1 /* $NetBSD: cfparse.y,v 1.49 2016/02/17 20:11:17 christos Exp $ */ 2 3 /* Id: cfparse.y,v 1.66 2006/08/22 18:17:17 manubsd Exp */ 4 5 %{ 6 /* 7 * Copyright (C) 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002 and 2003 WIDE Project. 8 * All rights reserved. 9 * 10 * Redistribution and use in source and binary forms, with or without 11 * modification, are permitted provided that the following conditions 12 * are met: 13 * 1. Redistributions of source code must retain the above copyright 14 * notice, this list of conditions and the following disclaimer. 15 * 2. Redistributions in binary form must reproduce the above copyright 16 * notice, this list of conditions and the following disclaimer in the 17 * documentation and/or other materials provided with the distribution. 18 * 3. Neither the name of the project nor the names of its contributors 19 * may be used to endorse or promote products derived from this software 20 * without specific prior written permission. 21 * 22 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND 23 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 24 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 25 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE 26 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 27 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 28 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 29 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 30 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 31 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 32 * SUCH DAMAGE. 33 */ 34 35 #include "config.h" 36 37 #include <sys/types.h> 38 #include <sys/param.h> 39 #include <sys/queue.h> 40 #include <sys/socket.h> 41 42 #include <netinet/in.h> 43 #include PATH_IPSEC_H 44 45 #ifdef ENABLE_HYBRID 46 #include <arpa/inet.h> 47 #endif 48 49 #include <stdlib.h> 50 #include <stdio.h> 51 #include <string.h> 52 #include <errno.h> 53 #include <netdb.h> 54 #include <pwd.h> 55 #include <grp.h> 56 57 #include "var.h" 58 #include "misc.h" 59 #include "vmbuf.h" 60 #include "plog.h" 61 #include "sockmisc.h" 62 #include "str2val.h" 63 #include "genlist.h" 64 #include "debug.h" 65 66 #include "admin.h" 67 #include "privsep.h" 68 #include "cfparse_proto.h" 69 #include "cftoken_proto.h" 70 #include "algorithm.h" 71 #include "localconf.h" 72 #include "policy.h" 73 #include "sainfo.h" 74 #include "oakley.h" 75 #include "pfkey.h" 76 #include "remoteconf.h" 77 #include "grabmyaddr.h" 78 #include "isakmp_var.h" 79 #include "handler.h" 80 #include "isakmp.h" 81 #include "nattraversal.h" 82 #include "isakmp_frag.h" 83 #ifdef ENABLE_HYBRID 84 #include "resolv.h" 85 #include "isakmp_unity.h" 86 #include "isakmp_xauth.h" 87 #include "isakmp_cfg.h" 88 #endif 89 #include "ipsec_doi.h" 90 #include "strnames.h" 91 #include "gcmalloc.h" 92 #ifdef HAVE_GSSAPI 93 #include "gssapi.h" 94 #endif 95 #include "vendorid.h" 96 #include "rsalist.h" 97 #include "crypto_openssl.h" 98 99 struct secprotospec { 100 int prop_no; 101 int trns_no; 102 int strength; /* for isakmp/ipsec */ 103 int encklen; /* for isakmp/ipsec */ 104 time_t lifetime; /* for isakmp */ 105 int lifebyte; /* for isakmp */ 106 int proto_id; /* for ipsec (isakmp?) */ 107 int ipsec_level; /* for ipsec */ 108 int encmode; /* for ipsec */ 109 int vendorid; /* for isakmp */ 110 char *gssid; 111 struct sockaddr *remote; 112 int algclass[MAXALGCLASS]; 113 114 struct secprotospec *next; /* the tail is the most prefiered. */ 115 struct secprotospec *prev; 116 }; 117 118 static int num2dhgroup[] = { 119 0, 120 OAKLEY_ATTR_GRP_DESC_MODP768, 121 OAKLEY_ATTR_GRP_DESC_MODP1024, 122 OAKLEY_ATTR_GRP_DESC_EC2N155, 123 OAKLEY_ATTR_GRP_DESC_EC2N185, 124 OAKLEY_ATTR_GRP_DESC_MODP1536, 125 0, 126 0, 127 0, 128 0, 129 0, 130 0, 131 0, 132 0, 133 OAKLEY_ATTR_GRP_DESC_MODP2048, 134 OAKLEY_ATTR_GRP_DESC_MODP3072, 135 OAKLEY_ATTR_GRP_DESC_MODP4096, 136 OAKLEY_ATTR_GRP_DESC_MODP6144, 137 OAKLEY_ATTR_GRP_DESC_MODP8192 138 }; 139 140 static struct remoteconf *cur_rmconf = NULL; 141 static int tmpalgtype[MAXALGCLASS] = {0}; 142 static struct sainfo *cur_sainfo = NULL; 143 static int cur_algclass = 0; 144 static int oldloglevel = LLV_BASE; 145 146 static struct secprotospec *newspspec __P((void)); 147 static void insspspec __P((struct remoteconf *, struct secprotospec *)); 148 void dupspspec_list __P((struct remoteconf *dst, struct remoteconf *src)); 149 void flushspspec __P((struct remoteconf *)); 150 static void adminsock_conf __P((vchar_t *, vchar_t *, vchar_t *, int)); 151 152 static int set_isakmp_proposal __P((struct remoteconf *)); 153 static void clean_tmpalgtype __P((void)); 154 static int expand_isakmpspec __P((int, int, int *, 155 int, int, time_t, int, int, int, char *, struct remoteconf *)); 156 157 void freeetypes (struct etypes **etypes); 158 159 static int load_x509(const char *file, char **filenameptr, 160 vchar_t **certptr) 161 { 162 char path[PATH_MAX]; 163 164 getpathname(path, sizeof(path), LC_PATHTYPE_CERT, file); 165 *certptr = eay_get_x509cert(path); 166 if (*certptr == NULL) 167 return -1; 168 169 *filenameptr = racoon_strdup(file); 170 STRDUP_FATAL(*filenameptr); 171 172 return 0; 173 } 174 175 static int process_rmconf() 176 { 177 178 /* check a exchange mode */ 179 if (cur_rmconf->etypes == NULL) { 180 yyerror("no exchange mode specified.\n"); 181 return -1; 182 } 183 184 if (cur_rmconf->idvtype == IDTYPE_UNDEFINED) 185 cur_rmconf->idvtype = IDTYPE_ADDRESS; 186 187 if (cur_rmconf->idvtype == IDTYPE_ASN1DN) { 188 if (cur_rmconf->mycertfile) { 189 if (cur_rmconf->idv) 190 yywarn("Both CERT and ASN1 ID " 191 "are set. Hope this is OK.\n"); 192 /* TODO: Preparse the DN here */ 193 } else if (cur_rmconf->idv) { 194 /* OK, using asn1dn without X.509. */ 195 } else { 196 yyerror("ASN1 ID not specified " 197 "and no CERT defined!\n"); 198 return -1; 199 } 200 } 201 202 if (duprmconf_finish(cur_rmconf)) 203 return -1; 204 205 if (set_isakmp_proposal(cur_rmconf) != 0) 206 return -1; 207 208 /* DH group settting if aggressive mode is there. */ 209 if (check_etypeok(cur_rmconf, (void*) ISAKMP_ETYPE_AGG)) { 210 struct isakmpsa *p; 211 int b = 0; 212 213 /* DH group */ 214 for (p = cur_rmconf->proposal; p; p = p->next) { 215 if (b == 0 || (b && b == p->dh_group)) { 216 b = p->dh_group; 217 continue; 218 } 219 yyerror("DH group must be equal " 220 "in all proposals " 221 "when aggressive mode is " 222 "used.\n"); 223 return -1; 224 } 225 cur_rmconf->dh_group = b; 226 227 if (cur_rmconf->dh_group == 0) { 228 yyerror("DH group must be set in the proposal.\n"); 229 return -1; 230 } 231 232 /* DH group settting if PFS is required. */ 233 if (oakley_setdhgroup(cur_rmconf->dh_group, 234 &cur_rmconf->dhgrp) < 0) { 235 yyerror("failed to set DH value.\n"); 236 return -1; 237 } 238 } 239 240 insrmconf(cur_rmconf); 241 cur_rmconf = NULL; 242 243 return 0; 244 } 245 246 /* some frequently used warning texts */ 247 static const char error_message_hybrid_config_not_configured[] = "racoon not configured with --enable-hybrid\n"; 248 static const char error_message_ldap_config_not_configured[] = "racoon not configured with --with-libldap\n"; 249 static const char error_message_admin_port_not_compiled_in[] = "admin port support not compiled in\n"; 250 static const char error_message_natt_not_compiled_in[] = "NAT-T support not compiled in\n"; 251 static const char error_message_dpd_not_compiled_in[] = "DPD support not compiled in\n"; 252 253 /* macros for aborting the parsing with freeing up allocated memory */ 254 #define ABORT_CLEANUP {delrmconf(cur_rmconf); delsainfo(cur_sainfo); YYABORT;} 255 #define ABORT() ABORT_CLEANUP 256 257 #define ABORT_AND_VFREE(val0) {\ 258 vfree(val0); val0 = NULL;\ 259 ABORT_CLEANUP} 260 261 #define ABORT_AND_RACOON_FREE(val0) {\ 262 racoon_free(val0); val0 = NULL;\ 263 ABORT_CLEANUP} 264 265 #define ABORT_AND_VFREE2(val0, val1) {\ 266 vfree(val0); val0 = NULL;\ 267 vfree(val1); val1 = NULL;\ 268 ABORT_CLEANUP} 269 270 #define ABORT_AND_RACOON_FREE2(val0, val1) {\ 271 racoon_free(val0); val0 = NULL;\ 272 racoon_free(val1); val1 = NULL;\ 273 ABORT_CLEANUP} 274 %} 275 276 %union { 277 unsigned long num; 278 vchar_t *val; 279 struct remoteconf *rmconf; 280 struct sockaddr *saddr; 281 struct sainfoalg *alg; 282 } 283 284 /* privsep */ 285 %token PRIVSEP USER GROUP CHROOT 286 /* path */ 287 %token PATH PATHTYPE 288 /* include */ 289 %token INCLUDE 290 /* PFKEY_BUFFER */ 291 %token PFKEY_BUFFER 292 /* logging */ 293 %token LOGGING LOGLEV 294 /* padding */ 295 %token PADDING PAD_RANDOMIZE PAD_RANDOMIZELEN PAD_MAXLEN PAD_STRICT PAD_EXCLTAIL 296 /* listen */ 297 %token LISTEN X_ISAKMP X_ISAKMP_NATT X_ADMIN STRICT_ADDRESS ADMINSOCK DISABLED 298 /* ldap config */ 299 %token LDAPCFG LDAP_HOST LDAP_PORT LDAP_TLS LDAP_PVER LDAP_BASE LDAP_BIND_DN LDAP_BIND_PW LDAP_SUBTREE 300 %token LDAP_ATTR_USER LDAP_ATTR_ADDR LDAP_ATTR_MASK LDAP_ATTR_GROUP LDAP_ATTR_MEMBER 301 /* radius config */ 302 %token RADCFG RAD_AUTH RAD_ACCT RAD_TIMEOUT RAD_RETRIES 303 /* modecfg */ 304 %token MODECFG CFG_NET4 CFG_MASK4 CFG_DNS4 CFG_NBNS4 CFG_DEFAULT_DOMAIN 305 %token CFG_AUTH_SOURCE CFG_AUTH_GROUPS CFG_SYSTEM CFG_RADIUS CFG_PAM CFG_LDAP CFG_LOCAL CFG_NONE 306 %token CFG_GROUP_SOURCE CFG_ACCOUNTING CFG_CONF_SOURCE CFG_MOTD CFG_POOL_SIZE CFG_AUTH_THROTTLE 307 %token CFG_SPLIT_NETWORK CFG_SPLIT_LOCAL CFG_SPLIT_INCLUDE CFG_SPLIT_DNS 308 %token CFG_PFS_GROUP CFG_SAVE_PASSWD 309 310 /* timer */ 311 %token RETRY