projects / strongswan.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
merged EAP-MD5 into trunk
[strongswan.git] / src / starter / confread.c
1 /* strongSwan IPsec config file parser
2 * Copyright (C) 2001-2002 Mathieu Lafon - Arkoon Network Security
3 *
4 * This program is free software; you can redistribute it and/or modify it
5 * under the terms of the GNU General Public License as published by the
6 * Free Software Foundation; either version 2 of the License, or (at your
7 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
8 *
9 * This program is distributed in the hope that it will be useful, but
10 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
11 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
12 * for more details.
13 *
14 * RCSID $Id$
15 */
16
17 #include <stddef.h>
18 #include <stdlib.h>
19 #include <string.h>
20 #include <assert.h>
21
22 #include <freeswan.h>
23
24 #include "../pluto/constants.h"
25 #include "../pluto/defs.h"
26 #include "../pluto/log.h"
27
28 #include "keywords.h"
29 #include "parser.h"
30 #include "confread.h"
31 #include "args.h"
32 #include "interfaces.h"
33
34 /* strings containing a colon are interpreted as an IPv6 address */
35 #define ip_version(string) (strchr(string, ':') != NULL)? AF_INET6 : AF_INET;
36
37 static const char ike_defaults[] = "aes128-sha-modp2048";
38 static const char esp_defaults[] = "aes128-sha1, 3des-md5";
39
40 static const char firewall_defaults[] = "ipsec _updown iptables";
41
42 static void default_values(starter_config_t *cfg)
43 {
44 if (cfg == NULL)
45 return;
46
47 memset(cfg, 0, sizeof(struct starter_config));
48
49 /* is there enough space for all seen flags? */
50 assert(KW_SETUP_LAST - KW_SETUP_FIRST <
51 sizeof(cfg->setup.seen) * BITS_PER_BYTE);
52 assert(KW_CONN_LAST - KW_CONN_FIRST <
53 sizeof(cfg->conn_default.seen) * BITS_PER_BYTE);
54 assert(KW_END_LAST - KW_END_FIRST <
55 sizeof(cfg->conn_default.right.seen) * BITS_PER_BYTE);
56 assert(KW_CA_LAST - KW_CA_FIRST <
57 sizeof(cfg->ca_default.seen) * BITS_PER_BYTE);
58
59 cfg->setup.seen = LEMPTY;
60 cfg->setup.fragicmp = TRUE;
61 cfg->setup.hidetos = TRUE;
62 cfg->setup.uniqueids = TRUE;
63 cfg->setup.interfaces = new_list("%defaultroute");
64 cfg->setup.charonstart = TRUE;
65 cfg->setup.plutostart = TRUE;
66
67 cfg->conn_default.seen = LEMPTY;
68 cfg->conn_default.startup = STARTUP_NO;
69 cfg->conn_default.state = STATE_IGNORE;
70 cfg->conn_default.policy = POLICY_ENCRYPT | POLICY_TUNNEL | POLICY_RSASIG |
71 POLICY_PFS | POLICY_MOBIKE;
72
73 cfg->conn_default.ike = clone_str(ike_defaults, "ike_defaults");
74 cfg->conn_default.esp = clone_str(esp_defaults, "esp_defaults");
75 cfg->conn_default.sa_ike_life_seconds = OAKLEY_ISAKMP_SA_LIFETIME_DEFAULT;
76 cfg->conn_default.sa_ipsec_life_seconds = PLUTO_SA_LIFE_DURATION_DEFAULT;
77 cfg->conn_default.sa_rekey_margin = SA_REPLACEMENT_MARGIN_DEFAULT;
78 cfg->conn_default.sa_rekey_fuzz = SA_REPLACEMENT_FUZZ_DEFAULT;
79 cfg->conn_default.sa_keying_tries = SA_REPLACEMENT_RETRIES_DEFAULT;
80 cfg->conn_default.addr_family = AF_INET;
81 cfg->conn_default.tunnel_addr_family = AF_INET;
82
83 cfg->conn_default.left.seen = LEMPTY;
84 cfg->conn_default.right.seen = LEMPTY;
85
86 cfg->conn_default.left.sendcert = CERT_SEND_IF_ASKED;
