1: /* $NetBSD: cfparse.y,v 1.42 2011/03/14 15:50:36 vanhu Exp $ */
2:
3: /* Id: cfparse.y,v 1.66 2006/08/22 18:17:17 manubsd Exp */
4:
5: %{
6: /*
7: * Copyright (C) 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002 and 2003 WIDE Project.
8: * All rights reserved.
9: *
10: * Redistribution and use in source and binary forms, with or without
11: * modification, are permitted provided that the following conditions
12: * are met:
13: * 1. Redistributions of source code must retain the above copyright
14: * notice, this list of conditions and the following disclaimer.
15: * 2. Redistributions in binary form must reproduce the above copyright
16: * notice, this list of conditions and the following disclaimer in the
17: * documentation and/or other materials provided with the distribution.
18: * 3. Neither the name of the project nor the names of its contributors
19: * may be used to endorse or promote products derived from this software
20: * without specific prior written permission.
21: *
22: * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
23: * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
24: * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
25: * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
26: * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
27: * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
28: * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
29: * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
30: * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
31: * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
32: * SUCH DAMAGE.
33: */
34:
35: #include "config.h"
36:
37: #include <sys/types.h>
38: #include <sys/param.h>
39: #include <sys/queue.h>
40: #include <sys/socket.h>
41:
42: #include <netinet/in.h>
43: #include PATH_IPSEC_H
44:
45: #ifdef ENABLE_HYBRID
46: #include <arpa/inet.h>
47: #endif
48:
49: #include <stdlib.h>
50: #include <stdio.h>
51: #include <string.h>
52: #include <errno.h>
53: #include <netdb.h>
54: #include <pwd.h>
55: #include <grp.h>
56:
57: #include "var.h"
58: #include "misc.h"
59: #include "vmbuf.h"
60: #include "plog.h"
61: #include "sockmisc.h"
62: #include "str2val.h"
63: #include "genlist.h"
64: #include "debug.h"
65:
66: #include "admin.h"
67: #include "privsep.h"
68: #include "cfparse_proto.h"
69: #include "cftoken_proto.h"
70: #include "algorithm.h"
71: #include "localconf.h"
72: #include "policy.h"
73: #include "sainfo.h"
74: #include "oakley.h"
75: #include "pfkey.h"
76: #include "remoteconf.h"
77: #include "grabmyaddr.h"
78: #include "isakmp_var.h"
79: #include "handler.h"
80: #include "isakmp.h"
81: #include "nattraversal.h"
82: #include "isakmp_frag.h"
83: #ifdef ENABLE_HYBRID
84: #include "resolv.h"
85: #include "isakmp_unity.h"
86: #include "isakmp_xauth.h"
87: #include "isakmp_cfg.h"
88: #endif
89: #include "ipsec_doi.h"
90: #include "strnames.h"
91: #include "gcmalloc.h"
92: #ifdef HAVE_GSSAPI
93: #include "gssapi.h"
94: #endif
95: #include "vendorid.h"
96: #include "rsalist.h"
97: #include "crypto_openssl.h"
98:
99: struct secprotospec {
100: int prop_no;
101: int trns_no;
102: int strength; /* for isakmp/ipsec */
103: int encklen; /* for isakmp/ipsec */
104: time_t lifetime; /* for isakmp */
105: int lifebyte; /* for isakmp */
106: int proto_id; /* for ipsec (isakmp?) */
107: int ipsec_level; /* for ipsec */
108: int encmode; /* for ipsec */
109: int vendorid; /* for isakmp */
110: char *gssid;
111: struct sockaddr *remote;
112: int algclass[MAXALGCLASS];
113:
114: struct secprotospec *next; /* the tail is the most prefiered. */
115: struct secprotospec *prev;
116: };
117:
118: static int num2dhgroup[] = {
119: 0,
120: OAKLEY_ATTR_GRP_DESC_MODP768,
121: OAKLEY_ATTR_GRP_DESC_MODP1024,
122: OAKLEY_ATTR_GRP_DESC_EC2N155,
123: OAKLEY_ATTR_GRP_DESC_EC2N185,
124: OAKLEY_ATTR_GRP_DESC_MODP1536,
125: 0,
126: 0,
127: 0,
128: 0,
129: 0,
130: 0,
131: 0,
132: 0,
133: OAKLEY_ATTR_GRP_DESC_MODP2048,
134: OAKLEY_ATTR_GRP_DESC_MODP3072,
135: OAKLEY_ATTR_GRP_DESC_MODP4096,
136: OAKLEY_ATTR_GRP_DESC_MODP6144,
137: OAKLEY_ATTR_GRP_DESC_MODP8192
138: };
139:
140: static struct remoteconf *cur_rmconf;
141: static int tmpalgtype[MAXALGCLASS];
142: static struct sainfo *cur_sainfo;
143: static int cur_algclass;
144: static int oldloglevel = LLV_BASE;
145:
146: static struct secprotospec *newspspec __P((void));
147: static void insspspec __P((struct remoteconf *, struct secprotospec *));
148: void dupspspec_list __P((struct remoteconf *dst, struct remoteconf *src));
149: void flushspspec __P((struct remoteconf *));
150: static void adminsock_conf __P((vchar_t *, vchar_t *, vchar_t *, int));
151:
152: static int set_isakmp_proposal __P((struct remoteconf *));
153: static void clean_tmpalgtype __P((void));
154: static int expand_isakmpspec __P((int, int, int *,
155: int, int, time_t, int, int, int, char *, struct remoteconf *));
156:
157: void freeetypes (struct etypes **etypes);
158:
159: static int load_x509(const char *file, char **filenameptr,
160: vchar_t **certptr)
161: {
162: char path[PATH_MAX];
163:
164: getpathname(path, sizeof(path), LC_PATHTYPE_CERT, file);
165: *certptr = eay_get_x509cert(path);
166: if (*certptr == NULL)
167: return -1;
168:
169: *filenameptr = racoon_strdup(file);
170: STRDUP_FATAL(*filenameptr);
171:
172: return 0;
173: }
174:
175: %}
176:
177: %union {
178: unsigned long num;
179: vchar_t *val;
180: struct remoteconf *rmconf;
181: struct sockaddr *saddr;
182: struct sainfoalg *alg;
183: }
184:
185: /* privsep */
186: %token PRIVSEP USER GROUP CHROOT
187: /* path */
188: %token PATH PATHTYPE
189: /* include */
190: %token INCLUDE
191: /* PFKEY_BUFFER */
192: %token PFKEY_BUFFER
193: /* logging */
194: %token LOGGING LOGLEV
195: /* padding */
196: %token PADDING PAD_RANDOMIZE PAD_RANDOMIZELEN PAD_MAXLEN PAD_STRICT PAD_EXCLTAIL
197: /* listen */
198: %token LISTEN X_ISAKMP X_ISAKMP_NATT X_ADMIN STRICT_ADDRESS ADMINSOCK DISABLED
199: /* ldap config */
200: %token LDAPCFG LDAP_HOST LDAP_PORT LDAP_PVER LDAP_BASE LDAP_BIND_DN LDAP_BIND_PW LDAP_SUBTREE
201: %token LDAP_ATTR_USER LDAP_ATTR_ADDR LDAP_ATTR_MASK LDAP_ATTR_GROUP LDAP_ATTR_MEMBER
202: /* radius config */
203: %token RADCFG RAD_AUTH RAD_ACCT RAD_TIMEOUT RAD_RETRIES
204: /* modecfg */
205: %token MODECFG CFG_NET4 CFG_MASK4 CFG_DNS4 CFG_NBNS4 CFG_DEFAULT_DOMAIN
206: %token CFG_AUTH_SOURCE CFG_AUTH_GROUPS CFG_SYSTEM CFG_RADIUS CFG_PAM CFG_LDAP CFG_LOCAL CFG_NONE
207: %token CFG_GROUP_SOURCE CFG_ACCOUNTING CFG_CONF_SOURCE CFG_MOTD CFG_POOL_SIZE CFG_AUTH_THROTTLE
208: %token CFG_SPLIT_NETWORK CFG_SPLIT_LOCAL CFG_SPLIT_INCLUDE CFG_SPLIT_DNS
209: %token CFG_PFS_GROUP CFG_SAVE_PASSWD
210:
211: /* timer */
212: %token RETRY RETRY_COUNTER RETRY_INTERVAL RETRY_PERSEND
213: %token RETRY_PHASE1 RETRY_PHASE2 NATT_KA
214: /* algorithm */
215: %token ALGORITHM_CLASS ALGORITHMTYPE STRENGTHTYPE
216: /* sainfo */
217: %token SAINFO FROM
218: /* remote */
219: %token REMOTE ANONYMOUS CLIENTADDR INHERIT REMOTE_ADDRESS
220: %token EXCHANGE_MODE EXCHANGETYPE DOI DOITYPE SITUATION SITUATIONTYPE
221: %token CERTIFICATE_TYPE CERTTYPE PEERS_CERTFILE CA_TYPE
222: %token VERIFY_CERT SEND_CERT SEND_CR MATCH_EMPTY_CR
223: %token IDENTIFIERTYPE IDENTIFIERQUAL MY_IDENTIFIER
224: %token PEERS_IDENTIFIER VERIFY_IDENTIFIER
225: %token DNSSEC CERT_X509 CERT_PLAINRSA
226: %token NONCE_SIZE DH_GROUP KEEPALIVE PASSIVE INITIAL_CONTACT
227: %token NAT_TRAVERSAL REMOTE_FORCE_LEVEL
228: %token PROPOSAL_CHECK PROPOSAL_CHECK_LEVEL
229: %token GENERATE_POLICY GENERATE_LEVEL SUPPORT_PROXY
230: %token PROPOSAL
231: %token EXEC_PATH EXEC_COMMAND EXEC_SUCCESS EXEC_FAILURE
232: %token GSS_ID GSS_ID_ENC GSS_ID_ENCTYPE
233: %token COMPLEX_BUNDLE
234: %token DPD DPD_DELAY DPD_RETRY DPD_MAXFAIL
235: %token PH1ID
236: %token XAUTH_LOGIN WEAK_PHASE1_CHECK
237: %token REKEY
238:
239: %token PREFIX PORT PORTANY UL_PROTO ANY IKE_FRAG ESP_FRAG MODE_CFG
240: %token PFS_GROUP LIFETIME LIFETYPE_TIME LIFETYPE_BYTE STRENGTH REMOTEID
241:
242: %token SCRIPT PHASE1_UP PHASE1_DOWN PHASE1_DEAD
243:
244: %token NUMBER SWITCH BOOLEAN
245: %token HEXSTRING QUOTEDSTRING ADDRSTRING ADDRRANGE
246: %token UNITTYPE_BYTE UNITTYPE_KBYTES UNITTYPE_MBYTES UNITTYPE_TBYTES
247: %token UNITTYPE_SEC UNITTYPE_MIN UNITTYPE_HOUR
248: %token EOS BOC EOC COMMA
249:
250: %type <num> NUMBER BOOLEAN SWITCH keylength
251: %type <num> PATHTYPE IDENTIFIERTYPE IDENTIFIERQUAL LOGLEV GSS_ID_ENCTYPE
252: %type <num> ALGORITHM_CLASS dh_group_num
253: %type <num> ALGORITHMTYPE STRENGTHTYPE
254: %type <num> PREFIX prefix PORT port ike_port
255: %type <num> ul_proto UL_PROTO
256: %type <num> EXCHANGETYPE DOITYPE SITUATIONTYPE
257: %type <num> CERTTYPE CERT_X509 CERT_PLAINRSA PROPOSAL_CHECK_LEVEL REMOTE_FORCE_LEVEL GENERATE_LEVEL
258: %type <num> unittype_time unittype_byte
259: %type <val> QUOTEDSTRING HEXSTRING ADDRSTRING ADDRRANGE sainfo_id
260: %type <val> identifierstring
261: %type <saddr> remote_index ike_addrinfo_port
262: %type <alg> algorithm
263:
264: %%
265:
266: statements
