parse.c

Bug Summary

File:	src/sbin/iked/obj/parse.c
Warning:	line 2006, column 4 Value stored to 's6' is never read

Annotated Source Code

Press '?' to see keyboard shortcuts

Show analyzer invocation

clang -cc1 -cc1 -triple amd64-unknown-openbsd7.0 -analyze -disable-free -disable-llvm-verifier -discard-value-names -main-file-name parse.c -analyzer-store=region -analyzer-opt-analyze-nested-blocks -analyzer-checker=core -analyzer-checker=apiModeling -analyzer-checker=unix -analyzer-checker=deadcode -analyzer-checker=security.insecureAPI.UncheckedReturn -analyzer-checker=security.insecureAPI.getpw -analyzer-checker=security.insecureAPI.gets -analyzer-checker=security.insecureAPI.mktemp -analyzer-checker=security.insecureAPI.mkstemp -analyzer-checker=security.insecureAPI.vfork -analyzer-checker=nullability.NullPassedToNonnull -analyzer-checker=nullability.NullReturnedFromNonnull -analyzer-output plist -w -setup-static-analyzer -mrelocation-model pic -pic-level 1 -pic-is-pie -mframe-pointer=all -relaxed-aliasing -fno-rounding-math -mconstructor-aliases -munwind-tables -target-cpu x86-64 -target-feature +retpoline-indirect-calls -target-feature +retpoline-indirect-branches -tune-cpu generic -debugger-tuning=gdb -fcoverage-compilation-dir=/usr/src/sbin/iked/obj -resource-dir /usr/local/lib/clang/13.0.0 -I /usr/src/sbin/iked -internal-isystem /usr/local/lib/clang/13.0.0/include -internal-externc-isystem /usr/include -O2 -fdebug-compilation-dir=/usr/src/sbin/iked/obj -ferror-limit 19 -fwrapv -D_RET_PROTECTOR -ret-protector -fgnuc-version=4.2.1 -vectorize-loops -vectorize-slp -fno-builtin-malloc -fno-builtin-calloc -fno-builtin-realloc -fno-builtin-valloc -fno-builtin-free -fno-builtin-strdup -fno-builtin-strndup -analyzer-output=html -faddrsig -D__GCC_HAVE_DWARF2_CFI_ASM=1 -o /home/ben/Projects/vmm/scan-build/2022-01-12-194120-40624-1 -x c parse.c

1	#include <stdlib.h>
2	#include <string.h>
3	#define YYBYACC1 1
4	#define YYMAJOR1 1
5	#define YYMINOR9 9
6	#define YYLEXyylex() yylex()
7	#define YYEMPTY-1 -1
8	#define yyclearin(yychar=(-1)) (yychar=(YYEMPTY-1))
9	#define yyerrok(yyerrflag=0) (yyerrflag=0)
10	#define YYRECOVERING()(yyerrflag!=0) (yyerrflag!=0)
11	#define YYPREFIX"yy" "yy"
12	#line 26 "/usr/src/sbin/iked/parse.y"
13	#include <sys/types.h>
14	#include <sys/ioctl.h>
15	#include <sys/queue.h>
16	#include <sys/socket.h>
17	#include <sys/stat.h>
18	#include <net/if.h>
19	#include <netinet/in.h>
20	#include <netinet/ip_ipsp.h>
21	#include <arpa/inet.h>
22
23	#include <ctype.h>
24	#include <err.h>
25	#include <errno(*__errno()).h>
26	#include <fcntl.h>
27	#include <ifaddrs.h>
28	#include <limits.h>
29	#include <netdb.h>
30	#include <stdarg.h>
31	#include <stdio.h>
32	#include <stdlib.h>
33	#include <string.h>
34	#include <syslog.h>
35	#include <unistd.h>
36	#include <netdb.h>
37	#include <event.h>
38
39	#include "iked.h"
40	#include "ikev2.h"
41	#include "eap.h"
42
43	TAILQ_HEAD(files, file)struct files { struct file tqh_first; struct file tqh_last ; } files = TAILQ_HEAD_INITIALIZER(files){ ((void )0), &(files).tqh_first };
44	static struct file {
45	TAILQ_ENTRY(file)struct { struct file tqe_next; struct file *tqe_prev; } entry;
46	FILE *stream;
47	char *name;
48	size_t ungetpos;
49	size_t ungetsize;
50	u_char *ungetbuf;
51	int eof_reached;
52	int lineno;
53	int errors;
54	} file, topfile;
55	struct file pushfile(const char , int);
56	int popfile(void);
57	int check_file_secrecy(int, const char *);
58	int yyparse(void);
59	int yylex(void);
60	int yyerror(const char *, ...)
61	__attribute__((__format__ (printf, 1, 2)))
62	__attribute__((__nonnull__ (1)));
63	int kw_cmp(const void , const void );
64	int lookup(char *);
65	int igetc(void);
66	int lgetc(int);
67	void lungetc(int);
68	int findeol(void);
69
70	TAILQ_HEAD(symhead, sym)struct symhead { struct sym tqh_first; struct sym tqh_last ; } symhead = TAILQ_HEAD_INITIALIZER(symhead){ ((void )0), &(symhead).tqh_first };
71	struct sym {
72	TAILQ_ENTRY(sym)struct { struct sym tqe_next; struct sym *tqe_prev; } entry;
73	int used;
74	int persist;
75	char *nam;
76	char *val;
77	};
78	int symset(const char , const char , int);
79	char symget(const char );
80
81	#define KEYSIZE_LIMIT1024 1024
82
83	static struct iked env = NULL((void )0);
84	static int debug = 0;
85	static int rules = 0;
86	static int passive = 0;
87	static int decouple = 0;
88	static int mobike = 1;
89	static int enforcesingleikesa = 0;
90	static int stickyaddress = 0;
91	static int fragmentation = 0;
92	static int dpd_interval = IKED_IKE_SA_ALIVE_TIMEOUT60;
93	static char ocsp_url = NULL((void )0);
94	static long ocsp_tolerate = 0;
95	static long ocsp_maxage = -1;
96	static int cert_partial_chain = 0;
97
98	struct iked_transform ikev2_default_ike_transforms[] = {
99	{ IKEV2_XFORMTYPE_ENCR1, IKEV2_XFORMENCR_AES_CBC12, 256 },
100	{ IKEV2_XFORMTYPE_ENCR1, IKEV2_XFORMENCR_AES_CBC12, 192 },
101	{ IKEV2_XFORMTYPE_ENCR1, IKEV2_XFORMENCR_AES_CBC12, 128 },
102	{ IKEV2_XFORMTYPE_ENCR1, IKEV2_XFORMENCR_3DES3 },
103	{ IKEV2_XFORMTYPE_PRF2, IKEV2_XFORMPRF_HMAC_SHA2_2565 },
104	{ IKEV2_XFORMTYPE_PRF2, IKEV2_XFORMPRF_HMAC_SHA2_3846 },
105	{ IKEV2_XFORMTYPE_PRF2, IKEV2_XFORMPRF_HMAC_SHA2_5127 },
106	{ IKEV2_XFORMTYPE_PRF2, IKEV2_XFORMPRF_HMAC_SHA12 },
107	{ IKEV2_XFORMTYPE_INTEGR3, IKEV2_XFORMAUTH_HMAC_SHA2_256_12812 },
108	{ IKEV2_XFORMTYPE_INTEGR3, IKEV2_XFORMAUTH_HMAC_SHA2_384_19213 },
109	{ IKEV2_XFORMTYPE_INTEGR3, IKEV2_XFORMAUTH_HMAC_SHA2_512_25614 },
110	{ IKEV2_XFORMTYPE_INTEGR3, IKEV2_XFORMAUTH_HMAC_SHA1_962 },
111	{ IKEV2_XFORMTYPE_DH4, IKEV2_XFORMDH_CURVE2551931 },
112	{ IKEV2_XFORMTYPE_DH4, IKEV2_XFORMDH_ECP_52121 },
113	{ IKEV2_XFORMTYPE_DH4, IKEV2_XFORMDH_ECP_38420 },
114	{ IKEV2_XFORMTYPE_DH4, IKEV2_XFORMDH_ECP_25619 },
115	{ IKEV2_XFORMTYPE_DH4, IKEV2_XFORMDH_MODP_409616 },
116	{ IKEV2_XFORMTYPE_DH4, IKEV2_XFORMDH_MODP_307215 },
117	{ IKEV2_XFORMTYPE_DH4, IKEV2_XFORMDH_MODP_204814 },
118	{ IKEV2_XFORMTYPE_DH4, IKEV2_XFORMDH_MODP_15365 },
119	{ IKEV2_XFORMTYPE_DH4, IKEV2_XFORMDH_MODP_10242 },
120	{ 0 }
121	};
122	size_t ikev2_default_nike_transforms = ((sizeof(ikev2_default_ike_transforms) /
123	sizeof(ikev2_default_ike_transforms[0])) - 1);
124
125	struct iked_transform ikev2_default_ike_transforms_noauth[] = {
126	{ IKEV2_XFORMTYPE_ENCR1, IKEV2_XFORMENCR_AES_GCM_1620, 128 },
127	{ IKEV2_XFORMTYPE_ENCR1, IKEV2_XFORMENCR_AES_GCM_1620, 256 },
128	{ IKEV2_XFORMTYPE_PRF2, IKEV2_XFORMPRF_HMAC_SHA2_2565 },
129	{ IKEV2_XFORMTYPE_PRF2, IKEV2_XFORMPRF_HMAC_SHA2_3846 },
130	{ IKEV2_XFORMTYPE_PRF2, IKEV2_XFORMPRF_HMAC_SHA2_5127 },
131	{ IKEV2_XFORMTYPE_PRF2, IKEV2_XFORMPRF_HMAC_SHA12 },
132	{ IKEV2_XFORMTYPE_DH4, IKEV2_XFORMDH_CURVE2551931 },
133	{ IKEV2_XFORMTYPE_DH4, IKEV2_XFORMDH_ECP_52121 },
134	{ IKEV2_XFORMTYPE_DH4, IKEV2_XFORMDH_ECP_38420 },
135	{ IKEV2_XFORMTYPE_DH4, IKEV2_XFORMDH_ECP_25619 },
136	{ IKEV2_XFORMTYPE_DH4, IKEV2_XFORMDH_MODP_409616 },
137	{ IKEV2_XFORMTYPE_DH4, IKEV2_XFORMDH_MODP_307215 },
138	{ IKEV2_XFORMTYPE_DH4, IKEV2_XFORMDH_MODP_204814 },
139	{ IKEV2_XFORMTYPE_DH4, IKEV2_XFORMDH_MODP_15365 },
140	{ IKEV2_XFORMTYPE_DH4, IKEV2_XFORMDH_MODP_10242 },
141	{ 0 }
142	};
143	size_t ikev2_default_nike_transforms_noauth =
144	((sizeof(ikev2_default_ike_transforms_noauth) /
145	sizeof(ikev2_default_ike_transforms_noauth[0])) - 1);
146
147	struct iked_transform ikev2_default_esp_transforms[] = {
148	{ IKEV2_XFORMTYPE_ENCR1, IKEV2_XFORMENCR_AES_CBC12, 256 },
149	{ IKEV2_XFORMTYPE_ENCR1, IKEV2_XFORMENCR_AES_CBC12, 192 },
150	{ IKEV2_XFORMTYPE_ENCR1, IKEV2_XFORMENCR_AES_CBC12, 128 },
151	{ IKEV2_XFORMTYPE_INTEGR3, IKEV2_XFORMAUTH_HMAC_SHA2_256_12812 },
152	{ IKEV2_XFORMTYPE_INTEGR3, IKEV2_XFORMAUTH_HMAC_SHA2_384_19213 },
153	{ IKEV2_XFORMTYPE_INTEGR3, IKEV2_XFORMAUTH_HMAC_SHA2_512_25614 },
154	{ IKEV2_XFORMTYPE_INTEGR3, IKEV2_XFORMAUTH_HMAC_SHA1_962 },
155	{ IKEV2_XFORMTYPE_DH4, IKEV2_XFORMDH_NONE0 },
156	{ IKEV2_XFORMTYPE_ESN5, IKEV2_XFORMESN_ESN1 },
157	{ IKEV2_XFORMTYPE_ESN5, IKEV2_XFORMESN_NONE0 },
158	{ 0 }
159	};
160	size_t ikev2_default_nesp_transforms = ((sizeof(ikev2_default_esp_transforms) /
161	sizeof(ikev2_default_esp_transforms[0])) - 1);
162
163	struct iked_transform ikev2_default_esp_transforms_noauth[] = {
164	{ IKEV2_XFORMTYPE_ENCR1, IKEV2_XFORMENCR_AES_GCM_1620, 128 },
165	{ IKEV2_XFORMTYPE_ENCR1, IKEV2_XFORMENCR_AES_GCM_1620, 256 },
166	{ IKEV2_XFORMTYPE_DH4, IKEV2_XFORMDH_NONE0 },
167	{ IKEV2_XFORMTYPE_ESN5, IKEV2_XFORMESN_ESN1 },
168	{ IKEV2_XFORMTYPE_ESN5, IKEV2_XFORMESN_NONE0 },
169	{ 0 }
170	};
171	size_t ikev2_default_nesp_transforms_noauth =
172	((sizeof(ikev2_default_esp_transforms_noauth) /
173	sizeof(ikev2_default_esp_transforms_noauth[0])) - 1);
174
175	const struct ipsec_xf authxfs[] = {
176	{ "hmac-md5", IKEV2_XFORMAUTH_HMAC_MD5_961, 16 },
177	{ "hmac-sha1", IKEV2_XFORMAUTH_HMAC_SHA1_962, 20 },
178	{ "hmac-sha2-256", IKEV2_XFORMAUTH_HMAC_SHA2_256_12812, 32 },
179	{ "hmac-sha2-384", IKEV2_XFORMAUTH_HMAC_SHA2_384_19213, 48 },
180	{ "hmac-sha2-512", IKEV2_XFORMAUTH_HMAC_SHA2_512_25614, 64 },
181	{ NULL((void *)0) }
182	};
183
184	const struct ipsec_xf prfxfs[] = {
185	{ "hmac-md5", IKEV2_XFORMPRF_HMAC_MD51, 16 },
186	{ "hmac-sha1", IKEV2_XFORMPRF_HMAC_SHA12, 20 },
187	{ "hmac-sha2-256", IKEV2_XFORMPRF_HMAC_SHA2_2565, 32 },
188	{ "hmac-sha2-384", IKEV2_XFORMPRF_HMAC_SHA2_3846, 48 },
189	{ "hmac-sha2-512", IKEV2_XFORMPRF_HMAC_SHA2_5127, 64 },
190	{ NULL((void *)0) }
191	};
192
193	const struct ipsec_xf encxfs = NULL((void )0);
194
195	const struct ipsec_xf ikeencxfs[] = {
196	{ "3des", IKEV2_XFORMENCR_3DES3, 24 },
197	{ "3des-cbc", IKEV2_XFORMENCR_3DES3, 24 },
198	{ "aes-128", IKEV2_XFORMENCR_AES_CBC12, 16, 16 },
199	{ "aes-192", IKEV2_XFORMENCR_AES_CBC12, 24, 24 },
200	{ "aes-256", IKEV2_XFORMENCR_AES_CBC12, 32, 32 },
201	{ "aes-128-gcm", IKEV2_XFORMENCR_AES_GCM_1620, 16, 16, 4, 1 },
202	{ "aes-256-gcm", IKEV2_XFORMENCR_AES_GCM_1620, 32, 32, 4, 1 },
203	{ "aes-128-gcm-12", IKEV2_XFORMENCR_AES_GCM_1219, 16, 16, 4, 1 },
204	{ "aes-256-gcm-12", IKEV2_XFORMENCR_AES_GCM_1219, 32, 32, 4, 1 },
205	{ NULL((void *)0) }
206	};
207
208	const struct ipsec_xf ipsecencxfs[] = {
209	{ "3des", IKEV2_XFORMENCR_3DES3, 24 },
210	{ "3des-cbc", IKEV2_XFORMENCR_3DES3, 24 },
211	{ "aes-128", IKEV2_XFORMENCR_AES_CBC12, 16, 16 },
212	{ "aes-192", IKEV2_XFORMENCR_AES_CBC12, 24, 24 },
213	{ "aes-256", IKEV2_XFORMENCR_AES_CBC12, 32, 32 },
214	{ "aes-128-ctr", IKEV2_XFORMENCR_AES_CTR13, 16, 16, 4 },
215	{ "aes-192-ctr", IKEV2_XFORMENCR_AES_CTR13, 24, 24, 4 },
216	{ "aes-256-ctr", IKEV2_XFORMENCR_AES_CTR13, 32, 32, 4 },
217	{ "aes-128-gcm", IKEV2_XFORMENCR_AES_GCM_1620, 16, 16, 4, 1 },
218	{ "aes-192-gcm", IKEV2_XFORMENCR_AES_GCM_1620, 24, 24, 4, 1 },
219	{ "aes-256-gcm", IKEV2_XFORMENCR_AES_GCM_1620, 32, 32, 4, 1 },
220	{ "aes-128-gmac", IKEV2_XFORMENCR_NULL_AES_GMAC21, 16, 16, 4, 1 },
221	{ "aes-192-gmac", IKEV2_XFORMENCR_NULL_AES_GMAC21, 24, 24, 4, 1 },
222	{ "aes-256-gmac", IKEV2_XFORMENCR_NULL_AES_GMAC21, 32, 32, 4, 1 },
223	{ "blowfish", IKEV2_XFORMENCR_BLOWFISH7, 20, 20 },
224	{ "cast", IKEV2_XFORMENCR_CAST6, 16, 16 },
225	{ "chacha20-poly1305", IKEV2_XFORMENCR_CHACHA20_POLY130528,
226	32, 32, 4, 1 },
227	{ "null", IKEV2_XFORMENCR_NULL11, 0, 0 },
228	{ NULL((void *)0) }
229	};
230
231	const struct ipsec_xf groupxfs[] = {
232	{ "none", IKEV2_XFORMDH_NONE0 },
233	{ "modp768", IKEV2_XFORMDH_MODP_7681 },
234	{ "grp1", IKEV2_XFORMDH_MODP_7681 },
235	{ "modp1024", IKEV2_XFORMDH_MODP_10242 },
236	{ "grp2", IKEV2_XFORMDH_MODP_10242 },
237	{ "modp1536", IKEV2_XFORMDH_MODP_15365 },
238	{ "grp5", IKEV2_XFORMDH_MODP_15365 },
239	{ "modp2048", IKEV2_XFORMDH_MODP_204814 },
240	{ "grp14", IKEV2_XFORMDH_MODP_204814 },
241	{ "modp3072", IKEV2_XFORMDH_MODP_307215 },
242	{ "grp15", IKEV2_XFORMDH_MODP_307215 },
243	{ "modp4096", IKEV2_XFORMDH_MODP_409616 },
244	{ "grp16", IKEV2_XFORMDH_MODP_409616 },
245	{ "modp6144", IKEV2_XFORMDH_MODP_614417 },
246	{ "grp17", IKEV2_XFORMDH_MODP_614417 },
247	{ "modp8192", IKEV2_XFORMDH_MODP_819218 },
248	{ "grp18", IKEV2_XFORMDH_MODP_819218 },
249	{ "ecp256", IKEV2_XFORMDH_ECP_25619 },
250	{ "grp19", IKEV2_XFORMDH_ECP_25619 },
251	{ "ecp384", IKEV2_XFORMDH_ECP_38420 },
252	{ "grp20", IKEV2_XFORMDH_ECP_38420 },
253	{ "ecp521", IKEV2_XFORMDH_ECP_52121 },
254	{ "grp21", IKEV2_XFORMDH_ECP_52121 },
255	{ "ecp192", IKEV2_XFORMDH_ECP_19225 },
256	{ "grp25", IKEV2_XFORMDH_ECP_19225 },
257	{ "ecp224", IKEV2_XFORMDH_ECP_22426 },
258	{ "grp26", IKEV2_XFORMDH_ECP_22426 },
259	{ "brainpool224", IKEV2_XFORMDH_BRAINPOOL_P224R127 },
260	{ "grp27", IKEV2_XFORMDH_BRAINPOOL_P224R127 },
261	{ "brainpool256", IKEV2_XFORMDH_BRAINPOOL_P256R128 },
262	{ "grp28", IKEV2_XFORMDH_BRAINPOOL_P256R128 },
263	{ "brainpool384", IKEV2_XFORMDH_BRAINPOOL_P384R129 },
264	{ "grp29", IKEV2_XFORMDH_BRAINPOOL_P384R129 },
265	{ "brainpool512", IKEV2_XFORMDH_BRAINPOOL_P512R130 },
266	{ "grp30", IKEV2_XFORMDH_BRAINPOOL_P512R130 },
267	{ "curve25519", IKEV2_XFORMDH_CURVE2551931 },
268	{ "grp31", IKEV2_XFORMDH_CURVE2551931 },
269	{ "sntrup761x25519", IKEV2_XFORMDH_X_SNTRUP761X255191035 },
270	{ NULL((void *)0) }
271	};
272
273	const struct ipsec_xf esnxfs[] = {
274	{ "esn", IKEV2_XFORMESN_ESN1 },
275	{ "noesn", IKEV2_XFORMESN_NONE0 },
276	{ NULL((void *)0) }
277	};
278
279	const struct ipsec_xf methodxfs[] = {
280	{ "none", IKEV2_AUTH_NONE0 },
281	{ "rsa", IKEV2_AUTH_RSA_SIG1 },
282	{ "ecdsa256", IKEV2_AUTH_ECDSA_2569 },
283	{ "ecdsa384", IKEV2_AUTH_ECDSA_38410 },
284	{ "ecdsa521", IKEV2_AUTH_ECDSA_52111 },
285	{ "rfc7427", IKEV2_AUTH_SIG14 },
286	{ "signature", IKEV2_AUTH_SIG_ANY255 },
287	{ NULL((void *)0) }
288	};
289
290	const struct ipsec_xf saxfs[] = {
291	{ "esp", IKEV2_SAPROTO_ESP3 },
292	{ "ah", IKEV2_SAPROTO_AH2 },
293	{ NULL((void *)0) }
294	};
295
296	const struct ipsec_xf cpxfs[] = {
297	{ "address", IKEV2_CFG_INTERNAL_IP4_ADDRESS1, AF_INET2 },
298	{ "netmask", IKEV2_CFG_INTERNAL_IP4_NETMASK2, AF_INET2 },
299	{ "name-server", IKEV2_CFG_INTERNAL_IP4_DNS3, AF_INET2 },
300	{ "netbios-server", IKEV2_CFG_INTERNAL_IP4_NBNS4, AF_INET2 },
301	{ "dhcp-server", IKEV2_CFG_INTERNAL_IP4_DHCP6, AF_INET2 },
302	{ "address", IKEV2_CFG_INTERNAL_IP6_ADDRESS8, AF_INET624 },
303	{ "name-server", IKEV2_CFG_INTERNAL_IP6_DNS10, AF_INET624 },
304	{ "netbios-server", IKEV2_CFG_INTERNAL_IP6_NBNS11, AF_INET624 },
305	{ "dhcp-server", IKEV2_CFG_INTERNAL_IP6_DHCP12, AF_INET624 },
306	{ "protected-subnet", IKEV2_CFG_INTERNAL_IP4_SUBNET13, AF_INET2 },
