1: /*
2: * Copyright (C) 2014 Tobias Brunner
3: * HSR Hochschule fuer Technik Rapperswil
4: *
5: * Copyright (C) 2001-2002 Mathieu Lafon - Arkoon Network Security
6: *
7: * This program is free software; you can redistribute it and/or modify it
8: * under the terms of the GNU General Public License as published by the
9: * Free Software Foundation; either version 2 of the License, or (at your
10: * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
11: *
12: * This program is distributed in the hope that it will be useful, but
13: * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
14: * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
15: * for more details.
16: */
17:
18: #include <sys/types.h>
19: #include <sys/stat.h>
20: #include <unistd.h>
21: #include <stddef.h>
22: #include <stdlib.h>
23: #include <string.h>
24: #include <assert.h>
25: #include <netdb.h>
26:
27: #include <library.h>
28: #include <utils/debug.h>
29:
30: #include "keywords.h"
31: #include "confread.h"
32: #include "args.h"
33: #include "files.h"
34: #include "parser/conf_parser.h"
35:
36: #define IKE_LIFETIME_DEFAULT 10800 /* 3 hours */
37: #define IPSEC_LIFETIME_DEFAULT 3600 /* 1 hour */
38: #define SA_REPLACEMENT_MARGIN_DEFAULT 540 /* 9 minutes */
39: #define SA_REPLACEMENT_FUZZ_DEFAULT 100 /* 100% of margin */
40: #define SA_REPLACEMENT_RETRIES_DEFAULT 3
41: #define SA_REPLAY_WINDOW_DEFAULT -1 /* use charon.replay_window */
42:
43: static const char firewall_defaults[] = IPSEC_SCRIPT " _updown iptables";
44:
45: /**
46: * Process deprecated keywords
47: */
48: static bool is_deprecated(kw_token_t token, char *name, char *conn)
49: {
50: switch (token)
51: {
52: case KW_SETUP_DEPRECATED:
53: case KW_PKCS11_DEPRECATED:
54: DBG1(DBG_APP, "# deprecated keyword '%s' in config setup", name);
55: break;
56: case KW_CONN_DEPRECATED:
57: case KW_END_DEPRECATED:
58: case KW_PFS_DEPRECATED:
59: DBG1(DBG_APP, "# deprecated keyword '%s' in conn '%s'", name, conn);
60: break;
61: case KW_CA_DEPRECATED:
62: DBG1(DBG_APP, "# deprecated keyword '%s' in ca '%s'", name, conn);
63: break;
64: default:
65: return FALSE;
66: }
67: /* additional messages for some */
68: switch (token)
69: {
70: case KW_PKCS11_DEPRECATED:
71: DBG1(DBG_APP, " use the 'pkcs11' plugin instead");
72: break;
73: case KW_PFS_DEPRECATED:
74: DBG1(DBG_APP, " PFS is enabled by specifying a DH group in the "
75: "'esp' cipher suite");
76: break;
77: default:
78: break;
79: }
80: return TRUE;
81: }
82:
83: /*
84: * parse config setup section
85: */
86: static void load_setup(starter_config_t *cfg, conf_parser_t *parser)
87: {
88: enumerator_t *enumerator;
89: dictionary_t *dict;
90: const kw_entry_t *entry;
91: char *key, *value;
92:
93: DBG2(DBG_APP, "Loading config setup");
94: dict = parser->get_section(parser, CONF_PARSER_CONFIG_SETUP, NULL);
95: if (!dict)
96: {
97: return;
98: }
99: enumerator = dict->create_enumerator(dict);
100: while (enumerator->enumerate(enumerator, &key, &value))
101: {
102: bool assigned = FALSE;
103:
104: entry = in_word_set(key, strlen(key));
105: if (!entry)
106: {
107: DBG1(DBG_APP, "# unknown keyword '%s'", key);
108: cfg->non_fatal_err++;
109: continue;
110: }
111: if ((int)entry->token < KW_SETUP_FIRST || entry->token > KW_SETUP_LAST)
