Bug Summary

File:src/sbin/iked/obj/parse.c
Warning:line 2016, column 4
Value stored to 's6' is never read

Annotated Source Code

Press '?' to see keyboard shortcuts

clang -cc1 -cc1 -triple amd64-unknown-openbsd7.4 -analyze -disable-free -clear-ast-before-backend -disable-llvm-verifier -discard-value-names -main-file-name parse.c -analyzer-checker=core -analyzer-checker=apiModeling -analyzer-checker=unix -analyzer-checker=deadcode -analyzer-checker=security.insecureAPI.UncheckedReturn -analyzer-checker=security.insecureAPI.getpw -analyzer-checker=security.insecureAPI.gets -analyzer-checker=security.insecureAPI.mktemp -analyzer-checker=security.insecureAPI.mkstemp -analyzer-checker=security.insecureAPI.vfork -analyzer-checker=nullability.NullPassedToNonnull -analyzer-checker=nullability.NullReturnedFromNonnull -analyzer-output plist -w -setup-static-analyzer -mrelocation-model pic -pic-level 1 -pic-is-pie -mframe-pointer=all -relaxed-aliasing -ffp-contract=on -fno-rounding-math -mconstructor-aliases -funwind-tables=2 -target-cpu x86-64 -target-feature +retpoline-indirect-calls -target-feature +retpoline-indirect-branches -tune-cpu generic -debugger-tuning=gdb -fcoverage-compilation-dir=/usr/src/sbin/iked/obj -resource-dir /usr/local/llvm16/lib/clang/16 -I /usr/src/sbin/iked -internal-isystem /usr/local/llvm16/lib/clang/16/include -internal-externc-isystem /usr/include -O2 -fdebug-compilation-dir=/usr/src/sbin/iked/obj -ferror-limit 19 -fwrapv -D_RET_PROTECTOR -ret-protector -fcf-protection=branch -fno-jump-tables -fgnuc-version=4.2.1 -vectorize-loops -vectorize-slp -fno-builtin-malloc -fno-builtin-calloc -fno-builtin-realloc -fno-builtin-valloc -fno-builtin-free -fno-builtin-strdup -fno-builtin-strndup -analyzer-output=html -faddrsig -D__GCC_HAVE_DWARF2_CFI_ASM=1 -o /home/ben/Projects/scan/2024-01-11-140451-98009-1 -x c parse.c
1#include <stdlib.h>
2#include <string.h>
3#define YYBYACC1 1
4#define YYMAJOR1 1
5#define YYMINOR9 9
6#define YYLEXyylex() yylex()
7#define YYEMPTY-1 -1
8#define yyclearin(yychar=(-1)) (yychar=(YYEMPTY-1))
9#define yyerrok(yyerrflag=0) (yyerrflag=0)
10#define YYRECOVERING()(yyerrflag!=0) (yyerrflag!=0)
11#define YYPREFIX"yy" "yy"
12#line 26 "/usr/src/sbin/iked/parse.y"
13#include <sys/types.h>
14#include <sys/ioctl.h>
15#include <sys/queue.h>
16#include <sys/socket.h>
17#include <sys/stat.h>
18#include <net/if.h>
19#include <netinet/in.h>
20#include <netinet/ip_ipsp.h>
21#include <arpa/inet.h>
22
23#include <ctype.h>
24#include <err.h>
25#include <errno(*__errno()).h>
26#include <fcntl.h>
27#include <ifaddrs.h>
28#include <limits.h>
29#include <netdb.h>
30#include <stdarg.h>
31#include <stdio.h>
32#include <stdlib.h>
33#include <string.h>
34#include <syslog.h>
35#include <unistd.h>
36#include <event.h>
37
38#include "iked.h"
39#include "ikev2.h"
40#include "eap.h"
41
42TAILQ_HEAD(files, file)struct files { struct file *tqh_first; struct file **tqh_last
; } files = TAILQ_HEAD_INITIALIZER(files){ ((void *)0), &(files).tqh_first };
43static struct file {
44 TAILQ_ENTRY(file)struct { struct file *tqe_next; struct file **tqe_prev; } entry;
45 FILE *stream;
46 char *name;
47 size_t ungetpos;
48 size_t ungetsize;
49 u_char *ungetbuf;
50 int eof_reached;
51 int lineno;
52 int errors;
53} *file, *topfile;
54struct file *pushfile(const char *, int);
55int popfile(void);
56int check_file_secrecy(int, const char *);
57int yyparse(void);
58int yylex(void);
59int yyerror(const char *, ...)
60 __attribute__((__format__ (printf, 1, 2)))
61 __attribute__((__nonnull__ (1)));
62int kw_cmp(const void *, const void *);
63int lookup(char *);
64int igetc(void);
65int lgetc(int);
66void lungetc(int);
67int findeol(void);
68
69TAILQ_HEAD(symhead, sym)struct symhead { struct sym *tqh_first; struct sym **tqh_last
; } symhead = TAILQ_HEAD_INITIALIZER(symhead){ ((void *)0), &(symhead).tqh_first };
70struct sym {
71 TAILQ_ENTRY(sym)struct { struct sym *tqe_next; struct sym **tqe_prev; } entry;
72 int used;
73 int persist;
74 char *nam;
75 char *val;
76};
77int symset(const char *, const char *, int);
78char *symget(const char *);
79
80#define KEYSIZE_LIMIT1024 1024
81
82static struct iked *env = NULL((void *)0);
83static int debug = 0;
84static int rules = 0;
85static int passive = 0;
86static int decouple = 0;
87static int mobike = 1;
88static int enforcesingleikesa = 0;
89static int stickyaddress = 0;
90static int fragmentation = 0;
91static int vendorid = 1;
92static int dpd_interval = IKED_IKE_SA_ALIVE_TIMEOUT60;
93static char *ocsp_url = NULL((void *)0);
94static long ocsp_tolerate = 0;
95static long ocsp_maxage = -1;
96static int cert_partial_chain = 0;
97
98struct iked_transform ikev2_default_ike_transforms[] = {
99 { IKEV2_XFORMTYPE_ENCR1, IKEV2_XFORMENCR_AES_CBC12, 256 },
100 { IKEV2_XFORMTYPE_ENCR1, IKEV2_XFORMENCR_AES_CBC12, 192 },
101 { IKEV2_XFORMTYPE_ENCR1, IKEV2_XFORMENCR_AES_CBC12, 128 },
102 { IKEV2_XFORMTYPE_ENCR1, IKEV2_XFORMENCR_3DES3 },
103 { IKEV2_XFORMTYPE_PRF2, IKEV2_XFORMPRF_HMAC_SHA2_2565 },
104 { IKEV2_XFORMTYPE_PRF2, IKEV2_XFORMPRF_HMAC_SHA2_3846 },
105 { IKEV2_XFORMTYPE_PRF2, IKEV2_XFORMPRF_HMAC_SHA2_5127 },
106 { IKEV2_XFORMTYPE_PRF2, IKEV2_XFORMPRF_HMAC_SHA12 },
107 { IKEV2_XFORMTYPE_INTEGR3, IKEV2_XFORMAUTH_HMAC_SHA2_256_12812 },
108 { IKEV2_XFORMTYPE_INTEGR3, IKEV2_XFORMAUTH_HMAC_SHA2_384_19213 },
109 { IKEV2_XFORMTYPE_INTEGR3, IKEV2_XFORMAUTH_HMAC_SHA2_512_25614 },
110 { IKEV2_XFORMTYPE_INTEGR3, IKEV2_XFORMAUTH_HMAC_SHA1_962 },
111 { IKEV2_XFORMTYPE_DH4, IKEV2_XFORMDH_CURVE2551931 },
112 { IKEV2_XFORMTYPE_DH4, IKEV2_XFORMDH_ECP_52121 },
113 { IKEV2_XFORMTYPE_DH4, IKEV2_XFORMDH_ECP_38420 },
114 { IKEV2_XFORMTYPE_DH4, IKEV2_XFORMDH_ECP_25619 },
115 { IKEV2_XFORMTYPE_DH4, IKEV2_XFORMDH_MODP_409616 },
116 { IKEV2_XFORMTYPE_DH4, IKEV2_XFORMDH_MODP_307215 },
117 { IKEV2_XFORMTYPE_DH4, IKEV2_XFORMDH_MODP_204814 },
118 { IKEV2_XFORMTYPE_DH4, IKEV2_XFORMDH_MODP_15365 },
119 { IKEV2_XFORMTYPE_DH4, IKEV2_XFORMDH_MODP_10242 },
120 { 0 }
121};
122size_t ikev2_default_nike_transforms = ((sizeof(ikev2_default_ike_transforms) /
123 sizeof(ikev2_default_ike_transforms[0])) - 1);
124
125struct iked_transform ikev2_default_ike_transforms_noauth[] = {
126 { IKEV2_XFORMTYPE_ENCR1, IKEV2_XFORMENCR_AES_GCM_1620, 128 },
127 { IKEV2_XFORMTYPE_ENCR1, IKEV2_XFORMENCR_AES_GCM_1620, 256 },
128 { IKEV2_XFORMTYPE_PRF2, IKEV2_XFORMPRF_HMAC_SHA2_2565 },
129 { IKEV2_XFORMTYPE_PRF2, IKEV2_XFORMPRF_HMAC_SHA2_3846 },
130 { IKEV2_XFORMTYPE_PRF2, IKEV2_XFORMPRF_HMAC_SHA2_5127 },
131 { IKEV2_XFORMTYPE_PRF2, IKEV2_XFORMPRF_HMAC_SHA12 },
132 { IKEV2_XFORMTYPE_DH4, IKEV2_XFORMDH_CURVE2551931 },
133 { IKEV2_XFORMTYPE_DH4, IKEV2_XFORMDH_ECP_52121 },
134 { IKEV2_XFORMTYPE_DH4, IKEV2_XFORMDH_ECP_38420 },
135 { IKEV2_XFORMTYPE_DH4, IKEV2_XFORMDH_ECP_25619 },
136 { IKEV2_XFORMTYPE_DH4, IKEV2_XFORMDH_MODP_409616 },
137 { IKEV2_XFORMTYPE_DH4, IKEV2_XFORMDH_MODP_307215 },
138 { IKEV2_XFORMTYPE_DH4, IKEV2_XFORMDH_MODP_204814 },
139 { IKEV2_XFORMTYPE_DH4, IKEV2_XFORMDH_MODP_15365 },
140 { IKEV2_XFORMTYPE_DH4, IKEV2_XFORMDH_MODP_10242 },
141 { 0 }
142};
143size_t ikev2_default_nike_transforms_noauth =
144 ((sizeof(ikev2_default_ike_transforms_noauth) /
145 sizeof(ikev2_default_ike_transforms_noauth[0])) - 1);
146
147struct iked_transform ikev2_default_esp_transforms[] = {
148 { IKEV2_XFORMTYPE_ENCR1, IKEV2_XFORMENCR_AES_CBC12, 256 },
149 { IKEV2_XFORMTYPE_ENCR1, IKEV2_XFORMENCR_AES_CBC12, 192 },
150 { IKEV2_XFORMTYPE_ENCR1, IKEV2_XFORMENCR_AES_CBC12, 128 },
151 { IKEV2_XFORMTYPE_INTEGR3, IKEV2_XFORMAUTH_HMAC_SHA2_256_12812 },
152 { IKEV2_XFORMTYPE_INTEGR3, IKEV2_XFORMAUTH_HMAC_SHA2_384_19213 },
153 { IKEV2_XFORMTYPE_INTEGR3, IKEV2_XFORMAUTH_HMAC_SHA2_512_25614 },
154 { IKEV2_XFORMTYPE_INTEGR3, IKEV2_XFORMAUTH_HMAC_SHA1_962 },
155 { IKEV2_XFORMTYPE_DH4, IKEV2_XFORMDH_NONE0 },
156 { IKEV2_XFORMTYPE_ESN5, IKEV2_XFORMESN_ESN1 },
157 { IKEV2_XFORMTYPE_ESN5, IKEV2_XFORMESN_NONE0 },
158 { 0 }
159};
160size_t ikev2_default_nesp_transforms = ((sizeof(ikev2_default_esp_transforms) /
161 sizeof(ikev2_default_esp_transforms[0])) - 1);
162
163struct iked_transform ikev2_default_esp_transforms_noauth[] = {
164 { IKEV2_XFORMTYPE_ENCR1, IKEV2_XFORMENCR_AES_GCM_1620, 128 },
165 { IKEV2_XFORMTYPE_ENCR1, IKEV2_XFORMENCR_AES_GCM_1620, 256 },
166 { IKEV2_XFORMTYPE_DH4, IKEV2_XFORMDH_NONE0 },
167 { IKEV2_XFORMTYPE_ESN5, IKEV2_XFORMESN_ESN1 },
168 { IKEV2_XFORMTYPE_ESN5, IKEV2_XFORMESN_NONE0 },
169 { 0 }
170};
171size_t ikev2_default_nesp_transforms_noauth =
172 ((sizeof(ikev2_default_esp_transforms_noauth) /
173 sizeof(ikev2_default_esp_transforms_noauth[0])) - 1);
174
175const struct ipsec_xf authxfs[] = {
176 { "hmac-md5", IKEV2_XFORMAUTH_HMAC_MD5_961, 16 },
177 { "hmac-sha1", IKEV2_XFORMAUTH_HMAC_SHA1_962, 20 },
178 { "hmac-sha2-256", IKEV2_XFORMAUTH_HMAC_SHA2_256_12812, 32 },
179 { "hmac-sha2-384", IKEV2_XFORMAUTH_HMAC_SHA2_384_19213, 48 },
180 { "hmac-sha2-512", IKEV2_XFORMAUTH_HMAC_SHA2_512_25614, 64 },
181 { NULL((void *)0) }
182};
183
184const struct ipsec_xf prfxfs[] = {
185 { "hmac-md5", IKEV2_XFORMPRF_HMAC_MD51, 16 },
186 { "hmac-sha1", IKEV2_XFORMPRF_HMAC_SHA12, 20 },
187 { "hmac-sha2-256", IKEV2_XFORMPRF_HMAC_SHA2_2565, 32 },
188 { "hmac-sha2-384", IKEV2_XFORMPRF_HMAC_SHA2_3846, 48 },
189 { "hmac-sha2-512", IKEV2_XFORMPRF_HMAC_SHA2_5127, 64 },
190 { NULL((void *)0) }
191};
192
193const struct ipsec_xf *encxfs = NULL((void *)0);
194
195const struct ipsec_xf ikeencxfs[] = {
196 { "3des", IKEV2_XFORMENCR_3DES3, 24 },
197 { "3des-cbc", IKEV2_XFORMENCR_3DES3, 24 },
198 { "aes-128", IKEV2_XFORMENCR_AES_CBC12, 16, 16 },
199 { "aes-192", IKEV2_XFORMENCR_AES_CBC12, 24, 24 },
200 { "aes-256", IKEV2_XFORMENCR_AES_CBC12, 32, 32 },
201 { "aes-128-gcm", IKEV2_XFORMENCR_AES_GCM_1620, 16, 16, 4, 1 },
202 { "aes-256-gcm", IKEV2_XFORMENCR_AES_GCM_1620, 32, 32, 4, 1 },
203 { "aes-128-gcm-12", IKEV2_XFORMENCR_AES_GCM_1219, 16, 16, 4, 1 },
204 { "aes-256-gcm-12", IKEV2_XFORMENCR_AES_GCM_1219, 32, 32, 4, 1 },
205 { NULL((void *)0) }
206};
207
208const struct ipsec_xf ipsecencxfs[] = {
209 { "3des", IKEV2_XFORMENCR_3DES3, 24 },
210 { "3des-cbc", IKEV2_XFORMENCR_3DES3, 24 },
211 { "aes-128", IKEV2_XFORMENCR_AES_CBC12, 16, 16 },
212 { "aes-192", IKEV2_XFORMENCR_AES_CBC12, 24, 24 },
213 { "aes-256", IKEV2_XFORMENCR_AES_CBC12, 32, 32 },
214 { "aes-128-ctr", IKEV2_XFORMENCR_AES_CTR13, 16, 16, 4 },
215 { "aes-192-ctr", IKEV2_XFORMENCR_AES_CTR13, 24, 24, 4 },
216 { "aes-256-ctr", IKEV2_XFORMENCR_AES_CTR13, 32, 32, 4 },
217 { "aes-128-gcm", IKEV2_XFORMENCR_AES_GCM_1620, 16, 16, 4, 1 },
218 { "aes-192-gcm", IKEV2_XFORMENCR_AES_GCM_1620, 24, 24, 4, 1 },
219 { "aes-256-gcm", IKEV2_XFORMENCR_AES_GCM_1620, 32, 32, 4, 1 },
220 { "aes-128-gmac", IKEV2_XFORMENCR_NULL_AES_GMAC21, 16, 16, 4, 1 },
221 { "aes-192-gmac", IKEV2_XFORMENCR_NULL_AES_GMAC21, 24, 24, 4, 1 },
222 { "aes-256-gmac", IKEV2_XFORMENCR_NULL_AES_GMAC21, 32, 32, 4, 1 },
223 { "blowfish", IKEV2_XFORMENCR_BLOWFISH7, 20, 20 },
224 { "cast", IKEV2_XFORMENCR_CAST6, 16, 16 },
225 { "chacha20-poly1305", IKEV2_XFORMENCR_CHACHA20_POLY130528,
226 32, 32, 4, 1 },
227 { "null", IKEV2_XFORMENCR_NULL11, 0, 0 },
228 { NULL((void *)0) }
229};
230
231const struct ipsec_xf groupxfs[] = {
232 { "none", IKEV2_XFORMDH_NONE0 },
233 { "modp768", IKEV2_XFORMDH_MODP_7681 },
234 { "grp1", IKEV2_XFORMDH_MODP_7681 },
235 { "modp1024", IKEV2_XFORMDH_MODP_10242 },
236 { "grp2", IKEV2_XFORMDH_MODP_10242 },
237 { "modp1536", IKEV2_XFORMDH_MODP_15365 },
238 { "grp5", IKEV2_XFORMDH_MODP_15365 },
239 { "modp2048", IKEV2_XFORMDH_MODP_204814 },
240 { "grp14", IKEV2_XFORMDH_MODP_204814 },
241 { "modp3072", IKEV2_XFORMDH_MODP_307215 },
242 { "grp15", IKEV2_XFORMDH_MODP_307215 },
243 { "modp4096", IKEV2_XFORMDH_MODP_409616 },
244 { "grp16", IKEV2_XFORMDH_MODP_409616 },
245 { "modp6144", IKEV2_XFORMDH_MODP_614417 },
246 { "grp17", IKEV2_XFORMDH_MODP_614417 },
247 { "modp8192", IKEV2_XFORMDH_MODP_819218 },
248 { "grp18", IKEV2_XFORMDH_MODP_819218 },
249 { "ecp256", IKEV2_XFORMDH_ECP_25619 },
250 { "grp19", IKEV2_XFORMDH_ECP_25619 },
251 { "ecp384", IKEV2_XFORMDH_ECP_38420 },
252 { "grp20", IKEV2_XFORMDH_ECP_38420 },
253 { "ecp521", IKEV2_XFORMDH_ECP_52121 },
254 { "grp21", IKEV2_XFORMDH_ECP_52121 },
255 { "ecp192", IKEV2_XFORMDH_ECP_19225 },
256 { "grp25", IKEV2_XFORMDH_ECP_19225 },
257 { "ecp224", IKEV2_XFORMDH_ECP_22426 },
258 { "grp26", IKEV2_XFORMDH_ECP_22426 },
259 { "brainpool224", IKEV2_XFORMDH_BRAINPOOL_P224R127 },
260 { "grp27", IKEV2_XFORMDH_BRAINPOOL_P224R127 },
261 { "brainpool256", IKEV2_XFORMDH_BRAINPOOL_P256R128 },
262 { "grp28", IKEV2_XFORMDH_BRAINPOOL_P256R128 },
263 { "brainpool384", IKEV2_XFORMDH_BRAINPOOL_P384R129 },
264 { "grp29", IKEV2_XFORMDH_BRAINPOOL_P384R129 },
265 { "brainpool512", IKEV2_XFORMDH_BRAINPOOL_P512R130 },
266 { "grp30", IKEV2_XFORMDH_BRAINPOOL_P512R130 },
267 { "curve25519", IKEV2_XFORMDH_CURVE2551931 },
268 { "grp31", IKEV2_XFORMDH_CURVE2551931 },
269 { "sntrup761x25519", IKEV2_XFORMDH_X_SNTRUP761X255191035 },
270 { NULL((void *)0) }
271};
272
273const struct ipsec_xf esnxfs[] = {
274 { "esn", IKEV2_XFORMESN_ESN1 },
275 { "noesn", IKEV2_XFORMESN_NONE0 },
276 { NULL((void *)0) }
277};
278
279const struct ipsec_xf methodxfs[] = {
280 { "none", IKEV2_AUTH_NONE0 },
281 { "rsa", IKEV2_AUTH_RSA_SIG1 },
282 { "ecdsa256", IKEV2_AUTH_ECDSA_2569 },
283 { "ecdsa384", IKEV2_AUTH_ECDSA_38410 },
284 { "ecdsa521", IKEV2_AUTH_ECDSA_52111 },
285 { "rfc7427", IKEV2_AUTH_SIG14 },
286 { "signature", IKEV2_AUTH_SIG_ANY255 },
287 { NULL((void *)0) }
288};
289
290const struct ipsec_xf saxfs[] = {
291 { "esp", IKEV2_SAPROTO_ESP3 },
292 { "ah", IKEV2_SAPROTO_AH2 },
293 { NULL((void *)0) }
294};
295
296const struct ipsec_xf cpxfs[] = {
297 { "address", IKEV2_CFG_INTERNAL_IP4_ADDRESS1, AF_INET2 },
298 { "netmask", IKEV2_CFG_INTERNAL_IP4_NETMASK2, AF_INET2 },
299 { "name-server", IKEV2_CFG_INTERNAL_IP4_DNS3, AF_INET2 },
300 { "netbios-server", IKEV2_CFG_INTERNAL_IP4_NBNS4, AF_INET2 },
301 { "dhcp-server", IKEV2_CFG_INTERNAL_IP4_DHCP6, AF_INET2 },
302 { "address", IKEV2_CFG_INTERNAL_IP6_ADDRESS8, AF_INET624 },
303 { "name-server", IKEV2_CFG_INTERNAL_IP6_DNS10, AF_INET624 },
304 { "netbios-server", IKEV2_CFG_INTERNAL_IP6_NBNS11, AF_INET624 },
305 { "dhcp-server", IKEV2_CFG_INTERNAL_IP6_DHCP12, AF_INET624 },
306 { "protected-subnet", IKEV2_CFG_INTERNAL_IP4_SUBNET13, AF_INET2 },
307 { "protected-subnet", IKEV2_CFG_INTERNAL_IP6_SUBNET15, AF_INET624 },
