Bug Summary

File:src/sbin/iked/obj/parse.c
Warning:line 3364, column 29
Access to field 'port' results in a dereference of a null pointer (loaded from field 'dst')

Annotated Source Code

Press '?' to see keyboard shortcuts

clang -cc1 -cc1 -triple amd64-unknown-openbsd7.0 -analyze -disable-free -disable-llvm-verifier -discard-value-names -main-file-name parse.c -analyzer-store=region -analyzer-opt-analyze-nested-blocks -analyzer-checker=core -analyzer-checker=apiModeling -analyzer-checker=unix -analyzer-checker=deadcode -analyzer-checker=security.insecureAPI.UncheckedReturn -analyzer-checker=security.insecureAPI.getpw -analyzer-checker=security.insecureAPI.gets -analyzer-checker=security.insecureAPI.mktemp -analyzer-checker=security.insecureAPI.mkstemp -analyzer-checker=security.insecureAPI.vfork -analyzer-checker=nullability.NullPassedToNonnull -analyzer-checker=nullability.NullReturnedFromNonnull -analyzer-output plist -w -setup-static-analyzer -mrelocation-model pic -pic-level 1 -pic-is-pie -mframe-pointer=all -relaxed-aliasing -fno-rounding-math -mconstructor-aliases -munwind-tables -target-cpu x86-64 -target-feature +retpoline-indirect-calls -target-feature +retpoline-indirect-branches -tune-cpu generic -debugger-tuning=gdb -fcoverage-compilation-dir=/usr/src/sbin/iked/obj -resource-dir /usr/local/lib/clang/13.0.0 -I /usr/src/sbin/iked -internal-isystem /usr/local/lib/clang/13.0.0/include -internal-externc-isystem /usr/include -O2 -fdebug-compilation-dir=/usr/src/sbin/iked/obj -ferror-limit 19 -fwrapv -D_RET_PROTECTOR -ret-protector -fgnuc-version=4.2.1 -vectorize-loops -vectorize-slp -fno-builtin-malloc -fno-builtin-calloc -fno-builtin-realloc -fno-builtin-valloc -fno-builtin-free -fno-builtin-strdup -fno-builtin-strndup -analyzer-output=html -faddrsig -D__GCC_HAVE_DWARF2_CFI_ASM=1 -o /home/ben/Projects/vmm/scan-build/2022-01-12-194120-40624-1 -x c parse.c
1#include <stdlib.h>
2#include <string.h>
3#define YYBYACC1 1
4#define YYMAJOR1 1
5#define YYMINOR9 9
6#define YYLEXyylex() yylex()
7#define YYEMPTY-1 -1
8#define yyclearin(yychar=(-1)) (yychar=(YYEMPTY-1))
9#define yyerrok(yyerrflag=0) (yyerrflag=0)
10#define YYRECOVERING()(yyerrflag!=0) (yyerrflag!=0)
11#define YYPREFIX"yy" "yy"
12#line 26 "/usr/src/sbin/iked/parse.y"
13#include <sys/types.h>
14#include <sys/ioctl.h>
15#include <sys/queue.h>
16#include <sys/socket.h>
17#include <sys/stat.h>
18#include <net/if.h>
19#include <netinet/in.h>
20#include <netinet/ip_ipsp.h>
21#include <arpa/inet.h>
22
23#include <ctype.h>
24#include <err.h>
25#include <errno(*__errno()).h>
26#include <fcntl.h>
27#include <ifaddrs.h>
28#include <limits.h>
29#include <netdb.h>
30#include <stdarg.h>
31#include <stdio.h>
32#include <stdlib.h>
33#include <string.h>
34#include <syslog.h>
35#include <unistd.h>
36#include <netdb.h>
37#include <event.h>
38
39#include "iked.h"
40#include "ikev2.h"
41#include "eap.h"
42
43TAILQ_HEAD(files, file)struct files { struct file *tqh_first; struct file **tqh_last
; } files = TAILQ_HEAD_INITIALIZER(files){ ((void *)0), &(files).tqh_first };
44static struct file {
45 TAILQ_ENTRY(file)struct { struct file *tqe_next; struct file **tqe_prev; } entry;
46 FILE *stream;
47 char *name;
48 size_t ungetpos;
49 size_t ungetsize;
50 u_char *ungetbuf;
51 int eof_reached;
52 int lineno;
53 int errors;
54} *file, *topfile;
55struct file *pushfile(const char *, int);
56int popfile(void);
57int check_file_secrecy(int, const char *);
58int yyparse(void);
59int yylex(void);
60int yyerror(const char *, ...)
61 __attribute__((__format__ (printf, 1, 2)))
62 __attribute__((__nonnull__ (1)));
63int kw_cmp(const void *, const void *);
64int lookup(char *);
65int igetc(void);
66int lgetc(int);
67void lungetc(int);
68int findeol(void);
69
70TAILQ_HEAD(symhead, sym)struct symhead { struct sym *tqh_first; struct sym **tqh_last
; } symhead = TAILQ_HEAD_INITIALIZER(symhead){ ((void *)0), &(symhead).tqh_first };
71struct sym {
72 TAILQ_ENTRY(sym)struct { struct sym *tqe_next; struct sym **tqe_prev; } entry;
73 int used;
74 int persist;
75 char *nam;
76 char *val;
77};
78int symset(const char *, const char *, int);
79char *symget(const char *);
80
81#define KEYSIZE_LIMIT1024 1024
82
83static struct iked *env = NULL((void *)0);
84static int debug = 0;
85static int rules = 0;
86static int passive = 0;
87static int decouple = 0;
88static int mobike = 1;
89static int enforcesingleikesa = 0;
90static int stickyaddress = 0;
91static int fragmentation = 0;
92static int dpd_interval = IKED_IKE_SA_ALIVE_TIMEOUT60;
93static char *ocsp_url = NULL((void *)0);
94static long ocsp_tolerate = 0;
95static long ocsp_maxage = -1;
96static int cert_partial_chain = 0;
97
98struct iked_transform ikev2_default_ike_transforms[] = {
99 { IKEV2_XFORMTYPE_ENCR1, IKEV2_XFORMENCR_AES_CBC12, 256 },
100 { IKEV2_XFORMTYPE_ENCR1, IKEV2_XFORMENCR_AES_CBC12, 192 },
101 { IKEV2_XFORMTYPE_ENCR1, IKEV2_XFORMENCR_AES_CBC12, 128 },
102 { IKEV2_XFORMTYPE_ENCR1, IKEV2_XFORMENCR_3DES3 },
103 { IKEV2_XFORMTYPE_PRF2, IKEV2_XFORMPRF_HMAC_SHA2_2565 },
104 { IKEV2_XFORMTYPE_PRF2, IKEV2_XFORMPRF_HMAC_SHA2_3846 },
105 { IKEV2_XFORMTYPE_PRF2, IKEV2_XFORMPRF_HMAC_SHA2_5127 },
106 { IKEV2_XFORMTYPE_PRF2, IKEV2_XFORMPRF_HMAC_SHA12 },
107 { IKEV2_XFORMTYPE_INTEGR3, IKEV2_XFORMAUTH_HMAC_SHA2_256_12812 },
108 { IKEV2_XFORMTYPE_INTEGR3, IKEV2_XFORMAUTH_HMAC_SHA2_384_19213 },
109 { IKEV2_XFORMTYPE_INTEGR3, IKEV2_XFORMAUTH_HMAC_SHA2_512_25614 },
110 { IKEV2_XFORMTYPE_INTEGR3, IKEV2_XFORMAUTH_HMAC_SHA1_962 },
111 { IKEV2_XFORMTYPE_DH4, IKEV2_XFORMDH_CURVE2551931 },
112 { IKEV2_XFORMTYPE_DH4, IKEV2_XFORMDH_ECP_52121 },
113 { IKEV2_XFORMTYPE_DH4, IKEV2_XFORMDH_ECP_38420 },
114 { IKEV2_XFORMTYPE_DH4, IKEV2_XFORMDH_ECP_25619 },
115 { IKEV2_XFORMTYPE_DH4, IKEV2_XFORMDH_MODP_409616 },
116 { IKEV2_XFORMTYPE_DH4, IKEV2_XFORMDH_MODP_307215 },
117 { IKEV2_XFORMTYPE_DH4, IKEV2_XFORMDH_MODP_204814 },
118 { IKEV2_XFORMTYPE_DH4, IKEV2_XFORMDH_MODP_15365 },
119 { IKEV2_XFORMTYPE_DH4, IKEV2_XFORMDH_MODP_10242 },
120 { 0 }
121};
122size_t ikev2_default_nike_transforms = ((sizeof(ikev2_default_ike_transforms) /
123 sizeof(ikev2_default_ike_transforms[0])) - 1);
124
125struct iked_transform ikev2_default_ike_transforms_noauth[] = {
126 { IKEV2_XFORMTYPE_ENCR1, IKEV2_XFORMENCR_AES_GCM_1620, 128 },
127 { IKEV2_XFORMTYPE_ENCR1, IKEV2_XFORMENCR_AES_GCM_1620, 256 },
128 { IKEV2_XFORMTYPE_PRF2, IKEV2_XFORMPRF_HMAC_SHA2_2565 },
129 { IKEV2_XFORMTYPE_PRF2, IKEV2_XFORMPRF_HMAC_SHA2_3846 },
130 { IKEV2_XFORMTYPE_PRF2, IKEV2_XFORMPRF_HMAC_SHA2_5127 },
131 { IKEV2_XFORMTYPE_PRF2, IKEV2_XFORMPRF_HMAC_SHA12 },
132 { IKEV2_XFORMTYPE_DH4, IKEV2_XFORMDH_CURVE2551931 },
133 { IKEV2_XFORMTYPE_DH4, IKEV2_XFORMDH_ECP_52121 },
134 { IKEV2_XFORMTYPE_DH4, IKEV2_XFORMDH_ECP_38420 },
135 { IKEV2_XFORMTYPE_DH4, IKEV2_XFORMDH_ECP_25619 },
136 { IKEV2_XFORMTYPE_DH4, IKEV2_XFORMDH_MODP_409616 },
137 { IKEV2_XFORMTYPE_DH4, IKEV2_XFORMDH_MODP_307215 },
138 { IKEV2_XFORMTYPE_DH4, IKEV2_XFORMDH_MODP_204814 },
139 { IKEV2_XFORMTYPE_DH4, IKEV2_XFORMDH_MODP_15365 },
140 { IKEV2_XFORMTYPE_DH4, IKEV2_XFORMDH_MODP_10242 },
141 { 0 }
142};
143size_t ikev2_default_nike_transforms_noauth =
144 ((sizeof(ikev2_default_ike_transforms_noauth) /
145 sizeof(ikev2_default_ike_transforms_noauth[0])) - 1);
146
147struct iked_transform ikev2_default_esp_transforms[] = {
148 { IKEV2_XFORMTYPE_ENCR1, IKEV2_XFORMENCR_AES_CBC12, 256 },
149 { IKEV2_XFORMTYPE_ENCR1, IKEV2_XFORMENCR_AES_CBC12, 192 },
150 { IKEV2_XFORMTYPE_ENCR1, IKEV2_XFORMENCR_AES_CBC12, 128 },
151 { IKEV2_XFORMTYPE_INTEGR3, IKEV2_XFORMAUTH_HMAC_SHA2_256_12812 },
152 { IKEV2_XFORMTYPE_INTEGR3, IKEV2_XFORMAUTH_HMAC_SHA2_384_19213 },
153 { IKEV2_XFORMTYPE_INTEGR3, IKEV2_XFORMAUTH_HMAC_SHA2_512_25614 },
154 { IKEV2_XFORMTYPE_INTEGR3, IKEV2_XFORMAUTH_HMAC_SHA1_962 },
155 { IKEV2_XFORMTYPE_DH4, IKEV2_XFORMDH_NONE0 },
156 { IKEV2_XFORMTYPE_ESN5, IKEV2_XFORMESN_ESN1 },
157 { IKEV2_XFORMTYPE_ESN5, IKEV2_XFORMESN_NONE0 },
158 { 0 }
159};
160size_t ikev2_default_nesp_transforms = ((sizeof(ikev2_default_esp_transforms) /
161 sizeof(ikev2_default_esp_transforms[0])) - 1);
162
163struct iked_transform ikev2_default_esp_transforms_noauth[] = {
164 { IKEV2_XFORMTYPE_ENCR1, IKEV2_XFORMENCR_AES_GCM_1620, 128 },
165 { IKEV2_XFORMTYPE_ENCR1, IKEV2_XFORMENCR_AES_GCM_1620, 256 },
166 { IKEV2_XFORMTYPE_DH4, IKEV2_XFORMDH_NONE0 },
167 { IKEV2_XFORMTYPE_ESN5, IKEV2_XFORMESN_ESN1 },
168 { IKEV2_XFORMTYPE_ESN5, IKEV2_XFORMESN_NONE0 },
169 { 0 }
170};
171size_t ikev2_default_nesp_transforms_noauth =
172 ((sizeof(ikev2_default_esp_transforms_noauth) /
173 sizeof(ikev2_default_esp_transforms_noauth[0])) - 1);
174
175const struct ipsec_xf authxfs[] = {
176 { "hmac-md5", IKEV2_XFORMAUTH_HMAC_MD5_961, 16 },
177 { "hmac-sha1", IKEV2_XFORMAUTH_HMAC_SHA1_962, 20 },
178 { "hmac-sha2-256", IKEV2_XFORMAUTH_HMAC_SHA2_256_12812, 32 },
179 { "hmac-sha2-384", IKEV2_XFORMAUTH_HMAC_SHA2_384_19213, 48 },
180 { "hmac-sha2-512", IKEV2_XFORMAUTH_HMAC_SHA2_512_25614, 64 },
181 { NULL((void *)0) }
182};
183
184const struct ipsec_xf prfxfs[] = {
185 { "hmac-md5", IKEV2_XFORMPRF_HMAC_MD51, 16 },
186 { "hmac-sha1", IKEV2_XFORMPRF_HMAC_SHA12, 20 },
187 { "hmac-sha2-256", IKEV2_XFORMPRF_HMAC_SHA2_2565, 32 },
188 { "hmac-sha2-384", IKEV2_XFORMPRF_HMAC_SHA2_3846, 48 },
189 { "hmac-sha2-512", IKEV2_XFORMPRF_HMAC_SHA2_5127, 64 },
190 { NULL((void *)0) }
191};
192
193const struct ipsec_xf *encxfs = NULL((void *)0);
194
195const struct ipsec_xf ikeencxfs[] = {
196 { "3des", IKEV2_XFORMENCR_3DES3, 24 },
197 { "3des-cbc", IKEV2_XFORMENCR_3DES3, 24 },
198 { "aes-128", IKEV2_XFORMENCR_AES_CBC12, 16, 16 },
199 { "aes-192", IKEV2_XFORMENCR_AES_CBC12, 24, 24 },
200 { "aes-256", IKEV2_XFORMENCR_AES_CBC12, 32, 32 },
201 { "aes-128-gcm", IKEV2_XFORMENCR_AES_GCM_1620, 16, 16, 4, 1 },
202 { "aes-256-gcm", IKEV2_XFORMENCR_AES_GCM_1620, 32, 32, 4, 1 },
203 { "aes-128-gcm-12", IKEV2_XFORMENCR_AES_GCM_1219, 16, 16, 4, 1 },
204 { "aes-256-gcm-12", IKEV2_XFORMENCR_AES_GCM_1219, 32, 32, 4, 1 },
205 { NULL((void *)0) }
206};
207
208const struct ipsec_xf ipsecencxfs[] = {
209 { "3des", IKEV2_XFORMENCR_3DES3, 24 },
210 { "3des-cbc", IKEV2_XFORMENCR_3DES3, 24 },
211 { "aes-128", IKEV2_XFORMENCR_AES_CBC12, 16, 16 },
212 { "aes-192", IKEV2_XFORMENCR_AES_CBC12, 24, 24 },
213 { "aes-256", IKEV2_XFORMENCR_AES_CBC12, 32, 32 },
214 { "aes-128-ctr", IKEV2_XFORMENCR_AES_CTR13, 16, 16, 4 },
215 { "aes-192-ctr", IKEV2_XFORMENCR_AES_CTR13, 24, 24, 4 },
216 { "aes-256-ctr", IKEV2_XFORMENCR_AES_CTR13, 32, 32, 4 },
217 { "aes-128-gcm", IKEV2_XFORMENCR_AES_GCM_1620, 16, 16, 4, 1 },
218 { "aes-192-gcm", IKEV2_XFORMENCR_AES_GCM_1620, 24, 24, 4, 1 },
219 { "aes-256-gcm", IKEV2_XFORMENCR_AES_GCM_1620, 32, 32, 4, 1 },
220 { "aes-128-gmac", IKEV2_XFORMENCR_NULL_AES_GMAC21, 16, 16, 4, 1 },
221 { "aes-192-gmac", IKEV2_XFORMENCR_NULL_AES_GMAC21, 24, 24, 4, 1 },
222 { "aes-256-gmac", IKEV2_XFORMENCR_NULL_AES_GMAC21, 32, 32, 4, 1 },
223 { "blowfish", IKEV2_XFORMENCR_BLOWFISH7, 20, 20 },
224 { "cast", IKEV2_XFORMENCR_CAST6, 16, 16 },
225 { "chacha20-poly1305", IKEV2_XFORMENCR_CHACHA20_POLY130528,
226 32, 32, 4, 1 },
227 { "null", IKEV2_XFORMENCR_NULL11, 0, 0 },
228 { NULL((void *)0) }
229};
230
231const struct ipsec_xf groupxfs[] = {
232 { "none", IKEV2_XFORMDH_NONE0 },
233 { "modp768", IKEV2_XFORMDH_MODP_7681 },
234 { "grp1", IKEV2_XFORMDH_MODP_7681 },
235 { "modp1024", IKEV2_XFORMDH_MODP_10242 },
236 { "grp2", IKEV2_XFORMDH_MODP_10242 },
237 { "modp1536", IKEV2_XFORMDH_MODP_15365 },
238 { "grp5", IKEV2_XFORMDH_MODP_15365 },
239 { "modp2048", IKEV2_XFORMDH_MODP_204814 },
240 { "grp14", IKEV2_XFORMDH_MODP_204814 },
241 { "modp3072", IKEV2_XFORMDH_MODP_307215 },
242 { "grp15", IKEV2_XFORMDH_MODP_307215 },
243 { "modp4096", IKEV2_XFORMDH_MODP_409616 },
244 { "grp16", IKEV2_XFORMDH_MODP_409616 },
245 { "modp6144", IKEV2_XFORMDH_MODP_614417 },
246 { "grp17", IKEV2_XFORMDH_MODP_614417 },
247 { "modp8192", IKEV2_XFORMDH_MODP_819218 },
248 { "grp18", IKEV2_XFORMDH_MODP_819218 },
249 { "ecp256", IKEV2_XFORMDH_ECP_25619 },
250 { "grp19", IKEV2_XFORMDH_ECP_25619 },
251 { "ecp384", IKEV2_XFORMDH_ECP_38420 },
252 { "grp20", IKEV2_XFORMDH_ECP_38420 },
253 { "ecp521", IKEV2_XFORMDH_ECP_52121 },
254 { "grp21", IKEV2_XFORMDH_ECP_52121 },
255 { "ecp192", IKEV2_XFORMDH_ECP_19225 },
256 { "grp25", IKEV2_XFORMDH_ECP_19225 },
257 { "ecp224", IKEV2_XFORMDH_ECP_22426 },
258 { "grp26", IKEV2_XFORMDH_ECP_22426 },
259 { "brainpool224", IKEV2_XFORMDH_BRAINPOOL_P224R127 },
260 { "grp27", IKEV2_XFORMDH_BRAINPOOL_P224R127 },
261 { "brainpool256", IKEV2_XFORMDH_BRAINPOOL_P256R128 },
262 { "grp28", IKEV2_XFORMDH_BRAINPOOL_P256R128 },
263 { "brainpool384", IKEV2_XFORMDH_BRAINPOOL_P384R129 },
264 { "grp29", IKEV2_XFORMDH_BRAINPOOL_P384R129 },
265 { "brainpool512", IKEV2_XFORMDH_BRAINPOOL_P512R130 },
266 { "grp30", IKEV2_XFORMDH_BRAINPOOL_P512R130 },
267 { "curve25519", IKEV2_XFORMDH_CURVE2551931 },
268 { "grp31", IKEV2_XFORMDH_CURVE2551931 },
269 { "sntrup761x25519", IKEV2_XFORMDH_X_SNTRUP761X255191035 },
270 { NULL((void *)0) }
271};
272
273const struct ipsec_xf esnxfs[] = {
274 { "esn", IKEV2_XFORMESN_ESN1 },
275 { "noesn", IKEV2_XFORMESN_NONE0 },
276 { NULL((void *)0) }
277};
278
279const struct ipsec_xf methodxfs[] = {
280 { "none", IKEV2_AUTH_NONE0 },
281 { "rsa", IKEV2_AUTH_RSA_SIG1 },
282 { "ecdsa256", IKEV2_AUTH_ECDSA_2569 },
283 { "ecdsa384", IKEV2_AUTH_ECDSA_38410 },
284 { "ecdsa521", IKEV2_AUTH_ECDSA_52111 },
285 { "rfc7427", IKEV2_AUTH_SIG14 },
286 { "signature", IKEV2_AUTH_SIG_ANY255 },
287 { NULL((void *)0) }
288};
289
290const struct ipsec_xf saxfs[] = {
291 { "esp", IKEV2_SAPROTO_ESP3 },
292 { "ah", IKEV2_SAPROTO_AH2 },
293 { NULL((void *)0) }
294};
295
296const struct ipsec_xf cpxfs[] = {
297 { "address", IKEV2_CFG_INTERNAL_IP4_ADDRESS1, AF_INET2 },
298 { "netmask", IKEV2_CFG_INTERNAL_IP4_NETMASK2, AF_INET2 },
299 { "name-server", IKEV2_CFG_INTERNAL_IP4_DNS3, AF_INET2 },
300 { "netbios-server", IKEV2_CFG_INTERNAL_IP4_NBNS4, AF_INET2 },
301 { "dhcp-server", IKEV2_CFG_INTERNAL_IP4_DHCP6, AF_INET2 },
302 { "address", IKEV2_CFG_INTERNAL_IP6_ADDRESS8, AF_INET624 },
303 { "name-server", IKEV2_CFG_INTERNAL_IP6_DNS10, AF_INET624 },
304 { "netbios-server", IKEV2_CFG_INTERNAL_IP6_NBNS11, AF_INET624 },
305 { "dhcp-server", IKEV2_CFG_INTERNAL_IP6_DHCP12, AF_INET624 },
