1 /* $OpenBSD: parse.y,v 1.138 2021/12/01 16:42:13 deraadt Exp $ */ 2 3 /* 4 * Copyright (c) 2019 Tobias Heider <tobias.heider@stusta.de> 5 * Copyright (c) 2010-2013 Reyk Floeter <reyk@openbsd.org> 6 * Copyright (c) 2004, 2005 Hans-Joerg Hoexer <hshoexer@openbsd.org> 7 * Copyright (c) 2002, 2003, 2004 Henning Brauer <henning@openbsd.org> 8 * Copyright (c) 2001 Markus Friedl. All rights reserved. 9 * Copyright (c) 2001 Daniel Hartmeier. All rights reserved. 10 * Copyright (c) 2001 Theo de Raadt. All rights reserved. 11 * 12 * Permission to use, copy, modify, and distribute this software for any 13 * purpose with or without fee is hereby granted, provided that the above 14 * copyright notice and this permission notice appear in all copies. 15 * 16 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 17 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 18 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 19 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 20 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 21 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 22 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 23 */ 24 25 %{ 26 #include <sys/types.h> 27 #include <sys/ioctl.h> 28 #include <sys/queue.h> 29 #include <sys/socket.h> 30 #include <sys/stat.h> 31 #include <net/if.h> 32 #include <netinet/in.h> 33 #include <netinet/ip_ipsp.h> 34 #include <arpa/inet.h> 35 36 #include <ctype.h> 37 #include <err.h> 38 #include <errno.h> 39 #include <fcntl.h> 40 #include <ifaddrs.h> 41 #include <limits.h> 42 #include <netdb.h> 43 #include <stdarg.h> 44 #include <stdio.h> 45 #include <stdlib.h> 46 #include <string.h> 47 #include <syslog.h> 48 #include <unistd.h> 49 #include <netdb.h> 50 #include <event.h> 51 52 #include "iked.h" 53 #include "ikev2.h" 54 #include "eap.h" 55 56 TAILQ_HEAD(files, file) files = TAILQ_HEAD_INITIALIZER(files); 57 static struct file { 58 TAILQ_ENTRY(file) entry; 59 FILE *stream; 60 char *name; 61 size_t ungetpos; 62 size_t ungetsize; 63 u_char *ungetbuf; 64 int eof_reached; 65 int lineno; 66 int errors; 67 } *file, *topfile; 68 struct file *pushfile(const char *, int); 69 int popfile(void); 70 int check_file_secrecy(int, const char *); 71 int yyparse(void); 72 int yylex(void); 73 int yyerror(const char *, ...) 74 __attribute__((__format__ (printf, 1, 2))) 75 __attribute__((__nonnull__ (1))); 76 int kw_cmp(const void *, const void *); 77 int lookup(char *); 78 int igetc(void); 79 int lgetc(int); 80 void lungetc(int); 81 int findeol(void); 82 83 TAILQ_HEAD(symhead, sym) symhead = TAILQ_HEAD_INITIALIZER(symhead); 84 struct sym { 85 TAILQ_ENTRY(sym) entry; 86 int used; 87 int persist; 88 char *nam; 89 char *val; 90 }; 91 int symset(const char *, const char *, int); 92 char *symget(const char *); 93 94 #define KEYSIZE_LIMIT 1024 95 96 static struct iked *env = NULL; 97 static int debug = 0; 98 static int rules = 0; 99 static int passive = 0; 100 static int decouple = 0; 101 static int mobike = 1; 102 static int enforcesingleikesa = 0; 103 static int stickyaddress = 0; 104 static int fragmentation = 0; 105 static int dpd_interval = IKED_IKE_SA_ALIVE_TIMEOUT; 106 static char *ocsp_url = NULL; 107 static long ocsp_tolerate = 0; 108 static long ocsp_maxage = -1; 109 static int cert_partial_chain = 0; 110 111 struct iked_transform ikev2_default_ike_transforms[] = { 112 { IKEV2_XFORMTYPE_ENCR, IKEV2_XFORMENCR_AES_CBC, 256 }, 113 { IKEV2_XFORMTYPE_ENCR, IKEV2_XFORMENCR_AES_CBC, 192 }, 114 { IKEV2_XFORMTYPE_ENCR, IKEV2_XFORMENCR_AES_CBC, 128 }, 115 { IKEV2_XFORMTYPE_ENCR, IKEV2_XFORMENCR_3DES }, 116 { IKEV2_XFORMTYPE_PRF, IKEV2_XFORMPRF_HMAC_SHA2_256 }, 117 { IKEV2_XFORMTYPE_PRF, IKEV2_XFORMPRF_HMAC_SHA2_384 }, 118 { IKEV2_XFORMTYPE_PRF, IKEV2_XFORMPRF_HMAC_SHA2_512 }, 119 { IKEV2_XFORMTYPE_PRF, IKEV2_XFORMPRF_HMAC_SHA1 }, 120 { IKEV2_XFORMTYPE_INTEGR, IKEV2_XFORMAUTH_HMAC_SHA2_256_128 }, 121 { IKEV2_XFORMTYPE_INTEGR, IKEV2_XFORMAUTH_HMAC_SHA2_384_192 }, 122 { IKEV2_XFORMTYPE_INTEGR, IKEV2_XFORMAUTH_HMAC_SHA2_512_256 }, 123 { IKEV2_XFORMTYPE_INTEGR, IKEV2_XFORMAUTH_HMAC_SHA1_96 }, 124 { IKEV2_XFORMTYPE_DH, IKEV2_XFORMDH_CURVE25519 }, 125 { IKEV2_XFORMTYPE_DH, IKEV2_XFORMDH_ECP_521 }, 126 { IKEV2_XFORMTYPE_DH, IKEV2_XFORMDH_ECP_384 }, 127 { IKEV2_XFORMTYPE_DH, IKEV2_XFORMDH_ECP_256 }, 128 { IKEV2_XFORMTYPE_DH, IKEV2_XFORMDH_MODP_4096 }, 129 { IKEV2_XFORMTYPE_DH, IKEV2_XFORMDH_MODP_3072 }, 130 { IKEV2_XFORMTYPE_DH, IKEV2_XFORMDH_MODP_2048 }, 131 { IKEV2_XFORMTYPE_DH, IKEV2_XFORMDH_MODP_1536 }, 132 { IKEV2_XFORMTYPE_DH, IKEV2_XFORMDH_MODP_1024 }, 133 { 0 } 134 }; 135 size_t ikev2_default_nike_transforms = ((sizeof(ikev2_default_ike_transforms) / 136 sizeof(ikev2_default_ike_transforms[0])) - 1); 137 138 struct iked_transform ikev2_default_ike_transforms_noauth[] = { 139 { IKEV2_XFORMTYPE_ENCR, IKEV2_XFORMENCR_AES_GCM_16, 128 }, 140 { IKEV2_XFORMTYPE_ENCR, IKEV2_XFORMENCR_AES_GCM_16, 256 }, 141 { IKEV2_XFORMTYPE_PRF, IKEV2_XFORMPRF_HMAC_SHA2_256 }, 142 { IKEV2_XFORMTYPE_PRF, IKEV2_XFORMPRF_HMAC_SHA2_384 }, 143 { IKEV2_XFORMTYPE_PRF, IKEV2_XFORMPRF_HMAC_SHA2_512 }, 144 { IKEV2_XFORMTYPE_PRF, IKEV2_XFORMPRF_HMAC_SHA1 }, 145 { IKEV2_XFORMTYPE_DH, IKEV2_XFORMDH_CURVE25519 }, 146 { IKEV2_XFORMTYPE_DH, IKEV2_XFORMDH_ECP_521 }, 147 { IKEV2_XFORMTYPE_DH, IKEV2_XFORMDH_ECP_384 }, 148 { IKEV2_XFORMTYPE_DH, IKEV2_XFORMDH_ECP_256 }, 149 { IKEV2_XFORMTYPE_DH, IKEV2_XFORMDH_MODP_4096 }, 150 { IKEV2_XFORMTYPE_DH, IKEV2_XFORMDH_MODP_3072 }, 151 { IKEV2_XFORMTYPE_DH, IKEV2_XFORMDH_MODP_2048 }, 152 { IKEV2_XFORMTYPE_DH, IKEV2_XFORMDH_MODP_1536 }, 153 { IKEV2_XFORMTYPE_DH, IKEV2_XFORMDH_MODP_1024 }, 154 { 0 } 155 }; 156 size_t ikev2_default_nike_transforms_noauth = 157 ((sizeof(ikev2_default_ike_transforms_noauth) / 158 sizeof(ikev2_default_ike_transforms_noauth[0])) - 1); 159 160 struct iked_transform ikev2_default_esp_transforms[] = { 161 { IKEV2_XFORMTYPE_ENCR, IKEV2_XFORMENCR_AES_CBC, 256 }, 162 { IKEV2_XFORMTYPE_ENCR, IKEV2_XFORMENCR_AES_CBC, 192 }, 163 { IKEV2_XFORMTYPE_ENCR, IKEV2_XFORMENCR_AES_CBC, 128 }, 164 { IKEV2_XFORMTYPE_INTEGR, IKEV2_XFORMAUTH_HMAC_SHA2_256_128 }, 165 { IKEV2_XFORMTYPE_INTEGR, IKEV2_XFORMAUTH_HMAC_SHA2_384_192 }, 166 { IKEV2_XFORMTYPE_INTEGR, IKEV2_XFORMAUTH_HMAC_SHA2_512_256 }, 167 { IKEV2_XFORMTYPE_INTEGR, IKEV2_XFORMAUTH_HMAC_SHA1_96 }, 168 { IKEV2_XFORMTYPE_DH, IKEV2_XFORMDH_NONE }, 169 { IKEV2_XFORMTYPE_ESN, IKEV2_XFORMESN_ESN }, 170 { IKEV2_XFORMTYPE_ESN, IKEV2_XFORMESN_NONE }, 171 { 0 } 172 }; 173 size_t ikev2_default_nesp_transforms = ((sizeof(ikev2_default_esp_transforms) / 174 sizeof(ikev2_default_esp_transforms[0])) - 1); 175 176 struct iked_transform ikev2_default_esp_transforms_noauth[] = { 177 { IKEV2_XFORMTYPE_ENCR, IKEV2_XFORMENCR_AES_GCM_16, 128 }, 178 { IKEV2_XFORMTYPE_ENCR, IKEV2_XFORMENCR_AES_GCM_16, 256 }, 179 { IKEV2_XFORMTYPE_DH, IKEV2_XFORMDH_NONE }, 180 { IKEV2_XFORMTYPE_ESN, IKEV2_XFORMESN_ESN }, 181 { IKEV2_XFORMTYPE_ESN, IKEV2_XFORMESN_NONE }, 182 { 0 } 183 }; 184 size_t ikev2_default_nesp_transforms_noauth = 185 ((sizeof(ikev2_default_esp_transforms_noauth) / 186 sizeof(ikev2_default_esp_transforms_noauth[0])) - 1); 187 188 const struct ipsec_xf authxfs[] = { 189 { "hmac-md5", IKEV2_XFORMAUTH_HMAC_MD5_96, 16 }, 190 { "hmac-sha1", IKEV2_XFORMAUTH_HMAC_SHA1_96, 20 }, 191 { "hmac-sha2-256", IKEV2_XFORMAUTH_HMAC_SHA2_256_128, 32 }, 192 { "hmac-sha2-384", IKEV2_XFORMAUTH_HMAC_SHA2_384_192, 48 }, 193 { "hmac-sha2-512", IKEV2_XFORMAUTH_HMAC_SHA2_512_256, 64 }, 194 { NULL } 195 }; 196 197 const struct ipsec_xf prfxfs[] = { 198 { "hmac-md5", IKEV2_XFORMPRF_HMAC_MD5, 16 }, 199 { "hmac-sha1", IKEV2_XFORMPRF_HMAC_SHA1, 20 }, 200 { "hmac-sha2-256", IKEV2_XFORMPRF_HMAC_SHA2_256, 32 }, 201 { "hmac-sha2-384", IKEV2_XFORMPRF_HMAC_SHA2_384, 48 }, 202 { "hmac-sha2-512", IKEV2_XFORMPRF_HMAC_SHA2_512, 64 }, 203 { NULL } 204 }; 205 206 const struct ipsec_xf *encxfs = NULL; 207 208 const struct ipsec_xf ikeencxfs[] = { 209 { "3des", IKEV2_XFORMENCR_3DES, 24 }, 210 { "3des-cbc", IKEV2_XFORMENCR_3DES, 24 }, 211 { "aes-128", IKEV2_XFORMENCR_AES_CBC, 16, 16 }, 212 { "aes-192", IKEV2_XFORMENCR_AES_CBC, 24, 24 }, 213 { "aes-256", IKEV2_XFORMENCR_AES_CBC, 32, 32 }, 214 { "aes-128-gcm", IKEV2_XFORMENCR_AES_GCM_16, 16, 16, 4, 1 }, 215 { "aes-256-gcm", IKEV2_XFORMENCR_AES_GCM_16, 32, 32, 4, 1 }, 216 { "aes-128-gcm-12", IKEV2_XFORMENCR_AES_GCM_12, 16, 16, 4, 1 }, 217 { "aes-256-gcm-12", IKEV2_XFORMENCR_AES_GCM_12, 32, 32, 4, 1 }, 218 { NULL } 219 }; 220 221 const struct ipsec_xf ipsecencxfs[] = { 222 { "3des", IKEV2_XFORMENCR_3DES, 24 }, 223 { "3des-cbc", IKEV2_XFORMENCR_3DES, 24 }, 224 { "aes-128", IKEV2_XFORMENCR_AES_CBC, 16, 16 }, 225 { "aes-192", IKEV2_XFORMENCR_AES_CBC, 24, 24 }, 226 { "aes-256", IKEV2_XFORMENCR_AES_CBC, 32, 32 }, 227 { "aes-128-ctr", IKEV2_XFORMENCR_AES_CTR, 16, 16, 4 }, 228 { "aes-192-ctr", IKEV2_XFORMENCR_AES_CTR, 24, 24, 4 }, 229 { "aes-256-ctr", IKEV2_XFORMENCR_AES_CTR, 32, 32, 4 }, 230 { "aes-128-gcm", IKEV2_XFORMENCR_AES_GCM_16, 16, 16, 4, 1 }, 231 { "aes-192-gcm", IKEV2_XFORMENCR_AES_GCM_16, 24, 24, 4, 1 }, 232 { "aes-256-gcm", IKEV2_XFORMENCR_AES_GCM_16, 32, 32, 4, 1 }, 233 { "aes-128-gmac", IKEV2_XFORMENCR_NULL_AES_GMAC, 16, 16, 4, 1 }, 234 { "aes-192-gmac", IKEV2_XFORMENCR_NULL_AES_GMAC, 24, 24, 4, 1 }, 235 { "aes-256-gmac", IKEV2_XFORMENCR_NULL_AES_GMAC, 32, 32, 4, 1 }, 236 { "blowfish", IKEV2_XFORMENCR_BLOWFISH, 20, 20 }, 237 { "cast", IKEV2_XFORMENCR_CAST, 16, 16 }, 238 { "chacha20-poly1305", IKEV2_XFORMENCR_CHACHA20_POLY1305, 239 32, 32, 4, 1 }, 240 { "null", IKEV2_XFORMENCR_NULL, 0, 0 }, 241 { NULL } 242 }; 243 244 const struct ipsec_xf groupxfs[] = { 245 { "none", IKEV2_XFORMDH_NONE }, 246 { "modp768", IKEV2_XFORMDH_MODP_768 }, 247 { "grp1", IKEV2_XFORMDH_MODP_768 }, 248 { "modp1024", IKEV2_XFORMDH_MODP_1024 }, 249 { "grp2", IKEV2_XFORMDH_MODP_1024 }, 250 { "modp1536", IKEV2_XFORMDH_MODP_1536 }, 251 { "grp5", IKEV2_XFORMDH_MODP_1536 }, 252 { "modp2048", IKEV2_XFORMDH_MODP_2048 }, 253 { "grp14", IKEV2_XFORMDH_MODP_2048 }, 254 { "modp3072", IKEV2_XFORMDH_MODP_3072 }, 255 { "grp15", IKEV2_XFORMDH_MODP_3072 }, 256 { "modp4096", IKEV2_XFORMDH_MODP_4096 }, 257 { "grp16", IKEV2_XFORMDH_MODP_4096 }, 258 { "modp6144", IKEV2_XFORMDH_MODP_6144 }, 259 { "grp17", IKEV2_XFORMDH_MODP_6144 }, 260 { "modp8192", IKEV2_XFORMDH_MODP_8192 }, 261 { "grp18", IKEV2_XFORMDH_MODP_8192 }, 262 { "ecp256", IKEV2_XFORMDH_ECP_256 }, 263 { "grp19", IKEV2_XFORMDH_ECP_256 }, 264 { "ecp384", IKEV2_XFORMDH_ECP_384 }, 265 { "grp20", IKEV2_XFORMDH_ECP_384 }, 266 { "ecp521", IKEV2_XFORMDH_ECP_521 }, 267 { "grp21", IKEV2_XFORMDH_ECP_521 }, 268 { "ecp192", IKEV2_XFORMDH_ECP_192 }, 269 { "grp25", IKEV2_XFORMDH_ECP_192 }, 270 { "ecp224", IKEV2_XFORMDH_ECP_224 }, 271 { "grp26", IKEV2_XFORMDH_ECP_224 }, 272 { "brainpool224", IKEV2_XFORMDH_BRAINPOOL_P224R1 }, 273 { "grp27", IKEV2_XFORMDH_BRAINPOOL_P224R1 }, 274 { "brainpool256", IKEV2_XFORMDH_BRAINPOOL_P256R1 }, 275 { "grp28", IKEV2_XFORMDH_BRAINPOOL_P256R1 }, 276 { "brainpool384", IKEV2_XFORMDH_BRAINPOOL_P384R1 }, 277 { "grp29", IKEV2_XFORMDH_BRAINPOOL_P384R1 }, 278 { "brainpool512", IKEV2_XFORMDH_BRAINPOOL_P512R1 }, 279 { "grp30", IKEV2_XFORMDH_BRAINPOOL_P512R1 }, 280 { "curve25519", IKEV2_XFORMDH_CURVE25519 }, 281 { "grp31", IKEV2_XFORMDH_CURVE25519 }, 282 { "sntrup761x25519", IKEV2_XFORMDH_X_SNTRUP761X25519 }, 283 { NULL } 284 }; 285 286 const struct ipsec_xf esnxfs[] = { 287 { "esn", IKEV2_XFORMESN_ESN }, 288 { "noesn", IKEV2_XFORMESN_NONE }, 289 { NULL } 290 }; 291 292 const struct ipsec_xf methodxfs[] = { 293 { "none", IKEV2_AUTH_NONE }, 294 { "rsa", IKEV2_AUTH_RSA_SIG }, 295 { "ecdsa256", IKEV2_AUTH_ECDSA_256 }, 296 { "ecdsa384", IKEV2_AUTH_ECDSA_384 }, 297 { "ecdsa521", IKEV2_AUTH_ECDSA_521 }, 298 { "rfc7427", IKEV2_AUTH_SIG }, 299 { "signature", IKEV2_AUTH_SIG_ANY }, 300 { NULL } 301 }; 302 303 const struct ipsec_xf saxfs[] = { 304 { "esp", IKEV2_SAPROTO_ESP }, 305 { "ah", IKEV2_SAPROTO_AH }, 306 { NULL } 307 }; 308 309 const struct ipsec_xf cpxfs[] = { 310 { "address", IKEV2_CFG_INTERNAL_IP4_ADDRESS, AF_INET }, 311 { "netmask", IKEV2_CFG_INTERNAL_IP4_NETMASK, AF_INET }, 312 { "name-server", IKEV2_CFG_INTERNAL_IP4_DNS, AF_INET }, 313 { "netbios-server", IKEV2_CFG_INTERNAL_IP4_NBNS, AF_INET }, 314 { "dhcp-server", IKEV2_CFG_INTERNAL_IP4_DHCP, AF_INET }, 315 { "address", IKEV2_CFG_INTERNAL_IP6_ADDRESS, AF_INET6 }, 316 { "name-server", IKEV2_CFG_INTERNAL_IP6_DNS, AF_INET6 }, 317 { "netbios-server", IKEV2_CFG_INTERNAL_IP6_NBNS, AF_INET6 }, 318 { "dhcp-server", IKEV2_CFG_INTERNAL_IP6_DHCP, AF_INET6 }, 319 { "protected-subnet", IKEV2_CFG_INTERNAL_IP4_SUBNET, AF_INET }, 320 { "protected-subnet", IKEV2_CFG_INTERNAL_IP6_SUBNET, AF_INET6 }, 321 { "access-server", IKEV2_CFG_INTERNAL_IP4_SERVER, AF_INET }, 322 { "access-server", IKEV2_CFG_INTERNAL_IP6_SERVER, AF_INET6 }, 323 { NULL } 324 }; 325 326 const struct iked_lifetime deflifetime = { 327 IKED_LIFETIME_BYTES, 328 IKED_LIFETIME_SECONDS 329 }; 330 331 #define IPSEC_ADDR_ANY (0x1) 332 #define IPSEC_ADDR_DYNAMIC (0x2) 333 334 struct ipsec_addr_wrap { 335 struct sockaddr_storage address; 336 uint8_t mask; 337 int netaddress; 338 sa_family_t af; 339 unsigned int type; 340 unsigned int action; 341 uint16_t port; 342 char *name; 343 struct ipsec_addr_wrap *next; 344 struct ipsec_addr_wrap *tail; 345 struct ipsec_addr_wrap *srcnat; 346 }; 347 348 struct ipsec_hosts { 349 struct ipsec_addr_wrap *src; 350 struct ipsec_addr_wrap *dst; 351 }; 352 353 struct ipsec_filters { 354 char *tag; 355 unsigned int tap; 356 }; 357 358 void copy_sockaddrtoipa(struct ipsec_addr_wrap *, 359 struct sockaddr *); 360 struct ipsec_addr_wrap *host(const char *); 361 struct ipsec_addr_wrap *host_ip(const char *, int); 362 struct ipsec_addr_wrap *host_dns(const char *, int); 363 struct ipsec_addr_wrap *host_if(const char *, int); 364 struct ipsec_addr_wrap *host_any(void); 365 struct ipsec_addr_wrap *host_dynamic(void); 366 void ifa_load(void); 367 int ifa_exists(const char *); 368 struct ipsec_addr_wrap *ifa_lookup(const char *ifa_name); 369 struct ipsec_addr_wrap *ifa_grouplookup(const char *); 370 void set_ipmask(struct ipsec_addr_wrap *, int); 371 const struct ipsec_xf *parse_xf(const char *, unsigned int, 372 const struct ipsec_xf *); 373 void copy_transforms(unsigned int, 374 const struct ipsec_xf **, unsigned int, 375 struct iked_transform **, unsigned int *, 376 struct iked_transform *, size_t); 377 int create_ike(char *, int, struct ipsec_addr_wrap *, 378 int, struct ipsec_hosts *, 379 struct ipsec_hosts *, struct ipsec_mode *, 380 struct ipsec_mode *, uint8_t, 381 uint8_t, char *, char *, 382 uint32_t, struct iked_lifetime *, 383 struct iked_auth *, struct ipsec_filters *, 384 struct ipsec_addr_wrap *, char *); 385 int create_user(const char *, const char *); 386 int get_id_type(char *); 387 uint8_t x2i(unsigned char *); 388 int parsekey(unsigned char *, size_t, struct iked_auth *); 389 int parsekeyfile(char *, struct iked_auth *); 390 void iaw_free(struct ipsec_addr_wrap *); 391 static int create_flow(struct iked_policy *pol, int, struct ipsec_addr_wrap *ipa, 392 struct ipsec_addr_wrap *ipb); 393 static int expand_flows(struct iked_policy *, int, struct ipsec_addr_wrap *, 394 struct ipsec_addr_wrap *); 395 static struct ipsec_addr_wrap * 396 expand_keyword(struct ipsec_addr_wrap *); 397 398 struct ipsec_transforms *ipsec_transforms; 399 struct ipsec_filters *ipsec_filters; 400 struct ipsec_mode *ipsec_mode; 401 /* interface lookup routintes */ 402 struct ipsec_addr_wrap *iftab; 403 404 typedef struct { 405 union { 406 int64_t number; 407 uint8_t ikemode; 408 uint8_t dir; 409 uint8_t satype; 410 char *string; 411 uint16_t port; 412 struct ipsec_hosts *hosts; 413 struct ipsec_hosts peers; 414 struct ipsec_addr_wrap *anyhost; 415 struct ipsec_addr_wrap *host; 416 struct ipsec_addr_wrap *cfg; 417 struct ipsec_addr_wrap *proto; 418 struct { 419 char *srcid; 420 char *dstid; 421 } ids; 422 char *id; 423 uint8_t type; 424 struct iked_lifetime lifetime; 425 struct iked_auth ikeauth; 426 struct iked_auth ikekey; 427 struct ipsec_transforms *transforms; 428 struct ipsec_filters *filters; 429 struct ipsec_mode *mode; 430 } v; 431 int lineno; 432 } YYSTYPE; 433 434 %} 435 436 %token FROM ESP AH IN PEER ON OUT TO SRCID DSTID PSK PORT 437 %token FILENAME AUTHXF PRFXF ENCXF ERROR IKEV2 IKESA CHILDSA ESN NOESN 438 %token PASSIVE ACTIVE ANY TAG TAP PROTO LOCAL GROUP NAME CONFIG EAP USER 439 %token IKEV1 FLOW SA TCPMD5 TUNNEL TRANSPORT COUPLE DECOUPLE SET 440 %token INCLUDE LIFETIME BYTES INET INET6 QUICK SKIP DEFAULT 441 %token IPCOMP OCSP IKELIFETIME MOBIKE NOMOBIKE RDOMAIN 442 %token FRAGMENTATION NOFRAGMENTATION DPD_CHECK_INTERVAL 443 %token ENFORCESINGLEIKESA NOENFORCESINGLEIKESA 444 %token STICKYADDRESS NOSTICKYADDRESS 445 %token TOLERATE MAXAGE DYNAMIC 446 %token CERTPARTIALCHAIN 447 %token REQUEST IFACE 448 %token <v.string> STRING 449 %token <v.number> NUMBER 450 %type <v.string> string 451 %type <v.satype> satype 452 %type <v.proto> proto proto_list protoval 453 %type <v.hosts> hosts hosts_list 454 %type <v.port> port 455 %type <v.number> portval af rdomain 456 %type <v.peers> peers 457 %type <v.anyhost> anyhost 458 %type <v.host> host host_spec 459 %type <v.ids> ids 460 %type <v.id> id 461 %type <v.transforms> transforms 462 %type <v.filters> filters 463 %type <v.ikemode> ikeflags ikematch ikemode ipcomp tmode 464 %type <v.ikeauth> ikeauth 465 %type <v.ikekey> keyspec 466 %type <v.mode> ike_sas child_sas 467 %type <v.lifetime> lifetime 468 %type <v.number> byte_spec time_spec ikelifetime 469 %type <v.string> name iface 470 %type <v.cfg> cfg ikecfg ikecfgvals 471 %type <v.string> transform_esn 472 %% 473 474 grammar : /* empty */ 475 | grammar include '\n' 476 | grammar '\n' 477 | grammar set '\n' 478 | grammar user '\n' 479 | grammar ikev2rule '\n' 480 | grammar varset '\n' 481 | grammar otherrule skipline '\n' 482 | grammar error '\n' { file->errors++; } 483 ; 484 485 comma : ',' 486 | /* empty */ 487 ; 488 489 include : INCLUDE STRING { 490 struct file *nfile; 491 492 if ((nfile = pushfile($2, 1)) == NULL) { 493 yyerror("failed to include file %s", $2); 494 free($2); 495 YYERROR; 496 } 497 free($2); 498 499 file = nfile; 500 lungetc('\n'); 501 } 502 ; 503 504 set : SET ACTIVE { passive = 0; } 505 | SET PASSIVE { passive = 1; } 506 | SET COUPLE { decouple = 0; } 507 | SET DECOUPLE { decouple = 1; } 508 | SET FRAGMENTATION { fragmentation = 1; } 509 | SET NOFRAGMENTATION { fragmentation = 0; } 510 | SET MOBIKE { mobike = 1; } 511 | SET NOMOBIKE { mobike = 0; } 512 | SET ENFORCESINGLEIKESA { enforcesingleikesa = 1; } 513 | SET NOENFORCESINGLEIKESA { enforcesingleikesa = 0; } 514 | SET STICKYADDRESS { stickyaddress = 1; } 515 | SET NOSTICKYADDRESS { stickyaddress = 0; } 516 | SET OCSP STRING { 517 ocsp_url = $3; 518 } 519 | SET OCSP STRING TOLERATE time_spec { 520 ocsp_url = $3; 521 ocsp_tolerate = $5; 522 } 523 | SET OCSP STRING TOLERATE time_spec MAXAGE time_spec { 524 ocsp_url = $3; 525 ocsp_tolerate = $5; 526 ocsp_maxage = $7; 527 } 528 | SET CERTPARTIALCHAIN { 529 cert_partial_chain = 1; 530 } 531 | SET DPD_CHECK_INTERVAL NUMBER { 532 if ($3 < 0) { 533 yyerror("timeout outside range"); 534 YYERROR; 535 } 536 dpd_interval = $3; 537 } 538 ; 539 540 user : USER STRING STRING { 541 if (create_user($2, $3) == -1) 542 YYERROR; 543 free($2); 544 freezero($3, strlen($3)); 545 } 546 ; 547 548 ikev2rule : IKEV2 name ikeflags satype af proto rdomain hosts_list peers 549 ike_sas child_sas ids ikelifetime lifetime ikeauth ikecfg 550 iface filters { 551 if (create_ike($2, $5, $6, $7, $8, &$9, $10, $11, $4, 552 $3, $12.srcid, $12.dstid, $13, &$14, &$15, 553 $18, $16, $17) == -1) { 554 yyerror("create_ike failed"); 555 YYERROR; 556 } 557 } 558 ; 559 560 ikecfg : /* empty */ { $$ = NULL; } 561 | ikecfgvals { $$ = $1; } 562 ; 563 564 ikecfgvals : cfg { $$ = $1; } 565 | ikecfgvals cfg { 566 if ($2 == NULL) 567 $$ = $1; 568 else if ($1 == NULL) 569 $$ = $2; 570 else { 571 $1->tail->next = $2; 572 $1->tail = $2->tail; 573 $$ = $1; 574 } 575 } 576 ; 577 578 cfg : CONFIG STRING host_spec { 579 const struct ipsec_xf *xf; 580 581 if ((xf = parse_xf($2, $3->af, cpxfs)) == NULL) { 582 yyerror("not a valid ikecfg option"); 583 free($2); 584 free($3); 585 YYERROR; 586 } 587 free($2); 588 $$ = $3; 589 $$->type = xf->id; 590 $$->action = IKEV2_CP_REPLY; /* XXX */ 591 } 592 | REQUEST STRING anyhost { 593 const struct ipsec_xf *xf; 594 595 if ((xf = parse_xf($2, $3->af, cpxfs)) == NULL) { 596 yyerror("not a valid ikecfg option"); 597 free($2); 598 free($3); 599 YYERROR; 600 } 601 free($2); 602 $$ = $3; 603 $$->type = xf->id; 604 $$->action = IKEV2_CP_REQUEST; /* XXX */ 605 } 606 ; 607 608 name : /* empty */ { $$ = NULL; } 609 | STRING { 610 $$ = $1; 611 } 612 613 satype : /* empty */ { $$ = IKEV2_SAPROTO_ESP; } 614 | ESP { $$ = IKEV2_SAPROTO_ESP; } 615 | AH { $$ = IKEV2_SAPROTO_AH; } 616 ; 617 618 af : /* empty */ { $$ = AF_UNSPEC; } 619 | INET { $$ = AF_INET; } 620 | INET6 { $$ = AF_INET6; } 621 ; 622 623 proto : /* empty */ { $$ = NULL; } 624 | PROTO protoval { $$ = $2; } 625 | PROTO '{' proto_list '}' { $$ = $3; } 626 ; 627 628 proto_list : protoval { $$ = $1; } 629 | proto_list comma protoval { 630 if ($3 == NULL) 631 $$ = $1; 632 else if ($1 == NULL) 633 $$ = $3; 634 else { 635 $1->tail->next = $3; 636 $1->tail = $3->tail; 637 $$ = $1; 638 } 639 } 640 ; 641 642 protoval : STRING { 643 struct protoent *p; 644 645 p = getprotobyname($1); 646 if (p == NULL) { 647 yyerror("unknown protocol: %s", $1); 648 YYERROR; 649 } 650 651 if (($$ = calloc(1, sizeof(*$$))) == NULL) 652 err(1, "protoval: calloc"); 653 654 $$->type = p->p_proto; 655 $$->tail = $$; 656 free($1); 657 } 658 | NUMBER { 659 if ($1 > 255 || $1 < 0) { 660 yyerror("protocol outside range"); 661 YYERROR; 662 } 663 if (($$ = calloc(1, sizeof(*$$))) == NULL) 664 err(1, "protoval: calloc"); 665 666 $$->type = $1; 667 $$->tail = $$; 668 } 669 ; 670 671 rdomain : /* empty */ { $$ = -1; } 672 | RDOMAIN NUMBER { 673 if ($2 > 255 || $2 < 0) { 674 yyerror("rdomain outside range"); 675 YYERROR; 676 } 677 $$ = $2; 678 } 679 680 hosts_list : hosts { $$ = $1; } 681 | hosts_list comma hosts { 682 if ($3 == NULL) 683 $$ = $1; 684 else if ($1 == NULL) 685 $$ = $3; 686 else { 687 $1->src->tail->next = $3->src; 688 $1->src->tail = $3->src->tail; 689 $1->dst->tail->next = $3->dst; 690 $1->dst->tail = $3->dst->tail; 691 $$ = $1; 692 free($3); 693 } 694 } 695 ; 696 697 hosts : FROM host port TO host port { 698 struct ipsec_addr_wrap *ipa; 699 for (ipa = $5; ipa; ipa = ipa->next) { 700 if (ipa->srcnat) { 701 yyerror("no flow NAT support for" 702 " destination network: %s", 703 ipa->name); 704 YYERROR; 705 } 706 } 707 708 if (($$ = calloc(1, sizeof(*$$))) == NULL) 709 err(1, "hosts: calloc"); 710 711 $$->src = $2; 712 $$->src->port = $3; 713 $$->dst = $5; 714 $$->dst->port = $6; 715 } 716 | TO host port FROM host port { 717 struct ipsec_addr_wrap *ipa; 718 for (ipa = $2; ipa; ipa = ipa->next) { 719 if (ipa->srcnat) { 720 yyerror("no flow NAT support for" 721 " destination network: %s", 722 ipa->name); 723 YYERROR; 724 } 725 } 726 if (($$ = calloc(1, sizeof(*$$))) == NULL) 727 err(1, "hosts: calloc"); 728 729 $$->src = $5; 730 $$->src->port = $6; 731 $$->dst = $2; 732 $$->dst->port = $3; 733 } 734 ; 735 736 port : /* empty */ { $$ = 0; } 737 | PORT portval { $$ = $2; } 738 ; 739 740 portval : STRING { 741 struct servent *s; 742 743 if ((s = getservbyname($1, "tcp")) != NULL || 744 (s = getservbyname($1, "udp")) != NULL) { 745 $$ = s->s_port; 746 } else { 747 yyerror("unknown port: %s", $1); 748 YYERROR; 749 } 750 free($1); 751 } 752 | NUMBER { 753 if ($1 > USHRT_MAX || $1 < 0) { 754 yyerror("port outside range"); 755 YYERROR; 756 } 757 $$ = htons($1); 758 } 759 ; 760 761 peers : /* empty */ { 762 $$.dst = NULL; 763 $$.src = NULL; 764 } 765 | PEER anyhost LOCAL anyhost { 766 $$.dst = $2; 767 $$.src = $4; 768 } 769 | LOCAL anyhost PEER anyhost { 770 $$.dst = $4; 771 $$.src = $2; 772 } 773 | PEER anyhost { 774 $$.dst = $2; 775 $$.src = NULL; 776 } 777 | LOCAL anyhost { 778 $$.dst = NULL; 779 $$.src = $2; 780 } 781 ; 782 783 anyhost : host_spec { $$ = $1; } 784 | ANY { 785 $$ = host_any(); 786 } 787 788 host_spec : STRING { 789 if (($$ = host($1)) == NULL) { 790 free($1); 791 yyerror("could not parse host specification"); 792 YYERROR; 793 } 794 free($1); 795 } 796 | STRING '/' NUMBER { 797 char *buf; 798 799 if (asprintf(&buf, "%s/%lld", $1, $3) == -1) 800 err(1, "host: asprintf"); 801 free($1); 802 if (($$ = host(buf)) == NULL) { 803 free(buf); 804 yyerror("could not parse host specification"); 805 YYERROR; 806 } 807 free(buf); 808 } 809 ; 810 811 host : host_spec { $$ = $1; } 812 | host_spec '(' host_spec ')' { 813 if (($1->af != AF_UNSPEC) && ($3->af != AF_UNSPEC) && 814 ($3->af != $1->af)) { 815 yyerror("Flow NAT address family mismatch"); 816 YYERROR; 817 } 818 $$ = $1; 819 $$->srcnat = $3; 820 } 821 | ANY { 822 $$ = host_any(); 823 } 824 | DYNAMIC { 825 $$ = host_dynamic(); 826 } 827 ; 828 829 ids : /* empty */ { 830 $$.srcid = NULL; 831 $$.dstid = NULL; 832 } 833 | SRCID id DSTID id { 834 $$.srcid = $2; 835 $$.dstid = $4; 836 } 837 | SRCID id { 838 $$.srcid = $2; 839 $$.dstid = NULL; 840 } 841 | DSTID id { 842 $$.srcid = NULL; 843 $$.dstid = $2; 844 } 845 ; 846 847 id : STRING { $$ = $1; } 848 ; 849 850 transforms : { 851 if ((ipsec_transforms = calloc(1, 852 sizeof(struct ipsec_transforms))) == NULL) 853 err(1, "transforms: calloc"); 854 } 855 transforms_l { 856 $$ = ipsec_transforms; 857 } 858 | /* empty */ { 859 $$ = NULL; 860 } 861 ; 862 863 transforms_l : transforms_l transform 864 | transform 865 ; 866 867 transform : AUTHXF STRING { 868 const struct ipsec_xf **xfs = ipsec_transforms->authxf; 869 size_t nxfs = ipsec_transforms->nauthxf; 870 xfs = recallocarray(xfs, nxfs, nxfs + 1, 871 sizeof(struct ipsec_xf *)); 872 if (xfs == NULL) 873 err(1, "transform: recallocarray"); 874 if ((xfs[nxfs] = parse_xf($2, 0, authxfs)) == NULL) { 875 yyerror("%s not a valid transform", $2); 876 YYERROR; 877 } 878 free($2); 879 ipsec_transforms->authxf = xfs; 880 ipsec_transforms->nauthxf++; 881 } 882 | ENCXF STRING { 883 const struct ipsec_xf **xfs = ipsec_transforms->encxf; 884 size_t nxfs = ipsec_transforms->nencxf; 885 xfs = recallocarray(xfs, nxfs, nxfs + 1, 886 sizeof(struct ipsec_xf *)); 887 if (xfs == NULL) 888 err(1, "transform: recallocarray"); 889 if ((xfs[nxfs] = parse_xf($2, 0, encxfs)) == NULL) { 890 yyerror("%s not a valid transform", $2); 891 YYERROR; 892 } 893 free($2); 894 ipsec_transforms->encxf = xfs; 895 ipsec_transforms->nencxf++; 896 } 897 | PRFXF STRING { 898 const struct ipsec_xf **xfs = ipsec_transforms->prfxf; 899 size_t nxfs = ipsec_transforms->nprfxf; 900 xfs = recallocarray(xfs, nxfs, nxfs + 1, 901 sizeof(struct ipsec_xf *)); 902 if (xfs == NULL) 903 err(1, "transform: recallocarray"); 904 if ((xfs[nxfs] = parse_xf($2, 0, prfxfs)) == NULL) { 905 yyerror("%s not a valid transform", $2); 906 YYERROR; 907 } 908 free($2); 909 ipsec_transforms->prfxf = xfs; 910 ipsec_transforms->nprfxf++; 911 } 912 | GROUP STRING { 913 const struct ipsec_xf **xfs = ipsec_transforms->groupxf; 914 size_t nxfs = ipsec_transforms->ngroupxf; 915 xfs = recallocarray(xfs, nxfs, nxfs + 1, 916 sizeof(struct ipsec_xf *)); 917 if (xfs == NULL) 918 err(1, "transform: recallocarray"); 919 if ((xfs[nxfs] = parse_xf($2, 0, groupxfs)) == NULL) { 920 yyerror("%s not a valid transform", $2); 921 YYERROR; 922 } 923 free($2); 924 ipsec_transforms->groupxf = xfs; 925 ipsec_transforms->ngroupxf++; 926 } 927 | transform_esn { 928 const struct ipsec_xf **xfs = ipsec_transforms->esnxf; 929 size_t nxfs = ipsec_transforms->nesnxf; 930 xfs = recallocarray(xfs, nxfs, nxfs + 1, 931 sizeof(struct ipsec_xf *)); 932 if (xfs == NULL) 933 err(1, "transform: recallocarray"); 934 if ((xfs[nxfs] = parse_xf($1, 0, esnxfs)) == NULL) { 935 yyerror("%s not a valid transform", $1); 936 YYERROR; 937 } 938 ipsec_transforms->esnxf = xfs; 939 ipsec_transforms->nesnxf++; 940 } 941 ; 942 943 transform_esn : ESN { $$ = "esn"; } 944 | NOESN { $$ = "noesn"; } 945 ; 946 947 ike_sas : { 948 if ((ipsec_mode = calloc(1, 949 sizeof(struct ipsec_mode))) == NULL) 950 err(1, "ike_sas: calloc"); 951 } 952 ike_sas_l { 953 $$ = ipsec_mode; 954 } 955 | /* empty */ { 956 $$ = NULL; 957 } 958 ; 959 960 ike_sas_l : ike_sas_l ike_sa 961 | ike_sa 962 ; 963 964 ike_sa : IKESA { 965 if ((ipsec_mode->xfs = recallocarray(ipsec_mode->xfs, 966 ipsec_mode->nxfs, ipsec_mode->nxfs + 1, 967 sizeof(struct ipsec_transforms *))) == NULL) 968 err(1, "ike_sa: recallocarray"); 969 ipsec_mode->nxfs++; 970 encxfs = ikeencxfs; 971 } transforms { 972 ipsec_mode->xfs[ipsec_mode->nxfs - 1] = $3; 973 } 974 ; 975 976 child_sas : { 977 if ((ipsec_mode = calloc(1, 978 sizeof(struct ipsec_mode))) == NULL) 979 err(1, "child_sas: calloc"); 980 } 981 child_sas_l { 982 $$ = ipsec_mode; 983 } 984 | /* empty */ { 985 $$ = NULL; 986 } 987 ; 988 989 child_sas_l : child_sas_l child_sa 990 | child_sa 991 ; 992 993 child_sa : CHILDSA { 994 if ((ipsec_mode->xfs = recallocarray(ipsec_mode->xfs, 995 ipsec_mode->nxfs, ipsec_mode->nxfs + 1, 996 sizeof(struct ipsec_transforms *))) == NULL) 997 err(1, "child_sa: recallocarray"); 998 ipsec_mode->nxfs++; 999 encxfs = ipsecencxfs; 1000 } transforms { 1001 ipsec_mode->xfs[ipsec_mode->nxfs - 1] = $3; 1002 } 1003 ; 1004 1005 ikeflags : ikematch ikemode ipcomp tmode { $$ = $1 | $2 | $3 | $4; } 1006 ; 1007 1008 ikematch : /* empty */ { $$ = 0; } 1009 | QUICK { $$ = IKED_POLICY_QUICK; } 1010 | SKIP { $$ = IKED_POLICY_SKIP; } 1011 | DEFAULT { $$ = IKED_POLICY_DEFAULT; } 1012 ; 1013 1014 ikemode : /* empty */ { $$ = IKED_POLICY_PASSIVE; } 1015 | PASSIVE { $$ = IKED_POLICY_PASSIVE; } 1016 | ACTIVE { $$ = IKED_POLICY_ACTIVE; } 1017 ; 1018 1019 ipcomp : /* empty */ { $$ = 0; } 1020 | IPCOMP { $$ = IKED_POLICY_IPCOMP; } 1021 ; 1022 1023 tmode : /* empty */ { $$ = 0; } 1024 | TUNNEL { $$ = 0; } 1025 | TRANSPORT { $$ = IKED_POLICY_TRANSPORT; } 1026 ; 1027 1028 ikeauth : /* empty */ { 1029 $$.auth_method = IKEV2_AUTH_SIG_ANY; /* default */ 1030 $$.auth_eap = 0; 1031 $$.auth_length = 0; 1032 } 1033 | PSK keyspec { 1034 memcpy(&$$, &$2, sizeof($$)); 1035 $$.auth_method = IKEV2_AUTH_SHARED_KEY_MIC; 1036 $$.auth_eap = 0; 1037 explicit_bzero(&$2, sizeof($2)); 1038 } 1039 | EAP STRING { 1040 unsigned int i; 1041 1042 for (i = 0; i < strlen($2); i++) 1043 if ($2[i] == '-') 1044 $2[i] = '_'; 1045 1046 if (strcasecmp("mschap_v2", $2) != 0) { 1047 yyerror("unsupported EAP method: %s", $2); 1048 free($2); 1049 YYERROR; 1050 } 1051 free($2); 1052 1053 $$.auth_method = IKEV2_AUTH_SIG_ANY; 1054 $$.auth_eap = EAP_TYPE_MSCHAP_V2; 1055 $$.auth_length = 0; 1056 } 1057 | STRING { 1058 const struct ipsec_xf *xf; 1059 1060 if ((xf = parse_xf($1, 0, methodxfs)) == NULL || 1061 xf->id == IKEV2_AUTH_NONE) { 1062 yyerror("not a valid authentication mode"); 1063 free($1); 1064 YYERROR; 1065 } 1066 free($1); 1067 1068 $$.auth_method = xf->id; 1069 $$.auth_eap = 0; 1070 $$.auth_length = 0; 1071 } 1072 ; 1073 1074 byte_spec : NUMBER { 1075 $$ = $1; 