summaryrefslogtreecommitdiffstats
path: root/ipsec-tools/src/racoon/cfparse.y
diff options
context:
space:
mode:
Diffstat (limited to 'ipsec-tools/src/racoon/cfparse.y')
-rw-r--r--ipsec-tools/src/racoon/cfparse.y2841
1 files changed, 2841 insertions, 0 deletions
diff --git a/ipsec-tools/src/racoon/cfparse.y b/ipsec-tools/src/racoon/cfparse.y
new file mode 100644
index 00000000..0d9bd670
--- /dev/null
+++ b/ipsec-tools/src/racoon/cfparse.y
@@ -0,0 +1,2841 @@
+/* $NetBSD: cfparse.y,v 1.42.2.1 2012/08/29 08:42:24 tteras Exp $ */
+
+/* Id: cfparse.y,v 1.66 2006/08/22 18:17:17 manubsd Exp */
+
+%{
+/*
+ * Copyright (C) 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002 and 2003 WIDE Project.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. Neither the name of the project nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "config.h"
+
+#include <sys/types.h>
+#include <sys/param.h>
+#include <sys/queue.h>
+#include <sys/socket.h>
+
+#include <netinet/in.h>
+#include PATH_IPSEC_H
+
+#ifdef ENABLE_HYBRID
+#include <arpa/inet.h>
+#endif
+
+#include <stdlib.h>
+#include <stdio.h>
+#include <string.h>
+#include <errno.h>
+#include <netdb.h>
+#include <pwd.h>
+#include <grp.h>
+
+#include "var.h"
+#include "misc.h"
+#include "vmbuf.h"
+#include "plog.h"
+#include "sockmisc.h"
+#include "str2val.h"
+#include "genlist.h"
+#include "debug.h"
+
+#include "admin.h"
+#include "privsep.h"
+#include "cfparse_proto.h"
+#include "cftoken_proto.h"
+#include "algorithm.h"
+#include "localconf.h"
+#include "policy.h"
+#include "sainfo.h"
+#include "oakley.h"
+#include "pfkey.h"
+#include "remoteconf.h"
+#include "grabmyaddr.h"
+#include "isakmp_var.h"
+#include "handler.h"
+#include "isakmp.h"
+#include "nattraversal.h"
+#include "isakmp_frag.h"
+#ifdef ENABLE_HYBRID
+#include "resolv.h"
+#include "isakmp_unity.h"
+#include "isakmp_xauth.h"
+#include "isakmp_cfg.h"
+#endif
+#include "ipsec_doi.h"
+#include "strnames.h"
+#include "gcmalloc.h"
+#ifdef HAVE_GSSAPI
+#include "gssapi.h"
+#endif
+#include "vendorid.h"
+#include "rsalist.h"
+#include "crypto_openssl.h"
+
+struct secprotospec {
+ int prop_no;
+ int trns_no;
+ int strength; /* for isakmp/ipsec */
+ int encklen; /* for isakmp/ipsec */
+ time_t lifetime; /* for isakmp */
+ int lifebyte; /* for isakmp */
+ int proto_id; /* for ipsec (isakmp?) */
+ int ipsec_level; /* for ipsec */
+ int encmode; /* for ipsec */
+ int vendorid; /* for isakmp */
+ char *gssid;
+ struct sockaddr *remote;
+ int algclass[MAXALGCLASS];
+
+ struct secprotospec *next; /* the tail is the most prefiered. */
+ struct secprotospec *prev;
+};
+
+static int num2dhgroup[] = {
+ 0,
+ OAKLEY_ATTR_GRP_DESC_MODP768,
+ OAKLEY_ATTR_GRP_DESC_MODP1024,
+ OAKLEY_ATTR_GRP_DESC_EC2N155,
+ OAKLEY_ATTR_GRP_DESC_EC2N185,
+ OAKLEY_ATTR_GRP_DESC_MODP1536,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ OAKLEY_ATTR_GRP_DESC_MODP2048,
+ OAKLEY_ATTR_GRP_DESC_MODP3072,
+ OAKLEY_ATTR_GRP_DESC_MODP4096,
+ OAKLEY_ATTR_GRP_DESC_MODP6144,
+ OAKLEY_ATTR_GRP_DESC_MODP8192
+};
+
+static struct remoteconf *cur_rmconf;
+static int tmpalgtype[MAXALGCLASS];
+static struct sainfo *cur_sainfo;
+static int cur_algclass;
+static int oldloglevel = LLV_BASE;
+
+static struct secprotospec *newspspec __P((void));
+static void insspspec __P((struct remoteconf *, struct secprotospec *));
+void dupspspec_list __P((struct remoteconf *dst, struct remoteconf *src));
+void flushspspec __P((struct remoteconf *));
+static void adminsock_conf __P((vchar_t *, vchar_t *, vchar_t *, int));
+
+static int set_isakmp_proposal __P((struct remoteconf *));
+static void clean_tmpalgtype __P((void));
+static int expand_isakmpspec __P((int, int, int *,
+ int, int, time_t, int, int, int, char *, struct remoteconf *));
+
+void freeetypes (struct etypes **etypes);
+
+static int load_x509(const char *file, char **filenameptr,
+ vchar_t **certptr)
+{
+ char path[PATH_MAX];
+
+ getpathname(path, sizeof(path), LC_PATHTYPE_CERT, file);
+ *certptr = eay_get_x509cert(path);
+ if (*certptr == NULL)
+ return -1;
+
+ *filenameptr = racoon_strdup(file);
+ STRDUP_FATAL(*filenameptr);
+
+ return 0;
+}
+
+static int process_rmconf()
+{
+
+ /* check a exchange mode */
+ if (cur_rmconf->etypes == NULL) {
+ yyerror("no exchange mode specified.\n");
+ return -1;
+ }
+
+ if (cur_rmconf->idvtype == IDTYPE_UNDEFINED)
+ cur_rmconf->idvtype = IDTYPE_ADDRESS;
+
+ if (cur_rmconf->idvtype == IDTYPE_ASN1DN) {
+ if (cur_rmconf->mycertfile) {
+ if (cur_rmconf->idv)
+ yywarn("Both CERT and ASN1 ID "
+ "are set. Hope this is OK.\n");
+ /* TODO: Preparse the DN here */
+ } else if (cur_rmconf->idv) {
+ /* OK, using asn1dn without X.509. */
+ } else {
+ yyerror("ASN1 ID not specified "
+ "and no CERT defined!\n");
+ return -1;
+ }
+ }
+
+ if (duprmconf_finish(cur_rmconf))
+ return -1;
+
+ if (set_isakmp_proposal(cur_rmconf) != 0)
+ return -1;
+
+ /* DH group settting if aggressive mode is there. */
+ if (check_etypeok(cur_rmconf, (void*) ISAKMP_ETYPE_AGG)) {
+ struct isakmpsa *p;
+ int b = 0;
+
+ /* DH group */
+ for (p = cur_rmconf->proposal; p; p = p->next) {
+ if (b == 0 || (b && b == p->dh_group)) {
+ b = p->dh_group;
+ continue;
+ }
+ yyerror("DH group must be equal "
+ "in all proposals "
+ "when aggressive mode is "
+ "used.\n");
+ return -1;
+ }
+ cur_rmconf->dh_group = b;
+
+ if (cur_rmconf->dh_group == 0) {
+ yyerror("DH group must be set in the proposal.\n");
+ return -1;
+ }
+
+ /* DH group settting if PFS is required. */
+ if (oakley_setdhgroup(cur_rmconf->dh_group,
+ &cur_rmconf->dhgrp) < 0) {
+ yyerror("failed to set DH value.\n");
+ return -1;
+ }
+ }
+
+ insrmconf(cur_rmconf);
+
+ return 0;
+}
+
+%}
+
+%union {
+ unsigned long num;
+ vchar_t *val;
+ struct remoteconf *rmconf;
+ struct sockaddr *saddr;
+ struct sainfoalg *alg;
+}
+
+ /* privsep */
+%token PRIVSEP USER GROUP CHROOT
+ /* path */
+%token PATH PATHTYPE
+ /* include */
+%token INCLUDE
+ /* PFKEY_BUFFER */
+%token PFKEY_BUFFER
+ /* logging */
+%token LOGGING LOGLEV
+ /* padding */
+%token PADDING PAD_RANDOMIZE PAD_RANDOMIZELEN PAD_MAXLEN PAD_STRICT PAD_EXCLTAIL
+ /* listen */
+%token LISTEN X_ISAKMP X_ISAKMP_NATT X_ADMIN STRICT_ADDRESS ADMINSOCK DISABLED
+ /* ldap config */
+%token LDAPCFG LDAP_HOST LDAP_PORT LDAP_PVER LDAP_BASE LDAP_BIND_DN LDAP_BIND_PW LDAP_SUBTREE
+%token LDAP_ATTR_USER LDAP_ATTR_ADDR LDAP_ATTR_MASK LDAP_ATTR_GROUP LDAP_ATTR_MEMBER
+ /* radius config */
+%token RADCFG RAD_AUTH RAD_ACCT RAD_TIMEOUT RAD_RETRIES
+ /* modecfg */
+%token MODECFG CFG_NET4 CFG_MASK4 CFG_DNS4 CFG_NBNS4 CFG_DEFAULT_DOMAIN
+%token CFG_AUTH_SOURCE CFG_AUTH_GROUPS CFG_SYSTEM CFG_RADIUS CFG_PAM CFG_LDAP CFG_LOCAL CFG_NONE
+%token CFG_GROUP_SOURCE CFG_ACCOUNTING CFG_CONF_SOURCE CFG_MOTD CFG_POOL_SIZE CFG_AUTH_THROTTLE
+%token CFG_SPLIT_NETWORK CFG_SPLIT_LOCAL CFG_SPLIT_INCLUDE CFG_SPLIT_DNS
+%token CFG_PFS_GROUP CFG_SAVE_PASSWD
+
+ /* timer */
+%token RETRY RETRY_COUNTER RETRY_INTERVAL RETRY_PERSEND
+%token RETRY_PHASE1 RETRY_PHASE2 NATT_KA
+ /* algorithm */
+%token ALGORITHM_CLASS ALGORITHMTYPE STRENGTHTYPE
+ /* sainfo */
+%token SAINFO FROM
+ /* remote */
+%token REMOTE ANONYMOUS CLIENTADDR INHERIT REMOTE_ADDRESS
+%token EXCHANGE_MODE EXCHANGETYPE DOI DOITYPE SITUATION SITUATIONTYPE
+%token CERTIFICATE_TYPE CERTTYPE PEERS_CERTFILE CA_TYPE
+%token VERIFY_CERT SEND_CERT SEND_CR MATCH_EMPTY_CR
+%token IDENTIFIERTYPE IDENTIFIERQUAL MY_IDENTIFIER
+%token PEERS_IDENTIFIER VERIFY_IDENTIFIER
+%token DNSSEC CERT_X509 CERT_PLAINRSA
+%token NONCE_SIZE DH_GROUP KEEPALIVE PASSIVE INITIAL_CONTACT
+%token NAT_TRAVERSAL REMOTE_FORCE_LEVEL
+%token PROPOSAL_CHECK PROPOSAL_CHECK_LEVEL
+%token GENERATE_POLICY GENERATE_LEVEL SUPPORT_PROXY
