File: | src/sbin/ipsecctl/obj/parse.c |
Warning: | line 2698, column 13 Attempt to free released memory |
Press '?' to see keyboard shortcuts
Keyboard shortcuts:
1 | #include <stdlib.h> | ||||
2 | #include <string.h> | ||||
3 | #define YYBYACC1 1 | ||||
4 | #define YYMAJOR1 1 | ||||
5 | #define YYMINOR9 9 | ||||
6 | #define YYLEXyylex() yylex() | ||||
7 | #define YYEMPTY-1 -1 | ||||
8 | #define yyclearin(yychar=(-1)) (yychar=(YYEMPTY-1)) | ||||
9 | #define yyerrok(yyerrflag=0) (yyerrflag=0) | ||||
10 | #define YYRECOVERING()(yyerrflag!=0) (yyerrflag!=0) | ||||
11 | #define YYPREFIX"yy" "yy" | ||||
12 | #line 24 "/usr/src/sbin/ipsecctl/parse.y" | ||||
13 | #include <sys/types.h> | ||||
14 | #include <sys/ioctl.h> | ||||
15 | #include <sys/queue.h> | ||||
16 | #include <sys/socket.h> | ||||
17 | #include <sys/stat.h> | ||||
18 | #include <net/if.h> | ||||
19 | #include <netinet/in.h> | ||||
20 | #include <netinet/ip_ipsp.h> | ||||
21 | #include <arpa/inet.h> | ||||
22 | |||||
23 | #include <ctype.h> | ||||
24 | #include <err.h> | ||||
25 | #include <errno(*__errno()).h> | ||||
26 | #include <fcntl.h> | ||||
27 | #include <ifaddrs.h> | ||||
28 | #include <limits.h> | ||||
29 | #include <netdb.h> | ||||
30 | #include <stdarg.h> | ||||
31 | #include <stdio.h> | ||||
32 | #include <string.h> | ||||
33 | #include <syslog.h> | ||||
34 | #include <unistd.h> | ||||
35 | #include <netdb.h> | ||||
36 | |||||
37 | #include "ipsecctl.h" | ||||
38 | |||||
39 | TAILQ_HEAD(files, file)struct files { struct file *tqh_first; struct file **tqh_last ; } files = TAILQ_HEAD_INITIALIZER(files){ ((void *)0), &(files).tqh_first }; | ||||
40 | static struct file { | ||||
41 | TAILQ_ENTRY(file)struct { struct file *tqe_next; struct file **tqe_prev; } entry; | ||||
42 | FILE *stream; | ||||
43 | char *name; | ||||
44 | int lineno; | ||||
45 | int errors; | ||||
46 | } *file, *topfile; | ||||
47 | struct file *pushfile(const char *, int); | ||||
48 | int popfile(void); | ||||
49 | int check_file_secrecy(int, const char *); | ||||
50 | int yyparse(void); | ||||
51 | int yylex(void); | ||||
52 | int yyerror(const char *, ...) | ||||
53 | __attribute__((__format__ (printf, 1, 2))) | ||||
54 | __attribute__((__nonnull__ (1))); | ||||
55 | int yywarn(const char *, ...) | ||||
56 | __attribute__((__format__ (printf, 1, 2))) | ||||
57 | __attribute__((__nonnull__ (1))); | ||||
58 | int kw_cmp(const void *, const void *); | ||||
59 | int lookup(char *); | ||||
60 | int lgetc(int); | ||||
61 | int lungetc(int); | ||||
62 | int findeol(void); | ||||
63 | |||||
64 | TAILQ_HEAD(symhead, sym)struct symhead { struct sym *tqh_first; struct sym **tqh_last ; } symhead = TAILQ_HEAD_INITIALIZER(symhead){ ((void *)0), &(symhead).tqh_first }; | ||||
65 | struct sym { | ||||
66 | TAILQ_ENTRY(sym)struct { struct sym *tqe_next; struct sym **tqe_prev; } entry; | ||||
67 | int used; | ||||
68 | int persist; | ||||
69 | char *nam; | ||||
70 | char *val; | ||||
71 | }; | ||||
72 | int symset(const char *, const char *, int); | ||||
73 | char *symget(const char *); | ||||
74 | int cmdline_symset(char *); | ||||
75 | |||||
76 | #define KEYSIZE_LIMIT1024 1024 | ||||
77 | |||||
78 | static struct ipsecctl *ipsec = NULL((void *)0); | ||||
79 | static int debug = 0; | ||||
80 | |||||
81 | const struct ipsec_xf authxfs[] = { | ||||
82 | { "unknown", AUTHXF_UNKNOWN, 0, 0 }, | ||||
83 | { "none", AUTHXF_NONE, 0, 0 }, | ||||
84 | { "hmac-md5", AUTHXF_HMAC_MD5, 16, 0 }, | ||||
85 | { "hmac-ripemd160", AUTHXF_HMAC_RIPEMD160, 20, 0 }, | ||||
86 | { "hmac-sha1", AUTHXF_HMAC_SHA1, 20, 0 }, | ||||
87 | { "hmac-sha2-256", AUTHXF_HMAC_SHA2_256, 32, 0 }, | ||||
88 | { "hmac-sha2-384", AUTHXF_HMAC_SHA2_384, 48, 0 }, | ||||
89 | { "hmac-sha2-512", AUTHXF_HMAC_SHA2_512, 64, 0 }, | ||||
90 | { NULL((void *)0), 0, 0, 0 }, | ||||
91 | }; | ||||
92 | |||||
93 | const struct ipsec_xf encxfs[] = { | ||||
94 | { "unknown", ENCXF_UNKNOWN, 0, 0, 0, 0 }, | ||||
95 | { "none", ENCXF_NONE, 0, 0, 0, 0 }, | ||||
96 | { "3des-cbc", ENCXF_3DES_CBC, 24, 24, 0, 0 }, | ||||
97 | { "aes", ENCXF_AES, 16, 32, 0, 0 }, | ||||
98 | { "aes-128", ENCXF_AES_128, 16, 16, 0, 0 }, | ||||
99 | { "aes-192", ENCXF_AES_192, 24, 24, 0, 0 }, | ||||
100 | { "aes-256", ENCXF_AES_256, 32, 32, 0, 0 }, | ||||
101 | { "aesctr", ENCXF_AESCTR, 16+4, 32+4, 0, 1 }, | ||||
102 | { "aes-128-ctr", ENCXF_AES_128_CTR, 16+4, 16+4, 0, 1 }, | ||||
103 | { "aes-192-ctr", ENCXF_AES_192_CTR, 24+4, 24+4, 0, 1 }, | ||||
104 | { "aes-256-ctr", ENCXF_AES_256_CTR, 32+4, 32+4, 0, 1 }, | ||||
105 | { "aes-128-gcm", ENCXF_AES_128_GCM, 16+4, 16+4, 1, 1 }, | ||||
106 | { "aes-192-gcm", ENCXF_AES_192_GCM, 24+4, 24+4, 1, 1 }, | ||||
107 | { "aes-256-gcm", ENCXF_AES_256_GCM, 32+4, 32+4, 1, 1 }, | ||||
108 | { "aes-128-gmac", ENCXF_AES_128_GMAC, 16+4, 16+4, 1, 1 }, | ||||
109 | { "aes-192-gmac", ENCXF_AES_192_GMAC, 24+4, 24+4, 1, 1 }, | ||||
110 | { "aes-256-gmac", ENCXF_AES_256_GMAC, 32+4, 32+4, 1, 1 }, | ||||
111 | { "blowfish", ENCXF_BLOWFISH, 5, 56, 0, 0 }, | ||||
112 | { "cast128", ENCXF_CAST128, 5, 16, 0, 0 }, | ||||
113 | { "chacha20-poly1305", ENCXF_CHACHA20_POLY1305, 32+4, 32+4, 1, 1 }, | ||||
114 | { "null", ENCXF_NULL, 0, 0, 0, 0 }, | ||||
115 | { NULL((void *)0), 0, 0, 0, 0, 0 }, | ||||
116 | }; | ||||
117 | |||||
118 | const struct ipsec_xf compxfs[] = { | ||||
119 | { "unknown", COMPXF_UNKNOWN, 0, 0 }, | ||||
120 | { "deflate", COMPXF_DEFLATE, 0, 0 }, | ||||
121 | { NULL((void *)0), 0, 0, 0 }, | ||||
122 | }; | ||||
123 | |||||
124 | const struct ipsec_xf groupxfs[] = { | ||||
125 | { "unknown", GROUPXF_UNKNOWN, 0, 0 }, | ||||
126 | { "none", GROUPXF_NONE, 0, 0 }, | ||||
127 | { "modp768", GROUPXF_1, 768, 0 }, | ||||
128 | { "grp1", GROUPXF_1, 768, 0 }, | ||||
129 | { "modp1024", GROUPXF_2, 1024, 0 }, | ||||
130 | { "grp2", GROUPXF_2, 1024, 0 }, | ||||
131 | { "modp1536", GROUPXF_5, 1536, 0 }, | ||||
132 | { "grp5", GROUPXF_5, 1536, 0 }, | ||||
133 | { "modp2048", GROUPXF_14, 2048, 0 }, | ||||
134 | { "grp14", GROUPXF_14, 2048, 0 }, | ||||
135 | { "modp3072", GROUPXF_15, 3072, 0 }, | ||||
136 | { "grp15", GROUPXF_15, 3072, 0 }, | ||||
137 | { "modp4096", GROUPXF_16, 4096, 0 }, | ||||
138 | { "grp16", GROUPXF_16, 4096, 0 }, | ||||
139 | { "modp6144", GROUPXF_17, 6144, 0 }, | ||||
140 | { "grp17", GROUPXF_17, 6144, 0 }, | ||||
141 | { "modp8192", GROUPXF_18, 8192, 0 }, | ||||
142 | { "grp18", GROUPXF_18, 8192, 0 }, | ||||
143 | { "ecp256", GROUPXF_19, 256, 0 }, | ||||
144 | { "grp19", GROUPXF_19, 256, 0 }, | ||||
145 | { "ecp384", GROUPXF_20, 384, 0 }, | ||||
146 | { "grp20", GROUPXF_20, 384, 0 }, | ||||
147 | { "ecp521", GROUPXF_21, 521, 0 }, | ||||
148 | { "grp21", GROUPXF_21, 521, 0 }, | ||||
149 | { "ecp192", GROUPXF_25, 192, 0 }, | ||||
150 | { "grp25", GROUPXF_25, 192, 0 }, | ||||
151 | { "ecp224", GROUPXF_26, 224, 0 }, | ||||
152 | { "grp26", GROUPXF_26, 224, 0 }, | ||||
153 | { "bp224", GROUPXF_27, 224, 0 }, | ||||
154 | { "grp27", GROUPXF_27, 224, 0 }, | ||||
155 | { "bp256", GROUPXF_28, 256, 0 }, | ||||
156 | { "grp28", GROUPXF_28, 256, 0 }, | ||||
157 | { "bp384", GROUPXF_29, 384, 0 }, | ||||
158 | { "grp29", GROUPXF_29, 384, 0 }, | ||||
159 | { "bp512", GROUPXF_30, 512, 0 }, | ||||
160 | { "grp30", GROUPXF_30, 512, 0 }, | ||||
161 | { NULL((void *)0), 0, 0, 0 }, | ||||
162 | }; | ||||
163 | |||||
164 | int atoul(char *, u_long *); | ||||
165 | int atospi(char *, u_int32_t *); | ||||
166 | u_int8_t x2i(unsigned char *); | ||||
167 | struct ipsec_key *parsekey(unsigned char *, size_t); | ||||
168 | struct ipsec_key *parsekeyfile(char *); | ||||
169 | struct ipsec_addr_wrap *host(const char *); | ||||
170 | struct ipsec_addr_wrap *host_v6(const char *, int); | ||||
171 | struct ipsec_addr_wrap *host_v4(const char *, int); | ||||
172 | struct ipsec_addr_wrap *host_dns(const char *, int); | ||||
173 | struct ipsec_addr_wrap *host_if(const char *, int); | ||||
174 | struct ipsec_addr_wrap *host_any(void); | ||||
175 | void ifa_load(void); | ||||
176 | int ifa_exists(const char *); | ||||
177 | struct ipsec_addr_wrap *ifa_lookup(const char *ifa_name); | ||||
178 | struct ipsec_addr_wrap *ifa_grouplookup(const char *); | ||||
179 | void set_ipmask(struct ipsec_addr_wrap *, u_int8_t); | ||||
180 | const struct ipsec_xf *parse_xf(const char *, const struct ipsec_xf *); | ||||
181 | struct ipsec_lifetime *parse_life(const char *); | ||||
182 | struct ipsec_transforms *copytransforms(const struct ipsec_transforms *); | ||||
183 | struct ipsec_lifetime *copylife(const struct ipsec_lifetime *); | ||||
184 | struct ipsec_auth *copyipsecauth(const struct ipsec_auth *); | ||||
185 | struct ike_auth *copyikeauth(const struct ike_auth *); | ||||
186 | struct ipsec_key *copykey(struct ipsec_key *); | ||||
187 | struct ipsec_addr_wrap *copyhost(const struct ipsec_addr_wrap *); | ||||
188 | char *copytag(const char *); | ||||
189 | struct ipsec_rule *copyrule(struct ipsec_rule *); | ||||
190 | int validate_af(struct ipsec_addr_wrap *, | ||||
191 | struct ipsec_addr_wrap *); | ||||
192 | int validate_sa(u_int32_t, u_int8_t, | ||||
193 | struct ipsec_transforms *, struct ipsec_key *, | ||||
194 | struct ipsec_key *, u_int8_t); | ||||
195 | struct ipsec_rule *create_sa(u_int8_t, u_int8_t, struct ipsec_hosts *, | ||||
196 | u_int32_t, u_int8_t, u_int16_t, | ||||
197 | struct ipsec_transforms *, | ||||
198 | struct ipsec_key *, struct ipsec_key *); | ||||
199 | struct ipsec_rule *reverse_sa(struct ipsec_rule *, u_int32_t, | ||||
200 | struct ipsec_key *, struct ipsec_key *); | ||||
201 | struct ipsec_rule *create_sabundle(struct ipsec_addr_wrap *, u_int8_t, | ||||
202 | u_int32_t, struct ipsec_addr_wrap *, u_int8_t, | ||||
203 | u_int32_t); | ||||
204 | struct ipsec_rule *create_flow(u_int8_t, u_int8_t, struct ipsec_hosts *, | ||||
205 | u_int8_t, char *, char *, u_int8_t); | ||||
206 | int set_rule_peers(struct ipsec_rule *r, | ||||
207 | struct ipsec_hosts *peers); | ||||
208 | void expand_any(struct ipsec_addr_wrap *); | ||||
209 | int expand_rule(struct ipsec_rule *, struct ipsec_hosts *, | ||||
210 | u_int8_t, u_int32_t, struct ipsec_key *, | ||||
211 | struct ipsec_key *, char *); | ||||
212 | struct ipsec_rule *reverse_rule(struct ipsec_rule *); | ||||
213 | struct ipsec_rule *create_ike(u_int8_t, struct ipsec_hosts *, | ||||
214 | struct ike_mode *, struct ike_mode *, u_int8_t, | ||||
215 | u_int8_t, u_int8_t, char *, char *, | ||||
216 | struct ike_auth *, char *); | ||||
217 | int add_sabundle(struct ipsec_rule *, char *); | ||||
218 | int get_id_type(char *); | ||||
219 | |||||
220 | struct ipsec_transforms *ipsec_transforms; | ||||
221 | |||||
222 | typedef struct { | ||||
223 | union { | ||||
224 | int64_t number; | ||||
225 | u_int8_t ikemode; | ||||
226 | u_int8_t dir; | ||||
227 | u_int8_t satype; /* encapsulating prococol */ | ||||
228 | u_int8_t proto; /* encapsulated protocol */ | ||||
229 | u_int8_t tmode; | ||||
230 | char *string; | ||||
231 | u_int16_t port; | ||||
232 | struct ipsec_hosts hosts; | ||||
233 | struct ipsec_hosts peers; | ||||
234 | struct ipsec_addr_wrap *anyhost; | ||||
235 | struct ipsec_addr_wrap *singlehost; | ||||
236 | struct ipsec_addr_wrap *host; | ||||
237 | struct { | ||||
238 | char *srcid; | ||||
239 | char *dstid; | ||||
240 | } ids; | ||||
241 | char *id; | ||||
242 | u_int8_t type; | ||||
243 | struct ike_auth ikeauth; | ||||
244 | struct { | ||||
245 | u_int32_t spiout; | ||||
246 | u_int32_t spiin; | ||||
247 | } spis; | ||||
248 | struct { | ||||
249 | u_int8_t encap; | ||||
250 | u_int16_t port; | ||||
251 | } udpencap; | ||||
252 | struct { | ||||
253 | struct ipsec_key *keyout; | ||||
254 | struct ipsec_key *keyin; | ||||
255 | } authkeys; | ||||
256 | struct { | ||||
257 | struct ipsec_key *keyout; | ||||
258 | struct ipsec_key *keyin; | ||||
259 | } enckeys; | ||||
260 | struct { | ||||
261 | struct ipsec_key *keyout; | ||||
262 | struct ipsec_key *keyin; | ||||
263 | } keys; | ||||
264 | struct ipsec_transforms *transforms; | ||||
265 | struct ipsec_lifetime *life; | ||||
266 | struct ike_mode *mode; | ||||
267 | } v; | ||||
268 | int lineno; | ||||
269 | } YYSTYPE; | ||||
270 | |||||
271 | #line 272 "parse.c" | ||||
272 | #define FLOW257 257 | ||||
273 | #define FROM258 258 | ||||
274 | #define ESP259 259 | ||||
275 | #define AH260 260 | ||||
276 | #define IN261 261 | ||||
277 | #define PEER262 262 | ||||
278 | #define ON263 263 | ||||
279 | #define OUT264 264 | ||||
280 | #define TO265 265 | ||||
281 | #define SRCID266 266 | ||||
282 | #define DSTID267 267 | ||||
283 | #define RSA268 268 | ||||
284 | #define PSK269 269 | ||||
285 | #define TCPMD5270 270 | ||||
286 | #define SPI271 271 | ||||
287 | #define AUTHKEY272 272 | ||||
288 | #define ENCKEY273 273 | ||||
289 | #define FILENAME274 274 | ||||
290 | #define AUTHXF275 275 | ||||
291 | #define ENCXF276 276 | ||||
292 | #define ERROR277 277 | ||||
293 | #define IKE278 278 | ||||
294 | #define MAIN279 279 | ||||
295 | #define QUICK280 280 | ||||
296 | #define AGGRESSIVE281 281 | ||||
297 | #define PASSIVE282 282 | ||||
298 | #define ACTIVE283 283 | ||||
299 | #define ANY284 284 | ||||
300 | #define IPIP285 285 | ||||
301 | #define IPCOMP286 286 | ||||
302 | #define COMPXF287 287 | ||||
303 | #define TUNNEL288 288 | ||||
304 | #define TRANSPORT289 289 | ||||
305 | #define DYNAMIC290 290 | ||||
306 | #define LIFETIME291 291 | ||||
307 | #define TYPE292 292 | ||||
308 | #define DENY293 293 | ||||
309 | #define BYPASS294 294 | ||||
310 | #define LOCAL295 295 | ||||
311 | #define PROTO296 296 | ||||
312 | #define USE297 297 | ||||
313 | #define ACQUIRE298 298 | ||||
314 | #define REQUIRE299 299 | ||||
315 | #define DONTACQ300 300 | ||||
316 | #define GROUP301 301 | ||||
317 | #define PORT302 302 | ||||
318 | #define TAG303 303 | ||||
319 | #define INCLUDE304 304 | ||||
320 | #define BUNDLE305 305 | ||||
321 | #define UDPENCAP306 306 | ||||
322 | #define STRING307 307 | ||||
323 | #define NUMBER308 308 | ||||
324 | #define YYERRCODE256 256 | ||||
325 | const short yylhs[] = | ||||
326 | { -1, | ||||
327 | 0, 0, 0, 0, 0, 0, 0, 0, 0, 38, | ||||
328 | 38, 32, 36, 35, 34, 33, 3, 3, 3, 3, | ||||
329 | 3, 4, 4, 4, 4, 5, 5, 6, 6, 6, | ||||
330 | 2, 2, 2, 7, 7, 8, 8, 9, 9, 10, | ||||
331 | 10, 10, 10, 10, 11, 11, 12, 12, 14, 14, | ||||
332 | 15, 15, 13, 13, 13, 13, 16, 16, 16, 16, | ||||
333 | 27, 27, 27, 27, 27, 27, 27, 17, 18, 18, | ||||
334 | 19, 19, 19, 40, 24, 24, 39, 39, 41, 41, | ||||
335 | 41, 41, 29, 29, 29, 30, 30, 28, 28, 28, | ||||
336 | 20, 20, 21, 21, 22, 22, 23, 23, 25, 25, | ||||
337 | 25, 25, 26, 26, 26, 31, 31, 1, 1, 37, | ||||
338 | }; | ||||
339 | const short yylen[] = | ||||
340 | { 2, | ||||
341 | 0, 3, 2, 3, 3, 3, 3, 3, 3, 1, | ||||
342 | 0, 2, 4, 9, 8, 12, 0, 1, 1, 1, | ||||
343 | 1, 0, 2, 2, 2, 1, 1, 0, 1, 1, | ||||
344 | 0, 1, 1, 6, 6, 0, 2, 1, 1, 0, | ||||
345 | 4, 4, 2, 2, 1, 1, 0, 1, 1, 3, | ||||
346 | 1, 3, 1, 4, 1, 3, 0, 4, 2, 2, | ||||
347 | 0, 2, 2, 2, 2, 2, 2, 1, 2, 2, | ||||
348 | 0, 1, 3, 0, 2, 0, 2, 1, 2, 2, | ||||
349 | 2, 2, 0, 3, 3, 0, 3, 0, 2, 2, | ||||
350 | 0, 2, 0, 2, 0, 2, 1, 2, 0, 1, | ||||
351 | 1, 1, 0, 1, 2, 0, 2, 2, 1, 3, | ||||
352 | }; | ||||
353 | const short yydefred[] = | ||||
354 | { 1, | ||||
355 | 0, 0, 0, 18, 19, 0, 0, 21, 20, 0, | ||||
356 | 0, 3, 0, 0, 0, 0, 0, 0, 0, 9, | ||||
357 | 0, 0, 0, 0, 100, 102, 101, 0, 12, 0, | ||||
358 | 29, 30, 0, 2, 4, 5, 6, 7, 8, 32, | ||||
359 | 33, 0, 55, 0, 0, 0, 0, 0, 0, 0, | ||||
360 | 0, 109, 0, 0, 0, 0, 0, 49, 0, 0, | ||||
361 | 0, 0, 0, 69, 70, 0, 13, 0, 108, 0, | ||||
362 | 24, 25, 26, 27, 23, 0, 52, 10, 56, 0, | ||||
363 | 38, 39, 37, 0, 0, 0, 0, 97, 92, 0, | ||||
364 | 0, 0, 0, 0, 0, 50, 0, 54, 0, 98, | ||||
365 | 0, 0, 0, 0, 46, 48, 0, 45, 0, 0, | ||||
366 | 0, 0, 34, 35, 0, 73, 0, 0, 0, 0, | ||||
367 | 0, 0, 78, 0, 0, 68, 0, 60, 0, 15, | ||||
368 | 0, 0, 0, 0, 0, 79, 80, 81, 82, 77, | ||||
369 | 41, 42, 0, 65, 66, 62, 63, 64, 67, 0, | ||||
370 | 0, 0, 0, 94, 0, 14, 58, 0, 84, 85, | ||||
371 | 0, 0, 96, 90, 89, 87, 104, 0, 0, 105, | ||||
372 | 0, 16, 107, | ||||
373 | }; | ||||
374 | const short yydgoto[] = | ||||
375 | { 1, | ||||
376 | 53, 42, 13, 56, 75, 33, 24, 61, 83, 95, | ||||
377 | 107, 108, 46, 59, 47, 112, 127, 50, 92, 67, | ||||
378 | 135, 156, 89, 103, 28, 169, 130, 159, 133, 153, | ||||
379 | 172, 14, 15, 16, 17, 18, 19, 80, 122, 104, | ||||
380 | 123, | ||||
381 | }; | ||||
382 | const short yysindex[] = | ||||
383 | { 0, | ||||
384 | 50, 15, -194, 0, 0, -179, -182, 0, 0, -265, | ||||
385 | 19, 0, -260, 73, 84, 89, 93, 97, 101, 0, | ||||
386 | -238, -118, -118, -152, 0, 0, 0, -194, 0, -184, | ||||
387 | 0, 0, -179, 0, 0, 0, 0, 0, 0, 0, | ||||
388 | 0, -155, 0, 95, -118, -162, 103, -162, -190, -128, | ||||
389 | -260, 0, -160, -152, -245, -179, -163, 0, -35, -178, | ||||
390 | -119, -159, -108, 0, 0, -236, 0, -155, 0, -154, | ||||
391 | 0, 0, 0, 0, 0, -222, 0, 0, 0, -118, | ||||
392 | 0, 0, 0, -118, 112, -118, -153, 0, 0, -179, | ||||
393 | -151, 0, -271, -150, -135, 0, -162, 0, -162, 0, | ||||
394 | -222, -149, -128, -191, 0, 0, -140, 0, -106, -147, | ||||
395 | -147, -134, 0, 0, -167, 0, -112, -145, -144, -143, | ||||
396 | -142, -191, 0, -150, -271, 0, -100, 0, -172, 0, | ||||
397 | 0, 0, -111, -236, -133, 0, 0, 0, 0, 0, | ||||
398 | 0, 0, -147, 0, 0, 0, 0, 0, 0, -121, | ||||
399 | -121, 0, -135, 0, -136, 0, 0, -171, 0, 0, | ||||
400 | -121, -130, 0, 0, 0, 0, 0, -132, -129, 0, | ||||
401 | -131, 0, 0,}; | ||||
402 | const short yyrindex[] = | ||||
403 | { 0, | ||||
404 | -183, 0, -215, 0, 0, 0, -241, 0, 0, 0, | ||||
405 | 0, 0, -161, 0, 0, 0, 0, 0, 0, 0, | ||||
406 | -226, 0, 0, 0, 0, 0, 0, -201, 0, 0, | ||||
407 | 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, | ||||
408 | 0, -156, 0, -10, 0, -92, 10, -81, 0, 168, | ||||
409 | -207, 0, 169, 0, 0, 0, 0, 0, -116, 0, | ||||
410 | 0, 0, 0, 0, 0, 0, 0, -156, 0, 46, | ||||
411 | 0, 0, 0, 0, 0, -4, 0, 0, 0, 0, | ||||
