1 /* $NetBSD: cfparse.y,v 1.25 2008/03/05 22:27:50 mgrooms Exp $ */ 2 3 /* Id: cfparse.y,v 1.66 2006/08/22 18:17:17 manubsd Exp */ 4 5 %{ 6 /* 7 * Copyright (C) 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002 and 2003 WIDE Project. 8 * All rights reserved. 9 * 10 * Redistribution and use in source and binary forms, with or without 11 * modification, are permitted provided that the following conditions 12 * are met: 13 * 1. Redistributions of source code must retain the above copyright 14 * notice, this list of conditions and the following disclaimer. 15 * 2. Redistributions in binary form must reproduce the above copyright 16 * notice, this list of conditions and the following disclaimer in the 17 * documentation and/or other materials provided with the distribution. 18 * 3. Neither the name of the project nor the names of its contributors 19 * may be used to endorse or promote products derived from this software 20 * without specific prior written permission. 21 * 22 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND 23 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 24 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 25 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE 26 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 27 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 28 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 29 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 30 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 31 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 32 * SUCH DAMAGE. 33 */ 34 35 #include "config.h" 36 37 #include <sys/types.h> 38 #include <sys/param.h> 39 #include <sys/queue.h> 40 #include <sys/socket.h> 41 42 #include <netinet/in.h> 43 #include PATH_IPSEC_H 44 45 #ifdef ENABLE_HYBRID 46 #include <arpa/inet.h> 47 #endif 48 49 #include <stdlib.h> 50 #include <stdio.h> 51 #include <string.h> 52 #include <errno.h> 53 #include <netdb.h> 54 #include <pwd.h> 55 #include <grp.h> 56 57 #include "var.h" 58 #include "misc.h" 59 #include "vmbuf.h" 60 #include "plog.h" 61 #include "sockmisc.h" 62 #include "str2val.h" 63 #include "genlist.h" 64 #include "debug.h" 65 66 #include "admin.h" 67 #include "privsep.h" 68 #include "cfparse_proto.h" 69 #include "cftoken_proto.h" 70 #include "algorithm.h" 71 #include "localconf.h" 72 #include "policy.h" 73 #include "sainfo.h" 74 #include "oakley.h" 75 #include "pfkey.h" 76 #include "remoteconf.h" 77 #include "grabmyaddr.h" 78 #include "isakmp_var.h" 79 #include "handler.h" 80 #include "isakmp.h" 81 #include "nattraversal.h" 82 #include "isakmp_frag.h" 83 #ifdef ENABLE_HYBRID 84 #include "resolv.h" 85 #include "isakmp_unity.h" 86 #include "isakmp_xauth.h" 87 #include "isakmp_cfg.h" 88 #endif 89 #include "ipsec_doi.h" 90 #include "strnames.h" 91 #include "gcmalloc.h" 92 #ifdef HAVE_GSSAPI 93 #include "gssapi.h" 94 #endif 95 #include "vendorid.h" 96 #include "rsalist.h" 97 98 struct proposalspec { 99 time_t lifetime; /* for isakmp/ipsec */ 100 int lifebyte; /* for isakmp/ipsec */ 101 struct secprotospec *spspec; /* the head is always current spec. */ 102 struct proposalspec *next; /* the tail is the most prefered. */ 103 struct proposalspec *prev; 104 }; 105 106 struct secprotospec { 107 int prop_no; 108 int trns_no; 109 int strength; /* for isakmp/ipsec */ 110 int encklen; /* for isakmp/ipsec */ 111 time_t lifetime; /* for isakmp */ 112 int lifebyte; /* for isakmp */ 113 int proto_id; /* for ipsec (isakmp?) */ 114 int ipsec_level; /* for ipsec */ 115 int encmode; /* for ipsec */ 116 int vendorid; /* for isakmp */ 117 char *gssid; 118 struct sockaddr *remote; 119 int algclass[MAXALGCLASS]; 120 121 struct secprotospec *next; /* the tail is the most prefiered. */ 122 struct secprotospec *prev; 123 struct proposalspec *back; 124 }; 125 126 static int num2dhgroup[] = { 127 0, 128 OAKLEY_ATTR_GRP_DESC_MODP768, 129 OAKLEY_ATTR_GRP_DESC_MODP1024, 130 OAKLEY_ATTR_GRP_DESC_EC2N155, 131 OAKLEY_ATTR_GRP_DESC_EC2N185, 132 OAKLEY_ATTR_GRP_DESC_MODP1536, 133 0, 134 0, 135 0, 136 0, 137 0, 138 0, 139 0, 140 0, 141 OAKLEY_ATTR_GRP_DESC_MODP2048, 142 OAKLEY_ATTR_GRP_DESC_MODP3072, 143 OAKLEY_ATTR_GRP_DESC_MODP4096, 144 OAKLEY_ATTR_GRP_DESC_MODP6144, 145 OAKLEY_ATTR_GRP_DESC_MODP8192 146 }; 147 148 static struct remoteconf *cur_rmconf; 149 static int tmpalgtype[MAXALGCLASS]; 150 static struct sainfo *cur_sainfo; 151 static int cur_algclass; 152 static int oldloglevel = LLV_BASE; 153 154 static struct proposalspec *newprspec __P((void)); 155 static void insprspec __P((struct proposalspec *, struct proposalspec **)); 156 static struct secprotospec *newspspec __P((void)); 157 static void insspspec __P((struct secprotospec *, struct proposalspec **)); 158 static void adminsock_conf __P((vchar_t *, vchar_t *, vchar_t *, int)); 159 160 static int set_isakmp_proposal 161 __P((struct remoteconf *, struct proposalspec *)); 162 static void clean_tmpalgtype __P((void)); 163 static int expand_isakmpspec __P((int, int, int *, 164 int, int, time_t, int, int, int, char *, struct remoteconf *)); 165 static int listen_addr __P((struct sockaddr *addr, int udp_encap)); 166 167 void freeetypes (struct etypes **etypes); 168 169 #if 0 170 static int fix_lifebyte __P((u_long)); 171 #endif 172 %} 173 174 %union { 175 unsigned long num; 176 vchar_t *val; 177 struct remoteconf *rmconf; 178 struct sockaddr *saddr; 179 struct sainfoalg *alg; 180 } 181 182 /* privsep */ 183 %token PRIVSEP USER GROUP CHROOT 184 /* path */ 185 %token PATH PATHTYPE 186 /* include */ 187 %token INCLUDE 188 /* self information */ 189 %token IDENTIFIER VENDORID 190 /* logging */ 191 %token LOGGING LOGLEV 192 /* padding */ 193 %token PADDING PAD_RANDOMIZE PAD_RANDOMIZELEN PAD_MAXLEN PAD_STRICT PAD_EXCLTAIL 194 /* listen */ 195 %token LISTEN X_ISAKMP X_ISAKMP_NATT X_ADMIN STRICT_ADDRESS ADMINSOCK DISABLED 196 /* ldap config */ 197 %token LDAPCFG LDAP_HOST LDAP_PORT LDAP_PVER LDAP_BASE LDAP_BIND_DN LDAP_BIND_PW LDAP_SUBTREE 198 %token LDAP_ATTR_USER LDAP_ATTR_ADDR LDAP_ATTR_MASK LDAP_ATTR_GROUP LDAP_ATTR_MEMBER 199 /* modecfg */ 200 %token MODECFG CFG_NET4 CFG_MASK4 CFG_DNS4 CFG_NBNS4 CFG_DEFAULT_DOMAIN 201 %token CFG_AUTH_SOURCE CFG_AUTH_GROUPS CFG_SYSTEM CFG_RADIUS CFG_PAM CFG_LDAP CFG_LOCAL CFG_NONE 202 %token CFG_GROUP_SOURCE CFG_ACCOUNTING CFG_CONF_SOURCE CFG_MOTD CFG_POOL_SIZE CFG_AUTH_THROTTLE 203 %token CFG_SPLIT_NETWORK CFG_SPLIT_LOCAL CFG_SPLIT_INCLUDE CFG_SPLIT_DNS 204 %token CFG_PFS_GROUP CFG_SAVE_PASSWD 205 206 /* timer */ 207 %token RETRY RETRY_COUNTER RETRY_INTERVAL RETRY_PERSEND 208 %token RETRY_PHASE1 RETRY_PHASE2 NATT_KA 209 /* algorithm */ 210 %token ALGORITHM_CLASS ALGORITHMTYPE STRENGTHTYPE 211 /* sainfo */ 212 %token SAINFO FROM 213 /* remote */ 214 %token REMOTE ANONYMOUS CLIENTADDR INHERIT 215 %token EXCHANGE_MODE EXCHANGETYPE DOI DOITYPE SITUATION SITUATIONTYPE 216 %token CERTIFICATE_TYPE CERTTYPE PEERS_CERTFILE CA_TYPE 217 %token VERIFY_CERT SEND_CERT SEND_CR 218 %token IDENTIFIERTYPE IDENTIFIERQUAL MY_IDENTIFIER 219 %token PEERS_IDENTIFIER VERIFY_IDENTIFIER 220 %token DNSSEC CERT_X509 CERT_PLAINRSA 221 %token NONCE_SIZE DH_GROUP KEEPALIVE PASSIVE INITIAL_CONTACT 222 %token NAT_TRAVERSAL REMOTE_FORCE_LEVEL 223 %token PROPOSAL_CHECK PROPOSAL_CHECK_LEVEL 224 %token GENERATE_POLICY GENERATE_LEVEL SUPPORT_PROXY 225 %token PROPOSAL 226 %token EXEC_PATH EXEC_COMMAND EXEC_SUCCESS EXEC_FAILURE 227 %token GSS_ID GSS_ID_ENC GSS_ID_ENCTYPE 228 %token COMPLEX_BUNDLE 229 %token DPD DPD_DELAY DPD_RETRY DPD_MAXFAIL 230 %token PH1ID 231 %token XAUTH_LOGIN WEAK_PHASE1_CHECK 232 233 %token PREFIX PORT PORTANY UL_PROTO ANY IKE_FRAG ESP_FRAG MODE_CFG 234 %token PFS_GROUP LIFETIME LIFETYPE_TIME LIFETYPE_BYTE STRENGTH REMOTEID 235 236 %token SCRIPT PHASE1_UP PHASE1_DOWN 237 238 %token NUMBER SWITCH BOOLEAN 239 %token HEXSTRING QUOTEDSTRING ADDRSTRING ADDRRANGE 240 %token UNITTYPE_BYTE UNITTYPE_KBYTES UNITTYPE_MBYTES UNITTYPE_TBYTES 241 %token UNITTYPE_SEC UNITTYPE_MIN UNITTYPE_HOUR 242 %token EOS BOC EOC COMMA 243 244 %type <num> NUMBER BOOLEAN SWITCH keylength 245 %type <num> PATHTYPE IDENTIFIERTYPE IDENTIFIERQUAL LOGLEV GSS_ID_ENCTYPE 246 %type <num> ALGORITHM_CLASS dh_group_num 247 %type <num> ALGORITHMTYPE STRENGTHTYPE 248 %type <num> PREFIX prefix PORT port ike_port 249 %type <num> ul_proto UL_PROTO 250 %type <num> EXCHANGETYPE