+%token PROPOSAL
+%token EXEC_PATH EXEC_COMMAND EXEC_SUCCESS EXEC_FAILURE
+%token GSS_ID GSS_ID_ENC GSS_ID_ENCTYPE
+%token COMPLEX_BUNDLE
+%token DPD DPD_DELAY DPD_RETRY DPD_MAXFAIL
+%token PH1ID
+%token XAUTH_LOGIN WEAK_PHASE1_CHECK
+%token REKEY
+
+%token PREFIX PORT PORTANY UL_PROTO ANY IKE_FRAG ESP_FRAG MODE_CFG
+%token PFS_GROUP LIFETIME LIFETYPE_TIME LIFETYPE_BYTE STRENGTH REMOTEID
+
+%token SCRIPT PHASE1_UP PHASE1_DOWN PHASE1_DEAD
+
+%token NUMBER SWITCH BOOLEAN
+%token HEXSTRING QUOTEDSTRING ADDRSTRING ADDRRANGE
+%token UNITTYPE_BYTE UNITTYPE_KBYTES UNITTYPE_MBYTES UNITTYPE_TBYTES
+%token UNITTYPE_SEC UNITTYPE_MIN UNITTYPE_HOUR
+%token EOS BOC EOC COMMA
+
+%type <num> NUMBER BOOLEAN SWITCH keylength
+%type <num> PATHTYPE IDENTIFIERTYPE IDENTIFIERQUAL LOGLEV GSS_ID_ENCTYPE
+%type <num> ALGORITHM_CLASS dh_group_num
+%type <num> ALGORITHMTYPE STRENGTHTYPE
+%type <num> PREFIX prefix PORT port ike_port
+%type <num> ul_proto UL_PROTO
+%type <num> EXCHANGETYPE DOITYPE SITUATIONTYPE
+%type <num> CERTTYPE CERT_X509 CERT_PLAINRSA PROPOSAL_CHECK_LEVEL REMOTE_FORCE_LEVEL GENERATE_LEVEL
+%type <num> unittype_time unittype_byte
+%type <val> QUOTEDSTRING HEXSTRING ADDRSTRING ADDRRANGE sainfo_id
+%type <val> identifierstring
+%type <saddr> remote_index ike_addrinfo_port
+%type <alg> algorithm
+
+%%
+
+statements
+ : /* nothing */
+ | statements statement
+ ;
+statement
+ : privsep_statement
+ | path_statement
+ | include_statement
+ | pfkey_statement
+ | gssenc_statement
+ | logging_statement
+ | padding_statement
+ | listen_statement
+ | ldapcfg_statement
+ | radcfg_statement
+ | modecfg_statement
+ | timer_statement
+ | sainfo_statement
+ | remote_statement
+ | special_statement
+ ;
+
+ /* privsep */
+privsep_statement
+ : PRIVSEP BOC privsep_stmts EOC
+ ;
+privsep_stmts
+ : /* nothing */
+ | privsep_stmts privsep_stmt
+ ;
+privsep_stmt
+ : USER QUOTEDSTRING
+ {
+ struct passwd *pw;
+
+ if ((pw = getpwnam($2->v)) == NULL) {
+ yyerror("unknown user \"%s\"", $2->v);
+ return -1;
+ }
+ lcconf->uid = pw->pw_uid;
+ }
+ EOS
+ | USER NUMBER { lcconf->uid = $2; } EOS
+ | GROUP QUOTEDSTRING
+ {
+ struct group *gr;
+
+ if ((gr = getgrnam($2->v)) == NULL) {
+ yyerror("unknown group \"%s\"", $2->v);
+ return -1;
+ }
+ lcconf->gid = gr->gr_gid;
+ }
+ EOS
+ | GROUP NUMBER { lcconf->gid = $2; } EOS
+ | CHROOT QUOTEDSTRING { lcconf->chroot = $2->v; } EOS
+ ;
+
+ /* path */
+path_statement
+ : PATH PATHTYPE QUOTEDSTRING
+ {
+ if ($2 >= LC_PATHTYPE_MAX) {
+ yyerror("invalid path type %d", $2);
+ return -1;
+ }
+
+ /* free old pathinfo */
+ if (lcconf->pathinfo[$2])
+ racoon_free(lcconf->pathinfo[$2]);
+
+ /* set new pathinfo */
+ lcconf->pathinfo[$2] = racoon_strdup($3->v);
+ STRDUP_FATAL(lcconf->pathinfo[$2]);
+ vfree($3);
+ }
+ EOS
+ ;
+
+ /* special */
+special_statement
+ : COMPLEX_BUNDLE SWITCH { lcconf->complex_bundle = $2; } EOS
+ ;
+
+ /* include */
+include_statement
+ : INCLUDE QUOTEDSTRING EOS
+ {
+ char path[MAXPATHLEN];
+
+ getpathname(path, sizeof(path),
+ LC_PATHTYPE_INCLUDE, $2->v);
+ vfree($2);
+ if (yycf_switch_buffer(path) != 0)
+ return -1;
+ }
+ ;
+
+ /* pfkey_buffer */
+pfkey_statement
+ : PFKEY_BUFFER NUMBER EOS
+ {
+ lcconf->pfkey_buffer_size = $2;
+ }
+ ;
+ /* gss_id_enc */
+gssenc_statement
+ : GSS_ID_ENC GSS_ID_ENCTYPE EOS
+ {
+ if ($2 >= LC_GSSENC_MAX) {
+ yyerror("invalid GSS ID encoding %d", $2);
+ return -1;
+ }
+ lcconf->gss_id_enc = $2;
+ }
+ ;
+
+ /* logging */
+logging_statement
+ : LOGGING log_level EOS
+ ;
+log_level
+ : LOGLEV
+ {
+ /*
+ * set the loglevel to the value specified
+ * in the configuration file plus the number
+ * of -d options specified on the command line
+ */
+ loglevel += $1 - oldloglevel;
+ oldloglevel = $1;
+ }
+ ;
+
+ /* padding */
+padding_statement
+ : PADDING BOC padding_stmts EOC
+ ;
+padding_stmts
+ : /* nothing */
+ | padding_stmts padding_stmt
+ ;
+padding_stmt
+ : PAD_RANDOMIZE SWITCH { lcconf->pad_random = $2; } EOS
+ | PAD_RANDOMIZELEN SWITCH { lcconf->pad_randomlen = $2; } EOS
+ | PAD_MAXLEN NUMBER { lcconf->pad_maxsize = $2; } EOS
+ | PAD_STRICT SWITCH { lcconf->pad_strict = $2; } EOS
+ | PAD_EXCLTAIL SWITCH { lcconf->pad_excltail = $2; } EOS
+ ;
+
+ /* listen */
+listen_statement
+ : LISTEN BOC listen_stmts EOC
+ ;
+listen_stmts
+ : /* nothing */
+ | listen_stmts listen_stmt
+ ;
+listen_stmt
+ : X_ISAKMP ike_addrinfo_port
+ {
+ myaddr_listen($2, FALSE);
+ racoon_free($2);
+ }
+ EOS
+ | X_ISAKMP_NATT ike_addrinfo_port
+ {
+#ifdef ENABLE_NATT
+ myaddr_listen($2, TRUE);
+ racoon_free($2);
+#else
+ racoon_free($2);
+ yyerror("NAT-T support not compiled in.");
+#endif
+ }
+ EOS
+ | ADMINSOCK QUOTEDSTRING QUOTEDSTRING QUOTEDSTRING NUMBER
+ {
+#ifdef ENABLE_ADMINPORT
+ adminsock_conf($2, $3, $4, $5);
+#else
+ yywarn("admin port support not compiled in");
+#endif
+ }
+ EOS
+ | ADMINSOCK QUOTEDSTRING
+ {
+#ifdef ENABLE_ADMINPORT
+ adminsock_conf($2, NULL, NULL, -1);
+#else
+ yywarn("admin port support not compiled in");
+#endif
+ }
+ EOS
+ | ADMINSOCK DISABLED
+ {
+#ifdef ENABLE_ADMINPORT
+ adminsock_path = NULL;
+#else
+ yywarn("admin port support not compiled in");
+#endif
+ }
+ EOS
+ | STRICT_ADDRESS { lcconf->strict_address = TRUE; } EOS
+ ;
+ike_addrinfo_port
+ : ADDRSTRING ike_port
+ {
+ char portbuf[10];
+
+ snprintf(portbuf, sizeof(portbuf), "%ld", $2);
+ $$ = str2saddr($1->v, portbuf);
+ vfree($1);
+ if (!$$)
+ return -1;
+ }
+ ;
+ike_port
+ : /* nothing */ { $$ = PORT_ISAKMP; }
+ | PORT { $$ = $1; }
+ ;
+
+ /* radius configuration */
+radcfg_statement
+ : RADCFG {
+#ifndef ENABLE_HYBRID
+ yyerror("racoon not configured with --enable-hybrid");
+ return -1;
+#endif
+#ifndef HAVE_LIBRADIUS
+ yyerror("racoon not configured with --with-libradius");
+ return -1;
+#endif
+#ifdef ENABLE_HYBRID
+#ifdef HAVE_LIBRADIUS
+ xauth_rad_config.timeout = 3;
+ xauth_rad_config.retries = 3;
+#endif
+#endif
+ } BOC radcfg_stmts EOC
+ ;
+radcfg_stmts
+ : /* nothing */
+ | radcfg_stmts radcfg_stmt
+ ;
+radcfg_stmt
+ : RAD_AUTH QUOTEDSTRING QUOTEDSTRING
+ {
+#ifdef ENABLE_HYBRID
+#ifdef HAVE_LIBRADIUS
+ int i = xauth_rad_config.auth_server_count;
+ if (i == RADIUS_MAX_SERVERS) {
+ yyerror("maximum radius auth servers exceeded");
+ return -1;
+ }
+
+ xauth_rad_config.auth_server_list[i].host = vdup($2);
+ xauth_rad_config.auth_server_list[i].secret = vdup($3);
+ xauth_rad_config.auth_server_list[i].port = 0; // default port
+ xauth_rad_config.auth_server_count++;
+#endif
+#endif
+ }
+ EOS
+ | RAD_AUTH QUOTEDSTRING NUMBER QUOTEDSTRING
+ {
+#ifdef ENABLE_HYBRID
+#ifdef HAVE_LIBRADIUS
+ int i = xauth_rad_config.auth_server_count;
+ if (i == RADIUS_MAX_SERVERS) {
+ yyerror("maximum radius auth servers exceeded");
+ return -1;
+ }
+
+ xauth_rad_config.auth_server_list[i].host = vdup($2);
+ xauth_rad_config.auth_server_list[i].secret = vdup($4);
+ xauth_rad_config.auth_server_list[i].port = $3;
+ xauth_rad_config.auth_server_count++;
+#endif
+#endif
+ }
+ EOS
+ | RAD_ACCT QUOTEDSTRING QUOTEDSTRING
+ {
+#ifdef ENABLE_HYBRID
+#ifdef HAVE_LIBRADIUS
+ int i = xauth_rad_config.acct_server_count;
+ if (i == RADIUS_MAX_SERVERS) {
+ yyerror("maximum radius account servers exceeded");
+ return -1;
+ }
+
+ xauth_rad_config.acct_server_list[i].host = vdup($2);
+ xauth_rad_config.acct_server_list[i].secret = vdup($3);
+ xauth_rad_config.acct_server_list[i].port = 0; // default port
+ xauth_rad_config.acct_server_count++;
+#endif
+#endif
+ }
+ EOS
+ | RAD_ACCT QUOTEDSTRING NUMBER QUOTEDSTRING
+ {
+#ifdef ENABLE_HYBRID
+#ifdef HAVE_LIBRADIUS
+ int i = xauth_rad_config.acct_server_count;
+ if (i == RADIUS_MAX_SERVERS) {
+ yyerror("maximum radius account servers exceeded");
