search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
No empty .Rs/.Re
[netbsd-mini2440.git] / crypto / dist / ipsec-tools / src / racoon / cfparse.y
blob5d8baf8aa4ae4247238b18a1b8fbb3810de46d65
1 /* $NetBSD: cfparse.y,v 1.36 2009/01/23 08:23:51 tteras Exp $ */
2
3 /* Id: cfparse.y,v 1.66 2006/08/22 18:17:17 manubsd Exp */
4
5 %{
6 /*
7 * Copyright (C) 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002 and 2003 WIDE Project.
8 * All rights reserved.
9 *
10 * Redistribution and use in source and binary forms, with or without
11 * modification, are permitted provided that the following conditions
12 * are met:
13 * 1. Redistributions of source code must retain the above copyright
14 * notice, this list of conditions and the following disclaimer.
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in the
17 * documentation and/or other materials provided with the distribution.
18 * 3. Neither the name of the project nor the names of its contributors
19 * may be used to endorse or promote products derived from this software
20 * without specific prior written permission.
21 *
22 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
23 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
24 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
25 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
26 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
27 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
28 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
29 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
30 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
31 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
32 * SUCH DAMAGE.
33 */
34
35 #include "config.h"
36
37 #include <sys/types.h>
38 #include <sys/param.h>
39 #include <sys/queue.h>
40 #include <sys/socket.h>
41
42 #include <netinet/in.h>
43 #include PATH_IPSEC_H
44
45 #ifdef ENABLE_HYBRID
46 #include <arpa/inet.h>
47 #endif
48
49 #include <stdlib.h>
50 #include <stdio.h>
51 #include <string.h>
52 #include <errno.h>
53 #include <netdb.h>
54 #include <pwd.h>
55 #include <grp.h>
56
57 #include "var.h"
58 #include "misc.h"
59 #include "vmbuf.h"
60 #include "plog.h"
61 #include "sockmisc.h"
62 #include "str2val.h"
63 #include "genlist.h"
64 #include "debug.h"
65
66 #include "admin.h"
67 #include "privsep.h"
68 #include "cfparse_proto.h"
69 #include "cftoken_proto.h"
70 #include "algorithm.h"
71 #include "localconf.h"
72 #include "policy.h"
73 #include "sainfo.h"
74 #include "oakley.h"
75 #include "pfkey.h"
76 #include "remoteconf.h"
77 #include "grabmyaddr.h"
78 #include "isakmp_var.h"
79 #include "handler.h"
80 #include "isakmp.h"
81 #include "nattraversal.h"
82 #include "isakmp_frag.h"
83 #ifdef ENABLE_HYBRID
84 #include "resolv.h"
85 #include "isakmp_unity.h"
86 #include "isakmp_xauth.h"
87 #include "isakmp_cfg.h"
88 #endif
89 #include "ipsec_doi.h"
90 #include "strnames.h"
91 #include "gcmalloc.h"
92 #ifdef HAVE_GSSAPI
93 #include "gssapi.h"
94 #endif
95 #include "vendorid.h"
96 #include "rsalist.h"
97 #include "crypto_openssl.h"
98
99 struct secprotospec {
100 int prop_no;
101 int trns_no;
102 int strength; /* for isakmp/ipsec */
103 int encklen; /* for isakmp/ipsec */
104 time_t lifetime; /* for isakmp */
105 int lifebyte; /* for isakmp */
106 int proto_id; /* for ipsec (isakmp?) */
107 int ipsec_level; /* for ipsec */
108 int encmode; /* for ipsec */
109 int vendorid; /* for isakmp */
110 char *gssid;
111 struct sockaddr *remote;
112 int algclass[MAXALGCLASS];
113
114 struct secprotospec *next; /* the tail is the most prefiered. */
115 struct secprotospec *prev;
116 };
117
118 static int num2dhgroup[] = {
119 0,
120 OAKLEY_ATTR_GRP_DESC_MODP768,
121 OAKLEY_ATTR_GRP_DESC_MODP1024,
122 OAKLEY_ATTR_GRP_DESC_EC2N155,
123 OAKLEY_ATTR_GRP_DESC_EC2N185,
124 OAKLEY_ATTR_GRP_DESC_MODP1536,
125 0,
126 0,
127 0,
128 0,
129 0,
130 0,
131 0,
132 0,
133 OAKLEY_ATTR_GRP_DESC_MODP2048,
134 OAKLEY_ATTR_GRP_DESC_MODP3072,
135 OAKLEY_ATTR_GRP_DESC_MODP4096,
136 OAKLEY_ATTR_GRP_DESC_MODP6144,
137 OAKLEY_ATTR_GRP_DESC_MODP8192
138 };
139
140 static struct remoteconf *cur_rmconf;
141 static int tmpalgtype[MAXALGCLASS];
142 static struct sainfo *cur_sainfo;
143 static int cur_algclass;
144 static int oldloglevel = LLV_BASE;
145
146 static struct secprotospec *newspspec __P((void));
147 static void insspspec __P((struct remoteconf *, struct secprotospec *));
148 static void adminsock_conf __P((vchar_t *, vchar_t *, vchar_t *, int));
149
150 static int set_isakmp_proposal __P((struct remoteconf *));
151 static void clean_tmpalgtype __P((void));
152 static int expand_isakmpspec __P((int, int, int *,
153 int, int, time_t, int, int, int, char *, struct remoteconf *));
154
155 void freeetypes (struct etypes **etypes);
156
157 static int load_x509(const char *file, char **filenameptr,
158 vchar_t **certptr)
159 {
160 char path[PATH_MAX];
161
162 getpathname(path, sizeof(path), LC_PATHTYPE_CERT, file);
163 *certptr = eay_get_x509cert(path);
164 if (*certptr == NULL)
165 return -1;
166
167 *filenameptr = racoon_strdup(file);
168 STRDUP_FATAL(*filenameptr);
169
170 return 0;
171 }
172
173 %}
174
175 %union {
176 unsigned long num;
177 vchar_t *val;
178 struct remoteconf *rmconf;
179 struct sockaddr *saddr;
180 struct sainfoalg *alg;
181 }
182
183 /* privsep */
184 %token PRIVSEP USER GROUP CHROOT
185 /* path */
186 %token PATH PATHTYPE
187 /* include */
188 %token INCLUDE
189 /* PFKEY_BUFFER */
190 %token PFKEY_BUFFER
191 /* logging */
192 %token LOGGING LOGLEV
193 /* padding */
194 %token PADDING PAD_RANDOMIZE PAD_RANDOMIZELEN PAD_MAXLEN PAD_STRICT PAD_EXCLTAIL
195 /* listen */
196 %token LISTEN X_ISAKMP X_ISAKMP_NATT X_ADMIN STRICT_ADDRESS ADMINSOCK DISABLED
197 /* ldap config */
198 %token LDAPCFG LDAP_HOST LDAP_PORT LDAP_PVER LDAP_BASE LDAP_BIND_DN LDAP_BIND_PW LDAP_SUBTREE
199 %token LDAP_ATTR_USER LDAP_ATTR_ADDR LDAP_ATTR_MASK LDAP_ATTR_GROUP LDAP_ATTR_MEMBER
200 /* radius config */
201 %token RADCFG RAD_AUTH RAD_ACCT RAD_TIMEOUT RAD_RETRIES
202 /* modecfg */
203 %token MODECFG CFG_NET4 CFG_MASK4 CFG_DNS4 CFG_NBNS4 CFG_DEFAULT_DOMAIN
204 %token CFG_AUTH_SOURCE CFG_AUTH_GROUPS CFG_SYSTEM CFG_RADIUS CFG_PAM CFG_LDAP CFG_LOCAL CFG_NONE
205 %token CFG_GROUP_SOURCE CFG_ACCOUNTING CFG_CONF_SOURCE CFG_MOTD CFG_POOL_SIZE CFG_AUTH_THROTTLE
206 %token CFG_SPLIT_NETWORK CFG_SPLIT_LOCAL CFG_SPLIT_INCLUDE CFG_SPLIT_DNS
207 %token CFG_PFS_GROUP CFG_SAVE_PASSWD
208
209 /* timer */
210 %token RETRY RETRY_COUNTER RETRY_INTERVAL RETRY_PERSEND
211 %token RETRY_PHASE1 RETRY_PHASE2 NATT_KA
212 /* algorithm */
213 %token ALGORITHM_CLASS ALGORITHMTYPE STRENGTHTYPE
214 /* sainfo */
215 %token SAINFO FROM
216 /* remote */
217 %token REMOTE ANONYMOUS CLIENTADDR INHERIT REMOTE_ADDRESS
218 %token EXCHANGE_MODE EXCHANGETYPE DOI DOITYPE SITUATION SITUATIONTYPE
219 %token CERTIFICATE_TYPE CERTTYPE PEERS_CERTFILE CA_TYPE
220 %token VERIFY_CERT SEND_CERT SEND_CR MATCH_EMPTY_CR
221 %token IDENTIFIERTYPE IDENTIFIERQUAL MY_IDENTIFIER
222 %token PEERS_IDENTIFIER VERIFY_IDENTIFIER
223 %token DNSSEC CERT_X509 CERT_PLAINRSA
224 %token NONCE_SIZE DH_GROUP KEEPALIVE PASSIVE INITIAL_CONTACT
225 %token NAT_TRAVERSAL REMOTE_FORCE_LEVEL
226 %token PROPOSAL_CHECK PROPOSAL_CHECK_LEVEL
227 %token GENERATE_POLICY GENERATE_LEVEL SUPPORT_PROXY
228 %token PROPOSAL
229 %token EXEC_PATH EXEC_COMMAND EXEC_SUCCESS EXEC_FAILURE
230 %token GSS_ID GSS_ID_ENC GSS_ID_ENCTYPE
231 %token COMPLEX_BUNDLE
232 %token DPD DPD_DELAY DPD_RETRY DPD_MAXFAIL
233 %token PH1ID
234 %token XAUTH_LOGIN WEAK_PHASE1_CHECK
235 %token REKEY
236
237 %token PREFIX PORT PORTANY UL_PROTO ANY IKE_FRAG ESP_FRAG MODE_CFG
238 %token PFS_GROUP LIFETIME LIFETYPE_TIME LIFETYPE_BYTE STRENGTH REMOTEID
239
240 %token SCRIPT PHASE1_UP PHASE1_DOWN
241
242 %token NUMBER SWITCH BOOLEAN
243 %token HEXSTRING QUOTEDSTRING ADDRSTRING ADDRRANGE
244 %token UNITTYPE_BYTE UNITTYPE_KBYTES UNITTYPE_MBYTES UNITTYPE_TBYTES
245 %token UNITTYPE_SEC UNITTYPE_MIN UNITTYPE_HOUR
246 %token EOS BOC EOC COMMA
247
248 %type <num> NUMBER BOOLEAN SWITCH keylength
249 %type <num> PATHTYPE IDENTIFIERTYPE IDENTIFIERQUAL LOGLEV GSS_ID_ENCTYPE
250 %type <num> ALGORITHM_CLASS dh_group_num
251 %type <num> ALGORITHMTYPE STRENGTHTYPE
252 %type <num> PREFIX prefix PORT port ike_port
253 %type <num> ul_proto UL_PROTO
254 %type <num> EXCHANGETYPE DOITYPE SITUATIONTYPE
255 %type <num> CERTTYPE CERT_X509 CERT_PLAINRSA PROPOSAL_CHECK_LEVEL REMOTE_FORCE_LEVEL GENERATE_LEVEL
256 %type <num> unittype_time unittype_byte
257 %type <val> QUOTEDSTRING HEXSTRING ADDRSTRING ADDRRANGE sainfo_id
