1 /* $NetBSD: cfparse.y,v 1.48 2012/11/29 15:31:24 vanhu Exp $ */ 2 3 /* Id: cfparse.y,v 1.66 2006/08/22 18:17:17 manubsd Exp */ 4 5 %{ 6 /* 7 * Copyright (C) 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002 and 2003 WIDE Project. 8 * All rights reserved. 9 * 10 * Redistribution and use in source and binary forms, with or without 11 * modification, are permitted provided that the following conditions 12 * are met: 13 * 1. Redistributions of source code must retain the above copyright 14 * notice, this list of conditions and the following disclaimer. 15 * 2. Redistributions in binary form must reproduce the above copyright 16 * notice, this list of conditions and the following disclaimer in the 17 * documentation and/or other materials provided with the distribution. 18 * 3. Neither the name of the project nor the names of its contributors 19 * may be used to endorse or promote products derived from this software 20 * without specific prior written permission. 21 * 22 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND 23 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 24 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 25 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE 26 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 27 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 28 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 29 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 30 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 31 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 32 * SUCH DAMAGE. 33 */ 34 35 #include "config.h" 36 37 #include <sys/types.h> 38 #include <sys/param.h> 39 #include <sys/queue.h> 40 #include <sys/socket.h> 41 42 #include <netinet/in.h> 43 #include PATH_IPSEC_H 44 45 #ifdef ENABLE_HYBRID 46 #include <arpa/inet.h> 47 #endif 48 49 #include <stdlib.h> 50 #include <stdio.h> 51 #include <string.h> 52 #include <errno.h> 53 #include <netdb.h> 54 #include <pwd.h> 55 #include <grp.h> 56 57 #include "var.h" 58 #include "misc.h" 59 #include "vmbuf.h" 60 #include "plog.h" 61 #include "sockmisc.h" 62 #include "str2val.h" 63 #include "genlist.h" 64 #include "debug.h" 65 66 #include "admin.h" 67 #include "privsep.h" 68 #include "cfparse_proto.h" 69 #include "cftoken_proto.h" 70 #include "algorithm.h" 71 #include "localconf.h" 72 #include "policy.h" 73 #include "sainfo.h" 74 #include "oakley.h" 75 #include "pfkey.h" 76 #include "remoteconf.h" 77 #include "grabmyaddr.h" 78 #include "isakmp_var.h" 79 #include "handler.h" 80 #include "isakmp.h" 81 #include "nattraversal.h" 82 #include "isakmp_frag.h" 83 #ifdef ENABLE_HYBRID 84 #include "resolv.h" 85 #include "isakmp_unity.h" 86 #include "isakmp_xauth.h" 87 #include "isakmp_cfg.h" 88 #endif 89 #include "ipsec_doi.h" 90 #include "strnames.h" 91 #include "gcmalloc.h" 92 #ifdef HAVE_GSSAPI 93 #include "gssapi.h" 94 #endif 95 #include "vendorid.h" 96 #include "rsalist.h" 97 #include "crypto_openssl.h" 98 99 struct secprotospec { 100 int prop_no; 101 int trns_no; 102 int strength; /* for isakmp/ipsec */ 103 int encklen; /* for isakmp/ipsec */ 104 time_t lifetime; /* for isakmp */ 105 int lifebyte; /* for isakmp */ 106 int proto_id; /* for ipsec (isakmp?) */ 107 int ipsec_level; /* for ipsec */ 108 int encmode; /* for ipsec */ 109 int vendorid; /* for isakmp */ 110 char *gssid; 111 struct sockaddr *remote; 112 int algclass[MAXALGCLASS]; 113 114 struct secprotospec *next; /* the tail is the most prefiered. */ 115 struct secprotospec *prev; 116 }; 117 118 static int num2dhgroup[] = { 119 0, 120 OAKLEY_ATTR_GRP_DESC_MODP768, 121 OAKLEY_ATTR_GRP_DESC_MODP1024, 122 OAKLEY_ATTR_GRP_DESC_EC2N155, 123 OAKLEY_ATTR_GRP_DESC_EC2N185, 124 OAKLEY_ATTR_GRP_DESC_MODP1536, 125 0, 126 0, 127 0, 128 0, 129 0, 130 0, 131 0, 132 0, 133 OAKLEY_ATTR_GRP_DESC_MODP2048, 134 OAKLEY_ATTR_GRP_DESC_MODP3072, 135 OAKLEY_ATTR_GRP_DESC_MODP4096, 136 OAKLEY_ATTR_GRP_DESC_MODP6144, 137 OAKLEY_ATTR_GRP_DESC_MODP8192 138 }; 139 140 static struct remoteconf *cur_rmconf = NULL; 141 static int tmpalgtype[MAXALGCLASS] = {0}; 142 static struct sainfo *cur_sainfo = NULL; 143 static int cur_algclass = 0; 144 static int oldloglevel = LLV_BASE; 145 146 static struct secprotospec *newspspec __P((void)); 147 static void insspspec __P((struct remoteconf *, struct secprotospec *)); 148 void dupspspec_list __P((struct remoteconf *dst, struct remoteconf *src)); 149 void flushspspec __P((struct remoteconf *)); 150 static void adminsock_conf __P((vchar_t *, vchar_t *, vchar_t *, int)); 151 152 static int set_isakmp_proposal __P((struct remoteconf *)); 153 static void clean_tmpalgtype __P((void)); 154 static int expand_isakmpspec __P((int, int, int *, 155 int, int, time_t, int, int, int, char *, struct remoteconf *)); 156 157 void freeetypes (struct etypes **etypes); 158 159 static int load_x509(const char *file, char **filenameptr, 160 vchar_t **certptr) 161 { 162 char path[PATH_MAX]; 163 164 getpathname(path, sizeof(path), LC_PATHTYPE_CERT, file); 165 *certptr = eay_get_x509cert(path); 166 if (*certptr == NULL) 167 return -1; 168 169 *filenameptr = racoon_strdup(file); 170 STRDUP_FATAL(*filenameptr); 171 172 return 0; 173 } 174 175 static int process_rmconf() 176 { 177 178 /* check a exchange mode */ 179 if (cur_rmconf->etypes == NULL) { 180 yyerror("no exchange mode specified.\n"); 181 return -1; 182 } 183 184 if (cur_rmconf->idvtype == IDTYPE_UNDEFINED) 185 cur_rmconf->idvtype = IDTYPE_ADDRESS; 186 187 if (cur_rmconf->idvtype == IDTYPE_ASN1DN) { 188 if (cur_rmconf->mycertfile) { 189 if (cur_rmconf->idv) 190 yywarn("Both CERT and ASN1 ID " 191 "are set. Hope this is OK.\n"); 192 /* TODO: Preparse the DN here */ 193 } else if (cur_rmconf->idv) { 194 /* OK, using asn1dn without X.509. */ 195 } else { 196 yyerror("ASN1 ID not specified " 197 "and no CERT defined!\n"); 198 return -1; 199 } 200 } 201 202 if (duprmconf_finish(cur_rmconf)) 203 return -1; 204 205 if (set_isakmp_proposal(cur_rmconf) != 0) 206 return -1; 207 208 /* DH group settting if aggressive mode is there. */ 209 if (check_etypeok(cur_rmconf, (void*) ISAKMP_ETYPE_AGG)) { 210 struct isakmpsa *p; 211 int b = 0; 212 213 /* DH group */ 214 for (p = cur_rmconf->proposal; p; p = p->next) { 215 if (b == 0 || (b && b == p->dh_group)) { 216 b = p->dh_group; 217 continue; 218 } 219 yyerror("DH group must be equal " 220 "in all proposals " 221 "when aggressive mode is " 222 "used.\n"); 223 return -1; 224 } 225 cur_rmconf->dh_group = b; 226 227 if (cur_rmconf->dh_group == 0) { 228 yyerror("DH group must be set in the proposal.\n"); 229 return -1; 230 } 231 232 /* DH group settting if PFS is required. */ 233 if (oakley_setdhgroup(cur_rmconf->dh_group, 234 &cur_rmconf->dhgrp) < 0) { 235 yyerror("failed to set DH value.\n"); 236 return -1; 237 } 238 } 239 240 insrmconf(cur_rmconf); 241 cur_rmconf = NULL; 242 243 return 0; 244 } 245 246 /* some frequently used warning texts */ 247 static const char error_message_hybrid_config_not_configured[] = "racoon not configured with --enable-hybrid\n"; 248 static const char error_message_ldap_config_not_configured[] = "racoon not configured with --with-libldap\n"; 249 static const char error_message_admin_port_not_compiled_in[] = "admin port support not compiled in\n"; 250 static const char error_message_natt_not_compiled_in[] = "NAT-T support not compiled in\n"; 251 static const char error_message_dpd_not_compiled_in[] = "DPD support not compiled in\n"; 252 253 /* macros for aborting the parsing with freeing up allocated memory */ 254 #define ABORT_CLEANUP {delrmconf(cur_rmconf); delsainfo(cur_sainfo); YYABORT;} 255 #define ABORT() ABORT_CLEANUP 256 257 #define ABORT_AND_VFREE(val0) {\ 258 vfree(val0); val0 = NULL;\ 259 ABORT_CLEANUP} 260 261 #define ABORT_AND_RACOON_FREE(val0) {\ 262 racoon_free(val0); val0 = NULL;\ 263 ABORT_CLEANUP} 264 265 #define ABORT_AND_VFREE2(val0, val1) {\ 266 vfree(val0); val0 = NULL;\ 267 vfree(val1); val1 = NULL;\ 268 ABORT_CLEANUP} 269 270 #define ABORT_AND_RACOON_FREE2(val0, val1) {\ 271 racoon_free(val0); val0 = NULL;\ 272 racoon_free(val1); val1 = NULL;\ 273 ABORT_CLEANUP} 274 %} 275 276 %union { 277 unsigned long num; 278 vchar_t *val; 279 struct remoteconf *rmconf; 280 struct sockaddr *saddr; 281 struct sainfoalg *alg; 282 } 283 284 /* privsep */ 285 %token PRIVSEP USER GROUP CHROOT 286 /* path */ 287 %token PATH PATHTYPE 288 /* include */ 289 %token INCLUDE 290 /* PFKEY_BUFFER */ 291 %token PFKEY_BUFFER 292 /* logging */ 293 %token LOGGING LOGLEV 294 /* padding */ 295 %token PADDING PAD_RANDOMIZE PAD_RANDOMIZELEN PAD_MAXLEN PAD_STRICT PAD_EXCLTAIL 296 /* listen */ 297 %token LISTEN X_ISAKMP X_ISAKMP_NATT X_ADMIN STRICT_ADDRESS ADMINSOCK DISABLED 298 /* ldap config */ 299 %token LDAPCFG LDAP_HOST LDAP_PORT LDAP_TLS LDAP_PVER LDAP_BASE LDAP_BIND_DN LDAP_BIND_PW LDAP_SUBTREE 300 %token LDAP_ATTR_USER LDAP_ATTR_ADDR LDAP_ATTR_MASK LDAP_ATTR_GROUP LDAP_ATTR_MEMBER 301 /* radius config */ 302 %token RADCFG RAD_AUTH RAD_ACCT RAD_TIMEOUT RAD_RETRIES 303 /* modecfg */ 304 %token MODECFG CFG_NET4 CFG_MASK4 CFG_DNS4 CFG_NBNS4 CFG_DEFAULT_DOMAIN 305 %token CFG_AUTH_SOURCE CFG_AUTH_GROUPS CFG_SYSTEM CFG_RADIUS CFG_PAM CFG_LDAP CFG_LOCAL CFG_NONE 306 %token CFG_GROUP_SOURCE CFG_ACCOUNTING CFG_CONF_SOURCE CFG_MOTD CFG_POOL_SIZE CFG_AUTH_THROTTLE 307 %token CFG_SPLIT_NETWORK CFG_SPLIT_LOCAL CFG_SPLIT_INCLUDE CFG_SPLIT_DNS 308 %token CFG_PFS_GROUP CFG_SAVE_PASSWD 309 310 /* timer */ 311 %token RETRY