308 { "access-server", IKEV2_CFG_INTERNAL_IP4_SERVER23456, AF_INET2 },
309 { "access-server", IKEV2_CFG_INTERNAL_IP6_SERVER23457, AF_INET624 },
310 { NULL((void *)0) }
311};
312
313const struct iked_lifetime deflifetime = {
314 IKED_LIFETIME_BYTES4294967296ULL,
315 IKED_LIFETIME_SECONDS10800
316};
317
318#define IPSEC_ADDR_ANY(0x1) (0x1)
319#define IPSEC_ADDR_DYNAMIC(0x2) (0x2)
320
321struct ipsec_addr_wrap {
322 struct sockaddr_storage address;
323 uint8_t mask;
324 int netaddress;
325 sa_family_t af;
326 unsigned int type;
327 unsigned int action;
328 uint16_t port;
329 char *name;
330 struct ipsec_addr_wrap *next;
331 struct ipsec_addr_wrap *tail;
332 struct ipsec_addr_wrap *srcnat;
333};
334
335struct ipsec_hosts {
336 struct ipsec_addr_wrap *src;
337 struct ipsec_addr_wrap *dst;
338};
339
340struct ipsec_filters {
341 char *tag;
342 unsigned int tap;
343};
344
345void copy_sockaddrtoipa(struct ipsec_addr_wrap *,
346 struct sockaddr *);
347struct ipsec_addr_wrap *host(const char *);
348struct ipsec_addr_wrap *host_ip(const char *, int);
349struct ipsec_addr_wrap *host_dns(const char *, int);
350struct ipsec_addr_wrap *host_if(const char *, int);
351struct ipsec_addr_wrap *host_any(void);
352struct ipsec_addr_wrap *host_dynamic(void);
353void ifa_load(void);
354int ifa_exists(const char *);
355struct ipsec_addr_wrap *ifa_lookup(const char *ifa_name);
356struct ipsec_addr_wrap *ifa_grouplookup(const char *);
357void set_ipmask(struct ipsec_addr_wrap *, int);
358const struct ipsec_xf *parse_xf(const char *, unsigned int,
359 const struct ipsec_xf *);
360void copy_transforms(unsigned int,
361 const struct ipsec_xf **, unsigned int,
362 struct iked_transform **, unsigned int *,
363 struct iked_transform *, size_t);
364int create_ike(char *, int, struct ipsec_addr_wrap *,
365 int, struct ipsec_hosts *,
366 struct ipsec_hosts *, struct ipsec_mode *,
367 struct ipsec_mode *, uint8_t,
368 uint8_t, char *, char *,
369 uint32_t, struct iked_lifetime *,
370 struct iked_auth *, struct ipsec_filters *,
371 struct ipsec_addr_wrap *, char *);
372int create_user(const char *, const char *);
373int get_id_type(char *);
374uint8_t x2i(unsigned char *);
375int parsekey(unsigned char *, size_t, struct iked_auth *);
376int parsekeyfile(char *, struct iked_auth *);
377void iaw_free(struct ipsec_addr_wrap *);
378static int create_flow(struct iked_policy *pol, int, struct ipsec_addr_wrap *ipa,
379 struct ipsec_addr_wrap *ipb);
380static int expand_flows(struct iked_policy *, int, struct ipsec_addr_wrap *,
381 struct ipsec_addr_wrap *);
382static struct ipsec_addr_wrap *
383 expand_keyword(struct ipsec_addr_wrap *);
384
385struct ipsec_transforms *ipsec_transforms;
386struct ipsec_filters *ipsec_filters;
387struct ipsec_mode *ipsec_mode;
388/* interface lookup routintes */
389struct ipsec_addr_wrap *iftab;
390
391typedef struct {
392 union {
393 int64_t number;
394 uint8_t ikemode;
395 uint8_t dir;
396 uint8_t satype;
397 char *string;
398 uint16_t port;
399 struct ipsec_hosts *hosts;
400 struct ipsec_hosts peers;
401 struct ipsec_addr_wrap *anyhost;
402 struct ipsec_addr_wrap *host;
403 struct ipsec_addr_wrap *cfg;
404 struct ipsec_addr_wrap *proto;
405 struct {
406 char *srcid;
407 char *dstid;
408 } ids;
409 char *id;
410 uint8_t type;
411 struct iked_lifetime lifetime;
412 struct iked_auth ikeauth;
413 struct iked_auth ikekey;
414 struct ipsec_transforms *transforms;
415 struct ipsec_filters *filters;
416 struct ipsec_mode *mode;
417 } v;
418 int lineno;
419} YYSTYPE;
420
421#line 422 "parse.c"
422#define FROM257 257
423#define ESP258 258
424#define AH259 259
425#define IN260 260
426#define PEER261 261
427#define ON262 262
428#define OUT263 263
429#define TO264 264
430#define SRCID265 265
431#define DSTID266 266
432#define PSK267 267
433#define PORT268 268
434#define FILENAME269 269
435#define AUTHXF270 270
436#define PRFXF271 271
437#define ENCXF272 272
438#define ERROR273 273
439#define IKEV2274 274
440#define IKESA275 275
441#define CHILDSA276 276
442#define ESN277 277
443#define NOESN278 278
444#define PASSIVE279 279
445#define ACTIVE280 280
446#define ANY281 281
447#define TAG282 282
448#define TAP283 283
449#define PROTO284 284
450#define LOCAL285 285
451#define GROUP286 286
452#define NAME287 287
453#define CONFIG288 288
454#define EAP289 289
455#define USER290 290
456#define IKEV1291 291
457#define FLOW292 292
458#define SA293 293
459#define TCPMD5294 294
460#define TUNNEL295 295
461#define TRANSPORT296 296
462#define COUPLE297 297
463#define DECOUPLE298 298
464#define SET299 299
465#define INCLUDE300 300
466#define LIFETIME301 301
467#define BYTES302 302
468#define INET303 303
469#define INET6304 304
470#define QUICK305 305
471#define SKIP306 306
472#define DEFAULT307 307
473#define IPCOMP308 308
474#define OCSP309 309
475#define IKELIFETIME310 310
476#define MOBIKE311 311
477#define NOMOBIKE312 312
478#define RDOMAIN313 313
479#define FRAGMENTATION314 314
480#define NOFRAGMENTATION315 315
481#define DPD_CHECK_INTERVAL316 316
482#define ENFORCESINGLEIKESA317 317
483#define NOENFORCESINGLEIKESA318 318
484#define STICKYADDRESS319 319
485#define NOSTICKYADDRESS320 320
486#define VENDORID321 321
487#define NOVENDORID322 322
488#define TOLERATE323 323
489#define MAXAGE324 324
490#define DYNAMIC325 325
491#define CERTPARTIALCHAIN326 326
492#define REQUEST327 327
493#define IFACE328 328
494#define STRING329 329
495#define NUMBER330 330
496#define YYERRCODE256 256
497const short yylhs[] =
498 { -1,
499 0, 0, 0, 0, 0, 0, 0, 0, 0, 46,
500 46, 39, 40, 40, 40, 40, 40, 40, 40, 40,
501 40, 40, 40, 40, 40, 40, 40, 40, 40, 40,
502 40, 41, 42, 36, 36, 37, 37, 35, 35, 33,
503 33, 2, 2, 2, 10, 10, 10, 3, 3, 3,
504 4, 4, 5, 5, 11, 11, 7, 7, 6, 6,
505 8, 8, 9, 9, 12, 12, 12, 12, 12, 13,
506 13, 15, 15, 14, 14, 14, 14, 16, 16, 16,
507 16, 17, 48, 18, 18, 47, 47, 49, 49, 49,
508 49, 49, 38, 38, 51, 27, 27, 50, 50, 53,
509 52, 55, 28, 28, 54, 54, 57, 56, 20, 21,
510 21, 21, 21, 22, 22, 22, 23, 23, 24, 24,
511 24, 25, 25, 25, 25, 30, 30, 31, 31, 29,
512 29, 29, 32, 32, 26, 26, 59, 19, 19, 58,
513 58, 60, 60, 34, 34, 1, 1, 43, 44, 44,
514 44, 44, 61, 61, 61, 61, 61, 45,
515};
516const short yylen[] =
517 { 2,
518 0, 3, 2, 3, 3, 3, 3, 4, 3, 1,
519 0, 2, 2, 2, 2, 2, 2, 2, 2, 2,
520 2, 2, 2, 2, 2, 2, 3, 5, 7, 2,
521 3, 3, 18, 0, 1, 1, 2, 3, 3, 0,
522 1, 0, 1, 1, 0, 1, 1, 0, 2, 4,
523 1, 3, 1, 1, 0, 2, 1, 3, 6, 6,
524 0, 2, 1, 1, 0, 4, 4, 2, 2, 1,
525 1, 1, 3, 1, 4, 1, 1, 0, 4, 2,
526 2, 1, 0, 2, 0, 2, 1, 2, 2, 2,
527 2, 1, 1, 1, 0, 2, 0, 2, 1, 0,
528 3, 0, 2, 0, 2, 1, 0, 3, 4, 0,
529 1, 1, 1, 0, 1, 1, 0, 1, 0, 1,
530 1, 0, 2, 2, 1, 1, 1, 1, 1, 0,
531 2, 4, 0, 2, 1, 2, 0, 2, 0, 2,
532 1, 2, 2, 0, 2, 2, 1, 3, 1, 1,
533 1, 1, 1, 1, 1, 1, 1, 0,
534};
535const short yydefred[] =
536 { 1,
537 0, 0, 154, 155, 0, 0, 149, 151, 153, 152,
538 156, 157, 0, 0, 0, 3, 0, 0, 0, 0,
539 0, 158, 150, 9, 41, 0, 0, 14, 13, 15,
540 16, 0, 19, 20, 17, 18, 0, 23, 24, 25,
541 26, 21, 22, 30, 12, 0, 2, 4, 5, 6,
542 7, 0, 111, 112, 113, 0, 0, 32, 0, 31,
543 147, 0, 8, 43, 44, 0, 115, 116, 0, 0,
544 146, 46, 47, 0, 118, 0, 129, 128, 0, 0,
545 0, 120, 121, 109, 0, 53, 54, 0, 49, 0,
546 0, 29, 0, 51, 56, 0, 0, 57, 0, 10,
547 50, 0, 76, 77, 0, 0, 0, 0, 0, 0,
548 0, 0, 52, 0, 0, 0, 0, 0, 71, 0,
549 70, 0, 0, 0, 58, 73, 63, 64, 62, 0,
550 0, 0, 0, 0, 0, 0, 100, 0, 99, 0,
551 75, 0, 66, 67, 0, 0, 0, 107, 0, 106,
552 0, 98, 59, 60, 82, 0, 81, 0, 0, 0,
553 105, 101, 0, 0, 134, 0, 0, 108, 0, 0,
554 0, 93, 94, 0, 92, 0, 87, 79, 0, 0,
555 0, 125, 0, 88, 90, 89, 91, 86, 0, 0,
556 135, 123, 124, 0, 0, 36, 0, 0, 127, 126,
557 132, 136, 0, 0, 0, 0, 37, 38, 39, 145,
558 33, 0, 0, 0, 0, 141, 142, 143, 140,
559};
560const short yydgoto[] =
561 { 1,
562 62, 66, 81, 93, 89, 98, 99, 116, 129, 74,
563 91, 111, 120, 106, 121, 147, 156, 162, 211, 56,
564 57, 69, 76, 84, 183, 192, 123, 135, 167, 201,
565 79, 159, 26, 206, 196, 197, 198, 175, 17, 18,
566 19, 20, 21, 22, 52, 102, 176, 163, 177, 138,
567 124, 139, 151, 149, 136, 150, 160, 215, 212, 216,
568 23,
569};
570const short yysindex[] =
571 { 0,
572 184, 25, 0, 0, -290, -282, 0, 0, 0, 0,
573 0, 0, 399, -276, 24, 0, 70, 81, 86, 92,
574 98, 0, 0, 0, 0, -262, -206, 0, 0, 0,
575 0, -192, 0, 0, 0, 0, -214, 0, 0, 0,
576 0, 0, 0, 0, 0, -188, 0, 0, 0, 0,
577 0, 116, 0, 0, 0, -235, -260, 0, -189, 0,
578 0, -172, 0, 0, 0, -229, 0, 0, -165, -253,
579 0, 0, 0, -117, 0, -201, 0, 0, -158, -121,
580 -144, 0, 0, 0, -253, 0, 0, -231, 0, -160,
581 -195, 0, -37, 0, 0, -239, -239, 0, -43, 0,
582 0, -231, 0, 0, 127, -93, 136, -93, -269, -269,
583 0, -195, 0, -152, -223, -87, -150, -77, 0, -103,
584 0, -75, 0, -88, 0, 0, 0, 0, 0, -239,
585 147, -239, -269, -269, -153, -86, 0, -88, 0, -93,
586 0, -93, 0, 0, -136, -136, -115, 0, -86, 0,
587 0, 0, 0, 0, 0, -69, 0, -253, -102, 0,
588 0, 0, -213, -136, 0, -253, -257, 0, -131, -129,
589 -127, 0, 0, -126, 0, -213, 0, 0, -113, -261,
590 -123, 0, -275, 0, 0, 0, 0, 0, -194, -122,
591 0, 0, 0, -119, -116, 0, -111, -275, 0, 0,
592 0, 0, -150, -269, -114, 0, 0, 0, 0, 0,
593 0, -133, -110, -109, -133, 0, 0, 0, 0,};
594const short yyrindex[] =
595 { 0,
596 0, 0, 0, 0, -175, 0, 0, 0, 0, 0,
597 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
598 0, 0, 0, 0, 0, -140, 0, 0, 0, 0,
599 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
600 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
601 0, 0, 0, 0, 0, -142, -112, 0, 201, 0,
602 0, 202, 0, 0, 0, -243, 0, 0, -203, 0,
603 0, 0, 0, -246, 0, -99, 0, 0, 206, 0,
604 -186, 0, 0, 0, 0, 0, 0, 0, 0, 0,
605 0, 0, -176, 0, 0, 0, 0, 0, 171, 0,
606 0, 0, 0, 0, -10, -42, 19, -36, 0, 0,
607 220, 0, 0, 0, 0, 0, 0, 0, 0, 240,
608 0, 288, 353, 0, 0, 0, 0, 0, 0, 0,
609 0, 0, 0, 0, 251, 0, 0, 357, 0, 104,
610 0, 104, 0, 0, 0, 0, 23, 0, 93, 0,
611 56, 0, 0, 0, 0, 343, 0, 0, 406, 141,
612 0, 0, 0, 0, 0, 0, 27, 0, 0, 0,
613 0, 0, 0, 0, 0, 320, 0, 0, 416, 0,
614 0, 0, 115, 0, 0, 0, 0, 0, 0, 0,
615 0, 0, 0, 0, 0, 0, -1, 117, 0, 0,
616 0, 0, 0, 0, 0, 6, 0, 0, 0, 0,
617 0, 0, 0, 0, 213, 0, 0, 0, 0,};
618const short yygindex[] =
619 { 0,
620 0, 0, 0, 0, -66, 112, 0, -91, 0, 0,
621 0, 0, -107, -82, -92, 0, -118, 65, 0, 0,
622 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
623 -79, 0, 0, 0, 28, 0, 0, 0, 0, 0,
624 0, 0, 0, 0, 0, 128, 0, 0, 52, 0,
625 0, 91, 0, 0, 0, 82, 0, 0, 0, 17,
626 0,
627};
628#define YYTABLESIZE745 745
629const short yytable[] =
630 { 72,
631 100, 88, 122, 107, 107, 92, 100, 190, 144, 180,
632 48, 119, 194, 45, 108, 139, 118, 48, 67, 68,
633 45, 94, 64, 65, 131, 143, 144, 157, 74, 72,
634 72, 181, 133, 72, 24, 113, 122, 107, 25, 107,
635 45, 103, 53, 54, 55, 178, 27, 140, 153, 142,
636 154, 195, 45, 117, 117, 117, 169, 170, 171, 105,
637 117, 96, 74, 172, 173, 85, 48, 191, 97, 45,
638 55, 182, 174, 72, 73, 77, 78, 55, 165, 47,
639 117, 40, 40, 40, 46, 104, 179, 101, 40, 105,
640 48, 117, 117, 82, 83, 49, 209, 86, 87, 117,
641 117, 50, 103, 40, 40, 127, 128, 51, 40, 117,
642 208, 145, 146, 61, 42, 60, 110, 110, 110, 40,
643 40, 42, 58, 110, 34, 63, 35, 40, 40, 40,
644 40, 40, 40, 70, 199, 200, 59, 40, 110, 110,
645 61, 42, 75, 110, 114, 114, 114, 61, 213, 214,
646 85, 114, 11, 11, 110, 110, 71, 119, 119, 119,
647 42, 42, 110, 110, 119, 85, 80, 110, 90, 95,
648 42, 114, 110, 114, 115, 117, 130, 126, 105, 132,
649 65, 133, 114, 114, 119, 134, 137, 141, 189, 148,
650 114, 114, 155, 16, 158, 114, 164, 184, 166, 185,
651 114, 186, 187, 119, 119, 193, 202, 86, 87, 203,
652 27, 148, 204, 119, 210, 28, 205, 109, 217, 218,
653 61, 61, 138, 125, 168, 207, 112, 188, 152, 97,
654 161, 219, 0, 0, 0, 0, 0, 0, 0, 0,
655 0, 110, 0, 0, 0, 0, 72, 0, 0, 68,
656 72, 0, 0, 72, 72, 72, 72, 72, 0, 0,
657 78, 0, 0, 0, 72, 72, 0, 0, 0, 0,
658 0, 72, 72, 0, 72, 74, 0, 72, 72, 74,
659 144, 144, 74, 74, 74, 74, 74, 137, 137, 133,
660 72, 0, 0, 74, 74, 0, 0, 69, 0, 72,
661 74, 74, 0, 74, 133, 133, 74, 74, 122, 122,
662 133, 133, 0, 0, 122, 0, 72, 72, 72, 74,
663 85, 85, 85, 133, 0, 83, 83, 83, 74, 84,
664 85, 85, 83, 83, 0, 0, 0, 85, 85, 0,
665 0, 83, 0, 85, 85, 74, 74, 74, 0, 133,
666 133, 133, 80, 122, 122, 0, 85, 103, 103, 103,
667 61, 0, 104, 0, 61, 85, 96, 61, 61, 61,
668 61, 0, 0, 0, 103, 103, 0, 0, 61, 61,
669 103, 103, 85, 85, 85, 61, 61, 0, 61, 0,
670 0, 61, 61, 103, 0, 0, 34, 34, 35, 35,
671 0, 0, 103, 0, 61, 85, 85, 85, 0, 0,
672 83, 83, 83, 61, 0, 130, 85, 83, 83, 103,
673 103, 103, 85, 85, 0, 131, 83, 11, 85, 85,
674 61, 61, 61, 0, 11, 65, 65, 65, 0, 2,
675 3, 85, 34, 0, 35, 65, 65, 4, 0, 0,
676 85, 0, 65, 65, 0, 0, 0, 5, 65, 65,
677 0, 0, 0, 0, 0, 0, 0, 85, 85, 85,
678 0, 65, 0, 6, 7, 8, 9, 10, 11, 12,
679 65, 0, 13, 14, 97, 97, 97, 0, 0, 0,
680 0, 0, 0, 0, 95, 97, 0, 65, 65, 65,
681 0, 97, 97, 0, 68, 68, 68, 97, 97, 0,
682 0, 0, 15, 0, 68, 68, 0, 78, 0, 0,
683 97, 68, 68, 0, 0, 0, 0, 68, 68, 97,
684 0, 0, 78, 78, 0, 0, 0, 0, 78, 78,
685 68, 0, 0, 0, 0, 0, 97, 97, 97, 68,
686 0, 78, 69, 69, 69, 0, 0, 0, 0, 0,
687 78, 0, 69, 69, 0, 0, 68, 68, 68, 69,
688 69, 0, 0, 0, 0, 69, 69, 78, 78, 78,
689 0, 0, 0, 0, 84, 84, 84, 0, 69, 0,
690 0, 0, 0, 0, 84, 84, 0, 69, 0, 0,
691 0, 84, 84, 0, 0, 0, 0, 84, 84, 80,
692 0, 0, 0, 0, 69, 69, 69, 104, 104, 104,
693 84, 96, 96, 96, 80, 80, 0, 0, 102, 84,
694 80, 80, 96, 0, 104, 104, 0, 0, 96, 96,
695 104, 104, 0, 80, 96, 96, 84, 84, 84, 0,
696 0, 0, 80, 104, 0, 0, 0, 96, 0, 0,
697 0, 0, 104, 0, 0, 0, 96, 0, 0, 80,
698 80, 80, 130, 0, 0, 0, 0, 28, 29, 104,
699 104, 104, 131, 96, 96, 96, 0, 130, 130, 0,
700 0, 0, 0, 130, 130, 30, 31, 131, 131, 0,
701 0, 0, 0, 131, 131, 0, 0, 32, 0, 33,
702 34, 0, 35, 36, 37, 38, 39, 40, 41, 42,
703 43, 0, 0, 0, 44, 0, 0, 0, 0, 0,
704 0, 0, 130, 130, 130, 0, 0, 0, 0, 0,
705 0, 0, 131, 131, 131,
706};
707const short yycheck[] =
708 { 10,
709 44, 123, 110, 96, 97, 85, 44, 269, 10, 267,
710 257, 281, 288, 257, 97, 10, 108, 264, 279, 280,
711 264, 88, 258, 259, 117, 133, 134, 146, 10, 40,
712 41, 289, 10, 44, 10, 102, 10, 130, 329, 132,
713 284, 281, 305, 306, 307, 164, 329, 130, 140, 132,
714 142, 327, 329, 257, 258, 259, 270, 271, 272, 329,
715 264, 257, 44, 277, 278, 10, 313, 329, 264, 313,
716 257, 329, 286, 303, 304, 329, 330, 264, 158, 10,
717 284, 257, 258, 259, 61, 325, 166, 125, 264, 329,
718 10, 295, 296, 295, 296, 10, 204, 329, 330, 303,
719 304, 10, 10, 279, 280, 329, 330, 10, 284, 313,
720 203, 265, 266, 10, 257, 330, 257, 258, 259, 295,
721 296, 264, 329, 264, 10, 10, 10, 303, 304, 305,
