1/* $NetBSD: cfparse.y,v 1.18.4.3 2007/08/01 11:52:19 vanhu Exp $ */ 2 3/* Id: cfparse.y,v 1.66 2006/08/22 18:17:17 manubsd Exp */ 4 5%{ 6/* 7 * Copyright (C) 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002 and 2003 WIDE Project. 8 * All rights reserved. 9 * 10 * Redistribution and use in source and binary forms, with or without 11 * modification, are permitted provided that the following conditions 12 * are met: 13 * 1. Redistributions of source code must retain the above copyright 14 * notice, this list of conditions and the following disclaimer. 15 * 2. Redistributions in binary form must reproduce the above copyright 16 * notice, this list of conditions and the following disclaimer in the 17 * documentation and/or other materials provided with the distribution. 18 * 3. Neither the name of the project nor the names of its contributors 19 * may be used to endorse or promote products derived from this software 20 * without specific prior written permission. 21 * 22 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND 23 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 24 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 25 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE 26 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 27 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 28 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 29 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 30 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 31 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 32 * SUCH DAMAGE. 33 */ 34 35#include "config.h" 36 37#include <sys/types.h> 38#include <sys/param.h> 39#include <sys/queue.h> 40#include <sys/socket.h> 41 42#include <netinet/in.h> 43#ifdef HAVE_NETINET6_IPSEC 44# include <netinet6/ipsec.h> 45#else 46# include <netinet/ipsec.h> 47#endif 48 49#ifdef ENABLE_HYBRID 50#include <arpa/inet.h> 51#endif 52 53#include <stdlib.h> 54#include <stdio.h> 55#include <string.h> 56#include <errno.h> 57#include <netdb.h> 58#include <pwd.h> 59#include <grp.h> 60#include <signal.h> 61 62#include "var.h" 63#include "misc.h" 64#include "vmbuf.h" 65#include "plog.h" 66#include "sockmisc.h" 67#include "str2val.h" 68#include "genlist.h" 69#include "debug.h" 70 71#include "cfparse_proto.h" 72#include "cftoken_proto.h" 73#include "algorithm.h" 74#include "localconf.h" 75#include "policy.h" 76#include "sainfo.h" 77#include "oakley.h" 78#include "pfkey.h" 79#include "remoteconf.h" 80#include "grabmyaddr.h" 81#include "isakmp_var.h" 82#include "handler.h" 83#include "isakmp.h" 84#include "nattraversal.h" 85#include "isakmp_frag.h" 86#include "session.h" 87#ifdef ENABLE_HYBRID 88#include "resolv.h" 89#include "isakmp_unity.h" 90#include "isakmp_xauth.h" 91#include "isakmp_cfg.h" 92#endif 93#include "ipsec_doi.h" 94#include "strnames.h" 95#include "gcmalloc.h" 96#include "vendorid.h" 97#include "ipsecConfigTracer.h" 98#include "ipsecMessageTracer.h" 99 100static int num2dhgroup[] = { 101 0, 102 OAKLEY_ATTR_GRP_DESC_MODP768, 103 OAKLEY_ATTR_GRP_DESC_MODP1024, 104 OAKLEY_ATTR_GRP_DESC_EC2N155, 105 OAKLEY_ATTR_GRP_DESC_EC2N185, 106 OAKLEY_ATTR_GRP_DESC_MODP1536, 107 0, 108 0, 109 0, 110 0, 111 0, 112 0, 113 0, 114 0, 115 OAKLEY_ATTR_GRP_DESC_MODP2048, 116 OAKLEY_ATTR_GRP_DESC_MODP3072, 117 OAKLEY_ATTR_GRP_DESC_MODP4096, 118 OAKLEY_ATTR_GRP_DESC_MODP6144, 119 OAKLEY_ATTR_GRP_DESC_MODP8192 120}; 121 122struct remote_index_val { 123 int prefix; 124 struct sockaddr_storage *addr; 125}; 126 127static struct remoteconf *cur_rmconf; 128static int tmpalgtype[MAXALGCLASS]; 129static struct sainfo *cur_sainfo; 130static int cur_algclass; 131 132static struct proposalspec *newprspec (void); 133static void insprspec (struct proposalspec *, struct proposalspec **); 134static struct secprotospec *newspspec (void); 135static void insspspec (struct secprotospec *, struct proposalspec **); 136 137static int set_isakmp_proposal (struct remoteconf *, struct proposalspec *); 138static void clean_tmpalgtype (void); 139static int expand_isakmpspec (int, int, int *, 140 int, int, time_t, int, int, int, char *, struct remoteconf *); 141static int listen_addr (struct sockaddr_storage *addr, int udp_encap); 142 143void freeetypes (struct etypes **etypes); 144 145#if 0 146static int fix_lifebyte (u_long); 147#endif 148%} 149 150%union { 151 unsigned long num; 152 vchar_t *val; 153 struct remoteconf *rmconf; 154 struct sockaddr_storage *saddr; 155 struct sainfoalg *alg; 156 struct remote_index_val *rmidx; 157} 158 159 /* path */ 160%token PATH PATHTYPE 161 /* include */ 162%token INCLUDE 163 /* self information */ 164%token IDENTIFIER VENDORID 165 /* logging */ 166%token LOGGING LOGLEV 167 /* padding */ 168%token PADDING PAD_RANDOMIZE PAD_RANDOMIZELEN PAD_MAXLEN PAD_STRICT PAD_EXCLTAIL 169 /* listen */ 170%token LISTEN X_ISAKMP X_ISAKMP_NATT X_ADMIN STRICT_ADDRESS ADMINSOCK DISABLED 171 /* modecfg */ 172%token MODECFG CFG_NET4 CFG_MASK4 CFG_DNS4 CFG_NBNS4 CFG_DEFAULT_DOMAIN 173%token CFG_AUTH_SOURCE CFG_AUTH_GROUPS CFG_SYSTEM CFG_RADIUS CFG_PAM CFG_LDAP CFG_LOCAL CFG_NONE 174%token CFG_GROUP_SOURCE CFG_ACCOUNTING CFG_CONF_SOURCE CFG_MOTD CFG_POOL_SIZE CFG_AUTH_THROTTLE 175%token CFG_SPLIT_NETWORK CFG_SPLIT_LOCAL CFG_SPLIT_INCLUDE CFG_SPLIT_DNS 176%token CFG_PFS_GROUP CFG_SAVE_PASSWD 177 /* timer */ 178%token RETRY RETRY_COUNTER RETRY_INTERVAL RETRY_PERSEND 179%token RETRY_PHASE1 RETRY_PHASE2 NATT_KA AUTO_EXIT_DELAY 180 /* algorithm */ 181%token ALGORITHM_CLASS ALGORITHMTYPE STRENGTHTYPE 182 /* sainfo */ 183%token SAINFO FROM GROUP 184 /* remote */ 185%token REMOTE ANONYMOUS INHERIT 186%token EXCHANGE_MODE EXCHANGETYPE DOI DOITYPE SITUATION SITUATIONTYPE 187%token CERTIFICATE_TYPE CERTTYPE PEERS_CERTFILE CA_TYPE 188%token VERIFY_CERT SEND_CERT SEND_CR 189%token IDENTIFIERTYPE IDENTIFIERQUAL MY_IDENTIFIER 190%token PEERS_IDENTIFIER VERIFY_IDENTIFIER 191%token SHARED_SECRET SECRETTYPE 192%token OPEN_DIR_AUTH_GROUP IN_KEYCHAIN 193%token CERTIFICATE_VERIFICATION VERIFICATION_MODULE VERIFICATION_OPTION 194%token DNSSEC CERT_X509 CERT_PLAINRSA 195%token NONCE_SIZE DH_GROUP KEEPALIVE PASSIVE INITIAL_CONTACT 196%token NAT_TRAVERSAL REMOTE_FORCE_LEVEL NAT_TRAVERSAL_LEVEL NAT_TRAVERSAL_MULTI_USER NAT_TRAVERSAL_KEEPALIVE 197%token PROPOSAL_CHECK PROPOSAL_CHECK_LEVEL 198%token GENERATE_POLICY GENERATE_LEVEL SUPPORT_PROXY 199%token PROPOSAL 200%token EXEC_PATH EXEC_COMMAND EXEC_SUCCESS EXEC_FAILURE 201%token GSS_ID GSS_ID_ENC GSS_ID_ENCTYPE 202%token COMPLEX_BUNDLE 203%token DPD DPD_DELAY DPD_RETRY DPD_MAXFAIL DPD_ALGORITHM 204%token DISCONNECT_ON_IDLE IDLE_TIMEOUT IDLE_DIRECTION 205%token XAUTH_LOGIN WEAK_PHASE1_CHECK 206%token EAP_TYPE EAP_TYPES EAP_OPTIONS 207 208%token PREFIX PORT PORTANY UL_PROTO ANY IKE_FRAG ESP_FRAG MODE_CFG 209%token PFS_GROUP LIFETIME LIFETYPE_TIME LIFETYPE_BYTE STRENGTH REMOTEID 210 211%token NUMBER SWITCH BOOLEAN 212%token HEXSTRING QUOTEDSTRING ADDRSTRING ADDRRANGE 213%token UNITTYPE_BYTE UNITTYPE_KBYTES UNITTYPE_MBYTES UNITTYPE_TBYTES 214%token UNITTYPE_SEC UNITTYPE_MIN UNITTYPE_HOUR 215%token EOS BOC EOC COMMA 216%token DPD_ALGO_TYPE_DEFAULT DPD_ALGO_TYPE_INBOUND DPD_ALGO_TYPE_BLACKHOLE 217%token IDLE_DIRECTION_IN IDLE_DIRECTION_OUT IDLE_DIRECTION_ANY IKE_VERSION 218 219%type <num> NUMBER BOOLEAN SWITCH keylength 220%type <num> PATHTYPE IDENTIFIERTYPE IDENTIFIERQUAL LOGLEV GSS_ID_ENCTYPE 221%type <num> SECRETTYPE 222%type <num> ALGORITHM_CLASS dh_group_num 223%type <num> ALGORITHMTYPE STRENGTHTYPE 224%type <num> PREFIX prefix PORT port ike_port 225%type <num> ul_proto UL_PROTO 226%type <num> EXCHANGETYPE DOITYPE SITUATIONTYPE EAP_TYPE 227%type <num> CERTTYPE CERT_X509 CERT_PLAINRSA PROPOSAL_CHECK_LEVEL NAT_TRAVERSAL_LEVEL GENERATE_LEVEL 228%type <num> VERIFICATION_MODULE VERIFICATION_OPTION 229%type <num> unittype_time unittype_byte 230%type <val> QUOTEDSTRING HEXSTRING ADDRSTRING ADDRRANGE sainfo_id 231%type <val> identifierstring 232%type <saddr> ike_addrinfo_port 233%type <alg> algorithm 234%type <num> dpd_algo_type 235%type <num> idle_dir_type 236%type <rmidx> remote_index ike_addrinfo_prefix_port 237 238%% 239 240statements 241 : /* nothing */ 242 | statements statement 243 ; 244statement 245 : path_statement 246 | include_statement 247 | identifier_statement 248 | logging_statement 249 | padding_statement 250 | listen_statement 251 | modecfg_statement 252 | timer_statement 253 | sainfo_statement 254 | remote_statement 255 | special_statement 256 ; 257 258 /* path */ 259path_statement 260 : PATH PATHTYPE QUOTEDSTRING 261 { 262 if ($2 >= LC_PATHTYPE_MAX) { 263 racoon_yyerror("invalid path type %d", $2); 264 return -1; 265 } 266 267 /* free old pathinfo */ 268 if (lcconf->pathinfo[$2]) 269 racoon_free(lcconf->pathinfo[$2]); 270 271 /* set new pathinfo */ 272 lcconf->pathinfo[$2] = racoon_strdup($3->v); 273 STRDUP_FATAL(lcconf->pathinfo[$2]); 274 vfree($3); 275 } 276 EOS 277 ; 278 279 /* special */ 280special_statement 281 : COMPLEX_BUNDLE SWITCH { lcconf->complex_bundle = $2; } EOS 282 ; 283 284 /* include */ 285include_statement 286 : INCLUDE QUOTEDSTRING EOS 287 { 288 char path[MAXPATHLEN]; 289 290 getpathname(path, sizeof(path), 291 LC_PATHTYPE_INCLUDE, $2->v); 292 vfree($2); 293 if (yycf_switch_buffer(path) != 0) 294 return -1; 295 } 296 ; 297 298 /* self information */ 299identifier_statement 300 : IDENTIFIER identifier_stmt 301 ; 302identifier_stmt 303 : VENDORID 304 { 305 /*XXX to be deleted */ 306 } 307 QUOTEDSTRING EOS 308 | IDENTIFIERTYPE QUOTEDSTRING 309 { 310 /*XXX to be deleted */ 311 $2->l--; /* nuke '\0' */ 312 lcconf->ident[$1] = $2; 313 if (lcconf->ident[$1] == NULL) { 314 racoon_yyerror("failed to set my ident: %s", 315 strerror(errno)); 316 return -1; 317 } 318 } 319 EOS 320 ; 321 322 /* logging */ 323logging_statement 324 : LOGGING log_level EOS 325 ; 326log_level 327 : QUOTEDSTRING 328 { 329 /* 330 * XXX ignore it because this specification 331 * will be obsoleted. 332 */ 333 plogsetlevelquotedstr($1->v); 334 vfree($1); 335 } 336 | LOGLEV 337 { 338 plogsetlevel($1); 339 } 340 ; 341 342 /* padding */ 343padding_statement 344 : PADDING BOC padding_stmts EOC 345 ; 346padding_stmts 347 : /* nothing */ 348 | padding_stmts padding_stmt 349 ; 350padding_stmt 351 : PAD_RANDOMIZE SWITCH { lcconf->pad_random = $2; } EOS 352 | PAD_RANDOMIZELEN SWITCH { lcconf->pad_randomlen = $2; } EOS 353 | PAD_MAXLEN NUMBER { lcconf->pad_maxsize = $2; } EOS 354 | PAD_STRICT SWITCH { lcconf->pad_strict = $2; } EOS 355 | PAD_EXCLTAIL SWITCH { lcconf->pad_excltail = $2; } EOS 356 ; 357 358 /* listen */ 359listen_statement 360 : LISTEN BOC listen_stmts EOC 361 ; 362listen_stmts 363 : /* nothing */ 364 | listen_stmts listen_stmt 365 ; 366listen_stmt 367 : X_ISAKMP ike_addrinfo_port 368 { 369 listen_addr ($2, 0); 370 } 371 EOS 372 | X_ISAKMP_NATT ike_addrinfo_port 373 { 374#ifdef ENABLE_NATT 375 listen_addr ($2, 1); 376#else 377 racoon_yyerror("NAT-T support not compiled in."); 378#endif 379 } 380 EOS 381 | X_ADMIN 382 { 383 racoon_yyerror("admin directive is obsoleted."); 384 } 385 PORT EOS 386 | ADMINSOCK QUOTEDSTRING QUOTEDSTRING QUOTEDSTRING NUMBER 387 { 388 racoon_yywarn("admin port support not compiled in"); 389 } 390 EOS 391 | ADMINSOCK QUOTEDSTRING 392 { 393 racoon_yywarn("admin port support not compiled in"); 394 } 395 EOS 396 | ADMINSOCK DISABLED 397 { 398 racoon_yywarn("admin port support not compiled in"); 399 } 400 EOS 401 | STRICT_ADDRESS { lcconf->strict_address = TRUE; } EOS 402 ; 403ike_addrinfo_port 404 : ADDRSTRING ike_port 405 { 406 char portbuf[10]; 407 408 snprintf(portbuf, sizeof(portbuf), "%ld", $2); 409 $$ = str2saddr($1->v, portbuf); 410 vfree($1); 411 if (!$$) 412 return -1; 413 } 414 ; 415ike_addrinfo_prefix_port 416 : ADDRSTRING prefix ike_port 417 { 418 char portbuf[10]; 419 struct remote_index_val *new; 420 421 new = racoon_calloc(1, sizeof(*new)); 422 if (new == NULL) { 423 racoon_yyerror("failed to allocate remote index struct"); 424 vfree($1); 425 return -1; 426 } 427 snprintf(portbuf, sizeof(portbuf), "%ld", $3); 428 new->addr = str2saddr($1->v, portbuf); 429 vfree($1); 430 if (!new->addr) { 431 racoon_yyerror("failed to allocate sockaddr storage"); 432 return -1; 433 } 434 new->prefix = $2; 435 $$ = new; 436 } 437 ; 438ike_port 439 : /* nothing */ { $$ = PORT_ISAKMP; } 440 | PORT { $$ = $1; } 441 ; 442 /* modecfg */ 443modecfg_statement 444 : MODECFG BOC modecfg_stmts EOC 445 ; 446modecfg_stmts 447 : /* nothing */ 448 | modecfg_stmts modecfg_stmt 449 ; 450modecfg_stmt 451 : CFG_NET4 ADDRSTRING 452 { 453#ifdef ENABLE_HYBRID 454 if (inet_pton(AF_INET, $2->v, 455 &isakmp_cfg_config.network4) != 1) 456 racoon_yyerror("bad IPv4 network address."); 457 vfree($2); 458#else 459 racoon_yyerror("racoon not configured with --enable-hybrid"); 460#endif 461 } 462 EOS 463 | CFG_MASK4 ADDRSTRING 464 { 465#ifdef ENABLE_HYBRID 466 if (inet_pton(AF_INET, $2->v, 467 &isakmp_cfg_config.netmask4) != 1) 468 racoon_yyerror("bad IPv4 netmask address."); 469 vfree($2); 470#else 471 racoon_yyerror("racoon not configured with --enable-hybrid"); 472#endif 473 } 474 EOS 475 | CFG_DNS4 addrdnslist 476 EOS 477 | CFG_NBNS4 addrwinslist 478 EOS 479 | CFG_SPLIT_NETWORK CFG_SPLIT_LOCAL splitnetlist 480 { 481#ifdef ENABLE_HYBRID 482 isakmp_cfg_config.splitnet_type = UNITY_LOCAL_LAN; 483#else 484 racoon_yyerror("racoon not configured with --enable-hybrid"); 485#endif 486 } 487 EOS 488 | CFG_SPLIT_NETWORK CFG_SPLIT_INCLUDE splitnetlist 489 { 490#ifdef ENABLE_HYBRID 491 isakmp_cfg_config.splitnet_type = UNITY_SPLIT_INCLUDE; 492#else 493 racoon_yyerror("racoon not configured with --enable-hybrid"); 494#endif 495 } 496 EOS 497 | CFG_SPLIT_DNS splitdnslist 498 { 499#ifndef ENABLE_HYBRID 500 racoon_yyerror("racoon not configured with --enable-hybrid"); 501#endif 502 } 503 EOS 504 | CFG_DEFAULT_DOMAIN QUOTEDSTRING 505 { 506#ifdef ENABLE_HYBRID 507 strlcpy(&isakmp_cfg_config.default_domain[0], 508 $2->v, sizeof(isakmp_cfg_config.default_domain)); 509 vfree($2); 510#else 511 racoon_yyerror("racoon not configured with --enable-hybrid"); 512#endif 513 } 514 EOS 515 | CFG_AUTH_SOURCE CFG_SYSTEM 516 { 517#ifdef ENABLE_HYBRID 518 isakmp_cfg_config.authsource = ISAKMP_CFG_AUTH_SYSTEM; 519#else 520 racoon_yyerror("racoon not configured with --enable-hybrid"); 521#endif 522 } 523 EOS 524 | CFG_AUTH_SOURCE CFG_RADIUS 525 { 526#ifdef ENABLE_HYBRID 527 racoon_yyerror("racoon not configured with --with-libradius"); 528#else /* ENABLE_HYBRID */ 529 racoon_yyerror("racoon not configured with --enable-hybrid"); 530#endif /* ENABLE_HYBRID */ 531 } 532 EOS 533 | CFG_AUTH_SOURCE CFG_PAM 534 { 535#ifdef ENABLE_HYBRID 536 racoon_yyerror("racoon not configured with --with-libpam"); 537#else /* ENABLE_HYBRID */ 538 racoon_yyerror("racoon not configured with --enable-hybrid"); 539#endif /* ENABLE_HYBRID */ 540 } 541 EOS 542 | CFG_AUTH_SOURCE CFG_LDAP 543 { 544#ifdef ENABLE_HYBRID 545 racoon_yyerror("racoon not configured with --with-libldap"); 546#else /* ENABLE_HYBRID */ 547 racoon_yyerror("racoon not configured with --enable-hybrid"); 548#endif /* ENABLE_HYBRID */ 549 } 550 EOS 551 | CFG_AUTH_GROUPS authgrouplist 552 { 553#ifndef ENABLE_HYBRID 554 racoon_yyerror("racoon not configured with --enable-hybrid"); 555#endif 556 } 557 EOS 558 | CFG_GROUP_SOURCE CFG_SYSTEM 559 { 560#ifdef ENABLE_HYBRID 561 isakmp_cfg_config.groupsource = ISAKMP_CFG_GROUP_SYSTEM; 562#else 563 racoon_yyerror("racoon not configured with --enable-hybrid"); 564#endif 565 } 566 EOS 567 | CFG_GROUP_SOURCE CFG_LDAP 568 { 569#ifdef ENABLE_HYBRID 570 racoon_yyerror("racoon not configured with --with-libldap"); 571#else /* ENABLE_HYBRID */ 572 racoon_yyerror("racoon not configured with --enable-hybrid"); 