forked from acouzens/open5gs
668 lines
18 KiB
Text
668 lines
18 KiB
Text
/*********************************************************************************************************
|
|
* Software License Agreement (BSD License) *
|
|
* Author: Sebastien Decugis <sdecugis@freediameter.net> *
|
|
* *
|
|
* Copyright (c) 2015, WIDE Project and NICT *
|
|
* All rights reserved. *
|
|
* *
|
|
* Redistribution and use of this software in source and binary forms, with or without modification, are *
|
|
* permitted provided that the following conditions are met: *
|
|
* *
|
|
* * Redistributions of source code must retain the above *
|
|
* copyright notice, this list of conditions and the *
|
|
* following disclaimer. *
|
|
* *
|
|
* * Redistributions in binary form must reproduce the above *
|
|
* copyright notice, this list of conditions and the *
|
|
* following disclaimer in the documentation and/or other *
|
|
* materials provided with the distribution. *
|
|
* *
|
|
* * Neither the name of the WIDE Project or NICT nor the *
|
|
* names of its contributors may be used to endorse or *
|
|
* promote products derived from this software without *
|
|
* specific prior written permission of WIDE Project and *
|
|
* NICT. *
|
|
* *
|
|
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED *
|
|
* WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A *
|
|
* PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR *
|
|
* ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT *
|
|
* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS *
|
|
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR *
|
|
* TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF *
|
|
* ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. *
|
|
*********************************************************************************************************/
|
|
|
|
/* Yacc configuration parser.
|
|
*
|
|
* This file defines the grammar of the configuration file.
|
|
* Note that each extension has a separate independant configuration file.
|
|
*
|
|
* Note : This module is NOT thread-safe. All processing must be done from one thread only.
|
|
*/
|
|
|
|
/* For development only : */
|
|
%debug
|
|
%error-verbose
|
|
|
|
%parse-param {struct fd_config * conf}
|
|
|
|
/* Keep track of location */
|
|
%locations
|
|
%pure-parser
|
|
|
|
%{
|
|
#include "fdcore-internal.h"
|
|
#include "fdd.tab.h" /* bug : bison does not define the YYLTYPE before including this bloc, so... */
|
|
|
|
/* The Lex parser prototype */
|
|
int fddlex(YYSTYPE *lvalp, YYLTYPE *llocp);
|
|
|
|
/* Function to report error */
|
|
void yyerror (YYLTYPE *ploc, struct fd_config * conf, char const *s)
|
|
{
|
|
