1/* $NetBSD: cfparse.y,v 1.18.4.3 2007/08/01 11:52:19 vanhu Exp $ */ 2 3/* Id: cfparse.y,v 1.66 2006/08/22 18:17:17 manubsd Exp */ 4 5%{ 6/* 7 * Copyright (C) 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002 and 2003 WIDE Project. 8 * All rights reserved. 9 * 10 * Redistribution and use in source and binary forms, with or without 11 * modification, are permitted provided that the following conditions 12 * are met: 13 * 1. Redistributions of source code must retain the above copyright 14 * notice, this list of conditions and the following disclaimer. 15 * 2. Redistributions in binary form must reproduce the above copyright 16 * notice, this list of conditions and the following disclaimer in the 17 * documentation and/or other materials provided with the distribution. 18 * 3. Neither the name of the project nor the names of its contributors 19 * may be used to endorse or promote products derived from this software 20 * without specific prior written permission. 21 * 22 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND 23 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 24 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 25 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE 26 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 27 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 28 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 29 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 30 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 31 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 32 * SUCH DAMAGE. 33 */ 34 35#include "config.h" 36 37#include <sys/types.h> 38#include <sys/param.h> 39#include <sys/queue.h> 40#include <sys/socket.h> 41 42#include <netinet/in.h> 43#ifdef HAVE_NETINET6_IPSEC 44# include <netinet6/ipsec.h> 45#else 46# include <netinet/ipsec.h> 47#endif 48 49#ifdef ENABLE_HYBRID 50#include <arpa/inet.h> 51#endif 52 53#include <stdlib.h> 54#include <stdio.h> 55#include <string.h> 56#include <errno.h> 57#include <netdb.h> 58#include <pwd.h> 59#include <grp.h> 60#include <signal.h> 61 62#include "var.h" 63#include "misc.h" 64#include "vmbuf.h" 65#include "plog.h" 66#include "sockmisc.h" 67#include "str2val.h" 68#include "genlist.h" 69#include "debug.h" 70 71#include "cfparse_proto.h" 72#include "cftoken_proto.h" 73#include "algorithm.h" 74#include "localconf.h" 75#include "policy.h" 76#include "sainfo.h" 77#include "oakley.h" 78#include "pfkey.h" 79#include "remoteconf.h" 80#include "grabmyaddr.h" 81#include "isakmp_var.h" 82#include "handler.h" 83#include "isakmp.h" 84#include "nattraversal.h" 85#include "isakmp_frag.h" 86#include "session.h" 87#ifdef ENABLE_HYBRID 88#include "resolv.h" 89#include "isakmp_unity.h" 90#include "isakmp_xauth.h" 91#include "isakmp_cfg.h" 92#endif 93#include "ipsec_doi.h" 94#include "strnames.h" 95#include "gcmalloc.h" 96#include "vendorid.h" 97#include "ipsecConfigTracer.h" 98#include "ipsecMessageTracer.h" 99 100static int num2dhgroup[] = { 101 0, 102 OAKLEY_ATTR_GRP_DESC_MODP768, 103 OAKLEY_ATTR_GRP_DESC_MODP1024, 104 OAKLEY_ATTR_GRP_DESC_EC2N155, 105 OAKLEY_ATTR_GRP_DESC_EC2N185, 106 OAKLEY_ATTR_GRP_DESC_MODP1536, 107 0, 108 0, 109 0, 110 0, 111 0, 112 0, 113 0, 114 0, 115 OAKLEY_ATTR_GRP_DESC_MODP2048, 116 OAKLEY_ATTR_GRP_DESC_MODP3072, 117 OAKLEY_ATTR_GRP_DESC_MODP4096, 118 OAKLEY_ATTR_GRP_DESC_MODP6144, 119 OAKLEY_ATTR_GRP_DESC_MODP8192 120}; 121 122struct remote_index_val { 123 int prefix; 124 struct sockaddr_storage *addr; 125}; 126 127static struct remoteconf *cur_rmconf; 128static int tmpalgtype[MAXALGCLASS]; 129static struct sainfo *cur_sainfo; 130static int cur_algclass; 131 132static struct proposalspec *newprspec (void); 133static void insprspec (struct proposalspec *, struct proposalspec **); 134static struct secprotospec *newspspec (void); 135static void insspspec (struct secprotospec *, struct proposalspec **); 136 137static int set_isakmp_proposal (struct remoteconf *, struct proposalspec *); 138static void clean_tmpalgtype (void); 139static int expand_isakmpspec (int, int, int *, 140 int, int, time_t, int, int, int, char *, struct remoteconf *); 141static int listen_addr (struct sockaddr_storage *addr, int udp_encap); 142 143void freeetypes (struct etypes **etypes); 144 145#if 0 146static int fix_lifebyte (u_long); 147#endif 148%} 149 150%union { 151 unsigned long num; 152 vchar_t *val; 153 struct remoteconf *rmconf; 154 struct sockaddr_storage *saddr; 155 struct sainfoalg *alg; 156 struct remote_index_val *rmidx; 157} 158 159 /* path */ 160%token PATH PATHTYPE 161 /* include */ 162%token INCLUDE 163 /* self information */ 164%token IDENTIFIER VENDORID 165 /* logging */ 166%token LOGGING LOGLEV 167 /* padding */ 168%token PADDING PAD_RANDOMIZE PAD_RANDOMIZELEN PAD_MAXLEN PAD_STRICT PAD_EXCLTAIL 169 /* listen */ 170%token LISTEN X_ISAKMP X_ISAKMP_NATT X_ADMIN STRICT_ADDRESS ADMINSOCK DISABLED 171 /* modecfg */ 172%token MODECFG CFG_NET4 CFG_MASK4 CFG_DNS4 CFG_NBNS4 CFG_DEFAULT_DOMAIN 173%token CFG_AUTH_SOURCE CFG_AUTH_GROUPS CFG_SYSTEM CFG_RADIUS CFG_PAM CFG_LDAP CFG_LOCAL CFG_NONE 174%token CFG_GROUP_SOURCE CFG_ACCOUNTING CFG_CONF_SOURCE CFG_MOTD CFG_POOL_SIZE CFG_AUTH_THROTTLE 175%token CFG_SPLIT_NETWORK CFG_SPLIT_LOCAL CFG_SPLIT_INCLUDE CFG_SPLIT_DNS 176%token CFG_PFS_GROUP CFG_SAVE_PASSWD 177 /* timer */ 178%token RETRY RETRY_COUNTER RETRY_INTERVAL RETRY_PERSEND 179%token RETRY_PHASE1 RETRY_PHASE2 NATT_KA AUTO_EXIT_DELAY 180 /* algorithm */ 181%token ALGORITHM_CLASS ALGORITHMTYPE STRENGTHTYPE 182 /* sainfo */ 183%token SAINFO FROM GROUP 184 /* remote */ 185%token REMOTE ANONYMOUS INHERIT 186%token EXCHANGE_MODE EXCHANGETYPE DOI DOITYPE SITUATION SITUATIONTYPE 187%token CERTIFICATE_TYPE CERTTYPE PEERS_CERTFILE CA_TYPE 188%token VERIFY_CERT SEND_CERT SEND_CR 189%token IDENTIFIERTYPE IDENTIFIERQUAL MY_IDENTIFIER 190%token PEERS_IDENTIFIER VERIFY_IDENTIFIER 191%token LOCAL_ADDRESS 192%token SHARED_SECRET SECRETTYPE 193%token OPEN_DIR_AUTH_GROUP IN_KEYCHAIN 194%token CERTIFICATE_VERIFICATION VERIFICATION_MODULE VERIFICATION_OPTION 195%token DNSSEC CERT_X509 CERT_PLAINRSA 196%token NONCE_SIZE DH_GROUP KEEPALIVE PASSIVE INITIAL_CONTACT 197%token NAT_TRAVERSAL REMOTE_FORCE_LEVEL NAT_TRAVERSAL_LEVEL NAT_TRAVERSAL_MULTI_USER NAT_TRAVERSAL_KEEPALIVE 198%token PROPOSAL_CHECK PROPOSAL_CHECK_LEVEL 199%token GENERATE_POLICY GENERATE_LEVEL SUPPORT_PROXY 200%token PROPOSAL 201%token EXEC_PATH EXEC_COMMAND EXEC_SUCCESS EXEC_FAILURE 202%token GSS_ID GSS_ID_ENC GSS_ID_ENCTYPE 203%token COMPLEX_BUNDLE 204%token DPD DPD_DELAY DPD_RETRY DPD_MAXFAIL DPD_ALGORITHM 205%token DISCONNECT_ON_IDLE IDLE_TIMEOUT IDLE_DIRECTION 206%token XAUTH_LOGIN WEAK_PHASE1_CHECK 207 208%token PREFIX PORT PORTANY UL_PROTO ANY IKE_FRAG ESP_FRAG MODE_CFG 209%token PFS_GROUP LIFETIME LIFETYPE_TIME LIFETYPE_BYTE STRENGTH REMOTEID 210 211%token NUMBER SWITCH BOOLEAN 212%token HEXSTRING QUOTEDSTRING ADDRSTRING ADDRRANGE 213%token UNITTYPE_BYTE UNITTYPE_KBYTES UNITTYPE_MBYTES UNITTYPE_TBYTES 214%token UNITTYPE_SEC UNITTYPE_MIN UNITTYPE_HOUR 215%token EOS BOC EOC COMMA 216%token DPD_ALGO_TYPE_DEFAULT DPD_ALGO_TYPE_INBOUND DPD_ALGO_TYPE_BLACKHOLE 217%token IDLE_DIRECTION_IN IDLE_DIRECTION_OUT IDLE_DIRECTION_ANY IKE_VERSION 218 219%type <num> NUMBER BOOLEAN SWITCH keylength 220%type <num> PATHTYPE IDENTIFIERTYPE IDENTIFIERQUAL LOGLEV GSS_ID_ENCTYPE 221%type <num> SECRETTYPE 222%type <num> ALGORITHM_CLASS dh_group_num 223%type <num> ALGORITHMTYPE STRENGTHTYPE 224%type <num> PREFIX prefix PORT port ike_port 225%type <num> ul_proto UL_PROTO 226%type <num> EXCHANGETYPE DOITYPE SITUATIONTYPE 227%type <num> CERTTYPE CERT_X509 CERT_PLAINRSA