1 /* $OpenBSD: parse.y,v 1.148 2024/11/04 02:44:28 dlg Exp $ */
2
3 /*
4 * Copyright (c) 2019 Tobias Heider <tobias.heider@stusta.de>
5 * Copyright (c) 2010-2013 Reyk Floeter <reyk@openbsd.org>
6 * Copyright (c) 2004, 2005 Hans-Joerg Hoexer <hshoexer@openbsd.org>
7 * Copyright (c) 2002, 2003, 2004 Henning Brauer <henning@openbsd.org>
8 * Copyright (c) 2001 Markus Friedl. All rights reserved.
9 * Copyright (c) 2001 Daniel Hartmeier. All rights reserved.
10 * Copyright (c) 2001 Theo de Raadt. All rights reserved.
11 *
12 * Permission to use, copy, modify, and distribute this software for any
13 * purpose with or without fee is hereby granted, provided that the above
14 * copyright notice and this permission notice appear in all copies.
15 *
16 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
17 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
18 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
19 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
20 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
21 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
22 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
23 */
24
25 %{
26 #include <sys/types.h>
27 #include <sys/ioctl.h>
28 #include <sys/queue.h>
29 #include <sys/socket.h>
30 #include <sys/stat.h>
31 #include <net/if.h>
32 #include <netinet/in.h>
33 #include <netinet/ip_ipsp.h>
34 #include <arpa/inet.h>
35
36 #include <ctype.h>
37 #include <err.h>
38 #include <errno.h>
39 #include <fcntl.h>
40 #include <ifaddrs.h>
41 #include <inttypes.h>
42 #include <limits.h>
43 #include <netdb.h>
44 #include <radius.h>
45 #include <stdarg.h>
46 #include <stddef.h>
47 #include <stdio.h>
48 #include <stdlib.h>
49 #include <string.h>
50 #include <syslog.h>
51 #include <unistd.h>
52 #include <event.h>
53
54 #include "iked.h"
55 #include "ikev2.h"
56 #include "eap.h"
57
58 TAILQ_HEAD(files, file) files = TAILQ_HEAD_INITIALIZER(files);
59 static struct file {
60 TAILQ_ENTRY(file) entry;
61 FILE *stream;
62 char *name;
63 size_t ungetpos;
64 size_t ungetsize;
65 u_char *ungetbuf;
66 int eof_reached;
67 int lineno;
68 int errors;
69 } *file, *topfile;
70 struct file *pushfile(const char *, int);
71 int popfile(void);
72 int check_file_secrecy(int, const char *);
73 int yyparse(void);
74 int yylex(void);
75 int yyerror(const char *, ...)
76 __attribute__((__format__ (printf, 1, 2)))
77 __attribute__((__nonnull__ (1)));
78 int kw_cmp(const void *, const void *);
79 int lookup(char *);
80 int igetc(void);
81 int lgetc(int);
82 void lungetc(int);
83 int findeol(void);
84
85 TAILQ_HEAD(symhead, sym) symhead = TAILQ_HEAD_INITIALIZER(symhead);
86 struct sym {
87 TAILQ_ENTRY(sym) entry;
88 int used;
89 int persist;
90 char *nam;
91 char *val;
92 };
93 int symset(const char *, const char *, int);
94 char *symget(const char *);
95
96 #define KEYSIZE_LIMIT 1024
97
98 static struct iked *env = NULL;
99 static int debug = 0;
100 static int rules = 0;
101 static int passive = 0;
102 static int decouple = 0;
103 static int mobike = 1;
104 static int enforcesingleikesa = 0;
105 static int stickyaddress = 0;
106 static int fragmentation = 0;
107 static int vendorid = 1;
108 static int dpd_interval = IKED_IKE_SA_ALIVE_TIMEOUT;
109 static char *ocsp_url = NULL;
110 static long ocsp_tolerate = 0;
111 static long ocsp_maxage = -1;
112 static int cert_partial_chain = 0;
113 static struct iked_radopts
114 radauth, radacct;
115
116 struct iked_transform ikev2_default_ike_transforms[] = {
117 { IKEV2_XFORMTYPE_ENCR, IKEV2_XFORMENCR_AES_CBC, 256 },
118 { IKEV2_XFORMTYPE_ENCR, IKEV2_XFORMENCR_AES_CBC, 192 },
119 { IKEV2_XFORMTYPE_ENCR, IKEV2_XFORMENCR_AES_CBC, 128 },
120 { IKEV2_XFORMTYPE_ENCR, IKEV2_XFORMENCR_3DES },
121 { IKEV2_XFORMTYPE_PRF, IKEV2_XFORMPRF_HMAC_SHA2_256 },
122 { IKEV2_XFORMTYPE_PRF, IKEV2_XFORMPRF_HMAC_SHA2_384 },
123 { IKEV2_XFORMTYPE_PRF, IKEV2_XFORMPRF_HMAC_SHA2_512 },
124 { IKEV2_XFORMTYPE_PRF, IKEV2_XFORMPRF_HMAC_SHA1 },
125 { IKEV2_XFORMTYPE_INTEGR, IKEV2_XFORMAUTH_HMAC_SHA2_256_128 },
126 { IKEV2_XFORMTYPE_INTEGR, IKEV2_XFORMAUTH_HMAC_SHA2_384_192 },
127 { IKEV2_XFORMTYPE_INTEGR, IKEV2_XFORMAUTH_HMAC_SHA2_512_256 },
128 { IKEV2_XFORMTYPE_INTEGR, IKEV2_XFORMAUTH_HMAC_SHA1_96 },
129 { IKEV2_XFORMTYPE_DH, IKEV2_XFORMDH_CURVE25519 },
130 { IKEV2_XFORMTYPE_DH, IKEV2_XFORMDH_ECP_521 },
131 { IKEV2_XFORMTYPE_DH, IKEV2_XFORMDH_ECP_384 },
132 { IKEV2_XFORMTYPE_DH, IKEV2_XFORMDH_ECP_256 },
133 { IKEV2_XFORMTYPE_DH, IKEV2_XFORMDH_MODP_4096 },
134 { IKEV2_XFORMTYPE_DH, IKEV2_XFORMDH_MODP_3072 },
135 { IKEV2_XFORMTYPE_DH, IKEV2_XFORMDH_MODP_2048 },
136 { IKEV2_XFORMTYPE_DH, IKEV2_XFORMDH_MODP_1536 },
137 { IKEV2_XFORMTYPE_DH, IKEV2_XFORMDH_MODP_1024 },
138 { 0 }
139 };
140 size_t ikev2_default_nike_transforms = ((sizeof(ikev2_default_ike_transforms) /
141 sizeof(ikev2_default_ike_transforms[0])) - 1);
142
143 struct iked_transform ikev2_default_ike_transforms_noauth[] = {
144 { IKEV2_XFORMTYPE_ENCR, IKEV2_XFORMENCR_AES_GCM_16, 128 },
145 { IKEV2_XFORMTYPE_ENCR, IKEV2_XFORMENCR_AES_GCM_16, 256 },
146 { IKEV2_XFORMTYPE_PRF, IKEV2_XFORMPRF_HMAC_SHA2_256 },
147 { IKEV2_XFORMTYPE_PRF, IKEV2_XFORMPRF_HMAC_SHA2_384 },
148 { IKEV2_XFORMTYPE_PRF, IKEV2_XFORMPRF_HMAC_SHA2_512 },
149 { IKEV2_XFORMTYPE_PRF, IKEV2_XFORMPRF_HMAC_SHA1 },
150 { IKEV2_XFORMTYPE_DH, IKEV2_XFORMDH_CURVE25519 },
151 { IKEV2_XFORMTYPE_DH, IKEV2_XFORMDH_ECP_521 },
152 { IKEV2_XFORMTYPE_DH, IKEV2_XFORMDH_ECP_384 },
153 { IKEV2_XFORMTYPE_DH, IKEV2_XFORMDH_ECP_256 },
154 { IKEV2_XFORMTYPE_DH, IKEV2_XFORMDH_MODP_4096 },
155 { IKEV2_XFORMTYPE_DH, IKEV2_XFORMDH_MODP_3072 },
156 { IKEV2_XFORMTYPE_DH, IKEV2_XFORMDH_MODP_2048 },
157 { IKEV2_XFORMTYPE_DH, IKEV2_XFORMDH_MODP_1536 },
158 { IKEV2_XFORMTYPE_DH, IKEV2_XFORMDH_MODP_1024 },
159 { 0 }
160 };
161 size_t ikev2_default_nike_transforms_noauth =
162 ((sizeof(ikev2_default_ike_transforms_noauth) /
163 sizeof(ikev2_default_ike_transforms_noauth[0])) - 1);
164
165 struct iked_transform ikev2_default_esp_transforms[] = {
166 { IKEV2_XFORMTYPE_ENCR, IKEV2_XFORMENCR_AES_CBC, 256 },
167 { IKEV2_XFORMTYPE_ENCR, IKEV2_XFORMENCR_AES_CBC, 192 },
168 { IKEV2_XFORMTYPE_ENCR, IKEV2_XFORMENCR_AES_CBC, 128 },
169 { IKEV2_XFORMTYPE_INTEGR, IKEV2_XFORMAUTH_HMAC_SHA2_256_128 },
170 { IKEV2_XFORMTYPE_INTEGR, IKEV2_XFORMAUTH_HMAC_SHA2_384_192 },
171 { IKEV2_XFORMTYPE_INTEGR, IKEV2_XFORMAUTH_HMAC_SHA2_512_256 },
172 { IKEV2_XFORMTYPE_INTEGR, IKEV2_XFORMAUTH_HMAC_SHA1_96 },
173 { IKEV2_XFORMTYPE_DH, IKEV2_XFORMDH_NONE },
174 { IKEV2_XFORMTYPE_ESN, IKEV2_XFORMESN_ESN },
175 { IKEV2_XFORMTYPE_ESN, IKEV2_XFORMESN_NONE },
176 { 0 }
177 };
178 size_t ikev2_default_nesp_transforms = ((sizeof(ikev2_default_esp_transforms) /
179 sizeof(ikev2_default_esp_transforms[0])) - 1);
180
181 struct iked_transform ikev2_default_esp_transforms_noauth[] = {
182 { IKEV2_XFORMTYPE_ENCR, IKEV2_XFORMENCR_AES_GCM_16, 128 },
183 { IKEV2_XFORMTYPE_ENCR, IKEV2_XFORMENCR_AES_GCM_16, 256 },
184 { IKEV2_XFORMTYPE_DH, IKEV2_XFORMDH_NONE },
185 { IKEV2_XFORMTYPE_ESN, IKEV2_XFORMESN_ESN },
186 { IKEV2_XFORMTYPE_ESN, IKEV2_XFORMESN_NONE },
187 { 0 }
188 };
189 size_t ikev2_default_nesp_transforms_noauth =
190 ((sizeof(ikev2_default_esp_transforms_noauth) /
191 sizeof(ikev2_default_esp_transforms_noauth[0])) - 1);
192
193 const struct ipsec_xf authxfs[] = {
194 { "hmac-md5", IKEV2_XFORMAUTH_HMAC_MD5_96, 16 },
195 { "hmac-sha1", IKEV2_XFORMAUTH_HMAC_SHA1_96, 20 },
196 { "hmac-sha2-256", IKEV2_XFORMAUTH_HMAC_SHA2_256_128, 32 },
197 { "hmac-sha2-384", IKEV2_XFORMAUTH_HMAC_SHA2_384_192, 48 },
198 { "hmac-sha2-512", IKEV2_XFORMAUTH_HMAC_SHA2_512_256, 64 },
199 { NULL }
200 };
201
202 const struct ipsec_xf prfxfs[] = {
203 { "hmac-md5", IKEV2_XFORMPRF_HMAC_MD5, 16 },
204 { "hmac-sha1", IKEV2_XFORMPRF_HMAC_SHA1, 20 },
205 { "hmac-sha2-256", IKEV2_XFORMPRF_HMAC_SHA2_256, 32 },
206 { "hmac-sha2-384", IKEV2_XFORMPRF_HMAC_SHA2_384, 48 },
207 { "hmac-sha2-512", IKEV2_XFORMPRF_HMAC_SHA2_512, 64 },
208 { NULL }
209 };
210
211 const struct ipsec_xf *encxfs = NULL;
212
213 const struct ipsec_xf ikeencxfs[] = {
214 { "3des", IKEV2_XFORMENCR_3DES, 24 },
215 { "3des-cbc", IKEV2_XFORMENCR_3DES, 24 },
216 { "aes-128", IKEV2_XFORMENCR_AES_CBC, 16, 16 },
217 { "aes-192", IKEV2_XFORMENCR_AES_CBC, 24, 24 },
218 { "aes-256", IKEV2_XFORMENCR_AES_CBC, 32, 32 },
219 { "aes-128-gcm", IKEV2_XFORMENCR_AES_GCM_16, 16, 16, 4, 1 },
220 { "aes-256-gcm", IKEV2_XFORMENCR_AES_GCM_16, 32, 32, 4, 1 },
221 { "aes-128-gcm-12", IKEV2_XFORMENCR_AES_GCM_12, 16, 16, 4, 1 },
222 { "aes-256-gcm-12", IKEV2_XFORMENCR_AES_GCM_12, 32, 32, 4, 1 },
223 { NULL }
224 };
225
226 const struct ipsec_xf ipsecencxfs[] = {
227 { "3des", IKEV2_XFORMENCR_3DES, 24 },
228 { "3des-cbc", IKEV2_XFORMENCR_3DES, 24 },
229 { "aes-128", IKEV2_XFORMENCR_AES_CBC, 16, 16 },
230 { "aes-192", IKEV2_XFORMENCR_AES_CBC, 24, 24 },
231 { "aes-256", IKEV2_XFORMENCR_AES_CBC, 32, 32 },
232 { "aes-128-ctr", IKEV2_XFORMENCR_AES_CTR, 16, 16, 4 },
233 { "aes-192-ctr", IKEV2_XFORMENCR_AES_CTR, 24, 24, 4 },
234 { "aes-256-ctr", IKEV2_XFORMENCR_AES_CTR, 32, 32, 4 },
235 { "aes-128-gcm", IKEV2_XFORMENCR_AES_GCM_16, 16, 16, 4, 1 },
236 { "aes-192-gcm", IKEV2_XFORMENCR_AES_GCM_16, 24, 24, 4, 1 },
237 { "aes-256-gcm", IKEV2_XFORMENCR_AES_GCM_16, 32, 32, 4, 1 },
238 { "aes-128-gmac", IKEV2_XFORMENCR_NULL_AES_GMAC, 16, 16, 4, 1 },
239 { "aes-192-gmac", IKEV2_XFORMENCR_NULL_AES_GMAC, 24, 24, 4, 1 },
240 { "aes-256-gmac", IKEV2_XFORMENCR_NULL_AES_GMAC, 32, 32, 4, 1 },
241 { "blowfish", IKEV2_XFORMENCR_BLOWFISH, 20, 20 },
242 { "cast", IKEV2_XFORMENCR_CAST, 16, 16 },
243 { "chacha20-poly1305", IKEV2_XFORMENCR_CHACHA20_POLY1305,
244 32, 32, 4, 1 },
245 { "null", IKEV2_XFORMENCR_NULL, 0, 0 },
246 { NULL }
247 };
248
249 const struct ipsec_xf groupxfs[] = {
250 { "none", IKEV2_XFORMDH_NONE },
251 { "modp768", IKEV2_XFORMDH_MODP_768 },
252 { "grp1", IKEV2_XFORMDH_MODP_768 },
253 { "modp1024", IKEV2_XFORMDH_MODP_1024 },
254 { "grp2", IKEV2_XFORMDH_MODP_1024 },
255 { "modp1536", IKEV2_XFORMDH_MODP_1536 },
256 { "grp5", IKEV2_XFORMDH_MODP_1536 },
257 { "modp2048", IKEV2_XFORMDH_MODP_2048 },
258 { "grp14", IKEV2_XFORMDH_MODP_2048 },
259 { "modp3072", IKEV2_XFORMDH_MODP_3072 },
260 { "grp15", IKEV2_XFORMDH_MODP_3072 },
261 { "modp4096", IKEV2_XFORMDH_MODP_4096 },
262 { "grp16", IKEV2_XFORMDH_MODP_4096 },
263 { "modp6144", IKEV2_XFORMDH_MODP_6144 },
264 { "grp17", IKEV2_XFORMDH_MODP_6144 },
265 { "modp8192", IKEV2_XFORMDH_MODP_8192 },
266 { "grp18", IKEV2_XFORMDH_MODP_8192 },
267 { "ecp256", IKEV2_XFORMDH_ECP_256 },
268 { "grp19", IKEV2_XFORMDH_ECP_256 },
269 { "ecp384", IKEV2_XFORMDH_ECP_384 },
270 { "grp20", IKEV2_XFORMDH_ECP_384 },
271 { "ecp521", IKEV2_XFORMDH_ECP_521 },
272 { "grp21", IKEV2_XFORMDH_ECP_521 },
273 { "ecp192", IKEV2_XFORMDH_ECP_192 },
274 { "grp25", IKEV2_XFORMDH_ECP_192 },
275 { "ecp224", IKEV2_XFORMDH_ECP_224 },
276 { "grp26", IKEV2_XFORMDH_ECP_224 },
277 { "brainpool224", IKEV2_XFORMDH_BRAINPOOL_P224R1 },
278 { "grp27", IKEV2_XFORMDH_BRAINPOOL_P224R1 },
279 { "brainpool256", IKEV2_XFORMDH_BRAINPOOL_P256R1 },
280 { "grp28", IKEV2_XFORMDH_BRAINPOOL_P256R1 },
281 { "brainpool384", IKEV2_XFORMDH_BRAINPOOL_P384R1 },
282 { "grp29", IKEV2_XFORMDH_BRAINPOOL_P384R1 },
283 { "brainpool512", IKEV2_XFORMDH_BRAINPOOL_P512R1 },
284 { "grp30", IKEV2_XFORMDH_BRAINPOOL_P512R1 },
285 { "curve25519", IKEV2_XFORMDH_CURVE25519 },
286 { "grp31", IKEV2_XFORMDH_CURVE25519 },
287 { "sntrup761x25519", IKEV2_XFORMDH_X_SNTRUP761X25519 },
288 { NULL }
289 };
290
