conf.c revision 1.104
1/* $OpenBSD: conf.c,v 1.104 2015/08/20 22:02:21 deraadt Exp $ */ 2/* $EOM: conf.c,v 1.48 2000/12/04 02:04:29 angelos Exp $ */ 3 4/* 5 * Copyright (c) 1998, 1999, 2000, 2001 Niklas Hallqvist. All rights reserved. 6 * Copyright (c) 2000, 2001, 2002 H�kan Olsson. All rights reserved. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 1. Redistributions of source code must retain the above copyright 12 * notice, this list of conditions and the following disclaimer. 13 * 2. Redistributions in binary form must reproduce the above copyright 14 * notice, this list of conditions and the following disclaimer in the 15 * documentation and/or other materials provided with the distribution. 16 * 17 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 18 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 19 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 20 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 21 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 22 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 23 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 24 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 25 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 26 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 27 */ 28 29/* 30 * This code was written under funding by Ericsson Radio Systems. 31 */ 32 33#include <sys/types.h> 34#include <sys/mman.h> 35#include <sys/queue.h> 36#include <sys/socket.h> 37#include <sys/stat.h> 38#include <netinet/in.h> 39#include <arpa/inet.h> 40#include <ctype.h> 41#include <fcntl.h> 42#include <stdio.h> 43#include <stdlib.h> 44#include <string.h> 45#include <unistd.h> 46#include <errno.h> 47 48#include "app.h" 49#include "conf.h" 50#include "log.h" 51#include "monitor.h" 52#include "util.h" 53 54static char *conf_get_trans_str(int, char *, char *); 55static void conf_load_defaults(int); 56#if 0 57static int conf_find_trans_xf(int, char *); 58#endif 59 60struct conf_trans { 61 TAILQ_ENTRY(conf_trans) link; 62 int trans; 63 enum conf_op { 64 CONF_SET, CONF_REMOVE, CONF_REMOVE_SECTION 65 } op; 66 char *section; 67 char *tag; 68 char *value; 69 int override; 70 int is_default; 71}; 72 73#define CONF_SECT_MAX 256 74 75TAILQ_HEAD(conf_trans_head, conf_trans) conf_trans_queue; 76 77struct conf_binding { 78 LIST_ENTRY(conf_binding) link; 79 char *section; 80 char *tag; 81 char *value; 82 int is_default; 83}; 84 85char *conf_path = CONFIG_FILE; 86LIST_HEAD(conf_bindings, conf_binding) conf_bindings[256]; 87 88static char *conf_addr; 89static __inline__ u_int8_t 90conf_hash(char *s) 91{ 92 u_int8_t hash = 0; 93 94 while (*s) { 95 hash = ((hash << 1) | (hash >> 7)) ^ tolower((unsigned char)*s); 96 s++; 97 } 98 return hash; 99} 100 101/* 102 * Insert a tag-value combination from LINE (the equal sign is at POS) 103 */ 104static int 105conf_remove_now(char *section, char *tag) 106{ 107 struct conf_binding *cb, *next; 108 109 for (cb = LIST_FIRST(&conf_bindings[conf_hash(section)]); cb; 110 cb = next) { 111 next = LIST_NEXT(cb, link); 112 if (strcasecmp(cb->section, section) == 0 && 113 strcasecmp(cb->tag, tag) == 0) { 114 LIST_REMOVE(cb, link); 115 LOG_DBG((LOG_MISC, 95, "[%s]:%s->%s removed", section, 116 tag, cb->value)); 117 free(cb->section); 118 free(cb->tag); 119 free(cb->value); 120 free(cb); 121 return 0; 122 } 123 } 124 return 1; 125} 126 127static int 128conf_remove_section_now(char *section) 129{ 130 struct conf_binding *cb, *next; 131 int unseen = 1; 132 133 for (cb = LIST_FIRST(&conf_bindings[conf_hash(section)]); cb; 134 cb = next) { 135 next = LIST_NEXT(cb, link); 136 if (strcasecmp(cb->section, section) == 0) { 137 unseen = 0; 138 LIST_REMOVE(cb, link); 139 LOG_DBG((LOG_MISC, 95, "[%s]:%s->%s removed", section, 140 cb->tag, cb->value)); 141 free(cb->section); 142 free(cb->tag); 143 free(cb->value); 144 free(cb); 145 } 146 } 147 return unseen; 148} 149 150/* 151 * Insert a tag-value combination from LINE (the equal sign is at POS) 152 * into SECTION of our configuration database. 