112: {
113: DBG1(DBG_APP, "# unsupported keyword '%s' in config setup", key);
114: cfg->err++;
115: continue;
116: }
117: if (is_deprecated(entry->token, key, ""))
118: {
119: cfg->non_fatal_err++;
120: continue;
121: }
122: if (!assign_arg(entry->token, KW_SETUP_FIRST, key, value, cfg,
123: &assigned))
124: {
125: DBG1(DBG_APP, " bad argument value in config setup");
126: cfg->err++;
127: }
128: }
129: enumerator->destroy(enumerator);
130: dict->destroy(dict);
131: }
132:
133: /*
134: * parse a ca section
135: */
136: static void load_ca(starter_ca_t *ca, starter_config_t *cfg,
137: conf_parser_t *parser)
138: {
139: enumerator_t *enumerator;
140: dictionary_t *dict;
141: const kw_entry_t *entry;
142: kw_token_t token;
143: char *key, *value;
144:
145: DBG2(DBG_APP, "Loading ca '%s'", ca->name);
146: dict = parser->get_section(parser, CONF_PARSER_CA, ca->name);
147: if (!dict)
148: {
149: return;
150: }
151: enumerator = dict->create_enumerator(dict);
152: while (enumerator->enumerate(enumerator, &key, &value))
153: {
154: bool assigned = FALSE;
155:
156: entry = in_word_set(key, strlen(key));
157: if (!entry)
158: {
159: DBG1(DBG_APP, "# unknown keyword '%s'", key);
160: cfg->non_fatal_err++;
161: continue;
162: }
163: token = entry->token;
164: if (token == KW_AUTO)
165: {
166: token = KW_CA_SETUP;
167: }
168: if (token < KW_CA_FIRST || token > KW_CA_LAST)
169: {
170: DBG1(DBG_APP, "# unsupported keyword '%s' in ca '%s'",
171: key, ca->name);
172: cfg->err++;
173: continue;
174: }
175: if (is_deprecated(token, key, ca->name))
176: {
177: cfg->non_fatal_err++;
178: continue;
179: }
180: if (!assign_arg(token, KW_CA_FIRST, key, value, ca, &assigned))
181: {
182: DBG1(DBG_APP, " bad argument value in ca '%s'", ca->name);
183: cfg->err++;
184: }
185: }
186: enumerator->destroy(enumerator);
187: dict->destroy(dict);
188:
189: /* treat 'route' and 'start' as 'add' */
190: if (ca->startup != STARTUP_NO)
191: {
192: ca->startup = STARTUP_ADD;
193: }
194: }
195:
196: /*
197: * set some default values
198: */
199: static void conn_defaults(starter_conn_t *conn)
200: {
201: conn->startup = STARTUP_NO;
202: conn->state = STATE_IGNORE;
203: conn->mode = MODE_TUNNEL;
204: conn->options = SA_OPTION_MOBIKE;
205:
206: /* esp defaults are set after parsing the conn section */
207: conn->sa_ike_life_seconds = IKE_LIFETIME_DEFAULT;
208: conn->sa_ipsec_life_seconds = IPSEC_LIFETIME_DEFAULT;
209: conn->sa_rekey_margin = SA_REPLACEMENT_MARGIN_DEFAULT;
210: conn->sa_rekey_fuzz = SA_REPLACEMENT_FUZZ_DEFAULT;
211: conn->sa_keying_tries = SA_REPLACEMENT_RETRIES_DEFAULT;
212: conn->install_policy = TRUE;
213: conn->dpd_delay = 30; /* seconds */
214: conn->dpd_timeout = 150; /* seconds */
215: conn->replay_window = SA_REPLAY_WINDOW_DEFAULT;
216: conn->fragmentation = FRAGMENTATION_YES;
217:
218: conn->left.sendcert = CERT_SEND_IF_ASKED;
219: conn->right.sendcert = CERT_SEND_IF_ASKED;
220:
221: conn->left.ikeport = 500;
222: conn->right.ikeport = 500;
223:
224: conn->left.to_port = 0xffff;
225: conn->right.to_port = 0xffff;
226: }
227:
228: /*
229: * parse left|right specific options
230: */
231: static void kw_end(starter_conn_t *conn, starter_end_t *end, kw_token_t token,
232: char *key, char *value, starter_config_t *cfg)
