cur_sainfo->algs[cur_algclass], $1);
570 }
571 COMMA algorithms
572 ;
573 algorithm
574 : ALGORITHMTYPE keylength
575 {
576 int defklen;
577
578 $$ = newsainfoalg();
579 if ($$ == NULL) {
580 yyerror("failed to get algorithm alocation");
581 return -1;
582 }
583
584 $$->alg = algtype2doi(cur_algclass, $1);
585 if ($$->alg == -1) {
586 yyerror("algorithm mismatched");
587 racoon_free($$);
588 return -1;
589 }
590
591 defklen = default_keylen(cur_algclass, $1);
592 if (defklen == 0) {
593 if ($2) {
594 yyerror("keylen not allowed");
595 racoon_free($$);
596 return -1;
597 }
598 } else {
599 if ($2 && check_keylen(cur_algclass, $1, $2) < 0) {
600 yyerror("invalid keylen %d", $2);
601 racoon_free($$);
602 return -1;
603 }
604 }
605
606 if ($2)
607 $$->encklen = $2;
608 else
609 $$->encklen = defklen;
610
611 /* check if it's supported algorithm by kernel */
612 if (!(cur_algclass == algclass_ipsec_auth && $1 == algtype_non_auth)
613 && pk_checkalg(cur_algclass, $1, $$->encklen)) {
614 int a = algclass2doi(cur_algclass);
615 int b = algtype2doi(cur_algclass, $1);
616 if (a == IPSECDOI_ATTR_AUTH)
617 a = IPSECDOI_PROTO_IPSEC_AH;
618 yyerror("algorithm %s not supported",
619 s_ipsecdoi_trns(a, b));
620 racoon_free($$);
621 return -1;
622 }
623 }
624 ;
625 prefix
626 : /* nothing */ { $$ = ~0; }
627 | PREFIX { $$ = $1; }
628 ;
629 port
630 : /* nothing */ { $$ = IPSEC_PORT_ANY; }
631 | PORT { $$ = $1; }
632 | PORTANY { $$ = IPSEC_PORT_ANY; }
633 ;
634 ul_proto
635 : NUMBER { $$ = $1; }
636 | UL_PROTO { $$ = $1; }
637 | ANY { $$ = IPSEC_ULPROTO_ANY; }
638 ;
639 keylength
640 : /* nothing */ { $$ = 0; }
641 | NUMBER { $$ = $1; }
642 ;
643
644 /* remote */
645 remote_statement
646 : REMOTE remote_index
647 {
648 struct remoteconf *new;
649 struct proposalspec *prspec;
650
651 new = newrmconf();
652 if (new == NULL) {
653 yyerror("failed to get new remoteconf.");
654 return -1;
655 }
656
657 new->remote = $2;
658 cur_rmconf = new;
659
660 prspec = newprspec();
661 if (prspec == NULL)
662 return -1;
663 prspec->lifetime = oakley_get_defaultlifetime();
664 insprspec(prspec, &prhead);
665 }
666 BOC remote_specs
667 {
668 /* check a exchange mode */
669 if (cur_rmconf->etypes == NULL) {
670 yyerror("no exchange mode specified.\n");
671 return -1;
672 }
673
674 if (cur_rmconf->idvtype == IDTYPE_ASN1DN
675 && cur_rmconf->mycertfile == NULL) {
676 yyerror("id type mismatched due to "
677 "no CERT defined.\n");
678 return -1;
679 }
680
681 if (set_isakmp_proposal(cur_rmconf, prhead) != 0)
682 return -1;
683
684 /* DH group settting if aggressive mode is there. */
685 if (check_etypeok(cur_rmconf, ISAKMP_ETYPE_AGG) != NULL) {
686 struct isakmpsa *p;
687 int b = 0;
688
689 /* DH group */
690 for (p = cur_rmconf->proposal; p; p = p->next) {
691 if (b == 0 || (b && b == p->dh_group)) {
692 b = p->dh_group;
693 continue;
694 }
695 yyerror("DH group must be equal "
696 "to each proposals's "
697 "when aggressive mode is "
698 "used.\n");
699 return -1;
700 }
701 cur_rmconf->dh_group = b;
702
703 if (cur_rmconf->dh_group == 0) {
704 yyerror("DH group must be required.\n");
705 return -1;
706 }
707
708 /* DH group settting if PFS is required. */
709 if (oakley_setdhgroup(cur_rmconf->dh_group,
710 &cur_rmconf->dhgrp) < 0) {
711 yyerror("failed to set DH value.\n");
712 return -1;
713 }
714 }
715
716 insrmconf(cur_rmconf);
717