153 */ 154static int 155conf_set_now(char *section, char *tag, char *value, int override, 156 int is_default) 157{ 158 struct conf_binding *node = 0; 159 160 if (override) 161 conf_remove_now(section, tag); 162 else if (conf_get_str(section, tag)) { 163 if (!is_default) 164 log_print("conf_set_now: duplicate tag [%s]:%s, " 165 "ignoring...\n", section, tag); 166 return 1; 167 } 168 node = calloc(1, sizeof *node); 169 if (!node) { 170 log_error("conf_set_now: calloc (1, %lu) failed", 171 (unsigned long)sizeof *node); 172 return 1; 173 } 174 node->section = node->tag = node->value = NULL; 175 if ((node->section = strdup(section)) == NULL) 176 goto fail; 177 if ((node->tag = strdup(tag)) == NULL) 178 goto fail; 179 if ((node->value = strdup(value)) == NULL) 180 goto fail; 181 node->is_default = is_default; 182 183 LIST_INSERT_HEAD(&conf_bindings[conf_hash(section)], node, link); 184 LOG_DBG((LOG_MISC, 95, "conf_set_now: [%s]:%s->%s", node->section, 185 node->tag, node->value)); 186 return 0; 187fail: 188 free(node->value); 189 free(node->tag); 190 free(node->section); 191 free(node); 192 return 1; 193} 194 195/* 196 * Parse the line LINE of SZ bytes. Skip Comments, recognize section 197 * headers and feed tag-value pairs into our configuration database. 198 */ 199static void 200conf_parse_line(int trans, char *line, int ln, size_t sz) 201{ 202 char *val; 203 size_t i; 204 int j; 205 static char *section = 0; 206 207 /* Lines starting with '#' or ';' are comments. */ 208 if (*line == '#' || *line == ';') 209 return; 210 211 /* '[section]' parsing... */ 212 if (*line == '[') { 213 for (i = 1; i < sz; i++) 214 if (line[i] == ']') 215 break; 216 free(section); 217 if (i == sz) { 218 log_print("conf_parse_line: %d:" 219 "unmatched ']', ignoring until next section", ln); 220 section = 0; 221 return; 222 } 223 section = malloc(i); 224 if (!section) { 225 log_print("conf_parse_line: %d: malloc (%lu) failed", 226 ln, (unsigned long)i); 227 return; 228 } 229 strlcpy(section, line + 1, i); 230 return; 231 } 232 /* Deal with assignments. */ 233 for (i = 0; i < sz; i++) 234 if (line[i] == '=') { 235 /* If no section, we are ignoring the lines. */ 236 if (!section) { 237 log_print("conf_parse_line: %d: ignoring line " 238 "due to no section", ln); 239 return; 240 } 241 line[strcspn(line, " \t=")] = '\0'; 242 val = line + i + 1 + strspn(line + i + 1, " \t"); 243 /* Skip trailing whitespace, if any */ 244 for (j = sz - (val - line) - 1; j > 0 && 245 isspace((unsigned char)val[j]); j--) 246 val[j] = '\0'; 247 /* XXX Perhaps should we not ignore errors? */ 248 conf_set(trans, section, line, val, 0, 0); 249 return; 250 } 251 /* Other non-empty lines are weird. */ 252 i = strspn(line, " \t"); 253 if (line[i]) 254 log_print("conf_parse_line: %d: syntax error", ln); 255} 256 257/* Parse the mapped configuration file. */ 258static void 259conf_parse(int trans, char *buf, size_t sz) 260{ 261 char *cp = buf; 262 char *bufend = buf + sz; 263 char *line; 264 int ln = 1; 265 266 line = cp; 267 while (cp < bufend) { 268 if (*cp == '\n') { 269 /* Check for escaped newlines. */ 270 if (cp > buf && *(cp - 1) == '\\') 271 *(cp - 1) = *cp = ' '; 272 else { 273 *cp = '\0'; 274 conf_parse_line(trans, line, ln, cp - line); 275 line = cp + 1; 276 } 277 ln++; 278 } 279 cp++; 280 } 281 if (cp != line) 282 log_print("conf_parse: last line unterminated, ignored."); 283} 284 285/* 286 * Auto-generate default configuration values for the transforms and 287 * suites the user wants. 