1 /* $KAME: cfparse.y,v 1.114 2003/02/03 08:27:50 itojun Exp $ */
7 #include <sys/socket.h>
9 #include <netinet/in.h>
10 #include <netinet6/ipsec.h>
11 #include <netkey/key_var.h>
19 #if !defined(HAVE_GETADDRINFO) || !defined(HAVE_GETNAMEINFO)
31 /*#include "cfparse.h"*/
33 #include "algorithm.h"
34 #include "localconf.h"
39 #include "remoteconf.h"
40 #include "grabmyaddr.h"
41 #include "isakmp_var.h"
44 #include "ipsec_doi.h"
51 #include <CoreFoundation/CFData.h>
54 time_t lifetime; /* for isakmp/ipsec */
55 int lifebyte; /* for isakmp/ipsec */
56 struct secprotospec *spspec; /* the head is always current spec. */
57 struct proposalspec *next; /* the tail is the most prefered. */
58 struct proposalspec *prev;
64 int strength; /* for isakmp/ipsec */
65 int encklen; /* for isakmp/ipsec */
66 time_t lifetime; /* for isakmp */
67 int lifebyte; /* for isakmp */
68 int proto_id; /* for ipsec (isakmp?) */
69 int ipsec_level; /* for ipsec */
70 int encmode; /* for ipsec */
71 int vendorid; /* for isakmp */
73 struct sockaddr *remote;
74 int algclass[MAXALGCLASS];
76 struct secprotospec *next; /* the tail is the most prefiered. */
77 struct secprotospec *prev;
78 struct proposalspec *back;
81 static int num2dhgroup[] = {
83 OAKLEY_ATTR_GRP_DESC_MODP768,
84 OAKLEY_ATTR_GRP_DESC_MODP1024,
85 OAKLEY_ATTR_GRP_DESC_EC2N155,
86 OAKLEY_ATTR_GRP_DESC_EC2N185,
87 OAKLEY_ATTR_GRP_DESC_MODP1536,
90 static struct remoteconf *cur_rmconf;
91 static int tmpalgtype[MAXALGCLASS];
92 static struct sainfo *cur_sainfo;
93 static int cur_algclass;
95 static struct proposalspec *prhead; /* the head is always current. */
97 static struct proposalspec *newprspec __P((void));
98 static void cleanprhead __P((void));
99 static void insprspec __P((struct proposalspec *, struct proposalspec **));
100 static struct secprotospec *newspspec __P((void));
101 static void insspspec __P((struct secprotospec *, struct proposalspec **));
103 static int set_isakmp_proposal
104 __P((struct remoteconf *, struct proposalspec *));
105 static void clean_tmpalgtype __P((void));
106 static int expand_isakmpspec __P((int, int, int *,
107 int, int, time_t, int, int, int, char *, struct remoteconf *));
109 static int base64toCFData(vchar_t *, CFDataRef*);
112 static int fix_lifebyte __P((u_long));
119 struct remoteconf *rmconf;
120 struct sockaddr *saddr;
121 struct sainfoalg *alg;
128 /* self information */
129 %token IDENTIFIER VENDORID
131 %token LOGGING LOGLEV
133 %token PADDING PAD_RANDOMIZE PAD_RANDOMIZELEN PAD_MAXLEN PAD_STRICT PAD_EXCLTAIL
135 %token LISTEN X_ISAKMP X_ADMIN STRICT_ADDRESS
137 %token RETRY RETRY_COUNTER RETRY_INTERVAL RETRY_PERSEND
138 %token RETRY_PHASE1 RETRY_PHASE2
140 %token ALGORITHM_CLASS ALGORITHMTYPE STRENGTHTYPE
144 %token REMOTE ANONYMOUS