718 cleanprhead();
719 }
720 EOC
721 ;
722 remote_index
723 : ANONYMOUS ike_port
724 {
725 $$ = newsaddr(sizeof(struct sockaddr *));
726 $$->sa_family = AF_UNSPEC;
727 ((struct sockaddr_in *)$$)->sin_port = htons($2);
728 }
729 | ike_addrinfo_port
730 {
731 $$ = $1;
732 if ($$ == NULL) {
733 yyerror("failed to allocate sockaddr");
734 return -1;
735 }
736 }
737 ;
738 remote_specs
739 : /* nothing */
740 | remote_specs remote_spec
741 ;
742 remote_spec
743 : EXCHANGE_MODE exchange_types EOS
744 | DOI DOITYPE { cur_rmconf->doitype = $2; } EOS
745 | SITUATION SITUATIONTYPE { cur_rmconf->sittype = $2; } EOS
746 | CERTIFICATE_TYPE cert_spec
747 | PEERS_CERTFILE QUOTEDSTRING
748 {
749 #ifdef HAVE_SIGNING_C
750 cur_rmconf->getcert_method = ISAKMP_GETCERT_LOCALFILE;
751 cur_rmconf->peerscertfile = strdup($2->v);
752 vfree($2);
753 #else
754 yyerror("directive not supported");
755 return -1;
756 #endif
757 }
758 EOS
759 | PEERS_CERTFILE DNSSEC
760 {
761 #ifdef HAVE_SIGNING_C
762 cur_rmconf->getcert_method = ISAKMP_GETCERT_DNS;
763 cur_rmconf->peerscertfile = NULL;
764 #else
765 yyerror("directive not supported");
766 return -1;
767 #endif
768 }
769 EOS
770 | VERIFY_CERT SWITCH { cur_rmconf->verify_cert = $2; } EOS
771 | SEND_CERT SWITCH { cur_rmconf->send_cert = $2; } EOS
772 | SEND_CR SWITCH { cur_rmconf->send_cr = $2; } EOS
773 | IDENTIFIER IDENTIFIERTYPE
774 {
775 /*XXX to be deleted */
776 cur_rmconf->idvtype = $2;
777 }
778 EOS
779 | MY_IDENTIFIER IDENTIFIERTYPE identifierstring
780 {
781 if (set_identifier(&cur_rmconf->idv, $2, $3) != 0) {
782 yyerror("failed to set identifer.\n");
783 return -1;
784 }
785 cur_rmconf->idvtype = $2;
786 }
787 EOS
788 | PEERS_IDENTIFIER IDENTIFIERTYPE identifierstring
789 {
790 if (set_identifier(&cur_rmconf->idv_p, $2, $3) != 0) {
791 yyerror("failed to set identifer.\n");
792 return -1;
793 }
794 cur_rmconf->idvtype_p = $2;
795 }
796 EOS
797 | VERIFY_IDENTIFIER SWITCH { cur_rmconf->verify_identifier = $2; } EOS
798 | NONCE_SIZE NUMBER { cur_rmconf->nonce_size = $2; } EOS
799 | DH_GROUP
800 {
801 yyerror("dh_group cannot be defined here.");
802 return -1;
803 }
804 dh_group_num EOS
805 | KEEPALIVE { cur_rmconf->keepalive = TRUE; } EOS
806 | PASSIVE SWITCH { cur_rmconf->passive = $2; } EOS
807 | GENERATE_POLICY SWITCH { cur_rmconf->gen_policy = $2; } EOS
808 | SUPPORT_MIP6 SWITCH { cur_rmconf->support_mip6 = $2; } EOS
809 | INITIAL_CONTACT SWITCH { cur_rmconf->ini_contact = $2; } EOS
810 | PROPOSAL_CHECK PROPOSAL_CHECK_LEVEL { cur_rmconf->pcheck_level = $2; } EOS
811 | LIFETIME LIFETYPE_TIME NUMBER unittype_time
812 {
813 prhead->lifetime = $3 * $4;
814 }
815 EOS
816 | LIFETIME LIFETYPE_BYTE NUMBER unittype_byte
817 {
818 #if 1
819 yyerror("byte lifetime support is deprecated");
820 return -1;
821 #else
822 yywarn("the lifetime of bytes in phase 1 "
823 "will be ignored at the moment.");
824 prhead->lifebyte = fix_lifebyte($3 * $4);
825 if (prhead->lifebyte == 0)
826 return -1;
827 #endif
828 }
829 EOS
830 | PROPOSAL
831 {
832 struct secprotospec *spspec;
833
834 spspec = newspspec();
835 if (spspec == NULL)
836 return -1;
837 insspspec(spspec, &prhead);
838 }
839 BOC isakmpproposal_specs EOC
840 ;
841 exchange_types
842 : /* nothing */
843 | exchange_types EXCHANGETYPE
844 {
845 struct etypes *new;
846 new = racoon_malloc(sizeof(struct etypes));
847 if (new == NULL) {