288 * 289 * Resulting section names can be: 290 * For main mode: 291 * {DES,BLF,3DES,CAST,AES,AES-{128,192,256}-{MD5,SHA,SHA2-{256,384,512}} \ 292 * [-GRP{1,2,5,14,15}][-{DSS,RSA_SIG}] 293 * For quick mode: 294 * QM-{proto}[-TRP]-{cipher}[-{hash}][-PFS[-{group}]]-SUITE 295 * where 296 * {proto} = ESP, AH 297 * {cipher} = DES, 3DES, CAST, BLF, AES, AES-{128,192,256}, AESCTR 298 * {hash} = MD5, SHA, RIPEMD, SHA2-{256,384,512} 299 * {group} = GRP1, GRP2, GRP5, GRP14, GRP15 300 * 301 * DH group defaults to MODP_1024. 302 * 303 * XXX We may want to support USE_TRIPLEDES, etc... 304 * XXX No EC2N DH support here yet. 305 */ 306 307/* Find the value for a section+tag in the transaction list. */ 308static char * 309conf_get_trans_str(int trans, char *section, char *tag) 310{ 311 struct conf_trans *node, *nf = 0; 312 313 for (node = TAILQ_FIRST(&conf_trans_queue); node; 314 node = TAILQ_NEXT(node, link)) 315 if (node->trans == trans && strcasecmp(section, node->section) 316 == 0 && strcasecmp(tag, node->tag) == 0) { 317 if (!nf) 318 nf = node; 319 else if (node->override) 320 nf = node; 321 } 322 return nf ? nf->value : 0; 323} 324 325#if 0 326/* XXX Currently unused. */ 327static int 328conf_find_trans_xf(int phase, char *xf) 329{ 330 struct conf_trans *node; 331 char *p; 332 333 /* Find the relevant transforms and suites, if any. */ 334 for (node = TAILQ_FIRST(&conf_trans_queue); node; 335 node = TAILQ_NEXT(node, link)) 336 if ((phase == 1 && strcmp("Transforms", node->tag) == 0) || 337 (phase == 2 && strcmp("Suites", node->tag) == 0)) { 338 p = node->value; 339 while ((p = strstr(p, xf)) != NULL) 340 if (*(p + strlen(p)) && 341 *(p + strlen(p)) != ',') 342 p += strlen(p); 343 else 344 return 1; 345 } 346 return 0; 347} 348#endif 349 350static void 351conf_load_defaults_mm(int tr, char *mme, char *mmh, char *mma, char *dhg, 352 char *mme_p, char *mma_p, char *dhg_p, char *mmh_p) 353{ 354 char sect[CONF_SECT_MAX]; 355 356 snprintf(sect, sizeof sect, "%s%s%s%s", mme_p, mmh_p, dhg_p, mma_p); 357 358 LOG_DBG((LOG_MISC, 95, "conf_load_defaults_mm: main mode %s", sect)); 359 360 conf_set(tr, sect, "ENCRYPTION_ALGORITHM", mme, 0, 1); 361 if (strcmp(mme, "BLOWFISH_CBC") == 0) 362 conf_set(tr, sect, "KEY_LENGTH", CONF_DFLT_VAL_BLF_KEYLEN, 0, 363 1); 364 else if (strcmp(mme_p, "AES-128") == 0) 365 conf_set(tr, sect, "KEY_LENGTH", "128,128:128", 0, 1); 366 else if (strcmp(mme_p, "AES-192") == 0) 367 conf_set(tr, sect, "KEY_LENGTH", "192,192:192", 0, 1); 368 else if (strcmp(mme_p, "AES-256") == 0) 369 conf_set(tr, sect, "KEY_LENGTH", "256,256:256", 0, 1); 370 else if (strcmp(mme, "AES_CBC") == 0) 371 conf_set(tr, sect, "KEY_LENGTH", CONF_DFLT_VAL_AES_KEYLEN, 0, 372 1); 373 374 conf_set(tr, sect, "HASH_ALGORITHM", mmh, 0, 1); 375 conf_set(tr, sect, "AUTHENTICATION_METHOD", mma, 0, 1); 376 conf_set(tr, sect, "GROUP_DESCRIPTION", dhg, 0, 1); 377 conf_set(tr, sect, "Life", CONF_DFLT_TAG_LIFE_MAIN_MODE, 0, 1); 378} 379 380static void 381conf_load_defaults_qm(int tr, char *qme, char *qmh, char *dhg, char *qme_p, 382 char *qmh_p, char *qm_ah_id, char *dhg_p, int proto, int mode, int pfs) 383{ 384 char sect[CONF_SECT_MAX], tmp[CONF_SECT_MAX]; 385 386 /* Helper #defines, incl abbreviations. */ 387#define PROTO(x) ((x) ? "AH" : "ESP") 388#define PFS(x) ((x) ? "-PFS" : "") 389#define MODE(x) ((x) ? "TRANSPORT" : "TUNNEL") 390#define MODE_p(x) ((x) ? "-TRP" : "") 391 392 /* For AH a hash must be present and no encryption is allowed */ 393 if (proto == 1 && (strcmp(qmh, "NONE") == 0 || 394 strcmp(qme, "NONE") != 0)) 395 return; 396 