/* $OpenBSD: conf.c,v 1.107 2017/10/27 08:29:32 mpi Exp $ */
/* $EOM: conf.c,v 1.48 2000/12/04 02:04:29 angelos Exp $ */

/*
 * Copyright (c) 1998, 1999, 2000, 2001 Niklas Hallqvist. All rights reserved.
 * Copyright (c) 2000, 2001, 2002 Håkan Olsson. All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */

/*
 * This code was written under funding by Ericsson Radio Systems.
*/

#include <sys/types.h>
#include <sys/mman.h>
#include <sys/queue.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <ctype.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <errno.h>

#include "app.h"
#include "conf.h"
#include "log.h"
#include "monitor.h"
#include "util.h"

static char *conf_get_trans_str(int, char *, char *);
static void conf_load_defaults(int);
#if 0
static int conf_find_trans_xf(int, char *);
#endif

/*
 * One queued configuration operation.  Operations are collected on
 * conf_trans_queue under the transaction id handed out by conf_begin()
 * and are only applied to the live bindings by conf_end(..., 1).
 */
struct conf_trans {
	TAILQ_ENTRY(conf_trans) link;
	int trans;		/* transaction id this operation belongs to */
	enum conf_op {
		CONF_SET, CONF_REMOVE, CONF_REMOVE_SECTION
	} op;
	char *section;		/* owned copies; tag/value are NULL for removes */
	char *tag;
	char *value;
	int override;		/* CONF_SET: replace an existing binding */
	int is_default;		/* CONF_SET: auto-generated, not from the file */
};

/* Upper bound on the length of a generated section name (incl. NUL). */
#define CONF_SECT_MAX 256

TAILQ_HEAD(conf_trans_head, conf_trans) conf_trans_queue;

/*
 * One live [section] tag=value binding.  Bindings are kept in
 * conf_bindings, a hash table keyed on conf_hash(section).  The three
 * strings are owned by the binding and released together with it by
 * conf_remove_now() / conf_remove_section_now().
 */
struct conf_binding {
	LIST_ENTRY(conf_binding) link;
	char *section;
	char *tag;
	char *value;
	int is_default;		/* auto-generated; skipped by conf_report() */
};

char *conf_path = CONFIG_FILE;
LIST_HEAD(conf_bindings, conf_binding) conf_bindings[256];

/* Contents of the currently loaded configuration file, or NULL. */
static char *conf_addr;

/*
 * Hash a section name into a conf_bindings bucket.  The name is lower-cased
 * byte by byte so that lookups, which compare with strcasecmp(), end up in
 * the same bucket whatever the case used in the file.  Returns a value in
 * [0, 255], which matches the size of conf_bindings.
 */
static __inline__ u_int8_t
conf_hash(char *s)
{
	u_int8_t hash = 0;

	while (*s) {
		/* Rotate the 8-bit hash left by one, then fold in the byte. */
		hash = ((hash << 1) | (hash >> 7)) ^ tolower((unsigned char)*s);
		s++;
	}
	return hash;
}

/*
 * Remove the live binding TAG in SECTION, if any.  Both names are compared
 * case-insensitively and only the first match is removed.  Returns 0 when
 * a binding was removed and 1 when none matched.
 */
static int
conf_remove_now(char *section, char *tag)
{
	struct conf_binding *cb, *next;

	for (cb = LIST_FIRST(&conf_bindings[conf_hash(section)]); cb;
	    cb = next) {
		/* Fetch the successor first; cb is freed below. */
		next = LIST_NEXT(cb, link);
		if (strcasecmp(cb->section, section) == 0 &&
		    strcasecmp(cb->tag, tag) == 0) {
			LIST_REMOVE(cb, link);
			LOG_DBG((LOG_MISC, 95, "[%s]:%s->%s removed", section,
			    tag, cb->value));
			free(cb->section);
			free(cb->tag);
			free(cb->value);
			free(cb);
			return 0;
		}
	}
	return 1;
}

/*
 * Remove every live binding in SECTION (case-insensitive).  Returns 0 when
 * at least one binding was removed and 1 when the section was unseen.
 */
static int
conf_remove_section_now(char *section)
{
	struct conf_binding *cb, *next;
	int unseen = 1;

	for (cb = LIST_FIRST(&conf_bindings[conf_hash(section)]); cb;
	    cb = next) {
		/* Fetch the successor first; cb is freed below. */
		next = LIST_NEXT(cb, link);
		if (strcasecmp(cb->section, section) == 0) {
			unseen = 0;
			LIST_REMOVE(cb, link);
			LOG_DBG((LOG_MISC, 95, "[%s]:%s->%s removed", section,
			    cb->tag, cb->value));
			free(cb->section);
			free(cb->tag);
			free(cb->value);
			free(cb);
		}
	}
	return unseen;
}

/*
 * Insert the binding TAG=VALUE into SECTION of the live configuration.
 * With OVERRIDE set an existing binding with the same name is replaced;
 * otherwise an existing binding wins and this one is dropped, silently
 * when IS_DEFAULT is set and with a log message when it came from the
 * file.  All three strings are copied.  Returns 0 on success and 1 when
 * nothing was inserted (duplicate or allocation failure).
 */
static int
conf_set_now(char *section, char *tag, char *value, int override,
    int is_default)
{
	struct conf_binding *node = 0;

	if (override)
		conf_remove_now(section, tag);
	else if (conf_get_str(section, tag)) {
		if (!is_default)
			log_print("conf_set_now: duplicate tag [%s]:%s, "
			    "ignoring...\n", section, tag);
		return 1;
	}
	node = calloc(1, sizeof *node);
	if (!node) {
		log_error("conf_set_now: calloc (1, %lu) failed",
		    (unsigned long)sizeof *node);
		return 1;
	}
	node->section = node->tag = node->value = NULL;
	if ((node->section = strdup(section)) == NULL)
		goto fail;
	if ((node->tag = strdup(tag)) == NULL)
		goto fail;
	if ((node->value = strdup(value)) == NULL)
		goto fail;
	node->is_default = is_default;

	LIST_INSERT_HEAD(&conf_bindings[conf_hash(section)], node, link);
	LOG_DBG((LOG_MISC, 95, "conf_set_now: [%s]:%s->%s", node->section,
	    node->tag, node->value));
	return 0;
fail:
	/* free(NULL) is harmless for the copies not yet made. */
	free(node->value);
	free(node->tag);
	free(node->section);
	free(node);
	return 1;
}

/*
 * Parse the line LINE of SZ bytes.
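Skip Comments, recognize section
 * headers and feed tag-value pairs into our configuration database.
 *
 * Assignments are attributed to the most recent '[section]' header of
 * the file being parsed (conf_cur_section); lines that precede any header
 * are rejected.  Problems are logged and the line is skipped, never fatal.
 * LINE is modified in place (the tag is NUL-terminated, the value trimmed).
 */

/*
 * Section most recently opened by a '[section]' line, or NULL when none
 * has been seen yet or the last one was malformed.  Owned here: freed and
 * replaced by the next header, and reset by conf_parse() before every
 * file so a section left over from a previous load cannot absorb the
 * first lines of the next one.
 */
static char *conf_cur_section;

static void
conf_parse_line(int trans, char *line, int ln, size_t sz)
{
	char *val;
	size_t i;
	int j;

	/* Lines starting with '#' or ';' are comments. */
	if (*line == '#' || *line == ';')
		return;

	/* '[section]' parsing... */
	if (*line == '[') {
		for (i = 1; i < sz; i++)
			if (line[i] == ']')
				break;
		free(conf_cur_section);
		if (i == sz) {
			log_print("conf_parse_line: %d:"
			    "unmatched ']', ignoring until next section", ln);
			conf_cur_section = 0;
			return;
		}
		/* i bytes hold the i-1 name characters plus the NUL. */
		conf_cur_section = malloc(i);
		if (!conf_cur_section) {
			log_print("conf_parse_line: %d: malloc (%lu) failed",
			    ln, (unsigned long)i);
			return;
		}
		strlcpy(conf_cur_section, line + 1, i);
		return;
	}
	/* Deal with assignments. */
	for (i = 0; i < sz; i++)
		if (line[i] == '=') {
			/* If no section, we are ignoring the lines. */
			if (!conf_cur_section) {
				log_print("conf_parse_line: %d: ignoring line "
				    "due to no section", ln);
				return;
			}
			/*
			 * Terminate the tag at the first blank or '='.
			 * NOTE(review): a line indented with blanks gets an
			 * empty tag here, since strcspn() then returns 0.
			 */
			line[strcspn(line, " \t=")] = '\0';
			/* The value starts after the '=' and any blanks. */
			val = line + i + 1 + strspn(line + i + 1, " \t");
			/* Skip trailing whitespace, if any */
			for (j = sz - (val - line) - 1; j > 0 &&
			    isspace((unsigned char)val[j]); j--)
				val[j] = '\0';
			/* XXX Perhaps should we not ignore errors? */
			conf_set(trans, conf_cur_section, line, val, 0, 0);
			return;
		}
	/* Other non-empty lines are weird. */
	i = strspn(line, " \t");
	if (line[i])
		log_print("conf_parse_line: %d: syntax error", ln);
}

/*
 * Parse the mapped configuration file.
 *
 * BUF holds SZ bytes and is modified in place: every newline is turned
 * into a NUL so the line can be handed to conf_parse_line() as a string,
 * and a backslash immediately before a newline joins the two physical
 * lines (both characters become blanks).  Line numbers in messages count
 * physical lines.  A final line without a newline is ignored.
 */
static void
conf_parse(int trans, char *buf, size_t sz)
{
	char *cp = buf;
	char *bufend = buf + sz;
	char *line;
	int ln = 1;

	/*
	 * Start from a clean slate: the section that was current at the
	 * end of a previous conf_reinit() must not apply to this file.
	 */
	free(conf_cur_section);
	conf_cur_section = NULL;

	line = cp;
	while (cp < bufend) {
		if (*cp == '\n') {
			/* Check for escaped newlines.  */
			if (cp > buf && *(cp - 1) == '\\')
				*(cp - 1) = *cp = ' ';
			else {
				*cp = '\0';
				conf_parse_line(trans, line, ln, cp - line);
				line = cp + 1;
			}
			ln++;
		}
		cp++;
	}
	if (cp != line)
		log_print("conf_parse: last line unterminated, ignored.");
}

/*
 * Auto-generate default configuration values for the transforms and
 * suites the user wants.
 *
 * Resulting section names can be:
 *  For main mode:
 *	{BLF,3DES,CAST,AES,AES-{128,192,256}-{MD5,SHA,SHA2-{256,384,512}} \
 *	    [-GRP{1,2,5,14-21,25-30}][-{DSS,RSA_SIG}]
 *  For quick mode:
 *	QM-{proto}[-TRP]-{cipher}[-{hash}][-PFS[-{group}]]-SUITE
 *  where
 *	{proto}  = ESP, AH
 *	{cipher} = 3DES, CAST, BLF, AES, AES-{128,192,256}, AESCTR
 *	{hash}   = MD5, SHA, RIPEMD, SHA2-{256,384,512}
 *	{group}  = GRP{1,2,5,14-21,25-30}
 *
 * DH group defaults to MODP_1024.
 *
 * XXX We may want to support USE_TRIPLEDES, etc...
 * XXX No EC2N DH support here yet.
 */

/*
 * Find the value for a section+tag in the transaction list.
 *
 * Scans the operations queued under TRANS in queue order: the last one
 * with override set wins, otherwise the first match.  Queue entries for
 * section or tag removals carry no tag/value and are skipped, which also
 * keeps NULL out of strcasecmp().  Returns the queued value, still owned
 * by the queue node, or NULL when nothing matching is queued.
 */
static char *
conf_get_trans_str(int trans, char *section, char *tag)
{
	struct conf_trans *node, *nf = 0;

	for (node = TAILQ_FIRST(&conf_trans_queue); node;
	    node = TAILQ_NEXT(node, link))
		if (node->trans == trans && node->section && node->tag &&
		    strcasecmp(section, node->section) == 0 &&
		    strcasecmp(tag, node->tag) == 0) {
			if (!nf)
				nf = node;
			else if (node->override)
				nf = node;
		}
	return nf ? nf->value : 0;
}

#if 0
/* XXX Currently unused.  */
static int
conf_find_trans_xf(int phase, char *xf)
{
	struct conf_trans *node;
	char *p;

	/* Find the relevant transforms and suites, if any.  */
	for (node = TAILQ_FIRST(&conf_trans_queue); node;
	    node = TAILQ_NEXT(node, link))
		if ((phase == 1 && strcmp("Transforms", node->tag) == 0) ||
		    (phase == 2 && strcmp("Suites", node->tag) == 0)) {
			p = node->value;
			while ((p = strstr(p, xf)) != NULL)
				if (*(p + strlen(p)) &&
				    *(p + strlen(p)) != ',')
					p += strlen(p);
				else
					return 1;
		}
	return 0;
}
#endif

/*
 * Queue the default main mode section for one encryption / hash /
 * authentication / DH group combination under transaction TR.
 * MME, MMH, MMA and DHG are the values stored; MME_P, MMH_P, DHG_P and
 * MMA_P are the name fragments that are concatenated, in that order, into
 * the section name (see the naming scheme above).  A KEY_LENGTH is only
 * queued for ciphers that take one.
 */
static void
conf_load_defaults_mm(int tr, char *mme, char *mmh, char *mma, char *dhg,
    char *mme_p, char *mma_p, char *dhg_p, char *mmh_p)
{
	char sect[CONF_SECT_MAX];

	snprintf(sect, sizeof sect, "%s%s%s%s", mme_p, mmh_p, dhg_p, mma_p);

	LOG_DBG((LOG_MISC, 95, "conf_load_defaults_mm: main mode %s", sect));

	conf_set(tr, sect, "ENCRYPTION_ALGORITHM", mme, 0, 1);
	if (strcmp(mme, "BLOWFISH_CBC") == 0)
		conf_set(tr, sect, "KEY_LENGTH", CONF_DFLT_VAL_BLF_KEYLEN, 0,
		    1);
	else if (strcmp(mme_p, "AES-128") == 0)
		conf_set(tr, sect, "KEY_LENGTH", "128,128:128", 0, 1);
	else if (strcmp(mme_p, "AES-192") == 0)
		conf_set(tr, sect, "KEY_LENGTH", "192,192:192", 0, 1);
	else if (strcmp(mme_p, "AES-256") == 0)
		conf_set(tr, sect, "KEY_LENGTH", "256,256:256", 0, 1);
	else if (strcmp(mme, "AES_CBC") == 0)
		conf_set(tr, sect, "KEY_LENGTH", CONF_DFLT_VAL_AES_KEYLEN, 0,
		    1);

	conf_set(tr, sect, "HASH_ALGORITHM", mmh, 0, 1);
	conf_set(tr, sect, "AUTHENTICATION_METHOD", mma, 0, 1);
	conf_set(tr, sect, "GROUP_DESCRIPTION", dhg, 0, 1);
	conf_set(tr, sect, "Life", CONF_DFLT_TAG_LIFE_MAIN_MODE, 0, 1);
}

/*
 * Queue the default quick mode suite, protocol and transform sections for
 * one combination under transaction TR.  PROTO selects AH (1) or ESP (0),
 * MODE transport (1) or tunnel (0), PFS whether a DH group is part of the
 * suite.  QME/QMH/DHG are the stored values, QME_P/QMH_P/DHG_P the name
 * fragments, QM_AH_ID the AH transform id matching QMH.  Combinations that
 * make no sense (AH without a hash or with encryption, ESP without
 * encryption, a group without PFS, GCM/GMAC with a separate hash) are
 * skipped without queueing anything.
 */
static void
conf_load_defaults_qm(int tr, char *qme, char *qmh, char *dhg, char *qme_p,
    char *qmh_p, char *qm_ah_id, char *dhg_p, int proto, int mode, int pfs)
{
	char sect[CONF_SECT_MAX], tmp[CONF_SECT_MAX];

	/* Helper #defines, incl abbreviations. */
#define PROTO(x)  ((x) ? "AH" : "ESP")
#define PFS(x)    ((x) ? "-PFS" : "")
#define MODE(x)   ((x) ? "TRANSPORT" : "TUNNEL")
#define MODE_p(x) ((x) ? "-TRP" : "")

	/* For AH a hash must be present and no encryption is allowed */
	if (proto == 1 && (strcmp(qmh, "NONE") == 0 ||
	    strcmp(qme, "NONE") != 0))
		return;

	/* For ESP encryption must be provided, an empty hash is ok. */
	if (proto == 0 && strcmp(qme, "NONE") == 0)
		return;

	/* When PFS is disabled no DH group must be specified. */
	if (pfs == 0 && strcmp(dhg_p, ""))
		return;

	/* For GCM no additional authentication must be specified */
	if (proto == 0 && strcmp(qmh, "NONE") != 0 &&
	    (strcmp(qme, "AES_GCM_16") == 0 || strcmp(qme, "AES_GMAC") == 0))
		return;

	snprintf(tmp, sizeof tmp, "QM-%s%s%s%s%s%s", PROTO(proto),
	    MODE_p(mode), qme_p, qmh_p, PFS(pfs), dhg_p);

	strlcpy(sect, tmp, CONF_SECT_MAX);
	strlcat(sect, "-SUITE", CONF_SECT_MAX);

	LOG_DBG((LOG_MISC, 95, "conf_load_defaults_qm: quick mode %s", sect));

	/* [<tmp>-SUITE] Protocols=<tmp>, [<tmp>] PROTOCOL_ID/Transforms. */
	conf_set(tr, sect, "Protocols", tmp, 0, 1);
	snprintf(sect, sizeof sect, "IPSEC_%s", PROTO(proto));
	conf_set(tr, tmp, "PROTOCOL_ID", sect, 0, 1);
	strlcpy(sect, tmp, CONF_SECT_MAX);
	strlcat(sect, "-XF", CONF_SECT_MAX);
	conf_set(tr, tmp, "Transforms", sect, 0, 1);

	/*
	 * XXX For now, defaults
	 * contain one xf per protocol.
	 */
	if (proto == 0)
		conf_set(tr, sect, "TRANSFORM_ID", qme, 0, 1);
	else
		conf_set(tr, sect, "TRANSFORM_ID", qm_ah_id, 0, 1);
	if (strcmp(qme, "BLOWFISH") == 0)
		conf_set(tr, sect, "KEY_LENGTH", CONF_DFLT_VAL_BLF_KEYLEN, 0,
		    1);
	else if (strcmp(qme_p, "-AES-128") == 0 ||
	    strcmp(qme_p, "-AESCTR-128") == 0 ||
	    strcmp(qme_p, "-AESGCM-128") == 0 ||
	    strcmp(qme_p, "-AESGMAC-128") == 0)
		conf_set(tr, sect, "KEY_LENGTH", "128,128:128", 0, 1);
	else if (strcmp(qme_p, "-AES-192") == 0 ||
	    strcmp(qme_p, "-AESCTR-192") == 0 ||
	    strcmp(qme_p, "-AESGCM-192") == 0 ||
	    strcmp(qme_p, "-AESGMAC-192") == 0)
		conf_set(tr, sect, "KEY_LENGTH", "192,192:192", 0, 1);
	else if (strcmp(qme_p, "-AES-256") == 0 ||
	    strcmp(qme_p, "-AESCTR-256") == 0 ||
	    strcmp(qme_p, "-AESGCM-256") == 0 ||
	    strcmp(qme_p, "-AESGMAC-256") == 0)
		conf_set(tr, sect, "KEY_LENGTH", "256,256:256", 0, 1);
	else if (strcmp(qme, "AES") == 0)
		conf_set(tr, sect, "KEY_LENGTH", CONF_DFLT_VAL_AES_KEYLEN, 0,
		    1);

	conf_set(tr, sect, "ENCAPSULATION_MODE", MODE(mode), 0, 1);
	if (strcmp(qmh, "NONE")) {
		conf_set(tr, sect, "AUTHENTICATION_ALGORITHM", qmh, 0, 1);

		/* XXX Another shortcut to keep length down */
		if (pfs)
			conf_set(tr, sect, "GROUP_DESCRIPTION", dhg, 0, 1);
	}

	/* XXX Lifetimes depending on enc/auth strength?  */
	conf_set(tr, sect, "Life", CONF_DFLT_TAG_LIFE_QUICK_MODE, 0, 1);
}

/*
 * Queue every built-in default under transaction TR: the General, X509
 * and KeyNote sections, the two lifetime sections, the default phase 1
 * configuration, and then the full cartesian product of main mode and
 * quick mode sections via conf_load_defaults_mm()/_qm().  The parallel
 * arrays below pair each value with the name fragment it contributes to
 * the generated section names; each is terminated by a NULL entry.
 * Defaults are queued with is_default set, so a value from the
 * configuration file queued earlier in the same transaction wins.
 */
static void
conf_load_defaults(int tr)
{
	int enc, auth, hash, group, proto, mode, pfs;
	char *dflt;

	char *mm_auth[] = {"PRE_SHARED", "DSS", "RSA_SIG", 0};
	char *mm_auth_p[] = {"", "-DSS", "-RSA_SIG", 0};
	char *mm_hash[] = {"MD5", "SHA", "SHA2_256", "SHA2_384", "SHA2_512",
	    0};
	char *mm_hash_p[] = {"-MD5", "-SHA", "-SHA2-256", "-SHA2-384",
	    "-SHA2-512", "", 0 };
	char *mm_enc[] = {"BLOWFISH_CBC", "3DES_CBC", "CAST_CBC",
	    "AES_CBC", "AES_CBC", "AES_CBC", "AES_CBC", 0};
	char *mm_enc_p[] = {"BLF", "3DES", "CAST", "AES", "AES-128",
	    "AES-192", "AES-256", 0};
	char *dhgroup[] = {"MODP_1024", "MODP_768", "MODP_1024",
	    "MODP_1536", "MODP_2048", "MODP_3072", "MODP_4096",
	    "MODP_6144", "MODP_8192",
	    "ECP_256", "ECP_384", "ECP_521", "ECP_192", "ECP_224",
	    "BP_224", "BP_256", "BP_384", "BP_512", 0};
	char *dhgroup_p[] = {"", "-GRP1", "-GRP2", "-GRP5", "-GRP14",
	    "-GRP15", "-GRP16", "-GRP17", "-GRP18", "-GRP19", "-GRP20",
	    "-GRP21", "-GRP25", "-GRP26", "-GRP27", "-GRP28", "-GRP29",
	    "-GRP30", 0};
	char *qm_enc[] = {"3DES", "CAST", "BLOWFISH", "AES",
	    "AES", "AES", "AES", "AES_CTR", "AES_CTR", "AES_CTR",
	    "AES_CTR", "AES_GCM_16",
	    "AES_GCM_16", "AES_GCM_16", "AES_GMAC", "AES_GMAC",
	    "AES_GMAC", "NULL", "NONE", 0};
	char *qm_enc_p[] = {"-3DES", "-CAST", "-BLF", "-AES",
	    "-AES-128", "-AES-192", "-AES-256", "-AESCTR",
	    "-AESCTR-128", "-AESCTR-192", "-AESCTR-256",
	    "-AESGCM-128", "-AESGCM-192", "-AESGCM-256",
	    "-AESGMAC-128", "-AESGMAC-192", "-AESGMAC-256", "-NULL",
	    "", 0};
	char *qm_hash[] = {"HMAC_MD5", "HMAC_SHA", "HMAC_RIPEMD",
	    "HMAC_SHA2_256", "HMAC_SHA2_384", "HMAC_SHA2_512", "NONE",
	    0};
	char *qm_hash_p[] = {"-MD5", "-SHA", "-RIPEMD", "-SHA2-256",
	    "-SHA2-384", "-SHA2-512", "", 0};
	char *qm_ah_id[] = {"MD5", "SHA", "RIPEMD", "SHA2_256", "SHA2_384",
	    "SHA2_512", "", 0};

	/* General and X509 defaults */
	conf_set(tr, "General", "Retransmits", CONF_DFLT_RETRANSMITS, 0, 1);
	conf_set(tr, "General", "Exchange-max-time", CONF_DFLT_EXCH_MAX_TIME,
	    0, 1);
	conf_set(tr, "General", "Use-Keynote", CONF_DFLT_USE_KEYNOTE, 0, 1);
	conf_set(tr, "General", "Policy-file", CONF_DFLT_POLICY_FILE, 0, 1);
	conf_set(tr, "General", "Pubkey-directory", CONF_DFLT_PUBKEY_DIR, 0,
	    1);

	conf_set(tr, "X509-certificates", "CA-directory",
	    CONF_DFLT_X509_CA_DIR, 0, 1);
	conf_set(tr, "X509-certificates", "Cert-directory",
	    CONF_DFLT_X509_CERT_DIR, 0, 1);
	conf_set(tr, "X509-certificates", "Private-key",
	    CONF_DFLT_X509_PRIVATE_KEY, 0, 1);
	conf_set(tr, "X509-certificates", "Private-key-directory",
	    CONF_DFLT_X509_PRIVATE_KEY_DIR, 0, 1);
	conf_set(tr, "X509-certificates", "CRL-directory",
	    CONF_DFLT_X509_CRL_DIR, 0, 1);

	conf_set(tr, "KeyNote", "Credential-directory",
	    CONF_DFLT_KEYNOTE_CRED_DIR, 0, 1);

	conf_set(tr, "General", "Delete-SAs", CONF_DFLT_DELETE_SAS, 0, 1);

	/* Lifetimes.  XXX p1/p2 vs main/quick mode may be unclear.  */
	/* A lifetime set in [General] of the file overrides the built-in. */
	dflt = conf_get_trans_str(tr, "General", "Default-phase-1-lifetime");
	conf_set(tr, CONF_DFLT_TAG_LIFE_MAIN_MODE, "LIFE_TYPE",
	    CONF_DFLT_TYPE_LIFE_MAIN_MODE, 0, 1);
	conf_set(tr, CONF_DFLT_TAG_LIFE_MAIN_MODE, "LIFE_DURATION",
	    (dflt ? dflt : CONF_DFLT_VAL_LIFE_MAIN_MODE), 0, 1);

	dflt = conf_get_trans_str(tr, "General", "Default-phase-2-lifetime");
	conf_set(tr, CONF_DFLT_TAG_LIFE_QUICK_MODE, "LIFE_TYPE",
	    CONF_DFLT_TYPE_LIFE_QUICK_MODE, 0, 1);
	conf_set(tr, CONF_DFLT_TAG_LIFE_QUICK_MODE, "LIFE_DURATION",
	    (dflt ? dflt : CONF_DFLT_VAL_LIFE_QUICK_MODE), 0, 1);

	/* Default Phase-1 Configuration section */
	conf_set(tr, CONF_DFLT_TAG_PHASE1_CONFIG, "EXCHANGE_TYPE",
	    CONF_DFLT_PHASE1_EXCH_TYPE, 0, 1);
	conf_set(tr, CONF_DFLT_TAG_PHASE1_CONFIG, "Transforms",
	    CONF_DFLT_PHASE1_TRANSFORMS, 0, 1);

	/* Main modes */
	for (enc = 0; mm_enc[enc]; enc++)
		for (hash = 0; mm_hash[hash]; hash++)
			for (auth = 0; mm_auth[auth]; auth++)
				for (group = 0; dhgroup_p[group]; group++)
					conf_load_defaults_mm(tr, mm_enc[enc],
					    mm_hash[hash], mm_auth[auth],
					    dhgroup[group], mm_enc_p[enc],
					    mm_auth_p[auth], dhgroup_p[group],
					    mm_hash_p[hash]);

	/* Setup a default Phase 1 entry */
	conf_set(tr, "Phase 1", "Default", "Default-phase-1", 0, 1);
	conf_set(tr, "Default-phase-1", "Phase", "1", 0, 1);
	conf_set(tr, "Default-phase-1", "Configuration",
	    "Default-phase-1-configuration", 0, 1);
	dflt = conf_get_trans_str(tr, "General", "Default-phase-1-ID");
	if (dflt)
		conf_set(tr, "Default-phase-1", "ID", dflt, 0, 1);

	/* Quick modes */
	for (enc = 0; qm_enc[enc]; enc++)
		for (proto = 0; proto < 2; proto++)
			for (mode = 0; mode < 2; mode++)
				for (pfs = 0; pfs < 2; pfs++)
					for (hash = 0; qm_hash[hash]; hash++)
						for (group = 0;
						    dhgroup_p[group]; group++)
							conf_load_defaults_qm(
							    tr, qm_enc[enc],
							    qm_hash[hash],
							    dhgroup[group],
							    qm_enc_p[enc],
							    qm_hash_p[hash],
							    qm_ah_id[hash],
							    dhgroup_p[group],
							    proto, mode, pfs);
}

/*
 * Initialize the configuration module: empty every binding bucket and
 * the transaction queue, then load the configuration via conf_reinit().
 */
void
conf_init(void)
{
	unsigned int i;

	for (i = 0; i < sizeof conf_bindings / sizeof conf_bindings[0]; i++)
		LIST_INIT(&conf_bindings[i]);
	TAILQ_INIT(&conf_trans_queue);
	conf_reinit();
}

/* Open the config file and map it into our address space, then parse it.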
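*/
/*
 * (Re)load the configuration.  The file named by conf_path is read in
 * full (it is no longer mmap()ed despite the name) and parsed into a new
 * transaction, the built-in defaults are queued after it, every binding
 * currently live is dropped and the transaction is committed.  When the
 * file cannot be opened, or check_file_secrecy_fd() rejects it, the
 * configuration consists of the defaults only; a missing file (ENOENT)
 * is silent, any other open error is logged.  A read failure leaves the
 * current configuration untouched.
 */
void
conf_reinit(void)
{
	struct conf_binding *cb = 0;
	int fd, trans;
	unsigned int i;
	size_t sz, got;
	ssize_t n;
	char *new_conf_addr = 0;

	fd = monitor_open(conf_path, O_RDONLY, 0);
	if (fd == -1 || check_file_secrecy_fd(fd, conf_path, &sz) == -1) {
		if (fd == -1 && errno != ENOENT)
			log_error("conf_reinit: open(\"%s\", O_RDONLY, 0) "
			    "failed", conf_path);
		if (fd != -1)
			close(fd);

		trans = conf_begin();
	} else {
		new_conf_addr = malloc(sz);
		if (!new_conf_addr) {
			log_error("conf_reinit: malloc (%lu) failed",
			    (unsigned long)sz);
			goto fail;
		}
		/*
		 * read() may return fewer bytes than asked for; keep
		 * reading until the whole file is in or EOF is hit.
		 */
		for (got = 0; got < sz; got += (size_t)n) {
			n = read(fd, new_conf_addr + got, sz - got);
			if (n == -1) {
				log_error("conf_reinit: read (%d, %p, %lu) "
				    "failed", fd, new_conf_addr,
				    (unsigned long)sz);
				goto fail;
			}
			if (n == 0)
				break;
		}
		if (got != sz) {
			/* The file shrank underneath us; do not parse half. */
			log_print("conf_reinit: short read on \"%s\": "
			    "%lu of %lu bytes", conf_path,
			    (unsigned long)got, (unsigned long)sz);
			goto fail;
		}
		close(fd);

		trans = conf_begin();

		/* XXX Should we not care about errors and rollback? */
		conf_parse(trans, new_conf_addr, sz);
	}

	/* Load default configuration values. */
	conf_load_defaults(trans);

	/*
	 * Drop whatever is currently bound, whether or not it came from a
	 * file.  After a first start without a configuration file only the
	 * defaults are live and conf_addr is NULL; leaving them in place
	 * would make every matching tag of a file created later a
	 * "duplicate" that conf_set_now() rejects.
	 */
	for (i = 0; i < sizeof conf_bindings / sizeof conf_bindings[0]; i++)
		for (cb = LIST_FIRST(&conf_bindings[i]); cb;
		    cb = LIST_FIRST(&conf_bindings[i]))
			conf_remove_now(cb->section, cb->tag);
	free(conf_addr);
	conf_end(trans, 1);
	conf_addr = new_conf_addr;
	return;

fail:
	/* Nothing has been queued yet, so there is no transaction to end. */
	free(new_conf_addr);
	close(fd);
}

/*
 * Return the numeric value denoted by TAG in section SECTION or DEF
 * if that tag does not exist.
 *
 * The value is parsed with strtol() so that problems are at least
 * reported: a value with trailing junk (or no digits at all) is logged
 * and yields what atoi() would have, the leading digits or 0; a value
 * that does not fit an int is logged and yields DEF.
 */
int
conf_get_num(char *section, char *tag, int def)
{
	char *value = conf_get_str(section, tag);
	char *end;
	long n;

	if (!value)
		return def;

	errno = 0;
	n = strtol(value, &end, 10);
	if (end == value || *end != '\0') {
		log_print("conf_get_num: [%s]:%s: malformed number \"%s\"",
		    section, tag, value);
		return (int)n;
	}
	if (errno == ERANGE || (long)(int)n != n) {
		log_print("conf_get_num: [%s]:%s: value \"%s\" out of range, "
		    "using %d", section, tag, value, def);
		return def;
	}
	return (int)n;
}

/*
 * Return the socket endpoint address denoted by TAG in SECTION as a
 * struct sockaddr.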
It is the caller's responsibility to deallocate
 * this structure when it is finished with it.
 *
 * Returns NULL both when the tag is not set and when text2sockaddr()
 * cannot parse its value; the caller cannot tell the two apart.
 */
struct sockaddr *
conf_get_address(char *section, char *tag)
{
	char *value = conf_get_str(section, tag);
	struct sockaddr *sa;

	if (!value)
		return 0;
	if (text2sockaddr(value, 0, &sa, 0, 0) == -1)
		return 0;
	return sa;
}

/*
 * Validate X according to the range denoted by TAG in section SECTION.
 *
 * The value is either a single number N, which X must equal, or
 * "N,MIN:MAX" (the form used by the generated KEY_LENGTH defaults), in
 * which case X must lie in [MIN, MAX].  Returns 1 when X is acceptable
 * and 0 when it is not, when the tag is missing, or when the spec is
 * malformed (which is logged as an error).
 */
int
conf_match_num(char *section, char *tag, int x)
{
	char *value = conf_get_str(section, tag);
	int val, min, max, n;

	if (!value)
		return 0;
	n = sscanf(value, "%d,%d:%d", &val, &min, &max);
	switch (n) {
	case 1:
		LOG_DBG((LOG_MISC, 95, "conf_match_num: %s:%s %d==%d?",
		    section, tag, val, x));
		return x == val;
	case 3:
		LOG_DBG((LOG_MISC, 95, "conf_match_num: %s:%s %d<=%d<=%d?",
		    section, tag, min, x, max));
		return min <= x && max >= x;
	default:
		log_error("conf_match_num: section %s tag %s: invalid number "
		    "spec %s", section, tag, value);
	}
	return 0;
}

/*
 * Return the string value denoted by TAG in section SECTION.
 *
 * Both names are compared case-insensitively.  The returned pointer is
 * owned by the binding and becomes invalid once that binding is removed,
 * e.g. by the next conf_reinit(); copy it if it has to outlive the
 * current configuration.  Returns NULL when the tag is not set.
 */
char *
conf_get_str(char *section, char *tag)
{
	struct conf_binding *cb;

	for (cb = LIST_FIRST(&conf_bindings[conf_hash(section)]); cb;
	    cb = LIST_NEXT(cb, link))
		if (strcasecmp(section, cb->section) == 0 &&
		    strcasecmp(tag, cb->tag) == 0) {
			LOG_DBG((LOG_MISC, 95, "conf_get_str: [%s]:%s->%s",
			    section, tag, cb->value));
			return cb->value;
		}
	LOG_DBG((LOG_MISC, 95,
	    "conf_get_str: configuration value not found [%s]:%s", section,
	    tag));
	return 0;
}

/*
 * Build a list of string values out of the comma separated value denoted by
 * TAG in SECTION.
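*/
/*
 * Each field is trimmed of leading and trailing blanks; empty fields are
 * logged and skipped.  The returned list, its nodes and their field
 * strings are owned by the caller and released with conf_free_list().
 * Returns NULL when the tag is not set or on allocation failure.
 */
struct conf_list *
conf_get_list(char *section, char *tag)
{
	char *liststr = 0, *p, *field, *t;
	struct conf_list *list = 0;
	struct conf_list_node *node = 0;

	list = malloc(sizeof *list);
	if (!list)
		goto cleanup;
	TAILQ_INIT(&list->fields);
	list->cnt = 0;
	liststr = conf_get_str(section, tag);
	if (!liststr)
		goto cleanup;
	/* strsep() writes into the string, so work on a private copy. */
	liststr = strdup(liststr);
	if (!liststr)
		goto cleanup;
	p = liststr;
	while ((field = strsep(&p, ",")) != NULL) {
		/* Skip leading whitespace */
		while (isspace((unsigned char)*field))
			field++;
		/*
		 * Skip trailing whitespace.  Trim from the end of the field
		 * itself: the separator position strsep() leaves in p is the
		 * NUL that replaced the comma, which isspace() never matches,
		 * and p is NULL for the last field altogether.
		 */
		for (t = field + strlen(field); t > field &&
		    isspace((unsigned char)t[-1]); t--)
			t[-1] = '\0';
		if (*field == '\0') {
			log_print("conf_get_list: empty field, ignoring...");
			continue;
		}
		list->cnt++;
		node = calloc(1, sizeof *node);
		if (!node)
			goto cleanup;
		node->field = strdup(field);
		if (!node->field)
			goto cleanup;
		TAILQ_INSERT_TAIL(&list->fields, node, link);
	}
	free(liststr);
	return list;

cleanup:
	/* node is only non-NULL here if it was not yet inserted. */
	free(node);
	if (list)
		conf_free_list(list);
	free(liststr);
	return 0;
}

/*
 * Build a list of all tag names that are set in SECTION, in bucket order.
 * Ownership is as for conf_get_list(): release with conf_free_list().
 * Returns NULL on allocation failure.
 */
struct conf_list *
conf_get_tag_list(char *section)
{
	struct conf_list *list = 0;
	struct conf_list_node *node = 0;
	struct conf_binding *cb;

	list = malloc(sizeof *list);
	if (!list)
		goto cleanup;
	TAILQ_INIT(&list->fields);
	list->cnt = 0;
	for (cb = LIST_FIRST(&conf_bindings[conf_hash(section)]); cb;
	    cb = LIST_NEXT(cb, link))
		if (strcasecmp(section, cb->section) == 0) {
			list->cnt++;
			node = calloc(1, sizeof *node);
			if (!node)
				goto cleanup;
			node->field = strdup(cb->tag);
			if (!node->field)
				goto cleanup;
			TAILQ_INSERT_TAIL(&list->fields, node, link);
		}
	return list;

cleanup:
	/* node is only non-NULL here if it was not yet inserted. */
	free(node);
	if (list)
		conf_free_list(list);
	return 0;
}

/* Release a list returned by conf_get_list() or conf_get_tag_list(). */
void
conf_free_list(struct conf_list *list)
{
	struct conf_list_node *node = TAILQ_FIRST(&list->fields);

	while (node) {
		TAILQ_REMOVE(&list->fields, node, link);
		free(node->field);
		free(node);
		node = TAILQ_FIRST(&list->fields);
	}
	free(list);
}

/*
 * Start a new transaction and return its id.  Ids are handed out from a
 * process-wide counter starting at 1, so 0 is never a valid transaction.
 */
int
conf_begin(void)
{
	static int seq = 0;

	return ++seq;
}

/*
 * Queue one operation OP on TRANSACTION.  SECTION, TAG and VALUE are
 * copied when given; a NULL argument stays NULL in the node (removes
 * have no tag and/or value).  OVERRIDE and IS_DEFAULT are only meaningful
 * for CONF_SET.  Returns 0 on success and 1 on allocation failure, in
 * which case nothing is queued.
 */
static int
conf_trans_node(int transaction, enum conf_op op, char *section, char *tag,
    char *value, int override, int is_default)
{
	struct conf_trans *node;

	node = calloc(1, sizeof *node);
	if (!node) {
		log_error("conf_trans_node: calloc (1, %lu) failed",
		    (unsigned long)sizeof *node);
		return 1;
	}
	node->trans = transaction;
	node->op = op;
	node->override = override;
	node->is_default = is_default;
	if (section && (node->section = strdup(section)) == NULL)
		goto fail;
	if (tag && (node->tag = strdup(tag)) == NULL)
		goto fail;
	if (value && (node->value = strdup(value)) == NULL)
		goto fail;
	TAILQ_INSERT_TAIL(&conf_trans_queue, node, link);
	return 0;

fail:
	free(node->section);
	free(node->tag);
	free(node->value);
	free(node);
	return 1;
}

/* Queue a set operation. */
int
conf_set(int transaction, char *section, char *tag, char *value, int override,
    int is_default)
{
	return conf_trans_node(transaction, CONF_SET, section, tag, value,
	    override, is_default);
}

/* Queue a remove operation. */
int
conf_remove(int transaction, char *section, char *tag)
{
	return conf_trans_node(transaction, CONF_REMOVE, section, tag, NULL,
	    0, 0);
}

/* Queue a remove section operation. */
int
conf_remove_section(int transaction, char *section)
{
	return conf_trans_node(transaction, CONF_REMOVE_SECTION, section, NULL,
	    NULL, 0, 0);
}

/* Execute all queued operations for this transaction.  Cleanup.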
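*/
/*
 * Operations queued under TRANSACTION are applied in queue order when
 * COMMIT is non-zero and simply discarded otherwise (a rollback).  Either
 * way their queue entries are freed.  Always returns 0; a failing
 * individual operation is logged by the *_now() helper and does not stop
 * the others.
 */
int
conf_end(int transaction, int commit)
{
	struct conf_trans *node, *next;

	for (node = TAILQ_FIRST(&conf_trans_queue); node; node = next) {
		/* Fetch the successor first; node is freed below. */
		next = TAILQ_NEXT(node, link);
		if (node->trans == transaction) {
			if (commit)
				switch (node->op) {
				case CONF_SET:
					conf_set_now(node->section, node->tag,
					    node->value, node->override,
					    node->is_default);
					break;
				case CONF_REMOVE:
					conf_remove_now(node->section,
					    node->tag);
					break;
				case CONF_REMOVE_SECTION:
					conf_remove_section_now(node->section);
					break;
				default:
					log_print("conf_end: unknown "
					    "operation: %d", node->op);
				}
			TAILQ_REMOVE(&conf_trans_queue, node, link);
			free(node->section);
			free(node->tag);
			free(node->value);
			free(node);
		}
	}
	return 0;
}

/*
 * Dump running configuration upon SIGUSR1.
 * Configuration is "stored in reverse order", so reverse it again.
 *
 * The report is first collected into a singly linked list of dumper
 * nodes and only then printed, tail first.  A node holds one of: a
 * tag/value pair (s and v borrowed from the binding), a section header
 * (s allocated with asprintf(), s_owned set), or a blank separator line
 * (s is a string literal).  s_owned is the single source of truth for
 * what may be free()d, on the normal and on the error path alike; the
 * borrowed tag strings belong to conf_bindings and must never be freed
 * here.
 */
struct dumper {
	char *s, *v;
	int s_owned;		/* s was allocated here and must be freed */
	struct dumper *next;
};

/* Free one dumper node together with the string it owns, if any. */
static void
conf_dumper_free(struct dumper *node)
{
	if (node->s_owned)
		free(node->s);
	free(node);
}

/*
 * Append a fresh zeroed node after *TAIL and advance *TAIL to it.
 * Returns 0 on success and -1 when calloc() fails; *TAIL is then left
 * untouched so the list stays well formed for the caller's cleanup.
 */
static int
conf_dumper_append(struct dumper **tail)
{
	struct dumper *node = calloc(1, sizeof *node);

	if (!node)
		return -1;
	(*tail)->next = node;
	*tail = node;
	return 0;
}

/*
 * Print the collected report in reverse list order and free every node.
 * The list is reversed in place and walked iteratively, so the stack
 * depth does not grow with the number of bindings.
 */
static void
conf_report_dump(struct dumper *node)
{
	struct dumper *prev = NULL, *next;

	while (node) {
		next = node->next;
		node->next = prev;
		prev = node;
		node = next;
	}
	while (prev) {
		next = prev->next;
		if (prev->v)
			LOG_DBG((LOG_REPORT, 0, "%s=\t%s", prev->s, prev->v));
		else if (prev->s)
			LOG_DBG((LOG_REPORT, 0, "%s", prev->s));
		conf_dumper_free(prev);
		prev = next;
	}
}

/*
 * Collect every non-default binding into a dumper list and hand it to
 * conf_report_dump().  Because the list is printed tail first, a section
 * header is queued after the tags that follow a change of section, and a
 * blank separator is queued before the next section's tags; the header
 * of the final section is queued last.  On allocation failure the partial
 * list is released without printing anything.
 */
void
conf_report(void)
{
	struct conf_binding *cb, *last = 0;
	unsigned int i;
	char *current_section = NULL;
	struct dumper *dumper, *dnode;

	dumper = dnode = calloc(1, sizeof *dumper);
	if (!dumper)
		goto mem_fail;

	LOG_DBG((LOG_REPORT, 0, "conf_report: dumping running configuration"));

	for (i = 0; i < sizeof conf_bindings / sizeof conf_bindings[0]; i++)
		for (cb = LIST_FIRST(&conf_bindings[i]); cb;
		    cb = LIST_NEXT(cb, link)) {
			if (cb->is_default)
				continue;
			/* Dump this entry.  */
			if (!current_section || strcmp(cb->section,
			    current_section)) {
				if (current_section) {
					/* Close the previous section: its
					 * header, then a blank line. */
					if (asprintf(&dnode->s, "[%s]",
					    current_section) == -1)
						goto mem_fail;
					dnode->s_owned = 1;
					if (conf_dumper_append(&dnode) == -1)
						goto mem_fail;
					dnode->s = "";
					if (conf_dumper_append(&dnode) == -1)
						goto mem_fail;
				}
				current_section = cb->section;
			}
			dnode->s = cb->tag;
			dnode->v = cb->value;
			if (conf_dumper_append(&dnode) == -1)
				goto mem_fail;
			last = cb;
		}

	if (last) {
		if (asprintf(&dnode->s, "[%s]", last->section) == -1)
			goto mem_fail;
		dnode->s_owned = 1;
	}
	conf_report_dump(dumper);

	return;

mem_fail:
	/*
	 * s_owned is only set after a successful asprintf(), so a node whose
	 * asprintf() just failed, a borrowed tag, or the "" literal is never
	 * passed to free() here.
	 */
	log_error("conf_report: malloc/calloc failed");
	while ((dnode = dumper) != 0) {
		dumper = dumper->next;
		conf_dumper_free(dnode);
	}
}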