GCC Code Coverage Report
Directory: ./ Exec Total Coverage
File: sbin/iked/parse.y Lines: 0 975 0.0 %
Date: 2017-11-13 Branches: 0 711 0.0 %

Line Branch Exec Source
1
/*	$OpenBSD: parse.y,v 1.65 2017/04/24 07:07:25 reyk Exp $	*/
2
3
/*
4
 * Copyright (c) 2010-2013 Reyk Floeter <reyk@openbsd.org>
5
 * Copyright (c) 2004, 2005 Hans-Joerg Hoexer <hshoexer@openbsd.org>
6
 * Copyright (c) 2002, 2003, 2004 Henning Brauer <henning@openbsd.org>
7
 * Copyright (c) 2001 Markus Friedl.  All rights reserved.
8
 * Copyright (c) 2001 Daniel Hartmeier.  All rights reserved.
9
 * Copyright (c) 2001 Theo de Raadt.  All rights reserved.
10
 *
11
 * Permission to use, copy, modify, and distribute this software for any
12
 * purpose with or without fee is hereby granted, provided that the above
13
 * copyright notice and this permission notice appear in all copies.
14
 *
15
 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
16
 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
17
 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
18
 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
19
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
20
 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
21
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
22
 */
23
24
%{
25
#include <sys/types.h>
26
#include <sys/ioctl.h>
27
#include <sys/queue.h>
28
#include <sys/socket.h>
29
#include <sys/stat.h>
30
#include <net/if.h>
31
#include <netinet/in.h>
32
#include <arpa/inet.h>
33
34
#include <openssl/pem.h>
35
#include <openssl/evp.h>
36
37
#include <ctype.h>
38
#include <err.h>
39
#include <errno.h>
40
#include <fcntl.h>
41
#include <ifaddrs.h>
42
#include <limits.h>
43
#include <netdb.h>
44
#include <stdarg.h>
45
#include <stdio.h>
46
#include <stdlib.h>
47
#include <string.h>
48
#include <syslog.h>
49
#include <unistd.h>
50
#include <netdb.h>
51
#include <event.h>
52
53
#include "iked.h"
54
#include "ikev2.h"
55
#include "eap.h"
56
57
TAILQ_HEAD(files, file)		 files = TAILQ_HEAD_INITIALIZER(files);
58
static struct file {
59
	TAILQ_ENTRY(file)	 entry;
60
	FILE			*stream;
61
	char			*name;
62
	int			 lineno;
63
	int			 errors;
64
} *file;
65
EVP_PKEY	*wrap_pubkey(FILE *);
66
EVP_PKEY	*find_pubkey(const char *);
67
int		 set_policy(char *, int, struct iked_policy *);
68
int		 set_policy_auth_method(const char *, EVP_PKEY *,
69
		     struct iked_policy *);
70
struct file	*pushfile(const char *, int);
71
int		 popfile(void);
72
int		 check_file_secrecy(int, const char *);
73
int		 yyparse(void);
74
int		 yylex(void);
75
int		 yyerror(const char *, ...)
76
    __attribute__((__format__ (printf, 1, 2)))
77
    __attribute__((__nonnull__ (1)));
78
int		 kw_cmp(const void *, const void *);
79
int		 lookup(char *);
80
int		 lgetc(int);
81
int		 lungetc(int);
82
int		 findeol(void);
83
84
TAILQ_HEAD(symhead, sym)	 symhead = TAILQ_HEAD_INITIALIZER(symhead);
85
struct sym {
86
	TAILQ_ENTRY(sym)	 entry;
87
	int			 used;
88
	int			 persist;
89
	char			*nam;
90
	char			*val;
91
};
92
int		 symset(const char *, const char *, int);
93
char		*symget(const char *);
94
95
#define KEYSIZE_LIMIT	1024
96
97
static struct iked	*env = NULL;
98
static int		 debug = 0;
99
static int		 rules = 0;
100
static int		 passive = 0;
101
static int		 decouple = 0;
102
static char		*ocsp_url = NULL;
103
104
struct ipsec_xf {
105
	const char	*name;
106
	unsigned int	 id;
107
	unsigned int	 length;
108
	unsigned int	 keylength;
109
	unsigned int	 nonce;
110
	unsigned int	 noauth;
111
};
112
113
struct ipsec_transforms {
114
	const struct ipsec_xf *authxf;
115
	const struct ipsec_xf *prfxf;
116
	const struct ipsec_xf *encxf;
117
	const struct ipsec_xf *groupxf;
118
	const struct ipsec_xf *esnxf;
119
};
120
121
struct ipsec_mode {
122
	struct ipsec_transforms	*xfs;
123
	uint8_t			 ike_exch;
124
};
125
126
struct iked_transform ikev2_default_ike_transforms[] = {
127
	{ IKEV2_XFORMTYPE_ENCR, IKEV2_XFORMENCR_AES_CBC, 256 },
128
	{ IKEV2_XFORMTYPE_ENCR, IKEV2_XFORMENCR_AES_CBC, 192 },
129
	{ IKEV2_XFORMTYPE_ENCR, IKEV2_XFORMENCR_AES_CBC, 128 },
130
	{ IKEV2_XFORMTYPE_ENCR, IKEV2_XFORMENCR_3DES },
131
	{ IKEV2_XFORMTYPE_PRF,	IKEV2_XFORMPRF_HMAC_SHA2_256 },
132
	{ IKEV2_XFORMTYPE_PRF,	IKEV2_XFORMPRF_HMAC_SHA1 },
133
	{ IKEV2_XFORMTYPE_INTEGR, IKEV2_XFORMAUTH_HMAC_SHA2_256_128 },
134
	{ IKEV2_XFORMTYPE_INTEGR, IKEV2_XFORMAUTH_HMAC_SHA1_96 },
135
	{ IKEV2_XFORMTYPE_DH,	IKEV2_XFORMDH_MODP_2048 },
136
	{ IKEV2_XFORMTYPE_DH,	IKEV2_XFORMDH_MODP_1536 },
137
	{ IKEV2_XFORMTYPE_DH,	IKEV2_XFORMDH_MODP_1024 },
138
	{ 0 }
139
};
140
size_t ikev2_default_nike_transforms = ((sizeof(ikev2_default_ike_transforms) /
141
    sizeof(ikev2_default_ike_transforms[0])) - 1);
142
143
struct iked_transform ikev2_default_esp_transforms[] = {
144
	{ IKEV2_XFORMTYPE_ENCR, IKEV2_XFORMENCR_AES_CBC, 256 },
145
	{ IKEV2_XFORMTYPE_ENCR, IKEV2_XFORMENCR_AES_CBC, 192 },
146
	{ IKEV2_XFORMTYPE_ENCR, IKEV2_XFORMENCR_AES_CBC, 128 },
147
	{ IKEV2_XFORMTYPE_INTEGR, IKEV2_XFORMAUTH_HMAC_SHA2_256_128 },
148
	{ IKEV2_XFORMTYPE_INTEGR, IKEV2_XFORMAUTH_HMAC_SHA1_96 },
149
	{ IKEV2_XFORMTYPE_ESN,	IKEV2_XFORMESN_ESN },
150
	{ IKEV2_XFORMTYPE_ESN,	IKEV2_XFORMESN_NONE },
151
	{ 0 }
152
};
153
size_t ikev2_default_nesp_transforms = ((sizeof(ikev2_default_esp_transforms) /
154
    sizeof(ikev2_default_esp_transforms[0])) - 1);
155
156
const struct ipsec_xf authxfs[] = {
157
	{ "hmac-md5",		IKEV2_XFORMAUTH_HMAC_MD5_96,		16 },
158
	{ "hmac-sha1",		IKEV2_XFORMAUTH_HMAC_SHA1_96,		20 },
159
	{ "hmac-sha2-256",	IKEV2_XFORMAUTH_HMAC_SHA2_256_128,	32 },
160
	{ "hmac-sha2-384",	IKEV2_XFORMAUTH_HMAC_SHA2_384_192,	48 },
161
	{ "hmac-sha2-512",	IKEV2_XFORMAUTH_HMAC_SHA2_512_256,	64 },
162
	{ NULL }
163
};
164
165
const struct ipsec_xf prfxfs[] = {
166
	{ "hmac-md5",		IKEV2_XFORMPRF_HMAC_MD5,	16 },
167
	{ "hmac-sha1",		IKEV2_XFORMPRF_HMAC_SHA1,	20 },
168
	{ "hmac-sha2-256",	IKEV2_XFORMPRF_HMAC_SHA2_256,	32 },
169
	{ "hmac-sha2-384",	IKEV2_XFORMPRF_HMAC_SHA2_384,	48 },
170
	{ "hmac-sha2-512",	IKEV2_XFORMPRF_HMAC_SHA2_512,	64 },
171
	{ NULL }
172
};
173
174
const struct ipsec_xf *encxfs = NULL;
175
176
const struct ipsec_xf ikeencxfs[] = {
177
	{ "3des",		IKEV2_XFORMENCR_3DES,		24 },
178
	{ "3des-cbc",		IKEV2_XFORMENCR_3DES,		24 },
179
	{ "aes-128",		IKEV2_XFORMENCR_AES_CBC,	16, 16 },
180
	{ "aes-192",		IKEV2_XFORMENCR_AES_CBC,	24, 24 },
181
	{ "aes-256",		IKEV2_XFORMENCR_AES_CBC,	32, 32 },
182
	{ NULL }
183
};
184
185
const struct ipsec_xf ipsecencxfs[] = {
186
	{ "3des",		IKEV2_XFORMENCR_3DES,		24 },
187
	{ "3des-cbc",		IKEV2_XFORMENCR_3DES,		24 },
188
	{ "aes-128",		IKEV2_XFORMENCR_AES_CBC,	16, 16 },
189
	{ "aes-192",		IKEV2_XFORMENCR_AES_CBC,	24, 24 },
190
	{ "aes-256",		IKEV2_XFORMENCR_AES_CBC,	32, 32 },
191
	{ "aes-128-ctr",	IKEV2_XFORMENCR_AES_CTR,	16, 16, 4 },
192
	{ "aes-192-ctr",	IKEV2_XFORMENCR_AES_CTR,	24, 24, 4 },
193
	{ "aes-256-ctr",	IKEV2_XFORMENCR_AES_CTR,	32, 32, 4 },
194
	{ "aes-128-gcm",	IKEV2_XFORMENCR_AES_GCM_16,	16, 16, 4, 1 },
195
	{ "aes-192-gcm",	IKEV2_XFORMENCR_AES_GCM_16,	24, 24, 4, 1 },
196
	{ "aes-256-gcm",	IKEV2_XFORMENCR_AES_GCM_16,	32, 32, 4, 1 },
197
	{ "aes-128-gmac",	IKEV2_XFORMENCR_NULL_AES_GMAC,	16, 16, 4, 1 },
198
	{ "aes-192-gmac",	IKEV2_XFORMENCR_NULL_AES_GMAC,	24, 24, 4, 1 },
199
	{ "aes-256-gmac",	IKEV2_XFORMENCR_NULL_AES_GMAC,	32, 32, 4, 1 },
200
	{ "blowfish",		IKEV2_XFORMENCR_BLOWFISH,	20, 20 },
201
	{ "cast",		IKEV2_XFORMENCR_CAST,		16, 16 },
202
	{ "chacha20-poly1305",	IKEV2_XFORMENCR_CHACHA20_POLY1305,
203
								32, 32, 4, 1 },
204
	{ "null",		IKEV2_XFORMENCR_NULL,		0, 0 },
205
	{ NULL }
206
};
207
208
const struct ipsec_xf groupxfs[] = {
209
	{ "modp768",		IKEV2_XFORMDH_MODP_768 },
210
	{ "grp1",		IKEV2_XFORMDH_MODP_768 },
211
	{ "modp1024",		IKEV2_XFORMDH_MODP_1024 },
212
	{ "grp2",		IKEV2_XFORMDH_MODP_1024 },
213
	{ "ec2n155",		IKEV2_XFORMDH_EC2N_155 },
214
	{ "grp3",		IKEV2_XFORMDH_EC2N_155 },
215
	{ "ec2n185",		IKEV2_XFORMDH_EC2N_185 },
216
	{ "grp4",		IKEV2_XFORMDH_EC2N_185 },
217
	{ "modp1536",		IKEV2_XFORMDH_MODP_1536 },
218
	{ "grp5",		IKEV2_XFORMDH_MODP_1536 },
219
	{ "modp2048",		IKEV2_XFORMDH_MODP_2048 },
220
	{ "grp14",		IKEV2_XFORMDH_MODP_2048 },
221
	{ "modp3072",		IKEV2_XFORMDH_MODP_3072 },
222
	{ "grp15",		IKEV2_XFORMDH_MODP_3072 },
223
	{ "modp4096",		IKEV2_XFORMDH_MODP_4096 },
224
	{ "grp16",		IKEV2_XFORMDH_MODP_4096 },
225
	{ "modp6144",		IKEV2_XFORMDH_MODP_6144 },
226
	{ "grp17",		IKEV2_XFORMDH_MODP_6144 },
227
	{ "modp8192",		IKEV2_XFORMDH_MODP_8192 },
228
	{ "grp18",		IKEV2_XFORMDH_MODP_8192 },
229
	{ "ecp256",		IKEV2_XFORMDH_ECP_256 },
230
	{ "grp19",		IKEV2_XFORMDH_ECP_256 },
231
	{ "ecp384",		IKEV2_XFORMDH_ECP_384 },
232
	{ "grp20",		IKEV2_XFORMDH_ECP_384 },
233
	{ "ecp521",		IKEV2_XFORMDH_ECP_521 },
234
	{ "grp21",		IKEV2_XFORMDH_ECP_521 },
235
	{ "ecp192",		IKEV2_XFORMDH_ECP_192 },
236
	{ "grp25",		IKEV2_XFORMDH_ECP_192 },
237
	{ "ecp224",		IKEV2_XFORMDH_ECP_224 },
238
	{ "grp26",		IKEV2_XFORMDH_ECP_224 },
239
	{ "brainpool224",	IKEV2_XFORMDH_BRAINPOOL_P224R1 },
240
	{ "grp27",		IKEV2_XFORMDH_BRAINPOOL_P224R1 },
241
	{ "brainpool256",	IKEV2_XFORMDH_BRAINPOOL_P256R1 },
242
	{ "grp28",		IKEV2_XFORMDH_BRAINPOOL_P256R1 },
243
	{ "brainpool384",	IKEV2_XFORMDH_BRAINPOOL_P384R1 },
244
	{ "grp29",		IKEV2_XFORMDH_BRAINPOOL_P384R1 },
245
	{ "brainpool512",	IKEV2_XFORMDH_BRAINPOOL_P512R1 },
246
	{ "grp30",		IKEV2_XFORMDH_BRAINPOOL_P512R1 },
247
	{ "curve25519",		IKEV2_XFORMDH_X_CURVE25519 },
248
	{ NULL }
249
};
250
251
const struct ipsec_xf methodxfs[] = {
252
	{ "none",		IKEV2_AUTH_NONE },
253
	{ "rsa",		IKEV2_AUTH_RSA_SIG },
254
	{ "ecdsa256",		IKEV2_AUTH_ECDSA_256 },
255
	{ "ecdsa384",		IKEV2_AUTH_ECDSA_384 },
256
	{ "ecdsa521",		IKEV2_AUTH_ECDSA_521 },
257
	{ "rfc7427",		IKEV2_AUTH_SIG },
258
	{ "signature",		IKEV2_AUTH_SIG_ANY },
259
	{ NULL }
260
};
261
262
const struct ipsec_xf saxfs[] = {
263
	{ "esp",		IKEV2_SAPROTO_ESP },
264
	{ "ah",			IKEV2_SAPROTO_AH },
265
	{ NULL }
266
};
267
268
const struct ipsec_xf cpxfs[] = {
269
