projects / strongswan.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
starter: Remove left|rightnexthop option.
[strongswan.git] / src / starter / confread.c
1 /* strongSwan IPsec config file parser
2 * Copyright (C) 2001-2002 Mathieu Lafon - Arkoon Network Security
3 *
4 * This program is free software; you can redistribute it and/or modify it
5 * under the terms of the GNU General Public License as published by the
6 * Free Software Foundation; either version 2 of the License, or (at your
7 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
8 *
9 * This program is distributed in the hope that it will be useful, but
10 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
11 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
12 * for more details.
13 */
14
15 #include <sys/types.h>
16 #include <sys/stat.h>
17 #include <unistd.h>
18 #include <stddef.h>
19 #include <stdlib.h>
20 #include <string.h>
21 #include <assert.h>
22
23 #include <library.h>
24 #include <debug.h>
25
26 #include "../pluto/constants.h"
27 #include "../pluto/defs.h"
28
29 #include "keywords.h"
30 #include "confread.h"
31 #include "args.h"
32 #include "files.h"
33
34 /* strings containing a colon are interpreted as an IPv6 address */
35 #define ip_version(string) (strchr(string, '.') ? AF_INET : AF_INET6)
36
37 static const char ike_defaults[] = "aes128-sha1-modp2048,3des-sha1-modp1536";
38 static const char esp_defaults[] = "aes128-sha1,3des-sha1";
39
40 static const char firewall_defaults[] = "ipsec _updown iptables";
41
42 static bool daemon_exists(char *daemon, char *path)
43 {
44 struct stat st;
45 if (stat(path, &st) != 0)
46 {
47 DBG1(DBG_APP, "Disabling %sstart option, '%s' not found", daemon, path);
48 return FALSE;
49 }
50 return TRUE;
51 }
52
53 static void default_values(starter_config_t *cfg)
54 {
55 if (cfg == NULL)
56 return;
57
58 memset(cfg, 0, sizeof(struct starter_config));
59
60 /* is there enough space for all seen flags? */
61 assert(KW_SETUP_LAST - KW_SETUP_FIRST <
62 sizeof(cfg->setup.seen) * BITS_PER_BYTE);
63 assert(KW_CONN_LAST - KW_CONN_FIRST <
64 sizeof(cfg->conn_default.seen) * BITS_PER_BYTE);
65 assert(KW_END_LAST - KW_END_FIRST <
66 sizeof(cfg->conn_default.right.seen) * BITS_PER_BYTE);
67 assert(KW_CA_LAST - KW_CA_FIRST <
68 sizeof(cfg->ca_default.seen) * BITS_PER_BYTE);
69
70 cfg->setup.seen = LEMPTY;
71 cfg->setup.fragicmp = TRUE;
72 cfg->setup.hidetos = TRUE;
73 cfg->setup.uniqueids = TRUE;
74 cfg->setup.interfaces = new_list("%defaultroute");
75
76 #ifdef START_CHARON
77 cfg->setup.charonstart = TRUE;
78 #endif
79 #ifdef START_PLUTO
80 cfg->setup.plutostart = TRUE;
81 #endif
82
83 cfg->conn_default.seen = LEMPTY;
84 cfg->conn_default.startup = STARTUP_NO;
85 cfg->conn_default.state = STATE_IGNORE;
86 cfg->conn_default.policy = POLICY_ENCRYPT | POLICY_TUNNEL | POLICY_PUBKEY |
87 POLICY_PFS | POLICY_MOBIKE;
88
89 cfg->conn_default.ike = strdupnull(ike_defaults);
90 cfg->conn_default.esp = strdupnull(esp_defaults);
91 cfg->conn_default.sa_ike_life_seconds = OAKLEY_ISAKMP_SA_LIFETIME_DEFAULT;
92 cfg->conn_default.sa_ipsec_life_seconds = PLUTO_SA_LIFE_DURATION_DEFAULT;
93 cfg->conn_default.sa_rekey_margin = SA_REPLACEMENT_MARGIN_DEFAULT;
94 cfg->conn_default.sa_rekey_fuzz = SA_REPLACEMENT_FUZZ_DEFAULT;
95 cfg->conn_default.sa_keying_tries = SA_REPLACEMENT_RETRIES_DEFAULT;
96 cfg->conn_default.addr_family = AF_INET;
