1 /* $NetBSD: cfparse.y,v 1.18.4.7 2008/07/21 20:45:32 tteras Exp $ */
2
3 /* Id: cfparse.y,v 1.66 2006/08/22 18:17:17 manubsd Exp */
4
5 %{
6 /*
7 * Copyright (C) 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002 and 2003 WIDE Project.
8 * All rights reserved.
9 *
10 * Redistribution and use in source and binary forms, with or without
11 * modification, are permitted provided that the following conditions
12 * are met:
13 * 1. Redistributions of source code must retain the above copyright
14 * notice, this list of conditions and the following disclaimer.
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in the
17 * documentation and/or other materials provided with the distribution.
18 * 3. Neither the name of the project nor the names of its contributors
19 * may be used to endorse or promote products derived from this software
20 * without specific prior written permission.
21 *
22 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
23 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
24 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
25 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
26 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
27 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
28 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
29 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
30 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
31 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
32 * SUCH DAMAGE.
33 */
34
35 #include "config.h"
36
37 #include <sys/types.h>
38 #include <sys/param.h>
39 #include <sys/queue.h>
40 #include <sys/socket.h>
41
42 #include <netinet/in.h>
43 #include PATH_IPSEC_H
44
45 #ifdef ENABLE_HYBRID
46 #include <arpa/inet.h>
47 #endif
48
49 #include <stdlib.h>
50 #include <stdio.h>
51 #include <string.h>
52 #include <errno.h>
53 #include <netdb.h>
54 #include <pwd.h>
55 #include <grp.h>
56
57 #include "var.h"
58 #include "misc.h"
59 #include "vmbuf.h"
60 #include "plog.h"
61 #include "sockmisc.h"
62 #include "str2val.h"
63 #include "genlist.h"
64 #include "debug.h"
65
66 #include "admin.h"
67 #include "privsep.h"
68 #include "cfparse_proto.h"
69 #include "cftoken_proto.h"
70 #include "algorithm.h"
71 #include "localconf.h"
72 #include "policy.h"
73 #include "sainfo.h"
74 #include "oakley.h"
75 #include "pfkey.h"
76 #include "remoteconf.h"
77 #include "grabmyaddr.h"
78 #include "isakmp_var.h"
79 #include "handler.h"
80 #include "isakmp.h"
81 #include "nattraversal.h"
82 #include "isakmp_frag.h"
83 #ifdef ENABLE_HYBRID
84 #include "resolv.h"
85 #include "isakmp_unity.h"
86 #include "isakmp_xauth.h"
87 #include "isakmp_cfg.h"
88 #endif
89 #include "ipsec_doi.h"
90 #include "strnames.h"
91 #include "gcmalloc.h"
92 #ifdef HAVE_GSSAPI
93 #include "gssapi.h"
94 #endif
95 #include "vendorid.h"
96 #include "rsalist.h"
97
98 struct proposalspec {
99 time_t lifetime; /* for isakmp/ipsec */
100 int lifebyte; /* for isakmp/ipsec */
101 struct secprotospec *spspec; /* the head is always current spec. */
102 struct proposalspec *next; /* the tail is the most prefered. */
103 struct proposalspec *prev;
104 };
105
106 struct secprotospec {
107 int prop_no;
108 int trns_no;
109 int strength; /* for isakmp/ipsec */
110 int encklen; /* for isakmp/ipsec */
111 time_t lifetime; /* for isakmp */
112 int lifebyte; /* for isakmp */
113 int proto_id; /* for ipsec (isakmp?) */
114 int ipsec_level; /* for ipsec */
115 int encmode; /* for ipsec */
116 int vendorid; /* for isakmp */
117 char *gssid;
118 struct sockaddr *remote;
119 int algclass[MAXALGCLASS];
120
121 struct secprotospec *next; /* the tail is the most prefiered. */
122 struct secprotospec *prev;
123 struct proposalspec *back;
124 };
125
126 static int num2dhgroup[] = {
127 0,
128 OAKLEY_ATTR_GRP_DESC_MODP768,
129 OAKLEY_ATTR_GRP_DESC_MODP1024,
130 OAKLEY_ATTR_GRP_DESC_EC2N155,
131 OAKLEY_ATTR_GRP_DESC_EC2N185,
132 OAKLEY_ATTR_GRP_DESC_MODP1536,
133 0,
134 0,
135 0,
136 0,
137 0,
138 0,
139 0,
140 0,
141 OAKLEY_ATTR_GRP_DESC_MODP2048,
142 OAKLEY_ATTR_GRP_DESC_MODP3072,
143 OAKLEY_ATTR_GRP_DESC_MODP4096,
144 OAKLEY_ATTR_GRP_DESC_MODP6144,
145 OAKLEY_ATTR_GRP_DESC_MODP8192
146 };
147
148 static struct remoteconf *cur_rmconf;
149 static int tmpalgtype[MAXALGCLASS];
150 static struct sainfo *cur_sainfo;
151 static int cur_algclass;
152 static int oldloglevel = LLV_BASE;
153
154 static struct proposalspec *newprspec __P((void));
155 static void insprspec __P((struct proposalspec *, struct proposalspec **));
156 static struct secprotospec *newspspec __P((void));
157 static void insspspec __P((struct secprotospec *, struct proposalspec **));
158 static void adminsock_conf __P((vchar_t *, vchar_t *, vchar_t *, int));
159
160 static int set_isakmp_proposal
161 __P((struct remoteconf *, struct proposalspec *));
162 static void clean_tmpalgtype __P((void));
163 static int expand_isakmpspec __P((int, int, int *,
164 int, int, time_t, int, int, int, char *, struct remoteconf *));
165 static int listen_addr __P((struct sockaddr *addr, int udp_encap));
166
167 void freeetypes (struct etypes **etypes);
168
169 #if 0
170 static int fix_lifebyte __P((u_long));
171 #endif
172 %}
173
174 %union {
175 unsigned long num;
176 vchar_t *val;
177 struct remoteconf *rmconf;
178 struct sockaddr *saddr;
179 struct sainfoalg *alg;
180 }
181
182 /* privsep */
183 %token PRIVSEP USER GROUP CHROOT
184 /* path */
185 %token PATH PATHTYPE
186 /* include */
187 %token INCLUDE
188 /* self information */
189 %token IDENTIFIER VENDORID
190 /* logging */
191 %token LOGGING LOGLEV
192 /* padding */
193 %token PADDING PAD_RANDOMIZE PAD_RANDOMIZELEN PAD_MAXLEN PAD_STRICT PAD_EXCLTAIL
194 /* listen */
195 %token LISTEN X_ISAKMP X_ISAKMP_NATT X_ADMIN STRICT_ADDRESS ADMINSOCK DISABLED
196 /* ldap config */
197 %token LDAPCFG LDAP_HOST LDAP_PORT LDAP_PVER LDAP_BASE LDAP_BIND_DN LDAP_BIND_PW LDAP_SUBTREE
198 %token LDAP_ATTR_USER LDAP_ATTR_ADDR LDAP_ATTR_MASK LDAP_ATTR_GROUP LDAP_ATTR_MEMBER
199 /* modecfg */
200 %token MODECFG CFG_NET4 CFG_MASK4 CFG_DNS4 CFG_NBNS4 CFG_DEFAULT_DOMAIN
201 %token CFG_AUTH_SOURCE CFG_AUTH_GROUPS CFG_SYSTEM CFG_RADIUS CFG_PAM CFG_LDAP CFG_LOCAL CFG_NONE
202 %token CFG_GROUP_SOURCE CFG_ACCOUNTING CFG_CONF_SOURCE CFG_MOTD CFG_POOL_SIZE CFG_AUTH_THROTTLE
203 %token CFG_SPLIT_NETWORK CFG_SPLIT_LOCAL CFG_SPLIT_INCLUDE CFG_SPLIT_DNS
204 %token CFG_PFS_GROUP CFG_SAVE_PASSWD
205
206 /* timer */
207 %token RETRY RETRY_COUNTER RETRY_INTERVAL RETRY_PERSEND
208 %token RETRY_PHASE1 RETRY_PHASE2 NATT_KA
209 /* algorithm */
210 %token ALGORITHM_CLASS ALGORITHMTYPE STRENGTHTYPE
211 /* sainfo */
212 %token SAINFO FROM
213 /* remote */
214 %token REMOTE ANONYMOUS INHERIT
215 %token EXCHANGE_MODE EXCHANGETYPE DOI DOITYPE SITUATION SITUATIONTYPE
216 %token CERTIFICATE_TYPE CERTTYPE PEERS_CERTFILE CA_TYPE
217 %token VERIFY_CERT SEND_CERT SEND_CR
218 %token IDENTIFIERTYPE IDENTIFIERQUAL MY_IDENTIFIER
219 %token PEERS_IDENTIFIER VERIFY_IDENTIFIER
220 %token DNSSEC CERT_X509 CERT_PLAINRSA
221 %token NONCE_SIZE DH_GROUP KEEPALIVE PASSIVE INITIAL_CONTACT
222 %token NAT_TRAVERSAL REMOTE_FORCE_LEVEL
223 %token PROPOSAL_CHECK PROPOSAL_CHECK_LEVEL
224 %token GENERATE_POLICY GENERATE_LEVEL SUPPORT_PROXY
225 %token PROPOSAL
226 %token EXEC_PATH EXEC_COMMAND EXEC_SUCCESS EXEC_FAILURE
227 %token GSS_ID GSS_ID_ENC GSS_ID_ENCTYPE
228 %token COMPLEX_BUNDLE
229 %token DPD DPD_DELAY DPD_RETRY DPD_MAXFAIL
230 %token PH1ID
231 %token XAUTH_LOGIN WEAK_PHASE1_CHECK
232
233 %token PREFIX PORT PORTANY UL_PROTO ANY IKE_FRAG ESP_FRAG MODE_CFG
234 %token PFS_GROUP LIFETIME LIFETYPE_TIME LIFETYPE_BYTE STRENGTH REMOTEID
235
236 %token SCRIPT PHASE1_UP PHASE1_DOWN
237
238 %token NUMBER SWITCH BOOLEAN
239 %token HEXSTRING QUOTEDSTRING ADDRSTRING ADDRRANGE
240 %token UNITTYPE_BYTE UNITTYPE_KBYTES UNITTYPE_MBYTES UNITTYPE_TBYTES
241 %token UNITTYPE_SEC UNITTYPE_MIN UNITTYPE_HOUR
242 %token EOS BOC EOC COMMA
243
244 %type <num> NUMBER BOOLEAN SWITCH keylength
245 %type <num> PATHTYPE IDENTIFIERTYPE IDENTIFIERQUAL LOGLEV GSS_ID_ENCTYPE
246 %type <num> ALGORITHM_CLASS dh_group_num
247 %type <num> ALGORITHMTYPE STRENGTHTYPE
248 %type <num> PREFIX prefix PORT port ike_port
249 %type <num> ul_proto UL_PROTO
250 %type <num> EXCHANGETYPE DOITYPE SITUATIONTYPE
251 %type <num> CERTTYPE CERT_X509 CERT_PLAINRSA PROPOSAL_CHECK_LEVEL REMOTE_FORCE_LEVEL GENERATE_LEVEL
252 %type <num> unittype_time unittype_byte
253 %type <val> QUOTEDSTRING HEXSTRING ADDRSTRING ADDRRANGE sainfo_id
254 %type <val> identifierstring
255 %type <saddr> remote_index ike_addrinfo_port
256 %type <alg> algorithm
257
258 %%
259
260 statements
261 : /* nothing */
262 | statements statement
263 ;
264 statement
265 : privsep_statement
266 | path_statement
267 | include_statement
268 | gssenc_statement
269 | identifier_statement
270 | logging_statement
271 | padding_statement
272 | listen_statement
273 | ldapcfg_statement
274 | modecfg_statement
275 | timer_statement
276 | sainfo_statement
277 | remote_statement
278 | special_statement
279 ;
280
281 /* privsep */
282 privsep_statement
283 : PRIVSEP BOC privsep_stmts EOC
284 ;
285 privsep_stmts
286 : /* nothing */
287 | privsep_stmts privsep_stmt
288 ;
289 privsep_stmt
290 : USER QUOTEDSTRING
291 {
292 struct passwd *pw;
293
294 if ((pw = getpwnam($2->v)) == NULL) {
295 yyerror("unknown user \"%s\"", $2->v);
296 return -1;
297 }
298 lcconf->uid = pw->pw_uid;
299 }
300 EOS
301 | USER NUMBER { lcconf->uid = $2; } EOS
302 | GROUP QUOTEDSTRING
303 {
304 struct group *gr;
305
306 if ((gr = getgrnam($2->v)) == NULL) {
307 yyerror("unknown group \"%s\"", $2->v);
308 return -1;
309 }
310 lcconf->gid = gr->gr_gid;
311 }
312 EOS
313 | GROUP NUMBER { lcconf->gid = $2; } EOS
314 | CHROOT QUOTEDSTRING { lcconf->chroot = $2->v; } EOS
315 ;
316
317 /* path */
318 path_statement
319 : PATH PATHTYPE QUOTEDSTRING
320 {
321 if ($2 >= LC_PATHTYPE_MAX) {
322 yyerror("invalid path type %d", $2);
323 return -1;
324 }
325
326 /* free old pathinfo */
327 if (lcconf->pathinfo[$2])
328 racoon_free(lcconf->pathinfo[$2]);
329
330 /* set new pathinfo */
331 lcconf->pathinfo[$2] = racoon_strdup($3->v);
332 STRDUP_FATAL(lcconf->pathinfo[$2]);
333 vfree($3);
334 }
335 EOS
336 ;
337
338 /* special */
339 special_statement
340 : COMPLEX_BUNDLE SWITCH { lcconf->complex_bundle = $2; } EOS
341 ;
342
343 /* include */
344 include_statement
345 : INCLUDE QUOTEDSTRING EOS
346 {
347 char path[MAXPATHLEN];
348
349 getpathname(path, sizeof(path),
350 LC_PATHTYPE_INCLUDE, $2->v);
351 vfree($2);
352 if (yycf_switch_buffer(path) != 0)
353 return -1;
354 }
355 ;
356
357 /* gss_id_enc */
358 gssenc_statement
359 : GSS_ID_ENC GSS_ID_ENCTYPE EOS
360 {
361 if ($2 >= LC_GSSENC_MAX) {
362 yyerror("invalid GSS ID encoding %d", $2);
363 return -1;
364 }
365 lcconf->gss_id_enc = $2;
366 }
367 ;
368
369 /* self information */
370 identifier_statement
371 : IDENTIFIER identifier_stmt
372 ;
373 identifier_stmt
374 : VENDORID
375 {
376 /*XXX to be deleted */
377 }
378 QUOTEDSTRING EOS
379 | IDENTIFIERTYPE QUOTEDSTRING
380 {
381 /*XXX to be deleted */
382 $2->l--; /* nuke '\0' */
383 lcconf->ident[$1] = $2;
384 if (lcconf->ident[$1] == NULL) {
385 yyerror("failed to set my ident: %s",
386 strerror(errno));
387 return -1;
388 }
389 }
390 EOS
391 ;
392
393 /* logging */
394 logging_statement
395 : LOGGING log_level EOS
396 ;
397 log_level
398 : HEXSTRING
399 {
400 /*
401 * XXX ignore it because this specification
402 * will be obsoleted.