	{ "address", IKEV2_CFG_INTERNAL_IP4_ADDRESS,		AF_INET },
270
	{ "netmask", IKEV2_CFG_INTERNAL_IP4_NETMASK,		AF_INET },
271
	{ "name-server", IKEV2_CFG_INTERNAL_IP4_DNS,		AF_INET },
272
	{ "netbios-server", IKEV2_CFG_INTERNAL_IP4_NBNS,	AF_INET },
273
	{ "dhcp-server", IKEV2_CFG_INTERNAL_IP4_DHCP,		AF_INET },
274
	{ "address", IKEV2_CFG_INTERNAL_IP6_ADDRESS,		AF_INET6 },
275
	{ "name-server", IKEV2_CFG_INTERNAL_IP6_DNS,		AF_INET6 },
276
	{ "netbios-server", IKEV2_CFG_INTERNAL_IP6_NBNS,	AF_INET6 },
277
	{ "dhcp-server", IKEV2_CFG_INTERNAL_IP6_DHCP,		AF_INET6 },
278
	{ "protected-subnet", IKEV2_CFG_INTERNAL_IP4_SUBNET,	AF_INET },
279
	{ "protected-subnet", IKEV2_CFG_INTERNAL_IP6_SUBNET,	AF_INET6 },
280
	{ "access-server", IKEV2_CFG_INTERNAL_IP4_SERVER,	AF_INET },
281
	{ "access-server", IKEV2_CFG_INTERNAL_IP6_SERVER,	AF_INET6 },
282
	{ NULL }
283
};
284
285
const struct iked_lifetime deflifetime = {
286
	IKED_LIFETIME_BYTES,
287
	IKED_LIFETIME_SECONDS
288
};
289
290
struct ipsec_addr_wrap {
291
	struct sockaddr_storage	 address;
292
	uint8_t			 mask;
293
	int			 netaddress;
294
	sa_family_t		 af;
295
	unsigned int		 type;
296
	unsigned int		 action;
297
	char			*name;
298
	struct ipsec_addr_wrap	*next;
299
	struct ipsec_addr_wrap	*tail;
300
	struct ipsec_addr_wrap	*srcnat;
301
};
302
303
struct ipsec_hosts {
304
	struct ipsec_addr_wrap	*src;
305
	struct ipsec_addr_wrap	*dst;
306
	uint16_t		 sport;
307
	uint16_t		 dport;
308
};
309
310
struct ipsec_filters {
311
	char			*tag;
312
	unsigned int		 tap;
313
};
314
315
struct ipsec_addr_wrap	*host(const char *);
316
struct ipsec_addr_wrap	*host_v6(const char *, int);
317
struct ipsec_addr_wrap	*host_v4(const char *, int);
318
struct ipsec_addr_wrap	*host_dns(const char *, int);
319
struct ipsec_addr_wrap	*host_if(const char *, int);
320
struct ipsec_addr_wrap	*host_any(void);
321
void			 ifa_load(void);
322
int			 ifa_exists(const char *);
323
struct ipsec_addr_wrap	*ifa_lookup(const char *ifa_name);
324
struct ipsec_addr_wrap	*ifa_grouplookup(const char *);
325
void			 set_ipmask(struct ipsec_addr_wrap *, uint8_t);
326
const struct ipsec_xf	*parse_xf(const char *, unsigned int,
327
			    const struct ipsec_xf *);
328
const char		*print_xf(unsigned int, unsigned int,
329
			    const struct ipsec_xf *);
330
void			 copy_transforms(unsigned int, const struct ipsec_xf *,
331
			    const struct ipsec_xf *,
332
			    struct iked_transform *, size_t,
333
			    unsigned int *, struct iked_transform *, size_t);
334
int			 create_ike(char *, int, uint8_t, struct ipsec_hosts *,
335
			    struct ipsec_hosts *, struct ipsec_mode *,
336
			    struct ipsec_mode *, uint8_t,
337
			    uint8_t, char *, char *,
338
			    uint32_t, struct iked_lifetime *,
339
			    struct iked_auth *, struct ipsec_filters *,
340
			    struct ipsec_addr_wrap *);
341
int			 create_user(const char *, const char *);
342
int			 get_id_type(char *);
343
uint8_t			 x2i(unsigned char *);
344
int			 parsekey(unsigned char *, size_t, struct iked_auth *);
345
int			 parsekeyfile(char *, struct iked_auth *);
346
347
struct ipsec_transforms *ipsec_transforms;
348
struct ipsec_filters *ipsec_filters;
349
350
typedef struct {
351
	union {
352
		int64_t			 number;
353
		uint8_t			 ikemode;
354
		uint8_t			 dir;
355
		uint8_t			 satype;
356
		uint8_t			 proto;
357
		char			*string;
358
		uint16_t		 port;
359
		struct ipsec_hosts	*hosts;
360
		struct ipsec_hosts	 peers;
361
		struct ipsec_addr_wrap	*anyhost;
362
		struct ipsec_addr_wrap	*host;
363
		struct ipsec_addr_wrap	*cfg;
364
		struct {
365
			char		*srcid;
366
			char		*dstid;
367
		} ids;
368
		char			*id;
369
		uint8_t			 type;
370
		struct iked_lifetime	 lifetime;
371
		struct iked_auth	 ikeauth;
372
		struct iked_auth	 ikekey;
373
		struct ipsec_transforms	*transforms;
374
		struct ipsec_filters	*filters;
375
		struct ipsec_mode	*mode;
376
	} v;
377
	int lineno;
378
} YYSTYPE;
379
380
%}
381
382
%token	FROM ESP AH IN PEER ON OUT TO SRCID DSTID PSK PORT
383
%token	FILENAME AUTHXF PRFXF ENCXF ERROR IKEV2 IKESA CHILDSA
384
%token	PASSIVE ACTIVE ANY TAG TAP PROTO LOCAL GROUP NAME CONFIG EAP USER
385
%token	IKEV1 FLOW SA TCPMD5 TUNNEL TRANSPORT COUPLE DECOUPLE SET
386
%token	INCLUDE LIFETIME BYTES INET INET6 QUICK SKIP DEFAULT
387
%token	IPCOMP OCSP IKELIFETIME
388
%token	<v.string>		STRING
389
%token	<v.number>		NUMBER
390
%type	<v.string>		string
391
%type	<v.satype>		satype
392
%type	<v.proto>		proto
393
%type	<v.number>		protoval
394
%type	<v.hosts>		hosts hosts_list
395
%type	<v.port>		port
396
%type	<v.number>		portval af
397
%type	<v.peers>		peers
398
%type	<v.anyhost>		anyhost
399
%type	<v.host>		host host_spec
400
%type	<v.ids>			ids
401
%type	<v.id>			id
402
%type	<v.transforms>		transforms
403
%type	<v.filters>		filters
404
%type	<v.ikemode>		ikeflags ikematch ikemode ipcomp
405
%type	<v.ikeauth>		ikeauth
406
%type	<v.ikekey>		keyspec
407
%type	<v.mode>		ike_sa child_sa
408
%type	<v.lifetime>		lifetime
409
%type	<v.number>		byte_spec time_spec ikelifetime
410
%type	<v.string>		name
411
%type	<v.cfg>			cfg ikecfg ikecfgvals
412
%%
413
414
grammar		: /* empty */
415
		| grammar include '\n'
416
		| grammar '\n'
417
		| grammar set '\n'
418
		| grammar user '\n'
419
		| grammar ikev2rule '\n'
420
		| grammar varset '\n'
421
		| grammar otherrule skipline '\n'
422
		| grammar error '\n'		{ file->errors++; }
423
		;
424
425
comma		: ','
426
		| /* empty */
427
		;
428
429
include		: INCLUDE STRING		{
430
			struct file	*nfile;
431
432
			if ((nfile = pushfile($2, 0)) == NULL) {
433
				yyerror("failed to include file %s", $2);
434
				free($2);
435
				YYERROR;
436
			}
437
			free($2);
438
439
			file = nfile;
440
			lungetc('\n');
441
		}
442
		;
443
444
set		: SET ACTIVE	{ passive = 0; }
445
		| SET PASSIVE	{ passive = 1; }
446
		| SET COUPLE	{ decouple = 0; }
447
		| SET DECOUPLE	{ decouple = 1; }
448
		| SET OCSP STRING		{
449
			if ((ocsp_url = strdup($3)) == NULL) {
450
				yyerror("cannot set ocsp_url");
451
				YYERROR;
452
			}
453
		}
454
		;
455
456
user		: USER STRING STRING		{
457
			if (create_user($2, $3) == -1)
458
				YYERROR;
459
		}
460
		;
461
462
ikev2rule	: IKEV2 name ikeflags satype af proto hosts_list peers
463
		    ike_sa child_sa ids ikelifetime lifetime ikeauth ikecfg
464
		    filters {
465
			if (create_ike($2, $5, $6, $7, &$8, $9, $10, $4, $3,
466
			    $11.srcid, $11.dstid, $12, &$13, &$14,
467
			    $16, $15) == -1) {
468
				yyerror("create_ike failed");
469
				YYERROR;
470
			}
471
		}
472
		;
473
474
ikecfg		: /* empty */			{ $$ = NULL; }
475
		| ikecfgvals			{ $$ = $1; }
476
		;
477
478
ikecfgvals	: cfg				{ $$ = $1; }
479
		| ikecfgvals cfg		{
480
			if ($2 == NULL)
481
				$$ = $1;
482
			else if ($1 == NULL)
483
				$$ = $2;
484
			else {
485
				$1->tail->next = $2;
486
				$1->tail = $2->tail;
487
				$$ = $1;
488
			}
489
		}
490
		;
491
492
cfg		: CONFIG STRING host_spec	{
493
			const struct ipsec_xf	*xf;
494
495
			if ((xf = parse_xf($2, $3->af, cpxfs)) == NULL) {
496
				yyerror("not a valid ikecfg option");
497
				free($2);
498
				free($3);
499
				YYERROR;
500
			}
501
			$$ = $3;
502
			$$->type = xf->id;
503
			$$->action = IKEV2_CP_REPLY;	/* XXX */
504
		}
505
		;
506
507
name		: /* empty */			{ $$ = NULL; }
508
		| STRING			{
509
			$$ = $1;
510
		}
511
512
satype		: /* empty */			{ $$ = IKEV2_SAPROTO_ESP; }
513
		| ESP				{ $$ = IKEV2_SAPROTO_ESP; }
514
		| AH				{ $$ = IKEV2_SAPROTO_AH; }
515
		;
516
517
af		: /* empty */			{ $$ = AF_UNSPEC; }
518
		| INET				{ $$ = AF_INET; }
519
		| INET6				{ $$ = AF_INET6; }
520
		;
521
522
proto		: /* empty */			{ $$ = 0; }
523
		| PROTO protoval		{ $$ = $2; }
524
		| PROTO ESP			{ $$ = IPPROTO_ESP; }
525
		| PROTO AH			{ $$ = IPPROTO_AH; }
526
		;
527
528
protoval	: STRING			{
529
			struct protoent *p;
530
531
			p = getprotobyname($1);
532
			if (p == NULL) {
533
				yyerror("unknown protocol: %s", $1);
534
				YYERROR;
535
			}
536
			$$ = p->p_proto;
537
			free($1);
538
		}
539
		| NUMBER			{
540
			if ($1 > 255 || $1 < 0) {
541
				yyerror("protocol outside range");
542
				YYERROR;
543
			}
544
		}
545
		;
546
547
hosts_list	: hosts				{ $$ = $1; }
548
		| hosts_list comma hosts	{
549
			if ($3 == NULL)
550
				$$ = $1;
551
			else if ($1 == NULL)
552
				$$ = $3;
553
			else {
554
				$1->src->tail->next = $3->src;
555
				$1->src->tail = $3->src->tail;
556
				$1->dst->tail->next = $3->dst;
557
				$1->dst->tail = $3->dst->tail;
558
				$$ = $1;
559
			}
560
		}
561
		;
562
563
hosts		: FROM host port TO host port		{
564
			struct ipsec_addr_wrap *ipa;
565
			for (ipa = $5; ipa; ipa = ipa->next) {
566
				if (ipa->srcnat) {
567
					yyerror("no flow NAT support for"
568
					    " destination network: %s",
569
					    ipa->name);
570
					YYERROR;
571
				}
572
			}
573
574
			if (($$ = calloc(1, sizeof(*$$))) == NULL)
575
				err(1, "hosts: calloc");
576
577
			$$->src = $2;
578
			$$->sport = $3;
579
			$$->dst = $5;
580
			$$->dport = $6;
581
		}
582
		| TO host port FROM host port		{
583
			struct ipsec_addr_wrap *ipa;
584
			for (ipa = $2; ipa; ipa = ipa->next) {
585
				if (ipa->srcnat) {
586
					yyerror("no flow NAT support for"
587
					    " destination network: %s",
588
					    ipa->name);
589
					YYERROR;
590
				}
591
			}
592
			if (($$ = calloc(1, sizeof(*$$))) == NULL)
593
				err(1, "hosts: calloc");
594
595
			$$->src = $5;
596
			$$->sport = $6;
597
			$$->dst = $2;
598
			$$->dport = $3;
599
		}
600
		;
601
602
port		: /* empty */				{ $$ = 0; }
603
		| PORT portval				{ $$ = $2; }
604
		;
605
606
portval		: STRING				{
607
			struct servent *s;
608
609
			if ((s = getservbyname($1, "tcp")) != NULL ||
610
			    (s = getservbyname($1, "udp")) != NULL) {
611
				$$ = s->s_port;
612
			} else {
613
				yyerror("unknown port: %s", $1);
614
				YYERROR;
615
			}
616
		}
617
		| NUMBER				{
618
			if ($1 > USHRT_MAX || $1 < 0) {
619
				yyerror("port outside range");
620
				YYERROR;
621
			}
622
			$$ = htons($1);
623
		}
624
		;
625
626