258 %type <val> identifierstring
259 %type <saddr> remote_index ike_addrinfo_port
260 %type <alg> algorithm
261
262 %%
263
264 statements
265 : /* nothing */
266 | statements statement
267 ;
268 statement
269 : privsep_statement
270 | path_statement
271 | include_statement
272 | pfkey_statement
273 | gssenc_statement
274 | logging_statement
275 | padding_statement
276 | listen_statement
277 | ldapcfg_statement
278 | radcfg_statement
279 | modecfg_statement
280 | timer_statement
281 | sainfo_statement
282 | remote_statement
283 | special_statement
284 ;
285
286 /* privsep */
287 privsep_statement
288 : PRIVSEP BOC privsep_stmts EOC
289 ;
290 privsep_stmts
291 : /* nothing */
292 | privsep_stmts privsep_stmt
293 ;
294 privsep_stmt
295 : USER QUOTEDSTRING
296 {
297 struct passwd *pw;
298
299 if ((pw = getpwnam($2->v)) == NULL) {
300 yyerror("unknown user \"%s\"", $2->v);
301 return -1;
302 }
303 lcconf->uid = pw->pw_uid;
304 }
305 EOS
306 | USER NUMBER { lcconf->uid = $2; } EOS
307 | GROUP QUOTEDSTRING
308 {
309 struct group *gr;
310
311 if ((gr = getgrnam($2->v)) == NULL) {
312 yyerror("unknown group \"%s\"", $2->v);
313 return -1;
314 }
315 lcconf->gid = gr->gr_gid;
316 }
317 EOS
318 | GROUP NUMBER { lcconf->gid = $2; } EOS
319 | CHROOT QUOTEDSTRING { lcconf->chroot = $2->v; } EOS
320 ;
321
322 /* path */
323 path_statement
324 : PATH PATHTYPE QUOTEDSTRING
325 {
326 if ($2 >= LC_PATHTYPE_MAX) {
327 yyerror("invalid path type %d", $2);
328 return -1;
329 }
330
331 /* free old pathinfo */
332 if (lcconf->pathinfo[$2])
333 racoon_free(lcconf->pathinfo[$2]);
334
335 /* set new pathinfo */
336 lcconf->pathinfo[$2] = racoon_strdup($3->v);
337 STRDUP_FATAL(lcconf->pathinfo[$2]);
338 vfree($3);
339 }
340 EOS
341 ;
342
343 /* special */
344 special_statement
345 : COMPLEX_BUNDLE SWITCH { lcconf->complex_bundle = $2; } EOS
346 ;
347
348 /* include */
349 include_statement
350 : INCLUDE QUOTEDSTRING EOS
351 {
352 char path[MAXPATHLEN];
353
354 getpathname(path, sizeof(path),
355 LC_PATHTYPE_INCLUDE, $2->v);
356 vfree($2);
357 if (yycf_switch_buffer(path) != 0)
358 return -1;
359 }
360 ;
361
362 /* pfkey_buffer */
363 pfkey_statement
364 : PFKEY_BUFFER NUMBER EOS
365 {
366 lcconf->pfkey_buffer_size = $2;
367 }
368 ;
369 /* gss_id_enc */
370 gssenc_statement
371 : GSS_ID_ENC GSS_ID_ENCTYPE EOS
372 {
373 if ($2 >= LC_GSSENC_MAX) {
374 yyerror("invalid GSS ID encoding %d", $2);
375 return -1;
376 }
377 lcconf->gss_id_enc = $2;
378 }
379 ;
380
381 /* logging */
382 logging_statement
383 : LOGGING log_level EOS
384 ;
385 log_level
386 : LOGLEV
387 {
388 /*
389 * set the loglevel to the value specified
390 * in the configuration file plus the number
391 * of -d options specified on the command line
392 */
393 loglevel += $1 - oldloglevel;
394 oldloglevel = $1;
395 }
396 ;
397
398 /* padding */
399 padding_statement
400 : PADDING BOC padding_stmts EOC
401 ;
402 padding_stmts
403 : /* nothing */
404 | padding_stmts padding_stmt
405 ;
406 padding_stmt
407 : PAD_RANDOMIZE SWITCH { lcconf->pad_random = $2; } EOS
408 | PAD_RANDOMIZELEN SWITCH { lcconf->pad_randomlen = $2; } EOS
409 | PAD_MAXLEN NUMBER { lcconf->pad_maxsize = $2; } EOS
410 | PAD_STRICT SWITCH { lcconf->pad_strict = $2; } EOS
411 | PAD_EXCLTAIL SWITCH { lcconf->pad_excltail = $2; } EOS
412 ;
413
414 /* listen */
415 listen_statement
416 : LISTEN BOC listen_stmts EOC
417 ;
418 listen_stmts
419 : /* nothing */
420 | listen_stmts listen_stmt
421 ;
422 listen_stmt
423 : X_ISAKMP ike_addrinfo_port
424 {
425 myaddr_listen($2, FALSE);
426 }
427 EOS
428 | X_ISAKMP_NATT ike_addrinfo_port
429 {
430 #ifdef ENABLE_NATT
431 myaddr_listen($2, TRUE);
432 #else
433 yyerror("NAT-T support not compiled in.");
434 #endif
435 }
436 EOS
437 | ADMINSOCK QUOTEDSTRING QUOTEDSTRING QUOTEDSTRING NUMBER
438 {
439 #ifdef ENABLE_ADMINPORT
440 adminsock_conf($2, $3, $4, $5);
441 #else
442 yywarn("admin port support not compiled in");
443 #endif
444 }
445 EOS
446 | ADMINSOCK QUOTEDSTRING
447 {
448 #ifdef ENABLE_ADMINPORT
449 adminsock_conf($2, NULL, NULL, -1);
450 #else
451 yywarn("admin port support not compiled in");
452 #endif
453 }
454 EOS
455 | ADMINSOCK DISABLED
456 {
457 #ifdef ENABLE_ADMINPORT
458 adminsock_path = NULL;
459 #else
460 yywarn("admin port support not compiled in");
461 #endif
462 }
463 EOS
464 | STRICT_ADDRESS { lcconf->strict_address = TRUE; } EOS
465 ;
466 ike_addrinfo_port
467 : ADDRSTRING ike_port
468 {
469 char portbuf[10];
470
471 snprintf(portbuf, sizeof(portbuf), "%ld", $2);
472 $$ = str2saddr($1->v, portbuf);
473 vfree($1);
474 if (!$$)
475 return -1;
476 }
477 ;
478 ike_port
479 : /* nothing */ { $$ = PORT_ISAKMP; }
480 | PORT { $$ = $1; }
481 ;
482
483 /* radius configuration */
484 radcfg_statement
485 : RADCFG {
486 #ifndef ENABLE_HYBRID
487 yyerror("racoon not configured with --enable-hybrid");
488 return -1;
489 #endif
490 #ifndef HAVE_LIBRADIUS
491 yyerror("racoon not configured with --with-libradius");
492 return -1;
493 #endif
494 #ifdef ENABLE_HYBRID
495 #ifdef HAVE_LIBRADIUS
496 xauth_rad_config.timeout = 3;
497 xauth_rad_config.retries = 3;
498 #endif
499 #endif
500 } BOC radcfg_stmts EOC
501 ;
502 radcfg_stmts
503 : /* nothing */
504 | radcfg_stmts radcfg_stmt
505 ;
506 radcfg_stmt
507 : RAD_AUTH QUOTEDSTRING QUOTEDSTRING
508 {
509 #ifdef ENABLE_HYBRID
510 #ifdef HAVE_LIBRADIUS
511 int i = xauth_rad_config.auth_server_count;
512 if (i == RADIUS_MAX_SERVERS) {
513 yyerror("maximum radius auth servers exceeded");
514 return -1;
515 }
516
517 xauth_rad_config.auth_server_list[i].host = vdup($2);
518 xauth_rad_config.auth_server_list[i].secret = vdup($3);
519 xauth_rad_config.auth_server_list[i].port = 0; // default port
520 xauth_rad_config.auth_server_count++;
521 #endif
522 #endif
523 }
524 EOS
525 | RAD_AUTH QUOTEDSTRING NUMBER QUOTEDSTRING
526 {
527 #ifdef ENABLE_HYBRID
528 #ifdef HAVE_LIBRADIUS
529 int i = xauth_rad_config.auth_server_count;
530 if (i == RADIUS_MAX_SERVERS) {
531 yyerror("maximum radius auth servers exceeded");
532 return -1;
533 }
534
535 xauth_rad_config.auth_server_list[i].host = vdup($2);
536 xauth_rad_config.auth_server_list[i].secret = vdup($4);
537 xauth_rad_config.auth_server_list[i].port = $3;
538 xauth_rad_config.auth_server_count++;
539 #endif
540 #endif
541 }
542 EOS
543 | RAD_ACCT QUOTEDSTRING QUOTEDSTRING
544 {
545 #ifdef ENABLE_HYBRID
546 #ifdef HAVE_LIBRADIUS
547 int i = xauth_rad_config.acct_server_count;
548 if (i == RADIUS_MAX_SERVERS) {
549 yyerror("maximum radius account servers exceeded");
550 return -1;
551 }
552
553 xauth_rad_config.acct_server_list[i].host = vdup($2);
554 xauth_rad_config.acct_server_list[i].secret = vdup($3);
555 xauth_rad_config.acct_server_list[i].port = 0; // default port
556 xauth_rad_config.acct_server_count++;
557 #endif
558 #endif
559 }
560 EOS
561 | RAD_ACCT QUOTEDSTRING NUMBER QUOTEDSTRING
562 {
563 #ifdef ENABLE_HYBRID
564 #ifdef HAVE_LIBRADIUS
565 int i = xauth_rad_config.acct_server_count;
566 if (i == RADIUS_MAX_SERVERS) {
567 yyerror("maximum radius account servers exceeded");
568 return -1;
569 }
570
571 xauth_rad_config.acct_server_list[i].host = vdup($2);
572 xauth_rad_config.acct_server_list[i].secret = vdup($4);
573 xauth_rad_config.acct_server_list[i].port = $3;
574 xauth_rad_config.acct_server_count++;
575 #endif
576 #endif
577 }
578 EOS
579 | RAD_TIMEOUT NUMBER
580 {
581 #ifdef ENABLE_HYBRID
582 #ifdef HAVE_LIBRADIUS
583 xauth_rad_config.timeout = $2;
584 #endif
585 #endif
586 }
587 EOS
588 | RAD_RETRIES NUMBER
589 {
590 #ifdef ENABLE_HYBRID
591 #ifdef HAVE_LIBRADIUS
592 xauth_rad_config.retries = $2;
593 #endif
594 #endif
595 }
596 EOS
597 ;
598
599 /* ldap configuration */
600 ldapcfg_statement
601 : LDAPCFG {
602 #ifndef ENABLE_HYBRID
603 yyerror("racoon not configured with --enable-hybrid");
604 return -1;
605 #endif
606 #ifndef HAVE_LIBLDAP
607 yyerror("racoon not configured with --with-libldap");
608 return -1;
609 #endif
610 } BOC ldapcfg_stmts EOC
611 ;
612 ldapcfg_stmts
613 : /* nothing */
614 | ldapcfg_stmts ldapcfg_stmt
615 ;
616 ldapcfg_stmt
617 : LDAP_PVER NUMBER
618 {
619 #ifdef ENABLE_HYBRID
620 #ifdef HAVE_LIBLDAP
621 if (($2<2)||($2>3))
622 yyerror("invalid ldap protocol version (2|3)");
623 xauth_ldap_config.pver = $2;
624 #endif
625 #endif
626 }
627 EOS
628 | LDAP_HOST QUOTEDSTRING
629 {
630 #ifdef ENABLE_HYBRID
631 #ifdef HAVE_LIBLDAP
632 if (xauth_ldap_config.host != NULL)
633 vfree(xauth_ldap_config.host);
634 xauth_ldap_config.host = vdup($2);
635 #endif
636 #endif
637 }
638 EOS
639 | LDAP_PORT NUMBER
640 {
641 #ifdef ENABLE_HYBRID
642 #ifdef HAVE_LIBLDAP