291 const struct ipsec_xf esnxfs[] = {
292 { "esn", IKEV2_XFORMESN_ESN },
293 { "noesn", IKEV2_XFORMESN_NONE },
294 { NULL }
295 };
296
297 const struct ipsec_xf methodxfs[] = {
298 { "none", IKEV2_AUTH_NONE },
299 { "rsa", IKEV2_AUTH_RSA_SIG },
300 { "ecdsa256", IKEV2_AUTH_ECDSA_256 },
301 { "ecdsa384", IKEV2_AUTH_ECDSA_384 },
302 { "ecdsa521", IKEV2_AUTH_ECDSA_521 },
303 { "rfc7427", IKEV2_AUTH_SIG },
304 { "signature", IKEV2_AUTH_SIG_ANY },
305 { NULL }
306 };
307
308 const struct ipsec_xf saxfs[] = {
309 { "esp", IKEV2_SAPROTO_ESP },
310 { "ah", IKEV2_SAPROTO_AH },
311 { NULL }
312 };
313
314 const struct ipsec_xf cpxfs[] = {
315 { "address", IKEV2_CFG_INTERNAL_IP4_ADDRESS, AF_INET },
316 { "netmask", IKEV2_CFG_INTERNAL_IP4_NETMASK, AF_INET },
317 { "name-server", IKEV2_CFG_INTERNAL_IP4_DNS, AF_INET },
318 { "netbios-server", IKEV2_CFG_INTERNAL_IP4_NBNS, AF_INET },
319 { "dhcp-server", IKEV2_CFG_INTERNAL_IP4_DHCP, AF_INET },
320 { "address", IKEV2_CFG_INTERNAL_IP6_ADDRESS, AF_INET6 },
321 { "name-server", IKEV2_CFG_INTERNAL_IP6_DNS, AF_INET6 },
322 { "netbios-server", IKEV2_CFG_INTERNAL_IP6_NBNS, AF_INET6 },
323 { "dhcp-server", IKEV2_CFG_INTERNAL_IP6_DHCP, AF_INET6 },
324 { "protected-subnet", IKEV2_CFG_INTERNAL_IP4_SUBNET, AF_INET },
325 { "protected-subnet", IKEV2_CFG_INTERNAL_IP6_SUBNET, AF_INET6 },
326 { "access-server", IKEV2_CFG_INTERNAL_IP4_SERVER, AF_INET },
327 { "access-server", IKEV2_CFG_INTERNAL_IP6_SERVER, AF_INET6 },
328 { NULL }
329 };
330
331 const struct iked_lifetime deflifetime = {
332 IKED_LIFETIME_BYTES,
333 IKED_LIFETIME_SECONDS
334 };
335
336 #define IPSEC_ADDR_ANY (0x1)
337 #define IPSEC_ADDR_DYNAMIC (0x2)
338
339 struct ipsec_addr_wrap {
340 struct sockaddr_storage address;
341 uint8_t mask;
342 int netaddress;
343 sa_family_t af;
344 unsigned int type;
345 unsigned int action;
346 uint16_t port;
347 char *name;
348 struct ipsec_addr_wrap *next;
349 struct ipsec_addr_wrap *tail;
350 struct ipsec_addr_wrap *srcnat;
351 };
352
353 struct ipsec_hosts {
354 struct ipsec_addr_wrap *src;
355 struct ipsec_addr_wrap *dst;
356 };
357
358 struct ipsec_filters {
359 char *tag;
360 unsigned int tap;
361 };
362
363 void copy_sockaddrtoipa(struct ipsec_addr_wrap *,
364 struct sockaddr *);
365 struct ipsec_addr_wrap *host(const char *);
366 struct ipsec_addr_wrap *host_ip(const char *, int);
367 struct ipsec_addr_wrap *host_dns(const char *, int);
368 struct ipsec_addr_wrap *host_if(const char *, int);
369 struct ipsec_addr_wrap *host_any(void);
370 struct ipsec_addr_wrap *host_dynamic(void);
371 void ifa_load(void);
372 int ifa_exists(const char *);
373 struct ipsec_addr_wrap *ifa_lookup(const char *ifa_name);
374 struct ipsec_addr_wrap *ifa_grouplookup(const char *);
375 void set_ipmask(struct ipsec_addr_wrap *, int);
376 const struct ipsec_xf *parse_xf(const char *, unsigned int,
377 const struct ipsec_xf *);
378 void copy_transforms(unsigned int,
379 const struct ipsec_xf **, unsigned int,
380 struct iked_transform **, unsigned int *,
381 struct iked_transform *, size_t);
382 int create_ike(char *, int, struct ipsec_addr_wrap *,
383 int, struct ipsec_hosts *,
384 struct ipsec_hosts *, struct ipsec_mode *,
385 struct ipsec_mode *, uint8_t,
386 unsigned int, char *, char *,
387 uint32_t, struct iked_lifetime *,
388 struct iked_auth *, struct ipsec_filters *,
389 struct ipsec_addr_wrap *, char *);
390 int create_user(const char *, const char *);
391 int get_id_type(char *);
392 uint8_t x2i(unsigned char *);
393 int parsekey(unsigned char *, size_t, struct iked_auth *);
394 int parsekeyfile(char *, struct iked_auth *);
395 void iaw_free(struct ipsec_addr_wrap *);
396 static int create_flow(struct iked_policy *pol, int, struct ipsec_addr_wrap *ipa,
397 struct ipsec_addr_wrap *ipb);
398 static int expand_flows(struct iked_policy *, int, struct ipsec_addr_wrap *,
399 struct ipsec_addr_wrap *);
400 static struct ipsec_addr_wrap *
401 expand_keyword(struct ipsec_addr_wrap *);
402 struct iked_radserver *
403 create_radserver(const char *, u_short, const char *);
404
405 struct ipsec_transforms *ipsec_transforms;
406 struct ipsec_filters *ipsec_filters;
407 struct ipsec_mode *ipsec_mode;
408 /* interface lookup routintes */
409 struct ipsec_addr_wrap *iftab;
410
411 typedef struct {
412 union {
413 int64_t number;
414 unsigned int ikemode;
415 uint8_t dir;
416 uint8_t satype;
417 uint8_t accounting;
418 char *string;
419 uint16_t port;
420 struct ipsec_hosts *hosts;
421 struct ipsec_hosts peers;
422 struct ipsec_addr_wrap *anyhost;
423 struct ipsec_addr_wrap *host;
424 struct ipsec_addr_wrap *cfg;
425 struct ipsec_addr_wrap *proto;
426 struct {
427 char *srcid;
428 char *dstid;
429 } ids;
430 char *id;
431 uint8_t type;
432 struct iked_lifetime lifetime;
433 struct iked_auth ikeauth;
434 struct iked_auth ikekey;
435 struct ipsec_transforms *transforms;
436 struct ipsec_filters *filters;
437 struct ipsec_mode *mode;
438 struct {
439 uint32_t vendorid;
440 uint8_t attrtype;
441 } radattr;
442 } v;
443 int lineno;
444 } YYSTYPE;
445
446 %}
447
448 %token FROM ESP AH IN PEER ON OUT TO SRCID DSTID PSK PORT
449 %token FILENAME AUTHXF PRFXF ENCXF ERROR IKEV2 IKESA CHILDSA ESN NOESN
450 %token PASSIVE ACTIVE ANY TAG TAP PROTO LOCAL GROUP NAME CONFIG EAP USER
451 %token IKEV1 FLOW SA TCPMD5 TUNNEL TRANSPORT COUPLE DECOUPLE SET
452 %token INCLUDE LIFETIME BYTES INET INET6 QUICK SKIP DEFAULT
453 %token IPCOMP OCSP IKELIFETIME MOBIKE NOMOBIKE RDOMAIN
454 %token FRAGMENTATION NOFRAGMENTATION DPD_CHECK_INTERVAL
455 %token ENFORCESINGLEIKESA NOENFORCESINGLEIKESA
456 %token STICKYADDRESS NOSTICKYADDRESS
457 %token VENDORID NOVENDORID
458 %token TOLERATE MAXAGE DYNAMIC
459 %token CERTPARTIALCHAIN
460 %token REQUEST IFACE
461 %token RADIUS ACCOUNTING SERVER SECRET MAX_TRIES MAX_FAILOVERS
462 %token CLIENT DAE LISTEN ON NATT
463 %token <v.string> STRING
464 %token <v.number> NUMBER
465 %type <v.string> string
466 %type <v.satype> satype
467 %type <v.proto> proto proto_list protoval
468 %type <v.hosts> hosts hosts_list
469 %type <v.port> port
470 %type <v.number> portval af rdomain hexdecnumber
471 %type <v.peers> peers
472 %type <v.anyhost> anyhost
473 %type <v.host> host host_spec
474 %type <v.ids> ids
475 %type <v.id> id
476 %type <v.transforms> transforms
477 %type <v.filters> filters
478 %type <v.ikemode> ikeflags
479 %type <v.ikemode> ikematch ikemode ipcomp tmode natt_force
480 %type <v.ikeauth> ikeauth
481 %type <v.ikekey> keyspec
482 %type <v.mode> ike_sas child_sas
483 %type <v.lifetime> lifetime
484 %type <v.number> byte_spec time_spec ikelifetime
485 %type <v.string> name iface
486 %type <v.cfg> cfg ikecfg ikecfgvals
487 %type <v.string> transform_esn
488 %type <v.accounting> accounting
489 %type <v.radattr> radattr
490 %%
491
492 grammar : /* empty */
493 | grammar include '\n'
494 | grammar '\n'
495 | grammar set '\n'
496 | grammar user '\n'
497 | grammar ikev2rule '\n'
498 | grammar radius '\n'
499 | grammar varset '\n'
500 | grammar otherrule skipline '\n'
501 | grammar error '\n' { file->errors++; }
502 ;
503
504 comma : ','
505 | /* empty */
506 ;
507
508 include : INCLUDE STRING {
509 struct file *nfile;
510
511 if ((nfile = pushfile($2, 1)) == NULL) {
512 yyerror("failed to include file %s", $2);
513 free($2);
514 YYERROR;
515 }
516 free($2);
517
518 file = nfile;
519 lungetc('\n');
520 }
521 ;
522
523 set : SET ACTIVE { passive = 0; }
524 | SET PASSIVE { passive = 1; }
525 | SET COUPLE { decouple = 0; }
526 | SET DECOUPLE { decouple = 1; }
527 | SET FRAGMENTATION { fragmentation = 1; }
528 | SET NOFRAGMENTATION { fragmentation = 0; }
529 | SET MOBIKE { mobike = 1; }
530 | SET NOMOBIKE { mobike = 0; }
531 | SET VENDORID { vendorid = 1; }
532 | SET NOVENDORID { vendorid = 0; }
533 | SET ENFORCESINGLEIKESA { enforcesingleikesa = 1; }
534 | SET NOENFORCESINGLEIKESA { enforcesingleikesa = 0; }
535 | SET STICKYADDRESS { stickyaddress = 1; }
536 | SET NOSTICKYADDRESS { stickyaddress = 0; }
537 | SET OCSP STRING {
538 ocsp_url = $3;
539 }
540 | SET OCSP STRING TOLERATE time_spec {
541 ocsp_url = $3;
542 ocsp_tolerate = $5;
543 }
544 | SET OCSP STRING TOLERATE time_spec MAXAGE time_spec {
545 ocsp_url = $3;
546 ocsp_tolerate = $5;
547 ocsp_maxage = $7;
548 }
549 | SET CERTPARTIALCHAIN {
550 cert_partial_chain = 1;
551 }
552 | SET DPD_CHECK_INTERVAL NUMBER {
553 if ($3 < 0) {
554 yyerror("timeout outside range");
555 YYERROR;
556 }
557 dpd_interval = $3;
558 }
559 ;
560
561 user : USER STRING STRING {
562 if (create_user($2, $3) == -1)
563 YYERROR;
564 free($2);
565 freezero($3, strlen($3));
566 }
567 ;
568
569 ikev2rule : IKEV2 name ikeflags satype af proto rdomain hosts_list peers
570 ike_sas child_sas ids ikelifetime lifetime ikeauth ikecfg
571 iface filters {
572 if (create_ike($2, $5, $6, $7, $8, &$9, $10, $11, $4,
573 $3, $12.srcid, $12.dstid, $13, &$14, &$15,
574 $18, $16, $17) == -1) {
575 yyerror("create_ike failed");
576 YYERROR;
577 }
578 }
579 ;
580
581 ikecfg : /* empty */ { $$ = NULL; }
582 | ikecfgvals { $$ = $1; }
583 ;
584
585 ikecfgvals : cfg { $$ = $1; }
586 | ikecfgvals cfg {
587 if ($2 == NULL)
588 $$ = $1;
589 else if ($1 == NULL)
590 $$ = $2;
591 else {
592 $1->tail->next = $2;
593 $1->tail = $2->tail;
594 $$ = $1;
595 }
596 }
597 ;
598
599 cfg : CONFIG STRING host_spec {
600 const struct ipsec_xf *xf;
601
602 if ((xf = parse_xf($2, $3->af, cpxfs)) == NULL) {
603 yyerror("not a valid ikecfg option");
604 free($2);
605 free($3);
606 YYERROR;
607 }
608 free($2);
609 $$ = $3;
610 $$->type = xf->id;
611 $$->action = IKEV2_CP_REPLY; /* XXX */
612 }
613 | REQUEST STRING anyhost {
614 const struct ipsec_xf *xf;
615
616 if ((xf = parse_xf($2, $3->af, cpxfs)) == NULL) {
617 yyerror("not a valid ikecfg option");
618 free($2);
619 free($3);
620 YYERROR;
621 }
622 free($2);
623 $$ = $3;
624 $$->type = xf->id;
625 $$->action = IKEV2_CP_REQUEST; /* XXX */
626 }
627 ;
628
629 name : /* empty */ { $$ = NULL; }
630 | STRING {
631 $$ = $1;
632 }
633
634 satype : /* empty */ { $$ = IKEV2_SAPROTO_ESP; }
635 | ESP { $$ = IKEV2_SAPROTO_ESP; }
636 | AH { $$ = IKEV2_SAPROTO_AH; }
637 ;
638
639 af : /* empty */ { $$ = AF_UNSPEC; }
640 | INET { $$ = AF_INET; }
641 | INET6 { $$ = AF_INET6; }
642 ;
643
644 proto : /* empty */ { $$ = NULL; }
645 | PROTO protoval { $$ = $2; }
646 | PROTO '{' proto_list '}' { $$ = $3; }
647 ;
648
649 proto_list : protoval { $$ = $1; }
650 | proto_list comma protoval {
651 if ($3 == NULL)
652 $$ = $1;
653 else if ($1 == NULL)
654 $$ = $3;
655 else {
656 $1->tail->next = $3;
657 $1->tail = $3->tail;
658 $$ = $1;
659 }
660 }
661 ;
662
663 protoval : STRING {
664 struct protoent *p;
665
666 p = getprotobyname($1);
667 if (p == NULL) {
668 yyerror("unknown protocol: %s", $1);
669 YYERROR;
670 }
671
672 if (($$ = calloc(1, sizeof(*$$))) == NULL)
673 err(1, "protoval: calloc");
674
675 $$->type = p->p_proto;
676 $$->tail = $$;
677 free($1);
678 }
679 | NUMBER {
680 if ($1 > 255 || $1 < 0) {
681 yyerror("protocol outside range");
682 YYERROR;
683 }
684 if (($$ = calloc(1, sizeof(*$$))) == NULL)
685 err(1, "protoval: calloc");
686
687 $$->type = $1;
688 $$->tail = $$;
689 }
690 ;
691
692 rdomain : /* empty */ { $$ = -1; }
693 | RDOMAIN NUMBER {
694 if ($2 > 255 || $2 < 0) {
695 yyerror("rdomain outside range");
696 YYERROR;
697 }
698 $$ = $2;
699 }
700
701 hosts_list : hosts { $$ = $1; }
702 | hosts_list comma hosts {
703 if ($3 == NULL)
704 $$ = $1;
705 else if ($1 == NULL)
706 $$ = $3;
707 else {
708 $1->src->tail->next = $3->src;