306 { "protected-subnet", IKEV2_CFG_INTERNAL_IP4_SUBNET13, AF_INET2 },
307 { "protected-subnet", IKEV2_CFG_INTERNAL_IP6_SUBNET15, AF_INET624 },
308 { "access-server", IKEV2_CFG_INTERNAL_IP4_SERVER23456, AF_INET2 },
309 { "access-server", IKEV2_CFG_INTERNAL_IP6_SERVER23457, AF_INET624 },
310 { NULL((void *)0) }
311};
312
313const struct iked_lifetime deflifetime = {
314 IKED_LIFETIME_BYTES4294967296,
315 IKED_LIFETIME_SECONDS10800
316};
317
318#define IPSEC_ADDR_ANY(0x1) (0x1)
319#define IPSEC_ADDR_DYNAMIC(0x2) (0x2)
320
321struct ipsec_addr_wrap {
322 struct sockaddr_storage address;
323 uint8_t mask;
324 int netaddress;
325 sa_family_t af;
326 unsigned int type;
327 unsigned int action;
328 uint16_t port;
329 char *name;
330 struct ipsec_addr_wrap *next;
331 struct ipsec_addr_wrap *tail;
332 struct ipsec_addr_wrap *srcnat;
333};
334
335struct ipsec_hosts {
336 struct ipsec_addr_wrap *src;
337 struct ipsec_addr_wrap *dst;
338};
339
340struct ipsec_filters {
341 char *tag;
342 unsigned int tap;
343};
344
345void copy_sockaddrtoipa(struct ipsec_addr_wrap *,
346 struct sockaddr *);
347struct ipsec_addr_wrap *host(const char *);
348struct ipsec_addr_wrap *host_ip(const char *, int);
349struct ipsec_addr_wrap *host_dns(const char *, int);
350struct ipsec_addr_wrap *host_if(const char *, int);
351struct ipsec_addr_wrap *host_any(void);
352struct ipsec_addr_wrap *host_dynamic(void);
353void ifa_load(void);
354int ifa_exists(const char *);
355struct ipsec_addr_wrap *ifa_lookup(const char *ifa_name);
356struct ipsec_addr_wrap *ifa_grouplookup(const char *);
357void set_ipmask(struct ipsec_addr_wrap *, int);
358const struct ipsec_xf *parse_xf(const char *, unsigned int,
359 const struct ipsec_xf *);
360void copy_transforms(unsigned int,
361 const struct ipsec_xf **, unsigned int,
362 struct iked_transform **, unsigned int *,
363 struct iked_transform *, size_t);
364int create_ike(char *, int, struct ipsec_addr_wrap *,
365 int, struct ipsec_hosts *,
366 struct ipsec_hosts *, struct ipsec_mode *,
367 struct ipsec_mode *, uint8_t,
368 uint8_t, char *, char *,
369 uint32_t, struct iked_lifetime *,
370 struct iked_auth *, struct ipsec_filters *,
371 struct ipsec_addr_wrap *, char *);
372int create_user(const char *, const char *);
373int get_id_type(char *);
374uint8_t x2i(unsigned char *);
375int parsekey(unsigned char *, size_t, struct iked_auth *);
376int parsekeyfile(char *, struct iked_auth *);
377void iaw_free(struct ipsec_addr_wrap *);
378static int create_flow(struct iked_policy *pol, int, struct ipsec_addr_wrap *ipa,
379 struct ipsec_addr_wrap *ipb);
380static int expand_flows(struct iked_policy *, int, struct ipsec_addr_wrap *,
381 struct ipsec_addr_wrap *);
382static struct ipsec_addr_wrap *
383 expand_keyword(struct ipsec_addr_wrap *);
384
385struct ipsec_transforms *ipsec_transforms;
386struct ipsec_filters *ipsec_filters;
387struct ipsec_mode *ipsec_mode;
388/* interface lookup routintes */
389struct ipsec_addr_wrap *iftab;
390
391typedef struct {
392 union {
393 int64_t number;
394 uint8_t ikemode;
395 uint8_t dir;
396 uint8_t satype;
397 char *string;
398 uint16_t port;
399 struct ipsec_hosts *hosts;
400 struct ipsec_hosts peers;
401 struct ipsec_addr_wrap *anyhost;
402 struct ipsec_addr_wrap *host;
403 struct ipsec_addr_wrap *cfg;
404 struct ipsec_addr_wrap *proto;
405 struct {
406 char *srcid;
407 char *dstid;
408 } ids;
409 char *id;
410 uint8_t type;
411 struct iked_lifetime lifetime;
412 struct iked_auth ikeauth;
413 struct iked_auth ikekey;
414 struct ipsec_transforms *transforms;
415 struct ipsec_filters *filters;
416 struct ipsec_mode *mode;
417 } v;
418 int lineno;
419} YYSTYPE;
420
421#line 422 "parse.c"
422#define FROM257 257
423#define ESP258 258
424#define AH259 259
425#define IN260 260
426#define PEER261 261
427#define ON262 262
428#define OUT263 263
429#define TO264 264
430#define SRCID265 265
431#define DSTID266 266
432#define PSK267 267
433#define PORT268 268
434#define FILENAME269 269
435#define AUTHXF270 270
436#define PRFXF271 271
437#define ENCXF272 272
438#define ERROR273 273
439#define IKEV2274 274
440#define IKESA275 275
441#define CHILDSA276 276
442#define ESN277 277
443#define NOESN278 278
444#define PASSIVE279 279
445#define ACTIVE280 280
446#define ANY281 281
447#define TAG282 282
448#define TAP283 283
449#define PROTO284 284
450#define LOCAL285 285
451#define GROUP286 286
452#define NAME287 287
453#define CONFIG288 288
454#define EAP289 289
455#define USER290 290
456#define IKEV1291 291
457#define FLOW292 292
458#define SA293 293
459#define TCPMD5294 294
460#define TUNNEL295 295
461#define TRANSPORT296 296
462#define COUPLE297 297
463#define DECOUPLE298 298
464#define SET299 299
465#define INCLUDE300 300
466#define LIFETIME301 301
467#define BYTES302 302
468#define INET303 303
469#define INET6304 304
470#define QUICK305 305
471#define SKIP306 306
472#define DEFAULT307 307
473#define IPCOMP308 308
474#define OCSP309 309
475#define IKELIFETIME310 310
476#define MOBIKE311 311
477#define NOMOBIKE312 312
478#define RDOMAIN313 313
479#define FRAGMENTATION314 314
480#define NOFRAGMENTATION315 315
481#define DPD_CHECK_INTERVAL316 316
482#define ENFORCESINGLEIKESA317 317
483#define NOENFORCESINGLEIKESA318 318
484#define STICKYADDRESS319 319
485#define NOSTICKYADDRESS320 320
486#define TOLERATE321 321
487#define MAXAGE322 322
488#define DYNAMIC323 323
489#define CERTPARTIALCHAIN324 324
490#define REQUEST325 325
491#define IFACE326 326
492#define STRING327 327
493#define NUMBER328 328
494#define YYERRCODE256 256
495const short yylhs[] =
496 { -1,
497 0, 0, 0, 0, 0, 0, 0, 0, 0, 46,
498 46, 39, 40, 40, 40, 40, 40, 40, 40, 40,
499 40, 40, 40, 40, 40, 40, 40, 40, 40, 41,
500 42, 36, 36, 37, 37, 35, 35, 33, 33, 2,
501 2, 2, 10, 10, 10, 3, 3, 3, 4, 4,
502 5, 5, 11, 11, 7, 7, 6, 6, 8, 8,
503 9, 9, 12, 12, 12, 12, 12, 13, 13, 15,
504 15, 14, 14, 14, 14, 16, 16, 16, 16, 17,
505 48, 18, 18, 47, 47, 49, 49, 49, 49, 49,
506 38, 38, 51, 27, 27, 50, 50, 53, 52, 55,
507 28, 28, 54, 54, 57, 56, 20, 21, 21, 21,
508 21, 22, 22, 22, 23, 23, 24, 24, 24, 25,
509 25, 25, 25, 30, 30, 31, 31, 29, 29, 29,
510 32, 32, 26, 26, 59, 19, 19, 58, 58, 60,
511 60, 34, 34, 1, 1, 43, 44, 44, 44, 44,
512 61, 61, 61, 61, 61, 45,
513};
514const short yylen[] =
515 { 2,
516 0, 3, 2, 3, 3, 3, 3, 4, 3, 1,
517 0, 2, 2, 2, 2, 2, 2, 2, 2, 2,
518 2, 2, 2, 2, 3, 5, 7, 2, 3, 3,
519 18, 0, 1, 1, 2, 3, 3, 0, 1, 0,
520 1, 1, 0, 1, 1, 0, 2, 4, 1, 3,
521 1, 1, 0, 2, 1, 3, 6, 6, 0, 2,
522 1, 1, 0, 4, 4, 2, 2, 1, 1, 1,
523 3, 1, 4, 1, 1, 0, 4, 2, 2, 1,
524 0, 2, 0, 2, 1, 2, 2, 2, 2, 1,
525 1, 1, 0, 2, 0, 2, 1, 0, 3, 0,
526 2, 0, 2, 1, 0, 3, 4, 0, 1, 1,
527 1, 0, 1, 1, 0, 1, 0, 1, 1, 0,
528 2, 2, 1, 1, 1, 1, 1, 0, 2, 4,
529 0, 2, 1, 2, 0, 2, 0, 2, 1, 2,
530 2, 0, 2, 2, 1, 3, 1, 1, 1, 1,
531 1, 1, 1, 1, 1, 0,
532};
533const short yydefred[] =
534 { 1,
535 0, 0, 152, 153, 0, 0, 147, 149, 151, 150,
536 154, 155, 0, 0, 0, 3, 0, 0, 0, 0,
537 0, 156, 148, 9, 39, 0, 0, 14, 13, 15,
538 16, 0, 19, 20, 17, 18, 0, 21, 22, 23,
539 24, 28, 12, 0, 2, 4, 5, 6, 7, 0,
540 109, 110, 111, 0, 0, 30, 0, 29, 145, 0,
541 8, 41, 42, 0, 113, 114, 0, 0, 144, 44,
542 45, 0, 116, 0, 127, 126, 0, 0, 0, 118,
543 119, 107, 0, 51, 52, 0, 47, 0, 0, 27,
544 0, 49, 54, 0, 0, 55, 0, 10, 48, 0,
545 74, 75, 0, 0, 0, 0, 0, 0, 0, 0,
546 50, 0, 0, 0, 0, 0, 69, 0, 68, 0,
547 0, 0, 56, 71, 61, 62, 60, 0, 0, 0,
548 0, 0, 0, 0, 98, 0, 97, 0, 73, 0,
549 64, 65, 0, 0, 0, 105, 0, 104, 0, 96,
550 57, 58, 80, 0, 79, 0, 0, 0, 103, 99,
551 0, 0, 132, 0, 0, 106, 0, 0, 0, 91,
552 92, 0, 90, 0, 85, 77, 0, 0, 0, 123,
553 0, 86, 88, 87, 89, 84, 0, 0, 133, 121,
554 122, 0, 0, 34, 0, 0, 125, 124, 130, 134,
555 0, 0, 0, 0, 35, 36, 37, 143, 31, 0,
556 0, 0, 0, 139, 140, 141, 138,
557};
558const short yydgoto[] =
559 { 1,
560 60, 64, 79, 91, 87, 96, 97, 114, 127, 72,
561 89, 109, 118, 104, 119, 145, 154, 160, 209, 54,
562 55, 67, 74, 82, 181, 190, 121, 133, 165, 199,
563 77, 157, 26, 204, 194, 195, 196, 173, 17, 18,
564 19, 20, 21, 22, 50, 100, 174, 161, 175, 136,
565 122, 137, 149, 147, 134, 148, 158, 213, 210, 214,
566 23,
567};
568const short yysindex[] =
569 { 0,
570 184, 13, 0, 0, -302, -289, 0, 0, 0, 0,
571 0, 0, -89, -269, -5, 0, 50, 59, 66, 71,
572 74, 0, 0, 0, 0, -233, -228, 0, 0, 0,
573 0, -223, 0, 0, 0, 0, -239, 0, 0, 0,
574 0, 0, 0, -218, 0, 0, 0, 0, 0, 122,
575 0, 0, 0, -216, -200, 0, -180, 0, 0, -183,
576 0, 0, 0, -192, 0, 0, -158, -226, 0, 0,
577 0, -123, 0, -174, 0, 0, -160, -121, -150, 0,
578 0, 0, -226, 0, 0, -203, 0, -162, -238, 0,
579 -38, 0, 0, -270, -270, 0, -43, 0, 0, -203,
580 0, 0, 123, -97, 134, -97, -268, -268, 0, -238,
581 0, -149, -190, -86, -147, -74, 0, -101, 0, -73,
582 0, -83, 0, 0, 0, 0, 0, -270, 145, -270,
583 -268, -268, -120, -87, 0, -83, 0, -97, 0, -97,
584 0, 0, -140, -140, -117, 0, -87, 0, 0, 0,
585 0, 0, 0, -68, 0, -226, -102, 0, 0, 0,
586 -75, -140, 0, -226, -257, 0, -127, -126, -115, 0,
587 0, -114, 0, -75, 0, 0, -98, -262, -113, 0,
588 -271, 0, 0, 0, 0, 0, -179, -112, 0, 0,
589 0, -111, -110, 0, -116, -271, 0, 0, 0, 0,
590 -147, -268, -108, 0, 0, 0, 0, 0, 0, -125,
591 -106, -103, -125, 0, 0, 0, 0,};
592const short yyrindex[] =
593 { 0,
594 0, 0, 0, 0, -213, 0, 0, 0, 0, 0,
595 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
596 0, 0, 0, 0, 0, -161, 0, 0, 0, 0,
597 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
598 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
599 0, 0, 0, -196, -131, 0, 195, 0, 0, 222,
600 0, 0, 0, -236, 0, 0, -128, 0, 0, 0,
601 0, -249, 0, -144, 0, 0, 223, 0, -202, 0,
602 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
603 -173, 0, 0, 0, 0, 0, 171, 0, 0, 0,
604 0, 0, -10, -28, 19, -19, 0, 0, 224, 0,
605 0, 0, 0, 0, 0, 0, 0, 227, 0, 257,
606 323, 0, 0, 0, 0, 0, 0, 0, 0, 0,
607 0, 0, 358, 0, 0, 355, 0, 95, 0, 95,
608 0, 0, 0, 0, 372, 0, 369, 0, 65, 0,
609 0, 0, 0, 404, 0, 0, 106, 141, 0, 0,
610 0, 0, 0, 0, 75, 0, 0, 0, 0, 0,
611 0, 0, 0, 303, 0, 0, 238, 0, 0, 0,
612 -1, 0, 0, 0, 0, 0, 0, 0, 0, 0,
613 0, 0, 0, 0, 6, 23, 0, 0, 0, 0,
614 0, 0, 0, 10, 0, 0, 0, 0, 0, 0,
615 0, 0, 229, 0, 0, 0, 0,};
616const short yygindex[] =
617 { 0,
618 0, 0, 0, 0, -59, 130, 0, -88, 0, 0,
619 0, 0, -96, -81, -91, 0, -122, 83, 0, 0,
620 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
621 -78, 0, 0, 0, 47, 0, 0, 0, 0, 0,
622 0, 0, 0, 0, 0, 147, 0, 0, 72, 0,
623 0, 109, 0, 0, 0, 102, 0, 0, 0, 37,
624 0,
625};
626#define YYTABLESIZE731 731
627const short yytable[] =
628 { 70,
629 98, 86, 105, 105, 90, 98, 188, 46, 32, 178,
630 101, 120, 117, 106, 46, 142, 192, 116, 94, 137,
631 43, 155, 24, 129, 25, 95, 92, 43, 72, 70,
632 70, 179, 33, 70, 141, 142, 105, 27, 105, 176,
633 111, 62, 63, 38, 38, 38, 138, 43, 140, 151,
634 38, 152, 102, 193, 53, 44, 103, 43, 103, 45,
635 40, 53, 72, 46, 189, 38, 38, 40, 46, 180,
636 38, 51, 52, 53, 83, 47, 43, 163, 65, 66,
637 48, 38, 38, 49, 120, 177, 99, 40, 58, 38,
638 38, 38, 38, 38, 38, 108, 108, 108, 56, 38,
639 75, 76, 108, 57, 59, 207, 40, 40, 59, 206,
640 70, 71, 117, 117, 117, 128, 40, 108, 108, 117,
641 80, 81, 108, 84, 85, 112, 112, 112, 115, 115,
642 115, 61, 112, 108, 108, 115, 125, 126, 59, 117,
643 68, 108, 108, 69, 143, 144, 108, 197, 198, 73,
644 83, 108, 112, 11, 11, 115, 211, 212, 117, 117,
645 78, 83, 88, 112, 112, 93, 115, 115, 117, 112,
646 113, 112, 112, 115, 115, 115, 112, 128, 124, 103,
647 63, 112, 130, 131, 115, 139, 153, 132, 146, 28,
648 29, 135, 156, 16, 167, 168, 169, 162, 164, 182,
649 183, 170, 171, 187, 25, 84, 85, 30, 31, 203,
650 172, 184, 185, 191, 200, 201, 202, 107, 208, 32,
651 215, 33, 34, 216, 35, 36, 37, 38, 39, 40,
652 41, 146, 26, 95, 42, 59, 66, 59, 136, 123,
653 166, 108, 205, 110, 150, 186, 70, 129, 159, 217,
654 70, 0, 0, 70, 70, 70, 70, 70, 0, 0,
655 0, 0, 0, 0, 70, 70, 67, 0, 0, 0,
656 0, 70, 70, 0, 70, 72, 0, 70, 70, 72,
657 32, 32, 72, 72, 72, 72, 72, 142, 142, 0,
658 70, 135, 135, 72, 72, 0, 0, 0, 0, 70,
659 72, 72, 0, 72, 33, 33, 72, 72, 0, 0,
660 0, 0, 82, 0, 70, 70, 70, 0, 0, 72,
661 0, 0, 0, 0, 32, 0, 0, 0, 72, 83,
662 83, 83, 102, 0, 81, 81, 81, 0, 0, 83,
663 83, 81, 81, 72, 72, 72, 83, 83, 33, 0,
664 81, 59, 83, 83, 0, 59, 120, 120, 59, 59,
665 59, 59, 120, 0, 94, 83, 0, 76, 0, 59,
666 59, 0, 128, 0, 83, 0, 59, 59, 101, 59,
667 0, 131, 59, 59, 0, 0, 0, 128, 128, 83,
668 83, 83, 0, 128, 128, 59, 0, 0, 0, 120,
669 120, 0, 0, 0, 59, 83, 83, 83, 0, 0,
670 81, 81, 81, 78, 0, 0, 83, 81, 81, 59,
671 59, 59, 83, 83, 0, 0, 81, 11, 83, 83,
672 128, 128, 128, 0, 11, 63, 63, 63, 0, 2,
673 3, 83, 0, 0, 0, 63, 63, 4, 0, 0,
674 83, 0, 63, 63, 0, 0, 0, 5, 63, 63,
675 0, 0, 0, 0, 0, 83, 83, 83, 0, 0,
676 0, 63, 0, 6, 7, 8, 9, 10, 11, 12,
677 63, 0, 13, 14, 0, 0, 0, 0, 95, 95,
678 95, 66, 66, 66, 0, 63, 63, 63, 93, 95,
679 0, 66, 66, 0, 129, 95, 95, 0, 66, 66,
680 15, 95, 95, 0, 66, 66, 0, 0, 0, 129,
681 129, 67, 67, 67, 95, 129, 129, 66, 0, 0,
682 0, 67, 67, 95, 0, 0, 66, 0, 67, 67,
683 0, 0, 0, 0, 67, 67, 0, 0, 95, 95,
684 95, 66, 66, 66, 0, 0, 0, 67, 0, 0,
685 0, 0, 129, 129, 129, 0, 67, 82, 82, 82,
686 0, 0, 0, 0, 0, 0, 0, 82, 82, 0,
687 0, 67, 67, 67, 82, 82, 0, 102, 102, 102,
688 82, 82, 0, 0, 0, 0, 0, 0, 100, 0,
689 0, 0, 0, 82, 102, 102, 0, 0, 0, 0,
690 102, 102, 82, 0, 0, 0, 0, 0, 0, 94,
691 94, 94, 0, 102, 76, 0, 0, 82, 82, 82,
692 94, 0, 102, 101, 101, 101, 94, 94, 131, 76,
693 76, 0, 94, 94, 0, 76, 76, 102, 102, 102,
694 101, 101, 0, 131, 131, 94, 101, 101, 76, 131,
695 131, 0, 0, 0, 94, 0, 0, 76, 0, 101,
696 78, 0, 131, 0, 0, 0, 0, 0, 101, 94,
697 94, 94, 76, 76, 76, 78, 78, 0, 0, 0,
698 0, 78, 78, 101, 101, 101, 131, 131, 131, 0,
699 0, 0, 0, 0, 78, 0, 0, 0, 0, 0,
700 0, 0, 0, 78, 0, 0, 0, 0, 0, 0,
701 0, 0, 0, 0, 0, 0, 0, 0, 78, 78,
702 78,
703};
704const short yycheck[] =
705 { 10,
706 44, 123, 94, 95, 83, 44, 269, 257, 10, 267,
707 281, 108, 281, 95, 264, 10, 288, 106, 257, 10,
708 257, 144, 10, 115, 327, 264, 86, 264, 10, 40,
709 41, 289, 10, 44, 131, 132, 128, 327, 130, 162,
710 100, 258, 259, 257, 258, 259, 128, 284, 130, 138,
711 264, 140, 323, 325, 257, 61, 327, 327, 327, 10,
712 257, 264, 44, 313, 327, 279, 280, 264, 10, 327,
713 284, 305, 306, 307, 10, 10, 313, 156, 279, 280,
714 10, 295, 296, 10, 10, 164, 125, 284, 328, 303,
715 304, 305, 306, 307, 308, 257, 258, 259, 327, 313,
716 327, 328, 264, 327, 10, 202, 303, 304, 327, 201,
