1 /* $OpenBSD: conf.c,v 1.83 2005/05/26 02:38:35 cloder Exp $	 */
2 /* $EOM: conf.c,v 1.48 2000/12/04 02:04:29 angelos Exp $	 */
3 
4 /*
5  * Copyright (c) 1998, 1999, 2000, 2001 Niklas Hallqvist.  All rights reserved.
6  * Copyright (c) 2000, 2001, 2002 H�kan Olsson.  All rights reserved.
7  *
8  * Redistribution and use in source and binary forms, with or without
9  * modification, are permitted provided that the following conditions
10  * are met:
11  * 1. Redistributions of source code must retain the above copyright
12  *    notice, this list of conditions and the following disclaimer.
13  * 2. Redistributions in binary form must reproduce the above copyright
14  *    notice, this list of conditions and the following disclaimer in the
15  *    documentation and/or other materials provided with the distribution.
16  *
17  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
18  * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
19  * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
20  * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
21  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
22  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
23  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
24  * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
25  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
26  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
27  */
28 
29 /*
30  * This code was written under funding by Ericsson Radio Systems.
31  */
32 
33 #include <sys/param.h>
34 #include <sys/mman.h>
35 #include <sys/queue.h>
36 #include <sys/socket.h>
37 #include <sys/stat.h>
38 #include <netinet/in.h>
39 #include <arpa/inet.h>
40 #include <ctype.h>
41 #include <fcntl.h>
42 #include <stdio.h>
43 #include <stdlib.h>
44 #include <string.h>
45 #include <unistd.h>
46 #include <errno.h>
47 
48 #include "app.h"
49 #include "conf.h"
50 #include "log.h"
51 #include "monitor.h"
52 #include "util.h"
53 
54 static char    *conf_get_trans_str(int, char *, char *);
55 static void     conf_load_defaults(int);
56 #if 0
57 static int      conf_find_trans_xf(int, char *);
58 #endif
59 
60 struct conf_trans {
61 	TAILQ_ENTRY(conf_trans) link;
62 	int	 trans;
63 	enum conf_op {
64 		CONF_SET, CONF_REMOVE, CONF_REMOVE_SECTION
65 	}	 op;
66 	char	*section;
67 	char	*tag;
68 	char	*value;
69 	int	 override;
70 	int	 is_default;
71 };
72 
73 #define CONF_SECT_MAX 256
74 
75 TAILQ_HEAD(conf_trans_head, conf_trans) conf_trans_queue;
76 
77 /*
78  * Radix-64 Encoding.
79  */
80 const u_int8_t  bin2asc[] =
81     "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
82 
83 const u_int8_t  asc2bin[] =
84 {
85 	255, 255, 255, 255, 255, 255, 255, 255,
86 	255, 255, 255, 255, 255, 255, 255, 255,
87 	255, 255, 255, 255, 255, 255, 255, 255,
88 	255, 255, 255, 255, 255, 255, 255, 255,
89 	255, 255, 255, 255, 255, 255, 255, 255,
90 	255, 255, 255, 62, 255, 255, 255, 63,
91 	52, 53, 54, 55, 56, 57, 58, 59,
92 	60, 61, 255, 255, 255, 255, 255, 255,
93 	255, 0, 1, 2, 3, 4, 5, 6,
94 	7, 8, 9, 10, 11, 12, 13, 14,
95 	15, 16, 17, 18, 19, 20, 21, 22,
96 	23, 24, 25, 255, 255, 255, 255, 255,
97 	255, 26, 27, 28, 29, 30, 31, 32,
98 	33, 34, 35, 36, 37, 38, 39, 40,
99 	41, 42, 43, 44, 45, 46, 47, 48,
100 	49, 50, 51, 255, 255, 255, 255, 255
101 };
102 
103 struct conf_binding {
104 	LIST_ENTRY(conf_binding) link;
105 	char	*section;
106 	char	*tag;
107 	char	*value;
108 	int	 is_default;
109 };
110 
111 char	*conf_path = CONFIG_FILE;
LIST_HEAD(conf_bindings,conf_binding)112 LIST_HEAD(conf_bindings, conf_binding) conf_bindings[256];
113 
114 static char	*conf_addr;
115 static __inline__ u_int8_t
116 conf_hash(char *s)
117 {
118 	u_int8_t hash = 0;
119 
120 	while (*s) {
121 		hash = ((hash << 1) | (hash >> 7)) ^ tolower(*s);
122 		s++;
123 	}
124 	return hash;
125 }
126 
127 /*
128  * Insert a tag-value combination from LINE (the equal sign is at POS)
129  */
130 static int
conf_remove_now(char * section,char * tag)131 conf_remove_now(char *section, char *tag)
132 {
133 	struct conf_binding *cb, *next;
134 
135 	for (cb = LIST_FIRST(&conf_bindings[conf_hash(section)]); cb;
136 	    cb = next) {
137 		next = LIST_NEXT(cb, link);
138 		if (strcasecmp(cb->section, section) == 0 &&
139 		    strcasecmp(cb->tag, tag) == 0) {
140 			LIST_REMOVE(cb, link);
141 			LOG_DBG((LOG_MISC, 95, "[%s]:%s->%s removed", section,
142 			    tag, cb->value));
143 			free(cb->section);
144 			free(cb->tag);
145 			free(cb->value);
146 			free(cb);
147 			return 0;
148 		}
149 	}
150 	return 1;
151 }
152 
153 static int
conf_remove_section_now(char * section)154 conf_remove_section_now(char *section)
155 {
156 	struct conf_binding *cb, *next;
157 	int	unseen = 1;
158 
159 	for (cb = LIST_FIRST(&conf_bindings[conf_hash(section)]); cb;
160 	    cb = next) {
161 		next = LIST_NEXT(cb, link);
162 		if (strcasecmp(cb->section, section) == 0) {
163 			unseen = 0;
164 			LIST_REMOVE(cb, link);
165 			LOG_DBG((LOG_MISC, 95, "[%s]:%s->%s removed", section,
166 			    cb->tag, cb->value));
167 			free(cb->section);
168 			free(cb->tag);
169 			free(cb->value);
170 			free(cb);
171 		}
172 	}
173 	return unseen;
174 }
175 
176 /*
177  * Insert a tag-value combination from LINE (the equal sign is at POS)
178  * into SECTION of our configuration database.