RETRY_COUNTER RETRY_INTERVAL RETRY_PERSEND 312 %token RETRY_PHASE1 RETRY_PHASE2 NATT_KA 313 /* algorithm */ 314 %token ALGORITHM_CLASS ALGORITHMTYPE STRENGTHTYPE 315 /* sainfo */ 316 %token SAINFO FROM 317 /* remote */ 318 %token REMOTE ANONYMOUS CLIENTADDR INHERIT REMOTE_ADDRESS 319 %token EXCHANGE_MODE EXCHANGETYPE DOI DOITYPE SITUATION SITUATIONTYPE 320 %token CERTIFICATE_TYPE CERTTYPE PEERS_CERTFILE CA_TYPE 321 %token VERIFY_CERT SEND_CERT SEND_CR MATCH_EMPTY_CR 322 %token IDENTIFIERTYPE IDENTIFIERQUAL MY_IDENTIFIER 323 %token PEERS_IDENTIFIER VERIFY_IDENTIFIER 324 %token DNSSEC CERT_X509 CERT_PLAINRSA 325 %token NONCE_SIZE DH_GROUP KEEPALIVE PASSIVE INITIAL_CONTACT 326 %token NAT_TRAVERSAL REMOTE_FORCE_LEVEL 327 %token PROPOSAL_CHECK PROPOSAL_CHECK_LEVEL 328 %token GENERATE_POLICY GENERATE_LEVEL SUPPORT_PROXY 329 %token PROPOSAL 330 %token EXEC_PATH EXEC_COMMAND EXEC_SUCCESS EXEC_FAILURE 331 %token GSS_ID GSS_ID_ENC GSS_ID_ENCTYPE 332 %token COMPLEX_BUNDLE 333 %token DPD DPD_DELAY DPD_RETRY DPD_MAXFAIL 334 %token PH1ID 335 %token XAUTH_LOGIN WEAK_PHASE1_CHECK 336 %token REKEY 337 338 %token PREFIX PORT PORTANY UL_PROTO ANY IKE_FRAG ESP_FRAG MODE_CFG 339 %token PFS_GROUP LIFETIME LIFETYPE_TIME LIFETYPE_BYTE STRENGTH REMOTEID 340 341 %token SCRIPT PHASE1_UP PHASE1_DOWN PHASE1_DEAD 342 343 %token NUMBER SWITCH BOOLEAN 344 %token HEXSTRING QUOTEDSTRING ADDRSTRING ADDRRANGE 345 %token UNITTYPE_BYTE UNITTYPE_KBYTES UNITTYPE_MBYTES UNITTYPE_TBYTES 346 %token UNITTYPE_SEC UNITTYPE_MIN UNITTYPE_HOUR 347 %token EOS BOC EOC COMMA 348 349 %type <num> NUMBER BOOLEAN SWITCH keylength 350 %type <num> PATHTYPE IDENTIFIERTYPE IDENTIFIERQUAL LOGLEV GSS_ID_ENCTYPE 351 %type <num> ALGORITHM_CLASS dh_group_num 352 %type <num> ALGORITHMTYPE STRENGTHTYPE 353 %type <num> PREFIX prefix PORT port ike_port 354 %type <num> ul_proto UL_PROTO 355 %type <num> EXCHANGETYPE DOITYPE SITUATIONTYPE 356 %type <num> CERTTYPE CERT_X509 CERT_PLAINRSA PROPOSAL_CHECK_LEVEL REMOTE_FORCE_LEVEL GENERATE_LEVEL 357 %type <num> unittype_time unittype_byte 358 %type <val> QUOTEDSTRING HEXSTRING ADDRSTRING ADDRRANGE sainfo_id 359 %type <val> identifierstring 360 %type <saddr> remote_index ike_addrinfo_port 361 %type <alg> algorithm 362 %type <saddr> ike_addrinfo_port_natt 363 %type <num> ike_port_natt 364 365 %% 366 367 statements 368 : /* nothing */ 369 | statements statement 370 ; 371 statement 372 : privsep_statement 373 | path_statement 374 | include_statement 375 | pfkey_statement 376 | gssenc_statement 377 | logging_statement 378 | padding_statement 379 | listen_statement 380 | ldapcfg_statement 381 | radcfg_statement 382 | modecfg_statement 383 | timer_statement 384 | sainfo_statement 385 | remote_statement 386 | special_statement 387 ; 388 389 /* privsep */ 390 privsep_statement 391 : PRIVSEP BOC privsep_stmts EOC 392 ; 393 privsep_stmts 394 : /* nothing */ 395 | privsep_stmts privsep_stmt 396 ; 397 privsep_stmt 398 : USER QUOTEDSTRING 399 { 400 struct passwd *pw = getpwnam($2->v); 401 vfree($2); 402 403 if (pw == NULL) { 404 yyerror("unknown user \"%s\"", $2->v); 405 ABORT(); 406 } 407 408 lcconf->uid = pw->pw_uid; 409 } 410 EOS 411 | USER NUMBER { lcconf->uid = $2; } EOS 412 | GROUP QUOTEDSTRING 413 { 414 struct group *gr = getgrnam($2->v); 415 vfree($2); 416 417 if (gr == NULL) { 418 yyerror("unknown group \"%s\"", $2->v); 419 ABORT(); 420 } 421 422 lcconf->gid = gr->gr_gid; 423 } 424 EOS 425 | GROUP NUMBER { lcconf->gid = $2; } EOS 426 | CHROOT QUOTEDSTRING 427 { 428 lcconf_setchroot(racoon_strdup($2->v)); 429 vfree($2); 430 } EOS 431 ; 432 433 /* path */ 434 path_statement 435 : PATH PATHTYPE QUOTEDSTRING 436 { 437 char * path = racoon_strdup($3->v); 438 439 if (path == NULL) { 440 yyerror("copy string fatal error: %s", $3->v); 441 ABORT_AND_VFREE($3); 442 } 443 444 if (lcconf_setpath(path, $2) < 0) { 445 yyerror("invalid path type %d", $2); 446 ABORT_AND_VFREE($3); 447 } 448 449 vfree($3); 450 } 451 EOS 452 ; 453 454 /* special */ 455 special_statement 456 : COMPLEX_BUNDLE SWITCH { lcconf->complex_bundle = $2; } EOS 457 ; 458 459 /* include */ 460 include_statement 461 : INCLUDE QUOTEDSTRING EOS 462 { 463 char path[MAXPATHLEN]; 464 465 getpathname(path, sizeof(path), 466 LC_PATHTYPE_INCLUDE, $2->v); 467 vfree($2); 468 if (yycf_switch_buffer(path) != 0) 469 ABORT(); 470 } 471 ; 472 473 /* pfkey_buffer */ 474 pfkey_statement 475 : PFKEY_BUFFER NUMBER EOS 476 { 477 lcconf->pfkey_buffer_size = $2; 478 } 479 ; 480 /* gss_id_enc */ 481 gssenc_statement 482 : GSS_ID_ENC GSS_ID_ENCTYPE EOS 483 { 484 if ($2 >= LC_GSSENC_MAX) { 485 yyerror("invalid GSS ID encoding %d", $2); 486 ABORT(); 487 } 488 489 lcconf->gss_id_enc = $2; 490 } 491 ; 492 493 /* logging */ 494 logging_statement 495 : LOGGING log_level EOS 496 ; 497 log_level 498 : LOGLEV 499 { 500 /* 501 * set the loglevel to the value specified 502 * in the configuration file plus the number 503 * of -d options specified on the command line 504 */ 505 loglevel += $1 - oldloglevel; 506 oldloglevel = $1; 507 } 508 ; 509 510 /* padding */ 511 padding_statement 512 : PADDING BOC padding_stmts EOC 513 ; 514 padding_stmts 515 : /* nothing */ 516 | padding_stmts padding_stmt 517 ; 518 padding_stmt 519 : PAD_RANDOMIZE SWITCH { lcconf->pad_random = $2; } EOS 520 | PAD_RANDOMIZELEN SWITCH { lcconf->pad_randomlen = $2; } EOS 521 | PAD_MAXLEN NUMBER { lcconf->pad_maxsize = $2; } EOS 522 | PAD_STRICT SWITCH { lcconf->pad_strict = $2; } EOS 523 | PAD_EXCLTAIL SWITCH { lcconf->pad_excltail = $2; } EOS 524 ; 525 526 /* listen */ 527 listen_statement 528 : LISTEN BOC listen_stmts EOC 529 ; 530 listen_stmts 531 : /* nothing */ 532 | listen_stmts listen_stmt 533 ; 534 listen_stmt 535 : X_ISAKMP ike_addrinfo_port 536 { 537 myaddr_listen($2, FALSE); 538 racoon_free($2); 539 } 540 EOS 541 | X_ISAKMP_NATT ike_addrinfo_port_natt 542 { 543 #ifdef ENABLE_NATT 544 myaddr_listen($2, TRUE); 545 #else 546 547 yywarn(error_message_natt_not_compiled_in); 548 #endif 549 racoon_free($2); 550 } 551 EOS 552 | ADMINSOCK QUOTEDSTRING QUOTEDSTRING QUOTEDSTRING NUMBER 553 { 554 #ifdef ENABLE_ADMINPORT 555 adminsock_conf($2, $3, $4, $5); 556 #else 557 yywarn(error_message_admin_port_not_compiled_in); 558 #endif 559 vfree($2);vfree($3);vfree($4); 560 } 561 EOS 562 | ADMINSOCK QUOTEDSTRING 563 { 564 #ifdef ENABLE_ADMINPORT 565 adminsock_conf($2, NULL, NULL, -1); 566 #else 567 yywarn(error_message_admin_port_not_compiled_in); 568 #endif 569 vfree($2); 570 } 571 EOS 572 | ADMINSOCK DISABLED 573 { 574 #ifdef ENABLE_ADMINPORT 575 adminsock_path = NULL; 576 #else 577 yywarn(error_message_admin_port_not_compiled_in); 578 #endif 579 } 580 EOS 581 | STRICT_ADDRESS { lcconf->strict_address = TRUE; } EOS 582 ; 583 ike_addrinfo_port 584 : ADDRSTRING ike_port 585 { 586 char portbuf[10]; 587 588 snprintf(portbuf, sizeof(portbuf), "%ld", $2); 589 $$ = str2saddr($1->v, portbuf); 590 591 vfree($1); 592 if (!$$) 593 ABORT(); 594 } 595 ; 596 ike_addrinfo_port_natt 597 : ADDRSTRING ike_port_natt 598 { 599 char portbuf[10]; 600 601 snprintf(portbuf, sizeof(portbuf), "%ld", $2); 602 $$ = str2saddr($1->v, portbuf); 603 604 vfree($1); 605 if (!$$) 606 ABORT(); 607 } 608 ; 609 ike_port 610 : /* nothing */ { $$ = lcconf->port_isakmp; } 611 | PORT { $$ = $1; } 612 ; 613 ike_port_natt 614 : /* nothing */ 615 { 616 $$ = lcconf->port_isakmp_natt; 617 } 618 | PORT 619 { 620 $$ = $1; 621 #ifndef ENABLE_NATT 622 yywarn(error_message_natt_not_compiled_in); 623 #endif 624 } 625 ; 626 /* radius configuration */ 627 radcfg_statement 628 : RADCFG { 629 #ifndef ENABLE_HYBRID 630 yyerror(error_message_hybrid_config_not_configured); 631 ABORT(); 632 #endif 633 #ifndef HAVE_LIBRADIUS 634 yyerror("racoon not configured with --with-libradius"); 635 ABORT(); 636 #endif 637 #ifdef ENABLE_HYBRID 638 #ifdef HAVE_LIBRADIUS 639 xauth_rad_config.timeout = 3; 640 xauth_rad_config.retries = 3; 641 #endif 642 #endif 643 } BOC radcfg_stmts EOC 644 ; 645 radcfg_stmts 646 : /* nothing */ 647 | radcfg_stmts radcfg_stmt 648 ; 649 radcfg_stmt 650 : RAD_AUTH QUOTEDSTRING QUOTEDSTRING 651 { 652 #ifdef ENABLE_HYBRID 653 #ifdef HAVE_LIBRADIUS 654 int i = xauth_rad_config.auth_server_count; 655 if (i == RADIUS_MAX_SERVERS) { 656 yyerror("maximum radius auth servers exceeded"); 657 ABORT_AND_VFREE2($2, $3); 658 } 659 660 xauth_rad_config.auth_server_list[i].host = vdup($2); 661 xauth_rad_config.auth_server_list[i].secret = vdup($3); 662 xauth_rad_config.auth_server_list[i].port = 0; /* default port */ 663 xauth_rad_config.auth_server_count++; 664 #endif 665 #endif 666 vfree($2); vfree($3); 667 } 668 EOS 669 | RAD_AUTH QUOTEDSTRING NUMBER QUOTEDSTRING 670 { 671 #ifdef ENABLE_HYBRID 672 #ifdef HAVE_LIBRADIUS 673 int i = xauth_rad_config.auth_server_count; 674 if (i == RADIUS_MAX_SERVERS) { 675 yyerror("maximum radius auth servers exceeded"); 676 ABORT_AND_VFREE2($2, $4); 677 } 678 679 xauth_rad_config.auth_server_list[i].host = vdup($2); 680 xauth_rad_config.auth_server_list[i].secret = vdup($4); 681 xauth_rad_config.auth_server_list[i].port = $3; 682 xauth_rad_config.auth_server_count++; 683 #endif 684 #endif 685 vfree($2); vfree($4); 686 } 687 EOS 688 | RAD_ACCT QUOTEDSTRING QUOTEDSTRING 689 { 690 #ifdef ENABLE_HYBRID 691 #ifdef HAVE_LIBRADIUS 692 int i = xauth_rad_config.acct_server_count; 693 if (i == RADIUS_MAX_SERVERS) { 694 yyerror("maximum radius account servers exceeded"); 695 ABORT_AND_VFREE2($2, $3); 696 } 697 698 xauth_rad_config.acct_server_list[i].host = vdup($2); 