643 xauth_ldap_config.port = $2;
644 #endif
645 #endif
646 }
647 EOS
648 | LDAP_BASE QUOTEDSTRING
649 {
650 #ifdef ENABLE_HYBRID
651 #ifdef HAVE_LIBLDAP
652 if (xauth_ldap_config.base != NULL)
653 vfree(xauth_ldap_config.base);
654 xauth_ldap_config.base = vdup($2);
655 #endif
656 #endif
657 }
658 EOS
659 | LDAP_SUBTREE SWITCH
660 {
661 #ifdef ENABLE_HYBRID
662 #ifdef HAVE_LIBLDAP
663 xauth_ldap_config.subtree = $2;
664 #endif
665 #endif
666 }
667 EOS
668 | LDAP_BIND_DN QUOTEDSTRING
669 {
670 #ifdef ENABLE_HYBRID
671 #ifdef HAVE_LIBLDAP
672 if (xauth_ldap_config.bind_dn != NULL)
673 vfree(xauth_ldap_config.bind_dn);
674 xauth_ldap_config.bind_dn = vdup($2);
675 #endif
676 #endif
677 }
678 EOS
679 | LDAP_BIND_PW QUOTEDSTRING
680 {
681 #ifdef ENABLE_HYBRID
682 #ifdef HAVE_LIBLDAP
683 if (xauth_ldap_config.bind_pw != NULL)
684 vfree(xauth_ldap_config.bind_pw);
685 xauth_ldap_config.bind_pw = vdup($2);
686 #endif
687 #endif
688 }
689 EOS
690 | LDAP_ATTR_USER QUOTEDSTRING
691 {
692 #ifdef ENABLE_HYBRID
693 #ifdef HAVE_LIBLDAP
694 if (xauth_ldap_config.attr_user != NULL)
695 vfree(xauth_ldap_config.attr_user);
696 xauth_ldap_config.attr_user = vdup($2);
697 #endif
698 #endif
699 }
700 EOS
701 | LDAP_ATTR_ADDR QUOTEDSTRING
702 {
703 #ifdef ENABLE_HYBRID
704 #ifdef HAVE_LIBLDAP
705 if (xauth_ldap_config.attr_addr != NULL)
706 vfree(xauth_ldap_config.attr_addr);
707 xauth_ldap_config.attr_addr = vdup($2);
708 #endif
709 #endif
710 }
711 EOS
712 | LDAP_ATTR_MASK QUOTEDSTRING
713 {
714 #ifdef ENABLE_HYBRID
715 #ifdef HAVE_LIBLDAP
716 if (xauth_ldap_config.attr_mask != NULL)
717 vfree(xauth_ldap_config.attr_mask);
718 xauth_ldap_config.attr_mask = vdup($2);
719 #endif
720 #endif
721 }
722 EOS
723 | LDAP_ATTR_GROUP QUOTEDSTRING
724 {
725 #ifdef ENABLE_HYBRID
726 #ifdef HAVE_LIBLDAP
727 if (xauth_ldap_config.attr_group != NULL)
728 vfree(xauth_ldap_config.attr_group);
729 xauth_ldap_config.attr_group = vdup($2);
730 #endif
731 #endif
732 }
733 EOS
734 | LDAP_ATTR_MEMBER QUOTEDSTRING
735 {
736 #ifdef ENABLE_HYBRID
737 #ifdef HAVE_LIBLDAP
738 if (xauth_ldap_config.attr_member != NULL)
739 vfree(xauth_ldap_config.attr_member);
740 xauth_ldap_config.attr_member = vdup($2);
741 #endif
742 #endif
743 }
744 EOS
745 ;
746
747 /* modecfg */
748 modecfg_statement
749 : MODECFG BOC modecfg_stmts EOC
750 ;
751 modecfg_stmts
752 : /* nothing */
753 | modecfg_stmts modecfg_stmt
754 ;
755 modecfg_stmt
756 : CFG_NET4 ADDRSTRING
757 {
758 #ifdef ENABLE_HYBRID
759 if (inet_pton(AF_INET, $2->v,
760 &isakmp_cfg_config.network4) != 1)
761 yyerror("bad IPv4 network address.");
762 #else
763 yyerror("racoon not configured with --enable-hybrid");
764 #endif
765 }
766 EOS
767 | CFG_MASK4 ADDRSTRING
768 {
769 #ifdef ENABLE_HYBRID
770 if (inet_pton(AF_INET, $2->v,
771 &isakmp_cfg_config.netmask4) != 1)
772 yyerror("bad IPv4 netmask address.");
773 #else
774 yyerror("racoon not configured with --enable-hybrid");
775 #endif
776 }
777 EOS
778 | CFG_DNS4 addrdnslist
779 EOS
780 | CFG_NBNS4 addrwinslist
781 EOS
782 | CFG_SPLIT_NETWORK CFG_SPLIT_LOCAL splitnetlist
783 {
784 #ifdef ENABLE_HYBRID
785 isakmp_cfg_config.splitnet_type = UNITY_LOCAL_LAN;
786 #else
787 yyerror("racoon not configured with --enable-hybrid");
788 #endif
789 }
790 EOS
791 | CFG_SPLIT_NETWORK CFG_SPLIT_INCLUDE splitnetlist
792 {
793 #ifdef ENABLE_HYBRID
794 isakmp_cfg_config.splitnet_type = UNITY_SPLIT_INCLUDE;
795 #else
796 yyerror("racoon not configured with --enable-hybrid");
797 #endif
798 }
799 EOS
800 | CFG_SPLIT_DNS splitdnslist
801 {
802 #ifndef ENABLE_HYBRID
803 yyerror("racoon not configured with --enable-hybrid");
804 #endif
805 }
806 EOS
807 | CFG_DEFAULT_DOMAIN QUOTEDSTRING
808 {
809 #ifdef ENABLE_HYBRID
810 strncpy(&isakmp_cfg_config.default_domain[0],
811 $2->v, MAXPATHLEN);
812 isakmp_cfg_config.default_domain[MAXPATHLEN] = '\0';
813 vfree($2);
814 #else
815 yyerror("racoon not configured with --enable-hybrid");
816 #endif
817 }
818 EOS
819 | CFG_AUTH_SOURCE CFG_SYSTEM
820 {
821 #ifdef ENABLE_HYBRID
822 isakmp_cfg_config.authsource = ISAKMP_CFG_AUTH_SYSTEM;
823 #else
824 yyerror("racoon not configured with --enable-hybrid");
825 #endif
826 }
827 EOS
828 | CFG_AUTH_SOURCE CFG_RADIUS
829 {
830 #ifdef ENABLE_HYBRID
831 #ifdef HAVE_LIBRADIUS
832 isakmp_cfg_config.authsource = ISAKMP_CFG_AUTH_RADIUS;
833 #else /* HAVE_LIBRADIUS */
834 yyerror("racoon not configured with --with-libradius");
835 #endif /* HAVE_LIBRADIUS */
836 #else /* ENABLE_HYBRID */
837 yyerror("racoon not configured with --enable-hybrid");
838 #endif /* ENABLE_HYBRID */
839 }
840 EOS
841 | CFG_AUTH_SOURCE CFG_PAM
842 {
843 #ifdef ENABLE_HYBRID
844 #ifdef HAVE_LIBPAM
845 isakmp_cfg_config.authsource = ISAKMP_CFG_AUTH_PAM;
846 #else /* HAVE_LIBPAM */
847 yyerror("racoon not configured with --with-libpam");
848 #endif /* HAVE_LIBPAM */
849 #else /* ENABLE_HYBRID */
850 yyerror("racoon not configured with --enable-hybrid");
851 #endif /* ENABLE_HYBRID */
852 }
853 EOS
854 | CFG_AUTH_SOURCE CFG_LDAP
855 {
856 #ifdef ENABLE_HYBRID
857 #ifdef HAVE_LIBLDAP
858 isakmp_cfg_config.authsource = ISAKMP_CFG_AUTH_LDAP;
859 #else /* HAVE_LIBLDAP */
860 yyerror("racoon not configured with --with-libldap");
861 #endif /* HAVE_LIBLDAP */
862 #else /* ENABLE_HYBRID */
863 yyerror("racoon not configured with --enable-hybrid");
864 #endif /* ENABLE_HYBRID */
865 }
866 EOS
867 | CFG_AUTH_GROUPS authgrouplist
868 {
869 #ifndef ENABLE_HYBRID
870 yyerror("racoon not configured with --enable-hybrid");
871 #endif
872 }
873 EOS
874 | CFG_GROUP_SOURCE CFG_SYSTEM
875 {
876 #ifdef ENABLE_HYBRID
877 isakmp_cfg_config.groupsource = ISAKMP_CFG_GROUP_SYSTEM;
878 #else
879 yyerror("racoon not configured with --enable-hybrid");
880 #endif
881 }
882 EOS
883 | CFG_GROUP_SOURCE CFG_LDAP
884 {
885 #ifdef ENABLE_HYBRID
886 #ifdef HAVE_LIBLDAP
887 isakmp_cfg_config.groupsource = ISAKMP_CFG_GROUP_LDAP;
888 #else /* HAVE_LIBLDAP */
889 yyerror("racoon not configured with --with-libldap");
890 #endif /* HAVE_LIBLDAP */
891 #else /* ENABLE_HYBRID */
892 yyerror("racoon not configured with --enable-hybrid");
893 #endif /* ENABLE_HYBRID */
894 }
895 EOS
896 | CFG_ACCOUNTING CFG_NONE
897 {
898 #ifdef ENABLE_HYBRID
899 isakmp_cfg_config.accounting = ISAKMP_CFG_ACCT_NONE;
900 #else
901 yyerror("racoon not configured with --enable-hybrid");
902 #endif
903 }
904 EOS
905 | CFG_ACCOUNTING CFG_SYSTEM
906 {
907 #ifdef ENABLE_HYBRID
908 isakmp_cfg_config.accounting = ISAKMP_CFG_ACCT_SYSTEM;
909 #else
910 yyerror("racoon not configured with --enable-hybrid");
911 #endif
912 }
913 EOS
914 | CFG_ACCOUNTING CFG_RADIUS
915 {
916 #ifdef ENABLE_HYBRID
917 #ifdef HAVE_LIBRADIUS
918 isakmp_cfg_config.accounting = ISAKMP_CFG_ACCT_RADIUS;
919 #else /* HAVE_LIBRADIUS */
920 yyerror("racoon not configured with --with-libradius");
921 #endif /* HAVE_LIBRADIUS */
922 #else /* ENABLE_HYBRID */
923 yyerror("racoon not configured with --enable-hybrid");
924 #endif /* ENABLE_HYBRID */
925 }
926 EOS
927 | CFG_ACCOUNTING CFG_PAM
928 {
929 #ifdef ENABLE_HYBRID
930 #ifdef HAVE_LIBPAM
931 isakmp_cfg_config.accounting = ISAKMP_CFG_ACCT_PAM;
932 #else /* HAVE_LIBPAM */
933 yyerror("racoon not configured with --with-libpam");
934 #endif /* HAVE_LIBPAM */
935 #else /* ENABLE_HYBRID */
936 yyerror("racoon not configured with --enable-hybrid");
937 #endif /* ENABLE_HYBRID */
938 }
939 EOS
940 | CFG_POOL_SIZE NUMBER
941 {
942 #ifdef ENABLE_HYBRID
943 if (isakmp_cfg_resize_pool($2) != 0)
944 yyerror("cannot allocate memory for pool");
945 #else /* ENABLE_HYBRID */
946 yyerror("racoon not configured with --enable-hybrid");
947 #endif /* ENABLE_HYBRID */
948 }
949 EOS
950 | CFG_PFS_GROUP NUMBER
951 {
952 #ifdef ENABLE_HYBRID
953 isakmp_cfg_config.pfs_group = $2;
954 #else /* ENABLE_HYBRID */
955 yyerror("racoon not configured with --enable-hybrid");
956 #endif /* ENABLE_HYBRID */
957 }
958 EOS
959 | CFG_SAVE_PASSWD SWITCH
960 {
961 #ifdef ENABLE_HYBRID
962 isakmp_cfg_config.save_passwd = $2;
963 #else /* ENABLE_HYBRID */
964 yyerror("racoon not configured with --enable-hybrid");
965 #endif /* ENABLE_HYBRID */
966 }
967 EOS
968 | CFG_AUTH_THROTTLE NUMBER
969 {
970 #ifdef ENABLE_HYBRID
971 isakmp_cfg_config.auth_throttle = $2;
972 #else /* ENABLE_HYBRID */
973 yyerror("racoon not configured with --enable-hybrid");
974 #endif /* ENABLE_HYBRID */
975 }
976 EOS
977 | CFG_CONF_SOURCE CFG_LOCAL
978 {
979 #ifdef ENABLE_HYBRID
980 isakmp_cfg_config.confsource = ISAKMP_CFG_CONF_LOCAL;
981 #else /* ENABLE_HYBRID */
982 yyerror("racoon not configured with --enable-hybrid");
983 #endif /* ENABLE_HYBRID */
984 }
985 EOS