peers		: /* empty */				{
627
			$$.dst = NULL;
628
			$$.src = NULL;
629
		}
630
		| PEER anyhost LOCAL anyhost		{
631
			$$.dst = $2;
632
			$$.src = $4;
633
		}
634
		| LOCAL anyhost PEER anyhost		{
635
			$$.dst = $4;
636
			$$.src = $2;
637
		}
638
		| PEER anyhost				{
639
			$$.dst = $2;
640
			$$.src = NULL;
641
		}
642
		| LOCAL anyhost				{
643
			$$.dst = NULL;
644
			$$.src = $2;
645
		}
646
		;
647
648
anyhost		: host_spec			{ $$ = $1; }
649
		| ANY				{
650
			$$ = host_any();
651
		}
652
653
host_spec	: STRING			{
654
			if (($$ = host($1)) == NULL) {
655
				free($1);
656
				yyerror("could not parse host specification");
657
				YYERROR;
658
			}
659
			free($1);
660
		}
661
		| STRING '/' NUMBER		{
662
			char	*buf;
663
664
			if (asprintf(&buf, "%s/%lld", $1, $3) == -1)
665
				err(1, "host: asprintf");
666
			free($1);
667
			if (($$ = host(buf)) == NULL)	{
668
				free(buf);
669
				yyerror("could not parse host specification");
670
				YYERROR;
671
			}
672
			free(buf);
673
		}
674
		;
675
676
host		: host_spec			{ $$ = $1; }
677
		| host_spec '(' host_spec ')'   {
678
			if (($1->af != AF_UNSPEC) && ($3->af != AF_UNSPEC) &&
679
			    ($3->af != $1->af)) {
680
				yyerror("Flow NAT address family mismatch");
681
				YYERROR;
682
			}
683
			$$ = $1;
684
			$$->srcnat = $3;
685
		}
686
		| ANY				{
687
			$$ = host_any();
688
		}
689
		;
690
691
ids		: /* empty */			{
692
			$$.srcid = NULL;
693
			$$.dstid = NULL;
694
		}
695
		| SRCID id DSTID id		{
696
			$$.srcid = $2;
697
			$$.dstid = $4;
698
		}
699
		| SRCID id			{
700
			$$.srcid = $2;
701
			$$.dstid = NULL;
702
		}
703
		| DSTID id			{
704
			$$.srcid = NULL;
705
			$$.dstid = $2;
706
		}
707
		;
708
709
id		: STRING			{ $$ = $1; }
710
		;
711
712
transforms	:					{
713
			if ((ipsec_transforms = calloc(1,
714
			    sizeof(struct ipsec_transforms))) == NULL)
715
				err(1, "transforms: calloc");
716
		}
717
		    transforms_l			{
718
			$$ = ipsec_transforms;
719
		}
720
		| /* empty */				{
721
			$$ = NULL;
722
		}
723
		;
724
725
transforms_l	: transforms_l transform
726
		| transform
727
		;
728
729
transform	: AUTHXF STRING			{
730
			if (ipsec_transforms->authxf)
731
				yyerror("auth already set");
732
			else {
733
				ipsec_transforms->authxf = parse_xf($2, 0,
734
				    authxfs);
735
				if (!ipsec_transforms->authxf)
736
					yyerror("%s not a valid transform", $2);
737
			}
738
		}
739
		| ENCXF STRING			{
740
			if (ipsec_transforms->encxf)
741
				yyerror("enc already set");
742
			else {
743
				ipsec_transforms->encxf = parse_xf($2, 0,
744
				    encxfs);
745
				if (!ipsec_transforms->encxf)
746
					yyerror("%s not a valid transform",
747
					    $2);
748
			}
749
		}
750
		| PRFXF STRING			{
751
			if (ipsec_transforms->prfxf)
752
				yyerror("prf already set");
753
			else {
754
				ipsec_transforms->prfxf = parse_xf($2, 0,
755
				    prfxfs);
756
				if (!ipsec_transforms->prfxf)
757
					yyerror("%s not a valid transform",
758
					    $2);
759
			}
760
		}
761
		| GROUP STRING			{
762
			if (ipsec_transforms->groupxf)
763
				yyerror("group already set");
764
			else {
765
				ipsec_transforms->groupxf = parse_xf($2, 0,
766
				    groupxfs);
767
				if (!ipsec_transforms->groupxf)
768
					yyerror("%s not a valid transform",
769
					    $2);
770
			}
771
		}
772
		;
773
774
ike_sa		: /* empty */	{
775
			$$ = NULL;
776
		}
777
		| IKESA		{
778
			encxfs = ikeencxfs;
779
		} transforms	{
780
			if (($$ = calloc(1, sizeof(*$$))) == NULL)
781
				err(1, "ike_sa: calloc");
782
			$$->xfs = $3;
783
		}
784
		;
785
786
child_sa	: /* empty */	{
787
			$$ = NULL;
788
		}
789
		| CHILDSA	{
790
			encxfs = ipsecencxfs;
791
		} transforms	{
792
			if (($$ = calloc(1, sizeof(*$$))) == NULL)
793
				err(1, "child_sa: calloc");
794
			$$->xfs = $3;
795
		}
796
		;
797
798
ikeflags	: ikematch ikemode ipcomp	{ $$ = $1 | $2 | $3; }
799
		;
800
801
ikematch	: /* empty */			{ $$ = 0; }
802
		| QUICK				{ $$ = IKED_POLICY_QUICK; }
803
		| SKIP				{ $$ = IKED_POLICY_SKIP; }
804
		| DEFAULT			{ $$ = IKED_POLICY_DEFAULT; }
805
		;
806
807
ikemode		: /* empty */			{ $$ = IKED_POLICY_PASSIVE; }
808
		| PASSIVE			{ $$ = IKED_POLICY_PASSIVE; }
809
		| ACTIVE			{ $$ = IKED_POLICY_ACTIVE; }
810
		;
811
812
ipcomp		: /* empty */			{ $$ = 0; }
813
		| IPCOMP			{ $$ = IKED_POLICY_IPCOMP; }
814
		;
815
816
ikeauth		: /* empty */			{
817
			$$.auth_method = IKEV2_AUTH_SIG_ANY;	/* default */
818
			$$.auth_eap = 0;
819
			$$.auth_length = 0;
820
		}
821
		| PSK keyspec			{
822
			memcpy(&$$, &$2, sizeof($$));
823
			$$.auth_method = IKEV2_AUTH_SHARED_KEY_MIC;
824
			$$.auth_eap = 0;
825
		}
826
		| EAP STRING			{
827
			unsigned int i;
828
829
			for (i = 0; i < strlen($2); i++)
830
				if ($2[i] == '-')
831
					$2[i] = '_';
832
833
			if (strcasecmp("mschap_v2", $2) != 0) {
834
				yyerror("unsupported EAP method: %s", $2);
835
				free($2);
836
				YYERROR;
837
			}
838
			free($2);
839
840
			$$.auth_method = IKEV2_AUTH_RSA_SIG;
841
			$$.auth_eap = EAP_TYPE_MSCHAP_V2;
842
			$$.auth_length = 0;
843
		}
844
		| STRING			{
845
			const struct ipsec_xf *xf;
846
847
			if ((xf = parse_xf($1, 0, methodxfs)) == NULL ||
848
			    xf->id == IKEV2_AUTH_NONE) {
849
				yyerror("not a valid authentication mode");
850
				free($1);
851
				YYERROR;
852
			}
853
			free($1);
854
855
			$$.auth_method = xf->id;
856
			$$.auth_eap = 0;
857
			$$.auth_length = 0;
858
		}
859
		;
860
861
byte_spec	: NUMBER			{
862
			$$ = $1;
863
		}
864
		| STRING			{
865
			uint64_t	 bytes = 0;
866
			char		 unit = 0;
867
868
			if (sscanf($1, "%llu%c", &bytes, &unit) != 2) {
869
				yyerror("invalid byte specification: %s", $1);
870
				YYERROR;
871
			}
872
			switch (toupper((unsigned char)unit)) {
873
			case 'K':
874
				bytes *= 1024;
875
				break;
876
			case 'M':
877
				bytes *= 1024 * 1024;
878
				break;
879
			case 'G':
880
				bytes *= 1024 * 1024 * 1024;
881
				break;
882
			default:
883
				yyerror("invalid byte unit");
884
				YYERROR;
885
			}
886
			$$ = bytes;
887
		}
888
		;
889
890
time_spec	: NUMBER			{
891
			$$ = $1;
892
		}
893
		| STRING			{
894
			uint64_t	 seconds = 0;
895
			char		 unit = 0;
896
897
			if (sscanf($1, "%llu%c", &seconds, &unit) != 2) {
898
				yyerror("invalid time specification: %s", $1);
899
				YYERROR;
900
			}
901
			switch (tolower((unsigned char)unit)) {
902
			case 'm':
903
				seconds *= 60;
904
				break;
905
			case 'h':
906
				seconds *= 60 * 60;
907
				break;
908
			default:
909
				yyerror("invalid time unit");
910
				YYERROR;
911
			}
912
			$$ = seconds;
913
		}
914
		;
915
916
lifetime	: /* empty */				{
917
			$$ = deflifetime;
918
		}
919
		| LIFETIME time_spec			{
920
			$$.lt_seconds = $2;
921
			$$.lt_bytes = deflifetime.lt_bytes;
922
		}
923
		| LIFETIME time_spec BYTES byte_spec	{
924
			$$.lt_seconds = $2;
925
			$$.lt_bytes = $4;
926
		}
927
		;
928
929
ikelifetime	: /* empty */				{
930
			$$ = 0;
931
		}
932
		| IKELIFETIME time_spec			{
933
			$$ = $2;
934
		}
935
936
keyspec		: STRING			{
937
			uint8_t		*hex;
938
939
			bzero(&$$, sizeof($$));
940
941
			hex = $1;
942
			if (strncmp(hex, "0x", 2) == 0) {
943
				hex += 2;
944
				if (parsekey(hex, strlen(hex), &$$) != 0) {
945
					free($1);
946
					YYERROR;
947
				}
948
			} else {
949
				if (strlen($1) > sizeof($$.auth_data)) {
950
					yyerror("psk too long");
951
					free($1);
952
					YYERROR;
953
				}
954
				strlcpy($$.auth_data, $1,
955
				    sizeof($$.auth_data));
956
				$$.auth_length = strlen($1);
957
			}
958
			free($1);
959
		}
960
		| FILENAME STRING		{
961
			if (parsekeyfile($2, &$$) != 0) {
962
				free($2);
963
				YYERROR;
964
			}
965
			free($2);
966
		}
967
		;
968
969
filters		:					{
970
			if ((ipsec_filters = calloc(1,
971
			    sizeof(struct ipsec_filters))) == NULL)
972
				err(1, "filters: calloc");
973
		}
974
		    filters_l			{
975
			$$ = ipsec_filters;
976
		}
977
		| /* empty */				{
978
			$$ = NULL;
979
		}
980
		;
981
982
filters_l	: filters_l filter
983
		| filter
984
		;
985
986
filter		: TAG STRING
987
		{
988
			ipsec_filters->tag = $2;
989
		}
990
		| TAP STRING
991
		{
992
			const char	*errstr = NULL;
993
			size_t		 len;
994
995
			len = strcspn($2, "0123456789");
996
			if (strlen("enc") != len ||
997
			    strncmp("enc", $2, len) != 0) {
998
				yyerror("invalid tap interface name: %s", $2);
999
				free($2);
1000
				YYERROR;
1001
			}
1002
			ipsec_filters->tap =
1003
			    strtonum($2 + len, 0, UINT_MAX, &errstr);
1004
			free($2);
1005
			if (errstr != NULL) {
1006
				yyerror("invalid tap interface unit: %s",
1007
				    errstr);
1008
				YYERROR;
1009
			}
1010
		}
1011
		;
1012
1013
string		: string STRING
1014
		{
1015
			if (asprintf(&$$, "%s %s", $1, $2) == -1)
1016
				err(1, "string: asprintf");
1017
			free($1);
1018
			free($2);
1019
		}
1020
		| STRING
1021
		;
1022
1023
varset		: STRING '=' string
1024
		{
1025
			char *s = $1;
1026
			log_debug("%s = \"%s\"\n", $1, $3);
1027
			while (*s++) {
1028
				if (isspace((unsigned char)*s)) {
1029
					yyerror("macro name cannot contain "
1030
					    "whitespace");
1031
					YYERROR;
1032
				}
1033
			}
1034
			if (symset($1, $3, 0) == -1)
1035
				err(1, "cannot store variable");
1036
			free($1);
1037
			free($3);
1038
		}
1039
		;
1040
1041
/*
1042
 * ignore IKEv1/manual keying rules in ipsec.conf
1043
 */
1044
otherrule	: IKEV1
1045
		| sarule
1046
		| FLOW
1047
		| TCPMD5
1048
		;
1049
1050
/* manual keying SAs might start with the following keywords */
1051
sarule		: SA
1052
		| FROM
1053
		| TO
1054
		| TUNNEL
1055
		| TRANSPORT
1056
		;
1057
1058
/* ignore everything to the end of the line */
1059
skipline	:
1060
		{
1061
			int	 c;
1062
1063
			while ((c = lgetc(0)) != '\n' && c != EOF)
1064
				; /* nothing */
1065
			if (c == '\n')
1066
				lungetc(c);
1067
		}
1068
		;
1069
%%
1070
1071
struct keywords {
1072
	const char	*k_name;
1073
	int		 k_val;
1074
};
1075
1076
int
1077
yyerror(const char *fmt, ...)