699 xauth_rad_config.acct_server_list[i].secret = vdup($3); 700 xauth_rad_config.acct_server_list[i].port = 0; /* default port */ 701 xauth_rad_config.acct_server_count++; 702 #endif 703 #endif 704 vfree($2); vfree($3); 705 } 706 EOS 707 | RAD_ACCT QUOTEDSTRING NUMBER QUOTEDSTRING 708 { 709 #ifdef ENABLE_HYBRID 710 #ifdef HAVE_LIBRADIUS 711 int i = xauth_rad_config.acct_server_count; 712 if (i == RADIUS_MAX_SERVERS) { 713 yyerror("maximum radius account servers exceeded"); 714 ABORT_AND_VFREE2($2, $4); 715 } 716 717 xauth_rad_config.acct_server_list[i].host = vdup($2); 718 xauth_rad_config.acct_server_list[i].secret = vdup($4); 719 xauth_rad_config.acct_server_list[i].port = $3; 720 xauth_rad_config.acct_server_count++; 721 #endif 722 #endif 723 vfree($2); vfree($4); 724 } 725 EOS 726 | RAD_TIMEOUT NUMBER 727 { 728 #ifdef ENABLE_HYBRID 729 #ifdef HAVE_LIBRADIUS 730 xauth_rad_config.timeout = $2; 731 #endif 732 #endif 733 } 734 EOS 735 | RAD_RETRIES NUMBER 736 { 737 #ifdef ENABLE_HYBRID 738 #ifdef HAVE_LIBRADIUS 739 xauth_rad_config.retries = $2; 740 #endif 741 #endif 742 } 743 EOS 744 ; 745 746 /* ldap configuration */ 747 ldapcfg_statement 748 : LDAPCFG { 749 #ifndef ENABLE_HYBRID 750 yyerror(error_message_hybrid_config_not_configured); 751 ABORT(); 752 #endif 753 #ifndef HAVE_LIBLDAP 754 yyerror(error_message_ldap_config_not_configured); 755 ABORT(); 756 #endif 757 } BOC ldapcfg_stmts EOC 758 ; 759 ldapcfg_stmts 760 : /* nothing */ 761 | ldapcfg_stmts ldapcfg_stmt 762 ; 763 ldapcfg_stmt 764 : LDAP_PVER NUMBER 765 { 766 #ifdef ENABLE_HYBRID 767 #ifdef HAVE_LIBLDAP 768 if (($2<2)||($2>3)) 769 yywarn("invalid ldap protocol version (2|3)"); 770 771 xauth_ldap_config.pver = $2; 772 #endif 773 #endif 774 } 775 EOS 776 | LDAP_HOST QUOTEDSTRING 777 { 778 #ifdef ENABLE_HYBRID 779 #ifdef HAVE_LIBLDAP 780 if (xauth_ldap_config.host != NULL) 781 vfree(xauth_ldap_config.host); 782 783 xauth_ldap_config.host = vdup($2); 784 #endif 785 #endif 786 vfree($2); 787 } 788 EOS 789 | LDAP_PORT NUMBER 790 { 791 #ifdef ENABLE_HYBRID 792 #ifdef HAVE_LIBLDAP 793 xauth_ldap_config.port = $2; 794 #endif 795 #endif 796 } 797 EOS 798 | LDAP_TLS SWITCH 799 { 800 #ifdef ENABLE_HYBRID 801 #ifdef HAVE_LIBLDAP 802 xauth_ldap_config.tls = $2; 803 #endif 804 #endif 805 } 806 EOS 807 | LDAP_BASE QUOTEDSTRING 808 { 809 #ifdef ENABLE_HYBRID 810 #ifdef HAVE_LIBLDAP 811 if (xauth_ldap_config.base != NULL) 812 vfree(xauth_ldap_config.base); 813 814 xauth_ldap_config.base = vdup($2); 815 #endif 816 #endif 817 vfree($2); 818 } 819 EOS 820 | LDAP_SUBTREE SWITCH 821 { 822 #ifdef ENABLE_HYBRID 823 #ifdef HAVE_LIBLDAP 824 xauth_ldap_config.subtree = $2; 825 #endif 826 #endif 827 } 828 EOS 829 | LDAP_BIND_DN QUOTEDSTRING 830 { 831 #ifdef ENABLE_HYBRID 832 #ifdef HAVE_LIBLDAP 833 if (xauth_ldap_config.bind_dn != NULL) 834 vfree(xauth_ldap_config.bind_dn); 835 836 xauth_ldap_config.bind_dn = vdup($2); 837 #endif 838 #endif 839 vfree($2); 840 } 841 EOS 842 | LDAP_BIND_PW QUOTEDSTRING 843 { 844 #ifdef ENABLE_HYBRID 845 #ifdef HAVE_LIBLDAP 846 if (xauth_ldap_config.bind_pw != NULL) 847 vfree(xauth_ldap_config.bind_pw); 848 849 xauth_ldap_config.bind_pw = vdup($2); 850 #endif 851 #endif 852 vfree($2); 853 } 854 EOS 855 | LDAP_ATTR_USER QUOTEDSTRING 856 { 857 #ifdef ENABLE_HYBRID 858 #ifdef HAVE_LIBLDAP 859 if (xauth_ldap_config.attr_user != NULL) 860 vfree(xauth_ldap_config.attr_user); 861 862 xauth_ldap_config.attr_user = vdup($2); 863 #endif 864 #endif 865 vfree($2); 866 } 867 EOS 868 | LDAP_ATTR_ADDR QUOTEDSTRING 869 { 870 #ifdef ENABLE_HYBRID 871 #ifdef HAVE_LIBLDAP 872 if (xauth_ldap_config.attr_addr != NULL) 873 vfree(xauth_ldap_config.attr_addr); 874 875 xauth_ldap_config.attr_addr = vdup($2); 876 #endif 877 #endif 878 vfree($2); 879 } 880 EOS 881 | LDAP_ATTR_MASK QUOTEDSTRING 882 { 883 #ifdef ENABLE_HYBRID 884 #ifdef HAVE_LIBLDAP 885 if (xauth_ldap_config.attr_mask != NULL) 886 vfree(xauth_ldap_config.attr_mask); 887 888 xauth_ldap_config.attr_mask = vdup($2); 889 #endif 890 #endif 891 vfree($2); 892 } 893 EOS 894 | LDAP_ATTR_GROUP QUOTEDSTRING 895 { 896 #ifdef ENABLE_HYBRID 897 #ifdef HAVE_LIBLDAP 898 if (xauth_ldap_config.attr_group != NULL) 899 vfree(xauth_ldap_config.attr_group); 900 901 xauth_ldap_config.attr_group = vdup($2); 902 #endif 903 #endif 904 vfree($2); 905 } 906 EOS 907 | LDAP_ATTR_MEMBER QUOTEDSTRING 908 { 909 #ifdef ENABLE_HYBRID 910 #ifdef HAVE_LIBLDAP 911 if (xauth_ldap_config.attr_member != NULL) 912 vfree(xauth_ldap_config.attr_member); 913 914 xauth_ldap_config.attr_member = vdup($2); 915 #endif 916 #endif 917 vfree($2); 918 } 919 EOS 920 ; 921 922 /* modecfg */ 923 modecfg_statement 924 : MODECFG BOC modecfg_stmts EOC 925 ; 926 modecfg_stmts 927 : /* nothing */ 928 | modecfg_stmts modecfg_stmt 929 ; 930 modecfg_stmt 931 : CFG_NET4 ADDRSTRING 932 { 933 #ifdef ENABLE_HYBRID 934 if (inet_pton(AF_INET, $2->v, 935 &isakmp_cfg_config.network4) != 1) 936 yyerror("bad IPv4 network address."); 937 #else 938 yywarn(error_message_hybrid_config_not_configured); 939 #endif 940 vfree($2); 941 } 942 EOS 943 | CFG_MASK4 ADDRSTRING 944 { 945 #ifdef ENABLE_HYBRID 946 if (inet_pton(AF_INET, $2->v, 947 &isakmp_cfg_config.netmask4) != 1) 948 yyerror("bad IPv4 netmask address."); 949 #else 950 yywarn(error_message_hybrid_config_not_configured); 951 #endif 952 vfree($2); 953 } 954 EOS 955 | CFG_DNS4 addrdnslist 956 EOS 957 | CFG_NBNS4 addrwinslist 958 EOS 959 | CFG_SPLIT_NETWORK CFG_SPLIT_LOCAL splitnetlist 960 { 961 #ifdef ENABLE_HYBRID 962 isakmp_cfg_config.splitnet_type = UNITY_LOCAL_LAN; 963 #else 964 yywarn(error_message_hybrid_config_not_configured); 965 #endif 966 } 967 EOS 968 | CFG_SPLIT_NETWORK CFG_SPLIT_INCLUDE splitnetlist 969 { 970 #ifdef ENABLE_HYBRID 971 isakmp_cfg_config.splitnet_type = UNITY_SPLIT_INCLUDE; 972 #else 973 yywarn(error_message_hybrid_config_not_configured); 974 #endif 975 } 976 EOS 977 | CFG_SPLIT_DNS splitdnslist 978 { 979 #ifndef ENABLE_HYBRID 980 yywarn(error_message_hybrid_config_not_configured); 981 #endif 982 } 983 EOS 984 | CFG_DEFAULT_DOMAIN QUOTEDSTRING 985 { 986 #ifdef ENABLE_HYBRID 987 strncpy(&isakmp_cfg_config.default_domain[0], 988 $2->v, MAXPATHLEN); 989 isakmp_cfg_config.default_domain[MAXPATHLEN] = '\0'; 990 #else 991 yyerror(error_message_hybrid_config_not_configured); 992 #endif 993 vfree($2); 994 } 995 EOS 996 | CFG_AUTH_SOURCE CFG_SYSTEM 997 { 998 #ifdef ENABLE_HYBRID 999 isakmp_cfg_config.authsource = ISAKMP_CFG_AUTH_SYSTEM; 1000 #else 1001 yywarn(error_message_hybrid_config_not_configured); 1002 #endif 1003 } 1004 EOS 1005 | CFG_AUTH_SOURCE CFG_RADIUS 1006 { 1007 #ifdef ENABLE_HYBRID 1008 #ifdef HAVE_LIBRADIUS 1009 isakmp_cfg_config.authsource = ISAKMP_CFG_AUTH_RADIUS; 1010 #else /* HAVE_LIBRADIUS */ 1011 yyerror("racoon not configured with --with-libradius"); 1012 #endif /* HAVE_LIBRADIUS */ 1013 #else /* ENABLE_HYBRID */ 1014 yywarn(error_message_hybrid_config_not_configured); 1015 #endif /* ENABLE_HYBRID */ 1016 } 1017 EOS 1018 | CFG_AUTH_SOURCE CFG_PAM 1019 { 1020 #ifdef ENABLE_HYBRID 1021 #ifdef HAVE_LIBPAM 1022 isakmp_cfg_config.authsource = ISAKMP_CFG_AUTH_PAM; 1023 #else /* HAVE_LIBPAM */ 1024 yyerror("racoon not configured with --with-libpam"); 1025 #endif /* HAVE_LIBPAM */ 1026 #else /* ENABLE_HYBRID */ 1027 yywarn(error_message_hybrid_config_not_configured); 1028 #endif /* ENABLE_HYBRID */ 1029 } 1030 EOS 1031 | CFG_AUTH_SOURCE CFG_LDAP 1032 { 1033 #ifdef ENABLE_HYBRID 1034 #ifdef HAVE_LIBLDAP 1035 isakmp_cfg_config.authsource = ISAKMP_CFG_AUTH_LDAP; 1036 #else /* HAVE_LIBLDAP */ 1037 yywarn(error_message_ldap_config_not_configured); 1038 #endif /* HAVE_LIBLDAP */ 1039 #else /* ENABLE_HYBRID */ 1040 yywarn(error_message_hybrid_config_not_configured); 1041 #endif /* ENABLE_HYBRID */ 1042 } 1043 EOS 1044 | CFG_AUTH_GROUPS authgrouplist 1045 { 1046 #ifndef ENABLE_HYBRID 1047 yywarn(error_message_hybrid_config_not_configured); 1048 #endif 1049 } 1050 EOS 1051 | CFG_GROUP_SOURCE CFG_SYSTEM 1052 { 1053 #ifdef ENABLE_HYBRID 1054 isakmp_cfg_config.groupsource = ISAKMP_CFG_GROUP_SYSTEM; 1055 #else 1056 yywarn(error_message_hybrid_config_not_configured); 1057 #endif 1058 } 1059 EOS 1060 | CFG_GROUP_SOURCE CFG_LDAP 1061 { 1062 #ifdef ENABLE_HYBRID 1063 #ifdef HAVE_LIBLDAP 1064 isakmp_cfg_config.groupsource = ISAKMP_CFG_GROUP_LDAP; 1065 #else /* HAVE_LIBLDAP */ 1066 yywarn(error_message_ldap_config_not_configured); 1067 #endif /* HAVE_LIBLDAP */ 1068 #else /* ENABLE_HYBRID */ 1069 yywarn(error_message_hybrid_config_not_configured); 1070 #endif /* ENABLE_HYBRID */ 1071 } 1072 EOS 1073 | CFG_ACCOUNTING CFG_NONE 1074 { 1075 #ifdef ENABLE_HYBRID 1076 isakmp_cfg_config.accounting = ISAKMP_CFG_ACCT_NONE; 1077 #else 1078 yywarn(error_message_hybrid_config_not_configured); 1079 #endif 1080 } 1081 EOS 1082 | CFG_ACCOUNTING CFG_SYSTEM 1083 { 1084 #ifdef ENABLE_HYBRID 1085 isakmp_cfg_config.accounting = ISAKMP_CFG_ACCT_SYSTEM; 1086 #else 1087 yywarn(error_message_hybrid_config_not_configured); 1088 #endif 1089 } 1090 EOS 1091 | CFG_ACCOUNTING CFG_RADIUS 1092 { 1093 #ifdef ENABLE_HYBRID 1094 #ifdef HAVE_LIBRADIUS 1095 isakmp_cfg_config.accounting = ISAKMP_CFG_ACCT_RADIUS; 1096 #else /* HAVE_LIBRADIUS */ 1097 yyerror("racoon not configured with --with-libradius"); 1098 #endif /* HAVE_LIBRADIUS */ 1099 #else /* ENABLE_HYBRID */ 1100 yywarn(error_message_hybrid_config_not_configured); 1101 #endif /* ENABLE_HYBRID */ 1102 } 1103 EOS 1104 | CFG_ACCOUNTING CFG_PAM 1105 { 1106 #ifdef ENABLE_HYBRID 1107 #ifdef HAVE_LIBPAM 1108 isakmp_cfg_config.accounting = ISAKMP_CFG_ACCT_PAM; 1109 #else /* HAVE_LIBPAM */ 1110 yyerror("racoon not configured with --with-libpam"); 1111 #endif /* HAVE_LIBPAM */ 1112 #else /* ENABLE_HYBRID */ 1113 yywarn(error_message_hybrid_config_not_configured); 1114 #endif /* ENABLE_HYBRID */ 1115 } 1116 EOS 1117 | CFG_POOL_SIZE NUMBER 1118 { 1119 #ifdef ENABLE_HYBRID 1120 if (isakmp_cfg_resize_pool($2) != 0) 1121 yyerror("cannot allocate memory for pool"); 1122 #else /* ENABLE_HYBRID */ 1123 yywarn(error_message_hybrid_config_not_configured); 1124 #endif /* ENABLE_HYBRID */ 1125 } 1126 EOS 1127 | CFG_PFS_GROUP NUMBER 1128 { 1129 #ifdef ENABLE_HYBRID 1130 isakmp_cfg_config.pfs_group = $2; 1131 #else /* ENABLE_HYBRID */ 1132 yywarn(error_message_hybrid_config_not_configured); 1133 #endif /* ENABLE_HYBRID */ 1134 } 1135 EOS 1136 | CFG_SAVE_PASSWD SWITCH 1137 { 1138 #ifdef ENABLE_HYBRID 1139 isakmp_cfg_config.save_passwd = $2; 1140 #else /* ENABLE_HYBRID */ 1141 yywarn(error_message_hybrid_config_not_configured); 1142 #endif /* ENABLE_HYBRID */ 1143 } 1144 EOS 1145 | CFG_AUTH_THROTTLE NUMBER 1146 { 1147 #ifdef ENABLE_HYBRID 1148 isakmp_cfg_config.auth_throttle = $2; 1149 #else /* ENABLE_HYBRID */ 1150 yywarn(error_message_hybrid_config_not_configured); 1151 #endif /* ENABLE_HYBRID */ 1152 } 1153 EOS 1154 | CFG_CONF_SOURCE CFG_LOCAL 1155 { 1156 #ifdef ENABLE_HYBRID 1157 isakmp_cfg_config.confsource = ISAKMP_CFG_CONF_LOCAL; 1158 #else /* ENABLE_HYBRID */ 1159 yywarn(error_message_hybrid_config_not_configured); 1160 #endif /* ENABLE_HYBRID */ 1161 } 1162 EOS 1163 | CFG_CONF_SOURCE CFG_RADIUS 1164 { 1165 #ifdef ENABLE_HYBRID 1166 #ifdef HAVE_LIBRADIUS 1167 isakmp_cfg_config.confsource = ISAKMP_CFG_CONF_RADIUS; 1168 #else /* HAVE_LIBRADIUS */ 1169 yyerror("racoon not configured with --with-libradius"); 1170 #endif /* HAVE_LIBRADIUS */ 1171 #else /* ENABLE_HYBRID */ 1172 yywarn(error_message_hybrid_config_not_configured); 1173 #endif /* ENABLE_HYBRID */ 1174 } 1175 EOS 1176 | CFG_CONF_SOURCE CFG_LDAP 1177 { 1178 #ifdef ENABLE_HYBRID 1179 #ifdef HAVE_LIBLDAP 1180 isakmp_cfg_config.confsource = ISAKMP_CFG_CONF_LDAP; 1181 #else /* HAVE_LIBLDAP */ 1182 yywarn(error_message_ldap_config_not_configured); 1183 #endif /* HAVE_LIBLDAP */ 1184 #else /* ENABLE_HYBRID */ 1185 yywarn(error_message_hybrid_config_not_configured); 1186 #endif /* ENABLE_HYBRID */ 1187 } 1188 EOS 1189 | CFG_MOTD QUOTEDSTRING 1190 { 1191 #ifdef ENABLE_HYBRID 1192 strncpy(&isakmp_cfg_config.motd[0], $2->v, MAXPATHLEN); 1193 isakmp_cfg_config.motd[MAXPATHLEN] = '\0'; 1194 #else 1195 yywarn(error_message_hybrid_config_not_configured); 1196 #endif 1197 vfree($2); 1198 } 1199 EOS 1200 ; 1201 1202 addrdnslist 1203 : addrdns 1204 | addrdns COMMA addrdnslist 1205 ; 1206 addrdns 1207 : ADDRSTRING 1208 { 1209 #ifdef ENABLE_HYBRID 1210 struct isakmp_cfg_config *icc = &isakmp_cfg_config; 1211 1212 if (icc->dns4_index > MAXNS) 1213 yyerror("No more than %d DNS", MAXNS); 1214 if (inet_pton(AF_INET, $1->v, 1215 &icc->dns4[icc->dns4_index++]) != 1) 1216 yyerror("bad IPv4 DNS address."); 1217 #else 1218 yywarn(error_message_hybrid_config_not_configured); 1219 #endif 1220 vfree($1); 1221 } 1222 ; 1223 1224 addrwinslist 1225 : addrwins 1226 | addrwins COMMA addrwinslist 1227 ; 1228 addrwins 1229 : ADDRSTRING 1230 { 1231 #ifdef ENABLE_HYBRID 1232 struct isakmp_cfg_config *icc = &isakmp_cfg_config; 1233 1234 if (icc->nbns4_index > MAXWINS) 1235 yyerror("No more than %d WINS", MAXWINS); 1236 if (inet_pton(AF_INET, $1->v, 1237 &icc->nbns4[icc->nbns4_index++]) != 1) 1238 yyerror("bad IPv4 WINS address."); 1239 #else 1240 yywarn(error_message_hybrid_config_not_configured); 1241 #endif 1242 vfree($1); 1243 } 1244 ; 1245 1246 splitnetlist 1247 : splitnet 1248 | splitnetlist COMMA splitnet 1249 ; 1250 splitnet 1251 : ADDRSTRING PREFIX 1252 { 1253 #ifdef ENABLE_HYBRID 1254 struct isakmp_cfg_config *icc = &isakmp_cfg_config; 1255 struct unity_network network; 1256 memset(&network,0,sizeof(network)); 1257 1258 if (inet_pton(AF_INET, $1->v, &network.addr4) != 1) 1259 yyerror("bad IPv4 SPLIT address."); 1260 1261 /* Turn $2 (the prefix) into a subnet mask */ 1262 network.mask4.s_addr = ($2) ? htonl(~((1 << (32 - $2)) - 1)) : 0; 1263 1264 /* add the network to our list */ 1265 if (splitnet_list_add(&icc->splitnet_list, &network,&icc->splitnet_count)) 1266 yyerror("Unable to allocate split network"); 1267 #else 1268 yywarn(error_message_hybrid_config_not_configured); 1269 #endif 1270 vfree($1); 1271 } 1272 ; 1273 1274 authgrouplist 1275 : authgroup 1276 | authgroup COMMA authgrouplist 1277 ; 1278 authgroup 1279 : QUOTEDSTRING 1280 { 1281 #ifdef ENABLE_HYBRID 1282 char * groupname = NULL; 1283 char ** grouplist = NULL; 1284 struct isakmp_cfg_config *icc = &isakmp_cfg_config; 1285 1286 grouplist = racoon_realloc(icc->grouplist, 1287 sizeof(char**)*(icc->groupcount+1)); 1288 if (grouplist == NULL) { 1289 yyerror("unable to allocate auth group list"); 1290 ABORT_AND_VFREE($1); 1291 } 1292 1293 1294 groupname = racoon_malloc($1->l+1); 1295 if (groupname == NULL) { 1296 yyerror("unable to allocate auth group name"); 1297 ABORT_AND_VFREE($1); 1298 } 1299 1300 memcpy(groupname,$1->v,$1->l); 1301 groupname[$1->l]=0; 1302 grouplist[icc->groupcount]=groupname; 1303 icc->grouplist = grouplist; 1304 icc->groupcount++; 1305 1306 #else 1307 yywarn(error_message_hybrid_config_not_configured); 1308 #endif 1309 vfree($1); 1310 } 1311 ; 1312 1313 splitdnslist 1314 : splitdns 1315 | splitdns COMMA splitdnslist 1316 ; 1317 splitdns 1318 : QUOTEDSTRING 1319 { 1320 #ifdef ENABLE_HYBRID 1321 struct isakmp_cfg_config *icc = &isakmp_cfg_config; 1322 1323 if (!icc->splitdns_len) 1324 { 1325 icc->splitdns_list = racoon_malloc($1->l); 1326 if (icc->splitdns_list == NULL) { 1327 yyerror("error allocating splitdns list buffer"); 1328 ABORT_AND_VFREE($1); 1329 } 1330 1331 memcpy(icc->splitdns_list,$1->v,$1->l); 1332 icc->splitdns_len = $1->l; 1333 } 1334 else 1335 { 1336 int len = icc->splitdns_len + $1->l + 1; 1337 icc->splitdns_list = racoon_realloc(icc->splitdns_list,len); 1338 if (icc->splitdns_list == NULL) { 1339 yyerror("error allocating splitdns list buffer"); 1340 ABORT_AND_VFREE($1); 1341 } 1342 1343 icc->splitdns_list[icc->splitdns_len] = ','; 1344 memcpy(icc->splitdns_list + icc->splitdns_len + 1, $1->v, $1->l); 1345 icc->splitdns_len = len; 1346 } 1347 #else 1348 yywarn(error_message_hybrid_config_not_configured); 1349 #endif 1350 vfree($1); 1351 } 1352 ; 1353 1354 1355 /* timer */ 1356 timer_statement 1357 : RETRY BOC timer_stmts EOC 1358 ; 1359 timer_stmts 1360 : /* nothing */ 1361 | timer_stmts timer_stmt 1362 ; 1363 timer_stmt 1364 : RETRY_COUNTER NUMBER 1365 { 1366 lcconf->retry_counter = $2; 1367 } 1368 EOS 1369 | RETRY_INTERVAL NUMBER unittype_time 1370 { 1371 lcconf->retry_interval = $2 * $3; 1372 } 1373 EOS 1374 | RETRY_PERSEND NUMBER 1375 { 1376 lcconf->count_persend = $2; 1377 } 1378 EOS 1379 | RETRY_PHASE1 NUMBER unittype_time 1380 { 1381 lcconf->retry_checkph1 = $2 * $3; 1382 } 1383 EOS 1384 | RETRY_PHASE2 NUMBER unittype_time 1385 { 1386 lcconf->wait_ph2complete = $2 * $3; 1387 } 1388 EOS 1389 | NATT_KA NUMBER unittype_time 1390 { 1391 #ifdef ENABLE_NATT 1392 if (libipsec_opt & LIBIPSEC_OPT_NATT) 1393 lcconf->natt_ka_interval = $2 * $3; 1394 else 1395 yyerror("libipsec lacks NAT-T support"); 1396 #else 1397 yyerror(error_message_natt_not_compiled_in); 1398 #endif 1399 } 1400 EOS 1401 ; 1402 1403 /* sainfo */ 1404 sainfo_statement 1405 : SAINFO 1406 { 1407 delsainfo(cur_sainfo); 1408 cur_sainfo = newsainfo(); 1409 if (cur_sainfo == NULL) { 1410 yyerror("failed to allocate sainfo"); 1411 ABORT(); 1412 } 1413 1414 } 1415 sainfo_name sainfo_param BOC sainfo_specs 1416 { 1417 struct sainfo *check; 1418 1419 /* default */ 1420 if (cur_sainfo->algs[algclass_ipsec_enc] == 0) { 1421 yyerror("no encryption algorithm at %s", 1422 sainfo2str(cur_sainfo)); 1423 return -1; 1424 } 1425 if (cur_sainfo->algs[algclass_ipsec_auth] == 0) { 1426 yyerror("no authentication algorithm at %s", 1427 sainfo2str(cur_sainfo)); 1428 return -1; 1429 } 1430 if (cur_sainfo->algs[algclass_ipsec_comp] == 0) { 1431 yyerror("no compression algorithm at %s", 1432 sainfo2str(cur_sainfo)); 1433 return -1; 1434 } 1435 1436 /* duplicate check */ 1437 check = getsainfo(cur_sainfo->idsrc, 1438 cur_sainfo->iddst, 1439 cur_sainfo->id_i, 1440 NULL, 1441 cur_sainfo->remoteid); 1442 1443 if (check && ((check->idsrc != SAINFO_ANONYMOUS) && 1444 (cur_sainfo->idsrc != SAINFO_ANONYMOUS))) { 1445 yyerror("duplicated sainfo: %s", 1446 sainfo2str(cur_sainfo)); 1447 return -1; 1448 } 1449 1450 inssainfo(cur_sainfo); 1451 cur_sainfo = NULL; 1452 } 1453 EOC 1454 ; 1455 sainfo_name 1456 : ANONYMOUS 1457 { 1458 cur_sainfo->idsrc = SAINFO_ANONYMOUS; 1459 cur_sainfo->iddst = SAINFO_ANONYMOUS; 1460 } 1461 | ANONYMOUS CLIENTADDR 1462 { 1463 cur_sainfo->idsrc = SAINFO_ANONYMOUS; 1464 cur_sainfo->iddst = SAINFO_CLIENTADDR; 1465 } 1466 | ANONYMOUS sainfo_id 1467 { 1468 cur_sainfo->idsrc = SAINFO_ANONYMOUS; 1469 cur_sainfo->iddst = $2; 1470 } 1471 | sainfo_id ANONYMOUS 1472 { 1473 cur_sainfo->idsrc = $1; 1474 cur_sainfo->iddst = SAINFO_ANONYMOUS; 1475 } 1476 | sainfo_id CLIENTADDR 1477 { 1478 cur_sainfo->idsrc = $1; 1479 cur_sainfo->iddst = SAINFO_CLIENTADDR; 1480 } 1481 | sainfo_id sainfo_id 1482 { 1483 cur_sainfo->idsrc = $1; 1484 cur_sainfo->iddst = $2; 1485 } 1486 ; 1487 sainfo_id 1488 : IDENTIFIERTYPE ADDRSTRING prefix port ul_proto 1489 { 1490 char portbuf[10]; 1491 struct sockaddr *saddr; 1492 1493 switch ($5) { 1494 case IPPROTO_ICMP: 1495 case IPPROTO_ICMPV6: 1496 if ($4 == IPSEC_PORT_ANY) 1497 break; 1498 yyerror("port must be \"any\" for icmp{,6}."); 1499 return -1; 1500 default: 1501 break; 1502 } 1503 1504 snprintf(portbuf, sizeof(portbuf), "%lu", $4); 1505 saddr = str2saddr($2->v, portbuf); 1506 vfree($2); 1507 if (saddr == NULL) 1508 return -1; 1509 1510 switch (saddr->sa_family) { 1511 case AF_INET: 1512 if ($5 == IPPROTO_ICMPV6) { 1513 yyerror("upper layer protocol mismatched.