573#endif /* ENABLE_HYBRID */ 574 } 575 EOS 576 | CFG_ACCOUNTING CFG_NONE 577 { 578#ifdef ENABLE_HYBRID 579 isakmp_cfg_config.accounting = ISAKMP_CFG_ACCT_NONE; 580#else 581 racoon_yyerror("racoon not configured with --enable-hybrid"); 582#endif 583 } 584 EOS 585 | CFG_ACCOUNTING CFG_SYSTEM 586 { 587#ifdef ENABLE_HYBRID 588 isakmp_cfg_config.accounting = ISAKMP_CFG_ACCT_SYSTEM; 589#else 590 racoon_yyerror("racoon not configured with --enable-hybrid"); 591#endif 592 } 593 EOS 594 | CFG_ACCOUNTING CFG_RADIUS 595 { 596#ifdef ENABLE_HYBRID 597 racoon_yyerror("racoon not configured with --with-libradius"); 598#else /* ENABLE_HYBRID */ 599 racoon_yyerror("racoon not configured with --enable-hybrid"); 600#endif /* ENABLE_HYBRID */ 601 } 602 EOS 603 | CFG_ACCOUNTING CFG_PAM 604 { 605#ifdef ENABLE_HYBRID 606 racoon_yyerror("racoon not configured with --with-libpam"); 607#else /* ENABLE_HYBRID */ 608 racoon_yyerror("racoon not configured with --enable-hybrid"); 609#endif /* ENABLE_HYBRID */ 610 } 611 EOS 612 | CFG_POOL_SIZE NUMBER 613 { 614#ifdef ENABLE_HYBRID 615 if (isakmp_cfg_resize_pool($2) != 0) 616 racoon_yyerror("cannot allocate memory for pool"); 617#else /* ENABLE_HYBRID */ 618 racoon_yyerror("racoon not configured with --enable-hybrid"); 619#endif /* ENABLE_HYBRID */ 620 } 621 EOS 622 | CFG_PFS_GROUP NUMBER 623 { 624#ifdef ENABLE_HYBRID 625 isakmp_cfg_config.pfs_group = $2; 626 switch (isakmp_cfg_config.pfs_group) 627 { 628 case OAKLEY_ATTR_GRP_DESC_MODP768: 629 case OAKLEY_ATTR_GRP_DESC_MODP1024: 630 case OAKLEY_ATTR_GRP_DESC_MODP1536: 631 case OAKLEY_ATTR_GRP_DESC_MODP2048: 632 case OAKLEY_ATTR_GRP_DESC_MODP3072: 633 case OAKLEY_ATTR_GRP_DESC_MODP4096: 634 case OAKLEY_ATTR_GRP_DESC_MODP6144: 635 case OAKLEY_ATTR_GRP_DESC_MODP8192: 636 break; 637 default: 638 racoon_yyerror("Invalid PFS group specified"); 639 return -1; 640 break; 641 } 642#else /* ENABLE_HYBRID */ 643 racoon_yyerror("racoon not configured with --enable-hybrid"); 644#endif /* ENABLE_HYBRID */ 645 } 646 EOS 647 | CFG_SAVE_PASSWD SWITCH 648 { 649#ifdef ENABLE_HYBRID 650 isakmp_cfg_config.save_passwd = $2; 651#else /* ENABLE_HYBRID */ 652 racoon_yyerror("racoon not configured with --enable-hybrid"); 653#endif /* ENABLE_HYBRID */ 654 } 655 EOS 656 | CFG_AUTH_THROTTLE NUMBER 657 { 658#ifdef ENABLE_HYBRID 659 isakmp_cfg_config.auth_throttle = $2; 660#else /* ENABLE_HYBRID */ 661 racoon_yyerror("racoon not configured with --enable-hybrid"); 662#endif /* ENABLE_HYBRID */ 663 } 664 EOS 665 | CFG_CONF_SOURCE CFG_LOCAL 666 { 667#ifdef ENABLE_HYBRID 668 isakmp_cfg_config.confsource = ISAKMP_CFG_CONF_LOCAL; 669#else /* ENABLE_HYBRID */ 670 racoon_yyerror("racoon not configured with --enable-hybrid"); 671#endif /* ENABLE_HYBRID */ 672 } 673 EOS 674 | CFG_CONF_SOURCE CFG_RADIUS 675 { 676#ifdef ENABLE_HYBRID 677 racoon_yyerror("racoon not configured with --with-libradius"); 678#else /* ENABLE_HYBRID */ 679 racoon_yyerror("racoon not configured with --enable-hybrid"); 680#endif /* ENABLE_HYBRID */ 681 } 682 EOS 683 | CFG_CONF_SOURCE CFG_LDAP 684 { 685#ifdef ENABLE_HYBRID 686 racoon_yyerror("racoon not configured with --with-libldap"); 687#else /* ENABLE_HYBRID */ 688 racoon_yyerror("racoon not configured with --enable-hybrid"); 689#endif /* ENABLE_HYBRID */ 690 } 691 EOS 692 | CFG_MOTD QUOTEDSTRING 693 { 694#ifdef ENABLE_HYBRID 695 strlcpy(&isakmp_cfg_config.motd[0], $2->v, sizeof(isakmp_cfg_config.motd)); 696 vfree($2); 697#else 698 racoon_yyerror("racoon not configured with --enable-hybrid"); 699#endif 700 } 701 EOS 702 ; 703 704addrdnslist 705 : addrdns 706 | addrdns COMMA addrdnslist 707 ; 708addrdns 709 : ADDRSTRING 710 { 711#ifdef ENABLE_HYBRID 712 struct isakmp_cfg_config *icc = &isakmp_cfg_config; 713 714 if (icc->dns4_index > MAXNS) { 715 racoon_yyerror("No more than %d DNS", MAXNS); 716 return -1; 717 } 718 if (inet_pton(AF_INET, $1->v, 719 &icc->dns4[icc->dns4_index++]) != 1) 720 racoon_yyerror("bad IPv4 DNS address."); 721 722 vfree($1); 723#else 724 racoon_yyerror("racoon not configured with --enable-hybrid"); 725#endif 726 } 727 ; 728 729addrwinslist 730 : addrwins 731 | addrwins COMMA addrwinslist 732 ; 733addrwins 734 : ADDRSTRING 735 { 736#ifdef ENABLE_HYBRID 737 struct isakmp_cfg_config *icc = &isakmp_cfg_config; 738 739 if (icc->nbns4_index > MAXWINS) { 740 racoon_yyerror("No more than %d WINS", MAXWINS); 741 return -1; 742 } 743 if (inet_pton(AF_INET, $1->v, 744 &icc->nbns4[icc->nbns4_index++]) != 1) 745 racoon_yyerror("bad IPv4 WINS address."); 746 747 vfree($1); 748#else 749 racoon_yyerror("racoon not configured with --enable-hybrid"); 750#endif 751 } 752 ; 753 754splitnetlist 755 : splitnet 756 | splitnetlist COMMA splitnet 757 ; 758splitnet 759 : ADDRSTRING PREFIX 760 { 761#ifdef ENABLE_HYBRID 762 struct isakmp_cfg_config *icc = &isakmp_cfg_config; 763 struct unity_network network; 764 765 if (inet_pton(AF_INET, $1->v, &network.addr4) != 1) 766 racoon_yyerror("bad IPv4 SPLIT address."); 767 768 /* Turn $2 (the prefix) into a subnet mask */ 769 network.mask4.s_addr = ($2) ? htonl(~((1 << (32 - $2)) - 1)) : 0; 770 771 /* add the network to our list */ 772 if (splitnet_list_add(&icc->splitnet_list, &network,&icc->splitnet_count)) 773 racoon_yyerror("Unable to allocate split network"); 774 775 vfree($1); 776#else 777 racoon_yyerror("racoon not configured with --enable-hybrid"); 778#endif 779 } 780 ; 781 782authgrouplist 783 : authgroup 784 | authgroup COMMA authgrouplist 785 ; 786authgroup 787 : QUOTEDSTRING 788 { 789#ifdef ENABLE_HYBRID 790 char * groupname = NULL; 791 char ** grouplist = NULL; 792 struct isakmp_cfg_config *icc = &isakmp_cfg_config; 793 794 grouplist = racoon_realloc(icc->grouplist, 795 sizeof(char**)*(icc->groupcount+1)); 796 if (grouplist == NULL) 797 racoon_yyerror("unable to allocate auth group list"); 798 799 groupname = racoon_malloc($1->l+1); 800 if (groupname == NULL) 801 racoon_yyerror("unable to allocate auth group name"); 802 803 memcpy(groupname,$1->v,$1->l); 804 groupname[$1->l]=0; 805 grouplist[icc->groupcount]=groupname; 806 icc->grouplist = grouplist; 807 icc->groupcount++; 808 809 vfree($1); 810#else 811 racoon_yyerror("racoon not configured with --enable-hybrid"); 812#endif 813 } 814 ; 815 816splitdnslist 817 : splitdns 818 | splitdns COMMA splitdnslist 819 ; 820splitdns 821 : QUOTEDSTRING 822 { 823#ifdef ENABLE_HYBRID 824 struct isakmp_cfg_config *icc = &isakmp_cfg_config; 825 826 if (!icc->splitdns_len) 827 { 828 icc->splitdns_list = racoon_malloc($1->l); 829 if(icc->splitdns_list == NULL) 830 racoon_yyerror("error allocating splitdns list buffer"); 831 memcpy(icc->splitdns_list,$1->v,$1->l); 832 icc->splitdns_len = $1->l; 833 } 834 else 835 { 836 int len = icc->splitdns_len + $1->l + 1; 837 icc->splitdns_list = racoon_realloc(icc->splitdns_list,len); 838 if(icc->splitdns_list == NULL) 839 racoon_yyerror("error allocating splitdns list buffer"); 840 icc->splitdns_list[icc->splitdns_len] = ','; 841 memcpy(icc->splitdns_list + icc->splitdns_len + 1, $1->v, $1->l); 842 icc->splitdns_len = len; 843 } 844 vfree($1); 845#else 846 racoon_yyerror("racoon not configured with --enable-hybrid"); 847#endif 848 } 849 ; 850 851 852 /* timer */ 853timer_statement 854 : RETRY BOC timer_stmts EOC 855 ; 856timer_stmts 857 : /* nothing */ 858 | timer_stmts timer_stmt 859 ; 860timer_stmt 861 : RETRY_COUNTER NUMBER 862 { 863 lcconf->retry_counter = $2; 864 } 865 EOS 866 | RETRY_INTERVAL NUMBER unittype_time 867 { 868 lcconf->retry_interval = $2 * $3; 869 } 870 EOS 871 | RETRY_PERSEND NUMBER 872 { 873 lcconf->count_persend = $2; 874 } 875 EOS 876 | RETRY_PHASE1 NUMBER unittype_time 877 { 878 lcconf->retry_checkph1 = $2 * $3; 879 } 880 EOS 881 | RETRY_PHASE2 NUMBER unittype_time 882 { 883 lcconf->wait_ph2complete = $2 * $3; 884 } 885 EOS 886 | AUTO_EXIT_DELAY NUMBER unittype_time 887 { 888 