986 | CFG_CONF_SOURCE CFG_RADIUS
987 {
988 #ifdef ENABLE_HYBRID
989 #ifdef HAVE_LIBRADIUS
990 isakmp_cfg_config.confsource = ISAKMP_CFG_CONF_RADIUS;
991 #else /* HAVE_LIBRADIUS */
992 yyerror("racoon not configured with --with-libradius");
993 #endif /* HAVE_LIBRADIUS */
994 #else /* ENABLE_HYBRID */
995 yyerror("racoon not configured with --enable-hybrid");
996 #endif /* ENABLE_HYBRID */
997 }
998 EOS
999 | CFG_CONF_SOURCE CFG_LDAP
1000 {
1001 #ifdef ENABLE_HYBRID
1002 #ifdef HAVE_LIBLDAP
1003 isakmp_cfg_config.confsource = ISAKMP_CFG_CONF_LDAP;
1004 #else /* HAVE_LIBLDAP */
1005 yyerror("racoon not configured with --with-libldap");
1006 #endif /* HAVE_LIBLDAP */
1007 #else /* ENABLE_HYBRID */
1008 yyerror("racoon not configured with --enable-hybrid");
1009 #endif /* ENABLE_HYBRID */
1010 }
1011 EOS
1012 | CFG_MOTD QUOTEDSTRING
1013 {
1014 #ifdef ENABLE_HYBRID
1015 strncpy(&isakmp_cfg_config.motd[0], $2->v, MAXPATHLEN);
1016 isakmp_cfg_config.motd[MAXPATHLEN] = '\0';
1017 vfree($2);
1018 #else
1019 yyerror("racoon not configured with --enable-hybrid");
1020 #endif
1021 }
1022 EOS
1023 ;
1024
1025 addrdnslist
1026 : addrdns
1027 | addrdns COMMA addrdnslist
1028 ;
1029 addrdns
1030 : ADDRSTRING
1031 {
1032 #ifdef ENABLE_HYBRID
1033 struct isakmp_cfg_config *icc = &isakmp_cfg_config;
1034
1035 if (icc->dns4_index > MAXNS)
1036 yyerror("No more than %d DNS", MAXNS);
1037 if (inet_pton(AF_INET, $1->v,
1038 &icc->dns4[icc->dns4_index++]) != 1)
1039 yyerror("bad IPv4 DNS address.");
1040 #else
1041 yyerror("racoon not configured with --enable-hybrid");
1042 #endif
1043 }
1044 ;
1045
1046 addrwinslist
1047 : addrwins
1048 | addrwins COMMA addrwinslist
1049 ;
1050 addrwins
1051 : ADDRSTRING
1052 {
1053 #ifdef ENABLE_HYBRID
1054 struct isakmp_cfg_config *icc = &isakmp_cfg_config;
1055
1056 if (icc->nbns4_index > MAXWINS)
1057 yyerror("No more than %d WINS", MAXWINS);
1058 if (inet_pton(AF_INET, $1->v,
1059 &icc->nbns4[icc->nbns4_index++]) != 1)
1060 yyerror("bad IPv4 WINS address.");
1061 #else
1062 yyerror("racoon not configured with --enable-hybrid");
1063 #endif
1064 }
1065 ;
1066
1067 splitnetlist
1068 : splitnet
1069 | splitnetlist COMMA splitnet
1070 ;
1071 splitnet
1072 : ADDRSTRING PREFIX
1073 {
1074 #ifdef ENABLE_HYBRID
1075 struct isakmp_cfg_config *icc = &isakmp_cfg_config;
1076 struct unity_network network;
1077 memset(&network,0,sizeof(network));
1078
1079 if (inet_pton(AF_INET, $1->v, &network.addr4) != 1)
1080 yyerror("bad IPv4 SPLIT address.");
1081
1082 /* Turn $2 (the prefix) into a subnet mask */
1083 network.mask4.s_addr = ($2) ? htonl(~((1 << (32 - $2)) - 1)) : 0;
1084
1085 /* add the network to our list */
1086 if (splitnet_list_add(&icc->splitnet_list, &network,&icc->splitnet_count))
1087 yyerror("Unable to allocate split network");
1088 #else
1089 yyerror("racoon not configured with --enable-hybrid");
1090 #endif
1091 }
1092 ;
1093
1094 authgrouplist
1095 : authgroup
1096 | authgroup COMMA authgrouplist
1097 ;
1098 authgroup
1099 : QUOTEDSTRING
1100 {
1101 #ifdef ENABLE_HYBRID
1102 char * groupname = NULL;
1103 char ** grouplist = NULL;
1104 struct isakmp_cfg_config *icc = &isakmp_cfg_config;
1105
1106 grouplist = racoon_realloc(icc->grouplist,
1107 sizeof(char**)*(icc->groupcount+1));
1108 if (grouplist == NULL) {
1109 yyerror("unable to allocate auth group list");
1110 return -1;
1111 }
1112
1113 groupname = racoon_malloc($1->l+1);
1114 if (groupname == NULL) {
1115 yyerror("unable to allocate auth group name");
1116 return -1;
1117 }
1118
1119 memcpy(groupname,$1->v,$1->l);
1120 groupname[$1->l]=0;
1121 grouplist[icc->groupcount]=groupname;
1122 icc->grouplist = grouplist;
1123 icc->groupcount++;
1124
1125 vfree($1);
1126 #else
1127 yyerror("racoon not configured with --enable-hybrid");
1128 #endif
1129 }
1130 ;
1131
1132 splitdnslist
1133 : splitdns
1134 | splitdns COMMA splitdnslist
1135 ;
1136 splitdns
1137 : QUOTEDSTRING
1138 {
1139 #ifdef ENABLE_HYBRID
1140 struct isakmp_cfg_config *icc = &isakmp_cfg_config;
1141
1142 if (!icc->splitdns_len)
1143 {
1144 icc->splitdns_list = racoon_malloc($1->l);
1145 if(icc->splitdns_list == NULL) {
1146 yyerror("error allocating splitdns list buffer");
1147 return -1;
1148 }
1149 memcpy(icc->splitdns_list,$1->v,$1->l);
1150 icc->splitdns_len = $1->l;
1151 }
1152 else
1153 {
1154 int len = icc->splitdns_len + $1->l + 1;
1155 icc->splitdns_list = racoon_realloc(icc->splitdns_list,len);
1156 if(icc->splitdns_list == NULL) {
1157 yyerror("error allocating splitdns list buffer");
1158 return -1;
1159 }
1160 icc->splitdns_list[icc->splitdns_len] = ',';
1161 memcpy(icc->splitdns_list + icc->splitdns_len + 1, $1->v, $1->l);
1162 icc->splitdns_len = len;
1163 }
1164 vfree($1);
1165 #else
1166 yyerror("racoon not configured with --enable-hybrid");
1167 #endif
1168 }
1169 ;
1170
1171
1172 /* timer */
1173 timer_statement
1174 : RETRY BOC timer_stmts EOC
1175 ;
1176 timer_stmts
1177 : /* nothing */
1178 | timer_stmts timer_stmt
1179 ;
1180 timer_stmt
1181 : RETRY_COUNTER NUMBER
1182 {
1183 lcconf->retry_counter = $2;
1184 }
1185 EOS
1186 | RETRY_INTERVAL NUMBER unittype_time
1187 {
1188 lcconf->retry_interval = $2 * $3;
1189 }
1190 EOS
1191 | RETRY_PERSEND NUMBER
1192 {
1193 lcconf->count_persend = $2;
1194 }
1195 EOS
1196 | RETRY_PHASE1 NUMBER unittype_time
1197 {
1198 lcconf->retry_checkph1 = $2 * $3;
1199 }
1200 EOS
1201 | RETRY_PHASE2 NUMBER unittype_time
1202 {
1203 lcconf->wait_ph2complete = $2 * $3;
1204 }
1205 EOS
1206 | NATT_KA NUMBER unittype_time
1207 {
1208 #ifdef ENABLE_NATT
1209 if (libipsec_opt & LIBIPSEC_OPT_NATT)
1210 lcconf->natt_ka_interval = $2 * $3;
1211 else
1212 yyerror("libipsec lacks NAT-T support");
1213 #else
1214 yyerror("NAT-T support not compiled in.");
1215 #endif
1216 }
1217 EOS
1218 ;
1219
1220 /* sainfo */
1221 sainfo_statement
1222 : SAINFO
1223 {
1224 cur_sainfo = newsainfo();
1225 if (cur_sainfo == NULL) {
1226 yyerror("failed to allocate sainfo");
1227 return -1;
1228 }
1229 }
1230 sainfo_name sainfo_param BOC sainfo_specs
1231 {
1232 struct sainfo *check;
1233
1234 /* default */
1235 if (cur_sainfo->algs[algclass_ipsec_enc] == 0) {
1236 yyerror("no encryption algorithm at %s",
1237 sainfo2str(cur_sainfo));
1238 return -1;
1239 }
1240 if (cur_sainfo->algs[algclass_ipsec_auth] == 0) {
1241 yyerror("no authentication algorithm at %s",
1242 sainfo2str(cur_sainfo));
1243 return -1;
1244 }
1245 if (cur_sainfo->algs[algclass_ipsec_comp] == 0) {
1246 yyerror("no compression algorithm at %s",
1247 sainfo2str(cur_sainfo));
1248 return -1;
1249 }
1250
1251 /* duplicate check */
1252 check = getsainfo(cur_sainfo->idsrc,
1253 cur_sainfo->iddst,
1254 cur_sainfo->id_i,
1255 NULL,
1256 cur_sainfo->remoteid);
1257
1258 if (check && ((check->idsrc != SAINFO_ANONYMOUS) &&
1259 (cur_sainfo->idsrc != SAINFO_ANONYMOUS))) {
1260 yyerror("duplicated sainfo: %s",
1261 sainfo2str(cur_sainfo));
1262 return -1;
1263 }
1264
1265 inssainfo(cur_sainfo);
1266 }
1267 EOC
1268 ;
1269 sainfo_name
1270 : ANONYMOUS
1271 {
1272 cur_sainfo->idsrc = SAINFO_ANONYMOUS;
1273 cur_sainfo->iddst = SAINFO_ANONYMOUS;
1274 }
1275 | ANONYMOUS CLIENTADDR
1276 {
1277 cur_sainfo->idsrc = SAINFO_ANONYMOUS;
1278 cur_sainfo->iddst = SAINFO_CLIENTADDR;
1279 }
1280 | ANONYMOUS sainfo_id
1281 {
1282 cur_sainfo->idsrc = SAINFO_ANONYMOUS;
1283 cur_sainfo->iddst = $2;
1284 }
1285 | sainfo_id ANONYMOUS
1286 {
1287 cur_sainfo->idsrc = $1;
1288 cur_sainfo->iddst = SAINFO_ANONYMOUS;
1289 }
1290 | sainfo_id CLIENTADDR
1291 {
1292 cur_sainfo->idsrc = $1;
1293 cur_sainfo->iddst = SAINFO_CLIENTADDR;
1294 }
1295 | sainfo_id sainfo_id
1296 {
1297 cur_sainfo->idsrc = $1;
1298 cur_sainfo->iddst = $2;
1299 }
1300 ;
1301 sainfo_id
1302 : IDENTIFIERTYPE ADDRSTRING prefix port ul_proto
1303 {
1304 char portbuf[10];
1305 struct sockaddr *saddr;
1306
1307 if (($5 == IPPROTO_ICMP || $5 == IPPROTO_ICMPV6)
1308 && ($4 != IPSEC_PORT_ANY || $4 != IPSEC_PORT_ANY)) {
1309 yyerror("port number must be \"any\".");
1310 return -1;
1311 }
1312
1313 snprintf(portbuf, sizeof(portbuf), "%lu", $4);
1314 saddr = str2saddr($2->v, portbuf);
1315 vfree($2);
1316 if (saddr == NULL)
1317 return -1;
1318
1319 switch (saddr->sa_family) {
1320 case AF_INET:
1321 if ($5 == IPPROTO_ICMPV6) {
1322 yyerror("upper layer protocol mismatched.\n");
1323 racoon_free(saddr);
1324 return -1;
1325 }
1326 $$ = ipsecdoi_sockaddr2id(saddr,
1327 $3 == ~0 ? (sizeof(struct in_addr) << 3): $3,
1328 $5);
1329 break;
1330 #ifdef INET6
1331 case AF_INET6:
1332 if ($5 == IPPROTO_ICMP) {
1333 yyerror("upper layer protocol mismatched.\n");
1334 racoon_free(saddr);