145 %token EXCHANGE_MODE EXCHANGETYPE DOI DOITYPE SITUATION SITUATIONTYPE
146 %token CERTIFICATE_TYPE CERTTYPE PEERS_CERTFILE VERIFY_CERT SEND_CERT SEND_CR
147 %token IDENTIFIERTYPE MY_IDENTIFIER PEERS_IDENTIFIER VERIFY_IDENTIFIER
148 %token SHARED_SECRET SECRETTYPE
149 %token OPEN_DIR_AUTH_GROUP IN_KEYCHAIN
150 %token CERTIFICATE_VERIFICATION VERIFICATION_MODULE VERIFICATION_OPTION
151 %token DNSSEC CERT_X509
152 %token NONCE_SIZE DH_GROUP KEEPALIVE PASSIVE INITIAL_CONTACT
153 %token PROPOSAL_CHECK PROPOSAL_CHECK_LEVEL
154 %token GENERATE_POLICY SUPPORT_MIP6
156 %token EXEC_PATH EXEC_COMMAND EXEC_SUCCESS EXEC_FAILURE
158 %token COMPLEX_BUNDLE
160 %token PREFIX PORT PORTANY UL_PROTO ANY
161 %token PFS_GROUP LIFETIME LIFETYPE_TIME LIFETYPE_BYTE STRENGTH
163 %token NUMBER SWITCH BOOLEAN
164 %token HEXSTRING QUOTEDSTRING ADDRSTRING
165 %token UNITTYPE_BYTE UNITTYPE_KBYTES UNITTYPE_MBYTES UNITTYPE_TBYTES
166 %token UNITTYPE_SEC UNITTYPE_MIN UNITTYPE_HOUR
167 %token EOS BOC EOC COMMA
169 %type <num> NUMBER BOOLEAN SWITCH keylength
170 %type <num> PATHTYPE IDENTIFIERTYPE LOGLEV
171 %type <num> SECRETTYPE
172 %type <num> ALGORITHM_CLASS dh_group_num
173 %type <num> ALGORITHMTYPE STRENGTHTYPE
174 %type <num> PREFIX prefix PORT port ike_port
175 %type <num> ul_proto UL_PROTO
176 %type <num> EXCHANGETYPE DOITYPE SITUATIONTYPE
177 %type <num> CERTTYPE CERT_X509 PROPOSAL_CHECK_LEVEL
178 %type <num> VERIFICATION_MODULE VERIFICATION_OPTION
179 %type <num> unittype_time unittype_byte
180 %type <val> QUOTEDSTRING HEXSTRING ADDRSTRING sainfo_id
181 %type <val> identifierstring
182 %type <saddr> remote_index ike_addrinfo_port
183 %type <alg> algorithm
189 | statements statement
194 | identifier_statement
206 : PATH PATHTYPE QUOTEDSTRING
208 if ($2 > LC_PATHTYPE_MAX) {
209 yyerror("invalid path type %d", $2);
213 /* free old pathinfo */
214 if (lcconf->pathinfo[$2])
215 racoon_free(lcconf->pathinfo[$2]);
217 /* set new pathinfo */
218 lcconf->pathinfo[$2] = strdup($3->v);
226 : COMPLEX_BUNDLE SWITCH { lcconf->complex_bundle = $2; } EOS
231 : INCLUDE QUOTEDSTRING EOS
233 char path[MAXPATHLEN];
235 getpathname(path, sizeof(path),
236 LC_PATHTYPE_INCLUDE, $2->v);
238 if (yycf_switch_buffer(path) != 0)
243 /* self infomation */
245 : IDENTIFIER identifier_stmt
250 /*XXX to be deleted */
253 | IDENTIFIERTYPE QUOTEDSTRING
255 /*XXX to be deleted */
256 $2->l--; /* nuke '\0' */
257 lcconf->ident[$1] = $2;
258 if (lcconf->ident[$1] == NULL) {
259 yyerror("failed to set my ident: %s",
269 : LOGGING log_level EOS
275 * XXX ignore it because this specification
278 yywarn("see racoon.conf(5), such a log specification will be obsoleted.");
284 * set the loglevel by configuration file only when
285 * the command line did not specify any loglevel.