DOITYPE SITUATIONTYPE 251 %type <num> CERTTYPE CERT_X509 CERT_PLAINRSA PROPOSAL_CHECK_LEVEL REMOTE_FORCE_LEVEL GENERATE_LEVEL 252 %type <num> unittype_time unittype_byte 253 %type <val> QUOTEDSTRING HEXSTRING ADDRSTRING ADDRRANGE sainfo_id 254 %type <val> identifierstring 255 %type <saddr> remote_index ike_addrinfo_port 256 %type <alg> algorithm 257 258 %% 259 260 statements 261 : /* nothing */ 262 | statements statement 263 ; 264 statement 265 : privsep_statement 266 | path_statement 267 | include_statement 268 | gssenc_statement 269 | identifier_statement 270 | logging_statement 271 | padding_statement 272 | listen_statement 273 | ldapcfg_statement 274 | modecfg_statement 275 | timer_statement 276 | sainfo_statement 277 | remote_statement 278 | special_statement 279 ; 280 281 /* privsep */ 282 privsep_statement 283 : PRIVSEP BOC privsep_stmts EOC 284 ; 285 privsep_stmts 286 : /* nothing */ 287 | privsep_stmts privsep_stmt 288 ; 289 privsep_stmt 290 : USER QUOTEDSTRING 291 { 292 struct passwd *pw; 293 294 if ((pw = getpwnam($2->v)) == NULL) { 295 yyerror("unknown user \"%s\"", $2->v); 296 return -1; 297 } 298 lcconf->uid = pw->pw_uid; 299 } 300 EOS 301 | USER NUMBER { lcconf->uid = $2; } EOS 302 | GROUP QUOTEDSTRING 303 { 304 struct group *gr; 305 306 if ((gr = getgrnam($2->v)) == NULL) { 307 yyerror("unknown group \"%s\"", $2->v); 308 return -1; 309 } 310 lcconf->gid = gr->gr_gid; 311 } 312 EOS 313 | GROUP NUMBER { lcconf->gid = $2; } EOS 314 | CHROOT QUOTEDSTRING { lcconf->chroot = $2->v; } EOS 315 ; 316 317 /* path */ 318 path_statement 319 : PATH PATHTYPE QUOTEDSTRING 320 { 321 if ($2 >= LC_PATHTYPE_MAX) { 322 yyerror("invalid path type %d", $2); 323 return -1; 324 } 325 326 /* free old pathinfo */ 327 if (lcconf->pathinfo[$2]) 328 racoon_free(lcconf->pathinfo[$2]); 329 330 /* set new pathinfo */ 331 lcconf->pathinfo[$2] = racoon_strdup($3->v); 332 STRDUP_FATAL(lcconf->pathinfo[$2]); 333 vfree($3); 334 } 335 EOS 336 ; 337 338 /* special */ 339 special_statement 340 : COMPLEX_BUNDLE SWITCH { lcconf->complex_bundle = $2; } EOS 341 ; 342 343 /* include */ 344 include_statement 345 : INCLUDE QUOTEDSTRING EOS 346 { 347 char path[MAXPATHLEN]; 348 349 getpathname(path, sizeof(path), 350 LC_PATHTYPE_INCLUDE, $2->v); 351 vfree($2); 352 if (yycf_switch_buffer(path) != 0) 353 return -1; 354 } 355 ; 356 357 /* gss_id_enc */ 358 gssenc_statement 359 : GSS_ID_ENC GSS_ID_ENCTYPE EOS 360 { 361 if ($2 >= LC_GSSENC_MAX) { 362 yyerror("invalid GSS ID encoding %d", $2); 363 return -1; 364 } 365 lcconf->gss_id_enc = $2; 366 } 367 ; 368 369 /* self information */ 370 identifier_statement 371 : IDENTIFIER identifier_stmt 372 ; 373 identifier_stmt 374 : VENDORID 375 { 376 /*XXX to be deleted */ 377 } 378 QUOTEDSTRING EOS 379 | IDENTIFIERTYPE QUOTEDSTRING 380 { 381 /*XXX to be deleted */ 382 $2->l--; /* nuke '\0' */ 383 lcconf->ident[$1] = $2; 384 if (lcconf->ident[$1] == NULL) { 385 yyerror("failed to set my ident: %s", 386 strerror(errno)); 387 return -1; 388 } 389 } 390 EOS 391 ; 392 393 /* logging */ 394 logging_statement 395 : LOGGING log_level EOS 396 ; 397 log_level 398 : HEXSTRING 399 { 400 /* 401 * XXX ignore it because this specification 402 * will be obsoleted. 403 */ 404 yywarn("see racoon.conf(5), such a log specification will be obsoleted."); 405 vfree($1); 406 } 407 | LOGLEV 408 { 409 /* 410 * set the loglevel to the value specified 411 * in the configuration file plus the number 412 * of -d options specified on the command line 413 */ 414 loglevel += $1 - oldloglevel; 415 oldloglevel = $1; 416 } 417 ; 418 419 /* padding */ 420 padding_statement 421 : PADDING BOC padding_stmts EOC 422 ; 423 padding_stmts 424 : /* nothing */ 425 | padding_stmts padding_stmt 426 ; 427 padding_stmt 428 : PAD_RANDOMIZE SWITCH { lcconf->pad_random = $2; } EOS 429 | PAD_RANDOMIZELEN SWITCH { lcconf->pad_randomlen = $2; } EOS 430 | PAD_MAXLEN NUMBER { lcconf->pad_maxsize = $2; } EOS 431 | PAD_STRICT SWITCH { lcconf->pad_strict = $2; } EOS 432 | PAD_EXCLTAIL SWITCH { lcconf->pad_excltail = $2; } EOS 433 ; 434 435 /* listen */ 436 listen_statement 437 : LISTEN BOC listen_stmts EOC 438 ; 439 listen_stmts 440 : /* nothing */ 441 | listen_stmts listen_stmt 442 ; 443 listen_stmt 444 : X_ISAKMP ike_addrinfo_port 445 { 446 listen_addr ($2, 0); 447 } 448 EOS 449 | X_ISAKMP_NATT ike_addrinfo_port 450 { 451 #ifdef ENABLE_NATT 452 listen_addr ($2, 1); 453 #else 454 yyerror("NAT-T support not compiled in."); 455 #endif 456 } 457 EOS 458 | X_ADMIN 459 { 460 yyerror("admin directive is obsoleted."); 461 } 462 PORT EOS 463 | ADMINSOCK QUOTEDSTRING QUOTEDSTRING QUOTEDSTRING NUMBER 464 { 465 #ifdef ENABLE_ADMINPORT 466 adminsock_conf($2, $3, $4, $5); 467 #else 468 yywarn("admin port support not compiled in"); 469 #endif 470 } 471 EOS 472 | ADMINSOCK QUOTEDSTRING 473 { 474 #ifdef ENABLE_ADMINPORT 475 adminsock_conf($2, NULL, NULL, -1); 476 #else 477 yywarn("admin port support not compiled in"); 478 #endif 479 } 480 EOS 481 | ADMINSOCK DISABLED 482 { 483 #ifdef ENABLE_ADMINPORT 484 adminsock_path = NULL; 485 #else 486 yywarn("admin port support not compiled in"); 487 #endif 488 } 489 EOS 490 | STRICT_ADDRESS { lcconf->strict_address = TRUE; } EOS 491 ; 492 ike_addrinfo_port 493 : ADDRSTRING ike_port 494 { 495 char portbuf[10]; 496 497 snprintf(portbuf, sizeof(portbuf), "%ld", $2); 498 $$ = str2saddr($1->v, portbuf); 499 vfree($1); 500 if (!$$) 501 return -1; 502 } 503 ; 504 ike_port 505 : /* nothing */ { $$ = PORT_ISAKMP; } 506 | PORT { $$ = $1; } 507 ; 508 509 /* ldap configuration */ 510 ldapcfg_statement 511 : LDAPCFG { 512 #ifndef ENABLE_HYBRID 513 yyerror("racoon not configured with --enable-hybrid"); 514 return -1; 515 #endif 516 #ifndef HAVE_LIBLDAP 517 yyerror("racoon not configured with --with-libldap"); 518 return -1; 519 #endif 520 } BOC ldapcfg_stmts EOC 521 ; 522 ldapcfg_stmts 523 : /* nothing */ 524 | ldapcfg_stmts ldapcfg_stmt 525 ; 526 ldapcfg_stmt 527 : LDAP_PVER NUMBER 528 { 529 #ifdef ENABLE_HYBRID 530 #ifdef HAVE_LIBLDAP 531 if (($2<2)||($2>3)) 532 yyerror("invalid ldap protocol version (2|3)"); 533 xauth_ldap_config.pver = $2; 534 #endif 535 #endif 536 } 537 EOS 538 | LDAP_HOST QUOTEDSTRING 539 { 540 #ifdef ENABLE_HYBRID 541 #ifdef HAVE_LIBLDAP 542 if (xauth_ldap_config.host != NULL) 543 vfree(xauth_ldap_config.host); 544 xauth_ldap_config.host = vdup($2); 545 #endif 546 #endif 547 } 548 EOS 549 | LDAP_PORT NUMBER 550 { 551 #ifdef ENABLE_HYBRID 552 #ifdef HAVE_LIBLDAP 553 xauth_ldap_config.port = $2; 554 #endif 555 #endif 556 } 557 EOS 558 | LDAP_BASE QUOTEDSTRING 559 { 560 #ifdef ENABLE_HYBRID 561 #ifdef HAVE_LIBLDAP 562 if (xauth_ldap_config.base != NULL) 563 vfree(xauth_ldap_config.base); 564 xauth_ldap_config.base = vdup($2); 565 #endif 566 #endif 567 } 568 EOS 569 | LDAP_SUBTREE SWITCH 570 { 571 #ifdef ENABLE_HYBRID 572 #ifdef HAVE_LIBLDAP 573 xauth_ldap_config.subtree = $2; 574 #endif 575 #endif 576 } 577 EOS 578 | LDAP_BIND_DN QUOTEDSTRING 579 { 580 #ifdef ENABLE_HYBRID 581 #ifdef HAVE_LIBLDAP 582 if (xauth_ldap_config.bind_dn != NULL) 583 vfree(xauth_ldap_config.bind_dn); 584 xauth_ldap_config.bind_dn = vdup($2); 585 #endif 586 #endif 587 } 588 EOS 589 | LDAP_BIND_PW QUOTEDSTRING 590 { 591 #ifdef ENABLE_HYBRID 592 #ifdef HAVE_LIBLDAP 593 if (xauth_ldap_config.bind_pw != NULL) 594 vfree(xauth_ldap_config.bind_pw); 595 xauth_ldap_config.bind_pw = vdup($2); 596 #endif 597 #endif 598 } 599 EOS 600 | LDAP_ATTR_USER QUOTEDSTRING 601 { 602 #ifdef ENABLE_HYBRID 603 #ifdef HAVE_LIBLDAP 604 if (xauth_ldap_config.attr_user != NULL) 605 vfree(xauth_ldap_config.attr_user); 606 xauth_ldap_config.attr_user = vdup($2); 607 #endif 608 #endif 609 } 610 EOS 611 | LDAP_ATTR_ADDR QUOTEDSTRING 612 { 613 #ifdef ENABLE_HYBRID 614 #ifdef HAVE_LIBLDAP 615 if (xauth_ldap_config.attr_addr != NULL) 616 vfree(xauth_ldap_config.attr_addr); 617 xauth_ldap_config.attr_addr = vdup($2); 618 #endif 619 #endif 620 } 621 EOS 622 | LDAP_ATTR_MASK QUOTEDSTRING 623 { 624 #ifdef ENABLE_HYBRID 625 #ifdef HAVE_LIBLDAP 626 if (xauth_ldap_config.attr_mask != NULL) 627 vfree(xauth_ldap_config.attr_mask); 628 xauth_ldap_config.attr_mask = vdup($2); 629 #endif 630 #endif 631 } 632 EOS 633 | LDAP_ATTR_GROUP QUOTEDSTRING 634 { 635 #ifdef ENABLE_HYBRID 636 #ifdef HAVE_LIBLDAP 637 if (xauth_ldap_config.attr_group != NULL) 638 vfree(xauth_ldap_config.attr_group); 