1 /* $NetBSD: cfparse.y,v 1.42 2011/03/14 15:50:36 vanhu Exp $ */
2
3 /* Id: cfparse.y,v 1.66 2006/08/22 18:17:17 manubsd Exp */
4
5 %{
6 /*
7 * Copyright (C) 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002 and 2003 WIDE Project.
8 * All rights reserved.
9 *
10 * Redistribution and use in source and binary forms, with or without
11 * modification, are permitted provided that the following conditions
12 * are met:
13 * 1. Redistributions of source code must retain the above copyright
14 * notice, this list of conditions and the following disclaimer.
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in the
17 * documentation and/or other materials provided with the distribution.
18 * 3. Neither the name of the project nor the names of its contributors
19 * may be used to endorse or promote products derived from this software
20 * without specific prior written permission.
21 *
22 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
23 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
24 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
25 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
26 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
27 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
28 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
29 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
30 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
31 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
32 * SUCH DAMAGE.
33 */
34
35 #include "config.h"
36
37 #include <sys/types.h>
38 #include <sys/param.h>
39 #include <sys/queue.h>
40 #include <sys/socket.h>
41
42 #include <netinet/in.h>
43 #include PATH_IPSEC_H
44
45 #ifdef ENABLE_HYBRID
46 #include <arpa/inet.h>
47 #endif
48
49 #include <stdlib.h>
50 #include <stdio.h>
51 #include <string.h>
52 #include <errno.h>
53 #include <netdb.h>
54 #include <pwd.h>
55 #include <grp.h>
56
57 #include "var.h"
58 #include "misc.h"
59 #include "vmbuf.h"
60 #include "plog.h"
61 #include "sockmisc.h"
62 #include "str2val.h"
63 #include "genlist.h"
64 #include "debug.h"
65
66 #include "admin.h"
67 #include "privsep.h"
68 #include "cfparse_proto.h"
69 #include "cftoken_proto.h"
70 #include "algorithm.h"
71 #include "localconf.h"
72 #include "policy.h"
73 #include "sainfo.h"
74 #include "oakley.h"
75 #include "pfkey.h"
76 #include "remoteconf.h"
77 #include "grabmyaddr.h"
78 #include "isakmp_var.h"
79 #include "handler.h"
80 #include "isakmp.h"
81 #include "nattraversal.h"
82 #include "isakmp_frag.h"
83 #ifdef ENABLE_HYBRID
84 #include "resolv.h"
85 #include "isakmp_unity.h"
86 #include "isakmp_xauth.h"
87 #include "isakmp_cfg.h"
88 #endif
89 #include "ipsec_doi.h"
90 #include "strnames.h"
91 #include "gcmalloc.h"
92 #ifdef HAVE_GSSAPI
93 #include "gssapi.h"
94 #endif
95 #include "vendorid.h"
96 #include "rsalist.h"
97 #include "crypto_openssl.h"
98
99 struct secprotospec {
100 int prop_no;
101 int trns_no;
102 int strength; /* for isakmp/ipsec */
103 int encklen; /* for isakmp/ipsec */
104 time_t lifetime; /* for isakmp */
105 int lifebyte; /* for isakmp */
106 int proto_id; /* for ipsec (isakmp?) */
107 int ipsec_level; /* for ipsec */
108 int encmode; /* for ipsec */
109 int vendorid; /* for isakmp */
110 char *gssid;
111 struct sockaddr *remote;
112 int algclass[MAXALGCLASS];
113
114 struct secprotospec *next; /* the tail is the most prefiered. */
115 struct secprotospec *prev;
116 };
117
118 static int num2dhgroup[] = {
119 0,
120 OAKLEY_ATTR_GRP_DESC_MODP768,
121 OAKLEY_ATTR_GRP_DESC_MODP1024,
122 OAKLEY_ATTR_GRP_DESC_EC2N155,
123 OAKLEY_ATTR_GRP_DESC_EC2N185,
124 OAKLEY_ATTR_GRP_DESC_MODP1536,
125 0,
126 0,
127 0,
128 0,
129 0,
130 0,
131 0,
132 0,
133 OAKLEY_ATTR_GRP_DESC_MODP2048,
134 OAKLEY_ATTR_GRP_DESC_MODP3072,
135 OAKLEY_ATTR_GRP_DESC_MODP4096,
136 OAKLEY_ATTR_GRP_DESC_MODP6144,
137 OAKLEY_ATTR_GRP_DESC_MODP8192
138 };
139
140 static struct remoteconf *cur_rmconf;
141 static int tmpalgtype[MAXALGCLASS];
142 static struct sainfo *cur_sainfo;
143 static int cur_algclass;
144 static int oldloglevel = LLV_BASE;
145
146 static struct secprotospec *newspspec __P((void));
147 static void insspspec __P((struct remoteconf *, struct secprotospec *));
148 void dupspspec_list __P((struct remoteconf *dst, struct remoteconf *src));
149 void flushspspec __P((struct remoteconf *));
150 static void adminsock_conf __P((vchar_t *, vchar_t *, vchar_t *, int));
151
152 static int set_isakmp_proposal __P((struct remoteconf *));
153 static void clean_tmpalgtype __P((void));
154 static int expand_isakmpspec __P((int, int, int *,
155 int, int, time_t, int, int, int, char *, struct remoteconf *));
156
157 void freeetypes (struct etypes **etypes);
158
load_x509(const char * file,char ** filenameptr,vchar_t ** certptr)159 static int load_x509(const char *file, char **filenameptr,
160 vchar_t **certptr)
161 {
162 char path[PATH_MAX];
163
164 getpathname(path, sizeof(path), LC_PATHTYPE_CERT, file);
165 *certptr = eay_get_x509cert(path);
166 if (*certptr == NULL)
167 return -1;
168
169 *filenameptr = racoon_strdup(file);
170 STRDUP_FATAL(*filenameptr);
171
172 return 0;
173 }
174
175 %}
176
177 %union {
178 unsigned long num;
179 vchar_t *val;
180 struct remoteconf *rmconf;
181 struct sockaddr *saddr;
182 struct sainfoalg *alg;
183 }
184
185 /* privsep */
186 %token PRIVSEP USER GROUP CHROOT
187 /* path */
188 %token PATH PATHTYPE
189 /* include */
190 %token INCLUDE
191 /* PFKEY_BUFFER */
192 %token PFKEY_BUFFER
193 /* logging */
194 %token LOGGING LOGLEV
195 /* padding */
196 %token PADDING PAD_RANDOMIZE PAD_RANDOMIZELEN PAD_MAXLEN PAD_STRICT PAD_EXCLTAIL
197 /* listen */
198 %token LISTEN X_ISAKMP X_ISAKMP_NATT X_ADMIN STRICT_ADDRESS ADMINSOCK DISABLED
199 /* ldap config */
200 %token LDAPCFG LDAP_HOST LDAP_PORT LDAP_PVER LDAP_BASE LDAP_BIND_DN LDAP_BIND_PW LDAP_SUBTREE
201 %token LDAP_ATTR_USER LDAP_ATTR_ADDR LDAP_ATTR_MASK LDAP_ATTR_GROUP LDAP_ATTR_MEMBER
202 /* radius config */
203 %token RADCFG RAD_AUTH RAD_ACCT RAD_TIMEOUT RAD_RETRIES
204 /* modecfg */
205 %token MODECFG CFG_NET4 CFG_MASK4 CFG_DNS4 CFG_NBNS4 CFG_DEFAULT_DOMAIN
206 %token CFG_AUTH_SOURCE CFG_AUTH_GROUPS CFG_SYSTEM CFG_RADIUS CFG_PAM CFG_LDAP CFG_LOCAL CFG_NONE
207 %token CFG_GROUP_SOURCE CFG_ACCOUNTING CFG_CONF_SOURCE CFG_MOTD CFG_POOL_SIZE CFG_AUTH_THROTTLE
208 %token CFG_SPLIT_NETWORK CFG_SPLIT_LOCAL CFG_SPLIT_INCLUDE CFG_SPLIT_DNS
209 %token CFG_PFS_GROUP CFG_SAVE_PASSWD
210
211 /* timer */
212 %token RETRY RETRY_COUNTER RETRY_INTERVAL RETRY_PERSEND
213 %token RETRY_PHASE1 RETRY_PHASE2 NATT_KA
214 /* algorithm */
215 %token ALGORITHM_CLASS ALGORITHMTYPE STRENGTHTYPE
216 /* sainfo */
217 %token SAINFO FROM
218 /* remote */
219 %token REMOTE ANONYMOUS CLIENTADDR INHERIT REMOTE_ADDRESS
220 %token EXCHANGE_MODE EXCHANGETYPE DOI DOITYPE SITUATION SITUATIONTYPE
221 %token CERTIFICATE_TYPE CERTTYPE PEERS_CERTFILE CA_TYPE
222 %token VERIFY_CERT SEND_CERT SEND_CR MATCH_EMPTY_CR
223 %token IDENTIFIERTYPE IDENTIFIERQUAL MY_IDENTIFIER
224 %token PEERS_IDENTIFIER VERIFY_IDENTIFIER
225 %token DNSSEC CERT_X509 CERT_PLAINRSA
226 %token NONCE_SIZE DH_GROUP KEEPALIVE PASSIVE INITIAL_CONTACT
227 %token NAT_TRAVERSAL REMOTE_FORCE_LEVEL
228 %token PROPOSAL_CHECK PROPOSAL_CHECK_LEVEL
229 %token GENERATE_POLICY GENERATE_LEVEL SUPPORT_PROXY
230 %token PROPOSAL
231 %token EXEC_PATH EXEC_COMMAND EXEC_SUCCESS EXEC_FAILURE
232 %token GSS_ID GSS_ID_ENC GSS_ID_ENCTYPE
233 %token COMPLEX_BUNDLE
234 %token DPD DPD_DELAY DPD_RETRY DPD_MAXFAIL
235 %token PH1ID
236 %token XAUTH_LOGIN WEAK_PHASE1_CHECK
237 %token REKEY
238
239 %token PREFIX PORT PORTANY UL_PROTO ANY IKE_FRAG ESP_FRAG MODE_CFG
240 %token PFS_GROUP LIFETIME LIFETYPE_TIME LIFETYPE_BYTE STRENGTH REMOTEID
241
242 %token SCRIPT PHASE1_UP PHASE1_DOWN PHASE1_DEAD
243
244 %token NUMBER SWITCH BOOLEAN
245 %token HEXSTRING QUOTEDSTRING ADDRSTRING ADDRRANGE
246 %token UNITTYPE_BYTE UNITTYPE_KBYTES UNITTYPE_MBYTES UNITTYPE_TBYTES
247 %token UNITTYPE_SEC UNITTYPE_MIN UNITTYPE_HOUR
248 %token EOS BOC EOC COMMA
249
250 %type <num> NUMBER BOOLEAN SWITCH keylength
251 %type <num> PATHTYPE IDENTIFIERTYPE IDENTIFIERQUAL LOGLEV GSS_ID_ENCTYPE
252 %type <num> ALGORITHM_CLASS dh_group_num
253 %type <num> ALGORITHMTYPE STRENGTHTYPE
254 %type <num> PREFIX prefix PORT port ike_port
255 %type <num> ul_proto UL_PROTO
256 %type <num> EXCHANGETYPE DOITYPE SITUATIONTYPE
257 %type <num> CERTTYPE CERT_X509 CERT_PLAINRSA PROPOSAL_CHECK_LEVEL REMOTE_FORCE_LEVEL GENERATE_LEVEL
258 %type <num> unittype_time unittype_byte
259 %type <val> QUOTEDSTRING HEXSTRING ADDRSTRING ADDRRANGE sainfo_id
260 %type <val> identifierstring
261 %type <saddr> remote_index ike_addrinfo_port
