/* $NetBSD: cfparse.y,v 1.18.4.7 2008/07/21 20:45:32 tteras Exp $ */
|
|
/* Id: cfparse.y,v 1.66 2006/08/22 18:17:17 manubsd Exp */
|
|
%{
|
/*
|
* Copyright (C) 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002 and 2003 WIDE Project.
|
* All rights reserved.
|
*
|
* Redistribution and use in source and binary forms, with or without
|
* modification, are permitted provided that the following conditions
|
* are met:
|
* 1. Redistributions of source code must retain the above copyright
|
* notice, this list of conditions and the following disclaimer.
|
* 2. Redistributions in binary form must reproduce the above copyright
|
* notice, this list of conditions and the following disclaimer in the
|
* documentation and/or other materials provided with the distribution.
|
* 3. Neither the name of the project nor the names of its contributors
|
* may be used to endorse or promote products derived from this software
|
* without specific prior written permission.
|
*
|
* THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
|
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
* ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
|
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
* SUCH DAMAGE.
|
*/
|
|
#include "config.h"
|
|
#include <sys/types.h>
|
#include <sys/param.h>
|
#include <sys/queue.h>
|
#include <sys/socket.h>
|
|
#include <netinet/in.h>
|
#include PATH_IPSEC_H
|
|
#ifdef ENABLE_HYBRID
|
#include <arpa/inet.h>
|
#endif
|
|
#include <stdlib.h>
|
#include <stdio.h>
|
#include <string.h>
|
#include <errno.h>
|
#include <netdb.h>
|
#include <pwd.h>
|
#include <grp.h>
|
|
#include "var.h"
|
#include "misc.h"
|
#include "vmbuf.h"
|
#include "plog.h"
|
#include "sockmisc.h"
|
#include "str2val.h"
|
#include "genlist.h"
|
#include "debug.h"
|
|
#include "admin.h"
|
#include "privsep.h"
|
#include "cfparse_proto.h"
|
#include "cftoken_proto.h"
|
#include "algorithm.h"
|
#include "localconf.h"
|
#include "policy.h"
|
#include "sainfo.h"
|
#include "oakley.h"
|
#include "pfkey.h"
|
#include "remoteconf.h"
|
#include "grabmyaddr.h"
|
#include "isakmp_var.h"
|
#include "handler.h"
|
#include "isakmp.h"
|
#include "nattraversal.h"
|
#include "isakmp_frag.h"
|
#ifdef ENABLE_HYBRID
|
#include "resolv.h"
|
#include "isakmp_unity.h"
|
#include "isakmp_xauth.h"
|
#include "isakmp_cfg.h"
|
#endif
|
#include "ipsec_doi.h"
|
#include "strnames.h"
|
#include "gcmalloc.h"
|
#ifdef HAVE_GSSAPI
|
#include "gssapi.h"
|
#endif
|
#include "vendorid.h"
|
#include "rsalist.h"
|
|
struct proposalspec {
|
time_t lifetime; /* for isakmp/ipsec */
|
int lifebyte; /* for isakmp/ipsec */
|
struct secprotospec *spspec; /* the head is always current spec. */
|
struct proposalspec *next; /* the tail is the most prefered. */
|
struct proposalspec *prev;
|
};
|
|
struct secprotospec {
|
int prop_no;
|
int trns_no;
|
int strength; /* for isakmp/ipsec */
|
int encklen; /* for isakmp/ipsec */
|
time_t lifetime; /* for isakmp */
|
int lifebyte; /* for isakmp */
|
int proto_id; /* for ipsec (isakmp?) */
|
int ipsec_level; /* for ipsec */
|
int encmode; /* for ipsec */
|
int vendorid; /* for isakmp */
|
char *gssid;
|
struct sockaddr *remote;
|
int algclass[MAXALGCLASS];
|
|
struct secprotospec *next; /* the tail is the most prefiered. */
|
struct secprotospec *prev;
|
struct proposalspec *back;
|
};
|
|
static int num2dhgroup[] = {
|
0,
|
OAKLEY_ATTR_GRP_DESC_MODP768,
|
OAKLEY_ATTR_GRP_DESC_MODP1024,
|
OAKLEY_ATTR_GRP_DESC_EC2N155,
|
OAKLEY_ATTR_GRP_DESC_EC2N185,
|
OAKLEY_ATTR_GRP_DESC_MODP1536,
|
0,
|
0,
|
0,
|
0,
|
0,
|
0,
|
0,
|
0,
|
OAKLEY_ATTR_GRP_DESC_MODP2048,
|
OAKLEY_ATTR_GRP_DESC_MODP3072,
|
OAKLEY_ATTR_GRP_DESC_MODP4096,
|
OAKLEY_ATTR_GRP_DESC_MODP6144,
|
OAKLEY_ATTR_GRP_DESC_MODP8192
|
};
|
|
static struct remoteconf *cur_rmconf;
|
static int tmpalgtype[MAXALGCLASS];
|
static struct sainfo *cur_sainfo;
|
static int cur_algclass;
|
static int oldloglevel = LLV_BASE;
|
|
static struct proposalspec *newprspec __P((void));
|
static void insprspec __P((struct proposalspec *, struct proposalspec **));
|
static struct secprotospec *newspspec __P((void));
|
static void insspspec __P((struct secprotospec *, struct proposalspec **));
|
static void adminsock_conf __P((vchar_t *, vchar_t *, vchar_t *, int));
|
|
static int set_isakmp_proposal
|
__P((struct remoteconf *, struct proposalspec *));
|
static void clean_tmpalgtype __P((void));
|
static int expand_isakmpspec __P((int, int, int *,
|
int, int, time_t, int, int, int, char *, struct remoteconf *));
|
static int listen_addr __P((struct sockaddr *addr, int udp_encap));
|
|
void freeetypes (struct etypes **etypes);
|
|
#if 0
|
static int fix_lifebyte __P((u_long));
|
#endif
|
%}
|
|
%union {
|
unsigned long num;
|
vchar_t *val;
|
struct remoteconf *rmconf;
|
struct sockaddr *saddr;
|
struct sainfoalg *alg;
|
}
|
|
/* privsep */
|
%token PRIVSEP USER GROUP CHROOT
|
/* path */
|
%token PATH PATHTYPE
|
/* include */
|
%token INCLUDE
|
/* self information */
|
%token IDENTIFIER VENDORID
|
/* logging */
|
%token LOGGING LOGLEV
|
/* padding */
|
%token PADDING PAD_RANDOMIZE PAD_RANDOMIZELEN PAD_MAXLEN PAD_STRICT PAD_EXCLTAIL
|
/* listen */
|
%token LISTEN X_ISAKMP X_ISAKMP_NATT X_ADMIN STRICT_ADDRESS ADMINSOCK DISABLED
|
/* ldap config */
|
%token LDAPCFG LDAP_HOST LDAP_PORT LDAP_PVER LDAP_BASE LDAP_BIND_DN LDAP_BIND_PW LDAP_SUBTREE
|
%token LDAP_ATTR_USER LDAP_ATTR_ADDR LDAP_ATTR_MASK LDAP_ATTR_GROUP LDAP_ATTR_MEMBER
|
/* modecfg */
|
%token MODECFG CFG_NET4 CFG_MASK4 CFG_DNS4 CFG_NBNS4 CFG_DEFAULT_DOMAIN
|
%token CFG_AUTH_SOURCE CFG_AUTH_GROUPS CFG_SYSTEM CFG_RADIUS CFG_PAM CFG_LDAP CFG_LOCAL CFG_NONE
|
%token CFG_GROUP_SOURCE CFG_ACCOUNTING CFG_CONF_SOURCE CFG_MOTD CFG_POOL_SIZE CFG_AUTH_THROTTLE
|
%token CFG_SPLIT_NETWORK CFG_SPLIT_LOCAL CFG_SPLIT_INCLUDE CFG_SPLIT_DNS
|
%token CFG_PFS_GROUP CFG_SAVE_PASSWD
|
|
/* timer */
|
%token RETRY RETRY_COUNTER RETRY_INTERVAL RETRY_PERSEND
|
%token RETRY_PHASE1 RETRY_PHASE2 NATT_KA
|
/* algorithm */
|
%token ALGORITHM_CLASS ALGORITHMTYPE STRENGTHTYPE
|
/* sainfo */
|
%token SAINFO FROM
|
/* remote */
|
%token REMOTE ANONYMOUS INHERIT
|
%token EXCHANGE_MODE EXCHANGETYPE DOI DOITYPE SITUATION SITUATIONTYPE
|
%token CERTIFICATE_TYPE CERTTYPE PEERS_CERTFILE CA_TYPE
|
%token VERIFY_CERT SEND_CERT SEND_CR
|
%token IDENTIFIERTYPE IDENTIFIERQUAL MY_IDENTIFIER
|
%token PEERS_IDENTIFIER VERIFY_IDENTIFIER
|
%token DNSSEC CERT_X509 CERT_PLAINRSA
|
%token NONCE_SIZE DH_GROUP KEEPALIVE PASSIVE INITIAL_CONTACT
|
%token NAT_TRAVERSAL REMOTE_FORCE_LEVEL
|
%token PROPOSAL_CHECK PROPOSAL_CHECK_LEVEL
|
%token GENERATE_POLICY GENERATE_LEVEL SUPPORT_PROXY
|
%token PROPOSAL
|
%token EXEC_PATH EXEC_COMMAND EXEC_SUCCESS EXEC_FAILURE
|
%token GSS_ID GSS_ID_ENC GSS_ID_ENCTYPE
|
%token COMPLEX_BUNDLE
|
%token DPD DPD_DELAY DPD_RETRY DPD_MAXFAIL
|
%token PH1ID
|
%token XAUTH_LOGIN WEAK_PHASE1_CHECK
|
|
%token PREFIX PORT PORTANY UL_PROTO ANY IKE_FRAG ESP_FRAG MODE_CFG
|
%token PFS_GROUP LIFETIME LIFETYPE_TIME LIFETYPE_BYTE STRENGTH REMOTEID
|
|
%token SCRIPT PHASE1_UP PHASE1_DOWN
|
|
%token NUMBER SWITCH BOOLEAN
|
%token HEXSTRING QUOTEDSTRING ADDRSTRING ADDRRANGE
|
%token UNITTYPE_BYTE UNITTYPE_KBYTES UNITTYPE_MBYTES UNITTYPE_TBYTES
|
%token UNITTYPE_SEC UNITTYPE_MIN UNITTYPE_HOUR
|
