File: | src/sbin/iked/obj/parse.c |
Warning: | line 2016, column 4 Value stored to 's6' is never read |
Press '?' to see keyboard shortcuts
Keyboard shortcuts:
1 | #include <stdlib.h> |
2 | #include <string.h> |
3 | #define YYBYACC1 1 |
4 | #define YYMAJOR1 1 |
5 | #define YYMINOR9 9 |
6 | #define YYLEXyylex() yylex() |
7 | #define YYEMPTY-1 -1 |
8 | #define yyclearin(yychar=(-1)) (yychar=(YYEMPTY-1)) |
9 | #define yyerrok(yyerrflag=0) (yyerrflag=0) |
10 | #define YYRECOVERING()(yyerrflag!=0) (yyerrflag!=0) |
11 | #define YYPREFIX"yy" "yy" |
12 | #line 26 "/usr/src/sbin/iked/parse.y" |
13 | #include <sys/types.h> |
14 | #include <sys/ioctl.h> |
15 | #include <sys/queue.h> |
16 | #include <sys/socket.h> |
17 | #include <sys/stat.h> |
18 | #include <net/if.h> |
19 | #include <netinet/in.h> |
20 | #include <netinet/ip_ipsp.h> |
21 | #include <arpa/inet.h> |
22 | |
23 | #include <ctype.h> |
24 | #include <err.h> |
25 | #include <errno(*__errno()).h> |
26 | #include <fcntl.h> |
27 | #include <ifaddrs.h> |
28 | #include <limits.h> |
29 | #include <netdb.h> |
30 | #include <stdarg.h> |
31 | #include <stdio.h> |
32 | #include <stdlib.h> |
33 | #include <string.h> |
34 | #include <syslog.h> |
35 | #include <unistd.h> |
36 | #include <event.h> |
37 | |
38 | #include "iked.h" |
39 | #include "ikev2.h" |
40 | #include "eap.h" |
41 | |
42 | TAILQ_HEAD(files, file)struct files { struct file *tqh_first; struct file **tqh_last ; } files = TAILQ_HEAD_INITIALIZER(files){ ((void *)0), &(files).tqh_first }; |
43 | static struct file { |
44 | TAILQ_ENTRY(file)struct { struct file *tqe_next; struct file **tqe_prev; } entry; |
45 | FILE *stream; |
46 | char *name; |
47 | size_t ungetpos; |
48 | size_t ungetsize; |
49 | u_char *ungetbuf; |
50 | int eof_reached; |
51 | int lineno; |
52 | int errors; |
53 | } *file, *topfile; |
54 | struct file *pushfile(const char *, int); |
55 | int popfile(void); |
56 | int check_file_secrecy(int, const char *); |
57 | int yyparse(void); |
58 | int yylex(void); |
59 | int yyerror(const char *, ...) |
60 | __attribute__((__format__ (printf, 1, 2))) |
61 | __attribute__((__nonnull__ (1))); |
62 | int kw_cmp(const void *, const void *); |
63 | int lookup(char *); |
64 | int igetc(void); |
65 | int lgetc(int); |
66 | void lungetc(int); |
67 | int findeol(void); |
68 | |
69 | TAILQ_HEAD(symhead, sym)struct symhead { struct sym *tqh_first; struct sym **tqh_last ; } symhead = TAILQ_HEAD_INITIALIZER(symhead){ ((void *)0), &(symhead).tqh_first }; |
70 | struct sym { |
71 | TAILQ_ENTRY(sym)struct { struct sym *tqe_next; struct sym **tqe_prev; } entry; |
72 | int used; |
73 | int persist; |
74 | char *nam; |
75 | char *val; |
76 | }; |
77 | int symset(const char *, const char *, int); |
78 | char *symget(const char *); |
79 | |
80 | #define KEYSIZE_LIMIT1024 1024 |
81 | |
82 | static struct iked *env = NULL((void *)0); |
83 | static int debug = 0; |
84 | static int rules = 0; |
85 | static int passive = 0; |
86 | static int decouple = 0; |
87 | static int mobike = 1; |
88 | static int enforcesingleikesa = 0; |
89 | static int stickyaddress = 0; |
90 | static int fragmentation = 0; |
91 | static int vendorid = 1; |
92 | static int dpd_interval = IKED_IKE_SA_ALIVE_TIMEOUT60; |
93 | static char *ocsp_url = NULL((void *)0); |
94 | static long ocsp_tolerate = 0; |
95 | static long ocsp_maxage = -1; |
96 | static int cert_partial_chain = 0; |
97 | |
98 | struct iked_transform ikev2_default_ike_transforms[] = { |
99 | { IKEV2_XFORMTYPE_ENCR1, IKEV2_XFORMENCR_AES_CBC12, 256 }, |
100 | { IKEV2_XFORMTYPE_ENCR1, IKEV2_XFORMENCR_AES_CBC12, 192 }, |
101 | { IKEV2_XFORMTYPE_ENCR1, IKEV2_XFORMENCR_AES_CBC12, 128 }, |
102 | { IKEV2_XFORMTYPE_ENCR1, IKEV2_XFORMENCR_3DES3 }, |
103 | { IKEV2_XFORMTYPE_PRF2, IKEV2_XFORMPRF_HMAC_SHA2_2565 }, |
104 | { IKEV2_XFORMTYPE_PRF2, IKEV2_XFORMPRF_HMAC_SHA2_3846 }, |
105 | { IKEV2_XFORMTYPE_PRF2, IKEV2_XFORMPRF_HMAC_SHA2_5127 }, |
106 | { IKEV2_XFORMTYPE_PRF2, IKEV2_XFORMPRF_HMAC_SHA12 }, |
107 | { IKEV2_XFORMTYPE_INTEGR3, IKEV2_XFORMAUTH_HMAC_SHA2_256_12812 }, |
108 | { IKEV2_XFORMTYPE_INTEGR3, IKEV2_XFORMAUTH_HMAC_SHA2_384_19213 }, |
109 | { IKEV2_XFORMTYPE_INTEGR3, IKEV2_XFORMAUTH_HMAC_SHA2_512_25614 }, |
110 | { IKEV2_XFORMTYPE_INTEGR3, IKEV2_XFORMAUTH_HMAC_SHA1_962 }, |
111 | { IKEV2_XFORMTYPE_DH4, IKEV2_XFORMDH_CURVE2551931 }, |
112 | { IKEV2_XFORMTYPE_DH4, IKEV2_XFORMDH_ECP_52121 }, |
113 | { IKEV2_XFORMTYPE_DH4, IKEV2_XFORMDH_ECP_38420 }, |
114 | { IKEV2_XFORMTYPE_DH4, IKEV2_XFORMDH_ECP_25619 }, |
115 | { IKEV2_XFORMTYPE_DH4, IKEV2_XFORMDH_MODP_409616 }, |
116 | { IKEV2_XFORMTYPE_DH4, IKEV2_XFORMDH_MODP_307215 }, |
117 | { IKEV2_XFORMTYPE_DH4, IKEV2_XFORMDH_MODP_204814 }, |
118 | { IKEV2_XFORMTYPE_DH4, IKEV2_XFORMDH_MODP_15365 }, |
119 | { IKEV2_XFORMTYPE_DH4, IKEV2_XFORMDH_MODP_10242 }, |
120 | { 0 } |
121 | }; |
122 | size_t ikev2_default_nike_transforms = ((sizeof(ikev2_default_ike_transforms) / |
123 | sizeof(ikev2_default_ike_transforms[0])) - 1); |
124 | |
125 | struct iked_transform ikev2_default_ike_transforms_noauth[] = { |
126 | { IKEV2_XFORMTYPE_ENCR1, IKEV2_XFORMENCR_AES_GCM_1620, 128 }, |
127 | { IKEV2_XFORMTYPE_ENCR1, IKEV2_XFORMENCR_AES_GCM_1620, 256 }, |
128 | { IKEV2_XFORMTYPE_PRF2, IKEV2_XFORMPRF_HMAC_SHA2_2565 }, |
129 | { IKEV2_XFORMTYPE_PRF2, IKEV2_XFORMPRF_HMAC_SHA2_3846 }, |
130 | { IKEV2_XFORMTYPE_PRF2, IKEV2_XFORMPRF_HMAC_SHA2_5127 }, |
131 | { IKEV2_XFORMTYPE_PRF2, IKEV2_XFORMPRF_HMAC_SHA12 }, |
132 | { IKEV2_XFORMTYPE_DH4, IKEV2_XFORMDH_CURVE2551931 }, |
133 | { IKEV2_XFORMTYPE_DH4, IKEV2_XFORMDH_ECP_52121 }, |
134 | { IKEV2_XFORMTYPE_DH4, IKEV2_XFORMDH_ECP_38420 }, |
135 | { IKEV2_XFORMTYPE_DH4, IKEV2_XFORMDH_ECP_25619 }, |
136 | { IKEV2_XFORMTYPE_DH4, IKEV2_XFORMDH_MODP_409616 }, |
137 | { IKEV2_XFORMTYPE_DH4, IKEV2_XFORMDH_MODP_307215 }, |
138 | { IKEV2_XFORMTYPE_DH4, IKEV2_XFORMDH_MODP_204814 }, |
139 | { IKEV2_XFORMTYPE_DH4, IKEV2_XFORMDH_MODP_15365 }, |
140 | { IKEV2_XFORMTYPE_DH4, IKEV2_XFORMDH_MODP_10242 }, |
141 | { 0 } |
142 | }; |
143 | size_t ikev2_default_nike_transforms_noauth = |
144 | ((sizeof(ikev2_default_ike_transforms_noauth) / |
145 | sizeof(ikev2_default_ike_transforms_noauth[0])) - 1); |
146 | |
147 | struct iked_transform ikev2_default_esp_transforms[] = { |
148 | { IKEV2_XFORMTYPE_ENCR1, IKEV2_XFORMENCR_AES_CBC12, 256 }, |
149 | { IKEV2_XFORMTYPE_ENCR1, IKEV2_XFORMENCR_AES_CBC12, 192 }, |
150 | { IKEV2_XFORMTYPE_ENCR1, IKEV2_XFORMENCR_AES_CBC12, 128 }, |
151 | { IKEV2_XFORMTYPE_INTEGR3, IKEV2_XFORMAUTH_HMAC_SHA2_256_12812 }, |
152 | { IKEV2_XFORMTYPE_INTEGR3, IKEV2_XFORMAUTH_HMAC_SHA2_384_19213 }, |
153 | { IKEV2_XFORMTYPE_INTEGR3, IKEV2_XFORMAUTH_HMAC_SHA2_512_25614 }, |
154 | { IKEV2_XFORMTYPE_INTEGR3, IKEV2_XFORMAUTH_HMAC_SHA1_962 }, |
155 | { IKEV2_XFORMTYPE_DH4, IKEV2_XFORMDH_NONE0 }, |
156 | { IKEV2_XFORMTYPE_ESN5, IKEV2_XFORMESN_ESN1 }, |
157 | { IKEV2_XFORMTYPE_ESN5, IKEV2_XFORMESN_NONE0 }, |
158 | { 0 } |
159 | }; |
160 | size_t ikev2_default_nesp_transforms = ((sizeof(ikev2_default_esp_transforms) / |
161 | sizeof(ikev2_default_esp_transforms[0])) - 1); |
162 | |
163 | struct iked_transform ikev2_default_esp_transforms_noauth[] = { |
164 | { IKEV2_XFORMTYPE_ENCR1, IKEV2_XFORMENCR_AES_GCM_1620, 128 }, |
165 | { IKEV2_XFORMTYPE_ENCR1, IKEV2_XFORMENCR_AES_GCM_1620, 256 }, |
166 | { IKEV2_XFORMTYPE_DH4, IKEV2_XFORMDH_NONE0 }, |
167 | { IKEV2_XFORMTYPE_ESN5, IKEV2_XFORMESN_ESN1 }, |
168 | { IKEV2_XFORMTYPE_ESN5, IKEV2_XFORMESN_NONE0 }, |
169 | { 0 } |
170 | }; |
171 | size_t ikev2_default_nesp_transforms_noauth = |
172 | ((sizeof(ikev2_default_esp_transforms_noauth) / |
173 | sizeof(ikev2_default_esp_transforms_noauth[0])) - 1); |
174 | |
175 | const struct ipsec_xf authxfs[] = { |
176 | { "hmac-md5", IKEV2_XFORMAUTH_HMAC_MD5_961, 16 }, |
177 | { "hmac-sha1", IKEV2_XFORMAUTH_HMAC_SHA1_962, 20 }, |
178 | { "hmac-sha2-256", IKEV2_XFORMAUTH_HMAC_SHA2_256_12812, 32 }, |
179 | { "hmac-sha2-384", IKEV2_XFORMAUTH_HMAC_SHA2_384_19213, 48 }, |
180 | { "hmac-sha2-512", IKEV2_XFORMAUTH_HMAC_SHA2_512_25614, 64 }, |
181 | { NULL((void *)0) } |
182 | }; |
183 | |
184 | const struct ipsec_xf prfxfs[] = { |
185 | { "hmac-md5", IKEV2_XFORMPRF_HMAC_MD51, 16 }, |
186 | { "hmac-sha1", IKEV2_XFORMPRF_HMAC_SHA12, 20 }, |
187 | { "hmac-sha2-256", IKEV2_XFORMPRF_HMAC_SHA2_2565, 32 }, |
188 | { "hmac-sha2-384", IKEV2_XFORMPRF_HMAC_SHA2_3846, 48 }, |
189 | { "hmac-sha2-512", IKEV2_XFORMPRF_HMAC_SHA2_5127, 64 }, |
190 | { NULL((void *)0) } |
191 | }; |
192 | |
193 | const struct ipsec_xf *encxfs = NULL((void *)0); |
194 | |
195 | const struct ipsec_xf ikeencxfs[] = { |
196 | { "3des", IKEV2_XFORMENCR_3DES3, 24 }, |
197 | { "3des-cbc", IKEV2_XFORMENCR_3DES3, 24 }, |
198 | { "aes-128", IKEV2_XFORMENCR_AES_CBC12, 16, 16 }, |
199 | { "aes-192", IKEV2_XFORMENCR_AES_CBC12, 24, 24 }, |
200 | { "aes-256", IKEV2_XFORMENCR_AES_CBC12, 32, 32 }, |
201 | { "aes-128-gcm", IKEV2_XFORMENCR_AES_GCM_1620, 16, 16, 4, 1 }, |
202 | { "aes-256-gcm", IKEV2_XFORMENCR_AES_GCM_1620, 32, 32, 4, 1 }, |
203 | { "aes-128-gcm-12", IKEV2_XFORMENCR_AES_GCM_1219, 16, 16, 4, 1 }, |
204 | { "aes-256-gcm-12", IKEV2_XFORMENCR_AES_GCM_1219, 32, 32, 4, 1 }, |
205 | { NULL((void *)0) } |
206 | }; |
207 | |
208 | const struct ipsec_xf ipsecencxfs[] = { |
209 | { "3des", IKEV2_XFORMENCR_3DES3, 24 }, |
210 | { "3des-cbc", IKEV2_XFORMENCR_3DES3, 24 }, |
211 | { "aes-128", IKEV2_XFORMENCR_AES_CBC12, 16, 16 }, |
212 | { "aes-192", IKEV2_XFORMENCR_AES_CBC12, 24, 24 }, |
213 | { "aes-256", IKEV2_XFORMENCR_AES_CBC12, 32, 32 }, |
214 | { "aes-128-ctr", IKEV2_XFORMENCR_AES_CTR13, 16, 16, 4 }, |
215 | { "aes-192-ctr", IKEV2_XFORMENCR_AES_CTR13, 24, 24, 4 }, |
216 | { "aes-256-ctr", IKEV2_XFORMENCR_AES_CTR13, 32, 32, 4 }, |
217 | { "aes-128-gcm", IKEV2_XFORMENCR_AES_GCM_1620, 16, 16, 4, 1 }, |
218 | { "aes-192-gcm", IKEV2_XFORMENCR_AES_GCM_1620, 24, 24, 4, 1 }, |
219 | { "aes-256-gcm", IKEV2_XFORMENCR_AES_GCM_1620, 32, 32, 4, 1 }, |
220 | { "aes-128-gmac", IKEV2_XFORMENCR_NULL_AES_GMAC21, 16, 16, 4, 1 }, |
221 | { "aes-192-gmac", IKEV2_XFORMENCR_NULL_AES_GMAC21, 24, 24, 4, 1 }, |
222 | { "aes-256-gmac", IKEV2_XFORMENCR_NULL_AES_GMAC21, 32, 32, 4, 1 }, |
223 | { "blowfish", IKEV2_XFORMENCR_BLOWFISH7, 20, 20 }, |
224 | { "cast", IKEV2_XFORMENCR_CAST6, 16, 16 }, |
225 | { "chacha20-poly1305", IKEV2_XFORMENCR_CHACHA20_POLY130528, |
226 | 32, 32, 4, 1 }, |
227 | { "null", IKEV2_XFORMENCR_NULL11, 0, 0 }, |
228 | { NULL((void *)0) } |
229 | }; |
230 | |
231 | const struct ipsec_xf groupxfs[] = { |
232 | { "none", IKEV2_XFORMDH_NONE0 }, |
233 | { "modp768", IKEV2_XFORMDH_MODP_7681 }, |
234 | { "grp1", IKEV2_XFORMDH_MODP_7681 }, |
235 | { "modp1024", IKEV2_XFORMDH_MODP_10242 }, |
236 | { "grp2", IKEV2_XFORMDH_MODP_10242 }, |
237 | { "modp1536", IKEV2_XFORMDH_MODP_15365 }, |
238 | { "grp5", IKEV2_XFORMDH_MODP_15365 }, |
239 | { "modp2048", IKEV2_XFORMDH_MODP_204814 }, |
240 | { "grp14", IKEV2_XFORMDH_MODP_204814 }, |
241 | { "modp3072", IKEV2_XFORMDH_MODP_307215 }, |
242 | { "grp15", IKEV2_XFORMDH_MODP_307215 }, |
243 | { "modp4096", IKEV2_XFORMDH_MODP_409616 }, |
244 | { "grp16", IKEV2_XFORMDH_MODP_409616 }, |
245 | { "modp6144", IKEV2_XFORMDH_MODP_614417 }, |
246 | { "grp17", IKEV2_XFORMDH_MODP_614417 }, |
247 | { "modp8192", IKEV2_XFORMDH_MODP_819218 }, |
248 | { "grp18", IKEV2_XFORMDH_MODP_819218 }, |
249 | { "ecp256", IKEV2_XFORMDH_ECP_25619 }, |
250 | { "grp19", IKEV2_XFORMDH_ECP_25619 }, |
251 | { "ecp384", IKEV2_XFORMDH_ECP_38420 }, |
252 | { "grp20", IKEV2_XFORMDH_ECP_38420 }, |
253 | { "ecp521", IKEV2_XFORMDH_ECP_52121 }, |
254 | { "grp21", IKEV2_XFORMDH_ECP_52121 }, |
255 | { "ecp192", IKEV2_XFORMDH_ECP_19225 }, |
256 | { "grp25", IKEV2_XFORMDH_ECP_19225 }, |
257 | { "ecp224", IKEV2_XFORMDH_ECP_22426 }, |
258 | { "grp26", IKEV2_XFORMDH_ECP_22426 }, |
259 | { "brainpool224", IKEV2_XFORMDH_BRAINPOOL_P224R127 }, |
260 | { "grp27", IKEV2_XFORMDH_BRAINPOOL_P224R127 }, |
261 | { "brainpool256", IKEV2_XFORMDH_BRAINPOOL_P256R128 }, |
262 | { "grp28", IKEV2_XFORMDH_BRAINPOOL_P256R128 }, |
263 | { "brainpool384", IKEV2_XFORMDH_BRAINPOOL_P384R129 }, |
264 | { "grp29", IKEV2_XFORMDH_BRAINPOOL_P384R129 }, |
265 | { "brainpool512", IKEV2_XFORMDH_BRAINPOOL_P512R130 }, |
266 | { "grp30", IKEV2_XFORMDH_BRAINPOOL_P512R130 }, |
267 | { "curve25519", IKEV2_XFORMDH_CURVE2551931 }, |
268 | { "grp31", IKEV2_XFORMDH_CURVE2551931 }, |
269 | { "sntrup761x25519", IKEV2_XFORMDH_X_SNTRUP761X255191035 }, |
270 | { NULL((void *)0) } |
271 | }; |
272 | |
273 | const struct ipsec_xf esnxfs[] = { |
274 | { "esn", IKEV2_XFORMESN_ESN1 }, |
275 | { "noesn", IKEV2_XFORMESN_NONE0 }, |
276 | { NULL((void *)0) } |
277 | }; |
278 | |
279 | const struct ipsec_xf methodxfs[] = { |
280 | { "none", IKEV2_AUTH_NONE0 }, |
281 | { "rsa", IKEV2_AUTH_RSA_SIG1 }, |
282 | { "ecdsa256", IKEV2_AUTH_ECDSA_2569 }, |
283 | { "ecdsa384", IKEV2_AUTH_ECDSA_38410 }, |
284 | { "ecdsa521", IKEV2_AUTH_ECDSA_52111 }, |
285 | { "rfc7427", IKEV2_AUTH_SIG14 }, |
286 | { "signature", IKEV2_AUTH_SIG_ANY255 }, |
287 | { NULL((void *)0) } |
288 | }; |
289 | |
290 | const struct ipsec_xf saxfs[] = { |
291 | { "esp", IKEV2_SAPROTO_ESP3 }, |
292 | { "ah", IKEV2_SAPROTO_AH2 }, |
293 | { NULL((void *)0) } |
294 | }; |
295 | |
296 | const struct ipsec_xf cpxfs[] = { |
297 | { "address", IKEV2_CFG_INTERNAL_IP4_ADDRESS1, AF_INET2 }, |
298 | { "netmask", IKEV2_CFG_INTERNAL_IP4_NETMASK2, AF_INET2 }, |
299 | { "name-server", IKEV2_CFG_INTERNAL_IP4_DNS3, AF_INET2 }, |
300 | { "netbios-server", IKEV2_CFG_INTERNAL_IP4_NBNS4, AF_INET2 }, |
301 | { "dhcp-server", IKEV2_CFG_INTERNAL_IP4_DHCP6, AF_INET2 }, |
302 | { "address", IKEV2_CFG_INTERNAL_IP6_ADDRESS8, AF_INET624 }, |
303 | { "name-server", IKEV2_CFG_INTERNAL_IP6_DNS10, AF_INET624 }, |
304 | { "netbios-server", IKEV2_CFG_INTERNAL_IP6_NBNS11, AF_INET624 }, |
305 | { "dhcp-server", IKEV2_CFG_INTERNAL_IP6_DHCP12, AF_INET624 }, |
306 | { "protected-subnet", IKEV2_CFG_INTERNAL_IP4_SUBNET13, AF_INET2 }, |
307 | { "protected-subnet", IKEV2_CFG_INTERNAL_IP6_SUBNET15, AF_INET624 }, |
308 | { "access-server", IKEV2_CFG_INTERNAL_IP4_SERVER23456, AF_INET2 }, |
309 | { "access-server", IKEV2_CFG_INTERNAL_IP6_SERVER23457, AF_INET624 }, |
310 | { NULL((void *)0) } |
311 | }; |
312 | |
313 | const struct iked_lifetime deflifetime = { |
314 | IKED_LIFETIME_BYTES4294967296ULL, |
315 | IKED_LIFETIME_SECONDS10800 |
316 | }; |
317 | |
318 | #define IPSEC_ADDR_ANY(0x1) (0x1) |
319 | #define IPSEC_ADDR_DYNAMIC(0x2) (0x2) |
320 | |
321 | struct ipsec_addr_wrap { |
322 | struct sockaddr_storage address; |
323 | uint8_t mask; |
324 | int netaddress; |
325 | sa_family_t af; |
326 | unsigned int type; |
327 | unsigned int action; |
328 | uint16_t port; |
329 | char *name; |
330 | struct ipsec_addr_wrap *next; |
331 | struct ipsec_addr_wrap *tail; |
332 | struct ipsec_addr_wrap *srcnat; |
333 | }; |
334 | |
335 | struct ipsec_hosts { |
336 | struct ipsec_addr_wrap *src; |
337 | struct ipsec_addr_wrap *dst; |
338 | }; |
339 | |
340 | struct ipsec_filters { |
341 | char *tag; |
342 | unsigned int tap; |
343 | }; |
344 | |
345 | void copy_sockaddrtoipa(struct ipsec_addr_wrap *, |
346 | struct sockaddr *); |
347 | struct ipsec_addr_wrap *host(const char *); |
348 | struct ipsec_addr_wrap *host_ip(const char *, int); |
349 | struct ipsec_addr_wrap *host_dns(const char *, int); |
350 | struct ipsec_addr_wrap *host_if(const char *, int); |
351 | struct ipsec_addr_wrap *host_any(void); |
352 | struct ipsec_addr_wrap *host_dynamic(void); |
353 | void ifa_load(void); |
354 | int ifa_exists(const char *); |
355 | struct ipsec_addr_wrap *ifa_lookup(const char *ifa_name); |
356 | struct ipsec_addr_wrap *ifa_grouplookup(const char *); |
357 | void set_ipmask(struct ipsec_addr_wrap *, int); |
358 | const struct ipsec_xf *parse_xf(const char *, unsigned int, |
359 | const struct ipsec_xf *); |
360 | void copy_transforms(unsigned int, |
361 | const struct ipsec_xf **, unsigned int, |
362 | struct iked_transform **, unsigned int *, |
363 | struct iked_transform *, size_t); |
364 | int create_ike(char *, int, struct ipsec_addr_wrap *, |
365 | int, struct ipsec_hosts *, |
366 | struct ipsec_hosts *, struct ipsec_mode *, |
367 | struct ipsec_mode *, uint8_t, |
368 | uint8_t, char *, char *, |
369 | uint32_t, struct iked_lifetime *, |
370 | struct iked_auth *, struct ipsec_filters *, |
371 | struct ipsec_addr_wrap *, char *); |
372 | int create_user(const char *, const char *); |
373 | int get_id_type(char *); |
374 | uint8_t x2i(unsigned char *); |
375 | int parsekey(unsigned char *, size_t, struct iked_auth *); |
376 | int parsekeyfile(char *, struct iked_auth *); |
377 | void iaw_free(struct ipsec_addr_wrap *); |
378 | static int create_flow(struct iked_policy *pol, int, struct ipsec_addr_wrap *ipa, |
379 | struct ipsec_addr_wrap *ipb); |
380 | static int expand_flows(struct iked_policy *, int, struct ipsec_addr_wrap *, |
381 | struct ipsec_addr_wrap *); |
382 | static struct ipsec_addr_wrap * |
383 | expand_keyword(struct ipsec_addr_wrap *); |
384 | |
385 | struct ipsec_transforms *ipsec_transforms; |
386 | struct ipsec_filters *ipsec_filters; |
387 | struct ipsec_mode *ipsec_mode; |
388 | /* interface lookup routintes */ |
389 | struct ipsec_addr_wrap *iftab; |
390 | |
391 | typedef struct { |
392 | union { |
393 | int64_t number; |
394 | uint8_t ikemode; |
395 | uint8_t dir; |
396 | uint8_t satype; |
397 | char *string; |
398 | uint16_t port; |
399 | struct ipsec_hosts *hosts; |
400 | struct ipsec_hosts peers; |
401 | struct ipsec_addr_wrap *anyhost; |
402 | struct ipsec_addr_wrap *host; |
403 | struct ipsec_addr_wrap *cfg; |
404 | struct ipsec_addr_wrap *proto; |
405 | struct { |
406 | char *srcid; |
407 | char *dstid; |
408 | } ids; |
409 | char *id; |
410 | uint8_t type; |
411 | struct iked_lifetime lifetime; |
412 | struct iked_auth ikeauth; |
413 | struct iked_auth ikekey; |
414 | struct ipsec_transforms *transforms; |
415 | struct ipsec_filters *filters; |
416 | struct ipsec_mode *mode; |
417 | } v; |
418 | int lineno; |
419 | } YYSTYPE; |
420 | |
421 | #line 422 "parse.c" |
422 | #define FROM257 257 |
423 | #define ESP258 258 |