262 %type <alg> algorithm
263
264 %%
265
266 statements
267 : /* nothing */
268 | statements statement
269 ;
270 statement
271 : privsep_statement
272 | path_statement
273 | include_statement
274 | pfkey_statement
275 | gssenc_statement
276 | logging_statement
277 | padding_statement
278 | listen_statement
279 | ldapcfg_statement
280 | radcfg_statement
281 | modecfg_statement
282 | timer_statement
283 | sainfo_statement
284 | remote_statement
285 | special_statement
286 ;
287
288 /* privsep */
289 privsep_statement
290 : PRIVSEP BOC privsep_stmts EOC
291 ;
292 privsep_stmts
293 : /* nothing */
294 | privsep_stmts privsep_stmt
295 ;
296 privsep_stmt
297 : USER QUOTEDSTRING
298 {
299 struct passwd *pw;
300
301 if ((pw = getpwnam($2->v)) == NULL) {
302 yyerror("unknown user \"%s\"", $2->v);
303 return -1;
304 }
305 lcconf->uid = pw->pw_uid;
306 }
307 EOS
308 | USER NUMBER { lcconf->uid = $2; } EOS
309 | GROUP QUOTEDSTRING
310 {
311 struct group *gr;
312
313 if ((gr = getgrnam($2->v)) == NULL) {
314 yyerror("unknown group \"%s\"", $2->v);
315 return -1;
316 }
317 lcconf->gid = gr->gr_gid;
318 }
319 EOS
320 | GROUP NUMBER { lcconf->gid = $2; } EOS
321 | CHROOT QUOTEDSTRING { lcconf->chroot = $2->v; } EOS
322 ;
323
324 /* path */
325 path_statement
326 : PATH PATHTYPE QUOTEDSTRING
327 {
328 if ($2 >= LC_PATHTYPE_MAX) {
329 yyerror("invalid path type %d", $2);
330 return -1;
331 }
332
333 /* free old pathinfo */
334 if (lcconf->pathinfo[$2])
335 racoon_free(lcconf->pathinfo[$2]);
336
337 /* set new pathinfo */
338 lcconf->pathinfo[$2] = racoon_strdup($3->v);
339 STRDUP_FATAL(lcconf->pathinfo[$2]);
340 vfree($3);
341 }
342 EOS
343 ;
344
345 /* special */
346 special_statement
347 : COMPLEX_BUNDLE SWITCH { lcconf->complex_bundle = $2; } EOS
348 ;
349
350 /* include */
351 include_statement
352 : INCLUDE QUOTEDSTRING EOS
353 {
354 char path[MAXPATHLEN];
355
356 getpathname(path, sizeof(path),
357 LC_PATHTYPE_INCLUDE, $2->v);
358 vfree($2);
359 if (yycf_switch_buffer(path) != 0)
360 return -1;
361 }
362 ;
363
364 /* pfkey_buffer */
365 pfkey_statement
366 : PFKEY_BUFFER NUMBER EOS
367 {
368 lcconf->pfkey_buffer_size = $2;
369 }
370 ;
371 /* gss_id_enc */
372 gssenc_statement
373 : GSS_ID_ENC GSS_ID_ENCTYPE EOS
374 {
375 if ($2 >= LC_GSSENC_MAX) {
376 yyerror("invalid GSS ID encoding %d", $2);
377 return -1;
378 }
379 lcconf->gss_id_enc = $2;
380 }
381 ;
382
383 /* logging */
384 logging_statement
385 : LOGGING log_level EOS
386 ;
387 log_level
388 : LOGLEV
389 {
390 /*
391 * set the loglevel to the value specified
392 * in the configuration file plus the number
393 * of -d options specified on the command line
394 */
395 loglevel += $1 - oldloglevel;
396 oldloglevel = $1;
397 }
398 ;
399
400 /* padding */
401 padding_statement
402 : PADDING BOC padding_stmts EOC
403 ;
404 padding_stmts
405 : /* nothing */
406 | padding_stmts padding_stmt
407 ;
408 padding_stmt
409 : PAD_RANDOMIZE SWITCH { lcconf->pad_random = $2; } EOS
410 | PAD_RANDOMIZELEN SWITCH { lcconf->pad_randomlen = $2; } EOS
411 | PAD_MAXLEN NUMBER { lcconf->pad_maxsize = $2; } EOS
412 | PAD_STRICT SWITCH { lcconf->pad_strict = $2; } EOS
413 | PAD_EXCLTAIL SWITCH { lcconf->pad_excltail = $2; } EOS
414 ;
415
416 /* listen */
417 listen_statement
418 : LISTEN BOC listen_stmts EOC
419 ;
420 listen_stmts
421 : /* nothing */
422 | listen_stmts listen_stmt
423 ;
424 listen_stmt
425 : X_ISAKMP ike_addrinfo_port
426 {
427 myaddr_listen($2, FALSE);
428 racoon_free($2);
429 }
430 EOS
431 | X_ISAKMP_NATT ike_addrinfo_port
432 {
433 #ifdef ENABLE_NATT
434 myaddr_listen($2, TRUE);
435 racoon_free($2);
436 #else
437 racoon_free($2);
438 yyerror("NAT-T support not compiled in.");
439 #endif
440 }
441 EOS
442 | ADMINSOCK QUOTEDSTRING QUOTEDSTRING QUOTEDSTRING NUMBER
443 {
444 #ifdef ENABLE_ADMINPORT
445 adminsock_conf($2, $3, $4, $5);
446 #else
447 yywarn("admin port support not compiled in");
448 #endif
449 }
450 EOS
451 | ADMINSOCK QUOTEDSTRING
452 {
453 #ifdef ENABLE_ADMINPORT
454 adminsock_conf($2, NULL, NULL, -1);
455 #else
456 yywarn("admin port support not compiled in");
457 #endif
458 }
459 EOS
460 | ADMINSOCK DISABLED
461 {
462 #ifdef ENABLE_ADMINPORT
463 adminsock_path = NULL;
464 #else
465 yywarn("admin port support not compiled in");
466 #endif
467 }
468 EOS
469 | STRICT_ADDRESS { lcconf->strict_address = TRUE; } EOS
470 ;
471 ike_addrinfo_port
472 : ADDRSTRING ike_port
473 {
474 char portbuf[10];
475
476 snprintf(portbuf, sizeof(portbuf), "%ld", $2);
477 $$ = str2saddr($1->v, portbuf);
478 vfree($1);
479 if (!$$)
480 return -1;
481 }
482 ;
483 ike_port
484 : /* nothing */ { $$ = PORT_ISAKMP; }
485 | PORT { $$ = $1; }
486 ;
487
488 /* radius configuration */
489 radcfg_statement
490 : RADCFG {
491 #ifndef ENABLE_HYBRID
492 yyerror("racoon not configured with --enable-hybrid");
493 return -1;
494 #endif
495 #ifndef HAVE_LIBRADIUS
496 yyerror("racoon not configured with --with-libradius");
497 return -1;
498 #endif
499 #ifdef ENABLE_HYBRID
500 #ifdef HAVE_LIBRADIUS
501 xauth_rad_config.timeout = 3;
502 xauth_rad_config.retries = 3;
503 #endif
504 #endif
505 } BOC radcfg_stmts EOC
506 ;
507 radcfg_stmts
508 : /* nothing */
509 | radcfg_stmts radcfg_stmt
510 ;
511 radcfg_stmt
512 : RAD_AUTH QUOTEDSTRING QUOTEDSTRING
513 {
514 #ifdef ENABLE_HYBRID
515 #ifdef HAVE_LIBRADIUS
516 int i = xauth_rad_config.auth_server_count;
517 if (i == RADIUS_MAX_SERVERS) {
518 yyerror("maximum radius auth servers exceeded");
519 return -1;
520 }
521
522 xauth_rad_config.auth_server_list[i].host = vdup($2);
523 xauth_rad_config.auth_server_list[i].secret = vdup($3);
524 xauth_rad_config.auth_server_list[i].port = 0; // default port
525 xauth_rad_config.auth_server_count++;
526 #endif
527 #endif
528 }
529 EOS
530 | RAD_AUTH QUOTEDSTRING NUMBER QUOTEDSTRING
531 {
532 #ifdef ENABLE_HYBRID
533 #ifdef HAVE_LIBRADIUS
534 int i = xauth_rad_config.auth_server_count;
535 if (i == RADIUS_MAX_SERVERS) {
536 yyerror("maximum radius auth servers exceeded");
537 return -1;
538 }
539
540 xauth_rad_config.auth_server_list[i].host = vdup($2);
541 xauth_rad_config.auth_server_list[i].secret = vdup($4);
542 xauth_rad_config.auth_server_list[i].port = $3;
543 xauth_rad_config.auth_server_count++;
544 #endif
545 #endif
546 }
547 EOS
548 | RAD_ACCT QUOTEDSTRING QUOTEDSTRING
549 {
550 #ifdef ENABLE_HYBRID
551 #ifdef HAVE_LIBRADIUS
552 int i = xauth_rad_config.acct_server_count;
553 if (i == RADIUS_MAX_SERVERS) {
554 yyerror("maximum radius account servers exceeded");
555 return -1;
556 }
557
558 xauth_rad_config.acct_server_list[i].host = vdup($2);
559 xauth_rad_config.acct_server_list[i].secret = vdup($3);
560 xauth_rad_config.acct_server_list[i].port = 0; // default port
561 xauth_rad_config.acct_server_count++;
562 #endif
563 #endif
564 }
565 EOS
566 | RAD_ACCT QUOTEDSTRING NUMBER QUOTEDSTRING
567 {
568 #ifdef ENABLE_HYBRID
569 #ifdef HAVE_LIBRADIUS
570 int i = xauth_rad_config.acct_server_count;
571 if (i == RADIUS_MAX_SERVERS) {
572 yyerror("maximum radius account servers exceeded");
573 return -1;
574 }
575
576 xauth_rad_config.acct_server_list[i].host = vdup($2);
577 xauth_rad_config.acct_server_list[i].secret = vdup($4);
578 xauth_rad_config.acct_server_list[i].port = $3;
579 xauth_rad_config.acct_server_count++;
580 #endif
581 #endif
582 }
583 EOS
584 | RAD_TIMEOUT NUMBER
585 {
586 #ifdef ENABLE_HYBRID
587 #ifdef HAVE_LIBRADIUS
588 xauth_rad_config.timeout = $2;
589 #endif
590 #endif
591 }
592 EOS
593 | RAD_RETRIES NUMBER
594 {
595 #ifdef ENABLE_HYBRID
596 #ifdef HAVE_LIBRADIUS
597 xauth_rad_config.retries = $2;
598 #endif
599 #endif
600 }
601 EOS
602 ;
603
604 /* ldap configuration */
605 ldapcfg_statement
606 : LDAPCFG {
607 #ifndef ENABLE_HYBRID
608 yyerror("racoon not configured with --enable-hybrid");
609 return -1;
610 #endif
611 #ifndef HAVE_LIBLDAP
612 yyerror("racoon not configured with --with-libldap");
613 return -1;
614 #endif
615 } BOC ldapcfg_stmts EOC
616 ;
617 ldapcfg_stmts
618 : /* nothing */
619 | ldapcfg_stmts ldapcfg_stmt
620 ;
621 ldapcfg_stmt
622 : LDAP_PVER NUMBER
623 {
624 #ifdef ENABLE_HYBRID
625 #ifdef HAVE_LIBLDAP
626 if (($2<2)||($2>3))
627 yyerror("invalid ldap protocol version (2|3)");
628 xauth_ldap_config.pver = $2;
629 #endif
630 #endif
631 }
632 EOS
633 | LDAP_HOST QUOTEDSTRING
634 {
635 #ifdef ENABLE_HYBRID
636 #ifdef HAVE_LIBLDAP
637 if (xauth_ldap_config.host != NULL)
638 vfree(xauth_ldap_config.host);
639 xauth_ldap_config.host = vdup($2);
640 #endif
641 #endif
642 }
643 EOS
644 | LDAP_PORT NUMBER
645 {
646 #ifdef ENABLE_HYBRID
647 #ifdef HAVE_LIBLDAP
648 xauth_ldap_config.port = $2;
649 #endif
650 #endif
651 }
652 EOS
653 | LDAP_BASE QUOTEDSTRING
654 {
655 #ifdef ENABLE_HYBRID
