File: | src/sbin/iked/obj/parse.c |
Warning: | line 2006, column 4 Value stored to 's6' is never read |
1 | #include <stdlib.h> |
2 | #include <string.h> |
3 | #define YYBYACC1 1 |
4 | #define YYMAJOR1 1 |
5 | #define YYMINOR9 9 |
6 | #define YYLEXyylex() yylex() |
7 | #define YYEMPTY-1 -1 |
8 | #define yyclearin(yychar=(-1)) (yychar=(YYEMPTY-1)) |
9 | #define yyerrok(yyerrflag=0) (yyerrflag=0) |
10 | #define YYRECOVERING()(yyerrflag!=0) (yyerrflag!=0) |
11 | #define YYPREFIX"yy" "yy" |
12 | #line 26 "/usr/src/sbin/iked/parse.y" |
13 | #include <sys/types.h> |
14 | #include <sys/ioctl.h> |
15 | #include <sys/queue.h> |
16 | #include <sys/socket.h> |
17 | #include <sys/stat.h> |
18 | #include <net/if.h> |
19 | #include <netinet/in.h> |
20 | #include <netinet/ip_ipsp.h> |
21 | #include <arpa/inet.h> |
22 | |
23 | #include <ctype.h> |
24 | #include <err.h> |
25 | #include <errno(*__errno()).h> |
26 | #include <fcntl.h> |
27 | #include <ifaddrs.h> |
28 | #include <limits.h> |
29 | #include <netdb.h> |
30 | #include <stdarg.h> |
31 | #include <stdio.h> |
32 | #include <stdlib.h> |
33 | #include <string.h> |
34 | #include <syslog.h> |
35 | #include <unistd.h> |
36 | #include <netdb.h> |
37 | #include <event.h> |
38 | |
39 | #include "iked.h" |
40 | #include "ikev2.h" |
41 | #include "eap.h" |
42 | |
43 | TAILQ_HEAD(files, file)struct files { struct file *tqh_first; struct file **tqh_last ; } files = TAILQ_HEAD_INITIALIZER(files){ ((void *)0), &(files).tqh_first }; /* open configuration files; presumably a stack of nested includes (see pushfile()/popfile() below) */ |
44 | static struct file { /* one open input file of the config parser */ |
45 | TAILQ_ENTRY(file)struct { struct file *tqe_next; struct file **tqe_prev; } entry; |
46 | FILE *stream; /* stream the lexer reads from */ |
47 | char *name; /* file name, presumably used in yyerror() diagnostics */ |
48 | size_t ungetpos; /* lungetc() push-back buffer: fill level ... */ |
49 | size_t ungetsize; /* ... and allocated size; NOTE(review): growth policy lives in lungetc(), not visible here */ |
50 | u_char *ungetbuf; |
51 | int eof_reached; |
52 | int lineno; /* current line within this file */ |
53 | int errors; /* errors seen in this file */ |
54 | } *file, *topfile; /* file = file currently being read; topfile presumably the outermost config file -- confirm in popfile() */ |
55 | struct file *pushfile(const char *, int); |
56 | int popfile(void); |
57 | int check_file_secrecy(int, const char *); |
58 | int yyparse(void); |
59 | int yylex(void); |
60 | int yyerror(const char *, ...) |
61 | __attribute__((__format__ (printf, 1, 2))) |
62 | __attribute__((__nonnull__ (1))); |
63 | int kw_cmp(const void *, const void *); |
64 | int lookup(char *); |
65 | int igetc(void); |
66 | int lgetc(int); |
67 | void lungetc(int); |
68 | int findeol(void); |
69 | |
70 | TAILQ_HEAD(symhead, sym)struct symhead { struct sym *tqh_first; struct sym **tqh_last ; } symhead = TAILQ_HEAD_INITIALIZER(symhead){ ((void *)0), &(symhead).tqh_first }; /* configuration symbols (macros), managed by symset()/symget() declared below */ |
71 | struct sym { |
72 | TAILQ_ENTRY(sym)struct { struct sym *tqe_next; struct sym **tqe_prev; } entry; |
73 | int used; /* presumably set once the symbol has been expanded, so unused definitions can be reported -- confirm */ |
74 | int persist; /* NOTE(review): likely marks symbols that must not be overridden by the config file (e.g. set on the command line) -- confirm in symset() */ |
75 | char *nam; /* symbol name */ |
76 | char *val; /* symbol value */ |
77 | }; |
78 | int symset(const char *, const char *, int); |
79 | char *symget(const char *); |
80 | |
81 | #define KEYSIZE_LIMIT1024 1024 /* upper bound on a parsed key, presumably enforced by parsekey()/parsekeyfile() -- confirm */ |
82 | |
83 | static struct iked *env = NULL((void *)0); /* daemon environment the parsed configuration is installed into */ |
84 | static int debug = 0; |
85 | static int rules = 0; /* presumably a count of rules parsed so far -- confirm */ |
86 | static int passive = 0; /* parser-global defaults below; presumably overridable per rule -- confirm in create_ike() */ |
87 | static int decouple = 0; |
88 | static int mobike = 1; /* MOBIKE enabled by default; the NOMOBIKE token below presumably clears it */ |
89 | static int enforcesingleikesa = 0; |
90 | static int stickyaddress = 0; |
91 | static int fragmentation = 0; |
92 | static int dpd_interval = IKED_IKE_SA_ALIVE_TIMEOUT60; /* dead-peer-detection interval, default 60 (presumably seconds, per the macro name) */ |
93 | static char *ocsp_url = NULL((void *)0); /* OCSP responder URL; NULL means none configured */ |
94 | static long ocsp_tolerate = 0; |
95 | static long ocsp_maxage = -1; /* -1 presumably means "no maximum age" -- confirm */ |
96 | static int cert_partial_chain = 0; /* off by default; NOTE(review): enabling presumably relaxes chain validation to a trusted intermediate -- confirm where it is consumed */ |
97 | |
98 | struct iked_transform ikev2_default_ike_transforms[] = { /* IKE SA proposal used when a rule gives no transforms; table order is presumably the preference order -- confirm in copy_transforms() */ |
99 | { IKEV2_XFORMTYPE_ENCR1, IKEV2_XFORMENCR_AES_CBC12, 256 }, /* third field: key length in bits */ |
100 | { IKEV2_XFORMTYPE_ENCR1, IKEV2_XFORMENCR_AES_CBC12, 192 }, |
101 | { IKEV2_XFORMTYPE_ENCR1, IKEV2_XFORMENCR_AES_CBC12, 128 }, |
102 | { IKEV2_XFORMTYPE_ENCR1, IKEV2_XFORMENCR_3DES3 }, /* legacy cipher, last among the ENCR entries */ |
103 | { IKEV2_XFORMTYPE_PRF2, IKEV2_XFORMPRF_HMAC_SHA2_2565 }, |
104 | { IKEV2_XFORMTYPE_PRF2, IKEV2_XFORMPRF_HMAC_SHA2_3846 }, |
105 | { IKEV2_XFORMTYPE_PRF2, IKEV2_XFORMPRF_HMAC_SHA2_5127 }, |
106 | { IKEV2_XFORMTYPE_PRF2, IKEV2_XFORMPRF_HMAC_SHA12 }, /* SHA-1 PRF after all SHA-2 entries, presumably for interoperability */ |
107 | { IKEV2_XFORMTYPE_INTEGR3, IKEV2_XFORMAUTH_HMAC_SHA2_256_12812 }, |
108 | { IKEV2_XFORMTYPE_INTEGR3, IKEV2_XFORMAUTH_HMAC_SHA2_384_19213 }, |
109 | { IKEV2_XFORMTYPE_INTEGR3, IKEV2_XFORMAUTH_HMAC_SHA2_512_25614 }, |
110 | { IKEV2_XFORMTYPE_INTEGR3, IKEV2_XFORMAUTH_HMAC_SHA1_962 }, /* SHA-1 integrity, likewise last */ |
111 | { IKEV2_XFORMTYPE_DH4, IKEV2_XFORMDH_CURVE2551931 }, |
112 | { IKEV2_XFORMTYPE_DH4, IKEV2_XFORMDH_ECP_52121 }, |
113 | { IKEV2_XFORMTYPE_DH4, IKEV2_XFORMDH_ECP_38420 }, |
114 | { IKEV2_XFORMTYPE_DH4, IKEV2_XFORMDH_ECP_25619 }, |
115 | { IKEV2_XFORMTYPE_DH4, IKEV2_XFORMDH_MODP_409616 }, |
116 | { IKEV2_XFORMTYPE_DH4, IKEV2_XFORMDH_MODP_307215 }, |
117 | { IKEV2_XFORMTYPE_DH4, IKEV2_XFORMDH_MODP_204814 }, |
118 | { IKEV2_XFORMTYPE_DH4, IKEV2_XFORMDH_MODP_15365 }, |
119 | { IKEV2_XFORMTYPE_DH4, IKEV2_XFORMDH_MODP_10242 }, /* smallest MODP group offered by default */ |
120 | { 0 } /* terminator; not counted below */ |
121 | }; |
122 | size_t ikev2_default_nike_transforms = ((sizeof(ikev2_default_ike_transforms) / |
123 | sizeof(ikev2_default_ike_transforms[0])) - 1); /* entry count excluding the {0} sentinel */ |
124 | |
125 | struct iked_transform ikev2_default_ike_transforms_noauth[] = { /* AEAD-only IKE SA proposal: AES-GCM and no INTEGR entries, since the cipher provides authentication itself; presumably used when an AEAD cipher is selected -- confirm at the use site */ |
126 | { IKEV2_XFORMTYPE_ENCR1, IKEV2_XFORMENCR_AES_GCM_1620, 128 }, /* third field: key length in bits */ |
127 | { IKEV2_XFORMTYPE_ENCR1, IKEV2_XFORMENCR_AES_GCM_1620, 256 }, |
128 | { IKEV2_XFORMTYPE_PRF2, IKEV2_XFORMPRF_HMAC_SHA2_2565 }, |
129 | { IKEV2_XFORMTYPE_PRF2, IKEV2_XFORMPRF_HMAC_SHA2_3846 }, |
130 | { IKEV2_XFORMTYPE_PRF2, IKEV2_XFORMPRF_HMAC_SHA2_5127 }, |
131 | { IKEV2_XFORMTYPE_PRF2, IKEV2_XFORMPRF_HMAC_SHA12 }, /* SHA-1 PRF listed last */ |
132 | { IKEV2_XFORMTYPE_DH4, IKEV2_XFORMDH_CURVE2551931 }, |
133 | { IKEV2_XFORMTYPE_DH4, IKEV2_XFORMDH_ECP_52121 }, |
134 | { IKEV2_XFORMTYPE_DH4, IKEV2_XFORMDH_ECP_38420 }, |
135 | { IKEV2_XFORMTYPE_DH4, IKEV2_XFORMDH_ECP_25619 }, |
136 | { IKEV2_XFORMTYPE_DH4, IKEV2_XFORMDH_MODP_409616 }, |
137 | { IKEV2_XFORMTYPE_DH4, IKEV2_XFORMDH_MODP_307215 }, |
138 | { IKEV2_XFORMTYPE_DH4, IKEV2_XFORMDH_MODP_204814 }, |
139 | { IKEV2_XFORMTYPE_DH4, IKEV2_XFORMDH_MODP_15365 }, |
140 | { IKEV2_XFORMTYPE_DH4, IKEV2_XFORMDH_MODP_10242 }, |
141 | { 0 } /* terminator; not counted below */ |
142 | }; |
143 | size_t ikev2_default_nike_transforms_noauth = |
144 | ((sizeof(ikev2_default_ike_transforms_noauth) / |
145 | sizeof(ikev2_default_ike_transforms_noauth[0])) - 1); /* entry count excluding the {0} sentinel */ |
146 | |
147 | struct iked_transform ikev2_default_esp_transforms[] = { /* default ESP (child SA) proposal; order presumably is preference order -- confirm in copy_transforms() */ |
148 | { IKEV2_XFORMTYPE_ENCR1, IKEV2_XFORMENCR_AES_CBC12, 256 }, /* third field: key length in bits */ |
149 | { IKEV2_XFORMTYPE_ENCR1, IKEV2_XFORMENCR_AES_CBC12, 192 }, |
150 | { IKEV2_XFORMTYPE_ENCR1, IKEV2_XFORMENCR_AES_CBC12, 128 }, |
151 | { IKEV2_XFORMTYPE_INTEGR3, IKEV2_XFORMAUTH_HMAC_SHA2_256_12812 }, |
152 | { IKEV2_XFORMTYPE_INTEGR3, IKEV2_XFORMAUTH_HMAC_SHA2_384_19213 }, |
153 | { IKEV2_XFORMTYPE_INTEGR3, IKEV2_XFORMAUTH_HMAC_SHA2_512_25614 }, |
154 | { IKEV2_XFORMTYPE_INTEGR3, IKEV2_XFORMAUTH_HMAC_SHA1_962 }, /* SHA-1 integrity listed last */ |
155 | { IKEV2_XFORMTYPE_DH4, IKEV2_XFORMDH_NONE0 }, /* DH "none": presumably no PFS group for child SAs unless configured -- confirm */ |
156 | { IKEV2_XFORMTYPE_ESN5, IKEV2_XFORMESN_ESN1 }, /* extended sequence numbers offered first, ... */ |
157 | { IKEV2_XFORMTYPE_ESN5, IKEV2_XFORMESN_NONE0 }, /* ... plain 32-bit sequence numbers as fallback */ |
158 | { 0 } /* terminator; not counted below */ |
159 | }; |
160 | size_t ikev2_default_nesp_transforms = ((sizeof(ikev2_default_esp_transforms) / |
161 | sizeof(ikev2_default_esp_transforms[0])) - 1); /* entry count excluding the {0} sentinel */ |
162 | |
163 | struct iked_transform ikev2_default_esp_transforms_noauth[] = { /* AEAD-only ESP proposal: AES-GCM and no INTEGR entries; presumably used when an AEAD cipher is selected -- confirm at the use site */ |
164 | { IKEV2_XFORMTYPE_ENCR1, IKEV2_XFORMENCR_AES_GCM_1620, 128 }, /* third field: key length in bits */ |
165 | { IKEV2_XFORMTYPE_ENCR1, IKEV2_XFORMENCR_AES_GCM_1620, 256 }, |
166 | { IKEV2_XFORMTYPE_DH4, IKEV2_XFORMDH_NONE0 }, /* DH "none", as in ikev2_default_esp_transforms */ |
167 | { IKEV2_XFORMTYPE_ESN5, IKEV2_XFORMESN_ESN1 }, |
168 | { IKEV2_XFORMTYPE_ESN5, IKEV2_XFORMESN_NONE0 }, |
169 | { 0 } /* terminator; not counted below */ |
170 | }; |
171 | size_t ikev2_default_nesp_transforms_noauth = |
172 | ((sizeof(ikev2_default_esp_transforms_noauth) / |
173 | sizeof(ikev2_default_esp_transforms_noauth[0])) - 1); /* entry count excluding the {0} sentinel */ |
174 | |
175 | const struct ipsec_xf authxfs[] = { /* integrity algorithms accepted by the "auth" keyword: { name, IKEv2 id, length }; the lengths (16/20/32/48/64) match the hash output sizes -- confirm the field meaning against struct ipsec_xf */ |
176 | { "hmac-md5", IKEV2_XFORMAUTH_HMAC_MD5_961, 16 }, /* configurable but absent from every default table above */ |
177 | { "hmac-sha1", IKEV2_XFORMAUTH_HMAC_SHA1_962, 20 }, |
178 | { "hmac-sha2-256", IKEV2_XFORMAUTH_HMAC_SHA2_256_12812, 32 }, |
179 | { "hmac-sha2-384", IKEV2_XFORMAUTH_HMAC_SHA2_384_19213, 48 }, |
180 | { "hmac-sha2-512", IKEV2_XFORMAUTH_HMAC_SHA2_512_25614, 64 }, |
181 | { NULL((void *)0) } /* terminator for parse_xf() */ |
182 | }; |
183 | |
184 | const struct ipsec_xf prfxfs[] = { /* PRFs accepted by the "prf" keyword: { name, IKEv2 id, length }; same layout as authxfs */ |
185 | { "hmac-md5", IKEV2_XFORMPRF_HMAC_MD51, 16 }, /* configurable but absent from every default table above */ |
186 | { "hmac-sha1", IKEV2_XFORMPRF_HMAC_SHA12, 20 }, |
187 | { "hmac-sha2-256", IKEV2_XFORMPRF_HMAC_SHA2_2565, 32 }, |
188 | { "hmac-sha2-384", IKEV2_XFORMPRF_HMAC_SHA2_3846, 48 }, |
189 | { "hmac-sha2-512", IKEV2_XFORMPRF_HMAC_SHA2_5127, 64 }, |
190 | { NULL((void *)0) } /* terminator for parse_xf() */ |
191 | }; |
192 | |
193 | const struct ipsec_xf *encxfs = NULL((void *)0); /* currently active cipher table; presumably pointed at ikeencxfs or ipsecencxfs by the grammar depending on whether IKE SA or child SA transforms are being parsed -- confirm */ |
194 | |
195 | const struct ipsec_xf ikeencxfs[] = { /* ciphers accepted for the IKE SA: { name, IKEv2 id, length, keylength, ... }; the trailing "4, 1" on GCM rows is presumably nonce length and an AEAD flag -- confirm against struct ipsec_xf */ |
196 | { "3des", IKEV2_XFORMENCR_3DES3, 24 }, /* legacy cipher; "3des-cbc" below is an alias */ |
197 | { "3des-cbc", IKEV2_XFORMENCR_3DES3, 24 }, |
198 | { "aes-128", IKEV2_XFORMENCR_AES_CBC12, 16, 16 }, |
199 | { "aes-192", IKEV2_XFORMENCR_AES_CBC12, 24, 24 }, |
200 | { "aes-256", IKEV2_XFORMENCR_AES_CBC12, 32, 32 }, |
201 | { "aes-128-gcm", IKEV2_XFORMENCR_AES_GCM_1620, 16, 16, 4, 1 }, /* AEAD: no separate integrity transform needed */ |
202 | { "aes-256-gcm", IKEV2_XFORMENCR_AES_GCM_1620, 32, 32, 4, 1 }, |
203 | { "aes-128-gcm-12", IKEV2_XFORMENCR_AES_GCM_1219, 16, 16, 4, 1 }, /* GCM with a 12-byte ICV, per the id name */ |
204 | { "aes-256-gcm-12", IKEV2_XFORMENCR_AES_GCM_1219, 32, 32, 4, 1 }, |
205 | { NULL((void *)0) } /* terminator for parse_xf() */ |
206 | }; |
207 | |
208 | const struct ipsec_xf ipsecencxfs[] = { /* ciphers accepted for child (ESP) SAs; same column layout as ikeencxfs */ |
209 | { "3des", IKEV2_XFORMENCR_3DES3, 24 }, /* 3des, blowfish and cast are legacy ciphers: accepted when configured explicitly, never offered by the default tables */ |
210 | { "3des-cbc", IKEV2_XFORMENCR_3DES3, 24 }, |
211 | { "aes-128", IKEV2_XFORMENCR_AES_CBC12, 16, 16 }, |
212 | { "aes-192", IKEV2_XFORMENCR_AES_CBC12, 24, 24 }, |
213 | { "aes-256", IKEV2_XFORMENCR_AES_CBC12, 32, 32 }, |
214 | { "aes-128-ctr", IKEV2_XFORMENCR_AES_CTR13, 16, 16, 4 }, /* CTR: nonce column set, no AEAD flag -- needs an integrity transform */ |
215 | { "aes-192-ctr", IKEV2_XFORMENCR_AES_CTR13, 24, 24, 4 }, |
216 | { "aes-256-ctr", IKEV2_XFORMENCR_AES_CTR13, 32, 32, 4 }, |
217 | { "aes-128-gcm", IKEV2_XFORMENCR_AES_GCM_1620, 16, 16, 4, 1 }, /* AEAD */ |
218 | { "aes-192-gcm", IKEV2_XFORMENCR_AES_GCM_1620, 24, 24, 4, 1 }, |
219 | { "aes-256-gcm", IKEV2_XFORMENCR_AES_GCM_1620, 32, 32, 4, 1 }, |
220 | { "aes-128-gmac", IKEV2_XFORMENCR_NULL_AES_GMAC21, 16, 16, 4, 1 }, /* NULL_AES_GMAC: authentication only, no confidentiality (per the id name) */ |
221 | { "aes-192-gmac", IKEV2_XFORMENCR_NULL_AES_GMAC21, 24, 24, 4, 1 }, |
222 | { "aes-256-gmac", IKEV2_XFORMENCR_NULL_AES_GMAC21, 32, 32, 4, 1 }, |
223 | { "blowfish", IKEV2_XFORMENCR_BLOWFISH7, 20, 20 }, |
224 | { "cast", IKEV2_XFORMENCR_CAST6, 16, 16 }, |
225 | { "chacha20-poly1305", IKEV2_XFORMENCR_CHACHA20_POLY130528, |
226 | 32, 32, 4, 1 }, /* AEAD */ |
227 | { "null", IKEV2_XFORMENCR_NULL11, 0, 0 }, /* zero key length: no confidentiality at all, integrity only */ |
228 | { NULL((void *)0) } /* terminator for parse_xf() */ |
229 | }; |
230 | |
231 | const struct ipsec_xf groupxfs[] = { /* DH groups accepted by the "group" keyword: { name, IKEv2 id }; each group has a descriptive name and a "grpN" alias (N = the IANA group number) */ |
232 | { "none", IKEV2_XFORMDH_NONE0 }, |
233 | { "modp768", IKEV2_XFORMDH_MODP_7681 }, /* modp768/modp1024 are the smallest groups offered; neither appears in the default IKE tables except modp1024 */ |
234 | { "grp1", IKEV2_XFORMDH_MODP_7681 }, |
235 | { "modp1024", IKEV2_XFORMDH_MODP_10242 }, |
236 | { "grp2", IKEV2_XFORMDH_MODP_10242 }, |
237 | { "modp1536", IKEV2_XFORMDH_MODP_15365 }, |
238 | { "grp5", IKEV2_XFORMDH_MODP_15365 }, |
239 | { "modp2048", IKEV2_XFORMDH_MODP_204814 }, |
240 | { "grp14", IKEV2_XFORMDH_MODP_204814 }, |
241 | { "modp3072", IKEV2_XFORMDH_MODP_307215 }, |
242 | { "grp15", IKEV2_XFORMDH_MODP_307215 }, |
243 | { "modp4096", IKEV2_XFORMDH_MODP_409616 }, |
244 | { "grp16", IKEV2_XFORMDH_MODP_409616 }, |
245 | { "modp6144", IKEV2_XFORMDH_MODP_614417 }, |
246 | { "grp17", IKEV2_XFORMDH_MODP_614417 }, |
247 | { "modp8192", IKEV2_XFORMDH_MODP_819218 }, |
248 | { "grp18", IKEV2_XFORMDH_MODP_819218 }, |
249 | { "ecp256", IKEV2_XFORMDH_ECP_25619 }, /* NIST prime-curve groups */ |
250 | { "grp19", IKEV2_XFORMDH_ECP_25619 }, |
251 | { "ecp384", IKEV2_XFORMDH_ECP_38420 }, |
252 | { "grp20", IKEV2_XFORMDH_ECP_38420 }, |
253 | { "ecp521", IKEV2_XFORMDH_ECP_52121 }, |
254 | { "grp21", IKEV2_XFORMDH_ECP_52121 }, |
255 | { "ecp192", IKEV2_XFORMDH_ECP_19225 }, |
256 | { "grp25", IKEV2_XFORMDH_ECP_19225 }, |
257 | { "ecp224", IKEV2_XFORMDH_ECP_22426 }, |
258 | { "grp26", IKEV2_XFORMDH_ECP_22426 }, |
259 | { "brainpool224", IKEV2_XFORMDH_BRAINPOOL_P224R127 }, /* Brainpool curves */ |
260 | { "grp27", IKEV2_XFORMDH_BRAINPOOL_P224R127 }, |
261 | { "brainpool256", IKEV2_XFORMDH_BRAINPOOL_P256R128 }, |
262 | { "grp28", IKEV2_XFORMDH_BRAINPOOL_P256R128 }, |
263 | { "brainpool384", IKEV2_XFORMDH_BRAINPOOL_P384R129 }, |
264 | { "grp29", IKEV2_XFORMDH_BRAINPOOL_P384R129 }, |
265 | { "brainpool512", IKEV2_XFORMDH_BRAINPOOL_P512R130 }, |
266 | { "grp30", IKEV2_XFORMDH_BRAINPOOL_P512R130 }, |
267 | { "curve25519", IKEV2_XFORMDH_CURVE2551931 }, /* first DH entry in the default IKE tables */ |
268 | { "grp31", IKEV2_XFORMDH_CURVE2551931 }, |
269 | { "sntrup761x25519", IKEV2_XFORMDH_X_SNTRUP761X255191035 }, /* hybrid group (sntrup761 + X25519 per the name); no grpN alias -- id 1035 is in the private-use range per the X_ prefix, presumably */ |
270 | { NULL((void *)0) } /* terminator for parse_xf() */ |
271 | }; |
272 | |
273 | const struct ipsec_xf esnxfs[] = { /* extended-sequence-number keywords: { name, IKEv2 id } */ |
274 | { "esn", IKEV2_XFORMESN_ESN1 }, |
275 | { "noesn", IKEV2_XFORMESN_NONE0 }, |
276 | { NULL((void *)0) } /* terminator for parse_xf() */ |
277 | }; |
278 | |
279 | const struct ipsec_xf methodxfs[] = { /* IKE authentication methods: { name, IKEv2 auth id } */ |
280 | { "none", IKEV2_AUTH_NONE0 }, /* NOTE(review): maps to IKEV2_AUTH_NONE; what the daemon does with it is decided elsewhere -- confirm before documenting it as "no authentication" */ |
281 | { "rsa", IKEV2_AUTH_RSA_SIG1 }, |
282 | { "ecdsa256", IKEV2_AUTH_ECDSA_2569 }, |
283 | { "ecdsa384", IKEV2_AUTH_ECDSA_38410 }, |
284 | { "ecdsa521", IKEV2_AUTH_ECDSA_52111 }, |
285 | { "rfc7427", IKEV2_AUTH_SIG14 }, /* generic digital-signature authentication (RFC 7427), id 14 */ |
286 | { "signature", IKEV2_AUTH_SIG_ANY255 }, /* id 255: accept any signature method, per the id name */ |
287 | { NULL((void *)0) } /* terminator for parse_xf() */ |
288 | }; |
289 | |
290 | const struct ipsec_xf saxfs[] = { /* child SA protocols: { name, IKEv2 protocol id } */ |
291 | { "esp", IKEV2_SAPROTO_ESP3 }, |
292 | { "ah", IKEV2_SAPROTO_AH2 }, |
293 | { NULL((void *)0) } /* terminator for parse_xf() */ |
294 | }; |
295 | |
296 | const struct ipsec_xf cpxfs[] = { /* configuration-payload attributes: { keyword, IKEv2 CFG attribute, address family }; the same keyword appears twice, so the family column must be used to pick the IPv4 or IPv6 attribute -- presumably parse_xf() does this; confirm */ |
297 | { "address", IKEV2_CFG_INTERNAL_IP4_ADDRESS1, AF_INET2 }, |
298 | { "netmask", IKEV2_CFG_INTERNAL_IP4_NETMASK2, AF_INET2 }, /* IPv4 only; no IPv6 counterpart in this table */ |
299 | { "name-server", IKEV2_CFG_INTERNAL_IP4_DNS3, AF_INET2 }, |
300 | { "netbios-server", IKEV2_CFG_INTERNAL_IP4_NBNS4, AF_INET2 }, |
301 | { "dhcp-server", IKEV2_CFG_INTERNAL_IP4_DHCP6, AF_INET2 }, |
302 | { "address", IKEV2_CFG_INTERNAL_IP6_ADDRESS8, AF_INET624 }, |
303 | { "name-server", IKEV2_CFG_INTERNAL_IP6_DNS10, AF_INET624 }, |
304 | { "netbios-server", IKEV2_CFG_INTERNAL_IP6_NBNS11, AF_INET624 }, |
305 | { "dhcp-server", IKEV2_CFG_INTERNAL_IP6_DHCP12, AF_INET624 }, |
306 | { "protected-subnet", IKEV2_CFG_INTERNAL_IP4_SUBNET13, AF_INET2 }, |
307 | { "protected-subnet", IKEV2_CFG_INTERNAL_IP6_SUBNET15, AF_INET624 }, |
308 | { "access-server", IKEV2_CFG_INTERNAL_IP4_SERVER23456, AF_INET2 }, /* attribute ids 23456/23457 are outside the IANA-assigned range, presumably private-use -- confirm */ |
309 | { "access-server", IKEV2_CFG_INTERNAL_IP6_SERVER23457, AF_INET624 }, |
310 | { NULL((void *)0) } /* terminator for parse_xf() */ |
311 | }; |
312 | |
313 | const struct iked_lifetime deflifetime = { /* default SA lifetime when a rule sets none; field order presumably { bytes, seconds } per the macro names -- confirm against struct iked_lifetime */ |
314 | IKED_LIFETIME_BYTES4294967296, /* 4294967296 bytes = 4 GiB */ |
315 | IKED_LIFETIME_SECONDS10800 /* 10800 s = 3 h */ |
316 | }; |
317 | |
318 | #define IPSEC_ADDR_ANY(0x1) (0x1) /* bit flags, presumably stored in ipsec_addr_wrap.type (see host_any()/host_dynamic() below) -- confirm */ |
319 | #define IPSEC_ADDR_DYNAMIC(0x2) (0x2) |
320 | |
321 | struct ipsec_addr_wrap { /* one parsed address/network endpoint; entries can be chained (next/tail) when a name expands to several addresses */ |
322 | struct sockaddr_storage address; /* holds either AF_INET or AF_INET6 per af below */ |
323 | uint8_t mask; /* prefix length, set via set_ipmask() */ |
324 | int netaddress; /* non-zero when this is a network (address + mask) rather than a host -- presumably; confirm */ |
325 | sa_family_t af; |
326 | unsigned int type; /* IPSEC_ADDR_* flags, presumably */ |
327 | unsigned int action; |
328 | uint16_t port; |
329 | char *name; /* textual form as written in the config, presumably for diagnostics and interface lookups */ |
330 | struct ipsec_addr_wrap *next; /* singly linked list of expansions ... */ |
331 | struct ipsec_addr_wrap *tail; /* ... with a tail pointer for O(1) append, presumably kept only on the head -- confirm */ |
332 | struct ipsec_addr_wrap *srcnat; /* source NAT address attached to this endpoint, if any */ |
333 | }; |
334 | |
335 | struct ipsec_hosts { /* a src/dst endpoint pair (flow or peer addresses) */ |
336 | struct ipsec_addr_wrap *src; |
337 | struct ipsec_addr_wrap *dst; |
338 | }; |
339 | |
340 | struct ipsec_filters { /* packet-filter hooks attached to a rule */ |
341 | char *tag; /* pf tag, presumably set by the TAG keyword -- confirm */ |
342 | unsigned int tap; /* enc(4) interface unit, presumably set by the TAP keyword -- confirm */ |
343 | }; |
344 | |
345 | void copy_sockaddrtoipa(struct ipsec_addr_wrap *, |
346 | struct sockaddr *); |
347 | struct ipsec_addr_wrap *host(const char *); |
348 | struct ipsec_addr_wrap *host_ip(const char *, int); |
349 | struct ipsec_addr_wrap *host_dns(const char *, int); |
350 | struct ipsec_addr_wrap *host_if(const char *, int); |
351 | struct ipsec_addr_wrap *host_any(void); |
352 | struct ipsec_addr_wrap *host_dynamic(void); |
353 | void ifa_load(void); |
354 | int ifa_exists(const char *); |
355 | struct ipsec_addr_wrap *ifa_lookup(const char *ifa_name); |
356 | struct ipsec_addr_wrap *ifa_grouplookup(const char *); |
357 | void set_ipmask(struct ipsec_addr_wrap *, int); |
358 | const struct ipsec_xf *parse_xf(const char *, unsigned int, |
359 | const struct ipsec_xf *); |
360 | void copy_transforms(unsigned int, |
361 | const struct ipsec_xf **, unsigned int, |
362 | struct iked_transform **, unsigned int *, |
363 | struct iked_transform *, size_t); |
364 | int create_ike(char *, int, struct ipsec_addr_wrap *, |
365 | int, struct ipsec_hosts *, |
366 | struct ipsec_hosts *, struct ipsec_mode *, |
367 | struct ipsec_mode *, uint8_t, |
368 | uint8_t, char *, char *, |
369 | uint32_t, struct iked_lifetime *, |
370 | struct iked_auth *, struct ipsec_filters *, |
371 | struct ipsec_addr_wrap *, char *); |
372 | int create_user(const char *, const char *); |
373 | int get_id_type(char *); |
374 | uint8_t x2i(unsigned char *); |
375 | int parsekey(unsigned char *, size_t, struct iked_auth *); |
376 | int parsekeyfile(char *, struct iked_auth *); |
377 | void iaw_free(struct ipsec_addr_wrap *); |
378 | static int create_flow(struct iked_policy *pol, int, struct ipsec_addr_wrap *ipa, |
379 | struct ipsec_addr_wrap *ipb); |
380 | static int expand_flows(struct iked_policy *, int, struct ipsec_addr_wrap *, |
381 | struct ipsec_addr_wrap *); |
382 | static struct ipsec_addr_wrap * |
383 | expand_keyword(struct ipsec_addr_wrap *); |
384 | |
385 | struct ipsec_transforms *ipsec_transforms; /* scratch objects filled by the grammar while a rule is being parsed */ |
386 | struct ipsec_filters *ipsec_filters; |
387 | struct ipsec_mode *ipsec_mode; |
388 | /* interface lookup routines */ |
389 | struct ipsec_addr_wrap *iftab; /* interface address table, loaded by ifa_load() and queried by ifa_lookup()/ifa_grouplookup() */ |
390 | |
391 | typedef struct { /* yacc semantic value: one union member per grammar symbol type, plus the token's line for diagnostics */ |
392 | union { |
393 | int64_t number; |
394 | uint8_t ikemode; |
395 | uint8_t dir; |
396 | uint8_t satype; |
397 | char *string; /* heap string from the lexer; NOTE(review): ownership (who frees) is decided in the grammar actions, not visible here */ |
398 | uint16_t port; |
399 | struct ipsec_hosts *hosts; |
400 | struct ipsec_hosts peers; /* by value, unlike hosts */ |
401 | struct ipsec_addr_wrap *anyhost; |
402 | struct ipsec_addr_wrap *host; |
403 | struct ipsec_addr_wrap *cfg; |
404 | struct ipsec_addr_wrap *proto; |
405 | struct { |
406 | char *srcid; |
407 | char *dstid; |
408 | } ids; |
409 | char *id; |
410 | uint8_t type; |
411 | struct iked_lifetime lifetime; |
412 | struct iked_auth ikeauth; |
413 | struct iked_auth ikekey; /* NOTE(review): key material may sit in this union by value; check that the grammar clears it after use */ |
414 | struct ipsec_transforms *transforms; |
415 | struct ipsec_filters *filters; |
416 | struct ipsec_mode *mode; |
417 | } v; |
418 | int lineno; /* line on which the token was read */ |
419 | } YYSTYPE; |
420 | |
421 | #line 422 "parse.c" |
422 | #define FROM257 257 |
423 | #define ESP258 258 |
424 | #define AH259 259 |
425 | #define IN260 260 |
426 | #define PEER261 261 |
427 | #define ON262 262 |
428 | #define OUT263 263 |
429 | #define TO264 264 |
430 | #define SRCID265 265 |
431 | #define DSTID266 266 |
432 | #define PSK267 267 |
433 | #define PORT268 268 |
434 | #define FILENAME269 269 |
435 | #define AUTHXF270 270 |
436 | #define PRFXF271 271 |
437 | #define ENCXF272 272 |
438 | #define ERROR273 273 |
439 | #define IKEV2274 274 |
440 | #define IKESA275 275 |
441 | #define CHILDSA276 276 |
442 | #define ESN277 277 |
443 | #define NOESN278 278 |
444 | #define PASSIVE279 279 |
445 | #define ACTIVE280 280 |
446 | #define ANY281 281 |
447 | #define TAG282 282 |
448 | #define TAP283 283 |
449 | #define PROTO284 284 |
450 | #define LOCAL285 285 |
451 | #define GROUP286 286 |
452 | #define NAME287 287 |
453 | #define CONFIG288 288 |
454 | #define EAP289 289 |
455 | #define USER290 290 |
456 | #define IKEV1291 291 |
457 | #define FLOW292 292 |
458 | #define SA293 293 |
459 | #define TCPMD5294 294 |
460 | #define TUNNEL295 295 |
461 | #define TRANSPORT296 296 |
462 | #define COUPLE297 297 |
463 | #define DECOUPLE298 298 |
464 | #define SET299 299 |
465 | #define INCLUDE300 300 |
466 | #define LIFETIME301 301 |
467 | #define BYTES302 302 |
468 | #define INET303 303 |
469 | #define INET6304 304 |
470 | #define QUICK305 305 |
471 | #define SKIP306 306 |
472 | #define DEFAULT307 307 |
473 | #define IPCOMP308 308 |
474 | #define OCSP309 309 |
475 | #define IKELIFETIME310 310 |
476 | #define MOBIKE311 311 |
477 | #define NOMOBIKE312 312 |
478 | #define RDOMAIN313 313 |
479 | #define FRAGMENTATION314 314 |
480 | #define NOFRAGMENTATION315 315 |
481 | #define DPD_CHECK_INTERVAL316 316 |
482 | #define ENFORCESINGLEIKESA317 317 |
483 | #define NOENFORCESINGLEIKESA318 318 |
484 | #define STICKYADDRESS319 319 |
485 | #define NOSTICKYADDRESS320 320 |
486 | #define TOLERATE321 321 |
487 | #define MAXAGE322 322 |
488 | #define DYNAMIC323 323 |
489 | #define CERTPARTIALCHAIN324 324 |
490 | #define REQUEST325 325 |
491 | #define IFACE326 326 |
492 | #define STRING327 327 |
493 | #define NUMBER328 328 |
494 | #define YYERRCODE256 256 |
495 | const short yylhs[] = |
496 | { -1, |
497 | 0, 0, 0, 0, 0, 0, 0, 0, 0, 46, |
498 | 46, 39, 40, 40, 40, 40, 40, 40, 40, 40, |
499 | 40, 40, 40, 40, 40, 40, 40, 40, 40, 41, |
500 | 42, 36, 36, 37, 37, 35, 35, 33, 33, 2, |
501 | 2, 2, 10, 10, 10, 3, 3, 3, 4, 4, |
502 | 5, 5, 11, 11, 7, 7, 6, 6, 8, 8, |
503 | 9, 9, 12, 12, 12, 12, 12, 13, 13, 15, |
504 | 15, 14, 14, 14, 14, 16, 16, 16, 16, 17, |
505 | 48, 18, 18, 47, 47, 49, 49, 49, 49, 49, |
506 | 38, 38, 51, 27, 27, 50, 50, 53, 52, 55, |
507 | 28, 28, 54, 54, 57, 56, 20, 21, 21, 21, |
508 | 21, 22, 22, 22, 23, 23, 24, 24, 24, 25, |
509 | 25, 25, 25, 30, 30, 31, 31, 29, 29, 29, |
510 | 32, 32, 26, 26, 59, 19, 19, 58, 58, 60, |
511 | 60, 34, 34, 1, 1, 43, 44, 44, 44, 44, |
512 | 61, 61, 61, 61, 61, 45, |
513 | }; |
514 | const short yylen[] = |
515 | { 2, |
516 | 0, 3, 2, 3, 3, 3, 3, 4, 3, 1, |
517 | 0, 2, 2, 2, 2, 2, 2, 2, 2, 2, |
518 | 2, 2, 2, 2, 3, 5, 7, 2, 3, 3, |
519 | 18, 0, 1, 1, 2, 3, 3, 0, 1, 0, |
520 | 1, 1, 0, 1, 1, 0, 2, 4, 1, 3, |
521 | 1, 1, 0, 2, 1, 3, 6, 6, 0, 2, |
522 | 1, 1, 0, 4, 4, 2, 2, 1, 1, 1, |
523 | 3, 1, 4, 1, 1, 0, 4, 2, 2, 1, |
524 | 0, 2, 0, 2, 1, 2, 2, 2, 2, 1, |
525 | 1, 1, 0, 2, 0, 2, 1, 0, 3, 0, |
526 | 2, 0, 2, 1, 0, 3, 4, 0, 1, 1, |
527 | 1, 0, 1, 1, 0, 1, 0, 1, 1, 0, |
528 | 2, 2, 1, 1, 1, 1, 1, 0, 2, 4, |
529 | 0, 2, 1, 2, 0, 2, 0, 2, 1, 2, |
530 | 2, 0, 2, 2, 1, 3, 1, 1, 1, 1, |
531 | 1, 1, 1, 1, 1, 0, |
532 | }; |
533 | const short yydefred[] = |
534 | { 1, |
535 | 0, 0, 152, 153, 0, 0, 147, 149, 151, 150, |
536 | 154, 155, 0, 0, 0, 3, 0, 0, 0, 0, |
537 | 0, 156, 148, 9, 39, 0, 0, 14, 13, 15, |
538 | 16, 0, 19, 20, 17, 18, 0, 21, 22, 23, |
539 | 24, 28, 12, 0, 2, 4, 5, 6, 7, 0, |
540 | 109, 110, 111, 0, 0, 30, 0, 29, 145, 0, |
541 | 8, 41, 42, 0, 113, 114, 0, 0, 144, 44, |
542 | 45, 0, 116, 0, 127, 126, 0, 0, 0, 118, |
543 | 119, 107, 0, 51, 52, 0, 47, 0, 0, 27, |
544 | 0, 49, 54, 0, 0, 55, 0, 10, 48, 0, |
545 | 74, 75, 0, 0, 0, 0, 0, 0, 0, 0, |
546 | 50, 0, 0, 0, 0, 0, 69, 0, 68, 0, |
547 | 0, 0, 56, 71, 61, 62, 60, 0, 0, 0, |
548 | 0, 0, 0, 0, 98, 0, 97, 0, 73, 0, |
549 | 64, 65, 0, 0, 0, 105, 0, 104, 0, 96, |
550 | 57, 58, 80, 0, 79, 0, 0, 0, 103, 99, |
551 | 0, 0, 132, 0, 0, 106, 0, 0, 0, 91, |
552 | 92, 0, 90, 0, 85, 77, 0, 0, 0, 123, |
553 | 0, 86, 88, 87, 89, 84, 0, 0, 133, 121, |
554 | 122, 0, 0, 34, 0, 0, 125, 124, 130, 134, |
555 | 0, 0, 0, 0, 35, 36, 37, 143, 31, 0, |
556 | 0, 0, 0, 139, 140, 141, 138, |
557 | }; |
558 | const short yydgoto[] = |
559 | { 1, |
560 | 60, 64, 79, 91, 87, 96, 97, 114, 127, 72, |
561 | 89, 109, 118, 104, 119, 145, 154, 160, 209, 54, |
562 | 55, 67, 74, 82, 181, 190, 121, 133, 165, 199, |
563 | 77, 157, 26, 204, 194, 195, 196, 173, 17, 18, |
564 | 19, 20, 21, 22, 50, 100, 174, 161, 175, 136, |
565 | 122, 137, 149, 147, 134, 148, 158, 213, 210, 214, |
566 | 23, |
567 | }; |
568 | const short yysindex[] = |
569 | { 0, |
570 | 184, 13, 0, 0, -302, -289, 0, 0, 0, 0, |
571 | 0, 0, -89, -269, -5, 0, 50, 59, 66, 71, |
572 | 74, 0, 0, 0, 0, -233, -228, 0, 0, 0, |
573 | 0, -223, 0, 0, 0, 0, -239, 0, 0, 0, |
574 | 0, 0, 0, -218, 0, 0, 0, 0, 0, 122, |
575 | 0, 0, 0, -216, -200, 0, -180, 0, 0, -183, |
576 | 0, 0, 0, -192, 0, 0, -158, -226, 0, 0, |
577 | 0, -123, 0, -174, 0, 0, -160, -121, -150, 0, |
578 | 0, 0, -226, 0, 0, -203, 0, -162, -238, 0, |
579 | -38, 0, 0, -270, -270, 0, -43, 0, 0, -203, |
580 | 0, 0, 123, -97, 134, -97, -268, -268, 0, -238, |
581 | 0, -149, -190, -86, -147, -74, 0, -101, 0, -73, |
582 | 0, -83, 0, 0, 0, 0, 0, -270, 145, -270, |
583 | -268, -268, -120, -87, 0, -83, 0, -97, 0, -97, |
584 | 0, 0, -140, -140, -117, 0, -87, 0, 0, 0, |
585 | 0, 0, 0, -68, 0, -226, -102, 0, 0, 0, |
586 | -75, -140, 0, -226, -257, 0, -127, -126, -115, 0, |
587 | 0, -114, 0, -75, 0, 0, -98, -262, -113, 0, |
588 | -271, 0, 0, 0, 0, 0, -179, -112, 0, 0, |
589 | 0, -111, -110, 0, -116, -271, 0, 0, 0, 0, |
590 | -147, -268, -108, 0, 0, 0, 0, 0, 0, -125, |
591 | -106, -103, -125, 0, 0, 0, 0,}; |
592 | const short yyrindex[] = |
593 | { 0, |
594 | 0, 0, 0, 0, -213, 0, 0, 0, 0, 0, |
595 | 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, |
596 | 0, 0, 0, 0, 0, -161, 0, 0, 0, 0, |
597 | 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, |
598 | 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, |
599 | 0, 0, 0, -196, -131, 0, 195, 0, 0, 222, |
600 | 0, 0, 0, -236, 0, 0, -128, 0, 0, 0, |
601 | 0, -249, 0, -144, 0, 0, 223, 0, -202, 0, |
602 | 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, |
603 | -173, 0, 0, 0, 0, 0, 171, 0, 0, 0, |
604 | 0, 0, -10, -28, 19, -19, 0, 0, 224, 0, |
605 | 0, 0, 0, 0, 0, 0, 0, 227, 0, 257, |
606 | 323, 0, 0, 0, 0, 0, 0, 0, 0, 0, |
607 | 0, 0, 358, 0, 0, 355, 0, 95, 0, 95, |
608 | 0, 0, 0, 0, 372, 0, 369, 0, 65, 0, |
609 | 0, 0, 0, 404, 0, 0, 106, 141, 0, 0, |
610 | 0, 0, 0, 0, 75, 0, 0, 0, 0, 0, |
611 | 0, 0, 0, 303, 0, 0, 238, 0, 0, 0, |
612 | -1, 0, 0, 0, 0, 0, 0, 0, 0, 0, |
613 | 0, 0, 0, 0, 6, 23, 0, 0, 0, 0, |
614 | 0, 0, 0, 10, 0, 0, 0, 0, 0, 0, |
615 | 0, 0, 229, 0, 0, 0, 0,}; |
616 | const short yygindex[] = |
617 | { 0, |
618 | 0, 0, 0, 0, -59, 130, 0, -88, 0, 0, |
619 | 0, 0, -96, -81, -91, 0, -122, 83, 0, 0, |
620 | 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, |
621 | -78, 0, 0, 0, 47, 0, 0, 0, 0, 0, |
622 | 0, 0, 0, 0, 0, 147, 0, 0, 72, 0, |
623 | 0, 109, 0, 0, 0, 102, 0, 0, 0, 37, |
624 | 0, |
625 | }; |
626 | #define YYTABLESIZE731 731 |
627 | const short yytable[] = |
628 | { 70, |
629 | 98, 86, 105, 105, 90, 98, 188, 46, 32, 178, |
630 | 101, 120, 117, 106, 46, 142, 192, 116, 94, 137, |
631 | 43, 155, 24, 129, 25, 95, 92, 43, 72, 70, |
632 | 70, 179, 33, 70, 141, 142, 105, 27, 105, 176, |
633 | 111, 62, 63, 38, 38, 38, 138, 43, 140, 151, |
634 | 38, 152, 102, 193, 53, 44, 103, 43, 103, 45, |
635 | 40, 53, 72, 46, 189, 38, 38, 40, 46, 180, |
636 | 38, 51, 52, 53, 83, 47, 43, 163, 65, 66, |
637 | 48, 38, 38, 49, 120, 177, 99, 40, 58, 38, |
638 | 38, 38, 38, 38, 38, 108, 108, 108, 56, 38, |
639 | 75, 76, 108, 57, 59, 207, 40, 40, 59, 206, |
640 | 70, 71, 117, 117, 117, 128, 40, 108, 108, 117, |
641 | 80, 81, 108, 84, 85, 112, 112, 112, 115, 115, |
642 | 115, 61, 112, 108, 108, 115, 125, 126, 59, 117, |
643 | 68, 108, 108, 69, 143, 144, 108, 197, 198, 73, |
644 | 83, 108, 112, 11, 11, 115, 211, 212, 117, 117, |
645 | 78, 83, 88, 112, 112, 93, 115, 115, 117, 112, |
646 | 113, 112, 112, 115, 115, 115, 112, 128, 124, 103, |
647 | 63, 112, 130, 131, 115, 139, 153, 132, 146, 28, |
648 | 29, 135, 156, 16, 167, 168, 169, 162, 164, 182, |
649 | 183, 170, 171, 187, 25, 84, 85, 30, 31, 203, |
650 | 172, 184, 185, 191, 200, 201, 202, 107, 208, 32, |
651 | 215, 33, 34, 216, 35, 36, 37, 38, 39, 40, |
652 | 41, 146, 26, 95, 42, 59, 66, 59, 136, 123, |
653 | 166, 108, 205, 110, 150, 186, 70, 129, 159, 217, |
654 | 70, 0, 0, 70, 70, 70, 70, 70, 0, 0, |
655 | 0, 0, 0, 0, 70, 70, 67, 0, 0, 0, |
656 | 0, 70, 70, 0, 70, 72, 0, 70, 70, 72, |
657 | 32, 32, 72, 72, 72, 72, 72, 142, 142, 0, |
658 | 70, 135, 135, 72, 72, 0, 0, 0, 0, 70, |
659 | 72, 72, 0, 72, 33, 33, 72, 72, 0, 0, |
660 | 0, 0, 82, 0, 70, 70, 70, 0, 0, 72, |
661 | 0, 0, 0, 0, 32, 0, 0, 0, 72, 83, |
662 | 83, 83, 102, 0, 81, 81, 81, 0, 0, 83, |
663 | 83, 81, 81, 72, 72, 72, 83, 83, 33, 0, |
664 | 81, 59, 83, 83, 0, 59, 120, 120, 59, 59, |
665 | 59, 59, 120, 0, 94, 83, 0, 76, 0, 59, |
666 | 59, 0, 128, 0, 83, 0, 59, 59, 101, 59, |
667 | 0, 131, 59, 59, 0, 0, 0, 128, 128, 83, |
668 | 83, 83, 0, 128, 128, 59, 0, 0, 0, 120, |
669 | 120, 0, 0, 0, 59, 83, 83, 83, 0, 0, |
670 | 81, 81, 81, 78, 0, 0, 83, 81, 81, 59, |
671 | 59, 59, 83, 83, 0, 0, 81, 11, 83, 83, |
672 | 128, 128, 128, 0, 11, 63, 63, 63, 0, 2, |
673 | 3, 83, 0, 0, 0, 63, 63, 4, 0, 0, |
674 | 83, 0, 63, 63, 0, 0, 0, 5, 63, 63, |
675 | 0, 0, 0, 0, 0, 83, 83, 83, 0, 0, |
676 | 0, 63, 0, 6, 7, 8, 9, 10, 11, 12, |
677 | 63, 0, 13, 14, 0, 0, 0, 0, 95, 95, |
678 | 95, 66, 66, 66, 0, 63, 63, 63, 93, 95, |
679 | 0, 66, 66, 0, 129, 95, 95, 0, 66, 66, |
680 | 15, 95, 95, 0, 66, 66, 0, 0, 0, 129, |
681 | 129, 67, 67, 67, 95, 129, 129, 66, 0, 0, |
682 | 0, 67, 67, 95, 0, 0, 66, 0, 67, 67, |
683 | 0, 0, 0, 0, 67, 67, 0, 0, 95, 95, |
684 | 95, 66, 66, 66, 0, 0, 0, 67, 0, 0, |
685 | 0, 0, 129, 129, 129, 0, 67, 82, 82, 82, |
686 | 0, 0, 0, 0, 0, 0, 0, 82, 82, 0, |
687 | 0, 67, 67, 67, 82, 82, 0, 102, 102, 102, |
688 | 82, 82, 0, 0, 0, 0, 0, 0, 100, 0, |
689 | 0, 0, 0, 82, 102, 102, 0, 0, 0, 0, |
690 | 102, 102, 82, 0, 0, 0, 0, 0, 0, 94, |
691 | 94, 94, 0, 102, 76, 0, 0, 82, 82, 82, |
692 | 94, 0, 102, 101, 101, 101, 94, 94, 131, 76, |
693 | 76, 0, 94, 94, 0, 76, 76, 102, 102, 102, |
694 | 101, 101, 0, 131, 131, 94, 101, 101, 76, 131, |
695 | 131, 0, 0, 0, 94, 0, 0, 76, 0, 101, |
696 | 78, 0, 131, 0, 0, 0, 0, 0, 101, 94, |
697 | 94, 94, 76, 76, 76, 78, 78, 0, 0, 0, |
698 | 0, 78, 78, 101, 101, 101, 131, 131, 131, 0, |
699 | 0, 0, 0, 0, 78, 0, 0, 0, 0, 0, |
700 | 0, 0, 0, 78, 0, 0, 0, 0, 0, 0, |
701 | 0, 0, 0, 0, 0, 0, 0, 0, 78, 78, |
702 | 78, |
703 | }; |
704 | const short yycheck[] = |
705 | { 10, |
706 | 44, 123, 94, 95, 83, 44, 269, 257, 10, 267, |
707 | 281, 108, 281, 95, 264, 10, 288, 106, 257, 10, |
708 | 257, 144, 10, 115, 327, 264, 86, 264, 10, 40, |
709 | 41, 289, 10, 44, 131, 132, 128, 327, 130, 162, |
710 | 100, 258, 259, 257, 258, 259, 128, 284, 130, 138, |
711 | 264, 140, 323, 325, 257, 61, 327, 327, 327, 10, |
712 | 257, 264, 44, 313, 327, 279, 280, 264, 10, 327, |
713 | 284, 305, 306, 307, 10, 10, 313, 156, 279, 280, |
714 | 10, 295, 296, 10, 10, 164, 125, 284, 328, 303, |
715 | 304, 305, 306, 307, 308, 257, 258, 259, 327, 313, |
716 | 327, 328, 264, 327, 10, 202, 303, 304, 327, 201, |
717 | 303, 304, 257, 258, 259, 10, 313, 279, 280, 264, |
718 | 295, 296, 284, 327, 328, 257, 258, 259, 257, 258, |
719 | 259, 10, 264, 295, 296, 264, 327, 328, 44, 284, |
720 | 321, 303, 304, 327, 265, 266, 308, 327, 328, 308, |
721 | 10, 313, 284, 327, 328, 284, 282, 283, 303, 304, |
722 | 284, 322, 313, 295, 296, 328, 295, 296, 313, 47, |
723 | 268, 303, 304, 40, 303, 304, 308, 264, 328, 327, |
724 | 10, 313, 257, 285, 313, 41, 327, 261, 276, 279, |
725 | 280, 275, 310, 10, 270, 271, 272, 266, 301, 327, |
726 | 327, 277, 278, 302, 10, 327, 328, 297, 298, 326, |
727 | 286, 327, 327, 327, 327, 327, 327, 261, 327, 309, |
728 | 327, 311, 312, 327, 314, 315, 316, 317, 318, 319, |
729 | 320, 10, 10, 10, 324, 264, 10, 257, 10, 110, |
730 | 158, 285, 196, 97, 136, 174, 257, 10, 147, 213, |
731 | 261, -1, -1, 264, 265, 266, 267, 268, -1, -1, |
732 | -1, -1, -1, -1, 275, 276, 10, -1, -1, -1, |
733 | -1, 282, 283, -1, 285, 257, -1, 288, 289, 261, |
734 | 282, 283, 264, 265, 266, 267, 268, 282, 283, -1, |
735 | 301, 282, 283, 275, 276, -1, -1, -1, -1, 310, |
736 | 282, 283, -1, 285, 282, 283, 288, 289, -1, -1, |
737 | -1, -1, 10, -1, 325, 326, 327, -1, -1, 301, |
738 | -1, -1, -1, -1, 326, -1, -1, -1, 310, 265, |
739 | 266, 267, 10, -1, 270, 271, 272, -1, -1, 275, |
740 | 276, 277, 278, 325, 326, 327, 282, 283, 326, -1, |
741 | 286, 257, 288, 289, -1, 261, 282, 283, 264, 265, |
742 | 266, 267, 288, -1, 10, 301, -1, 10, -1, 275, |
743 | 276, -1, 267, -1, 310, -1, 282, 283, 10, 285, |
744 | -1, 10, 288, 289, -1, -1, -1, 282, 283, 325, |
745 | 326, 327, -1, 288, 289, 301, -1, -1, -1, 325, |
746 | 326, -1, -1, -1, 310, 265, 266, 267, -1, -1, |
747 | 270, 271, 272, 10, -1, -1, 276, 277, 278, 325, |
748 | 326, 327, 282, 283, -1, -1, 286, 257, 288, 289, |
749 | 325, 326, 327, -1, 264, 265, 266, 267, -1, 256, |
750 | 257, 301, -1, -1, -1, 275, 276, 264, -1, -1, |
751 | 310, -1, 282, 283, -1, -1, -1, 274, 288, 289, |
752 | -1, -1, -1, -1, -1, 325, 326, 327, -1, -1, |
753 | -1, 301, -1, 290, 291, 292, 293, 294, 295, 296, |
754 | 310, -1, 299, 300, -1, -1, -1, -1, 265, 266, |
755 | 267, 265, 266, 267, -1, 325, 326, 327, 275, 276, |
756 | -1, 275, 276, -1, 267, 282, 283, -1, 282, 283, |
757 | 327, 288, 289, -1, 288, 289, -1, -1, -1, 282, |
758 | 283, 265, 266, 267, 301, 288, 289, 301, -1, -1, |
759 | -1, 275, 276, 310, -1, -1, 310, -1, 282, 283, |
760 | -1, -1, -1, -1, 288, 289, -1, -1, 325, 326, |
761 | 327, 325, 326, 327, -1, -1, -1, 301, -1, -1, |
762 | -1, -1, 325, 326, 327, -1, 310, 265, 266, 267, |
763 | -1, -1, -1, -1, -1, -1, -1, 275, 276, -1, |
764 | -1, 325, 326, 327, 282, 283, -1, 265, 266, 267, |
765 | 288, 289, -1, -1, -1, -1, -1, -1, 276, -1, |
766 | -1, -1, -1, 301, 282, 283, -1, -1, -1, -1, |
767 | 288, 289, 310, -1, -1, -1, -1, -1, -1, 265, |
768 | 266, 267, -1, 301, 267, -1, -1, 325, 326, 327, |
769 | 276, -1, 310, 265, 266, 267, 282, 283, 267, 282, |
770 | 283, -1, 288, 289, -1, 288, 289, 325, 326, 327, |
771 | 282, 283, -1, 282, 283, 301, 288, 289, 301, 288, |
772 | 289, -1, -1, -1, 310, -1, -1, 310, -1, 301, |
773 | 267, -1, 301, -1, -1, -1, -1, -1, 310, 325, |
774 | 326, 327, 325, 326, 327, 282, 283, -1, -1, -1, |
775 | -1, 288, 289, 325, 326, 327, 325, 326, 327, -1, |
776 | -1, -1, -1, -1, 301, -1, -1, -1, -1, -1, |
777 | -1, -1, -1, 310, -1, -1, -1, -1, -1, -1, |
778 | -1, -1, -1, -1, -1, -1, -1, -1, 325, 326, |
779 | 327, |
780 | }; |
781 | #define YYFINAL1 1 |
782 | #ifndef YYDEBUG0 |
783 | #define YYDEBUG0 0 |
784 | #endif |
785 | #define YYMAXTOKEN328 328 |
786 | #if YYDEBUG0 |
/*
 * Generated by byacc from parse.y: printable token names indexed by
 * token value.  Compiled in only under YYDEBUG, for parser tracing.
 */
const char * const yyname[] =
{
"end-of-file",0,0,0,0,0,0,0,0,0,"'\\n'",0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
0,0,0,0,0,0,0,0,0,"'('","')'",0,0,"','",0,0,"'/'",0,0,0,0,0,0,0,0,0,0,0,0,0,
"'='",0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,"'{'",0,"'}'",0,0,0,0,0,0,0,0,0,
0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
0,0,"FROM","ESP","AH","IN","PEER","ON","OUT","TO","SRCID","DSTID","PSK","PORT",
"FILENAME","AUTHXF","PRFXF","ENCXF","ERROR","IKEV2","IKESA","CHILDSA","ESN",
"NOESN","PASSIVE","ACTIVE","ANY","TAG","TAP","PROTO","LOCAL","GROUP","NAME",
"CONFIG","EAP","USER","IKEV1","FLOW","SA","TCPMD5","TUNNEL","TRANSPORT",
"COUPLE","DECOUPLE","SET","INCLUDE","LIFETIME","BYTES","INET","INET6","QUICK",
"SKIP","DEFAULT","IPCOMP","OCSP","IKELIFETIME","MOBIKE","NOMOBIKE","RDOMAIN",
"FRAGMENTATION","NOFRAGMENTATION","DPD_CHECK_INTERVAL","ENFORCESINGLEIKESA",
"NOENFORCESINGLEIKESA","STICKYADDRESS","NOSTICKYADDRESS","TOLERATE","MAXAGE",
"DYNAMIC","CERTPARTIALCHAIN","REQUEST","IFACE","STRING","NUMBER",
};
/*
 * Generated by byacc from parse.y: one printable string per grammar
 * rule, indexed by rule number.  Used only for parser tracing under
 * YYDEBUG; the "$$N" symbols are the mid-rule actions of parse.y.
 */
const char * const yyrule[] =
{"$accept : grammar",
"grammar :",
"grammar : grammar include '\\n'",
"grammar : grammar '\\n'",
"grammar : grammar set '\\n'",
"grammar : grammar user '\\n'",
"grammar : grammar ikev2rule '\\n'",
"grammar : grammar varset '\\n'",
"grammar : grammar otherrule skipline '\\n'",
"grammar : grammar error '\\n'",
"comma : ','",
"comma :",
"include : INCLUDE STRING",
"set : SET ACTIVE",
"set : SET PASSIVE",
"set : SET COUPLE",
"set : SET DECOUPLE",
"set : SET FRAGMENTATION",
"set : SET NOFRAGMENTATION",
"set : SET MOBIKE",
"set : SET NOMOBIKE",
"set : SET ENFORCESINGLEIKESA",
"set : SET NOENFORCESINGLEIKESA",
"set : SET STICKYADDRESS",
"set : SET NOSTICKYADDRESS",
"set : SET OCSP STRING",
"set : SET OCSP STRING TOLERATE time_spec",
"set : SET OCSP STRING TOLERATE time_spec MAXAGE time_spec",
"set : SET CERTPARTIALCHAIN",
"set : SET DPD_CHECK_INTERVAL NUMBER",
"user : USER STRING STRING",
"ikev2rule : IKEV2 name ikeflags satype af proto rdomain hosts_list peers ike_sas child_sas ids ikelifetime lifetime ikeauth ikecfg iface filters",
"ikecfg :",
"ikecfg : ikecfgvals",
"ikecfgvals : cfg",
"ikecfgvals : ikecfgvals cfg",
"cfg : CONFIG STRING host_spec",
"cfg : REQUEST STRING anyhost",
"name :",
"name : STRING",
"satype :",
"satype : ESP",
"satype : AH",
"af :",
"af : INET",
"af : INET6",
"proto :",
"proto : PROTO protoval",
"proto : PROTO '{' proto_list '}'",
"proto_list : protoval",
"proto_list : proto_list comma protoval",
"protoval : STRING",
"protoval : NUMBER",
"rdomain :",
"rdomain : RDOMAIN NUMBER",
"hosts_list : hosts",
"hosts_list : hosts_list comma hosts",
"hosts : FROM host port TO host port",
"hosts : TO host port FROM host port",
"port :",
"port : PORT portval",
"portval : STRING",
"portval : NUMBER",
"peers :",
"peers : PEER anyhost LOCAL anyhost",
"peers : LOCAL anyhost PEER anyhost",
"peers : PEER anyhost",
"peers : LOCAL anyhost",
"anyhost : host_spec",
"anyhost : ANY",
"host_spec : STRING",
"host_spec : STRING '/' NUMBER",
"host : host_spec",
"host : host_spec '(' host_spec ')'",
"host : ANY",
"host : DYNAMIC",
"ids :",
"ids : SRCID id DSTID id",
"ids : SRCID id",
"ids : DSTID id",
"id : STRING",
"$$1 :",
"transforms : $$1 transforms_l",
"transforms :",
"transforms_l : transforms_l transform",
"transforms_l : transform",
"transform : AUTHXF STRING",
"transform : ENCXF STRING",
"transform : PRFXF STRING",
"transform : GROUP STRING",
"transform : transform_esn",
"transform_esn : ESN",
"transform_esn : NOESN",
"$$2 :",
"ike_sas : $$2 ike_sas_l",
"ike_sas :",
"ike_sas_l : ike_sas_l ike_sa",
"ike_sas_l : ike_sa",
"$$3 :",
"ike_sa : IKESA $$3 transforms",
"$$4 :",
"child_sas : $$4 child_sas_l",
"child_sas :",
"child_sas_l : child_sas_l child_sa",
"child_sas_l : child_sa",
"$$5 :",
"child_sa : CHILDSA $$5 transforms",
"ikeflags : ikematch ikemode ipcomp tmode",
"ikematch :",
"ikematch : QUICK",
"ikematch : SKIP",
"ikematch : DEFAULT",
"ikemode :",
"ikemode : PASSIVE",
"ikemode : ACTIVE",
"ipcomp :",
"ipcomp : IPCOMP",
"tmode :",
"tmode : TUNNEL",
"tmode : TRANSPORT",
"ikeauth :",
"ikeauth : PSK keyspec",
"ikeauth : EAP STRING",
"ikeauth : STRING",
"byte_spec : NUMBER",
"byte_spec : STRING",
"time_spec : NUMBER",
"time_spec : STRING",
"lifetime :",
"lifetime : LIFETIME time_spec",
"lifetime : LIFETIME time_spec BYTES byte_spec",
"ikelifetime :",
"ikelifetime : IKELIFETIME time_spec",
"keyspec : STRING",
"keyspec : FILENAME STRING",
"$$6 :",
"filters : $$6 filters_l",
"filters :",
"filters_l : filters_l filter",
"filters_l : filter",
"filter : TAG STRING",
"filter : TAP STRING",
"iface :",
"iface : IFACE STRING",
"string : string STRING",
"string : STRING",
"varset : STRING '=' string",
"otherrule : IKEV1",
"otherrule : sarule",
"otherrule : FLOW",
"otherrule : TCPMD5",
"sarule : SA",
"sarule : FROM",
"sarule : TO",
"sarule : TUNNEL",
"sarule : TRANSPORT",
"skipline :",
};
965 | #endif |
966 | #ifdef YYSTACKSIZE10000 |
967 | #undef YYMAXDEPTH10000 |
968 | #define YYMAXDEPTH10000 YYSTACKSIZE10000 |
969 | #else |
970 | #ifdef YYMAXDEPTH10000 |
971 | #define YYSTACKSIZE10000 YYMAXDEPTH10000 |
972 | #else |
973 | #define YYSTACKSIZE10000 10000 |
974 | #define YYMAXDEPTH10000 10000 |
975 | #endif |
976 | #endif |
977 | #define YYINITSTACKSIZE200 200 |
978 | /* LINTUSED */ |
/*
 * Generated parser state owned by yyparse().  The hand-written lexer
 * below only touches yylval (token value and source line number).
 */
int yydebug;
int yynerrs;
int yyerrflag;
int yychar;
short *yyssp;
YYSTYPE *yyvsp;
YYSTYPE yyval;
YYSTYPE yylval;		/* filled in by yylex(): .lineno, .v.string, .v.number */
short *yyss;
short *yysslim;
YYSTYPE *yyvs;
unsigned int yystacksize;
int yyparse(void);
992 | #line 1294 "/usr/src/sbin/iked/parse.y" |
993 | |
/* One entry of the sorted keyword table searched by lookup(). */
struct keywords {
	const char *k_name;	/* keyword as written in the config file */
	int k_val;		/* token value yylex() returns for it */
};
998 | |
/*
 * Copy the socket address `sa` into ipa->address.  Only AF_INET and
 * AF_INET6 are handled; any other family is reported with warnx() and
 * ipa is left untouched.
 */
void
copy_sockaddrtoipa(struct ipsec_addr_wrap *ipa, struct sockaddr *sa)
{
	size_t len;

	switch (sa->sa_family) {
	case AF_INET6:
		len = sizeof(struct sockaddr_in6);
		break;
	case AF_INET:
		len = sizeof(struct sockaddr_in);
		break;
	default:
		warnx("unhandled af %d", sa->sa_family);
		return;
	}
	memcpy(&ipa->address, sa, len);
}
1009 | |
/*
 * Report a parse error for the current file and line on stderr, with
 * printf()-style formatting, and bump the current file's error count.
 * Always returns 0 (the return value is what yacc expects).
 */
int
yyerror(const char *fmt, ...)
{
	va_list ap;

	file->errors++;
	fprintf(stderr, "%s: %d: ", file->name, yylval.lineno);
	va_start(ap, fmt);
	vfprintf(stderr, fmt, ap);
	va_end(ap);
	fputc('\n', stderr);
	return (0);
}
1023 | |
/*
 * bsearch() comparator: `k` is the word being looked up, `e` points at
 * a struct keywords entry.  Returns strcmp() order on the names.
 */
int
kw_cmp(const void *k, const void *e)
{
	const char *word = k;
	const struct keywords *entry = e;

	return (strcmp(word, entry->k_name));
}
1029 | |
/*
 * Map a bare word from the config file to its token value.  Words that
 * are not keywords come back as STRING.  With debug > 1 the decision
 * is echoed on stderr.
 */
int
lookup(char *s)
{
	/* this has to be sorted always */
	static const struct keywords keywords[] = {
		{ "active",			ACTIVE },
		{ "ah",				AH },
		{ "any",			ANY },
		{ "auth",			AUTHXF },
		{ "bytes",			BYTES },
		{ "cert_partial_chain",		CERTPARTIALCHAIN },
		{ "childsa",			CHILDSA },
		{ "config",			CONFIG },
		{ "couple",			COUPLE },
		{ "decouple",			DECOUPLE },
		{ "default",			DEFAULT },
		{ "dpd_check_interval",		DPD_CHECK_INTERVAL },
		{ "dstid",			DSTID },
		{ "dynamic",			DYNAMIC },
		{ "eap",			EAP },
		{ "enc",			ENCXF },
		{ "enforcesingleikesa",		ENFORCESINGLEIKESA },
		{ "esn",			ESN },
		{ "esp",			ESP },
		{ "file",			FILENAME },
		{ "flow",			FLOW },
		{ "fragmentation",		FRAGMENTATION },
		{ "from",			FROM },
		{ "group",			GROUP },
		{ "iface",			IFACE },
		{ "ike",			IKEV1 },
		{ "ikelifetime",		IKELIFETIME },
		{ "ikesa",			IKESA },
		{ "ikev2",			IKEV2 },
		{ "include",			INCLUDE },
		{ "inet",			INET },
		{ "inet6",			INET6 },
		{ "ipcomp",			IPCOMP },
		{ "lifetime",			LIFETIME },
		{ "local",			LOCAL },
		{ "maxage",			MAXAGE },
		{ "mobike",			MOBIKE },
		{ "name",			NAME },
		{ "noenforcesingleikesa",	NOENFORCESINGLEIKESA },
		{ "noesn",			NOESN },
		{ "nofragmentation",		NOFRAGMENTATION },
		{ "nomobike",			NOMOBIKE },
		{ "nostickyaddress",		NOSTICKYADDRESS },
		{ "ocsp",			OCSP },
		{ "passive",			PASSIVE },
		{ "peer",			PEER },
		{ "port",			PORT },
		{ "prf",			PRFXF },
		{ "proto",			PROTO },
		{ "psk",			PSK },
		{ "quick",			QUICK },
		{ "rdomain",			RDOMAIN },
		{ "request",			REQUEST },
		{ "sa",				SA },
		{ "set",			SET },
		{ "skip",			SKIP },
		{ "srcid",			SRCID },
		{ "stickyaddress",		STICKYADDRESS },
		{ "tag",			TAG },
		{ "tap",			TAP },
		{ "tcpmd5",			TCPMD5 },
		{ "to",				TO },
		{ "tolerate",			TOLERATE },
		{ "transport",			TRANSPORT },
		{ "tunnel",			TUNNEL },
		{ "user",			USER }
	};
	const size_t nkeywords = sizeof(keywords) / sizeof(keywords[0]);
	const struct keywords *match;

	match = bsearch(s, keywords, nkeywords, sizeof(keywords[0]), kw_cmp);
	if (match == NULL) {
		if (debug > 1)
			fprintf(stderr, "string: %s\n", s);
		return (STRING);
	}
	if (debug > 1)
		fprintf(stderr, "%s: %d\n", s, match->k_val);
	return (match->k_val);
}
1117 | |
#define START_EXPAND	1
#define DONE_EXPAND	2

/*
 * Set by igetc() while the characters of a macro value pushed back by
 * yylex() are being replayed (between START_EXPAND and DONE_EXPAND).
 * yylex() checks it so that a '$' inside an expanded value is not
 * expanded again.
 */
static int expanding;
1122 | |
/*
 * Read one character from the current file, preferring anything that
 * was pushed back with lungetc().  The START_EXPAND/DONE_EXPAND marker
 * bytes are consumed here to maintain `expanding` and never returned.
 */
int
igetc(void)
{
	int c;

	for (;;) {
		if (file->ungetpos > 0)
			c = file->ungetbuf[--file->ungetpos];
		else
			c = getc(file->stream);

		if (c == START_EXPAND)
			expanding = 1;
		else if (c == DONE_EXPAND)
			expanding = 0;
		else
			return (c);
	}
}
1143 | |
/*
 * Read one logical character for the lexer.
 *
 * With `quotec` set (inside a quoted string) characters are returned
 * raw; hitting EOF there is a parse error, after which the enclosing
 * file is popped and the quote character itself is returned so the
 * caller can terminate the string.
 *
 * Outside quotes a backslash-newline pair is a line continuation (it
 * is skipped and the line counter advanced); a backslash before any
 * other character yields that character.  On EOF a '\n' is faked
 * once per file, then included files are popped until input remains.
 */
int
lgetc(int quotec)
{
	int c, next;

	if (quotec) {
		c = igetc();
		if (c != EOF)
			return (c);
		yyerror("reached end of file while parsing "
		    "quoted string");
		if (file == topfile || popfile() == EOF)
			return (EOF);
		return (quotec);
	}

	for (c = igetc(); c == '\\'; c = igetc()) {
		next = igetc();
		if (next != '\n') {
			c = next;
			break;
		}
		yylval.lineno = file->lineno;
		file->lineno++;
	}

	if (c == EOF) {
		/*
		 * Fake EOL when hit EOF for the first time. This gets line
		 * count right if last line in included file is syntactically
		 * invalid and has no newline.
		 */
		if (file->eof_reached == 0) {
			file->eof_reached = 1;
			return ('\n');
		}
		/* Return to the including file and continue reading there. */
		do {
			if (file == topfile || popfile() == EOF)
				return (EOF);
			c = igetc();
		} while (c == EOF);
	}
	return (c);
}
1188 | |
/*
 * Push character `c` back onto the current file so the next igetc()
 * returns it.  EOF is ignored.  The pushback buffer doubles whenever it
 * is full; allocation failure is fatal (err()).
 */
void
lungetc(int c)
{
	void *grown;

	if (c == EOF)
		return;

	if (file->ungetpos >= file->ungetsize) {
		grown = reallocarray(file->ungetbuf, file->ungetsize, 2);
		if (grown == NULL)
			err(1, "lungetc");
		file->ungetbuf = grown;
		file->ungetsize *= 2;
	}
	file->ungetbuf[file->ungetpos++] = c;
}
1204 | |
/*
 * Error recovery: discard input up to and including the next newline
 * (or to EOF) and return the ERROR token.
 */
int
findeol(void)
{
	int c;

	/* skip to either EOF or the first real EOL */
	do {
		c = lgetc(0);
		if (c == '\n') {
			file->lineno++;
			break;
		}
	} while (c != EOF);
	return (ERROR);
}
1222 | |
/*
 * Tokenizer for the configuration grammar.
 *
 * Reads through lgetc(), skips blanks and '#' comments, expands
 * "$name" macros by pushing the symget() value back onto the input
 * (bracketed by START_EXPAND/DONE_EXPAND), and returns one of: a
 * single character, STRING (quoted or bare word; a strdup()ed copy in
 * yylval.v.string), NUMBER (yylval.v.number), or a keyword token from
 * lookup().  Lexical errors are reported via yyerror() and the rest of
 * the line is dropped with findeol().  Returns 0 at end of input.
 * Every copy into `buf` is bounds-checked against sizeof(buf).
 */
int
yylex(void)
{
	char buf[8096];
	char *p, *val;
	int quotec, next, c;
	int token;

top:
	p = buf;
	while ((c = lgetc(0)) == ' ' || c == '\t')
		; /* nothing */

	yylval.lineno = file->lineno;
	if (c == '#')
		while ((c = lgetc(0)) != '\n' && c != EOF)
			; /* nothing */
	/* Macro reference; a '$' inside an expanded value is left alone. */
	if (c == '$' && !expanding) {
		while (1) {
			if ((c = lgetc(0)) == EOF)
				return (0);

			if (p + 1 >= buf + sizeof(buf) - 1) {
				yyerror("string too long");
				return (findeol());
			}
			if (isalnum(c) || c == '_') {
				*p++ = c;
				continue;
			}
			*p = '\0';
			lungetc(c);
			break;
		}
		val = symget(buf);
		if (val == NULL) {
			yyerror("macro '%s' not defined", buf);
			return (findeol());
		}
		/*
		 * Push the value back last-character-first so it is read in
		 * order; the markers are consumed by igetc(), not returned.
		 */
		p = val + strlen(val) - 1;
		lungetc(DONE_EXPAND);
		while (p >= val) {
			lungetc((unsigned char)*p);
			p--;
		}
		lungetc(START_EXPAND);
		goto top;
	}

	switch (c) {
	case '\'':
	case '"':
		/*
		 * Quoted string.  Embedded newlines are counted but not
		 * stored; a backslash escapes the quote character, blank,
		 * tab or newline and is otherwise kept literally.
		 */
		quotec = c;
		while (1) {
			if ((c = lgetc(quotec)) == EOF)
				return (0);
			if (c == '\n') {
				file->lineno++;
				continue;
			} else if (c == '\\') {
				if ((next = lgetc(quotec)) == EOF)
					return (0);
				if (next == quotec || next == ' ' ||
				    next == '\t')
					c = next;
				else if (next == '\n') {
					file->lineno++;
					continue;
				} else
					lungetc(next);
			} else if (c == quotec) {
				*p = '\0';
				break;
			} else if (c == '\0') {
				yyerror("syntax error");
				return (findeol());
			}
			if (p + 1 >= buf + sizeof(buf) - 1) {
				yyerror("string too long");
				return (findeol());
			}
			*p++ = c;
		}
		yylval.v.string = strdup(buf);
		if (yylval.v.string == NULL)
			err(1, "%s", __func__);
		return (STRING);
	}

#define allowed_to_end_number(x) \
	(isspace(x) || x == ')' || x ==',' || x == '/' || x == '}' || x == '=')

	/*
	 * Number.  A lone '-' is returned as a character; digits that are
	 * followed by something other than a terminator are pushed back
	 * and re-read as a bare word below.
	 */
	if (c == '-' || isdigit(c)) {
		do {
			*p++ = c;
			if ((size_t)(p-buf) >= sizeof(buf)) {
				yyerror("string too long");
				return (findeol());
			}
		} while ((c = lgetc(0)) != EOF && isdigit(c));
		lungetc(c);
		if (p == buf + 1 && buf[0] == '-')
			goto nodigits;
		if (c == EOF || allowed_to_end_number(c)) {
			const char *errstr = NULL;

			*p = '\0';
			yylval.v.number = strtonum(buf, LLONG_MIN,
			    LLONG_MAX, &errstr);
			if (errstr) {
				yyerror("\"%s\" invalid number: %s",
				    buf, errstr);
				return (findeol());
			}
			return (NUMBER);
		} else {
nodigits:
			while (p > buf + 1)
				lungetc((unsigned char)*--p);
			c = (unsigned char)*--p;
			if (c == '-')
				return (c);
		}
	}

#define allowed_in_string(x) \
	(isalnum(x) || (ispunct(x) && x != '(' && x != ')' && \
	x != '{' && x != '}' && x != '<' && x != '>' && \
	x != '!' && x != '=' && x != '/' && x != '#' && \
	x != ','))

	/* Bare word: keyword or STRING, decided by lookup(). */
	if (isalnum(c) || c == ':' || c == '_' || c == '*') {
		do {
			*p++ = c;
			if ((size_t)(p-buf) >= sizeof(buf)) {
				yyerror("string too long");
				return (findeol());
			}
		} while ((c = lgetc(0)) != EOF && (allowed_in_string(c)));
		lungetc(c);
		*p = '\0';
		if ((token = lookup(buf)) == STRING)
			if ((yylval.v.string = strdup(buf)) == NULL)
				err(1, "%s", __func__);
		return (token);
	}
	if (c == '\n') {
		yylval.lineno = file->lineno;
		file->lineno++;
	}
	if (c == EOF)
		return (0);
	return (c);
}
1377 | |
/*
 * Refuse to use a file that may hold secrets unless it is owned by
 * root or the invoking user and is neither group-writable/executable
 * nor accessible to others at all.  Reports the reason on stderr and
 * returns -1 on rejection (or if fstat() fails), 0 if acceptable.
 */
int
check_file_secrecy(int fd, const char *fname)
{
	struct stat st;
	const mode_t forbidden = S_IWGRP | S_IXGRP | S_IRWXO;

	if (fstat(fd, &st) != 0) {
		warn("cannot stat %s", fname);
		return (-1);
	}
	if (st.st_uid != 0 && st.st_uid != getuid()) {
		warnx("%s: owner not root or current user", fname);
		return (-1);
	}
	if ((st.st_mode & forbidden) != 0) {
		warnx("%s: group writable or world read/writable", fname);
		return (-1);
	}
	return (0);
}
1397 | |
/*
 * Open `name` and make it the innermost input file.  "-" as the very
 * first file means standard input.  With `secret` set the file must
 * pass check_file_secrecy() (used for the main config, which may hold
 * pre-shared keys).  Returns the new file entry, or NULL after a
 * warn() on any failure; nothing is leaked on the failure paths.
 */
struct file *
pushfile(const char *name, int secret)
{
	struct file *nfile;

	if ((nfile = calloc(1, sizeof(*nfile))) == NULL) {
		warn("%s", __func__);
		return (NULL);
	}
	if ((nfile->name = strdup(name)) == NULL) {
		warn("%s", __func__);
		goto fail_name;
	}
	if (TAILQ_FIRST(&files) == NULL && strcmp(nfile->name, "-") == 0) {
		nfile->stream = stdin;
		free(nfile->name);
		if ((nfile->name = strdup("stdin")) == NULL) {
			warn("%s", __func__);
			goto fail_name;
		}
	} else if ((nfile->stream = fopen(nfile->name, "r")) == NULL) {
		warn("%s: %s", __func__, nfile->name);
		goto fail_name;
	} else if (secret &&
	    check_file_secrecy(fileno(nfile->stream), nfile->name)) {
		goto fail_stream;
	}
	/* The top-level file starts at line 1; included files at 0. */
	nfile->lineno = TAILQ_EMPTY(&files) ? 1 : 0;
	nfile->ungetsize = 16;
	nfile->ungetbuf = malloc(nfile->ungetsize);
	if (nfile->ungetbuf == NULL) {
		warn("%s", __func__);
		goto fail_stream;
	}
	TAILQ_INSERT_TAIL(&files, nfile, entry);
	return (nfile);

fail_stream:
	fclose(nfile->stream);
fail_name:
	free(nfile->name);
	free(nfile);
	return (NULL);
}
1445 | |
/*
 * Close the innermost input file, fold its error count into the file
 * that included it, and make that file current.  Returns 0 if a file
 * remains, EOF when the last one was popped.
 */
int
popfile(void)
{
	struct file *cur = file, *prev;

	prev = TAILQ_PREV(cur, files, entry);
	if (prev != NULL)
		prev->errors += cur->errors;

	TAILQ_REMOVE(&files, cur, entry);
	fclose(cur->stream);
	free(cur->name);
	free(cur->ungetbuf);
	free(cur);
	file = prev;

	return (file != NULL ? 0 : EOF);
}
1463 | |
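/*
 * Parse the configuration file `filename` into `x_env`.
 *
 * The file is opened with the secrecy check enabled, every "set ..."
 * global is reset to its default, the grammar is run, and the results
 * are copied into the environment.  Macros defined during the parse
 * are freed afterwards (unused ones are logged).  Returns 0 on
 * success, -1 if the file could not be opened or yyparse() reported
 * errors.
 *
 * The duplicate resets of decouple/passive and ocsp_url that followed
 * the block below were dropped; each global is now reset exactly once.
 */
int
parse_config(const char *filename, struct iked *x_env)
{
	struct sym *sym;
	int errors = 0;

	env = x_env;
	rules = 0;

	if ((file = pushfile(filename, 1)) == NULL)
		return (-1);
	topfile = file;

	/* Reset every "set" option to its default before the grammar runs. */
	free(ocsp_url);
	ocsp_url = NULL;
	ocsp_tolerate = 0;
	ocsp_maxage = -1;
	mobike = 1;
	enforcesingleikesa = stickyaddress = 0;
	cert_partial_chain = decouple = passive = 0;
	fragmentation = 0;
	dpd_interval = IKED_IKE_SA_ALIVE_TIMEOUT;

	/* A passive flag already present in sc_opts overrides the default. */
	if (env->sc_opts & IKED_OPT_PASSIVE)
		passive = 1;

	yyparse();
	errors = file->errors;
	popfile();

	env->sc_passive = passive ? 1 : 0;
	env->sc_decoupled = decouple ? 1 : 0;
	env->sc_mobike = mobike;
	env->sc_enforcesingleikesa = enforcesingleikesa;
	env->sc_stickyaddress = stickyaddress;
	env->sc_frag = fragmentation;
	env->sc_alive_timeout = dpd_interval;
	/* Same string as the global; the global copy is freed on the next parse. */
	env->sc_ocsp_url = ocsp_url;
	env->sc_ocsp_tolerate = ocsp_tolerate;
	env->sc_ocsp_maxage = ocsp_maxage;
	env->sc_cert_partial_chain = cert_partial_chain;

	if (!rules)
		log_warnx("%s: no valid configuration rules found",
		    filename);
	else
		log_debug("%s: loaded %d configuration rules",
		    filename, rules);

	/* Free macros and check which have not been used. */
	while ((sym = TAILQ_FIRST(&symhead))) {
		if (!sym->used)
			log_debug("warning: macro '%s' not "
			    "used\n", sym->nam);
		free(sym->nam);
		free(sym->val);
		TAILQ_REMOVE(&symhead, sym, entry);
		free(sym);
	}

	iaw_free(iftab);
	iftab = NULL;

	return (errors ? -1 : 0);
}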
1532 | |
/*
 * Define macro `nam` with value `val`.  An existing definition marked
 * persistent (command-line origin) is kept and 0 is returned; a
 * non-persistent one is replaced.  Returns 0 on success, -1 when an
 * allocation fails.
 */
int
symset(const char *nam, const char *val, int persist)
{
	struct sym *sym, *nsym;

	TAILQ_FOREACH(sym, &symhead, entry) {
		if (strcmp(nam, sym->nam) != 0)
			continue;
		if (sym->persist == 1)
			return (0);
		free(sym->nam);
		free(sym->val);
		TAILQ_REMOVE(&symhead, sym, entry);
		free(sym);
		break;
	}

	if ((nsym = calloc(1, sizeof(*nsym))) == NULL)
		return (-1);
	nsym->nam = strdup(nam);
	nsym->val = strdup(val);
	if (nsym->nam == NULL || nsym->val == NULL) {
		free(nsym->nam);
		free(nsym->val);
		free(nsym);
		return (-1);
	}
	nsym->used = 0;
	nsym->persist = persist;
	TAILQ_INSERT_TAIL(&symhead, nsym, entry);
	return (0);
}
1572 | |
/*
 * Define a persistent macro from a command-line "name=value" argument,
 * splitting at the last '='.  Returns -1 if there is no '=', otherwise
 * symset()'s result.  Allocation failure is fatal.
 */
int
cmdline_symset(char *s)
{
	char *eq, *name;
	int ret;

	eq = strrchr(s, '=');
	if (eq == NULL)
		return (-1);

	if ((name = strndup(s, (size_t)(eq - s))) == NULL)
		err(1, "%s", __func__);
	ret = symset(name, eq + 1, 1);
	free(name);
	return (ret);
}
1590 | |
/*
 * Look up macro `nam`.  Returns its value (owned by the symbol table)
 * and marks the macro used, or NULL when undefined.
 */
char *
symget(const char *nam)
{
	struct sym *sym;

	TAILQ_FOREACH(sym, &symhead, entry) {
		if (strcmp(nam, sym->nam) != 0)
			continue;
		sym->used = 1;
		return (sym->val);
	}
	return (NULL);
}
1604 | |
/*
 * Convert the two hex characters at `s` to one byte.  On a non-hex
 * character a parse error is reported and -1 is returned, which the
 * uint8_t return type turns into 0xff: callers cannot distinguish it
 * from a valid "ff" byte and must rely on the error count instead.
 */
uint8_t
x2i(unsigned char *s)
{
	char pair[3] = { s[0], s[1], '\0' };

	if (!isxdigit(s[0]) || !isxdigit(s[1])) {
		yyerror("keys need to be specified in hex digits");
		return (-1);
	}
	return ((uint8_t)strtoul(pair, NULL, 16));
}
1620 | |
/*
 * Decode the hex string `hexkey` of `len` characters into auth->auth_data
 * (two characters per byte; a trailing odd character is ignored).
 * Returns -1 without decoding if the key would not fit, 0 otherwise.
 * Invalid hex digits are reported by x2i() and do not fail the call.
 */
int
parsekey(unsigned char *hexkey, size_t len, struct iked_auth *auth)
{
	unsigned int i;
	size_t nbytes = len / 2;

	memset(auth, 0, sizeof(*auth));
	if (nbytes > sizeof(auth->auth_data))
		return (-1);
	auth->auth_length = nbytes;

	for (i = 0; i < auth->auth_length; i++)
		auth->auth_data[i] = x2i(hexkey + 2 * i);

	return (0);
}
1636 | |
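/*
 * Read a hex-encoded key from `filename` (1..KEYSIZE_LIMIT bytes) and
 * decode it into `auth` via parsekey(), returning parsekey()'s result.
 * Any I/O problem is fatal (err()/errx()).  The temporary buffer holds
 * key material, so it is wiped with explicit_bzero() before free():
 * a plain memset() before free() may be optimized away.
 */
int
parsekeyfile(char *filename, struct iked_auth *auth)
{
	struct stat sb;
	int fd, ret;
	unsigned char *hex;

	if ((fd = open(filename, O_RDONLY)) == -1)
		err(1, "open %s", filename);
	if (fstat(fd, &sb) == -1)
		err(1, "parsekeyfile: stat %s", filename);
	if ((sb.st_size > KEYSIZE_LIMIT) || (sb.st_size == 0))
		errx(1, "%s: key too %s", filename, sb.st_size ? "large" :
		    "small");
	if ((hex = calloc(sb.st_size, sizeof(unsigned char))) == NULL)
		err(1, "parsekeyfile: calloc");
	if (read(fd, hex, sb.st_size) < sb.st_size)
		err(1, "parsekeyfile: read");
	close(fd);
	ret = parsekey(hex, sb.st_size, auth);
	explicit_bzero(hex, sb.st_size);
	free(hex);
	return (ret);
}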
1660 | |
/*
 * Classify an identity string: NULL -> NONE, leading '/' -> ASN.1 DN,
 * a literal IPv4/IPv6 address -> IPV4/IPV6, anything containing '@'
 * -> UFQDN, otherwise FQDN.
 */
int
get_id_type(char *string)
{
	struct in6_addr ia;	/* large enough for either address family */

	if (string == NULL)
		return (IKEV2_ID_NONE);
	if (*string == '/')
		return (IKEV2_ID_ASN1_DN);
	if (inet_pton(AF_INET, string, &ia) == 1)
		return (IKEV2_ID_IPV4);
	if (inet_pton(AF_INET6, string, &ia) == 1)
		return (IKEV2_ID_IPV6);
	if (strchr(string, '@') != NULL)
		return (IKEV2_ID_UFQDN);
	return (IKEV2_ID_FQDN);
}
1680 | |
/*
 * Resolve a host specification "name[/prefixlen]" to an address list,
 * trying an interface name, then a literal address, then DNS.  The
 * prefix length is only range-checked as 0..128 here.  Returns NULL,
 * after a message on stderr, if nothing resolves or the prefix is bad.
 */
struct ipsec_addr_wrap *
host(const char *s)
{
	struct ipsec_addr_wrap *ipa = NULL;
	int mask = -1;
	char *slash, *copy;
	const char *errstr;

	if ((copy = strdup(s)) == NULL)
		err(1, "%s: strdup", __func__);

	slash = strchr(copy, '/');
	if (slash != NULL) {
		mask = strtonum(slash + 1, 0, 128, &errstr);
		if (errstr != NULL) {
			fprintf(stderr, "netmask is %s: %s\n", errstr, slash);
			goto error;
		}
		*slash = '\0';
	}

	ipa = host_if(copy, mask);
	if (ipa == NULL)
		ipa = host_ip(copy, mask);
	if (ipa == NULL)
		ipa = host_dns(copy, mask);
	if (ipa == NULL)
		fprintf(stderr, "no IP address found for %s\n", s);

error:
	free(copy);
	return (ipa);
}
1710 | |
/*
 * Build an address entry for the literal IP address `s` (no DNS lookup:
 * AI_NUMERICHOST).  Returns NULL if `s` is not a literal address.  A
 * literal that expands to more than one result, allocation failure or
 * a getnameinfo() failure are fatal.  With a mask >= 0 the entry is
 * flagged as a network and named "addr/mask", else just "addr".
 */
struct ipsec_addr_wrap *
host_ip(const char *s, int mask)
{
	struct ipsec_addr_wrap *ipa;
	struct addrinfo hints = {
		.ai_family = AF_UNSPEC,
		.ai_socktype = SOCK_DGRAM,	/* dummy */
		.ai_flags = AI_NUMERICHOST,
	};
	struct addrinfo *res;
	char hbuf[NI_MAXHOST];

	if (getaddrinfo(s, NULL, &hints, &res) != 0)
		return (NULL);
	if (res->ai_next != NULL)
		err(1, "%s: %s expanded to multiple item", __func__, s);

	if ((ipa = calloc(1, sizeof(*ipa))) == NULL)
		err(1, "%s", __func__);
	ipa->af = res->ai_family;
	copy_sockaddrtoipa(ipa, res->ai_addr);
	ipa->next = NULL;
	ipa->tail = ipa;
	set_ipmask(ipa, mask);

	if (getnameinfo(res->ai_addr, res->ai_addrlen, hbuf, sizeof(hbuf),
	    NULL, 0, NI_NUMERICHOST) != 0)
		errx(1, "could not get a numeric hostname");

	if (mask > -1) {
		ipa->netaddress = 1;
		if (asprintf(&ipa->name, "%s/%d", hbuf, mask) == -1)
			err(1, "%s", __func__);
	} else if ((ipa->name = strdup(hbuf)) == NULL)
		err(1, "%s", __func__);

	freeaddrinfo(res);
	return (ipa);
}
1754 | |
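struct ipsec_addr_wrap *
host_dns(const char *s, int mask)
{
	struct ipsec_addr_wrap	*ipa = NULL, *head = NULL;
	struct addrinfo		 hints, *res0, *res;
	int			 error;
	char			 hbuf[NI_MAXHOST];

	/*
	 * Resolve the host name "s" and return one list node per IPv4 or
	 * IPv6 result (head->tail is kept at the last node), or NULL when
	 * resolution fails.  "mask" (-1 = none) is applied to IPv4 results
	 * as given, defaulting to /32; it is bounded to 0..128 by host()
	 * but not to 32 here.  A prefix length together with an IPv6
	 * result is fatal (see the XXX note below).
	 */
	bzero(&hints, sizeof(struct addrinfo));
	hints.ai_family = PF_UNSPEC;
	hints.ai_socktype = SOCK_STREAM;
	hints.ai_flags = AI_ADDRCONFIG;	/* only families this host has configured */
	error = getaddrinfo(s, NULL, &hints, &res0);
	if (error)
		return (NULL);

	for (res = res0; res; res = res->ai_next) {
		if (res->ai_family != AF_INET && res->ai_family != AF_INET6)
			continue;

		ipa = calloc(1, sizeof(struct ipsec_addr_wrap));
		if (ipa == NULL)
			err(1, "%s", __func__);
		copy_sockaddrtoipa(ipa, res->ai_addr);
		error = getnameinfo(res->ai_addr, res->ai_addrlen, hbuf,
		    sizeof(hbuf), NULL, 0, NI_NUMERICHOST);
		if (error) {
			/*
			 * getnameinfo() reports failures through its return
			 * value, not errno, so err() would print an unrelated
			 * strerror() text; report the real reason instead.
			 */
			errx(1, "host_dns: getnameinfo: %s",
			    gai_strerror(error));
		}
		ipa->name = strdup(hbuf);
		if (ipa->name == NULL)
			err(1, "%s", __func__);
		ipa->af = res->ai_family;
		ipa->next = NULL;
		ipa->tail = ipa;
		if (head == NULL)
			head = ipa;
		else {
			head->tail->next = ipa;
			head->tail = ipa;
		}

		/*
		 * XXX for now, no netmask support for IPv6.
		 * but since there's no way to specify address family, once you
		 * have IPv6 address on a host, you cannot use dns/netmask
		 * syntax.
		 */
		if (ipa->af == AF_INET)
			set_ipmask(ipa, mask == -1 ? 32 : mask);
		else if (mask != -1) {
			/* a configuration error, not a failed call: no errno */
			errx(1, "host_dns: cannot apply netmask "
			    "on non-IPv4 address");
		}
	}
	freeaddrinfo(res0);

	return (head);
}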
1813 | |
struct ipsec_addr_wrap *
host_if(const char *s, int mask)
{
	/*
	 * Treat "s" as an interface or interface-group name and return
	 * its address list, or NULL when no such interface exists.
	 * "mask" is accepted for signature parity with host_ip() and
	 * host_dns() but is not used: ifa_lookup() assigns the masks
	 * itself.
	 */
	(void)mask;

	if (!ifa_exists(s))
		return (NULL);

	return (ifa_lookup(s));
}
1824 | |
struct ipsec_addr_wrap *
host_any(void)
{
	struct ipsec_addr_wrap	*ipa;

	/*
	 * Allocate the wildcard ("any") address entry: no address family,
	 * flagged as a network address, type IPSEC_ADDR_ANY.  Allocation
	 * failure is fatal.
	 */
	if ((ipa = calloc(1, sizeof(*ipa))) == NULL)
		err(1, "%s", __func__);

	ipa->type = IPSEC_ADDR_ANY;
	ipa->af = AF_UNSPEC;
	ipa->netaddress = 1;
	ipa->tail = ipa;

	return (ipa);
}
1839 | |
struct ipsec_addr_wrap *
host_dynamic(void)
{
	struct ipsec_addr_wrap	*ipa;

	/*
	 * Allocate the placeholder entry for a dynamically assigned
	 * address: no address family, type IPSEC_ADDR_DYNAMIC.  Unlike
	 * host_any() it is not marked as a network address.  Allocation
	 * failure is fatal.
	 */
	if ((ipa = calloc(1, sizeof(*ipa))) == NULL)
		err(1, "%s", __func__);

	ipa->type = IPSEC_ADDR_DYNAMIC;
	ipa->af = AF_UNSPEC;
	ipa->tail = ipa;

	return (ipa);
}
1853 | |
void
ifa_load(void)
{
	struct ifaddrs		*ifap, *ifa;
	struct ipsec_addr_wrap	*entry, *list = NULL;
	struct sockaddr_in	*sin;
	struct sockaddr_in6	*sin6;

	/*
	 * Snapshot the system's interface addresses into the global
	 * "iftab" list.  Only AF_INET, AF_INET6 and AF_LINK entries are
	 * kept: the two IP families record the address and the prefix
	 * length derived from the interface netmask, AF_LINK entries
	 * carry just the interface name (they are what ifa_exists()
	 * matches on).  Callers invoke this once, when iftab is NULL;
	 * the snapshot is never refreshed afterwards.
	 */
	if (getifaddrs(&ifap) == -1)
		err(1, "ifa_load: getifaddrs");

	for (ifa = ifap; ifa != NULL; ifa = ifa->ifa_next) {
		if (ifa->ifa_addr == NULL)
			continue;
		switch (ifa->ifa_addr->sa_family) {
		case AF_INET:
		case AF_INET6:
		case AF_LINK:
			break;
		default:
			continue;
		}

		if ((entry = calloc(1, sizeof(*entry))) == NULL)
			err(1, "%s", __func__);
		entry->af = ifa->ifa_addr->sa_family;
		if ((entry->name = strdup(ifa->ifa_name)) == NULL)
			err(1, "%s", __func__);

		switch (entry->af) {
		case AF_INET:
			sin = (struct sockaddr_in *)ifa->ifa_addr;
			memcpy(&entry->address, sin, sizeof(*sin));
			/* NOTE(review): assumes ifa_netmask is non-NULL for IP entries -- confirm */
			sin = (struct sockaddr_in *)ifa->ifa_netmask;
			entry->mask = mask2prefixlen((struct sockaddr *)sin);
			break;
		case AF_INET6:
			sin6 = (struct sockaddr_in6 *)ifa->ifa_addr;
			memcpy(&entry->address, sin6, sizeof(*sin6));
			sin6 = (struct sockaddr_in6 *)ifa->ifa_netmask;
			entry->mask = mask2prefixlen6((struct sockaddr *)sin6);
			break;
		default:
			/* AF_LINK: name only */
			break;
		}

		/* append, keeping list->tail at the last node */
		entry->next = NULL;
		entry->tail = entry;
		if (list == NULL) {
			list = entry;
		} else {
			list->tail->next = entry;
			list->tail = entry;
		}
	}

	iftab = list;
	freeifaddrs(ifap);
}
1901 | |
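int
ifa_exists(const char *ifa_name)
{
	struct ipsec_addr_wrap	*n;
	struct ifgroupreq	 ifgr;
	int			 s, is_group = 0;

	/*
	 * Return 1 if "ifa_name" is an interface group (per SIOCGIFGMEMB)
	 * or an interface present in the iftab snapshot, 0 otherwise.
	 * iftab is loaded on first use and not refreshed later.
	 */
	if (iftab == NULL)
		ifa_load();

	/*
	 * A name that does not fit ifgr_name cannot be an interface or
	 * group.  Rejecting it here avoids querying the kernel with a
	 * silently truncated name, which could match a different group.
	 */
	bzero(&ifgr, sizeof(ifgr));
	if (strlcpy(ifgr.ifgr_name, ifa_name, sizeof(ifgr.ifgr_name)) >=
	    sizeof(ifgr.ifgr_name))
		return (0);

	/* check whether this is a group */
	if ((s = socket(AF_INET, SOCK_DGRAM, 0)) == -1)
		err(1, "ifa_exists: socket");
	if (ioctl(s, SIOCGIFGMEMB, (caddr_t)&ifgr) == 0)
		is_group = 1;
	close(s);
	if (is_group)
		return (1);

	for (n = iftab; n; n = n->next) {
		if (n->af == AF_LINK && !strncmp(n->name, ifa_name,
		    IFNAMSIZ))
			return (1);
	}

	return (0);
}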
1931 | |
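struct ipsec_addr_wrap *
ifa_grouplookup(const char *ifa_name)
{
	struct ifg_req		*ifg;
	struct ifgroupreq	 ifgr;
	int			 s;
	size_t			 len;
	struct ipsec_addr_wrap	*n, *h = NULL, *last;

	/*
	 * Expand the interface group "ifa_name" into the concatenated
	 * address lists of all its members (via ifa_lookup()).  Returns
	 * NULL when the name is not a group or no member has a usable
	 * address.  The returned list keeps h->tail at its last node.
	 */
	if ((s = socket(AF_INET, SOCK_DGRAM, 0)) == -1)
		err(1, "socket");
	bzero(&ifgr, sizeof(ifgr));
	if (strlcpy(ifgr.ifgr_name, ifa_name, sizeof(ifgr.ifgr_name)) >=
	    sizeof(ifgr.ifgr_name)) {
		/* too long to be a group name; do not query a truncated one */
		close(s);
		return (NULL);
	}
	/* first pass: sizes the member buffer in ifgr_len (ifgr_groups is NULL) */
	if (ioctl(s, SIOCGIFGMEMB, (caddr_t)&ifgr) == -1) {
		close(s);
		return (NULL);
	}

	len = ifgr.ifgr_len;
	if (len == 0) {
		/* group exists but has no members: nothing to expand */
		close(s);
		return (NULL);
	}
	if ((ifgr.ifgr_groups = calloc(1, len)) == NULL)
		err(1, "%s", __func__);
	/* second pass: fill the buffer */
	if (ioctl(s, SIOCGIFGMEMB, (caddr_t)&ifgr) == -1)
		err(1, "ioctl");

	for (ifg = ifgr.ifgr_groups; ifg && len >= sizeof(struct ifg_req);
	    ifg++) {
		len -= sizeof(struct ifg_req);
		if ((n = ifa_lookup(ifg->ifgrq_member)) == NULL)
			continue;
		if (h == NULL) {
			h = n;
			continue;
		}
		/*
		 * Append the member's list and move h->tail to the new
		 * last node.  Previously n->tail was pointed at the
		 * predecessor and h->tail was left at the end of the
		 * first member's list, so callers that splice lists via
		 * ->tail would not see the later members.
		 */
		for (last = h; last->next != NULL; last = last->next)
			;	/* nothing */
		last->next = n;
		for (last = n; last->next != NULL; last = last->next)
			;	/* nothing */
		h->tail = last;
	}
	free(ifgr.ifgr_groups);
	close(s);

	return (h);
}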
1975 | |
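struct ipsec_addr_wrap *
ifa_lookup(const char *ifa_name)
{
	struct ipsec_addr_wrap	*p = NULL, *h = NULL, *n = NULL;
	struct sockaddr_in6	*in6;

	/*
	 * Return a freshly allocated list of the IPv4/IPv6 addresses of
	 * interface (or interface group) "ifa_name", as host entries
	 * (/32 and /128), or NULL if none.  Entries are copies of the
	 * iftab snapshot; IPv6 link-local addresses are skipped.
	 */
	if (iftab == NULL)
		ifa_load();

	/* a group name expands to the addresses of all its members */
	if ((n = ifa_grouplookup(ifa_name)) != NULL)
		return (n);

	for (p = iftab; p; p = p->next) {
		if (p->af != AF_INET && p->af != AF_INET6)
			continue;
		if (strncmp(p->name, ifa_name, IFNAMSIZ))
			continue;
		n = calloc(1, sizeof(struct ipsec_addr_wrap));
		if (n == NULL)
			err(1, "%s", __func__);
		memcpy(n, p, sizeof(struct ipsec_addr_wrap));
		/* the copied name pointer is replaced by an owned copy */
		if ((n->name = strdup(p->name)) == NULL)
			err(1, "%s", __func__);
		switch (n->af) {
		case AF_INET:
			set_ipmask(n, 32);
			break;
		case AF_INET6:
			in6 = (struct sockaddr_in6 *)&n->address;
			/*
			 * route/show.c and bgpd/util.c give KAME credit:
			 * link-local addresses carry an embedded scope id in
			 * s6_addr[2..3].  Until that is supported they are
			 * dropped here.  The scope-id extraction that used
			 * to follow the "continue" was unreachable (the
			 * analyzer reported 's6' as stored but never read)
			 * and has been removed rather than left as dead code.
			 */
			if (IN6_IS_ADDR_LINKLOCAL(&in6->sin6_addr)) {
				free(n->name);
				free(n);
				continue;
			}
			set_ipmask(n, 128);
			break;
		default:
			/* unreachable: the family filter above admits only AF_INET/AF_INET6 */
			break;
		}

		/* append, keeping h->tail at the last node */
		n->next = NULL;
		n->tail = n;
		if (h == NULL)
			h = n;
		else {
			h->tail->next = n;
			h->tail = n;
		}
	}

	return (h);
}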
2042 | |
void
set_ipmask(struct ipsec_addr_wrap *address, int b)
{
	/*
	 * Store prefix length "b" on "address".  -1 selects the family's
	 * full host mask: 32 for AF_INET, 128 otherwise.  No range check
	 * against the family is done here.
	 */
	int	 hostmask = (address->af == AF_INET) ? 32 : 128;

	address->mask = (b == -1) ? hostmask : b;
}
2051 | |
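const struct ipsec_xf *
parse_xf(const char *name, unsigned int length, const struct ipsec_xf xfs[])
{
	size_t		 namelen;
	int		 i;

	/*
	 * Look "name" up in the NULL-name-terminated transform table
	 * "xfs".  The comparison is a prefix match bounded by
	 * strlen(name), so table order decides between entries sharing
	 * a prefix; "length" must equal the entry's key length unless it
	 * is 0 (any).  Returns the entry or NULL.
	 */
	if (name == NULL || (namelen = strlen(name)) == 0) {
		/* an empty name would prefix-match the first entry */
		return (NULL);
	}

	for (i = 0; xfs[i].name != NULL; i++) {
		if (strncmp(name, xfs[i].name, namelen) != 0)
			continue;
		if (length == 0 || length == xfs[i].length)
			return (&xfs[i]);
	}
	return (NULL);
}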
2065 | |
int
encxf_noauth(unsigned int id)
{
	const struct ipsec_xf	*xf;

	/*
	 * Return the "noauth" flag (authentication implicit in the
	 * encryption transform) of IKE encryption transform "id", or 0
	 * when the id is not in ikeencxfs.
	 */
	for (xf = ikeencxfs; xf->name != NULL; xf++) {
		if (xf->id == id)
			return (xf->noauth);
	}
	return (0);
}
2076 | |
size_t
keylength_xf(unsigned int saproto, unsigned int type, unsigned int id)
{
	const struct ipsec_xf	*table, *xf;

	/*
	 * Key length in bits of transform "id" of transform type "type".
	 * ENCR consults the IKE or IPsec encryption table depending on
	 * "saproto", INTEGR the integrity table; any other type, or an
	 * unknown id, yields 0.
	 */
	if (type == IKEV2_XFORMTYPE_ENCR)
		table = (saproto == IKEV2_SAPROTO_IKE) ? ikeencxfs : ipsecencxfs;
	else if (type == IKEV2_XFORMTYPE_INTEGR)
		table = authxfs;
	else
		return (0);

	for (xf = table; xf->name != NULL; xf++) {
		if (xf->id == id)
			return (xf->length * 8);
	}
	return (0);
}
2103 | |
size_t
noncelength_xf(unsigned int type, unsigned int id)
{
	const struct ipsec_xf	*xf;

	/*
	 * Nonce length in bits of IPsec encryption transform "id"; 0 for
	 * any type other than ENCR or for an unknown id.
	 */
	if (type != IKEV2_XFORMTYPE_ENCR)
		return (0);

	for (xf = ipsecencxfs; xf->name != NULL; xf++) {
		if (xf->id == id)
			return (xf->nonce * 8);
	}
	return (0);
}
2118 | |
void
copy_transforms(unsigned int type,
    const struct ipsec_xf **xfs, unsigned int nxfs,
    struct iked_transform **dst, unsigned int *ndst,
    struct iked_transform *src, size_t nsrc)
{
	struct iked_transform	*slot;
	size_t			 k;

	/*
	 * Grow the transform array *dst (count *ndst) by one entry per
	 * transform of "type".  When the configuration supplied explicit
	 * transforms (nxfs > 0) they are taken from "xfs"; otherwise the
	 * entries of the default table "src" whose xform_type equals
	 * "type" are copied verbatim.  Allocation failure is fatal.
	 */
	if (nxfs > 0) {
		for (k = 0; k < nxfs; k++) {
			*dst = recallocarray(*dst, *ndst, *ndst + 1,
			    sizeof(struct iked_transform));
			if (*dst == NULL)
				err(1, "%s", __func__);
			slot = &(*dst)[(*ndst)++];

			slot->xform_type = type;
			slot->xform_id = xfs[k]->id;
			/*
			 * NOTE(review): xform_keylength comes from ->length
			 * and xform_length from ->keylength, as in the
			 * original; presumably intentional -- confirm
			 * against struct ipsec_xf.
			 */
			slot->xform_keylength = xfs[k]->length * 8;
			slot->xform_length = xfs[k]->keylength * 8;
		}
		return;
	}

	for (k = 0; k < nsrc; k++) {
		if (src[k].xform_type != type)
			continue;
		*dst = recallocarray(*dst, *ndst, *ndst + 1,
		    sizeof(struct iked_transform));
		if (*dst == NULL)
			err(1, "%s", __func__);
		slot = &(*dst)[(*ndst)++];
		memcpy(slot, &src[k], sizeof(*slot));
	}
}
2158 | |
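int
create_ike(char *name, int af, struct ipsec_addr_wrap *ipproto,
    int rdomain, struct ipsec_hosts *hosts,
    struct ipsec_hosts *peers, struct ipsec_mode *ike_sa,
    struct ipsec_mode *ipsec_sa, uint8_t saproto,
    uint8_t flags, char *srcid, char *dstid,
    uint32_t ikelifetime, struct iked_lifetime *lt,
    struct iked_auth *authtype, struct ipsec_filters *filter,
    struct ipsec_addr_wrap *ikecfg, char *iface)
{
	char			 idstr[IKED_ID_SIZE];
	struct ipsec_addr_wrap	*ipa, *ipb, *ipp;
	struct iked_auth	*ikeauth;
	struct iked_policy	 pol;
	struct iked_proposal	*p, *ptmp;
	struct iked_transform	*xf;
	unsigned int		 i, j, xfi, noauth, auth;
	unsigned int		 ikepropid = 1, ipsecpropid = 1;
	struct iked_flow	*flow, *ftmp;
	static unsigned int	 policy_id = 0;
	struct iked_cfg		*cfg;
	int			 ret = -1;

	/*
	 * Build an iked_policy from one parsed "ikev2" rule and hand it,
	 * together with its flows, to the IKEv2 process through
	 * config_setpolicy()/config_setflow().  Returns 0 on success and
	 * -1 after yyerror() on a semantic error; address-family
	 * mismatches and invalid flows are fatal (fatalx).
	 *
	 * Ownership: name, srcid, dstid, hosts (and its lists), ikecfg,
	 * ipproto, ike_sa and ipsec_sa are consumed and freed at "done";
	 * the lists in peers are freed but peers itself is static.  The
	 * early "fail" exits do not free any of them (unchanged from
	 * before; the caller presumably aborts parsing -- confirm).
	 *
	 * The shared secret in *authtype is copied into pol.pol_auth and
	 * *authtype is scrubbed; pol is a stack copy and is scrubbed on
	 * every exit path so the secret does not linger on the stack.
	 */
	bzero(&pol, sizeof(pol));
	bzero(idstr, sizeof(idstr));

	pol.pol_id = ++policy_id;
	pol.pol_certreqtype = env->sc_certreqtype;
	pol.pol_af = af;
	pol.pol_saproto = saproto;
	for (i = 0, ipp = ipproto; ipp; ipp = ipp->next, i++) {
		if (i >= IKED_IPPROTO_MAX) {
			yyerror("too many protocols");
			goto fail;
		}
		pol.pol_ipproto[i] = ipp->type;
		pol.pol_nipproto++;
	}

	pol.pol_flags = flags;
	pol.pol_rdomain = rdomain;
	memcpy(&pol.pol_auth, authtype, sizeof(struct iked_auth));
	/* the caller's copy of the secret is no longer needed */
	explicit_bzero(authtype, sizeof(*authtype));

	if (name != NULL) {
		if (strlcpy(pol.pol_name, name,
		    sizeof(pol.pol_name)) >= sizeof(pol.pol_name)) {
			yyerror("name too long");
			goto fail;
		}
	} else {
		snprintf(pol.pol_name, sizeof(pol.pol_name),
		    "policy%d", policy_id);
	}

	if (iface != NULL) {
		pol.pol_iface = if_nametoindex(iface);
		if (pol.pol_iface == 0) {
			yyerror("invalid iface");
			goto fail;
		}
	}

	if (srcid) {
		pol.pol_localid.id_type = get_id_type(srcid);
		pol.pol_localid.id_length = strlen(srcid);
		if (strlcpy((char *)pol.pol_localid.id_data,
		    srcid, IKED_ID_SIZE) >= IKED_ID_SIZE) {
			yyerror("srcid too long");
			goto fail;
		}
	}
	if (dstid) {
		pol.pol_peerid.id_type = get_id_type(dstid);
		pol.pol_peerid.id_length = strlen(dstid);
		if (strlcpy((char *)pol.pol_peerid.id_data,
		    dstid, IKED_ID_SIZE) >= IKED_ID_SIZE) {
			yyerror("dstid too long");
			goto fail;
		}
	}

	if (filter != NULL) {
		/* NOTE(review): tag truncation by strlcpy is not reported -- confirm this is intended */
		if (filter->tag)
			strlcpy(pol.pol_tag, filter->tag, sizeof(pol.pol_tag));
		pol.pol_tap = filter->tap;
	}

	if (peers == NULL) {
		if (pol.pol_flags & IKED_POLICY_ACTIVE) {
			yyerror("active mode requires peer specification");
			goto fail;
		}
		/* no peer: this becomes the passive default policy */
		pol.pol_flags |= IKED_POLICY_DEFAULT|IKED_POLICY_SKIP;
	}

	if (peers && peers->src && peers->dst &&
	    (peers->src->af != AF_UNSPEC) && (peers->dst->af != AF_UNSPEC) &&
	    (peers->src->af != peers->dst->af))
		fatalx("create_ike: peer address family mismatch");

	if (peers && (pol.pol_af != AF_UNSPEC) &&
	    ((peers->src && (peers->src->af != AF_UNSPEC) &&
	    (peers->src->af != pol.pol_af)) ||
	    (peers->dst && (peers->dst->af != AF_UNSPEC) &&
	    (peers->dst->af != pol.pol_af))))
		fatalx("create_ike: policy address family mismatch");

	/*
	 * Local/peer addresses come from the "peers" clause; without one,
	 * a single-entry hosts list on either side is used instead.
	 */
	ipa = ipb = NULL;
	if (peers) {
		if (peers->src)
			ipa = peers->src;
		if (peers->dst)
			ipb = peers->dst;
		if (ipa == NULL && ipb == NULL) {
			if (hosts->src && hosts->src->next == NULL)
				ipa = hosts->src;
			if (hosts->dst && hosts->dst->next == NULL)
				ipb = hosts->dst;
		}
	}
	if (ipa == NULL && ipb == NULL) {
		yyerror("could not get local/peer specification");
		goto fail;
	}
	if (pol.pol_flags & IKED_POLICY_ACTIVE) {
		/* an initiator needs concrete host addresses, not networks */
		if (ipb == NULL || ipb->netaddress ||
		    (ipa != NULL && ipa->netaddress)) {
			yyerror("active mode requires local/peer address");
			goto fail;
		}
	}
	if (ipa) {
		memcpy(&pol.pol_local.addr, &ipa->address,
		    sizeof(ipa->address));
		pol.pol_local.addr_af = ipa->af;
		pol.pol_local.addr_mask = ipa->mask;
		pol.pol_local.addr_net = ipa->netaddress;
		if (pol.pol_af == AF_UNSPEC)
			pol.pol_af = ipa->af;
	}
	if (ipb) {
		memcpy(&pol.pol_peer.addr, &ipb->address,
		    sizeof(ipb->address));
		pol.pol_peer.addr_af = ipb->af;
		pol.pol_peer.addr_mask = ipb->mask;
		pol.pol_peer.addr_net = ipb->netaddress;
		if (pol.pol_af == AF_UNSPEC)
			pol.pol_af = ipb->af;
	}

	if (ikelifetime)
		pol.pol_rekey = ikelifetime;

	if (lt)
		pol.pol_lifetime = *lt;
	else
		pol.pol_lifetime = deflifetime;

	TAILQ_INIT(&pol.pol_proposals);
	RB_INIT(&pol.pol_flows);

	if (ike_sa == NULL || ike_sa->nxfs == 0) {
		/* AES-GCM proposal */
		if ((p = calloc(1, sizeof(*p))) == NULL)
			err(1, "%s", __func__);
		p->prop_id = ikepropid++;
		p->prop_protoid = IKEV2_SAPROTO_IKE;
		p->prop_nxforms = ikev2_default_nike_transforms_noauth;
		p->prop_xforms = ikev2_default_ike_transforms_noauth;
		TAILQ_INSERT_TAIL(&pol.pol_proposals, p, prop_entry);
		pol.pol_nproposals++;

		/* Non GCM proposal */
		if ((p = calloc(1, sizeof(*p))) == NULL)
			err(1, "%s", __func__);
		p->prop_id = ikepropid++;
		p->prop_protoid = IKEV2_SAPROTO_IKE;
		p->prop_nxforms = ikev2_default_nike_transforms;
		p->prop_xforms = ikev2_default_ike_transforms;
		TAILQ_INSERT_TAIL(&pol.pol_proposals, p, prop_entry);
		pol.pol_nproposals++;
	} else {
		for (i = 0; i < ike_sa->nxfs; i++) {
			/*
			 * Count encryption transforms with implicit
			 * authentication ("noauth") against those needing
			 * a separate integrity transform; the two kinds
			 * cannot share one proposal.
			 */
			noauth = auth = 0;
			for (j = 0; j < ike_sa->xfs[i]->nencxf; j++) {
				if (ike_sa->xfs[i]->encxf[j]->noauth)
					noauth++;
				else
					auth++;
			}
			for (j = 0; j < ike_sa->xfs[i]->ngroupxf; j++) {
				if (ike_sa->xfs[i]->groupxf[j]->id
				    == IKEV2_XFORMDH_NONE) {
					yyerror("IKE group can not be \"none\".");
					goto done;
				}
			}
			if (ike_sa->xfs[i]->nauthxf)
				auth++;

			if (ike_sa->xfs[i]->nesnxf) {
				yyerror("cannot use ESN with ikesa.");
				goto done;
			}
			if (noauth && noauth != ike_sa->xfs[i]->nencxf) {
				yyerror("cannot mix encryption transforms with "
				    "implicit and non-implicit authentication");
				goto done;
			}
			if (noauth && ike_sa->xfs[i]->nauthxf) {
				yyerror("authentication is implicit for given "
				    "encryption transforms");
				goto done;
			}

			if (!auth) {
				if ((p = calloc(1, sizeof(*p))) == NULL)
					err(1, "%s", __func__);

				/* explicit transforms, defaults for unset types */
				xf = NULL;
				xfi = 0;
				copy_transforms(IKEV2_XFORMTYPE_ENCR,
				    ike_sa->xfs[i]->encxf,
				    ike_sa->xfs[i]->nencxf, &xf, &xfi,
				    ikev2_default_ike_transforms_noauth,
				    ikev2_default_nike_transforms_noauth);
				copy_transforms(IKEV2_XFORMTYPE_DH,
				    ike_sa->xfs[i]->groupxf,
				    ike_sa->xfs[i]->ngroupxf, &xf, &xfi,
				    ikev2_default_ike_transforms_noauth,
				    ikev2_default_nike_transforms_noauth);
				copy_transforms(IKEV2_XFORMTYPE_PRF,
				    ike_sa->xfs[i]->prfxf,
				    ike_sa->xfs[i]->nprfxf, &xf, &xfi,
				    ikev2_default_ike_transforms_noauth,
				    ikev2_default_nike_transforms_noauth);

				p->prop_id = ikepropid++;
				p->prop_protoid = IKEV2_SAPROTO_IKE;
				p->prop_xforms = xf;
				p->prop_nxforms = xfi;
				TAILQ_INSERT_TAIL(&pol.pol_proposals, p, prop_entry);
				pol.pol_nproposals++;
			}
			if (!noauth) {
				if ((p = calloc(1, sizeof(*p))) == NULL)
					err(1, "%s", __func__);

				xf = NULL;
				xfi = 0;
				copy_transforms(IKEV2_XFORMTYPE_INTEGR,
				    ike_sa->xfs[i]->authxf,
				    ike_sa->xfs[i]->nauthxf, &xf, &xfi,
				    ikev2_default_ike_transforms,
				    ikev2_default_nike_transforms);
				copy_transforms(IKEV2_XFORMTYPE_ENCR,
				    ike_sa->xfs[i]->encxf,
				    ike_sa->xfs[i]->nencxf, &xf, &xfi,
				    ikev2_default_ike_transforms,
				    ikev2_default_nike_transforms);
				copy_transforms(IKEV2_XFORMTYPE_DH,
				    ike_sa->xfs[i]->groupxf,
				    ike_sa->xfs[i]->ngroupxf, &xf, &xfi,
				    ikev2_default_ike_transforms,
				    ikev2_default_nike_transforms);
				copy_transforms(IKEV2_XFORMTYPE_PRF,
				    ike_sa->xfs[i]->prfxf,
				    ike_sa->xfs[i]->nprfxf, &xf, &xfi,
				    ikev2_default_ike_transforms,
				    ikev2_default_nike_transforms);

				p->prop_id = ikepropid++;
				p->prop_protoid = IKEV2_SAPROTO_IKE;
				p->prop_xforms = xf;
				p->prop_nxforms = xfi;
				TAILQ_INSERT_TAIL(&pol.pol_proposals, p, prop_entry);
				pol.pol_nproposals++;
			}
		}
	}

	if (ipsec_sa == NULL || ipsec_sa->nxfs == 0) {
		if ((p = calloc(1, sizeof(*p))) == NULL)
			err(1, "%s", __func__);
		p->prop_id = ipsecpropid++;
		p->prop_protoid = saproto;
		p->prop_nxforms = ikev2_default_nesp_transforms_noauth;
		p->prop_xforms = ikev2_default_esp_transforms_noauth;
		TAILQ_INSERT_TAIL(&pol.pol_proposals, p, prop_entry);
		pol.pol_nproposals++;

		if ((p = calloc(1, sizeof(*p))) == NULL)
			err(1, "%s", __func__);
		p->prop_id = ipsecpropid++;
		p->prop_protoid = saproto;
		p->prop_nxforms = ikev2_default_nesp_transforms;
		p->prop_xforms = ikev2_default_esp_transforms;
		TAILQ_INSERT_TAIL(&pol.pol_proposals, p, prop_entry);
		pol.pol_nproposals++;
	} else {
		for (i = 0; i < ipsec_sa->nxfs; i++) {
			noauth = auth = 0;
			for (j = 0; j < ipsec_sa->xfs[i]->nencxf; j++) {
				if (ipsec_sa->xfs[i]->encxf[j]->noauth)
					noauth++;
				else
					auth++;
			}
			if (ipsec_sa->xfs[i]->nauthxf)
				auth++;

			if (noauth && noauth != ipsec_sa->xfs[i]->nencxf) {
				yyerror("cannot mix encryption transforms with "
				    "implicit and non-implicit authentication");
				goto done;
			}
			if (noauth && ipsec_sa->xfs[i]->nauthxf) {
				yyerror("authentication is implicit for given "
				    "encryption transforms");
				goto done;
			}

			if (!auth) {
				if ((p = calloc(1, sizeof(*p))) == NULL)
					err(1, "%s", __func__);

				xf = NULL;
				xfi = 0;
				copy_transforms(IKEV2_XFORMTYPE_ENCR,
				    ipsec_sa->xfs[i]->encxf,
				    ipsec_sa->xfs[i]->nencxf, &xf, &xfi,
				    ikev2_default_esp_transforms_noauth,
				    ikev2_default_nesp_transforms_noauth);
				copy_transforms(IKEV2_XFORMTYPE_DH,
				    ipsec_sa->xfs[i]->groupxf,
				    ipsec_sa->xfs[i]->ngroupxf, &xf, &xfi,
				    ikev2_default_esp_transforms_noauth,
				    ikev2_default_nesp_transforms_noauth);
				copy_transforms(IKEV2_XFORMTYPE_ESN,
				    ipsec_sa->xfs[i]->esnxf,
				    ipsec_sa->xfs[i]->nesnxf, &xf, &xfi,
				    ikev2_default_esp_transforms_noauth,
				    ikev2_default_nesp_transforms_noauth);

				p->prop_id = ipsecpropid++;
				p->prop_protoid = saproto;
				p->prop_xforms = xf;
				p->prop_nxforms = xfi;
				TAILQ_INSERT_TAIL(&pol.pol_proposals, p, prop_entry);
				pol.pol_nproposals++;
			}
			if (!noauth) {
				if ((p = calloc(1, sizeof(*p))) == NULL)
					err(1, "%s", __func__);

				xf = NULL;
				xfi = 0;
				copy_transforms(IKEV2_XFORMTYPE_INTEGR,
				    ipsec_sa->xfs[i]->authxf,
				    ipsec_sa->xfs[i]->nauthxf, &xf, &xfi,
				    ikev2_default_esp_transforms,
				    ikev2_default_nesp_transforms);
				copy_transforms(IKEV2_XFORMTYPE_ENCR,
				    ipsec_sa->xfs[i]->encxf,
				    ipsec_sa->xfs[i]->nencxf, &xf, &xfi,
				    ikev2_default_esp_transforms,
				    ikev2_default_nesp_transforms);
				copy_transforms(IKEV2_XFORMTYPE_DH,
				    ipsec_sa->xfs[i]->groupxf,
				    ipsec_sa->xfs[i]->ngroupxf, &xf, &xfi,
				    ikev2_default_esp_transforms,
				    ikev2_default_nesp_transforms);
				copy_transforms(IKEV2_XFORMTYPE_ESN,
				    ipsec_sa->xfs[i]->esnxf,
				    ipsec_sa->xfs[i]->nesnxf, &xf, &xfi,
				    ikev2_default_esp_transforms,
				    ikev2_default_nesp_transforms);

				p->prop_id = ipsecpropid++;
				p->prop_protoid = saproto;
				p->prop_xforms = xf;
				p->prop_nxforms = xfi;
				TAILQ_INSERT_TAIL(&pol.pol_proposals, p, prop_entry);
				pol.pol_nproposals++;
			}
		}
	}

	/* one flow per (src, dst) pair, walked in parallel, per protocol */
	for (ipa = hosts->src, ipb = hosts->dst; ipa && ipb;
	    ipa = ipa->next, ipb = ipb->next) {
		for (j = 0; j < pol.pol_nipproto; j++)
			if (expand_flows(&pol, pol.pol_ipproto[j], ipa, ipb))
				fatalx("create_ike: invalid flow");
		if (pol.pol_nipproto == 0)
			if (expand_flows(&pol, 0, ipa, ipb))
				fatalx("create_ike: invalid flow");
	}

	/* NOTE(review): entries beyond IKED_CFG_MAX are dropped silently, unlike the ipproto limit above */
	for (j = 0, ipa = ikecfg; ipa; ipa = ipa->next, j++) {
		if (j >= IKED_CFG_MAX)
			break;
		cfg = &pol.pol_cfg[j];
		pol.pol_ncfg++;

		cfg->cfg_action = ipa->action;
		cfg->cfg_type = ipa->type;
		memcpy(&cfg->cfg.address.addr, &ipa->address,
		    sizeof(ipa->address));
		cfg->cfg.address.addr_mask = ipa->mask;
		cfg->cfg.address.addr_net = ipa->netaddress;
		cfg->cfg.address.addr_af = ipa->af;
	}

	/* idstr is only used for the debug log line below */
	if (dstid)
		strlcpy(idstr, dstid, sizeof(idstr));
	else if (!pol.pol_peer.addr_net)
		print_host((struct sockaddr *)&pol.pol_peer.addr, idstr,
		    sizeof(idstr));

	/* the certificate request type follows the configured auth method */
	ikeauth = &pol.pol_auth;
	switch (ikeauth->auth_method) {
	case IKEV2_AUTH_RSA_SIG:
		pol.pol_certreqtype = IKEV2_CERT_RSA_KEY;
		break;
	case IKEV2_AUTH_ECDSA_256:
	case IKEV2_AUTH_ECDSA_384:
	case IKEV2_AUTH_ECDSA_521:
		pol.pol_certreqtype = IKEV2_CERT_ECDSA;
		break;
	default:
		pol.pol_certreqtype = IKEV2_CERT_NONE;
		break;
	}

	log_debug("%s: using %s for peer %s", __func__,
	    print_xf(ikeauth->auth_method, 0, methodxfs), idstr);

	config_setpolicy(env, &pol, PROC_IKEV2);
	config_setflow(env, &pol, PROC_IKEV2);

	rules++;
	ret = 0;

done:
	if (ike_sa) {
		for (i = 0; i < ike_sa->nxfs; i++) {
			free(ike_sa->xfs[i]->authxf);
			free(ike_sa->xfs[i]->encxf);
			free(ike_sa->xfs[i]->groupxf);
			free(ike_sa->xfs[i]->prfxf);
			free(ike_sa->xfs[i]);
		}
		free(ike_sa->xfs);
		free(ike_sa);
	}
	if (ipsec_sa) {
		for (i = 0; i < ipsec_sa->nxfs; i++) {
			free(ipsec_sa->xfs[i]->authxf);
			free(ipsec_sa->xfs[i]->encxf);
			free(ipsec_sa->xfs[i]->groupxf);
			free(ipsec_sa->xfs[i]->prfxf);
			free(ipsec_sa->xfs[i]);
		}
		free(ipsec_sa->xfs);
		free(ipsec_sa);
	}
	/* proposals pointing at the static default tables must not be freed */
	TAILQ_FOREACH_SAFE(p, &pol.pol_proposals, prop_entry, ptmp) {
		if (p->prop_xforms != ikev2_default_ike_transforms &&
		    p->prop_xforms != ikev2_default_ike_transforms_noauth &&
		    p->prop_xforms != ikev2_default_esp_transforms &&
		    p->prop_xforms != ikev2_default_esp_transforms_noauth)
			free(p->prop_xforms);
		free(p);
	}
	if (peers != NULL) {
		iaw_free(peers->src);
		iaw_free(peers->dst);
		/* peers is static, cannot be freed */
	}
	if (hosts != NULL) {
		iaw_free(hosts->src);
		iaw_free(hosts->dst);
		free(hosts);
	}
	iaw_free(ikecfg);
	iaw_free(ipproto);
	RB_FOREACH_SAFE(flow, iked_flows, &pol.pol_flows, ftmp) {
		RB_REMOVE(iked_flows, &pol.pol_flows, flow);
		free(flow);
	}
	/*
	 * pol.pol_auth holds the copy of the shared secret that was
	 * handed to config_setpolicy(); scrub the stack copy now that
	 * nothing references pol any more.
	 */
	explicit_bzero(&pol, sizeof(pol));
	free(name);
	free(srcid);
	free(dstid);
	return (ret);

fail:
	/*
	 * Early semantic error: no proposals or flows exist yet, but
	 * pol.pol_auth may already contain the secret, so scrub the
	 * stack copy before returning.
	 */
	explicit_bzero(&pol, sizeof(pol));
	return (-1);
}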
2655 | |
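/*
 * Build one outbound flow from the (already family-resolved) address pair
 * ipa -> ipb and insert it into pol->pol_flows.
 *
 * proto is the IP protocol number stored in flow_ipproto; ipa->srcnat, when
 * set, is recorded as the pre-NAT source address (address, mask and
 * network only -- no port is copied for it).  The SA protocol and rdomain
 * are inherited from the policy, the direction is always IPSP_DIRECTION_OUT.
 *
 * Returns 0 on success and -1 (after a yyerror) when the two addresses
 * belong to different address families.  A flow that compares equal to one
 * already in the policy is dropped with a warning and still counts as
 * success; this matches the previous behaviour, only the message label is
 * corrected (it used to claim to come from create_ike).
 */
static int
create_flow(struct iked_policy *pol, int proto, struct ipsec_addr_wrap *ipa,
    struct ipsec_addr_wrap *ipb)
{
	struct iked_flow	*flow;
	struct ipsec_addr_wrap	*ippn;

	/* An IPv4 selector paired with an IPv6 one cannot form a flow. */
	if (ipa->af != ipb->af) {
		yyerror("cannot mix different address families.");
		return (-1);
	}

	if ((flow = calloc(1, sizeof(struct iked_flow))) == NULL)
		fatalx("%s: failed to alloc flow.", __func__);

	memcpy(&flow->flow_src.addr, &ipa->address, sizeof(ipa->address));
	flow->flow_src.addr_af = ipa->af;
	flow->flow_src.addr_mask = ipa->mask;
	flow->flow_src.addr_net = ipa->netaddress;
	flow->flow_src.addr_port = ipa->port;

	memcpy(&flow->flow_dst.addr, &ipb->address, sizeof(ipb->address));
	flow->flow_dst.addr_af = ipb->af;
	flow->flow_dst.addr_mask = ipb->mask;
	flow->flow_dst.addr_net = ipb->netaddress;
	flow->flow_dst.addr_port = ipb->port;

	/*
	 * Optional source NAT.  Without it flow_prenat.addr_af stays 0
	 * (calloc already did that; the assignment keeps the intent
	 * explicit).
	 */
	ippn = ipa->srcnat;
	if (ippn != NULL) {
		memcpy(&flow->flow_prenat.addr, &ippn->address,
		    sizeof(ippn->address));
		flow->flow_prenat.addr_af = ippn->af;
		flow->flow_prenat.addr_mask = ippn->mask;
		flow->flow_prenat.addr_net = ippn->netaddress;
	} else
		flow->flow_prenat.addr_af = 0;

	flow->flow_dir = IPSP_DIRECTION_OUT;
	flow->flow_ipproto = proto;
	flow->flow_saproto = pol->pol_saproto;
	flow->flow_rdomain = pol->pol_rdomain;

	if (RB_INSERT(iked_flows, &pol->pol_flows, flow) == NULL)
		pol->pol_nflows++;
	else {
		/* Duplicate selector in this policy: keep the first one. */
		warnx("%s: duplicate flow", __func__);
		free(flow);
	}

	return (0);
}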
2710 | |
/*
 * One address-family round for expand_flows(): force both ends to af, turn
 * the "any"/"dynamic" keywords into concrete addresses for that family and
 * create the flow.  The expanded temporaries are always released here; the
 * caller is responsible for restoring the original address families.
 *
 * Returns 0 on success, -1 if either keyword could not be expanded for af
 * or create_flow() failed.
 */
static int
expand_flows_af(struct iked_policy *pol, int proto,
    struct ipsec_addr_wrap *src, struct ipsec_addr_wrap *dst, int af)
{
	struct ipsec_addr_wrap	*esrc, *edst;
	int			 rv = -1;

	src->af = dst->af = af;
	esrc = expand_keyword(src);
	edst = expand_keyword(dst);
	if (esrc != NULL && edst != NULL)
		rv = create_flow(pol, proto, esrc, edst) ? -1 : 0;
	iaw_free(esrc);
	iaw_free(edst);
	return (rv);
}

/*
 * Create the flow(s) for a src/dst pair where either side may still be an
 * address-family-less keyword (AF_UNSPEC).  Both unspecified: one IPv4 and
 * one IPv6 flow are created.  One side unspecified: it adopts the family of
 * the other side.  Both fixed: the pair is used as is.
 *
 * src->af and dst->af are modified only temporarily and restored before
 * returning, so the wrappers can be reused by the caller.
 *
 * Returns 0 on success, -1 if a keyword could not be expanded or
 * create_flow() failed.
 */
static int
expand_flows(struct iked_policy *pol, int proto, struct ipsec_addr_wrap *src,
    struct ipsec_addr_wrap *dst)
{
	struct ipsec_addr_wrap	*tmp = NULL;
	int			 saved_src_af = src->af;
	int			 saved_dst_af = dst->af;
	int			 rv = -1;

	if (saved_src_af == AF_UNSPEC && saved_dst_af == AF_UNSPEC) {
		/* Neither end is fixed: emit an IPv4 and an IPv6 flow. */
		if (expand_flows_af(pol, proto, src, dst, AF_INET) == 0 &&
		    expand_flows_af(pol, proto, src, dst, AF_INET6) == 0)
			rv = 0;
	} else if (saved_src_af == AF_UNSPEC) {
		/* Only the source is a keyword: follow the destination. */
		src->af = dst->af;
		if ((tmp = expand_keyword(src)) != NULL &&
		    create_flow(pol, proto, tmp, dst) == 0)
			rv = 0;
	} else if (saved_dst_af == AF_UNSPEC) {
		/* Only the destination is a keyword: follow the source. */
		dst->af = src->af;
		if ((tmp = expand_keyword(dst)) != NULL &&
		    create_flow(pol, proto, src, tmp) == 0)
			rv = 0;
	} else if (create_flow(pol, proto, src, dst) == 0)
		rv = 0;

	/* Undo the temporary family assignments. */
	src->af = saved_src_af;
	dst->af = saved_dst_af;
	iaw_free(tmp);
	return (rv);
}
2766 | |
/*
 * Map an address keyword ("any" / "dynamic") onto a concrete address in
 * the family ip->af currently carries: "any" becomes the whole address
 * space of that family, "dynamic" its unspecified address.
 *
 * Returns a freshly allocated wrapper from host(), or NULL when ip->af is
 * neither AF_INET nor AF_INET6 or ip->type is not one of the two keywords.
 */
static struct ipsec_addr_wrap *
expand_keyword(struct ipsec_addr_wrap *ip)
{
	const char	*spec = NULL;

	if (ip->af == AF_INET) {
		if (ip->type == IPSEC_ADDR_ANY)
			spec = "0.0.0.0/0";
		else if (ip->type == IPSEC_ADDR_DYNAMIC)
			spec = "0.0.0.0";
	} else if (ip->af == AF_INET6) {
		if (ip->type == IPSEC_ADDR_ANY)
			spec = "::/0";
		else if (ip->type == IPSEC_ADDR_DYNAMIC)
			spec = "::";
	}

	return (spec != NULL ? host(spec) : NULL);
}
2789 | |
/*
 * Register a local user/password pair with the IKEv2 process.
 *
 * user and pass are NUL-terminated strings from the configuration; both
 * must be non-empty and must fit their fixed-size fields in struct
 * iked_user.  A value that would be truncated by strlcpy() is rejected
 * rather than silently shortened.  The on-stack copy is scrubbed with
 * explicit_bzero() on every path on which password bytes may have been
 * written into it.
 *
 * Returns 0 on success (and bumps the global rule counter), -1 after a
 * yyerror() on invalid input.
 */
int
create_user(const char *user, const char *pass)
{
	struct iked_user	 usr;
	size_t			 n;

	bzero(&usr, sizeof(usr));

	if (user[0] == '\0')
		goto bad_user;
	n = strlcpy(usr.usr_name, user, sizeof(usr.usr_name));
	if (n >= sizeof(usr.usr_name))
		goto bad_user;

	if (pass[0] == '\0')
		goto bad_pass;
	n = strlcpy(usr.usr_pass, pass, sizeof(usr.usr_pass));
	if (n >= sizeof(usr.usr_pass))
		goto bad_pass;

	config_setuser(env, &usr, PROC_IKEV2);
	rules++;

	explicit_bzero(&usr, sizeof(usr));
	return (0);

 bad_user:
	/* Only the user name (no secret) can have reached usr so far. */
	yyerror("invalid user name");
	return (-1);

 bad_pass:
	yyerror("invalid password");
	/* strlcpy() may have left a truncated password behind: wipe it. */
	explicit_bzero(&usr, sizeof(usr));
	return (-1);
}
2816 | |
/*
 * Release a singly linked list of address wrappers built by host() and
 * friends, starting at head (NULL is accepted and ignored).
 *
 * For every node the optional srcnat wrapper is released first (its name
 * and the wrapper itself; its own next/srcnat links are not followed),
 * then the node's name and the node.
 */
void
iaw_free(struct ipsec_addr_wrap *head)
{
	struct ipsec_addr_wrap	*node = head, *next;

	while (node != NULL) {
		/* Read the link before the node goes away. */
		next = node->next;
		if (node->srcnat != NULL) {
			free(node->srcnat->name);
			free(node->srcnat);
		}
		free(node->name);
		free(node);
		node = next;
	}
}
2836 | #line 2829 "parse.c" |
2837 | /* allocate initial stack or double stack size, up to YYMAXDEPTH */ |
/*
 * Grow the parser's state and value stacks: allocate YYINITSTACKSIZE
 * entries on first use, otherwise double the current size, capped at
 * YYMAXDEPTH.  Both stacks are (re)allocated together and the stack
 * pointers are re-based onto the new storage.
 *
 * Returns 0 on success.  Returns -1 when the stack is already at
 * YYMAXDEPTH, when the byte count would overflow size_t, or when realloc
 * fails; in the latter two cases both stacks are released and reset to
 * NULL so the parser aborts instead of touching stale memory.
 */
static int yygrowstack(void)
{
	unsigned int newsize;
	long sslen;
	short *newss;
	YYSTYPE *newvs;

	newsize = yystacksize;
	if (newsize == 0)
		newsize = YYINITSTACKSIZE;
	else if (newsize >= YYMAXDEPTH)
		return -1;
	else {
		newsize *= 2;
		if (newsize > YYMAXDEPTH)
			newsize = YYMAXDEPTH;
	}

	/* Depth of the current stack, so the pointers can be re-based. */
	sslen = yyssp - yyss;
#ifdef SIZE_MAX
#define YY_SIZE_MAX SIZE_MAX
#else
#define YY_SIZE_MAX 0xffffffffU
#endif
	/* Refuse sizes whose byte count would wrap before realloc sees it. */
	if (newsize && (YY_SIZE_MAX / newsize < sizeof *newss ||
	    YY_SIZE_MAX / newsize < sizeof *newvs))
		goto fail;

	newss = (short *)realloc(yyss, newsize * sizeof *newss);
	if (newss == NULL)
		goto fail;
	yyss = newss;
	yyssp = newss + sslen;

	newvs = (YYSTYPE *)realloc(yyvs, newsize * sizeof *newvs);
	if (newvs == NULL)
		goto fail;
	yyvs = newvs;
	yyvsp = newvs + sslen;

	yystacksize = newsize;
	yysslim = yyss + newsize - 1;
	return 0;

fail:
	/* free(NULL) is a no-op, so the old NULL guards are not needed. */
	free(yyss);
	free(yyvs);
	yyss = yyssp = NULL;
	yyvs = yyvsp = NULL;
	yystacksize = 0;
	return -1;
}
2884 | |
2885 | #define YYABORTgoto yyabort goto yyabort |
2886 | #define YYREJECTgoto yyabort goto yyabort |
2887 | #define YYACCEPTgoto yyaccept goto yyaccept |
2888 | #define YYERRORgoto yyerrlab goto yyerrlab |
2889 | int |
2890 | yyparse(void) |
2891 | { |
2892 | int yym, yyn, yystate; |
2893 | #if YYDEBUG0 |
2894 | const char *yys; |
2895 | |
2896 | if ((yys = getenv("YYDEBUG"))) |
2897 | { |
2898 | yyn = *yys; |
2899 | if (yyn >= '0' && yyn <= '9') |
2900 | yydebug = yyn - '0'; |
2901 | } |
2902 | #endif /* YYDEBUG */ |
2903 | |
2904 | yynerrs = 0; |
2905 | yyerrflag = 0; |
2906 | yychar = (-1); |
2907 | |
2908 | if (yyss == NULL((void *)0) && yygrowstack()) goto yyoverflow; |
2909 | yyssp = yyss; |
2910 | yyvsp = yyvs; |
2911 | *yyssp = yystate = 0; |
2912 | |
2913 | yyloop: |
2914 | if ((yyn = yydefred[yystate]) != 0) goto yyreduce; |
2915 | if (yychar < 0) |
2916 | { |
2917 | if ((yychar = yylex()) < 0) yychar = 0; |
2918 | #if YYDEBUG0 |
2919 | if (yydebug) |
2920 | { |
2921 | yys = 0; |
2922 | if (yychar <= YYMAXTOKEN328) yys = yyname[yychar]; |
2923 | if (!yys) yys = "illegal-symbol"; |
2924 | printf("%sdebug: state %d, reading %d (%s)\n", |
2925 | YYPREFIX"yy", yystate, yychar, yys); |
2926 | } |
2927 | #endif |
2928 | } |
2929 | if ((yyn = yysindex[yystate]) && (yyn += yychar) >= 0 && |
2930 | yyn <= YYTABLESIZE731 && yycheck[yyn] == yychar) |
2931 | { |
2932 | #if YYDEBUG0 |
2933 | if (yydebug) |
2934 | printf("%sdebug: state %d, shifting to state %d\n", |
2935 | YYPREFIX"yy", yystate, yytable[yyn]); |
2936 | #endif |
2937 | if (yyssp >= yysslim && yygrowstack()) |
2938 | { |
2939 | goto yyoverflow; |
2940 | } |
2941 | *++yyssp = yystate = yytable[yyn]; |
2942 | *++yyvsp = yylval; |
2943 | yychar = (-1); |
2944 | if (yyerrflag > 0) --yyerrflag; |
2945 | goto yyloop; |
2946 | } |
2947 | if ((yyn = yyrindex[yystate]) && (yyn += yychar) >= 0 && |
2948 | yyn <= YYTABLESIZE731 && yycheck[yyn] == yychar) |
2949 | { |
2950 | yyn = yytable[yyn]; |
2951 | goto yyreduce; |
2952 | } |
2953 | if (yyerrflag) goto yyinrecovery; |
2954 | #if defined(__GNUC__4) |
2955 | goto yynewerror; |
2956 | #endif |
2957 | yynewerror: |
2958 | yyerror("syntax error"); |
2959 | #if defined(__GNUC__4) |
2960 | goto yyerrlab; |
2961 | #endif |
2962 | yyerrlab: |
2963 | ++yynerrs; |
2964 | yyinrecovery: |
2965 | if (yyerrflag < 3) |
2966 | { |
2967 | yyerrflag = 3; |
2968 | for (;;) |
2969 | { |
2970 | if ((yyn = yysindex[*yyssp]) && (yyn += YYERRCODE256) >= 0 && |
2971 | yyn <= YYTABLESIZE731 && yycheck[yyn] == YYERRCODE256) |
2972 | { |
2973 | #if YYDEBUG0 |
2974 | if (yydebug) |
2975 | printf("%sdebug: state %d, error recovery shifting\ |
2976 | to state %d\n", YYPREFIX"yy", *yyssp, yytable[yyn]); |
2977 | #endif |
2978 | if (yyssp >= yysslim && yygrowstack()) |
2979 | { |
2980 | goto yyoverflow; |
2981 | } |
2982 | *++yyssp = yystate = yytable[yyn]; |
2983 | *++yyvsp = yylval; |
2984 | goto yyloop; |
2985 | } |
2986 | else |
2987 | { |
2988 | #if YYDEBUG0 |
2989 | if (yydebug) |
2990 | printf("%sdebug: error recovery discarding state %d\n", |
2991 | YYPREFIX"yy", *yyssp); |
2992 | #endif |
2993 | if (yyssp <= yyss) goto yyabort; |
2994 | --yyssp; |
2995 | --yyvsp; |
2996 | } |
2997 | } |
2998 | } |
2999 | else |
3000 | { |
3001 | if (yychar == 0) goto yyabort; |
3002 | #if YYDEBUG0 |
3003 | if (yydebug) |
3004 | { |
3005 | yys = 0; |
3006 | if (yychar <= YYMAXTOKEN328) yys = yyname[yychar]; |
3007 | if (!yys) yys = "illegal-symbol"; |
3008 | printf("%sdebug: state %d, error recovery discards token %d (%s)\n", |
3009 | YYPREFIX"yy", yystate, yychar, yys); |
3010 | } |
3011 | #endif |
3012 | yychar = (-1); |
3013 | goto yyloop; |
3014 | } |
3015 | yyreduce: |
3016 | #if YYDEBUG0 |
3017 | if (yydebug) |
3018 | printf("%sdebug: state %d, reducing by rule %d (%s)\n", |
3019 | YYPREFIX"yy", yystate, yyn, yyrule[yyn]); |
3020 | #endif |
3021 | yym = yylen[yyn]; |
3022 | if (yym) |
3023 | yyval = yyvsp[1-yym]; |
3024 | else |
3025 | memset(&yyval, 0, sizeof yyval); |
3026 | switch (yyn) |
3027 | { |
3028 | case 9: |
3029 | #line 482 "/usr/src/sbin/iked/parse.y" |
3030 | { file->errors++; } |
3031 | break; |
3032 | case 12: |
3033 | #line 489 "/usr/src/sbin/iked/parse.y" |
3034 | { |
3035 | struct file *nfile; |
3036 | |
3037 | if ((nfile = pushfile(yyvsp[0].v.string, 1)) == NULL((void *)0)) { |
3038 | yyerror("failed to include file %s", yyvsp[0].v.string); |
3039 | free(yyvsp[0].v.string); |
3040 | YYERRORgoto yyerrlab; |
3041 | } |
3042 | free(yyvsp[0].v.string); |
3043 | |
3044 | file = nfile; |
3045 | lungetc('\n'); |
3046 | } |
3047 | break; |
3048 | case 13: |
3049 | #line 504 "/usr/src/sbin/iked/parse.y" |
3050 | { passive = 0; } |
3051 | break; |
3052 | case 14: |
3053 | #line 505 "/usr/src/sbin/iked/parse.y" |
3054 | { passive = 1; } |
3055 | break; |
3056 | case 15: |
3057 | #line 506 "/usr/src/sbin/iked/parse.y" |
3058 | { decouple = 0; } |
3059 | break; |
3060 | case 16: |
3061 | #line 507 "/usr/src/sbin/iked/parse.y" |
3062 | { decouple = 1; } |
3063 | break; |
3064 | case 17: |
3065 | #line 508 "/usr/src/sbin/iked/parse.y" |
3066 | { fragmentation = 1; } |
3067 | break; |
3068 | case 18: |
3069 | #line 509 "/usr/src/sbin/iked/parse.y" |
3070 | { fragmentation = 0; } |
3071 | break; |
3072 | case 19: |
3073 | #line 510 "/usr/src/sbin/iked/parse.y" |
3074 | { mobike = 1; } |
3075 | break; |
3076 | case 20: |
3077 | #line 511 "/usr/src/sbin/iked/parse.y" |
3078 | { mobike = 0; } |
3079 | break; |
3080 | case 21: |
3081 | #line 512 "/usr/src/sbin/iked/parse.y" |
3082 | { enforcesingleikesa = 1; } |
3083 | break; |
3084 | case 22: |
3085 | #line 513 "/usr/src/sbin/iked/parse.y" |
3086 | { enforcesingleikesa = 0; } |
3087 | break; |
3088 | case 23: |
3089 | #line 514 "/usr/src/sbin/iked/parse.y" |
3090 | { stickyaddress = 1; } |
3091 | break; |
3092 | case 24: |
3093 | #line 515 "/usr/src/sbin/iked/parse.y" |
3094 | { stickyaddress = 0; } |
3095 | break; |
3096 | case 25: |
3097 | #line 516 "/usr/src/sbin/iked/parse.y" |
3098 | { |
3099 | ocsp_url = yyvsp[0].v.string; |
3100 | } |
3101 | break; |
3102 | case 26: |
3103 | #line 519 "/usr/src/sbin/iked/parse.y" |
3104 | { |
3105 | ocsp_url = yyvsp[-2].v.string; |
3106 | ocsp_tolerate = yyvsp[0].v.number; |
3107 | } |
3108 | break; |
3109 | case 27: |
3110 | #line 523 "/usr/src/sbin/iked/parse.y" |
3111 | { |
3112 | ocsp_url = yyvsp[-4].v.string; |
3113 | ocsp_tolerate = yyvsp[-2].v.number; |
3114 | ocsp_maxage = yyvsp[0].v.number; |
3115 | } |
3116 | break; |
3117 | case 28: |
3118 | #line 528 "/usr/src/sbin/iked/parse.y" |
3119 | { |
3120 | cert_partial_chain = 1; |
3121 | } |
3122 | break; |
3123 | case 29: |
3124 | #line 531 "/usr/src/sbin/iked/parse.y" |
3125 | { |
3126 | if (yyvsp[0].v.number < 0) { |
3127 | yyerror("timeout outside range"); |
3128 | YYERRORgoto yyerrlab; |
3129 | } |
3130 | dpd_interval = yyvsp[0].v.number; |
3131 | } |
3132 | break; |
3133 | case 30: |
3134 | #line 540 "/usr/src/sbin/iked/parse.y" |
3135 | { |
3136 | if (create_user(yyvsp[-1].v.string, yyvsp[0].v.string) == -1) |
3137 | YYERRORgoto yyerrlab; |
3138 | free(yyvsp[-1].v.string); |
3139 | freezero(yyvsp[0].v.string, strlen(yyvsp[0].v.string)); |
3140 | } |
3141 | break; |
3142 | case 31: |
3143 | #line 550 "/usr/src/sbin/iked/parse.y" |
3144 | { |
3145 | if (create_ike(yyvsp[-16].v.string, yyvsp[-13].v.number, yyvsp[-12].v.proto, yyvsp[-11].v.number, yyvsp[-10].v.hosts, &yyvsp[-9].v.peers, yyvsp[-8].v.mode, yyvsp[-7].v.mode, yyvsp[-14].v.satype, |
3146 | yyvsp[-15].v.ikemode, yyvsp[-6].v.ids.srcid, yyvsp[-6].v.ids.dstid, yyvsp[-5].v.number, &yyvsp[-4].v.lifetime, &yyvsp[-3].v.ikeauth, |
3147 | yyvsp[0].v.filters, yyvsp[-2].v.cfg, yyvsp[-1].v.string) == -1) { |
3148 | yyerror("create_ike failed"); |
3149 | YYERRORgoto yyerrlab; |
3150 | } |
3151 | } |
3152 | break; |
3153 | case 32: |
3154 | #line 560 "/usr/src/sbin/iked/parse.y" |
3155 | { yyval.v.cfg = NULL((void *)0); } |
3156 | break; |
3157 | case 33: |
3158 | #line 561 "/usr/src/sbin/iked/parse.y" |
3159 | { yyval.v.cfg = yyvsp[0].v.cfg; } |
3160 | break; |
3161 | case 34: |
3162 | #line 564 "/usr/src/sbin/iked/parse.y" |
3163 | { yyval.v.cfg = yyvsp[0].v.cfg; } |
3164 | break; |
3165 | case 35: |
3166 | #line 565 "/usr/src/sbin/iked/parse.y" |
3167 | { |
3168 | if (yyvsp[0].v.cfg == NULL((void *)0)) |
3169 | yyval.v.cfg = yyvsp[-1].v.cfg; |
3170 | else if (yyvsp[-1].v.cfg == NULL((void *)0)) |
3171 | yyval.v.cfg = yyvsp[0].v.cfg; |
3172 | else { |
3173 | yyvsp[-1].v.cfg->tail->next = yyvsp[0].v.cfg; |
3174 | yyvsp[-1].v.cfg->tail = yyvsp[0].v.cfg->tail; |
3175 | yyval.v.cfg = yyvsp[-1].v.cfg; |
3176 | } |
3177 | } |
3178 | break; |
3179 | case 36: |
3180 | #line 578 "/usr/src/sbin/iked/parse.y" |
3181 | { |
3182 | const struct ipsec_xf *xf; |
3183 | |
3184 | if ((xf = parse_xf(yyvsp[-1].v.string, yyvsp[0].v.host->af, cpxfs)) == NULL((void *)0)) { |
3185 | yyerror("not a valid ikecfg option"); |
3186 | free(yyvsp[-1].v.string); |
3187 | free(yyvsp[0].v.host); |
3188 | YYERRORgoto yyerrlab; |
3189 | } |
3190 | free(yyvsp[-1].v.string); |
3191 | yyval.v.cfg = yyvsp[0].v.host; |
3192 | yyval.v.cfg->type = xf->id; |
3193 | yyval.v.cfg->action = IKEV2_CP_REPLY2; /* XXX */ |
3194 | } |
3195 | break; |
3196 | case 37: |
3197 | #line 592 "/usr/src/sbin/iked/parse.y" |
3198 | { |
3199 | const struct ipsec_xf *xf; |
3200 | |
3201 | if ((xf = parse_xf(yyvsp[-1].v.string, yyvsp[0].v.anyhost->af, cpxfs)) == NULL((void *)0)) { |
3202 | yyerror("not a valid ikecfg option"); |
3203 | free(yyvsp[-1].v.string); |
3204 | free(yyvsp[0].v.anyhost); |
3205 | YYERRORgoto yyerrlab; |
3206 | } |
3207 | free(yyvsp[-1].v.string); |
3208 | yyval.v.cfg = yyvsp[0].v.anyhost; |
3209 | yyval.v.cfg->type = xf->id; |
3210 | yyval.v.cfg->action = IKEV2_CP_REQUEST1; /* XXX */ |
3211 | } |
3212 | break; |
3213 | case 38: |
3214 | #line 608 "/usr/src/sbin/iked/parse.y" |
3215 | { yyval.v.string = NULL((void *)0); } |
3216 | break; |
3217 | case 39: |
3218 | #line 609 "/usr/src/sbin/iked/parse.y" |
3219 | { |
3220 | yyval.v.string = yyvsp[0].v.string; |
3221 | } |
3222 | break; |
3223 | case 40: |
3224 | #line 613 "/usr/src/sbin/iked/parse.y" |
3225 | { yyval.v.satype = IKEV2_SAPROTO_ESP3; } |
3226 | break; |
3227 | case 41: |
3228 | #line 614 "/usr/src/sbin/iked/parse.y" |
3229 | { yyval.v.satype = IKEV2_SAPROTO_ESP3; } |
3230 | break; |
3231 | case 42: |
3232 | #line 615 "/usr/src/sbin/iked/parse.y" |
3233 | { yyval.v.satype = IKEV2_SAPROTO_AH2; } |
3234 | break; |
3235 | case 43: |
3236 | #line 618 "/usr/src/sbin/iked/parse.y" |
3237 | { yyval.v.number = AF_UNSPEC0; } |
3238 | break; |
3239 | case 44: |
3240 | #line 619 "/usr/src/sbin/iked/parse.y" |
3241 | { yyval.v.number = AF_INET2; } |
3242 | break; |
3243 | case 45: |
3244 | #line 620 "/usr/src/sbin/iked/parse.y" |
3245 | { yyval.v.number = AF_INET624; } |
3246 | break; |
3247 | case 46: |
3248 | #line 623 "/usr/src/sbin/iked/parse.y" |
3249 | { yyval.v.proto = NULL((void *)0); } |
3250 | break; |
3251 | case 47: |
3252 | #line 624 "/usr/src/sbin/iked/parse.y" |
3253 | { yyval.v.proto = yyvsp[0].v.proto; } |
3254 | break; |
3255 | case 48: |
3256 | #line 625 "/usr/src/sbin/iked/parse.y" |
3257 | { yyval.v.proto = yyvsp[-1].v.proto; } |
3258 | break; |
3259 | case 49: |
3260 | #line 628 "/usr/src/sbin/iked/parse.y" |
3261 | { yyval.v.proto = yyvsp[0].v.proto; } |
3262 | break; |
3263 | case 50: |
3264 | #line 629 "/usr/src/sbin/iked/parse.y" |
3265 | { |
3266 | if (yyvsp[0].v.proto == NULL((void *)0)) |
3267 | yyval.v.proto = yyvsp[-2].v.proto; |
3268 | else if (yyvsp[-2].v.proto == NULL((void *)0)) |
3269 | yyval.v.proto = yyvsp[0].v.proto; |
3270 | else { |
3271 | yyvsp[-2].v.proto->tail->next = yyvsp[0].v.proto; |
3272 | yyvsp[-2].v.proto->tail = yyvsp[0].v.proto->tail; |
3273 | yyval.v.proto = yyvsp[-2].v.proto; |
3274 | } |
3275 | } |
3276 | break; |
3277 | case 51: |
3278 | #line 642 "/usr/src/sbin/iked/parse.y" |
3279 | { |
3280 | struct protoent *p; |
3281 | |
3282 | p = getprotobyname(yyvsp[0].v.string); |
3283 | if (p == NULL((void *)0)) { |
3284 | yyerror("unknown protocol: %s", yyvsp[0].v.string); |
3285 | YYERRORgoto yyerrlab; |
3286 | } |
3287 | |
3288 | if ((yyval.v.proto = calloc(1, sizeof(*yyval.v.proto))) == NULL((void *)0)) |
3289 | err(1, "protoval: calloc"); |
3290 | |
3291 | yyval.v.proto->type = p->p_proto; |
3292 | yyval.v.proto->tail = yyval.v.proto; |
3293 | free(yyvsp[0].v.string); |
3294 | } |
3295 | break; |
3296 | case 52: |
3297 | #line 658 "/usr/src/sbin/iked/parse.y" |
3298 | { |
3299 | if (yyvsp[0].v.number > 255 || yyvsp[0].v.number < 0) { |
3300 | yyerror("protocol outside range"); |
3301 | YYERRORgoto yyerrlab; |
3302 | } |
3303 | if ((yyval.v.proto = calloc(1, sizeof(*yyval.v.proto))) == NULL((void *)0)) |
3304 | err(1, "protoval: calloc"); |
3305 | |
3306 | yyval.v.proto->type = yyvsp[0].v.number; |
3307 | yyval.v.proto->tail = yyval.v.proto; |
3308 | } |
3309 | break; |
3310 | case 53: |
3311 | #line 671 "/usr/src/sbin/iked/parse.y" |
3312 | { yyval.v.number = -1; } |
3313 | break; |
3314 | case 54: |
3315 | #line 672 "/usr/src/sbin/iked/parse.y" |
3316 | { |
3317 | if (yyvsp[0].v.number > 255 || yyvsp[0].v.number < 0) { |
3318 | yyerror("rdomain outside range"); |
3319 | YYERRORgoto yyerrlab; |
3320 | } |
3321 | yyval.v.number = yyvsp[0].v.number; |
3322 | } |
3323 | break; |
3324 | case 55: |
3325 | #line 680 "/usr/src/sbin/iked/parse.y" |
3326 | { yyval.v.hosts = yyvsp[0].v.hosts; } |
3327 | break; |
3328 | case 56: |
3329 | #line 681 "/usr/src/sbin/iked/parse.y" |
3330 | { |
3331 | if (yyvsp[0].v.hosts == NULL((void *)0)) |
3332 | yyval.v.hosts = yyvsp[-2].v.hosts; |
3333 | else if (yyvsp[-2].v.hosts == NULL((void *)0)) |
3334 | yyval.v.hosts = yyvsp[0].v.hosts; |
3335 | else { |
3336 | yyvsp[-2].v.hosts->src->tail->next = yyvsp[0].v.hosts->src; |
3337 | yyvsp[-2].v.hosts->src->tail = yyvsp[0].v.hosts->src->tail; |
3338 | yyvsp[-2].v.hosts->dst->tail->next = yyvsp[0].v.hosts->dst; |
3339 | yyvsp[-2].v.hosts->dst->tail = yyvsp[0].v.hosts->dst->tail; |
3340 | yyval.v.hosts = yyvsp[-2].v.hosts; |
3341 | free(yyvsp[0].v.hosts); |
3342 | } |
3343 | } |
3344 | break; |
3345 | case 57: |
3346 | #line 697 "/usr/src/sbin/iked/parse.y" |
3347 | { |
3348 | struct ipsec_addr_wrap *ipa; |
3349 | for (ipa = yyvsp[-1].v.host; ipa; ipa = ipa->next) { |
3350 | if (ipa->srcnat) { |
3351 | yyerror("no flow NAT support for" |
3352 | " destination network: %s", |
3353 | ipa->name); |
3354 | YYERRORgoto yyerrlab; |
3355 | } |
3356 | } |
3357 | |
3358 | if ((yyval.v.hosts = calloc(1, sizeof(*yyval.v.hosts))) == NULL((void *)0)) |
3359 | err(1, "hosts: calloc"); |
3360 | |
3361 | yyval.v.hosts->src = yyvsp[-4].v.host; |
3362 | yyval.v.hosts->src->port = yyvsp[-3].v.port; |
3363 | yyval.v.hosts->dst = yyvsp[-1].v.host; |
3364 | yyval.v.hosts->dst->port = yyvsp[0].v.port; |
3365 | } |
3366 | break; |
3367 | case 58: |
3368 | #line 716 "/usr/src/sbin/iked/parse.y" |
3369 | { |
3370 | struct ipsec_addr_wrap *ipa; |
3371 | for (ipa = yyvsp[-4].v.host; ipa; ipa = ipa->next) { |
3372 | if (ipa->srcnat) { |
3373 | yyerror("no flow NAT support for" |
3374 | " destination network: %s", |
3375 | ipa->name); |
3376 | YYERRORgoto yyerrlab; |
3377 | } |
3378 | } |
3379 | if ((yyval.v.hosts = calloc(1, sizeof(*yyval.v.hosts))) == NULL((void *)0)) |
3380 | err(1, "hosts: calloc"); |
3381 | |
3382 | yyval.v.hosts->src = yyvsp[-1].v.host; |
3383 | yyval.v.hosts->src->port = yyvsp[0].v.port; |
3384 | yyval.v.hosts->dst = yyvsp[-4].v.host; |
3385 | yyval.v.hosts->dst->port = yyvsp[-3].v.port; |
3386 | } |
3387 | break; |
3388 | case 59: |
3389 | #line 736 "/usr/src/sbin/iked/parse.y" |
3390 | { yyval.v.port = 0; } |
3391 | break; |
3392 | case 60: |
3393 | #line 737 "/usr/src/sbin/iked/parse.y" |
3394 | { yyval.v.port = yyvsp[0].v.number; } |
3395 | break; |
3396 | case 61: |
3397 | #line 740 "/usr/src/sbin/iked/parse.y" |
3398 | { |
3399 | struct servent *s; |
3400 | |
3401 | if ((s = getservbyname(yyvsp[0].v.string, "tcp")) != NULL((void *)0) || |
3402 | (s = getservbyname(yyvsp[0].v.string, "udp")) != NULL((void *)0)) { |
3403 | yyval.v.number = s->s_port; |
3404 | } else { |
3405 | yyerror("unknown port: %s", yyvsp[0].v.string); |
3406 | YYERRORgoto yyerrlab; |
3407 | } |
3408 | free(yyvsp[0].v.string); |
3409 | } |
3410 | break; |
3411 | case 62: |
3412 | #line 752 "/usr/src/sbin/iked/parse.y" |
3413 | { |
3414 | if (yyvsp[0].v.number > USHRT_MAX(32767 *2 +1) || yyvsp[0].v.number < 0) { |
3415 | yyerror("port outside range"); |
3416 | YYERRORgoto yyerrlab; |
3417 | } |
3418 | yyval.v.number = htons(yyvsp[0].v.number)(__uint16_t)(__builtin_constant_p(yyvsp[0].v.number) ? (__uint16_t )(((__uint16_t)(yyvsp[0].v.number) & 0xffU) << 8 | ( (__uint16_t)(yyvsp[0].v.number) & 0xff00U) >> 8) : __swap16md (yyvsp[0].v.number)); |
3419 | } |
3420 | break; |
3421 | case 63: |
3422 | #line 761 "/usr/src/sbin/iked/parse.y" |
3423 | { |
3424 | yyval.v.peers.dst = NULL((void *)0); |
3425 | yyval.v.peers.src = NULL((void *)0); |
3426 | } |
3427 | break; |
3428 | case 64: |
3429 | #line 765 "/usr/src/sbin/iked/parse.y" |
3430 | { |
3431 | yyval.v.peers.dst = yyvsp[-2].v.anyhost; |
3432 | yyval.v.peers.src = yyvsp[0].v.anyhost; |
3433 | } |
3434 | break; |
3435 | case 65: |
3436 | #line 769 "/usr/src/sbin/iked/parse.y" |
3437 | { |
3438 | yyval.v.peers.dst = yyvsp[0].v.anyhost; |
3439 | yyval.v.peers.src = yyvsp[-2].v.anyhost; |
3440 | } |
3441 | break; |
3442 | case 66: |
3443 | #line 773 "/usr/src/sbin/iked/parse.y" |
3444 | { |
3445 | yyval.v.peers.dst = yyvsp[0].v.anyhost; |
3446 | yyval.v.peers.src = NULL((void *)0); |
3447 | } |
3448 | break; |
3449 | case 67: |
3450 | #line 777 "/usr/src/sbin/iked/parse.y" |
3451 | { |
3452 | yyval.v.peers.dst = NULL((void *)0); |
3453 | yyval.v.peers.src = yyvsp[0].v.anyhost; |
3454 | } |
3455 | break; |
3456 | case 68: |
3457 | #line 783 "/usr/src/sbin/iked/parse.y" |
3458 | { yyval.v.anyhost = yyvsp[0].v.host; } |
3459 | break; |
3460 | case 69: |
3461 | #line 784 "/usr/src/sbin/iked/parse.y" |
3462 | { |
3463 | yyval.v.anyhost = host_any(); |
3464 | } |
3465 | break; |
3466 | case 70: |
3467 | #line 788 "/usr/src/sbin/iked/parse.y" |
3468 | { |
3469 | if ((yyval.v.host = host(yyvsp[0].v.string)) == NULL((void *)0)) { |
3470 | free(yyvsp[0].v.string); |
3471 | yyerror("could not parse host specification"); |
3472 | YYERRORgoto yyerrlab; |
3473 | } |
3474 | free(yyvsp[0].v.string); |
3475 | } |
3476 | break; |
3477 | case 71: |
3478 | #line 796 "/usr/src/sbin/iked/parse.y" |
3479 | { |
3480 | char *buf; |
3481 | |
3482 | if (asprintf(&buf, "%s/%lld", yyvsp[-2].v.string, yyvsp[0].v.number) == -1) |
3483 | err(1, "host: asprintf"); |
3484 | free(yyvsp[-2].v.string); |
3485 | if ((yyval.v.host = host(buf)) == NULL((void *)0)) { |
3486 | free(buf); |
3487 | yyerror("could not parse host specification"); |
3488 | YYERRORgoto yyerrlab; |
3489 | } |
3490 | free(buf); |
3491 | } |
3492 | break; |
3493 | case 72: |
3494 | #line 811 "/usr/src/sbin/iked/parse.y" |
3495 | { yyval.v.host = yyvsp[0].v.host; } |
3496 | break; |
3497 | case 73: |
3498 | #line 812 "/usr/src/sbin/iked/parse.y" |
3499 | { |
3500 | if ((yyvsp[-3].v.host->af != AF_UNSPEC0) && (yyvsp[-1].v.host->af != AF_UNSPEC0) && |
3501 | (yyvsp[-1].v.host->af != yyvsp[-3].v.host->af)) { |
3502 | yyerror("Flow NAT address family mismatch"); |
3503 | YYERRORgoto yyerrlab; |
3504 | } |
3505 | yyval.v.host = yyvsp[-3].v.host; |
3506 | yyval.v.host->srcnat = yyvsp[-1].v.host; |
3507 | } |
3508 | break; |
3509 | case 74: |
3510 | #line 821 "/usr/src/sbin/iked/parse.y" |
3511 | { |
3512 | yyval.v.host = host_any(); |
3513 | } |
3514 | break; |
3515 | case 75: |
3516 | #line 824 "/usr/src/sbin/iked/parse.y" |
3517 | { |
3518 | yyval.v.host = host_dynamic(); |
3519 | } |
3520 | break; |
3521 | case 76: |
3522 | #line 829 "/usr/src/sbin/iked/parse.y" |
3523 | { |
3524 | yyval.v.ids.srcid = NULL((void *)0); |
3525 | yyval.v.ids.dstid = NULL((void *)0); |
3526 | } |
3527 | break; |
3528 | case 77: |
3529 | #line 833 "/usr/src/sbin/iked/parse.y" |
3530 | { |
3531 | yyval.v.ids.srcid = yyvsp[-2].v.id; |
3532 | yyval.v.ids.dstid = yyvsp[0].v.id; |
3533 | } |
3534 | break; |
3535 | case 78: |
3536 | #line 837 "/usr/src/sbin/iked/parse.y" |
3537 | { |
3538 | yyval.v.ids.srcid = yyvsp[0].v.id; |
3539 | yyval.v.ids.dstid = NULL((void *)0); |
3540 | } |
3541 | break; |
3542 | case 79: |
3543 | #line 841 "/usr/src/sbin/iked/parse.y" |
3544 | { |
3545 | yyval.v.ids.srcid = NULL((void *)0); |
3546 | yyval.v.ids.dstid = yyvsp[0].v.id; |
3547 | } |
3548 | break; |
3549 | case 80: |
3550 | #line 847 "/usr/src/sbin/iked/parse.y" |
3551 | { yyval.v.id = yyvsp[0].v.string; } |
3552 | break; |
3553 | case 81: |
3554 | #line 850 "/usr/src/sbin/iked/parse.y" |
3555 | { |
3556 | if ((ipsec_transforms = calloc(1, |
3557 | sizeof(struct ipsec_transforms))) == NULL((void *)0)) |
3558 | err(1, "transforms: calloc"); |
3559 | } |
3560 | break; |
3561 | case 82: |
3562 | #line 855 "/usr/src/sbin/iked/parse.y" |
3563 | { |
3564 | yyval.v.transforms = ipsec_transforms; |
3565 | } |
3566 | break; |
3567 | case 83: |
3568 | #line 858 "/usr/src/sbin/iked/parse.y" |
3569 | { |
3570 | yyval.v.transforms = NULL((void *)0); |
3571 | } |
3572 | break; |
3573 | case 86: |
3574 | #line 867 "/usr/src/sbin/iked/parse.y" |
3575 | { |
3576 | const struct ipsec_xf **xfs = ipsec_transforms->authxf; |
3577 | size_t nxfs = ipsec_transforms->nauthxf; |
3578 | xfs = recallocarray(xfs, nxfs, nxfs + 1, |
3579 | sizeof(struct ipsec_xf *)); |
3580 | if (xfs == NULL((void *)0)) |
3581 | err(1, "transform: recallocarray"); |
3582 | if ((xfs[nxfs] = parse_xf(yyvsp[0].v.string, 0, authxfs)) == NULL((void *)0)) { |
3583 | yyerror("%s not a valid transform", yyvsp[0].v.string); |
3584 | YYERRORgoto yyerrlab; |
3585 | } |
3586 | free(yyvsp[0].v.string); |
3587 | ipsec_transforms->authxf = xfs; |
3588 | ipsec_transforms->nauthxf++; |
3589 | } |
3590 | break; |
3591 | case 87: |
3592 | #line 882 "/usr/src/sbin/iked/parse.y" |
3593 | { |
3594 | const struct ipsec_xf **xfs = ipsec_transforms->encxf; |
3595 | size_t nxfs = ipsec_transforms->nencxf; |
3596 | xfs = recallocarray(xfs, nxfs, nxfs + 1, |
3597 | sizeof(struct ipsec_xf *)); |
3598 | if (xfs == NULL((void *)0)) |
3599 | err(1, "transform: recallocarray"); |
3600 | if ((xfs[nxfs] = parse_xf(yyvsp[0].v.string, 0, encxfs)) == NULL((void *)0)) { |
3601 | yyerror("%s not a valid transform", yyvsp[0].v.string); |
3602 | YYERRORgoto yyerrlab; |
3603 | } |
3604 | free(yyvsp[0].v.string); |
3605 | ipsec_transforms->encxf = xfs; |
3606 | ipsec_transforms->nencxf++; |
3607 | } |
3608 | break; |
3609 | case 88: |
3610 | #line 897 "/usr/src/sbin/iked/parse.y" |
3611 | { |
3612 | const struct ipsec_xf **xfs = ipsec_transforms->prfxf; |
3613 | size_t nxfs = ipsec_transforms->nprfxf; |
3614 | xfs = recallocarray(xfs, nxfs, nxfs + 1, |
3615 | sizeof(struct ipsec_xf *)); |
3616 | if (xfs == NULL((void *)0)) |
3617 | err(1, "transform: recallocarray"); |
3618 | if ((xfs[nxfs] = parse_xf(yyvsp[0].v.string, 0, prfxfs)) == NULL((void *)0)) { |
3619 | yyerror("%s not a valid transform", yyvsp[0].v.string); |
3620 | YYERRORgoto yyerrlab; |
3621 | } |
3622 | free(yyvsp[0].v.string); |
3623 | ipsec_transforms->prfxf = xfs; |
3624 | ipsec_transforms->nprfxf++; |
3625 | } |
3626 | break; |
3627 | case 89: |
3628 | #line 912 "/usr/src/sbin/iked/parse.y" |
3629 | { |
3630 | const struct ipsec_xf **xfs = ipsec_transforms->groupxf; |
3631 | size_t nxfs = ipsec_transforms->ngroupxf; |
3632 | xfs = recallocarray(xfs, nxfs, nxfs + 1, |
3633 | sizeof(struct ipsec_xf *)); |
3634 | if (xfs == NULL((void *)0)) |
3635 | err(1, "transform: recallocarray"); |
3636 | if ((xfs[nxfs] = parse_xf(yyvsp[0].v.string, 0, groupxfs)) == NULL((void *)0)) { |
3637 | yyerror("%s not a valid transform", yyvsp[0].v.string); |
3638 | YYERRORgoto yyerrlab; |
3639 | } |
3640 | free(yyvsp[0].v.string); |
3641 | ipsec_transforms->groupxf = xfs; |
3642 | ipsec_transforms->ngroupxf++; |
3643 | } |
3644 | break; |
3645 | case 90: |
3646 | #line 927 "/usr/src/sbin/iked/parse.y" |
3647 | { |
3648 | const struct ipsec_xf **xfs = ipsec_transforms->esnxf; |
3649 | size_t nxfs = ipsec_transforms->nesnxf; |
3650 | xfs = recallocarray(xfs, nxfs, nxfs + 1, |
3651 | sizeof(struct ipsec_xf *)); |
3652 | if (xfs == NULL((void *)0)) |
3653 | err(1, "transform: recallocarray"); |
3654 | if ((xfs[nxfs] = parse_xf(yyvsp[0].v.string, 0, esnxfs)) == NULL((void *)0)) { |
3655 | yyerror("%s not a valid transform", yyvsp[0].v.string); |
3656 | YYERRORgoto yyerrlab; |
3657 | } |
3658 | ipsec_transforms->esnxf = xfs; |
3659 | ipsec_transforms->nesnxf++; |
3660 | } |
3661 | break; |
3662 | case 91: |
3663 | #line 943 "/usr/src/sbin/iked/parse.y" |
3664 | { yyval.v.string = "esn"; } |
3665 | break; |
3666 | case 92: |
3667 | #line 944 "/usr/src/sbin/iked/parse.y" |
3668 | { yyval.v.string = "noesn"; } |
3669 | break; |
3670 | case 93: |
3671 | #line 947 "/usr/src/sbin/iked/parse.y" |
3672 | { |
3673 | if ((ipsec_mode = calloc(1, |
3674 | sizeof(struct ipsec_mode))) == NULL((void *)0)) |
3675 | err(1, "ike_sas: calloc"); |
3676 | } |
3677 | break; |
3678 | case 94: |
3679 | #line 952 "/usr/src/sbin/iked/parse.y" |
3680 | { |
3681 | yyval.v.mode = ipsec_mode; |
3682 | } |
3683 | break; |
3684 | case 95: |
3685 | #line 955 "/usr/src/sbin/iked/parse.y" |
3686 | { |
3687 | yyval.v.mode = NULL((void *)0); |
3688 | } |
3689 | break; |
3690 | case 98: |
3691 | #line 964 "/usr/src/sbin/iked/parse.y" |
3692 | { |
3693 | if ((ipsec_mode->xfs = recallocarray(ipsec_mode->xfs, |
3694 | ipsec_mode->nxfs, ipsec_mode->nxfs + 1, |
3695 | sizeof(struct ipsec_transforms *))) == NULL((void *)0)) |
3696 | err(1, "ike_sa: recallocarray"); |
3697 | ipsec_mode->nxfs++; |
3698 | encxfs = ikeencxfs; |
3699 | } |
3700 | break; |
3701 | case 99: |
3702 | #line 971 "/usr/src/sbin/iked/parse.y" |
3703 | { |
3704 | ipsec_mode->xfs[ipsec_mode->nxfs - 1] = yyvsp[0].v.transforms; |
3705 | } |
3706 | break; |
3707 | case 100: |
3708 | #line 976 "/usr/src/sbin/iked/parse.y" |
3709 | { |
3710 | if ((ipsec_mode = calloc(1, |
3711 | sizeof(struct ipsec_mode))) == NULL((void *)0)) |
3712 | err(1, "child_sas: calloc"); |
3713 | } |
3714 | break; |
3715 | case 101: |
3716 | #line 981 "/usr/src/sbin/iked/parse.y" |
3717 | { |
3718 | yyval.v.mode = ipsec_mode; |
3719 | } |
3720 | break; |
3721 | case 102: |
3722 | #line 984 "/usr/src/sbin/iked/parse.y" |
3723 | { |
3724 | yyval.v.mode = NULL((void *)0); |
3725 | } |
3726 | break; |
3727 | case 105: |
3728 | #line 993 "/usr/src/sbin/iked/parse.y" |
3729 | { |
3730 | if ((ipsec_mode->xfs = recallocarray(ipsec_mode->xfs, |
3731 | ipsec_mode->nxfs, ipsec_mode->nxfs + 1, |
3732 | sizeof(struct ipsec_transforms *))) == NULL((void *)0)) |
3733 | err(1, "child_sa: recallocarray"); |
3734 | ipsec_mode->nxfs++; |
3735 | encxfs = ipsecencxfs; |
3736 | } |
3737 | break; |
3738 | case 106: |
3739 | #line 1000 "/usr/src/sbin/iked/parse.y" |
3740 | { |
3741 | ipsec_mode->xfs[ipsec_mode->nxfs - 1] = yyvsp[0].v.transforms; |
3742 | } |
3743 | break; |
3744 | case 107: |
3745 | #line 1005 "/usr/src/sbin/iked/parse.y" |
3746 | { yyval.v.ikemode = yyvsp[-3].v.ikemode | yyvsp[-2].v.ikemode | yyvsp[-1].v.ikemode | yyvsp[0].v.ikemode; } |
3747 | break; |
3748 | case 108: |
3749 | #line 1008 "/usr/src/sbin/iked/parse.y" |
3750 | { yyval.v.ikemode = 0; } |
3751 | break; |
3752 | case 109: |
3753 | #line 1009 "/usr/src/sbin/iked/parse.y" |
3754 | { yyval.v.ikemode = IKED_POLICY_QUICK0x08; } |
3755 | break; |
3756 | case 110: |
3757 | #line 1010 "/usr/src/sbin/iked/parse.y" |
3758 | { yyval.v.ikemode = IKED_POLICY_SKIP0x10; } |
3759 | break; |
3760 | case 111: |
3761 | #line 1011 "/usr/src/sbin/iked/parse.y" |
3762 | { yyval.v.ikemode = IKED_POLICY_DEFAULT0x01; } |
3763 | break; |
3764 | case 112: |
3765 | #line 1014 "/usr/src/sbin/iked/parse.y" |
3766 | { yyval.v.ikemode = IKED_POLICY_PASSIVE0x00; } |
3767 | break; |
3768 | case 113: |
3769 | #line 1015 "/usr/src/sbin/iked/parse.y" |
3770 | { yyval.v.ikemode = IKED_POLICY_PASSIVE0x00; } |
3771 | break; |
3772 | case 114: |
3773 | #line 1016 "/usr/src/sbin/iked/parse.y" |
3774 | { yyval.v.ikemode = IKED_POLICY_ACTIVE0x02; } |
3775 | break; |
3776 | case 115: |
3777 | #line 1019 "/usr/src/sbin/iked/parse.y" |
3778 | { yyval.v.ikemode = 0; } |
3779 | break; |
3780 | case 116: |
3781 | #line 1020 "/usr/src/sbin/iked/parse.y" |
3782 | { yyval.v.ikemode = IKED_POLICY_IPCOMP0x20; } |
3783 | break; |
3784 | case 117: |
3785 | #line 1023 "/usr/src/sbin/iked/parse.y" |
3786 | { yyval.v.ikemode = 0; } |
3787 | break; |
3788 | case 118: |
3789 | #line 1024 "/usr/src/sbin/iked/parse.y" |
3790 | { yyval.v.ikemode = 0; } |
3791 | break; |
3792 | case 119: |
3793 | #line 1025 "/usr/src/sbin/iked/parse.y" |
3794 | { yyval.v.ikemode = IKED_POLICY_TRANSPORT0x40; } |
3795 | break; |
3796 | case 120: |
3797 | #line 1028 "/usr/src/sbin/iked/parse.y" |
3798 | { |
3799 | yyval.v.ikeauth.auth_method = IKEV2_AUTH_SIG_ANY255; /* default */ |
3800 | yyval.v.ikeauth.auth_eap = 0; |
3801 | yyval.v.ikeauth.auth_length = 0; |
3802 | } |
3803 | break; |
3804 | case 121: |
3805 | #line 1033 "/usr/src/sbin/iked/parse.y" |
3806 | { |
3807 | memcpy(&yyval.v.ikeauth, &yyvsp[0].v.ikekey, sizeof(yyval.v.ikeauth)); |
3808 | yyval.v.ikeauth.auth_method = IKEV2_AUTH_SHARED_KEY_MIC2; |
3809 | yyval.v.ikeauth.auth_eap = 0; |
3810 | explicit_bzero(&yyvsp[0].v.ikekey, sizeof(yyvsp[0].v.ikekey)); |
3811 | } |
3812 | break; |
3813 | case 122: |
3814 | #line 1039 "/usr/src/sbin/iked/parse.y" |
3815 | { |
3816 | unsigned int i; |
3817 | |
3818 | for (i = 0; i < strlen(yyvsp[0].v.string); i++) |
3819 | if (yyvsp[0].v.string[i] == '-') |
3820 | yyvsp[0].v.string[i] = '_'; |
3821 | |
3822 | if (strcasecmp("mschap_v2", yyvsp[0].v.string) != 0) { |
3823 | yyerror("unsupported EAP method: %s", yyvsp[0].v.string); |
3824 | free(yyvsp[0].v.string); |
3825 | YYERRORgoto yyerrlab; |
3826 | } |
3827 | free(yyvsp[0].v.string); |
3828 | |
3829 | yyval.v.ikeauth.auth_method = IKEV2_AUTH_SIG_ANY255; |
3830 | yyval.v.ikeauth.auth_eap = EAP_TYPE_MSCHAP_V226; |
3831 | yyval.v.ikeauth.auth_length = 0; |
3832 | } |
3833 | break; |
3834 | case 123: |
3835 | #line 1057 "/usr/src/sbin/iked/parse.y" |
3836 | { |
3837 | const struct ipsec_xf *xf; |
3838 | |
3839 | if ((xf = parse_xf(yyvsp[0].v.string, 0, methodxfs)) == NULL((void *)0) || |
3840 | xf->id == IKEV2_AUTH_NONE0) { |
3841 | yyerror("not a valid authentication mode"); |
3842 | free(yyvsp[0].v.string); |
3843 | YYERRORgoto yyerrlab; |
3844 | } |
3845 | free(yyvsp[0].v.string); |
3846 | |
3847 | yyval.v.ikeauth.auth_method = xf->id; |
3848 | yyval.v.ikeauth.auth_eap = 0; |
3849 | yyval.v.ikeauth.auth_length = 0; |
3850 | } |
3851 | break; |
3852 | case 124: |
3853 | #line 1074 "/usr/src/sbin/iked/parse.y" |
3854 | { |
3855 | yyval.v.number = yyvsp[0].v.number; |
3856 | } |
3857 | break; |
3858 | case 125: |
3859 | #line 1077 "/usr/src/sbin/iked/parse.y" |
3860 | { |
3861 | uint64_t bytes = 0; |
3862 | char unit = 0; |
3863 | |
3864 | if (sscanf(yyvsp[0].v.string, "%llu%c", &bytes, &unit) != 2) { |
3865 | yyerror("invalid byte specification: %s", yyvsp[0].v.string); |
3866 | YYERRORgoto yyerrlab; |
3867 | } |
3868 | free(yyvsp[0].v.string); |
3869 | switch (toupper((unsigned char)unit)) { |
3870 | case 'K': |
3871 | bytes *= 1024; |
3872 | break; |
3873 | case 'M': |
3874 | bytes *= 1024 * 1024; |
3875 | break; |
3876 | case 'G': |
3877 | bytes *= 1024 * 1024 * 1024; |
3878 | break; |
3879 | default: |
3880 | yyerror("invalid byte unit"); |
3881 | YYERRORgoto yyerrlab; |
3882 | } |
3883 | yyval.v.number = bytes; |
3884 | } |
3885 | break; |
3886 | case 126: |
3887 | #line 1104 "/usr/src/sbin/iked/parse.y" |
3888 | { |
3889 | yyval.v.number = yyvsp[0].v.number; |
3890 | } |
3891 | break; |
3892 | case 127: |
3893 | #line 1107 "/usr/src/sbin/iked/parse.y" |
3894 | { |
3895 | uint64_t seconds = 0; |
3896 | char unit = 0; |
3897 | |
3898 | if (sscanf(yyvsp[0].v.string, "%llu%c", &seconds, &unit) != 2) { |
3899 | yyerror("invalid time specification: %s", yyvsp[0].v.string); |
3900 | YYERRORgoto yyerrlab; |
3901 | } |
3902 | free(yyvsp[0].v.string); |
3903 | switch (tolower((unsigned char)unit)) { |
3904 | case 'm': |
3905 | seconds *= 60; |
3906 | break; |
3907 | case 'h': |
3908 | seconds *= 60 * 60; |
3909 | break; |
3910 | default: |
3911 | yyerror("invalid time unit"); |
3912 | YYERRORgoto yyerrlab; |
3913 | } |
3914 | yyval.v.number = seconds; |
3915 | } |
3916 | break; |
3917 | case 128: |
3918 | #line 1131 "/usr/src/sbin/iked/parse.y" |
3919 | { |
3920 | yyval.v.lifetime = deflifetime; |
3921 | } |
3922 | break; |
3923 | case 129: |
3924 | #line 1134 "/usr/src/sbin/iked/parse.y" |
3925 | { |
3926 | yyval.v.lifetime.lt_seconds = yyvsp[0].v.number; |
3927 | yyval.v.lifetime.lt_bytes = deflifetime.lt_bytes; |
3928 | } |
3929 | break; |
3930 | case 130: |
3931 | #line 1138 "/usr/src/sbin/iked/parse.y" |
3932 | { |
3933 | yyval.v.lifetime.lt_seconds = yyvsp[-2].v.number; |
3934 | yyval.v.lifetime.lt_bytes = yyvsp[0].v.number; |
3935 | } |
3936 | break; |
3937 | case 131: |
3938 | #line 1144 "/usr/src/sbin/iked/parse.y" |
3939 | { |
3940 | yyval.v.number = 0; |
3941 | } |
3942 | break; |
3943 | case 132: |
3944 | #line 1147 "/usr/src/sbin/iked/parse.y" |
3945 | { |
3946 | yyval.v.number = yyvsp[0].v.number; |
3947 | } |
3948 | break; |
3949 | case 133: |
3950 | #line 1151 "/usr/src/sbin/iked/parse.y" |
3951 | { |
3952 | uint8_t *hex; |
3953 | |
3954 | bzero(&yyval.v.ikekey, sizeof(yyval.v.ikekey)); |
3955 | |
3956 | hex = yyvsp[0].v.string; |
3957 | if (strncmp(hex, "0x", 2) == 0) { |
3958 | hex += 2; |
3959 | if (parsekey(hex, strlen(hex), &yyval.v.ikekey) != 0) { |
3960 | free(yyvsp[0].v.string); |
3961 | YYERRORgoto yyerrlab; |
3962 | } |
3963 | } else { |
3964 | if (strlen(yyvsp[0].v.string) > sizeof(yyval.v.ikekey.auth_data)) { |
3965 | yyerror("psk too long"); |
3966 | free(yyvsp[0].v.string); |
3967 | YYERRORgoto yyerrlab; |
3968 | } |
3969 | strlcpy(yyval.v.ikekey.auth_data, yyvsp[0].v.string, |
3970 | sizeof(yyval.v.ikekey.auth_data)); |
3971 | yyval.v.ikekey.auth_length = strlen(yyvsp[0].v.string); |
3972 | } |
3973 | freezero(yyvsp[0].v.string, strlen(yyvsp[0].v.string)); |
3974 | } |
3975 | break; |
3976 | case 134: |
3977 | #line 1175 "/usr/src/sbin/iked/parse.y" |
3978 | { |
3979 | if (parsekeyfile(yyvsp[0].v.string, &yyval.v.ikekey) != 0) { |
3980 | free(yyvsp[0].v.string); |
3981 | YYERRORgoto yyerrlab; |
3982 | } |
3983 | free(yyvsp[0].v.string); |
3984 | } |
3985 | break; |
3986 | case 135: |
3987 | #line 1184 "/usr/src/sbin/iked/parse.y" |
3988 | { |
3989 | if ((ipsec_filters = calloc(1, |
3990 | sizeof(struct ipsec_filters))) == NULL((void *)0)) |
3991 | err(1, "filters: calloc"); |
3992 | } |
3993 | break; |
3994 | case 136: |
3995 | #line 1189 "/usr/src/sbin/iked/parse.y" |
3996 | { |
3997 | yyval.v.filters = ipsec_filters; |
3998 | } |
3999 | break; |
4000 | case 137: |
4001 | #line 1192 "/usr/src/sbin/iked/parse.y" |
4002 | { |
4003 | yyval.v.filters = NULL((void *)0); |
4004 | } |
4005 | break; |
4006 | case 140: |
4007 | #line 1202 "/usr/src/sbin/iked/parse.y" |
4008 | { |
4009 | ipsec_filters->tag = yyvsp[0].v.string; |
4010 | } |
4011 | break; |
4012 | case 141: |
4013 | #line 1206 "/usr/src/sbin/iked/parse.y" |
4014 | { |
4015 | const char *errstr = NULL((void *)0); |
4016 | size_t len; |
4017 | |
4018 | len = strcspn(yyvsp[0].v.string, "0123456789"); |
4019 | if (strlen("enc") != len || |
4020 | strncmp("enc", yyvsp[0].v.string, len) != 0) { |
4021 | yyerror("invalid tap interface name: %s", yyvsp[0].v.string); |
4022 | free(yyvsp[0].v.string); |
4023 | YYERRORgoto yyerrlab; |
4024 | } |
4025 | ipsec_filters->tap = |
4026 | strtonum(yyvsp[0].v.string + len, 0, UINT_MAX(2147483647 *2U +1U), &errstr); |
4027 | free(yyvsp[0].v.string); |
4028 | if (errstr != NULL((void *)0)) { |
4029 | yyerror("invalid tap interface unit: %s", |
4030 | errstr); |
4031 | YYERRORgoto yyerrlab; |
4032 | } |
4033 | } |
4034 | break; |
4035 | case 142: |
4036 | #line 1228 "/usr/src/sbin/iked/parse.y" |
4037 | { |
4038 | yyval.v.string = NULL((void *)0); |
4039 | } |
4040 | break; |
4041 | case 143: |
4042 | #line 1231 "/usr/src/sbin/iked/parse.y" |
4043 | { |
4044 | yyval.v.string = yyvsp[0].v.string; |
4045 | } |
4046 | break; |
4047 | case 144: |
4048 | #line 1236 "/usr/src/sbin/iked/parse.y" |
4049 | { |
4050 | if (asprintf(&yyval.v.string, "%s %s", yyvsp[-1].v.string, yyvsp[0].v.string) == -1) |
4051 | err(1, "string: asprintf"); |
4052 | free(yyvsp[-1].v.string); |
4053 | free(yyvsp[0].v.string); |
4054 | } |
4055 | break; |
4056 | case 146: |
4057 | #line 1246 "/usr/src/sbin/iked/parse.y" |
4058 | { |
4059 | char *s = yyvsp[-2].v.string; |
4060 | log_debug("%s = \"%s\"\n", yyvsp[-2].v.string, yyvsp[0].v.string); |
4061 | while (*s++) { |
4062 | if (isspace((unsigned char)*s)) { |
4063 | yyerror("macro name cannot contain " |
4064 | "whitespace"); |
4065 | free(yyvsp[-2].v.string); |
4066 | free(yyvsp[0].v.string); |
4067 | YYERRORgoto yyerrlab; |
4068 | } |
4069 | } |
4070 | if (symset(yyvsp[-2].v.string, yyvsp[0].v.string, 0) == -1) |
4071 | err(1, "cannot store variable"); |
4072 | free(yyvsp[-2].v.string); |
4073 | free(yyvsp[0].v.string); |
4074 | } |
4075 | break; |
4076 | case 156: |
4077 | #line 1284 "/usr/src/sbin/iked/parse.y" |
4078 | { |
4079 | int c; |
4080 | |
4081 | while ((c = lgetc(0)) != '\n' && c != EOF(-1)) |
4082 | ; /* nothing */ |
4083 | if (c == '\n') |
4084 | lungetc(c); |
4085 | } |
4086 | break; |
4087 | #line 4080 "parse.c" |
4088 | } |
4089 | yyssp -= yym; |
4090 | yystate = *yyssp; |
4091 | yyvsp -= yym; |
4092 | yym = yylhs[yyn]; |
4093 | if (yystate == 0 && yym == 0) |
4094 | { |
4095 | #if YYDEBUG0 |
4096 | if (yydebug) |
4097 | printf("%sdebug: after reduction, shifting from state 0 to\ |
4098 | state %d\n", YYPREFIX"yy", YYFINAL1); |
4099 | #endif |
4100 | yystate = YYFINAL1; |
4101 | *++yyssp = YYFINAL1; |
4102 | *++yyvsp = yyval; |
4103 | if (yychar < 0) |
4104 | { |
4105 | if ((yychar = yylex()) < 0) yychar = 0; |
4106 | #if YYDEBUG0 |
4107 | if (yydebug) |
4108 | { |
4109 | yys = 0; |
4110 | if (yychar <= YYMAXTOKEN328) yys = yyname[yychar]; |
4111 | if (!yys) yys = "illegal-symbol"; |
4112 | printf("%sdebug: state %d, reading %d (%s)\n", |
4113 | YYPREFIX"yy", YYFINAL1, yychar, yys); |
4114 | } |
4115 | #endif |
4116 | } |
4117 | if (yychar == 0) goto yyaccept; |
4118 | goto yyloop; |
4119 | } |
4120 | if ((yyn = yygindex[yym]) && (yyn += yystate) >= 0 && |
4121 | yyn <= YYTABLESIZE731 && yycheck[yyn] == yystate) |
4122 | yystate = yytable[yyn]; |
4123 | else |
4124 | yystate = yydgoto[yym]; |
4125 | #if YYDEBUG0 |
4126 | if (yydebug) |
4127 | printf("%sdebug: after reduction, shifting from state %d \ |
4128 | to state %d\n", YYPREFIX"yy", *yyssp, yystate); |
4129 | #endif |
4130 | if (yyssp >= yysslim && yygrowstack()) |
4131 | { |
4132 | goto yyoverflow; |
4133 | } |
4134 | *++yyssp = yystate; |
4135 | *++yyvsp = yyval; |
4136 | goto yyloop; |
4137 | yyoverflow: |
4138 | yyerror("yacc stack overflow"); |
4139 | yyabort: |
4140 | if (yyss) |
4141 | free(yyss); |
4142 | if (yyvs) |
4143 | free(yyvs); |
4144 | yyss = yyssp = NULL((void *)0); |
4145 | yyvs = yyvsp = NULL((void *)0); |
4146 | yystacksize = 0; |
4147 | return (1); |
4148 | yyaccept: |
4149 | if (yyss) |
4150 | free(yyss); |
4151 | if (yyvs) |
4152 | free(yyvs); |
4153 | yyss = yyssp = NULL((void *)0); |
4154 | yyvs = yyvsp = NULL((void *)0); |
4155 | yystacksize = 0; |
4156 | return (0); |
4157 | } |