709 $1->src->tail = $3->src->tail;
710 $1->dst->tail->next = $3->dst;
711 $1->dst->tail = $3->dst->tail;
712 $$ = $1;
713 free($3);
714 }
715 }
716 ;
717
718 hosts : FROM host port TO host port {
719 struct ipsec_addr_wrap *ipa;
720 for (ipa = $5; ipa; ipa = ipa->next) {
721 if (ipa->srcnat) {
722 yyerror("no flow NAT support for"
723 " destination network: %s",
724 ipa->name);
725 YYERROR;
726 }
727 }
728
729 if (($$ = calloc(1, sizeof(*$$))) == NULL)
730 err(1, "hosts: calloc");
731
732 $$->src = $2;
733 $$->src->port = $3;
734 $$->dst = $5;
735 $$->dst->port = $6;
736 }
737 | TO host port FROM host port {
738 struct ipsec_addr_wrap *ipa;
739 for (ipa = $2; ipa; ipa = ipa->next) {
740 if (ipa->srcnat) {
741 yyerror("no flow NAT support for"
742 " destination network: %s",
743 ipa->name);
744 YYERROR;
745 }
746 }
747 if (($$ = calloc(1, sizeof(*$$))) == NULL)
748 err(1, "hosts: calloc");
749
750 $$->src = $5;
751 $$->src->port = $6;
752 $$->dst = $2;
753 $$->dst->port = $3;
754 }
755 ;
756
757 port : /* empty */ { $$ = 0; }
758 | PORT portval { $$ = $2; }
759 ;
760
761 portval : STRING {
762 struct servent *s;
763
764 if ((s = getservbyname($1, "tcp")) != NULL ||
765 (s = getservbyname($1, "udp")) != NULL) {
766 $$ = s->s_port;
767 } else {
768 yyerror("unknown port: %s", $1);
769 YYERROR;
770 }
771 free($1);
772 }
773 | NUMBER {
774 if ($1 > USHRT_MAX || $1 < 0) {
775 yyerror("port outside range");
776 YYERROR;
777 }
778 $$ = htons($1);
779 }
780 ;
781
782 peers : /* empty */ {
783 $$.dst = NULL;
784 $$.src = NULL;
785 }
786 | PEER anyhost LOCAL anyhost {
787 $$.dst = $2;
788 $$.src = $4;
789 }
790 | LOCAL anyhost PEER anyhost {
791 $$.dst = $4;
792 $$.src = $2;
793 }
794 | PEER anyhost {
795 $$.dst = $2;
796 $$.src = NULL;
797 }
798 | LOCAL anyhost {
799 $$.dst = NULL;
800 $$.src = $2;
801 }
802 ;
803
804 anyhost : host_spec { $$ = $1; }
805 | ANY {
806 $$ = host_any();
807 }
808
809 host_spec : STRING {
810 if (($$ = host($1)) == NULL) {
811 free($1);
812 yyerror("could not parse host specification");
813 YYERROR;
814 }
815 free($1);
816 }
817 | STRING '/' NUMBER {
818 char *buf;
819
820 if (asprintf(&buf, "%s/%lld", $1, $3) == -1)
821 err(1, "host: asprintf");
822 free($1);
823 if (($$ = host(buf)) == NULL) {
824 free(buf);
825 yyerror("could not parse host specification");
826 YYERROR;
827 }
828 free(buf);
829 }
830 ;
831
832 host : host_spec { $$ = $1; }
833 | host_spec '(' host_spec ')' {
834 if (($1->af != AF_UNSPEC) && ($3->af != AF_UNSPEC) &&
835 ($3->af != $1->af)) {
836 yyerror("Flow NAT address family mismatch");
837 YYERROR;
838 }
839 $$ = $1;
840 $$->srcnat = $3;
841 }
842 | ANY {
843 $$ = host_any();
844 }
845 | DYNAMIC {
846 $$ = host_dynamic();
847 }
848 ;
849
850 ids : /* empty */ {
851 $$.srcid = NULL;
852 $$.dstid = NULL;
853 }
854 | SRCID id DSTID id {
855 $$.srcid = $2;
856 $$.dstid = $4;
857 }
858 | SRCID id {
859 $$.srcid = $2;
860 $$.dstid = NULL;
861 }
862 | DSTID id {
863 $$.srcid = NULL;
864 $$.dstid = $2;
865 }
866 ;
867
868 id : STRING { $$ = $1; }
869 ;
870
871 transforms : {
872 if ((ipsec_transforms = calloc(1,
873 sizeof(struct ipsec_transforms))) == NULL)
874 err(1, "transforms: calloc");
875 }
876 transforms_l {
877 $$ = ipsec_transforms;
878 }
879 | /* empty */ {
880 $$ = NULL;
881 }
882 ;
883
884 transforms_l : transforms_l transform
885 | transform
886 ;
887
888 transform : AUTHXF STRING {
889 const struct ipsec_xf **xfs = ipsec_transforms->authxf;
890 size_t nxfs = ipsec_transforms->nauthxf;
891 xfs = recallocarray(xfs, nxfs, nxfs + 1,
892 sizeof(struct ipsec_xf *));
893 if (xfs == NULL)
894 err(1, "transform: recallocarray");
895 if ((xfs[nxfs] = parse_xf($2, 0, authxfs)) == NULL) {
896 yyerror("%s not a valid transform", $2);
897 YYERROR;
898 }
899 free($2);
900 ipsec_transforms->authxf = xfs;
901 ipsec_transforms->nauthxf++;
902 }
903 | ENCXF STRING {
904 const struct ipsec_xf **xfs = ipsec_transforms->encxf;
905 size_t nxfs = ipsec_transforms->nencxf;
906 xfs = recallocarray(xfs, nxfs, nxfs + 1,
907 sizeof(struct ipsec_xf *));
908 if (xfs == NULL)
909 err(1, "transform: recallocarray");
910 if ((xfs[nxfs] = parse_xf($2, 0, encxfs)) == NULL) {
911 yyerror("%s not a valid transform", $2);
912 YYERROR;
913 }
914 free($2);
915 ipsec_transforms->encxf = xfs;
916 ipsec_transforms->nencxf++;
917 }
918 | PRFXF STRING {
919 const struct ipsec_xf **xfs = ipsec_transforms->prfxf;
920 size_t nxfs = ipsec_transforms->nprfxf;
921 xfs = recallocarray(xfs, nxfs, nxfs + 1,
922 sizeof(struct ipsec_xf *));
923 if (xfs == NULL)
924 err(1, "transform: recallocarray");
925 if ((xfs[nxfs] = parse_xf($2, 0, prfxfs)) == NULL) {
926 yyerror("%s not a valid transform", $2);
927 YYERROR;
928 }
929 free($2);
930 ipsec_transforms->prfxf = xfs;
931 ipsec_transforms->nprfxf++;
932 }
933 | GROUP STRING {
934 const struct ipsec_xf **xfs = ipsec_transforms->groupxf;
935 size_t nxfs = ipsec_transforms->ngroupxf;
936 xfs = recallocarray(xfs, nxfs, nxfs + 1,
937 sizeof(struct ipsec_xf *));
938 if (xfs == NULL)
939 err(1, "transform: recallocarray");
940 if ((xfs[nxfs] = parse_xf($2, 0, groupxfs)) == NULL) {
941 yyerror("%s not a valid transform", $2);
942 YYERROR;
943 }
944 free($2);
945 ipsec_transforms->groupxf = xfs;
946 ipsec_transforms->ngroupxf++;
947 }
948 | transform_esn {
949 const struct ipsec_xf **xfs = ipsec_transforms->esnxf;
950 size_t nxfs = ipsec_transforms->nesnxf;
951 xfs = recallocarray(xfs, nxfs, nxfs + 1,
952 sizeof(struct ipsec_xf *));
953 if (xfs == NULL)
954 err(1, "transform: recallocarray");
955 if ((xfs[nxfs] = parse_xf($1, 0, esnxfs)) == NULL) {
956 yyerror("%s not a valid transform", $1);
957 YYERROR;
958 }
959 ipsec_transforms->esnxf = xfs;
960 ipsec_transforms->nesnxf++;
961 }
962 ;
963
964 transform_esn : ESN { $$ = "esn"; }
965 | NOESN { $$ = "noesn"; }
966 ;
967
968 ike_sas : {
969 if ((ipsec_mode = calloc(1,
970 sizeof(struct ipsec_mode))) == NULL)
971 err(1, "ike_sas: calloc");
972 }
973 ike_sas_l {
974 $$ = ipsec_mode;
975 }
976 | /* empty */ {
977 $$ = NULL;
978 }
979 ;
980
981 ike_sas_l : ike_sas_l ike_sa
982 | ike_sa
983 ;
984
985 ike_sa : IKESA {
986 if ((ipsec_mode->xfs = recallocarray(ipsec_mode->xfs,
987 ipsec_mode->nxfs, ipsec_mode->nxfs + 1,
988 sizeof(struct ipsec_transforms *))) == NULL)
989 err(1, "ike_sa: recallocarray");
990 ipsec_mode->nxfs++;
991 encxfs = ikeencxfs;
992 } transforms {
993 ipsec_mode->xfs[ipsec_mode->nxfs - 1] = $3;
994 }
995 ;
996
997 child_sas : {
998 if ((ipsec_mode = calloc(1,
999 sizeof(struct ipsec_mode))) == NULL)
1000 err(1, "child_sas: calloc");
1001 }
1002 child_sas_l {
1003 $$ = ipsec_mode;
1004 }
1005 | /* empty */ {
1006 $$ = NULL;
1007 }
1008 ;
1009
1010 child_sas_l : child_sas_l child_sa
1011 | child_sa
1012 ;
1013
1014 child_sa : CHILDSA {
1015 if ((ipsec_mode->xfs = recallocarray(ipsec_mode->xfs,
1016 ipsec_mode->nxfs, ipsec_mode->nxfs + 1,
1017 sizeof(struct ipsec_transforms *))) == NULL)
1018 err(1, "child_sa: recallocarray");
1019 ipsec_mode->nxfs++;
1020 encxfs = ipsecencxfs;
1021 } transforms {
1022 ipsec_mode->xfs[ipsec_mode->nxfs - 1] = $3;
1023 }
1024 ;
1025
1026 ikeflags : ikematch ikemode ipcomp tmode natt_force {
1027 $$ = $1 | $2 | $3 | $4 | $5;
1028 }
1029 ;
1030
1031 ikematch : /* empty */ { $$ = 0; }
1032 | QUICK { $$ = IKED_POLICY_QUICK; }
1033 | SKIP { $$ = IKED_POLICY_SKIP; }
1034 | DEFAULT { $$ = IKED_POLICY_DEFAULT; }
1035 ;
1036
1037 ikemode : /* empty */ { $$ = IKED_POLICY_PASSIVE; }
1038 | PASSIVE { $$ = IKED_POLICY_PASSIVE; }
1039 | ACTIVE { $$ = IKED_POLICY_ACTIVE; }
1040 ;
1041
1042 ipcomp : /* empty */ { $$ = 0; }
1043 | IPCOMP { $$ = IKED_POLICY_IPCOMP; }
1044 ;
1045
1046 tmode : /* empty */ { $$ = 0; }
1047 | TUNNEL { $$ = 0; }
1048 | TRANSPORT { $$ = IKED_POLICY_TRANSPORT; }
1049 ;
1050
1051 natt_force : /* empty */ { $$ = 0; }
1052 | NATT { $$ = IKED_POLICY_NATT_FORCE; }
1053 ;
1054
1055 ikeauth : /* empty */ {
1056 $$.auth_method = IKEV2_AUTH_SIG_ANY; /* default */
1057 $$.auth_eap = 0;
1058 $$.auth_length = 0;
1059 }
1060 | PSK keyspec {
1061 memcpy(&$$, &$2, sizeof($$));
1062 $$.auth_method = IKEV2_AUTH_SHARED_KEY_MIC;
1063 $$.auth_eap = 0;
1064 explicit_bzero(&$2, sizeof($2));
1065 }
1066 | EAP RADIUS {
1067 $$.auth_method = IKEV2_AUTH_SIG_ANY;
1068 $$.auth_eap = EAP_TYPE_RADIUS;
1069 $$.auth_length = 0;
1070 }
1071 | EAP STRING {
1072 unsigned int i;
1073
1074 for (i = 0; i < strlen($2); i++)
1075 if ($2[i] == '-')
1076 $2[i] = '_';
1077
1078 if (strcasecmp("mschap_v2", $2) == 0)
1079 $$.auth_eap = EAP_TYPE_MSCHAP_V2;
1080 else if (strcasecmp("radius", $2) == 0)
1081 $$.auth_eap = EAP_TYPE_RADIUS;
1082 else {
1083 yyerror("unsupported EAP method: %s", $2);
1084 free($2);
1085 YYERROR;
1086 }
1087 free($2);
1088
1089 $$.auth_method = IKEV2_AUTH_SIG_ANY;
1090 $$.auth_length = 0;
1091 }
1092 | STRING {
1093 const struct ipsec_xf *xf;
1094
1095 if ((xf = parse_xf($1, 0, methodxfs)) == NULL ||
1096 xf->id == IKEV2_AUTH_NONE) {
1097 yyerror("not a valid authentication mode");
1098 free($1);
1099 YYERROR;
1100 }
1101 free($1);
1102
1103 $$.auth_method = xf->id;
1104 $$.auth_eap = 0;
1105 $$.auth_length = 0;
1106 }
1107 ;
1108
1109 byte_spec : NUMBER {
1110 $$ = $1;
1111 }
1112 | STRING {
1113 uint64_t bytes = 0;
1114 char unit = 0;
1115
1116 if (sscanf($1, "%llu%c", &bytes, &unit) != 2) {
1117 yyerror("invalid byte specification: %s", $1);
1118 YYERROR;
1119 }
1120 free($1);
1121 switch (toupper((unsigned char)unit)) {
1122 case 'K':
1123 bytes *= 1024;
1124 break;
1125 case 'M':
1126 bytes *= 1024 * 1024;
1127 break;
1128 case 'G':
1129 bytes *= 1024 * 1024 * 1024;
1130 break;
1131 default:
1132 yyerror("invalid byte unit");
1133 YYERROR;
1134 }
1135 $$ = bytes;
1136 }
1137 ;
1138
1139 time_spec : NUMBER {
1140 $$ = $1;
1141 }
1142 | STRING {
1143 uint64_t seconds = 0;
1144 char unit = 0;
1145
1146 if (sscanf($1, "%llu%c", &seconds, &unit) != 2) {
1147 yyerror("invalid time specification: %s", $1);
1148 YYERROR;
1149 }
1150 free($1);
1151 switch (tolower((unsigned char)unit)) {
1152 case 'm':
1153 seconds *= 60;
1154 break;
1155 case 'h':
1156 seconds *= 60 * 60;
1157 break;
1158 default:
1159 yyerror("invalid time unit");
1160 YYERROR;
1161 }
1162 $$ = seconds;
1163 }
1164 ;
1165
1166 lifetime : /* empty */ {
1167 $$ = deflifetime;
1168 }
1169 | LIFETIME time_spec {
1170 $$.lt_seconds = $2;
1171 $$.lt_bytes = deflifetime.lt_bytes;
1172 }
1173 | LIFETIME time_spec BYTES byte_spec {
1174 $$.lt_seconds = $2;
1175 $$.lt_bytes = $4;
1176 }
1177 ;
1178
1179 ikelifetime : /* empty */ {
1180 $$ = 0;
1181 }
1182 | IKELIFETIME time_spec {
1183 $$ = $2;
1184 }
1185
1186 keyspec : STRING {
1187 uint8_t *hex;
1188
1189 bzero(&$$, sizeof($$));
1190
1191 hex = $1;
1192 if (strncmp(hex, "0x", 2) == 0) {
1193 hex += 2;
1194 if (parsekey(hex, strlen(hex), &$$) != 0) {
1195 free($1);
1196 YYERROR;
1197 }
1198 } else {
1199 if (strlen($1) > sizeof($$.auth_data)) {
1200 yyerror("psk too long");
1201 free($1);
1202 YYERROR;
1203 }
1204 strlcpy($$.auth_data, $1,
1205 sizeof($$.auth_data));
1206 $$.auth_length = strlen($1);
1207 }
1208 freezero($1, strlen($1));
1209 }
1210 | FILENAME STRING {
1211 if (parsekeyfile($2, &$$) != 0) {
1212 free($2);
1213 YYERROR;
1214 }
1215 free($2);
1216 }
1217 ;
1218
1219 filters : {
1220 if ((ipsec_filters = calloc(1,
1221 sizeof(struct ipsec_filters))) == NULL)
1222 err(1, "filters: calloc");
1223 }
1224 filters_l {
1225 $$ = ipsec_filters;
1226 }
1227 | /* empty */ {
1228 $$ = NULL;
1229 }
1230 ;
1231