1076 } 1077 | STRING { 1078 uint64_t bytes = 0; 1079 char unit = 0; 1080 1081 if (sscanf($1, "%llu%c", &bytes, &unit) != 2) { 1082 yyerror("invalid byte specification: %s", $1); 1083 YYERROR; 1084 } 1085 free($1); 1086 switch (toupper((unsigned char)unit)) { 1087 case 'K': 1088 bytes *= 1024; 1089 break; 1090 case 'M': 1091 bytes *= 1024 * 1024; 1092 break; 1093 case 'G': 1094 bytes *= 1024 * 1024 * 1024; 1095 break; 1096 default: 1097 yyerror("invalid byte unit"); 1098 YYERROR; 1099 } 1100 $$ = bytes; 1101 } 1102 ; 1103 1104 time_spec : NUMBER { 1105 $$ = $1; 1106 } 1107 | STRING { 1108 uint64_t seconds = 0; 1109 char unit = 0; 1110 1111 if (sscanf($1, "%llu%c", &seconds, &unit) != 2) { 1112 yyerror("invalid time specification: %s", $1); 1113 YYERROR; 1114 } 1115 free($1); 1116 switch (tolower((unsigned char)unit)) { 1117 case 'm': 1118 seconds *= 60; 1119 break; 1120 case 'h': 1121 seconds *= 60 * 60; 1122 break; 1123 default: 1124 yyerror("invalid time unit"); 1125 YYERROR; 1126 } 1127 $$ = seconds; 1128 } 1129 ; 1130 1131 lifetime : /* empty */ { 1132 $$ = deflifetime; 1133 } 1134 | LIFETIME time_spec { 1135 $$.lt_seconds = $2; 1136 $$.lt_bytes = deflifetime.lt_bytes; 1137 } 1138 | LIFETIME time_spec BYTES byte_spec { 1139 $$.lt_seconds = $2; 1140 $$.lt_bytes = $4; 1141 } 1142 ; 1143 1144 ikelifetime : /* empty */ { 1145 $$ = 0; 1146 } 1147 | IKELIFETIME time_spec { 1148 $$ = $2; 1149 } 1150 1151 keyspec : STRING { 1152 uint8_t *hex; 1153 1154 bzero(&$$, sizeof($$)); 1155 1156 hex = $1; 1157 if (strncmp(hex, "0x", 2) == 0) { 1158 hex += 2; 1159 if (parsekey(hex, strlen(hex), &$$) != 0) { 1160 free($1); 1161 YYERROR; 1162 } 1163 } else { 1164 if (strlen($1) > sizeof($$.auth_data)) { 1165 yyerror("psk too long"); 1166 free($1); 1167 YYERROR; 1168 } 1169 strlcpy($$.auth_data, $1, 1170 sizeof($$.auth_data)); 1171 $$.auth_length = strlen($1); 1172 } 1173 freezero($1, strlen($1)); 1174 } 1175 | FILENAME STRING { 1176 if (parsekeyfile($2, &$$) != 0) { 1177 free($2); 1178 YYERROR; 1179 } 1180 free($2); 1181 } 1182 ; 1183 1184 filters : { 1185 if ((ipsec_filters = calloc(1, 1186 sizeof(struct ipsec_filters))) == NULL) 1187 err(1, "filters: calloc"); 1188 } 1189 filters_l { 1190 $$ = ipsec_filters; 1191 } 1192 | /* empty */ { 1193 $$ = NULL; 1194 } 1195 ; 1196 1197 filters_l : filters_l filter 1198 | filter 1199 ; 1200 1201 filter : TAG STRING 1202 { 1203 ipsec_filters->tag = $2; 1204 } 1205 | TAP STRING 1206 { 1207 const char *errstr = NULL; 1208 size_t len; 1209 1210 len = strcspn($2, "0123456789"); 1211 if (strlen("enc") != len || 1212 strncmp("enc", $2, len) != 0) { 1213 yyerror("invalid tap interface name: %s", $2); 1214 free($2); 1215 YYERROR; 1216 } 1217 ipsec_filters->tap = 1218 strtonum($2 + len, 0, UINT_MAX, &errstr); 1219 free($2); 1220 if (errstr != NULL) { 1221 yyerror("invalid tap interface unit: %s", 1222 errstr); 1223 YYERROR; 1224 } 1225 } 1226 ; 1227 1228 iface : { 1229 $$ = NULL; 1230 } 1231 | IFACE STRING { 1232 $$ = $2; 1233 } 1234 1235 string : string STRING 1236 { 1237 if (asprintf(&$$, "%s %s", $1, $2) == -1) 1238 err(1, "string: asprintf"); 1239 free($1); 1240 free($2); 1241 } 1242 | STRING 1243 ; 1244 1245 varset : STRING '=' string 1246 { 1247 char *s = $1; 1248 log_debug("%s = \"%s\"\n", $1, $3); 1249 while (*s++) { 1250 if (isspace((unsigned char)*s)) { 1251 yyerror("macro name cannot contain " 1252 "whitespace"); 1253 free($1); 1254 free($3); 1255 YYERROR; 1256 } 1257 } 1258 if (symset($1, $3, 0) == -1) 1259 err(1, "cannot store variable"); 1260 free($1); 1261 free($3); 1262 } 1263 ; 1264 1265 /* 1266 * ignore IKEv1/manual keying rules in ipsec.conf 1267 */ 1268 otherrule : IKEV1 1269 | sarule 1270 | FLOW 1271 | TCPMD5 1272 ; 1273 1274 /* manual keying SAs might start with the following keywords */ 1275 sarule : SA 1276 | FROM 1277 | TO 1278 | TUNNEL 1279 | TRANSPORT 1280 ; 1281 1282 /* ignore everything to the end of the line */ 1283 skipline : 1284 { 1285 int c; 1286 1287 while ((c = lgetc(0)) != '\n' && c != EOF) 1288 ; /* nothing */ 1289 if (c == '\n') 1290 lungetc(c); 1291 } 1292 ; 1293 %% 1294 1295 struct keywords { 1296 const char *k_name; 1297 int k_val; 1298 }; 1299 1300 void 1301 copy_sockaddrtoipa(struct ipsec_addr_wrap *ipa, struct sockaddr *sa) 1302 { 1303 if (sa->sa_family == AF_INET6) 1304 memcpy(&ipa->address, sa, sizeof(struct sockaddr_in6)); 1305 else if (sa->sa_family == AF_INET) 1306 memcpy(&ipa->address, sa, sizeof(struct sockaddr_in)); 1307 else 1308 warnx("unhandled af %d", sa->sa_family); 1309 } 1310 1311 int 1312 yyerror(const char *fmt, ...) 1313 { 1314 va_list ap; 1315 1316 file->errors++; 1317 va_start(ap, fmt); 1318 fprintf(stderr, "%s: %d: ", file->name, yylval.lineno); 1319 vfprintf(stderr, fmt, ap); 1320 fprintf(stderr, "\n"); 1321 va_end(ap); 1322 return (0); 1323 } 1324 1325 int 1326 kw_cmp(const void *k, const void *e) 1327 { 1328 return (strcmp(k, ((const struct keywords *)e)->k_name)); 1329 } 1330 1331 int 1332 lookup(char *s) 1333 { 1334 /* this has to be sorted always */ 1335 static const struct keywords keywords[] = { 1336 { "active", ACTIVE }, 1337 { "ah", AH }, 1338 { "any", ANY }, 1339 { "auth", AUTHXF }, 1340 { "bytes", BYTES }, 1341 { "cert_partial_chain", CERTPARTIALCHAIN }, 1342 { "childsa", CHILDSA }, 1343 { "config", CONFIG }, 1344 { "couple", COUPLE }, 1345 { "decouple", DECOUPLE }, 1346 { "default", DEFAULT }, 1347 { "dpd_check_interval", DPD_CHECK_INTERVAL }, 1348 { "dstid", DSTID }, 1349 { "dynamic", DYNAMIC }, 1350 { "eap", EAP }, 1351 { "enc", ENCXF }, 1352 { "enforcesingleikesa", ENFORCESINGLEIKESA }, 1353 { "esn", ESN }, 1354 { "esp", ESP }, 1355 { "file", FILENAME }, 1356 { "flow", FLOW }, 1357 { "fragmentation", FRAGMENTATION }, 1358 { "from", FROM }, 1359 { "group", GROUP }, 1360 { "iface", IFACE }, 1361 { "ike", IKEV1 }, 1362 { "ikelifetime", IKELIFETIME }, 1363 { "ikesa", IKESA }, 1364 { "ikev2", IKEV2 }, 1365 { "include", INCLUDE }, 1366 { "inet", INET }, 1367 { "inet6", INET6 }, 1368 { "ipcomp", IPCOMP }, 1369 { "lifetime", LIFETIME }, 1370 { "local", LOCAL }, 1371 { "maxage", MAXAGE }, 1372 { "mobike", MOBIKE }, 1373 { "name", NAME }, 1374 { "noenforcesingleikesa", NOENFORCESINGLEIKESA }, 1375 { "noesn", NOESN }, 1376 { "nofragmentation", NOFRAGMENTATION }, 1377 { "nomobike", NOMOBIKE }, 1378 { "nostickyaddress", NOSTICKYADDRESS }, 1379 { "ocsp", OCSP }, 1380 { "passive", PASSIVE }, 1381 { "peer", PEER }, 1382 { "port", PORT }, 1383 { "prf", PRFXF }, 1384 { "proto", PROTO }, 1385 { "psk", PSK }, 1386 { "quick", QUICK }, 1387 { "rdomain", RDOMAIN }, 1388 { "request", REQUEST }, 1389 { "sa", SA }, 1390 { "set", SET }, 1391 { "skip", SKIP }, 1392 { "srcid", SRCID }, 1393 { "stickyaddress", STICKYADDRESS }, 1394 { "tag", TAG }, 1395 { "tap", TAP }, 1396 { "tcpmd5", TCPMD5 }, 1397 { "to", TO }, 1398 { "tolerate", TOLERATE }, 1399 { "transport", TRANSPORT }, 1400 { "tunnel", TUNNEL }, 1401 { "user", USER } 1402 }; 1403 const struct keywords *p; 1404 1405 p = bsearch(s, keywords, sizeof(keywords)/sizeof(keywords[0]), 1406 sizeof(keywords[0]), kw_cmp); 1407 1408 if (p) { 1409 if (debug > 1) 1410 fprintf(stderr, "%s: %d\n", s, p->k_val); 1411 return (p->k_val); 1412 } else { 1413 if (debug > 1) 1414 fprintf(stderr, "string: %s\n", s); 1415 return (STRING); 1416 } 1417 } 1418 1419 #define START_EXPAND 1 1420 #define DONE_EXPAND 2 1421 1422 static int expanding; 1423 1424 int 1425 igetc(void) 1426 { 1427 int c; 1428 1429 while (1) { 1430 if (file->ungetpos > 0) 1431 c = file->ungetbuf[--file->ungetpos]; 1432 else 1433 c = getc(file->stream); 1434 1435 if (c == START_EXPAND) 1436 expanding = 1; 1437 else if (c == DONE_EXPAND) 1438 expanding = 0; 1439 else 1440 break; 1441 } 1442 return (c); 1443 } 1444 1445 int 1446 lgetc(int quotec) 1447 { 1448 int c, next; 1449 1450 if (quotec) { 1451 if ((c = igetc()) == EOF) { 1452 yyerror("reached end of file while parsing " 1453 "quoted string"); 1454 if (file == topfile || popfile() == EOF) 1455 return (EOF); 1456 return (quotec); 1457 } 1458 return (c); 1459 } 1460 1461 while ((c = igetc()) == '\\') { 1462 next = igetc(); 1463 if (next != '\n') { 1464 c = next; 1465 break; 1466 } 1467 yylval.lineno = file->lineno; 1468 file->lineno++; 1469 } 1470 1471 while (c == EOF) { 1472 /* 1473 * Fake EOL when hit EOF for the first time. This gets line 1474 * count right if last line in included file is syntactically 1475 * invalid and has no newline. 1476 */ 1477 if (file->eof_reached == 0) { 1478 file->eof_reached = 1; 1479 return ('\n'); 1480 } 1481 while (c == EOF) { 1482 if (file == topfile || popfile() == EOF) 1483 return (EOF); 1484 c = igetc(); 1485 } 1486 } 1487 return (c); 1488 } 1489 1490 void 1491 lungetc(int c) 1492 { 1493 if (c == EOF) 1494 return; 1495 1496 if (file->ungetpos >= file->ungetsize) { 1497 void *p = reallocarray(file->ungetbuf, file->ungetsize, 2); 1498 if (p == NULL) 1499 err(1, "lungetc"); 1500 file->ungetbuf = p; 1501 file->ungetsize *= 2; 1502 } 1503 file->ungetbuf[file->ungetpos++] = c; 1504 } 1505 1506 int 1507 findeol(void) 1508 { 1509 int c; 1510 1511 /* skip to either EOF or the first real EOL */ 1512 while (1) { 1513 c = lgetc(0); 1514 if (c == '\n') { 1515 file->lineno++; 1516 break; 1517 } 1518 if (c == EOF) 1519 break; 1520 } 1521 return (ERROR); 1522 } 1523 1524 int 1525 yylex(void) 1526 { 1527 char buf[8096]; 1528 char *p, *val; 1529 int quotec, next, c; 1530 int token; 1531 1532 top: 1533 p = buf; 1534 while ((c = lgetc(0)) == ' ' || c == '\t') 1535 ; /* nothing */ 1536 1537 yylval.lineno = file->lineno; 1538 if (c == '#') 1539 while ((c = lgetc(0)) != '\n' && c != EOF) 1540 ; /* nothing */ 1541 if (c == '$' && !expanding) { 1542 while (1) { 1543 if ((c = lgetc(0)) == EOF) 1544 return (0); 1545 1546 if (p + 1 >= buf + sizeof(buf) - 1) { 1547 yyerror("string too long"); 1548 return (findeol()); 1549 } 1550 if (isalnum(c) || c == '_') { 1551 *p++ = c; 1552 continue; 1553 } 1554 *p = '\0'; 1555 lungetc(c); 1556 break; 1557 } 1558 val = symget(buf); 1559 if (val == NULL) { 1560 yyerror("macro '%s' not defined", buf); 1561 return (findeol()); 1562 } 1563 p = val + strlen(val) - 1; 1564 lungetc(DONE_EXPAND); 1565 while (p >= val) { 1566 lungetc((unsigned char)*p); 1567 p--; 1568 } 1569 lungetc(START_EXPAND); 1570 goto top; 1571 } 1572 1573 switch (c) { 1574 case '\'': 1575 case '"': 1576 quotec = c; 1577 