lcconf->auto_exit_delay = $2 * $3; 889 lcconf->auto_exit_state |= LC_AUTOEXITSTATE_SET; 890 } 891 EOS 892 893 | NATT_KA NUMBER unittype_time 894 { 895#ifdef ENABLE_NATT 896 lcconf->natt_ka_interval = $2 * $3; 897#else 898 racoon_yyerror("NAT-T support not compiled in."); 899#endif 900 } 901 EOS 902 ; 903 904 /* sainfo */ 905sainfo_statement 906 : SAINFO 907 { 908 cur_sainfo = create_sainfo(); 909 if (cur_sainfo == NULL) { 910 racoon_yyerror("failed to allocate sainfo"); 911 return -1; 912 } 913 } 914 sainfo_name sainfo_param BOC sainfo_specs 915 { 916 struct sainfo *check; 917 918 /* default */ 919 if (cur_sainfo->algs[algclass_ipsec_enc] == 0) { 920 racoon_yyerror("no encryption algorithm at %s", 921 sainfo2str(cur_sainfo)); 922 return -1; 923 } 924 if (cur_sainfo->algs[algclass_ipsec_auth] == 0) { 925 racoon_yyerror("no authentication algorithm at %s", 926 sainfo2str(cur_sainfo)); 927 return -1; 928 } 929 if (cur_sainfo->algs[algclass_ipsec_comp] == 0) { 930 racoon_yyerror("no compression algorithm at %s", 931 sainfo2str(cur_sainfo)); 932 return -1; 933 } 934 935 /* duplicate check */ 936 check = getsainfo(cur_sainfo->idsrc, 937 cur_sainfo->iddst, 938 cur_sainfo->id_i, 0); 939 if (check && (!check->idsrc && !cur_sainfo->idsrc)) { 940 racoon_yyerror("duplicated sainfo: %s", 941 sainfo2str(cur_sainfo)); 942 return -1; 943 } 944 inssainfo(cur_sainfo); 945 } 946 EOC 947 ; 948sainfo_name 949 : ANONYMOUS 950 { 951 cur_sainfo->idsrc = NULL; 952 cur_sainfo->iddst = NULL; 953 } 954 | ANONYMOUS sainfo_id 955 { 956 cur_sainfo->idsrc = NULL; 957 cur_sainfo->iddst = $2; 958 } 959 | sainfo_id ANONYMOUS 960 { 961 cur_sainfo->idsrc = $1; 962 cur_sainfo->iddst = NULL; 963 } 964 | sainfo_id sainfo_id 965 { 966 cur_sainfo->idsrc = $1; 967 cur_sainfo->iddst = $2; 968 } 969 ; 970sainfo_id 971 : IDENTIFIERTYPE ADDRSTRING prefix port ul_proto 972 { 973 char portbuf[10]; 974 struct sockaddr_storage *saddr; 975 976 if (($5 == IPPROTO_ICMP || $5 == IPPROTO_ICMPV6) 977 && ($4 != IPSEC_PORT_ANY || $4 != IPSEC_PORT_ANY)) { 978 racoon_yyerror("port number must be \"any\"."); 979 return -1; 980 } 981 982 snprintf(portbuf, sizeof(portbuf), "%lu", $4); 983 saddr = str2saddr($2->v, portbuf); 984 vfree($2); 985 if (saddr == NULL) 986 return -1; 987 988 switch (saddr->ss_family) { 989 case AF_INET: 990 if ($5 == IPPROTO_ICMPV6) { 991 racoon_yyerror("upper layer protocol mismatched.\n"); 992 racoon_free(saddr); 993 return -1; 994 } 995 $$ = ipsecdoi_sockaddr2id(saddr, 996 $3 == ~0 ? (sizeof(struct in_addr) << 3): $3, 997 $5); 998 break; 999#ifdef INET6 1000 case AF_INET6: 1001 if ($5 == IPPROTO_ICMP) { 1002 racoon_yyerror("upper layer protocol mismatched.\n"); 1003 racoon_free(saddr); 1004 return -1; 1005 } 1006 $$ = ipsecdoi_sockaddr2id(saddr, 1007 $3 == ~0 ? (sizeof(struct in6_addr) << 3): $3, 1008 $5); 1009 break; 1010#endif 1011 default: 1012 racoon_yyerror("invalid family: %d", saddr->ss_family); 1013 $$ = NULL; 1014 break; 1015 } 1016 racoon_free(saddr); 1017 if ($$ == NULL) 1018 return -1; 1019 } 1020 | IDENTIFIERTYPE ADDRSTRING ADDRRANGE prefix port ul_proto 1021 { 1022 char portbuf[10]; 1023 struct sockaddr_storage *laddr = NULL, *haddr = NULL; 1024 1025 if (($6 == IPPROTO_ICMP || $6 == IPPROTO_ICMPV6) 1026 && ($5 != IPSEC_PORT_ANY || $5 != IPSEC_PORT_ANY)) { 1027 racoon_yyerror("port number must be \"any\"."); 1028 return -1; 1029 } 1030 1031 snprintf(portbuf, sizeof(portbuf), "%lu", $5); 1032 1033 laddr = str2saddr($2->v, portbuf); 1034 if (laddr == NULL) { 1035 return -1; 1036 } 1037 vfree($2); 1038 haddr = str2saddr($3->v, portbuf); 1039 if (haddr == NULL) { 1040 racoon_free(laddr); 1041 return -1; 1042 } 1043 vfree($3); 1044 1045 switch (laddr->ss_family) { 1046 case AF_INET: 1047 if ($6 == IPPROTO_ICMPV6) { 1048 racoon_yyerror("upper layer protocol mismatched.\n"); 1049 if (laddr) 1050 racoon_free(laddr); 1051 if (haddr) 1052 racoon_free(haddr); 1053 return -1; 1054 } 1055 $$ = ipsecdoi_sockrange2id(laddr, haddr, 1056 $6); 1057 break; 1058#ifdef INET6 1059 case AF_INET6: 1060 if ($6 == IPPROTO_ICMP) { 1061 racoon_yyerror("upper layer protocol mismatched.\n"); 1062 if (laddr) 1063 racoon_free(laddr); 1064 if (haddr) 1065 racoon_free(haddr); 1066 return -1; 1067 } 1068 $$ = ipsecdoi_sockrange2id(laddr, haddr, 1069 $6); 1070 break; 1071#endif 1072 default: 1073 racoon_yyerror("invalid family: %d", laddr->ss_family); 1074 $$ = NULL; 1075 break; 1076 } 1077 if (laddr) 1078 racoon_free(laddr); 1079 if (haddr) 1080 racoon_free(haddr); 1081 if ($$ == NULL) 1082 return -1; 1083 } 1084 | IDENTIFIERTYPE QUOTEDSTRING 1085 { 1086 struct ipsecdoi_id_b *id_b; 1087 1088 if ($1 == IDTYPE_ASN1DN) { 1089 racoon_yyerror("id type forbidden: %d", $1); 1090 $$ = NULL; 1091 return -1; 1092 } 1093 1094 $2->l--; 1095 1096 $$ = vmalloc(sizeof(*id_b) + $2->l); 1097 if ($$ == NULL) { 1098 racoon_yyerror("failed to allocate identifier"); 1099 return -1; 1100 } 1101 1102 id_b = ALIGNED_CAST(struct ipsecdoi_id_b *)$$->v; 1103 id_b->type = idtype2doi($1); 1104 1105 id_b->proto_id = 0; 1106 id_b->port = 0; 1107 1108 memcpy($$->v + sizeof(*id_b), $2->v, $2->l); 1109 } 1110 ; 1111sainfo_param 1112 : /* nothing */ 1113 { 1114 cur_sainfo->id_i = NULL; 1115 } 1116 1117 | FROM IDENTIFIERTYPE identifierstring 1118 { 1119 struct ipsecdoi_id_b *id_b; 1120 vchar_t *idv; 1121 1122 if (set_identifier(&idv, $2, $3) != 0) { 1123 racoon_yyerror("failed to set identifer.\n"); 1124 return -1; 1125 } 1126 cur_sainfo->id_i = vmalloc(sizeof(*id_b) + idv->l); 1127 if (cur_sainfo->id_i == NULL) { 1128 racoon_yyerror("failed to allocate identifier"); 1129 return -1; 1130 } 1131 1132 id_b = ALIGNED_CAST(struct ipsecdoi_id_b *)cur_sainfo->id_i->v; 1133 id_b->type = idtype2doi($2); 1134 1135 id_b->proto_id = 0; 1136 id_b->port = 0; 1137 1138 memcpy(cur_sainfo->id_i->v + sizeof(*id_b), 1139 idv->v, idv->l); 1140 vfree(idv); 1141 } 1142 | GROUP QUOTEDSTRING 1143 { 1144#ifdef ENABLE_HYBRID 1145 if ((cur_sainfo->group = vdup($2)) == NULL) { 1146 racoon_yyerror("failed to set sainfo xauth group.\n"); 1147 return -1; 1148 } 1149#else 1150 racoon_yyerror("racoon not configured with --enable-hybrid"); 1151 return -1; 1152#endif 1153 } 1154 ; 1155sainfo_specs 1156 : /* nothing */ 1157 | sainfo_specs sainfo_spec 1158 ; 1159sainfo_spec 1160 : PFS_GROUP dh_group_num 1161 { 1162 cur_sainfo->pfs_group = $2; 1163 switch (cur_sainfo->pfs_group) 1164 { 1165 case OAKLEY_ATTR_GRP_DESC_MODP768: 1166 case OAKLEY_ATTR_GRP_DESC_MODP1024: 1167 case OAKLEY_ATTR_GRP_DESC_MODP1536: 1168 case OAKLEY_ATTR_GRP_DESC_MODP2048: 1169 case OAKLEY_ATTR_GRP_DESC_MODP3072: 1170 case OAKLEY_ATTR_GRP_DESC_MODP4096: 1171 case OAKLEY_ATTR_GRP_DESC_MODP6144: 1172 case OAKLEY_ATTR_GRP_DESC_MODP8192: 1173 break; 1174 default: 1175 racoon_yyerror("Invalid PFS group specified"); 1176 return -1; 1177 break; 1178 } 1179 } 1180 EOS 1181 | LIFETIME LIFETYPE_TIME NUMBER unittype_time 1182 { 1183 cur_sainfo->lifetime = $3 * $4; 1184 } 1185 EOS 1186 | LIFETIME LIFETYPE_BYTE NUMBER unittype_byte 1187 { 1188#if 1 1189 racoon_yyerror("byte lifetime support is deprecated"); 1190 return -1; 1191#else 1192 cur_sainfo->lifebyte = fix_lifebyte($3 * $4); 1193 if (cur_sainfo->lifebyte == 0) 1194 return -1; 1195#endif 1196 } 1197 EOS 1198 | ALGORITHM_CLASS { 1199 cur_algclass = $1; 1200 } 1201 algorithms EOS 1202 | IDENTIFIER IDENTIFIERTYPE 1203 { 1204 racoon_yyerror("it's deprecated to specify a identifier in phase 2"); 1205 } 1206 EOS 1207 | MY_IDENTIFIER IDENTIFIERTYPE QUOTEDSTRING 1208 { 1209 racoon_yyerror("it's deprecated to specify a identifier in phase 2"); 1210 } 1211 EOS 1212 ; 1213 1214algorithms 1215 : algorithm 1216 { 1217 inssainfoalg(&cur_sainfo->algs[cur_algclass], $1); 1218 } 1219 | algorithm 1220 { 1221 inssainfoalg(&cur_sainfo->algs[cur_algclass], $1); 1222 } 1223 COMMA algorithms 1224 ; 1225algorithm 1226 : ALGORITHMTYPE keylength 1227 { 1228 int defklen; 1229 1230 $$ = newsainfoalg(); 1231 if ($$ == NULL) { 1232 racoon_yyerror("failed to get algorithm allocation"); 1233 return -1; 1234 } 1235 1236 $$->alg = algtype2doi(cur_algclass, $1); 1237 if ($$->alg == -1) { 1238 racoon_yyerror("algorithm mismatched"); 1239 racoon_free($$); 1240 $$ = NULL; 1241 return -1; 1242 } 1243 1244 defklen = default_keylen(cur_algclass, $1); 1245 if (defklen == 0) { 1246 if ($2) { 1247 racoon_yyerror("keylen not allowed"); 1248 racoon_free($$); 1249 $$ = NULL; 1250 return -1; 1251 } 1252 } else { 1253 if ($2 && check_keylen(cur_algclass, $1, $2) < 0) { 1254 racoon_yyerror("invalid keylen %d", $2); 1255 racoon_free($$); 1256 $$ = NULL; 1257 return -1; 1258 } 1259 } 1260 1261 if ($2) 1262 $$->encklen = $2; 1263 else 1264 $$->encklen = defklen; 1265 1266 /* check if it's supported algorithm by kernel */ 1267 if (!