[src/ipsec-tools-0_8-branch]: src/crypto/dist/ipsec-tools/src/racoon Allow in...
details: https://anonhg.NetBSD.org/src/rev/c834092e0de9
branches: ipsec-tools-0_8-branch
changeset: 763327:c834092e0de9
user: tteras <tteras%NetBSD.org@localhost>
date: Wed Aug 29 08:42:24 2012 +0000
description:
Allow inherited remote blocks without additional remote statements to be
specified in a simpler way. patch by Roman Hoog Antink <rha%open.ch@localhost>
diffstat:
crypto/dist/ipsec-tools/src/racoon/cfparse.y | 157 ++++++++++++----------
crypto/dist/ipsec-tools/src/racoon/cftoken.l | 3 +-
crypto/dist/ipsec-tools/src/racoon/racoon.conf.5 | 6 +-
3 files changed, 88 insertions(+), 78 deletions(-)
diffs (240 lines):
diff -r ecb82025a018 -r c834092e0de9 crypto/dist/ipsec-tools/src/racoon/cfparse.y
--- a/crypto/dist/ipsec-tools/src/racoon/cfparse.y Thu Aug 23 11:46:06 2012 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/cfparse.y Wed Aug 29 08:42:24 2012 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: cfparse.y,v 1.42 2011/03/14 15:50:36 vanhu Exp $ */
+/* $NetBSD: cfparse.y,v 1.42.2.1 2012/08/29 08:42:24 tteras Exp $ */
/* Id: cfparse.y,v 1.66 2006/08/22 18:17:17 manubsd Exp */
@@ -172,6 +172,76 @@
return 0;
}
+static int process_rmconf()
+{
+
+ /* check a exchange mode */
+ if (cur_rmconf->etypes == NULL) {
+ yyerror("no exchange mode specified.\n");
+ return -1;
+ }
+
+ if (cur_rmconf->idvtype == IDTYPE_UNDEFINED)
+ cur_rmconf->idvtype = IDTYPE_ADDRESS;
+
+ if (cur_rmconf->idvtype == IDTYPE_ASN1DN) {
+ if (cur_rmconf->mycertfile) {
+ if (cur_rmconf->idv)
+ yywarn("Both CERT and ASN1 ID "
+ "are set. Hope this is OK.\n");
+ /* TODO: Preparse the DN here */
+ } else if (cur_rmconf->idv) {
+ /* OK, using asn1dn without X.509. */
+ } else {
+ yyerror("ASN1 ID not specified "
+ "and no CERT defined!\n");
+ return -1;
+ }
+ }
+
+ if (duprmconf_finish(cur_rmconf))
+ return -1;
+
+ if (set_isakmp_proposal(cur_rmconf) != 0)
+ return -1;
+
+ /* DH group settting if aggressive mode is there. */
+ if (check_etypeok(cur_rmconf, (void*) ISAKMP_ETYPE_AGG)) {
+ struct isakmpsa *p;
+ int b = 0;
+
+ /* DH group */
+ for (p = cur_rmconf->proposal; p; p = p->next) {
+ if (b == 0 || (b && b == p->dh_group)) {
+ b = p->dh_group;
+ continue;
+ }
+ yyerror("DH group must be equal "
+ "in all proposals "
+ "when aggressive mode is "
+ "used.\n");
+ return -1;
+ }
+ cur_rmconf->dh_group = b;
+
+ if (cur_rmconf->dh_group == 0) {
+ yyerror("DH group must be set in the proposal.\n");
+ return -1;
+ }
+
+ /* DH group settting if PFS is required. */
+ if (oakley_setdhgroup(cur_rmconf->dh_group,
+ &cur_rmconf->dhgrp) < 0) {
+ yyerror("failed to set DH value.\n");
+ return -1;
+ }
+ }
+
+ insrmconf(cur_rmconf);
+
+ return 0;
+}
+
%}
%union {
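Review bot: `static int process_rmconf()` at the top of the hunk is declared with an empty parameter list, which in C means "unspecified arguments" rather than "no arguments"; it should be `static int process_rmconf(void)` so that a call with a stray argument is rejected at compile time. The function also has no header comment even though it now carries all post-parse validation of a remote block; a short comment above it saying that it validates `cur_rmconf` (exchange mode, ID type, proposals, DH group for aggressive mode) and then calls `insrmconf()`, and that it is shared by the `{ ... }` and bare `;` forms of a remote block, would help the next reader. Minor: in the DH-group loop the condition `(b == 0 || (b && b == p->dh_group))` carries a redundant `b &&`; `if (b == 0 || b == p->dh_group)` is equivalent.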
@@ -1643,7 +1713,7 @@
vfree($2);
vfree($4);
}
- remote_specs_block
+ remote_specs_inherit_block
| REMOTE QUOTEDSTRING
{
struct remoteconf *new;
@@ -1686,7 +1756,7 @@
new->remote = $2;
cur_rmconf = new;
}
- remote_specs_block
+ remote_specs_inherit_block
| REMOTE remote_index
{
struct remoteconf *new;
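Review bot: The `REMOTE QUOTEDSTRING` alternative, whose action starts in the previous hunk, now ends in `remote_specs_inherit_block` although it has no `inherit` clause, so `remote "name";` with no parent and no statements is syntactically accepted; as far as the visible code shows it would then reach `process_rmconf()` with no exchange mode set and fail with "no exchange mode specified", which is a confusing diagnostic for what is really a missing `{ ... }` block. Either keep `remote_specs_block` on this alternative so only the `inherit` form may end in `;`, or have the grammar report a specific error for a bare `;` without a parent. Note also that the `REMOTE remote_index` alternative that begins at the end of this hunk still uses `remote_specs_block` (visible in the next hunk), so a `;` is accepted after a quoted name but not after an address; if that asymmetry is intended it deserves a comment, since the manual page change on this commit documents `;` for the generic `remote name` form.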
@@ -1703,81 +1773,20 @@
remote_specs_block
;
+remote_specs_inherit_block
+ : remote_specs_block
+ | EOS /* inheritance without overriding any settings */
+ {
+ if (process_rmconf() != 0)
+ return -1;
+ }
+ ;
+
remote_specs_block
: BOC remote_specs EOC
{
- /* check a exchange mode */
- if (cur_rmconf->etypes == NULL) {
- yyerror("no exchange mode specified.\n");
- return -1;
- }
-
- if (cur_rmconf->idvtype == IDTYPE_UNDEFINED)
- cur_rmconf->idvtype = IDTYPE_ADDRESS;
-
- if (cur_rmconf->idvtype == IDTYPE_ASN1DN) {
- if (cur_rmconf->mycertfile) {
- if (cur_rmconf->idv)
- yywarn("Both CERT and ASN1 ID "
- "are set. Hope this is OK.\n");
- /* TODO: Preparse the DN here */
- } else if (cur_rmconf->idv) {
- /* OK, using asn1dn without X.509. */
- } else {
- yyerror("ASN1 ID not specified "
- "and no CERT defined!\n");
- return -1;
- }
- }
-
- if (duprmconf_finish(cur_rmconf))
+ if (process_rmconf() != 0)
return -1;
-
-#if 0
- /* this pointer copy will never happen, because duprmconf_shallow
- * already copied all pointers.
- */
- if (cur_rmconf->spspec == NULL &&
- cur_rmconf->inherited_from != NULL) {
- cur_rmconf->spspec = cur_rmconf->inherited_from->spspec;
- }
-#endif
- if (set_isakmp_proposal(cur_rmconf) != 0)
- return -1;
-
- /* DH group settting if aggressive mode is there. */
- if (check_etypeok(cur_rmconf, (void*) ISAKMP_ETYPE_AGG)) {
- struct isakmpsa *p;
- int b = 0;
-
- /* DH group */
- for (p = cur_rmconf->proposal; p; p = p->next) {
- if (b == 0 || (b && b == p->dh_group)) {
- b = p->dh_group;
- continue;
- }
- yyerror("DH group must be equal "
- "in all proposals "
- "when aggressive mode is "
- "used.\n");
- return -1;
- }
- cur_rmconf->dh_group = b;
-
- if (cur_rmconf->dh_group == 0) {
- yyerror("DH group must be set in the proposal.\n");
- return -1;
- }
-
- /* DH group settting if PFS is required. */
- if (oakley_setdhgroup(cur_rmconf->dh_group,
- &cur_rmconf->dhgrp) < 0) {
- yyerror("failed to set DH value.\n");
- return -1;
- }
- }
-
- insrmconf(cur_rmconf);
}
;
remote_index
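Review bot: The comment on the `EOS` alternative, `/* inheritance without overriding any settings */`, overstates what the grammar guarantees: `remote_specs_inherit_block` is also reached from the `REMOTE QUOTEDSTRING` alternative in the earlier hunk, which has no `inherit` clause, so a bare `;` is not necessarily an inheritance. Suggest `/* bare ';' instead of a '{ ... }' block: no statements of its own; validate and register cur_rmconf as remote_specs_block does */`. Both alternatives of this nonterminal end by calling `process_rmconf()` and returning -1 on failure; a one-line comment on the nonterminal itself noting that the two forms differ only in whether statements are present would make that symmetry explicit.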
diff -r ecb82025a018 -r c834092e0de9 crypto/dist/ipsec-tools/src/racoon/cftoken.l
--- a/crypto/dist/ipsec-tools/src/racoon/cftoken.l Thu Aug 23 11:46:06 2012 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/cftoken.l Wed Aug 29 08:42:24 2012 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: cftoken.l,v 1.23 2011/02/02 15:21:34 vanhu Exp $ */
+/* $NetBSD: cftoken.l,v 1.23.2.1 2012/08/29 08:42:24 tteras Exp $ */
/* Id: cftoken.l,v 1.53 2006/08/22 18:17:17 manubsd Exp */
@@ -307,6 +307,7 @@
<S_INI>remote { BEGIN S_RMT; YYDB; return(REMOTE); }
<S_RMT>anonymous { YYD; return(ANONYMOUS); }
<S_RMT>inherit { YYD; return(INHERIT); }
+<S_RMT>{semi} { BEGIN S_INI; YYDB; return(EOS); }
/* remote spec */
<S_RMT>{bcl} { BEGIN S_RMTS; return(BOC); }
<S_RMTS>{ecl} { BEGIN S_INI; return(EOC); }
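Review bot: The new `<S_RMT>{semi}` rule has no comment, so a reader of the lexer cannot tell why a semicolon now terminates the remote header state or where it is consumed; suggest `/* bare ';' closes a remote header that has no '{ ... }' block; see remote_specs_inherit_block in cfparse.y */` above it. Because the rule lives in the `S_RMT` state rather than being tied to the `inherit` keyword, the lexer accepts a `;` after any remote header, so whether a non-inheriting `remote "name";` is meaningful is decided entirely by the grammar and `process_rmconf()`; a note to that effect here avoids a future change to one file silently widening what the other accepts.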
diff -r ecb82025a018 -r c834092e0de9 crypto/dist/ipsec-tools/src/racoon/racoon.conf.5
--- a/crypto/dist/ipsec-tools/src/racoon/racoon.conf.5 Thu Aug 23 11:46:06 2012 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/racoon.conf.5 Wed Aug 29 08:42:24 2012 +0000
@@ -1,4 +1,4 @@
-.\" $NetBSD: racoon.conf.5,v 1.61 2010/06/22 20:51:04 wiz Exp $
+.\" $NetBSD: racoon.conf.5,v 1.61.4.1 2012/08/29 08:42:24 tteras Exp $
.\"
.\" Id: racoon.conf.5,v 1.54 2006/08/22 18:17:17 manubsd Exp
.\"
@@ -29,7 +29,7 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
-.Dd June 22, 2010
+.Dd August 29, 2012
.Dt RACOON.CONF 5
.Os
.\"
@@ -375,7 +375,7 @@
.\"
.Ss Remote Nodes Specifications
.Bl -tag -width Ds -compact
-.It Ic remote Ar name Bo Ic inherit Ar parent_name Bc Ic { Ar statements Ic }
+.It Ic remote Ar name Bo Ic inherit Ar parent_name Bc Ic ({ Ar statements Ic } | ;)
Specifies the IKE phase 1 parameters for each remote node.
.Pp
If connection is initiated using racoonctl, a unique match using the