97 cfg->conn_default.tunnel_addr_family = AF_INET;
98 cfg->conn_default.install_policy = TRUE;
99 cfg->conn_default.dpd_delay = 30; /* seconds */
100 cfg->conn_default.dpd_timeout = 150; /* seconds */
101
102 cfg->conn_default.left.seen = LEMPTY;
103 cfg->conn_default.right.seen = LEMPTY;
104
105 cfg->conn_default.left.sendcert = CERT_SEND_IF_ASKED;
106 cfg->conn_default.right.sendcert = CERT_SEND_IF_ASKED;
107
108 anyaddr(AF_INET, &cfg->conn_default.left.addr);
109 anyaddr(AF_INET, &cfg->conn_default.right.addr);
110 cfg->conn_default.left.ikeport = 500;
111 cfg->conn_default.right.ikeport = 500;
112
113 cfg->ca_default.seen = LEMPTY;
114 }
115
116 #define KW_POLICY_FLAG(sy, sn, fl) \
117 if (streq(kw->value, sy)) { conn->policy |= fl; } \
118 else if (streq(kw->value, sn)) { conn->policy &= ~fl; } \
119 else { DBG1(DBG_APP, "# bad policy value: %s=%s", kw->entry->name, kw->value); cfg->err++; }
120
121 static void load_setup(starter_config_t *cfg, config_parsed_t *cfgp)
122 {
123 kw_list_t *kw;
124
125 DBG2(DBG_APP, "Loading config setup");
126
127 for (kw = cfgp->config_setup; kw; kw = kw->next)
128 {
129 bool assigned = FALSE;
130
131 kw_token_t token = kw->entry->token;
132
133 if ((int)token < KW_SETUP_FIRST || token > KW_SETUP_LAST)
134 {
135 DBG1(DBG_APP, "# unsupported keyword '%s' in config setup",
136 kw->entry->name);
137 cfg->err++;
138 continue;
139 }
140
141 if (!assign_arg(token, KW_SETUP_FIRST, kw, (char *)cfg, &assigned))
142 {
143 DBG1(DBG_APP, " bad argument value in config setup");
144 cfg->err++;
145 continue;
146 }
147 }
148
149 /* verify the executables are actually available (some distros split
150 * packages but enabled both) */
151 #ifdef START_CHARON
152 cfg->setup.charonstart = cfg->setup.charonstart &&
153 daemon_exists("charon", CHARON_CMD);
154 #else
155 cfg->setup.charonstart = FALSE;
156 #endif
157 #ifdef START_PLUTO
158 cfg->setup.plutostart = cfg->setup.plutostart &&
159 daemon_exists("pluto", PLUTO_CMD);
160 #else
161 cfg->setup.plutostart = FALSE;
162 #endif
163 }
164
165 static void kw_end(starter_conn_t *conn, starter_end_t *end, kw_token_t token,
166 kw_list_t *kw, char *conn_name, starter_config_t *cfg)
167 {
168 err_t ugh = NULL;
169 bool assigned = FALSE;
170 bool has_port_wildcard; /* set if port is %any */
171
172 char *name = kw->entry->name;
173 char *value = kw->value;
174
175 if (!assign_arg(token, KW_END_FIRST, kw, (char *)end, &assigned))
176 goto err;
177
178 /* post processing of some keywords that were assigned automatically */
179 switch (token)
180 {
181 case KW_HOST:
182 free(end->host);
183 end->host = NULL;
184 if (streq(value, "%any") || streq(value, "%any4"))
185 {
186 anyaddr(conn->addr_family, &end->addr);
187 }
188 else if (streq(value, "%any6"))
189 {
190 conn->addr_family = AF_INET6;
191 anyaddr(conn->addr_family, &end->addr);
192 }
193 else if (streq(value, "%group"))
194 {
195 ip_address any;
196
197 conn->policy |= POLICY_GROUP | POLICY_TUNNEL;
198 anyaddr(conn->addr_family, &end->addr);
199 anyaddr(conn->tunnel_addr_family, &any);
200 end->has_client = TRUE;
201 }
202 else
203 {
204 /* check for allow_any prefix */
205 if (value[0] == '%')
206 {
207 end->allow_any = TRUE;
208 value++;
209 }
210 conn->addr_family = ip_version(value);
211 ugh = ttoaddr(value, 0, conn->addr_family, &end->addr);
212 if (ugh != NULL)
213 {