(cur_algclass == algclass_ipsec_auth && $1 == algtype_non_auth) 1268 && pk_checkalg(cur_algclass, $1, $$->encklen)) { 1269 int a = algclass2doi(cur_algclass); 1270 int b = algtype2doi(cur_algclass, $1); 1271 if (a == IPSECDOI_ATTR_AUTH) 1272 a = IPSECDOI_PROTO_IPSEC_AH; 1273 racoon_yyerror("algorithm %s not supported by the kernel (missing module?)", 1274 s_ipsecdoi_trns(a, b)); 1275 racoon_free($$); 1276 $$ = NULL; 1277 return -1; 1278 } 1279 } 1280 ; 1281prefix 1282 : /* nothing */ { $$ = ~0; } 1283 | PREFIX { $$ = $1; } 1284 ; 1285port 1286 : /* nothing */ { $$ = IPSEC_PORT_ANY; } 1287 | PORT { $$ = $1; } 1288 | PORTANY { $$ = IPSEC_PORT_ANY; } 1289 ; 1290ul_proto 1291 : NUMBER { $$ = $1; } 1292 | UL_PROTO { $$ = $1; } 1293 | ANY { $$ = IPSEC_ULPROTO_ANY; } 1294 ; 1295keylength 1296 : /* nothing */ { $$ = 0; } 1297 | NUMBER { $$ = $1; } 1298 ; 1299 1300 /* remote */ 1301remote_statement 1302 : REMOTE remote_index INHERIT remote_index 1303 { 1304 struct remoteconf *new; 1305 struct proposalspec *prspec; 1306 1307 new = copyrmconf($4->addr); 1308 if (new == NULL) { 1309 racoon_yyerror("failed to get remoteconf for %s.", saddr2str((struct sockaddr *)$4)); 1310 racoon_free($2->addr); 1311 racoon_free($2); 1312 racoon_free($4->addr); 1313 racoon_free($4); 1314 return -1; 1315 } 1316 1317 new->remote = $2->addr; 1318 new->remote_prefix = ($2->prefix == ~0 ? 0 : $2->prefix); 1319 new->inherited_from = getrmconf_strict($4->addr, 1); 1320 new->proposal = NULL; 1321 new->prhead = NULL; 1322 cur_rmconf = new; 1323 racoon_free($2); 1324 racoon_free($4->addr); 1325 racoon_free($4); 1326 1327 prspec = newprspec(); 1328 if (prspec == NULL || !cur_rmconf->inherited_from 1329 || !cur_rmconf->inherited_from->proposal) 1330 return -1; 1331 prspec->lifetime = cur_rmconf->inherited_from->proposal->lifetime; 1332 prspec->lifebyte = cur_rmconf->inherited_from->proposal->lifebyte; 1333 insprspec(prspec, &cur_rmconf->prhead); 1334 } 1335 remote_specs_block 1336 | REMOTE remote_index 1337 { 1338 struct remoteconf *new; 1339 struct proposalspec *prspec; 1340 1341 new = create_rmconf(); 1342 if (new == NULL) { 1343 racoon_yyerror("failed to get new remoteconf."); 1344 racoon_free($2->addr); 1345 racoon_free($2); 1346 return -1; 1347 } 1348 new->remote = $2->addr; 1349 new->remote_prefix = ($2->prefix == ~0 ? 0 : $2->prefix); 1350 cur_rmconf = new; 1351 racoon_free($2); 1352 1353 prspec = newprspec(); 1354 if (prspec == NULL) 1355 return -1; 1356 prspec->lifetime = oakley_get_defaultlifetime(); 1357 insprspec(prspec, &cur_rmconf->prhead); 1358 } 1359 remote_specs_block 1360 ; 1361 1362remote_specs_block 1363 : BOC remote_specs EOC 1364 { 1365 /* check a exchange mode */ 1366 if (cur_rmconf->etypes == NULL) { 1367 racoon_yyerror("no exchange mode specified.\n"); 1368 return -1; 1369 } 1370 1371 if (cur_rmconf->idvtype == IDTYPE_UNDEFINED) 1372 cur_rmconf->idvtype = IDTYPE_ADDRESS; 1373 1374 1375 if (cur_rmconf->idvtype == IDTYPE_ASN1DN) { 1376 if (cur_rmconf->identity_in_keychain) 1377 { 1378 if (cur_rmconf->idv) 1379 racoon_yywarn("Both CERT and ASN1 ID " 1380 "are set. Hope this is OK.\n"); 1381 /* TODO: Preparse the DN here */ 1382 } else if (cur_rmconf->idv) { 1383 /* OK, using asn1dn without X.509. */ 1384 } else { 1385 racoon_yyerror("ASN1 ID not specified " 1386 "and no CERT defined!\n"); 1387 return -1; 1388 } 1389 } 1390 1391 if (cur_rmconf->cert_verification_option == VERIFICATION_OPTION_PEERS_IDENTIFIER) { 1392 struct genlist_entry *gpb; 1393 if (genlist_next(cur_rmconf->idvl_p, &gpb) == NULL) { 1394 racoon_yyerror("peers_identifier required for specified certificate " 1395 "verification option.\n"); 1396 return -1; 1397 } 1398 } 1399 1400 if (cur_rmconf->prhead->spspec == NULL 1401 && cur_rmconf->inherited_from 1402 && cur_rmconf->inherited_from->prhead) { 1403 cur_rmconf->prhead->spspec = cur_rmconf->inherited_from->prhead->spspec; 1404 } 1405 if (set_isakmp_proposal(cur_rmconf, cur_rmconf->prhead) != 0) 1406 return -1; 1407 1408 /* DH group settting if aggressive mode or IKEv2. */ 1409 if (check_etypeok(cur_rmconf, ISAKMP_ETYPE_AGG) != NULL 1410 ) { 1411 struct isakmpsa *p; 1412 int b = 0; 1413 1414 /* DH group */ 1415 for (p = cur_rmconf->proposal; p; p = p->next) { 1416 if (b == 0 || (b && b == p->dh_group)) { 1417 b = p->dh_group; 1418 continue; 1419 } 1420 racoon_yyerror("DH group must be equal " 1421 "in all proposals " 1422 "when aggressive mode is " 1423 "used.\n"); 1424 return -1; 1425 } 1426 cur_rmconf->dh_group = b; 1427 1428 if (cur_rmconf->dh_group == 0) { 1429 racoon_yyerror("DH group must be set in the proposal.\n"); 1430 return -1; 1431 } 1432 1433 /* DH group settting if PFS is required. */ 1434 if (oakley_setdhgroup(cur_rmconf->dh_group, 1435 &cur_rmconf->dhgrp) < 0) { 1436 racoon_yyerror("failed to set DH value.\n"); 1437 return -1; 1438 } 1439 } 1440 1441 insrmconf(cur_rmconf); 1442 } 1443 ; 1444remote_index 1445 : ANONYMOUS ike_port 1446 { 1447 1448 struct remote_index_val *new; 1449 1450 new = racoon_calloc(1, sizeof(*new)); 1451 if (new == NULL) { 1452 racoon_yyerror("failed to allocate remote index struct"); 1453 return -1; 1454 } 1455 new->addr = newsaddr(sizeof(struct sockaddr_storage)); 1456 if (new->addr == NULL) { 1457 racoon_yyerror("failed to allocate sockaddr storage"); 1458 racoon_free(new); 1459 return -1; 1460 } 1461 new->addr->ss_family = AF_UNSPEC; 1462 (ALIGNED_CAST(struct sockaddr_in *)new->addr)->sin_port = htons($2); 1463 new->prefix = ~0; 1464 $$ = new; 1465 } 1466 | ike_addrinfo_prefix_port 1467 { 1468 $$ = $1; 1469 if ($$ == NULL) { 1470 racoon_yyerror("failed to allocate sockaddr_storage"); 1471 return -1; 1472 } 1473 } 1474 ; 1475remote_specs 1476 : /* nothing */ 1477 | remote_specs remote_spec 1478 ; 1479remote_spec 1480 : EXCHANGE_MODE 1481 { 1482 cur_rmconf->etypes = NULL; 1483 } 1484 exchange_types EOS 1485 | DOI DOITYPE { cur_rmconf->doitype = $2; } EOS 1486 | SITUATION SITUATIONTYPE { cur_rmconf->sittype = $2; } EOS 1487 | IKE_VERSION NUMBER 1488 { 1489 if ($2 == 1) 1490 cur_rmconf->ike_version = ISAKMP_VERSION_NUMBER_IKEV1; 1491 else { 1492 racoon_yyerror("invalid IKE version specified.\n"); 1493 return -1; 1494 } 1495 } EOS 1496 | CERTIFICATE_TYPE cert_spec 1497 | VERIFY_CERT SWITCH { cur_rmconf->verify_cert = $2; } EOS 1498 | SEND_CERT SWITCH { cur_rmconf->send_cert = $2; } EOS 1499 | SEND_CR SWITCH { cur_rmconf->send_cr = $2; } EOS 1500 | CERTIFICATE_VERIFICATION VERIFICATION_MODULE 1501 { 1502 cur_rmconf->cert_verification = $2; 1503 } EOS 1504 | CERTIFICATE_VERIFICATION VERIFICATION_MODULE VERIFICATION_OPTION 1505 { 1506 cur_rmconf->cert_verification = $2; 1507 cur_rmconf->cert_verification_option = $3; 1508 } 1509 EOS 1510 | OPEN_DIR_AUTH_GROUP QUOTEDSTRING 1511 { 1512#if HAVE_OPENDIR 1513 cur_rmconf->open_dir_auth_group = $2; 1514#else 1515 racoon_yyerror("Apple specific features not compiled in."); 1516 return -1; 1517#endif 1518 } EOS 1519 | MY_IDENTIFIER IDENTIFIERTYPE identifierstring 1520 { 1521 if (set_identifier(&cur_rmconf->idv, $2, $3) != 0) { 1522 racoon_yyerror("failed to set identifer.