287 if (loglevel <= LLV_BASE)
294 : PADDING BOC padding_stmts EOC
298 | padding_stmts padding_stmt
301 : PAD_RANDOMIZE SWITCH { lcconf->pad_random = $2; } EOS
302 | PAD_RANDOMIZELEN SWITCH { lcconf->pad_randomlen = $2; } EOS
303 | PAD_MAXLEN NUMBER { lcconf->pad_maxsize = $2; } EOS
304 | PAD_STRICT SWITCH { lcconf->pad_strict = $2; } EOS
305 | PAD_EXCLTAIL SWITCH { lcconf->pad_excltail = $2; } EOS
310 : LISTEN BOC listen_stmts EOC
314 | listen_stmts listen_stmt
317 : X_ISAKMP ike_addrinfo_port
323 yyerror("failed to allocate myaddrs");
327 if (p->addr == NULL) {
328 yyerror("failed to copy sockaddr ");
335 insmyaddr(p, &lcconf->myaddrs);
337 lcconf->autograbaddr = 0;
342 yyerror("admin directive is obsoleted.");
345 | STRICT_ADDRESS { lcconf->strict_address = TRUE; } EOS
348 : ADDRSTRING ike_port
352 snprintf(portbuf, sizeof(portbuf), "%ld", $2);
353 $$ = str2saddr($1->v, portbuf);
360 : /* nothing */ { $$ = PORT_ISAKMP; }
366 : RETRY BOC timer_stmts EOC
370 | timer_stmts timer_stmt
373 : RETRY_COUNTER NUMBER
375 lcconf->retry_counter = $2;
378 | RETRY_INTERVAL NUMBER unittype_time
380 lcconf->retry_interval = $2 * $3;
383 | RETRY_PERSEND NUMBER
385 lcconf->count_persend = $2;
388 | RETRY_PHASE1 NUMBER unittype_time
390 lcconf->retry_checkph1 = $2 * $3;
393 | RETRY_PHASE2 NUMBER unittype_time
395 lcconf->wait_ph2complete = $2 * $3;
404 cur_sainfo = newsainfo();
405 if (cur_sainfo == NULL) {
406 yyerror("failed to allocate sainfo");
410 sainfo_name BOC sainfo_specs
412 struct sainfo *check;
415 if (cur_sainfo->algs[algclass_ipsec_enc] == 0) {
416 yyerror("no encryption algorithm at %s",
417 sainfo2str(cur_sainfo));
420 if (cur_sainfo->algs[algclass_ipsec_auth] == 0) {
421 yyerror("no authentication algorithm at %s",
422 sainfo2str(cur_sainfo));
425 if (cur_sainfo->algs[algclass_ipsec_comp] == 0) {
426 yyerror("no compression algorithm at %s",
427 sainfo2str(cur_sainfo));
431 /* duplicate check */
432 check = getsainfo(cur_sainfo->idsrc, cur_sainfo->iddst);
433 if (check && (!check->idsrc && !cur_sainfo->idsrc)) {
434 yyerror("duplicated sainfo: %s",
435 sainfo2str(cur_sainfo));
438 inssainfo(cur_sainfo);
445 cur_sainfo->idsrc = NULL;
446 cur_sainfo->iddst = NULL;
448 | sainfo_id sainfo_id
450 cur_sainfo->idsrc = $1;
451 cur_sainfo->iddst = $2;
455 : IDENTIFIERTYPE ADDRSTRING prefix port ul_proto
458 struct sockaddr *saddr;
460 if (($5 == IPPROTO_ICMP || $5 == IPPROTO_ICMPV6)
461 && ($4 != IPSEC_PORT_ANY || $4 != IPSEC_PORT_ANY)) {
462 yyerror("port number must be \"any\".");
466 snprintf(portbuf, sizeof(portbuf), "%lu", $4);
467 saddr = str2saddr($2->v, portbuf);
472 switch (saddr->sa_family) {
474 if ($5 == IPPROTO_ICMPV6) {
475 yyerror("upper layer protocol mismatched.\n");
479 $$ = ipsecdoi_sockaddr2id(saddr,
480 $3 == ~0 ? (sizeof(struct in_addr) << 3): $3,
485 if ($5 == IPPROTO_ICMP) {
486 yyerror("upper layer protocol mismatched.\n");
490 $$ = ipsecdoi_sockaddr2id(saddr,
491 $3 == ~0 ? (sizeof(struct in6_addr) << 3) : $3,
496 yyerror("invalid family: %d", saddr->sa_family);
503 | IDENTIFIERTYPE QUOTEDSTRING
505 struct ipsecdoi_id_b *id_b;
507 if ($1 == IDTYPE_ASN1DN) {
508 yyerror("id type forbidden: %d", $1);
514 $$ = vmalloc(sizeof(*id_b) + $2->l);
516 yyerror("failed to allocate identifier");
520 id_b = (struct ipsecdoi_id_b *)$$->v;
521 id_b->type = idtype2doi($1);
526 memcpy($$->v + sizeof(*id_b), $2->v, $2->l);
531 | sainfo_specs sainfo_spec
534 : PFS_GROUP dh_group_num