1078
{
1079
	va_list		 ap;
1080
1081
	file->errors++;
1082
	va_start(ap, fmt);
1083
	fprintf(stderr, "%s: %d: ", file->name, yylval.lineno);
1084
	vfprintf(stderr, fmt, ap);
1085
	fprintf(stderr, "\n");
1086
	va_end(ap);
1087
	return (0);
1088
}
1089
1090
int
1091
kw_cmp(const void *k, const void *e)
1092
{
1093
	return (strcmp(k, ((const struct keywords *)e)->k_name));
1094
}
1095
1096
int
1097
lookup(char *s)
1098
{
1099
	/* this has to be sorted always */
1100
	static const struct keywords keywords[] = {
1101
		{ "active",		ACTIVE },
1102
		{ "ah",			AH },
1103
		{ "any",		ANY },
1104
		{ "auth",		AUTHXF },
1105
		{ "bytes",		BYTES },
1106
		{ "childsa",		CHILDSA },
1107
		{ "config",		CONFIG },
1108
		{ "couple",		COUPLE },
1109
		{ "decouple",		DECOUPLE },
1110
		{ "default",		DEFAULT },
1111
		{ "dstid",		DSTID },
1112
		{ "eap",		EAP },
1113
		{ "enc",		ENCXF },
1114
		{ "esp",		ESP },
1115
		{ "file",		FILENAME },
1116
		{ "flow",		FLOW },
1117
		{ "from",		FROM },
1118
		{ "group",		GROUP },
1119
		{ "ike",		IKEV1 },
1120
		{ "ikelifetime",	IKELIFETIME },
1121
		{ "ikesa",		IKESA },
1122
		{ "ikev2",		IKEV2 },
1123
		{ "include",		INCLUDE },
1124
		{ "inet",		INET },
1125
		{ "inet6",		INET6 },
1126
		{ "ipcomp",		IPCOMP },
1127
		{ "lifetime",		LIFETIME },
1128
		{ "local",		LOCAL },
1129
		{ "name",		NAME },
1130
		{ "ocsp",		OCSP },
1131
		{ "passive",		PASSIVE },
1132
		{ "peer",		PEER },
1133
		{ "port",		PORT },
1134
		{ "prf",		PRFXF },
1135
		{ "proto",		PROTO },
1136
		{ "psk",		PSK },
1137
		{ "quick",		QUICK },
1138
		{ "sa",			SA },
1139
		{ "set",		SET },
1140
		{ "skip",		SKIP },
1141
		{ "srcid",		SRCID },
1142
		{ "tag",		TAG },
1143
		{ "tap",		TAP },
1144
		{ "tcpmd5",		TCPMD5 },
1145
		{ "to",			TO },
1146
		{ "transport",		TRANSPORT },
1147
		{ "tunnel",		TUNNEL },
1148
		{ "user",		USER }
1149
	};
1150
	const struct keywords	*p;
1151
1152
	p = bsearch(s, keywords, sizeof(keywords)/sizeof(keywords[0]),
1153
	    sizeof(keywords[0]), kw_cmp);
1154
1155
	if (p) {
1156
		if (debug > 1)
1157
			fprintf(stderr, "%s: %d\n", s, p->k_val);
1158
		return (p->k_val);
1159
	} else {
1160
		if (debug > 1)
1161
			fprintf(stderr, "string: %s\n", s);
1162
		return (STRING);
1163
	}
1164
}
1165
1166
#define MAXPUSHBACK	128
1167
1168
unsigned char	*parsebuf;
1169
int		 parseindex;
1170
unsigned char	 pushback_buffer[MAXPUSHBACK];
1171
int		 pushback_index = 0;
1172
1173
int
1174
lgetc(int quotec)
1175
{
1176
	int		c, next;
1177
1178
	if (parsebuf) {
1179
		/* Read character from the parsebuffer instead of input. */
1180
		if (parseindex >= 0) {
1181
			c = parsebuf[parseindex++];
1182
			if (c != '\0')
1183
				return (c);
1184
			parsebuf = NULL;
1185
		} else
1186
			parseindex++;
1187
	}
1188
1189
	if (pushback_index)
1190
		return (pushback_buffer[--pushback_index]);
1191
1192
	if (quotec) {
1193
		if ((c = getc(file->stream)) == EOF) {
1194
			yyerror("reached end of file while parsing "
1195
			    "quoted string");
1196
			if (popfile() == EOF)
1197
				return (EOF);
1198
			return (quotec);
1199
		}
1200
		return (c);
1201
	}
1202
1203
	while ((c = getc(file->stream)) == '\\') {
1204
		next = getc(file->stream);
1205
		if (next != '\n') {
1206
			c = next;
1207
			break;
1208
		}
1209
		yylval.lineno = file->lineno;
1210
		file->lineno++;
1211
	}
1212
1213
	while (c == EOF) {
1214
		if (popfile() == EOF)
1215
			return (EOF);
1216
		c = getc(file->stream);
1217
	}
1218
	return (c);
1219
}
1220
1221
int
1222
lungetc(int c)
1223
{
1224
	if (c == EOF)
1225
		return (EOF);
1226
	if (parsebuf) {
1227
		parseindex--;
1228
		if (parseindex >= 0)
1229
			return (c);
1230
	}
1231
	if (pushback_index < MAXPUSHBACK-1)
1232
		return (pushback_buffer[pushback_index++] = c);
1233
	else
1234
		return (EOF);
1235
}
1236
1237
int
1238
findeol(void)
1239
{
1240
	int	c;
1241
1242
	parsebuf = NULL;
1243
1244
	/* skip to either EOF or the first real EOL */
1245
	while (1) {
1246
		if (pushback_index)
1247
			c = pushback_buffer[--pushback_index];
1248
		else
1249
			c = lgetc(0);
1250
		if (c == '\n') {
1251
			file->lineno++;
1252
			break;
1253
		}
1254
		if (c == EOF)
1255
			break;
1256
	}
1257
	return (ERROR);
1258
}
1259
1260
int
1261
yylex(void)
1262
{
1263
	unsigned char	 buf[8096];
1264
	unsigned char	*p, *val;
1265
	int		 quotec, next, c;
1266
	int		 token;
1267
1268
top:
1269
	p = buf;
1270
	while ((c = lgetc(0)) == ' ' || c == '\t')
1271
		; /* nothing */
1272
1273
	yylval.lineno = file->lineno;
1274
	if (c == '#')
1275
		while ((c = lgetc(0)) != '\n' && c != EOF)
1276
			; /* nothing */
1277
	if (c == '$' && parsebuf == NULL) {
1278
		while (1) {
1279
			if ((c = lgetc(0)) == EOF)
1280
				return (0);
1281
1282
			if (p + 1 >= buf + sizeof(buf) - 1) {
1283
				yyerror("string too long");
1284
				return (findeol());
1285
			}
1286
			if (isalnum(c) || c == '_') {
1287
				*p++ = c;
1288
				continue;
1289
			}
1290
			*p = '\0';
1291
			lungetc(c);
1292
			break;
1293
		}
1294
		val = symget(buf);
1295
		if (val == NULL) {
1296
			yyerror("macro '%s' not defined", buf);
1297
			return (findeol());
1298
		}
1299
		parsebuf = val;
1300
		parseindex = 0;
1301
		goto top;
1302
	}
1303
1304
	switch (c) {
1305
	case '\'':
1306
	case '"':
1307
		quotec = c;
1308
		while (1) {
1309
			if ((c = lgetc(quotec)) == EOF)
1310
				return (0);
1311
			if (c == '\n') {
1312
				file->lineno++;
1313
				continue;
1314
			} else if (c == '\\') {
1315
				if ((next = lgetc(quotec)) == EOF)
1316
					return (0);
1317
				if (next == quotec || c == ' ' || c == '\t')
1318
					c = next;
1319
				else if (next == '\n') {
1320
					file->lineno++;
1321
					continue;
1322
				} else
1323
					lungetc(next);
1324
			} else if (c == quotec) {
1325
				*p = '\0';
1326
				break;
1327
			} else if (c == '\0') {
1328
				yyerror("syntax error");
1329
				return (findeol());
1330
			}
1331
			if (p + 1 >= buf + sizeof(buf) - 1) {
1332
				yyerror("string too long");
1333
				return (findeol());
1334
			}
1335
			*p++ = c;
1336
		}
1337
		yylval.v.string = strdup(buf);
1338
		if (yylval.v.string == NULL)
1339
			err(1, "yylex: strdup");
1340
		return (STRING);
1341
	}
1342
1343
#define allowed_to_end_number(x) \
1344
	(isspace(x) || x == ')' || x ==',' || x == '/' || x == '}' || x == '=')
1345
1346
	if (c == '-' || isdigit(c)) {
1347
		do {
1348
			*p++ = c;
1349
			if ((unsigned)(p-buf) >= sizeof(buf)) {
1350
				yyerror("string too long");
1351
				return (findeol());
1352
			}
1353
		} while ((c = lgetc(0)) != EOF && isdigit(c));
1354
		lungetc(c);
1355
		if (p == buf + 1 && buf[0] == '-')
1356
			goto nodigits;
1357
		if (c == EOF || allowed_to_end_number(c)) {
1358
			const char *errstr = NULL;
1359
1360
			*p = '\0';
1361
			yylval.v.number = strtonum(buf, LLONG_MIN,
1362
			    LLONG_MAX, &errstr);
1363
			if (errstr) {
1364
				yyerror("\"%s\" invalid number: %s",
1365
				    buf, errstr);
1366
				return (findeol());
1367
			}
1368
			return (NUMBER);
1369
		} else {
1370
nodigits:
1371
			while (p > buf + 1)
1372
				lungetc(*--p);
1373
			c = *--p;
1374
			if (c == '-')
1375
				return (c);
1376
		}
1377
	}
1378
1379
#define allowed_in_string(x) \
1380
	(isalnum(x) || (ispunct(x) && x != '(' && x != ')' && \
1381
	x != '{' && x != '}' && x != '<' && x != '>' && \
1382
	x != '!' && x != '=' && x != '/' && x != '#' && \
1383
	x != ','))
1384
1385
	if (isalnum(c) || c == ':' || c == '_' || c == '*') {
1386
		do {
1387
			*p++ = c;
1388
			if ((unsigned)(p-buf) >= sizeof(buf)) {
1389
				yyerror("string too long");
1390
				return (findeol());
1391
			}
1392
		} while ((c = lgetc(0)) != EOF && (allowed_in_string(c)));
1393
		lungetc(c);
1394
		*p = '\0';
1395
		if ((token = lookup(buf)) == STRING)
1396
			if ((yylval.v.string = strdup(buf)) == NULL)
1397
				err(1, "yylex: strdup");
1398
		return (token);
1399
	}
1400
	if (c == '\n') {
1401
		yylval.lineno = file->lineno;
1402
		file->lineno++;
1403
	}
1404
	if (c == EOF)
1405
		return (0);
1406
	return (c);
1407
}
1408
1409
int
1410
check_file_secrecy(int fd, const char *fname)
1411
{
1412
	struct stat	st;
1413
1414
	if (fstat(fd, &st)) {
1415
		warn("cannot stat %s", fname);
1416
		return (-1);
1417
	}
1418
	if (st.st_uid != 0 && st.st_uid != getuid()) {
1419
		warnx("%s: owner not root or current user", fname);
1420
		return (-1);
1421
	}
1422
	if (st.st_mode & (S_IWGRP | S_IXGRP | S_IRWXO)) {
1423
		warnx("%s: group writable or world read/writable", fname);
1424
		return (-1);
1425
	}
1426
	return (0);
1427
}
1428
1429
struct file *
1430
pushfile(const char *name, int secret)
1431
{
1432
	struct file	*nfile;
1433
1434
	if ((nfile = calloc(1, sizeof(struct file))) == NULL) {
1435
		warn("malloc");
1436
		return (NULL);
1437
	}
1438
	if ((nfile->name = strdup(name)) == NULL) {
1439
		warn("malloc");
1440
		free(nfile);
1441
		return (NULL);
1442
	}
1443
	if (TAILQ_FIRST(&files) == NULL && strcmp(nfile->name, "-") == 0) {
1444
		nfile->stream = stdin;
1445
		free(nfile->name);
1446
		if ((nfile->name = strdup("stdin")) == NULL) {
1447
			warn("strdup");
1448
			free(nfile);
1449
			return (NULL);
1450
		}
1451
	} else if ((nfile->stream = fopen(nfile->name, "r")) == NULL) {
1452
		warn("%s", nfile->name);
1453
		free(nfile->name);
1454
		free(nfile);
1455
		return (NULL);
1456
	} else if (secret &&
1457
	    check_file_secrecy(fileno(nfile->stream), nfile->name)) {
1458
		fclose(nfile->stream);
1459
		free(nfile->name);
1460
		free(nfile);
1461
		return (NULL);
1462
	}
1463
	nfile->lineno = 1;
1464
	TAILQ_INSERT_TAIL(&files, nfile, entry);
1465
	return (nfile);
1466
}
1467
1468
int
1469
popfile(void)
1470
{
1471
	struct file	*prev;
1472
1473
	if ((prev = TAILQ_PREV(file, files, entry)) != NULL) {
1474
		prev->errors += file->errors;
1475
		TAILQ_REMOVE(&files, file, entry);
1476
		fclose(file->stream);
1477
		free(file->name);
1478
		free(file);
1479
		file = prev;
1480
		return (0);
1481
	}
1482
	return (EOF);
1483
}
1484
1485
int
1486
parse_config(const char *filename, struct iked *x_env)