424 | #define AH259 259 |
425 | #define IN260 260 |
426 | #define PEER261 261 |
427 | #define ON262 262 |
428 | #define OUT263 263 |
429 | #define TO264 264 |
430 | #define SRCID265 265 |
431 | #define DSTID266 266 |
432 | #define PSK267 267 |
433 | #define PORT268 268 |
434 | #define FILENAME269 269 |
435 | #define AUTHXF270 270 |
436 | #define PRFXF271 271 |
437 | #define ENCXF272 272 |
438 | #define ERROR273 273 |
439 | #define IKEV2274 274 |
440 | #define IKESA275 275 |
441 | #define CHILDSA276 276 |
442 | #define ESN277 277 |
443 | #define NOESN278 278 |
444 | #define PASSIVE279 279 |
445 | #define ACTIVE280 280 |
446 | #define ANY281 281 |
447 | #define TAG282 282 |
448 | #define TAP283 283 |
449 | #define PROTO284 284 |
450 | #define LOCAL285 285 |
451 | #define GROUP286 286 |
452 | #define NAME287 287 |
453 | #define CONFIG288 288 |
454 | #define EAP289 289 |
455 | #define USER290 290 |
456 | #define IKEV1291 291 |
457 | #define FLOW292 292 |
458 | #define SA293 293 |
459 | #define TCPMD5294 294 |
460 | #define TUNNEL295 295 |
461 | #define TRANSPORT296 296 |
462 | #define COUPLE297 297 |
463 | #define DECOUPLE298 298 |
464 | #define SET299 299 |
465 | #define INCLUDE300 300 |
466 | #define LIFETIME301 301 |
467 | #define BYTES302 302 |
468 | #define INET303 303 |
469 | #define INET6304 304 |
470 | #define QUICK305 305 |
471 | #define SKIP306 306 |
472 | #define DEFAULT307 307 |
473 | #define IPCOMP308 308 |
474 | #define OCSP309 309 |
475 | #define IKELIFETIME310 310 |
476 | #define MOBIKE311 311 |
477 | #define NOMOBIKE312 312 |
478 | #define RDOMAIN313 313 |
479 | #define FRAGMENTATION314 314 |
480 | #define NOFRAGMENTATION315 315 |
481 | #define DPD_CHECK_INTERVAL316 316 |
482 | #define ENFORCESINGLEIKESA317 317 |
483 | #define NOENFORCESINGLEIKESA318 318 |
484 | #define STICKYADDRESS319 319 |
485 | #define NOSTICKYADDRESS320 320 |
486 | #define VENDORID321 321 |
487 | #define NOVENDORID322 322 |
488 | #define TOLERATE323 323 |
489 | #define MAXAGE324 324 |
490 | #define DYNAMIC325 325 |
491 | #define CERTPARTIALCHAIN326 326 |
492 | #define REQUEST327 327 |
493 | #define IFACE328 328 |
494 | #define STRING329 329 |
495 | #define NUMBER330 330 |
496 | #define YYERRCODE256 256 |
497 | const short yylhs[] = |
498 | { -1, |
499 | 0, 0, 0, 0, 0, 0, 0, 0, 0, 46, |
500 | 46, 39, 40, 40, 40, 40, 40, 40, 40, 40, |
501 | 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, |
502 | 40, 41, 42, 36, 36, 37, 37, 35, 35, 33, |
503 | 33, 2, 2, 2, 10, 10, 10, 3, 3, 3, |
504 | 4, 4, 5, 5, 11, 11, 7, 7, 6, 6, |
505 | 8, 8, 9, 9, 12, 12, 12, 12, 12, 13, |
506 | 13, 15, 15, 14, 14, 14, 14, 16, 16, 16, |
507 | 16, 17, 48, 18, 18, 47, 47, 49, 49, 49, |
508 | 49, 49, 38, 38, 51, 27, 27, 50, 50, 53, |
509 | 52, 55, 28, 28, 54, 54, 57, 56, 20, 21, |
510 | 21, 21, 21, 22, 22, 22, 23, 23, 24, 24, |
511 | 24, 25, 25, 25, 25, 30, 30, 31, 31, 29, |
512 | 29, 29, 32, 32, 26, 26, 59, 19, 19, 58, |
513 | 58, 60, 60, 34, 34, 1, 1, 43, 44, 44, |
514 | 44, 44, 61, 61, 61, 61, 61, 45, |
515 | }; |
516 | const short yylen[] = |
517 | { 2, |
518 | 0, 3, 2, 3, 3, 3, 3, 4, 3, 1, |
519 | 0, 2, 2, 2, 2, 2, 2, 2, 2, 2, |
520 | 2, 2, 2, 2, 2, 2, 3, 5, 7, 2, |
521 | 3, 3, 18, 0, 1, 1, 2, 3, 3, 0, |
522 | 1, 0, 1, 1, 0, 1, 1, 0, 2, 4, |
523 | 1, 3, 1, 1, 0, 2, 1, 3, 6, 6, |
524 | 0, 2, 1, 1, 0, 4, 4, 2, 2, 1, |
525 | 1, 1, 3, 1, 4, 1, 1, 0, 4, 2, |
526 | 2, 1, 0, 2, 0, 2, 1, 2, 2, 2, |
527 | 2, 1, 1, 1, 0, 2, 0, 2, 1, 0, |
528 | 3, 0, 2, 0, 2, 1, 0, 3, 4, 0, |
529 | 1, 1, 1, 0, 1, 1, 0, 1, 0, 1, |
530 | 1, 0, 2, 2, 1, 1, 1, 1, 1, 0, |
531 | 2, 4, 0, 2, 1, 2, 0, 2, 0, 2, |
532 | 1, 2, 2, 0, 2, 2, 1, 3, 1, 1, |
533 | 1, 1, 1, 1, 1, 1, 1, 0, |
534 | }; |
535 | const short yydefred[] = |
536 | { 1, |
537 | 0, 0, 154, 155, 0, 0, 149, 151, 153, 152, |
538 | 156, 157, 0, 0, 0, 3, 0, 0, 0, 0, |
539 | 0, 158, 150, 9, 41, 0, 0, 14, 13, 15, |
540 | 16, 0, 19, 20, 17, 18, 0, 23, 24, 25, |
541 | 26, 21, 22, 30, 12, 0, 2, 4, 5, 6, |
542 | 7, 0, 111, 112, 113, 0, 0, 32, 0, 31, |
543 | 147, 0, 8, 43, 44, 0, 115, 116, 0, 0, |
544 | 146, 46, 47, 0, 118, 0, 129, 128, 0, 0, |
545 | 0, 120, 121, 109, 0, 53, 54, 0, 49, 0, |
546 | 0, 29, 0, 51, 56, 0, 0, 57, 0, 10, |
547 | 50, 0, 76, 77, 0, 0, 0, 0, 0, 0, |
548 | 0, 0, 52, 0, 0, 0, 0, 0, 71, 0, |
549 | 70, 0, 0, 0, 58, 73, 63, 64, 62, 0, |
550 | 0, 0, 0, 0, 0, 0, 100, 0, 99, 0, |
551 | 75, 0, 66, 67, 0, 0, 0, 107, 0, 106, |
552 | 0, 98, 59, 60, 82, 0, 81, 0, 0, 0, |
553 | 105, 101, 0, 0, 134, 0, 0, 108, 0, 0, |
554 | 0, 93, 94, 0, 92, 0, 87, 79, 0, 0, |
555 | 0, 125, 0, 88, 90, 89, 91, 86, 0, 0, |
556 | 135, 123, 124, 0, 0, 36, 0, 0, 127, 126, |
557 | 132, 136, 0, 0, 0, 0, 37, 38, 39, 145, |
558 | 33, 0, 0, 0, 0, 141, 142, 143, 140, |
559 | }; |
560 | const short yydgoto[] = |
561 | { 1, |
562 | 62, 66, 81, 93, 89, 98, 99, 116, 129, 74, |
563 | 91, 111, 120, 106, 121, 147, 156, 162, 211, 56, |
564 | 57, 69, 76, 84, 183, 192, 123, 135, 167, 201, |
565 | 79, 159, 26, 206, 196, 197, 198, 175, 17, 18, |
566 | 19, 20, 21, 22, 52, 102, 176, 163, 177, 138, |
567 | 124, 139, 151, 149, 136, 150, 160, 215, 212, 216, |
568 | 23, |
569 | }; |
570 | const short yysindex[] = |
571 | { 0, |
572 | 184, 25, 0, 0, -290, -282, 0, 0, 0, 0, |
573 | 0, 0, 399, -276, 24, 0, 70, 81, 86, 92, |
574 | 98, 0, 0, 0, 0, -262, -206, 0, 0, 0, |
575 | 0, -192, 0, 0, 0, 0, -214, 0, 0, 0, |
576 | 0, 0, 0, 0, 0, -188, 0, 0, 0, 0, |
577 | 0, 116, 0, 0, 0, -235, -260, 0, -189, 0, |
578 | 0, -172, 0, 0, 0, -229, 0, 0, -165, -253, |
579 | 0, 0, 0, -117, 0, -201, 0, 0, -158, -121, |
580 | -144, 0, 0, 0, -253, 0, 0, -231, 0, -160, |
581 | -195, 0, -37, 0, 0, -239, -239, 0, -43, 0, |
582 | 0, -231, 0, 0, 127, -93, 136, -93, -269, -269, |
583 | 0, -195, 0, -152, -223, -87, -150, -77, 0, -103, |
584 | 0, -75, 0, -88, 0, 0, 0, 0, 0, -239, |
585 | 147, -239, -269, -269, -153, -86, 0, -88, 0, -93, |
586 | 0, -93, 0, 0, -136, -136, -115, 0, -86, 0, |
587 | 0, 0, 0, 0, 0, -69, 0, -253, -102, 0, |
588 | 0, 0, -213, -136, 0, -253, -257, 0, -131, -129, |
589 | -127, 0, 0, -126, 0, -213, 0, 0, -113, -261, |
590 | -123, 0, -275, 0, 0, 0, 0, 0, -194, -122, |
591 | 0, 0, 0, -119, -116, 0, -111, -275, 0, 0, |
592 | 0, 0, -150, -269, -114, 0, 0, 0, 0, 0, |
593 | 0, -133, -110, -109, -133, 0, 0, 0, 0,}; |
594 | const short yyrindex[] = |
595 | { 0, |
596 | 0, 0, 0, 0, -175, 0, 0, 0, 0, 0, |
597 | 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, |
598 | 0, 0, 0, 0, 0, -140, 0, 0, 0, 0, |
599 | 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, |
600 | 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, |
601 | 0, 0, 0, 0, 0, -142, -112, 0, 201, 0, |
602 | 0, 202, 0, 0, 0, -243, 0, 0, -203, 0, |
603 | 0, 0, 0, -246, 0, -99, 0, 0, 206, 0, |
604 | -186, 0, 0, 0, 0, 0, 0, 0, 0, 0, |
605 | 0, 0, -176, 0, 0, 0, 0, 0, 171, 0, |
606 | 0, 0, 0, 0, -10, -42, 19, -36, 0, 0, |
607 | 220, 0, 0, 0, 0, 0, 0, 0, 0, 240, |
608 | 0, 288, 353, 0, 0, 0, 0, 0, 0, 0, |
609 | 0, 0, 0, 0, 251, 0, 0, 357, 0, 104, |
610 | 0, 104, 0, 0, 0, 0, 23, 0, 93, 0, |
611 | 56, 0, 0, 0, 0, 343, 0, 0, 406, 141, |
612 | 0, 0, 0, 0, 0, 0, 27, 0, 0, 0, |
613 | 0, 0, 0, 0, 0, 320, 0, 0, 416, 0, |
614 | 0, 0, 115, 0, 0, 0, 0, 0, 0, 0, |
615 | 0, 0, 0, 0, 0, 0, -1, 117, 0, 0, |
616 | 0, 0, 0, 0, 0, 6, 0, 0, 0, 0, |
617 | 0, 0, 0, 0, 213, 0, 0, 0, 0,}; |
618 | const short yygindex[] = |
619 | { 0, |
620 | 0, 0, 0, 0, -66, 112, 0, -91, 0, 0, |
621 | 0, 0, -107, -82, -92, 0, -118, 65, 0, 0, |
622 | 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, |
623 | -79, 0, 0, 0, 28, 0, 0, 0, 0, 0, |
624 | 0, 0, 0, 0, 0, 128, 0, 0, 52, 0, |
625 | 0, 91, 0, 0, 0, 82, 0, 0, 0, 17, |
626 | 0, |
627 | }; |
628 | #define YYTABLESIZE745 745 |
629 | const short yytable[] = |
630 | { 72, |
631 | 100, 88, 122, 107, 107, 92, 100, 190, 144, 180, |
632 | 48, 119, 194, 45, 108, 139, 118, 48, 67, 68, |
633 | 45, 94, 64, 65, 131, 143, 144, 157, 74, 72, |
634 | 72, 181, 133, 72, 24, 113, 122, 107, 25, 107, |
635 | 45, 103, 53, 54, 55, 178, 27, 140, 153, 142, |
636 | 154, 195, 45, 117, 117, 117, 169, 170, 171, 105, |
637 | 117, 96, 74, 172, 173, 85, 48, 191, 97, 45, |
638 | 55, 182, 174, 72, 73, 77, 78, 55, 165, 47, |
639 | 117, 40, 40, 40, 46, 104, 179, 101, 40, 105, |
640 | 48, 117, 117, 82, 83, 49, 209, 86, 87, 117, |
641 | 117, 50, 103, 40, 40, 127, 128, 51, 40, 117, |
642 | 208, 145, 146, 61, 42, 60, 110, 110, 110, 40, |
643 | 40, 42, 58, 110, 34, 63, 35, 40, 40, 40, |
644 | 40, 40, 40, 70, 199, 200, 59, 40, 110, 110, |
645 | 61, 42, 75, 110, 114, 114, 114, 61, 213, 214, |
646 | 85, 114, 11, 11, 110, 110, 71, 119, 119, 119, |
647 | 42, 42, 110, 110, 119, 85, 80, 110, 90, 95, |
648 | 42, 114, 110, 114, 115, 117, 130, 126, 105, 132, |
649 | 65, 133, 114, 114, 119, 134, 137, 141, 189, 148, |
650 | 114, 114, 155, 16, 158, 114, 164, 184, 166, 185, |
651 | 114, 186, 187, 119, 119, 193, 202, 86, 87, 203, |
652 | 27, 148, 204, 119, 210, 28, 205, 109, 217, 218, |
653 | 61, 61, 138, 125, 168, 207, 112, 188, 152, 97, |
654 | 161, 219, 0, 0, 0, 0, 0, 0, 0, 0, |
655 | 0, 110, 0, 0, 0, 0, 72, 0, 0, 68, |
656 | 72, 0, 0, 72, 72, 72, 72, 72, 0, 0, |
657 | 78, 0, 0, 0, 72, 72, 0, 0, 0, 0, |
658 | 0, 72, 72, 0, 72, 74, 0, 72, 72, 74, |
659 | 144, 144, 74, 74, 74, 74, 74, 137, 137, 133, |
660 | 72, 0, 0, 74, 74, 0, 0, 69, 0, 72, |
661 | 74, 74, 0, 74, 133, 133, 74, 74, 122, 122, |
662 | 133, 133, 0, 0, 122, 0, 72, 72, 72, 74, |
663 | 85, 85, 85, 133, 0, 83, 83, 83, 74, 84, |
664 | 85, 85, 83, 83, 0, 0, 0, 85, 85, 0, |
665 | 0, 83, 0, 85, 85, 74, 74, 74, 0, 133, |
666 | 133, 133, 80, 122, 122, 0, 85, 103, 103, 103, |
667 | 61, 0, 104, 0, 61, 85, 96, 61, 61, 61, |
668 | 61, 0, 0, 0, 103, 103, 0, 0, 61, 61, |
669 | 103, 103, 85, 85, 85, 61, 61, 0, 61, 0, |
670 | 0, 61, 61, 103, 0, 0, 34, 34, 35, 35, |
671 | 0, 0, 103, 0, 61, 85, 85, 85, 0, 0, |
672 | 83, 83, 83, 61, 0, 130, 85, 83, 83, 103, |
673 | 103, 103, 85, 85, 0, 131, 83, 11, 85, 85, |
674 | 61, 61, 61, 0, 11, 65, 65, 65, 0, 2, |
675 | 3, 85, 34, 0, 35, 65, 65, 4, 0, 0, |
676 | 85, 0, 65, 65, 0, 0, 0, 5, 65, 65, |
677 | 0, 0, 0, 0, 0, 0, 0, 85, 85, 85, |
678 | 0, 65, 0, 6, 7, 8, 9, 10, 11, 12, |
679 | 65, 0, 13, 14, 97, 97, 97, 0, 0, 0, |
680 | 0, 0, 0, 0, 95, 97, 0, 65, 65, 65, |
681 | 0, 97, 97, 0, 68, 68, 68, 97, 97, 0, |
682 | 0, 0, 15, 0, 68, 68, 0, 78, 0, 0, |
683 | 97, 68, 68, 0, 0, 0, 0, 68, 68, 97, |
684 | 0, 0, 78, 78, 0, 0, 0, 0, 78, 78, |
685 | 68, 0, 0, 0, 0, 0, 97, 97, 97, 68, |
686 | 0, 78, 69, 69, 69, 0, 0, 0, 0, 0, |
687 | 78, 0, 69, 69, 0, 0, 68, 68, 68, 69, |
688 | 69, 0, 0, 0, 0, 69, 69, 78, 78, 78, |
689 | 0, 0, 0, 0, 84, 84, 84, 0, 69, 0, |
690 | 0, 0, 0, 0, 84, 84, 0, 69, 0, 0, |
691 | 0, 84, 84, 0, 0, 0, 0, 84, 84, 80, |
692 | 0, 0, 0, 0, 69, 69, 69, 104, 104, 104, |
693 | 84, 96, 96, 96, 80, 80, 0, 0, 102, 84, |
694 | 80, 80, 96, 0, 104, 104, 0, 0, 96, 96, |
695 | 104, 104, 0, 80, 96, 96, 84, 84, 84, 0, |
696 | 0, 0, 80, 104, 0, 0, 0, 96, 0, 0, |
697 | 0, 0, 104, 0, 0, 0, 96, 0, 0, 80, |
698 | 80, 80, 130, 0, 0, 0, 0, 28, 29, 104, |
699 | 104, 104, 131, 96, 96, 96, 0, 130, 130, 0, |
700 | 0, 0, 0, 130, 130, 30, 31, 131, 131, 0, |
701 | 0, 0, 0, 131, 131, 0, 0, 32, 0, 33, |
702 | 34, 0, 35, 36, 37, 38, 39, 40, 41, 42, |
703 | 43, 0, 0, 0, 44, 0, 0, 0, 0, 0, |
704 | 0, 0, 130, 130, 130, 0, 0, 0, 0, 0, |
705 | 0, 0, 131, 131, 131, |
706 | }; |
707 | const short yycheck[] = |
708 | { 10, |
709 | 44, 123, 110, 96, 97, 85, 44, 269, 10, 267, |
710 | 257, 281, 288, 257, 97, 10, 108, 264, 279, 280, |
711 | 264, 88, 258, 259, 117, 133, 134, 146, 10, 40, |
712 | 41, 289, 10, 44, 10, 102, 10, 130, 329, 132, |
713 | 284, 281, 305, 306, 307, 164, 329, 130, 140, 132, |
714 | 142, 327, 329, 257, 258, 259, 270, 271, 272, 329, |
715 | 264, 257, 44, 277, 278, 10, 313, 329, 264, 313, |
716 | 257, 329, 286, 303, 304, 329, 330, 264, 158, 10, |
717 | 284, 257, 258, 259, 61, 325, 166, 125, 264, 329, |
718 | 10, 295, 296, 295, 296, 10, 204, 329, 330, 303, |
719 | 304, 10, 10, 279, 280, 329, 330, 10, 284, 313, |
720 | 203, 265, 266, 10, 257, 330, 257, 258, 259, 295, |
721 | 296, 264, 329, 264, 10, 10, 10, 303, 304, 305, |
722 | 306, 307, 308, 323, 329, 330, 329, 313, 279, 280, |
723 | 329, 284, 308, 284, 257, 258, 259, 44, 282, 283, |
724 | 10, 264, 329, 330, 295, 296, 329, 257, 258, 259, |
725 | 303, 304, 303, 304, 264, 324, 284, 308, 313, 330, |
726 | 313, 284, 313, 47, 268, 40, 264, 330, 329, 257, |
727 | 10, 285, 295, 296, 284, 261, 275, 41, 302, 276, |
728 | 303, 304, 329, 10, 310, 308, 266, 329, 301, 329, |
729 | 313, 329, 329, 303, 304, 329, 329, 329, 330, 329, |
730 | 10, 10, 329, 313, 329, 10, 328, 261, 329, 329, |
731 | 257, 264, 10, 112, 160, 198, 99, 176, 138, 10, |
732 | 149, 215, -1, -1, -1, -1, -1, -1, -1, -1, |
733 | -1, 285, -1, -1, -1, -1, 257, -1, -1, 10, |
734 | 261, -1, -1, 264, 265, 266, 267, 268, -1, -1, |
735 | 10, -1, -1, -1, 275, 276, -1, -1, -1, -1, |
736 | -1, 282, 283, -1, 285, 257, -1, 288, 289, 261, |
737 | 282, 283, 264, 265, 266, 267, 268, 282, 283, 267, |
738 | 301, -1, -1, 275, 276, -1, -1, 10, -1, 310, |
739 | 282, 283, -1, 285, 282, 283, 288, 289, 282, 283, |
740 | 288, 289, -1, -1, 288, -1, 327, 328, 329, 301, |
741 | 265, 266, 267, 301, -1, 270, 271, 272, 310, 10, |
742 | 275, 276, 277, 278, -1, -1, -1, 282, 283, -1, |
743 | -1, 286, -1, 288, 289, 327, 328, 329, -1, 327, |
744 | 328, 329, 10, 327, 328, -1, 301, 265, 266, 267, |
745 | 257, -1, 10, -1, 261, 310, 10, 264, 265, 266, |
746 | 267, -1, -1, -1, 282, 283, -1, -1, 275, 276, |
747 | 288, 289, 327, 328, 329, 282, 283, -1, 285, -1, |
748 | -1, 288, 289, 301, -1, -1, 282, 283, 282, 283, |
749 | -1, -1, 310, -1, 301, 265, 266, 267, -1, -1, |
750 | 270, 271, 272, 310, -1, 10, 276, 277, 278, 327, |
751 | 328, 329, 282, 283, -1, 10, 286, 257, 288, 289, |
752 | 327, 328, 329, -1, 264, 265, 266, 267, -1, 256, |
753 | 257, 301, 328, -1, 328, 275, 276, 264, -1, -1, |
754 | 310, -1, 282, 283, -1, -1, -1, 274, 288, 289, |
755 | -1, -1, -1, -1, -1, -1, -1, 327, 328, 329, |
756 | -1, 301, -1, 290, 291, 292, 293, 294, 295, 296, |
757 | 310, -1, 299, 300, 265, 266, 267, -1, -1, -1, |
758 | -1, -1, -1, -1, 275, 276, -1, 327, 328, 329, |
759 | -1, 282, 283, -1, 265, 266, 267, 288, 289, -1, |
760 | -1, -1, 329, -1, 275, 276, -1, 267, -1, -1, |
761 | 301, 282, 283, -1, -1, -1, -1, 288, 289, 310, |
762 | -1, -1, 282, 283, -1, -1, -1, -1, 288, 289, |
763 | 301, -1, -1, -1, -1, -1, 327, 328, 329, 310, |
764 | -1, 301, 265, 266, 267, -1, -1, -1, -1, -1, |
765 | 310, -1, 275, 276, -1, -1, 327, 328, 329, 282, |
766 | 283, -1, -1, -1, -1, 288, 289, 327, 328, 329, |
767 | -1, -1, -1, -1, 265, 266, 267, -1, 301, -1, |
768 | -1, -1, -1, -1, 275, 276, -1, 310, -1, -1, |
769 | -1, 282, 283, -1, -1, -1, -1, 288, 289, 267, |
770 | -1, -1, -1, -1, 327, 328, 329, 265, 266, 267, |
771 | 301, 265, 266, 267, 282, 283, -1, -1, 276, 310, |
772 | 288, 289, 276, -1, 282, 283, -1, -1, 282, 283, |
773 | 288, 289, -1, 301, 288, 289, 327, 328, 329, -1, |
774 | -1, -1, 310, 301, -1, -1, -1, 301, -1, -1, |
775 | -1, -1, 310, -1, -1, -1, 310, -1, -1, 327, |
776 | 328, 329, 267, -1, -1, -1, -1, 279, 280, 327, |
777 | 328, 329, 267, 327, 328, 329, -1, 282, 283, -1, |
778 | -1, -1, -1, 288, 289, 297, 298, 282, 283, -1, |
779 | -1, -1, -1, 288, 289, -1, -1, 309, -1, 311, |
780 | 312, -1, 314, 315, 316, 317, 318, 319, 320, 321, |
781 | 322, -1, -1, -1, 326, -1, -1, -1, -1, -1, |
782 | -1, -1, 327, 328, 329, -1, -1, -1, -1, -1, |
783 | -1, -1, 327, 328, 329, |
784 | }; |
785 | #define YYFINAL1 1 |
786 | #ifndef YYDEBUG0 |
787 | #define YYDEBUG0 0 |
788 | #endif |
789 | #define YYMAXTOKEN330 330 |
790 | #if YYDEBUG0 |
791 | const char * const yyname[] = |
792 | { |
793 | "end-of-file",0,0,0,0,0,0,0,0,0,"'\\n'",0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0, |
794 | 0,0,0,0,0,0,0,0,0,"'('","')'",0,0,"','",0,0,"'/'",0,0,0,0,0,0,0,0,0,0,0,0,0, |
795 | "'='",0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0, |
796 | 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,"'{'",0,"'}'",0,0,0,0,0,0,0,0,0, |
797 | 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0, |
798 | 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0, |
799 | 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0, |
800 | 0,0,"FROM","ESP","AH","IN","PEER","ON","OUT","TO","SRCID","DSTID","PSK","PORT", |
801 | "FILENAME","AUTHXF","PRFXF","ENCXF","ERROR","IKEV2","IKESA","CHILDSA","ESN", |
802 | "NOESN","PASSIVE","ACTIVE","ANY","TAG","TAP","PROTO","LOCAL","GROUP","NAME", |
803 | "CONFIG","EAP","USER","IKEV1","FLOW","SA","TCPMD5","TUNNEL","TRANSPORT", |
804 | "COUPLE","DECOUPLE","SET","INCLUDE","LIFETIME","BYTES","INET","INET6","QUICK", |
805 | "SKIP","DEFAULT","IPCOMP","OCSP","IKELIFETIME","MOBIKE","NOMOBIKE","RDOMAIN", |
806 | "FRAGMENTATION","NOFRAGMENTATION","DPD_CHECK_INTERVAL","ENFORCESINGLEIKESA", |
807 | "NOENFORCESINGLEIKESA","STICKYADDRESS","NOSTICKYADDRESS","VENDORID", |
808 | "NOVENDORID","TOLERATE","MAXAGE","DYNAMIC","CERTPARTIALCHAIN","REQUEST","IFACE", |
809 | "STRING","NUMBER", |
810 | }; |
811 | const char * const yyrule[] = |
812 | {"$accept : grammar", |
813 | "grammar :", |
814 | "grammar : grammar include '\\n'", |
815 | "grammar : grammar '\\n'", |
816 | "grammar : grammar set '\\n'", |
817 | "grammar : grammar user '\\n'", |
818 | "grammar : grammar ikev2rule '\\n'", |
819 | "grammar : grammar varset '\\n'", |
820 | "grammar : grammar otherrule skipline '\\n'", |
821 | "grammar : grammar error '\\n'", |
822 | "comma : ','", |
823 | "comma :", |
824 | "include : INCLUDE STRING", |
825 | "set : SET ACTIVE", |
826 | "set : SET PASSIVE", |
827 | "set : SET COUPLE", |
828 | "set : SET DECOUPLE", |
829 | "set : SET FRAGMENTATION", |
830 | "set : SET NOFRAGMENTATION", |
831 | "set : SET MOBIKE", |
832 | "set : SET NOMOBIKE", |
833 | "set : SET VENDORID", |
834 | "set : SET NOVENDORID", |
835 | "set : SET ENFORCESINGLEIKESA", |
836 | "set : SET NOENFORCESINGLEIKESA", |
837 | "set : SET STICKYADDRESS", |
838 | "set : SET NOSTICKYADDRESS", |
839 | "set : SET OCSP STRING", |
840 | "set : SET OCSP STRING TOLERATE time_spec", |
841 | "set : SET OCSP STRING TOLERATE time_spec MAXAGE time_spec", |
842 | "set : SET CERTPARTIALCHAIN", |