536 cur_sainfo->pfs_group = $2;
539 | LIFETIME LIFETYPE_TIME NUMBER unittype_time
541 cur_sainfo->lifetime = $3 * $4;
544 | LIFETIME LIFETYPE_BYTE NUMBER unittype_byte
547 yyerror("byte lifetime support is deprecated");
550 cur_sainfo->lifebyte = fix_lifebyte($3 * $4);
551 if (cur_sainfo->lifebyte == 0)
560 | IDENTIFIER IDENTIFIERTYPE
562 yyerror("it's deprecated to specify a identifier in phase 2");
565 | MY_IDENTIFIER IDENTIFIERTYPE QUOTEDSTRING
567 yyerror("it's deprecated to specify a identifier in phase 2");
575 inssainfoalg(&cur_sainfo->algs[cur_algclass], $1);
579 inssainfoalg(&cur_sainfo->algs[cur_algclass], $1);
584 : ALGORITHMTYPE keylength
590 yyerror("failed to get algorithm allocation");
594 $$->alg = algtype2doi(cur_algclass, $1);
596 yyerror("algorithm mismatched");
601 defklen = default_keylen(cur_algclass, $1);
604 yyerror("keylen not allowed");
609 if ($2 && check_keylen(cur_algclass, $1, $2) < 0) {
610 yyerror("invalid keylen %d", $2);
619 $$->encklen = defklen;
621 /* check if it's supported algorithm by kernel */
622 if (!(cur_algclass == algclass_ipsec_auth && $1 == algtype_non_auth)
623 && pk_checkalg(cur_algclass, $1, $$->encklen)) {
624 int a = algclass2doi(cur_algclass);
625 int b = algtype2doi(cur_algclass, $1);
626 if (a == IPSECDOI_ATTR_AUTH)
627 a = IPSECDOI_PROTO_IPSEC_AH;
628 yyerror("algorithm %s not supported",
629 s_ipsecdoi_trns(a, b));
636 : /* nothing */ { $$ = ~0; }
637 | PREFIX { $$ = $1; }
640 : /* nothing */ { $$ = IPSEC_PORT_ANY; }
642 | PORTANY { $$ = IPSEC_PORT_ANY; }
645 : NUMBER { $$ = $1; }
646 | UL_PROTO { $$ = $1; }
647 | ANY { $$ = IPSEC_ULPROTO_ANY; }
650 : /* nothing */ { $$ = 0; }
651 | NUMBER { $$ = $1; }
656 : REMOTE remote_index
658 struct remoteconf *new;
659 struct proposalspec *prspec;
663 yyerror("failed to get new remoteconf.");
670 prspec = newprspec();
673 prspec->lifetime = oakley_get_defaultlifetime();
674 insprspec(prspec, &prhead);
678 /* check a exchange mode */
679 if (cur_rmconf->etypes == NULL) {
680 yyerror("no exchange mode specified.\n");
684 if (cur_rmconf->idvtype == IDTYPE_ASN1DN
685 && cur_rmconf->mycertfile == NULL
686 && cur_rmconf->identity_in_keychain == 0) {
687 yyerror("id type mismatched due to "
688 "no CERT defined.\n");
692 if (cur_rmconf->cert_verification_option == VERIFICATION_OPTION_PEERS_IDENTIFIER
693 && cur_rmconf->idv_p == NULL) {
694 yyerror("peers_identifier required for specified certificate "
695 "verification option.\n");
699 if (set_isakmp_proposal(cur_rmconf, prhead) != 0)
702 /* DH group settting if aggressive mode is there. */
703 if (check_etypeok(cur_rmconf, ISAKMP_ETYPE_AGG) != NULL) {
708 for (p = cur_rmconf->proposal; p; p = p->next) {
709 if (b == 0 || (b && b == p->dh_group)) {
713 yyerror("DH group must be equal "
714 "to each proposals's "
715 "when aggressive mode is "
719 cur_rmconf->dh_group = b;
721 if (cur_rmconf->dh_group == 0) {
722 yyerror("DH group must be required.\n");
726 /* DH group settting if PFS is required. */
727 if (oakley_setdhgroup(cur_rmconf->dh_group,
728 &cur_rmconf->dhgrp) < 0) {
729 yyerror("failed to set DH value.\n");
734 insrmconf(cur_rmconf);
743 $$ = newsaddr(sizeof(struct sockaddr *));
744 $$->sa_family = AF_UNSPEC;
745 ((struct sockaddr_in *)$$)->sin_port = htons($2);
751 yyerror("failed to allocate sockaddr");
758 | remote_specs remote_spec
761 : EXCHANGE_MODE exchange_types EOS
762 | DOI DOITYPE { cur_rmconf->doitype = $2; } EOS