656 #ifdef HAVE_LIBLDAP
657 if (xauth_ldap_config.base != NULL)
658 vfree(xauth_ldap_config.base);
659 xauth_ldap_config.base = vdup($2);
660 #endif
661 #endif
662 }
663 EOS
664 | LDAP_SUBTREE SWITCH
665 {
666 #ifdef ENABLE_HYBRID
667 #ifdef HAVE_LIBLDAP
668 xauth_ldap_config.subtree = $2;
669 #endif
670 #endif
671 }
672 EOS
673 | LDAP_BIND_DN QUOTEDSTRING
674 {
675 #ifdef ENABLE_HYBRID
676 #ifdef HAVE_LIBLDAP
677 if (xauth_ldap_config.bind_dn != NULL)
678 vfree(xauth_ldap_config.bind_dn);
679 xauth_ldap_config.bind_dn = vdup($2);
680 #endif
681 #endif
682 }
683 EOS
684 | LDAP_BIND_PW QUOTEDSTRING
685 {
686 #ifdef ENABLE_HYBRID
687 #ifdef HAVE_LIBLDAP
688 if (xauth_ldap_config.bind_pw != NULL)
689 vfree(xauth_ldap_config.bind_pw);
690 xauth_ldap_config.bind_pw = vdup($2);
691 #endif
692 #endif
693 }
694 EOS
695 | LDAP_ATTR_USER QUOTEDSTRING
696 {
697 #ifdef ENABLE_HYBRID
698 #ifdef HAVE_LIBLDAP
699 if (xauth_ldap_config.attr_user != NULL)
700 vfree(xauth_ldap_config.attr_user);
701 xauth_ldap_config.attr_user = vdup($2);
702 #endif
703 #endif
704 }
705 EOS
706 | LDAP_ATTR_ADDR QUOTEDSTRING
707 {
708 #ifdef ENABLE_HYBRID
709 #ifdef HAVE_LIBLDAP
710 if (xauth_ldap_config.attr_addr != NULL)
711 vfree(xauth_ldap_config.attr_addr);
712 xauth_ldap_config.attr_addr = vdup($2);
713 #endif
714 #endif
715 }
716 EOS
717 | LDAP_ATTR_MASK QUOTEDSTRING
718 {
719 #ifdef ENABLE_HYBRID
720 #ifdef HAVE_LIBLDAP
721 if (xauth_ldap_config.attr_mask != NULL)
722 vfree(xauth_ldap_config.attr_mask);
723 xauth_ldap_config.attr_mask = vdup($2);
724 #endif
725 #endif
726 }
727 EOS
728 | LDAP_ATTR_GROUP QUOTEDSTRING
729 {
730 #ifdef ENABLE_HYBRID
731 #ifdef HAVE_LIBLDAP
732 if (xauth_ldap_config.attr_group != NULL)
733 vfree(xauth_ldap_config.attr_group);
734 xauth_ldap_config.attr_group = vdup($2);
735 #endif
736 #endif
737 }
738 EOS
739 | LDAP_ATTR_MEMBER QUOTEDSTRING
740 {
741 #ifdef ENABLE_HYBRID
742 #ifdef HAVE_LIBLDAP
743 if (xauth_ldap_config.attr_member != NULL)
744 vfree(xauth_ldap_config.attr_member);
745 xauth_ldap_config.attr_member = vdup($2);
746 #endif
747 #endif
748 }
749 EOS
750 ;
751
752 /* modecfg */
753 modecfg_statement
754 : MODECFG BOC modecfg_stmts EOC
755 ;
756 modecfg_stmts
757 : /* nothing */
758 | modecfg_stmts modecfg_stmt
759 ;
760 modecfg_stmt
761 : CFG_NET4 ADDRSTRING
762 {
763 #ifdef ENABLE_HYBRID
764 if (inet_pton(AF_INET, $2->v,
765 &isakmp_cfg_config.network4) != 1)
766 yyerror("bad IPv4 network address.");
767 #else
768 yyerror("racoon not configured with --enable-hybrid");
769 #endif
770 }
771 EOS
772 | CFG_MASK4 ADDRSTRING
773 {
774 #ifdef ENABLE_HYBRID
775 if (inet_pton(AF_INET, $2->v,
776 &isakmp_cfg_config.netmask4) != 1)
777 yyerror("bad IPv4 netmask address.");
778 #else
779 yyerror("racoon not configured with --enable-hybrid");
780 #endif
781 }
782 EOS
783 | CFG_DNS4 addrdnslist
784 EOS
785 | CFG_NBNS4 addrwinslist
786 EOS
787 | CFG_SPLIT_NETWORK CFG_SPLIT_LOCAL splitnetlist
788 {
789 #ifdef ENABLE_HYBRID
790 isakmp_cfg_config.splitnet_type = UNITY_LOCAL_LAN;
791 #else
792 yyerror("racoon not configured with --enable-hybrid");
793 #endif
794 }
795 EOS
796 | CFG_SPLIT_NETWORK CFG_SPLIT_INCLUDE splitnetlist
797 {
798 #ifdef ENABLE_HYBRID
799 isakmp_cfg_config.splitnet_type = UNITY_SPLIT_INCLUDE;
800 #else
801 yyerror("racoon not configured with --enable-hybrid");
802 #endif
803 }
804 EOS
805 | CFG_SPLIT_DNS splitdnslist
806 {
807 #ifndef ENABLE_HYBRID
808 yyerror("racoon not configured with --enable-hybrid");
809 #endif
810 }
811 EOS
812 | CFG_DEFAULT_DOMAIN QUOTEDSTRING
813 {
814 #ifdef ENABLE_HYBRID
815 strncpy(&isakmp_cfg_config.default_domain[0],
816 $2->v, MAXPATHLEN);
817 isakmp_cfg_config.default_domain[MAXPATHLEN] = '\0';
818 vfree($2);
819 #else
820 yyerror("racoon not configured with --enable-hybrid");
821 #endif
822 }
823 EOS
824 | CFG_AUTH_SOURCE CFG_SYSTEM
825 {
826 #ifdef ENABLE_HYBRID
827 isakmp_cfg_config.authsource = ISAKMP_CFG_AUTH_SYSTEM;
828 #else
829 yyerror("racoon not configured with --enable-hybrid");
830 #endif
831 }
832 EOS
833 | CFG_AUTH_SOURCE CFG_RADIUS
834 {
835 #ifdef ENABLE_HYBRID
836 #ifdef HAVE_LIBRADIUS
837 isakmp_cfg_config.authsource = ISAKMP_CFG_AUTH_RADIUS;
838 #else /* HAVE_LIBRADIUS */
839 yyerror("racoon not configured with --with-libradius");
840 #endif /* HAVE_LIBRADIUS */
841 #else /* ENABLE_HYBRID */
842 yyerror("racoon not configured with --enable-hybrid");
843 #endif /* ENABLE_HYBRID */
844 }
845 EOS
846 | CFG_AUTH_SOURCE CFG_PAM
847 {
848 #ifdef ENABLE_HYBRID
849 #ifdef HAVE_LIBPAM
850 isakmp_cfg_config.authsource = ISAKMP_CFG_AUTH_PAM;
851 #else /* HAVE_LIBPAM */
852 yyerror("racoon not configured with --with-libpam");
853 #endif /* HAVE_LIBPAM */
854 #else /* ENABLE_HYBRID */
855 yyerror("racoon not configured with --enable-hybrid");
856 #endif /* ENABLE_HYBRID */
857 }
858 EOS
859 | CFG_AUTH_SOURCE CFG_LDAP
860 {
861 #ifdef ENABLE_HYBRID
862 #ifdef HAVE_LIBLDAP
863 isakmp_cfg_config.authsource = ISAKMP_CFG_AUTH_LDAP;
864 #else /* HAVE_LIBLDAP */
865 yyerror("racoon not configured with --with-libldap");
866 #endif /* HAVE_LIBLDAP */
867 #else /* ENABLE_HYBRID */
868 yyerror("racoon not configured with --enable-hybrid");
869 #endif /* ENABLE_HYBRID */
870 }
871 EOS
872 | CFG_AUTH_GROUPS authgrouplist
873 {
874 #ifndef ENABLE_HYBRID
875 yyerror("racoon not configured with --enable-hybrid");
876 #endif
877 }
878 EOS
879 | CFG_GROUP_SOURCE CFG_SYSTEM
880 {
881 #ifdef ENABLE_HYBRID
882 isakmp_cfg_config.groupsource = ISAKMP_CFG_GROUP_SYSTEM;
883 #else
884 yyerror("racoon not configured with --enable-hybrid");
885 #endif
886 }
887 EOS
888 | CFG_GROUP_SOURCE CFG_LDAP
889 {
890 #ifdef ENABLE_HYBRID
891 #ifdef HAVE_LIBLDAP
892 isakmp_cfg_config.groupsource = ISAKMP_CFG_GROUP_LDAP;
893 #else /* HAVE_LIBLDAP */
894 yyerror("racoon not configured with --with-libldap");
895 #endif /* HAVE_LIBLDAP */
896 #else /* ENABLE_HYBRID */
897 yyerror("racoon not configured with --enable-hybrid");
898 #endif /* ENABLE_HYBRID */
899 }
900 EOS
901 | CFG_ACCOUNTING CFG_NONE
902 {
903 #ifdef ENABLE_HYBRID
904 isakmp_cfg_config.accounting = ISAKMP_CFG_ACCT_NONE;
905 #else
906 yyerror("racoon not configured with --enable-hybrid");
907 #endif
908 }
909 EOS
910 | CFG_ACCOUNTING CFG_SYSTEM
911 {
912 #ifdef ENABLE_HYBRID
913 isakmp_cfg_config.accounting = ISAKMP_CFG_ACCT_SYSTEM;
914 #else
915 yyerror("racoon not configured with --enable-hybrid");
916 #endif
917 }
918 EOS
919 | CFG_ACCOUNTING CFG_RADIUS
920 {
921 #ifdef ENABLE_HYBRID
922 #ifdef HAVE_LIBRADIUS
923 isakmp_cfg_config.accounting = ISAKMP_CFG_ACCT_RADIUS;
924 #else /* HAVE_LIBRADIUS */
925 yyerror("racoon not configured with --with-libradius");
926 #endif /* HAVE_LIBRADIUS */
927 #else /* ENABLE_HYBRID */
928 yyerror("racoon not configured with --enable-hybrid");
929 #endif /* ENABLE_HYBRID */
930 }
931 EOS
932 | CFG_ACCOUNTING CFG_PAM
933 {
934 #ifdef ENABLE_HYBRID
935 #ifdef HAVE_LIBPAM
936 isakmp_cfg_config.accounting = ISAKMP_CFG_ACCT_PAM;
937 #else /* HAVE_LIBPAM */
938 yyerror("racoon not configured with --with-libpam");
939 #endif /* HAVE_LIBPAM */
940 #else /* ENABLE_HYBRID */
941 yyerror("racoon not configured with --enable-hybrid");
942 #endif /* ENABLE_HYBRID */
943 }
944 EOS
945 | CFG_POOL_SIZE NUMBER
946 {
947 #ifdef ENABLE_HYBRID
948 if (isakmp_cfg_resize_pool($2) != 0)
949 yyerror("cannot allocate memory for pool");
950 #else /* ENABLE_HYBRID */
951 yyerror("racoon not configured with --enable-hybrid");
952 #endif /* ENABLE_HYBRID */
953 }
954 EOS
955 | CFG_PFS_GROUP NUMBER
956 {
957 #ifdef ENABLE_HYBRID
958 isakmp_cfg_config.pfs_group = $2;
959 #else /* ENABLE_HYBRID */
960 yyerror("racoon not configured with --enable-hybrid");
961 #endif /* ENABLE_HYBRID */
962 }
963 EOS
964 | CFG_SAVE_PASSWD SWITCH
965 {
966 #ifdef ENABLE_HYBRID
967 isakmp_cfg_config.save_passwd = $2;
968 #else /* ENABLE_HYBRID */
969 yyerror("racoon not configured with --enable-hybrid");
970 #endif /* ENABLE_HYBRID */
971 }
972 EOS
973 | CFG_AUTH_THROTTLE NUMBER
974 {
975 #ifdef ENABLE_HYBRID
976 isakmp_cfg_config.auth_throttle = $2;
977 #else /* ENABLE_HYBRID */
978 yyerror("racoon not configured with --enable-hybrid");
979 #endif /* ENABLE_HYBRID */
980 }
981 EOS
982 | CFG_CONF_SOURCE CFG_LOCAL
983 {
984 #ifdef ENABLE_HYBRID
985 isakmp_cfg_config.confsource = ISAKMP_CFG_CONF_LOCAL;
986 #else /* ENABLE_HYBRID */
987 yyerror("racoon not configured with --enable-hybrid");
988 #endif /* ENABLE_HYBRID */
989 }
990 EOS
991 | CFG_CONF_SOURCE CFG_RADIUS
992 {
993 #ifdef ENABLE_HYBRID
994 #ifdef HAVE_LIBRADIUS
995 isakmp_cfg_config.confsource = ISAKMP_CFG_CONF_RADIUS;
996 #else /* HAVE_LIBRADIUS */
997 yyerror("racoon not configured with --with-libradius");