87 cfg->conn_default.right.sendcert = CERT_SEND_IF_ASKED;
88
89 anyaddr(AF_INET, &cfg->conn_default.left.addr);
90 anyaddr(AF_INET, &cfg->conn_default.left.nexthop);
91 anyaddr(AF_INET, &cfg->conn_default.left.srcip);
92 anyaddr(AF_INET, &cfg->conn_default.right.addr);
93 anyaddr(AF_INET, &cfg->conn_default.right.nexthop);
94 anyaddr(AF_INET, &cfg->conn_default.right.srcip);
95
96 cfg->ca_default.seen = LEMPTY;
97 }
98
99 #define KW_POLICY_FLAG(sy, sn, fl) \
100 if (streq(kw->value, sy)) { conn->policy |= fl; } \
101 else if (streq(kw->value, sn)) { conn->policy &= ~fl; } \
102 else { plog("# bad policy value: %s=%s", kw->entry->name, kw->value); cfg->err++; }
103
104 static void
105 load_setup(starter_config_t *cfg, config_parsed_t *cfgp)
106 {
107 kw_list_t *kw;
108
109 DBG(DBG_CONTROL,
110 DBG_log("Loading config setup")
111 )
112
113 for (kw = cfgp->config_setup; kw; kw = kw->next)
114 {
115 bool assigned = FALSE;
116
117 kw_token_t token = kw->entry->token;
118
119 if (token < KW_SETUP_FIRST || token > KW_SETUP_LAST)
120 {
121 plog("# unsupported keyword '%s' in config setup", kw->entry->name);
122 cfg->err++;
123 continue;
124 }
125
126 if (!assign_arg(token, KW_SETUP_FIRST, kw, (char *)cfg, &assigned))
127 {
128 plog(" bad argument value in config setup");
129 cfg->err++;
130 continue;
131 }
132 }
133 }
134
135 static void
136 kw_end(starter_conn_t *conn, starter_end_t *end, kw_token_t token
137 , kw_list_t *kw, char *conn_name, starter_config_t *cfg)
138 {
139 err_t ugh = NULL;
140 bool assigned = FALSE;
141 int has_port_wildcard; /* set if port is %any */
142
143 char *name = kw->entry->name;
144 char *value = kw->value;
145
146 if (!assign_arg(token, KW_END_FIRST, kw, (char *)end, &assigned))
147 goto err;
148
149 if (token == KW_SENDCERT)
150 {
151 if (end->sendcert == CERT_YES_SEND)
152 end->sendcert = CERT_ALWAYS_SEND;
153 else if (end->sendcert == CERT_NO_SEND)
154 end->sendcert = CERT_NEVER_SEND;
155 }
156
157 if (assigned)
158 return;
159
160 switch (token)
161 {
162 case KW_HOST:
163 if (streq(value, "%defaultroute"))
164 {
165 if (cfg->defaultroute.defined)
166 {
167 end->addr = cfg->defaultroute.addr;
168 end->nexthop = cfg->defaultroute.nexthop;
169 }
170 else
171 {
172 plog("# default route not known: %s=%s", name, value);
173 goto err;
174 }
175 }
176 else if (streq(value, "%any"))
177 {
178 anyaddr(conn->addr_family, &end->addr);
179 }
180 else if (streq(value, "%any6"))
181 {
182 conn->addr_family = AF_INET6;
183 anyaddr(conn->addr_family, &end->addr);
184 }
185 else if (streq(value, "%group"))
186 {
187 ip_address any;
188
189 conn->policy |= POLICY_GROUP | POLICY_TUNNEL;
190 anyaddr(conn->addr_family, &end->addr);
191 anyaddr(conn->tunnel_addr_family, &any);
192 initsubnet(&any, 0, '0', &end->subnet);
193 end->has_client = TRUE;
194 }
195 else
196 {
197 /* check for allow_any prefix */
198 if (value[0] == '%')
199 {
200 end->allow_any = TRUE;
201 value++;
202 }
203 conn->addr_family = ip_version(value);
204 ugh = ttoaddr(value, 0, conn->addr_family, &end->addr);
205 if (ugh != NULL)
206 {
207 plog("# bad addr: %s=%s [%s]", name, value, ugh);
208 if (streq(ugh, "does not look numeric and name lookup failed"))
209 {
210 end->dns_failed = TRUE;