717 303, 304, 257, 258, 259, 10, 313, 279, 280, 264,
718 295, 296, 284, 327, 328, 257, 258, 259, 257, 258,
719 259, 10, 264, 295, 296, 264, 327, 328, 44, 284,
720 321, 303, 304, 327, 265, 266, 308, 327, 328, 308,
721 10, 313, 284, 327, 328, 284, 282, 283, 303, 304,
722 284, 322, 313, 295, 296, 328, 295, 296, 313, 47,
723 268, 303, 304, 40, 303, 304, 308, 264, 328, 327,
724 10, 313, 257, 285, 313, 41, 327, 261, 276, 279,
725 280, 275, 310, 10, 270, 271, 272, 266, 301, 327,
726 327, 277, 278, 302, 10, 327, 328, 297, 298, 326,
727 286, 327, 327, 327, 327, 327, 327, 261, 327, 309,
728 327, 311, 312, 327, 314, 315, 316, 317, 318, 319,
729 320, 10, 10, 10, 324, 264, 10, 257, 10, 110,
730 158, 285, 196, 97, 136, 174, 257, 10, 147, 213,
731 261, -1, -1, 264, 265, 266, 267, 268, -1, -1,
732 -1, -1, -1, -1, 275, 276, 10, -1, -1, -1,
733 -1, 282, 283, -1, 285, 257, -1, 288, 289, 261,
734 282, 283, 264, 265, 266, 267, 268, 282, 283, -1,
735 301, 282, 283, 275, 276, -1, -1, -1, -1, 310,
736 282, 283, -1, 285, 282, 283, 288, 289, -1, -1,
737 -1, -1, 10, -1, 325, 326, 327, -1, -1, 301,
738 -1, -1, -1, -1, 326, -1, -1, -1, 310, 265,
739 266, 267, 10, -1, 270, 271, 272, -1, -1, 275,
740 276, 277, 278, 325, 326, 327, 282, 283, 326, -1,
741 286, 257, 288, 289, -1, 261, 282, 283, 264, 265,
742 266, 267, 288, -1, 10, 301, -1, 10, -1, 275,
743 276, -1, 267, -1, 310, -1, 282, 283, 10, 285,
744 -1, 10, 288, 289, -1, -1, -1, 282, 283, 325,
745 326, 327, -1, 288, 289, 301, -1, -1, -1, 325,
746 326, -1, -1, -1, 310, 265, 266, 267, -1, -1,
747 270, 271, 272, 10, -1, -1, 276, 277, 278, 325,
748 326, 327, 282, 283, -1, -1, 286, 257, 288, 289,
749 325, 326, 327, -1, 264, 265, 266, 267, -1, 256,
750 257, 301, -1, -1, -1, 275, 276, 264, -1, -1,
751 310, -1, 282, 283, -1, -1, -1, 274, 288, 289,
752 -1, -1, -1, -1, -1, 325, 326, 327, -1, -1,
753 -1, 301, -1, 290, 291, 292, 293, 294, 295, 296,
754 310, -1, 299, 300, -1, -1, -1, -1, 265, 266,
755 267, 265, 266, 267, -1, 325, 326, 327, 275, 276,
756 -1, 275, 276, -1, 267, 282, 283, -1, 282, 283,
757 327, 288, 289, -1, 288, 289, -1, -1, -1, 282,
758 283, 265, 266, 267, 301, 288, 289, 301, -1, -1,
759 -1, 275, 276, 310, -1, -1, 310, -1, 282, 283,
760 -1, -1, -1, -1, 288, 289, -1, -1, 325, 326,
761 327, 325, 326, 327, -1, -1, -1, 301, -1, -1,
762 -1, -1, 325, 326, 327, -1, 310, 265, 266, 267,
763 -1, -1, -1, -1, -1, -1, -1, 275, 276, -1,
764 -1, 325, 326, 327, 282, 283, -1, 265, 266, 267,
765 288, 289, -1, -1, -1, -1, -1, -1, 276, -1,
766 -1, -1, -1, 301, 282, 283, -1, -1, -1, -1,
767 288, 289, 310, -1, -1, -1, -1, -1, -1, 265,
768 266, 267, -1, 301, 267, -1, -1, 325, 326, 327,
769 276, -1, 310, 265, 266, 267, 282, 283, 267, 282,
770 283, -1, 288, 289, -1, 288, 289, 325, 326, 327,
771 282, 283, -1, 282, 283, 301, 288, 289, 301, 288,
772 289, -1, -1, -1, 310, -1, -1, 310, -1, 301,
773 267, -1, 301, -1, -1, -1, -1, -1, 310, 325,
774 326, 327, 325, 326, 327, 282, 283, -1, -1, -1,
775 -1, 288, 289, 325, 326, 327, 325, 326, 327, -1,
776 -1, -1, -1, -1, 301, -1, -1, -1, -1, -1,
777 -1, -1, -1, 310, -1, -1, -1, -1, -1, -1,
778 -1, -1, -1, -1, -1, -1, -1, -1, 325, 326,
779 327,
780};
781#define YYFINAL1 1
782#ifndef YYDEBUG0
783#define YYDEBUG0 0
784#endif
785#define YYMAXTOKEN328 328
786#if YYDEBUG0
787const char * const yyname[] =
788 {
789"end-of-file",0,0,0,0,0,0,0,0,0,"'\\n'",0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
7900,0,0,0,0,0,0,0,0,"'('","')'",0,0,"','",0,0,"'/'",0,0,0,0,0,0,0,0,0,0,0,0,0,
791"'='",0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
7920,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,"'{'",0,"'}'",0,0,0,0,0,0,0,0,0,
7930,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
7940,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
7950,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
7960,0,"FROM","ESP","AH","IN","PEER","ON","OUT","TO","SRCID","DSTID","PSK","PORT",
797"FILENAME","AUTHXF","PRFXF","ENCXF","ERROR","IKEV2","IKESA","CHILDSA","ESN",
798"NOESN","PASSIVE","ACTIVE","ANY","TAG","TAP","PROTO","LOCAL","GROUP","NAME",
799"CONFIG","EAP","USER","IKEV1","FLOW","SA","TCPMD5","TUNNEL","TRANSPORT",
800"COUPLE","DECOUPLE","SET","INCLUDE","LIFETIME","BYTES","INET","INET6","QUICK",
801"SKIP","DEFAULT","IPCOMP","OCSP","IKELIFETIME","MOBIKE","NOMOBIKE","RDOMAIN",
802"FRAGMENTATION","NOFRAGMENTATION","DPD_CHECK_INTERVAL","ENFORCESINGLEIKESA",
803"NOENFORCESINGLEIKESA","STICKYADDRESS","NOSTICKYADDRESS","TOLERATE","MAXAGE",
804"DYNAMIC","CERTPARTIALCHAIN","REQUEST","IFACE","STRING","NUMBER",
805};
806const char * const yyrule[] =
807 {"$accept : grammar",
808"grammar :",
809"grammar : grammar include '\\n'",
810"grammar : grammar '\\n'",
811"grammar : grammar set '\\n'",
812"grammar : grammar user '\\n'",
813"grammar : grammar ikev2rule '\\n'",
814"grammar : grammar varset '\\n'",
815"grammar : grammar otherrule skipline '\\n'",
816"grammar : grammar error '\\n'",
817"comma : ','",
818"comma :",
819"include : INCLUDE STRING",
820"set : SET ACTIVE",
821"set : SET PASSIVE",
822"set : SET COUPLE",
823"set : SET DECOUPLE",
824"set : SET FRAGMENTATION",
825"set : SET NOFRAGMENTATION",
826"set : SET MOBIKE",
827"set : SET NOMOBIKE",
828"set : SET ENFORCESINGLEIKESA",
829"set : SET NOENFORCESINGLEIKESA",
830"set : SET STICKYADDRESS",
831"set : SET NOSTICKYADDRESS",
832"set : SET OCSP STRING",
833"set : SET OCSP STRING TOLERATE time_spec",
834"set : SET OCSP STRING TOLERATE time_spec MAXAGE time_spec",
835"set : SET CERTPARTIALCHAIN",
836"set : SET DPD_CHECK_INTERVAL NUMBER",
837"user : USER STRING STRING",
838"ikev2rule : IKEV2 name ikeflags satype af proto rdomain hosts_list peers ike_sas child_sas ids ikelifetime lifetime ikeauth ikecfg iface filters",
839"ikecfg :",
840"ikecfg : ikecfgvals",
841"ikecfgvals : cfg",
842"ikecfgvals : ikecfgvals cfg",
843"cfg : CONFIG STRING host_spec",
844"cfg : REQUEST STRING anyhost",
845"name :",
846"name : STRING",
847"satype :",
848"satype : ESP",
849"satype : AH",
850"af :",
851"af : INET",
852"af : INET6",
853"proto :",
854"proto : PROTO protoval",
855"proto : PROTO '{' proto_list '}'",
856"proto_list : protoval",
857"proto_list : proto_list comma protoval",
858"protoval : STRING",
859"protoval : NUMBER",
860"rdomain :",
861"rdomain : RDOMAIN NUMBER",
862"hosts_list : hosts",
863"hosts_list : hosts_list comma hosts",
864"hosts : FROM host port TO host port",
865"hosts : TO host port FROM host port",
866"port :",
867"port : PORT portval",
868"portval : STRING",
869"portval : NUMBER",
870"peers :",
871"peers : PEER anyhost LOCAL anyhost",
872"peers : LOCAL anyhost PEER anyhost",
873"peers : PEER anyhost",
874"peers : LOCAL anyhost",
875"anyhost : host_spec",
876"anyhost : ANY",
877"host_spec : STRING",
878"host_spec : STRING '/' NUMBER",
879"host : host_spec",
880"host : host_spec '(' host_spec ')'",
881"host : ANY",
882"host : DYNAMIC",
883"ids :",
884"ids : SRCID id DSTID id",
885"ids : SRCID id",
886"ids : DSTID id",
887"id : STRING",
888"$$1 :",
889"transforms : $$1 transforms_l",
890"transforms :",
891"transforms_l : transforms_l transform",
892"transforms_l : transform",
893"transform : AUTHXF STRING",
894"transform : ENCXF STRING",
895"transform : PRFXF STRING",
896"transform : GROUP STRING",
897"transform : transform_esn",
898"transform_esn : ESN",
899"transform_esn : NOESN",
900"$$2 :",
901"ike_sas : $$2 ike_sas_l",
902"ike_sas :",
903"ike_sas_l : ike_sas_l ike_sa",
904"ike_sas_l : ike_sa",
905"$$3 :",
906"ike_sa : IKESA $$3 transforms",
907"$$4 :",
908"child_sas : $$4 child_sas_l",
909"child_sas :",
910"child_sas_l : child_sas_l child_sa",
911"child_sas_l : child_sa",
912"$$5 :",
913"child_sa : CHILDSA $$5 transforms",
914"ikeflags : ikematch ikemode ipcomp tmode",
915"ikematch :",
916"ikematch : QUICK",
917"ikematch : SKIP",
918"ikematch : DEFAULT",
919"ikemode :",
920"ikemode : PASSIVE",
921"ikemode : ACTIVE",
922"ipcomp :",
923"ipcomp : IPCOMP",
924"tmode :",
925"tmode : TUNNEL",
926"tmode : TRANSPORT",
927"ikeauth :",
928"ikeauth : PSK keyspec",
929"ikeauth : EAP STRING",
930"ikeauth : STRING",
931"byte_spec : NUMBER",
932"byte_spec : STRING",
933"time_spec : NUMBER",
934"time_spec : STRING",
935"lifetime :",
936"lifetime : LIFETIME time_spec",
937"lifetime : LIFETIME time_spec BYTES byte_spec",
938"ikelifetime :",
939"ikelifetime : IKELIFETIME time_spec",
940"keyspec : STRING",
941"keyspec : FILENAME STRING",
942"$$6 :",
943"filters : $$6 filters_l",
944"filters :",
945"filters_l : filters_l filter",
946"filters_l : filter",
947"filter : TAG STRING",
948"filter : TAP STRING",
949"iface :",
950"iface : IFACE STRING",
951"string : string STRING",
952"string : STRING",
953"varset : STRING '=' string",
954"otherrule : IKEV1",
955"otherrule : sarule",
956"otherrule : FLOW",
957"otherrule : TCPMD5",
958"sarule : SA",
959"sarule : FROM",
960"sarule : TO",
961"sarule : TUNNEL",
962"sarule : TRANSPORT",
963"skipline :",
964};
965#endif
966#ifdef YYSTACKSIZE10000
967#undef YYMAXDEPTH10000
968#define YYMAXDEPTH10000 YYSTACKSIZE10000
969#else
970#ifdef YYMAXDEPTH10000
971#define YYSTACKSIZE10000 YYMAXDEPTH10000
972#else
973#define YYSTACKSIZE10000 10000
974#define YYMAXDEPTH10000 10000
975#endif
976#endif
977#define YYINITSTACKSIZE200 200
978/* LINTUSED */
979int yydebug;
980int yynerrs;
981int yyerrflag;
982int yychar;
983short *yyssp;
984YYSTYPE *yyvsp;
985YYSTYPE yyval;
986YYSTYPE yylval;
987short *yyss;
988short *yysslim;
989YYSTYPE *yyvs;
990unsigned int yystacksize;
991int yyparse(void);
992#line 1294 "/usr/src/sbin/iked/parse.y"
993
994struct keywords {
995 const char *k_name;
996 int k_val;
997};
998
999void
1000copy_sockaddrtoipa(struct ipsec_addr_wrap *ipa, struct sockaddr *sa)
1001{
1002 if (sa->sa_family == AF_INET624)
1003 memcpy(&ipa->address, sa, sizeof(struct sockaddr_in6));
1004 else if (sa->sa_family == AF_INET2)
1005 memcpy(&ipa->address, sa, sizeof(struct sockaddr_in));
1006 else
1007 warnx("unhandled af %d", sa->sa_family);
1008}
1009
1010int
1011yyerror(const char *fmt, ...)
1012{
1013 va_list ap;
1014
1015 file->errors++;
1016 va_start(ap, fmt)__builtin_va_start(ap, fmt);
1017 fprintf(stderr(&__sF[2]), "%s: %d: ", file->name, yylval.lineno);
1018 vfprintf(stderr(&__sF[2]), fmt, ap);
1019 fprintf(stderr(&__sF[2]), "\n");
1020 va_end(ap)__builtin_va_end(ap);
1021 return (0);
1022}
1023
1024int
1025kw_cmp(const void *k, const void *e)
1026{
1027 return (strcmp(k, ((const struct keywords *)e)->k_name));
1028}
1029
1030int
1031lookup(char *s)
1032{
1033 /* this has to be sorted always */
1034 static const struct keywords keywords[] = {
1035 { "active", ACTIVE280 },
1036 { "ah", AH259 },
1037 { "any", ANY281 },
1038 { "auth", AUTHXF270 },
1039 { "bytes", BYTES302 },
1040 { "cert_partial_chain", CERTPARTIALCHAIN324 },
1041 { "childsa", CHILDSA276 },
1042 { "config", CONFIG288 },
1043 { "couple", COUPLE297 },
1044 { "decouple", DECOUPLE298 },
1045 { "default", DEFAULT307 },
1046 { "dpd_check_interval", DPD_CHECK_INTERVAL316 },
1047 { "dstid", DSTID266 },
1048 { "dynamic", DYNAMIC323 },
1049 { "eap", EAP289 },
1050 { "enc", ENCXF272 },
1051 { "enforcesingleikesa", ENFORCESINGLEIKESA317 },
1052 { "esn", ESN277 },
1053 { "esp", ESP258 },
1054 { "file", FILENAME269 },
1055 { "flow", FLOW292 },
1056 { "fragmentation", FRAGMENTATION314 },
1057 { "from", FROM257 },
1058 { "group", GROUP286 },
1059 { "iface", IFACE326 },
1060 { "ike", IKEV1291 },
1061 { "ikelifetime", IKELIFETIME310 },
1062 { "ikesa", IKESA275 },
1063 { "ikev2", IKEV2274 },
1064 { "include", INCLUDE300 },
1065 { "inet", INET303 },
1066 { "inet6", INET6304 },
1067 { "ipcomp", IPCOMP308 },
1068 { "lifetime", LIFETIME301 },
1069 { "local", LOCAL285 },
1070 { "maxage", MAXAGE322 },
1071 { "mobike", MOBIKE311 },
1072 { "name", NAME287 },
1073 { "noenforcesingleikesa", NOENFORCESINGLEIKESA318 },
1074 { "noesn", NOESN278 },
1075 { "nofragmentation", NOFRAGMENTATION315 },
1076 { "nomobike", NOMOBIKE312 },
1077 { "nostickyaddress", NOSTICKYADDRESS320 },
1078 { "ocsp", OCSP309 },
1079 { "passive", PASSIVE279 },
1080 { "peer", PEER261 },
1081 { "port", PORT268 },
1082 { "prf", PRFXF271 },
1083 { "proto", PROTO284 },
1084 { "psk", PSK267 },
1085 { "quick", QUICK305 },
1086 { "rdomain", RDOMAIN313 },
1087 { "request", REQUEST325 },
1088 { "sa", SA293 },
1089 { "set", SET299 },
1090 { "skip", SKIP306 },
1091 { "srcid", SRCID265 },
1092 { "stickyaddress", STICKYADDRESS319 },
1093 { "tag", TAG282 },
1094 { "tap", TAP283 },
1095 { "tcpmd5", TCPMD5294 },
1096 { "to", TO264 },
1097 { "tolerate", TOLERATE321 },
1098 { "transport", TRANSPORT296 },
1099 { "tunnel", TUNNEL295 },
1100 { "user", USER290 }
1101 };
1102 const struct keywords *p;
1103
1104 p = bsearch(s, keywords, sizeof(keywords)/sizeof(keywords[0]),
1105 sizeof(keywords[0]), kw_cmp);
1106
1107 if (p) {
1108 if (debug > 1)
1109 fprintf(stderr(&__sF[2]), "%s: %d\n", s, p->k_val);
1110 return (p->k_val);
1111 } else {
1112 if (debug > 1)
1113 fprintf(stderr(&__sF[2]), "string: %s\n", s);
1114 return (STRING327);
1115 }
1116}
1117
1118#define START_EXPAND1 1
1119#define DONE_EXPAND2 2
1120
1121static int expanding;
1122
1123int
1124igetc(void)
1125{
1126 int c;
1127
1128 while (1) {
1129 if (file->ungetpos > 0)
1130 c = file->ungetbuf[--file->ungetpos];
1131 else
1132 c = getc(file->stream)(!__isthreaded ? (--(file->stream)->_r < 0 ? __srget
(file->stream) : (int)(*(file->stream)->_p++)) : (getc
)(file->stream));
1133
1134 if (c == START_EXPAND1)
1135 expanding = 1;
1136 else if (c == DONE_EXPAND2)
1137 expanding = 0;
1138 else
1139 break;
1140 }
1141 return (c);
1142}
1143
1144int
1145lgetc(int quotec)
1146{
1147 int c, next;
1148
1149 if (quotec) {
1150 if ((c = igetc()) == EOF(-1)) {
1151 yyerror("reached end of file while parsing "
1152 "quoted string");
1153 if (file == topfile || popfile() == EOF(-1))
1154 return (EOF(-1));
1155 return (quotec);
1156 }
1157 return (c);
1158 }
1159
1160 while ((c = igetc()) == '\\') {
1161 next = igetc();
1162 if (next != '\n') {
1163 c = next;
1164 break;
1165 }
1166 yylval.lineno = file->lineno;
1167 file->lineno++;
1168 }
1169
1170 while (c == EOF(-1)) {
1171 /*
1172 * Fake EOL when hit EOF for the first time. This gets line
1173 * count right if last line in included file is syntactically
1174 * invalid and has no newline.