179  */
180 static int
conf_set_now(char * section,char * tag,char * value,int override,int is_default)181 conf_set_now(char *section, char *tag, char *value, int override,
182     int is_default)
183 {
184 	struct conf_binding *node = 0;
185 
186 	if (override)
187 		conf_remove_now(section, tag);
188 	else if (conf_get_str(section, tag)) {
189 		if (!is_default)
190 			log_print("conf_set_now: duplicate tag [%s]:%s, "
191 			    "ignoring...\n", section, tag);
192 		return 1;
193 	}
194 	node = calloc(1, sizeof *node);
195 	if (!node) {
196 		log_error("conf_set_now: calloc (1, %lu) failed",
197 		    (unsigned long)sizeof *node);
198 		return 1;
199 	}
200 	node->section = node->tag = node->value = NULL;
201 	if ((node->section = strdup(section)) == NULL)
202 		goto fail;
203 	if ((node->tag = strdup(tag)) == NULL)
204 		goto fail;
205 	if ((node->value = strdup(value)) == NULL)
206 		goto fail;
207 	node->is_default = is_default;
208 
209 	LIST_INSERT_HEAD(&conf_bindings[conf_hash(section)], node, link);
210 	LOG_DBG((LOG_MISC, 95, "conf_set_now: [%s]:%s->%s", node->section,
211 	    node->tag, node->value));
212 	return 0;
213 fail:
214 	if (node->value) {
215 		free(node->value);
216 		node->value = NULL;
217 	}
218 	if (node->tag) {
219 		free(node->tag);
220 		node->tag = NULL;
221 	}
222 	if (node->section) {
223 		free(node->section);
224 		node->section = NULL;
225 	}
226 	return 1;
227 }
228 
229 /*
230  * Parse the line LINE of SZ bytes.  Skip Comments, recognize section
231  * headers and feed tag-value pairs into our configuration database.
232  */
233 static void
conf_parse_line(int trans,char * line,int ln,size_t sz)234 conf_parse_line(int trans, char *line, int ln, size_t sz)
235 {
236 	char	*val;
237 	size_t	 i;
238 	int	 j;
239 	static char *section = 0;
240 
241 	/* Lines starting with '#' or ';' are comments.  */
242 	if (*line == '#' || *line == ';')
243 		return;
244 
245 	/* '[section]' parsing...  */
246 	if (*line == '[') {
247 		for (i = 1; i < sz; i++)
248 			if (line[i] == ']')
249 				break;
250 		if (section)
251 			free(section);
252 		if (i == sz) {
253 			log_print("conf_parse_line: %d:"
254 			    "unmatched ']', ignoring until next section", ln);
255 			section = 0;
256 			return;
257 		}
258 		section = malloc(i);
259 		if (!section) {
260 			log_print("conf_parse_line: %d: malloc (%lu) failed",
261 			    ln, (unsigned long)i);
262 			return;
263 		}
264 		strlcpy(section, line + 1, i);
265 		return;
266 	}
267 	/* Deal with assignments.  */
268 	for (i = 0; i < sz; i++)
269 		if (line[i] == '=') {
270 			/* If no section, we are ignoring the lines.  */
271 			if (!section) {
272 				log_print("conf_parse_line: %d: ignoring line "
273 				    "due to no section", ln);
274 				return;
275 			}
276 			line[strcspn(line, " \t=")] = '\0';
277 			val = line + i + 1 + strspn(line + i + 1, " \t");
278 			/* Skip trailing whitespace, if any */
279 			for (j = sz - (val - line) - 1; j > 0 &&
280 			    isspace(val[j]); j--)
281 				val[j] = '\0';
282 			/* XXX Perhaps should we not ignore errors?  */
283 			conf_set(trans, section, line, val, 0, 0);
284 			return;
285 		}
286 	/* Other non-empty lines are weird.  */
287 	i = strspn(line, " \t");
288 	if (line[i])
289 		log_print("conf_parse_line: %d: syntax error", ln);
290 }
291 
292 /* Parse the mapped configuration file.  */
293 static void
conf_parse(int trans,char * buf,size_t sz)294 conf_parse(int trans, char *buf, size_t sz)
295 {
296 	char	*cp = buf;
297 	char	*bufend = buf + sz;
298 	char	*line;
299 	int	ln = 1;
300 
301 	line = cp;
302 	while (cp < bufend) {
303 		if (*cp == '\n') {
304 			/* Check for escaped newlines.  */
305 			if (cp > buf && *(cp - 1) == '\\')
306 				*(cp - 1) = *cp = ' ';
307 			else {
308 				*cp = '\0';
309 				conf_parse_line(trans, line, ln, cp - line);
310 				line = cp + 1;
311 			}
312 			ln++;
313 		}
314 		cp++;
315 	}
316 	if (cp != line)
317 		log_print("conf_parse: last line unterminated, ignored.");
318 }
319 
320 /*
321  * Auto-generate default configuration values for the transforms and
322  * suites the user wants.