211 anyaddr(conn->addr_family, &end->addr);
212 }
213 else
214 {
215 goto err;
216 }
217 }
218 }
219 break;
220 case KW_NEXTHOP:
221 if (streq(value, "%defaultroute"))
222 {
223 if (cfg->defaultroute.defined)
224 end->nexthop = cfg->defaultroute.nexthop;
225 else
226 {
227 plog("# default route not known: %s=%s", name, value);
228 goto err;
229 }
230 }
231 else if (streq(value, "%direct"))
232 {
233 ugh = anyaddr(conn->addr_family, &end->nexthop);
234 }
235 else
236 {
237 conn->addr_family = ip_version(value);
238 ugh = ttoaddr(value, 0, conn->addr_family, &end->nexthop);
239 }
240 if (ugh != NULL)
241 {
242 plog("# bad addr: %s=%s [%s]", name, value, ugh);
243 goto err;
244 }
245 break;
246 case KW_SUBNET:
247 if ((strlen(value) >= 6 && strncmp(value,"vhost:",6) == 0)
248 || (strlen(value) >= 5 && strncmp(value,"vnet:",5) == 0))
249 {
250 end->virt = clone_str(value, "virt");
251 }
252 else
253 {
254 end->has_client = TRUE;
255 conn->tunnel_addr_family = ip_version(value);
256 ugh = ttosubnet(value, 0, conn->tunnel_addr_family, &end->subnet);
257 if (ugh != NULL)
258 {
259 plog("# bad subnet: %s=%s [%s]", name, value, ugh);
260 goto err;
261 }
262 }
263 break;
264 case KW_SUBNETWITHIN:
265 end->has_client = TRUE;
266 end->has_client_wildcard = TRUE;
267 conn->tunnel_addr_family = ip_version(value);
268 ugh = ttosubnet(value, 0, conn->tunnel_addr_family, &end->subnet);
269 break;
270 case KW_PROTOPORT:
271 ugh = ttoprotoport(value, 0, &end->protocol, &end->port, &has_port_wildcard);
272 end->has_port_wildcard = has_port_wildcard;
273 break;
274 case KW_SOURCEIP:
275 if (end->has_natip)
276 {
277 plog("# natip and sourceip cannot be defined at the same time");
278 goto err;
279 }
280 if (streq(value, "%modeconfig") || streq(value, "%modecfg") ||
281 streq(value, "%config") || streq(value, "%cfg"))
282 {
283 end->modecfg = TRUE;
284 }
285 else
286 {
287 conn->tunnel_addr_family = ip_version(value);
288 ugh = ttoaddr(value, 0, conn->tunnel_addr_family, &end->srcip);
289 if (ugh != NULL)
290 {
291 plog("# bad addr: %s=%s [%s]", name, value, ugh);
292 goto err;
293 }
294 end->has_srcip = TRUE;
295 }
296 conn->policy |= POLICY_TUNNEL;
297 break;
298 case KW_NATIP:
299 if (end->has_srcip)
300 {
301 plog("# natip and sourceip cannot be defined at the same time");
302 goto err;
303 }
304 if (streq(value, "%defaultroute"))
305 {
306 if (cfg->defaultroute.defined)
307 {
308 end->srcip = cfg->defaultroute.addr;
309 }
310 else
311 {
312 plog("# default route not known: %s=%s", name, value);
313 goto err;
314 }
315 }
316 else
317 {
318 conn->tunnel_addr_family = ip_version(value);
319 ugh = ttoaddr(value, 0, conn->tunnel_addr_family, &end->srcip);
320 if (ugh != NULL)
321 {
322 plog("# bad addr: %s=%s [%s]", name, value, ugh);
323 goto err;
324 }
325 }
326 end->has_natip = TRUE;
327 conn->policy |= POLICY_TUNNEL;
328 break;
329 default:
330 break;
331 }
332 return;
333
334 err:
335 plog(" bad argument value in conn '%s'", conn_name);
336 cfg->err++;
337 }
338
339 /*
340 * handles left|right=<FQDN> DNS resolution failure
341 */
342 static void
343 handle_dns_failure( const char *label, starter_end_t *end, starter_config_t *cfg)
344 {
345 if (end->dns_failed)
346 {
347 if (end->allow_any)
348 {