403 */
404 yywarn("see racoon.conf(5), such a log specification will be obsoleted.");
405 vfree($1);
406 }
407 | LOGLEV
408 {
409 /*
410 * set the loglevel to the value specified
411 * in the configuration file plus the number
412 * of -d options specified on the command line
413 */
414 loglevel += $1 - oldloglevel;
415 oldloglevel = $1;
416 }
417 ;
418
419 /* padding */
420 padding_statement
421 : PADDING BOC padding_stmts EOC
422 ;
423 padding_stmts
424 : /* nothing */
425 | padding_stmts padding_stmt
426 ;
427 padding_stmt
428 : PAD_RANDOMIZE SWITCH { lcconf->pad_random = $2; } EOS
429 | PAD_RANDOMIZELEN SWITCH { lcconf->pad_randomlen = $2; } EOS
430 | PAD_MAXLEN NUMBER { lcconf->pad_maxsize = $2; } EOS
431 | PAD_STRICT SWITCH { lcconf->pad_strict = $2; } EOS
432 | PAD_EXCLTAIL SWITCH { lcconf->pad_excltail = $2; } EOS
433 ;
434
435 /* listen */
436 listen_statement
437 : LISTEN BOC listen_stmts EOC
438 ;
439 listen_stmts
440 : /* nothing */
441 | listen_stmts listen_stmt
442 ;
443 listen_stmt
444 : X_ISAKMP ike_addrinfo_port
445 {
446 listen_addr ($2, 0);
447 }
448 EOS
449 | X_ISAKMP_NATT ike_addrinfo_port
450 {
451 #ifdef ENABLE_NATT
452 listen_addr ($2, 1);
453 #else
454 yyerror("NAT-T support not compiled in.");
455 #endif
456 }
457 EOS
458 | X_ADMIN
459 {
460 yyerror("admin directive is obsoleted.");
461 }
462 PORT EOS
463 | ADMINSOCK QUOTEDSTRING QUOTEDSTRING QUOTEDSTRING NUMBER
464 {
465 #ifdef ENABLE_ADMINPORT
466 adminsock_conf($2, $3, $4, $5);
467 #else
468 yywarn("admin port support not compiled in");
469 #endif
470 }
471 EOS
472 | ADMINSOCK QUOTEDSTRING
473 {
474 #ifdef ENABLE_ADMINPORT
475 adminsock_conf($2, NULL, NULL, -1);
476 #else
477 yywarn("admin port support not compiled in");
478 #endif
479 }
480 EOS
481 | ADMINSOCK DISABLED
482 {
483 #ifdef ENABLE_ADMINPORT
484 adminsock_path = NULL;
485 #else
486 yywarn("admin port support not compiled in");
487 #endif
488 }
489 EOS
490 | STRICT_ADDRESS { lcconf->strict_address = TRUE; } EOS
491 ;
492 ike_addrinfo_port
493 : ADDRSTRING ike_port
494 {
495 char portbuf[10];
496
497 snprintf(portbuf, sizeof(portbuf), "%ld", $2);
498 $$ = str2saddr($1->v, portbuf);
499 vfree($1);
500 if (!$$)
501 return -1;
502 }
503 ;
504 ike_port
505 : /* nothing */ { $$ = PORT_ISAKMP; }
506 | PORT { $$ = $1; }
507 ;
508
509 /* ldap configuration */
510 ldapcfg_statement
511 : LDAPCFG {
512 #ifndef ENABLE_HYBRID
513 yyerror("racoon not configured with --enable-hybrid");
514 return -1;
515 #endif
516 #ifndef HAVE_LIBLDAP
517 yyerror("racoon not configured with --with-libldap");
518 return -1;
519 #endif
520 } BOC ldapcfg_stmts EOC
521 ;
522 ldapcfg_stmts
523 : /* nothing */
524 | ldapcfg_stmts ldapcfg_stmt
525 ;
526 ldapcfg_stmt
527 : LDAP_PVER NUMBER
528 {
529 #ifdef ENABLE_HYBRID
530 #ifdef HAVE_LIBLDAP
531 if (($2<2)||($2>3))
532 yyerror("invalid ldap protocol version (2|3)");
533 xauth_ldap_config.pver = $2;
534 #endif
535 #endif
536 }
537 EOS
538 | LDAP_HOST QUOTEDSTRING
539 {
540 #ifdef ENABLE_HYBRID
541 #ifdef HAVE_LIBLDAP
542 if (xauth_ldap_config.host != NULL)
543 vfree(xauth_ldap_config.host);
544 xauth_ldap_config.host = vdup($2);
545 #endif
546 #endif
547 }
548 EOS
549 | LDAP_PORT NUMBER
550 {
551 #ifdef ENABLE_HYBRID
552 #ifdef HAVE_LIBLDAP
553 xauth_ldap_config.port = $2;
554 #endif
555 #endif
556 }
557 EOS
558 | LDAP_BASE QUOTEDSTRING
559 {
560 #ifdef ENABLE_HYBRID
561 #ifdef HAVE_LIBLDAP
562 if (xauth_ldap_config.base != NULL)
563 vfree(xauth_ldap_config.base);
564 xauth_ldap_config.base = vdup($2);
565 #endif
566 #endif
567 }
568 EOS
569 | LDAP_SUBTREE SWITCH
570 {
571 #ifdef ENABLE_HYBRID
572 #ifdef HAVE_LIBLDAP
573 xauth_ldap_config.subtree = $2;
574 #endif
575 #endif
576 }
577 EOS
578 | LDAP_BIND_DN QUOTEDSTRING
579 {
580 #ifdef ENABLE_HYBRID
581 #ifdef HAVE_LIBLDAP
582 if (xauth_ldap_config.bind_dn != NULL)
583 vfree(xauth_ldap_config.bind_dn);
584 xauth_ldap_config.bind_dn = vdup($2);
585 #endif
586 #endif
587 }
588 EOS
589 | LDAP_BIND_PW QUOTEDSTRING
590 {
591 #ifdef ENABLE_HYBRID
592 #ifdef HAVE_LIBLDAP
593 if (xauth_ldap_config.bind_pw != NULL)
594 vfree(xauth_ldap_config.bind_pw);
595 xauth_ldap_config.bind_pw = vdup($2);
596 #endif
597 #endif
598 }
599 EOS
600 | LDAP_ATTR_USER QUOTEDSTRING
601 {
602 #ifdef ENABLE_HYBRID
603 #ifdef HAVE_LIBLDAP
604 if (xauth_ldap_config.attr_user != NULL)
605 vfree(xauth_ldap_config.attr_user);
606 xauth_ldap_config.attr_user = vdup($2);
607 #endif
608 #endif
609 }
610 EOS
611 | LDAP_ATTR_ADDR QUOTEDSTRING
612 {
613 #ifdef ENABLE_HYBRID
614 #ifdef HAVE_LIBLDAP
615 if (xauth_ldap_config.attr_addr != NULL)
616 vfree(xauth_ldap_config.attr_addr);
617 xauth_ldap_config.attr_addr = vdup($2);
618 #endif
619 #endif
620 }
621 EOS
622 | LDAP_ATTR_MASK QUOTEDSTRING
623 {
624 #ifdef ENABLE_HYBRID
625 #ifdef HAVE_LIBLDAP
626 if (xauth_ldap_config.attr_mask != NULL)
627 vfree(xauth_ldap_config.attr_mask);
628 xauth_ldap_config.attr_mask = vdup($2);
629 #endif
630 #endif
631 }
632 EOS
633 | LDAP_ATTR_GROUP QUOTEDSTRING
634 {
635 #ifdef ENABLE_HYBRID
636 #ifdef HAVE_LIBLDAP
637 if (xauth_ldap_config.attr_group != NULL)
638 vfree(xauth_ldap_config.attr_group);
639 xauth_ldap_config.attr_group = vdup($2);
640 #endif
641 #endif
642 }
643 EOS
644 | LDAP_ATTR_MEMBER QUOTEDSTRING
645 {
646 #ifdef ENABLE_HYBRID
647 #ifdef HAVE_LIBLDAP
648 if (xauth_ldap_config.attr_member != NULL)
649 vfree(xauth_ldap_config.attr_member);
650 xauth_ldap_config.attr_member = vdup($2);
651 #endif
652 #endif
653 }
654 EOS
655 ;
656
657 /* modecfg */
658 modecfg_statement
659 : MODECFG BOC modecfg_stmts EOC
660 ;
661 modecfg_stmts
662 : /* nothing */
663 | modecfg_stmts modecfg_stmt
664 ;
665 modecfg_stmt
666 : CFG_NET4 ADDRSTRING
667 {
668 #ifdef ENABLE_HYBRID
669 if (inet_pton(AF_INET, $2->v,
670 &isakmp_cfg_config.network4) != 1)
671 yyerror("bad IPv4 network address.");
672 #else
673 yyerror("racoon not configured with --enable-hybrid");
674 #endif
675 }
676 EOS
677 | CFG_MASK4 ADDRSTRING
678 {
679 #ifdef ENABLE_HYBRID
680 if (inet_pton(AF_INET, $2->v,
681 &isakmp_cfg_config.netmask4) != 1)
682 yyerror("bad IPv4 netmask address.");
683 #else
684 yyerror("racoon not configured with --enable-hybrid");
685 #endif
686 }
687 EOS
688 | CFG_DNS4 addrdnslist
689 EOS
690 | CFG_NBNS4 addrwinslist
691 EOS
692 | CFG_SPLIT_NETWORK CFG_SPLIT_LOCAL splitnetlist
693 {
694 #ifdef ENABLE_HYBRID
695 isakmp_cfg_config.splitnet_type = UNITY_LOCAL_LAN;
696 #else
697 yyerror("racoon not configured with --enable-hybrid");
698 #endif
699 }
700 EOS
701 | CFG_SPLIT_NETWORK CFG_SPLIT_INCLUDE splitnetlist
702 {
703 #ifdef ENABLE_HYBRID
704 isakmp_cfg_config.splitnet_type = UNITY_SPLIT_INCLUDE;
705 #else
706 yyerror("racoon not configured with --enable-hybrid");
707 #endif
708 }
709 EOS
710 | CFG_SPLIT_DNS splitdnslist
711 {
712 #ifndef ENABLE_HYBRID
713 yyerror("racoon not configured with --enable-hybrid");
714 #endif
715 }
716 EOS
717 | CFG_DEFAULT_DOMAIN QUOTEDSTRING
718 {
719 #ifdef ENABLE_HYBRID
720 strncpy(&isakmp_cfg_config.default_domain[0],
721 $2->v, MAXPATHLEN);
722 isakmp_cfg_config.default_domain[MAXPATHLEN] = '\0';
723 vfree($2);
724 #else
725 yyerror("racoon not configured with --enable-hybrid");
726 #endif
727 }
728 EOS
729 | CFG_AUTH_SOURCE CFG_SYSTEM
730 {
731 #ifdef ENABLE_HYBRID
732 isakmp_cfg_config.authsource = ISAKMP_CFG_AUTH_SYSTEM;
733 #else
734 yyerror("racoon not configured with --enable-hybrid");
735 #endif
736 }
737 EOS
738 | CFG_AUTH_SOURCE CFG_RADIUS
739 {
740 #ifdef ENABLE_HYBRID
741 #ifdef HAVE_LIBRADIUS
742 isakmp_cfg_config.authsource = ISAKMP_CFG_AUTH_RADIUS;