998 #endif /* HAVE_LIBRADIUS */
999 #else /* ENABLE_HYBRID */
1000 yyerror("racoon not configured with --enable-hybrid");
1001 #endif /* ENABLE_HYBRID */
1002 }
1003 EOS
1004 | CFG_CONF_SOURCE CFG_LDAP
1005 {
1006 #ifdef ENABLE_HYBRID
1007 #ifdef HAVE_LIBLDAP
1008 isakmp_cfg_config.confsource = ISAKMP_CFG_CONF_LDAP;
1009 #else /* HAVE_LIBLDAP */
1010 yyerror("racoon not configured with --with-libldap");
1011 #endif /* HAVE_LIBLDAP */
1012 #else /* ENABLE_HYBRID */
1013 yyerror("racoon not configured with --enable-hybrid");
1014 #endif /* ENABLE_HYBRID */
1015 }
1016 EOS
1017 | CFG_MOTD QUOTEDSTRING
1018 {
1019 #ifdef ENABLE_HYBRID
1020 strncpy(&isakmp_cfg_config.motd[0], $2->v, MAXPATHLEN);
1021 isakmp_cfg_config.motd[MAXPATHLEN] = '\0';
1022 vfree($2);
1023 #else
1024 yyerror("racoon not configured with --enable-hybrid");
1025 #endif
1026 }
1027 EOS
1028 ;
1029
1030 addrdnslist
1031 : addrdns
1032 | addrdns COMMA addrdnslist
1033 ;
1034 addrdns
1035 : ADDRSTRING
1036 {
1037 #ifdef ENABLE_HYBRID
1038 struct isakmp_cfg_config *icc = &isakmp_cfg_config;
1039
1040 if (icc->dns4_index > MAXNS)
1041 yyerror("No more than %d DNS", MAXNS);
1042 if (inet_pton(AF_INET, $1->v,
1043 &icc->dns4[icc->dns4_index++]) != 1)
1044 yyerror("bad IPv4 DNS address.");
1045 #else
1046 yyerror("racoon not configured with --enable-hybrid");
1047 #endif
1048 }
1049 ;
1050
1051 addrwinslist
1052 : addrwins
1053 | addrwins COMMA addrwinslist
1054 ;
1055 addrwins
1056 : ADDRSTRING
1057 {
1058 #ifdef ENABLE_HYBRID
1059 struct isakmp_cfg_config *icc = &isakmp_cfg_config;
1060
1061 if (icc->nbns4_index > MAXWINS)
1062 yyerror("No more than %d WINS", MAXWINS);
1063 if (inet_pton(AF_INET, $1->v,
1064 &icc->nbns4[icc->nbns4_index++]) != 1)
1065 yyerror("bad IPv4 WINS address.");
1066 #else
1067 yyerror("racoon not configured with --enable-hybrid");
1068 #endif
1069 }
1070 ;
1071
1072 splitnetlist
1073 : splitnet
1074 | splitnetlist COMMA splitnet
1075 ;
1076 splitnet
1077 : ADDRSTRING PREFIX
1078 {
1079 #ifdef ENABLE_HYBRID
1080 struct isakmp_cfg_config *icc = &isakmp_cfg_config;
1081 struct unity_network network;
1082 memset(&network,0,sizeof(network));
1083
1084 if (inet_pton(AF_INET, $1->v, &network.addr4) != 1)
1085 yyerror("bad IPv4 SPLIT address.");
1086
1087 /* Turn $2 (the prefix) into a subnet mask */
1088 network.mask4.s_addr = ($2) ? htonl(~((1 << (32 - $2)) - 1)) : 0;
1089
1090 /* add the network to our list */
1091 if (splitnet_list_add(&icc->splitnet_list, &network,&icc->splitnet_count))
1092 yyerror("Unable to allocate split network");
1093 #else
1094 yyerror("racoon not configured with --enable-hybrid");
1095 #endif
1096 }
1097 ;
1098
1099 authgrouplist
1100 : authgroup
1101 | authgroup COMMA authgrouplist
1102 ;
1103 authgroup
1104 : QUOTEDSTRING
1105 {
1106 #ifdef ENABLE_HYBRID
1107 char * groupname = NULL;
1108 char ** grouplist = NULL;
1109 struct isakmp_cfg_config *icc = &isakmp_cfg_config;
1110
1111 grouplist = racoon_realloc(icc->grouplist,
1112 sizeof(char**)*(icc->groupcount+1));
1113 if (grouplist == NULL) {
1114 yyerror("unable to allocate auth group list");
1115 return -1;
1116 }
1117
1118 groupname = racoon_malloc($1->l+1);
1119 if (groupname == NULL) {
1120 yyerror("unable to allocate auth group name");
1121 return -1;
1122 }
1123
1124 memcpy(groupname,$1->v,$1->l);
1125 groupname[$1->l]=0;
1126 grouplist[icc->groupcount]=groupname;
1127 icc->grouplist = grouplist;
1128 icc->groupcount++;
1129
1130 vfree($1);
1131 #else
1132 yyerror("racoon not configured with --enable-hybrid");
1133 #endif
1134 }
1135 ;
1136
1137 splitdnslist
1138 : splitdns
1139 | splitdns COMMA splitdnslist
1140 ;
1141 splitdns
1142 : QUOTEDSTRING
1143 {
1144 #ifdef ENABLE_HYBRID
1145 struct isakmp_cfg_config *icc = &isakmp_cfg_config;
1146
1147 if (!icc->splitdns_len)
1148 {
1149 icc->splitdns_list = racoon_malloc($1->l);
1150 if(icc->splitdns_list == NULL) {
1151 yyerror("error allocating splitdns list buffer");
1152 return -1;
1153 }
1154 memcpy(icc->splitdns_list,$1->v,$1->l);
1155 icc->splitdns_len = $1->l;
1156 }
1157 else
1158 {
1159 int len = icc->splitdns_len + $1->l + 1;
1160 icc->splitdns_list = racoon_realloc(icc->splitdns_list,len);
1161 if(icc->splitdns_list == NULL) {
1162 yyerror("error allocating splitdns list buffer");
1163 return -1;
1164 }
1165 icc->splitdns_list[icc->splitdns_len] = ',';
1166 memcpy(icc->splitdns_list + icc->splitdns_len + 1, $1->v, $1->l);
1167 icc->splitdns_len = len;
1168 }
1169 vfree($1);
1170 #else
1171 yyerror("racoon not configured with --enable-hybrid");
1172 #endif
1173 }
1174 ;
1175
1176
1177 /* timer */
1178 timer_statement
1179 : RETRY BOC timer_stmts EOC
1180 ;
1181 timer_stmts
1182 : /* nothing */
1183 | timer_stmts timer_stmt
1184 ;
1185 timer_stmt
1186 : RETRY_COUNTER NUMBER
1187 {
1188 lcconf->retry_counter = $2;
1189 }
1190 EOS
1191 | RETRY_INTERVAL NUMBER unittype_time
1192 {
1193 lcconf->retry_interval = $2 * $3;
1194 }
1195 EOS
1196 | RETRY_PERSEND NUMBER
1197 {
1198 lcconf->count_persend = $2;
1199 }
1200 EOS
1201 | RETRY_PHASE1 NUMBER unittype_time
1202 {
1203 lcconf->retry_checkph1 = $2 * $3;
1204 }
1205 EOS
1206 | RETRY_PHASE2 NUMBER unittype_time
1207 {
1208 lcconf->wait_ph2complete = $2 * $3;
1209 }
1210 EOS
1211 | NATT_KA NUMBER unittype_time
1212 {
1213 #ifdef ENABLE_NATT
1214 if (libipsec_opt & LIBIPSEC_OPT_NATT)
1215 lcconf->natt_ka_interval = $2 * $3;
1216 else
1217 yyerror("libipsec lacks NAT-T support");
1218 #else
1219 yyerror("NAT-T support not compiled in.");
1220 #endif
1221 }
1222 EOS
1223 ;
1224
1225 /* sainfo */
1226 sainfo_statement
1227 : SAINFO
1228 {
1229 cur_sainfo = newsainfo();
1230 if (cur_sainfo == NULL) {
1231 yyerror("failed to allocate sainfo");
1232 return -1;
1233 }
1234 }
1235 sainfo_name sainfo_param BOC sainfo_specs
1236 {
1237 struct sainfo *check;
1238
1239 /* default */
1240 if (cur_sainfo->algs[algclass_ipsec_enc] == 0) {
1241 yyerror("no encryption algorithm at %s",
1242 sainfo2str(cur_sainfo));
1243 return -1;
1244 }
1245 if (cur_sainfo->algs[algclass_ipsec_auth] == 0) {
1246 yyerror("no authentication algorithm at %s",
1247 sainfo2str(cur_sainfo));
1248 return -1;
1249 }
1250 if (cur_sainfo->algs[algclass_ipsec_comp] == 0) {
1251 yyerror("no compression algorithm at %s",
1252 sainfo2str(cur_sainfo));
1253 return -1;
1254 }
1255
1256 /* duplicate check */
1257 check = getsainfo(cur_sainfo->idsrc,
1258 cur_sainfo->iddst,
1259 cur_sainfo->id_i,
1260 NULL,
1261 cur_sainfo->remoteid);
1262
1263 if (check && ((check->idsrc != SAINFO_ANONYMOUS) &&
1264 (cur_sainfo->idsrc != SAINFO_ANONYMOUS))) {
1265 yyerror("duplicated sainfo: %s",
1266 sainfo2str(cur_sainfo));
1267 return -1;
1268 }
1269
1270 inssainfo(cur_sainfo);
1271 }
1272 EOC
1273 ;
1274 sainfo_name
1275 : ANONYMOUS
1276 {
1277 cur_sainfo->idsrc = SAINFO_ANONYMOUS;
1278 cur_sainfo->iddst = SAINFO_ANONYMOUS;
1279 }
1280 | ANONYMOUS CLIENTADDR
1281 {
1282 cur_sainfo->idsrc = SAINFO_ANONYMOUS;
1283 cur_sainfo->iddst = SAINFO_CLIENTADDR;
1284 }
1285 | ANONYMOUS sainfo_id
1286 {
1287 cur_sainfo->idsrc = SAINFO_ANONYMOUS;
1288 cur_sainfo->iddst = $2;
1289 }
1290 | sainfo_id ANONYMOUS
1291 {
1292 cur_sainfo->idsrc = $1;
1293 cur_sainfo->iddst = SAINFO_ANONYMOUS;
1294 }
1295 | sainfo_id CLIENTADDR
1296 {
1297 cur_sainfo->idsrc = $1;
1298 cur_sainfo->iddst = SAINFO_CLIENTADDR;
1299 }
1300 | sainfo_id sainfo_id
1301 {
1302 cur_sainfo->idsrc = $1;
1303 cur_sainfo->iddst = $2;
1304 }
1305 ;
1306 sainfo_id
1307 : IDENTIFIERTYPE ADDRSTRING prefix port ul_proto
1308 {
1309 char portbuf[10];
1310 struct sockaddr *saddr;
1311
1312 if (($5 == IPPROTO_ICMP || $5 == IPPROTO_ICMPV6)
1313 && ($4 != IPSEC_PORT_ANY || $4 != IPSEC_PORT_ANY)) {
1314 yyerror("port number must be \"any\".");
1315 return -1;
1316 }
1317
1318 snprintf(portbuf, sizeof(portbuf), "%lu", $4);
1319 saddr = str2saddr($2->v, portbuf);
1320 vfree($2);
1321 if (saddr == NULL)
1322 return -1;
1323
1324 switch (saddr->sa_family) {
1325 case AF_INET:
1326 if ($5 == IPPROTO_ICMPV6) {
1327 yyerror("upper layer protocol mismatched.\n");
1328 racoon_free(saddr);
1329 return -1;
1330 }
1331 $$ = ipsecdoi_sockaddr2id(saddr,
1332 $3 == ~0 ? (sizeof(struct in_addr) << 3): $3,
1333 $5);
1334 break;
1335 #ifdef INET6
1336 case AF_INET6:
1337 if ($5 == IPPROTO_ICMP) {
1338 yyerror("upper layer protocol mismatched.\n");
1339 racoon_free(saddr);
1340 return -1;
1341 }
1342 $$ = ipsecdoi_sockaddr2id(saddr,
1343 $3 == ~0 ? (sizeof(struct in6_addr) << 3): $3,
1344 $5);
1345 break;
1346 #endif
1347 default:
1348 yyerror("invalid family: %d", saddr->sa_family);
1349 $$ = NULL;
1350 break;
1351 }
1352 racoon_free(saddr);
1353 if ($$ == NULL)