PROPOSAL_CHECK_LEVEL NAT_TRAVERSAL_LEVEL GENERATE_LEVEL 228%type <num> VERIFICATION_MODULE VERIFICATION_OPTION 229%type <num> unittype_time unittype_byte 230%type <val> QUOTEDSTRING HEXSTRING ADDRSTRING ADDRRANGE sainfo_id 231%type <val> identifierstring 232%type <saddr> ike_addrinfo_port 233%type <alg> algorithm 234%type <num> dpd_algo_type 235%type <num> idle_dir_type 236%type <rmidx> remote_index ike_addrinfo_prefix_port 237 238%% 239 240statements 241 : /* nothing */ 242 | statements statement 243 ; 244statement 245 : path_statement 246 | include_statement 247 | identifier_statement 248 | logging_statement 249 | padding_statement 250 | listen_statement 251 | modecfg_statement 252 | timer_statement 253 | sainfo_statement 254 | remote_statement 255 | special_statement 256 ; 257 258 /* path */ 259path_statement 260 : PATH PATHTYPE QUOTEDSTRING 261 { 262 if ($2 >= LC_PATHTYPE_MAX) { 263 racoon_yyerror("invalid path type %d", $2); 264 return -1; 265 } 266 267 /* free old pathinfo */ 268 if (lcconf->pathinfo[$2]) 269 racoon_free(lcconf->pathinfo[$2]); 270 271 /* set new pathinfo */ 272 lcconf->pathinfo[$2] = racoon_strdup($3->v); 273 STRDUP_FATAL(lcconf->pathinfo[$2]); 274 vfree($3); 275 } 276 EOS 277 ; 278 279 /* special */ 280special_statement 281 : COMPLEX_BUNDLE SWITCH { lcconf->complex_bundle = $2; } EOS 282 ; 283 284 /* include */ 285include_statement 286 : INCLUDE QUOTEDSTRING EOS 287 { 288 char path[MAXPATHLEN]; 289 290 getpathname(path, sizeof(path), 291 LC_PATHTYPE_INCLUDE, $2->v); 292 vfree($2); 293 if (yycf_switch_buffer(path) != 0) 294 return -1; 295 } 296 ; 297 298 /* self information */ 299identifier_statement 300 : IDENTIFIER identifier_stmt 301 ; 302identifier_stmt 303 : VENDORID 304 { 305 /*XXX to be deleted */ 306 } 307 QUOTEDSTRING EOS 308 | IDENTIFIERTYPE QUOTEDSTRING 309 { 310 /*XXX to be deleted */ 311 $2->l--; /* nuke '\0' */ 312 lcconf->ident[$1] = $2; 313 if (lcconf->ident[$1] == NULL) { 314 racoon_yyerror("failed to set my ident: %s", 315 strerror(errno)); 316 return -1; 317 } 318 } 319 EOS 320 ; 321 322 /* logging */ 323logging_statement 324 : LOGGING log_level EOS 325 ; 326log_level 327 : QUOTEDSTRING 328 { 329 /* 330 * XXX ignore it because this specification 331 * will be obsoleted. 332 */ 333 plogsetlevelquotedstr($1->v); 334 vfree($1); 335 } 336 | LOGLEV 337 { 338 plogsetlevel($1); 339 } 340 ; 341 342 /* padding */ 343padding_statement 344 : PADDING BOC padding_stmts EOC 345 ; 346padding_stmts 347 : /* nothing */ 348 | padding_stmts padding_stmt 349 ; 350padding_stmt 351 : PAD_RANDOMIZE SWITCH { lcconf->pad_random = $2; } EOS 352 | PAD_RANDOMIZELEN SWITCH { lcconf->pad_randomlen = $2; } EOS 353 | PAD_MAXLEN NUMBER { lcconf->pad_maxsize = $2; } EOS 354 | PAD_STRICT SWITCH { lcconf->pad_strict = $2; } EOS 355 | PAD_EXCLTAIL SWITCH { lcconf->pad_excltail = $2; } EOS 356 ; 357 358 /* listen */ 359listen_statement 360 : LISTEN BOC listen_stmts EOC 361 ; 362listen_stmts 363 : /* nothing */ 364 | listen_stmts listen_stmt 365 ; 366listen_stmt 367 : X_ISAKMP ike_addrinfo_port 368 { 369 listen_addr ($2, 0); 370 } 371 EOS 372 | X_ISAKMP_NATT ike_addrinfo_port 373 { 374#ifdef ENABLE_NATT 375 listen_addr ($2, 1); 376#else 377 racoon_yyerror("NAT-T support not compiled in."); 378#endif 379 } 380 EOS 381 | X_ADMIN 382 { 383 racoon_yyerror("admin directive is obsoleted."); 384 } 385 PORT EOS 386 | ADMINSOCK QUOTEDSTRING QUOTEDSTRING QUOTEDSTRING NUMBER 387 { 388 racoon_yywarn("admin port support not compiled in"); 389 } 390 EOS 391 | ADMINSOCK QUOTEDSTRING 392 { 393 racoon_yywarn("admin port support not compiled in"); 394 } 395 EOS 396 | ADMINSOCK DISABLED 397 { 398 racoon_yywarn("admin port support not compiled in"); 399 } 400 EOS 401 | STRICT_ADDRESS { lcconf->strict_address = TRUE; } EOS 402 ; 403ike_addrinfo_port 404 : ADDRSTRING ike_port 405 { 406 char portbuf[10]; 407 408 snprintf(portbuf, sizeof(portbuf), "%ld", $2); 409 $$ = str2saddr($1->v, portbuf); 410 vfree($1); 411 if (!$$) 412 return -1; 413 } 414 ; 415ike_addrinfo_prefix_port 416 : ADDRSTRING prefix ike_port 417 { 418 char portbuf[10]; 419 struct remote_index_val *new; 420 421 new = racoon_calloc(1, sizeof(*new)); 422 if (new == NULL) { 423 racoon_yyerror("failed to allocate remote index struct"); 424 vfree($1); 425 return -1; 426 } 427 snprintf(portbuf, sizeof(portbuf), "%ld", $3); 428 new->addr = str2saddr($1->v, portbuf); 429 vfree($1); 430 if (!new->addr) { 431 racoon_yyerror("failed to allocate sockaddr storage"); 432 return -1; 433 } 434 new->prefix = $2; 435 $$ = new; 436 } 437 ; 438ike_port 439 : /* nothing */ { $$ = PORT_ISAKMP; } 440 | PORT { $$ = $1; } 441 ; 442 /* modecfg */ 443modecfg_statement 444 : MODECFG BOC modecfg_stmts EOC 445 ; 446modecfg_stmts 447 : /* nothing */ 448 | modecfg_stmts modecfg_stmt 449 ; 450modecfg_stmt 451 : CFG_NET4 ADDRSTRING 452 { 453#ifdef ENABLE_HYBRID 454 if (inet_pton(AF_INET, $2->v, 455 &isakmp_cfg_config.network4) != 1) 456 racoon_yyerror("bad IPv4 network address."); 457 vfree($2); 458#else 459 racoon_yyerror("racoon not configured with --enable-hybrid"); 460#endif 461 } 462 EOS 463 | CFG_MASK4 ADDRSTRING 464 { 465#ifdef ENABLE_HYBRID 466 if (inet_pton(AF_INET, $2->v, 467 &isakmp_cfg_config.netmask4) != 1) 468 racoon_yyerror("bad IPv4 netmask address."); 469 vfree($2); 470#else 471 racoon_yyerror("racoon not configured with --enable-hybrid"); 472#endif 473 } 474 EOS 475 | CFG_DNS4 addrdnslist 476 EOS 477 | CFG_NBNS4 addrwinslist 478 EOS 479 | CFG_SPLIT_NETWORK CFG_SPLIT_LOCAL splitnetlist 480 { 481#ifdef ENABLE_HYBRID 482 isakmp_cfg_config.splitnet_type = UNITY_LOCAL_LAN; 483#else 484 racoon_yyerror("racoon not configured with --enable-hybrid"); 485#endif 486 } 487 EOS 488 | CFG_SPLIT_NETWORK CFG_SPLIT_INCLUDE splitnetlist 489 { 490#ifdef ENABLE_HYBRID 491 isakmp_cfg_config.splitnet_type = UNITY_SPLIT_INCLUDE; 492#else 493 racoon_yyerror("racoon not configured with --enable-hybrid"); 494#endif 495 } 496 EOS 497 | CFG_SPLIT_DNS splitdnslist 498 { 499#ifndef ENABLE_HYBRID 500 racoon_yyerror("racoon not configured with --enable-hybrid"); 501#endif 502 } 503 EOS 504 | CFG_DEFAULT_DOMAIN QUOTEDSTRING 505 { 506#ifdef ENABLE_HYBRID 507 strlcpy(&isakmp_cfg_config.default_domain[0], 508 $2->v, sizeof(isakmp_cfg_config.default_domain)); 509 vfree($2); 510#else 511 racoon_yyerror("racoon not configured with --enable-hybrid"); 512#endif 513 } 514 EOS 515 | CFG_AUTH_SOURCE CFG_SYSTEM 516 { 517#ifdef ENABLE_HYBRID 518 isakmp_cfg_config.authsource = ISAKMP_CFG_AUTH_SYSTEM; 519#else 520 racoon_yyerror("racoon not configured with --enable-hybrid"); 521#endif 522 } 523 EOS 524 | CFG_AUTH_SOURCE CFG_RADIUS 525 { 526#ifdef ENABLE_HYBRID 527 racoon_yyerror("racoon not configured with --with-libradius"); 528#else /* ENABLE_HYBRID */ 529 racoon_yyerror("racoon not configured with --enable-hybrid"); 530#endif /* ENABLE_HYBRID */ 531 } 532 EOS 533 | CFG_AUTH_SOURCE CFG_PAM 534 { 535#ifdef ENABLE_HYBRID 536 racoon_yyerror("racoon not configured with --with-libpam"); 537#else /* ENABLE_HYBRID */ 538 racoon_yyerror("racoon not configured with --enable-hybrid"); 539#endif /* ENABLE_HYBRID */ 540 } 541 EOS 542 | CFG_AUTH_SOURCE CFG_LDAP 543 { 544#ifdef ENABLE_HYBRID 545 racoon_yyerror("racoon not configured with --with-libldap"); 546#else /* ENABLE_HYBRID */ 547 racoon_yyerror("racoon not configured with --enable-hybrid"); 548#endif /* ENABLE_HYBRID */ 549 } 550 EOS 551 | CFG_AUTH_GROUPS authgrouplist 552 { 553#ifndef ENABLE_HYBRID 554 racoon_yyerror("racoon not configured with --enable-hybrid"); 555#endif 556 } 557 EOS 558 | CFG_GROUP_SOURCE CFG_SYSTEM 559 { 560#ifdef ENABLE_HYBRID 561 isakmp_cfg_config.groupsource = ISAKMP_CFG_GROUP_SYSTEM; 562#else 563 racoon_yyerror("racoon not configured with --enable-hybrid"); 564#endif 565 } 566 EOS 567 | CFG_GROUP_SOURCE CFG_LDAP 568 { 569#ifdef ENABLE_HYBRID 570 racoon_yyerror("racoon not configured with --with-libldap"); 571#else /* ENABLE_HYBRID */ 572 racoon_yyerror("racoon not configured with --enable-hybrid"); 573#endif /* ENABLE_HYBRID */ 574 } 575 EOS 576 | CFG_ACCOUNTING CFG_NONE 577 { 578#ifdef ENABLE_HYBRID 579 isakmp_cfg_config.accounting = ISAKMP_CFG_ACCT_NONE; 580#else 581 racoon_yyerror("racoon not configured with --enable-hybrid"); 582#endif 583 } 584 EOS 585 | CFG_ACCOUNTING CFG_SYSTEM 586 { 587#ifdef ENABLE_HYBRID 588 isakmp_cfg_config.accounting = ISAKMP_CFG_ACCT_SYSTEM; 589#else 590 racoon_yyerror("racoon not configured with --enable-hybrid"); 591#endif 592 } 593 EOS 594 | CFG_ACCOUNTING CFG_RADIUS 595 { 596#ifdef ENABLE_HYBRID 597 racoon_yyerror("racoon not configured with --with-libradius"); 598#else /* ENABLE_HYBRID */ 599 racoon_yyerror("racoon not configured with --enable-hybrid"); 600#endif /* ENABLE_HYBRID */ 601 } 602 EOS 603 | CFG_ACCOUNTING CFG_PAM 604 { 605#ifdef ENABLE_HYBRID 606 racoon_yyerror("racoon not configured with --with-libpam"); 607#else /* ENABLE_HYBRID */ 608 racoon_yyerror("racoon not configured with --enable-hybrid"); 609#endif /* ENABLE_HYBRID */ 610 } 611 EOS 612 | CFG_POOL_SIZE NUMBER 613 { 614#ifdef ENABLE_HYBRID 615 if (isakmp_cfg_resize_pool($2) != 0) 616 racoon_yyerror("cannot allocate memory for pool"); 617#else /* ENABLE_HYBRID */ 618 racoon_yyerror("racoon not configured with --enable-hybrid"); 619#endif /* ENABLE_HYBRID */ 620 } 621 EOS 622 | CFG_PFS_GROUP NUMBER 623 { 624#ifdef ENABLE_HYBRID 625 isakmp_cfg_config.pfs_group = $2; 626 switch (isakmp_cfg_config.pfs_group) 627 { 628 case OAKLEY_ATTR_GRP_DESC_MODP768: 629 case OAKLEY_ATTR_GRP_DESC_MODP1024: 630 case OAKLEY_ATTR_GRP_DESC_MODP1536: 631 case OAKLEY_ATTR_GRP_DESC_MODP2048: 632 case OAKLEY_ATTR_GRP_DESC_MODP3072: 633 case OAKLEY_ATTR_GRP_DESC_MODP4096: 634 case OAKLEY_ATTR_GRP_DESC_MODP6144: 635 case OAKLEY_ATTR_GRP_DESC_MODP8192: 636 break; 637 default: 638 racoon_yyerror("Invalid PFS group specified"); 639 return -1; 640 break; 641 } 642#else /* ENABLE_HYBRID */ 643 racoon_yyerror("racoon not configured with --enable-hybrid"); 644#endif /* ENABLE_HYBRID */ 645 } 646 EOS 647 | CFG_SAVE_PASSWD SWITCH 648 { 649#ifdef ENABLE_HYBRID 650 isakmp_cfg_config.save_passwd = $2; 651#else /* ENABLE_HYBRID */ 652 racoon_yyerror("racoon not configured with --enable-hybrid"); 653#endif /* ENABLE_HYBRID */ 654 } 655 EOS 656 | CFG_AUTH_THROTTLE NUMBER 657 { 658#ifdef ENABLE_HYBRID 659 isakmp_cfg_config.auth_throttle = $2; 660#else /* ENABLE_HYBRID */ 661 racoon_yyerror("racoon not configured with --enable-hybrid"); 662#endif /* ENABLE_HYBRID */ 663 } 664 EOS 665 | CFG_CONF_SOURCE CFG_LOCAL 666 { 667#ifdef ENABLE_HYBRID 668 isakmp_cfg_config.confsource = ISAKMP_CFG_CONF_LOCAL; 669#else /* ENABLE_HYBRID */ 670 racoon_yyerror("racoon not configured with --enable-hybrid"); 671#endif /* ENABLE_HYBRID */ 672 } 673 EOS 674 | CFG_CONF_SOURCE CFG_RADIUS 675 { 676#ifdef ENABLE_HYBRID 677 racoon_yyerror("racoon not configured with --with-libradius"); 678#else /* ENABLE_HYBRID */ 679 racoon_yyerror("racoon not configured with --enable-hybrid"); 680#endif /* ENABLE_HYBRID */ 681 } 682 EOS 683 | CFG_CONF_SOURCE CFG_LDAP 684 { 685#ifdef ENABLE_HYBRID 686 racoon_yyerror("racoon not configured with --with-libldap"); 687#else /* ENABLE_HYBRID */ 688 racoon_yyerror("racoon not configured with --enable-hybrid"); 689#endif /* ENABLE_HYBRID */ 690 } 691 EOS 692 | CFG_MOTD QUOTEDSTRING 693 { 694#ifdef ENABLE_HYBRID 695 strlcpy(&isakmp_cfg_config.motd[0], $2->v, sizeof(isakmp_cfg_config.motd)); 696 vfree($2); 697#else 698 racoon_yyerror("racoon not configured with --enable-hybrid"); 699#endif 700 } 701 EOS 702 ; 703 704addrdnslist 705 : addrdns 706 | addrdns COMMA addrdnslist 707 ; 708addrdns 709 : ADDRSTRING 710 { 711#ifdef ENABLE_HYBRID 712 struct isakmp_cfg_config *icc = &isakmp_cfg_config; 713 714 if (icc->dns4_index > MAXNS) { 715 racoon_yyerror("No more than %d DNS", MAXNS); 716 return -1; 717 } 718 if (inet_pton(AF_INET, $1->v, 719 &icc->dns4[icc->dns4_index++]) != 1) 720 racoon_yyerror("bad IPv4 DNS address."); 721 722 vfree($1); 723#else 724 racoon_yyerror("racoon not configured with --enable-hybrid"); 725#endif 726 } 727 ; 728 729addrwinslist 730 : addrwins 731 | addrwins COMMA addrwinslist 732 ; 733addrwins 734 : ADDRSTRING 735 { 736#ifdef ENABLE_HYBRID 737 struct isakmp_cfg_config *icc = &isakmp_cfg_config; 738 739 if (icc->nbns4_index > MAXWINS) { 740 racoon_yyerror("No more than %d WINS", MAXWINS); 741 return -1; 742 } 743 if (inet_pton(AF_INET, $1->v, 744 &icc->nbns4[icc->nbns4_index++]) != 1) 745 racoon_yyerror("bad IPv4 WINS address."); 746 747 vfree($1); 748#else 749 racoon_yyerror("racoon not configured with --enable-hybrid"); 750#endif 751 } 752 ; 753 754splitnetlist 755 : splitnet 756 | splitnetlist COMMA splitnet 757 ; 758splitnet 759 : ADDRSTRING PREFIX 760 { 761#ifdef ENABLE_HYBRID 762 struct isakmp_cfg_config *icc = &isakmp_cfg_config; 763 struct unity_network network; 764 765 if (inet_pton(AF_INET, $1->v, &network.addr4) != 1) 766 racoon_yyerror("bad IPv4 SPLIT address."); 767 768 /* Turn $2 (the prefix) into a subnet mask */ 769 network.mask4.s_addr = ($2) ? htonl(~((1 << (32 - $2)) - 1)) : 0; 770 771 /* add the network to our list */ 772 if (splitnet_list_add(&icc->splitnet_list, &network,&icc->splitnet_count)) 773 racoon_yyerror("Unable to allocate split network"); 774 775 vfree($1); 776#else 777 racoon_yyerror("racoon not configured with --enable-hybrid"); 778#endif 779 } 780 ; 781 782authgrouplist 783 : authgroup 784 | authgroup COMMA authgrouplist 785 ; 786authgroup 787 : QUOTEDSTRING 788 { 789#ifdef ENABLE_HYBRID 790 char * groupname = NULL; 791 char ** grouplist = NULL; 792 struct isakmp_cfg_config *icc = &isakmp_cfg_config; 793 794 grouplist = racoon_realloc(icc->grouplist, 795 sizeof(char**)*(icc->groupcount+1)); 796 if (grouplist == NULL) 797 racoon_yyerror("unable to allocate auth group list"); 798 799 groupname = racoon_malloc($1->l+1); 800 if (groupname == NULL) 801 racoon_yyerror("unable to allocate auth group name"); 802 803 memcpy(groupname,$1->v,$1->l); 804 groupname[$1->l]=0; 805 grouplist[icc->groupcount]=groupname; 806 icc->grouplist = grouplist; 807 icc->groupcount++; 808 809 vfree($1); 810#else 811 racoon_yyerror("racoon not configured with --enable-hybrid"); 812#endif 813 } 814 ; 815 816splitdnslist 817 : splitdns 818 | splitdns COMMA splitdnslist 819 ; 820splitdns 821 : QUOTEDSTRING 822 { 823#ifdef ENABLE_HYBRID 824 struct isakmp_cfg_config *icc = &isakmp_cfg_config; 825 826 if (!icc->splitdns_len) 827 { 828 icc->splitdns_list = racoon_malloc($1->l); 829 if(icc->splitdns_list == NULL) 830 racoon_yyerror("error allocating splitdns list buffer"); 831 memcpy(icc->splitdns_list,$1->v,$1->l); 832 icc->splitdns_len = $1->l; 833 } 834 else 835 { 836 int len = icc->splitdns_len + $1->l + 1; 837 icc->splitdns_list = racoon_realloc(icc->splitdns_list,len); 838 if(icc->splitdns_list == NULL) 839 racoon_yyerror("error allocating splitdns list buffer"); 840 icc->splitdns_list[icc->splitdns_len] = ','; 841 memcpy(icc->splitdns_list + icc->splitdns_len + 1, $1->v, $1->l); 842 icc->splitdns_len = len; 843 } 844 vfree($1); 845#else 846 racoon_yyerror("racoon not configured with --enable-hybrid"); 847#endif 848 } 849 ; 850 851 852 /* timer */ 853timer_statement 854 : RETRY BOC timer_stmts EOC 855 ; 856timer_stmts 857 : /* nothing */ 858 | timer_stmts timer_stmt 859 ; 860timer_stmt 861 : RETRY_COUNTER NUMBER 862 { 863 lcconf->retry_counter = $2; 864 } 865 EOS 866 | RETRY_INTERVAL NUMBER unittype_time 867 { 868 lcconf->retry_interval = $2 * $3; 869 } 870 EOS 871 | RETRY_PERSEND NUMBER 872 { 873 lcconf->count_persend = $2; 874 } 875 EOS 876 | RETRY_PHASE1 NUMBER unittype_time 877 { 878 lcconf->retry_checkph1 = $2 * $3; 879 } 880 EOS 881 | RETRY_PHASE2 NUMBER unittype_time 882 { 883 lcconf->wait_ph2complete = $2 * $3; 884 } 885 EOS 886 | AUTO_EXIT_DELAY NUMBER unittype_time 887 { 888 lcconf->auto_exit_delay = $2 * $3; 889 lcconf->auto_exit_state |= LC_AUTOEXITSTATE_SET; 890 } 891 EOS 892 893 | NATT_KA NUMBER unittype_time 894 { 895#ifdef ENABLE_NATT 896 lcconf->natt_ka_interval = $2 * $3; 897#else 898 racoon_yyerror("NAT-T support not compiled in."); 899#endif 900 } 901 EOS 902 ; 903 904 /* sainfo */ 905sainfo_statement 906 : SAINFO 907 { 908 cur_sainfo = create_sainfo(); 909 if (cur_sainfo == NULL) { 910 racoon_yyerror("failed to allocate sainfo"); 911 return -1; 912 } 913 } 914 sainfo_name sainfo_param BOC sainfo_specs 915 { 916 struct sainfo *check; 917 918 /* default */ 919 if (cur_sainfo->algs[algclass_ipsec_enc] == 0) { 920 racoon_yyerror("no encryption algorithm at %s", 921 sainfo2str(cur_sainfo)); 922 return -1; 923 } 924 if (cur_sainfo->algs[algclass_ipsec_auth] == 0) { 925 racoon_yyerror("no authentication algorithm at %s", 926 sainfo2str(cur_sainfo)); 927 return -1; 928 } 929 if (cur_sainfo->algs[algclass_ipsec_comp] == 0) { 930 racoon_yyerror("no compression algorithm at %s", 931 sainfo2str(cur_sainfo)); 932 return -1; 933 } 934 935 /* duplicate check */ 936 check = getsainfo(cur_sainfo->idsrc, 937 cur_sainfo->iddst, 938 cur_sainfo->id_i, 0); 939 if (check && (!check->idsrc && !cur_sainfo->idsrc)) { 940 racoon_yyerror("duplicated sainfo: %s", 941 sainfo2str(cur_sainfo)); 942 return -1; 943 } 944 inssainfo(cur_sainfo); 945 } 946 EOC 947 ; 948sainfo_name 949 : ANONYMOUS 950 { 951 cur_sainfo->idsrc = NULL; 952 cur_sainfo->iddst = NULL; 953 } 954 | ANONYMOUS sainfo_id 955 { 956 cur_sainfo->idsrc = NULL; 957 cur_sainfo->iddst = $2; 958 } 959 | sainfo_id ANONYMOUS 960 { 961 cur_sainfo->idsrc = $1; 962 cur_sainfo->iddst = NULL; 963 } 964 | sainfo_id sainfo_id 965 { 966 cur_sainfo->idsrc = $1; 967 cur_sainfo->iddst = $2; 968 } 969 ; 970sainfo_id 971 : IDENTIFIERTYPE ADDRSTRING prefix port ul_proto 972 { 973 char portbuf[10]; 974 struct sockaddr_storage *saddr; 975 976 if (($5 == IPPROTO_ICMP || $5 == IPPROTO_ICMPV6) 977 && ($4 != IPSEC_PORT_ANY || $4 != IPSEC_PORT_ANY)) { 978 racoon_yyerror("port number must be \"any\"."); 979 return -1; 980 } 981 982 snprintf(portbuf, sizeof(portbuf), "%lu", $4); 983 saddr = str2saddr($2->v, portbuf); 984 vfree($2); 985 if (saddr == NULL) 986 return -1; 987 988 switch (saddr->ss_family) { 989 case AF_INET: 990 if ($5 == IPPROTO_ICMPV6) { 991 racoon_yyerror("upper layer protocol mismatched.\n"); 992 racoon_free(saddr); 993 return -1; 994 } 995 $$ = ipsecdoi_sockaddr2id(saddr, 996 $3 == ~0 ? (sizeof(struct in_addr) << 3): $3, 997 $5); 998 break; 999#ifdef INET6 1000 case AF_INET6: 1001 if ($5 == IPPROTO_ICMP) { 1002 racoon_yyerror("upper layer protocol mismatched.\n"); 1003 racoon_free(saddr); 1004 return -1; 1005 } 1006 $$ = ipsecdoi_sockaddr2id(saddr, 1007 $3 == ~0 ? (sizeof(struct in6_addr) << 3): $3, 1008 $5); 1009 break; 1010#endif 1011 default: 1012 racoon_yyerror("invalid family: %d", saddr->ss_family); 1013 $$ = NULL; 1014 break; 1015 } 1016 racoon_free(saddr); 1017 if ($$ == NULL) 1018 return -1; 1019 } 1020 | IDENTIFIERTYPE ADDRSTRING ADDRRANGE prefix port ul_proto 1021 { 1022 char portbuf[10]; 1023 struct sockaddr_storage *laddr = NULL, *haddr = NULL; 1024 1025 if (($6 == IPPROTO_ICMP || $6 == IPPROTO_ICMPV6) 1026 && ($5 != IPSEC_PORT_ANY || $5 != IPSEC_PORT_ANY)) { 1027 racoon_yyerror("port number must be \"any\"."); 1028 return -1; 1029 } 1030 1031 snprintf(portbuf, sizeof(portbuf), "%lu", $5); 1032 1033 laddr = str2saddr($2->v, portbuf); 1034 if (laddr == NULL) { 1035 return -1; 1036 } 1037 vfree($2); 1038 haddr = str2saddr($3->v, portbuf); 1039 if (haddr == NULL) { 1040 racoon_free(laddr); 1041 return -1; 1042 } 1043 vfree($3); 1044 1045 switch (laddr->ss_family) { 1046 case AF_INET: 1047 if ($6 == IPPROTO_ICMPV6) { 1048 racoon_yyerror("upper layer protocol mismatched.\n"); 1049 if (laddr) 1050 racoon_free(laddr); 1051 if (haddr) 1052 racoon_free(haddr); 1053 return -1; 1054 } 1055 $$ = ipsecdoi_sockrange2id(laddr, haddr, 1056 $6); 1057 break; 1058#ifdef INET6 1059 case AF_INET6: 1060 if ($6 == IPPROTO_ICMP) { 1061 racoon_yyerror("upper layer protocol mismatched.\n"); 1062 if (laddr) 1063 racoon_free(laddr); 1064 if (haddr) 1065 racoon_free(haddr); 1066 return -1; 1067 } 1068 $$ = ipsecdoi_sockrange2id(laddr, haddr, 1069 $6); 1070 break; 1071#endif 1072 default: 1073 racoon_yyerror("invalid family: %d", laddr->ss_family); 1074 $$ = NULL; 1075 break; 1076 } 1077 if (laddr) 1078 racoon_free(laddr); 1079 if (haddr) 1080 racoon_free(haddr); 1081 if ($$ == NULL) 1082 return -1; 1083 } 1084 | IDENTIFIERTYPE QUOTEDSTRING 1085 { 1086 struct ipsecdoi_id_b *id_b; 1087 1088 if ($1 == IDTYPE_ASN1DN) { 1089 racoon_yyerror("id type forbidden: %d", $1); 1090 $$ = NULL; 1091 return -1; 1092 } 1093 1094 $2->l--; 1095 1096 $$ = vmalloc(sizeof(*id_b) + $2->l); 1097 if ($$ == NULL) { 1098 racoon_yyerror("failed to allocate identifier"); 1099 return -1; 1100 } 1101 1102 id_b = ALIGNED_CAST(struct ipsecdoi_id_b *)$$->v; 1103 id_b->type = idtype2doi($1); 1104 1105 id_b->proto_id = 0; 1106 id_b->port = 0; 1107 1108 memcpy($$->v + sizeof(*id_b), $2->v, $2->l); 1109 } 1110 ; 1111sainfo_param 1112 : /* nothing */ 1113 { 1114 cur_sainfo->id_i = NULL; 1115 } 1116 1117 | FROM IDENTIFIERTYPE identifierstring 1118 { 1119 struct ipsecdoi_id_b *id_b; 1120 vchar_t *idv; 1121 1122 if (set_identifier(&idv, $2, $3) != 0) { 1123 racoon_yyerror("failed to set identifer.\n"); 1124 return -1; 1125 } 1126 cur_sainfo->id_i = vmalloc(sizeof(*id_b) + idv->l); 1127 if (cur_sainfo->id_i == NULL) { 1128 racoon_yyerror("failed to allocate identifier"); 1129 return -1; 1130 } 1131 1132 id_b = ALIGNED_CAST(struct ipsecdoi_id_b *)cur_sainfo->id_i->v; 1133 id_b->type = idtype2doi($2); 1134 1135 id_b->proto_id = 0; 1136 id_b->port = 0; 1137 1138 memcpy(cur_sainfo->id_i->v + sizeof(*id_b), 1139 idv->v, idv->l); 1140 vfree(idv); 1141 } 1142 | GROUP QUOTEDSTRING 1143 { 1144#ifdef ENABLE_HYBRID 1145 if ((cur_sainfo->group = vdup($2)) == NULL) { 1146 racoon_yyerror("failed to set sainfo xauth group.