File: | src/sbin/iked/obj/parse.c |
Warning: | line 3407, column 29 Access to field 'port' results in a dereference of a null pointer (loaded from field 'dst') |
Press '?' to see keyboard shortcuts
Keyboard shortcuts:
1 | #include <stdlib.h> | ||||
2 | #include <string.h> | ||||
3 | #define YYBYACC1 1 | ||||
4 | #define YYMAJOR1 1 | ||||
5 | #define YYMINOR9 9 | ||||
6 | #define YYLEXyylex() yylex() | ||||
7 | #define YYEMPTY-1 -1 | ||||
8 | #define yyclearin(yychar=(-1)) (yychar=(YYEMPTY-1)) | ||||
9 | #define yyerrok(yyerrflag=0) (yyerrflag=0) | ||||
10 | #define YYRECOVERING()(yyerrflag!=0) (yyerrflag!=0) | ||||
11 | #define YYPREFIX"yy" "yy" | ||||
12 | #line 26 "/usr/src/sbin/iked/parse.y" | ||||
13 | #include <sys/types.h> | ||||
14 | #include <sys/ioctl.h> | ||||
15 | #include <sys/queue.h> | ||||
16 | #include <sys/socket.h> | ||||
17 | #include <sys/stat.h> | ||||
18 | #include <net/if.h> | ||||
19 | #include <netinet/in.h> | ||||
20 | #include <netinet/ip_ipsp.h> | ||||
21 | #include <arpa/inet.h> | ||||
22 | |||||
23 | #include <ctype.h> | ||||
24 | #include <err.h> | ||||
25 | #include <errno(*__errno()).h> | ||||
26 | #include <fcntl.h> | ||||
27 | #include <ifaddrs.h> | ||||
28 | #include <limits.h> | ||||
29 | #include <netdb.h> | ||||
30 | #include <stdarg.h> | ||||
31 | #include <stdio.h> | ||||
32 | #include <stdlib.h> | ||||
33 | #include <string.h> | ||||
34 | #include <syslog.h> | ||||
35 | #include <unistd.h> | ||||
36 | #include <event.h> | ||||
37 | |||||
38 | #include "iked.h" | ||||
39 | #include "ikev2.h" | ||||
40 | #include "eap.h" | ||||
41 | |||||
42 | TAILQ_HEAD(files, file)struct files { struct file *tqh_first; struct file **tqh_last ; } files = TAILQ_HEAD_INITIALIZER(files){ ((void *)0), &(files).tqh_first }; | ||||
43 | static struct file { | ||||
44 | TAILQ_ENTRY(file)struct { struct file *tqe_next; struct file **tqe_prev; } entry; | ||||
45 | FILE *stream; | ||||
46 | char *name; | ||||
47 | size_t ungetpos; | ||||
48 | size_t ungetsize; | ||||
49 | u_char *ungetbuf; | ||||
50 | int eof_reached; | ||||
51 | int lineno; | ||||
52 | int errors; | ||||
53 | } *file, *topfile; | ||||
54 | struct file *pushfile(const char *, int); | ||||
55 | int popfile(void); | ||||
56 | int check_file_secrecy(int, const char *); | ||||
57 | int yyparse(void); | ||||
58 | int yylex(void); | ||||
59 | int yyerror(const char *, ...) | ||||
60 | __attribute__((__format__ (printf, 1, 2))) | ||||
61 | __attribute__((__nonnull__ (1))); | ||||
62 | int kw_cmp(const void *, const void *); | ||||
63 | int lookup(char *); | ||||
64 | int igetc(void); | ||||
65 | int lgetc(int); | ||||
66 | void lungetc(int); | ||||
67 | int findeol(void); | ||||
68 | |||||
69 | TAILQ_HEAD(symhead, sym)struct symhead { struct sym *tqh_first; struct sym **tqh_last ; } symhead = TAILQ_HEAD_INITIALIZER(symhead){ ((void *)0), &(symhead).tqh_first }; | ||||
70 | struct sym { | ||||
71 | TAILQ_ENTRY(sym)struct { struct sym *tqe_next; struct sym **tqe_prev; } entry; | ||||
72 | int used; | ||||
73 | int persist; | ||||
74 | char *nam; | ||||
75 | char *val; | ||||
76 | }; | ||||
77 | int symset(const char *, const char *, int); | ||||
78 | char *symget(const char *); | ||||
79 | |||||
80 | #define KEYSIZE_LIMIT1024 1024 | ||||
81 | |||||
82 | static struct iked *env = NULL((void *)0); | ||||
83 | static int debug = 0; | ||||
84 | static int rules = 0; | ||||
85 | static int passive = 0; | ||||
86 | static int decouple = 0; | ||||
87 | static int mobike = 1; | ||||
88 | static int enforcesingleikesa = 0; | ||||
89 | static int stickyaddress = 0; | ||||
90 | static int fragmentation = 0; | ||||
91 | static int vendorid = 1; | ||||
92 | static int dpd_interval = IKED_IKE_SA_ALIVE_TIMEOUT60; | ||||
93 | static char *ocsp_url = NULL((void *)0); | ||||
94 | static long ocsp_tolerate = 0; | ||||
95 | static long ocsp_maxage = -1; | ||||
96 | static int cert_partial_chain = 0; | ||||
97 | |||||
98 | struct iked_transform ikev2_default_ike_transforms[] = { | ||||
99 | { IKEV2_XFORMTYPE_ENCR1, IKEV2_XFORMENCR_AES_CBC12, 256 }, | ||||
100 | { IKEV2_XFORMTYPE_ENCR1, IKEV2_XFORMENCR_AES_CBC12, 192 }, | ||||
101 | { IKEV2_XFORMTYPE_ENCR1, IKEV2_XFORMENCR_AES_CBC12, 128 }, | ||||
102 | { IKEV2_XFORMTYPE_ENCR1, IKEV2_XFORMENCR_3DES3 }, | ||||
103 | { IKEV2_XFORMTYPE_PRF2, IKEV2_XFORMPRF_HMAC_SHA2_2565 }, | ||||
104 | { IKEV2_XFORMTYPE_PRF2, IKEV2_XFORMPRF_HMAC_SHA2_3846 }, | ||||
105 | { IKEV2_XFORMTYPE_PRF2, IKEV2_XFORMPRF_HMAC_SHA2_5127 }, | ||||
106 | { IKEV2_XFORMTYPE_PRF2, IKEV2_XFORMPRF_HMAC_SHA12 }, | ||||
107 | { IKEV2_XFORMTYPE_INTEGR3, IKEV2_XFORMAUTH_HMAC_SHA2_256_12812 }, | ||||
108 | { IKEV2_XFORMTYPE_INTEGR3, IKEV2_XFORMAUTH_HMAC_SHA2_384_19213 }, | ||||
109 | { IKEV2_XFORMTYPE_INTEGR3, IKEV2_XFORMAUTH_HMAC_SHA2_512_25614 }, | ||||
110 | { IKEV2_XFORMTYPE_INTEGR3, IKEV2_XFORMAUTH_HMAC_SHA1_962 }, | ||||
111 | { IKEV2_XFORMTYPE_DH4, IKEV2_XFORMDH_CURVE2551931 }, | ||||
112 | { IKEV2_XFORMTYPE_DH4, IKEV2_XFORMDH_ECP_52121 }, | ||||
113 | { IKEV2_XFORMTYPE_DH4, IKEV2_XFORMDH_ECP_38420 }, | ||||
114 | { IKEV2_XFORMTYPE_DH4, IKEV2_XFORMDH_ECP_25619 }, | ||||
115 | { IKEV2_XFORMTYPE_DH4, IKEV2_XFORMDH_MODP_409616 }, | ||||
116 | { IKEV2_XFORMTYPE_DH4, IKEV2_XFORMDH_MODP_307215 }, | ||||
117 | { IKEV2_XFORMTYPE_DH4, IKEV2_XFORMDH_MODP_204814 }, | ||||
118 | { IKEV2_XFORMTYPE_DH4, IKEV2_XFORMDH_MODP_15365 }, | ||||
119 | { IKEV2_XFORMTYPE_DH4, IKEV2_XFORMDH_MODP_10242 }, | ||||
120 | { 0 } | ||||
121 | }; | ||||
122 | size_t ikev2_default_nike_transforms = ((sizeof(ikev2_default_ike_transforms) / | ||||
123 | sizeof(ikev2_default_ike_transforms[0])) - 1); | ||||
124 | |||||
125 | struct iked_transform ikev2_default_ike_transforms_noauth[] = { | ||||
126 | { IKEV2_XFORMTYPE_ENCR1, IKEV2_XFORMENCR_AES_GCM_1620, 128 }, | ||||
127 | { IKEV2_XFORMTYPE_ENCR1, IKEV2_XFORMENCR_AES_GCM_1620, 256 }, | ||||
128 | { IKEV2_XFORMTYPE_PRF2, IKEV2_XFORMPRF_HMAC_SHA2_2565 }, | ||||
129 | { IKEV2_XFORMTYPE_PRF2, IKEV2_XFORMPRF_HMAC_SHA2_3846 }, | ||||
130 | { IKEV2_XFORMTYPE_PRF2, IKEV2_XFORMPRF_HMAC_SHA2_5127 }, | ||||
131 | { IKEV2_XFORMTYPE_PRF2, IKEV2_XFORMPRF_HMAC_SHA12 }, | ||||
132 | { IKEV2_XFORMTYPE_DH4, IKEV2_XFORMDH_CURVE2551931 }, | ||||
133 | { IKEV2_XFORMTYPE_DH4, IKEV2_XFORMDH_ECP_52121 }, | ||||
134 | { IKEV2_XFORMTYPE_DH4, IKEV2_XFORMDH_ECP_38420 }, | ||||
135 | { IKEV2_XFORMTYPE_DH4, IKEV2_XFORMDH_ECP_25619 }, | ||||
136 | { IKEV2_XFORMTYPE_DH4, IKEV2_XFORMDH_MODP_409616 }, | ||||
137 | { IKEV2_XFORMTYPE_DH4, IKEV2_XFORMDH_MODP_307215 }, | ||||
138 | { IKEV2_XFORMTYPE_DH4, IKEV2_XFORMDH_MODP_204814 }, | ||||
139 | { IKEV2_XFORMTYPE_DH4, IKEV2_XFORMDH_MODP_15365 }, | ||||
140 | { IKEV2_XFORMTYPE_DH4, IKEV2_XFORMDH_MODP_10242 }, | ||||
141 | { 0 } | ||||
142 | }; | ||||
143 | size_t ikev2_default_nike_transforms_noauth = | ||||
144 | ((sizeof(ikev2_default_ike_transforms_noauth) / | ||||
145 | sizeof(ikev2_default_ike_transforms_noauth[0])) - 1); | ||||
146 | |||||
147 | struct iked_transform ikev2_default_esp_transforms[] = { | ||||
148 | { IKEV2_XFORMTYPE_ENCR1, IKEV2_XFORMENCR_AES_CBC12, 256 }, | ||||
149 | { IKEV2_XFORMTYPE_ENCR1, IKEV2_XFORMENCR_AES_CBC12, 192 }, | ||||
150 | { IKEV2_XFORMTYPE_ENCR1, IKEV2_XFORMENCR_AES_CBC12, 128 }, | ||||
151 | { IKEV2_XFORMTYPE_INTEGR3, IKEV2_XFORMAUTH_HMAC_SHA2_256_12812 }, | ||||
152 | { IKEV2_XFORMTYPE_INTEGR3, IKEV2_XFORMAUTH_HMAC_SHA2_384_19213 }, | ||||
153 | { IKEV2_XFORMTYPE_INTEGR3, IKEV2_XFORMAUTH_HMAC_SHA2_512_25614 }, | ||||
154 | { IKEV2_XFORMTYPE_INTEGR3, IKEV2_XFORMAUTH_HMAC_SHA1_962 }, | ||||
155 | { IKEV2_XFORMTYPE_DH4, IKEV2_XFORMDH_NONE0 }, | ||||
156 | { IKEV2_XFORMTYPE_ESN5, IKEV2_XFORMESN_ESN1 }, | ||||
157 | { IKEV2_XFORMTYPE_ESN5, IKEV2_XFORMESN_NONE0 }, | ||||
158 | { 0 } | ||||
159 | }; | ||||
160 | size_t ikev2_default_nesp_transforms = ((sizeof(ikev2_default_esp_transforms) / | ||||
161 | sizeof(ikev2_default_esp_transforms[0])) - 1); | ||||
162 | |||||
163 | struct iked_transform ikev2_default_esp_transforms_noauth[] = { | ||||
164 | { IKEV2_XFORMTYPE_ENCR1, IKEV2_XFORMENCR_AES_GCM_1620, 128 }, | ||||
165 | { IKEV2_XFORMTYPE_ENCR1, IKEV2_XFORMENCR_AES_GCM_1620, 256 }, | ||||
166 | { IKEV2_XFORMTYPE_DH4, IKEV2_XFORMDH_NONE0 }, | ||||
167 | { IKEV2_XFORMTYPE_ESN5, IKEV2_XFORMESN_ESN1 }, | ||||
168 | { IKEV2_XFORMTYPE_ESN5, IKEV2_XFORMESN_NONE0 }, | ||||
169 | { 0 } | ||||
170 | }; | ||||
171 | size_t ikev2_default_nesp_transforms_noauth = | ||||
172 | ((sizeof(ikev2_default_esp_transforms_noauth) / | ||||
173 | sizeof(ikev2_default_esp_transforms_noauth[0])) - 1); | ||||
174 | |||||
175 | const struct ipsec_xf authxfs[] = { | ||||
176 | { "hmac-md5", IKEV2_XFORMAUTH_HMAC_MD5_961, 16 }, | ||||
177 | { "hmac-sha1", IKEV2_XFORMAUTH_HMAC_SHA1_962, 20 }, | ||||
178 | { "hmac-sha2-256", IKEV2_XFORMAUTH_HMAC_SHA2_256_12812, 32 }, | ||||
179 | { "hmac-sha2-384", IKEV2_XFORMAUTH_HMAC_SHA2_384_19213, 48 }, | ||||
180 | { "hmac-sha2-512", IKEV2_XFORMAUTH_HMAC_SHA2_512_25614, 64 }, | ||||
181 | { NULL((void *)0) } | ||||
182 | }; | ||||
183 | |||||
184 | const struct ipsec_xf prfxfs[] = { | ||||
185 | { "hmac-md5", IKEV2_XFORMPRF_HMAC_MD51, 16 }, | ||||
186 | { "hmac-sha1", IKEV2_XFORMPRF_HMAC_SHA12, 20 }, | ||||
187 | { "hmac-sha2-256", IKEV2_XFORMPRF_HMAC_SHA2_2565, 32 }, | ||||
188 | { "hmac-sha2-384", IKEV2_XFORMPRF_HMAC_SHA2_3846, 48 }, | ||||
189 | { "hmac-sha2-512", IKEV2_XFORMPRF_HMAC_SHA2_5127, 64 }, | ||||
190 | { NULL((void *)0) } | ||||
191 | }; | ||||
192 | |||||
193 | const struct ipsec_xf *encxfs = NULL((void *)0); | ||||
194 | |||||
195 | const struct ipsec_xf ikeencxfs[] = { | ||||
196 | { "3des", IKEV2_XFORMENCR_3DES3, 24 }, | ||||
197 | { "3des-cbc", IKEV2_XFORMENCR_3DES3, 24 }, | ||||
198 | { "aes-128", IKEV2_XFORMENCR_AES_CBC12, 16, 16 }, | ||||
199 | { "aes-192", IKEV2_XFORMENCR_AES_CBC12, 24, 24 }, | ||||
200 | { "aes-256", IKEV2_XFORMENCR_AES_CBC12, 32, 32 }, | ||||
201 | { "aes-128-gcm", IKEV2_XFORMENCR_AES_GCM_1620, 16, 16, 4, 1 }, | ||||
202 | { "aes-256-gcm", IKEV2_XFORMENCR_AES_GCM_1620, 32, 32, 4, 1 }, | ||||
203 | { "aes-128-gcm-12", IKEV2_XFORMENCR_AES_GCM_1219, 16, 16, 4, 1 }, | ||||
204 | { "aes-256-gcm-12", IKEV2_XFORMENCR_AES_GCM_1219, 32, 32, 4, 1 }, | ||||
205 | { NULL((void *)0) } | ||||
206 | }; | ||||
207 | |||||
208 | const struct ipsec_xf ipsecencxfs[] = { | ||||
209 | { "3des", IKEV2_XFORMENCR_3DES3, 24 }, | ||||
210 | { "3des-cbc", IKEV2_XFORMENCR_3DES3, 24 }, | ||||
211 | { "aes-128", IKEV2_XFORMENCR_AES_CBC12, 16, 16 }, | ||||
212 | { "aes-192", IKEV2_XFORMENCR_AES_CBC12, 24, 24 }, | ||||
213 | { "aes-256", IKEV2_XFORMENCR_AES_CBC12, 32, 32 }, | ||||
214 | { "aes-128-ctr", IKEV2_XFORMENCR_AES_CTR13, 16, 16, 4 }, | ||||
215 | { "aes-192-ctr", IKEV2_XFORMENCR_AES_CTR13, 24, 24, 4 }, | ||||
216 | { "aes-256-ctr", IKEV2_XFORMENCR_AES_CTR13, 32, 32, 4 }, | ||||
217 | { "aes-128-gcm", IKEV2_XFORMENCR_AES_GCM_1620, 16, 16, 4, 1 }, | ||||
218 | { "aes-192-gcm", IKEV2_XFORMENCR_AES_GCM_1620, 24, 24, 4, 1 }, | ||||
219 | { "aes-256-gcm", IKEV2_XFORMENCR_AES_GCM_1620, 32, 32, 4, 1 }, | ||||
220 | { "aes-128-gmac", IKEV2_XFORMENCR_NULL_AES_GMAC21, 16, 16, 4, 1 }, | ||||
221 | { "aes-192-gmac", IKEV2_XFORMENCR_NULL_AES_GMAC21, 24, 24, 4, 1 }, | ||||
222 | { "aes-256-gmac", IKEV2_XFORMENCR_NULL_AES_GMAC21, 32, 32, 4, 1 }, | ||||
223 | { "blowfish", IKEV2_XFORMENCR_BLOWFISH7, 20, 20 }, | ||||
224 | { "cast", IKEV2_XFORMENCR_CAST6, 16, 16 }, | ||||
225 | { "chacha20-poly1305", IKEV2_XFORMENCR_CHACHA20_POLY130528, | ||||
226 | 32, 32, 4, 1 }, | ||||
227 | { "null", IKEV2_XFORMENCR_NULL11, 0, 0 }, | ||||
228 | { NULL((void *)0) } | ||||
229 | }; | ||||
230 | |||||
231 | const struct ipsec_xf groupxfs[] = { | ||||
232 | { "none", IKEV2_XFORMDH_NONE0 }, | ||||
233 | { "modp768", IKEV2_XFORMDH_MODP_7681 }, | ||||
234 | { "grp1", IKEV2_XFORMDH_MODP_7681 }, | ||||
235 | { "modp1024", IKEV2_XFORMDH_MODP_10242 }, | ||||
236 | { "grp2", IKEV2_XFORMDH_MODP_10242 }, | ||||
237 | { "modp1536", IKEV2_XFORMDH_MODP_15365 }, | ||||
238 | { "grp5", IKEV2_XFORMDH_MODP_15365 }, | ||||
239 | { "modp2048", IKEV2_XFORMDH_MODP_204814 }, | ||||
240 | { "grp14", IKEV2_XFORMDH_MODP_204814 }, | ||||
241 | { "modp3072", IKEV2_XFORMDH_MODP_307215 }, | ||||
242 | { "grp15", IKEV2_XFORMDH_MODP_307215 }, | ||||
243 | { "modp4096", IKEV2_XFORMDH_MODP_409616 }, | ||||
244 | { "grp16", IKEV2_XFORMDH_MODP_409616 }, | ||||
245 | { "modp6144", IKEV2_XFORMDH_MODP_614417 }, | ||||
246 | { "grp17", IKEV2_XFORMDH_MODP_614417 }, | ||||
247 | { "modp8192", IKEV2_XFORMDH_MODP_819218 }, | ||||
248 | { "grp18", IKEV2_XFORMDH_MODP_819218 }, | ||||
249 | { "ecp256", IKEV2_XFORMDH_ECP_25619 }, | ||||
250 | { "grp19", IKEV2_XFORMDH_ECP_25619 }, | ||||
251 | { "ecp384", IKEV2_XFORMDH_ECP_38420 }, | ||||
252 | { "grp20", IKEV2_XFORMDH_ECP_38420 }, | ||||
253 | { "ecp521", IKEV2_XFORMDH_ECP_52121 }, | ||||
254 | { "grp21", IKEV2_XFORMDH_ECP_52121 }, | ||||
255 | { "ecp192", IKEV2_XFORMDH_ECP_19225 }, | ||||
256 | { "grp25", IKEV2_XFORMDH_ECP_19225 }, | ||||
257 | { "ecp224", IKEV2_XFORMDH_ECP_22426 }, | ||||
258 | { "grp26", IKEV2_XFORMDH_ECP_22426 }, | ||||
259 | { "brainpool224", IKEV2_XFORMDH_BRAINPOOL_P224R127 }, | ||||
260 | { "grp27", IKEV2_XFORMDH_BRAINPOOL_P224R127 }, | ||||
261 | { "brainpool256", IKEV2_XFORMDH_BRAINPOOL_P256R128 }, | ||||
262 | { "grp28", IKEV2_XFORMDH_BRAINPOOL_P256R128 }, | ||||
263 | { "brainpool384", IKEV2_XFORMDH_BRAINPOOL_P384R129 }, | ||||
264 | { "grp29", IKEV2_XFORMDH_BRAINPOOL_P384R129 }, | ||||
265 | { "brainpool512", IKEV2_XFORMDH_BRAINPOOL_P512R130 }, | ||||
266 | { "grp30", IKEV2_XFORMDH_BRAINPOOL_P512R130 }, | ||||
267 | { "curve25519", IKEV2_XFORMDH_CURVE2551931 }, | ||||
268 | { "grp31", IKEV2_XFORMDH_CURVE2551931 }, | ||||
269 | { "sntrup761x25519", IKEV2_XFORMDH_X_SNTRUP761X255191035 }, | ||||
270 | { NULL((void *)0) } | ||||
271 | }; | ||||
272 | |||||
273 | const struct ipsec_xf esnxfs[] = { | ||||
274 | { "esn", IKEV2_XFORMESN_ESN1 }, | ||||
275 | { "noesn", IKEV2_XFORMESN_NONE0 }, | ||||
276 | { NULL((void *)0) } | ||||
277 | }; | ||||
278 | |||||
279 | const struct ipsec_xf methodxfs[] = { | ||||
280 | { "none", IKEV2_AUTH_NONE0 }, | ||||
281 | { "rsa", IKEV2_AUTH_RSA_SIG1 }, | ||||
282 | { "ecdsa256", IKEV2_AUTH_ECDSA_2569 }, | ||||
283 | { "ecdsa384", IKEV2_AUTH_ECDSA_38410 }, | ||||
284 | { "ecdsa521", IKEV2_AUTH_ECDSA_52111 }, | ||||
285 | { "rfc7427", IKEV2_AUTH_SIG14 }, | ||||
286 | { "signature", IKEV2_AUTH_SIG_ANY255 }, | ||||
287 | { NULL((void *)0) } | ||||
288 | }; | ||||
289 | |||||
290 | const struct ipsec_xf saxfs[] = { | ||||
291 | { "esp", IKEV2_SAPROTO_ESP3 }, | ||||
292 | { "ah", IKEV2_SAPROTO_AH2 }, | ||||
293 | { NULL((void *)0) } | ||||
294 | }; | ||||
295 | |||||
296 | const struct ipsec_xf cpxfs[] = { | ||||
297 | { "address", IKEV2_CFG_INTERNAL_IP4_ADDRESS1, AF_INET2 }, | ||||
298 | { "netmask", IKEV2_CFG_INTERNAL_IP4_NETMASK2, AF_INET2 }, | ||||
299 | { "name-server", IKEV2_CFG_INTERNAL_IP4_DNS3, AF_INET2 }, | ||||
300 | { "netbios-server", IKEV2_CFG_INTERNAL_IP4_NBNS4, AF_INET2 }, | ||||
301 | { "dhcp-server", IKEV2_CFG_INTERNAL_IP4_DHCP6, AF_INET2 }, | ||||
302 | { "address", IKEV2_CFG_INTERNAL_IP6_ADDRESS8, AF_INET624 }, | ||||
303 | { "name-server", IKEV2_CFG_INTERNAL_IP6_DNS10, AF_INET624 }, | ||||
304 | { "netbios-server", IKEV2_CFG_INTERNAL_IP6_NBNS11, AF_INET624 }, | ||||
305 | { "dhcp-server", IKEV2_CFG_INTERNAL_IP6_DHCP12, AF_INET624 }, | ||||
306 | { "protected-subnet", IKEV2_CFG_INTERNAL_IP4_SUBNET13, AF_INET2 }, | ||||
307 | { "protected-subnet", IKEV2_CFG_INTERNAL_IP6_SUBNET15, AF_INET624 }, | ||||
308 | { "access-server", IKEV2_CFG_INTERNAL_IP4_SERVER23456, AF_INET2 }, | ||||
309 | { "access-server", IKEV2_CFG_INTERNAL_IP6_SERVER23457, AF_INET624 }, | ||||
310 | { NULL((void *)0) } | ||||
311 | }; | ||||
312 | |||||
313 | const struct iked_lifetime deflifetime = { | ||||
314 | IKED_LIFETIME_BYTES4294967296ULL, | ||||
315 | IKED_LIFETIME_SECONDS10800 | ||||
316 | }; | ||||
317 | |||||
318 | #define IPSEC_ADDR_ANY(0x1) (0x1) | ||||
319 | #define IPSEC_ADDR_DYNAMIC(0x2) (0x2) | ||||
320 | |||||
321 | struct ipsec_addr_wrap { | ||||
322 | struct sockaddr_storage address; | ||||
323 | uint8_t mask; | ||||
324 | int netaddress; | ||||
325 | sa_family_t af; | ||||
326 | unsigned int type; | ||||
327 | unsigned int action; | ||||
328 | uint16_t port; | ||||
329 | char *name; | ||||
330 | struct ipsec_addr_wrap *next; | ||||
331 | struct ipsec_addr_wrap *tail; | ||||
332 | struct ipsec_addr_wrap *srcnat; | ||||
333 | }; | ||||
334 | |||||
335 | struct ipsec_hosts { | ||||
336 | struct ipsec_addr_wrap *src; | ||||
337 | struct ipsec_addr_wrap *dst; | ||||
338 | }; | ||||
339 | |||||
340 | struct ipsec_filters { | ||||
341 | char *tag; | ||||
342 | unsigned int tap; | ||||
343 | }; | ||||
344 | |||||
345 | void copy_sockaddrtoipa(struct ipsec_addr_wrap *, | ||||
346 | struct sockaddr *); | ||||
347 | struct ipsec_addr_wrap *host(const char *); | ||||
348 | struct ipsec_addr_wrap *host_ip(const char *, int); | ||||
349 | struct ipsec_addr_wrap *host_dns(const char *, int); | ||||
350 | struct ipsec_addr_wrap *host_if(const char *, int); | ||||
351 | struct ipsec_addr_wrap *host_any(void); | ||||
352 | struct ipsec_addr_wrap *host_dynamic(void); | ||||
353 | void ifa_load(void); | ||||
354 | int ifa_exists(const char *); | ||||
355 | struct ipsec_addr_wrap *ifa_lookup(const char *ifa_name); | ||||
356 | struct ipsec_addr_wrap *ifa_grouplookup(const char *); | ||||
357 | void set_ipmask(struct ipsec_addr_wrap *, int); | ||||
358 | const struct ipsec_xf *parse_xf(const char *, unsigned int, | ||||
359 | const struct ipsec_xf *); | ||||
360 | void copy_transforms(unsigned int, | ||||
361 | const struct ipsec_xf **, unsigned int, | ||||
362 | struct iked_transform **, unsigned int *, | ||||
363 | struct iked_transform *, size_t); | ||||
364 | int create_ike(char *, int, struct ipsec_addr_wrap *, | ||||
365 | int, struct ipsec_hosts *, | ||||
366 | struct ipsec_hosts *, struct ipsec_mode *, | ||||
367 | struct ipsec_mode *, uint8_t, | ||||
368 | uint8_t, char *, char *, | ||||
369 | uint32_t, struct iked_lifetime *, | ||||
370 | struct iked_auth *, struct ipsec_filters *, | ||||
371 | struct ipsec_addr_wrap *, char *); | ||||
372 | int create_user(const char *, const char *); | ||||
373 | int get_id_type(char *); | ||||
374 | uint8_t x2i(unsigned char *); | ||||
375 | int parsekey(unsigned char *, size_t, struct iked_auth *); | ||||
376 | int parsekeyfile(char *, struct iked_auth *); | ||||
377 | void iaw_free(struct ipsec_addr_wrap *); | ||||
378 | static int create_flow(struct iked_policy *pol, int, struct ipsec_addr_wrap *ipa, | ||||
379 | struct ipsec_addr_wrap *ipb); | ||||
380 | static int expand_flows(struct iked_policy *, int, struct ipsec_addr_wrap *, | ||||
381 | struct ipsec_addr_wrap *); | ||||
382 | static struct ipsec_addr_wrap * | ||||
383 | expand_keyword(struct ipsec_addr_wrap *); | ||||
384 | |||||
385 | struct ipsec_transforms *ipsec_transforms; | ||||
386 | struct ipsec_filters *ipsec_filters; | ||||
387 | struct ipsec_mode *ipsec_mode; | ||||
388 | /* interface lookup routintes */ | ||||
389 | struct ipsec_addr_wrap *iftab; | ||||
390 | |||||
391 | typedef struct { | ||||
392 | union { | ||||
393 | int64_t number; | ||||
394 | uint8_t ikemode; | ||||
395 | uint8_t dir; | ||||
396 | uint8_t satype; | ||||
397 | char *string; | ||||
398 | uint16_t port; | ||||
399 | struct ipsec_hosts *hosts; | ||||
400 | struct ipsec_hosts peers; | ||||
401 | struct ipsec_addr_wrap *anyhost; | ||||
402 | struct ipsec_addr_wrap *host; | ||||
403 | struct ipsec_addr_wrap *cfg; | ||||
404 | struct ipsec_addr_wrap *proto; | ||||
405 | struct { | ||||
406 | char *srcid; | ||||
407 | char *dstid; | ||||
408 | } ids; | ||||
409 | char *id; | ||||
410 | uint8_t type; | ||||
411 | struct iked_lifetime lifetime; | ||||
412 | struct iked_auth ikeauth; | ||||
413 | struct iked_auth ikekey; | ||||
414 | struct ipsec_transforms *transforms; | ||||
415 | struct ipsec_filters *filters; | ||||
416 | struct ipsec_mode *mode; | ||||
417 | } v; | ||||
418 | int lineno; | ||||
419 | } YYSTYPE; | ||||
420 | |||||
421 | #line 422 "parse.c" | ||||
422 | #define FROM257 257 | ||||
423 | #define ESP258 258 | ||||
424 | #define AH259 259 | ||||
425 | #define IN260 260 | ||||
426 | #define PEER261 261 | ||||
427 | #define ON262 262 | ||||
428 | #define OUT263 263 | ||||
429 | #define TO264 264 | ||||
430 | #define SRCID265 265 | ||||
431 | #define DSTID266 266 | ||||
432 | #define PSK267 267 | ||||
433 | #define PORT268 268 | ||||
434 | #define FILENAME269 269 | ||||
435 | #define AUTHXF270 270 | ||||
436 | #define PRFXF271 271 | ||||
437 | #define ENCXF272 272 | ||||
