parse.y revision 1.152
1/* $OpenBSD: parse.y,v 1.152 2011/12/20 13:27:51 mikeb Exp $ */ 2 3/* 4 * Copyright (c) 2002, 2003, 2004 Henning Brauer <henning@openbsd.org> 5 * Copyright (c) 2001 Markus Friedl. All rights reserved. 6 * Copyright (c) 2001 Daniel Hartmeier. All rights reserved. 7 * Copyright (c) 2001 Theo de Raadt. All rights reserved. 8 * Copyright (c) 2004, 2005 Hans-Joerg Hoexer <hshoexer@openbsd.org> 9 * 10 * Permission to use, copy, modify, and distribute this software for any 11 * purpose with or without fee is hereby granted, provided that the above 12 * copyright notice and this permission notice appear in all copies. 13 * 14 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 15 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 16 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 17 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 18 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 19 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 20 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 21 */ 22 23%{ 24#include <sys/types.h> 25#include <sys/ioctl.h> 26#include <sys/queue.h> 27#include <sys/socket.h> 28#include <sys/stat.h> 29#include <net/if.h> 30#include <netinet/in.h> 31#include <netinet/ip_ipsp.h> 32#include <arpa/inet.h> 33 34#include <ctype.h> 35#include <err.h> 36#include <errno.h> 37#include <fcntl.h> 38#include <ifaddrs.h> 39#include <limits.h> 40#include <netdb.h> 41#include <stdarg.h> 42#include <stdio.h> 43#include <string.h> 44#include <syslog.h> 45#include <unistd.h> 46#include <netdb.h> 47 48#include "ipsecctl.h" 49 50TAILQ_HEAD(files, file) files = TAILQ_HEAD_INITIALIZER(files); 51static struct file { 52 TAILQ_ENTRY(file) entry; 53 FILE *stream; 54 char *name; 55 int lineno; 56 int errors; 57} *file; 58struct file *pushfile(const char *, int); 59int popfile(void); 60int check_file_secrecy(int, const char *); 61int yyparse(void); 62int yylex(void); 63int yyerror(const char *, ...); 64int yywarn(const char *, ...); 65int kw_cmp(const void *, const void *); 66int lookup(char *); 67int lgetc(int); 68int lungetc(int); 69int findeol(void); 70 71TAILQ_HEAD(symhead, sym) symhead = TAILQ_HEAD_INITIALIZER(symhead); 72struct sym { 73 TAILQ_ENTRY(sym) entry; 74 int used; 75 int persist; 76 char *nam; 77 char *val; 78}; 79int symset(const char *, const char *, int); 80char *symget(const char *); 81int cmdline_symset(char *); 82 83#define KEYSIZE_LIMIT 1024 84 85static struct ipsecctl *ipsec = NULL; 86static int debug = 0; 87 88const struct ipsec_xf authxfs[] = { 89 { "unknown", AUTHXF_UNKNOWN, 0, 0 }, 90 { "none", AUTHXF_NONE, 0, 0 }, 91 { "hmac-md5", AUTHXF_HMAC_MD5, 16, 0 }, 92 { "hmac-ripemd160", AUTHXF_HMAC_RIPEMD160, 20, 0 }, 93 { "hmac-sha1", AUTHXF_HMAC_SHA1, 20, 0 }, 94 { "hmac-sha2-256", AUTHXF_HMAC_SHA2_256, 32, 0 }, 95 { "hmac-sha2-384", AUTHXF_HMAC_SHA2_384, 48, 0 }, 96 { "hmac-sha2-512", AUTHXF_HMAC_SHA2_512, 64, 0 }, 97 { NULL, 0, 0, 0 }, 98}; 99 100const struct ipsec_xf encxfs[] = { 101 { "unknown", ENCXF_UNKNOWN, 0, 0, 0 }, 102 { "none", ENCXF_NONE, 0, 0, 0 }, 103 { "3des-cbc", ENCXF_3DES_CBC, 24, 24, 0 }, 104 { "des-cbc", ENCXF_DES_CBC, 8, 8, 0 }, 105 { "aes", ENCXF_AES, 16, 32, 0 }, 106 { "aes-128", ENCXF_AES_128, 16, 16, 0 }, 107 { "aes-192", ENCXF_AES_192, 24, 24, 0 }, 108 { "aes-256", ENCXF_AES_256, 32, 32, 0 }, 109 { "aesctr", ENCXF_AESCTR, 16+4, 32+4, 0 }, 110 { "aes-128-gcm", ENCXF_AES_128_GCM, 16+4, 16+4, 1 }, 111 { "aes-192-gcm", ENCXF_AES_192_GCM, 24+4, 24+4, 1 }, 112 { "aes-256-gcm", ENCXF_AES_256_GCM, 32+4, 32+4, 1 }, 113 { "aes-128-gmac", ENCXF_AES_128_GMAC, 16+4, 16+4, 1 }, 114 { "aes-192-gmac", ENCXF_AES_192_GMAC, 24+4, 24+4, 1 }, 115 { "aes-256-gmac", ENCXF_AES_256_GMAC, 32+4, 32+4, 1 }, 116 { "blowfish", ENCXF_BLOWFISH, 5, 56, 0 }, 117 { "cast128", ENCXF_CAST128, 5, 16, 0 }, 118 { "null", ENCXF_NULL, 0, 0, 0 }, 119 { NULL, 0, 0, 0, 0 }, 120}; 121 122const struct ipsec_xf compxfs[] = { 123 { "unknown", COMPXF_UNKNOWN, 0, 0 }, 124 { "deflate", COMPXF_DEFLATE, 0, 0 }, 125 { "lzs", COMPXF_LZS, 0, 0 }, 126 { NULL, 0, 0, 0 }, 127}; 128 129const struct ipsec_xf groupxfs[] = { 130 { "unknown", GROUPXF_UNKNOWN, 0, 0 }, 131 { "none", GROUPXF_NONE, 0, 0 }, 132 { "modp768", GROUPXF_768, 768, 0 }, 133 { "grp1", GROUPXF_768, 768, 0 }, 134 { "modp1024", GROUPXF_1024, 1024, 0 }, 135 { "grp2", GROUPXF_1024, 1024, 0 }, 136 { "modp1536", GROUPXF_1536, 1536, 0 }, 137 { "grp5", GROUPXF_1536, 1536, 0 }, 138 { "modp2048", GROUPXF_2048, 2048, 0 }, 139 { "grp14", GROUPXF_2048, 2048, 0 }, 140 { "modp3072", GROUPXF_3072, 3072, 0 }, 141 { "grp15", GROUPXF_3072, 3072, 0 }, 142 { "modp4096", GROUPXF_4096, 4096, 0 }, 143 { "grp16", GROUPXF_4096, 4096, 0 }, 144 { "modp6144", GROUPXF_6144, 6144, 0 }, 145 { "grp17", GROUPXF_6144, 6144, 0 }, 146 { "modp8192", GROUPXF_8192, 8192, 0 }, 147 { "grp18", GROUPXF_8192, 8192, 0 }, 148 { NULL, 0, 0, 0 }, 149}; 150 151int atoul(char *, u_long *); 152int atospi(char *, u_int32_t *); 153u_int8_t x2i(unsigned char *); 154struct ipsec_key *parsekey(unsigned char *, size_t); 155struct ipsec_key *parsekeyfile(char *); 156struct ipsec_addr_wrap *host(const char *); 157struct ipsec_addr_wrap *host_v6(const char *, int); 158struct ipsec_addr_wrap *host_v4(const char *, int); 159struct ipsec_addr_wrap *host_dns(const char *, int); 160struct ipsec_addr_wrap *host_if(const char *, int); 161struct ipsec_addr_wrap *host_any(void); 162void ifa_load(void); 163int ifa_exists(const char *); 164struct ipsec_addr_wrap *ifa_lookup(const char *ifa_name); 165struct ipsec_addr_wrap *ifa_grouplookup(const char *); 166void set_ipmask(struct ipsec_addr_wrap *, u_int8_t); 167const struct ipsec_xf *parse_xf(const char *, const struct ipsec_xf *); 168struct ipsec_life *parse_life(int); 169struct ipsec_transforms *copytransforms(const struct ipsec_transforms *); 170struct ipsec_life *copylife(const struct ipsec_life *); 171struct ipsec_auth *copyipsecauth(const struct ipsec_auth *); 172struct ike_auth *copyikeauth(const struct ike_auth *); 173struct ipsec_key *copykey(struct ipsec_key *); 174struct ipsec_addr_wrap *copyhost(const struct ipsec_addr_wrap *); 175char *copytag(const char *); 176struct ipsec_rule *copyrule(struct ipsec_rule *); 177int validate_af(struct ipsec_addr_wrap *, 178 struct ipsec_addr_wrap *); 179int validate_sa(u_int32_t, u_int8_t, 180 struct ipsec_transforms *, struct ipsec_key *, 181 struct ipsec_key *, u_int8_t); 182struct ipsec_rule *create_sa(u_int8_t, u_int8_t, struct ipsec_hosts *, 183 u_int32_t, struct ipsec_transforms *, 184 struct ipsec_key *, struct ipsec_key *); 185struct ipsec_rule *reverse_sa(struct ipsec_rule *, u_int32_t, 186 struct ipsec_key *, struct ipsec_key *); 187struct ipsec_rule *create_sagroup(struct ipsec_addr_wrap *, u_int8_t, 188 u_int32_t, struct ipsec_addr_wrap *, u_int8_t, 189 u_int32_t); 190struct ipsec_rule *create_flow(u_int8_t, u_int8_t, struct ipsec_hosts *, 191 u_int8_t, char *, char *, u_int8_t); 192int set_rule_peers(struct ipsec_rule *r, 193 struct ipsec_hosts *peers); 194void expand_any(struct ipsec_addr_wrap *); 195int expand_rule(struct ipsec_rule *, struct ipsec_hosts *, 196 u_int8_t, u_int32_t, struct ipsec_key *, 197 struct ipsec_key *, int); 198struct ipsec_rule *reverse_rule(struct ipsec_rule *); 199struct ipsec_rule *create_ike(u_int8_t, struct ipsec_hosts *, 200 struct ike_mode *, struct ike_mode *, u_int8_t, 201 u_int8_t, u_int8_t, char *, char *, 202 struct ike_auth *, char *); 203int add_sagroup(struct ipsec_rule *); 204int get_id_type(char *); 205 206struct ipsec_transforms *ipsec_transforms; 207 208typedef struct { 209 union { 210 int64_t number; 211 u_int8_t ikemode; 212 u_int8_t dir; 213 u_int8_t satype; /* encapsulating prococol */ 214 u_int8_t proto; /* encapsulated protocol */ 215 u_int8_t tmode; 216 char *string; 217 u_int16_t port; 218 struct ipsec_hosts hosts; 219 struct ipsec_hosts peers; 220 struct ipsec_addr_wrap *anyhost; 221 struct ipsec_addr_wrap *singlehost; 222 struct ipsec_addr_wrap *host; 223 struct { 224 char *srcid; 225 char *dstid; 226 } ids; 227 char *id; 228 u_int8_t type; 229 struct ike_auth ikeauth; 230 struct { 231 u_int32_t spiout; 232 u_int32_t spiin; 233 } spis; 234 struct { 235 struct ipsec_key *keyout; 236 struct ipsec_key *keyin; 237 } authkeys; 238 struct { 239 struct ipsec_key *keyout; 240 struct ipsec_key *keyin; 241 } enckeys; 242 struct { 243 struct ipsec_key *keyout; 244 struct ipsec_key *keyin; 245 } keys; 246 struct ipsec_transforms *transforms; 247 struct ipsec_life *life; 248 struct ike_mode *mode; 249 } v; 250 int lineno; 251} YYSTYPE; 252 253%} 254 