1335 return -1;
1336 }
1337 $$ = ipsecdoi_sockaddr2id(saddr,
1338 $3 == ~0 ? (sizeof(struct in6_addr) << 3): $3,
1339 $5);
1340 break;
1341 #endif
1342 default:
1343 yyerror("invalid family: %d", saddr->sa_family);
1344 $$ = NULL;
1345 break;
1346 }
1347 racoon_free(saddr);
1348 if ($$ == NULL)
1349 return -1;
1350 }
1351 | IDENTIFIERTYPE ADDRSTRING ADDRRANGE prefix port ul_proto
1352 {
1353 char portbuf[10];
1354 struct sockaddr *laddr = NULL, *haddr = NULL;
1355 char *cur = NULL;
1356
1357 if (($6 == IPPROTO_ICMP || $6 == IPPROTO_ICMPV6)
1358 && ($5 != IPSEC_PORT_ANY || $5 != IPSEC_PORT_ANY)) {
1359 yyerror("port number must be \"any\".");
1360 return -1;
1361 }
1362
1363 snprintf(portbuf, sizeof(portbuf), "%lu", $5);
1364
1365 laddr = str2saddr($2->v, portbuf);
1366 if (laddr == NULL) {
1367 return -1;
1368 }
1369 vfree($2);
1370 haddr = str2saddr($3->v, portbuf);
1371 if (haddr == NULL) {
1372 racoon_free(laddr);
1373 return -1;
1374 }
1375 vfree($3);
1376
1377 switch (laddr->sa_family) {
1378 case AF_INET:
1379 if ($6 == IPPROTO_ICMPV6) {
1380 yyerror("upper layer protocol mismatched.\n");
1381 if (laddr)
1382 racoon_free(laddr);
1383 if (haddr)
1384 racoon_free(haddr);
1385 return -1;
1386 }
1387 $$ = ipsecdoi_sockrange2id(laddr, haddr,
1388 $6);
1389 break;
1390 #ifdef INET6
1391 case AF_INET6:
1392 if ($6 == IPPROTO_ICMP) {
1393 yyerror("upper layer protocol mismatched.\n");
1394 if (laddr)
1395 racoon_free(laddr);
1396 if (haddr)
1397 racoon_free(haddr);
1398 return -1;
1399 }
1400 $$ = ipsecdoi_sockrange2id(laddr, haddr,
1401 $6);
1402 break;
1403 #endif
1404 default:
1405 yyerror("invalid family: %d", laddr->sa_family);
1406 $$ = NULL;
1407 break;
1408 }
1409 if (laddr)
1410 racoon_free(laddr);
1411 if (haddr)
1412 racoon_free(haddr);
1413 if ($$ == NULL)
1414 return -1;
1415 }
1416 | IDENTIFIERTYPE QUOTEDSTRING
1417 {
1418 struct ipsecdoi_id_b *id_b;
1419
1420 if ($1 == IDTYPE_ASN1DN) {
1421 yyerror("id type forbidden: %d", $1);
1422 $$ = NULL;
1423 return -1;
1424 }
1425
1426 $2->l--;
1427
1428 $$ = vmalloc(sizeof(*id_b) + $2->l);
1429 if ($$ == NULL) {
1430 yyerror("failed to allocate identifier");
1431 return -1;
1432 }
1433
1434 id_b = (struct ipsecdoi_id_b *)$$->v;
1435 id_b->type = idtype2doi($1);
1436
1437 id_b->proto_id = 0;
1438 id_b->port = 0;
1439
1440 memcpy($$->v + sizeof(*id_b), $2->v, $2->l);
1441 }
1442 ;
1443 sainfo_param
1444 : /* nothing */
1445 {
1446 cur_sainfo->id_i = NULL;
1447 }
1448 | FROM IDENTIFIERTYPE identifierstring
1449 {
1450 struct ipsecdoi_id_b *id_b;
1451 vchar_t *idv;
1452
1453 if (set_identifier(&idv, $2, $3) != 0) {
1454 yyerror("failed to set identifer.\n");
1455 return -1;
1456 }
1457 cur_sainfo->id_i = vmalloc(sizeof(*id_b) + idv->l);
1458 if (cur_sainfo->id_i == NULL) {
1459 yyerror("failed to allocate identifier");
1460 return -1;
1461 }
1462
1463 id_b = (struct ipsecdoi_id_b *)cur_sainfo->id_i->v;
1464 id_b->type = idtype2doi($2);
1465
1466 id_b->proto_id = 0;
1467 id_b->port = 0;
1468
1469 memcpy(cur_sainfo->id_i->v + sizeof(*id_b),
1470 idv->v, idv->l);
1471 vfree(idv);
1472 }
1473 | GROUP QUOTEDSTRING
1474 {
1475 #ifdef ENABLE_HYBRID
1476 if ((cur_sainfo->group = vdup($2)) == NULL) {
1477 yyerror("failed to set sainfo xauth group.\n");
1478 return -1;
1479 }
1480 #else
1481 yyerror("racoon not configured with --enable-hybrid");
1482 return -1;
1483 #endif
1484 }
1485 ;
1486 sainfo_specs
1487 : /* nothing */
1488 | sainfo_specs sainfo_spec
1489 ;
1490 sainfo_spec
1491 : PFS_GROUP dh_group_num
1492 {
1493 cur_sainfo->pfs_group = $2;
1494 }
1495 EOS
1496 | REMOTEID NUMBER
1497 {
1498 cur_sainfo->remoteid = $2;
1499 }
1500 EOS
1501 | LIFETIME LIFETYPE_TIME NUMBER unittype_time
1502 {
1503 cur_sainfo->lifetime = $3 * $4;
1504 }
1505 EOS
1506 | LIFETIME LIFETYPE_BYTE NUMBER unittype_byte
1507 {
1508 #if 1
1509 yyerror("byte lifetime support is deprecated");
1510 return -1;
1511 #else
1512 cur_sainfo->lifebyte = fix_lifebyte($3 * $4);
1513 if (cur_sainfo->lifebyte == 0)
1514 return -1;
1515 #endif
1516 }
1517 EOS
1518 | ALGORITHM_CLASS {
1519 cur_algclass = $1;
1520 }
1521 algorithms EOS
1522 ;
1523
1524 algorithms
1525 : algorithm
1526 {
1527 inssainfoalg(&cur_sainfo->algs[cur_algclass], $1);
1528 }
1529 | algorithm
1530 {
1531 inssainfoalg(&cur_sainfo->algs[cur_algclass], $1);
1532 }
1533 COMMA algorithms
1534 ;
1535 algorithm
1536 : ALGORITHMTYPE keylength
1537 {
1538 int defklen;
1539
1540 $$ = newsainfoalg();
1541 if ($$ == NULL) {
1542 yyerror("failed to get algorithm allocation");
1543 return -1;
1544 }
1545
1546 $$->alg = algtype2doi(cur_algclass, $1);
1547 if ($$->alg == -1) {
1548 yyerror("algorithm mismatched");
1549 racoon_free($$);
1550 $$ = NULL;
1551 return -1;
1552 }
1553
1554 defklen = default_keylen(cur_algclass, $1);
1555 if (defklen == 0) {
1556 if ($2) {
1557 yyerror("keylen not allowed");
1558 racoon_free($$);
1559 $$ = NULL;
1560 return -1;
1561 }
1562 } else {
1563 if ($2 && check_keylen(cur_algclass, $1, $2) < 0) {
1564 yyerror("invalid keylen %d", $2);
1565 racoon_free($$);
1566 $$ = NULL;
1567 return -1;
1568 }
1569 }
1570
1571 if ($2)
1572 $$->encklen = $2;
1573 else
1574 $$->encklen = defklen;
1575
1576 /* check if it's supported algorithm by kernel */
1577 if (!(cur_algclass == algclass_ipsec_auth && $1 == algtype_non_auth)
1578 && pk_checkalg(cur_algclass, $1, $$->encklen)) {
1579 int a = algclass2doi(cur_algclass);
1580 int b = algtype2doi(cur_algclass, $1);
1581 if (a == IPSECDOI_ATTR_AUTH)
1582 a = IPSECDOI_PROTO_IPSEC_AH;
1583 yyerror("algorithm %s not supported by the kernel (missing module?)",
1584 s_ipsecdoi_trns(a, b));
1585 racoon_free($$);
1586 $$ = NULL;
1587 return -1;
1588 }
1589 }
1590 ;
1591 prefix
1592 : /* nothing */ { $$ = ~0; }
1593 | PREFIX { $$ = $1; }
1594 ;
1595 port
1596 : /* nothing */ { $$ = IPSEC_PORT_ANY; }
1597 | PORT { $$ = $1; }
1598 | PORTANY { $$ = IPSEC_PORT_ANY; }
1599 ;
1600 ul_proto
1601 : NUMBER { $$ = $1; }
1602 | UL_PROTO { $$ = $1; }
1603 | ANY { $$ = IPSEC_ULPROTO_ANY; }
1604 ;
1605 keylength
1606 : /* nothing */ { $$ = 0; }
1607 | NUMBER { $$ = $1; }
1608 ;
1609
1610 /* remote */
1611 remote_statement
1612 : REMOTE QUOTEDSTRING INHERIT QUOTEDSTRING
1613 {
1614 struct remoteconf *from, *new;
1615
1616 if (getrmconf_by_name($2->v) != NULL) {
1617 yyerror("named remoteconf \"%s\" already exists.");
1618 return -1;
1619 }
1620
1621 from = getrmconf_by_name($4->v);
1622 if (from == NULL) {
1623 yyerror("named parent remoteconf \"%s\" does not exist.",
1624 $4->v);
1625 return -1;
1626 }
1627
1628 new = duprmconf(from);
1629 if (new == NULL) {
1630 yyerror("failed to duplicate remoteconf from \"%s\".",
1631 $4->v);
1632 return -1;
1633 }
1634
1635 new->name = racoon_strdup($2->v);
1636 cur_rmconf = new;
1637
1638 vfree($2);
1639 vfree($4);
1640 }
1641 remote_specs_block
1642 | REMOTE QUOTEDSTRING
1643 {
1644 struct remoteconf *new;
1645
1646 if (getrmconf_by_name($2->v) != NULL) {
1647 yyerror("Named remoteconf \"%s\" already exists.");
1648 return -1;
1649 }
1650
1651 new = newrmconf();
1652 if (new == NULL) {
1653 yyerror("failed to get new remoteconf.");
1654 return -1;
1655 }
1656 new->name = racoon_strdup($2->v);
1657 cur_rmconf = new;
1658
1659 vfree($2);
1660 }
1661 remote_specs_block
1662 | REMOTE remote_index INHERIT remote_index
1663 {
1664 struct remoteconf *from, *new;
1665
1666 from = getrmconf($4, GETRMCONF_F_NO_ANONYMOUS);
1667 if (from == NULL) {
1668 yyerror("failed to get remoteconf for %s.",
1669 saddr2str($4));
1670 return -1;
1671 }
1672
1673 new = duprmconf(from);
1674 if (new == NULL) {
1675 yyerror("failed to duplicate remoteconf from %s.",
1676 saddr2str($4));
1677 return -1;
1678 }
1679
1680 new->remote = $2;
1681 cur_rmconf = new;
1682 }
1683 remote_specs_block
1684 | REMOTE remote_index
1685 {
1686 struct remoteconf *new;
1687
1688 new = newrmconf();
1689 if (new == NULL) {
1690 yyerror("failed to get new remoteconf.");
1691 return -1;
1692 }
1693
1694 new->remote = $2;
1695 cur_rmconf = new;
1696 }
1697 remote_specs_block
1698 ;
1699
1700 remote_specs_block
1701 : BOC remote_specs EOC
1702 {
1703 /* check a exchange mode */
1704 if (cur_rmconf->etypes == NULL) {
1705 yyerror("no exchange mode specified.\n");
1706 return -1;
1707 }
1708
1709 if (cur_rmconf->idvtype == IDTYPE_UNDEFINED)
1710 cur_rmconf->idvtype = IDTYPE_ADDRESS;
1711
1712 if (cur_rmconf->idvtype == IDTYPE_ASN1DN) {
1713 if (cur_rmconf->mycertfile) {
1714 if (cur_rmconf->idv)
1715 yywarn("Both CERT and ASN1 ID "
1716 "are set. Hope this is OK.\n");
1717 /* TODO: Preparse the DN here */
1718 } else if (cur_rmconf->idv) {