438 | #define ERROR273 273 | ||||
439 | #define IKEV2274 274 | ||||
440 | #define IKESA275 275 | ||||
441 | #define CHILDSA276 276 | ||||
442 | #define ESN277 277 | ||||
443 | #define NOESN278 278 | ||||
444 | #define PASSIVE279 279 | ||||
445 | #define ACTIVE280 280 | ||||
446 | #define ANY281 281 | ||||
447 | #define TAG282 282 | ||||
448 | #define TAP283 283 | ||||
449 | #define PROTO284 284 | ||||
450 | #define LOCAL285 285 | ||||
451 | #define GROUP286 286 | ||||
452 | #define NAME287 287 | ||||
453 | #define CONFIG288 288 | ||||
454 | #define EAP289 289 | ||||
455 | #define USER290 290 | ||||
456 | #define IKEV1291 291 | ||||
457 | #define FLOW292 292 | ||||
458 | #define SA293 293 | ||||
459 | #define TCPMD5294 294 | ||||
460 | #define TUNNEL295 295 | ||||
461 | #define TRANSPORT296 296 | ||||
462 | #define COUPLE297 297 | ||||
463 | #define DECOUPLE298 298 | ||||
464 | #define SET299 299 | ||||
465 | #define INCLUDE300 300 | ||||
466 | #define LIFETIME301 301 | ||||
467 | #define BYTES302 302 | ||||
468 | #define INET303 303 | ||||
469 | #define INET6304 304 | ||||
470 | #define QUICK305 305 | ||||
471 | #define SKIP306 306 | ||||
472 | #define DEFAULT307 307 | ||||
473 | #define IPCOMP308 308 | ||||
474 | #define OCSP309 309 | ||||
475 | #define IKELIFETIME310 310 | ||||
476 | #define MOBIKE311 311 | ||||
477 | #define NOMOBIKE312 312 | ||||
478 | #define RDOMAIN313 313 | ||||
479 | #define FRAGMENTATION314 314 | ||||
480 | #define NOFRAGMENTATION315 315 | ||||
481 | #define DPD_CHECK_INTERVAL316 316 | ||||
482 | #define ENFORCESINGLEIKESA317 317 | ||||
483 | #define NOENFORCESINGLEIKESA318 318 | ||||
484 | #define STICKYADDRESS319 319 | ||||
485 | #define NOSTICKYADDRESS320 320 | ||||
486 | #define VENDORID321 321 | ||||
487 | #define NOVENDORID322 322 | ||||
488 | #define TOLERATE323 323 | ||||
489 | #define MAXAGE324 324 | ||||
490 | #define DYNAMIC325 325 | ||||
491 | #define CERTPARTIALCHAIN326 326 | ||||
492 | #define REQUEST327 327 | ||||
493 | #define IFACE328 328 | ||||
494 | #define STRING329 329 | ||||
495 | #define NUMBER330 330 | ||||
496 | #define YYERRCODE256 256 | ||||
497 | const short yylhs[] = | ||||
498 | { -1, | ||||
499 | 0, 0, 0, 0, 0, 0, 0, 0, 0, 46, | ||||
500 | 46, 39, 40, 40, 40, 40, 40, 40, 40, 40, | ||||
501 | 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, | ||||
502 | 40, 41, 42, 36, 36, 37, 37, 35, 35, 33, | ||||
503 | 33, 2, 2, 2, 10, 10, 10, 3, 3, 3, | ||||
504 | 4, 4, 5, 5, 11, 11, 7, 7, 6, 6, | ||||
505 | 8, 8, 9, 9, 12, 12, 12, 12, 12, 13, | ||||
506 | 13, 15, 15, 14, 14, 14, 14, 16, 16, 16, | ||||
507 | 16, 17, 48, 18, 18, 47, 47, 49, 49, 49, | ||||
508 | 49, 49, 38, 38, 51, 27, 27, 50, 50, 53, | ||||
509 | 52, 55, 28, 28, 54, 54, 57, 56, 20, 21, | ||||
510 | 21, 21, 21, 22, 22, 22, 23, 23, 24, 24, | ||||
511 | 24, 25, 25, 25, 25, 30, 30, 31, 31, 29, | ||||
512 | 29, 29, 32, 32, 26, 26, 59, 19, 19, 58, | ||||
513 | 58, 60, 60, 34, 34, 1, 1, 43, 44, 44, | ||||
514 | 44, 44, 61, 61, 61, 61, 61, 45, | ||||
515 | }; | ||||
516 | const short yylen[] = | ||||
517 | { 2, | ||||
518 | 0, 3, 2, 3, 3, 3, 3, 4, 3, 1, | ||||
519 | 0, 2, 2, 2, 2, 2, 2, 2, 2, 2, | ||||
520 | 2, 2, 2, 2, 2, 2, 3, 5, 7, 2, | ||||
521 | 3, 3, 18, 0, 1, 1, 2, 3, 3, 0, | ||||
522 | 1, 0, 1, 1, 0, 1, 1, 0, 2, 4, | ||||
523 | 1, 3, 1, 1, 0, 2, 1, 3, 6, 6, | ||||
524 | 0, 2, 1, 1, 0, 4, 4, 2, 2, 1, | ||||
525 | 1, 1, 3, 1, 4, 1, 1, 0, 4, 2, | ||||
526 | 2, 1, 0, 2, 0, 2, 1, 2, 2, 2, | ||||
527 | 2, 1, 1, 1, 0, 2, 0, 2, 1, 0, | ||||
528 | 3, 0, 2, 0, 2, 1, 0, 3, 4, 0, | ||||
529 | 1, 1, 1, 0, 1, 1, 0, 1, 0, 1, | ||||
530 | 1, 0, 2, 2, 1, 1, 1, 1, 1, 0, | ||||
531 | 2, 4, 0, 2, 1, 2, 0, 2, 0, 2, | ||||
532 | 1, 2, 2, 0, 2, 2, 1, 3, 1, 1, | ||||
533 | 1, 1, 1, 1, 1, 1, 1, 0, | ||||
534 | }; | ||||
535 | const short yydefred[] = | ||||
536 | { 1, | ||||
537 | 0, 0, 154, 155, 0, 0, 149, 151, 153, 152, | ||||
538 | 156, 157, 0, 0, 0, 3, 0, 0, 0, 0, | ||||
539 | 0, 158, 150, 9, 41, 0, 0, 14, 13, 15, | ||||
540 | 16, 0, 19, 20, 17, 18, 0, 23, 24, 25, | ||||
541 | 26, 21, 22, 30, 12, 0, 2, 4, 5, 6, | ||||
542 | 7, 0, 111, 112, 113, 0, 0, 32, 0, 31, | ||||
543 | 147, 0, 8, 43, 44, 0, 115, 116, 0, 0, | ||||
544 | 146, 46, 47, 0, 118, 0, 129, 128, 0, 0, | ||||
545 | 0, 120, 121, 109, 0, 53, 54, 0, 49, 0, | ||||
546 | 0, 29, 0, 51, 56, 0, 0, 57, 0, 10, | ||||
547 | 50, 0, 76, 77, 0, 0, 0, 0, 0, 0, | ||||
548 | 0, 0, 52, 0, 0, 0, 0, 0, 71, 0, | ||||
549 | 70, 0, 0, 0, 58, 73, 63, 64, 62, 0, | ||||
550 | 0, 0, 0, 0, 0, 0, 100, 0, 99, 0, | ||||
551 | 75, 0, 66, 67, 0, 0, 0, 107, 0, 106, | ||||
552 | 0, 98, 59, 60, 82, 0, 81, 0, 0, 0, | ||||
553 | 105, 101, 0, 0, 134, 0, 0, 108, 0, 0, | ||||
554 | 0, 93, 94, 0, 92, 0, 87, 79, 0, 0, | ||||
555 | 0, 125, 0, 88, 90, 89, 91, 86, 0, 0, | ||||
556 | 135, 123, 124, 0, 0, 36, 0, 0, 127, 126, | ||||
557 | 132, 136, 0, 0, 0, 0, 37, 38, 39, 145, | ||||
558 | 33, 0, 0, 0, 0, 141, 142, 143, 140, | ||||
559 | }; | ||||
560 | const short yydgoto[] = | ||||
561 | { 1, | ||||
562 | 62, 66, 81, 93, 89, 98, 99, 116, 129, 74, | ||||
563 | 91, 111, 120, 106, 121, 147, 156, 162, 211, 56, | ||||
564 | 57, 69, 76, 84, 183, 192, 123, 135, 167, 201, | ||||
565 | 79, 159, 26, 206, 196, 197, 198, 175, 17, 18, | ||||
566 | 19, 20, 21, 22, 52, 102, 176, 163, 177, 138, | ||||
567 | 124, 139, 151, 149, 136, 150, 160, 215, 212, 216, | ||||
568 | 23, | ||||
569 | }; | ||||
570 | const short yysindex[] = | ||||
571 | { 0, | ||||
572 | 184, 25, 0, 0, -290, -282, 0, 0, 0, 0, | ||||
573 | 0, 0, 399, -276, 24, 0, 70, 81, 86, 92, | ||||
574 | 98, 0, 0, 0, 0, -262, -206, 0, 0, 0, | ||||
575 | 0, -192, 0, 0, 0, 0, -214, 0, 0, 0, | ||||
576 | 0, 0, 0, 0, 0, -188, 0, 0, 0, 0, | ||||
577 | 0, 116, 0, 0, 0, -235, -260, 0, -189, 0, | ||||
578 | 0, -172, 0, 0, 0, -229, 0, 0, -165, -253, | ||||
579 | 0, 0, 0, -117, 0, -201, 0, 0, -158, -121, | ||||
580 | -144, 0, 0, 0, -253, 0, 0, -231, 0, -160, | ||||
581 | -195, 0, -37, 0, 0, -239, -239, 0, -43, 0, | ||||
582 | 0, -231, 0, 0, 127, -93, 136, -93, -269, -269, | ||||
583 | 0, -195, 0, -152, -223, -87, -150, -77, 0, -103, | ||||
584 | 0, -75, 0, -88, 0, 0, 0, 0, 0, -239, | ||||
585 | 147, -239, -269, -269, -153, -86, 0, -88, 0, -93, | ||||
586 | 0, -93, 0, 0, -136, -136, -115, 0, -86, 0, | ||||
587 | 0, 0, 0, 0, 0, -69, 0, -253, -102, 0, | ||||
588 | 0, 0, -213, -136, 0, -253, -257, 0, -131, -129, | ||||
589 | -127, 0, 0, -126, 0, -213, 0, 0, -113, -261, | ||||
590 | -123, 0, -275, 0, 0, 0, 0, 0, -194, -122, | ||||
591 | 0, 0, 0, -119, -116, 0, -111, -275, 0, 0, | ||||
592 | 0, 0, -150, -269, -114, 0, 0, 0, 0, 0, | ||||
593 | 0, -133, -110, -109, -133, 0, 0, 0, 0,}; | ||||
594 | const short yyrindex[] = | ||||
595 | { 0, | ||||
596 | 0, 0, 0, 0, -175, 0, 0, 0, 0, 0, | ||||
597 | 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, | ||||
598 | 0, 0, 0, 0, 0, -140, 0, 0, 0, 0, | ||||
599 | 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, | ||||
600 | 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, | ||||
601 | 0, 0, 0, 0, 0, -142, -112, 0, 201, 0, | ||||
602 | 0, 202, 0, 0, 0, -243, 0, 0, -203, 0, | ||||
603 | 0, 0, 0, -246, 0, -99, 0, 0, 206, 0, | ||||
604 | -186, 0, 0, 0, 0, 0, 0, 0, 0, 0, | ||||
605 | 0, 0, -176, 0, 0, 0, 0, 0, 171, 0, | ||||
606 | 0, 0, 0, 0, -10, -42, 19, -36, 0, 0, | ||||
607 | 220, 0, 0, 0, 0, 0, 0, 0, 0, 240, | ||||
608 | 0, 288, 353, 0, 0, 0, 0, 0, 0, 0, | ||||
609 | 0, 0, 0, 0, 251, 0, 0, 357, 0, 104, | ||||
610 | 0, 104, 0, 0, 0, 0, 23, 0, 93, 0, | ||||
611 | 56, 0, 0, 0, 0, 343, 0, 0, 406, 141, | ||||
612 | 0, 0, 0, 0, 0, 0, 27, 0, 0, 0, | ||||
613 | 0, 0, 0, 0, 0, 320, 0, 0, 416, 0, | ||||
614 | 0, 0, 115, 0, 0, 0, 0, 0, 0, 0, | ||||
615 | 0, 0, 0, 0, 0, 0, -1, 117, 0, 0, | ||||
616 | 0, 0, 0, 0, 0, 6, 0, 0, 0, 0, | ||||
617 | 0, 0, 0, 0, 213, 0, 0, 0, 0,}; | ||||
618 | const short yygindex[] = | ||||
619 | { 0, | ||||
620 | 0, 0, 0, 0, -66, 112, 0, -91, 0, 0, | ||||
621 | 0, 0, -107, -82, -92, 0, -118, 65, 0, 0, | ||||
622 | 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, | ||||
623 | -79, 0, 0, 0, 28, 0, 0, 0, 0, 0, | ||||
624 | 0, 0, 0, 0, 0, 128, 0, 0, 52, 0, | ||||
625 | 0, 91, 0, 0, 0, 82, 0, 0, 0, 17, | ||||
626 | 0, | ||||
627 | }; | ||||
628 | #define YYTABLESIZE745 745 | ||||
629 | const short yytable[] = | ||||
630 | { 72, | ||||
631 | 100, 88, 122, 107, 107, 92, 100, 190, 144, 180, | ||||
632 | 48, 119, 194, 45, 108, 139, 118, 48, 67, 68, | ||||
633 | 45, 94, 64, 65, 131, 143, 144, 157, 74, 72, | ||||
634 | 72, 181, 133, 72, 24, 113, 122, 107, 25, 107, | ||||
635 | 45, 103, 53, 54, 55, 178, 27, 140, 153, 142, | ||||
636 | 154, 195, 45, 117, 117, 117, 169, 170, 171, 105, | ||||
637 | 117, 96, 74, 172, 173, 85, 48, 191, 97, 45, | ||||
638 | 55, 182, 174, 72, 73, 77, 78, 55, 165, 47, | ||||
639 | 117, 40, 40, 40, 46, 104, 179, 101, 40, 105, | ||||
640 | 48, 117, 117, 82, 83, 49, 209, 86, 87, 117, | ||||
641 | 117, 50, 103, 40, 40, 127, 128, 51, 40, 117, | ||||
642 | 208, 145, 146, 61, 42, 60, 110, 110, 110, 40, | ||||
643 | 40, 42, 58, 110, 34, 63, 35, 40, 40, 40, | ||||
644 | 40, 40, 40, 70, 199, 200, 59, 40, 110, 110, | ||||
645 | 61, 42, 75, 110, 114, 114, 114, 61, 213, 214, | ||||
646 | 85, 114, 11, 11, 110, 110, 71, 119, 119, 119, | ||||
647 | 42, 42, 110, 110, 119, 85, 80, 110, 90, 95, | ||||
648 | 42, 114, 110, 114, 115, 117, 130, 126, 105, 132, | ||||
649 | 65, 133, 114, 114, 119, 134, 137, 141, 189, 148, | ||||
650 | 114, 114, 155, 16, 158, 114, 164, 184, 166, 185, | ||||
651 | 114, 186, 187, 119, 119, 193, 202, 86, 87, 203, | ||||
652 | 27, 148, 204, 119, 210, 28, 205, 109, 217, 218, | ||||
653 | 61, 61, 138, 125, 168, 207, 112, 188, 152, 97, | ||||
654 | 161, 219, 0, 0, 0, 0, 0, 0, 0, 0, | ||||
655 | 0, 110, 0, 0, 0, 0, 72, 0, 0, 68, | ||||
656 | 72, 0, 0, 72, 72, 72, 72, 72, 0, 0, | ||||
657 | 78, 0, 0, 0, 72, 72, 0, 0, 0, 0, | ||||
658 | 0, 72, 72, 0, 72, 74, 0, 72, 72, 74, | ||||
659 | 144, 144, 74, 74, 74, 74, 74, 137, 137, 133, | ||||
660 | 72, 0, 0, 74, 74, 0, 0, 69, 0, 72, | ||||
661 | 74, 74, 0, 74, 133, 133, 74, 74, 122, 122, | ||||
662 | 133, 133, 0, 0, 122, 0, 72, 72, 72, 74, | ||||
663 | 85, 85, 85, 133, 0, 83, 83, 83, 74, 84, | ||||
664 | 85, 85, 83, 83, 0, 0, 0, 85, 85, 0, | ||||
665 | 0, 83, 0, 85, 85, 74, 74, 74, 0, 133, | ||||
666 | 133, 133, 80, 122, 122, 0, 85, 103, 103, 103, | ||||
667 | 61, 0, 104, 0, 61, 85, 96, 61, 61, 61, | ||||
668 | 61, 0, 0, 0, 103, 103, 0, 0, 61, 61, | ||||
669 | 103, 103, 85, 85, 85, 61, 61, 0, 61, 0, | ||||
670 | 0, 61, 61, 103, 0, 0, 34, 34, 35, 35, | ||||
671 | 0, 0, 103, 0, 61, 85, 85, 85, 0, 0, | ||||
672 | 83, 83, 83, 61, 0, 130, 85, 83, 83, 103, | ||||
673 | 103, 103, 85, 85, 0, 131, 83, 11, 85, 85, | ||||
674 | 61, 61, 61, 0, 11, 65, 65, 65, 0, 2, | ||||
675 | 3, 85, 34, 0, 35, 65, 65, 4, 0, 0, | ||||
676 | 85, 0, 65, 65, 0, 0, 0, 5, 65, 65, | ||||
677 | 0, 0, 0, 0, 0, 0, 0, 85, 85, 85, | ||||
678 | 0, 65, 0, 6, 7, 8, 9, 10, 11, 12, | ||||
679 | 65, 0, 13, 14, 97, 97, 97, 0, 0, 0, | ||||
680 | 0, 0, 0, 0, 95, 97, 0, 65, 65, 65, | ||||
681 | 0, 97, 97, 0, 68, 68, 68, 97, 97, 0, | ||||
682 | 0, 0, 15, 0, 68, 68, 0, 78, 0, 0, | ||||
683 | 97, 68, 68, 0, 0, 0, 0, 68, 68, 97, | ||||
684 | 0, 0, 78, 78, 0, 0, 0, 0, 78, 78, | ||||
685 | 68, 0, 0, 0, 0, 0, 97, 97, 97, 68, | ||||
686 | 0, 78, 69, 69, 69, 0, 0, 0, 0, 0, | ||||
687 | 78, 0, 69, 69, 0, 0, 68, 68, 68, 69, | ||||
688 | 69, 0, 0, 0, 0, 69, 69, 78, 78, 78, | ||||
689 | 0, 0, 0, 0, 84, 84, 84, 0, 69, 0, | ||||
690 | 0, 0, 0, 0, 84, 84, 0, 69, 0, 0, | ||||
691 | 0, 84, 84, 0, 0, 0, 0, 84, 84, 80, | ||||
692 | 0, 0, 0, 0, 69, 69, 69, 104, 104, 104, | ||||
693 | 84, 96, 96, 96, 80, 80, 0, 0, 102, 84, | ||||
694 | 80, 80, 96, 0, 104, 104, 0, 0, 96, 96, | ||||
695 | 104, 104, 0, 80, 96, 96, 84, 84, 84, 0, | ||||
696 | 0, 0, 80, 104, 0, 0, 0, 96, 0, 0, | ||||
697 | 0, 0, 104, 0, 0, 0, 96, 0, 0, 80, | ||||
698 | 80, 80, 130, 0, 0, 0, 0, 28, 29, 104, | ||||
699 | 104, 104, 131, 96, 96, 96, 0, 130, 130, 0, | ||||
700 | 0, 0, 0, 130, 130, 30, 31, 131, 131, 0, | ||||
701 | 0, 0, 0, 131, 131, 0, 0, 32, 0, 33, | ||||
702 | 34, 0, 35, 36, 37, 38, 39, 40, 41, 42, | ||||
703 | 43, 0, 0, 0, 44, 0, 0, 0, 0, 0, | ||||
704 | 0, 0, 130, 130, 130, 0, 0, 0, 0, 0, | ||||
705 | 0, 0, 131, 131, 131, | ||||
706 | }; | ||||
707 | const short yycheck[] = | ||||
708 | { 10, | ||||
709 | 44, 123, 110, 96, 97, 85, 44, 269, 10, 267, | ||||
710 | 257, 281, 288, 257, 97, 10, 108, 264, 279, 280, | ||||
711 | 264, 88, 258, 259, 117, 133, 134, 146, 10, 40, | ||||
712 | 41, 289, 10, 44, 10, 102, 10, 130, 329, 132, | ||||
713 | 284, 281, 305, 306, 307, 164, 329, 130, 140, 132, | ||||
714 | 142, 327, 329, 257, 258, 259, 270, 271, 272, 329, | ||||
715 | 264, 257, 44, 277, 278, 10, 313, 329, 264, 313, | ||||
716 | 257, 329, 286, 303, 304, 329, 330, 264, 158, 10, | ||||
717 | 284, 257, 258, 259, 61, 325, 166, 125, 264, 329, | ||||
718 | 10, 295, 296, 295, 296, 10, 204, 329, 330, 303, | ||||
719 | 304, 10, 10, 279, 280, 329, 330, 10, 284, 313, | ||||
720 | 203, 265, 266, 10, 257, 330, 257, 258, 259, 295, | ||||
721 | 296, 264, 329, 264, 10, 10, 10, 303, 304, 305, | ||||
722 | 306, 307, 308, 323, 329, 330, 329, 313, 279, 280, | ||||
723 | 329, 284, 308, 284, 257, 258, 259, 44, 282, 283, | ||||
724 | 10, 264, 329, 330, 295, 296, 329, 257, 258, 259, | ||||
725 | 303, 304, 303, 304, 264, 324, 284, 308, 313, 330, | ||||
726 | 313, 284, 313, 47, 268, 40, 264, 330, 329, 257, | ||||
727 | 10, 285, 295, 296, 284, 261, 275, 41, 302, 276, | ||||
728 | 303, 304, 329, 10, 310, 308, 266, 329, 301, 329, | ||||
729 | 313, 329, 329, 303, 304, 329, 329, 329, 330, 329, | ||||
730 | 10, 10, 329, 313, 329, 10, 328, 261, 329, 329, | ||||
731 | 257, 264, 10, 112, 160, 198, 99, 176, 138, 10, | ||||
732 | 149, 215, -1, -1, -1, -1, -1, -1, -1, -1, | ||||
733 | -1, 285, -1, -1, -1, -1, 257, -1, -1, 10, | ||||
734 | 261, -1, -1, 264, 265, 266, 267, 268, -1, -1, | ||||
735 | 10, -1, -1, -1, 275, 276, -1, -1, -1, -1, | ||||
736 | -1, 282, 283, -1, 285, 257, -1, 288, 289, 261, | ||||
737 | 282, 283, 264, 265, 266, 267, 268, 282, 283, 267, | ||||
738 | 301, -1, -1, 275, 276, -1, -1, 10, -1, 310, | ||||
739 | 282, 283, -1, 285, 282, 283, 288, 289, 282, 283, | ||||
740 | 288, 289, -1, -1, 288, -1, 327, 328, 329, 301, | ||||
741 | 265, 266, 267, 301, -1, 270, 271, 272, 310, 10, | ||||
742 | 275, 276, 277, 278, -1, -1, -1, 282, 283, -1, | ||||
743 | -1, 286, -1, 288, 289, 327, 328, 329, -1, 327, | ||||
744 | 328, 329, 10, 327, 328, -1, 301, 265, 266, 267, | ||||
745 | 257, -1, 10, -1, 261, 310, 10, 264, 265, 266, | ||||
746 | 267, -1, -1, -1, 282, 283, -1, -1, 275, 276, | ||||
747 | 288, 289, 327, 328, 329, 282, 283, -1, 285, -1, | ||||
748 | -1, 288, 289, 301, -1, -1, 282, 283, 282, 283, | ||||
749 | -1, -1, 310, -1, 301, 265, 266, 267, -1, -1, | ||||
750 | 270, 271, 272, 310, -1, 10, 276, 277, 278, 327, | ||||
751 | 328, 329, 282, 283, -1, 10, 286, 257, 288, 289, | ||||
752 | 327, 328, 329, -1, 264, 265, 266, 267, -1, 256, | ||||
753 | 257, 301, 328, -1, 328, 275, 276, 264, -1, -1, | ||||
754 | 310, -1, 282, 283, -1, -1, -1, 274, 288, 289, | ||||
755 | -1, -1, -1, -1, -1, -1, -1, 327, 328, 329, | ||||
756 | -1, 301, -1, 290, 291, 292, 293, 294, 295, 296, | ||||
757 | 310, -1, 299, 300, 265, 266, 267, -1, -1, -1, | ||||
758 | -1, -1, -1, -1, 275, 276, -1, 327, 328, 329, | ||||
759 | -1, 282, 283, -1, 265, 266, 267, 288, 289, -1, | ||||
760 | -1, -1, 329, -1, 275, 276, -1, 267, -1, -1, | ||||
761 | 301, 282, 283, -1, -1, -1, -1, 288, 289, 310, | ||||
762 | -1, -1, 282, 283, -1, -1, -1, -1, 288, 289, | ||||
763 | 301, -1, -1, -1, -1, -1, 327, 328, 329, 310, | ||||
764 | -1, 301, 265, 266, 267, -1, -1, -1, -1, -1, | ||||
765 | 310, -1, 275, 276, -1, -1, 327, 328, 329, 282, | ||||
766 | 283, -1, -1, -1, -1, 288, 289, 327, 328, 329, | ||||
767 | -1, -1, -1, -1, 265, 266, 267, -1, 301, -1, | ||||
768 | -1, -1, -1, -1, 275, 276, -1, 310, -1, -1, | ||||
769 | -1, 282, 283, -1, -1, -1, -1, 288, 289, 267, | ||||
770 | -1, -1, -1, -1, 327, 328, 329, 265, 266, 267, | ||||
771 | 301, 265, 266, 267, 282, 283, -1, -1, 276, 310, | ||||
772 | 288, 289, 276, -1, 282, 283, -1, -1, 282, 283, | ||||
773 | 288, 289, -1, 301, 288, 289, 327, 328, 329, -1, | ||||
774 | -1, -1, 310, 301, -1, -1, -1, 301, -1, -1, | ||||
775 | -1, -1, 310, -1, -1, -1, 310, -1, -1, 327, | ||||
776 | 328, 329, 267, -1, -1, -1, -1, 279, 280, 327, | ||||
777 | 328, 329, 267, 327, 328, 329, -1, 282, 283, -1, | ||||
778 | -1, -1, -1, 288, 289, 297, 298, 282, 283, -1, | ||||
779 | -1, -1, -1, 288, 289, -1, -1, 309, -1, 311, | ||||
780 | 312, -1, 314, 315, 316, 317, 318, 319, 320, 321, | ||||
781 | 322, -1, -1, -1, 326, -1, -1, -1, -1, -1, | ||||
782 | -1, -1, 327, 328, 329, -1, -1, -1, -1, -1, | ||||
783 | -1, -1, 327, 328, 329, | ||||
784 | }; | ||||
785 | #define YYFINAL1 1 | ||||
786 | #ifndef YYDEBUG0 | ||||
787 | #define YYDEBUG0 0 | ||||
788 | #endif | ||||
789 | #define YYMAXTOKEN330 330 | ||||
790 | #if YYDEBUG0 | ||||
791 | const char * const yyname[] = | ||||
792 | { | ||||
793 | "end-of-file",0,0,0,0,0,0,0,0,0,"'\\n'",0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0, | ||||
794 | 0,0,0,0,0,0,0,0,0,"'('","')'",0,0,"','",0,0,"'/'",0,0,0,0,0,0,0,0,0,0,0,0,0, | ||||
795 | "'='",0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0, | ||||
796 | 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,"'{'",0,"'}'",0,0,0,0,0,0,0,0,0, | ||||
797 | 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0, | ||||
798 | 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0, | ||||
799 | 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0, | ||||
800 | 0,0,"FROM","ESP","AH","IN","PEER","ON","OUT","TO","SRCID","DSTID","PSK","PORT", | ||||
801 | "FILENAME","AUTHXF","PRFXF","ENCXF","ERROR","IKEV2","IKESA","CHILDSA","ESN", | ||||
802 | "NOESN","PASSIVE","ACTIVE","ANY","TAG","TAP","PROTO","LOCAL","GROUP","NAME", | ||||
803 | "CONFIG","EAP","USER","IKEV1","FLOW","SA","TCPMD5","TUNNEL","TRANSPORT", | ||||
804 | "COUPLE","DECOUPLE","SET","INCLUDE","LIFETIME","BYTES","INET","INET6","QUICK", | ||||
805 | "SKIP","DEFAULT","IPCOMP","OCSP","IKELIFETIME","MOBIKE","NOMOBIKE","RDOMAIN", | ||||
806 | "FRAGMENTATION","NOFRAGMENTATION","DPD_CHECK_INTERVAL","ENFORCESINGLEIKESA", | ||||
807 | "NOENFORCESINGLEIKESA","STICKYADDRESS","NOSTICKYADDRESS","VENDORID", | ||||
808 | "NOVENDORID","TOLERATE","MAXAGE","DYNAMIC","CERTPARTIALCHAIN","REQUEST","IFACE", | ||||
809 | "STRING","NUMBER", | ||||
810 | }; | ||||
811 | const char * const yyrule[] = | ||||
812 | {"$accept : grammar", | ||||
813 | "grammar :", | ||||
814 | "grammar : grammar include '\\n'", | ||||
815 | "grammar : grammar '\\n'", | ||||
816 | "grammar : grammar set '\\n'", | ||||
817 | "grammar : grammar user '\\n'", | ||||
818 | "grammar : grammar ikev2rule '\\n'", | ||||
819 | "grammar : grammar varset '\\n'", | ||||
820 | "grammar : grammar otherrule skipline '\\n'", | ||||
821 | "grammar : grammar error '\\n'", | ||||
822 | "comma : ','", | ||||
823 | "comma :", | ||||
824 | "include : INCLUDE STRING", | ||||
825 | "set : SET ACTIVE", | ||||
826 | "set : SET PASSIVE", | ||||
827 | "set : SET COUPLE", | ||||
828 | "set : SET DECOUPLE", | ||||
829 | "set : SET FRAGMENTATION", | ||||
830 | "set : SET NOFRAGMENTATION", | ||||
831 | "set : SET MOBIKE", | ||||
832 | "set : SET NOMOBIKE", | ||||
833 | "set : SET VENDORID", | ||||
834 | "set : SET NOVENDORID", | ||||
835 | "set : SET ENFORCESINGLEIKESA", | ||||
836 | "set : SET NOENFORCESINGLEIKESA", | ||||
837 | "set : SET STICKYADDRESS", | ||||
838 | "set : SET NOSTICKYADDRESS", | ||||
839 | "set : SET OCSP STRING", | ||||
840 | "set : SET OCSP STRING TOLERATE time_spec", | ||||
841 | "set : SET OCSP STRING TOLERATE time_spec MAXAGE time_spec", | ||||
842 | "set : SET CERTPARTIALCHAIN", | ||||
843 | "set : SET DPD_CHECK_INTERVAL NUMBER", | ||||
844 | "user : USER STRING STRING", | ||||
845 | "ikev2rule : IKEV2 name ikeflags satype af proto rdomain hosts_list peers ike_sas child_sas ids ikelifetime lifetime ikeauth ikecfg iface filters", | ||||
846 | "ikecfg :", | ||||
847 | "ikecfg : ikecfgvals", | ||||
848 | "ikecfgvals : cfg", | ||||
849 | "ikecfgvals : ikecfgvals cfg", | ||||
850 | "cfg : CONFIG STRING host_spec", | ||||
851 | "cfg : REQUEST STRING anyhost", | ||||
852 | "name :", | ||||
853 | "name : STRING", | ||||
854 | "satype :", | ||||
855 | "satype : ESP", | ||||
856 | "satype : AH", | ||||
857 | "af :", | ||||
858 | "af : INET", | ||||
859 | "af : INET6", | ||||
860 | "proto :", | ||||
861 | "proto : PROTO protoval", | ||||
862 | "proto : PROTO '{' proto_list '}'", | ||||
863 | "proto_list : protoval", | ||||
864 | "proto_list : proto_list comma protoval", | ||||
865 | "protoval : STRING", | ||||