214 DBG1(DBG_APP, "# bad addr: %s=%s [%s]", name, value, ugh);
215 if (streq(ugh, "does not look numeric and name lookup failed"))
216 {
217 end->dns_failed = TRUE;
218 anyaddr(conn->addr_family, &end->addr);
219 }
220 else
221 {
222 goto err;
223 }
224 }
225 end->host = strdupnull(value);
226 }
227 break;
228 case KW_SUBNET:
229 if ((strlen(value) >= 6 && strncmp(value,"vhost:",6) == 0)
230 || (strlen(value) >= 5 && strncmp(value,"vnet:",5) == 0))
231 {
232 /* used by pluto only */
233 end->has_virt = TRUE;
234 }
235 else
236 {
237 ip_subnet net;
238 char *pos;
239 int len = 0;
240
241 end->has_client = TRUE;
242 conn->tunnel_addr_family = ip_version(value);
243
244 pos = strchr(value, ',');
245 if (pos)
246 {
247 len = pos - value;
248 }
249 ugh = ttosubnet(value, len, ip_version(value), &net);
250 if (ugh != NULL)
251 {
252 DBG1(DBG_APP, "# bad subnet: %s=%s [%s]", name, value, ugh);
253 goto err;
254 }
255 }
256 break;
257 case KW_SOURCEIP:
258 if (end->has_natip)
259 {
260 DBG1(DBG_APP, "# natip and sourceip cannot be defined at the same time");
261 goto err;
262 }
263 if (value[0] == '%')
264 {
265 if (streq(value, "%modeconfig") || streq(value, "%modecfg") ||
266 streq(value, "%config") || streq(value, "%cfg"))
267 {
268 /* request ip via config payload */
269 free(end->sourceip);
270 end->sourceip = NULL;
271 end->sourceip_mask = 1;
272 }
273 else
274 { /* %poolname, strip %, serve ip requests */
275 free(end->sourceip);
276 end->sourceip = strdupnull(value+1);
277 end->sourceip_mask = 0;
278 }
279 end->modecfg = TRUE;
280 }
281 else
282 {
283 char *pos;
284 ip_address addr;
285 ip_subnet net;
286
287 conn->tunnel_addr_family = ip_version(value);
288 pos = strchr(value, '/');
289
290 if (pos)
291 { /* CIDR notation, address pool */
292 ugh = ttosubnet(value, 0, conn->tunnel_addr_family, &net);
293 if (ugh != NULL)
294 {
295 DBG1(DBG_APP, "# bad subnet: %s=%s [%s]", name, value, ugh);
296 goto err;
297 }
298 *pos = '\0';
299 free(end->sourceip);
300 end->sourceip = strdupnull(value);
301 end->sourceip_mask = atoi(pos + 1);
302 }
303 else
304 { /* fixed srcip */
305 ugh = ttoaddr(value, 0, conn->tunnel_addr_family, &addr);
306 if (ugh != NULL)
307 {
308 DBG1(DBG_APP, "# bad addr: %s=%s [%s]", name, value, ugh);
309 goto err;
310 }
311 end->sourceip_mask = (conn->tunnel_addr_family == AF_INET) ?
312 32 : 128;
313 }
314 }
315 conn->policy |= POLICY_TUNNEL;
316 break;
317 case KW_SENDCERT:
318 if (end->sendcert == CERT_YES_SEND)
319 {
320 end->sendcert = CERT_ALWAYS_SEND;
321 }
322 else if (end->sendcert == CERT_NO_SEND)
323 {
324 end->sendcert = CERT_NEVER_SEND;
325 }
326 break;
327 default:
328 break;
329 }
330
331 if (assigned)
332 return;
333
334 /* individual processing of keywords that were not assigned automatically */
335 switch (token)
336 {
337 case KW_SUBNETWITHIN:
338 {
339 ip_subnet net;
340
341 end->has_client = TRUE;
342 end->has_client_wildcard = TRUE;
343 conn->tunnel_addr_family = ip_version(value);
344
345 ugh = ttosubnet(value, 0, ip_version(value), &net);
346 if (ugh != NULL)
347 {
348 DBG1(DBG_APP, "# bad subnet: %s=%s [%s]", name, value, ugh);
349 goto err;
350 }
351 end->subnet = strdupnull(value);
352 break;
353 }
354 case KW_PROTOPORT:
355 ugh = ttoprotoport(value, 0, &end->protocol, &end->port, &has_port_wildcard);
356 end->has_port_wildcard = has_port_wildcard;
357 break;
358 case KW_NATIP:
359 {
360 ip_address addr;