639 xauth_ldap_config.attr_group = vdup($2); 640 #endif 641 #endif 642 } 643 EOS 644 | LDAP_ATTR_MEMBER QUOTEDSTRING 645 { 646 #ifdef ENABLE_HYBRID 647 #ifdef HAVE_LIBLDAP 648 if (xauth_ldap_config.attr_member != NULL) 649 vfree(xauth_ldap_config.attr_member); 650 xauth_ldap_config.attr_member = vdup($2); 651 #endif 652 #endif 653 } 654 EOS 655 ; 656 657 /* modecfg */ 658 modecfg_statement 659 : MODECFG BOC modecfg_stmts EOC 660 ; 661 modecfg_stmts 662 : /* nothing */ 663 | modecfg_stmts modecfg_stmt 664 ; 665 modecfg_stmt 666 : CFG_NET4 ADDRSTRING 667 { 668 #ifdef ENABLE_HYBRID 669 if (inet_pton(AF_INET, $2->v, 670 &isakmp_cfg_config.network4) != 1) 671 yyerror("bad IPv4 network address."); 672 #else 673 yyerror("racoon not configured with --enable-hybrid"); 674 #endif 675 } 676 EOS 677 | CFG_MASK4 ADDRSTRING 678 { 679 #ifdef ENABLE_HYBRID 680 if (inet_pton(AF_INET, $2->v, 681 &isakmp_cfg_config.netmask4) != 1) 682 yyerror("bad IPv4 netmask address."); 683 #else 684 yyerror("racoon not configured with --enable-hybrid"); 685 #endif 686 } 687 EOS 688 | CFG_DNS4 addrdnslist 689 EOS 690 | CFG_NBNS4 addrwinslist 691 EOS 692 | CFG_SPLIT_NETWORK CFG_SPLIT_LOCAL splitnetlist 693 { 694 #ifdef ENABLE_HYBRID 695 isakmp_cfg_config.splitnet_type = UNITY_LOCAL_LAN; 696 #else 697 yyerror("racoon not configured with --enable-hybrid"); 698 #endif 699 } 700 EOS 701 | CFG_SPLIT_NETWORK CFG_SPLIT_INCLUDE splitnetlist 702 { 703 #ifdef ENABLE_HYBRID 704 isakmp_cfg_config.splitnet_type = UNITY_SPLIT_INCLUDE; 705 #else 706 yyerror("racoon not configured with --enable-hybrid"); 707 #endif 708 } 709 EOS 710 | CFG_SPLIT_DNS splitdnslist 711 { 712 #ifndef ENABLE_HYBRID 713 yyerror("racoon not configured with --enable-hybrid"); 714 #endif 715 } 716 EOS 717 | CFG_DEFAULT_DOMAIN QUOTEDSTRING 718 { 719 #ifdef ENABLE_HYBRID 720 strncpy(&isakmp_cfg_config.default_domain[0], 721 $2->v, MAXPATHLEN); 722 isakmp_cfg_config.default_domain[MAXPATHLEN] = '\0'; 723 vfree($2); 724 #else 725 yyerror("racoon not configured with --enable-hybrid"); 726 #endif 727 } 728 EOS 729 | CFG_AUTH_SOURCE CFG_SYSTEM 730 { 731 #ifdef ENABLE_HYBRID 732 isakmp_cfg_config.authsource = ISAKMP_CFG_AUTH_SYSTEM; 733 #else 734 yyerror("racoon not configured with --enable-hybrid"); 735 #endif 736 } 737 EOS 738 | CFG_AUTH_SOURCE CFG_RADIUS 739 { 740 #ifdef ENABLE_HYBRID 741 #ifdef HAVE_LIBRADIUS 742 isakmp_cfg_config.authsource = ISAKMP_CFG_AUTH_RADIUS; 743 #else /* HAVE_LIBRADIUS */ 744 yyerror("racoon not configured with --with-libradius"); 745 #endif /* HAVE_LIBRADIUS */ 746 #else /* ENABLE_HYBRID */ 747 yyerror("racoon not configured with --enable-hybrid"); 748 #endif /* ENABLE_HYBRID */ 749 } 750 EOS 751 | CFG_AUTH_SOURCE CFG_PAM 752 { 753 #ifdef ENABLE_HYBRID 754 #ifdef HAVE_LIBPAM 755 isakmp_cfg_config.authsource = ISAKMP_CFG_AUTH_PAM; 756 #else /* HAVE_LIBPAM */ 757 yyerror("racoon not configured with --with-libpam"); 758 #endif /* HAVE_LIBPAM */ 759 #else /* ENABLE_HYBRID */ 760 yyerror("racoon not configured with --enable-hybrid"); 761 #endif /* ENABLE_HYBRID */ 762 } 763 EOS 764 | CFG_AUTH_SOURCE CFG_LDAP 765 { 766 #ifdef ENABLE_HYBRID 767 #ifdef HAVE_LIBLDAP 768 isakmp_cfg_config.authsource = ISAKMP_CFG_AUTH_LDAP; 769 #else /* HAVE_LIBLDAP */ 770 yyerror("racoon not configured with --with-libldap"); 771 #endif /* HAVE_LIBLDAP */ 772 #else /* ENABLE_HYBRID */ 773 yyerror("racoon not configured with --enable-hybrid"); 774 #endif /* ENABLE_HYBRID */ 775 } 776 EOS 777 | CFG_AUTH_GROUPS authgrouplist 778 { 779 #ifndef ENABLE_HYBRID 780 yyerror("racoon not configured with --enable-hybrid"); 781 #endif 782 } 783 EOS 784 | CFG_GROUP_SOURCE CFG_SYSTEM 785 { 786 #ifdef ENABLE_HYBRID 787 isakmp_cfg_config.groupsource = ISAKMP_CFG_GROUP_SYSTEM; 788 #else 789 yyerror("racoon not configured with --enable-hybrid"); 790 #endif 791 } 792 EOS 793 | CFG_GROUP_SOURCE CFG_LDAP 794 { 795 #ifdef ENABLE_HYBRID 796 #ifdef HAVE_LIBLDAP 797 isakmp_cfg_config.groupsource = ISAKMP_CFG_GROUP_LDAP; 798 #else /* HAVE_LIBLDAP */ 799 yyerror("racoon not configured with --with-libldap"); 800 #endif /* HAVE_LIBLDAP */ 801 #else /* ENABLE_HYBRID */ 802 yyerror("racoon not configured with --enable-hybrid"); 803 #endif /* ENABLE_HYBRID */ 804 } 805 EOS 806 | CFG_ACCOUNTING CFG_NONE 807 { 808 #ifdef ENABLE_HYBRID 809 isakmp_cfg_config.accounting = ISAKMP_CFG_ACCT_NONE; 810 #else 811 yyerror("racoon not configured with --enable-hybrid"); 812 #endif 813 } 814 EOS 815 | CFG_ACCOUNTING CFG_SYSTEM 816 { 817 #ifdef ENABLE_HYBRID 818 isakmp_cfg_config.accounting = ISAKMP_CFG_ACCT_SYSTEM; 819 #else 820 yyerror("racoon not configured with --enable-hybrid"); 821 #endif 822 } 823 EOS 824 | CFG_ACCOUNTING CFG_RADIUS 825 { 826 #ifdef ENABLE_HYBRID 827 #ifdef HAVE_LIBRADIUS 828 isakmp_cfg_config.accounting = ISAKMP_CFG_ACCT_RADIUS; 829 #else /* HAVE_LIBRADIUS */ 830 yyerror("racoon not configured with --with-libradius"); 831 #endif /* HAVE_LIBRADIUS */ 832 #else /* ENABLE_HYBRID */ 833 yyerror("racoon not configured with --enable-hybrid"); 834 #endif /* ENABLE_HYBRID */ 835 } 836 EOS 837 | CFG_ACCOUNTING CFG_PAM 838 { 839 #ifdef ENABLE_HYBRID 840 #ifdef HAVE_LIBPAM 841 isakmp_cfg_config.accounting = ISAKMP_CFG_ACCT_PAM; 842 #else /* HAVE_LIBPAM */ 843 yyerror("racoon not configured with --with-libpam"); 844 #endif /* HAVE_LIBPAM */ 845 #else /* ENABLE_HYBRID */ 846 yyerror("racoon not configured with --enable-hybrid"); 847 #endif /* ENABLE_HYBRID */ 848 } 849 EOS 850 | CFG_POOL_SIZE NUMBER 851 { 852 #ifdef ENABLE_HYBRID 853 if (isakmp_cfg_resize_pool($2) != 0) 854 yyerror("cannot allocate memory for pool"); 855 #else /* ENABLE_HYBRID */ 856 yyerror("racoon not configured with --enable-hybrid"); 857 #endif /* ENABLE_HYBRID */ 858 } 859 EOS 860 | CFG_PFS_GROUP NUMBER 861 { 862 #ifdef ENABLE_HYBRID 863 isakmp_cfg_config.pfs_group = $2; 864 #else /* ENABLE_HYBRID */ 865 yyerror("racoon not configured with --enable-hybrid"); 866 #endif /* ENABLE_HYBRID */ 867 } 868 EOS 869 | CFG_SAVE_PASSWD SWITCH 870 { 871 #ifdef ENABLE_HYBRID 872 isakmp_cfg_config.save_passwd = $2; 873 #else /* ENABLE_HYBRID */ 874 yyerror("racoon not configured with --enable-hybrid"); 875 #endif /* ENABLE_HYBRID */ 876 } 877 EOS 878 | CFG_AUTH_THROTTLE NUMBER 879 { 880 #ifdef ENABLE_HYBRID 881 isakmp_cfg_config.auth_throttle = $2; 882 #else /* ENABLE_HYBRID */ 883 yyerror("racoon not configured with --enable-hybrid"); 884 #endif /* ENABLE_HYBRID */ 885 } 886 EOS 887 | CFG_CONF_SOURCE CFG_LOCAL 888 { 889 #ifdef ENABLE_HYBRID 890 isakmp_cfg_config.confsource = ISAKMP_CFG_CONF_LOCAL; 891 #else /* ENABLE_HYBRID */ 892 yyerror("racoon not configured with --enable-hybrid"); 893 #endif /* ENABLE_HYBRID */ 894 } 895 EOS 896 | CFG_CONF_SOURCE CFG_RADIUS 897 { 898 #ifdef ENABLE_HYBRID 899 #ifdef HAVE_LIBRADIUS 900 isakmp_cfg_config.confsource = ISAKMP_CFG_CONF_RADIUS; 901 #else /* HAVE_LIBRADIUS */ 902 yyerror("racoon not configured with --with-libradius"); 903 #endif /* HAVE_LIBRADIUS */ 904 #else /* ENABLE_HYBRID */ 905 yyerror("racoon not configured with --enable-hybrid"); 906 #endif /* ENABLE_HYBRID */ 907 } 908 EOS 909 | CFG_CONF_SOURCE CFG_LDAP 910 { 911 #ifdef ENABLE_HYBRID 912 #ifdef HAVE_LIBLDAP 913 isakmp_cfg_config.confsource = ISAKMP_CFG_CONF_LDAP; 914 #else /* HAVE_LIBLDAP */ 915 yyerror("racoon not configured with --with-libldap"); 916 #endif /* HAVE_LIBLDAP */ 917 #else /* ENABLE_HYBRID */ 918 yyerror("racoon not configured with --enable-hybrid"); 919 #endif /* ENABLE_HYBRID */ 920 } 921 EOS 922 | CFG_MOTD QUOTEDSTRING 923 { 924 #ifdef ENABLE_HYBRID 925 strncpy(&isakmp_cfg_config.motd[0], $2->v, MAXPATHLEN); 926 isakmp_cfg_config.motd[MAXPATHLEN] = '\0'; 927 vfree($2); 928 #else 929 yyerror("racoon not configured with --enable-hybrid"); 930 #endif 931 } 932 EOS 933 ; 934 935 addrdnslist 936 : addrdns 937 | addrdns COMMA addrdnslist 938 ; 939 addrdns 940 : ADDRSTRING 941 { 942 #ifdef ENABLE_HYBRID 943 struct isakmp_cfg_config *icc = &isakmp_cfg_config; 944 945 if (icc->dns4_index > MAXNS) 946 yyerror("No more than %d DNS", MAXNS); 947 if (inet_pton(AF_INET, $1->v, 948 &icc->dns4[icc->dns4_index++]) != 1) 949 yyerror("bad IPv4 DNS address."); 950 #else 951 yyerror("racoon not configured with --enable-hybrid"); 952 #endif 953 } 954 ; 955 956 addrwinslist 957 : addrwins 958 | addrwins COMMA addrwinslist 