1175 */
1176 if (file->eof_reached == 0) {
1177 file->eof_reached = 1;
1178 return ('\n');
1179 }
1180 while (c == EOF(-1)) {
1181 if (file == topfile || popfile() == EOF(-1))
1182 return (EOF(-1));
1183 c = igetc();
1184 }
1185 }
1186 return (c);
1187}
1188
1189void
1190lungetc(int c)
1191{
1192 if (c == EOF(-1))
1193 return;
1194
1195 if (file->ungetpos >= file->ungetsize) {
1196 void *p = reallocarray(file->ungetbuf, file->ungetsize, 2);
1197 if (p == NULL((void *)0))
1198 err(1, "lungetc");
1199 file->ungetbuf = p;
1200 file->ungetsize *= 2;
1201 }
1202 file->ungetbuf[file->ungetpos++] = c;
1203}
1204
1205int
1206findeol(void)
1207{
1208 int c;
1209
1210 /* skip to either EOF or the first real EOL */
1211 while (1) {
1212 c = lgetc(0);
1213 if (c == '\n') {
1214 file->lineno++;
1215 break;
1216 }
1217 if (c == EOF(-1))
1218 break;
1219 }
1220 return (ERROR273);
1221}
1222
1223int
1224yylex(void)
1225{
1226 char buf[8096];
1227 char *p, *val;
1228 int quotec, next, c;
1229 int token;
1230
1231top:
1232 p = buf;
1233 while ((c = lgetc(0)) == ' ' || c == '\t')
1234 ; /* nothing */
1235
1236 yylval.lineno = file->lineno;
1237 if (c == '#')
1238 while ((c = lgetc(0)) != '\n' && c != EOF(-1))
1239 ; /* nothing */
1240 if (c == '$' && !expanding) {
1241 while (1) {
1242 if ((c = lgetc(0)) == EOF(-1))
1243 return (0);
1244
1245 if (p + 1 >= buf + sizeof(buf) - 1) {
1246 yyerror("string too long");
1247 return (findeol());
1248 }
1249 if (isalnum(c) || c == '_') {
1250 *p++ = c;
1251 continue;
1252 }
1253 *p = '\0';
1254 lungetc(c);
1255 break;
1256 }
1257 val = symget(buf);
1258 if (val == NULL((void *)0)) {
1259 yyerror("macro '%s' not defined", buf);
1260 return (findeol());
1261 }
1262 p = val + strlen(val) - 1;
1263 lungetc(DONE_EXPAND2);
1264 while (p >= val) {
1265 lungetc((unsigned char)*p);
1266 p--;
1267 }
1268 lungetc(START_EXPAND1);
1269 goto top;
1270 }
1271
1272 switch (c) {
1273 case '\'':
1274 case '"':
1275 quotec = c;
1276 while (1) {
1277 if ((c = lgetc(quotec)) == EOF(-1))
1278 return (0);
1279 if (c == '\n') {
1280 file->lineno++;
1281 continue;
1282 } else if (c == '\\') {
1283 if ((next = lgetc(quotec)) == EOF(-1))
1284 return (0);
1285 if (next == quotec || next == ' ' ||
1286 next == '\t')
1287 c = next;
1288 else if (next == '\n') {
1289 file->lineno++;
1290 continue;
1291 } else
1292 lungetc(next);
1293 } else if (c == quotec) {
1294 *p = '\0';
1295 break;
1296 } else if (c == '\0') {
1297 yyerror("syntax error");
1298 return (findeol());
1299 }
1300 if (p + 1 >= buf + sizeof(buf) - 1) {
1301 yyerror("string too long");
1302 return (findeol());
1303 }
1304 *p++ = c;
1305 }
1306 yylval.v.string = strdup(buf);
1307 if (yylval.v.string == NULL((void *)0))
1308 err(1, "%s", __func__);
1309 return (STRING327);
1310 }
1311
1312#define allowed_to_end_number(x)(isspace(x) || x == ')' || x ==',' || x == '/' || x == '}' ||
x == '=') \
1313 (isspace(x) || x == ')' || x ==',' || x == '/' || x == '}' || x == '=')
1314
1315 if (c == '-' || isdigit(c)) {
1316 do {
1317 *p++ = c;
1318 if ((size_t)(p-buf) >= sizeof(buf)) {
1319 yyerror("string too long");
1320 return (findeol());
1321 }
1322 } while ((c = lgetc(0)) != EOF(-1) && isdigit(c));
1323 lungetc(c);
1324 if (p == buf + 1 && buf[0] == '-')
1325 goto nodigits;
1326 if (c == EOF(-1) || allowed_to_end_number(c)(isspace(c) || c == ')' || c ==',' || c == '/' || c == '}' ||
c == '=')) {
1327 const char *errstr = NULL((void *)0);
1328
1329 *p = '\0';
1330 yylval.v.number = strtonum(buf, LLONG_MIN(-9223372036854775807LL -1LL),
1331 LLONG_MAX9223372036854775807LL, &errstr);
1332 if (errstr) {
1333 yyerror("\"%s\" invalid number: %s",
1334 buf, errstr);
1335 return (findeol());
1336 }
1337 return (NUMBER328);
1338 } else {
1339nodigits:
1340 while (p > buf + 1)
1341 lungetc((unsigned char)*--p);
1342 c = (unsigned char)*--p;
1343 if (c == '-')
1344 return (c);
1345 }
1346 }
1347
1348#define allowed_in_string(x)(isalnum(x) || (ispunct(x) && x != '(' && x !=
')' && x != '{' && x != '}' && x != '<'
&& x != '>' && x != '!' && x != '='
&& x != '/' && x != '#' && x != ',')
) \
1349 (isalnum(x) || (ispunct(x) && x != '(' && x != ')' && \
1350 x != '{' && x != '}' && x != '<' && x != '>' && \
1351 x != '!' && x != '=' && x != '/' && x != '#' && \
1352 x != ','))
1353
1354 if (isalnum(c) || c == ':' || c == '_' || c == '*') {
1355 do {
1356 *p++ = c;
1357 if ((size_t)(p-buf) >= sizeof(buf)) {
1358 yyerror("string too long");
1359 return (findeol());
1360 }
1361 } while ((c = lgetc(0)) != EOF(-1) && (allowed_in_string(c)(isalnum(c) || (ispunct(c) && c != '(' && c !=
')' && c != '{' && c != '}' && c != '<'
&& c != '>' && c != '!' && c != '='
&& c != '/' && c != '#' && c != ',')
)));
1362 lungetc(c);
1363 *p = '\0';
1364 if ((token = lookup(buf)) == STRING327)
1365 if ((yylval.v.string = strdup(buf)) == NULL((void *)0))
1366 err(1, "%s", __func__);
1367 return (token);
1368 }
1369 if (c == '\n') {
1370 yylval.lineno = file->lineno;
1371 file->lineno++;
1372 }
1373 if (c == EOF(-1))
1374 return (0);
1375 return (c);
1376}
1377
1378int
1379check_file_secrecy(int fd, const char *fname)
1380{
1381 struct stat st;
1382
1383 if (fstat(fd, &st)) {
1384 warn("cannot stat %s", fname);
1385 return (-1);
1386 }
1387 if (st.st_uid != 0 && st.st_uid != getuid()) {
1388 warnx("%s: owner not root or current user", fname);
1389 return (-1);
1390 }
1391 if (st.st_mode & (S_IWGRP0000020 | S_IXGRP0000010 | S_IRWXO0000007)) {
1392 warnx("%s: group writable or world read/writable", fname);
1393 return (-1);
1394 }
1395 return (0);
1396}
1397
1398struct file *
1399pushfile(const char *name, int secret)
1400{
1401 struct file *nfile;
1402
1403 if ((nfile = calloc(1, sizeof(struct file))) == NULL((void *)0)) {
1404 warn("%s", __func__);
1405 return (NULL((void *)0));
1406 }
1407 if ((nfile->name = strdup(name)) == NULL((void *)0)) {
1408 warn("%s", __func__);
1409 free(nfile);
1410 return (NULL((void *)0));
1411 }
1412 if (TAILQ_FIRST(&files)((&files)->tqh_first) == NULL((void *)0) && strcmp(nfile->name, "-") == 0) {
1413 nfile->stream = stdin(&__sF[0]);
1414 free(nfile->name);
1415 if ((nfile->name = strdup("stdin")) == NULL((void *)0)) {
1416 warn("%s", __func__);
1417 free(nfile);
1418 return (NULL((void *)0));
1419 }
1420 } else if ((nfile->stream = fopen(nfile->name, "r")) == NULL((void *)0)) {
1421 warn("%s: %s", __func__, nfile->name);
1422 free(nfile->name);
1423 free(nfile);
1424 return (NULL((void *)0));
1425 } else if (secret &&
1426 check_file_secrecy(fileno(nfile->stream)(!__isthreaded ? ((nfile->stream)->_file) : (fileno)(nfile
->stream)), nfile->name)) {
1427 fclose(nfile->stream);
1428 free(nfile->name);
1429 free(nfile);
1430 return (NULL((void *)0));
1431 }
1432 nfile->lineno = TAILQ_EMPTY(&files)(((&files)->tqh_first) == ((void *)0)) ? 1 : 0;
1433 nfile->ungetsize = 16;
1434 nfile->ungetbuf = malloc(nfile->ungetsize);
1435 if (nfile->ungetbuf == NULL((void *)0)) {
1436 warn("%s", __func__);
1437 fclose(nfile->stream);
1438 free(nfile->name);
1439 free(nfile);
1440 return (NULL((void *)0));
1441 }
1442 TAILQ_INSERT_TAIL(&files, nfile, entry)do { (nfile)->entry.tqe_next = ((void *)0); (nfile)->entry
.tqe_prev = (&files)->tqh_last; *(&files)->tqh_last
= (nfile); (&files)->tqh_last = &(nfile)->entry
.tqe_next; } while (0);
1443 return (nfile);
1444}
1445
1446int
1447popfile(void)
1448{
1449 struct file *prev;
1450
1451 if ((prev = TAILQ_PREV(file, files, entry)(*(((struct files *)((file)->entry.tqe_prev))->tqh_last
))) != NULL((void *)0))
1452 prev->errors += file->errors;
1453
1454 TAILQ_REMOVE(&files, file, entry)do { if (((file)->entry.tqe_next) != ((void *)0)) (file)->
entry.tqe_next->entry.tqe_prev = (file)->entry.tqe_prev
; else (&files)->tqh_last = (file)->entry.tqe_prev;
*(file)->entry.tqe_prev = (file)->entry.tqe_next; ; ; }
while (0);
1455 fclose(file->stream);
1456 free(file->name);
1457 free(file->ungetbuf);
1458 free(file);
1459 file = prev;
1460
1461 return (file ? 0 : EOF(-1));
1462}
1463
1464int
1465parse_config(const char *filename, struct iked *x_env)
1466{
1467 struct sym *sym;
1468 int errors = 0;
1469
1470 env = x_env;
1471 rules = 0;
1472
1473 if ((file = pushfile(filename, 1)) == NULL((void *)0))
1474 return (-1);
1475 topfile = file;
1476
1477 free(ocsp_url);
1478
1479 mobike = 1;
1480 enforcesingleikesa = stickyaddress = 0;
1481 cert_partial_chain = decouple = passive = 0;
1482 ocsp_tolerate = 0;
1483 ocsp_url = NULL((void *)0);
1484 ocsp_maxage = -1;
1485 fragmentation = 0;
1486 dpd_interval = IKED_IKE_SA_ALIVE_TIMEOUT60;
1487 decouple = passive = 0;
1488 ocsp_url = NULL((void *)0);
1489
1490 if (env->sc_opts & IKED_OPT_PASSIVE0x00000004)
1491 passive = 1;
1492
1493 yyparse();
1494 errors = file->errors;
1495 popfile();
1496
1497 env->sc_passive = passive ? 1 : 0;
1498 env->sc_decoupled = decouple ? 1 : 0;
1499 env->sc_mobikesc_static.st_mobike = mobike;
1500 env->sc_enforcesingleikesasc_static.st_enforcesingleikesa = enforcesingleikesa;
1501 env->sc_stickyaddresssc_static.st_stickyaddress = stickyaddress;
1502 env->sc_fragsc_static.st_frag = fragmentation;
1503 env->sc_alive_timeoutsc_static.st_alive_timeout = dpd_interval;
1504 env->sc_ocsp_url = ocsp_url;
1505 env->sc_ocsp_tolerate = ocsp_tolerate;
1506 env->sc_ocsp_maxage = ocsp_maxage;
1507 env->sc_cert_partial_chain = cert_partial_chain;
1508
1509 if (!rules)
1510 log_warnx("%s: no valid configuration rules found",
1511 filename);
1512 else
1513 log_debug("%s: loaded %d configuration rules",
1514 filename, rules);
1515
1516 /* Free macros and check which have not been used. */
1517 while ((sym = TAILQ_FIRST(&symhead)((&symhead)->tqh_first))) {
1518 if (!sym->used)
1519 log_debug("warning: macro '%s' not "
1520 "used\n", sym->nam);
1521 free(sym->nam);
1522 free(sym->val);
1523 TAILQ_REMOVE(&symhead, sym, entry)do { if (((sym)->entry.tqe_next) != ((void *)0)) (sym)->
entry.tqe_next->entry.tqe_prev = (sym)->entry.tqe_prev;
else (&symhead)->tqh_last = (sym)->entry.tqe_prev;
*(sym)->entry.tqe_prev = (sym)->entry.tqe_next; ; ; } while
(0);
1524 free(sym);
1525 }
1526
1527 iaw_free(iftab);
1528 iftab = NULL((void *)0);
1529
1530 return (errors ? -1 : 0);
1531}
1532
1533int
1534symset(const char *nam, const char *val, int persist)
1535{
1536 struct sym *sym;
1537
1538 TAILQ_FOREACH(sym, &symhead, entry)for((sym) = ((&symhead)->tqh_first); (sym) != ((void *
)0); (sym) = ((sym)->entry.tqe_next)) {
1539 if (strcmp(nam, sym->nam) == 0)
1540 break;
1541 }
1542
1543 if (sym != NULL((void *)0)) {
1544 if (sym->persist == 1)
1545 return (0);
1546 else {
1547 free(sym->nam);
1548 free(sym->val);
1549 TAILQ_REMOVE(&symhead, sym, entry)do { if (((sym)->entry.tqe_next) != ((void *)0)) (sym)->
entry.tqe_next->entry.tqe_prev = (sym)->entry.tqe_prev;
else (&symhead)->tqh_last = (sym)->entry.tqe_prev;
*(sym)->entry.tqe_prev = (sym)->entry.tqe_next; ; ; } while
(0);
1550 free(sym);
1551 }
1552 }
1553 if ((sym = calloc(1, sizeof(*sym))) == NULL((void *)0))
1554 return (-1);
1555
1556 sym->nam = strdup(nam);
1557 if (sym->nam == NULL((void *)0)) {
1558 free(sym);
1559 return (-1);
1560 }
1561 sym->val = strdup(val);
1562 if (sym->val == NULL((void *)0)) {
1563 free(sym->nam);
1564 free(sym);
1565 return (-1);
1566 }
1567 sym->used = 0;
1568 sym->persist = persist;
1569 TAILQ_INSERT_TAIL(&symhead, sym, entry)do { (sym)->entry.tqe_next = ((void *)0); (sym)->entry.
tqe_prev = (&symhead)->tqh_last; *(&symhead)->tqh_last
= (sym); (&symhead)->tqh_last = &(sym)->entry.
tqe_next; } while (0);
1570 return (0);
1571}
1572
1573int
1574cmdline_symset(char *s)
1575{
1576 char *sym, *val;
1577 int ret;
1578
1579 if ((val = strrchr(s, '=')) == NULL((void *)0))
1580 return (-1);
1581
1582 sym = strndup(s, val - s);
1583 if (sym == NULL((void *)0))
1584 err(1, "%s", __func__);
1585 ret = symset(sym, val + 1, 1);
1586 free(sym);
1587
1588 return (ret);
1589}
1590
1591char *
1592symget(const char *nam)
1593{
1594 struct sym *sym;
1595
1596 TAILQ_FOREACH(sym, &symhead, entry)for((sym) = ((&symhead)->tqh_first); (sym) != ((void *
)0); (sym) = ((sym)->entry.tqe_next)) {
1597 if (strcmp(nam, sym->nam) == 0) {
1598 sym->used = 1;
1599 return (sym->val);
1600 }
1601 }
1602 return (NULL((void *)0));
1603}
1604
1605uint8_t
1606x2i(unsigned char *s)
1607{
1608 char ss[3];
1609
1610 ss[0] = s[0];
1611 ss[1] = s[1];
1612 ss[2] = 0;
1613
1614 if (!isxdigit(s[0]) || !isxdigit(s[1])) {
1615 yyerror("keys need to be specified in hex digits");
1616 return (-1);
1617 }
1618 return ((uint8_t)strtoul(ss, NULL((void *)0), 16));
1619}
1620
1621int
1622parsekey(unsigned char *hexkey, size_t len, struct iked_auth *auth)
1623{
1624 unsigned int i;
1625
1626 bzero(auth, sizeof(*auth));
1627 if ((len / 2) > sizeof(auth->auth_data))
1628 return (-1);
1629 auth->auth_length = len / 2;
1630
1631 for (i = 0; i < auth->auth_length; i++)
1632 auth->auth_data[i] = x2i(hexkey + 2 * i);
1633
1634 return (0);
1635}
1636
1637int
1638parsekeyfile(char *filename, struct iked_auth *auth)
1639{
1640 struct stat sb;
1641 int fd, ret;
1642 unsigned char *hex;
1643
1644 if ((fd = open(filename, O_RDONLY0x0000)) == -1)
1645 err(1, "open %s", filename);
1646 if (fstat(fd, &sb) == -1)
1647 err(1, "parsekeyfile: stat %s", filename);
1648 if ((sb.st_size > KEYSIZE_LIMIT1024) || (sb.st_size == 0))
1649 errx(1, "%s: key too %s", filename, sb.st_size ? "large" :
1650 "small");
1651 if ((hex = calloc(sb.st_size, sizeof(unsigned char))) == NULL((void *)0))
1652 err(1, "parsekeyfile: calloc");
1653 if (read(fd, hex, sb.st_size) < sb.st_size)
1654 err(1, "parsekeyfile: read");
1655 close(fd);
1656 ret = parsekey(hex, sb.st_size, auth);
1657 free(hex);
1658 return (ret);
1659}
1660
1661int
1662get_id_type(char *string)
1663{
1664 struct in6_addr ia;
1665
1666 if (string == NULL((void *)0))
1667 return (IKEV2_ID_NONE0);
1668
1669 if (*string == '/')
1670 return (IKEV2_ID_ASN1_DN9);
1671 else if (inet_pton(AF_INET2, string, &ia) == 1)
1672 return (IKEV2_ID_IPV41);
1673 else if (inet_pton(AF_INET624, string, &ia) == 1)
1674 return (IKEV2_ID_IPV65);
1675 else if (strchr(string, '@'))
1676 return (IKEV2_ID_UFQDN3);
1677 else
1678 return (IKEV2_ID_FQDN2);
1679}
1680
1681struct ipsec_addr_wrap *
1682host(const char *s)
1683{
1684 struct ipsec_addr_wrap *ipa = NULL((void *)0);
1685 int mask = -1;
1686 char *p, *ps;
1687 const char *errstr;
1688
1689 if ((ps = strdup(s)) == NULL((void *)0))
1690 err(1, "%s: strdup", __func__);
1691
1692 if ((p = strchr(ps, '/')) != NULL((void *)0)) {
1693 mask = strtonum(p+1, 0, 128, &errstr);
1694 if (errstr) {
1695 fprintf(stderr(&__sF[2]), "netmask is %s: %s\n", errstr, p);
1696 goto error;
1697 }
1698 p[0] = '\0';
1699 }
1700
1701 if ((ipa = host_if(ps, mask)) == NULL((void *)0) &&
1702 (ipa = host_ip(ps, mask)) == NULL((void *)0) &&
1703 (ipa = host_dns(ps, mask)) == NULL((void *)0))
1704 fprintf(stderr(&__sF[2]), "no IP address found for %s\n", s);
1705
1706error:
1707 free(ps);
1708 return (ipa);
1709}
1710
1711struct ipsec_addr_wrap *
1712host_ip(const char *s, int mask)
1713{
1714 struct ipsec_addr_wrap *ipa = NULL((void *)0);
1715 struct addrinfo hints, *res;
1716 char hbuf[NI_MAXHOST256];
1717
1718 bzero(&hints, sizeof(struct addrinfo));
1719 hints.ai_family = AF_UNSPEC0;
1720 hints.ai_socktype = SOCK_DGRAM2; /*dummy*/
1721 hints.ai_flags = AI_NUMERICHOST4;
1722 if (getaddrinfo(s, NULL((void *)0), &hints, &res))
1723 return (NULL((void *)0));
1724 if (res->ai_next)
1725 err(1, "%s: %s expanded to multiple item", __func__, s);
1726
1727 ipa = calloc(1, sizeof(struct ipsec_addr_wrap));
1728 if (ipa == NULL((void *)0))
1729 err(1, "%s", __func__);
1730 ipa->af = res->ai_family;
1731 copy_sockaddrtoipa(ipa, res->ai_addr);
1732 ipa->next = NULL((void *)0);
1733 ipa->tail = ipa;
1734
1735 set_ipmask(ipa, mask);
1736 if (getnameinfo(res->ai_addr, res->ai_addrlen,
1737 hbuf, sizeof(hbuf), NULL((void *)0), 0, NI_NUMERICHOST1)) {
1738 errx(1, "could not get a numeric hostname");
1739 }
1740
1741 if (mask > -1) {
1742 ipa->netaddress = 1;
1743 if (asprintf(&ipa->name, "%s/%d", hbuf, mask) == -1)
1744 err(1, "%s", __func__);
1745 } else {
1746 if ((ipa->name = strdup(hbuf)) == NULL((void *)0))
1747 err(1, "%s", __func__);
1748 }
1749
1750 freeaddrinfo(res);
1751
1752 return (ipa);
1753}
1754
1755struct ipsec_addr_wrap *
1756host_dns(const char *s, int mask)
1757{
1758 struct ipsec_addr_wrap *ipa = NULL((void *)0), *head = NULL((void *)0);
1759 struct addrinfo hints, *res0, *res;
1760 int error;
1761 char hbuf[NI_MAXHOST256];
1762
1763 bzero(&hints, sizeof(struct addrinfo));
1764 hints.ai_family = PF_UNSPEC0;
1765 hints.ai_socktype = SOCK_STREAM1;
1766 hints.ai_flags = AI_ADDRCONFIG64;
1767 error = getaddrinfo(s, NULL((void *)0), &hints, &res0);
1768 if (error)
1769 return (NULL((void *)0));
1770
1771 for (res = res0; res; res = res->ai_next) {
1772 if (res->ai_family != AF_INET2 && res->ai_family != AF_INET624)
1773 continue;
1774
1775 ipa = calloc(1, sizeof(struct ipsec_addr_wrap));
1776 if (ipa == NULL((void *)0))
1777 err(1, "%s", __func__);
1778 copy_sockaddrtoipa(ipa, res->ai_addr);
1779 error = getnameinfo(res->ai_addr, res->ai_addrlen, hbuf,
1780 sizeof(hbuf), NULL((void *)0), 0, NI_NUMERICHOST1);
1781 if (error)
1782 err(1, "host_dns: getnameinfo");
1783 ipa->name = strdup(hbuf);
1784 if (ipa->name == NULL((void *)0))
1785 err(1, "%s", __func__);
1786 ipa->af = res->ai_family;
1787 ipa->next = NULL((void *)0);
1788 ipa->tail = ipa;
1789 if (head == NULL((void *)0))
1790 head = ipa;
1791 else {
1792 head->tail->next = ipa;
1793 head->tail = ipa;
1794 }
1795
1796 /*
1797 * XXX for now, no netmask support for IPv6.
1798 * but since there's no way to specify address family, once you
1799 * have IPv6 address on a host, you cannot use dns/netmask
1800 * syntax.