361 if (end->sourceip)
362 {
363 DBG1(DBG_APP, "# natip and sourceip cannot be defined at the same time");
364 goto err;
365 }
366 conn->tunnel_addr_family = ip_version(value);
367 ugh = ttoaddr(value, 0, conn->tunnel_addr_family, &addr);
368 if (ugh != NULL)
369 {
370 DBG1(DBG_APP, "# bad addr: %s=%s [%s]", name, value, ugh);
371 goto err;
372 }
373 end->sourceip = strdupnull(value);
374 end->has_natip = TRUE;
375 conn->policy |= POLICY_TUNNEL;
376 break;
377 }
378 default:
379 break;
380 }
381 return;
382
383 err:
384 DBG1(DBG_APP, " bad argument value in conn '%s'", conn_name);
385 cfg->err++;
386 }
387
388 /*
389 * handles left|right=<FQDN> DNS resolution failure
390 */
391 static void handle_dns_failure(const char *label, starter_end_t *end,
392 starter_config_t *cfg, starter_conn_t *conn)
393 {
394 if (end->dns_failed)
395 {
396 if (end->allow_any)
397 {
398 DBG1(DBG_APP, "# fallback to %s=%%any due to '%%' prefix or %sallowany=yes",
399 label, label);
400 }
401 else if (!end->host)
402 {
403 /* declare an error */
404 cfg->err++;
405 }
406 }
407 }
408
409 /*
410 * handles left|rightfirewall and left|rightupdown parameters
411 */
412 static void handle_firewall(const char *label, starter_end_t *end,
413 starter_config_t *cfg)
414 {
415 if (end->firewall && (end->seen & LELEM(KW_FIREWALL - KW_END_FIRST)))
416 {
417 if (end->updown != NULL)
418 {
419 DBG1(DBG_APP, "# cannot have both %sfirewall and %supdown", label,
420 label);
421 cfg->err++;
422 }
423 else
424 {
425 end->updown = strdupnull(firewall_defaults);
426 end->firewall = FALSE;
427 }
428 }
429 }
430
431 static bool handle_mark(char *value, mark_t *mark)
432 {
433 char *pos, *endptr;
434
435 pos = strchr(value, '/');
436 if (pos)
437 {
438 *pos = '\0';
439 mark->mask = strtoul(pos+1, &endptr, 0);
440 if (*endptr != '\0')
441 {
442 DBG1(DBG_APP, "# invalid mark mask: %s", pos+1);
443 return FALSE;
444 }
445 }
446 else
447 {
448 mark->mask = 0xffffffff;
449 }
450 if (value == '\0')
451 {
452 mark->value = 0;
453 }
454 else
455 {
456 mark->value = strtoul(value, &endptr, 0);
457 if (*endptr != '\0')
458 {
459 DBG1(DBG_APP, "# invalid mark value: %s", value);
460 return FALSE;
461 }
462 }
463 return TRUE;
464 }
465
466 /*
467 * parse a conn section
468 */
469 static void load_conn(starter_conn_t *conn, kw_list_t *kw, starter_config_t *cfg)
470 {
471 char *conn_name = (conn->name == NULL)? "%default":conn->name;
472
473 for ( ; kw; kw = kw->next)
474 {
475 bool assigned = FALSE;
476
477 kw_token_t token = kw->entry->token;
478
479 if (token >= KW_LEFT_FIRST && token <= KW_LEFT_LAST)
480 {
481 kw_end(conn, &conn->left, token - KW_LEFT_FIRST + KW_END_FIRST
482 , kw, conn_name, cfg);
483 continue;
484 }
485 else if (token >= KW_RIGHT_FIRST && token <= KW_RIGHT_LAST)
486 {
487 kw_end(conn, &conn->right, token - KW_RIGHT_FIRST + KW_END_FIRST
488 , kw, conn_name, cfg);
489 continue;
490 }
491
492 if (token == KW_AUTO)
493 {
494 token = KW_CONN_SETUP;
495 }
496 else if (token == KW_ALSO)
497 {
498 if (cfg->parse_also)
499 {
500 also_t *also = malloc_thing(also_t);
501
502 also->name = strdupnull(kw->value);
503 also->next = conn->also;
504 conn->also = also;
505
506 DBG2(DBG_APP, " also=%s", kw->value);
507 }
508 continue;
509 }
510
511 if (token < KW_CONN_FIRST || token > KW_CONN_LAST)
512 {
513 DBG1(DBG_APP, "# unsupported keyword '%s' in conn '%s'",
514 kw->entry->name, conn_name);