959 ; 960 addrwins 961 : ADDRSTRING 962 { 963 #ifdef ENABLE_HYBRID 964 struct isakmp_cfg_config *icc = &isakmp_cfg_config; 965 966 if (icc->nbns4_index > MAXWINS) 967 yyerror("No more than %d WINS", MAXWINS); 968 if (inet_pton(AF_INET, $1->v, 969 &icc->nbns4[icc->nbns4_index++]) != 1) 970 yyerror("bad IPv4 WINS address."); 971 #else 972 yyerror("racoon not configured with --enable-hybrid"); 973 #endif 974 } 975 ; 976 977 splitnetlist 978 : splitnet 979 | splitnetlist COMMA splitnet 980 ; 981 splitnet 982 : ADDRSTRING PREFIX 983 { 984 #ifdef ENABLE_HYBRID 985 struct isakmp_cfg_config *icc = &isakmp_cfg_config; 986 struct unity_network network; 987 memset(&network,0,sizeof(network)); 988 989 if (inet_pton(AF_INET, $1->v, &network.addr4) != 1) 990 yyerror("bad IPv4 SPLIT address."); 991 992 /* Turn $2 (the prefix) into a subnet mask */ 993 network.mask4.s_addr = ($2) ? htonl(~((1 << (32 - $2)) - 1)) : 0; 994 995 /* add the network to our list */ 996 if (splitnet_list_add(&icc->splitnet_list, &network,&icc->splitnet_count)) 997 yyerror("Unable to allocate split network"); 998 #else 999 yyerror("racoon not configured with --enable-hybrid"); 1000 #endif 1001 } 1002 ; 1003 1004 authgrouplist 1005 : authgroup 1006 | authgroup COMMA authgrouplist 1007 ; 1008 authgroup 1009 : QUOTEDSTRING 1010 { 1011 #ifdef ENABLE_HYBRID 1012 char * groupname = NULL; 1013 char ** grouplist = NULL; 1014 struct isakmp_cfg_config *icc = &isakmp_cfg_config; 1015 1016 grouplist = racoon_realloc(icc->grouplist, 1017 sizeof(char**)*(icc->groupcount+1)); 1018 if (grouplist == NULL) { 1019 yyerror("unable to allocate auth group list"); 1020 return -1; 1021 } 1022 1023 groupname = racoon_malloc($1->l+1); 1024 if (groupname == NULL) { 1025 yyerror("unable to allocate auth group name"); 1026 return -1; 1027 } 1028 1029 memcpy(groupname,$1->v,$1->l); 1030 groupname[$1->l]=0; 1031 grouplist[icc->groupcount]=groupname; 1032 icc->grouplist = grouplist; 1033 icc->groupcount++; 1034 1035 vfree($1); 1036 #else 1037 yyerror("racoon not configured with --enable-hybrid"); 1038 #endif 1039 } 1040 ; 1041 1042 splitdnslist 1043 : splitdns 1044 | splitdns COMMA splitdnslist 1045 ; 1046 splitdns 1047 : QUOTEDSTRING 1048 { 1049 #ifdef ENABLE_HYBRID 1050 struct isakmp_cfg_config *icc = &isakmp_cfg_config; 1051 1052 if (!icc->splitdns_len) 1053 { 1054 icc->splitdns_list = racoon_malloc($1->l); 1055 if(icc->splitdns_list == NULL) { 1056 yyerror("error allocating splitdns list buffer"); 1057 return -1; 1058 } 1059 memcpy(icc->splitdns_list,$1->v,$1->l); 1060 icc->splitdns_len = $1->l; 1061 } 1062 else 1063 { 1064 int len = icc->splitdns_len + $1->l + 1; 1065 icc->splitdns_list = racoon_realloc(icc->splitdns_list,len); 1066 if(icc->splitdns_list == NULL) { 1067 yyerror("error allocating splitdns list buffer"); 1068 return -1; 1069 } 1070 icc->splitdns_list[icc->splitdns_len] = ','; 1071 memcpy(icc->splitdns_list + icc->splitdns_len + 1, $1->v, $1->l); 1072 icc->splitdns_len = len; 1073 } 1074 vfree($1); 1075 #else 1076 yyerror("racoon not configured with --enable-hybrid"); 1077 #endif 1078 } 1079 ; 1080 1081 1082 /* timer */ 1083 timer_statement 1084 : RETRY BOC timer_stmts EOC 1085 ; 1086 timer_stmts 1087 : /* nothing */ 1088 | timer_stmts timer_stmt 1089 ; 1090 timer_stmt 1091 : RETRY_COUNTER NUMBER 1092 { 1093 lcconf->retry_counter = $2; 1094 } 1095 EOS 1096 | RETRY_INTERVAL NUMBER unittype_time 1097 { 1098 lcconf->retry_interval = $2 * $3; 1099 } 1100 EOS 1101 | RETRY_PERSEND NUMBER 1102 { 1103 lcconf->count_persend = $2; 1104 } 1105 EOS 1106 | RETRY_PHASE1 NUMBER unittype_time 1107 { 1108 lcconf->retry_checkph1 = $2 * $3; 1109 } 1110 EOS 1111 | RETRY_PHASE2 NUMBER unittype_time 1112 { 1113 lcconf->wait_ph2complete = $2 * $3; 1114 } 1115 EOS 1116 | NATT_KA NUMBER unittype_time 1117 { 1118 #ifdef ENABLE_NATT 1119 if (libipsec_opt & LIBIPSEC_OPT_NATT) 1120 lcconf->natt_ka_interval = $2 * $3; 1121 else 1122 yyerror("libipsec lacks NAT-T support"); 1123 #else 1124 yyerror("NAT-T support not compiled in."); 1125 #endif 1126 } 1127 EOS 1128 ; 1129 1130 /* sainfo */ 1131 sainfo_statement 1132 : SAINFO 1133 { 1134 cur_sainfo = newsainfo(); 1135 if (cur_sainfo == NULL) { 1136 yyerror("failed to allocate sainfo"); 1137 return -1; 1138 } 1139 } 1140 sainfo_name sainfo_param BOC sainfo_specs 1141 { 1142 struct sainfo *check; 1143 1144 /* default */ 1145 if (cur_sainfo->algs[algclass_ipsec_enc] == 0) { 1146 yyerror("no encryption algorithm at %s", 1147 sainfo2str(cur_sainfo)); 1148 return -1; 1149 } 1150 if (cur_sainfo->algs[algclass_ipsec_auth] == 0) { 1151 yyerror("no authentication algorithm at %s", 1152 sainfo2str(cur_sainfo)); 1153 return -1; 1154 } 1155 if (cur_sainfo->algs[algclass_ipsec_comp] == 0) { 1156 yyerror("no compression algorithm at %s", 1157 sainfo2str(cur_sainfo)); 1158 return -1; 1159 } 1160 1161 /* duplicate check */ 1162 check = getsainfo(cur_sainfo->idsrc, 1163 cur_sainfo->iddst, 1164 cur_sainfo->id_i, 1165 NULL, 1166 cur_sainfo->remoteid); 1167 1168 if (check && ((check->idsrc != SAINFO_ANONYMOUS) && 1169 (cur_sainfo->idsrc != SAINFO_ANONYMOUS))) { 1170 yyerror("duplicated sainfo: %s", 1171 sainfo2str(cur_sainfo)); 1172 return -1; 1173 } 1174 1175 inssainfo(cur_sainfo); 1176 } 1177 EOC 1178 ; 1179 sainfo_name 1180 : ANONYMOUS 1181 { 1182 cur_sainfo->idsrc = SAINFO_ANONYMOUS; 1183 cur_sainfo->iddst = SAINFO_ANONYMOUS; 1184 } 1185 | ANONYMOUS CLIENTADDR 1186 { 1187 cur_sainfo->idsrc = SAINFO_ANONYMOUS; 1188 cur_sainfo->iddst = SAINFO_CLIENTADDR; 1189 } 1190 | ANONYMOUS sainfo_id 1191 { 1192 cur_sainfo->idsrc = SAINFO_ANONYMOUS; 1193 cur_sainfo->iddst = $2; 1194 } 1195 | sainfo_id ANONYMOUS 1196 { 1197 cur_sainfo->idsrc = $1; 1198 cur_sainfo->iddst = SAINFO_ANONYMOUS; 1199 } 1200 | sainfo_id CLIENTADDR 1201 { 1202 cur_sainfo->idsrc = $1; 1203 cur_sainfo->iddst = SAINFO_CLIENTADDR; 1204 } 1205 | sainfo_id sainfo_id 1206 { 1207 cur_sainfo->idsrc = $1; 1208 cur_sainfo->iddst = $2; 1209 } 1210 ; 1211 sainfo_id 1212 : IDENTIFIERTYPE ADDRSTRING prefix port ul_proto 1213 { 1214 char portbuf[10]; 1215 struct sockaddr *saddr; 1216 1217 if (($5 == IPPROTO_ICMP || $5 == IPPROTO_ICMPV6) 1218 && ($4 != IPSEC_PORT_ANY || $4 != IPSEC_PORT_ANY)) { 1219 yyerror("port number must be \"any\"."); 1220 return -1; 1221 } 1222 1223 snprintf(portbuf, sizeof(portbuf), "%lu", $4); 1224 saddr = str2saddr($2->v, portbuf); 1225 vfree($2); 1226 if (saddr == NULL) 1227 return -1; 1228 1229 switch (saddr->sa_family) { 1230 case AF_INET: 1231 if ($5 == IPPROTO_ICMPV6) { 1232 yyerror("upper layer protocol mismatched.\n"); 1233 racoon_free(saddr); 1234 return -1; 1235 } 1236 $$ = ipsecdoi_sockaddr2id(saddr, 1237 $3 == ~0 ? (sizeof(struct in_addr) << 3): $3, 1238 $5); 1239 break; 1240 #ifdef INET6 1241 case AF_INET6: 1242 if ($5 == IPPROTO_ICMP) { 1243 yyerror("upper layer protocol mismatched.\n"); 1244 racoon_free(saddr); 1245 return -1; 1246 } 1247 $$ = ipsecdoi_sockaddr2id(saddr, 1248 $3 == ~0 ? (sizeof(struct in6_addr) << 3): $3, 1249 $5); 1250 break; 1251 #endif 1252 default: 1253 yyerror("invalid family: %d", saddr->sa_family); 1254 $$ = NULL; 1255 break; 1256 } 1257 racoon_free(saddr); 1258 if ($$ == NULL) 1259 return -1; 1260 } 1261 | IDENTIFIERTYPE ADDRSTRING ADDRRANGE prefix port ul_proto 1262 { 1263 char portbuf[10]; 1264 struct sockaddr *laddr = NULL, *haddr = NULL; 1265 char *cur = NULL; 1266 1267 if (($6 == IPPROTO_ICMP || $6 == IPPROTO_ICMPV6) 1268 && ($5 != IPSEC_PORT_ANY || $5 != IPSEC_PORT_ANY)) { 1269 yyerror("port number must be \"any\"."); 1270 return -1; 1271 } 1272 1273 snprintf(portbuf, sizeof(portbuf), "%lu", $5); 1274 1275 laddr = str2saddr($2->v, portbuf); 1276 if (laddr == NULL) { 1277 return -1; 1278 } 1279 vfree($2); 1280 haddr = str2saddr($3->v, portbuf); 1281 if (haddr == NULL) { 1282 racoon_free(laddr); 1283 return -1; 1284 } 1285 vfree($3); 1286 1287 switch (laddr->sa_family) { 1288 case AF_INET: 1289 if ($6 == IPPROTO_ICMPV6) { 1290 yyerror("upper layer protocol mismatched.\n"); 1291 if (laddr) 1292 racoon_free(laddr); 1293 if (haddr) 1294 racoon_free(haddr); 1295 return -1; 1296 } 1297 $$ = ipsecdoi_sockrange2id(laddr, haddr, 1298 $6); 1299 break; 1300 #ifdef INET6 1301 case AF_INET6: 1302 if ($6 == IPPROTO_ICMP) { 1303 yyerror("upper layer protocol mismatched.