1487
{
1488
	struct sym	*sym;
1489
	int		 errors = 0;
1490
1491
	env = x_env;
1492
	rules = 0;
1493
1494
	if ((file = pushfile(filename, 1)) == NULL)
1495
		return (-1);
1496
1497
	decouple = passive = 0;
1498
1499
	if (env->sc_opts & IKED_OPT_PASSIVE)
1500
		passive = 1;
1501
1502
	yyparse();
1503
	errors = file->errors;
1504
	popfile();
1505
1506
	env->sc_passive = passive ? 1 : 0;
1507
	env->sc_decoupled = decouple ? 1 : 0;
1508
	env->sc_ocsp_url = ocsp_url;
1509
1510
	if (!rules)
1511
		log_warnx("%s: no valid configuration rules found",
1512
		    filename);
1513
	else
1514
		log_debug("%s: loaded %d configuration rules",
1515
		    filename, rules);
1516
1517
	/* Free macros and check which have not been used. */
1518
	while ((sym = TAILQ_FIRST(&symhead))) {
1519
		if (!sym->used)
1520
			log_debug("warning: macro '%s' not "
1521
			    "used\n", sym->nam);
1522
		free(sym->nam);
1523
		free(sym->val);
1524
		TAILQ_REMOVE(&symhead, sym, entry);
1525
		free(sym);
1526
	}
1527
1528
	return (errors ? -1 : 0);
1529
}
1530
1531
int
1532
symset(const char *nam, const char *val, int persist)
1533
{
1534
	struct sym	*sym;
1535
1536
	TAILQ_FOREACH(sym, &symhead, entry) {
1537
		if (strcmp(nam, sym->nam) == 0)
1538
			break;
1539
	}
1540
1541
	if (sym != NULL) {
1542
		if (sym->persist == 1)
1543
			return (0);
1544
		else {
1545
			free(sym->nam);
1546
			free(sym->val);
1547
			TAILQ_REMOVE(&symhead, sym, entry);
1548
			free(sym);
1549
		}
1550
	}
1551
	if ((sym = calloc(1, sizeof(*sym))) == NULL)
1552
		return (-1);
1553
1554
	sym->nam = strdup(nam);
1555
	if (sym->nam == NULL) {
1556
		free(sym);
1557
		return (-1);
1558
	}
1559
	sym->val = strdup(val);
1560
	if (sym->val == NULL) {
1561
		free(sym->nam);
1562
		free(sym);
1563
		return (-1);
1564
	}
1565
	sym->used = 0;
1566
	sym->persist = persist;
1567
	TAILQ_INSERT_TAIL(&symhead, sym, entry);
1568
	return (0);
1569
}
1570
1571
int
1572
cmdline_symset(char *s)
1573
{
1574
	char	*sym, *val;
1575
	int	ret;
1576
	size_t	len;
1577
1578
	if ((val = strrchr(s, '=')) == NULL)
1579
		return (-1);
1580
1581
	len = strlen(s) - strlen(val) + 1;
1582
	if ((sym = malloc(len)) == NULL)
1583
		err(1, "cmdline_symset: malloc");
1584
1585
	strlcpy(sym, s, len);
1586
1587
	ret = symset(sym, val + 1, 1);
1588
	free(sym);
1589
1590
	return (ret);
1591
}
1592
1593
char *
1594
symget(const char *nam)
1595
{
1596
	struct sym	*sym;
1597
1598
	TAILQ_FOREACH(sym, &symhead, entry) {
1599
		if (strcmp(nam, sym->nam) == 0) {
1600
			sym->used = 1;
1601
			return (sym->val);
1602
		}
1603
	}
1604
	return (NULL);
1605
}
1606
1607
uint8_t
1608
x2i(unsigned char *s)
1609
{
1610
	char	ss[3];
1611
1612
	ss[0] = s[0];
1613
	ss[1] = s[1];
1614
	ss[2] = 0;
1615
1616
	if (!isxdigit(s[0]) || !isxdigit(s[1])) {
1617
		yyerror("keys need to be specified in hex digits");
1618
		return (-1);
1619
	}
1620
	return ((uint8_t)strtoul(ss, NULL, 16));
1621
}
1622
1623
int
1624
parsekey(unsigned char *hexkey, size_t len, struct iked_auth *auth)
1625
{
1626
	unsigned int	  i;
1627
1628
	bzero(auth, sizeof(*auth));
1629
	if ((len / 2) > sizeof(auth->auth_data))
1630
		return (-1);
1631
	auth->auth_length = len / 2;
1632
1633
	for (i = 0; i < auth->auth_length; i++)
1634
		auth->auth_data[i] = x2i(hexkey + 2 * i);
1635
1636
	return (0);
1637
}
1638
1639
int
1640
parsekeyfile(char *filename, struct iked_auth *auth)
1641
{
1642
	struct stat	 sb;
1643
	int		 fd, ret;
1644
	unsigned char	*hex;
1645
1646
	if ((fd = open(filename, O_RDONLY)) < 0)
1647
		err(1, "open %s", filename);
1648
	if (fstat(fd, &sb) < 0)
1649
		err(1, "parsekeyfile: stat %s", filename);
1650
	if ((sb.st_size > KEYSIZE_LIMIT) || (sb.st_size == 0))
1651
		errx(1, "%s: key too %s", filename, sb.st_size ? "large" :
1652
		    "small");
1653
	if ((hex = calloc(sb.st_size, sizeof(unsigned char))) == NULL)
1654
		err(1, "parsekeyfile: calloc");
1655
	if (read(fd, hex, sb.st_size) < sb.st_size)
1656
		err(1, "parsekeyfile: read");
1657
	close(fd);
1658
	ret = parsekey(hex, sb.st_size, auth);
1659
	free(hex);
1660
	return (ret);
1661
}
1662
1663
int
1664
get_id_type(char *string)
1665
{
1666
	struct in6_addr ia;
1667
1668
	if (string == NULL)
1669
		return (IKEV2_ID_NONE);
1670
1671
	if (*string == '/')
1672
		return (IKEV2_ID_ASN1_DN);
1673
	else if (inet_pton(AF_INET, string, &ia) == 1)
1674
		return (IKEV2_ID_IPV4);
1675
	else if (inet_pton(AF_INET6, string, &ia) == 1)
1676
		return (IKEV2_ID_IPV6);
1677
	else if (strchr(string, '@'))
1678
		return (IKEV2_ID_UFQDN);
1679
	else
1680
		return (IKEV2_ID_FQDN);
1681
}
1682
1683
EVP_PKEY *
1684
wrap_pubkey(FILE *fp)
1685
{
1686
	EVP_PKEY	*key = NULL;
1687
	struct rsa_st	*rsa = NULL;
1688
1689
	key = PEM_read_PUBKEY(fp, NULL, NULL, NULL);
1690
	if (key == NULL) {
1691
		/* reading PKCS #8 failed, try PEM */
1692
		rewind(fp);
1693
		rsa = PEM_read_RSAPublicKey(fp, NULL, NULL, NULL);
1694
		fclose(fp);
1695
		if (rsa == NULL)
1696
			return (NULL);
1697
		if ((key = EVP_PKEY_new()) == NULL) {
1698
			RSA_free(rsa);
1699
			return (NULL);
1700
		}
1701
		if (!EVP_PKEY_set1_RSA(key, rsa)) {
1702
			RSA_free(rsa);
1703
			EVP_PKEY_free(key);
1704
			return (NULL);
1705
		}
1706
		/* Always free RSA *rsa */
1707
		RSA_free(rsa);
1708
	} else {
1709
		fclose(fp);
1710
	}
1711
1712
	return (key);
1713
}
1714
1715
EVP_PKEY *
1716
find_pubkey(const char *keyfile)
1717
{
1718
	FILE		*fp = NULL;
1719
	if ((fp = fopen(keyfile, "r")) == NULL)
1720
		return (NULL);
1721
1722
	return (wrap_pubkey(fp));
1723
}
1724
1725
int
1726
set_policy_auth_method(const char *peerid, EVP_PKEY *key,
1727
    struct iked_policy *pol)
1728
{
1729
	struct rsa_st		*rsa;
1730
	EC_KEY			*ec_key;
1731
	u_int8_t		 method;
1732
	u_int8_t		 cert_type;
1733
	struct iked_auth	*ikeauth;
1734
1735
	method = IKEV2_AUTH_NONE;
1736
	cert_type = IKEV2_CERT_NONE;
1737
1738
	if (key != NULL) {
1739
		/* infer policy from key type */
1740
		if ((rsa = EVP_PKEY_get1_RSA(key)) != NULL) {
1741
			method = IKEV2_AUTH_RSA_SIG;
1742
			cert_type = IKEV2_CERT_RSA_KEY;
1743
			RSA_free(rsa);
1744
		} else if ((ec_key = EVP_PKEY_get1_EC_KEY(key)) != NULL) {
1745
			const EC_GROUP *group = EC_KEY_get0_group(ec_key);
1746
			if (group == NULL) {
1747
				EC_KEY_free(ec_key);
1748
				return (-1);
1749
			}
1750
			switch (EC_GROUP_get_degree(group)) {
1751
			case 256:
1752
				method = IKEV2_AUTH_ECDSA_256;
1753
				break;
1754
			case 384:
1755
				method = IKEV2_AUTH_ECDSA_384;
1756
				break;
1757
			case 521:
1758
				method = IKEV2_AUTH_ECDSA_521;
1759
				break;
1760
			default:
1761
				EC_KEY_free(ec_key);
1762
				return (-1);
1763
			}
1764
			cert_type = IKEV2_CERT_ECDSA;
1765
			EC_KEY_free(ec_key);
1766
		}
1767
1768
		if (method == IKEV2_AUTH_NONE || cert_type == IKEV2_CERT_NONE)
1769
			return (-1);
1770
	} else {
1771
		/* default to IKEV2_CERT_X509_CERT otherwise */
1772
		method = IKEV2_AUTH_SIG;
1773
		cert_type = IKEV2_CERT_X509_CERT;
1774
	}
1775
1776
	ikeauth = &pol->pol_auth;
1777
1778
	if (ikeauth->auth_method == IKEV2_AUTH_SHARED_KEY_MIC) {
1779
		if (key != NULL &&
1780
		    method != IKEV2_AUTH_RSA_SIG)
1781
			goto mismatch;
1782
		return (0);
1783
	}
1784
1785
	if (ikeauth->auth_method != IKEV2_AUTH_NONE &&
1786
	    ikeauth->auth_method != IKEV2_AUTH_SIG_ANY &&
1787
	    ikeauth->auth_method != method)
1788
		goto mismatch;
1789
1790
	ikeauth->auth_method = method;
1791
	pol->pol_certreqtype = cert_type;
1792
1793
	log_debug("%s: using %s for peer %s", __func__,
1794
	    print_xf(method, 0, methodxfs), peerid);
1795
1796
	return (0);
1797
1798
 mismatch:
1799
	log_warnx("%s: ikeauth policy mismatch, %s specified, but only %s "
1800
	    "possible", __func__, print_xf(ikeauth->auth_method, 0, methodxfs),
1801
	    print_xf(method, 0, methodxfs));
1802
	return (-1);
1803
}
1804
1805
int
1806
set_policy(char *idstr, int type, struct iked_policy *pol)
1807
{
1808
	char		 keyfile[PATH_MAX];
1809
	const char	*prefix = NULL;
1810
	EVP_PKEY	*key = NULL;
1811
1812
	switch (type) {
1813
	case IKEV2_ID_IPV4:
1814
		prefix = "ipv4";
1815
		break;
1816
	case IKEV2_ID_IPV6:
1817
		prefix = "ipv6";
1818
		break;
1819
	case IKEV2_ID_FQDN:
1820
		prefix = "fqdn";
1821
		break;
1822
	case IKEV2_ID_UFQDN:
1823
		prefix = "ufqdn";
1824
		break;
1825
	case IKEV2_ID_ASN1_DN:
1826
		/* public key authentication is not supported with ASN.1 IDs */
1827
		goto done;
1828
	default:
1829
		/* Unspecified ID or public key not supported for this type */
1830
		log_debug("%s: unknown type = %d", __func__, type);
1831
		return (-1);
1832
	}
1833
1834
	lc_string(idstr);
1835
	if ((size_t)snprintf(keyfile, sizeof(keyfile),
1836
	    IKED_CA IKED_PUBKEY_DIR "%s/%s", prefix,
1837
	    idstr) >= sizeof(keyfile)) {
1838
		log_warnx("%s: public key path is too long", __func__);
1839
		return (-1);
1840
	}
1841
1842
	if ((key = find_pubkey(keyfile)) == NULL) {
1843
		log_warnx("%s: could not find pubkey for %s", __func__,
1844
		    keyfile);
1845
	}
1846
1847
 done:
1848
	if (set_policy_auth_method(keyfile, key, pol) < 0) {
1849
		EVP_PKEY_free(key);
1850
		log_warnx("%s: failed to set policy auth method for %s",
1851
		    __func__, keyfile);
1852
		return (-1);
1853
	}
1854
1855
	if (key != NULL) {
1856
		EVP_PKEY_free(key);
1857
		log_debug("%s: found pubkey for %s", __func__, keyfile);
1858
	}
1859
1860
	return (0);
1861
}
1862
1863
struct ipsec_addr_wrap *
1864
host(const char *s)
1865
{
1866
	struct ipsec_addr_wrap	*ipa = NULL;
1867
	int			 mask, cont = 1;
1868
	char			*p, *q, *ps;
1869
1870
	if ((p = strrchr(s, '/')) != NULL) {
1871
		errno = 0;
1872
		mask = strtol(p + 1, &q, 0);
1873
		if (errno == ERANGE || !q || *q || mask > 128 || q == (p + 1))
1874
			errx(1, "host: invalid netmask '%s'", p);
1875
		if ((ps = malloc(strlen(s) - strlen(p) + 1)) == NULL)
1876
			err(1, "host: calloc");
1877
		strlcpy(ps, s, strlen(s) - strlen(p) + 1);
1878
	} else {
1879
		if ((ps = strdup(s)) == NULL)
1880
			err(1, "host: strdup");
1881
		mask = -1;
1882
	}
1883
1884