843 | "set : SET DPD_CHECK_INTERVAL NUMBER", |
844 | "user : USER STRING STRING", |
845 | "ikev2rule : IKEV2 name ikeflags satype af proto rdomain hosts_list peers ike_sas child_sas ids ikelifetime lifetime ikeauth ikecfg iface filters", |
846 | "ikecfg :", |
847 | "ikecfg : ikecfgvals", |
848 | "ikecfgvals : cfg", |
849 | "ikecfgvals : ikecfgvals cfg", |
850 | "cfg : CONFIG STRING host_spec", |
851 | "cfg : REQUEST STRING anyhost", |
852 | "name :", |
853 | "name : STRING", |
854 | "satype :", |
855 | "satype : ESP", |
856 | "satype : AH", |
857 | "af :", |
858 | "af : INET", |
859 | "af : INET6", |
860 | "proto :", |
861 | "proto : PROTO protoval", |
862 | "proto : PROTO '{' proto_list '}'", |
863 | "proto_list : protoval", |
864 | "proto_list : proto_list comma protoval", |
865 | "protoval : STRING", |
866 | "protoval : NUMBER", |
867 | "rdomain :", |
868 | "rdomain : RDOMAIN NUMBER", |
869 | "hosts_list : hosts", |
870 | "hosts_list : hosts_list comma hosts", |
871 | "hosts : FROM host port TO host port", |
872 | "hosts : TO host port FROM host port", |
873 | "port :", |
874 | "port : PORT portval", |
875 | "portval : STRING", |
876 | "portval : NUMBER", |
877 | "peers :", |
878 | "peers : PEER anyhost LOCAL anyhost", |
879 | "peers : LOCAL anyhost PEER anyhost", |
880 | "peers : PEER anyhost", |
881 | "peers : LOCAL anyhost", |
882 | "anyhost : host_spec", |
883 | "anyhost : ANY", |
884 | "host_spec : STRING", |
885 | "host_spec : STRING '/' NUMBER", |
886 | "host : host_spec", |
887 | "host : host_spec '(' host_spec ')'", |
888 | "host : ANY", |
889 | "host : DYNAMIC", |
890 | "ids :", |
891 | "ids : SRCID id DSTID id", |
892 | "ids : SRCID id", |
893 | "ids : DSTID id", |
894 | "id : STRING", |
895 | "$$1 :", |
896 | "transforms : $$1 transforms_l", |
897 | "transforms :", |
898 | "transforms_l : transforms_l transform", |
899 | "transforms_l : transform", |
900 | "transform : AUTHXF STRING", |
901 | "transform : ENCXF STRING", |
902 | "transform : PRFXF STRING", |
903 | "transform : GROUP STRING", |
904 | "transform : transform_esn", |
905 | "transform_esn : ESN", |
906 | "transform_esn : NOESN", |
907 | "$$2 :", |
908 | "ike_sas : $$2 ike_sas_l", |
909 | "ike_sas :", |
910 | "ike_sas_l : ike_sas_l ike_sa", |
911 | "ike_sas_l : ike_sa", |
912 | "$$3 :", |
913 | "ike_sa : IKESA $$3 transforms", |
914 | "$$4 :", |
915 | "child_sas : $$4 child_sas_l", |
916 | "child_sas :", |
917 | "child_sas_l : child_sas_l child_sa", |
918 | "child_sas_l : child_sa", |
919 | "$$5 :", |
920 | "child_sa : CHILDSA $$5 transforms", |
921 | "ikeflags : ikematch ikemode ipcomp tmode", |
922 | "ikematch :", |
923 | "ikematch : QUICK", |
924 | "ikematch : SKIP", |
925 | "ikematch : DEFAULT", |
926 | "ikemode :", |
927 | "ikemode : PASSIVE", |
928 | "ikemode : ACTIVE", |
929 | "ipcomp :", |
930 | "ipcomp : IPCOMP", |
931 | "tmode :", |
932 | "tmode : TUNNEL", |
933 | "tmode : TRANSPORT", |
934 | "ikeauth :", |
935 | "ikeauth : PSK keyspec", |
936 | "ikeauth : EAP STRING", |
937 | "ikeauth : STRING", |
938 | "byte_spec : NUMBER", |
939 | "byte_spec : STRING", |
940 | "time_spec : NUMBER", |
941 | "time_spec : STRING", |
942 | "lifetime :", |
943 | "lifetime : LIFETIME time_spec", |
944 | "lifetime : LIFETIME time_spec BYTES byte_spec", |
945 | "ikelifetime :", |
946 | "ikelifetime : IKELIFETIME time_spec", |
947 | "keyspec : STRING", |
948 | "keyspec : FILENAME STRING", |
949 | "$$6 :", |
950 | "filters : $$6 filters_l", |
951 | "filters :", |
952 | "filters_l : filters_l filter", |
953 | "filters_l : filter", |
954 | "filter : TAG STRING", |
955 | "filter : TAP STRING", |
956 | "iface :", |
957 | "iface : IFACE STRING", |
958 | "string : string STRING", |
959 | "string : STRING", |
960 | "varset : STRING '=' string", |
961 | "otherrule : IKEV1", |
962 | "otherrule : sarule", |
963 | "otherrule : FLOW", |
964 | "otherrule : TCPMD5", |
965 | "sarule : SA", |
966 | "sarule : FROM", |
967 | "sarule : TO", |
968 | "sarule : TUNNEL", |
969 | "sarule : TRANSPORT", |
970 | "skipline :", |
971 | }; |
972 | #endif |
973 | #ifdef YYSTACKSIZE10000 |
974 | #undef YYMAXDEPTH10000 |
975 | #define YYMAXDEPTH10000 YYSTACKSIZE10000 |
976 | #else |
977 | #ifdef YYMAXDEPTH10000 |
978 | #define YYSTACKSIZE10000 YYMAXDEPTH10000 |
979 | #else |
980 | #define YYSTACKSIZE10000 10000 |
981 | #define YYMAXDEPTH10000 10000 |
982 | #endif |
983 | #endif |
984 | #define YYINITSTACKSIZE200 200 |
985 | /* LINTUSED */ |
986 | int yydebug; |
987 | int yynerrs; |
988 | int yyerrflag; |
989 | int yychar; |
990 | short *yyssp; |
991 | YYSTYPE *yyvsp; |
992 | YYSTYPE yyval; |
993 | YYSTYPE yylval; |
994 | short *yyss; |
995 | short *yysslim; |
996 | YYSTYPE *yyvs; |
997 | unsigned int yystacksize; |
998 | int yyparse(void); |
999 | #line 1297 "/usr/src/sbin/iked/parse.y" |
1000 | |
1001 | struct keywords { |
1002 | const char *k_name; |
1003 | int k_val; |
1004 | }; |
1005 | |
1006 | void |
1007 | copy_sockaddrtoipa(struct ipsec_addr_wrap *ipa, struct sockaddr *sa) |
1008 | { |
1009 | if (sa->sa_family == AF_INET624) |
1010 | memcpy(&ipa->address, sa, sizeof(struct sockaddr_in6)); |
1011 | else if (sa->sa_family == AF_INET2) |
1012 | memcpy(&ipa->address, sa, sizeof(struct sockaddr_in)); |
1013 | else |
1014 | warnx("unhandled af %d", sa->sa_family); |
1015 | } |
1016 | |
1017 | int |
1018 | yyerror(const char *fmt, ...) |
1019 | { |
1020 | va_list ap; |
1021 | |
1022 | file->errors++; |
1023 | va_start(ap, fmt)__builtin_va_start((ap), fmt); |
1024 | fprintf(stderr(&__sF[2]), "%s: %d: ", file->name, yylval.lineno); |
1025 | vfprintf(stderr(&__sF[2]), fmt, ap); |
1026 | fprintf(stderr(&__sF[2]), "\n"); |
1027 | va_end(ap)__builtin_va_end((ap)); |
1028 | return (0); |
1029 | } |
1030 | |
1031 | int |
1032 | kw_cmp(const void *k, const void *e) |
1033 | { |
1034 | return (strcmp(k, ((const struct keywords *)e)->k_name)); |
1035 | } |
1036 | |
1037 | int |
1038 | lookup(char *s) |
1039 | { |
1040 | /* this has to be sorted always */ |
1041 | static const struct keywords keywords[] = { |
1042 | { "active", ACTIVE280 }, |
1043 | { "ah", AH259 }, |
1044 | { "any", ANY281 }, |
1045 | { "auth", AUTHXF270 }, |
1046 | { "bytes", BYTES302 }, |
1047 | { "cert_partial_chain", CERTPARTIALCHAIN326 }, |
1048 | { "childsa", CHILDSA276 }, |
1049 | { "config", CONFIG288 }, |
1050 | { "couple", COUPLE297 }, |
1051 | { "decouple", DECOUPLE298 }, |
1052 | { "default", DEFAULT307 }, |
1053 | { "dpd_check_interval", DPD_CHECK_INTERVAL316 }, |
1054 | { "dstid", DSTID266 }, |
1055 | { "dynamic", DYNAMIC325 }, |
1056 | { "eap", EAP289 }, |
1057 | { "enc", ENCXF272 }, |
1058 | { "enforcesingleikesa", ENFORCESINGLEIKESA317 }, |
1059 | { "esn", ESN277 }, |
1060 | { "esp", ESP258 }, |
1061 | { "file", FILENAME269 }, |
1062 | { "flow", FLOW292 }, |
1063 | { "fragmentation", FRAGMENTATION314 }, |
1064 | { "from", FROM257 }, |
1065 | { "group", GROUP286 }, |
1066 | { "iface", IFACE328 }, |
1067 | { "ike", IKEV1291 }, |
1068 | { "ikelifetime", IKELIFETIME310 }, |
1069 | { "ikesa", IKESA275 }, |
1070 | { "ikev2", IKEV2274 }, |
1071 | { "include", INCLUDE300 }, |
1072 | { "inet", INET303 }, |
1073 | { "inet6", INET6304 }, |
1074 | { "ipcomp", IPCOMP308 }, |
1075 | { "lifetime", LIFETIME301 }, |
1076 | { "local", LOCAL285 }, |
1077 | { "maxage", MAXAGE324 }, |
1078 | { "mobike", MOBIKE311 }, |
1079 | { "name", NAME287 }, |
1080 | { "noenforcesingleikesa", NOENFORCESINGLEIKESA318 }, |
1081 | { "noesn", NOESN278 }, |
1082 | { "nofragmentation", NOFRAGMENTATION315 }, |
1083 | { "nomobike", NOMOBIKE312 }, |
1084 | { "nostickyaddress", NOSTICKYADDRESS320 }, |
1085 | { "novendorid", NOVENDORID322 }, |
1086 | { "ocsp", OCSP309 }, |
1087 | { "passive", PASSIVE279 }, |
1088 | { "peer", PEER261 }, |
1089 | { "port", PORT268 }, |
1090 | { "prf", PRFXF271 }, |
1091 | { "proto", PROTO284 }, |
1092 | { "psk", PSK267 }, |
1093 | { "quick", QUICK305 }, |
1094 | { "rdomain", RDOMAIN313 }, |
1095 | { "request", REQUEST327 }, |
1096 | { "sa", SA293 }, |
1097 | { "set", SET299 }, |
1098 | { "skip", SKIP306 }, |
1099 | { "srcid", SRCID265 }, |
1100 | { "stickyaddress", STICKYADDRESS319 }, |
1101 | { "tag", TAG282 }, |
1102 | { "tap", TAP283 }, |
1103 | { "tcpmd5", TCPMD5294 }, |
1104 | { "to", TO264 }, |
1105 | { "tolerate", TOLERATE323 }, |
1106 | { "transport", TRANSPORT296 }, |
1107 | { "tunnel", TUNNEL295 }, |
1108 | { "user", USER290 }, |
1109 | { "vendorid", VENDORID321 } |
1110 | }; |
1111 | const struct keywords *p; |
1112 | |
1113 | p = bsearch(s, keywords, sizeof(keywords)/sizeof(keywords[0]), |
1114 | sizeof(keywords[0]), kw_cmp); |
1115 | |
1116 | if (p) { |
1117 | if (debug > 1) |
1118 | fprintf(stderr(&__sF[2]), "%s: %d\n", s, p->k_val); |
1119 | return (p->k_val); |
1120 | } else { |
1121 | if (debug > 1) |
1122 | fprintf(stderr(&__sF[2]), "string: %s\n", s); |
1123 | return (STRING329); |
1124 | } |
1125 | } |
1126 | |
1127 | #define START_EXPAND1 1 |
1128 | #define DONE_EXPAND2 2 |
1129 | |
1130 | static int expanding; |
1131 | |
1132 | int |
1133 | igetc(void) |
1134 | { |
1135 | int c; |
1136 | |
1137 | while (1) { |
1138 | if (file->ungetpos > 0) |
1139 | c = file->ungetbuf[--file->ungetpos]; |
1140 | else |
1141 | c = getc(file->stream)(!__isthreaded ? (--(file->stream)->_r < 0 ? __srget (file->stream) : (int)(*(file->stream)->_p++)) : (getc )(file->stream)); |
1142 | |
1143 | if (c == START_EXPAND1) |
1144 | expanding = 1; |
1145 | else if (c == DONE_EXPAND2) |
1146 | expanding = 0; |
1147 | else |
1148 | break; |
1149 | } |
1150 | return (c); |
1151 | } |
1152 | |
1153 | int |
1154 | lgetc(int quotec) |
1155 | { |
1156 | int c, next; |
1157 | |
1158 | if (quotec) { |
1159 | if ((c = igetc()) == EOF(-1)) { |
1160 | yyerror("reached end of file while parsing " |
1161 | "quoted string"); |
1162 | if (file == topfile || popfile() == EOF(-1)) |
1163 | return (EOF(-1)); |
1164 | return (quotec); |
1165 | } |
1166 | return (c); |
1167 | } |
1168 | |
1169 | while ((c = igetc()) == '\\') { |
1170 | next = igetc(); |
1171 | if (next != '\n') { |
1172 | c = next; |
1173 | break; |
1174 | } |
1175 | yylval.lineno = file->lineno; |
1176 | file->lineno++; |
1177 | } |
1178 | |
1179 | while (c == EOF(-1)) { |
1180 | /* |
1181 | * Fake EOL when hit EOF for the first time. This gets line |
1182 | * count right if last line in included file is syntactically |
1183 | * invalid and has no newline. |
1184 | */ |
1185 | if (file->eof_reached == 0) { |
1186 | file->eof_reached = 1; |
1187 | return ('\n'); |
1188 | } |
1189 | while (c == EOF(-1)) { |
1190 | if (file == topfile || popfile() == EOF(-1)) |
1191 | return (EOF(-1)); |
1192 | c = igetc(); |
1193 | } |
1194 | } |
1195 | return (c); |
1196 | } |
1197 | |
1198 | void |
1199 | lungetc(int c) |
1200 | { |
1201 | if (c == EOF(-1)) |
1202 | return; |
1203 | |
1204 | if (file->ungetpos >= file->ungetsize) { |
1205 | void *p = reallocarray(file->ungetbuf, file->ungetsize, 2); |
1206 | if (p == NULL((void *)0)) |
1207 | err(1, "lungetc"); |
1208 | file->ungetbuf = p; |
1209 | file->ungetsize *= 2; |
1210 | } |
1211 | file->ungetbuf[file->ungetpos++] = c; |
1212 | } |
1213 | |
1214 | int |
1215 | findeol(void) |
1216 | { |
1217 | int c; |
1218 | |
1219 | /* skip to either EOF or the first real EOL */ |
1220 | while (1) { |
1221 | c = lgetc(0); |
1222 | if (c == '\n') { |
1223 | file->lineno++; |
1224 | break; |
1225 | } |
1226 | if (c == EOF(-1)) |
1227 | break; |
1228 | } |
1229 | return (ERROR273); |
1230 | } |
1231 | |
1232 | int |
1233 | yylex(void) |
1234 | { |
1235 | char buf[8096]; |
1236 | char *p, *val; |
1237 | int quotec, next, c; |
1238 | int token; |
1239 | |
1240 | top: |
1241 | p = buf; |
1242 | while ((c = lgetc(0)) == ' ' || c == '\t') |
1243 | ; /* nothing */ |
1244 | |
1245 | yylval.lineno = file->lineno; |
1246 | if (c == '#') |
1247 | while ((c = lgetc(0)) != '\n' && c != EOF(-1)) |
1248 | ; /* nothing */ |
1249 | if (c == '$' && !expanding) { |
1250 | while (1) { |
1251 | if ((c = lgetc(0)) == EOF(-1)) |
1252 | return (0); |
1253 | |
1254 | if (p + 1 >= buf + sizeof(buf) - 1) { |
1255 | yyerror("string too long"); |
1256 | return (findeol()); |
1257 | } |
1258 | if (isalnum(c) || c == '_') { |
1259 | *p++ = c; |
1260 | continue; |
1261 | } |
1262 | *p = '\0'; |
1263 | lungetc(c); |
1264 | break; |
1265 | } |
1266 | val = symget(buf); |
1267 | if (val == NULL((void *)0)) { |
1268 | yyerror("macro '%s' not defined", buf); |
1269 | return (findeol()); |
1270 | } |
1271 | p = val + strlen(val) - 1; |
1272 | lungetc(DONE_EXPAND2); |
1273 | while (p >= val) { |
1274 | lungetc((unsigned char)*p); |
1275 | p--; |
1276 | } |
1277 | lungetc(START_EXPAND1); |
1278 | goto top; |
1279 | } |
1280 | |
1281 | switch (c) { |
1282 | case '\'': |
1283 | case '"': |
1284 | quotec = c; |
1285 | while (1) { |
1286 | if ((c = lgetc(quotec)) == EOF(-1)) |
1287 | return (0); |
1288 | if (c == '\n') { |
1289 | file->lineno++; |
1290 | continue; |
1291 | } else if (c == '\\') { |
1292 | if ((next = lgetc(quotec)) == EOF(-1)) |
1293 | return (0); |
1294 | if (next == quotec || next == ' ' || |
1295 | next == '\t') |
1296 | c = next; |
1297 | else if (next == '\n') { |
1298 | file->lineno++; |
1299 | continue; |
1300 | } else |
1301 | lungetc(next); |
1302 | } else if (c == quotec) { |
1303 | *p = '\0'; |
1304 | break; |
1305 | } else if (c == '\0') { |
1306 | yyerror("syntax error"); |
1307 | return (findeol()); |
1308 | } |
1309 | if (p + 1 >= buf + sizeof(buf) - 1) { |
1310 | yyerror("string too long"); |
1311 | return (findeol()); |
1312 | } |
1313 | *p++ = c; |
1314 | } |
1315 | yylval.v.string = strdup(buf); |
1316 | if (yylval.v.string == NULL((void *)0)) |
1317 | err(1, "%s", __func__); |
1318 | return (STRING329); |
1319 | } |
1320 | |
1321 | #define allowed_to_end_number(x)(isspace(x) || x == ')' || x ==',' || x == '/' || x == '}' || x == '=') \ |
1322 | (isspace(x) || x == ')' || x ==',' || x == '/' || x == '}' || x == '=') |
1323 | |
1324 | if (c == '-' || isdigit(c)) { |
1325 | do { |
1326 | *p++ = c; |
1327 | if ((size_t)(p-buf) >= sizeof(buf)) { |
1328 | yyerror("string too long"); |
1329 | return (findeol()); |
1330 | } |
1331 | } while ((c = lgetc(0)) != EOF(-1) && isdigit(c)); |
1332 | lungetc(c); |
1333 | if (p == buf + 1 && buf[0] == '-') |
1334 | goto nodigits; |
1335 | if (c == EOF(-1) || allowed_to_end_number(c)(isspace(c) || c == ')' || c ==',' || c == '/' || c == '}' || c == '=')) { |
1336 | const char *errstr = NULL((void *)0); |
1337 | |
1338 | *p = '\0'; |
1339 | yylval.v.number = strtonum(buf, LLONG_MIN(-0x7fffffffffffffffLL-1), |
1340 | LLONG_MAX0x7fffffffffffffffLL, &errstr); |
1341 | if (errstr) { |
1342 | yyerror("\"%s\" invalid number: %s", |
1343 | buf, errstr); |
1344 | return (findeol()); |
1345 | } |
1346 | return (NUMBER330); |
1347 | } else { |
1348 | nodigits: |
1349 | while (p > buf + 1) |
1350 | lungetc((unsigned char)*--p); |
1351 | c = (unsigned char)*--p; |
1352 | if (c == '-') |
1353 | return (c); |
1354 | } |
1355 | } |
1356 | |
1357 | #define allowed_in_string(x)(isalnum(x) || (ispunct(x) && x != '(' && x != ')' && x != '{' && x != '}' && x != '<' && x != '>' && x != '!' && x != '=' && x != '/' && x != '#' && x != ',') ) \ |
1358 | (isalnum(x) || (ispunct(x) && x != '(' && x != ')' && \ |
1359 | x != '{' && x != '}' && x != '<' && x != '>' && \ |
1360 | x != '!' && x != '=' && x != '/' && x != '#' && \ |
1361 | x != ',')) |
1362 | |
1363 | if (isalnum(c) || c == ':' || c == '_' || c == '*') { |
1364 | do { |
1365 | *p++ = c; |
1366 | if ((size_t)(p-buf) >= sizeof(buf)) { |
1367 | yyerror("string too long"); |
1368 | return (findeol()); |
1369 | } |
1370 | } while ((c = lgetc(0)) != EOF(-1) && (allowed_in_string(c)(isalnum(c) || (ispunct(c) && c != '(' && c != ')' && c != '{' && c != '}' && c != '<' && c != '>' && c != '!' && c != '=' && c != '/' && c != '#' && c != ',') ))); |
1371 | lungetc(c); |
1372 | *p = '\0'; |
1373 | if ((token = lookup(buf)) == STRING329) |
1374 | if ((yylval.v.string = strdup(buf)) == NULL((void *)0)) |
1375 | err(1, "%s", __func__); |
1376 | return (token); |
1377 | } |
1378 | if (c == '\n') { |
1379 | yylval.lineno = file->lineno; |
1380 | file->lineno++; |
1381 | } |
1382 | if (c == EOF(-1)) |
1383 | return (0); |
1384 | return (c); |
1385 | } |
1386 | |
1387 | int |
1388 | check_file_secrecy(int fd, const char *fname) |
1389 | { |
1390 | struct stat st; |
1391 | |
1392 | if (fstat(fd, &st)) { |
1393 | warn("cannot stat %s", fname); |
1394 | return (-1); |
1395 | } |
1396 | if (st.st_uid != 0 && st.st_uid != getuid()) { |
1397 | warnx("%s: owner not root or current user", fname); |
1398 | return (-1); |
1399 | } |
1400 | if (st.st_mode & (S_IWGRP0000020 | S_IXGRP0000010 | S_IRWXO0000007)) { |
1401 | warnx("%s: group writable or world read/writable", fname); |
1402 | return (-1); |
1403 | } |
1404 | return (0); |
1405 | } |
1406 | |
1407 | struct file * |
1408 | pushfile(const char *name, int secret) |
1409 | { |
1410 | struct file *nfile; |
1411 | |
1412 | if ((nfile = calloc(1, sizeof(struct file))) == NULL((void *)0)) { |
1413 | warn("%s", __func__); |
1414 | return (NULL((void *)0)); |
1415 | } |
1416 | if ((nfile->name = strdup(name)) == NULL((void *)0)) { |
1417 | warn("%s", __func__); |
1418 | free(nfile); |
1419 | return (NULL((void *)0)); |
1420 | } |
1421 | if (TAILQ_FIRST(&files)((&files)->tqh_first) == NULL((void *)0) && strcmp(nfile->name, "-") == 0) { |
1422 | nfile->stream = stdin(&__sF[0]); |
1423 | free(nfile->name); |
1424 | if ((nfile->name = strdup("stdin")) == NULL((void *)0)) { |
1425 | warn("%s", __func__); |
1426 | free(nfile); |
1427 | return (NULL((void *)0)); |
1428 | } |
1429 | } else if ((nfile->stream = fopen(nfile->name, "r")) == NULL((void *)0)) { |
1430 | warn("%s: %s", __func__, nfile->name); |
1431 | free(nfile->name); |
1432 | free(nfile); |
1433 | return (NULL((void *)0)); |
1434 | } else if (secret && |
1435 | check_file_secrecy(fileno(nfile->stream)(!__isthreaded ? ((nfile->stream)->_file) : (fileno)(nfile ->stream)), nfile->name)) { |
1436 | fclose(nfile->stream); |
1437 | free(nfile->name); |
1438 | free(nfile); |
1439 | return (NULL((void *)0)); |