848 yyerror("filed to allocate etypes");
849 return -1;
850 }
851 new->type = $2;
852 new->next = NULL;
853 if (cur_rmconf->etypes == NULL)
854 cur_rmconf->etypes = new;
855 else {
856 struct etypes *p;
857 for (p = cur_rmconf->etypes;
858 p->next != NULL;
859 p = p->next)
860 ;
861 p->next = new;
862 }
863 }
864 ;
865 cert_spec
866 : CERT_X509 QUOTEDSTRING QUOTEDSTRING
867 {
868 #ifdef HAVE_SIGNING_C
869 cur_rmconf->certtype = $1;
870 cur_rmconf->mycertfile = strdup($2->v);
871 vfree($2);
872 cur_rmconf->myprivfile = strdup($3->v);
873 vfree($3);
874 #else
875 yyerror("directive not supported");
876 return -1;
877 #endif
878 }
879 EOS
880 ;
881 dh_group_num
882 : ALGORITHMTYPE
883 {
884 $$ = algtype2doi(algclass_isakmp_dh, $1);
885 if ($$ == -1) {
886 yyerror("must be DH group");
887 return -1;
888 }
889 }
890 | NUMBER
891 {
892 if (ARRAYLEN(num2dhgroup) > $1 && num2dhgroup[$1] != 0) {
893 $$ = num2dhgroup[$1];
894 } else {
895 yyerror("must be DH group");
896 return -1;
897 }
898 }
899 ;
900 identifierstring
901 : /* nothing */ { $$ = NULL; }
902 | ADDRSTRING { $$ = $1; }
903 | QUOTEDSTRING { $$ = $1; }
904 ;
905 isakmpproposal_specs
906 : /* nothing */
907 | isakmpproposal_specs isakmpproposal_spec
908 ;
909 isakmpproposal_spec
910 : STRENGTH
911 {
912 yyerror("strength directive is obsoleted.");
913 } STRENGTHTYPE EOS
914 | LIFETIME LIFETYPE_TIME NUMBER unittype_time
915 {
916 prhead->spspec->lifetime = $3 * $4;
917 }
918 EOS
919 | LIFETIME LIFETYPE_BYTE NUMBER unittype_byte
920 {
921 #if 1
922 yyerror("byte lifetime support is deprecated");
923 return -1;
924 #else
925 prhead->spspec->lifebyte = fix_lifebyte($3 * $4);
926 if (prhead->spspec->lifebyte == 0)
927 return -1;
928 #endif
929 }
930 EOS
931 | DH_GROUP dh_group_num
932 {
933 prhead->spspec->algclass[algclass_isakmp_dh] = $2;
934 }
935 EOS
936 | GSSAPI_ID QUOTEDSTRING
937 {
938 if (prhead->spspec->vendorid != VENDORID_GSSAPI) {
939 yyerror("wrong Vendor ID for gssapi_id");
940 return -1;
941 }
942 prhead->spspec->gssid = strdup($2->v);
943 }
944 EOS
945 | ALGORITHM_CLASS ALGORITHMTYPE keylength
946 {
947 int doi;
948 int defklen;
949
950 doi = algtype2doi($1, $2);
951 if (doi == -1) {
952 yyerror("algorithm mismatched 1");
953 return -1;
954 }
955
956 switch ($1) {
957 case algclass_isakmp_enc:
958 /* reject suppressed algorithms */
959 #ifndef HAVE_OPENSSL_RC5_H
960 if ($2 == algtype_rc5) {
961 yyerror("algorithm %s not supported",
962 s_attr_isakmp_enc(doi));
963 return -1;
964 }
965 #endif
966 #ifndef HAVE_OPENSSL_IDEA_H
967 if ($2 == algtype_idea) {
968 yyerror("algorithm %s not supported",
969 s_attr_isakmp_enc(doi));
970 return -1;
971 }
972 #endif
973
974 prhead->spspec->algclass[algclass_isakmp_enc] = doi;
975 defklen = default_keylen($1, $2);
976 if (defklen == 0) {
977 if ($3) {
978 yyerror("keylen not allowed");
979 return -1;
980 }
981 } else {
982 if ($3 && check_keylen($1, $2, $3) < 0) {
983 yyerror("invalid keylen %d", $3);
984 return -1;
985 }
986 }
987 if ($3)
988 prhead->spspec->encklen = $3;
989 else
990 prhead->spspec->encklen = defklen;
991 break;
992 case algclass_isakmp_hash:
993 prhead->spspec->algclass[algclass_isakmp_hash] = doi;
994 break;
995 case algclass_isakmp_ameth:
996 prhead->spspec->algclass[algclass_isakmp_ameth] = doi;
997 /*
998 * We may have to set the Vendor ID for the
999 * authentication method we're using.