397 /* For ESP encryption must be provided, an empty hash is ok. */ 398 if (proto == 0 && strcmp(qme, "NONE") == 0) 399 return; 400 401 /* When PFS is disabled no DH group must be specified. */ 402 if (pfs == 0 && strcmp(dhg_p, "")) 403 return; 404 405 /* For GCM no additional authentication must be specified */ 406 if (proto == 0 && strcmp(qmh, "NONE") != 0 && 407 (strcmp(qme, "AES_GCM_16") == 0 || strcmp(qme, "AES_GMAC") == 0)) 408 return; 409 410 snprintf(tmp, sizeof tmp, "QM-%s%s%s%s%s%s", PROTO(proto), 411 MODE_p(mode), qme_p, qmh_p, PFS(pfs), dhg_p); 412 413 strlcpy(sect, tmp, CONF_SECT_MAX); 414 strlcat(sect, "-SUITE", CONF_SECT_MAX); 415 416 LOG_DBG((LOG_MISC, 95, "conf_load_defaults_qm: quick mode %s", sect)); 417 418 conf_set(tr, sect, "Protocols", tmp, 0, 1); 419 snprintf(sect, sizeof sect, "IPSEC_%s", PROTO(proto)); 420 conf_set(tr, tmp, "PROTOCOL_ID", sect, 0, 1); 421 strlcpy(sect, tmp, CONF_SECT_MAX); 422 strlcat(sect, "-XF", CONF_SECT_MAX); 423 conf_set(tr, tmp, "Transforms", sect, 0, 1); 424 425 /* 426 * XXX For now, defaults 427 * contain one xf per protocol. 428 */ 429 if (proto == 0) 430 conf_set(tr, sect, "TRANSFORM_ID", qme, 0, 1); 431 else 432 conf_set(tr, sect, "TRANSFORM_ID", qm_ah_id, 0, 1); 433 if (strcmp(qme ,"BLOWFISH") == 0) 434 conf_set(tr, sect, "KEY_LENGTH", CONF_DFLT_VAL_BLF_KEYLEN, 0, 435 1); 436 else if (strcmp(qme_p, "-AES-128") == 0 || 437 strcmp(qme_p, "-AESCTR-128") == 0 || 438 strcmp(qme_p, "-AESGCM-128") == 0 || 439 strcmp(qme_p, "-AESGMAC-128") == 0) 440 conf_set(tr, sect, "KEY_LENGTH", "128,128:128", 0, 1); 441 else if (strcmp(qme_p, "-AES-192") == 0 || 442 strcmp(qme_p, "-AESCTR-192") == 0 || 443 strcmp(qme_p, "-AESGCM-192") == 0 || 444 strcmp(qme_p, "-AESGMAC-192") == 0) 445 conf_set(tr, sect, "KEY_LENGTH", "192,192:192", 0, 1); 446 else if (strcmp(qme_p, "-AES-256") == 0 || 447 strcmp(qme_p, "-AESCTR-256") == 0 || 448 strcmp(qme_p, "-AESGCM-256") == 0 || 449 strcmp(qme_p, "-AESGMAC-256") == 0) 450 conf_set(tr, sect, "KEY_LENGTH", "256,256:256", 0, 1); 451 else if (strcmp(qme, "AES") == 0) 452 conf_set(tr, sect, "KEY_LENGTH", CONF_DFLT_VAL_AES_KEYLEN, 0, 453 1); 454 455 conf_set(tr, sect, "ENCAPSULATION_MODE", MODE(mode), 0, 1); 456 if (strcmp(qmh, "NONE")) { 457 conf_set(tr, sect, "AUTHENTICATION_ALGORITHM", qmh, 0, 1); 458 459 /* XXX Another shortcut to keep length down */ 460 if (pfs) 461 conf_set(tr, sect, "GROUP_DESCRIPTION", dhg, 0, 1); 462 } 463 464 /* XXX Lifetimes depending on enc/auth strength? */ 465 conf_set(tr, sect, "Life", CONF_DFLT_TAG_LIFE_QUICK_MODE, 0, 1); 466} 467 468static void 469conf_load_defaults(int tr) 470{ 471 int enc, auth, hash, group, proto, mode, pfs; 472 char *dflt; 473 474 char *mm_auth[] = {"PRE_SHARED", "DSS", "RSA_SIG", 0}; 475 char *mm_auth_p[] = {"", "-DSS", "-RSA_SIG", 0}; 476 char *mm_hash[] = {"MD5", "SHA", "SHA2_256", "SHA2_384", "SHA2_512", 477 0}; 478 char *mm_hash_p[] = {"-MD5", "-SHA", "-SHA2-256", "-SHA2-384", 479 "-SHA2-512", "", 0 }; 480 char *mm_enc[] = {"DES_CBC", "BLOWFISH_CBC", "3DES_CBC", "CAST_CBC", 481 "AES_CBC", "AES_CBC", "AES_CBC", "AES_CBC", 0}; 482 char *mm_enc_p[] = {"DES", "BLF", "3DES", "CAST", "AES", "AES-128", 483 "AES-192", "AES-256", 0}; 484 char *dhgroup[] = {"MODP_1024", "MODP_768", "MODP_1024", 485 "MODP_1536", "MODP_2048", "MODP_3072", "MODP_4096", 486 "MODP_6144", "MODP_8192", 0}; 487 char *dhgroup_p[] = {"", "-GRP1", "-GRP2", "-GRP5", "-GRP14", 488 "-GRP15", "-GRP16", "-GRP17", "-GRP18", 0}; 489 char *qm_enc[] = {"DES", "3DES", "CAST", "BLOWFISH", "AES", 490 "AES", "AES", "AES", "AES_CTR", "AES_CTR", "AES_CTR", 491 "AES_CTR", "AES_GCM_16", 492 "AES_GCM_16", "AES_GCM_16", "AES_GMAC", "AES_GMAC", 493 "AES_GMAC", "NULL", "NONE", 