255%token FLOW FROM ESP AH IN PEER ON OUT TO SRCID DSTID RSA PSK TCPMD5 SPI 256%token AUTHKEY ENCKEY FILENAME AUTHXF ENCXF ERROR IKE MAIN QUICK AGGRESSIVE 257%token PASSIVE ACTIVE ANY IPIP IPCOMP COMPXF TUNNEL TRANSPORT DYNAMIC LIFE 258%token TYPE DENY BYPASS LOCAL PROTO USE ACQUIRE REQUIRE DONTACQ GROUP PORT TAG 259%token INCLUDE 260%token <v.string> STRING 261%token <v.number> NUMBER 262%type <v.string> string 263%type <v.dir> dir 264%type <v.satype> satype 265%type <v.proto> proto 266%type <v.number> protoval 267%type <v.tmode> tmode 268%type <v.hosts> hosts 269%type <v.port> port 270%type <v.number> portval 271%type <v.peers> peers 272%type <v.anyhost> anyhost 273%type <v.singlehost> singlehost 274%type <v.host> host host_list host_spec 275%type <v.ids> ids 276%type <v.id> id 277%type <v.spis> spispec 278%type <v.authkeys> authkeyspec 279%type <v.enckeys> enckeyspec 280%type <v.keys> keyspec 281%type <v.transforms> transforms 282%type <v.ikemode> ikemode 283%type <v.ikeauth> ikeauth 284%type <v.type> type 285%type <v.life> life 286%type <v.mode> phase1mode phase2mode 287%type <v.string> tag 288%% 289 290grammar : /* empty */ 291 | grammar include '\n' 292 | grammar '\n' 293 | grammar ikerule '\n' 294 | grammar flowrule '\n' 295 | grammar sarule '\n' 296 | grammar tcpmd5rule '\n' 297 | grammar varset '\n' 298 | grammar error '\n' { file->errors++; } 299 ; 300 301comma : ',' 302 | /* empty */ 303 ; 304 305include : INCLUDE STRING { 306 struct file *nfile; 307 308 if ((nfile = pushfile($2, 0)) == NULL) { 309 yyerror("failed to include file %s", $2); 310 free($2); 311 YYERROR; 312 } 313 free($2); 314 315 file = nfile; 316 lungetc('\n'); 317 } 318 ; 319 320tcpmd5rule : TCPMD5 hosts spispec authkeyspec { 321 struct ipsec_rule *r; 322 323 r = create_sa(IPSEC_TCPMD5, IPSEC_TRANSPORT, &$2, 324 $3.spiout, NULL, $4.keyout, NULL); 325 if (r == NULL) 326 YYERROR; 327 328 if (expand_rule(r, NULL, 0, $3.spiin, $4.keyin, NULL, 329 0)) 330 errx(1, "tcpmd5rule: expand_rule"); 331 } 332 ; 333 334sarule : satype tmode hosts spispec transforms authkeyspec 335 enckeyspec { 336 struct ipsec_rule *r; 337 338 r = create_sa($1, $2, &$3, $4.spiout, $5, $6.keyout, 339 $7.keyout); 340 if (r == NULL) 341 YYERROR; 342 343 if (expand_rule(r, NULL, 0, $4.spiin, $6.keyin, 344 $7.keyin, 1)) 345 errx(1, "sarule: expand_rule"); 346 } 347 ; 348 349flowrule : FLOW satype dir proto hosts peers ids type { 350 struct ipsec_rule *r; 351 352 r = create_flow($3, $4, &$5, $2, $7.srcid, 353 $7.dstid, $8); 354 if (r == NULL) 355 YYERROR; 356 357 if (expand_rule(r, &$6, $3, 0, NULL, NULL, 0)) 358 errx(1, "flowrule: expand_rule"); 359 } 360 ; 361 362ikerule : IKE ikemode satype tmode proto hosts peers 363 phase1mode phase2mode ids ikeauth tag { 364 struct ipsec_rule *r; 365 366 r = create_ike($5, &$6, $8, $9, $3, $4, $2, 367 $10.srcid, $10.dstid, &$11, $12); 368 if (r == NULL) 369 YYERROR; 370 371 if (expand_rule(r, &$7, 0, 0, NULL, NULL, 0)) 372 errx(1, "ikerule: expand_rule"); 373 } 374 ; 375 376satype : /* empty */ { $$ = IPSEC_ESP; } 377 | ESP { $$ = IPSEC_ESP; } 378 | AH { $$ = IPSEC_AH; } 379 | IPCOMP { $$ = IPSEC_IPCOMP; } 380 | IPIP { $$ = IPSEC_IPIP; } 381 ; 382 383proto : /* empty */ { $$ = 0; } 384 | PROTO protoval { $$ = $2; } 385 | PROTO ESP { $$ = IPPROTO_ESP; } 386 | PROTO AH { $$ = IPPROTO_AH; } 387 ; 388 389protoval : STRING { 390 struct protoent *p; 391 392 p = getprotobyname($1); 393 if (p == NULL) { 394 yyerror("unknown protocol: %s", $1); 395 YYERROR; 396 } 397 $$ = p->p_proto; 398 free($1); 399 } 400 | NUMBER { 401 if ($1 > 255 || $1 < 0) { 402 yyerror("protocol outside range"); 403 YYERROR; 404 } 405 } 406 ; 407 408tmode : /* empty */ { $$ = IPSEC_TUNNEL; } 409 | TUNNEL { $$ = IPSEC_TUNNEL; } 410 | TRANSPORT { $$ = IPSEC_TRANSPORT; } 411 ; 412 413dir : /* empty */ { $$ = IPSEC_INOUT; } 414 | IN { $$ = IPSEC_IN; } 415 | OUT { $$ = IPSEC_OUT; } 416 ; 417 418hosts : FROM host port TO host port { 419 struct ipsec_addr_wrap *ipa; 420 for (ipa = $5; ipa; ipa = ipa->next) { 421 if (ipa->srcnat) { 422 yyerror("no flow NAT support for" 423 " destination network: %s", ipa->name); 424 YYERROR; 425 } 426 } 427 $$.src = $2; 428 $$.sport = $3; 429 $$.dst = $5; 430 $$.dport = $6; 431 } 432 | TO host port FROM host port { 433 struct ipsec_addr_wrap *ipa; 434 for (ipa = $2; ipa; ipa = ipa->next) { 435 if (ipa->srcnat) { 436 yyerror("no flow NAT support for" 437 " destination network: %s", ipa->name); 438 YYERROR; 439 } 440 } 441 $$.src = $5; 442 $$.sport = $6; 443 $$.dst = $2; 444 $$.dport = $3; 445 } 446 ; 447 448port : /* empty */ { $$ = 0; } 449 | PORT portval { $$ = $2; } 450 ; 451 452portval : STRING { 453 struct servent *s; 454 455 if ((s = getservbyname($1, "tcp")) != NULL || 456 (s = getservbyname($1, "udp")) != NULL) { 457 $$ = s->s_port; 458 } else { 459 yyerror("unknown port: %s", $1); 460 YYERROR; 461 } 462 } 463 | NUMBER { 464 if ($1 > USHRT_MAX || $1 < 0) { 465 yyerror("port outside range"); 466 YYERROR; 467 } 468 $$ = htons($1); 469 } 470 ; 471 472peers : /* empty */ { 473 $$.dst = NULL; 474 $$.src = NULL; 475 } 476 | PEER anyhost LOCAL singlehost { 477 $$.dst = $2; 478 $$.src = $4; 479 } 480 | LOCAL singlehost PEER anyhost { 481 $$.dst = $4; 482 $$.src = $2; 483 } 484 | PEER anyhost { 485 $$.dst = $2; 486 $$.src = NULL; 487 } 488 | LOCAL singlehost { 489 $$.dst = NULL; 490 $$.src = $2; 491 } 492 ; 493 494anyhost : singlehost { $$ = $1; } 495 | ANY { 496 $$ = host_any(); 497 } 498 499singlehost : /* empty */ { $$ = NULL; } 500 | STRING { 501 if (($$ = host($1)) == NULL) { 502 free($1); 503 yyerror("could not parse host specification"); 504 YYERROR; 505 } 506 free($1); 507 } 508 ; 509 510host_list : host { $$ = $1; } 511 | host_list comma host { 512 if ($3 == NULL) 513 $$ = $1; 514 else if ($1 == NULL) 515 $$ = $3; 516 else { 517 $1->tail->next = $3; 518 $1->tail = $3->tail; 519 $$ = $1; 520 } 521 } 522 ; 523 524host_spec : STRING { 525 if (($$ = host($1)) == NULL) { 526 free($1); 527 yyerror("could not parse host specification"); 528 YYERROR; 529 } 530 free($1); 531 } 532 | STRING '/' NUMBER { 533 char *buf; 534 535 if (asprintf(&buf, "%s/%lld", $1, $3) == -1) 536 err(1, "host: asprintf"); 537 free($1); 538 if (($$ = host(buf)) == NULL) { 539 free(buf); 540 yyerror("could not parse host specification"); 541 YYERROR; 542 } 543 free(buf); 544 } 545 ; 546 547host : host_spec { $$ = $1; } 548 | host_spec '(' host_spec ')' { 549 if ($3->af != $1->af) { 550 yyerror("Flow NAT address family mismatch"); 551 YYERROR; 552 } 553 $$ = $1; 554 $$->srcnat = $3; 555 } 556 | ANY { 557 $$ = host_any(); 558 } 559 | '{' host_list '}' { $$ = $2; } 560 ; 561 562ids : /* empty */ { 563 $$.srcid = NULL; 564 $$.dstid = NULL; 565 } 566 | SRCID id DSTID id { 567 $$.srcid = $2; 568 $$.dstid = $4; 569 } 570 | SRCID id { 571 $$.srcid = $2; 572 $$.dstid = NULL; 573 } 574 | DSTID id { 575 $$.srcid = NULL; 576 $$.dstid = $2; 577 } 578 ; 579 580type : /* empty */ { 581 $$ = TYPE_UNKNOWN; 582 } 583 | TYPE USE { 584 $$ = TYPE_USE; 585 } 586 | TYPE ACQUIRE { 587 $$ = TYPE_ACQUIRE; 588 } 589 | TYPE REQUIRE { 590 $$ = TYPE_REQUIRE; 591 } 592 | TYPE DENY { 593 $$ = TYPE_DENY; 594 } 595 | TYPE BYPASS { 596 $$ = TYPE_BYPASS; 597 } 598 | TYPE DONTACQ { 599 $$ = TYPE_DONTACQ; 600 } 601 ; 602 603id : STRING { $$ = $1; } 604 ; 605 606spispec : SPI STRING { 607 u_int32_t spi; 608 char *p = strchr($2, ':'); 609 610 if (p != NULL) { 611 *p++ = 0; 612 613 if (atospi(p, &spi) == -1) { 614 free($2); 615 YYERROR; 616 } 617 $$.spiin = spi; 618 } else 619 $$.spiin = 0; 620 621 if (atospi($2, &spi) == -1) { 622 free($2); 623 YYERROR; 624 } 625 $$.spiout = spi; 626 627 628 free($2); 629 } 630 | SPI NUMBER { 631 if ($2 > UINT_MAX || $2 < 0) { 632 yyerror("%lld not a valid spi", $2); 633 YYERROR; 634 } 635 if ($2 >= SPI_RESERVED_MIN && $2 <= SPI_RESERVED_MAX) { 636 yyerror("%lld within reserved spi range", $2); 637 YYERROR; 638 } 639 640 $$.spiin = 0; 641 $$.spiout = $2; 642 } 643 ; 644 645transforms : { 646 if ((ipsec_transforms = calloc(1, 647 sizeof(struct ipsec_transforms))) == NULL) 648 err(1, "transforms: calloc"); 649 } 650 transforms_l 651 { $$ = ipsec_transforms; } 652 | /* empty */ { 653 if (($$ = calloc(1, 654 sizeof(struct ipsec_transforms))) == NULL) 655 err(1, "transforms: calloc"); 656 } 657 ; 658 659transforms_l : transforms_l transform 660 | transform 661 ; 662 663transform : AUTHXF STRING { 664 if (ipsec_transforms->authxf) 665 yyerror("auth already set"); 666 else { 667 ipsec_transforms->authxf = parse_xf($2, 668 authxfs); 669 if (!ipsec_transforms->authxf) 670 yyerror("%s not a valid