\n"); 1304 if (laddr) 1305 racoon_free(laddr); 1306 if (haddr) 1307 racoon_free(haddr); 1308 return -1; 1309 } 1310 $$ = ipsecdoi_sockrange2id(laddr, haddr, 1311 $6); 1312 break; 1313 #endif 1314 default: 1315 yyerror("invalid family: %d", laddr->sa_family); 1316 $$ = NULL; 1317 break; 1318 } 1319 if (laddr) 1320 racoon_free(laddr); 1321 if (haddr) 1322 racoon_free(haddr); 1323 if ($$ == NULL) 1324 return -1; 1325 } 1326 | IDENTIFIERTYPE QUOTEDSTRING 1327 { 1328 struct ipsecdoi_id_b *id_b; 1329 1330 if ($1 == IDTYPE_ASN1DN) { 1331 yyerror("id type forbidden: %d", $1); 1332 $$ = NULL; 1333 return -1; 1334 } 1335 1336 $2->l--; 1337 1338 $$ = vmalloc(sizeof(*id_b) + $2->l); 1339 if ($$ == NULL) { 1340 yyerror("failed to allocate identifier"); 1341 return -1; 1342 } 1343 1344 id_b = (struct ipsecdoi_id_b *)$$->v; 1345 id_b->type = idtype2doi($1); 1346 1347 id_b->proto_id = 0; 1348 id_b->port = 0; 1349 1350 memcpy($$->v + sizeof(*id_b), $2->v, $2->l); 1351 } 1352 ; 1353 sainfo_param 1354 : /* nothing */ 1355 { 1356 cur_sainfo->id_i = NULL; 1357 } 1358 | FROM IDENTIFIERTYPE identifierstring 1359 { 1360 struct ipsecdoi_id_b *id_b; 1361 vchar_t *idv; 1362 1363 if (set_identifier(&idv, $2, $3) != 0) { 1364 yyerror("failed to set identifer.\n"); 1365 return -1; 1366 } 1367 cur_sainfo->id_i = vmalloc(sizeof(*id_b) + idv->l); 1368 if (cur_sainfo->id_i == NULL) { 1369 yyerror("failed to allocate identifier"); 1370 return -1; 1371 } 1372 1373 id_b = (struct ipsecdoi_id_b *)cur_sainfo->id_i->v; 1374 id_b->type = idtype2doi($2); 1375 1376 id_b->proto_id = 0; 1377 id_b->port = 0; 1378 1379 memcpy(cur_sainfo->id_i->v + sizeof(*id_b), 1380 idv->v, idv->l); 1381 vfree(idv); 1382 } 1383 | GROUP QUOTEDSTRING 1384 { 1385 #ifdef ENABLE_HYBRID 1386 if ((cur_sainfo->group = vdup($2)) == NULL) { 1387 yyerror("failed to set sainfo xauth group.\n"); 1388 return -1; 1389 } 1390 #else 1391 yyerror("racoon not configured with --enable-hybrid"); 1392 return -1; 1393 #endif 1394 } 1395 ; 1396 sainfo_specs 1397 : /* nothing */ 1398 | sainfo_specs sainfo_spec 1399 ; 1400 sainfo_spec 1401 : PFS_GROUP dh_group_num 1402 { 1403 cur_sainfo->pfs_group = $2; 1404 } 1405 EOS 1406 | REMOTEID NUMBER 1407 { 1408 cur_sainfo->remoteid = $2; 1409 } 1410 EOS 1411 | LIFETIME LIFETYPE_TIME NUMBER unittype_time 1412 { 1413 cur_sainfo->lifetime = $3 * $4; 1414 } 1415 EOS 1416 | LIFETIME LIFETYPE_BYTE NUMBER unittype_byte 1417 { 1418 #if 1 1419 yyerror("byte lifetime support is deprecated"); 1420 return -1; 1421 #else 1422 cur_sainfo->lifebyte = fix_lifebyte($3 * $4); 1423 if (cur_sainfo->lifebyte == 0) 1424 return -1; 1425 #endif 1426 } 1427 EOS 1428 | ALGORITHM_CLASS { 1429 cur_algclass = $1; 1430 } 1431 algorithms EOS 1432 | IDENTIFIER IDENTIFIERTYPE 1433 { 1434 yyerror("it's deprecated to specify a identifier in phase 2"); 1435 } 1436 EOS 1437 | MY_IDENTIFIER IDENTIFIERTYPE QUOTEDSTRING 1438 { 1439 yyerror("it's deprecated to specify a identifier in phase 2"); 1440 } 1441 EOS 1442 ; 1443 1444 algorithms 1445 : algorithm 1446 { 1447 inssainfoalg(&cur_sainfo->algs[cur_algclass], $1); 1448 } 1449 | algorithm 1450 { 1451 inssainfoalg(&cur_sainfo->algs[cur_algclass], $1); 1452 } 1453 COMMA algorithms 1454 ; 1455 algorithm 1456 : ALGORITHMTYPE keylength 1457 { 1458 int defklen; 1459 1460 $$ = newsainfoalg(); 1461 if ($$ == NULL) { 1462 yyerror("failed to get algorithm allocation"); 1463 return -1; 1464 } 1465 1466 $$->alg = algtype2doi(cur_algclass, $1); 1467 if ($$->alg == -1) { 1468 yyerror("algorithm mismatched"); 1469 racoon_free($$); 1470 $$ = NULL; 1471 return -1; 1472 } 1473 1474 defklen = default_keylen(cur_algclass, $1); 1475 if (defklen == 0) { 1476 if ($2) { 1477 yyerror("keylen not allowed"); 1478 racoon_free($$); 1479 $$ = NULL; 1480 return -1; 1481 } 1482 } else { 1483 if ($2 && check_keylen(cur_algclass, $1, $2) < 0) { 1484 yyerror("invalid keylen %d", $2); 1485 racoon_free($$); 1486 $$ = NULL; 1487 return -1; 1488 } 1489 } 1490 1491 if ($2) 1492 $$->encklen = $2; 1493 else 1494 $$->encklen = defklen; 1495 1496 /* check if it's supported algorithm by kernel */ 1497 if (!(cur_algclass == algclass_ipsec_auth && $1 == algtype_non_auth) 1498 && pk_checkalg(cur_algclass, $1, $$->encklen)) { 1499 int a = algclass2doi(cur_algclass); 1500 int b = algtype2doi(cur_algclass, $1); 1501 if (a == IPSECDOI_ATTR_AUTH) 1502 a = IPSECDOI_PROTO_IPSEC_AH; 1503 yyerror("algorithm %s not supported by the kernel (missing module?)", 1504 s_ipsecdoi_trns(a, b)); 1505 racoon_free($$); 1506 $$ = NULL; 1507 return -1; 1508 } 1509 } 1510 ; 1511 prefix 1512 : /* nothing */ { $$ = ~0; } 1513 | PREFIX { $$ = $1; } 1514 ; 1515 port 1516 : /* nothing */ { $$ = IPSEC_PORT_ANY; } 1517 | PORT { $$ = $1; } 1518 | PORTANY { $$ = IPSEC_PORT_ANY; } 1519 ; 1520 ul_proto 1521 : NUMBER { $$ = $1; } 1522 | UL_PROTO { $$ = $1; } 1523 | ANY { $$ = IPSEC_ULPROTO_ANY; } 1524 ; 1525 keylength 1526 : /* nothing */ { $$ = 0; } 1527 | NUMBER { $$ = $1; } 1528 ; 1529 1530 /* remote */ 1531 remote_statement 1532 : REMOTE remote_index INHERIT remote_index 1533 { 1534 struct remoteconf *new; 1535 struct proposalspec *prspec; 1536 1537 new = copyrmconf($4); 1538 if (new == NULL) { 1539 yyerror("failed to get remoteconf for %s.", saddr2str ($4)); 1540 return -1; 1541 } 1542 1543 new->remote = $2; 1544 new->inherited_from = getrmconf_strict($4, 1); 1545 new->proposal = NULL; 1546 new->prhead = NULL; 1547 cur_rmconf = new; 1548 1549 prspec = newprspec(); 1550 if (prspec == NULL || !cur_rmconf->inherited_from 1551 || !cur_rmconf->inherited_from->proposal) 1552 return -1; 1553 prspec->lifetime = cur_rmconf->inherited_from->proposal->lifetime; 1554 prspec->lifebyte = cur_rmconf->inherited_from->proposal->lifebyte; 1555 insprspec(prspec, &cur_rmconf->prhead); 1556 } 1557 remote_specs_block 1558 | REMOTE remote_index 1559 { 1560 struct remoteconf *new; 1561 struct proposalspec *prspec; 1562 1563 new = newrmconf(); 1564 if (new == NULL) { 1565 yyerror("failed to get new remoteconf."); 1566 return -1; 1567 } 1568 1569 new->remote = $2; 1570 cur_rmconf = new; 1571 1572 prspec = newprspec(); 1573 if (prspec == NULL) 1574 return -1; 1575 prspec->lifetime = oakley_get_defaultlifetime(); 1576 insprspec(prspec, &cur_rmconf->prhead); 1577 } 1578 remote_specs_block 1579 ; 1580 1581 remote_specs_block 1582 : BOC remote_specs EOC 1583 { 1584 /* check a exchange mode */ 1585 if (cur_rmconf->etypes == NULL) { 1586 yyerror("no exchange mode specified.\n"); 1587 return -1; 1588 } 1589 1590 if (cur_rmconf->idvtype == IDTYPE_UNDEFINED) 1591 cur_rmconf->idvtype = IDTYPE_ADDRESS; 1592 1593 1594 if (cur_rmconf->idvtype == IDTYPE_ASN1DN) { 1595 if (cur_rmconf->mycertfile) { 1596 if (cur_rmconf->idv) 1597 yywarn("Both CERT and ASN1 ID " 1598 "are set. Hope this is OK.\n"); 1599 /* TODO: Preparse the DN here */ 1600 } else if (cur_rmconf->idv) { 1601 /* OK, using asn1dn without X.509. */ 1602 } else { 1603 yyerror("ASN1 ID not specified " 1604 "and no CERT defined!\n"); 1605 return -1; 1606 } 1607 } 1608 1609 if (cur_rmconf->prhead->spspec == NULL 1610 && cur_rmconf->inherited_from 1611 && cur_rmconf->inherited_from->prhead) { 1612 cur_rmconf->prhead->spspec = cur_rmconf->inherited_from->prhead->spspec; 1613 } 1614 if (set_isakmp_proposal(cur_rmconf, cur_rmconf->prhead) != 0) 1615 return -1; 1616 1617 /* DH group settting if aggressive mode is there. */ 1618 if (check_etypeok(cur_rmconf, ISAKMP_ETYPE_AGG) != NULL) { 1619 struct isakmpsa *p; 1620 int b = 0; 1621 1622 /* DH group */ 1623 for (p = cur_rmconf->proposal; p; p = p->next) { 1624 if (b == 0 || (b && b == p->dh_group)) { 1625 b = p->dh_group; 1626 continue; 1627 } 1628 yyerror("DH group must be equal " 1629 "in all proposals " 1630 "when aggressive mode is " 1631 "used.\n"); 1632 return -1; 1633 } 1634 cur_rmconf->dh_group = b; 1635 1636 if (cur_rmconf->dh_group == 0) { 1637 yyerror("DH group must be set in the proposal.\n"); 1638 return -1; 1639 } 1640 1641 /* DH group settting if PFS is required. */ 1642 if (oakley_setdhgroup(cur_rmconf->dh_group, 1643 &cur_rmconf->dhgrp) < 0) { 1644 yyerror("failed to set DH value.