%token EOS BOC EOC COMMA
|
|
%type <num> NUMBER BOOLEAN SWITCH keylength
|
%type <num> PATHTYPE IDENTIFIERTYPE IDENTIFIERQUAL LOGLEV GSS_ID_ENCTYPE
|
%type <num> ALGORITHM_CLASS dh_group_num
|
%type <num> ALGORITHMTYPE STRENGTHTYPE
|
%type <num> PREFIX prefix PORT port ike_port
|
%type <num> ul_proto UL_PROTO
|
%type <num> EXCHANGETYPE DOITYPE SITUATIONTYPE
|
%type <num> CERTTYPE CERT_X509 CERT_PLAINRSA PROPOSAL_CHECK_LEVEL REMOTE_FORCE_LEVEL GENERATE_LEVEL
|
%type <num> unittype_time unittype_byte
|
%type <val> QUOTEDSTRING HEXSTRING ADDRSTRING ADDRRANGE sainfo_id
|
%type <val> identifierstring
|
%type <saddr> remote_index ike_addrinfo_port
|
%type <alg> algorithm
|
|
%%
|
|
statements
|
: /* nothing */
|
| statements statement
|
;
|
statement
|
: privsep_statement
|
| path_statement
|
| include_statement
|
| gssenc_statement
|
| identifier_statement
|
| logging_statement
|
| padding_statement
|
| listen_statement
|
| ldapcfg_statement
|
| modecfg_statement
|
| timer_statement
|
| sainfo_statement
|
| remote_statement
|
| special_statement
|
;
|
|
/* privsep */
|
privsep_statement
|
: PRIVSEP BOC privsep_stmts EOC
|
;
|
privsep_stmts
|
: /* nothing */
|
| privsep_stmts privsep_stmt
|
;
|
privsep_stmt
|
: USER QUOTEDSTRING
|
{
|
struct passwd *pw;
|
|
if ((pw = getpwnam($2->v)) == NULL) {
|
yyerror("unknown user \"%s\"", $2->v);
|
return -1;
|
}
|
lcconf->uid = pw->pw_uid;
|
}
|
EOS
|
| USER NUMBER { lcconf->uid = $2; } EOS
|
| GROUP QUOTEDSTRING
|
{
|
struct group *gr;
|
|
if ((gr = getgrnam($2->v)) == NULL) {
|
yyerror("unknown group \"%s\"", $2->v);
|
return -1;
|
}
|
lcconf->gid = gr->gr_gid;
|
}
|
EOS
|
| GROUP NUMBER { lcconf->gid = $2; } EOS
|
| CHROOT QUOTEDSTRING { lcconf->chroot = $2->v; } EOS
|
;
|
|
/* path */
|
path_statement
|
: PATH PATHTYPE QUOTEDSTRING
|
{
|
if ($2 >= LC_PATHTYPE_MAX) {
|
yyerror("invalid path type %d", $2);
|
return -1;
|
}
|
|
/* free old pathinfo */
|
if (lcconf->pathinfo[$2])
|
racoon_free(lcconf->pathinfo[$2]);
|
|
/* set new pathinfo */
|
lcconf->pathinfo[$2] = racoon_strdup($3->v);
|
STRDUP_FATAL(lcconf->pathinfo[$2]);
|
vfree($3);
|
}
|
EOS
|
;
|
|
/* special */
|
special_statement
|
: COMPLEX_BUNDLE SWITCH { lcconf->complex_bundle = $2; } EOS
|
;
|
|
/* include */
|
include_statement
|
: INCLUDE QUOTEDSTRING EOS
|
{
|
char path[MAXPATHLEN];
|
|
getpathname(path, sizeof(path),
|
LC_PATHTYPE_INCLUDE, $2->v);
|
vfree($2);
|
if (yycf_switch_buffer(path) != 0)
|
return -1;
|
}
|
;
|
|
/* gss_id_enc */
|
gssenc_statement
|
: GSS_ID_ENC GSS_ID_ENCTYPE EOS
|
{
|
if ($2 >= LC_GSSENC_MAX) {
|
yyerror("invalid GSS ID encoding %d", $2);
|
return -1;
|
}
|
lcconf->gss_id_enc = $2;
|
}
|
;
|
|
/* self information */
|
identifier_statement
|
: IDENTIFIER identifier_stmt
|
;
|
identifier_stmt
|
: VENDORID
|
{
|
/*XXX to be deleted */
|
}
|
QUOTEDSTRING EOS
|
| IDENTIFIERTYPE QUOTEDSTRING
|
{
|
/*XXX to be deleted */
|
$2->l--; /* nuke '\0' */
|
lcconf->ident[$1] = $2;
|
if (lcconf->ident[$1] == NULL) {
|
yyerror("failed to set my ident: %s",
|
strerror(errno));
|
return -1;
|
}
|
}
|
EOS
|
;
|
|
/* logging */
|
logging_statement
|
: LOGGING log_level EOS
|
;
|
log_level
|
: HEXSTRING
|
{
|
/*
|
* XXX ignore it because this specification
|
* will be obsoleted.
|
*/
|
yywarn("see racoon.conf(5), such a log specification will be obsoleted.");
|
vfree($1);
|
}
|
| LOGLEV
|
{
|
/*
|
* set the loglevel to the value specified
|
* in the configuration file plus the number
|
* of -d options specified on the command line
|
*/
|
loglevel += $1 - oldloglevel;
|
oldloglevel = $1;
|
}
|
;
|
|
/* padding */
|
padding_statement
|
: PADDING BOC padding_stmts EOC
|
;
|
padding_stmts
|
: /* nothing */
|
| padding_stmts padding_stmt
|
;
|
padding_stmt
|
: PAD_RANDOMIZE SWITCH { lcconf->pad_random = $2; } EOS
|
| PAD_RANDOMIZELEN SWITCH { lcconf->pad_randomlen = $2; } EOS
|
| PAD_MAXLEN NUMBER { lcconf->pad_maxsize = $2; } EOS
|
| PAD_STRICT SWITCH { lcconf->pad_strict = $2; } EOS
|
| PAD_EXCLTAIL SWITCH { lcconf->pad_excltail = $2; } EOS
|
;
|
|
/* listen */
|
listen_statement
|
: LISTEN BOC listen_stmts EOC
|
;
|
listen_stmts
|
: /* nothing */
|
| listen_stmts listen_stmt
|
;
|
listen_stmt
|
: X_ISAKMP ike_addrinfo_port
|
{
|
listen_addr ($2, 0);
|
}
|
EOS
|
| X_ISAKMP_NATT ike_addrinfo_port
|
{
|
#ifdef ENABLE_NATT
|
listen_addr ($2, 1);
|
#else
|
yyerror("NAT-T support not compiled in.");
|
#endif
|
}
|
EOS
|
| X_ADMIN
|
{
|
yyerror("admin directive is obsoleted.");
|
}
|
PORT EOS
|
| ADMINSOCK QUOTEDSTRING QUOTEDSTRING QUOTEDSTRING NUMBER
|
{
|
#ifdef ENABLE_ADMINPORT
|
adminsock_conf($2, $3, $4, $5);
|
#else
|
yywarn("admin port support not compiled in");
|
#endif
|
}
|
EOS
|
| ADMINSOCK QUOTEDSTRING
|
{
|
#ifdef ENABLE_ADMINPORT
|
adminsock_conf($2, NULL, NULL, -1);
|
#else
|
yywarn("admin port support not compiled in");
|
#endif
|
}
|
EOS
|
| ADMINSOCK DISABLED
|
{
|
#ifdef ENABLE_ADMINPORT
|
adminsock_path = NULL;
|
#else
|
yywarn("admin port support not compiled in");
|
#endif
|
}
|
EOS
|
| STRICT_ADDRESS { lcconf->strict_address = TRUE; } EOS
|
;
|
ike_addrinfo_port
|
: ADDRSTRING ike_port
|
{
|
char portbuf[10];
|
|
snprintf(portbuf, sizeof(portbuf), "%ld", $2);
|
$$ = str2saddr($1->v, portbuf);
|
vfree($1);
|
if (!$$)
|
return -1;
|
}
|
;
|
ike_port
|
: /* nothing */ { $$ = PORT_ISAKMP; }
|
| PORT { $$ = $1; }
|
;
|
|
/* ldap configuration */
|
ldapcfg_statement
|
: LDAPCFG {
|
#ifndef ENABLE_HYBRID
|
yyerror("racoon not configured with --enable-hybrid");
|
return -1;
|
#endif
|
#ifndef HAVE_LIBLDAP
|
yyerror("racoon not configured with --with-libldap");
|
return -1;
|
#endif
|
} BOC ldapcfg_stmts EOC
|
;
|
ldapcfg_stmts
|
: /* nothing */
|
| ldapcfg_stmts ldapcfg_stmt
|
;
|
ldapcfg_stmt
|
: LDAP_PVER NUMBER
|
{
|
#ifdef ENABLE_HYBRID
|
#ifdef HAVE_LIBLDAP
|
if (($2<2)||($2>3))
|
yyerror("invalid ldap protocol version (2|3)");
|
xauth_ldap_config.pver = $2;
|
#endif
|
#endif
|
}
|
EOS
|
| LDAP_HOST QUOTEDSTRING
|
{
|
#ifdef ENABLE_HYBRID
|
#ifdef HAVE_LIBLDAP
|
if (xauth_ldap_config.host != NULL)
|
vfree(xauth_ldap_config.host);
|
xauth_ldap_config.host = vdup($2);
|
#endif
|
#endif
|
}
|
EOS
|
| LDAP_PORT NUMBER
|
{
|
#ifdef ENABLE_HYBRID
|
#ifdef HAVE_LIBLDAP
|
xauth_ldap_config.port = $2;
|
#endif
|
#endif
|
}
|
EOS
|
| LDAP_BASE QUOTEDSTRING
|
{
|
#ifdef ENABLE_HYBRID
|
#ifdef HAVE_LIBLDAP
|
if (xauth_ldap_config.base != NULL)
|
vfree(xauth_ldap_config.base);
|
xauth_ldap_config.base = vdup($2);
|
#endif
|
#endif
|
}
|
EOS
|
| LDAP_SUBTREE SWITCH
|
{
|
#ifdef ENABLE_HYBRID
|
#ifdef HAVE_LIBLDAP
|
xauth_ldap_config.subtree = $2;
|
#endif
|
#endif
|
}
|
EOS
|
| LDAP_BIND_DN QUOTEDSTRING
|
{
|
#ifdef ENABLE_HYBRID
|
#ifdef HAVE_LIBLDAP
|
if (xauth_ldap_config.bind_dn != NULL)
|
vfree(xauth_ldap_config.bind_dn);
|
xauth_ldap_config.bind_dn = vdup($2);
|
#endif
|
#endif
|
}
|
EOS
|
| LDAP_BIND_PW QUOTEDSTRING
|
{
|
#ifdef ENABLE_HYBRID
|
#ifdef HAVE_LIBLDAP
|
if (xauth_ldap_config.bind_pw != NULL)
|
vfree(xauth_ldap_config.bind_pw);
|
xauth_ldap_config.bind_pw = vdup($2);
|
#endif
|
#endif
|
}
|
EOS
|
| LDAP_ATTR_USER QUOTEDSTRING
|
{
|
#ifdef ENABLE_HYBRID
|
#ifdef HAVE_LIBLDAP
|
if (xauth_ldap_config.attr_user != NULL)
|
vfree(xauth_ldap_config.attr_user);
|
xauth_ldap_config.attr_user = vdup($2);
|
#endif
|
#endif
|