transform", $2); 671 } 672 } 673 | ENCXF STRING { 674 if (ipsec_transforms->encxf) 675 yyerror("enc already set"); 676 else { 677 ipsec_transforms->encxf = parse_xf($2, encxfs); 678 if (!ipsec_transforms->encxf) 679 yyerror("%s not a valid transform", $2); 680 } 681 } 682 | COMPXF STRING { 683 if (ipsec_transforms->compxf) 684 yyerror("comp already set"); 685 else { 686 ipsec_transforms->compxf = parse_xf($2, 687 compxfs); 688 if (!ipsec_transforms->compxf) 689 yyerror("%s not a valid transform", $2); 690 } 691 } 692 | GROUP STRING { 693 if (ipsec_transforms->groupxf) 694 yyerror("group already set"); 695 else { 696 ipsec_transforms->groupxf = parse_xf($2, 697 groupxfs); 698 if (!ipsec_transforms->groupxf) 699 yyerror("%s not a valid transform", $2); 700 } 701 } 702 ; 703 704phase1mode : /* empty */ { 705 struct ike_mode *p1; 706 707 /* We create just an empty main mode */ 708 if ((p1 = calloc(1, sizeof(struct ike_mode))) == NULL) 709 err(1, "phase1mode: calloc"); 710 p1->ike_exch = IKE_MM; 711 $$ = p1; 712 } 713 | MAIN transforms life { 714 struct ike_mode *p1; 715 716 if ((p1 = calloc(1, sizeof(struct ike_mode))) == NULL) 717 err(1, "phase1mode: calloc"); 718 p1->xfs = $2; 719 p1->life = $3; 720 p1->ike_exch = IKE_MM; 721 $$ = p1; 722 } 723 | AGGRESSIVE transforms life { 724 struct ike_mode *p1; 725 726 if ((p1 = calloc(1, sizeof(struct ike_mode))) == NULL) 727 err(1, "phase1mode: calloc"); 728 p1->xfs = $2; 729 p1->life = $3; 730 p1->ike_exch = IKE_AM; 731 $$ = p1; 732 } 733 ; 734 735phase2mode : /* empty */ { 736 struct ike_mode *p2; 737 738 /* We create just an empty quick mode */ 739 if ((p2 = calloc(1, sizeof(struct ike_mode))) == NULL) 740 err(1, "phase1mode: calloc"); 741 p2->ike_exch = IKE_QM; 742 $$ = p2; 743 } 744 | QUICK transforms life { 745 struct ike_mode *p2; 746 747 if ((p2 = calloc(1, sizeof(struct ike_mode))) == NULL) 748 err(1, "phase1mode: calloc"); 749 p2->xfs = $2; 750 p2->life = $3; 751 p2->ike_exch = IKE_QM; 752 $$ = p2; 753 } 754 ; 755 756life : /* empty */ { 757 struct ipsec_life *life; 758 759 /* We create just an empty transform */ 760 if ((life = calloc(1, sizeof(struct ipsec_life))) 761 == NULL) 762 err(1, "life: calloc"); 763 life->lifetime = -1; 764 life->lifevolume = -1; 765 $$ = life; 766 } 767 | LIFE NUMBER { 768 if ($2 > INT_MAX || $2 < 0) { 769 yyerror("%lld not a valid lifetime", $2); 770 YYERROR; 771 } 772 $$ = parse_life($2); 773 } 774 ; 775 776authkeyspec : /* empty */ { 777 $$.keyout = NULL; 778 $$.keyin = NULL; 779 } 780 | AUTHKEY keyspec { 781 $$.keyout = $2.keyout; 782 $$.keyin = $2.keyin; 783 } 784 ; 785 786enckeyspec : /* empty */ { 787 $$.keyout = NULL; 788 $$.keyin = NULL; 789 } 790 | ENCKEY keyspec { 791 $$.keyout = $2.keyout; 792 $$.keyin = $2.keyin; 793 } 794 ; 795 796keyspec : STRING { 797 unsigned char *hex; 798 unsigned char *p = strchr($1, ':'); 799 800 if (p != NULL ) { 801 *p++ = 0; 802 803 if (!strncmp(p, "0x", 2)) 804 p += 2; 805 $$.keyin = parsekey(p, strlen(p)); 806 } else 807 $$.keyin = NULL; 808 809 hex = $1; 810 if (!strncmp(hex, "0x", 2)) 811 hex += 2; 812 $$.keyout = parsekey(hex, strlen(hex)); 813 814 free($1); 815 } 816 | FILENAME STRING { 817 unsigned char *p = strchr($2, ':'); 818 819 if (p != NULL) { 820 *p++ = 0; 821 $$.keyin = parsekeyfile(p); 822 } 823 $$.keyout = parsekeyfile($2); 824 free($2); 825 } 826 ; 827 828ikemode : /* empty */ { $$ = IKE_ACTIVE; } 829 | PASSIVE { $$ = IKE_PASSIVE; } 830 | DYNAMIC { $$ = IKE_DYNAMIC; } 831 | ACTIVE { $$ = IKE_ACTIVE; } 832 ; 833 834ikeauth : /* empty */ { 835 $$.type = IKE_AUTH_RSA; 836 $$.string = NULL; 837 } 838 | RSA { 839 $$.type = IKE_AUTH_RSA; 840 $$.string = NULL; 841 } 842 | PSK STRING { 843 $$.type = IKE_AUTH_PSK; 844 if (($$.string = strdup($2)) == NULL) 845 err(1, "ikeauth: strdup"); 846 } 847 ; 848 849tag : /* empty */ 850 { 851 $$ = NULL; 852 } 853 | TAG STRING 854 { 855 $$ = $2; 856 } 857 ; 858 859string : string STRING 860 { 861 if (asprintf(&$$, "%s %s", $1, $2) == -1) 862 err(1, "string: asprintf"); 863 free($1); 864 free($2); 865 } 866 | STRING 867 ; 868 869varset : STRING '=' string 870 { 871 if (ipsec->opts & IPSECCTL_OPT_VERBOSE) 872 printf("%s = \"%s\"\n", $1, $3); 873 if (symset($1, $3, 0) == -1) 874 err(1, "cannot store variable"); 875 free($1); 876 free($3); 877 } 878 ; 879 880%% 881 882struct keywords { 883 const char *k_name; 884 int k_val; 885}; 886 887int 888yyerror(const char *fmt, ...) 889{ 890 va_list ap; 891 892 file->errors++; 893 va_start(ap, fmt); 894 fprintf(stderr, "%s: %d: ", file->name, yylval.lineno); 895 vfprintf(stderr, fmt, ap); 896 fprintf(stderr, "\n"); 897 va_end(ap); 898 return (0); 899} 900 901int 902yywarn(const char *fmt, ...) 903{ 904 va_list ap; 905 906 va_start(ap, fmt); 907 fprintf(stderr, "%s: %d: ", file->name, yylval.lineno); 908 vfprintf(stderr, fmt, ap); 909 fprintf(stderr, "\n"); 910 va_end(ap); 911 return (0); 912} 913 914int 915kw_cmp(const void *k, const void *e) 916{ 917 return (strcmp(k, ((const struct keywords *)e)->k_name)); 918} 919 920int 921lookup(char *s) 922{ 923 /* this has to be sorted always */ 924 static const struct keywords keywords[] = { 925 { "acquire", ACQUIRE }, 926 { "active", ACTIVE }, 927 { "aggressive", AGGRESSIVE }, 928 { "ah", AH }, 929 { "any", ANY }, 930 { "auth", AUTHXF }, 931 { "authkey", AUTHKEY }, 932 { "bypass", BYPASS }, 933 { "comp", COMPXF }, 934 { "deny", DENY }, 935 { "dontacq", DONTACQ }, 936 { "dstid", DSTID }, 937 { "dynamic", DYNAMIC }, 938 { "enc", ENCXF }, 939 { "enckey", ENCKEY }, 940 { "esp", ESP }, 941 { "file", FILENAME }, 942 { "flow", FLOW }, 943 { "from", FROM }, 944 { "group", GROUP }, 945 { "ike", IKE }, 946 { "in", IN }, 947 { "include", INCLUDE }, 948 { "ipcomp", IPCOMP }, 949 { "ipip", IPIP }, 950 { "life", LIFE }, 951 { "local", LOCAL }, 952 { "main", MAIN }, 953 { "out", OUT }, 954 { "passive", PASSIVE }, 955 { "peer", PEER }, 956 { "port", PORT }, 957 { "proto", PROTO }, 958 { "psk", PSK }, 959 { "quick", QUICK }, 960 { "require", REQUIRE }, 961 { "rsa", RSA }, 962 { "spi", SPI }, 963 { "srcid", SRCID }, 964 { "tag", TAG }, 965 { "tcpmd5", TCPMD5 }, 966 { "to", TO }, 967 { "transport", TRANSPORT }, 968 { "tunnel", TUNNEL }, 969 { "type", TYPE }, 970 { "use", USE } 971 }; 972 const struct keywords *p; 973 974 p = bsearch(s, keywords, sizeof(keywords)/sizeof(keywords[0]), 975 sizeof(keywords[0]), kw_cmp); 976 977 if (p) { 978 if (debug > 1) 979 fprintf(stderr, "%s: %d\n", s, p->k_val); 980 return (p->k_val); 981 } else { 982 if (debug > 1) 983 fprintf(stderr, "string: %s\n", s); 984 return (STRING); 985 } 986} 987 988#define MAXPUSHBACK 128 989 990char *parsebuf; 991int parseindex; 992char pushback_buffer[MAXPUSHBACK]; 993int pushback_index = 0; 994 995int 996lgetc(int quotec) 997{ 998 int c, next; 999 1000 if (parsebuf) { 1001 /* Read character from the parsebuffer instead of input. */ 1002 if (parseindex >= 0) { 1003 c = parsebuf[parseindex++]; 1004 if (c != '\0') 1005 return (c); 1006 parsebuf = NULL; 1007 } else 1008 parseindex++; 1009 } 1010 1011 if (pushback_index) 1012 return (pushback_buffer[--pushback_index]); 1013 1014 if (quotec) { 1015 if ((c = getc(file->stream)) == EOF) { 1016 yyerror("reached end of file while parsing quoted string"); 1017 if (popfile() == EOF) 1018 return (EOF); 1019 return (quotec); 1020 } 1021 return (c); 1022 } 1023 1024 while ((c = getc(file->stream)) == '\\') { 1025 next = getc(file->stream); 1026 if (next != '\n') { 1027 c = next; 1028 break; 1029 } 1030 yylval.lineno = file->lineno; 1031 file->lineno++; 1032 } 1033 1034 while (c == EOF) { 1035 if (popfile() == EOF) 1036 return (EOF); 1037 c = getc(file->stream); 1038 } 1039 return (c); 1040} 1041 1042int 1043lungetc(int c) 1044{ 1045 if (c == EOF) 1046 return (EOF); 1047 if (parsebuf) { 1048 parseindex--; 1049 if (parseindex >= 0) 1050 return (c); 1051 } 1052 if (pushback_index < MAXPUSHBACK-1) 1053 return (pushback_buffer[pushback_index++] = c); 1054 else 1055 return (EOF); 1056} 1057 1058int 1059findeol(void) 1060{ 1061 int c; 1062 1063 parsebuf = NULL; 1064 1065 /* skip to either EOF or the first real EOL */ 1066 while (1) { 1067 if (pushback_index) 1068 c = pushback_buffer[--pushback_index]; 1069 else 1070 c = lgetc(0); 1071 if (c == '\n') { 1072 file->lineno++; 1073 break; 1074 } 1075 if (c == EOF) 1076 break; 1077 } 1078 return (ERROR); 1079} 1080 1081int 1082yylex(void) 1083{ 1084 char buf[8096]; 1085 char *p, *val; 1086 int quotec, next, c; 1087 int token; 1088 1089top: 1090 p = buf; 1091 while ((c = lgetc(0)) == ' ' || c == '\t') 1092 ; /* nothing */ 1093 1094 yylval.lineno = file->lineno; 1095 if (c == '#') 1096 while ((c = lgetc(0)) != '\n' && c != EOF) 1097 ; /* nothing */ 1098 if (c == '$' && parsebuf == NULL) { 1099 while (1) { 1100 if ((c = lgetc(0)) == EOF) 1101 return (0); 1102 1103 if (p + 1 >= buf + sizeof(buf) - 1) { 1104 yyerror("string too long"); 1105 return (findeol()); 1106 } 1107 if (isalnum(c) || c == '_') { 1108 *p++ = (char)c; 1109 continue; 1110 } 1111 *p = '\0'; 1112 lungetc(c); 1113 break; 1114 } 1115 val = symget(buf); 1116 if (val == NULL) { 1117 yyerror("macro '%s' not defined", buf); 1118 return (findeol()); 1119 } 1120 parsebuf = val; 1121 parseindex = 0; 1122 goto top; 1123 } 1124 1125 switch (c) { 1126 case '\'': 1127 case '"': 1128 quotec = c; 1129 while (1) { 1130 if ((c = lgetc(quotec)) == EOF) 1131 return (0); 1132 if (c == '\n') { 1133 file->lineno++; 1134 continue; 1135 } else if (c == '\\') { 1136 if ((next = lgetc(quotec)) == EOF) 1137 return (0); 1138 if (next == quotec || c == ' ' || c == '\t') 1139 c = next; 1140 else if (next == '\n') { 1141 file->lineno++; 1142 continue; 1143 } else 1144 lungetc(next); 1145 } else if (c == quotec) { 1146 *p = '\0'; 1147 break; 1148 } 1149 if (p + 1 >= buf + sizeof(buf) - 1) { 1150 yyerror("string too long"); 1151 return (findeol()); 1152 } 1153 *p++ = (char)c; 1154 } 1155 yylval.v.string = strdup(buf); 1156 if (yylval.v.string == NULL) 1157 err(1, "yylex: strdup"); 1158 return (STRING); 1159 } 1160 1161#define allowed_to_end_number(x) \ 1162 (isspace(x) || x == ')' || x ==',' || x == '/' || x == '}' || x == '=') 1163 1164 if (c == '-' || isdigit(c)) { 1165 do { 1166 *p++ = c; 1167 if ((unsigned)(p-buf) >= sizeof(buf)) { 1168 yyerror("string too long"); 1169 return (findeol()); 1170 } 1171 } while ((c = lgetc(0)) != EOF && isdigit(c)); 1172 lungetc(c); 1173 if (p == buf + 1 && buf[0] == '-') 1174 goto nodigits; 1175 if (c == EOF || allowed_to_end_number(c)) { 1176 const char *errstr = NULL; 1177 1178 *p = '\0'; 1179 yylval.v.number = strtonum(buf, LLONG_MIN, 1180 LLONG_MAX, &errstr); 1181 if (errstr) { 1182 yyerror("\"%s\" invalid number: %s", 1183 buf, errstr); 1184 return (findeol()); 1185 } 1186 return (NUMBER); 1187 } else { 1188nodigits: 1189 while (p > buf + 1) 1190 lungetc(*--p); 1191 c = *--p; 1192 if (c == '-') 1193 return (c); 1194 } 1195 } 1196 1197#define allowed_in_string(x) \ 1198 (isalnum(x) || (ispunct(x) && x != '(' && x != ')' && \ 1199 x != '{' && x != '}' && x != '<' && x != '>' && \ 1200 x != '!' && x != '=' && x != '/' && x != '#' && \ 1201 x != ',')) 1202 1203 if (isalnum(c) || c == ':' || c == '_' || c == '*') { 1204 do { 1205 *p++ = c; 1206 if ((unsigned)(p-buf) >= sizeof(buf)) { 1207 yyerror("string too long"); 1208 return (findeol()); 1209 } 1210 } while ((c = lgetc(0)) != EOF && (allowed_in_string(c))); 1211 lungetc(c); 1212 *p = '\0'; 1213 if ((token = lookup(buf)) == STRING) 1214 if ((yylval.v.string = strdup(buf)) == NULL) 1215 err(1, "yylex: strdup"); 1216 return (token); 1217 } 1218 if (c == '\n') { 1219 yylval.lineno = file->lineno; 1220 file->lineno++; 1221 } 1222 if (c == EOF) 1223 return (0); 1224 return (c); 1225} 1226 1227int 1228check_file_secrecy(int fd, const char *fname) 1229{ 1230 struct stat st; 1231 1232 if (fstat(fd, &st)) { 1233 warn("cannot stat %s", fname); 1234 return (-1); 1235 } 1236 if (st.st_uid != 0 && st.st_uid != getuid()) { 1237 warnx("%s: owner not root or current user", fname); 1238 return (-1); 1239 } 1240 if (st.st_mode & (S_IRWXG | S_IRWXO)) { 1241 warnx("%s: group/world readable/writeable", fname); 1242 return (-1); 1243 } 1244 return (0); 1245} 1246 1247struct file * 1248pushfile(const char *name, int secret) 1249{ 1250 struct file *nfile; 1251 1252 if ((nfile = calloc(1, sizeof(struct file))) == NULL) { 1253 warn("malloc"); 1254 return (NULL); 1255 } 1256 if ((nfile->name = strdup(name)) == NULL) { 1257 warn("malloc"); 1258 free(nfile); 1259 return (NULL); 1260 } 1261 if (TAILQ_FIRST(&files) == NULL && strcmp(nfile->name, "-") == 0) { 1262 nfile->stream = stdin; 1263 free(nfile->name); 1264 if ((nfile->name = strdup("stdin")) == NULL) { 1265 warn("strdup"); 1266 free(nfile); 1267 return (NULL); 1268 } 1269 } else if ((nfile->stream = fopen(nfile->name, "r")) == NULL) { 1270 warn("%s", nfile->name); 1271 free(nfile->name); 1272 free(nfile); 1273 return (NULL); 1274 } else if (secret && 1275 check_file_secrecy(fileno(nfile->stream), nfile->name)) { 1276 fclose(nfile->stream); 1277 free(nfile->name); 1278 free(nfile); 1279 return (NULL); 1280 } 1281 nfile->lineno = 1; 1282 TAILQ_INSERT_TAIL(&files, nfile, entry); 1283 return (nfile); 1284} 1285 1286int 1287popfile(void) 1288{ 1289 struct file *prev; 1290 1291 if ((prev = TAILQ_PREV(file, files, entry)) != NULL) { 1292 prev->errors += file->errors; 1293 TAILQ_REMOVE(&files, file, entry); 1294 fclose(file->stream); 1295 free(file->name); 1296 free(file); 1297 file = prev; 1298 return (0); 1299 } 1300 return (EOF); 1301} 1302 1303int 1304parse_rules(const char *filename, struct ipsecctl *ipsecx) 1305{ 1306 struct sym *sym; 1307 int errors = 0; 1308 1309 ipsec = ipsecx; 1310 1311 if ((file = pushfile(filename, 1)) == NULL) { 1312 return (-1); 1313 } 1314 1315 yyparse(); 1316 errors = file->errors; 1317 popfile(); 1318 1319 /* Free macros and check which have not been used. */ 1320 while ((sym = TAILQ_FIRST(&symhead))) { 1321 if ((ipsec->opts & IPSECCTL_OPT_VERBOSE2) && !sym->used) 1322 fprintf(stderr, "warning: macro '%s' not " 1323 "used\n", sym->nam); 1324 free(sym->nam); 1325 free(sym->val); 1326 TAILQ_REMOVE(&symhead, sym, entry); 1327 free(sym); 1328 } 1329 1330 return (errors ? -1 : 0); 1331} 1332 1333int 1334symset(const char *nam, const char *val, int persist) 1335{ 1336 struct sym *sym; 1337 1338 for (sym = TAILQ_FIRST(&symhead); sym && strcmp(nam, sym->nam); 1339 sym = TAILQ_NEXT(sym, entry)) 1340 ; /* nothing */ 1341 1342 if (sym != NULL) { 1343 if (sym->persist == 1) 1344 return (0); 1345 else { 1346 free(sym->nam); 1347 free(sym->val); 1348 TAILQ_REMOVE(&symhead, sym, entry); 1349 free(sym); 1350 } 1351 } 1352 if ((sym = calloc(1, sizeof(*sym))) == NULL) 1353 return (-1); 1354 1355 sym->nam = strdup(nam); 1356 if (sym->nam == NULL) { 1357 free(sym); 1358 return (-1); 1359 } 1360 sym->val = strdup(val); 1361 if (sym->val == NULL) { 1362 free(sym->nam); 1363 free(sym); 1364 return (-1); 1365 } 1366 sym->used = 0; 1367 sym->persist = persist; 1368 TAILQ_INSERT_TAIL(&symhead, sym, entry); 1369 return (0); 1370} 1371 1372int 1373cmdline_symset(char *s) 1374{ 1375 char *sym, *val; 1376 int ret; 1377 size_t len; 1378 1379 if ((val = strrchr(s, '=')) == NULL) 1380 return (-1); 1381 1382 len = strlen(s) - strlen(val) + 1; 1383 if ((sym = malloc(len)) == NULL) 1384 err(1, "cmdline_symset: malloc"); 1385 1386 strlcpy(sym, s, len); 1387 1388 ret = symset(sym, val + 1, 1); 1389 free(sym); 1390 1391 return (ret); 1392} 1393 1394char * 1395symget(const char *nam) 1396{ 1397 struct sym *sym; 1398 1399 TAILQ_FOREACH(sym, &symhead, entry) 1400 if (strcmp(nam, sym->nam) == 0) { 1401 sym->used = 1; 1402 return (sym->val); 1403 } 1404 return (NULL); 1405} 1406 1407int 1408atoul(char *s, u_long *ulvalp) 1409{ 1410 u_long ulval; 1411 char *ep; 1412 1413 errno = 0; 1414 ulval = strtoul(s, &ep, 0); 1415 if (s[0] == '\0' || *ep != '\0') 1416 return (-1); 1417 if (errno == ERANGE && ulval == ULONG_MAX) 1418 return (-1); 1419 *ulvalp = ulval; 1420 return (0); 1421} 1422 1423int 1424atospi(char *s, u_int32_t *spivalp) 1425{ 1426 unsigned long ulval; 1427 1428 if (atoul(s, &ulval) == -1) 1429 return (-1); 1430 if (ulval > UINT_MAX) { 1431 yyerror("%lu not a valid spi", ulval); 1432 return (-1); 1433 } 1434 if (ulval >= SPI_RESERVED_MIN && ulval <= SPI_RESERVED_MAX) { 1435 yyerror("%lu within reserved spi range", ulval); 1436 return (-1); 1437 } 1438 *spivalp = ulval; 1439 return (0); 1440} 1441 1442u_int8_t 1443x2i(unsigned char *s) 1444{ 1445 char ss[3]; 1446 1447 ss[0] = s[0]; 1448 ss[1] = s[1]; 1449 ss[2] = 0; 1450 1451 if (!isxdigit(s[0]) || !isxdigit(s[1])) { 1452 yyerror("keys need to be specified in hex digits"); 1453 return (-1); 1454 } 1455 return ((u_int8_t)strtoul(ss, NULL, 16)); 1456} 1457 1458struct ipsec_key * 1459parsekey(unsigned char *hexkey, size_t len) 1460{ 1461 struct ipsec_key *key; 1462 int i; 1463 1464 key = calloc(1, sizeof(struct ipsec_key)); 1465 if (key == NULL) 1466 err(1, "parsekey: calloc"); 1467 1468 key->len = len / 2; 1469 key->data = calloc(key->len, sizeof(u_int8_t)); 1470 if (key->data == NULL) 1471 err(1, "parsekey: calloc"); 1472 1473 for (i = 0; i < (int)key->len; i++) 1474 key->data[i] = x2i(hexkey + 2 * i); 1475 