323  *
324  * Resulting section names can be:
325  *  For main mode:
326  *     {DES,BLF,3DES,CAST,AES}-{MD5,SHA}[-GRP{1,2,5,14}][-{DSS,RSA_SIG}]
327  *  For quick mode:
328  *     QM-{proto}[-TRP]-{cipher}[-{hash}][-PFS[-{group}]]-SUITE
329  *     where
330  *       {proto}  = ESP, AH
331  *       {cipher} = DES, 3DES, CAST, BLF, AES
332  *       {hash}   = MD5, SHA, RIPEMD, SHA2-{-256,384,512}
333  *       {group}  = GRP1, GRP2, GRP5, GRP14
334  *
335  * DH group defaults to MODP_1024.
336  *
337  * XXX We may want to support USE_TRIPLEDES, etc...
338  * XXX No EC2N DH support here yet.
339  */
340 
341 /* Find the value for a section+tag in the transaction list.  */
342 static char *
conf_get_trans_str(int trans,char * section,char * tag)343 conf_get_trans_str(int trans, char *section, char *tag)
344 {
345 	struct conf_trans *node, *nf = 0;
346 
347 	for (node = TAILQ_FIRST(&conf_trans_queue); node;
348 	    node = TAILQ_NEXT(node, link))
349 		if (node->trans == trans && strcasecmp(section, node->section)
350 		    == 0 && strcasecmp(tag, node->tag) == 0) {
351 			if (!nf)
352 				nf = node;
353 			else if (node->override)
354 				nf = node;
355 		}
356 	return nf ? nf->value : 0;
357 }
358 
359 #if 0
360 /* XXX Currently unused.  */
361 static int
362 conf_find_trans_xf(int phase, char *xf)
363 {
364 	struct conf_trans *node;
365 	char	*p;
366 
367 	/* Find the relevant transforms and suites, if any.  */
368 	for (node = TAILQ_FIRST(&conf_trans_queue); node;
369 	    node = TAILQ_NEXT(node, link))
370 		if ((phase == 1 && strcmp("Transforms", node->tag) == 0) ||
371 		    (phase == 2 && strcmp("Suites", node->tag) == 0)) {
372 			p = node->value;
373 			while ((p = strstr(p, xf)) != NULL)
374 				if (*(p + strlen(p)) &&
375 				    *(p + strlen(p)) != ',')
376 					p += strlen(p);
377 				else
378 					return 1;
379 		}
380 	return 0;
381 }
382 #endif
383 
384 static void
conf_load_defaults_mm(int tr,char * mme,char * mmh,char * mma,char * dhg,char * mme_p,char * mma_p,char * dhg_p)385 conf_load_defaults_mm(int tr, char *mme, char *mmh, char *mma, char *dhg,
386     char *mme_p, char *mma_p, char *dhg_p)
387 {
388 	char sect[CONF_SECT_MAX];
389 
390 	snprintf(sect, sizeof sect, "%s-%s%s%s", mme_p, mmh, dhg_p, mma_p);
391 
392 	LOG_DBG((LOG_MISC, 95, "conf_load_defaults_mm: main mode %s", sect));
393 
394 	conf_set(tr, sect, "ENCRYPTION_ALGORITHM", mme, 0, 1);
395 	if (strcmp(mme, "BLOWFISH_CBC") == 0)
396 		conf_set(tr, sect, "KEY_LENGTH", CONF_DFLT_VAL_BLF_KEYLEN, 0,
397 		    1);
398 	else if (strcmp(mme, "AES_CBC") == 0)
399 		conf_set(tr, sect, "KEY_LENGTH", CONF_DFLT_VAL_AES_KEYLEN, 0,
400 		    1);
401 
402 	conf_set(tr, sect, "HASH_ALGORITHM", mmh, 0, 1);
403 	conf_set(tr, sect, "AUTHENTICATION_METHOD", mma, 0, 1);
404 	conf_set(tr, sect, "GROUP_DESCRIPTION", dhg, 0, 1);
405 	conf_set(tr, sect, "Life", CONF_DFLT_TAG_LIFE_MAIN_MODE, 0, 1);
406 }
407 
408 static void
conf_load_defaults_qm(int tr,char * qme,char * qmh,char * dhg,char * qme_p,char * qmh_p,char * dhg_p,int proto,int mode,int pfs)409 conf_load_defaults_qm(int tr, char *qme, char *qmh, char *dhg, char *qme_p,
410     char *qmh_p, char *dhg_p, int proto, int mode, int pfs)
411 {
412 	char sect[CONF_SECT_MAX], tmp[CONF_SECT_MAX];
413 
414 	/* Helper #defines, incl abbreviations.  */
415 #define PROTO(x)  ((x) ? "AH" : "ESP")
416 #define PFS(x)    ((x) ? "-PFS" : "")
417 #define MODE(x)   ((x) ? "TRANSPORT" : "TUNNEL")
418 #define MODE_p(x) ((x) ? "-TRP" : "")
419 
420 	if (proto == 1 && strcmp(qmh, "NONE") == 0) /* AH */
421 		return;
422 
423 	snprintf(tmp, sizeof tmp, "QM-%s%s%s%s%s%s", PROTO(proto),
424 	    MODE_p(mode), qme_p, qmh_p, PFS(pfs), dhg_p);
425 
426 	strlcpy(sect, tmp, CONF_SECT_MAX);
427 	strlcat(sect, "-SUITE",	CONF_SECT_MAX);
428 
429 	LOG_DBG((LOG_MISC, 95, "conf_load_defaults_qm: quick mode %s", sect));
430 
431 	conf_set(tr, sect, "Protocols", tmp, 0, 1);
432 	snprintf(sect, sizeof sect, "IPSEC_%s", PROTO(proto));
433 	conf_set(tr, tmp, "PROTOCOL_ID", sect, 0, 1);
434 	strlcpy(sect, tmp, CONF_SECT_MAX);
435 	strlcat(sect, "-XF", CONF_SECT_MAX);
436 	conf_set(tr, tmp, "Transforms", sect, 0, 1);
437 
438 	/*
439 	 * XXX For now, defaults
440 	 * contain one xf per protocol.
