GCC Code Coverage Report
Directory: ./ Exec Total Coverage
File: sbin/isakmpd/conf.c Lines: 0 441 0.0 %
Date: 2017-11-13 Branches: 0 313 0.0 %

Line Branch Exec Source
1
/* $OpenBSD: conf.c,v 1.107 2017/10/27 08:29:32 mpi Exp $	 */
2
/* $EOM: conf.c,v 1.48 2000/12/04 02:04:29 angelos Exp $	 */
3
4
/*
5
 * Copyright (c) 1998, 1999, 2000, 2001 Niklas Hallqvist.  All rights reserved.
6
 * Copyright (c) 2000, 2001, 2002 Håkan Olsson.  All rights reserved.
7
 *
8
 * Redistribution and use in source and binary forms, with or without
9
 * modification, are permitted provided that the following conditions
10
 * are met:
11
 * 1. Redistributions of source code must retain the above copyright
12
 *    notice, this list of conditions and the following disclaimer.
13
 * 2. Redistributions in binary form must reproduce the above copyright
14
 *    notice, this list of conditions and the following disclaimer in the
15
 *    documentation and/or other materials provided with the distribution.
16
 *
17
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
18
 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
19
 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
20
 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
21
 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
22
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
23
 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
24
 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
25
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
26
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
27
 */
28
29
/*
30
 * This code was written under funding by Ericsson Radio Systems.
31
 */
32
33
#include <sys/types.h>
34
#include <sys/mman.h>
35
#include <sys/queue.h>
36
#include <sys/socket.h>
37
#include <sys/stat.h>
38
#include <netinet/in.h>
39
#include <arpa/inet.h>
40
#include <ctype.h>
41
#include <fcntl.h>
42
#include <stdio.h>
43
#include <stdlib.h>
44
#include <string.h>
45
#include <unistd.h>
46
#include <errno.h>
47
48
#include "app.h"
49
#include "conf.h"
50
#include "log.h"
51
#include "monitor.h"
52
#include "util.h"
53
54
static char    *conf_get_trans_str(int, char *, char *);
55
static void     conf_load_defaults(int);
56
#if 0
57
static int      conf_find_trans_xf(int, char *);
58
#endif
59
60
struct conf_trans {
61
	TAILQ_ENTRY(conf_trans) link;
62
	int	 trans;
63
	enum conf_op {
64
		CONF_SET, CONF_REMOVE, CONF_REMOVE_SECTION
65
	}	 op;
66
	char	*section;
67
	char	*tag;
68
	char	*value;
69
	int	 override;
70
	int	 is_default;
71
};
72
73
#define CONF_SECT_MAX 256
74
75
TAILQ_HEAD(conf_trans_head, conf_trans) conf_trans_queue;
76
77
struct conf_binding {
78
	LIST_ENTRY(conf_binding) link;
79
	char	*section;
80
	char	*tag;
81
	char	*value;
82
	int	 is_default;
83
};
84
85
char	*conf_path = CONFIG_FILE;
86
LIST_HEAD(conf_bindings, conf_binding) conf_bindings[256];
87
88
static char	*conf_addr;
89
static __inline__ u_int8_t
90
conf_hash(char *s)
91
{
92
	u_int8_t hash = 0;
93
94
	while (*s) {
95
		hash = ((hash << 1) | (hash >> 7)) ^ tolower((unsigned char)*s);
96
		s++;
97
	}
98
	return hash;
99
}
100
101
/*
102
 * Insert a tag-value combination from LINE (the equal sign is at POS)
103
 */
104
static int
105
conf_remove_now(char *section, char *tag)
106
{
107
	struct conf_binding *cb, *next;
108
109
	for (cb = LIST_FIRST(&conf_bindings[conf_hash(section)]); cb;
110
	    cb = next) {
111
		next = LIST_NEXT(cb, link);
112
		if (strcasecmp(cb->section, section) == 0 &&
113
		    strcasecmp(cb->tag, tag) == 0) {
114
			LIST_REMOVE(cb, link);
115
			LOG_DBG((LOG_MISC, 95, "[%s]:%s->%s removed", section,
116
			    tag, cb->value));
117
			free(cb->section);
118
			free(cb->tag);
119
			free(cb->value);
120
			free(cb);
121
			return 0;
122
		}
123
	}
124
	return 1;
125
}
126
127
static int
128
conf_remove_section_now(char *section)
129
{
130
	struct conf_binding *cb, *next;
131
	int	unseen = 1;
132
133
	for (cb = LIST_FIRST(&conf_bindings[conf_hash(section)]); cb;
134
	    cb = next) {
135
		next = LIST_NEXT(cb, link);
136
		if (strcasecmp(cb->section, section) == 0) {
137
			unseen = 0;
138
			LIST_REMOVE(cb, link);
139
			LOG_DBG((LOG_MISC, 95, "[%s]:%s->%s removed", section,
140
			    cb->tag, cb->value));
141
			free(cb->section);
142
			free(cb->tag);
143
			free(cb->value);
144
			free(cb);
145
		}
146
	}
147
	return unseen;
148
}
149
150
/*
151
 * Insert a tag-value combination from LINE (the equal sign is at POS)
152
 * into SECTION of our configuration database.