RETRY_COUNTER RETRY_INTERVAL RETRY_PERSEND 312 %token RETRY_PHASE1 RETRY_PHASE2 NATT_KA 313 /* algorithm */ 314 %token ALGORITHM_CLASS ALGORITHMTYPE STRENGTHTYPE 315 /* sainfo */ 316 %token SAINFO FROM 317 /* remote */ 318 %token REMOTE ANONYMOUS CLIENTADDR INHERIT REMOTE_ADDRESS 319 %token EXCHANGE_MODE EXCHANGETYPE DOI DOITYPE SITUATION SITUATIONTYPE 320 %token CERTIFICATE_TYPE CERTTYPE PEERS_CERTFILE CA_TYPE 321 %token VERIFY_CERT SEND_CERT SEND_CR MATCH_EMPTY_CR 322 %token IDENTIFIERTYPE IDENTIFIERQUAL MY_IDENTIFIER 323 %token PEERS_IDENTIFIER VERIFY_IDENTIFIER 324 %token DNSSEC CERT_X509 CERT_PLAINRSA 325 %token NONCE_SIZE DH_GROUP KEEPALIVE PASSIVE INITIAL_CONTACT 326 %token NAT_TRAVERSAL REMOTE_FORCE_LEVEL 327 %token PROPOSAL_CHECK PROPOSAL_CHECK_LEVEL 328 %token GENERATE_POLICY GENERATE_LEVEL SUPPORT_PROXY 329 %token PROPOSAL 330 %token EXEC_PATH EXEC_COMMAND EXEC_SUCCESS EXEC_FAILURE 331 %token GSS_ID GSS_ID_ENC GSS_ID_ENCTYPE 332 %token COMPLEX_BUNDLE 333 %token DPD DPD_DELAY DPD_RETRY DPD_MAXFAIL 334 %token PH1ID 335 %token XAUTH_LOGIN WEAK_PHASE1_CHECK 336 %token REKEY 337 338 %token PREFIX PORT PORTANY UL_PROTO ANY IKE_FRAG ESP_FRAG MODE_CFG 339 %token PFS_GROUP LIFETIME LIFETYPE_TIME LIFETYPE_BYTE STRENGTH REMOTEID 340 341 %token SCRIPT PHASE1_UP PHASE1_DOWN PHASE1_DEAD 342 343 %token NUMBER SWITCH BOOLEAN 344 %token HEXSTRING QUOTEDSTRING ADDRSTRING ADDRRANGE 345 %token UNITTYPE_BYTE UNITTYPE_KBYTES UNITTYPE_MBYTES UNITTYPE_TBYTES 346 %token UNITTYPE_SEC UNITTYPE_MIN UNITTYPE_HOUR 347 %token EOS BOC EOC COMMA 348 349 %type <num> NUMBER BOOLEAN SWITCH keylength 350 %type <num> PATHTYPE IDENTIFIERTYPE IDENTIFIERQUAL LOGLEV GSS_ID_ENCTYPE 351 %type <num> ALGORITHM_CLASS dh_group_num 352 %type <num> ALGORITHMTYPE STRENGTHTYPE 353 %type <num> PREFIX prefix PORT port ike_port 354 %type <num> ul_proto UL_PROTO 355 %type <num> EXCHANGETYPE DOITYPE SITUATIONTYPE 356 %type <num> CERTTYPE CERT_X509 CERT_PLAINRSA PROPOSAL_CHECK_LEVEL REMOTE_FORCE_LEVEL GENERATE_LEVEL 357 %type <num> unittype_time unittype_byte 358 %type <val> QUOTEDSTRING HEXSTRING ADDRSTRING ADDRRANGE sainfo_id 359 %type <val> identifierstring 360 %type <saddr> remote_index ike_addrinfo_port 361 %type <alg> algorithm 362 %type <saddr> ike_addrinfo_port_natt 363 %type <num> ike_port_natt 364 365 %% 366 367 statements 368 : /* nothing */ 369 | statements statement 370 ; 371 statement 372 : privsep_statement 373 | path_statement 374 | include_statement 375 | pfkey_statement 376 | gssenc_statement 377 | logging_statement 378 | padding_statement 379 | listen_statement 380 | ldapcfg_statement 381 | radcfg_statement 382 | modecfg_statement 383 | timer_statement 384 | sainfo_statement 385 | remote_statement 386 | special_statement 387 ; 388 389 /* privsep */ 390 privsep_statement 391 : PRIVSEP BOC privsep_stmts EOC 392 ; 393 privsep_stmts 394 : /* nothing */ 395 | privsep_stmts privsep_stmt 396 ; 397 privsep_stmt 398 : USER QUOTEDSTRING 399 { 400 struct passwd *pw = getpwnam($2->v); 401 vfree($2); 402 403 if (pw == NULL) { 404 yyerror("unknown user \"%s\"", $2->v); 405 ABORT(); 406 } 407 408 lcconf->uid = pw->pw_uid; 409 } 410 EOS 411 | USER NUMBER { lcconf->uid = $2; } EOS 412 | GROUP QUOTEDSTRING 413 { 414 struct group *gr = getgrnam($2->v); 415 vfree($2); 416 417 if (gr == NULL) { 418 yyerror("unknown group \"%s\"", $2->v); 419 ABORT(); 420 } 421 422 lcconf->gid = gr->gr_gid; 423 } 424 EOS 425 | GROUP NUMBER { lcconf->gid = $2; } EOS 426 | CHROOT QUOTEDSTRING 427 { 428 lcconf_setchroot(racoon_strdup($2->v)); 429 vfree($2); 430 } EOS 431 ; 432 433 /* path */ 434 path_statement 435 : PATH PATHTYPE QUOTEDSTRING 436 { 437 char * path = racoon_strdup($3->v); 438 439 if (path == NULL) { 440 yyerror("copy string fatal error: %s", $3->v); 441 ABORT_AND_VFREE($3); 442 } 443 444 if (lcconf_setpath(path, $2) < 0) { 445 yyerror("invalid path type %d", $2); 446 ABORT_AND_VFREE($3); 447 } 448 449 vfree($3); 450 } 451 EOS 452 ; 453 454 /* special */ 455 special_statement 456 : COMPLEX_BUNDLE SWITCH { lcconf->complex_bundle = $2; } EOS 457 ; 458 459 /* include */ 460 include_statement 461 : INCLUDE QUOTEDSTRING EOS 462 { 463 char path[MAXPATHLEN]; 464 465 getpathname(path, sizeof(path), 466 LC_PATHTYPE_INCLUDE, $2->v); 467 vfree($2); 468 if (yycf_switch_buffer(path) != 0) 469 ABORT(); 470 } 471 ; 472 473 /* pfkey_buffer */ 474 pfkey_statement 475 : PFKEY_BUFFER NUMBER EOS 476 { 477 lcconf->pfkey_buffer_size = $2; 478 } 479 ; 480 /* gss_id_enc */ 481 gssenc_statement 482 : GSS_ID_ENC GSS_ID_ENCTYPE EOS 483 { 484 if ($2 >= LC_GSSENC_MAX) { 485 yyerror("invalid GSS ID encoding %d", $2); 486 ABORT(); 487 } 488 489 lcconf->gss_id_enc = $2; 490 } 491 ; 492 493 /* logging */ 494 logging_statement 495 : LOGGING log_level EOS 496 ; 497 log_level 498 : LOGLEV 499 { 500 /* 501 * set the loglevel to the value specified 502 * in the configuration file plus the number 503 * of -d options specified on the command line 504 */ 505 loglevel += $1 - oldloglevel; 506 oldloglevel = $1; 507 } 508 ; 509 510 /* padding */ 511 padding_statement 512 : PADDING BOC padding_stmts EOC 513 ; 514 padding_stmts 515 : /* nothing */ 516 | padding_stmts padding_stmt 517 ; 518 padding_stmt 519 : PAD_RANDOMIZE SWITCH { lcconf->pad_random = $2; } EOS 520 | PAD_RANDOMIZELEN SWITCH { lcconf->pad_randomlen = $2; } EOS 521 | PAD_MAXLEN NUMBER { lcconf->pad_maxsize = $2; } EOS 522 | PAD_STRICT SWITCH { lcconf->pad_strict = $2; } EOS 523 | PAD_EXCLTAIL SWITCH { lcconf->pad_excltail = $2; } EOS 524 ; 525 526 /* listen */ 527 listen_statement 528 : LISTEN BOC listen_stmts EOC 529 ; 530 listen_stmts 531 : /* nothing */ 532 | listen_stmts listen_stmt 533 ; 534 listen_stmt 535 : X_ISAKMP ike_addrinfo_port 536 { 537 myaddr_listen($2, FALSE); 538 racoon_free($2); 539 } 540 EOS 541 | X_ISAKMP_NATT ike_addrinfo_port_natt 542 { 543 #ifdef ENABLE_NATT 544 myaddr_listen($2, TRUE); 545 #else 546 547 yywarn(error_message_natt_not_compiled_in); 548 #endif 549 racoon_free($2); 550 } 551 EOS 552 | ADMINSOCK QUOTEDSTRING QUOTEDSTRING QUOTEDSTRING NUMBER 553 { 554 #ifdef ENABLE_ADMINPORT 555 adminsock_conf($2, $3, $4, $5); 556 #else 557 yywarn(error_message_admin_port_not_compiled_in); 558 #endif 559 vfree($2);vfree($3);vfree($4); 560 } 561 EOS 562 | ADMINSOCK QUOTEDSTRING 563 { 564 #ifdef ENABLE_ADMINPORT 565 adminsock_conf($2, NULL, NULL, -1); 566 #else 567 yywarn(error_message_admin_port_not_compiled_in); 568 #endif 569 vfree($2); 570 } 571 EOS 572 | ADMINSOCK DISABLED 573 { 574 #ifdef ENABLE_ADMINPORT 575 adminsock_path = NULL; 576 #else 577 yywarn(error_message_admin_port_not_compiled_in); 578 #endif 579 } 580 EOS 581 | STRICT_ADDRESS { lcconf->strict_address = TRUE; } EOS 582 ; 583 ike_addrinfo_port 584 : ADDRSTRING ike_port 585 { 586 char portbuf[10]; 587 588 snprintf(portbuf, sizeof(portbuf), "%ld", $2); 589 $$ = str2saddr($1->v, portbuf); 590 591 vfree($1); 592 if (!$$) 593 ABORT(); 594 } 595 ; 596 ike_addrinfo_port_natt 597 : ADDRSTRING ike_port_natt 598 { 599 char portbuf[10]; 600 601 snprintf(portbuf, sizeof(portbuf), "%ld", $2); 602 $$ = str2saddr($1->v, portbuf); 603 604 vfree($1); 605 if (!$$) 606 ABORT(); 607 } 608 ; 609 ike_port 610 : /* nothing */ { $$ = lcconf->port_isakmp; } 611 | PORT { $$ = $1; } 612 ; 613 ike_port_natt 614 : /* nothing */ 615 { 616 $$ = lcconf->port_isakmp_natt; 617 } 618 | PORT 619 { 620 $$ = $1; 621 #ifndef ENABLE_NATT 622 yywarn(error_message_natt_not_compiled_in); 623 #endif 624 } 625 ; 626 /* radius configuration */ 627 radcfg_statement 628 : RADCFG { 629 #ifndef ENABLE_HYBRID 630 yyerror(error_message_hybrid_config_not_configured); 631 ABORT(); 632 #endif 633 #ifndef HAVE_LIBRADIUS 634 yyerror("racoon not configured with --with-libradius"); 635 ABORT(); 636 #endif 637 #ifdef ENABLE_HYBRID 638 #ifdef HAVE_LIBRADIUS 639 xauth_rad_config.timeout = 3; 640 xauth_rad_config.retries = 3; 641 #endif 642 #endif 643 } BOC radcfg_stmts EOC 644 ; 645 radcfg_stmts 646 : /* nothing */ 647 | radcfg_stmts radcfg_stmt 648 ; 649 radcfg_stmt 650 : RAD_AUTH QUOTEDSTRING QUOTEDSTRING 651 { 652 #ifdef ENABLE_HYBRID 653 #ifdef HAVE_LIBRADIUS 654 int i = xauth_rad_config.auth_server_count; 655 if (i == RADIUS_MAX_SERVERS) { 656 yyerror("maximum radius auth servers exceeded"); 657 ABORT_AND_VFREE2($2, $3); 658 } 659 660 xauth_rad_config.auth_server_list[i].host = vdup($2); 661 xauth_rad_config.auth_server_list[i].secret = vdup($3); 662 xauth_rad_config.auth_server_list[i].port = 0; /* default port */ 663 xauth_rad_config.auth_server_count++; 664 #endif 665 #endif 666 vfree($2); vfree($3); 667 } 668 EOS 669 | RAD_AUTH QUOTEDSTRING NUMBER QUOTEDSTRING 670 { 671 #ifdef ENABLE_HYBRID 672 #ifdef HAVE_LIBRADIUS 673 int i = xauth_rad_config.auth_server_count; 674 if (i == RADIUS_MAX_SERVERS) { 675 yyerror("maximum radius auth servers exceeded"); 676 ABORT_AND_VFREE2($2, $4); 677 } 678 679 xauth_rad_config.auth_server_list[i].host = vdup($2); 680 xauth_rad_config.auth_server_list[i].secret = vdup($4); 681 xauth_rad_config.auth_server_list[i].port = $3; 682 xauth_rad_config.auth_server_count++; 683 #endif 684 #endif 685 vfree($2); vfree($4); 686 } 687 EOS 688 | RAD_ACCT QUOTEDSTRING QUOTEDSTRING 689 { 690 #ifdef ENABLE_HYBRID 691 #ifdef HAVE_LIBRADIUS 692 int i = xauth_rad_config.acct_server_count; 693 if (i == RADIUS_MAX_SERVERS) { 694 yyerror("maximum radius account servers exceeded"); 695 ABORT_AND_VFREE2($2, $3); 696 } 697 698 xauth_rad_config.acct_server_list[i].host = vdup($2); 699 xauth_rad_config.acct_server_list[i].secret = vdup($3); 700 xauth_rad_config.acct_server_list[i].port = 0; /* default port */ 701 xauth_rad_config.acct_server_count++; 702 #endif 703 #endif 704 vfree($2); vfree($3); 705 } 706 EOS 707 | RAD_ACCT QUOTEDSTRING NUMBER QUOTEDSTRING 708 { 709 #ifdef ENABLE_HYBRID 710 #ifdef HAVE_LIBRADIUS 711 int i = xauth_rad_config.acct_server_count; 712 if (i == RADIUS_MAX_SERVERS) { 713 yyerror("maximum radius account servers exceeded"); 714 ABORT_AND_VFREE2($2, $4); 715 } 716 717 xauth_rad_config.acct_server_list[i].host = vdup($2); 718 xauth_rad_config.acct_server_list[i].secret = vdup($4); 719 xauth_rad_config.acct_server_list[i].port = $3; 720 xauth_rad_config.acct_server_count++; 721 #endif 722 #endif 723 vfree($2); vfree($4); 724 } 725 EOS 726 | RAD_TIMEOUT NUMBER 727 { 728 #ifdef ENABLE_HYBRID 729 #ifdef HAVE_LIBRADIUS 730 xauth_rad_config.timeout = $2; 731 #endif 732 #endif 733 } 734 EOS 735 | RAD_RETRIES NUMBER 736 { 737 #ifdef ENABLE_HYBRID 738 #ifdef HAVE_LIBRADIUS 739 xauth_rad_config.retries = $2; 740 #endif 741 #endif 742 } 743 EOS 744 ; 745 746 /* ldap configuration */ 747 ldapcfg_statement 748 : LDAPCFG { 749 #ifndef ENABLE_HYBRID 750 yyerror(error_message_hybrid_config_not_configured); 751 ABORT(); 752 #endif 753 #ifndef HAVE_LIBLDAP 754 yyerror(error_message_ldap_config_not_configured); 755 ABORT(); 756 #endif 757 } BOC ldapcfg_stmts EOC 758 ; 759 ldapcfg_stmts 760 : /* nothing */ 761 | ldapcfg_stmts ldapcfg_stmt 762 ; 763 ldapcfg_stmt 764 : LDAP_PVER NUMBER 765 { 766 #ifdef ENABLE_HYBRID 767 #ifdef HAVE_LIBLDAP 768 if (($2<2)||($2>3)) 769 yywarn("invalid ldap protocol version (2|3)"); 770 771 xauth_ldap_config.pver = $2; 772 #endif 773 #endif 774 } 775 EOS 776 | LDAP_HOST QUOTEDSTRING 777 { 778 #ifdef ENABLE_HYBRID 779 #ifdef HAVE_LIBLDAP 780 if (xauth_ldap_config.host != NULL) 781 vfree(xauth_ldap_config.host); 782 783 xauth_ldap_config.host = vdup($2); 784 #endif 785 #endif 786 vfree($2); 787 } 788 EOS 789 | LDAP_PORT NUMBER 790 { 791 #ifdef ENABLE_HYBRID 792 #ifdef HAVE_LIBLDAP 793 xauth_ldap_config.port = $2; 794 #endif 795 #endif 796 } 797 EOS 798 | LDAP_TLS SWITCH 799 { 800 #ifdef ENABLE_HYBRID 801 #ifdef HAVE_LIBLDAP 802 xauth_ldap_config.tls = $2; 803 #endif 804 #endif 805 } 806 EOS 807 | LDAP_BASE QUOTEDSTRING 808 { 809 #ifdef ENABLE_HYBRID 810 #ifdef HAVE_LIBLDAP 811 if (xauth_ldap_config.base != NULL) 812 vfree(xauth_ldap_config.base); 813 814 xauth_ldap_config.base = vdup($2); 815 #endif 816 #endif 817 vfree($2); 818 } 819 EOS 820 | LDAP_SUBTREE SWITCH 821 { 822 #ifdef ENABLE_HYBRID 823 #ifdef HAVE_LIBLDAP 824 xauth_ldap_config.subtree = $2; 825 #endif 826 #endif 827 } 828 EOS 829 | LDAP_BIND_DN QUOTEDSTRING 830 { 831 #ifdef ENABLE_HYBRID 832 #ifdef HAVE_LIBLDAP 833 if (xauth_ldap_config.bind_dn != NULL) 834 vfree(xauth_ldap_config.bind_dn); 835 836 xauth_ldap_config.bind_dn = vdup($2); 837 #endif 838 #endif 839 vfree($2); 840 } 841 EOS 842 | LDAP_BIND_PW QUOTEDSTRING 843 { 844 #ifdef ENABLE_HYBRID 845 #ifdef HAVE_LIBLDAP 846 if (xauth_ldap_config.bind_pw != NULL) 847 vfree(xauth_ldap_config.bind_pw); 848 849 xauth_ldap_config.bind_pw = vdup($2); 850 #endif 851 #endif 852 vfree($2); 853 } 854 EOS 855 | LDAP_ATTR_USER QUOTEDSTRING 856 { 857 #ifdef ENABLE_HYBRID 858 #ifdef HAVE_LIBLDAP 859 if (xauth_ldap_config.attr_user != NULL) 860 vfree(xauth_ldap_config.attr_user); 861 862 xauth_ldap_config.attr_user = vdup($2); 863 #endif 864 #endif 865 vfree($2); 866 } 867 EOS 868 | LDAP_ATTR_ADDR QUOTEDSTRING 869 { 870 #ifdef ENABLE_HYBRID 871 #ifdef HAVE_LIBLDAP 872 if (xauth_ldap_config.attr_addr != NULL) 873 vfree(xauth_ldap_config.attr_addr); 874 875 xauth_ldap_config.attr_addr = vdup($2); 876 #endif 877 #endif 878 vfree($2); 879 } 880 EOS 881 | LDAP_ATTR_MASK QUOTEDSTRING 882 { 883 #ifdef ENABLE_HYBRID 884 #ifdef HAVE_LIBLDAP 885 if (xauth_ldap_config.attr_mask != NULL) 886 vfree(xauth_ldap_config.attr_mask); 887 888 xauth_ldap_config.attr_mask = vdup($2); 889 #endif 890 #endif 891 vfree($2); 892 } 893 EOS 894 | LDAP_ATTR_GROUP QUOTEDSTRING 895 { 896 #ifdef ENABLE_HYBRID 897 #ifdef HAVE_LIBLDAP 898 if (xauth_ldap_config.attr_group != NULL) 899 vfree(xauth_ldap_config.attr_group); 900 901 xauth_ldap_config.attr_group = vdup($2); 902 #endif 903 #endif 904 vfree($2); 905 } 906 EOS 907 | LDAP_ATTR_MEMBER QUOTEDSTRING 908 { 909 #ifdef ENABLE_HYBRID 910 #ifdef HAVE_LIBLDAP 911 if (xauth_ldap_config.attr_member != NULL) 912 vfree(xauth_ldap_config.attr_member); 913 914 xauth_ldap_config.attr_member = vdup($2); 915 #endif 916 #endif 917 vfree($2); 918 } 919 EOS 920 ; 921 922 /* modecfg */ 923 modecfg_statement 924 : MODECFG BOC modecfg_stmts EOC 925 ; 926 modecfg_stmts 927 : /* nothing */ 928 | modecfg_stmts modecfg_stmt 929 ; 930 modecfg_stmt 931 : CFG_NET4 ADDRSTRING 932 { 933 #ifdef ENABLE_HYBRID 934 if (inet_pton(AF_INET, $2->v, 935 &isakmp_cfg_config.network4) != 1) 936 yyerror("bad IPv4 network address."); 937 #else 938 yywarn(error_message_hybrid_config_not_configured); 939 #endif 940 vfree($2); 941 } 942 EOS 943 | CFG_MASK4 ADDRSTRING 944 { 945 #ifdef ENABLE_HYBRID 946 if (inet_pton(AF_INET, $2->v, 947 &isakmp_cfg_config.netmask4) != 1) 948 yyerror("bad IPv4 netmask address."); 949 #else 950 yywarn(error_message_hybrid_config_not_configured); 951 #endif 952 vfree($2); 953 } 954 EOS 955 | CFG_DNS4 addrdnslist 956 EOS 957 | CFG_NBNS4 addrwinslist 958 EOS 959 | CFG_SPLIT_NETWORK CFG_SPLIT_LOCAL splitnetlist 960 { 961 #ifdef ENABLE_HYBRID 962 isakmp_cfg_config.splitnet_type = UNITY_LOCAL_LAN; 963 #else 964 yywarn(error_message_hybrid_config_not_configured); 965 #endif 966 } 967 EOS 968 | CFG_SPLIT_NETWORK CFG_SPLIT_INCLUDE splitnetlist 969 { 970 #ifdef ENABLE_HYBRID 971 isakmp_cfg_config.splitnet_type = UNITY_SPLIT_INCLUDE; 972 #else 973 yywarn(error_message_hybrid_config_not_configured); 974 #endif 975 } 976 EOS 977 | CFG_SPLIT_DNS splitdnslist 978 { 979 #ifndef ENABLE_HYBRID 980 yywarn(error_message_hybrid_config_not_configured); 981 #endif 982 } 983 EOS 984 | CFG_DEFAULT_DOMAIN QUOTEDSTRING 985 { 986 #ifdef ENABLE_HYBRID 987 strncpy(&isakmp_cfg_config.default_domain[0], 988 $2->v, MAXPATHLEN); 989 isakmp_cfg_config.default_domain[MAXPATHLEN] = '\0'; 990 #else 991 yyerror(error_message_hybrid_config_not_configured); 992 #endif 993 vfree($2); 994 } 995 EOS 996 | CFG_AUTH_SOURCE CFG_SYSTEM 997 { 998 #ifdef ENABLE_HYBRID 999 isakmp_cfg_config.authsource = ISAKMP_CFG_AUTH_SYSTEM; 1000 #else 1001 yywarn(error_message_hybrid_config_not_configured); 1002 #endif 1003 } 1004 EOS 1005 | CFG_AUTH_SOURCE CFG_RADIUS 1006 { 1007 #ifdef ENABLE_HYBRID 1008 #ifdef HAVE_LIBRADIUS 1009 isakmp_cfg_config.authsource = ISAKMP_CFG_AUTH_RADIUS; 1010 #else /* HAVE_LIBRADIUS */ 1011 yyerror("racoon not configured with --with-libradius"); 1012 #endif /* HAVE_LIBRADIUS */ 1013 #else /* ENABLE_HYBRID */ 1014 yywarn(error_message_hybrid_config_not_configured); 1015 #endif /* ENABLE_HYBRID */ 1016 } 1017 EOS 1018 | CFG_AUTH_SOURCE CFG_PAM 1019 { 1020 #ifdef ENABLE_HYBRID 1021 #ifdef HAVE_LIBPAM 1022 isakmp_cfg_config.authsource = ISAKMP_CFG_AUTH_PAM; 1023 #else /* HAVE_LIBPAM */ 1024 yyerror("racoon not configured with --with-libpam"); 1025 #endif /* HAVE_LIBPAM */ 1026 #else /* ENABLE_HYBRID */ 1027 yywarn(error_message_hybrid_config_not_configured); 1028 #endif /* ENABLE_HYBRID */ 1029 } 1030 EOS 1031 | CFG_AUTH_SOURCE CFG_LDAP 1032 { 1033 #ifdef ENABLE_HYBRID 1034 #ifdef HAVE_LIBLDAP 1035 isakmp_cfg_config.authsource = ISAKMP_CFG_AUTH_LDAP; 1036 #else /* HAVE_LIBLDAP */ 1037 yywarn(error_message_ldap_config_not_configured); 1038 #endif /* HAVE_LIBLDAP */ 1039 #else /* ENABLE_HYBRID */ 1040 yywarn(error_message_hybrid_config_not_configured); 1041 #endif /* ENABLE_HYBRID */ 1042 } 1043 EOS 1044 | CFG_AUTH_GROUPS authgrouplist 1045 { 1046 #ifndef ENABLE_HYBRID 1047 yywarn(error_message_hybrid_config_not_configured); 1048 #endif 1049 } 1050 EOS 1051 | CFG_GROUP_SOURCE CFG_SYSTEM 1052 { 1053 #ifdef ENABLE_HYBRID 1054 isakmp_cfg_config.groupsource = ISAKMP_CFG_GROUP_SYSTEM; 1055 #else 1056 yywarn(error_message_hybrid_config_not_configured); 1057 #endif 1058 } 1059 EOS 1060 | CFG_GROUP_SOURCE CFG_LDAP 1061 { 1062 #ifdef ENABLE_HYBRID 1063 #ifdef HAVE_LIBLDAP 1064 isakmp_cfg_config.groupsource = ISAKMP_CFG_GROUP_LDAP; 1065 #else /* HAVE_LIBLDAP */ 1066 yywarn(error_message_ldap_config_not_configured); 1067 #endif /* HAVE_LIBLDAP */ 1068 #else /* ENABLE_HYBRID */ 1069 yywarn(error_message_hybrid_config_not_configured); 1070 #endif /* ENABLE_HYBRID */ 1071 } 1072 EOS 1073 | CFG_ACCOUNTING CFG_NONE 1074 { 1075 #ifdef ENABLE_HYBRID 1076 isakmp_cfg_config.accounting = ISAKMP_CFG_ACCT_NONE; 1077 #else 1078 yywarn(error_message_hybrid_config_not_configured); 1079 #endif 1080 } 1081 EOS 1082 | CFG_ACCOUNTING CFG_SYSTEM 1083 { 1084 #ifdef ENABLE_HYBRID 1085 isakmp_cfg_config.accounting = ISAKMP_CFG_ACCT_SYSTEM; 1086 #else 1087 yywarn(error_message_hybrid_config_not_configured); 1088 #endif 1089 } 1090 EOS 1091 | CFG_ACCOUNTING CFG_RADIUS 1092 { 1093 #ifdef ENABLE_HYBRID 1094 #ifdef HAVE_LIBRADIUS 1095 isakmp_cfg_config.accounting = ISAKMP_CFG_ACCT_RADIUS; 1096 #else /* HAVE_LIBRADIUS */ 1097 yyerror("racoon not configured with --with-libradius"); 1098 #endif /* HAVE_LIBRADIUS */ 1099 #else /* ENABLE_HYBRID */ 1100 yywarn(error_message_hybrid_config_not_configured); 1101 #endif /* ENABLE_HYBRID */ 1102 } 1103 EOS 1104 | CFG_ACCOUNTING CFG_PAM 1105 { 1106 #ifdef ENABLE_HYBRID 1107 #ifdef HAVE_LIBPAM 1108 isakmp_cfg_config.accounting = ISAKMP_CFG_ACCT_PAM; 1109 #else /* HAVE_LIBPAM */ 1110 yyerror("racoon not configured with --with-libpam"); 1111 #endif /* HAVE_LIBPAM */ 1112 #else /* ENABLE_HYBRID */ 1113 yywarn(error_message_hybrid_config_not_configured); 1114 #endif /* ENABLE_HYBRID */ 1115 } 1116 EOS 1117 | CFG_POOL_SIZE NUMBER 1118 { 1119 #ifdef ENABLE_HYBRID 1120 if (isakmp_cfg_resize_pool($2) != 0) 1121 yyerror("cannot allocate memory for pool"); 1122 #else /* ENABLE_HYBRID */ 1123 yywarn(error_message_hybrid_config_not_configured); 1124 #endif /* ENABLE_HYBRID */ 1125 } 1126 EOS 1127 | CFG_PFS_GROUP NUMBER 1128 { 1129 #ifdef ENABLE_HYBRID 1130 isakmp_cfg_config.pfs_group = $2; 1131 #else /* ENABLE_HYBRID */ 1132 yywarn(error_message_hybrid_config_not_configured); 1133 #endif /* ENABLE_HYBRID */ 1134 } 1135 EOS 1136 | CFG_SAVE_PASSWD SWITCH 1137 { 1138 #ifdef ENABLE_HYBRID 1139 isakmp_cfg_config.save_passwd = $2; 1140 #else /* ENABLE_HYBRID */ 1141 yywarn(error_message_hybrid_config_not_configured); 1142 #endif /* ENABLE_HYBRID */ 1143 } 1144 EOS 1145 | CFG_AUTH_THROTTLE NUMBER 1146 { 1147 #ifdef ENABLE_HYBRID 1148 isakmp_cfg_config.auth_throttle = $2; 1149 #else /* ENABLE_HYBRID */ 1150 yywarn(error_message_hybrid_config_not_configured); 1151 #endif /* ENABLE_HYBRID */ 1152 } 1153 EOS 1154 | CFG_CONF_SOURCE CFG_LOCAL 1155 { 1156 #ifdef ENABLE_HYBRID 1157 isakmp_cfg_config.confsource = ISAKMP_CFG_CONF_LOCAL; 1158 #else /* ENABLE_HYBRID */ 1159 yywarn(error_message_hybrid_config_not_configured); 1160 #endif /* ENABLE_HYBRID */ 1161 } 1162 EOS 1163 | CFG_CONF_SOURCE CFG_RADIUS 1164 { 1165 #ifdef ENABLE_HYBRID 1166 #ifdef HAVE_LIBRADIUS 1167 isakmp_cfg_config.confsource = ISAKMP_CFG_CONF_RADIUS; 1168 #else /* HAVE_LIBRADIUS */ 1169 yyerror("racoon not configured with --with-libradius"); 1170 #endif /* HAVE_LIBRADIUS */ 1171 #else /* ENABLE_HYBRID */ 1172 yywarn(error_message_hybrid_config_not_configured); 1173 #endif /* ENABLE_HYBRID */ 1174 } 1175 EOS 1176 | CFG_CONF_SOURCE CFG_LDAP 1177 { 1178 #ifdef ENABLE_HYBRID 1179 #ifdef HAVE_LIBLDAP 1180 isakmp_cfg_config.confsource = ISAKMP_CFG_CONF_LDAP; 1181 #else /* HAVE_LIBLDAP */ 1182 yywarn(error_message_ldap_config_not_configured); 1183 #endif /* HAVE_LIBLDAP */ 1184 #else /* ENABLE_HYBRID */ 1185 yywarn(error_message_hybrid_config_not_configured); 1186 #endif /* ENABLE_HYBRID */ 1187 } 1188 EOS 1189 | CFG_MOTD QUOTEDSTRING 1190 { 1191 #ifdef ENABLE_HYBRID 1192 strncpy(&isakmp_cfg_config.motd[0], $2->v, MAXPATHLEN); 1193 isakmp_cfg_config.motd[MAXPATHLEN] = '\0'; 1194 #else 1195 yywarn(error_message_hybrid_config_not_configured); 1196 #endif 1197 vfree($2); 1198 } 1199 EOS 1200 ; 1201 1202 addrdnslist 1203 : addrdns 1204 | addrdns COMMA addrdnslist 1205 ; 1206 addrdns 1207 : ADDRSTRING 1208 { 1209 #ifdef ENABLE_HYBRID 1210 struct isakmp_cfg_config *icc = &isakmp_cfg_config; 1211 1212 if (icc->dns4_index > MAXNS) 1213 yyerror("No more than %d DNS", MAXNS); 1214 if (inet_pton(AF_INET, $1->v, 1215 &icc->dns4[icc->dns4_index++]) != 1) 1216 yyerror("bad IPv4 DNS address."); 1217 #else 1218 yywarn(error_message_hybrid_config_not_configured); 1219 #endif 1220 vfree($1); 1221 } 1222 ; 1223 1224 addrwinslist 1225 : addrwins 1226 | addrwins COMMA addrwinslist 1227 ; 1228 addrwins 1229 : ADDRSTRING 1230 { 1231 #ifdef ENABLE_HYBRID 1232 struct isakmp_cfg_config *icc = &isakmp_cfg_config; 1233 1234 if (icc->nbns4_index > MAXWINS) 1235 yyerror("No more than %d WINS", MAXWINS); 1236 if (inet_pton(AF_INET, $1->v, 1237 &icc->nbns4[icc->nbns4_index++]) != 1) 1238 yyerror("bad IPv4 WINS address."); 1239 #else 1240 yywarn(error_message_hybrid_config_not_configured); 1241 #endif 1242 vfree($1); 1243 } 1244 ; 1245 1246 splitnetlist 1247 : splitnet 1248 | splitnetlist COMMA splitnet 1249 ; 1250 splitnet 1251 : ADDRSTRING PREFIX 1252 { 1253 #ifdef ENABLE_HYBRID 1254 struct isakmp_cfg_config *icc = &isakmp_cfg_config; 1255 struct unity_network network; 1256 memset(&network,0,sizeof(network)); 1257 1258 if (inet_pton(AF_INET, $1->v, &network.addr4) != 1) 1259 yyerror("bad IPv4 SPLIT address."); 1260 1261 /* Turn $2 (the prefix) into a subnet mask */ 1262 network.mask4.s_addr = ($2) ? htonl(~((1 << (32 - $2)) - 1)) : 0; 1263 1264 /* add the network to our list */ 1265 if (splitnet_list_add(&icc->splitnet_list, &network,&icc->splitnet_count)) 1266 yyerror("Unable to allocate split network"); 1267 #else 1268 yywarn(error_message_hybrid_config_not_configured); 1269 #endif 1270 vfree($1); 1271 } 1272 ; 1273 1274 authgrouplist 1275 : authgroup 1276 | authgroup COMMA authgrouplist 1277 ; 1278 authgroup 1279 : QUOTEDSTRING 1280 { 1281 #ifdef ENABLE_HYBRID 1282 char * groupname = NULL; 1283 char ** grouplist = NULL; 1284 struct isakmp_cfg_config *icc = &isakmp_cfg_config; 1285 1286 grouplist = racoon_realloc(icc->grouplist, 1287 sizeof(char**)*(icc->groupcount+1)); 1288 if (grouplist == NULL) { 1289 yyerror("unable to allocate auth group list"); 1290 ABORT_AND_VFREE($1); 1291 } 1292 1293 1294 groupname = racoon_malloc($1->l+1); 1295 if (groupname == NULL) { 1296 yyerror("unable to allocate auth group name"); 1297 ABORT_AND_VFREE($1); 1298 } 1299 1300 memcpy(groupname,$1->v,$1->l); 1301 groupname[$1->l]=0; 1302 grouplist[icc->groupcount]=groupname; 1303 icc->grouplist = grouplist; 1304 icc->groupcount++; 1305 1306 #else 1307 yywarn(error_message_hybrid_config_not_configured); 1308 #endif 1309 vfree($1); 1310 } 1311 ; 1312 1313 splitdnslist 1314 : splitdns 1315 | splitdns COMMA splitdnslist 1316 ; 1317 splitdns 1318 : QUOTEDSTRING 1319 { 1320 #ifdef ENABLE_HYBRID 1321 struct isakmp_cfg_config *icc = &isakmp_cfg_config; 1322 1323 if (!icc->splitdns_len) 1324 { 1325 icc->splitdns_list = racoon_malloc($1->l); 1326 if (icc->splitdns_list == NULL) { 1327 yyerror("error allocating splitdns list buffer"); 1328 ABORT_AND_VFREE($1); 1329 } 1330 1331 memcpy(icc->splitdns_list,$1->v,$1->l); 1332 icc->splitdns_len = $1->l; 1333 } 1334 else 1335 { 1336 int len = icc->splitdns_len + $1->l + 1; 1337 icc->splitdns_list = racoon_realloc(icc->splitdns_list,len); 1338 if (icc->splitdns_list == NULL) { 1339 yyerror("error allocating splitdns list buffer"); 1340 ABORT_AND_VFREE($1); 1341 } 1342 1343 icc->splitdns_list[icc->splitdns_len] = ','; 1344 memcpy(icc->splitdns_list + icc->splitdns_len + 1, $1->v, $1->l); 1345 icc->splitdns_len = len; 1346 } 1347 #else 1348 yywarn(error_message_hybrid_config_not_configured); 1349 #endif 1350 vfree($1); 1351 } 1352 ; 1353 1354 1355 /* timer */ 1356 timer_statement 1357 : RETRY BOC timer_stmts EOC 1358 ; 1359 timer_stmts 1360 : /* nothing */ 1361 | timer_stmts timer_stmt 1362 ; 1363 timer_stmt 1364 : RETRY_COUNTER NUMBER 1365 { 1366 lcconf->retry_counter = $2; 1367 } 1368 EOS 1369 | RETRY_INTERVAL NUMBER unittype_time 1370 { 1371 lcconf->retry_interval = $2 * $3; 1372 } 1373 EOS 1374 | RETRY_PERSEND NUMBER 1375 { 1376 lcconf->count_persend = $2; 1377 } 1378 EOS 1379 | RETRY_PHASE1 NUMBER unittype_time 1380 { 1381 lcconf->retry_checkph1 = $2 * $3; 1382 } 1383 EOS 1384 | RETRY_PHASE2 NUMBER unittype_time 1385 { 1386 lcconf->wait_ph2complete = $2 * $3; 1387 } 1388 EOS 1389 | NATT_KA NUMBER unittype_time 1390 { 1391 #ifdef ENABLE_NATT 1392 if (libipsec_opt & LIBIPSEC_OPT_NATT) 1393 lcconf->natt_ka_interval = $2 * $3; 1394 else 1395 yyerror("libipsec lacks NAT-T support"); 1396 #else 1397 yyerror(error_message_natt_not_compiled_in); 1398 #endif 1399 } 1400 EOS 1401 ; 1402 1403 /* sainfo */ 1404 sainfo_statement 1405 : SAINFO 1406 { 1407 delsainfo(cur_sainfo); 1408 cur_sainfo = newsainfo(); 1409 if (cur_sainfo == NULL) { 1410 yyerror("failed to allocate sainfo"); 1411 ABORT(); 1412 } 1413 1414 } 1415 sainfo_name sainfo_param BOC sainfo_specs 1416 { 1417 struct sainfo *check; 1418 1419 /* default */ 1420 if (cur_sainfo->algs[algclass_ipsec_enc] == 0) { 1421 yyerror("no encryption algorithm at %s", 1422 sainfo2str(cur_sainfo)); 1423 return -1; 1424 } 1425 if (cur_sainfo->algs[algclass_ipsec_auth] == 0) { 1426 yyerror("no authentication algorithm at %s", 1427 sainfo2str(cur_sainfo)); 1428 return -1; 1429 } 1430 if (cur_sainfo->algs[algclass_ipsec_comp] == 0) { 1431 yyerror("no compression algorithm at %s", 1432 sainfo2str(cur_sainfo)); 1433 return -1; 1434 } 1435 1436 /* duplicate check */ 1437 check = getsainfo(cur_sainfo->idsrc, 1438 cur_sainfo->iddst, 1439 cur_sainfo->id_i, 1440 NULL, 1441 cur_sainfo->remoteid); 1442 1443 if (check && ((check->idsrc != SAINFO_ANONYMOUS) && 1444 (cur_sainfo->idsrc != SAINFO_ANONYMOUS))) { 1445 yyerror("duplicated sainfo: %s", 1446 sainfo2str(cur_sainfo)); 1447 return -1; 1448 } 1449 1450 inssainfo(cur_sainfo); 1451 cur_sainfo = NULL; 1452 } 1453 EOC 1454 ; 1455 sainfo_name 1456 : ANONYMOUS 1457 { 1458 cur_sainfo->idsrc = SAINFO_ANONYMOUS; 1459 cur_sainfo->iddst = SAINFO_ANONYMOUS; 1460 } 1461 | ANONYMOUS CLIENTADDR 1462 { 1463 cur_sainfo->idsrc = SAINFO_ANONYMOUS; 1464 cur_sainfo->iddst = SAINFO_CLIENTADDR; 1465 } 1466 | ANONYMOUS sainfo_id 1467 { 1468 cur_sainfo->idsrc = SAINFO_ANONYMOUS; 1469 cur_sainfo->iddst = $2; 1470 } 1471 | sainfo_id ANONYMOUS 1472 { 1473 cur_sainfo->idsrc = $1; 1474 cur_sainfo->iddst = SAINFO_ANONYMOUS; 1475 } 1476 | sainfo_id CLIENTADDR 1477 { 1478 cur_sainfo->idsrc = $1; 1479 cur_sainfo->iddst = SAINFO_CLIENTADDR; 1480 } 1481 | sainfo_id sainfo_id 1482 { 1483 cur_sainfo->idsrc = $1; 1484 cur_sainfo->iddst = $2; 1485 } 1486 ; 1487 sainfo_id 1488 : IDENTIFIERTYPE ADDRSTRING prefix port ul_proto 1489 { 1490 char portbuf[10]; 1491 struct sockaddr *saddr; 1492 1493 if (($5 == IPPROTO_ICMP || $5 == IPPROTO_ICMPV6) 1494 && ($4 != IPSEC_PORT_ANY || $4 != IPSEC_PORT_ANY)) { 1495 yyerror("port number must be \"any\"."); 1496 return -1; 1497 } 1498 1499 snprintf(portbuf, sizeof(portbuf), "%lu", $4); 1500 saddr = str2saddr($2->v, portbuf); 1501 vfree($2); 1502 if (saddr == NULL) 1503 return -1; 1504 1505 switch (saddr->sa_family) { 1506 case AF_INET: 1507 if ($5 == IPPROTO_ICMPV6) { 1508 yyerror("upper layer protocol mismatched.