441 	 */
442 	conf_set(tr, sect, "TRANSFORM_ID", qme, 0, 1);
443 	if (strcmp(qme ,"BLOWFISH") == 0)
444 		conf_set(tr, sect, "KEY_LENGTH", CONF_DFLT_VAL_BLF_KEYLEN, 0,
445 			 1);
446 	else if (strcmp(qme ,"AES") == 0)
447 		conf_set(tr, sect, "KEY_LENGTH", CONF_DFLT_VAL_AES_KEYLEN, 0,
448 			 1);
449 	conf_set(tr, sect, "ENCAPSULATION_MODE", MODE(mode), 0, 1);
450 	if (strcmp(qmh, "NONE")) {
451 		conf_set(tr, sect, "AUTHENTICATION_ALGORITHM", qmh, 0, 1);
452 
453 		/* XXX Another shortcut to keep length down */
454 		if (pfs)
455 			conf_set(tr, sect, "GROUP_DESCRIPTION", dhg, 0, 1);
456 	}
457 
458 	/* XXX Lifetimes depending on enc/auth strength? */
459 	conf_set(tr, sect, "Life", CONF_DFLT_TAG_LIFE_QUICK_MODE, 0, 1);
460 }
461 
462 static void
conf_load_defaults(int tr)463 conf_load_defaults(int tr)
464 {
465 	int	 enc, auth, hash, group, proto, mode, pfs;
466 	char	*dflt;
467 
468 	char	*mm_auth[] = {"PRE_SHARED", "DSS", "RSA_SIG", 0};
469 	char	*mm_auth_p[] = {"", "-DSS", "-RSA_SIG", 0};
470 	char	*mm_hash[] = {"MD5", "SHA", 0};
471 	char	*mm_enc[] = {"DES_CBC", "BLOWFISH_CBC", "3DES_CBC", "CAST_CBC",
472 		    "AES_CBC", 0};
473 	char	*mm_enc_p[] = {"DES", "BLF", "3DES", "CAST", "AES", 0};
474 	char	*dhgroup[] = {"MODP_1024", "MODP_768", "MODP_1024",
475 		    "MODP_1536", "MODP_2048", 0};
476 	char	*dhgroup_p[] = {"", "-GRP1", "-GRP2", "-GRP5", "-GRP14", 0};
477 	char	*qm_enc[] = {"DES", "3DES", "CAST", "BLOWFISH", "AES", 0};
478 	char	*qm_enc_p[] = {"-DES", "-3DES", "-CAST", "-BLF", "-AES", 0};
479 	char	*qm_hash[] = {"HMAC_MD5", "HMAC_SHA", "HMAC_RIPEMD",
480 		    "HMAC_SHA2_256", "HMAC_SHA2_384", "HMAC_SHA2_512", "NONE",
481 		    0};
482 	char	*qm_hash_p[] = {"-MD5", "-SHA", "-RIPEMD", "-SHA2-256",
483 		    "-SHA2-384", "-SHA2-512", "", 0};
484 
485 	/* General and X509 defaults */
486 	conf_set(tr, "General", "Retransmits", CONF_DFLT_RETRANSMITS, 0, 1);
487 	conf_set(tr, "General", "Exchange-max-time", CONF_DFLT_EXCH_MAX_TIME,
488 	    0, 1);
489 	conf_set(tr, "General", "Use-Keynote", CONF_DFLT_USE_KEYNOTE, 0, 1);
490 	conf_set(tr, "General", "Policy-file", CONF_DFLT_POLICY_FILE, 0, 1);
491 	conf_set(tr, "General", "Pubkey-directory", CONF_DFLT_PUBKEY_DIR, 0,
492 	    1);
493 
494 	conf_set(tr, "X509-certificates", "CA-directory",
495 	    CONF_DFLT_X509_CA_DIR, 0, 1);
496 	conf_set(tr, "X509-certificates", "Cert-directory",
497 	    CONF_DFLT_X509_CERT_DIR, 0, 1);
498 	conf_set(tr, "X509-certificates", "Private-key",
499 	    CONF_DFLT_X509_PRIVATE_KEY, 0, 1);
500 	conf_set(tr, "X509-certificates", "CRL-directory",
501 	    CONF_DFLT_X509_CRL_DIR, 0, 1);
502 
503 	conf_set(tr, "KeyNote", "Credential-directory",
504 	    CONF_DFLT_KEYNOTE_CRED_DIR, 0, 1);
505 
506 	/* Lifetimes. XXX p1/p2 vs main/quick mode may be unclear.  */
507 	dflt = conf_get_trans_str(tr, "General", "Default-phase-1-lifetime");
508 	conf_set(tr, CONF_DFLT_TAG_LIFE_MAIN_MODE, "LIFE_TYPE",
509 	    CONF_DFLT_TYPE_LIFE_MAIN_MODE, 0, 1);
510 	conf_set(tr, CONF_DFLT_TAG_LIFE_MAIN_MODE, "LIFE_DURATION",
511 	    (dflt ? dflt : CONF_DFLT_VAL_LIFE_MAIN_MODE), 0, 1);
512 
513 	dflt = conf_get_trans_str(tr, "General", "Default-phase-2-lifetime");
514 	conf_set(tr, CONF_DFLT_TAG_LIFE_QUICK_MODE, "LIFE_TYPE",
515 	    CONF_DFLT_TYPE_LIFE_QUICK_MODE, 0, 1);
516 	conf_set(tr, CONF_DFLT_TAG_LIFE_QUICK_MODE, "LIFE_DURATION",
517 	    (dflt ? dflt : CONF_DFLT_VAL_LIFE_QUICK_MODE), 0, 1);
518 
519 	/* Default Phase-1 Configuration section */
520 	conf_set(tr, CONF_DFLT_TAG_PHASE1_CONFIG, "EXCHANGE_TYPE",
521 	    CONF_DFLT_PHASE1_EXCH_TYPE, 0, 1);