+ return -1;
+ }
+
+ xauth_rad_config.acct_server_list[i].host = vdup($2);
+ xauth_rad_config.acct_server_list[i].secret = vdup($4);
+ xauth_rad_config.acct_server_list[i].port = $3;
+ xauth_rad_config.acct_server_count++;
+#endif
+#endif
+ }
+ EOS
+ | RAD_TIMEOUT NUMBER
+ {
+#ifdef ENABLE_HYBRID
+#ifdef HAVE_LIBRADIUS
+ xauth_rad_config.timeout = $2;
+#endif
+#endif
+ }
+ EOS
+ | RAD_RETRIES NUMBER
+ {
+#ifdef ENABLE_HYBRID
+#ifdef HAVE_LIBRADIUS
+ xauth_rad_config.retries = $2;
+#endif
+#endif
+ }
+ EOS
+ ;
+
+ /* ldap configuration */
+ldapcfg_statement
+ : LDAPCFG {
+#ifndef ENABLE_HYBRID
+ yyerror("racoon not configured with --enable-hybrid");
+ return -1;
+#endif
+#ifndef HAVE_LIBLDAP
+ yyerror("racoon not configured with --with-libldap");
+ return -1;
+#endif
+ } BOC ldapcfg_stmts EOC
+ ;
+ldapcfg_stmts
+ : /* nothing */
+ | ldapcfg_stmts ldapcfg_stmt
+ ;
+ldapcfg_stmt
+ : LDAP_PVER NUMBER
+ {
+#ifdef ENABLE_HYBRID
+#ifdef HAVE_LIBLDAP
+ if (($2<2)||($2>3))
+ yyerror("invalid ldap protocol version (2|3)");
+ xauth_ldap_config.pver = $2;
+#endif
+#endif
+ }
+ EOS
+ | LDAP_HOST QUOTEDSTRING
+ {
+#ifdef ENABLE_HYBRID
+#ifdef HAVE_LIBLDAP
+ if (xauth_ldap_config.host != NULL)
+ vfree(xauth_ldap_config.host);
+ xauth_ldap_config.host = vdup($2);
+#endif
+#endif
+ }
+ EOS
+ | LDAP_PORT NUMBER
+ {
+#ifdef ENABLE_HYBRID
+#ifdef HAVE_LIBLDAP
+ xauth_ldap_config.port = $2;
+#endif
+#endif
+ }
+ EOS
+ | LDAP_BASE QUOTEDSTRING
+ {
+#ifdef ENABLE_HYBRID
+#ifdef HAVE_LIBLDAP
+ if (xauth_ldap_config.base != NULL)
+ vfree(xauth_ldap_config.base);
+ xauth_ldap_config.base = vdup($2);
+#endif
+#endif
+ }
+ EOS
+ | LDAP_SUBTREE SWITCH
+ {
+#ifdef ENABLE_HYBRID
+#ifdef HAVE_LIBLDAP
+ xauth_ldap_config.subtree = $2;
+#endif
+#endif
+ }
+ EOS
+ | LDAP_BIND_DN QUOTEDSTRING
+ {
+#ifdef ENABLE_HYBRID
+#ifdef HAVE_LIBLDAP
+ if (xauth_ldap_config.bind_dn != NULL)
+ vfree(xauth_ldap_config.bind_dn);
+ xauth_ldap_config.bind_dn = vdup($2);
+#endif
+#endif
+ }
+ EOS
+ | LDAP_BIND_PW QUOTEDSTRING
+ {
+#ifdef ENABLE_HYBRID
+#ifdef HAVE_LIBLDAP
+ if (xauth_ldap_config.bind_pw != NULL)
+ vfree(xauth_ldap_config.bind_pw);
+ xauth_ldap_config.bind_pw = vdup($2);
+#endif
+#endif
+ }
+ EOS
+ | LDAP_ATTR_USER QUOTEDSTRING
+ {
+#ifdef ENABLE_HYBRID
+#ifdef HAVE_LIBLDAP
+ if (xauth_ldap_config.attr_user != NULL)
+ vfree(xauth_ldap_config.attr_user);
+ xauth_ldap_config.attr_user = vdup($2);
+#endif
+#endif
+ }
+ EOS
+ | LDAP_ATTR_ADDR QUOTEDSTRING
+ {
+#ifdef ENABLE_HYBRID
+#ifdef HAVE_LIBLDAP
+ if (xauth_ldap_config.attr_addr != NULL)
+ vfree(xauth_ldap_config.attr_addr);
+ xauth_ldap_config.attr_addr = vdup($2);
+#endif
+#endif
+ }
+ EOS
+ | LDAP_ATTR_MASK QUOTEDSTRING
+ {
+#ifdef ENABLE_HYBRID
+#ifdef HAVE_LIBLDAP
+ if (xauth_ldap_config.attr_mask != NULL)
+ vfree(xauth_ldap_config.attr_mask);
+ xauth_ldap_config.attr_mask = vdup($2);
+#endif
+#endif
+ }
+ EOS
+ | LDAP_ATTR_GROUP QUOTEDSTRING
+ {
+#ifdef ENABLE_HYBRID
+#ifdef HAVE_LIBLDAP
+ if (xauth_ldap_config.attr_group != NULL)
+ vfree(xauth_ldap_config.attr_group);
+ xauth_ldap_config.attr_group = vdup($2);
+#endif
+#endif
+ }
+ EOS
+ | LDAP_ATTR_MEMBER QUOTEDSTRING
+ {
+#ifdef ENABLE_HYBRID
+#ifdef HAVE_LIBLDAP
+ if (xauth_ldap_config.attr_member != NULL)
+ vfree(xauth_ldap_config.attr_member);
+ xauth_ldap_config.attr_member = vdup($2);
+#endif
+#endif
+ }
+ EOS
+ ;
+
+ /* modecfg */
+modecfg_statement
+ : MODECFG BOC modecfg_stmts EOC
+ ;
+modecfg_stmts
+ : /* nothing */
+ | modecfg_stmts modecfg_stmt
+ ;
+modecfg_stmt
+ : CFG_NET4 ADDRSTRING
+ {
+#ifdef ENABLE_HYBRID
+ if (inet_pton(AF_INET, $2->v,
+ &isakmp_cfg_config.network4) != 1)
+ yyerror("bad IPv4 network address.");
+#else
+ yyerror("racoon not configured with --enable-hybrid");
+#endif
+ }
+ EOS
+ | CFG_MASK4 ADDRSTRING
+ {
+#ifdef ENABLE_HYBRID
+ if (inet_pton(AF_INET, $2->v,
+ &isakmp_cfg_config.netmask4) != 1)
+ yyerror("bad IPv4 netmask address.");
+#else
+ yyerror("racoon not configured with --enable-hybrid");
+#endif
+ }
+ EOS
+ | CFG_DNS4 addrdnslist
+ EOS
+ | CFG_NBNS4 addrwinslist
+ EOS
+ | CFG_SPLIT_NETWORK CFG_SPLIT_LOCAL splitnetlist
+ {
+#ifdef ENABLE_HYBRID
+ isakmp_cfg_config.splitnet_type = UNITY_LOCAL_LAN;
+#else
+ yyerror("racoon not configured with --enable-hybrid");
+#endif
+ }
+ EOS
+ | CFG_SPLIT_NETWORK CFG_SPLIT_INCLUDE splitnetlist
+ {
+#ifdef ENABLE_HYBRID
+ isakmp_cfg_config.splitnet_type = UNITY_SPLIT_INCLUDE;
+#else
+ yyerror("racoon not configured with --enable-hybrid");
+#endif
+ }
+ EOS
+ | CFG_SPLIT_DNS splitdnslist
+ {
+#ifndef ENABLE_HYBRID
+ yyerror("racoon not configured with --enable-hybrid");
+#endif
+ }
+ EOS
+ | CFG_DEFAULT_DOMAIN QUOTEDSTRING
+ {
+#ifdef ENABLE_HYBRID
+ strncpy(&isakmp_cfg_config.default_domain[0],
+ $2->v, MAXPATHLEN);
+ isakmp_cfg_config.default_domain[MAXPATHLEN] = '\0';
+ vfree($2);
+#else
+ yyerror("racoon not configured with --enable-hybrid");
+#endif
+ }
+ EOS
+ | CFG_AUTH_SOURCE CFG_SYSTEM
+ {
+#ifdef ENABLE_HYBRID
+ isakmp_cfg_config.authsource = ISAKMP_CFG_AUTH_SYSTEM;
+#else
+ yyerror("racoon not configured with --enable-hybrid");
+#endif
+ }
+ EOS
+ | CFG_AUTH_SOURCE CFG_RADIUS
+ {
+#ifdef ENABLE_HYBRID
+#ifdef HAVE_LIBRADIUS
+ isakmp_cfg_config.authsource = ISAKMP_CFG_AUTH_RADIUS;
+#else /* HAVE_LIBRADIUS */
+ yyerror("racoon not configured with --with-libradius");
+#endif /* HAVE_LIBRADIUS */
+#else /* ENABLE_HYBRID */
+ yyerror("racoon not configured with --enable-hybrid");
+#endif /* ENABLE_HYBRID */
+ }
+ EOS
+ | CFG_AUTH_SOURCE CFG_PAM
+ {
+#ifdef ENABLE_HYBRID
+#ifdef HAVE_LIBPAM
+ isakmp_cfg_config.authsource = ISAKMP_CFG_AUTH_PAM;
+#else /* HAVE_LIBPAM */
+ yyerror("racoon not configured with --with-libpam");
+#endif /* HAVE_LIBPAM */
+#else /* ENABLE_HYBRID */
+ yyerror("racoon not configured with --enable-hybrid");
+#endif /* ENABLE_HYBRID */
+ }
+ EOS
+ | CFG_AUTH_SOURCE CFG_LDAP
+ {
+#ifdef ENABLE_HYBRID
+#ifdef HAVE_LIBLDAP
+ isakmp_cfg_config.authsource = ISAKMP_CFG_AUTH_LDAP;
+#else /* HAVE_LIBLDAP */
+ yyerror("racoon not configured with --with-libldap");
+#endif /* HAVE_LIBLDAP */
+#else /* ENABLE_HYBRID */
+ yyerror("racoon not configured with --enable-hybrid");
+#endif /* ENABLE_HYBRID */
+ }
+ EOS
+ | CFG_AUTH_GROUPS authgrouplist
+ {
+#ifndef ENABLE_HYBRID
+ yyerror("racoon not configured with --enable-hybrid");
+#endif
+ }
+ EOS
+ | CFG_GROUP_SOURCE CFG_SYSTEM
+ {
+#ifdef ENABLE_HYBRID
+ isakmp_cfg_config.groupsource = ISAKMP_CFG_GROUP_SYSTEM;
+#else
+ yyerror("racoon not configured with --enable-hybrid");
+#endif
+ }
+ EOS
+ | CFG_GROUP_SOURCE CFG_LDAP
+ {
+#ifdef ENABLE_HYBRID
+#ifdef HAVE_LIBLDAP
+ isakmp_cfg_config.groupsource = ISAKMP_CFG_GROUP_LDAP;
+#else /* HAVE_LIBLDAP */
+ yyerror("racoon not configured with --with-libldap");
+#endif /* HAVE_LIBLDAP */
+#else /* ENABLE_HYBRID */
+ yyerror("racoon not configured with --enable-hybrid");
+#endif /* ENABLE_HYBRID */
+ }
+ EOS
+ | CFG_ACCOUNTING CFG_NONE
+ {
+#ifdef ENABLE_HYBRID
+ isakmp_cfg_config.accounting = ISAKMP_CFG_ACCT_NONE;
+#else
+ yyerror("racoon not configured with --enable-hybrid");
+#endif
+ }
+ EOS
+ | CFG_ACCOUNTING CFG_SYSTEM
+ {
+#ifdef ENABLE_HYBRID
+ isakmp_cfg_config.accounting = ISAKMP_CFG_ACCT_SYSTEM;
+#else
+ yyerror("racoon not configured with --enable-hybrid");
+#endif
+ }
+ EOS
+ | CFG_ACCOUNTING CFG_RADIUS
+ {
+#ifdef ENABLE_HYBRID
+#ifdef HAVE_LIBRADIUS
+ isakmp_cfg_config.accounting = ISAKMP_CFG_ACCT_RADIUS;
+#else /* HAVE_LIBRADIUS */
+ yyerror("racoon not configured with --with-libradius");
+#endif /* HAVE_LIBRADIUS */
+#else /* ENABLE_HYBRID */
+ yyerror("racoon not configured with --enable-hybrid");
+#endif /* ENABLE_HYBRID */