1000 */
1001 switch ($2) {
1002 case algtype_gssapikrb:
1003 if (prhead->spspec->vendorid !=
1004 VENDORID_UNKNOWN) {
1005 yyerror("Vendor ID mismatch "
1006 "for auth method");
1007 return -1;
1008 }
1009 /*
1010 * For interoperability with Win2k,
1011 * we set the Vendor ID to "GSSAPI".
1012 */
1013 prhead->spspec->vendorid =
1014 VENDORID_GSSAPI;
1015 break;
1016 default:
1017 break;
1018 }
1019 break;
1020 default:
1021 yyerror("algorithm mismatched 2");
1022 return -1;
1023 }
1024 }
1025 EOS
1026 ;
1027
1028 unittype_time
1029 : UNITTYPE_SEC { $$ = 1; }
1030 | UNITTYPE_MIN { $$ = 60; }
1031 | UNITTYPE_HOUR { $$ = (60 * 60); }
1032 ;
1033 unittype_byte
1034 : UNITTYPE_BYTE { $$ = 1; }
1035 | UNITTYPE_KBYTES { $$ = 1024; }
1036 | UNITTYPE_MBYTES { $$ = (1024 * 1024); }
1037 | UNITTYPE_TBYTES { $$ = (1024 * 1024 * 1024); }
1038 ;
1039 %%
1040
1041 static struct proposalspec *
1042 newprspec()
1043 {
1044 struct proposalspec *new;
1045
1046 new = racoon_calloc(1, sizeof(*new));
1047 if (new == NULL)
1048 yyerror("failed to allocate proposal");
1049
1050 return new;
1051 }
1052
1053 static void
1054 cleanprhead()
1055 {
1056 struct proposalspec *p, *next;
1057
1058 if (prhead == NULL)
1059 return;
1060
1061 for (p = prhead; p != NULL; p = next) {
1062 next = p->next;
1063 racoon_free(p);
1064 }
1065
1066 prhead = NULL;
1067 }
1068
1069 /*
1070 * insert into head of list.
1071 */
1072 static void
1073 insprspec(prspec, head)
1074 struct proposalspec *prspec;
1075 struct proposalspec **head;
1076 {
1077 if (*head != NULL)
1078 (*head)->prev = prspec;
1079 prspec->next = *head;
1080 *head = prspec;
1081 }
1082
1083 static struct secprotospec *
1084 newspspec()
1085 {
1086 struct secprotospec *new;
1087
1088 new = racoon_calloc(1, sizeof(*new));
1089 if (new == NULL) {
1090 yyerror("failed to allocate spproto");
1091 return NULL;
1092 }
1093
1094 new->encklen = 0; /*XXX*/
1095
1096 /*
1097 * Default to "uknown" vendor -- we will override this
1098 * as necessary. When we send a Vendor ID payload, an
1099 * "unknown" will be translated to a KAME/racoon ID.
1100 */
1101 new->vendorid = VENDORID_UNKNOWN;
1102
1103 return new;
1104 }
1105
1106 /*
1107 * insert into head of list.