1232 filters_l : filters_l filter
1233 | filter
1234 ;
1235
1236 filter : TAG STRING
1237 {
1238 ipsec_filters->tag = $2;
1239 }
1240 | TAP STRING
1241 {
1242 const char *errstr = NULL;
1243 size_t len;
1244
1245 len = strcspn($2, "0123456789");
1246 if (strlen("enc") != len ||
1247 strncmp("enc", $2, len) != 0) {
1248 yyerror("invalid tap interface name: %s", $2);
1249 free($2);
1250 YYERROR;
1251 }
1252 ipsec_filters->tap =
1253 strtonum($2 + len, 0, UINT_MAX, &errstr);
1254 free($2);
1255 if (errstr != NULL) {
1256 yyerror("invalid tap interface unit: %s",
1257 errstr);
1258 YYERROR;
1259 }
1260 }
1261 ;
1262
1263 iface : {
1264 $$ = NULL;
1265 }
1266 | IFACE STRING {
1267 $$ = $2;
1268 }
1269
1270 string : string STRING
1271 {
1272 if (asprintf(&$$, "%s %s", $1, $2) == -1)
1273 err(1, "string: asprintf");
1274 free($1);
1275 free($2);
1276 }
1277 | STRING
1278 ;
1279
1280 radius : RADIUS accounting SERVER STRING port SECRET STRING
1281 {
1282 int ret, gai_err;
1283 struct addrinfo hints, *ai;
1284 u_short port;
1285
1286 memset(&hints, 0, sizeof(hints));
1287 hints.ai_family = PF_UNSPEC;
1288 hints.ai_socktype = SOCK_DGRAM;
1289 hints.ai_flags = AI_PASSIVE | AI_NUMERICHOST;
1290 if ((gai_err = getaddrinfo($4, NULL, &hints, &ai))
1291 != 0) {
1292 yyerror("could not parse the address: %s: %s",
1293 $4, gai_strerror(gai_err));
1294 free($4);
1295 explicit_bzero($7, strlen($7));
1296 free($7);
1297 YYERROR;
1298 }
1299 port = $5;
1300 if (port == 0)
1301 port = htons((!$2)? RADIUS_DEFAULT_PORT :
1302 RADIUS_ACCT_DEFAULT_PORT);
1303 socket_af(ai->ai_addr, port);
1304 if ((ret = config_setradserver(env, ai->ai_addr,
1305 ai->ai_addrlen, $7, $2)) != 0) {
1306 yyerror("could not set radius server");
1307 free($4);
1308 explicit_bzero($7, strlen($7));
1309 free($7);
1310 YYERROR;
1311 }
1312 explicit_bzero($7, strlen($7));
1313 freeaddrinfo(ai);
1314 free($4);
1315 free($7);
1316 }
1317 | RADIUS accounting MAX_TRIES NUMBER {
1318 if ($4 <= 0) {
1319 yyerror("max-tries must a positive value");
1320 YYERROR;
1321 }
1322 if ($2)
1323 radacct.max_tries = $4;
1324 else
1325 radauth.max_tries = $4;
1326 }
1327 | RADIUS accounting MAX_FAILOVERS NUMBER {
1328 if ($4 < 0) {
1329 yyerror("max-failovers must be 0 or a "
1330 "positive value");
1331 YYERROR;
1332 }
1333 if ($2)
1334 radacct.max_failovers = $4;
1335 else
1336 radauth.max_failovers = $4;
1337 }
1338 | RADIUS CONFIG af STRING radattr {
1339 const struct ipsec_xf *xf;
1340 int af, cfgtype;
1341
1342 af = $3;
1343 if (af == AF_UNSPEC)
1344 af = AF_INET;
1345 if (strcmp($4, "none") == 0)
1346 cfgtype = 0;
1347 else {
1348 if ((xf = parse_xf($4, af, cpxfs)) == NULL ||
1349 xf->id == IKEV2_CFG_INTERNAL_IP4_SUBNET ||
1350 xf->id == IKEV2_CFG_INTERNAL_IP6_SUBNET) {
1351 yyerror("not a valid ikecfg option");
1352 free($4);
1353 YYERROR;
1354 }
1355 cfgtype = xf->id;
1356 }
1357 free($4);
1358 config_setradcfgmap(env, cfgtype, $5.vendorid,
1359 $5.attrtype);
1360 }
1361 | RADIUS DAE LISTEN ON STRING port {
1362 int ret, gai_err;
1363 struct addrinfo hints, *ai;
1364 u_short port;
1365
1366 memset(&hints, 0, sizeof(hints));
1367 hints.ai_family = PF_UNSPEC;
1368 hints.ai_socktype = SOCK_DGRAM;
1369 hints.ai_flags = AI_PASSIVE | AI_NUMERICHOST;
1370 if ((gai_err = getaddrinfo($5, NULL, &hints, &ai))
1371 != 0) {
1372 yyerror("could not parse the address: %s: %s",
1373 $5, gai_strerror(gai_err));
1374 free($5);
1375 YYERROR;
1376 }
1377 port = $6;
1378 if (port == 0)
1379 port = htons(RADIUS_DAE_DEFAULT_PORT);
1380 socket_af(ai->ai_addr, port);
1381 if ((ret = config_setraddae(env, ai->ai_addr,
1382 ai->ai_addrlen)) != 0) {
1383 yyerror("could not set radius server");
1384 free($5);
1385 YYERROR;
1386 }
1387 freeaddrinfo(ai);
1388 free($5);
1389 }
1390 | RADIUS DAE CLIENT STRING SECRET STRING {
1391 int gai_err;
1392 struct addrinfo hints, *ai;
1393
1394 memset(&hints, 0, sizeof(hints));
1395 hints.ai_family = PF_UNSPEC;
1396 hints.ai_socktype = SOCK_DGRAM;
1397 hints.ai_flags = AI_PASSIVE | AI_NUMERICHOST;
1398 if ((gai_err = getaddrinfo($4, NULL, &hints, &ai))
1399 != 0) {
1400 yyerror("could not parse the address: %s: %s",
1401 $4, gai_strerror(gai_err));
1402 free($4);
1403 explicit_bzero($6, strlen($6));
1404 free($6);
1405 YYERROR;
1406 }
1407 config_setradclient(env, ai->ai_addr, ai->ai_addrlen,
1408 $6);
1409 free($4);
1410 explicit_bzero($6, strlen($6));
1411 free($6);
1412 freeaddrinfo(ai);
1413 }
1414 ;
1415
1416 radattr : hexdecnumber hexdecnumber {
1417 if ($1 < 0 || 0xffffffL < $1) {
1418 yyerror("vendor-id must be in 0-0xffffff");
1419 YYERROR;
1420 }
1421 if ($2 < 0 || 256 <= $2) {
1422 yyerror("attribute type must be in 0-255");
1423 YYERROR;
1424 }
1425 $$.vendorid = $1;
1426 $$.attrtype = $2;
1427 }
1428 | hexdecnumber {
1429 if ($1 < 0 || 256 <= $1) {
1430 yyerror("attribute type must be in 0-255");
1431 YYERROR;
1432 }
1433 $$.vendorid = 0;
1434 $$.attrtype = $1;
1435 }
1436
1437 hexdecnumber : STRING {
1438 const char *errstr;
1439 char *ep;
1440 uintmax_t ul;
1441
1442 if ($1[0] == '0' && $1[1] == 'x' && isxdigit($1[2])) {
1443 ul = strtoumax($1 + 2, &ep, 16);
1444 if (*ep != '\0') {
1445 yyerror("`%s' is not a number", $1);
1446 free($1);
1447 YYERROR;
1448 }
1449 if (ul == UINTMAX_MAX || ul > UINT64_MAX) {
1450 yyerror("`%s' is out-of-range", $1);
1451 free($1);
1452 YYERROR;
1453 }
1454 $$ = ul;
1455 } else {
1456 $$ = strtonum($1, 0, UINT64_MAX, &errstr);
1457 if (errstr != NULL) {
1458 yyerror("`%s' is %s", $1, errstr);
1459 free($1);
1460 YYERROR;
1461 }
1462 }
1463 free($1);
1464 }
1465 | NUMBER
1466 ;
1467
1468 accounting : {
1469 $$ = 0;
1470 }
1471 | ACCOUNTING {
1472 $$ = 1;
1473 }
1474 ;
1475
1476 varset : STRING '=' string
1477 {
1478 char *s = $1;
1479 log_debug("%s = \"%s\"\n", $1, $3);
1480 while (*s++) {
1481 if (isspace((unsigned char)*s)) {
1482 yyerror("macro name cannot contain "
1483 "whitespace");
1484 free($1);
1485 free($3);
1486 YYERROR;
1487 }
1488 }
1489 if (symset($1, $3, 0) == -1)
1490 err(1, "cannot store variable");
1491 free($1);
1492 free($3);
1493 }
1494 ;
1495
1496 /*
1497 * ignore IKEv1/manual keying rules in ipsec.conf
1498 */
1499 otherrule : IKEV1
1500 | sarule
1501 | FLOW
1502 | TCPMD5
1503 ;
1504
1505 /* manual keying SAs might start with the following keywords */
1506 sarule : SA
1507 | FROM
1508 | TO
1509 | TUNNEL
1510 | TRANSPORT
1511 ;
1512
1513 /* ignore everything to the end of the line */
1514 skipline :
1515 {
1516 int c;
1517
1518 while ((c = lgetc(0)) != '\n' && c != EOF)
1519 ; /* nothing */
1520 if (c == '\n')
1521 lungetc(c);
1522 }
1523 ;
1524 %%
1525
1526 struct keywords {
1527 const char *k_name;
1528 int k_val;
1529 };
1530
1531 void
copy_sockaddrtoipa(struct ipsec_addr_wrap * ipa,struct sockaddr * sa)1532 copy_sockaddrtoipa(struct ipsec_addr_wrap *ipa, struct sockaddr *sa)
1533 {
1534 if (sa->sa_family == AF_INET6)
1535 memcpy(&ipa->address, sa, sizeof(struct sockaddr_in6));
1536 else if (sa->sa_family == AF_INET)
1537 memcpy(&ipa->address, sa, sizeof(struct sockaddr_in));
1538 else
1539 warnx("unhandled af %d", sa->sa_family);
1540 }
1541
1542 int
yyerror(const char * fmt,...)1543 yyerror(const char *fmt, ...)
1544 {
1545 va_list ap;
1546
1547 file->errors++;
1548 va_start(ap, fmt);
1549 fprintf(stderr, "%s: %d: ", file->name, yylval.lineno);
1550 vfprintf(stderr, fmt, ap);
1551 fprintf(stderr, "\n");
1552 va_end(ap);
1553 return (0);
1554 }
1555
1556 int
kw_cmp(const void * k,const void * e)1557 kw_cmp(const void *k, const void *e)
1558 {
1559 return (strcmp(k, ((const struct keywords *)e)->k_name));
1560 }
1561
1562 int
lookup(char * s)1563 lookup(char *s)
1564 {
1565 /* this has to be sorted always */
1566 static const struct keywords keywords[] = {
1567 { "accounting", ACCOUNTING },
1568 { "active", ACTIVE },
1569 { "ah", AH },
1570 { "any", ANY },
1571 { "auth", AUTHXF },
1572 { "bytes", BYTES },
1573 { "cert_partial_chain", CERTPARTIALCHAIN },
1574 { "childsa", CHILDSA },
1575 { "client", CLIENT },
1576 { "config", CONFIG },
1577 { "couple", COUPLE },
1578 { "dae", DAE },
1579 { "decouple", DECOUPLE },
1580 { "default", DEFAULT },
1581 { "dpd_check_interval", DPD_CHECK_INTERVAL },
1582 { "dstid", DSTID },
1583 { "dynamic", DYNAMIC },
1584 { "eap", EAP },
1585 { "enc", ENCXF },
1586 { "enforcesingleikesa", ENFORCESINGLEIKESA },
1587 { "esn", ESN },
1588 { "esp", ESP },
1589 { "file", FILENAME },
1590 { "flow", FLOW },
1591 { "fragmentation", FRAGMENTATION },
1592 { "from", FROM },
1593 { "group", GROUP },
1594 { "iface", IFACE },
1595 { "ike", IKEV1 },
1596 { "ikelifetime", IKELIFETIME },
1597 { "ikesa", IKESA },
1598 { "ikev2", IKEV2 },
1599 { "include", INCLUDE },
1600 { "inet", INET },
1601 { "inet6", INET6 },
1602 { "ipcomp", IPCOMP },
1603 { "lifetime", LIFETIME },
1604 { "listen", LISTEN },
1605 { "local", LOCAL },
1606 { "max-failovers", MAX_FAILOVERS},
1607 { "max-tries", MAX_TRIES },
1608 { "maxage", MAXAGE },
1609 { "mobike", MOBIKE },
1610 { "name", NAME },
1611 { "natt", NATT },
1612 { "noenforcesingleikesa", NOENFORCESINGLEIKESA },
1613 { "noesn", NOESN },
1614 { "nofragmentation", NOFRAGMENTATION },
1615 { "nomobike", NOMOBIKE },
1616 { "nostickyaddress", NOSTICKYADDRESS },
1617 { "novendorid", NOVENDORID },
1618 { "ocsp", OCSP },
1619 { "on", ON },
1620 { "passive", PASSIVE },
1621 { "peer", PEER },
1622 { "port", PORT },
1623 { "prf", PRFXF },
1624 { "proto", PROTO },
1625 { "psk", PSK },
1626 { "quick", QUICK },
1627 { "radius", RADIUS },
1628 { "rdomain", RDOMAIN },
1629 { "request", REQUEST },
1630 { "sa", SA },
1631 { "secret", SECRET },
1632 { "server", SERVER },
1633 { "set", SET },
1634 { "skip", SKIP },
1635 { "srcid", SRCID },
1636 { "stickyaddress", STICKYADDRESS },
1637 { "tag", TAG },
1638 { "tap", TAP },
1639 { "tcpmd5", TCPMD5 },
1640 { "to", TO },
1641 { "tolerate", TOLERATE },
1642 { "transport", TRANSPORT },
1643 { "tunnel", TUNNEL },
1644 { "user", USER },
1645 { "vendorid", VENDORID }
1646 };
1647 const struct keywords *p;
1648
1649 p = bsearch(s, keywords, sizeof(keywords)/sizeof(keywords[0]),
1650 sizeof(keywords[0]), kw_cmp);
1651
1652 if (p) {
1653 if (debug > 1)
1654 fprintf(stderr, "%s: %d\n", s, p->k_val);
1655 return (p->k_val);
1656 } else {
1657 if (debug > 1)
1658 fprintf(stderr, "string: %s\n", s);
1659 return (STRING);
1660 }
1661 }
1662
1663 #define START_EXPAND 1
1664 #define DONE_EXPAND 2
1665
1666 static int expanding;
1667
1668 int
igetc(void)1669 igetc(void)
1670 {
1671 int c;
1672
1673 while (1) {
1674 if (file->ungetpos > 0)
1675 c = file->ungetbuf[--file->ungetpos];
1676 else
1677 c = getc(file->stream);
1678
1679 if (c == START_EXPAND)
1680 expanding = 1;
1681 else if (c == DONE_EXPAND)
1682 expanding = 0;
1683 else
1684 break;
1685 }
1686 return (c);
1687 }
1688
1689 int
lgetc(int quotec)1690 lgetc(int quotec)
1691 {
1692 int c, next;
1693
1694 if (quotec) {
1695 if ((c = igetc()) == EOF) {
1696 yyerror("reached end of file while parsing "
1697 "quoted string");
1698 if (file == topfile || popfile() == EOF)
1699 return (EOF);
1700 return (quotec);
1701 }
1702 return (c);
1703 }
1704
1705 while ((c = igetc()) == '\\') {
1706 next = igetc();
1707 if (next != '\n') {
1708 c = next;
1709 break;
1710 }
1711 yylval.lineno = file->lineno;
1712 file->lineno++;
1713 }
1714
1715 while (c == EOF) {
1716 /*
1717 * Fake EOL when hit EOF for the first time. This gets line
1718 * count right if last line in included file is syntactically
1719 * invalid and has no newline.