267: : /* nothing */
268: | statements statement
269: ;
270: statement
271: : privsep_statement
272: | path_statement
273: | include_statement
274: | pfkey_statement
275: | gssenc_statement
276: | logging_statement
277: | padding_statement
278: | listen_statement
279: | ldapcfg_statement
280: | radcfg_statement
281: | modecfg_statement
282: | timer_statement
283: | sainfo_statement
284: | remote_statement
285: | special_statement
286: ;
287:
288: /* privsep */
289: privsep_statement
290: : PRIVSEP BOC privsep_stmts EOC
291: ;
292: privsep_stmts
293: : /* nothing */
294: | privsep_stmts privsep_stmt
295: ;
296: privsep_stmt
297: : USER QUOTEDSTRING
298: {
299: struct passwd *pw;
300:
301: if ((pw = getpwnam($2->v)) == NULL) {
302: yyerror("unknown user \"%s\"", $2->v);
303: return -1;
304: }
305: lcconf->uid = pw->pw_uid;
306: }
307: EOS
308: | USER NUMBER { lcconf->uid = $2; } EOS
309: | GROUP QUOTEDSTRING
310: {
311: struct group *gr;
312:
313: if ((gr = getgrnam($2->v)) == NULL) {
314: yyerror("unknown group \"%s\"", $2->v);
315: return -1;
316: }
317: lcconf->gid = gr->gr_gid;
318: }
319: EOS
320: | GROUP NUMBER { lcconf->gid = $2; } EOS
321: | CHROOT QUOTEDSTRING { lcconf->chroot = $2->v; } EOS
322: ;
323:
324: /* path */
325: path_statement
326: : PATH PATHTYPE QUOTEDSTRING
327: {
328: if ($2 >= LC_PATHTYPE_MAX) {
329: yyerror("invalid path type %d", $2);
330: return -1;
331: }
332:
333: /* free old pathinfo */
334: if (lcconf->pathinfo[$2])
335: racoon_free(lcconf->pathinfo[$2]);
336:
337: /* set new pathinfo */
338: lcconf->pathinfo[$2] = racoon_strdup($3->v);
339: STRDUP_FATAL(lcconf->pathinfo[$2]);
340: vfree($3);
341: }
342: EOS
343: ;
344:
345: /* special */
346: special_statement
347: : COMPLEX_BUNDLE SWITCH { lcconf->complex_bundle = $2; } EOS
348: ;
349:
350: /* include */
351: include_statement
352: : INCLUDE QUOTEDSTRING EOS
353: {
354: char path[MAXPATHLEN];
355:
356: getpathname(path, sizeof(path),
357: LC_PATHTYPE_INCLUDE, $2->v);
358: vfree($2);
359: if (yycf_switch_buffer(path) != 0)
360: return -1;
361: }
362: ;
363:
364: /* pfkey_buffer */
365: pfkey_statement
366: : PFKEY_BUFFER NUMBER EOS
367: {
368: lcconf->pfkey_buffer_size = $2;
369: }
370: ;
371: /* gss_id_enc */
372: gssenc_statement
373: : GSS_ID_ENC GSS_ID_ENCTYPE EOS
374: {
375: if ($2 >= LC_GSSENC_MAX) {
376: yyerror("invalid GSS ID encoding %d", $2);
377: return -1;
378: }
379: lcconf->gss_id_enc = $2;
380: }
381: ;
382:
383: /* logging */
384: logging_statement
385: : LOGGING log_level EOS
386: ;
387: log_level
388: : LOGLEV
389: {
390: /*
391: * set the loglevel to the value specified
392: * in the configuration file plus the number
393: * of -d options specified on the command line
394: */
395: loglevel += $1 - oldloglevel;
396: oldloglevel = $1;
397: }
398: ;
399:
400: /* padding */
401: padding_statement
402: : PADDING BOC padding_stmts EOC
403: ;
404: padding_stmts
405: : /* nothing */
406: | padding_stmts padding_stmt
407: ;
408: padding_stmt
409: : PAD_RANDOMIZE SWITCH { lcconf->pad_random = $2; } EOS
410: | PAD_RANDOMIZELEN SWITCH { lcconf->pad_randomlen = $2; } EOS
411: | PAD_MAXLEN NUMBER { lcconf->pad_maxsize = $2; } EOS
412: | PAD_STRICT SWITCH { lcconf->pad_strict = $2; } EOS
413: | PAD_EXCLTAIL SWITCH { lcconf->pad_excltail = $2; } EOS
414: ;
415:
416: /* listen */
417: listen_statement
418: : LISTEN BOC listen_stmts EOC
419: ;
420: listen_stmts
421: : /* nothing */
422: | listen_stmts listen_stmt
423: ;
424: listen_stmt
425: : X_ISAKMP ike_addrinfo_port
426: {
427: myaddr_listen($2, FALSE);
428: racoon_free($2);
429: }
430: EOS
431: | X_ISAKMP_NATT ike_addrinfo_port
432: {
433: #ifdef ENABLE_NATT
434: myaddr_listen($2, TRUE);
435: racoon_free($2);
436: #else
437: racoon_free($2);
438: yyerror("NAT-T support not compiled in.");
439: #endif
440: }
441: EOS
442: | ADMINSOCK QUOTEDSTRING QUOTEDSTRING QUOTEDSTRING NUMBER
443: {
444: #ifdef ENABLE_ADMINPORT
445: adminsock_conf($2, $3, $4, $5);
446: #else
447: yywarn("admin port support not compiled in");
448: #endif
449: }
450: EOS
451: | ADMINSOCK QUOTEDSTRING
452: {
453: #ifdef ENABLE_ADMINPORT
454: adminsock_conf($2, NULL, NULL, -1);
455: #else
456: yywarn("admin port support not compiled in");
457: #endif
458: }
459: EOS
460: | ADMINSOCK DISABLED
461: {
462: #ifdef ENABLE_ADMINPORT
463: adminsock_path = NULL;
464: #else
465: yywarn("admin port support not compiled in");
466: #endif
467: }
468: EOS
469: | STRICT_ADDRESS { lcconf->strict_address = TRUE; } EOS
470: ;
471: ike_addrinfo_port
472: : ADDRSTRING ike_port
473: {
474: char portbuf[10];
475:
476: snprintf(portbuf, sizeof(portbuf), "%ld", $2);
477: $$ = str2saddr($1->v, portbuf);
478: vfree($1);
479: if (!$$)
480: return -1;
481: }
482: ;
483: ike_port
484: : /* nothing */ { $$ = PORT_ISAKMP; }
485: | PORT { $$ = $1; }
486: ;
487:
488: /* radius configuration */
489: radcfg_statement
490: : RADCFG {
491: #ifndef ENABLE_HYBRID
492: yyerror("racoon not configured with --enable-hybrid");
493: return -1;
494: #endif
495: #ifndef HAVE_LIBRADIUS
496: yyerror("racoon not configured with --with-libradius");
497: return -1;
498: #endif
499: #ifdef ENABLE_HYBRID
500: #ifdef HAVE_LIBRADIUS
501: xauth_rad_config.timeout = 3;
502: xauth_rad_config.retries = 3;
503: #endif
504: #endif
505: } BOC radcfg_stmts EOC
506: ;
507: radcfg_stmts
508: : /* nothing */
509: | radcfg_stmts radcfg_stmt
510: ;
511: radcfg_stmt
512: : RAD_AUTH QUOTEDSTRING QUOTEDSTRING
513: {
514: #ifdef ENABLE_HYBRID
515: #ifdef HAVE_LIBRADIUS
516: int i = xauth_rad_config.auth_server_count;
517: if (i == RADIUS_MAX_SERVERS) {
518: yyerror("maximum radius auth servers exceeded");
519: return -1;
520: }
521:
522: xauth_rad_config.auth_server_list[i].host = vdup($2);
523: xauth_rad_config.auth_server_list[i].secret = vdup($3);
524: xauth_rad_config.auth_server_list[i].port = 0; // default port
525: xauth_rad_config.auth_server_count++;
526: #endif
527: #endif
528: }
529: EOS
530: | RAD_AUTH QUOTEDSTRING NUMBER QUOTEDSTRING
531: {
532: #ifdef ENABLE_HYBRID
533: #ifdef HAVE_LIBRADIUS
534: int i = xauth_rad_config.auth_server_count;
535: if (i == RADIUS_MAX_SERVERS) {
536: yyerror("maximum radius auth servers exceeded");
537: return -1;
538: }
539:
540: xauth_rad_config.auth_server_list[i].host = vdup($2);
541: xauth_rad_config.auth_server_list[i].secret = vdup($4);
542: xauth_rad_config.auth_server_list[i].port = $3;
543: xauth_rad_config.auth_server_count++;
544: #endif
545: #endif
546: }
547: EOS
548: | RAD_ACCT QUOTEDSTRING QUOTEDSTRING
549: {
550: #ifdef ENABLE_HYBRID
551: #ifdef HAVE_LIBRADIUS
552: int i = xauth_rad_config.acct_server_count;
553: if (i == RADIUS_MAX_SERVERS) {
554: yyerror("maximum radius account servers exceeded");
555: return -1;
556: }
557:
558: xauth_rad_config.acct_server_list[i].host = vdup($2);
559: xauth_rad_config.acct_server_list[i].secret = vdup($3);
560: xauth_rad_config.acct_server_list[i].port = 0; // default port
561: xauth_rad_config.acct_server_count++;
562: #endif
563: #endif
564: }
565: EOS
566: | RAD_ACCT QUOTEDSTRING NUMBER QUOTEDSTRING
567: {
568: #ifdef ENABLE_HYBRID
569: #ifdef HAVE_LIBRADIUS
570: int i = xauth_rad_config.acct_server_count;
571: if (i == RADIUS_MAX_SERVERS) {
572: yyerror("maximum radius account servers exceeded");
573: return -1;
574: }
575:
576: xauth_rad_config.acct_server_list[i].host = vdup($2);
577: xauth_rad_config.acct_server_list[i].secret = vdup($4);
578: xauth_rad_config.acct_server_list[i].port = $3;
579: xauth_rad_config.acct_server_count++;
580: #endif
581: #endif
582: }
583: EOS
584: | RAD_TIMEOUT NUMBER
585: {
586: #ifdef ENABLE_HYBRID
587: #ifdef HAVE_LIBRADIUS
588: xauth_rad_config.timeout = $2;
589: #endif
590: #endif
591: }
592: EOS
593: | RAD_RETRIES NUMBER
594: {
595: #ifdef ENABLE_HYBRID
596: #ifdef HAVE_LIBRADIUS
597: xauth_rad_config.retries = $2;
598: #endif
599: #endif
600: }
601: EOS
602: ;
603:
604: /* ldap configuration */
605: ldapcfg_statement
606: : LDAPCFG {
607: #ifndef ENABLE_HYBRID
608: yyerror("racoon not configured with --enable-hybrid");
609: return -1;
610: #endif
611: #ifndef HAVE_LIBLDAP
612: yyerror("racoon not configured with --with-libldap");
613: return -1;
614: #endif
615: } BOC ldapcfg_stmts EOC
616: ;
617: ldapcfg_stmts
618: : /* nothing */
619: | ldapcfg_stmts ldapcfg_stmt
620: ;
621: ldapcfg_stmt
622: : LDAP_PVER NUMBER
623: {
624: #ifdef ENABLE_HYBRID
625: #ifdef HAVE_LIBLDAP
626: if (($2<2)||($2>3))
627: yyerror("invalid ldap protocol version (2|3)");
628: xauth_ldap_config.pver = $2;
629: #endif
630: #endif
631: }
632: EOS
633: | LDAP_HOST QUOTEDSTRING
634: {
635: #ifdef ENABLE_HYBRID
636: #ifdef HAVE_LIBLDAP
637: if (xauth_ldap_config.host != NULL)
638: vfree(xauth_ldap_config.host);
639: xauth_ldap_config.host = vdup($2);
640: #endif
641: #endif
642: }
643: EOS
644: | LDAP_PORT NUMBER
645: {
646: #ifdef ENABLE_HYBRID
647: #ifdef HAVE_LIBLDAP
648: xauth_ldap_config.port = $2;
649: #endif
650: #endif
651: }
652: EOS
653: | LDAP_BASE QUOTEDSTRING
654: {
655: #ifdef ENABLE_HYBRID
656: #ifdef HAVE_LIBLDAP