while (1) { 1578 if ((c = lgetc(quotec)) == EOF) 1579 return (0); 1580 if (c == '\n') { 1581 file->lineno++; 1582 continue; 1583 } else if (c == '\\') { 1584 if ((next = lgetc(quotec)) == EOF) 1585 return (0); 1586 if (next == quotec || next == ' ' || 1587 next == '\t') 1588 c = next; 1589 else if (next == '\n') { 1590 file->lineno++; 1591 continue; 1592 } else 1593 lungetc(next); 1594 } else if (c == quotec) { 1595 *p = '\0'; 1596 break; 1597 } else if (c == '\0') { 1598 yyerror("syntax error"); 1599 return (findeol()); 1600 } 1601 if (p + 1 >= buf + sizeof(buf) - 1) { 1602 yyerror("string too long"); 1603 return (findeol()); 1604 } 1605 *p++ = c; 1606 } 1607 yylval.v.string = strdup(buf); 1608 if (yylval.v.string == NULL) 1609 err(1, "%s", __func__); 1610 return (STRING); 1611 } 1612 1613 #define allowed_to_end_number(x) \ 1614 (isspace(x) || x == ')' || x ==',' || x == '/' || x == '}' || x == '=') 1615 1616 if (c == '-' || isdigit(c)) { 1617 do { 1618 *p++ = c; 1619 if ((size_t)(p-buf) >= sizeof(buf)) { 1620 yyerror("string too long"); 1621 return (findeol()); 1622 } 1623 } while ((c = lgetc(0)) != EOF && isdigit(c)); 1624 lungetc(c); 1625 if (p == buf + 1 && buf[0] == '-') 1626 goto nodigits; 1627 if (c == EOF || allowed_to_end_number(c)) { 1628 const char *errstr = NULL; 1629 1630 *p = '\0'; 1631 yylval.v.number = strtonum(buf, LLONG_MIN, 1632 LLONG_MAX, &errstr); 1633 if (errstr) { 1634 yyerror("\"%s\" invalid number: %s", 1635 buf, errstr); 1636 return (findeol()); 1637 } 1638 return (NUMBER); 1639 } else { 1640 nodigits: 1641 while (p > buf + 1) 1642 lungetc((unsigned char)*--p); 1643 c = (unsigned char)*--p; 1644 if (c == '-') 1645 return (c); 1646 } 1647 } 1648 1649 #define allowed_in_string(x) \ 1650 (isalnum(x) || (ispunct(x) && x != '(' && x != ')' && \ 1651 x != '{' && x != '}' && x != '<' && x != '>' && \ 1652 x != '!' && x != '=' && x != '/' && x != '#' && \ 1653 x != ',')) 1654 1655 if (isalnum(c) || c == ':' || c == '_' || c == '*') { 1656 do { 1657 *p++ = c; 1658 if ((size_t)(p-buf) >= sizeof(buf)) { 1659 yyerror("string too long"); 1660 return (findeol()); 1661 } 1662 } while ((c = lgetc(0)) != EOF && (allowed_in_string(c))); 1663 lungetc(c); 1664 *p = '\0'; 1665 if ((token = lookup(buf)) == STRING) 1666 if ((yylval.v.string = strdup(buf)) == NULL) 1667 err(1, "%s", __func__); 1668 return (token); 1669 } 1670 if (c == '\n') { 1671 yylval.lineno = file->lineno; 1672 file->lineno++; 1673 } 1674 if (c == EOF) 1675 return (0); 1676 return (c); 1677 } 1678 1679 int 1680 check_file_secrecy(int fd, const char *fname) 1681 { 1682 struct stat st; 1683 1684 if (fstat(fd, &st)) { 1685 warn("cannot stat %s", fname); 1686 return (-1); 1687 } 1688 if (st.st_uid != 0 && st.st_uid != getuid()) { 1689 warnx("%s: owner not root or current user", fname); 1690 return (-1); 1691 } 1692 if (st.st_mode & (S_IWGRP | S_IXGRP | S_IRWXO)) { 1693 warnx("%s: group writable or world read/writable", fname); 1694 return (-1); 1695 } 1696 return (0); 1697 } 1698 1699 struct file * 1700 pushfile(const char *name, int secret) 1701 { 1702 struct file *nfile; 1703 1704 if ((nfile = calloc(1, sizeof(struct file))) == NULL) { 1705 warn("%s", __func__); 1706 return (NULL); 1707 } 1708 if ((nfile->name = strdup(name)) == NULL) { 1709 warn("%s", __func__); 1710 free(nfile); 1711 return (NULL); 1712 } 1713 if (TAILQ_FIRST(&files) == NULL && strcmp(nfile->name, "-") == 0) { 1714 nfile->stream = stdin; 1715 free(nfile->name); 1716 if ((nfile->name = strdup("stdin")) == NULL) { 1717 warn("%s", __func__); 1718 free(nfile); 1719 return (NULL); 1720 } 1721 } else if ((nfile->stream = fopen(nfile->name, "r")) == NULL) { 1722 warn("%s: %s", __func__, nfile->name); 1723 free(nfile->name); 1724 free(nfile); 1725 return (NULL); 1726 } else if (secret && 1727 check_file_secrecy(fileno(nfile->stream), nfile->name)) { 1728 fclose(nfile->stream); 1729 free(nfile->name); 1730 free(nfile); 1731 return (NULL); 1732 } 1733 nfile->lineno = TAILQ_EMPTY(&files) ? 1 : 0; 1734 nfile->ungetsize = 16; 1735 nfile->ungetbuf = malloc(nfile->ungetsize); 1736 if (nfile->ungetbuf == NULL) { 1737 warn("%s", __func__); 1738 fclose(nfile->stream); 1739 free(nfile->name); 1740 free(nfile); 1741 return (NULL); 1742 } 1743 TAILQ_INSERT_TAIL(&files, nfile, entry); 1744 return (nfile); 1745 } 1746 1747 int 1748 popfile(void) 1749 { 1750 struct file *prev; 1751 1752 if ((prev = TAILQ_PREV(file, files, entry)) != NULL) 1753 prev->errors += file->errors; 1754 1755 TAILQ_REMOVE(&files, file, entry); 1756 fclose(file->stream); 1757 free(file->name); 1758 free(file->ungetbuf); 1759 free(file); 1760 file = prev; 1761 1762 return (file ? 0 : EOF); 1763 } 1764 1765 int 1766 parse_config(const char *filename, struct iked *x_env) 1767 { 1768 struct sym *sym; 1769 int errors = 0; 1770 1771 env = x_env; 1772 rules = 0; 1773 1774 if ((file = pushfile(filename, 1)) == NULL) 1775 return (-1); 1776 topfile = file; 1777 1778 free(ocsp_url); 1779 1780 mobike = 1; 1781 enforcesingleikesa = stickyaddress = 0; 1782 cert_partial_chain = decouple = passive = 0; 1783 ocsp_tolerate = 0; 1784 ocsp_url = NULL; 1785 ocsp_maxage = -1; 1786 fragmentation = 0; 1787 dpd_interval = IKED_IKE_SA_ALIVE_TIMEOUT; 1788 decouple = passive = 0; 1789 ocsp_url = NULL; 1790 1791 if (env->sc_opts & IKED_OPT_PASSIVE) 1792 passive = 1; 1793 1794 yyparse(); 1795 errors = file->errors; 1796 popfile(); 1797 1798 env->sc_passive = passive ? 1 : 0; 1799 env->sc_decoupled = decouple ? 1 : 0; 1800 env->sc_mobike = mobike; 1801 env->sc_enforcesingleikesa = enforcesingleikesa; 1802 env->sc_stickyaddress = stickyaddress; 1803 env->sc_frag = fragmentation; 1804 env->sc_alive_timeout = dpd_interval; 1805 env->sc_ocsp_url = ocsp_url; 1806 env->sc_ocsp_tolerate = ocsp_tolerate; 1807 env->sc_ocsp_maxage = ocsp_maxage; 1808 env->sc_cert_partial_chain = cert_partial_chain; 1809 1810 if (!rules) 1811 log_warnx("%s: no valid configuration rules found", 1812 filename); 1813 else 1814 log_debug("%s: loaded %d configuration rules", 1815 filename, rules); 1816 1817 /* Free macros and check which have not been used. */ 1818 while ((sym = TAILQ_FIRST(&symhead))) { 1819 if (!sym->used) 1820 log_debug("warning: macro '%s' not " 1821 "used\n", sym->nam); 1822 free(sym->nam); 1823 free(sym->val); 1824 TAILQ_REMOVE(&symhead, sym, entry); 1825 free(sym); 1826 } 1827 1828 iaw_free(iftab); 1829 iftab = NULL; 1830 1831 return (errors ? -1 : 0); 1832 } 1833 1834 int 1835 symset(const char *nam, const char *val, int persist) 1836 { 1837 struct sym *sym; 1838 1839 TAILQ_FOREACH(sym, &symhead, entry) { 1840 if (strcmp(nam, sym->nam) == 0) 1841 break; 1842 } 1843 1844 if (sym != NULL) { 1845 if (sym->persist == 1) 1846 return (0); 1847 else { 1848 free(sym->nam); 1849 free(sym->val); 1850 TAILQ_REMOVE(&symhead, sym, entry); 1851 free(sym); 1852 } 1853 } 1854 if ((sym = calloc(1, sizeof(*sym))) == NULL) 1855 return (-1); 1856 1857 sym->nam = strdup(nam); 1858 if (sym->nam == NULL) { 1859 free(sym); 1860 return (-1); 1861 } 1862 sym->val = strdup(val); 1863 if (sym->val == NULL) { 1864 free(sym->nam); 1865 free(sym); 1866 return (-1); 1867 } 1868 sym->used = 0; 1869 sym->persist = persist; 1870 TAILQ_INSERT_TAIL(&symhead, sym, entry); 1871 return (0); 1872 } 1873 1874 int 1875 cmdline_symset(char *s) 1876 { 1877 char *sym, *val; 1878 int ret; 1879 1880 if ((val = strrchr(s, '=')) == NULL) 1881 return (-1); 1882 1883 sym = strndup(s, val - s); 1884 if (sym == NULL) 1885 err(1, "%s", __func__); 1886 ret = symset(sym, val + 1, 1); 1887 free(sym); 1888 1889 return (ret); 1890 } 1891 1892 char * 1893 symget(const char *nam) 1894 { 1895 struct sym *sym; 1896 1897 TAILQ_FOREACH(sym, &symhead, entry) { 1898 if (strcmp(nam, sym->nam) == 0) { 1899 sym->used = 1; 1900 return (sym->val); 1901 } 1902 } 1903 return (NULL); 1904 } 1905 1906 uint8_t 1907 x2i(unsigned char *s) 1908 { 1909 char ss[3]; 1910 1911 ss[0] = s[0]; 1912 ss[1] = s[1]; 1913 ss[2] = 0; 1914 1915 if (!isxdigit(s[0]) || !isxdigit(s[1])) { 1916 yyerror("keys need to be specified in hex digits"); 1917 return (-1); 1918 } 1919 return ((uint8_t)strtoul(ss, NULL, 16)); 1920 } 1921 1922 int 1923 parsekey(unsigned char *hexkey, size_t len, struct iked_auth *auth) 1924 { 1925 unsigned int i; 1926 1927 bzero(auth, sizeof(*auth)); 1928 if ((len / 2) > sizeof(auth->auth_data)) 1929 return (-1); 1930 auth->auth_length = len / 2; 1931 1932 for (i = 0; i < auth->auth_length; i++) 1933 auth->auth_data[i] = x2i(hexkey + 2 * i); 1934 1935 return (0); 1936 } 1937 1938 int 1939 parsekeyfile(char *filename, struct iked_auth *auth) 1940 { 1941 struct stat sb; 1942 int fd, ret; 1943 unsigned char *hex; 1944 1945 if ((fd = open(filename, O_RDONLY)) == -1) 1946 err(1, "open %s", filename); 1947 if (fstat(fd, &sb) == -1) 1948 err(1, "parsekeyfile: stat %s", filename); 1949 if ((sb.st_size > KEYSIZE_LIMIT) || (sb.st_size == 0)) 1950 errx(1, "%s: key too %s", filename, sb.st_size ? "large" : 1951 "small"); 1952 if ((hex = calloc(sb.st_size, sizeof(unsigned char))) == NULL) 1953 err(1, "parsekeyfile: calloc"); 1954 if (read(fd, hex, sb.st_size) < sb.st_size) 1955 err(1, "parsekeyfile: read"); 1956 close(fd); 1957 ret = parsekey(hex, sb.st_size, auth); 1958 free(hex); 1959 return (ret); 1960 } 1961 1962 int 1963 get_id_type(char *string) 1964 { 1965 struct in6_addr ia; 1966 1967 if (string == NULL) 1968 return (IKEV2_ID_NONE); 1969 1970 if (*string == '/') 1971 return (IKEV2_ID_ASN1_DN); 1972 else if (inet_pton(AF_INET, string, &ia) == 1) 1973 return (IKEV2_ID_IPV4); 1974 else if (inet_pton(AF_INET6, string, &ia) == 1) 1975 return (IKEV2_ID_IPV6); 1976 else if (strchr(string, '@')) 1977 return (IKEV2_ID_UFQDN); 1978 else 1979 return (IKEV2_ID_FQDN); 1980 } 1981 1982 struct ipsec_addr_wrap * 1983 host(const char *s) 1984 { 1985 struct ipsec_addr_wrap *ipa = NULL; 1986 int mask = -1; 1987 char *p, *ps; 1988 const char *errstr; 1989 1990 if ((ps = strdup(s)) == NULL) 1991 err(1, "%s: strdup", __func__); 1992 1993 if ((p = strchr(ps, '/')) != NULL) { 1994 mask = strtonum(p+1, 0, 128, &errstr); 1995 if (errstr) { 1996 fprintf(stderr, "netmask is %s: %s\n", errstr, p); 1997 goto error; 1998 } 1999 p[0] = '\0'; 2000 } 2001 2002 if ((ipa = host_if(ps, mask)) == NULL && 2003 (ipa = host_ip(ps, mask)) == NULL && 2004 (ipa = host_dns(ps, mask)) == NULL) 2005 fprintf(stderr, "no IP