1 /* $OpenBSD: parse.y,v 1.178 2020/02/07 13:01:34 bluhm Exp $ */ 2 3 /* 4 * Copyright (c) 2002, 2003, 2004 Henning Brauer <henning@openbsd.org> 5 * Copyright (c) 2001 Markus Friedl. All rights reserved. 6 * Copyright (c) 2001 Daniel Hartmeier. All rights reserved. 7 * Copyright (c) 2001 Theo de Raadt. All rights reserved. 8 * Copyright (c) 2004, 2005 Hans-Joerg Hoexer <hshoexer@openbsd.org> 9 * 10 * Permission to use, copy, modify, and distribute this software for any 11 * purpose with or without fee is hereby granted, provided that the above 12 * copyright notice and this permission notice appear in all copies. 13 * 14 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 15 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 16 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 17 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 18 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 19 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 20 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 21 */ 22 23 %{ 24 #include <sys/types.h> 25 #include <sys/ioctl.h> 26 #include <sys/queue.h> 27 #include <sys/socket.h> 28 #include <sys/stat.h> 29 #include <net/if.h> 30 #include <netinet/in.h> 31 #include <netinet/ip_ipsp.h> 32 #include <arpa/inet.h> 33 34 #include <ctype.h> 35 #include <err.h> 36 #include <errno.h> 37 #include <fcntl.h> 38 #include <ifaddrs.h> 39 #include <limits.h> 40 #include <netdb.h> 41 #include <stdarg.h> 42 #include <stdio.h> 43 #include <string.h> 44 #include <syslog.h> 45 #include <unistd.h> 46 #include <netdb.h> 47 48 #include "ipsecctl.h" 49 50 TAILQ_HEAD(files, file) files = TAILQ_HEAD_INITIALIZER(files); 51 static struct file { 52 TAILQ_ENTRY(file) entry; 53 FILE *stream; 54 char *name; 55 int lineno; 56 int errors; 57 } *file, *topfile; 58 struct file *pushfile(const char *, int); 59 int popfile(void); 60 int check_file_secrecy(int, const char *); 61 int yyparse(void); 62 int yylex(void); 63 int yyerror(const char *, ...) 64 __attribute__((__format__ (printf, 1, 2))) 65 __attribute__((__nonnull__ (1))); 66 int yywarn(const char *, ...) 67 __attribute__((__format__ (printf, 1, 2))) 68 __attribute__((__nonnull__ (1))); 69 int kw_cmp(const void *, const void *); 70 int lookup(char *); 71 int lgetc(int); 72 int lungetc(int); 73 int findeol(void); 74 75 TAILQ_HEAD(symhead, sym) symhead = TAILQ_HEAD_INITIALIZER(symhead); 76 struct sym { 77 TAILQ_ENTRY(sym) entry; 78 int used; 79 int persist; 80 char *nam; 81 char *val; 82 }; 83 int symset(const char *, const char *, int); 84 char *symget(const char *); 85 int cmdline_symset(char *); 86 87 #define KEYSIZE_LIMIT 1024 88 89 static struct ipsecctl *ipsec = NULL; 90 static int debug = 0; 91 92 const struct ipsec_xf authxfs[] = { 93 { "unknown", AUTHXF_UNKNOWN, 0, 0 }, 94 { "none", AUTHXF_NONE, 0, 0 }, 95 { "hmac-md5", AUTHXF_HMAC_MD5, 16, 0 }, 96 { "hmac-ripemd160", AUTHXF_HMAC_RIPEMD160, 20, 0 }, 97 { "hmac-sha1", AUTHXF_HMAC_SHA1, 20, 0 }, 98 { "hmac-sha2-256", AUTHXF_HMAC_SHA2_256, 32, 0 }, 99 { "hmac-sha2-384", AUTHXF_HMAC_SHA2_384, 48, 0 }, 100 { "hmac-sha2-512", AUTHXF_HMAC_SHA2_512, 64, 0 }, 101 { NULL, 0, 0, 0 }, 102 }; 103 104 const struct ipsec_xf encxfs[] = { 105 { "unknown", ENCXF_UNKNOWN, 0, 0, 0, 0 }, 106 { "none", ENCXF_NONE, 0, 0, 0, 0 }, 107 { "3des-cbc", ENCXF_3DES_CBC, 24, 24, 0, 0 }, 108 { "aes", ENCXF_AES, 16, 32, 0, 0 }, 109 { "aes-128", ENCXF_AES_128, 16, 16, 0, 0 }, 110 { "aes-192", ENCXF_AES_192, 24, 24, 0, 0 }, 111 { "aes-256", ENCXF_AES_256, 32, 32, 0, 0 }, 112 { "aesctr", ENCXF_AESCTR, 16+4, 32+4, 0, 1 }, 113 { "aes-128-ctr", ENCXF_AES_128_CTR, 16+4, 16+4, 0, 1 }, 114 { "aes-192-ctr", ENCXF_AES_192_CTR, 24+4, 24+4, 0, 1 }, 115 { "aes-256-ctr", ENCXF_AES_256_CTR, 32+4, 32+4, 0, 1 }, 116 { "aes-128-gcm", ENCXF_AES_128_GCM, 16+4, 16+4, 1, 1 }, 117 { "aes-192-gcm", ENCXF_AES_192_GCM, 24+4, 24+4, 1, 1 }, 118 { "aes-256-gcm", ENCXF_AES_256_GCM, 32+4, 32+4, 1, 1 }, 119 { "aes-128-gmac", ENCXF_AES_128_GMAC, 16+4, 16+4, 1, 1 }, 120 { "aes-192-gmac", ENCXF_AES_192_GMAC, 24+4, 24+4, 1, 1 }, 121 { "aes-256-gmac", ENCXF_AES_256_GMAC, 32+4, 32+4, 1, 1 }, 122 { "blowfish", ENCXF_BLOWFISH, 5, 56, 0, 0 }, 123 { "cast128", ENCXF_CAST128, 5, 16, 0, 0 }, 124 { "chacha20-poly1305", ENCXF_CHACHA20_POLY1305, 32+4, 32+4, 1, 1 }, 125 { "null", ENCXF_NULL, 0, 0, 0, 0 }, 126 { NULL, 0, 0, 0, 0, 0 }, 127 }; 128 129 const struct ipsec_xf compxfs[] = { 130 { "unknown", COMPXF_UNKNOWN, 0, 0 }, 131 { "deflate", COMPXF_DEFLATE, 0, 0 }, 132 { "lzs", COMPXF_LZS, 0, 0 }, 133 { NULL, 0, 0, 0 }, 134 }; 135 136 const struct ipsec_xf groupxfs[] = { 137 { "unknown", GROUPXF_UNKNOWN, 0, 0 }, 138 { "none", GROUPXF_NONE, 0, 0 }, 139 { "modp768", GROUPXF_1, 768, 0 }, 140 { "grp1", GROUPXF_1, 768, 0 }, 141 { "modp1024", GROUPXF_2, 1024, 0 }, 142 { "grp2", GROUPXF_2, 1024, 0 }, 143 { "modp1536", GROUPXF_5, 1536, 0 }, 144 { "grp5", GROUPXF_5, 1536, 0 }, 145 { "modp2048", GROUPXF_14, 2048, 0 }, 146 { "grp14", GROUPXF_14, 2048, 0 }, 147 { "modp3072", GROUPXF_15, 3072, 0 }, 148 { "grp15", GROUPXF_15, 3072, 0 }, 149 { "modp4096", GROUPXF_16, 4096, 0 }, 150 { "grp16", GROUPXF_16, 4096, 0 }, 151 { "modp6144", GROUPXF_17, 6144, 0 }, 152 { "grp17", GROUPXF_17, 6144, 0 }, 153 { "modp8192", GROUPXF_18, 8192, 0 }, 154 { "grp18", GROUPXF_18, 8192, 0 }, 155 { "ecp256", GROUPXF_19, 256, 0 }, 156 { "grp19", GROUPXF_19, 256, 0 }, 157 { "ecp384", GROUPXF_20, 384, 0 }, 158 { "grp20", GROUPXF_20, 384, 0 }, 159 { "ecp521", GROUPXF_21, 521, 0 }, 160 { "grp21", GROUPXF_21, 521, 0 }, 161 { "ecp192", GROUPXF_25, 192, 0 }, 162 { "grp25", GROUPXF_25, 192, 0 }, 163 { "ecp224", GROUPXF_26, 224, 0 }, 164 { "grp26", GROUPXF_26, 224, 0 }, 165 { "bp224", GROUPXF_27, 224, 0 }, 166 { "grp27", GROUPXF_27, 224, 0 }, 167 { "bp256", GROUPXF_28, 256, 0 }, 168 { "grp28", GROUPXF_28, 256, 0 }, 169 { "bp384", GROUPXF_29, 384, 0 }, 170 { "grp29", GROUPXF_29, 384, 0 }, 171 { "bp512", GROUPXF_30, 512, 0 }, 172 { "grp30", GROUPXF_30, 