866 | "protoval : NUMBER", | ||||
867 | "rdomain :", | ||||
868 | "rdomain : RDOMAIN NUMBER", | ||||
869 | "hosts_list : hosts", | ||||
870 | "hosts_list : hosts_list comma hosts", | ||||
871 | "hosts : FROM host port TO host port", | ||||
872 | "hosts : TO host port FROM host port", | ||||
873 | "port :", | ||||
874 | "port : PORT portval", | ||||
875 | "portval : STRING", | ||||
876 | "portval : NUMBER", | ||||
877 | "peers :", | ||||
878 | "peers : PEER anyhost LOCAL anyhost", | ||||
879 | "peers : LOCAL anyhost PEER anyhost", | ||||
880 | "peers : PEER anyhost", | ||||
881 | "peers : LOCAL anyhost", | ||||
882 | "anyhost : host_spec", | ||||
883 | "anyhost : ANY", | ||||
884 | "host_spec : STRING", | ||||
885 | "host_spec : STRING '/' NUMBER", | ||||
886 | "host : host_spec", | ||||
887 | "host : host_spec '(' host_spec ')'", | ||||
888 | "host : ANY", | ||||
889 | "host : DYNAMIC", | ||||
890 | "ids :", | ||||
891 | "ids : SRCID id DSTID id", | ||||
892 | "ids : SRCID id", | ||||
893 | "ids : DSTID id", | ||||
894 | "id : STRING", | ||||
895 | "$$1 :", | ||||
896 | "transforms : $$1 transforms_l", | ||||
897 | "transforms :", | ||||
898 | "transforms_l : transforms_l transform", | ||||
899 | "transforms_l : transform", | ||||
900 | "transform : AUTHXF STRING", | ||||
901 | "transform : ENCXF STRING", | ||||
902 | "transform : PRFXF STRING", | ||||
903 | "transform : GROUP STRING", | ||||
904 | "transform : transform_esn", | ||||
905 | "transform_esn : ESN", | ||||
906 | "transform_esn : NOESN", | ||||
907 | "$$2 :", | ||||
908 | "ike_sas : $$2 ike_sas_l", | ||||
909 | "ike_sas :", | ||||
910 | "ike_sas_l : ike_sas_l ike_sa", | ||||
911 | "ike_sas_l : ike_sa", | ||||
912 | "$$3 :", | ||||
913 | "ike_sa : IKESA $$3 transforms", | ||||
914 | "$$4 :", | ||||
915 | "child_sas : $$4 child_sas_l", | ||||
916 | "child_sas :", | ||||
917 | "child_sas_l : child_sas_l child_sa", | ||||
918 | "child_sas_l : child_sa", | ||||
919 | "$$5 :", | ||||
920 | "child_sa : CHILDSA $$5 transforms", | ||||
921 | "ikeflags : ikematch ikemode ipcomp tmode", | ||||
922 | "ikematch :", | ||||
923 | "ikematch : QUICK", | ||||
924 | "ikematch : SKIP", | ||||
925 | "ikematch : DEFAULT", | ||||
926 | "ikemode :", | ||||
927 | "ikemode : PASSIVE", | ||||
928 | "ikemode : ACTIVE", | ||||
929 | "ipcomp :", | ||||
930 | "ipcomp : IPCOMP", | ||||
931 | "tmode :", | ||||
932 | "tmode : TUNNEL", | ||||
933 | "tmode : TRANSPORT", | ||||
934 | "ikeauth :", | ||||
935 | "ikeauth : PSK keyspec", | ||||
936 | "ikeauth : EAP STRING", | ||||
937 | "ikeauth : STRING", | ||||
938 | "byte_spec : NUMBER", | ||||
939 | "byte_spec : STRING", | ||||
940 | "time_spec : NUMBER", | ||||
941 | "time_spec : STRING", | ||||
942 | "lifetime :", | ||||
943 | "lifetime : LIFETIME time_spec", | ||||
944 | "lifetime : LIFETIME time_spec BYTES byte_spec", | ||||
945 | "ikelifetime :", | ||||
946 | "ikelifetime : IKELIFETIME time_spec", | ||||
947 | "keyspec : STRING", | ||||
948 | "keyspec : FILENAME STRING", | ||||
949 | "$$6 :", | ||||
950 | "filters : $$6 filters_l", | ||||
951 | "filters :", | ||||
952 | "filters_l : filters_l filter", | ||||
953 | "filters_l : filter", | ||||
954 | "filter : TAG STRING", | ||||
955 | "filter : TAP STRING", | ||||
956 | "iface :", | ||||
957 | "iface : IFACE STRING", | ||||
958 | "string : string STRING", | ||||
959 | "string : STRING", | ||||
960 | "varset : STRING '=' string", | ||||
961 | "otherrule : IKEV1", | ||||
962 | "otherrule : sarule", | ||||
963 | "otherrule : FLOW", | ||||
964 | "otherrule : TCPMD5", | ||||
965 | "sarule : SA", | ||||
966 | "sarule : FROM", | ||||
967 | "sarule : TO", | ||||
968 | "sarule : TUNNEL", | ||||
969 | "sarule : TRANSPORT", | ||||
970 | "skipline :", | ||||
971 | }; | ||||
972 | #endif | ||||
973 | #ifdef YYSTACKSIZE10000 | ||||
974 | #undef YYMAXDEPTH10000 | ||||
975 | #define YYMAXDEPTH10000 YYSTACKSIZE10000 | ||||
976 | #else | ||||
977 | #ifdef YYMAXDEPTH10000 | ||||
978 | #define YYSTACKSIZE10000 YYMAXDEPTH10000 | ||||
979 | #else | ||||
980 | #define YYSTACKSIZE10000 10000 | ||||
981 | #define YYMAXDEPTH10000 10000 | ||||
982 | #endif | ||||
983 | #endif | ||||
984 | #define YYINITSTACKSIZE200 200 | ||||
985 | /* LINTUSED */ | ||||
986 | int yydebug; | ||||
987 | int yynerrs; | ||||
988 | int yyerrflag; | ||||
989 | int yychar; | ||||
990 | short *yyssp; | ||||
991 | YYSTYPE *yyvsp; | ||||
992 | YYSTYPE yyval; | ||||
993 | YYSTYPE yylval; | ||||
994 | short *yyss; | ||||
995 | short *yysslim; | ||||
996 | YYSTYPE *yyvs; | ||||
997 | unsigned int yystacksize; | ||||
998 | int yyparse(void); | ||||
999 | #line 1297 "/usr/src/sbin/iked/parse.y" | ||||
1000 | |||||
1001 | struct keywords { | ||||
1002 | const char *k_name; | ||||
1003 | int k_val; | ||||
1004 | }; | ||||
1005 | |||||
1006 | void | ||||
1007 | copy_sockaddrtoipa(struct ipsec_addr_wrap *ipa, struct sockaddr *sa) | ||||
1008 | { | ||||
1009 | if (sa->sa_family == AF_INET624) | ||||
1010 | memcpy(&ipa->address, sa, sizeof(struct sockaddr_in6)); | ||||
1011 | else if (sa->sa_family == AF_INET2) | ||||
1012 | memcpy(&ipa->address, sa, sizeof(struct sockaddr_in)); | ||||
1013 | else | ||||
1014 | warnx("unhandled af %d", sa->sa_family); | ||||
1015 | } | ||||
1016 | |||||
1017 | int | ||||
1018 | yyerror(const char *fmt, ...) | ||||
1019 | { | ||||
1020 | va_list ap; | ||||
1021 | |||||
1022 | file->errors++; | ||||
1023 | va_start(ap, fmt)__builtin_va_start((ap), fmt); | ||||
1024 | fprintf(stderr(&__sF[2]), "%s: %d: ", file->name, yylval.lineno); | ||||
1025 | vfprintf(stderr(&__sF[2]), fmt, ap); | ||||
1026 | fprintf(stderr(&__sF[2]), "\n"); | ||||
1027 | va_end(ap)__builtin_va_end((ap)); | ||||
1028 | return (0); | ||||
1029 | } | ||||
1030 | |||||
1031 | int | ||||
1032 | kw_cmp(const void *k, const void *e) | ||||
1033 | { | ||||
1034 | return (strcmp(k, ((const struct keywords *)e)->k_name)); | ||||
1035 | } | ||||
1036 | |||||
1037 | int | ||||
1038 | lookup(char *s) | ||||
1039 | { | ||||
1040 | /* this has to be sorted always */ | ||||
1041 | static const struct keywords keywords[] = { | ||||
1042 | { "active", ACTIVE280 }, | ||||
1043 | { "ah", AH259 }, | ||||
1044 | { "any", ANY281 }, | ||||
1045 | { "auth", AUTHXF270 }, | ||||
1046 | { "bytes", BYTES302 }, | ||||
1047 | { "cert_partial_chain", CERTPARTIALCHAIN326 }, | ||||
1048 | { "childsa", CHILDSA276 }, | ||||
1049 | { "config", CONFIG288 }, | ||||
1050 | { "couple", COUPLE297 }, | ||||
1051 | { "decouple", DECOUPLE298 }, | ||||
1052 | { "default", DEFAULT307 }, | ||||
1053 | { "dpd_check_interval", DPD_CHECK_INTERVAL316 }, | ||||
1054 | { "dstid", DSTID266 }, | ||||
1055 | { "dynamic", DYNAMIC325 }, | ||||
1056 | { "eap", EAP289 }, | ||||
1057 | { "enc", ENCXF272 }, | ||||
1058 | { "enforcesingleikesa", ENFORCESINGLEIKESA317 }, | ||||
1059 | { "esn", ESN277 }, | ||||
1060 | { "esp", ESP258 }, | ||||
1061 | { "file", FILENAME269 }, | ||||
1062 | { "flow", FLOW292 }, | ||||
1063 | { "fragmentation", FRAGMENTATION314 }, | ||||
1064 | { "from", FROM257 }, | ||||
1065 | { "group", GROUP286 }, | ||||
1066 | { "iface", IFACE328 }, | ||||
1067 | { "ike", IKEV1291 }, | ||||
1068 | { "ikelifetime", IKELIFETIME310 }, | ||||
1069 | { "ikesa", IKESA275 }, | ||||
1070 | { "ikev2", IKEV2274 }, | ||||
1071 | { "include", INCLUDE300 }, | ||||
1072 | { "inet", INET303 }, | ||||
1073 | { "inet6", INET6304 }, | ||||
1074 | { "ipcomp", IPCOMP308 }, | ||||
1075 | { "lifetime", LIFETIME301 }, | ||||
1076 | { "local", LOCAL285 }, | ||||
1077 | { "maxage", MAXAGE324 }, | ||||
1078 | { "mobike", MOBIKE311 }, | ||||
1079 | { "name", NAME287 }, | ||||
1080 | { "noenforcesingleikesa", NOENFORCESINGLEIKESA318 }, | ||||
1081 | { "noesn", NOESN278 }, | ||||
1082 | { "nofragmentation", NOFRAGMENTATION315 }, | ||||
1083 | { "nomobike", NOMOBIKE312 }, | ||||
1084 | { "nostickyaddress", NOSTICKYADDRESS320 }, | ||||
1085 | { "novendorid", NOVENDORID322 }, | ||||
1086 | { "ocsp", OCSP309 }, | ||||
1087 | { "passive", PASSIVE279 }, | ||||
1088 | { "peer", PEER261 }, | ||||
1089 | { "port", PORT268 }, | ||||
1090 | { "prf", PRFXF271 }, | ||||
1091 | { "proto", PROTO284 }, | ||||
1092 | { "psk", PSK267 }, | ||||
1093 | { "quick", QUICK305 }, | ||||
1094 | { "rdomain", RDOMAIN313 }, | ||||
1095 | { "request", REQUEST327 }, | ||||
1096 | { "sa", SA293 }, | ||||
1097 | { "set", SET299 }, | ||||
1098 | { "skip", SKIP306 }, | ||||
1099 | { "srcid", SRCID265 }, | ||||
1100 | { "stickyaddress", STICKYADDRESS319 }, | ||||
1101 | { "tag", TAG282 }, | ||||
1102 | { "tap", TAP283 }, | ||||
1103 | { "tcpmd5", TCPMD5294 }, | ||||
1104 | { "to", TO264 }, | ||||
1105 | { "tolerate", TOLERATE323 }, | ||||
1106 | { "transport", TRANSPORT296 }, | ||||
1107 | { "tunnel", TUNNEL295 }, | ||||
1108 | { "user", USER290 }, | ||||
1109 | { "vendorid", VENDORID321 } | ||||
1110 | }; | ||||
1111 | const struct keywords *p; | ||||
1112 | |||||
1113 | p = bsearch(s, keywords, sizeof(keywords)/sizeof(keywords[0]), | ||||
1114 | sizeof(keywords[0]), kw_cmp); | ||||
1115 | |||||
1116 | if (p) { | ||||
1117 | if (debug > 1) | ||||
1118 | fprintf(stderr(&__sF[2]), "%s: %d\n", s, p->k_val); | ||||
1119 | return (p->k_val); | ||||
1120 | } else { | ||||
1121 | if (debug > 1) | ||||
1122 | fprintf(stderr(&__sF[2]), "string: %s\n", s); | ||||
1123 | return (STRING329); | ||||
1124 | } | ||||
1125 | } | ||||
1126 | |||||
1127 | #define START_EXPAND1 1 | ||||
1128 | #define DONE_EXPAND2 2 | ||||
1129 | |||||
1130 | static int expanding; | ||||
1131 | |||||
1132 | int | ||||
1133 | igetc(void) | ||||
1134 | { | ||||
1135 | int c; | ||||
1136 | |||||
1137 | while (1) { | ||||
1138 | if (file->ungetpos > 0) | ||||
1139 | c = file->ungetbuf[--file->ungetpos]; | ||||
1140 | else | ||||
1141 | c = getc(file->stream)(!__isthreaded ? (--(file->stream)->_r < 0 ? __srget (file->stream) : (int)(*(file->stream)->_p++)) : (getc )(file->stream)); | ||||
1142 | |||||
1143 | if (c == START_EXPAND1) | ||||
1144 | expanding = 1; | ||||
1145 | else if (c == DONE_EXPAND2) | ||||
1146 | expanding = 0; | ||||
1147 | else | ||||
1148 | break; | ||||
1149 | } | ||||
1150 | return (c); | ||||
1151 | } | ||||
1152 | |||||
1153 | int | ||||
1154 | lgetc(int quotec) | ||||
1155 | { | ||||
1156 | int c, next; | ||||
1157 | |||||
1158 | if (quotec) { | ||||
1159 | if ((c = igetc()) == EOF(-1)) { | ||||
1160 | yyerror("reached end of file while parsing " | ||||
1161 | "quoted string"); | ||||
1162 | if (file == topfile || popfile() == EOF(-1)) | ||||
1163 | return (EOF(-1)); | ||||
1164 | return (quotec); | ||||
1165 | } | ||||
1166 | return (c); | ||||
1167 | } | ||||
1168 | |||||
1169 | while ((c = igetc()) == '\\') { | ||||
1170 | next = igetc(); | ||||
1171 | if (next != '\n') { | ||||
1172 | c = next; | ||||
1173 | break; | ||||
1174 | } | ||||
1175 | yylval.lineno = file->lineno; | ||||
1176 | file->lineno++; | ||||
1177 | } | ||||
1178 | |||||
1179 | while (c == EOF(-1)) { | ||||
1180 | /* | ||||
1181 | * Fake EOL when hit EOF for the first time. This gets line | ||||
1182 | * count right if last line in included file is syntactically | ||||
1183 | * invalid and has no newline. | ||||
1184 | */ | ||||
1185 | if (file->eof_reached == 0) { | ||||
1186 | file->eof_reached = 1; | ||||
1187 | return ('\n'); | ||||
1188 | } | ||||
1189 | while (c == EOF(-1)) { | ||||
1190 | if (file == topfile || popfile() == EOF(-1)) | ||||
1191 | return (EOF(-1)); | ||||
1192 | c = igetc(); | ||||
1193 | } | ||||
1194 | } | ||||
1195 | return (c); | ||||
1196 | } | ||||
1197 | |||||
1198 | void | ||||
1199 | lungetc(int c) | ||||
1200 | { | ||||
1201 | if (c == EOF(-1)) | ||||
1202 | return; | ||||
1203 | |||||
1204 | if (file->ungetpos >= file->ungetsize) { | ||||
1205 | void *p = reallocarray(file->ungetbuf, file->ungetsize, 2); | ||||
1206 | if (p == NULL((void *)0)) | ||||
1207 | err(1, "lungetc"); | ||||
1208 | file->ungetbuf = p; | ||||
1209 | file->ungetsize *= 2; | ||||
1210 | } | ||||
1211 | file->ungetbuf[file->ungetpos++] = c; | ||||
1212 | } | ||||
1213 | |||||
1214 | int | ||||
1215 | findeol(void) | ||||
1216 | { | ||||
1217 | int c; | ||||
1218 | |||||
1219 | /* skip to either EOF or the first real EOL */ | ||||
1220 | while (1) { | ||||
1221 | c = lgetc(0); | ||||
1222 | if (c == '\n') { | ||||
1223 | file->lineno++; | ||||
1224 | break; | ||||
1225 | } | ||||
1226 | if (c == EOF(-1)) | ||||
1227 | break; | ||||
1228 | } | ||||
1229 | return (ERROR273); | ||||
1230 | } | ||||
1231 | |||||
1232 | int | ||||
1233 | yylex(void) | ||||
1234 | { | ||||
1235 | char buf[8096]; | ||||
1236 | char *p, *val; | ||||
1237 | int quotec, next, c; | ||||
1238 | int token; | ||||
1239 | |||||
1240 | top: | ||||
1241 | p = buf; | ||||
1242 | while ((c = lgetc(0)) == ' ' || c == '\t') | ||||
1243 | ; /* nothing */ | ||||
1244 | |||||
1245 | yylval.lineno = file->lineno; | ||||
1246 | if (c == '#') | ||||
1247 | while ((c = lgetc(0)) != '\n' && c != EOF(-1)) | ||||
1248 | ; /* nothing */ | ||||
1249 | if (c == '$' && !expanding) { | ||||
1250 | while (1) { | ||||
1251 | if ((c = lgetc(0)) == EOF(-1)) | ||||
1252 | return (0); | ||||
1253 | |||||
1254 | if (p + 1 >= buf + sizeof(buf) - 1) { | ||||
1255 | yyerror("string too long"); | ||||
1256 | return (findeol()); | ||||
1257 | } | ||||
1258 | if (isalnum(c) || c == '_') { | ||||
1259 | *p++ = c; | ||||
1260 | continue; | ||||
1261 | } | ||||
1262 | *p = '\0'; | ||||
1263 | lungetc(c); | ||||
1264 | break; | ||||
1265 | } | ||||
1266 | val = symget(buf); | ||||
1267 | if (val == NULL((void *)0)) { | ||||
1268 | yyerror("macro '%s' not defined", buf); | ||||
1269 | return (findeol()); | ||||
1270 | } | ||||
1271 | p = val + strlen(val) - 1; | ||||
1272 | lungetc(DONE_EXPAND2); | ||||
1273 | while (p >= val) { | ||||
1274 | lungetc((unsigned char)*p); | ||||
1275 | p--; | ||||
1276 | } | ||||
1277 | lungetc(START_EXPAND1); | ||||
1278 | goto top; | ||||
1279 | } | ||||
1280 | |||||
1281 | switch (c) { | ||||
1282 | case '\'': | ||||
1283 | case '"': | ||||
1284 | quotec = c; | ||||
1285 | while (1) { | ||||
1286 | if ((c = lgetc(quotec)) == EOF(-1)) | ||||
1287 | return (0); | ||||
1288 | if (c == '\n') { | ||||
1289 | file->lineno++; | ||||
1290 | continue; | ||||
1291 | } else if (c == '\\') { | ||||
1292 | if ((next = lgetc(quotec)) == EOF(-1)) | ||||
1293 | return (0); | ||||
1294 | if (next == quotec || next == ' ' || | ||||
1295 | next == '\t') | ||||
1296 | c = next; | ||||
1297 | else if (next == '\n') { | ||||
1298 | file->lineno++; | ||||
1299 | continue; | ||||
1300 | } else | ||||
1301 | lungetc(next); | ||||
1302 | } else if (c == quotec) { | ||||
1303 | *p = '\0'; | ||||
1304 | break; | ||||
1305 | } else if (c == '\0') { | ||||
1306 | yyerror("syntax error"); | ||||
1307 | return (findeol()); | ||||
1308 | } | ||||
1309 | if (p + 1 >= buf + sizeof(buf) - 1) { | ||||
1310 | yyerror("string too long"); | ||||
1311 | return (findeol()); | ||||
1312 | } | ||||
1313 | *p++ = c; | ||||
1314 | } | ||||
1315 | yylval.v.string = strdup(buf); | ||||
1316 | if (yylval.v.string == NULL((void *)0)) | ||||
1317 | err(1, "%s", __func__); | ||||
1318 | return (STRING329); | ||||
1319 | } | ||||
1320 | |||||
1321 | #define allowed_to_end_number(x)(isspace(x) || x == ')' || x ==',' || x == '/' || x == '}' || x == '=') \ | ||||
1322 | (isspace(x) || x == ')' || x ==',' || x == '/' || x == '}' || x == '=') | ||||
1323 | |||||
1324 | if (c == '-' || isdigit(c)) { | ||||
1325 | do { | ||||
1326 | *p++ = c; | ||||
1327 | if ((size_t)(p-buf) >= sizeof(buf)) { | ||||
1328 | yyerror("string too long"); | ||||
1329 | return (findeol()); | ||||
1330 | } | ||||
1331 | } while ((c = lgetc(0)) != EOF(-1) && isdigit(c)); | ||||
1332 | lungetc(c); | ||||
1333 | if (p == buf + 1 && buf[0] == '-') | ||||
1334 | goto nodigits; | ||||
1335 | if (c == EOF(-1) || allowed_to_end_number(c)(isspace(c) || c == ')' || c ==',' || c == '/' || c == '}' || c == '=')) { | ||||
1336 | const char *errstr = NULL((void *)0); | ||||
1337 | |||||
1338 | *p = '\0'; | ||||
1339 | yylval.v.number = strtonum(buf, LLONG_MIN(-0x7fffffffffffffffLL-1), | ||||
1340 | LLONG_MAX0x7fffffffffffffffLL, &errstr); | ||||
1341 | if (errstr) { | ||||
1342 | yyerror("\"%s\" invalid number: %s", | ||||
1343 | buf, errstr); | ||||
1344 | return (findeol()); | ||||
1345 | } | ||||
1346 | return (NUMBER330); | ||||
1347 | } else { | ||||
1348 | nodigits: | ||||
1349 | while (p > buf + 1) | ||||
1350 | lungetc((unsigned char)*--p); | ||||
1351 | c = (unsigned char)*--p; | ||||
1352 | if (c == '-') | ||||
1353 | return (c); | ||||
1354 | } | ||||
1355 | } | ||||
1356 | |||||
1357 | #define allowed_in_string(x)(isalnum(x) || (ispunct(x) && x != '(' && x != ')' && x != '{' && x != '}' && x != '<' && x != '>' && x != '!' && x != '=' && x != '/' && x != '#' && x != ',') ) \ | ||||
1358 | (isalnum(x) || (ispunct(x) && x != '(' && x != ')' && \ | ||||
1359 | x != '{' && x != '}' && x != '<' && x != '>' && \ | ||||
1360 | x != '!' && x != '=' && x != '/' && x != '#' && \ | ||||
1361 | x != ',')) | ||||
1362 | |||||
1363 | if (isalnum(c) || c == ':' || c == '_' || c == '*') { | ||||
1364 | do { | ||||
1365 | *p++ = c; | ||||
1366 | if ((size_t)(p-buf) >= sizeof(buf)) { | ||||
1367 | yyerror("string too long"); | ||||
1368 | return (findeol()); | ||||
1369 | } | ||||
1370 | } while ((c = lgetc(0)) != EOF(-1) && (allowed_in_string(c)(isalnum(c) || (ispunct(c) && c != '(' && c != ')' && c != '{' && c != '}' && c != '<' && c != '>' && c != '!' && c != '=' && c != '/' && c != '#' && c != ',') ))); | ||||
1371 | lungetc(c); | ||||
1372 | *p = '\0'; | ||||
1373 | if ((token = lookup(buf)) == STRING329) | ||||
1374 | if ((yylval.v.string = strdup(buf)) == NULL((void *)0)) | ||||
1375 | err(1, "%s", __func__); | ||||
1376 | return (token); | ||||
1377 | } | ||||
1378 | if (c == '\n') { | ||||
1379 | yylval.lineno = file->lineno; | ||||
1380 | file->lineno++; | ||||
1381 | } | ||||
1382 | if (c == EOF(-1)) | ||||
1383 | return (0); | ||||
1384 | return (c); | ||||
1385 | } | ||||
1386 | |||||
1387 | int | ||||
1388 | check_file_secrecy(int fd, const char *fname) | ||||
1389 | { | ||||
1390 | struct stat st; | ||||
1391 | |||||
1392 | if (fstat(fd, &st)) { | ||||
1393 | warn("cannot stat %s", fname); | ||||
1394 | return (-1); | ||||
1395 | } | ||||
1396 | if (st.st_uid != 0 && st.st_uid != getuid()) { | ||||
1397 | warnx("%s: owner not root or current user", fname); | ||||
1398 | return (-1); | ||||
1399 | } | ||||
1400 | if (st.st_mode & (S_IWGRP0000020 | S_IXGRP0000010 | S_IRWXO0000007)) { | ||||
1401 | warnx("%s: group writable or world read/writable", fname); | ||||
1402 | return (-1); | ||||
1403 | } | ||||
1404 | return (0); | ||||
1405 | } | ||||
1406 | |||||
1407 | struct file * | ||||
1408 | pushfile(const char *name, int secret) | ||||
1409 | { | ||||
1410 | struct file *nfile; | ||||
1411 | |||||
1412 | if ((nfile = calloc(1, sizeof(struct file))) == NULL((void *)0)) { | ||||
1413 | warn("%s", __func__); | ||||
1414 | return (NULL((void *)0)); | ||||
1415 | } | ||||
1416 | if ((nfile->name = strdup(name)) == NULL((void *)0)) { | ||||
1417 | warn("%s", __func__); | ||||
1418 | free(nfile); | ||||
1419 | return (NULL((void *)0)); | ||||
1420 | } | ||||
1421 | if (TAILQ_FIRST(&files)((&files)->tqh_first) == NULL((void *)0) && strcmp(nfile->name, "-") == 0) { | ||||
1422 | nfile->stream = stdin(&__sF[0]); | ||||
1423 | free(nfile->name); | ||||
1424 | if ((nfile->name = strdup("stdin")) == NULL((void *)0)) { | ||||
1425 | warn("%s", __func__); | ||||
1426 | free(nfile); | ||||
1427 | return (NULL((void *)0)); | ||||
1428 | } | ||||
1429 | } else if ((nfile->stream = fopen(nfile->name, "r")) == NULL((void *)0)) { | ||||
1430 | warn("%s: %s", __func__, nfile->name); | ||||
1431 | free(nfile->name); | ||||
1432 | free(nfile); | ||||
1433 | return (NULL((void *)0)); | ||||
1434 | } else if (secret && | ||||
1435 | check_file_secrecy(fileno(nfile->stream)(!__isthreaded ? ((nfile->stream)->_file) : (fileno)(nfile ->stream)), nfile->name)) { | ||||
1436 | fclose(nfile->stream); | ||||
1437 | free(nfile->name); | ||||
1438 | free(nfile); | ||||
1439 | return (NULL((void *)0)); | ||||
1440 | } | ||||
1441 | nfile->lineno = TAILQ_EMPTY(&files)(((&files)->tqh_first) == ((void *)0)) ? 1 : 0; | ||||
1442 | nfile->ungetsize = 16; | ||||
1443 | nfile->ungetbuf = malloc(nfile->ungetsize); | ||||
1444 | if (nfile->ungetbuf == NULL((void *)0)) { | ||||
1445 | warn("%s", __func__); | ||||
1446 | fclose(nfile->stream); | ||||
1447 | free(nfile->name); | ||||
1448 | free(nfile); | ||||
1449 | return (NULL((void *)0)); | ||||
1450 | } | ||||