412 | 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, | ||||
413 | 66, 83, 139, 170, -6, 0, 106, 0, 106, 0, | ||||
414 | 235, 0, -9, 0, 0, 0, 190, 0, 208, 0, | ||||
415 | 0, 171, 0, 0, 114, 0, -7, 0, 0, 0, | ||||
416 | 0, 57, 0, 217, 217, 0, 110, 0, 0, 0, | ||||
417 | 124, 124, 255, 0, 172, 0, 0, 0, 0, 0, | ||||
418 | 0, 0, 0, 0, 0, 0, 0, 0, 0, 239, | ||||
419 | 239, 177, -2, 0, 0, 0, 0, 0, 0, 0, | ||||
420 | 263, -8, 0, 0, 0, 0, 0, 0, 173, 0, | ||||
421 | 0, 0, 0,}; | ||||
422 | const short yygindex[] = | ||||
423 | { 0, | ||||
424 | 0, 0, 13, 116, 0, 134, -21, -38, 0, 85, | ||||
425 | 63, -72, -12, 0, 128, 39, -90, 140, 0, 90, | ||||
426 | 0, 0, 61, -54, 0, 0, 0, -124, 0, 0, | ||||
427 | 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, | ||||
428 | 74, | ||||
429 | }; | ||||
430 | #define YYTABLESIZE566 566 | ||||
431 | const short yytable[] = | ||||
432 | { 51, | ||||
433 | 91, 103, 93, 57, 45, 40, 11, 57, 78, 63, | ||||
434 | 48, 54, 105, 71, 72, 21, 99, 99, 99, 53, | ||||
435 | 128, 109, 40, 99, 20, 41, 160, 31, 32, 51, | ||||
436 | 51, 31, 58, 51, 76, 106, 166, 87, 31, 93, | ||||
437 | 51, 29, 17, 99, 99, 17, 99, 99, 17, 17, | ||||
438 | 28, 141, 157, 53, 99, 71, 17, 28, 113, 12, | ||||
439 | 114, 73, 74, 17, 4, 5, 75, 96, 101, 31, | ||||
440 | 88, 97, 94, 99, 17, 72, 150, 151, 22, 30, | ||||
441 | 17, 17, 34, 118, 119, 23, 17, 17, 28, 79, | ||||
442 | 8, 9, 76, 35, 17, 120, 28, 161, 36, 25, | ||||
443 | 26, 22, 37, 28, 17, 17, 38, 27, 22, 121, | ||||
444 | 39, 131, 51, 132, 51, 36, 64, 65, 49, 59, | ||||
445 | 144, 145, 52, 83, 146, 147, 148, 149, 81, 82, | ||||
446 | 110, 111, 53, 76, 53, 164, 165, 167, 168, 60, | ||||
447 | 55, 57, 62, 66, 77, 84, 69, 44, 47, 86, | ||||
448 | 102, 91, 98, 100, 124, 125, 106, 129, 116, 126, | ||||
449 | 134, 136, 137, 138, 139, 43, 143, 11, 152, 158, | ||||
450 | 163, 155, 36, 171, 170, 173, 36, 91, 110, 47, | ||||
451 | 61, 95, 106, 90, 68, 115, 76, 142, 44, 85, | ||||
452 | 11, 162, 117, 70, 154, 140, 0, 0, 0, 43, | ||||
453 | 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, | ||||
454 | 0, 0, 0, 0, 0, 0, 0, 44, 0, 0, | ||||
455 | 0, 0, 0, 0, 0, 0, 47, 0, 0, 0, | ||||
456 | 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, | ||||
457 | 0, 0, 0, 0, 40, 0, 0, 51, 88, 0, | ||||
458 | 0, 51, 0, 0, 51, 51, 51, 51, 51, 0, | ||||
459 | 51, 40, 40, 91, 86, 57, 57, 53, 51, 51, | ||||
460 | 51, 53, 88, 51, 53, 53, 53, 53, 53, 0, | ||||
461 | 53, 51, 0, 0, 51, 57, 0, 40, 53, 53, | ||||
462 | 53, 51, 51, 53, 103, 91, 51, 93, 0, 0, | ||||
463 | 57, 53, 0, 0, 53, 2, 3, 0, 4, 5, | ||||
464 | 0, 53, 53, 0, 0, 0, 53, 71, 71, 6, | ||||
465 | 71, 71, 75, 75, 75, 75, 0, 7, 75, 75, | ||||
466 | 0, 0, 71, 0, 8, 9, 75, 72, 72, 0, | ||||
467 | 72, 72, 0, 0, 0, 0, 71, 75, 0, 0, | ||||
468 | 71, 0, 72, 10, 76, 76, 11, 74, 74, 75, | ||||
469 | 0, 75, 0, 0, 0, 0, 72, 36, 0, 74, | ||||
470 | 72, 36, 36, 36, 36, 0, 36, 59, 59, 83, | ||||
471 | 83, 83, 83, 74, 36, 36, 36, 76, 0, 76, | ||||
472 | 76, 76, 76, 83, 0, 0, 0, 36, 74, 74, | ||||
473 | 36, 59, 0, 76, 47, 47, 47, 47, 36, 0, | ||||
474 | 74, 0, 59, 0, 76, 0, 83, 47, 47, 47, | ||||
475 | 0, 0, 0, 0, 74, 0, 76, 0, 0, 0, | ||||
476 | 47, 47, 0, 47, 0, 47, 47, 47, 47, 0, | ||||
477 | 0, 47, 76, 76, 76, 76, 0, 0, 47, 47, | ||||
478 | 47, 74, 74, 0, 0, 43, 43, 43, 43, 0, | ||||
479 | 0, 47, 0, 74, 0, 0, 0, 76, 43, 43, | ||||
480 | 43, 0, 47, 44, 44, 44, 44, 74, 0, 76, | ||||
481 | 0, 43, 47, 47, 47, 47, 44, 44, 44, 0, | ||||
482 | 0, 0, 43, 0, 0, 47, 47, 47, 0, 44, | ||||
483 | 40, 40, 40, 40, 88, 88, 88, 88, 47, 0, | ||||
484 | 44, 0, 0, 40, 40, 40, 0, 0, 88, 47, | ||||
485 | 86, 86, 86, 86, 0, 0, 0, 0, 88, 88, | ||||
486 | 88, 88, 0, 0, 0, 0, 0, 40, 0, 0, | ||||
487 | 0, 88, 0, 0, 0, 0, 0, 0, 0, 0, | ||||
488 | 0, 0, 0, 0, 0, 0, 0, 86, 0, 0, | ||||
489 | 0, 0, 0, 0, 0, 88, | ||||
490 | }; | ||||
491 | const short yycheck[] = | ||||
492 | { 10, | ||||
493 | 10, 10, 10, 10, 123, 10, 123, 10, 44, 48, | ||||
494 | 23, 33, 284, 259, 260, 3, 258, 259, 260, 10, | ||||
495 | 111, 94, 261, 265, 10, 264, 151, 288, 289, 40, | ||||
496 | 41, 258, 45, 44, 56, 307, 161, 274, 265, 262, | ||||
497 | 28, 307, 258, 285, 286, 261, 288, 289, 264, 265, | ||||
498 | 258, 124, 143, 44, 296, 10, 258, 265, 97, 10, | ||||
499 | 99, 307, 308, 265, 259, 260, 10, 80, 90, 296, | ||||
500 | 307, 84, 295, 86, 258, 10, 131, 132, 258, 61, | ||||
501 | 296, 265, 10, 275, 276, 265, 288, 289, 296, 125, | ||||
502 | 285, 286, 10, 10, 296, 287, 258, 152, 10, 282, | ||||
503 | 283, 258, 10, 265, 288, 289, 10, 290, 265, 301, | ||||
504 | 10, 279, 123, 281, 125, 10, 307, 308, 271, 10, | ||||
505 | 293, 294, 307, 10, 297, 298, 299, 300, 307, 308, | ||||
506 | 266, 267, 123, 10, 125, 307, 308, 268, 269, 302, | ||||
507 | 296, 47, 40, 272, 308, 265, 307, 307, 10, 258, | ||||
508 | 302, 306, 41, 307, 295, 262, 307, 292, 308, 307, | ||||
509 | 273, 307, 307, 307, 307, 284, 267, 284, 280, 291, | ||||
510 | 307, 305, 265, 303, 307, 307, 258, 10, 10, 10, | ||||
511 | 10, 10, 10, 68, 51, 101, 10, 125, 307, 62, | ||||
512 | 307, 153, 103, 54, 134, 122, -1, -1, -1, 10, | ||||
513 | -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, | ||||
514 | -1, -1, -1, -1, -1, -1, -1, 10, -1, -1, | ||||
515 | -1, -1, -1, -1, -1, -1, 10, -1, -1, -1, | ||||
516 | -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, | ||||
517 | -1, -1, -1, -1, 10, -1, -1, 258, 10, -1, | ||||
518 | -1, 262, -1, -1, 265, 266, 267, 268, 269, -1, | ||||
519 | 271, 266, 267, 273, 10, 268, 269, 258, 279, 280, | ||||
520 | 281, 262, 10, 284, 265, 266, 267, 268, 269, -1, | ||||
521 | 271, 292, -1, -1, 295, 292, -1, 292, 279, 280, | ||||
522 | 281, 302, 303, 284, 303, 305, 307, 305, -1, -1, | ||||
523 | 303, 292, -1, -1, 295, 256, 257, -1, 259, 260, | ||||
524 | -1, 302, 303, -1, -1, -1, 307, 272, 273, 270, | ||||
525 | 275, 276, 266, 267, 268, 269, -1, 278, 272, 273, | ||||
526 | -1, -1, 287, -1, 285, 286, 280, 272, 273, -1, | ||||
527 | 275, 276, -1, -1, -1, -1, 301, 291, -1, -1, | ||||
528 | 305, -1, 287, 304, 272, 273, 307, 275, 276, 303, | ||||
529 | -1, 305, -1, -1, -1, -1, 301, 262, -1, 287, | ||||
530 | 305, 266, 267, 268, 269, -1, 271, 268, 269, 266, | ||||
531 | 267, 268, 269, 301, 279, 280, 281, 305, -1, 266, | ||||
532 | 267, 268, 269, 280, -1, -1, -1, 292, 275, 276, | ||||
533 | 295, 292, -1, 280, 266, 267, 268, 269, 303, -1, | ||||
534 | 287, -1, 303, -1, 291, -1, 303, 279, 280, 281, | ||||
535 | -1, -1, -1, -1, 301, -1, 303, -1, -1, -1, | ||||
536 | 292, 262, -1, 295, -1, 266, 267, 268, 269, -1, | ||||
537 | -1, 303, 266, 267, 268, 269, -1, -1, 279, 280, | ||||
538 | 281, 275, 276, -1, -1, 266, 267, 268, 269, -1, | ||||
539 | -1, 292, -1, 287, -1, -1, -1, 291, 279, 280, | ||||
540 | 281, -1, 303, 266, 267, 268, 269, 301, -1, 303, | ||||
541 | -1, 292, 266, 267, 268, 269, 279, 280, 281, -1, | ||||
542 | -1, -1, 303, -1, -1, 279, 280, 281, -1, 292, | ||||
543 | 266, 267, 268, 269, 266, 267, 268, 269, 292, -1, | ||||
544 | 303, -1, -1, 279, 280, 281, -1, -1, 280, 303, | ||||
545 | 266, 267, 268, 269, -1, -1, -1, -1, 266, 267, | ||||
546 | 268, 269, -1, -1, -1, -1, -1, 303, -1, -1, | ||||
547 | -1, 303, -1, -1, -1, -1, -1, -1, -1, -1, | ||||
548 | -1, -1, -1, -1, -1, -1, -1, 303, -1, -1, | ||||
549 | -1, -1, -1, -1, -1, 303, | ||||
550 | }; | ||||
551 | #define YYFINAL1 1 | ||||
552 | #ifndef YYDEBUG0 | ||||
553 | #define YYDEBUG0 0 | ||||
554 | #endif | ||||
555 | #define YYMAXTOKEN308 308 | ||||
556 | #if YYDEBUG0 | ||||
557 | const char * const yyname[] = | ||||
558 | { | ||||
559 | "end-of-file",0,0,0,0,0,0,0,0,0,"'\\n'",0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0, | ||||
560 | 0,0,0,0,0,0,0,0,0,"'('","')'",0,0,"','",0,0,"'/'",0,0,0,0,0,0,0,0,0,0,0,0,0, | ||||
561 | "'='",0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0, | ||||
562 | 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,"'{'",0,"'}'",0,0,0,0,0,0,0,0,0, | ||||
563 | 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0, | ||||
564 | 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0, | ||||
565 | 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0, | ||||
566 | 0,0,"FLOW","FROM","ESP","AH","IN","PEER","ON","OUT","TO","SRCID","DSTID","RSA", | ||||
567 | "PSK","TCPMD5","SPI","AUTHKEY","ENCKEY","FILENAME","AUTHXF","ENCXF","ERROR", | ||||
568 | "IKE","MAIN","QUICK","AGGRESSIVE","PASSIVE","ACTIVE","ANY","IPIP","IPCOMP", | ||||
569 | "COMPXF","TUNNEL","TRANSPORT","DYNAMIC","LIFETIME","TYPE","DENY","BYPASS", | ||||
570 | "LOCAL","PROTO","USE","ACQUIRE","REQUIRE","DONTACQ","GROUP","PORT","TAG", | ||||
571 | "INCLUDE","BUNDLE","UDPENCAP","STRING","NUMBER", | ||||
572 | }; | ||||
573 | const char * const yyrule[] = | ||||
574 | {"$accept : grammar", | ||||
575 | "grammar :", | ||||
576 | "grammar : grammar include '\\n'", | ||||
577 | "grammar : grammar '\\n'", | ||||
578 | "grammar : grammar ikerule '\\n'", | ||||
579 | "grammar : grammar flowrule '\\n'", | ||||
580 | "grammar : grammar sarule '\\n'", | ||||
581 | "grammar : grammar tcpmd5rule '\\n'", | ||||
582 | "grammar : grammar varset '\\n'", | ||||
583 | "grammar : grammar error '\\n'", | ||||
584 | "comma : ','", | ||||
585 | "comma :", | ||||
586 | "include : INCLUDE STRING", | ||||
587 | "tcpmd5rule : TCPMD5 hosts spispec authkeyspec", | ||||
588 | "sarule : satype tmode hosts spispec udpencap transforms authkeyspec enckeyspec bundlestring", | ||||
589 | "flowrule : FLOW satype dir proto hosts peers ids type", | ||||
590 | "ikerule : IKE ikemode satype tmode proto hosts peers phase1mode phase2mode ids ikeauth tag", | ||||
591 | "satype :", | ||||
592 | "satype : ESP", | ||||
593 | "satype : AH", | ||||
594 | "satype : IPCOMP", | ||||
595 | "satype : IPIP", | ||||
596 | "proto :", | ||||
597 | "proto : PROTO protoval", | ||||
598 | "proto : PROTO ESP", | ||||
599 | "proto : PROTO AH", | ||||
600 | "protoval : STRING", | ||||
601 | "protoval : NUMBER", | ||||
602 | "tmode :", | ||||
603 | "tmode : TUNNEL", | ||||
604 | "tmode : TRANSPORT", | ||||
605 | "dir :", | ||||
606 | "dir : IN", | ||||
607 | "dir : OUT", | ||||
608 | "hosts : FROM host port TO host port", | ||||
609 | "hosts : TO host port FROM host port", | ||||
610 | "port :", | ||||
611 | "port : PORT portval", | ||||
612 | "portval : STRING", | ||||
613 | "portval : NUMBER", | ||||
614 | "peers :", | ||||
615 | "peers : PEER anyhost LOCAL singlehost", | ||||
616 | "peers : LOCAL singlehost PEER anyhost", | ||||
617 | "peers : PEER anyhost", | ||||
618 | "peers : LOCAL singlehost", | ||||
619 | "anyhost : singlehost", | ||||
620 | "anyhost : ANY", | ||||
621 | "singlehost :", | ||||
622 | "singlehost : STRING", | ||||
623 | "host_list : host", | ||||
624 | "host_list : host_list comma host", | ||||
625 | "host_spec : STRING", | ||||
626 | "host_spec : STRING '/' NUMBER", | ||||
627 | "host : host_spec", | ||||
628 | "host : host_spec '(' host_spec ')'", | ||||
629 | "host : ANY", | ||||
630 | "host : '{' host_list '}'", | ||||
631 | "ids :", | ||||
632 | "ids : SRCID id DSTID id", | ||||
633 | "ids : SRCID id", | ||||
634 | "ids : DSTID id", | ||||
635 | "type :", | ||||
636 | "type : TYPE USE", | ||||
637 | "type : TYPE ACQUIRE", | ||||
638 | "type : TYPE REQUIRE", | ||||
639 | "type : TYPE DENY", | ||||
640 | "type : TYPE BYPASS", | ||||
641 | "type : TYPE DONTACQ", | ||||
642 | "id : STRING", | ||||
643 | "spispec : SPI STRING", | ||||
644 | "spispec : SPI NUMBER", | ||||
645 | "udpencap :", | ||||
646 | "udpencap : UDPENCAP", | ||||
647 | "udpencap : UDPENCAP PORT NUMBER", | ||||
648 | "$$1 :", | ||||
649 | "transforms : $$1 transforms_l", | ||||
650 | "transforms :", | ||||
651 | "transforms_l : transforms_l transform", | ||||
652 | "transforms_l : transform", | ||||
653 | "transform : AUTHXF STRING", | ||||
654 | "transform : ENCXF STRING", | ||||
655 | "transform : COMPXF STRING", | ||||
656 | "transform : GROUP STRING", | ||||
657 | "phase1mode :", | ||||
658 | "phase1mode : MAIN transforms lifetime", | ||||
659 | "phase1mode : AGGRESSIVE transforms lifetime", | ||||
660 | "phase2mode :", | ||||
661 | "phase2mode : QUICK transforms lifetime", | ||||
662 | "lifetime :", | ||||
663 | "lifetime : LIFETIME NUMBER", | ||||
664 | "lifetime : LIFETIME STRING", | ||||
665 | "authkeyspec :", | ||||
666 | "authkeyspec : AUTHKEY keyspec", | ||||
667 | "enckeyspec :", | ||||
668 | "enckeyspec : ENCKEY keyspec", | ||||
669 | "bundlestring :", | ||||
670 | "bundlestring : BUNDLE STRING", | ||||
671 | "keyspec : STRING", | ||||
672 | "keyspec : FILENAME STRING", | ||||
673 | "ikemode :", | ||||
674 | "ikemode : PASSIVE", | ||||
675 | "ikemode : DYNAMIC", | ||||
676 | "ikemode : ACTIVE", | ||||
677 | "ikeauth :", | ||||
678 | "ikeauth : RSA", | ||||
679 | "ikeauth : PSK STRING", | ||||
680 | "tag :", | ||||
681 | "tag : TAG STRING", | ||||
682 | "string : string STRING", | ||||
683 | "string : STRING", | ||||
684 | "varset : STRING '=' string", | ||||
685 | }; | ||||
686 | #endif | ||||
687 | #ifdef YYSTACKSIZE10000 | ||||
688 | #undef YYMAXDEPTH10000 | ||||
689 | #define YYMAXDEPTH10000 YYSTACKSIZE10000 | ||||
690 | #else | ||||
691 | #ifdef YYMAXDEPTH10000 | ||||
692 | #define YYSTACKSIZE10000 YYMAXDEPTH10000 | ||||
693 | #else | ||||
694 | #define YYSTACKSIZE10000 10000 | ||||
695 | #define YYMAXDEPTH10000 10000 | ||||
696 | #endif | ||||
697 | #endif | ||||
698 | #define YYINITSTACKSIZE200 200 | ||||
699 | /* LINTUSED */ | ||||
700 | int yydebug; | ||||
701 | int yynerrs; | ||||
702 | int yyerrflag; | ||||
703 | int yychar; | ||||
704 | short *yyssp; | ||||
705 | YYSTYPE *yyvsp; | ||||
706 | YYSTYPE yyval; | ||||
707 | YYSTYPE yylval; | ||||
708 | short *yyss; | ||||
709 | short *yysslim; | ||||
710 | YYSTYPE *yyvs; | ||||
711 | unsigned int yystacksize; | ||||
712 | int yyparse(void); | ||||
713 | #line 945 "/usr/src/sbin/ipsecctl/parse.y" | ||||
714 | |||||
715 | struct keywords { | ||||
716 | const char *k_name; | ||||
717 | int k_val; | ||||
718 | }; | ||||
719 | |||||
720 | int | ||||
721 | yyerror(const char *fmt, ...) | ||||
722 | { | ||||
723 | va_list ap; | ||||
724 | |||||
725 | file->errors++; | ||||
726 | va_start(ap, fmt)__builtin_va_start(ap, fmt); | ||||
727 | fprintf(stderr(&__sF[2]), "%s: %d: ", file->name, yylval.lineno); | ||||
728 | vfprintf(stderr(&__sF[2]), fmt, ap); | ||||
729 | fprintf(stderr(&__sF[2]), "\n"); | ||||
730 | va_end(ap)__builtin_va_end(ap); | ||||
731 | return (0); | ||||
732 | } | ||||
733 | |||||
734 | int | ||||
735 | yywarn(const char *fmt, ...) | ||||
736 | { | ||||
737 | va_list ap; | ||||
738 | |||||
739 | va_start(ap, fmt)__builtin_va_start(ap, fmt); | ||||
740 | fprintf(stderr(&__sF[2]), "%s: %d: ", file->name, yylval.lineno); | ||||
741 | vfprintf(stderr(&__sF[2]), fmt, ap); | ||||
742 | fprintf(stderr(&__sF[2]), "\n"); | ||||
743 | va_end(ap)__builtin_va_end(ap); | ||||
744 | return (0); | ||||
745 | } | ||||
746 | |||||
747 | int | ||||
748 | kw_cmp(const void *k, const void *e) | ||||
749 | { | ||||
750 | return (strcmp(k, ((const struct keywords *)e)->k_name)); | ||||
751 | } | ||||
752 | |||||
753 | int | ||||
754 | lookup(char *s) | ||||
755 | { | ||||
756 | /* this has to be sorted always */ | ||||
757 | static const struct keywords keywords[] = { | ||||
758 | { "acquire", ACQUIRE298 }, | ||||
759 | { "active", ACTIVE283 }, | ||||
760 | { "aggressive", AGGRESSIVE281 }, | ||||
761 | { "ah", AH260 }, | ||||
762 | { "any", ANY284 }, | ||||
763 | { "auth", AUTHXF275 }, | ||||
764 | { "authkey", AUTHKEY272 }, | ||||
765 | { "bundle", BUNDLE305 }, | ||||
766 | { "bypass", BYPASS294 }, | ||||
767 | { "comp", COMPXF287 }, | ||||
768 | { "deny", DENY293 }, | ||||
769 | { "dontacq", DONTACQ300 }, | ||||
770 | { "dstid", DSTID267 }, | ||||
771 | { "dynamic", DYNAMIC290 }, | ||||
772 | { "enc", ENCXF276 }, | ||||
773 | { "enckey", ENCKEY273 }, | ||||
774 | { "esp", ESP259 }, | ||||
775 | { "file", FILENAME274 }, | ||||
776 | { "flow", FLOW257 }, | ||||
777 | { "from", FROM258 }, | ||||
778 | { "group", GROUP301 }, | ||||
779 | { "ike", IKE278 }, | ||||
780 | { "in", IN261 }, | ||||
781 | { "include", INCLUDE304 }, | ||||
782 | { "ipcomp", IPCOMP286 }, | ||||
783 | { "ipip", IPIP285 }, | ||||
784 | { "lifetime", LIFETIME291 }, | ||||
785 | { "local", LOCAL295 }, | ||||
786 | { "main", MAIN279 }, | ||||
787 | { "out", OUT264 }, | ||||
788 | { "passive", PASSIVE282 }, | ||||
789 | { "peer", PEER262 }, | ||||
790 | { "port", PORT302 }, | ||||
791 | { "proto", PROTO296 }, | ||||
792 | { "psk", PSK269 }, | ||||
793 | { "quick", QUICK280 }, | ||||
794 | { "require", REQUIRE299 }, | ||||
795 | { "rsa", RSA268 }, | ||||
796 | { "spi", SPI271 }, | ||||
797 | { "srcid", SRCID266 }, | ||||
798 | { "tag", TAG303 }, | ||||
799 | { "tcpmd5", TCPMD5270 }, | ||||
800 | { "to", TO265 }, | ||||
801 | { "transport", TRANSPORT289 }, | ||||
802 | { "tunnel", TUNNEL288 }, | ||||
803 | { "type", TYPE292 }, | ||||
804 | { "udpencap", UDPENCAP306 }, | ||||
805 | { "use", USE297 } | ||||
806 | }; | ||||
807 | const struct keywords *p; | ||||
808 | |||||
809 | p = bsearch(s, keywords, sizeof(keywords)/sizeof(keywords[0]), | ||||
810 | sizeof(keywords[0]), kw_cmp); | ||||
811 | |||||
812 | if (p) { | ||||
813 | if (debug > 1) | ||||
814 | fprintf(stderr(&__sF[2]), "%s: %d\n", s, p->k_val); | ||||
815 | return (p->k_val); | ||||
816 | } else { | ||||
817 | if (debug > 1) | ||||
818 | fprintf(stderr(&__sF[2]), "string: %s\n", s); | ||||
819 | return (STRING307); | ||||
820 | } | ||||
821 | } | ||||
822 | |||||
823 | #define MAXPUSHBACK128 128 | ||||
824 | |||||
825 | char *parsebuf; | ||||
826 | int parseindex; | ||||
827 | char pushback_buffer[MAXPUSHBACK128]; | ||||
828 | int pushback_index = 0; | ||||
829 | |||||
830 | int | ||||
831 | lgetc(int quotec) | ||||
832 | { | ||||
833 | int c, next; | ||||
834 | |||||
835 | if (parsebuf) { | ||||
836 | /* Read character from the parsebuffer instead of input. */ | ||||