307	{ "protected-subnet", IKEV2_CFG_INTERNAL_IP6_SUBNET15, AF_INET624 },
308	{ "access-server", IKEV2_CFG_INTERNAL_IP4_SERVER23456, AF_INET2 },
309	{ "access-server", IKEV2_CFG_INTERNAL_IP6_SERVER23457, AF_INET624 },
310	{ NULL((void *)0) }
311	};
312
313	const struct iked_lifetime deflifetime = {
314	IKED_LIFETIME_BYTES4294967296,
315	IKED_LIFETIME_SECONDS10800
316	};
317
318	#define IPSEC_ADDR_ANY(0x1) (0x1)
319	#define IPSEC_ADDR_DYNAMIC(0x2) (0x2)
320
321	struct ipsec_addr_wrap {
322	struct sockaddr_storage address;
323	uint8_t mask;
324	int netaddress;
325	sa_family_t af;
326	unsigned int type;
327	unsigned int action;
328	uint16_t port;
329	char *name;
330	struct ipsec_addr_wrap *next;
331	struct ipsec_addr_wrap *tail;
332	struct ipsec_addr_wrap *srcnat;
333	};
334
335	struct ipsec_hosts {
336	struct ipsec_addr_wrap *src;
337	struct ipsec_addr_wrap *dst;
338	};
339
340	struct ipsec_filters {
341	char *tag;
342	unsigned int tap;
343	};
344
345	void copy_sockaddrtoipa(struct ipsec_addr_wrap *,
346	struct sockaddr *);
347	struct ipsec_addr_wrap host(const char );
348	struct ipsec_addr_wrap host_ip(const char , int);
349	struct ipsec_addr_wrap host_dns(const char , int);
350	struct ipsec_addr_wrap host_if(const char , int);
351	struct ipsec_addr_wrap *host_any(void);
352	struct ipsec_addr_wrap *host_dynamic(void);
353	void ifa_load(void);
354	int ifa_exists(const char *);
355	struct ipsec_addr_wrap ifa_lookup(const char ifa_name);
356	struct ipsec_addr_wrap ifa_grouplookup(const char );
357	void set_ipmask(struct ipsec_addr_wrap *, int);
358	const struct ipsec_xf parse_xf(const char , unsigned int,
359	const struct ipsec_xf *);
360	void copy_transforms(unsigned int,
361	const struct ipsec_xf **, unsigned int,
362	struct iked_transform *, unsigned int ,
363	struct iked_transform *, size_t);
364	int create_ike(char , int, struct ipsec_addr_wrap ,
365	int, struct ipsec_hosts *,
366	struct ipsec_hosts , struct ipsec_mode ,
367	struct ipsec_mode *, uint8_t,
368	uint8_t, char , char ,
369	uint32_t, struct iked_lifetime *,
370	struct iked_auth , struct ipsec_filters ,
371	struct ipsec_addr_wrap , char );
372	int create_user(const char , const char );
373	int get_id_type(char *);
374	uint8_t x2i(unsigned char *);
375	int parsekey(unsigned char , size_t, struct iked_auth );
376	int parsekeyfile(char , struct iked_auth );
377	void iaw_free(struct ipsec_addr_wrap *);
378	static int create_flow(struct iked_policy pol, int, struct ipsec_addr_wrap ipa,
379	struct ipsec_addr_wrap *ipb);
380	static int expand_flows(struct iked_policy , int, struct ipsec_addr_wrap ,
381	struct ipsec_addr_wrap *);
382	static struct ipsec_addr_wrap *
383	expand_keyword(struct ipsec_addr_wrap *);
384
385	struct ipsec_transforms *ipsec_transforms;
386	struct ipsec_filters *ipsec_filters;
387	struct ipsec_mode *ipsec_mode;
388	/* interface lookup routintes */
389	struct ipsec_addr_wrap *iftab;
390
391	typedef struct {
392	union {
393	int64_t number;
394	uint8_t ikemode;
395	uint8_t dir;
396	uint8_t satype;
397	char *string;
398	uint16_t port;
399	struct ipsec_hosts *hosts;
400	struct ipsec_hosts peers;
401	struct ipsec_addr_wrap *anyhost;
402	struct ipsec_addr_wrap *host;
403	struct ipsec_addr_wrap *cfg;
404	struct ipsec_addr_wrap *proto;
405	struct {
406	char *srcid;
407	char *dstid;
408	} ids;
409	char *id;
410	uint8_t type;
411	struct iked_lifetime lifetime;
412	struct iked_auth ikeauth;
413	struct iked_auth ikekey;
414	struct ipsec_transforms *transforms;
415	struct ipsec_filters *filters;
416	struct ipsec_mode *mode;
417	} v;
418	int lineno;
419	} YYSTYPE;
420
421	#line 422 "parse.c"
422	#define FROM257 257
423	#define ESP258 258
424	#define AH259 259
425	#define IN260 260
426	#define PEER261 261
427	#define ON262 262
428	#define OUT263 263
429	#define TO264 264
430	#define SRCID265 265
431	#define DSTID266 266
432	#define PSK267 267
433	#define PORT268 268
434	#define FILENAME269 269
435	#define AUTHXF270 270
436	#define PRFXF271 271
437	#define ENCXF272 272
438	#define ERROR273 273
439	#define IKEV2274 274
440	#define IKESA275 275
441	#define CHILDSA276 276
442	#define ESN277 277
443	#define NOESN278 278
444	#define PASSIVE279 279
445	#define ACTIVE280 280
446	#define ANY281 281
447	#define TAG282 282
448	#define TAP283 283
449	#define PROTO284 284
450	#define LOCAL285 285
451	#define GROUP286 286
452	#define NAME287 287
453	#define CONFIG288 288
454	#define EAP289 289
455	#define USER290 290
456	#define IKEV1291 291
457	#define FLOW292 292
458	#define SA293 293
459	#define TCPMD5294 294
460	#define TUNNEL295 295
461	#define TRANSPORT296 296
462	#define COUPLE297 297
463	#define DECOUPLE298 298
464	#define SET299 299
465	#define INCLUDE300 300
466	#define LIFETIME301 301
467	#define BYTES302 302
468	#define INET303 303
469	#define INET6304 304
470	#define QUICK305 305
471	#define SKIP306 306
472	#define DEFAULT307 307
473	#define IPCOMP308 308
474	#define OCSP309 309
475	#define IKELIFETIME310 310
476	#define MOBIKE311 311
477	#define NOMOBIKE312 312
478	#define RDOMAIN313 313
479	#define FRAGMENTATION314 314
480	#define NOFRAGMENTATION315 315
481	#define DPD_CHECK_INTERVAL316 316
482	#define ENFORCESINGLEIKESA317 317
483	#define NOENFORCESINGLEIKESA318 318
484	#define STICKYADDRESS319 319
485	#define NOSTICKYADDRESS320 320
486	#define TOLERATE321 321
487	#define MAXAGE322 322
488	#define DYNAMIC323 323
489	#define CERTPARTIALCHAIN324 324
490	#define REQUEST325 325
491	#define IFACE326 326
492	#define STRING327 327
493	#define NUMBER328 328
494	#define YYERRCODE256 256
495	const short yylhs[] =
496	{ -1,
497	0, 0, 0, 0, 0, 0, 0, 0, 0, 46,
498	46, 39, 40, 40, 40, 40, 40, 40, 40, 40,
499	40, 40, 40, 40, 40, 40, 40, 40, 40, 41,
500	42, 36, 36, 37, 37, 35, 35, 33, 33, 2,
501	2, 2, 10, 10, 10, 3, 3, 3, 4, 4,
502	5, 5, 11, 11, 7, 7, 6, 6, 8, 8,
503	9, 9, 12, 12, 12, 12, 12, 13, 13, 15,
504	15, 14, 14, 14, 14, 16, 16, 16, 16, 17,
505	48, 18, 18, 47, 47, 49, 49, 49, 49, 49,
506	38, 38, 51, 27, 27, 50, 50, 53, 52, 55,
507	28, 28, 54, 54, 57, 56, 20, 21, 21, 21,
508	21, 22, 22, 22, 23, 23, 24, 24, 24, 25,
509	25, 25, 25, 30, 30, 31, 31, 29, 29, 29,
510	32, 32, 26, 26, 59, 19, 19, 58, 58, 60,
511	60, 34, 34, 1, 1, 43, 44, 44, 44, 44,
512	61, 61, 61, 61, 61, 45,
513	};
514	const short yylen[] =
515	{ 2,
516	0, 3, 2, 3, 3, 3, 3, 4, 3, 1,
517	0, 2, 2, 2, 2, 2, 2, 2, 2, 2,
518	2, 2, 2, 2, 3, 5, 7, 2, 3, 3,
519	18, 0, 1, 1, 2, 3, 3, 0, 1, 0,
520	1, 1, 0, 1, 1, 0, 2, 4, 1, 3,
521	1, 1, 0, 2, 1, 3, 6, 6, 0, 2,
522	1, 1, 0, 4, 4, 2, 2, 1, 1, 1,
523	3, 1, 4, 1, 1, 0, 4, 2, 2, 1,
524	0, 2, 0, 2, 1, 2, 2, 2, 2, 1,
525	1, 1, 0, 2, 0, 2, 1, 0, 3, 0,
526	2, 0, 2, 1, 0, 3, 4, 0, 1, 1,
527	1, 0, 1, 1, 0, 1, 0, 1, 1, 0,
528	2, 2, 1, 1, 1, 1, 1, 0, 2, 4,
529	0, 2, 1, 2, 0, 2, 0, 2, 1, 2,
530	2, 0, 2, 2, 1, 3, 1, 1, 1, 1,
531	1, 1, 1, 1, 1, 0,
532	};
533	const short yydefred[] =
534	{ 1,
535	0, 0, 152, 153, 0, 0, 147, 149, 151, 150,
536	154, 155, 0, 0, 0, 3, 0, 0, 0, 0,
537	0, 156, 148, 9, 39, 0, 0, 14, 13, 15,
538	16, 0, 19, 20, 17, 18, 0, 21, 22, 23,
539	24, 28, 12, 0, 2, 4, 5, 6, 7, 0,
540	109, 110, 111, 0, 0, 30, 0, 29, 145, 0,
541	8, 41, 42, 0, 113, 114, 0, 0, 144, 44,
542	45, 0, 116, 0, 127, 126, 0, 0, 0, 118,
543	119, 107, 0, 51, 52, 0, 47, 0, 0, 27,
544	0, 49, 54, 0, 0, 55, 0, 10, 48, 0,
545	74, 75, 0, 0, 0, 0, 0, 0, 0, 0,
546	50, 0, 0, 0, 0, 0, 69, 0, 68, 0,
547	0, 0, 56, 71, 61, 62, 60, 0, 0, 0,
548	0, 0, 0, 0, 98, 0, 97, 0, 73, 0,
549	64, 65, 0, 0, 0, 105, 0, 104, 0, 96,
550	57, 58, 80, 0, 79, 0, 0, 0, 103, 99,
551	0, 0, 132, 0, 0, 106, 0, 0, 0, 91,
552	92, 0, 90, 0, 85, 77, 0, 0, 0, 123,
553	0, 86, 88, 87, 89, 84, 0, 0, 133, 121,
554	122, 0, 0, 34, 0, 0, 125, 124, 130, 134,
555	0, 0, 0, 0, 35, 36, 37, 143, 31, 0,
556	0, 0, 0, 139, 140, 141, 138,
557	};
558	const short yydgoto[] =
559	{ 1,
560	60, 64, 79, 91, 87, 96, 97, 114, 127, 72,
561	89, 109, 118, 104, 119, 145, 154, 160, 209, 54,
562	55, 67, 74, 82, 181, 190, 121, 133, 165, 199,
563	77, 157, 26, 204, 194, 195, 196, 173, 17, 18,
564	19, 20, 21, 22, 50, 100, 174, 161, 175, 136,
565	122, 137, 149, 147, 134, 148, 158, 213, 210, 214,
566	23,
567	};
568	const short yysindex[] =
569	{ 0,
570	184, 13, 0, 0, -302, -289, 0, 0, 0, 0,
571	0, 0, -89, -269, -5, 0, 50, 59, 66, 71,
572	74, 0, 0, 0, 0, -233, -228, 0, 0, 0,
573	0, -223, 0, 0, 0, 0, -239, 0, 0, 0,
574	0, 0, 0, -218, 0, 0, 0, 0, 0, 122,
575	0, 0, 0, -216, -200, 0, -180, 0, 0, -183,
576	0, 0, 0, -192, 0, 0, -158, -226, 0, 0,
577	0, -123, 0, -174, 0, 0, -160, -121, -150, 0,
578	0, 0, -226, 0, 0, -203, 0, -162, -238, 0,
579	-38, 0, 0, -270, -270, 0, -43, 0, 0, -203,
580	0, 0, 123, -97, 134, -97, -268, -268, 0, -238,
581	0, -149, -190, -86, -147, -74, 0, -101, 0, -73,
582	0, -83, 0, 0, 0, 0, 0, -270, 145, -270,
583	-268, -268, -120, -87, 0, -83, 0, -97, 0, -97,
584	0, 0, -140, -140, -117, 0, -87, 0, 0, 0,
585	0, 0, 0, -68, 0, -226, -102, 0, 0, 0,
586	-75, -140, 0, -226, -257, 0, -127, -126, -115, 0,
587	0, -114, 0, -75, 0, 0, -98, -262, -113, 0,
588	-271, 0, 0, 0, 0, 0, -179, -112, 0, 0,
589	0, -111, -110, 0, -116, -271, 0, 0, 0, 0,
590	-147, -268, -108, 0, 0, 0, 0, 0, 0, -125,
591	-106, -103, -125, 0, 0, 0, 0,};
592	const short yyrindex[] =
593	{ 0,
594	0, 0, 0, 0, -213, 0, 0, 0, 0, 0,
595	0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
596	0, 0, 0, 0, 0, -161, 0, 0, 0, 0,
597	0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
598	0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
599	0, 0, 0, -196, -131, 0, 195, 0, 0, 222,
600	0, 0, 0, -236, 0, 0, -128, 0, 0, 0,
601	0, -249, 0, -144, 0, 0, 223, 0, -202, 0,
602	0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
603	-173, 0, 0, 0, 0, 0, 171, 0, 0, 0,
604	0, 0, -10, -28, 19, -19, 0, 0, 224, 0,
605	0, 0, 0, 0, 0, 0, 0, 227, 0, 257,
606	323, 0, 0, 0, 0, 0, 0, 0, 0, 0,
607	0, 0, 358, 0, 0, 355, 0, 95, 0, 95,
608	0, 0, 0, 0, 372, 0, 369, 0, 65, 0,
609	0, 0, 0, 404, 0, 0, 106, 141, 0, 0,
610	0, 0, 0, 0, 75, 0, 0, 0, 0, 0,
611	0, 0, 0, 303, 0, 0, 238, 0, 0, 0,
612	-1, 0, 0, 0, 0, 0, 0, 0, 0, 0,
613	0, 0, 0, 0, 6, 23, 0, 0, 0, 0,
614	0, 0, 0, 10, 0, 0, 0, 0, 0, 0,
615	0, 0, 229, 0, 0, 0, 0,};
616	const short yygindex[] =
617	{ 0,
618	0, 0, 0, 0, -59, 130, 0, -88, 0, 0,
619	0, 0, -96, -81, -91, 0, -122, 83, 0, 0,
620	0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
621	-78, 0, 0, 0, 47, 0, 0, 0, 0, 0,
622	0, 0, 0, 0, 0, 147, 0, 0, 72, 0,
623	0, 109, 0, 0, 0, 102, 0, 0, 0, 37,
624	0,
625	};
626	#define YYTABLESIZE731 731
627	const short yytable[] =
628	{ 70,
629	98, 86, 105, 105, 90, 98, 188, 46, 32, 178,
630	101, 120, 117, 106, 46, 142, 192, 116, 94, 137,
631	43, 155, 24, 129, 25, 95, 92, 43, 72, 70,
632	70, 179, 33, 70, 141, 142, 105, 27, 105, 176,
633	111, 62, 63, 38, 38, 38, 138, 43, 140, 151,
634	38, 152, 102, 193, 53, 44, 103, 43, 103, 45,
635	40, 53, 72, 46, 189, 38, 38, 40, 46, 180,
636	38, 51, 52, 53, 83, 47, 43, 163, 65, 66,
637	48, 38, 38, 49, 120, 177, 99, 40, 58, 38,
638	38, 38, 38, 38, 38, 108, 108, 108, 56, 38,
639	75, 76, 108, 57, 59, 207, 40, 40, 59, 206,
640	70, 71, 117, 117, 117, 128, 40, 108, 108, 117,
641	80, 81, 108, 84, 85, 112, 112, 112, 115, 115,
642	115, 61, 112, 108, 108, 115, 125, 126, 59, 117,
643	68, 108, 108, 69, 143, 144, 108, 197, 198, 73,
644	83, 108, 112, 11, 11, 115, 211, 212, 117, 117,
645	78, 83, 88, 112, 112, 93, 115, 115, 117, 112,
646	113, 112, 112, 115, 115, 115, 112, 128, 124, 103,
647	63, 112, 130, 131, 115, 139, 153, 132, 146, 28,
648	29, 135, 156, 16, 167, 168, 169, 162, 164, 182,
649	183, 170, 171, 187, 25, 84, 85, 30, 31, 203,
650	172, 184, 185, 191, 200, 201, 202, 107, 208, 32,
651	215, 33, 34, 216, 35, 36, 37, 38, 39, 40,
652	41, 146, 26, 95, 42, 59, 66, 59, 136, 123,
653	166, 108, 205, 110, 150, 186, 70, 129, 159, 217,
654	70, 0, 0, 70, 70, 70, 70, 70, 0, 0,
655	0, 0, 0, 0, 70, 70, 67, 0, 0, 0,
656	0, 70, 70, 0, 70, 72, 0, 70, 70, 72,
657	32, 32, 72, 72, 72, 72, 72, 142, 142, 0,
658	70, 135, 135, 72, 72, 0, 0, 0, 0, 70,
659	72, 72, 0, 72, 33, 33, 72, 72, 0, 0,
660	0, 0, 82, 0, 70, 70, 70, 0, 0, 72,
661	0, 0, 0, 0, 32, 0, 0, 0, 72, 83,
662	83, 83, 102, 0, 81, 81, 81, 0, 0, 83,
663	83, 81, 81, 72, 72, 72, 83, 83, 33, 0,
664	81, 59, 83, 83, 0, 59, 120, 120, 59, 59,
665	59, 59, 120, 0, 94, 83, 0, 76, 0, 59,
666	59, 0, 128, 0, 83, 0, 59, 59, 101, 59,
667	0, 131, 59, 59, 0, 0, 0, 128, 128, 83,
668	83, 83, 0, 128, 128, 59, 0, 0, 0, 120,
669	120, 0, 0, 0, 59, 83, 83, 83, 0, 0,
670	81, 81, 81, 78, 0, 0, 83, 81, 81, 59,
671	59, 59, 83, 83, 0, 0, 81, 11, 83, 83,
672	128, 128, 128, 0, 11, 63, 63, 63, 0, 2,
673	3, 83, 0, 0, 0, 63, 63, 4, 0, 0,
674	83, 0, 63, 63, 0, 0, 0, 5, 63, 63,
675	0, 0, 0, 0, 0, 83, 83, 83, 0, 0,
676	0, 63, 0, 6, 7, 8, 9, 10, 11, 12,
677	63, 0, 13, 14, 0, 0, 0, 0, 95, 95,
678	95, 66, 66, 66, 0, 63, 63, 63, 93, 95,
679	0, 66, 66, 0, 129, 95, 95, 0, 66, 66,
680	15, 95, 95, 0, 66, 66, 0, 0, 0, 129,
681	129, 67, 67, 67, 95, 129, 129, 66, 0, 0,
682	0, 67, 67, 95, 0, 0, 66, 0, 67, 67,
683	0, 0, 0, 0, 67, 67, 0, 0, 95, 95,
684	95, 66, 66, 66, 0, 0, 0, 67, 0, 0,
685	0, 0, 129, 129, 129, 0, 67, 82, 82, 82,
686	0, 0, 0, 0, 0, 0, 0, 82, 82, 0,
687	0, 67, 67, 67, 82, 82, 0, 102, 102, 102,
688	82, 82, 0, 0, 0, 0, 0, 0, 100, 0,
689	0, 0, 0, 82, 102, 102, 0, 0, 0, 0,
690	102, 102, 82, 0, 0, 0, 0, 0, 0, 94,
691	94, 94, 0, 102, 76, 0, 0, 82, 82, 82,
692	94, 0, 102, 101, 101, 101, 94, 94, 131, 76,
693	76, 0, 94, 94, 0, 76, 76, 102, 102, 102,
694	101, 101, 0, 131, 131, 94, 101, 101, 76, 131,
695	131, 0, 0, 0, 94, 0, 0, 76, 0, 101,
696	78, 0, 131, 0, 0, 0, 0, 0, 101, 94,
697	94, 94, 76, 76, 76, 78, 78, 0, 0, 0,
698	0, 78, 78, 101, 101, 101, 131, 131, 131, 0,
699	0, 0, 0, 0, 78, 0, 0, 0, 0, 0,
700	0, 0, 0, 78, 0, 0, 0, 0, 0, 0,
701	0, 0, 0, 0, 0, 0, 0, 0, 78, 78,
702	78,
703	};
704	const short yycheck[] =
705	{ 10,
706	44, 123, 94, 95, 83, 44, 269, 257, 10, 267,
707	281, 108, 281, 95, 264, 10, 288, 106, 257, 10,
708	257, 144, 10, 115, 327, 264, 86, 264, 10, 40,
709	41, 289, 10, 44, 131, 132, 128, 327, 130, 162,
710	100, 258, 259, 257, 258, 259, 128, 284, 130, 138,
711	264, 140, 323, 325, 257, 61, 327, 327, 327, 10,
712	257, 264, 44, 313, 327, 279, 280, 264, 10, 327,
713	284, 305, 306, 307, 10, 10, 313, 156, 279, 280,
714	10, 295, 296, 10, 10, 164, 125, 284, 328, 303,
715	304, 305, 306, 307, 308, 257, 258, 259, 327, 313,
716	327, 328, 264, 327, 10, 202, 303, 304, 327, 201,
717	303, 304, 257, 258, 259, 10, 313, 279, 280, 264,