if (ploc->first_line != ploc->last_line) {
|
|
TRACE_ERROR("%s:%d.%d-%d.%d : %s", conf->cnf_file, ploc->first_line, ploc->first_column, ploc->last_line, ploc->last_column, s);
|
|
} else if (ploc->first_column != ploc->last_column) {
|
|
TRACE_ERROR("%s:%d.%d-%d : %s", conf->cnf_file, ploc->first_line, ploc->first_column, ploc->last_column, s);
|
|
} else {
|
|
TRACE_ERROR("%s:%d.%d : %s", conf->cnf_file, ploc->first_line, ploc->first_column, s);
|
|
}
|
|
}
|
|
|
|
int got_peer_noip = 0;
|
|
int got_peer_noipv6 = 0;
|
|
int got_peer_notcp = 0;
|
|
int got_peer_nosctp = 0;
|
|
|
|
struct peer_info fddpi;
|
|
|
|
%}
|
|
|
|
/* Values returned by lex for token */
|
|
%union {
|
|
char *string; /* The string is allocated by strdup in lex.*/
|
|
int integer; /* Store integer values */
|
|
}
|
|
|
|
/* In case of error in the lexical analysis */
|
|
%token LEX_ERROR
|
|
|
|
%token <string> QSTRING
|
|
%token <integer> INTEGER
|
|
|
|
%type <string> extconf
|
|
|
|
%token IDENTITY
|
|
%token REALM
|
|
%token PORT
|
|
%token SECPORT
|
|
%token SEC3436
|
|
%token NOIP
|
|
%token NOIP6
|
|
%token NOTCP
|
|
%token NOSCTP
|
|
%token PREFERTCP
|
|
%token OLDTLS
|
|
%token NOTLS
|
|
%token SCTPSTREAMS
|
|
%token APPSERVTHREADS
|
|
%token LISTENON
|
|
%token THRPERSRV
|
|
%token TCTIMER
|
|
%token TWTIMER
|
|
%token NORELAY
|
|
%token LOADEXT
|
|
%token CONNPEER
|
|
%token CONNTO
|
|
%token TLS_CRED
|
|
%token TLS_CA
|
|
%token TLS_CRL
|
|
%token TLS_PRIO
|
|
%token TLS_DH_BITS
|
|
%token TLS_DH_FILE
|
|
|
|
|
|
/* -------------------------------------- */
|
|
%%
|
|
|
|
/* The grammar definition - Sections blocs. */
|
|
conffile: /* Empty is OK -- for simplicity here, we reject in daemon later */
|
|
| conffile identity
|
|
| conffile realm
|
|
| conffile tctimer
|
|
| conffile twtimer
|
|
| conffile port
|
|
| conffile secport
|
|
| conffile sec3436
|
|
| conffile sctpstreams
|
|
| conffile listenon
|
|
| conffile thrpersrv
|
|
| conffile norelay
|
|
| conffile appservthreads
|
|
| conffile noip
|
|
| conffile noip6
|
|
| conffile notcp
|
|
| conffile nosctp
|
|
| conffile prefertcp
|
|
| conffile oldtls
|
|
| conffile loadext
|
|
| conffile connpeer
|
|
| conffile tls_cred
|
|
| conffile tls_ca
|
|
| conffile tls_crl
|
|
| conffile tls_prio
|
|
| conffile tls_dh
|
|
| conffile errors
|
|
{
|
|
yyerror(&yylloc, conf, "An error occurred while parsing the configuration file");
|
|
return EINVAL;
|
|
}
|
|
;
|
|
|
|
/* Lexical or syntax error */
|
|
errors: LEX_ERROR
|
|
| error
|
|
;
|
|
|
|
identity: IDENTITY '=' QSTRING ';'
|
|
{
|
|
conf->cnf_diamid = $3;
|
|
}
|
|
;
|
|
|
|
realm: REALM '=' QSTRING ';'
|
|
{
|
|
conf->cnf_diamrlm = $3;
|
|
}
|
|
;
|
|
|
|
tctimer: TCTIMER '=' INTEGER ';'