1720 */
1721 if (file->eof_reached == 0) {
1722 file->eof_reached = 1;
1723 return ('\n');
1724 }
1725 while (c == EOF) {
1726 if (file == topfile || popfile() == EOF)
1727 return (EOF);
1728 c = igetc();
1729 }
1730 }
1731 return (c);
1732 }
1733
1734 void
lungetc(int c)1735 lungetc(int c)
1736 {
1737 if (c == EOF)
1738 return;
1739
1740 if (file->ungetpos >= file->ungetsize) {
1741 void *p = reallocarray(file->ungetbuf, file->ungetsize, 2);
1742 if (p == NULL)
1743 err(1, "lungetc");
1744 file->ungetbuf = p;
1745 file->ungetsize *= 2;
1746 }
1747 file->ungetbuf[file->ungetpos++] = c;
1748 }
1749
1750 int
findeol(void)1751 findeol(void)
1752 {
1753 int c;
1754
1755 /* skip to either EOF or the first real EOL */
1756 while (1) {
1757 c = lgetc(0);
1758 if (c == '\n') {
1759 file->lineno++;
1760 break;
1761 }
1762 if (c == EOF)
1763 break;
1764 }
1765 return (ERROR);
1766 }
1767
1768 int
yylex(void)1769 yylex(void)
1770 {
1771 char buf[8096];
1772 char *p, *val;
1773 int quotec, next, c;
1774 int token;
1775
1776 top:
1777 p = buf;
1778 while ((c = lgetc(0)) == ' ' || c == '\t')
1779 ; /* nothing */
1780
1781 yylval.lineno = file->lineno;
1782 if (c == '#')
1783 while ((c = lgetc(0)) != '\n' && c != EOF)
1784 ; /* nothing */
1785 if (c == '$' && !expanding) {
1786 while (1) {
1787 if ((c = lgetc(0)) == EOF)
1788 return (0);
1789
1790 if (p + 1 >= buf + sizeof(buf) - 1) {
1791 yyerror("string too long");
1792 return (findeol());
1793 }
1794 if (isalnum(c) || c == '_') {
1795 *p++ = c;
1796 continue;
1797 }
1798 *p = '\0';
1799 lungetc(c);
1800 break;
1801 }
1802 val = symget(buf);
1803 if (val == NULL) {
1804 yyerror("macro '%s' not defined", buf);
1805 return (findeol());
1806 }
1807 p = val + strlen(val) - 1;
1808 lungetc(DONE_EXPAND);
1809 while (p >= val) {
1810 lungetc((unsigned char)*p);
1811 p--;
1812 }
1813 lungetc(START_EXPAND);
1814 goto top;
1815 }
1816
1817 switch (c) {
1818 case '\'':
1819 case '"':
1820 quotec = c;
1821 while (1) {
1822 if ((c = lgetc(quotec)) == EOF)
1823 return (0);
1824 if (c == '\n') {
1825 file->lineno++;
1826 continue;
1827 } else if (c == '\\') {
1828 if ((next = lgetc(quotec)) == EOF)
1829 return (0);
1830 if (next == quotec || next == ' ' ||
1831 next == '\t')
1832 c = next;
1833 else if (next == '\n') {
1834 file->lineno++;
1835 continue;
1836 } else
1837 lungetc(next);
1838 } else if (c == quotec) {
1839 *p = '\0';
1840 break;
1841 } else if (c == '\0') {
1842 yyerror("syntax error");
1843 return (findeol());
1844 }
1845 if (p + 1 >= buf + sizeof(buf) - 1) {
1846 yyerror("string too long");
1847 return (findeol());
1848 }
1849 *p++ = c;
1850 }
1851 yylval.v.string = strdup(buf);
1852 if (yylval.v.string == NULL)
1853 err(1, "%s", __func__);
1854 return (STRING);
1855 }
1856
1857 #define allowed_to_end_number(x) \
1858 (isspace(x) || x == ')' || x ==',' || x == '/' || x == '}' || x == '=')
1859
1860 if (c == '-' || isdigit(c)) {
1861 do {
1862 *p++ = c;
1863 if ((size_t)(p-buf) >= sizeof(buf)) {
1864 yyerror("string too long");
1865 return (findeol());
1866 }
1867 } while ((c = lgetc(0)) != EOF && isdigit(c));
1868 lungetc(c);
1869 if (p == buf + 1 && buf[0] == '-')
1870 goto nodigits;
1871 if (c == EOF || allowed_to_end_number(c)) {
1872 const char *errstr = NULL;
1873
1874 *p = '\0';
1875 yylval.v.number = strtonum(buf, LLONG_MIN,
1876 LLONG_MAX, &errstr);
1877 if (errstr) {
1878 yyerror("\"%s\" invalid number: %s",
1879 buf, errstr);
1880 return (findeol());
1881 }
1882 return (NUMBER);
1883 } else {
1884 nodigits:
1885 while (p > buf + 1)
1886 lungetc((unsigned char)*--p);
1887 c = (unsigned char)*--p;
1888 if (c == '-')
1889 return (c);
1890 }
1891 }
1892
1893 #define allowed_in_string(x) \
1894 (isalnum(x) || (ispunct(x) && x != '(' && x != ')' && \
1895 x != '{' && x != '}' && x != '<' && x != '>' && \
1896 x != '!' && x != '=' && x != '/' && x != '#' && \
1897 x != ','))
1898
1899 if (isalnum(c) || c == ':' || c == '_' || c == '*') {
1900 do {
1901 *p++ = c;
1902 if ((size_t)(p-buf) >= sizeof(buf)) {
1903 yyerror("string too long");
1904 return (findeol());
1905 }
1906 } while ((c = lgetc(0)) != EOF && (allowed_in_string(c)));
1907 lungetc(c);
1908 *p = '\0';
1909 if ((token = lookup(buf)) == STRING)
1910 if ((yylval.v.string = strdup(buf)) == NULL)
1911 err(1, "%s", __func__);
1912 return (token);
1913 }
1914 if (c == '\n') {
1915 yylval.lineno = file->lineno;
1916 file->lineno++;
1917 }
1918 if (c == EOF)
1919 return (0);
1920 return (c);
1921 }
1922
1923 int
check_file_secrecy(int fd,const char * fname)1924 check_file_secrecy(int fd, const char *fname)
1925 {
1926 struct stat st;
1927
1928 if (fstat(fd, &st)) {
1929 warn("cannot stat %s", fname);
1930 return (-1);
1931 }
1932 if (st.st_uid != 0 && st.st_uid != getuid()) {
1933 warnx("%s: owner not root or current user", fname);
1934 return (-1);
1935 }
1936 if (st.st_mode & (S_IWGRP | S_IXGRP | S_IRWXO)) {
1937 warnx("%s: group writable or world read/writable", fname);
1938 return (-1);
1939 }
1940 return (0);
1941 }
1942
1943 struct file *
pushfile(const char * name,int secret)1944 pushfile(const char *name, int secret)
1945 {
1946 struct file *nfile;
1947
1948 if ((nfile = calloc(1, sizeof(struct file))) == NULL) {
1949 warn("%s", __func__);
1950 return (NULL);
1951 }
1952 if ((nfile->name = strdup(name)) == NULL) {
1953 warn("%s", __func__);
1954 free(nfile);
1955 return (NULL);
1956 }
1957 if (TAILQ_FIRST(&files) == NULL && strcmp(nfile->name, "-") == 0) {
1958 nfile->stream = stdin;
1959 free(nfile->name);
1960 if ((nfile->name = strdup("stdin")) == NULL) {
1961 warn("%s", __func__);
1962 free(nfile);
1963 return (NULL);
1964 }
1965 } else if ((nfile->stream = fopen(nfile->name, "r")) == NULL) {
1966 warn("%s: %s", __func__, nfile->name);
1967 free(nfile->name);
1968 free(nfile);
1969 return (NULL);
1970 } else if (secret &&
1971 check_file_secrecy(fileno(nfile->stream), nfile->name)) {
1972 fclose(nfile->stream);
1973 free(nfile->name);
1974 free(nfile);
1975 return (NULL);
1976 }
1977 nfile->lineno = TAILQ_EMPTY(&files) ? 1 : 0;
1978 nfile->ungetsize = 16;
1979 nfile->ungetbuf = malloc(nfile->ungetsize);
1980 if (nfile->ungetbuf == NULL) {
1981 warn("%s", __func__);
1982 fclose(nfile->stream);
1983 free(nfile->name);
1984 free(nfile);
1985 return (NULL);
1986 }
1987 TAILQ_INSERT_TAIL(&files, nfile, entry);
1988 return (nfile);
1989 }
1990
1991 int
popfile(void)1992 popfile(void)
1993 {
1994 struct file *prev;
1995
1996 if ((prev = TAILQ_PREV(file, files, entry)) != NULL)
1997 prev->errors += file->errors;
1998
1999 TAILQ_REMOVE(&files, file, entry);
2000 fclose(file->stream);
2001 free(file->name);
2002 free(file->ungetbuf);
2003 free(file);
2004 file = prev;
2005
2006 return (file ? 0 : EOF);
2007 }
2008
2009 int
parse_config(const char * filename,struct iked * x_env)2010 parse_config(const char *filename, struct iked *x_env)
2011 {
2012 struct sym *sym;
2013 int errors = 0;
2014
2015 env = x_env;
2016 rules = 0;
2017
2018 if ((file = pushfile(filename, 1)) == NULL)
2019 return (-1);
2020 topfile = file;
2021
2022 free(ocsp_url);
2023
2024 mobike = 1;
2025 enforcesingleikesa = stickyaddress = 0;
2026 cert_partial_chain = decouple = passive = 0;
2027 ocsp_tolerate = 0;
2028 ocsp_url = NULL;
2029 ocsp_maxage = -1;
2030 fragmentation = 0;
2031 dpd_interval = IKED_IKE_SA_ALIVE_TIMEOUT;
2032 decouple = passive = 0;
2033 ocsp_url = NULL;
2034 radauth.max_tries = 3;
2035 radauth.max_failovers = 0;
2036 radacct.max_tries = 3;
2037 radacct.max_failovers = 0;
2038
2039 if (env->sc_opts & IKED_OPT_PASSIVE)
2040 passive = 1;
2041
2042 yyparse();
2043 errors = file->errors;
2044 popfile();
2045
2046 env->sc_passive = passive ? 1 : 0;
2047 env->sc_decoupled = decouple ? 1 : 0;
2048 env->sc_mobike = mobike;
2049 env->sc_enforcesingleikesa = enforcesingleikesa;
2050 env->sc_stickyaddress = stickyaddress;
2051 env->sc_frag = fragmentation;
2052 env->sc_alive_timeout = dpd_interval;
2053 env->sc_ocsp_url = ocsp_url;
2054 env->sc_ocsp_tolerate = ocsp_tolerate;
2055 env->sc_ocsp_maxage = ocsp_maxage;
2056 env->sc_cert_partial_chain = cert_partial_chain;
2057 env->sc_vendorid = vendorid;
2058 env->sc_radauth = radauth;
2059 env->sc_radacct = radacct;
2060
2061 if (!rules)
2062 log_warnx("%s: no valid configuration rules found",
2063 filename);
2064 else
2065 log_debug("%s: loaded %d configuration rules",
2066 filename, rules);
2067
2068 /* Free macros and check which have not been used. */
2069 while ((sym = TAILQ_FIRST(&symhead))) {
2070 if (!sym->used)
2071 log_debug("warning: macro '%s' not "
2072 "used\n", sym->nam);
2073 free(sym->nam);
2074 free(sym->val);
2075 TAILQ_REMOVE(&symhead, sym, entry);
2076 free(sym);
2077 }
2078
2079 iaw_free(iftab);
2080 iftab = NULL;
2081
2082 return (errors ? -1 : 0);
2083 }
2084
2085 int
symset(const char * nam,const char * val,int persist)2086 symset(const char *nam, const char *val, int persist)
2087 {
2088 struct sym *sym;
2089
2090 TAILQ_FOREACH(sym, &symhead, entry) {
2091 if (strcmp(nam, sym->nam) == 0)
2092 break;
2093 }
2094
2095 if (sym != NULL) {
2096 if (sym->persist == 1)
2097 return (0);
2098 else {
2099 free(sym->nam);
2100 free(sym->val);
2101 TAILQ_REMOVE(&symhead, sym, entry);
2102 free(sym);
2103 }
2104 }
2105 if ((sym = calloc(1, sizeof(*sym))) == NULL)
2106 return (-1);
2107
2108 sym->nam = strdup(nam);
2109 if (sym->nam == NULL) {
2110 free(sym);
2111 return (-1);
2112 }
2113 sym->val = strdup(val);
2114 if (sym->val == NULL) {
2115 free(sym->nam);
2116 free(sym);
2117 return (-1);
2118 }
2119 sym->used = 0;
2120 sym->persist = persist;
2121 TAILQ_INSERT_TAIL(&symhead, sym, entry);
2122 return (0);
2123 }
2124
2125 int
cmdline_symset(char * s)2126 cmdline_symset(char *s)
2127 {
2128 char *sym, *val;
2129 int ret;
2130
2131 if ((val = strrchr(s, '=')) == NULL)
2132 return (-1);
2133
2134 sym = strndup(s, val - s);
2135 if (sym == NULL)
2136 err(1, "%s", __func__);
2137 ret = symset(sym, val + 1, 1);
2138 free(sym);
2139
2140 return (ret);
2141 }
2142
2143 char *
symget(const char * nam)2144 symget(const char *nam)
2145 {
2146 struct sym *sym;
2147
2148 TAILQ_FOREACH(sym, &symhead, entry) {
2149 if (strcmp(nam, sym->nam) == 0) {
2150 sym->used = 1;
2151 return (sym->val);
2152 }
2153 }
2154 return (NULL);
2155 }
2156
2157 uint8_t
x2i(unsigned char * s)2158 x2i(unsigned char *s)
2159 {
2160 char ss[3];
2161
2162 ss[0] = s[0];
2163 ss[1] = s[1];
2164 ss[2] = 0;
2165
2166 if (!isxdigit(s[0]) || !isxdigit(s[1])) {
2167 yyerror("keys need to be specified in hex digits");
2168 return (-1);
2169 }
2170 return ((uint8_t)strtoul(ss, NULL, 16));
2171 }
2172
2173 int
parsekey(unsigned char * hexkey,size_t len,struct iked_auth * auth)2174 parsekey(unsigned char *hexkey, size_t len, struct iked_auth *auth)
2175 {
2176 unsigned int i;
2177
2178 bzero(auth, sizeof(*auth));
2179 if ((len / 2) > sizeof(auth->auth_data))
2180 return (-1);
2181 auth->auth_length = len / 2;
2182
2183 for (i = 0; i < auth->auth_length; i++)
2184 auth->auth_data[i] = x2i(hexkey + 2 * i);
2185
2186 return (0);
2187 }
2188
2189 int
parsekeyfile(char * filename,struct iked_auth * auth)2190 parsekeyfile(char *filename, struct iked_auth *auth)
2191 {
2192 struct stat sb;
2193 int fd, ret;
2194 unsigned char *hex;
2195
2196 if ((fd = open(filename, O_RDONLY)) == -1)
2197 err(1, "open %s", filename);
2198 if (check_file_secrecy(fd, filename) == -1)
2199 exit(1);
2200 if (fstat(fd, &sb) == -1)