}
|
EOS
|
| LDAP_ATTR_ADDR QUOTEDSTRING
|
{
|
#ifdef ENABLE_HYBRID
|
#ifdef HAVE_LIBLDAP
|
if (xauth_ldap_config.attr_addr != NULL)
|
vfree(xauth_ldap_config.attr_addr);
|
xauth_ldap_config.attr_addr = vdup($2);
|
#endif
|
#endif
|
}
|
EOS
|
| LDAP_ATTR_MASK QUOTEDSTRING
|
{
|
#ifdef ENABLE_HYBRID
|
#ifdef HAVE_LIBLDAP
|
if (xauth_ldap_config.attr_mask != NULL)
|
vfree(xauth_ldap_config.attr_mask);
|
xauth_ldap_config.attr_mask = vdup($2);
|
#endif
|
#endif
|
}
|
EOS
|
| LDAP_ATTR_GROUP QUOTEDSTRING
|
{
|
#ifdef ENABLE_HYBRID
|
#ifdef HAVE_LIBLDAP
|
if (xauth_ldap_config.attr_group != NULL)
|
vfree(xauth_ldap_config.attr_group);
|
xauth_ldap_config.attr_group = vdup($2);
|
#endif
|
#endif
|
}
|
EOS
|
| LDAP_ATTR_MEMBER QUOTEDSTRING
|
{
|
#ifdef ENABLE_HYBRID
|
#ifdef HAVE_LIBLDAP
|
if (xauth_ldap_config.attr_member != NULL)
|
vfree(xauth_ldap_config.attr_member);
|
xauth_ldap_config.attr_member = vdup($2);
|
#endif
|
#endif
|
}
|
EOS
|
;
|
|
/* modecfg */
|
modecfg_statement
|
: MODECFG BOC modecfg_stmts EOC
|
;
|
modecfg_stmts
|
: /* nothing */
|
| modecfg_stmts modecfg_stmt
|
;
|
modecfg_stmt
|
: CFG_NET4 ADDRSTRING
|
{
|
#ifdef ENABLE_HYBRID
|
if (inet_pton(AF_INET, $2->v,
|
&isakmp_cfg_config.network4) != 1)
|
yyerror("bad IPv4 network address.");
|
#else
|
yyerror("racoon not configured with --enable-hybrid");
|
#endif
|
}
|
EOS
|
| CFG_MASK4 ADDRSTRING
|
{
|
#ifdef ENABLE_HYBRID
|
if (inet_pton(AF_INET, $2->v,
|
&isakmp_cfg_config.netmask4) != 1)
|
yyerror("bad IPv4 netmask address.");
|
#else
|
yyerror("racoon not configured with --enable-hybrid");
|
#endif
|
}
|
EOS
|
| CFG_DNS4 addrdnslist
|
EOS
|
| CFG_NBNS4 addrwinslist
|
EOS
|
| CFG_SPLIT_NETWORK CFG_SPLIT_LOCAL splitnetlist
|
{
|
#ifdef ENABLE_HYBRID
|
isakmp_cfg_config.splitnet_type = UNITY_LOCAL_LAN;
|
#else
|
yyerror("racoon not configured with --enable-hybrid");
|
#endif
|
}
|
EOS
|
| CFG_SPLIT_NETWORK CFG_SPLIT_INCLUDE splitnetlist
|
{
|
#ifdef ENABLE_HYBRID
|
isakmp_cfg_config.splitnet_type = UNITY_SPLIT_INCLUDE;
|
#else
|
yyerror("racoon not configured with --enable-hybrid");
|
#endif
|
}
|
EOS
|
| CFG_SPLIT_DNS splitdnslist
|
{
|
#ifndef ENABLE_HYBRID
|
yyerror("racoon not configured with --enable-hybrid");
|
#endif
|
}
|
EOS
|
| CFG_DEFAULT_DOMAIN QUOTEDSTRING
|
{
|
#ifdef ENABLE_HYBRID
|
strncpy(&isakmp_cfg_config.default_domain[0],
|
$2->v, MAXPATHLEN);
|
isakmp_cfg_config.default_domain[MAXPATHLEN] = '\0';
|
vfree($2);
|
#else
|
yyerror("racoon not configured with --enable-hybrid");
|
#endif
|
}
|
EOS
|
| CFG_AUTH_SOURCE CFG_SYSTEM
|
{
|
#ifdef ENABLE_HYBRID
|
isakmp_cfg_config.authsource = ISAKMP_CFG_AUTH_SYSTEM;
|
#else
|
yyerror("racoon not configured with --enable-hybrid");
|
#endif
|
}
|
EOS
|
| CFG_AUTH_SOURCE CFG_RADIUS
|
{
|
#ifdef ENABLE_HYBRID
|
#ifdef HAVE_LIBRADIUS
|
isakmp_cfg_config.authsource = ISAKMP_CFG_AUTH_RADIUS;
|
#else /* HAVE_LIBRADIUS */
|
yyerror("racoon not configured with --with-libradius");
|
#endif /* HAVE_LIBRADIUS */
|
#else /* ENABLE_HYBRID */
|
yyerror("racoon not configured with --enable-hybrid");
|
#endif /* ENABLE_HYBRID */
|
}
|
EOS
|
| CFG_AUTH_SOURCE CFG_PAM
|
{
|
#ifdef ENABLE_HYBRID
|
#ifdef HAVE_LIBPAM
|
isakmp_cfg_config.authsource = ISAKMP_CFG_AUTH_PAM;
|
#else /* HAVE_LIBPAM */
|
yyerror("racoon not configured with --with-libpam");
|
#endif /* HAVE_LIBPAM */
|
#else /* ENABLE_HYBRID */
|
yyerror("racoon not configured with --enable-hybrid");
|
#endif /* ENABLE_HYBRID */
|
}
|
EOS
|
| CFG_AUTH_SOURCE CFG_LDAP
|
{
|
#ifdef ENABLE_HYBRID
|
#ifdef HAVE_LIBLDAP
|
isakmp_cfg_config.authsource = ISAKMP_CFG_AUTH_LDAP;
|
#else /* HAVE_LIBLDAP */
|
yyerror("racoon not configured with --with-libldap");
|
#endif /* HAVE_LIBLDAP */
|
#else /* ENABLE_HYBRID */
|
yyerror("racoon not configured with --enable-hybrid");
|
#endif /* ENABLE_HYBRID */
|
}
|
EOS
|
| CFG_AUTH_GROUPS authgrouplist
|
{
|
#ifndef ENABLE_HYBRID
|
yyerror("racoon not configured with --enable-hybrid");
|
#endif
|
}
|
EOS
|
| CFG_GROUP_SOURCE CFG_SYSTEM
|
{
|
#ifdef ENABLE_HYBRID
|
isakmp_cfg_config.groupsource = ISAKMP_CFG_GROUP_SYSTEM;
|
#else
|
yyerror("racoon not configured with --enable-hybrid");
|
#endif
|
}
|
EOS
|
| CFG_GROUP_SOURCE CFG_LDAP
|
{
|
#ifdef ENABLE_HYBRID
|
#ifdef HAVE_LIBLDAP
|
isakmp_cfg_config.groupsource = ISAKMP_CFG_GROUP_LDAP;
|
#else /* HAVE_LIBLDAP */
|
yyerror("racoon not configured with --with-libldap");
|
#endif /* HAVE_LIBLDAP */
|
#else /* ENABLE_HYBRID */
|
yyerror("racoon not configured with --enable-hybrid");
|
#endif /* ENABLE_HYBRID */
|
}
|
EOS
|
| CFG_ACCOUNTING CFG_NONE
|
{
|
#ifdef ENABLE_HYBRID
|
isakmp_cfg_config.accounting = ISAKMP_CFG_ACCT_NONE;
|
#else
|
yyerror("racoon not configured with --enable-hybrid");
|
#endif
|
}
|
EOS
|
| CFG_ACCOUNTING CFG_SYSTEM
|
{
|
#ifdef ENABLE_HYBRID
|
isakmp_cfg_config.accounting = ISAKMP_CFG_ACCT_SYSTEM;
|
#else
|
yyerror("racoon not configured with --enable-hybrid");
|
#endif
|
}
|
EOS
|
| CFG_ACCOUNTING CFG_RADIUS
|
{
|
#ifdef ENABLE_HYBRID
|
#ifdef HAVE_LIBRADIUS
|
isakmp_cfg_config.accounting = ISAKMP_CFG_ACCT_RADIUS;
|
#else /* HAVE_LIBRADIUS */
|
yyerror("racoon not configured with --with-libradius");
|
#endif /* HAVE_LIBRADIUS */
|
#else /* ENABLE_HYBRID */
|
yyerror("racoon not configured with --enable-hybrid");
|
#endif /* ENABLE_HYBRID */
|
}
|
EOS
|
| CFG_ACCOUNTING CFG_PAM
|
{
|
#ifdef ENABLE_HYBRID
|
#ifdef HAVE_LIBPAM
|
isakmp_cfg_config.accounting = ISAKMP_CFG_ACCT_PAM;
|
#else /* HAVE_LIBPAM */
|
yyerror("racoon not configured with --with-libpam");
|
#endif /* HAVE_LIBPAM */
|
#else /* ENABLE_HYBRID */
|
yyerror("racoon not configured with --enable-hybrid");
|
#endif /* ENABLE_HYBRID */
|
}
|
EOS
|
| CFG_POOL_SIZE NUMBER
|
{
|
#ifdef ENABLE_HYBRID
|
if (isakmp_cfg_resize_pool($2) != 0)
|
yyerror("cannot allocate memory for pool");
|
#else /* ENABLE_HYBRID */
|
yyerror("racoon not configured with --enable-hybrid");
|
#endif /* ENABLE_HYBRID */
|
}
|
EOS
|
| CFG_PFS_GROUP NUMBER
|
{
|
#ifdef ENABLE_HYBRID
|
isakmp_cfg_config.pfs_group = $2;
|
#else /* ENABLE_HYBRID */
|
yyerror("racoon not configured with --enable-hybrid");
|
#endif /* ENABLE_HYBRID */
|
}
|
EOS
|
| CFG_SAVE_PASSWD SWITCH
|
{
|
#ifdef ENABLE_HYBRID
|
isakmp_cfg_config.save_passwd = $2;
|
#else /* ENABLE_HYBRID */
|
yyerror("racoon not configured with --enable-hybrid");
|
#endif /* ENABLE_HYBRID */
|
}
|
EOS
|
| CFG_AUTH_THROTTLE NUMBER
|
{
|
#ifdef ENABLE_HYBRID
|
isakmp_cfg_config.auth_throttle = $2;
|
#else /* ENABLE_HYBRID */
|
yyerror("racoon not configured with --enable-hybrid");
|
#endif /* ENABLE_HYBRID */
|
}
|
EOS
|
| CFG_CONF_SOURCE CFG_LOCAL
|
{
|
#ifdef ENABLE_HYBRID
|
isakmp_cfg_config.confsource = ISAKMP_CFG_CONF_LOCAL;
|
#else /* ENABLE_HYBRID */
|
yyerror("racoon not configured with --enable-hybrid");
|
#endif /* ENABLE_HYBRID */
|
}
|
EOS
|
| CFG_CONF_SOURCE CFG_RADIUS
|
{
|
#ifdef ENABLE_HYBRID
|
#ifdef HAVE_LIBRADIUS
|
isakmp_cfg_config.confsource = ISAKMP_CFG_CONF_RADIUS;
|
#else /* HAVE_LIBRADIUS */
|
yyerror("racoon not configured with --with-libradius");
|
#endif /* HAVE_LIBRADIUS */
|
#else /* ENABLE_HYBRID */
|
yyerror("racoon not configured with --enable-hybrid");
|
#endif /* ENABLE_HYBRID */
|
}
|
EOS
|
| CFG_CONF_SOURCE CFG_LDAP
|
{
|
#ifdef ENABLE_HYBRID
|