+ }
+ EOS
+ | CFG_ACCOUNTING CFG_PAM
+ {
+#ifdef ENABLE_HYBRID
+#ifdef HAVE_LIBPAM
+ isakmp_cfg_config.accounting = ISAKMP_CFG_ACCT_PAM;
+#else /* HAVE_LIBPAM */
+ yyerror("racoon not configured with --with-libpam");
+#endif /* HAVE_LIBPAM */
+#else /* ENABLE_HYBRID */
+ yyerror("racoon not configured with --enable-hybrid");
+#endif /* ENABLE_HYBRID */
+ }
+ EOS
+ | CFG_POOL_SIZE NUMBER
+ {
+#ifdef ENABLE_HYBRID
+ if (isakmp_cfg_resize_pool($2) != 0)
+ yyerror("cannot allocate memory for pool");
+#else /* ENABLE_HYBRID */
+ yyerror("racoon not configured with --enable-hybrid");
+#endif /* ENABLE_HYBRID */
+ }
+ EOS
+ | CFG_PFS_GROUP NUMBER
+ {
+#ifdef ENABLE_HYBRID
+ isakmp_cfg_config.pfs_group = $2;
+#else /* ENABLE_HYBRID */
+ yyerror("racoon not configured with --enable-hybrid");
+#endif /* ENABLE_HYBRID */
+ }
+ EOS
+ | CFG_SAVE_PASSWD SWITCH
+ {
+#ifdef ENABLE_HYBRID
+ isakmp_cfg_config.save_passwd = $2;
+#else /* ENABLE_HYBRID */
+ yyerror("racoon not configured with --enable-hybrid");
+#endif /* ENABLE_HYBRID */
+ }
+ EOS
+ | CFG_AUTH_THROTTLE NUMBER
+ {
+#ifdef ENABLE_HYBRID
+ isakmp_cfg_config.auth_throttle = $2;
+#else /* ENABLE_HYBRID */
+ yyerror("racoon not configured with --enable-hybrid");
+#endif /* ENABLE_HYBRID */
+ }
+ EOS
+ | CFG_CONF_SOURCE CFG_LOCAL
+ {
+#ifdef ENABLE_HYBRID
+ isakmp_cfg_config.confsource = ISAKMP_CFG_CONF_LOCAL;
+#else /* ENABLE_HYBRID */
+ yyerror("racoon not configured with --enable-hybrid");
+#endif /* ENABLE_HYBRID */
+ }
+ EOS
+ | CFG_CONF_SOURCE CFG_RADIUS
+ {
+#ifdef ENABLE_HYBRID
+#ifdef HAVE_LIBRADIUS
+ isakmp_cfg_config.confsource = ISAKMP_CFG_CONF_RADIUS;
+#else /* HAVE_LIBRADIUS */
+ yyerror("racoon not configured with --with-libradius");
+#endif /* HAVE_LIBRADIUS */
+#else /* ENABLE_HYBRID */
+ yyerror("racoon not configured with --enable-hybrid");
+#endif /* ENABLE_HYBRID */
+ }
+ EOS
+ | CFG_CONF_SOURCE CFG_LDAP
+ {
+#ifdef ENABLE_HYBRID
+#ifdef HAVE_LIBLDAP
+ isakmp_cfg_config.confsource = ISAKMP_CFG_CONF_LDAP;
+#else /* HAVE_LIBLDAP */
+ yyerror("racoon not configured with --with-libldap");
+#endif /* HAVE_LIBLDAP */
+#else /* ENABLE_HYBRID */
+ yyerror("racoon not configured with --enable-hybrid");
+#endif /* ENABLE_HYBRID */
+ }
+ EOS
+ | CFG_MOTD QUOTEDSTRING
+ {
+#ifdef ENABLE_HYBRID
+ strncpy(&isakmp_cfg_config.motd[0], $2->v, MAXPATHLEN);
+ isakmp_cfg_config.motd[MAXPATHLEN] = '\0';
+ vfree($2);
+#else
+ yyerror("racoon not configured with --enable-hybrid");
+#endif
+ }
+ EOS
+ ;
+
+addrdnslist
+ : addrdns
+ | addrdns COMMA addrdnslist
+ ;
+addrdns
+ : ADDRSTRING
+ {
+#ifdef ENABLE_HYBRID
+ struct isakmp_cfg_config *icc = &isakmp_cfg_config;
+
+ if (icc->dns4_index > MAXNS)
+ yyerror("No more than %d DNS", MAXNS);
+ if (inet_pton(AF_INET, $1->v,
+ &icc->dns4[icc->dns4_index++]) != 1)
+ yyerror("bad IPv4 DNS address.");
+#else
+ yyerror("racoon not configured with --enable-hybrid");
+#endif
+ }
+ ;
+
+addrwinslist
+ : addrwins
+ | addrwins COMMA addrwinslist
+ ;
+addrwins
+ : ADDRSTRING
+ {
+#ifdef ENABLE_HYBRID
+ struct isakmp_cfg_config *icc = &isakmp_cfg_config;
+
+ if (icc->nbns4_index > MAXWINS)
+ yyerror("No more than %d WINS", MAXWINS);
+ if (inet_pton(AF_INET, $1->v,
+ &icc->nbns4[icc->nbns4_index++]) != 1)
+ yyerror("bad IPv4 WINS address.");
+#else
+ yyerror("racoon not configured with --enable-hybrid");
+#endif
+ }
+ ;
+
+splitnetlist
+ : splitnet
+ | splitnetlist COMMA splitnet
+ ;
+splitnet
+ : ADDRSTRING PREFIX
+ {
+#ifdef ENABLE_HYBRID
+ struct isakmp_cfg_config *icc = &isakmp_cfg_config;
+ struct unity_network network;
+ memset(&network,0,sizeof(network));
+
+ if (inet_pton(AF_INET, $1->v, &network.addr4) != 1)
+ yyerror("bad IPv4 SPLIT address.");
+
+ /* Turn $2 (the prefix) into a subnet mask */
+ network.mask4.s_addr = ($2) ? htonl(~((1 << (32 - $2)) - 1)) : 0;
+
+ /* add the network to our list */
+ if (splitnet_list_add(&icc->splitnet_list, &network,&icc->splitnet_count))
+ yyerror("Unable to allocate split network");
+#else
+ yyerror("racoon not configured with --enable-hybrid");
+#endif
+ }
+ ;
+
+authgrouplist
+ : authgroup
+ | authgroup COMMA authgrouplist
+ ;
+authgroup
+ : QUOTEDSTRING
+ {
+#ifdef ENABLE_HYBRID
+ char * groupname = NULL;
+ char ** grouplist = NULL;
+ struct isakmp_cfg_config *icc = &isakmp_cfg_config;
+
+ grouplist = racoon_realloc(icc->grouplist,
+ sizeof(char**)*(icc->groupcount+1));
+ if (grouplist == NULL) {
+ yyerror("unable to allocate auth group list");
+ return -1;
+ }
+
+ groupname = racoon_malloc($1->l+1);
+ if (groupname == NULL) {
+ yyerror("unable to allocate auth group name");
+ return -1;
+ }
+
+ memcpy(groupname,$1->v,$1->l);
+ groupname[$1->l]=0;
+ grouplist[icc->groupcount]=groupname;
+ icc->grouplist = grouplist;
+ icc->groupcount++;
+
+ vfree($1);
+#else
+ yyerror("racoon not configured with --enable-hybrid");
+#endif
+ }
+ ;
+
+splitdnslist
+ : splitdns
+ | splitdns COMMA splitdnslist
+ ;
+splitdns
+ : QUOTEDSTRING
+ {
+#ifdef ENABLE_HYBRID
+ struct isakmp_cfg_config *icc = &isakmp_cfg_config;
+
+ if (!icc->splitdns_len)
+ {
+ icc->splitdns_list = racoon_malloc($1->l);
+ if(icc->splitdns_list == NULL) {
+ yyerror("error allocating splitdns list buffer");
+ return -1;
+ }
+ memcpy(icc->splitdns_list,$1->v,$1->l);
+ icc->splitdns_len = $1->l;
+ }
+ else
+ {
+ int len = icc->splitdns_len + $1->l + 1;
+ icc->splitdns_list = racoon_realloc(icc->splitdns_list,len);
+ if(icc->splitdns_list == NULL) {
+ yyerror("error allocating splitdns list buffer");
+ return -1;
+ }
+ icc->splitdns_list[icc->splitdns_len] = ',';
+ memcpy(icc->splitdns_list + icc->splitdns_len + 1, $1->v, $1->l);
+ icc->splitdns_len = len;
+ }
+ vfree($1);
+#else
+ yyerror("racoon not configured with --enable-hybrid");
+#endif
+ }
+ ;
+
+
+ /* timer */
+timer_statement
+ : RETRY BOC timer_stmts EOC
+ ;
+timer_stmts
+ : /* nothing */
+ | timer_stmts timer_stmt
+ ;
+timer_stmt
+ : RETRY_COUNTER NUMBER
+ {
+ lcconf->retry_counter = $2;
+ }
+ EOS
+ | RETRY_INTERVAL NUMBER unittype_time
+ {
+ lcconf->retry_interval = $2 * $3;
+ }
+ EOS
+ | RETRY_PERSEND NUMBER
+ {
+ lcconf->count_persend = $2;
+ }
+ EOS
+ | RETRY_PHASE1 NUMBER unittype_time
+ {
+ lcconf->retry_checkph1 = $2 * $3;
+ }
+ EOS
+ | RETRY_PHASE2 NUMBER unittype_time
+ {
+ lcconf->wait_ph2complete = $2 * $3;
+ }
+ EOS
+ | NATT_KA NUMBER unittype_time
+ {
+#ifdef ENABLE_NATT
+ if (libipsec_opt & LIBIPSEC_OPT_NATT)
+ lcconf->natt_ka_interval = $2 * $3;
+ else
+ yyerror("libipsec lacks NAT-T support");
+#else
+ yyerror("NAT-T support not compiled in.");
+#endif
+ }
+ EOS
+ ;
+
+ /* sainfo */
+sainfo_statement
+ : SAINFO
+ {
+ cur_sainfo = newsainfo();
+ if (cur_sainfo == NULL) {
+ yyerror("failed to allocate sainfo");
+ return -1;
+ }
+ }
+ sainfo_name sainfo_param BOC sainfo_specs
+ {
+ struct sainfo *check;
+
+ /* default */
+ if (cur_sainfo->algs[algclass_ipsec_enc] == 0) {
+ yyerror("no encryption algorithm at %s",
+ sainfo2str(cur_sainfo));
+ return -1;
+ }
+ if (cur_sainfo->algs[algclass_ipsec_auth] == 0) {
+ yyerror("no authentication algorithm at %s",
+ sainfo2str(cur_sainfo));
+ return -1;
+ }
+ if (cur_sainfo->algs[algclass_ipsec_comp] == 0) {
+ yyerror("no compression algorithm at %s",
+ sainfo2str(cur_sainfo));
+ return -1;
+ }
+
+ /* duplicate check */
+ check = getsainfo(cur_sainfo->idsrc,
+ cur_sainfo->iddst,
+ cur_sainfo->id_i,
+ NULL,
+ cur_sainfo->remoteid);
+
+ if (check && ((check->idsrc != SAINFO_ANONYMOUS) &&
+ (cur_sainfo->idsrc != SAINFO_ANONYMOUS))) {
+ yyerror("duplicated sainfo: %s",
+ sainfo2str(cur_sainfo));
+ return -1;
+ }
+
+ inssainfo(cur_sainfo);
+ }
+ EOC
+ ;
+sainfo_name
+ : ANONYMOUS
+ {
+ cur_sainfo->idsrc = SAINFO_ANONYMOUS;