233: {
234: bool assigned = FALSE;
235:
236: if (is_deprecated(token, key, conn->name))
237: {
238: cfg->non_fatal_err++;
239: return;
240: }
241:
242: if (!assign_arg(token, KW_END_FIRST, key, value, end, &assigned))
243: {
244: goto err;
245: }
246:
247: /* post processing of some keywords that were assigned automatically */
248: switch (token)
249: {
250: case KW_HOST:
251: if (value && strlen(value) > 0 && value[0] == '%')
252: {
253: if (streq(value, "%defaultroute"))
254: {
255: value = "%any";
256: }
257: if (!streq(value, "%any") && !streq(value, "%any4") &&
258: !streq(value, "%any6"))
259: { /* allow_any prefix */
260: end->allow_any = TRUE;
261: value++;
262: }
263: }
264: free(end->host);
265: end->host = strdupnull(value);
266: break;
267: case KW_SOURCEIP:
268: conn->mode = MODE_TUNNEL;
269: conn->proxy_mode = FALSE;
270: break;
271: case KW_SENDCERT:
272: if (end->sendcert == CERT_YES_SEND)
273: {
274: end->sendcert = CERT_ALWAYS_SEND;
275: }
276: else if (end->sendcert == CERT_NO_SEND)
277: {
278: end->sendcert = CERT_NEVER_SEND;
279: }
280: break;
281: default:
282: break;
283: }
284:
285: if (assigned)
286: {
287: return;
288: }
289:
290: /* individual processing of keywords that were not assigned automatically */
291: switch (token)
292: {
293: case KW_PROTOPORT:
294: {
295: struct protoent *proto;
296: struct servent *svc;
297: char *sep, *port = "", *endptr;
298: long int p;
299:
300: sep = strchr(value, '/');
301: if (sep)
302: { /* protocol/port */
303: *sep = '\0';
304: port = sep + 1;
305: }
306:
307: if (streq(value, "%any"))
308: {
309: end->protocol = 0;
310: }
311: else
312: {
313: proto = getprotobyname(value);
314: if (proto)
315: {
316: end->protocol = proto->p_proto;
317: }
318: else
319: {
320: p = strtol(value, &endptr, 0);
321: if ((*value && *endptr) || p < 0 || p > 0xff)
322: {
323: DBG1(DBG_APP, "# bad protocol: %s=%s", key, value);
324: goto err;
325: }
326: end->protocol = (uint8_t)p;
327: }
328: }
329: if (streq(port, "%any"))
330: {
331: end->from_port = 0;
332: end->to_port = 0xffff;
333: }
334: else if (streq(port, "%opaque"))
335: {
336: end->from_port = 0xffff;
337: end->to_port = 0;
338: }
339: else if (*port)
340: {
341: svc = getservbyname(port, NULL);
342: if (svc)
343: {
344: end->from_port = end->to_port = ntohs(svc->s_port);
345: }
346: else
347: {
348: p = strtol(port, &endptr, 0);
349: if (p < 0 || p > 0xffff)
350: {
351: DBG1(DBG_APP, "# bad port: %s=%s", key, port);
352: goto err;
353: }
354: end->from_port = p;
355: if (*endptr == '-')
356: {
357: port = endptr + 1;
358: p = strtol(port, &endptr, 0);
359: if (p < 0 || p > 0xffff)
360: {
361: DBG1(DBG_APP, "# bad port: %s=%s", key, port);
362: goto err;
363: }
364: }
365: end->to_port = p;
366: if (*endptr)
367: {
368: DBG1(DBG_APP, "# bad port: %s=%s", key, port);
369: goto err;
370: }
371: }
372: }
373: if (sep)
374: { /* restore the original text in case also= is used */
375: *sep = '/';
376: }
377: break;
378: }
379: default:
380: break;
381: }
382: return;
383:
384: err:
385: DBG1(DBG_APP, " bad argument value in conn '%s'", conn->name);
386: cfg->err++;
387: }
388:
389: /*
390: * macro to handle simple flags
391: */
392: #define KW_SA_OPTION_FLAG(sy, sn, fl) \
393: if (streq(value, sy)) { conn->options |= fl; } \