718	295, 296, 284, 327, 328, 257, 258, 259, 257, 258,
719	259, 10, 264, 295, 296, 264, 327, 328, 44, 284,
720	321, 303, 304, 327, 265, 266, 308, 327, 328, 308,
721	10, 313, 284, 327, 328, 284, 282, 283, 303, 304,
722	284, 322, 313, 295, 296, 328, 295, 296, 313, 47,
723	268, 303, 304, 40, 303, 304, 308, 264, 328, 327,
724	10, 313, 257, 285, 313, 41, 327, 261, 276, 279,
725	280, 275, 310, 10, 270, 271, 272, 266, 301, 327,
726	327, 277, 278, 302, 10, 327, 328, 297, 298, 326,
727	286, 327, 327, 327, 327, 327, 327, 261, 327, 309,
728	327, 311, 312, 327, 314, 315, 316, 317, 318, 319,
729	320, 10, 10, 10, 324, 264, 10, 257, 10, 110,
730	158, 285, 196, 97, 136, 174, 257, 10, 147, 213,
731	261, -1, -1, 264, 265, 266, 267, 268, -1, -1,
732	-1, -1, -1, -1, 275, 276, 10, -1, -1, -1,
733	-1, 282, 283, -1, 285, 257, -1, 288, 289, 261,
734	282, 283, 264, 265, 266, 267, 268, 282, 283, -1,
735	301, 282, 283, 275, 276, -1, -1, -1, -1, 310,
736	282, 283, -1, 285, 282, 283, 288, 289, -1, -1,
737	-1, -1, 10, -1, 325, 326, 327, -1, -1, 301,
738	-1, -1, -1, -1, 326, -1, -1, -1, 310, 265,
739	266, 267, 10, -1, 270, 271, 272, -1, -1, 275,
740	276, 277, 278, 325, 326, 327, 282, 283, 326, -1,
741	286, 257, 288, 289, -1, 261, 282, 283, 264, 265,
742	266, 267, 288, -1, 10, 301, -1, 10, -1, 275,
743	276, -1, 267, -1, 310, -1, 282, 283, 10, 285,
744	-1, 10, 288, 289, -1, -1, -1, 282, 283, 325,
745	326, 327, -1, 288, 289, 301, -1, -1, -1, 325,
746	326, -1, -1, -1, 310, 265, 266, 267, -1, -1,
747	270, 271, 272, 10, -1, -1, 276, 277, 278, 325,
748	326, 327, 282, 283, -1, -1, 286, 257, 288, 289,
749	325, 326, 327, -1, 264, 265, 266, 267, -1, 256,
750	257, 301, -1, -1, -1, 275, 276, 264, -1, -1,
751	310, -1, 282, 283, -1, -1, -1, 274, 288, 289,
752	-1, -1, -1, -1, -1, 325, 326, 327, -1, -1,
753	-1, 301, -1, 290, 291, 292, 293, 294, 295, 296,
754	310, -1, 299, 300, -1, -1, -1, -1, 265, 266,
755	267, 265, 266, 267, -1, 325, 326, 327, 275, 276,
756	-1, 275, 276, -1, 267, 282, 283, -1, 282, 283,
757	327, 288, 289, -1, 288, 289, -1, -1, -1, 282,
758	283, 265, 266, 267, 301, 288, 289, 301, -1, -1,
759	-1, 275, 276, 310, -1, -1, 310, -1, 282, 283,
760	-1, -1, -1, -1, 288, 289, -1, -1, 325, 326,
761	327, 325, 326, 327, -1, -1, -1, 301, -1, -1,
762	-1, -1, 325, 326, 327, -1, 310, 265, 266, 267,
763	-1, -1, -1, -1, -1, -1, -1, 275, 276, -1,
764	-1, 325, 326, 327, 282, 283, -1, 265, 266, 267,
765	288, 289, -1, -1, -1, -1, -1, -1, 276, -1,
766	-1, -1, -1, 301, 282, 283, -1, -1, -1, -1,
767	288, 289, 310, -1, -1, -1, -1, -1, -1, 265,
768	266, 267, -1, 301, 267, -1, -1, 325, 326, 327,
769	276, -1, 310, 265, 266, 267, 282, 283, 267, 282,
770	283, -1, 288, 289, -1, 288, 289, 325, 326, 327,
771	282, 283, -1, 282, 283, 301, 288, 289, 301, 288,
772	289, -1, -1, -1, 310, -1, -1, 310, -1, 301,
773	267, -1, 301, -1, -1, -1, -1, -1, 310, 325,
774	326, 327, 325, 326, 327, 282, 283, -1, -1, -1,
775	-1, 288, 289, 325, 326, 327, 325, 326, 327, -1,
776	-1, -1, -1, -1, 301, -1, -1, -1, -1, -1,
777	-1, -1, -1, 310, -1, -1, -1, -1, -1, -1,
778	-1, -1, -1, -1, -1, -1, -1, -1, 325, 326,
779	327,
780	};
781	#define YYFINAL1 1
782	#ifndef YYDEBUG0
783	#define YYDEBUG0 0
784	#endif
785	#define YYMAXTOKEN328 328
786	#if YYDEBUG0
787	const char * const yyname[] =
788	{
789	"end-of-file",0,0,0,0,0,0,0,0,0,"'\\n'",0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
790	0,0,0,0,0,0,0,0,0,"'('","')'",0,0,"','",0,0,"'/'",0,0,0,0,0,0,0,0,0,0,0,0,0,
791	"'='",0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
792	0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,"'{'",0,"'}'",0,0,0,0,0,0,0,0,0,
793	0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
794	0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
795	0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
796	0,0,"FROM","ESP","AH","IN","PEER","ON","OUT","TO","SRCID","DSTID","PSK","PORT",
797	"FILENAME","AUTHXF","PRFXF","ENCXF","ERROR","IKEV2","IKESA","CHILDSA","ESN",
798	"NOESN","PASSIVE","ACTIVE","ANY","TAG","TAP","PROTO","LOCAL","GROUP","NAME",
799	"CONFIG","EAP","USER","IKEV1","FLOW","SA","TCPMD5","TUNNEL","TRANSPORT",
800	"COUPLE","DECOUPLE","SET","INCLUDE","LIFETIME","BYTES","INET","INET6","QUICK",
801	"SKIP","DEFAULT","IPCOMP","OCSP","IKELIFETIME","MOBIKE","NOMOBIKE","RDOMAIN",
802	"FRAGMENTATION","NOFRAGMENTATION","DPD_CHECK_INTERVAL","ENFORCESINGLEIKESA",
803	"NOENFORCESINGLEIKESA","STICKYADDRESS","NOSTICKYADDRESS","TOLERATE","MAXAGE",
804	"DYNAMIC","CERTPARTIALCHAIN","REQUEST","IFACE","STRING","NUMBER",
805	};
806	const char * const yyrule[] =
807	{"$accept : grammar",
808	"grammar :",
809	"grammar : grammar include '\\n'",
810	"grammar : grammar '\\n'",
811	"grammar : grammar set '\\n'",
812	"grammar : grammar user '\\n'",
813	"grammar : grammar ikev2rule '\\n'",
814	"grammar : grammar varset '\\n'",
815	"grammar : grammar otherrule skipline '\\n'",
816	"grammar : grammar error '\\n'",
817	"comma : ','",
818	"comma :",
819	"include : INCLUDE STRING",
820	"set : SET ACTIVE",
821	"set : SET PASSIVE",
822	"set : SET COUPLE",
823	"set : SET DECOUPLE",
824	"set : SET FRAGMENTATION",
825	"set : SET NOFRAGMENTATION",
826	"set : SET MOBIKE",
827	"set : SET NOMOBIKE",
828	"set : SET ENFORCESINGLEIKESA",
829	"set : SET NOENFORCESINGLEIKESA",
830	"set : SET STICKYADDRESS",
831	"set : SET NOSTICKYADDRESS",
832	"set : SET OCSP STRING",
833	"set : SET OCSP STRING TOLERATE time_spec",
834	"set : SET OCSP STRING TOLERATE time_spec MAXAGE time_spec",
835	"set : SET CERTPARTIALCHAIN",
836	"set : SET DPD_CHECK_INTERVAL NUMBER",
837	"user : USER STRING STRING",
838	"ikev2rule : IKEV2 name ikeflags satype af proto rdomain hosts_list peers ike_sas child_sas ids ikelifetime lifetime ikeauth ikecfg iface filters",
839	"ikecfg :",
840	"ikecfg : ikecfgvals",
841	"ikecfgvals : cfg",
842	"ikecfgvals : ikecfgvals cfg",
843	"cfg : CONFIG STRING host_spec",
844	"cfg : REQUEST STRING anyhost",
845	"name :",
846	"name : STRING",
847	"satype :",
848	"satype : ESP",
849	"satype : AH",
850	"af :",
851	"af : INET",
852	"af : INET6",
853	"proto :",
854	"proto : PROTO protoval",
855	"proto : PROTO '{' proto_list '}'",
856	"proto_list : protoval",
857	"proto_list : proto_list comma protoval",
858	"protoval : STRING",
859	"protoval : NUMBER",
860	"rdomain :",
861	"rdomain : RDOMAIN NUMBER",
862	"hosts_list : hosts",
863	"hosts_list : hosts_list comma hosts",
864	"hosts : FROM host port TO host port",
865	"hosts : TO host port FROM host port",
866	"port :",
867	"port : PORT portval",
868	"portval : STRING",
869	"portval : NUMBER",
870	"peers :",
871	"peers : PEER anyhost LOCAL anyhost",
872	"peers : LOCAL anyhost PEER anyhost",
873	"peers : PEER anyhost",
874	"peers : LOCAL anyhost",
875	"anyhost : host_spec",
876	"anyhost : ANY",
877	"host_spec : STRING",
878	"host_spec : STRING '/' NUMBER",
879	"host : host_spec",
880	"host : host_spec '(' host_spec ')'",
881	"host : ANY",
882	"host : DYNAMIC",
883	"ids :",
884	"ids : SRCID id DSTID id",
885	"ids : SRCID id",
886	"ids : DSTID id",
887	"id : STRING",
888	"$$1 :",
889	"transforms : $$1 transforms_l",
890	"transforms :",
891	"transforms_l : transforms_l transform",
892	"transforms_l : transform",
893	"transform : AUTHXF STRING",
894	"transform : ENCXF STRING",
895	"transform : PRFXF STRING",
896	"transform : GROUP STRING",
897	"transform : transform_esn",
898	"transform_esn : ESN",
899	"transform_esn : NOESN",
900	"$$2 :",
901	"ike_sas : $$2 ike_sas_l",
902	"ike_sas :",
903	"ike_sas_l : ike_sas_l ike_sa",
904	"ike_sas_l : ike_sa",
905	"$$3 :",
906	"ike_sa : IKESA $$3 transforms",
907	"$$4 :",
908	"child_sas : $$4 child_sas_l",
909	"child_sas :",
910	"child_sas_l : child_sas_l child_sa",
911	"child_sas_l : child_sa",
912	"$$5 :",
913	"child_sa : CHILDSA $$5 transforms",
914	"ikeflags : ikematch ikemode ipcomp tmode",
915	"ikematch :",
916	"ikematch : QUICK",
917	"ikematch : SKIP",
918	"ikematch : DEFAULT",
919	"ikemode :",
920	"ikemode : PASSIVE",
921	"ikemode : ACTIVE",
922	"ipcomp :",
923	"ipcomp : IPCOMP",
924	"tmode :",
925	"tmode : TUNNEL",
926	"tmode : TRANSPORT",
927	"ikeauth :",
928	"ikeauth : PSK keyspec",
929	"ikeauth : EAP STRING",
930	"ikeauth : STRING",
931	"byte_spec : NUMBER",
932	"byte_spec : STRING",
933	"time_spec : NUMBER",
934	"time_spec : STRING",
935	"lifetime :",
936	"lifetime : LIFETIME time_spec",
937	"lifetime : LIFETIME time_spec BYTES byte_spec",
938	"ikelifetime :",
939	"ikelifetime : IKELIFETIME time_spec",
940	"keyspec : STRING",
941	"keyspec : FILENAME STRING",
942	"$$6 :",
943	"filters : $$6 filters_l",
944	"filters :",
945	"filters_l : filters_l filter",
946	"filters_l : filter",
947	"filter : TAG STRING",
948	"filter : TAP STRING",
949	"iface :",
950	"iface : IFACE STRING",
951	"string : string STRING",
952	"string : STRING",
953	"varset : STRING '=' string",
954	"otherrule : IKEV1",
955	"otherrule : sarule",
956	"otherrule : FLOW",
957	"otherrule : TCPMD5",
958	"sarule : SA",
959	"sarule : FROM",
960	"sarule : TO",
961	"sarule : TUNNEL",
962	"sarule : TRANSPORT",
963	"skipline :",
964	};
965	#endif
966	#ifdef YYSTACKSIZE10000
967	#undef YYMAXDEPTH10000
968	#define YYMAXDEPTH10000 YYSTACKSIZE10000
969	#else
970	#ifdef YYMAXDEPTH10000
971	#define YYSTACKSIZE10000 YYMAXDEPTH10000
972	#else
973	#define YYSTACKSIZE10000 10000
974	#define YYMAXDEPTH10000 10000
975	#endif
976	#endif
977	#define YYINITSTACKSIZE200 200
978	/* LINTUSED */
979	int yydebug;
980	int yynerrs;
981	int yyerrflag;
982	int yychar;
983	short *yyssp;
984	YYSTYPE *yyvsp;
985	YYSTYPE yyval;
986	YYSTYPE yylval;
987	short *yyss;
988	short *yysslim;
989	YYSTYPE *yyvs;
990	unsigned int yystacksize;
991	int yyparse(void);
992	#line 1294 "/usr/src/sbin/iked/parse.y"
993
994	struct keywords {
995	const char *k_name;
996	int k_val;
997	};
998
999	void
1000	copy_sockaddrtoipa(struct ipsec_addr_wrap ipa, struct sockaddr sa)
1001	{
1002	if (sa->sa_family == AF_INET624)
1003	memcpy(&ipa->address, sa, sizeof(struct sockaddr_in6));
1004	else if (sa->sa_family == AF_INET2)
1005	memcpy(&ipa->address, sa, sizeof(struct sockaddr_in));
1006	else
1007	warnx("unhandled af %d", sa->sa_family);
1008	}
1009
1010	int
1011	yyerror(const char *fmt, ...)
1012	{
1013	va_list ap;
1014
1015	file->errors++;
1016	va_start(ap, fmt)__builtin_va_start(ap, fmt);
1017	fprintf(stderr(&__sF[2]), "%s: %d: ", file->name, yylval.lineno);
1018	vfprintf(stderr(&__sF[2]), fmt, ap);
1019	fprintf(stderr(&__sF[2]), "\n");
1020	va_end(ap)__builtin_va_end(ap);
1021	return (0);
1022	}
1023
1024	int
1025	kw_cmp(const void k, const void e)
1026	{
1027	return (strcmp(k, ((const struct keywords *)e)->k_name));
1028	}
1029
1030	int
1031	lookup(char *s)
1032	{
1033	/* this has to be sorted always */
1034	static const struct keywords keywords[] = {
1035	{ "active", ACTIVE280 },
1036	{ "ah", AH259 },
1037	{ "any", ANY281 },
1038	{ "auth", AUTHXF270 },
1039	{ "bytes", BYTES302 },
1040	{ "cert_partial_chain", CERTPARTIALCHAIN324 },
1041	{ "childsa", CHILDSA276 },
1042	{ "config", CONFIG288 },
1043	{ "couple", COUPLE297 },
1044	{ "decouple", DECOUPLE298 },
1045	{ "default", DEFAULT307 },
1046	{ "dpd_check_interval", DPD_CHECK_INTERVAL316 },
1047	{ "dstid", DSTID266 },
1048	{ "dynamic", DYNAMIC323 },
1049	{ "eap", EAP289 },
1050	{ "enc", ENCXF272 },
1051	{ "enforcesingleikesa", ENFORCESINGLEIKESA317 },
1052	{ "esn", ESN277 },
1053	{ "esp", ESP258 },
1054	{ "file", FILENAME269 },
1055	{ "flow", FLOW292 },
1056	{ "fragmentation", FRAGMENTATION314 },
1057	{ "from", FROM257 },
1058	{ "group", GROUP286 },
1059	{ "iface", IFACE326 },
1060	{ "ike", IKEV1291 },
1061	{ "ikelifetime", IKELIFETIME310 },
1062	{ "ikesa", IKESA275 },
1063	{ "ikev2", IKEV2274 },
1064	{ "include", INCLUDE300 },
1065	{ "inet", INET303 },
1066	{ "inet6", INET6304 },
1067	{ "ipcomp", IPCOMP308 },
1068	{ "lifetime", LIFETIME301 },
1069	{ "local", LOCAL285 },
1070	{ "maxage", MAXAGE322 },
1071	{ "mobike", MOBIKE311 },
1072	{ "name", NAME287 },
1073	{ "noenforcesingleikesa", NOENFORCESINGLEIKESA318 },
1074	{ "noesn", NOESN278 },
1075	{ "nofragmentation", NOFRAGMENTATION315 },
1076	{ "nomobike", NOMOBIKE312 },
1077	{ "nostickyaddress", NOSTICKYADDRESS320 },
1078	{ "ocsp", OCSP309 },
1079	{ "passive", PASSIVE279 },
1080	{ "peer", PEER261 },
1081	{ "port", PORT268 },
1082	{ "prf", PRFXF271 },
1083	{ "proto", PROTO284 },
1084	{ "psk", PSK267 },
1085	{ "quick", QUICK305 },
1086	{ "rdomain", RDOMAIN313 },
1087	{ "request", REQUEST325 },
1088	{ "sa", SA293 },
1089	{ "set", SET299 },
1090	{ "skip", SKIP306 },
1091	{ "srcid", SRCID265 },
1092	{ "stickyaddress", STICKYADDRESS319 },
1093	{ "tag", TAG282 },
1094	{ "tap", TAP283 },
1095	{ "tcpmd5", TCPMD5294 },
1096	{ "to", TO264 },
1097	{ "tolerate", TOLERATE321 },
1098	{ "transport", TRANSPORT296 },
1099	{ "tunnel", TUNNEL295 },
1100	{ "user", USER290 }
1101	};
1102	const struct keywords *p;
1103
1104	p = bsearch(s, keywords, sizeof(keywords)/sizeof(keywords[0]),
1105	sizeof(keywords[0]), kw_cmp);
1106
1107	if (p) {
1108	if (debug > 1)
1109	fprintf(stderr(&__sF[2]), "%s: %d\n", s, p->k_val);
1110	return (p->k_val);
1111	} else {
1112	if (debug > 1)
1113	fprintf(stderr(&__sF[2]), "string: %s\n", s);
1114	return (STRING327);
1115	}
1116	}
1117
1118	#define START_EXPAND1 1
1119	#define DONE_EXPAND2 2
1120
1121	static int expanding;
1122
1123	int
1124	igetc(void)
1125	{
1126	int c;
1127
1128	while (1) {
1129	if (file->ungetpos > 0)
1130	c = file->ungetbuf[--file->ungetpos];
1131	else
1132	c = getc(file->stream)(!__isthreaded ? (--(file->stream)->_r < 0 ? __srget (file->stream) : (int)(*(file->stream)->_p++)) : (getc )(file->stream));
1133
1134	if (c == START_EXPAND1)
1135	expanding = 1;
1136	else if (c == DONE_EXPAND2)
1137	expanding = 0;
1138	else
1139	break;
1140	}
1141	return (c);
1142	}
1143
1144	int
1145	lgetc(int quotec)
1146	{
1147	int c, next;
1148
1149	if (quotec) {
1150	if ((c = igetc()) == EOF(-1)) {
1151	yyerror("reached end of file while parsing "
1152	"quoted string");
1153	if (file == topfile \|\| popfile() == EOF(-1))
1154	return (EOF(-1));
1155	return (quotec);
1156	}
1157	return (c);
1158	}
1159
1160	while ((c = igetc()) == '\\') {
1161	next = igetc();
1162	if (next != '\n') {
1163	c = next;
1164	break;
1165	}
1166	yylval.lineno = file->lineno;
1167	file->lineno++;
1168	}
1169
1170	while (c == EOF(-1)) {
1171	/*
1172	* Fake EOL when hit EOF for the first time. This gets line
1173	* count right if last line in included file is syntactically
1174	* invalid and has no newline.
