1 /* $OpenBSD: parse.y,v 1.148 2024/11/04 02:44:28 dlg Exp $ */ 2 3 /* 4 * Copyright (c) 2019 Tobias Heider <tobias.heider@stusta.de> 5 * Copyright (c) 2010-2013 Reyk Floeter <reyk@openbsd.org> 6 * Copyright (c) 2004, 2005 Hans-Joerg Hoexer <hshoexer@openbsd.org> 7 * Copyright (c) 2002, 2003, 2004 Henning Brauer <henning@openbsd.org> 8 * Copyright (c) 2001 Markus Friedl. All rights reserved. 9 * Copyright (c) 2001 Daniel Hartmeier. All rights reserved. 10 * Copyright (c) 2001 Theo de Raadt. All rights reserved. 11 * 12 * Permission to use, copy, modify, and distribute this software for any 13 * purpose with or without fee is hereby granted, provided that the above 14 * copyright notice and this permission notice appear in all copies. 15 * 16 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 17 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 18 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 19 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 20 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 21 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 22 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 23 */ 24 25 %{ 26 #include <sys/types.h> 27 #include <sys/ioctl.h> 28 #include <sys/queue.h> 29 #include <sys/socket.h> 30 #include <sys/stat.h> 31 #include <net/if.h> 32 #include <netinet/in.h> 33 #include <netinet/ip_ipsp.h> 34 #include <arpa/inet.h> 35 36 #include <ctype.h> 37 #include <err.h> 38 #include <errno.h> 39 #include <fcntl.h> 40 #include <ifaddrs.h> 41 #include <inttypes.h> 42 #include <limits.h> 43 #include <netdb.h> 44 #include <radius.h> 45 #include <stdarg.h> 46 #include <stddef.h> 47 #include <stdio.h> 48 #include <stdlib.h> 49 #include <string.h> 50 #include <syslog.h> 51 #include <unistd.h> 52 #include <event.h> 53 54 #include "iked.h" 55 #include "ikev2.h" 56 #include "eap.h" 57 58 TAILQ_HEAD(files, file) files = TAILQ_HEAD_INITIALIZER(files); 59 static struct file { 60 TAILQ_ENTRY(file) entry; 61 FILE *stream; 62 char *name; 63 size_t ungetpos; 64 size_t ungetsize; 65 u_char *ungetbuf; 66 int eof_reached; 67 int lineno; 68 int errors; 69 } *file, *topfile; 70 struct file *pushfile(const char *, int); 71 int popfile(void); 72 int check_file_secrecy(int, const char *); 73 int yyparse(void); 74 int yylex(void); 75 int yyerror(const char *, ...) 76 __attribute__((__format__ (printf, 1, 2))) 77 __attribute__((__nonnull__ (1))); 78 int kw_cmp(const void *, const void *); 79 int lookup(char *); 80 int igetc(void); 81 int lgetc(int); 82 void lungetc(int); 83 int findeol(void); 84 85 TAILQ_HEAD(symhead, sym) symhead = TAILQ_HEAD_INITIALIZER(symhead); 86 struct sym { 87 TAILQ_ENTRY(sym) entry; 88 int used; 89 int persist; 90 char *nam; 91 char *val; 92 }; 93 int symset(const char *, const char *, int); 94 char *symget(const char *); 95 96 #define KEYSIZE_LIMIT 1024 97 98 static struct iked *env = NULL; 99 static int debug = 0; 100 static int rules = 0; 101 static int passive = 0; 102 static int decouple = 0; 103 static int mobike = 1; 104 static int enforcesingleikesa = 0; 105 static int stickyaddress = 0; 106 static int fragmentation = 0; 107 static int vendorid = 1; 108 static int dpd_interval = IKED_IKE_SA_ALIVE_TIMEOUT; 109 static char *ocsp_url = NULL; 110 static long ocsp_tolerate = 0; 111 static long ocsp_maxage = -1; 112 static int cert_partial_chain = 0; 113 static struct iked_radopts 114 radauth, radacct; 115 116 struct iked_transform ikev2_default_ike_transforms[] = { 117 { IKEV2_XFORMTYPE_ENCR, IKEV2_XFORMENCR_AES_CBC, 256 }, 118 { IKEV2_XFORMTYPE_ENCR, IKEV2_XFORMENCR_AES_CBC, 192 }, 119 { IKEV2_XFORMTYPE_ENCR, IKEV2_XFORMENCR_AES_CBC, 128 }, 120 { IKEV2_XFORMTYPE_ENCR, IKEV2_XFORMENCR_3DES }, 121 { IKEV2_XFORMTYPE_PRF, IKEV2_XFORMPRF_HMAC_SHA2_256 }, 122 { IKEV2_XFORMTYPE_PRF, IKEV2_XFORMPRF_HMAC_SHA2_384 }, 123 { IKEV2_XFORMTYPE_PRF, IKEV2_XFORMPRF_HMAC_SHA2_512 }, 124 { IKEV2_XFORMTYPE_PRF, IKEV2_XFORMPRF_HMAC_SHA1 }, 125 { IKEV2_XFORMTYPE_INTEGR, IKEV2_XFORMAUTH_HMAC_SHA2_256_128 }, 126 { IKEV2_XFORMTYPE_INTEGR, IKEV2_XFORMAUTH_HMAC_SHA2_384_192 }, 127 { IKEV2_XFORMTYPE_INTEGR, IKEV2_XFORMAUTH_HMAC_SHA2_512_256 }, 128 { IKEV2_XFORMTYPE_INTEGR, IKEV2_XFORMAUTH_HMAC_SHA1_96 }, 129 { IKEV2_XFORMTYPE_DH, IKEV2_XFORMDH_CURVE25519 }, 130 { IKEV2_XFORMTYPE_DH, IKEV2_XFORMDH_ECP_521 }, 131 { IKEV2_XFORMTYPE_DH, IKEV2_XFORMDH_ECP_384 }, 132 { IKEV2_XFORMTYPE_DH, IKEV2_XFORMDH_ECP_256 }, 133 { IKEV2_XFORMTYPE_DH, IKEV2_XFORMDH_MODP_4096 }, 134 { IKEV2_XFORMTYPE_DH, IKEV2_XFORMDH_MODP_3072 }, 135 { IKEV2_XFORMTYPE_DH, IKEV2_XFORMDH_MODP_2048 }, 136 { IKEV2_XFORMTYPE_DH, IKEV2_XFORMDH_MODP_1536 }, 137 { IKEV2_XFORMTYPE_DH, IKEV2_XFORMDH_MODP_1024 }, 138 { 0 } 139 }; 140 size_t ikev2_default_nike_transforms = ((sizeof(ikev2_default_ike_transforms) / 141 sizeof(ikev2_default_ike_transforms[0])) - 1); 142 143 struct iked_transform ikev2_default_ike_transforms_noauth[] = { 144 { IKEV2_XFORMTYPE_ENCR, IKEV2_XFORMENCR_AES_GCM_16, 128 }, 145 { IKEV2_XFORMTYPE_ENCR, IKEV2_XFORMENCR_AES_GCM_16, 256 }, 146 { IKEV2_XFORMTYPE_PRF, IKEV2_XFORMPRF_HMAC_SHA2_256 }, 147 { IKEV2_XFORMTYPE_PRF, IKEV2_XFORMPRF_HMAC_SHA2_384 }, 148 { IKEV2_XFORMTYPE_PRF, IKEV2_XFORMPRF_HMAC_SHA2_512 }, 149 { IKEV2_XFORMTYPE_PRF, IKEV2_XFORMPRF_HMAC_SHA1 }, 150 { IKEV2_XFORMTYPE_DH, IKEV2_XFORMDH_CURVE25519 }, 151 { IKEV2_XFORMTYPE_DH, IKEV2_XFORMDH_ECP_521 }, 152 { IKEV2_XFORMTYPE_DH, IKEV2_XFORMDH_ECP_384 }, 153 { IKEV2_XFORMTYPE_DH, IKEV2_XFORMDH_ECP_256 }, 154 { IKEV2_XFORMTYPE_DH, IKEV2_XFORMDH_MODP_4096 }, 155 { IKEV2_XFORMTYPE_DH, IKEV2_XFORMDH_MODP_3072 }, 156 { IKEV2_XFORMTYPE_DH, IKEV2_XFORMDH_MODP_2048 }, 157 { IKEV2_XFORMTYPE_DH, IKEV2_XFORMDH_MODP_1536 }, 158 { IKEV2_XFORMTYPE_DH, IKEV2_XFORMDH_MODP_1024 }, 159 { 0 } 160 }; 161 size_t ikev2_default_nike_transforms_noauth = 162 ((sizeof(ikev2_default_ike_transforms_noauth) / 163 sizeof(ikev2_default_ike_transforms_noauth[0])) - 1); 164 165 struct iked_transform ikev2_default_esp_transforms[] = { 166 { IKEV2_XFORMTYPE_ENCR, IKEV2_XFORMENCR_AES_CBC, 256 }, 167 { IKEV2_XFORMTYPE_ENCR, IKEV2_XFORMENCR_AES_CBC, 192 }, 168 { IKEV2_XFORMTYPE_ENCR, IKEV2_XFORMENCR_AES_CBC, 128 }, 169 { IKEV2_XFORMTYPE_INTEGR, IKEV2_XFORMAUTH_HMAC_SHA2_256_128 }, 170 { IKEV2_XFORMTYPE_INTEGR, IKEV2_XFORMAUTH_HMAC_SHA2_384_192 }, 171 { IKEV2_XFORMTYPE_INTEGR, IKEV2_XFORMAUTH_HMAC_SHA2_512_256 }, 172 { IKEV2_XFORMTYPE_INTEGR, IKEV2_XFORMAUTH_HMAC_SHA1_96 }, 173 { IKEV2_XFORMTYPE_DH, IKEV2_XFORMDH_NONE }, 174 { IKEV2_XFORMTYPE_ESN, IKEV2_XFORMESN_ESN }, 175 { IKEV2_XFORMTYPE_ESN, IKEV2_XFORMESN_NONE }, 176 { 0 } 177 }; 178 size_t ikev2_default_nesp_transforms = ((sizeof(ikev2_default_esp_transforms) / 179 sizeof(ikev2_default_esp_transforms[0])) - 1); 180 181 struct iked_transform ikev2_default_esp_transforms_noauth[] = { 182 { IKEV2_XFORMTYPE_ENCR, IKEV2_XFORMENCR_AES_GCM_16, 128 }, 183 { IKEV2_XFORMTYPE_ENCR, IKEV2_XFORMENCR_AES_GCM_16, 256 }, 184 { IKEV2_XFORMTYPE_DH, IKEV2_XFORMDH_NONE }, 185 { IKEV2_XFORMTYPE_ESN, IKEV2_XFORMESN_ESN }, 186 { IKEV2_XFORMTYPE_ESN, IKEV2_XFORMESN_NONE }, 187 { 0 } 188 }; 189 size_t ikev2_default_nesp_transforms_noauth = 190 ((sizeof(ikev2_default_esp_transforms_noauth) / 191 sizeof(ikev2_default_esp_transforms_noauth[0])) - 1); 192 193 const struct ipsec_xf authxfs[] = { 194 { "hmac-md5", IKEV2_XFORMAUTH_HMAC_MD5_96, 16 }, 195 { "hmac-sha1", IKEV2_XFORMAUTH_HMAC_SHA1_96, 20 }, 196 { "hmac-sha2-256", IKEV2_XFORMAUTH_HMAC_SHA2_256_128, 32 }, 197 { "hmac-sha2-384", IKEV2_XFORMAUTH_HMAC_SHA2_384_192, 48 }, 198 { "hmac-sha2-512", IKEV2_XFORMAUTH_HMAC_SHA2_512_256, 64 }, 199 { NULL } 200 }; 201 202 const struct ipsec_xf prfxfs[] = { 203 { "hmac-md5", IKEV2_XFORMPRF_HMAC_MD5, 16 }, 204 { "hmac-sha1", IKEV2_XFORMPRF_HMAC_SHA1, 20 }, 205 { "hmac-sha2-256", IKEV2_XFORMPRF_HMAC_SHA2_256, 32 }, 206 { "hmac-sha2-384", IKEV2_XFORMPRF_HMAC_SHA2_384, 48 }, 207 { "hmac-sha2-512", IKEV2_XFORMPRF_HMAC_SHA2_512, 64 }, 208 { NULL } 209 }; 210 211 const struct ipsec_xf *encxfs = NULL; 212 213 const struct ipsec_xf ikeencxfs[] = { 214 { "3des", IKEV2_XFORMENCR_3DES, 24 }, 215 { "3des-cbc", IKEV2_XFORMENCR_3DES, 24 }, 216 { "aes-128", IKEV2_XFORMENCR_AES_CBC, 16, 16 }, 217 { "aes-192", IKEV2_XFORMENCR_AES_CBC, 24, 24 }, 218 { "aes-256", IKEV2_XFORMENCR_AES_CBC, 32, 32 }, 219 { "aes-128-gcm", IKEV2_XFORMENCR_AES_GCM_16, 16, 16, 4, 1 }, 220 { "aes-256-gcm", IKEV2_XFORMENCR_AES_GCM_16, 32, 32, 4, 1 }, 221 { "aes-128-gcm-12", IKEV2_XFORMENCR_AES_GCM_12, 16, 16, 4, 1 }, 222 { "aes-256-gcm-12", IKEV2_XFORMENCR_AES_GCM_12, 32, 32, 4, 1 }, 223 { NULL } 224 }; 225 226 const struct ipsec_xf ipsecencxfs[] = { 227 { "3des", IKEV2_XFORMENCR_3DES, 24 }, 228 { "3des-cbc", IKEV2_XFORMENCR_3DES, 24 }, 229 { "aes-128", IKEV2_XFORMENCR_AES_CBC, 16, 16 }, 230 { "aes-192", IKEV2_XFORMENCR_AES_CBC, 24, 24 }, 231 { "aes-256", IKEV2_XFORMENCR_AES_CBC, 32, 32 }, 232 { "aes-128-ctr", IKEV2_XFORMENCR_AES_CTR, 16, 16, 4 }, 233 { "aes-192-ctr", IKEV2_XFORMENCR_AES_CTR, 24, 24, 4 }, 234 { "aes-256-ctr", IKEV2_XFORMENCR_AES_CTR, 32, 32, 4 }, 235 { "aes-128-gcm", IKEV2_XFORMENCR_AES_GCM_16, 16, 16, 4, 1 }, 236 { "aes-192-gcm", IKEV2_XFORMENCR_AES_GCM_16, 24, 24, 4, 1 }, 237 { "aes-256-gcm", IKEV2_XFORMENCR_AES_GCM_16, 32, 32, 4, 1 }, 238 { "aes-128-gmac", IKEV2_XFORMENCR_NULL_AES_GMAC, 16, 16, 4, 1 }, 239 { "aes-192-gmac", IKEV2_XFORMENCR_NULL_AES_GMAC, 24, 24, 4, 1 }, 240 { "aes-256-gmac", IKEV2_XFORMENCR_NULL_AES_GMAC, 32, 32, 4, 1 }, 241 { "blowfish", IKEV2_XFORMENCR_BLOWFISH, 20, 20 }, 242 { "cast", IKEV2_XFORMENCR_CAST, 16, 16 }, 243 { "chacha20-poly1305", IKEV2_XFORMENCR_CHACHA20_POLY1305, 244 32, 32, 4, 1 }, 245 { "null", IKEV2_XFORMENCR_NULL, 0, 0 }, 246 { NULL } 247 }; 248 249 const struct ipsec_xf groupxfs[] = { 250 { "none", IKEV2_XFORMDH_NONE }, 251 { "modp768", IKEV2_XFORMDH_MODP_768 }, 252 { "grp1", IKEV2_XFORMDH_MODP_768 }, 253 { "modp1024", IKEV2_XFORMDH_MODP_1024 }, 254 { "grp2", IKEV2_XFORMDH_MODP_1024 }, 255 { "modp1536", IKEV2_XFORMDH_MODP_1536 }, 256 { "grp5", IKEV2_XFORMDH_MODP_1536 }, 257 { "modp2048", IKEV2_XFORMDH_MODP_2048 }, 258 { "grp14", IKEV2_XFORMDH_MODP_2048 }, 259 { "modp3072", IKEV2_XFORMDH_MODP_3072 }, 260 { "grp15", IKEV2_XFORMDH_MODP_3072 }, 261 { "modp4096", IKEV2_XFORMDH_MODP_4096 }, 262 { "grp16", IKEV2_XFORMDH_MODP_4096 }, 263 { "modp6144", IKEV2_XFORMDH_MODP_6144 }, 264 { "grp17", IKEV2_XFORMDH_MODP_6144 }, 265 { "modp8192", IKEV2_XFORMDH_MODP_8192 }, 266 { "grp18", IKEV2_XFORMDH_MODP_8192 }, 267 { "ecp256", IKEV2_XFORMDH_ECP_256 }, 268 { "grp19", IKEV2_XFORMDH_ECP_256 }, 269 { "ecp384", IKEV2_XFORMDH_ECP_384 }, 270 { "grp20", IKEV2_XFORMDH_ECP_384 }, 271 { "ecp521", IKEV2_XFORMDH_ECP_521 }, 272 { "grp21", IKEV2_XFORMDH_ECP_521 }, 273 { "ecp192", IKEV2_XFORMDH_ECP_192 }, 274 { "grp25", IKEV2_XFORMDH_ECP_192 }, 275 { "ecp224", IKEV2_XFORMDH_ECP_224 }, 276 { "grp26", IKEV2_XFORMDH_ECP_224 }, 277 { "brainpool224", IKEV2_XFORMDH_BRAINPOOL_P224R1 }, 278 { "grp27", IKEV2_XFORMDH_BRAINPOOL_P224R1 }, 279 { "brainpool256", IKEV2_XFORMDH_BRAINPOOL_P256R1 }, 280 { "grp28", IKEV2_XFORMDH_BRAINPOOL_P256R1 }, 281 { "brainpool384", IKEV2_XFORMDH_BRAINPOOL_P384R1 }, 282 { "grp29", IKEV2_XFORMDH_BRAINPOOL_P384R1 }, 