1451 | TAILQ_INSERT_TAIL(&files, nfile, entry)do { (nfile)->entry.tqe_next = ((void *)0); (nfile)->entry .tqe_prev = (&files)->tqh_last; *(&files)->tqh_last = (nfile); (&files)->tqh_last = &(nfile)->entry .tqe_next; } while (0); | ||||
1452 | return (nfile); | ||||
1453 | } | ||||
1454 | |||||
1455 | int | ||||
1456 | popfile(void) | ||||
1457 | { | ||||
1458 | struct file *prev; | ||||
1459 | |||||
1460 | if ((prev = TAILQ_PREV(file, files, entry)(*(((struct files *)((file)->entry.tqe_prev))->tqh_last ))) != NULL((void *)0)) | ||||
1461 | prev->errors += file->errors; | ||||
1462 | |||||
1463 | TAILQ_REMOVE(&files, file, entry)do { if (((file)->entry.tqe_next) != ((void *)0)) (file)-> entry.tqe_next->entry.tqe_prev = (file)->entry.tqe_prev ; else (&files)->tqh_last = (file)->entry.tqe_prev; *(file)->entry.tqe_prev = (file)->entry.tqe_next; ; ; } while (0); | ||||
1464 | fclose(file->stream); | ||||
1465 | free(file->name); | ||||
1466 | free(file->ungetbuf); | ||||
1467 | free(file); | ||||
1468 | file = prev; | ||||
1469 | |||||
1470 | return (file ? 0 : EOF(-1)); | ||||
1471 | } | ||||
1472 | |||||
1473 | int | ||||
1474 | parse_config(const char *filename, struct iked *x_env) | ||||
1475 | { | ||||
1476 | struct sym *sym; | ||||
1477 | int errors = 0; | ||||
1478 | |||||
1479 | env = x_env; | ||||
1480 | rules = 0; | ||||
1481 | |||||
1482 | if ((file = pushfile(filename, 1)) == NULL((void *)0)) | ||||
1483 | return (-1); | ||||
1484 | topfile = file; | ||||
1485 | |||||
1486 | free(ocsp_url); | ||||
1487 | |||||
1488 | mobike = 1; | ||||
1489 | enforcesingleikesa = stickyaddress = 0; | ||||
1490 | cert_partial_chain = decouple = passive = 0; | ||||
1491 | ocsp_tolerate = 0; | ||||
1492 | ocsp_url = NULL((void *)0); | ||||
1493 | ocsp_maxage = -1; | ||||
1494 | fragmentation = 0; | ||||
1495 | dpd_interval = IKED_IKE_SA_ALIVE_TIMEOUT60; | ||||
1496 | decouple = passive = 0; | ||||
1497 | ocsp_url = NULL((void *)0); | ||||
1498 | |||||
1499 | if (env->sc_opts & IKED_OPT_PASSIVE0x00000004) | ||||
1500 | passive = 1; | ||||
1501 | |||||
1502 | yyparse(); | ||||
1503 | errors = file->errors; | ||||
1504 | popfile(); | ||||
1505 | |||||
1506 | env->sc_passive = passive ? 1 : 0; | ||||
1507 | env->sc_decoupled = decouple ? 1 : 0; | ||||
1508 | env->sc_mobikesc_static.st_mobike = mobike; | ||||
1509 | env->sc_enforcesingleikesasc_static.st_enforcesingleikesa = enforcesingleikesa; | ||||
1510 | env->sc_stickyaddresssc_static.st_stickyaddress = stickyaddress; | ||||
1511 | env->sc_fragsc_static.st_frag = fragmentation; | ||||
1512 | env->sc_alive_timeoutsc_static.st_alive_timeout = dpd_interval; | ||||
1513 | env->sc_ocsp_url = ocsp_url; | ||||
1514 | env->sc_ocsp_tolerate = ocsp_tolerate; | ||||
1515 | env->sc_ocsp_maxage = ocsp_maxage; | ||||
1516 | env->sc_cert_partial_chain = cert_partial_chain; | ||||
1517 | env->sc_vendoridsc_static.st_vendorid = vendorid; | ||||
1518 | |||||
1519 | if (!rules) | ||||
1520 | log_warnx("%s: no valid configuration rules found", | ||||
1521 | filename); | ||||
1522 | else | ||||
1523 | log_debug("%s: loaded %d configuration rules", | ||||
1524 | filename, rules); | ||||
1525 | |||||
1526 | /* Free macros and check which have not been used. */ | ||||
1527 | while ((sym = TAILQ_FIRST(&symhead)((&symhead)->tqh_first))) { | ||||
1528 | if (!sym->used) | ||||
1529 | log_debug("warning: macro '%s' not " | ||||
1530 | "used\n", sym->nam); | ||||
1531 | free(sym->nam); | ||||
1532 | free(sym->val); | ||||
1533 | TAILQ_REMOVE(&symhead, sym, entry)do { if (((sym)->entry.tqe_next) != ((void *)0)) (sym)-> entry.tqe_next->entry.tqe_prev = (sym)->entry.tqe_prev; else (&symhead)->tqh_last = (sym)->entry.tqe_prev; *(sym)->entry.tqe_prev = (sym)->entry.tqe_next; ; ; } while (0); | ||||
1534 | free(sym); | ||||
1535 | } | ||||
1536 | |||||
1537 | iaw_free(iftab); | ||||
1538 | iftab = NULL((void *)0); | ||||
1539 | |||||
1540 | return (errors ? -1 : 0); | ||||
1541 | } | ||||
1542 | |||||
1543 | int | ||||
1544 | symset(const char *nam, const char *val, int persist) | ||||
1545 | { | ||||
1546 | struct sym *sym; | ||||
1547 | |||||
1548 | TAILQ_FOREACH(sym, &symhead, entry)for((sym) = ((&symhead)->tqh_first); (sym) != ((void * )0); (sym) = ((sym)->entry.tqe_next)) { | ||||
1549 | if (strcmp(nam, sym->nam) == 0) | ||||
1550 | break; | ||||
1551 | } | ||||
1552 | |||||
1553 | if (sym != NULL((void *)0)) { | ||||
1554 | if (sym->persist == 1) | ||||
1555 | return (0); | ||||
1556 | else { | ||||
1557 | free(sym->nam); | ||||
1558 | free(sym->val); | ||||
1559 | TAILQ_REMOVE(&symhead, sym, entry)do { if (((sym)->entry.tqe_next) != ((void *)0)) (sym)-> entry.tqe_next->entry.tqe_prev = (sym)->entry.tqe_prev; else (&symhead)->tqh_last = (sym)->entry.tqe_prev; *(sym)->entry.tqe_prev = (sym)->entry.tqe_next; ; ; } while (0); | ||||
1560 | free(sym); | ||||
1561 | } | ||||
1562 | } | ||||
1563 | if ((sym = calloc(1, sizeof(*sym))) == NULL((void *)0)) | ||||
1564 | return (-1); | ||||
1565 | |||||
1566 | sym->nam = strdup(nam); | ||||
1567 | if (sym->nam == NULL((void *)0)) { | ||||
1568 | free(sym); | ||||
1569 | return (-1); | ||||
1570 | } | ||||
1571 | sym->val = strdup(val); | ||||
1572 | if (sym->val == NULL((void *)0)) { | ||||
1573 | free(sym->nam); | ||||
1574 | free(sym); | ||||
1575 | return (-1); | ||||
1576 | } | ||||
1577 | sym->used = 0; | ||||
1578 | sym->persist = persist; | ||||
1579 | TAILQ_INSERT_TAIL(&symhead, sym, entry)do { (sym)->entry.tqe_next = ((void *)0); (sym)->entry. tqe_prev = (&symhead)->tqh_last; *(&symhead)->tqh_last = (sym); (&symhead)->tqh_last = &(sym)->entry. tqe_next; } while (0); | ||||
1580 | return (0); | ||||
1581 | } | ||||
1582 | |||||
1583 | int | ||||
1584 | cmdline_symset(char *s) | ||||
1585 | { | ||||
1586 | char *sym, *val; | ||||
1587 | int ret; | ||||
1588 | |||||
1589 | if ((val = strrchr(s, '=')) == NULL((void *)0)) | ||||
1590 | return (-1); | ||||
1591 | |||||
1592 | sym = strndup(s, val - s); | ||||
1593 | if (sym == NULL((void *)0)) | ||||
1594 | err(1, "%s", __func__); | ||||
1595 | ret = symset(sym, val + 1, 1); | ||||
1596 | free(sym); | ||||
1597 | |||||
1598 | return (ret); | ||||
1599 | } | ||||
1600 | |||||
1601 | char * | ||||
1602 | symget(const char *nam) | ||||
1603 | { | ||||
1604 | struct sym *sym; | ||||
1605 | |||||
1606 | TAILQ_FOREACH(sym, &symhead, entry)for((sym) = ((&symhead)->tqh_first); (sym) != ((void * )0); (sym) = ((sym)->entry.tqe_next)) { | ||||
1607 | if (strcmp(nam, sym->nam) == 0) { | ||||
1608 | sym->used = 1; | ||||
1609 | return (sym->val); | ||||
1610 | } | ||||
1611 | } | ||||
1612 | return (NULL((void *)0)); | ||||
1613 | } | ||||
1614 | |||||
1615 | uint8_t | ||||
1616 | x2i(unsigned char *s) | ||||
1617 | { | ||||
1618 | char ss[3]; | ||||
1619 | |||||
1620 | ss[0] = s[0]; | ||||
1621 | ss[1] = s[1]; | ||||
1622 | ss[2] = 0; | ||||
1623 | |||||
1624 | if (!isxdigit(s[0]) || !isxdigit(s[1])) { | ||||
1625 | yyerror("keys need to be specified in hex digits"); | ||||
1626 | return (-1); | ||||
1627 | } | ||||
1628 | return ((uint8_t)strtoul(ss, NULL((void *)0), 16)); | ||||
1629 | } | ||||
1630 | |||||
1631 | int | ||||
1632 | parsekey(unsigned char *hexkey, size_t len, struct iked_auth *auth) | ||||
1633 | { | ||||
1634 | unsigned int i; | ||||
1635 | |||||
1636 | bzero(auth, sizeof(*auth)); | ||||
1637 | if ((len / 2) > sizeof(auth->auth_data)) | ||||
1638 | return (-1); | ||||
1639 | auth->auth_length = len / 2; | ||||
1640 | |||||
1641 | for (i = 0; i < auth->auth_length; i++) | ||||
1642 | auth->auth_data[i] = x2i(hexkey + 2 * i); | ||||
1643 | |||||
1644 | return (0); | ||||
1645 | } | ||||
1646 | |||||
1647 | int | ||||
1648 | parsekeyfile(char *filename, struct iked_auth *auth) | ||||
1649 | { | ||||
1650 | struct stat sb; | ||||
1651 | int fd, ret; | ||||
1652 | unsigned char *hex; | ||||
1653 | |||||
1654 | if ((fd = open(filename, O_RDONLY0x0000)) == -1) | ||||
1655 | err(1, "open %s", filename); | ||||
1656 | if (fstat(fd, &sb) == -1) | ||||
1657 | err(1, "parsekeyfile: stat %s", filename); | ||||
1658 | if ((sb.st_size > KEYSIZE_LIMIT1024) || (sb.st_size == 0)) | ||||
1659 | errx(1, "%s: key too %s", filename, sb.st_size ? "large" : | ||||
1660 | "small"); | ||||
1661 | if ((hex = calloc(sb.st_size, sizeof(unsigned char))) == NULL((void *)0)) | ||||
1662 | err(1, "parsekeyfile: calloc"); | ||||
1663 | if (read(fd, hex, sb.st_size) < sb.st_size) | ||||
1664 | err(1, "parsekeyfile: read"); | ||||
1665 | close(fd); | ||||
1666 | ret = parsekey(hex, sb.st_size, auth); | ||||
1667 | free(hex); | ||||
1668 | return (ret); | ||||
1669 | } | ||||
1670 | |||||
1671 | int | ||||
1672 | get_id_type(char *string) | ||||
1673 | { | ||||
1674 | struct in6_addr ia; | ||||
1675 | |||||
1676 | if (string == NULL((void *)0)) | ||||
1677 | return (IKEV2_ID_NONE0); | ||||
1678 | |||||
1679 | if (*string == '/') | ||||
1680 | return (IKEV2_ID_ASN1_DN9); | ||||
1681 | else if (inet_pton(AF_INET2, string, &ia) == 1) | ||||
1682 | return (IKEV2_ID_IPV41); | ||||
1683 | else if (inet_pton(AF_INET624, string, &ia) == 1) | ||||
1684 | return (IKEV2_ID_IPV65); | ||||
1685 | else if (strchr(string, '@')) | ||||
1686 | return (IKEV2_ID_UFQDN3); | ||||
1687 | else | ||||
1688 | return (IKEV2_ID_FQDN2); | ||||
1689 | } | ||||
1690 | |||||
1691 | struct ipsec_addr_wrap * | ||||
1692 | host(const char *s) | ||||
1693 | { | ||||
1694 | struct ipsec_addr_wrap *ipa = NULL((void *)0); | ||||
1695 | int mask = -1; | ||||
1696 | char *p, *ps; | ||||
1697 | const char *errstr; | ||||
1698 | |||||
1699 | if ((ps = strdup(s)) == NULL((void *)0)) | ||||
1700 | err(1, "%s: strdup", __func__); | ||||
1701 | |||||
1702 | if ((p = strchr(ps, '/')) != NULL((void *)0)) { | ||||
1703 | mask = strtonum(p+1, 0, 128, &errstr); | ||||
1704 | if (errstr) { | ||||
1705 | fprintf(stderr(&__sF[2]), "netmask is %s: %s\n", errstr, p); | ||||
1706 | goto error; | ||||
1707 | } | ||||
1708 | p[0] = '\0'; | ||||
1709 | } | ||||
1710 | |||||
1711 | if ((ipa = host_if(ps, mask)) == NULL((void *)0) && | ||||
1712 | (ipa = host_ip(ps, mask)) == NULL((void *)0) && | ||||
1713 | (ipa = host_dns(ps, mask)) == NULL((void *)0)) | ||||
1714 | fprintf(stderr(&__sF[2]), "no IP address found for %s\n", s); | ||||
1715 | |||||
1716 | error: | ||||
1717 | free(ps); | ||||
1718 | return (ipa); | ||||
1719 | } | ||||
1720 | |||||
1721 | struct ipsec_addr_wrap * | ||||
1722 | host_ip(const char *s, int mask) | ||||
1723 | { | ||||
1724 | struct ipsec_addr_wrap *ipa = NULL((void *)0); | ||||
1725 | struct addrinfo hints, *res; | ||||
1726 | char hbuf[NI_MAXHOST256]; | ||||
1727 | |||||
1728 | bzero(&hints, sizeof(struct addrinfo)); | ||||
1729 | hints.ai_family = AF_UNSPEC0; | ||||
1730 | hints.ai_socktype = SOCK_DGRAM2; /*dummy*/ | ||||
1731 | hints.ai_flags = AI_NUMERICHOST4; | ||||
1732 | if (getaddrinfo(s, NULL((void *)0), &hints, &res)) | ||||
1733 | return (NULL((void *)0)); | ||||
1734 | if (res->ai_next) | ||||
1735 | err(1, "%s: %s expanded to multiple item", __func__, s); | ||||
1736 | |||||
1737 | ipa = calloc(1, sizeof(struct ipsec_addr_wrap)); | ||||
1738 | if (ipa == NULL((void *)0)) | ||||
1739 | err(1, "%s", __func__); | ||||
1740 | ipa->af = res->ai_family; | ||||
1741 | copy_sockaddrtoipa(ipa, res->ai_addr); | ||||
1742 | ipa->next = NULL((void *)0); | ||||
1743 | ipa->tail = ipa; | ||||
1744 | |||||
1745 | set_ipmask(ipa, mask); | ||||
1746 | if (getnameinfo(res->ai_addr, res->ai_addrlen, | ||||
1747 | hbuf, sizeof(hbuf), NULL((void *)0), 0, NI_NUMERICHOST1)) { | ||||
1748 | errx(1, "could not get a numeric hostname"); | ||||
1749 | } | ||||
1750 | |||||
1751 | if (mask > -1) { | ||||
1752 | ipa->netaddress = 1; | ||||
1753 | if (asprintf(&ipa->name, "%s/%d", hbuf, mask) == -1) | ||||
1754 | err(1, "%s", __func__); | ||||
1755 | } else { | ||||
1756 | if ((ipa->name = strdup(hbuf)) == NULL((void *)0)) | ||||
1757 | err(1, "%s", __func__); | ||||
1758 | } | ||||
1759 | |||||
1760 | freeaddrinfo(res); | ||||
1761 | |||||
1762 | return (ipa); | ||||
1763 | } | ||||
1764 | |||||
1765 | struct ipsec_addr_wrap * | ||||
1766 | host_dns(const char *s, int mask) | ||||
1767 | { | ||||
1768 | struct ipsec_addr_wrap *ipa = NULL((void *)0), *head = NULL((void *)0); | ||||
1769 | struct addrinfo hints, *res0, *res; | ||||
1770 | int error; | ||||
1771 | char hbuf[NI_MAXHOST256]; | ||||
1772 | |||||
1773 | bzero(&hints, sizeof(struct addrinfo)); | ||||
1774 | hints.ai_family = PF_UNSPEC0; | ||||
1775 | hints.ai_socktype = SOCK_STREAM1; | ||||
1776 | hints.ai_flags = AI_ADDRCONFIG64; | ||||
1777 | error = getaddrinfo(s, NULL((void *)0), &hints, &res0); | ||||
1778 | if (error) | ||||
1779 | return (NULL((void *)0)); | ||||
1780 | |||||
1781 | for (res = res0; res; res = res->ai_next) { | ||||
1782 | if (res->ai_family != AF_INET2 && res->ai_family != AF_INET624) | ||||
1783 | continue; | ||||
1784 | |||||
1785 | ipa = calloc(1, sizeof(struct ipsec_addr_wrap)); | ||||
1786 | if (ipa == NULL((void *)0)) | ||||
1787 | err(1, "%s", __func__); | ||||
1788 | copy_sockaddrtoipa(ipa, res->ai_addr); | ||||
1789 | error = getnameinfo(res->ai_addr, res->ai_addrlen, hbuf, | ||||
1790 | sizeof(hbuf), NULL((void *)0), 0, NI_NUMERICHOST1); | ||||
1791 | if (error) | ||||
1792 | err(1, "host_dns: getnameinfo"); | ||||
1793 | ipa->name = strdup(hbuf); | ||||
1794 | if (ipa->name == NULL((void *)0)) | ||||
1795 | err(1, "%s", __func__); | ||||
1796 | ipa->af = res->ai_family; | ||||
1797 | ipa->next = NULL((void *)0); | ||||
1798 | ipa->tail = ipa; | ||||
1799 | if (head == NULL((void *)0)) | ||||
1800 | head = ipa; | ||||
1801 | else { | ||||
1802 | head->tail->next = ipa; | ||||
1803 | head->tail = ipa; | ||||
1804 | } | ||||
1805 | |||||
1806 | /* | ||||
1807 | * XXX for now, no netmask support for IPv6. | ||||
1808 | * but since there's no way to specify address family, once you | ||||
1809 | * have IPv6 address on a host, you cannot use dns/netmask | ||||
1810 | * syntax. | ||||
1811 | */ | ||||
1812 | if (ipa->af == AF_INET2) | ||||
1813 | set_ipmask(ipa, mask == -1 ? 32 : mask); | ||||
1814 | else | ||||
1815 | if (mask != -1) | ||||
1816 | err(1, "host_dns: cannot apply netmask " | ||||
1817 | "on non-IPv4 address"); | ||||
1818 | } | ||||
1819 | freeaddrinfo(res0); | ||||
1820 | |||||
1821 | return (head); | ||||
1822 | } | ||||
1823 | |||||
1824 | struct ipsec_addr_wrap * | ||||
1825 | host_if(const char *s, int mask) | ||||
1826 | { | ||||
1827 | struct ipsec_addr_wrap *ipa = NULL((void *)0); | ||||
1828 | |||||
1829 | if (ifa_exists(s)) | ||||
1830 | ipa = ifa_lookup(s); | ||||
1831 | |||||
1832 | return (ipa); | ||||
1833 | } | ||||
1834 | |||||
1835 | struct ipsec_addr_wrap * | ||||
1836 | host_any(void) | ||||
1837 | { | ||||
1838 | struct ipsec_addr_wrap *ipa; | ||||
1839 | |||||
1840 | ipa = calloc(1, sizeof(struct ipsec_addr_wrap)); | ||||
1841 | if (ipa == NULL((void *)0)) | ||||
1842 | err(1, "%s", __func__); | ||||
1843 | ipa->af = AF_UNSPEC0; | ||||
1844 | ipa->netaddress = 1; | ||||
1845 | ipa->tail = ipa; | ||||
1846 | ipa->type = IPSEC_ADDR_ANY(0x1); | ||||
1847 | return (ipa); | ||||
1848 | } | ||||
1849 | |||||
1850 | struct ipsec_addr_wrap * | ||||
1851 | host_dynamic(void) | ||||
1852 | { | ||||
1853 | struct ipsec_addr_wrap *ipa; | ||||
1854 | |||||
1855 | ipa = calloc(1, sizeof(struct ipsec_addr_wrap)); | ||||
1856 | if (ipa == NULL((void *)0)) | ||||
1857 | err(1, "%s", __func__); | ||||
1858 | ipa->af = AF_UNSPEC0; | ||||
1859 | ipa->tail = ipa; | ||||
1860 | ipa->type = IPSEC_ADDR_DYNAMIC(0x2); | ||||
1861 | return (ipa); | ||||
1862 | } | ||||
1863 | |||||
1864 | void | ||||
1865 | ifa_load(void) | ||||
1866 | { | ||||
1867 | struct ifaddrs *ifap, *ifa; | ||||
1868 | struct ipsec_addr_wrap *n = NULL((void *)0), *h = NULL((void *)0); | ||||
1869 | struct sockaddr_in *sa_in; | ||||
1870 | struct sockaddr_in6 *sa_in6; | ||||
1871 | |||||
1872 | if (getifaddrs(&ifap) == -1) | ||||
1873 | err(1, "ifa_load: getifaddrs"); | ||||
1874 | |||||
1875 | for (ifa = ifap; ifa; ifa = ifa->ifa_next) { | ||||
1876 | if (ifa->ifa_addr == NULL((void *)0) || | ||||
1877 | !(ifa->ifa_addr->sa_family == AF_INET2 || | ||||
1878 | ifa->ifa_addr->sa_family == AF_INET624 || | ||||
1879 | ifa->ifa_addr->sa_family == AF_LINK18)) | ||||
1880 | continue; | ||||
1881 | n = calloc(1, sizeof(struct ipsec_addr_wrap)); | ||||
1882 | if (n == NULL((void *)0)) | ||||
1883 | err(1, "%s", __func__); | ||||
1884 | n->af = ifa->ifa_addr->sa_family; | ||||
1885 | if ((n->name = strdup(ifa->ifa_name)) == NULL((void *)0)) | ||||
1886 | err(1, "%s", __func__); | ||||
1887 | if (n->af == AF_INET2) { | ||||
1888 | sa_in = (struct sockaddr_in *)ifa->ifa_addr; | ||||
1889 | memcpy(&n->address, sa_in, sizeof(*sa_in)); | ||||
1890 | sa_in = (struct sockaddr_in *)ifa->ifa_netmask; | ||||
1891 | n->mask = mask2prefixlen((struct sockaddr *)sa_in); | ||||
1892 | } else if (n->af == AF_INET624) { | ||||
1893 | sa_in6 = (struct sockaddr_in6 *)ifa->ifa_addr; | ||||
1894 | memcpy(&n->address, sa_in6, sizeof(*sa_in6)); | ||||
1895 | sa_in6 = (struct sockaddr_in6 *)ifa->ifa_netmask; | ||||
1896 | n->mask = mask2prefixlen6((struct sockaddr *)sa_in6); | ||||
1897 | } | ||||
1898 | n->next = NULL((void *)0); | ||||
1899 | n->tail = n; | ||||
1900 | if (h == NULL((void *)0)) | ||||
1901 | h = n; | ||||
1902 | else { | ||||
1903 | h->tail->next = n; | ||||
1904 | h->tail = n; | ||||
1905 | } | ||||
1906 | } | ||||
1907 | |||||
1908 | iftab = h; | ||||
1909 | freeifaddrs(ifap); | ||||
1910 | } | ||||
1911 | |||||
1912 | int | ||||
1913 | ifa_exists(const char *ifa_name) | ||||
1914 | { | ||||
1915 | struct ipsec_addr_wrap *n; | ||||
1916 | struct ifgroupreq ifgr; | ||||
1917 | int s; | ||||
1918 | |||||
1919 | if (iftab == NULL((void *)0)) | ||||
1920 | ifa_load(); | ||||
1921 | |||||
1922 | /* check wether this is a group */ | ||||
1923 | if ((s = socket(AF_INET2, SOCK_DGRAM2, 0)) == -1) | ||||
1924 | err(1, "ifa_exists: socket"); | ||||
1925 | bzero(&ifgr, sizeof(ifgr)); | ||||
1926 | strlcpy(ifgr.ifgr_name, ifa_name, sizeof(ifgr.ifgr_name)); | ||||
1927 | if (ioctl(s, SIOCGIFGMEMB(((unsigned long)0x80000000|(unsigned long)0x40000000) | ((sizeof (struct ifgroupreq) & 0x1fff) << 16) | ((('i')) << 8) | ((138))), (caddr_t)&ifgr) == 0) { | ||||
1928 | close(s); | ||||
1929 | return (1); | ||||
1930 | } | ||||
1931 | close(s); | ||||
1932 | |||||
1933 | for (n = iftab; n; n = n->next) { | ||||
1934 | if (n->af == AF_LINK18 && !strncmp(n->name, ifa_name, | ||||
1935 | IFNAMSIZ16)) | ||||
1936 | return (1); | ||||
1937 | } | ||||
1938 | |||||
1939 | return (0); | ||||
1940 | } | ||||
1941 | |||||
1942 | struct ipsec_addr_wrap * | ||||
1943 | ifa_grouplookup(const char *ifa_name) | ||||
1944 | { | ||||
1945 | struct ifg_req *ifg; | ||||
1946 | struct ifgroupreq ifgr; | ||||
1947 | int s; | ||||
1948 | size_t len; | ||||
1949 | struct ipsec_addr_wrap *n, *h = NULL((void *)0), *hn; | ||||
1950 | |||||
1951 | if ((s = socket(AF_INET2, SOCK_DGRAM2, 0)) == -1) | ||||
1952 | err(1, "socket"); | ||||
1953 | bzero(&ifgr, sizeof(ifgr)); | ||||
1954 | strlcpy(ifgr.ifgr_name, ifa_name, sizeof(ifgr.ifgr_name)); | ||||
1955 | if (ioctl(s, SIOCGIFGMEMB(((unsigned long)0x80000000|(unsigned long)0x40000000) | ((sizeof (struct ifgroupreq) & 0x1fff) << 16) | ((('i')) << 8) | ((138))), (caddr_t)&ifgr) == -1) { | ||||
1956 | close(s); | ||||
1957 | return (NULL((void *)0)); | ||||
1958 | } | ||||
1959 | |||||
1960 | len = ifgr.ifgr_len; | ||||
1961 | if ((ifgr.ifgr_groupsifgr_ifgru.ifgru_groups = calloc(1, len)) == NULL((void *)0)) | ||||
1962 | err(1, "%s", __func__); | ||||
1963 | if (ioctl(s, SIOCGIFGMEMB(((unsigned long)0x80000000|(unsigned long)0x40000000) | ((sizeof (struct ifgroupreq) & 0x1fff) << 16) | ((('i')) << 8) | ((138))), (caddr_t)&ifgr) == -1) | ||||
1964 | err(1, "ioctl"); | ||||
1965 | |||||
1966 | for (ifg = ifgr.ifgr_groupsifgr_ifgru.ifgru_groups; ifg && len >= sizeof(struct ifg_req); | ||||
1967 | ifg++) { | ||||
1968 | len -= sizeof(struct ifg_req); | ||||
1969 | if ((n = ifa_lookup(ifg->ifgrq_memberifgrq_ifgrqu.ifgrqu_member)) == NULL((void *)0)) | ||||
1970 | continue; | ||||
1971 | if (h == NULL((void *)0)) | ||||
1972 | h = n; | ||||
1973 | else { | ||||
1974 | for (hn = h; hn->next != NULL((void *)0); hn = hn->next) | ||||
1975 | ; /* nothing */ | ||||
1976 | hn->next = n; | ||||
1977 | n->tail = hn; | ||||
1978 | } | ||||
1979 | } | ||||
1980 | free(ifgr.ifgr_groupsifgr_ifgru.ifgru_groups); | ||||
1981 | close(s); | ||||
1982 | |||||
1983 | return (h); | ||||
1984 | } | ||||
1985 | |||||
1986 | struct ipsec_addr_wrap * | ||||
1987 | ifa_lookup(const char *ifa_name) | ||||
1988 | { | ||||
1989 | struct ipsec_addr_wrap *p = NULL((void *)0), *h = NULL((void *)0), *n = NULL((void *)0); | ||||