1440 | } |
1441 | nfile->lineno = TAILQ_EMPTY(&files)(((&files)->tqh_first) == ((void *)0)) ? 1 : 0; |
1442 | nfile->ungetsize = 16; |
1443 | nfile->ungetbuf = malloc(nfile->ungetsize); |
1444 | if (nfile->ungetbuf == NULL((void *)0)) { |
1445 | warn("%s", __func__); |
1446 | fclose(nfile->stream); |
1447 | free(nfile->name); |
1448 | free(nfile); |
1449 | return (NULL((void *)0)); |
1450 | } |
1451 | TAILQ_INSERT_TAIL(&files, nfile, entry)do { (nfile)->entry.tqe_next = ((void *)0); (nfile)->entry .tqe_prev = (&files)->tqh_last; *(&files)->tqh_last = (nfile); (&files)->tqh_last = &(nfile)->entry .tqe_next; } while (0); |
1452 | return (nfile); |
1453 | } |
1454 | |
1455 | int |
1456 | popfile(void) |
1457 | { |
1458 | struct file *prev; |
1459 | |
1460 | if ((prev = TAILQ_PREV(file, files, entry)(*(((struct files *)((file)->entry.tqe_prev))->tqh_last ))) != NULL((void *)0)) |
1461 | prev->errors += file->errors; |
1462 | |
1463 | TAILQ_REMOVE(&files, file, entry)do { if (((file)->entry.tqe_next) != ((void *)0)) (file)-> entry.tqe_next->entry.tqe_prev = (file)->entry.tqe_prev ; else (&files)->tqh_last = (file)->entry.tqe_prev; *(file)->entry.tqe_prev = (file)->entry.tqe_next; ; ; } while (0); |
1464 | fclose(file->stream); |
1465 | free(file->name); |
1466 | free(file->ungetbuf); |
1467 | free(file); |
1468 | file = prev; |
1469 | |
1470 | return (file ? 0 : EOF(-1)); |
1471 | } |
1472 | |
1473 | int |
1474 | parse_config(const char *filename, struct iked *x_env) |
1475 | { |
1476 | struct sym *sym; |
1477 | int errors = 0; |
1478 | |
1479 | env = x_env; |
1480 | rules = 0; |
1481 | |
1482 | if ((file = pushfile(filename, 1)) == NULL((void *)0)) |
1483 | return (-1); |
1484 | topfile = file; |
1485 | |
1486 | free(ocsp_url); |
1487 | |
1488 | mobike = 1; |
1489 | enforcesingleikesa = stickyaddress = 0; |
1490 | cert_partial_chain = decouple = passive = 0; |
1491 | ocsp_tolerate = 0; |
1492 | ocsp_url = NULL((void *)0); |
1493 | ocsp_maxage = -1; |
1494 | fragmentation = 0; |
1495 | dpd_interval = IKED_IKE_SA_ALIVE_TIMEOUT60; |
1496 | decouple = passive = 0; |
1497 | ocsp_url = NULL((void *)0); |
1498 | |
1499 | if (env->sc_opts & IKED_OPT_PASSIVE0x00000004) |
1500 | passive = 1; |
1501 | |
1502 | yyparse(); |
1503 | errors = file->errors; |
1504 | popfile(); |
1505 | |
1506 | env->sc_passive = passive ? 1 : 0; |
1507 | env->sc_decoupled = decouple ? 1 : 0; |
1508 | env->sc_mobikesc_static.st_mobike = mobike; |
1509 | env->sc_enforcesingleikesasc_static.st_enforcesingleikesa = enforcesingleikesa; |
1510 | env->sc_stickyaddresssc_static.st_stickyaddress = stickyaddress; |
1511 | env->sc_fragsc_static.st_frag = fragmentation; |
1512 | env->sc_alive_timeoutsc_static.st_alive_timeout = dpd_interval; |
1513 | env->sc_ocsp_url = ocsp_url; |
1514 | env->sc_ocsp_tolerate = ocsp_tolerate; |
1515 | env->sc_ocsp_maxage = ocsp_maxage; |
1516 | env->sc_cert_partial_chain = cert_partial_chain; |
1517 | env->sc_vendoridsc_static.st_vendorid = vendorid; |
1518 | |
1519 | if (!rules) |
1520 | log_warnx("%s: no valid configuration rules found", |
1521 | filename); |
1522 | else |
1523 | log_debug("%s: loaded %d configuration rules", |
1524 | filename, rules); |
1525 | |
1526 | /* Free macros and check which have not been used. */ |
1527 | while ((sym = TAILQ_FIRST(&symhead)((&symhead)->tqh_first))) { |
1528 | if (!sym->used) |
1529 | log_debug("warning: macro '%s' not " |
1530 | "used\n", sym->nam); |
1531 | free(sym->nam); |
1532 | free(sym->val); |
1533 | TAILQ_REMOVE(&symhead, sym, entry)do { if (((sym)->entry.tqe_next) != ((void *)0)) (sym)-> entry.tqe_next->entry.tqe_prev = (sym)->entry.tqe_prev; else (&symhead)->tqh_last = (sym)->entry.tqe_prev; *(sym)->entry.tqe_prev = (sym)->entry.tqe_next; ; ; } while (0); |
1534 | free(sym); |
1535 | } |
1536 | |
1537 | iaw_free(iftab); |
1538 | iftab = NULL((void *)0); |
1539 | |
1540 | return (errors ? -1 : 0); |
1541 | } |
1542 | |
1543 | int |
1544 | symset(const char *nam, const char *val, int persist) |
1545 | { |
1546 | struct sym *sym; |
1547 | |
1548 | TAILQ_FOREACH(sym, &symhead, entry)for((sym) = ((&symhead)->tqh_first); (sym) != ((void * )0); (sym) = ((sym)->entry.tqe_next)) { |
1549 | if (strcmp(nam, sym->nam) == 0) |
1550 | break; |
1551 | } |
1552 | |
1553 | if (sym != NULL((void *)0)) { |
1554 | if (sym->persist == 1) |
1555 | return (0); |
1556 | else { |
1557 | free(sym->nam); |
1558 | free(sym->val); |
1559 | TAILQ_REMOVE(&symhead, sym, entry)do { if (((sym)->entry.tqe_next) != ((void *)0)) (sym)-> entry.tqe_next->entry.tqe_prev = (sym)->entry.tqe_prev; else (&symhead)->tqh_last = (sym)->entry.tqe_prev; *(sym)->entry.tqe_prev = (sym)->entry.tqe_next; ; ; } while (0); |
1560 | free(sym); |
1561 | } |
1562 | } |
1563 | if ((sym = calloc(1, sizeof(*sym))) == NULL((void *)0)) |
1564 | return (-1); |
1565 | |
1566 | sym->nam = strdup(nam); |
1567 | if (sym->nam == NULL((void *)0)) { |
1568 | free(sym); |
1569 | return (-1); |
1570 | } |
1571 | sym->val = strdup(val); |
1572 | if (sym->val == NULL((void *)0)) { |
1573 | free(sym->nam); |
1574 | free(sym); |
1575 | return (-1); |
1576 | } |
1577 | sym->used = 0; |
1578 | sym->persist = persist; |
1579 | TAILQ_INSERT_TAIL(&symhead, sym, entry)do { (sym)->entry.tqe_next = ((void *)0); (sym)->entry. tqe_prev = (&symhead)->tqh_last; *(&symhead)->tqh_last = (sym); (&symhead)->tqh_last = &(sym)->entry. tqe_next; } while (0); |
1580 | return (0); |
1581 | } |
1582 | |
1583 | int |
1584 | cmdline_symset(char *s) |
1585 | { |
1586 | char *sym, *val; |
1587 | int ret; |
1588 | |
1589 | if ((val = strrchr(s, '=')) == NULL((void *)0)) |
1590 | return (-1); |
1591 | |
1592 | sym = strndup(s, val - s); |
1593 | if (sym == NULL((void *)0)) |
1594 | err(1, "%s", __func__); |
1595 | ret = symset(sym, val + 1, 1); |
1596 | free(sym); |
1597 | |
1598 | return (ret); |
1599 | } |
1600 | |
1601 | char * |
1602 | symget(const char *nam) |
1603 | { |
1604 | struct sym *sym; |
1605 | |
1606 | TAILQ_FOREACH(sym, &symhead, entry)for((sym) = ((&symhead)->tqh_first); (sym) != ((void * )0); (sym) = ((sym)->entry.tqe_next)) { |
1607 | if (strcmp(nam, sym->nam) == 0) { |
1608 | sym->used = 1; |
1609 | return (sym->val); |
1610 | } |
1611 | } |
1612 | return (NULL((void *)0)); |
1613 | } |
1614 | |
1615 | uint8_t |
1616 | x2i(unsigned char *s) |
1617 | { |
1618 | char ss[3]; |
1619 | |
1620 | ss[0] = s[0]; |
1621 | ss[1] = s[1]; |
1622 | ss[2] = 0; |
1623 | |
1624 | if (!isxdigit(s[0]) || !isxdigit(s[1])) { |
1625 | yyerror("keys need to be specified in hex digits"); |
1626 | return (-1); |
1627 | } |
1628 | return ((uint8_t)strtoul(ss, NULL((void *)0), 16)); |
1629 | } |
1630 | |
1631 | int |
1632 | parsekey(unsigned char *hexkey, size_t len, struct iked_auth *auth) |
1633 | { |
1634 | unsigned int i; |
1635 | |
1636 | bzero(auth, sizeof(*auth)); |
1637 | if ((len / 2) > sizeof(auth->auth_data)) |
1638 | return (-1); |
1639 | auth->auth_length = len / 2; |
1640 | |
1641 | for (i = 0; i < auth->auth_length; i++) |
1642 | auth->auth_data[i] = x2i(hexkey + 2 * i); |
1643 | |
1644 | return (0); |
1645 | } |
1646 | |
1647 | int |
1648 | parsekeyfile(char *filename, struct iked_auth *auth) |
1649 | { |
1650 | struct stat sb; |
1651 | int fd, ret; |
1652 | unsigned char *hex; |
1653 | |
1654 | if ((fd = open(filename, O_RDONLY0x0000)) == -1) |
1655 | err(1, "open %s", filename); |
1656 | if (fstat(fd, &sb) == -1) |
1657 | err(1, "parsekeyfile: stat %s", filename); |
1658 | if ((sb.st_size > KEYSIZE_LIMIT1024) || (sb.st_size == 0)) |
1659 | errx(1, "%s: key too %s", filename, sb.st_size ? "large" : |
1660 | "small"); |
1661 | if ((hex = calloc(sb.st_size, sizeof(unsigned char))) == NULL((void *)0)) |
1662 | err(1, "parsekeyfile: calloc"); |
1663 | if (read(fd, hex, sb.st_size) < sb.st_size) |
1664 | err(1, "parsekeyfile: read"); |
1665 | close(fd); |
1666 | ret = parsekey(hex, sb.st_size, auth); |
1667 | free(hex); |
1668 | return (ret); |
1669 | } |
1670 | |
1671 | int |
1672 | get_id_type(char *string) |
1673 | { |
1674 | struct in6_addr ia; |
1675 | |
1676 | if (string == NULL((void *)0)) |
1677 | return (IKEV2_ID_NONE0); |
1678 | |
1679 | if (*string == '/') |
1680 | return (IKEV2_ID_ASN1_DN9); |
1681 | else if (inet_pton(AF_INET2, string, &ia) == 1) |
1682 | return (IKEV2_ID_IPV41); |
1683 | else if (inet_pton(AF_INET624, string, &ia) == 1) |
1684 | return (IKEV2_ID_IPV65); |
1685 | else if (strchr(string, '@')) |
1686 | return (IKEV2_ID_UFQDN3); |
1687 | else |
1688 | return (IKEV2_ID_FQDN2); |
1689 | } |
1690 | |
1691 | struct ipsec_addr_wrap * |
1692 | host(const char *s) |
1693 | { |
1694 | struct ipsec_addr_wrap *ipa = NULL((void *)0); |
1695 | int mask = -1; |
1696 | char *p, *ps; |
1697 | const char *errstr; |
1698 | |
1699 | if ((ps = strdup(s)) == NULL((void *)0)) |
1700 | err(1, "%s: strdup", __func__); |
1701 | |
1702 | if ((p = strchr(ps, '/')) != NULL((void *)0)) { |
1703 | mask = strtonum(p+1, 0, 128, &errstr); |
1704 | if (errstr) { |
1705 | fprintf(stderr(&__sF[2]), "netmask is %s: %s\n", errstr, p); |
1706 | goto error; |
1707 | } |
1708 | p[0] = '\0'; |
1709 | } |
1710 | |
1711 | if ((ipa = host_if(ps, mask)) == NULL((void *)0) && |
1712 | (ipa = host_ip(ps, mask)) == NULL((void *)0) && |
1713 | (ipa = host_dns(ps, mask)) == NULL((void *)0)) |
1714 | fprintf(stderr(&__sF[2]), "no IP address found for %s\n", s); |
1715 | |
1716 | error: |
1717 | free(ps); |
1718 | return (ipa); |
1719 | } |
1720 | |
1721 | struct ipsec_addr_wrap * |
1722 | host_ip(const char *s, int mask) |
1723 | { |
1724 | struct ipsec_addr_wrap *ipa = NULL((void *)0); |
1725 | struct addrinfo hints, *res; |
1726 | char hbuf[NI_MAXHOST256]; |
1727 | |
1728 | bzero(&hints, sizeof(struct addrinfo)); |
1729 | hints.ai_family = AF_UNSPEC0; |
1730 | hints.ai_socktype = SOCK_DGRAM2; /*dummy*/ |
1731 | hints.ai_flags = AI_NUMERICHOST4; |
1732 | if (getaddrinfo(s, NULL((void *)0), &hints, &res)) |
1733 | return (NULL((void *)0)); |
1734 | if (res->ai_next) |
1735 | err(1, "%s: %s expanded to multiple item", __func__, s); |
1736 | |
1737 | ipa = calloc(1, sizeof(struct ipsec_addr_wrap)); |
1738 | if (ipa == NULL((void *)0)) |
1739 | err(1, "%s", __func__); |
1740 | ipa->af = res->ai_family; |
1741 | copy_sockaddrtoipa(ipa, res->ai_addr); |
1742 | ipa->next = NULL((void *)0); |
1743 | ipa->tail = ipa; |
1744 | |
1745 | set_ipmask(ipa, mask); |
1746 | if (getnameinfo(res->ai_addr, res->ai_addrlen, |
1747 | hbuf, sizeof(hbuf), NULL((void *)0), 0, NI_NUMERICHOST1)) { |
1748 | errx(1, "could not get a numeric hostname"); |
1749 | } |
1750 | |
1751 | if (mask > -1) { |
1752 | ipa->netaddress = 1; |
1753 | if (asprintf(&ipa->name, "%s/%d", hbuf, mask) == -1) |
1754 | err(1, "%s", __func__); |
1755 | } else { |
1756 | if ((ipa->name = strdup(hbuf)) == NULL((void *)0)) |
1757 | err(1, "%s", __func__); |
1758 | } |
1759 | |
1760 | freeaddrinfo(res); |
1761 | |
1762 | return (ipa); |
1763 | } |
1764 | |
1765 | struct ipsec_addr_wrap * |
1766 | host_dns(const char *s, int mask) |
1767 | { |
1768 | struct ipsec_addr_wrap *ipa = NULL((void *)0), *head = NULL((void *)0); |
1769 | struct addrinfo hints, *res0, *res; |
1770 | int error; |
1771 | char hbuf[NI_MAXHOST256]; |
1772 | |
1773 | bzero(&hints, sizeof(struct addrinfo)); |
1774 | hints.ai_family = PF_UNSPEC0; |
1775 | hints.ai_socktype = SOCK_STREAM1; |
1776 | hints.ai_flags = AI_ADDRCONFIG64; |
1777 | error = getaddrinfo(s, NULL((void *)0), &hints, &res0); |
1778 | if (error) |
1779 | return (NULL((void *)0)); |
1780 | |
1781 | for (res = res0; res; res = res->ai_next) { |
1782 | if (res->ai_family != AF_INET2 && res->ai_family != AF_INET624) |
1783 | continue; |
1784 | |
1785 | ipa = calloc(1, sizeof(struct ipsec_addr_wrap)); |
1786 | if (ipa == NULL((void *)0)) |
1787 | err(1, "%s", __func__); |
1788 | copy_sockaddrtoipa(ipa, res->ai_addr); |
1789 | error = getnameinfo(res->ai_addr, res->ai_addrlen, hbuf, |
1790 | sizeof(hbuf), NULL((void *)0), 0, NI_NUMERICHOST1); |
1791 | if (error) |
1792 | err(1, "host_dns: getnameinfo"); |
1793 | ipa->name = strdup(hbuf); |
1794 | if (ipa->name == NULL((void *)0)) |
1795 | err(1, "%s", __func__); |
1796 | ipa->af = res->ai_family; |
1797 | ipa->next = NULL((void *)0); |
1798 | ipa->tail = ipa; |
1799 | if (head == NULL((void *)0)) |
1800 | head = ipa; |
1801 | else { |
1802 | head->tail->next = ipa; |
1803 | head->tail = ipa; |
1804 | } |
1805 | |
1806 | /* |
1807 | * XXX for now, no netmask support for IPv6. |
1808 | * but since there's no way to specify address family, once you |
1809 | * have IPv6 address on a host, you cannot use dns/netmask |
1810 | * syntax. |
1811 | */ |
1812 | if (ipa->af == AF_INET2) |
1813 | set_ipmask(ipa, mask == -1 ? 32 : mask); |
1814 | else |
1815 | if (mask != -1) |
1816 | err(1, "host_dns: cannot apply netmask " |
1817 | "on non-IPv4 address"); |
1818 | } |
1819 | freeaddrinfo(res0); |
1820 | |
1821 | return (head); |
1822 | } |
1823 | |
1824 | struct ipsec_addr_wrap * |
1825 | host_if(const char *s, int mask) |
1826 | { |
1827 | struct ipsec_addr_wrap *ipa = NULL((void *)0); |
1828 | |
1829 | if (ifa_exists(s)) |
1830 | ipa = ifa_lookup(s); |
1831 | |
1832 | return (ipa); |
1833 | } |
1834 | |
1835 | struct ipsec_addr_wrap * |
1836 | host_any(void) |
1837 | { |
1838 | struct ipsec_addr_wrap *ipa; |
1839 | |
1840 | ipa = calloc(1, sizeof(struct ipsec_addr_wrap)); |
1841 | if (ipa == NULL((void *)0)) |
1842 | err(1, "%s", __func__); |
1843 | ipa->af = AF_UNSPEC0; |
1844 | ipa->netaddress = 1; |
1845 | ipa->tail = ipa; |
1846 | ipa->type = IPSEC_ADDR_ANY(0x1); |
1847 | return (ipa); |
1848 | } |
1849 | |
1850 | struct ipsec_addr_wrap * |
1851 | host_dynamic(void) |
1852 | { |
1853 | struct ipsec_addr_wrap *ipa; |
1854 | |
1855 | ipa = calloc(1, sizeof(struct ipsec_addr_wrap)); |
1856 | if (ipa == NULL((void *)0)) |
1857 | err(1, "%s", __func__); |
1858 | ipa->af = AF_UNSPEC0; |
1859 | ipa->tail = ipa; |
1860 | ipa->type = IPSEC_ADDR_DYNAMIC(0x2); |
1861 | return (ipa); |
1862 | } |
1863 | |
1864 | void |
1865 | ifa_load(void) |
1866 | { |
1867 | struct ifaddrs *ifap, *ifa; |
1868 | struct ipsec_addr_wrap *n = NULL((void *)0), *h = NULL((void *)0); |
1869 | struct sockaddr_in *sa_in; |
1870 | struct sockaddr_in6 *sa_in6; |
1871 | |
1872 | if (getifaddrs(&ifap) == -1) |
1873 | err(1, "ifa_load: getifaddrs"); |
1874 | |
1875 | for (ifa = ifap; ifa; ifa = ifa->ifa_next) { |
1876 | if (ifa->ifa_addr == NULL((void *)0) || |
1877 | !(ifa->ifa_addr->sa_family == AF_INET2 || |
1878 | ifa->ifa_addr->sa_family == AF_INET624 || |
1879 | ifa->ifa_addr->sa_family == AF_LINK18)) |
1880 | continue; |
1881 | n = calloc(1, sizeof(struct ipsec_addr_wrap)); |
1882 | if (n == NULL((void *)0)) |
1883 | err(1, "%s", __func__); |
1884 | n->af = ifa->ifa_addr->sa_family; |
1885 | if ((n->name = strdup(ifa->ifa_name)) == NULL((void *)0)) |
1886 | err(1, "%s", __func__); |
1887 | if (n->af == AF_INET2) { |
1888 | sa_in = (struct sockaddr_in *)ifa->ifa_addr; |
1889 | memcpy(&n->address, sa_in, sizeof(*sa_in)); |
1890 | sa_in = (struct sockaddr_in *)ifa->ifa_netmask; |
1891 | n->mask = mask2prefixlen((struct sockaddr *)sa_in); |
1892 | } else if (n->af == AF_INET624) { |
1893 | sa_in6 = (struct sockaddr_in6 *)ifa->ifa_addr; |
1894 | memcpy(&n->address, sa_in6, sizeof(*sa_in6)); |
1895 | sa_in6 = (struct sockaddr_in6 *)ifa->ifa_netmask; |
1896 | n->mask = mask2prefixlen6((struct sockaddr *)sa_in6); |
1897 | } |
1898 | n->next = NULL((void *)0); |
1899 | n->tail = n; |
1900 | if (h == NULL((void *)0)) |
1901 | h = n; |
1902 | else { |
1903 | h->tail->next = n; |
1904 | h->tail = n; |
1905 | } |
1906 | } |
1907 | |
1908 | iftab = h; |
1909 | freeifaddrs(ifap); |
1910 | } |
1911 | |
1912 | int |
1913 | ifa_exists(const char *ifa_name) |
1914 | { |
1915 | struct ipsec_addr_wrap *n; |
1916 | struct ifgroupreq ifgr; |
1917 | int s; |
1918 | |
1919 | if (iftab == NULL((void *)0)) |
1920 | ifa_load(); |
1921 | |
1922 | /* check wether this is a group */ |
1923 | if ((s = socket(AF_INET2, SOCK_DGRAM2, 0)) == -1) |
1924 | err(1, "ifa_exists: socket"); |
1925 | bzero(&ifgr, sizeof(ifgr)); |
1926 | strlcpy(ifgr.ifgr_name, ifa_name, sizeof(ifgr.ifgr_name)); |
1927 | if (ioctl(s, SIOCGIFGMEMB(((unsigned long)0x80000000|(unsigned long)0x40000000) | ((sizeof (struct ifgroupreq) & 0x1fff) << 16) | ((('i')) << 8) | ((138))), (caddr_t)&ifgr) == 0) { |
1928 | close(s); |
1929 | return (1); |
1930 | } |
1931 | close(s); |
1932 | |
1933 | for (n = iftab; n; n = n->next) { |
1934 | if (n->af == AF_LINK18 && !strncmp(n->name, ifa_name, |
1935 | IFNAMSIZ16)) |
1936 | return (1); |
1937 | } |
1938 | |
1939 | return (0); |
1940 | } |
1941 | |
1942 | struct ipsec_addr_wrap * |
1943 | ifa_grouplookup(const char *ifa_name) |
1944 | { |
1945 | struct ifg_req *ifg; |
1946 | struct ifgroupreq ifgr; |
1947 | int s; |
1948 | size_t len; |
1949 | struct ipsec_addr_wrap *n, *h = NULL((void *)0), *hn; |
1950 | |
1951 | if ((s = socket(AF_INET2, SOCK_DGRAM2, 0)) == -1) |
1952 | err(1, "socket"); |
1953 | bzero(&ifgr, sizeof(ifgr)); |
1954 | strlcpy(ifgr.ifgr_name, ifa_name, sizeof(ifgr.ifgr_name)); |
1955 | if (ioctl(s, SIOCGIFGMEMB(((unsigned long)0x80000000|(unsigned long)0x40000000) | ((sizeof (struct ifgroupreq) & 0x1fff) << 16) | ((('i')) << 8) | ((138))), (caddr_t)&ifgr) == -1) { |
1956 | close(s); |
1957 | return (NULL((void *)0)); |
1958 | } |
1959 | |
1960 | len = ifgr.ifgr_len; |
1961 | if ((ifgr.ifgr_groupsifgr_ifgru.ifgru_groups = calloc(1, len)) == NULL((void *)0)) |
1962 | err(1, "%s", __func__); |
1963 | if (ioctl(s, SIOCGIFGMEMB(((unsigned long)0x80000000|(unsigned long)0x40000000) | ((sizeof (struct ifgroupreq) & 0x1fff) << 16) | ((('i')) << 8) | ((138))), (caddr_t)&ifgr) == -1) |
1964 | err(1, "ioctl"); |
1965 | |
1966 | for (ifg = ifgr.ifgr_groupsifgr_ifgru.ifgru_groups; ifg && len >= sizeof(struct ifg_req); |
1967 | ifg++) { |
1968 | len -= sizeof(struct ifg_req); |
1969 | if ((n = ifa_lookup(ifg->ifgrq_memberifgrq_ifgrqu.ifgrqu_member)) == NULL((void *)0)) |
1970 | continue; |
1971 | if (h == NULL((void *)0)) |
1972 | h = n; |
1973 | else { |