+ cur_sainfo->iddst = SAINFO_ANONYMOUS;
+ }
+ | ANONYMOUS CLIENTADDR
+ {
+ cur_sainfo->idsrc = SAINFO_ANONYMOUS;
+ cur_sainfo->iddst = SAINFO_CLIENTADDR;
+ }
+ | ANONYMOUS sainfo_id
+ {
+ cur_sainfo->idsrc = SAINFO_ANONYMOUS;
+ cur_sainfo->iddst = $2;
+ }
+ | sainfo_id ANONYMOUS
+ {
+ cur_sainfo->idsrc = $1;
+ cur_sainfo->iddst = SAINFO_ANONYMOUS;
+ }
+ | sainfo_id CLIENTADDR
+ {
+ cur_sainfo->idsrc = $1;
+ cur_sainfo->iddst = SAINFO_CLIENTADDR;
+ }
+ | sainfo_id sainfo_id
+ {
+ cur_sainfo->idsrc = $1;
+ cur_sainfo->iddst = $2;
+ }
+ ;
+sainfo_id
+ : IDENTIFIERTYPE ADDRSTRING prefix port ul_proto
+ {
+ char portbuf[10];
+ struct sockaddr *saddr;
+
+ if (($5 == IPPROTO_ICMP || $5 == IPPROTO_ICMPV6)
+ && ($4 != IPSEC_PORT_ANY || $4 != IPSEC_PORT_ANY)) {
+ yyerror("port number must be \"any\".");
+ return -1;
+ }
+
+ snprintf(portbuf, sizeof(portbuf), "%lu", $4);
+ saddr = str2saddr($2->v, portbuf);
+ vfree($2);
+ if (saddr == NULL)
+ return -1;
+
+ switch (saddr->sa_family) {
+ case AF_INET:
+ if ($5 == IPPROTO_ICMPV6) {
+ yyerror("upper layer protocol mismatched.\n");
+ racoon_free(saddr);
+ return -1;
+ }
+ $$ = ipsecdoi_sockaddr2id(saddr,
+ $3 == ~0 ? (sizeof(struct in_addr) << 3): $3,
+ $5);
+ break;
+#ifdef INET6
+ case AF_INET6:
+ if ($5 == IPPROTO_ICMP) {
+ yyerror("upper layer protocol mismatched.\n");
+ racoon_free(saddr);
+ return -1;
+ }
+ $$ = ipsecdoi_sockaddr2id(saddr,
+ $3 == ~0 ? (sizeof(struct in6_addr) << 3): $3,
+ $5);
+ break;
+#endif
+ default:
+ yyerror("invalid family: %d", saddr->sa_family);
+ $$ = NULL;
+ break;
+ }
+ racoon_free(saddr);
+ if ($$ == NULL)
+ return -1;
+ }
+ | IDENTIFIERTYPE ADDRSTRING ADDRRANGE prefix port ul_proto
+ {
+ char portbuf[10];
+ struct sockaddr *laddr = NULL, *haddr = NULL;
+ char *cur = NULL;
+
+ if (($6 == IPPROTO_ICMP || $6 == IPPROTO_ICMPV6)
+ && ($5 != IPSEC_PORT_ANY || $5 != IPSEC_PORT_ANY)) {
+ yyerror("port number must be \"any\".");
+ return -1;
+ }
+
+ snprintf(portbuf, sizeof(portbuf), "%lu", $5);
+
+ laddr = str2saddr($2->v, portbuf);
+ if (laddr == NULL) {
+ return -1;
+ }
+ vfree($2);
+ haddr = str2saddr($3->v, portbuf);
+ if (haddr == NULL) {
+ racoon_free(laddr);
+ return -1;
+ }
+ vfree($3);
+
+ switch (laddr->sa_family) {
+ case AF_INET:
+ if ($6 == IPPROTO_ICMPV6) {
+ yyerror("upper layer protocol mismatched.\n");
+ if (laddr)
+ racoon_free(laddr);
+ if (haddr)
+ racoon_free(haddr);
+ return -1;
+ }
+ $$ = ipsecdoi_sockrange2id(laddr, haddr,
+ $6);
+ break;
+#ifdef INET6
+ case AF_INET6:
+ if ($6 == IPPROTO_ICMP) {
+ yyerror("upper layer protocol mismatched.\n");
+ if (laddr)
+ racoon_free(laddr);
+ if (haddr)
+ racoon_free(haddr);
+ return -1;
+ }
+ $$ = ipsecdoi_sockrange2id(laddr, haddr,
+ $6);
+ break;
+#endif
+ default:
+ yyerror("invalid family: %d", laddr->sa_family);
+ $$ = NULL;
+ break;
+ }
+ if (laddr)
+ racoon_free(laddr);
+ if (haddr)
+ racoon_free(haddr);
+ if ($$ == NULL)
+ return -1;
+ }
+ | IDENTIFIERTYPE QUOTEDSTRING
+ {
+ struct ipsecdoi_id_b *id_b;
+
+ if ($1 == IDTYPE_ASN1DN) {
+ yyerror("id type forbidden: %d", $1);
+ $$ = NULL;
+ return -1;
+ }
+
+ $2->l--;
+
+ $$ = vmalloc(sizeof(*id_b) + $2->l);
+ if ($$ == NULL) {
+ yyerror("failed to allocate identifier");
+ return -1;
+ }
+
+ id_b = (struct ipsecdoi_id_b *)$$->v;
+ id_b->type = idtype2doi($1);
+
+ id_b->proto_id = 0;
+ id_b->port = 0;
+
+ memcpy($$->v + sizeof(*id_b), $2->v, $2->l);
+ }
+ ;
+sainfo_param
+ : /* nothing */
+ {
+ cur_sainfo->id_i = NULL;
+ }
+ | FROM IDENTIFIERTYPE identifierstring
+ {
+ struct ipsecdoi_id_b *id_b;
+ vchar_t *idv;
+
+ if (set_identifier(&idv, $2, $3) != 0) {
+ yyerror("failed to set identifer.\n");
+ return -1;
+ }
+ cur_sainfo->id_i = vmalloc(sizeof(*id_b) + idv->l);
+ if (cur_sainfo->id_i == NULL) {
+ yyerror("failed to allocate identifier");
+ return -1;
+ }
+
+ id_b = (struct ipsecdoi_id_b *)cur_sainfo->id_i->v;
+ id_b->type = idtype2doi($2);
+
+ id_b->proto_id = 0;
+ id_b->port = 0;
+
+ memcpy(cur_sainfo->id_i->v + sizeof(*id_b),
+ idv->v, idv->l);
+ vfree(idv);
+ }
+ | GROUP QUOTEDSTRING
+ {
+#ifdef ENABLE_HYBRID
+ if ((cur_sainfo->group = vdup($2)) == NULL) {
+ yyerror("failed to set sainfo xauth group.\n");
+ return -1;
+ }
+#else
+ yyerror("racoon not configured with --enable-hybrid");
+ return -1;
+#endif
+ }
+ ;
+sainfo_specs
+ : /* nothing */
+ | sainfo_specs sainfo_spec
+ ;
+sainfo_spec
+ : PFS_GROUP dh_group_num
+ {
+ cur_sainfo->pfs_group = $2;
+ }
+ EOS
+ | REMOTEID NUMBER
+ {
+ cur_sainfo->remoteid = $2;
+ }
+ EOS
+ | LIFETIME LIFETYPE_TIME NUMBER unittype_time
+ {
+ cur_sainfo->lifetime = $3 * $4;
+ }
+ EOS
+ | LIFETIME LIFETYPE_BYTE NUMBER unittype_byte
+ {
+#if 1
+ yyerror("byte lifetime support is deprecated");
+ return -1;
+#else
+ cur_sainfo->lifebyte = fix_lifebyte($3 * $4);
+ if (cur_sainfo->lifebyte == 0)
+ return -1;
+#endif
+ }
+ EOS
+ | ALGORITHM_CLASS {
+ cur_algclass = $1;
+ }
+ algorithms EOS
+ ;
+
+algorithms
+ : algorithm
+ {
+ inssainfoalg(&cur_sainfo->algs[cur_algclass], $1);
+ }
+ | algorithm
+ {
+ inssainfoalg(&cur_sainfo->algs[cur_algclass], $1);
+ }
+ COMMA algorithms
+ ;
+algorithm
+ : ALGORITHMTYPE keylength
+ {
+ int defklen;
+
+ $$ = newsainfoalg();
+ if ($$ == NULL) {
+ yyerror("failed to get algorithm allocation");
+ return -1;
+ }
+
+ $$->alg = algtype2doi(cur_algclass, $1);
+ if ($$->alg == -1) {
+ yyerror("algorithm mismatched");
+ racoon_free($$);
+ $$ = NULL;
+ return -1;
+ }
+
+ defklen = default_keylen(cur_algclass, $1);
+ if (defklen == 0) {
+ if ($2) {
+ yyerror("keylen not allowed");
+ racoon_free($$);
+ $$ = NULL;
+ return -1;
+ }
+ } else {
+ if ($2 && check_keylen(cur_algclass, $1, $2) < 0) {
+ yyerror("invalid keylen %d", $2);
+ racoon_free($$);
+ $$ = NULL;
+ return -1;
+ }
+ }
+
+ if ($2)
+ $$->encklen = $2;
+ else
+ $$->encklen = defklen;
+
+ /* check if it's supported algorithm by kernel */
+ if (!(cur_algclass == algclass_ipsec_auth && $1 == algtype_non_auth)
+ && pk_checkalg(cur_algclass, $1, $$->encklen)) {
+ int a = algclass2doi(cur_algclass);
+ int b = algtype2doi(cur_algclass, $1);
+ if (a == IPSECDOI_ATTR_AUTH)
+ a = IPSECDOI_PROTO_IPSEC_AH;
+ yyerror("algorithm %s not supported by the kernel (missing module?)",
+ s_ipsecdoi_trns(a, b));
+ racoon_free($$);
+ $$ = NULL;
+ return -1;
+ }
+ }
+ ;
+prefix
+ : /* nothing */ { $$ = ~0; }
+ | PREFIX { $$ = $1; }
+ ;
+port
+ : /* nothing */ { $$ = IPSEC_PORT_ANY; }
+ | PORT { $$ = $1; }
+ | PORTANY { $$ = IPSEC_PORT_ANY; }
+ ;
+ul_proto
+ : NUMBER { $$ = $1; }
+ | UL_PROTO { $$ = $1; }
+ | ANY { $$ = IPSEC_ULPROTO_ANY; }
+ ;
+keylength
+ : /* nothing */ { $$ = 0; }
+ | NUMBER { $$ = $1; }
+ ;
+
+ /* remote */
+remote_statement
+ : REMOTE QUOTEDSTRING INHERIT QUOTEDSTRING
+ {
+ struct remoteconf *from, *new;
+
+ if (getrmconf_by_name($2->v) != NULL) {
+ yyerror("named remoteconf \"%s\" already exists.");
+ return -1;
+ }
+
+ from = getrmconf_by_name($4->v);
+ if (from == NULL) {
+ yyerror("named parent remoteconf \"%s\" does not exist.",
+ $4->v);
+ return -1;
+ }
+
+ new = duprmconf_shallow(from);
+ if (new == NULL) {
+ yyerror("failed to duplicate remoteconf from \"%s\".",
+ $4->v);
+ return -1;
+ }
+
+ new->name = racoon_strdup($2->v);
+ cur_rmconf = new;
+
+ vfree($2);
+ vfree($4);
+ }
+ remote_specs_inherit_block
+ | REMOTE QUOTEDSTRING
+ {
+ struct remoteconf *new;
+
+ if (getrmconf_by_name($2->v) != NULL) {
+ yyerror("Named remoteconf \"%s\" already exists.");
+ return -1;
+ }
+
+ new = newrmconf();
+ if (new == NULL) {
+ yyerror("failed to get new remoteconf.");
+ return -1;
+ }
+ new->name = racoon_strdup($2->v);
+ cur_rmconf = new;
+
+ vfree($2);
+ }
+ remote_specs_block