283 { "brainpool512", IKEV2_XFORMDH_BRAINPOOL_P512R1 }, 284 { "grp30", IKEV2_XFORMDH_BRAINPOOL_P512R1 }, 285 { "curve25519", IKEV2_XFORMDH_CURVE25519 }, 286 { "grp31", IKEV2_XFORMDH_CURVE25519 }, 287 { "sntrup761x25519", IKEV2_XFORMDH_X_SNTRUP761X25519 }, 288 { NULL } 289 }; 290 291 const struct ipsec_xf esnxfs[] = { 292 { "esn", IKEV2_XFORMESN_ESN }, 293 { "noesn", IKEV2_XFORMESN_NONE }, 294 { NULL } 295 }; 296 297 const struct ipsec_xf methodxfs[] = { 298 { "none", IKEV2_AUTH_NONE }, 299 { "rsa", IKEV2_AUTH_RSA_SIG }, 300 { "ecdsa256", IKEV2_AUTH_ECDSA_256 }, 301 { "ecdsa384", IKEV2_AUTH_ECDSA_384 }, 302 { "ecdsa521", IKEV2_AUTH_ECDSA_521 }, 303 { "rfc7427", IKEV2_AUTH_SIG }, 304 { "signature", IKEV2_AUTH_SIG_ANY }, 305 { NULL } 306 }; 307 308 const struct ipsec_xf saxfs[] = { 309 { "esp", IKEV2_SAPROTO_ESP }, 310 { "ah", IKEV2_SAPROTO_AH }, 311 { NULL } 312 }; 313 314 const struct ipsec_xf cpxfs[] = { 315 { "address", IKEV2_CFG_INTERNAL_IP4_ADDRESS, AF_INET }, 316 { "netmask", IKEV2_CFG_INTERNAL_IP4_NETMASK, AF_INET }, 317 { "name-server", IKEV2_CFG_INTERNAL_IP4_DNS, AF_INET }, 318 { "netbios-server", IKEV2_CFG_INTERNAL_IP4_NBNS, AF_INET }, 319 { "dhcp-server", IKEV2_CFG_INTERNAL_IP4_DHCP, AF_INET }, 320 { "address", IKEV2_CFG_INTERNAL_IP6_ADDRESS, AF_INET6 }, 321 { "name-server", IKEV2_CFG_INTERNAL_IP6_DNS, AF_INET6 }, 322 { "netbios-server", IKEV2_CFG_INTERNAL_IP6_NBNS, AF_INET6 }, 323 { "dhcp-server", IKEV2_CFG_INTERNAL_IP6_DHCP, AF_INET6 }, 324 { "protected-subnet", IKEV2_CFG_INTERNAL_IP4_SUBNET, AF_INET }, 325 { "protected-subnet", IKEV2_CFG_INTERNAL_IP6_SUBNET, AF_INET6 }, 326 { "access-server", IKEV2_CFG_INTERNAL_IP4_SERVER, AF_INET }, 327 { "access-server", IKEV2_CFG_INTERNAL_IP6_SERVER, AF_INET6 }, 328 { NULL } 329 }; 330 331 const struct iked_lifetime deflifetime = { 332 IKED_LIFETIME_BYTES, 333 IKED_LIFETIME_SECONDS 334 }; 335 336 #define IPSEC_ADDR_ANY (0x1) 337 #define IPSEC_ADDR_DYNAMIC (0x2) 338 339 struct ipsec_addr_wrap { 340 struct sockaddr_storage address; 341 uint8_t mask; 342 int netaddress; 343 sa_family_t af; 344 unsigned int type; 345 unsigned int action; 346 uint16_t port; 347 char *name; 348 struct ipsec_addr_wrap *next; 349 struct ipsec_addr_wrap *tail; 350 struct ipsec_addr_wrap *srcnat; 351 }; 352 353 struct ipsec_hosts { 354 struct ipsec_addr_wrap *src; 355 struct ipsec_addr_wrap *dst; 356 }; 357 358 struct ipsec_filters { 359 char *tag; 360 unsigned int tap; 361 }; 362 363 void copy_sockaddrtoipa(struct ipsec_addr_wrap *, 364 struct sockaddr *); 365 struct ipsec_addr_wrap *host(const char *); 366 struct ipsec_addr_wrap *host_ip(const char *, int); 367 struct ipsec_addr_wrap *host_dns(const char *, int); 368 struct ipsec_addr_wrap *host_if(const char *, int); 369 struct ipsec_addr_wrap *host_any(void); 370 struct ipsec_addr_wrap *host_dynamic(void); 371 void ifa_load(void); 372 int ifa_exists(const char *); 373 struct ipsec_addr_wrap *ifa_lookup(const char *ifa_name); 374 struct ipsec_addr_wrap *ifa_grouplookup(const char *); 375 void set_ipmask(struct ipsec_addr_wrap *, int); 376 const struct ipsec_xf *parse_xf(const char *, unsigned int, 377 const struct ipsec_xf *); 378 void copy_transforms(unsigned int, 379 const struct ipsec_xf **, unsigned int, 380 struct iked_transform **, unsigned int *, 381 struct iked_transform *, size_t); 382 int create_ike(char *, int, struct ipsec_addr_wrap *, 383 int, struct ipsec_hosts *, 384 struct ipsec_hosts *, struct ipsec_mode *, 385 struct ipsec_mode *, uint8_t, 386 unsigned int, char *, char *, 387 uint32_t, struct iked_lifetime *, 388 struct iked_auth *, struct ipsec_filters *, 389 struct ipsec_addr_wrap *, char *); 390 int create_user(const char *, const char *); 391 int get_id_type(char *); 392 uint8_t x2i(unsigned char *); 393 int parsekey(unsigned char *, size_t, struct iked_auth *); 394 int parsekeyfile(char *, struct iked_auth *); 395 void iaw_free(struct ipsec_addr_wrap *); 396 static int create_flow(struct iked_policy *pol, int, struct ipsec_addr_wrap *ipa, 397 struct ipsec_addr_wrap *ipb); 398 static int expand_flows(struct iked_policy *, int, struct ipsec_addr_wrap *, 399 struct ipsec_addr_wrap *); 400 static struct ipsec_addr_wrap * 401 expand_keyword(struct ipsec_addr_wrap *); 402 struct iked_radserver * 403 create_radserver(const char *, u_short, const char *); 404 405 struct ipsec_transforms *ipsec_transforms; 406 struct ipsec_filters *ipsec_filters; 407 struct ipsec_mode *ipsec_mode; 408 /* interface lookup routintes */ 409 struct ipsec_addr_wrap *iftab; 410 411 typedef struct { 412 union { 413 int64_t number; 414 unsigned int ikemode; 415 uint8_t dir; 416 uint8_t satype; 417 uint8_t accounting; 418 char *string; 419 uint16_t port; 420 struct ipsec_hosts *hosts; 421 struct ipsec_hosts peers; 422 struct ipsec_addr_wrap *anyhost; 423 struct ipsec_addr_wrap *host; 424 struct ipsec_addr_wrap *cfg; 425 struct ipsec_addr_wrap *proto; 426 struct { 427 char *srcid; 428 char *dstid; 429 } ids; 430 char *id; 431 uint8_t type; 432 struct iked_lifetime lifetime; 433 struct iked_auth ikeauth; 434 struct iked_auth ikekey; 435 struct ipsec_transforms *transforms; 436 struct ipsec_filters *filters; 437 struct ipsec_mode *mode; 438 struct { 439 uint32_t vendorid; 440 uint8_t attrtype; 441 } radattr; 442 } v; 443 int lineno; 444 } YYSTYPE; 445 446 %} 447 448 %token FROM ESP AH IN PEER ON OUT TO SRCID DSTID PSK PORT 449 %token FILENAME AUTHXF PRFXF ENCXF ERROR IKEV2 IKESA CHILDSA ESN NOESN 450 %token PASSIVE ACTIVE ANY TAG TAP PROTO LOCAL GROUP NAME CONFIG EAP USER 451 %token IKEV1 FLOW SA TCPMD5 TUNNEL TRANSPORT COUPLE DECOUPLE SET 452 %token INCLUDE LIFETIME BYTES INET INET6 QUICK SKIP DEFAULT 453 %token IPCOMP OCSP IKELIFETIME MOBIKE NOMOBIKE RDOMAIN 454 %token FRAGMENTATION NOFRAGMENTATION DPD_CHECK_INTERVAL 455 %token ENFORCESINGLEIKESA NOENFORCESINGLEIKESA 456 %token STICKYADDRESS NOSTICKYADDRESS 457 %token VENDORID NOVENDORID 458 %token TOLERATE MAXAGE DYNAMIC 459 %token CERTPARTIALCHAIN 460 %token REQUEST IFACE 461 %token RADIUS ACCOUNTING SERVER SECRET MAX_TRIES MAX_FAILOVERS 462 %token CLIENT DAE LISTEN ON NATT 463 %token <v.string> STRING 464 %token <v.number> NUMBER 465 %type <v.string> string 466 %type <v.satype> satype 467 %type <v.proto> proto proto_list protoval 468 %type <v.hosts> hosts hosts_list 469 %type <v.port> port 470 %type <v.number> portval af rdomain hexdecnumber 471 %type <v.peers> peers 472 %type <v.anyhost> anyhost 473 %type <v.host> host host_spec 474 %type <v.ids> ids 475 %type <v.id> id 476 %type <v.transforms> transforms 477 %type <v.filters> filters 478 %type <v.ikemode> ikeflags 479 %type <v.ikemode> ikematch ikemode ipcomp tmode natt_force 480 %type <v.ikeauth> ikeauth 481 %type <v.ikekey> keyspec 482 %type <v.mode> ike_sas child_sas 483 %type <v.lifetime> lifetime 484 %type <v.number> byte_spec time_spec ikelifetime 485 %type <v.string> name iface 486 %type <v.cfg> cfg ikecfg ikecfgvals 487 %type <v.string> transform_esn 488 %type <v.accounting> accounting 489 %type <v.radattr> radattr 490 %% 491 492 grammar : /* empty */ 493 | grammar include '\n' 494 | grammar '\n' 495 | grammar set '\n' 496 | grammar user '\n' 497 | grammar ikev2rule '\n' 498 | grammar radius '\n' 499 | grammar varset '\n' 500 | grammar otherrule skipline '\n' 501 | grammar error '\n' { file->errors++; } 502 ; 503 504 comma : ',' 505 | /* empty */ 506 ; 507 508 include : INCLUDE STRING { 509 struct file *nfile; 510 511 if ((nfile = pushfile($2, 1)) == NULL) { 512 yyerror("failed to include file %s", $2); 513 free($2); 514 YYERROR; 515 } 516 free($2); 517 518 file = nfile; 519 lungetc('\n'); 520 } 521 ; 522 523 set : SET ACTIVE { passive = 0; } 524 | SET PASSIVE { passive = 1; } 525 | SET COUPLE { decouple = 0; } 526 | SET DECOUPLE { decouple = 1; } 527 | SET FRAGMENTATION { fragmentation = 1; } 528 | SET NOFRAGMENTATION { fragmentation = 0; } 529 | SET MOBIKE { mobike = 1; } 530 | SET NOMOBIKE { mobike = 0; } 531 | SET VENDORID { vendorid = 1; } 532 | SET NOVENDORID { vendorid = 0; } 533 | SET ENFORCESINGLEIKESA { enforcesingleikesa = 1; } 534 | SET NOENFORCESINGLEIKESA { enforcesingleikesa = 0; } 535 | SET STICKYADDRESS { stickyaddress = 1; } 536 | SET NOSTICKYADDRESS { stickyaddress = 0; } 537 | SET OCSP STRING { 538 ocsp_url = $3; 539 } 540 | SET OCSP STRING TOLERATE time_spec { 541 ocsp_url = $3; 542 ocsp_tolerate = $5; 543 } 544 | SET OCSP STRING TOLERATE time_spec MAXAGE time_spec { 545 ocsp_url = $3; 546 ocsp_tolerate = $5; 547 ocsp_maxage = $7; 548 } 549 | SET CERTPARTIALCHAIN { 550 cert_partial_chain = 1; 551 } 552 | SET DPD_CHECK_INTERVAL NUMBER { 553 if ($3 < 0) { 554 yyerror("timeout outside range"); 555 YYERROR; 556 } 557 dpd_interval = $3; 558 } 559 ; 560 561 user : USER STRING STRING { 562 if (create_user($2, $3) == -1) 563 YYERROR; 564 free($2); 565 freezero($3, strlen($3)); 566 } 567 ; 568 569 ikev2rule : IKEV2 name ikeflags satype af proto rdomain hosts_list peers 570 ike_sas child_sas ids ikelifetime lifetime ikeauth ikecfg 571 iface filters { 572 if (create_ike($2, $5, $6, $7, $8, &$9, $10, $11, $4, 573 $3, $12.srcid, $12.dstid, $13, &$14, &$15, 574 $18, $16, $17) == -1) { 575 yyerror("create_ike failed"); 576 YYERROR; 577 } 578 } 579 ; 580 581 ikecfg : /* empty */ { $$ = NULL; } 582 | ikecfgvals { $$ = $1; } 583 ; 584 585 ikecfgvals : cfg { $$ = $1; } 586 | ikecfgvals cfg { 587 if ($2 == NULL) 588 $$ = $1; 589 else if ($1 == NULL) 590 $$ = $2; 591 else { 592 $1->tail->next = $2; 593 $1->tail = $2->tail; 594 $$ = $1; 595 } 596 } 597 ; 598 599 cfg : CONFIG STRING host_spec { 600 const struct ipsec_xf *xf; 601 602 if ((xf = parse_xf($2, $3->af, cpxfs)) == NULL) { 603 yyerror("not a valid ikecfg option"); 604 free($2); 605 free($3); 606 YYERROR; 607 } 608 free($2); 609 $$ = $3; 610 $$->type = xf->id; 611 $$->action = IKEV2_CP_REPLY; /* XXX */ 612 } 613 | REQUEST STRING anyhost { 614 const struct ipsec_xf *xf; 615 616 if ((xf = parse_xf($2, $3->af, cpxfs)) == NULL) { 617 yyerror("not a valid ikecfg option"); 618 free($2); 619 free($3); 620 YYERROR; 621 } 622 free($2); 623 $$ = $3; 624 $$->type = xf->id; 625 $$->action = IKEV2_CP_REQUEST; /* XXX */ 626 } 627 ; 628 629 name : /* empty */ { $$ = NULL; } 630 | STRING { 631 $$ = $1; 632 } 633 634 satype : /* empty */ { $$ = IKEV2_SAPROTO_ESP; } 635 | ESP { $$ = IKEV2_SAPROTO_ESP; } 636 | AH { $$ = IKEV2_SAPROTO_AH; } 637 ; 638 639 af : /* empty */ { $$ = AF_UNSPEC; } 640 | INET { $$ = AF_INET; } 641 | INET6 { $$ = AF_INET6; } 642 ; 643 644 proto : /* empty */ { $$ = NULL; } 645 | PROTO protoval { $$ = $2; } 646 | PROTO '{' proto_list '}' { $$ = $3; } 647 ; 648 649 proto_list : protoval { $$ = $1; } 650 | proto_list comma protoval { 651 if ($3 == NULL) 652 $$ = $1; 653 else if ($1 == NULL) 654 $$ = $3; 655 else { 656 $1->tail->next = $3; 657 $1->tail = $3->tail; 658 $$ = $1; 659 } 660 } 661 ; 662 663 protoval : STRING { 664 struct protoent *p; 665 666 p = getprotobyname($1); 667 if (p == NULL) { 668 yyerror("unknown protocol: %s", $1); 669 YYERROR; 670 } 671 672 if (($$ = calloc(1, sizeof(*$$))) == NULL) 673 err(1, "protoval: calloc"); 674 675 $$->type = p->p_proto; 676 $$->tail = $$; 677 free($1); 678 } 679 | NUMBER { 680 if ($1 > 255 || $1 < 0) { 681 yyerror("protocol outside range"); 682 YYERROR; 683 } 684 if (($$ = calloc(1, sizeof(*$$))) == NULL) 685 err(1, "protoval: calloc"); 686 687 $$->type = $1; 688 $$->tail = $$; 689 } 690 ; 691 692 rdomain : /* empty */ { $$ = -1; } 693 | RDOMAIN NUMBER { 694 if ($2 > 255 || $2 < 0) { 695 yyerror("rdomain outside range"); 696 YYERROR; 697 } 698 $$ = $2; 699 } 700 701 hosts_list : hosts { $$ = $1; } 702 | hosts_list comma hosts { 703 if ($3 == NULL) 704 $$ = $1; 705 else if ($1 == NULL) 706 $$ = $3; 707 else { 708 $1->src->tail->next = $3->src; 709 $1->src->tail = $3->src->tail; 710 $1->dst->tail->next = $3->dst; 711 $1->dst->tail = $3->dst->tail; 712 $$ = $1; 713 free($3); 714 } 715 } 716 ; 717 718 hosts : FROM host port TO host port { 719 struct ipsec_addr_wrap *ipa; 720 for (ipa = $5; ipa; ipa = ipa->next) { 721 if (ipa->srcnat) { 722 yyerror("no flow NAT support for" 723 " destination network: %s", 724 ipa->name); 725 YYERROR; 726 } 727 } 728 729 if (($$ = calloc(1, sizeof(*$$))) == NULL) 730 err(1, "hosts: calloc"); 731 732 $$->src = $2; 733 $$->src->port = $3; 734 $$->dst = $5; 735 $$->dst->port = $6; 736 } 737 | TO host port FROM host port { 738 struct ipsec_addr_wrap *ipa; 739 for (ipa = $2; ipa; ipa = ipa->next) { 740 if (ipa->srcnat) { 741 yyerror("no flow NAT support for" 742 " destination network: %s", 743 ipa->name); 744 YYERROR; 745 } 746 } 747 if (($$ = calloc(1, sizeof(*$$))) == NULL) 748 err(1, "hosts: calloc"); 749 750 $$->src = $5; 751 $$->src->port = $6; 752 $$->dst = $2; 753 $$->dst->port = $3; 754 } 755 ; 756 757 port : /* empty */ { $$ = 0; } 758 | PORT portval { $$ = $2; } 759 ; 760 761 portval : STRING { 762 struct servent *s; 763 764 if ((s = getservbyname($1, "tcp")) != NULL || 765 (s = getservbyname($1, "udp")) != NULL) { 766 $$ = s->s_port; 767 } else { 768 yyerror("unknown port: %s", $1); 769 YYERROR; 770 } 771 free($1); 772 } 773 | NUMBER { 774 if ($1 > USHRT_MAX || $1 < 0) { 775 yyerror("port outside range"); 776 YYERROR; 777 } 778 $$ = htons($1); 779 } 780 ; 781 782 peers : /* empty */ { 783 $$.dst = NULL; 784 $$.src = NULL; 785 } 786 | PEER anyhost LOCAL anyhost { 787 $$.dst = $2; 788 $$.src = $4; 789 } 790 | LOCAL anyhost PEER anyhost { 791 $$.dst = $4; 792 $$.src = $2; 793 } 794 | PEER anyhost { 795 $$.dst = $2; 796 $$.src = NULL; 797 } 798 | LOCAL anyhost { 799 $$.dst = NULL; 800 $$.src = $2; 801 } 802 ; 803 804 anyhost : host_spec { $$ = $1; } 805 | ANY { 806 $$ = host_any(); 807 } 808 809 host_spec : STRING { 810 if (($$ = host($1)) == NULL) { 811 free($1); 812 yyerror("could not parse host specification"); 813 YYERROR; 814 } 815 free($1); 816 } 817 | STRING '/' NUMBER { 818 char *buf; 819 820 if (asprintf(&buf, "%s/%lld", $1, $3) == -1) 821 err(1, "host: asprintf"); 822 free($1); 823 if (($$ = host(buf)) == NULL) { 824 free(buf); 825 yyerror("could not parse host specification"); 826 YYERROR; 827 } 828 free(buf); 829 } 830 ; 831 832 host : host_spec { $$ = $1; } 833 | host_spec '(' host_spec ')' { 834 if (($1->af != AF_UNSPEC) && ($3->af != AF_UNSPEC) && 835 ($3->af != $1->af)) { 836 yyerror("Flow NAT address family mismatch"); 837 YYERROR; 838 } 839 $$ = $1; 840 $$->srcnat = $3; 841 } 842 | ANY { 843 $$ = host_any(); 844 } 845 | DYNAMIC { 846 $$ = host_dynamic(); 847 } 848 ; 849 850 ids : /* empty */ { 851 $$.srcid = NULL; 852 $$.dstid = NULL; 853 } 854 | SRCID id DSTID id { 855 $$.srcid = $2; 856 $$.dstid = $4; 857 } 858 | SRCID id { 859 $$.srcid = $2; 860 $$.dstid = NULL; 861 } 862 | DSTID id { 863 $$.srcid = NULL; 864 $$.dstid = $2; 865 } 866 ; 867 868 id : STRING { $$ = $1; } 869 ; 870 871 transforms : { 872 if ((ipsec_transforms = calloc(1, 873 sizeof(struct ipsec_transforms))) == NULL) 874 err(1, "transforms: calloc"); 875 } 876 transforms_l { 877 $$ = ipsec_transforms; 878 } 879 | /* empty */ { 880 $$ = NULL; 881 } 882 ; 883 884 transforms_l : transforms_l transform 885 | transform 886 ; 887 888 transform : AUTHXF STRING { 889 const struct ipsec_xf **xfs = ipsec_transforms->authxf; 890 size_t nxfs = ipsec_transforms->nauthxf; 891 xfs = recallocarray(xfs, nxfs, nxfs + 1, 892 sizeof(struct ipsec_xf *)); 893 if (xfs == NULL) 894 err(1, "transform: recallocarray"); 895 if ((xfs[nxfs] = parse_xf($2, 0, authxfs)) == NULL) { 896 yyerror("%s not a valid transform", $2); 897 YYERROR; 898 } 899 free($2); 900 ipsec_transforms->authxf = xfs; 901 ipsec_transforms->nauthxf++; 902 } 903 | ENCXF STRING { 904 const struct ipsec_xf **xfs = ipsec_transforms->encxf; 905 size_t nxfs = ipsec_transforms->nencxf; 906 xfs = recallocarray(xfs, nxfs, nxfs + 1, 907 sizeof(struct ipsec_xf *)); 908 if (xfs == NULL) 909 err(1, "transform: recallocarray"); 910 if ((xfs[nxfs] = parse_xf($2, 0, encxfs)) == NULL) { 911 yyerror("%s not a valid transform", $2); 912 YYERROR; 913 } 914 free($2); 915 ipsec_transforms->encxf = xfs; 916 ipsec_transforms->nencxf++; 917 } 918 | PRFXF STRING { 919 const struct ipsec_xf **xfs = ipsec_transforms->prfxf; 920 size_t nxfs = ipsec_transforms->nprfxf; 921 xfs = recallocarray(xfs, nxfs, nxfs + 1, 922 sizeof(struct ipsec_xf *)); 923 if (xfs == NULL) 924 err(1, "transform: recallocarray"); 925 if ((xfs[nxfs] = parse_xf($2, 0, prfxfs)) == NULL) { 926 yyerror("%s not a valid transform", $2); 927 YYERROR; 928 } 929 free($2); 930 ipsec_transforms->prfxf = xfs; 931 ipsec_transforms->nprfxf++; 932 } 933 | GROUP STRING { 934 const struct ipsec_xf **xfs = ipsec_transforms->groupxf; 935 size_t nxfs = ipsec_transforms->ngroupxf; 936 xfs = recallocarray(xfs, nxfs, nxfs + 1, 937 sizeof(struct ipsec_xf *)); 938 if (xfs == NULL) 939 err(1, "transform: recallocarray"); 940 if ((xfs[nxfs] = parse_xf($2, 0, groupxfs)) == NULL) { 941 yyerror("%s not a valid transform", $2); 942 YYERROR; 943 } 944 free($2); 945 ipsec_transforms->groupxf = xfs; 946 ipsec_transforms->ngroupxf++; 947 } 948 | transform_esn { 949 const struct ipsec_xf **xfs = ipsec_transforms->esnxf; 950 size_t nxfs = ipsec_transforms->nesnxf; 951 xfs = recallocarray(xfs, nxfs, nxfs + 1, 952 sizeof(struct ipsec_xf *)); 953 if (xfs == NULL) 954 err(1, "transform: recallocarray"); 955 if ((xfs[nxfs] = parse_xf($1, 0, esnxfs)) == NULL) { 956 yyerror("%s not a valid transform", $1); 957 YYERROR; 958 } 959 ipsec_transforms->esnxf = xfs; 960 ipsec_transforms->nesnxf++; 961 } 962 ; 963 964 transform_esn : ESN { $$ = "esn"; } 965 | NOESN { $$ = "noesn"; } 966 ; 967 968 ike_sas : { 969 if ((ipsec_mode = calloc(1, 970 sizeof(struct ipsec_mode))) == NULL) 971 err(1, "ike_sas: calloc"); 972 } 973 ike_sas_l { 974 $$ = ipsec_mode; 975 } 976 | /* empty */ { 977 $$ = NULL; 978 } 979 ; 980 981 ike_sas_l : ike_sas_l ike_sa 982 | ike_sa 983 ; 984 985 ike_sa : IKESA { 986 if ((ipsec_mode->xfs = recallocarray(ipsec_mode->xfs, 987 ipsec_mode->nxfs, ipsec_mode->nxfs + 1, 988 sizeof(struct ipsec_transforms *))) == NULL) 989 err(1, "ike_sa: recallocarray"); 990 ipsec_mode->nxfs++; 991 encxfs = ikeencxfs; 992 } transforms { 993 ipsec_mode->xfs[ipsec_mode->nxfs - 1] = $3; 994 } 995 ; 996 997 child_sas : { 998 if ((ipsec_mode = calloc(1, 999 sizeof(struct ipsec_mode))) == NULL) 1000 err(1, "child_sas: calloc"); 1001 } 1002 child_sas_l { 1003 $$ = ipsec_mode; 1004 } 1005 | /* empty */ { 1006 $$ = NULL; 1007 } 1008 ; 1009 1010 child_sas_l : child_sas_l child_sa 1011 | child_sa 1012 ; 1013 1014 child_sa : CHILDSA { 1015 if ((ipsec_mode->xfs = recallocarray(ipsec_mode->xfs, 1016 ipsec_mode->nxfs, ipsec_mode->nxfs + 1, 1017 sizeof(struct ipsec_transforms *))) == NULL) 1018 err(1, "child_sa: recallocarray"); 1019 ipsec_mode->nxfs++; 1020 encxfs = ipsecencxfs; 1021 } transforms { 1022 ipsec_mode->xfs[ipsec_mode->nxfs - 1] = $3; 1023 } 1024 ; 1025 1026 ikeflags : ikematch ikemode ipcomp tmode natt_force { 1027 $$ = $1 | $2 | $3 | $4 | $5; 1028 } 1029 ; 1030 1031 ikematch : /* empty */ { $$ = 0; } 1032 | QUICK { $$ = IKED_POLICY_QUICK; } 1033 | SKIP { $$ = IKED_POLICY_SKIP; } 1034 | DEFAULT { $$ = IKED_POLICY_DEFAULT; } 1035 ; 1036 1037 ikemode : /* empty */ { $$ = IKED_POLICY_PASSIVE; } 1038 | PASSIVE { $$ = IKED_POLICY_PASSIVE; } 1039 | ACTIVE { $$ = IKED_POLICY_ACTIVE; } 1040 ; 1041 1042 ipcomp : /* empty */ { $$ = 0; } 1043 | IPCOMP { $$ = IKED_POLICY_IPCOMP; } 1044 ; 1045 1046 tmode : /* empty */ { $$ = 0; } 1047 | TUNNEL { $$ = 0; } 1048 | TRANSPORT { $$ = IKED_POLICY_TRANSPORT; } 1049 ; 1050 1051 natt_force : /* empty */ { $$ = 0; } 1052 | NATT { $$ = IKED_POLICY_NATT_FORCE; } 1053 ; 1054 1055 ikeauth : /* empty */ { 1056 $$.auth_method = IKEV2_AUTH_SIG_ANY; /* default */ 1057 $$.auth_eap = 0; 1058 $$.auth_length = 0; 1059 } 1060 | PSK keyspec { 1061 memcpy(&$$, &$2, sizeof($$)); 1062 $$.auth_method = IKEV2_AUTH_SHARED_KEY_MIC; 1063 $$.auth_eap = 0; 1064 explicit_bzero(&$2, sizeof($2)); 1065 } 1066 | EAP RADIUS { 1067 $$.auth_method = IKEV2_AUTH_SIG_ANY; 1068 $$.auth_eap = EAP_TYPE_RADIUS; 1069 $$.auth_length = 0; 1070 } 1071 | EAP STRING { 1072 unsigned int i; 1073 1074 for (i = 0; i < strlen($2); i++) 1075 if ($2[i] == '-') 1076 $2[i] = '_'; 1077 1078 if (strcasecmp("mschap_v2", $2) == 0) 1079 $$.auth_eap = EAP_TYPE_MSCHAP_V2; 1080 else if (strcasecmp("radius", $2) == 0) 1081 $$.auth_eap = EAP_TYPE_RADIUS; 1082 else { 1083 yyerror("unsupported EAP method: %s", $2); 1084 free($2); 1085 YYERROR; 1086 } 1087 free($2); 1088 1089 $$.auth_method = IKEV2_AUTH_SIG_ANY; 1090 $$.auth_length = 0; 1091 } 1092 | STRING { 1093 const struct ipsec_xf *xf; 1094 1095 if ((xf = parse_xf($1, 0, methodxfs)) == NULL || 1096 xf->id == IKEV2_AUTH_NONE) { 1097 yyerror("not a valid authentication mode"); 1098 free($1); 1099 YYERROR; 1100 } 1101 free($1); 1102 1103 $$.auth_method = xf->id; 1104 $$.auth_eap = 0; 1105 $$.auth_length = 0; 1106 } 1107 ; 1108 1109 byte_spec : NUMBER { 1110 $$ = $1; 1111 } 1112 | STRING { 1113 uint64_t bytes = 0; 1114 char unit = 0; 1115 1116 if (sscanf($1, "%llu%c", &bytes, &unit) != 2) { 1117 yyerror("invalid byte specification: %s", $1); 1118 YYERROR; 1119 } 1120 free($1); 1121 switch (toupper((unsigned char)unit)) { 1122 case 'K': 1123 bytes *= 1024; 1124 break; 1125 case 'M': 1126 bytes *= 1024 * 1024; 1127 break; 1128 case 'G': 1129 bytes *= 1024 * 1024 * 1024; 1130 break; 1131 default: 1132 yyerror("invalid byte unit"); 1133 YYERROR; 1134 } 1135 $$ = bytes; 1136 } 1137 ; 1138 1139 time_spec : NUMBER { 1140 $$ = $1; 1141 } 1142 | STRING { 1143 uint64_t seconds = 0; 1144 char unit = 0; 1145 1146 if (sscanf($1, "%llu%c", &seconds, &unit) != 2) { 1147 yyerror("invalid time specification: %s", $1); 1148 YYERROR; 1149 } 1150 free($1); 1151 switch (tolower((unsigned char)unit)) { 1152 case 'm': 1153 seconds *= 60; 1154 break; 1155 case 'h': 1156 seconds *= 60 * 60; 1157 break; 1158 default: 1159 yyerror("invalid time unit"); 1160 YYERROR; 1161 } 1162 $$ = seconds; 1163 } 1164 ; 1165 1166 lifetime : /* empty */ { 1167 $$ = deflifetime; 1168 } 1169 | LIFETIME time_spec { 1170 $$.lt_seconds = $2; 1171 $$.lt_bytes = deflifetime.lt_bytes; 1172 } 1173 | LIFETIME time_spec BYTES byte_spec { 1174 $$.lt_seconds = $2; 1175 $$.lt_bytes = $4; 1176 } 1177 ; 1178 1179 ikelifetime : /* empty */ { 1180 $$ = 0; 1181 } 1182 | IKELIFETIME time_spec { 1183 $$ = $2; 1184 } 1185 1186 keyspec : STRING { 1187 uint8_t *hex; 1188 1189 bzero(&$$, sizeof($$)); 1190 1191 hex = $1; 1192 if (strncmp(hex, "0x", 2) == 0) { 1193 hex += 2; 1194 if (parsekey(hex, strlen(hex), &$$) != 0) { 1195 free($1); 1196 YYERROR; 1197 } 1198 } else { 1199 if (strlen($1) > sizeof($$.auth_data)) { 1200 yyerror("psk too long"); 1201 free($1); 1202 YYERROR; 1203 } 1204 strlcpy($$.auth_data, $1, 1205 sizeof($$.auth_data)); 1206 $$.auth_length = strlen($1); 1207 } 1208 freezero($1, strlen($1)); 1209 } 1210 | FILENAME STRING { 1211 if (parsekeyfile($2, &$$) != 0) { 1212 free($2); 1213 YYERROR; 1214 } 1215 free($2); 1216 } 1217 ; 1218 1219 filters : { 1220 if ((ipsec_filters = calloc(1, 1221 sizeof(struct ipsec_filters))) == NULL) 1222 err(1, "filters: calloc"); 1223 } 1224 filters_l { 1225 $$ = ipsec_filters; 1226 } 1227 | /* empty */ { 1228 $$ = NULL; 1229 } 1230 ; 1231 1232 filters_l : filters_l filter 1233 | filter 1234 ; 1235 1236 filter : TAG STRING 1237 { 1238 ipsec_filters->tag = $2; 1239 } 1240 | TAP STRING 1241 { 1242 const char *errstr = NULL; 1243 size_t len; 1244 1245 len = strcspn($2, "0123456789"); 1246 if (strlen("enc") != len || 1247 strncmp("enc", $2, len) != 0) { 1248 yyerror("invalid tap interface name: %s", $2); 1249 free($2); 1250 YYERROR; 1251 } 1252 ipsec_filters->tap = 1253 strtonum($2 + len, 0, UINT_MAX, &errstr); 1254 free($2); 1255 if (errstr != NULL) { 1256 yyerror("invalid tap interface unit: %s", 1257 errstr); 1258 YYERROR; 1259 } 1260 } 1261 ; 1262 1263 iface : { 1264 $$ = NULL; 1265 } 1266 | IFACE STRING { 1267 $$ = $2; 1268 } 1269 1270 string : string STRING 1271 { 1272 if (asprintf(&$$, "%s %s", $1, $2) == -1) 1273 err(1, "string: asprintf"); 1274 free($1); 1275 free($2); 1276 } 1277 | STRING 1278 ; 1279 1280 radius : RADIUS accounting SERVER STRING port SECRET STRING 1281 { 1282 int ret, gai_err; 1283 struct addrinfo hints, *ai; 1284 u_short port; 1285 1286 memset(&hints, 0, sizeof(hints)); 1287 hints.ai_family = PF_UNSPEC; 1288 hints.ai_socktype = SOCK_DGRAM; 1289 hints.ai_flags = AI_PASSIVE | AI_NUMERICHOST; 1290 if ((gai_err = getaddrinfo($4, NULL, &hints, &ai)) 1291 != 0) { 1292 yyerror("could not parse the address: %s: %s", 1293 $4, gai_strerror(gai_err)); 1294 free($4); 1295 explicit_bzero($7, strlen($7)); 1296 free($7); 1297 YYERROR; 1298 } 1299 port = $5; 1300 if (port == 0) 1301 port = htons((!$2)? RADIUS_DEFAULT_PORT : 1302 RADIUS_ACCT_DEFAULT_PORT); 1303 socket_af(ai->ai_addr, port); 1304 if ((ret = config_setradserver(env, ai->ai_addr, 1305 ai->ai_addrlen, $7, $2)) != 0) { 1306 yyerror("could not set radius server"); 1307 free($4); 1308 explicit_bzero($7, strlen($7)); 1309 free($7); 1310 YYERROR; 1311 } 1312 explicit_bzero($7, strlen($7)); 1313 freeaddrinfo(ai); 1314 free($4); 1315 free($7); 1316 } 1317 | RADIUS accounting MAX_TRIES NUMBER { 1318 if ($4 <= 0) { 1319 yyerror("max-tries must a positive value"); 1320 YYERROR; 1321 } 1322 if ($2) 1323 radacct.max_tries = $4; 1324 else 1325 radauth.max_tries = $4; 1326 } 1327 | RADIUS accounting MAX_FAILOVERS NUMBER { 1328 if ($4 < 0) { 1329 yyerror("max-failovers must be 0 or a " 1330 "positive value"); 1331 YYERROR; 1332 } 1333 if ($2) 1334 radacct.max_failovers = $4; 1335 else 1336 radauth.max_failovers = $4; 1337 } 1338 | RADIUS CONFIG af STRING radattr { 1339 const struct ipsec_xf *xf; 1340 int af, cfgtype; 1341 1342 af = $3; 1343 if (af == AF_UNSPEC) 1344 af = AF_INET; 1345 if (strcmp($4, "none") == 0) 1346 cfgtype = 0; 1347 else { 1348 if ((xf = parse_xf($4, af, cpxfs)) == NULL || 1349 xf->id == IKEV2_CFG_INTERNAL_IP4_SUBNET || 1350 xf->id == IKEV2_CFG_INTERNAL_IP6_SUBNET) { 1351 yyerror("not a valid ikecfg option"); 1352 free($4); 1353 YYERROR; 1354 } 1355 cfgtype = xf->id; 1356 } 1357 free($4); 1358 config_setradcfgmap(env, cfgtype, $5.vendorid, 1359 $5.attrtype); 1360 } 1361 | RADIUS DAE LISTEN ON STRING port { 1362 int ret, gai_err; 1363 struct addrinfo hints, *ai; 1364 u_short port; 1365 1366 memset(&hints, 0, sizeof(hints)); 1367 hints.ai_family = PF_UNSPEC; 1368 hints.ai_socktype = SOCK_DGRAM; 1369 hints.ai_flags = AI_PASSIVE | AI_NUMERICHOST; 1370 if ((gai_err = getaddrinfo($5, NULL, &hints, &ai)) 1371 != 0) { 1372 yyerror("could not parse the address: %s: %s", 1373 $5, gai_strerror(gai_err)); 1374 free($5); 1375 YYERROR; 1376 } 1377 port = $6; 1378 if (port == 0) 1379 port = htons(RADIUS_DAE_DEFAULT_PORT); 1380 socket_af(ai->ai_addr, port); 1381 if ((ret = config_setraddae(env, ai->ai_addr, 1382 ai->ai_addrlen)) != 0) { 1383 yyerror("could not set radius server"); 1384 free($5); 1385 YYERROR; 1386 } 1387 freeaddrinfo(ai); 1388 free($5); 1389 } 1390 | RADIUS DAE CLIENT STRING SECRET STRING { 1391 int gai_err; 1392 struct addrinfo hints, *ai; 1393 1394 memset(&hints, 0, sizeof(hints)); 1395 hints.ai_family = PF_UNSPEC; 1396 hints.ai_socktype = SOCK_DGRAM; 1397 hints.ai_flags = AI_PASSIVE | AI_NUMERICHOST; 1398 if ((gai_err = getaddrinfo($4, NULL, &hints, &ai)) 1399 != 0) { 1400 yyerror("could not parse the address: %s: %s", 1401 $4, gai_strerror(gai_err)); 1402 free($4); 1403 explicit_bzero($6, strlen($6)); 1404 free($6); 1405 YYERROR; 1406 } 1407 config_setradclient(env, ai->ai_addr, ai->ai_addrlen, 1408 $6); 1409 free($4); 1410 explicit_bzero($6, strlen($6)); 1411 free($6); 1412 freeaddrinfo(ai); 1413 } 1414 ; 1415 1416 radattr : hexdecnumber hexdecnumber { 1417 if ($1 < 0 || 0xffffffL < $1) { 1418 yyerror("vendor-id must be in 0-0xffffff"); 1419 YYERROR; 1420 } 1421 if ($2 < 0 || 256 <= $2) { 1422 yyerror("attribute type must be in 0-255"); 1423 YYERROR; 1424 } 1425 $$.vendorid = $1; 1426 $$.attrtype = $2; 1427 } 1428 | hexdecnumber { 1429 if ($1 < 0 || 256 <= $1) { 1430 yyerror("attribute type must be in 0-255"); 1431 YYERROR; 1432 } 1433 $$.vendorid = 0; 1434 $$.attrtype = $1; 1435 } 1436 1437 hexdecnumber : STRING { 1438 const char *errstr; 1439 char *ep; 1440 uintmax_t ul; 1441 1442 if ($1[0] == '0' && $1[1] == 'x' && isxdigit($1[2])) { 1443 ul = strtoumax($1 + 2, &ep, 16); 1444 if (*ep != '\0') { 1445 yyerror("`%s' is not a number", $1); 1446 free($1); 1447 YYERROR; 1448 } 1449 if (ul == UINTMAX_MAX || ul > UINT64_MAX) { 1450 yyerror("`%s' is out-of-range", $1); 1451 free($1); 1452 YYERROR; 1453 } 1454 $$ = ul; 1455 } else { 1456 $$ = strtonum($1, 0, UINT64_MAX, &errstr); 1457 if (errstr != NULL) { 1458 yyerror("`%s' is %s", $1, errstr); 1459 free($1); 1460 YYERROR; 1461 } 1462 } 1463 free($1); 1464 } 1465 | NUMBER 1466 ; 1467 1468 accounting : { 1469 $$ = 0; 1470 } 1471 | ACCOUNTING { 1472 $$ = 1; 1473 } 1474 ; 1475 1476 varset : STRING '=' string 1477 { 1478 char *s = $1; 1479 log_debug("%s = \"%s\"\n", $1, $3); 1480 while (*s++) { 1481 if (isspace((unsigned char)*s)) { 1482 yyerror("macro name cannot contain " 1483 "whitespace"); 1484 free($1); 1485 free($3); 1486 YYERROR; 1487 } 1488 } 1489 if (symset($1, $3, 0) == -1) 1490 err(1, "cannot store variable"); 1491 free($1); 1492 free($3); 1493 } 1494 ; 1495 1496 /* 1497 * ignore IKEv1/manual keying rules in ipsec.conf 1498 */ 1499 otherrule : IKEV1 1500 | sarule 1501 | FLOW 1502 | TCPMD5 1503 ; 1504 1505 /* manual keying SAs might start with the following keywords */ 1506 sarule : SA 1507 | FROM 1508 | TO 1509 | TUNNEL 1510 | TRANSPORT 1511 ; 1512 1513 /* ignore everything to the end of the line */ 1514 skipline : 1515 { 1516 int c; 1517 1518 while ((c = lgetc(0)) != '\n' && c != EOF) 1519 ; /* nothing */ 1520 if (c == '\n') 1521 lungetc(c); 1522 } 1523 ; 1524 %% 1525 1526 struct keywords { 1527 const char *k_name; 1528 int k_val; 1529 }; 1530 1531 void 1532 copy_sockaddrtoipa(struct ipsec_addr_wrap *ipa, struct sockaddr *sa) 1533 { 1534 if (sa->sa_family == AF_INET6) 1535 memcpy(&ipa->address, sa, sizeof(struct sockaddr_in6)); 1536 else if (sa->sa_family == AF_INET) 1537 memcpy(&ipa->address, sa, sizeof(struct sockaddr_in)); 1538 else 1539 warnx("unhandled af %d", sa->sa_family); 1540 } 1541 1542 int 1543 yyerror(const char *fmt, ...) 1544 { 1545 va_list ap; 1546 1547 file->errors++; 1548 va_start(ap, fmt); 1549 fprintf(stderr, "%s: %d: ", file->name, yylval.lineno); 1550 vfprintf(stderr, fmt, ap); 1551 fprintf(stderr, "\n"); 1552 va_end(ap); 1553 return (0); 1554 } 1555 1556 int 1557 kw_cmp(const void *k, const void *e) 1558 { 1559 return (strcmp(k, ((const struct keywords *)e)->k_name)); 1560 } 1561 1562 int 1563 lookup(char *s) 1564 { 1565 /* this has to be sorted always */ 1566 static const struct keywords keywords[] = { 1567 { "accounting", ACCOUNTING }, 1568 { "active", ACTIVE }, 1569 { "ah", AH }, 1570 { "any", ANY }, 1571 { "auth", AUTHXF }, 1572 { "bytes", BYTES }, 1573 { "cert_partial_chain", CERTPARTIALCHAIN }, 1574 { "childsa", CHILDSA }, 1575 { "client", CLIENT }, 1576 { "config", CONFIG }, 1577 { "couple", COUPLE }, 1578 { "dae", DAE }, 1579 { "decouple", DECOUPLE }, 1580 { "default", DEFAULT }, 1581 { "dpd_check_interval", DPD_CHECK_INTERVAL }, 1582 { "dstid", DSTID }, 1583 { "dynamic", DYNAMIC }, 1584 { "eap", EAP }, 1585 { "enc", ENCXF }, 1586 { "enforcesingleikesa", ENFORCESINGLEIKESA }, 1587 { "esn", ESN }, 1588 { "esp", ESP }, 1589 { "file", FILENAME }, 1590 { "flow", FLOW }, 1591 { "fragmentation", FRAGMENTATION }, 1592 { "from", FROM }, 1593 { "group", GROUP }, 1594 { "iface", IFACE }, 1595 { "ike", IKEV1 }, 1596 { "ikelifetime", IKELIFETIME }, 1597 { "ikesa", IKESA }, 1598 { "ikev2", IKEV2 }, 1599 { "include", INCLUDE }, 1600 { "inet", INET }, 1601 { "inet6", INET6 }, 1602 { "ipcomp", IPCOMP }, 1603 { "lifetime", LIFETIME }, 1604 { "listen", LISTEN }, 1605 { "local", LOCAL }, 1606 { "max-failovers", MAX_FAILOVERS}, 1607 { "max-tries", MAX_TRIES }, 1608 { "maxage", MAXAGE }, 1609 { "mobike", MOBIKE }, 1610 { "name", NAME }, 1611 { "natt", NATT }, 1612 { "noenforcesingleikesa", NOENFORCESINGLEIKESA }, 1613 { "noesn", NOESN }, 1614 { "nofragmentation", NOFRAGMENTATION }, 1615 { "nomobike", NOMOBIKE }, 1616 { "nostickyaddress", NOSTICKYADDRESS }, 1617 { "novendorid", NOVENDORID }, 1618 { "ocsp", OCSP }, 1619 { "on", ON }, 1620 { "passive", PASSIVE }, 1621 { "peer", PEER }, 1622 { "port", PORT }, 1623 { "prf", PRFXF }, 1624 { "proto", PROTO }, 1625 { "psk", PSK }, 1626 { "quick", QUICK }, 1627 { "radius", RADIUS }, 1628 { "rdomain", RDOMAIN }, 1629 { "request", REQUEST }, 1630 { "sa", SA }, 1631 { "secret", SECRET }, 1632 { "server", SERVER }, 1633 { "set", SET }, 1634 { "skip", SKIP }, 1635 { "srcid", SRCID }, 1636 { "stickyaddress", STICKYADDRESS }, 1637 { "tag", TAG }, 1638 { "tap", TAP }, 1639 { "tcpmd5", TCPMD5 }, 1640 { "to", TO }, 1641 { "tolerate", TOLERATE }, 1642 { "transport", TRANSPORT }, 1643 { "tunnel", TUNNEL }, 1644 { "user", USER }, 1645 { "vendorid", VENDORID } 1646 }; 1647 const struct keywords *p; 1648 1649 p = bsearch(s, keywords, sizeof(keywords)/sizeof(keywords[0]), 1650 sizeof(keywords[0]), kw_cmp); 1651 1652 if (p) { 1653 if (debug > 1) 1654 fprintf(stderr, "%s: %d\n", s, p->k_val); 1655 return (p->k_val); 1656 } else { 1657 if (debug > 1) 1658 fprintf(stderr, "string: %s\n", s); 1659 return (STRING); 1660 } 1661 } 1662 1663 #define START_EXPAND 1 1664 #define DONE_EXPAND 2 1665 1666 static int expanding; 1667 1668 int 1669 igetc(void) 1670 { 1671 int c; 1672 1673 while (1) { 1674 if (file->ungetpos > 0) 1675 c = file->ungetbuf[--file->ungetpos]; 1676 else 1677 c = getc(file->stream); 1678 1679 if (c == START_EXPAND) 1680 expanding = 1; 1681 else if (c == DONE_EXPAND) 1682 expanding = 0; 1683 else 1684 break; 1685 } 1686 return (c); 1687 } 1688 1689 int 1690 lgetc(int quotec) 1691 { 1692 int c, next; 1693 1694 if (quotec) { 1695 if ((c = igetc()) == EOF) { 1696 yyerror("reached end of file while parsing " 1697 "quoted string"); 1698 if (file == topfile || popfile() == EOF) 1699 return (EOF); 1700 return (quotec); 1701 } 1702 return (c); 1703 } 1704 1705 while ((c = igetc()) == '\\') { 1706 next = igetc(); 1707 if (next != '\n') { 1708 c = next; 1709 break; 1710 } 1711 yylval.lineno = file->lineno; 1712 file->lineno++; 1713 } 1714 1715 while (c == EOF) { 1716 /* 1717 * Fake EOL when hit EOF for the first time. This gets line 1718 * count right if last line in included file is syntactically 1719 * invalid and has no newline. 