\n"); 1523 vfree($3); //%%% BUG FIX - memory leak 1524 return -1; 1525 } 1526 vfree($3); //%%% BUG FIX - memory leak 1527 cur_rmconf->idvtype = $2; 1528 } 1529 EOS 1530 | MY_IDENTIFIER IDENTIFIERTYPE IDENTIFIERQUAL identifierstring 1531 { 1532 if (set_identifier_qual(&cur_rmconf->idv, $2, $4, $3) != 0) { 1533 racoon_yyerror("failed to set identifer.\n"); 1534 return -1; 1535 } 1536 cur_rmconf->idvtype = $2; 1537 } 1538 EOS 1539 | XAUTH_LOGIN identifierstring 1540 { 1541#ifdef ENABLE_HYBRID 1542 /* formerly identifier type login */ 1543 if (xauth_rmconf_used(&cur_rmconf->xauth) == -1) { 1544 racoon_yyerror("failed to allocate xauth state\n"); 1545 return -1; 1546 } 1547 if ((cur_rmconf->xauth->login = vdup($2)) == NULL) { 1548 racoon_yyerror("failed to set identifer.\n"); 1549 return -1; 1550 } 1551 vfree($2); //%%% BUG FIX - memory leak 1552#else 1553 racoon_yyerror("racoon not configured with --enable-hybrid"); 1554#endif 1555 } 1556 EOS 1557 | PEERS_IDENTIFIER IDENTIFIERTYPE identifierstring 1558 { 1559 struct idspec *id; 1560 id = newidspec(); 1561 if (id == NULL) { 1562 racoon_yyerror("failed to allocate idspec"); 1563 return -1; 1564 } 1565 if (set_identifier(&id->id, $2, $3) != 0) { 1566 racoon_yyerror("failed to set identifer.\n"); 1567 racoon_free(id); 1568 vfree($3); //%%% BUG FIX - memory leak 1569 return -1; 1570 } 1571 vfree($3); //%%% BUG FIX - memory leak 1572 id->idtype = $2; 1573 genlist_append (cur_rmconf->idvl_p, id); 1574 } 1575 EOS 1576 | PEERS_IDENTIFIER IDENTIFIERTYPE IDENTIFIERQUAL identifierstring 1577 { 1578 struct idspec *id; 1579 id = newidspec(); 1580 if (id == NULL) { 1581 racoon_yyerror("failed to allocate idspec"); 1582 return -1; 1583 } 1584 if (set_identifier_qual(&id->id, $2, $4, $3) != 0) { 1585 racoon_yyerror("failed to set identifer.\n"); 1586 racoon_free(id); 1587 return -1; 1588 } 1589 id->idtype = $2; 1590 genlist_append (cur_rmconf->idvl_p, id); 1591 } 1592 EOS 1593 | VERIFY_IDENTIFIER SWITCH { cur_rmconf->verify_identifier = $2; } EOS 1594 | SHARED_SECRET SECRETTYPE QUOTEDSTRING 1595 { 1596 cur_rmconf->secrettype = $2; 1597 cur_rmconf->shared_secret = $3; 1598 } EOS 1599 | SHARED_SECRET SECRETTYPE 1600 { 1601 if ($2 != SECRETTYPE_KEYCHAIN_BY_ID) { 1602 racoon_yyerror("shared secret value missing.\n"); 1603 return -1; 1604 } 1605 cur_rmconf->secrettype = $2; 1606 } EOS 1607 | NONCE_SIZE NUMBER { cur_rmconf->nonce_size = $2; } EOS 1608 | DH_GROUP 1609 { 1610 racoon_yyerror("dh_group cannot be defined here."); 1611 return -1; 1612 } 1613 dh_group_num EOS 1614 | PASSIVE SWITCH { cur_rmconf->passive = $2; } EOS 1615 | IKE_FRAG SWITCH { cur_rmconf->ike_frag = $2; } EOS 1616 | IKE_FRAG REMOTE_FORCE_LEVEL { cur_rmconf->ike_frag = ISAKMP_FRAG_FORCE; } EOS 1617 | ESP_FRAG NUMBER { 1618#ifdef SADB_X_EXT_NAT_T_FRAG 1619 if (libipsec_opt & LIBIPSEC_OPT_FRAG) 1620 cur_rmconf->esp_frag = $2; 1621 else 1622 racoon_yywarn("libipsec lacks IKE frag support"); 1623#else 1624 racoon_yywarn("Your kernel does not support esp_frag"); 1625#endif 1626 } EOS 1627 | MODE_CFG SWITCH { cur_rmconf->mode_cfg = $2; } EOS 1628 | WEAK_PHASE1_CHECK SWITCH { 1629 cur_rmconf->weak_phase1_check = $2; 1630 } EOS 1631 | EAP_TYPES { cur_rmconf->eap_types = NULL; } eap_types EOS 1632 | EAP_OPTIONS QUOTEDSTRING { 1633 vchar_t *options_path = $2; 1634 cur_rmconf->eap_options = NULL; 1635 if (options_path) { 1636 CFStringRef option_path_str = CFStringCreateWithCString(kCFAllocatorDefault, options_path->v, kCFStringEncodingASCII); 1637 if (option_path_str) { 1638 CFURLRef plist_url = CFURLCreateWithFileSystemPath(kCFAllocatorDefault, option_path_str, kCFURLPOSIXPathStyle, false); 1639 if (plist_url) { 1640 CFReadStreamRef read_stream = CFReadStreamCreateWithFile(kCFAllocatorDefault, plist_url); 1641 if (read_stream) { 1642 CFReadStreamOpen (read_stream); 1643 cur_rmconf->eap_options = CFPropertyListCreateWithStream(kCFAllocatorDefault, read_stream, 0, kCFPropertyListImmutable, NULL, NULL); 1644 CFRelease (read_stream); 1645 } 1646 CFRelease (plist_url); 1647 } else { 1648 racoon_yywarn("eap_options must contain a path to a property list"); 1649 } 1650 CFRelease(option_path_str); 1651 } else { 1652 racoon_yywarn("eap_options string could not be processed"); 1653 } 1654 vfree(options_path); 1655 } 1656 } EOS 1657 | GENERATE_POLICY SWITCH { cur_rmconf->gen_policy = $2; } EOS 1658 | GENERATE_POLICY GENERATE_LEVEL { cur_rmconf->gen_policy = $2; } EOS 1659 | SUPPORT_PROXY SWITCH { cur_rmconf->support_proxy = $2; } EOS 1660 | INITIAL_CONTACT SWITCH { cur_rmconf->ini_contact = $2; } EOS 1661 | NAT_TRAVERSAL SWITCH 1662 { 1663#ifdef ENABLE_NATT 1664 cur_rmconf->nat_traversal = $2; 1665#else 1666 racoon_yyerror("NAT-T support not compiled in."); 1667#endif 1668 } EOS 1669 | NAT_TRAVERSAL NAT_TRAVERSAL_LEVEL 1670 { 1671#ifdef ENABLE_NATT 1672 cur_rmconf->nat_traversal = $2; 1673#else 1674 racoon_yyerror("NAT-T support not compiled in."); 1675#endif 1676 } EOS 1677 | NAT_TRAVERSAL_MULTI_USER SWITCH 1678 { 1679#ifdef ENABLE_NATT 1680 cur_rmconf->natt_multiple_user = $2; 1681#else 1682 racoon_yyerror("NAT-T support not compiled in."); 1683#endif 1684 } EOS 1685 | NAT_TRAVERSAL_KEEPALIVE SWITCH 1686 { 1687#ifdef ENABLE_NATT 1688 cur_rmconf->natt_keepalive = $2; 1689#else 1690 racoon_yyerror("NAT-T support not compiled in."); 1691#endif 1692 } EOS 1693| DPD SWITCH 1694 { 1695#ifdef ENABLE_DPD 1696 cur_rmconf->dpd = $2; 1697#else 1698 racoon_yyerror("DPD support not compiled in."); 1699#endif 1700 } EOS 1701 | DPD_DELAY NUMBER 1702 { 1703#ifdef ENABLE_DPD 1704 cur_rmconf->dpd_interval = $2; 1705#else 1706 racoon_yyerror("DPD support not compiled in."); 1707#endif 1708 } 1709 EOS 1710 | DPD_RETRY NUMBER 1711 { 1712#ifdef ENABLE_DPD 1713 cur_rmconf->dpd_retry = $2; 1714#else 1715 racoon_yyerror("DPD support not compiled in."); 1716#endif 1717 } 1718 EOS 1719 | DPD_MAXFAIL NUMBER 1720 { 1721#ifdef ENABLE_DPD 1722 cur_rmconf->dpd_maxfails = $2; 1723#else 1724 racoon_yyerror("DPD support not compiled in."); 1725#endif 1726 } 1727 EOS 1728 | DPD_ALGORITHM dpd_algo_type 1729 { 1730#ifdef ENABLE_DPD 1731 cur_rmconf->dpd_algo = $2; 1732#else 1733 racoon_yyerror("DPD support not compiled in."); 1734#endif 1735 } 1736 EOS 1737 | DISCONNECT_ON_IDLE IDLE_TIMEOUT NUMBER IDLE_DIRECTION idle_dir_type 1738 { 1739 cur_rmconf->idle_timeout = $3; 1740 cur_rmconf->idle_timeout_dir = $5; 1741 } 1742 EOS 1743 | LIFETIME LIFETYPE_TIME NUMBER unittype_time 1744 { 1745 cur_rmconf->prhead->lifetime = $3 * $4; 1746 } 1747 EOS 1748 | PROPOSAL_CHECK PROPOSAL_CHECK_LEVEL { cur_rmconf->pcheck_level = $2; } EOS 1749 | LIFETIME LIFETYPE_BYTE NUMBER unittype_byte 1750 { 1751#if 1 1752 racoon_yyerror("byte lifetime support is deprecated in Phase 1"); 1753 return -1; 1754#else 1755 racoon_yywarn("the lifetime of bytes in phase 1 " 1756 "will be ignored at the moment."); 1757 cur_rmconf->prhead->lifebyte = fix_lifebyte($3 * $4); 1758 if (cur_rmconf->prhead->lifebyte == 0) 1759 return -1; 1760#endif 1761 } 1762 EOS 1763 | PROPOSAL 1764 { 1765 struct secprotospec *spspec; 1766 1767 spspec = newspspec(); 1768 if (spspec == NULL) 1769 return -1; 1770 insspspec(spspec, &cur_rmconf->prhead); 1771 } 1772 BOC isakmpproposal_specs EOC 1773 ; 1774exchange_types 1775 : /* nothing */ 1776 | exchange_types EXCHANGETYPE 1777 { 1778 struct etypes *new; 1779 new = racoon_malloc(sizeof(struct etypes)); 1780 if (new == NULL) { 1781 racoon_yyerror("failed to allocate etypes"); 1782 return -1; 1783 } 1784 new->type = $2; 1785 new->next = NULL; 1786 if (cur_rmconf->etypes == NULL) 1787 cur_rmconf->etypes = new; 1788 else { 1789 struct etypes *p; 1790 for (p = cur_rmconf->etypes; 1791 p->next != NULL; 1792 p = p->next) 1793 ; 1794 p->next = new; 1795 } 1796 } 1797 ; 1798eap_types 1799 : /* nothing */ 1800 | eap_types EAP_TYPE 1801 { 1802 struct etypes *new_eaps; 1803 new_eaps = racoon_malloc(sizeof(struct etypes)); 1804 if (new_eaps == NULL) { 1805 racoon_yyerror("failed to allocate etypes"); 1806 return -1; 1807 } 1808 new_eaps->type = $2; 1809 new_eaps->next = NULL; 1810 if (cur_rmconf->eap_types == NULL) 1811 cur_rmconf->eap_types = new_eaps; 1812 else { 1813 struct etypes *p; 1814 for (p = cur_rmconf->eap_types; 1815 p->next != NULL; 1816 p = p->next) 1817 ; 1818 p->next = new_eaps; 1819 } 1820 } 1821 ; 1822cert_spec 1823 : CERT_X509 IN_KEYCHAIN 1824 { 1825 cur_rmconf->certtype = $1; 1826 cur_rmconf->identity_in_keychain = 1; 1827 cur_rmconf->keychainCertRef = NULL; 1828 } 1829 EOS 1830 ; 1831 | CERT_X509 IN_KEYCHAIN QUOTEDSTRING 1832 { 1833 cur_rmconf->certtype = $1; 1834 cur_rmconf->identity_in_keychain = 1; 1835 cur_rmconf->keychainCertRef = $3; 1836 } 1837 EOS 1838 ; 1839dh_group_num 1840 : ALGORITHMTYPE 1841 { 1842 $$ = algtype2doi(algclass_isakmp_dh, $1); 1843 if ($$ == -1) { 1844 racoon_yyerror("must be DH group"); 1845 return -1; 1846 } 1847 switch ($$) 1848 { 1849 case OAKLEY_ATTR_GRP_DESC_MODP768: 1850 case OAKLEY_ATTR_GRP_DESC_MODP1024: 1851 case OAKLEY_ATTR_GRP_DESC_MODP1536: 1852 case OAKLEY_ATTR_GRP_DESC_MODP2048: 1853 case OAKLEY_ATTR_GRP_DESC_MODP3072: 1854 case OAKLEY_ATTR_GRP_DESC_MODP4096: 1855 case OAKLEY_ATTR_GRP_DESC_MODP6144: 1856 case OAKLEY_ATTR_GRP_DESC_MODP8192: 1857 break; 1858 default: 1859 racoon_yyerror("Invalid DH group specified"); 1860 return -1; 1861 break; 1862 } 1863 } 1864 | NUMBER 1865 { 1866 if (ARRAYLEN(num2dhgroup) > $1 && num2dhgroup[$1] != 0) { 1867 $$ = num2dhgroup[$1]; 1868 } else { 1869 racoon_yyerror("must be DH group"); 1870 $$ = 0; 1871 return -1; 1872 } 1873 switch ($$) 1874 { 1875 case OAKLEY_ATTR_GRP_DESC_MODP768: 1876 case OAKLEY_ATTR_GRP_DESC_MODP1024: 1877 case OAKLEY_ATTR_GRP_DESC_MODP1536: 1878 case OAKLEY_ATTR_GRP_DESC_MODP2048: 1879 case OAKLEY_ATTR_GRP_DESC_MODP3072: 1880 case OAKLEY_ATTR_GRP_DESC_MODP4096: 1881 case OAKLEY_ATTR_GRP_DESC_MODP6144: 1882 case OAKLEY_ATTR_GRP_DESC_MODP8192: 1883 break; 1884 default: 1885 racoon_yyerror("Invalid DH group specified"); 1886 return -1; 1887 break; 1888 } 1889 } 1890 ; 1891identifierstring 1892 : /* nothing */ { $$ = NULL; } 1893 | ADDRSTRING { $$ = $1; } 1894 | QUOTEDSTRING { $$ = $1; } 1895 ; 1896isakmpproposal_specs 1897 : /* nothing */ 1898 | isakmpproposal_specs isakmpproposal_spec 1899 ; 1900isakmpproposal_spec 1901 : STRENGTH 1902 { 1903 racoon_yyerror("strength directive is obsoleted."); 1904 } STRENGTHTYPE EOS 1905 | LIFETIME LIFETYPE_TIME NUMBER unittype_time 1906 { 1907 cur_rmconf->prhead->spspec->lifetime = $3 * $4; 1908 } 1909 EOS 1910 | LIFETIME LIFETYPE_BYTE NUMBER unittype_byte 1911 { 1912#if 1 1913 racoon_yyerror("byte lifetime support is deprecated"); 1914 return -1; 1915#else 1916 cur_rmconf->prhead->spspec->lifebyte = fix_lifebyte($3 * $4); 1917 if (cur_rmconf->prhead->spspec->lifebyte == 0) 1918 return -1; 1919#endif 1920 } 1921 EOS 1922 | DH_GROUP dh_group_num 1923 { 1924 cur_rmconf->prhead->spspec->algclass[algclass_isakmp_dh] = $2; 1925 } 1926 EOS 1927 | GSS_ID QUOTEDSTRING 1928 { 1929 if (cur_rmconf->prhead->spspec->vendorid != VENDORID_GSSAPI) { 1930 racoon_yyerror("wrong Vendor ID for gssapi_id"); 1931 return -1; 1932 } 1933 if (cur_rmconf->prhead->spspec->gssid != NULL) 1934 racoon_free(cur_rmconf->prhead->spspec->gssid); 1935 cur_rmconf->prhead->spspec->gssid = 1936 racoon_strdup($2->v); 1937 STRDUP_FATAL(cur_rmconf->prhead->spspec->gssid); 1938 } 1939 EOS 1940 | ALGORITHM_CLASS ALGORITHMTYPE keylength 1941 { 1942 int doi; 1943 int defklen; 1944 { 1945 doi = algtype2doi($1, $2); 1946 if (doi == -1) { 1947 racoon_yyerror("algorithm mismatched 1"); 1948 return -1; 1949 } 1950 } 1951 1952 switch ($1) { 1953 case algclass_isakmp_enc: 1954 /* reject suppressed algorithms */ 1955 cur_rmconf->prhead->spspec->algclass[algclass_isakmp_enc] = doi; 1956 defklen = default_keylen($1, $2); 1957 if (defklen == 0) { 1958 if ($3) { 1959 racoon_yyerror("keylen not allowed"); 1960 return -1; 1961 } 1962 } else { 1963 if ($3 && check_keylen($1, $2, $3) < 0) { 1964 racoon_yyerror("invalid keylen %d", $3); 1965 return -1; 1966 } 1967 } 1968 if ($3) 1969 cur_rmconf->prhead->spspec->encklen = $3; 1970 else 1971 cur_rmconf->prhead->spspec->encklen = defklen; 1972 break; 1973 case algclass_isakmp_hash: 1974 cur_rmconf->prhead->spspec->algclass[algclass_isakmp_hash] = doi; 1975 break; 1976 case algclass_isakmp_ameth: 1977 cur_rmconf->prhead->spspec->algclass[algclass_isakmp_ameth] = doi; 1978 /* 1979 * We may have to set the Vendor ID for the 1980 * authentication method we're using. 1981 */ 1982 switch ($2) { 1983 case algtype_gssapikrb: 1984 if (cur_rmconf->prhead->spspec->vendorid != 1985 VENDORID_UNKNOWN) { 1986 racoon_yyerror("Vendor ID mismatch " 1987 "for auth method"); 1988 return -1; 1989 } 1990 /* 1991 * For interoperability with Win2k, 1992 * we set the Vendor ID to "GSSAPI". 1993 */ 1994 cur_rmconf->prhead->spspec->vendorid = 1995 VENDORID_GSSAPI; 1996 break; 1997 default: 1998 break; 1999 } 2000 break; 2001 default: 2002 racoon_yyerror("algorithm mismatched 2"); 2003 return -1; 2004 } 2005 } 2006 EOS 2007 ; 2008 2009unittype_time 2010 : UNITTYPE_SEC { $$ = 1; } 2011 | UNITTYPE_MIN { $$ = 60; } 2012 | UNITTYPE_HOUR { $$ = (60 * 60); } 2013 ; 2014unittype_byte 2015 : UNITTYPE_BYTE { $$ = 1; } 2016 | UNITTYPE_KBYTES { $$ = 1024; } 2017 | UNITTYPE_MBYTES { $$ = (1024 * 1024); } 2018 | UNITTYPE_TBYTES { $$ = (1024 * 1024 * 1024); } 2019 ; 2020dpd_algo_type 2021 : DPD_ALGO_TYPE_DEFAULT { $$ = DPD_ALGO_DEFAULT; } 2022 | DPD_ALGO_TYPE_INBOUND { $$ = DPD_ALGO_INBOUND_DETECT; } 2023 | DPD_ALGO_TYPE_BLACKHOLE { $$ = DPD_ALGO_BLACKHOLE_DETECT; } 2024 ; 2025idle_dir_type 2026 : IDLE_DIRECTION_ANY { $$ = IPSEC_DIR_ANY; } 2027 | IDLE_DIRECTION_IN { $$ = IPSEC_DIR_INBOUND; } 2028 | IDLE_DIRECTION_OUT { $$ = IPSEC_DIR_OUTBOUND; } 2029 ; 2030%% 2031 2032static struct proposalspec * 2033newprspec() 2034{ 2035 struct proposalspec *new; 2036 2037 new = racoon_calloc(1, sizeof(*new)); 2038 if (new == NULL) 2039 racoon_yyerror("failed to allocate proposal"); 2040 2041 return new; 2042} 2043 2044/* 2045 * insert into head of list. 2046 */ 2047static void 2048insprspec(prspec, head) 2049 struct proposalspec *prspec; 2050 struct proposalspec **head; 2051{ 2052 if (*head != NULL) 2053 (*head)->prev = prspec; 2054 prspec->next = *head; 2055 *head = prspec; 2056} 2057 2058static struct secprotospec * 2059newspspec() 2060{ 2061 struct secprotospec *new; 2062 2063 new = racoon_calloc(1, sizeof(*new)); 2064 if (new == NULL) { 2065 racoon_yyerror("failed to allocate spproto"); 2066 return NULL; 2067 } 2068 2069 new->encklen = 0; /*XXX*/ 2070 2071 /* 2072 * Default to "uknown" vendor -- we will override this 2073 * as necessary. When we send a Vendor ID payload, an 2074 * "unknown" will be translated to a KAME/racoon ID. 2075 */ 2076 new->vendorid = VENDORID_UNKNOWN; 2077 2078 return new; 2079} 2080 2081/* 2082 * insert into head of list. 2083 */ 2084static void 2085insspspec(spspec, head) 2086 struct secprotospec *spspec; 2087 struct proposalspec **head; 2088{ 2089 spspec->back = *head; 2090 2091 if ((*head)->spspec != NULL) 2092 (*head)->spspec->prev = spspec; 2093 spspec->next = (*head)->spspec; 2094 (*head)->spspec = spspec; 2095} 2096 2097/* set final acceptable proposal */ 2098static int 2099set_isakmp_proposal(rmconf, prspec) 2100 struct remoteconf *rmconf; 2101 struct proposalspec *prspec; 2102{ 2103 struct proposalspec *p; 2104 struct secprotospec *s; 2105 int prop_no = 1; 2106 int trns_no = 1; 2107 int32_t types[MAXALGCLASS]; 2108 2109 p = prspec; 2110 if (p->next != 0) { 2111 plog(ASL_LEVEL_ERR, 2112 "multiple proposal definition.