\n"); 1147 return -1; 1148 } 1149#else 1150 racoon_yyerror("racoon not configured with --enable-hybrid"); 1151 return -1; 1152#endif 1153 } 1154 ; 1155sainfo_specs 1156 : /* nothing */ 1157 | sainfo_specs sainfo_spec 1158 ; 1159sainfo_spec 1160 : PFS_GROUP dh_group_num 1161 { 1162 cur_sainfo->pfs_group = $2; 1163 switch (cur_sainfo->pfs_group) 1164 { 1165 case OAKLEY_ATTR_GRP_DESC_MODP768: 1166 case OAKLEY_ATTR_GRP_DESC_MODP1024: 1167 case OAKLEY_ATTR_GRP_DESC_MODP1536: 1168 case OAKLEY_ATTR_GRP_DESC_MODP2048: 1169 case OAKLEY_ATTR_GRP_DESC_MODP3072: 1170 case OAKLEY_ATTR_GRP_DESC_MODP4096: 1171 case OAKLEY_ATTR_GRP_DESC_MODP6144: 1172 case OAKLEY_ATTR_GRP_DESC_MODP8192: 1173 break; 1174 default: 1175 racoon_yyerror("Invalid PFS group specified"); 1176 return -1; 1177 break; 1178 } 1179 } 1180 EOS 1181 | LIFETIME LIFETYPE_TIME NUMBER unittype_time 1182 { 1183 cur_sainfo->lifetime = $3 * $4; 1184 } 1185 EOS 1186 | LIFETIME LIFETYPE_BYTE NUMBER unittype_byte 1187 { 1188#if 1 1189 racoon_yyerror("byte lifetime support is deprecated"); 1190 return -1; 1191#else 1192 cur_sainfo->lifebyte = fix_lifebyte($3 * $4); 1193 if (cur_sainfo->lifebyte == 0) 1194 return -1; 1195#endif 1196 } 1197 EOS 1198 | ALGORITHM_CLASS { 1199 cur_algclass = $1; 1200 } 1201 algorithms EOS 1202 | IDENTIFIER IDENTIFIERTYPE 1203 { 1204 racoon_yyerror("it's deprecated to specify a identifier in phase 2"); 1205 } 1206 EOS 1207 | MY_IDENTIFIER IDENTIFIERTYPE QUOTEDSTRING 1208 { 1209 racoon_yyerror("it's deprecated to specify a identifier in phase 2"); 1210 } 1211 EOS 1212 ; 1213 1214algorithms 1215 : algorithm 1216 { 1217 inssainfoalg(&cur_sainfo->algs[cur_algclass], $1); 1218 } 1219 | algorithm 1220 { 1221 inssainfoalg(&cur_sainfo->algs[cur_algclass], $1); 1222 } 1223 COMMA algorithms 1224 ; 1225algorithm 1226 : ALGORITHMTYPE keylength 1227 { 1228 int defklen; 1229 1230 $$ = newsainfoalg(); 1231 if ($$ == NULL) { 1232 racoon_yyerror("failed to get algorithm allocation"); 1233 return -1; 1234 } 1235 1236 $$->alg = algtype2doi(cur_algclass, $1); 1237 if ($$->alg == -1) { 1238 racoon_yyerror("algorithm mismatched"); 1239 racoon_free($$); 1240 $$ = NULL; 1241 return -1; 1242 } 1243 1244 defklen = default_keylen(cur_algclass, $1); 1245 if (defklen == 0) { 1246 if ($2) { 1247 racoon_yyerror("keylen not allowed"); 1248 racoon_free($$); 1249 $$ = NULL; 1250 return -1; 1251 } 1252 } else { 1253 if ($2 && check_keylen(cur_algclass, $1, $2) < 0) { 1254 racoon_yyerror("invalid keylen %d", $2); 1255 racoon_free($$); 1256 $$ = NULL; 1257 return -1; 1258 } 1259 } 1260 1261 if ($2) 1262 $$->encklen = $2; 1263 else 1264 $$->encklen = defklen; 1265 1266 /* check if it's supported algorithm by kernel */ 1267 if (!(cur_algclass == algclass_ipsec_auth && $1 == algtype_non_auth) 1268 && pk_checkalg(cur_algclass, $1, $$->encklen)) { 1269 int a = algclass2doi(cur_algclass); 1270 int b = algtype2doi(cur_algclass, $1); 1271 if (a == IPSECDOI_ATTR_AUTH) 1272 a = IPSECDOI_PROTO_IPSEC_AH; 1273 racoon_yyerror("algorithm %s not supported by the kernel (missing module?)", 1274 s_ipsecdoi_trns(a, b)); 1275 racoon_free($$); 1276 $$ = NULL; 1277 return -1; 1278 } 1279 } 1280 ; 1281prefix 1282 : /* nothing */ { $$ = ~0; } 1283 | PREFIX { $$ = $1; } 1284 ; 1285port 1286 : /* nothing */ { $$ = IPSEC_PORT_ANY; } 1287 | PORT { $$ = $1; } 1288 | PORTANY { $$ = IPSEC_PORT_ANY; } 1289 ; 1290ul_proto 1291 : NUMBER { $$ = $1; } 1292 | UL_PROTO { $$ = $1; } 1293 | ANY { $$ = IPSEC_ULPROTO_ANY; } 1294 ; 1295keylength 1296 : /* nothing */ { $$ = 0; } 1297 | NUMBER { $$ = $1; } 1298 ; 1299 1300 /* remote */ 1301remote_statement 1302 : REMOTE remote_index INHERIT remote_index 1303 { 1304 struct remoteconf *new; 1305 struct proposalspec *prspec; 1306 1307 new = copyrmconf($4->addr); 1308 if (new == NULL) { 1309 racoon_yyerror("failed to get remoteconf for %s.", saddr2str((struct sockaddr *)$4)); 1310 racoon_free($2->addr); 1311 racoon_free($2); 1312 racoon_free($4->addr); 1313 racoon_free($4); 1314 return -1; 1315 } 1316 1317 new->remote = $2->addr; 1318 new->remote_prefix = ($2->prefix == ~0 ? 0 : $2->prefix); 1319 new->inherited_from = getrmconf_strict($4->addr, 1); 1320 new->proposal = NULL; 1321 new->prhead = NULL; 1322 cur_rmconf = new; 1323 racoon_free($2); 1324 racoon_free($4->addr); 1325 racoon_free($4); 1326 1327 prspec = newprspec(); 1328 if (prspec == NULL || !cur_rmconf->inherited_from 1329 || !cur_rmconf->inherited_from->proposal) 1330 return -1; 1331 prspec->lifetime = cur_rmconf->inherited_from->proposal->lifetime; 1332 prspec->lifebyte = cur_rmconf->inherited_from->proposal->lifebyte; 1333 insprspec(prspec, &cur_rmconf->prhead); 1334 } 1335 remote_specs_block 1336 | REMOTE remote_index 1337 { 1338 struct remoteconf *new; 1339 struct proposalspec *prspec; 1340 1341 new = create_rmconf(); 1342 if (new == NULL) { 1343 racoon_yyerror("failed to get new remoteconf."); 1344 racoon_free($2->addr); 1345 racoon_free($2); 1346 return -1; 1347 } 1348 new->remote = $2->addr; 1349 new->remote_prefix = ($2->prefix == ~0 ? 0 : $2->prefix); 1350 cur_rmconf = new; 1351 racoon_free($2); 1352 1353 prspec = newprspec(); 1354 if (prspec == NULL) 1355 return -1; 1356 prspec->lifetime = oakley_get_defaultlifetime(); 1357 insprspec(prspec, &cur_rmconf->prhead); 1358 } 1359 remote_specs_block 1360 ; 1361 1362remote_specs_block 1363 : BOC remote_specs EOC 1364 { 1365 /* check a exchange mode */ 1366 if (cur_rmconf->etypes == NULL) { 1367 racoon_yyerror("no exchange mode specified.\n"); 1368 return -1; 1369 } 1370 1371 if (cur_rmconf->idvtype == IDTYPE_UNDEFINED) 1372 cur_rmconf->idvtype = IDTYPE_ADDRESS; 1373 1374 1375 if (cur_rmconf->idvtype == IDTYPE_ASN1DN) { 1376 if (cur_rmconf->identity_in_keychain) 1377 { 1378 if (cur_rmconf->idv) 1379 racoon_yywarn("Both CERT and ASN1 ID " 1380 "are set. Hope this is OK.\n"); 1381 /* TODO: Preparse the DN here */ 1382 } else if (cur_rmconf->idv) { 1383 /* OK, using asn1dn without X.509. */ 1384 } else { 1385 racoon_yyerror("ASN1 ID not specified " 1386 "and no CERT defined!\n"); 1387 return -1; 1388 } 1389 } 1390 1391 if (cur_rmconf->cert_verification_option == VERIFICATION_OPTION_PEERS_IDENTIFIER) { 1392 struct genlist_entry *gpb; 1393 if (genlist_next(cur_rmconf->idvl_p, &gpb) == NULL) { 1394 racoon_yyerror("peers_identifier required for specified certificate " 1395 "verification option.\n"); 1396 return -1; 1397 } 1398 } 1399 1400 if (cur_rmconf->prhead->spspec == NULL 1401 && cur_rmconf->inherited_from 1402 && cur_rmconf->inherited_from->prhead) { 1403 cur_rmconf->prhead->spspec = cur_rmconf->inherited_from->prhead->spspec; 1404 } 1405 if (set_isakmp_proposal(cur_rmconf, cur_rmconf->prhead) != 0) 1406 return -1; 1407 1408 /* DH group setting if aggressive mode or IKEv2. */ 1409 if (check_etypeok(cur_rmconf, ISAKMP_ETYPE_AGG) != NULL) { 1410 struct isakmpsa *p; 1411 int b = 0; 1412 1413 /* DH group */ 1414 for (p = cur_rmconf->proposal; p; p = p->next) { 1415 if (b == 0 || (b && b == p->dh_group)) { 1416 b = p->dh_group; 1417 continue; 1418 } 1419 racoon_yyerror("DH group must be equal " 1420 "in all proposals " 1421 "when aggressive mode is " 1422 "used.\n"); 1423 return -1; 1424 } 1425 cur_rmconf->dh_group = b; 1426 1427 if (cur_rmconf->dh_group == 0) { 1428 racoon_yyerror("DH group must be set in the proposal.\n"); 1429 return -1; 1430 } 1431 1432 /* DH group settting if PFS is required. */ 1433 if (oakley_setdhgroup(cur_rmconf->dh_group, 1434 &cur_rmconf->dhgrp) < 0) { 1435 racoon_yyerror("failed to set DH value.\n"); 1436 return -1; 1437 } 1438 } 1439 1440 insrmconf(cur_rmconf); 1441 } 1442 ; 1443remote_index 1444 : ANONYMOUS ike_port 1445 { 1446 1447 struct remote_index_val *new; 1448 1449 new = racoon_calloc(1, sizeof(*new)); 1450 if (new == NULL) { 1451 racoon_yyerror("failed to allocate remote index struct"); 1452 return -1; 1453 } 1454 new->addr = newsaddr(sizeof(struct sockaddr_storage)); 1455 if (new->addr == NULL) { 1456 racoon_yyerror("failed to allocate sockaddr storage"); 1457 racoon_free(new); 1458 return -1; 1459 } 1460 new->addr->ss_family = AF_UNSPEC; 1461 (ALIGNED_CAST(struct sockaddr_in *)new->addr)->sin_port = htons($2); 1462 new->prefix = ~0; 1463 $$ = new; 1464 } 1465 | ike_addrinfo_prefix_port 1466 { 1467 $$ = $1; 1468 if ($$ == NULL) { 1469 racoon_yyerror("failed to allocate sockaddr_storage"); 1470 return -1; 1471 } 1472 } 1473 ; 1474remote_specs 1475 : /* nothing */ 1476 | remote_specs remote_spec 1477 ; 1478remote_spec 1479 : EXCHANGE_MODE 1480 { 1481 cur_rmconf->etypes = NULL; 1482 } 1483 exchange_types EOS 1484 | DOI DOITYPE { cur_rmconf->doitype = $2; } EOS 1485 | SITUATION SITUATIONTYPE { cur_rmconf->sittype = $2; } EOS 1486 | IKE_VERSION NUMBER 1487 { 1488 if ($2 == 1) 1489 cur_rmconf->ike_version = ISAKMP_VERSION_NUMBER_IKEV1; 1490 else { 1491 racoon_yyerror("invalid IKE version specified.