|
|
{
|
|
CHECK_PARAMS_DO( ($3 > 0),
|
|
{ yyerror (&yylloc, conf, "Invalid value"); YYERROR; } );
|
|
conf->cnf_timer_tc = (unsigned int)$3;
|
|
}
|
|
;
|
|
|
|
twtimer: TWTIMER '=' INTEGER ';'
|
|
{
|
|
CHECK_PARAMS_DO( ($3 > 5),
|
|
{ yyerror (&yylloc, conf, "Invalid value"); YYERROR; } );
|
|
conf->cnf_timer_tw = (unsigned int)$3;
|
|
}
|
|
;
|
|
|
|
port: PORT '=' INTEGER ';'
|
|
{
|
|
CHECK_PARAMS_DO( ($3 >= 0) && ($3 < 1<<16),
|
|
{ yyerror (&yylloc, conf, "Invalid value"); YYERROR; } );
|
|
conf->cnf_port = (uint16_t)$3;
|
|
}
|
|
;
|
|
|
|
secport: SECPORT '=' INTEGER ';'
|
|
{
|
|
CHECK_PARAMS_DO( ($3 >= 0) && ($3 < 1<<16),
|
|
{ yyerror (&yylloc, conf, "Invalid value"); YYERROR; } );
|
|
conf->cnf_port_tls = (uint16_t)$3;
|
|
}
|
|
;
|
|
|
|
sec3436: SEC3436 '=' INTEGER ';'
|
|
{
|
|
CHECK_PARAMS_DO( ($3 >= 0) && ($3 < 1<<16),
|
|
{ yyerror (&yylloc, conf, "Invalid value"); YYERROR; } );
|
|
conf->cnf_port_3436 = (uint16_t)$3;
|
|
}
|
|
;
|
|
|
|
sctpstreams: SCTPSTREAMS '=' INTEGER ';'
|
|
{
|
|
CHECK_PARAMS_DO( ($3 > 0) && ($3 < 1<<16),
|
|
{ yyerror (&yylloc, conf, "Invalid value"); YYERROR; } );
|
|
conf->cnf_sctp_str = (uint16_t)$3;
|
|
}
|
|
;
|
|
|
|
listenon: LISTENON '=' QSTRING ';'
|
|
{
|
|
struct addrinfo hints, *ai;
|
|
int ret;
|
|
|
|
memset(&hints, 0, sizeof(hints));
|
|
hints.ai_flags = AI_PASSIVE | AI_NUMERICHOST;
|
|
ret = getaddrinfo($3, NULL, &hints, &ai);
|
|
if (ret) { yyerror (&yylloc, conf, gai_strerror(ret)); YYERROR; }
|
|
CHECK_FCT_DO( fd_ep_add_merge( &conf->cnf_endpoints, ai->ai_addr, ai->ai_addrlen, EP_FL_CONF ), YYERROR );
|
|
freeaddrinfo(ai);
|
|
free($3);
|
|
}
|
|
;
|
|
|
|
thrpersrv: THRPERSRV '=' INTEGER ';'
|
|
{
|
|
CHECK_PARAMS_DO( ($3 > 0),
|
|
{ yyerror (&yylloc, conf, "Invalid value"); YYERROR; } );
|
|
conf->cnf_thr_srv = $3;
|
|
}
|
|
;
|
|
|
|
norelay: NORELAY ';'
|
|
{
|
|
conf->cnf_flags.no_fwd = 1;
|
|
}
|
|
;
|
|
|
|
appservthreads: APPSERVTHREADS '=' INTEGER ';'
|
|
{
|
|
CHECK_PARAMS_DO( ($3 > 0) && ($3 < 256),
|
|
{ yyerror (&yylloc, conf, "Invalid value"); YYERROR; } );
|
|
conf->cnf_dispthr = (uint16_t)$3;
|
|
}
|
|
;
|
|
|
|
noip: NOIP ';'
|
|
{
|
|
if (got_peer_noipv6) {
|
|
yyerror (&yylloc, conf, "No_IP conflicts with a ConnectPeer directive No_IPv6.");
|
|
YYERROR;
|
|
}
|
|
conf->cnf_flags.no_ip4 = 1;
|
|
}
|
|
;
|
|
|
|
noip6: NOIP6 ';'
|
|
{
|
|
if (got_peer_noip) {
|
|
yyerror (&yylloc, conf, "No_IP conflicts with a ConnectPeer directive No_IP.");
|
|
YYERROR;
|
|
}
|
|
conf->cnf_flags.no_ip6 = 1;
|
|
}
|
|
;
|
|
|
|
notcp: NOTCP ';'
|
|
{
|
|
#ifdef DISABLE_SCTP
|
|
yyerror (&yylloc, conf, "No_TCP cannot be specified for daemon compiled with DISABLE_SCTP option.");