+ | REMOTE remote_index INHERIT remote_index
+ {
+ struct remoteconf *from, *new;
+
+ from = getrmconf($4, GETRMCONF_F_NO_ANONYMOUS);
+ if (from == NULL) {
+ yyerror("failed to get remoteconf for %s.",
+ saddr2str($4));
+ return -1;
+ }
+
+ new = duprmconf_shallow(from);
+ if (new == NULL) {
+ yyerror("failed to duplicate remoteconf from %s.",
+ saddr2str($4));
+ return -1;
+ }
+
+ racoon_free($4);
+ new->remote = $2;
+ cur_rmconf = new;
+ }
+ remote_specs_inherit_block
+ | REMOTE remote_index
+ {
+ struct remoteconf *new;
+
+ new = newrmconf();
+ if (new == NULL) {
+ yyerror("failed to get new remoteconf.");
+ return -1;
+ }
+
+ new->remote = $2;
+ cur_rmconf = new;
+ }
+ remote_specs_block
+ ;
+
+remote_specs_inherit_block
+ : remote_specs_block
+ | EOS /* inheritance without overriding any settings */
+ {
+ if (process_rmconf() != 0)
+ return -1;
+ }
+ ;
+
+remote_specs_block
+ : BOC remote_specs EOC
+ {
+ if (process_rmconf() != 0)
+ return -1;
+ }
+ ;
+remote_index
+ : ANONYMOUS ike_port
+ {
+ $$ = newsaddr(sizeof(struct sockaddr));
+ $$->sa_family = AF_UNSPEC;
+ ((struct sockaddr_in *)$$)->sin_port = htons($2);
+ }
+ | ike_addrinfo_port
+ {
+ $$ = $1;
+ if ($$ == NULL) {
+ yyerror("failed to allocate sockaddr");
+ return -1;
+ }
+ }
+ ;
+remote_specs
+ : /* nothing */
+ | remote_specs remote_spec
+ ;
+remote_spec
+ : REMOTE_ADDRESS ike_addrinfo_port
+ {
+ if (cur_rmconf->remote != NULL) {
+ yyerror("remote_address already specified");
+ return -1;
+ }
+ cur_rmconf->remote = $2;
+ }
+ EOS
+ | EXCHANGE_MODE
+ {
+ cur_rmconf->etypes = NULL;
+ }
+ exchange_types EOS
+ | DOI DOITYPE { cur_rmconf->doitype = $2; } EOS
+ | SITUATION SITUATIONTYPE { cur_rmconf->sittype = $2; } EOS
+ | CERTIFICATE_TYPE cert_spec
+ | PEERS_CERTFILE QUOTEDSTRING
+ {
+ yywarn("This directive without certtype will be removed!\n");
+ yywarn("Please use 'peers_certfile x509 \"%s\";' instead\n", $2->v);
+
+ if (cur_rmconf->peerscert != NULL) {
+ yyerror("peers_certfile already defined\n");
+ return -1;
+ }
+
+ if (load_x509($2->v, &cur_rmconf->peerscertfile,
+ &cur_rmconf->peerscert)) {
+ yyerror("failed to load certificate \"%s\"\n",
+ $2->v);
+ return -1;
+ }
+
+ vfree($2);
+ }
+ EOS
+ | PEERS_CERTFILE CERT_X509 QUOTEDSTRING
+ {
+ if (cur_rmconf->peerscert != NULL) {
+ yyerror("peers_certfile already defined\n");
+ return -1;
+ }
+
+ if (load_x509($3->v, &cur_rmconf->peerscertfile,
+ &cur_rmconf->peerscert)) {
+ yyerror("failed to load certificate \"%s\"\n",
+ $3->v);
+ return -1;
+ }
+
+ vfree($3);
+ }
+ EOS
+ | PEERS_CERTFILE CERT_PLAINRSA QUOTEDSTRING
+ {
+ char path[MAXPATHLEN];
+ int ret = 0;
+
+ if (cur_rmconf->peerscert != NULL) {
+ yyerror("peers_certfile already defined\n");
+ return -1;
+ }
+
+ cur_rmconf->peerscert = vmalloc(1);
+ if (cur_rmconf->peerscert == NULL) {
+ yyerror("failed to allocate peerscert");
+ return -1;
+ }
+ cur_rmconf->peerscert->v[0] = ISAKMP_CERT_PLAINRSA;
+
+ getpathname(path, sizeof(path),
+ LC_PATHTYPE_CERT, $3->v);
+ if (rsa_parse_file(cur_rmconf->rsa_public, path,
+ RSA_TYPE_PUBLIC)) {
+ yyerror("Couldn't parse keyfile.\n", path);
+ return -1;
+ }
+ plog(LLV_DEBUG, LOCATION, NULL,
+ "Public PlainRSA keyfile parsed: %s\n", path);
+
+ vfree($3);
+ }
+ EOS
+ | PEERS_CERTFILE DNSSEC
+ {
+ if (cur_rmconf->peerscert != NULL) {
+ yyerror("peers_certfile already defined\n");
+ return -1;
+ }
+ cur_rmconf->peerscert = vmalloc(1);
+ if (cur_rmconf->peerscert == NULL) {
+ yyerror("failed to allocate peerscert");
+ return -1;
+ }
+ cur_rmconf->peerscert->v[0] = ISAKMP_CERT_DNS;
+ }
+ EOS
+ | CA_TYPE CERT_X509 QUOTEDSTRING
+ {
+ if (cur_rmconf->cacert != NULL) {
+ yyerror("ca_type already defined\n");
+ return -1;
+ }
+
+ if (load_x509($3->v, &cur_rmconf->cacertfile,
+ &cur_rmconf->cacert)) {
+ yyerror("failed to load certificate \"%s\"\n",
+ $3->v);
+ return -1;
+ }
+
+ vfree($3);
+ }
+ EOS
+ | VERIFY_CERT SWITCH { cur_rmconf->verify_cert = $2; } EOS
+ | SEND_CERT SWITCH { cur_rmconf->send_cert = $2; } EOS
+ | SEND_CR SWITCH { cur_rmconf->send_cr = $2; } EOS
+ | MATCH_EMPTY_CR SWITCH { cur_rmconf->match_empty_cr = $2; } EOS
+ | MY_IDENTIFIER IDENTIFIERTYPE identifierstring
+ {
+ if (set_identifier(&cur_rmconf->idv, $2, $3) != 0) {
+ yyerror("failed to set identifer.\n");
+ return -1;
+ }
+ cur_rmconf->idvtype = $2;
+ }
+ EOS
+ | MY_IDENTIFIER IDENTIFIERTYPE IDENTIFIERQUAL identifierstring
+ {
+ if (set_identifier_qual(&cur_rmconf->idv, $2, $4, $3) != 0) {
+ yyerror("failed to set identifer.\n");
+ return -1;
+ }
+ cur_rmconf->idvtype = $2;
+ }
+ EOS
+ | XAUTH_LOGIN identifierstring
+ {
+#ifdef ENABLE_HYBRID
+ /* formerly identifier type login */
+ if (xauth_rmconf_used(&cur_rmconf->xauth) == -1) {
+ yyerror("failed to allocate xauth state\n");
+ return -1;
+ }
+ if ((cur_rmconf->xauth->login = vdup($2)) == NULL) {
+ yyerror("failed to set identifer.\n");
+ return -1;
+ }
+#else
+ yyerror("racoon not configured with --enable-hybrid");
+#endif
+ }
+ EOS
+ | PEERS_IDENTIFIER IDENTIFIERTYPE identifierstring
+ {
+ struct idspec *id;
+ id = newidspec();
+ if (id == NULL) {
+ yyerror("failed to allocate idspec");
+ return -1;
+ }
+ if (set_identifier(&id->id, $2, $3) != 0) {
+ yyerror("failed to set identifer.\n");
+ racoon_free(id);
+ return -1;
+ }
+ id->idtype = $2;
+ genlist_append (cur_rmconf->idvl_p, id);
+ }
+ EOS
+ | PEERS_IDENTIFIER IDENTIFIERTYPE IDENTIFIERQUAL identifierstring
+ {
+ struct idspec *id;
+ id = newidspec();
+ if (id == NULL) {
+ yyerror("failed to allocate idspec");
+ return -1;
+ }
+ if (set_identifier_qual(&id->id, $2, $4, $3) != 0) {
+ yyerror("failed to set identifer.\n");
+ racoon_free(id);
+ return -1;
+ }
+ id->idtype = $2;
+ genlist_append (cur_rmconf->idvl_p, id);
+ }
+ EOS
+ | VERIFY_IDENTIFIER SWITCH { cur_rmconf->verify_identifier = $2; } EOS
+ | NONCE_SIZE NUMBER { cur_rmconf->nonce_size = $2; } EOS
+ | DH_GROUP
+ {
+ yyerror("dh_group cannot be defined here.");
+ return -1;
+ }
+ dh_group_num EOS
+ | PASSIVE SWITCH { cur_rmconf->passive = $2; } EOS
+ | IKE_FRAG SWITCH { cur_rmconf->ike_frag = $2; } EOS
+ | IKE_FRAG REMOTE_FORCE_LEVEL { cur_rmconf->ike_frag = ISAKMP_FRAG_FORCE; } EOS
+ | ESP_FRAG NUMBER {
+#ifdef SADB_X_EXT_NAT_T_FRAG
+ if (libipsec_opt & LIBIPSEC_OPT_FRAG)
+ cur_rmconf->esp_frag = $2;
+ else
+ yywarn("libipsec lacks IKE frag support");
+#else
+ yywarn("Your kernel does not support esp_frag");
+#endif
+ } EOS
+ | SCRIPT QUOTEDSTRING PHASE1_UP {
+ if (cur_rmconf->script[SCRIPT_PHASE1_UP] != NULL)
+ vfree(cur_rmconf->script[SCRIPT_PHASE1_UP]);
+
+ cur_rmconf->script[SCRIPT_PHASE1_UP] =
+ script_path_add(vdup($2));
+ } EOS
+ | SCRIPT QUOTEDSTRING PHASE1_DOWN {
+ if (cur_rmconf->script[SCRIPT_PHASE1_DOWN] != NULL)
+ vfree(cur_rmconf->script[SCRIPT_PHASE1_DOWN]);
+
+ cur_rmconf->script[SCRIPT_PHASE1_DOWN] =
+ script_path_add(vdup($2));
+ } EOS
+ | SCRIPT QUOTEDSTRING PHASE1_DEAD {
+ if (cur_rmconf->script[SCRIPT_PHASE1_DEAD] != NULL)
+ vfree(cur_rmconf->script[SCRIPT_PHASE1_DEAD]);
+
+ cur_rmconf->script[SCRIPT_PHASE1_DEAD] =
+ script_path_add(vdup($2));
+ } EOS
+ | MODE_CFG SWITCH { cur_rmconf->mode_cfg = $2; } EOS
+ | WEAK_PHASE1_CHECK SWITCH {
+ cur_rmconf->weak_phase1_check = $2;
+ } EOS
+ | GENERATE_POLICY SWITCH { cur_rmconf->gen_policy = $2; } EOS
+ | GENERATE_POLICY GENERATE_LEVEL { cur_rmconf->gen_policy = $2; } EOS
+ | SUPPORT_PROXY SWITCH { cur_rmconf->support_proxy = $2; } EOS
+ | INITIAL_CONTACT SWITCH { cur_rmconf->ini_contact = $2; } EOS
+ | NAT_TRAVERSAL SWITCH
+ {
+#ifdef ENABLE_NATT
+ if (libipsec_opt & LIBIPSEC_OPT_NATT)
+ cur_rmconf->nat_traversal = $2;
+ else
+ yyerror("libipsec lacks NAT-T support");
+#else