722 306, 307, 308, 323, 329, 330, 329, 313, 279, 280,
723 329, 284, 308, 284, 257, 258, 259, 44, 282, 283,
724 10, 264, 329, 330, 295, 296, 329, 257, 258, 259,
725 303, 304, 303, 304, 264, 324, 284, 308, 313, 330,
726 313, 284, 313, 47, 268, 40, 264, 330, 329, 257,
727 10, 285, 295, 296, 284, 261, 275, 41, 302, 276,
728 303, 304, 329, 10, 310, 308, 266, 329, 301, 329,
729 313, 329, 329, 303, 304, 329, 329, 329, 330, 329,
730 10, 10, 329, 313, 329, 10, 328, 261, 329, 329,
731 257, 264, 10, 112, 160, 198, 99, 176, 138, 10,
732 149, 215, -1, -1, -1, -1, -1, -1, -1, -1,
733 -1, 285, -1, -1, -1, -1, 257, -1, -1, 10,
734 261, -1, -1, 264, 265, 266, 267, 268, -1, -1,
735 10, -1, -1, -1, 275, 276, -1, -1, -1, -1,
736 -1, 282, 283, -1, 285, 257, -1, 288, 289, 261,
737 282, 283, 264, 265, 266, 267, 268, 282, 283, 267,
738 301, -1, -1, 275, 276, -1, -1, 10, -1, 310,
739 282, 283, -1, 285, 282, 283, 288, 289, 282, 283,
740 288, 289, -1, -1, 288, -1, 327, 328, 329, 301,
741 265, 266, 267, 301, -1, 270, 271, 272, 310, 10,
742 275, 276, 277, 278, -1, -1, -1, 282, 283, -1,
743 -1, 286, -1, 288, 289, 327, 328, 329, -1, 327,
744 328, 329, 10, 327, 328, -1, 301, 265, 266, 267,
745 257, -1, 10, -1, 261, 310, 10, 264, 265, 266,
746 267, -1, -1, -1, 282, 283, -1, -1, 275, 276,
747 288, 289, 327, 328, 329, 282, 283, -1, 285, -1,
748 -1, 288, 289, 301, -1, -1, 282, 283, 282, 283,
749 -1, -1, 310, -1, 301, 265, 266, 267, -1, -1,
750 270, 271, 272, 310, -1, 10, 276, 277, 278, 327,
751 328, 329, 282, 283, -1, 10, 286, 257, 288, 289,
752 327, 328, 329, -1, 264, 265, 266, 267, -1, 256,
753 257, 301, 328, -1, 328, 275, 276, 264, -1, -1,
754 310, -1, 282, 283, -1, -1, -1, 274, 288, 289,
755 -1, -1, -1, -1, -1, -1, -1, 327, 328, 329,
756 -1, 301, -1, 290, 291, 292, 293, 294, 295, 296,
757 310, -1, 299, 300, 265, 266, 267, -1, -1, -1,
758 -1, -1, -1, -1, 275, 276, -1, 327, 328, 329,
759 -1, 282, 283, -1, 265, 266, 267, 288, 289, -1,
760 -1, -1, 329, -1, 275, 276, -1, 267, -1, -1,
761 301, 282, 283, -1, -1, -1, -1, 288, 289, 310,
762 -1, -1, 282, 283, -1, -1, -1, -1, 288, 289,
763 301, -1, -1, -1, -1, -1, 327, 328, 329, 310,
764 -1, 301, 265, 266, 267, -1, -1, -1, -1, -1,
765 310, -1, 275, 276, -1, -1, 327, 328, 329, 282,
766 283, -1, -1, -1, -1, 288, 289, 327, 328, 329,
767 -1, -1, -1, -1, 265, 266, 267, -1, 301, -1,
768 -1, -1, -1, -1, 275, 276, -1, 310, -1, -1,
769 -1, 282, 283, -1, -1, -1, -1, 288, 289, 267,
770 -1, -1, -1, -1, 327, 328, 329, 265, 266, 267,
771 301, 265, 266, 267, 282, 283, -1, -1, 276, 310,
772 288, 289, 276, -1, 282, 283, -1, -1, 282, 283,
773 288, 289, -1, 301, 288, 289, 327, 328, 329, -1,
774 -1, -1, 310, 301, -1, -1, -1, 301, -1, -1,
775 -1, -1, 310, -1, -1, -1, 310, -1, -1, 327,
776 328, 329, 267, -1, -1, -1, -1, 279, 280, 327,
777 328, 329, 267, 327, 328, 329, -1, 282, 283, -1,
778 -1, -1, -1, 288, 289, 297, 298, 282, 283, -1,
779 -1, -1, -1, 288, 289, -1, -1, 309, -1, 311,
780 312, -1, 314, 315, 316, 317, 318, 319, 320, 321,
781 322, -1, -1, -1, 326, -1, -1, -1, -1, -1,
782 -1, -1, 327, 328, 329, -1, -1, -1, -1, -1,
783 -1, -1, 327, 328, 329,
784};
785#define YYFINAL1 1
786#ifndef YYDEBUG0
787#define YYDEBUG0 0
788#endif
789#define YYMAXTOKEN330 330
790#if YYDEBUG0
791const char * const yyname[] =
792 {
793"end-of-file",0,0,0,0,0,0,0,0,0,"'\\n'",0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
7940,0,0,0,0,0,0,0,0,"'('","')'",0,0,"','",0,0,"'/'",0,0,0,0,0,0,0,0,0,0,0,0,0,
795"'='",0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
7960,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,"'{'",0,"'}'",0,0,0,0,0,0,0,0,0,
7970,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
7980,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
7990,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
8000,0,"FROM","ESP","AH","IN","PEER","ON","OUT","TO","SRCID","DSTID","PSK","PORT",
801"FILENAME","AUTHXF","PRFXF","ENCXF","ERROR","IKEV2","IKESA","CHILDSA","ESN",
802"NOESN","PASSIVE","ACTIVE","ANY","TAG","TAP","PROTO","LOCAL","GROUP","NAME",
803"CONFIG","EAP","USER","IKEV1","FLOW","SA","TCPMD5","TUNNEL","TRANSPORT",
804"COUPLE","DECOUPLE","SET","INCLUDE","LIFETIME","BYTES","INET","INET6","QUICK",
805"SKIP","DEFAULT","IPCOMP","OCSP","IKELIFETIME","MOBIKE","NOMOBIKE","RDOMAIN",
806"FRAGMENTATION","NOFRAGMENTATION","DPD_CHECK_INTERVAL","ENFORCESINGLEIKESA",
807"NOENFORCESINGLEIKESA","STICKYADDRESS","NOSTICKYADDRESS","VENDORID",
808"NOVENDORID","TOLERATE","MAXAGE","DYNAMIC","CERTPARTIALCHAIN","REQUEST","IFACE",
809"STRING","NUMBER",
810};
811const char * const yyrule[] =
812 {"$accept : grammar",
813"grammar :",
814"grammar : grammar include '\\n'",
815"grammar : grammar '\\n'",
816"grammar : grammar set '\\n'",
817"grammar : grammar user '\\n'",
818"grammar : grammar ikev2rule '\\n'",
819"grammar : grammar varset '\\n'",
820"grammar : grammar otherrule skipline '\\n'",
821"grammar : grammar error '\\n'",
822"comma : ','",
823"comma :",
824"include : INCLUDE STRING",
825"set : SET ACTIVE",
826"set : SET PASSIVE",
827"set : SET COUPLE",
828"set : SET DECOUPLE",
829"set : SET FRAGMENTATION",
830"set : SET NOFRAGMENTATION",
831"set : SET MOBIKE",
832"set : SET NOMOBIKE",
833"set : SET VENDORID",
834"set : SET NOVENDORID",
835"set : SET ENFORCESINGLEIKESA",
836"set : SET NOENFORCESINGLEIKESA",
837"set : SET STICKYADDRESS",
838"set : SET NOSTICKYADDRESS",
839"set : SET OCSP STRING",
840"set : SET OCSP STRING TOLERATE time_spec",
841"set : SET OCSP STRING TOLERATE time_spec MAXAGE time_spec",
842"set : SET CERTPARTIALCHAIN",
843"set : SET DPD_CHECK_INTERVAL NUMBER",
844"user : USER STRING STRING",
845"ikev2rule : IKEV2 name ikeflags satype af proto rdomain hosts_list peers ike_sas child_sas ids ikelifetime lifetime ikeauth ikecfg iface filters",
846"ikecfg :",
847"ikecfg : ikecfgvals",
848"ikecfgvals : cfg",
849"ikecfgvals : ikecfgvals cfg",
850"cfg : CONFIG STRING host_spec",
851"cfg : REQUEST STRING anyhost",
852"name :",
853"name : STRING",
854"satype :",
855"satype : ESP",
856"satype : AH",
857"af :",
858"af : INET",
859"af : INET6",
860"proto :",
861"proto : PROTO protoval",
862"proto : PROTO '{' proto_list '}'",
863"proto_list : protoval",
864"proto_list : proto_list comma protoval",
865"protoval : STRING",
866"protoval : NUMBER",
867"rdomain :",
868"rdomain : RDOMAIN NUMBER",
869"hosts_list : hosts",
870"hosts_list : hosts_list comma hosts",
871"hosts : FROM host port TO host port",
872"hosts : TO host port FROM host port",
873"port :",
874"port : PORT portval",
875"portval : STRING",
876"portval : NUMBER",
877"peers :",
878"peers : PEER anyhost LOCAL anyhost",
879"peers : LOCAL anyhost PEER anyhost",
880"peers : PEER anyhost",
881"peers : LOCAL anyhost",
882"anyhost : host_spec",
883"anyhost : ANY",
884"host_spec : STRING",
885"host_spec : STRING '/' NUMBER",
886"host : host_spec",
887"host : host_spec '(' host_spec ')'",
888"host : ANY",
889"host : DYNAMIC",
890"ids :",
891"ids : SRCID id DSTID id",
892"ids : SRCID id",
893"ids : DSTID id",
894"id : STRING",
895"$$1 :",
896"transforms : $$1 transforms_l",
897"transforms :",
898"transforms_l : transforms_l transform",
899"transforms_l : transform",
900"transform : AUTHXF STRING",
901"transform : ENCXF STRING",
902"transform : PRFXF STRING",
903"transform : GROUP STRING",
904"transform : transform_esn",
905"transform_esn : ESN",
906"transform_esn : NOESN",
907"$$2 :",
908"ike_sas : $$2 ike_sas_l",
909"ike_sas :",
910"ike_sas_l : ike_sas_l ike_sa",
911"ike_sas_l : ike_sa",
912"$$3 :",
913"ike_sa : IKESA $$3 transforms",
914"$$4 :",
915"child_sas : $$4 child_sas_l",
916"child_sas :",
917"child_sas_l : child_sas_l child_sa",
918"child_sas_l : child_sa",
919"$$5 :",
920"child_sa : CHILDSA $$5 transforms",
921"ikeflags : ikematch ikemode ipcomp tmode",
922"ikematch :",
923"ikematch : QUICK",
924"ikematch : SKIP",
925"ikematch : DEFAULT",
926"ikemode :",
927"ikemode : PASSIVE",
928"ikemode : ACTIVE",
929"ipcomp :",
930"ipcomp : IPCOMP",
931"tmode :",
932"tmode : TUNNEL",
933"tmode : TRANSPORT",
934"ikeauth :",
935"ikeauth : PSK keyspec",
936"ikeauth : EAP STRING",
937"ikeauth : STRING",
938"byte_spec : NUMBER",
939"byte_spec : STRING",
940"time_spec : NUMBER",
941"time_spec : STRING",
942"lifetime :",
943"lifetime : LIFETIME time_spec",
944"lifetime : LIFETIME time_spec BYTES byte_spec",
945"ikelifetime :",
946"ikelifetime : IKELIFETIME time_spec",
947"keyspec : STRING",
948"keyspec : FILENAME STRING",
949"$$6 :",
950"filters : $$6 filters_l",
951"filters :",
952"filters_l : filters_l filter",
953"filters_l : filter",
954"filter : TAG STRING",
955"filter : TAP STRING",
956"iface :",
957"iface : IFACE STRING",
958"string : string STRING",
959"string : STRING",
960"varset : STRING '=' string",
961"otherrule : IKEV1",
962"otherrule : sarule",
963"otherrule : FLOW",
964"otherrule : TCPMD5",
965"sarule : SA",
966"sarule : FROM",
967"sarule : TO",
968"sarule : TUNNEL",
969"sarule : TRANSPORT",
970"skipline :",
971};
972#endif
973#ifdef YYSTACKSIZE10000
974#undef YYMAXDEPTH10000
975#define YYMAXDEPTH10000 YYSTACKSIZE10000
976#else
977#ifdef YYMAXDEPTH10000
978#define YYSTACKSIZE10000 YYMAXDEPTH10000
979#else
980#define YYSTACKSIZE10000 10000
981#define YYMAXDEPTH10000 10000
982#endif
983#endif
984#define YYINITSTACKSIZE200 200
985/* LINTUSED */
986int yydebug;
987int yynerrs;
988int yyerrflag;
989int yychar;
990short *yyssp;
991YYSTYPE *yyvsp;
992YYSTYPE yyval;
993YYSTYPE yylval;
994short *yyss;
995short *yysslim;
996YYSTYPE *yyvs;
997unsigned int yystacksize;
998int yyparse(void);
999#line 1297 "/usr/src/sbin/iked/parse.y"
1000
1001struct keywords {
1002 const char *k_name;
1003 int k_val;
1004};
1005
1006void
1007copy_sockaddrtoipa(struct ipsec_addr_wrap *ipa, struct sockaddr *sa)
1008{
1009 if (sa->sa_family == AF_INET624)
1010 memcpy(&ipa->address, sa, sizeof(struct sockaddr_in6));
1011 else if (sa->sa_family == AF_INET2)
1012 memcpy(&ipa->address, sa, sizeof(struct sockaddr_in));
1013 else
1014 warnx("unhandled af %d", sa->sa_family);
1015}
1016
1017int
1018yyerror(const char *fmt, ...)
1019{
1020 va_list ap;
1021
1022 file->errors++;
1023 va_start(ap, fmt)__builtin_va_start((ap), fmt);
1024 fprintf(stderr(&__sF[2]), "%s: %d: ", file->name, yylval.lineno);
1025 vfprintf(stderr(&__sF[2]), fmt, ap);
1026 fprintf(stderr(&__sF[2]), "\n");
1027 va_end(ap)__builtin_va_end((ap));
1028 return (0);
1029}
1030
1031int
1032kw_cmp(const void *k, const void *e)
1033{
1034 return (strcmp(k, ((const struct keywords *)e)->k_name));
1035}
1036
1037int
1038lookup(char *s)
1039{
1040 /* this has to be sorted always */
1041 static const struct keywords keywords[] = {
1042 { "active", ACTIVE280 },
1043 { "ah", AH259 },
1044 { "any", ANY281 },
1045 { "auth", AUTHXF270 },
1046 { "bytes", BYTES302 },
1047 { "cert_partial_chain", CERTPARTIALCHAIN326 },
1048 { "childsa", CHILDSA276 },
1049 { "config", CONFIG288 },
1050 { "couple", COUPLE297 },
1051 { "decouple", DECOUPLE298 },
1052 { "default", DEFAULT307 },
1053 { "dpd_check_interval", DPD_CHECK_INTERVAL316 },
1054 { "dstid", DSTID266 },
1055 { "dynamic", DYNAMIC325 },
1056 { "eap", EAP289 },
1057 { "enc", ENCXF272 },
1058 { "enforcesingleikesa", ENFORCESINGLEIKESA317 },
1059 { "esn", ESN277 },
1060 { "esp", ESP258 },
1061 { "file", FILENAME269 },
1062 { "flow", FLOW292 },
1063 { "fragmentation", FRAGMENTATION314 },
1064 { "from", FROM257 },
1065 { "group", GROUP286 },
1066 { "iface", IFACE328 },
1067 { "ike", IKEV1291 },
1068 { "ikelifetime", IKELIFETIME310 },
1069 { "ikesa", IKESA275 },
1070 { "ikev2", IKEV2274 },
1071 { "include", INCLUDE300 },
1072 { "inet", INET303 },
1073 { "inet6", INET6304 },
1074 { "ipcomp", IPCOMP308 },
1075 { "lifetime", LIFETIME301 },
1076 { "local", LOCAL285 },
1077 { "maxage", MAXAGE324 },
1078 { "mobike", MOBIKE311 },
1079 { "name", NAME287 },
1080 { "noenforcesingleikesa", NOENFORCESINGLEIKESA318 },
1081 { "noesn", NOESN278 },
1082 { "nofragmentation", NOFRAGMENTATION315 },
1083 { "nomobike", NOMOBIKE312 },
1084 { "nostickyaddress", NOSTICKYADDRESS320 },
1085 { "novendorid", NOVENDORID322 },
1086 { "ocsp", OCSP309 },
1087 { "passive", PASSIVE279 },
1088 { "peer", PEER261 },
1089 { "port", PORT268 },
1090 { "prf", PRFXF271 },
1091 { "proto", PROTO284 },
1092 { "psk", PSK267 },
1093 { "quick", QUICK305 },
1094 { "rdomain", RDOMAIN313 },
1095 { "request", REQUEST327 },
1096 { "sa", SA293 },
1097 { "set", SET299 },
1098 { "skip", SKIP306 },
1099 { "srcid", SRCID265 },
1100 { "stickyaddress", STICKYADDRESS319 },
1101 { "tag", TAG282 },
1102 { "tap", TAP283 },
1103 { "tcpmd5", TCPMD5294 },
1104 { "to", TO264 },
1105 { "tolerate", TOLERATE323 },
1106 { "transport", TRANSPORT296 },
1107 { "tunnel", TUNNEL295 },
1108 { "user", USER290 },
1109 { "vendorid", VENDORID321 }
1110 };
1111 const struct keywords *p;
1112
1113 p = bsearch(s, keywords, sizeof(keywords)/sizeof(keywords[0]),
1114 sizeof(keywords[0]), kw_cmp);
1115
1116 if (p) {
1117 if (debug > 1)
1118 fprintf(stderr(&__sF[2]), "%s: %d\n", s, p->k_val);
1119 return (p->k_val);
1120 } else {
1121 if (debug > 1)
1122 fprintf(stderr(&__sF[2]), "string: %s\n", s);
1123 return (STRING329);
1124 }
1125}
1126
1127#define START_EXPAND1 1
1128#define DONE_EXPAND2 2
1129
1130static int expanding;
1131
1132int
1133igetc(void)
1134{
1135 int c;
1136
1137 while (1) {
1138 if (file->ungetpos > 0)
1139 c = file->ungetbuf[--file->ungetpos];
1140 else
1141 c = getc(file->stream)(!__isthreaded ? (--(file->stream)->_r < 0 ? __srget
(file->stream) : (int)(*(file->stream)->_p++)) : (getc
)(file->stream));
1142
1143 if (c == START_EXPAND1)
1144 expanding = 1;
1145 else if (c == DONE_EXPAND2)
1146 expanding = 0;
1147 else
1148 break;
1149 }
1150 return (c);
1151}
1152
1153int
1154lgetc(int quotec)
1155{
1156 int c, next;
1157
1158 if (quotec) {
1159 if ((c = igetc()) == EOF(-1)) {
1160 yyerror("reached end of file while parsing "
1161 "quoted string");
1162 if (file == topfile || popfile() == EOF(-1))
1163 return (EOF(-1));
1164 return (quotec);
1165 }
1166 return (c);
1167 }
1168
1169 while ((c = igetc()) == '\\') {
1170 next = igetc();
1171 if (next != '\n') {
1172 c = next;
1173 break;
1174 }
1175 yylval.lineno = file->lineno;
1176 file->lineno++;
1177 }
1178
1179 while (c == EOF(-1)) {
1180 /*
1181 * Fake EOL when hit EOF for the first time. This gets line
1182 * count right if last line in included file is syntactically
1183 * invalid and has no newline.