1990 | struct sockaddr_in6 *in6; | ||||
1991 | uint8_t *s6; | ||||
1992 | |||||
1993 | if (iftab == NULL((void *)0)) | ||||
1994 | ifa_load(); | ||||
1995 | |||||
1996 | if ((n = ifa_grouplookup(ifa_name)) != NULL((void *)0)) | ||||
1997 | return (n); | ||||
1998 | |||||
1999 | for (p = iftab; p; p = p->next) { | ||||
2000 | if (p->af != AF_INET2 && p->af != AF_INET624) | ||||
2001 | continue; | ||||
2002 | if (strncmp(p->name, ifa_name, IFNAMSIZ16)) | ||||
2003 | continue; | ||||
2004 | n = calloc(1, sizeof(struct ipsec_addr_wrap)); | ||||
2005 | if (n == NULL((void *)0)) | ||||
2006 | err(1, "%s", __func__); | ||||
2007 | memcpy(n, p, sizeof(struct ipsec_addr_wrap)); | ||||
2008 | if ((n->name = strdup(p->name)) == NULL((void *)0)) | ||||
2009 | err(1, "%s", __func__); | ||||
2010 | switch (n->af) { | ||||
2011 | case AF_INET2: | ||||
2012 | set_ipmask(n, 32); | ||||
2013 | break; | ||||
2014 | case AF_INET624: | ||||
2015 | in6 = (struct sockaddr_in6 *)&n->address; | ||||
2016 | s6 = (uint8_t *)&in6->sin6_addr.s6_addr__u6_addr.__u6_addr8; | ||||
2017 | |||||
2018 | /* route/show.c and bgpd/util.c give KAME credit */ | ||||
2019 | if (IN6_IS_ADDR_LINKLOCAL(&in6->sin6_addr)(((&in6->sin6_addr)->__u6_addr.__u6_addr8[0] == 0xfe ) && (((&in6->sin6_addr)->__u6_addr.__u6_addr8 [1] & 0xc0) == 0x80))) { | ||||
2020 | uint16_t tmp16; | ||||
2021 | |||||
2022 | /* for now we can not handle link local, | ||||
2023 | * therefore bail for now | ||||
2024 | */ | ||||
2025 | free(n->name); | ||||
2026 | free(n); | ||||
2027 | continue; | ||||
2028 | |||||
2029 | memcpy(&tmp16, &s6[2], sizeof(tmp16)); | ||||
2030 | /* use this when we support link-local | ||||
2031 | * n->??.scopeid = ntohs(tmp16); | ||||
2032 | */ | ||||
2033 | s6[2] = 0; | ||||
2034 | s6[3] = 0; | ||||
2035 | } | ||||
2036 | set_ipmask(n, 128); | ||||
2037 | break; | ||||
2038 | } | ||||
2039 | |||||
2040 | n->next = NULL((void *)0); | ||||
2041 | n->tail = n; | ||||
2042 | if (h == NULL((void *)0)) | ||||
2043 | h = n; | ||||
2044 | else { | ||||
2045 | h->tail->next = n; | ||||
2046 | h->tail = n; | ||||
2047 | } | ||||
2048 | } | ||||
2049 | |||||
2050 | return (h); | ||||
2051 | } | ||||
2052 | |||||
2053 | void | ||||
2054 | set_ipmask(struct ipsec_addr_wrap *address, int b) | ||||
2055 | { | ||||
2056 | if (b == -1) | ||||
2057 | address->mask = address->af == AF_INET2 ? 32 : 128; | ||||
2058 | else | ||||
2059 | address->mask = b; | ||||
2060 | } | ||||
2061 | |||||
2062 | const struct ipsec_xf * | ||||
2063 | parse_xf(const char *name, unsigned int length, const struct ipsec_xf xfs[]) | ||||
2064 | { | ||||
2065 | int i; | ||||
2066 | |||||
2067 | for (i = 0; xfs[i].name != NULL((void *)0); i++) { | ||||
2068 | if (strncmp(name, xfs[i].name, strlen(name))) | ||||
2069 | continue; | ||||
2070 | if (length == 0 || length == xfs[i].length) | ||||
2071 | return &xfs[i]; | ||||
2072 | } | ||||
2073 | return (NULL((void *)0)); | ||||
2074 | } | ||||
2075 | |||||
2076 | int | ||||
2077 | encxf_noauth(unsigned int id) | ||||
2078 | { | ||||
2079 | int i; | ||||
2080 | |||||
2081 | for (i = 0; ikeencxfs[i].name != NULL((void *)0); i++) | ||||
2082 | if (ikeencxfs[i].id == id) | ||||
2083 | return ikeencxfs[i].noauth; | ||||
2084 | return (0); | ||||
2085 | } | ||||
2086 | |||||
2087 | size_t | ||||
2088 | keylength_xf(unsigned int saproto, unsigned int type, unsigned int id) | ||||
2089 | { | ||||
2090 | int i; | ||||
2091 | const struct ipsec_xf *xfs; | ||||
2092 | |||||
2093 | switch (type) { | ||||
2094 | case IKEV2_XFORMTYPE_ENCR1: | ||||
2095 | if (saproto == IKEV2_SAPROTO_IKE1) | ||||
2096 | xfs = ikeencxfs; | ||||
2097 | else | ||||
2098 | xfs = ipsecencxfs; | ||||
2099 | break; | ||||
2100 | case IKEV2_XFORMTYPE_INTEGR3: | ||||
2101 | xfs = authxfs; | ||||
2102 | break; | ||||
2103 | default: | ||||
2104 | return (0); | ||||
2105 | } | ||||
2106 | |||||
2107 | for (i = 0; xfs[i].name != NULL((void *)0); i++) { | ||||
2108 | if (xfs[i].id == id) | ||||
2109 | return (xfs[i].length * 8); | ||||
2110 | } | ||||
2111 | return (0); | ||||
2112 | } | ||||
2113 | |||||
2114 | size_t | ||||
2115 | noncelength_xf(unsigned int type, unsigned int id) | ||||
2116 | { | ||||
2117 | const struct ipsec_xf *xfs = ipsecencxfs; | ||||
2118 | int i; | ||||
2119 | |||||
2120 | if (type != IKEV2_XFORMTYPE_ENCR1) | ||||
2121 | return (0); | ||||
2122 | |||||
2123 | for (i = 0; xfs[i].name != NULL((void *)0); i++) | ||||
2124 | if (xfs[i].id == id) | ||||
2125 | return (xfs[i].nonce * 8); | ||||
2126 | return (0); | ||||
2127 | } | ||||
2128 | |||||
2129 | void | ||||
2130 | copy_transforms(unsigned int type, | ||||
2131 | const struct ipsec_xf **xfs, unsigned int nxfs, | ||||
2132 | struct iked_transform **dst, unsigned int *ndst, | ||||
2133 | struct iked_transform *src, size_t nsrc) | ||||
2134 | { | ||||
2135 | unsigned int i; | ||||
2136 | struct iked_transform *a, *b; | ||||
2137 | const struct ipsec_xf *xf; | ||||
2138 | |||||
2139 | if (nxfs) { | ||||
2140 | for (i = 0; i < nxfs; i++) { | ||||
2141 | xf = xfs[i]; | ||||
2142 | *dst = recallocarray(*dst, *ndst, | ||||
2143 | *ndst + 1, sizeof(struct iked_transform)); | ||||
2144 | if (*dst == NULL((void *)0)) | ||||
2145 | err(1, "%s", __func__); | ||||
2146 | b = *dst + (*ndst)++; | ||||
2147 | |||||
2148 | b->xform_type = type; | ||||
2149 | b->xform_id = xf->id; | ||||
2150 | b->xform_keylength = xf->length * 8; | ||||
2151 | b->xform_length = xf->keylength * 8; | ||||
2152 | } | ||||
2153 | return; | ||||
2154 | } | ||||
2155 | |||||
2156 | for (i = 0; i < nsrc; i++) { | ||||
2157 | a = src + i; | ||||
2158 | if (a->xform_type != type) | ||||
2159 | continue; | ||||
2160 | *dst = recallocarray(*dst, *ndst, | ||||
2161 | *ndst + 1, sizeof(struct iked_transform)); | ||||
2162 | if (*dst == NULL((void *)0)) | ||||
2163 | err(1, "%s", __func__); | ||||
2164 | b = *dst + (*ndst)++; | ||||
2165 | memcpy(b, a, sizeof(*b)); | ||||
2166 | } | ||||
2167 | } | ||||
2168 | |||||
2169 | int | ||||
2170 | create_ike(char *name, int af, struct ipsec_addr_wrap *ipproto, | ||||
2171 | int rdomain, struct ipsec_hosts *hosts, | ||||
2172 | struct ipsec_hosts *peers, struct ipsec_mode *ike_sa, | ||||
2173 | struct ipsec_mode *ipsec_sa, uint8_t saproto, | ||||
2174 | uint8_t flags, char *srcid, char *dstid, | ||||
2175 | uint32_t ikelifetime, struct iked_lifetime *lt, | ||||
2176 | struct iked_auth *authtype, struct ipsec_filters *filter, | ||||
2177 | struct ipsec_addr_wrap *ikecfg, char *iface) | ||||
2178 | { | ||||
2179 | char idstr[IKED_ID_SIZE1024]; | ||||
2180 | struct ipsec_addr_wrap *ipa, *ipb, *ipp; | ||||
2181 | struct iked_auth *ikeauth; | ||||
2182 | struct iked_policy pol; | ||||
2183 | struct iked_proposal *p, *ptmp; | ||||
2184 | struct iked_transform *xf; | ||||
2185 | unsigned int i, j, xfi, noauth, auth; | ||||
2186 | unsigned int ikepropid = 1, ipsecpropid = 1; | ||||
2187 | struct iked_flow *flow, *ftmp; | ||||
2188 | static unsigned int policy_id = 0; | ||||
2189 | struct iked_cfg *cfg; | ||||
2190 | int ret = -1; | ||||
2191 | |||||
2192 | bzero(&pol, sizeof(pol)); | ||||
2193 | bzero(idstr, sizeof(idstr)); | ||||
2194 | |||||
2195 | pol.pol_id = ++policy_id; | ||||
2196 | pol.pol_certreqtype = env->sc_certreqtype; | ||||
2197 | pol.pol_af = af; | ||||
2198 | pol.pol_saproto = saproto; | ||||
2199 | for (i = 0, ipp = ipproto; ipp; ipp = ipp->next, i++) { | ||||
2200 | if (i >= IKED_IPPROTO_MAX16) { | ||||
2201 | yyerror("too many protocols"); | ||||
2202 | return (-1); | ||||
2203 | } | ||||
2204 | pol.pol_ipproto[i] = ipp->type; | ||||
2205 | pol.pol_nipproto++; | ||||
2206 | } | ||||
2207 | |||||
2208 | pol.pol_flags = flags; | ||||
2209 | pol.pol_rdomain = rdomain; | ||||
2210 | memcpy(&pol.pol_auth, authtype, sizeof(struct iked_auth)); | ||||
2211 | explicit_bzero(authtype, sizeof(*authtype)); | ||||
2212 | |||||
2213 | if (name != NULL((void *)0)) { | ||||
2214 | if (strlcpy(pol.pol_name, name, | ||||
2215 | sizeof(pol.pol_name)) >= sizeof(pol.pol_name)) { | ||||
2216 | yyerror("name too long"); | ||||
2217 | return (-1); | ||||
2218 | } | ||||
2219 | } else { | ||||
2220 | snprintf(pol.pol_name, sizeof(pol.pol_name), | ||||
2221 | "policy%d", policy_id); | ||||
2222 | } | ||||
2223 | |||||
2224 | if (iface != NULL((void *)0)) { | ||||
2225 | /* sec(4) */ | ||||
2226 | if (strncmp("sec", iface, strlen("sec")) == 0) | ||||
2227 | pol.pol_flags |= IKED_POLICY_ROUTING0x80; | ||||
2228 | |||||
2229 | pol.pol_iface = if_nametoindex(iface); | ||||
2230 | if (pol.pol_iface == 0) { | ||||
2231 | yyerror("invalid iface"); | ||||
2232 | return (-1); | ||||
2233 | } | ||||
2234 | } | ||||
2235 | |||||
2236 | if (srcid) { | ||||
2237 | pol.pol_localid.id_type = get_id_type(srcid); | ||||
2238 | pol.pol_localid.id_length = strlen(srcid); | ||||
2239 | if (strlcpy((char *)pol.pol_localid.id_data, | ||||
2240 | srcid, IKED_ID_SIZE1024) >= IKED_ID_SIZE1024) { | ||||
2241 | yyerror("srcid too long"); | ||||
2242 | return (-1); | ||||
2243 | } | ||||
2244 | } | ||||
2245 | if (dstid) { | ||||
2246 | pol.pol_peerid.id_type = get_id_type(dstid); | ||||
2247 | pol.pol_peerid.id_length = strlen(dstid); | ||||
2248 | if (strlcpy((char *)pol.pol_peerid.id_data, | ||||
2249 | dstid, IKED_ID_SIZE1024) >= IKED_ID_SIZE1024) { | ||||
2250 | yyerror("dstid too long"); | ||||
2251 | return (-1); | ||||
2252 | } | ||||
2253 | } | ||||
2254 | |||||
2255 | if (filter != NULL((void *)0)) { | ||||
2256 | if (filter->tag) | ||||
2257 | strlcpy(pol.pol_tag, filter->tag, sizeof(pol.pol_tag)); | ||||
2258 | pol.pol_tap = filter->tap; | ||||
2259 | } | ||||
2260 | |||||
2261 | if (peers == NULL((void *)0)) { | ||||
2262 | if (pol.pol_flags & IKED_POLICY_ACTIVE0x02) { | ||||
2263 | yyerror("active mode requires peer specification"); | ||||
2264 | return (-1); | ||||
2265 | } | ||||
2266 | pol.pol_flags |= IKED_POLICY_DEFAULT0x01|IKED_POLICY_SKIP0x10; | ||||
2267 | } | ||||
2268 | |||||
2269 | if (peers && peers->src && peers->dst && | ||||
2270 | (peers->src->af != AF_UNSPEC0) && (peers->dst->af != AF_UNSPEC0) && | ||||
2271 | (peers->src->af != peers->dst->af)) | ||||
2272 | fatalx("create_ike: peer address family mismatch"); | ||||
2273 | |||||
2274 | if (peers && (pol.pol_af != AF_UNSPEC0) && | ||||
2275 | ((peers->src && (peers->src->af != AF_UNSPEC0) && | ||||
2276 | (peers->src->af != pol.pol_af)) || | ||||
2277 | (peers->dst && (peers->dst->af != AF_UNSPEC0) && | ||||
2278 | (peers->dst->af != pol.pol_af)))) | ||||
2279 | fatalx("create_ike: policy address family mismatch"); | ||||
2280 | |||||
2281 | ipa = ipb = NULL((void *)0); | ||||
2282 | if (peers) { | ||||
2283 | if (peers->src) | ||||
2284 | ipa = peers->src; | ||||
2285 | if (peers->dst) | ||||
2286 | ipb = peers->dst; | ||||
2287 | if (ipa == NULL((void *)0) && ipb == NULL((void *)0)) { | ||||
2288 | if (hosts->src && hosts->src->next == NULL((void *)0)) | ||||
2289 | ipa = hosts->src; | ||||
2290 | if (hosts->dst && hosts->dst->next == NULL((void *)0)) | ||||
2291 | ipb = hosts->dst; | ||||
2292 | } | ||||
2293 | } | ||||
2294 | if (ipa == NULL((void *)0) && ipb == NULL((void *)0)) { | ||||
2295 | yyerror("could not get local/peer specification"); | ||||
2296 | return (-1); | ||||
2297 | } | ||||
2298 | if (pol.pol_flags & IKED_POLICY_ACTIVE0x02) { | ||||
2299 | if (ipb == NULL((void *)0) || ipb->netaddress || | ||||
2300 | (ipa != NULL((void *)0) && ipa->netaddress)) { | ||||
2301 | yyerror("active mode requires local/peer address"); | ||||
2302 | return (-1); | ||||
2303 | } | ||||
2304 | } | ||||
2305 | if (ipa) { | ||||
2306 | memcpy(&pol.pol_local.addr, &ipa->address, | ||||
2307 | sizeof(ipa->address)); | ||||
2308 | pol.pol_local.addr_af = ipa->af; | ||||
2309 | pol.pol_local.addr_mask = ipa->mask; | ||||
2310 | pol.pol_local.addr_net = ipa->netaddress; | ||||
2311 | if (pol.pol_af == AF_UNSPEC0) | ||||
2312 | pol.pol_af = ipa->af; | ||||
2313 | } | ||||
2314 | if (ipb) { | ||||
2315 | memcpy(&pol.pol_peer.addr, &ipb->address, | ||||
2316 | sizeof(ipb->address)); | ||||
2317 | pol.pol_peer.addr_af = ipb->af; | ||||
2318 | pol.pol_peer.addr_mask = ipb->mask; | ||||
2319 | pol.pol_peer.addr_net = ipb->netaddress; | ||||
2320 | if (pol.pol_af == AF_UNSPEC0) | ||||
2321 | pol.pol_af = ipb->af; | ||||
2322 | } | ||||
2323 | |||||
2324 | if (ikelifetime) | ||||
2325 | pol.pol_rekey = ikelifetime; | ||||
2326 | |||||
2327 | if (lt) | ||||
2328 | pol.pol_lifetime = *lt; | ||||
2329 | else | ||||
2330 | pol.pol_lifetime = deflifetime; | ||||
2331 | |||||
2332 | TAILQ_INIT(&pol.pol_proposals)do { (&pol.pol_proposals)->tqh_first = ((void *)0); (& pol.pol_proposals)->tqh_last = &(&pol.pol_proposals )->tqh_first; } while (0); | ||||
2333 | RB_INIT(&pol.pol_flows)do { (&pol.pol_flows)->rbh_root = ((void *)0); } while (0); | ||||
2334 | |||||
2335 | if (ike_sa == NULL((void *)0) || ike_sa->nxfs == 0) { | ||||
2336 | /* AES-GCM proposal */ | ||||
2337 | if ((p = calloc(1, sizeof(*p))) == NULL((void *)0)) | ||||
2338 | err(1, "%s", __func__); | ||||
2339 | p->prop_id = ikepropid++; | ||||
2340 | p->prop_protoid = IKEV2_SAPROTO_IKE1; | ||||
2341 | p->prop_nxforms = ikev2_default_nike_transforms_noauth; | ||||
2342 | p->prop_xforms = ikev2_default_ike_transforms_noauth; | ||||
2343 | TAILQ_INSERT_TAIL(&pol.pol_proposals, p, prop_entry)do { (p)->prop_entry.tqe_next = ((void *)0); (p)->prop_entry .tqe_prev = (&pol.pol_proposals)->tqh_last; *(&pol .pol_proposals)->tqh_last = (p); (&pol.pol_proposals)-> tqh_last = &(p)->prop_entry.tqe_next; } while (0); | ||||
2344 | pol.pol_nproposals++; | ||||
2345 | |||||
2346 | /* Non GCM proposal */ | ||||
2347 | if ((p = calloc(1, sizeof(*p))) == NULL((void *)0)) | ||||
2348 | err(1, "%s", __func__); | ||||
2349 | p->prop_id = ikepropid++; | ||||
2350 | p->prop_protoid = IKEV2_SAPROTO_IKE1; | ||||
2351 | p->prop_nxforms = ikev2_default_nike_transforms; | ||||
2352 | p->prop_xforms = ikev2_default_ike_transforms; | ||||
2353 | TAILQ_INSERT_TAIL(&pol.pol_proposals, p, prop_entry)do { (p)->prop_entry.tqe_next = ((void *)0); (p)->prop_entry .tqe_prev = (&pol.pol_proposals)->tqh_last; *(&pol .pol_proposals)->tqh_last = (p); (&pol.pol_proposals)-> tqh_last = &(p)->prop_entry.tqe_next; } while (0); | ||||
2354 | pol.pol_nproposals++; | ||||
2355 | } else { | ||||
2356 | for (i = 0; i < ike_sa->nxfs; i++) { | ||||
2357 | noauth = auth = 0; | ||||
2358 | for (j = 0; j < ike_sa->xfs[i]->nencxf; j++) { | ||||
2359 | if (ike_sa->xfs[i]->encxf[j]->noauth) | ||||
2360 | noauth++; | ||||
2361 | else | ||||
2362 | auth++; | ||||
2363 | } | ||||
2364 | for (j = 0; j < ike_sa->xfs[i]->ngroupxf; j++) { | ||||
2365 | if (ike_sa->xfs[i]->groupxf[j]->id | ||||
2366 | == IKEV2_XFORMDH_NONE0) { | ||||
2367 | yyerror("IKE group can not be \"none\"."); | ||||
2368 | goto done; | ||||
2369 | } | ||||
2370 | } | ||||
2371 | if (ike_sa->xfs[i]->nauthxf) | ||||
2372 | auth++; | ||||
2373 | |||||
2374 | if (ike_sa->xfs[i]->nesnxf) { | ||||
2375 | yyerror("cannot use ESN with ikesa."); | ||||
2376 | goto done; | ||||
2377 | } | ||||
2378 | if (noauth && noauth != ike_sa->xfs[i]->nencxf) { | ||||
2379 | yyerror("cannot mix encryption transforms with " | ||||
2380 | "implicit and non-implicit authentication"); | ||||
2381 | goto done; | ||||
2382 | } | ||||
2383 | if (noauth && ike_sa->xfs[i]->nauthxf) { | ||||
2384 | yyerror("authentication is implicit for given " | ||||
2385 | "encryption transforms"); | ||||
2386 | goto done; | ||||
2387 | } | ||||
2388 | |||||
2389 | if (!auth) { | ||||
2390 | if ((p = calloc(1, sizeof(*p))) == NULL((void *)0)) | ||||
2391 | err(1, "%s", __func__); | ||||
2392 | |||||
2393 | xf = NULL((void *)0); | ||||
2394 | xfi = 0; | ||||
2395 | copy_transforms(IKEV2_XFORMTYPE_ENCR1, | ||||
2396 | ike_sa->xfs[i]->encxf, | ||||
2397 | ike_sa->xfs[i]->nencxf, &xf, &xfi, | ||||
2398 | ikev2_default_ike_transforms_noauth, | ||||
2399 | ikev2_default_nike_transforms_noauth); | ||||
2400 | copy_transforms(IKEV2_XFORMTYPE_DH4, | ||||
2401 | ike_sa->xfs[i]->groupxf, | ||||
2402 | ike_sa->xfs[i]->ngroupxf, &xf, &xfi, | ||||
2403 | ikev2_default_ike_transforms_noauth, | ||||
2404 | ikev2_default_nike_transforms_noauth); | ||||
2405 | copy_transforms(IKEV2_XFORMTYPE_PRF2, | ||||
2406 | ike_sa->xfs[i]->prfxf, | ||||
2407 | ike_sa->xfs[i]->nprfxf, &xf, &xfi, | ||||
2408 | ikev2_default_ike_transforms_noauth, | ||||
2409 | ikev2_default_nike_transforms_noauth); | ||||
2410 | |||||
2411 | p->prop_id = ikepropid++; | ||||
2412 | p->prop_protoid = IKEV2_SAPROTO_IKE1; | ||||
2413 | p->prop_xforms = xf; | ||||
2414 | p->prop_nxforms = xfi; | ||||
2415 | TAILQ_INSERT_TAIL(&pol.pol_proposals, p, prop_entry)do { (p)->prop_entry.tqe_next = ((void *)0); (p)->prop_entry .tqe_prev = (&pol.pol_proposals)->tqh_last; *(&pol .pol_proposals)->tqh_last = (p); (&pol.pol_proposals)-> tqh_last = &(p)->prop_entry.tqe_next; } while (0); | ||||
2416 | pol.pol_nproposals++; | ||||
2417 | } | ||||
2418 | if (!noauth) { | ||||
2419 | if ((p = calloc(1, sizeof(*p))) == NULL((void *)0)) | ||||
2420 | err(1, "%s", __func__); | ||||
2421 | |||||
2422 | xf = NULL((void *)0); | ||||
2423 | xfi = 0; | ||||
2424 | copy_transforms(IKEV2_XFORMTYPE_INTEGR3, | ||||
2425 | ike_sa->xfs[i]->authxf, | ||||
2426 | ike_sa->xfs[i]->nauthxf, &xf, &xfi, | ||||
2427 | ikev2_default_ike_transforms, | ||||
2428 | ikev2_default_nike_transforms); | ||||
2429 | copy_transforms(IKEV2_XFORMTYPE_ENCR1, | ||||
2430 | ike_sa->xfs[i]->encxf, | ||||
2431 | ike_sa->xfs[i]->nencxf, &xf, &xfi, | ||||
2432 | ikev2_default_ike_transforms, | ||||
2433 | ikev2_default_nike_transforms); | ||||
2434 | copy_transforms(IKEV2_XFORMTYPE_DH4, | ||||
2435 | ike_sa->xfs[i]->groupxf, | ||||
2436 | ike_sa->xfs[i]->ngroupxf, &xf, &xfi, | ||||
2437 | ikev2_default_ike_transforms, | ||||
2438 | ikev2_default_nike_transforms); | ||||
2439 | copy_transforms(IKEV2_XFORMTYPE_PRF2, | ||||
2440 | ike_sa->xfs[i]->prfxf, | ||||
2441 | ike_sa->xfs[i]->nprfxf, &xf, &xfi, | ||||
2442 | ikev2_default_ike_transforms, | ||||
2443 | ikev2_default_nike_transforms); | ||||
2444 | |||||
2445 | p->prop_id = ikepropid++; | ||||
2446 | p->prop_protoid = IKEV2_SAPROTO_IKE1; | ||||
2447 | p->prop_xforms = xf; | ||||
2448 | p->prop_nxforms = xfi; | ||||
2449 | TAILQ_INSERT_TAIL(&pol.pol_proposals, p, prop_entry)do { (p)->prop_entry.tqe_next = ((void *)0); (p)->prop_entry .tqe_prev = (&pol.pol_proposals)->tqh_last; *(&pol .pol_proposals)->tqh_last = (p); (&pol.pol_proposals)-> tqh_last = &(p)->prop_entry.tqe_next; } while (0); | ||||
2450 | pol.pol_nproposals++; | ||||
2451 | } | ||||
2452 | } | ||||
2453 | } | ||||
2454 | |||||
2455 | if (ipsec_sa == NULL((void *)0) || ipsec_sa->nxfs == 0) { | ||||
2456 | if ((p = calloc(1, sizeof(*p))) == NULL((void *)0)) | ||||
2457 | err(1, "%s", __func__); | ||||
2458 | p->prop_id = ipsecpropid++; | ||||
2459 | p->prop_protoid = saproto; | ||||
2460 | p->prop_nxforms = ikev2_default_nesp_transforms_noauth; | ||||
2461 | p->prop_xforms = ikev2_default_esp_transforms_noauth; | ||||
2462 | TAILQ_INSERT_TAIL(&pol.pol_proposals, p, prop_entry)do { (p)->prop_entry.tqe_next = ((void *)0); (p)->prop_entry .tqe_prev = (&pol.pol_proposals)->tqh_last; *(&pol .pol_proposals)->tqh_last = (p); (&pol.pol_proposals)-> tqh_last = &(p)->prop_entry.tqe_next; } while (0); | ||||
2463 | pol.pol_nproposals++; | ||||
2464 | |||||
2465 | if ((p = calloc(1, sizeof(*p))) == NULL((void *)0)) | ||||
2466 | err(1, "%s", __func__); | ||||
2467 | p->prop_id = ipsecpropid++; | ||||
2468 | p->prop_protoid = saproto; | ||||
2469 | p->prop_nxforms = ikev2_default_nesp_transforms; | ||||
2470 | p->prop_xforms = ikev2_default_esp_transforms; | ||||
2471 | TAILQ_INSERT_TAIL(&pol.pol_proposals, p, prop_entry)do { (p)->prop_entry.tqe_next = ((void *)0); (p)->prop_entry .tqe_prev = (&pol.pol_proposals)->tqh_last; *(&pol .pol_proposals)->tqh_last = (p); (&pol.pol_proposals)-> tqh_last = &(p)->prop_entry.tqe_next; } while (0); | ||||
2472 | pol.pol_nproposals++; | ||||
2473 | } else { | ||||
2474 | for (i = 0; i < ipsec_sa->nxfs; i++) { | ||||
2475 | noauth = auth = 0; | ||||
2476 | for (j = 0; j < ipsec_sa->xfs[i]->nencxf; j++) { | ||||
2477 | if (ipsec_sa->xfs[i]->encxf[j]->noauth) | ||||
2478 | noauth++; | ||||
2479 | else | ||||
2480 | auth++; | ||||
2481 | } | ||||
2482 | if (ipsec_sa->xfs[i]->nauthxf) | ||||
2483 | auth++; | ||||
2484 | |||||
2485 | if (noauth && noauth != ipsec_sa->xfs[i]->nencxf) { | ||||
2486 | yyerror("cannot mix encryption transforms with " | ||||
2487 | "implicit and non-implicit authentication"); | ||||
2488 | goto done; | ||||
2489 | } | ||||
2490 | if (noauth && ipsec_sa->xfs[i]->nauthxf) { | ||||
2491 | yyerror("authentication is implicit for given " | ||||