349 plog("# fallback to %s=%%any due to '%%' prefix or %sallowany=yes",
350 label, label);
351 }
352 else
353 {
354 /* declare an error */
355 cfg->err++;
356 }
357 }
358 }
359
360 /*
361 * handles left|rightfirewall and left|rightupdown parameters
362 */
363 static void
364 handle_firewall( const char *label, starter_end_t *end, starter_config_t *cfg)
365 {
366 if (end->firewall && (end->seen & LELEM(KW_FIREWALL - KW_END_FIRST)))
367 {
368 if (end->updown != NULL)
369 {
370 plog("# cannot have both %sfirewall and %supdown", label, label);
371 cfg->err++;
372 }
373 else
374 {
375 end->updown = clone_str(firewall_defaults, "firewall_defaults");
376 end->firewall = FALSE;
377 }
378 }
379 }
380
381 /*
382 * parse a conn section
383 */
384 static void
385 load_conn(starter_conn_t *conn, kw_list_t *kw, starter_config_t *cfg)
386 {
387 char *conn_name = (conn->name == NULL)? "%default":conn->name;
388
389 for ( ; kw; kw = kw->next)
390 {
391 bool assigned = FALSE;
392
393 kw_token_t token = kw->entry->token;
394
395 if (token >= KW_LEFT_FIRST && token <= KW_LEFT_LAST)
396 {
397 kw_end(conn, &conn->left, token - KW_LEFT_FIRST + KW_END_FIRST
398 , kw, conn_name, cfg);
399 continue;
400 }
401 else if (token >= KW_RIGHT_FIRST && token <= KW_RIGHT_LAST)
402 {
403 kw_end(conn, &conn->right, token - KW_RIGHT_FIRST + KW_END_FIRST
404 , kw, conn_name, cfg);
405 continue;
406 }
407
408 if (token == KW_AUTO)
409 {
410 token = KW_CONN_SETUP;
411 }
412 else if (token == KW_ALSO)
413 {
414 if (cfg->parse_also)
415 {
416 also_t *also = alloc_thing(also_t, "also_t");
417
418 also->name = clone_str(kw->value, "also");
419 also->next = conn->also;
420 conn->also = also;
421
422 DBG(DBG_CONTROL,
423 DBG_log(" also=%s", kw->value)
424 )
425 }
426 continue;
427 }
428
429 if (token < KW_CONN_FIRST || token > KW_CONN_LAST)
430 {
431 plog("# unsupported keyword '%s' in conn '%s'"
432 , kw->entry->name, conn_name);
433 cfg->err++;
434 continue;
435 }
436
437 if (!assign_arg(token, KW_CONN_FIRST, kw, (char *)conn, &assigned))
438 {
439 plog(" bad argument value in conn '%s'", conn_name);
440 cfg->err++;
441 continue;
442 }
443
444 if (assigned)
445 continue;
446
447 switch (token)
448 {
449 case KW_TYPE:
450 conn->policy &= ~(POLICY_TUNNEL | POLICY_SHUNT_MASK);
451 if (streq(kw->value, "tunnel"))
452 conn->policy |= POLICY_TUNNEL;
453 else if (streq(kw->value, "beet"))
454 conn->policy |= POLICY_BEET;
455 else if (streq(kw->value, "passthrough") || streq(kw->value, "pass"))
456 conn->policy |= POLICY_SHUNT_PASS;
457 else if (streq(kw->value, "drop"))
458 conn->policy |= POLICY_SHUNT_DROP;
459 else if (streq(kw->value, "reject"))
460 conn->policy |= POLICY_SHUNT_REJECT;
461 else if (strcmp(kw->value, "transport") != 0)
462 {
463 plog("# bad policy value: %s=%s", kw->entry->name, kw->value);
464 cfg->err++;
465 }
466 break;
467 case KW_PFS:
468 KW_POLICY_FLAG("yes", "no", POLICY_PFS)
469 break;
470 case KW_COMPRESS:
471 KW_POLICY_FLAG("yes", "no", POLICY_COMPRESS)
472 break;
473 case KW_AUTH:
474 KW_POLICY_FLAG("ah", "esp", POLICY_AUTHENTICATE)
475 break;
476 case KW_AUTHBY:
477 conn->policy &= ~(POLICY_ID_AUTH_MASK | POLICY_ENCRYPT);
478
479 if (!(streq(kw->value, "never") || streq(kw->value, "eap")))
480 {
481 char *value = kw->value;