743 #else /* HAVE_LIBRADIUS */
744 yyerror("racoon not configured with --with-libradius");
745 #endif /* HAVE_LIBRADIUS */
746 #else /* ENABLE_HYBRID */
747 yyerror("racoon not configured with --enable-hybrid");
748 #endif /* ENABLE_HYBRID */
749 }
750 EOS
751 | CFG_AUTH_SOURCE CFG_PAM
752 {
753 #ifdef ENABLE_HYBRID
754 #ifdef HAVE_LIBPAM
755 isakmp_cfg_config.authsource = ISAKMP_CFG_AUTH_PAM;
756 #else /* HAVE_LIBPAM */
757 yyerror("racoon not configured with --with-libpam");
758 #endif /* HAVE_LIBPAM */
759 #else /* ENABLE_HYBRID */
760 yyerror("racoon not configured with --enable-hybrid");
761 #endif /* ENABLE_HYBRID */
762 }
763 EOS
764 | CFG_AUTH_SOURCE CFG_LDAP
765 {
766 #ifdef ENABLE_HYBRID
767 #ifdef HAVE_LIBLDAP
768 isakmp_cfg_config.authsource = ISAKMP_CFG_AUTH_LDAP;
769 #else /* HAVE_LIBLDAP */
770 yyerror("racoon not configured with --with-libldap");
771 #endif /* HAVE_LIBLDAP */
772 #else /* ENABLE_HYBRID */
773 yyerror("racoon not configured with --enable-hybrid");
774 #endif /* ENABLE_HYBRID */
775 }
776 EOS
777 | CFG_AUTH_GROUPS authgrouplist
778 {
779 #ifndef ENABLE_HYBRID
780 yyerror("racoon not configured with --enable-hybrid");
781 #endif
782 }
783 EOS
784 | CFG_GROUP_SOURCE CFG_SYSTEM
785 {
786 #ifdef ENABLE_HYBRID
787 isakmp_cfg_config.groupsource = ISAKMP_CFG_GROUP_SYSTEM;
788 #else
789 yyerror("racoon not configured with --enable-hybrid");
790 #endif
791 }
792 EOS
793 | CFG_GROUP_SOURCE CFG_LDAP
794 {
795 #ifdef ENABLE_HYBRID
796 #ifdef HAVE_LIBLDAP
797 isakmp_cfg_config.groupsource = ISAKMP_CFG_GROUP_LDAP;
798 #else /* HAVE_LIBLDAP */
799 yyerror("racoon not configured with --with-libldap");
800 #endif /* HAVE_LIBLDAP */
801 #else /* ENABLE_HYBRID */
802 yyerror("racoon not configured with --enable-hybrid");
803 #endif /* ENABLE_HYBRID */
804 }
805 EOS
806 | CFG_ACCOUNTING CFG_NONE
807 {
808 #ifdef ENABLE_HYBRID
809 isakmp_cfg_config.accounting = ISAKMP_CFG_ACCT_NONE;
810 #else
811 yyerror("racoon not configured with --enable-hybrid");
812 #endif
813 }
814 EOS
815 | CFG_ACCOUNTING CFG_SYSTEM
816 {
817 #ifdef ENABLE_HYBRID
818 isakmp_cfg_config.accounting = ISAKMP_CFG_ACCT_SYSTEM;
819 #else
820 yyerror("racoon not configured with --enable-hybrid");
821 #endif
822 }
823 EOS
824 | CFG_ACCOUNTING CFG_RADIUS
825 {
826 #ifdef ENABLE_HYBRID
827 #ifdef HAVE_LIBRADIUS
828 isakmp_cfg_config.accounting = ISAKMP_CFG_ACCT_RADIUS;
829 #else /* HAVE_LIBRADIUS */
830 yyerror("racoon not configured with --with-libradius");
831 #endif /* HAVE_LIBRADIUS */
832 #else /* ENABLE_HYBRID */
833 yyerror("racoon not configured with --enable-hybrid");
834 #endif /* ENABLE_HYBRID */
835 }
836 EOS
837 | CFG_ACCOUNTING CFG_PAM
838 {
839 #ifdef ENABLE_HYBRID
840 #ifdef HAVE_LIBPAM
841 isakmp_cfg_config.accounting = ISAKMP_CFG_ACCT_PAM;
842 #else /* HAVE_LIBPAM */
843 yyerror("racoon not configured with --with-libpam");
844 #endif /* HAVE_LIBPAM */
845 #else /* ENABLE_HYBRID */
846 yyerror("racoon not configured with --enable-hybrid");
847 #endif /* ENABLE_HYBRID */
848 }
849 EOS
850 | CFG_POOL_SIZE NUMBER
851 {
852 #ifdef ENABLE_HYBRID
853 if (isakmp_cfg_resize_pool($2) != 0)
854 yyerror("cannot allocate memory for pool");
855 #else /* ENABLE_HYBRID */
856 yyerror("racoon not configured with --enable-hybrid");
857 #endif /* ENABLE_HYBRID */
858 }
859 EOS
860 | CFG_PFS_GROUP NUMBER
861 {
862 #ifdef ENABLE_HYBRID
863 isakmp_cfg_config.pfs_group = $2;
864 #else /* ENABLE_HYBRID */
865 yyerror("racoon not configured with --enable-hybrid");
866 #endif /* ENABLE_HYBRID */
867 }
868 EOS
869 | CFG_SAVE_PASSWD SWITCH
870 {
871 #ifdef ENABLE_HYBRID
872 isakmp_cfg_config.save_passwd = $2;
873 #else /* ENABLE_HYBRID */
874 yyerror("racoon not configured with --enable-hybrid");
875 #endif /* ENABLE_HYBRID */
876 }
877 EOS
878 | CFG_AUTH_THROTTLE NUMBER
879 {
880 #ifdef ENABLE_HYBRID
881 isakmp_cfg_config.auth_throttle = $2;
882 #else /* ENABLE_HYBRID */
883 yyerror("racoon not configured with --enable-hybrid");
884 #endif /* ENABLE_HYBRID */
885 }
886 EOS
887 | CFG_CONF_SOURCE CFG_LOCAL
888 {
889 #ifdef ENABLE_HYBRID
890 isakmp_cfg_config.confsource = ISAKMP_CFG_CONF_LOCAL;
891 #else /* ENABLE_HYBRID */
892 yyerror("racoon not configured with --enable-hybrid");
893 #endif /* ENABLE_HYBRID */
894 }
895 EOS
896 | CFG_CONF_SOURCE CFG_RADIUS
897 {
898 #ifdef ENABLE_HYBRID
899 #ifdef HAVE_LIBRADIUS
900 isakmp_cfg_config.confsource = ISAKMP_CFG_CONF_RADIUS;
901 #else /* HAVE_LIBRADIUS */
902 yyerror("racoon not configured with --with-libradius");
903 #endif /* HAVE_LIBRADIUS */
904 #else /* ENABLE_HYBRID */
905 yyerror("racoon not configured with --enable-hybrid");
906 #endif /* ENABLE_HYBRID */
907 }
908 EOS
909 | CFG_CONF_SOURCE CFG_LDAP
910 {
911 #ifdef ENABLE_HYBRID
912 #ifdef HAVE_LIBLDAP
913 isakmp_cfg_config.confsource = ISAKMP_CFG_CONF_LDAP;
914 #else /* HAVE_LIBLDAP */
915 yyerror("racoon not configured with --with-libldap");
916 #endif /* HAVE_LIBLDAP */
917 #else /* ENABLE_HYBRID */
918 yyerror("racoon not configured with --enable-hybrid");
919 #endif /* ENABLE_HYBRID */
920 }
921 EOS
922 | CFG_MOTD QUOTEDSTRING
923 {
924 #ifdef ENABLE_HYBRID
925 strncpy(&isakmp_cfg_config.motd[0], $2->v, MAXPATHLEN);
926 isakmp_cfg_config.motd[MAXPATHLEN] = '\0';
927 vfree($2);
928 #else
929 yyerror("racoon not configured with --enable-hybrid");
930 #endif
931 }
932 EOS
933 ;
934
935 addrdnslist
936 : addrdns
937 | addrdns COMMA addrdnslist
938 ;
939 addrdns
940 : ADDRSTRING
941 {
942 #ifdef ENABLE_HYBRID
943 struct isakmp_cfg_config *icc = &isakmp_cfg_config;
944
945 if (icc->dns4_index > MAXNS)
946 yyerror("No more than %d DNS", MAXNS);
947 if (inet_pton(AF_INET, $1->v,
948 &icc->dns4[icc->dns4_index++]) != 1)
949 yyerror("bad IPv4 DNS address.");
950 #else
951 yyerror("racoon not configured with --enable-hybrid");
952 #endif
953 }
954 ;
955
956 addrwinslist
957 : addrwins
958 | addrwins COMMA addrwinslist
959 ;
960 addrwins
961 : ADDRSTRING
962 {
963 #ifdef ENABLE_HYBRID
964 struct isakmp_cfg_config *icc = &isakmp_cfg_config;
965
966 if (icc->nbns4_index > MAXWINS)
967 yyerror("No more than %d WINS", MAXWINS);
968 if (inet_pton(AF_INET, $1->v,
969 &icc->nbns4[icc->nbns4_index++]) != 1)
970 yyerror("bad IPv4 WINS address.");
971 #else
972 yyerror("racoon not configured with --enable-hybrid");
973 #endif
974 }
975 ;
976
977 splitnetlist
978 : splitnet
979 | splitnetlist COMMA splitnet
980 ;
981 splitnet
982 : ADDRSTRING PREFIX
983 {
984 #ifdef ENABLE_HYBRID
985 struct isakmp_cfg_config *icc = &isakmp_cfg_config;
986 struct unity_network network;
987 memset(&network,0,sizeof(network));
988
989 if (inet_pton(AF_INET, $1->v, &network.addr4) != 1)
990 yyerror("bad IPv4 SPLIT address.");
991
992 /* Turn $2 (the prefix) into a subnet mask */
993 network.mask4.s_addr = ($2) ? htonl(~((1 << (32 - $2)) - 1)) : 0;
994
995 /* add the network to our list */
996 if (splitnet_list_add(&icc->splitnet_list, &network,&icc->splitnet_count))
997 yyerror("Unable to allocate split network");
998 #else
999 yyerror("racoon not configured with --enable-hybrid");
1000 #endif
1001 }
1002 ;
1003
1004 authgrouplist
1005 : authgroup
1006 | authgroup COMMA authgrouplist
1007 ;
1008 authgroup
1009 : QUOTEDSTRING
1010 {
1011 #ifdef ENABLE_HYBRID
1012 char * groupname = NULL;
1013 char ** grouplist = NULL;
1014 struct isakmp_cfg_config *icc = &isakmp_cfg_config;
1015
1016 grouplist = racoon_realloc(icc->grouplist,
1017 sizeof(char**)*(icc->groupcount+1));
1018 if (grouplist == NULL)
1019 yyerror("unable to allocate auth group list");