515 cfg->err++;
516 continue;
517 }
518
519 if (!assign_arg(token, KW_CONN_FIRST, kw, (char *)conn, &assigned))
520 {
521 DBG1(DBG_APP, " bad argument value in conn '%s'", conn_name);
522 cfg->err++;
523 continue;
524 }
525
526 if (assigned)
527 continue;
528
529 switch (token)
530 {
531 case KW_TYPE:
532 conn->policy &= ~(POLICY_TUNNEL | POLICY_SHUNT_MASK);
533 if (streq(kw->value, "tunnel"))
534 {
535 conn->policy |= POLICY_TUNNEL;
536 }
537 else if (streq(kw->value, "beet"))
538 {
539 conn->policy |= POLICY_BEET;
540 }
541 else if (streq(kw->value, "transport_proxy"))
542 {
543 conn->policy |= POLICY_PROXY;
544 }
545 else if (streq(kw->value, "passthrough") || streq(kw->value, "pass"))
546 {
547 conn->policy |= POLICY_SHUNT_PASS;
548 }
549 else if (streq(kw->value, "drop"))
550 {
551 conn->policy |= POLICY_SHUNT_DROP;
552 }
553 else if (streq(kw->value, "reject"))
554 {
555 conn->policy |= POLICY_SHUNT_REJECT;
556 }
557 else if (strcmp(kw->value, "transport") != 0)
558 {
559 DBG1(DBG_APP, "# bad policy value: %s=%s", kw->entry->name,
560 kw->value);
561 cfg->err++;
562 }
563 break;
564 case KW_PFS:
565 KW_POLICY_FLAG("yes", "no", POLICY_PFS)
566 break;
567 case KW_COMPRESS:
568 KW_POLICY_FLAG("yes", "no", POLICY_COMPRESS)
569 break;
570 case KW_AUTH:
571 KW_POLICY_FLAG("ah", "esp", POLICY_AUTHENTICATE)
572 break;
573 case KW_MARK:
574 if (!handle_mark(kw->value, &conn->mark_in))
575 {
576 cfg->err++;
577 break;
578 }
579 conn->mark_out = conn->mark_in;
580 break;
581 case KW_MARK_IN:
582 if (!handle_mark(kw->value, &conn->mark_in))
583 {
584 cfg->err++;
585 }
586 break;
587 case KW_MARK_OUT:
588 if (!handle_mark(kw->value, &conn->mark_out))
589 {
590 cfg->err++;
591 }
592 break;
593 case KW_TFC:
594 if (streq(kw->value, "%mtu"))
595 {
596 conn->tfc = -1;
597 }
598 else
599 {
600 char *endptr;
601
602 conn->tfc = strtoul(kw->value, &endptr, 10);
603 if (*endptr != '\0')
604 {
605 DBG1(DBG_APP, "# bad integer value: %s=%s", kw->entry->name,
606 kw->value);
607 cfg->err++;
608 }
609 }
610 break;
611 case KW_KEYINGTRIES:
612 if (streq(kw->value, "%forever"))
613 {
614 conn->sa_keying_tries = 0;
615 }
616 else
617 {
618 char *endptr;
619
620 conn->sa_keying_tries = strtoul(kw->value, &endptr, 10);
621 if (*endptr != '\0')
622 {
623 DBG1(DBG_APP, "# bad integer value: %s=%s", kw->entry->name,
624 kw->value);
625 cfg->err++;
626 }
627 }
628 break;
629 case KW_REKEY:
630 KW_POLICY_FLAG("no", "yes", POLICY_DONT_REKEY)
631 break;
632 case KW_REAUTH:
633 KW_POLICY_FLAG("no", "yes", POLICY_DONT_REAUTH)
634 break;
635 case KW_MOBIKE:
636 KW_POLICY_FLAG("yes", "no", POLICY_MOBIKE)
637 break;
638 case KW_FORCEENCAPS:
639 KW_POLICY_FLAG("yes", "no", POLICY_FORCE_ENCAP)
640 break;
641 case KW_MODECONFIG:
642 KW_POLICY_FLAG("push", "pull", POLICY_MODECFG_PUSH)
643 break;
644 case KW_XAUTH:
645 KW_POLICY_FLAG("server", "client", POLICY_XAUTH_SERVER)
646 break;
647 default:
648 break;
649 }
650 }
651
652 handle_dns_failure("left", &conn->left, cfg, conn);
653 handle_dns_failure("right", &conn->right, cfg, conn);
654 handle_firewall("left", &conn->left, cfg);
655 handle_firewall("right", &conn->right, cfg);
656 }
657
658 /*
659 * initialize a conn object with the default conn
660 */
661 static void conn_default(char *name, starter_conn_t *conn, starter_conn_t *def)
662 {
663 memcpy(conn, def, sizeof(starter_conn_t));