394: else if (streq(value, sn)) { conn->options &= ~fl; } \
395: else { DBG1(DBG_APP, "# bad option value: %s=%s", key, value); cfg->err++; }
396:
397: /*
398: * parse settings not handled by the simple argument parser
399: */
400: static void handle_keyword(kw_token_t token, starter_conn_t *conn, char *key,
401: char *value, starter_config_t *cfg)
402: {
403: if ((token == KW_ESP && conn->ah) || (token == KW_AH && conn->esp))
404: {
405: DBG1(DBG_APP, "# can't have both 'ah' and 'esp' options");
406: cfg->err++;
407: return;
408: }
409: switch (token)
410: {
411: case KW_TYPE:
412: {
413: conn->mode = MODE_TRANSPORT;
414: conn->proxy_mode = FALSE;
415: if (streq(value, "tunnel"))
416: {
417: conn->mode = MODE_TUNNEL;
418: }
419: else if (streq(value, "beet"))
420: {
421: conn->mode = MODE_BEET;
422: }
423: else if (streq(value, "transport_proxy"))
424: {
425: conn->mode = MODE_TRANSPORT;
426: conn->proxy_mode = TRUE;
427: }
428: else if (streq(value, "passthrough") || streq(value, "pass"))
429: {
430: conn->mode = MODE_PASS;
431: }
432: else if (streq(value, "drop") || streq(value, "reject"))
433: {
434: conn->mode = MODE_DROP;
435: }
436: else if (!streq(value, "transport"))
437: {
438: DBG1(DBG_APP, "# bad policy value: %s=%s", key, value);
439: cfg->err++;
440: }
441: break;
442: }
443: case KW_COMPRESS:
444: KW_SA_OPTION_FLAG("yes", "no", SA_OPTION_COMPRESS)
445: break;
446: case KW_MARK:
447: if (!mark_from_string(value, MARK_OP_UNIQUE, &conn->mark_in))
448: {
449: cfg->err++;
450: break;
451: }
452: conn->mark_out = conn->mark_in;
453: break;
454: case KW_MARK_IN:
455: if (!mark_from_string(value, MARK_OP_UNIQUE, &conn->mark_in))
456: {
457: cfg->err++;
458: }
459: break;
460: case KW_MARK_OUT:
461: if (!mark_from_string(value, MARK_OP_UNIQUE, &conn->mark_out))
462: {
463: cfg->err++;
464: }
465: break;
466: case KW_TFC:
467: if (streq(value, "%mtu"))
468: {
469: conn->tfc = -1;
470: }
471: else
472: {
473: char *endptr;
474:
475: conn->tfc = strtoul(value, &endptr, 10);
476: if (*endptr != '\0')
477: {
478: DBG1(DBG_APP, "# bad integer value: %s=%s", key, value);
479: cfg->err++;
480: }
481: }
482: break;
483: case KW_KEYINGTRIES:
484: if (streq(value, "%forever"))
485: {
486: conn->sa_keying_tries = 0;
487: }
488: else
489: {
490: char *endptr;
491:
492: conn->sa_keying_tries = strtoul(value, &endptr, 10);
493: if (*endptr != '\0')
494: {
495: DBG1(DBG_APP, "# bad integer value: %s=%s", key, value);
496: cfg->err++;
497: }
498: }
499: break;
500: case KW_REKEY:
501: KW_SA_OPTION_FLAG("no", "yes", SA_OPTION_DONT_REKEY)
502: break;
503: case KW_REAUTH:
504: KW_SA_OPTION_FLAG("no", "yes", SA_OPTION_DONT_REAUTH)
505: break;
506: case KW_MOBIKE:
507: KW_SA_OPTION_FLAG("yes", "no", SA_OPTION_MOBIKE)
508: break;
509: case KW_FORCEENCAPS:
510: KW_SA_OPTION_FLAG("yes", "no", SA_OPTION_FORCE_ENCAP)
511: break;
512: case KW_MODECONFIG:
513: KW_SA_OPTION_FLAG("push", "pull", SA_OPTION_MODECFG_PUSH)
514: break;
515: case KW_XAUTH:
516: KW_SA_OPTION_FLAG("server", "client", SA_OPTION_XAUTH_SERVER)
517: break;
518: default:
519: break;
520: }
521: }
522:
523: /*
524: * handles left|rightfirewall and left|rightupdown parameters
525: */
526: static void handle_firewall(const char *label, starter_end_t *end,