	/* Does interface with this name exist? */
1885
	if (cont && (ipa = host_if(ps, mask)) != NULL)
1886
		cont = 0;
1887
1888
	/* IPv4 address? */
1889
	if (cont && (ipa = host_v4(s, mask == -1 ? 32 : mask)) != NULL)
1890
		cont = 0;
1891
1892
	/* IPv6 address? */
1893
	if (cont && (ipa = host_v6(ps, mask == -1 ? 128 : mask)) != NULL)
1894
		cont = 0;
1895
1896
	/* dns lookup */
1897
	if (cont && mask == -1 && (ipa = host_dns(s, mask)) != NULL)
1898
		cont = 0;
1899
	free(ps);
1900
1901
	if (ipa == NULL || cont == 1) {
1902
		fprintf(stderr, "no IP address found for %s\n", s);
1903
		return (NULL);
1904
	}
1905
	return (ipa);
1906
}
1907
1908
struct ipsec_addr_wrap *
1909
host_v6(const char *s, int prefixlen)
1910
{
1911
	struct ipsec_addr_wrap	*ipa = NULL;
1912
	struct addrinfo		 hints, *res;
1913
	char			 hbuf[NI_MAXHOST];
1914
1915
	bzero(&hints, sizeof(struct addrinfo));
1916
	hints.ai_family = AF_INET6;
1917
	hints.ai_socktype = SOCK_STREAM;
1918
	hints.ai_flags = AI_NUMERICHOST;
1919
	if (getaddrinfo(s, NULL, &hints, &res))
1920
		return (NULL);
1921
	if (res->ai_next)
1922
		err(1, "host_v6: numeric hostname expanded to multiple item");
1923
1924
	ipa = calloc(1, sizeof(struct ipsec_addr_wrap));
1925
	if (ipa == NULL)
1926
		err(1, "host_v6: calloc");
1927
	ipa->af = res->ai_family;
1928
	memcpy(&ipa->address, res->ai_addr, sizeof(struct sockaddr_in6));
1929
	if (prefixlen > 128)
1930
		prefixlen = 128;
1931
	ipa->next = NULL;
1932
	ipa->tail = ipa;
1933
1934
	set_ipmask(ipa, prefixlen);
1935
	if (getnameinfo(res->ai_addr, res->ai_addrlen,
1936
	    hbuf, sizeof(hbuf), NULL, 0, NI_NUMERICHOST)) {
1937
		errx(1, "could not get a numeric hostname");
1938
	}
1939
1940
	if (prefixlen != 128) {
1941
		ipa->netaddress = 1;
1942
		if (asprintf(&ipa->name, "%s/%d", hbuf, prefixlen) == -1)
1943
			err(1, "host_v6: asprintf");
1944
	} else {
1945
		if ((ipa->name = strdup(hbuf)) == NULL)
1946
			err(1, "host_v6: strdup");
1947
	}
1948
1949
	freeaddrinfo(res);
1950
1951
	return (ipa);
1952
}
1953
1954
struct ipsec_addr_wrap *
1955
host_v4(const char *s, int mask)
1956
{
1957
	struct ipsec_addr_wrap	*ipa = NULL;
1958
	struct sockaddr_in	 ina;
1959
	int			 bits = 32;
1960
1961
	bzero(&ina, sizeof(ina));
1962
	if (strrchr(s, '/') != NULL) {
1963
		if ((bits = inet_net_pton(AF_INET, s, &ina.sin_addr,
1964
		    sizeof(ina.sin_addr))) == -1)
1965
			return (NULL);
1966
	} else {
1967
		if (inet_pton(AF_INET, s, &ina.sin_addr) != 1)
1968
			return (NULL);
1969
	}
1970
1971
	ipa = calloc(1, sizeof(struct ipsec_addr_wrap));
1972
	if (ipa == NULL)
1973
		err(1, "host_v4: calloc");
1974
1975
	ina.sin_family = AF_INET;
1976
	ina.sin_len = sizeof(ina);
1977
	memcpy(&ipa->address, &ina, sizeof(ina));
1978
1979
	ipa->name = strdup(s);
1980
	if (ipa->name == NULL)
1981
		err(1, "host_v4: strdup");
1982
	ipa->af = AF_INET;
1983
	ipa->next = NULL;
1984
	ipa->tail = ipa;
1985
1986
	set_ipmask(ipa, bits);
1987
	if (strrchr(s, '/') != NULL)
1988
		ipa->netaddress = 1;
1989
1990
	return (ipa);
1991
}
1992
1993
struct ipsec_addr_wrap *
1994
host_dns(const char *s, int mask)
1995
{
1996
	struct ipsec_addr_wrap	*ipa = NULL, *head = NULL;
1997
	struct addrinfo		 hints, *res0, *res;
1998
	int			 error;
1999
	char			 hbuf[NI_MAXHOST];
2000
2001
	bzero(&hints, sizeof(struct addrinfo));
2002
	hints.ai_family = PF_UNSPEC;
2003
	hints.ai_socktype = SOCK_STREAM;
2004
	hints.ai_flags = AI_ADDRCONFIG;
2005
	error = getaddrinfo(s, NULL, &hints, &res0);
2006
	if (error)
2007
		return (NULL);
2008
2009
	for (res = res0; res; res = res->ai_next) {
2010
		if (res->ai_family != AF_INET && res->ai_family != AF_INET6)
2011
			continue;
2012
2013
		ipa = calloc(1, sizeof(struct ipsec_addr_wrap));
2014
		if (ipa == NULL)
2015
			err(1, "host_dns: calloc");
2016
		switch (res->ai_family) {
2017
		case AF_INET:
2018
			memcpy(&ipa->address, res->ai_addr,
2019
			    sizeof(struct sockaddr_in));
2020
			break;
2021
		case AF_INET6:
2022
			memcpy(&ipa->address, res->ai_addr,
2023
			    sizeof(struct sockaddr_in6));
2024
			break;
2025
		}
2026
		error = getnameinfo(res->ai_addr, res->ai_addrlen, hbuf,
2027
		    sizeof(hbuf), NULL, 0, NI_NUMERICHOST);
2028
		if (error)
2029
			err(1, "host_dns: getnameinfo");
2030
		ipa->name = strdup(hbuf);
2031
		if (ipa->name == NULL)
2032
			err(1, "host_dns: strdup");
2033
		ipa->af = res->ai_family;
2034
		ipa->next = NULL;
2035
		ipa->tail = ipa;
2036
		if (head == NULL)
2037
			head = ipa;
2038
		else {
2039
			head->tail->next = ipa;
2040
			head->tail = ipa;
2041
		}
2042
2043
		/*
2044
		 * XXX for now, no netmask support for IPv6.
2045
		 * but since there's no way to specify address family, once you
2046
		 * have IPv6 address on a host, you cannot use dns/netmask
2047
		 * syntax.
2048
		 */
2049
		if (ipa->af == AF_INET)
2050
			set_ipmask(ipa, mask == -1 ? 32 : mask);
2051
		else
2052
			if (mask != -1)
2053
				err(1, "host_dns: cannot apply netmask "
2054
				    "on non-IPv4 address");
2055
	}
2056
	freeaddrinfo(res0);
2057
2058
	return (head);
2059
}
2060
2061
struct ipsec_addr_wrap *
2062
host_if(const char *s, int mask)
2063
{
2064
	struct ipsec_addr_wrap *ipa = NULL;
2065
2066
	if (ifa_exists(s))
2067
		ipa = ifa_lookup(s);
2068
2069
	return (ipa);
2070
}
2071
2072
struct ipsec_addr_wrap *
2073
host_any(void)
2074
{
2075
	struct ipsec_addr_wrap	*ipa;
2076
2077
	ipa = calloc(1, sizeof(struct ipsec_addr_wrap));
2078
	if (ipa == NULL)
2079
		err(1, "host_any: calloc");
2080
	ipa->af = AF_UNSPEC;
2081
	ipa->netaddress = 1;
2082
	ipa->tail = ipa;
2083
	return (ipa);
2084
}
2085
2086
/* interface lookup routintes */
2087
2088
struct ipsec_addr_wrap	*iftab;
2089
2090
void
2091
ifa_load(void)
2092
{
2093
	struct ifaddrs		*ifap, *ifa;
2094
	struct ipsec_addr_wrap	*n = NULL, *h = NULL;
2095
	struct sockaddr_in	*sa_in;
2096
	struct sockaddr_in6	*sa_in6;
2097
2098
	if (getifaddrs(&ifap) < 0)
2099
		err(1, "ifa_load: getifaddrs");
2100
2101
	for (ifa = ifap; ifa; ifa = ifa->ifa_next) {
2102
		if (!(ifa->ifa_addr->sa_family == AF_INET ||
2103
		    ifa->ifa_addr->sa_family == AF_INET6 ||
2104
		    ifa->ifa_addr->sa_family == AF_LINK))
2105
			continue;
2106
		n = calloc(1, sizeof(struct ipsec_addr_wrap));
2107
		if (n == NULL)
2108
			err(1, "ifa_load: calloc");
2109
		n->af = ifa->ifa_addr->sa_family;
2110
		if ((n->name = strdup(ifa->ifa_name)) == NULL)
2111
			err(1, "ifa_load: strdup");
2112
		if (n->af == AF_INET) {
2113
			sa_in = (struct sockaddr_in *)ifa->ifa_addr;
2114
			memcpy(&n->address, sa_in, sizeof(*sa_in));
2115
			sa_in = (struct sockaddr_in *)ifa->ifa_netmask;
2116
			n->mask = mask2prefixlen((struct sockaddr *)sa_in);
2117
		} else if (n->af == AF_INET6) {
2118
			sa_in6 = (struct sockaddr_in6 *)ifa->ifa_addr;
2119
			memcpy(&n->address, sa_in6, sizeof(*sa_in6));
2120
			sa_in6 = (struct sockaddr_in6 *)ifa->ifa_netmask;
2121
			n->mask = mask2prefixlen6((struct sockaddr *)sa_in6);
2122
		}
2123
		n->next = NULL;
2124
		n->tail = n;
2125
		if (h == NULL)
2126
			h = n;
2127
		else {
2128
			h->tail->next = n;
2129
			h->tail = n;
2130
		}
2131
	}
2132
2133
	iftab = h;
2134
	freeifaddrs(ifap);
2135
}
2136
2137
int
2138
ifa_exists(const char *ifa_name)
2139
{
2140
	struct ipsec_addr_wrap	*n;
2141
	struct ifgroupreq	 ifgr;
2142
	int			 s;
2143
2144
	if (iftab == NULL)
2145
		ifa_load();
2146
2147
	/* check wether this is a group */
2148
	if ((s = socket(AF_INET, SOCK_DGRAM, 0)) == -1)
2149
		err(1, "ifa_exists: socket");
2150
	bzero(&ifgr, sizeof(ifgr));
2151
	strlcpy(ifgr.ifgr_name, ifa_name, sizeof(ifgr.ifgr_name));
2152
	if (ioctl(s, SIOCGIFGMEMB, (caddr_t)&ifgr) == 0) {
2153
		close(s);
2154
		return (1);
2155
	}
2156
	close(s);
2157
2158
	for (n = iftab; n; n = n->next) {
2159
		if (n->af == AF_LINK && !strncmp(n->name, ifa_name,
2160
		    IFNAMSIZ))
2161
			return (1);
2162
	}
2163
2164
	return (0);
2165
}
2166
2167
struct ipsec_addr_wrap *
2168
ifa_grouplookup(const char *ifa_name)
2169
{
2170
	struct ifg_req		*ifg;
2171
	struct ifgroupreq	 ifgr;
2172
	int			 s;
2173
	size_t			 len;
2174
	struct ipsec_addr_wrap	*n, *h = NULL, *hn;
2175
2176
	if ((s = socket(AF_INET, SOCK_DGRAM, 0)) == -1)
2177
		err(1, "socket");
2178
	bzero(&ifgr, sizeof(ifgr));
2179
	strlcpy(ifgr.ifgr_name, ifa_name, sizeof(ifgr.ifgr_name));
2180
	if (ioctl(s, SIOCGIFGMEMB, (caddr_t)&ifgr) == -1) {
2181
		close(s);
2182
		return (NULL);
2183
	}
2184
2185
	len = ifgr.ifgr_len;
2186
	if ((ifgr.ifgr_groups = calloc(1, len)) == NULL)
2187
		err(1, "calloc");
2188
	if (ioctl(s, SIOCGIFGMEMB, (caddr_t)&ifgr) == -1)
2189
		err(1, "ioctl");
2190
2191
	for (ifg = ifgr.ifgr_groups; ifg && len >= sizeof(struct ifg_req);
2192
	    ifg++) {
2193
		len -= sizeof(struct ifg_req);
2194
		if ((n = ifa_lookup(ifg->ifgrq_member)) == NULL)
2195
			continue;
2196
		if (h == NULL)
2197
			h = n;
2198
		else {
2199
			for (hn = h; hn->next != NULL; hn = hn->next)
2200
				;	/* nothing */
2201
			hn->next = n;
2202
			n->tail = hn;
2203
		}
2204
	}
2205
	free(ifgr.ifgr_groups);
2206
	close(s);
2207
2208
	return (h);
2209
}
2210
2211
struct ipsec_addr_wrap *
2212
ifa_lookup(const char *ifa_name)
2213
{
2214
	struct ipsec_addr_wrap	*p = NULL, *h = NULL, *n = NULL;
2215
	struct sockaddr_in6	*in6;
2216
	uint8_t			*s6;
2217
2218
	if (iftab == NULL)
2219
		ifa_load();
2220
2221
	if ((n = ifa_grouplookup(ifa_name)) != NULL)
2222
		return (n);
2223
2224
	for (p = iftab; p; p = p->next) {
2225
		if (p->af != AF_INET && p->af != AF_INET6)
2226
			continue;
2227
		if (strncmp(p->name, ifa_name, IFNAMSIZ))
2228
			continue;
2229
		n = calloc(1, sizeof(struct ipsec_addr_wrap));
2230
		if (n == NULL)
2231
			err(1, "ifa_lookup: calloc");
2232
		memcpy(n, p, sizeof(struct ipsec_addr_wrap));
2233
		if ((n->name = strdup(p->name)) == NULL)
2234
			err(1, "ifa_lookup: strdup");
2235
		switch (n->af) {
2236
		case AF_INET:
2237
			set_ipmask(n, 32);
2238
			break;
2239
		case AF_INET6:
2240
			in6 = (struct sockaddr_in6 *)&n->address;
2241
			s6 = (uint8_t *)&in6->sin6_addr.s6_addr;
2242
2243