+ yyerror("NAT-T support not compiled in.");
+#endif
+ } EOS
+ | NAT_TRAVERSAL REMOTE_FORCE_LEVEL
+ {
+#ifdef ENABLE_NATT
+ if (libipsec_opt & LIBIPSEC_OPT_NATT)
+ cur_rmconf->nat_traversal = NATT_FORCE;
+ else
+ yyerror("libipsec lacks NAT-T support");
+#else
+ yyerror("NAT-T support not compiled in.");
+#endif
+ } EOS
+ | DPD SWITCH
+ {
+#ifdef ENABLE_DPD
+ cur_rmconf->dpd = $2;
+#else
+ yyerror("DPD support not compiled in.");
+#endif
+ } EOS
+ | DPD_DELAY NUMBER
+ {
+#ifdef ENABLE_DPD
+ cur_rmconf->dpd_interval = $2;
+#else
+ yyerror("DPD support not compiled in.");
+#endif
+ }
+ EOS
+ | DPD_RETRY NUMBER
+ {
+#ifdef ENABLE_DPD
+ cur_rmconf->dpd_retry = $2;
+#else
+ yyerror("DPD support not compiled in.");
+#endif
+ }
+ EOS
+ | DPD_MAXFAIL NUMBER
+ {
+#ifdef ENABLE_DPD
+ cur_rmconf->dpd_maxfails = $2;
+#else
+ yyerror("DPD support not compiled in.");
+#endif
+ }
+ EOS
+ | REKEY SWITCH { cur_rmconf->rekey = $2; } EOS
+ | REKEY REMOTE_FORCE_LEVEL { cur_rmconf->rekey = REKEY_FORCE; } EOS
+ | PH1ID NUMBER
+ {
+ cur_rmconf->ph1id = $2;
+ }
+ EOS
+ | LIFETIME LIFETYPE_TIME NUMBER unittype_time
+ {
+ cur_rmconf->lifetime = $3 * $4;
+ }
+ EOS
+ | PROPOSAL_CHECK PROPOSAL_CHECK_LEVEL { cur_rmconf->pcheck_level = $2; } EOS
+ | LIFETIME LIFETYPE_BYTE NUMBER unittype_byte
+ {
+#if 1
+ yyerror("byte lifetime support is deprecated in Phase1");
+ return -1;
+#else
+ yywarn("the lifetime of bytes in phase 1 "
+ "will be ignored at the moment.");
+ cur_rmconf->lifebyte = fix_lifebyte($3 * $4);
+ if (cur_rmconf->lifebyte == 0)
+ return -1;
+#endif
+ }
+ EOS
+ | PROPOSAL
+ {
+ struct secprotospec *spspec;
+
+ spspec = newspspec();
+ if (spspec == NULL)
+ return -1;
+ insspspec(cur_rmconf, spspec);
+ }
+ BOC isakmpproposal_specs EOC
+ ;
+exchange_types
+ : /* nothing */
+ | exchange_types EXCHANGETYPE
+ {
+ struct etypes *new;
+ new = racoon_malloc(sizeof(struct etypes));
+ if (new == NULL) {
+ yyerror("failed to allocate etypes");
+ return -1;
+ }
+ new->type = $2;
+ new->next = NULL;
+ if (cur_rmconf->etypes == NULL)
+ cur_rmconf->etypes = new;
+ else {
+ struct etypes *p;
+ for (p = cur_rmconf->etypes;
+ p->next != NULL;
+ p = p->next)
+ ;
+ p->next = new;
+ }
+ }
+ ;
+cert_spec
+ : CERT_X509 QUOTEDSTRING QUOTEDSTRING
+ {
+ if (cur_rmconf->mycert != NULL) {
+ yyerror("certificate_type already defined\n");
+ return -1;
+ }
+
+ if (load_x509($2->v, &cur_rmconf->mycertfile,
+ &cur_rmconf->mycert)) {
+ yyerror("failed to load certificate \"%s\"\n",
+ $2->v);
+ return -1;
+ }
+
+ cur_rmconf->myprivfile = racoon_strdup($3->v);
+ STRDUP_FATAL(cur_rmconf->myprivfile);
+
+ vfree($2);
+ vfree($3);
+ }
+ EOS
+ | CERT_PLAINRSA QUOTEDSTRING
+ {
+ char path[MAXPATHLEN];
+ int ret = 0;
+
+ if (cur_rmconf->mycert != NULL) {
+ yyerror("certificate_type already defined\n");
+ return -1;
+ }
+
+ cur_rmconf->mycert = vmalloc(1);
+ if (cur_rmconf->mycert == NULL) {
+ yyerror("failed to allocate mycert");
+ return -1;
+ }
+ cur_rmconf->mycert->v[0] = ISAKMP_CERT_PLAINRSA;
+
+ getpathname(path, sizeof(path),
+ LC_PATHTYPE_CERT, $2->v);
+ cur_rmconf->send_cr = FALSE;
+ cur_rmconf->send_cert = FALSE;
+ cur_rmconf->verify_cert = FALSE;
+ if (rsa_parse_file(cur_rmconf->rsa_private, path,
+ RSA_TYPE_PRIVATE)) {
+ yyerror("Couldn't parse keyfile.\n", path);
+ return -1;
+ }
+ plog(LLV_DEBUG, LOCATION, NULL,
+ "Private PlainRSA keyfile parsed: %s\n", path);
+ vfree($2);
+ }
+ EOS
+ ;
+dh_group_num
+ : ALGORITHMTYPE
+ {
+ $$ = algtype2doi(algclass_isakmp_dh, $1);
+ if ($$ == -1) {
+ yyerror("must be DH group");
+ return -1;
+ }
+ }
+ | NUMBER
+ {
+ if (ARRAYLEN(num2dhgroup) > $1 && num2dhgroup[$1] != 0) {
+ $$ = num2dhgroup[$1];
+ } else {
+ yyerror("must be DH group");
+ $$ = 0;
+ return -1;
+ }
+ }
+ ;
+identifierstring
+ : /* nothing */ { $$ = NULL; }
+ | ADDRSTRING { $$ = $1; }
+ | QUOTEDSTRING { $$ = $1; }
+ ;
+isakmpproposal_specs
+ : /* nothing */
+ | isakmpproposal_specs isakmpproposal_spec
+ ;
+isakmpproposal_spec
+ : LIFETIME LIFETYPE_TIME NUMBER unittype_time
+ {
+ cur_rmconf->spspec->lifetime = $3 * $4;
+ }
+ EOS
+ | LIFETIME LIFETYPE_BYTE NUMBER unittype_byte
+ {
+#if 1
+ yyerror("byte lifetime support is deprecated");
+ return -1;
+#else
+ cur_rmconf->spspec->lifebyte = fix_lifebyte($3 * $4);
+ if (cur_rmconf->spspec->lifebyte == 0)
+ return -1;
+#endif
+ }
+ EOS
+ | DH_GROUP dh_group_num
+ {
+ cur_rmconf->spspec->algclass[algclass_isakmp_dh] = $2;
+ }
+ EOS
+ | GSS_ID QUOTEDSTRING
+ {
+ if (cur_rmconf->spspec->vendorid != VENDORID_GSSAPI) {
+ yyerror("wrong Vendor ID for gssapi_id");
+ return -1;
+ }
+ if (cur_rmconf->spspec->gssid != NULL)
+ racoon_free(cur_rmconf->spspec->gssid);
+ cur_rmconf->spspec->gssid =
+ racoon_strdup($2->v);
+ STRDUP_FATAL(cur_rmconf->spspec->gssid);
+ }
+ EOS
+ | ALGORITHM_CLASS ALGORITHMTYPE keylength
+ {
+ int doi;
+ int defklen;
+
+ doi = algtype2doi($1, $2);
+ if (doi == -1) {
+ yyerror("algorithm mismatched 1");
+ return -1;
+ }
+
+ switch ($1) {
+ case algclass_isakmp_enc:
+ /* reject suppressed algorithms */
+#ifndef HAVE_OPENSSL_RC5_H
+ if ($2 == algtype_rc5) {
+ yyerror("algorithm %s not supported",
+ s_attr_isakmp_enc(doi));
+ return -1;
+ }
+#endif
+#ifndef HAVE_OPENSSL_IDEA_H
+ if ($2 == algtype_idea) {
+ yyerror("algorithm %s not supported",
+ s_attr_isakmp_enc(doi));
+ return -1;
+ }
+#endif
+
+ cur_rmconf->spspec->algclass[algclass_isakmp_enc] = doi;
+ defklen = default_keylen($1, $2);
+ if (defklen == 0) {
+ if ($3) {
+ yyerror("keylen not allowed");
+ return -1;
+ }
+ } else {
+ if ($3 && check_keylen($1, $2, $3) < 0) {
+ yyerror("invalid keylen %d", $3);
+ return -1;
+ }
+ }
+ if ($3)
+ cur_rmconf->spspec->encklen = $3;
+ else
+ cur_rmconf->spspec->encklen = defklen;
+ break;
+ case algclass_isakmp_hash:
+ cur_rmconf->spspec->algclass[algclass_isakmp_hash] = doi;
+ break;
+ case algclass_isakmp_ameth:
+ cur_rmconf->spspec->algclass[algclass_isakmp_ameth] = doi;
+ /*
+ * We may have to set the Vendor ID for the
+ * authentication method we're using.
+ */
+ switch ($2) {
+ case algtype_gssapikrb:
+ if (cur_rmconf->spspec->vendorid !=
+ VENDORID_UNKNOWN) {
+ yyerror("Vendor ID mismatch "
+ "for auth method");
+ return -1;
+ }
+ /*
+ * For interoperability with Win2k,
+ * we set the Vendor ID to "GSSAPI".
+ */
+ cur_rmconf->spspec->vendorid =
+ VENDORID_GSSAPI;
+ break;
+ case algtype_rsasig:
+ if (oakley_get_certtype(cur_rmconf->peerscert) == ISAKMP_CERT_PLAINRSA) {
+ if (rsa_list_count(cur_rmconf->rsa_private) == 0) {
+ yyerror ("Private PlainRSA key not set. "
+ "Use directive 'certificate_type plainrsa ...'\n");
+ return -1;
+ }
+ if (rsa_list_count(cur_rmconf->rsa_public) == 0) {
+ yyerror ("Public PlainRSA keys not set. "
+ "Use directive 'peers_certfile plainrsa ...'\n");
+ return -1;
+ }
+ }
+ break;
+ default:
+ break;
+ }
+ break;
+ default:
+ yyerror("algorithm mismatched 2");
+ return -1;
+ }
+ }
+ EOS
+ ;
+
+unittype_time
+ : UNITTYPE_SEC { $$ = 1; }
+ | UNITTYPE_MIN { $$ = 60; }
+ | UNITTYPE_HOUR { $$ = (60 * 60); }
+ ;
+unittype_byte
+ : UNITTYPE_BYTE { $$ = 1; }
+ | UNITTYPE_KBYTES { $$ = 1024; }
+ | UNITTYPE_MBYTES { $$ = (1024 * 1024); }
+ | UNITTYPE_TBYTES { $$ = (1024 * 1024 * 1024); }
+ ;
+%%
+
+static struct secprotospec *
+newspspec()
+{
+ struct secprotospec *new;
+
+ new = racoon_calloc(1, sizeof(*new));
+ if (new == NULL) {
+ yyerror("failed to allocate spproto");
+ return NULL;
+ }
+
+ new->encklen = 0; /*XXX*/
+
+ /*
+ * Default to "uknown" vendor -- we will override this
+ * as necessary. When we send a Vendor ID payload, an
+ * "unknown" will be translated to a KAME/racoon ID.
+ */
+ new->vendorid = VENDORID_UNKNOWN;
+
+ return new;
+}
+
+/*
+ * insert into head of list.