|
|
YYERROR;
|
|
#endif
|
|
if (conf->cnf_flags.no_sctp)
|
|
{
|
|
yyerror (&yylloc, conf, "No_TCP conflicts with No_SCTP directive." );
|
|
YYERROR;
|
|
}
|
|
if (got_peer_nosctp) {
|
|
yyerror (&yylloc, conf, "No_TCP conflicts with a ConnectPeer directive No_SCTP.");
|
|
YYERROR;
|
|
}
|
|
conf->cnf_flags.no_tcp = 1;
|
|
}
|
|
;
|
|
|
|
nosctp: NOSCTP ';'
|
|
{
|
|
if (conf->cnf_flags.no_tcp)
|
|
{
|
|
yyerror (&yylloc, conf, "No_SCTP conflicts with No_TCP directive." );
|
|
YYERROR;
|
|
}
|
|
if (got_peer_notcp) {
|
|
yyerror (&yylloc, conf, "No_SCTP conflicts with a ConnectPeer directive No_TCP.");
|
|
YYERROR;
|
|
}
|
|
conf->cnf_flags.no_sctp = 1;
|
|
}
|
|
;
|
|
|
|
prefertcp: PREFERTCP ';'
|
|
{
|
|
conf->cnf_flags.pr_tcp = 1;
|
|
}
|
|
;
|
|
|
|
oldtls: OLDTLS ';'
|
|
{
|
|
conf->cnf_flags.tls_alg = 1;
|
|
}
|
|
;
|
|
|
|
loadext: LOADEXT '=' QSTRING extconf ';'
|
|
{
|
|
char * fname;
|
|
char * cfname;
|
|
FILE * fd;
|
|
|
|
/* Try and open the extension file */
|
|
fname = $3;
|
|
fd = fopen(fname, "r");
|
|
if ((fd == NULL) && (*fname != '/')) {
|
|
char * bkp = fname;
|
|
CHECK_MALLOC_DO( fname = malloc( strlen(bkp) + strlen(DEFAULT_EXTENSIONS_PATH) + 2 ),
|
|
{ yyerror (&yylloc, conf, "Not enough memory"); YYERROR; } );
|
|
sprintf(fname, DEFAULT_EXTENSIONS_PATH "/%s", bkp);
|
|
fd = fopen(fname, "r");
|
|
if (fd == NULL) {
|
|
free(fname);
|
|
fname = bkp;
|
|
} else {
|
|
free(bkp);
|
|
}
|
|
}
|
|
if (fd != NULL) {
|
|
fclose(fd);
|
|
} /* otherwise, LD_LIBRARY_PATH will be tested by dl_open.
|
|
This should not give any security issue, otherwise we can add an "else fail" here. */
|
|
|
|
/* Try and open the configuration file (optional) */
|
|
cfname = $4;
|
|
if (cfname) {
|
|
fd = fopen(cfname, "r");
|
|
if ((fd == NULL) && (*cfname != '/')) {
|
|
char * test;
|
|
CHECK_MALLOC_DO( test = malloc( strlen(cfname) + strlen(DEFAULT_CONF_PATH) + 2 ),
|
|
{ yyerror (&yylloc, conf, "Not enough memory"); YYERROR; } );
|
|
sprintf(test, DEFAULT_CONF_PATH "/%s", cfname);
|
|
fd = fopen(test, "r");
|
|
if (fd) {
|
|
free(cfname);
|
|
cfname=test;
|
|
} else {
|
|
/* This is not an error, we allow an extension to wait for something else than a real conf file. */
|
|
free(test);
|
|
}
|
|
}
|
|
if (fd)
|
|
fclose(fd);
|
|
}
|
|
|
|
CHECK_FCT_DO( fd_ext_add( fname, cfname ),
|
|
{ yyerror (&yylloc, conf, "Error adding extension"); YYERROR; } );
|
|
}
|
|
;
|
|
|
|
extconf: /* empty */
|
|
{
|
|
$$ = NULL;
|
|
}
|
|
| ':' QSTRING
|
|
{
|
|
$$ = $2;
|
|
}
|
|
;
|
|
|
|
connpeer: {
|
|
memset(&fddpi, 0, sizeof(fddpi));
|
|
fddpi.config.pic_flags.persist = PI_PRST_ALWAYS;
|
|
fd_list_init( &fddpi.pi_endpoints, NULL );
|
|
}
|
|
CONNPEER '=' QSTRING peerinfo ';'