\n"); 1492 return -1; 1493 } 1494 } EOS 1495 | CERTIFICATE_TYPE cert_spec 1496 | VERIFY_CERT SWITCH { cur_rmconf->verify_cert = $2; } EOS 1497 | SEND_CERT SWITCH { cur_rmconf->send_cert = $2; } EOS 1498 | SEND_CR SWITCH { cur_rmconf->send_cr = $2; } EOS 1499 | CERTIFICATE_VERIFICATION VERIFICATION_MODULE 1500 { 1501 cur_rmconf->cert_verification = $2; 1502 } EOS 1503 | CERTIFICATE_VERIFICATION VERIFICATION_MODULE VERIFICATION_OPTION 1504 { 1505 cur_rmconf->cert_verification = $2; 1506 cur_rmconf->cert_verification_option = $3; 1507 } 1508 EOS 1509 | OPEN_DIR_AUTH_GROUP QUOTEDSTRING 1510 { 1511#if HAVE_OPENDIR 1512 cur_rmconf->open_dir_auth_group = $2; 1513#else 1514 racoon_yyerror("Apple specific features not compiled in."); 1515 return -1; 1516#endif 1517 } EOS 1518 | MY_IDENTIFIER IDENTIFIERTYPE identifierstring 1519 { 1520 if (set_identifier(&cur_rmconf->idv, $2, $3) != 0) { 1521 racoon_yyerror("failed to set identifer.\n"); 1522 vfree($3); //%%% BUG FIX - memory leak 1523 return -1; 1524 } 1525 vfree($3); //%%% BUG FIX - memory leak 1526 cur_rmconf->idvtype = $2; 1527 } 1528 EOS 1529 | MY_IDENTIFIER IDENTIFIERTYPE IDENTIFIERQUAL identifierstring 1530 { 1531 if (set_identifier_qual(&cur_rmconf->idv, $2, $4, $3) != 0) { 1532 racoon_yyerror("failed to set identifer.\n"); 1533 return -1; 1534 } 1535 cur_rmconf->idvtype = $2; 1536 } 1537 EOS 1538 | XAUTH_LOGIN identifierstring 1539 { 1540#ifdef ENABLE_HYBRID 1541 /* formerly identifier type login */ 1542 if (xauth_rmconf_used(&cur_rmconf->xauth) == -1) { 1543 racoon_yyerror("failed to allocate xauth state\n"); 1544 return -1; 1545 } 1546 if ((cur_rmconf->xauth->login = vdup($2)) == NULL) { 1547 racoon_yyerror("failed to set identifer.\n"); 1548 return -1; 1549 } 1550 vfree($2); //%%% BUG FIX - memory leak 1551#else 1552 racoon_yyerror("racoon not configured with --enable-hybrid"); 1553#endif 1554 } 1555 EOS 1556 | PEERS_IDENTIFIER IDENTIFIERTYPE identifierstring 1557 { 1558 struct idspec *id; 1559 id = newidspec(); 1560 if (id == NULL) { 1561 racoon_yyerror("failed to allocate idspec"); 1562 return -1; 1563 } 1564 if (set_identifier(&id->id, $2, $3) != 0) { 1565 racoon_yyerror("failed to set identifer.\n"); 1566 racoon_free(id); 1567 vfree($3); //%%% BUG FIX - memory leak 1568 return -1; 1569 } 1570 vfree($3); //%%% BUG FIX - memory leak 1571 id->idtype = $2; 1572 genlist_append (cur_rmconf->idvl_p, id); 1573 } 1574 EOS 1575 | PEERS_IDENTIFIER IDENTIFIERTYPE IDENTIFIERQUAL identifierstring 1576 { 1577 struct idspec *id; 1578 id = newidspec(); 1579 if (id == NULL) { 1580 racoon_yyerror("failed to allocate idspec"); 1581 return -1; 1582 } 1583 if (set_identifier_qual(&id->id, $2, $4, $3) != 0) { 1584 racoon_yyerror("failed to set identifer.\n"); 1585 racoon_free(id); 1586 return -1; 1587 } 1588 id->idtype = $2; 1589 genlist_append (cur_rmconf->idvl_p, id); 1590 } 1591 EOS 1592 | VERIFY_IDENTIFIER SWITCH { cur_rmconf->verify_identifier = $2; } EOS 1593 | LOCAL_ADDRESS ADDRSTRING 1594 { 1595 struct sockaddr_storage *saddr; 1596 saddr = str2saddr($2->v, NULL); 1597 vfree($2); 1598 if (saddr == NULL) 1599 return -1; 1600 cur_rmconf->forced_local = saddr; 1601 } EOS 1602 | SHARED_SECRET SECRETTYPE QUOTEDSTRING 1603 { 1604 cur_rmconf->secrettype = $2; 1605 cur_rmconf->shared_secret = $3; 1606 } EOS 1607 | SHARED_SECRET SECRETTYPE 1608 { 1609 if ($2 != SECRETTYPE_KEYCHAIN_BY_ID) { 1610 racoon_yyerror("shared secret value missing.\n"); 1611 return -1; 1612 } 1613 cur_rmconf->secrettype = $2; 1614 } EOS 1615 | NONCE_SIZE NUMBER { cur_rmconf->nonce_size = $2; } EOS 1616 | DH_GROUP 1617 { 1618 racoon_yyerror("dh_group cannot be defined here."); 1619 return -1; 1620 } 1621 dh_group_num EOS 1622 | PASSIVE SWITCH { cur_rmconf->passive = $2; } EOS 1623 | IKE_FRAG SWITCH { cur_rmconf->ike_frag = $2; } EOS 1624 | IKE_FRAG REMOTE_FORCE_LEVEL { cur_rmconf->ike_frag = ISAKMP_FRAG_FORCE; } EOS 1625 | ESP_FRAG NUMBER { 1626#ifdef SADB_X_EXT_NAT_T_FRAG 1627 if (libipsec_opt & LIBIPSEC_OPT_FRAG) 1628 cur_rmconf->esp_frag = $2; 1629 else 1630 racoon_yywarn("libipsec lacks IKE frag support"); 1631#else 1632 racoon_yywarn("Your kernel does not support esp_frag"); 1633#endif 1634 } EOS 1635 | MODE_CFG SWITCH { cur_rmconf->mode_cfg = $2; } EOS 1636 | WEAK_PHASE1_CHECK SWITCH { 1637 cur_rmconf->weak_phase1_check = $2; 1638 } EOS 1639 | GENERATE_POLICY SWITCH { cur_rmconf->gen_policy = $2; } EOS 1640 | GENERATE_POLICY GENERATE_LEVEL { cur_rmconf->gen_policy = $2; } EOS 1641 | SUPPORT_PROXY SWITCH { cur_rmconf->support_proxy = $2; } EOS 1642 | INITIAL_CONTACT SWITCH { cur_rmconf->ini_contact = $2; } EOS 1643 | NAT_TRAVERSAL SWITCH 1644 { 1645#ifdef ENABLE_NATT 1646 cur_rmconf->nat_traversal = $2; 1647#else 1648 racoon_yyerror("NAT-T support not compiled in."); 1649#endif 1650 } EOS 1651 | NAT_TRAVERSAL NAT_TRAVERSAL_LEVEL 1652 { 1653#ifdef ENABLE_NATT 1654 cur_rmconf->nat_traversal = $2; 1655#else 1656 racoon_yyerror("NAT-T support not compiled in."); 1657#endif 1658 } EOS 1659 | NAT_TRAVERSAL_MULTI_USER SWITCH 1660 { 1661#ifdef ENABLE_NATT 1662 cur_rmconf->natt_multiple_user = $2; 1663#else 1664 racoon_yyerror("NAT-T support not compiled in."); 1665#endif 1666 } EOS 1667 | NAT_TRAVERSAL_KEEPALIVE SWITCH 1668 { 1669#ifdef ENABLE_NATT 1670 cur_rmconf->natt_keepalive = $2; 1671#else 1672 racoon_yyerror("NAT-T support not compiled in."); 1673#endif 1674 } EOS 1675| DPD SWITCH 1676 { 1677#ifdef ENABLE_DPD 1678 cur_rmconf->dpd = $2; 1679#else 1680 racoon_yyerror("DPD support not compiled in."); 1681#endif 1682 } EOS 1683 | DPD_DELAY NUMBER 1684 { 1685#ifdef ENABLE_DPD 1686 cur_rmconf->dpd_interval = $2; 1687#else 1688 racoon_yyerror("DPD support not compiled in."); 1689#endif 1690 } 1691 EOS 1692 | DPD_RETRY NUMBER 1693 { 1694#ifdef ENABLE_DPD 1695 cur_rmconf->dpd_retry = $2; 1696#else 1697 racoon_yyerror("DPD support not compiled in."); 1698#endif 1699 } 1700 EOS 1701 | DPD_MAXFAIL NUMBER 1702 { 1703#ifdef ENABLE_DPD 1704 cur_rmconf->dpd_maxfails = $2; 1705#else 1706 racoon_yyerror("DPD support not compiled in."); 1707#endif 1708 } 1709 EOS 1710 | DPD_ALGORITHM dpd_algo_type 1711 { 1712#ifdef ENABLE_DPD 1713 cur_rmconf->dpd_algo = $2; 1714#else 1715 racoon_yyerror("DPD support not compiled in."); 1716#endif 1717 } 1718 EOS 1719 | DISCONNECT_ON_IDLE IDLE_TIMEOUT NUMBER IDLE_DIRECTION idle_dir_type 1720 { 1721 cur_rmconf->idle_timeout = $3; 1722 cur_rmconf->idle_timeout_dir = $5; 1723 } 1724 EOS 1725 | LIFETIME LIFETYPE_TIME NUMBER unittype_time 1726 { 1727 cur_rmconf->prhead->lifetime = $3 * $4; 1728 } 1729 EOS 1730 | PROPOSAL_CHECK PROPOSAL_CHECK_LEVEL { cur_rmconf->pcheck_level = $2; } EOS 1731 | LIFETIME LIFETYPE_BYTE NUMBER unittype_byte 1732 { 1733#if 1 1734 racoon_yyerror("byte lifetime support is deprecated in Phase 1"); 1735 return -1; 1736#else 1737 racoon_yywarn("the lifetime of bytes in phase 1 " 1738 "will be ignored at the moment."); 1739 cur_rmconf->prhead->lifebyte = fix_lifebyte($3 * $4); 1740 if (cur_rmconf->prhead->lifebyte == 0) 1741 return -1; 1742#endif 1743 } 1744 EOS 1745 | PROPOSAL 1746 { 1747 struct secprotospec *spspec; 1748 1749 spspec = newspspec(); 1750 if (spspec == NULL) 1751 return -1; 1752 insspspec(spspec, &cur_rmconf->prhead); 1753 } 1754 BOC isakmpproposal_specs EOC 1755 ; 1756exchange_types 1757 : /* nothing */ 1758 | exchange_types EXCHANGETYPE 1759 { 1760 struct etypes *new; 1761 new = racoon_malloc(sizeof(struct etypes)); 1762 if (new == NULL) { 1763 racoon_yyerror("failed to allocate etypes"); 1764 return -1; 1765 } 1766 new->type = $2; 1767 new->next = NULL; 