[src/trunk]: src/crypto/dist/ipsec-tools/src/racoon Allow inherited remote bl...
details: https://anonhg.NetBSD.org/src/rev/30d9e5529e76
branches: trunk
changeset: 768546:30d9e5529e76
user: tteras <tteras%NetBSD.org@localhost>
date: Fri Aug 19 05:36:47 2011 +0000
description:
Allow inherited remote blocks without additional remote statements to
be specified in a simpler way. patch by Roman Hoog Antink <rha%open.ch@localhost>
diffstat:
crypto/dist/ipsec-tools/src/racoon/cfparse.y | 157 ++++++++++++----------
crypto/dist/ipsec-tools/src/racoon/cftoken.l | 3 +-
crypto/dist/ipsec-tools/src/racoon/racoon.conf.5 | 3 +-
3 files changed, 87 insertions(+), 76 deletions(-)
diffs (230 lines):
diff -r 43f3044a34fe -r 30d9e5529e76 crypto/dist/ipsec-tools/src/racoon/cfparse.y
--- a/crypto/dist/ipsec-tools/src/racoon/cfparse.y Fri Aug 19 02:18:26 2011 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/cfparse.y Fri Aug 19 05:36:47 2011 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: cfparse.y,v 1.42 2011/03/14 15:50:36 vanhu Exp $ */
+/* $NetBSD: cfparse.y,v 1.43 2011/08/19 05:36:47 tteras Exp $ */
/* Id: cfparse.y,v 1.66 2006/08/22 18:17:17 manubsd Exp */
@@ -172,6 +172,76 @@
return 0;
}
+static int process_rmconf()
+{
+
+ /* check a exchange mode */
+ if (cur_rmconf->etypes == NULL) {
+ yyerror("no exchange mode specified.\n");
+ return -1;
+ }
+
+ if (cur_rmconf->idvtype == IDTYPE_UNDEFINED)
+ cur_rmconf->idvtype = IDTYPE_ADDRESS;
+
+ if (cur_rmconf->idvtype == IDTYPE_ASN1DN) {
+ if (cur_rmconf->mycertfile) {
+ if (cur_rmconf->idv)
+ yywarn("Both CERT and ASN1 ID "
+ "are set. Hope this is OK.\n");
+ /* TODO: Preparse the DN here */
+ } else if (cur_rmconf->idv) {
+ /* OK, using asn1dn without X.509. */
+ } else {
+ yyerror("ASN1 ID not specified "
+ "and no CERT defined!\n");
+ return -1;
+ }
+ }
+
+ if (duprmconf_finish(cur_rmconf))
+ return -1;
+
+ if (set_isakmp_proposal(cur_rmconf) != 0)
+ return -1;
+
+ /* DH group settting if aggressive mode is there. */
+ if (check_etypeok(cur_rmconf, (void*) ISAKMP_ETYPE_AGG)) {
+ struct isakmpsa *p;
+ int b = 0;
+
+ /* DH group */
+ for (p = cur_rmconf->proposal; p; p = p->next) {
+ if (b == 0 || (b && b == p->dh_group)) {
+ b = p->dh_group;
+ continue;
+ }
+ yyerror("DH group must be equal "
+ "in all proposals "
+ "when aggressive mode is "
+ "used.\n");
+ return -1;
+ }
+ cur_rmconf->dh_group = b;
+
+ if (cur_rmconf->dh_group == 0) {
+ yyerror("DH group must be set in the proposal.\n");
+ return -1;
+ }
+
+ /* DH group settting if PFS is required. */
+ if (oakley_setdhgroup(cur_rmconf->dh_group,
+ &cur_rmconf->dhgrp) < 0) {
+ yyerror("failed to set DH value.\n");
+ return -1;
+ }
+ }
+
+ insrmconf(cur_rmconf);
+
+ return 0;
+}
+
%}
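Review bot: `process_rmconf` at the top of this hunk is declared with an empty parameter list, `static int process_rmconf()`, which in C is an unprototyped declaration; `static int process_rmconf(void)` lets the compiler check the two call sites the commit adds. The function also has no header comment although it is now shared by two grammar actions; I would add `/* Validate cur_rmconf once its remote block (or an inherit-only statement) has been parsed, then register it with insrmconf(). Returns 0, or -1 after reporting the problem via yyerror(). */`. Every line reads the global `cur_rmconf`, so passing it as a `struct remoteconf *` parameter would make the dependency explicit, though that is optional. The body is moved verbatim from the old action, but now that it lives in its own function the loop test `b == 0 || (b && b == p->dh_group)` could be simplified to the equivalent `b == 0 || b == p->dh_group`.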
%union {
@@ -1643,7 +1713,7 @@
vfree($2);
vfree($4);
}
- remote_specs_block
+ remote_specs_inherit_block
| REMOTE QUOTEDSTRING
{
struct remoteconf *new;
@@ -1686,7 +1756,7 @@
new->remote = $2;
cur_rmconf = new;
}
- remote_specs_block
+ remote_specs_inherit_block
| REMOTE remote_index
{
struct remoteconf *new;
@@ -1703,81 +1773,20 @@
remote_specs_block
;
+remote_specs_inherit_block
+ : remote_specs_block
+ | EOS /* inheritance without overriding any settings */
+ {
+ if (process_rmconf() != 0)
+ return -1;
+ }
+ ;
+
remote_specs_block
: BOC remote_specs EOC
{
- /* check a exchange mode */
- if (cur_rmconf->etypes == NULL) {
- yyerror("no exchange mode specified.\n");
- return -1;
- }
-
- if (cur_rmconf->idvtype == IDTYPE_UNDEFINED)
- cur_rmconf->idvtype = IDTYPE_ADDRESS;
-
- if (cur_rmconf->idvtype == IDTYPE_ASN1DN) {
- if (cur_rmconf->mycertfile) {
- if (cur_rmconf->idv)
- yywarn("Both CERT and ASN1 ID "
- "are set. Hope this is OK.\n");
- /* TODO: Preparse the DN here */
- } else if (cur_rmconf->idv) {
- /* OK, using asn1dn without X.509. */
- } else {
- yyerror("ASN1 ID not specified "
- "and no CERT defined!\n");
- return -1;
- }
- }
-
- if (duprmconf_finish(cur_rmconf))
+ if (process_rmconf() != 0)
return -1;
-
-#if 0
- /* this pointer copy will never happen, because duprmconf_shallow
- * already copied all pointers.
- */
- if (cur_rmconf->spspec == NULL &&
- cur_rmconf->inherited_from != NULL) {
- cur_rmconf->spspec = cur_rmconf->inherited_from->spspec;
- }
-#endif
- if (set_isakmp_proposal(cur_rmconf) != 0)
- return -1;
-
- /* DH group settting if aggressive mode is there. */
- if (check_etypeok(cur_rmconf, (void*) ISAKMP_ETYPE_AGG)) {
- struct isakmpsa *p;
- int b = 0;
-
- /* DH group */
- for (p = cur_rmconf->proposal; p; p = p->next) {
- if (b == 0 || (b && b == p->dh_group)) {
- b = p->dh_group;
- continue;
- }
- yyerror("DH group must be equal "
- "in all proposals "
- "when aggressive mode is "
- "used.\n");
- return -1;
- }
- cur_rmconf->dh_group = b;
-
- if (cur_rmconf->dh_group == 0) {
- yyerror("DH group must be set in the proposal.\n");
- return -1;
- }
-
- /* DH group settting if PFS is required. */
- if (oakley_setdhgroup(cur_rmconf->dh_group,
- &cur_rmconf->dhgrp) < 0) {
- yyerror("failed to set DH value.\n");
- return -1;
- }
- }
-
- insrmconf(cur_rmconf);
}
;
remote_index
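Review bot: The comment on the new `EOS` alternative of `remote_specs_inherit_block` documents only the syntax; since `process_rmconf()` runs the same exchange-mode, ID-type and DH-group checks as the `{ ... }` form, it should say so, e.g. `/* "remote X inherit Y;" - no overrides; the inherited settings are still validated by process_rmconf() */`. Whether those fields are already populated from the parent when this action runs depends on the inherit actions in the earlier hunks, whose bodies are only partly visible here, so I cannot confirm that an inherit-only statement never trips "no exchange mode specified." On failure the action returns -1 out of yyparse with `cur_rmconf` allocated but not inserted, which mirrors the existing `remote_specs_block` action at the end of this hunk rather than introducing anything new.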
diff -r 43f3044a34fe -r 30d9e5529e76 crypto/dist/ipsec-tools/src/racoon/cftoken.l
--- a/crypto/dist/ipsec-tools/src/racoon/cftoken.l Fri Aug 19 02:18:26 2011 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/cftoken.l Fri Aug 19 05:36:47 2011 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: cftoken.l,v 1.23 2011/02/02 15:21:34 vanhu Exp $ */
+/* $NetBSD: cftoken.l,v 1.24 2011/08/19 05:36:47 tteras Exp $ */
/* Id: cftoken.l,v 1.53 2006/08/22 18:17:17 manubsd Exp */
@@ -307,6 +307,7 @@
<S_INI>remote { BEGIN S_RMT; YYDB; return(REMOTE); }
<S_RMT>anonymous { YYD; return(ANONYMOUS); }
<S_RMT>inherit { YYD; return(INHERIT); }
+<S_RMT>{semi} { BEGIN S_INI; YYDB; return(EOS); }
/* remote spec */
<S_RMT>{bcl} { BEGIN S_RMTS; return(BOC); }
<S_RMTS>{ecl} { BEGIN S_INI; return(EOC); }
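Review bot: The added `<S_RMT>{semi}` rule makes the lexer accept a semicolon after any `remote` header, not only after `inherit`; the `REMOTE remote_index` alternative in cfparse.y still requires `remote_specs_block`, so `remote "x";` should be rejected by the parser, but presumably with a generic syntax error rather than a message naming the missing block. A short comment on the rule would help the next reader, e.g. `/* "remote X inherit Y;" - inherit-only form, see remote_specs_inherit_block in cfparse.y */`. The rule uses `YYDB` like the `remote` keyword rule above it while the neighbouring `anonymous` and `inherit` rules use `YYD`; if the B variant goes with the `BEGIN` state change that is consistent, otherwise it is worth confirming.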
diff -r 43f3044a34fe -r 30d9e5529e76 crypto/dist/ipsec-tools/src/racoon/racoon.conf.5
--- a/crypto/dist/ipsec-tools/src/racoon/racoon.conf.5 Fri Aug 19 02:18:26 2011 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/racoon.conf.5 Fri Aug 19 05:36:47 2011 +0000
@@ -1,4 +1,4 @@
-.\" $NetBSD: racoon.conf.5,v 1.61 2010/06/22 20:51:04 wiz Exp $
+.\" $NetBSD: racoon.conf.5,v 1.62 2011/08/19 05:36:47 tteras Exp $
.\"
.\" Id: racoon.conf.5,v 1.54 2006/08/22 18:17:17 manubsd Exp
.\"
@@ -376,6 +376,7 @@
.Ss Remote Nodes Specifications
.Bl -tag -width Ds -compact
.It Ic remote Ar name Bo Ic inherit Ar parent_name Bc Ic { Ar statements Ic }
+.It Ic remote Ar name Ic inherit Ar parent_name ;
Specifies the IKE phase 1 parameters for each remote node.
.Pp
If connection is initiated using racoonctl, a unique match using the