#ifdef HAVE_LIBLDAP
|
isakmp_cfg_config.confsource = ISAKMP_CFG_CONF_LDAP;
|
#else /* HAVE_LIBLDAP */
|
yyerror("racoon not configured with --with-libldap");
|
#endif /* HAVE_LIBLDAP */
|
#else /* ENABLE_HYBRID */
|
yyerror("racoon not configured with --enable-hybrid");
|
#endif /* ENABLE_HYBRID */
|
}
|
EOS
|
| CFG_MOTD QUOTEDSTRING
|
{
|
#ifdef ENABLE_HYBRID
|
strncpy(&isakmp_cfg_config.motd[0], $2->v, MAXPATHLEN);
|
isakmp_cfg_config.motd[MAXPATHLEN] = '\0';
|
vfree($2);
|
#else
|
yyerror("racoon not configured with --enable-hybrid");
|
#endif
|
}
|
EOS
|
;
|
|
addrdnslist
|
: addrdns
|
| addrdns COMMA addrdnslist
|
;
|
addrdns
|
: ADDRSTRING
|
{
|
#ifdef ENABLE_HYBRID
|
struct isakmp_cfg_config *icc = &isakmp_cfg_config;
|
|
if (icc->dns4_index > MAXNS)
|
yyerror("No more than %d DNS", MAXNS);
|
if (inet_pton(AF_INET, $1->v,
|
&icc->dns4[icc->dns4_index++]) != 1)
|
yyerror("bad IPv4 DNS address.");
|
#else
|
yyerror("racoon not configured with --enable-hybrid");
|
#endif
|
}
|
;
|
|
addrwinslist
|
: addrwins
|
| addrwins COMMA addrwinslist
|
;
|
addrwins
|
: ADDRSTRING
|
{
|
#ifdef ENABLE_HYBRID
|
struct isakmp_cfg_config *icc = &isakmp_cfg_config;
|
|
if (icc->nbns4_index > MAXWINS)
|
yyerror("No more than %d WINS", MAXWINS);
|
if (inet_pton(AF_INET, $1->v,
|
&icc->nbns4[icc->nbns4_index++]) != 1)
|
yyerror("bad IPv4 WINS address.");
|
#else
|
yyerror("racoon not configured with --enable-hybrid");
|
#endif
|
}
|
;
|
|
splitnetlist
|
: splitnet
|
| splitnetlist COMMA splitnet
|
;
|
splitnet
|
: ADDRSTRING PREFIX
|
{
|
#ifdef ENABLE_HYBRID
|
struct isakmp_cfg_config *icc = &isakmp_cfg_config;
|
struct unity_network network;
|
memset(&network,0,sizeof(network));
|
|
if (inet_pton(AF_INET, $1->v, &network.addr4) != 1)
|
yyerror("bad IPv4 SPLIT address.");
|
|
/* Turn $2 (the prefix) into a subnet mask */
|
network.mask4.s_addr = ($2) ? htonl(~((1 << (32 - $2)) - 1)) : 0;
|
|
/* add the network to our list */
|
if (splitnet_list_add(&icc->splitnet_list, &network,&icc->splitnet_count))
|
yyerror("Unable to allocate split network");
|
#else
|
yyerror("racoon not configured with --enable-hybrid");
|
#endif
|
}
|
;
|
|
authgrouplist
|
: authgroup
|
| authgroup COMMA authgrouplist
|
;
|
authgroup
|
: QUOTEDSTRING
|
{
|
#ifdef ENABLE_HYBRID
|
char * groupname = NULL;
|
char ** grouplist = NULL;
|
struct isakmp_cfg_config *icc = &isakmp_cfg_config;
|
|
grouplist = racoon_realloc(icc->grouplist,
|
sizeof(char**)*(icc->groupcount+1));
|
if (grouplist == NULL)
|
yyerror("unable to allocate auth group list");
|
|
groupname = racoon_malloc($1->l+1);
|
if (groupname == NULL)
|
yyerror("unable to allocate auth group name");
|
|
memcpy(groupname,$1->v,$1->l);
|
groupname[$1->l]=0;
|
grouplist[icc->groupcount]=groupname;
|
icc->grouplist = grouplist;
|
icc->groupcount++;
|
|
vfree($1);
|
#else
|
yyerror("racoon not configured with --enable-hybrid");
|
#endif
|
}
|
;
|
|
splitdnslist
|
: splitdns
|
| splitdns COMMA splitdnslist
|
;
|
splitdns
|
: QUOTEDSTRING
|
{
|
#ifdef ENABLE_HYBRID
|
struct isakmp_cfg_config *icc = &isakmp_cfg_config;
|
|
if (!icc->splitdns_len)
|
{
|
icc->splitdns_list = racoon_malloc($1->l);
|
if(icc->splitdns_list == NULL)
|
yyerror("error allocating splitdns list buffer");
|
memcpy(icc->splitdns_list,$1->v,$1->l);
|
icc->splitdns_len = $1->l;
|
}
|
else
|
{
|
int len = icc->splitdns_len + $1->l + 1;
|
icc->splitdns_list = racoon_realloc(icc->splitdns_list,len);
|
if(icc->splitdns_list == NULL)
|
yyerror("error allocating splitdns list buffer");
|
icc->splitdns_list[icc->splitdns_len] = ',';
|
memcpy(icc->splitdns_list + icc->splitdns_len + 1, $1->v, $1->l);
|
icc->splitdns_len = len;
|
}
|
vfree($1);
|
#else
|
yyerror("racoon not configured with --enable-hybrid");
|
#endif
|
}
|
;
|
|
|
/* timer */
|
timer_statement
|
: RETRY BOC timer_stmts EOC
|
;
|
timer_stmts
|
: /* nothing */
|
| timer_stmts timer_stmt
|
;
|
timer_stmt
|
: RETRY_COUNTER NUMBER
|
{
|
lcconf->retry_counter = $2;
|
}
|
EOS
|
| RETRY_INTERVAL NUMBER unittype_time
|
{
|
lcconf->retry_interval = $2 * $3;
|
}
|
EOS
|
| RETRY_PERSEND NUMBER
|
{
|
lcconf->count_persend = $2;
|
}
|
EOS
|
| RETRY_PHASE1 NUMBER unittype_time
|
{
|
lcconf->retry_checkph1 = $2 * $3;
|
}
|
EOS
|
| RETRY_PHASE2 NUMBER unittype_time
|
{
|
lcconf->wait_ph2complete = $2 * $3;
|
}
|
EOS
|
| NATT_KA NUMBER unittype_time
|
{
|
#ifdef ENABLE_NATT
|
if (libipsec_opt & LIBIPSEC_OPT_NATT)
|
lcconf->natt_ka_interval = $2 * $3;
|
else
|
yyerror("libipsec lacks NAT-T support");
|
#else
|
yyerror("NAT-T support not compiled in.");
|
#endif
|
}
|
EOS
|
;
|
|
/* sainfo */
|
sainfo_statement
|
: SAINFO
|
{
|
cur_sainfo = newsainfo();
|
if (cur_sainfo == NULL) {
|
yyerror("failed to allocate sainfo");
|
return -1;
|
}
|
}
|
sainfo_name sainfo_param BOC sainfo_specs
|
{
|
struct sainfo *check;
|
|
/* default */
|
if (cur_sainfo->algs[algclass_ipsec_enc] == 0) {
|
yyerror("no encryption algorithm at %s",
|
sainfo2str(cur_sainfo));
|
return -1;
|
}
|
if (cur_sainfo->algs[algclass_ipsec_auth] == 0) {
|
yyerror("no authentication algorithm at %s",
|
sainfo2str(cur_sainfo));
|
return -1;
|
}
|
if (cur_sainfo->algs[algclass_ipsec_comp] == 0) {
|
yyerror("no compression algorithm at %s",
|
sainfo2str(cur_sainfo));
|
return -1;
|
}
|
|
/* duplicate check */
|
check = getsainfo(cur_sainfo->idsrc,
|
cur_sainfo->iddst,
|
cur_sainfo->id_i,
|
cur_sainfo->remoteid);
|
if (check && (!check->idsrc && !cur_sainfo->idsrc)) {
|
yyerror("duplicated sainfo: %s",
|
sainfo2str(cur_sainfo));
|
return -1;
|
}
|
inssainfo(cur_sainfo);
|
}
|
EOC
|
;
|
sainfo_name
|
: ANONYMOUS
|
{
|
cur_sainfo->idsrc = NULL;
|
cur_sainfo->iddst = NULL;
|
}
|
| ANONYMOUS sainfo_id
|
{
|
cur_sainfo->idsrc = NULL;
|
cur_sainfo->iddst = $2;
|
}
|
| sainfo_id ANONYMOUS
|
{
|
cur_sainfo->idsrc = $1;
|
cur_sainfo->iddst = NULL;
|
}
|
| sainfo_id sainfo_id
|
{
|
cur_sainfo->idsrc = $1;
|
cur_sainfo->iddst = $2;
|
}
|
;
|
sainfo_id
|
: IDENTIFIERTYPE ADDRSTRING prefix port ul_proto
|
{
|
char portbuf[10];
|
struct sockaddr *saddr;
|
|
if (($5 == IPPROTO_ICMP || $5 == IPPROTO_ICMPV6)
|
&& ($4 != IPSEC_PORT_ANY || $4 != IPSEC_PORT_ANY)) {
|
yyerror("port number must be \"any\".");
|
return -1;
|
}
|
|
snprintf(portbuf, sizeof(portbuf), "%lu", $4);
|
saddr = str2saddr($2->v, portbuf);
|
vfree($2);
|
if (saddr == NULL)
|
return -1;
|
|
switch (saddr->sa_family) {
|
case AF_INET:
|
if ($5 == IPPROTO_ICMPV6) {
|
yyerror("upper layer protocol mismatched.\n");
|
racoon_free(saddr);
|
return -1;
|
}
|
$$ = ipsecdoi_sockaddr2id(saddr,
|
$3 == ~0 ? (sizeof(struct in_addr) << 3): $3,
|
$5);
|
break;
|
#ifdef INET6
|
case AF_INET6:
|
if ($5 == IPPROTO_ICMP) {
|
yyerror("upper layer protocol mismatched.\n");
|
racoon_free(saddr);
|
return -1;
|
}
|
$$ = ipsecdoi_sockaddr2id(saddr,
|
$3 == ~0 ? (sizeof(struct in6_addr) << 3): $3,
|
$5);
|
break;
|
#endif
|
default:
|
yyerror("invalid family: %d", saddr->sa_family);
|
$$ = NULL;
|
break;
|
}
|
racoon_free(saddr);
|
if ($$ == NULL)
|
return -1;
|
}
|
| IDENTIFIERTYPE ADDRSTRING ADDRRANGE prefix port ul_proto
|
{
|
char portbuf[10];
|
struct sockaddr *laddr = NULL, *haddr = NULL;
|
char *cur = NULL;
|
|
if (($6 == IPPROTO_ICMP || $6 == IPPROTO_ICMPV6)
|
&& ($5 != IPSEC_PORT_ANY || $5 != IPSEC_PORT_ANY)) {
|
yyerror("port number must be \"any\".");