1768 if (cur_rmconf->etypes == NULL) 1769 cur_rmconf->etypes = new; 1770 else { 1771 struct etypes *p; 1772 for (p = cur_rmconf->etypes; 1773 p->next != NULL; 1774 p = p->next) 1775 ; 1776 p->next = new; 1777 } 1778 } 1779 ; 1780cert_spec 1781 : CERT_X509 IN_KEYCHAIN 1782 { 1783 cur_rmconf->certtype = $1; 1784 cur_rmconf->identity_in_keychain = 1; 1785 cur_rmconf->keychainCertRef = NULL; 1786 } 1787 EOS 1788 ; 1789 | CERT_X509 IN_KEYCHAIN QUOTEDSTRING 1790 { 1791 cur_rmconf->certtype = $1; 1792 cur_rmconf->identity_in_keychain = 1; 1793 cur_rmconf->keychainCertRef = $3; 1794 } 1795 EOS 1796 ; 1797dh_group_num 1798 : ALGORITHMTYPE 1799 { 1800 $$ = algtype2doi(algclass_isakmp_dh, $1); 1801 if ($$ == -1) { 1802 racoon_yyerror("must be DH group"); 1803 return -1; 1804 } 1805 switch ($$) 1806 { 1807 case OAKLEY_ATTR_GRP_DESC_MODP768: 1808 case OAKLEY_ATTR_GRP_DESC_MODP1024: 1809 case OAKLEY_ATTR_GRP_DESC_MODP1536: 1810 case OAKLEY_ATTR_GRP_DESC_MODP2048: 1811 case OAKLEY_ATTR_GRP_DESC_MODP3072: 1812 case OAKLEY_ATTR_GRP_DESC_MODP4096: 1813 case OAKLEY_ATTR_GRP_DESC_MODP6144: 1814 case OAKLEY_ATTR_GRP_DESC_MODP8192: 1815 break; 1816 default: 1817 racoon_yyerror("Invalid DH group specified"); 1818 return -1; 1819 break; 1820 } 1821 } 1822 | NUMBER 1823 { 1824 if (ARRAYLEN(num2dhgroup) > $1 && num2dhgroup[$1] != 0) { 1825 $$ = num2dhgroup[$1]; 1826 } else { 1827 racoon_yyerror("must be DH group"); 1828 $$ = 0; 1829 return -1; 1830 } 1831 switch ($$) 1832 { 1833 case OAKLEY_ATTR_GRP_DESC_MODP768: 1834 case OAKLEY_ATTR_GRP_DESC_MODP1024: 1835 case OAKLEY_ATTR_GRP_DESC_MODP1536: 1836 case OAKLEY_ATTR_GRP_DESC_MODP2048: 1837 case OAKLEY_ATTR_GRP_DESC_MODP3072: 1838 case OAKLEY_ATTR_GRP_DESC_MODP4096: 1839 case OAKLEY_ATTR_GRP_DESC_MODP6144: 1840 case OAKLEY_ATTR_GRP_DESC_MODP8192: 1841 break; 1842 default: 1843 racoon_yyerror("Invalid DH group specified"); 1844 return -1; 1845 break; 1846 } 1847 } 1848 ; 1849identifierstring 1850 : /* nothing */ { $$ = NULL; } 1851 | ADDRSTRING { $$ = $1; } 1852 | QUOTEDSTRING { $$ = $1; } 1853 ; 1854isakmpproposal_specs 1855 : /* nothing */ 1856 | isakmpproposal_specs isakmpproposal_spec 1857 ; 1858isakmpproposal_spec 1859 : STRENGTH 1860 { 1861 racoon_yyerror("strength directive is obsoleted."); 1862 } STRENGTHTYPE EOS 1863 | LIFETIME LIFETYPE_TIME NUMBER unittype_time 1864 { 1865 cur_rmconf->prhead->spspec->lifetime = $3 * $4; 1866 } 1867 EOS 1868 | LIFETIME LIFETYPE_BYTE NUMBER unittype_byte 1869 { 1870#if 1 1871 racoon_yyerror("byte lifetime support is deprecated"); 1872 return -1; 1873#else 1874 cur_rmconf->prhead->spspec->lifebyte = fix_lifebyte($3 * $4); 1875 if (cur_rmconf->prhead->spspec->lifebyte == 0) 1876 return -1; 1877#endif 1878 } 1879 EOS 1880 | DH_GROUP dh_group_num 1881 { 1882 cur_rmconf->prhead->spspec->algclass[algclass_isakmp_dh] = $2; 1883 } 1884 EOS 1885 | GSS_ID QUOTEDSTRING 1886 { 1887 if (cur_rmconf->prhead->spspec->vendorid != VENDORID_GSSAPI) { 1888 racoon_yyerror("wrong Vendor ID for gssapi_id"); 1889 return -1; 1890 } 1891 if (cur_rmconf->prhead->spspec->gssid != NULL) 1892 racoon_free(cur_rmconf->prhead->spspec->gssid); 1893 cur_rmconf->prhead->spspec->gssid = 1894 racoon_strdup($2->v); 1895 STRDUP_FATAL(cur_rmconf->prhead->spspec->gssid); 1896 } 1897 EOS 1898 | ALGORITHM_CLASS ALGORITHMTYPE keylength 1899 { 1900 int doi; 1901 int defklen; 1902 { 1903 doi = algtype2doi($1, $2); 1904 if (doi == -1) { 1905 racoon_yyerror("algorithm mismatched 1"); 1906 return -1; 1907 } 1908 } 1909 1910 switch ($1) { 1911 case algclass_isakmp_enc: 1912 /* reject suppressed algorithms */ 1913 cur_rmconf->prhead->spspec->algclass[algclass_isakmp_enc] = doi; 1914 defklen = default_keylen($1, $2); 1915 if (defklen == 0) { 1916 if ($3) { 1917 racoon_yyerror("keylen not allowed"); 1918 return -1; 1919 } 1920 } else { 1921 if ($3 && check_keylen($1, $2, $3) < 0) { 1922 racoon_yyerror("invalid keylen %d", $3); 1923 return -1; 1924 } 1925 } 1926 if ($3) 1927 cur_rmconf->prhead->spspec->encklen = $3; 1928 else 1929 cur_rmconf->prhead->spspec->encklen = defklen; 1930 break; 1931 case algclass_isakmp_hash: 1932 cur_rmconf->prhead->spspec->algclass[algclass_isakmp_hash] = doi; 1933 break; 1934 case algclass_isakmp_ameth: 1935 cur_rmconf->prhead->spspec->algclass[algclass_isakmp_ameth] = doi; 1936 /* 1937 * We may have to set the Vendor ID for the 1938 * authentication method we're using. 1939 */ 1940 switch ($2) { 1941 case algtype_gssapikrb: 1942 if (cur_rmconf->prhead->spspec->vendorid != 1943 VENDORID_UNKNOWN) { 1944 racoon_yyerror("Vendor ID mismatch " 1945 "for auth method"); 1946 return -1; 1947 } 1948 /* 1949 * For interoperability with Win2k, 1950 * we set the Vendor ID to "GSSAPI". 1951 */ 1952 cur_rmconf->prhead->spspec->vendorid = 1953 VENDORID_GSSAPI; 1954 break; 1955 default: 1956 break; 1957 } 1958 break; 1959 default: 1960 racoon_yyerror("algorithm mismatched 2"); 1961 return -1; 1962 } 1963 } 1964 EOS 1965 ; 1966 1967unittype_time 1968 : UNITTYPE_SEC { $$ = 1; } 1969 | UNITTYPE_MIN { $$ = 60; } 1970 | UNITTYPE_HOUR { $$ = (60 * 60); } 1971 ; 1972unittype_byte 1973 : UNITTYPE_BYTE { $$ = 1; } 1974 | UNITTYPE_KBYTES { $$ = 1024; } 1975 | UNITTYPE_MBYTES { $$ = (1024 * 1024); } 1976 | UNITTYPE_TBYTES { $$ = (1024 * 1024 * 1024); } 1977 ; 1978dpd_algo_type 1979 : DPD_ALGO_TYPE_DEFAULT { $$ = DPD_ALGO_DEFAULT; } 1980 | DPD_ALGO_TYPE_INBOUND { $$ = DPD_ALGO_INBOUND_DETECT; } 1981 | DPD_ALGO_TYPE_BLACKHOLE { $$ = DPD_ALGO_BLACKHOLE_DETECT; } 1982 ; 1983idle_dir_type 1984 : IDLE_DIRECTION_ANY { $$ = IPSEC_DIR_ANY; } 1985 | IDLE_DIRECTION_IN { $$ = IPSEC_DIR_INBOUND; } 1986 | IDLE_DIRECTION_OUT { $$ = IPSEC_DIR_OUTBOUND; } 1987 ; 1988%% 1989 1990static struct proposalspec * 1991newprspec() 1992{ 1993 struct proposalspec *new; 1994 1995 new = racoon_calloc(1, sizeof(*new)); 1996 if (new == NULL) 1997 racoon_yyerror("failed to allocate proposal"); 1998 1999 return new; 2000} 2001 2002/* 2003 * insert into head of list. 2004 */ 2005static void 2006insprspec(prspec, head) 2007 struct proposalspec *prspec; 2008 struct proposalspec **head; 2009{ 2010 if (*head != NULL) 2011 (*head)->prev = prspec; 2012 prspec->next = *head; 2013 *head = prspec; 2014} 2015 2016static struct secprotospec * 2017newspspec() 2018{ 2019 struct secprotospec *new; 2020 2021 new = racoon_calloc(1, sizeof(*new)); 2022 if (new == NULL) { 2023 racoon_yyerror("failed to allocate spproto"); 2024 return NULL; 2025 } 2026 2027 new->encklen = 0; /*XXX*/ 2028 2029 /* 2030 * Default to "uknown" vendor -- we will override this 2031 * as necessary. When we send a Vendor ID payload, an 2032 * "unknown" will be translated to a KAME/racoon ID. 2033 */ 2034 new->vendorid = VENDORID_UNKNOWN; 2035 2036 return new; 2037} 2038 2039/* 2040 * insert into head of list. 2041 */ 2042static void 2043insspspec(spspec, head) 2044 struct secprotospec *spspec; 2045 struct proposalspec **head; 2046{ 2047 spspec->back = *head; 2048 2049 if ((*head)->spspec != NULL) 2050 (*head)->spspec->prev = spspec; 2051 spspec->next = (*head)->spspec; 2052 (*head)->spspec = spspec; 2053} 2054 2055/* set final acceptable proposal */ 2056static int 2057set_isakmp_proposal(rmconf, prspec) 2058 struct remoteconf *rmconf; 2059 struct proposalspec *prspec; 2060{ 2061 struct proposalspec *p; 2062 struct secprotospec *s; 2063 int prop_no = 1; 2064 int trns_no = 1; 2065 int32_t types[MAXALGCLASS]; 2066 2067 p = prspec; 2068 if (p->next != 0) { 2069 plog(ASL_LEVEL_ERR, 2070 "multiple proposal definition.\n"); 2071 return -1; 2072 } 2073 2074 /* mandatory check */ 2075 if (p->spspec == NULL) { 2076 racoon_yyerror("no remote specification found: %s.