2492 | "encryption transforms"); | ||||
2493 | goto done; | ||||
2494 | } | ||||
2495 | |||||
2496 | if (!auth) { | ||||
2497 | if ((p = calloc(1, sizeof(*p))) == NULL((void *)0)) | ||||
2498 | err(1, "%s", __func__); | ||||
2499 | |||||
2500 | xf = NULL((void *)0); | ||||
2501 | xfi = 0; | ||||
2502 | copy_transforms(IKEV2_XFORMTYPE_ENCR1, | ||||
2503 | ipsec_sa->xfs[i]->encxf, | ||||
2504 | ipsec_sa->xfs[i]->nencxf, &xf, &xfi, | ||||
2505 | ikev2_default_esp_transforms_noauth, | ||||
2506 | ikev2_default_nesp_transforms_noauth); | ||||
2507 | copy_transforms(IKEV2_XFORMTYPE_DH4, | ||||
2508 | ipsec_sa->xfs[i]->groupxf, | ||||
2509 | ipsec_sa->xfs[i]->ngroupxf, &xf, &xfi, | ||||
2510 | ikev2_default_esp_transforms_noauth, | ||||
2511 | ikev2_default_nesp_transforms_noauth); | ||||
2512 | copy_transforms(IKEV2_XFORMTYPE_ESN5, | ||||
2513 | ipsec_sa->xfs[i]->esnxf, | ||||
2514 | ipsec_sa->xfs[i]->nesnxf, &xf, &xfi, | ||||
2515 | ikev2_default_esp_transforms_noauth, | ||||
2516 | ikev2_default_nesp_transforms_noauth); | ||||
2517 | |||||
2518 | p->prop_id = ipsecpropid++; | ||||
2519 | p->prop_protoid = saproto; | ||||
2520 | p->prop_xforms = xf; | ||||
2521 | p->prop_nxforms = xfi; | ||||
2522 | TAILQ_INSERT_TAIL(&pol.pol_proposals, p, prop_entry)do { (p)->prop_entry.tqe_next = ((void *)0); (p)->prop_entry .tqe_prev = (&pol.pol_proposals)->tqh_last; *(&pol .pol_proposals)->tqh_last = (p); (&pol.pol_proposals)-> tqh_last = &(p)->prop_entry.tqe_next; } while (0); | ||||
2523 | pol.pol_nproposals++; | ||||
2524 | } | ||||
2525 | if (!noauth) { | ||||
2526 | if ((p = calloc(1, sizeof(*p))) == NULL((void *)0)) | ||||
2527 | err(1, "%s", __func__); | ||||
2528 | |||||
2529 | xf = NULL((void *)0); | ||||
2530 | xfi = 0; | ||||
2531 | copy_transforms(IKEV2_XFORMTYPE_INTEGR3, | ||||
2532 | ipsec_sa->xfs[i]->authxf, | ||||
2533 | ipsec_sa->xfs[i]->nauthxf, &xf, &xfi, | ||||
2534 | ikev2_default_esp_transforms, | ||||
2535 | ikev2_default_nesp_transforms); | ||||
2536 | copy_transforms(IKEV2_XFORMTYPE_ENCR1, | ||||
2537 | ipsec_sa->xfs[i]->encxf, | ||||
2538 | ipsec_sa->xfs[i]->nencxf, &xf, &xfi, | ||||
2539 | ikev2_default_esp_transforms, | ||||
2540 | ikev2_default_nesp_transforms); | ||||
2541 | copy_transforms(IKEV2_XFORMTYPE_DH4, | ||||
2542 | ipsec_sa->xfs[i]->groupxf, | ||||
2543 | ipsec_sa->xfs[i]->ngroupxf, &xf, &xfi, | ||||
2544 | ikev2_default_esp_transforms, | ||||
2545 | ikev2_default_nesp_transforms); | ||||
2546 | copy_transforms(IKEV2_XFORMTYPE_ESN5, | ||||
2547 | ipsec_sa->xfs[i]->esnxf, | ||||
2548 | ipsec_sa->xfs[i]->nesnxf, &xf, &xfi, | ||||
2549 | ikev2_default_esp_transforms, | ||||
2550 | ikev2_default_nesp_transforms); | ||||
2551 | |||||
2552 | p->prop_id = ipsecpropid++; | ||||
2553 | p->prop_protoid = saproto; | ||||
2554 | p->prop_xforms = xf; | ||||
2555 | p->prop_nxforms = xfi; | ||||
2556 | TAILQ_INSERT_TAIL(&pol.pol_proposals, p, prop_entry)do { (p)->prop_entry.tqe_next = ((void *)0); (p)->prop_entry .tqe_prev = (&pol.pol_proposals)->tqh_last; *(&pol .pol_proposals)->tqh_last = (p); (&pol.pol_proposals)-> tqh_last = &(p)->prop_entry.tqe_next; } while (0); | ||||
2557 | pol.pol_nproposals++; | ||||
2558 | } | ||||
2559 | } | ||||
2560 | } | ||||
2561 | |||||
2562 | for (ipa = hosts->src, ipb = hosts->dst; ipa && ipb; | ||||
2563 | ipa = ipa->next, ipb = ipb->next) { | ||||
2564 | for (j = 0; j < pol.pol_nipproto; j++) | ||||
2565 | if (expand_flows(&pol, pol.pol_ipproto[j], ipa, ipb)) | ||||
2566 | fatalx("create_ike: invalid flow"); | ||||
2567 | if (pol.pol_nipproto == 0) | ||||
2568 | if (expand_flows(&pol, 0, ipa, ipb)) | ||||
2569 | fatalx("create_ike: invalid flow"); | ||||
2570 | } | ||||
2571 | |||||
2572 | for (j = 0, ipa = ikecfg; ipa; ipa = ipa->next, j++) { | ||||
2573 | if (j >= IKED_CFG_MAX16) | ||||
2574 | break; | ||||
2575 | cfg = &pol.pol_cfg[j]; | ||||
2576 | pol.pol_ncfg++; | ||||
2577 | |||||
2578 | cfg->cfg_action = ipa->action; | ||||
2579 | cfg->cfg_type = ipa->type; | ||||
2580 | memcpy(&cfg->cfg.address.addr, &ipa->address, | ||||
2581 | sizeof(ipa->address)); | ||||
2582 | cfg->cfg.address.addr_mask = ipa->mask; | ||||
2583 | cfg->cfg.address.addr_net = ipa->netaddress; | ||||
2584 | cfg->cfg.address.addr_af = ipa->af; | ||||
2585 | } | ||||
2586 | |||||
2587 | if (dstid) | ||||
2588 | strlcpy(idstr, dstid, sizeof(idstr)); | ||||
2589 | else if (!pol.pol_peer.addr_net) | ||||
2590 | strlcpy(idstr, print_addr(&pol.pol_peer.addr), sizeof(idstr)); | ||||
2591 | |||||
2592 | ikeauth = &pol.pol_auth; | ||||
2593 | switch (ikeauth->auth_method) { | ||||
2594 | case IKEV2_AUTH_RSA_SIG1: | ||||
2595 | pol.pol_certreqtype = IKEV2_CERT_RSA_KEY11; | ||||
2596 | break; | ||||
2597 | case IKEV2_AUTH_ECDSA_2569: | ||||
2598 | case IKEV2_AUTH_ECDSA_38410: | ||||
2599 | case IKEV2_AUTH_ECDSA_52111: | ||||
2600 | pol.pol_certreqtype = IKEV2_CERT_ECDSA201; | ||||
2601 | break; | ||||
2602 | default: | ||||
2603 | pol.pol_certreqtype = IKEV2_CERT_NONE0; | ||||
2604 | break; | ||||
2605 | } | ||||
2606 | |||||
2607 | log_debug("%s: using %s for peer %s", __func__, | ||||
2608 | print_xf(ikeauth->auth_method, 0, methodxfs), idstr); | ||||
2609 | |||||
2610 | config_setpolicy(env, &pol, PROC_IKEV2); | ||||
2611 | config_setflow(env, &pol, PROC_IKEV2); | ||||
2612 | |||||
2613 | rules++; | ||||
2614 | ret = 0; | ||||
2615 | |||||
2616 | done: | ||||
2617 | if (ike_sa) { | ||||
2618 | for (i = 0; i < ike_sa->nxfs; i++) { | ||||
2619 | free(ike_sa->xfs[i]->authxf); | ||||
2620 | free(ike_sa->xfs[i]->encxf); | ||||
2621 | free(ike_sa->xfs[i]->groupxf); | ||||
2622 | free(ike_sa->xfs[i]->prfxf); | ||||
2623 | free(ike_sa->xfs[i]); | ||||
2624 | } | ||||
2625 | free(ike_sa->xfs); | ||||
2626 | free(ike_sa); | ||||
2627 | } | ||||
2628 | if (ipsec_sa) { | ||||
2629 | for (i = 0; i < ipsec_sa->nxfs; i++) { | ||||
2630 | free(ipsec_sa->xfs[i]->authxf); | ||||
2631 | free(ipsec_sa->xfs[i]->encxf); | ||||
2632 | free(ipsec_sa->xfs[i]->groupxf); | ||||
2633 | free(ipsec_sa->xfs[i]->prfxf); | ||||
2634 | free(ipsec_sa->xfs[i]->esnxf); | ||||
2635 | free(ipsec_sa->xfs[i]); | ||||
2636 | } | ||||
2637 | free(ipsec_sa->xfs); | ||||
2638 | free(ipsec_sa); | ||||
2639 | } | ||||
2640 | TAILQ_FOREACH_SAFE(p, &pol.pol_proposals, prop_entry, ptmp)for ((p) = ((&pol.pol_proposals)->tqh_first); (p) != ( (void *)0) && ((ptmp) = ((p)->prop_entry.tqe_next) , 1); (p) = (ptmp)) { | ||||
2641 | if (p->prop_xforms != ikev2_default_ike_transforms && | ||||
2642 | p->prop_xforms != ikev2_default_ike_transforms_noauth && | ||||
2643 | p->prop_xforms != ikev2_default_esp_transforms && | ||||
2644 | p->prop_xforms != ikev2_default_esp_transforms_noauth) | ||||
2645 | free(p->prop_xforms); | ||||
2646 | free(p); | ||||
2647 | } | ||||
2648 | if (peers != NULL((void *)0)) { | ||||
2649 | iaw_free(peers->src); | ||||
2650 | iaw_free(peers->dst); | ||||
2651 | /* peers is static, cannot be freed */ | ||||
2652 | } | ||||
2653 | if (hosts != NULL((void *)0)) { | ||||
2654 | iaw_free(hosts->src); | ||||
2655 | iaw_free(hosts->dst); | ||||
2656 | free(hosts); | ||||
2657 | } | ||||
2658 | iaw_free(ikecfg); | ||||
2659 | iaw_free(ipproto); | ||||
2660 | RB_FOREACH_SAFE(flow, iked_flows, &pol.pol_flows, ftmp)for ((flow) = iked_flows_RB_MINMAX(&pol.pol_flows, -1); ( (flow) != ((void *)0)) && ((ftmp) = iked_flows_RB_NEXT (flow), 1); (flow) = (ftmp)) { | ||||
2661 | RB_REMOVE(iked_flows, &pol.pol_flows, flow)iked_flows_RB_REMOVE(&pol.pol_flows, flow); | ||||
2662 | free(flow); | ||||
2663 | } | ||||
2664 | free(name); | ||||
2665 | free(srcid); | ||||
2666 | free(dstid); | ||||
2667 | return (ret); | ||||
2668 | } | ||||
2669 | |||||
2670 | static int | ||||
2671 | create_flow(struct iked_policy *pol, int proto, struct ipsec_addr_wrap *ipa, | ||||
2672 | struct ipsec_addr_wrap *ipb) | ||||
2673 | { | ||||
2674 | struct iked_flow *flow; | ||||
2675 | struct ipsec_addr_wrap *ippn; | ||||
2676 | |||||
2677 | if (ipa->af != ipb->af) { | ||||
2678 | yyerror("cannot mix different address families."); | ||||
2679 | return (-1); | ||||
2680 | } | ||||
2681 | |||||
2682 | if ((flow = calloc(1, sizeof(struct iked_flow))) == NULL((void *)0)) | ||||
2683 | fatalx("%s: failed to alloc flow.", __func__); | ||||
2684 | |||||
2685 | memcpy(&flow->flow_src.addr, &ipa->address, | ||||
2686 | sizeof(ipa->address)); | ||||
2687 | flow->flow_src.addr_af = ipa->af; | ||||
2688 | flow->flow_src.addr_mask = ipa->mask; | ||||
2689 | flow->flow_src.addr_net = ipa->netaddress; | ||||
2690 | flow->flow_src.addr_port = ipa->port; | ||||
2691 | |||||
2692 | memcpy(&flow->flow_dst.addr, &ipb->address, | ||||
2693 | sizeof(ipb->address)); | ||||
2694 | flow->flow_dst.addr_af = ipb->af; | ||||
2695 | flow->flow_dst.addr_mask = ipb->mask; | ||||
2696 | flow->flow_dst.addr_net = ipb->netaddress; | ||||
2697 | flow->flow_dst.addr_port = ipb->port; | ||||
2698 | |||||
2699 | ippn = ipa->srcnat; | ||||
2700 | if (ippn) { | ||||
2701 | memcpy(&flow->flow_prenat.addr, &ippn->address, | ||||
2702 | sizeof(ippn->address)); | ||||
2703 | flow->flow_prenat.addr_af = ippn->af; | ||||
2704 | flow->flow_prenat.addr_mask = ippn->mask; | ||||
2705 | flow->flow_prenat.addr_net = ippn->netaddress; | ||||
2706 | } else { | ||||
2707 | flow->flow_prenat.addr_af = 0; | ||||
2708 | } | ||||
2709 | |||||
2710 | flow->flow_dir = IPSP_DIRECTION_OUT0x2; | ||||
2711 | flow->flow_ipproto = proto; | ||||
2712 | flow->flow_saproto = pol->pol_saproto; | ||||
2713 | flow->flow_rdomain = pol->pol_rdomain; | ||||
2714 | |||||
2715 | if (RB_INSERT(iked_flows, &pol->pol_flows, flow)iked_flows_RB_INSERT(&pol->pol_flows, flow) == NULL((void *)0)) | ||||
2716 | pol->pol_nflows++; | ||||
2717 | else { | ||||
2718 | warnx("create_ike: duplicate flow"); | ||||
2719 | free(flow); | ||||
2720 | } | ||||
2721 | |||||
2722 | return (0); | ||||
2723 | } | ||||
2724 | |||||
2725 | static int | ||||
2726 | expand_flows(struct iked_policy *pol, int proto, struct ipsec_addr_wrap *src, | ||||
2727 | struct ipsec_addr_wrap *dst) | ||||
2728 | { | ||||
2729 | struct ipsec_addr_wrap *ipa = NULL((void *)0), *ipb = NULL((void *)0); | ||||
2730 | int ret = -1; | ||||
2731 | int srcaf, dstaf; | ||||
2732 | |||||
2733 | srcaf = src->af; | ||||
2734 | dstaf = dst->af; | ||||
2735 | |||||
2736 | if (src->af == AF_UNSPEC0 && | ||||
2737 | dst->af == AF_UNSPEC0) { | ||||
2738 | /* Need both IPv4 and IPv6 flows */ | ||||
2739 | src->af = dst->af = AF_INET2; | ||||
2740 | ipa = expand_keyword(src); | ||||
2741 | ipb = expand_keyword(dst); | ||||
2742 | if (!ipa || !ipb) | ||||
2743 | goto done; | ||||
2744 | if (create_flow(pol, proto, ipa, ipb)) | ||||
2745 | goto done; | ||||
2746 | |||||
2747 | iaw_free(ipa); | ||||
2748 | iaw_free(ipb); | ||||
2749 | src->af = dst->af = AF_INET624; | ||||
2750 | ipa = expand_keyword(src); | ||||
2751 | ipb = expand_keyword(dst); | ||||
2752 | if (!ipa || !ipb) | ||||
2753 | goto done; | ||||
2754 | if (create_flow(pol, proto, ipa, ipb)) | ||||
2755 | goto done; | ||||
2756 | } else if (src->af == AF_UNSPEC0) { | ||||
2757 | src->af = dst->af; | ||||
2758 | ipa = expand_keyword(src); | ||||
2759 | if (!ipa) | ||||
2760 | goto done; | ||||
2761 | if (create_flow(pol, proto, ipa, dst)) | ||||
2762 | goto done; | ||||
2763 | } else if (dst->af == AF_UNSPEC0) { | ||||
2764 | dst->af = src->af; | ||||
2765 | ipa = expand_keyword(dst); | ||||
2766 | if (!ipa) | ||||
2767 | goto done; | ||||
2768 | if (create_flow(pol, proto, src, ipa)) | ||||
2769 | goto done; | ||||
2770 | } else if (create_flow(pol, proto, src, dst)) | ||||
2771 | goto done; | ||||
2772 | ret = 0; | ||||
2773 | done: | ||||
2774 | src->af = srcaf; | ||||
2775 | dst->af = dstaf; | ||||
2776 | iaw_free(ipa); | ||||
2777 | iaw_free(ipb); | ||||
2778 | return (ret); | ||||
2779 | } | ||||
2780 | |||||
2781 | static struct ipsec_addr_wrap * | ||||
2782 | expand_keyword(struct ipsec_addr_wrap *ip) | ||||
2783 | { | ||||
2784 | switch(ip->af) { | ||||
2785 | case AF_INET2: | ||||
2786 | switch(ip->type) { | ||||
2787 | case IPSEC_ADDR_ANY(0x1): | ||||
2788 | return (host("0.0.0.0/0")); | ||||
2789 | case IPSEC_ADDR_DYNAMIC(0x2): | ||||
2790 | return (host("0.0.0.0")); | ||||
2791 | } | ||||
2792 | break; | ||||
2793 | case AF_INET624: | ||||
2794 | switch(ip->type) { | ||||
2795 | case IPSEC_ADDR_ANY(0x1): | ||||
2796 | return (host("::/0")); | ||||
2797 | case IPSEC_ADDR_DYNAMIC(0x2): | ||||
2798 | return (host("::")); | ||||
2799 | } | ||||
2800 | } | ||||
2801 | return (NULL((void *)0)); | ||||
2802 | } | ||||
2803 | |||||
2804 | int | ||||
2805 | create_user(const char *user, const char *pass) | ||||
2806 | { | ||||
2807 | struct iked_user usr; | ||||
2808 | |||||
2809 | bzero(&usr, sizeof(usr)); | ||||
2810 | |||||
2811 | if (*user == '\0' || (strlcpy(usr.usr_name, user, | ||||
2812 | sizeof(usr.usr_name)) >= sizeof(usr.usr_name))) { | ||||
2813 | yyerror("invalid user name"); | ||||
2814 | return (-1); | ||||
2815 | } | ||||
2816 | if (*pass == '\0' || (strlcpy(usr.usr_pass, pass, | ||||
2817 | sizeof(usr.usr_pass)) >= sizeof(usr.usr_pass))) { | ||||
2818 | yyerror("invalid password"); | ||||
2819 | explicit_bzero(&usr, sizeof usr); /* zap partial password */ | ||||
2820 | return (-1); | ||||
2821 | } | ||||
2822 | |||||
2823 | config_setuser(env, &usr, PROC_IKEV2); | ||||
2824 | |||||
2825 | rules++; | ||||
2826 | |||||
2827 | explicit_bzero(&usr, sizeof usr); | ||||
2828 | return (0); | ||||
2829 | } | ||||
2830 | |||||
2831 | void | ||||
2832 | iaw_free(struct ipsec_addr_wrap *head) | ||||
2833 | { | ||||
2834 | struct ipsec_addr_wrap *n, *cur; | ||||
2835 | |||||
2836 | if (head == NULL((void *)0)) | ||||
2837 | return; | ||||
2838 | |||||
2839 | for (n = head; n != NULL((void *)0); ) { | ||||
2840 | cur = n; | ||||
2841 | n = n->next; | ||||
2842 | if (cur->srcnat != NULL((void *)0)) { | ||||
2843 | free(cur->srcnat->name); | ||||
2844 | free(cur->srcnat); | ||||
2845 | } | ||||
2846 | free(cur->name); | ||||
2847 | free(cur); | ||||
2848 | } | ||||
2849 | } | ||||
2850 | #line 2843 "parse.c" | ||||
2851 | /* allocate initial stack or double stack size, up to YYMAXDEPTH */ | ||||
2852 | static int yygrowstack(void) | ||||
2853 | { | ||||
2854 | unsigned int newsize; | ||||
2855 | long sslen; | ||||
2856 | short *newss; | ||||
2857 | YYSTYPE *newvs; | ||||
2858 | |||||
2859 | if ((newsize = yystacksize) == 0) | ||||
2860 | newsize = YYINITSTACKSIZE200; | ||||
2861 | else if (newsize >= YYMAXDEPTH10000) | ||||
2862 | return -1; | ||||
2863 | else if ((newsize *= 2) > YYMAXDEPTH10000) | ||||
2864 | newsize = YYMAXDEPTH10000; | ||||
2865 | sslen = yyssp - yyss; | ||||
2866 | #ifdef SIZE_MAX0xffffffffffffffffUL | ||||
2867 | #define YY_SIZE_MAX0xffffffffffffffffUL SIZE_MAX0xffffffffffffffffUL | ||||
2868 | #else | ||||
2869 | #define YY_SIZE_MAX0xffffffffffffffffUL 0xffffffffU | ||||
2870 | #endif | ||||
2871 | if (newsize && YY_SIZE_MAX0xffffffffffffffffUL / newsize < sizeof *newss) | ||||
2872 | goto bail; | ||||
2873 | newss = (short *)realloc(yyss, newsize * sizeof *newss); | ||||
2874 | if (newss == NULL((void *)0)) | ||||
2875 | goto bail; | ||||
2876 | yyss = newss; | ||||
2877 | yyssp = newss + sslen; | ||||
2878 | if (newsize && YY_SIZE_MAX0xffffffffffffffffUL / newsize < sizeof *newvs) | ||||
2879 | goto bail; | ||||
2880 | newvs = (YYSTYPE *)realloc(yyvs, newsize * sizeof *newvs); | ||||
2881 | if (newvs == NULL((void *)0)) | ||||
2882 | goto bail; | ||||
2883 | yyvs = newvs; | ||||
2884 | yyvsp = newvs + sslen; | ||||
2885 | yystacksize = newsize; | ||||
2886 | yysslim = yyss + newsize - 1; | ||||
2887 | return 0; | ||||
2888 | bail: | ||||
2889 | if (yyss) | ||||
2890 | free(yyss); | ||||
2891 | if (yyvs) | ||||
2892 | free(yyvs); | ||||
2893 | yyss = yyssp = NULL((void *)0); | ||||
2894 | yyvs = yyvsp = NULL((void *)0); | ||||
2895 | yystacksize = 0; | ||||
2896 | return -1; | ||||
2897 | } | ||||
2898 | |||||
2899 | #define YYABORTgoto yyabort goto yyabort | ||||
2900 | #define YYREJECTgoto yyabort goto yyabort | ||||
2901 | #define YYACCEPTgoto yyaccept goto yyaccept | ||||
2902 | #define YYERRORgoto yyerrlab goto yyerrlab | ||||
2903 | int | ||||
2904 | yyparse(void) | ||||
2905 | { | ||||
2906 | int yym, yyn, yystate; | ||||
2907 | #if YYDEBUG0 | ||||
2908 | const char *yys; | ||||
2909 | |||||
2910 | if ((yys = getenv("YYDEBUG"))) | ||||
2911 | { | ||||
2912 | yyn = *yys; | ||||
2913 | if (yyn >= '0' && yyn <= '9') | ||||
2914 | yydebug = yyn - '0'; | ||||
2915 | } | ||||
2916 | #endif /* YYDEBUG */ | ||||
2917 | |||||
2918 | yynerrs = 0; | ||||
2919 | yyerrflag = 0; | ||||
2920 | yychar = (-1); | ||||
2921 | |||||
2922 | if (yyss == NULL((void *)0) && yygrowstack()) goto yyoverflow; | ||||
| |||||
2923 | yyssp = yyss; | ||||
2924 | yyvsp = yyvs; | ||||
2925 | *yyssp = yystate = 0; | ||||
2926 | |||||
2927 | yyloop: | ||||
2928 | if ((yyn = yydefred[yystate]) != 0) goto yyreduce; | ||||
2929 | if (yychar
| ||||
2930 | { | ||||
2931 | if ((yychar = yylex()) < 0) yychar = 0; | ||||
2932 | #if YYDEBUG0 | ||||
2933 | if (yydebug) | ||||
2934 | { | ||||
2935 | yys = 0; | ||||
2936 | if (yychar <= YYMAXTOKEN330) yys = yyname[yychar]; | ||||
2937 | if (!yys) yys = "illegal-symbol"; | ||||
2938 | printf("%sdebug: state %d, reading %d (%s)\n", | ||||
2939 | YYPREFIX"yy", yystate, yychar, yys); | ||||
2940 | } | ||||
2941 | #endif | ||||
2942 | } | ||||
2943 | if ((yyn = yysindex[yystate]) && (yyn += yychar) >= 0 && | ||||
2944 | yyn <= YYTABLESIZE745 && yycheck[yyn] == yychar) | ||||
2945 | { | ||||
2946 | #if YYDEBUG0 | ||||
2947 | if (yydebug) | ||||
2948 | printf("%sdebug: state %d, shifting to state %d\n", | ||||
2949 | YYPREFIX"yy", yystate, yytable[yyn]); | ||||
2950 | #endif | ||||
2951 | if (yyssp >= yysslim && yygrowstack()) | ||||
2952 | { | ||||
2953 | goto yyoverflow; | ||||
2954 | } | ||||
2955 | *++yyssp = yystate = yytable[yyn]; | ||||
2956 | *++yyvsp = yylval; | ||||
2957 | yychar = (-1); | ||||
2958 | if (yyerrflag > 0) --yyerrflag; | ||||
2959 | goto yyloop; | ||||
2960 | } | ||||
2961 | if ((yyn = yyrindex[yystate]) && (yyn += yychar) >= 0 && | ||||
2962 | yyn <= YYTABLESIZE745 && yycheck[yyn] == yychar) | ||||
2963 | { | ||||
2964 | yyn = yytable[yyn]; | ||||
2965 | goto yyreduce; | ||||
2966 | } | ||||
2967 | if (yyerrflag) goto yyinrecovery; | ||||
2968 | #if defined(__GNUC__4) | ||||
2969 | goto yynewerror; | ||||
2970 | #endif | ||||
2971 | yynewerror: | ||||
2972 | yyerror("syntax error"); | ||||
2973 | #if defined(__GNUC__4) | ||||
2974 | goto yyerrlab; | ||||
2975 | #endif | ||||
2976 | yyerrlab: | ||||
2977 | ++yynerrs; | ||||
2978 | yyinrecovery: | ||||
2979 | if (yyerrflag < 3) | ||||
2980 | { | ||||
2981 | yyerrflag = 3; | ||||
2982 | for (;;) | ||||
2983 | { | ||||
2984 | if ((yyn = yysindex[*yyssp]) && (yyn += YYERRCODE256) >= 0 && | ||||
2985 | yyn <= YYTABLESIZE745 && yycheck[yyn] == YYERRCODE256) | ||||
2986 | { | ||||
2987 | #if YYDEBUG0 | ||||
2988 | if (yydebug) | ||||
2989 | printf("%sdebug: state %d, error recovery shifting\ | ||||
2990 | to state %d\n", YYPREFIX"yy", *yyssp, yytable[yyn]); | ||||
2991 | #endif | ||||
2992 | if (yyssp >= yysslim && yygrowstack()) | ||||
2993 | { | ||||
2994 | goto yyoverflow; | ||||
2995 | } | ||||
2996 | *++yyssp = yystate = yytable[yyn]; | ||||
2997 | *++yyvsp = yylval; | ||||
2998 | goto yyloop; | ||||
2999 | } | ||||
3000 | else | ||||
3001 | { | ||||
3002 | #if YYDEBUG0 | ||||
3003 | if (yydebug) | ||||
3004 | printf("%sdebug: error recovery discarding state %d\n", | ||||
3005 | YYPREFIX"yy", *yyssp); | ||||
3006 | #endif | ||||
3007 | if (yyssp <= yyss) goto yyabort; | ||||
3008 | --yyssp; | ||||
3009 | --yyvsp; | ||||
3010 | } | ||||
3011 | } | ||||
3012 | } | ||||
3013 | else | ||||
3014 | { | ||||
3015 | if (yychar == 0) goto yyabort; | ||||
3016 | #if YYDEBUG0 | ||||
3017 | if (yydebug) | ||||
3018 | { | ||||
3019 | yys = 0; | ||||
3020 | if (yychar <= YYMAXTOKEN330) yys = yyname[yychar]; | ||||
3021 | if (!yys) yys = "illegal-symbol"; | ||||
3022 | printf("%sdebug: state %d, error recovery discards token %d (%s)\n", | ||||
3023 | YYPREFIX"yy", yystate, yychar, yys); | ||||
3024 | } | ||||
3025 | #endif | ||||
3026 | yychar = (-1); | ||||
3027 | goto yyloop; | ||||
3028 | } | ||||
3029 | yyreduce: | ||||
3030 | #if YYDEBUG0 | ||||
3031 | if (yydebug) | ||||
3032 | printf("%sdebug: state %d, reducing by rule %d (%s)\n", | ||||
3033 | YYPREFIX"yy", yystate, yyn, yyrule[yyn]); | ||||
3034 | #endif | ||||
3035 | yym = yylen[yyn]; | ||||
3036 | if (yym
| ||||
3037 | yyval = yyvsp[1-yym]; | ||||
3038 | else | ||||
3039 | memset(&yyval, 0, sizeof yyval); | ||||
3040 | switch (yyn) | ||||
3041 | { | ||||
3042 | case 9: | ||||