0}; 494 char *qm_enc_p[] = {"-DES", "-3DES", "-CAST", "-BLF", "-AES", 495 "-AES-128", "-AES-192", "-AES-256", "-AESCTR", 496 "-AESCTR-128", "-AESCTR-192", "-AESCTR-256", 497 "-AESGCM-128", "-AESGCM-192", "-AESGCM-256", 498 "-AESGMAC-128", "-AESGMAC-192", "-AESGMAC-256", "-NULL", 499 "", 0}; 500 char *qm_hash[] = {"HMAC_MD5", "HMAC_SHA", "HMAC_RIPEMD", 501 "HMAC_SHA2_256", "HMAC_SHA2_384", "HMAC_SHA2_512", "NONE", 502 0}; 503 char *qm_hash_p[] = {"-MD5", "-SHA", "-RIPEMD", "-SHA2-256", 504 "-SHA2-384", "-SHA2-512", "", 0}; 505 char *qm_ah_id[] = {"MD5", "SHA", "RIPEMD", "SHA2_256", "SHA2_384", 506 "SHA2_512", "", 0}; 507 508 /* General and X509 defaults */ 509 conf_set(tr, "General", "Retransmits", CONF_DFLT_RETRANSMITS, 0, 1); 510 conf_set(tr, "General", "Exchange-max-time", CONF_DFLT_EXCH_MAX_TIME, 511 0, 1); 512 conf_set(tr, "General", "Use-Keynote", CONF_DFLT_USE_KEYNOTE, 0, 1); 513 conf_set(tr, "General", "Policy-file", CONF_DFLT_POLICY_FILE, 0, 1); 514 conf_set(tr, "General", "Pubkey-directory", CONF_DFLT_PUBKEY_DIR, 0, 515 1); 516 517 conf_set(tr, "X509-certificates", "CA-directory", 518 CONF_DFLT_X509_CA_DIR, 0, 1); 519 conf_set(tr, "X509-certificates", "Cert-directory", 520 CONF_DFLT_X509_CERT_DIR, 0, 1); 521 conf_set(tr, "X509-certificates", "Private-key", 522 CONF_DFLT_X509_PRIVATE_KEY, 0, 1); 523 conf_set(tr, "X509-certificates", "Private-key-directory", 524 CONF_DFLT_X509_PRIVATE_KEY_DIR, 0, 1); 525 conf_set(tr, "X509-certificates", "CRL-directory", 526 CONF_DFLT_X509_CRL_DIR, 0, 1); 527 528 conf_set(tr, "KeyNote", "Credential-directory", 529 CONF_DFLT_KEYNOTE_CRED_DIR, 0, 1); 530 531 conf_set(tr, "General", "Delete-SAs", CONF_DFLT_DELETE_SAS, 0, 1); 532 533 /* Lifetimes. XXX p1/p2 vs main/quick mode may be unclear. */ 534 dflt = conf_get_trans_str(tr, "General", "Default-phase-1-lifetime"); 535 conf_set(tr, CONF_DFLT_TAG_LIFE_MAIN_MODE, "LIFE_TYPE", 536 CONF_DFLT_TYPE_LIFE_MAIN_MODE, 0, 1); 537 conf_set(tr, CONF_DFLT_TAG_LIFE_MAIN_MODE, "LIFE_DURATION", 538 (dflt ? dflt : CONF_DFLT_VAL_LIFE_MAIN_MODE), 0, 1); 539 540 dflt = conf_get_trans_str(tr, "General", "Default-phase-2-lifetime"); 541 conf_set(tr, CONF_DFLT_TAG_LIFE_QUICK_MODE, "LIFE_TYPE", 542 CONF_DFLT_TYPE_LIFE_QUICK_MODE, 0, 1); 543 conf_set(tr, CONF_DFLT_TAG_LIFE_QUICK_MODE, "LIFE_DURATION", 544 (dflt ? dflt : CONF_DFLT_VAL_LIFE_QUICK_MODE), 0, 1); 545 546 /* Default Phase-1 Configuration section */ 547 conf_set(tr, CONF_DFLT_TAG_PHASE1_CONFIG, "EXCHANGE_TYPE", 548 CONF_DFLT_PHASE1_EXCH_TYPE, 0, 1); 549 conf_set(tr, CONF_DFLT_TAG_PHASE1_CONFIG, "Transforms", 550 CONF_DFLT_PHASE1_TRANSFORMS, 0, 1); 551 552 /* Main modes */ 553 for (enc = 0; mm_enc[enc]; enc++) 554 for (hash = 0; mm_hash[hash]; hash++) 555 for (auth = 0; mm_auth[auth]; auth++) 556 for (group = 0; dhgroup_p[group]; group++) 557 conf_load_defaults_mm (tr, mm_enc[enc], 558 mm_hash[hash], mm_auth[auth], 559 dhgroup[group], mm_enc_p[enc], 560 mm_auth_p[auth], dhgroup_p[group], 561 mm_hash_p[hash]); 562 563 /* Setup a default Phase 1 entry */ 564 conf_set(tr, "Phase 1", "Default", "Default-phase-1", 0, 1); 565 conf_set(tr, "Default-phase-1", "Phase", "1", 0, 1); 566 conf_set(tr, "Default-phase-1", "Configuration", 567 "Default-phase-1-configuration", 0, 1); 568 dflt = conf_get_trans_str(tr, "General", "Default-phase-1-ID"); 569 if (dflt) 570 conf_set(tr, "Default-phase-1", "ID", dflt, 0, 1); 571 572 /* Quick modes */ 573 for (enc = 0; qm_enc[enc]; enc++) 574 for (proto = 0; proto < 2; proto++) 575 for (mode = 0; mode < 2; mode++) 576 for (pfs = 0; pfs < 2; pfs++) 577 for (hash = 0; qm_hash[hash]; hash++) 578 for (group = 0; 579 dhgroup_p[group]; group++) 580 conf_load_defaults_qm( 581 tr, qm_enc[enc], 