1175	*/
1176	if (file->eof_reached == 0) {
1177	file->eof_reached = 1;
1178	return ('\n');
1179	}
1180	while (c == EOF(-1)) {
1181	if (file == topfile \|\| popfile() == EOF(-1))
1182	return (EOF(-1));
1183	c = igetc();
1184	}
1185	}
1186	return (c);
1187	}
1188
1189	void
1190	lungetc(int c)
1191	{
1192	if (c == EOF(-1))
1193	return;
1194
1195	if (file->ungetpos >= file->ungetsize) {
1196	void *p = reallocarray(file->ungetbuf, file->ungetsize, 2);
1197	if (p == NULL((void *)0))
1198	err(1, "lungetc");
1199	file->ungetbuf = p;
1200	file->ungetsize *= 2;
1201	}
1202	file->ungetbuf[file->ungetpos++] = c;
1203	}
1204
1205	int
1206	findeol(void)
1207	{
1208	int c;
1209
1210	/* skip to either EOF or the first real EOL */
1211	while (1) {
1212	c = lgetc(0);
1213	if (c == '\n') {
1214	file->lineno++;
1215	break;
1216	}
1217	if (c == EOF(-1))
1218	break;
1219	}
1220	return (ERROR273);
1221	}
1222
1223	int
1224	yylex(void)
1225	{
1226	char buf[8096];
1227	char p, val;
1228	int quotec, next, c;
1229	int token;
1230
1231	top:
1232	p = buf;
1233	while ((c = lgetc(0)) == ' ' \|\| c == '\t')
1234	; /* nothing */
1235
1236	yylval.lineno = file->lineno;
1237	if (c == '#')
1238	while ((c = lgetc(0)) != '\n' && c != EOF(-1))
1239	; /* nothing */
1240	if (c == '$' && !expanding) {
1241	while (1) {
1242	if ((c = lgetc(0)) == EOF(-1))
1243	return (0);
1244
1245	if (p + 1 >= buf + sizeof(buf) - 1) {
1246	yyerror("string too long");
1247	return (findeol());
1248	}
1249	if (isalnum(c) \|\| c == '_') {
1250	*p++ = c;
1251	continue;
1252	}
1253	*p = '\0';
1254	lungetc(c);
1255	break;
1256	}
1257	val = symget(buf);
1258	if (val == NULL((void *)0)) {
1259	yyerror("macro '%s' not defined", buf);
1260	return (findeol());
1261	}
1262	p = val + strlen(val) - 1;
1263	lungetc(DONE_EXPAND2);
1264	while (p >= val) {
1265	lungetc((unsigned char)*p);
1266	p--;
1267	}
1268	lungetc(START_EXPAND1);
1269	goto top;
1270	}
1271
1272	switch (c) {
1273	case '\'':
1274	case '"':
1275	quotec = c;
1276	while (1) {
1277	if ((c = lgetc(quotec)) == EOF(-1))
1278	return (0);
1279	if (c == '\n') {
1280	file->lineno++;
1281	continue;
1282	} else if (c == '\\') {
1283	if ((next = lgetc(quotec)) == EOF(-1))
1284	return (0);
1285	if (next == quotec \|\| next == ' ' \|\|
1286	next == '\t')
1287	c = next;
1288	else if (next == '\n') {
1289	file->lineno++;
1290	continue;
1291	} else
1292	lungetc(next);
1293	} else if (c == quotec) {
1294	*p = '\0';
1295	break;
1296	} else if (c == '\0') {
1297	yyerror("syntax error");
1298	return (findeol());
1299	}
1300	if (p + 1 >= buf + sizeof(buf) - 1) {
1301	yyerror("string too long");
1302	return (findeol());
1303	}
1304	*p++ = c;
1305	}
1306	yylval.v.string = strdup(buf);
1307	if (yylval.v.string == NULL((void *)0))
1308	err(1, "%s", __func__);
1309	return (STRING327);
1310	}
1311
1312	#define allowed_to_end_number(x)(isspace(x) \|\| x == ')' \|\| x ==',' \|\| x == '/' \|\| x == '}' \|\| x == '=') \
1313	(isspace(x) \|\| x == ')' \|\| x ==',' \|\| x == '/' \|\| x == '}' \|\| x == '=')
1314
1315	if (c == '-' \|\| isdigit(c)) {
1316	do {
1317	*p++ = c;
1318	if ((size_t)(p-buf) >= sizeof(buf)) {
1319	yyerror("string too long");
1320	return (findeol());
1321	}
1322	} while ((c = lgetc(0)) != EOF(-1) && isdigit(c));
1323	lungetc(c);
1324	if (p == buf + 1 && buf[0] == '-')
1325	goto nodigits;
1326	if (c == EOF(-1) \|\| allowed_to_end_number(c)(isspace(c) \|\| c == ')' \|\| c ==',' \|\| c == '/' \|\| c == '}' \|\| c == '=')) {
1327	const char errstr = NULL((void )0);
1328
1329	*p = '\0';
1330	yylval.v.number = strtonum(buf, LLONG_MIN(-9223372036854775807LL -1LL),
1331	LLONG_MAX9223372036854775807LL, &errstr);
1332	if (errstr) {
1333	yyerror("\"%s\" invalid number: %s",
1334	buf, errstr);
1335	return (findeol());
1336	}
1337	return (NUMBER328);
1338	} else {
1339	nodigits:
1340	while (p > buf + 1)
1341	lungetc((unsigned char)*--p);
1342	c = (unsigned char)*--p;
1343	if (c == '-')
1344	return (c);
1345	}
1346	}
1347
1348	#define allowed_in_string(x)(isalnum(x) \|\| (ispunct(x) && x != '(' && x != ')' && x != '{' && x != '}' && x != '<' && x != '>' && x != '!' && x != '=' && x != '/' && x != '#' && x != ',') ) \
1349	(isalnum(x) \|\| (ispunct(x) && x != '(' && x != ')' && \
1350	x != '{' && x != '}' && x != '<' && x != '>' && \
1351	x != '!' && x != '=' && x != '/' && x != '#' && \
1352	x != ','))
1353
1354	if (isalnum(c) \|\| c == ':' \|\| c == '_' \|\| c == '*') {
1355	do {
1356	*p++ = c;
1357	if ((size_t)(p-buf) >= sizeof(buf)) {
1358	yyerror("string too long");
1359	return (findeol());
1360	}
1361	} while ((c = lgetc(0)) != EOF(-1) && (allowed_in_string(c)(isalnum(c) \|\| (ispunct(c) && c != '(' && c != ')' && c != '{' && c != '}' && c != '<' && c != '>' && c != '!' && c != '=' && c != '/' && c != '#' && c != ',') )));
1362	lungetc(c);
1363	*p = '\0';
1364	if ((token = lookup(buf)) == STRING327)
1365	if ((yylval.v.string = strdup(buf)) == NULL((void *)0))
1366	err(1, "%s", __func__);
1367	return (token);
1368	}
1369	if (c == '\n') {
1370	yylval.lineno = file->lineno;
1371	file->lineno++;
1372	}
1373	if (c == EOF(-1))
1374	return (0);
1375	return (c);
1376	}
1377
1378	int
1379	check_file_secrecy(int fd, const char *fname)
1380	{
1381	struct stat st;
1382
1383	if (fstat(fd, &st)) {
1384	warn("cannot stat %s", fname);
1385	return (-1);
1386	}
1387	if (st.st_uid != 0 && st.st_uid != getuid()) {
1388	warnx("%s: owner not root or current user", fname);
1389	return (-1);
1390	}
1391	if (st.st_mode & (S_IWGRP0000020 \| S_IXGRP0000010 \| S_IRWXO0000007)) {
1392	warnx("%s: group writable or world read/writable", fname);
1393	return (-1);
1394	}
1395	return (0);
1396	}
1397
1398	struct file *
1399	pushfile(const char *name, int secret)
1400	{
1401	struct file *nfile;
1402
1403	if ((nfile = calloc(1, sizeof(struct file))) == NULL((void *)0)) {
1404	warn("%s", __func__);
1405	return (NULL((void *)0));
1406	}
1407	if ((nfile->name = strdup(name)) == NULL((void *)0)) {
1408	warn("%s", __func__);
1409	free(nfile);
1410	return (NULL((void *)0));
1411	}
1412	if (TAILQ_FIRST(&files)((&files)->tqh_first) == NULL((void *)0) && strcmp(nfile->name, "-") == 0) {
1413	nfile->stream = stdin(&__sF[0]);
1414	free(nfile->name);
1415	if ((nfile->name = strdup("stdin")) == NULL((void *)0)) {
1416	warn("%s", __func__);
1417	free(nfile);
1418	return (NULL((void *)0));
1419	}
1420	} else if ((nfile->stream = fopen(nfile->name, "r")) == NULL((void *)0)) {
1421	warn("%s: %s", __func__, nfile->name);
1422	free(nfile->name);
1423	free(nfile);
1424	return (NULL((void *)0));
1425	} else if (secret &&
1426	check_file_secrecy(fileno(nfile->stream)(!__isthreaded ? ((nfile->stream)->_file) : (fileno)(nfile ->stream)), nfile->name)) {
1427	fclose(nfile->stream);
1428	free(nfile->name);
1429	free(nfile);
1430	return (NULL((void *)0));
1431	}
1432	nfile->lineno = TAILQ_EMPTY(&files)(((&files)->tqh_first) == ((void *)0)) ? 1 : 0;
1433	nfile->ungetsize = 16;
1434	nfile->ungetbuf = malloc(nfile->ungetsize);
1435	if (nfile->ungetbuf == NULL((void *)0)) {
1436	warn("%s", __func__);
1437	fclose(nfile->stream);
1438	free(nfile->name);
1439	free(nfile);
1440	return (NULL((void *)0));
1441	}
1442	TAILQ_INSERT_TAIL(&files, nfile, entry)do { (nfile)->entry.tqe_next = ((void )0); (nfile)->entry .tqe_prev = (&files)->tqh_last; (&files)->tqh_last = (nfile); (&files)->tqh_last = &(nfile)->entry .tqe_next; } while (0);
1443	return (nfile);
1444	}
1445
1446	int
1447	popfile(void)
1448	{
1449	struct file *prev;
1450
1451	if ((prev = TAILQ_PREV(file, files, entry)((((struct files )((file)->entry.tqe_prev))->tqh_last ))) != NULL((void *)0))
1452	prev->errors += file->errors;
1453
1454	TAILQ_REMOVE(&files, file, entry)do { if (((file)->entry.tqe_next) != ((void )0)) (file)-> entry.tqe_next->entry.tqe_prev = (file)->entry.tqe_prev ; else (&files)->tqh_last = (file)->entry.tqe_prev; (file)->entry.tqe_prev = (file)->entry.tqe_next; ; ; } while (0);
1455	fclose(file->stream);
1456	free(file->name);
1457	free(file->ungetbuf);
1458	free(file);
1459	file = prev;
1460
1461	return (file ? 0 : EOF(-1));
1462	}
1463
1464	int
1465	parse_config(const char filename, struct iked x_env)
1466	{
1467	struct sym *sym;
1468	int errors = 0;
1469
1470	env = x_env;
1471	rules = 0;
1472
1473	if ((file = pushfile(filename, 1)) == NULL((void *)0))
1474	return (-1);
1475	topfile = file;
1476
1477	free(ocsp_url);
1478
1479	mobike = 1;
1480	enforcesingleikesa = stickyaddress = 0;
1481	cert_partial_chain = decouple = passive = 0;
1482	ocsp_tolerate = 0;
1483	ocsp_url = NULL((void *)0);
1484	ocsp_maxage = -1;
1485	fragmentation = 0;
1486	dpd_interval = IKED_IKE_SA_ALIVE_TIMEOUT60;
1487	decouple = passive = 0;
1488	ocsp_url = NULL((void *)0);
1489
1490	if (env->sc_opts & IKED_OPT_PASSIVE0x00000004)
1491	passive = 1;
1492
1493	yyparse();
1494	errors = file->errors;
1495	popfile();
1496
1497	env->sc_passive = passive ? 1 : 0;
1498	env->sc_decoupled = decouple ? 1 : 0;
1499	env->sc_mobikesc_static.st_mobike = mobike;
1500	env->sc_enforcesingleikesasc_static.st_enforcesingleikesa = enforcesingleikesa;
1501	env->sc_stickyaddresssc_static.st_stickyaddress = stickyaddress;
1502	env->sc_fragsc_static.st_frag = fragmentation;
1503	env->sc_alive_timeoutsc_static.st_alive_timeout = dpd_interval;
1504	env->sc_ocsp_url = ocsp_url;
1505	env->sc_ocsp_tolerate = ocsp_tolerate;
1506	env->sc_ocsp_maxage = ocsp_maxage;
1507	env->sc_cert_partial_chain = cert_partial_chain;
1508
1509	if (!rules)
1510	log_warnx("%s: no valid configuration rules found",
1511	filename);
1512	else
1513	log_debug("%s: loaded %d configuration rules",
1514	filename, rules);
1515
1516	/* Free macros and check which have not been used. */
1517	while ((sym = TAILQ_FIRST(&symhead)((&symhead)->tqh_first))) {
1518	if (!sym->used)
1519	log_debug("warning: macro '%s' not "
1520	"used\n", sym->nam);
1521	free(sym->nam);
1522	free(sym->val);
1523	TAILQ_REMOVE(&symhead, sym, entry)do { if (((sym)->entry.tqe_next) != ((void )0)) (sym)-> entry.tqe_next->entry.tqe_prev = (sym)->entry.tqe_prev; else (&symhead)->tqh_last = (sym)->entry.tqe_prev; (sym)->entry.tqe_prev = (sym)->entry.tqe_next; ; ; } while (0);
1524	free(sym);
1525	}
1526
1527	iaw_free(iftab);
1528	iftab = NULL((void *)0);
1529
1530	return (errors ? -1 : 0);
1531	}
1532
1533	int
1534	symset(const char nam, const char val, int persist)
1535	{
1536	struct sym *sym;
1537
1538	TAILQ_FOREACH(sym, &symhead, entry)for((sym) = ((&symhead)->tqh_first); (sym) != ((void * )0); (sym) = ((sym)->entry.tqe_next)) {
1539	if (strcmp(nam, sym->nam) == 0)
1540	break;
1541	}
1542
1543	if (sym != NULL((void *)0)) {
1544	if (sym->persist == 1)
1545	return (0);
1546	else {
1547	free(sym->nam);
1548	free(sym->val);
1549	TAILQ_REMOVE(&symhead, sym, entry)do { if (((sym)->entry.tqe_next) != ((void )0)) (sym)-> entry.tqe_next->entry.tqe_prev = (sym)->entry.tqe_prev; else (&symhead)->tqh_last = (sym)->entry.tqe_prev; (sym)->entry.tqe_prev = (sym)->entry.tqe_next; ; ; } while (0);
1550	free(sym);
1551	}
1552	}
1553	if ((sym = calloc(1, sizeof(sym))) == NULL((void )0))
1554	return (-1);
1555
1556	sym->nam = strdup(nam);
1557	if (sym->nam == NULL((void *)0)) {
1558	free(sym);
1559	return (-1);
1560	}
1561	sym->val = strdup(val);
1562	if (sym->val == NULL((void *)0)) {
1563	free(sym->nam);
1564	free(sym);
1565	return (-1);
1566	}
1567	sym->used = 0;
1568	sym->persist = persist;
1569	TAILQ_INSERT_TAIL(&symhead, sym, entry)do { (sym)->entry.tqe_next = ((void )0); (sym)->entry. tqe_prev = (&symhead)->tqh_last; (&symhead)->tqh_last = (sym); (&symhead)->tqh_last = &(sym)->entry. tqe_next; } while (0);
1570	return (0);
1571	}
1572
1573	int
1574	cmdline_symset(char *s)
1575	{
1576	char sym, val;
1577	int ret;
1578
1579	if ((val = strrchr(s, '=')) == NULL((void *)0))
1580	return (-1);
1581
1582	sym = strndup(s, val - s);
1583	if (sym == NULL((void *)0))
1584	err(1, "%s", __func__);
1585	ret = symset(sym, val + 1, 1);
1586	free(sym);
1587
1588	return (ret);
1589	}
1590
1591	char *
1592	symget(const char *nam)
1593	{
1594	struct sym *sym;
1595
1596	TAILQ_FOREACH(sym, &symhead, entry)for((sym) = ((&symhead)->tqh_first); (sym) != ((void * )0); (sym) = ((sym)->entry.tqe_next)) {
1597	if (strcmp(nam, sym->nam) == 0) {
1598	sym->used = 1;
1599	return (sym->val);
1600	}
1601	}
1602	return (NULL((void *)0));
1603	}
1604
1605	uint8_t
1606	x2i(unsigned char *s)
1607	{
1608	char ss[3];
1609
1610	ss[0] = s[0];
1611	ss[1] = s[1];
1612	ss[2] = 0;
1613
1614	if (!isxdigit(s[0]) \|\| !isxdigit(s[1])) {
1615	yyerror("keys need to be specified in hex digits");
1616	return (-1);
1617	}
1618	return ((uint8_t)strtoul(ss, NULL((void *)0), 16));
1619	}
1620
1621	int
1622	parsekey(unsigned char hexkey, size_t len, struct iked_auth auth)
1623	{
1624	unsigned int i;
1625
1626	bzero(auth, sizeof(*auth));
1627	if ((len / 2) > sizeof(auth->auth_data))
1628	return (-1);
1629	auth->auth_length = len / 2;
1630
1631	for (i = 0; i < auth->auth_length; i++)
1632	auth->auth_data[i] = x2i(hexkey + 2 * i);
1633
1634	return (0);
1635	}
1636
1637	int
1638	parsekeyfile(char filename, struct iked_auth auth)
1639	{
1640	struct stat sb;
1641	int fd, ret;
1642	unsigned char *hex;
1643
1644	if ((fd = open(filename, O_RDONLY0x0000)) == -1)
1645	err(1, "open %s", filename);
1646	if (fstat(fd, &sb) == -1)
1647	err(1, "parsekeyfile: stat %s", filename);
1648	if ((sb.st_size > KEYSIZE_LIMIT1024) \|\| (sb.st_size == 0))
1649	errx(1, "%s: key too %s", filename, sb.st_size ? "large" :
1650	"small");
1651	if ((hex = calloc(sb.st_size, sizeof(unsigned char))) == NULL((void *)0))
1652	err(1, "parsekeyfile: calloc");
1653	if (read(fd, hex, sb.st_size) < sb.st_size)
1654	err(1, "parsekeyfile: read");
1655	close(fd);
1656	ret = parsekey(hex, sb.st_size, auth);
1657	free(hex);
1658	return (ret);
1659	}
1660
1661	int
1662	get_id_type(char *string)
1663	{
1664	struct in6_addr ia;
1665
1666	if (string == NULL((void *)0))
1667	return (IKEV2_ID_NONE0);
1668
1669	if (*string == '/')
1670	return (IKEV2_ID_ASN1_DN9);
1671	else if (inet_pton(AF_INET2, string, &ia) == 1)
1672	return (IKEV2_ID_IPV41);
1673	else if (inet_pton(AF_INET624, string, &ia) == 1)
1674	return (IKEV2_ID_IPV65);
1675	else if (strchr(string, '@'))
1676	return (IKEV2_ID_UFQDN3);
1677	else
1678	return (IKEV2_ID_FQDN2);
1679	}
1680
1681	struct ipsec_addr_wrap *
1682	host(const char *s)
1683	{
1684	struct ipsec_addr_wrap ipa = NULL((void )0);
1685	int mask = -1;
1686	char p, ps;
1687	const char *errstr;
1688
1689	if ((ps = strdup(s)) == NULL((void *)0))
1690	err(1, "%s: strdup", __func__);
1691
1692	if ((p = strchr(ps, '/')) != NULL((void *)0)) {
1693	mask = strtonum(p+1, 0, 128, &errstr);
1694	if (errstr) {
1695	fprintf(stderr(&__sF[2]), "netmask is %s: %s\n", errstr, p);
1696	goto error;
1697	}
1698	p[0] = '\0';
1699	}
1700
1701	if ((ipa = host_if(ps, mask)) == NULL((void *)0) &&
1702	(ipa = host_ip(ps, mask)) == NULL((void *)0) &&
1703	(ipa = host_dns(ps, mask)) == NULL((void *)0))
1704	fprintf(stderr(&__sF[2]), "no IP address found for %s\n", s);
1705
1706	error:
1707	free(ps);
1708	return (ipa);
1709	}
1710
1711	struct ipsec_addr_wrap *
1712	host_ip(const char *s, int mask)
1713	{
1714	struct ipsec_addr_wrap ipa = NULL((void )0);
1715	struct addrinfo hints, *res;
1716	char hbuf[NI_MAXHOST256];
1717
1718	bzero(&hints, sizeof(struct addrinfo));
1719	hints.ai_family = AF_UNSPEC0;
1720	hints.ai_socktype = SOCK_DGRAM2; /dummy/
1721	hints.ai_flags = AI_NUMERICHOST4;
1722	if (getaddrinfo(s, NULL((void *)0), &hints, &res))
1723	return (NULL((void *)0));
1724	if (res->ai_next)
1725	err(1, "%s: %s expanded to multiple item", __func__, s);
1726
1727	ipa = calloc(1, sizeof(struct ipsec_addr_wrap));
1728	if (ipa == NULL((void *)0))
1729	err(1, "%s", __func__);
1730	ipa->af = res->ai_family;
1731	copy_sockaddrtoipa(ipa, res->ai_addr);
1732	ipa->next = NULL((void *)0);
1733	ipa->tail = ipa;
1734
1735	set_ipmask(ipa, mask);
1736	if (getnameinfo(res->ai_addr, res->ai_addrlen,
1737	hbuf, sizeof(hbuf), NULL((void *)0), 0, NI_NUMERICHOST1)) {
1738	errx(1, "could not get a numeric hostname");
1739	}
1740
1741	if (mask > -1) {
1742	ipa->netaddress = 1;
1743	if (asprintf(&ipa->name, "%s/%d", hbuf, mask) == -1)
1744	err(1, "%s", __func__);
1745	} else {
1746	if ((ipa->name = strdup(hbuf)) == NULL((void *)0))
1747	err(1, "%s", __func__);
1748	}
1749
1750	freeaddrinfo(res);
1751
1752	return (ipa);
1753	}
1754
1755	struct ipsec_addr_wrap *
1756	host_dns(const char *s, int mask)
1757	{
1758	struct ipsec_addr_wrap ipa = NULL((void )0), head = NULL((void )0);
1759	struct addrinfo hints, res0, res;
1760	int error;
1761	char hbuf[NI_MAXHOST256];
1762
1763	bzero(&hints, sizeof(struct addrinfo));
1764	hints.ai_family = PF_UNSPEC0;
1765	hints.ai_socktype = SOCK_STREAM1;
1766	hints.ai_flags = AI_ADDRCONFIG64;
1767	error = getaddrinfo(s, NULL((void *)0), &hints, &res0);
1768	if (error)
1769	return (NULL((void *)0));
1770
1771	for (res = res0; res; res = res->ai_next) {
1772	if (res->ai_family != AF_INET2 && res->ai_family != AF_INET624)
1773	continue;
1774
1775	ipa = calloc(1, sizeof(struct ipsec_addr_wrap));
1776	if (ipa == NULL((void *)0))
1777	err(1, "%s", __func__);
1778	copy_sockaddrtoipa(ipa, res->ai_addr);
1779	error = getnameinfo(res->ai_addr, res->ai_addrlen, hbuf,
1780	sizeof(hbuf), NULL((void *)0), 0, NI_NUMERICHOST1);
1781	if (error)
1782	err(1, "host_dns: getnameinfo");
1783	ipa->name = strdup(hbuf);
1784	if (ipa->name == NULL((void *)0))
1785	err(1, "%s", __func__);
1786	ipa->af = res->ai_family;
1787	ipa->next = NULL((void *)0);
1788	ipa->tail = ipa;
1789	if (head == NULL((void *)0))
1790	head = ipa;
1791	else {
1792	head->tail->next = ipa;
1793	head->tail = ipa;
1794	}
1795
1796	/*
1797	* XXX for now, no netmask support for IPv6.
1798	* but since there's no way to specify address family, once you
1799	* have IPv6 address on a host, you cannot use dns/netmask
1800	* syntax.