2201 err(1, "parsekeyfile: stat %s", filename);
2202 if ((sb.st_size > KEYSIZE_LIMIT) || (sb.st_size == 0))
2203 errx(1, "%s: key too %s", filename, sb.st_size ? "large" :
2204 "small");
2205 if ((hex = calloc(sb.st_size, sizeof(unsigned char))) == NULL)
2206 err(1, "parsekeyfile: calloc");
2207 if (read(fd, hex, sb.st_size) < sb.st_size)
2208 err(1, "parsekeyfile: read");
2209 close(fd);
2210 ret = parsekey(hex, sb.st_size, auth);
2211 free(hex);
2212 return (ret);
2213 }
2214
2215 int
get_id_type(char * string)2216 get_id_type(char *string)
2217 {
2218 struct in6_addr ia;
2219
2220 if (string == NULL)
2221 return (IKEV2_ID_NONE);
2222
2223 if (*string == '/')
2224 return (IKEV2_ID_ASN1_DN);
2225 else if (inet_pton(AF_INET, string, &ia) == 1)
2226 return (IKEV2_ID_IPV4);
2227 else if (inet_pton(AF_INET6, string, &ia) == 1)
2228 return (IKEV2_ID_IPV6);
2229 else if (strchr(string, '@'))
2230 return (IKEV2_ID_UFQDN);
2231 else
2232 return (IKEV2_ID_FQDN);
2233 }
2234
2235 struct ipsec_addr_wrap *
host(const char * s)2236 host(const char *s)
2237 {
2238 struct ipsec_addr_wrap *ipa = NULL;
2239 int mask = -1;
2240 char *p, *ps;
2241 const char *errstr;
2242
2243 if ((ps = strdup(s)) == NULL)
2244 err(1, "%s: strdup", __func__);
2245
2246 if ((p = strchr(ps, '/')) != NULL) {
2247 mask = strtonum(p+1, 0, 128, &errstr);
2248 if (errstr) {
2249 fprintf(stderr, "netmask is %s: %s\n", errstr, p);
2250 goto error;
2251 }
2252 p[0] = '\0';
2253 }
2254
2255 if ((ipa = host_if(ps, mask)) == NULL &&
2256 (ipa = host_ip(ps, mask)) == NULL &&
2257 (ipa = host_dns(ps, mask)) == NULL)
2258 fprintf(stderr, "no IP address found for %s\n", s);
2259
2260 error:
2261 free(ps);
2262 return (ipa);
2263 }
2264
2265 struct ipsec_addr_wrap *
host_ip(const char * s,int mask)2266 host_ip(const char *s, int mask)
2267 {
2268 struct ipsec_addr_wrap *ipa = NULL;
2269 struct addrinfo hints, *res;
2270 char hbuf[NI_MAXHOST];
2271
2272 bzero(&hints, sizeof(struct addrinfo));
2273 hints.ai_family = AF_UNSPEC;
2274 hints.ai_socktype = SOCK_DGRAM; /*dummy*/
2275 hints.ai_flags = AI_NUMERICHOST;
2276 if (getaddrinfo(s, NULL, &hints, &res))
2277 return (NULL);
2278 if (res->ai_next)
2279 err(1, "%s: %s expanded to multiple item", __func__, s);
2280
2281 ipa = calloc(1, sizeof(struct ipsec_addr_wrap));
2282 if (ipa == NULL)
2283 err(1, "%s", __func__);
2284 ipa->af = res->ai_family;
2285 copy_sockaddrtoipa(ipa, res->ai_addr);
2286 ipa->next = NULL;
2287 ipa->tail = ipa;
2288
2289 set_ipmask(ipa, mask);
2290 if (getnameinfo(res->ai_addr, res->ai_addrlen,
2291 hbuf, sizeof(hbuf), NULL, 0, NI_NUMERICHOST)) {
2292 errx(1, "could not get a numeric hostname");
2293 }
2294
2295 if (mask > -1) {
2296 ipa->netaddress = 1;
2297 if (asprintf(&ipa->name, "%s/%d", hbuf, mask) == -1)
2298 err(1, "%s", __func__);
2299 } else {
2300 if ((ipa->name = strdup(hbuf)) == NULL)
2301 err(1, "%s", __func__);
2302 }
2303
2304 freeaddrinfo(res);
2305
2306 return (ipa);
2307 }
2308
2309 struct ipsec_addr_wrap *
host_dns(const char * s,int mask)2310 host_dns(const char *s, int mask)
2311 {
2312 struct ipsec_addr_wrap *ipa = NULL, *head = NULL;
2313 struct addrinfo hints, *res0, *res;
2314 int error;
2315 char hbuf[NI_MAXHOST];
2316
2317 bzero(&hints, sizeof(struct addrinfo));
2318 hints.ai_family = PF_UNSPEC;
2319 hints.ai_socktype = SOCK_STREAM;
2320 hints.ai_flags = AI_ADDRCONFIG;
2321 error = getaddrinfo(s, NULL, &hints, &res0);
2322 if (error)
2323 return (NULL);
2324
2325 for (res = res0; res; res = res->ai_next) {
2326 if (res->ai_family != AF_INET && res->ai_family != AF_INET6)
2327 continue;
2328
2329 ipa = calloc(1, sizeof(struct ipsec_addr_wrap));
2330 if (ipa == NULL)
2331 err(1, "%s", __func__);
2332 copy_sockaddrtoipa(ipa, res->ai_addr);
2333 error = getnameinfo(res->ai_addr, res->ai_addrlen, hbuf,
2334 sizeof(hbuf), NULL, 0, NI_NUMERICHOST);
2335 if (error)
2336 err(1, "host_dns: getnameinfo");
2337 ipa->name = strdup(hbuf);
2338 if (ipa->name == NULL)
2339 err(1, "%s", __func__);
2340 ipa->af = res->ai_family;
2341 ipa->next = NULL;
2342 ipa->tail = ipa;
2343 if (head == NULL)
2344 head = ipa;
2345 else {
2346 head->tail->next = ipa;
2347 head->tail = ipa;
2348 }
2349
2350 /*
2351 * XXX for now, no netmask support for IPv6.
2352 * but since there's no way to specify address family, once you
2353 * have IPv6 address on a host, you cannot use dns/netmask
2354 * syntax.
2355 */
2356 if (ipa->af == AF_INET)
2357 set_ipmask(ipa, mask == -1 ? 32 : mask);
2358 else
2359 if (mask != -1)
2360 err(1, "host_dns: cannot apply netmask "
2361 "on non-IPv4 address");
2362 }
2363 freeaddrinfo(res0);
2364
2365 return (head);
2366 }
2367
2368 struct ipsec_addr_wrap *
host_if(const char * s,int mask)2369 host_if(const char *s, int mask)
2370 {
2371 struct ipsec_addr_wrap *ipa = NULL;
2372
2373 if (ifa_exists(s))
2374 ipa = ifa_lookup(s);
2375
2376 return (ipa);
2377 }
2378
2379 struct ipsec_addr_wrap *
host_any(void)2380 host_any(void)
2381 {
2382 struct ipsec_addr_wrap *ipa;
2383
2384 ipa = calloc(1, sizeof(struct ipsec_addr_wrap));
2385 if (ipa == NULL)
2386 err(1, "%s", __func__);
2387 ipa->af = AF_UNSPEC;
2388 ipa->netaddress = 1;
2389 ipa->tail = ipa;
2390 ipa->type = IPSEC_ADDR_ANY;
2391 return (ipa);
2392 }
2393
2394 struct ipsec_addr_wrap *
host_dynamic(void)2395 host_dynamic(void)
2396 {
2397 struct ipsec_addr_wrap *ipa;
2398
2399 ipa = calloc(1, sizeof(struct ipsec_addr_wrap));
2400 if (ipa == NULL)
2401 err(1, "%s", __func__);
2402 ipa->af = AF_UNSPEC;
2403 ipa->tail = ipa;
2404 ipa->type = IPSEC_ADDR_DYNAMIC;
2405 return (ipa);
2406 }
2407
2408 void
ifa_load(void)2409 ifa_load(void)
2410 {
2411 struct ifaddrs *ifap, *ifa;
2412 struct ipsec_addr_wrap *n = NULL, *h = NULL;
2413 struct sockaddr_in *sa_in;
2414 struct sockaddr_in6 *sa_in6;
2415
2416 if (getifaddrs(&ifap) == -1)
2417 err(1, "ifa_load: getifaddrs");
2418
2419 for (ifa = ifap; ifa; ifa = ifa->ifa_next) {
2420 if (ifa->ifa_addr == NULL ||
2421 !(ifa->ifa_addr->sa_family == AF_INET ||
2422 ifa->ifa_addr->sa_family == AF_INET6 ||
2423 ifa->ifa_addr->sa_family == AF_LINK))
2424 continue;
2425 n = calloc(1, sizeof(struct ipsec_addr_wrap));
2426 if (n == NULL)
2427 err(1, "%s", __func__);
2428 n->af = ifa->ifa_addr->sa_family;
2429 if ((n->name = strdup(ifa->ifa_name)) == NULL)
2430 err(1, "%s", __func__);
2431 if (n->af == AF_INET) {
2432 sa_in = (struct sockaddr_in *)ifa->ifa_addr;
2433 memcpy(&n->address, sa_in, sizeof(*sa_in));
2434 sa_in = (struct sockaddr_in *)ifa->ifa_netmask;
2435 n->mask = mask2prefixlen((struct sockaddr *)sa_in);
2436 } else if (n->af == AF_INET6) {
2437 sa_in6 = (struct sockaddr_in6 *)ifa->ifa_addr;
2438 memcpy(&n->address, sa_in6, sizeof(*sa_in6));
2439 sa_in6 = (struct sockaddr_in6 *)ifa->ifa_netmask;
2440 n->mask = mask2prefixlen6((struct sockaddr *)sa_in6);
2441 }
2442 n->next = NULL;
2443 n->tail = n;
2444 if (h == NULL)
2445 h = n;
2446 else {
2447 h->tail->next = n;
2448 h->tail = n;
2449 }
2450 }
2451
2452 iftab = h;
2453 freeifaddrs(ifap);
2454 }
2455
2456 int
ifa_exists(const char * ifa_name)2457 ifa_exists(const char *ifa_name)
2458 {
2459 struct ipsec_addr_wrap *n;
2460 struct ifgroupreq ifgr;
2461 int s;
2462
2463 if (iftab == NULL)
2464 ifa_load();
2465
2466 /* check wether this is a group */
2467 if ((s = socket(AF_INET, SOCK_DGRAM, 0)) == -1)
2468 err(1, "ifa_exists: socket");
2469 bzero(&ifgr, sizeof(ifgr));
2470 strlcpy(ifgr.ifgr_name, ifa_name, sizeof(ifgr.ifgr_name));
2471 if (ioctl(s, SIOCGIFGMEMB, (caddr_t)&ifgr) == 0) {
2472 close(s);
2473 return (1);
2474 }
2475 close(s);
2476
2477 for (n = iftab; n; n = n->next) {
2478 if (n->af == AF_LINK && !strncmp(n->name, ifa_name,
2479 IFNAMSIZ))
2480 return (1);
2481 }
2482
2483 return (0);
2484 }
2485
2486 struct ipsec_addr_wrap *
ifa_grouplookup(const char * ifa_name)2487 ifa_grouplookup(const char *ifa_name)
2488 {
2489 struct ifg_req *ifg;
2490 struct ifgroupreq ifgr;
2491 int s;
2492 size_t len;
2493 struct ipsec_addr_wrap *n, *h = NULL, *hn;
2494
2495 if ((s = socket(AF_INET, SOCK_DGRAM, 0)) == -1)
2496 err(1, "socket");
2497 bzero(&ifgr, sizeof(ifgr));
2498 strlcpy(ifgr.ifgr_name, ifa_name, sizeof(ifgr.ifgr_name));
2499 if (ioctl(s, SIOCGIFGMEMB, (caddr_t)&ifgr) == -1) {
2500 close(s);
2501 return (NULL);
2502 }
2503
2504 len = ifgr.ifgr_len;
2505 if ((ifgr.ifgr_groups = calloc(1, len)) == NULL)
2506 err(1, "%s", __func__);
2507 if (ioctl(s, SIOCGIFGMEMB, (caddr_t)&ifgr) == -1)
2508 err(1, "ioctl");
2509
2510 for (ifg = ifgr.ifgr_groups; ifg && len >= sizeof(struct ifg_req);
2511 ifg++) {
2512 len -= sizeof(struct ifg_req);
2513 if ((n = ifa_lookup(ifg->ifgrq_member)) == NULL)
2514 continue;
2515 if (h == NULL)
2516 h = n;
2517 else {
2518 for (hn = h; hn->next != NULL; hn = hn->next)
2519 ; /* nothing */
2520 hn->next = n;
2521 n->tail = hn;
2522 }
2523 }
2524 free(ifgr.ifgr_groups);
2525 close(s);
2526
2527 return (h);
2528 }
2529
2530 struct ipsec_addr_wrap *
ifa_lookup(const char * ifa_name)2531 ifa_lookup(const char *ifa_name)
2532 {
2533 struct ipsec_addr_wrap *p = NULL, *h = NULL, *n = NULL;
2534 struct sockaddr_in6 *in6;
2535 uint8_t *s6;
2536
2537 if (iftab == NULL)
2538 ifa_load();
2539
2540 if ((n = ifa_grouplookup(ifa_name)) != NULL)
2541 return (n);
2542
2543 for (p = iftab; p; p = p->next) {
2544 if (p->af != AF_INET && p->af != AF_INET6)
2545 continue;
2546 if (strncmp(p->name, ifa_name, IFNAMSIZ))
2547 continue;
2548 n = calloc(1, sizeof(struct ipsec_addr_wrap));
2549 if (n == NULL)
2550 err(1, "%s", __func__);
2551 memcpy(n, p, sizeof(struct ipsec_addr_wrap));
2552 if ((n->name = strdup(p->name)) == NULL)
2553 err(1, "%s", __func__);
2554 switch (n->af) {
2555 case AF_INET:
2556 set_ipmask(n, 32);
2557 break;
2558 case AF_INET6:
2559 in6 = (struct sockaddr_in6 *)&n->address;
2560 s6 = (uint8_t *)&in6->sin6_addr.s6_addr;
2561
2562 /* route/show.c and bgpd/util.c give KAME credit */
2563 if (IN6_IS_ADDR_LINKLOCAL(&in6->sin6_addr)) {
2564 uint16_t tmp16;
2565
2566 /* for now we can not handle link local,
2567 * therefore bail for now
2568 */
2569 free(n->name);
2570 free(n);
2571 continue;
2572
2573 memcpy(&tmp16, &s6[2], sizeof(tmp16));
2574 /* use this when we support link-local
2575 * n->??.scopeid = ntohs(tmp16);
2576 */
2577 s6[2] = 0;
2578 s6[3] = 0;
2579 }
2580 set_ipmask(n, 128);
2581 break;
2582 }
2583
2584 n->next = NULL;
2585 n->tail = n;
2586 if (h == NULL)
2587 h = n;
2588 else {
2589 h->tail->next = n;
2590 h->tail = n;
2591 }
2592 }
2593
2594 return (h);
2595 }
2596
2597 void
set_ipmask(struct ipsec_addr_wrap * address,int b)2598 set_ipmask(struct ipsec_addr_wrap *address, int b)
2599 {
2600 if (b == -1)
2601 address->mask = address->af == AF_INET ? 32 : 128;
2602 else
2603 address->mask = b;
2604 }
2605
2606 const struct ipsec_xf *
parse_xf(const char * name,unsigned int length,const struct ipsec_xf xfs[])2607 parse_xf(const char *name, unsigned int length, const struct ipsec_xf xfs[])
2608 {
2609 int i;
2610
2611 for (i = 0; xfs[i].name != NULL; i++) {
2612 if (strncmp(name, xfs[i].name, strlen(name)))
2613 continue;
2614 if (length == 0 || length == xfs[i].length)
2615 return &xfs[i];
2616 }
2617 return (NULL);
2618 }
2619
2620 int
encxf_noauth(unsigned int id)2621 encxf_noauth(unsigned int id)
2622 {
2623 int i;
2624
2625 for (i = 0; ikeencxfs[i].name != NULL; i++)
2626 if (ikeencxfs[i].id == id)
2627 return ikeencxfs[i].noauth;
2628 return (0);
2629 }
2630
2631 size_t