657: if (xauth_ldap_config.base != NULL)
658: vfree(xauth_ldap_config.base);
659: xauth_ldap_config.base = vdup($2);
660: #endif
661: #endif
662: }
663: EOS
664: | LDAP_SUBTREE SWITCH
665: {
666: #ifdef ENABLE_HYBRID
667: #ifdef HAVE_LIBLDAP
668: xauth_ldap_config.subtree = $2;
669: #endif
670: #endif
671: }
672: EOS
673: | LDAP_BIND_DN QUOTEDSTRING
674: {
675: #ifdef ENABLE_HYBRID
676: #ifdef HAVE_LIBLDAP
677: if (xauth_ldap_config.bind_dn != NULL)
678: vfree(xauth_ldap_config.bind_dn);
679: xauth_ldap_config.bind_dn = vdup($2);
680: #endif
681: #endif
682: }
683: EOS
684: | LDAP_BIND_PW QUOTEDSTRING
685: {
686: #ifdef ENABLE_HYBRID
687: #ifdef HAVE_LIBLDAP
688: if (xauth_ldap_config.bind_pw != NULL)
689: vfree(xauth_ldap_config.bind_pw);
690: xauth_ldap_config.bind_pw = vdup($2);
691: #endif
692: #endif
693: }
694: EOS
695: | LDAP_ATTR_USER QUOTEDSTRING
696: {
697: #ifdef ENABLE_HYBRID
698: #ifdef HAVE_LIBLDAP
699: if (xauth_ldap_config.attr_user != NULL)
700: vfree(xauth_ldap_config.attr_user);
701: xauth_ldap_config.attr_user = vdup($2);
702: #endif
703: #endif
704: }
705: EOS
706: | LDAP_ATTR_ADDR QUOTEDSTRING
707: {
708: #ifdef ENABLE_HYBRID
709: #ifdef HAVE_LIBLDAP
710: if (xauth_ldap_config.attr_addr != NULL)
711: vfree(xauth_ldap_config.attr_addr);
712: xauth_ldap_config.attr_addr = vdup($2);
713: #endif
714: #endif
715: }
716: EOS
717: | LDAP_ATTR_MASK QUOTEDSTRING
718: {
719: #ifdef ENABLE_HYBRID
720: #ifdef HAVE_LIBLDAP
721: if (xauth_ldap_config.attr_mask != NULL)
722: vfree(xauth_ldap_config.attr_mask);
723: xauth_ldap_config.attr_mask = vdup($2);
724: #endif
725: #endif
726: }
727: EOS
728: | LDAP_ATTR_GROUP QUOTEDSTRING
729: {
730: #ifdef ENABLE_HYBRID
731: #ifdef HAVE_LIBLDAP
732: if (xauth_ldap_config.attr_group != NULL)
733: vfree(xauth_ldap_config.attr_group);
734: xauth_ldap_config.attr_group = vdup($2);
735: #endif
736: #endif
737: }
738: EOS
739: | LDAP_ATTR_MEMBER QUOTEDSTRING
740: {
741: #ifdef ENABLE_HYBRID
742: #ifdef HAVE_LIBLDAP
743: if (xauth_ldap_config.attr_member != NULL)
744: vfree(xauth_ldap_config.attr_member);
745: xauth_ldap_config.attr_member = vdup($2);
746: #endif
747: #endif
748: }
749: EOS
750: ;
751:
752: /* modecfg */
753: modecfg_statement
754: : MODECFG BOC modecfg_stmts EOC
755: ;
756: modecfg_stmts
757: : /* nothing */
758: | modecfg_stmts modecfg_stmt
759: ;
760: modecfg_stmt
761: : CFG_NET4 ADDRSTRING
762: {
763: #ifdef ENABLE_HYBRID
764: if (inet_pton(AF_INET, $2->v,
765: &isakmp_cfg_config.network4) != 1)
766: yyerror("bad IPv4 network address.");
767: #else
768: yyerror("racoon not configured with --enable-hybrid");
769: #endif
770: }
771: EOS
772: | CFG_MASK4 ADDRSTRING
773: {
774: #ifdef ENABLE_HYBRID
775: if (inet_pton(AF_INET, $2->v,
776: &isakmp_cfg_config.netmask4) != 1)
777: yyerror("bad IPv4 netmask address.");
778: #else
779: yyerror("racoon not configured with --enable-hybrid");
780: #endif
781: }
782: EOS
783: | CFG_DNS4 addrdnslist
784: EOS
785: | CFG_NBNS4 addrwinslist
786: EOS
787: | CFG_SPLIT_NETWORK CFG_SPLIT_LOCAL splitnetlist
788: {
789: #ifdef ENABLE_HYBRID
790: isakmp_cfg_config.splitnet_type = UNITY_LOCAL_LAN;
791: #else
792: yyerror("racoon not configured with --enable-hybrid");
793: #endif
794: }
795: EOS
796: | CFG_SPLIT_NETWORK CFG_SPLIT_INCLUDE splitnetlist
797: {
798: #ifdef ENABLE_HYBRID
799: isakmp_cfg_config.splitnet_type = UNITY_SPLIT_INCLUDE;
800: #else
801: yyerror("racoon not configured with --enable-hybrid");
802: #endif
803: }
804: EOS
805: | CFG_SPLIT_DNS splitdnslist
806: {
807: #ifndef ENABLE_HYBRID
808: yyerror("racoon not configured with --enable-hybrid");
809: #endif
810: }
811: EOS
812: | CFG_DEFAULT_DOMAIN QUOTEDSTRING
813: {
814: #ifdef ENABLE_HYBRID
815: strncpy(&isakmp_cfg_config.default_domain[0],
816: $2->v, MAXPATHLEN);
817: isakmp_cfg_config.default_domain[MAXPATHLEN] = '\0';
818: vfree($2);
819: #else
820: yyerror("racoon not configured with --enable-hybrid");
821: #endif
822: }
823: EOS
824: | CFG_AUTH_SOURCE CFG_SYSTEM
825: {
826: #ifdef ENABLE_HYBRID
827: isakmp_cfg_config.authsource = ISAKMP_CFG_AUTH_SYSTEM;
828: #else
829: yyerror("racoon not configured with --enable-hybrid");
830: #endif
831: }
832: EOS
833: | CFG_AUTH_SOURCE CFG_RADIUS
834: {
835: #ifdef ENABLE_HYBRID
836: #ifdef HAVE_LIBRADIUS
837: isakmp_cfg_config.authsource = ISAKMP_CFG_AUTH_RADIUS;
838: #else /* HAVE_LIBRADIUS */
839: yyerror("racoon not configured with --with-libradius");
840: #endif /* HAVE_LIBRADIUS */
841: #else /* ENABLE_HYBRID */
842: yyerror("racoon not configured with --enable-hybrid");
843: #endif /* ENABLE_HYBRID */
844: }
845: EOS
846: | CFG_AUTH_SOURCE CFG_PAM
847: {
848: #ifdef ENABLE_HYBRID
849: #ifdef HAVE_LIBPAM
850: isakmp_cfg_config.authsource = ISAKMP_CFG_AUTH_PAM;
851: #else /* HAVE_LIBPAM */
852: yyerror("racoon not configured with --with-libpam");
853: #endif /* HAVE_LIBPAM */
854: #else /* ENABLE_HYBRID */
855: yyerror("racoon not configured with --enable-hybrid");
856: #endif /* ENABLE_HYBRID */
857: }
858: EOS
859: | CFG_AUTH_SOURCE CFG_LDAP
860: {
861: #ifdef ENABLE_HYBRID
862: #ifdef HAVE_LIBLDAP
863: isakmp_cfg_config.authsource = ISAKMP_CFG_AUTH_LDAP;
864: #else /* HAVE_LIBLDAP */
865: yyerror("racoon not configured with --with-libldap");
866: #endif /* HAVE_LIBLDAP */
867: #else /* ENABLE_HYBRID */
868: yyerror("racoon not configured with --enable-hybrid");
869: #endif /* ENABLE_HYBRID */
870: }
871: EOS
872: | CFG_AUTH_GROUPS authgrouplist
873: {
874: #ifndef ENABLE_HYBRID
875: yyerror("racoon not configured with --enable-hybrid");
876: #endif
877: }
878: EOS
879: | CFG_GROUP_SOURCE CFG_SYSTEM
880: {
881: #ifdef ENABLE_HYBRID
882: isakmp_cfg_config.groupsource = ISAKMP_CFG_GROUP_SYSTEM;
883: #else
884: yyerror("racoon not configured with --enable-hybrid");
885: #endif
886: }
887: EOS
888: | CFG_GROUP_SOURCE CFG_LDAP
889: {
890: #ifdef ENABLE_HYBRID
891: #ifdef HAVE_LIBLDAP
892: isakmp_cfg_config.groupsource = ISAKMP_CFG_GROUP_LDAP;
893: #else /* HAVE_LIBLDAP */
894: yyerror("racoon not configured with --with-libldap");
895: #endif /* HAVE_LIBLDAP */
896: #else /* ENABLE_HYBRID */
897: yyerror("racoon not configured with --enable-hybrid");
898: #endif /* ENABLE_HYBRID */
899: }
900: EOS
901: | CFG_ACCOUNTING CFG_NONE
902: {
903: #ifdef ENABLE_HYBRID
904: isakmp_cfg_config.accounting = ISAKMP_CFG_ACCT_NONE;
905: #else
906: yyerror("racoon not configured with --enable-hybrid");
907: #endif
908: }
909: EOS
910: | CFG_ACCOUNTING CFG_SYSTEM
911: {
912: #ifdef ENABLE_HYBRID
913: isakmp_cfg_config.accounting = ISAKMP_CFG_ACCT_SYSTEM;
914: #else
915: yyerror("racoon not configured with --enable-hybrid");
916: #endif
917: }
918: EOS
919: | CFG_ACCOUNTING CFG_RADIUS
920: {
921: #ifdef ENABLE_HYBRID
922: #ifdef HAVE_LIBRADIUS
923: isakmp_cfg_config.accounting = ISAKMP_CFG_ACCT_RADIUS;
924: #else /* HAVE_LIBRADIUS */
925: yyerror("racoon not configured with --with-libradius");
926: #endif /* HAVE_LIBRADIUS */
927: #else /* ENABLE_HYBRID */
928: yyerror("racoon not configured with --enable-hybrid");
929: #endif /* ENABLE_HYBRID */
930: }
931: EOS
932: | CFG_ACCOUNTING CFG_PAM
933: {
934: #ifdef ENABLE_HYBRID
935: #ifdef HAVE_LIBPAM
936: isakmp_cfg_config.accounting = ISAKMP_CFG_ACCT_PAM;
937: #else /* HAVE_LIBPAM */
938: yyerror("racoon not configured with --with-libpam");
939: #endif /* HAVE_LIBPAM */
940: #else /* ENABLE_HYBRID */
941: yyerror("racoon not configured with --enable-hybrid");
942: #endif /* ENABLE_HYBRID */
943: }
944: EOS
945: | CFG_POOL_SIZE NUMBER
946: {
947: #ifdef ENABLE_HYBRID
948: if (isakmp_cfg_resize_pool($2) != 0)
949: yyerror("cannot allocate memory for pool");
950: #else /* ENABLE_HYBRID */
951: yyerror("racoon not configured with --enable-hybrid");
952: #endif /* ENABLE_HYBRID */
953: }
954: EOS
955: | CFG_PFS_GROUP NUMBER
956: {
957: #ifdef ENABLE_HYBRID
958: isakmp_cfg_config.pfs_group = $2;
959: #else /* ENABLE_HYBRID */
960: yyerror("racoon not configured with --enable-hybrid");
961: #endif /* ENABLE_HYBRID */
962: }
963: EOS
964: | CFG_SAVE_PASSWD SWITCH
965: {
966: #ifdef ENABLE_HYBRID
967: isakmp_cfg_config.save_passwd = $2;
968: #else /* ENABLE_HYBRID */
969: yyerror("racoon not configured with --enable-hybrid");
970: #endif /* ENABLE_HYBRID */
971: }
972: EOS
973: | CFG_AUTH_THROTTLE NUMBER
974: {
975: #ifdef ENABLE_HYBRID
976: isakmp_cfg_config.auth_throttle = $2;
977: #else /* ENABLE_HYBRID */
978: yyerror("racoon not configured with --enable-hybrid");
979: #endif /* ENABLE_HYBRID */
980: }
981: EOS
982: | CFG_CONF_SOURCE CFG_LOCAL
983: {
984: #ifdef ENABLE_HYBRID
985: isakmp_cfg_config.confsource = ISAKMP_CFG_CONF_LOCAL;
986: #else /* ENABLE_HYBRID */
987: yyerror("racoon not configured with --enable-hybrid");
988: #endif /* ENABLE_HYBRID */
989: }
990: EOS
991: | CFG_CONF_SOURCE CFG_RADIUS
992: {
993: #ifdef ENABLE_HYBRID
994: #ifdef HAVE_LIBRADIUS
995: isakmp_cfg_config.confsource = ISAKMP_CFG_CONF_RADIUS;
996: #else /* HAVE_LIBRADIUS */
997: yyerror("racoon not configured with --with-libradius");