1801 */
1802 if (ipa->af == AF_INET2)
1803 set_ipmask(ipa, mask == -1 ? 32 : mask);
1804 else
1805 if (mask != -1)
1806 err(1, "host_dns: cannot apply netmask "
1807 "on non-IPv4 address");
1808 }
1809 freeaddrinfo(res0);
1810
1811 return (head);
1812}
1813
1814struct ipsec_addr_wrap *
1815host_if(const char *s, int mask)
1816{
1817 struct ipsec_addr_wrap *ipa = NULL((void *)0);
1818
1819 if (ifa_exists(s))
1820 ipa = ifa_lookup(s);
1821
1822 return (ipa);
1823}
1824
1825struct ipsec_addr_wrap *
1826host_any(void)
1827{
1828 struct ipsec_addr_wrap *ipa;
1829
1830 ipa = calloc(1, sizeof(struct ipsec_addr_wrap));
1831 if (ipa == NULL((void *)0))
1832 err(1, "%s", __func__);
1833 ipa->af = AF_UNSPEC0;
1834 ipa->netaddress = 1;
1835 ipa->tail = ipa;
1836 ipa->type = IPSEC_ADDR_ANY(0x1);
1837 return (ipa);
1838}
1839
1840struct ipsec_addr_wrap *
1841host_dynamic(void)
1842{
1843 struct ipsec_addr_wrap *ipa;
1844
1845 ipa = calloc(1, sizeof(struct ipsec_addr_wrap));
1846 if (ipa == NULL((void *)0))
1847 err(1, "%s", __func__);
1848 ipa->af = AF_UNSPEC0;
1849 ipa->tail = ipa;
1850 ipa->type = IPSEC_ADDR_DYNAMIC(0x2);
1851 return (ipa);
1852}
1853
1854void
1855ifa_load(void)
1856{
1857 struct ifaddrs *ifap, *ifa;
1858 struct ipsec_addr_wrap *n = NULL((void *)0), *h = NULL((void *)0);
1859 struct sockaddr_in *sa_in;
1860 struct sockaddr_in6 *sa_in6;
1861
1862 if (getifaddrs(&ifap) == -1)
1863 err(1, "ifa_load: getifaddrs");
1864
1865 for (ifa = ifap; ifa; ifa = ifa->ifa_next) {
1866 if (ifa->ifa_addr == NULL((void *)0) ||
1867 !(ifa->ifa_addr->sa_family == AF_INET2 ||
1868 ifa->ifa_addr->sa_family == AF_INET624 ||
1869 ifa->ifa_addr->sa_family == AF_LINK18))
1870 continue;
1871 n = calloc(1, sizeof(struct ipsec_addr_wrap));
1872 if (n == NULL((void *)0))
1873 err(1, "%s", __func__);
1874 n->af = ifa->ifa_addr->sa_family;
1875 if ((n->name = strdup(ifa->ifa_name)) == NULL((void *)0))
1876 err(1, "%s", __func__);
1877 if (n->af == AF_INET2) {
1878 sa_in = (struct sockaddr_in *)ifa->ifa_addr;
1879 memcpy(&n->address, sa_in, sizeof(*sa_in));
1880 sa_in = (struct sockaddr_in *)ifa->ifa_netmask;
1881 n->mask = mask2prefixlen((struct sockaddr *)sa_in);
1882 } else if (n->af == AF_INET624) {
1883 sa_in6 = (struct sockaddr_in6 *)ifa->ifa_addr;
1884 memcpy(&n->address, sa_in6, sizeof(*sa_in6));
1885 sa_in6 = (struct sockaddr_in6 *)ifa->ifa_netmask;
1886 n->mask = mask2prefixlen6((struct sockaddr *)sa_in6);
1887 }
1888 n->next = NULL((void *)0);
1889 n->tail = n;
1890 if (h == NULL((void *)0))
1891 h = n;
1892 else {
1893 h->tail->next = n;
1894 h->tail = n;
1895 }
1896 }
1897
1898 iftab = h;
1899 freeifaddrs(ifap);
1900}
1901
1902int
1903ifa_exists(const char *ifa_name)
1904{
1905 struct ipsec_addr_wrap *n;
1906 struct ifgroupreq ifgr;
1907 int s;
1908
1909 if (iftab == NULL((void *)0))
1910 ifa_load();
1911
1912 /* check wether this is a group */
1913 if ((s = socket(AF_INET2, SOCK_DGRAM2, 0)) == -1)
1914 err(1, "ifa_exists: socket");
1915 bzero(&ifgr, sizeof(ifgr));
1916 strlcpy(ifgr.ifgr_name, ifa_name, sizeof(ifgr.ifgr_name));
1917 if (ioctl(s, SIOCGIFGMEMB(((unsigned long)0x80000000|(unsigned long)0x40000000) | ((sizeof
(struct ifgroupreq) & 0x1fff) << 16) | ((('i')) <<
8) | ((138))), (caddr_t)&ifgr) == 0) {
1918 close(s);
1919 return (1);
1920 }
1921 close(s);
1922
1923 for (n = iftab; n; n = n->next) {
1924 if (n->af == AF_LINK18 && !strncmp(n->name, ifa_name,
1925 IFNAMSIZ16))
1926 return (1);
1927 }
1928
1929 return (0);
1930}
1931
1932struct ipsec_addr_wrap *
1933ifa_grouplookup(const char *ifa_name)
1934{
1935 struct ifg_req *ifg;
1936 struct ifgroupreq ifgr;
1937 int s;
1938 size_t len;
1939 struct ipsec_addr_wrap *n, *h = NULL((void *)0), *hn;
1940
1941 if ((s = socket(AF_INET2, SOCK_DGRAM2, 0)) == -1)
1942 err(1, "socket");
1943 bzero(&ifgr, sizeof(ifgr));
1944 strlcpy(ifgr.ifgr_name, ifa_name, sizeof(ifgr.ifgr_name));
1945 if (ioctl(s, SIOCGIFGMEMB(((unsigned long)0x80000000|(unsigned long)0x40000000) | ((sizeof
(struct ifgroupreq) & 0x1fff) << 16) | ((('i')) <<
8) | ((138))), (caddr_t)&ifgr) == -1) {
1946 close(s);
1947 return (NULL((void *)0));
1948 }
1949
1950 len = ifgr.ifgr_len;
1951 if ((ifgr.ifgr_groupsifgr_ifgru.ifgru_groups = calloc(1, len)) == NULL((void *)0))
1952 err(1, "%s", __func__);
1953 if (ioctl(s, SIOCGIFGMEMB(((unsigned long)0x80000000|(unsigned long)0x40000000) | ((sizeof
(struct ifgroupreq) & 0x1fff) << 16) | ((('i')) <<
8) | ((138))), (caddr_t)&ifgr) == -1)
1954 err(1, "ioctl");
1955
1956 for (ifg = ifgr.ifgr_groupsifgr_ifgru.ifgru_groups; ifg && len >= sizeof(struct ifg_req);
1957 ifg++) {
1958 len -= sizeof(struct ifg_req);
1959 if ((n = ifa_lookup(ifg->ifgrq_memberifgrq_ifgrqu.ifgrqu_member)) == NULL((void *)0))
1960 continue;
1961 if (h == NULL((void *)0))
1962 h = n;
1963 else {
1964 for (hn = h; hn->next != NULL((void *)0); hn = hn->next)
1965 ; /* nothing */
1966 hn->next = n;
1967 n->tail = hn;
1968 }
1969 }
1970 free(ifgr.ifgr_groupsifgr_ifgru.ifgru_groups);
1971 close(s);
1972
1973 return (h);
1974}
1975
1976struct ipsec_addr_wrap *
1977ifa_lookup(const char *ifa_name)
1978{
1979 struct ipsec_addr_wrap *p = NULL((void *)0), *h = NULL((void *)0), *n = NULL((void *)0);
1980 struct sockaddr_in6 *in6;
1981 uint8_t *s6;
1982
1983 if (iftab == NULL((void *)0))
1984 ifa_load();
1985
1986 if ((n = ifa_grouplookup(ifa_name)) != NULL((void *)0))
1987 return (n);
1988
1989 for (p = iftab; p; p = p->next) {
1990 if (p->af != AF_INET2 && p->af != AF_INET624)
1991 continue;
1992 if (strncmp(p->name, ifa_name, IFNAMSIZ16))
1993 continue;
1994 n = calloc(1, sizeof(struct ipsec_addr_wrap));
1995 if (n == NULL((void *)0))
1996 err(1, "%s", __func__);
1997 memcpy(n, p, sizeof(struct ipsec_addr_wrap));
1998 if ((n->name = strdup(p->name)) == NULL((void *)0))
1999 err(1, "%s", __func__);
2000 switch (n->af) {
2001 case AF_INET2:
2002 set_ipmask(n, 32);
2003 break;
2004 case AF_INET624:
2005 in6 = (struct sockaddr_in6 *)&n->address;
2006 s6 = (uint8_t *)&in6->sin6_addr.s6_addr__u6_addr.__u6_addr8;
2007
2008 /* route/show.c and bgpd/util.c give KAME credit */
2009 if (IN6_IS_ADDR_LINKLOCAL(&in6->sin6_addr)(((&in6->sin6_addr)->__u6_addr.__u6_addr8[0] == 0xfe
) && (((&in6->sin6_addr)->__u6_addr.__u6_addr8
[1] & 0xc0) == 0x80))) {
2010 uint16_t tmp16;
2011
2012 /* for now we can not handle link local,
2013 * therefore bail for now
2014 */
2015 free(n->name);
2016 free(n);
2017 continue;
2018
2019 memcpy(&tmp16, &s6[2], sizeof(tmp16));
2020 /* use this when we support link-local
2021 * n->??.scopeid = ntohs(tmp16);
2022 */
2023 s6[2] = 0;
2024 s6[3] = 0;
2025 }
2026 set_ipmask(n, 128);
2027 break;
2028 }
2029
2030 n->next = NULL((void *)0);
2031 n->tail = n;
2032 if (h == NULL((void *)0))
2033 h = n;
2034 else {
2035 h->tail->next = n;
2036 h->tail = n;
2037 }
2038 }
2039
2040 return (h);
2041}
2042
2043void
2044set_ipmask(struct ipsec_addr_wrap *address, int b)
2045{
2046 if (b == -1)
2047 address->mask = address->af == AF_INET2 ? 32 : 128;
2048 else
2049 address->mask = b;
2050}
2051
2052const struct ipsec_xf *
2053parse_xf(const char *name, unsigned int length, const struct ipsec_xf xfs[])
2054{
2055 int i;
2056
2057 for (i = 0; xfs[i].name != NULL((void *)0); i++) {
2058 if (strncmp(name, xfs[i].name, strlen(name)))
2059 continue;
2060 if (length == 0 || length == xfs[i].length)
2061 return &xfs[i];
2062 }
2063 return (NULL((void *)0));
2064}
2065
2066int
2067encxf_noauth(unsigned int id)
2068{
2069 int i;
2070
2071 for (i = 0; ikeencxfs[i].name != NULL((void *)0); i++)
2072 if (ikeencxfs[i].id == id)
2073 return ikeencxfs[i].noauth;
2074 return (0);
2075}
2076
2077size_t
2078keylength_xf(unsigned int saproto, unsigned int type, unsigned int id)
2079{
2080 int i;
2081 const struct ipsec_xf *xfs;
2082
2083 switch (type) {
2084 case IKEV2_XFORMTYPE_ENCR1:
2085 if (saproto == IKEV2_SAPROTO_IKE1)
2086 xfs = ikeencxfs;
2087 else
2088 xfs = ipsecencxfs;
2089 break;
2090 case IKEV2_XFORMTYPE_INTEGR3:
2091 xfs = authxfs;
2092 break;
2093 default:
2094 return (0);
2095 }
2096
2097 for (i = 0; xfs[i].name != NULL((void *)0); i++) {
2098 if (xfs[i].id == id)
2099 return (xfs[i].length * 8);
2100 }
2101 return (0);
2102}
2103
2104size_t
2105noncelength_xf(unsigned int type, unsigned int id)
2106{
2107 const struct ipsec_xf *xfs = ipsecencxfs;
2108 int i;
2109
2110 if (type != IKEV2_XFORMTYPE_ENCR1)
2111 return (0);
2112
2113 for (i = 0; xfs[i].name != NULL((void *)0); i++)
2114 if (xfs[i].id == id)
2115 return (xfs[i].nonce * 8);
2116 return (0);
2117}
2118
2119void
2120copy_transforms(unsigned int type,
2121 const struct ipsec_xf **xfs, unsigned int nxfs,
2122 struct iked_transform **dst, unsigned int *ndst,
2123 struct iked_transform *src, size_t nsrc)
2124{
2125 unsigned int i;
2126 struct iked_transform *a, *b;
2127 const struct ipsec_xf *xf;
2128
2129 if (nxfs) {
2130 for (i = 0; i < nxfs; i++) {
2131 xf = xfs[i];
2132 *dst = recallocarray(*dst, *ndst,
2133 *ndst + 1, sizeof(struct iked_transform));
2134 if (*dst == NULL((void *)0))
2135 err(1, "%s", __func__);
2136 b = *dst + (*ndst)++;
2137
2138 b->xform_type = type;
2139 b->xform_id = xf->id;
2140 b->xform_keylength = xf->length * 8;
2141 b->xform_length = xf->keylength * 8;
2142 }
2143 return;
2144 }
2145
2146 for (i = 0; i < nsrc; i++) {
2147 a = src + i;
2148 if (a->xform_type != type)
2149 continue;
2150 *dst = recallocarray(*dst, *ndst,
2151 *ndst + 1, sizeof(struct iked_transform));
2152 if (*dst == NULL((void *)0))
2153 err(1, "%s", __func__);
2154 b = *dst + (*ndst)++;
2155 memcpy(b, a, sizeof(*b));
2156 }
2157}
2158
2159int
2160create_ike(char *name, int af, struct ipsec_addr_wrap *ipproto,
2161 int rdomain, struct ipsec_hosts *hosts,
2162 struct ipsec_hosts *peers, struct ipsec_mode *ike_sa,
2163 struct ipsec_mode *ipsec_sa, uint8_t saproto,
2164 uint8_t flags, char *srcid, char *dstid,
2165 uint32_t ikelifetime, struct iked_lifetime *lt,
2166 struct iked_auth *authtype, struct ipsec_filters *filter,
2167 struct ipsec_addr_wrap *ikecfg, char *iface)
2168{
2169 char idstr[IKED_ID_SIZE1024];
2170 struct ipsec_addr_wrap *ipa, *ipb, *ipp;
2171 struct iked_auth *ikeauth;
2172 struct iked_policy pol;
2173 struct iked_proposal *p, *ptmp;
2174 struct iked_transform *xf;
2175 unsigned int i, j, xfi, noauth, auth;
2176 unsigned int ikepropid = 1, ipsecpropid = 1;
2177 struct iked_flow *flow, *ftmp;
2178 static unsigned int policy_id = 0;
2179 struct iked_cfg *cfg;
2180 int ret = -1;
2181
2182 bzero(&pol, sizeof(pol));
2183 bzero(idstr, sizeof(idstr));
2184
2185 pol.pol_id = ++policy_id;
2186 pol.pol_certreqtype = env->sc_certreqtype;
2187 pol.pol_af = af;
2188 pol.pol_saproto = saproto;
2189 for (i = 0, ipp = ipproto; ipp; ipp = ipp->next, i++) {
2190 if (i >= IKED_IPPROTO_MAX16) {
2191 yyerror("too many protocols");
2192 return (-1);
2193 }
2194 pol.pol_ipproto[i] = ipp->type;
2195 pol.pol_nipproto++;
2196 }
2197
2198 pol.pol_flags = flags;
2199 pol.pol_rdomain = rdomain;
2200 memcpy(&pol.pol_auth, authtype, sizeof(struct iked_auth));
2201 explicit_bzero(authtype, sizeof(*authtype));
2202
2203 if (name != NULL((void *)0)) {
2204 if (strlcpy(pol.pol_name, name,
2205 sizeof(pol.pol_name)) >= sizeof(pol.pol_name)) {
2206 yyerror("name too long");
2207 return (-1);
2208 }
2209 } else {
2210 snprintf(pol.pol_name, sizeof(pol.pol_name),
2211 "policy%d", policy_id);
2212 }
2213
2214 if (iface != NULL((void *)0)) {
2215 pol.pol_iface = if_nametoindex(iface);
2216 if (pol.pol_iface == 0) {
2217 yyerror("invalid iface");
2218 return (-1);
2219 }
2220 }
2221
2222 if (srcid) {
2223 pol.pol_localid.id_type = get_id_type(srcid);
2224 pol.pol_localid.id_length = strlen(srcid);
2225 if (strlcpy((char *)pol.pol_localid.id_data,
2226 srcid, IKED_ID_SIZE1024) >= IKED_ID_SIZE1024) {
2227 yyerror("srcid too long");
2228 return (-1);
2229 }
2230 }
2231 if (dstid) {
2232 pol.pol_peerid.id_type = get_id_type(dstid);
2233 pol.pol_peerid.id_length = strlen(dstid);
2234 if (strlcpy((char *)pol.pol_peerid.id_data,
2235 dstid, IKED_ID_SIZE1024) >= IKED_ID_SIZE1024) {
2236 yyerror("dstid too long");
2237 return (-1);
2238 }
2239 }
2240
2241 if (filter != NULL((void *)0)) {
2242 if (filter->tag)
2243 strlcpy(pol.pol_tag, filter->tag, sizeof(pol.pol_tag));
2244 pol.pol_tap = filter->tap;
2245 }
2246
2247 if (peers == NULL((void *)0)) {
2248 if (pol.pol_flags & IKED_POLICY_ACTIVE0x02) {
2249 yyerror("active mode requires peer specification");
2250 return (-1);
2251 }
2252 pol.pol_flags |= IKED_POLICY_DEFAULT0x01|IKED_POLICY_SKIP0x10;
2253 }
2254
2255 if (peers && peers->src && peers->dst &&
2256 (peers->src->af != AF_UNSPEC0) && (peers->dst->af != AF_UNSPEC0) &&
2257 (peers->src->af != peers->dst->af))
2258 fatalx("create_ike: peer address family mismatch");
2259
2260 if (peers && (pol.pol_af != AF_UNSPEC0) &&
2261 ((peers->src && (peers->src->af != AF_UNSPEC0) &&
2262 (peers->src->af != pol.pol_af)) ||
2263 (peers->dst && (peers->dst->af != AF_UNSPEC0) &&
2264 (peers->dst->af != pol.pol_af))))
2265 fatalx("create_ike: policy address family mismatch");
2266
2267 ipa = ipb = NULL((void *)0);
2268 if (peers) {
2269 if (peers->src)
2270 ipa = peers->src;
2271 if (peers->dst)
2272 ipb = peers->dst;
2273 if (ipa == NULL((void *)0) && ipb == NULL((void *)0)) {
2274 if (hosts->src && hosts->src->next == NULL((void *)0))
2275 ipa = hosts->src;
2276 if (hosts->dst && hosts->dst->next == NULL((void *)0))
2277 ipb = hosts->dst;
2278 }
2279 }
2280 if (ipa == NULL((void *)0) && ipb == NULL((void *)0)) {
2281 yyerror("could not get local/peer specification");
2282 return (-1);
2283 }
2284 if (pol.pol_flags & IKED_POLICY_ACTIVE0x02) {
2285 if (ipb == NULL((void *)0) || ipb->netaddress ||
2286 (ipa != NULL((void *)0) && ipa->netaddress)) {
2287 yyerror("active mode requires local/peer address");
2288 return (-1);
2289 }
2290 }
2291 if (ipa) {
2292 memcpy(&pol.pol_local.addr, &ipa->address,
2293 sizeof(ipa->address));
2294 pol.pol_local.addr_af = ipa->af;
2295 pol.pol_local.addr_mask = ipa->mask;
2296 pol.pol_local.addr_net = ipa->netaddress;
2297 if (pol.pol_af == AF_UNSPEC0)
2298 pol.pol_af = ipa->af;
2299 }
2300 if (ipb) {
2301 memcpy(&pol.pol_peer.addr, &ipb->address,
2302 sizeof(ipb->address));
2303 pol.pol_peer.addr_af = ipb->af;
2304 pol.pol_peer.addr_mask = ipb->mask;
2305 pol.pol_peer.addr_net = ipb->netaddress;
2306 if (pol.pol_af == AF_UNSPEC0)
2307 pol.pol_af = ipb->af;
2308 }
2309
2310 if (ikelifetime)
2311 pol.pol_rekey = ikelifetime;
2312
2313 if (lt)
2314 pol.pol_lifetime = *lt;
2315 else
2316 pol.pol_lifetime = deflifetime;
2317
2318 TAILQ_INIT(&pol.pol_proposals)do { (&pol.pol_proposals)->tqh_first = ((void *)0); (&
pol.pol_proposals)->tqh_last = &(&pol.pol_proposals
)->tqh_first; } while (0);
2319 RB_INIT(&pol.pol_flows)do { (&pol.pol_flows)->rbh_root = ((void *)0); } while
(0);
2320
2321 if (ike_sa == NULL((void *)0) || ike_sa->nxfs == 0) {
2322 /* AES-GCM proposal */
2323 if ((p = calloc(1, sizeof(*p))) == NULL((void *)0))
2324 err(1, "%s", __func__);
2325 p->prop_id = ikepropid++;
2326 p->prop_protoid = IKEV2_SAPROTO_IKE1;
2327 p->prop_nxforms = ikev2_default_nike_transforms_noauth;
2328 p->prop_xforms = ikev2_default_ike_transforms_noauth;
2329 TAILQ_INSERT_TAIL(&pol.pol_proposals, p, prop_entry)do { (p)->prop_entry.tqe_next = ((void *)0); (p)->prop_entry
.tqe_prev = (&pol.pol_proposals)->tqh_last; *(&pol
.pol_proposals)->tqh_last = (p); (&pol.pol_proposals)->
tqh_last = &(p)->prop_entry.tqe_next; } while (0);
2330 pol.pol_nproposals++;
2331
2332 /* Non GCM proposal */
2333 if ((p = calloc(1, sizeof(*p))) == NULL((void *)0))
2334 err(1, "%s", __func__);
2335 p->prop_id = ikepropid++;
2336 p->prop_protoid = IKEV2_SAPROTO_IKE1;
2337 p->prop_nxforms = ikev2_default_nike_transforms;
2338 p->prop_xforms = ikev2_default_ike_transforms;
2339 TAILQ_INSERT_TAIL(&pol.pol_proposals, p, prop_entry)do { (p)->prop_entry.tqe_next = ((void *)0); (p)->prop_entry
.tqe_prev = (&pol.pol_proposals)->tqh_last; *(&pol
.pol_proposals)->tqh_last = (p); (&pol.pol_proposals)->
tqh_last = &(p)->prop_entry.tqe_next; } while (0);
2340 pol.pol_nproposals++;
2341 } else {
2342 for (i = 0; i < ike_sa->nxfs; i++) {
2343 noauth = auth = 0;
2344 for (j = 0; j < ike_sa->xfs[i]->nencxf; j++) {
2345 if (ike_sa->xfs[i]->encxf[j]->noauth)
2346 noauth++;
2347 else
2348 auth++;
2349 }
2350 for (j = 0; j < ike_sa->xfs[i]->ngroupxf; j++) {
2351 if (ike_sa->xfs[i]->groupxf[j]->id
2352 == IKEV2_XFORMDH_NONE0) {
2353 yyerror("IKE group can not be \"none\".");
2354 goto done;
2355 }
2356 }
2357 if (ike_sa->xfs[i]->nauthxf)
2358 auth++;
2359
2360 if (ike_sa->xfs[i]->nesnxf) {
2361 yyerror("cannot use ESN with ikesa.");
2362 goto done;
2363 }
2364 if (noauth && noauth != ike_sa->xfs[i]->nencxf) {
2365 yyerror("cannot mix encryption transforms with "
2366 "implicit and non-implicit authentication");
2367 goto done;
2368 }
2369 if (noauth && ike_sa->xfs[i]->nauthxf) {
2370 yyerror("authentication is implicit for given "
2371 "encryption transforms");
2372 goto done;
2373 }
2374
2375 if (!auth) {
2376 if ((p = calloc(1, sizeof(*p))) == NULL((void *)0))
2377 err(1, "%s", __func__);
2378
2379 xf = NULL((void *)0);
2380 xfi = 0;
2381 copy_transforms(IKEV2_XFORMTYPE_ENCR1,
2382 ike_sa->xfs[i]->encxf,