153
 */
154
static int
155
conf_set_now(char *section, char *tag, char *value, int override,
156
    int is_default)
157
{
158
	struct conf_binding *node = 0;
159
160
	if (override)
161
		conf_remove_now(section, tag);
162
	else if (conf_get_str(section, tag)) {
163
		if (!is_default)
164
			log_print("conf_set_now: duplicate tag [%s]:%s, "
165
			    "ignoring...\n", section, tag);
166
		return 1;
167
	}
168
	node = calloc(1, sizeof *node);
169
	if (!node) {
170
		log_error("conf_set_now: calloc (1, %lu) failed",
171
		    (unsigned long)sizeof *node);
172
		return 1;
173
	}
174
	node->section = node->tag = node->value = NULL;
175
	if ((node->section = strdup(section)) == NULL)
176
		goto fail;
177
	if ((node->tag = strdup(tag)) == NULL)
178
		goto fail;
179
	if ((node->value = strdup(value)) == NULL)
180
		goto fail;
181
	node->is_default = is_default;
182
183
	LIST_INSERT_HEAD(&conf_bindings[conf_hash(section)], node, link);
184
	LOG_DBG((LOG_MISC, 95, "conf_set_now: [%s]:%s->%s", node->section,
185
	    node->tag, node->value));
186
	return 0;
187
fail:
188
	free(node->value);
189
	free(node->tag);
190
	free(node->section);
191
	free(node);
192
	return 1;
193
}
194
195
/*
196
 * Parse the line LINE of SZ bytes.  Skip Comments, recognize section
197
 * headers and feed tag-value pairs into our configuration database.
198
 */
199
static void
200
conf_parse_line(int trans, char *line, int ln, size_t sz)
201
{
202
	char	*val;
203
	size_t	 i;
204
	int	 j;
205
	static char *section = 0;
206
207
	/* Lines starting with '#' or ';' are comments.  */
208
	if (*line == '#' || *line == ';')
209
		return;
210
211
	/* '[section]' parsing...  */
212
	if (*line == '[') {
213
		for (i = 1; i < sz; i++)
214
			if (line[i] == ']')
215
				break;
216
		free(section);
217
		if (i == sz) {
218
			log_print("conf_parse_line: %d:"
219
			    "unmatched ']', ignoring until next section", ln);
220
			section = 0;
221
			return;
222
		}
223
		section = malloc(i);
224
		if (!section) {
225
			log_print("conf_parse_line: %d: malloc (%lu) failed",
226
			    ln, (unsigned long)i);
227
			return;
228
		}
229
		strlcpy(section, line + 1, i);
230
		return;
231
	}
232
	/* Deal with assignments.  */
233
	for (i = 0; i < sz; i++)
234
		if (line[i] == '=') {
235
			/* If no section, we are ignoring the lines.  */
236
			if (!section) {
237
				log_print("conf_parse_line: %d: ignoring line "
238
				    "due to no section", ln);
239
				return;
240
			}
241
			line[strcspn(line, " \t=")] = '\0';
242
			val = line + i + 1 + strspn(line + i + 1, " \t");
243
			/* Skip trailing whitespace, if any */
244
			for (j = sz - (val - line) - 1; j > 0 &&
245
			    isspace((unsigned char)val[j]); j--)
246
				val[j] = '\0';
247
			/* XXX Perhaps should we not ignore errors?  */
248
			conf_set(trans, section, line, val, 0, 0);
249
			return;
250
		}
251
	/* Other non-empty lines are weird.  */
252
	i = strspn(line, " \t");
253
	if (line[i])
254
		log_print("conf_parse_line: %d: syntax error", ln);
255
}
256
257
/* Parse the mapped configuration file.  */
258
static void
259
conf_parse(int trans, char *buf, size_t sz)
260
{
261
	char	*cp = buf;
262
	char	*bufend = buf + sz;
263
	char	*line;
264
	int	ln = 1;
265
266
	line = cp;
267
	while (cp < bufend) {
268
		if (*cp == '\n') {
269
			/* Check for escaped newlines.  */
270
			if (cp > buf && *(cp - 1) == '\\')
271
				*(cp - 1) = *cp = ' ';
272
			else {
273
				*cp = '\0';
274
				conf_parse_line(trans, line, ln, cp - line);
275
				line = cp + 1;
276
			}
277
			ln++;
278
		}
279
		cp++;
280
	}
281
	if (cp != line)
282
		log_print("conf_parse: last line unterminated, ignored.");
283
}
284
285
/*
286
 * Auto-generate default configuration values for the transforms and
287
 * suites the user wants.
288
 *
289
 * Resulting section names can be:
290
 *  For main mode:
291
 *     {BLF,3DES,CAST,AES,AES-{128,192,256}-{MD5,SHA,SHA2-{256,384,512}} \
292
 *         [-GRP{1,2,5,14-21,25-30}][-{DSS,RSA_SIG}]
293
 *  For quick mode:
294
 *     QM-{proto}[-TRP]-{cipher}[-{hash}][-PFS[-{group}]]-SUITE
295
 *     where
296
 *       {proto}  = ESP, AH
297
 *       {cipher} = 3DES, CAST, BLF, AES, AES-{128,192,256}, AESCTR
298
 *       {hash}   = MD5, SHA, RIPEMD, SHA2-{256,384,512}
299
 *       {group}  = GRP{1,2,5,14-21,25-30}
300
 *
301
 * DH group defaults to MODP_1024.
302
 *
303
 * XXX We may want to support USE_TRIPLEDES, etc...