|
return -1;
|
}
|
|
snprintf(portbuf, sizeof(portbuf), "%lu", $5);
|
|
laddr = str2saddr($2->v, portbuf);
|
if (laddr == NULL) {
|
return -1;
|
}
|
vfree($2);
|
haddr = str2saddr($3->v, portbuf);
|
if (haddr == NULL) {
|
racoon_free(laddr);
|
return -1;
|
}
|
vfree($3);
|
|
switch (laddr->sa_family) {
|
case AF_INET:
|
if ($6 == IPPROTO_ICMPV6) {
|
yyerror("upper layer protocol mismatched.\n");
|
if (laddr)
|
racoon_free(laddr);
|
if (haddr)
|
racoon_free(haddr);
|
return -1;
|
}
|
$$ = ipsecdoi_sockrange2id(laddr, haddr,
|
$6);
|
break;
|
#ifdef INET6
|
case AF_INET6:
|
if ($6 == IPPROTO_ICMP) {
|
yyerror("upper layer protocol mismatched.\n");
|
if (laddr)
|
racoon_free(laddr);
|
if (haddr)
|
racoon_free(haddr);
|
return -1;
|
}
|
$$ = ipsecdoi_sockrange2id(laddr, haddr,
|
$6);
|
break;
|
#endif
|
default:
|
yyerror("invalid family: %d", laddr->sa_family);
|
$$ = NULL;
|
break;
|
}
|
if (laddr)
|
racoon_free(laddr);
|
if (haddr)
|
racoon_free(haddr);
|
if ($$ == NULL)
|
return -1;
|
}
|
| IDENTIFIERTYPE QUOTEDSTRING
|
{
|
struct ipsecdoi_id_b *id_b;
|
|
if ($1 == IDTYPE_ASN1DN) {
|
yyerror("id type forbidden: %d", $1);
|
$$ = NULL;
|
return -1;
|
}
|
|
$2->l--;
|
|
$$ = vmalloc(sizeof(*id_b) + $2->l);
|
if ($$ == NULL) {
|
yyerror("failed to allocate identifier");
|
return -1;
|
}
|
|
id_b = (struct ipsecdoi_id_b *)$$->v;
|
id_b->type = idtype2doi($1);
|
|
id_b->proto_id = 0;
|
id_b->port = 0;
|
|
memcpy($$->v + sizeof(*id_b), $2->v, $2->l);
|
}
|
;
|
sainfo_param
|
: /* nothing */
|
{
|
cur_sainfo->id_i = NULL;
|
}
|
| FROM IDENTIFIERTYPE identifierstring
|
{
|
struct ipsecdoi_id_b *id_b;
|
vchar_t *idv;
|
|
if (set_identifier(&idv, $2, $3) != 0) {
|
yyerror("failed to set identifer.\n");
|
return -1;
|
}
|
cur_sainfo->id_i = vmalloc(sizeof(*id_b) + idv->l);
|
if (cur_sainfo->id_i == NULL) {
|
yyerror("failed to allocate identifier");
|
return -1;
|
}
|
|
id_b = (struct ipsecdoi_id_b *)cur_sainfo->id_i->v;
|
id_b->type = idtype2doi($2);
|
|
id_b->proto_id = 0;
|
id_b->port = 0;
|
|
memcpy(cur_sainfo->id_i->v + sizeof(*id_b),
|
idv->v, idv->l);
|
vfree(idv);
|
}
|
| GROUP QUOTEDSTRING
|
{
|
#ifdef ENABLE_HYBRID
|
if ((cur_sainfo->group = vdup($2)) == NULL) {
|
yyerror("failed to set sainfo xauth group.\n");
|
return -1;
|
}
|
#else
|
yyerror("racoon not configured with --enable-hybrid");
|
return -1;
|
#endif
|
}
|
;
|
sainfo_specs
|
: /* nothing */
|
| sainfo_specs sainfo_spec
|
;
|
sainfo_spec
|
: PFS_GROUP dh_group_num
|
{
|
cur_sainfo->pfs_group = $2;
|
}
|
EOS
|
| REMOTEID NUMBER
|
{
|
cur_sainfo->remoteid = $2;
|
}
|
EOS
|
| LIFETIME LIFETYPE_TIME NUMBER unittype_time
|
{
|
cur_sainfo->lifetime = $3 * $4;
|
}
|
EOS
|
| LIFETIME LIFETYPE_BYTE NUMBER unittype_byte
|
{
|
#if 1
|
yyerror("byte lifetime support is deprecated");
|
return -1;
|
#else
|
cur_sainfo->lifebyte = fix_lifebyte($3 * $4);
|
if (cur_sainfo->lifebyte == 0)
|
return -1;
|
#endif
|
}
|
EOS
|
| ALGORITHM_CLASS {
|
cur_algclass = $1;
|
}
|
algorithms EOS
|
| IDENTIFIER IDENTIFIERTYPE
|
{
|
yyerror("it's deprecated to specify a identifier in phase 2");
|
}
|
EOS
|
| MY_IDENTIFIER IDENTIFIERTYPE QUOTEDSTRING
|
{
|
yyerror("it's deprecated to specify a identifier in phase 2");
|
}
|
EOS
|
;
|
|
algorithms
|
: algorithm
|
{
|
inssainfoalg(&cur_sainfo->algs[cur_algclass], $1);
|
}
|
| algorithm
|
{
|
inssainfoalg(&cur_sainfo->algs[cur_algclass], $1);
|
}
|
COMMA algorithms
|
;
|
algorithm
|
: ALGORITHMTYPE keylength
|
{
|
int defklen;
|
|
$$ = newsainfoalg();
|
if ($$ == NULL) {
|
yyerror("failed to get algorithm allocation");
|
return -1;
|
}
|
|
$$->alg = algtype2doi(cur_algclass, $1);
|
if ($$->alg == -1) {
|
yyerror("algorithm mismatched");
|
racoon_free($$);
|
$$ = NULL;
|
return -1;
|
}
|
|
defklen = default_keylen(cur_algclass, $1);
|
if (defklen == 0) {
|
if ($2) {
|
yyerror("keylen not allowed");
|
racoon_free($$);
|
$$ = NULL;
|
return -1;
|
}
|
} else {
|
if ($2 && check_keylen(cur_algclass, $1, $2) < 0) {
|
yyerror("invalid keylen %d", $2);
|
racoon_free($$);
|
$$ = NULL;
|
return -1;
|
}
|
}
|
|
if ($2)
|
$$->encklen = $2;
|
else
|
$$->encklen = defklen;
|
|
/* check if it's supported algorithm by kernel */
|
if (!(cur_algclass == algclass_ipsec_auth && $1 == algtype_non_auth)
|
&& pk_checkalg(cur_algclass, $1, $$->encklen)) {
|
int a = algclass2doi(cur_algclass);
|
int b = algtype2doi(cur_algclass, $1);
|
if (a == IPSECDOI_ATTR_AUTH)
|
a = IPSECDOI_PROTO_IPSEC_AH;
|
yyerror("algorithm %s not supported by the kernel (missing module?)",
|
s_ipsecdoi_trns(a, b));
|
racoon_free($$);
|
$$ = NULL;
|
return -1;
|
}
|
}
|
;
|
prefix
|
: /* nothing */ { $$ = ~0; }
|
| PREFIX { $$ = $1; }
|
;
|
port
|
: /* nothing */ { $$ = IPSEC_PORT_ANY; }
|
| PORT { $$ = $1; }
|
| PORTANY { $$ = IPSEC_PORT_ANY; }
|
;
|
ul_proto
|
: NUMBER { $$ = $1; }
|
| UL_PROTO { $$ = $1; }
|
| ANY { $$ = IPSEC_ULPROTO_ANY; }
|
;
|
keylength
|
: /* nothing */ { $$ = 0; }
|
| NUMBER { $$ = $1; }
|
;
|
|
/* remote */
|
remote_statement
|
: REMOTE remote_index INHERIT remote_index
|
{
|
struct remoteconf *new;
|
struct proposalspec *prspec;
|
|
new = copyrmconf($4);
|
if (new == NULL) {
|
yyerror("failed to get remoteconf for %s.", saddr2str ($4));
|
return -1;
|
}
|
|
new->remote = $2;
|
new->inherited_from = getrmconf_strict($4, 1);
|
new->proposal = NULL;
|
new->prhead = NULL;
|
cur_rmconf = new;
|
|
prspec = newprspec();
|
if (prspec == NULL || !cur_rmconf->inherited_from
|
|| !cur_rmconf->inherited_from->proposal)
|
return -1;
|
prspec->lifetime = cur_rmconf->inherited_from->proposal->lifetime;
|
prspec->lifebyte = cur_rmconf->inherited_from->proposal->lifebyte;
|
insprspec(prspec, &cur_rmconf->prhead);
|
}
|
remote_specs_block
|
| REMOTE remote_index
|
{
|
struct remoteconf *new;
|
struct proposalspec *prspec;
|
|
new = newrmconf();
|
if (new == NULL) {
|
yyerror("failed to get new remoteconf.");
|
return -1;
|
}
|
|
new->remote = $2;
|
cur_rmconf = new;
|
|
prspec = newprspec();
|
if (prspec == NULL)
|
return -1;
|
prspec->lifetime = oakley_get_defaultlifetime();
|
insprspec(prspec, &cur_rmconf->prhead);
|
}
|
remote_specs_block
|
;
|
|
remote_specs_block
|
: BOC remote_specs EOC
|
{
|
/* check a exchange mode */
|
if (cur_rmconf->etypes == NULL) {
|
yyerror("no exchange mode specified.\n");
|
return -1;
|
}
|
|
if (cur_rmconf->idvtype == IDTYPE_UNDEFINED)
|
cur_rmconf->idvtype = IDTYPE_ADDRESS;
|
|
|
if (cur_rmconf->idvtype == IDTYPE_ASN1DN) {
|
if (cur_rmconf->mycertfile) {
|
if (cur_rmconf->idv)
|
yywarn("Both CERT and ASN1 ID "
|
"are set. Hope this is OK.\n");
|
/* TODO: Preparse the DN here */
|
} else if (cur_rmconf->idv) {
|
/* OK, using asn1dn without X.509. */
|
} else {
|
yyerror("ASN1 ID not specified "
|
"and no CERT defined!\n");
|
return -1;
|
}
|
}
|
|
if (cur_rmconf->prhead->spspec == NULL
|
&& cur_rmconf->inherited_from
|
&& cur_rmconf->inherited_from->prhead) {
|
cur_rmconf->prhead->spspec = cur_rmconf->inherited_from->prhead->spspec;
|
}
|
if (set_isakmp_proposal(cur_rmconf, cur_rmconf->prhead) != 0)
|
return -1;
|
|
/* DH group settting if aggressive mode is there. */
|
if (check_etypeok(cur_rmconf, ISAKMP_ETYPE_AGG) != NULL) {
|
struct isakmpsa *p;
|
int b = 0;
|
|
/* DH group */
|
for (p = cur_rmconf->proposal; p; p = p->next) {
|