522 	conf_set(tr, CONF_DFLT_TAG_PHASE1_CONFIG, "Transforms",
523 	    CONF_DFLT_PHASE1_TRANSFORMS, 0, 1);
524 
525 	/* Main modes */
526 	for (enc = 0; mm_enc[enc]; enc++)
527 		for (hash = 0; mm_hash[hash]; hash++)
528 			for (auth = 0; mm_auth[auth]; auth++)
529 				for (group = 0; dhgroup_p[group]; group++)
530 					conf_load_defaults_mm (tr, mm_enc[enc],
531 					    mm_hash[hash], mm_auth[auth],
532 					    dhgroup[group], mm_enc_p[enc],
533 					    mm_auth_p[auth], dhgroup_p[group]);
534 
535 	/* Setup a default Phase 1 entry */
536 	conf_set(tr, "Phase 1", "Default", "Default-phase-1", 0, 1);
537 	conf_set(tr, "Default-phase-1", "Phase", "1", 0, 1);
538 	conf_set(tr, "Default-phase-1", "Configuration",
539 	    "Default-phase-1-configuration", 0, 1);
540 	dflt = conf_get_trans_str(tr, "General", "Default-phase-1-ID");
541 	if (dflt)
542 		conf_set(tr, "Default-phase-1", "ID", dflt, 0, 1);
543 
544 	/* Quick modes */
545 	for (enc = 0; qm_enc[enc]; enc++)
546 		for (proto = 0; proto < 2; proto++)
547 			for (mode = 0; mode < 2; mode++)
548 				for (pfs = 0; pfs < 2; pfs++)
549 					for (hash = 0; qm_hash[hash]; hash++)
550 						for (group = 0;
551 						    dhgroup_p[group]; group++)
552 							conf_load_defaults_qm(
553 							    tr, qm_enc[enc],
554 							    qm_hash[hash],
555 							    dhgroup[group],
556 							    qm_enc_p[enc],
557 							    qm_hash_p[hash],
558 							    dhgroup_p[group],
559 							    proto, mode, pfs);
560 }
561 
562 void
conf_init(void)563 conf_init(void)
564 {
565 	unsigned int i;
566 
567 	for (i = 0; i < sizeof conf_bindings / sizeof conf_bindings[0]; i++)
568 		LIST_INIT(&conf_bindings[i]);
569 	TAILQ_INIT(&conf_trans_queue);
570 	conf_reinit();
571 }
572 
573 /* Open the config file and map it into our address space, then parse it.  */
574 void
conf_reinit(void)575 conf_reinit(void)
576 {
577 	struct conf_binding *cb = 0;
578 	int	 fd, trans;
579 	unsigned int i;
580 	size_t	 sz;
581 	char	*new_conf_addr = 0;
582 
583 	if ((fd = monitor_open(conf_path, O_RDONLY, 0)) != -1) {
584 		if (check_file_secrecy_fd(fd, conf_path, &sz))
585 			goto fail;
586 
587 		new_conf_addr = malloc(sz);
588 		if (!new_conf_addr) {
589 			log_error("conf_reinit: malloc (%lu) failed",
590 			    (unsigned long)sz);
591 			goto fail;
592 		}
593 		/* XXX I assume short reads won't happen here.  */
594 		if (read(fd, new_conf_addr, sz) != (int)sz) {
595 			log_error("conf_reinit: read (%d, %p, %lu) failed",
596 			    fd, new_conf_addr, (unsigned long)sz);
597 			goto fail;
598 		}
599 		close(fd);
600 
601 		trans = conf_begin();
602 
603 		/* XXX Should we not care about errors and rollback?  */
604 		conf_parse(trans, new_conf_addr, sz);
605 	} else {
606 		if (errno != ENOENT)
607 			log_error("conf_reinit: open(\"%s\", O_RDONLY, 0) "
608 			    "failed", conf_path);
609 
610 		trans = conf_begin();
611 	}
612 
613 	/* Load default configuration values.  */
614 	conf_load_defaults(trans);
615 
616 	/* Free potential existing configuration.  */
617 	if (conf_addr) {
618 		for (i = 0; i < sizeof conf_bindings / sizeof conf_bindings[0];
619 		    i++)
620 			for (cb = LIST_FIRST(&conf_bindings[i]); cb;
621 			    cb = LIST_FIRST(&conf_bindings[i]))
622 				conf_remove_now(cb->section, cb->tag);
623 		free(conf_addr);
624 	}
625 	conf_end(trans, 1);
626 	conf_addr = new_conf_addr;
627 	return;
628 
629 fail:
630 	if (new_conf_addr)
631 		free(new_conf_addr);
632 	close(fd);
633 }
634 
635 /*
636  * Return the numeric value denoted by TAG in section SECTION or DEF
637  * if that tag does not exist.