482 char *second = strchr(kw->value, '|');
483
484 if (second != NULL)
485 *second = '\0';
486
487 /* also handles the cases secret|rsasig and rsasig|secret */
488 for (;;)
489 {
490 if (streq(value, "rsasig"))
491 conn->policy |= POLICY_RSASIG | POLICY_ENCRYPT;
492 else if (streq(value, "secret") || streq(value, "psk"))
493 conn->policy |= POLICY_PSK | POLICY_ENCRYPT;
494 else if (streq(value, "xauthrsasig"))
495 conn->policy |= POLICY_XAUTH_RSASIG | POLICY_ENCRYPT;
496 else if (streq(value, "xauthpsk"))
497 conn->policy |= POLICY_XAUTH_PSK | POLICY_ENCRYPT;
498 else
499 {
500 plog("# bad policy value: %s=%s", kw->entry->name, kw->value);
501 cfg->err++;
502 break;
503 }
504 if (second == NULL)
505 break;
506 value = second;
507 second = NULL; /* traverse the loop no more than twice */
508 }
509 }
510 break;
511 case KW_EAP:
512 /* TODO: a gperf function for all EAP types */
513 if (streq(kw->value, "aka"))
514 {
515 conn->eap = 23;
516 }
517 else if (streq(kw->value, "sim"))
518 {
519 conn->eap = 18;
520 }
521 else if (streq(kw->value, "md5"))
522 {
523 conn->eap = 4;
524 }
525 else
526 {
527 conn->eap = atoi(kw->value);
528 if (conn->eap == 0)
529 {
530 plog("# unknown EAP type: %s=%s", kw->entry->name, kw->value);
531 cfg->err++;
532 }
533 }
534 break;
535 case KW_KEYINGTRIES:
536 if (streq(kw->value, "%forever"))
537 {
538 conn->sa_keying_tries = 0;
539 }
540 else
541 {
542 char *endptr;
543
544 conn->sa_keying_tries = strtoul(kw->value, &endptr, 10);
545 if (*endptr != '\0')
546 {
547 plog("# bad integer value: %s=%s", kw->entry->name, kw->value);
548 cfg->err++;
549 }
550 }
551 break;
552 case KW_REKEY:
553 KW_POLICY_FLAG("no", "yes", POLICY_DONT_REKEY)
554 break;
555 case KW_REAUTH:
556 KW_POLICY_FLAG("no", "yes", POLICY_DONT_REAUTH)
557 break;
558 case KW_MOBIKE:
559 KW_POLICY_FLAG("yes", "no", POLICY_MOBIKE)
560 break;
561 case KW_FORCEENCAPS:
562 KW_POLICY_FLAG("yes", "no", POLICY_FORCE_ENCAP)
563 break;
564 case KW_MODECONFIG:
565 KW_POLICY_FLAG("push", "pull", POLICY_MODECFG_PUSH)
566 break;
567 case KW_XAUTH:
568 KW_POLICY_FLAG("server", "client", POLICY_XAUTH_SERVER)
569 break;
570 default:
571 break;
572 }
573 }
574
575 handle_dns_failure("left", &conn->left, cfg);
576 handle_dns_failure("right", &conn->right, cfg);
577 handle_firewall("left", &conn->left, cfg);
578 handle_firewall("right", &conn->right, cfg);
579 }
580
581 /*
582 * initialize a conn object with the default conn
583 */
584 static void
585 conn_default(char *name, starter_conn_t *conn, starter_conn_t *def)
586 {
587 memcpy(conn, def, sizeof(starter_conn_t));
588 conn->name = clone_str(name, "conn name");
589
590 clone_args(KW_CONN_FIRST, KW_CONN_LAST, (char *)conn, (char *)def);
591 clone_args(KW_END_FIRST, KW_END_LAST, (char *)&conn->left, (char *)&def->left);
592 clone_args(KW_END_FIRST, KW_END_LAST, (char *)&conn->right, (char *)&def->right);
593 }
594
595 /*
596 * parse a ca section
597 */
598 static void
599 load_ca(starter_ca_t *ca, kw_list_t *kw, starter_config_t *cfg)
600 {
601 char *ca_name = (ca->name == NULL)? "%default":ca->name;
602
603 for ( ; kw; kw = kw->next)
604 {
605 bool assigned = FALSE;
606
607 kw_token_t token = kw->entry->token;
608
609 if (token == KW_AUTO)
610 {