1801	*/
1802	if (ipa->af == AF_INET2)
1803	set_ipmask(ipa, mask == -1 ? 32 : mask);
1804	else
1805	if (mask != -1)
1806	err(1, "host_dns: cannot apply netmask "
1807	"on non-IPv4 address");
1808	}
1809	freeaddrinfo(res0);
1810
1811	return (head);
1812	}
1813
1814	struct ipsec_addr_wrap *
1815	host_if(const char *s, int mask)
1816	{
1817	struct ipsec_addr_wrap ipa = NULL((void )0);
1818
1819	if (ifa_exists(s))
1820	ipa = ifa_lookup(s);
1821
1822	return (ipa);
1823	}
1824
1825	struct ipsec_addr_wrap *
1826	host_any(void)
1827	{
1828	struct ipsec_addr_wrap *ipa;
1829
1830	ipa = calloc(1, sizeof(struct ipsec_addr_wrap));
1831	if (ipa == NULL((void *)0))
1832	err(1, "%s", __func__);
1833	ipa->af = AF_UNSPEC0;
1834	ipa->netaddress = 1;
1835	ipa->tail = ipa;
1836	ipa->type = IPSEC_ADDR_ANY(0x1);
1837	return (ipa);
1838	}
1839
1840	struct ipsec_addr_wrap *
1841	host_dynamic(void)
1842	{
1843	struct ipsec_addr_wrap *ipa;
1844
1845	ipa = calloc(1, sizeof(struct ipsec_addr_wrap));
1846	if (ipa == NULL((void *)0))
1847	err(1, "%s", __func__);
1848	ipa->af = AF_UNSPEC0;
1849	ipa->tail = ipa;
1850	ipa->type = IPSEC_ADDR_DYNAMIC(0x2);
1851	return (ipa);
1852	}
1853
1854	void
1855	ifa_load(void)
1856	{
1857	struct ifaddrs ifap, ifa;
1858	struct ipsec_addr_wrap n = NULL((void )0), h = NULL((void )0);
1859	struct sockaddr_in *sa_in;
1860	struct sockaddr_in6 *sa_in6;
1861
1862	if (getifaddrs(&ifap) == -1)
1863	err(1, "ifa_load: getifaddrs");
1864
1865	for (ifa = ifap; ifa; ifa = ifa->ifa_next) {
1866	if (ifa->ifa_addr == NULL((void *)0) \|\|
1867	!(ifa->ifa_addr->sa_family == AF_INET2 \|\|
1868	ifa->ifa_addr->sa_family == AF_INET624 \|\|
1869	ifa->ifa_addr->sa_family == AF_LINK18))
1870	continue;
1871	n = calloc(1, sizeof(struct ipsec_addr_wrap));
1872	if (n == NULL((void *)0))
1873	err(1, "%s", __func__);
1874	n->af = ifa->ifa_addr->sa_family;
1875	if ((n->name = strdup(ifa->ifa_name)) == NULL((void *)0))
1876	err(1, "%s", __func__);
1877	if (n->af == AF_INET2) {
1878	sa_in = (struct sockaddr_in *)ifa->ifa_addr;
1879	memcpy(&n->address, sa_in, sizeof(*sa_in));
1880	sa_in = (struct sockaddr_in *)ifa->ifa_netmask;
1881	n->mask = mask2prefixlen((struct sockaddr *)sa_in);
1882	} else if (n->af == AF_INET624) {
1883	sa_in6 = (struct sockaddr_in6 *)ifa->ifa_addr;
1884	memcpy(&n->address, sa_in6, sizeof(*sa_in6));
1885	sa_in6 = (struct sockaddr_in6 *)ifa->ifa_netmask;
1886	n->mask = mask2prefixlen6((struct sockaddr *)sa_in6);
1887	}
1888	n->next = NULL((void *)0);
1889	n->tail = n;
1890	if (h == NULL((void *)0))
1891	h = n;
1892	else {
1893	h->tail->next = n;
1894	h->tail = n;
1895	}
1896	}
1897
1898	iftab = h;
1899	freeifaddrs(ifap);
1900	}
1901
1902	int
1903	ifa_exists(const char *ifa_name)
1904	{
1905	struct ipsec_addr_wrap *n;
1906	struct ifgroupreq ifgr;
1907	int s;
1908
1909	if (iftab == NULL((void *)0))
1910	ifa_load();
1911
1912	/* check wether this is a group */
1913	if ((s = socket(AF_INET2, SOCK_DGRAM2, 0)) == -1)
1914	err(1, "ifa_exists: socket");
1915	bzero(&ifgr, sizeof(ifgr));
1916	strlcpy(ifgr.ifgr_name, ifa_name, sizeof(ifgr.ifgr_name));
1917	if (ioctl(s, SIOCGIFGMEMB(((unsigned long)0x80000000\|(unsigned long)0x40000000) \| ((sizeof (struct ifgroupreq) & 0x1fff) << 16) \| ((('i')) << 8) \| ((138))), (caddr_t)&ifgr) == 0) {
1918	close(s);
1919	return (1);
1920	}
1921	close(s);
1922
1923	for (n = iftab; n; n = n->next) {
1924	if (n->af == AF_LINK18 && !strncmp(n->name, ifa_name,
1925	IFNAMSIZ16))
1926	return (1);
1927	}
1928
1929	return (0);
1930	}
1931
1932	struct ipsec_addr_wrap *
1933	ifa_grouplookup(const char *ifa_name)
1934	{
1935	struct ifg_req *ifg;
1936	struct ifgroupreq ifgr;
1937	int s;
1938	size_t len;
1939	struct ipsec_addr_wrap n, h = NULL((void )0), hn;
1940
1941	if ((s = socket(AF_INET2, SOCK_DGRAM2, 0)) == -1)
1942	err(1, "socket");
1943	bzero(&ifgr, sizeof(ifgr));
1944	strlcpy(ifgr.ifgr_name, ifa_name, sizeof(ifgr.ifgr_name));
1945	if (ioctl(s, SIOCGIFGMEMB(((unsigned long)0x80000000\|(unsigned long)0x40000000) \| ((sizeof (struct ifgroupreq) & 0x1fff) << 16) \| ((('i')) << 8) \| ((138))), (caddr_t)&ifgr) == -1) {
1946	close(s);
1947	return (NULL((void *)0));
1948	}
1949
1950	len = ifgr.ifgr_len;
1951	if ((ifgr.ifgr_groupsifgr_ifgru.ifgru_groups = calloc(1, len)) == NULL((void *)0))
1952	err(1, "%s", __func__);
1953	if (ioctl(s, SIOCGIFGMEMB(((unsigned long)0x80000000\|(unsigned long)0x40000000) \| ((sizeof (struct ifgroupreq) & 0x1fff) << 16) \| ((('i')) << 8) \| ((138))), (caddr_t)&ifgr) == -1)
1954	err(1, "ioctl");
1955
1956	for (ifg = ifgr.ifgr_groupsifgr_ifgru.ifgru_groups; ifg && len >= sizeof(struct ifg_req);
1957	ifg++) {
1958	len -= sizeof(struct ifg_req);
1959	if ((n = ifa_lookup(ifg->ifgrq_memberifgrq_ifgrqu.ifgrqu_member)) == NULL((void *)0))
1960	continue;
1961	if (h == NULL((void *)0))
1962	h = n;
1963	else {
1964	for (hn = h; hn->next != NULL((void *)0); hn = hn->next)
1965	; /* nothing */
1966	hn->next = n;
1967	n->tail = hn;
1968	}
1969	}
1970	free(ifgr.ifgr_groupsifgr_ifgru.ifgru_groups);
1971	close(s);
1972
1973	return (h);
1974	}
1975
1976	struct ipsec_addr_wrap *
1977	ifa_lookup(const char *ifa_name)
1978	{
1979	struct ipsec_addr_wrap p = NULL((void )0), h = NULL((void )0), n = NULL((void )0);
1980	struct sockaddr_in6 *in6;
1981	uint8_t *s6;
1982
1983	if (iftab == NULL((void *)0))
1984	ifa_load();
1985
1986	if ((n = ifa_grouplookup(ifa_name)) != NULL((void *)0))
1987	return (n);
1988
1989	for (p = iftab; p; p = p->next) {
1990	if (p->af != AF_INET2 && p->af != AF_INET624)
1991	continue;
1992	if (strncmp(p->name, ifa_name, IFNAMSIZ16))
1993	continue;
1994	n = calloc(1, sizeof(struct ipsec_addr_wrap));
1995	if (n == NULL((void *)0))
1996	err(1, "%s", __func__);
1997	memcpy(n, p, sizeof(struct ipsec_addr_wrap));
1998	if ((n->name = strdup(p->name)) == NULL((void *)0))
1999	err(1, "%s", __func__);
2000	switch (n->af) {
2001	case AF_INET2:
2002	set_ipmask(n, 32);
2003	break;
2004	case AF_INET624:
2005	in6 = (struct sockaddr_in6 *)&n->address;
2006	s6 = (uint8_t *)&in6->sin6_addr.s6_addr__u6_addr.__u6_addr8;
	Value stored to 's6' is never read
2007
2008	/* route/show.c and bgpd/util.c give KAME credit */
2009	if (IN6_IS_ADDR_LINKLOCAL(&in6->sin6_addr)(((&in6->sin6_addr)->__u6_addr.__u6_addr8[0] == 0xfe ) && (((&in6->sin6_addr)->__u6_addr.__u6_addr8 [1] & 0xc0) == 0x80))) {
2010	uint16_t tmp16;
2011
2012	/* for now we can not handle link local,
2013	* therefore bail for now
2014	*/
2015	free(n->name);
2016	free(n);
2017	continue;
2018
2019	memcpy(&tmp16, &s6[2], sizeof(tmp16));
2020	/* use this when we support link-local
2021	* n->??.scopeid = ntohs(tmp16);
2022	*/
2023	s6[2] = 0;
2024	s6[3] = 0;
2025	}
2026	set_ipmask(n, 128);
2027	break;
2028	}
2029
2030	n->next = NULL((void *)0);
2031	n->tail = n;
2032	if (h == NULL((void *)0))
2033	h = n;
2034	else {
2035	h->tail->next = n;
2036	h->tail = n;
2037	}
2038	}
2039
2040	return (h);
2041	}
2042
2043	void
2044	set_ipmask(struct ipsec_addr_wrap *address, int b)
2045	{
2046	if (b == -1)
2047	address->mask = address->af == AF_INET2 ? 32 : 128;
2048	else
2049	address->mask = b;
2050	}
2051
2052	const struct ipsec_xf *
2053	parse_xf(const char *name, unsigned int length, const struct ipsec_xf xfs[])
2054	{
2055	int i;
2056
2057	for (i = 0; xfs[i].name != NULL((void *)0); i++) {
2058	if (strncmp(name, xfs[i].name, strlen(name)))
2059	continue;
2060	if (length == 0 \|\| length == xfs[i].length)
2061	return &xfs[i];
2062	}
2063	return (NULL((void *)0));
2064	}
2065
2066	int
2067	encxf_noauth(unsigned int id)
2068	{
2069	int i;
2070
2071	for (i = 0; ikeencxfs[i].name != NULL((void *)0); i++)
2072	if (ikeencxfs[i].id == id)
2073	return ikeencxfs[i].noauth;
2074	return (0);
2075	}
2076
2077	size_t
2078	keylength_xf(unsigned int saproto, unsigned int type, unsigned int id)
2079	{
2080	int i;
2081	const struct ipsec_xf *xfs;
2082
2083	switch (type) {
2084	case IKEV2_XFORMTYPE_ENCR1:
2085	if (saproto == IKEV2_SAPROTO_IKE1)
2086	xfs = ikeencxfs;
2087	else
2088	xfs = ipsecencxfs;
2089	break;
2090	case IKEV2_XFORMTYPE_INTEGR3:
2091	xfs = authxfs;
2092	break;
2093	default:
2094	return (0);
2095	}
2096
2097	for (i = 0; xfs[i].name != NULL((void *)0); i++) {
2098	if (xfs[i].id == id)
2099	return (xfs[i].length * 8);
2100	}
2101	return (0);
2102	}
2103
2104	size_t
2105	noncelength_xf(unsigned int type, unsigned int id)
2106	{
2107	const struct ipsec_xf *xfs = ipsecencxfs;
2108	int i;
2109
2110	if (type != IKEV2_XFORMTYPE_ENCR1)
2111	return (0);
2112
2113	for (i = 0; xfs[i].name != NULL((void *)0); i++)
2114	if (xfs[i].id == id)
2115	return (xfs[i].nonce * 8);
2116	return (0);
2117	}
2118
2119	void
2120	copy_transforms(unsigned int type,
2121	const struct ipsec_xf **xfs, unsigned int nxfs,
2122	struct iked_transform *dst, unsigned int ndst,
2123	struct iked_transform *src, size_t nsrc)
2124	{
2125	unsigned int i;
2126	struct iked_transform a, b;
2127	const struct ipsec_xf *xf;
2128
2129	if (nxfs) {
2130	for (i = 0; i < nxfs; i++) {
2131	xf = xfs[i];
2132	dst = recallocarray(dst, *ndst,
2133	*ndst + 1, sizeof(struct iked_transform));
2134	if (dst == NULL((void )0))
2135	err(1, "%s", __func__);
2136	b = dst + (ndst)++;
2137
2138	b->xform_type = type;
2139	b->xform_id = xf->id;
2140	b->xform_keylength = xf->length * 8;
2141	b->xform_length = xf->keylength * 8;
2142	}
2143	return;
2144	}
2145
2146	for (i = 0; i < nsrc; i++) {
2147	a = src + i;
2148	if (a->xform_type != type)
2149	continue;
2150	dst = recallocarray(dst, *ndst,
2151	*ndst + 1, sizeof(struct iked_transform));
2152	if (dst == NULL((void )0))
2153	err(1, "%s", __func__);
2154	b = dst + (ndst)++;
2155	memcpy(b, a, sizeof(*b));
2156	}
2157	}
2158
2159	int
2160	create_ike(char name, int af, struct ipsec_addr_wrap ipproto,
2161	int rdomain, struct ipsec_hosts *hosts,
2162	struct ipsec_hosts peers, struct ipsec_mode ike_sa,
2163	struct ipsec_mode *ipsec_sa, uint8_t saproto,
2164	uint8_t flags, char srcid, char dstid,
2165	uint32_t ikelifetime, struct iked_lifetime *lt,
2166	struct iked_auth authtype, struct ipsec_filters filter,
2167	struct ipsec_addr_wrap ikecfg, char iface)
2168	{
2169	char idstr[IKED_ID_SIZE1024];
2170	struct ipsec_addr_wrap ipa, ipb, *ipp;
2171	struct iked_auth *ikeauth;
2172	struct iked_policy pol;
2173	struct iked_proposal p, ptmp;
2174	struct iked_transform *xf;
2175	unsigned int i, j, xfi, noauth, auth;
2176	unsigned int ikepropid = 1, ipsecpropid = 1;
2177	struct iked_flow flow, ftmp;
2178	static unsigned int policy_id = 0;
2179	struct iked_cfg *cfg;
2180	int ret = -1;
2181
2182	bzero(&pol, sizeof(pol));
2183	bzero(idstr, sizeof(idstr));
2184
2185	pol.pol_id = ++policy_id;
2186	pol.pol_certreqtype = env->sc_certreqtype;
2187	pol.pol_af = af;
2188	pol.pol_saproto = saproto;
2189	for (i = 0, ipp = ipproto; ipp; ipp = ipp->next, i++) {
2190	if (i >= IKED_IPPROTO_MAX16) {
2191	yyerror("too many protocols");
2192	return (-1);
2193	}
2194	pol.pol_ipproto[i] = ipp->type;
2195	pol.pol_nipproto++;
2196	}
2197
2198	pol.pol_flags = flags;
2199	pol.pol_rdomain = rdomain;
2200	memcpy(&pol.pol_auth, authtype, sizeof(struct iked_auth));
2201	explicit_bzero(authtype, sizeof(*authtype));
2202
2203	if (name != NULL((void *)0)) {
2204	if (strlcpy(pol.pol_name, name,
2205	sizeof(pol.pol_name)) >= sizeof(pol.pol_name)) {
2206	yyerror("name too long");
2207	return (-1);
2208	}
2209	} else {
2210	snprintf(pol.pol_name, sizeof(pol.pol_name),
2211	"policy%d", policy_id);
2212	}
2213
2214	if (iface != NULL((void *)0)) {
2215	pol.pol_iface = if_nametoindex(iface);
2216	if (pol.pol_iface == 0) {
2217	yyerror("invalid iface");
2218	return (-1);
2219	}
2220	}
2221
2222	if (srcid) {
2223	pol.pol_localid.id_type = get_id_type(srcid);
2224	pol.pol_localid.id_length = strlen(srcid);
2225	if (strlcpy((char *)pol.pol_localid.id_data,
2226	srcid, IKED_ID_SIZE1024) >= IKED_ID_SIZE1024) {
2227	yyerror("srcid too long");
2228	return (-1);
2229	}
2230	}
2231	if (dstid) {
2232	pol.pol_peerid.id_type = get_id_type(dstid);
2233	pol.pol_peerid.id_length = strlen(dstid);
2234	if (strlcpy((char *)pol.pol_peerid.id_data,
2235	dstid, IKED_ID_SIZE1024) >= IKED_ID_SIZE1024) {
2236	yyerror("dstid too long");
2237	return (-1);
2238	}
2239	}
2240
2241	if (filter != NULL((void *)0)) {
2242	if (filter->tag)
2243	strlcpy(pol.pol_tag, filter->tag, sizeof(pol.pol_tag));
2244	pol.pol_tap = filter->tap;
2245	}
2246
2247	if (peers == NULL((void *)0)) {
2248	if (pol.pol_flags & IKED_POLICY_ACTIVE0x02) {
2249	yyerror("active mode requires peer specification");
2250	return (-1);
2251	}
2252	pol.pol_flags \|= IKED_POLICY_DEFAULT0x01\|IKED_POLICY_SKIP0x10;
2253	}
2254
2255	if (peers && peers->src && peers->dst &&
2256	(peers->src->af != AF_UNSPEC0) && (peers->dst->af != AF_UNSPEC0) &&
2257	(peers->src->af != peers->dst->af))
2258	fatalx("create_ike: peer address family mismatch");
2259
2260	if (peers && (pol.pol_af != AF_UNSPEC0) &&
2261	((peers->src && (peers->src->af != AF_UNSPEC0) &&
2262	(peers->src->af != pol.pol_af)) \|\|
2263	(peers->dst && (peers->dst->af != AF_UNSPEC0) &&
2264	(peers->dst->af != pol.pol_af))))
2265	fatalx("create_ike: policy address family mismatch");
2266
2267	ipa = ipb = NULL((void *)0);
2268	if (peers) {
2269	if (peers->src)
2270	ipa = peers->src;
2271	if (peers->dst)
2272	ipb = peers->dst;
2273	if (ipa == NULL((void )0) && ipb == NULL((void )0)) {
2274	if (hosts->src && hosts->src->next == NULL((void *)0))
2275	ipa = hosts->src;
2276	if (hosts->dst && hosts->dst->next == NULL((void *)0))
2277	ipb = hosts->dst;
2278	}
2279	}
2280	if (ipa == NULL((void )0) && ipb == NULL((void )0)) {
2281	yyerror("could not get local/peer specification");
2282	return (-1);
2283	}
2284	if (pol.pol_flags & IKED_POLICY_ACTIVE0x02) {
2285	if (ipb == NULL((void *)0) \|\| ipb->netaddress \|\|
2286	(ipa != NULL((void *)0) && ipa->netaddress)) {
2287	yyerror("active mode requires local/peer address");
2288	return (-1);
2289	}
2290	}
2291	if (ipa) {
2292	memcpy(&pol.pol_local.addr, &ipa->address,
2293	sizeof(ipa->address));
2294	pol.pol_local.addr_af = ipa->af;
2295	pol.pol_local.addr_mask = ipa->mask;
2296	pol.pol_local.addr_net = ipa->netaddress;
2297	if (pol.pol_af == AF_UNSPEC0)
2298	pol.pol_af = ipa->af;
2299	}
2300	if (ipb) {
2301	memcpy(&pol.pol_peer.addr, &ipb->address,
2302	sizeof(ipb->address));
2303	pol.pol_peer.addr_af = ipb->af;
2304	pol.pol_peer.addr_mask = ipb->mask;
2305	pol.pol_peer.addr_net = ipb->netaddress;
2306	if (pol.pol_af == AF_UNSPEC0)
2307	pol.pol_af = ipb->af;
2308	}
2309
2310	if (ikelifetime)
2311	pol.pol_rekey = ikelifetime;
2312
2313	if (lt)
2314	pol.pol_lifetime = *lt;
2315	else
2316	pol.pol_lifetime = deflifetime;
2317
2318	TAILQ_INIT(&pol.pol_proposals)do { (&pol.pol_proposals)->tqh_first = ((void *)0); (& pol.pol_proposals)->tqh_last = &(&pol.pol_proposals )->tqh_first; } while (0);
2319	RB_INIT(&pol.pol_flows)do { (&pol.pol_flows)->rbh_root = ((void *)0); } while (0);
2320
2321	if (ike_sa == NULL((void *)0) \|\| ike_sa->nxfs == 0) {
2322	/* AES-GCM proposal */
2323	if ((p = calloc(1, sizeof(p))) == NULL((void )0))
2324	err(1, "%s", __func__);
2325	p->prop_id = ikepropid++;
2326	p->prop_protoid = IKEV2_SAPROTO_IKE1;
2327	p->prop_nxforms = ikev2_default_nike_transforms_noauth;
2328	p->prop_xforms = ikev2_default_ike_transforms_noauth;
2329	TAILQ_INSERT_TAIL(&pol.pol_proposals, p, prop_entry)do { (p)->prop_entry.tqe_next = ((void )0); (p)->prop_entry .tqe_prev = (&pol.pol_proposals)->tqh_last; (&pol .pol_proposals)->tqh_last = (p); (&pol.pol_proposals)-> tqh_last = &(p)->prop_entry.tqe_next; } while (0);
2330	pol.pol_nproposals++;
2331
2332	/* Non GCM proposal */
2333	if ((p = calloc(1, sizeof(p))) == NULL((void )0))
2334	err(1, "%s", __func__);
2335	p->prop_id = ikepropid++;
2336	p->prop_protoid = IKEV2_SAPROTO_IKE1;
2337	p->prop_nxforms = ikev2_default_nike_transforms;
2338	p->prop_xforms = ikev2_default_ike_transforms;
2339	TAILQ_INSERT_TAIL(&pol.pol_proposals, p, prop_entry)do { (p)->prop_entry.tqe_next = ((void )0); (p)->prop_entry .tqe_prev = (&pol.pol_proposals)->tqh_last; (&pol .pol_proposals)->tqh_last = (p); (&pol.pol_proposals)-> tqh_last = &(p)->prop_entry.tqe_next; } while (0);
2340	pol.pol_nproposals++;
2341	} else {
2342	for (i = 0; i < ike_sa->nxfs; i++) {
2343	noauth = auth = 0;
2344	for (j = 0; j < ike_sa->xfs[i]->nencxf; j++) {
2345	if (ike_sa->xfs[i]->encxf[j]->noauth)
2346	noauth++;
2347	else
2348	auth++;
2349	}
2350	for (j = 0; j < ike_sa->xfs[i]->ngroupxf; j++) {
2351	if (ike_sa->xfs[i]->groupxf[j]->id
2352	== IKEV2_XFORMDH_NONE0) {
2353	yyerror("IKE group can not be \"none\".");
2354	goto done;
2355	}
2356	}
2357	if (ike_sa->xfs[i]->nauthxf)
2358	auth++;
2359
2360	if (ike_sa->xfs[i]->nesnxf) {
2361	yyerror("cannot use ESN with ikesa.");
2362	goto done;
2363	}
2364	if (noauth && noauth != ike_sa->xfs[i]->nencxf) {
2365	yyerror("cannot mix encryption transforms with "
2366	"implicit and non-implicit authentication");
2367	goto done;
2368	}
2369	if (noauth && ike_sa->xfs[i]->nauthxf) {
2370	yyerror("authentication is implicit for given "
2371	"encryption transforms");
2372	goto done;
2373	}