763 | SITUATION SITUATIONTYPE { cur_rmconf->sittype = $2; } EOS
764 | CERTIFICATE_TYPE cert_spec
765 | PEERS_CERTFILE QUOTEDSTRING
767 #ifdef HAVE_SIGNING_C
768 cur_rmconf->getcert_method = ISAKMP_GETCERT_LOCALFILE;
769 cur_rmconf->peerscertfile = strdup($2->v);
772 yyerror("directive not supported");
777 | PEERS_CERTFILE DNSSEC
779 #ifdef HAVE_SIGNING_C
780 cur_rmconf->getcert_method = ISAKMP_GETCERT_DNS;
781 cur_rmconf->peerscertfile = NULL;
783 yyerror("directive not supported");
788 | VERIFY_CERT SWITCH { cur_rmconf->verify_cert = $2; } EOS
789 | SEND_CERT SWITCH { cur_rmconf->send_cert = $2; } EOS
790 | SEND_CR SWITCH { cur_rmconf->send_cr = $2; } EOS
791 | CERTIFICATE_VERIFICATION VERIFICATION_MODULE { cur_rmconf->cert_verification = $2; } EOS
792 | CERTIFICATE_VERIFICATION VERIFICATION_MODULE VERIFICATION_OPTION
794 cur_rmconf->cert_verification = $2;
795 cur_rmconf->cert_verification_option = $3;
798 | OPEN_DIR_AUTH_GROUP QUOTEDSTRING { cur_rmconf->open_dir_auth_group = $2; } EOS
799 | IDENTIFIER IDENTIFIERTYPE
801 /*XXX to be deleted */
802 cur_rmconf->idvtype = $2;
805 | MY_IDENTIFIER IDENTIFIERTYPE identifierstring
807 if (set_identifier(&cur_rmconf->idv, $2, $3) != 0) {
808 yyerror("failed to set identifer.\n");
813 cur_rmconf->idvtype = $2;
816 | PEERS_IDENTIFIER IDENTIFIERTYPE identifierstring
818 if (set_identifier(&cur_rmconf->idv_p, $2, $3) != 0) {
819 yyerror("failed to set identifer.\n");
824 cur_rmconf->idvtype_p = $2;
827 | VERIFY_IDENTIFIER SWITCH { cur_rmconf->verify_identifier = $2; } EOS
828 | SHARED_SECRET SECRETTYPE QUOTEDSTRING { cur_rmconf->secrettype = $2; cur_rmconf->shared_secret = $3; } EOS
829 | NONCE_SIZE NUMBER { cur_rmconf->nonce_size = $2; } EOS
832 yyerror("dh_group cannot be defined here.");
836 | KEEPALIVE { cur_rmconf->keepalive = TRUE; } EOS
837 | PASSIVE SWITCH { cur_rmconf->passive = $2; } EOS
838 | GENERATE_POLICY SWITCH { cur_rmconf->gen_policy = $2; } EOS
839 | SUPPORT_MIP6 SWITCH { cur_rmconf->support_mip6 = $2; } EOS
840 | INITIAL_CONTACT SWITCH { cur_rmconf->ini_contact = $2; } EOS
841 | PROPOSAL_CHECK PROPOSAL_CHECK_LEVEL { cur_rmconf->pcheck_level = $2; } EOS
842 | LIFETIME LIFETYPE_TIME NUMBER unittype_time
844 prhead->lifetime = $3 * $4;
847 | LIFETIME LIFETYPE_BYTE NUMBER unittype_byte
850 yyerror("byte lifetime support is deprecated");
853 yywarn("the lifetime of bytes in phase 1 "
854 "will be ignored at the moment.");
855 prhead->lifebyte = fix_lifebyte($3 * $4);
856 if (prhead->lifebyte == 0)
863 struct secprotospec *spspec;
865 spspec = newspspec();
868 insspspec(spspec, &prhead);
870 BOC isakmpproposal_specs EOC
874 | exchange_types EXCHANGETYPE
877 new = racoon_malloc(sizeof(struct etypes));
879 yyerror("filed to allocate etypes");
884 if (cur_rmconf->etypes == NULL)
885 cur_rmconf->etypes = new;
888 for (p = cur_rmconf->etypes;
897 : CERT_X509 QUOTEDSTRING QUOTEDSTRING
899 #ifdef HAVE_SIGNING_C
900 cur_rmconf->certtype = $1;
901 cur_rmconf->mycertfile = strdup($2->v);
903 cur_rmconf->myprivfile = strdup($3->v);
906 yyerror("directive not supported");
911 | CERT_X509 IN_KEYCHAIN
913 cur_rmconf->certtype = $1;
914 cur_rmconf->identity_in_keychain = 1;
915 cur_rmconf->keychainCertRef = 0;
919 | CERT_X509 IN_KEYCHAIN QUOTEDSTRING
923 cur_rmconf->certtype = $1;
924 cur_rmconf->identity_in_keychain = 1;
925 result = base64toCFData($3, &cur_rmconf->keychainCertRef);
936 $$ = algtype2doi(algclass_isakmp_dh, $1);