1020
1021 groupname = racoon_malloc($1->l+1);
1022 if (groupname == NULL)
1023 yyerror("unable to allocate auth group name");
1024
1025 memcpy(groupname,$1->v,$1->l);
1026 groupname[$1->l]=0;
1027 grouplist[icc->groupcount]=groupname;
1028 icc->grouplist = grouplist;
1029 icc->groupcount++;
1030
1031 vfree($1);
1032 #else
1033 yyerror("racoon not configured with --enable-hybrid");
1034 #endif
1035 }
1036 ;
1037
1038 splitdnslist
1039 : splitdns
1040 | splitdns COMMA splitdnslist
1041 ;
1042 splitdns
1043 : QUOTEDSTRING
1044 {
1045 #ifdef ENABLE_HYBRID
1046 struct isakmp_cfg_config *icc = &isakmp_cfg_config;
1047
1048 if (!icc->splitdns_len)
1049 {
1050 icc->splitdns_list = racoon_malloc($1->l);
1051 if(icc->splitdns_list == NULL)
1052 yyerror("error allocating splitdns list buffer");
1053 memcpy(icc->splitdns_list,$1->v,$1->l);
1054 icc->splitdns_len = $1->l;
1055 }
1056 else
1057 {
1058 int len = icc->splitdns_len + $1->l + 1;
1059 icc->splitdns_list = racoon_realloc(icc->splitdns_list,len);
1060 if(icc->splitdns_list == NULL)
1061 yyerror("error allocating splitdns list buffer");
1062 icc->splitdns_list[icc->splitdns_len] = ',';
1063 memcpy(icc->splitdns_list + icc->splitdns_len + 1, $1->v, $1->l);
1064 icc->splitdns_len = len;
1065 }
1066 vfree($1);
1067 #else
1068 yyerror("racoon not configured with --enable-hybrid");
1069 #endif
1070 }
1071 ;
1072
1073
1074 /* timer */
1075 timer_statement
1076 : RETRY BOC timer_stmts EOC
1077 ;
1078 timer_stmts
1079 : /* nothing */
1080 | timer_stmts timer_stmt
1081 ;
1082 timer_stmt
1083 : RETRY_COUNTER NUMBER
1084 {
1085 lcconf->retry_counter = $2;
1086 }
1087 EOS
1088 | RETRY_INTERVAL NUMBER unittype_time
1089 {
1090 lcconf->retry_interval = $2 * $3;
1091 }
1092 EOS
1093 | RETRY_PERSEND NUMBER
1094 {
1095 lcconf->count_persend = $2;
1096 }
1097 EOS
1098 | RETRY_PHASE1 NUMBER unittype_time
1099 {
1100 lcconf->retry_checkph1 = $2 * $3;
1101 }
1102 EOS
1103 | RETRY_PHASE2 NUMBER unittype_time
1104 {
1105 lcconf->wait_ph2complete = $2 * $3;
1106 }
1107 EOS
1108 | NATT_KA NUMBER unittype_time
1109 {
1110 #ifdef ENABLE_NATT
1111 if (libipsec_opt & LIBIPSEC_OPT_NATT)
1112 lcconf->natt_ka_interval = $2 * $3;
1113 else
1114 yyerror("libipsec lacks NAT-T support");
1115 #else
1116 yyerror("NAT-T support not compiled in.");
1117 #endif
1118 }
1119 EOS
1120 ;
1121
1122 /* sainfo */
1123 sainfo_statement
1124 : SAINFO
1125 {
1126 cur_sainfo = newsainfo();
1127 if (cur_sainfo == NULL) {
1128 yyerror("failed to allocate sainfo");
1129 return -1;
1130 }
1131 }
1132 sainfo_name sainfo_param BOC sainfo_specs
1133 {
1134 struct sainfo *check;
1135
1136 /* default */
1137 if (cur_sainfo->algs[algclass_ipsec_enc] == 0) {
1138 yyerror("no encryption algorithm at %s",
1139 sainfo2str(cur_sainfo));
1140 return -1;
1141 }
1142 if (cur_sainfo->algs[algclass_ipsec_auth] == 0) {
1143 yyerror("no authentication algorithm at %s",
1144 sainfo2str(cur_sainfo));
1145 return -1;
1146 }
1147 if (cur_sainfo->algs[algclass_ipsec_comp] == 0) {
1148 yyerror("no compression algorithm at %s",
1149 sainfo2str(cur_sainfo));
1150 return -1;
1151 }
1152
1153 /* duplicate check */
1154 check = getsainfo(cur_sainfo->idsrc,
1155 cur_sainfo->iddst,
1156 cur_sainfo->id_i,
1157 cur_sainfo->remoteid);
1158 if (check && (!check->idsrc && !cur_sainfo->idsrc)) {
1159 yyerror("duplicated sainfo: %s",
1160 sainfo2str(cur_sainfo));
1161 return -1;
1162 }
1163 inssainfo(cur_sainfo);
1164 }
1165 EOC
1166 ;
1167 sainfo_name
1168 : ANONYMOUS
1169 {
1170 cur_sainfo->idsrc = NULL;
1171 cur_sainfo->iddst = NULL;
1172 }
1173 | ANONYMOUS sainfo_id
1174 {
1175 cur_sainfo->idsrc = NULL;
1176 cur_sainfo->iddst = $2;
1177 }
1178 | sainfo_id ANONYMOUS
1179 {
1180 cur_sainfo->idsrc = $1;
1181 cur_sainfo->iddst = NULL;
1182 }
1183 | sainfo_id sainfo_id
1184 {
1185 cur_sainfo->idsrc = $1;
1186 cur_sainfo->iddst = $2;
1187 }
1188 ;
1189 sainfo_id
1190 : IDENTIFIERTYPE ADDRSTRING prefix port ul_proto
1191 {
1192 char portbuf[10];
1193 struct sockaddr *saddr;
1194
1195 if (($5 == IPPROTO_ICMP || $5 == IPPROTO_ICMPV6)
1196 && ($4 != IPSEC_PORT_ANY || $4 != IPSEC_PORT_ANY)) {
1197 yyerror("port number must be \"any\".");
1198 return -1;
1199 }
1200
1201 snprintf(portbuf, sizeof(portbuf), "%lu", $4);
1202 saddr = str2saddr($2->v, portbuf);
1203 vfree($2);
1204 if (saddr == NULL)
1205 return -1;
1206
1207 switch (saddr->sa_family) {
1208 case AF_INET:
1209 if ($5 == IPPROTO_ICMPV6) {
1210 yyerror("upper layer protocol mismatched.\n");
1211 racoon_free(saddr);
1212 return -1;
1213 }
1214 $$ = ipsecdoi_sockaddr2id(saddr,
1215 $3 == ~0 ? (sizeof(struct in_addr) << 3): $3,
1216 $5);
1217 break;
1218 #ifdef INET6
1219 case AF_INET6:
1220 if ($5 == IPPROTO_ICMP) {
1221 yyerror("upper layer protocol mismatched.\n");
1222 racoon_free(saddr);
1223 return -1;
1224 }
1225 $$ = ipsecdoi_sockaddr2id(saddr,
1226 $3 == ~0 ? (sizeof(struct in6_addr) << 3): $3,
1227 $5);
1228 break;
1229 #endif
1230 default:
1231 yyerror("invalid family: %d", saddr->sa_family);
1232 $$ = NULL;
1233 break;
1234 }
1235 racoon_free(saddr);
1236 if ($$ == NULL)
1237 return -1;
1238 }
1239 | IDENTIFIERTYPE ADDRSTRING ADDRRANGE prefix port ul_proto
1240 {
1241 char portbuf[10];
1242 struct sockaddr *laddr = NULL, *haddr = NULL;
1243 char *cur = NULL;
1244
1245 if (($6 == IPPROTO_ICMP || $6 == IPPROTO_ICMPV6)
1246 && ($5 != IPSEC_PORT_ANY || $5 != IPSEC_PORT_ANY)) {
1247 yyerror("port number must be \"any\".");
1248 return -1;
1249 }
1250
1251 snprintf(portbuf, sizeof(portbuf), "%lu", $5);
1252
1253 laddr = str2saddr($2->v, portbuf);
1254 if (laddr == NULL) {
1255 return -1;
1256 }
1257 vfree($2);
1258 haddr = str2saddr($3->v, portbuf);
1259 if (haddr == NULL) {
1260 racoon_free(laddr);
1261 return -1;
1262 }
1263 vfree($3);
1264
1265 switch (laddr->sa_family) {
1266 case AF_INET:
1267 if ($6 == IPPROTO_ICMPV6) {
1268 yyerror("upper layer protocol mismatched.\n");
1269 if (laddr)
1270 racoon_free(laddr);
1271 if (haddr)
1272 racoon_free(haddr);
1273 return -1;
1274 }
1275 $$ = ipsecdoi_sockrange2id(laddr, haddr,
1276 $6);
1277 break;
1278 #ifdef INET6
1279 case AF_INET6:
1280 if ($6 == IPPROTO_ICMP) {
1281 yyerror("upper layer protocol mismatched.\n");
1282 if (laddr)
1283 racoon_free(laddr);
1284 if (haddr)
1285 racoon_free(haddr);
1286 return -1;
1287 }
1288 $$ = ipsecdoi_sockrange2id(laddr, haddr,
1289 $6);
1290 break;
1291 #endif
1292 default:
1293 yyerror("invalid family: %d", laddr->sa_family);
1294 $$ = NULL;
1295 break;
1296 }
1297 if (laddr)
1298 racoon_free(laddr);
1299 if (haddr)
1300 racoon_free(haddr);
1301 if ($$ == NULL)
1302 return -1;
1303 }
1304 | IDENTIFIERTYPE QUOTEDSTRING
1305 {
1306 struct ipsecdoi_id_b *id_b;
1307
1308 if ($1 == IDTYPE_ASN1DN) {
1309 yyerror("id type forbidden: %d", $1);
1310 $$ = NULL;
1311 return -1;
1312 }
1313
1314 $2->l--;
1315
1316 $$ = vmalloc(sizeof(*id_b) + $2->l);
1317 if ($$ == NULL) {
1318 yyerror("failed to allocate identifier");
1319 return -1;
1320 }
1321
1322 id_b = (struct ipsecdoi_id_b *)$$->v;
1323 id_b->type = idtype2doi($1);
1324
1325 id_b->proto_id = 0;
1326 id_b->port = 0;
1327
1328 memcpy($$->v + sizeof(*id_b), $2->v, $2->l);
1329 }
1330 ;
1331 sainfo_param
1332 : /* nothing */
1333 {
1334 cur_sainfo->id_i = NULL;
1335 }
1336 | FROM IDENTIFIERTYPE identifierstring
1337 {
1338 struct ipsecdoi_id_b *id_b;
1339 vchar_t *idv;
1340
1341 if (set_identifier(&idv, $2, $3) != 0) {
1342 yyerror("failed to set identifer.\n");
1343 return -1;
1344 }
1345 cur_sainfo->id_i = vmalloc(sizeof(*id_b) + idv->l);
1346 if (cur_sainfo->id_i == NULL) {