998: #endif /* HAVE_LIBRADIUS */
999: #else /* ENABLE_HYBRID */
1000: yyerror("racoon not configured with --enable-hybrid");
1001: #endif /* ENABLE_HYBRID */
1002: }
1003: EOS
1004: | CFG_CONF_SOURCE CFG_LDAP
1005: {
1006: #ifdef ENABLE_HYBRID
1007: #ifdef HAVE_LIBLDAP
1008: isakmp_cfg_config.confsource = ISAKMP_CFG_CONF_LDAP;
1009: #else /* HAVE_LIBLDAP */
1010: yyerror("racoon not configured with --with-libldap");
1011: #endif /* HAVE_LIBLDAP */
1012: #else /* ENABLE_HYBRID */
1013: yyerror("racoon not configured with --enable-hybrid");
1014: #endif /* ENABLE_HYBRID */
1015: }
1016: EOS
1017: | CFG_MOTD QUOTEDSTRING
1018: {
1019: #ifdef ENABLE_HYBRID
1020: strncpy(&isakmp_cfg_config.motd[0], $2->v, MAXPATHLEN);
1021: isakmp_cfg_config.motd[MAXPATHLEN] = '\0';
1022: vfree($2);
1023: #else
1024: yyerror("racoon not configured with --enable-hybrid");
1025: #endif
1026: }
1027: EOS
1028: ;
1029:
1030: addrdnslist
1031: : addrdns
1032: | addrdns COMMA addrdnslist
1033: ;
1034: addrdns
1035: : ADDRSTRING
1036: {
1037: #ifdef ENABLE_HYBRID
1038: struct isakmp_cfg_config *icc = &isakmp_cfg_config;
1039:
1040: if (icc->dns4_index > MAXNS)
1041: yyerror("No more than %d DNS", MAXNS);
1042: if (inet_pton(AF_INET, $1->v,
1043: &icc->dns4[icc->dns4_index++]) != 1)
1044: yyerror("bad IPv4 DNS address.");
1045: #else
1046: yyerror("racoon not configured with --enable-hybrid");
1047: #endif
1048: }
1049: ;
1050:
1051: addrwinslist
1052: : addrwins
1053: | addrwins COMMA addrwinslist
1054: ;
1055: addrwins
1056: : ADDRSTRING
1057: {
1058: #ifdef ENABLE_HYBRID
1059: struct isakmp_cfg_config *icc = &isakmp_cfg_config;
1060:
1061: if (icc->nbns4_index > MAXWINS)
1062: yyerror("No more than %d WINS", MAXWINS);
1063: if (inet_pton(AF_INET, $1->v,
1064: &icc->nbns4[icc->nbns4_index++]) != 1)
1065: yyerror("bad IPv4 WINS address.");
1066: #else
1067: yyerror("racoon not configured with --enable-hybrid");
1068: #endif
1069: }
1070: ;
1071:
1072: splitnetlist
1073: : splitnet
1074: | splitnetlist COMMA splitnet
1075: ;
1076: splitnet
1077: : ADDRSTRING PREFIX
1078: {
1079: #ifdef ENABLE_HYBRID
1080: struct isakmp_cfg_config *icc = &isakmp_cfg_config;
1081: struct unity_network network;
1082: memset(&network,0,sizeof(network));
1083:
1084: if (inet_pton(AF_INET, $1->v, &network.addr4) != 1)
1085: yyerror("bad IPv4 SPLIT address.");
1086:
1087: /* Turn $2 (the prefix) into a subnet mask */
1088: network.mask4.s_addr = ($2) ? htonl(~((1 << (32 - $2)) - 1)) : 0;
1089:
1090: /* add the network to our list */
1091: if (splitnet_list_add(&icc->splitnet_list, &network,&icc->splitnet_count))
1092: yyerror("Unable to allocate split network");
1093: #else
1094: yyerror("racoon not configured with --enable-hybrid");
1095: #endif
1096: }
1097: ;
1098:
1099: authgrouplist
1100: : authgroup
1101: | authgroup COMMA authgrouplist
1102: ;
1103: authgroup
1104: : QUOTEDSTRING
1105: {
1106: #ifdef ENABLE_HYBRID
1107: char * groupname = NULL;
1108: char ** grouplist = NULL;
1109: struct isakmp_cfg_config *icc = &isakmp_cfg_config;
1110:
1111: grouplist = racoon_realloc(icc->grouplist,
1112: sizeof(char**)*(icc->groupcount+1));
1113: if (grouplist == NULL) {
1114: yyerror("unable to allocate auth group list");
1115: return -1;
1116: }
1117:
1118: groupname = racoon_malloc($1->l+1);
1119: if (groupname == NULL) {
1120: yyerror("unable to allocate auth group name");
1121: return -1;
1122: }
1123:
1124: memcpy(groupname,$1->v,$1->l);
1125: groupname[$1->l]=0;
1126: grouplist[icc->groupcount]=groupname;
1127: icc->grouplist = grouplist;
1128: icc->groupcount++;
1129:
1130: vfree($1);
1131: #else
1132: yyerror("racoon not configured with --enable-hybrid");
1133: #endif
1134: }
1135: ;
1136:
1137: splitdnslist
1138: : splitdns
1139: | splitdns COMMA splitdnslist
1140: ;
1141: splitdns
1142: : QUOTEDSTRING
1143: {
1144: #ifdef ENABLE_HYBRID
1145: struct isakmp_cfg_config *icc = &isakmp_cfg_config;
1146:
1147: if (!icc->splitdns_len)
1148: {
1149: icc->splitdns_list = racoon_malloc($1->l);
1150: if(icc->splitdns_list == NULL) {
1151: yyerror("error allocating splitdns list buffer");
1152: return -1;
1153: }
1154: memcpy(icc->splitdns_list,$1->v,$1->l);
1155: icc->splitdns_len = $1->l;
1156: }
1157: else
1158: {
1159: int len = icc->splitdns_len + $1->l + 1;
1160: icc->splitdns_list = racoon_realloc(icc->splitdns_list,len);
1161: if(icc->splitdns_list == NULL) {
1162: yyerror("error allocating splitdns list buffer");
1163: return -1;
1164: }
1165: icc->splitdns_list[icc->splitdns_len] = ',';
1166: memcpy(icc->splitdns_list + icc->splitdns_len + 1, $1->v, $1->l);
1167: icc->splitdns_len = len;
1168: }
1169: vfree($1);
1170: #else
1171: yyerror("racoon not configured with --enable-hybrid");
1172: #endif
1173: }
1174: ;
1175:
1176:
1177: /* timer */
1178: timer_statement
1179: : RETRY BOC timer_stmts EOC
1180: ;
1181: timer_stmts
1182: : /* nothing */
1183: | timer_stmts timer_stmt
1184: ;
1185: timer_stmt
1186: : RETRY_COUNTER NUMBER
1187: {
1188: lcconf->retry_counter = $2;
1189: }
1190: EOS
1191: | RETRY_INTERVAL NUMBER unittype_time
1192: {
1193: lcconf->retry_interval = $2 * $3;
1194: }
1195: EOS
1196: | RETRY_PERSEND NUMBER
1197: {
1198: lcconf->count_persend = $2;
1199: }
1200: EOS
1201: | RETRY_PHASE1 NUMBER unittype_time
1202: {
1203: lcconf->retry_checkph1 = $2 * $3;
1204: }
1205: EOS
1206: | RETRY_PHASE2 NUMBER unittype_time
1207: {
1208: lcconf->wait_ph2complete = $2 * $3;
1209: }
1210: EOS
1211: | NATT_KA NUMBER unittype_time
1212: {
1213: #ifdef ENABLE_NATT
1214: if (libipsec_opt & LIBIPSEC_OPT_NATT)
1215: lcconf->natt_ka_interval = $2 * $3;
1216: else
1217: yyerror("libipsec lacks NAT-T support");
1218: #else
1219: yyerror("NAT-T support not compiled in.");
1220: #endif
1221: }
1222: EOS
1223: ;
1224:
1225: /* sainfo */
1226: sainfo_statement
1227: : SAINFO
1228: {
1229: cur_sainfo = newsainfo();
1230: if (cur_sainfo == NULL) {
1231: yyerror("failed to allocate sainfo");
1232: return -1;
1233: }
1234: }
1235: sainfo_name sainfo_param BOC sainfo_specs
1236: {
1237: struct sainfo *check;
1238:
1239: /* default */
1240: if (cur_sainfo->algs[algclass_ipsec_enc] == 0) {
1241: yyerror("no encryption algorithm at %s",
1242: sainfo2str(cur_sainfo));
1243: return -1;
1244: }
1245: if (cur_sainfo->algs[algclass_ipsec_auth] == 0) {
1246: yyerror("no authentication algorithm at %s",
1247: sainfo2str(cur_sainfo));
1248: return -1;
1249: }
1250: if (cur_sainfo->algs[algclass_ipsec_comp] == 0) {
1251: yyerror("no compression algorithm at %s",
1252: sainfo2str(cur_sainfo));
1253: return -1;
1254: }
1255:
1256: /* duplicate check */
1257: check = getsainfo(cur_sainfo->idsrc,
1258: cur_sainfo->iddst,
1259: cur_sainfo->id_i,
1260: NULL,
1261: cur_sainfo->remoteid);
1262:
1263: if (check && ((check->idsrc != SAINFO_ANONYMOUS) &&
1264: (cur_sainfo->idsrc != SAINFO_ANONYMOUS))) {
1265: yyerror("duplicated sainfo: %s",
1266: sainfo2str(cur_sainfo));
1267: return -1;
1268: }
1269:
1270: inssainfo(cur_sainfo);
1271: }
1272: EOC
1273: ;
1274: sainfo_name
1275: : ANONYMOUS
1276: {
1277: cur_sainfo->idsrc = SAINFO_ANONYMOUS;
1278: cur_sainfo->iddst = SAINFO_ANONYMOUS;
1279: }
1280: | ANONYMOUS CLIENTADDR
1281: {
1282: cur_sainfo->idsrc = SAINFO_ANONYMOUS;
1283: cur_sainfo->iddst = SAINFO_CLIENTADDR;
1284: }
1285: | ANONYMOUS sainfo_id
1286: {
1287: cur_sainfo->idsrc = SAINFO_ANONYMOUS;
1288: cur_sainfo->iddst = $2;
1289: }
1290: | sainfo_id ANONYMOUS
1291: {
1292: cur_sainfo->idsrc = $1;
1293: cur_sainfo->iddst = SAINFO_ANONYMOUS;
1294: }
1295: | sainfo_id CLIENTADDR
1296: {
1297: cur_sainfo->idsrc = $1;
1298: cur_sainfo->iddst = SAINFO_CLIENTADDR;
1299: }
1300: | sainfo_id sainfo_id
1301: {
1302: cur_sainfo->idsrc = $1;
1303: cur_sainfo->iddst = $2;
1304: }
1305: ;
1306: sainfo_id
1307: : IDENTIFIERTYPE ADDRSTRING prefix port ul_proto
1308: {
1309: char portbuf[10];
1310: struct sockaddr *saddr;
1311:
1312: if (($5 == IPPROTO_ICMP || $5 == IPPROTO_ICMPV6)
1313: && ($4 != IPSEC_PORT_ANY || $4 != IPSEC_PORT_ANY)) {
1314: yyerror("port number must be \"any\".");
1315: return -1;
1316: }
1317:
1318: snprintf(portbuf, sizeof(portbuf), "%lu", $4);
1319: saddr = str2saddr($2->v, portbuf);
1320: vfree($2);
1321: if (saddr == NULL)
1322: return -1;
1323:
1324: switch (saddr->sa_family) {
1325: case AF_INET:
1326: if ($5 == IPPROTO_ICMPV6) {
1327: yyerror("upper layer protocol mismatched.\n");
1328: racoon_free(saddr);
1329: return -1;
1330: }
1331: $$ = ipsecdoi_sockaddr2id(saddr,
1332: $3 == ~0 ? (sizeof(struct in_addr) << 3): $3,
1333: $5);
1334: break;
1335: #ifdef INET6
1336: case AF_INET6:
1337: if ($5 == IPPROTO_ICMP) {
1338: yyerror("upper layer protocol mismatched.\n");
1339: racoon_free(saddr);
1340: return -1;
1341: }
1342: $$ = ipsecdoi_sockaddr2id(saddr,
1343: $3 == ~0 ? (sizeof(struct in6_addr) << 3): $3,
1344: $5);
1345: break;
1346: #endif
1347: default:
1348: yyerror("invalid family: %d", saddr->sa_family);
1349: $$ = NULL;
1350: break;
1351: }
1352: racoon_free(saddr);
1353: if ($$ == NULL)
1354: return -1;
1355: }