638  */
639 int
conf_get_num(char * section,char * tag,int def)640 conf_get_num(char *section, char *tag, int def)
641 {
642 	char	*value = conf_get_str(section, tag);
643 
644 	if (value)
645 		return atoi(value);
646 	return def;
647 }
648 
649 /*
650  * Return the socket endpoint address denoted by TAG in SECTION as a
651  * struct sockaddr.  It is the callers responsibility to deallocate
652  * this structure when it is finished with it.
653  */
654 struct sockaddr *
conf_get_address(char * section,char * tag)655 conf_get_address(char *section, char *tag)
656 {
657 	char	*value = conf_get_str(section, tag);
658 	struct sockaddr *sa;
659 
660 	if (!value)
661 		return 0;
662 	if (text2sockaddr(value, 0, &sa, 0, 0) == -1)
663 		return 0;
664 	return sa;
665 }
666 
667 /* Validate X according to the range denoted by TAG in section SECTION.  */
668 int
conf_match_num(char * section,char * tag,int x)669 conf_match_num(char *section, char *tag, int x)
670 {
671 	char	*value = conf_get_str(section, tag);
672 	int	 val, min, max, n;
673 
674 	if (!value)
675 		return 0;
676 	n = sscanf(value, "%d,%d:%d", &val, &min, &max);
677 	switch (n) {
678 	case 1:
679 		LOG_DBG((LOG_MISC, 95, "conf_match_num: %s:%s %d==%d?",
680 		    section, tag, val, x));
681 		return x == val;
682 	case 3:
683 		LOG_DBG((LOG_MISC, 95, "conf_match_num: %s:%s %d<=%d<=%d?",
684 		    section, tag, min, x, max));
685 		return min <= x && max >= x;
686 	default:
687 		log_error("conf_match_num: section %s tag %s: invalid number "
688 		    "spec %s", section, tag, value);
689 	}
690 	return 0;
691 }
692 
693 /* Return the string value denoted by TAG in section SECTION.  */
694 char *
conf_get_str(char * section,char * tag)695 conf_get_str(char *section, char *tag)
696 {
697 	struct conf_binding *cb;
698 
699 	for (cb = LIST_FIRST(&conf_bindings[conf_hash(section)]); cb;
700 	    cb = LIST_NEXT(cb, link))
701 		if (strcasecmp(section, cb->section) == 0 &&
702 		    strcasecmp(tag, cb->tag) == 0) {
703 			LOG_DBG((LOG_MISC, 95, "conf_get_str: [%s]:%s->%s",
704 			    section, tag, cb->value));
705 			return cb->value;
706 		}
707 	LOG_DBG((LOG_MISC, 95,
708 	    "conf_get_str: configuration value not found [%s]:%s", section,
709 	    tag));
710 	return 0;
711 }
712 
713 /*
714  * Build a list of string values out of the comma separated value denoted by
715  * TAG in SECTION.
716  */
717 struct conf_list *
conf_get_list(char * section,char * tag)718 conf_get_list(char *section, char *tag)
719 {
720 	char	*liststr = 0, *p, *field, *t;
721 	struct conf_list *list = 0;
722 	struct conf_list_node *node = 0;
723 
724 	list = malloc(sizeof *list);
725 	if (!list)
726 		goto cleanup;
727 	TAILQ_INIT(&list->fields);
728 	list->cnt = 0;
729 	liststr = conf_get_str(section, tag);
730 	if (!liststr)
731 		goto cleanup;
732 	liststr = strdup(liststr);
733 	if (!liststr)
734 		goto cleanup;
735 	p = liststr;
736 	while ((field = strsep(&p, ",")) != NULL) {
737 		/* Skip leading whitespace */
738 		while (isspace(*field))
739 			field++;
740 		/* Skip trailing whitespace */
741 		if (p)
742 			for (t = p - 1; t > field && isspace(*t); t--)
743 				*t = '\0';
744 		if (*field == '\0') {
745 			log_print("conf_get_list: empty field, ignoring...");
746 			continue;
747 		}
748 		list->cnt++;
749 		node = calloc(1, sizeof *node);
750 		if (!node)
751 			goto cleanup;
752 		node->field = strdup(field);
753 		if (!node->field)
754 			goto cleanup;
755 		TAILQ_INSERT_TAIL(&list->fields, node, link);
756 	}
757 	free(liststr);
758 	return list;
759 
760 cleanup:
761 	if (node)
762 		free(node);
763 	if (list)
764 		conf_free_list(list);
765 	if (liststr)
766 		free(liststr);
767 	return 0;
768 }
769 
770 struct conf_list *
conf_get_tag_list(char * section)771 conf_get_tag_list(char *section)
772 {
773 	struct conf_list *list = 0;
774 	struct conf_list_node *node = 0;
775 	struct conf_binding *cb;
776 
777 	list = malloc(sizeof *list);
778 	if (!list)
779 		goto cleanup;
780 	TAILQ_INIT(&list->fields);
781 	list->cnt = 0;
782 	for (cb = LIST_FIRST(&conf_bindings[conf_hash(section)]); cb;
783 	    cb = LIST_NEXT(cb, link))
784 		if (strcasecmp(section, cb->section) == 0) {
785 			list->cnt++;
786 			node = calloc(1, sizeof *node);
787 			if (!node)
788 				goto cleanup;
789 			node->field = strdup(cb->tag);
790 			if (!node->field)
791 				goto cleanup;
792 			TAILQ_INSERT_TAIL(&list->fields, node, link);