1720 */ 1721 if (file->eof_reached == 0) { 1722 file->eof_reached = 1; 1723 return ('\n'); 1724 } 1725 while (c == EOF) { 1726 if (file == topfile || popfile() == EOF) 1727 return (EOF); 1728 c = igetc(); 1729 } 1730 } 1731 return (c); 1732 } 1733 1734 void 1735 lungetc(int c) 1736 { 1737 if (c == EOF) 1738 return; 1739 1740 if (file->ungetpos >= file->ungetsize) { 1741 void *p = reallocarray(file->ungetbuf, file->ungetsize, 2); 1742 if (p == NULL) 1743 err(1, "lungetc"); 1744 file->ungetbuf = p; 1745 file->ungetsize *= 2; 1746 } 1747 file->ungetbuf[file->ungetpos++] = c; 1748 } 1749 1750 int 1751 findeol(void) 1752 { 1753 int c; 1754 1755 /* skip to either EOF or the first real EOL */ 1756 while (1) { 1757 c = lgetc(0); 1758 if (c == '\n') { 1759 file->lineno++; 1760 break; 1761 } 1762 if (c == EOF) 1763 break; 1764 } 1765 return (ERROR); 1766 } 1767 1768 int 1769 yylex(void) 1770 { 1771 char buf[8096]; 1772 char *p, *val; 1773 int quotec, next, c; 1774 int token; 1775 1776 top: 1777 p = buf; 1778 while ((c = lgetc(0)) == ' ' || c == '\t') 1779 ; /* nothing */ 1780 1781 yylval.lineno = file->lineno; 1782 if (c == '#') 1783 while ((c = lgetc(0)) != '\n' && c != EOF) 1784 ; /* nothing */ 1785 if (c == '$' && !expanding) { 1786 while (1) { 1787 if ((c = lgetc(0)) == EOF) 1788 return (0); 1789 1790 if (p + 1 >= buf + sizeof(buf) - 1) { 1791 yyerror("string too long"); 1792 return (findeol()); 1793 } 1794 if (isalnum(c) || c == '_') { 1795 *p++ = c; 1796 continue; 1797 } 1798 *p = '\0'; 1799 lungetc(c); 1800 break; 1801 } 1802 val = symget(buf); 1803 if (val == NULL) { 1804 yyerror("macro '%s' not defined", buf); 1805 return (findeol()); 1806 } 1807 p = val + strlen(val) - 1; 1808 lungetc(DONE_EXPAND); 1809 while (p >= val) { 1810 lungetc((unsigned char)*p); 1811 p--; 1812 } 1813 lungetc(START_EXPAND); 1814 goto top; 1815 } 1816 1817 switch (c) { 1818 case '\'': 1819 case '"': 1820 quotec = c; 1821 while (1) { 1822 if ((c = lgetc(quotec)) == EOF) 1823 return (0); 1824 if (c == '\n') { 1825 file->lineno++; 1826 continue; 1827 } else if (c == '\\') { 1828 if ((next = lgetc(quotec)) == EOF) 1829 return (0); 1830 if (next == quotec || next == ' ' || 1831 next == '\t') 1832 c = next; 1833 else if (next == '\n') { 1834 file->lineno++; 1835 continue; 1836 } else 1837 lungetc(next); 1838 } else if (c == quotec) { 1839 *p = '\0'; 1840 break; 1841 } else if (c == '\0') { 1842 yyerror("syntax error"); 1843 return (findeol()); 1844 } 1845 if (p + 1 >= buf + sizeof(buf) - 1) { 1846 yyerror("string too long"); 1847 return (findeol()); 1848 } 1849 *p++ = c; 1850 } 1851 yylval.v.string = strdup(buf); 1852 if (yylval.v.string == NULL) 1853 err(1, "%s", __func__); 1854 return (STRING); 1855 } 1856 1857 #define allowed_to_end_number(x) \ 1858 (isspace(x) || x == ')' || x ==',' || x == '/' || x == '}' || x == '=') 1859 1860 if (c == '-' || isdigit(c)) { 1861 do { 1862 *p++ = c; 1863 if ((size_t)(p-buf) >= sizeof(buf)) { 1864 yyerror("string too long"); 1865 return (findeol()); 1866 } 1867 } while ((c = lgetc(0)) != EOF && isdigit(c)); 1868 lungetc(c); 1869 if (p == buf + 1 && buf[0] == '-') 1870 goto nodigits; 1871 if (c == EOF || allowed_to_end_number(c)) { 1872 const char *errstr = NULL; 1873 1874 *p = '\0'; 1875 yylval.v.number = strtonum(buf, LLONG_MIN, 1876 LLONG_MAX, &errstr); 1877 if (errstr) { 1878 yyerror("\"%s\" invalid number: %s", 1879 buf, errstr); 1880 return (findeol()); 1881 } 1882 return (NUMBER); 1883 } else { 1884 nodigits: 1885 while (p > buf + 1) 1886 lungetc((unsigned char)*--p); 1887 c = (unsigned char)*--p; 1888 if (c == '-') 1889 return (c); 1890 } 1891 } 1892 1893 #define allowed_in_string(x) \ 1894 (isalnum(x) || (ispunct(x) && x != '(' && x != ')' && \ 1895 x != '{' && x != '}' && x != '<' && x != '>' && \ 1896 x != '!' && x != '=' && x != '/' && x != '#' && \ 1897 x != ',')) 1898 1899 if (isalnum(c) || c == ':' || c == '_' || c == '*') { 1900 do { 1901 *p++ = c; 1902 if ((size_t)(p-buf) >= sizeof(buf)) { 1903 yyerror("string too long"); 1904 return (findeol()); 1905 } 1906 } while ((c = lgetc(0)) != EOF && (allowed_in_string(c))); 1907 lungetc(c); 1908 *p = '\0'; 1909 if ((token = lookup(buf)) == STRING) 1910 if ((yylval.v.string = strdup(buf)) == NULL) 1911 err(1, "%s", __func__); 1912 return (token); 1913 } 1914 if (c == '\n') { 1915 yylval.lineno = file->lineno; 1916 file->lineno++; 1917 } 1918 if (c == EOF) 1919 return (0); 1920 return (c); 1921 } 1922 1923 int 1924 check_file_secrecy(int fd, const char *fname) 1925 { 1926 struct stat st; 1927 1928 if (fstat(fd, &st)) { 1929 warn("cannot stat %s", fname); 1930 return (-1); 1931 } 1932 if (st.st_uid != 0 && st.st_uid != getuid()) { 1933 warnx("%s: owner not root or current user", fname); 1934 return (-1); 1935 } 1936 if (st.st_mode & (S_IWGRP | S_IXGRP | S_IRWXO)) { 1937 warnx("%s: group writable or world read/writable", fname); 1938 return (-1); 1939 } 1940 return (0); 1941 } 1942 1943 struct file * 1944 pushfile(const char *name, int secret) 1945 { 1946 struct file *nfile; 1947 1948 if ((nfile = calloc(1, sizeof(struct file))) == NULL) { 1949 warn("%s", __func__); 1950 return (NULL); 1951 } 1952 if ((nfile->name = strdup(name)) == NULL) { 1953 warn("%s", __func__); 1954 free(nfile); 1955 return (NULL); 1956 } 1957 if (TAILQ_FIRST(&files) == NULL && strcmp(nfile->name, "-") == 0) { 1958 nfile->stream = stdin; 1959 free(nfile->name); 1960 if ((nfile->name = strdup("stdin")) == NULL) { 1961 warn("%s", __func__); 1962 free(nfile); 1963 return (NULL); 1964 } 1965 } else if ((nfile->stream = fopen(nfile->name, "r")) == NULL) { 1966 warn("%s: %s", __func__, nfile->name); 1967 free(nfile->name); 1968 free(nfile); 1969 return (NULL); 1970 } else if (secret && 1971 check_file_secrecy(fileno(nfile->stream), nfile->name)) { 1972 fclose(nfile->stream); 1973 free(nfile->name); 1974 free(nfile); 1975 return (NULL); 1976 } 1977 nfile->lineno = TAILQ_EMPTY(&files) ? 1 : 0; 1978 nfile->ungetsize = 16; 1979 nfile->ungetbuf = malloc(nfile->ungetsize); 1980 if (nfile->ungetbuf == NULL) { 1981 warn("%s", __func__); 1982 fclose(nfile->stream); 1983 free(nfile->name); 1984 free(nfile); 1985 return (NULL); 1986 } 1987 TAILQ_INSERT_TAIL(&files, nfile, entry); 1988 return (nfile); 1989 } 1990 1991 int 1992 popfile(void) 1993 { 1994 struct file *prev; 1995 1996 if ((prev = TAILQ_PREV(file, files, entry)) != NULL) 1997 prev->errors += file->errors; 1998 1999 TAILQ_REMOVE(&files, file, entry); 2000 fclose(file->stream); 2001 free(file->name); 2002 free(file->ungetbuf); 2003 free(file); 2004 file = prev; 2005 2006 return (file ? 0 : EOF); 2007 } 2008 2009 int 2010 parse_config(const char *filename, struct iked *x_env) 2011 { 2012 struct sym *sym; 2013 int errors = 0; 2014 2015 env = x_env; 2016 rules = 0; 2017 2018 if ((file = pushfile(filename, 1)) == NULL) 2019 return (-1); 2020 topfile = file; 2021 2022 free(ocsp_url); 2023 2024 mobike = 1; 2025 enforcesingleikesa = stickyaddress = 0; 2026 cert_partial_chain = decouple = passive = 0; 2027 ocsp_tolerate = 0; 2028 ocsp_url = NULL; 2029 ocsp_maxage = -1; 2030 fragmentation = 0; 2031 dpd_interval = IKED_IKE_SA_ALIVE_TIMEOUT; 2032 decouple = passive = 0; 2033 ocsp_url = NULL; 2034 radauth.max_tries = 3; 2035 radauth.max_failovers = 0; 2036 radacct.max_tries = 3; 2037 radacct.max_failovers = 0; 2038 2039 if (env->sc_opts & IKED_OPT_PASSIVE) 2040 passive = 1; 2041 2042 yyparse(); 2043 errors = file->errors; 2044 popfile(); 2045 2046 env->sc_passive = passive ? 1 : 0; 2047 env->sc_decoupled = decouple ? 1 : 0; 2048 env->sc_mobike = mobike; 2049 env->sc_enforcesingleikesa = enforcesingleikesa; 2050 env->sc_stickyaddress = stickyaddress; 2051 env->sc_frag = fragmentation; 2052 env->sc_alive_timeout = dpd_interval; 2053 env->sc_ocsp_url = ocsp_url; 2054 env->sc_ocsp_tolerate = ocsp_tolerate; 2055 env->sc_ocsp_maxage = ocsp_maxage; 2056 env->sc_cert_partial_chain = cert_partial_chain; 2057 env->sc_vendorid = vendorid; 2058 env->sc_radauth = radauth; 2059 env->sc_radacct = radacct; 2060 2061 if (!rules) 2062 log_warnx("%s: no valid configuration rules found", 2063 filename); 2064 else 2065 log_debug("%s: loaded %d configuration rules", 2066 filename, rules); 2067 2068 /* Free macros and check which have not been used. */ 2069 while ((sym = TAILQ_FIRST(&symhead))) { 2070 if (!sym->used) 2071 log_debug("warning: macro '%s' not " 2072 "used\n", sym->nam); 2073 free(sym->nam); 2074 free(sym->val); 2075 TAILQ_REMOVE(&symhead, sym, entry); 2076 free(sym); 2077 } 2078 2079 iaw_free(iftab); 2080 iftab = NULL; 2081 2082 return (errors ? -1 : 0); 2083 } 2084 2085 int 2086 symset(const char *nam, const char *val, int persist) 2087 { 2088 struct sym *sym; 2089 2090 TAILQ_FOREACH(sym, &symhead, entry) { 2091 if (strcmp(nam, sym->nam) == 0) 2092 break; 2093 } 2094 2095 if (sym != NULL) { 2096 if (sym->persist == 1) 2097 return (0); 2098 else { 2099 free(sym->nam); 2100 free(sym->val); 2101 TAILQ_REMOVE(&symhead, sym, entry); 2102 free(sym); 2103 } 2104 } 2105 if ((sym = calloc(1, sizeof(*sym))) == NULL) 2106 return (-1); 2107 2108 sym->nam = strdup(nam); 2109 if (sym->nam == NULL) { 2110 free(sym); 2111 return (-1); 2112 } 2113 sym->val = strdup(val); 2114 if (sym->val == NULL) { 2115 free(sym->nam); 2116 free(sym); 2117 return (-1); 2118 } 2119 sym->used = 0; 2120 sym->persist = persist; 2121 TAILQ_INSERT_TAIL(&symhead, sym, entry); 2122 return (0); 2123 } 2124 2125 int 2126 cmdline_symset(char *s) 2127 { 2128 char *sym, *val; 2129 int ret; 2130 2131 if ((val = strrchr(s, '=')) == NULL) 2132 return (-1); 2133 2134 sym = strndup(s, val - s); 2135 if (sym == NULL) 2136 err(1, "%s", __func__); 2137 ret = symset(sym, val + 1, 1); 2138 free(sym); 2139 2140 return (ret); 2141 } 2142 2143 char * 2144 symget(const char *nam) 2145 { 2146 struct sym *sym; 2147 2148 TAILQ_FOREACH(sym, &symhead, entry) { 2149 if (strcmp(nam, sym->nam) == 0) { 2150 sym->used = 1; 2151 return (sym->val); 2152 } 2153 } 2154 return (NULL); 2155 } 2156 2157 uint8_t 2158 x2i(unsigned char *s) 2159 { 2160 char ss[3]; 2161 2162 ss[0] = s[0]; 2163 ss[1] = s[1]; 2164 ss[2] = 0; 2165 2166 if (!isxdigit(s[0]) || !isxdigit(s[1])) { 2167 yyerror("keys need to be specified in hex digits"); 2168 return (-1); 