1719 /* OK, using asn1dn without X.509. */
1720 } else {
1721 yyerror("ASN1 ID not specified "
1722 "and no CERT defined!\n");
1723 return -1;
1724 }
1725 }
1726
1727 if (cur_rmconf->spspec == NULL &&
1728 cur_rmconf->inherited_from != NULL) {
1729 cur_rmconf->spspec = cur_rmconf->inherited_from->spspec;
1730 }
1731 if (set_isakmp_proposal(cur_rmconf) != 0)
1732 return -1;
1733
1734 /* DH group settting if aggressive mode is there. */
1735 if (check_etypeok(cur_rmconf, (void*) ISAKMP_ETYPE_AGG)) {
1736 struct isakmpsa *p;
1737 int b = 0;
1738
1739 /* DH group */
1740 for (p = cur_rmconf->proposal; p; p = p->next) {
1741 if (b == 0 || (b && b == p->dh_group)) {
1742 b = p->dh_group;
1743 continue;
1744 }
1745 yyerror("DH group must be equal "
1746 "in all proposals "
1747 "when aggressive mode is "
1748 "used.\n");
1749 return -1;
1750 }
1751 cur_rmconf->dh_group = b;
1752
1753 if (cur_rmconf->dh_group == 0) {
1754 yyerror("DH group must be set in the proposal.\n");
1755 return -1;
1756 }
1757
1758 /* DH group settting if PFS is required. */
1759 if (oakley_setdhgroup(cur_rmconf->dh_group,
1760 &cur_rmconf->dhgrp) < 0) {
1761 yyerror("failed to set DH value.\n");
1762 return -1;
1763 }
1764 }
1765
1766 insrmconf(cur_rmconf);
1767 }
1768 ;
1769 remote_index
1770 : ANONYMOUS ike_port
1771 {
1772 $$ = newsaddr(sizeof(struct sockaddr));
1773 $$->sa_family = AF_UNSPEC;
1774 ((struct sockaddr_in *)$$)->sin_port = htons($2);
1775 }
1776 | ike_addrinfo_port
1777 {
1778 $$ = $1;
1779 if ($$ == NULL) {
1780 yyerror("failed to allocate sockaddr");
1781 return -1;
1782 }
1783 }
1784 ;
1785 remote_specs
1786 : /* nothing */
1787 | remote_specs remote_spec
1788 ;
1789 remote_spec
1790 : REMOTE_ADDRESS ike_addrinfo_port
1791 {
1792 if (cur_rmconf->remote != NULL) {
1793 yyerror("remote_address already specified");
1794 return -1;
1795 }
1796 cur_rmconf->remote = $2;
1797 }
1798 EOS
1799 | EXCHANGE_MODE
1800 {
1801 cur_rmconf->etypes = NULL;
1802 }
1803 exchange_types EOS
1804 | DOI DOITYPE { cur_rmconf->doitype = $2; } EOS
1805 | SITUATION SITUATIONTYPE { cur_rmconf->sittype = $2; } EOS
1806 | CERTIFICATE_TYPE cert_spec
1807 | PEERS_CERTFILE QUOTEDSTRING
1808 {
1809 yywarn("This directive without certtype will be removed!\n");
1810 yywarn("Please use 'peers_certfile x509 \"%s\";' instead\n", $2->v);
1811
1812 if (cur_rmconf->peerscert != NULL) {
1813 yyerror("peers_certfile already defined\n");
1814 return -1;
1815 }
1816
1817 if (load_x509($2->v, &cur_rmconf->peerscertfile,
1818 &cur_rmconf->peerscert)) {
1819 yyerror("failed to load certificate \"%s\"\n",
1820 $2->v);
1821 return -1;
1822 }
1823
1824 vfree($2);
1825 }
1826 EOS
1827 | PEERS_CERTFILE CERT_X509 QUOTEDSTRING
1828 {
1829 if (cur_rmconf->peerscert != NULL) {
1830 yyerror("peers_certfile already defined\n");
1831 return -1;
1832 }
1833
1834 if (load_x509($3->v, &cur_rmconf->peerscertfile,
1835 &cur_rmconf->peerscert)) {
1836 yyerror("failed to load certificate \"%s\"\n",
1837 $3->v);
1838 return -1;
1839 }
1840
1841 vfree($3);
1842 }
1843 EOS
1844 | PEERS_CERTFILE CERT_PLAINRSA QUOTEDSTRING
1845 {
1846 char path[MAXPATHLEN];
1847 int ret = 0;
1848
1849 if (cur_rmconf->peerscert != NULL) {
1850 yyerror("peers_certfile already defined\n");
1851 return -1;
1852 }
1853
1854 cur_rmconf->peerscert = vmalloc(1);
1855 if (cur_rmconf->peerscert == NULL) {
1856 yyerror("failed to allocate peerscert");
1857 return -1;
1858 }
1859 cur_rmconf->peerscert->v[0] = ISAKMP_CERT_PLAINRSA;
1860
1861 getpathname(path, sizeof(path),
1862 LC_PATHTYPE_CERT, $3->v);
1863 if (rsa_parse_file(cur_rmconf->rsa_public, path,
1864 RSA_TYPE_PUBLIC)) {
1865 yyerror("Couldn't parse keyfile.\n", path);
1866 return -1;
1867 }
1868 plog(LLV_DEBUG, LOCATION, NULL,
1869 "Public PlainRSA keyfile parsed: %s\n", path);
1870
1871 vfree($3);
1872 }
1873 EOS
1874 | PEERS_CERTFILE DNSSEC
1875 {
1876 if (cur_rmconf->peerscert != NULL) {
1877 yyerror("peers_certfile already defined\n");
1878 return -1;
1879 }
1880 cur_rmconf->peerscert = vmalloc(1);
1881 if (cur_rmconf->peerscert == NULL) {
1882 yyerror("failed to allocate peerscert");
1883 return -1;
1884 }
1885 cur_rmconf->peerscert->v[0] = ISAKMP_CERT_DNS;
1886 }
1887 EOS
1888 | CA_TYPE CERT_X509 QUOTEDSTRING
1889 {
1890 if (cur_rmconf->cacert != NULL) {
1891 yyerror("ca_type already defined\n");
1892 return -1;
1893 }
1894
1895 if (load_x509($3->v, &cur_rmconf->cacertfile,
1896 &cur_rmconf->cacert)) {
1897 yyerror("failed to load certificate \"%s\"\n",
1898 $3->v);
1899 return -1;
1900 }
1901
1902 vfree($3);
1903 }
1904 EOS
1905 | VERIFY_CERT SWITCH { cur_rmconf->verify_cert = $2; } EOS
1906 | SEND_CERT SWITCH { cur_rmconf->send_cert = $2; } EOS
1907 | SEND_CR SWITCH { cur_rmconf->send_cr = $2; } EOS
1908 | MATCH_EMPTY_CR SWITCH { cur_rmconf->match_empty_cr = $2; } EOS
1909 | MY_IDENTIFIER IDENTIFIERTYPE identifierstring
1910 {
1911 if (set_identifier(&cur_rmconf->idv, $2, $3) != 0) {
1912 yyerror("failed to set identifer.\n");
1913 return -1;
1914 }
1915 cur_rmconf->idvtype = $2;
1916 }
1917 EOS
1918 | MY_IDENTIFIER IDENTIFIERTYPE IDENTIFIERQUAL identifierstring
1919 {
1920 if (set_identifier_qual(&cur_rmconf->idv, $2, $4, $3) != 0) {
1921 yyerror("failed to set identifer.\n");
1922 return -1;
1923 }
1924 cur_rmconf->idvtype = $2;
1925 }
1926 EOS
1927 | XAUTH_LOGIN identifierstring
1928 {
1929 #ifdef ENABLE_HYBRID
1930 /* formerly identifier type login */
1931 if (xauth_rmconf_used(&cur_rmconf->xauth) == -1) {
1932 yyerror("failed to allocate xauth state\n");
1933 return -1;
1934 }
1935 if ((cur_rmconf->xauth->login = vdup($2)) == NULL) {
1936 yyerror("failed to set identifer.\n");
1937 return -1;
1938 }
1939 #else
1940 yyerror("racoon not configured with --enable-hybrid");
1941 #endif
1942 }
1943 EOS
1944 | PEERS_IDENTIFIER IDENTIFIERTYPE identifierstring
1945 {
1946 struct idspec *id;
1947 id = newidspec();
1948 if (id == NULL) {
1949 yyerror("failed to allocate idspec");
1950 return -1;
1951 }
1952 if (set_identifier(&id->id, $2, $3) != 0) {
1953 yyerror("failed to set identifer.\n");
1954 racoon_free(id);
1955 return -1;
1956 }
1957 id->idtype = $2;
1958 genlist_append (cur_rmconf->idvl_p, id);
1959 }
1960 EOS
1961 | PEERS_IDENTIFIER IDENTIFIERTYPE IDENTIFIERQUAL identifierstring
1962 {
1963 struct idspec *id;
1964 id = newidspec();
1965 if (id == NULL) {
1966 yyerror("failed to allocate idspec");
1967 return -1;
1968 }
1969 if (set_identifier_qual(&id->id, $2, $4, $3) != 0) {
1970 yyerror("failed to set identifer.\n");
1971 racoon_free(id);
1972 return -1;
1973 }
1974 id->idtype = $2;
1975 genlist_append (cur_rmconf->idvl_p, id);
1976 }
1977 EOS
1978 | VERIFY_IDENTIFIER SWITCH { cur_rmconf->verify_identifier = $2; } EOS
1979 | NONCE_SIZE NUMBER { cur_rmconf->nonce_size = $2; } EOS
1980 | DH_GROUP
1981 {
1982 yyerror("dh_group cannot be defined here.");
1983 return -1;
1984 }
1985 dh_group_num EOS
1986 | PASSIVE SWITCH { cur_rmconf->passive = $2; } EOS
1987 | IKE_FRAG SWITCH { cur_rmconf->ike_frag = $2; } EOS
1988 | IKE_FRAG REMOTE_FORCE_LEVEL { cur_rmconf->ike_frag = ISAKMP_FRAG_FORCE; } EOS
1989 | ESP_FRAG NUMBER {
1990 #ifdef SADB_X_EXT_NAT_T_FRAG
1991 if (libipsec_opt & LIBIPSEC_OPT_FRAG)
1992 cur_rmconf->esp_frag = $2;
1993 else
1994 yywarn("libipsec lacks IKE frag support");
1995 #else
1996 yywarn("Your kernel does not support esp_frag");
1997 #endif
1998 } EOS
1999 | SCRIPT QUOTEDSTRING PHASE1_UP {
2000 if (cur_rmconf->script[SCRIPT_PHASE1_UP] != NULL)
2001 vfree(cur_rmconf->script[SCRIPT_PHASE1_UP]);
2002
2003 cur_rmconf->script[SCRIPT_PHASE1_UP] =
2004 script_path_add(vdup($2));
2005 } EOS
2006 | SCRIPT QUOTEDSTRING PHASE1_DOWN {
2007 if (cur_rmconf->script[SCRIPT_PHASE1_DOWN] != NULL)
2008 vfree(cur_rmconf->script[SCRIPT_PHASE1_DOWN]);
2009
2010 cur_rmconf->script[SCRIPT_PHASE1_DOWN] =
2011 script_path_add(vdup($2));
2012 } EOS
2013 | MODE_CFG SWITCH { cur_rmconf->mode_cfg = $2; } EOS
2014 | WEAK_PHASE1_CHECK SWITCH {
2015 cur_rmconf->weak_phase1_check = $2;
2016 } EOS
2017 | GENERATE_POLICY SWITCH { cur_rmconf->gen_policy = $2; } EOS
2018 | GENERATE_POLICY GENERATE_LEVEL { cur_rmconf->gen_policy = $2; } EOS
2019 | SUPPORT_PROXY SWITCH { cur_rmconf->support_proxy = $2; } EOS
2020 | INITIAL_CONTACT SWITCH { cur_rmconf->ini_contact = $2; } EOS
2021 | NAT_TRAVERSAL SWITCH
2022 {
2023 #ifdef ENABLE_NATT
2024 if (libipsec_opt & LIBIPSEC_OPT_NATT)
2025 cur_rmconf->nat_traversal = $2;
2026 else
2027 yyerror("libipsec lacks NAT-T support");
2028 #else
2029 yyerror("NAT-T support not compiled in.");
2030 #endif
2031 } EOS
2032 | NAT_TRAVERSAL REMOTE_FORCE_LEVEL