1476 return (key); 1477} 1478 1479struct ipsec_key * 1480parsekeyfile(char *filename) 1481{ 1482 struct stat sb; 1483 int fd; 1484 unsigned char *hex; 1485 1486 if ((fd = open(filename, O_RDONLY)) < 0) 1487 err(1, "open %s", filename); 1488 if (fstat(fd, &sb) < 0) 1489 err(1, "parsekeyfile: stat %s", filename); 1490 if ((sb.st_size > KEYSIZE_LIMIT) || (sb.st_size == 0)) 1491 errx(1, "%s: key too %s", filename, sb.st_size ? "large" : 1492 "small"); 1493 if ((hex = calloc(sb.st_size, sizeof(unsigned char))) == NULL) 1494 err(1, "parsekeyfile: calloc"); 1495 if (read(fd, hex, sb.st_size) < sb.st_size) 1496 err(1, "parsekeyfile: read"); 1497 close(fd); 1498 return (parsekey(hex, sb.st_size)); 1499} 1500 1501int 1502get_id_type(char *string) 1503{ 1504 struct in6_addr ia; 1505 1506 if (string == NULL) 1507 return (ID_UNKNOWN); 1508 1509 if (inet_pton(AF_INET, string, &ia) == 1) 1510 return (ID_IPV4); 1511 else if (inet_pton(AF_INET6, string, &ia) == 1) 1512 return (ID_IPV6); 1513 else if (strchr(string, '@')) 1514 return (ID_UFQDN); 1515 else 1516 return (ID_FQDN); 1517} 1518 1519struct ipsec_addr_wrap * 1520host(const char *s) 1521{ 1522 struct ipsec_addr_wrap *ipa = NULL; 1523 int mask, cont = 1; 1524 char *p, *q, *ps; 1525 1526 if ((p = strrchr(s, '/')) != NULL) { 1527 errno = 0; 1528 mask = strtol(p + 1, &q, 0); 1529 if (errno == ERANGE || !q || *q || mask > 128 || q == (p + 1)) 1530 errx(1, "host: invalid netmask '%s'", p); 1531 if ((ps = malloc(strlen(s) - strlen(p) + 1)) == NULL) 1532 err(1, "host: calloc"); 1533 strlcpy(ps, s, strlen(s) - strlen(p) + 1); 1534 } else { 1535 if ((ps = strdup(s)) == NULL) 1536 err(1, "host: strdup"); 1537 mask = -1; 1538 } 1539 1540 /* Does interface with this name exist? */ 1541 if (cont && (ipa = host_if(ps, mask)) != NULL) 1542 cont = 0; 1543 1544 /* IPv4 address? */ 1545 if (cont && (ipa = host_v4(s, mask == -1 ? 32 : mask)) != NULL) 1546 cont = 0; 1547 1548 /* IPv6 address? */ 1549 if (cont && (ipa = host_v6(ps, mask == -1 ? 128 : mask)) != NULL) 1550 cont = 0; 1551 1552 /* dns lookup */ 1553 if (cont && mask == -1 && (ipa = host_dns(s, mask)) != NULL) 1554 cont = 0; 1555 free(ps); 1556 1557 if (ipa == NULL || cont == 1) { 1558 fprintf(stderr, "no IP address found for %s\n", s); 1559 return (NULL); 1560 } 1561 return (ipa); 1562} 1563 1564struct ipsec_addr_wrap * 1565host_v6(const char *s, int prefixlen) 1566{ 1567 struct ipsec_addr_wrap *ipa = NULL; 1568 struct addrinfo hints, *res; 1569 char hbuf[NI_MAXHOST]; 1570 1571 bzero(&hints, sizeof(struct addrinfo)); 1572 hints.ai_family = AF_INET6; 1573 hints.ai_socktype = SOCK_STREAM; 1574 hints.ai_flags = AI_NUMERICHOST; 1575 if (getaddrinfo(s, NULL, &hints, &res)) 1576 return (NULL); 1577 if (res->ai_next) 1578 err(1, "host_v6: numeric hostname expanded to multiple item"); 1579 1580 ipa = calloc(1, sizeof(struct ipsec_addr_wrap)); 1581 if (ipa == NULL) 1582 err(1, "host_v6: calloc"); 1583 ipa->af = res->ai_family; 1584 memcpy(&ipa->address.v6, 1585 &((struct sockaddr_in6 *)res->ai_addr)->sin6_addr, 1586 sizeof(struct in6_addr)); 1587 if (prefixlen > 128) 1588 prefixlen = 128; 1589 ipa->next = NULL; 1590 ipa->tail = ipa; 1591 1592 set_ipmask(ipa, prefixlen); 1593 if (getnameinfo(res->ai_addr, res->ai_addrlen, 1594 hbuf, sizeof(hbuf), NULL, 0, NI_NUMERICHOST)) { 1595 errx(1, "could not get a numeric hostname"); 1596 } 1597 1598 if (prefixlen != 128) { 1599 ipa->netaddress = 1; 1600 asprintf(&ipa->name, "%s/%d", hbuf, prefixlen); 1601 } else 1602 ipa->name = strdup(hbuf); 1603 if (ipa->name == NULL) 1604 err(1, "host_v6: strdup"); 1605 1606 freeaddrinfo(res); 1607 1608 return (ipa); 1609} 1610 1611struct ipsec_addr_wrap * 1612host_v4(const char *s, int mask) 1613{ 1614 struct ipsec_addr_wrap *ipa = NULL; 1615 struct in_addr ina; 1616 int bits = 32; 1617 1618 bzero(&ina, sizeof(struct in_addr)); 1619 if (strrchr(s, '/') != NULL) { 1620 if ((bits = inet_net_pton(AF_INET, s, &ina, sizeof(ina))) == -1) 1621 return (NULL); 1622 } else { 1623 if (inet_pton(AF_INET, s, &ina) != 1) 1624 return (NULL); 1625 } 1626 1627 ipa = calloc(1, sizeof(struct ipsec_addr_wrap)); 1628 if (ipa == NULL) 1629 err(1, "host_v4: calloc"); 1630 1631 ipa->address.v4 = ina; 1632 ipa->name = strdup(s); 1633 if (ipa->name == NULL) 1634 err(1, "host_v4: strdup"); 1635 ipa->af = AF_INET; 1636 ipa->next = NULL; 1637 ipa->tail = ipa; 1638 1639 set_ipmask(ipa, bits); 1640 if (strrchr(s, '/') != NULL) 1641 ipa->netaddress = 1; 1642 1643 return (ipa); 1644} 1645 1646struct ipsec_addr_wrap * 1647host_dns(const char *s, int mask) 1648{ 1649 struct ipsec_addr_wrap *ipa = NULL, *head = NULL; 1650 struct addrinfo hints, *res0, *res; 1651 int error; 1652 char hbuf[NI_MAXHOST]; 1653 1654 bzero(&hints, sizeof(struct addrinfo)); 1655 hints.ai_family = PF_UNSPEC; 1656 hints.ai_socktype = SOCK_STREAM; 1657 error = getaddrinfo(s, NULL, &hints, &res0); 1658 if (error) 1659 return (NULL); 1660 1661 for (res = res0; res; res = res->ai_next) { 1662 if (res->ai_family != AF_INET && res->ai_family != AF_INET6) 1663 continue; 1664 1665 ipa = calloc(1, sizeof(struct ipsec_addr_wrap)); 1666 if (ipa == NULL) 1667 err(1, "host_dns: calloc"); 1668 switch (res->ai_family) { 1669 case AF_INET: 1670 memcpy(&ipa->address.v4, 1671 &((struct sockaddr_in *)res->ai_addr)->sin_addr, 1672 sizeof(struct in_addr)); 1673 break; 1674 case AF_INET6: 1675 /* XXX we do not support scoped IPv6 address yet */ 1676 if (((struct sockaddr_in6 *)res->ai_addr)->sin6_scope_id) { 1677 free(ipa); 1678 continue; 1679 } 1680 memcpy(&ipa->address.v6, 1681 &((struct sockaddr_in6 *)res->ai_addr)->sin6_addr, 1682 sizeof(struct in6_addr)); 1683 break; 1684 } 1685 error = getnameinfo(res->ai_addr, res->ai_addrlen, hbuf, 1686 sizeof(hbuf), NULL, 0, NI_NUMERICHOST); 1687 if (error) 1688 err(1, "host_dns: getnameinfo"); 1689 ipa->name = strdup(hbuf); 1690 if (ipa->name == NULL) 1691 err(1, "host_dns: strdup"); 1692 ipa->af = res->ai_family; 1693 ipa->next = NULL; 1694 ipa->tail = ipa; 1695 if (head == NULL) 1696 head = ipa; 1697 else { 1698 head->tail->next = ipa; 1699 head->tail = ipa; 1700 } 1701 1702 /* 1703 * XXX for now, no netmask support for IPv6. 1704 * but since there's no way to specify address family, once you 1705 * have IPv6 address on a host, you cannot use dns/netmask 1706 * syntax. 1707 */ 1708 if (ipa->af == AF_INET) 1709 set_ipmask(ipa, mask == -1 ? 32 : mask); 1710 else 1711 if (mask != -1) 1712 err(1, "host_dns: cannot apply netmask " 1713 "on non-IPv4 address"); 1714 } 1715 freeaddrinfo(res0); 1716 1717 return (head); 1718} 1719 1720struct ipsec_addr_wrap * 1721host_if(const char *s, int mask) 1722{ 1723 struct ipsec_addr_wrap *ipa = NULL; 1724 1725 if (ifa_exists(s)) 1726 ipa = ifa_lookup(s); 1727 1728 return (ipa); 1729} 1730 1731struct ipsec_addr_wrap * 1732host_any(void) 1733{ 1734 struct ipsec_addr_wrap *ipa; 1735 1736 ipa = calloc(1, sizeof(struct ipsec_addr_wrap)); 1737 if (ipa == NULL) 1738 err(1, "host_any: calloc"); 1739 ipa->af = AF_UNSPEC; 1740 ipa->netaddress = 1; 1741 ipa->tail = ipa; 1742 return (ipa); 1743} 1744 1745/* interface lookup routintes */ 1746 1747struct ipsec_addr_wrap *iftab; 1748 1749void 1750ifa_load(void) 1751{ 1752 struct ifaddrs *ifap, *ifa; 1753 struct ipsec_addr_wrap *n = NULL, *h = NULL; 1754 1755 if (getifaddrs(&ifap) < 0) 1756 err(1, "ifa_load: getifaddrs"); 1757 1758 for (ifa = ifap; ifa; ifa = ifa->ifa_next) { 1759 if (!