1184 */
1185 if (file->eof_reached == 0) {
1186 file->eof_reached = 1;
1187 return ('\n');
1188 }
1189 while (c == EOF(-1)) {
1190 if (file == topfile || popfile() == EOF(-1))
1191 return (EOF(-1));
1192 c = igetc();
1193 }
1194 }
1195 return (c);
1196}
1197
1198void
1199lungetc(int c)
1200{
1201 if (c == EOF(-1))
1202 return;
1203
1204 if (file->ungetpos >= file->ungetsize) {
1205 void *p = reallocarray(file->ungetbuf, file->ungetsize, 2);
1206 if (p == NULL((void *)0))
1207 err(1, "lungetc");
1208 file->ungetbuf = p;
1209 file->ungetsize *= 2;
1210 }
1211 file->ungetbuf[file->ungetpos++] = c;
1212}
1213
1214int
1215findeol(void)
1216{
1217 int c;
1218
1219 /* skip to either EOF or the first real EOL */
1220 while (1) {
1221 c = lgetc(0);
1222 if (c == '\n') {
1223 file->lineno++;
1224 break;
1225 }
1226 if (c == EOF(-1))
1227 break;
1228 }
1229 return (ERROR273);
1230}
1231
1232int
1233yylex(void)
1234{
1235 char buf[8096];
1236 char *p, *val;
1237 int quotec, next, c;
1238 int token;
1239
1240top:
1241 p = buf;
1242 while ((c = lgetc(0)) == ' ' || c == '\t')
1243 ; /* nothing */
1244
1245 yylval.lineno = file->lineno;
1246 if (c == '#')
1247 while ((c = lgetc(0)) != '\n' && c != EOF(-1))
1248 ; /* nothing */
1249 if (c == '$' && !expanding) {
1250 while (1) {
1251 if ((c = lgetc(0)) == EOF(-1))
1252 return (0);
1253
1254 if (p + 1 >= buf + sizeof(buf) - 1) {
1255 yyerror("string too long");
1256 return (findeol());
1257 }
1258 if (isalnum(c) || c == '_') {
1259 *p++ = c;
1260 continue;
1261 }
1262 *p = '\0';
1263 lungetc(c);
1264 break;
1265 }
1266 val = symget(buf);
1267 if (val == NULL((void *)0)) {
1268 yyerror("macro '%s' not defined", buf);
1269 return (findeol());
1270 }
1271 p = val + strlen(val) - 1;
1272 lungetc(DONE_EXPAND2);
1273 while (p >= val) {
1274 lungetc((unsigned char)*p);
1275 p--;
1276 }
1277 lungetc(START_EXPAND1);
1278 goto top;
1279 }
1280
1281 switch (c) {
1282 case '\'':
1283 case '"':
1284 quotec = c;
1285 while (1) {
1286 if ((c = lgetc(quotec)) == EOF(-1))
1287 return (0);
1288 if (c == '\n') {
1289 file->lineno++;
1290 continue;
1291 } else if (c == '\\') {
1292 if ((next = lgetc(quotec)) == EOF(-1))
1293 return (0);
1294 if (next == quotec || next == ' ' ||
1295 next == '\t')
1296 c = next;
1297 else if (next == '\n') {
1298 file->lineno++;
1299 continue;
1300 } else
1301 lungetc(next);
1302 } else if (c == quotec) {
1303 *p = '\0';
1304 break;
1305 } else if (c == '\0') {
1306 yyerror("syntax error");
1307 return (findeol());
1308 }
1309 if (p + 1 >= buf + sizeof(buf) - 1) {
1310 yyerror("string too long");
1311 return (findeol());
1312 }
1313 *p++ = c;
1314 }
1315 yylval.v.string = strdup(buf);
1316 if (yylval.v.string == NULL((void *)0))
1317 err(1, "%s", __func__);
1318 return (STRING329);
1319 }
1320
1321#define allowed_to_end_number(x)(isspace(x) || x == ')' || x ==',' || x == '/' || x == '}' ||
x == '=') \
1322 (isspace(x) || x == ')' || x ==',' || x == '/' || x == '}' || x == '=')
1323
1324 if (c == '-' || isdigit(c)) {
1325 do {
1326 *p++ = c;
1327 if ((size_t)(p-buf) >= sizeof(buf)) {
1328 yyerror("string too long");
1329 return (findeol());
1330 }
1331 } while ((c = lgetc(0)) != EOF(-1) && isdigit(c));
1332 lungetc(c);
1333 if (p == buf + 1 && buf[0] == '-')
1334 goto nodigits;
1335 if (c == EOF(-1) || allowed_to_end_number(c)(isspace(c) || c == ')' || c ==',' || c == '/' || c == '}' ||
c == '=')) {
1336 const char *errstr = NULL((void *)0);
1337
1338 *p = '\0';
1339 yylval.v.number = strtonum(buf, LLONG_MIN(-0x7fffffffffffffffLL-1),
1340 LLONG_MAX0x7fffffffffffffffLL, &errstr);
1341 if (errstr) {
1342 yyerror("\"%s\" invalid number: %s",
1343 buf, errstr);
1344 return (findeol());
1345 }
1346 return (NUMBER330);
1347 } else {
1348nodigits:
1349 while (p > buf + 1)
1350 lungetc((unsigned char)*--p);
1351 c = (unsigned char)*--p;
1352 if (c == '-')
1353 return (c);
1354 }
1355 }
1356
1357#define allowed_in_string(x)(isalnum(x) || (ispunct(x) && x != '(' && x !=
')' && x != '{' && x != '}' && x != '<'
&& x != '>' && x != '!' && x != '='
&& x != '/' && x != '#' && x != ',')
) \
1358 (isalnum(x) || (ispunct(x) && x != '(' && x != ')' && \
1359 x != '{' && x != '}' && x != '<' && x != '>' && \
1360 x != '!' && x != '=' && x != '/' && x != '#' && \
1361 x != ','))
1362
1363 if (isalnum(c) || c == ':' || c == '_' || c == '*') {
1364 do {
1365 *p++ = c;
1366 if ((size_t)(p-buf) >= sizeof(buf)) {
1367 yyerror("string too long");
1368 return (findeol());
1369 }
1370 } while ((c = lgetc(0)) != EOF(-1) && (allowed_in_string(c)(isalnum(c) || (ispunct(c) && c != '(' && c !=
')' && c != '{' && c != '}' && c != '<'
&& c != '>' && c != '!' && c != '='
&& c != '/' && c != '#' && c != ',')
)));
1371 lungetc(c);
1372 *p = '\0';
1373 if ((token = lookup(buf)) == STRING329)
1374 if ((yylval.v.string = strdup(buf)) == NULL((void *)0))
1375 err(1, "%s", __func__);
1376 return (token);
1377 }
1378 if (c == '\n') {
1379 yylval.lineno = file->lineno;
1380 file->lineno++;
1381 }
1382 if (c == EOF(-1))
1383 return (0);
1384 return (c);
1385}
1386
1387int
1388check_file_secrecy(int fd, const char *fname)
1389{
1390 struct stat st;
1391
1392 if (fstat(fd, &st)) {
1393 warn("cannot stat %s", fname);
1394 return (-1);
1395 }
1396 if (st.st_uid != 0 && st.st_uid != getuid()) {
1397 warnx("%s: owner not root or current user", fname);
1398 return (-1);
1399 }
1400 if (st.st_mode & (S_IWGRP0000020 | S_IXGRP0000010 | S_IRWXO0000007)) {
1401 warnx("%s: group writable or world read/writable", fname);
1402 return (-1);
1403 }
1404 return (0);
1405}
1406
1407struct file *
1408pushfile(const char *name, int secret)
1409{
1410 struct file *nfile;
1411
1412 if ((nfile = calloc(1, sizeof(struct file))) == NULL((void *)0)) {
1413 warn("%s", __func__);
1414 return (NULL((void *)0));
1415 }
1416 if ((nfile->name = strdup(name)) == NULL((void *)0)) {
1417 warn("%s", __func__);
1418 free(nfile);
1419 return (NULL((void *)0));
1420 }
1421 if (TAILQ_FIRST(&files)((&files)->tqh_first) == NULL((void *)0) && strcmp(nfile->name, "-") == 0) {
1422 nfile->stream = stdin(&__sF[0]);
1423 free(nfile->name);
1424 if ((nfile->name = strdup("stdin")) == NULL((void *)0)) {
1425 warn("%s", __func__);
1426 free(nfile);
1427 return (NULL((void *)0));
1428 }
1429 } else if ((nfile->stream = fopen(nfile->name, "r")) == NULL((void *)0)) {
1430 warn("%s: %s", __func__, nfile->name);
1431 free(nfile->name);
1432 free(nfile);
1433 return (NULL((void *)0));
1434 } else if (secret &&
1435 check_file_secrecy(fileno(nfile->stream)(!__isthreaded ? ((nfile->stream)->_file) : (fileno)(nfile
->stream)), nfile->name)) {
1436 fclose(nfile->stream);
1437 free(nfile->name);
1438 free(nfile);
1439 return (NULL((void *)0));
1440 }
1441 nfile->lineno = TAILQ_EMPTY(&files)(((&files)->tqh_first) == ((void *)0)) ? 1 : 0;
1442 nfile->ungetsize = 16;
1443 nfile->ungetbuf = malloc(nfile->ungetsize);
1444 if (nfile->ungetbuf == NULL((void *)0)) {
1445 warn("%s", __func__);
1446 fclose(nfile->stream);
1447 free(nfile->name);
1448 free(nfile);
1449 return (NULL((void *)0));
1450 }
1451 TAILQ_INSERT_TAIL(&files, nfile, entry)do { (nfile)->entry.tqe_next = ((void *)0); (nfile)->entry
.tqe_prev = (&files)->tqh_last; *(&files)->tqh_last
= (nfile); (&files)->tqh_last = &(nfile)->entry
.tqe_next; } while (0);
1452 return (nfile);
1453}
1454
1455int
1456popfile(void)
1457{
1458 struct file *prev;
1459
1460 if ((prev = TAILQ_PREV(file, files, entry)(*(((struct files *)((file)->entry.tqe_prev))->tqh_last
))) != NULL((void *)0))
1461 prev->errors += file->errors;
1462
1463 TAILQ_REMOVE(&files, file, entry)do { if (((file)->entry.tqe_next) != ((void *)0)) (file)->
entry.tqe_next->entry.tqe_prev = (file)->entry.tqe_prev
; else (&files)->tqh_last = (file)->entry.tqe_prev;
*(file)->entry.tqe_prev = (file)->entry.tqe_next; ; ; }
while (0);
1464 fclose(file->stream);
1465 free(file->name);
1466 free(file->ungetbuf);
1467 free(file);
1468 file = prev;
1469
1470 return (file ? 0 : EOF(-1));
1471}
1472
1473int
1474parse_config(const char *filename, struct iked *x_env)
1475{
1476 struct sym *sym;
1477 int errors = 0;
1478
1479 env = x_env;
1480 rules = 0;
1481
1482 if ((file = pushfile(filename, 1)) == NULL((void *)0))
1483 return (-1);
1484 topfile = file;
1485
1486 free(ocsp_url);
1487
1488 mobike = 1;
1489 enforcesingleikesa = stickyaddress = 0;
1490 cert_partial_chain = decouple = passive = 0;
1491 ocsp_tolerate = 0;
1492 ocsp_url = NULL((void *)0);
1493 ocsp_maxage = -1;
1494 fragmentation = 0;
1495 dpd_interval = IKED_IKE_SA_ALIVE_TIMEOUT60;
1496 decouple = passive = 0;
1497 ocsp_url = NULL((void *)0);
1498
1499 if (env->sc_opts & IKED_OPT_PASSIVE0x00000004)
1500 passive = 1;
1501
1502 yyparse();
1503 errors = file->errors;
1504 popfile();
1505
1506 env->sc_passive = passive ? 1 : 0;
1507 env->sc_decoupled = decouple ? 1 : 0;
1508 env->sc_mobikesc_static.st_mobike = mobike;
1509 env->sc_enforcesingleikesasc_static.st_enforcesingleikesa = enforcesingleikesa;
1510 env->sc_stickyaddresssc_static.st_stickyaddress = stickyaddress;
1511 env->sc_fragsc_static.st_frag = fragmentation;
1512 env->sc_alive_timeoutsc_static.st_alive_timeout = dpd_interval;
1513 env->sc_ocsp_url = ocsp_url;
1514 env->sc_ocsp_tolerate = ocsp_tolerate;
1515 env->sc_ocsp_maxage = ocsp_maxage;
1516 env->sc_cert_partial_chain = cert_partial_chain;
1517 env->sc_vendoridsc_static.st_vendorid = vendorid;
1518
1519 if (!rules)
1520 log_warnx("%s: no valid configuration rules found",
1521 filename);
1522 else
1523 log_debug("%s: loaded %d configuration rules",
1524 filename, rules);
1525
1526 /* Free macros and check which have not been used. */
1527 while ((sym = TAILQ_FIRST(&symhead)((&symhead)->tqh_first))) {
1528 if (!sym->used)
1529 log_debug("warning: macro '%s' not "
1530 "used\n", sym->nam);
1531 free(sym->nam);
1532 free(sym->val);
1533 TAILQ_REMOVE(&symhead, sym, entry)do { if (((sym)->entry.tqe_next) != ((void *)0)) (sym)->
entry.tqe_next->entry.tqe_prev = (sym)->entry.tqe_prev;
else (&symhead)->tqh_last = (sym)->entry.tqe_prev;
*(sym)->entry.tqe_prev = (sym)->entry.tqe_next; ; ; } while
(0);
1534 free(sym);
1535 }
1536
1537 iaw_free(iftab);
1538 iftab = NULL((void *)0);
1539
1540 return (errors ? -1 : 0);
1541}
1542
1543int
1544symset(const char *nam, const char *val, int persist)
1545{
1546 struct sym *sym;
1547
1548 TAILQ_FOREACH(sym, &symhead, entry)for((sym) = ((&symhead)->tqh_first); (sym) != ((void *
)0); (sym) = ((sym)->entry.tqe_next)) {
1549 if (strcmp(nam, sym->nam) == 0)
1550 break;
1551 }
1552
1553 if (sym != NULL((void *)0)) {
1554 if (sym->persist == 1)
1555 return (0);
1556 else {
1557 free(sym->nam);
1558 free(sym->val);
1559 TAILQ_REMOVE(&symhead, sym, entry)do { if (((sym)->entry.tqe_next) != ((void *)0)) (sym)->
entry.tqe_next->entry.tqe_prev = (sym)->entry.tqe_prev;
else (&symhead)->tqh_last = (sym)->entry.tqe_prev;
*(sym)->entry.tqe_prev = (sym)->entry.tqe_next; ; ; } while
(0);
1560 free(sym);
1561 }
1562 }
1563 if ((sym = calloc(1, sizeof(*sym))) == NULL((void *)0))
1564 return (-1);
1565
1566 sym->nam = strdup(nam);
1567 if (sym->nam == NULL((void *)0)) {
1568 free(sym);
1569 return (-1);
1570 }
1571 sym->val = strdup(val);
1572 if (sym->val == NULL((void *)0)) {
1573 free(sym->nam);
1574 free(sym);
1575 return (-1);
1576 }
1577 sym->used = 0;
1578 sym->persist = persist;
1579 TAILQ_INSERT_TAIL(&symhead, sym, entry)do { (sym)->entry.tqe_next = ((void *)0); (sym)->entry.
tqe_prev = (&symhead)->tqh_last; *(&symhead)->tqh_last
= (sym); (&symhead)->tqh_last = &(sym)->entry.
tqe_next; } while (0);
1580 return (0);
1581}
1582
1583int
1584cmdline_symset(char *s)
1585{
1586 char *sym, *val;
1587 int ret;
1588
1589 if ((val = strrchr(s, '=')) == NULL((void *)0))
1590 return (-1);
1591
1592 sym = strndup(s, val - s);
1593 if (sym == NULL((void *)0))
1594 err(1, "%s", __func__);
1595 ret = symset(sym, val + 1, 1);
1596 free(sym);
1597
1598 return (ret);
1599}
1600
1601char *
1602symget(const char *nam)
1603{
1604 struct sym *sym;
1605
1606 TAILQ_FOREACH(sym, &symhead, entry)for((sym) = ((&symhead)->tqh_first); (sym) != ((void *
)0); (sym) = ((sym)->entry.tqe_next)) {
1607 if (strcmp(nam, sym->nam) == 0) {
1608 sym->used = 1;
1609 return (sym->val);
1610 }
1611 }
1612 return (NULL((void *)0));
1613}
1614
1615uint8_t
1616x2i(unsigned char *s)
1617{
1618 char ss[3];
1619
1620 ss[0] = s[0];
1621 ss[1] = s[1];
1622 ss[2] = 0;
1623
1624 if (!isxdigit(s[0]) || !isxdigit(s[1])) {
1625 yyerror("keys need to be specified in hex digits");
1626 return (-1);
1627 }
1628 return ((uint8_t)strtoul(ss, NULL((void *)0), 16));
1629}
1630
1631int
1632parsekey(unsigned char *hexkey, size_t len, struct iked_auth *auth)
1633{
1634 unsigned int i;
1635
1636 bzero(auth, sizeof(*auth));
1637 if ((len / 2) > sizeof(auth->auth_data))
1638 return (-1);
1639 auth->auth_length = len / 2;
1640
1641 for (i = 0; i < auth->auth_length; i++)
1642 auth->auth_data[i] = x2i(hexkey + 2 * i);
1643
1644 return (0);
1645}
1646
1647int
1648parsekeyfile(char *filename, struct iked_auth *auth)
1649{
1650 struct stat sb;
1651 int fd, ret;
1652 unsigned char *hex;
1653
1654 if ((fd = open(filename, O_RDONLY0x0000)) == -1)
1655 err(1, "open %s", filename);
1656 if (fstat(fd, &sb) == -1)
1657 err(1, "parsekeyfile: stat %s", filename);
1658 if ((sb.st_size > KEYSIZE_LIMIT1024) || (sb.st_size == 0))
1659 errx(1, "%s: key too %s", filename, sb.st_size ? "large" :
1660 "small");
1661 if ((hex = calloc(sb.st_size, sizeof(unsigned char))) == NULL((void *)0))
1662 err(1, "parsekeyfile: calloc");
1663 if (read(fd, hex, sb.st_size) < sb.st_size)
1664 err(1, "parsekeyfile: read");
1665 close(fd);
1666 ret = parsekey(hex, sb.st_size, auth);
1667 free(hex);
1668 return (ret);
1669}
1670
1671int
1672get_id_type(char *string)
1673{
1674 struct in6_addr ia;
1675
1676 if (string == NULL((void *)0))
1677 return (IKEV2_ID_NONE0);
1678
1679 if (*string == '/')
1680 return (IKEV2_ID_ASN1_DN9);
1681 else if (inet_pton(AF_INET2, string, &ia) == 1)
1682 return (IKEV2_ID_IPV41);
1683 else if (inet_pton(AF_INET624, string, &ia) == 1)
1684 return (IKEV2_ID_IPV65);
1685 else if (strchr(string, '@'))
1686 return (IKEV2_ID_UFQDN3);
1687 else
1688 return (IKEV2_ID_FQDN2);
1689}
1690
1691struct ipsec_addr_wrap *
1692host(const char *s)
1693{
1694 struct ipsec_addr_wrap *ipa = NULL((void *)0);
1695 int mask = -1;
1696 char *p, *ps;
1697 const char *errstr;
1698
1699 if ((ps = strdup(s)) == NULL((void *)0))
1700 err(1, "%s: strdup", __func__);
1701
1702 if ((p = strchr(ps, '/')) != NULL((void *)0)) {
1703 mask = strtonum(p+1, 0, 128, &errstr);
1704 if (errstr) {
1705 fprintf(stderr(&__sF[2]), "netmask is %s: %s\n", errstr, p);
1706 goto error;
1707 }
1708 p[0] = '\0';
1709 }
1710
1711 if ((ipa = host_if(ps, mask)) == NULL((void *)0) &&
1712 (ipa = host_ip(ps, mask)) == NULL((void *)0) &&
1713 (ipa = host_dns(ps, mask)) == NULL((void *)0))
1714 fprintf(stderr(&__sF[2]), "no IP address found for %s\n", s);
1715
1716error:
1717 free(ps);
1718 return (ipa);
1719}
1720
1721struct ipsec_addr_wrap *
1722host_ip(const char *s, int mask)
1723{
1724 struct ipsec_addr_wrap *ipa = NULL((void *)0);
1725 struct addrinfo hints, *res;
1726 char hbuf[NI_MAXHOST256];
1727
1728 bzero(&hints, sizeof(struct addrinfo));
1729 hints.ai_family = AF_UNSPEC0;
1730 hints.ai_socktype = SOCK_DGRAM2; /*dummy*/
1731 hints.ai_flags = AI_NUMERICHOST4;
1732 if (getaddrinfo(s, NULL((void *)0), &hints, &res))
1733 return (NULL((void *)0));
1734 if (res->ai_next)
1735 err(1, "%s: %s expanded to multiple item", __func__, s);
1736
1737 ipa = calloc(1, sizeof(struct ipsec_addr_wrap));
1738 if (ipa == NULL((void *)0))
1739 err(1, "%s", __func__);
1740 ipa->af = res->ai_family;
1741 copy_sockaddrtoipa(ipa, res->ai_addr);
1742 ipa->next = NULL((void *)0);
1743 ipa->tail = ipa;
1744
1745 set_ipmask(ipa, mask);
1746 if (getnameinfo(res->ai_addr, res->ai_addrlen,
1747 hbuf, sizeof(hbuf), NULL((void *)0), 0, NI_NUMERICHOST1)) {
1748 errx(1, "could not get a numeric hostname");
1749 }
1750
1751 if (mask > -1) {
1752 ipa->netaddress = 1;
1753 if (asprintf(&ipa->name, "%s/%d", hbuf, mask) == -1)
1754 err(1, "%s", __func__);
1755 } else {
1756 if ((ipa->name = strdup(hbuf)) == NULL((void *)0))
1757 err(1, "%s", __func__);
1758 }
1759
1760 freeaddrinfo(res);
1761
1762 return (ipa);
1763}
1764
1765struct ipsec_addr_wrap *
1766host_dns(const char *s, int mask)
1767{
1768 struct ipsec_addr_wrap *ipa = NULL((void *)0), *head = NULL((void *)0);
1769 struct addrinfo hints, *res0, *res;
1770 int error;
1771 char hbuf[NI_MAXHOST256];
1772
1773 bzero(&hints, sizeof(struct addrinfo));
1774 hints.ai_family = PF_UNSPEC0;
1775 hints.ai_socktype = SOCK_STREAM1;
1776 hints.ai_flags = AI_ADDRCONFIG64;
1777 error = getaddrinfo(s, NULL((void *)0), &hints, &res0);
1778 if (error)
1779 return (NULL((void *)0));
1780
1781 for (res = res0; res; res = res->ai_next) {
1782 if (res->ai_family != AF_INET2 && res->ai_family != AF_INET624)
1783 continue;
1784
1785 ipa = calloc(1, sizeof(struct ipsec_addr_wrap));
1786 if (ipa == NULL((void *)0))
1787 err(1, "%s", __func__);
1788 copy_sockaddrtoipa(ipa, res->ai_addr);
1789 error = getnameinfo(res->ai_addr, res->ai_addrlen, hbuf,
1790 sizeof(hbuf), NULL((void *)0), 0, NI_NUMERICHOST1);
1791 if (error)
1792 err(1, "host_dns: getnameinfo");
1793 ipa->name = strdup(hbuf);
1794 if (ipa->name == NULL((void *)0))
1795 err(1, "%s", __func__);
1796 ipa->af = res->ai_family;
1797 ipa->next = NULL((void *)0);
1798 ipa->tail = ipa;
1799 if (head == NULL((void *)0))
1800 head = ipa;
1801 else {
1802 head->tail->next = ipa;
1803 head->tail = ipa;
1804 }
1805
1806 /*
1807 * XXX for now, no netmask support for IPv6.
1808 * but since there's no way to specify address family, once you
1809 * have IPv6 address on a host, you cannot use dns/netmask
1810 * syntax.