1356: | IDENTIFIERTYPE ADDRSTRING ADDRRANGE prefix port ul_proto
1357: {
1358: char portbuf[10];
1359: struct sockaddr *laddr = NULL, *haddr = NULL;
1360: char *cur = NULL;
1361:
1362: if (($6 == IPPROTO_ICMP || $6 == IPPROTO_ICMPV6)
1363: && ($5 != IPSEC_PORT_ANY || $5 != IPSEC_PORT_ANY)) {
1364: yyerror("port number must be \"any\".");
1365: return -1;
1366: }
1367:
1368: snprintf(portbuf, sizeof(portbuf), "%lu", $5);
1369:
1370: laddr = str2saddr($2->v, portbuf);
1371: if (laddr == NULL) {
1372: return -1;
1373: }
1374: vfree($2);
1375: haddr = str2saddr($3->v, portbuf);
1376: if (haddr == NULL) {
1377: racoon_free(laddr);
1378: return -1;
1379: }
1380: vfree($3);
1381:
1382: switch (laddr->sa_family) {
1383: case AF_INET:
1384: if ($6 == IPPROTO_ICMPV6) {
1385: yyerror("upper layer protocol mismatched.\n");
1386: if (laddr)
1387: racoon_free(laddr);
1388: if (haddr)
1389: racoon_free(haddr);
1390: return -1;
1391: }
1392: $$ = ipsecdoi_sockrange2id(laddr, haddr,
1393: $6);
1394: break;
1395: #ifdef INET6
1396: case AF_INET6:
1397: if ($6 == IPPROTO_ICMP) {
1398: yyerror("upper layer protocol mismatched.\n");
1399: if (laddr)
1400: racoon_free(laddr);
1401: if (haddr)
1402: racoon_free(haddr);
1403: return -1;
1404: }
1405: $$ = ipsecdoi_sockrange2id(laddr, haddr,
1406: $6);
1407: break;
1408: #endif
1409: default:
1410: yyerror("invalid family: %d", laddr->sa_family);
1411: $$ = NULL;
1412: break;
1413: }
1414: if (laddr)
1415: racoon_free(laddr);
1416: if (haddr)
1417: racoon_free(haddr);
1418: if ($$ == NULL)
1419: return -1;
1420: }
1421: | IDENTIFIERTYPE QUOTEDSTRING
1422: {
1423: struct ipsecdoi_id_b *id_b;
1424:
1425: if ($1 == IDTYPE_ASN1DN) {
1426: yyerror("id type forbidden: %d", $1);
1427: $$ = NULL;
1428: return -1;
1429: }
1430:
1431: $2->l--;
1432:
1433: $$ = vmalloc(sizeof(*id_b) + $2->l);
1434: if ($$ == NULL) {
1435: yyerror("failed to allocate identifier");
1436: return -1;
1437: }
1438:
1439: id_b = (struct ipsecdoi_id_b *)$$->v;
1440: id_b->type = idtype2doi($1);
1441:
1442: id_b->proto_id = 0;
1443: id_b->port = 0;
1444:
1445: memcpy($$->v + sizeof(*id_b), $2->v, $2->l);
1446: }
1447: ;
1448: sainfo_param
1449: : /* nothing */
1450: {
1451: cur_sainfo->id_i = NULL;
1452: }
1453: | FROM IDENTIFIERTYPE identifierstring
1454: {
1455: struct ipsecdoi_id_b *id_b;
1456: vchar_t *idv;
1457:
1458: if (set_identifier(&idv, $2, $3) != 0) {
1459: yyerror("failed to set identifer.\n");
1460: return -1;
1461: }
1462: cur_sainfo->id_i = vmalloc(sizeof(*id_b) + idv->l);
1463: if (cur_sainfo->id_i == NULL) {
1464: yyerror("failed to allocate identifier");
1465: return -1;
1466: }
1467:
1468: id_b = (struct ipsecdoi_id_b *)cur_sainfo->id_i->v;
1469: id_b->type = idtype2doi($2);
1470:
1471: id_b->proto_id = 0;
1472: id_b->port = 0;
1473:
1474: memcpy(cur_sainfo->id_i->v + sizeof(*id_b),
1475: idv->v, idv->l);
1476: vfree(idv);
1477: }
1478: | GROUP QUOTEDSTRING
1479: {
1480: #ifdef ENABLE_HYBRID
1481: if ((cur_sainfo->group = vdup($2)) == NULL) {
1482: yyerror("failed to set sainfo xauth group.\n");
1483: return -1;
1484: }
1485: #else
1486: yyerror("racoon not configured with --enable-hybrid");
1487: return -1;
1488: #endif
1489: }
1490: ;
1491: sainfo_specs
1492: : /* nothing */
1493: | sainfo_specs sainfo_spec
1494: ;
1495: sainfo_spec
1496: : PFS_GROUP dh_group_num
1497: {
1498: cur_sainfo->pfs_group = $2;
1499: }
1500: EOS
1501: | REMOTEID NUMBER
1502: {
1503: cur_sainfo->remoteid = $2;
1504: }
1505: EOS
1506: | LIFETIME LIFETYPE_TIME NUMBER unittype_time
1507: {
1508: cur_sainfo->lifetime = $3 * $4;
1509: }
1510: EOS
1511: | LIFETIME LIFETYPE_BYTE NUMBER unittype_byte
1512: {
1513: #if 1
1514: yyerror("byte lifetime support is deprecated");
1515: return -1;
1516: #else
1517: cur_sainfo->lifebyte = fix_lifebyte($3 * $4);
1518: if (cur_sainfo->lifebyte == 0)
1519: return -1;
1520: #endif
1521: }
1522: EOS
1523: | ALGORITHM_CLASS {
1524: cur_algclass = $1;
1525: }
1526: algorithms EOS
1527: ;
1528:
1529: algorithms
1530: : algorithm
1531: {
1532: inssainfoalg(&cur_sainfo->algs[cur_algclass], $1);
1533: }
1534: | algorithm
1535: {
1536: inssainfoalg(&cur_sainfo->algs[cur_algclass], $1);
1537: }
1538: COMMA algorithms
1539: ;
1540: algorithm
1541: : ALGORITHMTYPE keylength
1542: {
1543: int defklen;
1544:
1545: $$ = newsainfoalg();
1546: if ($$ == NULL) {
1547: yyerror("failed to get algorithm allocation");
1548: return -1;
1549: }
1550:
1551: $$->alg = algtype2doi(cur_algclass, $1);
1552: if ($$->alg == -1) {
1553: yyerror("algorithm mismatched");
1554: racoon_free($$);
1555: $$ = NULL;
1556: return -1;
1557: }
1558:
1559: defklen = default_keylen(cur_algclass, $1);
1560: if (defklen == 0) {
1561: if ($2) {
1562: yyerror("keylen not allowed");
1563: racoon_free($$);
1564: $$ = NULL;
1565: return -1;
1566: }
1567: } else {
1568: if ($2 && check_keylen(cur_algclass, $1, $2) < 0) {
1569: yyerror("invalid keylen %d", $2);
1570: racoon_free($$);
1571: $$ = NULL;
1572: return -1;
1573: }
1574: }
1575:
1576: if ($2)
1577: $$->encklen = $2;
1578: else
1579: $$->encklen = defklen;
1580:
1581: /* check if it's supported algorithm by kernel */
1582: if (!(cur_algclass == algclass_ipsec_auth && $1 == algtype_non_auth)
1583: && pk_checkalg(cur_algclass, $1, $$->encklen)) {
1584: int a = algclass2doi(cur_algclass);
1585: int b = algtype2doi(cur_algclass, $1);
1586: if (a == IPSECDOI_ATTR_AUTH)
1587: a = IPSECDOI_PROTO_IPSEC_AH;
1588: yyerror("algorithm %s not supported by the kernel (missing module?)",
1589: s_ipsecdoi_trns(a, b));
1590: racoon_free($$);
1591: $$ = NULL;
1592: return -1;
1593: }
1594: }
1595: ;
1596: prefix
1597: : /* nothing */ { $$ = ~0; }
1598: | PREFIX { $$ = $1; }
1599: ;
1600: port
1601: : /* nothing */ { $$ = IPSEC_PORT_ANY; }
1602: | PORT { $$ = $1; }
1603: | PORTANY { $$ = IPSEC_PORT_ANY; }
1604: ;
1605: ul_proto
1606: : NUMBER { $$ = $1; }
1607: | UL_PROTO { $$ = $1; }
1608: | ANY { $$ = IPSEC_ULPROTO_ANY; }
1609: ;
1610: keylength
1611: : /* nothing */ { $$ = 0; }
1612: | NUMBER { $$ = $1; }
1613: ;
1614:
1615: /* remote */
1616: remote_statement
1617: : REMOTE QUOTEDSTRING INHERIT QUOTEDSTRING
1618: {
1619: struct remoteconf *from, *new;
1620:
1621: if (getrmconf_by_name($2->v) != NULL) {
1622: yyerror("named remoteconf \"%s\" already exists.");
1623: return -1;
1624: }
1625:
1626: from = getrmconf_by_name($4->v);
1627: if (from == NULL) {
1628: yyerror("named parent remoteconf \"%s\" does not exist.",
1629: $4->v);
1630: return -1;
1631: }
1632:
1633: new = duprmconf_shallow(from);
1634: if (new == NULL) {
1635: yyerror("failed to duplicate remoteconf from \"%s\".",
1636: $4->v);
1637: return -1;
1638: }
1639:
1640: new->name = racoon_strdup($2->v);
1641: cur_rmconf = new;
1642:
1643: vfree($2);
1644: vfree($4);
1645: }
1646: remote_specs_block
1647: | REMOTE QUOTEDSTRING
1648: {
1649: struct remoteconf *new;
1650:
1651: if (getrmconf_by_name($2->v) != NULL) {
1652: yyerror("Named remoteconf \"%s\" already exists.");
1653: return -1;
1654: }
1655:
1656: new = newrmconf();
1657: if (new == NULL) {
1658: yyerror("failed to get new remoteconf.");
1659: return -1;
1660: }
1661: new->name = racoon_strdup($2->v);
1662: cur_rmconf = new;
1663:
1664: vfree($2);
1665: }
1666: remote_specs_block
1667: | REMOTE remote_index INHERIT remote_index
1668: {
1669: struct remoteconf *from, *new;
1670:
1671: from = getrmconf($4, GETRMCONF_F_NO_ANONYMOUS);
1672: if (from == NULL) {
1673: yyerror("failed to get remoteconf for %s.",
1674: saddr2str($4));
1675: return -1;
1676: }
1677:
1678: new = duprmconf_shallow(from);
1679: if (new == NULL) {
1680: yyerror("failed to duplicate remoteconf from %s.",
1681: saddr2str($4));
1682: return -1;
1683: }
1684:
1685: racoon_free($4);
1686: new->remote = $2;
1687: cur_rmconf = new;
1688: }
1689: remote_specs_block
1690: | REMOTE remote_index
1691: {
1692: struct remoteconf *new;
1693:
1694: new = newrmconf();
1695: if (new == NULL) {
1696: yyerror("failed to get new remoteconf.");
1697: return -1;
1698: }
1699:
1700: new->remote = $2;
1701: cur_rmconf = new;
1702: }
1703: remote_specs_block
1704: ;
1705:
1706: remote_specs_block
1707: : BOC remote_specs EOC
1708: {
1709: /* check a exchange mode */
1710: if (cur_rmconf->etypes == NULL) {
1711: yyerror("no exchange mode specified.\n");
1712: return -1;
1713: }
1714:
1715: if (cur_rmconf->idvtype == IDTYPE_UNDEFINED)
1716: cur_rmconf->idvtype = IDTYPE_ADDRESS;
1717:
1718: if (cur_rmconf->idvtype == IDTYPE_ASN1DN) {
1719: if (cur_rmconf->mycertfile) {
1720: if (cur_rmconf->idv)
1721: yywarn("Both CERT and ASN1 ID "
1722: "are set. Hope this is OK.\n");
1723: /* TODO: Preparse the DN here */
1724: } else if (cur_rmconf->idv) {
1725: /* OK, using asn1dn without X.509. */
1726: } else {
1727: yyerror("ASN1 ID not specified "
1728: "and no CERT defined!\n");
1729: return -1;
1730: }
1731: }
1732:
1733: if (duprmconf_finish(cur_rmconf))
1734: return -1;
1735:
1736: #if 0
1737: /* this pointer copy will never happen, because duprmconf_shallow
1738: * already copied all pointers.