2374
2375	if (!auth) {
2376	if ((p = calloc(1, sizeof(p))) == NULL((void )0))
2377	err(1, "%s", __func__);
2378
2379	xf = NULL((void *)0);
2380	xfi = 0;
2381	copy_transforms(IKEV2_XFORMTYPE_ENCR1,
2382	ike_sa->xfs[i]->encxf,
2383	ike_sa->xfs[i]->nencxf, &xf, &xfi,
2384	ikev2_default_ike_transforms_noauth,
2385	ikev2_default_nike_transforms_noauth);
2386	copy_transforms(IKEV2_XFORMTYPE_DH4,
2387	ike_sa->xfs[i]->groupxf,
2388	ike_sa->xfs[i]->ngroupxf, &xf, &xfi,
2389	ikev2_default_ike_transforms_noauth,
2390	ikev2_default_nike_transforms_noauth);
2391	copy_transforms(IKEV2_XFORMTYPE_PRF2,
2392	ike_sa->xfs[i]->prfxf,
2393	ike_sa->xfs[i]->nprfxf, &xf, &xfi,
2394	ikev2_default_ike_transforms_noauth,
2395	ikev2_default_nike_transforms_noauth);
2396
2397	p->prop_id = ikepropid++;
2398	p->prop_protoid = IKEV2_SAPROTO_IKE1;
2399	p->prop_xforms = xf;
2400	p->prop_nxforms = xfi;
2401	TAILQ_INSERT_TAIL(&pol.pol_proposals, p, prop_entry)do { (p)->prop_entry.tqe_next = ((void )0); (p)->prop_entry .tqe_prev = (&pol.pol_proposals)->tqh_last; (&pol .pol_proposals)->tqh_last = (p); (&pol.pol_proposals)-> tqh_last = &(p)->prop_entry.tqe_next; } while (0);
2402	pol.pol_nproposals++;
2403	}
2404	if (!noauth) {
2405	if ((p = calloc(1, sizeof(p))) == NULL((void )0))
2406	err(1, "%s", __func__);
2407
2408	xf = NULL((void *)0);
2409	xfi = 0;
2410	copy_transforms(IKEV2_XFORMTYPE_INTEGR3,
2411	ike_sa->xfs[i]->authxf,
2412	ike_sa->xfs[i]->nauthxf, &xf, &xfi,
2413	ikev2_default_ike_transforms,
2414	ikev2_default_nike_transforms);
2415	copy_transforms(IKEV2_XFORMTYPE_ENCR1,
2416	ike_sa->xfs[i]->encxf,
2417	ike_sa->xfs[i]->nencxf, &xf, &xfi,
2418	ikev2_default_ike_transforms,
2419	ikev2_default_nike_transforms);
2420	copy_transforms(IKEV2_XFORMTYPE_DH4,
2421	ike_sa->xfs[i]->groupxf,
2422	ike_sa->xfs[i]->ngroupxf, &xf, &xfi,
2423	ikev2_default_ike_transforms,
2424	ikev2_default_nike_transforms);
2425	copy_transforms(IKEV2_XFORMTYPE_PRF2,
2426	ike_sa->xfs[i]->prfxf,
2427	ike_sa->xfs[i]->nprfxf, &xf, &xfi,
2428	ikev2_default_ike_transforms,
2429	ikev2_default_nike_transforms);
2430
2431	p->prop_id = ikepropid++;
2432	p->prop_protoid = IKEV2_SAPROTO_IKE1;
2433	p->prop_xforms = xf;
2434	p->prop_nxforms = xfi;
2435	TAILQ_INSERT_TAIL(&pol.pol_proposals, p, prop_entry)do { (p)->prop_entry.tqe_next = ((void )0); (p)->prop_entry .tqe_prev = (&pol.pol_proposals)->tqh_last; (&pol .pol_proposals)->tqh_last = (p); (&pol.pol_proposals)-> tqh_last = &(p)->prop_entry.tqe_next; } while (0);
2436	pol.pol_nproposals++;
2437	}
2438	}
2439	}
2440
2441	if (ipsec_sa == NULL((void *)0) \|\| ipsec_sa->nxfs == 0) {
2442	if ((p = calloc(1, sizeof(p))) == NULL((void )0))
2443	err(1, "%s", __func__);
2444	p->prop_id = ipsecpropid++;
2445	p->prop_protoid = saproto;
2446	p->prop_nxforms = ikev2_default_nesp_transforms_noauth;
2447	p->prop_xforms = ikev2_default_esp_transforms_noauth;
2448	TAILQ_INSERT_TAIL(&pol.pol_proposals, p, prop_entry)do { (p)->prop_entry.tqe_next = ((void )0); (p)->prop_entry .tqe_prev = (&pol.pol_proposals)->tqh_last; (&pol .pol_proposals)->tqh_last = (p); (&pol.pol_proposals)-> tqh_last = &(p)->prop_entry.tqe_next; } while (0);
2449	pol.pol_nproposals++;
2450
2451	if ((p = calloc(1, sizeof(p))) == NULL((void )0))
2452	err(1, "%s", __func__);
2453	p->prop_id = ipsecpropid++;
2454	p->prop_protoid = saproto;
2455	p->prop_nxforms = ikev2_default_nesp_transforms;
2456	p->prop_xforms = ikev2_default_esp_transforms;
2457	TAILQ_INSERT_TAIL(&pol.pol_proposals, p, prop_entry)do { (p)->prop_entry.tqe_next = ((void )0); (p)->prop_entry .tqe_prev = (&pol.pol_proposals)->tqh_last; (&pol .pol_proposals)->tqh_last = (p); (&pol.pol_proposals)-> tqh_last = &(p)->prop_entry.tqe_next; } while (0);
2458	pol.pol_nproposals++;
2459	} else {
2460	for (i = 0; i < ipsec_sa->nxfs; i++) {
2461	noauth = auth = 0;
2462	for (j = 0; j < ipsec_sa->xfs[i]->nencxf; j++) {
2463	if (ipsec_sa->xfs[i]->encxf[j]->noauth)
2464	noauth++;
2465	else
2466	auth++;
2467	}
2468	if (ipsec_sa->xfs[i]->nauthxf)
2469	auth++;
2470
2471	if (noauth && noauth != ipsec_sa->xfs[i]->nencxf) {
2472	yyerror("cannot mix encryption transforms with "
2473	"implicit and non-implicit authentication");
2474	goto done;
2475	}
2476	if (noauth && ipsec_sa->xfs[i]->nauthxf) {
2477	yyerror("authentication is implicit for given "
2478	"encryption transforms");
2479	goto done;
2480	}
2481
2482	if (!auth) {
2483	if ((p = calloc(1, sizeof(p))) == NULL((void )0))
2484	err(1, "%s", __func__);
2485
2486	xf = NULL((void *)0);
2487	xfi = 0;
2488	copy_transforms(IKEV2_XFORMTYPE_ENCR1,
2489	ipsec_sa->xfs[i]->encxf,
2490	ipsec_sa->xfs[i]->nencxf, &xf, &xfi,
2491	ikev2_default_esp_transforms_noauth,
2492	ikev2_default_nesp_transforms_noauth);
2493	copy_transforms(IKEV2_XFORMTYPE_DH4,
2494	ipsec_sa->xfs[i]->groupxf,
2495	ipsec_sa->xfs[i]->ngroupxf, &xf, &xfi,
2496	ikev2_default_esp_transforms_noauth,
2497	ikev2_default_nesp_transforms_noauth);
2498	copy_transforms(IKEV2_XFORMTYPE_ESN5,
2499	ipsec_sa->xfs[i]->esnxf,
2500	ipsec_sa->xfs[i]->nesnxf, &xf, &xfi,
2501	ikev2_default_esp_transforms_noauth,
2502	ikev2_default_nesp_transforms_noauth);
2503
2504	p->prop_id = ipsecpropid++;
2505	p->prop_protoid = saproto;
2506	p->prop_xforms = xf;
2507	p->prop_nxforms = xfi;
2508	TAILQ_INSERT_TAIL(&pol.pol_proposals, p, prop_entry)do { (p)->prop_entry.tqe_next = ((void )0); (p)->prop_entry .tqe_prev = (&pol.pol_proposals)->tqh_last; (&pol .pol_proposals)->tqh_last = (p); (&pol.pol_proposals)-> tqh_last = &(p)->prop_entry.tqe_next; } while (0);
2509	pol.pol_nproposals++;
2510	}
2511	if (!noauth) {
2512	if ((p = calloc(1, sizeof(p))) == NULL((void )0))
2513	err(1, "%s", __func__);
2514
2515	xf = NULL((void *)0);
2516	xfi = 0;
2517	copy_transforms(IKEV2_XFORMTYPE_INTEGR3,
2518	ipsec_sa->xfs[i]->authxf,
2519	ipsec_sa->xfs[i]->nauthxf, &xf, &xfi,
2520	ikev2_default_esp_transforms,
2521	ikev2_default_nesp_transforms);
2522	copy_transforms(IKEV2_XFORMTYPE_ENCR1,
2523	ipsec_sa->xfs[i]->encxf,
2524	ipsec_sa->xfs[i]->nencxf, &xf, &xfi,
2525	ikev2_default_esp_transforms,
2526	ikev2_default_nesp_transforms);
2527	copy_transforms(IKEV2_XFORMTYPE_DH4,
2528	ipsec_sa->xfs[i]->groupxf,
2529	ipsec_sa->xfs[i]->ngroupxf, &xf, &xfi,
2530	ikev2_default_esp_transforms,
2531	ikev2_default_nesp_transforms);
2532	copy_transforms(IKEV2_XFORMTYPE_ESN5,
2533	ipsec_sa->xfs[i]->esnxf,
2534	ipsec_sa->xfs[i]->nesnxf, &xf, &xfi,
2535	ikev2_default_esp_transforms,
2536	ikev2_default_nesp_transforms);
2537
2538	p->prop_id = ipsecpropid++;
2539	p->prop_protoid = saproto;
2540	p->prop_xforms = xf;
2541	p->prop_nxforms = xfi;
2542	TAILQ_INSERT_TAIL(&pol.pol_proposals, p, prop_entry)do { (p)->prop_entry.tqe_next = ((void )0); (p)->prop_entry .tqe_prev = (&pol.pol_proposals)->tqh_last; (&pol .pol_proposals)->tqh_last = (p); (&pol.pol_proposals)-> tqh_last = &(p)->prop_entry.tqe_next; } while (0);
2543	pol.pol_nproposals++;
2544	}
2545	}
2546	}
2547
2548	for (ipa = hosts->src, ipb = hosts->dst; ipa && ipb;
2549	ipa = ipa->next, ipb = ipb->next) {
2550	for (j = 0; j < pol.pol_nipproto; j++)
2551	if (expand_flows(&pol, pol.pol_ipproto[j], ipa, ipb))
2552	fatalx("create_ike: invalid flow");
2553	if (pol.pol_nipproto == 0)
2554	if (expand_flows(&pol, 0, ipa, ipb))
2555	fatalx("create_ike: invalid flow");
2556	}
2557
2558	for (j = 0, ipa = ikecfg; ipa; ipa = ipa->next, j++) {
2559	if (j >= IKED_CFG_MAX16)
2560	break;
2561	cfg = &pol.pol_cfg[j];
2562	pol.pol_ncfg++;
2563
2564	cfg->cfg_action = ipa->action;
2565	cfg->cfg_type = ipa->type;
2566	memcpy(&cfg->cfg.address.addr, &ipa->address,
2567	sizeof(ipa->address));
2568	cfg->cfg.address.addr_mask = ipa->mask;
2569	cfg->cfg.address.addr_net = ipa->netaddress;
2570	cfg->cfg.address.addr_af = ipa->af;
2571	}
2572
2573	if (dstid)
2574	strlcpy(idstr, dstid, sizeof(idstr));
2575	else if (!pol.pol_peer.addr_net)
2576	print_host((struct sockaddr *)&pol.pol_peer.addr, idstr,
2577	sizeof(idstr));
2578
2579	ikeauth = &pol.pol_auth;
2580	switch (ikeauth->auth_method) {
2581	case IKEV2_AUTH_RSA_SIG1:
2582	pol.pol_certreqtype = IKEV2_CERT_RSA_KEY11;
2583	break;
2584	case IKEV2_AUTH_ECDSA_2569:
2585	case IKEV2_AUTH_ECDSA_38410:
2586	case IKEV2_AUTH_ECDSA_52111:
2587	pol.pol_certreqtype = IKEV2_CERT_ECDSA201;
2588	break;
2589	default:
2590	pol.pol_certreqtype = IKEV2_CERT_NONE0;
2591	break;
2592	}
2593
2594	log_debug("%s: using %s for peer %s", __func__,
2595	print_xf(ikeauth->auth_method, 0, methodxfs), idstr);
2596
2597	config_setpolicy(env, &pol, PROC_IKEV2);
2598	config_setflow(env, &pol, PROC_IKEV2);
2599
2600	rules++;
2601	ret = 0;
2602
2603	done:
2604	if (ike_sa) {
2605	for (i = 0; i < ike_sa->nxfs; i++) {
2606	free(ike_sa->xfs[i]->authxf);
2607	free(ike_sa->xfs[i]->encxf);
2608	free(ike_sa->xfs[i]->groupxf);
2609	free(ike_sa->xfs[i]->prfxf);
2610	free(ike_sa->xfs[i]);
2611	}
2612	free(ike_sa->xfs);
2613	free(ike_sa);
2614	}
2615	if (ipsec_sa) {
2616	for (i = 0; i < ipsec_sa->nxfs; i++) {
2617	free(ipsec_sa->xfs[i]->authxf);
2618	free(ipsec_sa->xfs[i]->encxf);
2619	free(ipsec_sa->xfs[i]->groupxf);
2620	free(ipsec_sa->xfs[i]->prfxf);
2621	free(ipsec_sa->xfs[i]);
2622	}
2623	free(ipsec_sa->xfs);
2624	free(ipsec_sa);
2625	}
2626	TAILQ_FOREACH_SAFE(p, &pol.pol_proposals, prop_entry, ptmp)for ((p) = ((&pol.pol_proposals)->tqh_first); (p) != ( (void *)0) && ((ptmp) = ((p)->prop_entry.tqe_next) , 1); (p) = (ptmp)) {
2627	if (p->prop_xforms != ikev2_default_ike_transforms &&
2628	p->prop_xforms != ikev2_default_ike_transforms_noauth &&
2629	p->prop_xforms != ikev2_default_esp_transforms &&
2630	p->prop_xforms != ikev2_default_esp_transforms_noauth)
2631	free(p->prop_xforms);
2632	free(p);
2633	}
2634	if (peers != NULL((void *)0)) {
2635	iaw_free(peers->src);
2636	iaw_free(peers->dst);
2637	/* peers is static, cannot be freed */
2638	}
2639	if (hosts != NULL((void *)0)) {
2640	iaw_free(hosts->src);
2641	iaw_free(hosts->dst);
2642	free(hosts);
2643	}
2644	iaw_free(ikecfg);
2645	iaw_free(ipproto);
2646	RB_FOREACH_SAFE(flow, iked_flows, &pol.pol_flows, ftmp)for ((flow) = iked_flows_RB_MINMAX(&pol.pol_flows, -1); ( (flow) != ((void *)0)) && ((ftmp) = iked_flows_RB_NEXT (flow), 1); (flow) = (ftmp)) {
2647	RB_REMOVE(iked_flows, &pol.pol_flows, flow)iked_flows_RB_REMOVE(&pol.pol_flows, flow);
2648	free(flow);
2649	}
2650	free(name);
2651	free(srcid);
2652	free(dstid);
2653	return (ret);
2654	}
2655
2656	static int
2657	create_flow(struct iked_policy pol, int proto, struct ipsec_addr_wrap ipa,
2658	struct ipsec_addr_wrap *ipb)
2659	{
2660	struct iked_flow *flow;
2661	struct ipsec_addr_wrap *ippn;
2662
2663	if (ipa->af != ipb->af) {
2664	yyerror("cannot mix different address families.");
2665	return (-1);
2666	}
2667
2668	if ((flow = calloc(1, sizeof(struct iked_flow))) == NULL((void *)0))
2669	fatalx("%s: failed to alloc flow.", __func__);
2670
2671	memcpy(&flow->flow_src.addr, &ipa->address,
2672	sizeof(ipa->address));
2673	flow->flow_src.addr_af = ipa->af;
2674	flow->flow_src.addr_mask = ipa->mask;
2675	flow->flow_src.addr_net = ipa->netaddress;
2676	flow->flow_src.addr_port = ipa->port;
2677
2678	memcpy(&flow->flow_dst.addr, &ipb->address,
2679	sizeof(ipb->address));
2680	flow->flow_dst.addr_af = ipb->af;
2681	flow->flow_dst.addr_mask = ipb->mask;
2682	flow->flow_dst.addr_net = ipb->netaddress;
2683	flow->flow_dst.addr_port = ipb->port;
2684
2685	ippn = ipa->srcnat;
2686	if (ippn) {
2687	memcpy(&flow->flow_prenat.addr, &ippn->address,
2688	sizeof(ippn->address));
2689	flow->flow_prenat.addr_af = ippn->af;
2690	flow->flow_prenat.addr_mask = ippn->mask;
2691	flow->flow_prenat.addr_net = ippn->netaddress;
2692	} else {
2693	flow->flow_prenat.addr_af = 0;
2694	}
2695
2696	flow->flow_dir = IPSP_DIRECTION_OUT0x2;
2697	flow->flow_ipproto = proto;
2698	flow->flow_saproto = pol->pol_saproto;
2699	flow->flow_rdomain = pol->pol_rdomain;
2700
2701	if (RB_INSERT(iked_flows, &pol->pol_flows, flow)iked_flows_RB_INSERT(&pol->pol_flows, flow) == NULL((void *)0))
2702	pol->pol_nflows++;
2703	else {
2704	warnx("create_ike: duplicate flow");
2705	free(flow);
2706	}
2707
2708	return (0);
2709	}
2710
2711	static int
2712	expand_flows(struct iked_policy pol, int proto, struct ipsec_addr_wrap src,
2713	struct ipsec_addr_wrap *dst)
2714	{
2715	struct ipsec_addr_wrap ipa = NULL((void )0), ipb = NULL((void )0);
2716	int ret = -1;
2717	int srcaf, dstaf;
2718
2719	srcaf = src->af;
2720	dstaf = dst->af;
2721
2722	if (src->af == AF_UNSPEC0 &&
2723	dst->af == AF_UNSPEC0) {
2724	/* Need both IPv4 and IPv6 flows */
2725	src->af = dst->af = AF_INET2;
2726	ipa = expand_keyword(src);
2727	ipb = expand_keyword(dst);
2728	if (!ipa \|\| !ipb)
2729	goto done;
2730	if (create_flow(pol, proto, ipa, ipb))
2731	goto done;
2732
2733	iaw_free(ipa);
2734	iaw_free(ipb);
2735	src->af = dst->af = AF_INET624;
2736	ipa = expand_keyword(src);
2737	ipb = expand_keyword(dst);
2738	if (!ipa \|\| !ipb)
2739	goto done;
2740	if (create_flow(pol, proto, ipa, ipb))
2741	goto done;
2742	} else if (src->af == AF_UNSPEC0) {
2743	src->af = dst->af;
2744	ipa = expand_keyword(src);
2745	if (!ipa)
2746	goto done;
2747	if (create_flow(pol, proto, ipa, dst))
2748	goto done;
2749	} else if (dst->af == AF_UNSPEC0) {
2750	dst->af = src->af;
2751	ipa = expand_keyword(dst);
2752	if (!ipa)
2753	goto done;
2754	if (create_flow(pol, proto, src, ipa))
2755	goto done;
2756	} else if (create_flow(pol, proto, src, dst))
2757	goto done;
2758	ret = 0;
2759	done:
2760	src->af = srcaf;
2761	dst->af = dstaf;
2762	iaw_free(ipa);
2763	iaw_free(ipb);
2764	return (ret);
2765	}
2766
2767	static struct ipsec_addr_wrap *
2768	expand_keyword(struct ipsec_addr_wrap *ip)
2769	{
2770	switch(ip->af) {
2771	case AF_INET2:
2772	switch(ip->type) {
2773	case IPSEC_ADDR_ANY(0x1):
2774	return (host("0.0.0.0/0"));
2775	case IPSEC_ADDR_DYNAMIC(0x2):
2776	return (host("0.0.0.0"));
2777	}
2778	break;
2779	case AF_INET624:
2780	switch(ip->type) {
2781	case IPSEC_ADDR_ANY(0x1):
2782	return (host("::/0"));
2783	case IPSEC_ADDR_DYNAMIC(0x2):
2784	return (host("::"));
2785	}
2786	}
2787	return (NULL((void *)0));
2788	}
2789
2790	int
2791	create_user(const char user, const char pass)
2792	{
2793	struct iked_user usr;
2794
2795	bzero(&usr, sizeof(usr));
2796
2797	if (*user == '\0' \|\| (strlcpy(usr.usr_name, user,
2798	sizeof(usr.usr_name)) >= sizeof(usr.usr_name))) {
2799	yyerror("invalid user name");
2800	return (-1);
2801	}
2802	if (*pass == '\0' \|\| (strlcpy(usr.usr_pass, pass,
2803	sizeof(usr.usr_pass)) >= sizeof(usr.usr_pass))) {
2804	yyerror("invalid password");
2805	explicit_bzero(&usr, sizeof usr); /* zap partial password */
2806	return (-1);
2807	}
2808
2809	config_setuser(env, &usr, PROC_IKEV2);
2810
2811	rules++;
2812
2813	explicit_bzero(&usr, sizeof usr);
2814	return (0);
2815	}
2816
2817	void
2818	iaw_free(struct ipsec_addr_wrap *head)
2819	{
2820	struct ipsec_addr_wrap n, cur;
2821
2822	if (head == NULL((void *)0))
2823	return;
2824
2825	for (n = head; n != NULL((void *)0); ) {
2826	cur = n;
2827	n = n->next;
2828	if (cur->srcnat != NULL((void *)0)) {
2829	free(cur->srcnat->name);
2830	free(cur->srcnat);
2831	}
2832	free(cur->name);
2833	free(cur);
2834	}
2835	}
2836	#line 2829 "parse.c"
2837	/* allocate initial stack or double stack size, up to YYMAXDEPTH */
2838	static int yygrowstack(void)
2839	{
2840	unsigned int newsize;
2841	long sslen;
2842	short *newss;
2843	YYSTYPE *newvs;
2844
2845	if ((newsize = yystacksize) == 0)
2846	newsize = YYINITSTACKSIZE200;
2847	else if (newsize >= YYMAXDEPTH10000)
2848	return -1;
2849	else if ((newsize *= 2) > YYMAXDEPTH10000)
2850	newsize = YYMAXDEPTH10000;
2851	sslen = yyssp - yyss;
2852	#ifdef SIZE_MAX0xffffffffffffffffUL
2853	#define YY_SIZE_MAX0xffffffffffffffffUL SIZE_MAX0xffffffffffffffffUL
2854	#else
2855	#define YY_SIZE_MAX0xffffffffffffffffUL 0xffffffffU
2856	#endif
2857	if (newsize && YY_SIZE_MAX0xffffffffffffffffUL / newsize < sizeof *newss)
2858	goto bail;
2859	newss = (short )realloc(yyss, newsize sizeof *newss);
2860	if (newss == NULL((void *)0))
2861	goto bail;
2862	yyss = newss;
2863	yyssp = newss + sslen;
2864	if (newsize && YY_SIZE_MAX0xffffffffffffffffUL / newsize < sizeof *newvs)
2865	goto bail;
2866	newvs = (YYSTYPE )realloc(yyvs, newsize sizeof *newvs);
2867	if (newvs == NULL((void *)0))
2868	goto bail;
2869	yyvs = newvs;
2870	yyvsp = newvs + sslen;
2871	yystacksize = newsize;
2872	yysslim = yyss + newsize - 1;
2873	return 0;
2874	bail:
2875	if (yyss)
2876	free(yyss);
2877	if (yyvs)
2878	free(yyvs);
2879	yyss = yyssp = NULL((void *)0);
2880	yyvs = yyvsp = NULL((void *)0);
2881	yystacksize = 0;
2882	return -1;
2883	}
2884
2885	#define YYABORTgoto yyabort goto yyabort
2886	#define YYREJECTgoto yyabort goto yyabort
2887	#define YYACCEPTgoto yyaccept goto yyaccept
2888	#define YYERRORgoto yyerrlab goto yyerrlab
2889	int
2890	yyparse(void)
2891	{
2892	int yym, yyn, yystate;
2893	#if YYDEBUG0
2894	const char *yys;
2895
2896	if ((yys = getenv("YYDEBUG")))
2897	{
2898	yyn = *yys;
2899	if (yyn >= '0' && yyn <= '9')
2900	yydebug = yyn - '0';
2901	}
2902	#endif /* YYDEBUG */
2903
2904	yynerrs = 0;