512, 0 }, 173 { NULL, 0, 0, 0 }, 174 }; 175 176 int atoul(char *, u_long *); 177 int atospi(char *, u_int32_t *); 178 u_int8_t x2i(unsigned char *); 179 struct ipsec_key *parsekey(unsigned char *, size_t); 180 struct ipsec_key *parsekeyfile(char *); 181 struct ipsec_addr_wrap *host(const char *); 182 struct ipsec_addr_wrap *host_v6(const char *, int); 183 struct ipsec_addr_wrap *host_v4(const char *, int); 184 struct ipsec_addr_wrap *host_dns(const char *, int); 185 struct ipsec_addr_wrap *host_if(const char *, int); 186 struct ipsec_addr_wrap *host_any(void); 187 void ifa_load(void); 188 int ifa_exists(const char *); 189 struct ipsec_addr_wrap *ifa_lookup(const char *ifa_name); 190 struct ipsec_addr_wrap *ifa_grouplookup(const char *); 191 void set_ipmask(struct ipsec_addr_wrap *, u_int8_t); 192 const struct ipsec_xf *parse_xf(const char *, const struct ipsec_xf *); 193 struct ipsec_lifetime *parse_life(const char *); 194 struct ipsec_transforms *copytransforms(const struct ipsec_transforms *); 195 struct ipsec_lifetime *copylife(const struct ipsec_lifetime *); 196 struct ipsec_auth *copyipsecauth(const struct ipsec_auth *); 197 struct ike_auth *copyikeauth(const struct ike_auth *); 198 struct ipsec_key *copykey(struct ipsec_key *); 199 struct ipsec_addr_wrap *copyhost(const struct ipsec_addr_wrap *); 200 char *copytag(const char *); 201 struct ipsec_rule *copyrule(struct ipsec_rule *); 202 int validate_af(struct ipsec_addr_wrap *, 203 struct ipsec_addr_wrap *); 204 int validate_sa(u_int32_t, u_int8_t, 205 struct ipsec_transforms *, struct ipsec_key *, 206 struct ipsec_key *, u_int8_t); 207 struct ipsec_rule *create_sa(u_int8_t, u_int8_t, struct ipsec_hosts *, 208 u_int32_t, u_int8_t, u_int16_t, 209 struct ipsec_transforms *, 210 struct ipsec_key *, struct ipsec_key *); 211 struct ipsec_rule *reverse_sa(struct ipsec_rule *, u_int32_t, 212 struct ipsec_key *, struct ipsec_key *); 213 struct ipsec_rule *create_sabundle(struct ipsec_addr_wrap *, u_int8_t, 214 u_int32_t, struct ipsec_addr_wrap *, u_int8_t, 215 u_int32_t); 216 struct ipsec_rule *create_flow(u_int8_t, u_int8_t, struct ipsec_hosts *, 217 u_int8_t, char *, char *, u_int8_t); 218 int set_rule_peers(struct ipsec_rule *r, 219 struct ipsec_hosts *peers); 220 void expand_any(struct ipsec_addr_wrap *); 221 int expand_rule(struct ipsec_rule *, struct ipsec_hosts *, 222 u_int8_t, u_int32_t, struct ipsec_key *, 223 struct ipsec_key *, char *); 224 struct ipsec_rule *reverse_rule(struct ipsec_rule *); 225 struct ipsec_rule *create_ike(u_int8_t, struct ipsec_hosts *, 226 struct ike_mode *, struct ike_mode *, u_int8_t, 227 u_int8_t, u_int8_t, char *, char *, 228 struct ike_auth *, char *); 229 int add_sabundle(struct ipsec_rule *, char *); 230 int get_id_type(char *); 231 232 struct ipsec_transforms *ipsec_transforms; 233 234 typedef struct { 235 union { 236 int64_t number; 237 u_int8_t ikemode; 238 u_int8_t dir; 239 u_int8_t satype; /* encapsulating prococol */ 240 u_int8_t proto; /* encapsulated protocol */ 241 u_int8_t tmode; 242 char *string; 243 u_int16_t port; 244 struct ipsec_hosts hosts; 245 struct ipsec_hosts peers; 246 struct ipsec_addr_wrap *anyhost; 247 struct ipsec_addr_wrap *singlehost; 248 struct ipsec_addr_wrap *host; 249 struct { 250 char *srcid; 251 char *dstid; 252 } ids; 253 char *id; 254 u_int8_t type; 255 struct ike_auth ikeauth; 256 struct { 257 u_int32_t spiout; 258 u_int32_t spiin; 259 } spis; 260 struct { 261 u_int8_t encap; 262 u_int16_t port; 263 } udpencap; 264 struct { 265 struct ipsec_key *keyout; 266 struct ipsec_key *keyin; 267 } authkeys; 268 struct { 269 struct ipsec_key *keyout; 270 struct ipsec_key *keyin; 271 } enckeys; 272 struct { 273 struct ipsec_key *keyout; 274 struct ipsec_key *keyin; 275 } keys; 276 struct ipsec_transforms *transforms; 277 struct ipsec_lifetime *life; 278 struct ike_mode *mode; 279 } v; 280 int lineno; 281 } YYSTYPE; 282 283 %} 284 285 %token FLOW FROM ESP AH IN PEER ON OUT TO SRCID DSTID RSA PSK TCPMD5 SPI 286 %token AUTHKEY ENCKEY FILENAME AUTHXF ENCXF ERROR IKE MAIN QUICK AGGRESSIVE 287 %token PASSIVE ACTIVE ANY IPIP IPCOMP COMPXF TUNNEL TRANSPORT DYNAMIC LIFETIME 288 %token TYPE DENY BYPASS LOCAL PROTO USE ACQUIRE REQUIRE DONTACQ GROUP PORT TAG 289 %token INCLUDE BUNDLE UDPENCAP 290 %token <v.string> STRING 291 %token <v.number> NUMBER 292 %type <v.string> string 293 %type <v.dir> dir 294 %type <v.satype> satype 295 %type <v.proto> proto 296 %type <v.number> protoval 297 %type <v.tmode> tmode 298 %type <v.hosts> hosts 299 %type <v.port> port 300 %type <v.number> portval 301 %type <v.peers> peers 302 %type <v.anyhost> anyhost 303 %type <v.singlehost> singlehost 304 %type <v.host> host host_list host_spec 305 %type <v.ids> ids 306 %type <v.id> id 307 %type <v.spis> spispec 308 %type <v.udpencap> udpencap 309 %type <v.authkeys> authkeyspec 310 %type <v.enckeys> enckeyspec 311 %type <v.string> bundlestring 312 %type <v.keys> keyspec 313 %type <v.transforms> transforms 314 %type <v.ikemode> ikemode 315 %type <v.ikeauth> ikeauth 316 %type <v.type> type 317 %type <v.life> lifetime 318 %type <v.mode> phase1mode phase2mode 319 %type <v.string> tag 320 %% 321 322 grammar : /* empty */ 323 | grammar include '\n' 324 | grammar '\n' 325 | grammar ikerule '\n' 326 | grammar flowrule '\n' 327 | grammar sarule '\n' 328 | grammar tcpmd5rule '\n' 329 | grammar varset '\n' 330 | grammar error '\n' { file->errors++; } 331 ; 332 333 comma : ',' 334 | /* empty */ 335 ; 336 337 include : INCLUDE STRING { 338 struct file *nfile; 339 340 if ((nfile = pushfile($2, 0)) == NULL) { 341 yyerror("failed to include file %s", $2); 342 free($2); 343 YYERROR; 344 } 345 free($2); 346 347 file = nfile; 348 lungetc('\n'); 349 } 350 ; 351 352 tcpmd5rule : TCPMD5 hosts spispec authkeyspec { 353 struct ipsec_rule *r; 354 355 r = create_sa(IPSEC_TCPMD5, IPSEC_TRANSPORT, &$2, 356 $3.spiout, 0, 0, NULL, $4.keyout, NULL); 357 if (r == NULL) 358 YYERROR; 359 