1354 return -1;
1355 }
1356 | IDENTIFIERTYPE ADDRSTRING ADDRRANGE prefix port ul_proto
1357 {
1358 char portbuf[10];
1359 struct sockaddr *laddr = NULL, *haddr = NULL;
1360 char *cur = NULL;
1361
1362 if (($6 == IPPROTO_ICMP || $6 == IPPROTO_ICMPV6)
1363 && ($5 != IPSEC_PORT_ANY || $5 != IPSEC_PORT_ANY)) {
1364 yyerror("port number must be \"any\".");
1365 return -1;
1366 }
1367
1368 snprintf(portbuf, sizeof(portbuf), "%lu", $5);
1369
1370 laddr = str2saddr($2->v, portbuf);
1371 if (laddr == NULL) {
1372 return -1;
1373 }
1374 vfree($2);
1375 haddr = str2saddr($3->v, portbuf);
1376 if (haddr == NULL) {
1377 racoon_free(laddr);
1378 return -1;
1379 }
1380 vfree($3);
1381
1382 switch (laddr->sa_family) {
1383 case AF_INET:
1384 if ($6 == IPPROTO_ICMPV6) {
1385 yyerror("upper layer protocol mismatched.\n");
1386 if (laddr)
1387 racoon_free(laddr);
1388 if (haddr)
1389 racoon_free(haddr);
1390 return -1;
1391 }
1392 $$ = ipsecdoi_sockrange2id(laddr, haddr,
1393 $6);
1394 break;
1395 #ifdef INET6
1396 case AF_INET6:
1397 if ($6 == IPPROTO_ICMP) {
1398 yyerror("upper layer protocol mismatched.\n");
1399 if (laddr)
1400 racoon_free(laddr);
1401 if (haddr)
1402 racoon_free(haddr);
1403 return -1;
1404 }
1405 $$ = ipsecdoi_sockrange2id(laddr, haddr,
1406 $6);
1407 break;
1408 #endif
1409 default:
1410 yyerror("invalid family: %d", laddr->sa_family);
1411 $$ = NULL;
1412 break;
1413 }
1414 if (laddr)
1415 racoon_free(laddr);
1416 if (haddr)
1417 racoon_free(haddr);
1418 if ($$ == NULL)
1419 return -1;
1420 }
1421 | IDENTIFIERTYPE QUOTEDSTRING
1422 {
1423 struct ipsecdoi_id_b *id_b;
1424
1425 if ($1 == IDTYPE_ASN1DN) {
1426 yyerror("id type forbidden: %d", $1);
1427 $$ = NULL;
1428 return -1;
1429 }
1430
1431 $2->l--;
1432
1433 $$ = vmalloc(sizeof(*id_b) + $2->l);
1434 if ($$ == NULL) {
1435 yyerror("failed to allocate identifier");
1436 return -1;
1437 }
1438
1439 id_b = (struct ipsecdoi_id_b *)$$->v;
1440 id_b->type = idtype2doi($1);
1441
1442 id_b->proto_id = 0;
1443 id_b->port = 0;
1444
1445 memcpy($$->v + sizeof(*id_b), $2->v, $2->l);
1446 }
1447 ;
1448 sainfo_param
1449 : /* nothing */
1450 {
1451 cur_sainfo->id_i = NULL;
1452 }
1453 | FROM IDENTIFIERTYPE identifierstring
1454 {
1455 struct ipsecdoi_id_b *id_b;
1456 vchar_t *idv;
1457
1458 if (set_identifier(&idv, $2, $3) != 0) {
1459 yyerror("failed to set identifer.\n");
1460 return -1;
1461 }
1462 cur_sainfo->id_i = vmalloc(sizeof(*id_b) + idv->l);
1463 if (cur_sainfo->id_i == NULL) {
1464 yyerror("failed to allocate identifier");
1465 return -1;
1466 }
1467
1468 id_b = (struct ipsecdoi_id_b *)cur_sainfo->id_i->v;
1469 id_b->type = idtype2doi($2);
1470
1471 id_b->proto_id = 0;
1472 id_b->port = 0;
1473
1474 memcpy(cur_sainfo->id_i->v + sizeof(*id_b),
1475 idv->v, idv->l);
1476 vfree(idv);
1477 }
1478 | GROUP QUOTEDSTRING
1479 {
1480 #ifdef ENABLE_HYBRID
1481 if ((cur_sainfo->group = vdup($2)) == NULL) {
1482 yyerror("failed to set sainfo xauth group.\n");
1483 return -1;
1484 }
1485 #else
1486 yyerror("racoon not configured with --enable-hybrid");
1487 return -1;
1488 #endif
1489 }
1490 ;
1491 sainfo_specs
1492 : /* nothing */
1493 | sainfo_specs sainfo_spec
1494 ;
1495 sainfo_spec
1496 : PFS_GROUP dh_group_num
1497 {
1498 cur_sainfo->pfs_group = $2;
1499 }
1500 EOS
1501 | REMOTEID NUMBER
1502 {
1503 cur_sainfo->remoteid = $2;
1504 }
1505 EOS
1506 | LIFETIME LIFETYPE_TIME NUMBER unittype_time
1507 {
1508 cur_sainfo->lifetime = $3 * $4;
1509 }
1510 EOS
1511 | LIFETIME LIFETYPE_BYTE NUMBER unittype_byte
1512 {
1513 #if 1
1514 yyerror("byte lifetime support is deprecated");
1515 return -1;
1516 #else
1517 cur_sainfo->lifebyte = fix_lifebyte($3 * $4);
1518 if (cur_sainfo->lifebyte == 0)
1519 return -1;
1520 #endif
1521 }
1522 EOS
1523 | ALGORITHM_CLASS {
1524 cur_algclass = $1;
1525 }
1526 algorithms EOS
1527 ;
1528
1529 algorithms
1530 : algorithm
1531 {
1532 inssainfoalg(&cur_sainfo->algs[cur_algclass], $1);
1533 }
1534 | algorithm
1535 {
1536 inssainfoalg(&cur_sainfo->algs[cur_algclass], $1);
1537 }
1538 COMMA algorithms
1539 ;
1540 algorithm
1541 : ALGORITHMTYPE keylength
1542 {
1543 int defklen;
1544
1545 $$ = newsainfoalg();
1546 if ($$ == NULL) {
1547 yyerror("failed to get algorithm allocation");
1548 return -1;
1549 }
1550
1551 $$->alg = algtype2doi(cur_algclass, $1);
1552 if ($$->alg == -1) {
1553 yyerror("algorithm mismatched");
1554 racoon_free($$);
1555 $$ = NULL;
1556 return -1;
1557 }
1558
1559 defklen = default_keylen(cur_algclass, $1);
1560 if (defklen == 0) {
1561 if ($2) {
1562 yyerror("keylen not allowed");
1563 racoon_free($$);
1564 $$ = NULL;
1565 return -1;
1566 }
1567 } else {
1568 if ($2 && check_keylen(cur_algclass, $1, $2) < 0) {
1569 yyerror("invalid keylen %d", $2);
1570 racoon_free($$);
1571 $$ = NULL;
1572 return -1;
1573 }
1574 }
1575
1576 if ($2)
1577 $$->encklen = $2;
1578 else
1579 $$->encklen = defklen;
1580
1581 /* check if it's supported algorithm by kernel */
1582 if (!(cur_algclass == algclass_ipsec_auth && $1 == algtype_non_auth)
1583 && pk_checkalg(cur_algclass, $1, $$->encklen)) {
1584 int a = algclass2doi(cur_algclass);
1585 int b = algtype2doi(cur_algclass, $1);
1586 if (a == IPSECDOI_ATTR_AUTH)
1587 a = IPSECDOI_PROTO_IPSEC_AH;
1588 yyerror("algorithm %s not supported by the kernel (missing module?)",
1589 s_ipsecdoi_trns(a, b));
1590 racoon_free($$);
1591 $$ = NULL;
1592 return -1;
1593 }
1594 }
1595 ;
1596 prefix
1597 : /* nothing */ { $$ = ~0; }
1598 | PREFIX { $$ = $1; }
1599 ;
1600 port
1601 : /* nothing */ { $$ = IPSEC_PORT_ANY; }
1602 | PORT { $$ = $1; }
1603 | PORTANY { $$ = IPSEC_PORT_ANY; }
1604 ;
1605 ul_proto
1606 : NUMBER { $$ = $1; }
1607 | UL_PROTO { $$ = $1; }
1608 | ANY { $$ = IPSEC_ULPROTO_ANY; }
1609 ;
1610 keylength
1611 : /* nothing */ { $$ = 0; }
1612 | NUMBER { $$ = $1; }
1613 ;
1614
1615 /* remote */
1616 remote_statement
1617 : REMOTE QUOTEDSTRING INHERIT QUOTEDSTRING
1618 {
1619 struct remoteconf *from, *new;
1620
1621 if (getrmconf_by_name($2->v) != NULL) {
1622 yyerror("named remoteconf \"%s\" already exists.");
1623 return -1;
1624 }
1625
1626 from = getrmconf_by_name($4->v);
1627 if (from == NULL) {
1628 yyerror("named parent remoteconf \"%s\" does not exist.",
1629 $4->v);
1630 return -1;
1631 }
1632
1633 new = duprmconf_shallow(from);
1634 if (new == NULL) {
1635 yyerror("failed to duplicate remoteconf from \"%s\".",
1636 $4->v);
1637 return -1;
1638 }
1639
1640 new->name = racoon_strdup($2->v);
1641 cur_rmconf = new;
1642
1643 vfree($2);
1644 vfree($4);
1645 }
1646 remote_specs_block
1647 | REMOTE QUOTEDSTRING
1648 {
1649 struct remoteconf *new;
1650
1651 if (getrmconf_by_name($2->v) != NULL) {
1652 yyerror("Named remoteconf \"%s\" already exists.");
1653 return -1;
1654 }
1655
1656 new = newrmconf();
1657 if (new == NULL) {
1658 yyerror("failed to get new remoteconf.");
1659 return -1;
1660 }
1661 new->name = racoon_strdup($2->v);
1662 cur_rmconf = new;
1663
1664 vfree($2);
1665 }
1666 remote_specs_block
1667 | REMOTE remote_index INHERIT remote_index
1668 {
1669 struct remoteconf *from, *new;
1670
1671 from = getrmconf($4, GETRMCONF_F_NO_ANONYMOUS);
1672 if (from == NULL) {
1673 yyerror("failed to get remoteconf for %s.",
1674 saddr2str($4));
1675 return -1;
1676 }
1677
1678 new = duprmconf_shallow(from);
1679 if (new == NULL) {
1680 yyerror("failed to duplicate remoteconf from %s.",
1681 saddr2str($4));
1682 return -1;
1683 }
1684
1685 racoon_free($4);
1686 new->remote = $2;
1687 cur_rmconf = new;
1688 }
1689 remote_specs_block
1690 | REMOTE remote_index
1691 {
1692 struct remoteconf *new;
1693
1694 new = newrmconf();
1695 if (new == NULL) {
1696 yyerror("failed to get new remoteconf.");
1697 return -1;
1698 }
1699
1700 new->remote = $2;
1701 cur_rmconf = new;
1702 }
1703 remote_specs_block
1704 ;
1705
1706 remote_specs_block
1707 : BOC remote_specs EOC
1708 {
1709 /* check a exchange mode */
1710 if (cur_rmconf->etypes == NULL) {
1711 yyerror("no exchange mode specified.\n");
1712 return -1;
1713 }
1714
1715 if (cur_rmconf->idvtype == IDTYPE_UNDEFINED)
1716 cur_rmconf->idvtype = IDTYPE_ADDRESS;
1717
1718 if (cur_rmconf->idvtype == IDTYPE_ASN1DN) {
1719 if (cur_rmconf->mycertfile) {
1720 if (cur_rmconf->idv)
1721 yywarn("Both CERT and ASN1 ID "
1722 "are set. Hope this is OK.\n");
1723 /* TODO: Preparse the DN here */
1724 } else if (cur_rmconf->idv) {
1725 /* OK, using asn1dn without X.509. */
1726 } else {
1727 yyerror("ASN1 ID not specified "
1728 "and no CERT defined!\n");
1729 return -1;
1730 }
1731 }
1732
1733 if (duprmconf_finish(cur_rmconf))
1734 return -1;
1735
1736 #if 0
1737 /* this pointer copy will never happen, because duprmconf_shallow
1738 * already copied all pointers.