if (b == 0 || (b && b == p->dh_group)) {
|
b = p->dh_group;
|
continue;
|
}
|
yyerror("DH group must be equal "
|
"in all proposals "
|
"when aggressive mode is "
|
"used.\n");
|
return -1;
|
}
|
cur_rmconf->dh_group = b;
|
|
if (cur_rmconf->dh_group == 0) {
|
yyerror("DH group must be set in the proposal.\n");
|
return -1;
|
}
|
|
/* DH group settting if PFS is required. */
|
if (oakley_setdhgroup(cur_rmconf->dh_group,
|
&cur_rmconf->dhgrp) < 0) {
|
yyerror("failed to set DH value.\n");
|
return -1;
|
}
|
}
|
|
insrmconf(cur_rmconf);
|
}
|
;
|
remote_index
|
: ANONYMOUS ike_port
|
{
|
$$ = newsaddr(sizeof(struct sockaddr));
|
$$->sa_family = AF_UNSPEC;
|
((struct sockaddr_in *)$$)->sin_port = htons($2);
|
}
|
| ike_addrinfo_port
|
{
|
$$ = $1;
|
if ($$ == NULL) {
|
yyerror("failed to allocate sockaddr");
|
return -1;
|
}
|
}
|
;
|
remote_specs
|
: /* nothing */
|
| remote_specs remote_spec
|
;
|
remote_spec
|
: EXCHANGE_MODE
|
{
|
cur_rmconf->etypes = NULL;
|
}
|
exchange_types EOS
|
| DOI DOITYPE { cur_rmconf->doitype = $2; } EOS
|
| SITUATION SITUATIONTYPE { cur_rmconf->sittype = $2; } EOS
|
| CERTIFICATE_TYPE cert_spec
|
| PEERS_CERTFILE QUOTEDSTRING
|
{
|
yywarn("This directive without certtype will be removed!\n");
|
yywarn("Please use 'peers_certfile x509 \"%s\";' instead\n", $2->v);
|
cur_rmconf->getcert_method = ISAKMP_GETCERT_LOCALFILE;
|
|
if (cur_rmconf->peerscertfile != NULL)
|
racoon_free(cur_rmconf->peerscertfile);
|
cur_rmconf->peerscertfile = racoon_strdup($2->v);
|
STRDUP_FATAL(cur_rmconf->peerscertfile);
|
vfree($2);
|
}
|
EOS
|
| CA_TYPE CERT_X509 QUOTEDSTRING
|
{
|
cur_rmconf->cacerttype = $2;
|
cur_rmconf->getcacert_method = ISAKMP_GETCERT_LOCALFILE;
|
if (cur_rmconf->cacertfile != NULL)
|
racoon_free(cur_rmconf->cacertfile);
|
cur_rmconf->cacertfile = racoon_strdup($3->v);
|
STRDUP_FATAL(cur_rmconf->cacertfile);
|
vfree($3);
|
}
|
EOS
|
| PEERS_CERTFILE CERT_X509 QUOTEDSTRING
|
{
|
cur_rmconf->getcert_method = ISAKMP_GETCERT_LOCALFILE;
|
if (cur_rmconf->peerscertfile != NULL)
|
racoon_free(cur_rmconf->peerscertfile);
|
cur_rmconf->peerscertfile = racoon_strdup($3->v);
|
STRDUP_FATAL(cur_rmconf->peerscertfile);
|
vfree($3);
|
}
|
EOS
|
| PEERS_CERTFILE CERT_PLAINRSA QUOTEDSTRING
|
{
|
char path[MAXPATHLEN];
|
int ret = 0;
|
|
getpathname(path, sizeof(path),
|
LC_PATHTYPE_CERT, $3->v);
|
vfree($3);
|
|
if (cur_rmconf->getcert_method == ISAKMP_GETCERT_DNS) {
|
yyerror("Different peers_certfile method "
|
"already defined: %d!\n",
|
cur_rmconf->getcert_method);
|
return -1;
|
}
|
cur_rmconf->getcert_method = ISAKMP_GETCERT_LOCALFILE;
|
if (rsa_parse_file(cur_rmconf->rsa_public, path, RSA_TYPE_PUBLIC)) {
|
yyerror("Couldn't parse keyfile.\n", path);
|
return -1;
|
}
|
plog(LLV_DEBUG, LOCATION, NULL, "Public PlainRSA keyfile parsed: %s\n", path);
|
}
|
EOS
|
| PEERS_CERTFILE DNSSEC
|
{
|
if (cur_rmconf->getcert_method) {
|
yyerror("Different peers_certfile method already defined!\n");
|
return -1;
|
}
|
cur_rmconf->getcert_method = ISAKMP_GETCERT_DNS;
|
cur_rmconf->peerscertfile = NULL;
|
}
|
EOS
|
| VERIFY_CERT SWITCH { cur_rmconf->verify_cert = $2; } EOS
|
| SEND_CERT SWITCH { cur_rmconf->send_cert = $2; } EOS
|
| SEND_CR SWITCH { cur_rmconf->send_cr = $2; } EOS
|
| MY_IDENTIFIER IDENTIFIERTYPE identifierstring
|
{
|
if (set_identifier(&cur_rmconf->idv, $2, $3) != 0) {
|
yyerror("failed to set identifer.\n");
|
return -1;
|
}
|
cur_rmconf->idvtype = $2;
|
}
|
EOS
|
| MY_IDENTIFIER IDENTIFIERTYPE IDENTIFIERQUAL identifierstring
|
{
|
if (set_identifier_qual(&cur_rmconf->idv, $2, $4, $3) != 0) {
|
yyerror("failed to set identifer.\n");
|
return -1;
|
}
|
cur_rmconf->idvtype = $2;
|
}
|
EOS
|
| XAUTH_LOGIN identifierstring
|
{
|
#ifdef ENABLE_HYBRID
|
/* formerly identifier type login */
|
if (xauth_rmconf_used(&cur_rmconf->xauth) == -1) {
|
yyerror("failed to allocate xauth state\n");
|
return -1;
|
}
|
if ((cur_rmconf->xauth->login = vdup($2)) == NULL) {
|
yyerror("failed to set identifer.\n");
|
return -1;
|
}
|
#else
|
yyerror("racoon not configured with --enable-hybrid");
|
#endif
|
}
|
EOS
|
| PEERS_IDENTIFIER IDENTIFIERTYPE identifierstring
|
{
|
struct idspec *id;
|
id = newidspec();
|
if (id == NULL) {
|
yyerror("failed to allocate idspec");
|
return -1;
|
}
|
if (set_identifier(&id->id, $2, $3) != 0) {
|
yyerror("failed to set identifer.\n");
|
racoon_free(id);
|
return -1;
|
}
|
id->idtype = $2;
|
genlist_append (cur_rmconf->idvl_p, id);
|
}
|
EOS
|
| PEERS_IDENTIFIER IDENTIFIERTYPE IDENTIFIERQUAL identifierstring
|
{
|
struct idspec *id;
|
id = newidspec();
|
if (id == NULL) {
|
yyerror("failed to allocate idspec");
|
return -1;
|
}
|
if (set_identifier_qual(&id->id, $2, $4, $3) != 0) {
|
yyerror("failed to set identifer.\n");
|
racoon_free(id);
|
return -1;
|
}
|
id->idtype = $2;
|
genlist_append (cur_rmconf->idvl_p, id);
|
}
|
EOS
|
| VERIFY_IDENTIFIER SWITCH { cur_rmconf->verify_identifier = $2; } EOS
|
| NONCE_SIZE NUMBER { cur_rmconf->nonce_size = $2; } EOS
|
| DH_GROUP
|
{
|
yyerror("dh_group cannot be defined here.");
|
return -1;
|
}
|
dh_group_num EOS
|
| PASSIVE SWITCH { cur_rmconf->passive = $2; } EOS
|
| IKE_FRAG SWITCH { cur_rmconf->ike_frag = $2; } EOS
|
| IKE_FRAG REMOTE_FORCE_LEVEL { cur_rmconf->ike_frag = ISAKMP_FRAG_FORCE; } EOS
|
| ESP_FRAG NUMBER {
|
#ifdef SADB_X_EXT_NAT_T_FRAG
|
if (libipsec_opt & LIBIPSEC_OPT_FRAG)
|
cur_rmconf->esp_frag = $2;
|
else
|
yywarn("libipsec lacks IKE frag support");
|
#else
|
yywarn("Your kernel does not support esp_frag");
|
#endif
|
} EOS
|
| SCRIPT QUOTEDSTRING PHASE1_UP {
|
if (cur_rmconf->script[SCRIPT_PHASE1_UP] != NULL)
|
vfree(cur_rmconf->script[SCRIPT_PHASE1_UP]);
|
|
cur_rmconf->script[SCRIPT_PHASE1_UP] =
|
script_path_add(vdup($2));
|
} EOS
|
| SCRIPT QUOTEDSTRING PHASE1_DOWN {
|
if (cur_rmconf->script[SCRIPT_PHASE1_DOWN] != NULL)
|
vfree(cur_rmconf->script[SCRIPT_PHASE1_DOWN]);
|
|
cur_rmconf->script[SCRIPT_PHASE1_DOWN] =
|
script_path_add(vdup($2));
|
} EOS
|
| MODE_CFG SWITCH { cur_rmconf->mode_cfg = $2; } EOS
|
| WEAK_PHASE1_CHECK SWITCH {
|
cur_rmconf->weak_phase1_check = $2;
|
} EOS
|
| GENERATE_POLICY SWITCH { cur_rmconf->gen_policy = $2; } EOS
|
| GENERATE_POLICY GENERATE_LEVEL { cur_rmconf->gen_policy = $2; } EOS
|
| SUPPORT_PROXY SWITCH { cur_rmconf->support_proxy = $2; } EOS
|
| INITIAL_CONTACT SWITCH { cur_rmconf->ini_contact = $2; } EOS
|
| NAT_TRAVERSAL SWITCH
|
{
|
#ifdef ENABLE_NATT
|
if (libipsec_opt & LIBIPSEC_OPT_NATT)
|
cur_rmconf->nat_traversal = $2;
|
else
|
yyerror("libipsec lacks NAT-T support");
|
#else
|
yyerror("NAT-T support not compiled in.");
|
#endif
|
} EOS
|
| NAT_TRAVERSAL REMOTE_FORCE_LEVEL
|
{
|
#ifdef ENABLE_NATT
|
if (libipsec_opt & LIBIPSEC_OPT_NATT)
|
cur_rmconf->nat_traversal = NATT_FORCE;
|
else
|
yyerror("libipsec lacks NAT-T support");
|
#else
|
yyerror("NAT-T support not compiled in.");
|
#endif
|
} EOS
|
| DPD SWITCH
|
{
|
#ifdef ENABLE_DPD
|
cur_rmconf->dpd = $2;
|
#else
|
yyerror("DPD support not compiled in.");
|
#endif
|
} EOS
|
| DPD_DELAY NUMBER
|
{
|
#ifdef ENABLE_DPD
|
cur_rmconf->dpd_interval = $2;
|
#else
|
yyerror("DPD support not compiled in.");
|
#endif
|
}
|
EOS
|
| DPD_RETRY NUMBER
|
{
|
#ifdef ENABLE_DPD
|
cur_rmconf->dpd_retry = $2;
|
#else
|
yyerror("DPD support not compiled in.");
|