1974 | for (hn = h; hn->next != NULL((void *)0); hn = hn->next) |
1975 | ; /* nothing */ |
1976 | hn->next = n; |
1977 | n->tail = hn; |
1978 | } |
1979 | } |
1980 | free(ifgr.ifgr_groupsifgr_ifgru.ifgru_groups); |
1981 | close(s); |
1982 | |
1983 | return (h); |
1984 | } |
1985 | |
1986 | struct ipsec_addr_wrap * |
1987 | ifa_lookup(const char *ifa_name) |
1988 | { |
1989 | struct ipsec_addr_wrap *p = NULL((void *)0), *h = NULL((void *)0), *n = NULL((void *)0); |
1990 | struct sockaddr_in6 *in6; |
1991 | uint8_t *s6; |
1992 | |
1993 | if (iftab == NULL((void *)0)) |
1994 | ifa_load(); |
1995 | |
1996 | if ((n = ifa_grouplookup(ifa_name)) != NULL((void *)0)) |
1997 | return (n); |
1998 | |
1999 | for (p = iftab; p; p = p->next) { |
2000 | if (p->af != AF_INET2 && p->af != AF_INET624) |
2001 | continue; |
2002 | if (strncmp(p->name, ifa_name, IFNAMSIZ16)) |
2003 | continue; |
2004 | n = calloc(1, sizeof(struct ipsec_addr_wrap)); |
2005 | if (n == NULL((void *)0)) |
2006 | err(1, "%s", __func__); |
2007 | memcpy(n, p, sizeof(struct ipsec_addr_wrap)); |
2008 | if ((n->name = strdup(p->name)) == NULL((void *)0)) |
2009 | err(1, "%s", __func__); |
2010 | switch (n->af) { |
2011 | case AF_INET2: |
2012 | set_ipmask(n, 32); |
2013 | break; |
2014 | case AF_INET624: |
2015 | in6 = (struct sockaddr_in6 *)&n->address; |
2016 | s6 = (uint8_t *)&in6->sin6_addr.s6_addr__u6_addr.__u6_addr8; |
Value stored to 's6' is never read | |
2017 | |
2018 | /* route/show.c and bgpd/util.c give KAME credit */ |
2019 | if (IN6_IS_ADDR_LINKLOCAL(&in6->sin6_addr)(((&in6->sin6_addr)->__u6_addr.__u6_addr8[0] == 0xfe ) && (((&in6->sin6_addr)->__u6_addr.__u6_addr8 [1] & 0xc0) == 0x80))) { |
2020 | uint16_t tmp16; |
2021 | |
2022 | /* for now we can not handle link local, |
2023 | * therefore bail for now |
2024 | */ |
2025 | free(n->name); |
2026 | free(n); |
2027 | continue; |
2028 | |
2029 | memcpy(&tmp16, &s6[2], sizeof(tmp16)); |
2030 | /* use this when we support link-local |
2031 | * n->??.scopeid = ntohs(tmp16); |
2032 | */ |
2033 | s6[2] = 0; |
2034 | s6[3] = 0; |
2035 | } |
2036 | set_ipmask(n, 128); |
2037 | break; |
2038 | } |
2039 | |
2040 | n->next = NULL((void *)0); |
2041 | n->tail = n; |
2042 | if (h == NULL((void *)0)) |
2043 | h = n; |
2044 | else { |
2045 | h->tail->next = n; |
2046 | h->tail = n; |
2047 | } |
2048 | } |
2049 | |
2050 | return (h); |
2051 | } |
2052 | |
2053 | void |
2054 | set_ipmask(struct ipsec_addr_wrap *address, int b) |
2055 | { |
2056 | if (b == -1) |
2057 | address->mask = address->af == AF_INET2 ? 32 : 128; |
2058 | else |
2059 | address->mask = b; |
2060 | } |
2061 | |
2062 | const struct ipsec_xf * |
2063 | parse_xf(const char *name, unsigned int length, const struct ipsec_xf xfs[]) |
2064 | { |
2065 | int i; |
2066 | |
2067 | for (i = 0; xfs[i].name != NULL((void *)0); i++) { |
2068 | if (strncmp(name, xfs[i].name, strlen(name))) |
2069 | continue; |
2070 | if (length == 0 || length == xfs[i].length) |
2071 | return &xfs[i]; |
2072 | } |
2073 | return (NULL((void *)0)); |
2074 | } |
2075 | |
2076 | int |
2077 | encxf_noauth(unsigned int id) |
2078 | { |
2079 | int i; |
2080 | |
2081 | for (i = 0; ikeencxfs[i].name != NULL((void *)0); i++) |
2082 | if (ikeencxfs[i].id == id) |
2083 | return ikeencxfs[i].noauth; |
2084 | return (0); |
2085 | } |
2086 | |
2087 | size_t |
2088 | keylength_xf(unsigned int saproto, unsigned int type, unsigned int id) |
2089 | { |
2090 | int i; |
2091 | const struct ipsec_xf *xfs; |
2092 | |
2093 | switch (type) { |
2094 | case IKEV2_XFORMTYPE_ENCR1: |
2095 | if (saproto == IKEV2_SAPROTO_IKE1) |
2096 | xfs = ikeencxfs; |
2097 | else |
2098 | xfs = ipsecencxfs; |
2099 | break; |
2100 | case IKEV2_XFORMTYPE_INTEGR3: |
2101 | xfs = authxfs; |
2102 | break; |
2103 | default: |
2104 | return (0); |
2105 | } |
2106 | |
2107 | for (i = 0; xfs[i].name != NULL((void *)0); i++) { |
2108 | if (xfs[i].id == id) |
2109 | return (xfs[i].length * 8); |
2110 | } |
2111 | return (0); |
2112 | } |
2113 | |
2114 | size_t |
2115 | noncelength_xf(unsigned int type, unsigned int id) |
2116 | { |
2117 | const struct ipsec_xf *xfs = ipsecencxfs; |
2118 | int i; |
2119 | |
2120 | if (type != IKEV2_XFORMTYPE_ENCR1) |
2121 | return (0); |
2122 | |
2123 | for (i = 0; xfs[i].name != NULL((void *)0); i++) |
2124 | if (xfs[i].id == id) |
2125 | return (xfs[i].nonce * 8); |
2126 | return (0); |
2127 | } |
2128 | |
2129 | void |
2130 | copy_transforms(unsigned int type, |
2131 | const struct ipsec_xf **xfs, unsigned int nxfs, |
2132 | struct iked_transform **dst, unsigned int *ndst, |
2133 | struct iked_transform *src, size_t nsrc) |
2134 | { |
2135 | unsigned int i; |
2136 | struct iked_transform *a, *b; |
2137 | const struct ipsec_xf *xf; |
2138 | |
2139 | if (nxfs) { |
2140 | for (i = 0; i < nxfs; i++) { |
2141 | xf = xfs[i]; |
2142 | *dst = recallocarray(*dst, *ndst, |
2143 | *ndst + 1, sizeof(struct iked_transform)); |
2144 | if (*dst == NULL((void *)0)) |
2145 | err(1, "%s", __func__); |
2146 | b = *dst + (*ndst)++; |
2147 | |
2148 | b->xform_type = type; |
2149 | b->xform_id = xf->id; |
2150 | b->xform_keylength = xf->length * 8; |
2151 | b->xform_length = xf->keylength * 8; |
2152 | } |
2153 | return; |
2154 | } |
2155 | |
2156 | for (i = 0; i < nsrc; i++) { |
2157 | a = src + i; |
2158 | if (a->xform_type != type) |
2159 | continue; |
2160 | *dst = recallocarray(*dst, *ndst, |
2161 | *ndst + 1, sizeof(struct iked_transform)); |
2162 | if (*dst == NULL((void *)0)) |
2163 | err(1, "%s", __func__); |
2164 | b = *dst + (*ndst)++; |
2165 | memcpy(b, a, sizeof(*b)); |
2166 | } |
2167 | } |
2168 | |
2169 | int |
2170 | create_ike(char *name, int af, struct ipsec_addr_wrap *ipproto, |
2171 | int rdomain, struct ipsec_hosts *hosts, |
2172 | struct ipsec_hosts *peers, struct ipsec_mode *ike_sa, |
2173 | struct ipsec_mode *ipsec_sa, uint8_t saproto, |
2174 | uint8_t flags, char *srcid, char *dstid, |
2175 | uint32_t ikelifetime, struct iked_lifetime *lt, |
2176 | struct iked_auth *authtype, struct ipsec_filters *filter, |
2177 | struct ipsec_addr_wrap *ikecfg, char *iface) |
2178 | { |
2179 | char idstr[IKED_ID_SIZE1024]; |
2180 | struct ipsec_addr_wrap *ipa, *ipb, *ipp; |
2181 | struct iked_auth *ikeauth; |
2182 | struct iked_policy pol; |
2183 | struct iked_proposal *p, *ptmp; |
2184 | struct iked_transform *xf; |
2185 | unsigned int i, j, xfi, noauth, auth; |
2186 | unsigned int ikepropid = 1, ipsecpropid = 1; |
2187 | struct iked_flow *flow, *ftmp; |
2188 | static unsigned int policy_id = 0; |
2189 | struct iked_cfg *cfg; |
2190 | int ret = -1; |
2191 | |
2192 | bzero(&pol, sizeof(pol)); |
2193 | bzero(idstr, sizeof(idstr)); |
2194 | |
2195 | pol.pol_id = ++policy_id; |
2196 | pol.pol_certreqtype = env->sc_certreqtype; |
2197 | pol.pol_af = af; |
2198 | pol.pol_saproto = saproto; |
2199 | for (i = 0, ipp = ipproto; ipp; ipp = ipp->next, i++) { |
2200 | if (i >= IKED_IPPROTO_MAX16) { |
2201 | yyerror("too many protocols"); |
2202 | return (-1); |
2203 | } |
2204 | pol.pol_ipproto[i] = ipp->type; |
2205 | pol.pol_nipproto++; |
2206 | } |
2207 | |
2208 | pol.pol_flags = flags; |
2209 | pol.pol_rdomain = rdomain; |
2210 | memcpy(&pol.pol_auth, authtype, sizeof(struct iked_auth)); |
2211 | explicit_bzero(authtype, sizeof(*authtype)); |
2212 | |
2213 | if (name != NULL((void *)0)) { |
2214 | if (strlcpy(pol.pol_name, name, |
2215 | sizeof(pol.pol_name)) >= sizeof(pol.pol_name)) { |
2216 | yyerror("name too long"); |
2217 | return (-1); |
2218 | } |
2219 | } else { |
2220 | snprintf(pol.pol_name, sizeof(pol.pol_name), |
2221 | "policy%d", policy_id); |
2222 | } |
2223 | |
2224 | if (iface != NULL((void *)0)) { |
2225 | /* sec(4) */ |
2226 | if (strncmp("sec", iface, strlen("sec")) == 0) |
2227 | pol.pol_flags |= IKED_POLICY_ROUTING0x80; |
2228 | |
2229 | pol.pol_iface = if_nametoindex(iface); |
2230 | if (pol.pol_iface == 0) { |
2231 | yyerror("invalid iface"); |
2232 | return (-1); |
2233 | } |
2234 | } |
2235 | |
2236 | if (srcid) { |
2237 | pol.pol_localid.id_type = get_id_type(srcid); |
2238 | pol.pol_localid.id_length = strlen(srcid); |
2239 | if (strlcpy((char *)pol.pol_localid.id_data, |
2240 | srcid, IKED_ID_SIZE1024) >= IKED_ID_SIZE1024) { |
2241 | yyerror("srcid too long"); |
2242 | return (-1); |
2243 | } |
2244 | } |
2245 | if (dstid) { |
2246 | pol.pol_peerid.id_type = get_id_type(dstid); |
2247 | pol.pol_peerid.id_length = strlen(dstid); |
2248 | if (strlcpy((char *)pol.pol_peerid.id_data, |
2249 | dstid, IKED_ID_SIZE1024) >= IKED_ID_SIZE1024) { |
2250 | yyerror("dstid too long"); |
2251 | return (-1); |
2252 | } |
2253 | } |
2254 | |
2255 | if (filter != NULL((void *)0)) { |
2256 | if (filter->tag) |
2257 | strlcpy(pol.pol_tag, filter->tag, sizeof(pol.pol_tag)); |
2258 | pol.pol_tap = filter->tap; |
2259 | } |
2260 | |
2261 | if (peers == NULL((void *)0)) { |
2262 | if (pol.pol_flags & IKED_POLICY_ACTIVE0x02) { |
2263 | yyerror("active mode requires peer specification"); |
2264 | return (-1); |
2265 | } |
2266 | pol.pol_flags |= IKED_POLICY_DEFAULT0x01|IKED_POLICY_SKIP0x10; |
2267 | } |
2268 | |
2269 | if (peers && peers->src && peers->dst && |
2270 | (peers->src->af != AF_UNSPEC0) && (peers->dst->af != AF_UNSPEC0) && |
2271 | (peers->src->af != peers->dst->af)) |
2272 | fatalx("create_ike: peer address family mismatch"); |
2273 | |
2274 | if (peers && (pol.pol_af != AF_UNSPEC0) && |
2275 | ((peers->src && (peers->src->af != AF_UNSPEC0) && |
2276 | (peers->src->af != pol.pol_af)) || |
2277 | (peers->dst && (peers->dst->af != AF_UNSPEC0) && |
2278 | (peers->dst->af != pol.pol_af)))) |
2279 | fatalx("create_ike: policy address family mismatch"); |
2280 | |
2281 | ipa = ipb = NULL((void *)0); |
2282 | if (peers) { |
2283 | if (peers->src) |
2284 | ipa = peers->src; |
2285 | if (peers->dst) |
2286 | ipb = peers->dst; |
2287 | if (ipa == NULL((void *)0) && ipb == NULL((void *)0)) { |
2288 | if (hosts->src && hosts->src->next == NULL((void *)0)) |
2289 | ipa = hosts->src; |
2290 | if (hosts->dst && hosts->dst->next == NULL((void *)0)) |
2291 | ipb = hosts->dst; |
2292 | } |
2293 | } |
2294 | if (ipa == NULL((void *)0) && ipb == NULL((void *)0)) { |
2295 | yyerror("could not get local/peer specification"); |
2296 | return (-1); |
2297 | } |
2298 | if (pol.pol_flags & IKED_POLICY_ACTIVE0x02) { |
2299 | if (ipb == NULL((void *)0) || ipb->netaddress || |
2300 | (ipa != NULL((void *)0) && ipa->netaddress)) { |
2301 | yyerror("active mode requires local/peer address"); |
2302 | return (-1); |
2303 | } |
2304 | } |
2305 | if (ipa) { |
2306 | memcpy(&pol.pol_local.addr, &ipa->address, |
2307 | sizeof(ipa->address)); |
2308 | pol.pol_local.addr_af = ipa->af; |
2309 | pol.pol_local.addr_mask = ipa->mask; |
2310 | pol.pol_local.addr_net = ipa->netaddress; |
2311 | if (pol.pol_af == AF_UNSPEC0) |
2312 | pol.pol_af = ipa->af; |
2313 | } |
2314 | if (ipb) { |
2315 | memcpy(&pol.pol_peer.addr, &ipb->address, |
2316 | sizeof(ipb->address)); |
2317 | pol.pol_peer.addr_af = ipb->af; |
2318 | pol.pol_peer.addr_mask = ipb->mask; |
2319 | pol.pol_peer.addr_net = ipb->netaddress; |
2320 | if (pol.pol_af == AF_UNSPEC0) |
2321 | pol.pol_af = ipb->af; |
2322 | } |
2323 | |
2324 | if (ikelifetime) |
2325 | pol.pol_rekey = ikelifetime; |
2326 | |
2327 | if (lt) |
2328 | pol.pol_lifetime = *lt; |
2329 | else |
2330 | pol.pol_lifetime = deflifetime; |
2331 | |
2332 | TAILQ_INIT(&pol.pol_proposals)do { (&pol.pol_proposals)->tqh_first = ((void *)0); (& pol.pol_proposals)->tqh_last = &(&pol.pol_proposals )->tqh_first; } while (0); |
2333 | RB_INIT(&pol.pol_flows)do { (&pol.pol_flows)->rbh_root = ((void *)0); } while (0); |
2334 | |
2335 | if (ike_sa == NULL((void *)0) || ike_sa->nxfs == 0) { |
2336 | /* AES-GCM proposal */ |
2337 | if ((p = calloc(1, sizeof(*p))) == NULL((void *)0)) |
2338 | err(1, "%s", __func__); |
2339 | p->prop_id = ikepropid++; |
2340 | p->prop_protoid = IKEV2_SAPROTO_IKE1; |
2341 | p->prop_nxforms = ikev2_default_nike_transforms_noauth; |
2342 | p->prop_xforms = ikev2_default_ike_transforms_noauth; |
2343 | TAILQ_INSERT_TAIL(&pol.pol_proposals, p, prop_entry)do { (p)->prop_entry.tqe_next = ((void *)0); (p)->prop_entry .tqe_prev = (&pol.pol_proposals)->tqh_last; *(&pol .pol_proposals)->tqh_last = (p); (&pol.pol_proposals)-> tqh_last = &(p)->prop_entry.tqe_next; } while (0); |
2344 | pol.pol_nproposals++; |
2345 | |
2346 | /* Non GCM proposal */ |
2347 | if ((p = calloc(1, sizeof(*p))) == NULL((void *)0)) |
2348 | err(1, "%s", __func__); |
2349 | p->prop_id = ikepropid++; |
2350 | p->prop_protoid = IKEV2_SAPROTO_IKE1; |
2351 | p->prop_nxforms = ikev2_default_nike_transforms; |
2352 | p->prop_xforms = ikev2_default_ike_transforms; |
2353 | TAILQ_INSERT_TAIL(&pol.pol_proposals, p, prop_entry)do { (p)->prop_entry.tqe_next = ((void *)0); (p)->prop_entry .tqe_prev = (&pol.pol_proposals)->tqh_last; *(&pol .pol_proposals)->tqh_last = (p); (&pol.pol_proposals)-> tqh_last = &(p)->prop_entry.tqe_next; } while (0); |
2354 | pol.pol_nproposals++; |
2355 | } else { |
2356 | for (i = 0; i < ike_sa->nxfs; i++) { |
2357 | noauth = auth = 0; |
2358 | for (j = 0; j < ike_sa->xfs[i]->nencxf; j++) { |
2359 | if (ike_sa->xfs[i]->encxf[j]->noauth) |
2360 | noauth++; |
2361 | else |
2362 | auth++; |
2363 | } |
2364 | for (j = 0; j < ike_sa->xfs[i]->ngroupxf; j++) { |
2365 | if (ike_sa->xfs[i]->groupxf[j]->id |
2366 | == IKEV2_XFORMDH_NONE0) { |
2367 | yyerror("IKE group can not be \"none\"."); |
2368 | goto done; |
2369 | } |
2370 | } |
2371 | if (ike_sa->xfs[i]->nauthxf) |
2372 | auth++; |
2373 | |
2374 | if (ike_sa->xfs[i]->nesnxf) { |
2375 | yyerror("cannot use ESN with ikesa."); |
2376 | goto done; |
2377 | } |
2378 | if (noauth && noauth != ike_sa->xfs[i]->nencxf) { |
2379 | yyerror("cannot mix encryption transforms with " |
2380 | "implicit and non-implicit authentication"); |
2381 | goto done; |
2382 | } |
2383 | if (noauth && ike_sa->xfs[i]->nauthxf) { |
2384 | yyerror("authentication is implicit for given " |
2385 | "encryption transforms"); |
2386 | goto done; |
2387 | } |
2388 | |
2389 | if (!auth) { |
2390 | if ((p = calloc(1, sizeof(*p))) == NULL((void *)0)) |
2391 | err(1, "%s", __func__); |
2392 | |
2393 | xf = NULL((void *)0); |
2394 | xfi = 0; |
2395 | copy_transforms(IKEV2_XFORMTYPE_ENCR1, |
2396 | ike_sa->xfs[i]->encxf, |
2397 | ike_sa->xfs[i]->nencxf, &xf, &xfi, |
2398 | ikev2_default_ike_transforms_noauth, |
2399 | ikev2_default_nike_transforms_noauth); |
2400 | copy_transforms(IKEV2_XFORMTYPE_DH4, |
2401 | ike_sa->xfs[i]->groupxf, |
2402 | ike_sa->xfs[i]->ngroupxf, &xf, &xfi, |
2403 | ikev2_default_ike_transforms_noauth, |
2404 | ikev2_default_nike_transforms_noauth); |
2405 | copy_transforms(IKEV2_XFORMTYPE_PRF2, |
2406 | ike_sa->xfs[i]->prfxf, |
2407 | ike_sa->xfs[i]->nprfxf, &xf, &xfi, |
2408 | ikev2_default_ike_transforms_noauth, |
2409 | ikev2_default_nike_transforms_noauth); |
2410 | |
2411 | p->prop_id = ikepropid++; |
2412 | p->prop_protoid = IKEV2_SAPROTO_IKE1; |
2413 | p->prop_xforms = xf; |
2414 | p->prop_nxforms = xfi; |
2415 | TAILQ_INSERT_TAIL(&pol.pol_proposals, p, prop_entry)do { (p)->prop_entry.tqe_next = ((void *)0); (p)->prop_entry .tqe_prev = (&pol.pol_proposals)->tqh_last; *(&pol .pol_proposals)->tqh_last = (p); (&pol.pol_proposals)-> tqh_last = &(p)->prop_entry.tqe_next; } while (0); |
2416 | pol.pol_nproposals++; |
2417 | } |
2418 | if (!noauth) { |
2419 | if ((p = calloc(1, sizeof(*p))) == NULL((void *)0)) |
2420 | err(1, "%s", __func__); |
2421 | |
2422 | xf = NULL((void *)0); |
2423 | xfi = 0; |
2424 | copy_transforms(IKEV2_XFORMTYPE_INTEGR3, |
2425 | ike_sa->xfs[i]->authxf, |
2426 | ike_sa->xfs[i]->nauthxf, &xf, &xfi, |
2427 | ikev2_default_ike_transforms, |
2428 | ikev2_default_nike_transforms); |
2429 | copy_transforms(IKEV2_XFORMTYPE_ENCR1, |
2430 | ike_sa->xfs[i]->encxf, |
2431 | ike_sa->xfs[i]->nencxf, &xf, &xfi, |
2432 | ikev2_default_ike_transforms, |
2433 | ikev2_default_nike_transforms); |
2434 | copy_transforms(IKEV2_XFORMTYPE_DH4, |
2435 | ike_sa->xfs[i]->groupxf, |
2436 | ike_sa->xfs[i]->ngroupxf, &xf, &xfi, |
2437 | ikev2_default_ike_transforms, |
2438 | ikev2_default_nike_transforms); |
2439 | copy_transforms(IKEV2_XFORMTYPE_PRF2, |
2440 | ike_sa->xfs[i]->prfxf, |
2441 | ike_sa->xfs[i]->nprfxf, &xf, &xfi, |
2442 | ikev2_default_ike_transforms, |
2443 | ikev2_default_nike_transforms); |
2444 | |
2445 | p->prop_id = ikepropid++; |
2446 | p->prop_protoid = IKEV2_SAPROTO_IKE1; |
2447 | p->prop_xforms = xf; |
2448 | p->prop_nxforms = xfi; |
2449 | TAILQ_INSERT_TAIL(&pol.pol_proposals, p, prop_entry)do { (p)->prop_entry.tqe_next = ((void *)0); (p)->prop_entry .tqe_prev = (&pol.pol_proposals)->tqh_last; *(&pol .pol_proposals)->tqh_last = (p); (&pol.pol_proposals)-> tqh_last = &(p)->prop_entry.tqe_next; } while (0); |
2450 | pol.pol_nproposals++; |
2451 | } |
2452 | } |
2453 | } |
2454 | |
2455 | if (ipsec_sa == NULL((void *)0) || ipsec_sa->nxfs == 0) { |
2456 | if ((p = calloc(1, sizeof(*p))) == NULL((void *)0)) |
2457 | err(1, "%s", __func__); |
2458 | p->prop_id = ipsecpropid++; |
2459 | p->prop_protoid = saproto; |
2460 | p->prop_nxforms = ikev2_default_nesp_transforms_noauth; |
2461 | p->prop_xforms = ikev2_default_esp_transforms_noauth; |
2462 | TAILQ_INSERT_TAIL(&pol.pol_proposals, p, prop_entry)do { (p)->prop_entry.tqe_next = ((void *)0); (p)->prop_entry .tqe_prev = (&pol.pol_proposals)->tqh_last; *(&pol .pol_proposals)->tqh_last = (p); (&pol.pol_proposals)-> tqh_last = &(p)->prop_entry.tqe_next; } while (0); |
2463 | pol.pol_nproposals++; |
2464 | |
2465 | if ((p = calloc(1, sizeof(*p))) == NULL((void *)0)) |
2466 | err(1, "%s", __func__); |
2467 | p->prop_id = ipsecpropid++; |
2468 | p->prop_protoid = saproto; |
2469 | p->prop_nxforms = ikev2_default_nesp_transforms; |
2470 | p->prop_xforms = ikev2_default_esp_transforms; |
2471 | TAILQ_INSERT_TAIL(&pol.pol_proposals, p, prop_entry)do { (p)->prop_entry.tqe_next = ((void *)0); (p)->prop_entry .tqe_prev = (&pol.pol_proposals)->tqh_last; *(&pol .pol_proposals)->tqh_last = (p); (&pol.pol_proposals)-> tqh_last = &(p)->prop_entry.tqe_next; } while (0); |
2472 | pol.pol_nproposals++; |
2473 | } else { |