582 qm_hash[hash], 583 dhgroup[group], 584 qm_enc_p[enc], 585 qm_hash_p[hash], 586 qm_ah_id[hash], 587 dhgroup_p[group], 588 proto, mode, pfs); 589} 590 591void 592conf_init(void) 593{ 594 unsigned int i; 595 596 for (i = 0; i < sizeof conf_bindings / sizeof conf_bindings[0]; i++) 597 LIST_INIT(&conf_bindings[i]); 598 TAILQ_INIT(&conf_trans_queue); 599 conf_reinit(); 600} 601 602/* Open the config file and map it into our address space, then parse it. */ 603void 604conf_reinit(void) 605{ 606 struct conf_binding *cb = 0; 607 int fd, trans; 608 unsigned int i; 609 size_t sz; 610 char *new_conf_addr = 0; 611 612 fd = monitor_open(conf_path, O_RDONLY, 0); 613 if (fd == -1 || check_file_secrecy_fd(fd, conf_path, &sz) == -1) { 614 if (fd == -1 && errno != ENOENT) 615 log_error("conf_reinit: open(\"%s\", O_RDONLY, 0) " 616 "failed", conf_path); 617 if (fd != -1) 618 close(fd); 619 620 trans = conf_begin(); 621 } else { 622 new_conf_addr = malloc(sz); 623 if (!new_conf_addr) { 624 log_error("conf_reinit: malloc (%lu) failed", 625 (unsigned long)sz); 626 goto fail; 627 } 628 /* XXX I assume short reads won't happen here. */ 629 if (read(fd, new_conf_addr, sz) != (int)sz) { 630 log_error("conf_reinit: read (%d, %p, %lu) failed", 631 fd, new_conf_addr, (unsigned long)sz); 632 goto fail; 633 } 634 close(fd); 635 636 trans = conf_begin(); 637 638 /* XXX Should we not care about errors and rollback? */ 639 conf_parse(trans, new_conf_addr, sz); 640 } 641 642 /* Load default configuration values. */ 643 conf_load_defaults(trans); 644 645 /* Free potential existing configuration. */ 646 if (conf_addr) { 647 for (i = 0; i < sizeof conf_bindings / sizeof conf_bindings[0]; 648 i++) 649 for (cb = LIST_FIRST(&conf_bindings[i]); cb; 650 cb = LIST_FIRST(&conf_bindings[i])) 651 conf_remove_now(cb->section, cb->tag); 652 free(conf_addr); 653 } 654 conf_end(trans, 1); 655 conf_addr = new_conf_addr; 656 return; 657 658fail: 659 free(new_conf_addr); 660 close(fd); 661} 662 663/* 664 * Return the numeric value denoted by TAG in section SECTION or DEF 665 * if that tag does not exist. 666 */ 667int 668conf_get_num(char *section, char *tag, int def) 669{ 670 char *value = conf_get_str(section, tag); 671 672 if (value) 673 return atoi(value); 674 return def; 675} 676 677/* 678 * Return the socket endpoint address denoted by TAG in SECTION as a 679 * struct sockaddr. It is the callers responsibility to deallocate 680 * this structure when it is finished with it. 681 */ 682struct sockaddr * 683conf_get_address(char *section, char *tag) 684{ 685 char *value = conf_get_str(section, tag); 686 struct sockaddr *sa; 687 688 if (!value) 689 return 0; 690 if (text2sockaddr(value, 0, &sa, 0, 0) == -1) 691 return 0; 692 return sa; 693} 694 695/* Validate X according to the range denoted by TAG in section SECTION. */ 696int 697conf_match_num(char *section, char *tag, int x) 698{ 699 char *value = conf_get_str(section, tag); 700 int val, min, max, n; 701 702 if (!value) 703 return 0; 704 n = sscanf(value, "%d,%d:%d", &val, &min, &max); 705 switch (n) { 706 case 1: 707 LOG_DBG((LOG_MISC, 95, "conf_match_num: %s:%s %d==%d?", 708 section, tag, val, x)); 709 return x == val; 710 case 3: 711 LOG_DBG((LOG_MISC, 95, "conf_match_num: %s:%s %d<=%d<=%d?", 712 section, tag, min, x, max)); 713 return min <= x && max >= x; 714 default: 715 log_error("conf_match_num: section %s tag %s: invalid number " 716 "spec %s", section, tag, value); 717 } 718 return 0; 719} 720 721/* Return the string value denoted by TAG in section SECTION. */ 722char * 723conf_get_str(char *section, char *tag) 724{ 725 struct conf_binding *cb; 726 727 for (cb = LIST_FIRST(&conf_bindings[conf_hash(section)]); cb; 728 cb = LIST_NEXT(cb, link)) 729 if (strcasecmp(section, cb->section) == 0 && 730 strcasecmp(tag, cb->tag) == 0) { 731 LOG_DBG((LOG_MISC, 95, "conf_get_str: [%s]:%s->%s", 732 section, tag, cb->value)); 733 return cb->value; 734 } 735 LOG_DBG((LOG_MISC, 95, 736 "conf_get_str: configuration value not found [%s]:%s", section, 737 tag)); 738 return 0; 739} 740 741/* 742 * Build a list of string values out of the comma separated value denoted by 743 * TAG in SECTION. 