\n"); 1509 racoon_free(saddr); 1510 return -1; 1511 } 1512 $$ = ipsecdoi_sockaddr2id(saddr, 1513 $3 == ~0 ? (sizeof(struct in_addr) << 3): $3, 1514 $5); 1515 break; 1516 #ifdef INET6 1517 case AF_INET6: 1518 if ($5 == IPPROTO_ICMP) { 1519 yyerror("upper layer protocol mismatched.\n"); 1520 racoon_free(saddr); 1521 return -1; 1522 } 1523 $$ = ipsecdoi_sockaddr2id(saddr, 1524 $3 == ~0 ? (sizeof(struct in6_addr) << 3): $3, 1525 $5); 1526 break; 1527 #endif 1528 default: 1529 yyerror("invalid family: %d", saddr->sa_family); 1530 $$ = NULL; 1531 break; 1532 } 1533 racoon_free(saddr); 1534 if ($$ == NULL) 1535 return -1; 1536 } 1537 | IDENTIFIERTYPE ADDRSTRING ADDRRANGE prefix port ul_proto 1538 { 1539 char portbuf[10]; 1540 struct sockaddr *laddr = NULL, *haddr = NULL; 1541 char *cur = NULL; 1542 1543 if (($6 == IPPROTO_ICMP || $6 == IPPROTO_ICMPV6) 1544 && ($5 != IPSEC_PORT_ANY || $5 != IPSEC_PORT_ANY)) { 1545 yyerror("port number must be \"any\"."); 1546 return -1; 1547 } 1548 1549 snprintf(portbuf, sizeof(portbuf), "%lu", $5); 1550 1551 laddr = str2saddr($2->v, portbuf); 1552 if (laddr == NULL) { 1553 return -1; 1554 } 1555 vfree($2); 1556 haddr = str2saddr($3->v, portbuf); 1557 if (haddr == NULL) { 1558 racoon_free(laddr); 1559 return -1; 1560 } 1561 vfree($3); 1562 1563 switch (laddr->sa_family) { 1564 case AF_INET: 1565 if ($6 == IPPROTO_ICMPV6) { 1566 yyerror("upper layer protocol mismatched.\n"); 1567 if (laddr) 1568 racoon_free(laddr); 1569 if (haddr) 1570 racoon_free(haddr); 1571 return -1; 1572 } 1573 $$ = ipsecdoi_sockrange2id(laddr, haddr, 1574 $6); 1575 break; 1576 #ifdef INET6 1577 case AF_INET6: 1578 if ($6 == IPPROTO_ICMP) { 1579 yyerror("upper layer protocol mismatched.\n"); 1580 if (laddr) 1581 racoon_free(laddr); 1582 if (haddr) 1583 racoon_free(haddr); 1584 return -1; 1585 } 1586 $$ = ipsecdoi_sockrange2id(laddr, haddr, 1587 $6); 1588 break; 1589 #endif 1590 default: 1591 yyerror("invalid family: %d", laddr->sa_family); 1592 $$ = NULL; 1593 break; 1594 } 1595 if (laddr) 1596 racoon_free(laddr); 1597 if (haddr) 1598 racoon_free(haddr); 1599 if ($$ == NULL) 1600 return -1; 1601 } 1602 | IDENTIFIERTYPE QUOTEDSTRING 1603 { 1604 struct ipsecdoi_id_b *id_b; 1605 1606 if ($1 == IDTYPE_ASN1DN) { 1607 yyerror("id type forbidden: %d", $1); 1608 $$ = NULL; 1609 return -1; 1610 } 1611 1612 $2->l--; 1613 1614 $$ = vmalloc(sizeof(*id_b) + $2->l); 1615 if ($$ == NULL) { 1616 yyerror("failed to allocate identifier"); 1617 return -1; 1618 } 1619 1620 id_b = (struct ipsecdoi_id_b *)$$->v; 1621 id_b->type = idtype2doi($1); 1622 1623 id_b->proto_id = 0; 1624 id_b->port = 0; 1625 1626 memcpy($$->v + sizeof(*id_b), $2->v, $2->l); 1627 } 1628 ; 1629 sainfo_param 1630 : /* nothing */ 1631 { 1632 cur_sainfo->id_i = NULL; 1633 } 1634 | FROM IDENTIFIERTYPE identifierstring 1635 { 1636 struct ipsecdoi_id_b *id_b; 1637 vchar_t *idv; 1638 1639 if (set_identifier(&idv, $2, $3) != 0) { 1640 yyerror("failed to set identifer.\n"); 1641 return -1; 1642 } 1643 cur_sainfo->id_i = vmalloc(sizeof(*id_b) + idv->l); 1644 if (cur_sainfo->id_i == NULL) { 1645 yyerror("failed to allocate identifier"); 1646 return -1; 1647 } 1648 1649 id_b = (struct ipsecdoi_id_b *)cur_sainfo->id_i->v; 1650 id_b->type = idtype2doi($2); 1651 1652 id_b->proto_id = 0; 1653 id_b->port = 0; 1654 1655 memcpy(cur_sainfo->id_i->v + sizeof(*id_b), 1656 idv->v, idv->l); 1657 vfree(idv); 1658 } 1659 | GROUP QUOTEDSTRING 1660 { 1661 #ifdef ENABLE_HYBRID 1662 if ((cur_sainfo->group = vdup($2)) == NULL) { 1663 yyerror("failed to set sainfo xauth group.\n"); 1664 return -1; 1665 } 1666 #else 1667 yywarn(error_message_hybrid_config_not_configured); 1668 ABORT_AND_VFREE($2); 1669 #endif 1670 } 1671 ; 1672 sainfo_specs 1673 : /* nothing */ 1674 | sainfo_specs sainfo_spec 1675 ; 1676 sainfo_spec 1677 : PFS_GROUP dh_group_num 1678 { 1679 cur_sainfo->pfs_group = $2; 1680 } 1681 EOS 1682 | REMOTEID NUMBER 1683 { 1684 cur_sainfo->remoteid = $2; 1685 } 1686 EOS 1687 | LIFETIME LIFETYPE_TIME NUMBER unittype_time 1688 { 1689 cur_sainfo->lifetime = $3 * $4; 1690 } 1691 EOS 1692 | LIFETIME LIFETYPE_BYTE NUMBER unittype_byte 1693 { 1694 #if 1 1695 yyerror("byte lifetime support is deprecated"); 1696 ABORT(); 1697 #else 1698 cur_sainfo->lifebyte = fix_lifebyte($3 * $4); 1699 if (cur_sainfo->lifebyte == 0) 1700 ABORT(); 1701 #endif 1702 } 1703 EOS 1704 | ALGORITHM_CLASS { 1705 cur_algclass = $1; 1706 } 1707 algorithms EOS 1708 ; 1709 1710 algorithms 1711 : algorithm 1712 { 1713 inssainfoalg(&cur_sainfo->algs[cur_algclass], $1); 1714 } 1715 | algorithm 1716 { 1717 inssainfoalg(&cur_sainfo->algs[cur_algclass], $1); 1718 } 1719 COMMA algorithms 1720 ; 1721 algorithm 1722 : ALGORITHMTYPE keylength 1723 { 1724 int defklen; 1725 int encklen_tmp; 1726 1727 $$ = newsainfoalg(); 1728 if ($$ == NULL) { 1729 yyerror("failed to get algorithm allocation"); 1730 ABORT(); 1731 } 1732 1733 $$->alg = algtype2doi(cur_algclass, $1); 1734 if ($$->alg == -1) { 1735 yyerror("algorithm mismatched"); 1736 ABORT_AND_RACOON_FREE($$); 1737 } 1738 1739 defklen = default_keylen(cur_algclass, $1); 1740 if (defklen == 0) { 1741 if ($2) { 1742 yyerror("keylen not allowed"); 1743 ABORT_AND_RACOON_FREE($$); 1744 } 1745 1746 } else { 1747 if ($2 && check_keylen(cur_algclass, $1, $2) < 0) { 1748 yyerror("invalid keylen %d", $2); 1749 ABORT_AND_RACOON_FREE($$); 1750 } 1751 } 1752 1753 if ($2) 1754 $$->encklen = $2; 1755 else 1756 $$->encklen = defklen; 1757 1758 /* Check keymat size instead of "human" key size 1759 * because kernel store keymat size instead of "human key size". 1760 * For example, the keymat size of aes_gcm_16 128 is 160 bits 1761 * (128 bits + 4 bytes) instead of 128 bits. 1762 * 1763 * Currently, it is only useful for aes_gcm_16 (ipsec_enc). 1764 */ 1765 if (cur_algclass == algclass_ipsec_enc) 1766 { 1767 encklen_tmp = alg_ipsec_encdef_keylen($$->alg, $$->encklen); 1768 if (encklen_tmp < 0) 1769 { 1770 yyerror("Failed to convert keylen %d to keymat len for alg %d", 1771 $$->encklen, $$->alg); 1772 racoon_free($$); 1773 $$ = NULL; 1774 return -1; 1775 } 1776 } 1777 else 1778 { 1779 /* XXX Convert key size to keymat size for other algorithm ? 1780 */ 1781 encklen_tmp = $$->encklen; 1782 } 1783 1784 /* check if it's supported algorithm by kernel */ 1785 if (!(cur_algclass == algclass_ipsec_auth && $1 == algtype_non_auth) 1786 && pk_checkalg(cur_algclass, $1, encklen_tmp)) { 1787 int a = algclass2doi(cur_algclass); 1788 int b = algtype2doi(cur_algclass, $1); 1789 if (a == IPSECDOI_ATTR_AUTH) 1790 a = IPSECDOI_PROTO_IPSEC_AH; 1791 yyerror("algorithm %s not supported by the kernel (missing module?)", 1792 s_ipsecdoi_trns(a, b)); 1793 ABORT_AND_RACOON_FREE($$); 1794 } 1795 } 1796 ; 1797 prefix 1798 : /* nothing */ { $$ = ~0; } 1799 | PREFIX { $$ = $1; } 1800 ; 1801 port 1802 : /* nothing */ { $$ = IPSEC_PORT_ANY; } 1803 | PORT { $$ = $1; } 1804 | PORTANY { $$ = IPSEC_PORT_ANY; } 1805 ; 1806 ul_proto 1807 : NUMBER { $$ = $1; } 1808 | UL_PROTO { $$ = $1; } 1809 | ANY { $$ = IPSEC_ULPROTO_ANY; } 1810 ; 1811 keylength 1812 : /* nothing */ { $$ = 0; } 1813 | NUMBER { $$ = $1; } 1814 ; 1815 1816 /* remote */ 1817 remote_statement 1818 : REMOTE QUOTEDSTRING INHERIT QUOTEDSTRING 1819 { 1820 struct remoteconf *from, *new; 1821 1822 if (getrmconf_by_name($2->v) != NULL) { 1823 yyerror("named remoteconf \"%s\" already exists.", 1824 $2->v); 1825 ABORT_AND_VFREE2($2, $4); 1826 } 1827 1828 from = getrmconf_by_name($4->v); 1829 if (from == NULL) { 1830 yyerror("named parent remoteconf \"%s\" does not exist.", 1831 $4->v); 1832 ABORT_AND_VFREE2($2, $4); 1833 } 1834 1835 new = duprmconf_shallow(from); 1836 if (new == NULL) { 1837 yyerror("failed to duplicate remoteconf from \"%s\".", 1838 $4->v); 1839 ABORT_AND_VFREE2($2, $4); 1840 } 1841 1842 new->name = racoon_strdup($2->v); 1843 1844 delrmconf(cur_rmconf); 1845 cur_rmconf = new; 1846 1847 vfree($2); 1848 vfree($4); 1849 } 1850 remote_specs_inherit_block 1851 | REMOTE QUOTEDSTRING 1852 { 1853 struct remoteconf *new; 1854 1855 if (getrmconf_by_name($2->v) != NULL) { 1856 yyerror("Named remoteconf \"%s\" already exists.", 1857 $2->v); 1858 ABORT_AND_VFREE($2); 1859 } 1860 1861 new = newrmconf(); 1862 if (new == NULL) { 1863 yyerror("failed to get new remoteconf."); 1864 ABORT_AND_VFREE($2); 1865 } 1866 1867 new->name = racoon_strdup($2->v); 1868 1869 delrmconf(cur_rmconf); 1870 cur_rmconf = new; 1871 1872 vfree($2); 1873 } 1874 remote_specs_block 1875 | REMOTE remote_index INHERIT remote_index 1876 { 1877 struct remoteconf *from, *new; 1878 1879 from = getrmconf($4, GETRMCONF_F_NO_ANONYMOUS); 1880 if (from == NULL) { 1881 yyerror("failed to get remoteconf for %s.", 1882 saddr2str($4)); 1883 ABORT_AND_RACOON_FREE2($2, $4); 1884 } 1885 1886 new = duprmconf_shallow(from); 1887 if (new == NULL) { 1888 yyerror("failed to duplicate remoteconf