2169 } 2170 return ((uint8_t)strtoul(ss, NULL, 16)); 2171 } 2172 2173 int 2174 parsekey(unsigned char *hexkey, size_t len, struct iked_auth *auth) 2175 { 2176 unsigned int i; 2177 2178 bzero(auth, sizeof(*auth)); 2179 if ((len / 2) > sizeof(auth->auth_data)) 2180 return (-1); 2181 auth->auth_length = len / 2; 2182 2183 for (i = 0; i < auth->auth_length; i++) 2184 auth->auth_data[i] = x2i(hexkey + 2 * i); 2185 2186 return (0); 2187 } 2188 2189 int 2190 parsekeyfile(char *filename, struct iked_auth *auth) 2191 { 2192 struct stat sb; 2193 int fd, ret; 2194 unsigned char *hex; 2195 2196 if ((fd = open(filename, O_RDONLY)) == -1) 2197 err(1, "open %s", filename); 2198 if (check_file_secrecy(fd, filename) == -1) 2199 exit(1); 2200 if (fstat(fd, &sb) == -1) 2201 err(1, "parsekeyfile: stat %s", filename); 2202 if ((sb.st_size > KEYSIZE_LIMIT) || (sb.st_size == 0)) 2203 errx(1, "%s: key too %s", filename, sb.st_size ? "large" : 2204 "small"); 2205 if ((hex = calloc(sb.st_size, sizeof(unsigned char))) == NULL) 2206 err(1, "parsekeyfile: calloc"); 2207 if (read(fd, hex, sb.st_size) < sb.st_size) 2208 err(1, "parsekeyfile: read"); 2209 close(fd); 2210 ret = parsekey(hex, sb.st_size, auth); 2211 free(hex); 2212 return (ret); 2213 } 2214 2215 int 2216 get_id_type(char *string) 2217 { 2218 struct in6_addr ia; 2219 2220 if (string == NULL) 2221 return (IKEV2_ID_NONE); 2222 2223 if (*string == '/') 2224 return (IKEV2_ID_ASN1_DN); 2225 else if (inet_pton(AF_INET, string, &ia) == 1) 2226 return (IKEV2_ID_IPV4); 2227 else if (inet_pton(AF_INET6, string, &ia) == 1) 2228 return (IKEV2_ID_IPV6); 2229 else if (strchr(string, '@')) 2230 return (IKEV2_ID_UFQDN); 2231 else 2232 return (IKEV2_ID_FQDN); 2233 } 2234 2235 struct ipsec_addr_wrap * 2236 host(const char *s) 2237 { 2238 struct ipsec_addr_wrap *ipa = NULL; 2239 int mask = -1; 2240 char *p, *ps; 2241 const char *errstr; 2242 2243 if ((ps = strdup(s)) == NULL) 2244 err(1, "%s: strdup", __func__); 2245 2246 if ((p = strchr(ps, '/')) != NULL) { 2247 mask = strtonum(p+1, 0, 128, &errstr); 2248 if (errstr) { 2249 fprintf(stderr, "netmask is %s: %s\n", errstr, p); 2250 goto error; 2251 } 2252 p[0] = '\0'; 2253 } 2254 2255 if ((ipa = host_if(ps, mask)) == NULL && 2256 (ipa = host_ip(ps, mask)) == NULL && 2257 (ipa = host_dns(ps, mask)) == NULL) 2258 fprintf(stderr, "no IP address found for %s\n", s); 2259 2260 error: 2261 free(ps); 2262 return (ipa); 2263 } 2264 2265 struct ipsec_addr_wrap * 2266 host_ip(const char *s, int mask) 2267 { 2268 struct ipsec_addr_wrap *ipa = NULL; 2269 struct addrinfo hints, *res; 2270 char hbuf[NI_MAXHOST]; 2271 2272 bzero(&hints, sizeof(struct addrinfo)); 2273 hints.ai_family = AF_UNSPEC; 2274 hints.ai_socktype = SOCK_DGRAM; /*dummy*/ 2275 hints.ai_flags = AI_NUMERICHOST; 2276 if (getaddrinfo(s, NULL, &hints, &res)) 2277 return (NULL); 2278 if (res->ai_next) 2279 err(1, "%s: %s expanded to multiple item", __func__, s); 2280 2281 ipa = calloc(1, sizeof(struct ipsec_addr_wrap)); 2282 if (ipa == NULL) 2283 err(1, "%s", __func__); 2284 ipa->af = res->ai_family; 2285 copy_sockaddrtoipa(ipa, res->ai_addr); 2286 ipa->next = NULL; 2287 ipa->tail = ipa; 2288 2289 set_ipmask(ipa, mask); 2290 if (getnameinfo(res->ai_addr, res->ai_addrlen, 2291 hbuf, sizeof(hbuf), NULL, 0, NI_NUMERICHOST)) { 2292 errx(1, "could not get a numeric hostname"); 2293 } 2294 2295 if (mask > -1) { 2296 ipa->netaddress = 1; 2297 if (asprintf(&ipa->name, "%s/%d", hbuf, mask) == -1) 2298 err(1, "%s", __func__); 2299 } else { 2300 if ((ipa->name = strdup(hbuf)) == NULL) 2301 err(1, "%s", __func__); 2302 } 2303 2304 freeaddrinfo(res); 2305 2306 return (ipa); 2307 } 2308 2309 struct ipsec_addr_wrap * 2310 host_dns(const char *s, int mask) 2311 { 2312 struct ipsec_addr_wrap *ipa = NULL, *head = NULL; 2313 struct addrinfo hints, *res0, *res; 2314 int error; 2315 char hbuf[NI_MAXHOST]; 2316 2317 bzero(&hints, sizeof(struct addrinfo)); 2318 hints.ai_family = PF_UNSPEC; 2319 hints.ai_socktype = SOCK_STREAM; 2320 hints.ai_flags = AI_ADDRCONFIG; 2321 error = getaddrinfo(s, NULL, &hints, &res0); 2322 if (error) 2323 return (NULL); 2324 2325 for (res = res0; res; res = res->ai_next) { 2326 if (res->ai_family != AF_INET && res->ai_family != AF_INET6) 2327 continue; 2328 2329 ipa = calloc(1, sizeof(struct ipsec_addr_wrap)); 2330 if (ipa == NULL) 2331 err(1, "%s", __func__); 2332 copy_sockaddrtoipa(ipa, res->ai_addr); 2333 error = getnameinfo(res->ai_addr, res->ai_addrlen, hbuf, 2334 sizeof(hbuf), NULL, 0, NI_NUMERICHOST); 2335 if (error) 2336 err(1, "host_dns: getnameinfo"); 2337 ipa->name = strdup(hbuf); 2338 if (ipa->name == NULL) 2339 err(1, "%s", __func__); 2340 ipa->af = res->ai_family; 2341 ipa->next = NULL; 2342 ipa->tail = ipa; 2343 if (head == NULL) 2344 head = ipa; 2345 else { 2346 head->tail->next = ipa; 2347 head->tail = ipa; 2348 } 2349 2350 /* 2351 * XXX for now, no netmask support for IPv6. 2352 * but since there's no way to specify address family, once you 2353 * have IPv6 address on a host, you cannot use dns/netmask 2354 * syntax. 2355 */ 2356 if (ipa->af == AF_INET) 2357 set_ipmask(ipa, mask == -1 ? 32 : mask); 2358 else 2359 if (mask != -1) 2360 err(1, "host_dns: cannot apply netmask " 2361 "on non-IPv4 address"); 2362 } 2363 freeaddrinfo(res0); 2364 2365 return (head); 2366 } 2367 2368 struct ipsec_addr_wrap * 2369 host_if(const char *s, int mask) 2370 { 2371 struct ipsec_addr_wrap *ipa = NULL; 2372 2373 if (ifa_exists(s)) 2374 ipa = ifa_lookup(s); 2375 2376 return (ipa); 2377 } 2378 2379 struct ipsec_addr_wrap * 2380 host_any(void) 2381 { 2382 struct ipsec_addr_wrap *ipa; 2383 2384 ipa = calloc(1, sizeof(struct ipsec_addr_wrap)); 2385 if (ipa == NULL) 2386 err(1, "%s", __func__); 2387 ipa->af = AF_UNSPEC; 2388 ipa->netaddress = 1; 2389 ipa->tail = ipa; 2390 ipa->type = IPSEC_ADDR_ANY; 2391 return (ipa); 2392 } 2393 2394 struct ipsec_addr_wrap * 2395 host_dynamic(void) 2396 { 2397 struct ipsec_addr_wrap *ipa; 2398 2399 ipa = calloc(1, sizeof(struct ipsec_addr_wrap)); 2400 if (ipa == NULL) 2401 err(1, "%s", __func__); 2402 ipa->af = AF_UNSPEC; 2403 ipa->tail = ipa; 2404 ipa->type = IPSEC_ADDR_DYNAMIC; 2405 return (ipa); 2406 } 2407 2408 void 2409 ifa_load(void) 2410 { 2411 struct ifaddrs *ifap, *ifa; 2412 struct ipsec_addr_wrap *n = NULL, *h = NULL; 2413 struct sockaddr_in *sa_in; 2414 struct sockaddr_in6 *sa_in6; 2415 2416 if (getifaddrs(&ifap) == -1) 2417 err(1, "ifa_load: getifaddrs"); 2418 2419 for (ifa = ifap; ifa; ifa = ifa->ifa_next) { 2420 if (ifa->ifa_addr == NULL || 2421 !(ifa->ifa_addr->sa_family == AF_INET || 2422 ifa->ifa_addr->sa_family == AF_INET6 || 2423 ifa->ifa_addr->sa_family == AF_LINK)) 2424 continue; 2425 n = calloc(1, sizeof(struct ipsec_addr_wrap)); 2426 if (n == NULL) 2427 err(1, "%s", __func__); 2428 n->af = ifa->ifa_addr->sa_family; 2429 if ((n->name = strdup(ifa->ifa_name)) == NULL) 2430 err(1, "%s", __func__); 2431 if (n->af == AF_INET) { 2432 sa_in = (struct sockaddr_in *)ifa->ifa_addr; 2433 memcpy(&n->address, sa_in, sizeof(*sa_in)); 2434 sa_in = (struct sockaddr_in *)ifa->ifa_netmask; 2435 n->mask = mask2prefixlen((struct sockaddr *)sa_in); 2436 } else if (n->af == AF_INET6) { 2437 sa_in6 = (struct sockaddr_in6 *)ifa->ifa_addr; 2438 memcpy(&n->address, sa_in6, sizeof(*sa_in6)); 2439 sa_in6 = (struct sockaddr_in6 *)ifa->ifa_netmask; 2440 n->mask = mask2prefixlen6((struct sockaddr *)sa_in6); 2441 } 2442 n->next = NULL; 2443 n->tail = n; 2444 if (h == NULL) 2445 h = n; 2446 else { 2447 h->tail->next = n; 2448 h->tail = n; 2449 } 2450 } 2451 2452 iftab = h; 2453 freeifaddrs(ifap); 2454 } 2455 2456 int 2457 ifa_exists(const char *ifa_name) 2458 { 2459 struct ipsec_addr_wrap *n; 2460 struct ifgroupreq ifgr; 2461 int s; 2462 2463 if (iftab == NULL) 2464 ifa_load(); 2465 2466 /* check wether this is a group */ 2467 if ((s = socket(AF_INET, SOCK_DGRAM, 0)) == -1) 2468 err(1, "ifa_exists: socket"); 2469 bzero(&ifgr, sizeof(ifgr)); 2470 strlcpy(ifgr.ifgr_name, ifa_name, sizeof(ifgr.ifgr_name)); 2471 if (ioctl(s, SIOCGIFGMEMB, (caddr_t)&ifgr) == 0) { 2472 close(s); 2473 return (1); 2474 } 2475 close(s); 2476 2477 for (n = iftab; n; n = n->next) { 2478 if (n->af == AF_LINK && !strncmp(n->name, ifa_name, 2479 IFNAMSIZ)) 2480 return (1); 2481 } 2482 2483 return (0); 2484 } 2485 2486 struct ipsec_addr_wrap * 2487 ifa_grouplookup(const char *ifa_name) 2488 { 2489 struct ifg_req *ifg; 2490 struct ifgroupreq ifgr; 2491 int s; 2492 size_t len; 2493 struct ipsec_addr_wrap *n, *h = NULL, *hn; 2494 2495 if ((s = socket(AF_INET, SOCK_DGRAM, 0)) == -1) 2496 err(1, "socket"); 2497 bzero(&ifgr, sizeof(ifgr)); 2498 strlcpy(ifgr.ifgr_name, ifa_name, sizeof(ifgr.ifgr_name)); 2499 if (ioctl(s, SIOCGIFGMEMB, (caddr_t)&ifgr) == -1) { 2500 close(s); 2501 return (NULL); 2502 } 2503 2504 len = ifgr.ifgr_len; 2505 if ((ifgr.ifgr_groups = calloc(1, len)) == NULL) 2506 err(1, "%s", __func__); 2507 if (ioctl(s, SIOCGIFGMEMB, (caddr_t)&ifgr) == -1) 2508 err(1, "ioctl"); 2509 2510 for (ifg = ifgr.ifgr_groups; ifg && len >= sizeof(struct ifg_req); 2511 ifg++) { 2512 len -= sizeof(struct ifg_req); 2513 if ((n = ifa_lookup(ifg->ifgrq_member)) == NULL) 2514 continue; 2515 if (h == NULL) 2516 h = n; 2517 else { 2518 for (hn = h; hn->next != NULL; hn = hn->next) 2519 ; /* nothing */ 2520 hn->next = n; 2521 n->tail = hn; 2522 } 2523 } 2524 free(ifgr.ifgr_groups); 2525 close(s); 2526 2527 return (h); 2528 } 2529 2530 struct ipsec_addr_wrap * 2531 ifa_lookup(const char *ifa_name) 2532 { 2533 struct ipsec_addr_wrap *p = NULL, *h = NULL, *n = NULL; 2534 struct sockaddr_in6 *in6; 2535 uint8_t *s6; 2536 2537 if (iftab == NULL) 2538 ifa_load(); 2539 2540 if ((n = ifa_grouplookup(ifa_name)) != NULL) 2541 return (n); 2542 2543 for (p = iftab; p; p = p->next) { 2544 if (p->af != AF_INET && p->af != AF_INET6) 2545 continue; 2546 if (strncmp(p->name, ifa_name, IFNAMSIZ)) 2547 continue; 2548 n = calloc(1, sizeof(struct ipsec_addr_wrap)); 2549 if (n == NULL) 2550 err(1, "%s", __func__); 2551 memcpy(n, p, sizeof(struct ipsec_addr_wrap)); 2552 if ((n->name = strdup(p->name)) == NULL) 2553 err(1, "%s", __func__); 2554 switch (n->af) { 2555 case AF_INET: 2556 set_ipmask(n, 32); 2557 break; 2558 case AF_INET6: 2559 in6 = (struct sockaddr_in6 *)&n->address; 2560 s6 = (uint8_t *)&in6->sin6_addr.s6_addr; 2561 2562 /* route/show.c and bgpd/util.c give KAME credit */ 2563 if (IN6_IS_ADDR_LINKLOCAL(&in6->sin6_addr)) { 2564 uint16_t tmp16; 2565 2566 /* for now we can not handle link local, 2567 * therefore bail for now 2568 */ 2569 free(n->name); 2570 free(n); 2571 continue; 2572 2573 memcpy(&tmp16, &s6[2], sizeof(tmp16)); 2574 /* use this when we support link-local 2575 * n->??.scopeid = ntohs(tmp16); 2576 */ 2577 s6[2] = 0; 2578 s6[3] = 0; 2579 } 2580 set_ipmask(n, 128); 2581 break; 2582 } 2583 2584 n->next = NULL; 2585 n->tail = n; 2586 if (h == NULL) 2587 h = n; 2588 else { 2589 h->tail->next = n; 2590 h->tail = n; 2591 } 2592 } 2593 2594 return (h); 2595 } 2596 2597 void 2598 set_ipmask(struct ipsec_addr_wrap *address, int b) 2599 { 2600 if (b == -1) 2601 address->mask = address->af == AF_INET ? 