\n"); 1645 return -1; 1646 } 1647 } 1648 1649 insrmconf(cur_rmconf); 1650 } 1651 ; 1652 remote_index 1653 : ANONYMOUS ike_port 1654 { 1655 $$ = newsaddr(sizeof(struct sockaddr)); 1656 $$->sa_family = AF_UNSPEC; 1657 ((struct sockaddr_in *)$$)->sin_port = htons($2); 1658 } 1659 | ike_addrinfo_port 1660 { 1661 $$ = $1; 1662 if ($$ == NULL) { 1663 yyerror("failed to allocate sockaddr"); 1664 return -1; 1665 } 1666 } 1667 ; 1668 remote_specs 1669 : /* nothing */ 1670 | remote_specs remote_spec 1671 ; 1672 remote_spec 1673 : EXCHANGE_MODE 1674 { 1675 cur_rmconf->etypes = NULL; 1676 } 1677 exchange_types EOS 1678 | DOI DOITYPE { cur_rmconf->doitype = $2; } EOS 1679 | SITUATION SITUATIONTYPE { cur_rmconf->sittype = $2; } EOS 1680 | CERTIFICATE_TYPE cert_spec 1681 | PEERS_CERTFILE QUOTEDSTRING 1682 { 1683 yywarn("This directive without certtype will be removed!\n"); 1684 yywarn("Please use 'peers_certfile x509 \"%s\";' instead\n", $2->v); 1685 cur_rmconf->getcert_method = ISAKMP_GETCERT_LOCALFILE; 1686 1687 if (cur_rmconf->peerscertfile != NULL) 1688 racoon_free(cur_rmconf->peerscertfile); 1689 cur_rmconf->peerscertfile = racoon_strdup($2->v); 1690 STRDUP_FATAL(cur_rmconf->peerscertfile); 1691 vfree($2); 1692 } 1693 EOS 1694 | CA_TYPE CERT_X509 QUOTEDSTRING 1695 { 1696 cur_rmconf->cacerttype = $2; 1697 cur_rmconf->getcacert_method = ISAKMP_GETCERT_LOCALFILE; 1698 if (cur_rmconf->cacertfile != NULL) 1699 racoon_free(cur_rmconf->cacertfile); 1700 cur_rmconf->cacertfile = racoon_strdup($3->v); 1701 STRDUP_FATAL(cur_rmconf->cacertfile); 1702 vfree($3); 1703 } 1704 EOS 1705 | PEERS_CERTFILE CERT_X509 QUOTEDSTRING 1706 { 1707 cur_rmconf->getcert_method = ISAKMP_GETCERT_LOCALFILE; 1708 if (cur_rmconf->peerscertfile != NULL) 1709 racoon_free(cur_rmconf->peerscertfile); 1710 cur_rmconf->peerscertfile = racoon_strdup($3->v); 1711 STRDUP_FATAL(cur_rmconf->peerscertfile); 1712 vfree($3); 1713 } 1714 EOS 1715 | PEERS_CERTFILE CERT_PLAINRSA QUOTEDSTRING 1716 { 1717 char path[MAXPATHLEN]; 1718 int ret = 0; 1719 1720 getpathname(path, sizeof(path), 1721 LC_PATHTYPE_CERT, $3->v); 1722 vfree($3); 1723 1724 if (cur_rmconf->getcert_method == ISAKMP_GETCERT_DNS) { 1725 yyerror("Different peers_certfile method " 1726 "already defined: %d!\n", 1727 cur_rmconf->getcert_method); 1728 return -1; 1729 } 1730 cur_rmconf->getcert_method = ISAKMP_GETCERT_LOCALFILE; 1731 if (rsa_parse_file(cur_rmconf->rsa_public, path, RSA_TYPE_PUBLIC)) { 1732 yyerror("Couldn't parse keyfile.\n", path); 1733 return -1; 1734 } 1735 plog(LLV_DEBUG, LOCATION, NULL, "Public PlainRSA keyfile parsed: %s\n", path); 1736 } 1737 EOS 1738 | PEERS_CERTFILE DNSSEC 1739 { 1740 if (cur_rmconf->getcert_method) { 1741 yyerror("Different peers_certfile method already defined!\n"); 1742 return -1; 1743 } 1744 cur_rmconf->getcert_method = ISAKMP_GETCERT_DNS; 1745 cur_rmconf->peerscertfile = NULL; 1746 } 1747 EOS 1748 | VERIFY_CERT SWITCH { cur_rmconf->verify_cert = $2; } EOS 1749 | SEND_CERT SWITCH { cur_rmconf->send_cert = $2; } EOS 1750 | SEND_CR SWITCH { cur_rmconf->send_cr = $2; } EOS 1751 | MY_IDENTIFIER IDENTIFIERTYPE identifierstring 1752 { 1753 if (set_identifier(&cur_rmconf->idv, $2, $3) != 0) { 1754 yyerror("failed to set identifer.\n"); 1755 return -1; 1756 } 1757 cur_rmconf->idvtype = $2; 1758 } 1759 EOS 1760 | MY_IDENTIFIER IDENTIFIERTYPE IDENTIFIERQUAL identifierstring 1761 { 1762 if (set_identifier_qual(&cur_rmconf->idv, $2, $4, $3) != 0) { 1763 yyerror("failed to set identifer.\n"); 1764 return -1; 1765 } 1766 cur_rmconf->idvtype = $2; 1767 } 1768 EOS 1769 | XAUTH_LOGIN identifierstring 1770 { 1771 #ifdef ENABLE_HYBRID 1772 /* formerly identifier type login */ 1773 if (xauth_rmconf_used(&cur_rmconf->xauth) == -1) { 1774 yyerror("failed to allocate xauth state\n"); 1775 return -1; 1776 } 1777 if ((cur_rmconf->xauth->login = vdup($2)) == NULL) { 1778 yyerror("failed to set identifer.\n"); 1779 return -1; 1780 } 1781 #else 1782 yyerror("racoon not configured with --enable-hybrid"); 1783 #endif 1784 } 1785 EOS 1786 | PEERS_IDENTIFIER IDENTIFIERTYPE identifierstring 1787 { 1788 struct idspec *id; 1789 id = newidspec(); 1790 if (id == NULL) { 1791 yyerror("failed to allocate idspec"); 1792 return -1; 1793 } 1794 if (set_identifier(&id->id, $2, $3) != 0) { 1795 yyerror("failed to set identifer.\n"); 1796 racoon_free(id); 1797 return -1; 1798 } 1799 id->idtype = $2; 1800 genlist_append (cur_rmconf->idvl_p, id); 1801 } 1802 EOS 1803 | PEERS_IDENTIFIER IDENTIFIERTYPE IDENTIFIERQUAL identifierstring 1804 { 1805 struct idspec *id; 1806 id = newidspec(); 1807 if (id == NULL) { 1808 yyerror("failed to allocate idspec"); 1809 return -1; 1810 } 1811 if (set_identifier_qual(&id->id, $2, $4, $3) != 0) { 1812 yyerror("failed to set identifer.\n"); 1813 racoon_free(id); 1814 return -1; 1815 } 1816 id->idtype = $2; 1817 genlist_append (cur_rmconf->idvl_p, id); 1818 } 1819 EOS 1820 | VERIFY_IDENTIFIER SWITCH { cur_rmconf->verify_identifier = $2; } EOS 1821 | NONCE_SIZE NUMBER { cur_rmconf->nonce_size = $2; } EOS 1822 | DH_GROUP 1823 { 1824 yyerror("dh_group cannot be defined here."); 1825 return -1; 1826 } 1827 dh_group_num EOS 1828 | PASSIVE SWITCH { cur_rmconf->passive = $2; } EOS 1829 | IKE_FRAG SWITCH { cur_rmconf->ike_frag = $2; } EOS 1830 | IKE_FRAG REMOTE_FORCE_LEVEL { cur_rmconf->ike_frag = ISAKMP_FRAG_FORCE; } EOS 1831 | ESP_FRAG NUMBER { 1832 #ifdef SADB_X_EXT_NAT_T_FRAG 1833 if (libipsec_opt & LIBIPSEC_OPT_FRAG) 1834 cur_rmconf->esp_frag = $2; 1835 else 1836 yywarn("libipsec lacks IKE frag support"); 1837 #else 1838 yywarn("Your kernel does not support esp_frag"); 1839 #endif 1840 } EOS 1841 | SCRIPT QUOTEDSTRING PHASE1_UP { 1842 if (cur_rmconf->script[SCRIPT_PHASE1_UP] != NULL) 1843 vfree(cur_rmconf->script[SCRIPT_PHASE1_UP]); 1844 1845 cur_rmconf->script[SCRIPT_PHASE1_UP] = 1846 script_path_add(vdup($2)); 1847 } EOS 1848 | SCRIPT QUOTEDSTRING PHASE1_DOWN { 1849 if (cur_rmconf->script[SCRIPT_PHASE1_DOWN] != NULL) 1850 vfree(cur_rmconf->script[SCRIPT_PHASE1_DOWN]); 1851 1852 cur_rmconf->script[SCRIPT_PHASE1_DOWN] = 1853 script_path_add(vdup($2)); 1854 } EOS 1855 | MODE_CFG SWITCH { cur_rmconf->mode_cfg = $2; } EOS 1856 | WEAK_PHASE1_CHECK SWITCH { 1857 cur_rmconf->weak_phase1_check = $2; 1858 } EOS 1859 | GENERATE_POLICY SWITCH { cur_rmconf->gen_policy = $2; } EOS 1860 | GENERATE_POLICY GENERATE_LEVEL { cur_rmconf->gen_policy = $2; } EOS 1861 | SUPPORT_PROXY SWITCH { cur_rmconf->support_proxy = $2; } EOS 1862 | INITIAL_CONTACT SWITCH { cur_rmconf->ini_contact = $2; } EOS 1863 | NAT_TRAVERSAL SWITCH 1864 { 1865 #ifdef ENABLE_NATT 1866 if (libipsec_opt & LIBIPSEC_OPT_NATT) 1867 cur_rmconf->nat_traversal = $2; 1868 else 1869 yyerror("libipsec lacks NAT-T support"); 1870 #else 1871 yyerror("NAT-T support not compiled in."); 1872 #endif 1873 } EOS 1874 | NAT_TRAVERSAL REMOTE_FORCE_LEVEL 1875 { 1876 #ifdef ENABLE_NATT 1877 if (libipsec_opt & LIBIPSEC_OPT_NATT) 1878 cur_rmconf->nat_traversal = NATT_FORCE; 1879 else 1880 yyerror("libipsec lacks NAT-T support"); 1881 #else 1882 yyerror("NAT-T support not compiled in."); 1883 #endif 1884 } EOS 1885 | DPD SWITCH 1886 { 1887 #ifdef ENABLE_DPD 1888 cur_rmconf->dpd = $2; 1889 #else 1890 yyerror("DPD support not compiled in."); 1891 #endif 1892 } EOS 1893 | DPD_DELAY NUMBER 1894 { 1895 #ifdef ENABLE_DPD 1896 cur_rmconf->dpd_interval = $2; 1897 #else 1898 yyerror("DPD support not compiled in."); 1899 #endif 1900 } 1901 EOS 1902 | DPD_RETRY NUMBER 1903 { 1904 #ifdef ENABLE_DPD 1905 cur_rmconf->dpd_retry = $2; 1906 #else 1907 yyerror("DPD support not compiled in."); 1908 #endif 1909 } 1910 EOS 1911 | DPD_MAXFAIL NUMBER 1912 { 1913 #ifdef ENABLE_DPD 1914 cur_rmconf->dpd_maxfails = $2; 1915 #else 1916 yyerror("DPD support not compiled in."); 1917 #endif 1918 } 1919 EOS 1920 | PH1ID NUMBER 1921 { 1922 cur_rmconf->ph1id = $2; 1923 } 1924 EOS 1925 | LIFETIME LIFETYPE_TIME NUMBER unittype_time 1926 { 1927 cur_rmconf->prhead->lifetime = $3 * $4; 1928 } 1929 EOS 1930 | PROPOSAL_CHECK PROPOSAL_CHECK_LEVEL { cur_rmconf->pcheck_level = $2; } EOS 1931 | LIFETIME LIFETYPE_BYTE NUMBER unittype_byte 1932 { 1933 #if 1 1934 yyerror("byte lifetime support is deprecated in Phase1"); 1935 return -1; 1936 #else 1937 yywarn("the lifetime of bytes in phase 1 " 1938 "will be ignored at the moment."); 1939 cur_rmconf->prhead->lifebyte = fix_lifebyte($3 * $4); 1940 if (cur_rmconf->prhead->lifebyte == 0) 1941 return -1; 1942 #endif 1943 } 1944 EOS 1945 | PROPOSAL 1946 { 1947 struct secprotospec *spspec; 1948 1949 spspec = newspspec(); 1950 if (spspec == NULL) 1951 return -1; 1952 insspspec(spspec, &cur_rmconf->prhead); 1953 } 1954 