3043 | #line 483 "/usr/src/sbin/iked/parse.y" | ||||
3044 | { file->errors++; } | ||||
3045 | break; | ||||
3046 | case 12: | ||||
3047 | #line 490 "/usr/src/sbin/iked/parse.y" | ||||
3048 | { | ||||
3049 | struct file *nfile; | ||||
3050 | |||||
3051 | if ((nfile = pushfile(yyvsp[0].v.string, 1)) == NULL((void *)0)) { | ||||
3052 | yyerror("failed to include file %s", yyvsp[0].v.string); | ||||
3053 | free(yyvsp[0].v.string); | ||||
3054 | YYERRORgoto yyerrlab; | ||||
3055 | } | ||||
3056 | free(yyvsp[0].v.string); | ||||
3057 | |||||
3058 | file = nfile; | ||||
3059 | lungetc('\n'); | ||||
3060 | } | ||||
3061 | break; | ||||
3062 | case 13: | ||||
3063 | #line 505 "/usr/src/sbin/iked/parse.y" | ||||
3064 | { passive = 0; } | ||||
3065 | break; | ||||
3066 | case 14: | ||||
3067 | #line 506 "/usr/src/sbin/iked/parse.y" | ||||
3068 | { passive = 1; } | ||||
3069 | break; | ||||
3070 | case 15: | ||||
3071 | #line 507 "/usr/src/sbin/iked/parse.y" | ||||
3072 | { decouple = 0; } | ||||
3073 | break; | ||||
3074 | case 16: | ||||
3075 | #line 508 "/usr/src/sbin/iked/parse.y" | ||||
3076 | { decouple = 1; } | ||||
3077 | break; | ||||
3078 | case 17: | ||||
3079 | #line 509 "/usr/src/sbin/iked/parse.y" | ||||
3080 | { fragmentation = 1; } | ||||
3081 | break; | ||||
3082 | case 18: | ||||
3083 | #line 510 "/usr/src/sbin/iked/parse.y" | ||||
3084 | { fragmentation = 0; } | ||||
3085 | break; | ||||
3086 | case 19: | ||||
3087 | #line 511 "/usr/src/sbin/iked/parse.y" | ||||
3088 | { mobike = 1; } | ||||
3089 | break; | ||||
3090 | case 20: | ||||
3091 | #line 512 "/usr/src/sbin/iked/parse.y" | ||||
3092 | { mobike = 0; } | ||||
3093 | break; | ||||
3094 | case 21: | ||||
3095 | #line 513 "/usr/src/sbin/iked/parse.y" | ||||
3096 | { vendorid = 1; } | ||||
3097 | break; | ||||
3098 | case 22: | ||||
3099 | #line 514 "/usr/src/sbin/iked/parse.y" | ||||
3100 | { vendorid = 0; } | ||||
3101 | break; | ||||
3102 | case 23: | ||||
3103 | #line 515 "/usr/src/sbin/iked/parse.y" | ||||
3104 | { enforcesingleikesa = 1; } | ||||
3105 | break; | ||||
3106 | case 24: | ||||
3107 | #line 516 "/usr/src/sbin/iked/parse.y" | ||||
3108 | { enforcesingleikesa = 0; } | ||||
3109 | break; | ||||
3110 | case 25: | ||||
3111 | #line 517 "/usr/src/sbin/iked/parse.y" | ||||
3112 | { stickyaddress = 1; } | ||||
3113 | break; | ||||
3114 | case 26: | ||||
3115 | #line 518 "/usr/src/sbin/iked/parse.y" | ||||
3116 | { stickyaddress = 0; } | ||||
3117 | break; | ||||
3118 | case 27: | ||||
3119 | #line 519 "/usr/src/sbin/iked/parse.y" | ||||
3120 | { | ||||
3121 | ocsp_url = yyvsp[0].v.string; | ||||
3122 | } | ||||
3123 | break; | ||||
3124 | case 28: | ||||
3125 | #line 522 "/usr/src/sbin/iked/parse.y" | ||||
3126 | { | ||||
3127 | ocsp_url = yyvsp[-2].v.string; | ||||
3128 | ocsp_tolerate = yyvsp[0].v.number; | ||||
3129 | } | ||||
3130 | break; | ||||
3131 | case 29: | ||||
3132 | #line 526 "/usr/src/sbin/iked/parse.y" | ||||
3133 | { | ||||
3134 | ocsp_url = yyvsp[-4].v.string; | ||||
3135 | ocsp_tolerate = yyvsp[-2].v.number; | ||||
3136 | ocsp_maxage = yyvsp[0].v.number; | ||||
3137 | } | ||||
3138 | break; | ||||
3139 | case 30: | ||||
3140 | #line 531 "/usr/src/sbin/iked/parse.y" | ||||
3141 | { | ||||
3142 | cert_partial_chain = 1; | ||||
3143 | } | ||||
3144 | break; | ||||
3145 | case 31: | ||||
3146 | #line 534 "/usr/src/sbin/iked/parse.y" | ||||
3147 | { | ||||
3148 | if (yyvsp[0].v.number < 0) { | ||||
3149 | yyerror("timeout outside range"); | ||||
3150 | YYERRORgoto yyerrlab; | ||||
3151 | } | ||||
3152 | dpd_interval = yyvsp[0].v.number; | ||||
3153 | } | ||||
3154 | break; | ||||
3155 | case 32: | ||||
3156 | #line 543 "/usr/src/sbin/iked/parse.y" | ||||
3157 | { | ||||
3158 | if (create_user(yyvsp[-1].v.string, yyvsp[0].v.string) == -1) | ||||
3159 | YYERRORgoto yyerrlab; | ||||
3160 | free(yyvsp[-1].v.string); | ||||
3161 | freezero(yyvsp[0].v.string, strlen(yyvsp[0].v.string)); | ||||
3162 | } | ||||
3163 | break; | ||||
3164 | case 33: | ||||
3165 | #line 553 "/usr/src/sbin/iked/parse.y" | ||||
3166 | { | ||||
3167 | if (create_ike(yyvsp[-16].v.string, yyvsp[-13].v.number, yyvsp[-12].v.proto, yyvsp[-11].v.number, yyvsp[-10].v.hosts, &yyvsp[-9].v.peers, yyvsp[-8].v.mode, yyvsp[-7].v.mode, yyvsp[-14].v.satype, | ||||
3168 | yyvsp[-15].v.ikemode, yyvsp[-6].v.ids.srcid, yyvsp[-6].v.ids.dstid, yyvsp[-5].v.number, &yyvsp[-4].v.lifetime, &yyvsp[-3].v.ikeauth, | ||||
3169 | yyvsp[0].v.filters, yyvsp[-2].v.cfg, yyvsp[-1].v.string) == -1) { | ||||
3170 | yyerror("create_ike failed"); | ||||
3171 | YYERRORgoto yyerrlab; | ||||
3172 | } | ||||
3173 | } | ||||
3174 | break; | ||||
3175 | case 34: | ||||
3176 | #line 563 "/usr/src/sbin/iked/parse.y" | ||||
3177 | { yyval.v.cfg = NULL((void *)0); } | ||||
3178 | break; | ||||
3179 | case 35: | ||||
3180 | #line 564 "/usr/src/sbin/iked/parse.y" | ||||
3181 | { yyval.v.cfg = yyvsp[0].v.cfg; } | ||||
3182 | break; | ||||
3183 | case 36: | ||||
3184 | #line 567 "/usr/src/sbin/iked/parse.y" | ||||
3185 | { yyval.v.cfg = yyvsp[0].v.cfg; } | ||||
3186 | break; | ||||
3187 | case 37: | ||||
3188 | #line 568 "/usr/src/sbin/iked/parse.y" | ||||
3189 | { | ||||
3190 | if (yyvsp[0].v.cfg == NULL((void *)0)) | ||||
3191 | yyval.v.cfg = yyvsp[-1].v.cfg; | ||||
3192 | else if (yyvsp[-1].v.cfg == NULL((void *)0)) | ||||
3193 | yyval.v.cfg = yyvsp[0].v.cfg; | ||||
3194 | else { | ||||
3195 | yyvsp[-1].v.cfg->tail->next = yyvsp[0].v.cfg; | ||||
3196 | yyvsp[-1].v.cfg->tail = yyvsp[0].v.cfg->tail; | ||||
3197 | yyval.v.cfg = yyvsp[-1].v.cfg; | ||||
3198 | } | ||||
3199 | } | ||||
3200 | break; | ||||
3201 | case 38: | ||||
3202 | #line 581 "/usr/src/sbin/iked/parse.y" | ||||
3203 | { | ||||
3204 | const struct ipsec_xf *xf; | ||||
3205 | |||||
3206 | if ((xf = parse_xf(yyvsp[-1].v.string, yyvsp[0].v.host->af, cpxfs)) == NULL((void *)0)) { | ||||
3207 | yyerror("not a valid ikecfg option"); | ||||
3208 | free(yyvsp[-1].v.string); | ||||
3209 | free(yyvsp[0].v.host); | ||||
3210 | YYERRORgoto yyerrlab; | ||||
3211 | } | ||||
3212 | free(yyvsp[-1].v.string); | ||||
3213 | yyval.v.cfg = yyvsp[0].v.host; | ||||
3214 | yyval.v.cfg->type = xf->id; | ||||
3215 | yyval.v.cfg->action = IKEV2_CP_REPLY2; /* XXX */ | ||||
3216 | } | ||||
3217 | break; | ||||
3218 | case 39: | ||||
3219 | #line 595 "/usr/src/sbin/iked/parse.y" | ||||
3220 | { | ||||
3221 | const struct ipsec_xf *xf; | ||||
3222 | |||||
3223 | if ((xf = parse_xf(yyvsp[-1].v.string, yyvsp[0].v.anyhost->af, cpxfs)) == NULL((void *)0)) { | ||||
3224 | yyerror("not a valid ikecfg option"); | ||||
3225 | free(yyvsp[-1].v.string); | ||||
3226 | free(yyvsp[0].v.anyhost); | ||||
3227 | YYERRORgoto yyerrlab; | ||||
3228 | } | ||||
3229 | free(yyvsp[-1].v.string); | ||||
3230 | yyval.v.cfg = yyvsp[0].v.anyhost; | ||||
3231 | yyval.v.cfg->type = xf->id; | ||||
3232 | yyval.v.cfg->action = IKEV2_CP_REQUEST1; /* XXX */ | ||||
3233 | } | ||||
3234 | break; | ||||
3235 | case 40: | ||||
3236 | #line 611 "/usr/src/sbin/iked/parse.y" | ||||
3237 | { yyval.v.string = NULL((void *)0); } | ||||
3238 | break; | ||||
3239 | case 41: | ||||
3240 | #line 612 "/usr/src/sbin/iked/parse.y" | ||||
3241 | { | ||||
3242 | yyval.v.string = yyvsp[0].v.string; | ||||
3243 | } | ||||
3244 | break; | ||||
3245 | case 42: | ||||
3246 | #line 616 "/usr/src/sbin/iked/parse.y" | ||||
3247 | { yyval.v.satype = IKEV2_SAPROTO_ESP3; } | ||||
3248 | break; | ||||
3249 | case 43: | ||||
3250 | #line 617 "/usr/src/sbin/iked/parse.y" | ||||
3251 | { yyval.v.satype = IKEV2_SAPROTO_ESP3; } | ||||
3252 | break; | ||||
3253 | case 44: | ||||
3254 | #line 618 "/usr/src/sbin/iked/parse.y" | ||||
3255 | { yyval.v.satype = IKEV2_SAPROTO_AH2; } | ||||
3256 | break; | ||||
3257 | case 45: | ||||
3258 | #line 621 "/usr/src/sbin/iked/parse.y" | ||||
3259 | { yyval.v.number = AF_UNSPEC0; } | ||||
3260 | break; | ||||
3261 | case 46: | ||||
3262 | #line 622 "/usr/src/sbin/iked/parse.y" | ||||
3263 | { yyval.v.number = AF_INET2; } | ||||
3264 | break; | ||||
3265 | case 47: | ||||
3266 | #line 623 "/usr/src/sbin/iked/parse.y" | ||||
3267 | { yyval.v.number = AF_INET624; } | ||||
3268 | break; | ||||
3269 | case 48: | ||||
3270 | #line 626 "/usr/src/sbin/iked/parse.y" | ||||
3271 | { yyval.v.proto = NULL((void *)0); } | ||||
3272 | break; | ||||
3273 | case 49: | ||||
3274 | #line 627 "/usr/src/sbin/iked/parse.y" | ||||
3275 | { yyval.v.proto = yyvsp[0].v.proto; } | ||||
3276 | break; | ||||
3277 | case 50: | ||||
3278 | #line 628 "/usr/src/sbin/iked/parse.y" | ||||
3279 | { yyval.v.proto = yyvsp[-1].v.proto; } | ||||
3280 | break; | ||||
3281 | case 51: | ||||
3282 | #line 631 "/usr/src/sbin/iked/parse.y" | ||||
3283 | { yyval.v.proto = yyvsp[0].v.proto; } | ||||
3284 | break; | ||||
3285 | case 52: | ||||
3286 | #line 632 "/usr/src/sbin/iked/parse.y" | ||||
3287 | { | ||||
3288 | if (yyvsp[0].v.proto == NULL((void *)0)) | ||||
3289 | yyval.v.proto = yyvsp[-2].v.proto; | ||||
3290 | else if (yyvsp[-2].v.proto == NULL((void *)0)) | ||||
3291 | yyval.v.proto = yyvsp[0].v.proto; | ||||
3292 | else { | ||||
3293 | yyvsp[-2].v.proto->tail->next = yyvsp[0].v.proto; | ||||
3294 | yyvsp[-2].v.proto->tail = yyvsp[0].v.proto->tail; | ||||
3295 | yyval.v.proto = yyvsp[-2].v.proto; | ||||
3296 | } | ||||
3297 | } | ||||
3298 | break; | ||||
3299 | case 53: | ||||
3300 | #line 645 "/usr/src/sbin/iked/parse.y" | ||||
3301 | { | ||||
3302 | struct protoent *p; | ||||
3303 | |||||
3304 | p = getprotobyname(yyvsp[0].v.string); | ||||
3305 | if (p == NULL((void *)0)) { | ||||
3306 | yyerror("unknown protocol: %s", yyvsp[0].v.string); | ||||
3307 | YYERRORgoto yyerrlab; | ||||
3308 | } | ||||
3309 | |||||
3310 | if ((yyval.v.proto = calloc(1, sizeof(*yyval.v.proto))) == NULL((void *)0)) | ||||
3311 | err(1, "protoval: calloc"); | ||||
3312 | |||||
3313 | yyval.v.proto->type = p->p_proto; | ||||
3314 | yyval.v.proto->tail = yyval.v.proto; | ||||
3315 | free(yyvsp[0].v.string); | ||||
3316 | } | ||||
3317 | break; | ||||
3318 | case 54: | ||||
3319 | #line 661 "/usr/src/sbin/iked/parse.y" | ||||
3320 | { | ||||
3321 | if (yyvsp[0].v.number > 255 || yyvsp[0].v.number < 0) { | ||||
3322 | yyerror("protocol outside range"); | ||||
3323 | YYERRORgoto yyerrlab; | ||||
3324 | } | ||||
3325 | if ((yyval.v.proto = calloc(1, sizeof(*yyval.v.proto))) == NULL((void *)0)) | ||||
3326 | err(1, "protoval: calloc"); | ||||
3327 | |||||
3328 | yyval.v.proto->type = yyvsp[0].v.number; | ||||
3329 | yyval.v.proto->tail = yyval.v.proto; | ||||
3330 | } | ||||
3331 | break; | ||||
3332 | case 55: | ||||
3333 | #line 674 "/usr/src/sbin/iked/parse.y" | ||||
3334 | { yyval.v.number = -1; } | ||||
3335 | break; | ||||
3336 | case 56: | ||||
3337 | #line 675 "/usr/src/sbin/iked/parse.y" | ||||
3338 | { | ||||
3339 | if (yyvsp[0].v.number > 255 || yyvsp[0].v.number < 0) { | ||||
3340 | yyerror("rdomain outside range"); | ||||
3341 | YYERRORgoto yyerrlab; | ||||
3342 | } | ||||
3343 | yyval.v.number = yyvsp[0].v.number; | ||||
3344 | } | ||||
3345 | break; | ||||
3346 | case 57: | ||||
3347 | #line 683 "/usr/src/sbin/iked/parse.y" | ||||
3348 | { yyval.v.hosts = yyvsp[0].v.hosts; } | ||||
3349 | break; | ||||
3350 | case 58: | ||||
3351 | #line 684 "/usr/src/sbin/iked/parse.y" | ||||
3352 | { | ||||
3353 | if (yyvsp[0].v.hosts == NULL((void *)0)) | ||||
3354 | yyval.v.hosts = yyvsp[-2].v.hosts; | ||||
3355 | else if (yyvsp[-2].v.hosts == NULL((void *)0)) | ||||
3356 | yyval.v.hosts = yyvsp[0].v.hosts; | ||||
3357 | else { | ||||
3358 | yyvsp[-2].v.hosts->src->tail->next = yyvsp[0].v.hosts->src; | ||||
3359 | yyvsp[-2].v.hosts->src->tail = yyvsp[0].v.hosts->src->tail; | ||||
3360 | yyvsp[-2].v.hosts->dst->tail->next = yyvsp[0].v.hosts->dst; | ||||
3361 | yyvsp[-2].v.hosts->dst->tail = yyvsp[0].v.hosts->dst->tail; | ||||
3362 | yyval.v.hosts = yyvsp[-2].v.hosts; | ||||
3363 | free(yyvsp[0].v.hosts); | ||||
3364 | } | ||||
3365 | } | ||||
3366 | break; | ||||
3367 | case 59: | ||||
3368 | #line 700 "/usr/src/sbin/iked/parse.y" | ||||
3369 | { | ||||
3370 | struct ipsec_addr_wrap *ipa; | ||||
3371 | for (ipa = yyvsp[-1].v.host; ipa; ipa = ipa->next) { | ||||
3372 | if (ipa->srcnat) { | ||||
3373 | yyerror("no flow NAT support for" | ||||
3374 | " destination network: %s", | ||||
3375 | ipa->name); | ||||
3376 | YYERRORgoto yyerrlab; | ||||
3377 | } | ||||
3378 | } | ||||
3379 | |||||
3380 | if ((yyval.v.hosts = calloc(1, sizeof(*yyval.v.hosts))) == NULL((void *)0)) | ||||
3381 | err(1, "hosts: calloc"); | ||||
3382 | |||||
3383 | yyval.v.hosts->src = yyvsp[-4].v.host; | ||||
3384 | yyval.v.hosts->src->port = yyvsp[-3].v.port; | ||||
3385 | yyval.v.hosts->dst = yyvsp[-1].v.host; | ||||
3386 | yyval.v.hosts->dst->port = yyvsp[0].v.port; | ||||
3387 | } | ||||
3388 | break; | ||||
3389 | case 60: | ||||
3390 | #line 719 "/usr/src/sbin/iked/parse.y" | ||||
3391 | { | ||||
3392 | struct ipsec_addr_wrap *ipa; | ||||
3393 | for (ipa = yyvsp[-4].v.host; ipa; ipa = ipa->next) { | ||||
3394 | if (ipa->srcnat) { | ||||
3395 | yyerror("no flow NAT support for" | ||||
3396 | " destination network: %s", | ||||
3397 | ipa->name); | ||||
3398 | YYERRORgoto yyerrlab; | ||||
3399 | } | ||||
3400 | } | ||||
3401 | if ((yyval.v.hosts = calloc(1, sizeof(*yyval.v.hosts))) == NULL((void *)0)) | ||||
3402 | err(1, "hosts: calloc"); | ||||
3403 | |||||
3404 | yyval.v.hosts->src = yyvsp[-1].v.host; | ||||
3405 | yyval.v.hosts->src->port = yyvsp[0].v.port; | ||||
3406 | yyval.v.hosts->dst = yyvsp[-4].v.host; | ||||
3407 | yyval.v.hosts->dst->port = yyvsp[-3].v.port; | ||||
| |||||
3408 | } | ||||
3409 | break; | ||||
3410 | case 61: | ||||
3411 | #line 739 "/usr/src/sbin/iked/parse.y" | ||||
3412 | { yyval.v.port = 0; } | ||||
3413 | break; | ||||
3414 | case 62: | ||||
3415 | #line 740 "/usr/src/sbin/iked/parse.y" | ||||
3416 | { yyval.v.port = yyvsp[0].v.number; } | ||||
3417 | break; | ||||
3418 | case 63: | ||||
3419 | #line 743 "/usr/src/sbin/iked/parse.y" | ||||
3420 | { | ||||
3421 | struct servent *s; | ||||
3422 | |||||
3423 | if ((s = getservbyname(yyvsp[0].v.string, "tcp")) != NULL((void *)0) || | ||||
3424 | (s = getservbyname(yyvsp[0].v.string, "udp")) != NULL((void *)0)) { | ||||
3425 | yyval.v.number = s->s_port; | ||||
3426 | } else { | ||||
3427 | yyerror("unknown port: %s", yyvsp[0].v.string); | ||||
3428 | YYERRORgoto yyerrlab; | ||||
3429 | } | ||||
3430 | free(yyvsp[0].v.string); | ||||
3431 | } | ||||
3432 | break; | ||||
3433 | case 64: | ||||
3434 | #line 755 "/usr/src/sbin/iked/parse.y" | ||||
3435 | { | ||||
3436 | if (yyvsp[0].v.number > USHRT_MAX0xffff || yyvsp[0].v.number < 0) { | ||||
3437 | yyerror("port outside range"); | ||||
3438 | YYERRORgoto yyerrlab; | ||||
3439 | } | ||||
3440 | yyval.v.number = htons(yyvsp[0].v.number)(__uint16_t)(__builtin_constant_p(yyvsp[0].v.number) ? (__uint16_t )(((__uint16_t)(yyvsp[0].v.number) & 0xffU) << 8 | ( (__uint16_t)(yyvsp[0].v.number) & 0xff00U) >> 8) : __swap16md (yyvsp[0].v.number)); | ||||
3441 | } | ||||
3442 | break; | ||||
3443 | case 65: | ||||
3444 | #line 764 "/usr/src/sbin/iked/parse.y" | ||||
3445 | { | ||||
3446 | yyval.v.peers.dst = NULL((void *)0); | ||||
3447 | yyval.v.peers.src = NULL((void *)0); | ||||
3448 | } | ||||
3449 | break; | ||||
3450 | case 66: | ||||
3451 | #line 768 "/usr/src/sbin/iked/parse.y" | ||||
3452 | { | ||||
3453 | yyval.v.peers.dst = yyvsp[-2].v.anyhost; | ||||
3454 | yyval.v.peers.src = yyvsp[0].v.anyhost; | ||||
3455 | } | ||||
3456 | break; | ||||
3457 | case 67: | ||||
3458 | #line 772 "/usr/src/sbin/iked/parse.y" | ||||
3459 | { | ||||
3460 | yyval.v.peers.dst = yyvsp[0].v.anyhost; | ||||
3461 | yyval.v.peers.src = yyvsp[-2].v.anyhost; | ||||
3462 | } | ||||
3463 | break; | ||||
3464 | case 68: | ||||
3465 | #line 776 "/usr/src/sbin/iked/parse.y" | ||||
3466 | { | ||||
3467 | yyval.v.peers.dst = yyvsp[0].v.anyhost; | ||||
3468 | yyval.v.peers.src = NULL((void *)0); | ||||
3469 | } | ||||
3470 | break; | ||||
3471 | case 69: | ||||
3472 | #line 780 "/usr/src/sbin/iked/parse.y" | ||||
3473 | { | ||||
3474 | yyval.v.peers.dst = NULL((void *)0); | ||||
3475 | yyval.v.peers.src = yyvsp[0].v.anyhost; | ||||
3476 | } | ||||
3477 | break; | ||||
3478 | case 70: | ||||
3479 | #line 786 "/usr/src/sbin/iked/parse.y" | ||||
3480 | { yyval.v.anyhost = yyvsp[0].v.host; } | ||||
3481 | break; | ||||
3482 | case 71: | ||||
3483 | #line 787 "/usr/src/sbin/iked/parse.y" | ||||
3484 | { | ||||
3485 | yyval.v.anyhost = host_any(); | ||||
3486 | } | ||||
3487 | break; | ||||
3488 | case 72: | ||||
3489 | #line 791 "/usr/src/sbin/iked/parse.y" | ||||
3490 | { | ||||
3491 | if ((yyval.v.host = host(yyvsp[0].v.string)) == NULL((void *)0)) { | ||||
3492 | free(yyvsp[0].v.string); | ||||
3493 | yyerror("could not parse host specification"); | ||||
3494 | YYERRORgoto yyerrlab; | ||||
3495 | } | ||||
3496 | free(yyvsp[0].v.string); | ||||
3497 | } | ||||
3498 | break; | ||||
3499 | case 73: | ||||
3500 | #line 799 "/usr/src/sbin/iked/parse.y" | ||||
3501 | { | ||||
3502 | char *buf; | ||||
3503 | |||||
3504 | if (asprintf(&buf, "%s/%lld", yyvsp[-2].v.string, yyvsp[0].v.number) == -1) | ||||
3505 | err(1, "host: asprintf"); | ||||
3506 | free(yyvsp[-2].v.string); | ||||
3507 | if ((yyval.v.host = host(buf)) == NULL((void *)0)) { | ||||
3508 | free(buf); | ||||
3509 | yyerror("could not parse host specification"); | ||||
3510 | YYERRORgoto yyerrlab; | ||||
3511 | } | ||||
3512 | free(buf); | ||||
3513 | } | ||||
3514 | break; | ||||
3515 | case 74: | ||||
3516 | #line 814 "/usr/src/sbin/iked/parse.y" | ||||
3517 | { yyval.v.host = yyvsp[0].v.host; } | ||||
3518 | break; | ||||
3519 | case 75: | ||||
3520 | #line 815 "/usr/src/sbin/iked/parse.y" | ||||
3521 | { | ||||
3522 | if ((yyvsp[-3].v.host->af != AF_UNSPEC0) && (yyvsp[-1].v.host->af != AF_UNSPEC0) && | ||||
3523 | (yyvsp[-1].v.host->af != yyvsp[-3].v.host->af)) { | ||||
3524 | yyerror("Flow NAT address family mismatch"); | ||||
3525 | YYERRORgoto yyerrlab; | ||||
3526 | } | ||||
3527 | yyval.v.host = yyvsp[-3].v.host; | ||||
3528 | yyval.v.host->srcnat = yyvsp[-1].v.host; | ||||
3529 | } | ||||
3530 | break; | ||||
3531 | case 76: | ||||
3532 | #line 824 "/usr/src/sbin/iked/parse.y" | ||||
3533 | { | ||||
3534 | yyval.v.host = host_any(); | ||||
3535 | } | ||||
3536 | break; | ||||
3537 | case 77: | ||||
3538 | #line 827 "/usr/src/sbin/iked/parse.y" | ||||
3539 | { | ||||
3540 | yyval.v.host = host_dynamic(); | ||||
3541 | } | ||||
3542 | break; | ||||
3543 | case 78: | ||||
3544 | #line 832 "/usr/src/sbin/iked/parse.y" | ||||
3545 | { | ||||
3546 | yyval.v.ids.srcid = NULL((void *)0); | ||||
3547 | yyval.v.ids.dstid = NULL((void *)0); | ||||
3548 | } | ||||
3549 | break; | ||||
3550 | case 79: | ||||
3551 | #line 836 "/usr/src/sbin/iked/parse.y" | ||||
3552 | { | ||||
3553 | yyval.v.ids.srcid = yyvsp[-2].v.id; | ||||
3554 | yyval.v.ids.dstid = yyvsp[0].v.id; | ||||
3555 | } | ||||
3556 | break; | ||||
3557 | case 80: | ||||
3558 | #line 840 "/usr/src/sbin/iked/parse.y" | ||||
3559 | { | ||||
3560 | yyval.v.ids.srcid = yyvsp[0].v.id; | ||||
3561 | yyval.v.ids.dstid = NULL((void *)0); | ||||
3562 | } | ||||
3563 | break; | ||||
3564 | case 81: | ||||
3565 | #line 844 "/usr/src/sbin/iked/parse.y" | ||||
3566 | { | ||||
3567 | yyval.v.ids.srcid = NULL((void *)0); | ||||
3568 | yyval.v.ids.dstid = yyvsp[0].v.id; | ||||
3569 | } | ||||
3570 | break; | ||||
3571 | case 82: | ||||
3572 | #line 850 "/usr/src/sbin/iked/parse.y" | ||||
3573 | { yyval.v.id = yyvsp[0].v.string; } | ||||
3574 | break; | ||||
3575 | case 83: | ||||
3576 | #line 853 "/usr/src/sbin/iked/parse.y" | ||||
3577 | { | ||||
3578 | if ((ipsec_transforms = calloc(1, | ||||
3579 | sizeof(struct ipsec_transforms))) == NULL((void *)0)) | ||||
3580 | err(1, "transforms: calloc"); | ||||
3581 | } | ||||
3582 | break; | ||||
3583 | case 84: | ||||
3584 | #line 858 "/usr/src/sbin/iked/parse.y" | ||||
3585 | { | ||||
3586 | yyval.v.transforms = ipsec_transforms; | ||||
3587 | } | ||||
3588 | break; | ||||
3589 | case 85: | ||||
3590 | #line 861 "/usr/src/sbin/iked/parse.y" | ||||
3591 | { | ||||
3592 | yyval.v.transforms = NULL((void *)0); | ||||
3593 | } | ||||
3594 | break; | ||||
3595 | case 88: | ||||
3596 | #line 870 "/usr/src/sbin/iked/parse.y" | ||||
3597 | { | ||||
3598 | const struct ipsec_xf **xfs = ipsec_transforms->authxf; | ||||
3599 | size_t nxfs = ipsec_transforms->nauthxf; | ||||
3600 | xfs = recallocarray(xfs, nxfs, nxfs + 1, | ||||
3601 | sizeof(struct ipsec_xf *)); | ||||
3602 | if (xfs == NULL((void *)0)) | ||||
3603 | err(1, "transform: recallocarray"); | ||||
3604 | if ((xfs[nxfs] = parse_xf(yyvsp[0].v.string, 0, authxfs)) == NULL((void *)0)) { | ||||
3605 | yyerror("%s not a valid transform", yyvsp[0].v.string); | ||||