527: starter_config_t *cfg)
528: {
529: if (end->firewall)
530: {
531: if (end->updown != NULL)
532: {
533: DBG1(DBG_APP, "# cannot have both %sfirewall and %supdown", label,
534: label);
535: cfg->err++;
536: }
537: else
538: {
539: end->updown = strdupnull(firewall_defaults);
540: end->firewall = FALSE;
541: }
542: }
543: }
544:
545: /*
546: * parse a conn section
547: */
548: static void load_conn(starter_conn_t *conn, starter_config_t *cfg,
549: conf_parser_t *parser)
550: {
551: enumerator_t *enumerator;
552: dictionary_t *dict;
553: const kw_entry_t *entry;
554: kw_token_t token;
555: char *key, *value;
556:
557: DBG2(DBG_APP, "Loading conn '%s'", conn->name);
558: dict = parser->get_section(parser, CONF_PARSER_CONN, conn->name);
559: if (!dict)
560: {
561: return;
562: }
563: enumerator = dict->create_enumerator(dict);
564: while (enumerator->enumerate(enumerator, &key, &value))
565: {
566: bool assigned = FALSE;
567:
568: entry = in_word_set(key, strlen(key));
569: if (!entry)
570: {
571: DBG1(DBG_APP, "# unknown keyword '%s'", key);
572: cfg->non_fatal_err++;
573: continue;
574: }
575: token = entry->token;
576: if (token >= KW_LEFT_FIRST && token <= KW_LEFT_LAST)
577: {
578: kw_end(conn, &conn->left, token - KW_LEFT_FIRST + KW_END_FIRST,
579: key, value, cfg);
580: continue;
581: }
582: else if (token >= KW_RIGHT_FIRST && token <= KW_RIGHT_LAST)
583: {
584: kw_end(conn, &conn->right, token - KW_RIGHT_FIRST + KW_END_FIRST,
585: key, value, cfg);
586: continue;
587: }
588: if (token == KW_AUTO)
589: {
590: token = KW_CONN_SETUP;
591: }
592: if (token < KW_CONN_FIRST || token > KW_CONN_LAST)
593: {
594: DBG1(DBG_APP, "# unsupported keyword '%s' in conn '%s'",
595: key, conn->name);
596: cfg->err++;
597: continue;
598: }
599: if (is_deprecated(token, key, conn->name))
600: {
601: cfg->non_fatal_err++;
602: continue;
603: }
604: if (!assign_arg(token, KW_CONN_FIRST, key, value, conn,
605: &assigned))
606: {
607: DBG1(DBG_APP, " bad argument value in conn '%s'", conn->name);
608: cfg->err++;
609: continue;
610: }
611: if (!assigned)
612: {
613: handle_keyword(token, conn, key, value, cfg);
614: }
615: }
616: enumerator->destroy(enumerator);
617: dict->destroy(dict);
618:
619: handle_firewall("left", &conn->left, cfg);
620: handle_firewall("right", &conn->right, cfg);
621: }
622:
623: /*
624: * free the memory used by a starter_ca_t object
625: */
626: static void confread_free_ca(starter_ca_t *ca)
627: {
628: free_args(KW_CA_NAME, KW_CA_LAST, (char *)ca);
629: free(ca);
630: }
631:
632: /*
633: * free the memory used by a starter_conn_t object
634: */
635: static void confread_free_conn(starter_conn_t *conn)
636: {
637: free_args(KW_END_FIRST, KW_END_LAST, (char *)&conn->left);
638: free_args(KW_END_FIRST, KW_END_LAST, (char *)&conn->right);
639: free_args(KW_CONN_NAME, KW_CONN_LAST, (char *)conn);
640: free(conn);
641: }
642:
643: /*
644: * free the memory used by a starter_config_t object
645: */
646: void confread_free(starter_config_t *cfg)
647: {
648: starter_conn_t *conn = cfg->conn_first;
649: starter_ca_t *ca = cfg->ca_first;
650:
651: free_args(KW_SETUP_FIRST, KW_SETUP_LAST, (char *)cfg);
652:
653: while (conn != NULL)
654: {
655: starter_conn_t *conn_aux = conn;
656:
657: conn = conn->next;
658: confread_free_conn(conn_aux);
659: }
660:
661: while (ca != NULL)
662: {
663: starter_ca_t *ca_aux = ca;
664:
665: ca = ca->next;
666: confread_free_ca(ca_aux);
667: }
668:
669: free(cfg);
670: }
671:
672: /*
673: * load and parse an IPsec configuration file
674: */
675: starter_config_t* confread_load(const char *file)
676: {
677: conf_parser_t *parser;
678: starter_config_t *cfg = NULL;
679: enumerator_t *enumerator;
680: u_int total_err;
681: char *name;
682:
683: parser = conf_parser_create(file);
684: if (!parser->parse(parser))
685: {
686: parser->destroy(parser);
687: return NULL;
688: }
689:
690: INIT(cfg,
691: .setup = {
692: .uniqueids = TRUE,
693: }
694: );
695:
696: /* load config setup section */
697: load_setup(cfg, parser);
698:
699: /* load ca sections */
700: enumerator = parser->get_sections(parser, CONF_PARSER_CA);
701: while (enumerator->enumerate(enumerator, &name))
702: {
703: u_int previous_err = cfg->err;
704: starter_ca_t *ca;
705:
706: INIT(ca,
707: .name = strdup(name),
708: );
709: load_ca(ca, cfg, parser);
710:
711: if (cfg->err > previous_err)
712: {
713: total_err = cfg->err - previous_err;
714: DBG1(DBG_APP, "# ignored ca '%s' due to %d parsing error%s", name,
715: total_err, (total_err > 1) ? "s" : "");
716: confread_free_ca(ca);
717: cfg->non_fatal_err += cfg->err - previous_err;
718: cfg->err = previous_err;
719: }
720: else
721: {
722: if (cfg->ca_last)
723: {
724: cfg->ca_last->next = ca;
725: }
726: cfg->ca_last = ca;
727: if (!cfg->ca_first)
728: {
729: cfg->ca_first = ca;
730: }
731: if (ca->startup != STARTUP_NO)
732: {
733: ca->state = STATE_TO_ADD;
734: }
735: }
736: }
737: enumerator->destroy(enumerator);
738:
739: /* load conn sections */
740: enumerator = parser->get_sections(parser, CONF_PARSER_CONN);
741: while (enumerator->enumerate(enumerator, &name))
742: {
743: u_int previous_err = cfg->err;
744: starter_conn_t *conn;
745:
746: INIT(conn,
747: .name = strdup(name),
748: );
749: conn_defaults(conn);
750: load_conn(conn, cfg, parser);
751:
752: if (cfg->err > previous_err)
753: {
754: total_err = cfg->err - previous_err;
755: DBG1(DBG_APP, "# ignored conn '%s' due to %d parsing error%s", name,
756: total_err, (total_err > 1) ? "s" : "");
757: confread_free_conn(conn);
758: cfg->non_fatal_err += cfg->err - previous_err;
759: cfg->err = previous_err;
760: }
761: else
762: {
763: if (cfg->conn_last)
764: {
765: cfg->conn_last->next = conn;
766: }
767: cfg->conn_last = conn;
768: if (!cfg->conn_first)
769: {
770: cfg->conn_first = conn;
771: }
772: if (conn->startup != STARTUP_NO)
773: {
774: conn->state = STATE_TO_ADD;
775: }
776: }
777: }
778: enumerator->destroy(enumerator);
779:
780: parser->destroy(parser);
781:
782: total_err = cfg->err + cfg->non_fatal_err;
783: if (total_err > 0)
784: {
785: DBG1(DBG_APP, "### %d parsing error%s (%d fatal) ###",
786: total_err, (total_err > 1)?"s":"", cfg->err);
787: }
788: return cfg;
789: }
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>
![[BACK]](/icons/cvsweb/back.gif){kind=icon}
Return to confread.c CVS log ![[TXT]](/icons/cvsweb/text.gif){kind=icon}
![[DIR]](/icons/cvsweb/dir.gif){kind=icon}
Up to [ELWIX - Embedded LightWeight unIX -] / embedaddon / strongswan / src / starter