1739 */
1740 if (cur_rmconf->spspec == NULL &&
1741 cur_rmconf->inherited_from != NULL) {
1742 cur_rmconf->spspec = cur_rmconf->inherited_from->spspec;
1743 }
1744 #endif
1745 if (set_isakmp_proposal(cur_rmconf) != 0)
1746 return -1;
1747
1748 /* DH group settting if aggressive mode is there. */
1749 if (check_etypeok(cur_rmconf, (void*) ISAKMP_ETYPE_AGG)) {
1750 struct isakmpsa *p;
1751 int b = 0;
1752
1753 /* DH group */
1754 for (p = cur_rmconf->proposal; p; p = p->next) {
1755 if (b == 0 || (b && b == p->dh_group)) {
1756 b = p->dh_group;
1757 continue;
1758 }
1759 yyerror("DH group must be equal "
1760 "in all proposals "
1761 "when aggressive mode is "
1762 "used.\n");
1763 return -1;
1764 }
1765 cur_rmconf->dh_group = b;
1766
1767 if (cur_rmconf->dh_group == 0) {
1768 yyerror("DH group must be set in the proposal.\n");
1769 return -1;
1770 }
1771
1772 /* DH group settting if PFS is required. */
1773 if (oakley_setdhgroup(cur_rmconf->dh_group,
1774 &cur_rmconf->dhgrp) < 0) {
1775 yyerror("failed to set DH value.\n");
1776 return -1;
1777 }
1778 }
1779
1780 insrmconf(cur_rmconf);
1781 }
1782 ;
1783 remote_index
1784 : ANONYMOUS ike_port
1785 {
1786 $$ = newsaddr(sizeof(struct sockaddr));
1787 $$->sa_family = AF_UNSPEC;
1788 ((struct sockaddr_in *)$$)->sin_port = htons($2);
1789 }
1790 | ike_addrinfo_port
1791 {
1792 $$ = $1;
1793 if ($$ == NULL) {
1794 yyerror("failed to allocate sockaddr");
1795 return -1;
1796 }
1797 }
1798 ;
1799 remote_specs
1800 : /* nothing */
1801 | remote_specs remote_spec
1802 ;
1803 remote_spec
1804 : REMOTE_ADDRESS ike_addrinfo_port
1805 {
1806 if (cur_rmconf->remote != NULL) {
1807 yyerror("remote_address already specified");
1808 return -1;
1809 }
1810 cur_rmconf->remote = $2;
1811 }
1812 EOS
1813 | EXCHANGE_MODE
1814 {
1815 cur_rmconf->etypes = NULL;
1816 }
1817 exchange_types EOS
1818 | DOI DOITYPE { cur_rmconf->doitype = $2; } EOS
1819 | SITUATION SITUATIONTYPE { cur_rmconf->sittype = $2; } EOS
1820 | CERTIFICATE_TYPE cert_spec
1821 | PEERS_CERTFILE QUOTEDSTRING
1822 {
1823 yywarn("This directive without certtype will be removed!\n");
1824 yywarn("Please use 'peers_certfile x509 \"%s\";' instead\n", $2->v);
1825
1826 if (cur_rmconf->peerscert != NULL) {
1827 yyerror("peers_certfile already defined\n");
1828 return -1;
1829 }
1830
1831 if (load_x509($2->v, &cur_rmconf->peerscertfile,
1832 &cur_rmconf->peerscert)) {
1833 yyerror("failed to load certificate \"%s\"\n",
1834 $2->v);
1835 return -1;
1836 }
1837
1838 vfree($2);
1839 }
1840 EOS
1841 | PEERS_CERTFILE CERT_X509 QUOTEDSTRING
1842 {
1843 if (cur_rmconf->peerscert != NULL) {
1844 yyerror("peers_certfile already defined\n");
1845 return -1;
1846 }
1847
1848 if (load_x509($3->v, &cur_rmconf->peerscertfile,
1849 &cur_rmconf->peerscert)) {
1850 yyerror("failed to load certificate \"%s\"\n",
1851 $3->v);
1852 return -1;
1853 }
1854
1855 vfree($3);
1856 }
1857 EOS
1858 | PEERS_CERTFILE CERT_PLAINRSA QUOTEDSTRING
1859 {
1860 char path[MAXPATHLEN];
1861 int ret = 0;
1862
1863 if (cur_rmconf->peerscert != NULL) {
1864 yyerror("peers_certfile already defined\n");
1865 return -1;
1866 }
1867
1868 cur_rmconf->peerscert = vmalloc(1);
1869 if (cur_rmconf->peerscert == NULL) {
1870 yyerror("failed to allocate peerscert");
1871 return -1;
1872 }
1873 cur_rmconf->peerscert->v[0] = ISAKMP_CERT_PLAINRSA;
1874
1875 getpathname(path, sizeof(path),
1876 LC_PATHTYPE_CERT, $3->v);
1877 if (rsa_parse_file(cur_rmconf->rsa_public, path,
1878 RSA_TYPE_PUBLIC)) {
1879 yyerror("Couldn't parse keyfile.\n", path);
1880 return -1;
1881 }
1882 plog(LLV_DEBUG, LOCATION, NULL,
1883 "Public PlainRSA keyfile parsed: %s\n", path);
1884
1885 vfree($3);
1886 }
1887 EOS
1888 | PEERS_CERTFILE DNSSEC
1889 {
1890 if (cur_rmconf->peerscert != NULL) {
1891 yyerror("peers_certfile already defined\n");
1892 return -1;
1893 }
1894 cur_rmconf->peerscert = vmalloc(1);
1895 if (cur_rmconf->peerscert == NULL) {
1896 yyerror("failed to allocate peerscert");
1897 return -1;
1898 }
1899 cur_rmconf->peerscert->v[0] = ISAKMP_CERT_DNS;
1900 }
1901 EOS
1902 | CA_TYPE CERT_X509 QUOTEDSTRING
1903 {
1904 if (cur_rmconf->cacert != NULL) {
1905 yyerror("ca_type already defined\n");
1906 return -1;
1907 }
1908
1909 if (load_x509($3->v, &cur_rmconf->cacertfile,
1910 &cur_rmconf->cacert)) {
1911 yyerror("failed to load certificate \"%s\"\n",
1912 $3->v);
1913 return -1;
1914 }
1915
1916 vfree($3);
1917 }
1918 EOS
1919 | VERIFY_CERT SWITCH { cur_rmconf->verify_cert = $2; } EOS
1920 | SEND_CERT SWITCH { cur_rmconf->send_cert = $2; } EOS
1921 | SEND_CR SWITCH { cur_rmconf->send_cr = $2; } EOS
1922 | MATCH_EMPTY_CR SWITCH { cur_rmconf->match_empty_cr = $2; } EOS
1923 | MY_IDENTIFIER IDENTIFIERTYPE identifierstring
1924 {
1925 if (set_identifier(&cur_rmconf->idv, $2, $3) != 0) {
1926 yyerror("failed to set identifer.\n");
1927 return -1;
1928 }
1929 cur_rmconf->idvtype = $2;
1930 }
1931 EOS
1932 | MY_IDENTIFIER IDENTIFIERTYPE IDENTIFIERQUAL identifierstring
1933 {
1934 if (set_identifier_qual(&cur_rmconf->idv, $2, $4, $3) != 0) {
1935 yyerror("failed to set identifer.\n");
1936 return -1;
1937 }
1938 cur_rmconf->idvtype = $2;
1939 }
1940 EOS
1941 | XAUTH_LOGIN identifierstring
1942 {
1943 #ifdef ENABLE_HYBRID
1944 /* formerly identifier type login */
1945 if (xauth_rmconf_used(&cur_rmconf->xauth) == -1) {
1946 yyerror("failed to allocate xauth state\n");
1947 return -1;
1948 }
1949 if ((cur_rmconf->xauth->login = vdup($2)) == NULL) {
1950 yyerror("failed to set identifer.\n");
1951 return -1;
1952 }
1953 #else
1954 yyerror("racoon not configured with --enable-hybrid");
1955 #endif
1956 }
1957 EOS
1958 | PEERS_IDENTIFIER IDENTIFIERTYPE identifierstring
1959 {
1960 struct idspec *id;
1961 id = newidspec();
1962 if (id == NULL) {
1963 yyerror("failed to allocate idspec");
1964 return -1;
1965 }
1966 if (set_identifier(&id->id, $2, $3) != 0) {
1967 yyerror("failed to set identifer.\n");
1968 racoon_free(id);
1969 return -1;
1970 }
1971 id->idtype = $2;
1972 genlist_append (cur_rmconf->idvl_p, id);
1973 }
1974 EOS
1975 | PEERS_IDENTIFIER IDENTIFIERTYPE IDENTIFIERQUAL identifierstring
1976 {
1977 struct idspec *id;
1978 id = newidspec();
1979 if (id == NULL) {
1980 yyerror("failed to allocate idspec");
1981 return -1;
1982 }
1983 if (set_identifier_qual(&id->id, $2, $4, $3) != 0) {
1984 yyerror("failed to set identifer.\n");
1985 racoon_free(id);
1986 return -1;
1987 }
1988 id->idtype = $2;
1989 genlist_append (cur_rmconf->idvl_p, id);
1990 }
1991 EOS
1992 | VERIFY_IDENTIFIER SWITCH { cur_rmconf->verify_identifier = $2; } EOS
1993 | NONCE_SIZE NUMBER { cur_rmconf->nonce_size = $2; } EOS
1994 | DH_GROUP
1995 {
1996 yyerror("dh_group cannot be defined here.");
1997 return -1;
1998 }
1999 dh_group_num EOS
2000 | PASSIVE SWITCH { cur_rmconf->passive = $2; } EOS
2001 | IKE_FRAG SWITCH { cur_rmconf->ike_frag = $2; } EOS
2002 | IKE_FRAG REMOTE_FORCE_LEVEL { cur_rmconf->ike_frag = ISAKMP_FRAG_FORCE; } EOS
2003 | ESP_FRAG NUMBER {
2004 #ifdef SADB_X_EXT_NAT_T_FRAG
2005 if (libipsec_opt & LIBIPSEC_OPT_FRAG)
2006 cur_rmconf->esp_frag = $2;
2007 else
2008 yywarn("libipsec lacks IKE frag support");
2009 #else
2010 yywarn("Your kernel does not support esp_frag");
2011 #endif
2012 } EOS
2013 | SCRIPT QUOTEDSTRING PHASE1_UP {
2014 if (cur_rmconf->script[SCRIPT_PHASE1_UP] != NULL)
2015 vfree(cur_rmconf->script[SCRIPT_PHASE1_UP]);
2016
2017 cur_rmconf->script[SCRIPT_PHASE1_UP] =
2018 script_path_add(vdup($2));
2019 } EOS
2020 | SCRIPT QUOTEDSTRING PHASE1_DOWN {
2021 if (cur_rmconf->script[SCRIPT_PHASE1_DOWN] != NULL)
2022 vfree(cur_rmconf->script[SCRIPT_PHASE1_DOWN]);
2023
2024 cur_rmconf->script[SCRIPT_PHASE1_DOWN] =
2025 script_path_add(vdup($2));
2026 } EOS
2027 | SCRIPT QUOTEDSTRING PHASE1_DEAD {
2028 if (cur_rmconf->script[SCRIPT_PHASE1_DEAD] != NULL)
2029 vfree(cur_rmconf->script[SCRIPT_PHASE1_DEAD]);
2030
2031 cur_rmconf->script[SCRIPT_PHASE1_DEAD] =
2032 script_path_add(vdup($2));
2033 } EOS
2034 | MODE_CFG SWITCH { cur_rmconf->mode_cfg = $2; } EOS
2035 | WEAK_PHASE1_CHECK SWITCH {
2036 cur_rmconf->weak_phase1_check = $2;
2037 } EOS
2038 | GENERATE_POLICY SWITCH { cur_rmconf->gen_policy = $2; } EOS
2039 | GENERATE_POLICY GENERATE_LEVEL { cur_rmconf->gen_policy = $2; } EOS
2040 | SUPPORT_PROXY SWITCH { cur_rmconf->support_proxy = $2; } EOS
2041 | INITIAL_CONTACT SWITCH { cur_rmconf->ini_contact = $2; } EOS
2042 | NAT_TRAVERSAL SWITCH
2043 {
2044 #ifdef ENABLE_NATT
2045 if (libipsec_opt & LIBIPSEC_OPT_NATT)
2046 cur_rmconf->nat_traversal = $2;
2047 else
2048 yyerror("libipsec lacks NAT-T support");
2049 #else
2050 yyerror("NAT-T support not compiled in.");
2051 #endif
2052 } EOS
2053 | NAT_TRAVERSAL REMOTE_FORCE_LEVEL