837 | if (parseindex >= 0) { | ||||
838 | c = (unsigned char)parsebuf[parseindex++]; | ||||
839 | if (c != '\0') | ||||
840 | return (c); | ||||
841 | parsebuf = NULL((void *)0); | ||||
842 | } else | ||||
843 | parseindex++; | ||||
844 | } | ||||
845 | |||||
846 | if (pushback_index) | ||||
847 | return ((unsigned char)pushback_buffer[--pushback_index]); | ||||
848 | |||||
849 | if (quotec) { | ||||
850 | if ((c = getc(file->stream)(!__isthreaded ? (--(file->stream)->_r < 0 ? __srget (file->stream) : (int)(*(file->stream)->_p++)) : (getc )(file->stream))) == EOF(-1)) { | ||||
851 | yyerror("reached end of file while parsing quoted string"); | ||||
852 | if (file == topfile || popfile() == EOF(-1)) | ||||
853 | return (EOF(-1)); | ||||
854 | return (quotec); | ||||
855 | } | ||||
856 | return (c); | ||||
857 | } | ||||
858 | |||||
859 | while ((c = getc(file->stream)(!__isthreaded ? (--(file->stream)->_r < 0 ? __srget (file->stream) : (int)(*(file->stream)->_p++)) : (getc )(file->stream))) == '\\') { | ||||
860 | next = getc(file->stream)(!__isthreaded ? (--(file->stream)->_r < 0 ? __srget (file->stream) : (int)(*(file->stream)->_p++)) : (getc )(file->stream)); | ||||
861 | if (next != '\n') { | ||||
862 | c = next; | ||||
863 | break; | ||||
864 | } | ||||
865 | yylval.lineno = file->lineno; | ||||
866 | file->lineno++; | ||||
867 | } | ||||
868 | |||||
869 | while (c == EOF(-1)) { | ||||
870 | if (file == topfile || popfile() == EOF(-1)) | ||||
871 | return (EOF(-1)); | ||||
872 | c = getc(file->stream)(!__isthreaded ? (--(file->stream)->_r < 0 ? __srget (file->stream) : (int)(*(file->stream)->_p++)) : (getc )(file->stream)); | ||||
873 | } | ||||
874 | return (c); | ||||
875 | } | ||||
876 | |||||
877 | int | ||||
878 | lungetc(int c) | ||||
879 | { | ||||
880 | if (c == EOF(-1)) | ||||
881 | return (EOF(-1)); | ||||
882 | if (parsebuf) { | ||||
883 | parseindex--; | ||||
884 | if (parseindex >= 0) | ||||
885 | return (c); | ||||
886 | } | ||||
887 | if (pushback_index + 1 >= MAXPUSHBACK128) | ||||
888 | return (EOF(-1)); | ||||
889 | pushback_buffer[pushback_index++] = c; | ||||
890 | return (c); | ||||
891 | } | ||||
892 | |||||
893 | int | ||||
894 | findeol(void) | ||||
895 | { | ||||
896 | int c; | ||||
897 | |||||
898 | parsebuf = NULL((void *)0); | ||||
899 | |||||
900 | /* skip to either EOF or the first real EOL */ | ||||
901 | while (1) { | ||||
902 | if (pushback_index) | ||||
903 | c = (unsigned char)pushback_buffer[--pushback_index]; | ||||
904 | else | ||||
905 | c = lgetc(0); | ||||
906 | if (c == '\n') { | ||||
907 | file->lineno++; | ||||
908 | break; | ||||
909 | } | ||||
910 | if (c == EOF(-1)) | ||||
911 | break; | ||||
912 | } | ||||
913 | return (ERROR277); | ||||
914 | } | ||||
915 | |||||
916 | int | ||||
917 | yylex(void) | ||||
918 | { | ||||
919 | char buf[8096]; | ||||
920 | char *p, *val; | ||||
921 | int quotec, next, c; | ||||
922 | int token; | ||||
923 | |||||
924 | top: | ||||
925 | p = buf; | ||||
926 | while ((c = lgetc(0)) == ' ' || c == '\t') | ||||
927 | ; /* nothing */ | ||||
928 | |||||
929 | yylval.lineno = file->lineno; | ||||
930 | if (c == '#') | ||||
931 | while ((c = lgetc(0)) != '\n' && c != EOF(-1)) | ||||
932 | ; /* nothing */ | ||||
933 | if (c == '$' && parsebuf == NULL((void *)0)) { | ||||
934 | while (1) { | ||||
935 | if ((c = lgetc(0)) == EOF(-1)) | ||||
936 | return (0); | ||||
937 | |||||
938 | if (p + 1 >= buf + sizeof(buf) - 1) { | ||||
939 | yyerror("string too long"); | ||||
940 | return (findeol()); | ||||
941 | } | ||||
942 | if (isalnum(c) || c == '_') { | ||||
943 | *p++ = c; | ||||
944 | continue; | ||||
945 | } | ||||
946 | *p = '\0'; | ||||
947 | lungetc(c); | ||||
948 | break; | ||||
949 | } | ||||
950 | val = symget(buf); | ||||
951 | if (val == NULL((void *)0)) { | ||||
952 | yyerror("macro '%s' not defined", buf); | ||||
953 | return (findeol()); | ||||
954 | } | ||||
955 | parsebuf = val; | ||||
956 | parseindex = 0; | ||||
957 | goto top; | ||||
958 | } | ||||
959 | |||||
960 | switch (c) { | ||||
961 | case '\'': | ||||
962 | case '"': | ||||
963 | quotec = c; | ||||
964 | while (1) { | ||||
965 | if ((c = lgetc(quotec)) == EOF(-1)) | ||||
966 | return (0); | ||||
967 | if (c == '\n') { | ||||
968 | file->lineno++; | ||||
969 | continue; | ||||
970 | } else if (c == '\\') { | ||||
971 | if ((next = lgetc(quotec)) == EOF(-1)) | ||||
972 | return (0); | ||||
973 | if (next == quotec || next == ' ' || | ||||
974 | next == '\t') | ||||
975 | c = next; | ||||
976 | else if (next == '\n') { | ||||
977 | file->lineno++; | ||||
978 | continue; | ||||
979 | } else | ||||
980 | lungetc(next); | ||||
981 | } else if (c == quotec) { | ||||
982 | *p = '\0'; | ||||
983 | break; | ||||
984 | } else if (c == '\0') { | ||||
985 | yyerror("syntax error"); | ||||
986 | return (findeol()); | ||||
987 | } | ||||
988 | if (p + 1 >= buf + sizeof(buf) - 1) { | ||||
989 | yyerror("string too long"); | ||||
990 | return (findeol()); | ||||
991 | } | ||||
992 | *p++ = c; | ||||
993 | } | ||||
994 | yylval.v.string = strdup(buf); | ||||
995 | if (yylval.v.string == NULL((void *)0)) | ||||
996 | err(1, "%s", __func__); | ||||
997 | return (STRING307); | ||||
998 | } | ||||
999 | |||||
1000 | #define allowed_to_end_number(x)(isspace(x) || x == ')' || x ==',' || x == '/' || x == '}' || x == '=') \ | ||||
1001 | (isspace(x) || x == ')' || x ==',' || x == '/' || x == '}' || x == '=') | ||||
1002 | |||||
1003 | if (c == '-' || isdigit(c)) { | ||||
1004 | do { | ||||
1005 | *p++ = c; | ||||
1006 | if ((size_t)(p-buf) >= sizeof(buf)) { | ||||
1007 | yyerror("string too long"); | ||||
1008 | return (findeol()); | ||||
1009 | } | ||||
1010 | } while ((c = lgetc(0)) != EOF(-1) && isdigit(c)); | ||||
1011 | lungetc(c); | ||||
1012 | if (p == buf + 1 && buf[0] == '-') | ||||
1013 | goto nodigits; | ||||
1014 | if (c == EOF(-1) || allowed_to_end_number(c)(isspace(c) || c == ')' || c ==',' || c == '/' || c == '}' || c == '=')) { | ||||
1015 | const char *errstr = NULL((void *)0); | ||||
1016 | |||||
1017 | *p = '\0'; | ||||
1018 | yylval.v.number = strtonum(buf, LLONG_MIN(-9223372036854775807LL -1LL), | ||||
1019 | LLONG_MAX9223372036854775807LL, &errstr); | ||||
1020 | if (errstr) { | ||||
1021 | yyerror("\"%s\" invalid number: %s", | ||||
1022 | buf, errstr); | ||||
1023 | return (findeol()); | ||||
1024 | } | ||||
1025 | return (NUMBER308); | ||||
1026 | } else { | ||||
1027 | nodigits: | ||||
1028 | while (p > buf + 1) | ||||
1029 | lungetc((unsigned char)*--p); | ||||
1030 | c = (unsigned char)*--p; | ||||
1031 | if (c == '-') | ||||
1032 | return (c); | ||||
1033 | } | ||||
1034 | } | ||||
1035 | |||||
1036 | #define allowed_in_string(x)(isalnum(x) || (ispunct(x) && x != '(' && x != ')' && x != '{' && x != '}' && x != '<' && x != '>' && x != '!' && x != '=' && x != '/' && x != '#' && x != ',') ) \ | ||||
1037 | (isalnum(x) || (ispunct(x) && x != '(' && x != ')' && \ | ||||
1038 | x != '{' && x != '}' && x != '<' && x != '>' && \ | ||||
1039 | x != '!' && x != '=' && x != '/' && x != '#' && \ | ||||
1040 | x != ',')) | ||||
1041 | |||||
1042 | if (isalnum(c) || c == ':' || c == '_' || c == '*') { | ||||
1043 | do { | ||||
1044 | *p++ = c; | ||||
1045 | if ((size_t)(p-buf) >= sizeof(buf)) { | ||||
1046 | yyerror("string too long"); | ||||
1047 | return (findeol()); | ||||
1048 | } | ||||
1049 | } while ((c = lgetc(0)) != EOF(-1) && (allowed_in_string(c)(isalnum(c) || (ispunct(c) && c != '(' && c != ')' && c != '{' && c != '}' && c != '<' && c != '>' && c != '!' && c != '=' && c != '/' && c != '#' && c != ',') ))); | ||||
1050 | lungetc(c); | ||||
1051 | *p = '\0'; | ||||
1052 | if ((token = lookup(buf)) == STRING307) | ||||
1053 | if ((yylval.v.string = strdup(buf)) == NULL((void *)0)) | ||||
1054 | err(1, "%s", __func__); | ||||
1055 | return (token); | ||||
1056 | } | ||||
1057 | if (c == '\n') { | ||||
1058 | yylval.lineno = file->lineno; | ||||
1059 | file->lineno++; | ||||
1060 | } | ||||
1061 | if (c == EOF(-1)) | ||||
1062 | return (0); | ||||
1063 | return (c); | ||||
1064 | } | ||||
1065 | |||||
1066 | int | ||||
1067 | check_file_secrecy(int fd, const char *fname) | ||||
1068 | { | ||||
1069 | struct stat st; | ||||
1070 | |||||
1071 | if (fstat(fd, &st)) { | ||||
1072 | warn("cannot stat %s", fname); | ||||
1073 | return (-1); | ||||
1074 | } | ||||
1075 | if (st.st_uid != 0 && st.st_uid != getuid()) { | ||||
1076 | warnx("%s: owner not root or current user", fname); | ||||
1077 | return (-1); | ||||
1078 | } | ||||
1079 | if (st.st_mode & (S_IWGRP0000020 | S_IXGRP0000010 | S_IRWXO0000007)) { | ||||
1080 | warnx("%s: group writable or world read/writable", fname); | ||||
1081 | return (-1); | ||||
1082 | } | ||||
1083 | return (0); | ||||
1084 | } | ||||
1085 | |||||
1086 | struct file * | ||||
1087 | pushfile(const char *name, int secret) | ||||
1088 | { | ||||
1089 | struct file *nfile; | ||||
1090 | |||||
1091 | if ((nfile = calloc(1, sizeof(struct file))) == NULL((void *)0)) { | ||||
1092 | warn("%s", __func__); | ||||
1093 | return (NULL((void *)0)); | ||||
1094 | } | ||||
1095 | if ((nfile->name = strdup(name)) == NULL((void *)0)) { | ||||
1096 | warn("%s", __func__); | ||||
1097 | free(nfile); | ||||
1098 | return (NULL((void *)0)); | ||||
1099 | } | ||||
1100 | if (TAILQ_FIRST(&files)((&files)->tqh_first) == NULL((void *)0) && strcmp(nfile->name, "-") == 0) { | ||||
1101 | nfile->stream = stdin(&__sF[0]); | ||||
1102 | free(nfile->name); | ||||
1103 | if ((nfile->name = strdup("stdin")) == NULL((void *)0)) { | ||||
1104 | warn("%s", __func__); | ||||
1105 | free(nfile); | ||||
1106 | return (NULL((void *)0)); | ||||
1107 | } | ||||
1108 | } else if ((nfile->stream = fopen(nfile->name, "r")) == NULL((void *)0)) { | ||||
1109 | warn("%s: %s", __func__, nfile->name); | ||||
1110 | free(nfile->name); | ||||
1111 | free(nfile); | ||||
1112 | return (NULL((void *)0)); | ||||
1113 | } else if (secret && | ||||
1114 | check_file_secrecy(fileno(nfile->stream)(!__isthreaded ? ((nfile->stream)->_file) : (fileno)(nfile ->stream)), nfile->name)) { | ||||
1115 | fclose(nfile->stream); | ||||
1116 | free(nfile->name); | ||||
1117 | free(nfile); | ||||
1118 | return (NULL((void *)0)); | ||||
1119 | } | ||||
1120 | nfile->lineno = 1; | ||||
1121 | TAILQ_INSERT_TAIL(&files, nfile, entry)do { (nfile)->entry.tqe_next = ((void *)0); (nfile)->entry .tqe_prev = (&files)->tqh_last; *(&files)->tqh_last = (nfile); (&files)->tqh_last = &(nfile)->entry .tqe_next; } while (0); | ||||
1122 | return (nfile); | ||||
1123 | } | ||||
1124 | |||||
1125 | int | ||||
1126 | popfile(void) | ||||
1127 | { | ||||
1128 | struct file *prev; | ||||
1129 | |||||
1130 | if ((prev = TAILQ_PREV(file, files, entry)(*(((struct files *)((file)->entry.tqe_prev))->tqh_last ))) != NULL((void *)0)) | ||||
1131 | prev->errors += file->errors; | ||||
1132 | |||||
1133 | TAILQ_REMOVE(&files, file, entry)do { if (((file)->entry.tqe_next) != ((void *)0)) (file)-> entry.tqe_next->entry.tqe_prev = (file)->entry.tqe_prev ; else (&files)->tqh_last = (file)->entry.tqe_prev; *(file)->entry.tqe_prev = (file)->entry.tqe_next; ; ; } while (0); | ||||
1134 | fclose(file->stream); | ||||
1135 | free(file->name); | ||||
1136 | free(file); | ||||
1137 | file = prev; | ||||
1138 | |||||
1139 | return (file ? 0 : EOF(-1)); | ||||
1140 | } | ||||
1141 | |||||
1142 | int | ||||
1143 | parse_rules(const char *filename, struct ipsecctl *ipsecx) | ||||
1144 | { | ||||
1145 | struct sym *sym; | ||||
1146 | int errors = 0; | ||||
1147 | |||||
1148 | ipsec = ipsecx; | ||||
1149 | |||||
1150 | if ((file = pushfile(filename, 1)) == NULL((void *)0)) { | ||||
1151 | return (-1); | ||||
1152 | } | ||||
1153 | topfile = file; | ||||
1154 | |||||
1155 | yyparse(); | ||||
1156 | errors = file->errors; | ||||
1157 | popfile(); | ||||
1158 | |||||
1159 | /* Free macros and check which have not been used. */ | ||||
1160 | while ((sym = TAILQ_FIRST(&symhead)((&symhead)->tqh_first))) { | ||||
1161 | if ((ipsec->opts & IPSECCTL_OPT_VERBOSE20x0020) && !sym->used) | ||||
1162 | fprintf(stderr(&__sF[2]), "warning: macro '%s' not " | ||||
1163 | "used\n", sym->nam); | ||||
1164 | free(sym->nam); | ||||
1165 | free(sym->val); | ||||
1166 | TAILQ_REMOVE(&symhead, sym, entry)do { if (((sym)->entry.tqe_next) != ((void *)0)) (sym)-> entry.tqe_next->entry.tqe_prev = (sym)->entry.tqe_prev; else (&symhead)->tqh_last = (sym)->entry.tqe_prev; *(sym)->entry.tqe_prev = (sym)->entry.tqe_next; ; ; } while (0); | ||||
1167 | free(sym); | ||||
1168 | } | ||||
1169 | |||||
1170 | return (errors ? -1 : 0); | ||||
1171 | } | ||||
1172 | |||||
1173 | int | ||||
1174 | symset(const char *nam, const char *val, int persist) | ||||
1175 | { | ||||
1176 | struct sym *sym; | ||||
1177 | |||||
1178 | TAILQ_FOREACH(sym, &symhead, entry)for((sym) = ((&symhead)->tqh_first); (sym) != ((void * )0); (sym) = ((sym)->entry.tqe_next)) { | ||||
1179 | if (strcmp(nam, sym->nam) == 0) | ||||
1180 | break; | ||||
1181 | } | ||||
1182 | |||||
1183 | if (sym != NULL((void *)0)) { | ||||
1184 | if (sym->persist == 1) | ||||
1185 | return (0); | ||||
1186 | else { | ||||
1187 | free(sym->nam); | ||||
1188 | free(sym->val); | ||||
1189 | TAILQ_REMOVE(&symhead, sym, entry)do { if (((sym)->entry.tqe_next) != ((void *)0)) (sym)-> entry.tqe_next->entry.tqe_prev = (sym)->entry.tqe_prev; else (&symhead)->tqh_last = (sym)->entry.tqe_prev; *(sym)->entry.tqe_prev = (sym)->entry.tqe_next; ; ; } while (0); | ||||
1190 | free(sym); | ||||
1191 | } | ||||
1192 | } | ||||
1193 | if ((sym = calloc(1, sizeof(*sym))) == NULL((void *)0)) | ||||
1194 | return (-1); | ||||
1195 | |||||
1196 | sym->nam = strdup(nam); | ||||
1197 | if (sym->nam == NULL((void *)0)) { | ||||
1198 | free(sym); | ||||
1199 | return (-1); | ||||
1200 | } | ||||
1201 | sym->val = strdup(val); | ||||
1202 | if (sym->val == NULL((void *)0)) { | ||||
1203 | free(sym->nam); | ||||
1204 | free(sym); | ||||
1205 | return (-1); | ||||
1206 | } | ||||
1207 | sym->used = 0; | ||||
1208 | sym->persist = persist; | ||||
1209 | TAILQ_INSERT_TAIL(&symhead, sym, entry)do { (sym)->entry.tqe_next = ((void *)0); (sym)->entry. tqe_prev = (&symhead)->tqh_last; *(&symhead)->tqh_last = (sym); (&symhead)->tqh_last = &(sym)->entry. tqe_next; } while (0); | ||||
1210 | return (0); | ||||
1211 | } | ||||
1212 | |||||
1213 | int | ||||
1214 | cmdline_symset(char *s) | ||||
1215 | { | ||||
1216 | char *sym, *val; | ||||
1217 | int ret; | ||||
1218 | |||||
1219 | if ((val = strrchr(s, '=')) == NULL((void *)0)) | ||||
1220 | return (-1); | ||||
1221 | |||||
1222 | sym = strndup(s, val - s); | ||||
1223 | if (sym == NULL((void *)0)) | ||||
1224 | err(1, "%s", __func__); | ||||
1225 | ret = symset(sym, val + 1, 1); | ||||
1226 | free(sym); | ||||
1227 | |||||
1228 | return (ret); | ||||
1229 | } | ||||
1230 | |||||
1231 | char * | ||||
1232 | symget(const char *nam) | ||||
1233 | { | ||||
1234 | struct sym *sym; | ||||
1235 | |||||
1236 | TAILQ_FOREACH(sym, &symhead, entry)for((sym) = ((&symhead)->tqh_first); (sym) != ((void * )0); (sym) = ((sym)->entry.tqe_next)) { | ||||
1237 | if (strcmp(nam, sym->nam) == 0) { | ||||
1238 | sym->used = 1; | ||||
1239 | return (sym->val); | ||||
1240 | } | ||||
1241 | } | ||||
1242 | return (NULL((void *)0)); | ||||
1243 | } | ||||
1244 | |||||
1245 | int | ||||
1246 | atoul(char *s, u_long *ulvalp) | ||||
1247 | { | ||||
1248 | u_long ulval; | ||||
1249 | char *ep; | ||||
1250 | |||||
1251 | errno(*__errno()) = 0; | ||||
1252 | ulval = strtoul(s, &ep, 0); | ||||
1253 | if (s[0] == '\0' || *ep != '\0') | ||||
1254 | return (-1); | ||||
1255 | if (errno(*__errno()) == ERANGE34 && ulval == ULONG_MAX(9223372036854775807L *2UL+1UL)) | ||||
1256 | return (-1); | ||||
1257 | *ulvalp = ulval; | ||||
1258 | return (0); | ||||
1259 | } | ||||
1260 | |||||
1261 | int | ||||
1262 | atospi(char *s, u_int32_t *spivalp) | ||||
1263 | { | ||||
1264 | unsigned long ulval; | ||||
1265 | |||||
1266 | if (atoul(s, &ulval) == -1) | ||||
1267 | return (-1); | ||||
1268 | if (ulval > UINT_MAX(2147483647 *2U +1U)) { | ||||
1269 | yyerror("%lu not a valid spi", ulval); | ||||
1270 | return (-1); | ||||
1271 | } | ||||
1272 | if (ulval >= SPI_RESERVED_MIN1 && ulval <= SPI_RESERVED_MAX255) { | ||||
1273 | yyerror("%lu within reserved spi range", ulval); | ||||
1274 | return (-1); | ||||
1275 | } | ||||
1276 | *spivalp = ulval; | ||||
1277 | return (0); | ||||
1278 | } | ||||
1279 | |||||
1280 | u_int8_t | ||||
1281 | x2i(unsigned char *s) | ||||
1282 | { | ||||
1283 | char ss[3]; | ||||
1284 | |||||
1285 | ss[0] = s[0]; | ||||
1286 | ss[1] = s[1]; | ||||
1287 | ss[2] = 0; | ||||
1288 | |||||
1289 | if (!isxdigit(s[0]) || !isxdigit(s[1])) { | ||||
1290 | yyerror("keys need to be specified in hex digits"); | ||||
1291 | return (-1); | ||||
1292 | } | ||||
1293 | return ((u_int8_t)strtoul(ss, NULL((void *)0), 16)); | ||||
1294 | } | ||||
1295 | |||||
1296 | struct ipsec_key * | ||||
1297 | parsekey(unsigned char *hexkey, size_t len) | ||||
1298 | { | ||||
1299 | struct ipsec_key *key; | ||||
1300 | int i; | ||||
1301 | |||||
1302 | key = calloc(1, sizeof(struct ipsec_key)); | ||||
1303 | if (key == NULL((void *)0)) | ||||
1304 | err(1, "%s", __func__); | ||||
1305 | |||||
1306 | key->len = len / 2; | ||||
1307 | key->data = calloc(key->len, sizeof(u_int8_t)); | ||||
1308 | if (key->data == NULL((void *)0)) | ||||
1309 | err(1, "%s", __func__); | ||||
1310 | |||||
1311 | for (i = 0; i < (int)key->len; i++) | ||||
1312 | key->data[i] = x2i(hexkey + 2 * i); | ||||
1313 | |||||
1314 | return (key); | ||||
1315 | } | ||||
1316 | |||||
1317 | struct ipsec_key * | ||||
1318 | parsekeyfile(char *filename) | ||||
1319 | { | ||||
1320 | struct stat sb; | ||||
1321 | int fd; | ||||
1322 | unsigned char *hex; | ||||
1323 | |||||
1324 | if ((fd = open(filename, O_RDONLY0x0000)) < 0) | ||||
1325 | err(1, "open %s", filename); | ||||