\n"); 1514 racoon_free(saddr); 1515 return -1; 1516 } 1517 $$ = ipsecdoi_sockaddr2id(saddr, 1518 $3 == ~0 ? (sizeof(struct in_addr) << 3): $3, 1519 $5); 1520 break; 1521 #ifdef INET6 1522 case AF_INET6: 1523 if ($5 == IPPROTO_ICMP) { 1524 yyerror("upper layer protocol mismatched.\n"); 1525 racoon_free(saddr); 1526 return -1; 1527 } 1528 $$ = ipsecdoi_sockaddr2id(saddr, 1529 $3 == ~0 ? (sizeof(struct in6_addr) << 3): $3, 1530 $5); 1531 break; 1532 #endif 1533 default: 1534 yyerror("invalid family: %d", saddr->sa_family); 1535 $$ = NULL; 1536 break; 1537 } 1538 racoon_free(saddr); 1539 if ($$ == NULL) 1540 return -1; 1541 } 1542 | IDENTIFIERTYPE ADDRSTRING ADDRRANGE prefix port ul_proto 1543 { 1544 char portbuf[10]; 1545 struct sockaddr *laddr = NULL, *haddr = NULL; 1546 char *cur = NULL; 1547 1548 if (($6 == IPPROTO_ICMP || $6 == IPPROTO_ICMPV6) 1549 && ($5 != IPSEC_PORT_ANY || $5 != IPSEC_PORT_ANY)) { 1550 yyerror("port number must be \"any\"."); 1551 return -1; 1552 } 1553 1554 snprintf(portbuf, sizeof(portbuf), "%lu", $5); 1555 1556 laddr = str2saddr($2->v, portbuf); 1557 if (laddr == NULL) { 1558 return -1; 1559 } 1560 vfree($2); 1561 haddr = str2saddr($3->v, portbuf); 1562 if (haddr == NULL) { 1563 racoon_free(laddr); 1564 return -1; 1565 } 1566 vfree($3); 1567 1568 switch (laddr->sa_family) { 1569 case AF_INET: 1570 if ($6 == IPPROTO_ICMPV6) { 1571 yyerror("upper layer protocol mismatched.\n"); 1572 if (laddr) 1573 racoon_free(laddr); 1574 if (haddr) 1575 racoon_free(haddr); 1576 return -1; 1577 } 1578 $$ = ipsecdoi_sockrange2id(laddr, haddr, 1579 $6); 1580 break; 1581 #ifdef INET6 1582 case AF_INET6: 1583 if ($6 == IPPROTO_ICMP) { 1584 yyerror("upper layer protocol mismatched.\n"); 1585 if (laddr) 1586 racoon_free(laddr); 1587 if (haddr) 1588 racoon_free(haddr); 1589 return -1; 1590 } 1591 $$ = ipsecdoi_sockrange2id(laddr, haddr, 1592 $6); 1593 break; 1594 #endif 1595 default: 1596 yyerror("invalid family: %d", laddr->sa_family); 1597 $$ = NULL; 1598 break; 1599 } 1600 if (laddr) 1601 racoon_free(laddr); 1602 if (haddr) 1603 racoon_free(haddr); 1604 if ($$ == NULL) 1605 return -1; 1606 } 1607 | IDENTIFIERTYPE QUOTEDSTRING 1608 { 1609 struct ipsecdoi_id_b *id_b; 1610 1611 if ($1 == IDTYPE_ASN1DN) { 1612 yyerror("id type forbidden: %d", $1); 1613 $$ = NULL; 1614 return -1; 1615 } 1616 1617 $2->l--; 1618 1619 $$ = vmalloc(sizeof(*id_b) + $2->l); 1620 if ($$ == NULL) { 1621 yyerror("failed to allocate identifier"); 1622 return -1; 1623 } 1624 1625 id_b = (struct ipsecdoi_id_b *)$$->v; 1626 id_b->type = idtype2doi($1); 1627 1628 id_b->proto_id = 0; 1629 id_b->port = 0; 1630 1631 memcpy($$->v + sizeof(*id_b), $2->v, $2->l); 1632 } 1633 ; 1634 sainfo_param 1635 : /* nothing */ 1636 { 1637 cur_sainfo->id_i = NULL; 1638 } 1639 | FROM IDENTIFIERTYPE identifierstring 1640 { 1641 struct ipsecdoi_id_b *id_b; 1642 vchar_t *idv; 1643 1644 if (set_identifier(&idv, $2, $3) != 0) { 1645 yyerror("failed to set identifer.\n"); 1646 return -1; 1647 } 1648 cur_sainfo->id_i = vmalloc(sizeof(*id_b) + idv->l); 1649 if (cur_sainfo->id_i == NULL) { 1650 yyerror("failed to allocate identifier"); 1651 return -1; 1652 } 1653 1654 id_b = (struct ipsecdoi_id_b *)cur_sainfo->id_i->v; 1655 id_b->type = idtype2doi($2); 1656 1657 id_b->proto_id = 0; 1658 id_b->port = 0; 1659 1660 memcpy(cur_sainfo->id_i->v + sizeof(*id_b), 1661 idv->v, idv->l); 1662 vfree(idv); 1663 } 1664 | GROUP QUOTEDSTRING 1665 { 1666 #ifdef ENABLE_HYBRID 1667 if ((cur_sainfo->group = vdup($2)) == NULL) { 1668 yyerror("failed to set sainfo xauth group.\n"); 1669 return -1; 1670 } 1671 #else 1672 yywarn(error_message_hybrid_config_not_configured); 1673 ABORT_AND_VFREE($2); 1674 #endif 1675 } 1676 ; 1677 sainfo_specs 1678 : /* nothing */ 1679 | sainfo_specs sainfo_spec 1680 ; 1681 sainfo_spec 1682 : PFS_GROUP dh_group_num 1683 { 1684 cur_sainfo->pfs_group = $2; 1685 } 1686 EOS 1687 | REMOTEID NUMBER 1688 { 1689 cur_sainfo->remoteid = $2; 1690 } 1691 EOS 1692 | LIFETIME LIFETYPE_TIME NUMBER unittype_time 1693 { 1694 cur_sainfo->lifetime = $3 * $4; 1695 } 1696 EOS 1697 | LIFETIME LIFETYPE_BYTE NUMBER unittype_byte 1698 { 1699 #if 1 1700 yyerror("byte lifetime support is deprecated"); 1701 ABORT(); 1702 #else 1703 cur_sainfo->lifebyte = fix_lifebyte($3 * $4); 1704 if (cur_sainfo->lifebyte == 0) 1705 ABORT(); 1706 #endif 1707 } 1708 EOS 1709 | ALGORITHM_CLASS { 1710 cur_algclass = $1; 1711 } 1712 algorithms EOS 1713 ; 1714 1715 algorithms 1716 : algorithm 1717 { 1718 inssainfoalg(&cur_sainfo->algs[cur_algclass], $1); 1719 } 1720 | algorithm 1721 { 1722 inssainfoalg(&cur_sainfo->algs[cur_algclass], $1); 1723 } 1724 COMMA algorithms 1725 ; 1726 algorithm 1727 : ALGORITHMTYPE keylength 1728 { 1729 int defklen; 1730 int encklen_tmp; 1731 1732 $$ = newsainfoalg(); 1733 if ($$ == NULL) { 1734 yyerror("failed to get algorithm allocation"); 1735 ABORT(); 1736 } 1737 1738 $$->alg = algtype2doi(cur_algclass, $1); 1739 if ($$->alg == -1) { 1740 yyerror("algorithm mismatched"); 1741 ABORT_AND_RACOON_FREE($$); 1742 } 1743 1744 defklen = default_keylen(cur_algclass, $1); 1745 if (defklen == 0) { 1746 if ($2) { 1747 yyerror("keylen not allowed"); 1748 ABORT_AND_RACOON_FREE($$); 1749 } 1750 1751 } else { 1752 if ($2 && check_keylen(cur_algclass, $1, $2) < 0) { 1753 yyerror("invalid keylen %d", $2); 1754 ABORT_AND_RACOON_FREE($$); 1755 } 1756 } 1757 1758 if ($2) 1759 $$->encklen = $2; 1760 else 1761 $$->encklen = defklen; 1762 1763 /* Check keymat size instead of "human" key size 1764 * because kernel store keymat size instead of "human key size". 1765 * For example, the keymat size of aes_gcm_16 128 is 160 bits 1766 * (128 bits + 4 bytes) instead of 128 bits. 1767 * 1768 * Currently, it is only useful for aes_gcm_16 (ipsec_enc). 1769 */ 1770 if (cur_algclass == algclass_ipsec_enc) 1771 { 1772 encklen_tmp = alg_ipsec_encdef_keylen($$->alg, $$->encklen); 1773 if (encklen_tmp < 0) 1774 { 1775 yyerror("Failed to convert keylen %d to keymat len for alg %d", 1776 $$->encklen, $$->alg); 1777 racoon_free($$); 1778 $$ = NULL; 1779 return -1; 1780 } 1781 } 1782 else 1783 { 1784 /* XXX Convert key size to keymat size for other algorithm ? 1785 */ 1786 encklen_tmp = $$->encklen; 1787 } 1788 1789 /* check if it's supported algorithm by kernel */ 1790 if (!(cur_algclass == algclass_ipsec_auth && $1 == algtype_non_auth) 1791 && pk_checkalg(cur_algclass, $1, encklen_tmp)) { 1792 int a = algclass2doi(cur_algclass); 1793 int b = algtype2doi(cur_algclass, $1); 1794 if (a == IPSECDOI_ATTR_AUTH) 1795 a = IPSECDOI_PROTO_IPSEC_AH; 1796 yyerror("algorithm %s not supported by the kernel (missing module?)", 1797 s_ipsecdoi_trns(a, b)); 1798 ABORT_AND_RACOON_FREE($$); 1799 } 1800 } 1801 ; 1802 prefix 1803 : /* nothing */ { $$ = ~0; } 1804 | PREFIX { $$ = $1; } 1805 ; 1806 port 1807 : /* nothing */ { $$ = IPSEC_PORT_ANY; } 1808 | PORT { $$ = $1; } 1809 | PORTANY { $$ = IPSEC_PORT_ANY; } 1810 ; 1811 ul_proto 1812 : NUMBER { $$ = $1; } 1813 | UL_PROTO { $$ = $1; } 1814 | ANY { $$ = IPSEC_ULPROTO_ANY; } 1815 ; 1816 keylength 1817 : /* nothing */ { $$ = 0; } 1818 | NUMBER { $$ = $1; } 1819 ; 1820 1821 /* remote */ 1822 remote_statement 1823 : REMOTE QUOTEDSTRING INHERIT QUOTEDSTRING 1824 { 1825 struct remoteconf *from, *new; 1826 1827 if (getrmconf_by_name($2->v) != NULL) { 1828 yyerror("named remoteconf \"%s\" already exists.", 1829 $2->v); 1830 ABORT_AND_VFREE2($2, $4); 1831 } 1832 1833 from = getrmconf_by_name($4->v); 1834 if (from == NULL) { 1835 yyerror("named parent remoteconf \"%s\" does not exist.", 1836 $4->v); 1837 ABORT_AND_VFREE2($2, $4); 1838 } 1839 1840 new = duprmconf_shallow(from); 1841 if (new == NULL) { 1842 yyerror("failed to duplicate remoteconf from \"%s\".", 1843 $4->v); 1844 ABORT_AND_VFREE2($2, $4); 1845 } 1846 1847 new->name = racoon_strdup($2->v); 1848 1849 delrmconf(cur_rmconf); 1850 cur_rmconf = new; 1851 1852 vfree($2); 1853 vfree($4); 1854 } 1855 remote_specs_inherit_block 1856 | REMOTE QUOTEDSTRING 1857 { 1858 struct remoteconf *new; 1859 1860 if (getrmconf_by_name($2->v) != NULL) { 1861 yyerror("Named remoteconf \"%s\" already exists.", 1862 $2->v); 1863 ABORT_AND_VFREE($2); 1864 } 1865 1866 new = newrmconf(); 1867 if (new == NULL) { 1868 yyerror("failed to get new remoteconf."); 1869 ABORT_AND_VFREE($2); 1870 } 1871 1872 new->name = racoon_strdup($2->v); 1873 1874 delrmconf(cur_rmconf); 1875 cur_rmconf = new; 1876 1877 vfree($2); 1878 } 1879 remote_specs_block 1880 | REMOTE remote_index INHERIT remote_index 1881 { 1882 struct remoteconf *from, *new; 1883 1884 from = getrmconf($4, GETRMCONF_F_NO_ANONYMOUS); 1885 if (from == NULL) { 1886 yyerror("failed to get remoteconf for %s.", 1887 saddr2str($4)); 1888 ABORT_AND_RACOON_FREE2($2, $4); 1889 } 1890 1891 new = duprmconf_shallow(from); 1892 if (new == NULL) { 1893 yyerror("failed to duplicate