360 if (expand_rule(r, NULL, 0, $3.spiin, $4.keyin, NULL, 361 NULL)) 362 errx(1, "tcpmd5rule: expand_rule"); 363 } 364 ; 365 366 sarule : satype tmode hosts spispec udpencap transforms authkeyspec 367 enckeyspec bundlestring { 368 struct ipsec_rule *r; 369 370 r = create_sa($1, $2, &$3, $4.spiout, $5.encap, $5.port, 371 $6, $7.keyout, $8.keyout); 372 if (r == NULL) 373 YYERROR; 374 375 if (expand_rule(r, NULL, 0, $4.spiin, $7.keyin, 376 $8.keyin, $9)) 377 errx(1, "sarule: expand_rule"); 378 } 379 ; 380 381 flowrule : FLOW satype dir proto hosts peers ids type { 382 struct ipsec_rule *r; 383 384 r = create_flow($3, $4, &$5, $2, $7.srcid, 385 $7.dstid, $8); 386 if (r == NULL) 387 YYERROR; 388 389 if (expand_rule(r, &$6, $3, 0, NULL, NULL, NULL)) 390 errx(1, "flowrule: expand_rule"); 391 } 392 ; 393 394 ikerule : IKE ikemode satype tmode proto hosts peers 395 phase1mode phase2mode ids ikeauth tag { 396 struct ipsec_rule *r; 397 398 r = create_ike($5, &$6, $8, $9, $3, $4, $2, 399 $10.srcid, $10.dstid, &$11, $12); 400 if (r == NULL) 401 YYERROR; 402 403 if (expand_rule(r, &$7, 0, 0, NULL, NULL, NULL)) 404 errx(1, "ikerule: expand_rule"); 405 } 406 ; 407 408 satype : /* empty */ { $$ = IPSEC_ESP; } 409 | ESP { $$ = IPSEC_ESP; } 410 | AH { $$ = IPSEC_AH; } 411 | IPCOMP { $$ = IPSEC_IPCOMP; } 412 | IPIP { $$ = IPSEC_IPIP; } 413 ; 414 415 proto : /* empty */ { $$ = 0; } 416 | PROTO protoval { $$ = $2; } 417 | PROTO ESP { $$ = IPPROTO_ESP; } 418 | PROTO AH { $$ = IPPROTO_AH; } 419 ; 420 421 protoval : STRING { 422 struct protoent *p; 423 424 p = getprotobyname($1); 425 if (p == NULL) { 426 yyerror("unknown protocol: %s", $1); 427 YYERROR; 428 } 429 $$ = p->p_proto; 430 free($1); 431 } 432 | NUMBER { 433 if ($1 > 255 || $1 < 0) { 434 yyerror("protocol outside range"); 435 YYERROR; 436 } 437 } 438 ; 439 440 tmode : /* empty */ { $$ = IPSEC_TUNNEL; } 441 | TUNNEL { $$ = IPSEC_TUNNEL; } 442 | TRANSPORT { $$ = IPSEC_TRANSPORT; } 443 ; 444 445 dir : /* empty */ { $$ = IPSEC_INOUT; } 446 | IN { $$ = IPSEC_IN; } 447 | OUT { $$ = IPSEC_OUT; } 448 ; 449 450 hosts : FROM host port TO host port { 451 struct ipsec_addr_wrap *ipa; 452 for (ipa = $5; ipa; ipa = ipa->next) { 453 if (ipa->srcnat) { 454 yyerror("no flow NAT support for" 455 " destination network: %s", ipa->name); 456 YYERROR; 457 } 458 } 459 $$.src = $2; 460 $$.sport = $3; 461 $$.dst = $5; 462 $$.dport = $6; 463 } 464 | TO host port FROM host port { 465 struct ipsec_addr_wrap *ipa; 466 for (ipa = $2; ipa; ipa = ipa->next) { 467 if (ipa->srcnat) { 468 yyerror("no flow NAT support for" 469 " destination network: %s", ipa->name); 470 YYERROR; 471 } 472 } 473 $$.src = $5; 474 $$.sport = $6; 475 $$.dst = $2; 476 $$.dport = $3; 477 } 478 ; 479 480 port : /* empty */ { $$ = 0; } 481 | PORT portval { $$ = $2; } 482 ; 483 484 portval : STRING { 485 struct servent *s; 486 487 if ((s = getservbyname($1, "tcp")) != NULL || 488 (s = getservbyname($1, "udp")) != NULL) { 489 $$ = s->s_port; 490 } else { 491 yyerror("unknown port: %s", $1); 492 YYERROR; 493 } 494 } 495 | NUMBER { 496 if ($1 > USHRT_MAX || $1 < 0) { 497 yyerror("port outside range"); 498 YYERROR; 499 } 500 $$ = htons($1); 501 } 502 ; 503 504 peers : /* empty */ { 505 $$.dst = NULL; 506 $$.src = NULL; 507 } 508 | PEER anyhost LOCAL singlehost { 509 $$.dst = $2; 510 $$.src = $4; 511 } 512 | LOCAL singlehost PEER anyhost { 513 $$.dst = $4; 514 $$.src = $2; 515 } 516 | PEER anyhost { 517 $$.dst = $2; 518 $$.src = NULL; 519 } 520 | LOCAL singlehost { 521 $$.dst = NULL; 522 $$.src = $2; 523 } 524 ; 525 526 anyhost : singlehost { $$ = $1; } 527 | ANY { 528 $$ = host_any(); 529 } 530 531 singlehost : /* empty */ { $$ = NULL; } 532 | STRING { 533 if (($$ = host($1)) == NULL) { 534 free($1); 535 yyerror("could not parse host specification"); 536 YYERROR; 537 } 538 free($1); 539 } 540 ; 541 542 host_list : host { $$ = $1; } 543 | host_list comma host { 544 if ($3 == NULL) 545 $$ = $1; 546 else if ($1 == NULL) 547 $$ = $3; 548 else { 549 $1->tail->next = $3; 550 $1->tail = $3->tail; 551 $$ = $1; 552 } 553 } 554 ; 555 556 host_spec : STRING { 557 if (($$ = host($1)) == NULL) { 558 free($1); 559 yyerror("could not parse host specification"); 560 YYERROR; 561 } 562 free($1); 563 } 564 | STRING '/' NUMBER { 565 char *buf; 566 567 if (asprintf(&buf, "%s/%lld", $1, $3) == -1) 568 err(1, "host: asprintf"); 569 free($1); 570 if (($$ = host(buf)) == NULL) { 571 free(buf); 572 yyerror("could not parse host specification"); 573 YYERROR; 574 } 575 free(buf); 576 } 577 ; 578 579 host : host_spec { $$ = $1; } 580 | host_spec '(' host_spec ')' { 581 if ($3->af != $1->af) { 582 yyerror("Flow NAT address family mismatch"); 583 YYERROR; 584 } 585 $$ = $1; 586 $$->srcnat = $3; 587 } 588 | ANY { 589 $$ = host_any(); 590 } 591 | '{' host_list '}' { $$ = $2; } 592 ; 593 594 ids : /* empty */ { 595 $$.srcid = NULL; 596 $$.dstid = NULL; 597 } 598 | SRCID id DSTID id { 599 $$.srcid = $2; 600 $$.dstid = $4; 601 } 602 | SRCID id { 603 $$.srcid = $2; 604 $$.dstid = NULL; 605 } 606 | DSTID id { 607 $$.srcid = NULL; 608 $$.dstid = $2; 609 } 610 ; 611 612 type : /* empty */ { 613 $$ = TYPE_UNKNOWN; 614 } 615 | TYPE USE { 616 $$ = TYPE_USE; 617 } 618 | TYPE ACQUIRE { 619 $$ = TYPE_ACQUIRE; 620 } 621 | TYPE REQUIRE { 622 $$ = TYPE_REQUIRE; 623 } 624 | TYPE DENY { 625 $$ = TYPE_DENY; 626 } 627 | TYPE BYPASS { 628 $$ = TYPE_BYPASS; 629 } 630 | TYPE DONTACQ { 631 $$ = TYPE_DONTACQ; 632 } 633 ; 634 635 id : STRING { $$ = $1; } 636 ; 637 638 spispec : SPI STRING { 639 u_int32_t spi; 640 char *p = strchr($2, ':'); 641 642 if (p != NULL) { 643 *p++ = 0; 644 645 if (atospi(p, &spi) == -1) { 646 free($2); 647 YYERROR; 648 } 649 $$.spiin = spi; 650 } else 651 $$.spiin = 0; 652 653 if (atospi($2, &spi) == -1) { 654 free($2); 655 YYERROR; 656 } 657 $$.spiout = spi; 658 659 660 free($2); 661 } 662 | SPI NUMBER { 663 if ($2 > UINT_MAX || $2 < 0) { 664 yyerror("%lld not a valid spi", $2); 665 YYERROR; 