from %s.", 1889 saddr2str($4)); 1890 ABORT_AND_RACOON_FREE2($2, $4); 1891 } 1892 1893 racoon_free($4); 1894 new->remote = $2; 1895 delrmconf(cur_rmconf); 1896 cur_rmconf = new; 1897 } 1898 remote_specs_inherit_block 1899 | REMOTE remote_index 1900 { 1901 struct remoteconf *new; 1902 1903 new = newrmconf(); 1904 if (new == NULL) { 1905 yyerror("failed to get new remoteconf."); 1906 ABORT_AND_RACOON_FREE($2); 1907 } 1908 1909 new->remote = $2; 1910 delrmconf(cur_rmconf); 1911 cur_rmconf = new; 1912 } 1913 remote_specs_block 1914 ; 1915 1916 remote_specs_inherit_block 1917 : remote_specs_block 1918 | EOS /* inheritance without overriding any settings */ 1919 { 1920 if (process_rmconf() != 0) 1921 ABORT(); 1922 } 1923 ; 1924 1925 remote_specs_block 1926 : BOC remote_specs EOC 1927 { 1928 if (process_rmconf() != 0) 1929 ABORT(); 1930 } 1931 ; 1932 1933 remote_index 1934 : ANONYMOUS ike_port 1935 { 1936 $$ = newsaddr(sizeof(struct sockaddr)); 1937 $$->sa_family = AF_UNSPEC; 1938 ((struct sockaddr_in *)$$)->sin_port = htons($2); 1939 } 1940 | ike_addrinfo_port 1941 { 1942 $$ = $1; 1943 if ($$ == NULL) { 1944 yyerror("failed to allocate sockaddr\n"); 1945 ABORT(); 1946 } 1947 } 1948 ; 1949 remote_specs 1950 : /* nothing */ 1951 | remote_specs remote_spec 1952 ; 1953 remote_spec 1954 : REMOTE_ADDRESS ike_addrinfo_port 1955 { 1956 if (cur_rmconf->remote != NULL) { 1957 yyerror("remote_address already specified\n"); 1958 ABORT_AND_RACOON_FREE($2); 1959 } 1960 1961 cur_rmconf->remote = $2; 1962 } 1963 EOS 1964 | EXCHANGE_MODE 1965 { 1966 cur_rmconf->etypes = NULL; 1967 } 1968 exchange_types EOS 1969 | DOI DOITYPE { cur_rmconf->doitype = $2; } EOS 1970 | SITUATION SITUATIONTYPE { cur_rmconf->sittype = $2; } EOS 1971 | CERTIFICATE_TYPE cert_spec 1972 | PEERS_CERTFILE QUOTEDSTRING 1973 { 1974 yywarn("This directive without certtype will be removed!\n"); 1975 yywarn("Please use 'peers_certfile x509 \"%s\";' instead\n", $2->v); 1976 1977 if (cur_rmconf->peerscert != NULL) { 1978 yyerror("peers_certfile already defined\n"); 1979 ABORT_AND_VFREE($2); 1980 } 1981 1982 if (load_x509($2->v, &cur_rmconf->peerscertfile, 1983 &cur_rmconf->peerscert)) { 1984 yyerror("failed to load certificate \"%s\"\n", 1985 $2->v); 1986 ABORT_AND_VFREE($2); 1987 } 1988 1989 vfree($2); 1990 } 1991 EOS 1992 | PEERS_CERTFILE CERT_X509 QUOTEDSTRING 1993 { 1994 if (cur_rmconf->peerscert != NULL) { 1995 yyerror("peers_certfile already defined\n"); 1996 ABORT_AND_VFREE($3); 1997 } 1998 1999 if (load_x509($3->v, &cur_rmconf->peerscertfile, 2000 &cur_rmconf->peerscert)) { 2001 yyerror("failed to load certificate \"%s\"\n", 2002 $3->v); 2003 ABORT_AND_VFREE($3); 2004 } 2005 vfree($3); 2006 } 2007 EOS 2008 | PEERS_CERTFILE CERT_PLAINRSA QUOTEDSTRING 2009 { 2010 char path[MAXPATHLEN]; 2011 int ret = 0; 2012 2013 if (cur_rmconf->peerscert != NULL) { 2014 yyerror("peers_certfile already defined\n"); 2015 ABORT_AND_VFREE($3); 2016 } 2017 2018 cur_rmconf->peerscert = vmalloc(1); 2019 if (cur_rmconf->peerscert == NULL) { 2020 yyerror("failed to allocate peerscert\n"); 2021 ABORT_AND_VFREE($3); 2022 } 2023 2024 cur_rmconf->peerscert->v[0] = ISAKMP_CERT_PLAINRSA; 2025 2026 getpathname(path, sizeof(path), 2027 LC_PATHTYPE_CERT, $3->v); 2028 if (rsa_parse_file(cur_rmconf->rsa_public, path, 2029 RSA_TYPE_PUBLIC)) { 2030 yyerror("Couldn't parse keyfile.\n", path); 2031 ABORT_AND_VFREE2(cur_rmconf->peerscert, $3); 2032 } 2033 2034 plog(LLV_DEBUG, LOCATION, NULL, 2035 "Public PlainRSA keyfile parsed: %s\n", path); 2036 2037 vfree($3); 2038 } 2039 EOS 2040 | PEERS_CERTFILE DNSSEC 2041 { 2042 if (cur_rmconf->peerscert != NULL) { 2043 yyerror("peers_certfile already defined\n"); 2044 ABORT(); 2045 } 2046 2047 cur_rmconf->peerscert = vmalloc(1); 2048 if (cur_rmconf->peerscert == NULL) { 2049 yyerror("failed to allocate peerscert\n"); 2050 ABORT(); 2051 } 2052 2053 cur_rmconf->peerscert->v[0] = ISAKMP_CERT_DNS; 2054 } 2055 EOS 2056 | CA_TYPE CERT_X509 QUOTEDSTRING 2057 { 2058 if (cur_rmconf->cacert != NULL) { 2059 yyerror("ca_type already defined\n"); 2060 ABORT_AND_VFREE($3); 2061 } 2062 2063 if (load_x509($3->v, &cur_rmconf->cacertfile, 2064 &cur_rmconf->cacert)) { 2065 yyerror("failed to load certificate \"%s\"\n", 2066 $3->v); 2067 ABORT_AND_VFREE($3); 2068 } 2069 2070 vfree($3); 2071 } 2072 EOS 2073 | VERIFY_CERT SWITCH { cur_rmconf->verify_cert = $2; } EOS 2074 | SEND_CERT SWITCH { cur_rmconf->send_cert = $2; } EOS 2075 | SEND_CR SWITCH { cur_rmconf->send_cr = $2; } EOS 2076 | MATCH_EMPTY_CR SWITCH { cur_rmconf->match_empty_cr = $2; } EOS 2077 | MY_IDENTIFIER IDENTIFIERTYPE identifierstring 2078 { 2079 if (set_identifier(&cur_rmconf->idv, $2, $3) != 0) { 2080 yyerror("failed to set identifer.\n"); 2081 ABORT_AND_VFREE($3); 2082 } 2083 2084 cur_rmconf->idvtype = $2; 2085 vfree($3); 2086 } 2087 EOS 2088 | MY_IDENTIFIER IDENTIFIERTYPE IDENTIFIERQUAL identifierstring 2089 { 2090 if (set_identifier_qual(&cur_rmconf->idv, $2, $4, $3) != 0) { 2091 yyerror("failed to set identifer.\n"); 2092 ABORT_AND_VFREE($4); 2093 } 2094 2095 cur_rmconf->idvtype = $2; 2096 vfree($4); 2097 } 2098 EOS 2099 | XAUTH_LOGIN identifierstring 2100 { 2101 #ifdef ENABLE_HYBRID 2102 /* formerly identifier type login */ 2103 if (xauth_rmconf_used(&cur_rmconf->xauth) == -1) { 2104 yyerror("failed to allocate xauth state\n"); 2105 ABORT_AND_VFREE($2); 2106 } 2107 2108 if ((cur_rmconf->xauth->login = vdup($2)) == NULL) { 2109 yyerror("failed to set identifer\n"); 2110 ABORT_AND_VFREE($2); 2111 } 2112 2113 #else 2114 yywarn(error_message_hybrid_config_not_configured); 2115 #endif 2116 vfree($2); 2117 } 2118 EOS 2119 | PEERS_IDENTIFIER IDENTIFIERTYPE identifierstring 2120 { 2121 struct idspec *idspec = NULL; 2122 vchar_t* id = NULL; 2123 if (set_identifier(&id, $2, $3) != 0) { 2124 yyerror("failed to set identifer\n"); 2125 ABORT_AND_VFREE2(id, $3); 2126 } 2127 2128 if ((idspec = newidspec()) == NULL) { 2129 yyerror("failed to allocate idspec\n"); 2130 ABORT_AND_VFREE2(id, $3); 2131 } 2132 2133 idspec->id = id; /* hand over id to idspec. */ 2134 idspec->idtype = $2; 2135 genlist_append (cur_rmconf->idvl_p, idspec); 2136 vfree($3); 2137 } 2138 EOS 2139 | PEERS_IDENTIFIER IDENTIFIERTYPE IDENTIFIERQUAL identifierstring 2140 { 2141 struct idspec *idspec = NULL; 2142 { 2143 vchar_t* id = NULL; 2144 if (set_identifier_qual(&id, $2, $4, $3) != 0) { 2145 yyerror("failed to set identifer\n"); 2146 ABORT_AND_VFREE2(id, $4); 2147 } 2148 2149 if ((idspec = newidspec()) == NULL) { 2150 yyerror("failed to allocate idspec\n"); 2151 ABORT_AND_VFREE2(id, $4); 2152 } 2153 2154 idspec->id = id; /* hand over id to idspec. */ 2155 } 2156 idspec->idtype = $2; 2157 genlist_append (cur_rmconf->idvl_p, idspec); 2158 2159 vfree($4); 2160 } 2161 EOS 2162 | VERIFY_IDENTIFIER SWITCH { cur_rmconf->verify_identifier = $2; } EOS 2163 | NONCE_SIZE NUMBER { cur_rmconf->nonce_size = $2; } EOS 2164 | DH_GROUP 2165 { 2166 yyerror("dh_group cannot be defined here\n"); 2167 ABORT(); 2168 } 2169 dh_group_num EOS 2170 | PASSIVE SWITCH { cur_rmconf->passive = $2; } EOS 2171 | IKE_FRAG SWITCH { cur_rmconf->ike_frag = $2; } EOS 2172 | IKE_FRAG REMOTE_FORCE_LEVEL { cur_rmconf->ike_frag = ISAKMP_FRAG_FORCE; } EOS 2173 | ESP_FRAG NUMBER { 2174 #ifdef SADB_X_EXT_NAT_T_FRAG 2175 if (libipsec_opt & LIBIPSEC_OPT_FRAG) 2176 cur_rmconf->esp_frag = $2; 2177 else 2178 yywarn("libipsec lacks IKE frag support\n"); 2179 #else 2180 yywarn("Your kernel does not support esp_frag\n"); 2181 #endif 2182 } EOS 2183 | SCRIPT QUOTEDSTRING PHASE1_UP { 2184 if (cur_rmconf->script[SCRIPT_PHASE1_UP] != NULL) 2185 vfree(cur_rmconf->script[SCRIPT_PHASE1_UP]); 2186 2187 cur_rmconf->script[SCRIPT_PHASE1_UP] = 2188 script_path_add(vdup($2)); 2189 2190 vfree($2); 2191 } EOS 2192 | SCRIPT QUOTEDSTRING PHASE1_DOWN { 2193 if (cur_rmconf->script[SCRIPT_PHASE1_DOWN] != NULL) 2194 vfree(cur_rmconf->script[SCRIPT_PHASE1_DOWN]); 2195 2196 cur_rmconf->script[SCRIPT_PHASE1_DOWN] = 2197 script_path_add(vdup($2)); 2198 2199 vfree($2); 2200 } EOS 2201 | SCRIPT QUOTEDSTRING PHASE1_DEAD { 2202 if (cur_rmconf->script[SCRIPT_PHASE1_DEAD] != NULL) 2203 vfree(cur_rmconf->script[SCRIPT_PHASE1_DEAD]); 2204 2205 cur_rmconf->script[SCRIPT_PHASE1_DEAD] = 2206 script_path_add(vdup($2)); 2207 2208 vfree($2); 2209 } EOS 2210 | MODE_CFG SWITCH { cur_rmconf->mode_cfg = $2; } EOS 2211 | WEAK_PHASE1_CHECK SWITCH { 2212 cur_rmconf->weak_phase1_check = $2; 2213 } EOS 2214 | GENERATE_POLICY SWITCH { cur_rmconf->gen_policy = $2; } EOS 2215 | GENERATE_POLICY GENERATE_LEVEL { cur_rmconf->gen_policy = $2; } EOS 2216 | SUPPORT_PROXY SWITCH { cur_rmconf->support_proxy = $2; } EOS 2217 | INITIAL_CONTACT SWITCH { cur_rmconf->ini_contact = $2; } EOS 2218 | NAT_TRAVERSAL SWITCH 2219 { 2220 #ifdef ENABLE_NATT 2221 if (libipsec_opt & LIBIPSEC_OPT_NATT) 2222 cur_rmconf->nat_traversal = $2; 2223 else 2224 yywarn("libipsec lacks NAT-T support\n"); 2225 #else 2226 yywarn(error_message_natt_not_compiled_in); 2227 #endif 2228 } EOS 2229 | NAT_TRAVERSAL REMOTE_FORCE_LEVEL 2230 { 2231 #ifdef ENABLE_NATT 2232 if (libipsec_opt & LIBIPSEC_OPT_NATT) 2233 cur_rmconf->nat_traversal = NATT_FORCE; 2234 else 2235 yyerror("libipsec lacks NAT-T support"); 2236 #else 2237 yywarn(error_message_natt_not_compiled_in); 2238 #endif 2239 } EOS 2240 | DPD SWITCH 2241 { 2242 #ifdef ENABLE_DPD 2243 cur_rmconf->dpd = $2; 2244 #else 2245 yywarn(error_message_dpd_not_compiled_in); 2246 #endif 2247 } EOS 2248 | DPD_DELAY NUMBER 