(ifa->ifa_addr->sa_family == AF_INET || 1760 ifa->ifa_addr->sa_family == AF_INET6 || 1761 ifa->ifa_addr->sa_family == AF_LINK)) 1762 continue; 1763 n = calloc(1, sizeof(struct ipsec_addr_wrap)); 1764 if (n == NULL) 1765 err(1, "ifa_load: calloc"); 1766 n->af = ifa->ifa_addr->sa_family; 1767 if ((n->name = strdup(ifa->ifa_name)) == NULL) 1768 err(1, "ifa_load: strdup"); 1769 if (n->af == AF_INET) { 1770 n->af = AF_INET; 1771 memcpy(&n->address.v4, &((struct sockaddr_in *) 1772 ifa->ifa_addr)->sin_addr, 1773 sizeof(struct in_addr)); 1774 memcpy(&n->mask.v4, &((struct sockaddr_in *) 1775 ifa->ifa_netmask)->sin_addr, 1776 sizeof(struct in_addr)); 1777 } else if (n->af == AF_INET6) { 1778 n->af = AF_INET6; 1779 memcpy(&n->address.v6, &((struct sockaddr_in6 *) 1780 ifa->ifa_addr)->sin6_addr, 1781 sizeof(struct in6_addr)); 1782 memcpy(&n->mask.v6, &((struct sockaddr_in6 *) 1783 ifa->ifa_netmask)->sin6_addr, 1784 sizeof(struct in6_addr)); 1785 } 1786 n->next = NULL; 1787 n->tail = n; 1788 if (h == NULL) 1789 h = n; 1790 else { 1791 h->tail->next = n; 1792 h->tail = n; 1793 } 1794 } 1795 1796 iftab = h; 1797 freeifaddrs(ifap); 1798} 1799 1800int 1801ifa_exists(const char *ifa_name) 1802{ 1803 struct ipsec_addr_wrap *n; 1804 struct ifgroupreq ifgr; 1805 int s; 1806 1807 if (iftab == NULL) 1808 ifa_load(); 1809 1810 /* check whether this is a group */ 1811 if ((s = socket(AF_INET, SOCK_DGRAM, 0)) == -1) 1812 err(1, "ifa_exists: socket"); 1813 bzero(&ifgr, sizeof(ifgr)); 1814 strlcpy(ifgr.ifgr_name, ifa_name, sizeof(ifgr.ifgr_name)); 1815 if (ioctl(s, SIOCGIFGMEMB, (caddr_t)&ifgr) == 0) { 1816 close(s); 1817 return (1); 1818 } 1819 close(s); 1820 1821 for (n = iftab; n; n = n->next) { 1822 if (n->af == AF_LINK && !strncmp(n->name, ifa_name, 1823 IFNAMSIZ)) 1824 return (1); 1825 } 1826 1827 return (0); 1828} 1829 1830struct ipsec_addr_wrap * 1831ifa_grouplookup(const char *ifa_name) 1832{ 1833 struct ifg_req *ifg; 1834 struct ifgroupreq ifgr; 1835 int s; 1836 size_t len; 1837 struct ipsec_addr_wrap *n, *h = NULL, *hn; 1838 1839 if ((s = socket(AF_INET, SOCK_DGRAM, 0)) == -1) 1840 err(1, "socket"); 1841 bzero(&ifgr, sizeof(ifgr)); 1842 strlcpy(ifgr.ifgr_name, ifa_name, sizeof(ifgr.ifgr_name)); 1843 if (ioctl(s, SIOCGIFGMEMB, (caddr_t)&ifgr) == -1) { 1844 close(s); 1845 return (NULL); 1846 } 1847 1848 len = ifgr.ifgr_len; 1849 if ((ifgr.ifgr_groups = calloc(1, len)) == NULL) 1850 err(1, "calloc"); 1851 if (ioctl(s, SIOCGIFGMEMB, (caddr_t)&ifgr) == -1) 1852 err(1, "ioctl"); 1853 1854 for (ifg = ifgr.ifgr_groups; ifg && len >= sizeof(struct ifg_req); 1855 ifg++) { 1856 len -= sizeof(struct ifg_req); 1857 if ((n = ifa_lookup(ifg->ifgrq_member)) == NULL) 1858 continue; 1859 if (h == NULL) 1860 h = n; 1861 else { 1862 for (hn = h; hn->next != NULL; hn = hn->next) 1863 ; /* nothing */ 1864 hn->next = n; 1865 n->tail = hn; 1866 } 1867 } 1868 free(ifgr.ifgr_groups); 1869 close(s); 1870 1871 return (h); 1872} 1873 1874struct ipsec_addr_wrap * 1875ifa_lookup(const char *ifa_name) 1876{ 1877 struct ipsec_addr_wrap *p = NULL, *h = NULL, *n = NULL; 1878 1879 if (iftab == NULL) 1880 ifa_load(); 1881 1882 if ((n = ifa_grouplookup(ifa_name)) != NULL) 1883 return (n); 1884 1885 for (p = iftab; p; p = p->next) { 1886 if (p->af != AF_INET && p->af != AF_INET6) 1887 continue; 1888 if (strncmp(p->name, ifa_name, IFNAMSIZ)) 1889 continue; 1890 n = calloc(1, sizeof(struct ipsec_addr_wrap)); 1891 if (n == NULL) 1892 err(1, "ifa_lookup: calloc"); 1893 memcpy(n, p, sizeof(struct ipsec_addr_wrap)); 1894 if ((n->name = strdup(p->name)) == NULL) 1895 err(1, "ifa_lookup: strdup"); 1896 switch (n->af) { 1897 case AF_INET: 1898 set_ipmask(n, 32); 1899 break; 1900 case AF_INET6: 1901 /* route/show.c and bgpd/util.c give KAME credit */ 1902 if (IN6_IS_ADDR_LINKLOCAL(&n->address.v6)) { 1903 u_int16_t tmp16; 1904 /* for now we can not handle link local, 1905 * therefore bail for now 1906 */ 1907 free(n); 1908 continue; 1909 1910 memcpy(&tmp16, &n->address.v6.s6_addr[2], 1911 sizeof(tmp16)); 1912 /* use this when we support link-local 1913 * n->??.scopeid = ntohs(tmp16); 1914 */ 1915 n->address.v6.s6_addr[2] = 0; 1916 n->address.v6.s6_addr[3] = 0; 1917 } 1918 set_ipmask(n, 128); 1919 break; 1920 } 1921 1922 n->next = NULL; 1923 n->tail = n; 1924 if (h == NULL) 1925 h = n; 1926 else { 1927 h->tail->next = n; 1928 h->tail = n; 1929 } 1930 } 1931 1932 return (h); 1933} 1934 1935void 1936set_ipmask(struct ipsec_addr_wrap *address, u_int8_t b) 1937{ 1938 struct ipsec_addr *ipa; 1939 int i, j = 0; 1940 1941 ipa = &address->mask; 1942 bzero(ipa, sizeof(struct ipsec_addr)); 1943 1944 while (b >= 32) { 1945 ipa->addr32[j++] = 0xffffffff; 1946 b -= 32; 1947 } 1948 for (i = 31; i > 31 - b; --i) 1949 ipa->addr32[j] |= (1 << i); 1950 if (b) 1951 ipa->addr32[j] = htonl(ipa->addr32[j]); 1952} 1953 1954const struct ipsec_xf * 1955parse_xf(const char *name, const struct ipsec_xf xfs[]) 1956{ 1957 int i; 1958 1959 for (i = 0; xfs[i].name != NULL; i++) { 1960 if (strncmp(name, xfs[i].name, strlen(name))) 1961 continue; 1962 return &xfs[i]; 1963 } 1964 return (NULL); 1965} 1966 1967struct ipsec_life * 1968parse_life(int value) 1969{ 1970 struct ipsec_life *life; 1971 1972 life = calloc(1, sizeof(struct ipsec_life)); 1973 if (life == NULL) 1974 err(1, "calloc"); 1975 1976 life->lifetime = value; 1977 1978 return (life); 1979} 1980 1981struct ipsec_transforms * 1982copytransforms(const struct ipsec_transforms *xfs) 1983{ 1984 struct ipsec_transforms *newxfs; 1985 1986 if (xfs == NULL) 1987 return (NULL); 1988 1989 newxfs = calloc(1, sizeof(struct ipsec_transforms)); 1990 if (newxfs == NULL) 1991 err(1, "copytransforms: calloc"); 1992 1993 memcpy(newxfs, xfs, sizeof(struct ipsec_transforms)); 1994 return (newxfs); 1995} 1996 1997struct ipsec_life * 1998copylife(const struct ipsec_life *life) 1999{ 2000 struct ipsec_life *newlife; 2001 2002 if (life == NULL) 2003 return (NULL); 2004 2005 newlife = calloc(1, sizeof(struct ipsec_life)); 2006 if (newlife == NULL) 2007 err(1, "copylife: calloc"); 2008 2009 memcpy(newlife, life, sizeof(struct ipsec_life)); 2010 return (newlife); 2011} 2012 2013struct ipsec_auth * 2014copyipsecauth(const struct ipsec_auth *auth) 2015{ 2016 struct ipsec_auth *newauth; 2017 2018 if (auth == NULL) 2019 return (NULL); 2020 2021 if ((newauth = calloc(1, sizeof(struct ipsec_auth))) == NULL) 2022 err(1, "calloc"); 2023 if (auth->srcid && 2024 asprintf(&newauth->srcid, "%s", auth->srcid) == -1) 2025 err(1, "asprintf"); 2026 if (auth->dstid && 2027 asprintf(&newauth->dstid, "%s", auth->dstid) == -1) 2028 err(1, "asprintf"); 2029 2030 newauth->srcid_type = auth->srcid_type; 2031 newauth->dstid_type = auth->dstid_type; 2032 newauth->type = auth->type; 2033 2034 return (newauth); 2035} 2036 2037struct ike_auth * 2038copyikeauth(const struct ike_auth *auth) 2039{ 2040 struct ike_auth *newauth; 2041 2042 if (auth == NULL) 2043 return (NULL); 2044 2045 if ((newauth = calloc(1, sizeof(struct ike_auth))) == NULL) 2046 err(1, "calloc"); 2047 if (auth->string && 2048 asprintf(&newauth->string, "%s", auth->string) == -1) 2049 err(1, "asprintf"); 2050 2051 newauth->type = auth->type; 2052 2053 return (newauth); 2054} 2055 2056struct ipsec_key * 2057copykey(struct ipsec_key *key) 2058{ 2059 struct ipsec_key *newkey; 2060 2061 if (key == NULL) 2062 return (NULL); 2063 2064 if ((newkey = calloc(1, sizeof(struct ipsec_key))) == NULL) 2065 err(1, "calloc"); 2066 if ((newkey->data = calloc(key->len, sizeof(u_int8_t))) == NULL) 2067 err(1, "calloc"); 2068 memcpy(newkey->data, key->data, key->len); 2069 newkey->len = key->len; 2070 2071 return (newkey); 2072} 2073 2074struct ipsec_addr_wrap * 2075copyhost(const struct ipsec_addr_wrap *src) 2076{ 2077 struct ipsec_addr_wrap *dst; 2078 2079 if (src == NULL) 2080 return (NULL); 2081 2082 dst = calloc(1, sizeof(struct ipsec_addr_wrap)); 2083 if (dst == NULL) 2084 err(1, "copyhost: calloc"); 2085 2086 memcpy(dst, src, sizeof(struct ipsec_addr_wrap)); 2087 2088 if (src->name != NULL && (dst->name = strdup(src->name)) == NULL) 2089 err(1, "copyhost: strdup"); 2090 2091 return dst; 2092} 2093 2094char * 2095copytag(const char *src) 2096{ 2097 char *tag; 2098 2099 if (src == NULL) 2100 return (NULL); 2101 if ((tag = strdup(src)) == NULL) 2102 err(1, "copytag: strdup"); 2103 2104 return (tag); 2105} 2106 2107struct ipsec_rule * 2108copyrule(struct ipsec_rule *rule) 2109{ 2110 struct ipsec_rule *r; 2111 2112 if ((r = calloc(1, sizeof(struct ipsec_rule))) == NULL) 2113 err(1, "calloc"); 2114 2115 r->src = copyhost(rule->src); 2116 r->dst = copyhost(rule->dst); 2117 r->local = copyhost(rule->local); 2118 r->peer = copyhost(rule->peer); 2119 r->auth = copyipsecauth(rule->auth); 2120 r->ikeauth = copyikeauth(rule->ikeauth); 2121 r->xfs = copytransforms(rule->xfs); 2122 r->p1xfs = copytransforms(rule->p1xfs); 2123 r->p2xfs = copytransforms(rule->p2xfs); 2124 r->p1life = copylife(rule->p1life); 2125 r->p2life = copylife(rule->p2life); 2126 r->authkey = copykey(rule->authkey); 2127 r->enckey = copykey(rule->enckey); 2128 r->tag = copytag(rule->tag); 2129 2130 r->p1ie = rule->p1ie; 2131 r->p2ie = rule->p2ie; 2132 r->type = rule->type; 2133 r->satype = rule->satype; 2134 r->proto = rule->proto; 2135 r->tmode = rule->tmode; 2136 r->direction = rule->direction; 2137 r->flowtype = rule->flowtype; 2138 r->sport = rule->sport; 2139 r->dport = rule->dport; 2140 r->ikemode = rule->ikemode; 2141 r->spi = rule->spi; 2142 r->nr = rule->nr; 2143 2144 return (r); 2145} 2146 2147int 2148validate_af(struct ipsec_addr_wrap *src, struct ipsec_addr_wrap *dst) 2149{ 2150 struct ipsec_addr_wrap *ta; 2151 u_int8_t src_v4 = 0; 2152 u_int8_t dst_v4 = 0; 2153 u_int8_t src_v6 = 0; 2154 u_int8_t dst_v6 = 0; 2155 2156 for (ta = src; ta; ta = ta->next) { 2157 