666 } 667 if ($2 >= SPI_RESERVED_MIN && $2 <= SPI_RESERVED_MAX) { 668 yyerror("%lld within reserved spi range", $2); 669 YYERROR; 670 } 671 672 $$.spiin = 0; 673 $$.spiout = $2; 674 } 675 ; 676 677 udpencap : /* empty */ { 678 $$.encap = 0; 679 } 680 | UDPENCAP { 681 $$.encap = 1; 682 $$.port = 0; 683 } 684 | UDPENCAP PORT NUMBER { 685 $$.encap = 1; 686 $$.port = $3; 687 } 688 ; 689 690 transforms : { 691 if ((ipsec_transforms = calloc(1, 692 sizeof(struct ipsec_transforms))) == NULL) 693 err(1, "transforms: calloc"); 694 } 695 transforms_l 696 { $$ = ipsec_transforms; } 697 | /* empty */ { 698 if (($$ = calloc(1, 699 sizeof(struct ipsec_transforms))) == NULL) 700 err(1, "transforms: calloc"); 701 } 702 ; 703 704 transforms_l : transforms_l transform 705 | transform 706 ; 707 708 transform : AUTHXF STRING { 709 if (ipsec_transforms->authxf) 710 yyerror("auth already set"); 711 else { 712 ipsec_transforms->authxf = parse_xf($2, 713 authxfs); 714 if (!ipsec_transforms->authxf) 715 yyerror("%s not a valid transform", $2); 716 } 717 } 718 | ENCXF STRING { 719 if (ipsec_transforms->encxf) 720 yyerror("enc already set"); 721 else { 722 ipsec_transforms->encxf = parse_xf($2, encxfs); 723 if (!ipsec_transforms->encxf) 724 yyerror("%s not a valid transform", $2); 725 } 726 } 727 | COMPXF STRING { 728 if (ipsec_transforms->compxf) 729 yyerror("comp already set"); 730 else { 731 ipsec_transforms->compxf = parse_xf($2, 732 compxfs); 733 if (!ipsec_transforms->compxf) 734 yyerror("%s not a valid transform", $2); 735 } 736 } 737 | GROUP STRING { 738 if (ipsec_transforms->groupxf) 739 yyerror("group already set"); 740 else { 741 ipsec_transforms->groupxf = parse_xf($2, 742 groupxfs); 743 if (!ipsec_transforms->groupxf) 744 yyerror("%s not a valid transform", $2); 745 } 746 } 747 ; 748 749 phase1mode : /* empty */ { 750 struct ike_mode *p1; 751 752 /* We create just an empty main mode */ 753 if ((p1 = calloc(1, sizeof(struct ike_mode))) == NULL) 754 err(1, "phase1mode: calloc"); 755 p1->ike_exch = IKE_MM; 756 $$ = p1; 757 } 758 | MAIN transforms lifetime { 759 struct ike_mode *p1; 760 761 if ((p1 = calloc(1, sizeof(struct ike_mode))) == NULL) 762 err(1, "phase1mode: calloc"); 763 p1->xfs = $2; 764 p1->life = $3; 765 p1->ike_exch = IKE_MM; 766 $$ = p1; 767 } 768 | AGGRESSIVE transforms lifetime { 769 struct ike_mode *p1; 770 771 if ((p1 = calloc(1, sizeof(struct ike_mode))) == NULL) 772 err(1, "phase1mode: calloc"); 773 p1->xfs = $2; 774 p1->life = $3; 775 p1->ike_exch = IKE_AM; 776 $$ = p1; 777 } 778 ; 779 780 phase2mode : /* empty */ { 781 struct ike_mode *p2; 782 783 /* We create just an empty quick mode */ 784 if ((p2 = calloc(1, sizeof(struct ike_mode))) == NULL) 785 err(1, "phase2mode: calloc"); 786 p2->ike_exch = IKE_QM; 787 $$ = p2; 788 } 789 | QUICK transforms lifetime { 790 struct ike_mode *p2; 791 792 if ((p2 = calloc(1, sizeof(struct ike_mode))) == NULL) 793 err(1, "phase2mode: calloc"); 794 p2->xfs = $2; 795 p2->life = $3; 796 p2->ike_exch = IKE_QM; 797 $$ = p2; 798 } 799 ; 800 801 lifetime : /* empty */ { 802 struct ipsec_lifetime *life; 803 804 /* We create just an empty transform */ 805 if ((life = calloc(1, sizeof(struct ipsec_lifetime))) 806 == NULL) 807 err(1, "life: calloc"); 808 life->lt_seconds = -1; 809 life->lt_bytes = -1; 810 $$ = life; 811 } 812 | LIFETIME NUMBER { 813 struct ipsec_lifetime *life; 814 815 if ((life = calloc(1, sizeof(struct ipsec_lifetime))) 816 == NULL) 817 err(1, "life: calloc"); 818 life->lt_seconds = $2; 819 life->lt_bytes = -1; 820 $$ = life; 821 } 822 | LIFETIME STRING { 823 $$ = parse_life($2); 824 } 825 ; 826 827 authkeyspec : /* empty */ { 828 $$.keyout = NULL; 829 $$.keyin = NULL; 830 } 831 | AUTHKEY keyspec { 832 $$.keyout = $2.keyout; 833 $$.keyin = $2.keyin; 834 } 835 ; 836 837 enckeyspec : /* empty */ { 838 $$.keyout = NULL; 839 $$.keyin = NULL; 840 } 841 | ENCKEY keyspec { 842 $$.keyout = $2.keyout; 843 $$.keyin = $2.keyin; 844 } 845 ; 846 847 bundlestring : /* empty */ { $$ = NULL; } 848 | BUNDLE STRING { $$ = $2; } 849 ; 850 851 keyspec : STRING { 852 unsigned char *hex; 853 unsigned char *p = strchr($1, ':'); 854 855 if (p != NULL ) { 856 *p++ = 0; 857 858 if (!strncmp(p, "0x", 2)) 859 p += 2; 860 $$.keyin = parsekey(p, strlen(p)); 861 } else 862 $$.keyin = NULL; 863 864 hex = $1; 865 if (!strncmp(hex, "0x", 2)) 866 hex += 2; 867 $$.keyout = parsekey(hex, strlen(hex)); 868 869 free($1); 870 } 871 | FILENAME STRING { 872 unsigned char *p = strchr($2, ':'); 873 874 if (p != NULL) { 875 *p++ = 0; 876 $$.keyin = parsekeyfile(p); 877 } 878 $$.keyout = parsekeyfile($2); 879 free($2); 880 } 881 ; 882 883 ikemode : /* empty */ { $$ = IKE_ACTIVE; } 884 | PASSIVE { $$ = IKE_PASSIVE; } 885 | DYNAMIC { $$ = IKE_DYNAMIC; } 886 | ACTIVE { $$ = IKE_ACTIVE; } 887 ; 888 889 ikeauth : /* empty */ { 890 $$.type = IKE_AUTH_RSA; 891 $$.string = NULL; 892 } 893 | RSA { 894 $$.type = IKE_AUTH_RSA; 895 $$.string = NULL; 896 } 897 | PSK STRING { 898 $$.type = IKE_AUTH_PSK; 899 if (($$.string = strdup($2)) == NULL) 900 err(1, "ikeauth: strdup"); 901 } 902 ; 903 904 tag : /* empty */ 905 { 906 $$ = NULL; 907 } 908 | TAG STRING 909 { 910 $$ = $2; 911 } 912 ; 913 914 string : string STRING 915 { 916 if (asprintf(&$$, "%s %s", $1, $2) == -1) 917 err(1, "string: asprintf"); 918 free($1); 919 free($2); 920 } 921 | STRING 922 ; 923 924 varset : STRING '=' string 925 { 926 char *s = $1; 927 if (ipsec->opts & IPSECCTL_OPT_VERBOSE) 928 printf("%s = \"%s\"\n", $1, $3); 929 while (*s++) { 930 if (isspace((unsigned char)*s)) { 931 yyerror("macro name cannot contain " 932 "whitespace"); 933 free($1); 934 free($3); 935 YYERROR; 936 } 937 } 938 if (symset($1, $3, 0) == -1) 939 err(1, "cannot store variable"); 940 free($1); 941 free($3); 942 } 943 ; 944 945 %% 946 947 struct keywords { 948 const char *k_name; 949 int k_val; 950 }; 951 952 int 953 yyerror(const char *fmt, ...) 