32 : 128; 2602 else 2603 address->mask = b; 2604 } 2605 2606 const struct ipsec_xf * 2607 parse_xf(const char *name, unsigned int length, const struct ipsec_xf xfs[]) 2608 { 2609 int i; 2610 2611 for (i = 0; xfs[i].name != NULL; i++) { 2612 if (strncmp(name, xfs[i].name, strlen(name))) 2613 continue; 2614 if (length == 0 || length == xfs[i].length) 2615 return &xfs[i]; 2616 } 2617 return (NULL); 2618 } 2619 2620 int 2621 encxf_noauth(unsigned int id) 2622 { 2623 int i; 2624 2625 for (i = 0; ikeencxfs[i].name != NULL; i++) 2626 if (ikeencxfs[i].id == id) 2627 return ikeencxfs[i].noauth; 2628 return (0); 2629 } 2630 2631 size_t 2632 keylength_xf(unsigned int saproto, unsigned int type, unsigned int id) 2633 { 2634 int i; 2635 const struct ipsec_xf *xfs; 2636 2637 switch (type) { 2638 case IKEV2_XFORMTYPE_ENCR: 2639 if (saproto == IKEV2_SAPROTO_IKE) 2640 xfs = ikeencxfs; 2641 else 2642 xfs = ipsecencxfs; 2643 break; 2644 case IKEV2_XFORMTYPE_INTEGR: 2645 xfs = authxfs; 2646 break; 2647 default: 2648 return (0); 2649 } 2650 2651 for (i = 0; xfs[i].name != NULL; i++) { 2652 if (xfs[i].id == id) 2653 return (xfs[i].length * 8); 2654 } 2655 return (0); 2656 } 2657 2658 size_t 2659 noncelength_xf(unsigned int type, unsigned int id) 2660 { 2661 const struct ipsec_xf *xfs = ipsecencxfs; 2662 int i; 2663 2664 if (type != IKEV2_XFORMTYPE_ENCR) 2665 return (0); 2666 2667 for (i = 0; xfs[i].name != NULL; i++) 2668 if (xfs[i].id == id) 2669 return (xfs[i].nonce * 8); 2670 return (0); 2671 } 2672 2673 void 2674 copy_transforms(unsigned int type, 2675 const struct ipsec_xf **xfs, unsigned int nxfs, 2676 struct iked_transform **dst, unsigned int *ndst, 2677 struct iked_transform *src, size_t nsrc) 2678 { 2679 unsigned int i; 2680 struct iked_transform *a, *b; 2681 const struct ipsec_xf *xf; 2682 2683 if (nxfs) { 2684 for (i = 0; i < nxfs; i++) { 2685 xf = xfs[i]; 2686 *dst = recallocarray(*dst, *ndst, 2687 *ndst + 1, sizeof(struct iked_transform)); 2688 if (*dst == NULL) 2689 err(1, "%s", __func__); 2690 b = *dst + (*ndst)++; 2691 2692 b->xform_type = type; 2693 b->xform_id = xf->id; 2694 b->xform_keylength = xf->length * 8; 2695 b->xform_length = xf->keylength * 8; 2696 } 2697 return; 2698 } 2699 2700 for (i = 0; i < nsrc; i++) { 2701 a = src + i; 2702 if (a->xform_type != type) 2703 continue; 2704 *dst = recallocarray(*dst, *ndst, 2705 *ndst + 1, sizeof(struct iked_transform)); 2706 if (*dst == NULL) 2707 err(1, "%s", __func__); 2708 b = *dst + (*ndst)++; 2709 memcpy(b, a, sizeof(*b)); 2710 } 2711 } 2712 2713 int 2714 create_ike(char *name, int af, struct ipsec_addr_wrap *ipproto, 2715 int rdomain, struct ipsec_hosts *hosts, 2716 struct ipsec_hosts *peers, struct ipsec_mode *ike_sa, 2717 struct ipsec_mode *ipsec_sa, uint8_t saproto, 2718 unsigned int flags, char *srcid, char *dstid, 2719 uint32_t ikelifetime, struct iked_lifetime *lt, 2720 struct iked_auth *authtype, struct ipsec_filters *filter, 2721 struct ipsec_addr_wrap *ikecfg, char *iface) 2722 { 2723 char idstr[IKED_ID_SIZE]; 2724 struct ipsec_addr_wrap *ipa, *ipb, *ipp; 2725 struct iked_auth *ikeauth; 2726 struct iked_policy pol; 2727 struct iked_proposal *p, *ptmp; 2728 struct iked_transform *xf; 2729 unsigned int i, j, xfi, noauth, auth; 2730 unsigned int ikepropid = 1, ipsecpropid = 1; 2731 struct iked_flow *flow, *ftmp; 2732 static unsigned int policy_id = 0; 2733 struct iked_cfg *cfg; 2734 int ret = -1; 2735 2736 bzero(&pol, sizeof(pol)); 2737 bzero(idstr, sizeof(idstr)); 2738 2739 pol.pol_id = ++policy_id; 2740 pol.pol_certreqtype = env->sc_certreqtype; 2741 pol.pol_af = af; 2742 pol.pol_saproto = saproto; 2743 for (i = 0, ipp = ipproto; ipp; ipp = ipp->next, i++) { 2744 if (i >= IKED_IPPROTO_MAX) { 2745 yyerror("too many protocols"); 2746 return (-1); 2747 } 2748 pol.pol_ipproto[i] = ipp->type; 2749 pol.pol_nipproto++; 2750 } 2751 2752 pol.pol_flags = flags; 2753 pol.pol_rdomain = rdomain; 2754 memcpy(&pol.pol_auth, authtype, sizeof(struct iked_auth)); 2755 explicit_bzero(authtype, sizeof(*authtype)); 2756 2757 if (name != NULL) { 2758 if (strlcpy(pol.pol_name, name, 2759 sizeof(pol.pol_name)) >= sizeof(pol.pol_name)) { 2760 yyerror("name too long"); 2761 return (-1); 2762 } 2763 } else { 2764 snprintf(pol.pol_name, sizeof(pol.pol_name), 2765 "policy%d", policy_id); 2766 } 2767 2768 if (iface != NULL) { 2769 /* sec(4) */ 2770 if (strncmp("sec", iface, strlen("sec")) == 0) 2771 pol.pol_flags |= IKED_POLICY_ROUTING; 2772 2773 pol.pol_iface = if_nametoindex(iface); 2774 if (pol.pol_iface == 0) { 2775 yyerror("invalid iface"); 2776 return (-1); 2777 } 2778 } 2779 2780 if (srcid) { 2781 pol.pol_localid.id_type = get_id_type(srcid); 2782 pol.pol_localid.id_length = strlen(srcid); 2783 if (strlcpy((char *)pol.pol_localid.id_data, 2784 srcid, IKED_ID_SIZE) >= IKED_ID_SIZE) { 2785 yyerror("srcid too long"); 2786 return (-1); 2787 } 2788 } 2789 if (dstid) { 2790 pol.pol_peerid.id_type = get_id_type(dstid); 2791 pol.pol_peerid.id_length = strlen(dstid); 2792 if (strlcpy((char *)pol.pol_peerid.id_data, 2793 dstid, IKED_ID_SIZE) >= IKED_ID_SIZE) { 2794 yyerror("dstid too long"); 2795 return (-1); 2796 } 2797 } 2798 2799 if (filter != NULL) { 2800 if (filter->tag) 2801 strlcpy(pol.pol_tag, filter->tag, sizeof(pol.pol_tag)); 2802 pol.pol_tap = filter->tap; 2803 } 2804 2805 if (peers == NULL) { 2806 if (pol.pol_flags & IKED_POLICY_ACTIVE) { 2807 yyerror("active mode requires peer specification"); 2808 return (-1); 2809 } 2810 pol.pol_flags |= IKED_POLICY_DEFAULT|IKED_POLICY_SKIP; 2811 } 2812 2813 if (peers && peers->src && peers->dst && 2814 (peers->src->af != AF_UNSPEC) && (peers->dst->af != AF_UNSPEC) && 2815 (peers->src->af != peers->dst->af)) 2816 fatalx("create_ike: peer address family mismatch"); 2817 2818 if (peers && (pol.pol_af != AF_UNSPEC) && 2819 ((peers->src && (peers->src->af != AF_UNSPEC) && 2820 (peers->src->af != pol.pol_af)) || 2821 (peers->dst && (peers->dst->af != AF_UNSPEC) && 2822 (peers->dst->af != pol.pol_af)))) 2823 fatalx("create_ike: policy address family mismatch"); 2824 2825 ipa = ipb = NULL; 2826 if (peers) { 2827 if (peers->src) 2828 ipa = peers->src; 2829 if (peers->dst) 2830 ipb = peers->dst; 2831 if (ipa == NULL && ipb == NULL) { 2832 if (hosts->src && hosts->src->next == NULL) 2833 ipa = hosts->src; 2834 if (hosts->dst && hosts->dst->next == NULL) 2835 ipb = hosts->dst; 2836 } 2837 } 2838 if (ipa == NULL && ipb == NULL) { 2839 yyerror("could not get local/peer specification"); 2840 return (-1); 2841 } 2842 if (pol.pol_flags & IKED_POLICY_ACTIVE) { 2843 if (ipb == NULL || ipb->netaddress || 2844 (ipa != NULL && ipa->netaddress)) { 2845 yyerror("active mode requires local/peer address"); 2846 return (-1); 2847 } 2848 } 2849 if (ipa) { 2850 memcpy(&pol.pol_local.addr, &ipa->address, 2851 sizeof(ipa->address)); 2852 pol.pol_local.addr_af = ipa->af; 2853 pol.pol_local.addr_mask = ipa->mask; 2854 pol.pol_local.addr_net = ipa->netaddress; 2855 if (pol.pol_af == AF_UNSPEC) 2856 pol.pol_af = ipa->af; 2857 } 2858 if (ipb) { 2859 memcpy(&pol.pol_peer.addr, &ipb->address, 2860 sizeof(ipb->address)); 2861 pol.pol_peer.addr_af = ipb->af; 2862 pol.pol_peer.addr_mask = ipb->mask; 2863 pol.pol_peer.addr_net = ipb->netaddress; 2864 if (pol.pol_af == AF_UNSPEC) 2865 pol.pol_af = ipb->af; 2866 } 2867 2868 if (ikelifetime) 2869 pol.pol_rekey = ikelifetime; 2870 2871 if (lt) 2872 pol.pol_lifetime = *lt; 2873 else 2874 pol.pol_lifetime = deflifetime; 2875 2876 TAILQ_INIT(&pol.pol_proposals); 2877 RB_INIT(&pol.pol_flows); 2878 2879 if (ike_sa == NULL || ike_sa->nxfs == 0) { 2880 /* AES-GCM proposal */ 2881 if ((p = calloc(1, sizeof(*p))) == NULL) 2882 err(1, "%s", __func__); 2883 p->prop_id = ikepropid++; 2884 p->prop_protoid = IKEV2_SAPROTO_IKE; 2885 p->prop_nxforms = ikev2_default_nike_transforms_noauth; 2886 p->prop_xforms = ikev2_default_ike_transforms_noauth; 2887 TAILQ_INSERT_TAIL(&pol.pol_proposals, p, prop_entry); 2888 pol.pol_nproposals++; 2889 2890 /* Non GCM proposal */ 2891 if ((p = calloc(1, sizeof(*p))) == NULL) 2892 err(1, "%s", __func__); 2893 p->prop_id = ikepropid++; 2894 p->prop_protoid = IKEV2_SAPROTO_IKE; 2895 p->prop_nxforms = ikev2_default_nike_transforms; 2896 p->prop_xforms = ikev2_default_ike_transforms; 2897 TAILQ_INSERT_TAIL(&pol.pol_proposals, p, prop_entry); 2898 pol.pol_nproposals++; 2899 } else { 2900 for (i = 0; i < ike_sa->nxfs; i++) { 2901 noauth = auth = 0; 2902 for (j = 0; j < ike_sa->xfs[i]->nencxf; j++) { 2903 if (ike_sa->xfs[i]->encxf[j]->noauth) 2904 noauth++; 2905 else 2906 auth++; 2907 } 2908 for (j = 0; j < ike_sa->xfs[i]->ngroupxf; j++) { 2909 if (ike_sa->xfs[i]->groupxf[j]->id 2910 == IKEV2_XFORMDH_NONE) { 2911 yyerror("IKE group can not be \"none\"."); 2912 goto done; 2913 } 2914 } 2915 if (ike_sa->xfs[i]->nauthxf) 2916 auth++; 2917 2918 if (ike_sa->xfs[i]->nesnxf) { 2919 yyerror("cannot use ESN with ikesa."); 2920 goto done; 2921 } 2922 if (noauth && noauth != ike_sa->xfs[i]->nencxf) { 2923 yyerror("cannot mix encryption transforms with " 2924 "implicit and non-implicit authentication"); 2925 goto done; 2926 } 2927 if (noauth && ike_sa->xfs[i]->nauthxf) { 2928 yyerror("authentication is implicit for given " 2929 "encryption transforms"); 2930 goto done; 2931 } 2932 2933 if (!auth) { 2934 if ((p = calloc(1, sizeof(*p))) == NULL) 2935 err(1, "%s", __func__); 2936 2937 xf = NULL; 2938 xfi = 0; 2939 copy_transforms(IKEV2_XFORMTYPE_ENCR, 2940 ike_sa->xfs[i]->encxf, 2941 ike_sa->xfs[i]->nencxf, &xf, &xfi, 2942 ikev2_default_ike_transforms_noauth, 2943 ikev2_default_nike_transforms_noauth); 2944 copy_transforms(IKEV2_XFORMTYPE_DH, 2945 ike_sa->xfs[i]->groupxf, 2946 ike_sa->xfs[i]->ngroupxf, &xf, &xfi, 2947 ikev2_default_ike_transforms_noauth, 2948 ikev2_default_nike_transforms_noauth); 2949 copy_transforms(IKEV2_XFORMTYPE_PRF, 2950 ike_sa->xfs[i]->prfxf, 2951 ike_sa->xfs[i]->nprfxf, &xf, &xfi, 2952 ikev2_default_ike_transforms_noauth, 2953 ikev2_default_nike_transforms_noauth); 2954 2955 p->prop_id = ikepropid++; 2956 p->prop_protoid = IKEV2_SAPROTO_IKE; 2957 p->prop_xforms = xf; 2958 p->prop_nxforms = xfi; 2959 TAILQ_INSERT_TAIL(&pol.pol_proposals, p, prop_entry); 2960 pol.pol_nproposals++; 2961 } 2962 if (!noauth) { 2963 if ((p = calloc(1, sizeof(*p))) == NULL) 2964 err(1, "%s", __func__); 2965 2966 xf = NULL; 2967 xfi = 0; 2968 copy_transforms(IKEV2_XFORMTYPE_INTEGR, 2969 ike_sa->xfs[i]->authxf, 2970 ike_sa->xfs[i]->nauthxf, &xf, &xfi, 2971 ikev2_default_ike_transforms, 2972 ikev2_default_nike_transforms); 2973 copy_transforms(IKEV2_XFORMTYPE_ENCR, 2974 ike_sa->xfs[i]->encxf, 2975 ike_sa->xfs[i]->nencxf, &xf, &xfi, 2976 ikev2_default_ike_transforms, 2977 ikev2_default_nike_transforms); 2978 copy_transforms(IKEV2_XFORMTYPE_DH, 2979 ike_sa->xfs[i]->groupxf, 2980 ike_sa->xfs[i]->ngroupxf, &xf, &xfi, 2981 ikev2_default_ike_transforms, 2982 ikev2_default_nike_transforms); 2983 copy_transforms(IKEV2_XFORMTYPE_PRF, 2984 ike_sa->xfs[i]->prfxf, 2985 ike_sa->xfs[i]->nprfxf, &xf, &xfi, 2986 ikev2_default_ike_transforms, 2987 ikev2_default_nike_transforms); 2988 2989 p->prop_id = ikepropid++; 2990 p->prop_protoid = IKEV2_SAPROTO_IKE; 2991 p->prop_xforms = xf; 2992 p->prop_nxforms = xfi; 2993 TAILQ_INSERT_TAIL(&pol.pol_proposals, p, prop_entry); 2994 pol.pol_nproposals++; 