304
 * XXX No EC2N DH support here yet.
305
 */
306
307
/* Find the value for a section+tag in the transaction list.  */
308
static char *
309
conf_get_trans_str(int trans, char *section, char *tag)
310
{
311
	struct conf_trans *node, *nf = 0;
312
313
	for (node = TAILQ_FIRST(&conf_trans_queue); node;
314
	    node = TAILQ_NEXT(node, link))
315
		if (node->trans == trans && strcasecmp(section, node->section)
316
		    == 0 && strcasecmp(tag, node->tag) == 0) {
317
			if (!nf)
318
				nf = node;
319
			else if (node->override)
320
				nf = node;
321
		}
322
	return nf ? nf->value : 0;
323
}
324
325
#if 0
326
/* XXX Currently unused.  */
327
static int
328
conf_find_trans_xf(int phase, char *xf)
329
{
330
	struct conf_trans *node;
331
	char	*p;
332
333
	/* Find the relevant transforms and suites, if any.  */
334
	for (node = TAILQ_FIRST(&conf_trans_queue); node;
335
	    node = TAILQ_NEXT(node, link))
336
		if ((phase == 1 && strcmp("Transforms", node->tag) == 0) ||
337
		    (phase == 2 && strcmp("Suites", node->tag) == 0)) {
338
			p = node->value;
339
			while ((p = strstr(p, xf)) != NULL)
340
				if (*(p + strlen(p)) &&
341
				    *(p + strlen(p)) != ',')
342
					p += strlen(p);
343
				else
344
					return 1;
345
		}
346
	return 0;
347
}
348
#endif
349
350
static void
351
conf_load_defaults_mm(int tr, char *mme, char *mmh, char *mma, char *dhg,
352
    char *mme_p, char *mma_p, char *dhg_p, char *mmh_p)
353
{
354
	char sect[CONF_SECT_MAX];
355
356
	snprintf(sect, sizeof sect, "%s%s%s%s", mme_p, mmh_p, dhg_p, mma_p);
357
358
	LOG_DBG((LOG_MISC, 95, "conf_load_defaults_mm: main mode %s", sect));
359
360
	conf_set(tr, sect, "ENCRYPTION_ALGORITHM", mme, 0, 1);
361
	if (strcmp(mme, "BLOWFISH_CBC") == 0)
362
		conf_set(tr, sect, "KEY_LENGTH", CONF_DFLT_VAL_BLF_KEYLEN, 0,
363
		    1);
364
        else if (strcmp(mme_p, "AES-128") == 0)
365
                conf_set(tr, sect, "KEY_LENGTH", "128,128:128", 0, 1);
366
        else if (strcmp(mme_p, "AES-192") == 0)
367
                conf_set(tr, sect, "KEY_LENGTH", "192,192:192", 0, 1);
368
        else if (strcmp(mme_p, "AES-256") == 0)
369
                conf_set(tr, sect, "KEY_LENGTH", "256,256:256", 0, 1);
370
	else if (strcmp(mme, "AES_CBC") == 0)
371
		conf_set(tr, sect, "KEY_LENGTH", CONF_DFLT_VAL_AES_KEYLEN, 0,
372
		    1);
373
374
	conf_set(tr, sect, "HASH_ALGORITHM", mmh, 0, 1);
375
	conf_set(tr, sect, "AUTHENTICATION_METHOD", mma, 0, 1);
376
	conf_set(tr, sect, "GROUP_DESCRIPTION", dhg, 0, 1);
377
	conf_set(tr, sect, "Life", CONF_DFLT_TAG_LIFE_MAIN_MODE, 0, 1);
378
}
379
380
static void
381
conf_load_defaults_qm(int tr, char *qme, char *qmh, char *dhg, char *qme_p,
382
    char *qmh_p, char *qm_ah_id, char *dhg_p, int proto, int mode, int pfs)
383
{
384
	char sect[CONF_SECT_MAX], tmp[CONF_SECT_MAX];
385
386
	/* Helper #defines, incl abbreviations.  */
387
#define PROTO(x)  ((x) ? "AH" : "ESP")
388
#define PFS(x)    ((x) ? "-PFS" : "")
389
#define MODE(x)   ((x) ? "TRANSPORT" : "TUNNEL")
390
#define MODE_p(x) ((x) ? "-TRP" : "")
391
392
	/* For AH a hash must be present and no encryption is allowed */
393
	if (proto == 1 && (strcmp(qmh, "NONE") == 0 ||
394
	    strcmp(qme, "NONE") != 0))
395
		return;
396
397
	/* For ESP encryption must be provided, an empty hash is ok. */
398
	if (proto == 0 && strcmp(qme, "NONE") == 0)
399
		return;
400
401
	/* When PFS is disabled no DH group must be specified. */
402
	if (pfs == 0 && strcmp(dhg_p, ""))
403
		return;
404
405
	/* For GCM no additional authentication must be specified */
406
	if (proto == 0 && strcmp(qmh, "NONE") != 0 &&
407
	    (strcmp(qme, "AES_GCM_16") == 0 || strcmp(qme, "AES_GMAC") == 0))
408
		return;
409
410
	snprintf(tmp, sizeof tmp, "QM-%s%s%s%s%s%s", PROTO(proto),
411
	    MODE_p(mode), qme_p, qmh_p, PFS(pfs), dhg_p);
412
413
	strlcpy(sect, tmp, CONF_SECT_MAX);
414
	strlcat(sect, "-SUITE",	CONF_SECT_MAX);
415
416
	LOG_DBG((LOG_MISC, 95, "conf_load_defaults_qm: quick mode %s", sect));
417
418
	conf_set(tr, sect, "Protocols", tmp, 0, 1);
419
	snprintf(sect, sizeof sect, "IPSEC_%s", PROTO(proto));
420
	conf_set(tr, tmp, "PROTOCOL_ID", sect, 0, 1);
421
	strlcpy(sect, tmp, CONF_SECT_MAX);
422
	strlcat(sect, "-XF", CONF_SECT_MAX);
423
	conf_set(tr, tmp, "Transforms", sect, 0, 1);
424
425
	/*
426
	 * XXX For now, defaults
427
	 * contain one xf per protocol.