remoteconf from %s.", 1894 saddr2str($4)); 1895 ABORT_AND_RACOON_FREE2($2, $4); 1896 } 1897 1898 racoon_free($4); 1899 new->remote = $2; 1900 delrmconf(cur_rmconf); 1901 cur_rmconf = new; 1902 } 1903 remote_specs_inherit_block 1904 | REMOTE remote_index 1905 { 1906 struct remoteconf *new; 1907 1908 new = newrmconf(); 1909 if (new == NULL) { 1910 yyerror("failed to get new remoteconf."); 1911 ABORT_AND_RACOON_FREE($2); 1912 } 1913 1914 new->remote = $2; 1915 delrmconf(cur_rmconf); 1916 cur_rmconf = new; 1917 } 1918 remote_specs_block 1919 ; 1920 1921 remote_specs_inherit_block 1922 : remote_specs_block 1923 | EOS /* inheritance without overriding any settings */ 1924 { 1925 if (process_rmconf() != 0) 1926 ABORT(); 1927 } 1928 ; 1929 1930 remote_specs_block 1931 : BOC remote_specs EOC 1932 { 1933 if (process_rmconf() != 0) 1934 ABORT(); 1935 } 1936 ; 1937 1938 remote_index 1939 : ANONYMOUS ike_port 1940 { 1941 $$ = newsaddr(sizeof(struct sockaddr)); 1942 $$->sa_family = AF_UNSPEC; 1943 ((struct sockaddr_in *)$$)->sin_port = htons($2); 1944 } 1945 | ike_addrinfo_port 1946 { 1947 $$ = $1; 1948 if ($$ == NULL) { 1949 yyerror("failed to allocate sockaddr\n"); 1950 ABORT(); 1951 } 1952 } 1953 ; 1954 remote_specs 1955 : /* nothing */ 1956 | remote_specs remote_spec 1957 ; 1958 remote_spec 1959 : REMOTE_ADDRESS ike_addrinfo_port 1960 { 1961 if (cur_rmconf->remote != NULL) { 1962 yyerror("remote_address already specified\n"); 1963 ABORT_AND_RACOON_FREE($2); 1964 } 1965 1966 cur_rmconf->remote = $2; 1967 } 1968 EOS 1969 | EXCHANGE_MODE 1970 { 1971 cur_rmconf->etypes = NULL; 1972 } 1973 exchange_types EOS 1974 | DOI DOITYPE { cur_rmconf->doitype = $2; } EOS 1975 | SITUATION SITUATIONTYPE { cur_rmconf->sittype = $2; } EOS 1976 | CERTIFICATE_TYPE cert_spec 1977 | PEERS_CERTFILE QUOTEDSTRING 1978 { 1979 yywarn("This directive without certtype will be removed!\n"); 1980 yywarn("Please use 'peers_certfile x509 \"%s\";' instead\n", $2->v); 1981 1982 if (cur_rmconf->peerscert != NULL) { 1983 yyerror("peers_certfile already defined\n"); 1984 ABORT_AND_VFREE($2); 1985 } 1986 1987 if (load_x509($2->v, &cur_rmconf->peerscertfile, 1988 &cur_rmconf->peerscert)) { 1989 yyerror("failed to load certificate \"%s\"\n", 1990 $2->v); 1991 ABORT_AND_VFREE($2); 1992 } 1993 1994 vfree($2); 1995 } 1996 EOS 1997 | PEERS_CERTFILE CERT_X509 QUOTEDSTRING 1998 { 1999 if (cur_rmconf->peerscert != NULL) { 2000 yyerror("peers_certfile already defined\n"); 2001 ABORT_AND_VFREE($3); 2002 } 2003 2004 if (load_x509($3->v, &cur_rmconf->peerscertfile, 2005 &cur_rmconf->peerscert)) { 2006 yyerror("failed to load certificate \"%s\"\n", 2007 $3->v); 2008 ABORT_AND_VFREE($3); 2009 } 2010 vfree($3); 2011 } 2012 EOS 2013 | PEERS_CERTFILE CERT_PLAINRSA QUOTEDSTRING 2014 { 2015 char path[MAXPATHLEN]; 2016 int ret = 0; 2017 2018 if (cur_rmconf->peerscert != NULL) { 2019 yyerror("peers_certfile already defined\n"); 2020 ABORT_AND_VFREE($3); 2021 } 2022 2023 cur_rmconf->peerscert = vmalloc(1); 2024 if (cur_rmconf->peerscert == NULL) { 2025 yyerror("failed to allocate peerscert\n"); 2026 ABORT_AND_VFREE($3); 2027 } 2028 2029 cur_rmconf->peerscert->v[0] = ISAKMP_CERT_PLAINRSA; 2030 2031 getpathname(path, sizeof(path), 2032 LC_PATHTYPE_CERT, $3->v); 2033 if (rsa_parse_file(cur_rmconf->rsa_public, path, 2034 RSA_TYPE_PUBLIC)) { 2035 yyerror("Couldn't parse keyfile.\n", path); 2036 ABORT_AND_VFREE2(cur_rmconf->peerscert, $3); 2037 } 2038 2039 plog(LLV_DEBUG, LOCATION, NULL, 2040 "Public PlainRSA keyfile parsed: %s\n", path); 2041 2042 vfree($3); 2043 } 2044 EOS 2045 | PEERS_CERTFILE DNSSEC 2046 { 2047 if (cur_rmconf->peerscert != NULL) { 2048 yyerror("peers_certfile already defined\n"); 2049 ABORT(); 2050 } 2051 2052 cur_rmconf->peerscert = vmalloc(1); 2053 if (cur_rmconf->peerscert == NULL) { 2054 yyerror("failed to allocate peerscert\n"); 2055 ABORT(); 2056 } 2057 2058 cur_rmconf->peerscert->v[0] = ISAKMP_CERT_DNS; 2059 } 2060 EOS 2061 | CA_TYPE CERT_X509 QUOTEDSTRING 2062 { 2063 if (cur_rmconf->cacert != NULL) { 2064 yyerror("ca_type already defined\n"); 2065 ABORT_AND_VFREE($3); 2066 } 2067 2068 if (load_x509($3->v, &cur_rmconf->cacertfile, 2069 &cur_rmconf->cacert)) { 2070 yyerror("failed to load certificate \"%s\"\n", 2071 $3->v); 2072 ABORT_AND_VFREE($3); 2073 } 2074 2075 vfree($3); 2076 } 2077 EOS 2078 | VERIFY_CERT SWITCH { cur_rmconf->verify_cert = $2; } EOS 2079 | SEND_CERT SWITCH { cur_rmconf->send_cert = $2; } EOS 2080 | SEND_CR SWITCH { cur_rmconf->send_cr = $2; } EOS 2081 | MATCH_EMPTY_CR SWITCH { cur_rmconf->match_empty_cr = $2; } EOS 2082 | MY_IDENTIFIER IDENTIFIERTYPE identifierstring 2083 { 2084 if (set_identifier(&cur_rmconf->idv, $2, $3) != 0) { 2085 yyerror("failed to set identifer.\n"); 2086 ABORT_AND_VFREE($3); 2087 } 2088 2089 cur_rmconf->idvtype = $2; 2090 vfree($3); 2091 } 2092 EOS 2093 | MY_IDENTIFIER IDENTIFIERTYPE IDENTIFIERQUAL identifierstring 2094 { 2095 if (set_identifier_qual(&cur_rmconf->idv, $2, $4, $3) != 0) { 2096 yyerror("failed to set identifer.\n"); 2097 ABORT_AND_VFREE($4); 2098 } 2099 2100 cur_rmconf->idvtype = $2; 2101 vfree($4); 2102 } 2103 EOS 2104 | XAUTH_LOGIN identifierstring 2105 { 2106 #ifdef ENABLE_HYBRID 2107 /* formerly identifier type login */ 2108 if (xauth_rmconf_used(&cur_rmconf->xauth) == -1) { 2109 yyerror("failed to allocate xauth state\n"); 2110 ABORT_AND_VFREE($2); 2111 } 2112 2113 if ((cur_rmconf->xauth->login = vdup($2)) == NULL) { 2114 yyerror("failed to set identifer\n"); 2115 ABORT_AND_VFREE($2); 2116 } 2117 2118 #else 2119 yywarn(error_message_hybrid_config_not_configured); 2120 #endif 2121 vfree($2); 2122 } 2123 EOS 2124 | PEERS_IDENTIFIER IDENTIFIERTYPE identifierstring 2125 { 2126 struct idspec *idspec = NULL; 2127 vchar_t* id = NULL; 2128 if (set_identifier(&id, $2, $3) != 0) { 2129 yyerror("failed to set identifer\n"); 2130 ABORT_AND_VFREE2(id, $3); 2131 } 2132 2133 if ((idspec = newidspec()) == NULL) { 2134 yyerror("failed to allocate idspec\n"); 2135 ABORT_AND_VFREE2(id, $3); 2136 } 2137 2138 idspec->id = id; /* hand over id to idspec. */ 2139 idspec->idtype = $2; 2140 genlist_append (cur_rmconf->idvl_p, idspec); 2141 vfree($3); 2142 } 2143 EOS 2144 | PEERS_IDENTIFIER IDENTIFIERTYPE IDENTIFIERQUAL identifierstring 2145 { 2146 struct idspec *idspec = NULL; 2147 { 2148 vchar_t* id = NULL; 2149 if (set_identifier_qual(&id, $2, $4, $3) != 0) { 2150 yyerror("failed to set identifer\n"); 2151 ABORT_AND_VFREE2(id, $4); 2152 } 2153 2154 if ((idspec = newidspec()) == NULL) { 2155 yyerror("failed to allocate idspec\n"); 2156 ABORT_AND_VFREE2(id, $4); 2157 } 2158 2159 idspec->id = id; /* hand over id to idspec. */ 2160 } 2161 idspec->idtype = $2; 2162 genlist_append (cur_rmconf->idvl_p, idspec); 2163 2164 vfree($4); 2165 } 2166 EOS 2167 | VERIFY_IDENTIFIER SWITCH { cur_rmconf->verify_identifier = $2; } EOS 2168 | NONCE_SIZE NUMBER { cur_rmconf->nonce_size = $2; } EOS 2169 | DH_GROUP 2170 { 2171 yyerror("dh_group cannot be defined here\n"); 2172 ABORT(); 2173 } 2174 dh_group_num EOS 2175 | PASSIVE SWITCH { cur_rmconf->passive = $2; } EOS 2176 | IKE_FRAG SWITCH { cur_rmconf->ike_frag = $2; } EOS 2177 | IKE_FRAG REMOTE_FORCE_LEVEL { cur_rmconf->ike_frag = ISAKMP_FRAG_FORCE; } EOS 2178 | ESP_FRAG NUMBER { 2179 #ifdef SADB_X_EXT_NAT_T_FRAG 2180 if (libipsec_opt & LIBIPSEC_OPT_FRAG) 2181 cur_rmconf->esp_frag = $2; 2182 else 2183 yywarn("libipsec lacks IKE frag support\n"); 2184 #else 2185 yywarn("Your kernel does not support esp_frag\n"); 2186 #endif 2187 } EOS 2188 | SCRIPT QUOTEDSTRING PHASE1_UP { 2189 if (cur_rmconf->script[SCRIPT_PHASE1_UP] != NULL) 2190 vfree(cur_rmconf->script[SCRIPT_PHASE1_UP]); 2191 2192 cur_rmconf->script[SCRIPT_PHASE1_UP] = 2193 script_path_add(vdup($2)); 2194 2195 vfree($2); 2196 } EOS 2197 | SCRIPT QUOTEDSTRING PHASE1_DOWN { 2198 if (cur_rmconf->script[SCRIPT_PHASE1_DOWN] != NULL) 2199 vfree(cur_rmconf->script[SCRIPT_PHASE1_DOWN]); 2200 2201 cur_rmconf->script[SCRIPT_PHASE1_DOWN] = 2202 script_path_add(vdup($2)); 2203 2204 vfree($2); 2205 } EOS 2206 | SCRIPT QUOTEDSTRING PHASE1_DEAD { 2207 if (cur_rmconf->script[SCRIPT_PHASE1_DEAD] != NULL) 2208 vfree(cur_rmconf->script[SCRIPT_PHASE1_DEAD]); 2209 2210 cur_rmconf->script[SCRIPT_PHASE1_DEAD] = 2211 script_path_add(vdup($2)); 2212 2213 vfree($2); 2214 } EOS 2215 | MODE_CFG SWITCH { cur_rmconf->mode_cfg = $2; } EOS 2216 | WEAK_PHASE1_CHECK SWITCH { 2217 cur_rmconf->weak_phase1_check = $2; 2218 } EOS 2219 | GENERATE_POLICY SWITCH { cur_rmconf->gen_policy = $2; } EOS 2220 | GENERATE_POLICY GENERATE_LEVEL { cur_rmconf->gen_policy = $2; } EOS 2221 | SUPPORT_PROXY SWITCH { cur_rmconf->support_proxy = $2; } EOS 2222 | INITIAL_CONTACT SWITCH { cur_rmconf->ini_contact = $2; } EOS 2223 | NAT_TRAVERSAL SWITCH 2224 { 2225 #ifdef ENABLE_NATT 2226 if (libipsec_opt & LIBIPSEC_OPT_NATT) 2227 cur_rmconf->nat_traversal = $2; 2228 else 2229 yywarn("libipsec lacks NAT-T support\n"); 2230 #else 2231 yywarn(error_message_natt_not_compiled_in); 2232 #endif 2233 } EOS 2234 | NAT_TRAVERSAL REMOTE_FORCE_LEVEL 2235 { 2236 #ifdef ENABLE_NATT 2237 if (libipsec_opt & LIBIPSEC_OPT_NATT) 2238 cur_rmconf->nat_traversal = NATT_FORCE; 2239 else 2240 yyerror("libipsec lacks NAT-T support"); 2241 #else 2242 yywarn(error_message_natt_not_compiled_in); 2243 #endif 2244 } EOS 2245 | DPD SWITCH 2246 { 2247 #ifdef ENABLE_DPD 2248 cur_rmconf->dpd = $2; 2249 #else 2250 yywarn(error_message_dpd_not_compiled_in); 2251 #endif 2252 } EOS 2253 | DPD_DELAY