3606 | YYERRORgoto yyerrlab; | ||||
3607 | } | ||||
3608 | free(yyvsp[0].v.string); | ||||
3609 | ipsec_transforms->authxf = xfs; | ||||
3610 | ipsec_transforms->nauthxf++; | ||||
3611 | } | ||||
3612 | break; | ||||
3613 | case 89: | ||||
3614 | #line 885 "/usr/src/sbin/iked/parse.y" | ||||
3615 | { | ||||
3616 | const struct ipsec_xf **xfs = ipsec_transforms->encxf; | ||||
3617 | size_t nxfs = ipsec_transforms->nencxf; | ||||
3618 | xfs = recallocarray(xfs, nxfs, nxfs + 1, | ||||
3619 | sizeof(struct ipsec_xf *)); | ||||
3620 | if (xfs == NULL((void *)0)) | ||||
3621 | err(1, "transform: recallocarray"); | ||||
3622 | if ((xfs[nxfs] = parse_xf(yyvsp[0].v.string, 0, encxfs)) == NULL((void *)0)) { | ||||
3623 | yyerror("%s not a valid transform", yyvsp[0].v.string); | ||||
3624 | YYERRORgoto yyerrlab; | ||||
3625 | } | ||||
3626 | free(yyvsp[0].v.string); | ||||
3627 | ipsec_transforms->encxf = xfs; | ||||
3628 | ipsec_transforms->nencxf++; | ||||
3629 | } | ||||
3630 | break; | ||||
3631 | case 90: | ||||
3632 | #line 900 "/usr/src/sbin/iked/parse.y" | ||||
3633 | { | ||||
3634 | const struct ipsec_xf **xfs = ipsec_transforms->prfxf; | ||||
3635 | size_t nxfs = ipsec_transforms->nprfxf; | ||||
3636 | xfs = recallocarray(xfs, nxfs, nxfs + 1, | ||||
3637 | sizeof(struct ipsec_xf *)); | ||||
3638 | if (xfs == NULL((void *)0)) | ||||
3639 | err(1, "transform: recallocarray"); | ||||
3640 | if ((xfs[nxfs] = parse_xf(yyvsp[0].v.string, 0, prfxfs)) == NULL((void *)0)) { | ||||
3641 | yyerror("%s not a valid transform", yyvsp[0].v.string); | ||||
3642 | YYERRORgoto yyerrlab; | ||||
3643 | } | ||||
3644 | free(yyvsp[0].v.string); | ||||
3645 | ipsec_transforms->prfxf = xfs; | ||||
3646 | ipsec_transforms->nprfxf++; | ||||
3647 | } | ||||
3648 | break; | ||||
3649 | case 91: | ||||
3650 | #line 915 "/usr/src/sbin/iked/parse.y" | ||||
3651 | { | ||||
3652 | const struct ipsec_xf **xfs = ipsec_transforms->groupxf; | ||||
3653 | size_t nxfs = ipsec_transforms->ngroupxf; | ||||
3654 | xfs = recallocarray(xfs, nxfs, nxfs + 1, | ||||
3655 | sizeof(struct ipsec_xf *)); | ||||
3656 | if (xfs == NULL((void *)0)) | ||||
3657 | err(1, "transform: recallocarray"); | ||||
3658 | if ((xfs[nxfs] = parse_xf(yyvsp[0].v.string, 0, groupxfs)) == NULL((void *)0)) { | ||||
3659 | yyerror("%s not a valid transform", yyvsp[0].v.string); | ||||
3660 | YYERRORgoto yyerrlab; | ||||
3661 | } | ||||
3662 | free(yyvsp[0].v.string); | ||||
3663 | ipsec_transforms->groupxf = xfs; | ||||
3664 | ipsec_transforms->ngroupxf++; | ||||
3665 | } | ||||
3666 | break; | ||||
3667 | case 92: | ||||
3668 | #line 930 "/usr/src/sbin/iked/parse.y" | ||||
3669 | { | ||||
3670 | const struct ipsec_xf **xfs = ipsec_transforms->esnxf; | ||||
3671 | size_t nxfs = ipsec_transforms->nesnxf; | ||||
3672 | xfs = recallocarray(xfs, nxfs, nxfs + 1, | ||||
3673 | sizeof(struct ipsec_xf *)); | ||||
3674 | if (xfs == NULL((void *)0)) | ||||
3675 | err(1, "transform: recallocarray"); | ||||
3676 | if ((xfs[nxfs] = parse_xf(yyvsp[0].v.string, 0, esnxfs)) == NULL((void *)0)) { | ||||
3677 | yyerror("%s not a valid transform", yyvsp[0].v.string); | ||||
3678 | YYERRORgoto yyerrlab; | ||||
3679 | } | ||||
3680 | ipsec_transforms->esnxf = xfs; | ||||
3681 | ipsec_transforms->nesnxf++; | ||||
3682 | } | ||||
3683 | break; | ||||
3684 | case 93: | ||||
3685 | #line 946 "/usr/src/sbin/iked/parse.y" | ||||
3686 | { yyval.v.string = "esn"; } | ||||
3687 | break; | ||||
3688 | case 94: | ||||
3689 | #line 947 "/usr/src/sbin/iked/parse.y" | ||||
3690 | { yyval.v.string = "noesn"; } | ||||
3691 | break; | ||||
3692 | case 95: | ||||
3693 | #line 950 "/usr/src/sbin/iked/parse.y" | ||||
3694 | { | ||||
3695 | if ((ipsec_mode = calloc(1, | ||||
3696 | sizeof(struct ipsec_mode))) == NULL((void *)0)) | ||||
3697 | err(1, "ike_sas: calloc"); | ||||
3698 | } | ||||
3699 | break; | ||||
3700 | case 96: | ||||
3701 | #line 955 "/usr/src/sbin/iked/parse.y" | ||||
3702 | { | ||||
3703 | yyval.v.mode = ipsec_mode; | ||||
3704 | } | ||||
3705 | break; | ||||
3706 | case 97: | ||||
3707 | #line 958 "/usr/src/sbin/iked/parse.y" | ||||
3708 | { | ||||
3709 | yyval.v.mode = NULL((void *)0); | ||||
3710 | } | ||||
3711 | break; | ||||
3712 | case 100: | ||||
3713 | #line 967 "/usr/src/sbin/iked/parse.y" | ||||
3714 | { | ||||
3715 | if ((ipsec_mode->xfs = recallocarray(ipsec_mode->xfs, | ||||
3716 | ipsec_mode->nxfs, ipsec_mode->nxfs + 1, | ||||
3717 | sizeof(struct ipsec_transforms *))) == NULL((void *)0)) | ||||
3718 | err(1, "ike_sa: recallocarray"); | ||||
3719 | ipsec_mode->nxfs++; | ||||
3720 | encxfs = ikeencxfs; | ||||
3721 | } | ||||
3722 | break; | ||||
3723 | case 101: | ||||
3724 | #line 974 "/usr/src/sbin/iked/parse.y" | ||||
3725 | { | ||||
3726 | ipsec_mode->xfs[ipsec_mode->nxfs - 1] = yyvsp[0].v.transforms; | ||||
3727 | } | ||||
3728 | break; | ||||
3729 | case 102: | ||||
3730 | #line 979 "/usr/src/sbin/iked/parse.y" | ||||
3731 | { | ||||
3732 | if ((ipsec_mode = calloc(1, | ||||
3733 | sizeof(struct ipsec_mode))) == NULL((void *)0)) | ||||
3734 | err(1, "child_sas: calloc"); | ||||
3735 | } | ||||
3736 | break; | ||||
3737 | case 103: | ||||
3738 | #line 984 "/usr/src/sbin/iked/parse.y" | ||||
3739 | { | ||||
3740 | yyval.v.mode = ipsec_mode; | ||||
3741 | } | ||||
3742 | break; | ||||
3743 | case 104: | ||||
3744 | #line 987 "/usr/src/sbin/iked/parse.y" | ||||
3745 | { | ||||
3746 | yyval.v.mode = NULL((void *)0); | ||||
3747 | } | ||||
3748 | break; | ||||
3749 | case 107: | ||||
3750 | #line 996 "/usr/src/sbin/iked/parse.y" | ||||
3751 | { | ||||
3752 | if ((ipsec_mode->xfs = recallocarray(ipsec_mode->xfs, | ||||
3753 | ipsec_mode->nxfs, ipsec_mode->nxfs + 1, | ||||
3754 | sizeof(struct ipsec_transforms *))) == NULL((void *)0)) | ||||
3755 | err(1, "child_sa: recallocarray"); | ||||
3756 | ipsec_mode->nxfs++; | ||||
3757 | encxfs = ipsecencxfs; | ||||
3758 | } | ||||
3759 | break; | ||||
3760 | case 108: | ||||
3761 | #line 1003 "/usr/src/sbin/iked/parse.y" | ||||
3762 | { | ||||
3763 | ipsec_mode->xfs[ipsec_mode->nxfs - 1] = yyvsp[0].v.transforms; | ||||
3764 | } | ||||
3765 | break; | ||||
3766 | case 109: | ||||
3767 | #line 1008 "/usr/src/sbin/iked/parse.y" | ||||
3768 | { yyval.v.ikemode = yyvsp[-3].v.ikemode | yyvsp[-2].v.ikemode | yyvsp[-1].v.ikemode | yyvsp[0].v.ikemode; } | ||||
3769 | break; | ||||
3770 | case 110: | ||||
3771 | #line 1011 "/usr/src/sbin/iked/parse.y" | ||||
3772 | { yyval.v.ikemode = 0; } | ||||
3773 | break; | ||||
3774 | case 111: | ||||
3775 | #line 1012 "/usr/src/sbin/iked/parse.y" | ||||
3776 | { yyval.v.ikemode = IKED_POLICY_QUICK0x08; } | ||||
3777 | break; | ||||
3778 | case 112: | ||||
3779 | #line 1013 "/usr/src/sbin/iked/parse.y" | ||||
3780 | { yyval.v.ikemode = IKED_POLICY_SKIP0x10; } | ||||
3781 | break; | ||||
3782 | case 113: | ||||
3783 | #line 1014 "/usr/src/sbin/iked/parse.y" | ||||
3784 | { yyval.v.ikemode = IKED_POLICY_DEFAULT0x01; } | ||||
3785 | break; | ||||
3786 | case 114: | ||||
3787 | #line 1017 "/usr/src/sbin/iked/parse.y" | ||||
3788 | { yyval.v.ikemode = IKED_POLICY_PASSIVE0x00; } | ||||
3789 | break; | ||||
3790 | case 115: | ||||
3791 | #line 1018 "/usr/src/sbin/iked/parse.y" | ||||
3792 | { yyval.v.ikemode = IKED_POLICY_PASSIVE0x00; } | ||||
3793 | break; | ||||
3794 | case 116: | ||||
3795 | #line 1019 "/usr/src/sbin/iked/parse.y" | ||||
3796 | { yyval.v.ikemode = IKED_POLICY_ACTIVE0x02; } | ||||
3797 | break; | ||||
3798 | case 117: | ||||
3799 | #line 1022 "/usr/src/sbin/iked/parse.y" | ||||
3800 | { yyval.v.ikemode = 0; } | ||||
3801 | break; | ||||
3802 | case 118: | ||||
3803 | #line 1023 "/usr/src/sbin/iked/parse.y" | ||||
3804 | { yyval.v.ikemode = IKED_POLICY_IPCOMP0x20; } | ||||
3805 | break; | ||||
3806 | case 119: | ||||
3807 | #line 1026 "/usr/src/sbin/iked/parse.y" | ||||
3808 | { yyval.v.ikemode = 0; } | ||||
3809 | break; | ||||
3810 | case 120: | ||||
3811 | #line 1027 "/usr/src/sbin/iked/parse.y" | ||||
3812 | { yyval.v.ikemode = 0; } | ||||
3813 | break; | ||||
3814 | case 121: | ||||
3815 | #line 1028 "/usr/src/sbin/iked/parse.y" | ||||
3816 | { yyval.v.ikemode = IKED_POLICY_TRANSPORT0x40; } | ||||
3817 | break; | ||||
3818 | case 122: | ||||
3819 | #line 1031 "/usr/src/sbin/iked/parse.y" | ||||
3820 | { | ||||
3821 | yyval.v.ikeauth.auth_method = IKEV2_AUTH_SIG_ANY255; /* default */ | ||||
3822 | yyval.v.ikeauth.auth_eap = 0; | ||||
3823 | yyval.v.ikeauth.auth_length = 0; | ||||
3824 | } | ||||
3825 | break; | ||||
3826 | case 123: | ||||
3827 | #line 1036 "/usr/src/sbin/iked/parse.y" | ||||
3828 | { | ||||
3829 | memcpy(&yyval.v.ikeauth, &yyvsp[0].v.ikekey, sizeof(yyval.v.ikeauth)); | ||||
3830 | yyval.v.ikeauth.auth_method = IKEV2_AUTH_SHARED_KEY_MIC2; | ||||
3831 | yyval.v.ikeauth.auth_eap = 0; | ||||
3832 | explicit_bzero(&yyvsp[0].v.ikekey, sizeof(yyvsp[0].v.ikekey)); | ||||
3833 | } | ||||
3834 | break; | ||||
3835 | case 124: | ||||
3836 | #line 1042 "/usr/src/sbin/iked/parse.y" | ||||
3837 | { | ||||
3838 | unsigned int i; | ||||
3839 | |||||
3840 | for (i = 0; i < strlen(yyvsp[0].v.string); i++) | ||||
3841 | if (yyvsp[0].v.string[i] == '-') | ||||
3842 | yyvsp[0].v.string[i] = '_'; | ||||
3843 | |||||
3844 | if (strcasecmp("mschap_v2", yyvsp[0].v.string) != 0) { | ||||
3845 | yyerror("unsupported EAP method: %s", yyvsp[0].v.string); | ||||
3846 | free(yyvsp[0].v.string); | ||||
3847 | YYERRORgoto yyerrlab; | ||||
3848 | } | ||||
3849 | free(yyvsp[0].v.string); | ||||
3850 | |||||
3851 | yyval.v.ikeauth.auth_method = IKEV2_AUTH_SIG_ANY255; | ||||
3852 | yyval.v.ikeauth.auth_eap = EAP_TYPE_MSCHAP_V226; | ||||
3853 | yyval.v.ikeauth.auth_length = 0; | ||||
3854 | } | ||||
3855 | break; | ||||
3856 | case 125: | ||||
3857 | #line 1060 "/usr/src/sbin/iked/parse.y" | ||||
3858 | { | ||||
3859 | const struct ipsec_xf *xf; | ||||
3860 | |||||
3861 | if ((xf = parse_xf(yyvsp[0].v.string, 0, methodxfs)) == NULL((void *)0) || | ||||
3862 | xf->id == IKEV2_AUTH_NONE0) { | ||||
3863 | yyerror("not a valid authentication mode"); | ||||
3864 | free(yyvsp[0].v.string); | ||||
3865 | YYERRORgoto yyerrlab; | ||||
3866 | } | ||||
3867 | free(yyvsp[0].v.string); | ||||
3868 | |||||
3869 | yyval.v.ikeauth.auth_method = xf->id; | ||||
3870 | yyval.v.ikeauth.auth_eap = 0; | ||||
3871 | yyval.v.ikeauth.auth_length = 0; | ||||
3872 | } | ||||
3873 | break; | ||||
3874 | case 126: | ||||
3875 | #line 1077 "/usr/src/sbin/iked/parse.y" | ||||
3876 | { | ||||
3877 | yyval.v.number = yyvsp[0].v.number; | ||||
3878 | } | ||||
3879 | break; | ||||
3880 | case 127: | ||||
3881 | #line 1080 "/usr/src/sbin/iked/parse.y" | ||||
3882 | { | ||||
3883 | uint64_t bytes = 0; | ||||
3884 | char unit = 0; | ||||
3885 | |||||
3886 | if (sscanf(yyvsp[0].v.string, "%llu%c", &bytes, &unit) != 2) { | ||||
3887 | yyerror("invalid byte specification: %s", yyvsp[0].v.string); | ||||
3888 | YYERRORgoto yyerrlab; | ||||
3889 | } | ||||
3890 | free(yyvsp[0].v.string); | ||||
3891 | switch (toupper((unsigned char)unit)) { | ||||
3892 | case 'K': | ||||
3893 | bytes *= 1024; | ||||
3894 | break; | ||||
3895 | case 'M': | ||||
3896 | bytes *= 1024 * 1024; | ||||
3897 | break; | ||||
3898 | case 'G': | ||||
3899 | bytes *= 1024 * 1024 * 1024; | ||||
3900 | break; | ||||
3901 | default: | ||||
3902 | yyerror("invalid byte unit"); | ||||
3903 | YYERRORgoto yyerrlab; | ||||
3904 | } | ||||
3905 | yyval.v.number = bytes; | ||||
3906 | } | ||||
3907 | break; | ||||
3908 | case 128: | ||||
3909 | #line 1107 "/usr/src/sbin/iked/parse.y" | ||||
3910 | { | ||||
3911 | yyval.v.number = yyvsp[0].v.number; | ||||
3912 | } | ||||
3913 | break; | ||||
3914 | case 129: | ||||
3915 | #line 1110 "/usr/src/sbin/iked/parse.y" | ||||
3916 | { | ||||
3917 | uint64_t seconds = 0; | ||||
3918 | char unit = 0; | ||||
3919 | |||||
3920 | if (sscanf(yyvsp[0].v.string, "%llu%c", &seconds, &unit) != 2) { | ||||
3921 | yyerror("invalid time specification: %s", yyvsp[0].v.string); | ||||
3922 | YYERRORgoto yyerrlab; | ||||
3923 | } | ||||
3924 | free(yyvsp[0].v.string); | ||||
3925 | switch (tolower((unsigned char)unit)) { | ||||
3926 | case 'm': | ||||
3927 | seconds *= 60; | ||||
3928 | break; | ||||
3929 | case 'h': | ||||
3930 | seconds *= 60 * 60; | ||||
3931 | break; | ||||
3932 | default: | ||||
3933 | yyerror("invalid time unit"); | ||||
3934 | YYERRORgoto yyerrlab; | ||||
3935 | } | ||||
3936 | yyval.v.number = seconds; | ||||
3937 | } | ||||
3938 | break; | ||||
3939 | case 130: | ||||
3940 | #line 1134 "/usr/src/sbin/iked/parse.y" | ||||
3941 | { | ||||
3942 | yyval.v.lifetime = deflifetime; | ||||
3943 | } | ||||
3944 | break; | ||||
3945 | case 131: | ||||
3946 | #line 1137 "/usr/src/sbin/iked/parse.y" | ||||
3947 | { | ||||
3948 | yyval.v.lifetime.lt_seconds = yyvsp[0].v.number; | ||||
3949 | yyval.v.lifetime.lt_bytes = deflifetime.lt_bytes; | ||||
3950 | } | ||||
3951 | break; | ||||
3952 | case 132: | ||||
3953 | #line 1141 "/usr/src/sbin/iked/parse.y" | ||||
3954 | { | ||||
3955 | yyval.v.lifetime.lt_seconds = yyvsp[-2].v.number; | ||||
3956 | yyval.v.lifetime.lt_bytes = yyvsp[0].v.number; | ||||
3957 | } | ||||
3958 | break; | ||||
3959 | case 133: | ||||
3960 | #line 1147 "/usr/src/sbin/iked/parse.y" | ||||
3961 | { | ||||
3962 | yyval.v.number = 0; | ||||
3963 | } | ||||
3964 | break; | ||||
3965 | case 134: | ||||
3966 | #line 1150 "/usr/src/sbin/iked/parse.y" | ||||
3967 | { | ||||
3968 | yyval.v.number = yyvsp[0].v.number; | ||||
3969 | } | ||||
3970 | break; | ||||
3971 | case 135: | ||||
3972 | #line 1154 "/usr/src/sbin/iked/parse.y" | ||||
3973 | { | ||||
3974 | uint8_t *hex; | ||||
3975 | |||||
3976 | bzero(&yyval.v.ikekey, sizeof(yyval.v.ikekey)); | ||||
3977 | |||||
3978 | hex = yyvsp[0].v.string; | ||||
3979 | if (strncmp(hex, "0x", 2) == 0) { | ||||
3980 | hex += 2; | ||||
3981 | if (parsekey(hex, strlen(hex), &yyval.v.ikekey) != 0) { | ||||
3982 | free(yyvsp[0].v.string); | ||||
3983 | YYERRORgoto yyerrlab; | ||||
3984 | } | ||||
3985 | } else { | ||||
3986 | if (strlen(yyvsp[0].v.string) > sizeof(yyval.v.ikekey.auth_data)) { | ||||
3987 | yyerror("psk too long"); | ||||
3988 | free(yyvsp[0].v.string); | ||||
3989 | YYERRORgoto yyerrlab; | ||||
3990 | } | ||||
3991 | strlcpy(yyval.v.ikekey.auth_data, yyvsp[0].v.string, | ||||
3992 | sizeof(yyval.v.ikekey.auth_data)); | ||||
3993 | yyval.v.ikekey.auth_length = strlen(yyvsp[0].v.string); | ||||
3994 | } | ||||
3995 | freezero(yyvsp[0].v.string, strlen(yyvsp[0].v.string)); | ||||
3996 | } | ||||
3997 | break; | ||||
3998 | case 136: | ||||
3999 | #line 1178 "/usr/src/sbin/iked/parse.y" | ||||
4000 | { | ||||
4001 | if (parsekeyfile(yyvsp[0].v.string, &yyval.v.ikekey) != 0) { | ||||
4002 | free(yyvsp[0].v.string); | ||||
4003 | YYERRORgoto yyerrlab; | ||||
4004 | } | ||||
4005 | free(yyvsp[0].v.string); | ||||
4006 | } | ||||
4007 | break; | ||||
4008 | case 137: | ||||
4009 | #line 1187 "/usr/src/sbin/iked/parse.y" | ||||
4010 | { | ||||
4011 | if ((ipsec_filters = calloc(1, | ||||
4012 | sizeof(struct ipsec_filters))) == NULL((void *)0)) | ||||
4013 | err(1, "filters: calloc"); | ||||
4014 | } | ||||
4015 | break; | ||||
4016 | case 138: | ||||
4017 | #line 1192 "/usr/src/sbin/iked/parse.y" | ||||
4018 | { | ||||
4019 | yyval.v.filters = ipsec_filters; | ||||
4020 | } | ||||
4021 | break; | ||||
4022 | case 139: | ||||
4023 | #line 1195 "/usr/src/sbin/iked/parse.y" | ||||
4024 | { | ||||
4025 | yyval.v.filters = NULL((void *)0); | ||||
4026 | } | ||||
4027 | break; | ||||
4028 | case 142: | ||||
4029 | #line 1205 "/usr/src/sbin/iked/parse.y" | ||||
4030 | { | ||||
4031 | ipsec_filters->tag = yyvsp[0].v.string; | ||||
4032 | } | ||||
4033 | break; | ||||
4034 | case 143: | ||||
4035 | #line 1209 "/usr/src/sbin/iked/parse.y" | ||||
4036 | { | ||||
4037 | const char *errstr = NULL((void *)0); | ||||
4038 | size_t len; | ||||
4039 | |||||
4040 | len = strcspn(yyvsp[0].v.string, "0123456789"); | ||||
4041 | if (strlen("enc") != len || | ||||
4042 | strncmp("enc", yyvsp[0].v.string, len) != 0) { | ||||
4043 | yyerror("invalid tap interface name: %s", yyvsp[0].v.string); | ||||
4044 | free(yyvsp[0].v.string); | ||||
4045 | YYERRORgoto yyerrlab; | ||||
4046 | } | ||||
4047 | ipsec_filters->tap = | ||||
4048 | strtonum(yyvsp[0].v.string + len, 0, UINT_MAX0xffffffffU, &errstr); | ||||
4049 | free(yyvsp[0].v.string); | ||||
4050 | if (errstr != NULL((void *)0)) { | ||||
4051 | yyerror("invalid tap interface unit: %s", | ||||
4052 | errstr); | ||||
4053 | YYERRORgoto yyerrlab; | ||||
4054 | } | ||||
4055 | } | ||||
4056 | break; | ||||
4057 | case 144: | ||||
4058 | #line 1231 "/usr/src/sbin/iked/parse.y" | ||||
4059 | { | ||||
4060 | yyval.v.string = NULL((void *)0); | ||||
4061 | } | ||||
4062 | break; | ||||
4063 | case 145: | ||||
4064 | #line 1234 "/usr/src/sbin/iked/parse.y" | ||||
4065 | { | ||||
4066 | yyval.v.string = yyvsp[0].v.string; | ||||
4067 | } | ||||
4068 | break; | ||||
4069 | case 146: | ||||
4070 | #line 1239 "/usr/src/sbin/iked/parse.y" | ||||
4071 | { | ||||
4072 | if (asprintf(&yyval.v.string, "%s %s", yyvsp[-1].v.string, yyvsp[0].v.string) == -1) | ||||
4073 | err(1, "string: asprintf"); | ||||
4074 | free(yyvsp[-1].v.string); | ||||
4075 | free(yyvsp[0].v.string); | ||||
4076 | } | ||||
4077 | break; | ||||
4078 | case 148: | ||||
4079 | #line 1249 "/usr/src/sbin/iked/parse.y" | ||||
4080 | { | ||||
4081 | char *s = yyvsp[-2].v.string; | ||||
4082 | log_debug("%s = \"%s\"\n", yyvsp[-2].v.string, yyvsp[0].v.string); | ||||
4083 | while (*s++) { | ||||
4084 | if (isspace((unsigned char)*s)) { | ||||
4085 | yyerror("macro name cannot contain " | ||||
4086 | "whitespace"); | ||||
4087 | free(yyvsp[-2].v.string); | ||||
4088 | free(yyvsp[0].v.string); | ||||
4089 | YYERRORgoto yyerrlab; | ||||
4090 | } | ||||
4091 | } | ||||
4092 | if (symset(yyvsp[-2].v.string, yyvsp[0].v.string, 0) == -1) | ||||
4093 | err(1, "cannot store variable"); | ||||
4094 | free(yyvsp[-2].v.string); | ||||
4095 | free(yyvsp[0].v.string); | ||||
4096 | } | ||||
4097 | break; | ||||
4098 | case 158: | ||||
4099 | #line 1287 "/usr/src/sbin/iked/parse.y" | ||||
4100 | { | ||||
4101 | int c; | ||||
4102 | |||||
4103 | while ((c = lgetc(0)) != '\n' && c != EOF(-1)) | ||||
4104 | ; /* nothing */ | ||||
4105 | if (c == '\n') | ||||
4106 | lungetc(c); | ||||
4107 | } | ||||
4108 | break; | ||||
4109 | #line 4102 "parse.c" | ||||
4110 | } | ||||
4111 | yyssp -= yym; | ||||
4112 | yystate = *yyssp; | ||||
4113 | yyvsp -= yym; | ||||
4114 | yym = yylhs[yyn]; | ||||
4115 | if (yystate
| ||||
4116 | { | ||||
4117 | #if YYDEBUG0 | ||||
4118 | if (yydebug) | ||||
4119 | printf("%sdebug: after reduction, shifting from state 0 to\ | ||||
4120 | state %d\n", YYPREFIX"yy", YYFINAL1); | ||||
4121 | #endif | ||||
4122 | yystate = YYFINAL1; | ||||
4123 | *++yyssp = YYFINAL1; | ||||
4124 | *++yyvsp = yyval; | ||||
4125 | if (yychar
| ||||
4126 | { | ||||
4127 | if ((yychar = yylex()) < 0) yychar = 0; | ||||
4128 | #if YYDEBUG0 | ||||
4129 | if (yydebug) | ||||
4130 | { | ||||
4131 | yys = 0; | ||||
4132 | if (yychar <= YYMAXTOKEN330) yys = yyname[yychar]; | ||||
4133 | if (!yys) yys = "illegal-symbol"; | ||||
4134 | printf("%sdebug: state %d, reading %d (%s)\n", | ||||
4135 | YYPREFIX"yy", YYFINAL1, yychar, yys); | ||||
4136 | } | ||||
4137 | #endif | ||||
4138 | } | ||||
4139 | if (yychar == 0) goto yyaccept; | ||||
4140 | goto yyloop; | ||||
4141 | } | ||||
4142 | if ((yyn = yygindex[yym]) && (yyn += yystate) >= 0 && | ||||
4143 | yyn <= YYTABLESIZE745 && yycheck[yyn] == yystate) | ||||
4144 | yystate = yytable[yyn]; | ||||
4145 | else | ||||
4146 | yystate = yydgoto[yym]; | ||||
4147 | #if YYDEBUG0 | ||||
4148 | if (yydebug) | ||||
4149 | printf("%sdebug: after reduction, shifting from state %d \ | ||||
4150 | to state %d\n", YYPREFIX"yy", *yyssp, yystate); | ||||
4151 | #endif | ||||
4152 | if (yyssp >= yysslim && yygrowstack()) | ||||
4153 | { | ||||
4154 | goto yyoverflow; | ||||
4155 | } | ||||
4156 | *++yyssp = yystate; | ||||
4157 | *++yyvsp = yyval; | ||||
4158 | goto yyloop; | ||||
4159 | yyoverflow: | ||||
4160 | yyerror("yacc stack overflow"); | ||||
4161 | yyabort: | ||||
4162 | if (yyss) | ||||
4163 | free(yyss); | ||||
4164 | if (yyvs) | ||||
4165 | free(yyvs); | ||||
4166 | yyss = yyssp = NULL((void *)0); | ||||
4167 | yyvs = yyvsp = NULL((void *)0); | ||||
4168 | yystacksize = 0; | ||||
4169 | return (1); | ||||
4170 | yyaccept: | ||||
4171 | if (yyss) | ||||
4172 | free(yyss); | ||||
4173 | if (yyvs) | ||||
4174 | free(yyvs); | ||||
4175 | yyss = yyssp = NULL((void *)0); | ||||
4176 | yyvs = yyvsp = NULL((void *)0); | ||||
4177 | yystacksize = 0; | ||||
4178 | return (0); | ||||
4179 | } |