1347 yyerror("failed to allocate identifier");
1348 return -1;
1349 }
1350
1351 id_b = (struct ipsecdoi_id_b *)cur_sainfo->id_i->v;
1352 id_b->type = idtype2doi($2);
1353
1354 id_b->proto_id = 0;
1355 id_b->port = 0;
1356
1357 memcpy(cur_sainfo->id_i->v + sizeof(*id_b),
1358 idv->v, idv->l);
1359 vfree(idv);
1360 }
1361 | GROUP QUOTEDSTRING
1362 {
1363 #ifdef ENABLE_HYBRID
1364 if ((cur_sainfo->group = vdup($2)) == NULL) {
1365 yyerror("failed to set sainfo xauth group.\n");
1366 return -1;
1367 }
1368 #else
1369 yyerror("racoon not configured with --enable-hybrid");
1370 return -1;
1371 #endif
1372 }
1373 ;
1374 sainfo_specs
1375 : /* nothing */
1376 | sainfo_specs sainfo_spec
1377 ;
1378 sainfo_spec
1379 : PFS_GROUP dh_group_num
1380 {
1381 cur_sainfo->pfs_group = $2;
1382 }
1383 EOS
1384 | REMOTEID NUMBER
1385 {
1386 cur_sainfo->remoteid = $2;
1387 }
1388 EOS
1389 | LIFETIME LIFETYPE_TIME NUMBER unittype_time
1390 {
1391 cur_sainfo->lifetime = $3 * $4;
1392 }
1393 EOS
1394 | LIFETIME LIFETYPE_BYTE NUMBER unittype_byte
1395 {
1396 #if 1
1397 yyerror("byte lifetime support is deprecated");
1398 return -1;
1399 #else
1400 cur_sainfo->lifebyte = fix_lifebyte($3 * $4);
1401 if (cur_sainfo->lifebyte == 0)
1402 return -1;
1403 #endif
1404 }
1405 EOS
1406 | ALGORITHM_CLASS {
1407 cur_algclass = $1;
1408 }
1409 algorithms EOS
1410 | IDENTIFIER IDENTIFIERTYPE
1411 {
1412 yyerror("it's deprecated to specify a identifier in phase 2");
1413 }
1414 EOS
1415 | MY_IDENTIFIER IDENTIFIERTYPE QUOTEDSTRING
1416 {
1417 yyerror("it's deprecated to specify a identifier in phase 2");
1418 }
1419 EOS
1420 ;
1421
1422 algorithms
1423 : algorithm
1424 {
1425 inssainfoalg(&cur_sainfo->algs[cur_algclass], $1);
1426 }
1427 | algorithm
1428 {
1429 inssainfoalg(&cur_sainfo->algs[cur_algclass], $1);
1430 }
1431 COMMA algorithms
1432 ;
1433 algorithm
1434 : ALGORITHMTYPE keylength
1435 {
1436 int defklen;
1437
1438 $$ = newsainfoalg();
1439 if ($$ == NULL) {
1440 yyerror("failed to get algorithm allocation");
1441 return -1;
1442 }
1443
1444 $$->alg = algtype2doi(cur_algclass, $1);
1445 if ($$->alg == -1) {
1446 yyerror("algorithm mismatched");
1447 racoon_free($$);
1448 $$ = NULL;
1449 return -1;
1450 }
1451
1452 defklen = default_keylen(cur_algclass, $1);
1453 if (defklen == 0) {
1454 if ($2) {
1455 yyerror("keylen not allowed");
1456 racoon_free($$);
1457 $$ = NULL;
1458 return -1;
1459 }
1460 } else {
1461 if ($2 && check_keylen(cur_algclass, $1, $2) < 0) {
1462 yyerror("invalid keylen %d", $2);
1463 racoon_free($$);
1464 $$ = NULL;
1465 return -1;
1466 }
1467 }
1468
1469 if ($2)
1470 $$->encklen = $2;
1471 else
1472 $$->encklen = defklen;
1473
1474 /* check if it's supported algorithm by kernel */
1475 if (!(cur_algclass == algclass_ipsec_auth && $1 == algtype_non_auth)
1476 && pk_checkalg(cur_algclass, $1, $$->encklen)) {
1477 int a = algclass2doi(cur_algclass);
1478 int b = algtype2doi(cur_algclass, $1);
1479 if (a == IPSECDOI_ATTR_AUTH)
1480 a = IPSECDOI_PROTO_IPSEC_AH;
1481 yyerror("algorithm %s not supported by the kernel (missing module?)",
1482 s_ipsecdoi_trns(a, b));
1483 racoon_free($$);
1484 $$ = NULL;
1485 return -1;
1486 }
1487 }
1488 ;
1489 prefix
1490 : /* nothing */ { $$ = ~0; }
1491 | PREFIX { $$ = $1; }
1492 ;
1493 port
1494 : /* nothing */ { $$ = IPSEC_PORT_ANY; }
1495 | PORT { $$ = $1; }
1496 | PORTANY { $$ = IPSEC_PORT_ANY; }
1497 ;
1498 ul_proto
1499 : NUMBER { $$ = $1; }
1500 | UL_PROTO { $$ = $1; }
1501 | ANY { $$ = IPSEC_ULPROTO_ANY; }
1502 ;
1503 keylength
1504 : /* nothing */ { $$ = 0; }
1505 | NUMBER { $$ = $1; }
1506 ;
1507
1508 /* remote */
1509 remote_statement
1510 : REMOTE remote_index INHERIT remote_index
1511 {
1512 struct remoteconf *new;
1513 struct proposalspec *prspec;
1514
1515 new = copyrmconf($4);
1516 if (new == NULL) {
1517 yyerror("failed to get remoteconf for %s.", saddr2str ($4));
1518 return -1;
1519 }
1520
1521 new->remote = $2;
1522 new->inherited_from = getrmconf_strict($4, 1);
1523 new->proposal = NULL;
1524 new->prhead = NULL;
1525 cur_rmconf = new;
1526
1527 prspec = newprspec();
1528 if (prspec == NULL || !cur_rmconf->inherited_from
1529 || !cur_rmconf->inherited_from->proposal)
1530 return -1;
1531 prspec->lifetime = cur_rmconf->inherited_from->proposal->lifetime;
1532 prspec->lifebyte = cur_rmconf->inherited_from->proposal->lifebyte;
1533 insprspec(prspec, &cur_rmconf->prhead);
1534 }
1535 remote_specs_block
1536 | REMOTE remote_index
1537 {
1538 struct remoteconf *new;
1539 struct proposalspec *prspec;
1540
1541 new = newrmconf();
1542 if (new == NULL) {
1543 yyerror("failed to get new remoteconf.");
1544 return -1;
1545 }
1546
1547 new->remote = $2;
1548 cur_rmconf = new;
1549
1550 prspec = newprspec();
1551 if (prspec == NULL)
1552 return -1;
1553 prspec->lifetime = oakley_get_defaultlifetime();
1554 insprspec(prspec, &cur_rmconf->prhead);
1555 }
1556 remote_specs_block
1557 ;
1558
1559 remote_specs_block
1560 : BOC remote_specs EOC
1561 {
1562 /* check a exchange mode */
1563 if (cur_rmconf->etypes == NULL) {
1564 yyerror("no exchange mode specified.\n");
1565 return -1;
1566 }
1567
1568 if (cur_rmconf->idvtype == IDTYPE_UNDEFINED)
1569 cur_rmconf->idvtype = IDTYPE_ADDRESS;
1570
1571
1572 if (cur_rmconf->idvtype == IDTYPE_ASN1DN) {
1573 if (cur_rmconf->mycertfile) {
1574 if (cur_rmconf->idv)
1575 yywarn("Both CERT and ASN1 ID "
1576 "are set. Hope this is OK.\n");
1577 /* TODO: Preparse the DN here */
1578 } else if (cur_rmconf->idv) {
1579 /* OK, using asn1dn without X.509. */
1580 } else {
1581 yyerror("ASN1 ID not specified "
1582 "and no CERT defined!\n");
1583 return -1;
1584 }
1585 }
1586
1587 if (cur_rmconf->prhead->spspec == NULL
1588 && cur_rmconf->inherited_from
1589 && cur_rmconf->inherited_from->prhead) {
1590 cur_rmconf->prhead->spspec = cur_rmconf->inherited_from->prhead->spspec;
1591 }
1592 if (set_isakmp_proposal(cur_rmconf, cur_rmconf->prhead) != 0)
1593 return -1;
1594
1595 /* DH group settting if aggressive mode is there. */
1596 if (check_etypeok(cur_rmconf, ISAKMP_ETYPE_AGG) != NULL) {
1597 struct isakmpsa *p;
1598 int b = 0;
1599
1600 /* DH group */
1601 for (p = cur_rmconf->proposal; p; p = p->next) {
1602 if (b == 0 || (b && b == p->dh_group)) {
1603 b = p->dh_group;
1604 continue;
1605 }
1606 yyerror("DH group must be equal "
1607 "in all proposals "
1608 "when aggressive mode is "
1609 "used.\n");
1610 return -1;
1611 }
1612 cur_rmconf->dh_group = b;
1613
1614 if (cur_rmconf->dh_group == 0) {
1615 yyerror("DH group must be set in the proposal.\n");
1616 return -1;
1617 }
1618
1619 /* DH group settting if PFS is required. */
1620 if (oakley_setdhgroup(cur_rmconf->dh_group,
1621 &cur_rmconf->dhgrp) < 0) {
1622 yyerror("failed to set DH value.\n");
1623 return -1;
1624 }
1625 }
1626
1627 insrmconf(cur_rmconf);
1628 }
1629 ;
1630 remote_index
1631 : ANONYMOUS ike_port
1632 {
1633 $$ = newsaddr(sizeof(struct sockaddr));
1634 $$->sa_family = AF_UNSPEC;
1635 ((struct sockaddr_in *)$$)->sin_port = htons($2);
1636 }
1637 | ike_addrinfo_port
1638 {
1639 $$ = $1;
1640 if ($$ == NULL) {
1641 yyerror("failed to allocate sockaddr");
1642 return -1;
1643 }
1644 }
1645 ;
1646 remote_specs
1647 : /* nothing */
1648 | remote_specs remote_spec
1649 ;
1650 remote_spec
1651 : EXCHANGE_MODE
1652 {
1653 cur_rmconf->etypes = NULL;
1654 }
1655 exchange_types EOS
1656 | DOI DOITYPE { cur_rmconf->doitype = $2; } EOS
1657 | SITUATION SITUATIONTYPE { cur_rmconf->sittype = $2; } EOS
1658 | CERTIFICATE_TYPE cert_spec
1659 | PEERS_CERTFILE QUOTEDSTRING
1660 {