611 token = KW_CA_SETUP;
612 }
613 else if (token == KW_ALSO)
614 {
615 if (cfg->parse_also)
616 {
617 also_t *also = alloc_thing(also_t, "also_t");
618
619 also->name = clone_str(kw->value, "also");
620 also->next = ca->also;
621 ca->also = also;
622
623 DBG(DBG_CONTROL,
624 DBG_log(" also=%s", kw->value)
625 )
626 }
627 continue;
628 }
629
630 if (token < KW_CA_FIRST || token > KW_CA_LAST)
631 {
632 plog("# unsupported keyword '%s' in ca '%s'", kw->entry->name, ca_name);
633 cfg->err++;
634 continue;
635 }
636
637 if (!assign_arg(token, KW_CA_FIRST, kw, (char *)ca, &assigned))
638 {
639 plog(" bad argument value in ca '%s'", ca_name);
640 cfg->err++;
641 }
642 }
643
644 /* treat 'route' and 'start' as 'add' */
645 if (ca->startup != STARTUP_NO)
646 ca->startup = STARTUP_ADD;
647 }
648
649 /*
650 * initialize a ca object with the default ca
651 */
652 static void
653 ca_default(char *name, starter_ca_t *ca, starter_ca_t *def)
654 {
655 memcpy(ca, def, sizeof(starter_ca_t));
656 ca->name = clone_str(name, "ca name");
657
658 clone_args(KW_CA_FIRST, KW_CA_LAST, (char *)ca, (char *)def);
659 }
660
661 static kw_list_t*
662 find_also_conn(const char* name, starter_conn_t *conn, starter_config_t *cfg);
663
664 static void
665 load_also_conns(starter_conn_t *conn, also_t *also, starter_config_t *cfg)
666 {
667 while (also != NULL)
668 {
669 kw_list_t *kw = find_also_conn(also->name, conn, cfg);
670
671 if (kw == NULL)
672 {
673 plog(" conn '%s' cannot include '%s'", conn->name, also->name);
674 }
675 else
676 {
677 DBG(DBG_CONTROL,
678 DBG_log("conn '%s' includes '%s'", conn->name, also->name)
679 )
680 /* only load if no error occurred in the first round */
681 if (cfg->err == 0)
682 load_conn(conn, kw, cfg);
683 }
684 also = also->next;
685 }
686 }
687
688 /*
689 * find a conn included by also
690 */
691 static kw_list_t*
692 find_also_conn(const char* name, starter_conn_t *conn, starter_config_t *cfg)
693 {
694 starter_conn_t *c = cfg->conn_first;
695
696 while (c != NULL)
697 {
698 if (streq(name, c->name))
699 {
700 if (conn->visit == c->visit)
701 {
702 plog("# detected also loop");
703 cfg->err++;
704 return NULL;
705 }
706 c->visit = conn->visit;
707 load_also_conns(conn, c->also, cfg);
708 return c->kw;
709 }
710 c = c->next;
711 }
712
713 plog("# also '%s' not found", name);
714 cfg->err++;
715 return NULL;
716 }
717
718 static kw_list_t*
719 find_also_ca(const char* name, starter_ca_t *ca, starter_config_t *cfg);
720
721 static void
722 load_also_cas(starter_ca_t *ca, also_t *also, starter_config_t *cfg)
723 {
724 while (also != NULL)
725 {
726 kw_list_t *kw = find_also_ca(also->name, ca, cfg);
727
728 if (kw == NULL)
729 {
730 plog(" ca '%s' cannot include '%s'", ca->name, also->name);
731 }
732 else
733 {
734 DBG(DBG_CONTROL,
735 DBG_log("ca '%s' includes '%s'", ca->name, also->name)
736 )
737 /* only load if no error occurred in the first round */
738 if (cfg->err == 0)
739 load_ca(ca, kw, cfg);
740 }
741 also = also->next;
742 }
743 }
744
745 /*
746 * find a ca included by also
747 */
748 static kw_list_t*
749 find_also_ca(const char* name, starter_ca_t *ca, starter_config_t *cfg)
750 {
751 starter_ca_t *c = cfg->ca_first;
752
753 while (c != NULL)
754 {
755 if (streq(name, c->name))
756 {