1811 */
1812 if (ipa->af == AF_INET2)
1813 set_ipmask(ipa, mask == -1 ? 32 : mask);
1814 else
1815 if (mask != -1)
1816 err(1, "host_dns: cannot apply netmask "
1817 "on non-IPv4 address");
1818 }
1819 freeaddrinfo(res0);
1820
1821 return (head);
1822}
1823
1824struct ipsec_addr_wrap *
1825host_if(const char *s, int mask)
1826{
1827 struct ipsec_addr_wrap *ipa = NULL((void *)0);
1828
1829 if (ifa_exists(s))
1830 ipa = ifa_lookup(s);
1831
1832 return (ipa);
1833}
1834
1835struct ipsec_addr_wrap *
1836host_any(void)
1837{
1838 struct ipsec_addr_wrap *ipa;
1839
1840 ipa = calloc(1, sizeof(struct ipsec_addr_wrap));
1841 if (ipa == NULL((void *)0))
1842 err(1, "%s", __func__);
1843 ipa->af = AF_UNSPEC0;
1844 ipa->netaddress = 1;
1845 ipa->tail = ipa;
1846 ipa->type = IPSEC_ADDR_ANY(0x1);
1847 return (ipa);
1848}
1849
1850struct ipsec_addr_wrap *
1851host_dynamic(void)
1852{
1853 struct ipsec_addr_wrap *ipa;
1854
1855 ipa = calloc(1, sizeof(struct ipsec_addr_wrap));
1856 if (ipa == NULL((void *)0))
1857 err(1, "%s", __func__);
1858 ipa->af = AF_UNSPEC0;
1859 ipa->tail = ipa;
1860 ipa->type = IPSEC_ADDR_DYNAMIC(0x2);
1861 return (ipa);
1862}
1863
1864void
1865ifa_load(void)
1866{
1867 struct ifaddrs *ifap, *ifa;
1868 struct ipsec_addr_wrap *n = NULL((void *)0), *h = NULL((void *)0);
1869 struct sockaddr_in *sa_in;
1870 struct sockaddr_in6 *sa_in6;
1871
1872 if (getifaddrs(&ifap) == -1)
1873 err(1, "ifa_load: getifaddrs");
1874
1875 for (ifa = ifap; ifa; ifa = ifa->ifa_next) {
1876 if (ifa->ifa_addr == NULL((void *)0) ||
1877 !(ifa->ifa_addr->sa_family == AF_INET2 ||
1878 ifa->ifa_addr->sa_family == AF_INET624 ||
1879 ifa->ifa_addr->sa_family == AF_LINK18))
1880 continue;
1881 n = calloc(1, sizeof(struct ipsec_addr_wrap));
1882 if (n == NULL((void *)0))
1883 err(1, "%s", __func__);
1884 n->af = ifa->ifa_addr->sa_family;
1885 if ((n->name = strdup(ifa->ifa_name)) == NULL((void *)0))
1886 err(1, "%s", __func__);
1887 if (n->af == AF_INET2) {
1888 sa_in = (struct sockaddr_in *)ifa->ifa_addr;
1889 memcpy(&n->address, sa_in, sizeof(*sa_in));
1890 sa_in = (struct sockaddr_in *)ifa->ifa_netmask;
1891 n->mask = mask2prefixlen((struct sockaddr *)sa_in);
1892 } else if (n->af == AF_INET624) {
1893 sa_in6 = (struct sockaddr_in6 *)ifa->ifa_addr;
1894 memcpy(&n->address, sa_in6, sizeof(*sa_in6));
1895 sa_in6 = (struct sockaddr_in6 *)ifa->ifa_netmask;
1896 n->mask = mask2prefixlen6((struct sockaddr *)sa_in6);
1897 }
1898 n->next = NULL((void *)0);
1899 n->tail = n;
1900 if (h == NULL((void *)0))
1901 h = n;
1902 else {
1903 h->tail->next = n;
1904 h->tail = n;
1905 }
1906 }
1907
1908 iftab = h;
1909 freeifaddrs(ifap);
1910}
1911
1912int
1913ifa_exists(const char *ifa_name)
1914{
1915 struct ipsec_addr_wrap *n;
1916 struct ifgroupreq ifgr;
1917 int s;
1918
1919 if (iftab == NULL((void *)0))
1920 ifa_load();
1921
1922 /* check wether this is a group */
1923 if ((s = socket(AF_INET2, SOCK_DGRAM2, 0)) == -1)
1924 err(1, "ifa_exists: socket");
1925 bzero(&ifgr, sizeof(ifgr));
1926 strlcpy(ifgr.ifgr_name, ifa_name, sizeof(ifgr.ifgr_name));
1927 if (ioctl(s, SIOCGIFGMEMB(((unsigned long)0x80000000|(unsigned long)0x40000000) | ((sizeof
(struct ifgroupreq) & 0x1fff) << 16) | ((('i')) <<
8) | ((138))), (caddr_t)&ifgr) == 0) {
1928 close(s);
1929 return (1);
1930 }
1931 close(s);
1932
1933 for (n = iftab; n; n = n->next) {
1934 if (n->af == AF_LINK18 && !strncmp(n->name, ifa_name,
1935 IFNAMSIZ16))
1936 return (1);
1937 }
1938
1939 return (0);
1940}
1941
1942struct ipsec_addr_wrap *
1943ifa_grouplookup(const char *ifa_name)
1944{
1945 struct ifg_req *ifg;
1946 struct ifgroupreq ifgr;
1947 int s;
1948 size_t len;
1949 struct ipsec_addr_wrap *n, *h = NULL((void *)0), *hn;
1950
1951 if ((s = socket(AF_INET2, SOCK_DGRAM2, 0)) == -1)
1952 err(1, "socket");
1953 bzero(&ifgr, sizeof(ifgr));
1954 strlcpy(ifgr.ifgr_name, ifa_name, sizeof(ifgr.ifgr_name));
1955 if (ioctl(s, SIOCGIFGMEMB(((unsigned long)0x80000000|(unsigned long)0x40000000) | ((sizeof
(struct ifgroupreq) & 0x1fff) << 16) | ((('i')) <<
8) | ((138))), (caddr_t)&ifgr) == -1) {
1956 close(s);
1957 return (NULL((void *)0));
1958 }
1959
1960 len = ifgr.ifgr_len;
1961 if ((ifgr.ifgr_groupsifgr_ifgru.ifgru_groups = calloc(1, len)) == NULL((void *)0))
1962 err(1, "%s", __func__);
1963 if (ioctl(s, SIOCGIFGMEMB(((unsigned long)0x80000000|(unsigned long)0x40000000) | ((sizeof
(struct ifgroupreq) & 0x1fff) << 16) | ((('i')) <<
8) | ((138))), (caddr_t)&ifgr) == -1)
1964 err(1, "ioctl");
1965
1966 for (ifg = ifgr.ifgr_groupsifgr_ifgru.ifgru_groups; ifg && len >= sizeof(struct ifg_req);
1967 ifg++) {
1968 len -= sizeof(struct ifg_req);
1969 if ((n = ifa_lookup(ifg->ifgrq_memberifgrq_ifgrqu.ifgrqu_member)) == NULL((void *)0))
1970 continue;
1971 if (h == NULL((void *)0))
1972 h = n;
1973 else {
1974 for (hn = h; hn->next != NULL((void *)0); hn = hn->next)
1975 ; /* nothing */
1976 hn->next = n;
1977 n->tail = hn;
1978 }
1979 }
1980 free(ifgr.ifgr_groupsifgr_ifgru.ifgru_groups);
1981 close(s);
1982
1983 return (h);
1984}
1985
1986struct ipsec_addr_wrap *
1987ifa_lookup(const char *ifa_name)
1988{
1989 struct ipsec_addr_wrap *p = NULL((void *)0), *h = NULL((void *)0), *n = NULL((void *)0);
1990 struct sockaddr_in6 *in6;
1991 uint8_t *s6;
1992
1993 if (iftab == NULL((void *)0))
1994 ifa_load();
1995
1996 if ((n = ifa_grouplookup(ifa_name)) != NULL((void *)0))
1997 return (n);
1998
1999 for (p = iftab; p; p = p->next) {
2000 if (p->af != AF_INET2 && p->af != AF_INET624)
2001 continue;
2002 if (strncmp(p->name, ifa_name, IFNAMSIZ16))
2003 continue;
2004 n = calloc(1, sizeof(struct ipsec_addr_wrap));
2005 if (n == NULL((void *)0))
2006 err(1, "%s", __func__);
2007 memcpy(n, p, sizeof(struct ipsec_addr_wrap));
2008 if ((n->name = strdup(p->name)) == NULL((void *)0))
2009 err(1, "%s", __func__);
2010 switch (n->af) {
2011 case AF_INET2:
2012 set_ipmask(n, 32);
2013 break;
2014 case AF_INET624:
2015 in6 = (struct sockaddr_in6 *)&n->address;
2016 s6 = (uint8_t *)&in6->sin6_addr.s6_addr__u6_addr.__u6_addr8;
Value stored to 's6' is never read
2017
2018 /* route/show.c and bgpd/util.c give KAME credit */
2019 if (IN6_IS_ADDR_LINKLOCAL(&in6->sin6_addr)(((&in6->sin6_addr)->__u6_addr.__u6_addr8[0] == 0xfe
) && (((&in6->sin6_addr)->__u6_addr.__u6_addr8
[1] & 0xc0) == 0x80))) {
2020 uint16_t tmp16;
2021
2022 /* for now we can not handle link local,
2023 * therefore bail for now
2024 */
2025 free(n->name);
2026 free(n);
2027 continue;
2028
2029 memcpy(&tmp16, &s6[2], sizeof(tmp16));
2030 /* use this when we support link-local
2031 * n->??.scopeid = ntohs(tmp16);
2032 */
2033 s6[2] = 0;
2034 s6[3] = 0;
2035 }
2036 set_ipmask(n, 128);
2037 break;
2038 }
2039
2040 n->next = NULL((void *)0);
2041 n->tail = n;
2042 if (h == NULL((void *)0))
2043 h = n;
2044 else {
2045 h->tail->next = n;
2046 h->tail = n;
2047 }
2048 }
2049
2050 return (h);
2051}
2052
2053void
2054set_ipmask(struct ipsec_addr_wrap *address, int b)
2055{
2056 if (b == -1)
2057 address->mask = address->af == AF_INET2 ? 32 : 128;
2058 else
2059 address->mask = b;
2060}
2061
2062const struct ipsec_xf *
2063parse_xf(const char *name, unsigned int length, const struct ipsec_xf xfs[])
2064{
2065 int i;
2066
2067 for (i = 0; xfs[i].name != NULL((void *)0); i++) {
2068 if (strncmp(name, xfs[i].name, strlen(name)))
2069 continue;
2070 if (length == 0 || length == xfs[i].length)
2071 return &xfs[i];
2072 }
2073 return (NULL((void *)0));
2074}
2075
2076int
2077encxf_noauth(unsigned int id)
2078{
2079 int i;
2080
2081 for (i = 0; ikeencxfs[i].name != NULL((void *)0); i++)
2082 if (ikeencxfs[i].id == id)
2083 return ikeencxfs[i].noauth;
2084 return (0);
2085}
2086
2087size_t
2088keylength_xf(unsigned int saproto, unsigned int type, unsigned int id)
2089{
2090 int i;
2091 const struct ipsec_xf *xfs;
2092
2093 switch (type) {
2094 case IKEV2_XFORMTYPE_ENCR1:
2095 if (saproto == IKEV2_SAPROTO_IKE1)
2096 xfs = ikeencxfs;
2097 else
2098 xfs = ipsecencxfs;
2099 break;
2100 case IKEV2_XFORMTYPE_INTEGR3:
2101 xfs = authxfs;
2102 break;
2103 default:
2104 return (0);
2105 }
2106
2107 for (i = 0; xfs[i].name != NULL((void *)0); i++) {
2108 if (xfs[i].id == id)
2109 return (xfs[i].length * 8);
2110 }
2111 return (0);
2112}
2113
2114size_t
2115noncelength_xf(unsigned int type, unsigned int id)
2116{
2117 const struct ipsec_xf *xfs = ipsecencxfs;
2118 int i;
2119
2120 if (type != IKEV2_XFORMTYPE_ENCR1)
2121 return (0);
2122
2123 for (i = 0; xfs[i].name != NULL((void *)0); i++)
2124 if (xfs[i].id == id)
2125 return (xfs[i].nonce * 8);
2126 return (0);
2127}
2128
2129void
2130copy_transforms(unsigned int type,
2131 const struct ipsec_xf **xfs, unsigned int nxfs,
2132 struct iked_transform **dst, unsigned int *ndst,
2133 struct iked_transform *src, size_t nsrc)
2134{
2135 unsigned int i;
2136 struct iked_transform *a, *b;
2137 const struct ipsec_xf *xf;
2138
2139 if (nxfs) {
2140 for (i = 0; i < nxfs; i++) {
2141 xf = xfs[i];
2142 *dst = recallocarray(*dst, *ndst,
2143 *ndst + 1, sizeof(struct iked_transform));
2144 if (*dst == NULL((void *)0))
2145 err(1, "%s", __func__);
2146 b = *dst + (*ndst)++;
2147
2148 b->xform_type = type;
2149 b->xform_id = xf->id;
2150 b->xform_keylength = xf->length * 8;
2151 b->xform_length = xf->keylength * 8;
2152 }
2153 return;
2154 }
2155
2156 for (i = 0; i < nsrc; i++) {
2157 a = src + i;
2158 if (a->xform_type != type)
2159 continue;
2160 *dst = recallocarray(*dst, *ndst,
2161 *ndst + 1, sizeof(struct iked_transform));
2162 if (*dst == NULL((void *)0))
2163 err(1, "%s", __func__);
2164 b = *dst + (*ndst)++;
2165 memcpy(b, a, sizeof(*b));
2166 }
2167}
2168
2169int
2170create_ike(char *name, int af, struct ipsec_addr_wrap *ipproto,
2171 int rdomain, struct ipsec_hosts *hosts,
2172 struct ipsec_hosts *peers, struct ipsec_mode *ike_sa,
2173 struct ipsec_mode *ipsec_sa, uint8_t saproto,
2174 uint8_t flags, char *srcid, char *dstid,
2175 uint32_t ikelifetime, struct iked_lifetime *lt,
2176 struct iked_auth *authtype, struct ipsec_filters *filter,
2177 struct ipsec_addr_wrap *ikecfg, char *iface)
2178{
2179 char idstr[IKED_ID_SIZE1024];
2180 struct ipsec_addr_wrap *ipa, *ipb, *ipp;
2181 struct iked_auth *ikeauth;
2182 struct iked_policy pol;
2183 struct iked_proposal *p, *ptmp;
2184 struct iked_transform *xf;
2185 unsigned int i, j, xfi, noauth, auth;
2186 unsigned int ikepropid = 1, ipsecpropid = 1;
2187 struct iked_flow *flow, *ftmp;
2188 static unsigned int policy_id = 0;
2189 struct iked_cfg *cfg;
2190 int ret = -1;
2191
2192 bzero(&pol, sizeof(pol));
2193 bzero(idstr, sizeof(idstr));
2194
2195 pol.pol_id = ++policy_id;
2196 pol.pol_certreqtype = env->sc_certreqtype;
2197 pol.pol_af = af;
2198 pol.pol_saproto = saproto;
2199 for (i = 0, ipp = ipproto; ipp; ipp = ipp->next, i++) {
2200 if (i >= IKED_IPPROTO_MAX16) {
2201 yyerror("too many protocols");
2202 return (-1);
2203 }
2204 pol.pol_ipproto[i] = ipp->type;
2205 pol.pol_nipproto++;
2206 }
2207
2208 pol.pol_flags = flags;
2209 pol.pol_rdomain = rdomain;
2210 memcpy(&pol.pol_auth, authtype, sizeof(struct iked_auth));
2211 explicit_bzero(authtype, sizeof(*authtype));
2212
2213 if (name != NULL((void *)0)) {
2214 if (strlcpy(pol.pol_name, name,
2215 sizeof(pol.pol_name)) >= sizeof(pol.pol_name)) {
2216 yyerror("name too long");
2217 return (-1);
2218 }
2219 } else {
2220 snprintf(pol.pol_name, sizeof(pol.pol_name),
2221 "policy%d", policy_id);
2222 }
2223
2224 if (iface != NULL((void *)0)) {
2225 /* sec(4) */
2226 if (strncmp("sec", iface, strlen("sec")) == 0)
2227 pol.pol_flags |= IKED_POLICY_ROUTING0x80;
2228
2229 pol.pol_iface = if_nametoindex(iface);
2230 if (pol.pol_iface == 0) {
2231 yyerror("invalid iface");
2232 return (-1);
2233 }
2234 }
2235
2236 if (srcid) {
2237 pol.pol_localid.id_type = get_id_type(srcid);
2238 pol.pol_localid.id_length = strlen(srcid);
2239 if (strlcpy((char *)pol.pol_localid.id_data,
2240 srcid, IKED_ID_SIZE1024) >= IKED_ID_SIZE1024) {
2241 yyerror("srcid too long");
2242 return (-1);
2243 }
2244 }
2245 if (dstid) {
2246 pol.pol_peerid.id_type = get_id_type(dstid);
2247 pol.pol_peerid.id_length = strlen(dstid);
2248 if (strlcpy((char *)pol.pol_peerid.id_data,
2249 dstid, IKED_ID_SIZE1024) >= IKED_ID_SIZE1024) {
2250 yyerror("dstid too long");
2251 return (-1);
2252 }
2253 }
2254
2255 if (filter != NULL((void *)0)) {
2256 if (filter->tag)
2257 strlcpy(pol.pol_tag, filter->tag, sizeof(pol.pol_tag));
2258 pol.pol_tap = filter->tap;
2259 }
2260
2261 if (peers == NULL((void *)0)) {
2262 if (pol.pol_flags & IKED_POLICY_ACTIVE0x02) {
2263 yyerror("active mode requires peer specification");
2264 return (-1);
2265 }
2266 pol.pol_flags |= IKED_POLICY_DEFAULT0x01|IKED_POLICY_SKIP0x10;
2267 }
2268
2269 if (peers && peers->src && peers->dst &&
2270 (peers->src->af != AF_UNSPEC0) && (peers->dst->af != AF_UNSPEC0) &&
2271 (peers->src->af != peers->dst->af))
2272 fatalx("create_ike: peer address family mismatch");
2273
2274 if (peers && (pol.pol_af != AF_UNSPEC0) &&
2275 ((peers->src && (peers->src->af != AF_UNSPEC0) &&
2276 (peers->src->af != pol.pol_af)) ||
2277 (peers->dst && (peers->dst->af != AF_UNSPEC0) &&
2278 (peers->dst->af != pol.pol_af))))
2279 fatalx("create_ike: policy address family mismatch");
2280
2281 ipa = ipb = NULL((void *)0);
2282 if (peers) {
2283 if (peers->src)
2284 ipa = peers->src;
2285 if (peers->dst)
2286 ipb = peers->dst;
2287 if (ipa == NULL((void *)0) && ipb == NULL((void *)0)) {
2288 if (hosts->src && hosts->src->next == NULL((void *)0))
2289 ipa = hosts->src;
2290 if (hosts->dst && hosts->dst->next == NULL((void *)0))
2291 ipb = hosts->dst;
2292 }
2293 }
2294 if (ipa == NULL((void *)0) && ipb == NULL((void *)0)) {
2295 yyerror("could not get local/peer specification");
2296 return (-1);
2297 }
2298 if (pol.pol_flags & IKED_POLICY_ACTIVE0x02) {
2299 if (ipb == NULL((void *)0) || ipb->netaddress ||
2300 (ipa != NULL((void *)0) && ipa->netaddress)) {
2301 yyerror("active mode requires local/peer address");
2302 return (-1);
2303 }
2304 }
2305 if (ipa) {
2306 memcpy(&pol.pol_local.addr, &ipa->address,
2307 sizeof(ipa->address));
2308 pol.pol_local.addr_af = ipa->af;
2309 pol.pol_local.addr_mask = ipa->mask;
2310 pol.pol_local.addr_net = ipa->netaddress;
2311 if (pol.pol_af == AF_UNSPEC0)
2312 pol.pol_af = ipa->af;
2313 }
2314 if (ipb) {
2315 memcpy(&pol.pol_peer.addr, &ipb->address,
2316 sizeof(ipb->address));
2317 pol.pol_peer.addr_af = ipb->af;
2318 pol.pol_peer.addr_mask = ipb->mask;
2319 pol.pol_peer.addr_net = ipb->netaddress;
2320 if (pol.pol_af == AF_UNSPEC0)
2321 pol.pol_af = ipb->af;
2322 }
2323
2324 if (ikelifetime)
2325 pol.pol_rekey = ikelifetime;
2326
2327 if (lt)
2328 pol.pol_lifetime = *lt;
2329 else
2330 pol.pol_lifetime = deflifetime;
2331
2332 TAILQ_INIT(&pol.pol_proposals)do { (&pol.pol_proposals)->tqh_first = ((void *)0); (&
pol.pol_proposals)->tqh_last = &(&pol.pol_proposals
)->tqh_first; } while (0);
2333 RB_INIT(&pol.pol_flows)do { (&pol.pol_flows)->rbh_root = ((void *)0); } while
(0);
2334
2335 if (ike_sa == NULL((void *)0) || ike_sa->nxfs == 0) {
2336 /* AES-GCM proposal */
2337 if ((p = calloc(1, sizeof(*p))) == NULL((void *)0))
2338 err(1, "%s", __func__);
2339 p->prop_id = ikepropid++;
2340 p->prop_protoid = IKEV2_SAPROTO_IKE1;
2341 p->prop_nxforms = ikev2_default_nike_transforms_noauth;
2342 p->prop_xforms = ikev2_default_ike_transforms_noauth;
2343 TAILQ_INSERT_TAIL(&pol.pol_proposals, p, prop_entry)do { (p)->prop_entry.tqe_next = ((void *)0); (p)->prop_entry
.tqe_prev = (&pol.pol_proposals)->tqh_last; *(&pol
.pol_proposals)->tqh_last = (p); (&pol.pol_proposals)->
tqh_last = &(p)->prop_entry.tqe_next; } while (0);
2344 pol.pol_nproposals++;
2345
2346 /* Non GCM proposal */
2347 if ((p = calloc(1, sizeof(*p))) == NULL((void *)0))
2348 err(1, "%s", __func__);
2349 p->prop_id = ikepropid++;
2350 p->prop_protoid = IKEV2_SAPROTO_IKE1;
2351 p->prop_nxforms = ikev2_default_nike_transforms;
2352 p->prop_xforms = ikev2_default_ike_transforms;
2353 TAILQ_INSERT_TAIL(&pol.pol_proposals, p, prop_entry)do { (p)->prop_entry.tqe_next = ((void *)0); (p)->prop_entry
.tqe_prev = (&pol.pol_proposals)->tqh_last; *(&pol
.pol_proposals)->tqh_last = (p); (&pol.pol_proposals)->
tqh_last = &(p)->prop_entry.tqe_next; } while (0);
2354 pol.pol_nproposals++;
2355 } else {
2356 for (i = 0; i < ike_sa->nxfs; i++) {
2357 noauth = auth = 0;
2358 for (j = 0; j < ike_sa->xfs[i]->nencxf; j++) {
2359 if (ike_sa->xfs[i]->encxf[j]->noauth)
2360 noauth++;
2361 else
2362 auth++;
2363 }
2364 for (j = 0; j < ike_sa->xfs[i]->ngroupxf; j++) {
2365 if (ike_sa->xfs[i]->groupxf[j]->id
2366 == IKEV2_XFORMDH_NONE0) {
2367 yyerror("IKE group can not be \"none\".");
2368 goto done;
2369 }
2370 }
2371 if (ike_sa->xfs[i]->nauthxf)
2372 auth++;
2373
2374 if (ike_sa->xfs[i]->nesnxf) {
2375 yyerror("cannot use ESN with ikesa.");
2376 goto done;
2377 }
2378 if (noauth && noauth != ike_sa->xfs[i]->nencxf) {
2379 yyerror("cannot mix encryption transforms with "
2380 "implicit and non-implicit authentication");
2381 goto done;