#endif
|
}
|
EOS
|
| DPD_MAXFAIL NUMBER
|
{
|
#ifdef ENABLE_DPD
|
cur_rmconf->dpd_maxfails = $2;
|
#else
|
yyerror("DPD support not compiled in.");
|
#endif
|
}
|
EOS
|
| PH1ID NUMBER
|
{
|
cur_rmconf->ph1id = $2;
|
}
|
EOS
|
| LIFETIME LIFETYPE_TIME NUMBER unittype_time
|
{
|
cur_rmconf->prhead->lifetime = $3 * $4;
|
}
|
EOS
|
| PROPOSAL_CHECK PROPOSAL_CHECK_LEVEL { cur_rmconf->pcheck_level = $2; } EOS
|
| LIFETIME LIFETYPE_BYTE NUMBER unittype_byte
|
{
|
#if 1
|
yyerror("byte lifetime support is deprecated in Phase1");
|
return -1;
|
#else
|
yywarn("the lifetime of bytes in phase 1 "
|
"will be ignored at the moment.");
|
cur_rmconf->prhead->lifebyte = fix_lifebyte($3 * $4);
|
if (cur_rmconf->prhead->lifebyte == 0)
|
return -1;
|
#endif
|
}
|
EOS
|
| PROPOSAL
|
{
|
struct secprotospec *spspec;
|
|
spspec = newspspec();
|
if (spspec == NULL)
|
return -1;
|
insspspec(spspec, &cur_rmconf->prhead);
|
}
|
BOC isakmpproposal_specs EOC
|
;
|
exchange_types
|
: /* nothing */
|
| exchange_types EXCHANGETYPE
|
{
|
struct etypes *new;
|
new = racoon_malloc(sizeof(struct etypes));
|
if (new == NULL) {
|
yyerror("failed to allocate etypes");
|
return -1;
|
}
|
new->type = $2;
|
new->next = NULL;
|
if (cur_rmconf->etypes == NULL)
|
cur_rmconf->etypes = new;
|
else {
|
struct etypes *p;
|
for (p = cur_rmconf->etypes;
|
p->next != NULL;
|
p = p->next)
|
;
|
p->next = new;
|
}
|
}
|
;
|
cert_spec
|
: CERT_X509 QUOTEDSTRING QUOTEDSTRING
|
{
|
cur_rmconf->certtype = $1;
|
if (cur_rmconf->mycertfile != NULL)
|
racoon_free(cur_rmconf->mycertfile);
|
cur_rmconf->mycertfile = racoon_strdup($2->v);
|
STRDUP_FATAL(cur_rmconf->mycertfile);
|
vfree($2);
|
if (cur_rmconf->myprivfile != NULL)
|
racoon_free(cur_rmconf->myprivfile);
|
cur_rmconf->myprivfile = racoon_strdup($3->v);
|
STRDUP_FATAL(cur_rmconf->myprivfile);
|
vfree($3);
|
}
|
EOS
|
| CERT_PLAINRSA QUOTEDSTRING
|
{
|
char path[MAXPATHLEN];
|
int ret = 0;
|
|
getpathname(path, sizeof(path),
|
LC_PATHTYPE_CERT, $2->v);
|
vfree($2);
|
|
cur_rmconf->certtype = $1;
|
cur_rmconf->send_cr = FALSE;
|
cur_rmconf->send_cert = FALSE;
|
cur_rmconf->verify_cert = FALSE;
|
if (rsa_parse_file(cur_rmconf->rsa_private, path, RSA_TYPE_PRIVATE)) {
|
yyerror("Couldn't parse keyfile.\n", path);
|
return -1;
|
}
|
plog(LLV_DEBUG, LOCATION, NULL, "Private PlainRSA keyfile parsed: %s\n", path);
|
}
|
EOS
|
;
|
dh_group_num
|
: ALGORITHMTYPE
|
{
|
$$ = algtype2doi(algclass_isakmp_dh, $1);
|
if ($$ == -1) {
|
yyerror("must be DH group");
|
return -1;
|
}
|
}
|
| NUMBER
|
{
|
if (ARRAYLEN(num2dhgroup) > $1 && num2dhgroup[$1] != 0) {
|
$$ = num2dhgroup[$1];
|
} else {
|
yyerror("must be DH group");
|
$$ = 0;
|
return -1;
|
}
|
}
|
;
|
identifierstring
|
: /* nothing */ { $$ = NULL; }
|
| ADDRSTRING { $$ = $1; }
|
| QUOTEDSTRING { $$ = $1; }
|
;
|
isakmpproposal_specs
|
: /* nothing */
|
| isakmpproposal_specs isakmpproposal_spec
|
;
|
isakmpproposal_spec
|
: STRENGTH
|
{
|
yyerror("strength directive is obsoleted.");
|
} STRENGTHTYPE EOS
|
| LIFETIME LIFETYPE_TIME NUMBER unittype_time
|
{
|
cur_rmconf->prhead->spspec->lifetime = $3 * $4;
|
}
|
EOS
|
| LIFETIME LIFETYPE_BYTE NUMBER unittype_byte
|
{
|
#if 1
|
yyerror("byte lifetime support is deprecated");
|
return -1;
|
#else
|
cur_rmconf->prhead->spspec->lifebyte = fix_lifebyte($3 * $4);
|
if (cur_rmconf->prhead->spspec->lifebyte == 0)
|
return -1;
|
#endif
|
}
|
EOS
|
| DH_GROUP dh_group_num
|
{
|
cur_rmconf->prhead->spspec->algclass[algclass_isakmp_dh] = $2;
|
}
|
EOS
|
| GSS_ID QUOTEDSTRING
|
{
|
if (cur_rmconf->prhead->spspec->vendorid != VENDORID_GSSAPI) {
|
yyerror("wrong Vendor ID for gssapi_id");
|
return -1;
|
}
|
if (cur_rmconf->prhead->spspec->gssid != NULL)
|
racoon_free(cur_rmconf->prhead->spspec->gssid);
|
cur_rmconf->prhead->spspec->gssid =
|
racoon_strdup($2->v);
|
STRDUP_FATAL(cur_rmconf->prhead->spspec->gssid);
|
}
|
EOS
|
| ALGORITHM_CLASS ALGORITHMTYPE keylength
|
{
|
int doi;
|
int defklen;
|
|
doi = algtype2doi($1, $2);
|
if (doi == -1) {
|
yyerror("algorithm mismatched 1");
|
return -1;
|
}
|
|
switch ($1) {
|
case algclass_isakmp_enc:
|
/* reject suppressed algorithms */
|
#ifndef HAVE_OPENSSL_RC5_H
|
if ($2 == algtype_rc5) {
|
yyerror("algorithm %s not supported",
|
s_attr_isakmp_enc(doi));
|
return -1;
|
}
|
#endif
|
#ifndef HAVE_OPENSSL_IDEA_H
|
if ($2 == algtype_idea) {
|
yyerror("algorithm %s not supported",
|
s_attr_isakmp_enc(doi));
|
return -1;
|
}
|
#endif
|
|
cur_rmconf->prhead->spspec->algclass[algclass_isakmp_enc] = doi;
|
defklen = default_keylen($1, $2);
|
if (defklen == 0) {
|
if ($3) {
|
yyerror("keylen not allowed");
|
return -1;
|
}
|
} else {
|
if ($3 && check_keylen($1, $2, $3) < 0) {
|
yyerror("invalid keylen %d", $3);
|
return -1;
|
}
|
}
|
if ($3)
|
cur_rmconf->prhead->spspec->encklen = $3;
|
else
|
cur_rmconf->prhead->spspec->encklen = defklen;
|
break;
|
case algclass_isakmp_hash:
|
cur_rmconf->prhead->spspec->algclass[algclass_isakmp_hash] = doi;
|
break;
|
case algclass_isakmp_ameth:
|
cur_rmconf->prhead->spspec->algclass[algclass_isakmp_ameth] = doi;
|
/*
|
* We may have to set the Vendor ID for the
|
* authentication method we're using.
|
*/
|
switch ($2) {
|
case algtype_gssapikrb:
|
if (cur_rmconf->prhead->spspec->vendorid !=
|
VENDORID_UNKNOWN) {
|
yyerror("Vendor ID mismatch "
|
"for auth method");
|
return -1;
|
}
|
/*
|
* For interoperability with Win2k,
|
* we set the Vendor ID to "GSSAPI".
|
*/
|
cur_rmconf->prhead->spspec->vendorid =
|
VENDORID_GSSAPI;
|
break;
|
case algtype_rsasig:
|
if (cur_rmconf->certtype == ISAKMP_CERT_PLAINRSA) {
|
if (rsa_list_count(cur_rmconf->rsa_private) == 0) {
|
yyerror ("Private PlainRSA key not set. "
|
"Use directive 'certificate_type plainrsa ...'\n");
|
return -1;
|
}
|
if (rsa_list_count(cur_rmconf->rsa_public) == 0) {
|
yyerror ("Public PlainRSA keys not set. "
|
"Use directive 'peers_certfile plainrsa ...'\n");
|
return -1;
|
}
|
}
|
break;
|
default:
|
break;
|
}
|
break;
|
default:
|
yyerror("algorithm mismatched 2");
|
return -1;
|
}
|
}
|
EOS
|
;
|
|
unittype_time
|
: UNITTYPE_SEC { $$ = 1; }
|
| UNITTYPE_MIN { $$ = 60; }
|
| UNITTYPE_HOUR { $$ = (60 * 60); }
|
;
|
unittype_byte
|
: UNITTYPE_BYTE { $$ = 1; }
|
| UNITTYPE_KBYTES { $$ = 1024; }
|
| UNITTYPE_MBYTES { $$ = (1024 * 1024); }
|
| UNITTYPE_TBYTES { $$ = (1024 * 1024 * 1024); }
|
;
|
%%
|
|
static struct proposalspec *
|
newprspec()
|
{
|
struct proposalspec *new;
|
|
new = racoon_calloc(1, sizeof(*new));
|
if (new == NULL)
|
yyerror("failed to allocate proposal");
|
|
return new;
|
}
|
|
/*
|
* insert into head of list.
|
*/
|
static void
|
insprspec(prspec, head)
|
struct proposalspec *prspec;
|
struct proposalspec **head;
|
{
|
if (*head != NULL)
|
(*head)->prev = prspec;
|
prspec->next = *head;
|
*head = prspec;
|
}
|
|
static struct secprotospec *
|
newspspec()
|
{
|
struct secprotospec *new;
|
|
new = racoon_calloc(1, sizeof(*new));
|
if (new == NULL) {
|
yyerror("failed to allocate spproto");
|
return NULL;
|
}
|
|
new->encklen = 0; /*XXX*/
|
|
/*
|
* Default to "uknown" vendor -- we will override this
|
* as necessary. When we send a Vendor ID payload, an
|
* "unknown" will be translated to a KAME/racoon ID.
|
*/
|
new->vendorid = VENDORID_UNKNOWN;
|
|
return new;
|
}
|
|
/*
|
* insert into head of list.