1326 | if (fstat(fd, &sb) < 0) | ||||
1327 | err(1, "parsekeyfile: stat %s", filename); | ||||
1328 | if ((sb.st_size > KEYSIZE_LIMIT1024) || (sb.st_size == 0)) | ||||
1329 | errx(1, "%s: key too %s", filename, sb.st_size ? "large" : | ||||
1330 | "small"); | ||||
1331 | if ((hex = calloc(sb.st_size, sizeof(unsigned char))) == NULL((void *)0)) | ||||
1332 | err(1, "%s", __func__); | ||||
1333 | if (read(fd, hex, sb.st_size) < sb.st_size) | ||||
1334 | err(1, "parsekeyfile: read"); | ||||
1335 | close(fd); | ||||
1336 | return (parsekey(hex, sb.st_size)); | ||||
1337 | } | ||||
1338 | |||||
1339 | int | ||||
1340 | get_id_type(char *string) | ||||
1341 | { | ||||
1342 | struct in6_addr ia; | ||||
1343 | |||||
1344 | if (string == NULL((void *)0)) | ||||
1345 | return (ID_UNKNOWN); | ||||
1346 | |||||
1347 | if (inet_pton(AF_INET2, string, &ia) == 1) | ||||
1348 | return (ID_IPV4); | ||||
1349 | else if (inet_pton(AF_INET624, string, &ia) == 1) | ||||
1350 | return (ID_IPV6); | ||||
1351 | else if (strchr(string, '@')) | ||||
1352 | return (ID_UFQDN); | ||||
1353 | else | ||||
1354 | return (ID_FQDN); | ||||
1355 | } | ||||
1356 | |||||
1357 | struct ipsec_addr_wrap * | ||||
1358 | host(const char *s) | ||||
1359 | { | ||||
1360 | struct ipsec_addr_wrap *ipa = NULL((void *)0); | ||||
1361 | int mask, cont = 1; | ||||
1362 | char *p, *q, *ps; | ||||
1363 | |||||
1364 | if ((p = strrchr(s, '/')) != NULL((void *)0)) { | ||||
1365 | errno(*__errno()) = 0; | ||||
1366 | mask = strtol(p + 1, &q, 0); | ||||
1367 | if (errno(*__errno()) == ERANGE34 || !q || *q || mask > 128 || q == (p + 1)) | ||||
1368 | errx(1, "host: invalid netmask '%s'", p); | ||||
1369 | if ((ps = malloc(strlen(s) - strlen(p) + 1)) == NULL((void *)0)) | ||||
1370 | err(1, "%s", __func__); | ||||
1371 | strlcpy(ps, s, strlen(s) - strlen(p) + 1); | ||||
1372 | } else { | ||||
1373 | if ((ps = strdup(s)) == NULL((void *)0)) | ||||
1374 | err(1, "%s", __func__); | ||||
1375 | mask = -1; | ||||
1376 | } | ||||
1377 | |||||
1378 | /* Does interface with this name exist? */ | ||||
1379 | if (cont && (ipa = host_if(ps, mask)) != NULL((void *)0)) | ||||
1380 | cont = 0; | ||||
1381 | |||||
1382 | /* IPv4 address? */ | ||||
1383 | if (cont && (ipa = host_v4(s, mask == -1 ? 32 : mask)) != NULL((void *)0)) | ||||
1384 | cont = 0; | ||||
1385 | |||||
1386 | /* IPv6 address? */ | ||||
1387 | if (cont && (ipa = host_v6(ps, mask == -1 ? 128 : mask)) != NULL((void *)0)) | ||||
1388 | cont = 0; | ||||
1389 | |||||
1390 | /* dns lookup */ | ||||
1391 | if (cont && mask == -1 && (ipa = host_dns(s, mask)) != NULL((void *)0)) | ||||
1392 | cont = 0; | ||||
1393 | free(ps); | ||||
1394 | |||||
1395 | if (ipa == NULL((void *)0) || cont == 1) { | ||||
1396 | fprintf(stderr(&__sF[2]), "no IP address found for %s\n", s); | ||||
1397 | return (NULL((void *)0)); | ||||
1398 | } | ||||
1399 | return (ipa); | ||||
1400 | } | ||||
1401 | |||||
1402 | struct ipsec_addr_wrap * | ||||
1403 | host_v6(const char *s, int prefixlen) | ||||
1404 | { | ||||
1405 | struct ipsec_addr_wrap *ipa = NULL((void *)0); | ||||
1406 | struct addrinfo hints, *res; | ||||
1407 | char hbuf[NI_MAXHOST256]; | ||||
1408 | |||||
1409 | bzero(&hints, sizeof(struct addrinfo)); | ||||
1410 | hints.ai_family = AF_INET624; | ||||
1411 | hints.ai_socktype = SOCK_STREAM1; | ||||
1412 | hints.ai_flags = AI_NUMERICHOST4; | ||||
1413 | if (getaddrinfo(s, NULL((void *)0), &hints, &res)) | ||||
1414 | return (NULL((void *)0)); | ||||
1415 | if (res->ai_next) | ||||
1416 | err(1, "host_v6: numeric hostname expanded to multiple item"); | ||||
1417 | |||||
1418 | ipa = calloc(1, sizeof(struct ipsec_addr_wrap)); | ||||
1419 | if (ipa == NULL((void *)0)) | ||||
1420 | err(1, "%s", __func__); | ||||
1421 | ipa->af = res->ai_family; | ||||
1422 | memcpy(&ipa->address.v6ipa.v6, | ||||
1423 | &((struct sockaddr_in6 *)res->ai_addr)->sin6_addr, | ||||
1424 | sizeof(struct in6_addr)); | ||||
1425 | if (prefixlen > 128) | ||||
1426 | prefixlen = 128; | ||||
1427 | ipa->next = NULL((void *)0); | ||||
1428 | ipa->tail = ipa; | ||||
1429 | |||||
1430 | set_ipmask(ipa, prefixlen); | ||||
1431 | if (getnameinfo(res->ai_addr, res->ai_addrlen, | ||||
1432 | hbuf, sizeof(hbuf), NULL((void *)0), 0, NI_NUMERICHOST1)) { | ||||
1433 | errx(1, "could not get a numeric hostname"); | ||||
1434 | } | ||||
1435 | |||||
1436 | if (prefixlen != 128) { | ||||
1437 | ipa->netaddress = 1; | ||||
1438 | if (asprintf(&ipa->name, "%s/%d", hbuf, prefixlen) == -1) | ||||
1439 | err(1, "%s", __func__); | ||||
1440 | } else { | ||||
1441 | if ((ipa->name = strdup(hbuf)) == NULL((void *)0)) | ||||
1442 | err(1, "%s", __func__); | ||||
1443 | } | ||||
1444 | |||||
1445 | freeaddrinfo(res); | ||||
1446 | |||||
1447 | return (ipa); | ||||
1448 | } | ||||
1449 | |||||
1450 | struct ipsec_addr_wrap * | ||||
1451 | host_v4(const char *s, int mask) | ||||
1452 | { | ||||
1453 | struct ipsec_addr_wrap *ipa = NULL((void *)0); | ||||
1454 | struct in_addr ina; | ||||
1455 | int bits = 32; | ||||
1456 | |||||
1457 | bzero(&ina, sizeof(struct in_addr)); | ||||
1458 | if (strrchr(s, '/') != NULL((void *)0)) { | ||||
1459 | if ((bits = inet_net_pton(AF_INET2, s, &ina, sizeof(ina))) == -1) | ||||
1460 | return (NULL((void *)0)); | ||||
1461 | } else { | ||||
1462 | if (inet_pton(AF_INET2, s, &ina) != 1) | ||||
1463 | return (NULL((void *)0)); | ||||
1464 | } | ||||
1465 | |||||
1466 | ipa = calloc(1, sizeof(struct ipsec_addr_wrap)); | ||||
1467 | if (ipa == NULL((void *)0)) | ||||
1468 | err(1, "%s", __func__); | ||||
1469 | |||||
1470 | ipa->address.v4ipa.v4 = ina; | ||||
1471 | ipa->name = strdup(s); | ||||
1472 | if (ipa->name == NULL((void *)0)) | ||||
1473 | err(1, "%s", __func__); | ||||
1474 | ipa->af = AF_INET2; | ||||
1475 | ipa->next = NULL((void *)0); | ||||
1476 | ipa->tail = ipa; | ||||
1477 | |||||
1478 | set_ipmask(ipa, bits); | ||||
1479 | if (strrchr(s, '/') != NULL((void *)0)) | ||||
1480 | ipa->netaddress = 1; | ||||
1481 | |||||
1482 | return (ipa); | ||||
1483 | } | ||||
1484 | |||||
1485 | struct ipsec_addr_wrap * | ||||
1486 | host_dns(const char *s, int mask) | ||||
1487 | { | ||||
1488 | struct ipsec_addr_wrap *ipa = NULL((void *)0), *head = NULL((void *)0); | ||||
1489 | struct addrinfo hints, *res0, *res; | ||||
1490 | int error; | ||||
1491 | char hbuf[NI_MAXHOST256]; | ||||
1492 | |||||
1493 | bzero(&hints, sizeof(struct addrinfo)); | ||||
1494 | hints.ai_family = PF_UNSPEC0; | ||||
1495 | hints.ai_socktype = SOCK_STREAM1; | ||||
1496 | error = getaddrinfo(s, NULL((void *)0), &hints, &res0); | ||||
1497 | if (error) | ||||
1498 | return (NULL((void *)0)); | ||||
1499 | |||||
1500 | for (res = res0; res; res = res->ai_next) { | ||||
1501 | if (res->ai_family != AF_INET2 && res->ai_family != AF_INET624) | ||||
1502 | continue; | ||||
1503 | |||||
1504 | ipa = calloc(1, sizeof(struct ipsec_addr_wrap)); | ||||
1505 | if (ipa == NULL((void *)0)) | ||||
1506 | err(1, "%s", __func__); | ||||
1507 | switch (res->ai_family) { | ||||
1508 | case AF_INET2: | ||||
1509 | memcpy(&ipa->address.v4ipa.v4, | ||||
1510 | &((struct sockaddr_in *)res->ai_addr)->sin_addr, | ||||
1511 | sizeof(struct in_addr)); | ||||
1512 | break; | ||||
1513 | case AF_INET624: | ||||
1514 | /* XXX we do not support scoped IPv6 address yet */ | ||||
1515 | if (((struct sockaddr_in6 *)res->ai_addr)->sin6_scope_id) { | ||||
1516 | free(ipa); | ||||
1517 | continue; | ||||
1518 | } | ||||
1519 | memcpy(&ipa->address.v6ipa.v6, | ||||
1520 | &((struct sockaddr_in6 *)res->ai_addr)->sin6_addr, | ||||
1521 | sizeof(struct in6_addr)); | ||||
1522 | break; | ||||
1523 | } | ||||
1524 | error = getnameinfo(res->ai_addr, res->ai_addrlen, hbuf, | ||||
1525 | sizeof(hbuf), NULL((void *)0), 0, NI_NUMERICHOST1); | ||||
1526 | if (error) | ||||
1527 | err(1, "host_dns: getnameinfo"); | ||||
1528 | ipa->name = strdup(hbuf); | ||||
1529 | if (ipa->name == NULL((void *)0)) | ||||
1530 | err(1, "%s", __func__); | ||||
1531 | ipa->af = res->ai_family; | ||||
1532 | ipa->next = NULL((void *)0); | ||||
1533 | ipa->tail = ipa; | ||||
1534 | if (head == NULL((void *)0)) | ||||
1535 | head = ipa; | ||||
1536 | else { | ||||
1537 | head->tail->next = ipa; | ||||
1538 | head->tail = ipa; | ||||
1539 | } | ||||
1540 | |||||
1541 | /* | ||||
1542 | * XXX for now, no netmask support for IPv6. | ||||
1543 | * but since there's no way to specify address family, once you | ||||
1544 | * have IPv6 address on a host, you cannot use dns/netmask | ||||
1545 | * syntax. | ||||
1546 | */ | ||||
1547 | if (ipa->af == AF_INET2) | ||||
1548 | set_ipmask(ipa, mask == -1 ? 32 : mask); | ||||
1549 | else | ||||
1550 | if (mask != -1) | ||||
1551 | err(1, "host_dns: cannot apply netmask " | ||||
1552 | "on non-IPv4 address"); | ||||
1553 | } | ||||
1554 | freeaddrinfo(res0); | ||||
1555 | |||||
1556 | return (head); | ||||
1557 | } | ||||
1558 | |||||
1559 | struct ipsec_addr_wrap * | ||||
1560 | host_if(const char *s, int mask) | ||||
1561 | { | ||||
1562 | struct ipsec_addr_wrap *ipa = NULL((void *)0); | ||||
1563 | |||||
1564 | if (ifa_exists(s)) | ||||
1565 | ipa = ifa_lookup(s); | ||||
1566 | |||||
1567 | return (ipa); | ||||
1568 | } | ||||
1569 | |||||
1570 | struct ipsec_addr_wrap * | ||||
1571 | host_any(void) | ||||
1572 | { | ||||
1573 | struct ipsec_addr_wrap *ipa; | ||||
1574 | |||||
1575 | ipa = calloc(1, sizeof(struct ipsec_addr_wrap)); | ||||
1576 | if (ipa == NULL((void *)0)) | ||||
1577 | err(1, "%s", __func__); | ||||
1578 | ipa->af = AF_UNSPEC0; | ||||
1579 | ipa->netaddress = 1; | ||||
1580 | ipa->tail = ipa; | ||||
1581 | return (ipa); | ||||
1582 | } | ||||
1583 | |||||
1584 | /* interface lookup routintes */ | ||||
1585 | |||||
1586 | struct ipsec_addr_wrap *iftab; | ||||
1587 | |||||
1588 | void | ||||
1589 | ifa_load(void) | ||||
1590 | { | ||||
1591 | struct ifaddrs *ifap, *ifa; | ||||
1592 | struct ipsec_addr_wrap *n = NULL((void *)0), *h = NULL((void *)0); | ||||
1593 | |||||
1594 | if (getifaddrs(&ifap) < 0) | ||||
1595 | err(1, "ifa_load: getifaddrs"); | ||||
1596 | |||||
1597 | for (ifa = ifap; ifa; ifa = ifa->ifa_next) { | ||||
1598 | if (ifa->ifa_addr == NULL((void *)0) || | ||||
1599 | !(ifa->ifa_addr->sa_family == AF_INET2 || | ||||
1600 | ifa->ifa_addr->sa_family == AF_INET624 || | ||||
1601 | ifa->ifa_addr->sa_family == AF_LINK18)) | ||||
1602 | continue; | ||||
1603 | n = calloc(1, sizeof(struct ipsec_addr_wrap)); | ||||
1604 | if (n == NULL((void *)0)) | ||||
1605 | err(1, "%s", __func__); | ||||
1606 | n->af = ifa->ifa_addr->sa_family; | ||||
1607 | if ((n->name = strdup(ifa->ifa_name)) == NULL((void *)0)) | ||||
1608 | err(1, "%s", __func__); | ||||
1609 | if (n->af == AF_INET2) { | ||||
1610 | n->af = AF_INET2; | ||||
1611 | memcpy(&n->address.v4ipa.v4, &((struct sockaddr_in *) | ||||
1612 | ifa->ifa_addr)->sin_addr, | ||||
1613 | sizeof(struct in_addr)); | ||||
1614 | memcpy(&n->mask.v4ipa.v4, &((struct sockaddr_in *) | ||||
1615 | ifa->ifa_netmask)->sin_addr, | ||||
1616 | sizeof(struct in_addr)); | ||||
1617 | } else if (n->af == AF_INET624) { | ||||
1618 | n->af = AF_INET624; | ||||
1619 | memcpy(&n->address.v6ipa.v6, &((struct sockaddr_in6 *) | ||||
1620 | ifa->ifa_addr)->sin6_addr, | ||||
1621 | sizeof(struct in6_addr)); | ||||
1622 | memcpy(&n->mask.v6ipa.v6, &((struct sockaddr_in6 *) | ||||
1623 | ifa->ifa_netmask)->sin6_addr, | ||||
1624 | sizeof(struct in6_addr)); | ||||
1625 | } | ||||
1626 | n->next = NULL((void *)0); | ||||
1627 | n->tail = n; | ||||
1628 | if (h == NULL((void *)0)) | ||||
1629 | h = n; | ||||
1630 | else { | ||||
1631 | h->tail->next = n; | ||||
1632 | h->tail = n; | ||||
1633 | } | ||||
1634 | } | ||||
1635 | |||||
1636 | iftab = h; | ||||
1637 | freeifaddrs(ifap); | ||||
1638 | } | ||||
1639 | |||||
1640 | int | ||||
1641 | ifa_exists(const char *ifa_name) | ||||
1642 | { | ||||
1643 | struct ipsec_addr_wrap *n; | ||||
1644 | struct ifgroupreq ifgr; | ||||
1645 | int s; | ||||
1646 | |||||
1647 | if (iftab == NULL((void *)0)) | ||||
1648 | ifa_load(); | ||||
1649 | |||||
1650 | /* check whether this is a group */ | ||||
1651 | if ((s = socket(AF_INET2, SOCK_DGRAM2, 0)) == -1) | ||||
1652 | err(1, "ifa_exists: socket"); | ||||
1653 | bzero(&ifgr, sizeof(ifgr)); | ||||
1654 | strlcpy(ifgr.ifgr_name, ifa_name, sizeof(ifgr.ifgr_name)); | ||||
1655 | if (ioctl(s, SIOCGIFGMEMB(((unsigned long)0x80000000|(unsigned long)0x40000000) | ((sizeof (struct ifgroupreq) & 0x1fff) << 16) | ((('i')) << 8) | ((138))), (caddr_t)&ifgr) == 0) { | ||||
1656 | close(s); | ||||
1657 | return (1); | ||||
1658 | } | ||||
1659 | close(s); | ||||
1660 | |||||
1661 | for (n = iftab; n; n = n->next) { | ||||
1662 | if (n->af == AF_LINK18 && !strncmp(n->name, ifa_name, | ||||
1663 | IFNAMSIZ16)) | ||||
1664 | return (1); | ||||
1665 | } | ||||
1666 | |||||
1667 | return (0); | ||||
1668 | } | ||||
1669 | |||||
1670 | struct ipsec_addr_wrap * | ||||
1671 | ifa_grouplookup(const char *ifa_name) | ||||
1672 | { | ||||
1673 | struct ifg_req *ifg; | ||||
1674 | struct ifgroupreq ifgr; | ||||
1675 | int s; | ||||
1676 | size_t len; | ||||
1677 | struct ipsec_addr_wrap *n, *h = NULL((void *)0), *hn; | ||||
1678 | |||||
1679 | if ((s = socket(AF_INET2, SOCK_DGRAM2, 0)) == -1) | ||||
1680 | err(1, "socket"); | ||||
1681 | bzero(&ifgr, sizeof(ifgr)); | ||||
1682 | strlcpy(ifgr.ifgr_name, ifa_name, sizeof(ifgr.ifgr_name)); | ||||
1683 | if (ioctl(s, SIOCGIFGMEMB(((unsigned long)0x80000000|(unsigned long)0x40000000) | ((sizeof (struct ifgroupreq) & 0x1fff) << 16) | ((('i')) << 8) | ((138))), (caddr_t)&ifgr) == -1) { | ||||
1684 | close(s); | ||||
1685 | return (NULL((void *)0)); | ||||
1686 | } | ||||
1687 | |||||
1688 | len = ifgr.ifgr_len; | ||||
1689 | if ((ifgr.ifgr_groupsifgr_ifgru.ifgru_groups = calloc(1, len)) == NULL((void *)0)) | ||||
1690 | err(1, "%s", __func__); | ||||
1691 | if (ioctl(s, SIOCGIFGMEMB(((unsigned long)0x80000000|(unsigned long)0x40000000) | ((sizeof (struct ifgroupreq) & 0x1fff) << 16) | ((('i')) << 8) | ((138))), (caddr_t)&ifgr) == -1) | ||||
1692 | err(1, "ioctl"); | ||||
1693 | |||||
1694 | for (ifg = ifgr.ifgr_groupsifgr_ifgru.ifgru_groups; ifg && len >= sizeof(struct ifg_req); | ||||
1695 | ifg++) { | ||||
1696 | len -= sizeof(struct ifg_req); | ||||
1697 | if ((n = ifa_lookup(ifg->ifgrq_memberifgrq_ifgrqu.ifgrqu_member)) == NULL((void *)0)) | ||||
1698 | continue; | ||||
1699 | if (h == NULL((void *)0)) | ||||
1700 | h = n; | ||||
1701 | else { | ||||
1702 | for (hn = h; hn->next != NULL((void *)0); hn = hn->next) | ||||
1703 | ; /* nothing */ | ||||
1704 | hn->next = n; | ||||
1705 | n->tail = hn; | ||||
1706 | } | ||||
1707 | } | ||||
1708 | free(ifgr.ifgr_groupsifgr_ifgru.ifgru_groups); | ||||
1709 | close(s); | ||||
1710 | |||||
1711 | return (h); | ||||
1712 | } | ||||
1713 | |||||
1714 | struct ipsec_addr_wrap * | ||||
1715 | ifa_lookup(const char *ifa_name) | ||||
1716 | { | ||||
1717 | struct ipsec_addr_wrap *p = NULL((void *)0), *h = NULL((void *)0), *n = NULL((void *)0); | ||||
1718 | |||||
1719 | if (iftab == NULL((void *)0)) | ||||
1720 | ifa_load(); | ||||
1721 | |||||
1722 | if ((n = ifa_grouplookup(ifa_name)) != NULL((void *)0)) | ||||
1723 | return (n); | ||||
1724 | |||||
1725 | for (p = iftab; p; p = p->next) { | ||||
1726 | if (p->af != AF_INET2 && p->af != AF_INET624) | ||||
1727 | continue; | ||||
1728 | if (strncmp(p->name, ifa_name, IFNAMSIZ16)) | ||||
1729 | continue; | ||||
1730 | n = calloc(1, sizeof(struct ipsec_addr_wrap)); | ||||
1731 | if (n == NULL((void *)0)) | ||||
1732 | err(1, "%s", __func__); | ||||
1733 | memcpy(n, p, sizeof(struct ipsec_addr_wrap)); | ||||
1734 | if ((n->name = strdup(p->name)) == NULL((void *)0)) | ||||
1735 | err(1, "%s", __func__); | ||||
1736 | switch (n->af) { | ||||
1737 | case AF_INET2: | ||||
1738 | set_ipmask(n, 32); | ||||
1739 | break; | ||||
1740 | case AF_INET624: | ||||
1741 | /* route/show.c and bgpd/util.c give KAME credit */ | ||||
1742 | if (IN6_IS_ADDR_LINKLOCAL(&n->address.v6)(((&n->address.ipa.v6)->__u6_addr.__u6_addr8[0] == 0xfe ) && (((&n->address.ipa.v6)->__u6_addr.__u6_addr8 [1] & 0xc0) == 0x80))) { | ||||
1743 | u_int16_t tmp16; | ||||
1744 | /* for now we can not handle link local, | ||||
1745 | * therefore bail for now | ||||
1746 | */ | ||||
1747 | free(n); | ||||
1748 | continue; | ||||
1749 | |||||
1750 | memcpy(&tmp16, &n->address.v6ipa.v6.s6_addr__u6_addr.__u6_addr8[2], | ||||
1751 | sizeof(tmp16)); | ||||
1752 | /* use this when we support link-local | ||||
1753 | * n->??.scopeid = ntohs(tmp16); | ||||
1754 | */ | ||||
1755 | n->address.v6ipa.v6.s6_addr__u6_addr.__u6_addr8[2] = 0; | ||||
1756 | n->address.v6ipa.v6.s6_addr__u6_addr.__u6_addr8[3] = 0; | ||||
1757 | } | ||||
1758 | set_ipmask(n, 128); | ||||
1759 | break; | ||||
1760 | } | ||||
1761 | |||||
1762 | n->next = NULL((void *)0); | ||||
1763 | n->tail = n; | ||||
1764 | if (h == NULL((void *)0)) | ||||
1765 | h = n; | ||||
1766 | else { | ||||
1767 | h->tail->next = n; | ||||
1768 | h->tail = n; | ||||
1769 | } | ||||
1770 | } | ||||
1771 | |||||
1772 | return (h); | ||||
1773 | } | ||||
1774 | |||||
1775 | void | ||||
1776 | set_ipmask(struct ipsec_addr_wrap *address, u_int8_t b) | ||||
1777 | { | ||||
1778 | struct ipsec_addr *ipa; | ||||
1779 | int i, j = 0; | ||||
1780 | |||||
1781 | ipa = &address->mask; | ||||
1782 | bzero(ipa, sizeof(struct ipsec_addr)); | ||||
1783 | |||||
1784 | while (b >= 32) { | ||||
1785 | ipa->addr32ipa.addr32[j++] = 0xffffffff; | ||||
1786 | b -= 32; | ||||
1787 | } | ||||
1788 | for (i = 31; i > 31 - b; --i) | ||||
1789 | ipa->addr32ipa.addr32[j] |= (1 << i); | ||||
1790 | if (b) | ||||
1791 | ipa->addr32ipa.addr32[j] = htonl(ipa->addr32[j])(__uint32_t)(__builtin_constant_p(ipa->ipa.addr32[j]) ? (__uint32_t )(((__uint32_t)(ipa->ipa.addr32[j]) & 0xff) << 24 | ((__uint32_t)(ipa->ipa.addr32[j]) & 0xff00) << 8 | ((__uint32_t)(ipa->ipa.addr32[j]) & 0xff0000) >> 8 | ((__uint32_t)(ipa->ipa.addr32[j]) & 0xff000000) >> 24) : __swap32md(ipa->ipa.addr32[j])); | ||||