address found for %s\n", s); 2006 2007 error: 2008 free(ps); 2009 return (ipa); 2010 } 2011 2012 struct ipsec_addr_wrap * 2013 host_ip(const char *s, int mask) 2014 { 2015 struct ipsec_addr_wrap *ipa = NULL; 2016 struct addrinfo hints, *res; 2017 char hbuf[NI_MAXHOST]; 2018 2019 bzero(&hints, sizeof(struct addrinfo)); 2020 hints.ai_family = AF_UNSPEC; 2021 hints.ai_socktype = SOCK_DGRAM; /*dummy*/ 2022 hints.ai_flags = AI_NUMERICHOST; 2023 if (getaddrinfo(s, NULL, &hints, &res)) 2024 return (NULL); 2025 if (res->ai_next) 2026 err(1, "%s: %s expanded to multiple item", __func__, s); 2027 2028 ipa = calloc(1, sizeof(struct ipsec_addr_wrap)); 2029 if (ipa == NULL) 2030 err(1, "%s", __func__); 2031 ipa->af = res->ai_family; 2032 copy_sockaddrtoipa(ipa, res->ai_addr); 2033 ipa->next = NULL; 2034 ipa->tail = ipa; 2035 2036 set_ipmask(ipa, mask); 2037 if (getnameinfo(res->ai_addr, res->ai_addrlen, 2038 hbuf, sizeof(hbuf), NULL, 0, NI_NUMERICHOST)) { 2039 errx(1, "could not get a numeric hostname"); 2040 } 2041 2042 if (mask > -1) { 2043 ipa->netaddress = 1; 2044 if (asprintf(&ipa->name, "%s/%d", hbuf, mask) == -1) 2045 err(1, "%s", __func__); 2046 } else { 2047 if ((ipa->name = strdup(hbuf)) == NULL) 2048 err(1, "%s", __func__); 2049 } 2050 2051 freeaddrinfo(res); 2052 2053 return (ipa); 2054 } 2055 2056 struct ipsec_addr_wrap * 2057 host_dns(const char *s, int mask) 2058 { 2059 struct ipsec_addr_wrap *ipa = NULL, *head = NULL; 2060 struct addrinfo hints, *res0, *res; 2061 int error; 2062 char hbuf[NI_MAXHOST]; 2063 2064 bzero(&hints, sizeof(struct addrinfo)); 2065 hints.ai_family = PF_UNSPEC; 2066 hints.ai_socktype = SOCK_STREAM; 2067 hints.ai_flags = AI_ADDRCONFIG; 2068 error = getaddrinfo(s, NULL, &hints, &res0); 2069 if (error) 2070 return (NULL); 2071 2072 for (res = res0; res; res = res->ai_next) { 2073 if (res->ai_family != AF_INET && res->ai_family != AF_INET6) 2074 continue; 2075 2076 ipa = calloc(1, sizeof(struct ipsec_addr_wrap)); 2077 if (ipa == NULL) 2078 err(1, "%s", __func__); 2079 copy_sockaddrtoipa(ipa, res->ai_addr); 2080 error = getnameinfo(res->ai_addr, res->ai_addrlen, hbuf, 2081 sizeof(hbuf), NULL, 0, NI_NUMERICHOST); 2082 if (error) 2083 err(1, "host_dns: getnameinfo"); 2084 ipa->name = strdup(hbuf); 2085 if (ipa->name == NULL) 2086 err(1, "%s", __func__); 2087 ipa->af = res->ai_family; 2088 ipa->next = NULL; 2089 ipa->tail = ipa; 2090 if (head == NULL) 2091 head = ipa; 2092 else { 2093 head->tail->next = ipa; 2094 head->tail = ipa; 2095 } 2096 2097 /* 2098 * XXX for now, no netmask support for IPv6. 2099 * but since there's no way to specify address family, once you 2100 * have IPv6 address on a host, you cannot use dns/netmask 2101 * syntax. 2102 */ 2103 if (ipa->af == AF_INET) 2104 set_ipmask(ipa, mask == -1 ? 32 : mask); 2105 else 2106 if (mask != -1) 2107 err(1, "host_dns: cannot apply netmask " 2108 "on non-IPv4 address"); 2109 } 2110 freeaddrinfo(res0); 2111 2112 return (head); 2113 } 2114 2115 struct ipsec_addr_wrap * 2116 host_if(const char *s, int mask) 2117 { 2118 struct ipsec_addr_wrap *ipa = NULL; 2119 2120 if (ifa_exists(s)) 2121 ipa = ifa_lookup(s); 2122 2123 return (ipa); 2124 } 2125 2126 struct ipsec_addr_wrap * 2127 host_any(void) 2128 { 2129 struct ipsec_addr_wrap *ipa; 2130 2131 ipa = calloc(1, sizeof(struct ipsec_addr_wrap)); 2132 if (ipa == NULL) 2133 err(1, "%s", __func__); 2134 ipa->af = AF_UNSPEC; 2135 ipa->netaddress = 1; 2136 ipa->tail = ipa; 2137 ipa->type = IPSEC_ADDR_ANY; 2138 return (ipa); 2139 } 2140 2141 struct ipsec_addr_wrap * 2142 host_dynamic(void) 2143 { 2144 struct ipsec_addr_wrap *ipa; 2145 2146 ipa = calloc(1, sizeof(struct ipsec_addr_wrap)); 2147 if (ipa == NULL) 2148 err(1, "%s", __func__); 2149 ipa->af = AF_UNSPEC; 2150 ipa->tail = ipa; 2151 ipa->type = IPSEC_ADDR_DYNAMIC; 2152 return (ipa); 2153 } 2154 2155 void 2156 ifa_load(void) 2157 { 2158 struct ifaddrs *ifap, *ifa; 2159 struct ipsec_addr_wrap *n = NULL, *h = NULL; 2160 struct sockaddr_in *sa_in; 2161 struct sockaddr_in6 *sa_in6; 2162 2163 if (getifaddrs(&ifap) == -1) 2164 err(1, "ifa_load: getifaddrs"); 2165 2166 for (ifa = ifap; ifa; ifa = ifa->ifa_next) { 2167 if (ifa->ifa_addr == NULL || 2168 !(ifa->ifa_addr->sa_family == AF_INET || 2169 ifa->ifa_addr->sa_family == AF_INET6 || 2170 ifa->ifa_addr->sa_family == AF_LINK)) 2171 continue; 2172 n = calloc(1, sizeof(struct ipsec_addr_wrap)); 2173 if (n == NULL) 2174 err(1, "%s", __func__); 2175 n->af = ifa->ifa_addr->sa_family; 2176 if ((n->name = strdup(ifa->ifa_name)) == NULL) 2177 err(1, "%s", __func__); 2178 if (n->af == AF_INET) { 2179 sa_in = (struct sockaddr_in *)ifa->ifa_addr; 2180 memcpy(&n->address, sa_in, sizeof(*sa_in)); 2181 sa_in = (struct sockaddr_in *)ifa->ifa_netmask; 2182 n->mask = mask2prefixlen((struct sockaddr *)sa_in); 2183 } else if (n->af == AF_INET6) { 2184 sa_in6 = (struct sockaddr_in6 *)ifa->ifa_addr; 2185 memcpy(&n->address, sa_in6, sizeof(*sa_in6)); 2186 sa_in6 = (struct sockaddr_in6 *)ifa->ifa_netmask; 2187 n->mask = mask2prefixlen6((struct sockaddr *)sa_in6); 2188 } 2189 n->next = NULL; 2190 n->tail = n; 2191 if (h == NULL) 2192 h = n; 2193 else { 2194 h->tail->next = n; 2195 h->tail = n; 2196 } 2197 } 2198 2199 iftab = h; 2200 freeifaddrs(ifap); 2201 } 2202 2203 int 2204 ifa_exists(const char *ifa_name) 2205 { 2206 struct ipsec_addr_wrap *n; 2207 struct ifgroupreq ifgr; 2208 int s; 2209 2210 if (iftab == NULL) 2211 ifa_load(); 2212 2213 /* check wether this is a group */ 2214 if ((s = socket(AF_INET, SOCK_DGRAM, 0)) == -1) 2215 err(1, "ifa_exists: socket"); 2216 bzero(&ifgr, sizeof(ifgr)); 2217 strlcpy(ifgr.ifgr_name, ifa_name, sizeof(ifgr.ifgr_name)); 2218 if (ioctl(s, SIOCGIFGMEMB, (caddr_t)&ifgr) == 0) { 2219 close(s); 2220 return (1); 2221 } 2222 close(s); 2223 2224 for (n = iftab; n; n = n->next) { 2225 if (n->af == AF_LINK && !strncmp(n->name, ifa_name, 2226 IFNAMSIZ)) 2227 return (1); 2228 } 2229 2230 return (0); 2231 } 2232 2233 struct ipsec_addr_wrap * 2234 ifa_grouplookup(const char *ifa_name) 2235 { 2236 struct ifg_req *ifg; 2237 struct ifgroupreq ifgr; 2238 int s; 2239 size_t len; 2240 struct ipsec_addr_wrap *n, *h = NULL, *hn; 2241 2242 if ((s = socket(AF_INET, SOCK_DGRAM, 0)) == -1) 2243 err(1, "socket"); 2244 bzero(&ifgr, sizeof(ifgr)); 2245 strlcpy(ifgr.ifgr_name, ifa_name, sizeof(ifgr.ifgr_name)); 2246 if (ioctl(s, SIOCGIFGMEMB, (caddr_t)&ifgr) == -1) { 2247 close(s); 2248 return (NULL); 2249 } 2250 2251 len = ifgr.ifgr_len; 2252 if ((ifgr.ifgr_groups = calloc(1, len)) == NULL) 2253 err(1, "%s", __func__); 2254 if (ioctl(s, SIOCGIFGMEMB, (caddr_t)&ifgr) == -1) 2255 err(1, "ioctl"); 2256 2257 for (ifg = ifgr.ifgr_groups; ifg && len >= sizeof(struct ifg_req); 2258 ifg++) { 2259 len -= sizeof(struct ifg_req); 2260 if ((n = ifa_lookup(ifg->ifgrq_member)) == NULL) 2261 continue; 2262 if (h == NULL) 2263 h = n; 2264 else { 2265 for (hn = h; hn->next != NULL; hn = hn->next) 2266 ; /* nothing */ 2267 hn->next = n; 2268 n->tail = hn; 2269 } 2270 } 2271 free(ifgr.ifgr_groups); 2272 close(s); 2273 2274 return (h); 2275 } 2276 2277 struct ipsec_addr_wrap * 2278 ifa_lookup(const char *ifa_name) 2279 { 2280 struct ipsec_addr_wrap *p = NULL, *h = NULL, *n = NULL; 2281 struct sockaddr_in6 *in6; 2282 uint8_t *s6; 2283 2284 if (iftab == NULL) 2285 ifa_load(); 2286 2287 if ((n = ifa_grouplookup(ifa_name)) != NULL) 2288 return (n); 2289 2290 for (p = iftab; p; p = p->next) { 2291 if (p->af != AF_INET && p->af != AF_INET6) 2292 continue; 2293 if (strncmp(p->name, ifa_name, IFNAMSIZ)) 2294 continue; 2295 n = calloc(1, sizeof(struct ipsec_addr_wrap)); 2296 if (n == NULL) 2297 err(1, "%s", __func__); 2298 memcpy(n, p, sizeof(struct ipsec_addr_wrap)); 2299 if ((n->name = strdup(p->name)) == NULL) 2300 err(1, "%s", __func__); 2301 switch (n->af) { 2302 case AF_INET: 2303 set_ipmask(n, 32); 2304 break; 2305 case AF_INET6: 2306 in6 = (struct sockaddr_in6 *)&n->address; 2307 s6 = (uint8_t *)&in6->sin6_addr.s6_addr; 2308 2309 /* route/show.c and bgpd/util.c give KAME credit */ 2310 if (IN6_IS_ADDR_LINKLOCAL(&in6->sin6_addr)) { 2311 uint16_t tmp16; 2312 2313 /* for now we can not handle link local, 2314 * therefore bail for now 2315 */ 2316 free(n->name); 2317 free(n); 2318 continue; 2319 2320 memcpy(&tmp16, &s6[2], sizeof(tmp16)); 2321 /* use this when we support link-local 2322 * n->??.scopeid = ntohs(tmp16); 2323 */ 2324 s6[2] = 0; 2325 s6[3] = 0; 2326 } 2327 set_ipmask(n, 128); 2328 break; 2329 } 2330 2331 n->next = NULL; 2332 n->tail = n; 2333 if (h == NULL) 2334 h = n; 2335 else { 2336 h->tail->next = n; 2337 h->tail = n; 2338 } 2339 } 2340 2341 return (h); 2342 } 2343 2344 void 2345 set_ipmask(struct ipsec_addr_wrap *address, int b) 2346 { 2347 if (b == -1) 2348 address->mask = address->af == AF_INET ? 32 : 128; 2349 else 2350 address->mask = b; 2351 } 2352 2353 const struct ipsec_xf * 2354 parse_xf(const char *name, unsigned int length, const struct ipsec_xf xfs[]) 2355 { 2356 int i; 2357 2358 for (i = 0; xfs[i].name != NULL; i++) { 2359 if (strncmp(name, xfs[i].name, strlen(name))) 2360 continue; 2361 if (length == 0 || length == xfs[i].length) 2362 return &xfs[i]; 2363 } 2364 return (NULL); 2365 } 2366 2367 int 2368 encxf_noauth(unsigned int id) 2369 { 2370 int i; 2371 2372 for (i = 0; ikeencxfs[i].name != NULL; i++) 2373 if (ikeencxfs[i].id == id) 2374 return ikeencxfs[i].noauth; 2375 return (0); 2376 } 2377 2378 size_t 2379 keylength_xf(unsigned int saproto, unsigned int type, unsigned int id) 2380 { 2381 int i; 2382 const struct ipsec_xf *xfs; 2383 2384 switch (type) { 2385 case IKEV2_XFORMTYPE_ENCR: 2386 if (saproto == IKEV2_SAPROTO_IKE) 2387 xfs = ikeencxfs; 2388 else 2389 xfs = ipsecencxfs; 2390 break; 2391 case IKEV2_XFORMTYPE_INTEGR: 2392 xfs = authxfs; 2393 break; 2394 default: 2395 return (0); 2396 } 2397 2398 for (i = 0; xfs[i].name != NULL; i++) { 2399 if (xfs[i].id == id) 2400 return (xfs[i].length * 8); 2401 } 2402 return (0); 2403 } 2404 2405 size_t 2406 noncelength_xf(unsigned int type, unsigned int id) 2407 { 2408 const struct ipsec_xf *xfs = ipsecencxfs; 2409 int i; 2410 2411 if (type != IKEV2_XFORMTYPE_ENCR) 2412 return (0); 2413 2414 for (i = 0; xfs[i].name != NULL; i++) 2415 if (xfs[i].id == id) 2416 return (xfs[i].nonce * 8); 2417 return (0); 2418 } 2419 2420 void 2421 copy_transforms(unsigned int type, 2422 const struct ipsec_xf **xfs, unsigned