938 yyerror("must be DH group");
944 if (ARRAYLEN(num2dhgroup) > $1 && num2dhgroup[$1] != 0) {
945 $$ = num2dhgroup[$1];
947 yyerror("must be DH group");
953 : /* nothing */ { $$ = NULL; }
954 | ADDRSTRING { $$ = $1; }
955 | QUOTEDSTRING { $$ = $1; }
959 | isakmpproposal_specs isakmpproposal_spec
964 yyerror("strength directive is obsoleted.");
966 | LIFETIME LIFETYPE_TIME NUMBER unittype_time
968 prhead->spspec->lifetime = $3 * $4;
971 | LIFETIME LIFETYPE_BYTE NUMBER unittype_byte
974 yyerror("byte lifetime support is deprecated");
977 prhead->spspec->lifebyte = fix_lifebyte($3 * $4);
978 if (prhead->spspec->lifebyte == 0)
983 | DH_GROUP dh_group_num
985 prhead->spspec->algclass[algclass_isakmp_dh] = $2;
988 | GSSAPI_ID QUOTEDSTRING
990 if (prhead->spspec->vendorid != VENDORID_GSSAPI) {
991 yyerror("wrong Vendor ID for gssapi_id");
994 prhead->spspec->gssid = strdup($2->v);
997 | ALGORITHM_CLASS ALGORITHMTYPE keylength
1002 doi = algtype2doi($1, $2);
1004 yyerror("algorithm mismatched 1");
1009 case algclass_isakmp_enc:
1010 /* reject suppressed algorithms */
1011 #ifndef HAVE_OPENSSL_RC5_H
1012 if ($2 == algtype_rc5) {
1013 yyerror("algorithm %s not supported",
1014 s_attr_isakmp_enc(doi));
1018 #ifndef HAVE_OPENSSL_IDEA_H
1019 if ($2 == algtype_idea) {
1020 yyerror("algorithm %s not supported",
1021 s_attr_isakmp_enc(doi));
1026 prhead->spspec->algclass[algclass_isakmp_enc] = doi;
1027 defklen = default_keylen($1, $2);
1030 yyerror("keylen not allowed");
1034 if ($3 && check_keylen($1, $2, $3) < 0) {
1035 yyerror("invalid keylen %d", $3);
1040 prhead->spspec->encklen = $3;
1042 prhead->spspec->encklen = defklen;
1044 case algclass_isakmp_hash:
1045 prhead->spspec->algclass[algclass_isakmp_hash] = doi;
1047 case algclass_isakmp_ameth:
1048 prhead->spspec->algclass[algclass_isakmp_ameth] = doi;
1050 * We may have to set the Vendor ID for the
1051 * authentication method we're using.
1054 case algtype_gssapikrb:
1055 if (prhead->spspec->vendorid !=
1057 yyerror("Vendor ID mismatch "
1062 * For interoperability with Win2k,
1063 * we set the Vendor ID to "GSSAPI".
1065 prhead->spspec->vendorid =
1073 yyerror("algorithm mismatched 2");
1081 : UNITTYPE_SEC { $$ = 1; }
1082 | UNITTYPE_MIN { $$ = 60; }
1083 | UNITTYPE_HOUR { $$ = (60 * 60); }
1086 : UNITTYPE_BYTE { $$ = 1; }
1087 | UNITTYPE_KBYTES { $$ = 1024; }
1088 | UNITTYPE_MBYTES { $$ = (1024 * 1024); }
1089 | UNITTYPE_TBYTES { $$ = (1024 * 1024 * 1024); }
1093 static struct proposalspec *
1096 struct proposalspec *new;
1098 new = racoon_calloc(1, sizeof(*new));
1100 yyerror("failed to allocate proposal");
1108 struct proposalspec *p, *next;
1113 for (p = prhead; p != NULL; p = next) {
1114 struct secprotospec *psp, *nextsp;
1115 for (psp = p->spspec; psp; psp = nextsp) {
1117 racoon_free(p->spspec);
1127 * insert into head of list.
1130 insprspec(prspec, head)
1131 struct proposalspec *prspec;
1132 struct proposalspec **head;
1135 (*head)->prev = prspec;
1136 prspec->next = *head;
1140 static struct secprotospec *
1143 struct secprotospec *new;
1145 new = racoon_calloc(1, sizeof(*new));
1147 yyerror("failed to allocate spproto");
1151 new->encklen = 0; /*XXX*/
1154 * Default to "uknown" vendor -- we will override this
1155 * as necessary. When we send a Vendor ID payload, an
1156 * "unknown" will be translated to a KAME/racoon ID.
1158 new->vendorid = VENDORID_UNKNOWN;
1164 * insert into head of list.