1739: */
1740: if (cur_rmconf->spspec == NULL &&
1741: cur_rmconf->inherited_from != NULL) {
1742: cur_rmconf->spspec = cur_rmconf->inherited_from->spspec;
1743: }
1744: #endif
1745: if (set_isakmp_proposal(cur_rmconf) != 0)
1746: return -1;
1747:
1748: /* DH group settting if aggressive mode is there. */
1749: if (check_etypeok(cur_rmconf, (void*) ISAKMP_ETYPE_AGG)) {
1750: struct isakmpsa *p;
1751: int b = 0;
1752:
1753: /* DH group */
1754: for (p = cur_rmconf->proposal; p; p = p->next) {
1755: if (b == 0 || (b && b == p->dh_group)) {
1756: b = p->dh_group;
1757: continue;
1758: }
1759: yyerror("DH group must be equal "
1760: "in all proposals "
1761: "when aggressive mode is "
1762: "used.\n");
1763: return -1;
1764: }
1765: cur_rmconf->dh_group = b;
1766:
1767: if (cur_rmconf->dh_group == 0) {
1768: yyerror("DH group must be set in the proposal.\n");
1769: return -1;
1770: }
1771:
1772: /* DH group settting if PFS is required. */
1773: if (oakley_setdhgroup(cur_rmconf->dh_group,
1774: &cur_rmconf->dhgrp) < 0) {
1775: yyerror("failed to set DH value.\n");
1776: return -1;
1777: }
1778: }
1779:
1780: insrmconf(cur_rmconf);
1781: }
1782: ;
1783: remote_index
1784: : ANONYMOUS ike_port
1785: {
1786: $$ = newsaddr(sizeof(struct sockaddr));
1787: $$->sa_family = AF_UNSPEC;
1788: ((struct sockaddr_in *)$$)->sin_port = htons($2);
1789: }
1790: | ike_addrinfo_port
1791: {
1792: $$ = $1;
1793: if ($$ == NULL) {
1794: yyerror("failed to allocate sockaddr");
1795: return -1;
1796: }
1797: }
1798: ;
1799: remote_specs
1800: : /* nothing */
1801: | remote_specs remote_spec
1802: ;
1803: remote_spec
1804: : REMOTE_ADDRESS ike_addrinfo_port
1805: {
1806: if (cur_rmconf->remote != NULL) {
1807: yyerror("remote_address already specified");
1808: return -1;
1809: }
1810: cur_rmconf->remote = $2;
1811: }
1812: EOS
1813: | EXCHANGE_MODE
1814: {
1815: cur_rmconf->etypes = NULL;
1816: }
1817: exchange_types EOS
1818: | DOI DOITYPE { cur_rmconf->doitype = $2; } EOS
1819: | SITUATION SITUATIONTYPE { cur_rmconf->sittype = $2; } EOS
1820: | CERTIFICATE_TYPE cert_spec
1821: | PEERS_CERTFILE QUOTEDSTRING
1822: {
1823: yywarn("This directive without certtype will be removed!\n");
1824: yywarn("Please use 'peers_certfile x509 \"%s\";' instead\n", $2->v);
1825:
1826: if (cur_rmconf->peerscert != NULL) {
1827: yyerror("peers_certfile already defined\n");
1828: return -1;
1829: }
1830:
1831: if (load_x509($2->v, &cur_rmconf->peerscertfile,
1832: &cur_rmconf->peerscert)) {
1833: yyerror("failed to load certificate \"%s\"\n",
1834: $2->v);
1835: return -1;
1836: }
1837:
1838: vfree($2);
1839: }
1840: EOS
1841: | PEERS_CERTFILE CERT_X509 QUOTEDSTRING
1842: {
1843: if (cur_rmconf->peerscert != NULL) {
1844: yyerror("peers_certfile already defined\n");
1845: return -1;
1846: }
1847:
1848: if (load_x509($3->v, &cur_rmconf->peerscertfile,
1849: &cur_rmconf->peerscert)) {
1850: yyerror("failed to load certificate \"%s\"\n",
1851: $3->v);
1852: return -1;
1853: }
1854:
1855: vfree($3);
1856: }
1857: EOS
1858: | PEERS_CERTFILE CERT_PLAINRSA QUOTEDSTRING
1859: {
1860: char path[MAXPATHLEN];
1861: int ret = 0;
1862:
1863: if (cur_rmconf->peerscert != NULL) {
1864: yyerror("peers_certfile already defined\n");
1865: return -1;
1866: }
1867:
1868: cur_rmconf->peerscert = vmalloc(1);
1869: if (cur_rmconf->peerscert == NULL) {
1870: yyerror("failed to allocate peerscert");
1871: return -1;
1872: }
1873: cur_rmconf->peerscert->v[0] = ISAKMP_CERT_PLAINRSA;
1874:
1875: getpathname(path, sizeof(path),
1876: LC_PATHTYPE_CERT, $3->v);
1877: if (rsa_parse_file(cur_rmconf->rsa_public, path,
1878: RSA_TYPE_PUBLIC)) {
1879: yyerror("Couldn't parse keyfile.\n", path);
1880: return -1;
1881: }
1882: plog(LLV_DEBUG, LOCATION, NULL,
1883: "Public PlainRSA keyfile parsed: %s\n", path);
1884:
1885: vfree($3);
1886: }
1887: EOS
1888: | PEERS_CERTFILE DNSSEC
1889: {
1890: if (cur_rmconf->peerscert != NULL) {
1891: yyerror("peers_certfile already defined\n");
1892: return -1;
1893: }
1894: cur_rmconf->peerscert = vmalloc(1);
1895: if (cur_rmconf->peerscert == NULL) {
1896: yyerror("failed to allocate peerscert");
1897: return -1;
1898: }
1899: cur_rmconf->peerscert->v[0] = ISAKMP_CERT_DNS;
1900: }
1901: EOS
1902: | CA_TYPE CERT_X509 QUOTEDSTRING
1903: {
1904: if (cur_rmconf->cacert != NULL) {
1905: yyerror("ca_type already defined\n");
1906: return -1;
1907: }
1908:
1909: if (load_x509($3->v, &cur_rmconf->cacertfile,
1910: &cur_rmconf->cacert)) {
1911: yyerror("failed to load certificate \"%s\"\n",
1912: $3->v);
1913: return -1;
1914: }
1915:
1916: vfree($3);
1917: }
1918: EOS
1919: | VERIFY_CERT SWITCH { cur_rmconf->verify_cert = $2; } EOS
1920: | SEND_CERT SWITCH { cur_rmconf->send_cert = $2; } EOS
1921: | SEND_CR SWITCH { cur_rmconf->send_cr = $2; } EOS
1922: | MATCH_EMPTY_CR SWITCH { cur_rmconf->match_empty_cr = $2; } EOS
1923: | MY_IDENTIFIER IDENTIFIERTYPE identifierstring
1924: {
1925: if (set_identifier(&cur_rmconf->idv, $2, $3) != 0) {
1926: yyerror("failed to set identifer.\n");
1927: return -1;
1928: }
1929: cur_rmconf->idvtype = $2;
1930: }
1931: EOS
1932: | MY_IDENTIFIER IDENTIFIERTYPE IDENTIFIERQUAL identifierstring
1933: {
1934: if (set_identifier_qual(&cur_rmconf->idv, $2, $4, $3) != 0) {
1935: yyerror("failed to set identifer.\n");
1936: return -1;
1937: }
1938: cur_rmconf->idvtype = $2;
1939: }
1940: EOS
1941: | XAUTH_LOGIN identifierstring
1942: {
1943: #ifdef ENABLE_HYBRID
1944: /* formerly identifier type login */
1945: if (xauth_rmconf_used(&cur_rmconf->xauth) == -1) {
1946: yyerror("failed to allocate xauth state\n");
1947: return -1;
1948: }
1949: if ((cur_rmconf->xauth->login = vdup($2)) == NULL) {
1950: yyerror("failed to set identifer.\n");
1951: return -1;
1952: }
1953: #else
1954: yyerror("racoon not configured with --enable-hybrid");
1955: #endif
1956: }
1957: EOS
1958: | PEERS_IDENTIFIER IDENTIFIERTYPE identifierstring
1959: {
1960: struct idspec *id;
1961: id = newidspec();
1962: if (id == NULL) {
1963: yyerror("failed to allocate idspec");
1964: return -1;
1965: }
1966: if (set_identifier(&id->id, $2, $3) != 0) {
1967: yyerror("failed to set identifer.\n");
1968: racoon_free(id);
1969: return -1;
1970: }
1971: id->idtype = $2;
1972: genlist_append (cur_rmconf->idvl_p, id);
1973: }
1974: EOS
1975: | PEERS_IDENTIFIER IDENTIFIERTYPE IDENTIFIERQUAL identifierstring
1976: {
1977: struct idspec *id;
1978: id = newidspec();
1979: if (id == NULL) {
1980: yyerror("failed to allocate idspec");
1981: return -1;
1982: }
1983: if (set_identifier_qual(&id->id, $2, $4, $3) != 0) {
1984: yyerror("failed to set identifer.\n");
1985: racoon_free(id);
1986: return -1;
1987: }
1988: id->idtype = $2;
1989: genlist_append (cur_rmconf->idvl_p, id);
1990: }
1991: EOS
1992: | VERIFY_IDENTIFIER SWITCH { cur_rmconf->verify_identifier = $2; } EOS
1993: | NONCE_SIZE NUMBER { cur_rmconf->nonce_size = $2; } EOS
1994: | DH_GROUP
1995: {
1996: yyerror("dh_group cannot be defined here.");
1997: return -1;
1998: }
1999: dh_group_num EOS
2000: | PASSIVE SWITCH { cur_rmconf->passive = $2; } EOS
2001: | IKE_FRAG SWITCH { cur_rmconf->ike_frag = $2; } EOS
2002: | IKE_FRAG REMOTE_FORCE_LEVEL { cur_rmconf->ike_frag = ISAKMP_FRAG_FORCE; } EOS
2003: | ESP_FRAG NUMBER {
2004: #ifdef SADB_X_EXT_NAT_T_FRAG
2005: if (libipsec_opt & LIBIPSEC_OPT_FRAG)
2006: cur_rmconf->esp_frag = $2;
2007: else
2008: yywarn("libipsec lacks IKE frag support");
2009: #else
2010: yywarn("Your kernel does not support esp_frag");
2011: #endif
2012: } EOS
2013: | SCRIPT QUOTEDSTRING PHASE1_UP {
2014: if (cur_rmconf->script[SCRIPT_PHASE1_UP] != NULL)
2015: vfree(cur_rmconf->script[SCRIPT_PHASE1_UP]);
2016:
2017: cur_rmconf->script[SCRIPT_PHASE1_UP] =
2018: script_path_add(vdup($2));
2019: } EOS
2020: | SCRIPT QUOTEDSTRING PHASE1_DOWN {
2021: if (cur_rmconf->script[SCRIPT_PHASE1_DOWN] != NULL)
2022: vfree(cur_rmconf->script[SCRIPT_PHASE1_DOWN]);
2023:
2024: cur_rmconf->script[SCRIPT_PHASE1_DOWN] =
2025: script_path_add(vdup($2));
2026: } EOS
2027: | SCRIPT QUOTEDSTRING PHASE1_DEAD {
2028: if (cur_rmconf->script[SCRIPT_PHASE1_DEAD] != NULL)
2029: vfree(cur_rmconf->script[SCRIPT_PHASE1_DEAD]);
2030:
2031: cur_rmconf->script[SCRIPT_PHASE1_DEAD] =
2032: script_path_add(vdup($2));
2033: } EOS
2034: | MODE_CFG SWITCH { cur_rmconf->mode_cfg = $2; } EOS
2035: | WEAK_PHASE1_CHECK SWITCH {
2036: cur_rmconf->weak_phase1_check = $2;
2037: } EOS
2038: | GENERATE_POLICY SWITCH { cur_rmconf->gen_policy = $2; } EOS
2039: | GENERATE_POLICY GENERATE_LEVEL { cur_rmconf->gen_policy = $2; } EOS
2040: | SUPPORT_PROXY SWITCH { cur_rmconf->support_proxy = $2; } EOS
2041: | INITIAL_CONTACT SWITCH { cur_rmconf->ini_contact = $2; } EOS
2042: | NAT_TRAVERSAL SWITCH
2043: {
2044: #ifdef ENABLE_NATT
2045: if (libipsec_opt & LIBIPSEC_OPT_NATT)
2046: cur_rmconf->nat_traversal = $2;
2047: else
2048: yyerror("libipsec lacks NAT-T support");
2049: #else
2050: yyerror("NAT-T support not compiled in.");
2051: #endif
2052: } EOS
2053: | NAT_TRAVERSAL REMOTE_FORCE_LEVEL
2054: {
2055: #ifdef ENABLE_NATT