int nxfs, 2423 struct iked_transform **dst, unsigned int *ndst, 2424 struct iked_transform *src, size_t nsrc) 2425 { 2426 unsigned int i; 2427 struct iked_transform *a, *b; 2428 const struct ipsec_xf *xf; 2429 2430 if (nxfs) { 2431 for (i = 0; i < nxfs; i++) { 2432 xf = xfs[i]; 2433 *dst = recallocarray(*dst, *ndst, 2434 *ndst + 1, sizeof(struct iked_transform)); 2435 if (*dst == NULL) 2436 err(1, "%s", __func__); 2437 b = *dst + (*ndst)++; 2438 2439 b->xform_type = type; 2440 b->xform_id = xf->id; 2441 b->xform_keylength = xf->length * 8; 2442 b->xform_length = xf->keylength * 8; 2443 } 2444 return; 2445 } 2446 2447 for (i = 0; i < nsrc; i++) { 2448 a = src + i; 2449 if (a->xform_type != type) 2450 continue; 2451 *dst = recallocarray(*dst, *ndst, 2452 *ndst + 1, sizeof(struct iked_transform)); 2453 if (*dst == NULL) 2454 err(1, "%s", __func__); 2455 b = *dst + (*ndst)++; 2456 memcpy(b, a, sizeof(*b)); 2457 } 2458 } 2459 2460 int 2461 create_ike(char *name, int af, struct ipsec_addr_wrap *ipproto, 2462 int rdomain, struct ipsec_hosts *hosts, 2463 struct ipsec_hosts *peers, struct ipsec_mode *ike_sa, 2464 struct ipsec_mode *ipsec_sa, uint8_t saproto, 2465 uint8_t flags, char *srcid, char *dstid, 2466 uint32_t ikelifetime, struct iked_lifetime *lt, 2467 struct iked_auth *authtype, struct ipsec_filters *filter, 2468 struct ipsec_addr_wrap *ikecfg, char *iface) 2469 { 2470 char idstr[IKED_ID_SIZE]; 2471 struct ipsec_addr_wrap *ipa, *ipb, *ipp; 2472 struct iked_auth *ikeauth; 2473 struct iked_policy pol; 2474 struct iked_proposal *p, *ptmp; 2475 struct iked_transform *xf; 2476 unsigned int i, j, xfi, noauth, auth; 2477 unsigned int ikepropid = 1, ipsecpropid = 1; 2478 struct iked_flow *flow, *ftmp; 2479 static unsigned int policy_id = 0; 2480 struct iked_cfg *cfg; 2481 int ret = -1; 2482 2483 bzero(&pol, sizeof(pol)); 2484 bzero(idstr, sizeof(idstr)); 2485 2486 pol.pol_id = ++policy_id; 2487 pol.pol_certreqtype = env->sc_certreqtype; 2488 pol.pol_af = af; 2489 pol.pol_saproto = saproto; 2490 for (i = 0, ipp = ipproto; ipp; ipp = ipp->next, i++) { 2491 if (i > IKED_IPPROTO_MAX) { 2492 yyerror("too many protocols"); 2493 return (-1); 2494 } 2495 pol.pol_ipproto[i] = ipp->type; 2496 pol.pol_nipproto++; 2497 } 2498 2499 pol.pol_flags = flags; 2500 pol.pol_rdomain = rdomain; 2501 memcpy(&pol.pol_auth, authtype, sizeof(struct iked_auth)); 2502 explicit_bzero(authtype, sizeof(*authtype)); 2503 2504 if (name != NULL) { 2505 if (strlcpy(pol.pol_name, name, 2506 sizeof(pol.pol_name)) >= sizeof(pol.pol_name)) { 2507 yyerror("name too long"); 2508 return (-1); 2509 } 2510 } else { 2511 snprintf(pol.pol_name, sizeof(pol.pol_name), 2512 "policy%d", policy_id); 2513 } 2514 2515 if (iface != NULL) { 2516 pol.pol_iface = if_nametoindex(iface); 2517 if (pol.pol_iface == 0) { 2518 yyerror("invalid iface"); 2519 return (-1); 2520 } 2521 } 2522 2523 if (srcid) { 2524 pol.pol_localid.id_type = get_id_type(srcid); 2525 pol.pol_localid.id_length = strlen(srcid); 2526 if (strlcpy((char *)pol.pol_localid.id_data, 2527 srcid, IKED_ID_SIZE) >= IKED_ID_SIZE) { 2528 yyerror("srcid too long"); 2529 return (-1); 2530 } 2531 } 2532 if (dstid) { 2533 pol.pol_peerid.id_type = get_id_type(dstid); 2534 pol.pol_peerid.id_length = strlen(dstid); 2535 if (strlcpy((char *)pol.pol_peerid.id_data, 2536 dstid, IKED_ID_SIZE) >= IKED_ID_SIZE) { 2537 yyerror("dstid too long"); 2538 return (-1); 2539 } 2540 } 2541 2542 if (filter != NULL) { 2543 if (filter->tag) 2544 strlcpy(pol.pol_tag, filter->tag, sizeof(pol.pol_tag)); 2545 pol.pol_tap = filter->tap; 2546 } 2547 2548 if (peers == NULL) { 2549 if (pol.pol_flags & IKED_POLICY_ACTIVE) { 2550 yyerror("active mode requires peer specification"); 2551 return (-1); 2552 } 2553 pol.pol_flags |= IKED_POLICY_DEFAULT|IKED_POLICY_SKIP; 2554 } 2555 2556 if (peers && peers->src && peers->dst && 2557 (peers->src->af != AF_UNSPEC) && (peers->dst->af != AF_UNSPEC) && 2558 (peers->src->af != peers->dst->af)) 2559 fatalx("create_ike: peer address family mismatch"); 2560 2561 if (peers && (pol.pol_af != AF_UNSPEC) && 2562 ((peers->src && (peers->src->af != AF_UNSPEC) && 2563 (peers->src->af != pol.pol_af)) || 2564 (peers->dst && (peers->dst->af != AF_UNSPEC) && 2565 (peers->dst->af != pol.pol_af)))) 2566 fatalx("create_ike: policy address family mismatch"); 2567 2568 ipa = ipb = NULL; 2569 if (peers) { 2570 if (peers->src) 2571 ipa = peers->src; 2572 if (peers->dst) 2573 ipb = peers->dst; 2574 if (ipa == NULL && ipb == NULL) { 2575 if (hosts->src && hosts->src->next == NULL) 2576 ipa = hosts->src; 2577 if (hosts->dst && hosts->dst->next == NULL) 2578 ipb = hosts->dst; 2579 } 2580 } 2581 if (ipa == NULL && ipb == NULL) { 2582 yyerror("could not get local/peer specification"); 2583 return (-1); 2584 } 2585 if (pol.pol_flags & IKED_POLICY_ACTIVE) { 2586 if (ipb == NULL || ipb->netaddress || 2587 (ipa != NULL && ipa->netaddress)) { 2588 yyerror("active mode requires local/peer address"); 2589 return (-1); 2590 } 2591 } 2592 if (ipa) { 2593 memcpy(&pol.pol_local.addr, &ipa->address, 2594 sizeof(ipa->address)); 2595 pol.pol_local.addr_af = ipa->af; 2596 pol.pol_local.addr_mask = ipa->mask; 2597 pol.pol_local.addr_net = ipa->netaddress; 2598 if (pol.pol_af == AF_UNSPEC) 2599 pol.pol_af = ipa->af; 2600 } 2601 if (ipb) { 2602 memcpy(&pol.pol_peer.addr, &ipb->address, 2603 sizeof(ipb->address)); 2604 pol.pol_peer.addr_af = ipb->af; 2605 pol.pol_peer.addr_mask = ipb->mask; 2606 pol.pol_peer.addr_net = ipb->netaddress; 2607 if (pol.pol_af == AF_UNSPEC) 2608 pol.pol_af = ipb->af; 2609 } 2610 2611 if (ikelifetime) 2612 pol.pol_rekey = ikelifetime; 2613 2614 if (lt) 2615 pol.pol_lifetime = *lt; 2616 else 2617 pol.pol_lifetime = deflifetime; 2618 2619 TAILQ_INIT(&pol.pol_proposals); 2620 RB_INIT(&pol.pol_flows); 2621 2622 if (ike_sa == NULL || ike_sa->nxfs == 0) { 2623 /* AES-GCM proposal */ 2624 if ((p = calloc(1, sizeof(*p))) == NULL) 2625 err(1, "%s", __func__); 2626 p->prop_id = ikepropid++; 2627 p->prop_protoid = IKEV2_SAPROTO_IKE; 2628 p->prop_nxforms = ikev2_default_nike_transforms_noauth; 2629 p->prop_xforms = ikev2_default_ike_transforms_noauth; 2630 TAILQ_INSERT_TAIL(&pol.pol_proposals, p, prop_entry); 2631 pol.pol_nproposals++; 2632 2633 /* Non GCM proposal */ 2634 if ((p = calloc(1, sizeof(*p))) == NULL) 2635 err(1, "%s", __func__); 2636 p->prop_id = ikepropid++; 2637 p->prop_protoid = IKEV2_SAPROTO_IKE; 2638 p->prop_nxforms = ikev2_default_nike_transforms; 2639 p->prop_xforms = ikev2_default_ike_transforms; 2640 TAILQ_INSERT_TAIL(&pol.pol_proposals, p, prop_entry); 2641 pol.pol_nproposals++; 2642 } else { 2643 for (i = 0; i < ike_sa->nxfs; i++) { 2644 noauth = auth = 0; 2645 for (j = 0; j < ike_sa->xfs[i]->nencxf; j++) { 2646 if (ike_sa->xfs[i]->encxf[j]->noauth) 2647 noauth++; 2648 else 2649 auth++; 2650 } 2651 for (j = 0; j < ike_sa->xfs[i]->ngroupxf; j++) { 2652 if (ike_sa->xfs[i]->groupxf[j]->id 2653 == IKEV2_XFORMDH_NONE) { 2654 yyerror("IKE group can not be \"none\"."); 2655 goto done; 2656 } 2657 } 2658 if (ike_sa->xfs[i]->nauthxf) 2659 auth++; 2660 2661 if (ike_sa->xfs[i]->nesnxf) { 2662 yyerror("cannot use ESN with ikesa."); 2663 goto done; 2664 } 2665 if (noauth && noauth != ike_sa->xfs[i]->nencxf) { 2666 yyerror("cannot mix encryption transforms with " 2667 "implicit and non-implicit authentication"); 2668 goto done; 2669 } 2670 if (noauth && ike_sa->xfs[i]->nauthxf) { 2671 yyerror("authentication is implicit for given " 2672 "encryption transforms"); 2673 goto done; 2674 } 2675 2676 if (!auth) { 2677 if ((p = calloc(1, sizeof(*p))) == NULL) 2678 err(1, "%s", __func__); 2679 2680 xf = NULL; 2681 xfi = 0; 2682 copy_transforms(IKEV2_XFORMTYPE_ENCR, 2683 ike_sa->xfs[i]->encxf, 2684 ike_sa->xfs[i]->nencxf, &xf, &xfi, 2685 ikev2_default_ike_transforms_noauth, 2686 ikev2_default_nike_transforms_noauth); 2687 copy_transforms(IKEV2_XFORMTYPE_DH, 2688 ike_sa->xfs[i]->groupxf, 2689 ike_sa->xfs[i]->ngroupxf, &xf, &xfi, 2690 ikev2_default_ike_transforms_noauth, 2691 ikev2_default_nike_transforms_noauth); 2692 copy_transforms(IKEV2_XFORMTYPE_PRF, 2693 ike_sa->xfs[i]->prfxf, 2694 ike_sa->xfs[i]->nprfxf, &xf, &xfi, 2695 ikev2_default_ike_transforms_noauth, 2696 ikev2_default_nike_transforms_noauth); 2697 2698 p->prop_id = ikepropid++; 2699 p->prop_protoid = IKEV2_SAPROTO_IKE; 2700 p->prop_xforms = xf; 2701 p->prop_nxforms = xfi; 2702 TAILQ_INSERT_TAIL(&pol.pol_proposals, p, prop_entry); 2703 pol.pol_nproposals++; 2704 } 2705 if (!noauth) { 2706 if ((p = calloc(1, sizeof(*p))) == NULL) 2707 err(1, "%s", __func__); 2708 2709 xf = NULL; 2710 xfi = 0; 2711 copy_transforms(IKEV2_XFORMTYPE_INTEGR, 2712 ike_sa->xfs[i]->authxf, 2713 ike_sa->xfs[i]->nauthxf, &xf, &xfi, 2714 ikev2_default_ike_transforms, 2715 ikev2_default_nike_transforms); 2716 copy_transforms(IKEV2_XFORMTYPE_ENCR, 2717 ike_sa->xfs[i]->encxf, 2718 ike_sa->xfs[i]->nencxf, &xf, &xfi, 2719 ikev2_default_ike_transforms, 2720 ikev2_default_nike_transforms); 2721 copy_transforms(IKEV2_XFORMTYPE_DH, 2722 ike_sa->xfs[i]->groupxf, 2723 ike_sa->xfs[i]->ngroupxf, &xf, &xfi, 2724 ikev2_default_ike_transforms, 2725 ikev2_default_nike_transforms); 2726 copy_transforms(IKEV2_XFORMTYPE_PRF, 2727 ike_sa->xfs[i]->prfxf, 2728 ike_sa->xfs[i]->nprfxf, &xf, &xfi, 2729 ikev2_default_ike_transforms, 2730 ikev2_default_nike_transforms); 2731 2732 p->prop_id = ikepropid++; 2733 p->prop_protoid = IKEV2_SAPROTO_IKE; 2734 p->prop_xforms = xf; 2735 p->prop_nxforms = xfi; 2736 TAILQ_INSERT_TAIL(&pol.pol_proposals, p, prop_entry); 2737 pol.pol_nproposals++; 2738 } 2739 } 2740 } 2741 2742 if (ipsec_sa == NULL || ipsec_sa->nxfs == 0) { 2743 if ((p = calloc(1, sizeof(*p))) == NULL) 2744 err(1, "%s", __func__); 2745 p->prop_id = ipsecpropid++; 2746 p->prop_protoid = saproto; 2747 p->prop_nxforms = ikev2_default_nesp_transforms_noauth; 2748 p->prop_xforms = ikev2_default_esp_transforms_noauth; 2749 TAILQ_INSERT_TAIL(&pol.pol_proposals, p, prop_entry); 2750 pol.pol_nproposals++; 2751 2752 if ((p = calloc(1, sizeof(*p))) == NULL) 2753 err(1, "%s", __func__); 2754 p->prop_id = ipsecpropid++; 2755 p->prop_protoid = saproto; 2756 p->prop_nxforms = ikev2_default_nesp_transforms; 2757 p->prop_xforms = ikev2_default_esp_transforms; 2758 TAILQ_INSERT_TAIL(&pol.pol_proposals, p, prop_entry); 2759 pol.pol_nproposals++; 2760 } else { 2761 for (i = 0; i < ipsec_sa->nxfs; i++) { 2762 noauth = auth = 0; 2763 for (j = 0; j < ipsec_sa->xfs[i]->nencxf; j++) { 2764 if (ipsec_sa->xfs[i]->encxf[j]->noauth) 2765 noauth++; 2766 else 2767 auth++; 2768 } 2769 if (ipsec_sa->xfs[i]->nauthxf) 2770 auth++; 2771 2772 if (noauth && noauth != ipsec_sa->xfs[i]->nencxf) { 2773 yyerror("cannot mix encryption transforms with " 2774 "implicit and non-implicit authentication"); 2775 goto done; 2776 } 2777 if (noauth && ipsec_sa->xfs[i]->nauthxf) { 2778 yyerror("authentication is implicit for given " 2779 "encryption transforms"); 2780 goto done; 2781 } 2782 2783 if (!auth) { 2784 if ((p = calloc(1, sizeof(*p))) == NULL) 2785 err(1, "%s", __func__); 2786 2787 xf = NULL; 2788 xfi = 0; 2789 copy_transforms(IKEV2_XFORMTYPE_ENCR, 2790 ipsec_sa->xfs[i]->encxf, 2791 ipsec_sa->xfs[i]->nencxf, &xf, &xfi, 2792 ikev2_default_esp_transforms_noauth, 2793 ikev2_default_nesp_transforms_noauth); 2794 copy_transforms(IKEV2_XFORMTYPE_DH, 2795 ipsec_sa->xfs[i]->groupxf, 2796 ipsec_sa->xfs[i]->ngroupxf, &xf, &xfi, 2797 ikev2_default_esp_transforms_noauth, 2798 ikev2_default_nesp_transforms_noauth); 2799 copy_transforms(IKEV2_XFORMTYPE_ESN, 2800 ipsec_sa->xfs[i]->esnxf, 2801 ipsec_sa->xfs[i]->nesnxf, &xf, &xfi, 2802 ikev2_default_esp_transforms_noauth, 2803 ikev2_default_nesp_transforms_noauth); 2804 2805 p->prop_id = ipsecpropid++; 2806 p->prop_protoid = saproto; 2807 p->prop_xforms = xf; 2808 p->prop_nxforms = xfi; 2809 TAILQ_INSERT_TAIL(&pol.pol_proposals, p, prop_entry); 2810 pol.pol_nproposals++; 2811 } 2812 if (!noauth) { 2813 if ((p = calloc(1, sizeof(*p))) == NULL) 2814 err(1, "%s", __func__); 2815 2816 xf = NULL; 2817 xfi = 0; 2818 copy_transforms(IKEV2_XFORMTYPE_INTEGR, 2819 ipsec_sa->xfs[i]->authxf, 2820 ipsec_sa->xfs[i]->nauthxf, &xf, &xfi, 2821 ikev2_default_esp_transforms, 2822 ikev2_default_nesp_transforms); 2823 copy_transforms(IKEV2_XFORMTYPE_ENCR, 2824 ipsec_sa->xfs[i]->encxf, 2825 ipsec_sa->xfs[i]->nencxf, &xf, &xfi, 2826 ikev2_default_esp_transforms, 2827 ikev2_default_nesp_transforms); 2828 copy_transforms(IKEV2_XFORMTYPE_DH, 2829 ipsec_sa->xfs[i]->groupxf, 2830 ipsec_sa->xfs[i]->ngroupxf, &xf, &xfi, 2831 ikev2_default_esp_transforms, 2832 ikev2_default_nesp_transforms); 2833 copy_transforms(IKEV2_XFORMTYPE_ESN, 2834 ipsec_sa->xfs[i]->esnxf, 2835 ipsec_sa->xfs[i]->nesnxf, &xf, &xfi, 2836 ikev2_default_esp_transforms, 2837 ikev2_default_nesp_transforms); 2838 2839 p->prop_id = ipsecpropid++; 2840 p->prop_protoid = saproto; 2841 p->prop_xforms = xf; 2842 p->prop_nxforms = xfi; 2843 TAILQ_INSERT_TAIL(&pol.pol_proposals, p, prop_entry); 2844 pol.pol_nproposals++; 2845 } 2846 } 2847 } 2848 2849 for (ipa = hosts->src, ipb = hosts->dst; ipa && ipb; 2850 ipa = ipa->next, ipb = ipb->next) { 2851 for (j = 0; j < pol.pol_nipproto; j++) 2852 if (expand_flows(&pol, pol.pol_ipproto[j], ipa, ipb)) 2853 fatalx("create_ike: invalid flow"); 2854 if (pol.pol_nipproto == 0) 2855 if (expand_flows(&pol, 0, ipa, ipb)) 2856 fatalx("create_ike: invalid flow"); 2857 } 2858 2859 for (j = 0, ipa = ikecfg; ipa; ipa = ipa->next, j++) { 2860 if (j >= IKED_CFG_MAX) 2861 break; 2862 cfg = &pol.pol_cfg[j]; 2863 pol.pol_ncfg++; 2864 2865 cfg->cfg_action = ipa->action; 2866 cfg->cfg_type = ipa->type; 2867 memcpy(&cfg->cfg.address.addr, &ipa->address, 2868 sizeof(ipa->address)); 2869 cfg->cfg.address.addr_mask = ipa->mask; 2870 cfg->cfg.address.addr_net = ipa->netaddress; 2871 cfg->cfg.address.addr_af = ipa->af; 2872 } 2873 2874 if (dstid) 2875 strlcpy(idstr, dstid, sizeof(idstr)); 2876 else if (!pol.pol_peer.addr_net) 2877 print_host((struct sockaddr *)&pol.pol_peer.addr, idstr, 2878 sizeof(idstr)); 2879 2880 ikeauth = &pol.pol_auth; 2881 switch (ikeauth->auth_method) { 2882 case IKEV2_AUTH_RSA_SIG: 2883 pol.pol_certreqtype = IKEV2_CERT_RSA_KEY; 2884 break; 2885 case IKEV2_AUTH_ECDSA_256: 2886 case IKEV2_AUTH_ECDSA_384: 2887 case IKEV2_AUTH_ECDSA_521: 2888 pol.pol_certreqtype = IKEV2_CERT_ECDSA; 2889 break; 2890 default: 2891 pol.pol_certreqtype = IKEV2_CERT_NONE; 2892 break; 2893 } 2894 2895 log_debug("%s: using %s for peer %s", __func__, 2896 print_xf(ikeauth->auth_method, 0, methodxfs), idstr); 2897 2898 config_setpolicy(env, &pol, PROC_IKEV2); 2899 config_setflow(env, &pol, PROC_IKEV2); 2900 2901 rules++; 2902 ret = 0; 2903 2904 done: 2905 if (ike_sa) { 2906 for (i = 0; i < ike_sa->nxfs; i++) { 2907 free(ike_sa->xfs[i]->authxf); 2908 free(ike_sa->xfs[i]->encxf); 2909 free(ike_sa->xfs[i]->groupxf); 2910 free(ike_sa->xfs[i]->prfxf); 2911 free(ike_sa->xfs[i]); 2912 } 2913 free(ike_sa->xfs); 2914 free(ike_sa); 2915 } 2916 if (ipsec_sa) { 2917 for (i = 0; i < ipsec_sa->nxfs; i++) { 2918 free(ipsec_sa->xfs[i]->authxf); 2919 free(ipsec_sa->xfs[i]->encxf); 2920 free(ipsec_sa->xfs[i]->groupxf); 2921 free(ipsec_sa->xfs[i]->prfxf); 2922 free(ipsec_sa->xfs[i]); 2923 } 2924 free(ipsec_sa->xfs); 2925 free(ipsec_sa); 2926 } 2927 TAILQ_FOREACH_SAFE(p, &pol.pol_proposals, prop_entry, ptmp) { 2928 if (p->prop_xforms != ikev2_default_ike_transforms && 2929 p->prop_xforms != ikev2_default_ike_transforms_noauth && 2930 p->prop_xforms != ikev2_default_esp_transforms && 2931 p->prop_xforms != ikev2_default_esp_transforms_noauth) 2932 free(p->prop_xforms); 2933 free(p); 2934 } 2935 if (peers != NULL) { 2936 iaw_free(peers->src); 2937 iaw_free(peers->dst); 2938 /* peers is static, cannot be freed */ 2939 } 2940 if (hosts != NULL) { 2941 iaw_free(hosts->src); 2942 iaw_free(hosts->dst); 2943 free(hosts); 2944 } 2945 iaw_free(ikecfg); 2946 iaw_free(ipproto); 2947 RB_FOREACH_SAFE(flow, iked_flows, &pol.pol_flows, ftmp) { 2948 RB_REMOVE(iked_flows, &pol.pol_flows, flow); 2949 free(flow); 2950 } 2951 free(name); 2952 free(srcid); 2953 free(dstid); 2954 return (ret); 2955 } 2956 2957 static int 2958 create_flow(struct iked_policy *pol, int proto, struct ipsec_addr_wrap *ipa, 2959 struct ipsec_addr_wrap *ipb) 2960 { 2961 struct iked_flow *flow; 2962 struct ipsec_addr_wrap *ippn; 2963 2964 if (ipa->af != ipb->af) { 2965 yyerror("cannot mix different address families."); 2966 return (-1); 2967 } 2968 2969 if ((flow = calloc(1, sizeof(struct iked_flow))) == NULL) 2970 fatalx("%s: failed to alloc flow.", __func__); 2971 2972 memcpy(&flow->flow_src.addr, &ipa->address, 2973 sizeof(ipa->address)); 2974 flow->flow_src.addr_af = ipa->af; 2975 flow->flow_src.addr_mask = ipa->mask; 2976 flow->flow_src.addr_net = ipa->netaddress; 2977 flow->flow_src.addr_port = ipa->port; 2978 2979 memcpy(&flow->flow_dst.addr, &ipb->address, 2980 sizeof(ipb->address)); 2981 flow->flow_dst.addr_af = ipb->af; 2982 flow->flow_dst.addr_mask = ipb->mask; 2983 flow->flow_dst.addr_net = ipb->netaddress; 2984 flow->flow_dst.addr_port = ipb->port; 2985 2986 ippn = ipa->srcnat; 2987 if (ippn) { 2988 memcpy(&flow->flow_prenat.addr, &ippn->address, 2989 sizeof(ippn->address)); 2990 flow->flow_prenat.addr_af = ippn->af; 2991 flow->flow_prenat.addr_mask = ippn->mask; 2992 flow->flow_prenat.addr_net = ippn->netaddress; 2993 } else { 2994 flow->flow_prenat.addr_af = 0; 2995 } 2996 2997 flow->flow_dir = IPSP_DIRECTION_OUT; 2998 flow->flow_ipproto = proto; 2999 flow->flow_saproto = pol->pol_saproto; 3000 flow->flow_rdomain = pol->pol_rdomain; 3001 3002 if (RB_INSERT(iked_flows, &pol->pol_flows, flow) == NULL) 3003 pol->pol_nflows++; 3004 else { 3005 warnx("create_ike: duplicate flow"); 3006 free(flow); 3007 } 3008 3009 return (0); 3010 } 3011 3012 static int 3013 expand_flows(struct iked_policy *pol, int proto, struct ipsec_addr_wrap *src, 3014 struct ipsec_addr_wrap *dst) 3015 { 3016 struct ipsec_addr_wrap *ipa = NULL, *ipb = NULL; 3017 int ret = -1; 3018 int srcaf, dstaf; 3019 3020 srcaf = src->af; 3021 dstaf = dst->af; 3022 3023 if (src->af == AF_UNSPEC && 3024 dst->af == AF_UNSPEC) { 3025 /* Need both IPv4 and IPv6 flows */ 3026 src->af = dst->af = AF_INET; 3027 ipa = expand_keyword(src); 3028 ipb = expand_keyword(dst); 3029 if (!ipa || !ipb) 3030 goto done; 3031 if (create_flow(pol, proto, ipa, ipb)) 3032 goto done; 3033 3034 iaw_free(ipa); 3035 iaw_free(ipb); 3036 src->af = dst->af = AF_INET6; 3037 ipa = expand_keyword(src); 3038 ipb = expand_keyword(dst); 3039 if (!ipa || !ipb) 3040 goto done; 3041 if (create_flow(pol, proto, ipa, ipb)) 3042 goto done; 3043 } else if (src->af == AF_UNSPEC) { 3044 src->af = dst->af; 3045 ipa = expand_keyword(src); 3046 if (!ipa) 3047 goto done; 3048 if (create_flow(pol, proto, ipa, dst)) 3049 goto done; 3050 } else if (dst->af == AF_UNSPEC) { 3051 dst->af = src->af; 3052 ipa = expand_keyword(dst); 3053 if (!ipa) 3054 goto done; 3055 if (create_flow(pol, proto, src, ipa)) 3056 goto done; 3057 } else if (create_flow(pol, proto, src, dst)) 3058 goto done; 3059 ret = 0; 3060 done: 3061 src->af = srcaf; 3062 dst->af = dstaf; 3063 iaw_free(ipa); 3064 iaw_free(ipb); 3065 return (ret); 3066 } 3067 3068 static struct ipsec_addr_wrap * 3069 expand_keyword(struct ipsec_addr_wrap *ip) 3070 { 3071 switch(ip->af) { 3072 case AF_INET: 3073 switch(ip->type) { 3074 case IPSEC_ADDR_ANY: 3075 return (host("0.0.0.0/0")); 3076 case IPSEC_ADDR_DYNAMIC: 3077 return (host("0.0.0.0")); 3078 } 3079 break; 3080 case AF_INET6: 3081 switch(ip->type) { 3082 case IPSEC_ADDR_ANY: 3083 return (host("::/0")); 3084 case IPSEC_ADDR_DYNAMIC: 3085 return (host("::")); 3086 } 3087 } 3088 return (NULL); 3089 } 3090 3091 int 3092 create_user(const char *user, const char *pass) 3093 { 3094 struct iked_user usr; 3095 3096 bzero(&usr, sizeof(usr)); 3097 3098 if (*user == '\0' || (strlcpy(usr.usr_name, user, 3099 sizeof(usr.usr_name)) >= sizeof(usr.usr_name))) { 3100 yyerror("invalid user name"); 3101 return (-1); 3102 } 3103 if (*pass == '\0' || (strlcpy(usr.usr_pass, pass, 3104 sizeof(usr.usr_pass)) >= sizeof(usr.usr_pass))) { 3105 yyerror("invalid password"); 3106 explicit_bzero(&usr, sizeof usr); /* zap partial password */ 3107 return (-1); 3108 } 3109 3110 config_setuser(env, &usr, PROC_IKEV2); 3111 3112 rules++; 3113 3114 explicit_bzero(&usr, sizeof usr); 3115 return (0); 3116 } 3117 3118 void 3119 iaw_free(struct ipsec_addr_wrap *head) 3120 { 3121 struct ipsec_addr_wrap *n, *cur; 3122 3123 if (head == NULL) 3124 return; 3125 3126 for (n = head; n != NULL; ) { 3127 cur = n; 3128 n = n->next; 3129 if (cur->srcnat != NULL) { 3130 free(cur->srcnat->name); 3131 free(cur->srcnat); 3132 } 3133 free(cur->name); 3134 free(cur); 3135 } 3136 } 3137