2905	yyerrflag = 0;
2906	yychar = (-1);
2907
2908	if (yyss == NULL((void *)0) && yygrowstack()) goto yyoverflow;
2909	yyssp = yyss;
2910	yyvsp = yyvs;
2911	*yyssp = yystate = 0;
2912
2913	yyloop:
2914	if ((yyn = yydefred[yystate]) != 0) goto yyreduce;
2915	if (yychar < 0)
2916	{
2917	if ((yychar = yylex()) < 0) yychar = 0;
2918	#if YYDEBUG0
2919	if (yydebug)
2920	{
2921	yys = 0;
2922	if (yychar <= YYMAXTOKEN328) yys = yyname[yychar];
2923	if (!yys) yys = "illegal-symbol";
2924	printf("%sdebug: state %d, reading %d (%s)\n",
2925	YYPREFIX"yy", yystate, yychar, yys);
2926	}
2927	#endif
2928	}
2929	if ((yyn = yysindex[yystate]) && (yyn += yychar) >= 0 &&
2930	yyn <= YYTABLESIZE731 && yycheck[yyn] == yychar)
2931	{
2932	#if YYDEBUG0
2933	if (yydebug)
2934	printf("%sdebug: state %d, shifting to state %d\n",
2935	YYPREFIX"yy", yystate, yytable[yyn]);
2936	#endif
2937	if (yyssp >= yysslim && yygrowstack())
2938	{
2939	goto yyoverflow;
2940	}
2941	*++yyssp = yystate = yytable[yyn];
2942	*++yyvsp = yylval;
2943	yychar = (-1);
2944	if (yyerrflag > 0) --yyerrflag;
2945	goto yyloop;
2946	}
2947	if ((yyn = yyrindex[yystate]) && (yyn += yychar) >= 0 &&
2948	yyn <= YYTABLESIZE731 && yycheck[yyn] == yychar)
2949	{
2950	yyn = yytable[yyn];
2951	goto yyreduce;
2952	}
2953	if (yyerrflag) goto yyinrecovery;
2954	#if defined(__GNUC__4)
2955	goto yynewerror;
2956	#endif
2957	yynewerror:
2958	yyerror("syntax error");
2959	#if defined(__GNUC__4)
2960	goto yyerrlab;
2961	#endif
2962	yyerrlab:
2963	++yynerrs;
2964	yyinrecovery:
2965	if (yyerrflag < 3)
2966	{
2967	yyerrflag = 3;
2968	for (;;)
2969	{
2970	if ((yyn = yysindex[*yyssp]) && (yyn += YYERRCODE256) >= 0 &&
2971	yyn <= YYTABLESIZE731 && yycheck[yyn] == YYERRCODE256)
2972	{
2973	#if YYDEBUG0
2974	if (yydebug)
2975	printf("%sdebug: state %d, error recovery shifting\
2976	to state %d\n", YYPREFIX"yy", *yyssp, yytable[yyn]);
2977	#endif
2978	if (yyssp >= yysslim && yygrowstack())
2979	{
2980	goto yyoverflow;
2981	}
2982	*++yyssp = yystate = yytable[yyn];
2983	*++yyvsp = yylval;
2984	goto yyloop;
2985	}
2986	else
2987	{
2988	#if YYDEBUG0
2989	if (yydebug)
2990	printf("%sdebug: error recovery discarding state %d\n",
2991	YYPREFIX"yy", *yyssp);
2992	#endif
2993	if (yyssp <= yyss) goto yyabort;
2994	--yyssp;
2995	--yyvsp;
2996	}
2997	}
2998	}
2999	else
3000	{
3001	if (yychar == 0) goto yyabort;
3002	#if YYDEBUG0
3003	if (yydebug)
3004	{
3005	yys = 0;
3006	if (yychar <= YYMAXTOKEN328) yys = yyname[yychar];
3007	if (!yys) yys = "illegal-symbol";
3008	printf("%sdebug: state %d, error recovery discards token %d (%s)\n",
3009	YYPREFIX"yy", yystate, yychar, yys);
3010	}
3011	#endif
3012	yychar = (-1);
3013	goto yyloop;
3014	}
3015	yyreduce:
3016	#if YYDEBUG0
3017	if (yydebug)
3018	printf("%sdebug: state %d, reducing by rule %d (%s)\n",
3019	YYPREFIX"yy", yystate, yyn, yyrule[yyn]);
3020	#endif
3021	yym = yylen[yyn];
3022	if (yym)
3023	yyval = yyvsp[1-yym];
3024	else
3025	memset(&yyval, 0, sizeof yyval);
3026	switch (yyn)
3027	{
3028	case 9:
3029	#line 482 "/usr/src/sbin/iked/parse.y"
3030	{ file->errors++; }
3031	break;
3032	case 12:
3033	#line 489 "/usr/src/sbin/iked/parse.y"
3034	{
3035	struct file *nfile;
3036
3037	if ((nfile = pushfile(yyvsp[0].v.string, 1)) == NULL((void *)0)) {
3038	yyerror("failed to include file %s", yyvsp[0].v.string);
3039	free(yyvsp[0].v.string);
3040	YYERRORgoto yyerrlab;
3041	}
3042	free(yyvsp[0].v.string);
3043
3044	file = nfile;
3045	lungetc('\n');
3046	}
3047	break;
3048	case 13:
3049	#line 504 "/usr/src/sbin/iked/parse.y"
3050	{ passive = 0; }
3051	break;
3052	case 14:
3053	#line 505 "/usr/src/sbin/iked/parse.y"
3054	{ passive = 1; }
3055	break;
3056	case 15:
3057	#line 506 "/usr/src/sbin/iked/parse.y"
3058	{ decouple = 0; }
3059	break;
3060	case 16:
3061	#line 507 "/usr/src/sbin/iked/parse.y"
3062	{ decouple = 1; }
3063	break;
3064	case 17:
3065	#line 508 "/usr/src/sbin/iked/parse.y"
3066	{ fragmentation = 1; }
3067	break;
3068	case 18:
3069	#line 509 "/usr/src/sbin/iked/parse.y"
3070	{ fragmentation = 0; }
3071	break;
3072	case 19:
3073	#line 510 "/usr/src/sbin/iked/parse.y"
3074	{ mobike = 1; }
3075	break;
3076	case 20:
3077	#line 511 "/usr/src/sbin/iked/parse.y"
3078	{ mobike = 0; }
3079	break;
3080	case 21:
3081	#line 512 "/usr/src/sbin/iked/parse.y"
3082	{ enforcesingleikesa = 1; }
3083	break;
3084	case 22:
3085	#line 513 "/usr/src/sbin/iked/parse.y"
3086	{ enforcesingleikesa = 0; }
3087	break;
3088	case 23:
3089	#line 514 "/usr/src/sbin/iked/parse.y"
3090	{ stickyaddress = 1; }
3091	break;
3092	case 24:
3093	#line 515 "/usr/src/sbin/iked/parse.y"
3094	{ stickyaddress = 0; }
3095	break;
3096	case 25:
3097	#line 516 "/usr/src/sbin/iked/parse.y"
3098	{
3099	ocsp_url = yyvsp[0].v.string;
3100	}
3101	break;
3102	case 26:
3103	#line 519 "/usr/src/sbin/iked/parse.y"
3104	{
3105	ocsp_url = yyvsp[-2].v.string;
3106	ocsp_tolerate = yyvsp[0].v.number;
3107	}
3108	break;
3109	case 27:
3110	#line 523 "/usr/src/sbin/iked/parse.y"
3111	{
3112	ocsp_url = yyvsp[-4].v.string;
3113	ocsp_tolerate = yyvsp[-2].v.number;
3114	ocsp_maxage = yyvsp[0].v.number;
3115	}
3116	break;
3117	case 28:
3118	#line 528 "/usr/src/sbin/iked/parse.y"
3119	{
3120	cert_partial_chain = 1;
3121	}
3122	break;
3123	case 29:
3124	#line 531 "/usr/src/sbin/iked/parse.y"
3125	{
3126	if (yyvsp[0].v.number < 0) {
3127	yyerror("timeout outside range");
3128	YYERRORgoto yyerrlab;
3129	}
3130	dpd_interval = yyvsp[0].v.number;
3131	}
3132	break;
3133	case 30:
3134	#line 540 "/usr/src/sbin/iked/parse.y"
3135	{
3136	if (create_user(yyvsp[-1].v.string, yyvsp[0].v.string) == -1)
3137	YYERRORgoto yyerrlab;
3138	free(yyvsp[-1].v.string);
3139	freezero(yyvsp[0].v.string, strlen(yyvsp[0].v.string));
3140	}
3141	break;
3142	case 31:
3143	#line 550 "/usr/src/sbin/iked/parse.y"
3144	{
3145	if (create_ike(yyvsp[-16].v.string, yyvsp[-13].v.number, yyvsp[-12].v.proto, yyvsp[-11].v.number, yyvsp[-10].v.hosts, &yyvsp[-9].v.peers, yyvsp[-8].v.mode, yyvsp[-7].v.mode, yyvsp[-14].v.satype,
3146	yyvsp[-15].v.ikemode, yyvsp[-6].v.ids.srcid, yyvsp[-6].v.ids.dstid, yyvsp[-5].v.number, &yyvsp[-4].v.lifetime, &yyvsp[-3].v.ikeauth,
3147	yyvsp[0].v.filters, yyvsp[-2].v.cfg, yyvsp[-1].v.string) == -1) {
3148	yyerror("create_ike failed");
3149	YYERRORgoto yyerrlab;
3150	}
3151	}
3152	break;
3153	case 32:
3154	#line 560 "/usr/src/sbin/iked/parse.y"
3155	{ yyval.v.cfg = NULL((void *)0); }
3156	break;
3157	case 33:
3158	#line 561 "/usr/src/sbin/iked/parse.y"
3159	{ yyval.v.cfg = yyvsp[0].v.cfg; }
3160	break;
3161	case 34:
3162	#line 564 "/usr/src/sbin/iked/parse.y"
3163	{ yyval.v.cfg = yyvsp[0].v.cfg; }
3164	break;
3165	case 35:
3166	#line 565 "/usr/src/sbin/iked/parse.y"
3167	{
3168	if (yyvsp[0].v.cfg == NULL((void *)0))
3169	yyval.v.cfg = yyvsp[-1].v.cfg;
3170	else if (yyvsp[-1].v.cfg == NULL((void *)0))
3171	yyval.v.cfg = yyvsp[0].v.cfg;
3172	else {
3173	yyvsp[-1].v.cfg->tail->next = yyvsp[0].v.cfg;
3174	yyvsp[-1].v.cfg->tail = yyvsp[0].v.cfg->tail;
3175	yyval.v.cfg = yyvsp[-1].v.cfg;
3176	}
3177	}
3178	break;
3179	case 36:
3180	#line 578 "/usr/src/sbin/iked/parse.y"
3181	{
3182	const struct ipsec_xf *xf;
3183
3184	if ((xf = parse_xf(yyvsp[-1].v.string, yyvsp[0].v.host->af, cpxfs)) == NULL((void *)0)) {
3185	yyerror("not a valid ikecfg option");
3186	free(yyvsp[-1].v.string);
3187	free(yyvsp[0].v.host);
3188	YYERRORgoto yyerrlab;
3189	}
3190	free(yyvsp[-1].v.string);
3191	yyval.v.cfg = yyvsp[0].v.host;
3192	yyval.v.cfg->type = xf->id;
3193	yyval.v.cfg->action = IKEV2_CP_REPLY2; /* XXX */
3194	}
3195	break;
3196	case 37:
3197	#line 592 "/usr/src/sbin/iked/parse.y"
3198	{
3199	const struct ipsec_xf *xf;
3200
3201	if ((xf = parse_xf(yyvsp[-1].v.string, yyvsp[0].v.anyhost->af, cpxfs)) == NULL((void *)0)) {
3202	yyerror("not a valid ikecfg option");
3203	free(yyvsp[-1].v.string);
3204	free(yyvsp[0].v.anyhost);
3205	YYERRORgoto yyerrlab;
3206	}
3207	free(yyvsp[-1].v.string);
3208	yyval.v.cfg = yyvsp[0].v.anyhost;
3209	yyval.v.cfg->type = xf->id;
3210	yyval.v.cfg->action = IKEV2_CP_REQUEST1; /* XXX */
3211	}
3212	break;
3213	case 38:
3214	#line 608 "/usr/src/sbin/iked/parse.y"
3215	{ yyval.v.string = NULL((void *)0); }
3216	break;
3217	case 39:
3218	#line 609 "/usr/src/sbin/iked/parse.y"
3219	{
3220	yyval.v.string = yyvsp[0].v.string;
3221	}
3222	break;
3223	case 40:
3224	#line 613 "/usr/src/sbin/iked/parse.y"
3225	{ yyval.v.satype = IKEV2_SAPROTO_ESP3; }
3226	break;
3227	case 41:
3228	#line 614 "/usr/src/sbin/iked/parse.y"
3229	{ yyval.v.satype = IKEV2_SAPROTO_ESP3; }
3230	break;
3231	case 42:
3232	#line 615 "/usr/src/sbin/iked/parse.y"
3233	{ yyval.v.satype = IKEV2_SAPROTO_AH2; }
3234	break;
3235	case 43:
3236	#line 618 "/usr/src/sbin/iked/parse.y"
3237	{ yyval.v.number = AF_UNSPEC0; }
3238	break;
3239	case 44:
3240	#line 619 "/usr/src/sbin/iked/parse.y"
3241	{ yyval.v.number = AF_INET2; }
3242	break;
3243	case 45:
3244	#line 620 "/usr/src/sbin/iked/parse.y"
3245	{ yyval.v.number = AF_INET624; }
3246	break;
3247	case 46:
3248	#line 623 "/usr/src/sbin/iked/parse.y"
3249	{ yyval.v.proto = NULL((void *)0); }
3250	break;
3251	case 47:
3252	#line 624 "/usr/src/sbin/iked/parse.y"
3253	{ yyval.v.proto = yyvsp[0].v.proto; }
3254	break;
3255	case 48:
3256	#line 625 "/usr/src/sbin/iked/parse.y"
3257	{ yyval.v.proto = yyvsp[-1].v.proto; }
3258	break;
3259	case 49:
3260	#line 628 "/usr/src/sbin/iked/parse.y"
3261	{ yyval.v.proto = yyvsp[0].v.proto; }
3262	break;
3263	case 50:
3264	#line 629 "/usr/src/sbin/iked/parse.y"
3265	{
3266	if (yyvsp[0].v.proto == NULL((void *)0))
3267	yyval.v.proto = yyvsp[-2].v.proto;
3268	else if (yyvsp[-2].v.proto == NULL((void *)0))
3269	yyval.v.proto = yyvsp[0].v.proto;
3270	else {
3271	yyvsp[-2].v.proto->tail->next = yyvsp[0].v.proto;
3272	yyvsp[-2].v.proto->tail = yyvsp[0].v.proto->tail;
3273	yyval.v.proto = yyvsp[-2].v.proto;
3274	}
3275	}
3276	break;
3277	case 51:
3278	#line 642 "/usr/src/sbin/iked/parse.y"
3279	{
3280	struct protoent *p;
3281
3282	p = getprotobyname(yyvsp[0].v.string);
3283	if (p == NULL((void *)0)) {
3284	yyerror("unknown protocol: %s", yyvsp[0].v.string);
3285	YYERRORgoto yyerrlab;
3286	}
3287
3288	if ((yyval.v.proto = calloc(1, sizeof(yyval.v.proto))) == NULL((void )0))
3289	err(1, "protoval: calloc");
3290
3291	yyval.v.proto->type = p->p_proto;
3292	yyval.v.proto->tail = yyval.v.proto;
3293	free(yyvsp[0].v.string);
3294	}
3295	break;
3296	case 52:
3297	#line 658 "/usr/src/sbin/iked/parse.y"
3298	{
3299	if (yyvsp[0].v.number > 255 \|\| yyvsp[0].v.number < 0) {
3300	yyerror("protocol outside range");
3301	YYERRORgoto yyerrlab;
3302	}
3303	if ((yyval.v.proto = calloc(1, sizeof(yyval.v.proto))) == NULL((void )0))
3304	err(1, "protoval: calloc");
3305
3306	yyval.v.proto->type = yyvsp[0].v.number;
3307	yyval.v.proto->tail = yyval.v.proto;
3308	}
3309	break;
3310	case 53:
3311	#line 671 "/usr/src/sbin/iked/parse.y"
3312	{ yyval.v.number = -1; }
3313	break;
3314	case 54:
3315	#line 672 "/usr/src/sbin/iked/parse.y"
3316	{
3317	if (yyvsp[0].v.number > 255 \|\| yyvsp[0].v.number < 0) {
3318	yyerror("rdomain outside range");
3319	YYERRORgoto yyerrlab;
3320	}
3321	yyval.v.number = yyvsp[0].v.number;
3322	}
3323	break;
3324	case 55:
3325	#line 680 "/usr/src/sbin/iked/parse.y"
3326	{ yyval.v.hosts = yyvsp[0].v.hosts; }
3327	break;
3328	case 56:
3329	#line 681 "/usr/src/sbin/iked/parse.y"
3330	{
3331	if (yyvsp[0].v.hosts == NULL((void *)0))
3332	yyval.v.hosts = yyvsp[-2].v.hosts;
3333	else if (yyvsp[-2].v.hosts == NULL((void *)0))
3334	yyval.v.hosts = yyvsp[0].v.hosts;
3335	else {
3336	yyvsp[-2].v.hosts->src->tail->next = yyvsp[0].v.hosts->src;
3337	yyvsp[-2].v.hosts->src->tail = yyvsp[0].v.hosts->src->tail;
3338	yyvsp[-2].v.hosts->dst->tail->next = yyvsp[0].v.hosts->dst;
3339	yyvsp[-2].v.hosts->dst->tail = yyvsp[0].v.hosts->dst->tail;
3340	yyval.v.hosts = yyvsp[-2].v.hosts;
3341	free(yyvsp[0].v.hosts);
3342	}
3343	}
3344	break;
3345	case 57:
3346	#line 697 "/usr/src/sbin/iked/parse.y"
3347	{
3348	struct ipsec_addr_wrap *ipa;
3349	for (ipa = yyvsp[-1].v.host; ipa; ipa = ipa->next) {
3350	if (ipa->srcnat) {
3351	yyerror("no flow NAT support for"
3352	" destination network: %s",
3353	ipa->name);
3354	YYERRORgoto yyerrlab;
3355	}
3356	}
3357
3358	if ((yyval.v.hosts = calloc(1, sizeof(yyval.v.hosts))) == NULL((void )0))
3359	err(1, "hosts: calloc");
3360
3361	yyval.v.hosts->src = yyvsp[-4].v.host;
3362	yyval.v.hosts->src->port = yyvsp[-3].v.port;
3363	yyval.v.hosts->dst = yyvsp[-1].v.host;
3364	yyval.v.hosts->dst->port = yyvsp[0].v.port;
3365	}
3366	break;
3367	case 58:
3368	#line 716 "/usr/src/sbin/iked/parse.y"
3369	{
3370	struct ipsec_addr_wrap *ipa;
3371	for (ipa = yyvsp[-4].v.host; ipa; ipa = ipa->next) {
3372	if (ipa->srcnat) {
3373	yyerror("no flow NAT support for"
3374	" destination network: %s",
3375	ipa->name);
3376	YYERRORgoto yyerrlab;
3377	}
3378	}
3379	if ((yyval.v.hosts = calloc(1, sizeof(yyval.v.hosts))) == NULL((void )0))
3380	err(1, "hosts: calloc");
3381
3382	yyval.v.hosts->src = yyvsp[-1].v.host;
3383	yyval.v.hosts->src->port = yyvsp[0].v.port;
3384	yyval.v.hosts->dst = yyvsp[-4].v.host;
3385	yyval.v.hosts->dst->port = yyvsp[-3].v.port;
3386	}
3387	break;
3388	case 59:
3389	#line 736 "/usr/src/sbin/iked/parse.y"
3390	{ yyval.v.port = 0; }
3391	break;
3392	case 60:
3393	#line 737 "/usr/src/sbin/iked/parse.y"
3394	{ yyval.v.port = yyvsp[0].v.number; }
3395	break;
3396	case 61:
3397	#line 740 "/usr/src/sbin/iked/parse.y"
3398	{
3399	struct servent *s;
3400
3401	if ((s = getservbyname(yyvsp[0].v.string, "tcp")) != NULL((void *)0) \|\|
3402	(s = getservbyname(yyvsp[0].v.string, "udp")) != NULL((void *)0)) {
3403	yyval.v.number = s->s_port;
3404	} else {
3405	yyerror("unknown port: %s", yyvsp[0].v.string);
3406	YYERRORgoto yyerrlab;
3407	}
3408	free(yyvsp[0].v.string);
3409	}
3410	break;
3411	case 62:
3412	#line 752 "/usr/src/sbin/iked/parse.y"
3413	{
3414	if (yyvsp[0].v.number > USHRT_MAX(32767 *2 +1) \|\| yyvsp[0].v.number < 0) {
3415	yyerror("port outside range");
3416	YYERRORgoto yyerrlab;
3417	}
3418	yyval.v.number = htons(yyvsp[0].v.number)(__uint16_t)(__builtin_constant_p(yyvsp[0].v.number) ? (__uint16_t )(((__uint16_t)(yyvsp[0].v.number) & 0xffU) << 8 \| ( (__uint16_t)(yyvsp[0].v.number) & 0xff00U) >> 8) : __swap16md (yyvsp[0].v.number));
3419	}
3420	break;
3421	case 63:
3422	#line 761 "/usr/src/sbin/iked/parse.y"
3423	{
3424	yyval.v.peers.dst = NULL((void *)0);
3425	yyval.v.peers.src = NULL((void *)0);
3426	}
3427	break;
3428	case 64:
3429	#line 765 "/usr/src/sbin/iked/parse.y"
3430	{
3431	yyval.v.peers.dst = yyvsp[-2].v.anyhost;
3432	yyval.v.peers.src = yyvsp[0].v.anyhost;
3433	}
3434	break;
3435	case 65:
3436	#line 769 "/usr/src/sbin/iked/parse.y"
3437	{
3438	yyval.v.peers.dst = yyvsp[0].v.anyhost;
3439	yyval.v.peers.src = yyvsp[-2].v.anyhost;
3440	}
3441	break;
3442	case 66:
3443	#line 773 "/usr/src/sbin/iked/parse.y"
3444	{
3445	yyval.v.peers.dst = yyvsp[0].v.anyhost;
3446	yyval.v.peers.src = NULL((void *)0);
3447	}
3448	break;
3449	case 67:
3450	#line 777 "/usr/src/sbin/iked/parse.y"
3451	{
3452	yyval.v.peers.dst = NULL((void *)0);
3453	yyval.v.peers.src = yyvsp[0].v.anyhost;
3454	}
3455	break;
3456	case 68:
3457	#line 783 "/usr/src/sbin/iked/parse.y"
3458	{ yyval.v.anyhost = yyvsp[0].v.host; }
3459	break;
3460	case 69:
3461	#line 784 "/usr/src/sbin/iked/parse.y"
3462	{
3463	yyval.v.anyhost = host_any();
3464	}
3465	break;
3466	case 70:
3467	#line 788 "/usr/src/sbin/iked/parse.y"
3468	{
3469	if ((yyval.v.host = host(yyvsp[0].v.string)) == NULL((void *)0)) {
3470	free(yyvsp[0].v.string);
3471	yyerror("could not parse host specification");
3472	YYERRORgoto yyerrlab;
3473	}
3474	free(yyvsp[0].v.string);
3475	}
3476	break;
3477	case 71:
3478	#line 796 "/usr/src/sbin/iked/parse.y"
3479	{
3480	char *buf;
3481
3482	if (asprintf(&buf, "%s/%lld", yyvsp[-2].v.string, yyvsp[0].v.number) == -1)
3483	err(1, "host: asprintf");
3484	free(yyvsp[-2].v.string);
3485	if ((yyval.v.host = host(buf)) == NULL((void *)0)) {
3486	free(buf);
3487	yyerror("could not parse host specification");
3488	YYERRORgoto yyerrlab;
3489	}
3490	free(buf);
3491	}
3492	break;
3493	case 72:
3494	#line 811 "/usr/src/sbin/iked/parse.y"
3495	{ yyval.v.host = yyvsp[0].v.host; }
3496	break;
3497	case 73:
3498	#line 812 "/usr/src/sbin/iked/parse.y"
3499	{
3500	if ((yyvsp[-3].v.host->af != AF_UNSPEC0) && (yyvsp[-1].v.host->af != AF_UNSPEC0) &&
3501	(yyvsp[-1].v.host->af != yyvsp[-3].v.host->af)) {
3502	yyerror("Flow NAT address family mismatch");
3503	YYERRORgoto yyerrlab;
3504	}
3505	yyval.v.host = yyvsp[-3].v.host;
3506	yyval.v.host->srcnat = yyvsp[-1].v.host;
3507	}
3508	break;
3509	case 74:
3510	#line 821 "/usr/src/sbin/iked/parse.y"
3511	{
3512	yyval.v.host = host_any();
3513	}
3514	break;
3515	case 75:
3516	#line 824 "/usr/src/sbin/iked/parse.y"
3517	{
3518	yyval.v.host = host_dynamic();
3519	}
3520	break;
3521	case 76:
3522	#line 829 "/usr/src/sbin/iked/parse.y"
3523	{
3524	yyval.v.ids.srcid = NULL((void *)0);
3525	yyval.v.ids.dstid = NULL((void *)0);
3526	}
3527	break;
3528	case 77:
3529	#line 833 "/usr/src/sbin/iked/parse.y"
3530	{