1167 insspspec(spspec, head)
1168 struct secprotospec *spspec;
1169 struct proposalspec **head;
1171 spspec->back = *head;
1173 if ((*head)->spspec != NULL)
1174 (*head)->spspec->prev = spspec;
1175 spspec->next = (*head)->spspec;
1176 (*head)->spspec = spspec;
1179 /* set final acceptable proposal */
1181 set_isakmp_proposal(rmconf, prspec)
1182 struct remoteconf *rmconf;
1183 struct proposalspec *prspec;
1185 struct proposalspec *p;
1186 struct secprotospec *s;
1189 u_int32_t types[MAXALGCLASS];
1193 plog(LLV_ERROR, LOCATION, NULL,
1194 "multiple proposal definition.\n");
1198 /* mandatory check */
1199 if (p->spspec == NULL) {
1200 yyerror("no remote specification found: %s.\n",
1204 for (s = p->spspec; s != NULL; s = s->next) {
1205 /* XXX need more to check */
1206 if (s->algclass[algclass_isakmp_enc] == 0) {
1207 yyerror("encryption algorithm required.");
1210 if (s->algclass[algclass_isakmp_hash] == 0) {
1211 yyerror("hash algorithm required.");
1214 if (s->algclass[algclass_isakmp_dh] == 0) {
1215 yyerror("DH group required.");
1218 if (s->algclass[algclass_isakmp_ameth] == 0) {
1219 yyerror("authentication method required.");
1224 /* skip to last part */
1225 for (s = p->spspec; s->next != NULL; s = s->next)
1229 plog(LLV_DEBUG2, LOCATION, NULL,
1230 "lifetime = %ld\n", (long)
1231 (s->lifetime ? s->lifetime : p->lifetime));
1232 plog(LLV_DEBUG2, LOCATION, NULL,
1234 s->lifebyte ? s->lifebyte : p->lifebyte);
1235 plog(LLV_DEBUG2, LOCATION, NULL,
1236 "encklen=%d\n", s->encklen);
1238 memset(types, 0, ARRAYLEN(types));
1239 types[algclass_isakmp_enc] = s->algclass[algclass_isakmp_enc];
1240 types[algclass_isakmp_hash] = s->algclass[algclass_isakmp_hash];
1241 types[algclass_isakmp_dh] = s->algclass[algclass_isakmp_dh];
1242 types[algclass_isakmp_ameth] =
1243 s->algclass[algclass_isakmp_ameth];
1245 /* expanding spspec */
1247 trns_no = expand_isakmpspec(prop_no, trns_no, types,
1248 algclass_isakmp_enc, algclass_isakmp_ameth + 1,
1249 s->lifetime ? s->lifetime : p->lifetime,
1250 s->lifebyte ? s->lifebyte : p->lifebyte,
1251 s->encklen, s->vendorid, s->gssid,
1253 if (trns_no == -1) {
1254 plog(LLV_ERROR, LOCATION, NULL,
1255 "failed to expand isakmp proposal.\n");
1262 if (rmconf->proposal == NULL) {
1263 plog(LLV_ERROR, LOCATION, NULL,
1264 "no proposal found.\n");
1275 for (i = 0; i < MAXALGCLASS; i++)
1276 tmpalgtype[i] = 0; /* means algorithm undefined. */
1280 expand_isakmpspec(prop_no, trns_no, types,
1281 class, last, lifetime, lifebyte, encklen, vendorid, gssid,
1283 int prop_no, trns_no;
1284 int *types, class, last;
1290 struct remoteconf *rmconf;
1292 struct isakmpsa *new;
1298 plog(LLV_DEBUG2, LOCATION, NULL,
1299 "p:%d t:%d\n", prop_no, trns_no);
1300 for (j = class; j < MAXALGCLASS; j++) {
1301 snprintf(tb, sizeof(tb), "%d", types[j]);
1302 plog(LLV_DEBUG2, LOCATION, NULL,
1304 s_algtype(j, types[j]),
1305 types[j] ? "(" : "",
1306 tb[0] == '0' ? "" : tb,
1307 types[j] ? ")" : "");
1309 plog(LLV_DEBUG2, LOCATION, NULL, "\n");
1312 #define TMPALGTYPE2STR(n) \
1313 s_algtype(algclass_isakmp_##n, types[algclass_isakmp_##n])
1314 /* check mandatory values */
1315 if (types[algclass_isakmp_enc] == 0
1316 || types[algclass_isakmp_ameth] == 0
1317 || types[algclass_isakmp_hash] == 0
1318 || types[algclass_isakmp_dh] == 0) {
1319 yyerror("few definition of algorithm "
1320 "enc=%s ameth=%s hash=%s dhgroup=%s.\n",
1321 TMPALGTYPE2STR(enc),
1322 TMPALGTYPE2STR(ameth),
1323 TMPALGTYPE2STR(hash),
1324 TMPALGTYPE2STR(dh));
1327 #undef TMPALGTYPE2STR
1330 new = newisakmpsa();
1332 yyerror("failed to allocate isakmp sa");
1335 new->prop_no = prop_no;
1336 new->trns_no = trns_no++;
1337 new->lifetime = lifetime;
1338 new->lifebyte = lifebyte;
1339 new->enctype = types[algclass_isakmp_enc];
1340 new->encklen = encklen;
1341 new->authmethod = types[algclass_isakmp_ameth];
1342 new->hashtype = types[algclass_isakmp_hash];
1343 new->dh_group = types[algclass_isakmp_dh];
1344 new->vendorid = vendorid;
1346 if (gssid != NULL) {
1347 new->gssid = vmalloc(strlen(gssid) + 1);
1348 memcpy(new->gssid->v, gssid, new->gssid->l);
1353 insisakmpsa(new, rmconf);
1361 * Must be more than 1024B because its unit is kilobytes.