2382 }
2383 if (noauth && ike_sa->xfs[i]->nauthxf) {
2384 yyerror("authentication is implicit for given "
2385 "encryption transforms");
2386 goto done;
2387 }
2388
2389 if (!auth) {
2390 if ((p = calloc(1, sizeof(*p))) == NULL((void *)0))
2391 err(1, "%s", __func__);
2392
2393 xf = NULL((void *)0);
2394 xfi = 0;
2395 copy_transforms(IKEV2_XFORMTYPE_ENCR1,
2396 ike_sa->xfs[i]->encxf,
2397 ike_sa->xfs[i]->nencxf, &xf, &xfi,
2398 ikev2_default_ike_transforms_noauth,
2399 ikev2_default_nike_transforms_noauth);
2400 copy_transforms(IKEV2_XFORMTYPE_DH4,
2401 ike_sa->xfs[i]->groupxf,
2402 ike_sa->xfs[i]->ngroupxf, &xf, &xfi,
2403 ikev2_default_ike_transforms_noauth,
2404 ikev2_default_nike_transforms_noauth);
2405 copy_transforms(IKEV2_XFORMTYPE_PRF2,
2406 ike_sa->xfs[i]->prfxf,
2407 ike_sa->xfs[i]->nprfxf, &xf, &xfi,
2408 ikev2_default_ike_transforms_noauth,
2409 ikev2_default_nike_transforms_noauth);
2410
2411 p->prop_id = ikepropid++;
2412 p->prop_protoid = IKEV2_SAPROTO_IKE1;
2413 p->prop_xforms = xf;
2414 p->prop_nxforms = xfi;
2415 TAILQ_INSERT_TAIL(&pol.pol_proposals, p, prop_entry)do { (p)->prop_entry.tqe_next = ((void *)0); (p)->prop_entry
.tqe_prev = (&pol.pol_proposals)->tqh_last; *(&pol
.pol_proposals)->tqh_last = (p); (&pol.pol_proposals)->
tqh_last = &(p)->prop_entry.tqe_next; } while (0);
2416 pol.pol_nproposals++;
2417 }
2418 if (!noauth) {
2419 if ((p = calloc(1, sizeof(*p))) == NULL((void *)0))
2420 err(1, "%s", __func__);
2421
2422 xf = NULL((void *)0);
2423 xfi = 0;
2424 copy_transforms(IKEV2_XFORMTYPE_INTEGR3,
2425 ike_sa->xfs[i]->authxf,
2426 ike_sa->xfs[i]->nauthxf, &xf, &xfi,
2427 ikev2_default_ike_transforms,
2428 ikev2_default_nike_transforms);
2429 copy_transforms(IKEV2_XFORMTYPE_ENCR1,
2430 ike_sa->xfs[i]->encxf,
2431 ike_sa->xfs[i]->nencxf, &xf, &xfi,
2432 ikev2_default_ike_transforms,
2433 ikev2_default_nike_transforms);
2434 copy_transforms(IKEV2_XFORMTYPE_DH4,
2435 ike_sa->xfs[i]->groupxf,
2436 ike_sa->xfs[i]->ngroupxf, &xf, &xfi,
2437 ikev2_default_ike_transforms,
2438 ikev2_default_nike_transforms);
2439 copy_transforms(IKEV2_XFORMTYPE_PRF2,
2440 ike_sa->xfs[i]->prfxf,
2441 ike_sa->xfs[i]->nprfxf, &xf, &xfi,
2442 ikev2_default_ike_transforms,
2443 ikev2_default_nike_transforms);
2444
2445 p->prop_id = ikepropid++;
2446 p->prop_protoid = IKEV2_SAPROTO_IKE1;
2447 p->prop_xforms = xf;
2448 p->prop_nxforms = xfi;
2449 TAILQ_INSERT_TAIL(&pol.pol_proposals, p, prop_entry)do { (p)->prop_entry.tqe_next = ((void *)0); (p)->prop_entry
.tqe_prev = (&pol.pol_proposals)->tqh_last; *(&pol
.pol_proposals)->tqh_last = (p); (&pol.pol_proposals)->
tqh_last = &(p)->prop_entry.tqe_next; } while (0);
2450 pol.pol_nproposals++;
2451 }
2452 }
2453 }
2454
2455 if (ipsec_sa == NULL((void *)0) || ipsec_sa->nxfs == 0) {
2456 if ((p = calloc(1, sizeof(*p))) == NULL((void *)0))
2457 err(1, "%s", __func__);
2458 p->prop_id = ipsecpropid++;
2459 p->prop_protoid = saproto;
2460 p->prop_nxforms = ikev2_default_nesp_transforms_noauth;
2461 p->prop_xforms = ikev2_default_esp_transforms_noauth;
2462 TAILQ_INSERT_TAIL(&pol.pol_proposals, p, prop_entry)do { (p)->prop_entry.tqe_next = ((void *)0); (p)->prop_entry
.tqe_prev = (&pol.pol_proposals)->tqh_last; *(&pol
.pol_proposals)->tqh_last = (p); (&pol.pol_proposals)->
tqh_last = &(p)->prop_entry.tqe_next; } while (0);
2463 pol.pol_nproposals++;
2464
2465 if ((p = calloc(1, sizeof(*p))) == NULL((void *)0))
2466 err(1, "%s", __func__);
2467 p->prop_id = ipsecpropid++;
2468 p->prop_protoid = saproto;
2469 p->prop_nxforms = ikev2_default_nesp_transforms;
2470 p->prop_xforms = ikev2_default_esp_transforms;
2471 TAILQ_INSERT_TAIL(&pol.pol_proposals, p, prop_entry)do { (p)->prop_entry.tqe_next = ((void *)0); (p)->prop_entry
.tqe_prev = (&pol.pol_proposals)->tqh_last; *(&pol
.pol_proposals)->tqh_last = (p); (&pol.pol_proposals)->
tqh_last = &(p)->prop_entry.tqe_next; } while (0);
2472 pol.pol_nproposals++;
2473 } else {
2474 for (i = 0; i < ipsec_sa->nxfs; i++) {
2475 noauth = auth = 0;
2476 for (j = 0; j < ipsec_sa->xfs[i]->nencxf; j++) {
2477 if (ipsec_sa->xfs[i]->encxf[j]->noauth)
2478 noauth++;
2479 else
2480 auth++;
2481 }
2482 if (ipsec_sa->xfs[i]->nauthxf)
2483 auth++;
2484
2485 if (noauth && noauth != ipsec_sa->xfs[i]->nencxf) {
2486 yyerror("cannot mix encryption transforms with "
2487 "implicit and non-implicit authentication");
2488 goto done;
2489 }
2490 if (noauth && ipsec_sa->xfs[i]->nauthxf) {
2491 yyerror("authentication is implicit for given "
2492 "encryption transforms");
2493 goto done;
2494 }
2495
2496 if (!auth) {
2497 if ((p = calloc(1, sizeof(*p))) == NULL((void *)0))
2498 err(1, "%s", __func__);
2499
2500 xf = NULL((void *)0);
2501 xfi = 0;
2502 copy_transforms(IKEV2_XFORMTYPE_ENCR1,
2503 ipsec_sa->xfs[i]->encxf,
2504 ipsec_sa->xfs[i]->nencxf, &xf, &xfi,
2505 ikev2_default_esp_transforms_noauth,
2506 ikev2_default_nesp_transforms_noauth);
2507 copy_transforms(IKEV2_XFORMTYPE_DH4,
2508 ipsec_sa->xfs[i]->groupxf,
2509 ipsec_sa->xfs[i]->ngroupxf, &xf, &xfi,
2510 ikev2_default_esp_transforms_noauth,
2511 ikev2_default_nesp_transforms_noauth);
2512 copy_transforms(IKEV2_XFORMTYPE_ESN5,
2513 ipsec_sa->xfs[i]->esnxf,
2514 ipsec_sa->xfs[i]->nesnxf, &xf, &xfi,
2515 ikev2_default_esp_transforms_noauth,
2516 ikev2_default_nesp_transforms_noauth);
2517
2518 p->prop_id = ipsecpropid++;
2519 p->prop_protoid = saproto;
2520 p->prop_xforms = xf;
2521 p->prop_nxforms = xfi;
2522 TAILQ_INSERT_TAIL(&pol.pol_proposals, p, prop_entry)do { (p)->prop_entry.tqe_next = ((void *)0); (p)->prop_entry
.tqe_prev = (&pol.pol_proposals)->tqh_last; *(&pol
.pol_proposals)->tqh_last = (p); (&pol.pol_proposals)->
tqh_last = &(p)->prop_entry.tqe_next; } while (0);
2523 pol.pol_nproposals++;
2524 }
2525 if (!noauth) {
2526 if ((p = calloc(1, sizeof(*p))) == NULL((void *)0))
2527 err(1, "%s", __func__);
2528
2529 xf = NULL((void *)0);
2530 xfi = 0;
2531 copy_transforms(IKEV2_XFORMTYPE_INTEGR3,
2532 ipsec_sa->xfs[i]->authxf,
2533 ipsec_sa->xfs[i]->nauthxf, &xf, &xfi,
2534 ikev2_default_esp_transforms,
2535 ikev2_default_nesp_transforms);
2536 copy_transforms(IKEV2_XFORMTYPE_ENCR1,
2537 ipsec_sa->xfs[i]->encxf,
2538 ipsec_sa->xfs[i]->nencxf, &xf, &xfi,
2539 ikev2_default_esp_transforms,
2540 ikev2_default_nesp_transforms);
2541 copy_transforms(IKEV2_XFORMTYPE_DH4,
2542 ipsec_sa->xfs[i]->groupxf,
2543 ipsec_sa->xfs[i]->ngroupxf, &xf, &xfi,
2544 ikev2_default_esp_transforms,
2545 ikev2_default_nesp_transforms);
2546 copy_transforms(IKEV2_XFORMTYPE_ESN5,
2547 ipsec_sa->xfs[i]->esnxf,
2548 ipsec_sa->xfs[i]->nesnxf, &xf, &xfi,
2549 ikev2_default_esp_transforms,
2550 ikev2_default_nesp_transforms);
2551
2552 p->prop_id = ipsecpropid++;
2553 p->prop_protoid = saproto;
2554 p->prop_xforms = xf;
2555 p->prop_nxforms = xfi;
2556 TAILQ_INSERT_TAIL(&pol.pol_proposals, p, prop_entry)do { (p)->prop_entry.tqe_next = ((void *)0); (p)->prop_entry
.tqe_prev = (&pol.pol_proposals)->tqh_last; *(&pol
.pol_proposals)->tqh_last = (p); (&pol.pol_proposals)->
tqh_last = &(p)->prop_entry.tqe_next; } while (0);
2557 pol.pol_nproposals++;
2558 }
2559 }
2560 }
2561
2562 for (ipa = hosts->src, ipb = hosts->dst; ipa && ipb;
2563 ipa = ipa->next, ipb = ipb->next) {
2564 for (j = 0; j < pol.pol_nipproto; j++)
2565 if (expand_flows(&pol, pol.pol_ipproto[j], ipa, ipb))
2566 fatalx("create_ike: invalid flow");
2567 if (pol.pol_nipproto == 0)
2568 if (expand_flows(&pol, 0, ipa, ipb))
2569 fatalx("create_ike: invalid flow");
2570 }
2571
2572 for (j = 0, ipa = ikecfg; ipa; ipa = ipa->next, j++) {
2573 if (j >= IKED_CFG_MAX16)
2574 break;
2575 cfg = &pol.pol_cfg[j];
2576 pol.pol_ncfg++;
2577
2578 cfg->cfg_action = ipa->action;
2579 cfg->cfg_type = ipa->type;
2580 memcpy(&cfg->cfg.address.addr, &ipa->address,
2581 sizeof(ipa->address));
2582 cfg->cfg.address.addr_mask = ipa->mask;
2583 cfg->cfg.address.addr_net = ipa->netaddress;
2584 cfg->cfg.address.addr_af = ipa->af;
2585 }
2586
2587 if (dstid)
2588 strlcpy(idstr, dstid, sizeof(idstr));
2589 else if (!pol.pol_peer.addr_net)
2590 strlcpy(idstr, print_addr(&pol.pol_peer.addr), sizeof(idstr));
2591
2592 ikeauth = &pol.pol_auth;
2593 switch (ikeauth->auth_method) {
2594 case IKEV2_AUTH_RSA_SIG1:
2595 pol.pol_certreqtype = IKEV2_CERT_RSA_KEY11;
2596 break;
2597 case IKEV2_AUTH_ECDSA_2569:
2598 case IKEV2_AUTH_ECDSA_38410:
2599 case IKEV2_AUTH_ECDSA_52111:
2600 pol.pol_certreqtype = IKEV2_CERT_ECDSA201;
2601 break;
2602 default:
2603 pol.pol_certreqtype = IKEV2_CERT_NONE0;
2604 break;
2605 }
2606
2607 log_debug("%s: using %s for peer %s", __func__,
2608 print_xf(ikeauth->auth_method, 0, methodxfs), idstr);
2609
2610 config_setpolicy(env, &pol, PROC_IKEV2);
2611 config_setflow(env, &pol, PROC_IKEV2);
2612
2613 rules++;
2614 ret = 0;
2615
2616done:
2617 if (ike_sa) {
2618 for (i = 0; i < ike_sa->nxfs; i++) {
2619 free(ike_sa->xfs[i]->authxf);
2620 free(ike_sa->xfs[i]->encxf);
2621 free(ike_sa->xfs[i]->groupxf);
2622 free(ike_sa->xfs[i]->prfxf);
2623 free(ike_sa->xfs[i]);
2624 }
2625 free(ike_sa->xfs);
2626 free(ike_sa);
2627 }
2628 if (ipsec_sa) {
2629 for (i = 0; i < ipsec_sa->nxfs; i++) {
2630 free(ipsec_sa->xfs[i]->authxf);
2631 free(ipsec_sa->xfs[i]->encxf);
2632 free(ipsec_sa->xfs[i]->groupxf);
2633 free(ipsec_sa->xfs[i]->prfxf);
2634 free(ipsec_sa->xfs[i]->esnxf);
2635 free(ipsec_sa->xfs[i]);
2636 }
2637 free(ipsec_sa->xfs);
2638 free(ipsec_sa);
2639 }
2640 TAILQ_FOREACH_SAFE(p, &pol.pol_proposals, prop_entry, ptmp)for ((p) = ((&pol.pol_proposals)->tqh_first); (p) != (
(void *)0) && ((ptmp) = ((p)->prop_entry.tqe_next)
, 1); (p) = (ptmp)) {
2641 if (p->prop_xforms != ikev2_default_ike_transforms &&
2642 p->prop_xforms != ikev2_default_ike_transforms_noauth &&
2643 p->prop_xforms != ikev2_default_esp_transforms &&
2644 p->prop_xforms != ikev2_default_esp_transforms_noauth)
2645 free(p->prop_xforms);
2646 free(p);
2647 }
2648 if (peers != NULL((void *)0)) {
2649 iaw_free(peers->src);
2650 iaw_free(peers->dst);
2651 /* peers is static, cannot be freed */
2652 }
2653 if (hosts != NULL((void *)0)) {
2654 iaw_free(hosts->src);
2655 iaw_free(hosts->dst);
2656 free(hosts);
2657 }
2658 iaw_free(ikecfg);
2659 iaw_free(ipproto);
2660 RB_FOREACH_SAFE(flow, iked_flows, &pol.pol_flows, ftmp)for ((flow) = iked_flows_RB_MINMAX(&pol.pol_flows, -1); (
(flow) != ((void *)0)) && ((ftmp) = iked_flows_RB_NEXT
(flow), 1); (flow) = (ftmp)) {
2661 RB_REMOVE(iked_flows, &pol.pol_flows, flow)iked_flows_RB_REMOVE(&pol.pol_flows, flow);
2662 free(flow);
2663 }
2664 free(name);
2665 free(srcid);
2666 free(dstid);
2667 return (ret);
2668}
2669
2670static int
2671create_flow(struct iked_policy *pol, int proto, struct ipsec_addr_wrap *ipa,
2672 struct ipsec_addr_wrap *ipb)
2673{
2674 struct iked_flow *flow;
2675 struct ipsec_addr_wrap *ippn;
2676
2677 if (ipa->af != ipb->af) {
2678 yyerror("cannot mix different address families.");
2679 return (-1);
2680 }
2681
2682 if ((flow = calloc(1, sizeof(struct iked_flow))) == NULL((void *)0))
2683 fatalx("%s: failed to alloc flow.", __func__);
2684
2685 memcpy(&flow->flow_src.addr, &ipa->address,
2686 sizeof(ipa->address));
2687 flow->flow_src.addr_af = ipa->af;
2688 flow->flow_src.addr_mask = ipa->mask;
2689 flow->flow_src.addr_net = ipa->netaddress;
2690 flow->flow_src.addr_port = ipa->port;
2691
2692 memcpy(&flow->flow_dst.addr, &ipb->address,
2693 sizeof(ipb->address));
2694 flow->flow_dst.addr_af = ipb->af;
2695 flow->flow_dst.addr_mask = ipb->mask;
2696 flow->flow_dst.addr_net = ipb->netaddress;
2697 flow->flow_dst.addr_port = ipb->port;
2698
2699 ippn = ipa->srcnat;
2700 if (ippn) {
2701 memcpy(&flow->flow_prenat.addr, &ippn->address,
2702 sizeof(ippn->address));
2703 flow->flow_prenat.addr_af = ippn->af;
2704 flow->flow_prenat.addr_mask = ippn->mask;
2705 flow->flow_prenat.addr_net = ippn->netaddress;
2706 } else {
2707 flow->flow_prenat.addr_af = 0;
2708 }
2709
2710 flow->flow_dir = IPSP_DIRECTION_OUT0x2;
2711 flow->flow_ipproto = proto;
2712 flow->flow_saproto = pol->pol_saproto;
2713 flow->flow_rdomain = pol->pol_rdomain;
2714
2715 if (RB_INSERT(iked_flows, &pol->pol_flows, flow)iked_flows_RB_INSERT(&pol->pol_flows, flow) == NULL((void *)0))
2716 pol->pol_nflows++;
2717 else {
2718 warnx("create_ike: duplicate flow");
2719 free(flow);
2720 }
2721
2722 return (0);
2723}
2724
2725static int
2726expand_flows(struct iked_policy *pol, int proto, struct ipsec_addr_wrap *src,
2727 struct ipsec_addr_wrap *dst)
2728{
2729 struct ipsec_addr_wrap *ipa = NULL((void *)0), *ipb = NULL((void *)0);
2730 int ret = -1;
2731 int srcaf, dstaf;
2732
2733 srcaf = src->af;
2734 dstaf = dst->af;
2735
2736 if (src->af == AF_UNSPEC0 &&
2737 dst->af == AF_UNSPEC0) {
2738 /* Need both IPv4 and IPv6 flows */
2739 src->af = dst->af = AF_INET2;
2740 ipa = expand_keyword(src);
2741 ipb = expand_keyword(dst);
2742 if (!ipa || !ipb)
2743 goto done;
2744 if (create_flow(pol, proto, ipa, ipb))
2745 goto done;
2746
2747 iaw_free(ipa);
2748 iaw_free(ipb);
2749 src->af = dst->af = AF_INET624;
2750 ipa = expand_keyword(src);
2751 ipb = expand_keyword(dst);
2752 if (!ipa || !ipb)
2753 goto done;
2754 if (create_flow(pol, proto, ipa, ipb))
2755 goto done;
2756 } else if (src->af == AF_UNSPEC0) {
2757 src->af = dst->af;
2758 ipa = expand_keyword(src);
2759 if (!ipa)
2760 goto done;
2761 if (create_flow(pol, proto, ipa, dst))
2762 goto done;
2763 } else if (dst->af == AF_UNSPEC0) {
2764 dst->af = src->af;
2765 ipa = expand_keyword(dst);
2766 if (!ipa)
2767 goto done;
2768 if (create_flow(pol, proto, src, ipa))
2769 goto done;
2770 } else if (create_flow(pol, proto, src, dst))
2771 goto done;
2772 ret = 0;
2773 done:
2774 src->af = srcaf;
2775 dst->af = dstaf;
2776 iaw_free(ipa);
2777 iaw_free(ipb);
2778 return (ret);
2779}
2780
2781static struct ipsec_addr_wrap *
2782expand_keyword(struct ipsec_addr_wrap *ip)
2783{
2784 switch(ip->af) {
2785 case AF_INET2:
2786 switch(ip->type) {
2787 case IPSEC_ADDR_ANY(0x1):
2788 return (host("0.0.0.0/0"));
2789 case IPSEC_ADDR_DYNAMIC(0x2):
2790 return (host("0.0.0.0"));
2791 }
2792 break;
2793 case AF_INET624:
2794 switch(ip->type) {
2795 case IPSEC_ADDR_ANY(0x1):
2796 return (host("::/0"));
2797 case IPSEC_ADDR_DYNAMIC(0x2):
2798 return (host("::"));
2799 }
2800 }
2801 return (NULL((void *)0));
2802}
2803
2804int
2805create_user(const char *user, const char *pass)
2806{
2807 struct iked_user usr;
2808
2809 bzero(&usr, sizeof(usr));
2810
2811 if (*user == '\0' || (strlcpy(usr.usr_name, user,
2812 sizeof(usr.usr_name)) >= sizeof(usr.usr_name))) {
2813 yyerror("invalid user name");
2814 return (-1);
2815 }
2816 if (*pass == '\0' || (strlcpy(usr.usr_pass, pass,
2817 sizeof(usr.usr_pass)) >= sizeof(usr.usr_pass))) {
2818 yyerror("invalid password");
2819 explicit_bzero(&usr, sizeof usr); /* zap partial password */
2820 return (-1);
2821 }
2822
2823 config_setuser(env, &usr, PROC_IKEV2);
2824
2825 rules++;
2826
2827 explicit_bzero(&usr, sizeof usr);
2828 return (0);
2829}
2830
2831void
2832iaw_free(struct ipsec_addr_wrap *head)
2833{
2834 struct ipsec_addr_wrap *n, *cur;
2835
2836 if (head == NULL((void *)0))
2837 return;
2838
2839 for (n = head; n != NULL((void *)0); ) {
2840 cur = n;
2841 n = n->next;
2842 if (cur->srcnat != NULL((void *)0)) {
2843 free(cur->srcnat->name);
2844 free(cur->srcnat);
2845 }
2846 free(cur->name);
2847 free(cur);
2848 }
2849}
2850#line 2843 "parse.c"
2851/* allocate initial stack or double stack size, up to YYMAXDEPTH */
2852static int yygrowstack(void)
2853{
2854 unsigned int newsize;
2855 long sslen;
2856 short *newss;
2857 YYSTYPE *newvs;
2858
2859 if ((newsize = yystacksize) == 0)
2860 newsize = YYINITSTACKSIZE200;
2861 else if (newsize >= YYMAXDEPTH10000)
2862 return -1;
2863 else if ((newsize *= 2) > YYMAXDEPTH10000)
2864 newsize = YYMAXDEPTH10000;
2865 sslen = yyssp - yyss;
2866#ifdef SIZE_MAX0xffffffffffffffffUL
2867#define YY_SIZE_MAX0xffffffffffffffffUL SIZE_MAX0xffffffffffffffffUL
2868#else
2869#define YY_SIZE_MAX0xffffffffffffffffUL 0xffffffffU
2870#endif
2871 if (newsize && YY_SIZE_MAX0xffffffffffffffffUL / newsize < sizeof *newss)
2872 goto bail;
2873 newss = (short *)realloc(yyss, newsize * sizeof *newss);
2874 if (newss == NULL((void *)0))
2875 goto bail;
2876 yyss = newss;
2877 yyssp = newss + sslen;
2878 if (newsize && YY_SIZE_MAX0xffffffffffffffffUL / newsize < sizeof *newvs)
2879 goto bail;
2880 newvs = (YYSTYPE *)realloc(yyvs, newsize * sizeof *newvs);
2881 if (newvs == NULL((void *)0))
2882 goto bail;
2883 yyvs = newvs;
2884 yyvsp = newvs + sslen;
2885 yystacksize = newsize;
2886 yysslim = yyss + newsize - 1;
2887 return 0;
2888bail:
2889 if (yyss)
2890 free(yyss);
2891 if (yyvs)
2892 free(yyvs);
2893 yyss = yyssp = NULL((void *)0);
2894 yyvs = yyvsp = NULL((void *)0);
2895 yystacksize = 0;
2896 return -1;
2897}
2898
2899#define YYABORTgoto yyabort goto yyabort
2900#define YYREJECTgoto yyabort goto yyabort
2901#define YYACCEPTgoto yyaccept goto yyaccept
2902#define YYERRORgoto yyerrlab goto yyerrlab
2903int
2904yyparse(void)
2905{
2906 int yym, yyn, yystate;