2474 | for (i = 0; i < ipsec_sa->nxfs; i++) { |
2475 | noauth = auth = 0; |
2476 | for (j = 0; j < ipsec_sa->xfs[i]->nencxf; j++) { |
2477 | if (ipsec_sa->xfs[i]->encxf[j]->noauth) |
2478 | noauth++; |
2479 | else |
2480 | auth++; |
2481 | } |
2482 | if (ipsec_sa->xfs[i]->nauthxf) |
2483 | auth++; |
2484 | |
2485 | if (noauth && noauth != ipsec_sa->xfs[i]->nencxf) { |
2486 | yyerror("cannot mix encryption transforms with " |
2487 | "implicit and non-implicit authentication"); |
2488 | goto done; |
2489 | } |
2490 | if (noauth && ipsec_sa->xfs[i]->nauthxf) { |
2491 | yyerror("authentication is implicit for given " |
2492 | "encryption transforms"); |
2493 | goto done; |
2494 | } |
2495 | |
2496 | if (!auth) { |
2497 | if ((p = calloc(1, sizeof(*p))) == NULL((void *)0)) |
2498 | err(1, "%s", __func__); |
2499 | |
2500 | xf = NULL((void *)0); |
2501 | xfi = 0; |
2502 | copy_transforms(IKEV2_XFORMTYPE_ENCR1, |
2503 | ipsec_sa->xfs[i]->encxf, |
2504 | ipsec_sa->xfs[i]->nencxf, &xf, &xfi, |
2505 | ikev2_default_esp_transforms_noauth, |
2506 | ikev2_default_nesp_transforms_noauth); |
2507 | copy_transforms(IKEV2_XFORMTYPE_DH4, |
2508 | ipsec_sa->xfs[i]->groupxf, |
2509 | ipsec_sa->xfs[i]->ngroupxf, &xf, &xfi, |
2510 | ikev2_default_esp_transforms_noauth, |
2511 | ikev2_default_nesp_transforms_noauth); |
2512 | copy_transforms(IKEV2_XFORMTYPE_ESN5, |
2513 | ipsec_sa->xfs[i]->esnxf, |
2514 | ipsec_sa->xfs[i]->nesnxf, &xf, &xfi, |
2515 | ikev2_default_esp_transforms_noauth, |
2516 | ikev2_default_nesp_transforms_noauth); |
2517 | |
2518 | p->prop_id = ipsecpropid++; |
2519 | p->prop_protoid = saproto; |
2520 | p->prop_xforms = xf; |
2521 | p->prop_nxforms = xfi; |
2522 | TAILQ_INSERT_TAIL(&pol.pol_proposals, p, prop_entry)do { (p)->prop_entry.tqe_next = ((void *)0); (p)->prop_entry .tqe_prev = (&pol.pol_proposals)->tqh_last; *(&pol .pol_proposals)->tqh_last = (p); (&pol.pol_proposals)-> tqh_last = &(p)->prop_entry.tqe_next; } while (0); |
2523 | pol.pol_nproposals++; |
2524 | } |
2525 | if (!noauth) { |
2526 | if ((p = calloc(1, sizeof(*p))) == NULL((void *)0)) |
2527 | err(1, "%s", __func__); |
2528 | |
2529 | xf = NULL((void *)0); |
2530 | xfi = 0; |
2531 | copy_transforms(IKEV2_XFORMTYPE_INTEGR3, |
2532 | ipsec_sa->xfs[i]->authxf, |
2533 | ipsec_sa->xfs[i]->nauthxf, &xf, &xfi, |
2534 | ikev2_default_esp_transforms, |
2535 | ikev2_default_nesp_transforms); |
2536 | copy_transforms(IKEV2_XFORMTYPE_ENCR1, |
2537 | ipsec_sa->xfs[i]->encxf, |
2538 | ipsec_sa->xfs[i]->nencxf, &xf, &xfi, |
2539 | ikev2_default_esp_transforms, |
2540 | ikev2_default_nesp_transforms); |
2541 | copy_transforms(IKEV2_XFORMTYPE_DH4, |
2542 | ipsec_sa->xfs[i]->groupxf, |
2543 | ipsec_sa->xfs[i]->ngroupxf, &xf, &xfi, |
2544 | ikev2_default_esp_transforms, |
2545 | ikev2_default_nesp_transforms); |
2546 | copy_transforms(IKEV2_XFORMTYPE_ESN5, |
2547 | ipsec_sa->xfs[i]->esnxf, |
2548 | ipsec_sa->xfs[i]->nesnxf, &xf, &xfi, |
2549 | ikev2_default_esp_transforms, |
2550 | ikev2_default_nesp_transforms); |
2551 | |
2552 | p->prop_id = ipsecpropid++; |
2553 | p->prop_protoid = saproto; |
2554 | p->prop_xforms = xf; |
2555 | p->prop_nxforms = xfi; |
2556 | TAILQ_INSERT_TAIL(&pol.pol_proposals, p, prop_entry)do { (p)->prop_entry.tqe_next = ((void *)0); (p)->prop_entry .tqe_prev = (&pol.pol_proposals)->tqh_last; *(&pol .pol_proposals)->tqh_last = (p); (&pol.pol_proposals)-> tqh_last = &(p)->prop_entry.tqe_next; } while (0); |
2557 | pol.pol_nproposals++; |
2558 | } |
2559 | } |
2560 | } |
2561 | |
2562 | for (ipa = hosts->src, ipb = hosts->dst; ipa && ipb; |
2563 | ipa = ipa->next, ipb = ipb->next) { |
2564 | for (j = 0; j < pol.pol_nipproto; j++) |
2565 | if (expand_flows(&pol, pol.pol_ipproto[j], ipa, ipb)) |
2566 | fatalx("create_ike: invalid flow"); |
2567 | if (pol.pol_nipproto == 0) |
2568 | if (expand_flows(&pol, 0, ipa, ipb)) |
2569 | fatalx("create_ike: invalid flow"); |
2570 | } |
2571 | |
2572 | for (j = 0, ipa = ikecfg; ipa; ipa = ipa->next, j++) { |
2573 | if (j >= IKED_CFG_MAX16) |
2574 | break; |
2575 | cfg = &pol.pol_cfg[j]; |
2576 | pol.pol_ncfg++; |
2577 | |
2578 | cfg->cfg_action = ipa->action; |
2579 | cfg->cfg_type = ipa->type; |
2580 | memcpy(&cfg->cfg.address.addr, &ipa->address, |
2581 | sizeof(ipa->address)); |
2582 | cfg->cfg.address.addr_mask = ipa->mask; |
2583 | cfg->cfg.address.addr_net = ipa->netaddress; |
2584 | cfg->cfg.address.addr_af = ipa->af; |
2585 | } |
2586 | |
2587 | if (dstid) |
2588 | strlcpy(idstr, dstid, sizeof(idstr)); |
2589 | else if (!pol.pol_peer.addr_net) |
2590 | strlcpy(idstr, print_addr(&pol.pol_peer.addr), sizeof(idstr)); |
2591 | |
2592 | ikeauth = &pol.pol_auth; |
2593 | switch (ikeauth->auth_method) { |
2594 | case IKEV2_AUTH_RSA_SIG1: |
2595 | pol.pol_certreqtype = IKEV2_CERT_RSA_KEY11; |
2596 | break; |
2597 | case IKEV2_AUTH_ECDSA_2569: |
2598 | case IKEV2_AUTH_ECDSA_38410: |
2599 | case IKEV2_AUTH_ECDSA_52111: |
2600 | pol.pol_certreqtype = IKEV2_CERT_ECDSA201; |
2601 | break; |
2602 | default: |
2603 | pol.pol_certreqtype = IKEV2_CERT_NONE0; |
2604 | break; |
2605 | } |
2606 | |
2607 | log_debug("%s: using %s for peer %s", __func__, |
2608 | print_xf(ikeauth->auth_method, 0, methodxfs), idstr); |
2609 | |
2610 | config_setpolicy(env, &pol, PROC_IKEV2); |
2611 | config_setflow(env, &pol, PROC_IKEV2); |
2612 | |
2613 | rules++; |
2614 | ret = 0; |
2615 | |
2616 | done: |
2617 | if (ike_sa) { |
2618 | for (i = 0; i < ike_sa->nxfs; i++) { |
2619 | free(ike_sa->xfs[i]->authxf); |
2620 | free(ike_sa->xfs[i]->encxf); |
2621 | free(ike_sa->xfs[i]->groupxf); |
2622 | free(ike_sa->xfs[i]->prfxf); |
2623 | free(ike_sa->xfs[i]); |
2624 | } |
2625 | free(ike_sa->xfs); |
2626 | free(ike_sa); |
2627 | } |
2628 | if (ipsec_sa) { |
2629 | for (i = 0; i < ipsec_sa->nxfs; i++) { |
2630 | free(ipsec_sa->xfs[i]->authxf); |
2631 | free(ipsec_sa->xfs[i]->encxf); |
2632 | free(ipsec_sa->xfs[i]->groupxf); |
2633 | free(ipsec_sa->xfs[i]->prfxf); |
2634 | free(ipsec_sa->xfs[i]->esnxf); |
2635 | free(ipsec_sa->xfs[i]); |
2636 | } |
2637 | free(ipsec_sa->xfs); |
2638 | free(ipsec_sa); |
2639 | } |
2640 | TAILQ_FOREACH_SAFE(p, &pol.pol_proposals, prop_entry, ptmp)for ((p) = ((&pol.pol_proposals)->tqh_first); (p) != ( (void *)0) && ((ptmp) = ((p)->prop_entry.tqe_next) , 1); (p) = (ptmp)) { |
2641 | if (p->prop_xforms != ikev2_default_ike_transforms && |
2642 | p->prop_xforms != ikev2_default_ike_transforms_noauth && |
2643 | p->prop_xforms != ikev2_default_esp_transforms && |
2644 | p->prop_xforms != ikev2_default_esp_transforms_noauth) |
2645 | free(p->prop_xforms); |
2646 | free(p); |
2647 | } |
2648 | if (peers != NULL((void *)0)) { |
2649 | iaw_free(peers->src); |
2650 | iaw_free(peers->dst); |
2651 | /* peers is static, cannot be freed */ |
2652 | } |
2653 | if (hosts != NULL((void *)0)) { |
2654 | iaw_free(hosts->src); |
2655 | iaw_free(hosts->dst); |
2656 | free(hosts); |
2657 | } |
2658 | iaw_free(ikecfg); |
2659 | iaw_free(ipproto); |
2660 | RB_FOREACH_SAFE(flow, iked_flows, &pol.pol_flows, ftmp)for ((flow) = iked_flows_RB_MINMAX(&pol.pol_flows, -1); ( (flow) != ((void *)0)) && ((ftmp) = iked_flows_RB_NEXT (flow), 1); (flow) = (ftmp)) { |
2661 | RB_REMOVE(iked_flows, &pol.pol_flows, flow)iked_flows_RB_REMOVE(&pol.pol_flows, flow); |
2662 | free(flow); |
2663 | } |
2664 | free(name); |
2665 | free(srcid); |
2666 | free(dstid); |
2667 | return (ret); |
2668 | } |
2669 | |
2670 | static int |
2671 | create_flow(struct iked_policy *pol, int proto, struct ipsec_addr_wrap *ipa, |
2672 | struct ipsec_addr_wrap *ipb) |
2673 | { |
2674 | struct iked_flow *flow; |
2675 | struct ipsec_addr_wrap *ippn; |
2676 | |
2677 | if (ipa->af != ipb->af) { |
2678 | yyerror("cannot mix different address families."); |
2679 | return (-1); |
2680 | } |
2681 | |
2682 | if ((flow = calloc(1, sizeof(struct iked_flow))) == NULL((void *)0)) |
2683 | fatalx("%s: failed to alloc flow.", __func__); |
2684 | |
2685 | memcpy(&flow->flow_src.addr, &ipa->address, |
2686 | sizeof(ipa->address)); |
2687 | flow->flow_src.addr_af = ipa->af; |
2688 | flow->flow_src.addr_mask = ipa->mask; |
2689 | flow->flow_src.addr_net = ipa->netaddress; |
2690 | flow->flow_src.addr_port = ipa->port; |
2691 | |
2692 | memcpy(&flow->flow_dst.addr, &ipb->address, |
2693 | sizeof(ipb->address)); |
2694 | flow->flow_dst.addr_af = ipb->af; |
2695 | flow->flow_dst.addr_mask = ipb->mask; |
2696 | flow->flow_dst.addr_net = ipb->netaddress; |
2697 | flow->flow_dst.addr_port = ipb->port; |
2698 | |
2699 | ippn = ipa->srcnat; |
2700 | if (ippn) { |
2701 | memcpy(&flow->flow_prenat.addr, &ippn->address, |
2702 | sizeof(ippn->address)); |
2703 | flow->flow_prenat.addr_af = ippn->af; |
2704 | flow->flow_prenat.addr_mask = ippn->mask; |
2705 | flow->flow_prenat.addr_net = ippn->netaddress; |
2706 | } else { |
2707 | flow->flow_prenat.addr_af = 0; |
2708 | } |
2709 | |
2710 | flow->flow_dir = IPSP_DIRECTION_OUT0x2; |
2711 | flow->flow_ipproto = proto; |
2712 | flow->flow_saproto = pol->pol_saproto; |
2713 | flow->flow_rdomain = pol->pol_rdomain; |
2714 | |
2715 | if (RB_INSERT(iked_flows, &pol->pol_flows, flow)iked_flows_RB_INSERT(&pol->pol_flows, flow) == NULL((void *)0)) |
2716 | pol->pol_nflows++; |
2717 | else { |
2718 | warnx("create_ike: duplicate flow"); |
2719 | free(flow); |
2720 | } |
2721 | |
2722 | return (0); |
2723 | } |
2724 | |
2725 | static int |
2726 | expand_flows(struct iked_policy *pol, int proto, struct ipsec_addr_wrap *src, |
2727 | struct ipsec_addr_wrap *dst) |
2728 | { |
2729 | struct ipsec_addr_wrap *ipa = NULL((void *)0), *ipb = NULL((void *)0); |
2730 | int ret = -1; |
2731 | int srcaf, dstaf; |
2732 | |
2733 | srcaf = src->af; |
2734 | dstaf = dst->af; |
2735 | |
2736 | if (src->af == AF_UNSPEC0 && |
2737 | dst->af == AF_UNSPEC0) { |
2738 | /* Need both IPv4 and IPv6 flows */ |
2739 | src->af = dst->af = AF_INET2; |
2740 | ipa = expand_keyword(src); |
2741 | ipb = expand_keyword(dst); |
2742 | if (!ipa || !ipb) |
2743 | goto done; |
2744 | if (create_flow(pol, proto, ipa, ipb)) |
2745 | goto done; |
2746 | |
2747 | iaw_free(ipa); |
2748 | iaw_free(ipb); |
2749 | src->af = dst->af = AF_INET624; |
2750 | ipa = expand_keyword(src); |
2751 | ipb = expand_keyword(dst); |
2752 | if (!ipa || !ipb) |
2753 | goto done; |
2754 | if (create_flow(pol, proto, ipa, ipb)) |
2755 | goto done; |
2756 | } else if (src->af == AF_UNSPEC0) { |
2757 | src->af = dst->af; |
2758 | ipa = expand_keyword(src); |
2759 | if (!ipa) |
2760 | goto done; |
2761 | if (create_flow(pol, proto, ipa, dst)) |
2762 | goto done; |
2763 | } else if (dst->af == AF_UNSPEC0) { |
2764 | dst->af = src->af; |
2765 | ipa = expand_keyword(dst); |
2766 | if (!ipa) |
2767 | goto done; |
2768 | if (create_flow(pol, proto, src, ipa)) |
2769 | goto done; |
2770 | } else if (create_flow(pol, proto, src, dst)) |
2771 | goto done; |
2772 | ret = 0; |
2773 | done: |
2774 | src->af = srcaf; |
2775 | dst->af = dstaf; |
2776 | iaw_free(ipa); |
2777 | iaw_free(ipb); |
2778 | return (ret); |
2779 | } |
2780 | |
2781 | static struct ipsec_addr_wrap * |
2782 | expand_keyword(struct ipsec_addr_wrap *ip) |
2783 | { |
2784 | switch(ip->af) { |
2785 | case AF_INET2: |
2786 | switch(ip->type) { |
2787 | case IPSEC_ADDR_ANY(0x1): |
2788 | return (host("0.0.0.0/0")); |
2789 | case IPSEC_ADDR_DYNAMIC(0x2): |
2790 | return (host("0.0.0.0")); |
2791 | } |
2792 | break; |
2793 | case AF_INET624: |
2794 | switch(ip->type) { |
2795 | case IPSEC_ADDR_ANY(0x1): |
2796 | return (host("::/0")); |
2797 | case IPSEC_ADDR_DYNAMIC(0x2): |
2798 | return (host("::")); |
2799 | } |
2800 | } |
2801 | return (NULL((void *)0)); |
2802 | } |
2803 | |
2804 | int |
2805 | create_user(const char *user, const char *pass) |
2806 | { |
2807 | struct iked_user usr; |
2808 | |
2809 | bzero(&usr, sizeof(usr)); |
2810 | |
2811 | if (*user == '\0' || (strlcpy(usr.usr_name, user, |
2812 | sizeof(usr.usr_name)) >= sizeof(usr.usr_name))) { |
2813 | yyerror("invalid user name"); |
2814 | return (-1); |
2815 | } |
2816 | if (*pass == '\0' || (strlcpy(usr.usr_pass, pass, |
2817 | sizeof(usr.usr_pass)) >= sizeof(usr.usr_pass))) { |
2818 | yyerror("invalid password"); |
2819 | explicit_bzero(&usr, sizeof usr); /* zap partial password */ |
2820 | return (-1); |
2821 | } |
2822 | |
2823 | config_setuser(env, &usr, PROC_IKEV2); |
2824 | |
2825 | rules++; |
2826 | |
2827 | explicit_bzero(&usr, sizeof usr); |
2828 | return (0); |
2829 | } |
2830 | |
2831 | void |
2832 | iaw_free(struct ipsec_addr_wrap *head) |
2833 | { |
2834 | struct ipsec_addr_wrap *n, *cur; |
2835 | |
2836 | if (head == NULL((void *)0)) |
2837 | return; |
2838 | |
2839 | for (n = head; n != NULL((void *)0); ) { |
2840 | cur = n; |
2841 | n = n->next; |
2842 | if (cur->srcnat != NULL((void *)0)) { |
2843 | free(cur->srcnat->name); |
2844 | free(cur->srcnat); |
2845 | } |
2846 | free(cur->name); |
2847 | free(cur); |
2848 | } |
2849 | } |
2850 | #line 2843 "parse.c" |
2851 | /* allocate initial stack or double stack size, up to YYMAXDEPTH */ |
2852 | static int yygrowstack(void) |
2853 | { |
2854 | unsigned int newsize; |
2855 | long sslen; |
2856 | short *newss; |
2857 | YYSTYPE *newvs; |
2858 | |
2859 | if ((newsize = yystacksize) == 0) |
2860 | newsize = YYINITSTACKSIZE200; |
2861 | else if (newsize >= YYMAXDEPTH10000) |
2862 | return -1; |
2863 | else if ((newsize *= 2) > YYMAXDEPTH10000) |
2864 | newsize = YYMAXDEPTH10000; |
2865 | sslen = yyssp - yyss; |
2866 | #ifdef SIZE_MAX0xffffffffffffffffUL |
2867 | #define YY_SIZE_MAX0xffffffffffffffffUL SIZE_MAX0xffffffffffffffffUL |
2868 | #else |
2869 | #define YY_SIZE_MAX0xffffffffffffffffUL 0xffffffffU |
2870 | #endif |
2871 | if (newsize && YY_SIZE_MAX0xffffffffffffffffUL / newsize < sizeof *newss) |
2872 | goto bail; |
2873 | newss = (short *)realloc(yyss, newsize * sizeof *newss); |
2874 | if (newss == NULL((void *)0)) |
2875 | goto bail; |
2876 | yyss = newss; |
2877 | yyssp = newss + sslen; |
2878 | if (newsize && YY_SIZE_MAX0xffffffffffffffffUL / newsize < sizeof *newvs) |
2879 | goto bail; |
2880 | newvs = (YYSTYPE *)realloc(yyvs, newsize * sizeof *newvs); |
2881 | if (newvs == NULL((void *)0)) |
2882 | goto bail; |
2883 | yyvs = newvs; |
2884 | yyvsp = newvs + sslen; |
2885 | yystacksize = newsize; |
2886 | yysslim = yyss + newsize - 1; |
2887 | return 0; |
2888 | bail: |
2889 | if (yyss) |
2890 | free(yyss); |
2891 | if (yyvs) |
2892 | free(yyvs); |
2893 | yyss = yyssp = NULL((void *)0); |
2894 | yyvs = yyvsp = NULL((void *)0); |
2895 | yystacksize = 0; |
2896 | return -1; |
2897 | } |
2898 | |
2899 | #define YYABORTgoto yyabort goto yyabort |
2900 | #define YYREJECTgoto yyabort goto yyabort |
2901 | #define YYACCEPTgoto yyaccept goto yyaccept |
2902 | #define YYERRORgoto yyerrlab goto yyerrlab |
2903 | int |
2904 | yyparse(void) |
2905 | { |
2906 | int yym, yyn, yystate; |
2907 | #if YYDEBUG0 |
2908 | const char *yys; |
2909 | |
2910 | if ((yys = getenv("YYDEBUG"))) |
2911 | { |
2912 | yyn = *yys; |
2913 | if (yyn >= '0' && yyn <= '9') |
2914 | yydebug = yyn - '0'; |
2915 | } |
2916 | #endif /* YYDEBUG */ |
2917 | |
2918 | yynerrs = 0; |
2919 | yyerrflag = 0; |
2920 | yychar = (-1); |
2921 | |
2922 | if (yyss == NULL((void *)0) && yygrowstack()) goto yyoverflow; |
2923 | yyssp = yyss; |
2924 | yyvsp = yyvs; |
2925 | *yyssp = yystate = 0; |
2926 | |
2927 | yyloop: |
2928 | if ((yyn = yydefred[yystate]) != 0) goto yyreduce; |
2929 | if (yychar < 0) |
2930 | { |
2931 | if ((yychar = yylex()) < 0) yychar = 0; |
2932 | #if YYDEBUG0 |
2933 | if (yydebug) |
2934 | { |
2935 | yys = 0; |
2936 | if (yychar <= YYMAXTOKEN330) yys = yyname[yychar]; |
2937 | if (!yys) yys = "illegal-symbol"; |
2938 | printf("%sdebug: state %d, reading %d (%s)\n", |
2939 | YYPREFIX"yy", yystate, yychar, yys); |
2940 | } |
2941 | #endif |
2942 | } |
2943 | if ((yyn = yysindex[yystate]) && (yyn += yychar) >= 0 && |
2944 | yyn <= YYTABLESIZE745 && yycheck[yyn] == yychar) |
2945 | { |
2946 | #if YYDEBUG0 |
2947 | if (yydebug) |
2948 | printf("%sdebug: state %d, shifting to state %d\n", |
2949 | YYPREFIX"yy", yystate, yytable[yyn]); |
2950 | #endif |
2951 | if (yyssp >= yysslim && yygrowstack()) |
2952 | { |
2953 | goto yyoverflow; |
2954 | } |
2955 | *++yyssp = yystate = yytable[yyn]; |
2956 | *++yyvsp = yylval; |
2957 | yychar = (-1); |
2958 | if (yyerrflag > 0) --yyerrflag; |
2959 | goto yyloop; |
2960 | } |
2961 | if ((yyn = yyrindex[yystate]) && (yyn += yychar) >= 0 && |
2962 | yyn <= YYTABLESIZE745 && yycheck[yyn] == yychar) |
2963 | { |
2964 | yyn = yytable[yyn]; |
2965 | goto yyreduce; |
2966 | } |
2967 | if (yyerrflag) goto yyinrecovery; |
2968 | #if defined(__GNUC__4) |
2969 | goto yynewerror; |
2970 | #endif |
2971 | yynewerror: |
2972 | yyerror("syntax error"); |
2973 | #if defined(__GNUC__4) |
2974 | goto yyerrlab; |
2975 | #endif |
2976 | yyerrlab: |
2977 | ++yynerrs; |
2978 | yyinrecovery: |
2979 | if (yyerrflag < 3) |
2980 | { |
2981 | yyerrflag = 3; |
2982 | for (;;) |
2983 | { |
2984 | if ((yyn = yysindex[*yyssp]) && (yyn += YYERRCODE256) >= 0 && |
2985 | yyn <= YYTABLESIZE745 && yycheck[yyn] == YYERRCODE256) |
2986 | { |
2987 | #if YYDEBUG0 |
2988 | if (yydebug) |
2989 | printf("%sdebug: state %d, error recovery shifting\ |
2990 | to state %d\n", YYPREFIX"yy", *yyssp, yytable[yyn]); |
2991 | #endif |
2992 | if (yyssp >= yysslim && yygrowstack()) |
2993 | { |
2994 | goto yyoverflow; |
2995 | } |
2996 | *++yyssp = yystate = yytable[yyn]; |
2997 | *++yyvsp = yylval; |
2998 | goto yyloop; |
2999 | } |
3000 | else |
3001 | { |
3002 | #if YYDEBUG0 |
3003 | if (yydebug) |
3004 | printf("%sdebug: error recovery discarding state %d\n", |
3005 | YYPREFIX"yy", *yyssp); |
3006 | #endif |
3007 | if (yyssp <= yyss) goto yyabort; |
3008 | --yyssp; |
3009 | --yyvsp; |
3010 | } |
3011 | } |
3012 | } |
3013 | else |
3014 | { |
3015 | if (yychar == 0) goto yyabort; |
3016 | #if YYDEBUG0 |
3017 | if (yydebug) |
3018 | { |
3019 | yys = 0; |
3020 | if (yychar <= YYMAXTOKEN330) yys = yyname[yychar]; |
3021 | if (!yys) yys = "illegal-symbol"; |
3022 | printf("%sdebug: state %d, error recovery discards token %d (%s)\n", |
3023 | YYPREFIX"yy", yystate, yychar, yys); |