NUMBER 2254 { 2255 #ifdef ENABLE_DPD 2256 cur_rmconf->dpd_interval = $2; 2257 #else 2258 yywarn(error_message_dpd_not_compiled_in); 2259 #endif 2260 } 2261 EOS 2262 | DPD_RETRY NUMBER 2263 { 2264 #ifdef ENABLE_DPD 2265 cur_rmconf->dpd_retry = $2; 2266 #else 2267 yywarn(error_message_dpd_not_compiled_in); 2268 #endif 2269 } 2270 EOS 2271 | DPD_MAXFAIL NUMBER 2272 { 2273 #ifdef ENABLE_DPD 2274 cur_rmconf->dpd_maxfails = $2; 2275 #else 2276 yywarn(error_message_dpd_not_compiled_in); 2277 #endif 2278 } 2279 EOS 2280 | REKEY SWITCH { cur_rmconf->rekey = $2; } EOS 2281 | REKEY REMOTE_FORCE_LEVEL { cur_rmconf->rekey = REKEY_FORCE; } EOS 2282 | PH1ID NUMBER 2283 { 2284 cur_rmconf->ph1id = $2; 2285 } 2286 EOS 2287 | LIFETIME LIFETYPE_TIME NUMBER unittype_time 2288 { 2289 cur_rmconf->lifetime = $3 * $4; 2290 } 2291 EOS 2292 | PROPOSAL_CHECK PROPOSAL_CHECK_LEVEL { cur_rmconf->pcheck_level = $2; } EOS 2293 | LIFETIME LIFETYPE_BYTE NUMBER unittype_byte 2294 { 2295 #if 1 2296 yyerror("byte lifetime support is deprecated in Phase1"); 2297 return -1; 2298 #else 2299 yywarn("the lifetime of bytes in phase 1 " 2300 "will be ignored at the moment."); 2301 cur_rmconf->lifebyte = fix_lifebyte($3 * $4); 2302 if (cur_rmconf->lifebyte == 0) 2303 ABORT(); 2304 #endif 2305 } 2306 EOS 2307 | PROPOSAL 2308 { 2309 struct secprotospec *spspec = newspspec(); 2310 if (spspec == NULL) 2311 ABORT(); 2312 2313 insspspec(cur_rmconf, spspec); 2314 } 2315 BOC isakmpproposal_specs EOC 2316 ; 2317 exchange_types 2318 : /* nothing */ 2319 | exchange_types EXCHANGETYPE 2320 { 2321 struct etypes *new = racoon_malloc(sizeof(struct etypes)); 2322 if (new == NULL) { 2323 yyerror("failed to allocate etypes"); 2324 ABORT(); 2325 } 2326 2327 new->next = NULL; new->type = $2; 2328 if (cur_rmconf->etypes == NULL) 2329 cur_rmconf->etypes = new; 2330 else { 2331 struct etypes *p; 2332 for (p = cur_rmconf->etypes; 2333 p->next != NULL; 2334 p = p->next) 2335 ; 2336 p->next = new; 2337 } 2338 } 2339 ; 2340 cert_spec 2341 : CERT_X509 QUOTEDSTRING QUOTEDSTRING 2342 { 2343 if (cur_rmconf->mycert != NULL) { 2344 yyerror("certificate_type already defined\n"); 2345 ABORT_AND_VFREE2($2, $3); 2346 } 2347 2348 if (load_x509($2->v, &cur_rmconf->mycertfile, 2349 &cur_rmconf->mycert)) { 2350 yyerror("failed to load certificate \"%s\"\n", 2351 $2->v); 2352 ABORT_AND_VFREE2($2, $3); 2353 } 2354 2355 cur_rmconf->myprivfile = racoon_strdup($3->v); 2356 if (!cur_rmconf->myprivfile) { 2357 yyerror("failed to allocate myprivfile\n"); 2358 ABORT_AND_VFREE2($2, $3); 2359 } 2360 2361 vfree($2); 2362 vfree($3); 2363 } 2364 EOS 2365 | CERT_PLAINRSA QUOTEDSTRING 2366 { 2367 char path[MAXPATHLEN]; 2368 int ret = 0; 2369 2370 if (cur_rmconf->mycert != NULL) { 2371 yyerror("certificate_type already defined\n"); 2372 ABORT_AND_VFREE($2); 2373 } 2374 2375 cur_rmconf->mycert = vmalloc(1); 2376 if (cur_rmconf->mycert == NULL) { 2377 yyerror("failed to allocate mycert\n"); 2378 ABORT_AND_VFREE($2); 2379 } 2380 2381 cur_rmconf->mycert->v[0] = ISAKMP_CERT_PLAINRSA; 2382 2383 getpathname(path, sizeof(path), 2384 LC_PATHTYPE_CERT, $2->v); 2385 cur_rmconf->send_cr = FALSE; 2386 cur_rmconf->send_cert = FALSE; 2387 cur_rmconf->verify_cert = FALSE; 2388 if (rsa_parse_file(cur_rmconf->rsa_private, path, 2389 RSA_TYPE_PRIVATE)) { 2390 yyerror("Couldn't parse keyfile %s\n", path); 2391 ABORT_AND_VFREE($2); 2392 } 2393 2394 plog(LLV_DEBUG, LOCATION, NULL, 2395 "Private PlainRSA keyfile parsed: %s\n", path); 2396 vfree($2); 2397 } 2398 EOS 2399 ; 2400 dh_group_num 2401 : ALGORITHMTYPE 2402 { 2403 $$ = algtype2doi(algclass_isakmp_dh, $1); 2404 if ($$ == -1) { 2405 yyerror("must be DH group\n"); 2406 ABORT(); 2407 } 2408 } 2409 | NUMBER 2410 { 2411 if (ARRAYLEN(num2dhgroup) > $1 && num2dhgroup[$1] != 0) { 2412 $$ = num2dhgroup[$1]; 2413 } else { 2414 $$ = 0; 2415 yyerror("must be DH group\n"); 2416 ABORT(); 2417 } 2418 } 2419 ; 2420 identifierstring 2421 : /* nothing */ { $$ = NULL; } 2422 | ADDRSTRING { $$ = $1; } 2423 | QUOTEDSTRING { $$ = $1; } 2424 ; 2425 isakmpproposal_specs 2426 : /* nothing */ 2427 | isakmpproposal_specs isakmpproposal_spec 2428 ; 2429 isakmpproposal_spec 2430 : LIFETIME LIFETYPE_TIME NUMBER unittype_time 2431 { 2432 cur_rmconf->spspec->lifetime = $3 * $4; 2433 } 2434 EOS 2435 | LIFETIME LIFETYPE_BYTE NUMBER unittype_byte 2436 { 2437 #if 1 2438 yyerror("byte lifetime support is deprecated\n"); 2439 ABORT(); 2440 #else 2441 cur_rmconf->spspec->lifebyte = fix_lifebyte($3 * $4); 2442 if (cur_rmconf->spspec->lifebyte == 0) 2443 ABORT(); 2444 #endif 2445 } 2446 EOS 2447 | DH_GROUP dh_group_num 2448 { 2449 cur_rmconf->spspec->algclass[algclass_isakmp_dh] = $2; 2450 } 2451 EOS 2452 | GSS_ID QUOTEDSTRING 2453 { 2454 if (cur_rmconf->spspec->vendorid != VENDORID_GSSAPI) { 2455 yyerror("wrong Vendor ID for gssapi_id\n"); 2456 ABORT_AND_VFREE($2); 2457 } 2458 2459 if (cur_rmconf->spspec->gssid != NULL) 2460 racoon_free(cur_rmconf->spspec->gssid); 2461 cur_rmconf->spspec->gssid = 2462 racoon_strdup($2->v); 2463 if (!cur_rmconf->spspec->gssid) { 2464 yyerror("failed to allocate gssid\n"); 2465 ABORT_AND_VFREE($2); 2466 } 2467 } 2468 EOS 2469 | ALGORITHM_CLASS ALGORITHMTYPE keylength 2470 { 2471 int doi; 2472 int defklen; 2473 2474 doi = algtype2doi($1, $2); 2475 if (doi == -1) { 2476 yyerror("algorithm mismatched 1\n"); 2477 ABORT(); 2478 } 2479 2480 switch ($1) { 2481 case algclass_isakmp_enc: 2482 /* reject suppressed algorithms */ 2483 #ifndef HAVE_OPENSSL_RC5_H 2484 if ($2 == algtype_rc5) { 2485 yyerror("algorithm %s not supported\n", 2486 s_attr_isakmp_enc(doi)); 2487 ABORT(); 2488 } 2489 #endif 2490 #ifndef HAVE_OPENSSL_IDEA_H 2491 if ($2 == algtype_idea) { 2492 yyerror("algorithm %s not supported\n", 2493 s_attr_isakmp_enc(doi)); 2494 ABORT(); 2495 } 2496 #endif 2497 2498 cur_rmconf->spspec->algclass[algclass_isakmp_enc] = doi; 2499 defklen = default_keylen($1, $2); 2500 if (defklen == 0) { 2501 if ($3) { 2502 yyerror("keylen not allowed\n"); 2503 ABORT(); 2504 } 2505 } else { 2506 if ($3 && check_keylen($1, $2, $3) < 0) { 2507 yyerror("invalid keylen %d\n", $3); 2508 ABORT(); 2509 } 2510 } 2511 if ($3) 2512 cur_rmconf->spspec->encklen = $3; 2513 else 2514 cur_rmconf->spspec->encklen = defklen; 2515 break; 2516 case algclass_isakmp_hash: 2517 cur_rmconf->spspec->algclass[algclass_isakmp_hash] = doi; 2518 break; 2519 case algclass_isakmp_ameth: 2520 cur_rmconf->spspec->algclass[algclass_isakmp_ameth] = doi; 2521 /* 2522 * We may have to set the Vendor ID for the 2523 * authentication method we're using. 2524 */ 2525 switch ($2) { 2526 case algtype_gssapikrb: 2527 if (cur_rmconf->spspec->vendorid != 2528 VENDORID_UNKNOWN) { 2529 yyerror("Vendor ID mismatch for auth method\n"); 2530 ABORT(); 2531 } 2532 /* 2533 * For interoperability with Win2k, 2534 * we set the Vendor ID to "GSSAPI". 2535 */ 2536 cur_rmconf->spspec->vendorid = 2537 VENDORID_GSSAPI; 2538 break; 2539 case algtype_rsasig: 2540 if (oakley_get_certtype(cur_rmconf->peerscert) == ISAKMP_CERT_PLAINRSA) { 2541 if (rsa_list_count(cur_rmconf->rsa_private) == 0) { 2542 yyerror ("Private PlainRSA key not set." 2543 "Use directive 'certificate_type plainrsa ...'\n"); 2544 ABORT(); 2545 } 2546 2547 if (rsa_list_count(cur_rmconf->rsa_public) == 0) { 2548 yyerror ("Public PlainRSA keys not set." 2549 "Use directive 'peers_certfile plainrsa ...'\n"); 2550 ABORT(); 2551 } 2552 } 2553 break; 2554 default: 2555 break; 2556 } 2557 break; 2558 default: 2559 yyerror("algorithm mismatched 2\n"); 2560 ABORT(); 2561 } 2562 } 2563 EOS 2564 ; 2565 2566 unittype_time 2567 : UNITTYPE_SEC { $$ = 1; } 2568 | UNITTYPE_MIN { $$ = 60; } 2569 | UNITTYPE_HOUR { $$ = (60 * 60); } 2570 ; 2571 unittype_byte 2572 : UNITTYPE_BYTE { $$ = 1; } 2573 | UNITTYPE_KBYTES { $$ = 1024; } 2574 | UNITTYPE_MBYTES { $$ = (1024 * 1024); } 2575 | UNITTYPE_TBYTES { $$ = (1024 * 1024 * 1024); } 2576 ; 2577 %% 2578 2579 static struct secprotospec * 2580 newspspec() 2581 { 2582 struct secprotospec *new; 2583 2584 new = racoon_calloc(1, sizeof(*new)); 2585 if (new == NULL) { 2586 yyerror("failed to allocate spproto"); 2587 return NULL; 2588 } 2589 2590 new->encklen = 0; /*XXX*/ 2591 2592 /* 2593 * Default to "uknown" vendor -- we will override this 2594 * as necessary. When we send a Vendor ID payload, an 2595 * "unknown" will be translated to a KAME/racoon ID. 2596 */ 2597 new->vendorid = VENDORID_UNKNOWN; 2598 2599 return new; 2600 } 2601 2602 /* 2603 * insert into head of list. 2604 */ 2605 static void 2606 insspspec(rmconf, spspec) 2607 struct remoteconf *rmconf; 2608 struct secprotospec *spspec; 2609 { 2610 if (rmconf->spspec != NULL) 2611 rmconf->spspec->prev = spspec; 2612 spspec->next = rmconf->spspec; 2613 rmconf->spspec = spspec; 2614 } 2615 2616 static struct secprotospec * 2617 dupspspec(spspec) 2618 struct secprotospec *spspec; 2619 { 2620 struct secprotospec *new; 2621 2622 new = newspspec(); 2623 if (new == NULL) { 2624 plog(LLV_ERROR, LOCATION, NULL, 2625 "dupspspec: malloc failed\n"); 2626 return NULL; 2627 } 2628 memcpy(new, spspec, sizeof(*new)); 2629 2630 if (spspec->gssid) { 2631 new->gssid = racoon_strdup(spspec->gssid); 2632 STRDUP_FATAL(new->gssid); 2633 } 2634 if (spspec->remote) { 2635 new->remote = racoon_malloc(sizeof(*new->remote)); 2636 if (new->remote == NULL) { 2637 plog(LLV_ERROR, LOCATION, NULL, 2638 "dupspspec: malloc failed (remote)\n"); 2639 return NULL; 2640 } 2641 memcpy(new->remote, spspec->remote, sizeof(*new->remote)); 2642 } 2643 2644 return new; 2645 } 2646 2647 /* 2648 * copy the whole list 2649 */ 2650 void 2651 dupspspec_list(dst, src) 2652 struct remoteconf *dst, *src; 2653 { 2654 struct secprotospec *p, *new, *last; 2655 2656 for(p = src->spspec, last = NULL; p; p = p->next, last = new) { 2657 new = dupspspec(p); 2658 if (new == NULL) 2659 exit(1); 2660 2661 new->prev = last; 2662 new->next = NULL; /* not necessary but clean */ 2663 2664 if (last) 2665 last->next = new; 2666 else /* first element */ 2667 dst->spspec = new; 2668 2669 } 2670 } 2671 2672 /* 2673 * delete the whole list 2674 */ 2675 void 2676 flushspspec(rmconf) 2677 struct remoteconf *rmconf; 2678 { 2679 struct secprotospec *p; 2680 2681 while(rmconf->spspec != NULL) { 2682 p = rmconf->spspec; 2683 rmconf->spspec = p->next; 2684 if (p->next != NULL) 2685 p->next->prev = NULL; /* not necessary but clean */ 2686 2687 if (p->gssid) 2688 racoon_free(p->gssid); 2689 if (p->remote) 2690 racoon_free(p->remote); 2691 racoon_free(p); 2692 } 2693 rmconf->spspec = NULL; 2694 } 2695 2696 /* set final acceptable proposal */ 2697 static int 2698 set_isakmp_proposal(rmconf) 2699 struct remoteconf *rmconf; 2700 { 2701 struct secprotospec *s; 2702 int prop_no = 1; 2703 int trns_no = 1; 2704 int32_t types[MAXALGCLASS]; 2705 2706 /* mandatory check */ 2707 if (rmconf->spspec == NULL) { 2708 yyerror("no remote specification found: %s.