2054 {
2055 #ifdef ENABLE_NATT
2056 if (libipsec_opt & LIBIPSEC_OPT_NATT)
2057 cur_rmconf->nat_traversal = NATT_FORCE;
2058 else
2059 yyerror("libipsec lacks NAT-T support");
2060 #else
2061 yyerror("NAT-T support not compiled in.");
2062 #endif
2063 } EOS
2064 | DPD SWITCH
2065 {
2066 #ifdef ENABLE_DPD
2067 cur_rmconf->dpd = $2;
2068 #else
2069 yyerror("DPD support not compiled in.");
2070 #endif
2071 } EOS
2072 | DPD_DELAY NUMBER
2073 {
2074 #ifdef ENABLE_DPD
2075 cur_rmconf->dpd_interval = $2;
2076 #else
2077 yyerror("DPD support not compiled in.");
2078 #endif
2079 }
2080 EOS
2081 | DPD_RETRY NUMBER
2082 {
2083 #ifdef ENABLE_DPD
2084 cur_rmconf->dpd_retry = $2;
2085 #else
2086 yyerror("DPD support not compiled in.");
2087 #endif
2088 }
2089 EOS
2090 | DPD_MAXFAIL NUMBER
2091 {
2092 #ifdef ENABLE_DPD
2093 cur_rmconf->dpd_maxfails = $2;
2094 #else
2095 yyerror("DPD support not compiled in.");
2096 #endif
2097 }
2098 EOS
2099 | REKEY SWITCH { cur_rmconf->rekey = $2; } EOS
2100 | REKEY REMOTE_FORCE_LEVEL { cur_rmconf->rekey = REKEY_FORCE; } EOS
2101 | PH1ID NUMBER
2102 {
2103 cur_rmconf->ph1id = $2;
2104 }
2105 EOS
2106 | LIFETIME LIFETYPE_TIME NUMBER unittype_time
2107 {
2108 cur_rmconf->lifetime = $3 * $4;
2109 }
2110 EOS
2111 | PROPOSAL_CHECK PROPOSAL_CHECK_LEVEL { cur_rmconf->pcheck_level = $2; } EOS
2112 | LIFETIME LIFETYPE_BYTE NUMBER unittype_byte
2113 {
2114 #if 1
2115 yyerror("byte lifetime support is deprecated in Phase1");
2116 return -1;
2117 #else
2118 yywarn("the lifetime of bytes in phase 1 "
2119 "will be ignored at the moment.");
2120 cur_rmconf->lifebyte = fix_lifebyte($3 * $4);
2121 if (cur_rmconf->lifebyte == 0)
2122 return -1;
2123 #endif
2124 }
2125 EOS
2126 | PROPOSAL
2127 {
2128 struct secprotospec *spspec;
2129
2130 spspec = newspspec();
2131 if (spspec == NULL)
2132 return -1;
2133 insspspec(cur_rmconf, spspec);
2134 }
2135 BOC isakmpproposal_specs EOC
2136 ;
2137 exchange_types
2138 : /* nothing */
2139 | exchange_types EXCHANGETYPE
2140 {
2141 struct etypes *new;
2142 new = racoon_malloc(sizeof(struct etypes));
2143 if (new == NULL) {
2144 yyerror("failed to allocate etypes");
2145 return -1;
2146 }
2147 new->type = $2;
2148 new->next = NULL;
2149 if (cur_rmconf->etypes == NULL)
2150 cur_rmconf->etypes = new;
2151 else {
2152 struct etypes *p;
2153 for (p = cur_rmconf->etypes;
2154 p->next != NULL;
2155 p = p->next)
2156 ;
2157 p->next = new;
2158 }
2159 }
2160 ;
2161 cert_spec
2162 : CERT_X509 QUOTEDSTRING QUOTEDSTRING
2163 {
2164 if (cur_rmconf->mycert != NULL) {
2165 yyerror("certificate_type already defined\n");
2166 return -1;
2167 }
2168
2169 if (load_x509($2->v, &cur_rmconf->mycertfile,
2170 &cur_rmconf->mycert)) {
2171 yyerror("failed to load certificate \"%s\"\n",
2172 $2->v);
2173 return -1;
2174 }
2175
2176 cur_rmconf->myprivfile = racoon_strdup($3->v);
2177 STRDUP_FATAL(cur_rmconf->myprivfile);
2178
2179 vfree($2);
2180 vfree($3);
2181 }
2182 EOS
2183 | CERT_PLAINRSA QUOTEDSTRING
2184 {
2185 char path[MAXPATHLEN];
2186 int ret = 0;
2187
2188 if (cur_rmconf->mycert != NULL) {
2189 yyerror("certificate_type already defined\n");
2190 return -1;
2191 }
2192
2193 cur_rmconf->mycert = vmalloc(1);
2194 if (cur_rmconf->mycert == NULL) {
2195 yyerror("failed to allocate mycert");
2196 return -1;
2197 }
2198 cur_rmconf->mycert->v[0] = ISAKMP_CERT_PLAINRSA;
2199
2200 getpathname(path, sizeof(path),
2201 LC_PATHTYPE_CERT, $2->v);
2202 cur_rmconf->send_cr = FALSE;
2203 cur_rmconf->send_cert = FALSE;
2204 cur_rmconf->verify_cert = FALSE;
2205 if (rsa_parse_file(cur_rmconf->rsa_private, path,
2206 RSA_TYPE_PRIVATE)) {
2207 yyerror("Couldn't parse keyfile.\n", path);
2208 return -1;
2209 }
2210 plog(LLV_DEBUG, LOCATION, NULL,
2211 "Private PlainRSA keyfile parsed: %s\n", path);
2212 vfree($2);
2213 }
2214 EOS
2215 ;
2216 dh_group_num
2217 : ALGORITHMTYPE
2218 {
2219 $$ = algtype2doi(algclass_isakmp_dh, $1);
2220 if ($$ == -1) {
2221 yyerror("must be DH group");
2222 return -1;
2223 }
2224 }
2225 | NUMBER
2226 {
2227 if (ARRAYLEN(num2dhgroup) > $1 && num2dhgroup[$1] != 0) {
2228 $$ = num2dhgroup[$1];
2229 } else {
2230 yyerror("must be DH group");
2231 $$ = 0;
2232 return -1;
2233 }
2234 }
2235 ;
2236 identifierstring
2237 : /* nothing */ { $$ = NULL; }
2238 | ADDRSTRING { $$ = $1; }
2239 | QUOTEDSTRING { $$ = $1; }
2240 ;
2241 isakmpproposal_specs
2242 : /* nothing */
2243 | isakmpproposal_specs isakmpproposal_spec
2244 ;
2245 isakmpproposal_spec
2246 : LIFETIME LIFETYPE_TIME NUMBER unittype_time
2247 {
2248 cur_rmconf->spspec->lifetime = $3 * $4;
2249 }
2250 EOS
2251 | LIFETIME LIFETYPE_BYTE NUMBER unittype_byte
2252 {
2253 #if 1
2254 yyerror("byte lifetime support is deprecated");
2255 return -1;
2256 #else
2257 cur_rmconf->spspec->lifebyte = fix_lifebyte($3 * $4);
2258 if (cur_rmconf->spspec->lifebyte == 0)
2259 return -1;
2260 #endif
2261 }
2262 EOS
2263 | DH_GROUP dh_group_num
2264 {
2265 cur_rmconf->spspec->algclass[algclass_isakmp_dh] = $2;
2266 }
2267 EOS
2268 | GSS_ID QUOTEDSTRING
2269 {
2270 if (cur_rmconf->spspec->vendorid != VENDORID_GSSAPI) {
2271 yyerror("wrong Vendor ID for gssapi_id");
2272 return -1;
2273 }
2274 if (cur_rmconf->spspec->gssid != NULL)
2275 racoon_free(cur_rmconf->spspec->gssid);
2276 cur_rmconf->spspec->gssid =
2277 racoon_strdup($2->v);
2278 STRDUP_FATAL(cur_rmconf->spspec->gssid);
2279 }
2280 EOS
2281 | ALGORITHM_CLASS ALGORITHMTYPE keylength
2282 {
2283 int doi;
2284 int defklen;
2285
2286 doi = algtype2doi($1, $2);
2287 if (doi == -1) {
2288 yyerror("algorithm mismatched 1");
2289 return -1;
2290 }
2291
2292 switch ($1) {
2293 case algclass_isakmp_enc:
2294 /* reject suppressed algorithms */
2295 #ifndef HAVE_OPENSSL_RC5_H
2296 if ($2 == algtype_rc5) {
2297 yyerror("algorithm %s not supported",
2298 s_attr_isakmp_enc(doi));
2299 return -1;
2300 }
2301 #endif
2302 #ifndef HAVE_OPENSSL_IDEA_H
2303 if ($2 == algtype_idea) {
2304 yyerror("algorithm %s not supported",
2305 s_attr_isakmp_enc(doi));
2306 return -1;
2307 }
2308 #endif
2309
2310 cur_rmconf->spspec->algclass[algclass_isakmp_enc] = doi;
2311 defklen = default_keylen($1, $2);
2312 if (defklen == 0) {
2313 if ($3) {
2314 yyerror("keylen not allowed");
2315 return -1;
2316 }
2317 } else {
2318 if ($3 && check_keylen($1, $2, $3) < 0) {
2319 yyerror("invalid keylen %d", $3);
2320 return -1;
2321 }
2322 }
2323 if ($3)
2324 cur_rmconf->spspec->encklen = $3;
2325 else
2326 cur_rmconf->spspec->encklen = defklen;
2327 break;
2328 case algclass_isakmp_hash:
2329 cur_rmconf->spspec->algclass[algclass_isakmp_hash] = doi;
2330 break;
2331 case algclass_isakmp_ameth:
2332 cur_rmconf->spspec->algclass[algclass_isakmp_ameth] = doi;
2333 /*
2334 * We may have to set the Vendor ID for the
2335 * authentication method we're using.
2336 */
2337 switch ($2) {
2338 case algtype_gssapikrb:
2339 if (cur_rmconf->spspec->vendorid !=
2340 VENDORID_UNKNOWN) {
2341 yyerror("Vendor ID mismatch "
2342 "for auth method");
2343 return -1;
2344 }
2345 /*
2346 * For interoperability with Win2k,
2347 * we set the Vendor ID to "GSSAPI".
2348 */
2349 cur_rmconf->spspec->vendorid =
2350 VENDORID_GSSAPI;
2351 break;
2352 case algtype_rsasig:
2353 if (oakley_get_certtype(cur_rmconf->peerscert) == ISAKMP_CERT_PLAINRSA) {
2354 if (rsa_list_count(cur_rmconf->rsa_private) == 0) {
2355 yyerror ("Private PlainRSA key not set. "
2356 "Use directive 'certificate_type plainrsa ...'\n");
2357 return -1;
2358 }
2359 if (rsa_list_count(cur_rmconf->rsa_public) == 0) {
2360 yyerror ("Public PlainRSA keys not set. "
2361 "Use directive 'peers_certfile plainrsa ...'\n");
2362 return -1;
2363 }
2364 }
2365 break;
2366 default:
2367 break;
2368 }
2369 break;
2370 default:
2371 yyerror("algorithm mismatched 2");
2372 return -1;
2373 }
2374 }
2375 EOS
2376 ;
2377
2378 unittype_time
2379 : UNITTYPE_SEC { $$ = 1; }
2380 | UNITTYPE_MIN { $$ = 60; }
2381 | UNITTYPE_HOUR { $$ = (60 * 60); }
2382 ;
2383 unittype_byte
2384 : UNITTYPE_BYTE { $$ = 1; }
2385 | UNITTYPE_KBYTES { $$ = 1024; }
2386 | UNITTYPE_MBYTES { $$ = (1024 * 1024); }
2387 | UNITTYPE_TBYTES { $$ = (1024 * 1024 * 1024); }
2388 ;
2389 %%
2390
2391 static struct secprotospec *
2392 newspspec()
2393 {
2394 struct secprotospec *new;
2395
2396 new = racoon_calloc(1, sizeof(*new));
2397 if (new == NULL) {
2398 yyerror("failed to allocate spproto");
2399 return NULL;
2400 }
2401
2402 new->encklen = 0; /*XXX*/
2403
2404 /*
2405 * Default to "uknown" vendor -- we will override this
2406 * as necessary. When we send a Vendor ID payload, an
2407 * "unknown" will be translated to a KAME/racoon ID.
2408 */
2409 new->vendorid = VENDORID_UNKNOWN;
2410
2411 return new;
2412 }
2413
2414 /*
2415 * insert into head of list.