3024 | } |
3025 | #endif |
3026 | yychar = (-1); |
3027 | goto yyloop; |
3028 | } |
3029 | yyreduce: |
3030 | #if YYDEBUG0 |
3031 | if (yydebug) |
3032 | printf("%sdebug: state %d, reducing by rule %d (%s)\n", |
3033 | YYPREFIX"yy", yystate, yyn, yyrule[yyn]); |
3034 | #endif |
3035 | yym = yylen[yyn]; |
3036 | if (yym) |
3037 | yyval = yyvsp[1-yym]; |
3038 | else |
3039 | memset(&yyval, 0, sizeof yyval); |
3040 | switch (yyn) |
3041 | { |
3042 | case 9: |
3043 | #line 483 "/usr/src/sbin/iked/parse.y" |
3044 | { file->errors++; } |
3045 | break; |
3046 | case 12: |
3047 | #line 490 "/usr/src/sbin/iked/parse.y" |
3048 | { |
3049 | struct file *nfile; |
3050 | |
3051 | if ((nfile = pushfile(yyvsp[0].v.string, 1)) == NULL((void *)0)) { |
3052 | yyerror("failed to include file %s", yyvsp[0].v.string); |
3053 | free(yyvsp[0].v.string); |
3054 | YYERRORgoto yyerrlab; |
3055 | } |
3056 | free(yyvsp[0].v.string); |
3057 | |
3058 | file = nfile; |
3059 | lungetc('\n'); |
3060 | } |
3061 | break; |
3062 | case 13: |
3063 | #line 505 "/usr/src/sbin/iked/parse.y" |
3064 | { passive = 0; } |
3065 | break; |
3066 | case 14: |
3067 | #line 506 "/usr/src/sbin/iked/parse.y" |
3068 | { passive = 1; } |
3069 | break; |
3070 | case 15: |
3071 | #line 507 "/usr/src/sbin/iked/parse.y" |
3072 | { decouple = 0; } |
3073 | break; |
3074 | case 16: |
3075 | #line 508 "/usr/src/sbin/iked/parse.y" |
3076 | { decouple = 1; } |
3077 | break; |
3078 | case 17: |
3079 | #line 509 "/usr/src/sbin/iked/parse.y" |
3080 | { fragmentation = 1; } |
3081 | break; |
3082 | case 18: |
3083 | #line 510 "/usr/src/sbin/iked/parse.y" |
3084 | { fragmentation = 0; } |
3085 | break; |
3086 | case 19: |
3087 | #line 511 "/usr/src/sbin/iked/parse.y" |
3088 | { mobike = 1; } |
3089 | break; |
3090 | case 20: |
3091 | #line 512 "/usr/src/sbin/iked/parse.y" |
3092 | { mobike = 0; } |
3093 | break; |
3094 | case 21: |
3095 | #line 513 "/usr/src/sbin/iked/parse.y" |
3096 | { vendorid = 1; } |
3097 | break; |
3098 | case 22: |
3099 | #line 514 "/usr/src/sbin/iked/parse.y" |
3100 | { vendorid = 0; } |
3101 | break; |
3102 | case 23: |
3103 | #line 515 "/usr/src/sbin/iked/parse.y" |
3104 | { enforcesingleikesa = 1; } |
3105 | break; |
3106 | case 24: |
3107 | #line 516 "/usr/src/sbin/iked/parse.y" |
3108 | { enforcesingleikesa = 0; } |
3109 | break; |
3110 | case 25: |
3111 | #line 517 "/usr/src/sbin/iked/parse.y" |
3112 | { stickyaddress = 1; } |
3113 | break; |
3114 | case 26: |
3115 | #line 518 "/usr/src/sbin/iked/parse.y" |
3116 | { stickyaddress = 0; } |
3117 | break; |
3118 | case 27: |
3119 | #line 519 "/usr/src/sbin/iked/parse.y" |
3120 | { |
3121 | ocsp_url = yyvsp[0].v.string; |
3122 | } |
3123 | break; |
3124 | case 28: |
3125 | #line 522 "/usr/src/sbin/iked/parse.y" |
3126 | { |
3127 | ocsp_url = yyvsp[-2].v.string; |
3128 | ocsp_tolerate = yyvsp[0].v.number; |
3129 | } |
3130 | break; |
3131 | case 29: |
3132 | #line 526 "/usr/src/sbin/iked/parse.y" |
3133 | { |
3134 | ocsp_url = yyvsp[-4].v.string; |
3135 | ocsp_tolerate = yyvsp[-2].v.number; |
3136 | ocsp_maxage = yyvsp[0].v.number; |
3137 | } |
3138 | break; |
3139 | case 30: |
3140 | #line 531 "/usr/src/sbin/iked/parse.y" |
3141 | { |
3142 | cert_partial_chain = 1; |
3143 | } |
3144 | break; |
3145 | case 31: |
3146 | #line 534 "/usr/src/sbin/iked/parse.y" |
3147 | { |
3148 | if (yyvsp[0].v.number < 0) { |
3149 | yyerror("timeout outside range"); |
3150 | YYERRORgoto yyerrlab; |
3151 | } |
3152 | dpd_interval = yyvsp[0].v.number; |
3153 | } |
3154 | break; |
3155 | case 32: |
3156 | #line 543 "/usr/src/sbin/iked/parse.y" |
3157 | { |
3158 | if (create_user(yyvsp[-1].v.string, yyvsp[0].v.string) == -1) |
3159 | YYERRORgoto yyerrlab; |
3160 | free(yyvsp[-1].v.string); |
3161 | freezero(yyvsp[0].v.string, strlen(yyvsp[0].v.string)); |
3162 | } |
3163 | break; |
3164 | case 33: |
3165 | #line 553 "/usr/src/sbin/iked/parse.y" |
3166 | { |
3167 | if (create_ike(yyvsp[-16].v.string, yyvsp[-13].v.number, yyvsp[-12].v.proto, yyvsp[-11].v.number, yyvsp[-10].v.hosts, &yyvsp[-9].v.peers, yyvsp[-8].v.mode, yyvsp[-7].v.mode, yyvsp[-14].v.satype, |
3168 | yyvsp[-15].v.ikemode, yyvsp[-6].v.ids.srcid, yyvsp[-6].v.ids.dstid, yyvsp[-5].v.number, &yyvsp[-4].v.lifetime, &yyvsp[-3].v.ikeauth, |
3169 | yyvsp[0].v.filters, yyvsp[-2].v.cfg, yyvsp[-1].v.string) == -1) { |
3170 | yyerror("create_ike failed"); |
3171 | YYERRORgoto yyerrlab; |
3172 | } |
3173 | } |
3174 | break; |
3175 | case 34: |
3176 | #line 563 "/usr/src/sbin/iked/parse.y" |
3177 | { yyval.v.cfg = NULL((void *)0); } |
3178 | break; |
3179 | case 35: |
3180 | #line 564 "/usr/src/sbin/iked/parse.y" |
3181 | { yyval.v.cfg = yyvsp[0].v.cfg; } |
3182 | break; |
3183 | case 36: |
3184 | #line 567 "/usr/src/sbin/iked/parse.y" |
3185 | { yyval.v.cfg = yyvsp[0].v.cfg; } |
3186 | break; |
3187 | case 37: |
3188 | #line 568 "/usr/src/sbin/iked/parse.y" |
3189 | { |
3190 | if (yyvsp[0].v.cfg == NULL((void *)0)) |
3191 | yyval.v.cfg = yyvsp[-1].v.cfg; |
3192 | else if (yyvsp[-1].v.cfg == NULL((void *)0)) |
3193 | yyval.v.cfg = yyvsp[0].v.cfg; |
3194 | else { |
3195 | yyvsp[-1].v.cfg->tail->next = yyvsp[0].v.cfg; |
3196 | yyvsp[-1].v.cfg->tail = yyvsp[0].v.cfg->tail; |
3197 | yyval.v.cfg = yyvsp[-1].v.cfg; |
3198 | } |
3199 | } |
3200 | break; |
3201 | case 38: |
3202 | #line 581 "/usr/src/sbin/iked/parse.y" |
3203 | { |
3204 | const struct ipsec_xf *xf; |
3205 | |
3206 | if ((xf = parse_xf(yyvsp[-1].v.string, yyvsp[0].v.host->af, cpxfs)) == NULL((void *)0)) { |
3207 | yyerror("not a valid ikecfg option"); |
3208 | free(yyvsp[-1].v.string); |
3209 | free(yyvsp[0].v.host); |
3210 | YYERRORgoto yyerrlab; |
3211 | } |
3212 | free(yyvsp[-1].v.string); |
3213 | yyval.v.cfg = yyvsp[0].v.host; |
3214 | yyval.v.cfg->type = xf->id; |
3215 | yyval.v.cfg->action = IKEV2_CP_REPLY2; /* XXX */ |
3216 | } |
3217 | break; |
3218 | case 39: |
3219 | #line 595 "/usr/src/sbin/iked/parse.y" |
3220 | { |
3221 | const struct ipsec_xf *xf; |
3222 | |
3223 | if ((xf = parse_xf(yyvsp[-1].v.string, yyvsp[0].v.anyhost->af, cpxfs)) == NULL((void *)0)) { |
3224 | yyerror("not a valid ikecfg option"); |
3225 | free(yyvsp[-1].v.string); |
3226 | free(yyvsp[0].v.anyhost); |
3227 | YYERRORgoto yyerrlab; |
3228 | } |
3229 | free(yyvsp[-1].v.string); |
3230 | yyval.v.cfg = yyvsp[0].v.anyhost; |
3231 | yyval.v.cfg->type = xf->id; |
3232 | yyval.v.cfg->action = IKEV2_CP_REQUEST1; /* XXX */ |
3233 | } |
3234 | break; |
3235 | case 40: |
3236 | #line 611 "/usr/src/sbin/iked/parse.y" |
3237 | { yyval.v.string = NULL((void *)0); } |
3238 | break; |
3239 | case 41: |
3240 | #line 612 "/usr/src/sbin/iked/parse.y" |
3241 | { |
3242 | yyval.v.string = yyvsp[0].v.string; |
3243 | } |
3244 | break; |
3245 | case 42: |
3246 | #line 616 "/usr/src/sbin/iked/parse.y" |
3247 | { yyval.v.satype = IKEV2_SAPROTO_ESP3; } |
3248 | break; |
3249 | case 43: |
3250 | #line 617 "/usr/src/sbin/iked/parse.y" |
3251 | { yyval.v.satype = IKEV2_SAPROTO_ESP3; } |
3252 | break; |
3253 | case 44: |
3254 | #line 618 "/usr/src/sbin/iked/parse.y" |
3255 | { yyval.v.satype = IKEV2_SAPROTO_AH2; } |
3256 | break; |
3257 | case 45: |
3258 | #line 621 "/usr/src/sbin/iked/parse.y" |
3259 | { yyval.v.number = AF_UNSPEC0; } |
3260 | break; |
3261 | case 46: |
3262 | #line 622 "/usr/src/sbin/iked/parse.y" |
3263 | { yyval.v.number = AF_INET2; } |
3264 | break; |
3265 | case 47: |
3266 | #line 623 "/usr/src/sbin/iked/parse.y" |
3267 | { yyval.v.number = AF_INET624; } |
3268 | break; |
3269 | case 48: |
3270 | #line 626 "/usr/src/sbin/iked/parse.y" |
3271 | { yyval.v.proto = NULL((void *)0); } |
3272 | break; |
3273 | case 49: |
3274 | #line 627 "/usr/src/sbin/iked/parse.y" |
3275 | { yyval.v.proto = yyvsp[0].v.proto; } |
3276 | break; |
3277 | case 50: |
3278 | #line 628 "/usr/src/sbin/iked/parse.y" |
3279 | { yyval.v.proto = yyvsp[-1].v.proto; } |
3280 | break; |
3281 | case 51: |
3282 | #line 631 "/usr/src/sbin/iked/parse.y" |
3283 | { yyval.v.proto = yyvsp[0].v.proto; } |
3284 | break; |
3285 | case 52: |
3286 | #line 632 "/usr/src/sbin/iked/parse.y" |
3287 | { |
3288 | if (yyvsp[0].v.proto == NULL((void *)0)) |
3289 | yyval.v.proto = yyvsp[-2].v.proto; |
3290 | else if (yyvsp[-2].v.proto == NULL((void *)0)) |
3291 | yyval.v.proto = yyvsp[0].v.proto; |
3292 | else { |
3293 | yyvsp[-2].v.proto->tail->next = yyvsp[0].v.proto; |
3294 | yyvsp[-2].v.proto->tail = yyvsp[0].v.proto->tail; |
3295 | yyval.v.proto = yyvsp[-2].v.proto; |
3296 | } |
3297 | } |
3298 | break; |
3299 | case 53: |
3300 | #line 645 "/usr/src/sbin/iked/parse.y" |
3301 | { |
3302 | struct protoent *p; |
3303 | |
3304 | p = getprotobyname(yyvsp[0].v.string); |
3305 | if (p == NULL((void *)0)) { |
3306 | yyerror("unknown protocol: %s", yyvsp[0].v.string); |
3307 | YYERRORgoto yyerrlab; |
3308 | } |
3309 | |
3310 | if ((yyval.v.proto = calloc(1, sizeof(*yyval.v.proto))) == NULL((void *)0)) |
3311 | err(1, "protoval: calloc"); |
3312 | |
3313 | yyval.v.proto->type = p->p_proto; |
3314 | yyval.v.proto->tail = yyval.v.proto; |
3315 | free(yyvsp[0].v.string); |
3316 | } |
3317 | break; |
3318 | case 54: |
3319 | #line 661 "/usr/src/sbin/iked/parse.y" |
3320 | { |
3321 | if (yyvsp[0].v.number > 255 || yyvsp[0].v.number < 0) { |
3322 | yyerror("protocol outside range"); |
3323 | YYERRORgoto yyerrlab; |
3324 | } |
3325 | if ((yyval.v.proto = calloc(1, sizeof(*yyval.v.proto))) == NULL((void *)0)) |
3326 | err(1, "protoval: calloc"); |
3327 | |
3328 | yyval.v.proto->type = yyvsp[0].v.number; |
3329 | yyval.v.proto->tail = yyval.v.proto; |
3330 | } |
3331 | break; |
3332 | case 55: |
3333 | #line 674 "/usr/src/sbin/iked/parse.y" |
3334 | { yyval.v.number = -1; } |
3335 | break; |
3336 | case 56: |
3337 | #line 675 "/usr/src/sbin/iked/parse.y" |
3338 | { |
3339 | if (yyvsp[0].v.number > 255 || yyvsp[0].v.number < 0) { |
3340 | yyerror("rdomain outside range"); |
3341 | YYERRORgoto yyerrlab; |
3342 | } |
3343 | yyval.v.number = yyvsp[0].v.number; |
3344 | } |
3345 | break; |
3346 | case 57: |
3347 | #line 683 "/usr/src/sbin/iked/parse.y" |
3348 | { yyval.v.hosts = yyvsp[0].v.hosts; } |
3349 | break; |
3350 | case 58: |
3351 | #line 684 "/usr/src/sbin/iked/parse.y" |
3352 | { |
3353 | if (yyvsp[0].v.hosts == NULL((void *)0)) |
3354 | yyval.v.hosts = yyvsp[-2].v.hosts; |
3355 | else if (yyvsp[-2].v.hosts == NULL((void *)0)) |
3356 | yyval.v.hosts = yyvsp[0].v.hosts; |
3357 | else { |
3358 | yyvsp[-2].v.hosts->src->tail->next = yyvsp[0].v.hosts->src; |
3359 | yyvsp[-2].v.hosts->src->tail = yyvsp[0].v.hosts->src->tail; |
3360 | yyvsp[-2].v.hosts->dst->tail->next = yyvsp[0].v.hosts->dst; |
3361 | yyvsp[-2].v.hosts->dst->tail = yyvsp[0].v.hosts->dst->tail; |
3362 | yyval.v.hosts = yyvsp[-2].v.hosts; |
3363 | free(yyvsp[0].v.hosts); |
3364 | } |
3365 | } |
3366 | break; |
3367 | case 59: |
3368 | #line 700 "/usr/src/sbin/iked/parse.y" |
3369 | { |
3370 | struct ipsec_addr_wrap *ipa; |
3371 | for (ipa = yyvsp[-1].v.host; ipa; ipa = ipa->next) { |
3372 | if (ipa->srcnat) { |
3373 | yyerror("no flow NAT support for" |
3374 | " destination network: %s", |
3375 | ipa->name); |
3376 | YYERRORgoto yyerrlab; |
3377 | } |
3378 | } |
3379 | |
3380 | if ((yyval.v.hosts = calloc(1, sizeof(*yyval.v.hosts))) == NULL((void *)0)) |
3381 | err(1, "hosts: calloc"); |
3382 | |
3383 | yyval.v.hosts->src = yyvsp[-4].v.host; |
3384 | yyval.v.hosts->src->port = yyvsp[-3].v.port; |
3385 | yyval.v.hosts->dst = yyvsp[-1].v.host; |
3386 | yyval.v.hosts->dst->port = yyvsp[0].v.port; |
3387 | } |
3388 | break; |
3389 | case 60: |
3390 | #line 719 "/usr/src/sbin/iked/parse.y" |
3391 | { |
3392 | struct ipsec_addr_wrap *ipa; |
3393 | for (ipa = yyvsp[-4].v.host; ipa; ipa = ipa->next) { |
3394 | if (ipa->srcnat) { |
3395 | yyerror("no flow NAT support for" |
3396 | " destination network: %s", |
3397 | ipa->name); |
3398 | YYERRORgoto yyerrlab; |
3399 | } |
3400 | } |
3401 | if ((yyval.v.hosts = calloc(1, sizeof(*yyval.v.hosts))) == NULL((void *)0)) |
3402 | err(1, "hosts: calloc"); |
3403 | |
3404 | yyval.v.hosts->src = yyvsp[-1].v.host; |
3405 | yyval.v.hosts->src->port = yyvsp[0].v.port; |
3406 | yyval.v.hosts->dst = yyvsp[-4].v.host; |
3407 | yyval.v.hosts->dst->port = yyvsp[-3].v.port; |
3408 | } |
3409 | break; |
3410 | case 61: |
3411 | #line 739 "/usr/src/sbin/iked/parse.y" |
3412 | { yyval.v.port = 0; } |
3413 | break; |
3414 | case 62: |
3415 | #line 740 "/usr/src/sbin/iked/parse.y" |
3416 | { yyval.v.port = yyvsp[0].v.number; } |
3417 | break; |
3418 | case 63: |
3419 | #line 743 "/usr/src/sbin/iked/parse.y" |
3420 | { |
3421 | struct servent *s; |
3422 | |
3423 | if ((s = getservbyname(yyvsp[0].v.string, "tcp")) != NULL((void *)0) || |
3424 | (s = getservbyname(yyvsp[0].v.string, "udp")) != NULL((void *)0)) { |
3425 | yyval.v.number = s->s_port; |
3426 | } else { |
3427 | yyerror("unknown port: %s", yyvsp[0].v.string); |
3428 | YYERRORgoto yyerrlab; |
3429 | } |
3430 | free(yyvsp[0].v.string); |
3431 | } |
3432 | break; |
3433 | case 64: |
3434 | #line 755 "/usr/src/sbin/iked/parse.y" |
3435 | { |
3436 | if (yyvsp[0].v.number > USHRT_MAX0xffff || yyvsp[0].v.number < 0) { |
3437 | yyerror("port outside range"); |
3438 | YYERRORgoto yyerrlab; |
3439 | } |
3440 | yyval.v.number = htons(yyvsp[0].v.number)(__uint16_t)(__builtin_constant_p(yyvsp[0].v.number) ? (__uint16_t )(((__uint16_t)(yyvsp[0].v.number) & 0xffU) << 8 | ( (__uint16_t)(yyvsp[0].v.number) & 0xff00U) >> 8) : __swap16md (yyvsp[0].v.number)); |
3441 | } |
3442 | break; |
3443 | case 65: |
3444 | #line 764 "/usr/src/sbin/iked/parse.y" |
3445 | { |
3446 | yyval.v.peers.dst = NULL((void *)0); |
3447 | yyval.v.peers.src = NULL((void *)0); |
3448 | } |
3449 | break; |
3450 | case 66: |
3451 | #line 768 "/usr/src/sbin/iked/parse.y" |
3452 | { |
3453 | yyval.v.peers.dst = yyvsp[-2].v.anyhost; |
3454 | yyval.v.peers.src = yyvsp[0].v.anyhost; |
3455 | } |
3456 | break; |
3457 | case 67: |
3458 | #line 772 "/usr/src/sbin/iked/parse.y" |
3459 | { |
3460 | yyval.v.peers.dst = yyvsp[0].v.anyhost; |
3461 | yyval.v.peers.src = yyvsp[-2].v.anyhost; |
3462 | } |
3463 | break; |
3464 | case 68: |
3465 | #line 776 "/usr/src/sbin/iked/parse.y" |
3466 | { |
3467 | yyval.v.peers.dst = yyvsp[0].v.anyhost; |
3468 | yyval.v.peers.src = NULL((void *)0); |
3469 | } |
3470 | break; |
3471 | case 69: |
3472 | #line 780 "/usr/src/sbin/iked/parse.y" |
3473 | { |
3474 | yyval.v.peers.dst = NULL((void *)0); |
3475 | yyval.v.peers.src = yyvsp[0].v.anyhost; |
3476 | } |
3477 | break; |
3478 | case 70: |
3479 | #line 786 "/usr/src/sbin/iked/parse.y" |
3480 | { yyval.v.anyhost = yyvsp[0].v.host; } |
3481 | break; |
3482 | case 71: |
3483 | #line 787 "/usr/src/sbin/iked/parse.y" |
3484 | { |
3485 | yyval.v.anyhost = host_any(); |
3486 | } |
3487 | break; |
3488 | case 72: |
3489 | #line 791 "/usr/src/sbin/iked/parse.y" |
3490 | { |
3491 | if ((yyval.v.host = host(yyvsp[0].v.string)) == NULL((void *)0)) { |
3492 | free(yyvsp[0].v.string); |
3493 | yyerror("could not parse host specification"); |
3494 | YYERRORgoto yyerrlab; |
3495 | } |
3496 | free(yyvsp[0].v.string); |
3497 | } |
3498 | break; |
3499 | case 73: |
3500 | #line 799 "/usr/src/sbin/iked/parse.y" |
3501 | { |
3502 | char *buf; |
3503 | |
3504 | if (asprintf(&buf, "%s/%lld", yyvsp[-2].v.string, yyvsp[0].v.number) == -1) |
3505 | err(1, "host: asprintf"); |
3506 | free(yyvsp[-2].v.string); |
3507 | if ((yyval.v.host = host(buf)) == NULL((void *)0)) { |
3508 | free(buf); |
3509 | yyerror("could not parse host specification"); |
3510 | YYERRORgoto yyerrlab; |
3511 | } |
3512 | free(buf); |
3513 | } |
3514 | break; |
3515 | case 74: |
3516 | #line 814 "/usr/src/sbin/iked/parse.y" |
3517 | { yyval.v.host = yyvsp[0].v.host; } |
3518 | break; |
3519 | case 75: |
3520 | #line 815 "/usr/src/sbin/iked/parse.y" |
3521 | { |
3522 | if ((yyvsp[-3].v.host->af != AF_UNSPEC0) && (yyvsp[-1].v.host->af != AF_UNSPEC0) && |
3523 | (yyvsp[-1].v.host->af != yyvsp[-3].v.host->af)) { |
3524 | yyerror("Flow NAT address family mismatch"); |
3525 | YYERRORgoto yyerrlab; |
3526 | } |
3527 | yyval.v.host = yyvsp[-3].v.host; |
3528 | yyval.v.host->srcnat = yyvsp[-1].v.host; |
3529 | } |
3530 | break; |
3531 | case 76: |
3532 | #line 824 "/usr/src/sbin/iked/parse.y" |
3533 | { |
3534 | yyval.v.host = host_any(); |
3535 | } |
3536 | break; |
3537 | case 77: |
3538 | #line 827 "/usr/src/sbin/iked/parse.y" |
3539 | { |
3540 | yyval.v.host = host_dynamic(); |
3541 | } |
3542 | break; |
3543 | case 78: |
3544 | #line 832 "/usr/src/sbin/iked/parse.y" |
3545 | { |
3546 | yyval.v.ids.srcid = NULL((void *)0); |
3547 | yyval.v.ids.dstid = NULL((void *)0); |
3548 | } |
3549 | break; |
3550 | case 79: |
3551 | #line 836 "/usr/src/sbin/iked/parse.y" |
3552 | { |
3553 | yyval.v.ids.srcid = yyvsp[-2].v.id; |
3554 | yyval.v.ids.dstid = yyvsp[0].v.id; |
3555 | } |
3556 | break; |
3557 | case 80: |
3558 | #line 840 "/usr/src/sbin/iked/parse.y" |
3559 | { |
3560 | yyval.v.ids.srcid = yyvsp[0].v.id; |
3561 | yyval.v.ids.dstid = NULL((void *)0); |
3562 | } |
3563 | break; |
3564 | case 81: |
3565 | #line 844 "/usr/src/sbin/iked/parse.y" |
3566 | { |
3567 | yyval.v.ids.srcid = NULL((void *)0); |
3568 | yyval.v.ids.dstid = yyvsp[0].v.id; |
3569 | } |
3570 | break; |
3571 | case 82: |
3572 | #line 850 "/usr/src/sbin/iked/parse.y" |
3573 | { yyval.v.id = yyvsp[0].v.string; } |
3574 | break; |
3575 | case 83: |
3576 | #line 853 "/usr/src/sbin/iked/parse.y" |
3577 | { |
3578 | if ((ipsec_transforms = calloc(1, |
3579 | sizeof(struct ipsec_transforms))) == NULL((void *)0)) |
3580 | err(1, "transforms: calloc"); |
3581 | } |
3582 | break; |
3583 | case 84: |
3584 | #line 858 "/usr/src/sbin/iked/parse.y" |
3585 | { |
3586 | yyval.v.transforms = ipsec_transforms; |
3587 | } |
3588 | break; |
3589 | case 85: |
3590 | #line 861 "/usr/src/sbin/iked/parse.y" |
3591 | { |
3592 | yyval.v.transforms = NULL((void *)0); |
3593 | } |
3594 | break; |
3595 | case 88: |
3596 | #line 870 "/usr/src/sbin/iked/parse.y" |
3597 | { |
3598 | const struct ipsec_xf **xfs = ipsec_transforms->authxf; |
3599 | size_t nxfs = ipsec_transforms->nauthxf; |
3600 | xfs = recallocarray(xfs, nxfs, nxfs + 1, |