2249 { 2250 #ifdef ENABLE_DPD 2251 cur_rmconf->dpd_interval = $2; 2252 #else 2253 yywarn(error_message_dpd_not_compiled_in); 2254 #endif 2255 } 2256 EOS 2257 | DPD_RETRY NUMBER 2258 { 2259 #ifdef ENABLE_DPD 2260 cur_rmconf->dpd_retry = $2; 2261 #else 2262 yywarn(error_message_dpd_not_compiled_in); 2263 #endif 2264 } 2265 EOS 2266 | DPD_MAXFAIL NUMBER 2267 { 2268 #ifdef ENABLE_DPD 2269 cur_rmconf->dpd_maxfails = $2; 2270 #else 2271 yywarn(error_message_dpd_not_compiled_in); 2272 #endif 2273 } 2274 EOS 2275 | REKEY SWITCH { cur_rmconf->rekey = $2; } EOS 2276 | REKEY REMOTE_FORCE_LEVEL { cur_rmconf->rekey = REKEY_FORCE; } EOS 2277 | PH1ID NUMBER 2278 { 2279 cur_rmconf->ph1id = $2; 2280 } 2281 EOS 2282 | LIFETIME LIFETYPE_TIME NUMBER unittype_time 2283 { 2284 cur_rmconf->lifetime = $3 * $4; 2285 } 2286 EOS 2287 | PROPOSAL_CHECK PROPOSAL_CHECK_LEVEL { cur_rmconf->pcheck_level = $2; } EOS 2288 | LIFETIME LIFETYPE_BYTE NUMBER unittype_byte 2289 { 2290 #if 1 2291 yyerror("byte lifetime support is deprecated in Phase1"); 2292 return -1; 2293 #else 2294 yywarn("the lifetime of bytes in phase 1 " 2295 "will be ignored at the moment."); 2296 cur_rmconf->lifebyte = fix_lifebyte($3 * $4); 2297 if (cur_rmconf->lifebyte == 0) 2298 ABORT(); 2299 #endif 2300 } 2301 EOS 2302 | PROPOSAL 2303 { 2304 struct secprotospec *spspec = newspspec(); 2305 if (spspec == NULL) 2306 ABORT(); 2307 2308 insspspec(cur_rmconf, spspec); 2309 } 2310 BOC isakmpproposal_specs EOC 2311 ; 2312 exchange_types 2313 : /* nothing */ 2314 | exchange_types EXCHANGETYPE 2315 { 2316 struct etypes *new = racoon_malloc(sizeof(struct etypes)); 2317 if (new == NULL) { 2318 yyerror("failed to allocate etypes"); 2319 ABORT(); 2320 } 2321 2322 new->next = NULL; new->type = $2; 2323 if (cur_rmconf->etypes == NULL) 2324 cur_rmconf->etypes = new; 2325 else { 2326 struct etypes *p; 2327 for (p = cur_rmconf->etypes; 2328 p->next != NULL; 2329 p = p->next) 2330 ; 2331 p->next = new; 2332 } 2333 } 2334 ; 2335 cert_spec 2336 : CERT_X509 QUOTEDSTRING QUOTEDSTRING 2337 { 2338 if (cur_rmconf->mycert != NULL) { 2339 yyerror("certificate_type already defined\n"); 2340 ABORT_AND_VFREE2($2, $3); 2341 } 2342 2343 if (load_x509($2->v, &cur_rmconf->mycertfile, 2344 &cur_rmconf->mycert)) { 2345 yyerror("failed to load certificate \"%s\"\n", 2346 $2->v); 2347 ABORT_AND_VFREE2($2, $3); 2348 } 2349 2350 cur_rmconf->myprivfile = racoon_strdup($3->v); 2351 if (!cur_rmconf->myprivfile) { 2352 yyerror("failed to allocate myprivfile\n"); 2353 ABORT_AND_VFREE2($2, $3); 2354 } 2355 2356 vfree($2); 2357 vfree($3); 2358 } 2359 EOS 2360 | CERT_PLAINRSA QUOTEDSTRING 2361 { 2362 char path[MAXPATHLEN]; 2363 int ret = 0; 2364 2365 if (cur_rmconf->mycert != NULL) { 2366 yyerror("certificate_type already defined\n"); 2367 ABORT_AND_VFREE($2); 2368 } 2369 2370 cur_rmconf->mycert = vmalloc(1); 2371 if (cur_rmconf->mycert == NULL) { 2372 yyerror("failed to allocate mycert\n"); 2373 ABORT_AND_VFREE($2); 2374 } 2375 2376 cur_rmconf->mycert->v[0] = ISAKMP_CERT_PLAINRSA; 2377 2378 getpathname(path, sizeof(path), 2379 LC_PATHTYPE_CERT, $2->v); 2380 cur_rmconf->send_cr = FALSE; 2381 cur_rmconf->send_cert = FALSE; 2382 cur_rmconf->verify_cert = FALSE; 2383 if (rsa_parse_file(cur_rmconf->rsa_private, path, 2384 RSA_TYPE_PRIVATE)) { 2385 yyerror("Couldn't parse keyfile %s\n", path); 2386 ABORT_AND_VFREE($2); 2387 } 2388 2389 plog(LLV_DEBUG, LOCATION, NULL, 2390 "Private PlainRSA keyfile parsed: %s\n", path); 2391 vfree($2); 2392 } 2393 EOS 2394 ; 2395 dh_group_num 2396 : ALGORITHMTYPE 2397 { 2398 $$ = algtype2doi(algclass_isakmp_dh, $1); 2399 if ($$ == -1) { 2400 yyerror("must be DH group\n"); 2401 ABORT(); 2402 } 2403 } 2404 | NUMBER 2405 { 2406 if (ARRAYLEN(num2dhgroup) > $1 && num2dhgroup[$1] != 0) { 2407 $$ = num2dhgroup[$1]; 2408 } else { 2409 $$ = 0; 2410 yyerror("must be DH group\n"); 2411 ABORT(); 2412 } 2413 } 2414 ; 2415 identifierstring 2416 : /* nothing */ { $$ = NULL; } 2417 | ADDRSTRING { $$ = $1; } 2418 | QUOTEDSTRING { $$ = $1; } 2419 ; 2420 isakmpproposal_specs 2421 : /* nothing */ 2422 | isakmpproposal_specs isakmpproposal_spec 2423 ; 2424 isakmpproposal_spec 2425 : LIFETIME LIFETYPE_TIME NUMBER unittype_time 2426 { 2427 cur_rmconf->spspec->lifetime = $3 * $4; 2428 } 2429 EOS 2430 | LIFETIME LIFETYPE_BYTE NUMBER unittype_byte 2431 { 2432 #if 1 2433 yyerror("byte lifetime support is deprecated\n"); 2434 ABORT(); 2435 #else 2436 cur_rmconf->spspec->lifebyte = fix_lifebyte($3 * $4); 2437 if (cur_rmconf->spspec->lifebyte == 0) 2438 ABORT(); 2439 #endif 2440 } 2441 EOS 2442 | DH_GROUP dh_group_num 2443 { 2444 cur_rmconf->spspec->algclass[algclass_isakmp_dh] = $2; 2445 } 2446 EOS 2447 | GSS_ID QUOTEDSTRING 2448 { 2449 if (cur_rmconf->spspec->vendorid != VENDORID_GSSAPI) { 2450 yyerror("wrong Vendor ID for gssapi_id\n"); 2451 ABORT_AND_VFREE($2); 2452 } 2453 2454 if (cur_rmconf->spspec->gssid != NULL) 2455 racoon_free(cur_rmconf->spspec->gssid); 2456 cur_rmconf->spspec->gssid = 2457 racoon_strdup($2->v); 2458 if (!cur_rmconf->spspec->gssid) { 2459 yyerror("failed to allocate gssid\n"); 2460 ABORT_AND_VFREE($2); 2461 } 2462 } 2463 EOS 2464 | ALGORITHM_CLASS ALGORITHMTYPE keylength 2465 { 2466 int doi; 2467 int defklen; 2468 2469 doi = algtype2doi($1, $2); 2470 if (doi == -1) { 2471 yyerror("algorithm mismatched 1\n"); 2472 ABORT(); 2473 } 2474 2475 switch ($1) { 2476 case algclass_isakmp_enc: 2477 /* reject suppressed algorithms */ 2478 #ifndef HAVE_OPENSSL_RC5_H 2479 if ($2 == algtype_rc5) { 2480 yyerror("algorithm %s not supported\n", 2481 s_attr_isakmp_enc(doi)); 2482 ABORT(); 2483 } 2484 #endif 2485 #ifndef HAVE_OPENSSL_IDEA_H 2486 if ($2 == algtype_idea) { 2487 yyerror("algorithm %s not supported\n", 2488 s_attr_isakmp_enc(doi)); 2489 ABORT(); 2490 } 2491 #endif 2492 2493 cur_rmconf->spspec->algclass[algclass_isakmp_enc] = doi; 2494 defklen = default_keylen($1, $2); 2495 if (defklen == 0) { 2496 if ($3) { 2497 yyerror("keylen not allowed\n"); 2498 ABORT(); 2499 } 2500 } else { 2501 if ($3 && check_keylen($1, $2, $3) < 0) { 2502 yyerror("invalid keylen %d\n", $3); 2503 ABORT(); 2504 } 2505 } 2506 if ($3) 2507 cur_rmconf->spspec->encklen = $3; 2508 else 2509 cur_rmconf->spspec->encklen = defklen; 2510 break; 2511 case algclass_isakmp_hash: 2512 cur_rmconf->spspec->algclass[algclass_isakmp_hash] = doi; 2513 break; 2514 case algclass_isakmp_ameth: 2515 cur_rmconf->spspec->algclass[algclass_isakmp_ameth] = doi; 2516 /* 2517 * We may have to set the Vendor ID for the 2518 * authentication method we're using. 2519 */ 2520 switch ($2) { 2521 case algtype_gssapikrb: 2522 if (cur_rmconf->spspec->vendorid != 2523 VENDORID_UNKNOWN) { 2524 yyerror("Vendor ID mismatch for auth method\n"); 2525 ABORT(); 2526 } 2527 /* 2528 * For interoperability with Win2k, 2529 * we set the Vendor ID to "GSSAPI". 2530 */ 2531 cur_rmconf->spspec->vendorid = 2532 VENDORID_GSSAPI; 2533 break; 2534 case algtype_rsasig: 2535 if (oakley_get_certtype(cur_rmconf->peerscert) == ISAKMP_CERT_PLAINRSA) { 2536 if (rsa_list_count(cur_rmconf->rsa_private) == 0) { 2537 yyerror ("Private PlainRSA key not set." 2538 "Use directive 'certificate_type plainrsa ...'\n"); 2539 ABORT(); 2540 } 2541 2542 if (rsa_list_count(cur_rmconf->rsa_public) == 0) { 2543 yyerror ("Public PlainRSA keys not set." 2544 "Use directive 'peers_certfile plainrsa ...'\n"); 2545 ABORT(); 2546 } 2547 } 2548 break; 2549 default: 2550 break; 2551 } 2552 break; 2553 default: 2554 yyerror("algorithm mismatched 2\n"); 2555 ABORT(); 2556 } 2557 } 2558 EOS 2559 ; 2560 2561 unittype_time 2562 : UNITTYPE_SEC { $$ = 1; } 2563 | UNITTYPE_MIN { $$ = 60; } 2564 | UNITTYPE_HOUR { $$ = (60 * 60); } 2565 ; 2566 unittype_byte 2567 : UNITTYPE_BYTE { $$ = 1; } 2568 | UNITTYPE_KBYTES { $$ = 1024; } 2569 | UNITTYPE_MBYTES { $$ = (1024 * 1024); } 2570 | UNITTYPE_TBYTES { $$ = (1024 * 1024 * 1024); } 2571 ; 2572 %% 2573 2574 static struct secprotospec * 2575 newspspec() 2576 { 2577 struct secprotospec *new; 2578 2579 new = racoon_calloc(1, sizeof(*new)); 2580 if (new == NULL) { 2581 yyerror("failed to allocate spproto"); 2582 return NULL; 2583 } 2584 2585 new->encklen = 0; /*XXX*/ 2586 2587 /* 2588 * Default to "uknown" vendor -- we will override this 2589 * as necessary. When we send a Vendor ID payload, an 2590 * "unknown" will be translated to a KAME/racoon ID. 2591 */ 2592 new->vendorid = VENDORID_UNKNOWN; 2593 2594 return new; 2595 } 2596 2597 /* 2598 * insert into head of list. 2599 */ 2600 static void 2601 insspspec(rmconf, spspec) 2602 struct remoteconf *rmconf; 2603 struct secprotospec *spspec; 2604 { 2605 if (rmconf->spspec != NULL) 2606 rmconf->spspec->prev = spspec; 2607 spspec->next = rmconf->spspec; 2608 rmconf->spspec = spspec; 2609 } 2610 2611 static struct secprotospec * 2612 dupspspec(spspec) 2613 struct secprotospec *spspec; 2614 { 2615 struct secprotospec *new; 2616 2617 new = newspspec(); 2618 if (new == NULL) { 2619 plog(LLV_ERROR, LOCATION, NULL, 2620 "dupspspec: malloc failed\n"); 2621 return NULL; 2622 } 2623 memcpy(new, spspec, sizeof(*new)); 2624 2625 if (spspec->gssid) { 2626 new->gssid = racoon_strdup(spspec->gssid); 2627 STRDUP_FATAL(new->gssid); 2628 } 2629 if (spspec->remote) { 2630 new->remote = racoon_malloc(sizeof(*new->remote)); 2631 if (new->remote == NULL) { 2632 plog(LLV_ERROR, LOCATION, NULL, 2633 "dupspspec: malloc failed (remote)\n"); 2634 return NULL; 2635 } 2636 memcpy(new->remote, spspec->remote, sizeof(*new->remote)); 2637 } 2638 2639 return new; 2640 } 2641 2642 /* 2643 * copy the whole list 2644 */ 2645 void 2646 dupspspec_list(dst, src) 2647 struct remoteconf *dst, *src; 2648 { 2649 struct secprotospec *p, *new, *last; 2650 2651 for(p = src->spspec, last = NULL; p; p = p->next, last = new) { 2652 new = dupspspec(p); 2653 if (new == NULL) 2654 exit(1); 2655 2656 new->prev = last; 2657 new->next = NULL; /* not necessary but clean */ 2658 2659 if (last) 2660 last->next = new; 2661 else /* first element */ 2662 dst->spspec = new; 2663 2664 } 2665 } 2666 2667 /* 2668 * delete the whole list 2669 */ 2670 void 2671 flushspspec(rmconf) 2672 struct remoteconf *rmconf; 2673 { 2674 struct secprotospec *p; 2675 2676 while(rmconf->spspec != NULL) { 2677 p = rmconf->spspec; 2678 rmconf->spspec = p->next; 2679 if (p->next != NULL) 2680 p->next->prev = NULL; /* not necessary but clean */ 2681 2682 if (p->gssid) 2683 racoon_free(p->gssid); 2684 if (p->remote) 2685 racoon_free(p->remote); 2686 racoon_free(p); 2687 } 2688 rmconf->spspec = NULL; 2689 } 2690 2691 /* set final acceptable proposal */ 2692 static int 2693 set_isakmp_proposal(rmconf) 2694 struct remoteconf *rmconf; 2695 { 2696 struct secprotospec *s; 2697 int prop_no = 1; 2698 int trns_no = 1; 2699 int32_t types[MAXALGCLASS]; 2700 2701 /* mandatory check */ 2702 if (rmconf->spspec == NULL) { 2703 yyerror("no remote specification found: %s.