428
	 */
429
	if (proto == 0)
430
		conf_set(tr, sect, "TRANSFORM_ID", qme, 0, 1);
431
	else
432
		conf_set(tr, sect, "TRANSFORM_ID", qm_ah_id, 0, 1);
433
	if (strcmp(qme ,"BLOWFISH") == 0)
434
		conf_set(tr, sect, "KEY_LENGTH", CONF_DFLT_VAL_BLF_KEYLEN, 0,
435
			 1);
436
	else if (strcmp(qme_p, "-AES-128") == 0 ||
437
	    strcmp(qme_p, "-AESCTR-128") == 0 ||
438
	    strcmp(qme_p, "-AESGCM-128") == 0 ||
439
	    strcmp(qme_p, "-AESGMAC-128") == 0)
440
		conf_set(tr, sect, "KEY_LENGTH", "128,128:128", 0, 1);
441
	else if (strcmp(qme_p, "-AES-192") == 0 ||
442
	    strcmp(qme_p, "-AESCTR-192") == 0 ||
443
	    strcmp(qme_p, "-AESGCM-192") == 0 ||
444
	    strcmp(qme_p, "-AESGMAC-192") == 0)
445
		conf_set(tr, sect, "KEY_LENGTH", "192,192:192", 0, 1);
446
	else if (strcmp(qme_p, "-AES-256") == 0 ||
447
	    strcmp(qme_p, "-AESCTR-256") == 0 ||
448
	    strcmp(qme_p, "-AESGCM-256") == 0 ||
449
	    strcmp(qme_p, "-AESGMAC-256") == 0)
450
		conf_set(tr, sect, "KEY_LENGTH", "256,256:256", 0, 1);
451
	else if	(strcmp(qme, "AES") == 0)
452
		conf_set(tr, sect, "KEY_LENGTH", CONF_DFLT_VAL_AES_KEYLEN, 0,
453
			 1);
454
455
	conf_set(tr, sect, "ENCAPSULATION_MODE", MODE(mode), 0, 1);
456
	if (strcmp(qmh, "NONE")) {
457
		conf_set(tr, sect, "AUTHENTICATION_ALGORITHM", qmh, 0, 1);
458
459
		/* XXX Another shortcut to keep length down */
460
		if (pfs)
461
			conf_set(tr, sect, "GROUP_DESCRIPTION", dhg, 0, 1);
462
	}
463
464
	/* XXX Lifetimes depending on enc/auth strength? */
465
	conf_set(tr, sect, "Life", CONF_DFLT_TAG_LIFE_QUICK_MODE, 0, 1);
466
}
467
468
static void
469
conf_load_defaults(int tr)
470
{
471
	int	 enc, auth, hash, group, proto, mode, pfs;
472
	char	*dflt;
473
474
	char	*mm_auth[] = {"PRE_SHARED", "DSS", "RSA_SIG", 0};
475
	char	*mm_auth_p[] = {"", "-DSS", "-RSA_SIG", 0};
476
	char	*mm_hash[] = {"MD5", "SHA", "SHA2_256", "SHA2_384", "SHA2_512",
477
		     0};
478
	char	*mm_hash_p[] = {"-MD5", "-SHA", "-SHA2-256", "-SHA2-384",
479
		    "-SHA2-512", "", 0 };
480
	char	*mm_enc[] = {"BLOWFISH_CBC", "3DES_CBC", "CAST_CBC",
481
		    "AES_CBC", "AES_CBC", "AES_CBC", "AES_CBC", 0};
482
	char	*mm_enc_p[] = {"BLF", "3DES", "CAST", "AES", "AES-128",
483
		    "AES-192", "AES-256", 0};
484
	char	*dhgroup[] = {"MODP_1024", "MODP_768", "MODP_1024",
485
		    "MODP_1536", "MODP_2048", "MODP_3072", "MODP_4096",
486
		    "MODP_6144", "MODP_8192",
487
		    "ECP_256", "ECP_384", "ECP_521", "ECP_192", "ECP_224",
488
		    "BP_224", "BP_256", "BP_384", "BP_512", 0};
489
	char	*dhgroup_p[] = {"", "-GRP1", "-GRP2", "-GRP5", "-GRP14",
490
		    "-GRP15", "-GRP16", "-GRP17", "-GRP18", "-GRP19", "-GRP20",
491
		    "-GRP21", "-GRP25", "-GRP26", "-GRP27", "-GRP28", "-GRP29",
492
		    "-GRP30", 0};
493
	char	*qm_enc[] = {"3DES", "CAST", "BLOWFISH", "AES",
494
		    "AES", "AES", "AES", "AES_CTR", "AES_CTR", "AES_CTR",
495
		    "AES_CTR", "AES_GCM_16",
496
		    "AES_GCM_16", "AES_GCM_16", "AES_GMAC", "AES_GMAC",
497
		    "AES_GMAC", "NULL", "NONE", 0};
498
	char	*qm_enc_p[] = {"-3DES", "-CAST", "-BLF", "-AES",
499
		    "-AES-128", "-AES-192", "-AES-256", "-AESCTR",
500
		    "-AESCTR-128", "-AESCTR-192", "-AESCTR-256",
501
		    "-AESGCM-128", "-AESGCM-192", "-AESGCM-256",