2907#if YYDEBUG0
2908 const char *yys;
2909
2910 if ((yys = getenv("YYDEBUG")))
2911 {
2912 yyn = *yys;
2913 if (yyn >= '0' && yyn <= '9')
2914 yydebug = yyn - '0';
2915 }
2916#endif /* YYDEBUG */
2917
2918 yynerrs = 0;
2919 yyerrflag = 0;
2920 yychar = (-1);
2921
2922 if (yyss == NULL((void *)0) && yygrowstack()) goto yyoverflow;
2923 yyssp = yyss;
2924 yyvsp = yyvs;
2925 *yyssp = yystate = 0;
2926
2927yyloop:
2928 if ((yyn = yydefred[yystate]) != 0) goto yyreduce;
2929 if (yychar < 0)
2930 {
2931 if ((yychar = yylex()) < 0) yychar = 0;
2932#if YYDEBUG0
2933 if (yydebug)
2934 {
2935 yys = 0;
2936 if (yychar <= YYMAXTOKEN330) yys = yyname[yychar];
2937 if (!yys) yys = "illegal-symbol";
2938 printf("%sdebug: state %d, reading %d (%s)\n",
2939 YYPREFIX"yy", yystate, yychar, yys);
2940 }
2941#endif
2942 }
2943 if ((yyn = yysindex[yystate]) && (yyn += yychar) >= 0 &&
2944 yyn <= YYTABLESIZE745 && yycheck[yyn] == yychar)
2945 {
2946#if YYDEBUG0
2947 if (yydebug)
2948 printf("%sdebug: state %d, shifting to state %d\n",
2949 YYPREFIX"yy", yystate, yytable[yyn]);
2950#endif
2951 if (yyssp >= yysslim && yygrowstack())
2952 {
2953 goto yyoverflow;
2954 }
2955 *++yyssp = yystate = yytable[yyn];
2956 *++yyvsp = yylval;
2957 yychar = (-1);
2958 if (yyerrflag > 0) --yyerrflag;
2959 goto yyloop;
2960 }
2961 if ((yyn = yyrindex[yystate]) && (yyn += yychar) >= 0 &&
2962 yyn <= YYTABLESIZE745 && yycheck[yyn] == yychar)
2963 {
2964 yyn = yytable[yyn];
2965 goto yyreduce;
2966 }
2967 if (yyerrflag) goto yyinrecovery;
2968#if defined(__GNUC__4)
2969 goto yynewerror;
2970#endif
2971yynewerror:
2972 yyerror("syntax error");
2973#if defined(__GNUC__4)
2974 goto yyerrlab;
2975#endif
2976yyerrlab:
2977 ++yynerrs;
2978yyinrecovery:
2979 if (yyerrflag < 3)
2980 {
2981 yyerrflag = 3;
2982 for (;;)
2983 {
2984 if ((yyn = yysindex[*yyssp]) && (yyn += YYERRCODE256) >= 0 &&
2985 yyn <= YYTABLESIZE745 && yycheck[yyn] == YYERRCODE256)
2986 {
2987#if YYDEBUG0
2988 if (yydebug)
2989 printf("%sdebug: state %d, error recovery shifting\
2990 to state %d\n", YYPREFIX"yy", *yyssp, yytable[yyn]);
2991#endif
2992 if (yyssp >= yysslim && yygrowstack())
2993 {
2994 goto yyoverflow;
2995 }
2996 *++yyssp = yystate = yytable[yyn];
2997 *++yyvsp = yylval;
2998 goto yyloop;
2999 }
3000 else
3001 {
3002#if YYDEBUG0
3003 if (yydebug)
3004 printf("%sdebug: error recovery discarding state %d\n",
3005 YYPREFIX"yy", *yyssp);
3006#endif
3007 if (yyssp <= yyss) goto yyabort;
3008 --yyssp;
3009 --yyvsp;
3010 }
3011 }
3012 }
3013 else
3014 {
3015 if (yychar == 0) goto yyabort;
3016#if YYDEBUG0
3017 if (yydebug)
3018 {
3019 yys = 0;
3020 if (yychar <= YYMAXTOKEN330) yys = yyname[yychar];
3021 if (!yys) yys = "illegal-symbol";
3022 printf("%sdebug: state %d, error recovery discards token %d (%s)\n",
3023 YYPREFIX"yy", yystate, yychar, yys);
3024 }
3025#endif
3026 yychar = (-1);
3027 goto yyloop;
3028 }
3029yyreduce:
3030#if YYDEBUG0
3031 if (yydebug)
3032 printf("%sdebug: state %d, reducing by rule %d (%s)\n",
3033 YYPREFIX"yy", yystate, yyn, yyrule[yyn]);
3034#endif
3035 yym = yylen[yyn];
3036 if (yym)
3037 yyval = yyvsp[1-yym];
3038 else
3039 memset(&yyval, 0, sizeof yyval);
3040 switch (yyn)
3041 {
3042case 9:
3043#line 483 "/usr/src/sbin/iked/parse.y"
3044{ file->errors++; }
3045break;
3046case 12:
3047#line 490 "/usr/src/sbin/iked/parse.y"
3048{
3049 struct file *nfile;
3050
3051 if ((nfile = pushfile(yyvsp[0].v.string, 1)) == NULL((void *)0)) {
3052 yyerror("failed to include file %s", yyvsp[0].v.string);
3053 free(yyvsp[0].v.string);
3054 YYERRORgoto yyerrlab;
3055 }
3056 free(yyvsp[0].v.string);
3057
3058 file = nfile;
3059 lungetc('\n');
3060 }
3061break;
3062case 13:
3063#line 505 "/usr/src/sbin/iked/parse.y"
3064{ passive = 0; }
3065break;
3066case 14:
3067#line 506 "/usr/src/sbin/iked/parse.y"
3068{ passive = 1; }
3069break;
3070case 15:
3071#line 507 "/usr/src/sbin/iked/parse.y"
3072{ decouple = 0; }
3073break;
3074case 16:
3075#line 508 "/usr/src/sbin/iked/parse.y"
3076{ decouple = 1; }
3077break;
3078case 17:
3079#line 509 "/usr/src/sbin/iked/parse.y"
3080{ fragmentation = 1; }
3081break;
3082case 18:
3083#line 510 "/usr/src/sbin/iked/parse.y"
3084{ fragmentation = 0; }
3085break;
3086case 19:
3087#line 511 "/usr/src/sbin/iked/parse.y"
3088{ mobike = 1; }
3089break;
3090case 20:
3091#line 512 "/usr/src/sbin/iked/parse.y"
3092{ mobike = 0; }
3093break;
3094case 21:
3095#line 513 "/usr/src/sbin/iked/parse.y"
3096{ vendorid = 1; }
3097break;
3098case 22:
3099#line 514 "/usr/src/sbin/iked/parse.y"
3100{ vendorid = 0; }
3101break;
3102case 23:
3103#line 515 "/usr/src/sbin/iked/parse.y"
3104{ enforcesingleikesa = 1; }
3105break;
3106case 24:
3107#line 516 "/usr/src/sbin/iked/parse.y"
3108{ enforcesingleikesa = 0; }
3109break;
3110case 25:
3111#line 517 "/usr/src/sbin/iked/parse.y"
3112{ stickyaddress = 1; }
3113break;
3114case 26:
3115#line 518 "/usr/src/sbin/iked/parse.y"
3116{ stickyaddress = 0; }
3117break;
3118case 27:
3119#line 519 "/usr/src/sbin/iked/parse.y"
3120{
3121 ocsp_url = yyvsp[0].v.string;
3122 }
3123break;
3124case 28:
3125#line 522 "/usr/src/sbin/iked/parse.y"
3126{
3127 ocsp_url = yyvsp[-2].v.string;
3128 ocsp_tolerate = yyvsp[0].v.number;
3129 }
3130break;
3131case 29:
3132#line 526 "/usr/src/sbin/iked/parse.y"
3133{
3134 ocsp_url = yyvsp[-4].v.string;
3135 ocsp_tolerate = yyvsp[-2].v.number;
3136 ocsp_maxage = yyvsp[0].v.number;
3137 }
3138break;
3139case 30:
3140#line 531 "/usr/src/sbin/iked/parse.y"
3141{
3142 cert_partial_chain = 1;
3143 }
3144break;
3145case 31:
3146#line 534 "/usr/src/sbin/iked/parse.y"
3147{
3148 if (yyvsp[0].v.number < 0) {
3149 yyerror("timeout outside range");
3150 YYERRORgoto yyerrlab;
3151 }
3152 dpd_interval = yyvsp[0].v.number;
3153 }
3154break;
3155case 32:
3156#line 543 "/usr/src/sbin/iked/parse.y"
3157{
3158 if (create_user(yyvsp[-1].v.string, yyvsp[0].v.string) == -1)
3159 YYERRORgoto yyerrlab;
3160 free(yyvsp[-1].v.string);
3161 freezero(yyvsp[0].v.string, strlen(yyvsp[0].v.string));
3162 }
3163break;
3164case 33:
3165#line 553 "/usr/src/sbin/iked/parse.y"
3166{
3167 if (create_ike(yyvsp[-16].v.string, yyvsp[-13].v.number, yyvsp[-12].v.proto, yyvsp[-11].v.number, yyvsp[-10].v.hosts, &yyvsp[-9].v.peers, yyvsp[-8].v.mode, yyvsp[-7].v.mode, yyvsp[-14].v.satype,
3168 yyvsp[-15].v.ikemode, yyvsp[-6].v.ids.srcid, yyvsp[-6].v.ids.dstid, yyvsp[-5].v.number, &yyvsp[-4].v.lifetime, &yyvsp[-3].v.ikeauth,
3169 yyvsp[0].v.filters, yyvsp[-2].v.cfg, yyvsp[-1].v.string) == -1) {
3170 yyerror("create_ike failed");
3171 YYERRORgoto yyerrlab;
3172 }
3173 }
3174break;
3175case 34:
3176#line 563 "/usr/src/sbin/iked/parse.y"
3177{ yyval.v.cfg = NULL((void *)0); }
3178break;
3179case 35:
3180#line 564 "/usr/src/sbin/iked/parse.y"
3181{ yyval.v.cfg = yyvsp[0].v.cfg; }
3182break;
3183case 36:
3184#line 567 "/usr/src/sbin/iked/parse.y"
3185{ yyval.v.cfg = yyvsp[0].v.cfg; }
3186break;
3187case 37:
3188#line 568 "/usr/src/sbin/iked/parse.y"
3189{
3190 if (yyvsp[0].v.cfg == NULL((void *)0))
3191 yyval.v.cfg = yyvsp[-1].v.cfg;
3192 else if (yyvsp[-1].v.cfg == NULL((void *)0))
3193 yyval.v.cfg = yyvsp[0].v.cfg;
3194 else {
3195 yyvsp[-1].v.cfg->tail->next = yyvsp[0].v.cfg;
3196 yyvsp[-1].v.cfg->tail = yyvsp[0].v.cfg->tail;
3197 yyval.v.cfg = yyvsp[-1].v.cfg;
3198 }
3199 }
3200break;
3201case 38:
3202#line 581 "/usr/src/sbin/iked/parse.y"
3203{
3204 const struct ipsec_xf *xf;
3205
3206 if ((xf = parse_xf(yyvsp[-1].v.string, yyvsp[0].v.host->af, cpxfs)) == NULL((void *)0)) {
3207 yyerror("not a valid ikecfg option");
3208 free(yyvsp[-1].v.string);
3209 free(yyvsp[0].v.host);
3210 YYERRORgoto yyerrlab;
3211 }
3212 free(yyvsp[-1].v.string);
3213 yyval.v.cfg = yyvsp[0].v.host;
3214 yyval.v.cfg->type = xf->id;
3215 yyval.v.cfg->action = IKEV2_CP_REPLY2; /* XXX */
3216 }
3217break;
3218case 39:
3219#line 595 "/usr/src/sbin/iked/parse.y"
3220{
3221 const struct ipsec_xf *xf;
3222
3223 if ((xf = parse_xf(yyvsp[-1].v.string, yyvsp[0].v.anyhost->af, cpxfs)) == NULL((void *)0)) {
3224 yyerror("not a valid ikecfg option");
3225 free(yyvsp[-1].v.string);
3226 free(yyvsp[0].v.anyhost);
3227 YYERRORgoto yyerrlab;
3228 }
3229 free(yyvsp[-1].v.string);
3230 yyval.v.cfg = yyvsp[0].v.anyhost;
3231 yyval.v.cfg->type = xf->id;
3232 yyval.v.cfg->action = IKEV2_CP_REQUEST1; /* XXX */
3233 }
3234break;
3235case 40:
3236#line 611 "/usr/src/sbin/iked/parse.y"
3237{ yyval.v.string = NULL((void *)0); }
3238break;
3239case 41:
3240#line 612 "/usr/src/sbin/iked/parse.y"
3241{
3242 yyval.v.string = yyvsp[0].v.string;
3243 }
3244break;
3245case 42:
3246#line 616 "/usr/src/sbin/iked/parse.y"
3247{ yyval.v.satype = IKEV2_SAPROTO_ESP3; }
3248break;
3249case 43:
3250#line 617 "/usr/src/sbin/iked/parse.y"
3251{ yyval.v.satype = IKEV2_SAPROTO_ESP3; }
3252break;
3253case 44:
3254#line 618 "/usr/src/sbin/iked/parse.y"
3255{ yyval.v.satype = IKEV2_SAPROTO_AH2; }
3256break;
3257case 45:
3258#line 621 "/usr/src/sbin/iked/parse.y"
3259{ yyval.v.number = AF_UNSPEC0; }
3260break;
3261case 46:
3262#line 622 "/usr/src/sbin/iked/parse.y"
3263{ yyval.v.number = AF_INET2; }
3264break;
3265case 47:
3266#line 623 "/usr/src/sbin/iked/parse.y"
3267{ yyval.v.number = AF_INET624; }
3268break;
3269case 48:
3270#line 626 "/usr/src/sbin/iked/parse.y"
3271{ yyval.v.proto = NULL((void *)0); }
3272break;
3273case 49:
3274#line 627 "/usr/src/sbin/iked/parse.y"
3275{ yyval.v.proto = yyvsp[0].v.proto; }
3276break;
3277case 50:
3278#line 628 "/usr/src/sbin/iked/parse.y"
3279{ yyval.v.proto = yyvsp[-1].v.proto; }
3280break;
3281case 51:
3282#line 631 "/usr/src/sbin/iked/parse.y"
3283{ yyval.v.proto = yyvsp[0].v.proto; }
3284break;
3285case 52:
3286#line 632 "/usr/src/sbin/iked/parse.y"
3287{
3288 if (yyvsp[0].v.proto == NULL((void *)0))
3289 yyval.v.proto = yyvsp[-2].v.proto;
3290 else if (yyvsp[-2].v.proto == NULL((void *)0))
3291 yyval.v.proto = yyvsp[0].v.proto;
3292 else {
3293 yyvsp[-2].v.proto->tail->next = yyvsp[0].v.proto;
3294 yyvsp[-2].v.proto->tail = yyvsp[0].v.proto->tail;
3295 yyval.v.proto = yyvsp[-2].v.proto;
3296 }
3297 }
3298break;
3299case 53:
3300#line 645 "/usr/src/sbin/iked/parse.y"
3301{
3302 struct protoent *p;
3303
3304 p = getprotobyname(yyvsp[0].v.string);
3305 if (p == NULL((void *)0)) {
3306 yyerror("unknown protocol: %s", yyvsp[0].v.string);
3307 YYERRORgoto yyerrlab;
3308 }
3309
3310 if ((yyval.v.proto = calloc(1, sizeof(*yyval.v.proto))) == NULL((void *)0))
3311 err(1, "protoval: calloc");
3312
3313 yyval.v.proto->type = p->p_proto;
3314 yyval.v.proto->tail = yyval.v.proto;
3315 free(yyvsp[0].v.string);
3316 }
3317break;
3318case 54:
3319#line 661 "/usr/src/sbin/iked/parse.y"
3320{
3321 if (yyvsp[0].v.number > 255 || yyvsp[0].v.number < 0) {
3322 yyerror("protocol outside range");
3323 YYERRORgoto yyerrlab;
3324 }
3325 if ((yyval.v.proto = calloc(1, sizeof(*yyval.v.proto))) == NULL((void *)0))
3326 err(1, "protoval: calloc");
3327
3328 yyval.v.proto->type = yyvsp[0].v.number;
3329 yyval.v.proto->tail = yyval.v.proto;
3330 }
3331break;
3332case 55:
3333#line 674 "/usr/src/sbin/iked/parse.y"
3334{ yyval.v.number = -1; }
3335break;
3336case 56:
3337#line 675 "/usr/src/sbin/iked/parse.y"
3338{
3339 if (yyvsp[0].v.number > 255 || yyvsp[0].v.number < 0) {
3340 yyerror("rdomain outside range");
3341 YYERRORgoto yyerrlab;
3342 }
3343 yyval.v.number = yyvsp[0].v.number;
3344 }
3345break;
3346case 57:
3347#line 683 "/usr/src/sbin/iked/parse.y"
3348{ yyval.v.hosts = yyvsp[0].v.hosts; }
3349break;
3350case 58:
3351#line 684 "/usr/src/sbin/iked/parse.y"
3352{
3353 if (yyvsp[0].v.hosts == NULL((void *)0))
3354 yyval.v.hosts = yyvsp[-2].v.hosts;
3355 else if (yyvsp[-2].v.hosts == NULL((void *)0))
3356 yyval.v.hosts = yyvsp[0].v.hosts;
3357 else {
3358 yyvsp[-2].v.hosts->src->tail->next = yyvsp[0].v.hosts->src;
3359 yyvsp[-2].v.hosts->src->tail = yyvsp[0].v.hosts->src->tail;
3360 yyvsp[-2].v.hosts->dst->tail->next = yyvsp[0].v.hosts->dst;
3361 yyvsp[-2].v.hosts->dst->tail = yyvsp[0].v.hosts->dst->tail;
3362 yyval.v.hosts = yyvsp[-2].v.hosts;
3363 free(yyvsp[0].v.hosts);
3364 }
3365 }
3366break;
3367case 59:
3368#line 700 "/usr/src/sbin/iked/parse.y"
3369{
3370 struct ipsec_addr_wrap *ipa;
3371 for (ipa = yyvsp[-1].v.host; ipa; ipa = ipa->next) {
3372 if (ipa->srcnat) {
3373 yyerror("no flow NAT support for"
3374 " destination network: %s",
3375 ipa->name);
3376 YYERRORgoto yyerrlab;
3377 }
3378 }
3379
3380 if ((yyval.v.hosts = calloc(1, sizeof(*yyval.v.hosts))) == NULL((void *)0))
3381 err(1, "hosts: calloc");
3382
3383 yyval.v.hosts->src = yyvsp[-4].v.host;
3384 yyval.v.hosts->src->port = yyvsp[-3].v.port;
3385 yyval.v.hosts->dst = yyvsp[-1].v.host;
3386 yyval.v.hosts->dst->port = yyvsp[0].v.port;
3387 }
3388break;
3389case 60:
3390#line 719 "/usr/src/sbin/iked/parse.y"
3391{
3392 struct ipsec_addr_wrap *ipa;
3393 for (ipa = yyvsp[-4].v.host; ipa; ipa = ipa->next) {
3394 if (ipa->srcnat) {
3395 yyerror("no flow NAT support for"
3396 " destination network: %s",
3397 ipa->name);
3398 YYERRORgoto yyerrlab;
3399 }
3400 }
3401 if ((yyval.v.hosts = calloc(1, sizeof(*yyval.v.hosts))) == NULL((void *)0))
3402 err(1, "hosts: calloc");
3403
3404 yyval.v.hosts->src = yyvsp[-1].v.host;
3405 yyval.v.hosts->src->port = yyvsp[0].v.port;
3406 yyval.v.hosts->dst = yyvsp[-4].v.host;
3407 yyval.v.hosts->dst->port = yyvsp[-3].v.port;
3408 }
3409break;
3410case 61:
3411#line 739 "/usr/src/sbin/iked/parse.y"
3412{ yyval.v.port = 0; }
3413break;
3414case 62:
3415#line 740 "/usr/src/sbin/iked/parse.y"
3416{ yyval.v.port = yyvsp[0].v.number; }
3417break;
3418case 63:
3419#line 743 "/usr/src/sbin/iked/parse.y"
3420{
3421 struct servent *s;
3422
3423 if ((s = getservbyname(yyvsp[0].v.string, "tcp")) != NULL((void *)0) ||
3424 (s = getservbyname(yyvsp[0].v.string, "udp")) != NULL((void *)0)) {
3425 yyval.v.number = s->s_port;
3426 } else {
3427 yyerror("unknown port: %s", yyvsp[0].v.string);
3428 YYERRORgoto yyerrlab;
3429 }
3430 free(yyvsp[0].v.string);
3431 }
3432break;
3433case 64:
3434#line 755 "/usr/src/sbin/iked/parse.y"
3435{
3436 if (yyvsp[0].v.number > USHRT_MAX0xffff || yyvsp[0].v.number < 0) {
3437 yyerror("port outside range");
3438 YYERRORgoto yyerrlab;
3439 }
3440 yyval.v.number = htons(yyvsp[0].v.number)(__uint16_t)(__builtin_constant_p(yyvsp[0].v.number) ? (__uint16_t
)(((__uint16_t)(yyvsp[0].v.number) & 0xffU) << 8 | (
(__uint16_t)(yyvsp[0].v.number) & 0xff00U) >> 8) : __swap16md
(yyvsp[0].v.number));
3441 }
3442break;
3443case 65:
3444#line 764 "/usr/src/sbin/iked/parse.y"
3445{
3446 yyval.v.peers.dst = NULL((void *)0);
3447 yyval.v.peers.src = NULL((void *)0);
3448 }
3449break;
3450case 66:
3451#line 768 "/usr/src/sbin/iked/parse.y"
3452{
3453 yyval.v.peers.dst = yyvsp[-2].v.anyhost;
3454 yyval.v.peers.src = yyvsp[0].v.anyhost;
3455 }
3456break;
3457case 67:
3458#line 772 "/usr/src/sbin/iked/parse.y"
3459{
3460 yyval.v.peers.dst = yyvsp[0].v.anyhost;
3461 yyval.v.peers.src = yyvsp[-2].v.anyhost;
3462 }
3463break;
3464case 68:
3465#line 776 "/usr/src/sbin/iked/parse.y"
3466{
3467 yyval.v.peers.dst = yyvsp[0].v.anyhost;
3468 yyval.v.peers.src = NULL((void *)0);
3469 }
3470break;
3471case 69:
3472#line 780 "/usr/src/sbin/iked/parse.y"
3473{
3474 yyval.v.peers.dst = NULL((void *)0);
3475 yyval.v.peers.src = yyvsp[0].v.anyhost;
3476 }
3477break;
3478case 70:
3479#line 786 "/usr/src/sbin/iked/parse.y"
3480{ yyval.v.anyhost = yyvsp[0].v.host; }
3481break;
3482case 71:
3483#line 787 "/usr/src/sbin/iked/parse.y"
3484{
3485 yyval.v.anyhost = host_any();
3486 }
3487break;
3488case 72:
3489#line 791 "/usr/src/sbin/iked/parse.y"
3490{
3491 if ((yyval.v.host = host(yyvsp[0].v.string)) == NULL((void *)0)) {
3492 free(yyvsp[0].v.string);
3493 yyerror("could not parse host specification");
3494 YYERRORgoto yyerrlab;
3495 }
3496 free(yyvsp[0].v.string);
3497 }
3498break;
3499case 73:
3500#line 799 "/usr/src/sbin/iked/parse.y"
3501{
3502 char *buf;
3503
3504 if (asprintf(&buf, "%s/%lld", yyvsp[-2].v.string, yyvsp[0].v.number) == -1)
3505 err(1, "host: asprintf");
3506 free(yyvsp[-2].v.string);
3507 if ((yyval.v.host = host(buf)) == NULL((void *)0)) {
3508 free(buf);
3509 yyerror("could not parse host specification");
3510 YYERRORgoto yyerrlab;
3511 }
3512 free(buf);
3513 }
3514break;
3515case 74:
3516#line 814 "/usr/src/sbin/iked/parse.y"
3517{ yyval.v.host = yyvsp[0].v.host; }
3518break;
3519case 75:
3520#line 815 "/usr/src/sbin/iked/parse.y"
3521{
3522 if ((yyvsp[-3].v.host->af != AF_UNSPEC0) && (yyvsp[-1].v.host->af != AF_UNSPEC0) &&
3523 (yyvsp[-1].v.host->af != yyvsp[-3].v.host->af)) {
3524 yyerror("Flow NAT address family mismatch");
3525 YYERRORgoto yyerrlab;
3526 }
3527 yyval.v.host = yyvsp[-3].v.host;
3528 yyval.v.host->srcnat = yyvsp[-1].v.host;
3529 }
3530break;
3531case 76:
3532#line 824 "/usr/src/sbin/iked/parse.y"
3533{
3534 yyval.v.host = host_any();
3535 }
3536break;
3537case 77:
3538#line 827 "/usr/src/sbin/iked/parse.y"
3539{
3540 yyval.v.host = host_dynamic();
3541 }
3542break;
3543case 78:
3544#line 832 "/usr/src/sbin/iked/parse.y"