\n", 2704 saddr2str(rmconf->remote)); 2705 return -1; 2706 } 2707 for (s = rmconf->spspec; s != NULL; s = s->next) { 2708 /* XXX need more to check */ 2709 if (s->algclass[algclass_isakmp_enc] == 0) { 2710 yyerror("encryption algorithm required."); 2711 return -1; 2712 } 2713 if (s->algclass[algclass_isakmp_hash] == 0) { 2714 yyerror("hash algorithm required."); 2715 return -1; 2716 } 2717 if (s->algclass[algclass_isakmp_dh] == 0) { 2718 yyerror("DH group required."); 2719 return -1; 2720 } 2721 if (s->algclass[algclass_isakmp_ameth] == 0) { 2722 yyerror("authentication method required."); 2723 return -1; 2724 } 2725 } 2726 2727 /* skip to last part */ 2728 for (s = rmconf->spspec; s->next != NULL; s = s->next) 2729 ; 2730 2731 while (s != NULL) { 2732 plog(LLV_DEBUG2, LOCATION, NULL, 2733 "lifetime = %ld\n", (long) 2734 (s->lifetime ? s->lifetime : rmconf->lifetime)); 2735 plog(LLV_DEBUG2, LOCATION, NULL, 2736 "lifebyte = %d\n", 2737 s->lifebyte ? s->lifebyte : rmconf->lifebyte); 2738 plog(LLV_DEBUG2, LOCATION, NULL, 2739 "encklen=%d\n", s->encklen); 2740 2741 memset(types, 0, ARRAYLEN(types)); 2742 types[algclass_isakmp_enc] = s->algclass[algclass_isakmp_enc]; 2743 types[algclass_isakmp_hash] = s->algclass[algclass_isakmp_hash]; 2744 types[algclass_isakmp_dh] = s->algclass[algclass_isakmp_dh]; 2745 types[algclass_isakmp_ameth] = 2746 s->algclass[algclass_isakmp_ameth]; 2747 2748 /* expanding spspec */ 2749 clean_tmpalgtype(); 2750 trns_no = expand_isakmpspec(prop_no, trns_no, types, 2751 algclass_isakmp_enc, algclass_isakmp_ameth + 1, 2752 s->lifetime ? s->lifetime : rmconf->lifetime, 2753 s->lifebyte ? s->lifebyte : rmconf->lifebyte, 2754 s->encklen, s->vendorid, s->gssid, 2755 rmconf); 2756 if (trns_no == -1) { 2757 plog(LLV_ERROR, LOCATION, NULL, 2758 "failed to expand isakmp proposal.\n"); 2759 return -1; 2760 } 2761 2762 s = s->prev; 2763 } 2764 2765 if (rmconf->proposal == NULL) { 2766 plog(LLV_ERROR, LOCATION, NULL, 2767 "no proposal found.\n"); 2768 return -1; 2769 } 2770 2771 return 0; 2772 } 2773 2774 static void 2775 clean_tmpalgtype() 2776 { 2777 int i; 2778 for (i = 0; i < MAXALGCLASS; i++) 2779 tmpalgtype[i] = 0; /* means algorithm undefined. */ 2780 } 2781 2782 static int 2783 expand_isakmpspec(prop_no, trns_no, types, 2784 class, last, lifetime, lifebyte, encklen, vendorid, gssid, 2785 rmconf) 2786 int prop_no, trns_no; 2787 int *types, class, last; 2788 time_t lifetime; 2789 int lifebyte; 2790 int encklen; 2791 int vendorid; 2792 char *gssid; 2793 struct remoteconf *rmconf; 2794 { 2795 struct isakmpsa *new; 2796 2797 /* debugging */ 2798 { 2799 int j; 2800 char tb[10]; 2801 plog(LLV_DEBUG2, LOCATION, NULL, 2802 "p:%d t:%d\n", prop_no, trns_no); 2803 for (j = class; j < MAXALGCLASS; j++) { 2804 snprintf(tb, sizeof(tb), "%d", types[j]); 2805 plog(LLV_DEBUG2, LOCATION, NULL, 2806 "%s%s%s%s\n", 2807 s_algtype(j, types[j]), 2808 types[j] ? "(" : "", 2809 tb[0] == '0' ? "" : tb, 2810 types[j] ? ")" : ""); 2811 } 2812 plog(LLV_DEBUG2, LOCATION, NULL, "\n"); 2813 } 2814 2815 #define TMPALGTYPE2STR(n) \ 2816 s_algtype(algclass_isakmp_##n, types[algclass_isakmp_##n]) 2817 /* check mandatory values */ 2818 if (types[algclass_isakmp_enc] == 0 2819 || types[algclass_isakmp_ameth] == 0 2820 || types[algclass_isakmp_hash] == 0 2821 || types[algclass_isakmp_dh] == 0) { 2822 yyerror("few definition of algorithm " 2823 "enc=%s ameth=%s hash=%s dhgroup=%s.\n", 2824 TMPALGTYPE2STR(enc), 2825 TMPALGTYPE2STR(ameth), 2826 TMPALGTYPE2STR(hash), 2827 TMPALGTYPE2STR(dh)); 2828 return -1; 2829 } 2830 #undef TMPALGTYPE2STR 2831 2832 /* set new sa */ 2833 new = newisakmpsa(); 2834 if (new == NULL) { 2835 yyerror("failed to allocate isakmp sa"); 2836 return -1; 2837 } 2838 new->prop_no = prop_no; 2839 new->trns_no = trns_no++; 2840 new->lifetime = lifetime; 2841 new->lifebyte = lifebyte; 2842 new->enctype = types[algclass_isakmp_enc]; 2843 new->encklen = encklen; 2844 new->authmethod = types[algclass_isakmp_ameth]; 2845 new->hashtype = types[algclass_isakmp_hash]; 2846 new->dh_group = types[algclass_isakmp_dh]; 2847 new->vendorid = vendorid; 2848 #ifdef HAVE_GSSAPI 2849 if (new->authmethod == OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB) { 2850 if (gssid != NULL) { 2851 if ((new->gssid = vmalloc(strlen(gssid))) == NULL) { 2852 racoon_free(new); 2853 yyerror("failed to allocate gssid"); 2854 return -1; 2855 } 2856 memcpy(new->gssid->v, gssid, new->gssid->l); 2857 racoon_free(gssid); 2858 } else { 2859 /* 2860 * Allocate the default ID so that it gets put 2861 * into a GSS ID attribute during the Phase 1 2862 * exchange. 2863 */ 2864 new->gssid = gssapi_get_default_gss_id(); 2865 } 2866 } 2867 #endif 2868 insisakmpsa(new, rmconf); 2869 2870 return trns_no; 2871 } 2872 2873 #if 0 2874 /* 2875 * fix lifebyte. 2876 * Must be more than 1024B because its unit is kilobytes. 2877 * That is defined RFC2407. 2878 */ 2879 static int 2880 fix_lifebyte(t) 2881 unsigned long t; 2882 { 2883 if (t < 1024) { 2884 yyerror("byte size should be more than 1024B."); 2885 return 0; 2886 } 2887 2888 return(t / 1024); 2889 } 2890 #endif 2891 2892 int 2893 cfparse() 2894 { 2895 int error; 2896 2897 yyerrorcount = 0; 2898 yycf_init_buffer(); 2899 2900 if (yycf_switch_buffer(lcconf->racoon_conf) != 0) { 2901 plog(LLV_ERROR, LOCATION, NULL, 2902 "could not read configuration file \"%s\"\n", 2903 lcconf->racoon_conf); 2904 return -1; 2905 } 2906 2907 error = yyparse(); 2908 if (error != 0) { 2909 if (yyerrorcount) { 2910 plog(LLV_ERROR, LOCATION, NULL, 2911 "fatal parse failure (%d errors)\n", 2912 yyerrorcount); 2913 } else { 2914 plog(LLV_ERROR, LOCATION, NULL, 2915 "fatal parse failure.\n"); 2916 } 2917 return -1; 2918 } 2919 2920 if (error == 0 && yyerrorcount) { 2921 plog(LLV_ERROR, LOCATION, NULL, 2922 "parse error is nothing, but yyerrorcount is %d.\n", 2923 yyerrorcount); 2924 exit(1); 2925 } 2926 2927 yycf_clean_buffer(); 2928 2929 plog(LLV_DEBUG2, LOCATION, NULL, "parse successed.\n"); 2930 2931 return 0; 2932 } 2933 2934 int 2935 cfreparse() 2936 { 2937 flushph2(); 2938 flushph1(); 2939 flushrmconf(); 2940 flushsainfo(); 2941 clean_tmpalgtype(); 2942 return(cfparse()); 2943 } 2944 2945 #ifdef ENABLE_ADMINPORT 2946 static void 2947 adminsock_conf(path, owner, group, mode_dec) 2948 vchar_t *path; 2949 vchar_t *owner; 2950 vchar_t *group; 2951 int mode_dec; 2952 { 2953 struct passwd *pw = NULL; 2954 struct group *gr = NULL; 2955 mode_t mode = 0; 2956 uid_t uid; 2957 gid_t gid; 2958 int isnum; 2959 2960 adminsock_path = path->v; 2961 2962 if (owner == NULL) 2963 return; 2964 2965 errno = 0; 2966 uid = atoi(owner->v); 2967 isnum = !errno; 2968 if (((pw = getpwnam(owner->v)) == NULL) && !isnum) 2969 yywarn("User \"%s\" does not exist\n", owner->v); 2970 2971 if (pw) 2972 adminsock_owner = pw->pw_uid; 2973 else 2974 adminsock_owner = uid; 2975 2976 if (group == NULL) 2977 return; 2978 2979 errno = 0; 2980 gid = atoi(group->v); 2981 isnum = !errno; 2982 if (((gr = getgrnam(group->v)) == NULL) && !isnum) 2983 yywarn("Group \"%s\" does not exist\n", group->v); 2984 2985 if (gr) 2986 adminsock_group = gr->gr_gid; 2987 else 2988 adminsock_group = gid; 2989 2990 if (mode_dec == -1) 2991 return; 2992 2993 if (mode_dec > 777) 2994 yywarn("Mode 0%03o is invalid\n", mode_dec); 2995 2996 if (mode_dec >= 400) { mode += 0400; mode_dec -= 400; } 2997 if (mode_dec >= 200) { mode += 0200; mode_dec -= 200; } 2998 if (mode_dec >= 100) { mode += 0200; mode_dec -= 100; } 2999 3000 if (mode_dec > 77) 3001 yywarn("Mode 0%03o is invalid\n", mode_dec); 3002 3003 if (mode_dec >= 40) { mode += 040; mode_dec -= 40; } 3004 if (mode_dec >= 20) { mode += 020; mode_dec -= 20; } 3005 if (mode_dec >= 10) { mode += 020; mode_dec -= 10; } 3006 3007 if (mode_dec > 7) 3008 yywarn("Mode 0%03o is invalid\n", mode_dec); 3009 3010 if (mode_dec >= 4) { mode += 04; mode_dec -= 4; } 3011 if (mode_dec >= 2) { mode += 02; mode_dec -= 2; } 3012 if (mode_dec >= 1) { mode += 02; mode_dec -= 1; } 3013 3014 adminsock_mode = mode; 3015 3016 return; 3017 } 3018 #endif 3019