1792 | } | ||||
1793 | |||||
1794 | const struct ipsec_xf * | ||||
1795 | parse_xf(const char *name, const struct ipsec_xf xfs[]) | ||||
1796 | { | ||||
1797 | int i; | ||||
1798 | |||||
1799 | for (i = 0; xfs[i].name != NULL((void *)0); i++) { | ||||
1800 | if (strncmp(name, xfs[i].name, strlen(name))) | ||||
1801 | continue; | ||||
1802 | return &xfs[i]; | ||||
1803 | } | ||||
1804 | return (NULL((void *)0)); | ||||
1805 | } | ||||
1806 | |||||
1807 | struct ipsec_lifetime * | ||||
1808 | parse_life(const char *value) | ||||
1809 | { | ||||
1810 | struct ipsec_lifetime *life; | ||||
1811 | int ret; | ||||
1812 | int seconds = 0; | ||||
1813 | char unit = 0; | ||||
1814 | |||||
1815 | ret = sscanf(value, "%d%c", &seconds, &unit); | ||||
1816 | if (ret == 2) { | ||||
1817 | switch (tolower((unsigned char)unit)) { | ||||
1818 | case 'm': | ||||
1819 | seconds *= 60; | ||||
1820 | break; | ||||
1821 | case 'h': | ||||
1822 | seconds *= 60 * 60; | ||||
1823 | break; | ||||
1824 | default: | ||||
1825 | err(1, "invalid time unit"); | ||||
1826 | } | ||||
1827 | } else if (ret != 1) | ||||
1828 | err(1, "invalid time specification: %s", value); | ||||
1829 | |||||
1830 | life = calloc(1, sizeof(struct ipsec_lifetime)); | ||||
1831 | if (life == NULL((void *)0)) | ||||
1832 | err(1, "%s", __func__); | ||||
1833 | |||||
1834 | life->lt_seconds = seconds; | ||||
1835 | life->lt_bytes = -1; | ||||
1836 | |||||
1837 | return (life); | ||||
1838 | } | ||||
1839 | |||||
1840 | struct ipsec_transforms * | ||||
1841 | copytransforms(const struct ipsec_transforms *xfs) | ||||
1842 | { | ||||
1843 | struct ipsec_transforms *newxfs; | ||||
1844 | |||||
1845 | if (xfs == NULL((void *)0)) | ||||
1846 | return (NULL((void *)0)); | ||||
1847 | |||||
1848 | newxfs = calloc(1, sizeof(struct ipsec_transforms)); | ||||
1849 | if (newxfs == NULL((void *)0)) | ||||
1850 | err(1, "%s", __func__); | ||||
1851 | |||||
1852 | memcpy(newxfs, xfs, sizeof(struct ipsec_transforms)); | ||||
1853 | return (newxfs); | ||||
1854 | } | ||||
1855 | |||||
1856 | struct ipsec_lifetime * | ||||
1857 | copylife(const struct ipsec_lifetime *life) | ||||
1858 | { | ||||
1859 | struct ipsec_lifetime *newlife; | ||||
1860 | |||||
1861 | if (life == NULL((void *)0)) | ||||
1862 | return (NULL((void *)0)); | ||||
1863 | |||||
1864 | newlife = calloc(1, sizeof(struct ipsec_lifetime)); | ||||
1865 | if (newlife == NULL((void *)0)) | ||||
1866 | err(1, "%s", __func__); | ||||
1867 | |||||
1868 | memcpy(newlife, life, sizeof(struct ipsec_lifetime)); | ||||
1869 | return (newlife); | ||||
1870 | } | ||||
1871 | |||||
1872 | struct ipsec_auth * | ||||
1873 | copyipsecauth(const struct ipsec_auth *auth) | ||||
1874 | { | ||||
1875 | struct ipsec_auth *newauth; | ||||
1876 | |||||
1877 | if (auth == NULL((void *)0)) | ||||
1878 | return (NULL((void *)0)); | ||||
1879 | |||||
1880 | if ((newauth = calloc(1, sizeof(struct ipsec_auth))) == NULL((void *)0)) | ||||
1881 | err(1, "%s", __func__); | ||||
1882 | if (auth->srcid && | ||||
1883 | asprintf(&newauth->srcid, "%s", auth->srcid) == -1) | ||||
1884 | err(1, "%s", __func__); | ||||
1885 | if (auth->dstid && | ||||
1886 | asprintf(&newauth->dstid, "%s", auth->dstid) == -1) | ||||
1887 | err(1, "%s", __func__); | ||||
1888 | |||||
1889 | newauth->srcid_type = auth->srcid_type; | ||||
1890 | newauth->dstid_type = auth->dstid_type; | ||||
1891 | newauth->type = auth->type; | ||||
1892 | |||||
1893 | return (newauth); | ||||
1894 | } | ||||
1895 | |||||
1896 | struct ike_auth * | ||||
1897 | copyikeauth(const struct ike_auth *auth) | ||||
1898 | { | ||||
1899 | struct ike_auth *newauth; | ||||
1900 | |||||
1901 | if (auth == NULL((void *)0)) | ||||
1902 | return (NULL((void *)0)); | ||||
1903 | |||||
1904 | if ((newauth = calloc(1, sizeof(struct ike_auth))) == NULL((void *)0)) | ||||
1905 | err(1, "%s", __func__); | ||||
1906 | if (auth->string && | ||||
1907 | asprintf(&newauth->string, "%s", auth->string) == -1) | ||||
1908 | err(1, "%s", __func__); | ||||
1909 | |||||
1910 | newauth->type = auth->type; | ||||
1911 | |||||
1912 | return (newauth); | ||||
1913 | } | ||||
1914 | |||||
1915 | struct ipsec_key * | ||||
1916 | copykey(struct ipsec_key *key) | ||||
1917 | { | ||||
1918 | struct ipsec_key *newkey; | ||||
1919 | |||||
1920 | if (key == NULL((void *)0)) | ||||
1921 | return (NULL((void *)0)); | ||||
1922 | |||||
1923 | if ((newkey = calloc(1, sizeof(struct ipsec_key))) == NULL((void *)0)) | ||||
1924 | err(1, "%s", __func__); | ||||
1925 | if ((newkey->data = calloc(key->len, sizeof(u_int8_t))) == NULL((void *)0)) | ||||
1926 | err(1, "%s", __func__); | ||||
1927 | memcpy(newkey->data, key->data, key->len); | ||||
1928 | newkey->len = key->len; | ||||
1929 | |||||
1930 | return (newkey); | ||||
1931 | } | ||||
1932 | |||||
1933 | struct ipsec_addr_wrap * | ||||
1934 | copyhost(const struct ipsec_addr_wrap *src) | ||||
1935 | { | ||||
1936 | struct ipsec_addr_wrap *dst; | ||||
1937 | |||||
1938 | if (src == NULL((void *)0)) | ||||
1939 | return (NULL((void *)0)); | ||||
1940 | |||||
1941 | dst = calloc(1, sizeof(struct ipsec_addr_wrap)); | ||||
1942 | if (dst == NULL((void *)0)) | ||||
1943 | err(1, "%s", __func__); | ||||
1944 | |||||
1945 | memcpy(dst, src, sizeof(struct ipsec_addr_wrap)); | ||||
1946 | |||||
1947 | if (src->name != NULL((void *)0) && (dst->name = strdup(src->name)) == NULL((void *)0)) | ||||
1948 | err(1, "%s", __func__); | ||||
1949 | |||||
1950 | return dst; | ||||
1951 | } | ||||
1952 | |||||
1953 | char * | ||||
1954 | copytag(const char *src) | ||||
1955 | { | ||||
1956 | char *tag; | ||||
1957 | |||||
1958 | if (src == NULL((void *)0)) | ||||
1959 | return (NULL((void *)0)); | ||||
1960 | if ((tag = strdup(src)) == NULL((void *)0)) | ||||
1961 | err(1, "%s", __func__); | ||||
1962 | |||||
1963 | return (tag); | ||||
1964 | } | ||||
1965 | |||||
1966 | struct ipsec_rule * | ||||
1967 | copyrule(struct ipsec_rule *rule) | ||||
1968 | { | ||||
1969 | struct ipsec_rule *r; | ||||
1970 | |||||
1971 | if ((r = calloc(1, sizeof(struct ipsec_rule))) == NULL((void *)0)) | ||||
1972 | err(1, "%s", __func__); | ||||
1973 | |||||
1974 | r->src = copyhost(rule->src); | ||||
1975 | r->dst = copyhost(rule->dst); | ||||
1976 | r->local = copyhost(rule->local); | ||||
1977 | r->peer = copyhost(rule->peer); | ||||
1978 | r->auth = copyipsecauth(rule->auth); | ||||
1979 | r->ikeauth = copyikeauth(rule->ikeauth); | ||||
1980 | r->xfs = copytransforms(rule->xfs); | ||||
1981 | r->p1xfs = copytransforms(rule->p1xfs); | ||||
1982 | r->p2xfs = copytransforms(rule->p2xfs); | ||||
1983 | r->p1life = copylife(rule->p1life); | ||||
1984 | r->p2life = copylife(rule->p2life); | ||||
1985 | r->authkey = copykey(rule->authkey); | ||||
1986 | r->enckey = copykey(rule->enckey); | ||||
1987 | r->tag = copytag(rule->tag); | ||||
1988 | |||||
1989 | r->p1ie = rule->p1ie; | ||||
1990 | r->p2ie = rule->p2ie; | ||||
1991 | r->type = rule->type; | ||||
1992 | r->satype = rule->satype; | ||||
1993 | r->proto = rule->proto; | ||||
1994 | r->tmode = rule->tmode; | ||||
1995 | r->direction = rule->direction; | ||||
1996 | r->flowtype = rule->flowtype; | ||||
1997 | r->sport = rule->sport; | ||||
1998 | r->dport = rule->dport; | ||||
1999 | r->ikemode = rule->ikemode; | ||||
2000 | r->spi = rule->spi; | ||||
2001 | r->udpencap = rule->udpencap; | ||||
2002 | r->udpdport = rule->udpdport; | ||||
2003 | r->nr = rule->nr; | ||||
2004 | |||||
2005 | return (r); | ||||
2006 | } | ||||
2007 | |||||
2008 | int | ||||
2009 | validate_af(struct ipsec_addr_wrap *src, struct ipsec_addr_wrap *dst) | ||||
2010 | { | ||||
2011 | struct ipsec_addr_wrap *ta; | ||||
2012 | u_int8_t src_v4 = 0; | ||||
2013 | u_int8_t dst_v4 = 0; | ||||
2014 | u_int8_t src_v6 = 0; | ||||
2015 | u_int8_t dst_v6 = 0; | ||||
2016 | |||||
2017 | for (ta = src; ta; ta = ta->next) { | ||||
2018 | if (ta->af == AF_INET2) | ||||
2019 | src_v4 = 1; | ||||
2020 | if (ta->af == AF_INET624) | ||||
2021 | src_v6 = 1; | ||||
2022 | if (ta->af == AF_UNSPEC0) | ||||
2023 | return 0; | ||||
2024 | if (src_v4 && src_v6) | ||||
2025 | break; | ||||
2026 | } | ||||
2027 | for (ta = dst; ta; ta = ta->next) { | ||||
2028 | if (ta->af == AF_INET2) | ||||
2029 | dst_v4 = 1; | ||||
2030 | if (ta->af == AF_INET624) | ||||
2031 | dst_v6 = 1; | ||||
2032 | if (ta->af == AF_UNSPEC0) | ||||
2033 | return 0; | ||||
2034 | if (dst_v4 && dst_v6) | ||||
2035 | break; | ||||
2036 | } | ||||
2037 | if (src_v4 != dst_v4 && src_v6 != dst_v6) | ||||
2038 | return (1); | ||||
2039 | |||||
2040 | return (0); | ||||
2041 | } | ||||
2042 | |||||
2043 | |||||
2044 | int | ||||
2045 | validate_sa(u_int32_t spi, u_int8_t satype, struct ipsec_transforms *xfs, | ||||
2046 | struct ipsec_key *authkey, struct ipsec_key *enckey, u_int8_t tmode) | ||||
2047 | { | ||||
2048 | /* Sanity checks */ | ||||
2049 | if (spi == 0) { | ||||
2050 | yyerror("no SPI specified"); | ||||
2051 | return (0); | ||||
2052 | } | ||||
2053 | if (satype == IPSEC_AH) { | ||||
2054 | if (!xfs) { | ||||
2055 | yyerror("no transforms specified"); | ||||
2056 | return (0); | ||||
2057 | } | ||||
2058 | if (!xfs->authxf) | ||||
2059 | xfs->authxf = &authxfs[AUTHXF_HMAC_SHA2_256]; | ||||
2060 | if (xfs->encxf) { | ||||
2061 | yyerror("ah does not provide encryption"); | ||||
2062 | return (0); | ||||
2063 | } | ||||
2064 | if (xfs->compxf) { | ||||
2065 | yyerror("ah does not provide compression"); | ||||
2066 | return (0); | ||||
2067 | } | ||||
2068 | } | ||||
2069 | if (satype == IPSEC_ESP) { | ||||
2070 | if (!xfs) { | ||||
2071 | yyerror("no transforms specified"); | ||||
2072 | return (0); | ||||
2073 | } | ||||
2074 | if (xfs->compxf) { | ||||
2075 | yyerror("esp does not provide compression"); | ||||
2076 | return (0); | ||||
2077 | } | ||||
2078 | if (!xfs->encxf) | ||||
2079 | xfs->encxf = &encxfs[ENCXF_AES]; | ||||
2080 | if (xfs->encxf->nostatic) { | ||||
2081 | yyerror("%s is disallowed with static keys", | ||||
2082 | xfs->encxf->name); | ||||
2083 | return 0; | ||||
2084 | } | ||||
2085 | if (xfs->encxf->noauth && xfs->authxf) { | ||||
2086 | yyerror("authentication is implicit for %s", | ||||
2087 | xfs->encxf->name); | ||||
2088 | return (0); | ||||
2089 | } else if (!xfs->encxf->noauth && !xfs->authxf) | ||||
2090 | xfs->authxf = &authxfs[AUTHXF_HMAC_SHA2_256]; | ||||
2091 | } | ||||
2092 | if (satype == IPSEC_IPCOMP) { | ||||
2093 | if (!xfs) { | ||||
2094 | yyerror("no transform specified"); | ||||
2095 | return (0); | ||||
2096 | } | ||||
2097 | if (xfs->authxf || xfs->encxf) { | ||||
2098 | yyerror("no encryption or authentication with ipcomp"); | ||||
2099 | return (0); | ||||
2100 | } | ||||
2101 | if (!xfs->compxf) | ||||
2102 | xfs->compxf = &compxfs[COMPXF_DEFLATE]; | ||||
2103 | } | ||||
2104 | if (satype == IPSEC_IPIP) { | ||||
2105 | if (!xfs) { | ||||
2106 | yyerror("no transform specified"); | ||||
2107 | return (0); | ||||
2108 | } | ||||
2109 | if (xfs->authxf || xfs->encxf || xfs->compxf) { | ||||
2110 | yyerror("no encryption, authentication or compression" | ||||
2111 | " with ipip"); | ||||
2112 | return (0); | ||||
2113 | } | ||||
2114 | } | ||||
2115 | if (satype == IPSEC_TCPMD5 && authkey == NULL((void *)0) && tmode != | ||||
2116 | IPSEC_TRANSPORT) { | ||||
2117 | yyerror("authentication key needed for tcpmd5"); | ||||
2118 | return (0); | ||||
2119 | } | ||||
2120 | if (xfs && xfs->authxf) { | ||||
2121 | if (!authkey && xfs->authxf != &authxfs[AUTHXF_NONE]) { | ||||
2122 | yyerror("no authentication key specified"); | ||||
2123 | return (0); | ||||
2124 | } | ||||
2125 | if (authkey && authkey->len != xfs->authxf->keymin) { | ||||
2126 | yyerror("wrong authentication key length, needs to be " | ||||
2127 | "%zu bits", xfs->authxf->keymin * 8); | ||||
2128 | return (0); | ||||
2129 | } | ||||
2130 | } | ||||
2131 | if (xfs && xfs->encxf) { | ||||
2132 | if (!enckey && xfs->encxf != &encxfs[ENCXF_NULL]) { | ||||
2133 | yyerror("no encryption key specified"); | ||||
2134 | return (0); | ||||
2135 | } | ||||
2136 | if (enckey) { | ||||
2137 | if (enckey->len < xfs->encxf->keymin) { | ||||
2138 | yyerror("encryption key too short (%zu bits), " | ||||
2139 | "minimum %zu bits", enckey->len * 8, | ||||
2140 | xfs->encxf->keymin * 8); | ||||
2141 | return (0); | ||||
2142 | } | ||||
2143 | if (xfs->encxf->keymax < enckey->len) { | ||||
2144 | yyerror("encryption key too long (%zu bits), " | ||||
2145 | "maximum %zu bits", enckey->len * 8, | ||||
2146 | xfs->encxf->keymax * 8); | ||||
2147 | return (0); | ||||
2148 | } | ||||
2149 | } | ||||
2150 | } | ||||
2151 | |||||
2152 | return 1; | ||||
2153 | } | ||||
2154 | |||||
2155 | int | ||||
2156 | add_sabundle(struct ipsec_rule *r, char *bundle) | ||||
2157 | { | ||||
2158 | struct ipsec_rule *rp, *last, *sabundle; | ||||
2159 | int found = 0; | ||||
2160 | |||||
2161 | TAILQ_FOREACH(rp, &ipsec->bundle_queue, bundle_entry)for((rp) = ((&ipsec->bundle_queue)->tqh_first); (rp ) != ((void *)0); (rp) = ((rp)->bundle_entry.tqe_next)) { | ||||
2162 | if ((strcmp(rp->src->name, r->src->name) == 0) && | ||||
2163 | (strcmp(rp->dst->name, r->dst->name) == 0) && | ||||
2164 | (strcmp(rp->bundle, bundle) == 0)) { | ||||
2165 | found = 1; | ||||
2166 | break; | ||||
2167 | } | ||||
2168 | } | ||||
2169 | if (found) { | ||||
2170 | last = TAILQ_LAST(&rp->dst_bundle_queue, dst_bundle_queue)(*(((struct dst_bundle_queue *)((&rp->dst_bundle_queue )->tqh_last))->tqh_last)); | ||||
2171 | TAILQ_INSERT_TAIL(&rp->dst_bundle_queue, r, dst_bundle_entry)do { (r)->dst_bundle_entry.tqe_next = ((void *)0); (r)-> dst_bundle_entry.tqe_prev = (&rp->dst_bundle_queue)-> tqh_last; *(&rp->dst_bundle_queue)->tqh_last = (r); (&rp->dst_bundle_queue)->tqh_last = &(r)->dst_bundle_entry .tqe_next; } while (0); | ||||
2172 | |||||
2173 | sabundle = create_sabundle(last->dst, last->satype, last->spi, | ||||
2174 | r->dst, r->satype, r->spi); | ||||
2175 | if (sabundle == NULL((void *)0)) | ||||
2176 | return (1); | ||||
2177 | sabundle->nr = ipsec->rule_nr++; | ||||
2178 | if (ipsecctl_add_rule(ipsec, sabundle)) | ||||
2179 | return (1); | ||||
2180 | } else { | ||||
2181 | TAILQ_INSERT_TAIL(&ipsec->bundle_queue, r, bundle_entry)do { (r)->bundle_entry.tqe_next = ((void *)0); (r)->bundle_entry .tqe_prev = (&ipsec->bundle_queue)->tqh_last; *(& ipsec->bundle_queue)->tqh_last = (r); (&ipsec->bundle_queue )->tqh_last = &(r)->bundle_entry.tqe_next; } while ( 0); | ||||
2182 | TAILQ_INIT(&r->dst_bundle_queue)do { (&r->dst_bundle_queue)->tqh_first = ((void *)0 ); (&r->dst_bundle_queue)->tqh_last = &(&r-> dst_bundle_queue)->tqh_first; } while (0); | ||||
2183 | TAILQ_INSERT_TAIL(&r->dst_bundle_queue, r, dst_bundle_entry)do { (r)->dst_bundle_entry.tqe_next = ((void *)0); (r)-> dst_bundle_entry.tqe_prev = (&r->dst_bundle_queue)-> tqh_last; *(&r->dst_bundle_queue)->tqh_last = (r); ( &r->dst_bundle_queue)->tqh_last = &(r)->dst_bundle_entry .tqe_next; } while (0); | ||||
2184 | r->bundle = bundle; | ||||
2185 | } | ||||
2186 | |||||
2187 | return (0); | ||||
2188 | } | ||||
2189 | |||||
2190 | struct ipsec_rule * | ||||
2191 | create_sa(u_int8_t satype, u_int8_t tmode, struct ipsec_hosts *hosts, | ||||
2192 | u_int32_t spi, u_int8_t udpencap, u_int16_t udpdport, | ||||
2193 | struct ipsec_transforms *xfs, struct ipsec_key *authkey, struct ipsec_key *enckey) | ||||
2194 | { | ||||
2195 | struct ipsec_rule *r; | ||||
2196 | |||||
2197 | if (validate_sa(spi, satype, xfs, authkey, enckey, tmode) == 0) | ||||
2198 | return (NULL((void *)0)); | ||||
2199 | |||||
2200 | r = calloc(1, sizeof(struct ipsec_rule)); | ||||
2201 | if (r == NULL((void *)0)) | ||||
2202 | err(1, "%s", __func__); | ||||
2203 | |||||
2204 | r->type |= RULE_SA0x02; | ||||
2205 | r->satype = satype; | ||||
2206 | r->tmode = tmode; | ||||
2207 | r->src = hosts->src; | ||||
2208 | r->dst = hosts->dst; | ||||
2209 | r->spi = spi; | ||||
2210 | r->udpencap = udpencap; | ||||
2211 | r->udpdport = udpdport; | ||||
2212 | r->xfs = xfs; | ||||
2213 | r->authkey = authkey; | ||||
2214 | r->enckey = enckey; | ||||
2215 | |||||
2216 | return r; | ||||
2217 | } | ||||
2218 | |||||
2219 | struct ipsec_rule * | ||||
2220 | reverse_sa(struct ipsec_rule *rule, u_int32_t spi, struct ipsec_key *authkey, | ||||
2221 | struct ipsec_key *enckey) | ||||
2222 | { | ||||
2223 | struct ipsec_rule *reverse; | ||||
2224 | |||||
2225 | if (validate_sa(spi, rule->satype, rule->xfs, authkey, enckey, | ||||
2226 | rule->tmode) == 0) | ||||
2227 | return (NULL((void *)0)); | ||||
2228 | |||||
2229 | reverse = calloc(1, sizeof(struct ipsec_rule)); | ||||
2230 | if (reverse == NULL((void *)0)) | ||||
2231 | err(1, "%s", __func__); | ||||
2232 | |||||
2233 | reverse->type |= RULE_SA0x02; | ||||
2234 | reverse->satype = rule->satype; | ||||
2235 | reverse->tmode = rule->tmode; | ||||
2236 | reverse->src = copyhost(rule->dst); | ||||
2237 | reverse->dst = copyhost(rule->src); | ||||
2238 | reverse->spi = spi; | ||||
2239 | reverse->udpencap = rule->udpencap; | ||||
2240 | reverse->udpdport = rule->udpdport; | ||||
2241 | reverse->xfs = copytransforms(rule->xfs); | ||||
2242 | reverse->authkey = authkey; | ||||
2243 | reverse->enckey = enckey; | ||||
2244 | |||||
2245 | return (reverse); | ||||
2246 | } | ||||
2247 | |||||
2248 | struct ipsec_rule * | ||||
2249 | create_sabundle(struct ipsec_addr_wrap *dst, u_int8_t proto, u_int32_t spi, | ||||
2250 | struct ipsec_addr_wrap *dst2, u_int8_t proto2, u_int32_t spi2) | ||||
2251 | { | ||||
2252 | struct ipsec_rule *r; | ||||
2253 | |||||
2254 | r = calloc(1, sizeof(struct ipsec_rule)); | ||||
2255 | if (r == NULL((void *)0)) | ||||
2256 | err(1, "%s", __func__); | ||||
2257 | |||||
2258 | r->type |= RULE_BUNDLE0x08; | ||||
2259 | |||||