664 conn->name = strdupnull(name);
665
666 clone_args(KW_CONN_FIRST, KW_CONN_LAST, (char *)conn, (char *)def);
667 clone_args(KW_END_FIRST, KW_END_LAST, (char *)&conn->left, (char *)&def->left);
668 clone_args(KW_END_FIRST, KW_END_LAST, (char *)&conn->right, (char *)&def->right);
669 }
670
671 /*
672 * parse a ca section
673 */
674 static void load_ca(starter_ca_t *ca, kw_list_t *kw, starter_config_t *cfg)
675 {
676 char *ca_name = (ca->name == NULL)? "%default":ca->name;
677
678 for ( ; kw; kw = kw->next)
679 {
680 bool assigned = FALSE;
681
682 kw_token_t token = kw->entry->token;
683
684 if (token == KW_AUTO)
685 {
686 token = KW_CA_SETUP;
687 }
688 else if (token == KW_ALSO)
689 {
690 if (cfg->parse_also)
691 {
692 also_t *also = malloc_thing(also_t);
693
694 also->name = strdupnull(kw->value);
695 also->next = ca->also;
696 ca->also = also;
697
698 DBG2(DBG_APP, " also=%s", kw->value);
699 }
700 continue;
701 }
702
703 if (token < KW_CA_FIRST || token > KW_CA_LAST)
704 {
705 DBG1(DBG_APP, "# unsupported keyword '%s' in ca '%s'",
706 kw->entry->name, ca_name);
707 cfg->err++;
708 continue;
709 }
710
711 if (!assign_arg(token, KW_CA_FIRST, kw, (char *)ca, &assigned))
712 {
713 DBG1(DBG_APP, " bad argument value in ca '%s'", ca_name);
714 cfg->err++;
715 }
716 }
717
718 /* treat 'route' and 'start' as 'add' */
719 if (ca->startup != STARTUP_NO)
720 ca->startup = STARTUP_ADD;
721 }
722
723 /*
724 * initialize a ca object with the default ca
725 */
726 static void ca_default(char *name, starter_ca_t *ca, starter_ca_t *def)
727 {
728 memcpy(ca, def, sizeof(starter_ca_t));
729 ca->name = strdupnull(name);
730
731 clone_args(KW_CA_FIRST, KW_CA_LAST, (char *)ca, (char *)def);
732 }
733
734 static kw_list_t* find_also_conn(const char* name, starter_conn_t *conn,
735 starter_config_t *cfg);
736
737 static void load_also_conns(starter_conn_t *conn, also_t *also,
738 starter_config_t *cfg)
739 {
740 while (also != NULL)
741 {
742 kw_list_t *kw = find_also_conn(also->name, conn, cfg);
743
744 if (kw == NULL)
745 {
746 DBG1(DBG_APP, " conn '%s' cannot include '%s'", conn->name,
747 also->name);
748 }
749 else
750 {
751 DBG2(DBG_APP, "conn '%s' includes '%s'", conn->name, also->name);
752 /* only load if no error occurred in the first round */
753 if (cfg->err == 0)
754 load_conn(conn, kw, cfg);
755 }
756 also = also->next;
757 }
758 }
759
760 /*
761 * find a conn included by also
762 */
763 static kw_list_t* find_also_conn(const char* name, starter_conn_t *conn,
764 starter_config_t *cfg)
765 {
766 starter_conn_t *c = cfg->conn_first;
767
768 while (c != NULL)
769 {
770 if (streq(name, c->name))
771 {
772 if (conn->visit == c->visit)
773 {
774 DBG1(DBG_APP, "# detected also loop");
775 cfg->err++;
776 return NULL;
777 }
778 c->visit = conn->visit;
779 load_also_conns(conn, c->also, cfg);
780 return c->kw;
781 }
782 c = c->next;
783 }
784
785 DBG1(DBG_APP, "# also '%s' not found", name);
786 cfg->err++;
787 return NULL;
788 }
789
790 static kw_list_t* find_also_ca(const char* name, starter_ca_t *ca,
791 starter_config_t *cfg);
792
793 static void load_also_cas(starter_ca_t *ca, also_t *also, starter_config_t *cfg)
794 {
795 while (also != NULL)
796 {
797 kw_list_t *kw = find_also_ca(also->name, ca, cfg);
798
799 if (kw == NULL)
800 {
801 DBG1(DBG_APP, " ca '%s' cannot include '%s'", ca->name,
802 also->name);
803 }
804 else
805 {