1661 yywarn("This directive without certtype will be removed!\n");
1662 yywarn("Please use 'peers_certfile x509 \"%s\";' instead\n", $2->v);
1663 cur_rmconf->getcert_method = ISAKMP_GETCERT_LOCALFILE;
1664
1665 if (cur_rmconf->peerscertfile != NULL)
1666 racoon_free(cur_rmconf->peerscertfile);
1667 cur_rmconf->peerscertfile = racoon_strdup($2->v);
1668 STRDUP_FATAL(cur_rmconf->peerscertfile);
1669 vfree($2);
1670 }
1671 EOS
1672 | CA_TYPE CERT_X509 QUOTEDSTRING
1673 {
1674 cur_rmconf->cacerttype = $2;
1675 cur_rmconf->getcacert_method = ISAKMP_GETCERT_LOCALFILE;
1676 if (cur_rmconf->cacertfile != NULL)
1677 racoon_free(cur_rmconf->cacertfile);
1678 cur_rmconf->cacertfile = racoon_strdup($3->v);
1679 STRDUP_FATAL(cur_rmconf->cacertfile);
1680 vfree($3);
1681 }
1682 EOS
1683 | PEERS_CERTFILE CERT_X509 QUOTEDSTRING
1684 {
1685 cur_rmconf->getcert_method = ISAKMP_GETCERT_LOCALFILE;
1686 if (cur_rmconf->peerscertfile != NULL)
1687 racoon_free(cur_rmconf->peerscertfile);
1688 cur_rmconf->peerscertfile = racoon_strdup($3->v);
1689 STRDUP_FATAL(cur_rmconf->peerscertfile);
1690 vfree($3);
1691 }
1692 EOS
1693 | PEERS_CERTFILE CERT_PLAINRSA QUOTEDSTRING
1694 {
1695 char path[MAXPATHLEN];
1696 int ret = 0;
1697
1698 getpathname(path, sizeof(path),
1699 LC_PATHTYPE_CERT, $3->v);
1700 vfree($3);
1701
1702 if (cur_rmconf->getcert_method == ISAKMP_GETCERT_DNS) {
1703 yyerror("Different peers_certfile method "
1704 "already defined: %d!\n",
1705 cur_rmconf->getcert_method);
1706 return -1;
1707 }
1708 cur_rmconf->getcert_method = ISAKMP_GETCERT_LOCALFILE;
1709 if (rsa_parse_file(cur_rmconf->rsa_public, path, RSA_TYPE_PUBLIC)) {
1710 yyerror("Couldn't parse keyfile.\n", path);
1711 return -1;
1712 }
1713 plog(LLV_DEBUG, LOCATION, NULL, "Public PlainRSA keyfile parsed: %s\n", path);
1714 }
1715 EOS
1716 | PEERS_CERTFILE DNSSEC
1717 {
1718 if (cur_rmconf->getcert_method) {
1719 yyerror("Different peers_certfile method already defined!\n");
1720 return -1;
1721 }
1722 cur_rmconf->getcert_method = ISAKMP_GETCERT_DNS;
1723 cur_rmconf->peerscertfile = NULL;
1724 }
1725 EOS
1726 | VERIFY_CERT SWITCH { cur_rmconf->verify_cert = $2; } EOS
1727 | SEND_CERT SWITCH { cur_rmconf->send_cert = $2; } EOS
1728 | SEND_CR SWITCH { cur_rmconf->send_cr = $2; } EOS
1729 | MY_IDENTIFIER IDENTIFIERTYPE identifierstring
1730 {
1731 if (set_identifier(&cur_rmconf->idv, $2, $3) != 0) {
1732 yyerror("failed to set identifer.\n");
1733 return -1;
1734 }
1735 cur_rmconf->idvtype = $2;
1736 }
1737 EOS
1738 | MY_IDENTIFIER IDENTIFIERTYPE IDENTIFIERQUAL identifierstring
1739 {
1740 if (set_identifier_qual(&cur_rmconf->idv, $2, $4, $3) != 0) {
1741 yyerror("failed to set identifer.\n");
1742 return -1;
1743 }
1744 cur_rmconf->idvtype = $2;
1745 }
1746 EOS
1747 | XAUTH_LOGIN identifierstring
1748 {
1749 #ifdef ENABLE_HYBRID
1750 /* formerly identifier type login */
1751 if (xauth_rmconf_used(&cur_rmconf->xauth) == -1) {
1752 yyerror("failed to allocate xauth state\n");
1753 return -1;
1754 }
1755 if ((cur_rmconf->xauth->login = vdup($2)) == NULL) {
1756 yyerror("failed to set identifer.\n");
1757 return -1;
1758 }
1759 #else
1760 yyerror("racoon not configured with --enable-hybrid");
1761 #endif
1762 }
1763 EOS
1764 | PEERS_IDENTIFIER IDENTIFIERTYPE identifierstring
1765 {
1766 struct idspec *id;
1767 id = newidspec();
1768 if (id == NULL) {
1769 yyerror("failed to allocate idspec");
1770 return -1;
1771 }
1772 if (set_identifier(&id->id, $2, $3) != 0) {
1773 yyerror("failed to set identifer.\n");
1774 racoon_free(id);
1775 return -1;
1776 }
1777 id->idtype = $2;
1778 genlist_append (cur_rmconf->idvl_p, id);
1779 }
1780 EOS
1781 | PEERS_IDENTIFIER IDENTIFIERTYPE IDENTIFIERQUAL identifierstring
1782 {
1783 struct idspec *id;
1784 id = newidspec();
1785 if (id == NULL) {
1786 yyerror("failed to allocate idspec");
1787 return -1;
1788 }
1789 if (set_identifier_qual(&id->id, $2, $4, $3) != 0) {
1790 yyerror("failed to set identifer.\n");
1791 racoon_free(id);
1792 return -1;
1793 }
1794 id->idtype = $2;
1795 genlist_append (cur_rmconf->idvl_p, id);
1796 }
1797 EOS
1798 | VERIFY_IDENTIFIER SWITCH { cur_rmconf->verify_identifier = $2; } EOS
1799 | NONCE_SIZE NUMBER { cur_rmconf->nonce_size = $2; } EOS
1800 | DH_GROUP
1801 {
1802 yyerror("dh_group cannot be defined here.");
1803 return -1;
1804 }
1805 dh_group_num EOS
1806 | PASSIVE SWITCH { cur_rmconf->passive = $2; } EOS
1807 | IKE_FRAG SWITCH { cur_rmconf->ike_frag = $2; } EOS
1808 | IKE_FRAG REMOTE_FORCE_LEVEL { cur_rmconf->ike_frag = ISAKMP_FRAG_FORCE; } EOS
1809 | ESP_FRAG NUMBER {
1810 #ifdef SADB_X_EXT_NAT_T_FRAG
1811 if (libipsec_opt & LIBIPSEC_OPT_FRAG)
1812 cur_rmconf->esp_frag = $2;
1813 else
1814 yywarn("libipsec lacks IKE frag support");
1815 #else
1816 yywarn("Your kernel does not support esp_frag");
1817 #endif
1818 } EOS
1819 | SCRIPT QUOTEDSTRING PHASE1_UP {
1820 if (cur_rmconf->script[SCRIPT_PHASE1_UP] != NULL)
1821 vfree(cur_rmconf->script[SCRIPT_PHASE1_UP]);
1822
1823 cur_rmconf->script[SCRIPT_PHASE1_UP] =
1824 script_path_add(vdup($2));
1825 } EOS
1826 | SCRIPT QUOTEDSTRING PHASE1_DOWN {
1827 if (cur_rmconf->script[SCRIPT_PHASE1_DOWN] != NULL)
1828 vfree(cur_rmconf->script[SCRIPT_PHASE1_DOWN]);
1829
1830 cur_rmconf->script[SCRIPT_PHASE1_DOWN] =
1831 script_path_add(vdup($2));
1832 } EOS
1833 | MODE_CFG SWITCH { cur_rmconf->mode_cfg = $2; } EOS
1834 | WEAK_PHASE1_CHECK SWITCH {
1835 cur_rmconf->weak_phase1_check = $2;
1836 } EOS
1837 | GENERATE_POLICY SWITCH { cur_rmconf->gen_policy = $2; } EOS
1838 | GENERATE_POLICY GENERATE_LEVEL { cur_rmconf->gen_policy = $2; } EOS
1839 | SUPPORT_PROXY SWITCH { cur_rmconf->support_proxy = $2; } EOS
1840 | INITIAL_CONTACT SWITCH { cur_rmconf->ini_contact = $2; } EOS
1841 | NAT_TRAVERSAL SWITCH
1842 {
1843 #ifdef ENABLE_NATT
1844 if (libipsec_opt & LIBIPSEC_OPT_NATT)
1845 cur_rmconf->nat_traversal = $2;
1846 else
1847 yyerror("libipsec lacks NAT-T support");
1848 #else
1849 yyerror("NAT-T support not compiled in.");
1850 #endif
1851 } EOS
1852 | NAT_TRAVERSAL REMOTE_FORCE_LEVEL
1853 {
1854 #ifdef ENABLE_NATT
1855 if (libipsec_opt & LIBIPSEC_OPT_NATT)
1856 cur_rmconf->nat_traversal = NATT_FORCE;
1857 else
1858 yyerror("libipsec lacks NAT-T support");
1859 #else
1860 yyerror("NAT-T support not compiled in.");
1861 #endif
1862 } EOS
1863 | DPD SWITCH
1864 {
1865 #ifdef ENABLE_DPD
1866 cur_rmconf->dpd = $2;
1867 #else
1868 yyerror("DPD support not compiled in.");
1869 #endif
1870 } EOS
1871 | DPD_DELAY NUMBER
1872 {
1873 #ifdef ENABLE_DPD
1874 cur_rmconf->dpd_interval = $2;
1875 #else
1876 yyerror("DPD support not compiled in.");
1877 #endif
1878 }
1879 EOS
1880 | DPD_RETRY NUMBER
1881 {
1882 #ifdef ENABLE_DPD
1883 cur_rmconf->dpd_retry = $2;
1884 #else
1885 yyerror("DPD support not compiled in.");
1886 #endif
1887 }
1888 EOS
1889 | DPD_MAXFAIL NUMBER
1890 {
1891 #ifdef ENABLE_DPD
1892 cur_rmconf->dpd_maxfails = $2;
1893 #else
1894 yyerror("DPD support not compiled in.");
1895 #endif
1896 }
1897 EOS
1898 | PH1ID NUMBER
1899 {
1900 cur_rmconf->ph1id = $2;
1901 }
1902 EOS
1903 | LIFETIME LIFETYPE_TIME NUMBER unittype_time
1904 {
1905 cur_rmconf->prhead->lifetime = $3 * $4;
1906 }
1907 EOS
1908 | PROPOSAL_CHECK PROPOSAL_CHECK_LEVEL { cur_rmconf->pcheck_level = $2; } EOS
1909 | LIFETIME LIFETYPE_BYTE NUMBER unittype_byte
1910 {
1911 #if 1
1912 yyerror("byte lifetime support is deprecated in Phase1");
1913 return -1;
1914 #else
1915 yywarn("the lifetime of bytes in phase 1 "
1916 "will be ignored at the moment.");
1917 cur_rmconf->prhead->lifebyte = fix_lifebyte($3 * $4);