744 */ 745struct conf_list * 746conf_get_list(char *section, char *tag) 747{ 748 char *liststr = 0, *p, *field, *t; 749 struct conf_list *list = 0; 750 struct conf_list_node *node = 0; 751 752 list = malloc(sizeof *list); 753 if (!list) 754 goto cleanup; 755 TAILQ_INIT(&list->fields); 756 list->cnt = 0; 757 liststr = conf_get_str(section, tag); 758 if (!liststr) 759 goto cleanup; 760 liststr = strdup(liststr); 761 if (!liststr) 762 goto cleanup; 763 p = liststr; 764 while ((field = strsep(&p, ",")) != NULL) { 765 /* Skip leading whitespace */ 766 while (isspace((unsigned char)*field)) 767 field++; 768 /* Skip trailing whitespace */ 769 if (p) 770 for (t = p - 1; t > field && isspace((unsigned char)*t); t--) 771 *t = '\0'; 772 if (*field == '\0') { 773 log_print("conf_get_list: empty field, ignoring..."); 774 continue; 775 } 776 list->cnt++; 777 node = calloc(1, sizeof *node); 778 if (!node) 779 goto cleanup; 780 node->field = strdup(field); 781 if (!node->field) 782 goto cleanup; 783 TAILQ_INSERT_TAIL(&list->fields, node, link); 784 } 785 free(liststr); 786 return list; 787 788cleanup: 789 free(node); 790 if (list) 791 conf_free_list(list); 792 free(liststr); 793 return 0; 794} 795 796struct conf_list * 797conf_get_tag_list(char *section) 798{ 799 struct conf_list *list = 0; 800 struct conf_list_node *node = 0; 801 struct conf_binding *cb; 802 803 list = malloc(sizeof *list); 804 if (!list) 805 goto cleanup; 806 TAILQ_INIT(&list->fields); 807 list->cnt = 0; 808 for (cb = LIST_FIRST(&conf_bindings[conf_hash(section)]); cb; 809 cb = LIST_NEXT(cb, link)) 810 if (strcasecmp(section, cb->section) == 0) { 811 list->cnt++; 812 node = calloc(1, sizeof *node); 813 if (!node) 814 goto cleanup; 815 node->field = strdup(cb->tag); 816 if (!node->field) 817 goto cleanup; 818 TAILQ_INSERT_TAIL(&list->fields, node, link); 819 } 820 return list; 821 822cleanup: 823 free(node); 824 if (list) 825 conf_free_list(list); 826 return 0; 827} 828 829void 830conf_free_list(struct conf_list *list) 831{ 832 struct conf_list_node *node = TAILQ_FIRST(&list->fields); 833 834 while (node) { 835 TAILQ_REMOVE(&list->fields, node, link); 836 free(node->field); 837 free(node); 838 node = TAILQ_FIRST(&list->fields); 839 } 840 free(list); 841} 842 843int 844conf_begin(void) 845{ 846 static int seq = 0; 847 848 return ++seq; 849} 850 851static int 852conf_trans_node(int transaction, enum conf_op op, char *section, char *tag, 853 char *value, int override, int is_default) 854{ 855 struct conf_trans *node; 856 857 node = calloc(1, sizeof *node); 858 if (!node) { 859 log_error("conf_trans_node: calloc (1, %lu) failed", 860 (unsigned long)sizeof *node); 861 return 1; 862 } 863 node->trans = transaction; 864 node->op = op; 865 node->override = override; 866 node->is_default = is_default; 867 if (section && (node->section = strdup(section)) == NULL) 868 goto fail; 869 if (tag && (node->tag = strdup(tag)) == NULL) 870 goto fail; 871 if (value && (node->value = strdup(value)) == NULL) 872 goto fail; 873 TAILQ_INSERT_TAIL(&conf_trans_queue, node, link); 874 return 0; 875 876fail: 877 free(node->section); 878 free(node->tag); 879 free(node->value); 880 free(node); 881 return 1; 882} 883 884/* Queue a set operation. */ 885int 