806 DBG2(DBG_APP, "ca '%s' includes '%s'", ca->name, also->name);
807 /* only load if no error occurred in the first round */
808 if (cfg->err == 0)
809 load_ca(ca, kw, cfg);
810 }
811 also = also->next;
812 }
813 }
814
815 /*
816 * find a ca included by also
817 */
818 static kw_list_t* find_also_ca(const char* name, starter_ca_t *ca,
819 starter_config_t *cfg)
820 {
821 starter_ca_t *c = cfg->ca_first;
822
823 while (c != NULL)
824 {
825 if (streq(name, c->name))
826 {
827 if (ca->visit == c->visit)
828 {
829 DBG1(DBG_APP, "# detected also loop");
830 cfg->err++;
831 return NULL;
832 }
833 c->visit = ca->visit;
834 load_also_cas(ca, c->also, cfg);
835 return c->kw;
836 }
837 c = c->next;
838 }
839
840 DBG1(DBG_APP, "# also '%s' not found", name);
841 cfg->err++;
842 return NULL;
843 }
844
845 /*
846 * free the memory used by also_t objects
847 */
848 static void free_also(also_t *head)
849 {
850 while (head != NULL)
851 {
852 also_t *also = head;
853
854 head = also->next;
855 free(also->name);
856 free(also);
857 }
858 }
859
860 /*
861 * free the memory used by a starter_conn_t object
862 */
863 static void confread_free_conn(starter_conn_t *conn)
864 {
865 free_args(KW_END_FIRST, KW_END_LAST, (char *)&conn->left);
866 free_args(KW_END_FIRST, KW_END_LAST, (char *)&conn->right);
867 free_args(KW_CONN_NAME, KW_CONN_LAST, (char *)conn);
868 free_also(conn->also);
869 }
870
871 /*
872 * free the memory used by a starter_ca_t object
873 */
874 static void
875 confread_free_ca(starter_ca_t *ca)
876 {
877 free_args(KW_CA_NAME, KW_CA_LAST, (char *)ca);
878 free_also(ca->also);
879 }
880
881 /*
882 * free the memory used by a starter_config_t object
883 */
884 void confread_free(starter_config_t *cfg)
885 {
886 starter_conn_t *conn = cfg->conn_first;
887 starter_ca_t *ca = cfg->ca_first;
888
889 free_args(KW_SETUP_FIRST, KW_SETUP_LAST, (char *)cfg);
890
891 confread_free_conn(&cfg->conn_default);
892
893 while (conn != NULL)
894 {
895 starter_conn_t *conn_aux = conn;
896
897 conn = conn->next;
898 confread_free_conn(conn_aux);
899 free(conn_aux);
900 }
901
902 confread_free_ca(&cfg->ca_default);
903
904 while (ca != NULL)
905 {
906 starter_ca_t *ca_aux = ca;
907
908 ca = ca->next;
909 confread_free_ca(ca_aux);
910 free(ca_aux);
911 }
912
913 free(cfg);
914 }
915
916 /*
917 * load and parse an IPsec configuration file
918 */
919 starter_config_t* confread_load(const char *file)
920 {
921 starter_config_t *cfg = NULL;
922 config_parsed_t *cfgp;
923 section_list_t *sconn, *sca;
924 starter_conn_t *conn;
925 starter_ca_t *ca;
926
927 u_int total_err;
928 u_int visit = 0;
929
930 /* load IPSec configuration file */
931 cfgp = parser_load_conf(file);
932 if (!cfgp)
933 {
934 return NULL;
935 }
936 cfg = malloc_thing(starter_config_t);
937
938 /* set default values */
939 default_values(cfg);
940
941 /* load config setup section */
942 load_setup(cfg, cfgp);
943
944 /* in the first round parse also statements */
945 cfg->parse_also = TRUE;
946
947 /* find %default ca section */
948 for (sca = cfgp->ca_first; sca; sca = sca->next)
949 {
950 if (streq(sca->name, "%default"))
951 {
952 DBG2(DBG_APP, "Loading ca %%default");
953 load_ca(&cfg->ca_default, sca->kw, cfg);
954 }
955 }
956
957 /* parameters defined in ca %default sections can be overloads */
958 cfg->ca_default.seen = LEMPTY;
959
960 /* load other ca sections */