			/* route/show.c and bgpd/util.c give KAME credit */
2244
			if (IN6_IS_ADDR_LINKLOCAL(&in6->sin6_addr)) {
2245
				uint16_t	 tmp16;
2246
2247
				/* for now we can not handle link local,
2248
				 * therefore bail for now
2249
				 */
2250
				free(n);
2251
				continue;
2252
2253
				memcpy(&tmp16, &s6[2], sizeof(tmp16));
2254
				/* use this when we support link-local
2255
				 * n->??.scopeid = ntohs(tmp16);
2256
				 */
2257
				s6[2] = 0;
2258
				s6[3] = 0;
2259
			}
2260
			set_ipmask(n, 128);
2261
			break;
2262
		}
2263
2264
		n->next = NULL;
2265
		n->tail = n;
2266
		if (h == NULL)
2267
			h = n;
2268
		else {
2269
			h->tail->next = n;
2270
			h->tail = n;
2271
		}
2272
	}
2273
2274
	return (h);
2275
}
2276
2277
void
2278
set_ipmask(struct ipsec_addr_wrap *address, uint8_t b)
2279
{
2280
	address->mask = b;
2281
}
2282
2283
const struct ipsec_xf *
2284
parse_xf(const char *name, unsigned int length, const struct ipsec_xf xfs[])
2285
{
2286
	int		i;
2287
2288
	for (i = 0; xfs[i].name != NULL; i++) {
2289
		if (strncmp(name, xfs[i].name, strlen(name)))
2290
			continue;
2291
		if (length == 0 || length == xfs[i].length)
2292
			return &xfs[i];
2293
	}
2294
	return (NULL);
2295
}
2296
2297
const char *
2298
print_xf(unsigned int id, unsigned int length, const struct ipsec_xf xfs[])
2299
{
2300
	int		i;
2301
2302
	for (i = 0; xfs[i].name != NULL; i++) {
2303
		if (xfs[i].id == id) {
2304
			if (length == 0 || length == xfs[i].length)
2305
				return (xfs[i].name);
2306
		}
2307
	}
2308
	return ("unknown");
2309
}
2310
2311
size_t
2312
keylength_xf(unsigned int saproto, unsigned int type, unsigned int id)
2313
{
2314
	int			 i;
2315
	const struct ipsec_xf	*xfs;
2316
2317
	switch (type) {
2318
	case IKEV2_XFORMTYPE_ENCR:
2319
		if (saproto == IKEV2_SAPROTO_IKE)
2320
			xfs = ikeencxfs;
2321
		else
2322
			xfs = ipsecencxfs;
2323
		break;
2324
	case IKEV2_XFORMTYPE_INTEGR:
2325
		xfs = authxfs;
2326
		break;
2327
	default:
2328
		return (0);
2329
	}
2330
2331
	for (i = 0; xfs[i].name != NULL; i++) {
2332
		if (xfs[i].id == id)
2333
			return (xfs[i].length * 8);
2334
	}
2335
	return (0);
2336
}
2337
2338
size_t
2339
noncelength_xf(unsigned int type, unsigned int id)
2340
{
2341
	const struct ipsec_xf	*xfs = ipsecencxfs;
2342
	int			 i;
2343
2344
	if (type != IKEV2_XFORMTYPE_ENCR)
2345
		return (0);
2346
2347
	for (i = 0; xfs[i].name != NULL; i++)
2348
		if (xfs[i].id == id)
2349
			return (xfs[i].nonce * 8);
2350
	return (0);
2351
}
2352
2353
void
2354
print_user(struct iked_user *usr)
2355
{
2356
	print_verbose("user \"%s\" \"%s\"\n", usr->usr_name, usr->usr_pass);
2357
}
2358
2359
void
2360
print_policy(struct iked_policy *pol)
2361
{
2362
	struct iked_proposal	*pp;
2363
	struct iked_transform	*xform;
2364
	struct iked_flow	*flow;
2365
	struct iked_cfg		*cfg;
2366
	unsigned int		 i, j;
2367
	const struct ipsec_xf	*xfs = NULL;
2368
2369
	print_verbose("ikev2");
2370
2371
	if (pol->pol_name[0] != '\0')
2372
		print_verbose(" \"%s\"", pol->pol_name);
2373
2374
	if (pol->pol_flags & IKED_POLICY_DEFAULT)
2375
		print_verbose(" default");
2376
	else if (pol->pol_flags & IKED_POLICY_QUICK)
2377
		print_verbose(" quick");
2378
	else if (pol->pol_flags & IKED_POLICY_SKIP)
2379
		print_verbose(" skip");
2380
2381
	if (pol->pol_flags & IKED_POLICY_ACTIVE)
2382
		print_verbose(" active");
2383
	else
2384
		print_verbose(" passive");
2385
2386
	print_verbose(" %s", print_xf(pol->pol_saproto, 0, saxfs));
2387
2388
	if (pol->pol_ipproto)
2389
		print_verbose(" proto %s", print_proto(pol->pol_ipproto));
2390
2391
	if (pol->pol_af) {
2392
		if (pol->pol_af == AF_INET)
2393
			print_verbose(" inet");
2394
		else
2395
			print_verbose(" inet6");
2396
	}
2397
2398
	RB_FOREACH(flow, iked_flows, &pol->pol_flows) {
2399
		print_verbose(" from %s",
2400
		    print_host((struct sockaddr *)&flow->flow_src.addr, NULL,
2401
		    0));
2402
		if (flow->flow_src.addr_af != AF_UNSPEC &&
2403
		    flow->flow_src.addr_net)
2404
			print_verbose("/%d", flow->flow_src.addr_mask);
2405
		if (flow->flow_src.addr_port)
2406
			print_verbose(" port %d",
2407
			    ntohs(flow->flow_src.addr_port));
2408
2409
		print_verbose(" to %s",
2410
		    print_host((struct sockaddr *)&flow->flow_dst.addr, NULL,
2411
		    0));
2412
		if (flow->flow_dst.addr_af != AF_UNSPEC &&
2413
		    flow->flow_dst.addr_net)
2414
			print_verbose("/%d", flow->flow_dst.addr_mask);
2415
		if (flow->flow_dst.addr_port)
2416
			print_verbose(" port %d",
2417
			    ntohs(flow->flow_dst.addr_port));
2418
	}
2419
2420
	if ((pol->pol_flags & IKED_POLICY_DEFAULT) == 0) {
2421
		print_verbose(" local %s",
2422
		    print_host((struct sockaddr *)&pol->pol_local.addr, NULL,
2423
		    0));
2424
		if (pol->pol_local.addr.ss_family != AF_UNSPEC &&
2425
		    pol->pol_local.addr_net)
2426
			print_verbose("/%d", pol->pol_local.addr_mask);
2427
2428
		print_verbose(" peer %s",
2429
		    print_host((struct sockaddr *)&pol->pol_peer.addr, NULL,
2430
		    0));
2431
		if (pol->pol_peer.addr.ss_family != AF_UNSPEC &&
2432
		    pol->pol_peer.addr_net)
2433
			print_verbose("/%d", pol->pol_peer.addr_mask);
2434
	}
2435
2436
	TAILQ_FOREACH(pp, &pol->pol_proposals, prop_entry) {
2437
		if (!pp->prop_nxforms)
2438
			continue;
2439
		if (pp->prop_protoid == IKEV2_SAPROTO_IKE)
2440
			print_verbose(" ikesa");
2441
		else
2442
			print_verbose(" childsa");
2443
2444
		for (j = 0; ikev2_xformtype_map[j].cm_type != 0; j++) {
2445
			xfs = NULL;
2446
2447
			for (i = 0; i < pp->prop_nxforms; i++) {
2448
				xform = pp->prop_xforms + i;
2449
2450
				if (xform->xform_type !=
2451
				    ikev2_xformtype_map[j].cm_type)
2452
					continue;
2453
2454
				if (xfs != NULL) {
2455
					print_verbose(",");
2456
				} else {
2457
					switch (xform->xform_type) {
2458
					case IKEV2_XFORMTYPE_INTEGR:
2459
						print_verbose(" auth ");
2460
						xfs = authxfs;
2461
						break;
2462
					case IKEV2_XFORMTYPE_ENCR:
2463
						print_verbose(" enc ");
2464
						if (pp->prop_protoid ==
2465
						    IKEV2_SAPROTO_IKE)
2466
							xfs = ikeencxfs;
2467
						else
2468
							xfs = ipsecencxfs;
2469
						break;
2470
					case IKEV2_XFORMTYPE_PRF:
2471
						print_verbose(" prf ");
2472
						xfs = prfxfs;
2473
						break;
2474
					case IKEV2_XFORMTYPE_DH:
2475
						print_verbose(" group ");
2476
						xfs = groupxfs;
2477
						break;
2478
					default:
2479
						continue;
2480
					}
2481
				}
2482
2483
				print_verbose("%s", print_xf(xform->xform_id,
2484
				    xform->xform_length / 8, xfs));
2485
			}
2486
		}
2487
	}
2488
2489
	if (pol->pol_localid.id_length != 0)
2490
		print_verbose(" srcid %s", pol->pol_localid.id_data);
2491
	if (pol->pol_peerid.id_length != 0)
2492
		print_verbose(" dstid %s", pol->pol_peerid.id_data);
2493
2494
	if (pol->pol_rekey)
2495
		print_verbose(" ikelifetime %u", pol->pol_rekey);
2496
2497
	print_verbose(" lifetime %llu bytes %llu",
2498
	    pol->pol_lifetime.lt_seconds, pol->pol_lifetime.lt_bytes);
2499
2500
	switch (pol->pol_auth.auth_method) {
2501
	case IKEV2_AUTH_NONE:
2502
		print_verbose (" none");
2503
		break;
2504
	case IKEV2_AUTH_SHARED_KEY_MIC:
2505
		print_verbose(" psk 0x");
2506
		for (i = 0; i < pol->pol_auth.auth_length; i++)
2507
			print_verbose("%02x", pol->pol_auth.auth_data[i]);
2508
		break;
2509
	default:
2510
		if (pol->pol_auth.auth_eap)
2511
			print_verbose(" eap \"%s\"",
2512
			    print_map(pol->pol_auth.auth_eap, eap_type_map));
2513
		else
2514
			print_verbose(" %s",
2515
			    print_xf(pol->pol_auth.auth_method, 0, methodxfs));
2516
	}
2517
2518
	for (i = 0; i < pol->pol_ncfg; i++) {
2519
		cfg = &pol->pol_cfg[i];
2520
		print_verbose(" config %s %s", print_xf(cfg->cfg_type,
2521
		    cfg->cfg.address.addr_af, cpxfs),
2522
		    print_host((struct sockaddr *)&cfg->cfg.address.addr, NULL,
2523
		    0));
2524
	}
2525
2526
	if (pol->pol_tag[0] != '\0')
2527
		print_verbose(" tag \"%s\"", pol->pol_tag);
2528
2529
	if (pol->pol_tap != 0)
2530
		print_verbose(" tap \"enc%u\"", pol->pol_tap);
2531
2532
	print_verbose("\n");
2533
}
2534
2535
void
2536
copy_transforms(unsigned int type, const struct ipsec_xf *xf,
2537
    const struct ipsec_xf *xfs,
2538
    struct iked_transform *dst, size_t ndst,
2539
    unsigned int *n, struct iked_transform *src, size_t nsrc)
2540
{
2541
	unsigned int		 i;
2542
	struct iked_transform	*a, *b;
2543
2544
	if (xf != NULL) {
2545
		if (*n >= ndst)
2546
			return;
2547
		b = dst + (*n)++;
2548
2549
		b->xform_type = type;
2550
		b->xform_id = xf->id;
2551
		b->xform_keylength = xf->length * 8;
2552
		b->xform_length = xf->keylength * 8;
2553
		return;
2554
	}
2555
2556
	for (i = 0; i < nsrc; i++) {
2557
		a = src + i;
2558
		if (a->xform_type != type)
2559
			continue;
2560
		if (*n >= ndst)
2561
			return;
2562
		b = dst + (*n)++;
2563
		memcpy(b, a, sizeof(*b));
2564
	}
2565
}
2566
2567
int
2568
create_ike(char *name, int af, uint8_t ipproto, struct ipsec_hosts *hosts,
2569
    struct ipsec_hosts *peers, struct ipsec_mode *ike_sa,
2570
    struct ipsec_mode *ipsec_sa, uint8_t saproto,
2571
    uint8_t flags, char *srcid, char *dstid,
2572
    uint32_t ikelifetime, struct iked_lifetime *lt,
2573
    struct iked_auth *authtype, struct ipsec_filters *filter,
2574
    struct ipsec_addr_wrap *ikecfg)
2575
{
2576
	char			 idstr[IKED_ID_SIZE];
2577
	unsigned int		 idtype = IKEV2_ID_NONE;
2578
	struct ipsec_addr_wrap	*ipa, *ipb, *ippn;
2579
	struct iked_policy	 pol;
2580
	struct iked_proposal	 prop[2];
2581
	unsigned int		 j;
2582
	struct iked_transform	 ikexforms[64], ipsecxforms[64];
2583
	struct iked_flow	 flows[64];
2584
	static unsigned int	 policy_id = 0;
2585
	struct iked_cfg		*cfg;
2586
2587
	bzero(&pol, sizeof(pol));
2588
	bzero(&prop, sizeof(prop));
2589
	bzero(&ikexforms, sizeof(ikexforms));
2590
	bzero(&ipsecxforms, sizeof(ipsecxforms));
2591
	bzero(&flows, sizeof(flows));
2592
	bzero(idstr, sizeof(idstr));
2593
2594
	pol.pol_id = ++policy_id;
2595
	pol.pol_certreqtype = env->sc_certreqtype;
2596