keylength_xf(unsigned int saproto,unsigned int type,unsigned int id)2632 keylength_xf(unsigned int saproto, unsigned int type, unsigned int id)
2633 {
2634 int i;
2635 const struct ipsec_xf *xfs;
2636
2637 switch (type) {
2638 case IKEV2_XFORMTYPE_ENCR:
2639 if (saproto == IKEV2_SAPROTO_IKE)
2640 xfs = ikeencxfs;
2641 else
2642 xfs = ipsecencxfs;
2643 break;
2644 case IKEV2_XFORMTYPE_INTEGR:
2645 xfs = authxfs;
2646 break;
2647 default:
2648 return (0);
2649 }
2650
2651 for (i = 0; xfs[i].name != NULL; i++) {
2652 if (xfs[i].id == id)
2653 return (xfs[i].length * 8);
2654 }
2655 return (0);
2656 }
2657
2658 size_t
noncelength_xf(unsigned int type,unsigned int id)2659 noncelength_xf(unsigned int type, unsigned int id)
2660 {
2661 const struct ipsec_xf *xfs = ipsecencxfs;
2662 int i;
2663
2664 if (type != IKEV2_XFORMTYPE_ENCR)
2665 return (0);
2666
2667 for (i = 0; xfs[i].name != NULL; i++)
2668 if (xfs[i].id == id)
2669 return (xfs[i].nonce * 8);
2670 return (0);
2671 }
2672
2673 void
copy_transforms(unsigned int type,const struct ipsec_xf ** xfs,unsigned int nxfs,struct iked_transform ** dst,unsigned int * ndst,struct iked_transform * src,size_t nsrc)2674 copy_transforms(unsigned int type,
2675 const struct ipsec_xf **xfs, unsigned int nxfs,
2676 struct iked_transform **dst, unsigned int *ndst,
2677 struct iked_transform *src, size_t nsrc)
2678 {
2679 unsigned int i;
2680 struct iked_transform *a, *b;
2681 const struct ipsec_xf *xf;
2682
2683 if (nxfs) {
2684 for (i = 0; i < nxfs; i++) {
2685 xf = xfs[i];
2686 *dst = recallocarray(*dst, *ndst,
2687 *ndst + 1, sizeof(struct iked_transform));
2688 if (*dst == NULL)
2689 err(1, "%s", __func__);
2690 b = *dst + (*ndst)++;
2691
2692 b->xform_type = type;
2693 b->xform_id = xf->id;
2694 b->xform_keylength = xf->length * 8;
2695 b->xform_length = xf->keylength * 8;
2696 }
2697 return;
2698 }
2699
2700 for (i = 0; i < nsrc; i++) {
2701 a = src + i;
2702 if (a->xform_type != type)
2703 continue;
2704 *dst = recallocarray(*dst, *ndst,
2705 *ndst + 1, sizeof(struct iked_transform));
2706 if (*dst == NULL)
2707 err(1, "%s", __func__);
2708 b = *dst + (*ndst)++;
2709 memcpy(b, a, sizeof(*b));
2710 }
2711 }
2712
2713 int
create_ike(char * name,int af,struct ipsec_addr_wrap * ipproto,int rdomain,struct ipsec_hosts * hosts,struct ipsec_hosts * peers,struct ipsec_mode * ike_sa,struct ipsec_mode * ipsec_sa,uint8_t saproto,unsigned int flags,char * srcid,char * dstid,uint32_t ikelifetime,struct iked_lifetime * lt,struct iked_auth * authtype,struct ipsec_filters * filter,struct ipsec_addr_wrap * ikecfg,char * iface)2714 create_ike(char *name, int af, struct ipsec_addr_wrap *ipproto,
2715 int rdomain, struct ipsec_hosts *hosts,
2716 struct ipsec_hosts *peers, struct ipsec_mode *ike_sa,
2717 struct ipsec_mode *ipsec_sa, uint8_t saproto,
2718 unsigned int flags, char *srcid, char *dstid,
2719 uint32_t ikelifetime, struct iked_lifetime *lt,
2720 struct iked_auth *authtype, struct ipsec_filters *filter,
2721 struct ipsec_addr_wrap *ikecfg, char *iface)
2722 {
2723 char idstr[IKED_ID_SIZE];
2724 struct ipsec_addr_wrap *ipa, *ipb, *ipp;
2725 struct iked_auth *ikeauth;
2726 struct iked_policy pol;
2727 struct iked_proposal *p, *ptmp;
2728 struct iked_transform *xf;
2729 unsigned int i, j, xfi, noauth, auth;
2730 unsigned int ikepropid = 1, ipsecpropid = 1;
2731 struct iked_flow *flow, *ftmp;
2732 static unsigned int policy_id = 0;
2733 struct iked_cfg *cfg;
2734 int ret = -1;
2735
2736 bzero(&pol, sizeof(pol));
2737 bzero(idstr, sizeof(idstr));
2738
2739 pol.pol_id = ++policy_id;
2740 pol.pol_certreqtype = env->sc_certreqtype;
2741 pol.pol_af = af;
2742 pol.pol_saproto = saproto;
2743 for (i = 0, ipp = ipproto; ipp; ipp = ipp->next, i++) {
2744 if (i >= IKED_IPPROTO_MAX) {
2745 yyerror("too many protocols");
2746 return (-1);
2747 }
2748 pol.pol_ipproto[i] = ipp->type;
2749 pol.pol_nipproto++;
2750 }
2751
2752 pol.pol_flags = flags;
2753 pol.pol_rdomain = rdomain;
2754 memcpy(&pol.pol_auth, authtype, sizeof(struct iked_auth));
2755 explicit_bzero(authtype, sizeof(*authtype));
2756
2757 if (name != NULL) {
2758 if (strlcpy(pol.pol_name, name,
2759 sizeof(pol.pol_name)) >= sizeof(pol.pol_name)) {
2760 yyerror("name too long");
2761 return (-1);
2762 }
2763 } else {
2764 snprintf(pol.pol_name, sizeof(pol.pol_name),
2765 "policy%d", policy_id);
2766 }
2767
2768 if (iface != NULL) {
2769 /* sec(4) */
2770 if (strncmp("sec", iface, strlen("sec")) == 0)
2771 pol.pol_flags |= IKED_POLICY_ROUTING;
2772
2773 pol.pol_iface = if_nametoindex(iface);
2774 if (pol.pol_iface == 0) {
2775 yyerror("invalid iface");
2776 return (-1);
2777 }
2778 }
2779
2780 if (srcid) {
2781 pol.pol_localid.id_type = get_id_type(srcid);
2782 pol.pol_localid.id_length = strlen(srcid);
2783 if (strlcpy((char *)pol.pol_localid.id_data,
2784 srcid, IKED_ID_SIZE) >= IKED_ID_SIZE) {
2785 yyerror("srcid too long");
2786 return (-1);
2787 }
2788 }
2789 if (dstid) {
2790 pol.pol_peerid.id_type = get_id_type(dstid);
2791 pol.pol_peerid.id_length = strlen(dstid);
2792 if (strlcpy((char *)pol.pol_peerid.id_data,
2793 dstid, IKED_ID_SIZE) >= IKED_ID_SIZE) {
2794 yyerror("dstid too long");
2795 return (-1);
2796 }
2797 }
2798
2799 if (filter != NULL) {
2800 if (filter->tag)
2801 strlcpy(pol.pol_tag, filter->tag, sizeof(pol.pol_tag));
2802 pol.pol_tap = filter->tap;
2803 }
2804
2805 if (peers == NULL) {
2806 if (pol.pol_flags & IKED_POLICY_ACTIVE) {
2807 yyerror("active mode requires peer specification");
2808 return (-1);
2809 }
2810 pol.pol_flags |= IKED_POLICY_DEFAULT|IKED_POLICY_SKIP;
2811 }
2812
2813 if (peers && peers->src && peers->dst &&
2814 (peers->src->af != AF_UNSPEC) && (peers->dst->af != AF_UNSPEC) &&
2815 (peers->src->af != peers->dst->af))
2816 fatalx("create_ike: peer address family mismatch");
2817
2818 if (peers && (pol.pol_af != AF_UNSPEC) &&
2819 ((peers->src && (peers->src->af != AF_UNSPEC) &&
2820 (peers->src->af != pol.pol_af)) ||
2821 (peers->dst && (peers->dst->af != AF_UNSPEC) &&
2822 (peers->dst->af != pol.pol_af))))
2823 fatalx("create_ike: policy address family mismatch");
2824
2825 ipa = ipb = NULL;
2826 if (peers) {
2827 if (peers->src)
2828 ipa = peers->src;
2829 if (peers->dst)
2830 ipb = peers->dst;
2831 if (ipa == NULL && ipb == NULL) {
2832 if (hosts->src && hosts->src->next == NULL)
2833 ipa = hosts->src;
2834 if (hosts->dst && hosts->dst->next == NULL)
2835 ipb = hosts->dst;
2836 }
2837 }
2838 if (ipa == NULL && ipb == NULL) {
2839 yyerror("could not get local/peer specification");
2840 return (-1);
2841 }
2842 if (pol.pol_flags & IKED_POLICY_ACTIVE) {
2843 if (ipb == NULL || ipb->netaddress ||
2844 (ipa != NULL && ipa->netaddress)) {
2845 yyerror("active mode requires local/peer address");
2846 return (-1);
2847 }
2848 }
2849 if (ipa) {
2850 memcpy(&pol.pol_local.addr, &ipa->address,
2851 sizeof(ipa->address));
2852 pol.pol_local.addr_af = ipa->af;
2853 pol.pol_local.addr_mask = ipa->mask;
2854 pol.pol_local.addr_net = ipa->netaddress;
2855 if (pol.pol_af == AF_UNSPEC)
2856 pol.pol_af = ipa->af;
2857 }
2858 if (ipb) {
2859 memcpy(&pol.pol_peer.addr, &ipb->address,
2860 sizeof(ipb->address));
2861 pol.pol_peer.addr_af = ipb->af;
2862 pol.pol_peer.addr_mask = ipb->mask;
2863 pol.pol_peer.addr_net = ipb->netaddress;
2864 if (pol.pol_af == AF_UNSPEC)
2865 pol.pol_af = ipb->af;
2866 }
2867
2868 if (ikelifetime)
2869 pol.pol_rekey = ikelifetime;
2870
2871 if (lt)
2872 pol.pol_lifetime = *lt;
2873 else
2874 pol.pol_lifetime = deflifetime;
2875
2876 TAILQ_INIT(&pol.pol_proposals);
2877 RB_INIT(&pol.pol_flows);
2878
2879 if (ike_sa == NULL || ike_sa->nxfs == 0) {
2880 /* AES-GCM proposal */
2881 if ((p = calloc(1, sizeof(*p))) == NULL)
2882 err(1, "%s", __func__);
2883 p->prop_id = ikepropid++;
2884 p->prop_protoid = IKEV2_SAPROTO_IKE;
2885 p->prop_nxforms = ikev2_default_nike_transforms_noauth;
2886 p->prop_xforms = ikev2_default_ike_transforms_noauth;
2887 TAILQ_INSERT_TAIL(&pol.pol_proposals, p, prop_entry);
2888 pol.pol_nproposals++;
2889
2890 /* Non GCM proposal */
2891 if ((p = calloc(1, sizeof(*p))) == NULL)
2892 err(1, "%s", __func__);
2893 p->prop_id = ikepropid++;
2894 p->prop_protoid = IKEV2_SAPROTO_IKE;
2895 p->prop_nxforms = ikev2_default_nike_transforms;
2896 p->prop_xforms = ikev2_default_ike_transforms;
2897 TAILQ_INSERT_TAIL(&pol.pol_proposals, p, prop_entry);
2898 pol.pol_nproposals++;
2899 } else {
2900 for (i = 0; i < ike_sa->nxfs; i++) {
2901 noauth = auth = 0;
2902 for (j = 0; j < ike_sa->xfs[i]->nencxf; j++) {
2903 if (ike_sa->xfs[i]->encxf[j]->noauth)
2904 noauth++;
2905 else
2906 auth++;
2907 }
2908 for (j = 0; j < ike_sa->xfs[i]->ngroupxf; j++) {
2909 if (ike_sa->xfs[i]->groupxf[j]->id
2910 == IKEV2_XFORMDH_NONE) {
2911 yyerror("IKE group can not be \"none\".");
2912 goto done;
2913 }
2914 }
2915 if (ike_sa->xfs[i]->nauthxf)
2916 auth++;
2917
2918 if (ike_sa->xfs[i]->nesnxf) {
2919 yyerror("cannot use ESN with ikesa.");
2920 goto done;
2921 }
2922 if (noauth && noauth != ike_sa->xfs[i]->nencxf) {
2923 yyerror("cannot mix encryption transforms with "
2924 "implicit and non-implicit authentication");
2925 goto done;
2926 }
2927 if (noauth && ike_sa->xfs[i]->nauthxf) {
2928 yyerror("authentication is implicit for given "
2929 "encryption transforms");
2930 goto done;
2931 }
2932
2933 if (!auth) {
2934 if ((p = calloc(1, sizeof(*p))) == NULL)
2935 err(1, "%s", __func__);
2936
2937 xf = NULL;
2938 xfi = 0;
2939 copy_transforms(IKEV2_XFORMTYPE_ENCR,
2940 ike_sa->xfs[i]->encxf,
2941 ike_sa->xfs[i]->nencxf, &xf, &xfi,
2942 ikev2_default_ike_transforms_noauth,
2943 ikev2_default_nike_transforms_noauth);
2944 copy_transforms(IKEV2_XFORMTYPE_DH,
2945 ike_sa->xfs[i]->groupxf,
2946 ike_sa->xfs[i]->ngroupxf, &xf, &xfi,
2947 ikev2_default_ike_transforms_noauth,
2948 ikev2_default_nike_transforms_noauth);
2949 copy_transforms(IKEV2_XFORMTYPE_PRF,
2950 ike_sa->xfs[i]->prfxf,
2951 ike_sa->xfs[i]->nprfxf, &xf, &xfi,
2952 ikev2_default_ike_transforms_noauth,
2953 ikev2_default_nike_transforms_noauth);
2954
2955 p->prop_id = ikepropid++;
2956 p->prop_protoid = IKEV2_SAPROTO_IKE;
2957 p->prop_xforms = xf;
2958 p->prop_nxforms = xfi;
2959 TAILQ_INSERT_TAIL(&pol.pol_proposals, p, prop_entry);
2960 pol.pol_nproposals++;
2961 }
2962 if (!noauth) {
2963 if ((p = calloc(1, sizeof(*p))) == NULL)
2964 err(1, "%s", __func__);
2965
2966 xf = NULL;
2967 xfi = 0;
2968 copy_transforms(IKEV2_XFORMTYPE_INTEGR,
2969 ike_sa->xfs[i]->authxf,
2970 ike_sa->xfs[i]->nauthxf, &xf, &xfi,
2971 ikev2_default_ike_transforms,
2972 ikev2_default_nike_transforms);
2973 copy_transforms(IKEV2_XFORMTYPE_ENCR,
2974 ike_sa->xfs[i]->encxf,
2975 ike_sa->xfs[i]->nencxf, &xf, &xfi,
2976 ikev2_default_ike_transforms,
2977 ikev2_default_nike_transforms);
2978 copy_transforms(IKEV2_XFORMTYPE_DH,
2979 ike_sa->xfs[i]->groupxf,
2980 ike_sa->xfs[i]->ngroupxf, &xf, &xfi,
2981 ikev2_default_ike_transforms,
2982 ikev2_default_nike_transforms);
2983 copy_transforms(IKEV2_XFORMTYPE_PRF,
2984 ike_sa->xfs[i]->prfxf,
2985 ike_sa->xfs[i]->nprfxf, &xf, &xfi,
2986 ikev2_default_ike_transforms,
2987 ikev2_default_nike_transforms);
2988
2989 p->prop_id = ikepropid++;
2990 p->prop_protoid = IKEV2_SAPROTO_IKE;
2991 p->prop_xforms = xf;
2992 p->prop_nxforms = xfi;
2993 TAILQ_INSERT_TAIL(&pol.pol_proposals, p, prop_entry);
2994 pol.pol_nproposals++;
2995 }
2996 }
2997 }
2998
2999 if (ipsec_sa == NULL || ipsec_sa->nxfs == 0) {