2383 ike_sa->xfs[i]->nencxf, &xf, &xfi,
2384 ikev2_default_ike_transforms_noauth,
2385 ikev2_default_nike_transforms_noauth);
2386 copy_transforms(IKEV2_XFORMTYPE_DH4,
2387 ike_sa->xfs[i]->groupxf,
2388 ike_sa->xfs[i]->ngroupxf, &xf, &xfi,
2389 ikev2_default_ike_transforms_noauth,
2390 ikev2_default_nike_transforms_noauth);
2391 copy_transforms(IKEV2_XFORMTYPE_PRF2,
2392 ike_sa->xfs[i]->prfxf,
2393 ike_sa->xfs[i]->nprfxf, &xf, &xfi,
2394 ikev2_default_ike_transforms_noauth,
2395 ikev2_default_nike_transforms_noauth);
2396
2397 p->prop_id = ikepropid++;
2398 p->prop_protoid = IKEV2_SAPROTO_IKE1;
2399 p->prop_xforms = xf;
2400 p->prop_nxforms = xfi;
2401 TAILQ_INSERT_TAIL(&pol.pol_proposals, p, prop_entry)do { (p)->prop_entry.tqe_next = ((void *)0); (p)->prop_entry
.tqe_prev = (&pol.pol_proposals)->tqh_last; *(&pol
.pol_proposals)->tqh_last = (p); (&pol.pol_proposals)->
tqh_last = &(p)->prop_entry.tqe_next; } while (0);
2402 pol.pol_nproposals++;
2403 }
2404 if (!noauth) {
2405 if ((p = calloc(1, sizeof(*p))) == NULL((void *)0))
2406 err(1, "%s", __func__);
2407
2408 xf = NULL((void *)0);
2409 xfi = 0;
2410 copy_transforms(IKEV2_XFORMTYPE_INTEGR3,
2411 ike_sa->xfs[i]->authxf,
2412 ike_sa->xfs[i]->nauthxf, &xf, &xfi,
2413 ikev2_default_ike_transforms,
2414 ikev2_default_nike_transforms);
2415 copy_transforms(IKEV2_XFORMTYPE_ENCR1,
2416 ike_sa->xfs[i]->encxf,
2417 ike_sa->xfs[i]->nencxf, &xf, &xfi,
2418 ikev2_default_ike_transforms,
2419 ikev2_default_nike_transforms);
2420 copy_transforms(IKEV2_XFORMTYPE_DH4,
2421 ike_sa->xfs[i]->groupxf,
2422 ike_sa->xfs[i]->ngroupxf, &xf, &xfi,
2423 ikev2_default_ike_transforms,
2424 ikev2_default_nike_transforms);
2425 copy_transforms(IKEV2_XFORMTYPE_PRF2,
2426 ike_sa->xfs[i]->prfxf,
2427 ike_sa->xfs[i]->nprfxf, &xf, &xfi,
2428 ikev2_default_ike_transforms,
2429 ikev2_default_nike_transforms);
2430
2431 p->prop_id = ikepropid++;
2432 p->prop_protoid = IKEV2_SAPROTO_IKE1;
2433 p->prop_xforms = xf;
2434 p->prop_nxforms = xfi;
2435 TAILQ_INSERT_TAIL(&pol.pol_proposals, p, prop_entry)do { (p)->prop_entry.tqe_next = ((void *)0); (p)->prop_entry
.tqe_prev = (&pol.pol_proposals)->tqh_last; *(&pol
.pol_proposals)->tqh_last = (p); (&pol.pol_proposals)->
tqh_last = &(p)->prop_entry.tqe_next; } while (0);
2436 pol.pol_nproposals++;
2437 }
2438 }
2439 }
2440
2441 if (ipsec_sa == NULL((void *)0) || ipsec_sa->nxfs == 0) {
2442 if ((p = calloc(1, sizeof(*p))) == NULL((void *)0))
2443 err(1, "%s", __func__);
2444 p->prop_id = ipsecpropid++;
2445 p->prop_protoid = saproto;
2446 p->prop_nxforms = ikev2_default_nesp_transforms_noauth;
2447 p->prop_xforms = ikev2_default_esp_transforms_noauth;
2448 TAILQ_INSERT_TAIL(&pol.pol_proposals, p, prop_entry)do { (p)->prop_entry.tqe_next = ((void *)0); (p)->prop_entry
.tqe_prev = (&pol.pol_proposals)->tqh_last; *(&pol
.pol_proposals)->tqh_last = (p); (&pol.pol_proposals)->
tqh_last = &(p)->prop_entry.tqe_next; } while (0);
2449 pol.pol_nproposals++;
2450
2451 if ((p = calloc(1, sizeof(*p))) == NULL((void *)0))
2452 err(1, "%s", __func__);
2453 p->prop_id = ipsecpropid++;
2454 p->prop_protoid = saproto;
2455 p->prop_nxforms = ikev2_default_nesp_transforms;
2456 p->prop_xforms = ikev2_default_esp_transforms;
2457 TAILQ_INSERT_TAIL(&pol.pol_proposals, p, prop_entry)do { (p)->prop_entry.tqe_next = ((void *)0); (p)->prop_entry
.tqe_prev = (&pol.pol_proposals)->tqh_last; *(&pol
.pol_proposals)->tqh_last = (p); (&pol.pol_proposals)->
tqh_last = &(p)->prop_entry.tqe_next; } while (0);
2458 pol.pol_nproposals++;
2459 } else {
2460 for (i = 0; i < ipsec_sa->nxfs; i++) {
2461 noauth = auth = 0;
2462 for (j = 0; j < ipsec_sa->xfs[i]->nencxf; j++) {
2463 if (ipsec_sa->xfs[i]->encxf[j]->noauth)
2464 noauth++;
2465 else
2466 auth++;
2467 }
2468 if (ipsec_sa->xfs[i]->nauthxf)
2469 auth++;
2470
2471 if (noauth && noauth != ipsec_sa->xfs[i]->nencxf) {
2472 yyerror("cannot mix encryption transforms with "
2473 "implicit and non-implicit authentication");
2474 goto done;
2475 }
2476 if (noauth && ipsec_sa->xfs[i]->nauthxf) {
2477 yyerror("authentication is implicit for given "
2478 "encryption transforms");
2479 goto done;
2480 }
2481
2482 if (!auth) {
2483 if ((p = calloc(1, sizeof(*p))) == NULL((void *)0))
2484 err(1, "%s", __func__);
2485
2486 xf = NULL((void *)0);
2487 xfi = 0;
2488 copy_transforms(IKEV2_XFORMTYPE_ENCR1,
2489 ipsec_sa->xfs[i]->encxf,
2490 ipsec_sa->xfs[i]->nencxf, &xf, &xfi,
2491 ikev2_default_esp_transforms_noauth,
2492 ikev2_default_nesp_transforms_noauth);
2493 copy_transforms(IKEV2_XFORMTYPE_DH4,
2494 ipsec_sa->xfs[i]->groupxf,
2495 ipsec_sa->xfs[i]->ngroupxf, &xf, &xfi,
2496 ikev2_default_esp_transforms_noauth,
2497 ikev2_default_nesp_transforms_noauth);
2498 copy_transforms(IKEV2_XFORMTYPE_ESN5,
2499 ipsec_sa->xfs[i]->esnxf,
2500 ipsec_sa->xfs[i]->nesnxf, &xf, &xfi,
2501 ikev2_default_esp_transforms_noauth,
2502 ikev2_default_nesp_transforms_noauth);
2503
2504 p->prop_id = ipsecpropid++;
2505 p->prop_protoid = saproto;
2506 p->prop_xforms = xf;
2507 p->prop_nxforms = xfi;
2508 TAILQ_INSERT_TAIL(&pol.pol_proposals, p, prop_entry)do { (p)->prop_entry.tqe_next = ((void *)0); (p)->prop_entry
.tqe_prev = (&pol.pol_proposals)->tqh_last; *(&pol
.pol_proposals)->tqh_last = (p); (&pol.pol_proposals)->
tqh_last = &(p)->prop_entry.tqe_next; } while (0);
2509 pol.pol_nproposals++;
2510 }
2511 if (!noauth) {
2512 if ((p = calloc(1, sizeof(*p))) == NULL((void *)0))
2513 err(1, "%s", __func__);
2514
2515 xf = NULL((void *)0);
2516 xfi = 0;
2517 copy_transforms(IKEV2_XFORMTYPE_INTEGR3,
2518 ipsec_sa->xfs[i]->authxf,
2519 ipsec_sa->xfs[i]->nauthxf, &xf, &xfi,
2520 ikev2_default_esp_transforms,
2521 ikev2_default_nesp_transforms);
2522 copy_transforms(IKEV2_XFORMTYPE_ENCR1,
2523 ipsec_sa->xfs[i]->encxf,
2524 ipsec_sa->xfs[i]->nencxf, &xf, &xfi,
2525 ikev2_default_esp_transforms,
2526 ikev2_default_nesp_transforms);
2527 copy_transforms(IKEV2_XFORMTYPE_DH4,
2528 ipsec_sa->xfs[i]->groupxf,
2529 ipsec_sa->xfs[i]->ngroupxf, &xf, &xfi,
2530 ikev2_default_esp_transforms,
2531 ikev2_default_nesp_transforms);
2532 copy_transforms(IKEV2_XFORMTYPE_ESN5,
2533 ipsec_sa->xfs[i]->esnxf,
2534 ipsec_sa->xfs[i]->nesnxf, &xf, &xfi,
2535 ikev2_default_esp_transforms,
2536 ikev2_default_nesp_transforms);
2537
2538 p->prop_id = ipsecpropid++;
2539 p->prop_protoid = saproto;
2540 p->prop_xforms = xf;
2541 p->prop_nxforms = xfi;
2542 TAILQ_INSERT_TAIL(&pol.pol_proposals, p, prop_entry)do { (p)->prop_entry.tqe_next = ((void *)0); (p)->prop_entry
.tqe_prev = (&pol.pol_proposals)->tqh_last; *(&pol
.pol_proposals)->tqh_last = (p); (&pol.pol_proposals)->
tqh_last = &(p)->prop_entry.tqe_next; } while (0);
2543 pol.pol_nproposals++;
2544 }
2545 }
2546 }
2547
2548 for (ipa = hosts->src, ipb = hosts->dst; ipa && ipb;
2549 ipa = ipa->next, ipb = ipb->next) {
2550 for (j = 0; j < pol.pol_nipproto; j++)
2551 if (expand_flows(&pol, pol.pol_ipproto[j], ipa, ipb))
2552 fatalx("create_ike: invalid flow");
2553 if (pol.pol_nipproto == 0)
2554 if (expand_flows(&pol, 0, ipa, ipb))
2555 fatalx("create_ike: invalid flow");
2556 }
2557
2558 for (j = 0, ipa = ikecfg; ipa; ipa = ipa->next, j++) {
2559 if (j >= IKED_CFG_MAX16)
2560 break;
2561 cfg = &pol.pol_cfg[j];
2562 pol.pol_ncfg++;
2563
2564 cfg->cfg_action = ipa->action;
2565 cfg->cfg_type = ipa->type;
2566 memcpy(&cfg->cfg.address.addr, &ipa->address,
2567 sizeof(ipa->address));
2568 cfg->cfg.address.addr_mask = ipa->mask;
2569 cfg->cfg.address.addr_net = ipa->netaddress;
2570 cfg->cfg.address.addr_af = ipa->af;
2571 }
2572
2573 if (dstid)
2574 strlcpy(idstr, dstid, sizeof(idstr));
2575 else if (!pol.pol_peer.addr_net)
2576 print_host((struct sockaddr *)&pol.pol_peer.addr, idstr,
2577 sizeof(idstr));
2578
2579 ikeauth = &pol.pol_auth;
2580 switch (ikeauth->auth_method) {
2581 case IKEV2_AUTH_RSA_SIG1:
2582 pol.pol_certreqtype = IKEV2_CERT_RSA_KEY11;
2583 break;
2584 case IKEV2_AUTH_ECDSA_2569:
2585 case IKEV2_AUTH_ECDSA_38410:
2586 case IKEV2_AUTH_ECDSA_52111:
2587 pol.pol_certreqtype = IKEV2_CERT_ECDSA201;
2588 break;
2589 default:
2590 pol.pol_certreqtype = IKEV2_CERT_NONE0;
2591 break;
2592 }
2593
2594 log_debug("%s: using %s for peer %s", __func__,
2595 print_xf(ikeauth->auth_method, 0, methodxfs), idstr);
2596
2597 config_setpolicy(env, &pol, PROC_IKEV2);
2598 config_setflow(env, &pol, PROC_IKEV2);
2599
2600 rules++;
2601 ret = 0;
2602
2603done:
2604 if (ike_sa) {
2605 for (i = 0; i < ike_sa->nxfs; i++) {
2606 free(ike_sa->xfs[i]->authxf);
2607 free(ike_sa->xfs[i]->encxf);
2608 free(ike_sa->xfs[i]->groupxf);
2609 free(ike_sa->xfs[i]->prfxf);
2610 free(ike_sa->xfs[i]);
2611 }
2612 free(ike_sa->xfs);
2613 free(ike_sa);
2614 }
2615 if (ipsec_sa) {
2616 for (i = 0; i < ipsec_sa->nxfs; i++) {
2617 free(ipsec_sa->xfs[i]->authxf);
2618 free(ipsec_sa->xfs[i]->encxf);
2619 free(ipsec_sa->xfs[i]->groupxf);
2620 free(ipsec_sa->xfs[i]->prfxf);
2621 free(ipsec_sa->xfs[i]);
2622 }
2623 free(ipsec_sa->xfs);
2624 free(ipsec_sa);
2625 }
2626 TAILQ_FOREACH_SAFE(p, &pol.pol_proposals, prop_entry, ptmp)for ((p) = ((&pol.pol_proposals)->tqh_first); (p) != (
(void *)0) && ((ptmp) = ((p)->prop_entry.tqe_next)
, 1); (p) = (ptmp)) {
2627 if (p->prop_xforms != ikev2_default_ike_transforms &&
2628 p->prop_xforms != ikev2_default_ike_transforms_noauth &&
2629 p->prop_xforms != ikev2_default_esp_transforms &&
2630 p->prop_xforms != ikev2_default_esp_transforms_noauth)
2631 free(p->prop_xforms);
2632 free(p);
2633 }
2634 if (peers != NULL((void *)0)) {
2635 iaw_free(peers->src);
2636 iaw_free(peers->dst);
2637 /* peers is static, cannot be freed */
2638 }
2639 if (hosts != NULL((void *)0)) {
2640 iaw_free(hosts->src);
2641 iaw_free(hosts->dst);
2642 free(hosts);
2643 }
2644 iaw_free(ikecfg);
2645 iaw_free(ipproto);
2646 RB_FOREACH_SAFE(flow, iked_flows, &pol.pol_flows, ftmp)for ((flow) = iked_flows_RB_MINMAX(&pol.pol_flows, -1); (
(flow) != ((void *)0)) && ((ftmp) = iked_flows_RB_NEXT
(flow), 1); (flow) = (ftmp)) {
2647 RB_REMOVE(iked_flows, &pol.pol_flows, flow)iked_flows_RB_REMOVE(&pol.pol_flows, flow);
2648 free(flow);
2649 }
2650 free(name);
2651 free(srcid);
2652 free(dstid);
2653 return (ret);
2654}
2655
2656static int
2657create_flow(struct iked_policy *pol, int proto, struct ipsec_addr_wrap *ipa,
2658 struct ipsec_addr_wrap *ipb)
2659{
2660 struct iked_flow *flow;
2661 struct ipsec_addr_wrap *ippn;
2662
2663 if (ipa->af != ipb->af) {
2664 yyerror("cannot mix different address families.");
2665 return (-1);
2666 }
2667
2668 if ((flow = calloc(1, sizeof(struct iked_flow))) == NULL((void *)0))
2669 fatalx("%s: failed to alloc flow.", __func__);
2670
2671 memcpy(&flow->flow_src.addr, &ipa->address,
2672 sizeof(ipa->address));
2673 flow->flow_src.addr_af = ipa->af;
2674 flow->flow_src.addr_mask = ipa->mask;
2675 flow->flow_src.addr_net = ipa->netaddress;
2676 flow->flow_src.addr_port = ipa->port;
2677
2678 memcpy(&flow->flow_dst.addr, &ipb->address,
2679 sizeof(ipb->address));
2680 flow->flow_dst.addr_af = ipb->af;
2681 flow->flow_dst.addr_mask = ipb->mask;
2682 flow->flow_dst.addr_net = ipb->netaddress;
2683 flow->flow_dst.addr_port = ipb->port;
2684
2685 ippn = ipa->srcnat;
2686 if (ippn) {
2687 memcpy(&flow->flow_prenat.addr, &ippn->address,
2688 sizeof(ippn->address));
2689 flow->flow_prenat.addr_af = ippn->af;
2690 flow->flow_prenat.addr_mask = ippn->mask;
2691 flow->flow_prenat.addr_net = ippn->netaddress;
2692 } else {
2693 flow->flow_prenat.addr_af = 0;
2694 }
2695
2696 flow->flow_dir = IPSP_DIRECTION_OUT0x2;
2697 flow->flow_ipproto = proto;
2698 flow->flow_saproto = pol->pol_saproto;
2699 flow->flow_rdomain = pol->pol_rdomain;
2700
2701 if (RB_INSERT(iked_flows, &pol->pol_flows, flow)iked_flows_RB_INSERT(&pol->pol_flows, flow) == NULL((void *)0))
2702 pol->pol_nflows++;
2703 else {
2704 warnx("create_ike: duplicate flow");
2705 free(flow);
2706 }
2707
2708 return (0);
2709}
2710
2711static int
2712expand_flows(struct iked_policy *pol, int proto, struct ipsec_addr_wrap *src,
2713 struct ipsec_addr_wrap *dst)
2714{
2715 struct ipsec_addr_wrap *ipa = NULL((void *)0), *ipb = NULL((void *)0);
2716 int ret = -1;
2717 int srcaf, dstaf;
2718
2719 srcaf = src->af;
2720 dstaf = dst->af;
2721
2722 if (src->af == AF_UNSPEC0 &&
2723 dst->af == AF_UNSPEC0) {
2724 /* Need both IPv4 and IPv6 flows */
2725 src->af = dst->af = AF_INET2;
2726 ipa = expand_keyword(src);
2727 ipb = expand_keyword(dst);
2728 if (!ipa || !ipb)
2729 goto done;
2730 if (create_flow(pol, proto, ipa, ipb))
2731 goto done;
2732
2733 iaw_free(ipa);
2734 iaw_free(ipb);
2735 src->af = dst->af = AF_INET624;
2736 ipa = expand_keyword(src);
2737 ipb = expand_keyword(dst);
2738 if (!ipa || !ipb)
2739 goto done;
2740 if (create_flow(pol, proto, ipa, ipb))
2741 goto done;
2742 } else if (src->af == AF_UNSPEC0) {
2743 src->af = dst->af;
2744 ipa = expand_keyword(src);
2745 if (!ipa)
2746 goto done;
2747 if (create_flow(pol, proto, ipa, dst))
2748 goto done;
2749 } else if (dst->af == AF_UNSPEC0) {
2750 dst->af = src->af;
2751 ipa = expand_keyword(dst);
2752 if (!ipa)
2753 goto done;
2754 if (create_flow(pol, proto, src, ipa))
2755 goto done;
2756 } else if (create_flow(pol, proto, src, dst))
2757 goto done;
2758 ret = 0;
2759 done:
2760 src->af = srcaf;
2761 dst->af = dstaf;
2762 iaw_free(ipa);
2763 iaw_free(ipb);
2764 return (ret);
2765}
2766
2767static struct ipsec_addr_wrap *
2768expand_keyword(struct ipsec_addr_wrap *ip)
2769{
2770 switch(ip->af) {
2771 case AF_INET2:
2772 switch(ip->type) {
2773 case IPSEC_ADDR_ANY(0x1):
2774 return (host("0.0.0.0/0"));
2775 case IPSEC_ADDR_DYNAMIC(0x2):
2776 return (host("0.0.0.0"));
2777 }
2778 break;
2779 case AF_INET624:
2780 switch(ip->type) {
2781 case IPSEC_ADDR_ANY(0x1):
2782 return (host("::/0"));
2783 case IPSEC_ADDR_DYNAMIC(0x2):
2784 return (host("::"));
2785 }
2786 }
2787 return (NULL((void *)0));
2788}
2789
2790int
2791create_user(const char *user, const char *pass)
2792{
2793 struct iked_user usr;
2794
2795 bzero(&usr, sizeof(usr));
2796
2797 if (*user == '\0' || (strlcpy(usr.usr_name, user,
2798 sizeof(usr.usr_name)) >= sizeof(usr.usr_name))) {
2799 yyerror("invalid user name");
2800 return (-1);
2801 }
2802 if (*pass == '\0' || (strlcpy(usr.usr_pass, pass,
2803 sizeof(usr.usr_pass)) >= sizeof(usr.usr_pass))) {
2804 yyerror("invalid password");
2805 explicit_bzero(&usr, sizeof usr); /* zap partial password */
2806 return (-1);
2807 }
2808
2809 config_setuser(env, &usr, PROC_IKEV2);
2810
2811 rules++;
2812
2813 explicit_bzero(&usr, sizeof usr);
2814 return (0);
2815}
2816
2817void
2818iaw_free(struct ipsec_addr_wrap *head)
2819{
2820 struct ipsec_addr_wrap *n, *cur;
2821
2822 if (head == NULL((void *)0))
2823 return;
2824
2825 for (n = head; n != NULL((void *)0); ) {
2826 cur = n;
2827 n = n->next;
2828 if (cur->srcnat != NULL((void *)0)) {
2829 free(cur->srcnat->name);
2830 free(cur->srcnat);
2831 }
2832 free(cur->name);
2833 free(cur);
2834 }
2835}
2836#line 2829 "parse.c"
2837/* allocate initial stack or double stack size, up to YYMAXDEPTH */
2838static int yygrowstack(void)
2839{
2840 unsigned int newsize;
2841 long sslen;
2842 short *newss;
2843 YYSTYPE *newvs;
2844
2845 if ((newsize = yystacksize) == 0)
2846 newsize = YYINITSTACKSIZE200;
2847 else if (newsize >= YYMAXDEPTH10000)
2848 return -1;
2849 else if ((newsize *= 2) > YYMAXDEPTH10000)
2850 newsize = YYMAXDEPTH10000;
2851 sslen = yyssp - yyss;
2852#ifdef SIZE_MAX0xffffffffffffffffUL
2853#define YY_SIZE_MAX0xffffffffffffffffUL SIZE_MAX0xffffffffffffffffUL
2854#else
2855#define YY_SIZE_MAX0xffffffffffffffffUL 0xffffffffU
2856#endif
2857 if (newsize && YY_SIZE_MAX0xffffffffffffffffUL / newsize < sizeof *newss)
2858 goto bail;
2859 newss = (short *)realloc(yyss, newsize * sizeof *newss);
2860 if (newss == NULL((void *)0))
2861 goto bail;
2862 yyss = newss;
2863 yyssp = newss + sslen;
2864 if (newsize && YY_SIZE_MAX0xffffffffffffffffUL / newsize < sizeof *newvs)
2865 goto bail;
2866 newvs = (YYSTYPE *)realloc(yyvs, newsize * sizeof *newvs);
2867 if (newvs == NULL((void *)0))
2868 goto bail;
2869 yyvs = newvs;
2870 yyvsp = newvs + sslen;
2871 yystacksize = newsize;
2872 yysslim = yyss + newsize - 1;
2873 return 0;
2874bail:
2875 if (yyss)
2876 free(yyss);
2877 if (yyvs)
2878 free(yyvs);
2879 yyss = yyssp = NULL((void *)0);
2880 yyvs = yyvsp = NULL((void *)0);
2881 yystacksize = 0;
2882 return -1;
2883}
2884
2885#define YYABORTgoto yyabort goto yyabort
2886#define YYREJECTgoto yyabort goto yyabort
2887#define YYACCEPTgoto yyaccept goto yyaccept
2888#define YYERRORgoto yyerrlab goto yyerrlab
2889int
2890yyparse(void)
2891{
2892 int yym, yyn, yystate;
2893#if YYDEBUG0
2894 const char *yys;
2895
2896 if ((yys = getenv("YYDEBUG")))
2897 {
2898 yyn = *yys;
2899 if (yyn >= '0' && yyn <= '9')
2900 yydebug = yyn - '0';
2901 }
2902#endif /* YYDEBUG */
2903
2904 yynerrs = 0;
2905 yyerrflag = 0;
2906 yychar = (-1);
2907
2908 if (yyss == NULL((void *)0) && yygrowstack()) goto yyoverflow;
1
Assuming 'yyss' is not equal to NULL
2909 yyssp = yyss;
2910 yyvsp = yyvs;
2911 *yyssp = yystate = 0;
2912
2913yyloop:
2914 if ((yyn = yydefred[yystate]) != 0) goto yyreduce;
2
Taking true branch
3
Control jumps to line 3021
13
Taking false branch
24
Assuming the condition is true
25
Taking true branch