BOC isakmpproposal_specs EOC 1955 ; 1956 exchange_types 1957 : /* nothing */ 1958 | exchange_types EXCHANGETYPE 1959 { 1960 struct etypes *new; 1961 new = racoon_malloc(sizeof(struct etypes)); 1962 if (new == NULL) { 1963 yyerror("failed to allocate etypes"); 1964 return -1; 1965 } 1966 new->type = $2; 1967 new->next = NULL; 1968 if (cur_rmconf->etypes == NULL) 1969 cur_rmconf->etypes = new; 1970 else { 1971 struct etypes *p; 1972 for (p = cur_rmconf->etypes; 1973 p->next != NULL; 1974 p = p->next) 1975 ; 1976 p->next = new; 1977 } 1978 } 1979 ; 1980 cert_spec 1981 : CERT_X509 QUOTEDSTRING QUOTEDSTRING 1982 { 1983 cur_rmconf->certtype = $1; 1984 if (cur_rmconf->mycertfile != NULL) 1985 racoon_free(cur_rmconf->mycertfile); 1986 cur_rmconf->mycertfile = racoon_strdup($2->v); 1987 STRDUP_FATAL(cur_rmconf->mycertfile); 1988 vfree($2); 1989 if (cur_rmconf->myprivfile != NULL) 1990 racoon_free(cur_rmconf->myprivfile); 1991 cur_rmconf->myprivfile = racoon_strdup($3->v); 1992 STRDUP_FATAL(cur_rmconf->myprivfile); 1993 vfree($3); 1994 } 1995 EOS 1996 | CERT_PLAINRSA QUOTEDSTRING 1997 { 1998 char path[MAXPATHLEN]; 1999 int ret = 0; 2000 2001 getpathname(path, sizeof(path), 2002 LC_PATHTYPE_CERT, $2->v); 2003 vfree($2); 2004 2005 cur_rmconf->certtype = $1; 2006 cur_rmconf->send_cr = FALSE; 2007 cur_rmconf->send_cert = FALSE; 2008 cur_rmconf->verify_cert = FALSE; 2009 if (rsa_parse_file(cur_rmconf->rsa_private, path, RSA_TYPE_PRIVATE)) { 2010 yyerror("Couldn't parse keyfile.\n", path); 2011 return -1; 2012 } 2013 plog(LLV_DEBUG, LOCATION, NULL, "Private PlainRSA keyfile parsed: %s\n", path); 2014 } 2015 EOS 2016 ; 2017 dh_group_num 2018 : ALGORITHMTYPE 2019 { 2020 $$ = algtype2doi(algclass_isakmp_dh, $1); 2021 if ($$ == -1) { 2022 yyerror("must be DH group"); 2023 return -1; 2024 } 2025 } 2026 | NUMBER 2027 { 2028 if (ARRAYLEN(num2dhgroup) > $1 && num2dhgroup[$1] != 0) { 2029 $$ = num2dhgroup[$1]; 2030 } else { 2031 yyerror("must be DH group"); 2032 $$ = 0; 2033 return -1; 2034 } 2035 } 2036 ; 2037 identifierstring 2038 : /* nothing */ { $$ = NULL; } 2039 | ADDRSTRING { $$ = $1; } 2040 | QUOTEDSTRING { $$ = $1; } 2041 ; 2042 isakmpproposal_specs 2043 : /* nothing */ 2044 | isakmpproposal_specs isakmpproposal_spec 2045 ; 2046 isakmpproposal_spec 2047 : STRENGTH 2048 { 2049 yyerror("strength directive is obsoleted."); 2050 } STRENGTHTYPE EOS 2051 | LIFETIME LIFETYPE_TIME NUMBER unittype_time 2052 { 2053 cur_rmconf->prhead->spspec->lifetime = $3 * $4; 2054 } 2055 EOS 2056 | LIFETIME LIFETYPE_BYTE NUMBER unittype_byte 2057 { 2058 #if 1 2059 yyerror("byte lifetime support is deprecated"); 2060 return -1; 2061 #else 2062 cur_rmconf->prhead->spspec->lifebyte = fix_lifebyte($3 * $4); 2063 if (cur_rmconf->prhead->spspec->lifebyte == 0) 2064 return -1; 2065 #endif 2066 } 2067 EOS 2068 | DH_GROUP dh_group_num 2069 { 2070 cur_rmconf->prhead->spspec->algclass[algclass_isakmp_dh] = $2; 2071 } 2072 EOS 2073 | GSS_ID QUOTEDSTRING 2074 { 2075 if (cur_rmconf->prhead->spspec->vendorid != VENDORID_GSSAPI) { 2076 yyerror("wrong Vendor ID for gssapi_id"); 2077 return -1; 2078 } 2079 if (cur_rmconf->prhead->spspec->gssid != NULL) 2080 racoon_free(cur_rmconf->prhead->spspec->gssid); 2081 cur_rmconf->prhead->spspec->gssid = 2082 racoon_strdup($2->v); 2083 STRDUP_FATAL(cur_rmconf->prhead->spspec->gssid); 2084 } 2085 EOS 2086 | ALGORITHM_CLASS ALGORITHMTYPE keylength 2087 { 2088 int doi; 2089 int defklen; 2090 2091 doi = algtype2doi($1, $2); 2092 if (doi == -1) { 2093 yyerror("algorithm mismatched 1"); 2094 return -1; 2095 } 2096 2097 switch ($1) { 2098 case algclass_isakmp_enc: 2099 /* reject suppressed algorithms */ 2100 #ifndef HAVE_OPENSSL_RC5_H 2101 if ($2 == algtype_rc5) { 2102 yyerror("algorithm %s not supported", 2103 s_attr_isakmp_enc(doi)); 2104 return -1; 2105 } 2106 #endif 2107 #ifndef HAVE_OPENSSL_IDEA_H 2108 if ($2 == algtype_idea) { 2109 yyerror("algorithm %s not supported", 2110 s_attr_isakmp_enc(doi)); 2111 return -1; 2112 } 2113 #endif 2114 2115 cur_rmconf->prhead->spspec->algclass[algclass_isakmp_enc] = doi; 2116 defklen = default_keylen($1, $2); 2117 if (defklen == 0) { 2118 if ($3) { 2119 yyerror("keylen not allowed"); 2120 return -1; 2121 } 2122 } else { 2123 if ($3 && check_keylen($1, $2, $3) < 0) { 2124 yyerror("invalid keylen %d", $3); 2125 return -1; 2126 } 2127 } 2128 if ($3) 2129 cur_rmconf->prhead->spspec->encklen = $3; 2130 else 2131 cur_rmconf->prhead->spspec->encklen = defklen; 2132 break; 2133 case algclass_isakmp_hash: 2134 cur_rmconf->prhead->spspec->algclass[algclass_isakmp_hash] = doi; 2135 break; 2136 case algclass_isakmp_ameth: 2137 cur_rmconf->prhead->spspec->algclass[algclass_isakmp_ameth] = doi; 2138 /* 2139 * We may have to set the Vendor ID for the 2140 * authentication method we're using. 2141 */ 2142 switch ($2) { 2143 case algtype_gssapikrb: 2144 if (cur_rmconf->prhead->spspec->vendorid != 2145 VENDORID_UNKNOWN) { 2146 yyerror("Vendor ID mismatch " 2147 "for auth method"); 2148 return -1; 2149 } 2150 /* 2151 * For interoperability with Win2k, 2152 * we set the Vendor ID to "GSSAPI". 2153 */ 2154 cur_rmconf->prhead->spspec->vendorid = 2155 VENDORID_GSSAPI; 2156 break; 2157 case algtype_rsasig: 2158 if (cur_rmconf->certtype == ISAKMP_CERT_PLAINRSA) { 2159 if (rsa_list_count(cur_rmconf->rsa_private) == 0) { 2160 yyerror ("Private PlainRSA key not set. " 2161 "Use directive 'certificate_type plainrsa ...'\n"); 2162 return -1; 2163 } 2164 if (rsa_list_count(cur_rmconf->rsa_public) == 0) { 2165 yyerror ("Public PlainRSA keys not set. " 2166 "Use directive 'peers_certfile plainrsa ...'\n"); 2167 return -1; 2168 } 2169 } 2170 break; 2171 default: 2172 break; 2173 } 2174 break; 2175 default: 2176 yyerror("algorithm mismatched 2"); 2177 return -1; 2178 } 2179 } 2180 EOS 2181 ; 2182 2183 unittype_time 2184 : UNITTYPE_SEC { $$ = 1; } 2185 | UNITTYPE_MIN { $$ = 60; } 2186 | UNITTYPE_HOUR { $$ = (60 * 60); } 2187 ; 2188 unittype_byte 2189 : UNITTYPE_BYTE { $$ = 1; } 2190 | UNITTYPE_KBYTES { $$ = 1024; } 2191 | UNITTYPE_MBYTES { $$ = (1024 * 1024); } 2192 | UNITTYPE_TBYTES { $$ = (1024 * 1024 * 1024); } 2193 ; 2194 %% 2195 2196 static struct proposalspec * 2197 newprspec() 2198 { 2199 struct proposalspec *new; 2200 2201 new = racoon_calloc(1, sizeof(*new)); 2202 if (new == NULL) 2203 yyerror("failed to allocate proposal"); 2204 2205 return new; 2206 } 2207 2208 /* 2209 * insert into head of list. 2210 */ 2211 static void 2212 insprspec(prspec, head) 2213 struct proposalspec *prspec; 2214 struct proposalspec **head; 2215 { 2216 if (*head != NULL) 2217 (*head)->prev = prspec; 2218 prspec->next = *head; 2219 *head = prspec; 2220 } 2221 2222 static struct secprotospec * 2223 newspspec() 2224 { 2225 struct secprotospec *new; 2226 2227 new = racoon_calloc(1, sizeof(*new)); 2228 if (new == NULL) { 2229 yyerror("failed to allocate spproto"); 2230 return NULL; 2231 } 2232 2233 new->encklen = 0; /*XXX*/ 2234 2235 /* 2236 * Default to "uknown" vendor -- we will override this 2237 * as necessary. When we send a Vendor ID payload, an 2238 * "unknown" will be translated to a KAME/racoon ID. 2239 */ 2240 new->vendorid = VENDORID_UNKNOWN; 2241 2242 return new; 2243 } 2244 2245 /* 2246 * insert into head of list. 2247 */ 2248 static void 2249 insspspec(spspec, head) 2250 struct secprotospec *spspec; 2251 struct proposalspec **head; 2252 { 2253 spspec->back = *head; 2254 2255 if ((*head)->spspec != NULL) 2256 (*head)->spspec->prev = spspec; 2257 spspec->next = (*head)->spspec; 2258 (*head)->spspec = spspec; 2259 } 2260 2261 /* set final acceptable proposal */ 2262 static int 2263 set_isakmp_proposal(rmconf, prspec) 2264 struct remoteconf *rmconf; 2265 struct proposalspec *prspec; 2266 { 2267 struct proposalspec *p; 2268 struct secprotospec *s; 2269 int prop_no = 1; 2270 int trns_no = 1; 2271 int32_t types[MAXALGCLASS]; 2272 2273 p = prspec; 2274 if (p->next != 0) { 2275 plog(LLV_ERROR, LOCATION, NULL, 2276 "multiple proposal definition.\n"); 2277 return -1; 2278 } 2279 2280 /* mandatory check */ 2281 if (p->spspec == NULL) { 2282 yyerror("no remote specification found: %s.