1362 * That is defined RFC2407.
1369 yyerror("byte size should be more than 1024B.");
1377 extern int yyparse(void);
1386 if (yycf_switch_buffer(lcconf->racoon_conf) != 0)
1394 plog(LLV_ERROR, LOCATION, NULL,
1395 "fatal parse failure (%d errors)\n",
1398 plog(LLV_ERROR, LOCATION, NULL,
1399 "fatal parse failure.\n");
1404 if (error == 0 && yyerrorcount) {
1405 plog(LLV_ERROR, LOCATION, NULL,
1406 "parse error is nothing, but yyerrorcount is %d.\n",
1411 yycf_clean_buffer();
1413 plog(LLV_DEBUG2, LOCATION, NULL, "parse successed.\n");
1432 /* -----------------------------------------------------------------------------
1433 The base-64 encoding packs three 8-bit bytes into four 7-bit ASCII
1434 characters. If the number of bytes in the original data isn't divisable
1435 by three, "=" characters are used to pad the encoded data. The complete
1436 set of characters used in base-64 are:
1444 ----------------------------------------------------------------------------- */
1445 static const signed char base64_DecodeTable[128] = {
1446 /* 000 */ -1, -1, -1, -1, -1, -1, -1, -1,
1447 /* 010 */ -1, -1, -1, -1, -1, -1, -1, -1,
1448 /* 020 */ -1, -1, -1, -1, -1, -1, -1, -1,
1449 /* 030 */ -1, -1, -1, -1, -1, -1, -1, -1,
1450 /* ' ' */ -1, -1, -1, -1, -1, -1, -1, -1,
1451 /* '(' */ -1, -1, -1, 62, -1, -1, -1, 63,
1452 /* '0' */ 52, 53, 54, 55, 56, 57, 58, 59,
1453 /* '8' */ 60, 61, -1, -1, -1, 0, -1, -1,
1454 /* '@' */ -1, 0, 1, 2, 3, 4, 5, 6,
1455 /* 'H' */ 7, 8, 9, 10, 11, 12, 13, 14,
1456 /* 'P' */ 15, 16, 17, 18, 19, 20, 21, 22,
1457 /* 'X' */ 23, 24, 25, -1, -1, -1, -1, -1,
1458 /* '`' */ -1, 26, 27, 28, 29, 30, 31, 32,
1459 /* 'h' */ 33, 34, 35, 36, 37, 38, 39, 40,
1460 /* 'p' */ 41, 42, 43, 44, 45, 46, 47, 48,
1461 /* 'x' */ 49, 50, 51, -1, -1, -1, -1, -1
1464 static int base64toCFData(vchar_t *textin, CFDataRef *dataRef)
1472 uint8_t *textcur = textin->v;
1473 int len = textin->l;
1476 tmpbuf = malloc(len); // len of result will be less than encoded len
1477 if (tmpbuf == NULL) {
1478 yyerror("memory error - could not allocate buffer for certificate reference conversion from base-64.");
1482 for (i = 0; i < len; i++) {
1486 else if (!isspace(c))
1488 if (base64_DecodeTable[c] < 0)
1492 acc += base64_DecodeTable[c];
1493 if (0 == (cntr & 0x3)) {
1494 tmpbuf[tmpbufpos++] = (acc >> 16) & 0xff;
1496 tmpbuf[tmpbufpos++] = (acc >> 8) & 0xff;
1498 tmpbuf[tmpbufpos++] = acc & 0xff;
1501 *dataRef = CFDataCreate(NULL, tmpbuf, tmpbufpos);