|
*/
|
static void
|
insspspec(spspec, head)
|
struct secprotospec *spspec;
|
struct proposalspec **head;
|
{
|
spspec->back = *head;
|
|
if ((*head)->spspec != NULL)
|
(*head)->spspec->prev = spspec;
|
spspec->next = (*head)->spspec;
|
(*head)->spspec = spspec;
|
}
|
|
/* set final acceptable proposal */
|
static int
|
set_isakmp_proposal(rmconf, prspec)
|
struct remoteconf *rmconf;
|
struct proposalspec *prspec;
|
{
|
struct proposalspec *p;
|
struct secprotospec *s;
|
int prop_no = 1;
|
int trns_no = 1;
|
int32_t types[MAXALGCLASS];
|
|
p = prspec;
|
if (p->next != 0) {
|
plog(LLV_ERROR, LOCATION, NULL,
|
"multiple proposal definition.\n");
|
return -1;
|
}
|
|
/* mandatory check */
|
if (p->spspec == NULL) {
|
yyerror("no remote specification found: %s.\n",
|
saddr2str(rmconf->remote));
|
return -1;
|
}
|
for (s = p->spspec; s != NULL; s = s->next) {
|
/* XXX need more to check */
|
if (s->algclass[algclass_isakmp_enc] == 0) {
|
yyerror("encryption algorithm required.");
|
return -1;
|
}
|
if (s->algclass[algclass_isakmp_hash] == 0) {
|
yyerror("hash algorithm required.");
|
return -1;
|
}
|
if (s->algclass[algclass_isakmp_dh] == 0) {
|
yyerror("DH group required.");
|
return -1;
|
}
|
if (s->algclass[algclass_isakmp_ameth] == 0) {
|
yyerror("authentication method required.");
|
return -1;
|
}
|
}
|
|
/* skip to last part */
|
for (s = p->spspec; s->next != NULL; s = s->next)
|
;
|
|
while (s != NULL) {
|
plog(LLV_DEBUG2, LOCATION, NULL,
|
"lifetime = %ld\n", (long)
|
(s->lifetime ? s->lifetime : p->lifetime));
|
plog(LLV_DEBUG2, LOCATION, NULL,
|
"lifebyte = %d\n",
|
s->lifebyte ? s->lifebyte : p->lifebyte);
|
plog(LLV_DEBUG2, LOCATION, NULL,
|
"encklen=%d\n", s->encklen);
|
|
memset(types, 0, ARRAYLEN(types));
|
types[algclass_isakmp_enc] = s->algclass[algclass_isakmp_enc];
|
types[algclass_isakmp_hash] = s->algclass[algclass_isakmp_hash];
|
types[algclass_isakmp_dh] = s->algclass[algclass_isakmp_dh];
|
types[algclass_isakmp_ameth] =
|
s->algclass[algclass_isakmp_ameth];
|
|
/* expanding spspec */
|
clean_tmpalgtype();
|
trns_no = expand_isakmpspec(prop_no, trns_no, types,
|
algclass_isakmp_enc, algclass_isakmp_ameth + 1,
|
s->lifetime ? s->lifetime : p->lifetime,
|
s->lifebyte ? s->lifebyte : p->lifebyte,
|
s->encklen, s->vendorid, s->gssid,
|
rmconf);
|
if (trns_no == -1) {
|
plog(LLV_ERROR, LOCATION, NULL,
|
"failed to expand isakmp proposal.\n");
|
return -1;
|
}
|
|
s = s->prev;
|
}
|
|
if (rmconf->proposal == NULL) {
|
plog(LLV_ERROR, LOCATION, NULL,
|
"no proposal found.\n");
|
return -1;
|
}
|
|
return 0;
|
}
|
|
static void
|
clean_tmpalgtype()
|
{
|
int i;
|
for (i = 0; i < MAXALGCLASS; i++)
|
tmpalgtype[i] = 0; /* means algorithm undefined. */
|
}
|
|
static int
|
expand_isakmpspec(prop_no, trns_no, types,
|
class, last, lifetime, lifebyte, encklen, vendorid, gssid,
|
rmconf)
|
int prop_no, trns_no;
|
int *types, class, last;
|
time_t lifetime;
|
int lifebyte;
|
int encklen;
|
int vendorid;
|
char *gssid;
|
struct remoteconf *rmconf;
|
{
|
struct isakmpsa *new;
|
|
/* debugging */
|
{
|
int j;
|
char tb[10];
|
plog(LLV_DEBUG2, LOCATION, NULL,
|
"p:%d t:%d\n", prop_no, trns_no);
|
for (j = class; j < MAXALGCLASS; j++) {
|
snprintf(tb, sizeof(tb), "%d", types[j]);
|
plog(LLV_DEBUG2, LOCATION, NULL,
|
"%s%s%s%s\n",
|
s_algtype(j, types[j]),
|
types[j] ? "(" : "",
|
tb[0] == '0' ? "" : tb,
|
types[j] ? ")" : "");
|
}
|
plog(LLV_DEBUG2, LOCATION, NULL, "\n");
|
}
|
|
#define TMPALGTYPE2STR(n) \
|
s_algtype(algclass_isakmp_##n, types[algclass_isakmp_##n])
|
/* check mandatory values */
|
if (types[algclass_isakmp_enc] == 0
|
|| types[algclass_isakmp_ameth] == 0
|
|| types[algclass_isakmp_hash] == 0
|
|| types[algclass_isakmp_dh] == 0) {
|
yyerror("few definition of algorithm "
|
"enc=%s ameth=%s hash=%s dhgroup=%s.\n",
|
TMPALGTYPE2STR(enc),
|
TMPALGTYPE2STR(ameth),
|
TMPALGTYPE2STR(hash),
|
TMPALGTYPE2STR(dh));
|
return -1;
|
}
|
#undef TMPALGTYPE2STR
|
|
/* set new sa */
|
new = newisakmpsa();
|
if (new == NULL) {
|
yyerror("failed to allocate isakmp sa");
|
return -1;
|
}
|
new->prop_no = prop_no;
|
new->trns_no = trns_no++;
|
new->lifetime = lifetime;
|
new->lifebyte = lifebyte;
|
new->enctype = types[algclass_isakmp_enc];
|
new->encklen = encklen;
|
new->authmethod = types[algclass_isakmp_ameth];
|
new->hashtype = types[algclass_isakmp_hash];
|
new->dh_group = types[algclass_isakmp_dh];
|
new->vendorid = vendorid;
|
#ifdef HAVE_GSSAPI
|
if (new->authmethod == OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB) {
|
if (gssid != NULL) {
|
if ((new->gssid = vmalloc(strlen(gssid))) == NULL) {
|
racoon_free(new);
|
yyerror("failed to allocate gssid");
|
return -1;
|
}
|
memcpy(new->gssid->v, gssid, new->gssid->l);
|
racoon_free(gssid);
|
#ifdef ENABLE_HYBRID
|
} else if (rmconf->xauth == NULL) {
|
#else
|
} else {
|
#endif
|
/*
|
* Allocate the default ID so that it gets put
|
* into a GSS ID attribute during the Phase 1
|
* exchange.
|
*/
|
new->gssid = gssapi_get_default_gss_id();
|
}
|
}
|
#endif
|
insisakmpsa(new, rmconf);
|
|
return trns_no;
|
}
|
|
static int
|
listen_addr (struct sockaddr *addr, int udp_encap)
|
{
|
struct myaddrs *p;
|
|
p = newmyaddr();
|
if (p == NULL) {
|
yyerror("failed to allocate myaddrs");
|
return -1;
|
}
|
p->addr = addr;
|
if (p->addr == NULL) {
|
yyerror("failed to copy sockaddr ");
|
delmyaddr(p);
|
return -1;
|
}
|
p->udp_encap = udp_encap;
|
|
insmyaddr(p, &lcconf->myaddrs);
|
|
lcconf->autograbaddr = 0;
|
return 0;
|
}
|
|
#if 0
|
/*
|
* fix lifebyte.
|
* Must be more than 1024B because its unit is kilobytes.
|
* That is defined RFC2407.
|
*/
|
static int
|
fix_lifebyte(t)
|
unsigned long t;
|
{
|
if (t < 1024) {
|
yyerror("byte size should be more than 1024B.");
|
return 0;
|
}
|
|
return(t / 1024);
|
}
|
#endif
|
|
int
|
cfparse()
|
{
|
int error;
|
|
yycf_init_buffer();
|
|
if (yycf_switch_buffer(lcconf->racoon_conf) != 0) {
|
plog(LLV_ERROR, LOCATION, NULL,
|
"could not read configuration file \"%s\"\n",
|
lcconf->racoon_conf);
|
return -1;
|
}
|
|
error = yyparse();
|
if (error != 0) {
|
if (yyerrorcount) {
|
plog(LLV_ERROR, LOCATION, NULL,
|
"fatal parse failure (%d errors)\n",
|
yyerrorcount);
|
} else {
|
plog(LLV_ERROR, LOCATION, NULL,
|
"fatal parse failure.\n");
|
}
|
return -1;
|
}
|
|
if (error == 0 && yyerrorcount) {
|
plog(LLV_ERROR, LOCATION, NULL,
|
"parse error is nothing, but yyerrorcount is %d.\n",
|
yyerrorcount);
|
exit(1);
|
}
|
|
yycf_clean_buffer();
|
|
plog(LLV_DEBUG2, LOCATION, NULL, "parse successed.\n");
|
|
return 0;
|
}
|
|
int
|
cfreparse()
|
{
|
flushph2();
|
flushph1();
|
flushrmconf();
|
flushsainfo();
|
clean_tmpalgtype();
|
return(cfparse());
|
}
|
|
#ifdef ENABLE_ADMINPORT
|
static void
|
adminsock_conf(path, owner, group, mode_dec)
|
vchar_t *path;
|
vchar_t *owner;
|
vchar_t *group;
|
int mode_dec;
|
{
|
struct passwd *pw = NULL;
|
struct group *gr = NULL;
|
mode_t mode = 0;
|
uid_t uid;
|
gid_t gid;
|
int isnum;
|
|
adminsock_path = path->v;
|
|
if (owner == NULL)
|
return;
|
|
errno = 0;
|
uid = atoi(owner->v);
|
isnum = !errno;
|
if (((pw = getpwnam(owner->v)) == NULL) && !isnum)
|
yyerror("User \"%s\" does not exist", owner->v);
|
|
if (pw)
|
adminsock_owner = pw->pw_uid;
|
else
|
adminsock_owner = uid;
|
|
if (group == NULL)
|
return;
|
|
errno = 0;
|
gid = atoi(group->v);
|
isnum = !errno;
|
if (((gr = getgrnam(group->v)) == NULL) && !isnum)
|
yyerror("Group \"%s\" does not exist", group->v);
|
|
if (gr)
|
adminsock_group = gr->gr_gid;
|
else
|
adminsock_group = gid;
|
|
if (mode_dec == -1)
|
return;
|
|
if (mode_dec > 777)
|
yyerror("Mode 0%03o is invalid", mode_dec);
|
if (mode_dec >= 400) { mode += 0400; mode_dec -= 400; }
|
if (mode_dec >= 200) { mode += 0200; mode_dec -= 200; }
|
if (mode_dec >= 100) { mode += 0200; mode_dec -= 100; }
|
|
if (mode_dec > 77)
|
yyerror("Mode 0%03o is invalid", mode_dec);
|
if (mode_dec >= 40) { mode += 040; mode_dec -= 40; }
|
if (mode_dec >= 20) { mode += 020; mode_dec -= 20; }
|
if (mode_dec >= 10) { mode += 020; mode_dec -= 10; }
|
|
if (mode_dec > 7)
|
yyerror("Mode 0%03o is invalid", mode_dec);
|
if (mode_dec >= 4) { mode += 04; mode_dec -= 4; }
|
if (mode_dec >= 2) { mode += 02; mode_dec -= 2; }
|
if (mode_dec >= 1) { mode += 02; mode_dec -= 1; }
|
|
adminsock_mode = mode;
|
|
return;
|
}
|
#endif
|