26
Control jumps to line 3021
2915 if (yychar
13.1
'yychar' is >= 0
 < 0)
14
Taking false branch
2916 {
2917 if ((yychar = yylex()) < 0) yychar = 0;
2918#if YYDEBUG0
2919 if (yydebug)
2920 {
2921 yys = 0;
2922 if (yychar <= YYMAXTOKEN328) yys = yyname[yychar];
2923 if (!yys) yys = "illegal-symbol";
2924 printf("%sdebug: state %d, reading %d (%s)\n",
2925 YYPREFIX"yy", yystate, yychar, yys);
2926 }
2927#endif
2928 }
2929 if ((yyn = yysindex[yystate]) && (yyn += yychar) >= 0 &&
15
Assuming 'yyn' is not equal to 0
16
Assuming the condition is true
19
Taking true branch
2930 yyn <= YYTABLESIZE731 && yycheck[yyn] == yychar)
17
Assuming 'yyn' is <= YYTABLESIZE
18
Assuming the condition is true
2931 {
2932#if YYDEBUG0
2933 if (yydebug)
2934 printf("%sdebug: state %d, shifting to state %d\n",
2935 YYPREFIX"yy", yystate, yytable[yyn]);
2936#endif
2937 if (yyssp >= yysslim && yygrowstack())
20
Assuming 'yyssp' is < 'yysslim'
2938 {
2939 goto yyoverflow;
2940 }
2941 *++yyssp = yystate = yytable[yyn];
2942 *++yyvsp = yylval;
2943 yychar = (-1);
2944 if (yyerrflag > 0) --yyerrflag;
21
Assuming 'yyerrflag' is <= 0
22
Taking false branch
2945 goto yyloop;
23
Control jumps to line 2914
2946 }
2947 if ((yyn = yyrindex[yystate]) && (yyn += yychar) >= 0 &&
2948 yyn <= YYTABLESIZE731 && yycheck[yyn] == yychar)
2949 {
2950 yyn = yytable[yyn];
2951 goto yyreduce;
2952 }
2953 if (yyerrflag) goto yyinrecovery;
2954#if defined(__GNUC__4)
2955 goto yynewerror;
2956#endif
2957yynewerror:
2958 yyerror("syntax error");
2959#if defined(__GNUC__4)
2960 goto yyerrlab;
2961#endif
2962yyerrlab:
2963 ++yynerrs;
2964yyinrecovery:
2965 if (yyerrflag < 3)
2966 {
2967 yyerrflag = 3;
2968 for (;;)
2969 {
2970 if ((yyn = yysindex[*yyssp]) && (yyn += YYERRCODE256) >= 0 &&
2971 yyn <= YYTABLESIZE731 && yycheck[yyn] == YYERRCODE256)
2972 {
2973#if YYDEBUG0
2974 if (yydebug)
2975 printf("%sdebug: state %d, error recovery shifting\
2976 to state %d\n", YYPREFIX"yy", *yyssp, yytable[yyn]);
2977#endif
2978 if (yyssp >= yysslim && yygrowstack())
2979 {
2980 goto yyoverflow;
2981 }
2982 *++yyssp = yystate = yytable[yyn];
2983 *++yyvsp = yylval;
2984 goto yyloop;
2985 }
2986 else
2987 {
2988#if YYDEBUG0
2989 if (yydebug)
2990 printf("%sdebug: error recovery discarding state %d\n",
2991 YYPREFIX"yy", *yyssp);
2992#endif
2993 if (yyssp <= yyss) goto yyabort;
2994 --yyssp;
2995 --yyvsp;
2996 }
2997 }
2998 }
2999 else
3000 {
3001 if (yychar == 0) goto yyabort;
3002#if YYDEBUG0
3003 if (yydebug)
3004 {
3005 yys = 0;
3006 if (yychar <= YYMAXTOKEN328) yys = yyname[yychar];
3007 if (!yys) yys = "illegal-symbol";
3008 printf("%sdebug: state %d, error recovery discards token %d (%s)\n",
3009 YYPREFIX"yy", yystate, yychar, yys);
3010 }
3011#endif
3012 yychar = (-1);
3013 goto yyloop;
3014 }
3015yyreduce:
3016#if YYDEBUG0
3017 if (yydebug)
3018 printf("%sdebug: state %d, reducing by rule %d (%s)\n",
3019 YYPREFIX"yy", yystate, yyn, yyrule[yyn]);
3020#endif
3021 yym = yylen[yyn];
3022 if (yym
3.1
'yym' is 0
)
4
Taking false branch
27
Assuming 'yym' is 0
28
Taking false branch
3023 yyval = yyvsp[1-yym];
3024 else
3025 memset(&yyval, 0, sizeof yyval);
3026 switch (yyn)
5
'Default' branch taken. Execution continues on line 4089
29
Control jumps to 'case 57:' at line 3345
3027 {
3028case 9:
3029#line 482 "/usr/src/sbin/iked/parse.y"
3030{ file->errors++; }
3031break;
3032case 12:
3033#line 489 "/usr/src/sbin/iked/parse.y"
3034{
3035 struct file *nfile;
3036
3037 if ((nfile = pushfile(yyvsp[0].v.string, 1)) == NULL((void *)0)) {
3038 yyerror("failed to include file %s", yyvsp[0].v.string);
3039 free(yyvsp[0].v.string);
3040 YYERRORgoto yyerrlab;
3041 }
3042 free(yyvsp[0].v.string);
3043
3044 file = nfile;
3045 lungetc('\n');
3046 }
3047break;
3048case 13:
3049#line 504 "/usr/src/sbin/iked/parse.y"
3050{ passive = 0; }
3051break;
3052case 14:
3053#line 505 "/usr/src/sbin/iked/parse.y"
3054{ passive = 1; }
3055break;
3056case 15:
3057#line 506 "/usr/src/sbin/iked/parse.y"
3058{ decouple = 0; }
3059break;
3060case 16:
3061#line 507 "/usr/src/sbin/iked/parse.y"
3062{ decouple = 1; }
3063break;
3064case 17:
3065#line 508 "/usr/src/sbin/iked/parse.y"
3066{ fragmentation = 1; }
3067break;
3068case 18:
3069#line 509 "/usr/src/sbin/iked/parse.y"
3070{ fragmentation = 0; }
3071break;
3072case 19:
3073#line 510 "/usr/src/sbin/iked/parse.y"
3074{ mobike = 1; }
3075break;
3076case 20:
3077#line 511 "/usr/src/sbin/iked/parse.y"
3078{ mobike = 0; }
3079break;
3080case 21:
3081#line 512 "/usr/src/sbin/iked/parse.y"
3082{ enforcesingleikesa = 1; }
3083break;
3084case 22:
3085#line 513 "/usr/src/sbin/iked/parse.y"
3086{ enforcesingleikesa = 0; }
3087break;
3088case 23:
3089#line 514 "/usr/src/sbin/iked/parse.y"
3090{ stickyaddress = 1; }
3091break;
3092case 24:
3093#line 515 "/usr/src/sbin/iked/parse.y"
3094{ stickyaddress = 0; }
3095break;
3096case 25:
3097#line 516 "/usr/src/sbin/iked/parse.y"
3098{
3099 ocsp_url = yyvsp[0].v.string;
3100 }
3101break;
3102case 26:
3103#line 519 "/usr/src/sbin/iked/parse.y"
3104{
3105 ocsp_url = yyvsp[-2].v.string;
3106 ocsp_tolerate = yyvsp[0].v.number;
3107 }
3108break;
3109case 27:
3110#line 523 "/usr/src/sbin/iked/parse.y"
3111{
3112 ocsp_url = yyvsp[-4].v.string;
3113 ocsp_tolerate = yyvsp[-2].v.number;
3114 ocsp_maxage = yyvsp[0].v.number;
3115 }
3116break;
3117case 28:
3118#line 528 "/usr/src/sbin/iked/parse.y"
3119{
3120 cert_partial_chain = 1;
3121 }
3122break;
3123case 29:
3124#line 531 "/usr/src/sbin/iked/parse.y"
3125{
3126 if (yyvsp[0].v.number < 0) {
3127 yyerror("timeout outside range");
3128 YYERRORgoto yyerrlab;
3129 }
3130 dpd_interval = yyvsp[0].v.number;
3131 }
3132break;
3133case 30:
3134#line 540 "/usr/src/sbin/iked/parse.y"
3135{
3136 if (create_user(yyvsp[-1].v.string, yyvsp[0].v.string) == -1)
3137 YYERRORgoto yyerrlab;
3138 free(yyvsp[-1].v.string);
3139 freezero(yyvsp[0].v.string, strlen(yyvsp[0].v.string));
3140 }
3141break;
3142case 31:
3143#line 550 "/usr/src/sbin/iked/parse.y"
3144{
3145 if (create_ike(yyvsp[-16].v.string, yyvsp[-13].v.number, yyvsp[-12].v.proto, yyvsp[-11].v.number, yyvsp[-10].v.hosts, &yyvsp[-9].v.peers, yyvsp[-8].v.mode, yyvsp[-7].v.mode, yyvsp[-14].v.satype,
3146 yyvsp[-15].v.ikemode, yyvsp[-6].v.ids.srcid, yyvsp[-6].v.ids.dstid, yyvsp[-5].v.number, &yyvsp[-4].v.lifetime, &yyvsp[-3].v.ikeauth,
3147 yyvsp[0].v.filters, yyvsp[-2].v.cfg, yyvsp[-1].v.string) == -1) {
3148 yyerror("create_ike failed");
3149 YYERRORgoto yyerrlab;
3150 }
3151 }
3152break;
3153case 32:
3154#line 560 "/usr/src/sbin/iked/parse.y"
3155{ yyval.v.cfg = NULL((void *)0); }
3156break;
3157case 33:
3158#line 561 "/usr/src/sbin/iked/parse.y"
3159{ yyval.v.cfg = yyvsp[0].v.cfg; }
3160break;
3161case 34:
3162#line 564 "/usr/src/sbin/iked/parse.y"
3163{ yyval.v.cfg = yyvsp[0].v.cfg; }
3164break;
3165case 35:
3166#line 565 "/usr/src/sbin/iked/parse.y"
3167{
3168 if (yyvsp[0].v.cfg == NULL((void *)0))
3169 yyval.v.cfg = yyvsp[-1].v.cfg;
3170 else if (yyvsp[-1].v.cfg == NULL((void *)0))
3171 yyval.v.cfg = yyvsp[0].v.cfg;
3172 else {
3173 yyvsp[-1].v.cfg->tail->next = yyvsp[0].v.cfg;
3174 yyvsp[-1].v.cfg->tail = yyvsp[0].v.cfg->tail;
3175 yyval.v.cfg = yyvsp[-1].v.cfg;
3176 }
3177 }
3178break;
3179case 36:
3180#line 578 "/usr/src/sbin/iked/parse.y"
3181{
3182 const struct ipsec_xf *xf;
3183
3184 if ((xf = parse_xf(yyvsp[-1].v.string, yyvsp[0].v.host->af, cpxfs)) == NULL((void *)0)) {
3185 yyerror("not a valid ikecfg option");
3186 free(yyvsp[-1].v.string);
3187 free(yyvsp[0].v.host);
3188 YYERRORgoto yyerrlab;
3189 }
3190 free(yyvsp[-1].v.string);
3191 yyval.v.cfg = yyvsp[0].v.host;
3192 yyval.v.cfg->type = xf->id;
3193 yyval.v.cfg->action = IKEV2_CP_REPLY2; /* XXX */
3194 }
3195break;
3196case 37:
3197#line 592 "/usr/src/sbin/iked/parse.y"
3198{
3199 const struct ipsec_xf *xf;
3200
3201 if ((xf = parse_xf(yyvsp[-1].v.string, yyvsp[0].v.anyhost->af, cpxfs)) == NULL((void *)0)) {
3202 yyerror("not a valid ikecfg option");
3203 free(yyvsp[-1].v.string);
3204 free(yyvsp[0].v.anyhost);
3205 YYERRORgoto yyerrlab;
3206 }
3207 free(yyvsp[-1].v.string);
3208 yyval.v.cfg = yyvsp[0].v.anyhost;
3209 yyval.v.cfg->type = xf->id;
3210 yyval.v.cfg->action = IKEV2_CP_REQUEST1; /* XXX */
3211 }
3212break;
3213case 38:
3214#line 608 "/usr/src/sbin/iked/parse.y"
3215{ yyval.v.string = NULL((void *)0); }
3216break;
3217case 39:
3218#line 609 "/usr/src/sbin/iked/parse.y"
3219{
3220 yyval.v.string = yyvsp[0].v.string;
3221 }
3222break;
3223case 40:
3224#line 613 "/usr/src/sbin/iked/parse.y"
3225{ yyval.v.satype = IKEV2_SAPROTO_ESP3; }
3226break;
3227case 41:
3228#line 614 "/usr/src/sbin/iked/parse.y"
3229{ yyval.v.satype = IKEV2_SAPROTO_ESP3; }
3230break;
3231case 42:
3232#line 615 "/usr/src/sbin/iked/parse.y"
3233{ yyval.v.satype = IKEV2_SAPROTO_AH2; }
3234break;
3235case 43:
3236#line 618 "/usr/src/sbin/iked/parse.y"
3237{ yyval.v.number = AF_UNSPEC0; }
3238break;
3239case 44:
3240#line 619 "/usr/src/sbin/iked/parse.y"
3241{ yyval.v.number = AF_INET2; }
3242break;
3243case 45:
3244#line 620 "/usr/src/sbin/iked/parse.y"
3245{ yyval.v.number = AF_INET624; }
3246break;
3247case 46:
3248#line 623 "/usr/src/sbin/iked/parse.y"
3249{ yyval.v.proto = NULL((void *)0); }
3250break;
3251case 47:
3252#line 624 "/usr/src/sbin/iked/parse.y"
3253{ yyval.v.proto = yyvsp[0].v.proto; }
3254break;
3255case 48:
3256#line 625 "/usr/src/sbin/iked/parse.y"
3257{ yyval.v.proto = yyvsp[-1].v.proto; }
3258break;
3259case 49:
3260#line 628 "/usr/src/sbin/iked/parse.y"
3261{ yyval.v.proto = yyvsp[0].v.proto; }
3262break;
3263case 50:
3264#line 629 "/usr/src/sbin/iked/parse.y"
3265{
3266 if (yyvsp[0].v.proto == NULL((void *)0))
3267 yyval.v.proto = yyvsp[-2].v.proto;
3268 else if (yyvsp[-2].v.proto == NULL((void *)0))
3269 yyval.v.proto = yyvsp[0].v.proto;
3270 else {
3271 yyvsp[-2].v.proto->tail->next = yyvsp[0].v.proto;
3272 yyvsp[-2].v.proto->tail = yyvsp[0].v.proto->tail;
3273 yyval.v.proto = yyvsp[-2].v.proto;
3274 }
3275 }
3276break;
3277case 51:
3278#line 642 "/usr/src/sbin/iked/parse.y"
3279{
3280 struct protoent *p;
3281
3282 p = getprotobyname(yyvsp[0].v.string);
3283 if (p == NULL((void *)0)) {
3284 yyerror("unknown protocol: %s", yyvsp[0].v.string);
3285 YYERRORgoto yyerrlab;
3286 }
3287
3288 if ((yyval.v.proto = calloc(1, sizeof(*yyval.v.proto))) == NULL((void *)0))
3289 err(1, "protoval: calloc");
3290
3291 yyval.v.proto->type = p->p_proto;
3292 yyval.v.proto->tail = yyval.v.proto;
3293 free(yyvsp[0].v.string);
3294 }
3295break;
3296case 52:
3297#line 658 "/usr/src/sbin/iked/parse.y"
3298{
3299 if (yyvsp[0].v.number > 255 || yyvsp[0].v.number < 0) {
3300 yyerror("protocol outside range");
3301 YYERRORgoto yyerrlab;
3302 }
3303 if ((yyval.v.proto = calloc(1, sizeof(*yyval.v.proto))) == NULL((void *)0))
3304 err(1, "protoval: calloc");
3305
3306 yyval.v.proto->type = yyvsp[0].v.number;
3307 yyval.v.proto->tail = yyval.v.proto;
3308 }
3309break;
3310case 53:
3311#line 671 "/usr/src/sbin/iked/parse.y"
3312{ yyval.v.number = -1; }
3313break;
3314case 54:
3315#line 672 "/usr/src/sbin/iked/parse.y"
3316{
3317 if (yyvsp[0].v.number > 255 || yyvsp[0].v.number < 0) {
3318 yyerror("rdomain outside range");
3319 YYERRORgoto yyerrlab;
3320 }
3321 yyval.v.number = yyvsp[0].v.number;
3322 }
3323break;
3324case 55:
3325#line 680 "/usr/src/sbin/iked/parse.y"
3326{ yyval.v.hosts = yyvsp[0].v.hosts; }
3327break;
3328case 56:
3329#line 681 "/usr/src/sbin/iked/parse.y"
3330{
3331 if (yyvsp[0].v.hosts == NULL((void *)0))
3332 yyval.v.hosts = yyvsp[-2].v.hosts;
3333 else if (yyvsp[-2].v.hosts == NULL((void *)0))
3334 yyval.v.hosts = yyvsp[0].v.hosts;
3335 else {
3336 yyvsp[-2].v.hosts->src->tail->next = yyvsp[0].v.hosts->src;
3337 yyvsp[-2].v.hosts->src->tail = yyvsp[0].v.hosts->src->tail;
3338 yyvsp[-2].v.hosts->dst->tail->next = yyvsp[0].v.hosts->dst;
3339 yyvsp[-2].v.hosts->dst->tail = yyvsp[0].v.hosts->dst->tail;
3340 yyval.v.hosts = yyvsp[-2].v.hosts;
3341 free(yyvsp[0].v.hosts);
3342 }
3343 }
3344break;
3345case 57:
3346#line 697 "/usr/src/sbin/iked/parse.y"
3347{
3348 struct ipsec_addr_wrap *ipa;
3349 for (ipa = yyvsp[-1].v.host; ipa; ipa = ipa->next) {
30
Assuming pointer value is null
31
Loop condition is false. Execution continues on line 3358
3350 if (ipa->srcnat) {
3351 yyerror("no flow NAT support for"
3352 " destination network: %s",
3353 ipa->name);
3354 YYERRORgoto yyerrlab;
3355 }
3356 }
3357
3358 if ((yyval.v.hosts = calloc(1, sizeof(*yyval.v.hosts))) == NULL((void *)0))
32
Assuming the condition is false
33
Taking false branch
3359 err(1, "hosts: calloc");
3360
3361 yyval.v.hosts->src = yyvsp[-4].v.host;
3362 yyval.v.hosts->src->port = yyvsp[-3].v.port;
3363 yyval.v.hosts->dst = yyvsp[-1].v.host;
34
Null pointer value stored to field 'dst'
3364 yyval.v.hosts->dst->port = yyvsp[0].v.port;
35
Access to field 'port' results in a dereference of a null pointer (loaded from field 'dst')
3365 }
3366break;
3367case 58:
3368#line 716 "/usr/src/sbin/iked/parse.y"
3369{
3370 struct ipsec_addr_wrap *ipa;
3371 for (ipa = yyvsp[-4].v.host; ipa; ipa = ipa->next) {
3372 if (ipa->srcnat) {
3373 yyerror("no flow NAT support for"
3374 " destination network: %s",
3375 ipa->name);
3376 YYERRORgoto yyerrlab;
3377 }
3378 }
3379 if ((yyval.v.hosts = calloc(1, sizeof(*yyval.v.hosts))) == NULL((void *)0))
3380 err(1, "hosts: calloc");
3381
3382 yyval.v.hosts->src = yyvsp[-1].v.host;
3383 yyval.v.hosts->src->port = yyvsp[0].v.port;
3384 yyval.v.hosts->dst = yyvsp[-4].v.host;
3385 yyval.v.hosts->dst->port = yyvsp[-3].v.port;
3386 }
3387break;
3388case 59:
3389#line 736 "/usr/src/sbin/iked/parse.y"
3390{ yyval.v.port = 0; }
3391break;
3392case 60:
3393#line 737 "/usr/src/sbin/iked/parse.y"
3394{ yyval.v.port = yyvsp[0].v.number; }
3395break;
3396case 61:
3397#line 740 "/usr/src/sbin/iked/parse.y"
3398{
3399 struct servent *s;
3400
3401 if ((s = getservbyname(yyvsp[0].v.string, "tcp")) != NULL((void *)0) ||
3402 (s = getservbyname(yyvsp[0].v.string, "udp")) != NULL((void *)0)) {
3403 yyval.v.number = s->s_port;
3404 } else {
3405 yyerror("unknown port: %s", yyvsp[0].v.string);
3406 YYERRORgoto yyerrlab;
3407 }
3408 free(yyvsp[0].v.string);
3409 }
3410break;
3411case 62:
3412#line 752 "/usr/src/sbin/iked/parse.y"
3413{
3414 if (yyvsp[0].v.number > USHRT_MAX(32767 *2 +1) || yyvsp[0].v.number < 0) {
3415 yyerror("port outside range");
3416 YYERRORgoto yyerrlab;
3417 }
3418 yyval.v.number = htons(yyvsp[0].v.number)(__uint16_t)(__builtin_constant_p(yyvsp[0].v.number) ? (__uint16_t
)(((__uint16_t)(yyvsp[0].v.number) & 0xffU) << 8 | (
(__uint16_t)(yyvsp[0].v.number) & 0xff00U) >> 8) : __swap16md
(yyvsp[0].v.number));
3419 }
3420break;
3421case 63:
3422#line 761 "/usr/src/sbin/iked/parse.y"
3423{
3424 yyval.v.peers.dst = NULL((void *)0);
3425 yyval.v.peers.src = NULL((void *)0);
3426 }
3427break;
3428case 64:
3429#line 765 "/usr/src/sbin/iked/parse.y"
3430{
3431 yyval.v.peers.dst = yyvsp[-2].v.anyhost;
3432 yyval.v.peers.src = yyvsp[0].v.anyhost;
3433 }
3434break;
3435case 65:
3436#line 769 "/usr/src/sbin/iked/parse.y"
3437{
3438 yyval.v.peers.dst = yyvsp[0].v.anyhost;
3439 yyval.v.peers.src = yyvsp[-2].v.anyhost;
3440 }
3441break;
3442case 66:
3443#line 773 "/usr/src/sbin/iked/parse.y"
3444{
3445 yyval.v.peers.dst = yyvsp[0].v.anyhost;
3446 yyval.v.peers.src = NULL((void *)0);
3447 }
3448break;
3449case 67:
3450#line 777 "/usr/src/sbin/iked/parse.y"
3451{
3452 yyval.v.peers.dst = NULL((void *)0);
3453 yyval.v.peers.src = yyvsp[0].v.anyhost;
3454 }
3455break;
3456case 68:
3457#line 783 "/usr/src/sbin/iked/parse.y"
3458{ yyval.v.anyhost = yyvsp[0].v.host; }
3459break;
3460case 69:
3461#line 784 "/usr/src/sbin/iked/parse.y"
3462{
3463 yyval.v.anyhost = host_any();
3464 }
3465break;
3466case 70:
3467#line 788 "/usr/src/sbin/iked/parse.y"
3468{
3469 if ((yyval.v.host = host(yyvsp[0].v.string)) == NULL((void *)0)) {
3470 free(yyvsp[0].v.string);
3471 yyerror("could not parse host specification");
3472 YYERRORgoto yyerrlab;
3473 }
3474 free(yyvsp[0].v.string);
3475 }
3476break;
3477case 71:
3478#line 796 "/usr/src/sbin/iked/parse.y"
3479{
3480 char *buf;
3481
3482 if (asprintf(&buf, "%s/%lld", yyvsp[-2].v.string, yyvsp[0].v.number) == -1)
3483 err(1, "host: asprintf");
3484 free(yyvsp[-2].v.string);
3485 if ((yyval.v.host = host(buf)) == NULL((void *)0)) {
3486 free(buf);
3487 yyerror("could not parse host specification");
3488 YYERRORgoto yyerrlab;
3489 }
3490 free(buf);
3491 }
3492break;
3493case 72:
3494#line 811 "/usr/src/sbin/iked/parse.y"
3495{ yyval.v.host = yyvsp[0].v.host; }
3496break;
3497case 73:
3498#line 812 "/usr/src/sbin/iked/parse.y"
3499{
3500 if ((yyvsp[-3].v.host->af != AF_UNSPEC0) && (yyvsp[-1].v.host->af != AF_UNSPEC0) &&
3501 (yyvsp[-1].v.host->af != yyvsp[-3].v.host->af)) {
3502 yyerror("Flow NAT address family mismatch");
3503 YYERRORgoto yyerrlab;
3504 }
3505 yyval.v.host = yyvsp[-3].v.host;
3506 yyval.v.host->srcnat = yyvsp[-1].v.host;
3507 }
3508break;
3509case 74:
3510#line 821 "/usr/src/sbin/iked/parse.y"
3511{
3512 yyval.v.host = host_any();
3513 }
3514break;
3515case 75:
3516#line 824 "/usr/src/sbin/iked/parse.y"
3517{
3518 yyval.v.host = host_dynamic();
3519 }
3520break;
3521case 76:
3522#line 829 "/usr/src/sbin/iked/parse.y"
3523{