\n"); 2113 return -1; 2114 } 2115 2116 /* mandatory check */ 2117 if (p->spspec == NULL) { 2118 racoon_yyerror("no remote specification found: %s.\n", 2119 saddr2str((struct sockaddr *)rmconf->remote)); 2120 return -1; 2121 } 2122 for (s = p->spspec; s != NULL; s = s->next) { 2123 /* XXX need more to check */ 2124 if (s->algclass[algclass_isakmp_enc] == 0) { 2125 racoon_yyerror("encryption algorithm required."); 2126 return -1; 2127 } 2128 if (s->algclass[algclass_isakmp_hash] == 0) { 2129 racoon_yyerror("hash algorithm required."); 2130 return -1; 2131 } 2132 if (s->algclass[algclass_isakmp_dh] == 0) { 2133 racoon_yyerror("DH group required."); 2134 return -1; 2135 } 2136 if (s->algclass[algclass_isakmp_ameth] == 0) { 2137 racoon_yyerror("authentication method required."); 2138 return -1; 2139 } 2140 } 2141 2142 /* skip to last part */ 2143 for (s = p->spspec; s->next != NULL; s = s->next) 2144 ; 2145 2146 while (s != NULL) { 2147 plog(ASL_LEVEL_DEBUG, 2148 "lifetime = %ld\n", (long) 2149 (s->lifetime ? s->lifetime : p->lifetime)); 2150 plog(ASL_LEVEL_DEBUG, 2151 "lifebyte = %d\n", 2152 s->lifebyte ? s->lifebyte : p->lifebyte); 2153 plog(ASL_LEVEL_DEBUG, 2154 "encklen=%d\n", s->encklen); 2155 2156 memset(types, 0, ARRAYLEN(types)); 2157 types[algclass_isakmp_enc] = s->algclass[algclass_isakmp_enc]; 2158 types[algclass_isakmp_hash] = s->algclass[algclass_isakmp_hash]; 2159 types[algclass_isakmp_dh] = s->algclass[algclass_isakmp_dh]; 2160 types[algclass_isakmp_ameth] = 2161 s->algclass[algclass_isakmp_ameth]; 2162 2163 /* expanding spspec */ 2164 clean_tmpalgtype(); 2165 trns_no = expand_isakmpspec(prop_no, trns_no, types, 2166 algclass_isakmp_enc, algclass_isakmp_ameth + 1, 2167 s->lifetime ? s->lifetime : p->lifetime, 2168 s->lifebyte ? s->lifebyte : p->lifebyte, 2169 s->encklen, s->vendorid, s->gssid, 2170 rmconf); 2171 if (trns_no == -1) { 2172 plog(ASL_LEVEL_ERR, 2173 "failed to expand isakmp proposal.\n"); 2174 return -1; 2175 } 2176 2177 s = s->prev; 2178 } 2179 2180 if (rmconf->proposal == NULL) { 2181 plog(ASL_LEVEL_ERR, 2182 "no proposal found.\n"); 2183 return -1; 2184 } 2185 2186 return 0; 2187} 2188 2189static void 2190clean_tmpalgtype() 2191{ 2192 int i; 2193 for (i = 0; i < MAXALGCLASS; i++) 2194 tmpalgtype[i] = 0; /* means algorithm undefined. */ 2195} 2196 2197static int 2198expand_isakmpspec(prop_no, trns_no, types, 2199 class, last, lifetime, lifebyte, encklen, vendorid, gssid, 2200 rmconf) 2201 int prop_no, trns_no; 2202 int *types, class, last; 2203 time_t lifetime; 2204 int lifebyte; 2205 int encklen; 2206 int vendorid; 2207 char *gssid; 2208 struct remoteconf *rmconf; 2209{ 2210 struct isakmpsa *new; 2211 2212 /* debugging */ 2213 { 2214 int j; 2215 char tb[10]; 2216 plog(ASL_LEVEL_DEBUG, 2217 "p:%d t:%d\n", prop_no, trns_no); 2218 for (j = class; j < MAXALGCLASS; j++) { 2219 snprintf(tb, sizeof(tb), "%d", types[j]); 2220 plog(ASL_LEVEL_DEBUG, 2221 "%s%s%s%s\n", 2222 s_algtype(j, types[j]), 2223 types[j] ? "(" : "", 2224 tb[0] == '0' ? "" : tb, 2225 types[j] ? ")" : ""); 2226 } 2227 plog(ASL_LEVEL_DEBUG, "\n"); 2228 } 2229 2230#define TMPALGTYPE2STR(n) \ 2231 s_algtype(algclass_isakmp_##n, types[algclass_isakmp_##n]) 2232 /* check mandatory values */ 2233 if (types[algclass_isakmp_enc] == 0 2234 || types[algclass_isakmp_ameth] == 0 2235 || types[algclass_isakmp_dh] == 0) { 2236 racoon_yyerror("few definition of algorithm " 2237 "enc=%s ameth=%s hash=%s dhgroup=%s.\n", 2238 TMPALGTYPE2STR(enc), 2239 TMPALGTYPE2STR(ameth), 2240 TMPALGTYPE2STR(hash), 2241 TMPALGTYPE2STR(dh)); 2242 return -1; 2243 } 2244#undef TMPALGTYPE2STR 2245 2246 /* set new sa */ 2247 new = newisakmpsa(); 2248 if (new == NULL) { 2249 racoon_yyerror("failed to allocate isakmp sa"); 2250 return -1; 2251 } 2252 new->prop_no = prop_no; 2253 new->trns_no = trns_no++; 2254 new->lifetime = lifetime; 2255 new->lifebyte = lifebyte; 2256 new->enctype = types[algclass_isakmp_enc]; 2257 new->encklen = encklen; 2258 new->authmethod = types[algclass_isakmp_ameth]; 2259 new->hashtype = types[algclass_isakmp_hash]; 2260 new->prf = types[algclass_isakmp_hash]; 2261 new->dh_group = types[algclass_isakmp_dh]; 2262 new->vendorid = vendorid; 2263 insisakmpsa(new, rmconf); 2264 2265 return trns_no; 2266} 2267 2268static int 2269listen_addr (struct sockaddr_storage *addr, int udp_encap) 2270{ 2271 struct myaddrs *p; 2272 2273 p = newmyaddr(); 2274 if (p == NULL) { 2275 racoon_yyerror("failed to allocate myaddrs"); 2276 return -1; 2277 } 2278 p->addr = addr; 2279 if (p->addr == NULL) { 2280 racoon_yyerror("failed to copy sockaddr_storage "); 2281 delmyaddr(p); 2282 return -1; 2283 } 2284 p->udp_encap = udp_encap; 2285 /* These need to be initialized for Apple modifications 2286 * to open code for isakmp sockets 2287 */ 2288 p->sock = -1; 2289 p->in_use = 1; 2290 2291 insmyaddr(p, &lcconf->myaddrs); 2292 2293 lcconf->autograbaddr = 0; 2294 return 0; 2295} 2296 2297#if 0 2298/* 2299 * fix lifebyte. 2300 * Must be more than 1024B because its unit is kilobytes. 2301 * That is defined RFC2407. 2302 */ 2303static int 2304fix_lifebyte(t) 2305 unsigned long t; 2306{ 2307 if (t < 1024) { 2308 racoon_yyerror("byte size should be more than 1024B."); 2309 return 0; 2310 } 2311 2312 return(t / 1024); 2313} 2314#endif 2315 2316int 2317cfparse() 2318{ 2319 int error; 2320 2321 plog(ASL_LEVEL_DEBUG, "===== parsing configuration\n"); 2322 2323 yycf_init_buffer(); 2324 2325 if (yycf_switch_buffer(lcconf->racoon_conf) != 0) { 2326 IPSECCONFIGTRACEREVENT(CONSTSTR(lcconf->racoon_conf), 2327 IPSECCONFIGEVENTCODE_PARSE_ERROR, 2328 CONSTSTR("could not read configuration file"), 2329 CONSTSTR("cfparse: yycf_switch_buffer erred")); 2330 plog(ASL_LEVEL_ERR, 2331 "could not read configuration file \"%s\"\n", 2332 lcconf->racoon_conf); 2333 return -1; 2334 } 2335 2336 error = yyparse(); 2337 if (error != 0) { 2338 if (yyerrorcount) { 2339 plog(ASL_LEVEL_ERR, 2340 "fatal parse failure (%d errors)\n", 2341 yyerrorcount); 2342 } else { 2343 plog(ASL_LEVEL_ERR, 2344 "fatal parse failure.\n"); 2345 } 2346 IPSECCONFIGTRACEREVENT(CONSTSTR(lcconf->racoon_conf), 2347 IPSECCONFIGEVENTCODE_PARSE_ERROR, 2348 CONSTSTR("fatal parse failure"), 2349 CONSTSTR("cfparse: yyparse erred")); 2350 yycf_clean_buffer(); 2351 return -1; 2352 } 2353 2354 if (error == 0 && yyerrorcount) { 2355 plog(ASL_LEVEL_ERR, 2356 "parse error is nothing, but yyerrorcount is %d.\n", 2357 yyerrorcount); 2358 IPSECCONFIGTRACEREVENT(CONSTSTR(lcconf->racoon_conf), 2359 IPSECCONFIGEVENTCODE_PARSE_ERROR, 2360 CONSTSTR("ambivalent error code"), 2361 CONSTSTR("cfparse: error == 0 && yerrorcount")); 2362 yycf_clean_buffer(); 2363 exit(1); 2364 } 2365 2366 yycf_clean_buffer(); 2367 2368 plog(ASL_LEVEL_DEBUG, "parse succeeded.\n"); 2369 2370 return 0; 2371} 2372 2373int 2374cfreparse(int sig) 2375{ 2376 int result; 2377 int ignore_estab_or_assert_handles = (sig == SIGUSR1); 2378 2379 if (sig >= 0 && sig < NSIG) { 2380 plog(ASL_LEVEL_DEBUG, "==== Got %s signal - re-parsing configuration.\n", sys_signame[sig]); 2381 } else { 2382 plog(ASL_LEVEL_ERR, "==== Got Unknown signal - re-parsing configuration.\n"); 2383 IPSECCONFIGTRACEREVENT(CONSTSTR("reparse"), 2384 IPSECCONFIGEVENTCODE_REPARSE_ERROR, 2385 CONSTSTR("Unknown signal"), 2386 CONSTSTR("cfreparse: triggered by unknown signal")); 2387 } 2388 plog(ASL_LEVEL_DEBUG, "==== %s sessions.\n", ignore_estab_or_assert_handles? "flush negotiating" : "flush all"); 2389 2390 ike_session_flush_all_phase2(ignore_estab_or_assert_handles); 2391 ike_session_flush_all_phase1(ignore_estab_or_assert_handles); 2392 flushrmconf(); 2393 flushsainfo(); 2394 check_auto_exit(); /* check/change state of auto exit */ 2395 clean_tmpalgtype(); 2396 savelcconf(); 2397 result = cfparse(); 2398 restorelcconf(); 2399 return result; 2400} 2401 2402 2403