1918 if (cur_rmconf->prhead->lifebyte == 0)
1919 return -1;
1920 #endif
1921 }
1922 EOS
1923 | PROPOSAL
1924 {
1925 struct secprotospec *spspec;
1926
1927 spspec = newspspec();
1928 if (spspec == NULL)
1929 return -1;
1930 insspspec(spspec, &cur_rmconf->prhead);
1931 }
1932 BOC isakmpproposal_specs EOC
1933 ;
1934 exchange_types
1935 : /* nothing */
1936 | exchange_types EXCHANGETYPE
1937 {
1938 struct etypes *new;
1939 new = racoon_malloc(sizeof(struct etypes));
1940 if (new == NULL) {
1941 yyerror("failed to allocate etypes");
1942 return -1;
1943 }
1944 new->type = $2;
1945 new->next = NULL;
1946 if (cur_rmconf->etypes == NULL)
1947 cur_rmconf->etypes = new;
1948 else {
1949 struct etypes *p;
1950 for (p = cur_rmconf->etypes;
1951 p->next != NULL;
1952 p = p->next)
1953 ;
1954 p->next = new;
1955 }
1956 }
1957 ;
1958 cert_spec
1959 : CERT_X509 QUOTEDSTRING QUOTEDSTRING
1960 {
1961 cur_rmconf->certtype = $1;
1962 if (cur_rmconf->mycertfile != NULL)
1963 racoon_free(cur_rmconf->mycertfile);
1964 cur_rmconf->mycertfile = racoon_strdup($2->v);
1965 STRDUP_FATAL(cur_rmconf->mycertfile);
1966 vfree($2);
1967 if (cur_rmconf->myprivfile != NULL)
1968 racoon_free(cur_rmconf->myprivfile);
1969 cur_rmconf->myprivfile = racoon_strdup($3->v);
1970 STRDUP_FATAL(cur_rmconf->myprivfile);
1971 vfree($3);
1972 }
1973 EOS
1974 | CERT_PLAINRSA QUOTEDSTRING
1975 {
1976 char path[MAXPATHLEN];
1977 int ret = 0;
1978
1979 getpathname(path, sizeof(path),
1980 LC_PATHTYPE_CERT, $2->v);
1981 vfree($2);
1982
1983 cur_rmconf->certtype = $1;
1984 cur_rmconf->send_cr = FALSE;
1985 cur_rmconf->send_cert = FALSE;
1986 cur_rmconf->verify_cert = FALSE;
1987 if (rsa_parse_file(cur_rmconf->rsa_private, path, RSA_TYPE_PRIVATE)) {
1988 yyerror("Couldn't parse keyfile.\n", path);
1989 return -1;
1990 }
1991 plog(LLV_DEBUG, LOCATION, NULL, "Private PlainRSA keyfile parsed: %s\n", path);
1992 }
1993 EOS
1994 ;
1995 dh_group_num
1996 : ALGORITHMTYPE
1997 {
1998 $$ = algtype2doi(algclass_isakmp_dh, $1);
1999 if ($$ == -1) {
2000 yyerror("must be DH group");
2001 return -1;
2002 }
2003 }
2004 | NUMBER
2005 {
2006 if (ARRAYLEN(num2dhgroup) > $1 && num2dhgroup[$1] != 0) {
2007 $$ = num2dhgroup[$1];
2008 } else {
2009 yyerror("must be DH group");
2010 $$ = 0;
2011 return -1;
2012 }
2013 }
2014 ;
2015 identifierstring
2016 : /* nothing */ { $$ = NULL; }
2017 | ADDRSTRING { $$ = $1; }
2018 | QUOTEDSTRING { $$ = $1; }
2019 ;
2020 isakmpproposal_specs
2021 : /* nothing */
2022 | isakmpproposal_specs isakmpproposal_spec
2023 ;
2024 isakmpproposal_spec
2025 : STRENGTH
2026 {
2027 yyerror("strength directive is obsoleted.");
2028 } STRENGTHTYPE EOS
2029 | LIFETIME LIFETYPE_TIME NUMBER unittype_time
2030 {
2031 cur_rmconf->prhead->spspec->lifetime = $3 * $4;
2032 }
2033 EOS
2034 | LIFETIME LIFETYPE_BYTE NUMBER unittype_byte
2035 {
2036 #if 1
2037 yyerror("byte lifetime support is deprecated");
2038 return -1;
2039 #else
2040 cur_rmconf->prhead->spspec->lifebyte = fix_lifebyte($3 * $4);
2041 if (cur_rmconf->prhead->spspec->lifebyte == 0)
2042 return -1;
2043 #endif
2044 }
2045 EOS
2046 | DH_GROUP dh_group_num
2047 {
2048 cur_rmconf->prhead->spspec->algclass[algclass_isakmp_dh] = $2;
2049 }
2050 EOS
2051 | GSS_ID QUOTEDSTRING
2052 {
2053 if (cur_rmconf->prhead->spspec->vendorid != VENDORID_GSSAPI) {
2054 yyerror("wrong Vendor ID for gssapi_id");
2055 return -1;
2056 }
2057 if (cur_rmconf->prhead->spspec->gssid != NULL)
2058 racoon_free(cur_rmconf->prhead->spspec->gssid);
2059 cur_rmconf->prhead->spspec->gssid =
2060 racoon_strdup($2->v);
2061 STRDUP_FATAL(cur_rmconf->prhead->spspec->gssid);
2062 }
2063 EOS
2064 | ALGORITHM_CLASS ALGORITHMTYPE keylength
2065 {
2066 int doi;
2067 int defklen;
2068
2069 doi = algtype2doi($1, $2);
2070 if (doi == -1) {
2071 yyerror("algorithm mismatched 1");
2072 return -1;
2073 }
2074
2075 switch ($1) {
2076 case algclass_isakmp_enc:
2077 /* reject suppressed algorithms */
2078 #ifndef HAVE_OPENSSL_RC5_H
2079 if ($2 == algtype_rc5) {
2080 yyerror("algorithm %s not supported",
2081 s_attr_isakmp_enc(doi));
2082 return -1;
2083 }
2084 #endif
2085 #ifndef HAVE_OPENSSL_IDEA_H
2086 if ($2 == algtype_idea) {
2087 yyerror("algorithm %s not supported",
2088 s_attr_isakmp_enc(doi));
2089 return -1;
2090 }
2091 #endif
2092
2093 cur_rmconf->prhead->spspec->algclass[algclass_isakmp_enc] = doi;
2094 defklen = default_keylen($1, $2);
2095 if (defklen == 0) {
2096 if ($3) {
2097 yyerror("keylen not allowed");
2098 return -1;
2099 }
2100 } else {
2101 if ($3 && check_keylen($1, $2, $3) < 0) {
2102 yyerror("invalid keylen %d", $3);
2103 return -1;
2104 }
2105 }
2106 if ($3)
2107 cur_rmconf->prhead->spspec->encklen = $3;
2108 else
2109 cur_rmconf->prhead->spspec->encklen = defklen;
2110 break;
2111 case algclass_isakmp_hash:
2112 cur_rmconf->prhead->spspec->algclass[algclass_isakmp_hash] = doi;
2113 break;
2114 case algclass_isakmp_ameth:
2115 cur_rmconf->prhead->spspec->algclass[algclass_isakmp_ameth] = doi;
2116 /*
2117 * We may have to set the Vendor ID for the
2118 * authentication method we're using.
2119 */
2120 switch ($2) {
2121 case algtype_gssapikrb:
2122 if (cur_rmconf->prhead->spspec->vendorid !=
2123 VENDORID_UNKNOWN) {
2124 yyerror("Vendor ID mismatch "
2125 "for auth method");
2126 return -1;
2127 }
2128 /*
2129 * For interoperability with Win2k,
2130 * we set the Vendor ID to "GSSAPI".
2131 */
2132 cur_rmconf->prhead->spspec->vendorid =
2133 VENDORID_GSSAPI;
2134 break;
2135 case algtype_rsasig:
2136 if (cur_rmconf->certtype == ISAKMP_CERT_PLAINRSA) {
2137 if (rsa_list_count(cur_rmconf->rsa_private) == 0) {
2138 yyerror ("Private PlainRSA key not set. "
2139 "Use directive 'certificate_type plainrsa ...'\n");
2140 return -1;
2141 }
2142 if (rsa_list_count(cur_rmconf->rsa_public) == 0) {
2143 yyerror ("Public PlainRSA keys not set. "
2144 "Use directive 'peers_certfile plainrsa ...'\n");
2145 return -1;
2146 }
2147 }
2148 break;
2149 default:
2150 break;
2151 }
2152 break;
2153 default:
2154 yyerror("algorithm mismatched 2");
2155 return -1;
2156 }
2157 }
2158 EOS
2159 ;
2160
2161 unittype_time
2162 : UNITTYPE_SEC { $$ = 1; }
2163 | UNITTYPE_MIN { $$ = 60; }
2164 | UNITTYPE_HOUR { $$ = (60 * 60); }
2165 ;
2166 unittype_byte
2167 : UNITTYPE_BYTE { $$ = 1; }
2168 | UNITTYPE_KBYTES { $$ = 1024; }
2169 | UNITTYPE_MBYTES { $$ = (1024 * 1024); }
2170 | UNITTYPE_TBYTES { $$ = (1024 * 1024 * 1024); }
2171 ;
2172 %%
2173
2174 static struct proposalspec *
2175 newprspec()
2176 {
2177 struct proposalspec *new;
2178
2179 new = racoon_calloc(1, sizeof(*new));
2180 if (new == NULL)
2181 yyerror("failed to allocate proposal");
2182
2183 return new;
2184 }
2185
2186 /*
2187 * insert into head of list.
2188 */
2189 static void
insprspec(prspec,head)2190 insprspec(prspec, head)
2191 struct proposalspec *prspec;
2192 struct proposalspec **head;
2193 {
2194 if (*head != NULL)
2195 (*head)->prev = prspec;
2196 prspec->next = *head;
2197 *head = prspec;
2198 }
2199
2200 static struct secprotospec *
newspspec()2201 newspspec()
2202 {
2203 struct secprotospec *new;
2204
2205 new = racoon_calloc(1, sizeof(*new));
2206 if (new == NULL) {
2207 yyerror("failed to allocate spproto");
2208 return NULL;
2209 }
2210
2211 new->encklen = 0; /*XXX*/
2212
2213 /*
2214 * Default to "uknown" vendor -- we will override this
2215 * as necessary. When we send a Vendor ID payload, an
2216 * "unknown" will be translated to a KAME/racoon ID.
2217 */
2218 new->vendorid = VENDORID_UNKNOWN;
2219
2220 return new;
2221 }
2222
2223 /*
2224 * insert into head of list.