3601 | sizeof(struct ipsec_xf *)); |
3602 | if (xfs == NULL((void *)0)) |
3603 | err(1, "transform: recallocarray"); |
3604 | if ((xfs[nxfs] = parse_xf(yyvsp[0].v.string, 0, authxfs)) == NULL((void *)0)) { |
3605 | yyerror("%s not a valid transform", yyvsp[0].v.string); |
3606 | YYERRORgoto yyerrlab; |
3607 | } |
3608 | free(yyvsp[0].v.string); |
3609 | ipsec_transforms->authxf = xfs; |
3610 | ipsec_transforms->nauthxf++; |
3611 | } |
3612 | break; |
3613 | case 89: |
3614 | #line 885 "/usr/src/sbin/iked/parse.y" |
3615 | { |
3616 | const struct ipsec_xf **xfs = ipsec_transforms->encxf; |
3617 | size_t nxfs = ipsec_transforms->nencxf; |
3618 | xfs = recallocarray(xfs, nxfs, nxfs + 1, |
3619 | sizeof(struct ipsec_xf *)); |
3620 | if (xfs == NULL((void *)0)) |
3621 | err(1, "transform: recallocarray"); |
3622 | if ((xfs[nxfs] = parse_xf(yyvsp[0].v.string, 0, encxfs)) == NULL((void *)0)) { |
3623 | yyerror("%s not a valid transform", yyvsp[0].v.string); |
3624 | YYERRORgoto yyerrlab; |
3625 | } |
3626 | free(yyvsp[0].v.string); |
3627 | ipsec_transforms->encxf = xfs; |
3628 | ipsec_transforms->nencxf++; |
3629 | } |
3630 | break; |
3631 | case 90: |
3632 | #line 900 "/usr/src/sbin/iked/parse.y" |
3633 | { |
3634 | const struct ipsec_xf **xfs = ipsec_transforms->prfxf; |
3635 | size_t nxfs = ipsec_transforms->nprfxf; |
3636 | xfs = recallocarray(xfs, nxfs, nxfs + 1, |
3637 | sizeof(struct ipsec_xf *)); |
3638 | if (xfs == NULL((void *)0)) |
3639 | err(1, "transform: recallocarray"); |
3640 | if ((xfs[nxfs] = parse_xf(yyvsp[0].v.string, 0, prfxfs)) == NULL((void *)0)) { |
3641 | yyerror("%s not a valid transform", yyvsp[0].v.string); |
3642 | YYERRORgoto yyerrlab; |
3643 | } |
3644 | free(yyvsp[0].v.string); |
3645 | ipsec_transforms->prfxf = xfs; |
3646 | ipsec_transforms->nprfxf++; |
3647 | } |
3648 | break; |
3649 | case 91: |
3650 | #line 915 "/usr/src/sbin/iked/parse.y" |
3651 | { |
3652 | const struct ipsec_xf **xfs = ipsec_transforms->groupxf; |
3653 | size_t nxfs = ipsec_transforms->ngroupxf; |
3654 | xfs = recallocarray(xfs, nxfs, nxfs + 1, |
3655 | sizeof(struct ipsec_xf *)); |
3656 | if (xfs == NULL((void *)0)) |
3657 | err(1, "transform: recallocarray"); |
3658 | if ((xfs[nxfs] = parse_xf(yyvsp[0].v.string, 0, groupxfs)) == NULL((void *)0)) { |
3659 | yyerror("%s not a valid transform", yyvsp[0].v.string); |
3660 | YYERRORgoto yyerrlab; |
3661 | } |
3662 | free(yyvsp[0].v.string); |
3663 | ipsec_transforms->groupxf = xfs; |
3664 | ipsec_transforms->ngroupxf++; |
3665 | } |
3666 | break; |
3667 | case 92: |
3668 | #line 930 "/usr/src/sbin/iked/parse.y" |
3669 | { |
3670 | const struct ipsec_xf **xfs = ipsec_transforms->esnxf; |
3671 | size_t nxfs = ipsec_transforms->nesnxf; |
3672 | xfs = recallocarray(xfs, nxfs, nxfs + 1, |
3673 | sizeof(struct ipsec_xf *)); |
3674 | if (xfs == NULL((void *)0)) |
3675 | err(1, "transform: recallocarray"); |
3676 | if ((xfs[nxfs] = parse_xf(yyvsp[0].v.string, 0, esnxfs)) == NULL((void *)0)) { |
3677 | yyerror("%s not a valid transform", yyvsp[0].v.string); |
3678 | YYERRORgoto yyerrlab; |
3679 | } |
3680 | ipsec_transforms->esnxf = xfs; |
3681 | ipsec_transforms->nesnxf++; |
3682 | } |
3683 | break; |
3684 | case 93: |
3685 | #line 946 "/usr/src/sbin/iked/parse.y" |
3686 | { yyval.v.string = "esn"; } |
3687 | break; |
3688 | case 94: |
3689 | #line 947 "/usr/src/sbin/iked/parse.y" |
3690 | { yyval.v.string = "noesn"; } |
3691 | break; |
3692 | case 95: |
3693 | #line 950 "/usr/src/sbin/iked/parse.y" |
3694 | { |
3695 | if ((ipsec_mode = calloc(1, |
3696 | sizeof(struct ipsec_mode))) == NULL((void *)0)) |
3697 | err(1, "ike_sas: calloc"); |
3698 | } |
3699 | break; |
3700 | case 96: |
3701 | #line 955 "/usr/src/sbin/iked/parse.y" |
3702 | { |
3703 | yyval.v.mode = ipsec_mode; |
3704 | } |
3705 | break; |
3706 | case 97: |
3707 | #line 958 "/usr/src/sbin/iked/parse.y" |
3708 | { |
3709 | yyval.v.mode = NULL((void *)0); |
3710 | } |
3711 | break; |
3712 | case 100: |
3713 | #line 967 "/usr/src/sbin/iked/parse.y" |
3714 | { |
3715 | if ((ipsec_mode->xfs = recallocarray(ipsec_mode->xfs, |
3716 | ipsec_mode->nxfs, ipsec_mode->nxfs + 1, |
3717 | sizeof(struct ipsec_transforms *))) == NULL((void *)0)) |
3718 | err(1, "ike_sa: recallocarray"); |
3719 | ipsec_mode->nxfs++; |
3720 | encxfs = ikeencxfs; |
3721 | } |
3722 | break; |
3723 | case 101: |
3724 | #line 974 "/usr/src/sbin/iked/parse.y" |
3725 | { |
3726 | ipsec_mode->xfs[ipsec_mode->nxfs - 1] = yyvsp[0].v.transforms; |
3727 | } |
3728 | break; |
3729 | case 102: |
3730 | #line 979 "/usr/src/sbin/iked/parse.y" |
3731 | { |
3732 | if ((ipsec_mode = calloc(1, |
3733 | sizeof(struct ipsec_mode))) == NULL((void *)0)) |
3734 | err(1, "child_sas: calloc"); |
3735 | } |
3736 | break; |
3737 | case 103: |
3738 | #line 984 "/usr/src/sbin/iked/parse.y" |
3739 | { |
3740 | yyval.v.mode = ipsec_mode; |
3741 | } |
3742 | break; |
3743 | case 104: |
3744 | #line 987 "/usr/src/sbin/iked/parse.y" |
3745 | { |
3746 | yyval.v.mode = NULL((void *)0); |
3747 | } |
3748 | break; |
3749 | case 107: |
3750 | #line 996 "/usr/src/sbin/iked/parse.y" |
3751 | { |
3752 | if ((ipsec_mode->xfs = recallocarray(ipsec_mode->xfs, |
3753 | ipsec_mode->nxfs, ipsec_mode->nxfs + 1, |
3754 | sizeof(struct ipsec_transforms *))) == NULL((void *)0)) |
3755 | err(1, "child_sa: recallocarray"); |
3756 | ipsec_mode->nxfs++; |
3757 | encxfs = ipsecencxfs; |
3758 | } |
3759 | break; |
3760 | case 108: |
3761 | #line 1003 "/usr/src/sbin/iked/parse.y" |
3762 | { |
3763 | ipsec_mode->xfs[ipsec_mode->nxfs - 1] = yyvsp[0].v.transforms; |
3764 | } |
3765 | break; |
3766 | case 109: |
3767 | #line 1008 "/usr/src/sbin/iked/parse.y" |
3768 | { yyval.v.ikemode = yyvsp[-3].v.ikemode | yyvsp[-2].v.ikemode | yyvsp[-1].v.ikemode | yyvsp[0].v.ikemode; } |
3769 | break; |
3770 | case 110: |
3771 | #line 1011 "/usr/src/sbin/iked/parse.y" |
3772 | { yyval.v.ikemode = 0; } |
3773 | break; |
3774 | case 111: |
3775 | #line 1012 "/usr/src/sbin/iked/parse.y" |
3776 | { yyval.v.ikemode = IKED_POLICY_QUICK0x08; } |
3777 | break; |
3778 | case 112: |
3779 | #line 1013 "/usr/src/sbin/iked/parse.y" |
3780 | { yyval.v.ikemode = IKED_POLICY_SKIP0x10; } |
3781 | break; |
3782 | case 113: |
3783 | #line 1014 "/usr/src/sbin/iked/parse.y" |
3784 | { yyval.v.ikemode = IKED_POLICY_DEFAULT0x01; } |
3785 | break; |
3786 | case 114: |
3787 | #line 1017 "/usr/src/sbin/iked/parse.y" |
3788 | { yyval.v.ikemode = IKED_POLICY_PASSIVE0x00; } |
3789 | break; |
3790 | case 115: |
3791 | #line 1018 "/usr/src/sbin/iked/parse.y" |
3792 | { yyval.v.ikemode = IKED_POLICY_PASSIVE0x00; } |
3793 | break; |
3794 | case 116: |
3795 | #line 1019 "/usr/src/sbin/iked/parse.y" |
3796 | { yyval.v.ikemode = IKED_POLICY_ACTIVE0x02; } |
3797 | break; |
3798 | case 117: |
3799 | #line 1022 "/usr/src/sbin/iked/parse.y" |
3800 | { yyval.v.ikemode = 0; } |
3801 | break; |
3802 | case 118: |
3803 | #line 1023 "/usr/src/sbin/iked/parse.y" |
3804 | { yyval.v.ikemode = IKED_POLICY_IPCOMP0x20; } |
3805 | break; |
3806 | case 119: |
3807 | #line 1026 "/usr/src/sbin/iked/parse.y" |
3808 | { yyval.v.ikemode = 0; } |
3809 | break; |
3810 | case 120: |
3811 | #line 1027 "/usr/src/sbin/iked/parse.y" |
3812 | { yyval.v.ikemode = 0; } |
3813 | break; |
3814 | case 121: |
3815 | #line 1028 "/usr/src/sbin/iked/parse.y" |
3816 | { yyval.v.ikemode = IKED_POLICY_TRANSPORT0x40; } |
3817 | break; |
3818 | case 122: |
3819 | #line 1031 "/usr/src/sbin/iked/parse.y" |
3820 | { |
3821 | yyval.v.ikeauth.auth_method = IKEV2_AUTH_SIG_ANY255; /* default */ |
3822 | yyval.v.ikeauth.auth_eap = 0; |
3823 | yyval.v.ikeauth.auth_length = 0; |
3824 | } |
3825 | break; |
3826 | case 123: |
3827 | #line 1036 "/usr/src/sbin/iked/parse.y" |
3828 | { |
3829 | memcpy(&yyval.v.ikeauth, &yyvsp[0].v.ikekey, sizeof(yyval.v.ikeauth)); |
3830 | yyval.v.ikeauth.auth_method = IKEV2_AUTH_SHARED_KEY_MIC2; |
3831 | yyval.v.ikeauth.auth_eap = 0; |
3832 | explicit_bzero(&yyvsp[0].v.ikekey, sizeof(yyvsp[0].v.ikekey)); |
3833 | } |
3834 | break; |
3835 | case 124: |
3836 | #line 1042 "/usr/src/sbin/iked/parse.y" |
3837 | { |
3838 | unsigned int i; |
3839 | |
3840 | for (i = 0; i < strlen(yyvsp[0].v.string); i++) |
3841 | if (yyvsp[0].v.string[i] == '-') |
3842 | yyvsp[0].v.string[i] = '_'; |
3843 | |
3844 | if (strcasecmp("mschap_v2", yyvsp[0].v.string) != 0) { |
3845 | yyerror("unsupported EAP method: %s", yyvsp[0].v.string); |
3846 | free(yyvsp[0].v.string); |
3847 | YYERRORgoto yyerrlab; |
3848 | } |
3849 | free(yyvsp[0].v.string); |
3850 | |
3851 | yyval.v.ikeauth.auth_method = IKEV2_AUTH_SIG_ANY255; |
3852 | yyval.v.ikeauth.auth_eap = EAP_TYPE_MSCHAP_V226; |
3853 | yyval.v.ikeauth.auth_length = 0; |
3854 | } |
3855 | break; |
3856 | case 125: |
3857 | #line 1060 "/usr/src/sbin/iked/parse.y" |
3858 | { |
3859 | const struct ipsec_xf *xf; |
3860 | |
3861 | if ((xf = parse_xf(yyvsp[0].v.string, 0, methodxfs)) == NULL((void *)0) || |
3862 | xf->id == IKEV2_AUTH_NONE0) { |
3863 | yyerror("not a valid authentication mode"); |
3864 | free(yyvsp[0].v.string); |
3865 | YYERRORgoto yyerrlab; |
3866 | } |
3867 | free(yyvsp[0].v.string); |
3868 | |
3869 | yyval.v.ikeauth.auth_method = xf->id; |
3870 | yyval.v.ikeauth.auth_eap = 0; |
3871 | yyval.v.ikeauth.auth_length = 0; |
3872 | } |
3873 | break; |
3874 | case 126: |
3875 | #line 1077 "/usr/src/sbin/iked/parse.y" |
3876 | { |
3877 | yyval.v.number = yyvsp[0].v.number; |
3878 | } |
3879 | break; |
3880 | case 127: |
3881 | #line 1080 "/usr/src/sbin/iked/parse.y" |
3882 | { |
3883 | uint64_t bytes = 0; |
3884 | char unit = 0; |
3885 | |
3886 | if (sscanf(yyvsp[0].v.string, "%llu%c", &bytes, &unit) != 2) { |
3887 | yyerror("invalid byte specification: %s", yyvsp[0].v.string); |
3888 | YYERRORgoto yyerrlab; |
3889 | } |
3890 | free(yyvsp[0].v.string); |
3891 | switch (toupper((unsigned char)unit)) { |
3892 | case 'K': |
3893 | bytes *= 1024; |
3894 | break; |
3895 | case 'M': |
3896 | bytes *= 1024 * 1024; |
3897 | break; |
3898 | case 'G': |
3899 | bytes *= 1024 * 1024 * 1024; |
3900 | break; |
3901 | default: |
3902 | yyerror("invalid byte unit"); |
3903 | YYERRORgoto yyerrlab; |
3904 | } |
3905 | yyval.v.number = bytes; |
3906 | } |
3907 | break; |
3908 | case 128: |
3909 | #line 1107 "/usr/src/sbin/iked/parse.y" |
3910 | { |
3911 | yyval.v.number = yyvsp[0].v.number; |
3912 | } |
3913 | break; |
3914 | case 129: |
3915 | #line 1110 "/usr/src/sbin/iked/parse.y" |
3916 | { |
3917 | uint64_t seconds = 0; |
3918 | char unit = 0; |
3919 | |
3920 | if (sscanf(yyvsp[0].v.string, "%llu%c", &seconds, &unit) != 2) { |
3921 | yyerror("invalid time specification: %s", yyvsp[0].v.string); |
3922 | YYERRORgoto yyerrlab; |
3923 | } |
3924 | free(yyvsp[0].v.string); |
3925 | switch (tolower((unsigned char)unit)) { |
3926 | case 'm': |
3927 | seconds *= 60; |
3928 | break; |
3929 | case 'h': |
3930 | seconds *= 60 * 60; |
3931 | break; |
3932 | default: |
3933 | yyerror("invalid time unit"); |
3934 | YYERRORgoto yyerrlab; |
3935 | } |
3936 | yyval.v.number = seconds; |
3937 | } |
3938 | break; |
3939 | case 130: |
3940 | #line 1134 "/usr/src/sbin/iked/parse.y" |
3941 | { |
3942 | yyval.v.lifetime = deflifetime; |
3943 | } |
3944 | break; |
3945 | case 131: |
3946 | #line 1137 "/usr/src/sbin/iked/parse.y" |
3947 | { |
3948 | yyval.v.lifetime.lt_seconds = yyvsp[0].v.number; |
3949 | yyval.v.lifetime.lt_bytes = deflifetime.lt_bytes; |
3950 | } |
3951 | break; |
3952 | case 132: |
3953 | #line 1141 "/usr/src/sbin/iked/parse.y" |
3954 | { |
3955 | yyval.v.lifetime.lt_seconds = yyvsp[-2].v.number; |
3956 | yyval.v.lifetime.lt_bytes = yyvsp[0].v.number; |
3957 | } |
3958 | break; |
3959 | case 133: |
3960 | #line 1147 "/usr/src/sbin/iked/parse.y" |
3961 | { |
3962 | yyval.v.number = 0; |
3963 | } |
3964 | break; |
3965 | case 134: |
3966 | #line 1150 "/usr/src/sbin/iked/parse.y" |
3967 | { |
3968 | yyval.v.number = yyvsp[0].v.number; |
3969 | } |
3970 | break; |
3971 | case 135: |
3972 | #line 1154 "/usr/src/sbin/iked/parse.y" |
3973 | { |
3974 | uint8_t *hex; |
3975 | |
3976 | bzero(&yyval.v.ikekey, sizeof(yyval.v.ikekey)); |
3977 | |
3978 | hex = yyvsp[0].v.string; |
3979 | if (strncmp(hex, "0x", 2) == 0) { |
3980 | hex += 2; |
3981 | if (parsekey(hex, strlen(hex), &yyval.v.ikekey) != 0) { |
3982 | free(yyvsp[0].v.string); |
3983 | YYERRORgoto yyerrlab; |
3984 | } |
3985 | } else { |
3986 | if (strlen(yyvsp[0].v.string) > sizeof(yyval.v.ikekey.auth_data)) { |
3987 | yyerror("psk too long"); |
3988 | free(yyvsp[0].v.string); |
3989 | YYERRORgoto yyerrlab; |
3990 | } |
3991 | strlcpy(yyval.v.ikekey.auth_data, yyvsp[0].v.string, |
3992 | sizeof(yyval.v.ikekey.auth_data)); |
3993 | yyval.v.ikekey.auth_length = strlen(yyvsp[0].v.string); |
3994 | } |
3995 | freezero(yyvsp[0].v.string, strlen(yyvsp[0].v.string)); |
3996 | } |
3997 | break; |
3998 | case 136: |
3999 | #line 1178 "/usr/src/sbin/iked/parse.y" |
4000 | { |
4001 | if (parsekeyfile(yyvsp[0].v.string, &yyval.v.ikekey) != 0) { |
4002 | free(yyvsp[0].v.string); |
4003 | YYERRORgoto yyerrlab; |
4004 | } |
4005 | free(yyvsp[0].v.string); |
4006 | } |
4007 | break; |
4008 | case 137: |
4009 | #line 1187 "/usr/src/sbin/iked/parse.y" |
4010 | { |
4011 | if ((ipsec_filters = calloc(1, |
4012 | sizeof(struct ipsec_filters))) == NULL((void *)0)) |
4013 | err(1, "filters: calloc"); |
4014 | } |
4015 | break; |
4016 | case 138: |
4017 | #line 1192 "/usr/src/sbin/iked/parse.y" |
4018 | { |
4019 | yyval.v.filters = ipsec_filters; |
4020 | } |
4021 | break; |
4022 | case 139: |
4023 | #line 1195 "/usr/src/sbin/iked/parse.y" |
4024 | { |
4025 | yyval.v.filters = NULL((void *)0); |
4026 | } |
4027 | break; |
4028 | case 142: |
4029 | #line 1205 "/usr/src/sbin/iked/parse.y" |
4030 | { |
4031 | ipsec_filters->tag = yyvsp[0].v.string; |
4032 | } |
4033 | break; |
4034 | case 143: |
4035 | #line 1209 "/usr/src/sbin/iked/parse.y" |
4036 | { |
4037 | const char *errstr = NULL((void *)0); |
4038 | size_t len; |
4039 | |
4040 | len = strcspn(yyvsp[0].v.string, "0123456789"); |
4041 | if (strlen("enc") != len || |
4042 | strncmp("enc", yyvsp[0].v.string, len) != 0) { |
4043 | yyerror("invalid tap interface name: %s", yyvsp[0].v.string); |
4044 | free(yyvsp[0].v.string); |
4045 | YYERRORgoto yyerrlab; |
4046 | } |
4047 | ipsec_filters->tap = |
4048 | strtonum(yyvsp[0].v.string + len, 0, UINT_MAX0xffffffffU, &errstr); |
4049 | free(yyvsp[0].v.string); |
4050 | if (errstr != NULL((void *)0)) { |
4051 | yyerror("invalid tap interface unit: %s", |
4052 | errstr); |
4053 | YYERRORgoto yyerrlab; |
4054 | } |
4055 | } |
4056 | break; |
4057 | case 144: |
4058 | #line 1231 "/usr/src/sbin/iked/parse.y" |
4059 | { |
4060 | yyval.v.string = NULL((void *)0); |
4061 | } |
4062 | break; |
4063 | case 145: |
4064 | #line 1234 "/usr/src/sbin/iked/parse.y" |
4065 | { |
4066 | yyval.v.string = yyvsp[0].v.string; |
4067 | } |
4068 | break; |
4069 | case 146: |
4070 | #line 1239 "/usr/src/sbin/iked/parse.y" |
4071 | { |
4072 | if (asprintf(&yyval.v.string, "%s %s", yyvsp[-1].v.string, yyvsp[0].v.string) == -1) |
4073 | err(1, "string: asprintf"); |
4074 | free(yyvsp[-1].v.string); |
4075 | free(yyvsp[0].v.string); |
4076 | } |
4077 | break; |
4078 | case 148: |
4079 | #line 1249 "/usr/src/sbin/iked/parse.y" |
4080 | { |
4081 | char *s = yyvsp[-2].v.string; |
4082 | log_debug("%s = \"%s\"\n", yyvsp[-2].v.string, yyvsp[0].v.string); |
4083 | while (*s++) { |
4084 | if (isspace((unsigned char)*s)) { |
4085 | yyerror("macro name cannot contain " |
4086 | "whitespace"); |
4087 | free(yyvsp[-2].v.string); |
4088 | free(yyvsp[0].v.string); |
4089 | YYERRORgoto yyerrlab; |
4090 | } |
4091 | } |
4092 | if (symset(yyvsp[-2].v.string, yyvsp[0].v.string, 0) == -1) |
4093 | err(1, "cannot store variable"); |
4094 | free(yyvsp[-2].v.string); |
4095 | free(yyvsp[0].v.string); |
4096 | } |
4097 | break; |
4098 | case 158: |
4099 | #line 1287 "/usr/src/sbin/iked/parse.y" |
4100 | { |
4101 | int c; |
4102 | |
4103 | while ((c = lgetc(0)) != '\n' && c != EOF(-1)) |
4104 | ; /* nothing */ |
4105 | if (c == '\n') |
4106 | lungetc(c); |
4107 | } |
4108 | break; |
4109 | #line 4102 "parse.c" |
4110 | } |
4111 | yyssp -= yym; |
4112 | yystate = *yyssp; |
4113 | yyvsp -= yym; |
4114 | yym = yylhs[yyn]; |
4115 | if (yystate == 0 && yym == 0) |
4116 | { |
4117 | #if YYDEBUG0 |
4118 | if (yydebug) |
4119 | printf("%sdebug: after reduction, shifting from state 0 to\ |
4120 | state %d\n", YYPREFIX"yy", YYFINAL1); |
4121 | #endif |
4122 | yystate = YYFINAL1; |
4123 | *++yyssp = YYFINAL1; |
4124 | *++yyvsp = yyval; |
4125 | if (yychar < 0) |
4126 | { |
4127 | if ((yychar = yylex()) < 0) yychar = 0; |
4128 | #if YYDEBUG0 |
4129 | if (yydebug) |
4130 | { |
4131 | yys = 0; |
4132 | if (yychar <= YYMAXTOKEN330) yys = yyname[yychar]; |
4133 | if (!yys) yys = "illegal-symbol"; |
4134 | printf("%sdebug: state %d, reading %d (%s)\n", |
4135 | YYPREFIX"yy", YYFINAL1, yychar, yys); |
4136 | } |
4137 | #endif |
4138 | } |
4139 | if (yychar == 0) goto yyaccept; |
4140 | goto yyloop; |
4141 | } |
4142 | if ((yyn = yygindex[yym]) && (yyn += yystate) >= 0 && |
4143 | yyn <= YYTABLESIZE745 && yycheck[yyn] == yystate) |
4144 | yystate = yytable[yyn]; |
4145 | else |
4146 | yystate = yydgoto[yym]; |
4147 | #if YYDEBUG0 |
4148 | if (yydebug) |
4149 | printf("%sdebug: after reduction, shifting from state %d \ |
4150 | to state %d\n", YYPREFIX"yy", *yyssp, yystate); |
4151 | #endif |
4152 | if (yyssp >= yysslim && yygrowstack()) |
4153 | { |
4154 | goto yyoverflow; |
4155 | } |
4156 | *++yyssp = yystate; |
4157 | *++yyvsp = yyval; |
4158 | goto yyloop; |
4159 | yyoverflow: |
4160 | yyerror("yacc stack overflow"); |
4161 | yyabort: |
4162 | if (yyss) |
4163 | free(yyss); |
4164 | if (yyvs) |
4165 | free(yyvs); |
4166 | yyss = yyssp = NULL((void *)0); |
4167 | yyvs = yyvsp = NULL((void *)0); |
4168 | yystacksize = 0; |
4169 | return (1); |
4170 | yyaccept: |
4171 | if (yyss) |
4172 | free(yyss); |
4173 | if (yyvs) |
4174 | free(yyvs); |
4175 | yyss = yyssp = NULL((void *)0); |
4176 | yyvs = yyvsp = NULL((void *)0); |
4177 | yystacksize = 0; |
4178 | return (0); |
4179 | } |