\n", 2077 saddr2str((struct sockaddr *)rmconf->remote)); 2078 return -1; 2079 } 2080 for (s = p->spspec; s != NULL; s = s->next) { 2081 /* XXX need more to check */ 2082 if (s->algclass[algclass_isakmp_enc] == 0) { 2083 racoon_yyerror("encryption algorithm required."); 2084 return -1; 2085 } 2086 if (s->algclass[algclass_isakmp_hash] == 0) { 2087 racoon_yyerror("hash algorithm required."); 2088 return -1; 2089 } 2090 if (s->algclass[algclass_isakmp_dh] == 0) { 2091 racoon_yyerror("DH group required."); 2092 return -1; 2093 } 2094 if (s->algclass[algclass_isakmp_ameth] == 0) { 2095 racoon_yyerror("authentication method required."); 2096 return -1; 2097 } 2098 } 2099 2100 /* skip to last part */ 2101 for (s = p->spspec; s->next != NULL; s = s->next) 2102 ; 2103 2104 while (s != NULL) { 2105 plog(ASL_LEVEL_DEBUG, 2106 "lifetime = %ld\n", (long) 2107 (s->lifetime ? s->lifetime : p->lifetime)); 2108 plog(ASL_LEVEL_DEBUG, 2109 "lifebyte = %d\n", 2110 s->lifebyte ? s->lifebyte : p->lifebyte); 2111 plog(ASL_LEVEL_DEBUG, 2112 "encklen=%d\n", s->encklen); 2113 2114 memset(types, 0, ARRAYLEN(types)); 2115 types[algclass_isakmp_enc] = s->algclass[algclass_isakmp_enc]; 2116 types[algclass_isakmp_hash] = s->algclass[algclass_isakmp_hash]; 2117 types[algclass_isakmp_dh] = s->algclass[algclass_isakmp_dh]; 2118 types[algclass_isakmp_ameth] = 2119 s->algclass[algclass_isakmp_ameth]; 2120 2121 /* expanding spspec */ 2122 clean_tmpalgtype(); 2123 trns_no = expand_isakmpspec(prop_no, trns_no, types, 2124 algclass_isakmp_enc, algclass_isakmp_ameth + 1, 2125 s->lifetime ? s->lifetime : p->lifetime, 2126 s->lifebyte ? s->lifebyte : p->lifebyte, 2127 s->encklen, s->vendorid, s->gssid, 2128 rmconf); 2129 if (trns_no == -1) { 2130 plog(ASL_LEVEL_ERR, 2131 "failed to expand isakmp proposal.\n"); 2132 return -1; 2133 } 2134 2135 s = s->prev; 2136 } 2137 2138 if (rmconf->proposal == NULL) { 2139 plog(ASL_LEVEL_ERR, 2140 "no proposal found.\n"); 2141 return -1; 2142 } 2143 2144 return 0; 2145} 2146 2147static void 2148clean_tmpalgtype() 2149{ 2150 int i; 2151 for (i = 0; i < MAXALGCLASS; i++) 2152 tmpalgtype[i] = 0; /* means algorithm undefined. */ 2153} 2154 2155static int 2156expand_isakmpspec(prop_no, trns_no, types, 2157 class, last, lifetime, lifebyte, encklen, vendorid, gssid, 2158 rmconf) 2159 int prop_no, trns_no; 2160 int *types, class, last; 2161 time_t lifetime; 2162 int lifebyte; 2163 int encklen; 2164 int vendorid; 2165 char *gssid; 2166 struct remoteconf *rmconf; 2167{ 2168 struct isakmpsa *new; 2169 2170 /* debugging */ 2171 { 2172 int j; 2173 char tb[10]; 2174 plog(ASL_LEVEL_DEBUG, 2175 "p:%d t:%d\n", prop_no, trns_no); 2176 for (j = class; j < MAXALGCLASS; j++) { 2177 snprintf(tb, sizeof(tb), "%d", types[j]); 2178 plog(ASL_LEVEL_DEBUG, 2179 "%s%s%s%s\n", 2180 s_algtype(j, types[j]), 2181 types[j] ? "(" : "", 2182 tb[0] == '0' ? "" : tb, 2183 types[j] ? ")" : ""); 2184 } 2185 plog(ASL_LEVEL_DEBUG, "\n"); 2186 } 2187 2188#define TMPALGTYPE2STR(n) \ 2189 s_algtype(algclass_isakmp_##n, types[algclass_isakmp_##n]) 2190 /* check mandatory values */ 2191 if (types[algclass_isakmp_enc] == 0 2192 || types[algclass_isakmp_ameth] == 0 2193 || types[algclass_isakmp_dh] == 0) { 2194 racoon_yyerror("few definition of algorithm " 2195 "enc=%s ameth=%s hash=%s dhgroup=%s.\n", 2196 TMPALGTYPE2STR(enc), 2197 TMPALGTYPE2STR(ameth), 2198 TMPALGTYPE2STR(hash), 2199 TMPALGTYPE2STR(dh)); 2200 return -1; 2201 } 2202#undef TMPALGTYPE2STR 2203 2204 /* set new sa */ 2205 new = newisakmpsa(); 2206 if (new == NULL) { 2207 racoon_yyerror("failed to allocate isakmp sa"); 2208 return -1; 2209 } 2210 new->prop_no = prop_no; 2211 new->trns_no = trns_no++; 2212 new->lifetime = lifetime; 2213 new->lifebyte = lifebyte; 2214 new->enctype = types[algclass_isakmp_enc]; 2215 new->encklen = encklen; 2216 new->authmethod = types[algclass_isakmp_ameth]; 2217 new->hashtype = types[algclass_isakmp_hash]; 2218 new->prf = types[algclass_isakmp_hash]; 2219 new->dh_group = types[algclass_isakmp_dh]; 2220 new->vendorid = vendorid; 2221 insisakmpsa(new, rmconf); 2222 2223 return trns_no; 2224} 2225 2226static int 2227listen_addr (struct sockaddr_storage *addr, int udp_encap) 2228{ 2229 struct myaddrs *p; 2230 2231 p = newmyaddr(); 2232 if (p == NULL) { 2233 racoon_yyerror("failed to allocate myaddrs"); 2234 return -1; 2235 } 2236 p->addr = addr; 2237 if (p->addr == NULL) { 2238 racoon_yyerror("failed to copy sockaddr_storage "); 2239 delmyaddr(p); 2240 return -1; 2241 } 2242 p->udp_encap = udp_encap; 2243 /* These need to be initialized for Apple modifications 2244 * to open code for isakmp sockets 2245 */ 2246 p->sock = -1; 2247 p->in_use = 1; 2248 2249 insmyaddr(p, &lcconf->myaddrs); 2250 2251 lcconf->autograbaddr = 0; 2252 return 0; 2253} 2254 2255#if 0 2256/* 2257 * fix lifebyte. 2258 * Must be more than 1024B because its unit is kilobytes. 2259 * That is defined RFC2407. 2260 */ 2261static int 2262fix_lifebyte(t) 2263 unsigned long t; 2264{ 2265 if (t < 1024) { 2266 racoon_yyerror("byte size should be more than 1024B."); 2267 return 0; 2268 } 2269 2270 return(t / 1024); 2271} 2272#endif 2273 2274int 2275cfparse() 2276{ 2277 int error; 2278 2279 plog(ASL_LEVEL_DEBUG, "===== parsing configuration\n"); 2280 2281 yycf_init_buffer(); 2282 2283 if (yycf_switch_buffer(lcconf->racoon_conf) != 0) { 2284 IPSECCONFIGTRACEREVENT(CONSTSTR(lcconf->racoon_conf), 2285 IPSECCONFIGEVENTCODE_PARSE_ERROR, 2286 CONSTSTR("could not read configuration file"), 2287 CONSTSTR("cfparse: yycf_switch_buffer erred")); 2288 plog(ASL_LEVEL_ERR, 2289 "could not read configuration file \"%s\"\n", 2290 lcconf->racoon_conf); 2291 return -1; 2292 } 2293 2294 error = yyparse(); 2295 if (error != 0) { 2296 if (yyerrorcount) { 2297 plog(ASL_LEVEL_ERR, 2298 "fatal parse failure (%d errors)\n", 2299 yyerrorcount); 2300 } else { 2301 plog(ASL_LEVEL_ERR, 2302 "fatal parse failure.\n"); 2303 } 2304 IPSECCONFIGTRACEREVENT(CONSTSTR(lcconf->racoon_conf), 2305 IPSECCONFIGEVENTCODE_PARSE_ERROR, 2306 CONSTSTR("fatal parse failure"), 2307 CONSTSTR("cfparse: yyparse erred")); 2308 yycf_clean_buffer(); 2309 return -1; 2310 } 2311 2312 if (error == 0 && yyerrorcount) { 2313 plog(ASL_LEVEL_ERR, 2314 "parse error is nothing, but yyerrorcount is %d.\n", 2315 yyerrorcount); 2316 IPSECCONFIGTRACEREVENT(CONSTSTR(lcconf->racoon_conf), 2317 IPSECCONFIGEVENTCODE_PARSE_ERROR, 2318 CONSTSTR("ambivalent error code"), 2319 CONSTSTR("cfparse: error == 0 && yerrorcount")); 2320 yycf_clean_buffer(); 2321 exit(1); 2322 } 2323 2324 yycf_clean_buffer(); 2325 2326 plog(ASL_LEVEL_DEBUG, "parse succeeded.\n"); 2327 2328 return 0; 2329} 2330 2331int 2332cfreparse(int sig) 2333{ 2334 int result; 2335 int ignore_estab_or_assert_handles = (sig == SIGUSR1); 2336 2337 if (sig >= 0 && sig < NSIG) { 2338 plog(ASL_LEVEL_DEBUG, "==== Got %s signal - re-parsing configuration.\n", sys_signame[sig]); 2339 } else { 2340 plog(ASL_LEVEL_ERR, "==== Got Unknown signal - re-parsing configuration.\n"); 2341 IPSECCONFIGTRACEREVENT(CONSTSTR("reparse"), 2342 IPSECCONFIGEVENTCODE_REPARSE_ERROR, 2343 CONSTSTR("Unknown signal"), 2344 CONSTSTR("cfreparse: triggered by unknown signal")); 2345 } 2346 plog(ASL_LEVEL_DEBUG, "==== %s sessions.\n", ignore_estab_or_assert_handles? "flush negotiating" : "flush all"); 2347 2348 ike_session_flush_all_phase2(ignore_estab_or_assert_handles); 2349 ike_session_flush_all_phase1(ignore_estab_or_assert_handles); 2350 flushrmconf(); 2351 flushsainfo(); 2352 check_auto_exit(); /* check/change state of auto exit */ 2353 clean_tmpalgtype(); 2354 savelcconf(); 2355 result = cfparse(); 2356 restorelcconf(); 2357 return result; 2358} 2359 2360 2361