if (ta->af == AF_INET) 2158 src_v4 = 1; 2159 if (ta->af == AF_INET6) 2160 src_v6 = 1; 2161 if (ta->af == AF_UNSPEC) 2162 return 0; 2163 if (src_v4 && src_v6) 2164 break; 2165 } 2166 for (ta = dst; ta; ta = ta->next) { 2167 if (ta->af == AF_INET) 2168 dst_v4 = 1; 2169 if (ta->af == AF_INET6) 2170 dst_v6 = 1; 2171 if (ta->af == AF_UNSPEC) 2172 return 0; 2173 if (dst_v4 && dst_v6) 2174 break; 2175 } 2176 if (src_v4 != dst_v4 && src_v6 != dst_v6) 2177 return (1); 2178 2179 return (0); 2180} 2181 2182 2183int 2184validate_sa(u_int32_t spi, u_int8_t satype, struct ipsec_transforms *xfs, 2185 struct ipsec_key *authkey, struct ipsec_key *enckey, u_int8_t tmode) 2186{ 2187 /* Sanity checks */ 2188 if (spi == 0) { 2189 yyerror("no SPI specified"); 2190 return (0); 2191 } 2192 if (satype == IPSEC_AH) { 2193 if (!xfs) { 2194 yyerror("no transforms specified"); 2195 return (0); 2196 } 2197 if (!xfs->authxf) 2198 xfs->authxf = &authxfs[AUTHXF_HMAC_SHA2_256]; 2199 if (xfs->encxf) { 2200 yyerror("ah does not provide encryption"); 2201 return (0); 2202 } 2203 if (xfs->compxf) { 2204 yyerror("ah does not provide compression"); 2205 return (0); 2206 } 2207 } 2208 if (satype == IPSEC_ESP) { 2209 if (!xfs) { 2210 yyerror("no transforms specified"); 2211 return (0); 2212 } 2213 if (xfs->compxf) { 2214 yyerror("esp does not provide compression"); 2215 return (0); 2216 } 2217 if (!xfs->encxf) 2218 xfs->encxf = &encxfs[ENCXF_AES]; 2219 if (xfs->encxf->noauth && xfs->authxf) { 2220 yyerror("authentication is implicit for %s", 2221 xfs->encxf->name); 2222 return (0); 2223 } else if (!xfs->encxf->noauth && !xfs->authxf) 2224 xfs->authxf = &authxfs[AUTHXF_HMAC_SHA2_256]; 2225 } 2226 if (satype == IPSEC_IPCOMP) { 2227 if (!xfs) { 2228 yyerror("no transform specified"); 2229 return (0); 2230 } 2231 if (xfs->authxf || xfs->encxf) { 2232 yyerror("no encryption or authentication with ipcomp"); 2233 return (0); 2234 } 2235 if (!xfs->compxf) 2236 xfs->compxf = &compxfs[COMPXF_DEFLATE]; 2237 } 2238 if (satype == IPSEC_IPIP) { 2239 if (!xfs) { 2240 yyerror("no transform specified"); 2241 return (0); 2242 } 2243 if (xfs->authxf || xfs->encxf || xfs->compxf) { 2244 yyerror("no encryption, authentication or compression" 2245 " with ipip"); 2246 return (0); 2247 } 2248 } 2249 if (satype == IPSEC_TCPMD5 && authkey == NULL && tmode != 2250 IPSEC_TRANSPORT) { 2251 yyerror("authentication key needed for tcpmd5"); 2252 return (0); 2253 } 2254 if (xfs && xfs->authxf) { 2255 if (!authkey && xfs->authxf != &authxfs[AUTHXF_NONE]) { 2256 yyerror("no authentication key specified"); 2257 return (0); 2258 } 2259 if (authkey && authkey->len != xfs->authxf->keymin) { 2260 yyerror("wrong authentication key length, needs to be " 2261 "%d bits", xfs->authxf->keymin * 8); 2262 return (0); 2263 } 2264 } 2265 if (xfs && xfs->encxf) { 2266 if (!enckey && xfs->encxf != &encxfs[ENCXF_NULL]) { 2267 yyerror("no encryption key specified"); 2268 return (0); 2269 } 2270 if (enckey) { 2271 if (enckey->len < xfs->encxf->keymin) { 2272 yyerror("encryption key too short (%d bits), " 2273 "minimum %d bits", enckey->len * 8, 2274 xfs->encxf->keymin * 8); 2275 return (0); 2276 } 2277 if (xfs->encxf->keymax < enckey->len) { 2278 yyerror("encryption key too long (%d bits), " 2279 "maximum %d bits", enckey->len * 8, 2280 xfs->encxf->keymax * 8); 2281 return (0); 2282 } 2283 } 2284 } 2285 2286 return 1; 2287} 2288 2289int 2290add_sagroup(struct ipsec_rule *r) 2291{ 2292 struct ipsec_rule *rp, *last, *group; 2293 int found = 0; 2294 2295 TAILQ_FOREACH(rp, &ipsec->group_queue, group_entry) { 2296 if ((strcmp(rp->src->name, r->src->name) == 0) && 2297 (strcmp(rp->dst->name, r->dst->name) == 0)) { 2298 found = 1; 2299 break; 2300 } 2301 } 2302 if (found) { 2303 last = TAILQ_LAST(&rp->dst_group_queue, dst_group_queue); 2304 TAILQ_INSERT_TAIL(&rp->dst_group_queue, r, dst_group_entry); 2305 2306 group = create_sagroup(last->dst, last->satype, last->spi, 2307 r->dst, r->satype, r->spi); 2308 if (group == NULL) 2309 return (1); 2310 group->nr = ipsec->rule_nr++; 2311 if (ipsecctl_add_rule(ipsec, group)) 2312 return (1); 2313 } else { 2314 TAILQ_INSERT_TAIL(&ipsec->group_queue, r, group_entry); 2315 TAILQ_INIT(&r->dst_group_queue); 2316 TAILQ_INSERT_TAIL(&r->dst_group_queue, r, dst_group_entry); 2317 } 2318 2319 return (0); 2320} 2321 2322struct ipsec_rule * 2323create_sa(u_int8_t satype, u_int8_t tmode, struct ipsec_hosts *hosts, 2324 u_int32_t spi, struct ipsec_transforms *xfs, struct ipsec_key *authkey, 2325 struct ipsec_key *enckey) 2326{ 2327 struct ipsec_rule *r; 2328 2329 if (validate_sa(spi, satype, xfs, authkey, enckey, tmode) == 0) 2330 return (NULL); 2331 2332 r = calloc(1, sizeof(struct ipsec_rule)); 2333 if (r == NULL) 2334 err(1, "create_sa: calloc"); 2335 2336 r->type |= RULE_SA; 2337 r->satype = satype; 2338 r->tmode = tmode; 2339 r->src = hosts->src; 2340 r->dst = hosts->dst; 2341 r->spi = spi; 2342 r->xfs = xfs; 2343 r->authkey = authkey; 2344 r->enckey = enckey; 2345 2346 return r; 2347} 2348 2349struct ipsec_rule * 2350reverse_sa(struct ipsec_rule *rule, u_int32_t spi, struct ipsec_key *authkey, 2351 struct ipsec_key *enckey) 2352{ 2353 struct ipsec_rule *reverse; 2354 2355 if (validate_sa(spi, rule->satype, rule->xfs, authkey, enckey, 2356 rule->tmode) == 0) 2357 return (NULL); 2358 2359 reverse = calloc(1, sizeof(struct ipsec_rule)); 2360 if (reverse == NULL) 2361 err(1, "reverse_sa: calloc"); 2362 2363 reverse->type |= RULE_SA; 2364 reverse->satype = rule->satype; 2365 reverse->tmode = rule->tmode; 2366 reverse->src = copyhost(rule->dst); 2367 reverse->dst = copyhost(rule->src); 2368 reverse->spi = spi; 2369 reverse->xfs = copytransforms(rule->xfs); 2370 reverse->authkey = authkey; 2371 reverse->enckey = enckey; 2372 2373 return (reverse); 2374} 2375 2376struct ipsec_rule * 2377create_sagroup(struct ipsec_addr_wrap *dst, u_int8_t proto, u_int32_t spi, 2378 struct ipsec_addr_wrap *dst2, u_int8_t proto2, u_int32_t spi2) 2379{ 2380 struct ipsec_rule *r; 2381 2382 r = calloc(1, sizeof(struct ipsec_rule)); 2383 if (r == NULL) 2384 err(1, "create_sagroup: calloc"); 2385 2386 r->type |= RULE_GROUP; 2387 2388 r->dst = copyhost(dst); 2389 r->dst2 = copyhost(dst2); 2390 r->proto = proto; 2391 r->proto2 = proto2; 2392 r->spi = spi; 2393 r->spi2 = spi2; 2394 r->satype = proto; 2395 2396 return (r); 2397} 2398 2399struct ipsec_rule * 2400create_flow(u_int8_t dir, u_int8_t proto, struct ipsec_hosts *hosts, 2401 u_int8_t satype, char *srcid, char *dstid, u_int8_t type) 2402{ 2403 struct ipsec_rule *r; 2404 2405 r = calloc(1, sizeof(struct ipsec_rule)); 2406 if (r == NULL) 2407 err(1, "create_flow: calloc"); 2408 2409 r->type |= RULE_FLOW; 2410 2411 if (dir == IPSEC_INOUT) 2412 r->direction = IPSEC_OUT; 2413 else 2414 r->direction = dir; 2415 2416 r->satype = satype; 2417 r->proto = proto; 2418 r->src = hosts->src; 2419 r->sport = hosts->sport; 2420 r->dst = hosts->dst; 2421 r->dport = hosts->dport; 2422 if ((hosts->sport != 0 || hosts->dport != 0) && 2423 (proto != IPPROTO_TCP && proto != IPPROTO_UDP)) { 2424 yyerror("no protocol supplied with source/destination ports"); 2425 goto errout; 2426 } 2427 2428 switch (satype) { 2429 case IPSEC_IPCOMP: 2430 case IPSEC_IPIP: 2431 if (type == TYPE_UNKNOWN) 2432 type = TYPE_USE; 2433 break; 2434 default: 2435 if (type == TYPE_UNKNOWN) 2436 type = TYPE_REQUIRE; 2437 break; 2438 } 2439 2440 r->flowtype = type; 2441 if (type == TYPE_DENY || type == TYPE_BYPASS) 2442 return (r); 2443 2444 r->auth = calloc(1, sizeof(struct ipsec_auth)); 2445 if (r->auth == NULL) 2446 err(1, "create_flow: calloc"); 2447 r->auth->srcid = srcid; 2448 r->auth->dstid = dstid; 2449 r->auth->srcid_type = get_id_type(srcid); 2450 r->auth->dstid_type = get_id_type(dstid); 2451 return r; 2452 2453errout: 2454 free(r); 2455 if (srcid) 2456 free(srcid); 2457 if (dstid) 2458 free(dstid); 2459 free(hosts->src); 2460 hosts->src = NULL; 2461 free(hosts->dst); 2462 hosts->dst = NULL; 2463 2464 return NULL; 2465} 2466 2467void 2468expand_any(struct ipsec_addr_wrap *ipa_in) 2469{ 2470 struct ipsec_addr_wrap *oldnext, *ipa; 2471 2472 for (ipa = ipa_in; ipa; ipa = ipa->next) { 2473 if (ipa->af != AF_UNSPEC) 2474 continue; 2475 oldnext = ipa->next; 2476 2477 ipa->af = AF_INET; 2478 ipa->netaddress = 1; 2479 if ((ipa->name = strdup("0.0.0.0/0")) == NULL) 2480 err(1, "expand_any: strdup"); 2481 2482 ipa->next = calloc(1, sizeof(struct ipsec_addr_wrap)); 2483 if (ipa->next == NULL) 2484 err(1, "expand_any: calloc"); 2485 ipa->next->af = AF_INET6; 2486 ipa->next->netaddress = 1; 2487 if ((ipa->next->name = strdup("::/0")) == NULL) 2488 err(1, "expand_any: strdup"); 2489 2490 ipa->next->next = oldnext; 2491 } 2492} 2493 2494int 2495set_rule_peers(struct ipsec_rule *r, struct ipsec_hosts *peers) 2496{ 2497 if (r->type == RULE_FLOW && 2498 (r->flowtype == TYPE_DENY || r->flowtype == TYPE_BYPASS)) 2499 return (0); 2500 2501 r->local = copyhost(peers->src); 2502 r->peer = copyhost(peers->dst); 2503 if (r->peer == NULL) { 2504 /* Set peer to remote host. Must be a host address. */ 2505 if (r->direction == IPSEC_IN) { 2506 if (!r->src->netaddress) 2507 r->peer = copyhost(r->src); 2508 } else { 2509 if (!r->dst->netaddress) 2510 r->peer = copyhost(r->dst); 2511 } 2512 } 2513 if (r->type == RULE_FLOW && r->peer == NULL) { 2514 yyerror("no peer specified for destination %s", 2515 r->dst->name); 2516 return (1); 2517 } 2518 if (r->peer != NULL && r->peer->af == AF_UNSPEC) { 2519 /* If peer has been specified as any, use the default peer. */ 2520 free(r->peer); 2521 r->peer = NULL; 2522 } 2523 if (r->type == RULE_IKE && r->peer == NULL) { 2524 /* 2525 * Check if the default peer is consistent for all 2526 * rules. Only warn to avoid breaking existing configs. 