502
		    "-AESGMAC-128", "-AESGMAC-192", "-AESGMAC-256", "-NULL",
503
		    "", 0};
504
	char	*qm_hash[] = {"HMAC_MD5", "HMAC_SHA", "HMAC_RIPEMD",
505
		    "HMAC_SHA2_256", "HMAC_SHA2_384", "HMAC_SHA2_512", "NONE",
506
		    0};
507
	char	*qm_hash_p[] = {"-MD5", "-SHA", "-RIPEMD", "-SHA2-256",
508
		    "-SHA2-384", "-SHA2-512", "", 0};
509
	char	*qm_ah_id[] = {"MD5", "SHA", "RIPEMD", "SHA2_256", "SHA2_384",
510
		    "SHA2_512", "", 0};
511
512
	/* General and X509 defaults */
513
	conf_set(tr, "General", "Retransmits", CONF_DFLT_RETRANSMITS, 0, 1);
514
	conf_set(tr, "General", "Exchange-max-time", CONF_DFLT_EXCH_MAX_TIME,
515
	    0, 1);
516
	conf_set(tr, "General", "Use-Keynote", CONF_DFLT_USE_KEYNOTE, 0, 1);
517
	conf_set(tr, "General", "Policy-file", CONF_DFLT_POLICY_FILE, 0, 1);
518
	conf_set(tr, "General", "Pubkey-directory", CONF_DFLT_PUBKEY_DIR, 0,
519
	    1);
520
521
	conf_set(tr, "X509-certificates", "CA-directory",
522
	    CONF_DFLT_X509_CA_DIR, 0, 1);
523
	conf_set(tr, "X509-certificates", "Cert-directory",
524
	    CONF_DFLT_X509_CERT_DIR, 0, 1);
525
	conf_set(tr, "X509-certificates", "Private-key",
526
	    CONF_DFLT_X509_PRIVATE_KEY, 0, 1);
527
	conf_set(tr, "X509-certificates", "Private-key-directory",
528
	    CONF_DFLT_X509_PRIVATE_KEY_DIR, 0, 1);
529
	conf_set(tr, "X509-certificates", "CRL-directory",
530
	    CONF_DFLT_X509_CRL_DIR, 0, 1);
531
532
	conf_set(tr, "KeyNote", "Credential-directory",
533
	    CONF_DFLT_KEYNOTE_CRED_DIR, 0, 1);
534
535
	conf_set(tr, "General", "Delete-SAs", CONF_DFLT_DELETE_SAS, 0, 1);
536
537
	/* Lifetimes. XXX p1/p2 vs main/quick mode may be unclear.  */
538
	dflt = conf_get_trans_str(tr, "General", "Default-phase-1-lifetime");
539
	conf_set(tr, CONF_DFLT_TAG_LIFE_MAIN_MODE, "LIFE_TYPE",
540
	    CONF_DFLT_TYPE_LIFE_MAIN_MODE, 0, 1);
541
	conf_set(tr, CONF_DFLT_TAG_LIFE_MAIN_MODE, "LIFE_DURATION",
542
	    (dflt ? dflt : CONF_DFLT_VAL_LIFE_MAIN_MODE), 0, 1);
543
544
	dflt = conf_get_trans_str(tr, "General", "Default-phase-2-lifetime");
545
	conf_set(tr, CONF_DFLT_TAG_LIFE_QUICK_MODE, "LIFE_TYPE",
546
	    CONF_DFLT_TYPE_LIFE_QUICK_MODE, 0, 1);
547
	conf_set(tr, CONF_DFLT_TAG_LIFE_QUICK_MODE, "LIFE_DURATION",
548
	    (dflt ? dflt : CONF_DFLT_VAL_LIFE_QUICK_MODE), 0, 1);
549
550
	/* Default Phase-1 Configuration section */
551
	conf_set(tr, CONF_DFLT_TAG_PHASE1_CONFIG, "EXCHANGE_TYPE",
552
	    CONF_DFLT_PHASE1_EXCH_TYPE, 0, 1);
553
	conf_set(tr, CONF_DFLT_TAG_PHASE1_CONFIG, "Transforms",
554
	    CONF_DFLT_PHASE1_TRANSFORMS, 0, 1);
555
556
	/* Main modes */
557
	for (enc = 0; mm_enc[enc]; enc++)
558
		for (hash = 0; mm_hash[hash]; hash++)
559
			for (auth = 0; mm_auth[auth]; auth++)
560
				for (group = 0; dhgroup_p[group]; group++)
561
					conf_load_defaults_mm (tr, mm_enc[enc],
562
					    mm_hash[hash], mm_auth[auth],
563
					    dhgroup[group], mm_enc_p[enc],
564
					    mm_auth_p[auth], dhgroup_p[group],
565
					    mm_hash_p[hash]);
566
567
	/* Setup a default Phase 1 entry */
568
	conf_set(tr, "Phase 1", "Default", "Default-phase-1", 0, 1);
569
	conf_set(tr, "Default-phase-1", "Phase", "1", 0, 1);
570
	conf_set(tr, "Default-phase-1", "Configuration",
571
	    "Default-phase-1-configuration", 0, 1);
