1 /* $OpenBSD: conf.c,v 1.107 2017/10/27 08:29:32 mpi Exp $ */
2 /* $EOM: conf.c,v 1.48 2000/12/04 02:04:29 angelos Exp $ */
3
4 /*
5 * Copyright (c) 1998, 1999, 2000, 2001 Niklas Hallqvist. All rights reserved.
* Copyright (c) 2000, 2001, 2002 Håkan Olsson. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 * 1. Redistributions of source code must retain the above copyright
12 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
16 *
17 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
18 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
19 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
20 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
21 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
22 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
23 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
24 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
25 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
26 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
27 */
28
29 /*
30 * This code was written under funding by Ericsson Radio Systems.
31 */
32
33 #include <sys/types.h>
34 #include <sys/mman.h>
35 #include <sys/queue.h>
36 #include <sys/socket.h>
37 #include <sys/stat.h>
38 #include <netinet/in.h>
39 #include <arpa/inet.h>
40 #include <ctype.h>
41 #include <fcntl.h>
42 #include <stdio.h>
43 #include <stdlib.h>
44 #include <string.h>
45 #include <unistd.h>
46 #include <errno.h>
47
48 #include "app.h"
49 #include "conf.h"
50 #include "log.h"
51 #include "monitor.h"
52 #include "util.h"
53
/* Forward declarations for helpers defined further down in this file. */
static char *conf_get_trans_str(int, char *, char *);
static void conf_load_defaults(int);
#if 0
static int conf_find_trans_xf(int, char *);	/* disabled, see its #if 0 body below */
#endif
59
/*
 * One queued configuration operation.  Operations are collected in
 * conf_trans_queue under the transaction id handed out by conf_begin()
 * and applied to (or discarded from) the live bindings by conf_end().
 */
struct conf_trans {
	TAILQ_ENTRY(conf_trans) link;
	int trans;		/* transaction id from conf_begin() */
	enum conf_op {
		CONF_SET, CONF_REMOVE, CONF_REMOVE_SECTION
	} op;
	char *section;		/* heap copies made by conf_trans_node(), freed by conf_end() */
	char *tag;		/* NULL for CONF_REMOVE_SECTION */
	char *value;		/* NULL for the remove operations */
	int override;		/* CONF_SET: replace an existing binding instead of keeping it */
	int is_default;		/* CONF_SET: generated default, duplicates are dropped silently */
};
72
/* Size of the buffers used to build generated section names (incl. NUL). */
#define CONF_SECT_MAX 256

/* All pending operations of every open transaction, in queue order. */
TAILQ_HEAD(conf_trans_head, conf_trans) conf_trans_queue;
76
/*
 * One live configuration value: TAG = VALUE inside SECTION.  Bindings
 * live in conf_bindings, bucketed by conf_hash(section).
 */
struct conf_binding {
	LIST_ENTRY(conf_binding) link;
	char *section;		/* heap copies owned by the binding (see conf_set_now) */
	char *tag;
	char *value;
	int is_default;		/* generated by conf_load_defaults(), not from the file */
};
84
/* Path of the configuration file; CONFIG_FILE is defined elsewhere. */
char *conf_path = CONFIG_FILE;
/* Live bindings, one bucket per conf_hash() value (8 bits -> 256). */
LIST_HEAD(conf_bindings, conf_binding) conf_bindings[256];

/*
 * Buffer the current configuration file was parsed from, or NULL when no
 * file was loaded.  Kept until the next conf_reinit(), which frees it.
 */
static char *conf_addr;
/*
 * Hash a section name into a bucket index for conf_bindings.  Characters
 * are lower-cased first so the hash agrees with the strcasecmp() lookups,
 * and the 8-bit result indexes the 256 buckets directly.
 */
static __inline__ u_int8_t
conf_hash(char *s)
{
	u_int8_t h = 0;
	unsigned char c;

	for (; (c = (unsigned char)*s) != '\0'; s++) {
		/* Rotate left by one bit, then fold in the lower-cased byte. */
		h = (u_int8_t)(((h << 1) | (h >> 7)) ^ tolower(c));
	}
	return h;
}
100
/*
 * Remove the binding of TAG in SECTION from the live configuration.
 * Only the first matching binding is removed.  Returns 0 when a binding
 * was found and freed, 1 when no such binding exists.
 */
static int
conf_remove_now(char *section, char *tag)
{
	struct conf_binding *cur;

	LIST_FOREACH(cur, &conf_bindings[conf_hash(section)], link) {
		if (strcasecmp(cur->section, section) != 0 ||
		    strcasecmp(cur->tag, tag) != 0)
			continue;
		/* Unlink first, then release; we leave the loop right away. */
		LIST_REMOVE(cur, link);
		LOG_DBG((LOG_MISC, 95, "[%s]:%s->%s removed", section,
		    tag, cur->value));
		free(cur->section);
		free(cur->tag);
		free(cur->value);
		free(cur);
		return 0;
	}
	return 1;
}
126
/*
 * Remove every binding that belongs to SECTION from the live
 * configuration.  Returns 0 if at least one binding was removed, 1 if
 * the section had none.
 */
static int
conf_remove_section_now(char *section)
{
	struct conf_binding *cur, *following;
	int removed = 0;

	for (cur = LIST_FIRST(&conf_bindings[conf_hash(section)]);
	    cur != NULL; cur = following) {
		/* Fetch the successor before cur may be freed. */
		following = LIST_NEXT(cur, link);
		if (strcasecmp(cur->section, section) != 0)
			continue;
		LIST_REMOVE(cur, link);
		LOG_DBG((LOG_MISC, 95, "[%s]:%s->%s removed", section,
		    cur->tag, cur->value));
		free(cur->section);
		free(cur->tag);
		free(cur->value);
		free(cur);
		removed++;
	}
	return removed == 0;
}
149
/*
 * Install the binding TAG = VALUE in SECTION of the live configuration.
 * With OVERRIDE set an existing binding for the tag is removed first;
 * otherwise an existing binding wins and the new value is dropped (the
 * duplicate is logged unless IS_DEFAULT marks it as a generated default).
 * All three strings are copied.  Returns 0 on success, 1 if the value was
 * dropped or memory ran out.
 */
static int
conf_set_now(char *section, char *tag, char *value, int override,
    int is_default)
{
	struct conf_binding *nb;

	if (override) {
		conf_remove_now(section, tag);
	} else if (conf_get_str(section, tag) != NULL) {
		if (!is_default)
			log_print("conf_set_now: duplicate tag [%s]:%s, "
			    "ignoring...\n", section, tag);
		return 1;
	}

	nb = calloc(1, sizeof *nb);
	if (nb == NULL) {
		log_error("conf_set_now: calloc (1, %lu) failed",
		    (unsigned long)sizeof *nb);
		return 1;
	}
	/* calloc() left the string pointers NULL, so fail: may free them all. */
	if ((nb->section = strdup(section)) == NULL ||
	    (nb->tag = strdup(tag)) == NULL ||
	    (nb->value = strdup(value)) == NULL)
		goto fail;
	nb->is_default = is_default;

	LIST_INSERT_HEAD(&conf_bindings[conf_hash(section)], nb, link);
	LOG_DBG((LOG_MISC, 95, "conf_set_now: [%s]:%s->%s", nb->section,
	    nb->tag, nb->value));
	return 0;

fail:
	free(nb->value);
	free(nb->tag);
	free(nb->section);
	free(nb);
	return 1;
}
194
/*
 * Parse the line LINE of SZ bytes (NUL terminated; LN is its line number,
 * used for diagnostics only).  Comment lines are skipped, '[section]'
 * headers select the section for the lines that follow, and 'tag = value'
 * lines are queued with conf_set() into transaction TRANS.  LINE is
 * modified in place: the tag is NUL-terminated and trailing blanks of the
 * value are cleared.
 *
 * NOTE(review): the current section lives in a function-local static that
 * is only reset by a '[' line, so it survives across conf_parse() calls.
 * On a reload, assignments that precede the first section header attach
 * to the last section seen in the previous load.
 */
static void
conf_parse_line(int trans, char *line, int ln, size_t sz)
{
	char *val;
	size_t i;
	int j;
	static char *section = 0;	/* set by the most recent '[...]' line */

	/* Lines starting with '#' or ';' are comments. */
	if (*line == '#' || *line == ';')
		return;

	/* '[section]' parsing... */
	if (*line == '[') {
		/* i stops on the ']' or, if there is none, at sz. */
		for (i = 1; i < sz; i++)
			if (line[i] == ']')
				break;
		free(section);
		if (i == sz) {
			log_print("conf_parse_line: %d:"
			    "unmatched ']', ignoring until next section", ln);
			section = 0;
			return;
		}
		/* i bytes hold the i-1 name characters plus the NUL. */
		section = malloc(i);
		if (!section) {
			log_print("conf_parse_line: %d: malloc (%lu) failed",
			    ln, (unsigned long)i);
			return;
		}
		strlcpy(section, line + 1, i);
		return;
	}
	/* Deal with assignments. */
	for (i = 0; i < sz; i++)
		if (line[i] == '=') {
			/* If no section, we are ignoring the lines. */
			if (!section) {
				log_print("conf_parse_line: %d: ignoring line "
				    "due to no section", ln);
				return;
			}
			/* Terminate the tag at the first blank or '='. */
			line[strcspn(line, " \t=")] = '\0';
			/* The value starts after the '=' and any blanks. */
			val = line + i + 1 + strspn(line + i + 1, " \t");
			/* Skip trailing whitespace, if any */
			for (j = sz - (val - line) - 1; j > 0 &&
			    isspace((unsigned char)val[j]); j--)
				val[j] = '\0';
			/* XXX Perhaps should we not ignore errors? */
			conf_set(trans, section, line, val, 0, 0);
			return;
		}
	/* Other non-empty lines are weird. */
	i = strspn(line, " \t");
	if (line[i])
		log_print("conf_parse_line: %d: syntax error", ln);
}
256
/*
 * Split the SZ-byte buffer BUF into lines and hand each one to
 * conf_parse_line() under transaction TRANS.  A backslash immediately
 * before a newline joins the line with the next one (both characters
 * become spaces).  The buffer is modified in place: newlines become NULs.
 * A final line without a trailing newline is dropped with a log message.
 */
static void
conf_parse(int trans, char *buf, size_t sz)
{
	char *end = buf + sz;
	char *start = buf;
	char *p;
	int lineno = 1;

	for (p = buf; p < end; p++) {
		if (*p != '\n')
			continue;
		if (p > buf && p[-1] == '\\') {
			/* Escaped newline: continue the current line. */
			p[-1] = ' ';
			*p = ' ';
		} else {
			*p = '\0';
			conf_parse_line(trans, start, lineno, (size_t)(p - start));
			start = p + 1;
		}
		lineno++;
	}
	if (p != start)
		log_print("conf_parse: last line unterminated, ignored.");
}
284
285 /*
286 * Auto-generate default configuration values for the transforms and
287 * suites the user wants.
288 *
289 * Resulting section names can be:
290 * For main mode:
* {BLF,3DES,CAST,AES,AES-{128,192,256}}-{MD5,SHA,SHA2-{256,384,512}} \
292 * [-GRP{1,2,5,14-21,25-30}][-{DSS,RSA_SIG}]
293 * For quick mode:
294 * QM-{proto}[-TRP]-{cipher}[-{hash}][-PFS[-{group}]]-SUITE
295 * where
296 * {proto} = ESP, AH
297 * {cipher} = 3DES, CAST, BLF, AES, AES-{128,192,256}, AESCTR
298 * {hash} = MD5, SHA, RIPEMD, SHA2-{256,384,512}
299 * {group} = GRP{1,2,5,14-21,25-30}
300 *
301 * DH group defaults to MODP_1024.
302 *
303 * XXX We may want to support USE_TRIPLEDES, etc...
304 * XXX No EC2N DH support here yet.
305 */
306
/*
 * Look up TAG in SECTION among the operations queued for transaction
 * TRANS.  The first matching entry is taken unless a later one carries
 * the override flag, in which case the last such override wins.  Returns
 * the queued value, or NULL when nothing matches.
 *
 * NOTE(review): section and tag of each queued node are passed straight
 * to strcasecmp(); nodes queued by conf_remove_section() carry a NULL tag.
 */
static char *
conf_get_trans_str(int trans, char *section, char *tag)
{
	struct conf_trans *cur, *best = NULL;

	TAILQ_FOREACH(cur, &conf_trans_queue, link) {
		if (cur->trans != trans ||
		    strcasecmp(section, cur->section) != 0 ||
		    strcasecmp(tag, cur->tag) != 0)
			continue;
		if (best == NULL || cur->override)
			best = cur;
	}
	return best != NULL ? best->value : NULL;
}
324
325 #if 0
326 /* XXX Currently unused. */
327 static int
328 conf_find_trans_xf(int phase, char *xf)
329 {
330 struct conf_trans *node;
331 char *p;
332
333 /* Find the relevant transforms and suites, if any. */
334 for (node = TAILQ_FIRST(&conf_trans_queue); node;
335 node = TAILQ_NEXT(node, link))
336 if ((phase == 1 && strcmp("Transforms", node->tag) == 0) ||
337 (phase == 2 && strcmp("Suites", node->tag) == 0)) {
338 p = node->value;
339 while ((p = strstr(p, xf)) != NULL)
340 if (*(p + strlen(p)) &&
341 *(p + strlen(p)) != ',')
342 p += strlen(p);
343 else
344 return 1;
345 }
346 return 0;
347 }
348 #endif
349
/*
 * Queue the default main mode section for one combination of encryption
 * (MME), hash (MMH), authentication method (MMA) and DH group (DHG) in
 * transaction TR.  The *_p arguments are the abbreviated name fragments
 * which, concatenated, form the section name (see the naming scheme in
 * the comment above conf_get_trans_str).  Everything is queued as a
 * default (is_default = 1), so file settings take precedence.
 */
static void
conf_load_defaults_mm(int tr, char *mme, char *mmh, char *mma, char *dhg,
    char *mme_p, char *mma_p, char *dhg_p, char *mmh_p)
{
	char sect[CONF_SECT_MAX];
	char *keylen = NULL;

	snprintf(sect, sizeof sect, "%s%s%s%s", mme_p, mmh_p, dhg_p, mma_p);
	LOG_DBG((LOG_MISC, 95, "conf_load_defaults_mm: main mode %s", sect));

	conf_set(tr, sect, "ENCRYPTION_ALGORITHM", mme, 0, 1);

	/*
	 * Key length: Blowfish and plain AES use the compiled-in defaults,
	 * the sized AES variants pin it as "val,min:max" (see conf_match_num).
	 * The order of the tests matches the original chain.
	 */
	if (strcmp(mme, "BLOWFISH_CBC") == 0)
		keylen = CONF_DFLT_VAL_BLF_KEYLEN;
	else if (strcmp(mme_p, "AES-128") == 0)
		keylen = "128,128:128";
	else if (strcmp(mme_p, "AES-192") == 0)
		keylen = "192,192:192";
	else if (strcmp(mme_p, "AES-256") == 0)
		keylen = "256,256:256";
	else if (strcmp(mme, "AES_CBC") == 0)
		keylen = CONF_DFLT_VAL_AES_KEYLEN;
	if (keylen != NULL)
		conf_set(tr, sect, "KEY_LENGTH", keylen, 0, 1);

	conf_set(tr, sect, "HASH_ALGORITHM", mmh, 0, 1);
	conf_set(tr, sect, "AUTHENTICATION_METHOD", mma, 0, 1);
	conf_set(tr, sect, "GROUP_DESCRIPTION", dhg, 0, 1);
	conf_set(tr, sect, "Life", CONF_DFLT_TAG_LIFE_MAIN_MODE, 0, 1);
}
379
/*
 * Queue the default quick mode sections for one combination of cipher
 * (QME), authentication hash (QMH) and DH group (DHG) in transaction TR.
 * PROTO selects AH (1) or ESP (0), MODE transport (1) or tunnel (0), and
 * PFS whether a group is part of the suite.  The *_p arguments are the
 * name fragments that build the section name; QM_AH_ID is the AH
 * transform id matching QMH.  Combinations that make no sense return
 * without queueing anything.
 *
 * For a name N = QM-<proto>[-TRP]<enc>[<hash>][-PFS[<grp>]] three
 * sections are created:
 *   [N-SUITE]  Protocols = N
 *   [N]        PROTOCOL_ID = IPSEC_<proto>, Transforms = N-XF
 *   [N-XF]     the transform parameters
 */
static void
conf_load_defaults_qm(int tr, char *qme, char *qmh, char *dhg, char *qme_p,
    char *qmh_p, char *qm_ah_id, char *dhg_p, int proto, int mode, int pfs)
{
	char sect[CONF_SECT_MAX], tmp[CONF_SECT_MAX];

	/* Helper #defines, incl abbreviations. */
	/* NOTE: these macros stay defined for the rest of the file. */
#define PROTO(x) ((x) ? "AH" : "ESP")
#define PFS(x) ((x) ? "-PFS" : "")
#define MODE(x) ((x) ? "TRANSPORT" : "TUNNEL")
#define MODE_p(x) ((x) ? "-TRP" : "")

	/* For AH a hash must be present and no encryption is allowed */
	if (proto == 1 && (strcmp(qmh, "NONE") == 0 ||
	    strcmp(qme, "NONE") != 0))
		return;

	/* For ESP encryption must be provided, an empty hash is ok. */
	if (proto == 0 && strcmp(qme, "NONE") == 0)
		return;

	/* When PFS is disabled no DH group must be specified. */
	if (pfs == 0 && strcmp(dhg_p, ""))
		return;

	/* For GCM no additional authentication must be specified */
	if (proto == 0 && strcmp(qmh, "NONE") != 0 &&
	    (strcmp(qme, "AES_GCM_16") == 0 || strcmp(qme, "AES_GMAC") == 0))
		return;

	/* tmp holds the base name N for the rest of the function. */
	snprintf(tmp, sizeof tmp, "QM-%s%s%s%s%s%s", PROTO(proto),
	    MODE_p(mode), qme_p, qmh_p, PFS(pfs), dhg_p);

	/* sect is reused as scratch: first N-SUITE ... */
	strlcpy(sect, tmp, CONF_SECT_MAX);
	strlcat(sect, "-SUITE", CONF_SECT_MAX);

	LOG_DBG((LOG_MISC, 95, "conf_load_defaults_qm: quick mode %s", sect));

	conf_set(tr, sect, "Protocols", tmp, 0, 1);
	/* ... then the protocol id for [N] ... */
	snprintf(sect, sizeof sect, "IPSEC_%s", PROTO(proto));
	conf_set(tr, tmp, "PROTOCOL_ID", sect, 0, 1);
	/* ... and finally the N-XF section name used below. */
	strlcpy(sect, tmp, CONF_SECT_MAX);
	strlcat(sect, "-XF", CONF_SECT_MAX);
	conf_set(tr, tmp, "Transforms", sect, 0, 1);

	/*
	 * XXX For now, defaults
	 * contain one xf per protocol.
	 */
	if (proto == 0)
		conf_set(tr, sect, "TRANSFORM_ID", qme, 0, 1);
	else
		conf_set(tr, sect, "TRANSFORM_ID", qm_ah_id, 0, 1);
	/* Key length: sized variants are pinned as "val,min:max". */
	if (strcmp(qme, "BLOWFISH") == 0)
		conf_set(tr, sect, "KEY_LENGTH", CONF_DFLT_VAL_BLF_KEYLEN, 0,
		    1);
	else if (strcmp(qme_p, "-AES-128") == 0 ||
	    strcmp(qme_p, "-AESCTR-128") == 0 ||
	    strcmp(qme_p, "-AESGCM-128") == 0 ||
	    strcmp(qme_p, "-AESGMAC-128") == 0)
		conf_set(tr, sect, "KEY_LENGTH", "128,128:128", 0, 1);
	else if (strcmp(qme_p, "-AES-192") == 0 ||
	    strcmp(qme_p, "-AESCTR-192") == 0 ||
	    strcmp(qme_p, "-AESGCM-192") == 0 ||
	    strcmp(qme_p, "-AESGMAC-192") == 0)
		conf_set(tr, sect, "KEY_LENGTH", "192,192:192", 0, 1);
	else if (strcmp(qme_p, "-AES-256") == 0 ||
	    strcmp(qme_p, "-AESCTR-256") == 0 ||
	    strcmp(qme_p, "-AESGCM-256") == 0 ||
	    strcmp(qme_p, "-AESGMAC-256") == 0)
		conf_set(tr, sect, "KEY_LENGTH", "256,256:256", 0, 1);
	else if (strcmp(qme, "AES") == 0)
		conf_set(tr, sect, "KEY_LENGTH", CONF_DFLT_VAL_AES_KEYLEN, 0,
		    1);

	conf_set(tr, sect, "ENCAPSULATION_MODE", MODE(mode), 0, 1);
	if (strcmp(qmh, "NONE")) {
		conf_set(tr, sect, "AUTHENTICATION_ALGORITHM", qmh, 0, 1);

		/* XXX Another shortcut to keep length down */
		if (pfs)
			conf_set(tr, sect, "GROUP_DESCRIPTION", dhg, 0, 1);
	}

	/* XXX Lifetimes depending on enc/auth strength? */
	conf_set(tr, sect, "Life", CONF_DFLT_TAG_LIFE_QUICK_MODE, 0, 1);
}
467
/*
 * Queue the generated defaults into transaction TR: the [General],
 * [X509-certificates] and [KeyNote] settings, the lifetime sections, the
 * default phase 1 entry and, from the tables below, one main mode section
 * per enc/hash/auth/group combination plus the quick mode sections for
 * every enc/proto/mode/pfs/hash/group combination (naming scheme: see
 * the comment above conf_get_trans_str).  Everything is queued with
 * is_default set and override clear, so values already queued from the
 * configuration file win when the transaction is committed.
 *
 * The tables come in parallel groups indexed by the same loop variable:
 * mm_enc/mm_enc_p, mm_hash/mm_hash_p, mm_auth/mm_auth_p, qm_enc/qm_enc_p,
 * qm_hash/qm_hash_p/qm_ah_id and dhgroup/dhgroup_p.  Each group must keep
 * the same length and order; a loop stops at the terminating 0 of the
 * array named in its condition.
 */
static void
conf_load_defaults(int tr)
{
	int enc, auth, hash, group, proto, mode, pfs;
	char *dflt;

	char *mm_auth[] = {"PRE_SHARED", "DSS", "RSA_SIG", 0};
	char *mm_auth_p[] = {"", "-DSS", "-RSA_SIG", 0};
	char *mm_hash[] = {"MD5", "SHA", "SHA2_256", "SHA2_384", "SHA2_512",
	    0};
	/* The extra "" entry is never reached: the loop runs over mm_hash. */
	char *mm_hash_p[] = {"-MD5", "-SHA", "-SHA2-256", "-SHA2-384",
	    "-SHA2-512", "", 0 };
	char *mm_enc[] = {"BLOWFISH_CBC", "3DES_CBC", "CAST_CBC",
	    "AES_CBC", "AES_CBC", "AES_CBC", "AES_CBC", 0};
	char *mm_enc_p[] = {"BLF", "3DES", "CAST", "AES", "AES-128",
	    "AES-192", "AES-256", 0};
	/* Entry 0 ("", MODP_1024) is the unnamed default group. */
	char *dhgroup[] = {"MODP_1024", "MODP_768", "MODP_1024",
	    "MODP_1536", "MODP_2048", "MODP_3072", "MODP_4096",
	    "MODP_6144", "MODP_8192",
	    "ECP_256", "ECP_384", "ECP_521", "ECP_192", "ECP_224",
	    "BP_224", "BP_256", "BP_384", "BP_512", 0};
	char *dhgroup_p[] = {"", "-GRP1", "-GRP2", "-GRP5", "-GRP14",
	    "-GRP15", "-GRP16", "-GRP17", "-GRP18", "-GRP19", "-GRP20",
	    "-GRP21", "-GRP25", "-GRP26", "-GRP27", "-GRP28", "-GRP29",
	    "-GRP30", 0};
	char *qm_enc[] = {"3DES", "CAST", "BLOWFISH", "AES",
	    "AES", "AES", "AES", "AES_CTR", "AES_CTR", "AES_CTR",
	    "AES_CTR", "AES_GCM_16",
	    "AES_GCM_16", "AES_GCM_16", "AES_GMAC", "AES_GMAC",
	    "AES_GMAC", "NULL", "NONE", 0};
	char *qm_enc_p[] = {"-3DES", "-CAST", "-BLF", "-AES",
	    "-AES-128", "-AES-192", "-AES-256", "-AESCTR",
	    "-AESCTR-128", "-AESCTR-192", "-AESCTR-256",
	    "-AESGCM-128", "-AESGCM-192", "-AESGCM-256",
	    "-AESGMAC-128", "-AESGMAC-192", "-AESGMAC-256", "-NULL",
	    "", 0};
	char *qm_hash[] = {"HMAC_MD5", "HMAC_SHA", "HMAC_RIPEMD",
	    "HMAC_SHA2_256", "HMAC_SHA2_384", "HMAC_SHA2_512", "NONE",
	    0};
	char *qm_hash_p[] = {"-MD5", "-SHA", "-RIPEMD", "-SHA2-256",
	    "-SHA2-384", "-SHA2-512", "", 0};
	/* AH transform ids, indexed like qm_hash. */
	char *qm_ah_id[] = {"MD5", "SHA", "RIPEMD", "SHA2_256", "SHA2_384",
	    "SHA2_512", "", 0};

	/* General and X509 defaults */
	conf_set(tr, "General", "Retransmits", CONF_DFLT_RETRANSMITS, 0, 1);
	conf_set(tr, "General", "Exchange-max-time", CONF_DFLT_EXCH_MAX_TIME,
	    0, 1);
	conf_set(tr, "General", "Use-Keynote", CONF_DFLT_USE_KEYNOTE, 0, 1);
	conf_set(tr, "General", "Policy-file", CONF_DFLT_POLICY_FILE, 0, 1);
	conf_set(tr, "General", "Pubkey-directory", CONF_DFLT_PUBKEY_DIR, 0,
	    1);

	conf_set(tr, "X509-certificates", "CA-directory",
	    CONF_DFLT_X509_CA_DIR, 0, 1);
	conf_set(tr, "X509-certificates", "Cert-directory",
	    CONF_DFLT_X509_CERT_DIR, 0, 1);
	conf_set(tr, "X509-certificates", "Private-key",
	    CONF_DFLT_X509_PRIVATE_KEY, 0, 1);
	conf_set(tr, "X509-certificates", "Private-key-directory",
	    CONF_DFLT_X509_PRIVATE_KEY_DIR, 0, 1);
	conf_set(tr, "X509-certificates", "CRL-directory",
	    CONF_DFLT_X509_CRL_DIR, 0, 1);

	conf_set(tr, "KeyNote", "Credential-directory",
	    CONF_DFLT_KEYNOTE_CRED_DIR, 0, 1);

	conf_set(tr, "General", "Delete-SAs", CONF_DFLT_DELETE_SAS, 0, 1);

	/* Lifetimes. XXX p1/p2 vs main/quick mode may be unclear. */
	/* A lifetime given in the file (same transaction) replaces the default. */
	dflt = conf_get_trans_str(tr, "General", "Default-phase-1-lifetime");
	conf_set(tr, CONF_DFLT_TAG_LIFE_MAIN_MODE, "LIFE_TYPE",
	    CONF_DFLT_TYPE_LIFE_MAIN_MODE, 0, 1);
	conf_set(tr, CONF_DFLT_TAG_LIFE_MAIN_MODE, "LIFE_DURATION",
	    (dflt ? dflt : CONF_DFLT_VAL_LIFE_MAIN_MODE), 0, 1);

	dflt = conf_get_trans_str(tr, "General", "Default-phase-2-lifetime");
	conf_set(tr, CONF_DFLT_TAG_LIFE_QUICK_MODE, "LIFE_TYPE",
	    CONF_DFLT_TYPE_LIFE_QUICK_MODE, 0, 1);
	conf_set(tr, CONF_DFLT_TAG_LIFE_QUICK_MODE, "LIFE_DURATION",
	    (dflt ? dflt : CONF_DFLT_VAL_LIFE_QUICK_MODE), 0, 1);

	/* Default Phase-1 Configuration section */
	conf_set(tr, CONF_DFLT_TAG_PHASE1_CONFIG, "EXCHANGE_TYPE",
	    CONF_DFLT_PHASE1_EXCH_TYPE, 0, 1);
	conf_set(tr, CONF_DFLT_TAG_PHASE1_CONFIG, "Transforms",
	    CONF_DFLT_PHASE1_TRANSFORMS, 0, 1);

	/* Main modes */
	for (enc = 0; mm_enc[enc]; enc++)
		for (hash = 0; mm_hash[hash]; hash++)
			for (auth = 0; mm_auth[auth]; auth++)
				for (group = 0; dhgroup_p[group]; group++)
					conf_load_defaults_mm (tr, mm_enc[enc],
					    mm_hash[hash], mm_auth[auth],
					    dhgroup[group], mm_enc_p[enc],
					    mm_auth_p[auth], dhgroup_p[group],
					    mm_hash_p[hash]);

	/* Setup a default Phase 1 entry */
	conf_set(tr, "Phase 1", "Default", "Default-phase-1", 0, 1);
	conf_set(tr, "Default-phase-1", "Phase", "1", 0, 1);
	conf_set(tr, "Default-phase-1", "Configuration",
	    "Default-phase-1-configuration", 0, 1);
	dflt = conf_get_trans_str(tr, "General", "Default-phase-1-ID");
	if (dflt)
		conf_set(tr, "Default-phase-1", "ID", dflt, 0, 1);

	/* Quick modes */
	/* conf_load_defaults_qm() itself skips the combinations that make no sense. */
	for (enc = 0; qm_enc[enc]; enc++)
		for (proto = 0; proto < 2; proto++)
			for (mode = 0; mode < 2; mode++)
				for (pfs = 0; pfs < 2; pfs++)
					for (hash = 0; qm_hash[hash]; hash++)
						for (group = 0;
						    dhgroup_p[group]; group++)
							conf_load_defaults_qm(
							    tr, qm_enc[enc],
							    qm_hash[hash],
							    dhgroup[group],
							    qm_enc_p[enc],
							    qm_hash_p[hash],
							    qm_ah_id[hash],
							    dhgroup_p[group],
							    proto, mode, pfs);
}
594
/*
 * Initialise the binding table and the transaction queue, then load the
 * configuration file and the generated defaults through conf_reinit().
 */
void
conf_init(void)
{
	const size_t nbuckets = sizeof conf_bindings / sizeof conf_bindings[0];
	size_t bucket;

	for (bucket = 0; bucket < nbuckets; bucket++)
		LIST_INIT(&conf_bindings[bucket]);
	TAILQ_INIT(&conf_trans_queue);
	conf_reinit();
}
605
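/*
 * (Re)load the configuration: read conf_path into a private buffer, parse
 * it into a fresh transaction, add the generated defaults, replace the
 * live bindings with the result and keep the buffer in conf_addr.
 *
 * A missing file is silently accepted and any other open failure is
 * logged; in both cases, and when check_file_secrecy_fd() rejects the
 * file, only the defaults are loaded.  On an allocation or read failure
 * the live configuration is left untouched.
 */
void
conf_reinit(void)
{
	struct conf_binding *cb;
	int fd, trans;
	unsigned int i;
	size_t sz = 0, got;
	ssize_t n;
	char *new_conf_addr = NULL;

	fd = monitor_open(conf_path, O_RDONLY, 0);
	if (fd == -1 || check_file_secrecy_fd(fd, conf_path, &sz) == -1) {
		if (fd == -1 && errno != ENOENT)
			log_error("conf_reinit: open(\"%s\", O_RDONLY, 0) "
			    "failed", conf_path);
		if (fd != -1)
			close(fd);

		trans = conf_begin();
	} else {
		new_conf_addr = malloc(sz);
		if (!new_conf_addr) {
			log_error("conf_reinit: malloc (%lu) failed",
			    (unsigned long)sz);
			goto fail;
		}
		/*
		 * read() may return less than requested; keep going until
		 * the whole file (as sized by the secrecy check) is in
		 * memory.  EOF before that means the file shrank under us.
		 */
		for (got = 0; got < sz; got += (size_t)n) {
			n = read(fd, new_conf_addr + got, sz - got);
			if (n == -1 && errno == EINTR) {
				n = 0;
				continue;
			}
			if (n <= 0) {
				log_error("conf_reinit: read (%d, %p, %lu) failed",
				    fd, new_conf_addr, (unsigned long)sz);
				goto fail;
			}
		}
		close(fd);

		trans = conf_begin();

		/* XXX Should we not care about errors and rollback? */
		conf_parse(trans, new_conf_addr, sz);
	}

	/* Load default configuration values. */
	conf_load_defaults(trans);

	/*
	 * Drop every live binding before committing the new transaction.
	 * This must not be conditional on conf_addr: a previous load without
	 * a configuration file leaves conf_addr NULL but still installs the
	 * defaults, and conf_set_now() drops a non-override value whose tag
	 * already exists, so stale bindings would shadow the new file.  On
	 * the very first call the table is empty and the loop is a no-op.
	 */
	for (i = 0; i < sizeof conf_bindings / sizeof conf_bindings[0]; i++)
		while ((cb = LIST_FIRST(&conf_bindings[i])) != NULL)
			conf_remove_now(cb->section, cb->tag);
	free(conf_addr);
	conf_end(trans, 1);
	conf_addr = new_conf_addr;
	return;

fail:
	free(new_conf_addr);
	close(fd);
}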
666
/*
 * Return the numeric value denoted by TAG in section SECTION or DEF
 * if that tag does not exist.  The text is converted with atoi(), so a
 * value that does not start with a number yields 0, not DEF.
 */
int
conf_get_num(char *section, char *tag, int def)
{
	char *text = conf_get_str(section, tag);

	return text != NULL ? atoi(text) : def;
}
680
/*
 * Return the socket endpoint address denoted by TAG in SECTION as a
 * struct sockaddr, converted by text2sockaddr().  The caller must free
 * the result.  Returns NULL if the tag is missing or the text does not
 * parse as an address.
 */
struct sockaddr *
conf_get_address(char *section, char *tag)
{
	struct sockaddr *sa = NULL;
	char *text = conf_get_str(section, tag);

	if (text != NULL && text2sockaddr(text, 0, &sa, 0, 0) != -1)
		return sa;
	return NULL;
}
698
/*
 * Validate X against the number spec denoted by TAG in section SECTION.
 * A spec is either a single number ("n": X must equal n) or a range
 * "val,min:max" (X must satisfy min <= X <= max; val itself is not
 * checked here).  Returns 1 on match, 0 otherwise; a missing tag or a
 * malformed spec (e.g. "a,b" with no ":max") is logged and rejected.
 */
int
conf_match_num(char *section, char *tag, int x)
{
	int val, lo, hi;
	char *spec = conf_get_str(section, tag);

	if (spec == NULL)
		return 0;

	switch (sscanf(spec, "%d,%d:%d", &val, &lo, &hi)) {
	case 1:
		LOG_DBG((LOG_MISC, 95, "conf_match_num: %s:%s %d==%d?",
		    section, tag, val, x));
		return x == val;
	case 3:
		LOG_DBG((LOG_MISC, 95, "conf_match_num: %s:%s %d<=%d<=%d?",
		    section, tag, lo, x, hi));
		return lo <= x && x <= hi;
	default:
		log_error("conf_match_num: section %s tag %s: invalid number "
		    "spec %s", section, tag, spec);
		return 0;
	}
}
724
/*
 * Return the string value denoted by TAG in section SECTION, or NULL if
 * there is none.  Both names are matched case-insensitively.  The
 * returned pointer is owned by the binding and becomes invalid once the
 * binding is removed (conf_remove_now / conf_reinit).
 */
char *
conf_get_str(char *section, char *tag)
{
	struct conf_binding *cb;
	char *found = NULL;

	LIST_FOREACH(cb, &conf_bindings[conf_hash(section)], link) {
		if (strcasecmp(section, cb->section) == 0 &&
		    strcasecmp(tag, cb->tag) == 0) {
			found = cb->value;
			break;
		}
	}
	if (found != NULL)
		LOG_DBG((LOG_MISC, 95, "conf_get_str: [%s]:%s->%s",
		    section, tag, found));
	else
		LOG_DBG((LOG_MISC, 95,
		    "conf_get_str: configuration value not found [%s]:%s", section,
		    tag));
	return found;
}
744
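/*
 * Build a list of string values out of the comma separated value denoted
 * by TAG in SECTION.  Leading and trailing blanks around each field are
 * dropped; empty fields are logged and skipped.  The caller owns the
 * result and releases it with conf_free_list().  Returns NULL when the
 * tag does not exist or memory runs out.
 */
struct conf_list *
conf_get_list(char *section, char *tag)
{
	char *liststr = NULL, *p, *field, *t;
	struct conf_list *list = NULL;
	struct conf_list_node *node = NULL;

	list = malloc(sizeof *list);
	if (!list)
		goto cleanup;
	TAILQ_INIT(&list->fields);
	list->cnt = 0;
	liststr = conf_get_str(section, tag);
	if (!liststr)
		goto cleanup;
	/* Work on a private copy: strsep() and the trimming write into it. */
	liststr = strdup(liststr);
	if (!liststr)
		goto cleanup;
	p = liststr;
	while ((field = strsep(&p, ",")) != NULL) {
		/* Skip leading whitespace. */
		while (isspace((unsigned char)*field))
			field++;
		/*
		 * Strip trailing whitespace, walking back from the end of the
		 * field itself.  Starting at p - 1 (the NUL that strsep()
		 * wrote over the comma) never satisfies isspace() and so
		 * stripped nothing, and the last field has no comma at all.
		 */
		for (t = field + strlen(field); t > field &&
		    isspace((unsigned char)t[-1]); t--)
			t[-1] = '\0';
		if (*field == '\0') {
			log_print("conf_get_list: empty field, ignoring...");
			continue;
		}
		node = calloc(1, sizeof *node);
		if (!node)
			goto cleanup;
		node->field = strdup(field);
		if (!node->field)
			goto cleanup;
		TAILQ_INSERT_TAIL(&list->fields, node, link);
		list->cnt++;
	}
	free(liststr);
	return list;

cleanup:
	/* node, if set here, is the entry that failed before being linked. */
	free(node);
	if (list)
		conf_free_list(list);
	free(liststr);
	return NULL;
}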
799
/*
 * Collect the tags of every binding in SECTION into a conf_list.  Since
 * conf_set_now() inserts at the head of a bucket, the most recently set
 * tag comes first.  An unknown section yields an empty list.  The caller
 * releases the result with conf_free_list().  Returns NULL when memory
 * runs out.
 */
struct conf_list *
conf_get_tag_list(char *section)
{
	struct conf_list *result;
	struct conf_list_node *entry = NULL;
	struct conf_binding *cb;

	result = malloc(sizeof *result);
	if (result == NULL)
		return NULL;
	TAILQ_INIT(&result->fields);
	result->cnt = 0;

	LIST_FOREACH(cb, &conf_bindings[conf_hash(section)], link) {
		if (strcasecmp(section, cb->section) != 0)
			continue;
		result->cnt++;
		entry = calloc(1, sizeof *entry);
		if (entry == NULL)
			goto cleanup;
		entry->field = strdup(cb->tag);
		if (entry->field == NULL)
			goto cleanup;
		TAILQ_INSERT_TAIL(&result->fields, entry, link);
	}
	return result;

cleanup:
	/* entry is the unlinked node whose allocation failed. */
	free(entry);
	conf_free_list(result);
	return NULL;
}
832
/*
 * Release a list returned by conf_get_list() or conf_get_tag_list():
 * every node, its field string, and the list itself.  LIST must not be
 * NULL.
 */
void
conf_free_list(struct conf_list *list)
{
	struct conf_list_node *entry;

	while ((entry = TAILQ_FIRST(&list->fields)) != NULL) {
		TAILQ_REMOVE(&list->fields, entry, link);
		free(entry->field);
		free(entry);
	}
	free(list);
}
846
/*
 * Start a new transaction and return its id.  Ids come from a
 * process-wide counter starting at 1, so 0 is never a valid transaction.
 */
int
conf_begin(void)
{
	static int next_id = 0;

	next_id += 1;
	return next_id;
}
854
/*
 * Allocate a transaction node describing operation OP on SECTION/TAG
 * (VALUE for CONF_SET) and append it to conf_trans_queue under
 * TRANSACTION.  NULL strings stay NULL; the others are copied.  Returns 0
 * on success, 1 if memory ran out (nothing is queued in that case).
 */
static int
conf_trans_node(int transaction, enum conf_op op, char *section, char *tag,
    char *value, int override, int is_default)
{
	struct conf_trans *entry = calloc(1, sizeof *entry);

	if (entry == NULL) {
		log_error("conf_trans_node: calloc (1, %lu) failed",
		    (unsigned long)sizeof *entry);
		return 1;
	}
	entry->trans = transaction;
	entry->op = op;
	entry->override = override;
	entry->is_default = is_default;

	/* Copy section, tag, value in that order; stop at the first failure. */
	if ((section != NULL && (entry->section = strdup(section)) == NULL) ||
	    (tag != NULL && (entry->tag = strdup(tag)) == NULL) ||
	    (value != NULL && (entry->value = strdup(value)) == NULL)) {
		free(entry->section);
		free(entry->tag);
		free(entry->value);
		free(entry);
		return 1;
	}
	TAILQ_INSERT_TAIL(&conf_trans_queue, entry, link);
	return 0;
}
887
/*
 * Queue a set operation: in TRANSACTION, bind TAG to VALUE in SECTION.
 * OVERRIDE replaces an existing binding at commit time, IS_DEFAULT marks
 * a generated default (see conf_set_now).  Returns 0 on success, 1 if the
 * node could not be allocated.
 */
int
conf_set(int transaction, char *section, char *tag, char *value, int override,
    int is_default)
{
	const enum conf_op op = CONF_SET;

	return conf_trans_node(transaction, op, section, tag, value,
	    override, is_default);
}
896
/*
 * Queue a remove operation: in TRANSACTION, drop the binding of TAG in
 * SECTION at commit time.  Returns 0 on success, 1 on allocation failure.
 */
int
conf_remove(int transaction, char *section, char *tag)
{
	const enum conf_op op = CONF_REMOVE;

	/* No value, and neither override nor default apply to a removal. */
	return conf_trans_node(transaction, op, section, tag, NULL, 0, 0);
}
904
/*
 * Queue a remove section operation: in TRANSACTION, drop every binding
 * of SECTION at commit time.  Returns 0 on success, 1 on allocation
 * failure.
 */
int
conf_remove_section(int transaction, char *section)
{
	const enum conf_op op = CONF_REMOVE_SECTION;

	/* Tag and value are not meaningful for a whole section. */
	return conf_trans_node(transaction, op, section, NULL, NULL, 0, 0);
}
912
/* Apply one queued operation to the live bindings; results are not checked. */
static void
conf_apply_op(struct conf_trans *op)
{
	switch (op->op) {
	case CONF_SET:
		conf_set_now(op->section, op->tag, op->value, op->override,
		    op->is_default);
		break;
	case CONF_REMOVE:
		conf_remove_now(op->section, op->tag);
		break;
	case CONF_REMOVE_SECTION:
		conf_remove_section_now(op->section);
		break;
	default:
		log_print("conf_end: unknown "
		    "operation: %d", op->op);
	}
}

/*
 * Finish transaction TRANSACTION.  With COMMIT set every queued operation
 * belonging to it is applied to the live bindings in queue order; without
 * COMMIT they are simply discarded (rollback).  In both cases the queued
 * nodes are released.  Operations of other transactions are untouched.
 * Always returns 0.
 */
int
conf_end(int transaction, int commit)
{
	struct conf_trans *cur, *following;

	for (cur = TAILQ_FIRST(&conf_trans_queue); cur != NULL;
	    cur = following) {
		following = TAILQ_NEXT(cur, link);
		if (cur->trans != transaction)
			continue;
		if (commit)
			conf_apply_op(cur);
		TAILQ_REMOVE(&conf_trans_queue, cur, link);
		free(cur->section);
		free(cur->tag);
		free(cur->value);
		free(cur);
	}
	return 0;
}
949
/*
 * Dump running configuration upon SIGUSR1.
 * Configuration is "stored in reverse order", so reverse it again.
 *
 * One line of the report: a tag/value pair (v != NULL, both aliasing the
 * binding), a "[section]" header or "" separator (v == NULL, s != NULL),
 * or an unused trailing node.  Only non-empty header strings are heap
 * allocated; see conf_report() and conf_report_dump().
 */
struct dumper {
	char *s, *v;
	struct dumper *next;
};
958
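/*
 * Emit the report collected by conf_report() and release it.  The chain
 * is built newest-first, so it is reversed in place before printing.
 * Entries with a value print "tag=\tvalue"; entries with only a string
 * print it (section header or blank separator).  Ownership follows
 * conf_report(): tag and value alias the binding, the "" separator is a
 * literal, and only the non-empty header strings were allocated and are
 * freed here.
 */
static void
conf_report_dump(struct dumper *node)
{
	struct dumper *reversed = NULL, *cur;

	/*
	 * Reverse iteratively instead of recursing down the chain: the
	 * recursive form needed one stack frame per configuration entry.
	 */
	while (node != NULL) {
		cur = node;
		node = node->next;
		cur->next = reversed;
		reversed = cur;
	}

	while ((cur = reversed) != NULL) {
		reversed = cur->next;
		if (cur->v)
			LOG_DBG((LOG_REPORT, 0, "%s=\t%s", cur->s, cur->v));
		else if (cur->s) {
			LOG_DBG((LOG_REPORT, 0, "%s", cur->s));
			if (strlen(cur->s) > 0)
				free(cur->s);
		}
		free(cur);
	}
}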
976
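/*
 * Log the running (non-default) configuration grouped by section, in
 * response to SIGUSR1.  Bindings are first collected into a chain of
 * struct dumper, because the hash table yields them in reverse order;
 * conf_report_dump() reverses, prints and frees the chain.
 *
 * Ownership inside the chain: s and v of an entry node alias the
 * binding's tag and value, the "" separator is a string literal, and only
 * the "[section]" headers produced by asprintf() are heap allocated.
 */
void
conf_report(void)
{
	struct conf_binding *cb, *last = NULL;
	unsigned int i;
	char *current_section = NULL;
	struct dumper *dumper, *dnode;

	dumper = dnode = calloc(1, sizeof *dumper);
	if (!dumper)
		goto mem_fail;

	LOG_DBG((LOG_REPORT, 0, "conf_report: dumping running configuration"));

	for (i = 0; i < sizeof conf_bindings / sizeof conf_bindings[0]; i++) {
		LIST_FOREACH(cb, &conf_bindings[i], link) {
			if (cb->is_default)
				continue;
			if (!current_section ||
			    strcmp(cb->section, current_section) != 0) {
				if (current_section) {
					/*
					 * Close the previous section: its
					 * "[name]" header and an empty
					 * separator (output is reversed).
					 */
					if (asprintf(&dnode->s, "[%s]",
					    current_section) == -1) {
						/* Unspecified on failure. */
						dnode->s = NULL;
						goto mem_fail;
					}
					dnode->next = calloc(1, sizeof *dnode);
					dnode = dnode->next;
					if (!dnode)
						goto mem_fail;

					dnode->s = "";
					dnode->next = calloc(1, sizeof *dnode);
					dnode = dnode->next;
					if (!dnode)
						goto mem_fail;
				}
				current_section = cb->section;
			}
			/* Entry node: aliases the binding, nothing is copied. */
			dnode->s = cb->tag;
			dnode->v = cb->value;
			dnode->next = calloc(1, sizeof *dnode);
			dnode = dnode->next;
			if (!dnode)
				goto mem_fail;
			last = cb;
		}
	}

	/*
	 * Header for the final section.  With no entries the single node
	 * stays empty and conf_report_dump() just frees it.
	 */
	if (last && asprintf(&dnode->s, "[%s]", last->section) == -1) {
		dnode->s = NULL;
		goto mem_fail;
	}
	conf_report_dump(dumper);
	return;

mem_fail:
	log_error("conf_report: malloc/calloc failed");
	while ((dnode = dumper) != NULL) {
		dumper = dumper->next;
		/*
		 * Free only the "[section]" headers allocated above.  Entry
		 * nodes (v set) alias the binding's tag and the separator is
		 * a string literal; freeing either would corrupt the live
		 * configuration or abort in free().
		 */
		if (dnode->v == NULL && dnode->s != NULL && dnode->s[0] != '\0')
			free(dnode->s);
		free(dnode);
	}
}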
1042