2995 } 2996 } 2997 } 2998 2999 if (ipsec_sa == NULL || ipsec_sa->nxfs == 0) { 3000 if ((p = calloc(1, sizeof(*p))) == NULL) 3001 err(1, "%s", __func__); 3002 p->prop_id = ipsecpropid++; 3003 p->prop_protoid = saproto; 3004 p->prop_nxforms = ikev2_default_nesp_transforms_noauth; 3005 p->prop_xforms = ikev2_default_esp_transforms_noauth; 3006 TAILQ_INSERT_TAIL(&pol.pol_proposals, p, prop_entry); 3007 pol.pol_nproposals++; 3008 3009 if ((p = calloc(1, sizeof(*p))) == NULL) 3010 err(1, "%s", __func__); 3011 p->prop_id = ipsecpropid++; 3012 p->prop_protoid = saproto; 3013 p->prop_nxforms = ikev2_default_nesp_transforms; 3014 p->prop_xforms = ikev2_default_esp_transforms; 3015 TAILQ_INSERT_TAIL(&pol.pol_proposals, p, prop_entry); 3016 pol.pol_nproposals++; 3017 } else { 3018 for (i = 0; i < ipsec_sa->nxfs; i++) { 3019 noauth = auth = 0; 3020 for (j = 0; j < ipsec_sa->xfs[i]->nencxf; j++) { 3021 if (ipsec_sa->xfs[i]->encxf[j]->noauth) 3022 noauth++; 3023 else 3024 auth++; 3025 } 3026 if (ipsec_sa->xfs[i]->nauthxf) 3027 auth++; 3028 3029 if (noauth && noauth != ipsec_sa->xfs[i]->nencxf) { 3030 yyerror("cannot mix encryption transforms with " 3031 "implicit and non-implicit authentication"); 3032 goto done; 3033 } 3034 if (noauth && ipsec_sa->xfs[i]->nauthxf) { 3035 yyerror("authentication is implicit for given " 3036 "encryption transforms"); 3037 goto done; 3038 } 3039 3040 if (!auth) { 3041 if ((p = calloc(1, sizeof(*p))) == NULL) 3042 err(1, "%s", __func__); 3043 3044 xf = NULL; 3045 xfi = 0; 3046 copy_transforms(IKEV2_XFORMTYPE_ENCR, 3047 ipsec_sa->xfs[i]->encxf, 3048 ipsec_sa->xfs[i]->nencxf, &xf, &xfi, 3049 ikev2_default_esp_transforms_noauth, 3050 ikev2_default_nesp_transforms_noauth); 3051 copy_transforms(IKEV2_XFORMTYPE_DH, 3052 ipsec_sa->xfs[i]->groupxf, 3053 ipsec_sa->xfs[i]->ngroupxf, &xf, &xfi, 3054 ikev2_default_esp_transforms_noauth, 3055 ikev2_default_nesp_transforms_noauth); 3056 copy_transforms(IKEV2_XFORMTYPE_ESN, 3057 ipsec_sa->xfs[i]->esnxf, 3058 ipsec_sa->xfs[i]->nesnxf, &xf, &xfi, 3059 ikev2_default_esp_transforms_noauth, 3060 ikev2_default_nesp_transforms_noauth); 3061 3062 p->prop_id = ipsecpropid++; 3063 p->prop_protoid = saproto; 3064 p->prop_xforms = xf; 3065 p->prop_nxforms = xfi; 3066 TAILQ_INSERT_TAIL(&pol.pol_proposals, p, prop_entry); 3067 pol.pol_nproposals++; 3068 } 3069 if (!noauth) { 3070 if ((p = calloc(1, sizeof(*p))) == NULL) 3071 err(1, "%s", __func__); 3072 3073 xf = NULL; 3074 xfi = 0; 3075 copy_transforms(IKEV2_XFORMTYPE_INTEGR, 3076 ipsec_sa->xfs[i]->authxf, 3077 ipsec_sa->xfs[i]->nauthxf, &xf, &xfi, 3078 ikev2_default_esp_transforms, 3079 ikev2_default_nesp_transforms); 3080 copy_transforms(IKEV2_XFORMTYPE_ENCR, 3081 ipsec_sa->xfs[i]->encxf, 3082 ipsec_sa->xfs[i]->nencxf, &xf, &xfi, 3083 ikev2_default_esp_transforms, 3084 ikev2_default_nesp_transforms); 3085 copy_transforms(IKEV2_XFORMTYPE_DH, 3086 ipsec_sa->xfs[i]->groupxf, 3087 ipsec_sa->xfs[i]->ngroupxf, &xf, &xfi, 3088 ikev2_default_esp_transforms, 3089 ikev2_default_nesp_transforms); 3090 copy_transforms(IKEV2_XFORMTYPE_ESN, 3091 ipsec_sa->xfs[i]->esnxf, 3092 ipsec_sa->xfs[i]->nesnxf, &xf, &xfi, 3093 ikev2_default_esp_transforms, 3094 ikev2_default_nesp_transforms); 3095 3096 p->prop_id = ipsecpropid++; 3097 p->prop_protoid = saproto; 3098 p->prop_xforms = xf; 3099 p->prop_nxforms = xfi; 3100 TAILQ_INSERT_TAIL(&pol.pol_proposals, p, prop_entry); 3101 pol.pol_nproposals++; 3102 } 3103 } 3104 } 3105 3106 for (ipa = hosts->src, ipb = hosts->dst; ipa && ipb; 3107 ipa = ipa->next, ipb = ipb->next) { 3108 for (j = 0; j < pol.pol_nipproto; j++) 3109 if (expand_flows(&pol, pol.pol_ipproto[j], ipa, ipb)) 3110 fatalx("create_ike: invalid flow"); 3111 if (pol.pol_nipproto == 0) 3112 if (expand_flows(&pol, 0, ipa, ipb)) 3113 fatalx("create_ike: invalid flow"); 3114 } 3115 3116 for (j = 0, ipa = ikecfg; ipa; ipa = ipa->next, j++) { 3117 if (j >= IKED_CFG_MAX) 3118 break; 3119 cfg = &pol.pol_cfg[j]; 3120 pol.pol_ncfg++; 3121 3122 cfg->cfg_action = ipa->action; 3123 cfg->cfg_type = ipa->type; 3124 memcpy(&cfg->cfg.address.addr, &ipa->address, 3125 sizeof(ipa->address)); 3126 cfg->cfg.address.addr_mask = ipa->mask; 3127 cfg->cfg.address.addr_net = ipa->netaddress; 3128 cfg->cfg.address.addr_af = ipa->af; 3129 } 3130 3131 if (dstid) 3132 strlcpy(idstr, dstid, sizeof(idstr)); 3133 else if (!pol.pol_peer.addr_net) 3134 strlcpy(idstr, print_addr(&pol.pol_peer.addr), sizeof(idstr)); 3135 3136 ikeauth = &pol.pol_auth; 3137 switch (ikeauth->auth_method) { 3138 case IKEV2_AUTH_RSA_SIG: 3139 pol.pol_certreqtype = IKEV2_CERT_RSA_KEY; 3140 break; 3141 case IKEV2_AUTH_ECDSA_256: 3142 case IKEV2_AUTH_ECDSA_384: 3143 case IKEV2_AUTH_ECDSA_521: 3144 pol.pol_certreqtype = IKEV2_CERT_ECDSA; 3145 break; 3146 default: 3147 pol.pol_certreqtype = IKEV2_CERT_NONE; 3148 break; 3149 } 3150 3151 log_debug("%s: using %s for peer %s", __func__, 3152 print_xf(ikeauth->auth_method, 0, methodxfs), idstr); 3153 3154 config_setpolicy(env, &pol, PROC_IKEV2); 3155 config_setflow(env, &pol, PROC_IKEV2); 3156 3157 rules++; 3158 ret = 0; 3159 3160 done: 3161 if (ike_sa) { 3162 for (i = 0; i < ike_sa->nxfs; i++) { 3163 free(ike_sa->xfs[i]->authxf); 3164 free(ike_sa->xfs[i]->encxf); 3165 free(ike_sa->xfs[i]->groupxf); 3166 free(ike_sa->xfs[i]->prfxf); 3167 free(ike_sa->xfs[i]); 3168 } 3169 free(ike_sa->xfs); 3170 free(ike_sa); 3171 } 3172 if (ipsec_sa) { 3173 for (i = 0; i < ipsec_sa->nxfs; i++) { 3174 free(ipsec_sa->xfs[i]->authxf); 3175 free(ipsec_sa->xfs[i]->encxf); 3176 free(ipsec_sa->xfs[i]->groupxf); 3177 free(ipsec_sa->xfs[i]->prfxf); 3178 free(ipsec_sa->xfs[i]->esnxf); 3179 free(ipsec_sa->xfs[i]); 3180 } 3181 free(ipsec_sa->xfs); 3182 free(ipsec_sa); 3183 } 3184 TAILQ_FOREACH_SAFE(p, &pol.pol_proposals, prop_entry, ptmp) { 3185 if (p->prop_xforms != ikev2_default_ike_transforms && 3186 p->prop_xforms != ikev2_default_ike_transforms_noauth && 3187 p->prop_xforms != ikev2_default_esp_transforms && 3188 p->prop_xforms != ikev2_default_esp_transforms_noauth) 3189 free(p->prop_xforms); 3190 free(p); 3191 } 3192 if (peers != NULL) { 3193 iaw_free(peers->src); 3194 iaw_free(peers->dst); 3195 /* peers is static, cannot be freed */ 3196 } 3197 if (hosts != NULL) { 3198 iaw_free(hosts->src); 3199 iaw_free(hosts->dst); 3200 free(hosts); 3201 } 3202 iaw_free(ikecfg); 3203 iaw_free(ipproto); 3204 RB_FOREACH_SAFE(flow, iked_flows, &pol.pol_flows, ftmp) { 3205 RB_REMOVE(iked_flows, &pol.pol_flows, flow); 3206 free(flow); 3207 } 3208 free(name); 3209 free(srcid); 3210 free(dstid); 3211 return (ret); 3212 } 3213 3214 static int 3215 create_flow(struct iked_policy *pol, int proto, struct ipsec_addr_wrap *ipa, 3216 struct ipsec_addr_wrap *ipb) 3217 { 3218 struct iked_flow *flow; 3219 struct ipsec_addr_wrap *ippn; 3220 3221 if (ipa->af != ipb->af) { 3222 yyerror("cannot mix different address families."); 3223 return (-1); 3224 } 3225 3226 if ((flow = calloc(1, sizeof(struct iked_flow))) == NULL) 3227 fatalx("%s: failed to alloc flow.", __func__); 3228 3229 memcpy(&flow->flow_src.addr, &ipa->address, 3230 sizeof(ipa->address)); 3231 flow->flow_src.addr_af = ipa->af; 3232 flow->flow_src.addr_mask = ipa->mask; 3233 flow->flow_src.addr_net = ipa->netaddress; 3234 flow->flow_src.addr_port = ipa->port; 3235 3236 memcpy(&flow->flow_dst.addr, &ipb->address, 3237 sizeof(ipb->address)); 3238 flow->flow_dst.addr_af = ipb->af; 3239 flow->flow_dst.addr_mask = ipb->mask; 3240 flow->flow_dst.addr_net = ipb->netaddress; 3241 flow->flow_dst.addr_port = ipb->port; 3242 3243 ippn = ipa->srcnat; 3244 if (ippn) { 3245 memcpy(&flow->flow_prenat.addr, &ippn->address, 3246 sizeof(ippn->address)); 3247 flow->flow_prenat.addr_af = ippn->af; 3248 flow->flow_prenat.addr_mask = ippn->mask; 3249 flow->flow_prenat.addr_net = ippn->netaddress; 3250 } else { 3251 flow->flow_prenat.addr_af = 0; 3252 } 3253 3254 flow->flow_dir = IPSP_DIRECTION_OUT; 3255 flow->flow_ipproto = proto; 3256 flow->flow_saproto = pol->pol_saproto; 3257 flow->flow_rdomain = pol->pol_rdomain; 3258 3259 if (RB_INSERT(iked_flows, &pol->pol_flows, flow) == NULL) 3260 pol->pol_nflows++; 3261 else { 3262 warnx("create_ike: duplicate flow"); 3263 free(flow); 3264 } 3265 3266 return (0); 3267 } 3268 3269 static int 3270 expand_flows(struct iked_policy *pol, int proto, struct ipsec_addr_wrap *src, 3271 struct ipsec_addr_wrap *dst) 3272 { 3273 struct ipsec_addr_wrap *ipa = NULL, *ipb = NULL; 3274 int ret = -1; 3275 int srcaf, dstaf; 3276 3277 srcaf = src->af; 3278 dstaf = dst->af; 3279 3280 if (src->af == AF_UNSPEC && 3281 dst->af == AF_UNSPEC) { 3282 /* Need both IPv4 and IPv6 flows */ 3283 src->af = dst->af = AF_INET; 3284 ipa = expand_keyword(src); 3285 ipb = expand_keyword(dst); 3286 if (!ipa || !ipb) 3287 goto done; 3288 if (create_flow(pol, proto, ipa, ipb)) 3289 goto done; 3290 3291 iaw_free(ipa); 3292 iaw_free(ipb); 3293 src->af = dst->af = AF_INET6; 3294 ipa = expand_keyword(src); 3295 ipb = expand_keyword(dst); 3296 if (!ipa || !ipb) 3297 goto done; 3298 if (create_flow(pol, proto, ipa, ipb)) 3299 goto done; 3300 } else if (src->af == AF_UNSPEC) { 3301 src->af = dst->af; 3302 ipa = expand_keyword(src); 3303 if (!ipa) 3304 goto done; 3305 if (create_flow(pol, proto, ipa, dst)) 3306 goto done; 3307 } else if (dst->af == AF_UNSPEC) { 3308 dst->af = src->af; 3309 ipa = expand_keyword(dst); 3310 if (!ipa) 3311 goto done; 3312 if (create_flow(pol, proto, src, ipa)) 3313 goto done; 3314 } else if (create_flow(pol, proto, src, dst)) 3315 goto done; 3316 ret = 0; 3317 done: 3318 src->af = srcaf; 3319 dst->af = dstaf; 3320 iaw_free(ipa); 3321 iaw_free(ipb); 3322 return (ret); 3323 } 3324 3325 static struct ipsec_addr_wrap * 3326 expand_keyword(struct ipsec_addr_wrap *ip) 3327 { 3328 switch(ip->af) { 3329 case AF_INET: 3330 switch(ip->type) { 3331 case IPSEC_ADDR_ANY: 3332 return (host("0.0.0.0/0")); 3333 case IPSEC_ADDR_DYNAMIC: 3334 return (host("0.0.0.0")); 3335 } 3336 break; 3337 case AF_INET6: 3338 switch(ip->type) { 3339 case IPSEC_ADDR_ANY: 3340 return (host("::/0")); 3341 case IPSEC_ADDR_DYNAMIC: 3342 return (host("::")); 3343 } 3344 } 3345 return (NULL); 3346 } 3347 3348 int 3349 create_user(const char *user, const char *pass) 3350 { 3351 struct iked_user usr; 3352 3353 bzero(&usr, sizeof(usr)); 3354 3355 if (*user == '\0' || (strlcpy(usr.usr_name, user, 3356 sizeof(usr.usr_name)) >= sizeof(usr.usr_name))) { 3357 yyerror("invalid user name"); 3358 return (-1); 3359 } 3360 if (*pass == '\0' || (strlcpy(usr.usr_pass, pass, 3361 sizeof(usr.usr_pass)) >= sizeof(usr.usr_pass))) { 3362 yyerror("invalid password"); 3363 explicit_bzero(&usr, sizeof usr); /* zap partial password */ 3364 return (-1); 3365 } 3366 3367 config_setuser(env, &usr, PROC_IKEV2); 3368 3369 rules++; 3370 3371 explicit_bzero(&usr, sizeof usr); 3372 return (0); 3373 } 3374 3375 void 3376 iaw_free(struct ipsec_addr_wrap *head) 3377 { 3378 struct ipsec_addr_wrap *n, *cur; 3379 3380 if (head == NULL) 3381 return; 3382 3383 for (n = head; n != NULL; ) { 3384 cur = n; 3385 n = n->next; 3386 if (cur->srcnat != NULL) { 3387 free(cur->srcnat->name); 3388 free(cur->srcnat); 3389 } 3390 free(cur->name); 3391 free(cur); 3392 } 3393 } 3394