2056: if (libipsec_opt & LIBIPSEC_OPT_NATT)
2057: cur_rmconf->nat_traversal = NATT_FORCE;
2058: else
2059: yyerror("libipsec lacks NAT-T support");
2060: #else
2061: yyerror("NAT-T support not compiled in.");
2062: #endif
2063: } EOS
2064: | DPD SWITCH
2065: {
2066: #ifdef ENABLE_DPD
2067: cur_rmconf->dpd = $2;
2068: #else
2069: yyerror("DPD support not compiled in.");
2070: #endif
2071: } EOS
2072: | DPD_DELAY NUMBER
2073: {
2074: #ifdef ENABLE_DPD
2075: cur_rmconf->dpd_interval = $2;
2076: #else
2077: yyerror("DPD support not compiled in.");
2078: #endif
2079: }
2080: EOS
2081: | DPD_RETRY NUMBER
2082: {
2083: #ifdef ENABLE_DPD
2084: cur_rmconf->dpd_retry = $2;
2085: #else
2086: yyerror("DPD support not compiled in.");
2087: #endif
2088: }
2089: EOS
2090: | DPD_MAXFAIL NUMBER
2091: {
2092: #ifdef ENABLE_DPD
2093: cur_rmconf->dpd_maxfails = $2;
2094: #else
2095: yyerror("DPD support not compiled in.");
2096: #endif
2097: }
2098: EOS
2099: | REKEY SWITCH { cur_rmconf->rekey = $2; } EOS
2100: | REKEY REMOTE_FORCE_LEVEL { cur_rmconf->rekey = REKEY_FORCE; } EOS
2101: | PH1ID NUMBER
2102: {
2103: cur_rmconf->ph1id = $2;
2104: }
2105: EOS
2106: | LIFETIME LIFETYPE_TIME NUMBER unittype_time
2107: {
2108: cur_rmconf->lifetime = $3 * $4;
2109: }
2110: EOS
2111: | PROPOSAL_CHECK PROPOSAL_CHECK_LEVEL { cur_rmconf->pcheck_level = $2; } EOS
2112: | LIFETIME LIFETYPE_BYTE NUMBER unittype_byte
2113: {
2114: #if 1
2115: yyerror("byte lifetime support is deprecated in Phase1");
2116: return -1;
2117: #else
2118: yywarn("the lifetime of bytes in phase 1 "
2119: "will be ignored at the moment.");
2120: cur_rmconf->lifebyte = fix_lifebyte($3 * $4);
2121: if (cur_rmconf->lifebyte == 0)
2122: return -1;
2123: #endif
2124: }
2125: EOS
2126: | PROPOSAL
2127: {
2128: struct secprotospec *spspec;
2129:
2130: spspec = newspspec();
2131: if (spspec == NULL)
2132: return -1;
2133: insspspec(cur_rmconf, spspec);
2134: }
2135: BOC isakmpproposal_specs EOC
2136: ;
2137: exchange_types
2138: : /* nothing */
2139: | exchange_types EXCHANGETYPE
2140: {
2141: struct etypes *new;
2142: new = racoon_malloc(sizeof(struct etypes));
2143: if (new == NULL) {
2144: yyerror("failed to allocate etypes");
2145: return -1;
2146: }
2147: new->type = $2;
2148: new->next = NULL;
2149: if (cur_rmconf->etypes == NULL)
2150: cur_rmconf->etypes = new;
2151: else {
2152: struct etypes *p;
2153: for (p = cur_rmconf->etypes;
2154: p->next != NULL;
2155: p = p->next)
2156: ;
2157: p->next = new;
2158: }
2159: }
2160: ;
2161: cert_spec
2162: : CERT_X509 QUOTEDSTRING QUOTEDSTRING
2163: {
2164: if (cur_rmconf->mycert != NULL) {
2165: yyerror("certificate_type already defined\n");
2166: return -1;
2167: }
2168:
2169: if (load_x509($2->v, &cur_rmconf->mycertfile,
2170: &cur_rmconf->mycert)) {
2171: yyerror("failed to load certificate \"%s\"\n",
2172: $2->v);
2173: return -1;
2174: }
2175:
2176: cur_rmconf->myprivfile = racoon_strdup($3->v);
2177: STRDUP_FATAL(cur_rmconf->myprivfile);
2178:
2179: vfree($2);
2180: vfree($3);
2181: }
2182: EOS
2183: | CERT_PLAINRSA QUOTEDSTRING
2184: {
2185: char path[MAXPATHLEN];
2186: int ret = 0;
2187:
2188: if (cur_rmconf->mycert != NULL) {
2189: yyerror("certificate_type already defined\n");
2190: return -1;
2191: }
2192:
2193: cur_rmconf->mycert = vmalloc(1);
2194: if (cur_rmconf->mycert == NULL) {
2195: yyerror("failed to allocate mycert");
2196: return -1;
2197: }
2198: cur_rmconf->mycert->v[0] = ISAKMP_CERT_PLAINRSA;
2199:
2200: getpathname(path, sizeof(path),
2201: LC_PATHTYPE_CERT, $2->v);
2202: cur_rmconf->send_cr = FALSE;
2203: cur_rmconf->send_cert = FALSE;
2204: cur_rmconf->verify_cert = FALSE;
2205: if (rsa_parse_file(cur_rmconf->rsa_private, path,
2206: RSA_TYPE_PRIVATE)) {
2207: yyerror("Couldn't parse keyfile.\n", path);
2208: return -1;
2209: }
2210: plog(LLV_DEBUG, LOCATION, NULL,
2211: "Private PlainRSA keyfile parsed: %s\n", path);
2212: vfree($2);
2213: }
2214: EOS
2215: ;
2216: dh_group_num
2217: : ALGORITHMTYPE
2218: {
2219: $$ = algtype2doi(algclass_isakmp_dh, $1);
2220: if ($$ == -1) {
2221: yyerror("must be DH group");
2222: return -1;
2223: }
2224: }
2225: | NUMBER
2226: {
2227: if (ARRAYLEN(num2dhgroup) > $1 && num2dhgroup[$1] != 0) {
2228: $$ = num2dhgroup[$1];
2229: } else {
2230: yyerror("must be DH group");
2231: $$ = 0;
2232: return -1;
2233: }
2234: }
2235: ;
2236: identifierstring
2237: : /* nothing */ { $$ = NULL; }
2238: | ADDRSTRING { $$ = $1; }
2239: | QUOTEDSTRING { $$ = $1; }
2240: ;
2241: isakmpproposal_specs
2242: : /* nothing */
2243: | isakmpproposal_specs isakmpproposal_spec
2244: ;
2245: isakmpproposal_spec
2246: : LIFETIME LIFETYPE_TIME NUMBER unittype_time
2247: {
2248: cur_rmconf->spspec->lifetime = $3 * $4;
2249: }
2250: EOS
2251: | LIFETIME LIFETYPE_BYTE NUMBER unittype_byte
2252: {
2253: #if 1
2254: yyerror("byte lifetime support is deprecated");
2255: return -1;
2256: #else
2257: cur_rmconf->spspec->lifebyte = fix_lifebyte($3 * $4);
2258: if (cur_rmconf->spspec->lifebyte == 0)
2259: return -1;
2260: #endif
2261: }
2262: EOS
2263: | DH_GROUP dh_group_num
2264: {
2265: cur_rmconf->spspec->algclass[algclass_isakmp_dh] = $2;
2266: }
2267: EOS
2268: | GSS_ID QUOTEDSTRING
2269: {
2270: if (cur_rmconf->spspec->vendorid != VENDORID_GSSAPI) {
2271: yyerror("wrong Vendor ID for gssapi_id");
2272: return -1;
2273: }
2274: if (cur_rmconf->spspec->gssid != NULL)
2275: racoon_free(cur_rmconf->spspec->gssid);
2276: cur_rmconf->spspec->gssid =
2277: racoon_strdup($2->v);
2278: STRDUP_FATAL(cur_rmconf->spspec->gssid);
2279: }
2280: EOS
2281: | ALGORITHM_CLASS ALGORITHMTYPE keylength
2282: {
2283: int doi;
2284: int defklen;
2285:
2286: doi = algtype2doi($1, $2);
2287: if (doi == -1) {
2288: yyerror("algorithm mismatched 1");
2289: return -1;
2290: }
2291:
2292: switch ($1) {
2293: case algclass_isakmp_enc:
2294: /* reject suppressed algorithms */
2295: #ifndef HAVE_OPENSSL_RC5_H
2296: if ($2 == algtype_rc5) {
2297: yyerror("algorithm %s not supported",
2298: s_attr_isakmp_enc(doi));
2299: return -1;
2300: }
2301: #endif
2302: #ifndef HAVE_OPENSSL_IDEA_H
2303: if ($2 == algtype_idea) {
2304: yyerror("algorithm %s not supported",
2305: s_attr_isakmp_enc(doi));
2306: return -1;
2307: }
2308: #endif
2309:
2310: cur_rmconf->spspec->algclass[algclass_isakmp_enc] = doi;
2311: defklen = default_keylen($1, $2);
2312: if (defklen == 0) {
2313: if ($3) {
2314: yyerror("keylen not allowed");
2315: return -1;
2316: }
2317: } else {
2318: if ($3 && check_keylen($1, $2, $3) < 0) {
2319: yyerror("invalid keylen %d", $3);
2320: return -1;
2321: }
2322: }
2323: if ($3)
2324: cur_rmconf->spspec->encklen = $3;
2325: else
2326: cur_rmconf->spspec->encklen = defklen;
2327: break;
2328: case algclass_isakmp_hash:
2329: cur_rmconf->spspec->algclass[algclass_isakmp_hash] = doi;
2330: break;
2331: case algclass_isakmp_ameth:
2332: cur_rmconf->spspec->algclass[algclass_isakmp_ameth] = doi;
2333: /*
2334: * We may have to set the Vendor ID for the
2335: * authentication method we're using.
2336: */
2337: switch ($2) {
2338: case algtype_gssapikrb:
2339: if (cur_rmconf->spspec->vendorid !=
2340: VENDORID_UNKNOWN) {
2341: yyerror("Vendor ID mismatch "
2342: "for auth method");
2343: return -1;
2344: }
2345: /*
2346: * For interoperability with Win2k,
2347: * we set the Vendor ID to "GSSAPI".
2348: */
2349: cur_rmconf->spspec->vendorid =
2350: VENDORID_GSSAPI;
2351: break;
2352: case algtype_rsasig:
2353: if (oakley_get_certtype(cur_rmconf->peerscert) == ISAKMP_CERT_PLAINRSA) {
2354: if (rsa_list_count(cur_rmconf->rsa_private) == 0) {
2355: yyerror ("Private PlainRSA key not set. "
2356: "Use directive 'certificate_type plainrsa ...'\n");
2357: return -1;
2358: }
2359: if (rsa_list_count(cur_rmconf->rsa_public) == 0) {
2360: yyerror ("Public PlainRSA keys not set. "
2361: "Use directive 'peers_certfile plainrsa ...'\n");
2362: return -1;
2363: }
2364: }
2365: break;
2366: default:
2367: break;
2368: }
2369: break;
2370: default:
2371: yyerror("algorithm mismatched 2");
2372: return -1;
2373: }
2374: }
2375: EOS
2376: ;
2377:
2378: unittype_time
2379: : UNITTYPE_SEC { $$ = 1; }
2380: | UNITTYPE_MIN { $$ = 60; }
2381: | UNITTYPE_HOUR { $$ = (60 * 60); }
2382: ;
2383: unittype_byte
2384: : UNITTYPE_BYTE { $$ = 1; }
2385: | UNITTYPE_KBYTES { $$ = 1024; }
2386: | UNITTYPE_MBYTES { $$ = (1024 * 1024); }
2387: | UNITTYPE_TBYTES { $$ = (1024 * 1024 * 1024); }
2388: ;
2389: %%
2390:
2391: static struct secprotospec *
2392: newspspec()
2393: {
2394: struct secprotospec *new;
2395:
2396: new = racoon_calloc(1, sizeof(*new));
2397: if (new == NULL) {
2398: yyerror("failed to allocate spproto");
2399: return NULL;
2400: }
2401:
2402: new->encklen = 0; /*XXX*/
2403:
2404: /*
2405: * Default to "uknown" vendor -- we will override this
2406: * as necessary. When we send a Vendor ID payload, an
2407: * "unknown" will be translated to a KAME/racoon ID.
2408: */
2409: new->vendorid = VENDORID_UNKNOWN;
2410:
2411: return new;
2412: }
2413:
2414: /*
2415: * insert into head of list.