\n", 2709 saddr2str(rmconf->remote)); 2710 return -1; 2711 } 2712 for (s = rmconf->spspec; s != NULL; s = s->next) { 2713 /* XXX need more to check */ 2714 if (s->algclass[algclass_isakmp_enc] == 0) { 2715 yyerror("encryption algorithm required."); 2716 return -1; 2717 } 2718 if (s->algclass[algclass_isakmp_hash] == 0) { 2719 yyerror("hash algorithm required."); 2720 return -1; 2721 } 2722 if (s->algclass[algclass_isakmp_dh] == 0) { 2723 yyerror("DH group required."); 2724 return -1; 2725 } 2726 if (s->algclass[algclass_isakmp_ameth] == 0) { 2727 yyerror("authentication method required."); 2728 return -1; 2729 } 2730 } 2731 2732 /* skip to last part */ 2733 for (s = rmconf->spspec; s->next != NULL; s = s->next) 2734 ; 2735 2736 while (s != NULL) { 2737 plog(LLV_DEBUG2, LOCATION, NULL, 2738 "lifetime = %ld\n", (long) 2739 (s->lifetime ? s->lifetime : rmconf->lifetime)); 2740 plog(LLV_DEBUG2, LOCATION, NULL, 2741 "lifebyte = %d\n", 2742 s->lifebyte ? s->lifebyte : rmconf->lifebyte); 2743 plog(LLV_DEBUG2, LOCATION, NULL, 2744 "encklen=%d\n", s->encklen); 2745 2746 memset(types, 0, ARRAYLEN(types)); 2747 types[algclass_isakmp_enc] = s->algclass[algclass_isakmp_enc]; 2748 types[algclass_isakmp_hash] = s->algclass[algclass_isakmp_hash]; 2749 types[algclass_isakmp_dh] = s->algclass[algclass_isakmp_dh]; 2750 types[algclass_isakmp_ameth] = 2751 s->algclass[algclass_isakmp_ameth]; 2752 2753 /* expanding spspec */ 2754 clean_tmpalgtype(); 2755 trns_no = expand_isakmpspec(prop_no, trns_no, types, 2756 algclass_isakmp_enc, algclass_isakmp_ameth + 1, 2757 s->lifetime ? s->lifetime : rmconf->lifetime, 2758 s->lifebyte ? s->lifebyte : rmconf->lifebyte, 2759 s->encklen, s->vendorid, s->gssid, 2760 rmconf); 2761 if (trns_no == -1) { 2762 plog(LLV_ERROR, LOCATION, NULL, 2763 "failed to expand isakmp proposal.\n"); 2764 return -1; 2765 } 2766 2767 s = s->prev; 2768 } 2769 2770 if (rmconf->proposal == NULL) { 2771 plog(LLV_ERROR, LOCATION, NULL, 2772 "no proposal found.\n"); 2773 return -1; 2774 } 2775 2776 return 0; 2777 } 2778 2779 static void 2780 clean_tmpalgtype() 2781 { 2782 int i; 2783 for (i = 0; i < MAXALGCLASS; i++) 2784 tmpalgtype[i] = 0; /* means algorithm undefined. */ 2785 } 2786 2787 static int 2788 expand_isakmpspec(prop_no, trns_no, types, 2789 class, last, lifetime, lifebyte, encklen, vendorid, gssid, 2790 rmconf) 2791 int prop_no, trns_no; 2792 int *types, class, last; 2793 time_t lifetime; 2794 int lifebyte; 2795 int encklen; 2796 int vendorid; 2797 char *gssid; 2798 struct remoteconf *rmconf; 2799 { 2800 struct isakmpsa *new; 2801 2802 /* debugging */ 2803 { 2804 int j; 2805 char tb[10]; 2806 plog(LLV_DEBUG2, LOCATION, NULL, 2807 "p:%d t:%d\n", prop_no, trns_no); 2808 for (j = class; j < MAXALGCLASS; j++) { 2809 snprintf(tb, sizeof(tb), "%d", types[j]); 2810 plog(LLV_DEBUG2, LOCATION, NULL, 2811 "%s%s%s%s\n", 2812 s_algtype(j, types[j]), 2813 types[j] ? "(" : "", 2814 tb[0] == '0' ? "" : tb, 2815 types[j] ? ")" : ""); 2816 } 2817 plog(LLV_DEBUG2, LOCATION, NULL, "\n"); 2818 } 2819 2820 #define TMPALGTYPE2STR(n) \ 2821 s_algtype(algclass_isakmp_##n, types[algclass_isakmp_##n]) 2822 /* check mandatory values */ 2823 if (types[algclass_isakmp_enc] == 0 2824 || types[algclass_isakmp_ameth] == 0 2825 || types[algclass_isakmp_hash] == 0 2826 || types[algclass_isakmp_dh] == 0) { 2827 yyerror("few definition of algorithm " 2828 "enc=%s ameth=%s hash=%s dhgroup=%s.\n", 2829 TMPALGTYPE2STR(enc), 2830 TMPALGTYPE2STR(ameth), 2831 TMPALGTYPE2STR(hash), 2832 TMPALGTYPE2STR(dh)); 2833 return -1; 2834 } 2835 #undef TMPALGTYPE2STR 2836 2837 /* set new sa */ 2838 new = newisakmpsa(); 2839 if (new == NULL) { 2840 yyerror("failed to allocate isakmp sa"); 2841 return -1; 2842 } 2843 new->prop_no = prop_no; 2844 new->trns_no = trns_no++; 2845 new->lifetime = lifetime; 2846 new->lifebyte = lifebyte; 2847 new->enctype = types[algclass_isakmp_enc]; 2848 new->encklen = encklen; 2849 new->authmethod = types[algclass_isakmp_ameth]; 2850 new->hashtype = types[algclass_isakmp_hash]; 2851 new->dh_group = types[algclass_isakmp_dh]; 2852 new->vendorid = vendorid; 2853 #ifdef HAVE_GSSAPI 2854 if (new->authmethod == OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB) { 2855 if (gssid != NULL) { 2856 if ((new->gssid = vmalloc(strlen(gssid))) == NULL) { 2857 racoon_free(new); 2858 yyerror("failed to allocate gssid"); 2859 return -1; 2860 } 2861 memcpy(new->gssid->v, gssid, new->gssid->l); 2862 racoon_free(gssid); 2863 } else { 2864 /* 2865 * Allocate the default ID so that it gets put 2866 * into a GSS ID attribute during the Phase 1 2867 * exchange. 2868 */ 2869 new->gssid = gssapi_get_default_gss_id(); 2870 } 2871 } 2872 #endif 2873 insisakmpsa(new, rmconf); 2874 2875 return trns_no; 2876 } 2877 2878 #if 0 2879 /* 2880 * fix lifebyte. 2881 * Must be more than 1024B because its unit is kilobytes. 2882 * That is defined RFC2407. 2883 */ 2884 static int 2885 fix_lifebyte(t) 2886 unsigned long t; 2887 { 2888 if (t < 1024) { 2889 yyerror("byte size should be more than 1024B."); 2890 return 0; 2891 } 2892 2893 return(t / 1024); 2894 } 2895 #endif 2896 2897 int 2898 cfparse() 2899 { 2900 int error; 2901 2902 yyerrorcount = 0; 2903 yycf_init_buffer(); 2904 2905 if (yycf_switch_buffer(lcconf->racoon_conf) != 0) { 2906 plog(LLV_ERROR, LOCATION, NULL, 2907 "could not read configuration file \"%s\"\n", 2908 lcconf->racoon_conf); 2909 return -1; 2910 } 2911 2912 error = yyparse(); 2913 if (error != 0) { 2914 if (yyerrorcount) { 2915 plog(LLV_ERROR, LOCATION, NULL, 2916 "fatal parse failure (%d errors)\n", 2917 yyerrorcount); 2918 } else { 2919 plog(LLV_ERROR, LOCATION, NULL, 2920 "fatal parse failure.\n"); 2921 } 2922 return -1; 2923 } 2924 2925 if (error == 0 && yyerrorcount) { 2926 plog(LLV_ERROR, LOCATION, NULL, 2927 "parse error is nothing, but yyerrorcount is %d.\n", 2928 yyerrorcount); 2929 exit(1); 2930 } 2931 2932 yycf_clean_buffer(); 2933 2934 plog(LLV_DEBUG2, LOCATION, NULL, "parse successed.\n"); 2935 2936 return 0; 2937 } 2938 2939 int 2940 cfreparse() 2941 { 2942 flushph2(); 2943 flushph1(); 2944 flushrmconf(); 2945 flushsainfo(); 2946 clean_tmpalgtype(); 2947 return(cfparse()); 2948 } 2949 2950 #ifdef ENABLE_ADMINPORT 2951 static void 2952 adminsock_conf(path, owner, group, mode_dec) 2953 vchar_t *path; 2954 vchar_t *owner; 2955 vchar_t *group; 2956 int mode_dec; 2957 { 2958 struct passwd *pw = NULL; 2959 struct group *gr = NULL; 2960 mode_t mode = 0; 2961 uid_t uid; 2962 gid_t gid; 2963 int isnum; 2964 2965 adminsock_path = path->v; 2966 2967 if (owner == NULL) 2968 return; 2969 2970 errno = 0; 2971 uid = atoi(owner->v); 2972 isnum = !errno; 2973 if (((pw = getpwnam(owner->v)) == NULL) && !isnum) 2974 yywarn("User \"%s\" does not exist\n", owner->v); 2975 2976 if (pw) 2977 adminsock_owner = pw->pw_uid; 2978 else 2979 adminsock_owner = uid; 2980 2981 if (group == NULL) 2982 return; 2983 2984 errno = 0; 2985 gid = atoi(group->v); 2986 isnum = !errno; 2987 if (((gr = getgrnam(group->v)) == NULL) && !isnum) 2988 yywarn("Group \"%s\" does not exist\n", group->v); 2989 2990 if (gr) 2991 adminsock_group = gr->gr_gid; 2992 else 2993 adminsock_group = gid; 2994 2995 if (mode_dec == -1) 2996 return; 2997 2998 if (mode_dec > 777) 2999 yywarn("Mode 0%03o is invalid\n", mode_dec); 3000 3001 if (mode_dec >= 400) { mode += 0400; mode_dec -= 400; } 3002 if (mode_dec >= 200) { mode += 0200; mode_dec -= 200; } 3003 if (mode_dec >= 100) { mode += 0200; mode_dec -= 100; } 3004 3005 if (mode_dec > 77) 3006 yywarn("Mode 0%03o is invalid\n", mode_dec); 3007 3008 if (mode_dec >= 40) { mode += 040; mode_dec -= 40; } 3009 if (mode_dec >= 20) { mode += 020; mode_dec -= 20; } 3010 if (mode_dec >= 10) { mode += 020; mode_dec -= 10; } 3011 3012 if (mode_dec > 7) 3013 yywarn("Mode 0%03o is invalid\n", mode_dec); 3014 3015 if (mode_dec >= 4) { mode += 04; mode_dec -= 4; } 3016 if (mode_dec >= 2) { mode += 02; mode_dec -= 2; } 3017 if (mode_dec >= 1) { mode += 02; mode_dec -= 1; } 3018 3019 adminsock_mode = mode; 3020 3021 return; 3022 } 3023 #endif 3024