|
|
{
|
|
fddpi.pi_diamid = $4;
|
|
CHECK_FCT_DO( fd_peer_add ( &fddpi, conf->cnf_file, NULL, NULL ),
|
|
{ yyerror (&yylloc, conf, "Error adding ConnectPeer information"); YYERROR; } );
|
|
|
|
/* Now destroy any content in the structure */
|
|
free(fddpi.pi_diamid);
|
|
free(fddpi.config.pic_realm);
|
|
free(fddpi.config.pic_priority);
|
|
while (!FD_IS_LIST_EMPTY(&fddpi.pi_endpoints)) {
|
|
struct fd_list * li = fddpi.pi_endpoints.next;
|
|
fd_list_unlink(li);
|
|
free(li);
|
|
}
|
|
}
|
|
;
|
|
|
|
peerinfo: /* empty */
|
|
| '{' peerparams '}'
|
|
;
|
|
|
|
peerparams: /* empty */
|
|
| peerparams NOIP ';'
|
|
{
|
|
if ((conf->cnf_flags.no_ip6) || (fddpi.config.pic_flags.pro3 == PI_P3_IP)) {
|
|
yyerror (&yylloc, conf, "No_IP conflicts with a No_IPv6 directive.");
|
|
YYERROR;
|
|
}
|
|
got_peer_noip++;
|
|
fddpi.config.pic_flags.pro3 = PI_P3_IPv6;
|
|
}
|
|
| peerparams NOIP6 ';'
|
|
{
|
|
if ((conf->cnf_flags.no_ip4) || (fddpi.config.pic_flags.pro3 == PI_P3_IPv6)) {
|
|
yyerror (&yylloc, conf, "No_IPv6 conflicts with a No_IP directive.");
|
|
YYERROR;
|
|
}
|
|
got_peer_noipv6++;
|
|
fddpi.config.pic_flags.pro3 = PI_P3_IP;
|
|
}
|
|
| peerparams NOTCP ';'
|
|
{
|
|
#ifdef DISABLE_SCTP
|
|
yyerror (&yylloc, conf, "No_TCP cannot be specified in daemon compiled with DISABLE_SCTP option.");
|
|
YYERROR;
|
|
#endif
|
|
if ((conf->cnf_flags.no_sctp) || (fddpi.config.pic_flags.pro4 == PI_P4_TCP)) {
|
|
yyerror (&yylloc, conf, "No_TCP conflicts with a No_SCTP directive.");
|
|
YYERROR;
|
|
}
|
|
got_peer_notcp++;
|
|
fddpi.config.pic_flags.pro4 = PI_P4_SCTP;
|
|
}
|
|
| peerparams NOSCTP ';'
|
|
{
|
|
if ((conf->cnf_flags.no_tcp) || (fddpi.config.pic_flags.pro4 == PI_P4_SCTP)) {
|
|
yyerror (&yylloc, conf, "No_SCTP conflicts with a No_TCP directive.");
|
|
YYERROR;
|
|
}
|
|
got_peer_nosctp++;
|
|
fddpi.config.pic_flags.pro4 = PI_P4_TCP;
|
|
}
|
|
| peerparams PREFERTCP ';'
|
|
{
|
|
fddpi.config.pic_flags.alg = PI_ALGPREF_TCP;
|
|
}
|
|
| peerparams OLDTLS ';'
|
|
{
|
|
fddpi.config.pic_flags.sec |= PI_SEC_TLS_OLD;
|
|
}
|
|
| peerparams NOTLS ';'
|
|
{
|
|
fddpi.config.pic_flags.sec |= PI_SEC_NONE;
|
|
}
|
|
| peerparams SEC3436 ';'
|
|
{
|
|
fddpi.config.pic_flags.sctpsec |= PI_SCTPSEC_3436;
|
|
}
|
|
| peerparams REALM '=' QSTRING ';'
|
|
{
|
|
fddpi.config.pic_realm = $4;
|
|
}
|
|
| peerparams PORT '=' INTEGER ';'
|
|
{
|
|
CHECK_PARAMS_DO( ($4 > 0) && ($4 < 1<<16),
|
|
{ yyerror (&yylloc, conf, "Invalid port value"); YYERROR; } );
|
|
fddpi.config.pic_port = (uint16_t)$4;
|
|
}
|
|
| peerparams TCTIMER '=' INTEGER ';'
|
|
{
|
|
fddpi.config.pic_tctimer = $4;
|
|
}
|
|
| peerparams TWTIMER '=' INTEGER ';'
|
|
{
|
|
fddpi.config.pic_twtimer = $4;