1108 */
1109 static void
1110 insspspec(spspec, head)
1111 struct secprotospec *spspec;
1112 struct proposalspec **head;
1113 {
1114 spspec->back = *head;
1115
1116 if ((*head)->spspec != NULL)
1117 (*head)->spspec->prev = spspec;
1118 spspec->next = (*head)->spspec;
1119 (*head)->spspec = spspec;
1120 }
1121
1122 /* set final acceptable proposal */
1123 static int
1124 set_isakmp_proposal(rmconf, prspec)
1125 struct remoteconf *rmconf;
1126 struct proposalspec *prspec;
1127 {
1128 struct proposalspec *p;
1129 struct secprotospec *s;
1130 int prop_no = 1;
1131 int trns_no = 1;
1132 u_int32_t types[MAXALGCLASS];
1133
1134 p = prspec;
1135 if (p->next != 0) {
1136 plog(LLV_ERROR, LOCATION, NULL,
1137 "multiple proposal definition.\n");
1138 return -1;
1139 }
1140
1141 /* mandatory check */
1142 if (p->spspec == NULL) {
1143 yyerror("no remote specification found: %s.\n",
1144 rm2str(rmconf));
1145 return -1;
1146 }
1147 for (s = p->spspec; s != NULL; s = s->next) {
1148 /* XXX need more to check */
1149 if (s->algclass[algclass_isakmp_enc] == 0) {
1150 yyerror("encryption algorithm required.");
1151 return -1;
1152 }
1153 if (s->algclass[algclass_isakmp_hash] == 0) {
1154 yyerror("hash algorithm required.");
1155 return -1;
1156 }
1157 if (s->algclass[algclass_isakmp_dh] == 0) {
1158 yyerror("DH group required.");
1159 return -1;
1160 }
1161 if (s->algclass[algclass_isakmp_ameth] == 0) {
1162 yyerror("authentication method required.");
1163 return -1;
1164 }
1165 }
1166
1167 /* skip to last part */
1168 for (s = p->spspec; s->next != NULL; s = s->next)
1169 ;
1170
1171 while (s != NULL) {
1172 plog(LLV_DEBUG2, LOCATION, NULL,
1173 "lifetime = %ld\n", (long)
1174 (s->lifetime ? s->lifetime : p->lifetime));
1175 plog(LLV_DEBUG2, LOCATION, NULL,
1176 "lifebyte = %d\n",
1177 s->lifebyte ? s->lifebyte : p->lifebyte);
1178 plog(LLV_DEBUG2, LOCATION, NULL,
1179 "encklen=%d\n", s->encklen);
1180
1181 memset(types, 0, ARRAYLEN(types));
1182 types[algclass_isakmp_enc] = s->algclass[algclass_isakmp_enc];
1183 types[algclass_isakmp_hash] = s->algclass[algclass_isakmp_hash];
1184 types[algclass_isakmp_dh] = s->algclass[algclass_isakmp_dh];
1185 types[algclass_isakmp_ameth] =
1186 s->algclass[algclass_isakmp_ameth];
1187
1188 /* expanding spspec */
1189 clean_tmpalgtype();
1190 trns_no = expand_isakmpspec(prop_no, trns_no, types,
1191 algclass_isakmp_enc, algclass_isakmp_ameth + 1,
1192 s->lifetime ? s->lifetime : p->lifetime,
1193 s->lifebyte ? s->lifebyte : p->lifebyte,
1194 s->encklen, s->vendorid, s->gssid,
1195 rmconf);
1196 if (trns_no == -1) {
1197 plog(LLV_ERROR, LOCATION, NULL,
1198 "failed to expand isakmp proposal.\n");
1199 return -1;
1200 }
1201
1202 s = s->prev;
1203 }
1204
1205 if (rmconf->proposal == NULL) {
1206 plog(LLV_ERROR, LOCATION, NULL,
1207 "no proposal found.\n");
1208 return -1;
1209 }
1210
1211 return 0;
1212 }
1213
1214 static void
1215 clean_tmpalgtype()
1216 {
1217 int i;
1218 for (i = 0; i < MAXALGCLASS; i++)
1219 tmpalgtype[i] = 0; /* means algorithm undefined. */
1220 }
1221
1222 static int
1223 expand_isakmpspec(prop_no, trns_no, types,
1224 class, last, lifetime, lifebyte, encklen, vendorid, gssid,
1225 rmconf)
1226 int prop_no, trns_no;
1227 int *types, class, last;
1228 time_t lifetime;
1229 int lifebyte;
1230 int encklen;
1231 int vendorid;