3524 yyval.v.ids.srcid = NULL((void *)0);
3525 yyval.v.ids.dstid = NULL((void *)0);
3526 }
3527break;
3528case 77:
3529#line 833 "/usr/src/sbin/iked/parse.y"
3530{
3531 yyval.v.ids.srcid = yyvsp[-2].v.id;
3532 yyval.v.ids.dstid = yyvsp[0].v.id;
3533 }
3534break;
3535case 78:
3536#line 837 "/usr/src/sbin/iked/parse.y"
3537{
3538 yyval.v.ids.srcid = yyvsp[0].v.id;
3539 yyval.v.ids.dstid = NULL((void *)0);
3540 }
3541break;
3542case 79:
3543#line 841 "/usr/src/sbin/iked/parse.y"
3544{
3545 yyval.v.ids.srcid = NULL((void *)0);
3546 yyval.v.ids.dstid = yyvsp[0].v.id;
3547 }
3548break;
3549case 80:
3550#line 847 "/usr/src/sbin/iked/parse.y"
3551{ yyval.v.id = yyvsp[0].v.string; }
3552break;
3553case 81:
3554#line 850 "/usr/src/sbin/iked/parse.y"
3555{
3556 if ((ipsec_transforms = calloc(1,
3557 sizeof(struct ipsec_transforms))) == NULL((void *)0))
3558 err(1, "transforms: calloc");
3559 }
3560break;
3561case 82:
3562#line 855 "/usr/src/sbin/iked/parse.y"
3563{
3564 yyval.v.transforms = ipsec_transforms;
3565 }
3566break;
3567case 83:
3568#line 858 "/usr/src/sbin/iked/parse.y"
3569{
3570 yyval.v.transforms = NULL((void *)0);
3571 }
3572break;
3573case 86:
3574#line 867 "/usr/src/sbin/iked/parse.y"
3575{
3576 const struct ipsec_xf **xfs = ipsec_transforms->authxf;
3577 size_t nxfs = ipsec_transforms->nauthxf;
3578 xfs = recallocarray(xfs, nxfs, nxfs + 1,
3579 sizeof(struct ipsec_xf *));
3580 if (xfs == NULL((void *)0))
3581 err(1, "transform: recallocarray");
3582 if ((xfs[nxfs] = parse_xf(yyvsp[0].v.string, 0, authxfs)) == NULL((void *)0)) {
3583 yyerror("%s not a valid transform", yyvsp[0].v.string);
3584 YYERRORgoto yyerrlab;
3585 }
3586 free(yyvsp[0].v.string);
3587 ipsec_transforms->authxf = xfs;
3588 ipsec_transforms->nauthxf++;
3589 }
3590break;
3591case 87:
3592#line 882 "/usr/src/sbin/iked/parse.y"
3593{
3594 const struct ipsec_xf **xfs = ipsec_transforms->encxf;
3595 size_t nxfs = ipsec_transforms->nencxf;
3596 xfs = recallocarray(xfs, nxfs, nxfs + 1,
3597 sizeof(struct ipsec_xf *));
3598 if (xfs == NULL((void *)0))
3599 err(1, "transform: recallocarray");
3600 if ((xfs[nxfs] = parse_xf(yyvsp[0].v.string, 0, encxfs)) == NULL((void *)0)) {
3601 yyerror("%s not a valid transform", yyvsp[0].v.string);
3602 YYERRORgoto yyerrlab;
3603 }
3604 free(yyvsp[0].v.string);
3605 ipsec_transforms->encxf = xfs;
3606 ipsec_transforms->nencxf++;
3607 }
3608break;
3609case 88:
3610#line 897 "/usr/src/sbin/iked/parse.y"
3611{
3612 const struct ipsec_xf **xfs = ipsec_transforms->prfxf;
3613 size_t nxfs = ipsec_transforms->nprfxf;
3614 xfs = recallocarray(xfs, nxfs, nxfs + 1,
3615 sizeof(struct ipsec_xf *));
3616 if (xfs == NULL((void *)0))
3617 err(1, "transform: recallocarray");
3618 if ((xfs[nxfs] = parse_xf(yyvsp[0].v.string, 0, prfxfs)) == NULL((void *)0)) {
3619 yyerror("%s not a valid transform", yyvsp[0].v.string);
3620 YYERRORgoto yyerrlab;
3621 }
3622 free(yyvsp[0].v.string);
3623 ipsec_transforms->prfxf = xfs;
3624 ipsec_transforms->nprfxf++;
3625 }
3626break;
3627case 89:
3628#line 912 "/usr/src/sbin/iked/parse.y"
3629{
3630 const struct ipsec_xf **xfs = ipsec_transforms->groupxf;
3631 size_t nxfs = ipsec_transforms->ngroupxf;
3632 xfs = recallocarray(xfs, nxfs, nxfs + 1,
3633 sizeof(struct ipsec_xf *));
3634 if (xfs == NULL((void *)0))
3635 err(1, "transform: recallocarray");
3636 if ((xfs[nxfs] = parse_xf(yyvsp[0].v.string, 0, groupxfs)) == NULL((void *)0)) {
3637 yyerror("%s not a valid transform", yyvsp[0].v.string);
3638 YYERRORgoto yyerrlab;
3639 }
3640 free(yyvsp[0].v.string);
3641 ipsec_transforms->groupxf = xfs;
3642 ipsec_transforms->ngroupxf++;
3643 }
3644break;
3645case 90:
3646#line 927 "/usr/src/sbin/iked/parse.y"
3647{
3648 const struct ipsec_xf **xfs = ipsec_transforms->esnxf;
3649 size_t nxfs = ipsec_transforms->nesnxf;
3650 xfs = recallocarray(xfs, nxfs, nxfs + 1,
3651 sizeof(struct ipsec_xf *));
3652 if (xfs == NULL((void *)0))
3653 err(1, "transform: recallocarray");
3654 if ((xfs[nxfs] = parse_xf(yyvsp[0].v.string, 0, esnxfs)) == NULL((void *)0)) {
3655 yyerror("%s not a valid transform", yyvsp[0].v.string);
3656 YYERRORgoto yyerrlab;
3657 }
3658 ipsec_transforms->esnxf = xfs;
3659 ipsec_transforms->nesnxf++;
3660 }
3661break;
3662case 91:
3663#line 943 "/usr/src/sbin/iked/parse.y"
3664{ yyval.v.string = "esn"; }
3665break;
3666case 92:
3667#line 944 "/usr/src/sbin/iked/parse.y"
3668{ yyval.v.string = "noesn"; }
3669break;
3670case 93:
3671#line 947 "/usr/src/sbin/iked/parse.y"
3672{
3673 if ((ipsec_mode = calloc(1,
3674 sizeof(struct ipsec_mode))) == NULL((void *)0))
3675 err(1, "ike_sas: calloc");
3676 }
3677break;
3678case 94:
3679#line 952 "/usr/src/sbin/iked/parse.y"
3680{
3681 yyval.v.mode = ipsec_mode;
3682 }
3683break;
3684case 95:
3685#line 955 "/usr/src/sbin/iked/parse.y"
3686{
3687 yyval.v.mode = NULL((void *)0);
3688 }
3689break;
3690case 98:
3691#line 964 "/usr/src/sbin/iked/parse.y"
3692{
3693 if ((ipsec_mode->xfs = recallocarray(ipsec_mode->xfs,
3694 ipsec_mode->nxfs, ipsec_mode->nxfs + 1,
3695 sizeof(struct ipsec_transforms *))) == NULL((void *)0))
3696 err(1, "ike_sa: recallocarray");
3697 ipsec_mode->nxfs++;
3698 encxfs = ikeencxfs;
3699 }
3700break;
3701case 99:
3702#line 971 "/usr/src/sbin/iked/parse.y"
3703{
3704 ipsec_mode->xfs[ipsec_mode->nxfs - 1] = yyvsp[0].v.transforms;
3705 }
3706break;
3707case 100:
3708#line 976 "/usr/src/sbin/iked/parse.y"
3709{
3710 if ((ipsec_mode = calloc(1,
3711 sizeof(struct ipsec_mode))) == NULL((void *)0))
3712 err(1, "child_sas: calloc");
3713 }
3714break;
3715case 101:
3716#line 981 "/usr/src/sbin/iked/parse.y"
3717{
3718 yyval.v.mode = ipsec_mode;
3719 }
3720break;
3721case 102:
3722#line 984 "/usr/src/sbin/iked/parse.y"
3723{
3724 yyval.v.mode = NULL((void *)0);
3725 }
3726break;
3727case 105:
3728#line 993 "/usr/src/sbin/iked/parse.y"
3729{
3730 if ((ipsec_mode->xfs = recallocarray(ipsec_mode->xfs,
3731 ipsec_mode->nxfs, ipsec_mode->nxfs + 1,
3732 sizeof(struct ipsec_transforms *))) == NULL((void *)0))
3733 err(1, "child_sa: recallocarray");
3734 ipsec_mode->nxfs++;
3735 encxfs = ipsecencxfs;
3736 }
3737break;
3738case 106:
3739#line 1000 "/usr/src/sbin/iked/parse.y"
3740{
3741 ipsec_mode->xfs[ipsec_mode->nxfs - 1] = yyvsp[0].v.transforms;
3742 }
3743break;
3744case 107:
3745#line 1005 "/usr/src/sbin/iked/parse.y"
3746{ yyval.v.ikemode = yyvsp[-3].v.ikemode | yyvsp[-2].v.ikemode | yyvsp[-1].v.ikemode | yyvsp[0].v.ikemode; }
3747break;
3748case 108:
3749#line 1008 "/usr/src/sbin/iked/parse.y"
3750{ yyval.v.ikemode = 0; }
3751break;
3752case 109:
3753#line 1009 "/usr/src/sbin/iked/parse.y"
3754{ yyval.v.ikemode = IKED_POLICY_QUICK0x08; }
3755break;
3756case 110:
3757#line 1010 "/usr/src/sbin/iked/parse.y"
3758{ yyval.v.ikemode = IKED_POLICY_SKIP0x10; }
3759break;
3760case 111:
3761#line 1011 "/usr/src/sbin/iked/parse.y"
3762{ yyval.v.ikemode = IKED_POLICY_DEFAULT0x01; }
3763break;
3764case 112:
3765#line 1014 "/usr/src/sbin/iked/parse.y"
3766{ yyval.v.ikemode = IKED_POLICY_PASSIVE0x00; }
3767break;
3768case 113:
3769#line 1015 "/usr/src/sbin/iked/parse.y"
3770{ yyval.v.ikemode = IKED_POLICY_PASSIVE0x00; }
3771break;
3772case 114:
3773#line 1016 "/usr/src/sbin/iked/parse.y"
3774{ yyval.v.ikemode = IKED_POLICY_ACTIVE0x02; }
3775break;
3776case 115:
3777#line 1019 "/usr/src/sbin/iked/parse.y"
3778{ yyval.v.ikemode = 0; }
3779break;
3780case 116:
3781#line 1020 "/usr/src/sbin/iked/parse.y"
3782{ yyval.v.ikemode = IKED_POLICY_IPCOMP0x20; }
3783break;
3784case 117:
3785#line 1023 "/usr/src/sbin/iked/parse.y"
3786{ yyval.v.ikemode = 0; }
3787break;
3788case 118:
3789#line 1024 "/usr/src/sbin/iked/parse.y"
3790{ yyval.v.ikemode = 0; }
3791break;
3792case 119:
3793#line 1025 "/usr/src/sbin/iked/parse.y"
3794{ yyval.v.ikemode = IKED_POLICY_TRANSPORT0x40; }
3795break;
3796case 120:
3797#line 1028 "/usr/src/sbin/iked/parse.y"
3798{
3799 yyval.v.ikeauth.auth_method = IKEV2_AUTH_SIG_ANY255; /* default */
3800 yyval.v.ikeauth.auth_eap = 0;
3801 yyval.v.ikeauth.auth_length = 0;
3802 }
3803break;
3804case 121:
3805#line 1033 "/usr/src/sbin/iked/parse.y"
3806{
3807 memcpy(&yyval.v.ikeauth, &yyvsp[0].v.ikekey, sizeof(yyval.v.ikeauth));
3808 yyval.v.ikeauth.auth_method = IKEV2_AUTH_SHARED_KEY_MIC2;
3809 yyval.v.ikeauth.auth_eap = 0;
3810 explicit_bzero(&yyvsp[0].v.ikekey, sizeof(yyvsp[0].v.ikekey));
3811 }
3812break;
3813case 122:
3814#line 1039 "/usr/src/sbin/iked/parse.y"
3815{
3816 unsigned int i;
3817
3818 for (i = 0; i < strlen(yyvsp[0].v.string); i++)
3819 if (yyvsp[0].v.string[i] == '-')
3820 yyvsp[0].v.string[i] = '_';
3821
3822 if (strcasecmp("mschap_v2", yyvsp[0].v.string) != 0) {
3823 yyerror("unsupported EAP method: %s", yyvsp[0].v.string);
3824 free(yyvsp[0].v.string);
3825 YYERRORgoto yyerrlab;
3826 }
3827 free(yyvsp[0].v.string);
3828
3829 yyval.v.ikeauth.auth_method = IKEV2_AUTH_SIG_ANY255;
3830 yyval.v.ikeauth.auth_eap = EAP_TYPE_MSCHAP_V226;
3831 yyval.v.ikeauth.auth_length = 0;
3832 }
3833break;
3834case 123:
3835#line 1057 "/usr/src/sbin/iked/parse.y"
3836{
3837 const struct ipsec_xf *xf;
3838
3839 if ((xf = parse_xf(yyvsp[0].v.string, 0, methodxfs)) == NULL((void *)0) ||
3840 xf->id == IKEV2_AUTH_NONE0) {
3841 yyerror("not a valid authentication mode");
3842 free(yyvsp[0].v.string);
3843 YYERRORgoto yyerrlab;
3844 }
3845 free(yyvsp[0].v.string);
3846
3847 yyval.v.ikeauth.auth_method = xf->id;
3848 yyval.v.ikeauth.auth_eap = 0;
3849 yyval.v.ikeauth.auth_length = 0;
3850 }
3851break;
3852case 124:
3853#line 1074 "/usr/src/sbin/iked/parse.y"
3854{
3855 yyval.v.number = yyvsp[0].v.number;
3856 }
3857break;
3858case 125:
3859#line 1077 "/usr/src/sbin/iked/parse.y"
3860{
3861 uint64_t bytes = 0;
3862 char unit = 0;
3863
3864 if (sscanf(yyvsp[0].v.string, "%llu%c", &bytes, &unit) != 2) {
3865 yyerror("invalid byte specification: %s", yyvsp[0].v.string);
3866 YYERRORgoto yyerrlab;
3867 }
3868 free(yyvsp[0].v.string);
3869 switch (toupper((unsigned char)unit)) {
3870 case 'K':
3871 bytes *= 1024;
3872 break;
3873 case 'M':
3874 bytes *= 1024 * 1024;
3875 break;
3876 case 'G':
3877 bytes *= 1024 * 1024 * 1024;
3878 break;
3879 default:
3880 yyerror("invalid byte unit");
3881 YYERRORgoto yyerrlab;
3882 }
3883 yyval.v.number = bytes;
3884 }
3885break;
3886case 126:
3887#line 1104 "/usr/src/sbin/iked/parse.y"
3888{
3889 yyval.v.number = yyvsp[0].v.number;
3890 }
3891break;
3892case 127:
3893#line 1107 "/usr/src/sbin/iked/parse.y"
3894{
3895 uint64_t seconds = 0;
3896 char unit = 0;
3897
3898 if (sscanf(yyvsp[0].v.string, "%llu%c", &seconds, &unit) != 2) {
3899 yyerror("invalid time specification: %s", yyvsp[0].v.string);
3900 YYERRORgoto yyerrlab;
3901 }
3902 free(yyvsp[0].v.string);
3903 switch (tolower((unsigned char)unit)) {
3904 case 'm':
3905 seconds *= 60;
3906 break;
3907 case 'h':
3908 seconds *= 60 * 60;
3909 break;
3910 default:
3911 yyerror("invalid time unit");
3912 YYERRORgoto yyerrlab;
3913 }
3914 yyval.v.number = seconds;
3915 }
3916break;
3917case 128:
3918#line 1131 "/usr/src/sbin/iked/parse.y"
3919{
3920 yyval.v.lifetime = deflifetime;
3921 }
3922break;
3923case 129:
3924#line 1134 "/usr/src/sbin/iked/parse.y"
3925{
3926 yyval.v.lifetime.lt_seconds = yyvsp[0].v.number;
3927 yyval.v.lifetime.lt_bytes = deflifetime.lt_bytes;
3928 }
3929break;
3930case 130:
3931#line 1138 "/usr/src/sbin/iked/parse.y"
3932{
3933 yyval.v.lifetime.lt_seconds = yyvsp[-2].v.number;
3934 yyval.v.lifetime.lt_bytes = yyvsp[0].v.number;
3935 }
3936break;
3937case 131:
3938#line 1144 "/usr/src/sbin/iked/parse.y"
3939{
3940 yyval.v.number = 0;
3941 }
3942break;
3943case 132:
3944#line 1147 "/usr/src/sbin/iked/parse.y"
3945{
3946 yyval.v.number = yyvsp[0].v.number;
3947 }
3948break;
3949case 133:
3950#line 1151 "/usr/src/sbin/iked/parse.y"
3951{
3952 uint8_t *hex;
3953
3954 bzero(&yyval.v.ikekey, sizeof(yyval.v.ikekey));
3955
3956 hex = yyvsp[0].v.string;
3957 if (strncmp(hex, "0x", 2) == 0) {
3958 hex += 2;
3959 if (parsekey(hex, strlen(hex), &yyval.v.ikekey) != 0) {
3960 free(yyvsp[0].v.string);
3961 YYERRORgoto yyerrlab;
3962 }
3963 } else {
3964 if (strlen(yyvsp[0].v.string) > sizeof(yyval.v.ikekey.auth_data)) {
3965 yyerror("psk too long");
3966 free(yyvsp[0].v.string);
3967 YYERRORgoto yyerrlab;
3968 }
3969 strlcpy(yyval.v.ikekey.auth_data, yyvsp[0].v.string,
3970 sizeof(yyval.v.ikekey.auth_data));
3971 yyval.v.ikekey.auth_length = strlen(yyvsp[0].v.string);
3972 }
3973 freezero(yyvsp[0].v.string, strlen(yyvsp[0].v.string));
3974 }
3975break;
3976case 134:
3977#line 1175 "/usr/src/sbin/iked/parse.y"
3978{
3979 if (parsekeyfile(yyvsp[0].v.string, &yyval.v.ikekey) != 0) {
3980 free(yyvsp[0].v.string);
3981 YYERRORgoto yyerrlab;
3982 }
3983 free(yyvsp[0].v.string);
3984 }
3985break;
3986case 135:
3987#line 1184 "/usr/src/sbin/iked/parse.y"
3988{
3989 if ((ipsec_filters = calloc(1,
3990 sizeof(struct ipsec_filters))) == NULL((void *)0))
3991 err(1, "filters: calloc");
3992 }
3993break;
3994case 136:
3995#line 1189 "/usr/src/sbin/iked/parse.y"
3996{
3997 yyval.v.filters = ipsec_filters;
3998 }
3999break;
4000case 137:
4001#line 1192 "/usr/src/sbin/iked/parse.y"
4002{
4003 yyval.v.filters = NULL((void *)0);
4004 }
4005break;
4006case 140:
4007#line 1202 "/usr/src/sbin/iked/parse.y"
4008{
4009 ipsec_filters->tag = yyvsp[0].v.string;
4010 }
4011break;
4012case 141:
4013#line 1206 "/usr/src/sbin/iked/parse.y"
4014{
4015 const char *errstr = NULL((void *)0);
4016 size_t len;
4017
4018 len = strcspn(yyvsp[0].v.string, "0123456789");
4019 if (strlen("enc") != len ||
4020 strncmp("enc", yyvsp[0].v.string, len) != 0) {
4021 yyerror("invalid tap interface name: %s", yyvsp[0].v.string);
4022 free(yyvsp[0].v.string);
4023 YYERRORgoto yyerrlab;
4024 }
4025 ipsec_filters->tap =
4026 strtonum(yyvsp[0].v.string + len, 0, UINT_MAX(2147483647 *2U +1U), &errstr);
4027 free(yyvsp[0].v.string);
4028 if (errstr != NULL((void *)0)) {
4029 yyerror("invalid tap interface unit: %s",
4030 errstr);
4031 YYERRORgoto yyerrlab;
4032 }
4033 }
4034break;
4035case 142:
4036#line 1228 "/usr/src/sbin/iked/parse.y"
4037{
4038 yyval.v.string = NULL((void *)0);
4039 }
4040break;
4041case 143:
4042#line 1231 "/usr/src/sbin/iked/parse.y"
4043{
4044 yyval.v.string = yyvsp[0].v.string;
4045 }
4046break;
4047case 144:
4048#line 1236 "/usr/src/sbin/iked/parse.y"
4049{
4050 if (asprintf(&yyval.v.string, "%s %s", yyvsp[-1].v.string, yyvsp[0].v.string) == -1)
4051 err(1, "string: asprintf");
4052 free(yyvsp[-1].v.string);
4053 free(yyvsp[0].v.string);
4054 }
4055break;
4056case 146:
4057#line 1246 "/usr/src/sbin/iked/parse.y"
4058{
4059 char *s = yyvsp[-2].v.string;
4060 log_debug("%s = \"%s\"\n", yyvsp[-2].v.string, yyvsp[0].v.string);
4061 while (*s++) {
4062 if (isspace((unsigned char)*s)) {
4063 yyerror("macro name cannot contain "
4064 "whitespace");
4065 free(yyvsp[-2].v.string);
4066 free(yyvsp[0].v.string);
4067 YYERRORgoto yyerrlab;
4068 }
4069 }
4070 if (symset(yyvsp[-2].v.string, yyvsp[0].v.string, 0) == -1)
4071 err(1, "cannot store variable");
4072 free(yyvsp[-2].v.string);
4073 free(yyvsp[0].v.string);
4074 }
4075break;
4076case 156:
4077#line 1284 "/usr/src/sbin/iked/parse.y"
4078{
4079 int c;
4080
4081 while ((c = lgetc(0)) != '\n' && c != EOF(-1))
4082 ; /* nothing */
4083 if (c == '\n')
4084 lungetc(c);
4085 }
4086break;
4087#line 4080 "parse.c"
4088 }
4089 yyssp -= yym;
4090 yystate = *yyssp;
4091 yyvsp -= yym;
4092 yym = yylhs[yyn];
4093 if (yystate
5.1
'yystate' is equal to 0
 == 0 && yym
5.2
'yym' is equal to 0
 == 0)
6
Taking true branch
4094 {
4095#if YYDEBUG0
4096 if (yydebug)
4097 printf("%sdebug: after reduction, shifting from state 0 to\
4098 state %d\n", YYPREFIX"yy", YYFINAL1);
4099#endif
4100 yystate = YYFINAL1;
4101 *++yyssp = YYFINAL1;
4102 *++yyvsp = yyval;
4103 if (yychar
6.1
'yychar' is < 0
 < 0)
7
Taking true branch
4104 {
4105 if ((yychar = yylex()) < 0) yychar = 0;
8
Assuming the condition is false
9
Taking false branch
4106#if YYDEBUG0
4107 if (yydebug)
4108 {
4109 yys = 0;
4110 if (yychar <= YYMAXTOKEN328) yys = yyname[yychar];
4111 if (!yys) yys = "illegal-symbol";
4112 printf("%sdebug: state %d, reading %d (%s)\n",
4113 YYPREFIX"yy", YYFINAL1, yychar, yys);
4114 }
4115#endif
4116 }
4117 if (yychar == 0) goto yyaccept;
10
Assuming 'yychar' is not equal to 0
11
Taking false branch
4118 goto yyloop;
12
Control jumps to line 2914
4119 }
4120 if ((yyn = yygindex[yym]) && (yyn += yystate) >= 0 &&
4121 yyn <= YYTABLESIZE731 && yycheck[yyn] == yystate)
4122 yystate = yytable[yyn];
4123 else
4124 yystate = yydgoto[yym];
4125#if YYDEBUG0
4126 if (yydebug)
4127 printf("%sdebug: after reduction, shifting from state %d \
4128to state %d\n", YYPREFIX"yy", *yyssp, yystate);
4129#endif
4130 if (yyssp >= yysslim && yygrowstack())
4131 {
4132 goto yyoverflow;
4133 }
4134 *++yyssp = yystate;
4135 *++yyvsp = yyval;
4136 goto yyloop;
4137yyoverflow:
4138 yyerror("yacc stack overflow");
4139yyabort:
4140 if (yyss)
4141 free(yyss);
4142 if (yyvs)
4143 free(yyvs);
4144 yyss = yyssp = NULL((void *)0);
4145 yyvs = yyvsp = NULL((void *)0);
4146 yystacksize = 0;
4147 return (1);
4148yyaccept:
4149 if (yyss)
4150 free(yyss);
4151 if (yyvs)
4152 free(yyvs);
4153 yyss = yyssp = NULL((void *)0);
4154 yyvs = yyvsp = NULL((void *)0);
4155 yystacksize = 0;
4156 return (0);
4157}