Module Name: src Committed By: tteras Date: Wed Aug 29 08:42:25 UTC 2012
Modified Files: src/crypto/dist/ipsec-tools/src/racoon [ipsec-tools-0_8-branch]: cfparse.y cftoken.l racoon.conf.5 Log Message: Allow a remote block that inherits from another remote and overrides none of its settings to be written as `remote X inherit Y;`, without an explicit { ... } body. Patch by Roman Hoog Antink <r...@open.ch> To generate a diff of this commit: cvs rdiff -u -r1.42 -r1.42.2.1 \ src/crypto/dist/ipsec-tools/src/racoon/cfparse.y cvs rdiff -u -r1.23 -r1.23.2.1 \ src/crypto/dist/ipsec-tools/src/racoon/cftoken.l cvs rdiff -u -r1.61 -r1.61.4.1 \ src/crypto/dist/ipsec-tools/src/racoon/racoon.conf.5 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files: Index: src/crypto/dist/ipsec-tools/src/racoon/cfparse.y diff -u src/crypto/dist/ipsec-tools/src/racoon/cfparse.y:1.42 src/crypto/dist/ipsec-tools/src/racoon/cfparse.y:1.42.2.1 --- src/crypto/dist/ipsec-tools/src/racoon/cfparse.y:1.42 Mon Mar 14 15:50:36 2011 +++ src/crypto/dist/ipsec-tools/src/racoon/cfparse.y Wed Aug 29 08:42:24 2012 @@ -1,4 +1,4 @@ -/* $NetBSD: cfparse.y,v 1.42 2011/03/14 15:50:36 vanhu Exp $ */ +/* $NetBSD: cfparse.y,v 1.42.2.1 2012/08/29 08:42:24 tteras Exp $ */ /* Id: cfparse.y,v 1.66 2006/08/22 18:17:17 manubsd Exp */ 
@@ -172,6 +172,76 @@ static int load_x509(const char *file, c return 0; } +static int process_rmconf() +{ + + /* check a exchange mode */ + if (cur_rmconf->etypes == NULL) { + yyerror("no exchange mode specified.\n"); + return -1; + } + + if (cur_rmconf->idvtype == IDTYPE_UNDEFINED) + cur_rmconf->idvtype = IDTYPE_ADDRESS; + + if (cur_rmconf->idvtype == IDTYPE_ASN1DN) { + if (cur_rmconf->mycertfile) { + if (cur_rmconf->idv) + yywarn("Both CERT and ASN1 ID " + "are set. Hope this is OK.\n"); + /* TODO: Preparse the DN here */ + } else if (cur_rmconf->idv) { + /* OK, using asn1dn without X.509. */ + } else { + yyerror("ASN1 ID not specified " + "and no CERT defined!\n"); + return -1; + } + } + + if (duprmconf_finish(cur_rmconf)) + return -1; + + if (set_isakmp_proposal(cur_rmconf) != 0) + return -1; + + /* DH group settting if aggressive mode is there. */ + if (check_etypeok(cur_rmconf, (void*) ISAKMP_ETYPE_AGG)) { + struct isakmpsa *p; + int b = 0; + + /* DH group */ + for (p = cur_rmconf->proposal; p; p = p->next) { + if (b == 0 || (b && b == p->dh_group)) { + b = p->dh_group; + continue; + } + yyerror("DH group must be equal " + "in all proposals " + "when aggressive mode is " + "used.\n"); + return -1; + } + cur_rmconf->dh_group = b; + + if (cur_rmconf->dh_group == 0) { + yyerror("DH group must be set in the proposal.\n"); + return -1; + } + + /* DH group settting if PFS is required. */ + if (oakley_setdhgroup(cur_rmconf->dh_group, + &cur_rmconf->dhgrp) < 0) { + yyerror("failed to set DH value.\n"); + return -1; + } + } + + insrmconf(cur_rmconf); + + return 0; +} + %} %union { @@ -1643,7 +1713,7 @@ remote_statement vfree($2); vfree($4); } - remote_specs_block + remote_specs_inherit_block | REMOTE QUOTEDSTRING { struct remoteconf *new; @@ -1686,7 +1756,7 @@ remote_statement new->remote = $2; cur_rmconf = new; } - remote_specs_block + remote_specs_inherit_block | REMOTE remote_index { struct remoteconf *new; 
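Review bot: `static int process_rmconf()` in the @@ -172 hunk is declared with an empty parameter list, which in C is an old-style unprototyped declaration rather than "takes no arguments"; it should read `static int process_rmconf(void)`. The function also operates entirely on the file-scope `cur_rmconf` and registers it with `insrmconf()` on success, a contract worth stating now that it is shared by two grammar actions: `/* Validate and finalize cur_rmconf (exchange mode, ID type vs. certificate, proposals, aggressive-mode DH group) and register it with insrmconf(). Returns 0 on success, -1 after yyerror(). */`. The -1 paths return with the partially built `cur_rmconf` still allocated, exactly as the inline action did before the move; whether the yyparse caller reclaims it on failure is not visible in this hunk.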
@@ -1703,81 +1773,20 @@ remote_statement remote_specs_block ; -remote_specs_block - : BOC remote_specs EOC +remote_specs_inherit_block + : remote_specs_block + | EOS /* inheritance without overriding any settings */ { - /* check a exchange mode */ - if (cur_rmconf->etypes == NULL) { - yyerror("no exchange mode specified.\n"); - return -1; - } - - if (cur_rmconf->idvtype == IDTYPE_UNDEFINED) - cur_rmconf->idvtype = IDTYPE_ADDRESS; - - if (cur_rmconf->idvtype == IDTYPE_ASN1DN) { - if (cur_rmconf->mycertfile) { - if (cur_rmconf->idv) - yywarn("Both CERT and ASN1 ID " - "are set. Hope this is OK.\n"); - /* TODO: Preparse the DN here */ - } else if (cur_rmconf->idv) { - /* OK, using asn1dn without X.509. */ - } else { - yyerror("ASN1 ID not specified " - "and no CERT defined!\n"); - return -1; - } - } - - if (duprmconf_finish(cur_rmconf)) + if (process_rmconf() != 0) return -1; + } + ; -#if 0 - /* this pointer copy will never happen, because duprmconf_shallow - * already copied all pointers. - */ - if (cur_rmconf->spspec == NULL && - cur_rmconf->inherited_from != NULL) { - cur_rmconf->spspec = cur_rmconf->inherited_from->spspec; - } -#endif - if (set_isakmp_proposal(cur_rmconf) != 0) +remote_specs_block + : BOC remote_specs EOC + { + if (process_rmconf() != 0) return -1; - - /* DH group settting if aggressive mode is there. */ - if (check_etypeok(cur_rmconf, (void*) ISAKMP_ETYPE_AGG)) { - struct isakmpsa *p; - int b = 0; - - /* DH group */ - for (p = cur_rmconf->proposal; p; p = p->next) { - if (b == 0 || (b && b == p->dh_group)) { - b = p->dh_group; - continue; - } - yyerror("DH group must be equal " - "in all proposals " - "when aggressive mode is " - "used.\n"); - return -1; - } - cur_rmconf->dh_group = b; - - if (cur_rmconf->dh_group == 0) { - yyerror("DH group must be set in the proposal.\n"); - return -1; - } - - /* DH group settting if PFS is required. 
*/ - if (oakley_setdhgroup(cur_rmconf->dh_group, - &cur_rmconf->dhgrp) < 0) { - yyerror("failed to set DH value.\n"); - return -1; - } - } - - insrmconf(cur_rmconf); } ; remote_index Index: src/crypto/dist/ipsec-tools/src/racoon/cftoken.l diff -u src/crypto/dist/ipsec-tools/src/racoon/cftoken.l:1.23 src/crypto/dist/ipsec-tools/src/racoon/cftoken.l:1.23.2.1 --- src/crypto/dist/ipsec-tools/src/racoon/cftoken.l:1.23 Wed Feb 2 15:21:34 2011 +++ src/crypto/dist/ipsec-tools/src/racoon/cftoken.l Wed Aug 29 08:42:24 2012 @@ -1,4 +1,4 @@ -/* $NetBSD: cftoken.l,v 1.23 2011/02/02 15:21:34 vanhu Exp $ */ +/* $NetBSD: cftoken.l,v 1.23.2.1 2012/08/29 08:42:24 tteras Exp $ */ /* Id: cftoken.l,v 1.53 2006/08/22 18:17:17 manubsd Exp */ @@ -307,6 +307,7 @@ hexstring 0x{hexdigit}+ <S_INI>remote { BEGIN S_RMT; YYDB; return(REMOTE); } <S_RMT>anonymous { YYD; return(ANONYMOUS); } <S_RMT>inherit { YYD; return(INHERIT); } +<S_RMT>{semi} { BEGIN S_INI; YYDB; return(EOS); } /* remote spec */ <S_RMT>{bcl} { BEGIN S_RMTS; return(BOC); } <S_RMTS>{ecl} { BEGIN S_INI; return(EOC); } Index: src/crypto/dist/ipsec-tools/src/racoon/racoon.conf.5 diff -u src/crypto/dist/ipsec-tools/src/racoon/racoon.conf.5:1.61 src/crypto/dist/ipsec-tools/src/racoon/racoon.conf.5:1.61.4.1 --- src/crypto/dist/ipsec-tools/src/racoon/racoon.conf.5:1.61 Tue Jun 22 20:51:04 2010 +++ src/crypto/dist/ipsec-tools/src/racoon/racoon.conf.5 Wed Aug 29 08:42:24 2012 @@ -1,4 +1,4 @@ -.\" $NetBSD: racoon.conf.5,v 1.61 2010/06/22 20:51:04 wiz Exp $ +.\" $NetBSD: racoon.conf.5,v 1.61.4.1 2012/08/29 08:42:24 tteras Exp $ .\" .\" Id: racoon.conf.5,v 1.54 2006/08/22 18:17:17 manubsd Exp .\" @@ -29,7 +29,7 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.Dd June 22, 2010 +.Dd August 29, 2012 .Dt RACOON.CONF 5 .Os .\" 
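Review bot: The new `remote_specs_inherit_block` nonterminal has no comment explaining why it exists alongside `remote_specs_block`, and the only hint is the inline `/* inheritance without overriding any settings */` on the EOS alternative. From the @@ -1643 and @@ -1686 hunks it is used only by the INHERIT forms of remote_statement, while the plain `REMOTE remote_index` form visible at the top of this hunk still requires `remote_specs_block`, so I would add above the rule: `/* Used only by the INHERIT forms of remote_statement: a bare ';' takes every setting from the parent and is finalized by process_rmconf() exactly like a '{ ... }' body; non-inheriting remotes must still supply a block. */`. The `return -1` in both actions aborts yyparse as before, so error behavior is unchanged by the refactor.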
@@ -375,7 +375,7 @@ This problem is known to be fixed in Lin .\" .Ss Remote Nodes Specifications .Bl -tag -width Ds -compact -.It Ic remote Ar name Bo Ic inherit Ar parent_name Bc Ic { Ar statements Ic } +.It Ic remote Ar name Bo Ic inherit Ar parent_name Bc Ic ({ Ar statements Ic } | ;) Specifies the IKE phase 1 parameters for each remote node. .Pp If connection is initiated using racoonctl, a unique match using the