2527 */ 2528 static struct ipsec_rule *pdr = NULL; 2529 2530 if (pdr == NULL) { 2531 /* Remember first default peer rule for comparison. */ 2532 pdr = r; 2533 } else { 2534 /* The new default peer must create the same config. */ 2535 if ((pdr->local == NULL && r->local != NULL) || 2536 (pdr->local != NULL && r->local == NULL) || 2537 (pdr->local != NULL && r->local != NULL && 2538 strcmp(pdr->local->name, r->local->name))) 2539 yywarn("default peer local mismatch"); 2540 if (pdr->ikeauth->type != r->ikeauth->type) 2541 yywarn("default peer phase 1 auth mismatch"); 2542 if (pdr->ikeauth->type == IKE_AUTH_PSK && 2543 r->ikeauth->type == IKE_AUTH_PSK && 2544 strcmp(pdr->ikeauth->string, r->ikeauth->string)) 2545 yywarn("default peer psk mismatch"); 2546 if (pdr->p1ie != r->p1ie) 2547 yywarn("default peer phase 1 mode mismatch"); 2548 /* 2549 * Transforms have ADD insted of SET so they may be 2550 * different and are not checked here. 2551 */ 2552 if ((pdr->auth->srcid == NULL && 2553 r->auth->srcid != NULL) || 2554 (pdr->auth->srcid != NULL && 2555 r->auth->srcid == NULL) || 2556 (pdr->auth->srcid != NULL && 2557 r->auth->srcid != NULL && 2558 strcmp(pdr->auth->srcid, r->auth->srcid))) 2559 yywarn("default peer srcid mismatch"); 2560 if ((pdr->auth->dstid == NULL && 2561 r->auth->dstid != NULL) || 2562 (pdr->auth->dstid != NULL && 2563 r->auth->dstid == NULL) || 2564 (pdr->auth->dstid != NULL && 2565 r->auth->dstid != NULL && 2566 strcmp(pdr->auth->dstid, r->auth->dstid))) 2567 yywarn("default peer dstid mismatch"); 2568 } 2569 } 2570 return (0); 2571} 2572 2573int 2574expand_rule(struct ipsec_rule *rule, struct ipsec_hosts *peers, 2575 u_int8_t direction, u_int32_t spi, struct ipsec_key *authkey, 2576 struct ipsec_key *enckey, int group) 2577{ 2578 struct ipsec_rule *r, *revr; 2579 struct ipsec_addr_wrap *src, *dst; 2580 int added = 0, ret = 1; 2581 2582 if (validate_af(rule->src, rule->dst)) { 2583 yyerror("source/destination address families do not match"); 2584 goto errout; 2585 } 2586 expand_any(rule->src); 2587 expand_any(rule->dst); 2588 for (src = rule->src; src; src = src->next) { 2589 for (dst = rule->dst; dst; dst = dst->next) { 2590 if (src->af != dst->af) 2591 continue; 2592 r = copyrule(rule); 2593 2594 r->src = copyhost(src); 2595 r->dst = copyhost(dst); 2596 2597 if (peers && set_rule_peers(r, peers)) { 2598 ipsecctl_free_rule(r); 2599 goto errout; 2600 } 2601 2602 r->nr = ipsec->rule_nr++; 2603 if (ipsecctl_add_rule(ipsec, r)) 2604 goto out; 2605 if (group && add_sagroup(r)) 2606 goto out; 2607 2608 if (direction == IPSEC_INOUT) { 2609 /* Create and add reverse flow rule. */ 2610 revr = reverse_rule(r); 2611 if (revr == NULL) 2612 goto out; 2613 2614 revr->nr = ipsec->rule_nr++; 2615 if (ipsecctl_add_rule(ipsec, revr)) 2616 goto out; 2617 if (group && add_sagroup(revr)) 2618 goto out; 2619 } else if (spi != 0 || authkey || enckey) { 2620 /* Create and add reverse sa rule. */ 2621 revr = reverse_sa(r, spi, authkey, enckey); 2622 if (revr == NULL) 2623 goto out; 2624 2625 revr->nr = ipsec->rule_nr++; 2626 if (ipsecctl_add_rule(ipsec, revr)) 2627 goto out; 2628 if (group && add_sagroup(revr)) 2629 goto out; 2630 } 2631 added++; 2632 } 2633 } 2634 if (!added) 2635 yyerror("rule expands to no valid combination"); 2636 errout: 2637 ret = 0; 2638 ipsecctl_free_rule(rule); 2639 out: 2640 if (peers) { 2641 if (peers->src) 2642 free(peers->src); 2643 if (peers->dst) 2644 free(peers->dst); 2645 } 2646 return (ret); 2647} 2648 2649struct ipsec_rule * 2650reverse_rule(struct ipsec_rule *rule) 2651{ 2652 struct ipsec_rule *reverse; 2653 2654 reverse = calloc(1, sizeof(struct ipsec_rule)); 2655 if (reverse == NULL) 2656 err(1, "reverse_rule: calloc"); 2657 2658 reverse->type |= RULE_FLOW; 2659 2660 /* Reverse direction */ 2661 if (rule->direction == (u_int8_t)IPSEC_OUT) 2662 reverse->direction = (u_int8_t)IPSEC_IN; 2663 else 2664 reverse->direction = (u_int8_t)IPSEC_OUT; 2665 2666 reverse->flowtype = rule->flowtype; 2667 reverse->src = copyhost(rule->dst); 2668 reverse->dst = copyhost(rule->src); 2669 reverse->sport = rule->dport; 2670 reverse->dport = rule->sport; 2671 if (rule->local) 2672 reverse->local = copyhost(rule->local); 2673 if (rule->peer) 2674 reverse->peer = copyhost(rule->peer); 2675 reverse->satype = rule->satype; 2676 reverse->proto = rule->proto; 2677 2678 if (rule->auth) { 2679 reverse->auth = calloc(1, sizeof(struct ipsec_auth)); 2680 if (reverse->auth == NULL) 2681 err(1, "reverse_rule: calloc"); 2682 if (rule->auth->dstid && (reverse->auth->dstid = 2683 strdup(rule->auth->dstid)) == NULL) 2684 err(1, "reverse_rule: strdup"); 2685 if (rule->auth->srcid && (reverse->auth->srcid = 2686 strdup(rule->auth->srcid)) == NULL) 2687 err(1, "reverse_rule: strdup"); 2688 reverse->auth->srcid_type = rule->auth->srcid_type; 2689 reverse->auth->dstid_type = rule->auth->dstid_type; 2690 reverse->auth->type = rule->auth->type; 2691 } 2692 2693 return reverse; 2694} 2695 2696struct ipsec_rule * 2697create_ike(u_int8_t proto, struct ipsec_hosts *hosts, 2698 struct ike_mode *phase1mode, struct ike_mode *phase2mode, u_int8_t satype, 2699 u_int8_t tmode, u_int8_t mode, char *srcid, char *dstid, 2700 struct ike_auth *authtype, char *tag) 2701{ 2702 struct ipsec_rule *r; 2703 2704 r = calloc(1, sizeof(struct ipsec_rule)); 2705 if (r == NULL) 2706 err(1, "create_ike: calloc"); 2707 2708 r->type = RULE_IKE; 2709 2710 r->proto = proto; 2711 r->src = hosts->src; 2712 r->sport = hosts->sport; 2713 r->dst = hosts->dst; 2714 r->dport = hosts->dport; 2715 if ((hosts->sport != 0 || hosts->dport != 0) && 2716 (proto != IPPROTO_TCP && proto != IPPROTO_UDP)) { 2717 yyerror("no protocol supplied with source/destination ports"); 2718 goto errout; 2719 } 2720 2721 r->satype = satype; 2722 r->tmode = tmode; 2723 r->ikemode = mode; 2724 if (phase1mode) { 2725 r->p1xfs = phase1mode->xfs; 2726 r->p1life = phase1mode->life; 2727 r->p1ie = phase1mode->ike_exch; 2728 } else { 2729 r->p1ie = IKE_MM; 2730 } 2731 if (phase2mode) { 2732 if (phase2mode->xfs && phase2mode->xfs->encxf && 2733 phase2mode->xfs->encxf->noauth && 2734 phase2mode->xfs->authxf) { 2735 yyerror("authentication is implicit for %s", 2736 phase2mode->xfs->encxf->name); 2737 goto errout; 2738 } 2739 r->p2xfs = phase2mode->xfs; 2740 r->p2life = phase2mode->life; 2741 r->p2ie = phase2mode->ike_exch; 2742 } else { 2743 r->p2ie = IKE_QM; 2744 } 2745 2746 r->auth = calloc(1, sizeof(struct ipsec_auth)); 2747 if (r->auth == NULL) 2748 err(1, "create_ike: calloc"); 2749 r->auth->srcid = srcid; 2750 r->auth->dstid = dstid; 2751 r->auth->srcid_type = get_id_type(srcid); 2752 r->auth->dstid_type = get_id_type(dstid); 2753 r->ikeauth = calloc(1, sizeof(struct ike_auth)); 2754 if (r->ikeauth == NULL) 2755 err(1, "create_ike: calloc"); 2756 r->ikeauth->type = authtype->type; 2757 r->ikeauth->string = authtype->string; 2758 r->tag = tag; 2759 2760 return (r); 2761 2762errout: 2763 free(r); 2764 free(hosts->src); 2765 hosts->src = NULL; 2766 free(hosts->dst); 2767 hosts->dst = NULL; 2768 if (phase1mode) { 2769 free(phase1mode->xfs); 2770 phase1mode->xfs = NULL; 2771 free(phase1mode->life); 2772 phase1mode->life = NULL; 2773 } 2774 if (phase2mode) { 2775 free(phase2mode->xfs); 2776 phase2mode->xfs = NULL; 2777 free(phase2mode->life); 2778 phase2mode->life = NULL; 2779 } 2780 if (srcid) 2781 free(srcid); 2782 if (dstid) 2783 free(dstid); 2784 return NULL; 2785} 2786