2416 */
2417 static void
insspspec(rmconf,spspec)2418 insspspec(rmconf, spspec)
2419 struct remoteconf *rmconf;
2420 struct secprotospec *spspec;
2421 {
2422 if (rmconf->spspec != NULL)
2423 rmconf->spspec->prev = spspec;
2424 spspec->next = rmconf->spspec;
2425 rmconf->spspec = spspec;
2426 }
2427
2428 static struct secprotospec *
dupspspec(spspec)2429 dupspspec(spspec)
2430 struct secprotospec *spspec;
2431 {
2432 struct secprotospec *new;
2433
2434 new = newspspec();
2435 if (new == NULL) {
2436 plog(LLV_ERROR, LOCATION, NULL,
2437 "dupspspec: malloc failed\n");
2438 return NULL;
2439 }
2440 memcpy(new, spspec, sizeof(*new));
2441
2442 if (spspec->gssid) {
2443 new->gssid = racoon_strdup(spspec->gssid);
2444 STRDUP_FATAL(new->gssid);
2445 }
2446 if (spspec->remote) {
2447 new->remote = racoon_malloc(sizeof(*new->remote));
2448 if (new->remote == NULL) {
2449 plog(LLV_ERROR, LOCATION, NULL,
2450 "dupspspec: malloc failed (remote)\n");
2451 return NULL;
2452 }
2453 memcpy(new->remote, spspec->remote, sizeof(*new->remote));
2454 }
2455
2456 return new;
2457 }
2458
2459 /*
2460 * copy the whole list
2461 */
2462 void
dupspspec_list(dst,src)2463 dupspspec_list(dst, src)
2464 struct remoteconf *dst, *src;
2465 {
2466 struct secprotospec *p, *new, *last;
2467
2468 for(p = src->spspec, last = NULL; p; p = p->next, last = new) {
2469 new = dupspspec(p);
2470 if (new == NULL)
2471 exit(1);
2472
2473 new->prev = last;
2474 new->next = NULL; /* not necessary but clean */
2475
2476 if (last)
2477 last->next = new;
2478 else /* first element */
2479 dst->spspec = new;
2480
2481 }
2482 }
2483
2484 /*
2485 * delete the whole list
2486 */
2487 void
flushspspec(rmconf)2488 flushspspec(rmconf)
2489 struct remoteconf *rmconf;
2490 {
2491 struct secprotospec *p;
2492
2493 while(rmconf->spspec != NULL) {
2494 p = rmconf->spspec;
2495 rmconf->spspec = p->next;
2496 if (p->next != NULL)
2497 p->next->prev = NULL; /* not necessary but clean */
2498
2499 if (p->gssid)
2500 racoon_free(p->gssid);
2501 if (p->remote)
2502 racoon_free(p->remote);
2503 racoon_free(p);
2504 }
2505 rmconf->spspec = NULL;
2506 }
2507
2508 /* set final acceptable proposal */
2509 static int
set_isakmp_proposal(rmconf)2510 set_isakmp_proposal(rmconf)
2511 struct remoteconf *rmconf;
2512 {
2513 struct secprotospec *s;
2514 int prop_no = 1;
2515 int trns_no = 1;
2516 int32_t types[MAXALGCLASS];
2517
2518 /* mandatory check */
2519 if (rmconf->spspec == NULL) {
2520 yyerror("no remote specification found: %s.\n",
2521 saddr2str(rmconf->remote));
2522 return -1;
2523 }
2524 for (s = rmconf->spspec; s != NULL; s = s->next) {
2525 /* XXX need more to check */
2526 if (s->algclass[algclass_isakmp_enc] == 0) {
2527 yyerror("encryption algorithm required.");
2528 return -1;
2529 }
2530 if (s->algclass[algclass_isakmp_hash] == 0) {
2531 yyerror("hash algorithm required.");
2532 return -1;
2533 }
2534 if (s->algclass[algclass_isakmp_dh] == 0) {
2535 yyerror("DH group required.");
2536 return -1;
2537 }
2538 if (s->algclass[algclass_isakmp_ameth] == 0) {
2539 yyerror("authentication method required.");
2540 return -1;
2541 }
2542 }
2543
2544 /* skip to last part */
2545 for (s = rmconf->spspec; s->next != NULL; s = s->next)
2546 ;
2547
2548 while (s != NULL) {
2549 plog(LLV_DEBUG2, LOCATION, NULL,
2550 "lifetime = %ld\n", (long)
2551 (s->lifetime ? s->lifetime : rmconf->lifetime));
2552 plog(LLV_DEBUG2, LOCATION, NULL,
2553 "lifebyte = %d\n",
2554 s->lifebyte ? s->lifebyte : rmconf->lifebyte);
2555 plog(LLV_DEBUG2, LOCATION, NULL,
2556 "encklen=%d\n", s->encklen);
2557
2558 memset(types, 0, ARRAYLEN(types));
2559 types[algclass_isakmp_enc] = s->algclass[algclass_isakmp_enc];
2560 types[algclass_isakmp_hash] = s->algclass[algclass_isakmp_hash];
2561 types[algclass_isakmp_dh] = s->algclass[algclass_isakmp_dh];
2562 types[algclass_isakmp_ameth] =
2563 s->algclass[algclass_isakmp_ameth];
2564
2565 /* expanding spspec */
2566 clean_tmpalgtype();
2567 trns_no = expand_isakmpspec(prop_no, trns_no, types,
2568 algclass_isakmp_enc, algclass_isakmp_ameth + 1,
2569 s->lifetime ? s->lifetime : rmconf->lifetime,
2570 s->lifebyte ? s->lifebyte : rmconf->lifebyte,
2571 s->encklen, s->vendorid, s->gssid,
2572 rmconf);
2573 if (trns_no == -1) {
2574 plog(LLV_ERROR, LOCATION, NULL,
2575 "failed to expand isakmp proposal.\n");
2576 return -1;
2577 }
2578
2579 s = s->prev;
2580 }
2581
2582 if (rmconf->proposal == NULL) {
2583 plog(LLV_ERROR, LOCATION, NULL,
2584 "no proposal found.\n");
2585 return -1;
2586 }
2587
2588 return 0;
2589 }
2590
2591 static void
clean_tmpalgtype()2592 clean_tmpalgtype()
2593 {
2594 int i;
2595 for (i = 0; i < MAXALGCLASS; i++)
2596 tmpalgtype[i] = 0; /* means algorithm undefined. */
2597 }
2598
2599 static int
expand_isakmpspec(prop_no,trns_no,types,class,last,lifetime,lifebyte,encklen,vendorid,gssid,rmconf)2600 expand_isakmpspec(prop_no, trns_no, types,
2601 class, last, lifetime, lifebyte, encklen, vendorid, gssid,
2602 rmconf)
2603 int prop_no, trns_no;
2604 int *types, class, last;
2605 time_t lifetime;
2606 int lifebyte;
2607 int encklen;
2608 int vendorid;
2609 char *gssid;
2610 struct remoteconf *rmconf;
2611 {
2612 struct isakmpsa *new;
2613
2614 /* debugging */
2615 {
2616 int j;
2617 char tb[10];
2618 plog(LLV_DEBUG2, LOCATION, NULL,
2619 "p:%d t:%d\n", prop_no, trns_no);
2620 for (j = class; j < MAXALGCLASS; j++) {
2621 snprintf(tb, sizeof(tb), "%d", types[j]);
2622 plog(LLV_DEBUG2, LOCATION, NULL,
2623 "%s%s%s%s\n",
2624 s_algtype(j, types[j]),
2625 types[j] ? "(" : "",
2626 tb[0] == '0' ? "" : tb,
2627 types[j] ? ")" : "");
2628 }
2629 plog(LLV_DEBUG2, LOCATION, NULL, "\n");
2630 }
2631
2632 #define TMPALGTYPE2STR(n) \
2633 s_algtype(algclass_isakmp_##n, types[algclass_isakmp_##n])
2634 /* check mandatory values */
2635 if (types[algclass_isakmp_enc] == 0
2636 || types[algclass_isakmp_ameth] == 0
2637 || types[algclass_isakmp_hash] == 0
2638 || types[algclass_isakmp_dh] == 0) {
2639 yyerror("few definition of algorithm "
2640 "enc=%s ameth=%s hash=%s dhgroup=%s.\n",
2641 TMPALGTYPE2STR(enc),
2642 TMPALGTYPE2STR(ameth),
2643 TMPALGTYPE2STR(hash),
2644 TMPALGTYPE2STR(dh));
2645 return -1;
2646 }
2647 #undef TMPALGTYPE2STR
2648
2649 /* set new sa */
2650 new = newisakmpsa();
2651 if (new == NULL) {
2652 yyerror("failed to allocate isakmp sa");
2653 return -1;
2654 }
2655 new->prop_no = prop_no;
2656 new->trns_no = trns_no++;
2657 new->lifetime = lifetime;
2658 new->lifebyte = lifebyte;
2659 new->enctype = types[algclass_isakmp_enc];
2660 new->encklen = encklen;
2661 new->authmethod = types[algclass_isakmp_ameth];
2662 new->hashtype = types[algclass_isakmp_hash];
2663 new->dh_group = types[algclass_isakmp_dh];
2664 new->vendorid = vendorid;
2665 #ifdef HAVE_GSSAPI
2666 if (new->authmethod == OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB) {
2667 if (gssid != NULL) {
2668 if ((new->gssid = vmalloc(strlen(gssid))) == NULL) {
2669 racoon_free(new);
2670 yyerror("failed to allocate gssid");
2671 return -1;
2672 }
2673 memcpy(new->gssid->v, gssid, new->gssid->l);
2674 racoon_free(gssid);
2675 } else {
2676 /*
2677 * Allocate the default ID so that it gets put
2678 * into a GSS ID attribute during the Phase 1
2679 * exchange.
2680 */
2681 new->gssid = gssapi_get_default_gss_id();
2682 }
2683 }
2684 #endif
2685 insisakmpsa(new, rmconf);
2686
2687 return trns_no;
2688 }
2689
2690 #if 0
2691 /*
2692 * fix lifebyte.
2693 * Must be more than 1024B because its unit is kilobytes.
2694 * That is defined RFC2407.
2695 */
2696 static int
2697 fix_lifebyte(t)
2698 unsigned long t;
2699 {
2700 if (t < 1024) {
2701 yyerror("byte size should be more than 1024B.");
2702 return 0;
2703 }
2704
2705 return(t / 1024);
2706 }
2707 #endif
2708
2709 int
cfparse()2710 cfparse()
2711 {
2712 int error;
2713
2714 yyerrorcount = 0;
2715 yycf_init_buffer();
2716
2717 if (yycf_switch_buffer(lcconf->racoon_conf) != 0) {
2718 plog(LLV_ERROR, LOCATION, NULL,
2719 "could not read configuration file \"%s\"\n",
2720 lcconf->racoon_conf);
2721 return -1;
2722 }
2723
2724 error = yyparse();
2725 if (error != 0) {
2726 if (yyerrorcount) {
2727 plog(LLV_ERROR, LOCATION, NULL,
2728 "fatal parse failure (%d errors)\n",
2729 yyerrorcount);
2730 } else {
2731 plog(LLV_ERROR, LOCATION, NULL,
2732 "fatal parse failure.\n");
2733 }
2734 return -1;
2735 }
2736
2737 if (error == 0 && yyerrorcount) {
2738 plog(LLV_ERROR, LOCATION, NULL,
2739 "parse error is nothing, but yyerrorcount is %d.\n",
2740 yyerrorcount);
2741 exit(1);
2742 }
2743
2744 yycf_clean_buffer();
2745
2746 plog(LLV_DEBUG2, LOCATION, NULL, "parse successed.\n");
2747
2748 return 0;
2749 }
2750
2751 int
cfreparse()2752 cfreparse()
2753 {
2754 flushph2();
2755 flushph1();
2756 flushrmconf();
2757 flushsainfo();
2758 clean_tmpalgtype();
2759 return(cfparse());
2760 }
2761
2762 #ifdef ENABLE_ADMINPORT
2763 static void
adminsock_conf(path,owner,group,mode_dec)2764 adminsock_conf(path, owner, group, mode_dec)
2765 vchar_t *path;
2766 vchar_t *owner;
2767 vchar_t *group;
2768 int mode_dec;
2769 {
2770 struct passwd *pw = NULL;
2771 struct group *gr = NULL;
2772 mode_t mode = 0;
2773 uid_t uid;
2774 gid_t gid;
2775 int isnum;
2776
2777 adminsock_path = path->v;
2778
2779 if (owner == NULL)
2780 return;
2781
2782 errno = 0;
2783 uid = atoi(owner->v);
2784 isnum = !errno;
2785 if (((pw = getpwnam(owner->v)) == NULL) && !isnum)
2786 yyerror("User \"%s\" does not exist", owner->v);
2787
2788 if (pw)
2789 adminsock_owner = pw->pw_uid;
2790 else
2791 adminsock_owner = uid;
2792
2793 if (group == NULL)
2794 return;
2795
2796 errno = 0;
2797 gid = atoi(group->v);
2798 isnum = !errno;
2799 if (((gr = getgrnam(group->v)) == NULL) && !isnum)
2800 yyerror("Group \"%s\" does not exist", group->v);
2801
2802 if (gr)
2803 adminsock_group = gr->gr_gid;
2804 else
2805 adminsock_group = gid;
2806
2807 if (mode_dec == -1)
2808 return;
2809
2810 if (mode_dec > 777)
2811 yyerror("Mode 0%03o is invalid", mode_dec);
2812 if (mode_dec >= 400) { mode += 0400; mode_dec -= 400; }
2813 if (mode_dec >= 200) { mode += 0200; mode_dec -= 200; }
2814 if (mode_dec >= 100) { mode += 0200; mode_dec -= 100; }
2815
2816 if (mode_dec > 77)
2817 yyerror("Mode 0%03o is invalid", mode_dec);
2818 if (mode_dec >= 40) { mode += 040; mode_dec -= 40; }
2819 if (mode_dec >= 20) { mode += 020; mode_dec -= 20; }
2820 if (mode_dec >= 10) { mode += 020; mode_dec -= 10; }
2821
2822 if (mode_dec > 7)
2823 yyerror("Mode 0%03o is invalid", mode_dec);
2824 if (mode_dec >= 4) { mode += 04; mode_dec -= 4; }
2825 if (mode_dec >= 2) { mode += 02; mode_dec -= 2; }
2826 if (mode_dec >= 1) { mode += 02; mode_dec -= 1; }
2827
2828 adminsock_mode = mode;
2829
2830 return;
2831 }
2832 #endif
2833