2260 | r->dst = copyhost(dst); | ||||
2261 | r->dst2 = copyhost(dst2); | ||||
2262 | r->proto = proto; | ||||
2263 | r->proto2 = proto2; | ||||
2264 | r->spi = spi; | ||||
2265 | r->spi2 = spi2; | ||||
2266 | r->satype = proto; | ||||
2267 | |||||
2268 | return (r); | ||||
2269 | } | ||||
2270 | |||||
2271 | struct ipsec_rule * | ||||
2272 | create_flow(u_int8_t dir, u_int8_t proto, struct ipsec_hosts *hosts, | ||||
2273 | u_int8_t satype, char *srcid, char *dstid, u_int8_t type) | ||||
2274 | { | ||||
2275 | struct ipsec_rule *r; | ||||
2276 | |||||
2277 | r = calloc(1, sizeof(struct ipsec_rule)); | ||||
2278 | if (r == NULL((void *)0)) | ||||
2279 | err(1, "%s", __func__); | ||||
2280 | |||||
2281 | r->type |= RULE_FLOW0x01; | ||||
2282 | |||||
2283 | if (dir == IPSEC_INOUT) | ||||
2284 | r->direction = IPSEC_OUT; | ||||
2285 | else | ||||
2286 | r->direction = dir; | ||||
2287 | |||||
2288 | r->satype = satype; | ||||
2289 | r->proto = proto; | ||||
2290 | r->src = hosts->src; | ||||
2291 | r->sport = hosts->sport; | ||||
2292 | r->dst = hosts->dst; | ||||
2293 | r->dport = hosts->dport; | ||||
2294 | if ((hosts->sport != 0 || hosts->dport != 0) && | ||||
2295 | (proto != IPPROTO_TCP6 && proto != IPPROTO_UDP17)) { | ||||
2296 | yyerror("no protocol supplied with source/destination ports"); | ||||
2297 | goto errout; | ||||
2298 | } | ||||
2299 | |||||
2300 | switch (satype) { | ||||
2301 | case IPSEC_IPCOMP: | ||||
2302 | case IPSEC_IPIP: | ||||
2303 | if (type == TYPE_UNKNOWN) | ||||
2304 | type = TYPE_USE; | ||||
2305 | break; | ||||
2306 | default: | ||||
2307 | if (type == TYPE_UNKNOWN) | ||||
2308 | type = TYPE_REQUIRE; | ||||
2309 | break; | ||||
2310 | } | ||||
2311 | |||||
2312 | r->flowtype = type; | ||||
2313 | if (type == TYPE_DENY || type == TYPE_BYPASS) | ||||
2314 | return (r); | ||||
2315 | |||||
2316 | r->auth = calloc(1, sizeof(struct ipsec_auth)); | ||||
2317 | if (r->auth == NULL((void *)0)) | ||||
2318 | err(1, "%s", __func__); | ||||
2319 | r->auth->srcid = srcid; | ||||
2320 | r->auth->dstid = dstid; | ||||
2321 | r->auth->srcid_type = get_id_type(srcid); | ||||
2322 | r->auth->dstid_type = get_id_type(dstid); | ||||
2323 | return r; | ||||
2324 | |||||
2325 | errout: | ||||
2326 | free(r); | ||||
2327 | if (srcid) | ||||
2328 | free(srcid); | ||||
2329 | if (dstid) | ||||
2330 | free(dstid); | ||||
2331 | free(hosts->src); | ||||
2332 | hosts->src = NULL((void *)0); | ||||
2333 | free(hosts->dst); | ||||
2334 | hosts->dst = NULL((void *)0); | ||||
2335 | |||||
2336 | return NULL((void *)0); | ||||
2337 | } | ||||
2338 | |||||
2339 | void | ||||
2340 | expand_any(struct ipsec_addr_wrap *ipa_in) | ||||
2341 | { | ||||
2342 | struct ipsec_addr_wrap *oldnext, *ipa; | ||||
2343 | |||||
2344 | for (ipa = ipa_in; ipa; ipa = ipa->next) { | ||||
2345 | if (ipa->af != AF_UNSPEC0) | ||||
2346 | continue; | ||||
2347 | oldnext = ipa->next; | ||||
2348 | |||||
2349 | ipa->af = AF_INET2; | ||||
2350 | ipa->netaddress = 1; | ||||
2351 | if ((ipa->name = strdup("0.0.0.0/0")) == NULL((void *)0)) | ||||
2352 | err(1, "%s", __func__); | ||||
2353 | |||||
2354 | ipa->next = calloc(1, sizeof(struct ipsec_addr_wrap)); | ||||
2355 | if (ipa->next == NULL((void *)0)) | ||||
2356 | err(1, "%s", __func__); | ||||
2357 | ipa->next->af = AF_INET624; | ||||
2358 | ipa->next->netaddress = 1; | ||||
2359 | if ((ipa->next->name = strdup("::/0")) == NULL((void *)0)) | ||||
2360 | err(1, "%s", __func__); | ||||
2361 | |||||
2362 | ipa->next->next = oldnext; | ||||
2363 | } | ||||
2364 | } | ||||
2365 | |||||
2366 | int | ||||
2367 | set_rule_peers(struct ipsec_rule *r, struct ipsec_hosts *peers) | ||||
2368 | { | ||||
2369 | if (r->type == RULE_FLOW0x01 && | ||||
2370 | (r->flowtype == TYPE_DENY || r->flowtype == TYPE_BYPASS)) | ||||
2371 | return (0); | ||||
2372 | |||||
2373 | r->local = copyhost(peers->src); | ||||
2374 | r->peer = copyhost(peers->dst); | ||||
2375 | if (r->peer == NULL((void *)0)) { | ||||
2376 | /* Set peer to remote host. Must be a host address. */ | ||||
2377 | if (r->direction == IPSEC_IN) { | ||||
2378 | if (!r->src->netaddress) | ||||
2379 | r->peer = copyhost(r->src); | ||||
2380 | } else { | ||||
2381 | if (!r->dst->netaddress) | ||||
2382 | r->peer = copyhost(r->dst); | ||||
2383 | } | ||||
2384 | } | ||||
2385 | if (r->type == RULE_FLOW0x01 && r->peer == NULL((void *)0)) { | ||||
2386 | yyerror("no peer specified for destination %s", | ||||
2387 | r->dst->name); | ||||
2388 | return (1); | ||||
2389 | } | ||||
2390 | if (r->peer != NULL((void *)0) && r->peer->af == AF_UNSPEC0) { | ||||
2391 | /* If peer has been specified as any, use the default peer. */ | ||||
2392 | free(r->peer); | ||||
2393 | r->peer = NULL((void *)0); | ||||
2394 | } | ||||
2395 | if (r->type == RULE_IKE0x04 && r->peer == NULL((void *)0)) { | ||||
2396 | /* | ||||
2397 | * Check if the default peer is consistent for all | ||||
2398 | * rules. Only warn to avoid breaking existing configs. | ||||
2399 | */ | ||||
2400 | static struct ipsec_rule *pdr = NULL((void *)0); | ||||
2401 | |||||
2402 | if (pdr == NULL((void *)0)) { | ||||
2403 | /* Remember first default peer rule for comparison. */ | ||||
2404 | pdr = r; | ||||
2405 | } else { | ||||
2406 | /* The new default peer must create the same config. */ | ||||
2407 | if ((pdr->local == NULL((void *)0) && r->local != NULL((void *)0)) || | ||||
2408 | (pdr->local != NULL((void *)0) && r->local == NULL((void *)0)) || | ||||
2409 | (pdr->local != NULL((void *)0) && r->local != NULL((void *)0) && | ||||
2410 | strcmp(pdr->local->name, r->local->name))) | ||||
2411 | yywarn("default peer local mismatch"); | ||||
2412 | if (pdr->ikeauth->type != r->ikeauth->type) | ||||
2413 | yywarn("default peer phase 1 auth mismatch"); | ||||
2414 | if (pdr->ikeauth->type == IKE_AUTH_PSK && | ||||
2415 | r->ikeauth->type == IKE_AUTH_PSK && | ||||
2416 | strcmp(pdr->ikeauth->string, r->ikeauth->string)) | ||||
2417 | yywarn("default peer psk mismatch"); | ||||
2418 | if (pdr->p1ie != r->p1ie) | ||||
2419 | yywarn("default peer phase 1 mode mismatch"); | ||||
2420 | /* | ||||
2421 | * Transforms have ADD insted of SET so they may be | ||||
2422 | * different and are not checked here. | ||||
2423 | */ | ||||
2424 | if ((pdr->auth->srcid == NULL((void *)0) && | ||||
2425 | r->auth->srcid != NULL((void *)0)) || | ||||
2426 | (pdr->auth->srcid != NULL((void *)0) && | ||||
2427 | r->auth->srcid == NULL((void *)0)) || | ||||
2428 | (pdr->auth->srcid != NULL((void *)0) && | ||||
2429 | r->auth->srcid != NULL((void *)0) && | ||||
2430 | strcmp(pdr->auth->srcid, r->auth->srcid))) | ||||
2431 | yywarn("default peer srcid mismatch"); | ||||
2432 | if ((pdr->auth->dstid == NULL((void *)0) && | ||||
2433 | r->auth->dstid != NULL((void *)0)) || | ||||
2434 | (pdr->auth->dstid != NULL((void *)0) && | ||||
2435 | r->auth->dstid == NULL((void *)0)) || | ||||
2436 | (pdr->auth->dstid != NULL((void *)0) && | ||||
2437 | r->auth->dstid != NULL((void *)0) && | ||||
2438 | strcmp(pdr->auth->dstid, r->auth->dstid))) | ||||
2439 | yywarn("default peer dstid mismatch"); | ||||
2440 | } | ||||
2441 | } | ||||
2442 | return (0); | ||||
2443 | } | ||||
2444 | |||||
2445 | int | ||||
2446 | expand_rule(struct ipsec_rule *rule, struct ipsec_hosts *peers, | ||||
2447 | u_int8_t direction, u_int32_t spi, struct ipsec_key *authkey, | ||||
2448 | struct ipsec_key *enckey, char *bundle) | ||||
2449 | { | ||||
2450 | struct ipsec_rule *r, *revr; | ||||
2451 | struct ipsec_addr_wrap *src, *dst; | ||||
2452 | int added = 0, ret = 1; | ||||
2453 | |||||
2454 | if (validate_af(rule->src, rule->dst)) { | ||||
2455 | yyerror("source/destination address families do not match"); | ||||
2456 | goto errout; | ||||
2457 | } | ||||
2458 | expand_any(rule->src); | ||||
2459 | expand_any(rule->dst); | ||||
2460 | for (src = rule->src; src; src = src->next) { | ||||
2461 | for (dst = rule->dst; dst; dst = dst->next) { | ||||
2462 | if (src->af != dst->af) | ||||
2463 | continue; | ||||
2464 | r = copyrule(rule); | ||||
2465 | |||||
2466 | r->src = copyhost(src); | ||||
2467 | r->dst = copyhost(dst); | ||||
2468 | |||||
2469 | if (peers && set_rule_peers(r, peers)) { | ||||
2470 | ipsecctl_free_rule(r); | ||||
2471 | goto errout; | ||||
2472 | } | ||||
2473 | |||||
2474 | r->nr = ipsec->rule_nr++; | ||||
2475 | if (ipsecctl_add_rule(ipsec, r)) | ||||
2476 | goto out; | ||||
2477 | if (bundle && add_sabundle(r, bundle)) | ||||
2478 | goto out; | ||||
2479 | |||||
2480 | if (direction == IPSEC_INOUT) { | ||||
2481 | /* Create and add reverse flow rule. */ | ||||
2482 | revr = reverse_rule(r); | ||||
2483 | if (revr == NULL((void *)0)) | ||||
2484 | goto out; | ||||
2485 | |||||
2486 | revr->nr = ipsec->rule_nr++; | ||||
2487 | if (ipsecctl_add_rule(ipsec, revr)) | ||||
2488 | goto out; | ||||
2489 | if (bundle && add_sabundle(revr, bundle)) | ||||
2490 | goto out; | ||||
2491 | } else if (spi != 0 || authkey || enckey) { | ||||
2492 | /* Create and add reverse sa rule. */ | ||||
2493 | revr = reverse_sa(r, spi, authkey, enckey); | ||||
2494 | if (revr == NULL((void *)0)) | ||||
2495 | goto out; | ||||
2496 | |||||
2497 | revr->nr = ipsec->rule_nr++; | ||||
2498 | if (ipsecctl_add_rule(ipsec, revr)) | ||||
2499 | goto out; | ||||
2500 | if (bundle && add_sabundle(revr, bundle)) | ||||
2501 | goto out; | ||||
2502 | } | ||||
2503 | added++; | ||||
2504 | } | ||||
2505 | } | ||||
2506 | if (!added) | ||||
2507 | yyerror("rule expands to no valid combination"); | ||||
2508 | errout: | ||||
2509 | ret = 0; | ||||
2510 | ipsecctl_free_rule(rule); | ||||
2511 | out: | ||||
2512 | if (peers) { | ||||
2513 | if (peers->src) | ||||
2514 | free(peers->src); | ||||
2515 | if (peers->dst) | ||||
2516 | free(peers->dst); | ||||
2517 | } | ||||
2518 | return (ret); | ||||
2519 | } | ||||
2520 | |||||
2521 | struct ipsec_rule * | ||||
2522 | reverse_rule(struct ipsec_rule *rule) | ||||
2523 | { | ||||
2524 | struct ipsec_rule *reverse; | ||||
2525 | |||||
2526 | reverse = calloc(1, sizeof(struct ipsec_rule)); | ||||
2527 | if (reverse == NULL((void *)0)) | ||||
2528 | err(1, "%s", __func__); | ||||
2529 | |||||
2530 | reverse->type |= RULE_FLOW0x01; | ||||
2531 | |||||
2532 | /* Reverse direction */ | ||||
2533 | if (rule->direction == (u_int8_t)IPSEC_OUT) | ||||
2534 | reverse->direction = (u_int8_t)IPSEC_IN; | ||||
2535 | else | ||||
2536 | reverse->direction = (u_int8_t)IPSEC_OUT; | ||||
2537 | |||||
2538 | reverse->flowtype = rule->flowtype; | ||||
2539 | reverse->src = copyhost(rule->dst); | ||||
2540 | reverse->dst = copyhost(rule->src); | ||||
2541 | reverse->sport = rule->dport; | ||||
2542 | reverse->dport = rule->sport; | ||||
2543 | if (rule->local) | ||||
2544 | reverse->local = copyhost(rule->local); | ||||
2545 | if (rule->peer) | ||||
2546 | reverse->peer = copyhost(rule->peer); | ||||
2547 | reverse->satype = rule->satype; | ||||
2548 | reverse->proto = rule->proto; | ||||
2549 | |||||
2550 | if (rule->auth) { | ||||
2551 | reverse->auth = calloc(1, sizeof(struct ipsec_auth)); | ||||
2552 | if (reverse->auth == NULL((void *)0)) | ||||
2553 | err(1, "%s", __func__); | ||||
2554 | if (rule->auth->dstid && (reverse->auth->dstid = | ||||
2555 | strdup(rule->auth->dstid)) == NULL((void *)0)) | ||||
2556 | err(1, "%s", __func__); | ||||
2557 | if (rule->auth->srcid && (reverse->auth->srcid = | ||||
2558 | strdup(rule->auth->srcid)) == NULL((void *)0)) | ||||
2559 | err(1, "%s", __func__); | ||||
2560 | reverse->auth->srcid_type = rule->auth->srcid_type; | ||||
2561 | reverse->auth->dstid_type = rule->auth->dstid_type; | ||||
2562 | reverse->auth->type = rule->auth->type; | ||||
2563 | } | ||||
2564 | |||||
2565 | return reverse; | ||||
2566 | } | ||||
2567 | |||||
2568 | struct ipsec_rule * | ||||
2569 | create_ike(u_int8_t proto, struct ipsec_hosts *hosts, | ||||
2570 | struct ike_mode *phase1mode, struct ike_mode *phase2mode, u_int8_t satype, | ||||
2571 | u_int8_t tmode, u_int8_t mode, char *srcid, char *dstid, | ||||
2572 | struct ike_auth *authtype, char *tag) | ||||
2573 | { | ||||
2574 | struct ipsec_rule *r; | ||||
2575 | |||||
2576 | r = calloc(1, sizeof(struct ipsec_rule)); | ||||
2577 | if (r == NULL((void *)0)) | ||||
2578 | err(1, "%s", __func__); | ||||
2579 | |||||
2580 | r->type = RULE_IKE0x04; | ||||
2581 | |||||
2582 | r->proto = proto; | ||||
2583 | r->src = hosts->src; | ||||
2584 | r->sport = hosts->sport; | ||||
2585 | r->dst = hosts->dst; | ||||
2586 | r->dport = hosts->dport; | ||||
2587 | if ((hosts->sport != 0 || hosts->dport != 0) && | ||||
2588 | (proto != IPPROTO_TCP6 && proto != IPPROTO_UDP17)) { | ||||
2589 | yyerror("no protocol supplied with source/destination ports"); | ||||
2590 | goto errout; | ||||
2591 | } | ||||
2592 | |||||
2593 | r->satype = satype; | ||||
2594 | r->tmode = tmode; | ||||
2595 | r->ikemode = mode; | ||||
2596 | if (phase1mode) { | ||||
2597 | r->p1xfs = phase1mode->xfs; | ||||
2598 | r->p1life = phase1mode->life; | ||||
2599 | r->p1ie = phase1mode->ike_exch; | ||||
2600 | } else { | ||||
2601 | r->p1ie = IKE_MM; | ||||
2602 | } | ||||
2603 | if (phase2mode) { | ||||
2604 | if (phase2mode->xfs && phase2mode->xfs->encxf && | ||||
2605 | phase2mode->xfs->encxf->noauth && | ||||
2606 | phase2mode->xfs->authxf) { | ||||
2607 | yyerror("authentication is implicit for %s", | ||||
2608 | phase2mode->xfs->encxf->name); | ||||
2609 | goto errout; | ||||
2610 | } | ||||
2611 | r->p2xfs = phase2mode->xfs; | ||||
2612 | r->p2life = phase2mode->life; | ||||
2613 | r->p2ie = phase2mode->ike_exch; | ||||
2614 | } else { | ||||
2615 | r->p2ie = IKE_QM; | ||||
2616 | } | ||||
2617 | |||||
2618 | r->auth = calloc(1, sizeof(struct ipsec_auth)); | ||||
2619 | if (r->auth == NULL((void *)0)) | ||||
2620 | err(1, "%s", __func__); | ||||
2621 | r->auth->srcid = srcid; | ||||
2622 | r->auth->dstid = dstid; | ||||
2623 | r->auth->srcid_type = get_id_type(srcid); | ||||
2624 | r->auth->dstid_type = get_id_type(dstid); | ||||
2625 | r->ikeauth = calloc(1, sizeof(struct ike_auth)); | ||||
2626 | if (r->ikeauth == NULL((void *)0)) | ||||
2627 | err(1, "%s", __func__); | ||||
2628 | r->ikeauth->type = authtype->type; | ||||
2629 | r->ikeauth->string = authtype->string; | ||||
2630 | r->tag = tag; | ||||
2631 | |||||
2632 | return (r); | ||||
2633 | |||||
2634 | errout: | ||||
2635 | free(r); | ||||
2636 | free(hosts->src); | ||||
2637 | hosts->src = NULL((void *)0); | ||||
2638 | free(hosts->dst); | ||||
2639 | hosts->dst = NULL((void *)0); | ||||
2640 | if (phase1mode) { | ||||
2641 | free(phase1mode->xfs); | ||||
2642 | phase1mode->xfs = NULL((void *)0); | ||||
2643 | free(phase1mode->life); | ||||
2644 | phase1mode->life = NULL((void *)0); | ||||
2645 | } | ||||
2646 | if (phase2mode) { | ||||
2647 | free(phase2mode->xfs); | ||||
2648 | phase2mode->xfs = NULL((void *)0); | ||||
2649 | free(phase2mode->life); | ||||
2650 | phase2mode->life = NULL((void *)0); | ||||
2651 | } | ||||
2652 | if (srcid) | ||||
2653 | free(srcid); | ||||
2654 | if (dstid) | ||||
2655 | free(dstid); | ||||
2656 | return NULL((void *)0); | ||||
2657 | } | ||||
2658 | #line 2651 "parse.c" | ||||
2659 | /* allocate initial stack or double stack size, up to YYMAXDEPTH */ | ||||
2660 | static int yygrowstack(void) | ||||
2661 | { | ||||
2662 | unsigned int newsize; | ||||
2663 | long sslen; | ||||
2664 | short *newss; | ||||
2665 | YYSTYPE *newvs; | ||||
2666 | |||||
2667 | if ((newsize = yystacksize) == 0) | ||||
2668 | newsize = YYINITSTACKSIZE200; | ||||
2669 | else if (newsize >= YYMAXDEPTH10000) | ||||
2670 | return -1; | ||||
2671 | else if ((newsize *= 2) > YYMAXDEPTH10000) | ||||
2672 | newsize = YYMAXDEPTH10000; | ||||
2673 | sslen = yyssp - yyss; | ||||
2674 | #ifdef SIZE_MAX | ||||
2675 | #define YY_SIZE_MAX0xffffffffU SIZE_MAX | ||||
2676 | #else | ||||
2677 | #define YY_SIZE_MAX0xffffffffU 0xffffffffU | ||||
2678 | #endif | ||||
2679 | if (newsize && YY_SIZE_MAX0xffffffffU / newsize < sizeof *newss) | ||||
2680 | goto bail; | ||||
2681 | newss = (short *)realloc(yyss, newsize * sizeof *newss); | ||||
2682 | if (newss == NULL((void *)0)) | ||||
2683 | goto bail; | ||||
2684 | yyss = newss; | ||||
2685 | yyssp = newss + sslen; | ||||
2686 | if (newsize && YY_SIZE_MAX0xffffffffU / newsize < sizeof *newvs) | ||||
2687 | goto bail; | ||||
2688 | newvs = (YYSTYPE *)realloc(yyvs, newsize * sizeof *newvs); | ||||
2689 | if (newvs == NULL((void *)0)) | ||||
2690 | goto bail; | ||||
2691 | yyvs = newvs; | ||||
2692 | yyvsp = newvs + sslen; | ||||
2693 | yystacksize = newsize; | ||||
2694 | yysslim = yyss + newsize - 1; | ||||
2695 | return 0; | ||||
2696 | bail: | ||||
2697 | if (yyss) | ||||
2698 | free(yyss); | ||||
| |||||
2699 | if (yyvs) | ||||
2700 | free(yyvs); | ||||
2701 | yyss = yyssp = NULL((void *)0); | ||||
2702 | yyvs = yyvsp = NULL((void *)0); | ||||
2703 | yystacksize = 0; | ||||
2704 | return -1; | ||||
2705 | } | ||||
2706 | |||||
2707 | #define YYABORTgoto yyabort goto yyabort | ||||
2708 | #define YYREJECTgoto yyabort goto yyabort | ||||
2709 | #define YYACCEPTgoto yyaccept goto yyaccept | ||||
2710 | #define YYERRORgoto yyerrlab goto yyerrlab | ||||
2711 | int | ||||
2712 | yyparse(void) | ||||
2713 | { | ||||
2714 | int yym, yyn, yystate; | ||||
2715 | #if YYDEBUG0 | ||||
2716 | const char *yys; | ||||
2717 | |||||
2718 | if ((yys = getenv("YYDEBUG"))) | ||||
2719 | { | ||||
2720 | yyn = *yys; | ||||
2721 | if (yyn >= '0' && yyn <= '9') | ||||
2722 | yydebug = yyn - '0'; | ||||
2723 | } | ||||
2724 | #endif /* YYDEBUG */ | ||||
2725 | |||||
2726 | yynerrs = 0; | ||||
2727 | yyerrflag = 0; | ||||
2728 | yychar = (-1); | ||||
2729 | |||||
2730 | if (yyss == NULL((void *)0) && yygrowstack()) goto yyoverflow; | ||||
| |||||
2731 | yyssp = yyss; | ||||
2732 | yyvsp = yyvs; | ||||
2733 | *yyssp = yystate = 0; | ||||
2734 | |||||
2735 | yyloop: | ||||