793 		}
794 	return list;
795 
796 cleanup:
797 	if (node)
798 		free(node);
799 	if (list)
800 		conf_free_list(list);
801 	return 0;
802 }
803 
804 /* Decode a PEM encoded buffer.  */
805 int
conf_decode_base64(u_int8_t * out,u_int32_t * len,u_char * buf)806 conf_decode_base64(u_int8_t *out, u_int32_t *len, u_char *buf)
807 {
808 	u_int32_t	c = 0;
809 	u_int8_t	c1, c2, c3, c4;
810 
811 	while (*buf) {
812 		if (*buf > 127 || (c1 = asc2bin[*buf]) == 255)
813 			return 0;
814 		buf++;
815 
816 		if (*buf > 127 || (c2 = asc2bin[*buf]) == 255)
817 			return 0;
818 		buf++;
819 
820 		if (*buf == '=') {
821 			c3 = c4 = 0;
822 			c++;
823 
824 			/* Check last four bit */
825 			if (c2 & 0xF)
826 				return 0;
827 
828 			if (strcmp((char *)buf, "==") == 0)
829 				buf++;
830 			else
831 				return 0;
832 		} else if (*buf > 127 || (c3 = asc2bin[*buf]) == 255)
833 			return 0;
834 		else {
835 			if (*++buf == '=') {
836 				c4 = 0;
837 				c += 2;
838 
839 				/* Check last two bit */
840 				if (c3 & 3)
841 					return 0;
842 
843 				if (strcmp((char *)buf, "="))
844 					return 0;
845 
846 			} else if (*buf > 127 || (c4 = asc2bin[*buf]) == 255)
847 				return 0;
848 			else
849 				c += 3;
850 		}
851 
852 		buf++;
853 		*out++ = (c1 << 2) | (c2 >> 4);
854 		*out++ = (c2 << 4) | (c3 >> 2);
855 		*out++ = (c3 << 6) | c4;
856 	}
857 
858 	*len = c;
859 	return 1;
860 
861 }
862 
863 void
conf_free_list(struct conf_list * list)864 conf_free_list(struct conf_list *list)
865 {
866 	struct conf_list_node *node = TAILQ_FIRST(&list->fields);
867 
868 	while (node) {
869 		TAILQ_REMOVE(&list->fields, node, link);
870 		if (node->field)
871 			free(node->field);
872 		free(node);
873 		node = TAILQ_FIRST(&list->fields);
874 	}
875 	free(list);
876 }
877 
878 int
conf_begin(void)879 conf_begin(void)
880 {
881 	static int	seq = 0;
882 
883 	return ++seq;
884 }
885 
886 static struct conf_trans *
conf_trans_node(int transaction,enum conf_op op)887 conf_trans_node(int transaction, enum conf_op op)
888 {
889 	struct conf_trans *node;
890 
891 	node = calloc(1, sizeof *node);
892 	if (!node) {
893 		log_error("conf_trans_node: calloc (1, %lu) failed",
894 		    (unsigned long)sizeof *node);
895 		return 0;
896 	}
897 	node->trans = transaction;
898 	node->op = op;
899 	TAILQ_INSERT_TAIL(&conf_trans_queue, node, link);
900 	return node;
901 }
902 
903 /* Queue a set operation.  */
904 int
conf_set(int transaction,char * section,char * tag,char * value,int override,int is_default)905 conf_set(int transaction, char *section, char *tag, char *value, int override,
906     int is_default)
907 {
908 	struct conf_trans *node;
909 
910 	node = conf_trans_node(transaction, CONF_SET);
911 	if (!node)
912 		return 1;
913 	node->section = strdup(section);
914 	if (!node->section) {
915 		log_error("conf_set: strdup (\"%s\") failed", section);
916 		goto fail;
917 	}
918 	node->tag = strdup(tag);
919 	if (!node->tag) {
920 		log_error("conf_set: strdup (\"%s\") failed", tag);
921 		goto fail;
922 	}
923 	node->value = strdup(value);
924 	if (!node->value) {
925 		log_error("conf_set: strdup (\"%s\") failed", value);
926 		goto fail;
927 	}
928 	node->override = override;
929 	node->is_default = is_default;
930 	return 0;
931 
932 fail:
933 	if (node->tag)
934 		free(node->tag);
935 	if (node->section)
936 		free(node->section);
937 	if (node)
938 		free(node);
939 	return 1;
940 }
941 
942 /* Queue a remove operation.  */
943 int
conf_remove(int transaction,char * section,char * tag)944 conf_remove(int transaction, char *section, char *tag)
945 {
946 	struct conf_trans *node;
947 
948 	node = conf_trans_node(transaction, CONF_REMOVE);
949 	if (!node)
950 		goto fail;
951 	node->section = strdup(section);
952 	if (!node->section) {
953 		log_error("conf_remove: strdup (\"%s\") failed", section);
954 		goto fail;
955 	}
956 	node->tag = strdup(tag);
957 	if (!node->tag) {
958 		log_error("conf_remove: strdup (\"%s\") failed", tag);
959 		goto fail;
960 	}
961 	return 0;
962 
963 fail:
964 	if (node->section)
965 		free(node->section);
966 	if (node)
967 		free(node);
968 	return 1;
969 }
970 
971 /* Queue a remove section operation.  */
972 int
conf_remove_section(int transaction,char * section)973 conf_remove_section(int transaction, char *section)
974 {
975 	struct conf_trans *node;
976 
977 	node = conf_trans_node(transaction, CONF_REMOVE_SECTION);