757 if (ca->visit == c->visit)
758 {
759 plog("# detected also loop");
760 cfg->err++;
761 return NULL;
762 }
763 c->visit = ca->visit;
764 load_also_cas(ca, c->also, cfg);
765 return c->kw;
766 }
767 c = c->next;
768 }
769
770 plog("# also '%s' not found", name);
771 cfg->err++;
772 return NULL;
773 }
774
775 /*
776 * free the memory used by also_t objects
777 */
778 static void
779 free_also(also_t *head)
780 {
781 while (head != NULL)
782 {
783 also_t *also = head;
784
785 head = also->next;
786 pfree(also->name);
787 pfree(also);
788 }
789 }
790
791 /*
792 * free the memory used by a starter_conn_t object
793 */
794 static void
795 confread_free_conn(starter_conn_t *conn)
796 {
797 free_args(KW_END_FIRST, KW_END_LAST, (char *)&conn->left);
798 free_args(KW_END_FIRST, KW_END_LAST, (char *)&conn->right);
799 free_args(KW_CONN_NAME, KW_CONN_LAST, (char *)conn);
800 free_also(conn->also);
801 }
802
803 /*
804 * free the memory used by a starter_ca_t object
805 */
806 static void
807 confread_free_ca(starter_ca_t *ca)
808 {
809 free_args(KW_CA_NAME, KW_CA_LAST, (char *)ca);
810 free_also(ca->also);
811 }
812
813 /*
814 * free the memory used by a starter_config_t object
815 */
816 void
817 confread_free(starter_config_t *cfg)
818 {
819 starter_conn_t *conn = cfg->conn_first;
820 starter_ca_t *ca = cfg->ca_first;
821
822 free_args(KW_SETUP_FIRST, KW_SETUP_LAST, (char *)cfg);
823
824 confread_free_conn(&cfg->conn_default);
825
826 while (conn != NULL)
827 {
828 starter_conn_t *conn_aux = conn;
829
830 conn = conn->next;
831 confread_free_conn(conn_aux);
832 pfree(conn_aux);
833 }
834
835 confread_free_ca(&cfg->ca_default);
836
837 while (ca != NULL)
838 {
839 starter_ca_t *ca_aux = ca;
840
841 ca = ca->next;
842 confread_free_ca(ca_aux);
843 pfree(ca_aux);
844 }
845
846 pfree(cfg);
847 }
848
849 /*
850 * load and parse an IPsec configuration file
851 */
852 starter_config_t *
853 confread_load(const char *file)
854 {
855 starter_config_t *cfg = NULL;
856 config_parsed_t *cfgp;
857 section_list_t *sconn, *sca;
858 starter_conn_t *conn;
859 starter_ca_t *ca;
860
861 u_int total_err;
862 u_int visit = 0;
863
864 /* load IPSec configuration file */
865 cfgp = parser_load_conf(file);
866 if (!cfgp)
867 return NULL;
868
869 cfg = (starter_config_t *)alloc_thing(starter_config_t, "starter_config_t");
870
871 /* set default values */
872 default_values(cfg);
873
874 /* determine default route */
875 get_defaultroute(&cfg->defaultroute);
876
877 /* load config setup section */
878 load_setup(cfg, cfgp);
879
880 /* in the first round parse also statements */
881 cfg->parse_also = TRUE;
882
883 /* find %default ca section */
884 for (sca = cfgp->ca_first; sca; sca = sca->next)
885 {
886 if (streq(sca->name, "%default"))
887 {
888 DBG(DBG_CONTROL,
889 DBG_log("Loading ca %%default")
890 )
891 load_ca(&cfg->ca_default, sca->kw, cfg);
892 }
893 }
894
895 /* parameters defined in ca %default sections can be overloads */
896 cfg->ca_default.seen = LEMPTY;
897
898 /* load other ca sections */
899 for (sca = cfgp->ca_first; sca; sca = sca->next)
900 {
901 u_int previous_err;
902
903 /* skip %default ca section */
904 if (streq(sca->name, "%default"))
905 continue;
906
907 DBG(DBG_CONTROL,