961 for (sca = cfgp->ca_first; sca; sca = sca->next)
962 {
963 u_int previous_err;
964
965 /* skip %default ca section */
966 if (streq(sca->name, "%default"))
967 continue;
968
969 DBG2(DBG_APP, "Loading ca '%s'", sca->name);
970 ca = malloc_thing(starter_ca_t);
971
972 ca_default(sca->name, ca, &cfg->ca_default);
973 ca->kw = sca->kw;
974 ca->next = NULL;
975
976 previous_err = cfg->err;
977 load_ca(ca, ca->kw, cfg);
978 if (cfg->err > previous_err)
979 {
980 /* errors occurred - free the ca */
981 confread_free_ca(ca);
982 cfg->non_fatal_err += cfg->err - previous_err;
983 cfg->err = previous_err;
984 }
985 else
986 {
987 /* success - insert the ca into the chained list */
988 if (cfg->ca_last)
989 cfg->ca_last->next = ca;
990 cfg->ca_last = ca;
991 if (!cfg->ca_first)
992 cfg->ca_first = ca;
993 }
994 }
995
996 for (ca = cfg->ca_first; ca; ca = ca->next)
997 {
998 also_t *also = ca->also;
999
1000 while (also != NULL)
1001 {
1002 kw_list_t *kw = find_also_ca(also->name, cfg->ca_first, cfg);
1003
1004 load_ca(ca, kw, cfg);
1005 also = also->next;
1006 }
1007
1008 if (ca->startup != STARTUP_NO)
1009 ca->state = STATE_TO_ADD;
1010 }
1011
1012 /* find %default conn sections */
1013 for (sconn = cfgp->conn_first; sconn; sconn = sconn->next)
1014 {
1015 if (streq(sconn->name, "%default"))
1016 {
1017 DBG2(DBG_APP, "Loading conn %%default");
1018 load_conn(&cfg->conn_default, sconn->kw, cfg);
1019 }
1020 }
1021
1022 /* parameter defined in conn %default sections can be overloaded */
1023 cfg->conn_default.seen = LEMPTY;
1024 cfg->conn_default.right.seen = LEMPTY;
1025 cfg->conn_default.left.seen = LEMPTY;
1026
1027 /* load other conn sections */
1028 for (sconn = cfgp->conn_first; sconn; sconn = sconn->next)
1029 {
1030 u_int previous_err;
1031
1032 /* skip %default conn section */
1033 if (streq(sconn->name, "%default"))
1034 continue;
1035
1036 DBG2(DBG_APP, "Loading conn '%s'", sconn->name);
1037 conn = malloc_thing(starter_conn_t);
1038
1039 conn_default(sconn->name, conn, &cfg->conn_default);
1040 conn->kw = sconn->kw;
1041 conn->next = NULL;
1042
1043 previous_err = cfg->err;
1044 load_conn(conn, conn->kw, cfg);
1045 if (cfg->err > previous_err)
1046 {
1047 /* error occurred - free the conn */
1048 confread_free_conn(conn);
1049 cfg->non_fatal_err += cfg->err - previous_err;
1050 cfg->err = previous_err;
1051 }
1052 else
1053 {
1054 /* success - insert the conn into the chained list */
1055 if (cfg->conn_last)
1056 cfg->conn_last->next = conn;
1057 cfg->conn_last = conn;
1058 if (!cfg->conn_first)
1059 cfg->conn_first = conn;
1060 }
1061 }
1062
1063 /* in the second round do not parse also statements */
1064 cfg->parse_also = FALSE;
1065
1066 for (ca = cfg->ca_first; ca; ca = ca->next)
1067 {
1068 ca->visit = ++visit;
1069 load_also_cas(ca, ca->also, cfg);
1070
1071 if (ca->startup != STARTUP_NO)
1072 ca->state = STATE_TO_ADD;
1073 }
1074
1075 for (conn = cfg->conn_first; conn; conn = conn->next)
1076 {
1077 conn->visit = ++visit;
1078 load_also_conns(conn, conn->also, cfg);
1079
1080 if (conn->startup != STARTUP_NO)
1081 conn->state = STATE_TO_ADD;
1082 }
1083
1084 parser_free_conf(cfgp);
1085
1086 total_err = cfg->err + cfg->non_fatal_err;
1087 if (total_err > 0)
1088 {
1089 DBG1(DBG_APP, "### %d parsing error%s (%d fatal) ###",
1090 total_err, (total_err > 1)?"s":"", cfg->err);
1091 }
1092
1093 return cfg;
1094 }
strongSwan - IPsec VPN