3000 if ((p = calloc(1, sizeof(*p))) == NULL)
3001 err(1, "%s", __func__);
3002 p->prop_id = ipsecpropid++;
3003 p->prop_protoid = saproto;
3004 p->prop_nxforms = ikev2_default_nesp_transforms_noauth;
3005 p->prop_xforms = ikev2_default_esp_transforms_noauth;
3006 TAILQ_INSERT_TAIL(&pol.pol_proposals, p, prop_entry);
3007 pol.pol_nproposals++;
3008
3009 if ((p = calloc(1, sizeof(*p))) == NULL)
3010 err(1, "%s", __func__);
3011 p->prop_id = ipsecpropid++;
3012 p->prop_protoid = saproto;
3013 p->prop_nxforms = ikev2_default_nesp_transforms;
3014 p->prop_xforms = ikev2_default_esp_transforms;
3015 TAILQ_INSERT_TAIL(&pol.pol_proposals, p, prop_entry);
3016 pol.pol_nproposals++;
3017 } else {
3018 for (i = 0; i < ipsec_sa->nxfs; i++) {
3019 noauth = auth = 0;
3020 for (j = 0; j < ipsec_sa->xfs[i]->nencxf; j++) {
3021 if (ipsec_sa->xfs[i]->encxf[j]->noauth)
3022 noauth++;
3023 else
3024 auth++;
3025 }
3026 if (ipsec_sa->xfs[i]->nauthxf)
3027 auth++;
3028
3029 if (noauth && noauth != ipsec_sa->xfs[i]->nencxf) {
3030 yyerror("cannot mix encryption transforms with "
3031 "implicit and non-implicit authentication");
3032 goto done;
3033 }
3034 if (noauth && ipsec_sa->xfs[i]->nauthxf) {
3035 yyerror("authentication is implicit for given "
3036 "encryption transforms");
3037 goto done;
3038 }
3039
3040 if (!auth) {
3041 if ((p = calloc(1, sizeof(*p))) == NULL)
3042 err(1, "%s", __func__);
3043
3044 xf = NULL;
3045 xfi = 0;
3046 copy_transforms(IKEV2_XFORMTYPE_ENCR,
3047 ipsec_sa->xfs[i]->encxf,
3048 ipsec_sa->xfs[i]->nencxf, &xf, &xfi,
3049 ikev2_default_esp_transforms_noauth,
3050 ikev2_default_nesp_transforms_noauth);
3051 copy_transforms(IKEV2_XFORMTYPE_DH,
3052 ipsec_sa->xfs[i]->groupxf,
3053 ipsec_sa->xfs[i]->ngroupxf, &xf, &xfi,
3054 ikev2_default_esp_transforms_noauth,
3055 ikev2_default_nesp_transforms_noauth);
3056 copy_transforms(IKEV2_XFORMTYPE_ESN,
3057 ipsec_sa->xfs[i]->esnxf,
3058 ipsec_sa->xfs[i]->nesnxf, &xf, &xfi,
3059 ikev2_default_esp_transforms_noauth,
3060 ikev2_default_nesp_transforms_noauth);
3061
3062 p->prop_id = ipsecpropid++;
3063 p->prop_protoid = saproto;
3064 p->prop_xforms = xf;
3065 p->prop_nxforms = xfi;
3066 TAILQ_INSERT_TAIL(&pol.pol_proposals, p, prop_entry);
3067 pol.pol_nproposals++;
3068 }
3069 if (!noauth) {
3070 if ((p = calloc(1, sizeof(*p))) == NULL)
3071 err(1, "%s", __func__);
3072
3073 xf = NULL;
3074 xfi = 0;
3075 copy_transforms(IKEV2_XFORMTYPE_INTEGR,
3076 ipsec_sa->xfs[i]->authxf,
3077 ipsec_sa->xfs[i]->nauthxf, &xf, &xfi,
3078 ikev2_default_esp_transforms,
3079 ikev2_default_nesp_transforms);
3080 copy_transforms(IKEV2_XFORMTYPE_ENCR,
3081 ipsec_sa->xfs[i]->encxf,
3082 ipsec_sa->xfs[i]->nencxf, &xf, &xfi,
3083 ikev2_default_esp_transforms,
3084 ikev2_default_nesp_transforms);
3085 copy_transforms(IKEV2_XFORMTYPE_DH,
3086 ipsec_sa->xfs[i]->groupxf,
3087 ipsec_sa->xfs[i]->ngroupxf, &xf, &xfi,
3088 ikev2_default_esp_transforms,
3089 ikev2_default_nesp_transforms);
3090 copy_transforms(IKEV2_XFORMTYPE_ESN,
3091 ipsec_sa->xfs[i]->esnxf,
3092 ipsec_sa->xfs[i]->nesnxf, &xf, &xfi,
3093 ikev2_default_esp_transforms,
3094 ikev2_default_nesp_transforms);
3095
3096 p->prop_id = ipsecpropid++;
3097 p->prop_protoid = saproto;
3098 p->prop_xforms = xf;
3099 p->prop_nxforms = xfi;
3100 TAILQ_INSERT_TAIL(&pol.pol_proposals, p, prop_entry);
3101 pol.pol_nproposals++;
3102 }
3103 }
3104 }
3105
3106 for (ipa = hosts->src, ipb = hosts->dst; ipa && ipb;
3107 ipa = ipa->next, ipb = ipb->next) {
3108 for (j = 0; j < pol.pol_nipproto; j++)
3109 if (expand_flows(&pol, pol.pol_ipproto[j], ipa, ipb))
3110 fatalx("create_ike: invalid flow");
3111 if (pol.pol_nipproto == 0)
3112 if (expand_flows(&pol, 0, ipa, ipb))
3113 fatalx("create_ike: invalid flow");
3114 }
3115
3116 for (j = 0, ipa = ikecfg; ipa; ipa = ipa->next, j++) {
3117 if (j >= IKED_CFG_MAX)
3118 break;
3119 cfg = &pol.pol_cfg[j];
3120 pol.pol_ncfg++;
3121
3122 cfg->cfg_action = ipa->action;
3123 cfg->cfg_type = ipa->type;
3124 memcpy(&cfg->cfg.address.addr, &ipa->address,
3125 sizeof(ipa->address));
3126 cfg->cfg.address.addr_mask = ipa->mask;
3127 cfg->cfg.address.addr_net = ipa->netaddress;
3128 cfg->cfg.address.addr_af = ipa->af;
3129 }
3130
3131 if (dstid)
3132 strlcpy(idstr, dstid, sizeof(idstr));
3133 else if (!pol.pol_peer.addr_net)
3134 strlcpy(idstr, print_addr(&pol.pol_peer.addr), sizeof(idstr));
3135
3136 ikeauth = &pol.pol_auth;
3137 switch (ikeauth->auth_method) {
3138 case IKEV2_AUTH_RSA_SIG:
3139 pol.pol_certreqtype = IKEV2_CERT_RSA_KEY;
3140 break;
3141 case IKEV2_AUTH_ECDSA_256:
3142 case IKEV2_AUTH_ECDSA_384:
3143 case IKEV2_AUTH_ECDSA_521:
3144 pol.pol_certreqtype = IKEV2_CERT_ECDSA;
3145 break;
3146 default:
3147 pol.pol_certreqtype = IKEV2_CERT_NONE;
3148 break;
3149 }
3150
3151 log_debug("%s: using %s for peer %s", __func__,
3152 print_xf(ikeauth->auth_method, 0, methodxfs), idstr);
3153
3154 config_setpolicy(env, &pol, PROC_IKEV2);
3155 config_setflow(env, &pol, PROC_IKEV2);
3156
3157 rules++;
3158 ret = 0;
3159
3160 done:
3161 if (ike_sa) {
3162 for (i = 0; i < ike_sa->nxfs; i++) {
3163 free(ike_sa->xfs[i]->authxf);
3164 free(ike_sa->xfs[i]->encxf);
3165 free(ike_sa->xfs[i]->groupxf);
3166 free(ike_sa->xfs[i]->prfxf);
3167 free(ike_sa->xfs[i]);
3168 }
3169 free(ike_sa->xfs);
3170 free(ike_sa);
3171 }
3172 if (ipsec_sa) {
3173 for (i = 0; i < ipsec_sa->nxfs; i++) {
3174 free(ipsec_sa->xfs[i]->authxf);
3175 free(ipsec_sa->xfs[i]->encxf);
3176 free(ipsec_sa->xfs[i]->groupxf);
3177 free(ipsec_sa->xfs[i]->prfxf);
3178 free(ipsec_sa->xfs[i]->esnxf);
3179 free(ipsec_sa->xfs[i]);
3180 }
3181 free(ipsec_sa->xfs);
3182 free(ipsec_sa);
3183 }
3184 TAILQ_FOREACH_SAFE(p, &pol.pol_proposals, prop_entry, ptmp) {
3185 if (p->prop_xforms != ikev2_default_ike_transforms &&
3186 p->prop_xforms != ikev2_default_ike_transforms_noauth &&
3187 p->prop_xforms != ikev2_default_esp_transforms &&
3188 p->prop_xforms != ikev2_default_esp_transforms_noauth)
3189 free(p->prop_xforms);
3190 free(p);
3191 }
3192 if (peers != NULL) {
3193 iaw_free(peers->src);
3194 iaw_free(peers->dst);
3195 /* peers is static, cannot be freed */
3196 }
3197 if (hosts != NULL) {
3198 iaw_free(hosts->src);
3199 iaw_free(hosts->dst);
3200 free(hosts);
3201 }
3202 iaw_free(ikecfg);
3203 iaw_free(ipproto);
3204 RB_FOREACH_SAFE(flow, iked_flows, &pol.pol_flows, ftmp) {
3205 RB_REMOVE(iked_flows, &pol.pol_flows, flow);
3206 free(flow);
3207 }
3208 free(name);
3209 free(srcid);
3210 free(dstid);
3211 return (ret);
3212 }
3213
3214 static int
create_flow(struct iked_policy * pol,int proto,struct ipsec_addr_wrap * ipa,struct ipsec_addr_wrap * ipb)3215 create_flow(struct iked_policy *pol, int proto, struct ipsec_addr_wrap *ipa,
3216 struct ipsec_addr_wrap *ipb)
3217 {
3218 struct iked_flow *flow;
3219 struct ipsec_addr_wrap *ippn;
3220
3221 if (ipa->af != ipb->af) {
3222 yyerror("cannot mix different address families.");
3223 return (-1);
3224 }
3225
3226 if ((flow = calloc(1, sizeof(struct iked_flow))) == NULL)
3227 fatalx("%s: failed to alloc flow.", __func__);
3228
3229 memcpy(&flow->flow_src.addr, &ipa->address,
3230 sizeof(ipa->address));
3231 flow->flow_src.addr_af = ipa->af;
3232 flow->flow_src.addr_mask = ipa->mask;
3233 flow->flow_src.addr_net = ipa->netaddress;
3234 flow->flow_src.addr_port = ipa->port;
3235
3236 memcpy(&flow->flow_dst.addr, &ipb->address,
3237 sizeof(ipb->address));
3238 flow->flow_dst.addr_af = ipb->af;
3239 flow->flow_dst.addr_mask = ipb->mask;
3240 flow->flow_dst.addr_net = ipb->netaddress;
3241 flow->flow_dst.addr_port = ipb->port;
3242
3243 ippn = ipa->srcnat;
3244 if (ippn) {
3245 memcpy(&flow->flow_prenat.addr, &ippn->address,
3246 sizeof(ippn->address));
3247 flow->flow_prenat.addr_af = ippn->af;
3248 flow->flow_prenat.addr_mask = ippn->mask;
3249 flow->flow_prenat.addr_net = ippn->netaddress;
3250 } else {
3251 flow->flow_prenat.addr_af = 0;
3252 }
3253
3254 flow->flow_dir = IPSP_DIRECTION_OUT;
3255 flow->flow_ipproto = proto;
3256 flow->flow_saproto = pol->pol_saproto;
3257 flow->flow_rdomain = pol->pol_rdomain;
3258
3259 if (RB_INSERT(iked_flows, &pol->pol_flows, flow) == NULL)
3260 pol->pol_nflows++;
3261 else {
3262 warnx("create_ike: duplicate flow");
3263 free(flow);
3264 }
3265
3266 return (0);
3267 }
3268
3269 static int
expand_flows(struct iked_policy * pol,int proto,struct ipsec_addr_wrap * src,struct ipsec_addr_wrap * dst)3270 expand_flows(struct iked_policy *pol, int proto, struct ipsec_addr_wrap *src,
3271 struct ipsec_addr_wrap *dst)
3272 {
3273 struct ipsec_addr_wrap *ipa = NULL, *ipb = NULL;
3274 int ret = -1;
3275 int srcaf, dstaf;
3276
3277 srcaf = src->af;
3278 dstaf = dst->af;
3279
3280 if (src->af == AF_UNSPEC &&
3281 dst->af == AF_UNSPEC) {
3282 /* Need both IPv4 and IPv6 flows */
3283 src->af = dst->af = AF_INET;
3284 ipa = expand_keyword(src);
3285 ipb = expand_keyword(dst);
3286 if (!ipa || !ipb)
3287 goto done;
3288 if (create_flow(pol, proto, ipa, ipb))
3289 goto done;
3290
3291 iaw_free(ipa);
3292 iaw_free(ipb);
3293 src->af = dst->af = AF_INET6;
3294 ipa = expand_keyword(src);
3295 ipb = expand_keyword(dst);
3296 if (!ipa || !ipb)
3297 goto done;
3298 if (create_flow(pol, proto, ipa, ipb))
3299 goto done;
3300 } else if (src->af == AF_UNSPEC) {
3301 src->af = dst->af;
3302 ipa = expand_keyword(src);
3303 if (!ipa)
3304 goto done;
3305 if (create_flow(pol, proto, ipa, dst))
3306 goto done;
3307 } else if (dst->af == AF_UNSPEC) {
3308 dst->af = src->af;
3309 ipa = expand_keyword(dst);
3310 if (!ipa)
3311 goto done;
3312 if (create_flow(pol, proto, src, ipa))
3313 goto done;
3314 } else if (create_flow(pol, proto, src, dst))
3315 goto done;
3316 ret = 0;
3317 done:
3318 src->af = srcaf;
3319 dst->af = dstaf;
3320 iaw_free(ipa);
3321 iaw_free(ipb);
3322 return (ret);
3323 }
3324
3325 static struct ipsec_addr_wrap *
expand_keyword(struct ipsec_addr_wrap * ip)3326 expand_keyword(struct ipsec_addr_wrap *ip)
3327 {
3328 switch(ip->af) {
3329 case AF_INET:
3330 switch(ip->type) {
3331 case IPSEC_ADDR_ANY:
3332 return (host("0.0.0.0/0"));
3333 case IPSEC_ADDR_DYNAMIC:
3334 return (host("0.0.0.0"));
3335 }
3336 break;
3337 case AF_INET6:
3338 switch(ip->type) {
3339 case IPSEC_ADDR_ANY:
3340 return (host("::/0"));
3341 case IPSEC_ADDR_DYNAMIC:
3342 return (host("::"));
3343 }
3344 }
3345 return (NULL);
3346 }
3347
3348 int
create_user(const char * user,const char * pass)3349 create_user(const char *user, const char *pass)
3350 {
3351 struct iked_user usr;
3352
3353 bzero(&usr, sizeof(usr));
3354
3355 if (*user == '\0' || (strlcpy(usr.usr_name, user,
3356 sizeof(usr.usr_name)) >= sizeof(usr.usr_name))) {
3357 yyerror("invalid user name");
3358 return (-1);
3359 }
3360 if (*pass == '\0' || (strlcpy(usr.usr_pass, pass,
3361 sizeof(usr.usr_pass)) >= sizeof(usr.usr_pass))) {
3362 yyerror("invalid password");
3363 explicit_bzero(&usr, sizeof usr); /* zap partial password */
3364 return (-1);
3365 }
3366
3367 config_setuser(env, &usr, PROC_IKEV2);
3368
3369 rules++;
3370
3371 explicit_bzero(&usr, sizeof usr);
3372 return (0);
3373 }
3374
3375 void
iaw_free(struct ipsec_addr_wrap * head)3376 iaw_free(struct ipsec_addr_wrap *head)
3377 {
3378 struct ipsec_addr_wrap *n, *cur;
3379
3380 if (head == NULL)
3381 return;
3382
3383 for (n = head; n != NULL; ) {
3384 cur = n;
3385 n = n->next;
3386 if (cur->srcnat != NULL) {
3387 free(cur->srcnat->name);
3388 free(cur->srcnat);
3389 }
3390 free(cur->name);
3391 free(cur);
3392 }
3393 }
3394