908 DBG_log("Loading ca '%s'", sca->name)
909 )
910 ca = (starter_ca_t *)alloc_thing(starter_ca_t, "starter_ca_t");
911
912 ca_default(sca->name, ca, &cfg->ca_default);
913 ca->kw = sca->kw;
914 ca->next = NULL;
915
916 previous_err = cfg->err;
917 load_ca(ca, ca->kw, cfg);
918 if (cfg->err > previous_err)
919 {
920 /* errors occurred - free the ca */
921 confread_free_ca(ca);
922 cfg->non_fatal_err += cfg->err - previous_err;
923 cfg->err = previous_err;
924 }
925 else
926 {
927 /* success - insert the ca into the chained list */
928 if (cfg->ca_last)
929 cfg->ca_last->next = ca;
930 cfg->ca_last = ca;
931 if (!cfg->ca_first)
932 cfg->ca_first = ca;
933 }
934 }
935
936 for (ca = cfg->ca_first; ca; ca = ca->next)
937 {
938 also_t *also = ca->also;
939
940 while (also != NULL)
941 {
942 kw_list_t *kw = find_also_ca(also->name, cfg->ca_first, cfg);
943
944 load_ca(ca, kw, cfg);
945 also = also->next;
946 }
947
948 if (ca->startup != STARTUP_NO)
949 ca->state = STATE_TO_ADD;
950 }
951
952 /* find %default conn sections */
953 for (sconn = cfgp->conn_first; sconn; sconn = sconn->next)
954 {
955 if (streq(sconn->name, "%default"))
956 {
957 DBG(DBG_CONTROL,
958 DBG_log("Loading conn %%default")
959 )
960 load_conn(&cfg->conn_default, sconn->kw, cfg);
961 }
962 }
963
964 /* parameter defined in conn %default sections can be overloaded */
965 cfg->conn_default.seen = LEMPTY;
966 cfg->conn_default.right.seen = LEMPTY;
967 cfg->conn_default.left.seen = LEMPTY;
968
969 /* load other conn sections */
970 for (sconn = cfgp->conn_first; sconn; sconn = sconn->next)
971 {
972 u_int previous_err;
973
974 /* skip %default conn section */
975 if (streq(sconn->name, "%default"))
976 continue;
977
978 DBG(DBG_CONTROL,
979 DBG_log("Loading conn '%s'", sconn->name)
980 )
981 conn = (starter_conn_t *)alloc_thing(starter_conn_t, "starter_conn_t");
982
983 conn_default(sconn->name, conn, &cfg->conn_default);
984 conn->kw = sconn->kw;
985 conn->next = NULL;
986
987 previous_err = cfg->err;
988 load_conn(conn, conn->kw, cfg);
989 if (cfg->err > previous_err)
990 {
991 /* error occurred - free the conn */
992 confread_free_conn(conn);
993 cfg->non_fatal_err += cfg->err - previous_err;
994 cfg->err = previous_err;
995 }
996 else
997 {
998 /* success - insert the conn into the chained list */
999 if (cfg->conn_last)
1000 cfg->conn_last->next = conn;
1001 cfg->conn_last = conn;
1002 if (!cfg->conn_first)
1003 cfg->conn_first = conn;
1004 }
1005 }
1006
1007 /* in the second round do not parse also statements */
1008 cfg->parse_also = FALSE;
1009
1010 for (ca = cfg->ca_first; ca; ca = ca->next)
1011 {
1012 ca->visit = ++visit;
1013 load_also_cas(ca, ca->also, cfg);
1014
1015 if (ca->startup != STARTUP_NO)
1016 ca->state = STATE_TO_ADD;
1017 }
1018
1019 for (conn = cfg->conn_first; conn; conn = conn->next)
1020 {
1021 conn->visit = ++visit;
1022 load_also_conns(conn, conn->also, cfg);
1023
1024 if (conn->startup != STARTUP_NO)
1025 conn->state = STATE_TO_ADD;
1026 }
1027
1028 parser_free_conf(cfgp);
1029
1030 total_err = cfg->err + cfg->non_fatal_err;
1031 if (total_err > 0)
1032 {
1033 plog("### %d parsing error%s (%d fatal) ###"
1034 , total_err, (total_err > 1)?"s":"", cfg->err);
1035 }
1036
1037 return cfg;
1038 }
strongSwan - IPsec VPN