2416: */
2417: static void
2418: insspspec(rmconf, spspec)
2419: struct remoteconf *rmconf;
2420: struct secprotospec *spspec;
2421: {
2422: if (rmconf->spspec != NULL)
2423: rmconf->spspec->prev = spspec;
2424: spspec->next = rmconf->spspec;
2425: rmconf->spspec = spspec;
2426: }
2427:
2428: static struct secprotospec *
2429: dupspspec(spspec)
2430: struct secprotospec *spspec;
2431: {
2432: struct secprotospec *new;
2433:
2434: new = newspspec();
2435: if (new == NULL) {
2436: plog(LLV_ERROR, LOCATION, NULL,
2437: "dupspspec: malloc failed\n");
2438: return NULL;
2439: }
2440: memcpy(new, spspec, sizeof(*new));
2441:
2442: if (spspec->gssid) {
2443: new->gssid = racoon_strdup(spspec->gssid);
2444: STRDUP_FATAL(new->gssid);
2445: }
2446: if (spspec->remote) {
2447: new->remote = racoon_malloc(sizeof(*new->remote));
2448: if (new->remote == NULL) {
2449: plog(LLV_ERROR, LOCATION, NULL,
2450: "dupspspec: malloc failed (remote)\n");
2451: return NULL;
2452: }
2453: memcpy(new->remote, spspec->remote, sizeof(*new->remote));
2454: }
2455:
2456: return new;
2457: }
2458:
2459: /*
2460: * copy the whole list
2461: */
2462: void
2463: dupspspec_list(dst, src)
2464: struct remoteconf *dst, *src;
2465: {
2466: struct secprotospec *p, *new, *last;
2467:
2468: for(p = src->spspec, last = NULL; p; p = p->next, last = new) {
2469: new = dupspspec(p);
2470: if (new == NULL)
2471: exit(1);
2472:
2473: new->prev = last;
2474: new->next = NULL; /* not necessary but clean */
2475:
2476: if (last)
2477: last->next = new;
2478: else /* first element */
2479: dst->spspec = new;
2480:
2481: }
2482: }
2483:
2484: /*
2485: * delete the whole list
2486: */
2487: void
2488: flushspspec(rmconf)
2489: struct remoteconf *rmconf;
2490: {
2491: struct secprotospec *p;
2492:
2493: while(rmconf->spspec != NULL) {
2494: p = rmconf->spspec;
2495: rmconf->spspec = p->next;
2496: if (p->next != NULL)
2497: p->next->prev = NULL; /* not necessary but clean */
2498:
2499: if (p->gssid)
2500: racoon_free(p->gssid);
2501: if (p->remote)
2502: racoon_free(p->remote);
2503: racoon_free(p);
2504: }
2505: rmconf->spspec = NULL;
2506: }
2507:
2508: /* set final acceptable proposal */
2509: static int
2510: set_isakmp_proposal(rmconf)
2511: struct remoteconf *rmconf;
2512: {
2513: struct secprotospec *s;
2514: int prop_no = 1;
2515: int trns_no = 1;
2516: int32_t types[MAXALGCLASS];
2517:
2518: /* mandatory check */
2519: if (rmconf->spspec == NULL) {
2520: yyerror("no remote specification found: %s.\n",
2521: saddr2str(rmconf->remote));
2522: return -1;
2523: }
2524: for (s = rmconf->spspec; s != NULL; s = s->next) {
2525: /* XXX need more to check */
2526: if (s->algclass[algclass_isakmp_enc] == 0) {
2527: yyerror("encryption algorithm required.");
2528: return -1;
2529: }
2530: if (s->algclass[algclass_isakmp_hash] == 0) {
2531: yyerror("hash algorithm required.");
2532: return -1;
2533: }
2534: if (s->algclass[algclass_isakmp_dh] == 0) {
2535: yyerror("DH group required.");
2536: return -1;
2537: }
2538: if (s->algclass[algclass_isakmp_ameth] == 0) {
2539: yyerror("authentication method required.");
2540: return -1;
2541: }
2542: }
2543:
2544: /* skip to last part */
2545: for (s = rmconf->spspec; s->next != NULL; s = s->next)
2546: ;
2547:
2548: while (s != NULL) {
2549: plog(LLV_DEBUG2, LOCATION, NULL,
2550: "lifetime = %ld\n", (long)
2551: (s->lifetime ? s->lifetime : rmconf->lifetime));
2552: plog(LLV_DEBUG2, LOCATION, NULL,
2553: "lifebyte = %d\n",
2554: s->lifebyte ? s->lifebyte : rmconf->lifebyte);
2555: plog(LLV_DEBUG2, LOCATION, NULL,
2556: "encklen=%d\n", s->encklen);
2557:
2558: memset(types, 0, ARRAYLEN(types));
2559: types[algclass_isakmp_enc] = s->algclass[algclass_isakmp_enc];
2560: types[algclass_isakmp_hash] = s->algclass[algclass_isakmp_hash];
2561: types[algclass_isakmp_dh] = s->algclass[algclass_isakmp_dh];
2562: types[algclass_isakmp_ameth] =
2563: s->algclass[algclass_isakmp_ameth];
2564:
2565: /* expanding spspec */
2566: clean_tmpalgtype();
2567: trns_no = expand_isakmpspec(prop_no, trns_no, types,
2568: algclass_isakmp_enc, algclass_isakmp_ameth + 1,
2569: s->lifetime ? s->lifetime : rmconf->lifetime,
2570: s->lifebyte ? s->lifebyte : rmconf->lifebyte,
2571: s->encklen, s->vendorid, s->gssid,
2572: rmconf);
2573: if (trns_no == -1) {
2574: plog(LLV_ERROR, LOCATION, NULL,
2575: "failed to expand isakmp proposal.\n");
2576: return -1;
2577: }
2578:
2579: s = s->prev;
2580: }
2581:
2582: if (rmconf->proposal == NULL) {
2583: plog(LLV_ERROR, LOCATION, NULL,
2584: "no proposal found.\n");
2585: return -1;
2586: }
2587:
2588: return 0;
2589: }
2590:
2591: static void
2592: clean_tmpalgtype()
2593: {
2594: int i;
2595: for (i = 0; i < MAXALGCLASS; i++)
2596: tmpalgtype[i] = 0; /* means algorithm undefined. */
2597: }
2598:
2599: static int
2600: expand_isakmpspec(prop_no, trns_no, types,
2601: class, last, lifetime, lifebyte, encklen, vendorid, gssid,
2602: rmconf)
2603: int prop_no, trns_no;
2604: int *types, class, last;
2605: time_t lifetime;
2606: int lifebyte;
2607: int encklen;
2608: int vendorid;
2609: char *gssid;
2610: struct remoteconf *rmconf;
2611: {
2612: struct isakmpsa *new;
2613:
2614: /* debugging */
2615: {
2616: int j;
2617: char tb[10];
2618: plog(LLV_DEBUG2, LOCATION, NULL,
2619: "p:%d t:%d\n", prop_no, trns_no);
2620: for (j = class; j < MAXALGCLASS; j++) {
2621: snprintf(tb, sizeof(tb), "%d", types[j]);
2622: plog(LLV_DEBUG2, LOCATION, NULL,
2623: "%s%s%s%s\n",
2624: s_algtype(j, types[j]),
2625: types[j] ? "(" : "",
2626: tb[0] == '0' ? "" : tb,
2627: types[j] ? ")" : "");
2628: }
2629: plog(LLV_DEBUG2, LOCATION, NULL, "\n");
2630: }
2631:
2632: #define TMPALGTYPE2STR(n) \
2633: s_algtype(algclass_isakmp_##n, types[algclass_isakmp_##n])
2634: /* check mandatory values */
2635: if (types[algclass_isakmp_enc] == 0
2636: || types[algclass_isakmp_ameth] == 0
2637: || types[algclass_isakmp_hash] == 0
2638: || types[algclass_isakmp_dh] == 0) {
2639: yyerror("few definition of algorithm "
2640: "enc=%s ameth=%s hash=%s dhgroup=%s.\n",
2641: TMPALGTYPE2STR(enc),
2642: TMPALGTYPE2STR(ameth),
2643: TMPALGTYPE2STR(hash),
2644: TMPALGTYPE2STR(dh));
2645: return -1;
2646: }
2647: #undef TMPALGTYPE2STR
2648:
2649: /* set new sa */
2650: new = newisakmpsa();
2651: if (new == NULL) {
2652: yyerror("failed to allocate isakmp sa");
2653: return -1;
2654: }
2655: new->prop_no = prop_no;
2656: new->trns_no = trns_no++;
2657: new->lifetime = lifetime;
2658: new->lifebyte = lifebyte;
2659: new->enctype = types[algclass_isakmp_enc];
2660: new->encklen = encklen;
2661: new->authmethod = types[algclass_isakmp_ameth];
2662: new->hashtype = types[algclass_isakmp_hash];
2663: new->dh_group = types[algclass_isakmp_dh];
2664: new->vendorid = vendorid;
2665: #ifdef HAVE_GSSAPI
2666: if (new->authmethod == OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB) {
2667: if (gssid != NULL) {
2668: if ((new->gssid = vmalloc(strlen(gssid))) == NULL) {
2669: racoon_free(new);
2670: yyerror("failed to allocate gssid");
2671: return -1;
2672: }
2673: memcpy(new->gssid->v, gssid, new->gssid->l);
2674: racoon_free(gssid);
2675: } else {
2676: /*
2677: * Allocate the default ID so that it gets put
2678: * into a GSS ID attribute during the Phase 1
2679: * exchange.
2680: */
2681: new->gssid = gssapi_get_default_gss_id();
2682: }
2683: }
2684: #endif
2685: insisakmpsa(new, rmconf);
2686:
2687: return trns_no;
2688: }
2689:
2690: #if 0
2691: /*
2692: * fix lifebyte.
2693: * Must be more than 1024B because its unit is kilobytes.
2694: * That is defined RFC2407.
2695: */
2696: static int
2697: fix_lifebyte(t)
2698: unsigned long t;
2699: {
2700: if (t < 1024) {
2701: yyerror("byte size should be more than 1024B.");
2702: return 0;
2703: }
2704:
2705: return(t / 1024);
2706: }
2707: #endif
2708:
2709: int
2710: cfparse()
2711: {
2712: int error;
2713:
2714: yyerrorcount = 0;
2715: yycf_init_buffer();
2716:
2717: if (yycf_switch_buffer(lcconf->racoon_conf) != 0) {
2718: plog(LLV_ERROR, LOCATION, NULL,
2719: "could not read configuration file \"%s\"\n",
2720: lcconf->racoon_conf);
2721: return -1;
2722: }
2723:
2724: error = yyparse();
2725: if (error != 0) {
2726: if (yyerrorcount) {
2727: plog(LLV_ERROR, LOCATION, NULL,
2728: "fatal parse failure (%d errors)\n",
2729: yyerrorcount);
2730: } else {
2731: plog(LLV_ERROR, LOCATION, NULL,
2732: "fatal parse failure.\n");
2733: }
2734: return -1;
2735: }
2736:
2737: if (error == 0 && yyerrorcount) {
2738: plog(LLV_ERROR, LOCATION, NULL,
2739: "parse error is nothing, but yyerrorcount is %d.\n",
2740: yyerrorcount);
2741: exit(1);
2742: }
2743:
2744: yycf_clean_buffer();
2745:
2746: plog(LLV_DEBUG2, LOCATION, NULL, "parse successed.\n");
2747:
2748: return 0;
2749: }
2750:
2751: int
2752: cfreparse()
2753: {
2754: flushph2();
2755: flushph1();
2756: flushrmconf();
2757: flushsainfo();
2758: clean_tmpalgtype();
2759: return(cfparse());
2760: }
2761:
2762: #ifdef ENABLE_ADMINPORT
2763: static void
2764: adminsock_conf(path, owner, group, mode_dec)
2765: vchar_t *path;
2766: vchar_t *owner;
2767: vchar_t *group;
2768: int mode_dec;
2769: {
2770: struct passwd *pw = NULL;
2771: struct group *gr = NULL;
2772: mode_t mode = 0;
2773: uid_t uid;
2774: gid_t gid;
2775: int isnum;
2776:
2777: adminsock_path = path->v;
2778:
2779: if (owner == NULL)
2780: return;
2781:
2782: errno = 0;
2783: uid = atoi(owner->v);
2784: isnum = !errno;
2785: if (((pw = getpwnam(owner->v)) == NULL) && !isnum)
2786: yyerror("User \"%s\" does not exist", owner->v);
2787:
2788: if (pw)
2789: adminsock_owner = pw->pw_uid;
2790: else
2791: adminsock_owner = uid;
2792:
2793: if (group == NULL)
2794: return;
2795:
2796: errno = 0;
2797: gid = atoi(group->v);
2798: isnum = !errno;
2799: if (((gr = getgrnam(group->v)) == NULL) && !isnum)
2800: yyerror("Group \"%s\" does not exist", group->v);
2801:
2802: if (gr)
2803: adminsock_group = gr->gr_gid;
2804: else
2805: adminsock_group = gid;
2806:
2807: if (mode_dec == -1)
2808: return;
2809:
2810: if (mode_dec > 777)
2811: yyerror("Mode 0%03o is invalid", mode_dec);
2812: if (mode_dec >= 400) { mode += 0400; mode_dec -= 400; }
2813: if (mode_dec >= 200) { mode += 0200; mode_dec -= 200; }
2814: if (mode_dec >= 100) { mode += 0200; mode_dec -= 100; }
2815:
2816: if (mode_dec > 77)
2817: yyerror("Mode 0%03o is invalid", mode_dec);
2818: if (mode_dec >= 40) { mode += 040; mode_dec -= 40; }
2819: if (mode_dec >= 20) { mode += 020; mode_dec -= 20; }
2820: if (mode_dec >= 10) { mode += 020; mode_dec -= 10; }
2821:
2822: if (mode_dec > 7)
2823: yyerror("Mode 0%03o is invalid", mode_dec);
2824: if (mode_dec >= 4) { mode += 04; mode_dec -= 4; }
2825: if (mode_dec >= 2) { mode += 02; mode_dec -= 2; }
2826: if (mode_dec >= 1) { mode += 02; mode_dec -= 1; }
2827:
2828: adminsock_mode = mode;
2829:
2830: return;
2831: }
2832: #endif
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>
![[BACK]](/icons/cvsweb/back.gif){kind=icon}
Return to cfparse.y CVS log ![[TXT]](/icons/cvsweb/text.gif){kind=icon}
![[DIR]](/icons/cvsweb/dir.gif){kind=icon}
Up to [ELWIX - Embedded LightWeight unIX -] / embedaddon / ipsec-tools / src / racoon