2736 | if ((yyn = yydefred[yystate]) != 0) goto yyreduce; | ||||
2737 | if (yychar
| ||||
2738 | { | ||||
2739 | if ((yychar = yylex()) < 0) yychar = 0; | ||||
2740 | #if YYDEBUG0 | ||||
2741 | if (yydebug) | ||||
2742 | { | ||||
2743 | yys = 0; | ||||
2744 | if (yychar <= YYMAXTOKEN308) yys = yyname[yychar]; | ||||
2745 | if (!yys) yys = "illegal-symbol"; | ||||
2746 | printf("%sdebug: state %d, reading %d (%s)\n", | ||||
2747 | YYPREFIX"yy", yystate, yychar, yys); | ||||
2748 | } | ||||
2749 | #endif | ||||
2750 | } | ||||
2751 | if ((yyn = yysindex[yystate]) && (yyn += yychar) >= 0 && | ||||
2752 | yyn <= YYTABLESIZE566 && yycheck[yyn] == yychar) | ||||
2753 | { | ||||
2754 | #if YYDEBUG0 | ||||
2755 | if (yydebug) | ||||
2756 | printf("%sdebug: state %d, shifting to state %d\n", | ||||
2757 | YYPREFIX"yy", yystate, yytable[yyn]); | ||||
2758 | #endif | ||||
2759 | if (yyssp >= yysslim && yygrowstack()) | ||||
2760 | { | ||||
2761 | goto yyoverflow; | ||||
2762 | } | ||||
2763 | *++yyssp = yystate = yytable[yyn]; | ||||
2764 | *++yyvsp = yylval; | ||||
2765 | yychar = (-1); | ||||
2766 | if (yyerrflag > 0) --yyerrflag; | ||||
2767 | goto yyloop; | ||||
2768 | } | ||||
2769 | if ((yyn = yyrindex[yystate]) && (yyn += yychar) >= 0 && | ||||
2770 | yyn <= YYTABLESIZE566 && yycheck[yyn] == yychar) | ||||
2771 | { | ||||
2772 | yyn = yytable[yyn]; | ||||
2773 | goto yyreduce; | ||||
2774 | } | ||||
2775 | if (yyerrflag) goto yyinrecovery; | ||||
2776 | #if defined(__GNUC__4) | ||||
2777 | goto yynewerror; | ||||
2778 | #endif | ||||
2779 | yynewerror: | ||||
2780 | yyerror("syntax error"); | ||||
2781 | #if defined(__GNUC__4) | ||||
2782 | goto yyerrlab; | ||||
2783 | #endif | ||||
2784 | yyerrlab: | ||||
2785 | ++yynerrs; | ||||
2786 | yyinrecovery: | ||||
2787 | if (yyerrflag < 3) | ||||
2788 | { | ||||
2789 | yyerrflag = 3; | ||||
2790 | for (;;) | ||||
2791 | { | ||||
2792 | if ((yyn = yysindex[*yyssp]) && (yyn += YYERRCODE256) >= 0 && | ||||
2793 | yyn <= YYTABLESIZE566 && yycheck[yyn] == YYERRCODE256) | ||||
2794 | { | ||||
2795 | #if YYDEBUG0 | ||||
2796 | if (yydebug) | ||||
2797 | printf("%sdebug: state %d, error recovery shifting\ | ||||
2798 | to state %d\n", YYPREFIX"yy", *yyssp, yytable[yyn]); | ||||
2799 | #endif | ||||
2800 | if (yyssp >= yysslim && yygrowstack()) | ||||
2801 | { | ||||
2802 | goto yyoverflow; | ||||
2803 | } | ||||
2804 | *++yyssp = yystate = yytable[yyn]; | ||||
2805 | *++yyvsp = yylval; | ||||
2806 | goto yyloop; | ||||
2807 | } | ||||
2808 | else | ||||
2809 | { | ||||
2810 | #if YYDEBUG0 | ||||
2811 | if (yydebug) | ||||
2812 | printf("%sdebug: error recovery discarding state %d\n", | ||||
2813 | YYPREFIX"yy", *yyssp); | ||||
2814 | #endif | ||||
2815 | if (yyssp <= yyss) goto yyabort; | ||||
2816 | --yyssp; | ||||
2817 | --yyvsp; | ||||
2818 | } | ||||
2819 | } | ||||
2820 | } | ||||
2821 | else | ||||
2822 | { | ||||
2823 | if (yychar == 0) goto yyabort; | ||||
2824 | #if YYDEBUG0 | ||||
2825 | if (yydebug) | ||||
2826 | { | ||||
2827 | yys = 0; | ||||
2828 | if (yychar <= YYMAXTOKEN308) yys = yyname[yychar]; | ||||
2829 | if (!yys) yys = "illegal-symbol"; | ||||
2830 | printf("%sdebug: state %d, error recovery discards token %d (%s)\n", | ||||
2831 | YYPREFIX"yy", yystate, yychar, yys); | ||||
2832 | } | ||||
2833 | #endif | ||||
2834 | yychar = (-1); | ||||
2835 | goto yyloop; | ||||
2836 | } | ||||
2837 | yyreduce: | ||||
2838 | #if YYDEBUG0 | ||||
2839 | if (yydebug) | ||||
2840 | printf("%sdebug: state %d, reducing by rule %d (%s)\n", | ||||
2841 | YYPREFIX"yy", yystate, yyn, yyrule[yyn]); | ||||
2842 | #endif | ||||
2843 | yym = yylen[yyn]; | ||||
2844 | if (yym
| ||||
2845 | yyval = yyvsp[1-yym]; | ||||
2846 | else | ||||
2847 | memset(&yyval, 0, sizeof yyval); | ||||
2848 | switch (yyn) | ||||
2849 | { | ||||
2850 | case 9: | ||||
2851 | #line 329 "/usr/src/sbin/ipsecctl/parse.y" | ||||
2852 | { file->errors++; } | ||||
2853 | break; | ||||
2854 | case 12: | ||||
2855 | #line 336 "/usr/src/sbin/ipsecctl/parse.y" | ||||
2856 | { | ||||
2857 | struct file *nfile; | ||||
2858 | |||||
2859 | if ((nfile = pushfile(yyvsp[0].v.string, 0)) == NULL((void *)0)) { | ||||
2860 | yyerror("failed to include file %s", yyvsp[0].v.string); | ||||
2861 | free(yyvsp[0].v.string); | ||||
2862 | YYERRORgoto yyerrlab; | ||||
2863 | } | ||||
2864 | free(yyvsp[0].v.string); | ||||
2865 | |||||
2866 | file = nfile; | ||||
2867 | lungetc('\n'); | ||||
2868 | } | ||||
2869 | break; | ||||
2870 | case 13: | ||||
2871 | #line 351 "/usr/src/sbin/ipsecctl/parse.y" | ||||
2872 | { | ||||
2873 | struct ipsec_rule *r; | ||||
2874 | |||||
2875 | r = create_sa(IPSEC_TCPMD5, IPSEC_TRANSPORT, &yyvsp[-2].v.hosts, | ||||
2876 | yyvsp[-1].v.spis.spiout, 0, 0, NULL((void *)0), yyvsp[0].v.authkeys.keyout, NULL((void *)0)); | ||||
2877 | if (r == NULL((void *)0)) | ||||
2878 | YYERRORgoto yyerrlab; | ||||
2879 | |||||
2880 | if (expand_rule(r, NULL((void *)0), 0, yyvsp[-1].v.spis.spiin, yyvsp[0].v.authkeys.keyin, NULL((void *)0), | ||||
2881 | NULL((void *)0))) | ||||
2882 | errx(1, "tcpmd5rule: expand_rule"); | ||||
2883 | } | ||||
2884 | break; | ||||
2885 | case 14: | ||||
2886 | #line 366 "/usr/src/sbin/ipsecctl/parse.y" | ||||
2887 | { | ||||
2888 | struct ipsec_rule *r; | ||||
2889 | |||||
2890 | r = create_sa(yyvsp[-8].v.satype, yyvsp[-7].v.tmode, &yyvsp[-6].v.hosts, yyvsp[-5].v.spis.spiout, yyvsp[-4].v.udpencap.encap, yyvsp[-4].v.udpencap.port, | ||||
2891 | yyvsp[-3].v.transforms, yyvsp[-2].v.authkeys.keyout, yyvsp[-1].v.enckeys.keyout); | ||||
2892 | if (r == NULL((void *)0)) | ||||
2893 | YYERRORgoto yyerrlab; | ||||
2894 | |||||
2895 | if (expand_rule(r, NULL((void *)0), 0, yyvsp[-5].v.spis.spiin, yyvsp[-2].v.authkeys.keyin, | ||||
2896 | yyvsp[-1].v.enckeys.keyin, yyvsp[0].v.string)) | ||||
2897 | errx(1, "sarule: expand_rule"); | ||||
2898 | } | ||||
2899 | break; | ||||
2900 | case 15: | ||||
2901 | #line 380 "/usr/src/sbin/ipsecctl/parse.y" | ||||
2902 | { | ||||
2903 | struct ipsec_rule *r; | ||||
2904 | |||||
2905 | r = create_flow(yyvsp[-5].v.dir, yyvsp[-4].v.proto, &yyvsp[-3].v.hosts, yyvsp[-6].v.satype, yyvsp[-1].v.ids.srcid, | ||||
2906 | yyvsp[-1].v.ids.dstid, yyvsp[0].v.type); | ||||
2907 | if (r == NULL((void *)0)) | ||||
2908 | YYERRORgoto yyerrlab; | ||||
2909 | |||||
2910 | if (expand_rule(r, &yyvsp[-2].v.peers, yyvsp[-5].v.dir, 0, NULL((void *)0), NULL((void *)0), NULL((void *)0))) | ||||
2911 | errx(1, "flowrule: expand_rule"); | ||||
2912 | } | ||||
2913 | break; | ||||
2914 | case 16: | ||||
2915 | #line 394 "/usr/src/sbin/ipsecctl/parse.y" | ||||
2916 | { | ||||
2917 | struct ipsec_rule *r; | ||||
2918 | |||||
2919 | r = create_ike(yyvsp[-7].v.proto, &yyvsp[-6].v.hosts, yyvsp[-4].v.mode, yyvsp[-3].v.mode, yyvsp[-9].v.satype, yyvsp[-8].v.tmode, yyvsp[-10].v.ikemode, | ||||
2920 | yyvsp[-2].v.ids.srcid, yyvsp[-2].v.ids.dstid, &yyvsp[-1].v.ikeauth, yyvsp[0].v.string); | ||||
2921 | if (r == NULL((void *)0)) | ||||
2922 | YYERRORgoto yyerrlab; | ||||
2923 | |||||
2924 | if (expand_rule(r, &yyvsp[-5].v.peers, 0, 0, NULL((void *)0), NULL((void *)0), NULL((void *)0))) | ||||
2925 | errx(1, "ikerule: expand_rule"); | ||||
2926 | } | ||||
2927 | break; | ||||
2928 | case 17: | ||||
2929 | #line 407 "/usr/src/sbin/ipsecctl/parse.y" | ||||
2930 | { yyval.v.satype = IPSEC_ESP; } | ||||
2931 | break; | ||||
2932 | case 18: | ||||
2933 | #line 408 "/usr/src/sbin/ipsecctl/parse.y" | ||||
2934 | { yyval.v.satype = IPSEC_ESP; } | ||||
2935 | break; | ||||
2936 | case 19: | ||||
2937 | #line 409 "/usr/src/sbin/ipsecctl/parse.y" | ||||
2938 | { yyval.v.satype = IPSEC_AH; } | ||||
2939 | break; | ||||
2940 | case 20: | ||||
2941 | #line 410 "/usr/src/sbin/ipsecctl/parse.y" | ||||
2942 | { yyval.v.satype = IPSEC_IPCOMP; } | ||||
2943 | break; | ||||
2944 | case 21: | ||||
2945 | #line 411 "/usr/src/sbin/ipsecctl/parse.y" | ||||
2946 | { yyval.v.satype = IPSEC_IPIP; } | ||||
2947 | break; | ||||
2948 | case 22: | ||||
2949 | #line 414 "/usr/src/sbin/ipsecctl/parse.y" | ||||
2950 | { yyval.v.proto = 0; } | ||||
2951 | break; | ||||
2952 | case 23: | ||||
2953 | #line 415 "/usr/src/sbin/ipsecctl/parse.y" | ||||
2954 | { yyval.v.proto = yyvsp[0].v.number; } | ||||
2955 | break; | ||||
2956 | case 24: | ||||
2957 | #line 416 "/usr/src/sbin/ipsecctl/parse.y" | ||||
2958 | { yyval.v.proto = IPPROTO_ESP50; } | ||||
2959 | break; | ||||
2960 | case 25: | ||||
2961 | #line 417 "/usr/src/sbin/ipsecctl/parse.y" | ||||
2962 | { yyval.v.proto = IPPROTO_AH51; } | ||||
2963 | break; | ||||
2964 | case 26: | ||||
2965 | #line 420 "/usr/src/sbin/ipsecctl/parse.y" | ||||
2966 | { | ||||
2967 | struct protoent *p; | ||||
2968 | |||||
2969 | p = getprotobyname(yyvsp[0].v.string); | ||||
2970 | if (p == NULL((void *)0)) { | ||||
2971 | yyerror("unknown protocol: %s", yyvsp[0].v.string); | ||||
2972 | YYERRORgoto yyerrlab; | ||||
2973 | } | ||||
2974 | yyval.v.number = p->p_proto; | ||||
2975 | free(yyvsp[0].v.string); | ||||
2976 | } | ||||
2977 | break; | ||||
2978 | case 27: | ||||
2979 | #line 431 "/usr/src/sbin/ipsecctl/parse.y" | ||||
2980 | { | ||||
2981 | if (yyvsp[0].v.number > 255 || yyvsp[0].v.number < 0) { | ||||
2982 | yyerror("protocol outside range"); | ||||
2983 | YYERRORgoto yyerrlab; | ||||
2984 | } | ||||
2985 | } | ||||
2986 | break; | ||||
2987 | case 28: | ||||
2988 | #line 439 "/usr/src/sbin/ipsecctl/parse.y" | ||||
2989 | { yyval.v.tmode = IPSEC_TUNNEL; } | ||||
2990 | break; | ||||
2991 | case 29: | ||||
2992 | #line 440 "/usr/src/sbin/ipsecctl/parse.y" | ||||
2993 | { yyval.v.tmode = IPSEC_TUNNEL; } | ||||
2994 | break; | ||||
2995 | case 30: | ||||
2996 | #line 441 "/usr/src/sbin/ipsecctl/parse.y" | ||||
2997 | { yyval.v.tmode = IPSEC_TRANSPORT; } | ||||
2998 | break; | ||||
2999 | case 31: | ||||
3000 | #line 444 "/usr/src/sbin/ipsecctl/parse.y" | ||||
3001 | { yyval.v.dir = IPSEC_INOUT; } | ||||
3002 | break; | ||||
3003 | case 32: | ||||
3004 | #line 445 "/usr/src/sbin/ipsecctl/parse.y" | ||||
3005 | { yyval.v.dir = IPSEC_IN; } | ||||
3006 | break; | ||||
3007 | case 33: | ||||
3008 | #line 446 "/usr/src/sbin/ipsecctl/parse.y" | ||||
3009 | { yyval.v.dir = IPSEC_OUT; } | ||||
3010 | break; | ||||
3011 | case 34: | ||||
3012 | #line 449 "/usr/src/sbin/ipsecctl/parse.y" | ||||
3013 | { | ||||
3014 | struct ipsec_addr_wrap *ipa; | ||||
3015 | for (ipa = yyvsp[-1].v.host; ipa; ipa = ipa->next) { | ||||
3016 | if (ipa->srcnat) { | ||||
3017 | yyerror("no flow NAT support for" | ||||
3018 | " destination network: %s", ipa->name); | ||||
3019 | YYERRORgoto yyerrlab; | ||||
3020 | } | ||||
3021 | } | ||||
3022 | yyval.v.hosts.src = yyvsp[-4].v.host; | ||||
3023 | yyval.v.hosts.sport = yyvsp[-3].v.port; | ||||
3024 | yyval.v.hosts.dst = yyvsp[-1].v.host; | ||||
3025 | yyval.v.hosts.dport = yyvsp[0].v.port; | ||||
3026 | } | ||||
3027 | break; | ||||
3028 | case 35: | ||||
3029 | #line 463 "/usr/src/sbin/ipsecctl/parse.y" | ||||
3030 | { | ||||
3031 | struct ipsec_addr_wrap *ipa; | ||||
3032 | for (ipa = yyvsp[-4].v.host; ipa; ipa = ipa->next) { | ||||
3033 | if (ipa->srcnat) { | ||||
3034 | yyerror("no flow NAT support for" | ||||
3035 | " destination network: %s", ipa->name); | ||||
3036 | YYERRORgoto yyerrlab; | ||||
3037 | } | ||||
3038 | } | ||||
3039 | yyval.v.hosts.src = yyvsp[-1].v.host; | ||||
3040 | yyval.v.hosts.sport = yyvsp[0].v.port; | ||||
3041 | yyval.v.hosts.dst = yyvsp[-4].v.host; | ||||
3042 | yyval.v.hosts.dport = yyvsp[-3].v.port; | ||||
3043 | } | ||||
3044 | break; | ||||
3045 | case 36: | ||||
3046 | #line 479 "/usr/src/sbin/ipsecctl/parse.y" | ||||
3047 | { yyval.v.port = 0; } | ||||
3048 | break; | ||||
3049 | case 37: | ||||
3050 | #line 480 "/usr/src/sbin/ipsecctl/parse.y" | ||||
3051 | { yyval.v.port = yyvsp[0].v.number; } | ||||
3052 | break; | ||||
3053 | case 38: | ||||
3054 | #line 483 "/usr/src/sbin/ipsecctl/parse.y" | ||||
3055 | { | ||||
3056 | struct servent *s; | ||||
3057 | |||||
3058 | if ((s = getservbyname(yyvsp[0].v.string, "tcp")) != NULL((void *)0) || | ||||
3059 | (s = getservbyname(yyvsp[0].v.string, "udp")) != NULL((void *)0)) { | ||||
3060 | yyval.v.number = s->s_port; | ||||
3061 | } else { | ||||
3062 | yyerror("unknown port: %s", yyvsp[0].v.string); | ||||
3063 | YYERRORgoto yyerrlab; | ||||
3064 | } | ||||
3065 | } | ||||
3066 | break; | ||||
3067 | case 39: | ||||
3068 | #line 494 "/usr/src/sbin/ipsecctl/parse.y" | ||||
3069 | { | ||||
3070 | if (yyvsp[0].v.number > USHRT_MAX(32767 *2 +1) || yyvsp[0].v.number < 0) { | ||||
3071 | yyerror("port outside range"); | ||||
3072 | YYERRORgoto yyerrlab; | ||||
3073 | } | ||||
3074 | yyval.v.number = htons(yyvsp[0].v.number)(__uint16_t)(__builtin_constant_p(yyvsp[0].v.number) ? (__uint16_t )(((__uint16_t)(yyvsp[0].v.number) & 0xffU) << 8 | ( (__uint16_t)(yyvsp[0].v.number) & 0xff00U) >> 8) : __swap16md (yyvsp[0].v.number)); | ||||
3075 | } | ||||
3076 | break; | ||||
3077 | case 40: | ||||
3078 | #line 503 "/usr/src/sbin/ipsecctl/parse.y" | ||||
3079 | { | ||||
3080 | yyval.v.peers.dst = NULL((void *)0); | ||||
3081 | yyval.v.peers.src = NULL((void *)0); | ||||
3082 | } | ||||
3083 | break; | ||||
3084 | case 41: | ||||
3085 | #line 507 "/usr/src/sbin/ipsecctl/parse.y" | ||||
3086 | { | ||||
3087 | yyval.v.peers.dst = yyvsp[-2].v.anyhost; | ||||
3088 | yyval.v.peers.src = yyvsp[0].v.singlehost; | ||||
3089 | } | ||||
3090 | break; | ||||
3091 | case 42: | ||||
3092 | #line 511 "/usr/src/sbin/ipsecctl/parse.y" | ||||
3093 | { | ||||
3094 | yyval.v.peers.dst = yyvsp[0].v.anyhost; | ||||
3095 | yyval.v.peers.src = yyvsp[-2].v.singlehost; | ||||
3096 | } | ||||
3097 | break; | ||||
3098 | case 43: | ||||
3099 | #line 515 "/usr/src/sbin/ipsecctl/parse.y" | ||||
3100 | { | ||||
3101 | yyval.v.peers.dst = yyvsp[0].v.anyhost; | ||||
3102 | yyval.v.peers.src = NULL((void *)0); | ||||
3103 | } | ||||
3104 | break; | ||||
3105 | case 44: | ||||
3106 | #line 519 "/usr/src/sbin/ipsecctl/parse.y" | ||||
3107 | { | ||||
3108 | yyval.v.peers.dst = NULL((void *)0); | ||||
3109 | yyval.v.peers.src = yyvsp[0].v.singlehost; | ||||
3110 | } | ||||
3111 | break; | ||||
3112 | case 45: | ||||
3113 | #line 525 "/usr/src/sbin/ipsecctl/parse.y" | ||||
3114 | { yyval.v.anyhost = yyvsp[0].v.singlehost; } | ||||
3115 | break; | ||||
3116 | case 46: | ||||
3117 | #line 526 "/usr/src/sbin/ipsecctl/parse.y" | ||||
3118 | { | ||||
3119 | yyval.v.anyhost = host_any(); | ||||
3120 | } | ||||
3121 | break; | ||||
3122 | case 47: | ||||
3123 | #line 530 "/usr/src/sbin/ipsecctl/parse.y" | ||||
3124 | { yyval.v.singlehost = NULL((void *)0); } | ||||
3125 | break; | ||||
3126 | case 48: | ||||
3127 | #line 531 "/usr/src/sbin/ipsecctl/parse.y" | ||||
3128 | { | ||||
3129 | if ((yyval.v.singlehost = host(yyvsp[0].v.string)) == NULL((void *)0)) { | ||||
3130 | free(yyvsp[0].v.string); | ||||
3131 | yyerror("could not parse host specification"); | ||||
3132 | YYERRORgoto yyerrlab; | ||||
3133 | } | ||||
3134 | free(yyvsp[0].v.string); | ||||
3135 | } | ||||
3136 | break; | ||||
3137 | case 49: | ||||
3138 | #line 541 "/usr/src/sbin/ipsecctl/parse.y" | ||||
3139 | { yyval.v.host = yyvsp[0].v.host; } | ||||
3140 | break; | ||||
3141 | case 50: | ||||
3142 | #line 542 "/usr/src/sbin/ipsecctl/parse.y" | ||||
3143 | { | ||||
3144 | if (yyvsp[0].v.host == NULL((void *)0)) | ||||
3145 | yyval.v.host = yyvsp[-2].v.host; | ||||
3146 | else if (yyvsp[-2].v.host == NULL((void *)0)) | ||||
3147 | yyval.v.host = yyvsp[0].v.host; | ||||
3148 | else { | ||||
3149 | yyvsp[-2].v.host->tail->next = yyvsp[0].v.host; | ||||
3150 | yyvsp[-2].v.host->tail = yyvsp[0].v.host->tail; | ||||
3151 | yyval.v.host = yyvsp[-2].v.host; | ||||
3152 | } | ||||
3153 | } | ||||
3154 | break; | ||||
3155 | case 51: | ||||
3156 | #line 555 "/usr/src/sbin/ipsecctl/parse.y" | ||||
3157 | { | ||||
3158 | if ((yyval.v.host = host(yyvsp[0].v.string)) == NULL((void *)0)) { | ||||
3159 | free(yyvsp[0].v.string); | ||||
3160 | yyerror("could not parse host specification"); | ||||
3161 | YYERRORgoto yyerrlab; | ||||
3162 | } | ||||
3163 | free(yyvsp[0].v.string); | ||||
3164 | } | ||||
3165 | break; | ||||
3166 | case 52: | ||||
3167 | #line 563 "/usr/src/sbin/ipsecctl/parse.y" | ||||
3168 | { | ||||
3169 | char *buf; | ||||
3170 | |||||
3171 | if (asprintf(&buf, "%s/%lld", yyvsp[-2].v.string, yyvsp[0].v.number) == -1) | ||||
3172 | err(1, "host: asprintf"); | ||||
3173 | free(yyvsp[-2].v.string); | ||||
3174 | if ((yyval.v.host = host(buf)) == NULL((void *)0)) { | ||||
3175 | free(buf); | ||||
3176 | yyerror("could not parse host specification"); | ||||
3177 | YYERRORgoto yyerrlab; | ||||
3178 | } | ||||
3179 | free(buf); | ||||
3180 | } | ||||
3181 | break; | ||||
3182 | case 53: | ||||
3183 | #line 578 "/usr/src/sbin/ipsecctl/parse.y" | ||||
3184 | { yyval.v.host = yyvsp[0].v.host; } | ||||
3185 | break; | ||||
3186 | case 54: | ||||
3187 | #line 579 "/usr/src/sbin/ipsecctl/parse.y" | ||||
3188 | { | ||||
3189 | if (yyvsp[-1].v.host->af != yyvsp[-3].v.host->af) { | ||||
3190 | yyerror("Flow NAT address family mismatch"); | ||||
3191 | YYERRORgoto yyerrlab; | ||||
3192 | } | ||||
3193 | yyval.v.host = yyvsp[-3].v.host; | ||||
3194 | yyval.v.host->srcnat = yyvsp[-1].v.host; | ||||
3195 | } | ||||
3196 | break; | ||||
3197 | case 55: | ||||
3198 | #line 587 "/usr/src/sbin/ipsecctl/parse.y" | ||||
3199 | { | ||||
3200 | yyval.v.host = host_any(); | ||||
3201 | } | ||||
3202 | break; | ||||
3203 | case 56: | ||||
3204 | #line 590 "/usr/src/sbin/ipsecctl/parse.y" | ||||
3205 | { yyval.v.host = yyvsp[-1].v.host; } | ||||
3206 | break; | ||||
3207 | case 57: | ||||
3208 | #line 593 "/usr/src/sbin/ipsecctl/parse.y" | ||||
3209 | { | ||||
3210 | yyval.v.ids.srcid = NULL((void *)0); | ||||
3211 | yyval.v.ids.dstid = NULL((void *)0); | ||||
3212 | } | ||||
3213 | break; | ||||
3214 | case 58: | ||||
3215 | #line 597 "/usr/src/sbin/ipsecctl/parse.y" | ||||