572
	dflt = conf_get_trans_str(tr, "General", "Default-phase-1-ID");
573
	if (dflt)
574
		conf_set(tr, "Default-phase-1", "ID", dflt, 0, 1);
575
576
	/* Quick modes */
577
	for (enc = 0; qm_enc[enc]; enc++)
578
		for (proto = 0; proto < 2; proto++)
579
			for (mode = 0; mode < 2; mode++)
580
				for (pfs = 0; pfs < 2; pfs++)
581
					for (hash = 0; qm_hash[hash]; hash++)
582
						for (group = 0;
583
						    dhgroup_p[group]; group++)
584
							conf_load_defaults_qm(
585
							    tr, qm_enc[enc],
586
							    qm_hash[hash],
587
							    dhgroup[group],
588
							    qm_enc_p[enc],
589
							    qm_hash_p[hash],
590
							    qm_ah_id[hash],
591
							    dhgroup_p[group],
592
							    proto, mode, pfs);
593
}
594
595
void
596
conf_init(void)
597
{
598
	unsigned int i;
599
600
	for (i = 0; i < sizeof conf_bindings / sizeof conf_bindings[0]; i++)
601
		LIST_INIT(&conf_bindings[i]);
602
	TAILQ_INIT(&conf_trans_queue);
603
	conf_reinit();
604
}
605
606
/* Open the config file and map it into our address space, then parse it.  */
607
void
608
conf_reinit(void)
609
{
610
	struct conf_binding *cb = 0;
611
	int	 fd, trans;
612
	unsigned int i;
613
	size_t	 sz;
614
	char	*new_conf_addr = 0;
615
616
	fd = monitor_open(conf_path, O_RDONLY, 0);
617
	if (fd == -1 || check_file_secrecy_fd(fd, conf_path, &sz) == -1) {
618
		if (fd == -1 && errno != ENOENT)
619
			log_error("conf_reinit: open(\"%s\", O_RDONLY, 0) "
620
			    "failed", conf_path);
621
		if (fd != -1)
622
			close(fd);
623
624
		trans = conf_begin();
625
	} else {
626
		new_conf_addr = malloc(sz);
627
		if (!new_conf_addr) {
628
			log_error("conf_reinit: malloc (%lu) failed",
629
			    (unsigned long)sz);
630
			goto fail;
631
		}
632
		/* XXX I assume short reads won't happen here.  */
633
		if (read(fd, new_conf_addr, sz) != (int)sz) {
634
			log_error("conf_reinit: read (%d, %p, %lu) failed",
635
			    fd, new_conf_addr, (unsigned long)sz);
636
			goto fail;
637
		}
638
		close(fd);
639
640
		trans = conf_begin();
641
642
		/* XXX Should we not care about errors and rollback?  */
643
		conf_parse(trans, new_conf_addr, sz);
644
	}
645
646
	/* Load default configuration values.  */
647
	conf_load_defaults(trans);
648
649
	/* Free potential existing configuration.  */
650
	if (conf_addr) {
651
		for (i = 0; i < sizeof conf_bindings / sizeof conf_bindings[0];
652
		    i++)
653
			for (cb = LIST_FIRST(&conf_bindings[i]); cb;
654
			    cb = LIST_FIRST(&conf_bindings[i]))
655
				conf_remove_now(cb->section, cb->tag);
656
		free(conf_addr);
657
	}
658
	conf_end(trans, 1);
659
	conf_addr = new_conf_addr;
660
	return;
661
662
fail:
663
	free(new_conf_addr);
664
	close(fd);
665
}
666
667
/*
668
 * Return the numeric value denoted by TAG in section SECTION or DEF
669
 * if that tag does not exist.
670
 */
671
int
672
conf_get_num(char *section, char *tag, int def)
673
{
674
	char	*value = conf_get_str(section, tag);
675
676
	if (value)
677
		return atoi(value);
678
	return def;
679
}
680
681
/*
682
 * Return the socket endpoint address denoted by TAG in SECTION as a
683
 * struct sockaddr.  It is the callers responsibility to deallocate
684
 * this structure when it is finished with it.