2225 */
2226 static void
insspspec(spspec,head)2227 insspspec(spspec, head)
2228 struct secprotospec *spspec;
2229 struct proposalspec **head;
2230 {
2231 spspec->back = *head;
2232
2233 if ((*head)->spspec != NULL)
2234 (*head)->spspec->prev = spspec;
2235 spspec->next = (*head)->spspec;
2236 (*head)->spspec = spspec;
2237 }
2238
2239 /* set final acceptable proposal */
2240 static int
set_isakmp_proposal(rmconf,prspec)2241 set_isakmp_proposal(rmconf, prspec)
2242 struct remoteconf *rmconf;
2243 struct proposalspec *prspec;
2244 {
2245 struct proposalspec *p;
2246 struct secprotospec *s;
2247 int prop_no = 1;
2248 int trns_no = 1;
2249 int32_t types[MAXALGCLASS];
2250
2251 p = prspec;
2252 if (p->next != 0) {
2253 plog(LLV_ERROR, LOCATION, NULL,
2254 "multiple proposal definition.\n");
2255 return -1;
2256 }
2257
2258 /* mandatory check */
2259 if (p->spspec == NULL) {
2260 yyerror("no remote specification found: %s.\n",
2261 saddr2str(rmconf->remote));
2262 return -1;
2263 }
2264 for (s = p->spspec; s != NULL; s = s->next) {
2265 /* XXX need more to check */
2266 if (s->algclass[algclass_isakmp_enc] == 0) {
2267 yyerror("encryption algorithm required.");
2268 return -1;
2269 }
2270 if (s->algclass[algclass_isakmp_hash] == 0) {
2271 yyerror("hash algorithm required.");
2272 return -1;
2273 }
2274 if (s->algclass[algclass_isakmp_dh] == 0) {
2275 yyerror("DH group required.");
2276 return -1;
2277 }
2278 if (s->algclass[algclass_isakmp_ameth] == 0) {
2279 yyerror("authentication method required.");
2280 return -1;
2281 }
2282 }
2283
2284 /* skip to last part */
2285 for (s = p->spspec; s->next != NULL; s = s->next)
2286 ;
2287
2288 while (s != NULL) {
2289 plog(LLV_DEBUG2, LOCATION, NULL,
2290 "lifetime = %ld\n", (long)
2291 (s->lifetime ? s->lifetime : p->lifetime));
2292 plog(LLV_DEBUG2, LOCATION, NULL,
2293 "lifebyte = %d\n",
2294 s->lifebyte ? s->lifebyte : p->lifebyte);
2295 plog(LLV_DEBUG2, LOCATION, NULL,
2296 "encklen=%d\n", s->encklen);
2297
2298 memset(types, 0, ARRAYLEN(types));
2299 types[algclass_isakmp_enc] = s->algclass[algclass_isakmp_enc];
2300 types[algclass_isakmp_hash] = s->algclass[algclass_isakmp_hash];
2301 types[algclass_isakmp_dh] = s->algclass[algclass_isakmp_dh];
2302 types[algclass_isakmp_ameth] =
2303 s->algclass[algclass_isakmp_ameth];
2304
2305 /* expanding spspec */
2306 clean_tmpalgtype();
2307 trns_no = expand_isakmpspec(prop_no, trns_no, types,
2308 algclass_isakmp_enc, algclass_isakmp_ameth + 1,
2309 s->lifetime ? s->lifetime : p->lifetime,
2310 s->lifebyte ? s->lifebyte : p->lifebyte,
2311 s->encklen, s->vendorid, s->gssid,
2312 rmconf);
2313 if (trns_no == -1) {
2314 plog(LLV_ERROR, LOCATION, NULL,
2315 "failed to expand isakmp proposal.\n");
2316 return -1;
2317 }
2318
2319 s = s->prev;
2320 }
2321
2322 if (rmconf->proposal == NULL) {
2323 plog(LLV_ERROR, LOCATION, NULL,
2324 "no proposal found.\n");
2325 return -1;
2326 }
2327
2328 return 0;
2329 }
2330
2331 static void
clean_tmpalgtype()2332 clean_tmpalgtype()
2333 {
2334 int i;
2335 for (i = 0; i < MAXALGCLASS; i++)
2336 tmpalgtype[i] = 0; /* means algorithm undefined. */
2337 }
2338
2339 static int
expand_isakmpspec(prop_no,trns_no,types,class,last,lifetime,lifebyte,encklen,vendorid,gssid,rmconf)2340 expand_isakmpspec(prop_no, trns_no, types,
2341 class, last, lifetime, lifebyte, encklen, vendorid, gssid,
2342 rmconf)
2343 int prop_no, trns_no;
2344 int *types, class, last;
2345 time_t lifetime;
2346 int lifebyte;
2347 int encklen;
2348 int vendorid;
2349 char *gssid;
2350 struct remoteconf *rmconf;
2351 {
2352 struct isakmpsa *new;
2353
2354 /* debugging */
2355 {
2356 int j;
2357 char tb[10];
2358 plog(LLV_DEBUG2, LOCATION, NULL,
2359 "p:%d t:%d\n", prop_no, trns_no);
2360 for (j = class; j < MAXALGCLASS; j++) {
2361 snprintf(tb, sizeof(tb), "%d", types[j]);
2362 plog(LLV_DEBUG2, LOCATION, NULL,
2363 "%s%s%s%s\n",
2364 s_algtype(j, types[j]),
2365 types[j] ? "(" : "",
2366 tb[0] == '0' ? "" : tb,
2367 types[j] ? ")" : "");
2368 }
2369 plog(LLV_DEBUG2, LOCATION, NULL, "\n");
2370 }
2371
2372 #define TMPALGTYPE2STR(n) \
2373 s_algtype(algclass_isakmp_##n, types[algclass_isakmp_##n])
2374 /* check mandatory values */
2375 if (types[algclass_isakmp_enc] == 0
2376 || types[algclass_isakmp_ameth] == 0
2377 || types[algclass_isakmp_hash] == 0
2378 || types[algclass_isakmp_dh] == 0) {
2379 yyerror("few definition of algorithm "
2380 "enc=%s ameth=%s hash=%s dhgroup=%s.\n",
2381 TMPALGTYPE2STR(enc),
2382 TMPALGTYPE2STR(ameth),
2383 TMPALGTYPE2STR(hash),
2384 TMPALGTYPE2STR(dh));
2385 return -1;
2386 }
2387 #undef TMPALGTYPE2STR
2388
2389 /* set new sa */
2390 new = newisakmpsa();
2391 if (new == NULL) {
2392 yyerror("failed to allocate isakmp sa");
2393 return -1;
2394 }
2395 new->prop_no = prop_no;
2396 new->trns_no = trns_no++;
2397 new->lifetime = lifetime;
2398 new->lifebyte = lifebyte;
2399 new->enctype = types[algclass_isakmp_enc];
2400 new->encklen = encklen;
2401 new->authmethod = types[algclass_isakmp_ameth];
2402 new->hashtype = types[algclass_isakmp_hash];
2403 new->dh_group = types[algclass_isakmp_dh];
2404 new->vendorid = vendorid;
2405 #ifdef HAVE_GSSAPI
2406 if (new->authmethod == OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB) {
2407 if (gssid != NULL) {
2408 if ((new->gssid = vmalloc(strlen(gssid))) == NULL) {
2409 racoon_free(new);
2410 yyerror("failed to allocate gssid");
2411 return -1;
2412 }
2413 memcpy(new->gssid->v, gssid, new->gssid->l);
2414 racoon_free(gssid);
2415 #ifdef ENABLE_HYBRID
2416 } else if (rmconf->xauth == NULL) {
2417 #else
2418 } else {
2419 #endif
2420 /*
2421 * Allocate the default ID so that it gets put
2422 * into a GSS ID attribute during the Phase 1
2423 * exchange.
2424 */
2425 new->gssid = gssapi_get_default_gss_id();
2426 }
2427 }
2428 #endif
2429 insisakmpsa(new, rmconf);
2430
2431 return trns_no;
2432 }
2433
2434 static int
listen_addr(struct sockaddr * addr,int udp_encap)2435 listen_addr (struct sockaddr *addr, int udp_encap)
2436 {
2437 struct myaddrs *p;
2438
2439 p = newmyaddr();
2440 if (p == NULL) {
2441 yyerror("failed to allocate myaddrs");
2442 return -1;
2443 }
2444 p->addr = addr;
2445 if (p->addr == NULL) {
2446 yyerror("failed to copy sockaddr ");
2447 delmyaddr(p);
2448 return -1;
2449 }
2450 p->udp_encap = udp_encap;
2451
2452 insmyaddr(p, &lcconf->myaddrs);
2453
2454 lcconf->autograbaddr = 0;
2455 return 0;
2456 }
2457
2458 #if 0
2459 /*
2460 * fix lifebyte.
2461 * Must be more than 1024B because its unit is kilobytes.
2462 * That is defined RFC2407.
2463 */
2464 static int
2465 fix_lifebyte(t)
2466 unsigned long t;
2467 {
2468 if (t < 1024) {
2469 yyerror("byte size should be more than 1024B.");
2470 return 0;
2471 }
2472
2473 return(t / 1024);
2474 }
2475 #endif
2476
2477 int
cfparse()2478 cfparse()
2479 {
2480 int error;
2481
2482 yycf_init_buffer();
2483
2484 if (yycf_switch_buffer(lcconf->racoon_conf) != 0) {
2485 plog(LLV_ERROR, LOCATION, NULL,
2486 "could not read configuration file \"%s\"\n",
2487 lcconf->racoon_conf);
2488 return -1;
2489 }
2490
2491 error = yyparse();
2492 if (error != 0) {
2493 if (yyerrorcount) {
2494 plog(LLV_ERROR, LOCATION, NULL,
2495 "fatal parse failure (%d errors)\n",
2496 yyerrorcount);
2497 } else {
2498 plog(LLV_ERROR, LOCATION, NULL,
2499 "fatal parse failure.\n");
2500 }
2501 return -1;
2502 }
2503
2504 if (error == 0 && yyerrorcount) {
2505 plog(LLV_ERROR, LOCATION, NULL,
2506 "parse error is nothing, but yyerrorcount is %d.\n",
2507 yyerrorcount);
2508 exit(1);
2509 }
2510
2511 yycf_clean_buffer();
2512
2513 plog(LLV_DEBUG2, LOCATION, NULL, "parse successed.\n");
2514
2515 return 0;
2516 }
2517
2518 int
cfreparse()2519 cfreparse()
2520 {
2521 flushph2();
2522 flushph1();
2523 flushrmconf();
2524 flushsainfo();
2525 clean_tmpalgtype();
2526 return(cfparse());
2527 }
2528
2529 #ifdef ENABLE_ADMINPORT
2530 static void
adminsock_conf(path,owner,group,mode_dec)2531 adminsock_conf(path, owner, group, mode_dec)
2532 vchar_t *path;
2533 vchar_t *owner;
2534 vchar_t *group;
2535 int mode_dec;
2536 {
2537 struct passwd *pw = NULL;
2538 struct group *gr = NULL;
2539 mode_t mode = 0;
2540 uid_t uid;
2541 gid_t gid;
2542 int isnum;
2543
2544 adminsock_path = path->v;
2545
2546 if (owner == NULL)
2547 return;
2548
2549 errno = 0;
2550 uid = atoi(owner->v);
2551 isnum = !errno;
2552 if (((pw = getpwnam(owner->v)) == NULL) && !isnum)
2553 yyerror("User \"%s\" does not exist", owner->v);
2554
2555 if (pw)
2556 adminsock_owner = pw->pw_uid;
2557 else
2558 adminsock_owner = uid;
2559
2560 if (group == NULL)
2561 return;
2562
2563 errno = 0;
2564 gid = atoi(group->v);
2565 isnum = !errno;
2566 if (((gr = getgrnam(group->v)) == NULL) && !isnum)
2567 yyerror("Group \"%s\" does not exist", group->v);
2568
2569 if (gr)
2570 adminsock_group = gr->gr_gid;
2571 else
2572 adminsock_group = gid;
2573
2574 if (mode_dec == -1)
2575 return;
2576
2577 if (mode_dec > 777)
2578 yyerror("Mode 0%03o is invalid", mode_dec);
2579 if (mode_dec >= 400) { mode += 0400; mode_dec -= 400; }
2580 if (mode_dec >= 200) { mode += 0200; mode_dec -= 200; }
2581 if (mode_dec >= 100) { mode += 0200; mode_dec -= 100; }
2582
2583 if (mode_dec > 77)
2584 yyerror("Mode 0%03o is invalid", mode_dec);
2585 if (mode_dec >= 40) { mode += 040; mode_dec -= 40; }
2586 if (mode_dec >= 20) { mode += 020; mode_dec -= 20; }
2587 if (mode_dec >= 10) { mode += 020; mode_dec -= 10; }
2588
2589 if (mode_dec > 7)
2590 yyerror("Mode 0%03o is invalid", mode_dec);
2591 if (mode_dec >= 4) { mode += 04; mode_dec -= 4; }
2592 if (mode_dec >= 2) { mode += 02; mode_dec -= 2; }
2593 if (mode_dec >= 1) { mode += 02; mode_dec -= 1; }
2594
2595 adminsock_mode = mode;
2596
2597 return;
2598 }
2599 #endif
2600