	pol.pol_af = af;
2597
	pol.pol_saproto = saproto;
2598
	pol.pol_ipproto = ipproto;
2599
	pol.pol_flags = flags;
2600
	memcpy(&pol.pol_auth, authtype, sizeof(struct iked_auth));
2601
2602
	if (name != NULL) {
2603
		if (strlcpy(pol.pol_name, name,
2604
		    sizeof(pol.pol_name)) >= sizeof(pol.pol_name)) {
2605
			yyerror("name too long");
2606
			return (-1);
2607
		}
2608
	} else {
2609
		snprintf(pol.pol_name, sizeof(pol.pol_name),
2610
		    "policy%d", policy_id);
2611
	}
2612
2613
	if (srcid) {
2614
		pol.pol_localid.id_type = get_id_type(srcid);
2615
		pol.pol_localid.id_length = strlen(srcid);
2616
		if (strlcpy((char *)pol.pol_localid.id_data,
2617
		    srcid, IKED_ID_SIZE) >= IKED_ID_SIZE) {
2618
			yyerror("srcid too long");
2619
			return (-1);
2620
		}
2621
	}
2622
	if (dstid) {
2623
		pol.pol_peerid.id_type = get_id_type(dstid);
2624
		pol.pol_peerid.id_length = strlen(dstid);
2625
		if (strlcpy((char *)pol.pol_peerid.id_data,
2626
		    dstid, IKED_ID_SIZE) >= IKED_ID_SIZE) {
2627
			yyerror("dstid too long");
2628
			return (-1);
2629
		}
2630
	}
2631
2632
	if (filter != NULL) {
2633
		if (filter->tag)
2634
			strlcpy(pol.pol_tag, filter->tag, sizeof(pol.pol_tag));
2635
		pol.pol_tap = filter->tap;
2636
	}
2637
2638
	if (peers == NULL) {
2639
		if (pol.pol_flags & IKED_POLICY_ACTIVE) {
2640
			yyerror("active mode requires peer specification");
2641
			return (-1);
2642
		}
2643
		pol.pol_flags |= IKED_POLICY_DEFAULT|IKED_POLICY_SKIP;
2644
	}
2645
2646
	if (peers && peers->src && peers->dst &&
2647
	    (peers->src->af != AF_UNSPEC) && (peers->dst->af != AF_UNSPEC) &&
2648
	    (peers->src->af != peers->dst->af))
2649
		fatalx("create_ike: peer address family mismatch");
2650
2651
	if (peers && (pol.pol_af != AF_UNSPEC) &&
2652
	    ((peers->src && (peers->src->af != AF_UNSPEC) &&
2653
	    (peers->src->af != pol.pol_af)) ||
2654
	    (peers->dst && (peers->dst->af != AF_UNSPEC) &&
2655
	    (peers->dst->af != pol.pol_af))))
2656
		fatalx("create_ike: policy address family mismatch");
2657
2658
	ipa = ipb = NULL;
2659
	if (peers) {
2660
		if (peers->src)
2661
			ipa = peers->src;
2662
		if (peers->dst)
2663
			ipb = peers->dst;
2664
		if (ipa == NULL && ipb == NULL) {
2665
			if (hosts->src && hosts->src->next == NULL)
2666
				ipa = hosts->src;
2667
			if (hosts->dst && hosts->dst->next == NULL)
2668
				ipb = hosts->dst;
2669
		}
2670
	}
2671
	if (ipa == NULL && ipb == NULL) {
2672
		yyerror("could not get local/peer specification");
2673
		return (-1);
2674
	}
2675
	if (pol.pol_flags & IKED_POLICY_ACTIVE) {
2676
		if (ipb == NULL || ipb->netaddress ||
2677
		    (ipa != NULL && ipa->netaddress)) {
2678
			yyerror("active mode requires local/peer address");
2679
			return (-1);
2680
		}
2681
	}
2682
	if (ipa) {
2683
		memcpy(&pol.pol_local.addr, &ipa->address,
2684
		    sizeof(ipa->address));
2685
		pol.pol_local.addr_af = ipa->af;
2686
		pol.pol_local.addr_mask = ipa->mask;
2687
		pol.pol_local.addr_net = ipa->netaddress;
2688
		if (pol.pol_af == AF_UNSPEC)
2689
			pol.pol_af = ipa->af;
2690
	}
2691
	if (ipb) {
2692
		memcpy(&pol.pol_peer.addr, &ipb->address,
2693
		    sizeof(ipb->address));
2694
		pol.pol_peer.addr_af = ipb->af;
2695
		pol.pol_peer.addr_mask = ipb->mask;
2696
		pol.pol_peer.addr_net = ipb->netaddress;
2697
		if (pol.pol_af == AF_UNSPEC)
2698
			pol.pol_af = ipb->af;
2699
	}
2700
2701
	if (ikelifetime)
2702
		pol.pol_rekey = ikelifetime;
2703
2704
	if (lt)
2705
		pol.pol_lifetime = *lt;
2706
	else
2707
		pol.pol_lifetime = deflifetime;
2708
2709
	TAILQ_INIT(&pol.pol_proposals);
2710
	RB_INIT(&pol.pol_flows);
2711
2712
	prop[0].prop_id = ++pol.pol_nproposals;
2713
	prop[0].prop_protoid = IKEV2_SAPROTO_IKE;
2714
	if (ike_sa == NULL || ike_sa->xfs == NULL) {
2715
		prop[0].prop_nxforms = ikev2_default_nike_transforms;
2716
		prop[0].prop_xforms = ikev2_default_ike_transforms;
2717
	} else {
2718
		j = 0;
2719
		copy_transforms(IKEV2_XFORMTYPE_INTEGR,
2720
		    ike_sa->xfs->authxf, authxfs,
2721
		    ikexforms, nitems(ikexforms), &j,
2722
		    ikev2_default_ike_transforms,
2723
		    ikev2_default_nike_transforms);
2724
		copy_transforms(IKEV2_XFORMTYPE_ENCR,
2725
		    ike_sa->xfs->encxf, ikeencxfs,
2726
		    ikexforms, nitems(ikexforms), &j,
2727
		    ikev2_default_ike_transforms,
2728
		    ikev2_default_nike_transforms);
2729
		copy_transforms(IKEV2_XFORMTYPE_DH,
2730
		    ike_sa->xfs->groupxf, groupxfs,
2731
		    ikexforms, nitems(ikexforms), &j,
2732
		    ikev2_default_ike_transforms,
2733
		    ikev2_default_nike_transforms);
2734
		copy_transforms(IKEV2_XFORMTYPE_PRF,
2735
		    ike_sa->xfs->prfxf, prfxfs,
2736
		    ikexforms, nitems(ikexforms), &j,
2737
		    ikev2_default_ike_transforms,
2738
		    ikev2_default_nike_transforms);
2739
		prop[0].prop_nxforms = j;
2740
		prop[0].prop_xforms = ikexforms;
2741
	}
2742
	TAILQ_INSERT_TAIL(&pol.pol_proposals, &prop[0], prop_entry);
2743
2744
	prop[1].prop_id = ++pol.pol_nproposals;
2745
	prop[1].prop_protoid = saproto;
2746
	if (ipsec_sa == NULL || ipsec_sa->xfs == NULL) {
2747
		prop[1].prop_nxforms = ikev2_default_nesp_transforms;
2748
		prop[1].prop_xforms = ikev2_default_esp_transforms;
2749
	} else {
2750
		j = 0;
2751
		if (ipsec_sa->xfs->encxf && ipsec_sa->xfs->encxf->noauth &&
2752
		    ipsec_sa->xfs->authxf) {
2753
			yyerror("authentication is implicit for %s",
2754
			    ipsec_sa->xfs->encxf->name);
2755
			return (-1);
2756
		}
2757
		if (ipsec_sa->xfs->encxf == NULL ||
2758
		    (ipsec_sa->xfs->encxf && !ipsec_sa->xfs->encxf->noauth))
2759
			copy_transforms(IKEV2_XFORMTYPE_INTEGR,
2760
			    ipsec_sa->xfs->authxf, authxfs,
2761
			    ipsecxforms, nitems(ipsecxforms), &j,
2762
			    ikev2_default_esp_transforms,
2763
			    ikev2_default_nesp_transforms);
2764
		copy_transforms(IKEV2_XFORMTYPE_ENCR,
2765
		    ipsec_sa->xfs->encxf, ipsecencxfs,
2766
		    ipsecxforms, nitems(ipsecxforms), &j,
2767
		    ikev2_default_esp_transforms,
2768
		    ikev2_default_nesp_transforms);
2769
		copy_transforms(IKEV2_XFORMTYPE_DH,
2770
		    ipsec_sa->xfs->groupxf, groupxfs,
2771
		    ipsecxforms, nitems(ipsecxforms), &j,
2772
		    ikev2_default_esp_transforms,
2773
		    ikev2_default_nesp_transforms);
2774
		copy_transforms(IKEV2_XFORMTYPE_ESN,
2775
		    NULL, NULL,
2776
		    ipsecxforms, nitems(ipsecxforms), &j,
2777
		    ikev2_default_esp_transforms,
2778
		    ikev2_default_nesp_transforms);
2779
		prop[1].prop_nxforms = j;
2780
		prop[1].prop_xforms = ipsecxforms;
2781
	}
2782
	TAILQ_INSERT_TAIL(&pol.pol_proposals, &prop[1], prop_entry);
2783
2784
	if (hosts == NULL || hosts->src == NULL || hosts->dst == NULL)
2785
		fatalx("create_ike: no traffic selectors/flows");
2786
2787
	for (j = 0, ipa = hosts->src, ipb = hosts->dst; ipa && ipb;
2788
	    ipa = ipa->next, ipb = ipb->next, j++) {
2789
		if (j >= nitems(flows))
2790
			fatalx("create_ike: too many flows");
2791
		memcpy(&flows[j].flow_src.addr, &ipa->address,
2792
		    sizeof(ipa->address));
2793
		flows[j].flow_src.addr_af = ipa->af;
2794
		flows[j].flow_src.addr_mask = ipa->mask;
2795
		flows[j].flow_src.addr_net = ipa->netaddress;
2796
		flows[j].flow_src.addr_port = hosts->sport;
2797
2798
		memcpy(&flows[j].flow_dst.addr, &ipb->address,
2799
		    sizeof(ipb->address));
2800
		flows[j].flow_dst.addr_af = ipb->af;
2801
		flows[j].flow_dst.addr_mask = ipb->mask;
2802
		flows[j].flow_dst.addr_net = ipb->netaddress;
2803
		flows[j].flow_dst.addr_port = hosts->dport;
2804
2805
		ippn = ipa->srcnat;
2806
		if (ippn) {
2807
			memcpy(&flows[j].flow_prenat.addr, &ippn->address,
2808
			    sizeof(ippn->address));
2809
			flows[j].flow_prenat.addr_af = ippn->af;
2810
			flows[j].flow_prenat.addr_mask = ippn->mask;
2811
			flows[j].flow_prenat.addr_net = ippn->netaddress;
2812
		} else {
2813
			flows[j].flow_prenat.addr_af = 0;
2814
		}
2815
2816
		flows[j].flow_ipproto = ipproto;
2817
2818
		if (RB_INSERT(iked_flows, &pol.pol_flows, &flows[j]) == NULL)
2819
			pol.pol_nflows++;
2820
		else
2821
			warnx("create_ike: duplicate flow");
2822
	}
2823
2824
	for (j = 0, ipa = ikecfg; ipa; ipa = ipa->next, j++) {
2825
		if (j >= IKED_CFG_MAX)
2826
			break;
2827
		cfg = &pol.pol_cfg[j];
2828
		pol.pol_ncfg++;
2829
2830
		cfg->cfg_action = ipa->action;
2831
		cfg->cfg_type = ipa->type;
2832
		memcpy(&cfg->cfg.address.addr, &ipa->address,
2833
		    sizeof(ipa->address));
2834
		cfg->cfg.address.addr_mask = ipa->mask;
2835
		cfg->cfg.address.addr_net = ipa->netaddress;
2836
		cfg->cfg.address.addr_af = ipa->af;
2837
	}
2838
2839
	if (dstid) {
2840
		strlcpy(idstr, dstid, sizeof(idstr));
2841
		idtype = pol.pol_peerid.id_type;
2842
	} else if (!pol.pol_peer.addr_net) {
2843
		print_host((struct sockaddr *)&pol.pol_peer.addr, idstr,
2844
		    sizeof(idstr));
2845
		switch (pol.pol_peer.addr.ss_family) {
2846
		case AF_INET:
2847
			idtype = IKEV2_ID_IPV4;
2848
			break;
2849
		case AF_INET6:
2850
			idtype = IKEV2_ID_IPV6;
2851
			break;
2852
		default:
2853
			log_warnx("%s: unknown address family", __func__);
2854
			break;
2855
		}
2856
	}
2857
2858
	/* Make sure that we know how to authenticate this peer */
2859
	if (idtype && set_policy(idstr, idtype, &pol) < 0) {
2860
		log_debug("%s: set_policy failed", __func__);
2861
		return (-1);
2862
	}
2863
2864
	config_setpolicy(env, &pol, PROC_IKEV2);
2865
	config_setflow(env, &pol, PROC_IKEV2);
2866
2867
	rules++;
2868
	return (0);
2869
}
2870
2871
int
2872
create_user(const char *user, const char *pass)
2873
{
2874
	struct iked_user	 usr;
2875
2876
	bzero(&usr, sizeof(usr));
2877
2878
	if (*user == '\0' || (strlcpy(usr.usr_name, user,
2879
	    sizeof(usr.usr_name)) >= sizeof(usr.usr_name))) {
2880
		yyerror("invalid user name");
2881
		return (-1);
2882
	}
2883
	if (*pass == '\0' || (strlcpy(usr.usr_pass, pass,
2884
	    sizeof(usr.usr_pass)) >= sizeof(usr.usr_pass))) {
2885
		yyerror("invalid password");
2886
		return (-1);
2887
	}
2888
2889
	config_setuser(env, &usr, PROC_IKEV2);
2890
2891
	rules++;
2892
	return (0);
2893
}