3216 | { | ||||
3217 | yyval.v.ids.srcid = yyvsp[-2].v.id; | ||||
3218 | yyval.v.ids.dstid = yyvsp[0].v.id; | ||||
3219 | } | ||||
3220 | break; | ||||
3221 | case 59: | ||||
3222 | #line 601 "/usr/src/sbin/ipsecctl/parse.y" | ||||
3223 | { | ||||
3224 | yyval.v.ids.srcid = yyvsp[0].v.id; | ||||
3225 | yyval.v.ids.dstid = NULL((void *)0); | ||||
3226 | } | ||||
3227 | break; | ||||
3228 | case 60: | ||||
3229 | #line 605 "/usr/src/sbin/ipsecctl/parse.y" | ||||
3230 | { | ||||
3231 | yyval.v.ids.srcid = NULL((void *)0); | ||||
3232 | yyval.v.ids.dstid = yyvsp[0].v.id; | ||||
3233 | } | ||||
3234 | break; | ||||
3235 | case 61: | ||||
3236 | #line 611 "/usr/src/sbin/ipsecctl/parse.y" | ||||
3237 | { | ||||
3238 | yyval.v.type = TYPE_UNKNOWN; | ||||
3239 | } | ||||
3240 | break; | ||||
3241 | case 62: | ||||
3242 | #line 614 "/usr/src/sbin/ipsecctl/parse.y" | ||||
3243 | { | ||||
3244 | yyval.v.type = TYPE_USE; | ||||
3245 | } | ||||
3246 | break; | ||||
3247 | case 63: | ||||
3248 | #line 617 "/usr/src/sbin/ipsecctl/parse.y" | ||||
3249 | { | ||||
3250 | yyval.v.type = TYPE_ACQUIRE; | ||||
3251 | } | ||||
3252 | break; | ||||
3253 | case 64: | ||||
3254 | #line 620 "/usr/src/sbin/ipsecctl/parse.y" | ||||
3255 | { | ||||
3256 | yyval.v.type = TYPE_REQUIRE; | ||||
3257 | } | ||||
3258 | break; | ||||
3259 | case 65: | ||||
3260 | #line 623 "/usr/src/sbin/ipsecctl/parse.y" | ||||
3261 | { | ||||
3262 | yyval.v.type = TYPE_DENY; | ||||
3263 | } | ||||
3264 | break; | ||||
3265 | case 66: | ||||
3266 | #line 626 "/usr/src/sbin/ipsecctl/parse.y" | ||||
3267 | { | ||||
3268 | yyval.v.type = TYPE_BYPASS; | ||||
3269 | } | ||||
3270 | break; | ||||
3271 | case 67: | ||||
3272 | #line 629 "/usr/src/sbin/ipsecctl/parse.y" | ||||
3273 | { | ||||
3274 | yyval.v.type = TYPE_DONTACQ; | ||||
3275 | } | ||||
3276 | break; | ||||
3277 | case 68: | ||||
3278 | #line 634 "/usr/src/sbin/ipsecctl/parse.y" | ||||
3279 | { yyval.v.id = yyvsp[0].v.string; } | ||||
3280 | break; | ||||
3281 | case 69: | ||||
3282 | #line 637 "/usr/src/sbin/ipsecctl/parse.y" | ||||
3283 | { | ||||
3284 | u_int32_t spi; | ||||
3285 | char *p = strchr(yyvsp[0].v.string, ':'); | ||||
3286 | |||||
3287 | if (p != NULL((void *)0)) { | ||||
3288 | *p++ = 0; | ||||
3289 | |||||
3290 | if (atospi(p, &spi) == -1) { | ||||
3291 | free(yyvsp[0].v.string); | ||||
3292 | YYERRORgoto yyerrlab; | ||||
3293 | } | ||||
3294 | yyval.v.spis.spiin = spi; | ||||
3295 | } else | ||||
3296 | yyval.v.spis.spiin = 0; | ||||
3297 | |||||
3298 | if (atospi(yyvsp[0].v.string, &spi) == -1) { | ||||
3299 | free(yyvsp[0].v.string); | ||||
3300 | YYERRORgoto yyerrlab; | ||||
3301 | } | ||||
3302 | yyval.v.spis.spiout = spi; | ||||
3303 | |||||
3304 | |||||
3305 | free(yyvsp[0].v.string); | ||||
3306 | } | ||||
3307 | break; | ||||
3308 | case 70: | ||||
3309 | #line 661 "/usr/src/sbin/ipsecctl/parse.y" | ||||
3310 | { | ||||
3311 | if (yyvsp[0].v.number > UINT_MAX(2147483647 *2U +1U) || yyvsp[0].v.number < 0) { | ||||
3312 | yyerror("%lld not a valid spi", yyvsp[0].v.number); | ||||
3313 | YYERRORgoto yyerrlab; | ||||
3314 | } | ||||
3315 | if (yyvsp[0].v.number >= SPI_RESERVED_MIN1 && yyvsp[0].v.number <= SPI_RESERVED_MAX255) { | ||||
3316 | yyerror("%lld within reserved spi range", yyvsp[0].v.number); | ||||
3317 | YYERRORgoto yyerrlab; | ||||
3318 | } | ||||
3319 | |||||
3320 | yyval.v.spis.spiin = 0; | ||||
3321 | yyval.v.spis.spiout = yyvsp[0].v.number; | ||||
3322 | } | ||||
3323 | break; | ||||
3324 | case 71: | ||||
3325 | #line 676 "/usr/src/sbin/ipsecctl/parse.y" | ||||
3326 | { | ||||
3327 | yyval.v.udpencap.encap = 0; | ||||
3328 | } | ||||
3329 | break; | ||||
3330 | case 72: | ||||
3331 | #line 679 "/usr/src/sbin/ipsecctl/parse.y" | ||||
3332 | { | ||||
3333 | yyval.v.udpencap.encap = 1; | ||||
3334 | yyval.v.udpencap.port = 0; | ||||
3335 | } | ||||
3336 | break; | ||||
3337 | case 73: | ||||
3338 | #line 683 "/usr/src/sbin/ipsecctl/parse.y" | ||||
3339 | { | ||||
3340 | yyval.v.udpencap.encap = 1; | ||||
3341 | yyval.v.udpencap.port = yyvsp[0].v.number; | ||||
3342 | } | ||||
3343 | break; | ||||
3344 | case 74: | ||||
3345 | #line 689 "/usr/src/sbin/ipsecctl/parse.y" | ||||
3346 | { | ||||
3347 | if ((ipsec_transforms = calloc(1, | ||||
3348 | sizeof(struct ipsec_transforms))) == NULL((void *)0)) | ||||
3349 | err(1, "transforms: calloc"); | ||||
3350 | } | ||||
3351 | break; | ||||
3352 | case 75: | ||||
3353 | #line 695 "/usr/src/sbin/ipsecctl/parse.y" | ||||
3354 | { yyval.v.transforms = ipsec_transforms; } | ||||
3355 | break; | ||||
3356 | case 76: | ||||
3357 | #line 696 "/usr/src/sbin/ipsecctl/parse.y" | ||||
3358 | { | ||||
3359 | if ((yyval.v.transforms = calloc(1, | ||||
3360 | sizeof(struct ipsec_transforms))) == NULL((void *)0)) | ||||
3361 | err(1, "transforms: calloc"); | ||||
3362 | } | ||||
3363 | break; | ||||
3364 | case 79: | ||||
3365 | #line 707 "/usr/src/sbin/ipsecctl/parse.y" | ||||
3366 | { | ||||
3367 | if (ipsec_transforms->authxf) | ||||
3368 | yyerror("auth already set"); | ||||
3369 | else { | ||||
3370 | ipsec_transforms->authxf = parse_xf(yyvsp[0].v.string, | ||||
3371 | authxfs); | ||||
3372 | if (!ipsec_transforms->authxf) | ||||
3373 | yyerror("%s not a valid transform", yyvsp[0].v.string); | ||||
3374 | } | ||||
3375 | } | ||||
3376 | break; | ||||
3377 | case 80: | ||||
3378 | #line 717 "/usr/src/sbin/ipsecctl/parse.y" | ||||
3379 | { | ||||
3380 | if (ipsec_transforms->encxf) | ||||
3381 | yyerror("enc already set"); | ||||
3382 | else { | ||||
3383 | ipsec_transforms->encxf = parse_xf(yyvsp[0].v.string, encxfs); | ||||
3384 | if (!ipsec_transforms->encxf) | ||||
3385 | yyerror("%s not a valid transform", yyvsp[0].v.string); | ||||
3386 | } | ||||
3387 | } | ||||
3388 | break; | ||||
3389 | case 81: | ||||
3390 | #line 726 "/usr/src/sbin/ipsecctl/parse.y" | ||||
3391 | { | ||||
3392 | if (ipsec_transforms->compxf) | ||||
3393 | yyerror("comp already set"); | ||||
3394 | else { | ||||
3395 | ipsec_transforms->compxf = parse_xf(yyvsp[0].v.string, | ||||
3396 | compxfs); | ||||
3397 | if (!ipsec_transforms->compxf) | ||||
3398 | yyerror("%s not a valid transform", yyvsp[0].v.string); | ||||
3399 | } | ||||
3400 | } | ||||
3401 | break; | ||||
3402 | case 82: | ||||
3403 | #line 736 "/usr/src/sbin/ipsecctl/parse.y" | ||||
3404 | { | ||||
3405 | if (ipsec_transforms->groupxf) | ||||
3406 | yyerror("group already set"); | ||||
3407 | else { | ||||
3408 | ipsec_transforms->groupxf = parse_xf(yyvsp[0].v.string, | ||||
3409 | groupxfs); | ||||
3410 | if (!ipsec_transforms->groupxf) | ||||
3411 | yyerror("%s not a valid transform", yyvsp[0].v.string); | ||||
3412 | } | ||||
3413 | } | ||||
3414 | break; | ||||
3415 | case 83: | ||||
3416 | #line 748 "/usr/src/sbin/ipsecctl/parse.y" | ||||
3417 | { | ||||
3418 | struct ike_mode *p1; | ||||
3419 | |||||
3420 | /* We create just an empty main mode */ | ||||
3421 | if ((p1 = calloc(1, sizeof(struct ike_mode))) == NULL((void *)0)) | ||||
3422 | err(1, "phase1mode: calloc"); | ||||
3423 | p1->ike_exch = IKE_MM; | ||||
3424 | yyval.v.mode = p1; | ||||
3425 | } | ||||
3426 | break; | ||||
3427 | case 84: | ||||
3428 | #line 757 "/usr/src/sbin/ipsecctl/parse.y" | ||||
3429 | { | ||||
3430 | struct ike_mode *p1; | ||||
3431 | |||||
3432 | if ((p1 = calloc(1, sizeof(struct ike_mode))) == NULL((void *)0)) | ||||
3433 | err(1, "phase1mode: calloc"); | ||||
3434 | p1->xfs = yyvsp[-1].v.transforms; | ||||
3435 | p1->life = yyvsp[0].v.life; | ||||
3436 | p1->ike_exch = IKE_MM; | ||||
3437 | yyval.v.mode = p1; | ||||
3438 | } | ||||
3439 | break; | ||||
3440 | case 85: | ||||
3441 | #line 767 "/usr/src/sbin/ipsecctl/parse.y" | ||||
3442 | { | ||||
3443 | struct ike_mode *p1; | ||||
3444 | |||||
3445 | if ((p1 = calloc(1, sizeof(struct ike_mode))) == NULL((void *)0)) | ||||
3446 | err(1, "phase1mode: calloc"); | ||||
3447 | p1->xfs = yyvsp[-1].v.transforms; | ||||
3448 | p1->life = yyvsp[0].v.life; | ||||
3449 | p1->ike_exch = IKE_AM; | ||||
3450 | yyval.v.mode = p1; | ||||
3451 | } | ||||
3452 | break; | ||||
3453 | case 86: | ||||
3454 | #line 779 "/usr/src/sbin/ipsecctl/parse.y" | ||||
3455 | { | ||||
3456 | struct ike_mode *p2; | ||||
3457 | |||||
3458 | /* We create just an empty quick mode */ | ||||
3459 | if ((p2 = calloc(1, sizeof(struct ike_mode))) == NULL((void *)0)) | ||||
3460 | err(1, "phase2mode: calloc"); | ||||
3461 | p2->ike_exch = IKE_QM; | ||||
3462 | yyval.v.mode = p2; | ||||
3463 | } | ||||
3464 | break; | ||||
3465 | case 87: | ||||
3466 | #line 788 "/usr/src/sbin/ipsecctl/parse.y" | ||||
3467 | { | ||||
3468 | struct ike_mode *p2; | ||||
3469 | |||||
3470 | if ((p2 = calloc(1, sizeof(struct ike_mode))) == NULL((void *)0)) | ||||
3471 | err(1, "phase2mode: calloc"); | ||||
3472 | p2->xfs = yyvsp[-1].v.transforms; | ||||
3473 | p2->life = yyvsp[0].v.life; | ||||
3474 | p2->ike_exch = IKE_QM; | ||||
3475 | yyval.v.mode = p2; | ||||
3476 | } | ||||
3477 | break; | ||||
3478 | case 88: | ||||
3479 | #line 800 "/usr/src/sbin/ipsecctl/parse.y" | ||||
3480 | { | ||||
3481 | struct ipsec_lifetime *life; | ||||
3482 | |||||
3483 | /* We create just an empty transform */ | ||||
3484 | if ((life = calloc(1, sizeof(struct ipsec_lifetime))) | ||||
3485 | == NULL((void *)0)) | ||||
3486 | err(1, "life: calloc"); | ||||
3487 | life->lt_seconds = -1; | ||||
3488 | life->lt_bytes = -1; | ||||
3489 | yyval.v.life = life; | ||||
3490 | } | ||||
3491 | break; | ||||
3492 | case 89: | ||||
3493 | #line 811 "/usr/src/sbin/ipsecctl/parse.y" | ||||
3494 | { | ||||
3495 | struct ipsec_lifetime *life; | ||||
3496 | |||||
3497 | if ((life = calloc(1, sizeof(struct ipsec_lifetime))) | ||||
3498 | == NULL((void *)0)) | ||||
3499 | err(1, "life: calloc"); | ||||
3500 | life->lt_seconds = yyvsp[0].v.number; | ||||
3501 | life->lt_bytes = -1; | ||||
3502 | yyval.v.life = life; | ||||
3503 | } | ||||
3504 | break; | ||||
3505 | case 90: | ||||
3506 | #line 821 "/usr/src/sbin/ipsecctl/parse.y" | ||||
3507 | { | ||||
3508 | yyval.v.life = parse_life(yyvsp[0].v.string); | ||||
3509 | } | ||||
3510 | break; | ||||
3511 | case 91: | ||||
3512 | #line 826 "/usr/src/sbin/ipsecctl/parse.y" | ||||
3513 | { | ||||
3514 | yyval.v.authkeys.keyout = NULL((void *)0); | ||||
3515 | yyval.v.authkeys.keyin = NULL((void *)0); | ||||
3516 | } | ||||
3517 | break; | ||||
3518 | case 92: | ||||
3519 | #line 830 "/usr/src/sbin/ipsecctl/parse.y" | ||||
3520 | { | ||||
3521 | yyval.v.authkeys.keyout = yyvsp[0].v.keys.keyout; | ||||
3522 | yyval.v.authkeys.keyin = yyvsp[0].v.keys.keyin; | ||||
3523 | } | ||||
3524 | break; | ||||
3525 | case 93: | ||||
3526 | #line 836 "/usr/src/sbin/ipsecctl/parse.y" | ||||
3527 | { | ||||
3528 | yyval.v.enckeys.keyout = NULL((void *)0); | ||||
3529 | yyval.v.enckeys.keyin = NULL((void *)0); | ||||
3530 | } | ||||
3531 | break; | ||||
3532 | case 94: | ||||
3533 | #line 840 "/usr/src/sbin/ipsecctl/parse.y" | ||||
3534 | { | ||||
3535 | yyval.v.enckeys.keyout = yyvsp[0].v.keys.keyout; | ||||
3536 | yyval.v.enckeys.keyin = yyvsp[0].v.keys.keyin; | ||||
3537 | } | ||||
3538 | break; | ||||
3539 | case 95: | ||||
3540 | #line 846 "/usr/src/sbin/ipsecctl/parse.y" | ||||
3541 | { yyval.v.string = NULL((void *)0); } | ||||
3542 | break; | ||||
3543 | case 96: | ||||
3544 | #line 847 "/usr/src/sbin/ipsecctl/parse.y" | ||||
3545 | { yyval.v.string = yyvsp[0].v.string; } | ||||
3546 | break; | ||||
3547 | case 97: | ||||
3548 | #line 850 "/usr/src/sbin/ipsecctl/parse.y" | ||||
3549 | { | ||||
3550 | unsigned char *hex; | ||||
3551 | unsigned char *p = strchr(yyvsp[0].v.string, ':'); | ||||
3552 | |||||
3553 | if (p != NULL((void *)0) ) { | ||||
3554 | *p++ = 0; | ||||
3555 | |||||
3556 | if (!strncmp(p, "0x", 2)) | ||||
3557 | p += 2; | ||||
3558 | yyval.v.keys.keyin = parsekey(p, strlen(p)); | ||||
3559 | } else | ||||
3560 | yyval.v.keys.keyin = NULL((void *)0); | ||||
3561 | |||||
3562 | hex = yyvsp[0].v.string; | ||||
3563 | if (!strncmp(hex, "0x", 2)) | ||||
3564 | hex += 2; | ||||
3565 | yyval.v.keys.keyout = parsekey(hex, strlen(hex)); | ||||
3566 | |||||
3567 | free(yyvsp[0].v.string); | ||||
3568 | } | ||||
3569 | break; | ||||
3570 | case 98: | ||||
3571 | #line 870 "/usr/src/sbin/ipsecctl/parse.y" | ||||
3572 | { | ||||
3573 | unsigned char *p = strchr(yyvsp[0].v.string, ':'); | ||||
3574 | |||||
3575 | if (p != NULL((void *)0)) { | ||||
3576 | *p++ = 0; | ||||
3577 | yyval.v.keys.keyin = parsekeyfile(p); | ||||
3578 | } | ||||
3579 | yyval.v.keys.keyout = parsekeyfile(yyvsp[0].v.string); | ||||
3580 | free(yyvsp[0].v.string); | ||||
3581 | } | ||||
3582 | break; | ||||
3583 | case 99: | ||||
3584 | #line 882 "/usr/src/sbin/ipsecctl/parse.y" | ||||
3585 | { yyval.v.ikemode = IKE_ACTIVE; } | ||||
3586 | break; | ||||
3587 | case 100: | ||||
3588 | #line 883 "/usr/src/sbin/ipsecctl/parse.y" | ||||
3589 | { yyval.v.ikemode = IKE_PASSIVE; } | ||||
3590 | break; | ||||
3591 | case 101: | ||||
3592 | #line 884 "/usr/src/sbin/ipsecctl/parse.y" | ||||
3593 | { yyval.v.ikemode = IKE_DYNAMIC; } | ||||
3594 | break; | ||||
3595 | case 102: | ||||
3596 | #line 885 "/usr/src/sbin/ipsecctl/parse.y" | ||||
3597 | { yyval.v.ikemode = IKE_ACTIVE; } | ||||
3598 | break; | ||||
3599 | case 103: | ||||
3600 | #line 888 "/usr/src/sbin/ipsecctl/parse.y" | ||||
3601 | { | ||||
3602 | yyval.v.ikeauth.type = IKE_AUTH_RSA; | ||||
3603 | yyval.v.ikeauth.string = NULL((void *)0); | ||||
3604 | } | ||||
3605 | break; | ||||
3606 | case 104: | ||||
3607 | #line 892 "/usr/src/sbin/ipsecctl/parse.y" | ||||
3608 | { | ||||
3609 | yyval.v.ikeauth.type = IKE_AUTH_RSA; | ||||
3610 | yyval.v.ikeauth.string = NULL((void *)0); | ||||
3611 | } | ||||
3612 | break; | ||||
3613 | case 105: | ||||
3614 | #line 896 "/usr/src/sbin/ipsecctl/parse.y" | ||||
3615 | { | ||||
3616 | yyval.v.ikeauth.type = IKE_AUTH_PSK; | ||||
3617 | if ((yyval.v.ikeauth.string = strdup(yyvsp[0].v.string)) == NULL((void *)0)) | ||||
3618 | err(1, "ikeauth: strdup"); | ||||
3619 | } | ||||
3620 | break; | ||||
3621 | case 106: | ||||
3622 | #line 904 "/usr/src/sbin/ipsecctl/parse.y" | ||||
3623 | { | ||||
3624 | yyval.v.string = NULL((void *)0); | ||||
3625 | } | ||||
3626 | break; | ||||
3627 | case 107: | ||||
3628 | #line 908 "/usr/src/sbin/ipsecctl/parse.y" | ||||
3629 | { | ||||
3630 | yyval.v.string = yyvsp[0].v.string; | ||||
3631 | } | ||||
3632 | break; | ||||
3633 | case 108: | ||||
3634 | #line 914 "/usr/src/sbin/ipsecctl/parse.y" | ||||
3635 | { | ||||
3636 | if (asprintf(&yyval.v.string, "%s %s", yyvsp[-1].v.string, yyvsp[0].v.string) == -1) | ||||
3637 | err(1, "string: asprintf"); | ||||
3638 | free(yyvsp[-1].v.string); | ||||
3639 | free(yyvsp[0].v.string); | ||||
3640 | } | ||||
3641 | break; | ||||
3642 | case 110: | ||||
3643 | #line 924 "/usr/src/sbin/ipsecctl/parse.y" | ||||
3644 | { | ||||
3645 | char *s = yyvsp[-2].v.string; | ||||
3646 | if (ipsec->opts & IPSECCTL_OPT_VERBOSE0x0010) | ||||
3647 | printf("%s = \"%s\"\n", yyvsp[-2].v.string, yyvsp[0].v.string); | ||||
3648 | while (*s++) { | ||||
3649 | if (isspace((unsigned char)*s)) { | ||||
3650 | yyerror("macro name cannot contain " | ||||
3651 | "whitespace"); | ||||
3652 | free(yyvsp[-2].v.string); | ||||
3653 | free(yyvsp[0].v.string); | ||||
3654 | YYERRORgoto yyerrlab; | ||||
3655 | } | ||||
3656 | } | ||||
3657 | if (symset(yyvsp[-2].v.string, yyvsp[0].v.string, 0) == -1) | ||||
3658 | err(1, "cannot store variable"); | ||||
3659 | free(yyvsp[-2].v.string); | ||||
3660 | free(yyvsp[0].v.string); | ||||
3661 | } | ||||
3662 | break; | ||||
3663 | #line 3656 "parse.c" | ||||
3664 | } | ||||
3665 | yyssp -= yym; | ||||
3666 | yystate = *yyssp; | ||||
3667 | yyvsp -= yym; | ||||
3668 | yym = yylhs[yyn]; | ||||
3669 | if (yystate
| ||||
3670 | { | ||||
3671 | #if YYDEBUG0 | ||||
3672 | if (yydebug) | ||||
3673 | printf("%sdebug: after reduction, shifting from state 0 to\ | ||||
3674 | state %d\n", YYPREFIX"yy", YYFINAL1); | ||||
3675 | #endif | ||||
3676 | yystate = YYFINAL1; | ||||
3677 | *++yyssp = YYFINAL1; | ||||
3678 | *++yyvsp = yyval; | ||||
3679 | if (yychar
| ||||
3680 | { | ||||
3681 | if ((yychar = yylex()) < 0) yychar = 0; | ||||
3682 | #if YYDEBUG0 | ||||
3683 | if (yydebug) | ||||
3684 | { | ||||
3685 | yys = 0; | ||||
3686 | if (yychar <= YYMAXTOKEN308) yys = yyname[yychar]; | ||||
3687 | if (!yys) yys = "illegal-symbol"; | ||||
3688 | printf("%sdebug: state %d, reading %d (%s)\n", | ||||
3689 | YYPREFIX"yy", YYFINAL1, yychar, yys); | ||||
3690 | } | ||||
3691 | #endif | ||||
3692 | } | ||||
3693 | if (yychar == 0) goto yyaccept; | ||||
3694 | goto yyloop; | ||||
3695 | } | ||||
3696 | if ((yyn = yygindex[yym]) && (yyn += yystate) >= 0 && | ||||
3697 | yyn <= YYTABLESIZE566 && yycheck[yyn] == yystate) | ||||
3698 | yystate = yytable[yyn]; | ||||
3699 | else | ||||
3700 | yystate = yydgoto[yym]; | ||||
3701 | #if YYDEBUG0 | ||||
3702 | if (yydebug) | ||||
3703 | printf("%sdebug: after reduction, shifting from state %d \ | ||||
3704 | to state %d\n", YYPREFIX"yy", *yyssp, yystate); | ||||
3705 | #endif | ||||
3706 | if (yyssp >= yysslim && yygrowstack()) | ||||
3707 | { | ||||
3708 | goto yyoverflow; | ||||
3709 | } | ||||
3710 | *++yyssp = yystate; | ||||
3711 | *++yyvsp = yyval; | ||||
3712 | goto yyloop; | ||||
3713 | yyoverflow: | ||||
3714 | yyerror("yacc stack overflow"); | ||||
3715 | yyabort: | ||||
3716 | if (yyss) | ||||
3717 | free(yyss); | ||||
3718 | if (yyvs) | ||||
3719 | free(yyvs); | ||||
3720 | yyss = yyssp = NULL((void *)0); | ||||
3721 | yyvs = yyvsp = NULL((void *)0); | ||||
3722 | yystacksize = 0; | ||||
3723 | return (1); | ||||
3724 | yyaccept: | ||||
3725 | if (yyss) | ||||
3726 | free(yyss); | ||||
3727 | if (yyvs) | ||||
3728 | free(yyvs); | ||||
3729 | yyss = yyssp = NULL((void *)0); | ||||
3730 | yyvs = yyvsp = NULL((void *)0); | ||||
3731 | yystacksize = 0; | ||||
3732 | return (0); | ||||
3733 | } |