2033 {
2034 #ifdef ENABLE_NATT
2035 if (libipsec_opt & LIBIPSEC_OPT_NATT)
2036 cur_rmconf->nat_traversal = NATT_FORCE;
2037 else
2038 yyerror("libipsec lacks NAT-T support");
2039 #else
2040 yyerror("NAT-T support not compiled in.");
2041 #endif
2042 } EOS
2043 | DPD SWITCH
2044 {
2045 #ifdef ENABLE_DPD
2046 cur_rmconf->dpd = $2;
2047 #else
2048 yyerror("DPD support not compiled in.");
2049 #endif
2050 } EOS
2051 | DPD_DELAY NUMBER
2052 {
2053 #ifdef ENABLE_DPD
2054 cur_rmconf->dpd_interval = $2;
2055 #else
2056 yyerror("DPD support not compiled in.");
2057 #endif
2058 }
2059 EOS
2060 | DPD_RETRY NUMBER
2061 {
2062 #ifdef ENABLE_DPD
2063 cur_rmconf->dpd_retry = $2;
2064 #else
2065 yyerror("DPD support not compiled in.");
2066 #endif
2067 }
2068 EOS
2069 | DPD_MAXFAIL NUMBER
2070 {
2071 #ifdef ENABLE_DPD
2072 cur_rmconf->dpd_maxfails = $2;
2073 #else
2074 yyerror("DPD support not compiled in.");
2075 #endif
2076 }
2077 EOS
2078 | REKEY SWITCH { cur_rmconf->rekey = $2; } EOS
2079 | REKEY REMOTE_FORCE_LEVEL { cur_rmconf->rekey = REKEY_FORCE; } EOS
2080 | PH1ID NUMBER
2081 {
2082 cur_rmconf->ph1id = $2;
2083 }
2084 EOS
2085 | LIFETIME LIFETYPE_TIME NUMBER unittype_time
2086 {
2087 cur_rmconf->lifetime = $3 * $4;
2088 }
2089 EOS
2090 | PROPOSAL_CHECK PROPOSAL_CHECK_LEVEL { cur_rmconf->pcheck_level = $2; } EOS
2091 | LIFETIME LIFETYPE_BYTE NUMBER unittype_byte
2092 {
2093 #if 1
2094 yyerror("byte lifetime support is deprecated in Phase1");
2095 return -1;
2096 #else
2097 yywarn("the lifetime of bytes in phase 1 "
2098 "will be ignored at the moment.");
2099 cur_rmconf->lifebyte = fix_lifebyte($3 * $4);
2100 if (cur_rmconf->lifebyte == 0)
2101 return -1;
2102 #endif
2103 }
2104 EOS
2105 | PROPOSAL
2106 {
2107 struct secprotospec *spspec;
2108
2109 spspec = newspspec();
2110 if (spspec == NULL)
2111 return -1;
2112 insspspec(cur_rmconf, spspec);
2113 }
2114 BOC isakmpproposal_specs EOC
2115 ;
2116 exchange_types
2117 : /* nothing */
2118 | exchange_types EXCHANGETYPE
2119 {
2120 struct etypes *new;
2121 new = racoon_malloc(sizeof(struct etypes));
2122 if (new == NULL) {
2123 yyerror("failed to allocate etypes");
2124 return -1;
2125 }
2126 new->type = $2;
2127 new->next = NULL;
2128 if (cur_rmconf->etypes == NULL)
2129 cur_rmconf->etypes = new;
2130 else {
2131 struct etypes *p;
2132 for (p = cur_rmconf->etypes;
2133 p->next != NULL;
2134 p = p->next)
2135 ;
2136 p->next = new;
2137 }
2138 }
2139 ;
2140 cert_spec
2141 : CERT_X509 QUOTEDSTRING QUOTEDSTRING
2142 {
2143 if (cur_rmconf->mycert != NULL) {
2144 yyerror("certificate_type already defined\n");
2145 return -1;
2146 }
2147
2148 if (load_x509($2->v, &cur_rmconf->mycertfile,
2149 &cur_rmconf->mycert)) {
2150 yyerror("failed to load certificate \"%s\"\n",
2151 $2->v);
2152 return -1;
2153 }
2154
2155 cur_rmconf->myprivfile = racoon_strdup($3->v);
2156 STRDUP_FATAL(cur_rmconf->myprivfile);
2157
2158 vfree($2);
2159 vfree($3);
2160 }
2161 EOS
2162 | CERT_PLAINRSA QUOTEDSTRING
2163 {
2164 char path[MAXPATHLEN];
2165 int ret = 0;
2166
2167 if (cur_rmconf->mycert != NULL) {
2168 yyerror("certificate_type already defined\n");
2169 return -1;
2170 }
2171
2172 cur_rmconf->mycert = vmalloc(1);
2173 if (cur_rmconf->mycert == NULL) {
2174 yyerror("failed to allocate mycert");
2175 return -1;
2176 }
2177 cur_rmconf->mycert->v[0] = ISAKMP_CERT_PLAINRSA;
2178
2179 getpathname(path, sizeof(path),
2180 LC_PATHTYPE_CERT, $2->v);
2181 cur_rmconf->send_cr = FALSE;
2182 cur_rmconf->send_cert = FALSE;
2183 cur_rmconf->verify_cert = FALSE;
2184 if (rsa_parse_file(cur_rmconf->rsa_private, path,
2185 RSA_TYPE_PRIVATE)) {
2186 yyerror("Couldn't parse keyfile.\n", path);
2187 return -1;
2188 }
2189 plog(LLV_DEBUG, LOCATION, NULL,
2190 "Private PlainRSA keyfile parsed: %s\n", path);
2191 vfree($2);
2192 }
2193 EOS
2194 ;
2195 dh_group_num
2196 : ALGORITHMTYPE
2197 {
2198 $$ = algtype2doi(algclass_isakmp_dh, $1);
2199 if ($$ == -1) {
2200 yyerror("must be DH group");
2201 return -1;
2202 }
2203 }
2204 | NUMBER
2205 {
2206 if (ARRAYLEN(num2dhgroup) > $1 && num2dhgroup[$1] != 0) {
2207 $$ = num2dhgroup[$1];
2208 } else {
2209 yyerror("must be DH group");
2210 $$ = 0;
2211 return -1;
2212 }
2213 }
2214 ;
2215 identifierstring
2216 : /* nothing */ { $$ = NULL; }
2217 | ADDRSTRING { $$ = $1; }
2218 | QUOTEDSTRING { $$ = $1; }
2219 ;
2220 isakmpproposal_specs
2221 : /* nothing */
2222 | isakmpproposal_specs isakmpproposal_spec
2223 ;
2224 isakmpproposal_spec
2225 : LIFETIME LIFETYPE_TIME NUMBER unittype_time
2226 {
2227 cur_rmconf->spspec->lifetime = $3 * $4;
2228 }
2229 EOS
2230 | LIFETIME LIFETYPE_BYTE NUMBER unittype_byte
2231 {
2232 #if 1
2233 yyerror("byte lifetime support is deprecated");
2234 return -1;
2235 #else
2236 cur_rmconf->spspec->lifebyte = fix_lifebyte($3 * $4);
2237 if (cur_rmconf->spspec->lifebyte == 0)
2238 return -1;
2239 #endif
2240 }
2241 EOS
2242 | DH_GROUP dh_group_num
2243 {
2244 cur_rmconf->spspec->algclass[algclass_isakmp_dh] = $2;
2245 }
2246 EOS
2247 | GSS_ID QUOTEDSTRING
2248 {
2249 if (cur_rmconf->spspec->vendorid != VENDORID_GSSAPI) {
2250 yyerror("wrong Vendor ID for gssapi_id");
2251 return -1;
2252 }
2253 if (cur_rmconf->spspec->gssid != NULL)
2254 racoon_free(cur_rmconf->spspec->gssid);
2255 cur_rmconf->spspec->gssid =
2256 racoon_strdup($2->v);
2257 STRDUP_FATAL(cur_rmconf->spspec->gssid);
2258 }
2259 EOS
2260 | ALGORITHM_CLASS ALGORITHMTYPE keylength
2261 {
2262 int doi;
2263 int defklen;
2264
2265 doi = algtype2doi($1, $2);
2266 if (doi == -1) {
2267 yyerror("algorithm mismatched 1");
2268 return -1;
2269 }
2270
2271 switch ($1) {
2272 case algclass_isakmp_enc:
2273 /* reject suppressed algorithms */
2274 #ifndef HAVE_OPENSSL_RC5_H
2275 if ($2 == algtype_rc5) {
2276 yyerror("algorithm %s not supported",
2277 s_attr_isakmp_enc(doi));
2278 return -1;
2279 }
2280 #endif
2281 #ifndef HAVE_OPENSSL_IDEA_H
2282 if ($2 == algtype_idea) {
2283 yyerror("algorithm %s not supported",
2284 s_attr_isakmp_enc(doi));
2285 return -1;
2286 }
2287 #endif
2288
2289 cur_rmconf->spspec->algclass[algclass_isakmp_enc] = doi;
2290 defklen = default_keylen($1, $2);
2291 if (defklen == 0) {
2292 if ($3) {
2293 yyerror("keylen not allowed");
2294 return -1;
2295 }
2296 } else {
2297 if ($3 && check_keylen($1, $2, $3) < 0) {
2298 yyerror("invalid keylen %d", $3);
2299 return -1;
2300 }
2301 }
2302 if ($3)
2303 cur_rmconf->spspec->encklen = $3;
2304 else
2305 cur_rmconf->spspec->encklen = defklen;
2306 break;
2307 case algclass_isakmp_hash:
2308 cur_rmconf->spspec->algclass[algclass_isakmp_hash] = doi;
2309 break;
2310 case algclass_isakmp_ameth:
2311 cur_rmconf->spspec->algclass[algclass_isakmp_ameth] = doi;
2312 /*
2313 * We may have to set the Vendor ID for the
2314 * authentication method we're using.
2315 */
2316 switch ($2) {
2317 case algtype_gssapikrb:
2318 if (cur_rmconf->spspec->vendorid !=
2319 VENDORID_UNKNOWN) {
2320 yyerror("Vendor ID mismatch "
2321 "for auth method");
2322 return -1;
2323 }
2324 /*
2325 * For interoperability with Win2k,
2326 * we set the Vendor ID to "GSSAPI".
2327 */
2328 cur_rmconf->spspec->vendorid =
2329 VENDORID_GSSAPI;
2330 break;
2331 case algtype_rsasig:
2332 if (oakley_get_certtype(cur_rmconf->peerscert) == ISAKMP_CERT_PLAINRSA) {
2333 if (rsa_list_count(cur_rmconf->rsa_private) == 0) {
2334 yyerror ("Private PlainRSA key not set. "
2335 "Use directive 'certificate_type plainrsa ...'\n");
2336 return -1;
2337 }
2338 if (rsa_list_count(cur_rmconf->rsa_public) == 0) {
2339 yyerror ("Public PlainRSA keys not set. "
2340 "Use directive 'peers_certfile plainrsa ...'\n");
2341 return -1;
2342 }
2343 }
2344 break;
2345 default:
2346 break;
2347 }
2348 break;
2349 default:
2350 yyerror("algorithm mismatched 2");
2351 return -1;
2352 }
2353 }
2354 EOS
2355 ;
2356
2357 unittype_time
2358 : UNITTYPE_SEC { $$ = 1; }
2359 | UNITTYPE_MIN { $$ = 60; }
2360 | UNITTYPE_HOUR { $$ = (60 * 60); }
2361 ;
2362 unittype_byte
2363 : UNITTYPE_BYTE { $$ = 1; }
2364 | UNITTYPE_KBYTES { $$ = 1024; }
2365 | UNITTYPE_MBYTES { $$ = (1024 * 1024); }
2366 | UNITTYPE_TBYTES { $$ = (1024 * 1024 * 1024); }
2367 ;
2368 %%
2369
2370 static struct secprotospec *
2371 newspspec()
2372 {
2373 struct secprotospec *new;
2374
2375 new = racoon_calloc(1, sizeof(*new));
2376 if (new == NULL) {
2377 yyerror("failed to allocate spproto");
2378 return NULL;
2379 }
2380
2381 new->encklen = 0; /*XXX*/
2382
2383 /*
2384 * Default to "uknown" vendor -- we will override this
2385 * as necessary. When we send a Vendor ID payload, an
2386 * "unknown" will be translated to a KAME/racoon ID.