3531	yyval.v.ids.srcid = yyvsp[-2].v.id;
3532	yyval.v.ids.dstid = yyvsp[0].v.id;
3533	}
3534	break;
3535	case 78:
3536	#line 837 "/usr/src/sbin/iked/parse.y"
3537	{
3538	yyval.v.ids.srcid = yyvsp[0].v.id;
3539	yyval.v.ids.dstid = NULL((void *)0);
3540	}
3541	break;
3542	case 79:
3543	#line 841 "/usr/src/sbin/iked/parse.y"
3544	{
3545	yyval.v.ids.srcid = NULL((void *)0);
3546	yyval.v.ids.dstid = yyvsp[0].v.id;
3547	}
3548	break;
3549	case 80:
3550	#line 847 "/usr/src/sbin/iked/parse.y"
3551	{ yyval.v.id = yyvsp[0].v.string; }
3552	break;
3553	case 81:
3554	#line 850 "/usr/src/sbin/iked/parse.y"
3555	{
3556	if ((ipsec_transforms = calloc(1,
3557	sizeof(struct ipsec_transforms))) == NULL((void *)0))
3558	err(1, "transforms: calloc");
3559	}
3560	break;
3561	case 82:
3562	#line 855 "/usr/src/sbin/iked/parse.y"
3563	{
3564	yyval.v.transforms = ipsec_transforms;
3565	}
3566	break;
3567	case 83:
3568	#line 858 "/usr/src/sbin/iked/parse.y"
3569	{
3570	yyval.v.transforms = NULL((void *)0);
3571	}
3572	break;
3573	case 86:
3574	#line 867 "/usr/src/sbin/iked/parse.y"
3575	{
3576	const struct ipsec_xf **xfs = ipsec_transforms->authxf;
3577	size_t nxfs = ipsec_transforms->nauthxf;
3578	xfs = recallocarray(xfs, nxfs, nxfs + 1,
3579	sizeof(struct ipsec_xf *));
3580	if (xfs == NULL((void *)0))
3581	err(1, "transform: recallocarray");
3582	if ((xfs[nxfs] = parse_xf(yyvsp[0].v.string, 0, authxfs)) == NULL((void *)0)) {
3583	yyerror("%s not a valid transform", yyvsp[0].v.string);
3584	YYERRORgoto yyerrlab;
3585	}
3586	free(yyvsp[0].v.string);
3587	ipsec_transforms->authxf = xfs;
3588	ipsec_transforms->nauthxf++;
3589	}
3590	break;
3591	case 87:
3592	#line 882 "/usr/src/sbin/iked/parse.y"
3593	{
3594	const struct ipsec_xf **xfs = ipsec_transforms->encxf;
3595	size_t nxfs = ipsec_transforms->nencxf;
3596	xfs = recallocarray(xfs, nxfs, nxfs + 1,
3597	sizeof(struct ipsec_xf *));
3598	if (xfs == NULL((void *)0))
3599	err(1, "transform: recallocarray");
3600	if ((xfs[nxfs] = parse_xf(yyvsp[0].v.string, 0, encxfs)) == NULL((void *)0)) {
3601	yyerror("%s not a valid transform", yyvsp[0].v.string);
3602	YYERRORgoto yyerrlab;
3603	}
3604	free(yyvsp[0].v.string);
3605	ipsec_transforms->encxf = xfs;
3606	ipsec_transforms->nencxf++;
3607	}
3608	break;
3609	case 88:
3610	#line 897 "/usr/src/sbin/iked/parse.y"
3611	{
3612	const struct ipsec_xf **xfs = ipsec_transforms->prfxf;
3613	size_t nxfs = ipsec_transforms->nprfxf;
3614	xfs = recallocarray(xfs, nxfs, nxfs + 1,
3615	sizeof(struct ipsec_xf *));
3616	if (xfs == NULL((void *)0))
3617	err(1, "transform: recallocarray");
3618	if ((xfs[nxfs] = parse_xf(yyvsp[0].v.string, 0, prfxfs)) == NULL((void *)0)) {
3619	yyerror("%s not a valid transform", yyvsp[0].v.string);
3620	YYERRORgoto yyerrlab;
3621	}
3622	free(yyvsp[0].v.string);
3623	ipsec_transforms->prfxf = xfs;
3624	ipsec_transforms->nprfxf++;
3625	}
3626	break;
3627	case 89:
3628	#line 912 "/usr/src/sbin/iked/parse.y"
3629	{
3630	const struct ipsec_xf **xfs = ipsec_transforms->groupxf;
3631	size_t nxfs = ipsec_transforms->ngroupxf;
3632	xfs = recallocarray(xfs, nxfs, nxfs + 1,
3633	sizeof(struct ipsec_xf *));
3634	if (xfs == NULL((void *)0))
3635	err(1, "transform: recallocarray");
3636	if ((xfs[nxfs] = parse_xf(yyvsp[0].v.string, 0, groupxfs)) == NULL((void *)0)) {
3637	yyerror("%s not a valid transform", yyvsp[0].v.string);
3638	YYERRORgoto yyerrlab;
3639	}
3640	free(yyvsp[0].v.string);
3641	ipsec_transforms->groupxf = xfs;
3642	ipsec_transforms->ngroupxf++;
3643	}
3644	break;
3645	case 90:
3646	#line 927 "/usr/src/sbin/iked/parse.y"
3647	{
3648	const struct ipsec_xf **xfs = ipsec_transforms->esnxf;
3649	size_t nxfs = ipsec_transforms->nesnxf;
3650	xfs = recallocarray(xfs, nxfs, nxfs + 1,
3651	sizeof(struct ipsec_xf *));
3652	if (xfs == NULL((void *)0))
3653	err(1, "transform: recallocarray");
3654	if ((xfs[nxfs] = parse_xf(yyvsp[0].v.string, 0, esnxfs)) == NULL((void *)0)) {
3655	yyerror("%s not a valid transform", yyvsp[0].v.string);
3656	YYERRORgoto yyerrlab;
3657	}
3658	ipsec_transforms->esnxf = xfs;
3659	ipsec_transforms->nesnxf++;
3660	}
3661	break;
3662	case 91:
3663	#line 943 "/usr/src/sbin/iked/parse.y"
3664	{ yyval.v.string = "esn"; }
3665	break;
3666	case 92:
3667	#line 944 "/usr/src/sbin/iked/parse.y"
3668	{ yyval.v.string = "noesn"; }
3669	break;
3670	case 93:
3671	#line 947 "/usr/src/sbin/iked/parse.y"
3672	{
3673	if ((ipsec_mode = calloc(1,
3674	sizeof(struct ipsec_mode))) == NULL((void *)0))
3675	err(1, "ike_sas: calloc");
3676	}
3677	break;
3678	case 94:
3679	#line 952 "/usr/src/sbin/iked/parse.y"
3680	{
3681	yyval.v.mode = ipsec_mode;
3682	}
3683	break;
3684	case 95:
3685	#line 955 "/usr/src/sbin/iked/parse.y"
3686	{
3687	yyval.v.mode = NULL((void *)0);
3688	}
3689	break;
3690	case 98:
3691	#line 964 "/usr/src/sbin/iked/parse.y"
3692	{
3693	if ((ipsec_mode->xfs = recallocarray(ipsec_mode->xfs,
3694	ipsec_mode->nxfs, ipsec_mode->nxfs + 1,
3695	sizeof(struct ipsec_transforms ))) == NULL((void )0))
3696	err(1, "ike_sa: recallocarray");
3697	ipsec_mode->nxfs++;
3698	encxfs = ikeencxfs;
3699	}
3700	break;
3701	case 99:
3702	#line 971 "/usr/src/sbin/iked/parse.y"
3703	{
3704	ipsec_mode->xfs[ipsec_mode->nxfs - 1] = yyvsp[0].v.transforms;
3705	}
3706	break;
3707	case 100:
3708	#line 976 "/usr/src/sbin/iked/parse.y"
3709	{
3710	if ((ipsec_mode = calloc(1,
3711	sizeof(struct ipsec_mode))) == NULL((void *)0))
3712	err(1, "child_sas: calloc");
3713	}
3714	break;
3715	case 101:
3716	#line 981 "/usr/src/sbin/iked/parse.y"
3717	{
3718	yyval.v.mode = ipsec_mode;
3719	}
3720	break;
3721	case 102:
3722	#line 984 "/usr/src/sbin/iked/parse.y"
3723	{
3724	yyval.v.mode = NULL((void *)0);
3725	}
3726	break;
3727	case 105:
3728	#line 993 "/usr/src/sbin/iked/parse.y"
3729	{
3730	if ((ipsec_mode->xfs = recallocarray(ipsec_mode->xfs,
3731	ipsec_mode->nxfs, ipsec_mode->nxfs + 1,
3732	sizeof(struct ipsec_transforms ))) == NULL((void )0))
3733	err(1, "child_sa: recallocarray");
3734	ipsec_mode->nxfs++;
3735	encxfs = ipsecencxfs;
3736	}
3737	break;
3738	case 106:
3739	#line 1000 "/usr/src/sbin/iked/parse.y"
3740	{
3741	ipsec_mode->xfs[ipsec_mode->nxfs - 1] = yyvsp[0].v.transforms;
3742	}
3743	break;
3744	case 107:
3745	#line 1005 "/usr/src/sbin/iked/parse.y"
3746	{ yyval.v.ikemode = yyvsp[-3].v.ikemode \| yyvsp[-2].v.ikemode \| yyvsp[-1].v.ikemode \| yyvsp[0].v.ikemode; }
3747	break;
3748	case 108:
3749	#line 1008 "/usr/src/sbin/iked/parse.y"
3750	{ yyval.v.ikemode = 0; }
3751	break;
3752	case 109:
3753	#line 1009 "/usr/src/sbin/iked/parse.y"
3754	{ yyval.v.ikemode = IKED_POLICY_QUICK0x08; }
3755	break;
3756	case 110:
3757	#line 1010 "/usr/src/sbin/iked/parse.y"
3758	{ yyval.v.ikemode = IKED_POLICY_SKIP0x10; }
3759	break;
3760	case 111:
3761	#line 1011 "/usr/src/sbin/iked/parse.y"
3762	{ yyval.v.ikemode = IKED_POLICY_DEFAULT0x01; }
3763	break;
3764	case 112:
3765	#line 1014 "/usr/src/sbin/iked/parse.y"
3766	{ yyval.v.ikemode = IKED_POLICY_PASSIVE0x00; }
3767	break;
3768	case 113:
3769	#line 1015 "/usr/src/sbin/iked/parse.y"
3770	{ yyval.v.ikemode = IKED_POLICY_PASSIVE0x00; }
3771	break;
3772	case 114:
3773	#line 1016 "/usr/src/sbin/iked/parse.y"
3774	{ yyval.v.ikemode = IKED_POLICY_ACTIVE0x02; }
3775	break;
3776	case 115:
3777	#line 1019 "/usr/src/sbin/iked/parse.y"
3778	{ yyval.v.ikemode = 0; }
3779	break;
3780	case 116:
3781	#line 1020 "/usr/src/sbin/iked/parse.y"
3782	{ yyval.v.ikemode = IKED_POLICY_IPCOMP0x20; }
3783	break;
3784	case 117:
3785	#line 1023 "/usr/src/sbin/iked/parse.y"
3786	{ yyval.v.ikemode = 0; }
3787	break;
3788	case 118:
3789	#line 1024 "/usr/src/sbin/iked/parse.y"
3790	{ yyval.v.ikemode = 0; }
3791	break;
3792	case 119:
3793	#line 1025 "/usr/src/sbin/iked/parse.y"
3794	{ yyval.v.ikemode = IKED_POLICY_TRANSPORT0x40; }
3795	break;
3796	case 120:
3797	#line 1028 "/usr/src/sbin/iked/parse.y"
3798	{
3799	yyval.v.ikeauth.auth_method = IKEV2_AUTH_SIG_ANY255; /* default */
3800	yyval.v.ikeauth.auth_eap = 0;
3801	yyval.v.ikeauth.auth_length = 0;
3802	}
3803	break;
3804	case 121:
3805	#line 1033 "/usr/src/sbin/iked/parse.y"
3806	{
3807	memcpy(&yyval.v.ikeauth, &yyvsp[0].v.ikekey, sizeof(yyval.v.ikeauth));
3808	yyval.v.ikeauth.auth_method = IKEV2_AUTH_SHARED_KEY_MIC2;
3809	yyval.v.ikeauth.auth_eap = 0;
3810	explicit_bzero(&yyvsp[0].v.ikekey, sizeof(yyvsp[0].v.ikekey));
3811	}
3812	break;
3813	case 122:
3814	#line 1039 "/usr/src/sbin/iked/parse.y"
3815	{
3816	unsigned int i;
3817
3818	for (i = 0; i < strlen(yyvsp[0].v.string); i++)
3819	if (yyvsp[0].v.string[i] == '-')
3820	yyvsp[0].v.string[i] = '_';
3821
3822	if (strcasecmp("mschap_v2", yyvsp[0].v.string) != 0) {
3823	yyerror("unsupported EAP method: %s", yyvsp[0].v.string);
3824	free(yyvsp[0].v.string);
3825	YYERRORgoto yyerrlab;
3826	}
3827	free(yyvsp[0].v.string);
3828
3829	yyval.v.ikeauth.auth_method = IKEV2_AUTH_SIG_ANY255;
3830	yyval.v.ikeauth.auth_eap = EAP_TYPE_MSCHAP_V226;
3831	yyval.v.ikeauth.auth_length = 0;
3832	}
3833	break;
3834	case 123:
3835	#line 1057 "/usr/src/sbin/iked/parse.y"
3836	{
3837	const struct ipsec_xf *xf;
3838
3839	if ((xf = parse_xf(yyvsp[0].v.string, 0, methodxfs)) == NULL((void *)0) \|\|
3840	xf->id == IKEV2_AUTH_NONE0) {
3841	yyerror("not a valid authentication mode");
3842	free(yyvsp[0].v.string);
3843	YYERRORgoto yyerrlab;
3844	}
3845	free(yyvsp[0].v.string);
3846
3847	yyval.v.ikeauth.auth_method = xf->id;
3848	yyval.v.ikeauth.auth_eap = 0;
3849	yyval.v.ikeauth.auth_length = 0;
3850	}
3851	break;
3852	case 124:
3853	#line 1074 "/usr/src/sbin/iked/parse.y"
3854	{
3855	yyval.v.number = yyvsp[0].v.number;
3856	}
3857	break;
3858	case 125:
3859	#line 1077 "/usr/src/sbin/iked/parse.y"
3860	{
3861	uint64_t bytes = 0;
3862	char unit = 0;
3863
3864	if (sscanf(yyvsp[0].v.string, "%llu%c", &bytes, &unit) != 2) {
3865	yyerror("invalid byte specification: %s", yyvsp[0].v.string);
3866	YYERRORgoto yyerrlab;
3867	}
3868	free(yyvsp[0].v.string);
3869	switch (toupper((unsigned char)unit)) {
3870	case 'K':
3871	bytes *= 1024;
3872	break;
3873	case 'M':
3874	bytes = 1024 1024;
3875	break;
3876	case 'G':
3877	bytes = 1024 1024 * 1024;
3878	break;
3879	default:
3880	yyerror("invalid byte unit");
3881	YYERRORgoto yyerrlab;
3882	}
3883	yyval.v.number = bytes;
3884	}
3885	break;
3886	case 126:
3887	#line 1104 "/usr/src/sbin/iked/parse.y"
3888	{
3889	yyval.v.number = yyvsp[0].v.number;
3890	}
3891	break;
3892	case 127:
3893	#line 1107 "/usr/src/sbin/iked/parse.y"
3894	{
3895	uint64_t seconds = 0;
3896	char unit = 0;
3897
3898	if (sscanf(yyvsp[0].v.string, "%llu%c", &seconds, &unit) != 2) {
3899	yyerror("invalid time specification: %s", yyvsp[0].v.string);
3900	YYERRORgoto yyerrlab;
3901	}
3902	free(yyvsp[0].v.string);
3903	switch (tolower((unsigned char)unit)) {
3904	case 'm':
3905	seconds *= 60;
3906	break;
3907	case 'h':
3908	seconds = 60 60;
3909	break;
3910	default:
3911	yyerror("invalid time unit");
3912	YYERRORgoto yyerrlab;
3913	}
3914	yyval.v.number = seconds;
3915	}
3916	break;
3917	case 128:
3918	#line 1131 "/usr/src/sbin/iked/parse.y"
3919	{
3920	yyval.v.lifetime = deflifetime;
3921	}
3922	break;
3923	case 129:
3924	#line 1134 "/usr/src/sbin/iked/parse.y"
3925	{
3926	yyval.v.lifetime.lt_seconds = yyvsp[0].v.number;
3927	yyval.v.lifetime.lt_bytes = deflifetime.lt_bytes;
3928	}
3929	break;
3930	case 130:
3931	#line 1138 "/usr/src/sbin/iked/parse.y"
3932	{
3933	yyval.v.lifetime.lt_seconds = yyvsp[-2].v.number;
3934	yyval.v.lifetime.lt_bytes = yyvsp[0].v.number;
3935	}
3936	break;
3937	case 131:
3938	#line 1144 "/usr/src/sbin/iked/parse.y"
3939	{
3940	yyval.v.number = 0;
3941	}
3942	break;
3943	case 132:
3944	#line 1147 "/usr/src/sbin/iked/parse.y"
3945	{
3946	yyval.v.number = yyvsp[0].v.number;
3947	}
3948	break;
3949	case 133:
3950	#line 1151 "/usr/src/sbin/iked/parse.y"
3951	{
3952	uint8_t *hex;
3953
3954	bzero(&yyval.v.ikekey, sizeof(yyval.v.ikekey));
3955
3956	hex = yyvsp[0].v.string;
3957	if (strncmp(hex, "0x", 2) == 0) {
3958	hex += 2;
3959	if (parsekey(hex, strlen(hex), &yyval.v.ikekey) != 0) {
3960	free(yyvsp[0].v.string);
3961	YYERRORgoto yyerrlab;
3962	}
3963	} else {
3964	if (strlen(yyvsp[0].v.string) > sizeof(yyval.v.ikekey.auth_data)) {
3965	yyerror("psk too long");
3966	free(yyvsp[0].v.string);
3967	YYERRORgoto yyerrlab;
3968	}
3969	strlcpy(yyval.v.ikekey.auth_data, yyvsp[0].v.string,
3970	sizeof(yyval.v.ikekey.auth_data));
3971	yyval.v.ikekey.auth_length = strlen(yyvsp[0].v.string);
3972	}
3973	freezero(yyvsp[0].v.string, strlen(yyvsp[0].v.string));
3974	}
3975	break;
3976	case 134:
3977	#line 1175 "/usr/src/sbin/iked/parse.y"
3978	{
3979	if (parsekeyfile(yyvsp[0].v.string, &yyval.v.ikekey) != 0) {
3980	free(yyvsp[0].v.string);
3981	YYERRORgoto yyerrlab;
3982	}
3983	free(yyvsp[0].v.string);
3984	}
3985	break;
3986	case 135:
3987	#line 1184 "/usr/src/sbin/iked/parse.y"
3988	{
3989	if ((ipsec_filters = calloc(1,
3990	sizeof(struct ipsec_filters))) == NULL((void *)0))
3991	err(1, "filters: calloc");
3992	}
3993	break;
3994	case 136:
3995	#line 1189 "/usr/src/sbin/iked/parse.y"
3996	{
3997	yyval.v.filters = ipsec_filters;
3998	}
3999	break;
4000	case 137:
4001	#line 1192 "/usr/src/sbin/iked/parse.y"
4002	{
4003	yyval.v.filters = NULL((void *)0);
4004	}
4005	break;
4006	case 140:
4007	#line 1202 "/usr/src/sbin/iked/parse.y"
4008	{
4009	ipsec_filters->tag = yyvsp[0].v.string;
4010	}
4011	break;
4012	case 141:
4013	#line 1206 "/usr/src/sbin/iked/parse.y"
4014	{
4015	const char errstr = NULL((void )0);
4016	size_t len;
4017
4018	len = strcspn(yyvsp[0].v.string, "0123456789");
4019	if (strlen("enc") != len \|\|
4020	strncmp("enc", yyvsp[0].v.string, len) != 0) {
4021	yyerror("invalid tap interface name: %s", yyvsp[0].v.string);
4022	free(yyvsp[0].v.string);
4023	YYERRORgoto yyerrlab;
4024	}
4025	ipsec_filters->tap =
4026	strtonum(yyvsp[0].v.string + len, 0, UINT_MAX(2147483647 *2U +1U), &errstr);
4027	free(yyvsp[0].v.string);
4028	if (errstr != NULL((void *)0)) {
4029	yyerror("invalid tap interface unit: %s",
4030	errstr);
4031	YYERRORgoto yyerrlab;
4032	}
4033	}
4034	break;
4035	case 142:
4036	#line 1228 "/usr/src/sbin/iked/parse.y"
4037	{
4038	yyval.v.string = NULL((void *)0);
4039	}
4040	break;
4041	case 143:
4042	#line 1231 "/usr/src/sbin/iked/parse.y"
4043	{
4044	yyval.v.string = yyvsp[0].v.string;
4045	}
4046	break;
4047	case 144:
4048	#line 1236 "/usr/src/sbin/iked/parse.y"
4049	{
4050	if (asprintf(&yyval.v.string, "%s %s", yyvsp[-1].v.string, yyvsp[0].v.string) == -1)
4051	err(1, "string: asprintf");
4052	free(yyvsp[-1].v.string);
4053	free(yyvsp[0].v.string);
4054	}
4055	break;
4056	case 146:
4057	#line 1246 "/usr/src/sbin/iked/parse.y"
4058	{
4059	char *s = yyvsp[-2].v.string;
4060	log_debug("%s = \"%s\"\n", yyvsp[-2].v.string, yyvsp[0].v.string);
4061	while (*s++) {
4062	if (isspace((unsigned char)*s)) {
4063	yyerror("macro name cannot contain "
4064	"whitespace");
4065	free(yyvsp[-2].v.string);
4066	free(yyvsp[0].v.string);
4067	YYERRORgoto yyerrlab;
4068	}
4069	}
4070	if (symset(yyvsp[-2].v.string, yyvsp[0].v.string, 0) == -1)
4071	err(1, "cannot store variable");
4072	free(yyvsp[-2].v.string);
4073	free(yyvsp[0].v.string);
4074	}
4075	break;
4076	case 156:
4077	#line 1284 "/usr/src/sbin/iked/parse.y"
4078	{
4079	int c;
4080
4081	while ((c = lgetc(0)) != '\n' && c != EOF(-1))
4082	; /* nothing */
4083	if (c == '\n')
4084	lungetc(c);
4085	}
4086	break;
4087	#line 4080 "parse.c"
4088	}
4089	yyssp -= yym;
4090	yystate = *yyssp;
4091	yyvsp -= yym;
4092	yym = yylhs[yyn];
4093	if (yystate == 0 && yym == 0)
4094	{
4095	#if YYDEBUG0
4096	if (yydebug)
4097	printf("%sdebug: after reduction, shifting from state 0 to\
4098	state %d\n", YYPREFIX"yy", YYFINAL1);
4099	#endif
4100	yystate = YYFINAL1;
4101	*++yyssp = YYFINAL1;
4102	*++yyvsp = yyval;
4103	if (yychar < 0)
4104	{
4105	if ((yychar = yylex()) < 0) yychar = 0;
4106	#if YYDEBUG0
4107	if (yydebug)
4108	{
4109	yys = 0;
4110	if (yychar <= YYMAXTOKEN328) yys = yyname[yychar];
4111	if (!yys) yys = "illegal-symbol";
4112	printf("%sdebug: state %d, reading %d (%s)\n",
4113	YYPREFIX"yy", YYFINAL1, yychar, yys);
4114	}
4115	#endif
4116	}
4117	if (yychar == 0) goto yyaccept;
4118	goto yyloop;
4119	}
4120	if ((yyn = yygindex[yym]) && (yyn += yystate) >= 0 &&
4121	yyn <= YYTABLESIZE731 && yycheck[yyn] == yystate)
4122	yystate = yytable[yyn];
4123	else
4124	yystate = yydgoto[yym];
4125	#if YYDEBUG0
4126	if (yydebug)
4127	printf("%sdebug: after reduction, shifting from state %d \
4128	to state %d\n", YYPREFIX"yy", *yyssp, yystate);
4129	#endif
4130	if (yyssp >= yysslim && yygrowstack())
4131	{
4132	goto yyoverflow;
4133	}
4134	*++yyssp = yystate;
4135	*++yyvsp = yyval;
4136	goto yyloop;
4137	yyoverflow:
4138	yyerror("yacc stack overflow");
4139	yyabort:
4140	if (yyss)
4141	free(yyss);
4142	if (yyvs)
4143	free(yyvs);
4144	yyss = yyssp = NULL((void *)0);
4145	yyvs = yyvsp = NULL((void *)0);
4146	yystacksize = 0;
4147	return (1);
4148	yyaccept:
4149	if (yyss)
4150	free(yyss);
4151	if (yyvs)
4152	free(yyvs);
4153	yyss = yyssp = NULL((void *)0);
4154	yyvs = yyvsp = NULL((void *)0);
4155	yystacksize = 0;
4156	return (0);
4157	}