978 	if (!node)
979 		goto fail;
980 	node->section = strdup(section);
981 	if (!node->section) {
982 		log_error("conf_remove_section: strdup (\"%s\") failed",
983 		    section);
984 		goto fail;
985 	}
986 	return 0;
987 
988 fail:
989 	if (node)
990 		free(node);
991 	return 1;
992 }
993 
994 /* Execute all queued operations for this transaction.  Cleanup.  */
995 int
conf_end(int transaction,int commit)996 conf_end(int transaction, int commit)
997 {
998 	struct conf_trans *node, *next;
999 
1000 	for (node = TAILQ_FIRST(&conf_trans_queue); node; node = next) {
1001 		next = TAILQ_NEXT(node, link);
1002 		if (node->trans == transaction) {
1003 			if (commit)
1004 				switch (node->op) {
1005 				case CONF_SET:
1006 					conf_set_now(node->section, node->tag,
1007 					    node->value, node->override,
1008 					    node->is_default);
1009 					break;
1010 				case CONF_REMOVE:
1011 					conf_remove_now(node->section,
1012 					    node->tag);
1013 					break;
1014 				case CONF_REMOVE_SECTION:
1015 					conf_remove_section_now(node->section);
1016 					break;
1017 				default:
1018 					log_print("conf_end: unknown "
1019 					    "operation: %d", node->op);
1020 				}
1021 			TAILQ_REMOVE(&conf_trans_queue, node, link);
1022 			if (node->section)
1023 				free(node->section);
1024 			if (node->tag)
1025 				free(node->tag);
1026 			if (node->value)
1027 				free(node->value);
1028 			free(node);
1029 		}
1030 	}
1031 	return 0;
1032 }
1033 
1034 /*
1035  * Dump running configuration upon SIGUSR1.
1036  * Configuration is "stored in reverse order", so reverse it again.
1037  */
1038 struct dumper {
1039 	char	*s, *v;
1040 	struct dumper *next;
1041 };
1042 
1043 static void
conf_report_dump(struct dumper * node)1044 conf_report_dump(struct dumper *node)
1045 {
1046 	/* Recursive, cleanup when we're done.  */
1047 
1048 	if (node->next)
1049 		conf_report_dump(node->next);
1050 
1051 	if (node->v)
1052 		LOG_DBG((LOG_REPORT, 0, "%s=\t%s", node->s, node->v));
1053 	else if (node->s) {
1054 		LOG_DBG((LOG_REPORT, 0, "%s", node->s));
1055 		if (strlen(node->s) > 0)
1056 			free(node->s);
1057 	}
1058 	free(node);
1059 }
1060 
1061 void
conf_report(void)1062 conf_report(void)
1063 {
1064 	struct conf_binding *cb, *last = 0;
1065 	unsigned int	i, len;
1066 	char           *current_section = (char *)0;
1067 	struct dumper  *dumper, *dnode;
1068 
1069 	dumper = dnode = (struct dumper *)calloc(1, sizeof *dumper);
1070 	if (!dumper)
1071 		goto mem_fail;
1072 
1073 	LOG_DBG((LOG_REPORT, 0, "conf_report: dumping running configuration"));
1074 
1075 	for (i = 0; i < sizeof conf_bindings / sizeof conf_bindings[0]; i++)
1076 		for (cb = LIST_FIRST(&conf_bindings[i]); cb;
1077 		    cb = LIST_NEXT(cb, link)) {
1078 			if (!cb->is_default) {
1079 				/* Dump this entry.  */
1080 				if (!current_section || strcmp(cb->section,
1081 				    current_section)) {
1082 					if (current_section) {
1083 						len = strlen(current_section)
1084 						    + 3;
1085 						dnode->s = malloc(len);
1086 						if (!dnode->s)
1087 							goto mem_fail;
1088 
1089 						snprintf(dnode->s, len, "[%s]",
1090 						    current_section);
1091 						dnode->next = (struct dumper *)
1092 						    calloc(1,
1093 							sizeof(struct dumper));
1094 						dnode = dnode->next;
1095 						if (!dnode)
1096 							goto mem_fail;
1097 
1098 						dnode->s = "";
1099 						dnode->next = (struct dumper *)
1100 						    calloc(1,
1101 							sizeof(struct dumper));
1102 						dnode = dnode->next;
1103 						if (!dnode)
1104 							goto mem_fail;
1105 					}
1106 					current_section = cb->section;
1107 				}
1108 				dnode->s = cb->tag;
1109 				dnode->v = cb->value;
1110 				dnode->next = (struct dumper *)
1111 				    calloc(1, sizeof(struct dumper));
1112 				dnode = dnode->next;
1113 				if (!dnode)
1114 					goto mem_fail;
1115 				last = cb;
1116 			}
1117 		}
1118 
1119 	if (last) {
1120 		len = strlen(last->section) + 3;
1121 		dnode->s = malloc(len);
1122 		if (!dnode->s)
1123 			goto mem_fail;
1124 		snprintf(dnode->s, len, "[%s]", last->section);
1125 	}
1126 	conf_report_dump(dumper);
1127 
1128 	return;
1129 
1130 mem_fail:
1131 	log_error("conf_report: malloc/calloc failed");
1132 	while ((dnode = dumper) != 0) {
1133 		dumper = dumper->next;
1134 		if (dnode->s)
1135 			free(dnode->s);
1136 		free(dnode);
1137 	}
1138 }
1139