|
|
}
|
|
| peerparams TLS_PRIO '=' QSTRING ';'
|
|
{
|
|
fddpi.config.pic_priority = $4;
|
|
}
|
|
| peerparams CONNTO '=' QSTRING ';'
|
|
{
|
|
struct addrinfo hints, *ai;
|
|
int ret;
|
|
int disc = 0;
|
|
|
|
memset(&hints, 0, sizeof(hints));
|
|
hints.ai_flags = AI_ADDRCONFIG | AI_NUMERICHOST;
|
|
ret = getaddrinfo($4, NULL, &hints, &ai);
|
|
if (ret == EAI_NONAME) {
|
|
/* The name was maybe not numeric, try again */
|
|
disc = EP_FL_DISC;
|
|
hints.ai_flags &= ~ AI_NUMERICHOST;
|
|
ret = getaddrinfo($4, NULL, &hints, &ai);
|
|
}
|
|
if (ret) { yyerror (&yylloc, conf, gai_strerror(ret)); YYERROR; }
|
|
|
|
CHECK_FCT_DO( fd_ep_add_merge( &fddpi.pi_endpoints, ai->ai_addr, ai->ai_addrlen, EP_FL_CONF | (disc ?: EP_ACCEPTALL) ), YYERROR );
|
|
free($4);
|
|
freeaddrinfo(ai);
|
|
}
|
|
;
|
|
|
|
tls_cred: TLS_CRED '=' QSTRING ',' QSTRING ';'
|
|
{
|
|
FILE * fd;
|
|
fd = fopen($3, "r");
|
|
if (fd == NULL) {
|
|
int ret = errno;
|
|
TRACE_ERROR("Unable to open certificate file %s for reading: %s", $3, strerror(ret));
|
|
yyerror (&yylloc, conf, "Error on file name");
|
|
YYERROR;
|
|
}
|
|
fclose(fd);
|
|
fd = fopen($5, "r");
|
|
if (fd == NULL) {
|
|
int ret = errno;
|
|
TRACE_ERROR("Unable to open private key file %s for reading: %s", $5, strerror(ret));
|
|
yyerror (&yylloc, conf, "Error on file name");
|
|
YYERROR;
|
|
}
|
|
fclose(fd);
|
|
conf->cnf_sec_data.cert_file = $3;
|
|
conf->cnf_sec_data.key_file = $5;
|
|
|
|
CHECK_GNUTLS_DO( gnutls_certificate_set_x509_key_file(
|
|
conf->cnf_sec_data.credentials,
|
|
conf->cnf_sec_data.cert_file,
|
|
conf->cnf_sec_data.key_file,
|
|
GNUTLS_X509_FMT_PEM),
|
|
{ yyerror (&yylloc, conf, "Error opening certificate or private key file."); YYERROR; } );
|
|
}
|
|
;
|
|
|
|
tls_ca: TLS_CA '=' QSTRING ';'
|
|
{
|
|
FILE * fd;
|
|
fd = fopen($3, "rb");
|
|
if (fd == NULL) {
|
|
int ret = errno;
|
|
TRACE_ERROR("Unable to open CA file %s for reading: %s", $3, strerror(ret));
|
|
yyerror (&yylloc, conf, "Error on file name");
|
|
YYERROR;
|
|
}
|
|
#ifdef GNUTLS_VERSION_300
|
|
{
|
|
/* We import these CA in the trust list */
|
|
gnutls_x509_crt_t * calist;
|
|
unsigned int cacount;
|
|
gnutls_datum_t cafile;
|
|
|
|
CHECK_FCT_DO( fd_conf_stream_to_gnutls_datum(fd, &cafile),
|
|
{ yyerror (&yylloc, conf, "Error reading CA file."); YYERROR; } );
|
|
|
|
CHECK_GNUTLS_DO( gnutls_x509_crt_list_import2(&calist, &cacount, &cafile, GNUTLS_X509_FMT_PEM,
|
|
GNUTLS_X509_CRT_LIST_FAIL_IF_UNSORTED),
|
|
{ yyerror (&yylloc, conf, "Error importing CA file."); YYERROR; } );
|
|
free(cafile.data);
|
|
|
|
CHECK_GNUTLS_DO( gnutls_x509_trust_list_add_cas (fd_g_config->cnf_sec_data.trustlist, calist, cacount, 0),
|