685
 */
686
struct sockaddr *
687
conf_get_address(char *section, char *tag)
688
{
689
	char	*value = conf_get_str(section, tag);
690
	struct sockaddr *sa;
691
692
	if (!value)
693
		return 0;
694
	if (text2sockaddr(value, 0, &sa, 0, 0) == -1)
695
		return 0;
696
	return sa;
697
}
698
699
/* Validate X according to the range denoted by TAG in section SECTION.  */
700
int
701
conf_match_num(char *section, char *tag, int x)
702
{
703
	char	*value = conf_get_str(section, tag);
704
	int	 val, min, max, n;
705
706
	if (!value)
707
		return 0;
708
	n = sscanf(value, "%d,%d:%d", &val, &min, &max);
709
	switch (n) {
710
	case 1:
711
		LOG_DBG((LOG_MISC, 95, "conf_match_num: %s:%s %d==%d?",
712
		    section, tag, val, x));
713
		return x == val;
714
	case 3:
715
		LOG_DBG((LOG_MISC, 95, "conf_match_num: %s:%s %d<=%d<=%d?",
716
		    section, tag, min, x, max));
717
		return min <= x && max >= x;
718
	default:
719
		log_error("conf_match_num: section %s tag %s: invalid number "
720
		    "spec %s", section, tag, value);
721
	}
722
	return 0;
723
}
724
725
/* Return the string value denoted by TAG in section SECTION.  */
726
char *
727
conf_get_str(char *section, char *tag)
728
{
729
	struct conf_binding *cb;
730
731
	for (cb = LIST_FIRST(&conf_bindings[conf_hash(section)]); cb;
732
	    cb = LIST_NEXT(cb, link))
733
		if (strcasecmp(section, cb->section) == 0 &&
734
		    strcasecmp(tag, cb->tag) == 0) {
735
			LOG_DBG((LOG_MISC, 95, "conf_get_str: [%s]:%s->%s",
736
			    section, tag, cb->value));
737
			return cb->value;
738
		}
739
	LOG_DBG((LOG_MISC, 95,
740
	    "conf_get_str: configuration value not found [%s]:%s", section,
741
	    tag));
742
	return 0;
743
}
744
745
/*
746
 * Build a list of string values out of the comma separated value denoted by
747
 * TAG in SECTION.
748
 */
749
struct conf_list *
750
conf_get_list(char *section, char *tag)
751
{
752
	char	*liststr = 0, *p, *field, *t;
753
	struct conf_list *list = 0;
754
	struct conf_list_node *node = 0;
755
756
	list = malloc(sizeof *list);
757
	if (!list)
758
		goto cleanup;
759
	TAILQ_INIT(&list->fields);
760
	list->cnt = 0;
761
	liststr = conf_get_str(section, tag);
762
	if (!liststr)
763
		goto cleanup;
764
	liststr = strdup(liststr);
765
	if (!liststr)
766
		goto cleanup;
767
	p = liststr;
768
	while ((field = strsep(&p, ",")) != NULL) {
769
		/* Skip leading whitespace */
770
		while (isspace((unsigned char)*field))
771
			field++;
772
		/* Skip trailing whitespace */
773
		if (p)
774
			for (t = p - 1; t > field && isspace((unsigned char)*t); t--)
775
				*t = '\0';
776
		if (*field == '\0') {
777
			log_print("conf_get_list: empty field, ignoring...");
778
			continue;
779
		}
780
		list->cnt++;
781
		node = calloc(1, sizeof *node);
782
		if (!node)
783
			goto cleanup;
784
		node->field = strdup(field);
785
		if (!node->field)
786
			goto cleanup;
787
		TAILQ_INSERT_TAIL(&list->fields, node, link);
788
	}
789
	free(liststr);
790
	return list;
791
792
cleanup:
793
	free(node);
794
	if (list)
795
		conf_free_list(list);
796
	free(liststr);
797
	return 0;
798
}
799
800
struct conf_list *
801
conf_get_tag_list(char *section)
802
{
803
	struct conf_list *list = 0;
804
	struct conf_list_node *node = 0;
805
	struct conf_binding *cb;
806
807
	list = malloc(sizeof *list);
808
	if (!list)
809
		goto cleanup;
810
	TAILQ_INIT(&list->fields);
811
	list->cnt = 0;
812
	for (cb = LIST_FIRST(&conf_bindings[conf_hash(section)]); cb;
813
	    cb = LIST_NEXT(cb, link))
814
		if (strcasecmp(section, cb->section) == 0) {
815
			list->cnt++;
816
			node = calloc(1, sizeof *node);
817
			if (!node)
818
				goto cleanup;
819
			node->field = strdup(cb->tag);
820
			if (!node->field)
821
				goto cleanup;
822
			TAILQ_INSERT_TAIL(&list->fields, node, link);
823
		}
824
	return list;
825
826
cleanup:
827
	free(node);
828
	if (list)
829
		conf_free_list(list);
830
	return 0;
831
}
832
833
void
834
conf_free_list(struct conf_list *list)
835
{
836
	struct conf_list_node *node = TAILQ_FIRST(&list->fields);
837
838
	while (node) {
839
		TAILQ_REMOVE(&list->fields, node, link);
840
		free(node->field);
841
		free(node);
842
		node = TAILQ_FIRST(&list->fields);
843
	}
844
	free(list);
845
}
846
847
int
848
conf_begin(void)
849
{
850
	static int	seq = 0;
851
852
	return ++seq;
853
}
854
855
static int
856
conf_trans_node(int transaction, enum conf_op op, char *section, char *tag,
857
    char *value, int override, int is_default)
858
{
859
	struct conf_trans *node;
860
861
	node = calloc(1, sizeof *node);
862
	if (!node) {
863
		log_error("conf_trans_node: calloc (1, %lu) failed",
864
		    (unsigned long)sizeof *node);
865
		return 1;
866
	}
867
	node->trans = transaction;