1232 char *gssid;
1233 struct remoteconf *rmconf;
1234 {
1235 struct isakmpsa *new;
1236
1237 /* debugging */
1238 {
1239 int j;
1240 char tb[10];
1241 plog(LLV_DEBUG2, LOCATION, NULL,
1242 "p:%d t:%d\n", prop_no, trns_no);
1243 for (j = class; j < MAXALGCLASS; j++) {
1244 snprintf(tb, sizeof(tb), "%d", types[j]);
1245 plog(LLV_DEBUG2, LOCATION, NULL,
1246 "%s%s%s%s\n",
1247 s_algtype(j, types[j]),
1248 types[j] ? "(" : "",
1249 tb[0] == '0' ? "" : tb,
1250 types[j] ? ")" : "");
1251 }
1252 plog(LLV_DEBUG2, LOCATION, NULL, "\n");
1253 }
1254
1255 #define TMPALGTYPE2STR(n) \
1256 s_algtype(algclass_isakmp_##n, types[algclass_isakmp_##n])
1257 /* check mandatory values */
1258 if (types[algclass_isakmp_enc] == 0
1259 || types[algclass_isakmp_ameth] == 0
1260 || types[algclass_isakmp_hash] == 0
1261 || types[algclass_isakmp_dh] == 0) {
1262 yyerror("few definition of algorithm "
1263 "enc=%s ameth=%s hash=%s dhgroup=%s.\n",
1264 TMPALGTYPE2STR(enc),
1265 TMPALGTYPE2STR(ameth),
1266 TMPALGTYPE2STR(hash),
1267 TMPALGTYPE2STR(dh));
1268 return -1;
1269 }
1270 #undef TMPALGTYPE2STR
1271
1272 /* set new sa */
1273 new = newisakmpsa();
1274 if (new == NULL) {
1275 yyerror("failed to allocate isakmp sa");
1276 return -1;
1277 }
1278 new->prop_no = prop_no;
1279 new->trns_no = trns_no++;
1280 new->lifetime = lifetime;
1281 new->lifebyte = lifebyte;
1282 new->enctype = types[algclass_isakmp_enc];
1283 new->encklen = encklen;
1284 new->authmethod = types[algclass_isakmp_ameth];
1285 new->hashtype = types[algclass_isakmp_hash];
1286 new->dh_group = types[algclass_isakmp_dh];
1287 new->vendorid = vendorid;
1288 #ifdef HAVE_GSSAPI
1289 if (gssid != NULL) {
1290 new->gssid = vmalloc(strlen(gssid) + 1);
1291 memcpy(new->gssid->v, gssid, new->gssid->l);
1292 racoon_free(gssid);
1293 } else
1294 new->gssid = NULL;
1295 #endif
1296 insisakmpsa(new, rmconf);
1297
1298 return trns_no;
1299 }
1300
1301 #if 0
1302 /*
1303 * fix lifebyte.
1304 * Must be more than 1024B because its unit is kilobytes.
1305 * That is defined RFC2407.
1306 */
1307 static int
1308 fix_lifebyte(t)
1309 unsigned long t;
1310 {
1311 if (t < 1024) {
1312 yyerror("byte size should be more than 1024B.");
1313 return 0;
1314 }
1315
1316 return(t / 1024);
1317 }
1318 #endif
1319
1320 int
1321 cfparse()
1322 {
1323 int error;
1324
1325 yycf_init_buffer();
1326
1327 if (yycf_set_buffer(lcconf->racoon_conf) != 0)
1328 return -1;
1329
1330 prhead = NULL;
1331
1332 error = yyparse();
1333 if (error != 0) {
1334 if (yyerrorcount) {
1335 plog(LLV_ERROR, LOCATION, NULL,
1336 "fatal parse failure (%d errors)\n",
1337 yyerrorcount);
1338 } else {
1339 plog(LLV_ERROR, LOCATION, NULL,
1340 "fatal parse failure.\n");
1341 }
1342 return -1;
1343 }
1344
1345 if (error == 0 && yyerrorcount) {
1346 plog(LLV_ERROR, LOCATION, NULL,
1347 "parse error is nothing, but yyerrorcount is %d.\n",
1348 yyerrorcount);
1349 exit(1);
1350 }
1351
1352 yycf_clean_buffer();
1353
1354 plog(LLV_DEBUG2, LOCATION, NULL, "parse successed.\n");
1355
1356 return 0;
1357 }
1358
1359 int
1360 cfreparse()
1361 {
1362 flushph2();
1363 flushph1();
1364 flushrmconf();
1365 cleanprhead();
1366 clean_tmpalgtype();
1367 yycf_init_buffer();
1368
1369 if (yycf_set_buffer(lcconf->racoon_conf) != 0)
1370 return -1;
1371
1372 return(cfparse());
1373 }
1374
mirror of network_cmds