+ */
+static void
+insspspec(rmconf, spspec)
+ struct remoteconf *rmconf;
+ struct secprotospec *spspec;
+{
+ if (rmconf->spspec != NULL)
+ rmconf->spspec->prev = spspec;
+ spspec->next = rmconf->spspec;
+ rmconf->spspec = spspec;
+}
+
+static struct secprotospec *
+dupspspec(spspec)
+ struct secprotospec *spspec;
+{
+ struct secprotospec *new;
+
+ new = newspspec();
+ if (new == NULL) {
+ plog(LLV_ERROR, LOCATION, NULL,
+ "dupspspec: malloc failed\n");
+ return NULL;
+ }
+ memcpy(new, spspec, sizeof(*new));
+
+ if (spspec->gssid) {
+ new->gssid = racoon_strdup(spspec->gssid);
+ STRDUP_FATAL(new->gssid);
+ }
+ if (spspec->remote) {
+ new->remote = racoon_malloc(sizeof(*new->remote));
+ if (new->remote == NULL) {
+ plog(LLV_ERROR, LOCATION, NULL,
+ "dupspspec: malloc failed (remote)\n");
+ return NULL;
+ }
+ memcpy(new->remote, spspec->remote, sizeof(*new->remote));
+ }
+
+ return new;
+}
+
+/*
+ * copy the whole list
+ */
+void
+dupspspec_list(dst, src)
+ struct remoteconf *dst, *src;
+{
+ struct secprotospec *p, *new, *last;
+
+ for(p = src->spspec, last = NULL; p; p = p->next, last = new) {
+ new = dupspspec(p);
+ if (new == NULL)
+ exit(1);
+
+ new->prev = last;
+ new->next = NULL; /* not necessary but clean */
+
+ if (last)
+ last->next = new;
+ else /* first element */
+ dst->spspec = new;
+
+ }
+}
+
+/*
+ * delete the whole list
+ */
+void
+flushspspec(rmconf)
+ struct remoteconf *rmconf;
+{
+ struct secprotospec *p;
+
+ while(rmconf->spspec != NULL) {
+ p = rmconf->spspec;
+ rmconf->spspec = p->next;
+ if (p->next != NULL)
+ p->next->prev = NULL; /* not necessary but clean */
+
+ if (p->gssid)
+ racoon_free(p->gssid);
+ if (p->remote)
+ racoon_free(p->remote);
+ racoon_free(p);
+ }
+ rmconf->spspec = NULL;
+}
+
+/* set final acceptable proposal */
+static int
+set_isakmp_proposal(rmconf)
+ struct remoteconf *rmconf;
+{
+ struct secprotospec *s;
+ int prop_no = 1;
+ int trns_no = 1;
+ int32_t types[MAXALGCLASS];
+
+ /* mandatory check */
+ if (rmconf->spspec == NULL) {
+ yyerror("no remote specification found: %s.\n",
+ saddr2str(rmconf->remote));
+ return -1;
+ }
+ for (s = rmconf->spspec; s != NULL; s = s->next) {
+ /* XXX need more to check */
+ if (s->algclass[algclass_isakmp_enc] == 0) {
+ yyerror("encryption algorithm required.");
+ return -1;
+ }
+ if (s->algclass[algclass_isakmp_hash] == 0) {
+ yyerror("hash algorithm required.");
+ return -1;
+ }
+ if (s->algclass[algclass_isakmp_dh] == 0) {
+ yyerror("DH group required.");
+ return -1;
+ }
+ if (s->algclass[algclass_isakmp_ameth] == 0) {
+ yyerror("authentication method required.");
+ return -1;
+ }
+ }
+
+ /* skip to last part */
+ for (s = rmconf->spspec; s->next != NULL; s = s->next)
+ ;
+
+ while (s != NULL) {
+ plog(LLV_DEBUG2, LOCATION, NULL,
+ "lifetime = %ld\n", (long)
+ (s->lifetime ? s->lifetime : rmconf->lifetime));
+ plog(LLV_DEBUG2, LOCATION, NULL,
+ "lifebyte = %d\n",
+ s->lifebyte ? s->lifebyte : rmconf->lifebyte);
+ plog(LLV_DEBUG2, LOCATION, NULL,
+ "encklen=%d\n", s->encklen);
+
+ memset(types, 0, ARRAYLEN(types));
+ types[algclass_isakmp_enc] = s->algclass[algclass_isakmp_enc];
+ types[algclass_isakmp_hash] = s->algclass[algclass_isakmp_hash];
+ types[algclass_isakmp_dh] = s->algclass[algclass_isakmp_dh];
+ types[algclass_isakmp_ameth] =
+ s->algclass[algclass_isakmp_ameth];
+
+ /* expanding spspec */
+ clean_tmpalgtype();
+ trns_no = expand_isakmpspec(prop_no, trns_no, types,
+ algclass_isakmp_enc, algclass_isakmp_ameth + 1,
+ s->lifetime ? s->lifetime : rmconf->lifetime,
+ s->lifebyte ? s->lifebyte : rmconf->lifebyte,
+ s->encklen, s->vendorid, s->gssid,
+ rmconf);
+ if (trns_no == -1) {
+ plog(LLV_ERROR, LOCATION, NULL,
+ "failed to expand isakmp proposal.\n");
+ return -1;
+ }
+
+ s = s->prev;
+ }
+
+ if (rmconf->proposal == NULL) {
+ plog(LLV_ERROR, LOCATION, NULL,
+ "no proposal found.\n");
+ return -1;
+ }
+
+ return 0;
+}
+
+static void
+clean_tmpalgtype()
+{
+ int i;
+ for (i = 0; i < MAXALGCLASS; i++)
+ tmpalgtype[i] = 0; /* means algorithm undefined. */
+}
+
+static int
+expand_isakmpspec(prop_no, trns_no, types,
+ class, last, lifetime, lifebyte, encklen, vendorid, gssid,
+ rmconf)
+ int prop_no, trns_no;
+ int *types, class, last;
+ time_t lifetime;
+ int lifebyte;
+ int encklen;
+ int vendorid;
+ char *gssid;
+ struct remoteconf *rmconf;
+{
+ struct isakmpsa *new;
+
+ /* debugging */
+ {
+ int j;
+ char tb[10];
+ plog(LLV_DEBUG2, LOCATION, NULL,
+ "p:%d t:%d\n", prop_no, trns_no);
+ for (j = class; j < MAXALGCLASS; j++) {
+ snprintf(tb, sizeof(tb), "%d", types[j]);
+ plog(LLV_DEBUG2, LOCATION, NULL,
+ "%s%s%s%s\n",
+ s_algtype(j, types[j]),
+ types[j] ? "(" : "",
+ tb[0] == '0' ? "" : tb,
+ types[j] ? ")" : "");
+ }
+ plog(LLV_DEBUG2, LOCATION, NULL, "\n");
+ }
+
+#define TMPALGTYPE2STR(n) \
+ s_algtype(algclass_isakmp_##n, types[algclass_isakmp_##n])
+ /* check mandatory values */
+ if (types[algclass_isakmp_enc] == 0
+ || types[algclass_isakmp_ameth] == 0
+ || types[algclass_isakmp_hash] == 0
+ || types[algclass_isakmp_dh] == 0) {
+ yyerror("few definition of algorithm "
+ "enc=%s ameth=%s hash=%s dhgroup=%s.\n",
+ TMPALGTYPE2STR(enc),
+ TMPALGTYPE2STR(ameth),
+ TMPALGTYPE2STR(hash),
+ TMPALGTYPE2STR(dh));
+ return -1;
+ }
+#undef TMPALGTYPE2STR
+
+ /* set new sa */
+ new = newisakmpsa();
+ if (new == NULL) {
+ yyerror("failed to allocate isakmp sa");
+ return -1;
+ }
+ new->prop_no = prop_no;
+ new->trns_no = trns_no++;
+ new->lifetime = lifetime;
+ new->lifebyte = lifebyte;
+ new->enctype = types[algclass_isakmp_enc];
+ new->encklen = encklen;
+ new->authmethod = types[algclass_isakmp_ameth];
+ new->hashtype = types[algclass_isakmp_hash];
+ new->dh_group = types[algclass_isakmp_dh];
+ new->vendorid = vendorid;
+#ifdef HAVE_GSSAPI
+ if (new->authmethod == OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB) {
+ if (gssid != NULL) {
+ if ((new->gssid = vmalloc(strlen(gssid))) == NULL) {
+ racoon_free(new);
+ yyerror("failed to allocate gssid");
+ return -1;
+ }
+ memcpy(new->gssid->v, gssid, new->gssid->l);
+ racoon_free(gssid);
+ } else {
+ /*
+ * Allocate the default ID so that it gets put
+ * into a GSS ID attribute during the Phase 1
+ * exchange.
+ */
+ new->gssid = gssapi_get_default_gss_id();
+ }
+ }
+#endif
+ insisakmpsa(new, rmconf);
+
+ return trns_no;
+}
+
+#if 0
+/*
+ * fix lifebyte.
+ * Must be more than 1024B because its unit is kilobytes.
+ * That is defined RFC2407.
+ */
+static int
+fix_lifebyte(t)
+ unsigned long t;
+{
+ if (t < 1024) {
+ yyerror("byte size should be more than 1024B.");
+ return 0;
+ }
+
+ return(t / 1024);
+}
+#endif
+
+int
+cfparse()
+{
+ int error;
+
+ yyerrorcount = 0;
+ yycf_init_buffer();
+
+ if (yycf_switch_buffer(lcconf->racoon_conf) != 0) {
+ plog(LLV_ERROR, LOCATION, NULL,
+ "could not read configuration file \"%s\"\n",
+ lcconf->racoon_conf);
+ return -1;
+ }
+
+ error = yyparse();
+ if (error != 0) {
+ if (yyerrorcount) {
+ plog(LLV_ERROR, LOCATION, NULL,
+ "fatal parse failure (%d errors)\n",
+ yyerrorcount);
+ } else {
+ plog(LLV_ERROR, LOCATION, NULL,
+ "fatal parse failure.\n");
+ }
+ return -1;
+ }
+
+ if (error == 0 && yyerrorcount) {
+ plog(LLV_ERROR, LOCATION, NULL,
+ "parse error is nothing, but yyerrorcount is %d.\n",
+ yyerrorcount);
+ exit(1);
+ }
+
+ yycf_clean_buffer();
+
+ plog(LLV_DEBUG2, LOCATION, NULL, "parse successed.\n");
+
+ return 0;
+}
+
+int
+cfreparse()
+{
+ flushph2();
+ flushph1();
+ flushrmconf();
+ flushsainfo();
+ clean_tmpalgtype();
+ return(cfparse());
+}
+
+#ifdef ENABLE_ADMINPORT
+static void
+adminsock_conf(path, owner, group, mode_dec)
+ vchar_t *path;
+ vchar_t *owner;
+ vchar_t *group;
+ int mode_dec;
+{
+ struct passwd *pw = NULL;
+ struct group *gr = NULL;
+ mode_t mode = 0;
+ uid_t uid;
+ gid_t gid;
+ int isnum;
+
+ adminsock_path = path->v;
+
+ if (owner == NULL)
+ return;
+
+ errno = 0;
+ uid = atoi(owner->v);
+ isnum = !errno;
+ if (((pw = getpwnam(owner->v)) == NULL) && !isnum)
+ yyerror("User \"%s\" does not exist", owner->v);
+
+ if (pw)
+ adminsock_owner = pw->pw_uid;
+ else
+ adminsock_owner = uid;
+
+ if (group == NULL)
+ return;
+
+ errno = 0;
+ gid = atoi(group->v);
+ isnum = !errno;
+ if (((gr = getgrnam(group->v)) == NULL) && !isnum)
+ yyerror("Group \"%s\" does not exist", group->v);
+
+ if (gr)
+ adminsock_group = gr->gr_gid;
+ else
+ adminsock_group = gid;
+
+ if (mode_dec == -1)
+ return;
+
+ if (mode_dec > 777)
+ yyerror("Mode 0%03o is invalid", mode_dec);
+ if (mode_dec >= 400) { mode += 0400; mode_dec -= 400; }
+ if (mode_dec >= 200) { mode += 0200; mode_dec -= 200; }
+ if (mode_dec >= 100) { mode += 0200; mode_dec -= 100; }
+
+ if (mode_dec > 77)
+ yyerror("Mode 0%03o is invalid", mode_dec);
+ if (mode_dec >= 40) { mode += 040; mode_dec -= 40; }
+ if (mode_dec >= 20) { mode += 020; mode_dec -= 20; }
+ if (mode_dec >= 10) { mode += 020; mode_dec -= 10; }
+
+ if (mode_dec > 7)
+ yyerror("Mode 0%03o is invalid", mode_dec);
+ if (mode_dec >= 4) { mode += 04; mode_dec -= 4; }
+ if (mode_dec >= 2) { mode += 02; mode_dec -= 2; }
+ if (mode_dec >= 1) { mode += 02; mode_dec -= 1; }
+
+ adminsock_mode = mode;
+
+ return;
+}
+#endif
generated by cgit v1.2.3 (git 2.25.1) at 2024-05-03 17:21:14 +0000