868
	node->op = op;
869
	node->override = override;
870
	node->is_default = is_default;
871
	if (section && (node->section = strdup(section)) == NULL)
872
		goto fail;
873
	if (tag && (node->tag = strdup(tag)) == NULL)
874
		goto fail;
875
	if (value && (node->value = strdup(value)) == NULL)
876
		goto fail;
877
	TAILQ_INSERT_TAIL(&conf_trans_queue, node, link);
878
	return 0;
879
880
fail:
881
	free(node->section);
882
	free(node->tag);
883
	free(node->value);
884
	free(node);
885
	return 1;
886
}
887
888
/* Queue a set operation.  */
889
int
890
conf_set(int transaction, char *section, char *tag, char *value, int override,
891
    int is_default)
892
{
893
	return conf_trans_node(transaction, CONF_SET, section, tag, value,
894
	    override, is_default);
895
}
896
897
/* Queue a remove operation.  */
898
int
899
conf_remove(int transaction, char *section, char *tag)
900
{
901
	return conf_trans_node(transaction, CONF_REMOVE, section, tag, NULL,
902
	    0, 0);
903
}
904
905
/* Queue a remove section operation.  */
906
int
907
conf_remove_section(int transaction, char *section)
908
{
909
	return conf_trans_node(transaction, CONF_REMOVE_SECTION, section, NULL,
910
	    NULL, 0, 0);
911
}
912
913
/* Execute all queued operations for this transaction.  Cleanup.  */
914
int
915
conf_end(int transaction, int commit)
916
{
917
	struct conf_trans *node, *next;
918
919
	for (node = TAILQ_FIRST(&conf_trans_queue); node; node = next) {
920
		next = TAILQ_NEXT(node, link);
921
		if (node->trans == transaction) {
922
			if (commit)
923
				switch (node->op) {
924
				case CONF_SET:
925
					conf_set_now(node->section, node->tag,
926
					    node->value, node->override,
927
					    node->is_default);
928
					break;
929
				case CONF_REMOVE:
930
					conf_remove_now(node->section,
931
					    node->tag);
932
					break;
933
				case CONF_REMOVE_SECTION:
934
					conf_remove_section_now(node->section);
935
					break;
936
				default:
937
					log_print("conf_end: unknown "
938
					    "operation: %d", node->op);
939
				}
940
			TAILQ_REMOVE(&conf_trans_queue, node, link);
941
			free(node->section);
942
			free(node->tag);
943
			free(node->value);
944
			free(node);
945
		}
946
	}
947
	return 0;
948
}
949
950
/*
951
 * Dump running configuration upon SIGUSR1.
952
 * Configuration is "stored in reverse order", so reverse it again.
953
 */
954
struct dumper {
955
	char	*s, *v;
956
	struct dumper *next;
957
};
958
959
static void
960
conf_report_dump(struct dumper *node)
961
{
962
	/* Recursive, cleanup when we're done.  */
963
964
	if (node->next)
965
		conf_report_dump(node->next);
966
967
	if (node->v)
968
		LOG_DBG((LOG_REPORT, 0, "%s=\t%s", node->s, node->v));
969
	else if (node->s) {
970
		LOG_DBG((LOG_REPORT, 0, "%s", node->s));
971
		if (strlen(node->s) > 0)
972
			free(node->s);
973
	}
974
	free(node);
975
}
976
977
void
978
conf_report(void)
979
{
980
	struct conf_binding *cb, *last = 0;
981
	unsigned int	i;
982
	char           *current_section = NULL;
983
	struct dumper  *dumper, *dnode;
984
985
	dumper = dnode = calloc(1, sizeof *dumper);
986
	if (!dumper)
987
		goto mem_fail;
988
989
	LOG_DBG((LOG_REPORT, 0, "conf_report: dumping running configuration"));
990
991
	for (i = 0; i < sizeof conf_bindings / sizeof conf_bindings[0]; i++)
992
		for (cb = LIST_FIRST(&conf_bindings[i]); cb;
993
		    cb = LIST_NEXT(cb, link)) {
994
			if (!cb->is_default) {
995
				/* Dump this entry.  */
996
				if (!current_section || strcmp(cb->section,
997
				    current_section)) {
998
					if (current_section) {
999
						if (asprintf(&dnode->s, "[%s]",
1000
						    current_section) == -1)
1001
							goto mem_fail;
1002
						dnode->next = calloc(1,
1003
						    sizeof(struct dumper));
1004
						dnode = dnode->next;
1005
						if (!dnode)
1006
							goto mem_fail;
1007
1008
						dnode->s = "";
1009
						dnode->next = calloc(1,
1010
						    sizeof(struct dumper));
1011
						dnode = dnode->next;
1012
						if (!dnode)
1013
							goto mem_fail;
1014
					}
1015
					current_section = cb->section;
1016
				}
1017
				dnode->s = cb->tag;
1018
				dnode->v = cb->value;
1019
				dnode->next = calloc(1, sizeof(struct dumper));
1020
				dnode = dnode->next;
1021
				if (!dnode)
1022
					goto mem_fail;
1023
				last = cb;
1024
			}
1025
		}
1026
1027
	if (last)
1028
		if (asprintf(&dnode->s, "[%s]", last->section) == -1)
1029
			goto mem_fail;
1030
	conf_report_dump(dumper);
1031
1032
	return;
1033
1034
mem_fail:
1035
	log_error("conf_report: malloc/calloc failed");
1036
	while ((dnode = dumper) != 0) {
1037
		dumper = dumper->next;
1038
		free(dnode->s);
1039
		free(dnode);
1040
	}
1041
}