886conf_set(int transaction, char *section, char *tag, char *value, int override, 887 int is_default) 888{ 889 return conf_trans_node(transaction, CONF_SET, section, tag, value, 890 override, is_default); 891} 892 893/* Queue a remove operation. */ 894int 895conf_remove(int transaction, char *section, char *tag) 896{ 897 return conf_trans_node(transaction, CONF_REMOVE, section, tag, NULL, 898 0, 0); 899} 900 901/* Queue a remove section operation. */ 902int 903conf_remove_section(int transaction, char *section) 904{ 905 return conf_trans_node(transaction, CONF_REMOVE_SECTION, section, NULL, 906 NULL, 0, 0); 907} 908 909/* Execute all queued operations for this transaction. Cleanup. */ 910int 911conf_end(int transaction, int commit) 912{ 913 struct conf_trans *node, *next; 914 915 for (node = TAILQ_FIRST(&conf_trans_queue); node; node = next) { 916 next = TAILQ_NEXT(node, link); 917 if (node->trans == transaction) { 918 if (commit) 919 switch (node->op) { 920 case CONF_SET: 921 conf_set_now(node->section, node->tag, 922 node->value, node->override, 923 node->is_default); 924 break; 925 case CONF_REMOVE: 926 conf_remove_now(node->section, 927 node->tag); 928 break; 929 case CONF_REMOVE_SECTION: 930 conf_remove_section_now(node->section); 931 break; 932 default: 933 log_print("conf_end: unknown " 934 "operation: %d", node->op); 935 } 936 TAILQ_REMOVE(&conf_trans_queue, node, link); 937 free(node->section); 938 free(node->tag); 939 free(node->value); 940 free(node); 941 } 942 } 943 return 0; 944} 945 946/* 947 * Dump running configuration upon SIGUSR1. 948 * Configuration is "stored in reverse order", so reverse it again. 949 */ 950struct dumper { 951 char *s, *v; 952 struct dumper *next; 953}; 954 955static void 956conf_report_dump(struct dumper *node) 957{ 958 /* Recursive, cleanup when we're done. */ 959 960 if (node->next) 961 conf_report_dump(node->next); 962 963 if (node->v) 964 LOG_DBG((LOG_REPORT, 0, "%s=\t%s", node->s, node->v)); 965 else if (node->s) { 966 LOG_DBG((LOG_REPORT, 0, "%s", node->s)); 967 if (strlen(node->s) > 0) 968 free(node->s); 969 } 970 free(node); 971} 972 973void 974conf_report(void) 975{ 976 struct conf_binding *cb, *last = 0; 977 unsigned int i; 978 char *current_section = (char *)0; 979 struct dumper *dumper, *dnode; 980 981 dumper = dnode = calloc(1, sizeof *dumper); 982 if (!dumper) 983 goto mem_fail; 984 985 LOG_DBG((LOG_REPORT, 0, "conf_report: dumping running configuration")); 986 987 for (i = 0; i < sizeof conf_bindings / sizeof conf_bindings[0]; i++) 988 for (cb = LIST_FIRST(&conf_bindings[i]); cb; 989 cb = LIST_NEXT(cb, link)) { 990 if (!cb->is_default) { 991 /* Dump this entry. */ 992 if (!current_section || strcmp(cb->section, 993 current_section)) { 994 if (current_section) { 995 if (asprintf(&dnode->s, "[%s]", 996 current_section) == -1) 997 goto mem_fail; 998 dnode->next = calloc(1, 999 sizeof(struct dumper)); 1000 dnode = dnode->next; 1001 if (!dnode) 1002 goto mem_fail; 1003 1004 dnode->s = ""; 1005 dnode->next = calloc(1, 1006 sizeof(struct dumper)); 1007 dnode = dnode->next; 1008 if (!dnode) 1009 goto mem_fail; 1010 } 1011 current_section = cb->section; 1012 } 1013 dnode->s = cb->tag; 1014 dnode->v = cb->value; 1015 dnode->next = calloc(1, sizeof(struct dumper)); 1016 dnode = dnode->next; 1017 if (!dnode) 1018 goto mem_fail; 1019 last = cb; 1020 } 1021 } 1022 1023 if (last) 1024 if (asprintf(&dnode->s, "[%s]", last->section) == -1) 1025 goto mem_fail; 1026 conf_report_dump(dumper); 1027 1028 return; 1029 1030mem_fail: 1031 log_error("conf_report: malloc/calloc failed"); 1032 while ((dnode = dumper) != 0) { 1033 dumper = dumper->next; 1034 free(dnode->s); 1035 free(dnode); 1036 } 1037} 1038