\n", 2283 saddr2str(rmconf->remote)); 2284 return -1; 2285 } 2286 for (s = p->spspec; s != NULL; s = s->next) { 2287 /* XXX need more to check */ 2288 if (s->algclass[algclass_isakmp_enc] == 0) { 2289 yyerror("encryption algorithm required."); 2290 return -1; 2291 } 2292 if (s->algclass[algclass_isakmp_hash] == 0) { 2293 yyerror("hash algorithm required."); 2294 return -1; 2295 } 2296 if (s->algclass[algclass_isakmp_dh] == 0) { 2297 yyerror("DH group required."); 2298 return -1; 2299 } 2300 if (s->algclass[algclass_isakmp_ameth] == 0) { 2301 yyerror("authentication method required."); 2302 return -1; 2303 } 2304 } 2305 2306 /* skip to last part */ 2307 for (s = p->spspec; s->next != NULL; s = s->next) 2308 ; 2309 2310 while (s != NULL) { 2311 plog(LLV_DEBUG2, LOCATION, NULL, 2312 "lifetime = %ld\n", (long) 2313 (s->lifetime ? s->lifetime : p->lifetime)); 2314 plog(LLV_DEBUG2, LOCATION, NULL, 2315 "lifebyte = %d\n", 2316 s->lifebyte ? s->lifebyte : p->lifebyte); 2317 plog(LLV_DEBUG2, LOCATION, NULL, 2318 "encklen=%d\n", s->encklen); 2319 2320 memset(types, 0, ARRAYLEN(types)); 2321 types[algclass_isakmp_enc] = s->algclass[algclass_isakmp_enc]; 2322 types[algclass_isakmp_hash] = s->algclass[algclass_isakmp_hash]; 2323 types[algclass_isakmp_dh] = s->algclass[algclass_isakmp_dh]; 2324 types[algclass_isakmp_ameth] = 2325 s->algclass[algclass_isakmp_ameth]; 2326 2327 /* expanding spspec */ 2328 clean_tmpalgtype(); 2329 trns_no = expand_isakmpspec(prop_no, trns_no, types, 2330 algclass_isakmp_enc, algclass_isakmp_ameth + 1, 2331 s->lifetime ? s->lifetime : p->lifetime, 2332 s->lifebyte ? s->lifebyte : p->lifebyte, 2333 s->encklen, s->vendorid, s->gssid, 2334 rmconf); 2335 if (trns_no == -1) { 2336 plog(LLV_ERROR, LOCATION, NULL, 2337 "failed to expand isakmp proposal.\n"); 2338 return -1; 2339 } 2340 2341 s = s->prev; 2342 } 2343 2344 if (rmconf->proposal == NULL) { 2345 plog(LLV_ERROR, LOCATION, NULL, 2346 "no proposal found.\n"); 2347 return -1; 2348 } 2349 2350 return 0; 2351 } 2352 2353 static void 2354 clean_tmpalgtype() 2355 { 2356 int i; 2357 for (i = 0; i < MAXALGCLASS; i++) 2358 tmpalgtype[i] = 0; /* means algorithm undefined. */ 2359 } 2360 2361 static int 2362 expand_isakmpspec(prop_no, trns_no, types, 2363 class, last, lifetime, lifebyte, encklen, vendorid, gssid, 2364 rmconf) 2365 int prop_no, trns_no; 2366 int *types, class, last; 2367 time_t lifetime; 2368 int lifebyte; 2369 int encklen; 2370 int vendorid; 2371 char *gssid; 2372 struct remoteconf *rmconf; 2373 { 2374 struct isakmpsa *new; 2375 2376 /* debugging */ 2377 { 2378 int j; 2379 char tb[10]; 2380 plog(LLV_DEBUG2, LOCATION, NULL, 2381 "p:%d t:%d\n", prop_no, trns_no); 2382 for (j = class; j < MAXALGCLASS; j++) { 2383 snprintf(tb, sizeof(tb), "%d", types[j]); 2384 plog(LLV_DEBUG2, LOCATION, NULL, 2385 "%s%s%s%s\n", 2386 s_algtype(j, types[j]), 2387 types[j] ? "(" : "", 2388 tb[0] == '0' ? "" : tb, 2389 types[j] ? ")" : ""); 2390 } 2391 plog(LLV_DEBUG2, LOCATION, NULL, "\n"); 2392 } 2393 2394 #define TMPALGTYPE2STR(n) \ 2395 s_algtype(algclass_isakmp_##n, types[algclass_isakmp_##n]) 2396 /* check mandatory values */ 2397 if (types[algclass_isakmp_enc] == 0 2398 || types[algclass_isakmp_ameth] == 0 2399 || types[algclass_isakmp_hash] == 0 2400 || types[algclass_isakmp_dh] == 0) { 2401 yyerror("few definition of algorithm " 2402 "enc=%s ameth=%s hash=%s dhgroup=%s.\n", 2403 TMPALGTYPE2STR(enc), 2404 TMPALGTYPE2STR(ameth), 2405 TMPALGTYPE2STR(hash), 2406 TMPALGTYPE2STR(dh)); 2407 return -1; 2408 } 2409 #undef TMPALGTYPE2STR 2410 2411 /* set new sa */ 2412 new = newisakmpsa(); 2413 if (new == NULL) { 2414 yyerror("failed to allocate isakmp sa"); 2415 return -1; 2416 } 2417 new->prop_no = prop_no; 2418 new->trns_no = trns_no++; 2419 new->lifetime = lifetime; 2420 new->lifebyte = lifebyte; 2421 new->enctype = types[algclass_isakmp_enc]; 2422 new->encklen = encklen; 2423 new->authmethod = types[algclass_isakmp_ameth]; 2424 new->hashtype = types[algclass_isakmp_hash]; 2425 new->dh_group = types[algclass_isakmp_dh]; 2426 new->vendorid = vendorid; 2427 #ifdef HAVE_GSSAPI 2428 if (new->authmethod == OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB) { 2429 if (gssid != NULL) { 2430 if ((new->gssid = vmalloc(strlen(gssid))) == NULL) { 2431 racoon_free(new); 2432 yyerror("failed to allocate gssid"); 2433 return -1; 2434 } 2435 memcpy(new->gssid->v, gssid, new->gssid->l); 2436 racoon_free(gssid); 2437 } else { 2438 /* 2439 * Allocate the default ID so that it gets put 2440 * into a GSS ID attribute during the Phase 1 2441 * exchange. 2442 */ 2443 new->gssid = gssapi_get_default_gss_id(); 2444 } 2445 } 2446 #endif 2447 insisakmpsa(new, rmconf); 2448 2449 return trns_no; 2450 } 2451 2452 static int 2453 listen_addr (struct sockaddr *addr, int udp_encap) 2454 { 2455 struct myaddrs *p; 2456 2457 p = newmyaddr(); 2458 if (p == NULL) { 2459 yyerror("failed to allocate myaddrs"); 2460 return -1; 2461 } 2462 p->addr = addr; 2463 if (p->addr == NULL) { 2464 yyerror("failed to copy sockaddr "); 2465 delmyaddr(p); 2466 return -1; 2467 } 2468 p->udp_encap = udp_encap; 2469 2470 insmyaddr(p, &lcconf->myaddrs); 2471 2472 lcconf->autograbaddr = 0; 2473 return 0; 2474 } 2475 2476 #if 0 2477 /* 2478 * fix lifebyte. 2479 * Must be more than 1024B because its unit is kilobytes. 2480 * That is defined RFC2407. 2481 */ 2482 static int 2483 fix_lifebyte(t) 2484 unsigned long t; 2485 { 2486 if (t < 1024) { 2487 yyerror("byte size should be more than 1024B."); 2488 return 0; 2489 } 2490 2491 return(t / 1024); 2492 } 2493 #endif 2494 2495 int 2496 cfparse() 2497 { 2498 int error; 2499 2500 yycf_init_buffer(); 2501 2502 if (yycf_switch_buffer(lcconf->racoon_conf) != 0) { 2503 plog(LLV_ERROR, LOCATION, NULL, 2504 "could not read configuration file \"%s\"\n", 2505 lcconf->racoon_conf); 2506 return -1; 2507 } 2508 2509 error = yyparse(); 2510 if (error != 0) { 2511 if (yyerrorcount) { 2512 plog(LLV_ERROR, LOCATION, NULL, 2513 "fatal parse failure (%d errors)\n", 2514 yyerrorcount); 2515 } else { 2516 plog(LLV_ERROR, LOCATION, NULL, 2517 "fatal parse failure.\n"); 2518 } 2519 return -1; 2520 } 2521 2522 if (error == 0 && yyerrorcount) { 2523 plog(LLV_ERROR, LOCATION, NULL, 2524 "parse error is nothing, but yyerrorcount is %d.\n", 2525 yyerrorcount); 2526 exit(1); 2527 } 2528 2529 yycf_clean_buffer(); 2530 2531 plog(LLV_DEBUG2, LOCATION, NULL, "parse successed.\n"); 2532 2533 return 0; 2534 } 2535 2536 int 2537 cfreparse() 2538 { 2539 flushph2(); 2540 flushph1(); 2541 flushrmconf(); 2542 flushsainfo(); 2543 clean_tmpalgtype(); 2544 yycf_init_buffer(); 2545 2546 if (yycf_switch_buffer(lcconf->racoon_conf) != 0) 2547 return -1; 2548 2549 return(cfparse()); 2550 } 2551 2552 #ifdef ENABLE_ADMINPORT 2553 static void 2554 adminsock_conf(path, owner, group, mode_dec) 2555 vchar_t *path; 2556 vchar_t *owner; 2557 vchar_t *group; 2558 int mode_dec; 2559 { 2560 struct passwd *pw = NULL; 2561 struct group *gr = NULL; 2562 mode_t mode = 0; 2563 uid_t uid; 2564 gid_t gid; 2565 int isnum; 2566 2567 adminsock_path = path->v; 2568 2569 if (owner == NULL) 2570 return; 2571 2572 errno = 0; 2573 uid = atoi(owner->v); 2574 isnum = !errno; 2575 if (((pw = getpwnam(owner->v)) == NULL) && !isnum) 2576 yyerror("User \"%s\" does not exist", owner->v); 2577 2578 if (pw) 2579 adminsock_owner = pw->pw_uid; 2580 else 2581 adminsock_owner = uid; 2582 2583 if (group == NULL) 2584 return; 2585 2586 errno = 0; 2587 gid = atoi(group->v); 2588 isnum = !errno; 2589 if (((gr = getgrnam(group->v)) == NULL) && !isnum) 2590 yyerror("Group \"%s\" does not exist", group->v); 2591 2592 if (gr) 2593 adminsock_group = gr->gr_gid; 2594 else 2595 adminsock_group = gid; 2596 2597 if (mode_dec == -1) 2598 return; 2599 2600 if (mode_dec > 777) 2601 yyerror("Mode 0%03o is invalid", mode_dec); 2602 if (mode_dec >= 400) { mode += 0400; mode_dec -= 400; } 2603 if (mode_dec >= 200) { mode += 0200; mode_dec -= 200; } 2604 if (mode_dec >= 100) { mode += 0200; mode_dec -= 100; } 2605 2606 if (mode_dec > 77) 2607 yyerror("Mode 0%03o is invalid", mode_dec); 2608 if (mode_dec >= 40) { mode += 040; mode_dec -= 40; } 2609 if (mode_dec >= 20) { mode += 020; mode_dec -= 20; } 2610 if (mode_dec >= 10) { mode += 020; mode_dec -= 10; } 2611 2612 if (mode_dec > 7) 2613 yyerror("Mode 0%03o is invalid", mode_dec); 2614 if (mode_dec >= 4) { mode += 04; mode_dec -= 4; } 2615 if (mode_dec >= 2) { mode += 02; mode_dec -= 2; } 2616 if (mode_dec >= 1) { mode += 02; mode_dec -= 1; } 2617 2618 adminsock_mode = mode; 2619 2620 return; 2621 } 2622 #endif 2623