3545{
3546 yyval.v.ids.srcid = NULL((void *)0);
3547 yyval.v.ids.dstid = NULL((void *)0);
3548 }
3549break;
3550case 79:
3551#line 836 "/usr/src/sbin/iked/parse.y"
3552{
3553 yyval.v.ids.srcid = yyvsp[-2].v.id;
3554 yyval.v.ids.dstid = yyvsp[0].v.id;
3555 }
3556break;
3557case 80:
3558#line 840 "/usr/src/sbin/iked/parse.y"
3559{
3560 yyval.v.ids.srcid = yyvsp[0].v.id;
3561 yyval.v.ids.dstid = NULL((void *)0);
3562 }
3563break;
3564case 81:
3565#line 844 "/usr/src/sbin/iked/parse.y"
3566{
3567 yyval.v.ids.srcid = NULL((void *)0);
3568 yyval.v.ids.dstid = yyvsp[0].v.id;
3569 }
3570break;
3571case 82:
3572#line 850 "/usr/src/sbin/iked/parse.y"
3573{ yyval.v.id = yyvsp[0].v.string; }
3574break;
3575case 83:
3576#line 853 "/usr/src/sbin/iked/parse.y"
3577{
3578 if ((ipsec_transforms = calloc(1,
3579 sizeof(struct ipsec_transforms))) == NULL((void *)0))
3580 err(1, "transforms: calloc");
3581 }
3582break;
3583case 84:
3584#line 858 "/usr/src/sbin/iked/parse.y"
3585{
3586 yyval.v.transforms = ipsec_transforms;
3587 }
3588break;
3589case 85:
3590#line 861 "/usr/src/sbin/iked/parse.y"
3591{
3592 yyval.v.transforms = NULL((void *)0);
3593 }
3594break;
3595case 88:
3596#line 870 "/usr/src/sbin/iked/parse.y"
3597{
3598 const struct ipsec_xf **xfs = ipsec_transforms->authxf;
3599 size_t nxfs = ipsec_transforms->nauthxf;
3600 xfs = recallocarray(xfs, nxfs, nxfs + 1,
3601 sizeof(struct ipsec_xf *));
3602 if (xfs == NULL((void *)0))
3603 err(1, "transform: recallocarray");
3604 if ((xfs[nxfs] = parse_xf(yyvsp[0].v.string, 0, authxfs)) == NULL((void *)0)) {
3605 yyerror("%s not a valid transform", yyvsp[0].v.string);
3606 YYERRORgoto yyerrlab;
3607 }
3608 free(yyvsp[0].v.string);
3609 ipsec_transforms->authxf = xfs;
3610 ipsec_transforms->nauthxf++;
3611 }
3612break;
3613case 89:
3614#line 885 "/usr/src/sbin/iked/parse.y"
3615{
3616 const struct ipsec_xf **xfs = ipsec_transforms->encxf;
3617 size_t nxfs = ipsec_transforms->nencxf;
3618 xfs = recallocarray(xfs, nxfs, nxfs + 1,
3619 sizeof(struct ipsec_xf *));
3620 if (xfs == NULL((void *)0))
3621 err(1, "transform: recallocarray");
3622 if ((xfs[nxfs] = parse_xf(yyvsp[0].v.string, 0, encxfs)) == NULL((void *)0)) {
3623 yyerror("%s not a valid transform", yyvsp[0].v.string);
3624 YYERRORgoto yyerrlab;
3625 }
3626 free(yyvsp[0].v.string);
3627 ipsec_transforms->encxf = xfs;
3628 ipsec_transforms->nencxf++;
3629 }
3630break;
3631case 90:
3632#line 900 "/usr/src/sbin/iked/parse.y"
3633{
3634 const struct ipsec_xf **xfs = ipsec_transforms->prfxf;
3635 size_t nxfs = ipsec_transforms->nprfxf;
3636 xfs = recallocarray(xfs, nxfs, nxfs + 1,
3637 sizeof(struct ipsec_xf *));
3638 if (xfs == NULL((void *)0))
3639 err(1, "transform: recallocarray");
3640 if ((xfs[nxfs] = parse_xf(yyvsp[0].v.string, 0, prfxfs)) == NULL((void *)0)) {
3641 yyerror("%s not a valid transform", yyvsp[0].v.string);
3642 YYERRORgoto yyerrlab;
3643 }
3644 free(yyvsp[0].v.string);
3645 ipsec_transforms->prfxf = xfs;
3646 ipsec_transforms->nprfxf++;
3647 }
3648break;
3649case 91:
3650#line 915 "/usr/src/sbin/iked/parse.y"
3651{
3652 const struct ipsec_xf **xfs = ipsec_transforms->groupxf;
3653 size_t nxfs = ipsec_transforms->ngroupxf;
3654 xfs = recallocarray(xfs, nxfs, nxfs + 1,
3655 sizeof(struct ipsec_xf *));
3656 if (xfs == NULL((void *)0))
3657 err(1, "transform: recallocarray");
3658 if ((xfs[nxfs] = parse_xf(yyvsp[0].v.string, 0, groupxfs)) == NULL((void *)0)) {
3659 yyerror("%s not a valid transform", yyvsp[0].v.string);
3660 YYERRORgoto yyerrlab;
3661 }
3662 free(yyvsp[0].v.string);
3663 ipsec_transforms->groupxf = xfs;
3664 ipsec_transforms->ngroupxf++;
3665 }
3666break;
3667case 92:
3668#line 930 "/usr/src/sbin/iked/parse.y"
3669{
3670 const struct ipsec_xf **xfs = ipsec_transforms->esnxf;
3671 size_t nxfs = ipsec_transforms->nesnxf;
3672 xfs = recallocarray(xfs, nxfs, nxfs + 1,
3673 sizeof(struct ipsec_xf *));
3674 if (xfs == NULL((void *)0))
3675 err(1, "transform: recallocarray");
3676 if ((xfs[nxfs] = parse_xf(yyvsp[0].v.string, 0, esnxfs)) == NULL((void *)0)) {
3677 yyerror("%s not a valid transform", yyvsp[0].v.string);
3678 YYERRORgoto yyerrlab;
3679 }
3680 ipsec_transforms->esnxf = xfs;
3681 ipsec_transforms->nesnxf++;
3682 }
3683break;
3684case 93:
3685#line 946 "/usr/src/sbin/iked/parse.y"
3686{ yyval.v.string = "esn"; }
3687break;
3688case 94:
3689#line 947 "/usr/src/sbin/iked/parse.y"
3690{ yyval.v.string = "noesn"; }
3691break;
3692case 95:
3693#line 950 "/usr/src/sbin/iked/parse.y"
3694{
3695 if ((ipsec_mode = calloc(1,
3696 sizeof(struct ipsec_mode))) == NULL((void *)0))
3697 err(1, "ike_sas: calloc");
3698 }
3699break;
3700case 96:
3701#line 955 "/usr/src/sbin/iked/parse.y"
3702{
3703 yyval.v.mode = ipsec_mode;
3704 }
3705break;
3706case 97:
3707#line 958 "/usr/src/sbin/iked/parse.y"
3708{
3709 yyval.v.mode = NULL((void *)0);
3710 }
3711break;
3712case 100:
3713#line 967 "/usr/src/sbin/iked/parse.y"
3714{
3715 if ((ipsec_mode->xfs = recallocarray(ipsec_mode->xfs,
3716 ipsec_mode->nxfs, ipsec_mode->nxfs + 1,
3717 sizeof(struct ipsec_transforms *))) == NULL((void *)0))
3718 err(1, "ike_sa: recallocarray");
3719 ipsec_mode->nxfs++;
3720 encxfs = ikeencxfs;
3721 }
3722break;
3723case 101:
3724#line 974 "/usr/src/sbin/iked/parse.y"
3725{
3726 ipsec_mode->xfs[ipsec_mode->nxfs - 1] = yyvsp[0].v.transforms;
3727 }
3728break;
3729case 102:
3730#line 979 "/usr/src/sbin/iked/parse.y"
3731{
3732 if ((ipsec_mode = calloc(1,
3733 sizeof(struct ipsec_mode))) == NULL((void *)0))
3734 err(1, "child_sas: calloc");
3735 }
3736break;
3737case 103:
3738#line 984 "/usr/src/sbin/iked/parse.y"
3739{
3740 yyval.v.mode = ipsec_mode;
3741 }
3742break;
3743case 104:
3744#line 987 "/usr/src/sbin/iked/parse.y"
3745{
3746 yyval.v.mode = NULL((void *)0);
3747 }
3748break;
3749case 107:
3750#line 996 "/usr/src/sbin/iked/parse.y"
3751{
3752 if ((ipsec_mode->xfs = recallocarray(ipsec_mode->xfs,
3753 ipsec_mode->nxfs, ipsec_mode->nxfs + 1,
3754 sizeof(struct ipsec_transforms *))) == NULL((void *)0))
3755 err(1, "child_sa: recallocarray");
3756 ipsec_mode->nxfs++;
3757 encxfs = ipsecencxfs;
3758 }
3759break;
3760case 108:
3761#line 1003 "/usr/src/sbin/iked/parse.y"
3762{
3763 ipsec_mode->xfs[ipsec_mode->nxfs - 1] = yyvsp[0].v.transforms;
3764 }
3765break;
3766case 109:
3767#line 1008 "/usr/src/sbin/iked/parse.y"
3768{ yyval.v.ikemode = yyvsp[-3].v.ikemode | yyvsp[-2].v.ikemode | yyvsp[-1].v.ikemode | yyvsp[0].v.ikemode; }
3769break;
3770case 110:
3771#line 1011 "/usr/src/sbin/iked/parse.y"
3772{ yyval.v.ikemode = 0; }
3773break;
3774case 111:
3775#line 1012 "/usr/src/sbin/iked/parse.y"
3776{ yyval.v.ikemode = IKED_POLICY_QUICK0x08; }
3777break;
3778case 112:
3779#line 1013 "/usr/src/sbin/iked/parse.y"
3780{ yyval.v.ikemode = IKED_POLICY_SKIP0x10; }
3781break;
3782case 113:
3783#line 1014 "/usr/src/sbin/iked/parse.y"
3784{ yyval.v.ikemode = IKED_POLICY_DEFAULT0x01; }
3785break;
3786case 114:
3787#line 1017 "/usr/src/sbin/iked/parse.y"
3788{ yyval.v.ikemode = IKED_POLICY_PASSIVE0x00; }
3789break;
3790case 115:
3791#line 1018 "/usr/src/sbin/iked/parse.y"
3792{ yyval.v.ikemode = IKED_POLICY_PASSIVE0x00; }
3793break;
3794case 116:
3795#line 1019 "/usr/src/sbin/iked/parse.y"
3796{ yyval.v.ikemode = IKED_POLICY_ACTIVE0x02; }
3797break;
3798case 117:
3799#line 1022 "/usr/src/sbin/iked/parse.y"
3800{ yyval.v.ikemode = 0; }
3801break;
3802case 118:
3803#line 1023 "/usr/src/sbin/iked/parse.y"
3804{ yyval.v.ikemode = IKED_POLICY_IPCOMP0x20; }
3805break;
3806case 119:
3807#line 1026 "/usr/src/sbin/iked/parse.y"
3808{ yyval.v.ikemode = 0; }
3809break;
3810case 120:
3811#line 1027 "/usr/src/sbin/iked/parse.y"
3812{ yyval.v.ikemode = 0; }
3813break;
3814case 121:
3815#line 1028 "/usr/src/sbin/iked/parse.y"
3816{ yyval.v.ikemode = IKED_POLICY_TRANSPORT0x40; }
3817break;
3818case 122:
3819#line 1031 "/usr/src/sbin/iked/parse.y"
3820{
3821 yyval.v.ikeauth.auth_method = IKEV2_AUTH_SIG_ANY255; /* default */
3822 yyval.v.ikeauth.auth_eap = 0;
3823 yyval.v.ikeauth.auth_length = 0;
3824 }
3825break;
3826case 123:
3827#line 1036 "/usr/src/sbin/iked/parse.y"
3828{
3829 memcpy(&yyval.v.ikeauth, &yyvsp[0].v.ikekey, sizeof(yyval.v.ikeauth));
3830 yyval.v.ikeauth.auth_method = IKEV2_AUTH_SHARED_KEY_MIC2;
3831 yyval.v.ikeauth.auth_eap = 0;
3832 explicit_bzero(&yyvsp[0].v.ikekey, sizeof(yyvsp[0].v.ikekey));
3833 }
3834break;
3835case 124:
3836#line 1042 "/usr/src/sbin/iked/parse.y"
3837{
3838 unsigned int i;
3839
3840 for (i = 0; i < strlen(yyvsp[0].v.string); i++)
3841 if (yyvsp[0].v.string[i] == '-')
3842 yyvsp[0].v.string[i] = '_';
3843
3844 if (strcasecmp("mschap_v2", yyvsp[0].v.string) != 0) {
3845 yyerror("unsupported EAP method: %s", yyvsp[0].v.string);
3846 free(yyvsp[0].v.string);
3847 YYERRORgoto yyerrlab;
3848 }
3849 free(yyvsp[0].v.string);
3850
3851 yyval.v.ikeauth.auth_method = IKEV2_AUTH_SIG_ANY255;
3852 yyval.v.ikeauth.auth_eap = EAP_TYPE_MSCHAP_V226;
3853 yyval.v.ikeauth.auth_length = 0;
3854 }
3855break;
3856case 125:
3857#line 1060 "/usr/src/sbin/iked/parse.y"
3858{
3859 const struct ipsec_xf *xf;
3860
3861 if ((xf = parse_xf(yyvsp[0].v.string, 0, methodxfs)) == NULL((void *)0) ||
3862 xf->id == IKEV2_AUTH_NONE0) {
3863 yyerror("not a valid authentication mode");
3864 free(yyvsp[0].v.string);
3865 YYERRORgoto yyerrlab;
3866 }
3867 free(yyvsp[0].v.string);
3868
3869 yyval.v.ikeauth.auth_method = xf->id;
3870 yyval.v.ikeauth.auth_eap = 0;
3871 yyval.v.ikeauth.auth_length = 0;
3872 }
3873break;
3874case 126:
3875#line 1077 "/usr/src/sbin/iked/parse.y"
3876{
3877 yyval.v.number = yyvsp[0].v.number;
3878 }
3879break;
3880case 127:
3881#line 1080 "/usr/src/sbin/iked/parse.y"
3882{
3883 uint64_t bytes = 0;
3884 char unit = 0;
3885
3886 if (sscanf(yyvsp[0].v.string, "%llu%c", &bytes, &unit) != 2) {
3887 yyerror("invalid byte specification: %s", yyvsp[0].v.string);
3888 YYERRORgoto yyerrlab;
3889 }
3890 free(yyvsp[0].v.string);
3891 switch (toupper((unsigned char)unit)) {
3892 case 'K':
3893 bytes *= 1024;
3894 break;
3895 case 'M':
3896 bytes *= 1024 * 1024;
3897 break;
3898 case 'G':
3899 bytes *= 1024 * 1024 * 1024;
3900 break;
3901 default:
3902 yyerror("invalid byte unit");
3903 YYERRORgoto yyerrlab;
3904 }
3905 yyval.v.number = bytes;
3906 }
3907break;
3908case 128:
3909#line 1107 "/usr/src/sbin/iked/parse.y"
3910{
3911 yyval.v.number = yyvsp[0].v.number;
3912 }
3913break;
3914case 129:
3915#line 1110 "/usr/src/sbin/iked/parse.y"
3916{
3917 uint64_t seconds = 0;
3918 char unit = 0;
3919
3920 if (sscanf(yyvsp[0].v.string, "%llu%c", &seconds, &unit) != 2) {
3921 yyerror("invalid time specification: %s", yyvsp[0].v.string);
3922 YYERRORgoto yyerrlab;
3923 }
3924 free(yyvsp[0].v.string);
3925 switch (tolower((unsigned char)unit)) {
3926 case 'm':
3927 seconds *= 60;
3928 break;
3929 case 'h':
3930 seconds *= 60 * 60;
3931 break;
3932 default:
3933 yyerror("invalid time unit");
3934 YYERRORgoto yyerrlab;
3935 }
3936 yyval.v.number = seconds;
3937 }
3938break;
3939case 130:
3940#line 1134 "/usr/src/sbin/iked/parse.y"
3941{
3942 yyval.v.lifetime = deflifetime;
3943 }
3944break;
3945case 131:
3946#line 1137 "/usr/src/sbin/iked/parse.y"
3947{
3948 yyval.v.lifetime.lt_seconds = yyvsp[0].v.number;
3949 yyval.v.lifetime.lt_bytes = deflifetime.lt_bytes;
3950 }
3951break;
3952case 132:
3953#line 1141 "/usr/src/sbin/iked/parse.y"
3954{
3955 yyval.v.lifetime.lt_seconds = yyvsp[-2].v.number;
3956 yyval.v.lifetime.lt_bytes = yyvsp[0].v.number;
3957 }
3958break;
3959case 133:
3960#line 1147 "/usr/src/sbin/iked/parse.y"
3961{
3962 yyval.v.number = 0;
3963 }
3964break;
3965case 134:
3966#line 1150 "/usr/src/sbin/iked/parse.y"
3967{
3968 yyval.v.number = yyvsp[0].v.number;
3969 }
3970break;
3971case 135:
3972#line 1154 "/usr/src/sbin/iked/parse.y"
3973{
3974 uint8_t *hex;
3975
3976 bzero(&yyval.v.ikekey, sizeof(yyval.v.ikekey));
3977
3978 hex = yyvsp[0].v.string;
3979 if (strncmp(hex, "0x", 2) == 0) {
3980 hex += 2;
3981 if (parsekey(hex, strlen(hex), &yyval.v.ikekey) != 0) {
3982 free(yyvsp[0].v.string);
3983 YYERRORgoto yyerrlab;
3984 }
3985 } else {
3986 if (strlen(yyvsp[0].v.string) > sizeof(yyval.v.ikekey.auth_data)) {
3987 yyerror("psk too long");
3988 free(yyvsp[0].v.string);
3989 YYERRORgoto yyerrlab;
3990 }
3991 strlcpy(yyval.v.ikekey.auth_data, yyvsp[0].v.string,
3992 sizeof(yyval.v.ikekey.auth_data));
3993 yyval.v.ikekey.auth_length = strlen(yyvsp[0].v.string);
3994 }
3995 freezero(yyvsp[0].v.string, strlen(yyvsp[0].v.string));
3996 }
3997break;
3998case 136:
3999#line 1178 "/usr/src/sbin/iked/parse.y"
4000{
4001 if (parsekeyfile(yyvsp[0].v.string, &yyval.v.ikekey) != 0) {
4002 free(yyvsp[0].v.string);
4003 YYERRORgoto yyerrlab;
4004 }
4005 free(yyvsp[0].v.string);
4006 }
4007break;
4008case 137:
4009#line 1187 "/usr/src/sbin/iked/parse.y"
4010{
4011 if ((ipsec_filters = calloc(1,
4012 sizeof(struct ipsec_filters))) == NULL((void *)0))
4013 err(1, "filters: calloc");
4014 }
4015break;
4016case 138:
4017#line 1192 "/usr/src/sbin/iked/parse.y"
4018{
4019 yyval.v.filters = ipsec_filters;
4020 }
4021break;
4022case 139:
4023#line 1195 "/usr/src/sbin/iked/parse.y"
4024{
4025 yyval.v.filters = NULL((void *)0);
4026 }
4027break;
4028case 142:
4029#line 1205 "/usr/src/sbin/iked/parse.y"
4030{
4031 ipsec_filters->tag = yyvsp[0].v.string;
4032 }
4033break;
4034case 143:
4035#line 1209 "/usr/src/sbin/iked/parse.y"
4036{
4037 const char *errstr = NULL((void *)0);
4038 size_t len;
4039
4040 len = strcspn(yyvsp[0].v.string, "0123456789");
4041 if (strlen("enc") != len ||
4042 strncmp("enc", yyvsp[0].v.string, len) != 0) {
4043 yyerror("invalid tap interface name: %s", yyvsp[0].v.string);
4044 free(yyvsp[0].v.string);
4045 YYERRORgoto yyerrlab;
4046 }
4047 ipsec_filters->tap =
4048 strtonum(yyvsp[0].v.string + len, 0, UINT_MAX0xffffffffU, &errstr);
4049 free(yyvsp[0].v.string);
4050 if (errstr != NULL((void *)0)) {
4051 yyerror("invalid tap interface unit: %s",
4052 errstr);
4053 YYERRORgoto yyerrlab;
4054 }
4055 }
4056break;
4057case 144:
4058#line 1231 "/usr/src/sbin/iked/parse.y"
4059{
4060 yyval.v.string = NULL((void *)0);
4061 }
4062break;
4063case 145:
4064#line 1234 "/usr/src/sbin/iked/parse.y"
4065{
4066 yyval.v.string = yyvsp[0].v.string;
4067 }
4068break;
4069case 146:
4070#line 1239 "/usr/src/sbin/iked/parse.y"
4071{
4072 if (asprintf(&yyval.v.string, "%s %s", yyvsp[-1].v.string, yyvsp[0].v.string) == -1)
4073 err(1, "string: asprintf");
4074 free(yyvsp[-1].v.string);
4075 free(yyvsp[0].v.string);
4076 }
4077break;
4078case 148:
4079#line 1249 "/usr/src/sbin/iked/parse.y"
4080{
4081 char *s = yyvsp[-2].v.string;
4082 log_debug("%s = \"%s\"\n", yyvsp[-2].v.string, yyvsp[0].v.string);
4083 while (*s++) {
4084 if (isspace((unsigned char)*s)) {
4085 yyerror("macro name cannot contain "
4086 "whitespace");
4087 free(yyvsp[-2].v.string);
4088 free(yyvsp[0].v.string);
4089 YYERRORgoto yyerrlab;
4090 }
4091 }
4092 if (symset(yyvsp[-2].v.string, yyvsp[0].v.string, 0) == -1)
4093 err(1, "cannot store variable");
4094 free(yyvsp[-2].v.string);
4095 free(yyvsp[0].v.string);
4096 }
4097break;
4098case 158:
4099#line 1287 "/usr/src/sbin/iked/parse.y"
4100{
4101 int c;
4102
4103 while ((c = lgetc(0)) != '\n' && c != EOF(-1))
4104 ; /* nothing */
4105 if (c == '\n')
4106 lungetc(c);
4107 }
4108break;
4109#line 4102 "parse.c"
4110 }
4111 yyssp -= yym;
4112 yystate = *yyssp;
4113 yyvsp -= yym;
4114 yym = yylhs[yyn];
4115 if (yystate == 0 && yym == 0)
4116 {
4117#if YYDEBUG0
4118 if (yydebug)
4119 printf("%sdebug: after reduction, shifting from state 0 to\
4120 state %d\n", YYPREFIX"yy", YYFINAL1);
4121#endif
4122 yystate = YYFINAL1;
4123 *++yyssp = YYFINAL1;
4124 *++yyvsp = yyval;
4125 if (yychar < 0)
4126 {
4127 if ((yychar = yylex()) < 0) yychar = 0;
4128#if YYDEBUG0
4129 if (yydebug)
4130 {
4131 yys = 0;
4132 if (yychar <= YYMAXTOKEN330) yys = yyname[yychar];
4133 if (!yys) yys = "illegal-symbol";
4134 printf("%sdebug: state %d, reading %d (%s)\n",
4135 YYPREFIX"yy", YYFINAL1, yychar, yys);
4136 }
4137#endif
4138 }
4139 if (yychar == 0) goto yyaccept;
4140 goto yyloop;
4141 }
4142 if ((yyn = yygindex[yym]) && (yyn += yystate) >= 0 &&
4143 yyn <= YYTABLESIZE745 && yycheck[yyn] == yystate)
4144 yystate = yytable[yyn];
4145 else
4146 yystate = yydgoto[yym];
4147#if YYDEBUG0
4148 if (yydebug)
4149 printf("%sdebug: after reduction, shifting from state %d \
4150to state %d\n", YYPREFIX"yy", *yyssp, yystate);
4151#endif
4152 if (yyssp >= yysslim && yygrowstack())
4153 {
4154 goto yyoverflow;
4155 }
4156 *++yyssp = yystate;
4157 *++yyvsp = yyval;
4158 goto yyloop;
4159yyoverflow:
4160 yyerror("yacc stack overflow");
4161yyabort:
4162 if (yyss)
4163 free(yyss);
4164 if (yyvs)
4165 free(yyvs);
4166 yyss = yyssp = NULL((void *)0);
4167 yyvs = yyvsp = NULL((void *)0);
4168 yystacksize = 0;
4169 return (1);
4170yyaccept:
4171 if (yyss)
4172 free(yyss);
4173 if (yyvs)
4174 free(yyvs);
4175 yyss = yyssp = NULL((void *)0);
4176 yyvs = yyvsp = NULL((void *)0);
4177 yystacksize = 0;
4178 return (0);
4179}