|
{ yyerror (&yylloc, conf, "Error saving CA in trust list."); YYERROR; } );
|
|
}
|
|
#endif /* GNUTLS_VERSION_300 */
|
|
fclose(fd);
|
|
conf->cnf_sec_data.ca_file = $3;
|
|
CHECK_GNUTLS_DO( conf->cnf_sec_data.ca_file_nr += gnutls_certificate_set_x509_trust_file(
|
|
conf->cnf_sec_data.credentials,
|
|
conf->cnf_sec_data.ca_file,
|
|
GNUTLS_X509_FMT_PEM),
|
|
{ yyerror (&yylloc, conf, "Error setting CA parameters."); YYERROR; } );
|
|
|
|
}
|
|
;
|
|
|
|
tls_crl: TLS_CRL '=' QSTRING ';'
|
|
{
|
|
FILE * fd;
|
|
fd = fopen($3, "rb");
|
|
if (fd == NULL) {
|
|
int ret = errno;
|
|
TRACE_ERROR("Unable to open CRL file %s for reading: %s", $3, strerror(ret));
|
|
yyerror (&yylloc, conf, "Error on file name");
|
|
YYERROR;
|
|
}
|
|
#ifdef GNUTLS_VERSION_300
|
|
{
|
|
/* We import these CRL in the trust list */
|
|
gnutls_x509_crl_t * crllist;
|
|
unsigned int crlcount;
|
|
gnutls_datum_t crlfile;
|
|
|
|
CHECK_FCT_DO( fd_conf_stream_to_gnutls_datum(fd, &crlfile),
|
|
{ yyerror (&yylloc, conf, "Error reading CRL file."); YYERROR; } );
|
|
|
|
CHECK_GNUTLS_DO( gnutls_x509_crl_list_import2(&crllist, &crlcount, &crlfile, GNUTLS_X509_FMT_PEM, 0),
|
|
{ yyerror (&yylloc, conf, "Error importing CRL file."); YYERROR; } );
|
|
free(crlfile.data);
|
|
|
|
CHECK_GNUTLS_DO( gnutls_x509_trust_list_add_crls (fd_g_config->cnf_sec_data.trustlist, crllist, crlcount,
|
|
GNUTLS_TL_VERIFY_CRL,
|
|
0),
|
|
{ yyerror (&yylloc, conf, "Error importing CRL in trust list."); YYERROR; } );
|
|
}
|
|
#endif /* GNUTLS_VERSION_300 */
|
|
fclose(fd);
|
|
conf->cnf_sec_data.crl_file = $3;
|
|
CHECK_GNUTLS_DO( gnutls_certificate_set_x509_crl_file(
|
|
conf->cnf_sec_data.credentials,
|
|
conf->cnf_sec_data.crl_file,
|
|
GNUTLS_X509_FMT_PEM),
|
|
{ yyerror (&yylloc, conf, "Error setting CRL parameters."); YYERROR; } );
|
|
}
|
|
;
|
|
|
|
tls_prio: TLS_PRIO '=' QSTRING ';'
|
|
{
|
|
const char * err_pos = NULL;
|
|
conf->cnf_sec_data.prio_string = $3;
|
|
CHECK_GNUTLS_DO( gnutls_priority_init(
|
|
&conf->cnf_sec_data.prio_cache,
|
|
conf->cnf_sec_data.prio_string,
|
|
&err_pos),
|
|
{ yyerror (&yylloc, conf, "Error setting Priority parameter.");
|
|
TRACE_ERROR("Error at position : %s", err_pos);
|
|
YYERROR; } );
|
|
}
|
|
;
|
|
|
|
tls_dh: TLS_DH_BITS '=' INTEGER ';'
|
|
{
|
|
conf->cnf_sec_data.dh_bits = $3;
|
|
}
|
|
| TLS_DH_FILE '=' QSTRING ';'
|
|
{
|
|
FILE * fd;
|
|
free(conf->cnf_sec_data.dh_file);
|
|
conf->cnf_sec_data.dh_file = $3;
|
|
fd = fopen($3, "r");
|
|
if (fd == NULL) {
|
|
int ret = errno;
|
|
TRACE_ERROR("Unable to open DH file %s for reading: %s", $3, strerror(ret));
|
|
yyerror (&yylloc, conf, "Error on file name");
|
|
YYERROR;
|
|
}
|
|
fclose(fd);
|
|
}
|
|
;
|