2387 */
2388 new->vendorid = VENDORID_UNKNOWN;
2389
2390 return new;
2391 }
2392
2393 /*
2394 * insert into head of list.
2395 */
2396 static void
2397 insspspec(rmconf, spspec)
2398 struct remoteconf *rmconf;
2399 struct secprotospec *spspec;
2400 {
2401 if (rmconf->spspec != NULL)
2402 rmconf->spspec->prev = spspec;
2403 spspec->next = rmconf->spspec;
2404 rmconf->spspec = spspec;
2405 }
2406
2407 /* set final acceptable proposal */
2408 static int
2409 set_isakmp_proposal(rmconf)
2410 struct remoteconf *rmconf;
2411 {
2412 struct secprotospec *s;
2413 int prop_no = 1;
2414 int trns_no = 1;
2415 int32_t types[MAXALGCLASS];
2416
2417 /* mandatory check */
2418 if (rmconf->spspec == NULL) {
2419 yyerror("no remote specification found: %s.\n",
2420 saddr2str(rmconf->remote));
2421 return -1;
2422 }
2423 for (s = rmconf->spspec; s != NULL; s = s->next) {
2424 /* XXX need more to check */
2425 if (s->algclass[algclass_isakmp_enc] == 0) {
2426 yyerror("encryption algorithm required.");
2427 return -1;
2428 }
2429 if (s->algclass[algclass_isakmp_hash] == 0) {
2430 yyerror("hash algorithm required.");
2431 return -1;
2432 }
2433 if (s->algclass[algclass_isakmp_dh] == 0) {
2434 yyerror("DH group required.");
2435 return -1;
2436 }
2437 if (s->algclass[algclass_isakmp_ameth] == 0) {
2438 yyerror("authentication method required.");
2439 return -1;
2440 }
2441 }
2442
2443 /* skip to last part */
2444 for (s = rmconf->spspec; s->next != NULL; s = s->next)
2445 ;
2446
2447 while (s != NULL) {
2448 plog(LLV_DEBUG2, LOCATION, NULL,
2449 "lifetime = %ld\n", (long)
2450 (s->lifetime ? s->lifetime : rmconf->lifetime));
2451 plog(LLV_DEBUG2, LOCATION, NULL,
2452 "lifebyte = %d\n",
2453 s->lifebyte ? s->lifebyte : rmconf->lifebyte);
2454 plog(LLV_DEBUG2, LOCATION, NULL,
2455 "encklen=%d\n", s->encklen);
2456
2457 memset(types, 0, ARRAYLEN(types));
2458 types[algclass_isakmp_enc] = s->algclass[algclass_isakmp_enc];
2459 types[algclass_isakmp_hash] = s->algclass[algclass_isakmp_hash];
2460 types[algclass_isakmp_dh] = s->algclass[algclass_isakmp_dh];
2461 types[algclass_isakmp_ameth] =
2462 s->algclass[algclass_isakmp_ameth];
2463
2464 /* expanding spspec */
2465 clean_tmpalgtype();
2466 trns_no = expand_isakmpspec(prop_no, trns_no, types,
2467 algclass_isakmp_enc, algclass_isakmp_ameth + 1,
2468 s->lifetime ? s->lifetime : rmconf->lifetime,
2469 s->lifebyte ? s->lifebyte : rmconf->lifebyte,
2470 s->encklen, s->vendorid, s->gssid,
2471 rmconf);
2472 if (trns_no == -1) {
2473 plog(LLV_ERROR, LOCATION, NULL,
2474 "failed to expand isakmp proposal.\n");
2475 return -1;
2476 }
2477
2478 s = s->prev;
2479 }
2480
2481 if (rmconf->proposal == NULL) {
2482 plog(LLV_ERROR, LOCATION, NULL,
2483 "no proposal found.\n");
2484 return -1;
2485 }
2486
2487 return 0;
2488 }
2489
2490 static void
2491 clean_tmpalgtype()
2492 {
2493 int i;
2494 for (i = 0; i < MAXALGCLASS; i++)
2495 tmpalgtype[i] = 0; /* means algorithm undefined. */
2496 }
2497
2498 static int
2499 expand_isakmpspec(prop_no, trns_no, types,
2500 class, last, lifetime, lifebyte, encklen, vendorid, gssid,
2501 rmconf)
2502 int prop_no, trns_no;
2503 int *types, class, last;
2504 time_t lifetime;
2505 int lifebyte;
2506 int encklen;
2507 int vendorid;
2508 char *gssid;
2509 struct remoteconf *rmconf;
2510 {
2511 struct isakmpsa *new;
2512
2513 /* debugging */
2514 {
2515 int j;
2516 char tb[10];
2517 plog(LLV_DEBUG2, LOCATION, NULL,
2518 "p:%d t:%d\n", prop_no, trns_no);
2519 for (j = class; j < MAXALGCLASS; j++) {
2520 snprintf(tb, sizeof(tb), "%d", types[j]);
2521 plog(LLV_DEBUG2, LOCATION, NULL,
2522 "%s%s%s%s\n",
2523 s_algtype(j, types[j]),
2524 types[j] ? "(" : "",
2525 tb[0] == '0' ? "" : tb,
2526 types[j] ? ")" : "");
2527 }
2528 plog(LLV_DEBUG2, LOCATION, NULL, "\n");
2529 }
2530
2531 #define TMPALGTYPE2STR(n) \
2532 s_algtype(algclass_isakmp_##n, types[algclass_isakmp_##n])
2533 /* check mandatory values */
2534 if (types[algclass_isakmp_enc] == 0
2535 || types[algclass_isakmp_ameth] == 0
2536 || types[algclass_isakmp_hash] == 0
2537 || types[algclass_isakmp_dh] == 0) {
2538 yyerror("few definition of algorithm "
2539 "enc=%s ameth=%s hash=%s dhgroup=%s.\n",
2540 TMPALGTYPE2STR(enc),
2541 TMPALGTYPE2STR(ameth),
2542 TMPALGTYPE2STR(hash),
2543 TMPALGTYPE2STR(dh));
2544 return -1;
2545 }
2546 #undef TMPALGTYPE2STR
2547
2548 /* set new sa */
2549 new = newisakmpsa();
2550 if (new == NULL) {
2551 yyerror("failed to allocate isakmp sa");
2552 return -1;
2553 }
2554 new->prop_no = prop_no;
2555 new->trns_no = trns_no++;
2556 new->lifetime = lifetime;
2557 new->lifebyte = lifebyte;
2558 new->enctype = types[algclass_isakmp_enc];
2559 new->encklen = encklen;
2560 new->authmethod = types[algclass_isakmp_ameth];
2561 new->hashtype = types[algclass_isakmp_hash];
2562 new->dh_group = types[algclass_isakmp_dh];
2563 new->vendorid = vendorid;
2564 #ifdef HAVE_GSSAPI
2565 if (new->authmethod == OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB) {
2566 if (gssid != NULL) {
2567 if ((new->gssid = vmalloc(strlen(gssid))) == NULL) {
2568 racoon_free(new);
2569 yyerror("failed to allocate gssid");
2570 return -1;
2571 }
2572 memcpy(new->gssid->v, gssid, new->gssid->l);
2573 racoon_free(gssid);
2574 } else {
2575 /*
2576 * Allocate the default ID so that it gets put
2577 * into a GSS ID attribute during the Phase 1
2578 * exchange.
2579 */
2580 new->gssid = gssapi_get_default_gss_id();
2581 }
2582 }
2583 #endif
2584 insisakmpsa(new, rmconf);
2585
2586 return trns_no;
2587 }
2588
2589 #if 0
2590 /*
2591 * fix lifebyte.
2592 * Must be more than 1024B because its unit is kilobytes.
2593 * That is defined RFC2407.
2594 */
2595 static int
2596 fix_lifebyte(t)
2597 unsigned long t;
2598 {
2599 if (t < 1024) {
2600 yyerror("byte size should be more than 1024B.");
2601 return 0;
2602 }
2603
2604 return(t / 1024);
2605 }
2606 #endif
2607
2608 int
2609 cfparse()
2610 {
2611 int error;
2612
2613 yycf_init_buffer();
2614
2615 if (yycf_switch_buffer(lcconf->racoon_conf) != 0) {
2616 plog(LLV_ERROR, LOCATION, NULL,
2617 "could not read configuration file \"%s\"\n",
2618 lcconf->racoon_conf);
2619 return -1;
2620 }
2621
2622 error = yyparse();
2623 if (error != 0) {
2624 if (yyerrorcount) {
2625 plog(LLV_ERROR, LOCATION, NULL,
2626 "fatal parse failure (%d errors)\n",
2627 yyerrorcount);
2628 } else {
2629 plog(LLV_ERROR, LOCATION, NULL,
2630 "fatal parse failure.\n");
2631 }
2632 return -1;
2633 }
2634
2635 if (error == 0 && yyerrorcount) {
2636 plog(LLV_ERROR, LOCATION, NULL,
2637 "parse error is nothing, but yyerrorcount is %d.\n",
2638 yyerrorcount);
2639 exit(1);
2640 }
2641
2642 yycf_clean_buffer();
2643
2644 plog(LLV_DEBUG2, LOCATION, NULL, "parse successed.\n");
2645
2646 return 0;
2647 }
2648
2649 int
2650 cfreparse()
2651 {
2652 flushph2();
2653 flushph1();
2654 flushrmconf();
2655 flushsainfo();
2656 clean_tmpalgtype();
2657 return(cfparse());
2658 }
2659
2660 #ifdef ENABLE_ADMINPORT
2661 static void
2662 adminsock_conf(path, owner, group, mode_dec)
2663 vchar_t *path;
2664 vchar_t *owner;
2665 vchar_t *group;
2666 int mode_dec;
2667 {
2668 struct passwd *pw = NULL;
2669 struct group *gr = NULL;
2670 mode_t mode = 0;
2671 uid_t uid;
2672 gid_t gid;
2673 int isnum;
2674
2675 adminsock_path = path->v;
2676
2677 if (owner == NULL)
2678 return;
2679
2680 errno = 0;
2681 uid = atoi(owner->v);
2682 isnum = !errno;
2683 if (((pw = getpwnam(owner->v)) == NULL) && !isnum)
2684 yyerror("User \"%s\" does not exist", owner->v);
2685
2686 if (pw)
2687 adminsock_owner = pw->pw_uid;
2688 else
2689 adminsock_owner = uid;
2690
2691 if (group == NULL)
2692 return;
2693
2694 errno = 0;
2695 gid = atoi(group->v);
2696 isnum = !errno;
2697 if (((gr = getgrnam(group->v)) == NULL) && !isnum)
2698 yyerror("Group \"%s\" does not exist", group->v);
2699
2700 if (gr)
2701 adminsock_group = gr->gr_gid;
2702 else
2703 adminsock_group = gid;
2704
2705 if (mode_dec == -1)
2706 return;
2707
2708 if (mode_dec > 777)
2709 yyerror("Mode 0%03o is invalid", mode_dec);
2710 if (mode_dec >= 400) { mode += 0400; mode_dec -= 400; }
2711 if (mode_dec >= 200) { mode += 0200; mode_dec -= 200; }
2712 if (mode_dec >= 100) { mode += 0200; mode_dec -= 100; }
2713
2714 if (mode_dec > 77)
2715 yyerror("Mode 0%03o is invalid", mode_dec);
2716 if (mode_dec >= 40) { mode += 040; mode_dec -= 40; }
2717 if (mode_dec >= 20) { mode += 020; mode_dec -= 20; }
2718 if (mode_dec >= 10) { mode += 020; mode_dec -= 10; }
2719
2720 if (mode_dec > 7)
2721 yyerror("Mode 0%03o is invalid", mode_dec);
2722 if (mode_dec >= 4) { mode += 04; mode_dec -= 4; }
2723 if (mode_dec >= 2) { mode += 02; mode_dec -= 2; }
2724 if (mode_dec >= 1) { mode += 02; mode_dec -= 1; }
2725
2726 adminsock_mode = mode;
2727
2728 return;
2729 }
2730 #endif
NetBSD on the FriendlyARM MINI2440