954 { 955 va_list ap; 956 957 file->errors++; 958 va_start(ap, fmt); 959 fprintf(stderr, "%s: %d: ", file->name, yylval.lineno); 960 vfprintf(stderr, fmt, ap); 961 fprintf(stderr, "\n"); 962 va_end(ap); 963 return (0); 964 } 965 966 int 967 yywarn(const char *fmt, ...) 968 { 969 va_list ap; 970 971 va_start(ap, fmt); 972 fprintf(stderr, "%s: %d: ", file->name, yylval.lineno); 973 vfprintf(stderr, fmt, ap); 974 fprintf(stderr, "\n"); 975 va_end(ap); 976 return (0); 977 } 978 979 int 980 kw_cmp(const void *k, const void *e) 981 { 982 return (strcmp(k, ((const struct keywords *)e)->k_name)); 983 } 984 985 int 986 lookup(char *s) 987 { 988 /* this has to be sorted always */ 989 static const struct keywords keywords[] = { 990 { "acquire", ACQUIRE }, 991 { "active", ACTIVE }, 992 { "aggressive", AGGRESSIVE }, 993 { "ah", AH }, 994 { "any", ANY }, 995 { "auth", AUTHXF }, 996 { "authkey", AUTHKEY }, 997 { "bundle", BUNDLE }, 998 { "bypass", BYPASS }, 999 { "comp", COMPXF }, 1000 { "deny", DENY }, 1001 { "dontacq", DONTACQ }, 1002 { "dstid", DSTID }, 1003 { "dynamic", DYNAMIC }, 1004 { "enc", ENCXF }, 1005 { "enckey", ENCKEY }, 1006 { "esp", ESP }, 1007 { "file", FILENAME }, 1008 { "flow", FLOW }, 1009 { "from", FROM }, 1010 { "group", GROUP }, 1011 { "ike", IKE }, 1012 { "in", IN }, 1013 { "include", INCLUDE }, 1014 { "ipcomp", IPCOMP }, 1015 { "ipip", IPIP }, 1016 { "lifetime", LIFETIME }, 1017 { "local", LOCAL }, 1018 { "main", MAIN }, 1019 { "out", OUT }, 1020 { "passive", PASSIVE }, 1021 { "peer", PEER }, 1022 { "port", PORT }, 1023 { "proto", PROTO }, 1024 { "psk", PSK }, 1025 { "quick", QUICK }, 1026 { "require", REQUIRE }, 1027 { "rsa", RSA }, 1028 { "spi", SPI }, 1029 { "srcid", SRCID }, 1030 { "tag", TAG }, 1031 { "tcpmd5", TCPMD5 }, 1032 { "to", TO }, 1033 { "transport", TRANSPORT }, 1034 { "tunnel", TUNNEL }, 1035 { "type", TYPE }, 1036 { "udpencap", UDPENCAP }, 1037 { "use", USE } 1038 }; 1039 const struct keywords *p; 1040 1041 p = bsearch(s, keywords, sizeof(keywords)/sizeof(keywords[0]), 1042 sizeof(keywords[0]), kw_cmp); 1043 1044 if (p) { 1045 if (debug > 1) 1046 fprintf(stderr, "%s: %d\n", s, p->k_val); 1047 return (p->k_val); 1048 } else { 1049 if (debug > 1) 1050 fprintf(stderr, "string: %s\n", s); 1051 return (STRING); 1052 } 1053 } 1054 1055 #define MAXPUSHBACK 128 1056 1057 u_char *parsebuf; 1058 int parseindex; 1059 u_char pushback_buffer[MAXPUSHBACK]; 1060 int pushback_index = 0; 1061 1062 int 1063 lgetc(int quotec) 1064 { 1065 int c, next; 1066 1067 if (parsebuf) { 1068 /* Read character from the parsebuffer instead of input. */ 1069 if (parseindex >= 0) { 1070 c = parsebuf[parseindex++]; 1071 if (c != '\0') 1072 return (c); 1073 parsebuf = NULL; 1074 } else 1075 parseindex++; 1076 } 1077 1078 if (pushback_index) 1079 return (pushback_buffer[--pushback_index]); 1080 1081 if (quotec) { 1082 if ((c = getc(file->stream)) == EOF) { 1083 yyerror("reached end of file while parsing quoted string"); 1084 if (file == topfile || popfile() == EOF) 1085 return (EOF); 1086 return (quotec); 1087 } 1088 return (c); 1089 } 1090 1091 while ((c = getc(file->stream)) == '\\') { 1092 next = getc(file->stream); 1093 if (next != '\n') { 1094 c = next; 1095 break; 1096 } 1097 yylval.lineno = file->lineno; 1098 file->lineno++; 1099 } 1100 1101 while (c == EOF) { 1102 if (file == topfile || popfile() == EOF) 1103 return (EOF); 1104 c = getc(file->stream); 1105 } 1106 return (c); 1107 } 1108 1109 int 1110 lungetc(int c) 1111 { 1112 if (c == EOF) 1113 return (EOF); 1114 if (parsebuf) { 1115 parseindex--; 1116 if (parseindex >= 0) 1117 return (c); 1118 } 1119 if (pushback_index < MAXPUSHBACK-1) 1120 return (pushback_buffer[pushback_index++] = c); 1121 else 1122 return (EOF); 1123 } 1124 1125 int 1126 findeol(void) 1127 { 1128 int c; 1129 1130 parsebuf = NULL; 1131 1132 /* skip to either EOF or the first real EOL */ 1133 while (1) { 1134 if (pushback_index) 1135 c = pushback_buffer[--pushback_index]; 1136 else 1137 c = lgetc(0); 1138 if (c == '\n') { 1139 file->lineno++; 1140 break; 1141 } 1142 if (c == EOF) 1143 break; 1144 } 1145 return (ERROR); 1146 } 1147 1148 int 1149 yylex(void) 1150 { 1151 u_char buf[8096]; 1152 u_char *p, *val; 1153 int quotec, next, c; 1154 int token; 1155 1156 top: 1157 p = buf; 1158 while ((c = lgetc(0)) == ' ' || c == '\t') 1159 ; /* nothing */ 1160 1161 yylval.lineno = file->lineno; 1162 if (c == '#') 1163 while ((c = lgetc(0)) != '\n' && c != EOF) 1164 ; /* nothing */ 1165 if (c == '$' && parsebuf == NULL) { 1166 while (1) { 1167 if ((c = lgetc(0)) == EOF) 1168 return (0); 1169 1170 if (p + 1 >= buf + sizeof(buf) - 1) { 1171 yyerror("string too long"); 1172 return (findeol()); 1173 } 1174 if (isalnum(c) || c == '_') { 1175 *p++ = c; 1176 continue; 1177 } 1178 *p = '\0'; 1179 lungetc(c); 1180 break; 1181 } 1182 val = symget(buf); 1183 if (val == NULL) { 1184 yyerror("macro '%s' not defined", buf); 1185 return (findeol()); 1186 } 1187 parsebuf = val; 1188 parseindex = 0; 1189 goto top; 1190 } 1191 1192 switch (c) { 1193 case '\'': 1194 case '"': 1195 quotec = c; 1196 while (1) { 1197 if ((c = lgetc(quotec)) == EOF) 1198 return (0); 1199 if (c == '\n') { 1200 file->lineno++; 1201 continue; 1202 } else if (c == '\\') { 1203 if ((next = lgetc(quotec)) == EOF) 1204 return (0); 1205 if (next == quotec || next == ' ' || 1206 next == '\t') 1207 c = next; 1208 else if (next == '\n') { 1209 file->lineno++; 1210 continue; 1211 } else 1212 lungetc(next); 1213 } else if (c == quotec) { 1214 *p = '\0'; 1215 break; 1216 } else if (c == '\0') { 1217 yyerror("syntax error"); 1218 return (findeol()); 1219 } 1220 if (p + 1 >= buf + sizeof(buf) - 1) { 1221 yyerror("string too long"); 1222 return (findeol()); 1223 } 1224 *p++ = c; 1225 } 1226 yylval.v.string = strdup(buf); 1227 if (yylval.v.string == NULL) 1228 err(1, "%s", __func__); 1229 return (STRING); 1230 } 1231 1232 #define allowed_to_end_number(x) \ 1233 (isspace(x) || x == ')' || x ==',' || x == '/' || x == '}' || x == '=') 1234 1235 if (c == '-' || isdigit(c)) { 1236 do { 1237 *p++ = c; 1238 if ((size_t)(p-buf) >= sizeof(buf)) { 1239 yyerror("string too long"); 1240 return (findeol()); 1241 } 1242 } while ((c = lgetc(0)) != EOF && isdigit(c)); 1243 lungetc(c); 1244 if (p == buf + 1 && buf[0] == '-') 1245 goto nodigits; 1246 if (c == EOF || allowed_to_end_number(c)) { 1247 const char *errstr = NULL; 1248 1249 *p = '\0'; 1250 yylval.v.number = strtonum(buf, LLONG_MIN, 1251 LLONG_MAX, &errstr); 1252 if (errstr) { 1253 yyerror("\"%s\" invalid number: %s", 1254 buf, errstr); 1255 return (findeol()); 1256 } 1257 return (NUMBER); 1258 } else { 1259 nodigits: 1260 while (p > buf + 1) 1261 lungetc(*--p); 1262 c = *--p; 1263 if (c == '-') 1264 return (c); 1265 } 1266 } 1267 1268 #define allowed_in_string(x) \ 1269 (isalnum(x) || (ispunct(x) && x != '(' && x != ')' && \ 1270 x != '{' && x != '}' && x != '<' && x != '>' && \ 1271 x != '!' && x != '=' && x != '/' && x != '#' && \ 1272 x != ',')) 1273 1274 if (isalnum(c) || c == ':' || c == '_' || c == '*') { 1275 do { 1276 *p++ = c; 1277 if ((size_t)(p-buf) >= sizeof(buf)) { 1278 yyerror("string too long"); 1279 return (findeol()); 1280 } 1281 } while ((c = lgetc(0)) != EOF && (allowed_in_string(c))); 1282 lungetc(c); 1283 *p = '\0'; 1284 if ((token = lookup(buf)) == STRING) 1285 if ((yylval.v.string = strdup(buf)) == NULL) 1286 err(1, "%s", __func__); 1287 return (token); 1288 } 1289 if (c == '\n') { 1290 yylval.lineno = file->lineno; 1291 file->lineno++; 1292 } 1293 if (c == EOF) 1294 return (0); 1295 return (c); 1296 } 1297 1298 int 1299 check_file_secrecy(int fd, const char *fname) 1300 { 1301 struct stat st; 1302 1303 if (fstat(fd, &st)) { 1304 warn("cannot stat %s", fname); 1305 return (-1); 1306 } 1307 if (st.st_uid != 0 && st.st_uid != getuid()) { 1308 warnx("%s: owner not root or current user", fname); 1309 return (-1); 1310 } 1311 if (st.st_mode & (S_IWGRP | S_IXGRP | S_IRWXO)) { 1312 warnx("%s: group writable or world read/writable", fname); 1313 return (-1); 1314 } 1315 return (0); 1316 } 1317 1318 struct file * 1319 pushfile(const char *name, int secret) 1320 { 1321 struct file *nfile; 1322 1323 if ((nfile = calloc(1, sizeof(struct file))) == NULL) { 1324 warn("%s", __func__); 1325 return (NULL); 1326 } 1327 if ((nfile->name = strdup(name)) == NULL) { 1328 warn("%s", __func__); 1329 free(nfile); 1330 return (NULL); 1331 } 1332 if (TAILQ_FIRST(&files) == NULL && strcmp(nfile->name, "-") == 0) { 1333 nfile->stream = stdin; 1334 free(nfile->name); 1335 if ((nfile->name = strdup("stdin")) == NULL) { 1336 warn("%s", __func__); 1337 free(nfile); 1338 return (NULL); 1339 } 1340 } else if ((nfile->stream = fopen(nfile->name, "r")) == NULL) { 1341 warn("%s: %s", __func__, nfile->name); 1342 free(nfile->name); 1343 free(nfile); 1344 return (NULL); 1345 } else if (secret && 1346 check_file_secrecy(fileno(nfile->stream), nfile->name)) { 1347 fclose(nfile->stream); 1348 free(nfile->name); 1349 free(nfile); 1350 return (NULL); 1351 } 1352 nfile->lineno = 1; 1353 TAILQ_INSERT_TAIL(&files, nfile, entry); 1354 return (nfile); 1355 } 1356 1357 int 1358 popfile(void) 1359 { 1360 struct file *prev; 1361 1362 if ((prev = TAILQ_PREV(file, files, entry)) != NULL) 1363 prev->errors += file->errors; 1364 1365 TAILQ_REMOVE(&files, file, entry); 1366 fclose(file->stream); 1367 free(file->name); 1368 free(file); 1369 file = prev; 1370 1371 return (file ? 0 : EOF); 1372 } 1373 1374 int 1375 parse_rules(const char *filename, struct ipsecctl *ipsecx) 1376 { 1377 struct sym *sym; 1378 int errors = 0; 1379 1380 ipsec = ipsecx; 1381 1382 if ((file = pushfile(filename, 1)) == NULL) { 1383 return (-1); 1384 } 1385 topfile = file; 1386 1387 yyparse(); 1388 errors = file->errors; 1389 popfile(); 1390 1391 /* Free macros and check which have not been used. */ 1392 while ((sym = TAILQ_FIRST(&symhead))) { 1393 if ((ipsec->opts & IPSECCTL_OPT_VERBOSE2) && !sym->used) 1394 fprintf(stderr, "warning: macro '%s' not " 1395 "used\n", sym->nam); 1396 free(sym->nam); 1397 free(sym->val); 1398 TAILQ_REMOVE(&symhead, sym, entry); 1399 free(sym); 1400 } 1401 1402 return (errors ? -1 : 0); 1403 } 1404 1405 int 1406 symset(const char *nam, const char *val, int persist) 1407 { 1408 struct sym *sym; 1409 1410 TAILQ_FOREACH(sym, &symhead, entry) { 1411 if (strcmp(nam, sym->nam) == 0) 1412 break; 1413 } 1414 1415 if (sym != NULL) { 1416 if (sym->persist == 1) 1417 return (0); 1418 else { 1419 free(sym->nam); 1420 free(sym->val); 1421 TAILQ_REMOVE(&symhead, sym, entry); 1422 free(sym); 1423 } 1424 } 1425 if ((sym = calloc(1, sizeof(*sym))) == NULL) 1426 return (-1); 1427 1428 sym->nam = strdup(nam); 1429 if (sym->nam == NULL) { 1430 free(sym); 1431 return (-1); 1432 } 1433 sym->val = strdup(val); 1434 if (sym->val == NULL) { 1435 free(sym->nam); 1436 free(sym); 1437 return (-1); 1438 } 1439 sym->used = 0; 1440 sym->persist = persist; 1441 TAILQ_INSERT_TAIL(&symhead, sym, entry); 1442 return (0); 1443 } 1444 1445 int 1446 cmdline_symset(char *s) 1447 { 1448 char *sym, *val; 1449 int ret; 1450 1451 if ((val = strrchr(s, '=')) == NULL) 1452 return (-1); 1453 1454 sym = strndup(s, val - s); 1455 if (sym == NULL) 1456 err(1, "%s", __func__); 1457 ret = symset(sym, val + 1, 1); 1458 free(sym); 1459 1460 return (ret); 1461 } 1462 1463 char * 1464 symget(const char *nam) 1465 { 1466 struct sym *sym; 1467 1468 TAILQ_FOREACH(sym, &symhead, entry) { 1469 if (strcmp(nam, sym->nam) == 0) { 1470 sym->used = 1; 1471 return (sym->val); 1472 } 1473 } 1474 return (NULL); 1475 } 1476 1477 int 1478 atoul(char *s, u_long *ulvalp) 1479 { 1480 u_long ulval; 1481 char *ep; 1482 1483 errno = 0; 1484 ulval = strtoul(s, &ep, 0); 1485 if (s[0] == '\0' || *ep != '\0') 1486 return (-1); 1487 if (errno == ERANGE && ulval == ULONG_MAX) 1488 return (-1); 1489 *ulvalp = ulval; 1490 return (0); 1491 } 1492 1493 int 1494 atospi(char *s, u_int32_t *spivalp) 1495 { 1496 unsigned long ulval; 1497 1498 if (atoul(s, &ulval) == -1) 1499 return (-1); 1500 if (ulval > UINT_MAX) { 1501 yyerror("%lu not a valid spi", ulval); 1502 return (-1); 1503 } 1504 if (ulval >= SPI_RESERVED_MIN && ulval <= SPI_RESERVED_MAX) { 1505 yyerror("%lu within reserved spi range", ulval); 1506 return (-1); 1507 } 1508 *spivalp = ulval; 1509 return (0); 1510 } 1511 1512 u_int8_t 1513 x2i(unsigned char *s) 1514 { 1515 char ss[3]; 1516 1517 ss[0] = s[0]; 1518 ss[1] = s[1]; 1519 ss[2] = 0; 1520 1521 if (!isxdigit(s[0]) || !isxdigit(s[1])) { 1522 yyerror("keys need to be specified in hex digits"); 1523 return (-1); 1524 } 1525 return ((u_int8_t)strtoul(ss, NULL, 16)); 1526 } 1527 1528 struct ipsec_key * 1529 parsekey(unsigned char *hexkey, size_t len) 1530 { 1531 struct ipsec_key *key; 1532 int i; 1533 1534 key = calloc(1, sizeof(struct ipsec_key)); 1535 if (key == NULL) 1536 err(1, "%s", __func__); 1537 1538 key->len = len / 2; 1539 key->data = calloc(key->len, sizeof(u_int8_t)); 1540 if (key->data == NULL) 1541 err(1, "%s", __func__); 1542 1543 for (i = 0; i < (int)key->len; i++) 1544 key->data[i] = x2i(hexkey + 2 * i); 1545 1546 return (key); 1547 } 1548 1549 struct ipsec_key * 1550 parsekeyfile(char *filename) 1551 { 1552 struct stat sb; 1553 int fd; 1554 unsigned char *hex; 1555 1556 if ((fd = open(filename, O_RDONLY)) < 0) 1557 err(1, "open %s", filename); 1558 if (fstat(fd, &sb) < 0) 1559 err(1, "parsekeyfile: stat %s", filename); 1560 if ((sb.st_size > KEYSIZE_LIMIT) || (sb.st_size == 0)) 1561 errx(1, "%s: key too %s", filename, sb.st_size ? "large" : 1562 "small"); 1563 if ((hex = calloc(sb.st_size, sizeof(unsigned char))) == NULL) 1564 err(1, "%s", __func__); 1565 if (read(fd, hex, sb.st_size) < sb.st_size) 1566 err(1, "parsekeyfile: read"); 1567 close(fd); 1568 return (parsekey(hex, sb.st_size)); 1569 } 1570 1571 int 1572 get_id_type(char *string) 1573 { 1574 struct in6_addr ia; 1575 1576 if (string == NULL) 1577 return (ID_UNKNOWN); 1578 1579 if (inet_pton(AF_INET, string, &ia) == 1) 1580 return (ID_IPV4); 1581 else if (inet_pton(AF_INET6, string, &ia) == 1) 1582 return (ID_IPV6); 1583 else if (strchr(string, '@')) 1584 return (ID_UFQDN); 1585 else 1586 return (ID_FQDN); 1587 } 1588 1589 struct ipsec_addr_wrap * 1590 host(const char *s) 1591 { 1592 struct ipsec_addr_wrap *ipa = NULL; 1593 int mask, cont = 1; 1594 char *p, *q, *ps; 1595 1596 if ((p = strrchr(s, '/')) != NULL) { 1597 errno = 0; 1598 mask = strtol(p + 1, &q, 0); 1599 if (errno == ERANGE || !q || *q || mask > 128 || q == (p + 1)) 1600 errx(1, "host: invalid netmask '%s'", p); 1601 if ((ps = malloc(strlen(s) - strlen(p) + 1)) == NULL) 1602 err(1, "%s", __func__); 1603 strlcpy(ps, s, strlen(s) - strlen(p) + 1); 1604 } else { 1605 if ((ps = strdup(s)) == NULL) 1606 err(1, "%s", __func__); 1607 mask = -1; 1608 } 1609 1610 /* Does interface with this name exist? */ 1611 if (cont && (ipa = host_if(ps, mask)) != NULL) 1612 cont = 0; 1613 1614 /* IPv4 address? */ 1615 if (cont && (ipa = host_v4(s, mask == -1 ? 32 : mask)) != NULL) 1616 cont = 0; 1617 1618 /* IPv6 address? */ 1619 if (cont && (ipa = host_v6(ps, mask == -1 ? 128 : mask)) != NULL) 1620 cont = 0; 1621 1622 /* dns lookup */ 1623 if (cont && mask == -1 && (ipa = host_dns(s, mask)) != NULL) 1624 cont = 0; 1625 free(ps); 1626 1627 if (ipa == NULL || cont == 1) { 1628 fprintf(stderr, "no IP address found for %s\n", s); 1629 return (NULL); 1630 } 1631 return (ipa); 1632 } 1633 1634 struct ipsec_addr_wrap * 1635 host_v6(const char *s, int prefixlen) 1636 { 1637 struct ipsec_addr_wrap *ipa = NULL; 1638 struct addrinfo hints, *res; 1639 char hbuf[NI_MAXHOST]; 1640 1641 bzero(&hints, sizeof(struct addrinfo)); 1642 hints.ai_family = AF_INET6; 1643 hints.ai_socktype = SOCK_STREAM; 1644 hints.ai_flags = AI_NUMERICHOST; 1645 if (getaddrinfo(s, NULL, &hints, &res)) 1646 return (NULL); 1647 if (res->ai_next) 1648 err(1, "host_v6: numeric hostname expanded to multiple item"); 1649 1650 ipa = calloc(1, sizeof(struct ipsec_addr_wrap)); 1651 if (ipa == NULL) 1652 err(1, "%s", __func__); 1653 ipa->af = res->ai_family; 1654 memcpy(&ipa->address.v6, 1655 &((struct sockaddr_in6 *)res->ai_addr)->sin6_addr, 1656 sizeof(struct in6_addr)); 1657 if (prefixlen > 128) 1658 prefixlen = 128; 1659 ipa->next = NULL; 1660 ipa->tail = ipa; 1661 1662 set_ipmask(ipa, prefixlen); 1663 if (getnameinfo(res->ai_addr, res->ai_addrlen, 1664 hbuf, sizeof(hbuf), NULL, 0, NI_NUMERICHOST)) { 1665 errx(1, "could not get a numeric hostname"); 1666 } 1667 1668 if (prefixlen != 128) { 1669 ipa->netaddress = 1; 1670 if (asprintf(&ipa->name, "%s/%d", hbuf, prefixlen) == -1) 1671 err(1, "%s", __func__); 1672 } else { 1673 if ((ipa->name = strdup(hbuf)) == NULL) 1674 err(1, "%s", __func__); 1675 } 1676 1677 freeaddrinfo(res); 1678 1679 return (ipa); 1680 } 1681 1682 struct ipsec_addr_wrap * 1683 host_v4(const char *s, int mask) 1684 { 1685 struct ipsec_addr_wrap *ipa = NULL; 1686 struct in_addr ina; 1687 int bits = 32; 1688 1689 bzero(&ina, sizeof(struct in_addr)); 1690 if (strrchr(s, '/') != NULL) { 1691 if ((bits = inet_net_pton(AF_INET, s, &ina, sizeof(ina))) == -1) 1692 return (NULL); 1693 } else { 1694 if (inet_pton(AF_INET, s, &ina) != 1) 1695 return (NULL); 1696 } 1697 1698 ipa = calloc(1, sizeof(struct ipsec_addr_wrap)); 1699 if (ipa == NULL) 1700 err(1, "%s", __func__); 1701 1702 ipa->address.v4 = ina; 1703 ipa->name = strdup(s); 1704 if (ipa->name == NULL) 1705 err(1, "%s", __func__); 1706 ipa->af = AF_INET; 1707 ipa->next = NULL; 1708 ipa->tail = ipa; 1709 1710 set_ipmask(ipa, bits); 1711 if (strrchr(s, '/') != NULL) 1712 ipa->netaddress = 1; 1713 1714 return (ipa); 1715 } 1716 1717 struct ipsec_addr_wrap * 1718 host_dns(const char *s, int mask) 1719 { 1720 struct ipsec_addr_wrap *ipa = NULL, *head = NULL; 1721 struct addrinfo hints, *res0, *res; 1722 int error; 1723 char hbuf[NI_MAXHOST]; 1724 1725 bzero(&hints, sizeof(struct addrinfo)); 1726 hints.ai_family = PF_UNSPEC; 1727 hints.ai_socktype = SOCK_STREAM; 1728 error = getaddrinfo(s, NULL, &hints, &res0); 1729 if (error) 1730 return (NULL); 1731 1732 for (res = res0; res; res = res->ai_next) { 1733 if (res->ai_family != AF_INET && res->ai_family != AF_INET6) 1734 continue; 1735 1736 ipa = calloc(1, sizeof(struct ipsec_addr_wrap)); 1737 if (ipa == NULL) 1738 err(1, "%s", __func__); 1739 switch (res->ai_family) { 1740 case AF_INET: 1741 memcpy(&ipa->address.v4, 1742 &((struct sockaddr_in *)res->ai_addr)->sin_addr, 1743 sizeof(struct in_addr)); 1744 break; 1745 case AF_INET6: 1746 /* XXX we do not support scoped IPv6 address yet */ 1747 if (((struct sockaddr_in6 *)res->ai_addr)->sin6_scope_id) { 1748 free(ipa); 1749 continue; 1750 } 1751 memcpy(&ipa->address.v6, 1752 &((struct sockaddr_in6 *)res->ai_addr)->sin6_addr, 1753 sizeof(struct in6_addr)); 1754 break; 1755 } 1756 error = getnameinfo(res->ai_addr, res->ai_addrlen, hbuf, 1757 sizeof(hbuf), NULL, 0, NI_NUMERICHOST); 1758 if (error) 1759 err(1, "host_dns: getnameinfo"); 1760 ipa->name = strdup(hbuf); 1761 if (ipa->name == NULL) 1762 err(1, "%s", __func__); 1763 ipa->af = res->ai_family; 1764 ipa->next = NULL; 1765 ipa->tail = ipa; 1766 if (head == NULL) 1767 head = ipa; 1768 else { 1769 head->tail->next = ipa; 1770 head->tail = ipa; 1771 } 1772 1773 /* 1774 * XXX for now, no netmask support for IPv6. 1775 * but since there's no way to specify address family, once you 1776 * have IPv6 address on a host, you cannot use dns/netmask 1777 * syntax. 1778 */ 1779 if (ipa->af == AF_INET) 1780 set_ipmask(ipa, mask == -1 ? 32 : mask); 1781 else 1782 if (mask != -1) 1783 err(1, "host_dns: cannot apply netmask " 1784 "on non-IPv4 address"); 1785 } 1786 freeaddrinfo(res0); 1787 1788 return (head); 1789 } 1790 1791 struct ipsec_addr_wrap * 1792 host_if(const char *s, int mask) 1793 { 1794 struct ipsec_addr_wrap *ipa = NULL; 1795 1796 if (ifa_exists(s)) 1797 ipa = ifa_lookup(s); 1798 1799 return (ipa); 1800 } 1801 1802 struct ipsec_addr_wrap * 1803 host_any(void) 1804 { 1805 struct ipsec_addr_wrap *ipa; 1806 1807 ipa = calloc(1, sizeof(struct ipsec_addr_wrap)); 1808 if (ipa == NULL) 1809 err(1, "%s", __func__); 1810 ipa->af = AF_UNSPEC; 1811 ipa->netaddress = 1; 1812 ipa->tail = ipa; 1813 return (ipa); 1814 } 1815 1816 /* interface lookup routintes */ 1817 1818 struct ipsec_addr_wrap *iftab; 1819 1820 void 1821 ifa_load(void) 1822 { 1823 struct ifaddrs *ifap, *ifa; 1824 struct ipsec_addr_wrap *n = NULL, *h = NULL; 1825 1826 if (getifaddrs(&ifap) < 0) 1827 err(1, "ifa_load: getifaddrs"); 1828 1829 for (ifa = ifap; ifa; ifa = ifa->ifa_next) { 1830 if (!(ifa->ifa_addr->sa_family == AF_INET || 1831 ifa->ifa_addr->sa_family == AF_INET6 || 1832 ifa->ifa_addr->sa_family == AF_LINK)) 1833 continue; 1834 n = calloc(1, sizeof(struct ipsec_addr_wrap)); 1835 if (n == NULL) 1836 err(1, "%s", __func__); 1837 n->af = ifa->ifa_addr->sa_family; 1838 if ((n->name = strdup(ifa->ifa_name)) == NULL) 1839 err(1, "%s", __func__); 1840 if (n->af == AF_INET) { 1841 n->af = AF_INET; 1842 memcpy(&n->address.v4, &((struct sockaddr_in *) 1843 ifa->ifa_addr)->sin_addr, 1844 sizeof(struct in_addr)); 1845 memcpy(&n->mask.v4, &((struct sockaddr_in *) 1846 ifa->ifa_netmask)->sin_addr, 1847 sizeof(struct in_addr)); 1848 } else if (n->af == AF_INET6) { 1849 n->af = AF_INET6; 1850 memcpy(&n->address.v6, &((struct sockaddr_in6 *) 1851 ifa->ifa_addr)->sin6_addr, 1852 sizeof(struct in6_addr)); 1853 memcpy(&n->mask.v6, &((struct sockaddr_in6 *) 1854 ifa->ifa_netmask)->sin6_addr, 1855 sizeof(struct in6_addr)); 1856 } 1857 n->next = NULL; 1858 n->tail = n; 1859 if (h == NULL) 1860 h = n; 1861 else { 1862 h->tail->next = n; 1863 h->tail = n; 1864 } 1865 } 1866 1867 iftab = h; 1868 freeifaddrs(ifap); 1869 } 1870 1871 int 1872 ifa_exists(const char *ifa_name) 1873 { 1874 struct ipsec_addr_wrap *n; 1875 struct ifgroupreq ifgr; 1876 int s; 1877 1878 if (iftab == NULL) 1879 ifa_load(); 1880 1881 /* check whether this is a group */ 1882 if ((s = socket(AF_INET, SOCK_DGRAM, 0)) == -1) 1883 err(1, "ifa_exists: socket"); 1884 bzero(&ifgr, sizeof(ifgr)); 1885 strlcpy(ifgr.ifgr_name, ifa_name, sizeof(ifgr.ifgr_name)); 1886 if (ioctl(s, SIOCGIFGMEMB, (caddr_t)&ifgr) == 0) { 1887 close(s); 1888 return (1); 1889 } 1890 close(s); 1891 1892 for (n = iftab; n; n = n->next) { 1893 if (n->af == AF_LINK && !strncmp(n->name, ifa_name, 1894 IFNAMSIZ)) 1895 return (1); 1896 } 1897 1898 return (0); 1899 } 1900 1901 struct ipsec_addr_wrap * 1902 ifa_grouplookup(const char *ifa_name) 1903 { 1904 struct ifg_req *ifg; 1905 struct ifgroupreq ifgr; 1906 int s; 1907 size_t len; 1908 struct ipsec_addr_wrap *n, *h = NULL, *hn; 1909 1910 if ((s = socket(AF_INET, SOCK_DGRAM, 0)) == -1) 1911 err(1, "socket"); 1912 bzero(&ifgr, sizeof(ifgr)); 1913 strlcpy(ifgr.ifgr_name, ifa_name, sizeof(ifgr.ifgr_name)); 1914 if (ioctl(s, SIOCGIFGMEMB, (caddr_t)&ifgr) == -1) { 1915 close(s); 1916 return (NULL); 1917 } 1918 1919 len = ifgr.ifgr_len; 1920 if ((ifgr.ifgr_groups = calloc(1, len)) == NULL) 1921 err(1, "%s", __func__); 1922 if (ioctl(s, SIOCGIFGMEMB, (caddr_t)&ifgr) == -1) 1923 err(1, "ioctl"); 1924 1925 for (ifg = ifgr.ifgr_groups; ifg && len >= sizeof(struct ifg_req); 1926 ifg++) { 1927 len -= sizeof(struct ifg_req); 1928 if ((n = ifa_lookup(ifg->ifgrq_member)) == NULL) 1929 continue; 1930 if (h == NULL) 1931 h = n; 1932 else { 1933 for (hn = h; hn->next != NULL; hn = hn->next) 1934 ; /* nothing */ 1935 hn->next = n; 1936 n->tail = hn; 1937 } 1938 } 1939 free(ifgr.ifgr_groups); 1940 close(s); 1941 1942 return (h); 1943 } 1944 1945 struct ipsec_addr_wrap * 1946 ifa_lookup(const char *ifa_name) 1947 { 1948 struct ipsec_addr_wrap *p = NULL, *h = NULL, *n = NULL; 1949 1950 if (iftab == NULL) 1951 ifa_load(); 1952 1953 if ((n = ifa_grouplookup(ifa_name)) != NULL) 1954 return (n); 1955 1956 for (p = iftab; p; p = p->next) { 1957 if (p->af != AF_INET && p->af != AF_INET6) 1958 continue; 1959 if (strncmp(p->name, ifa_name, IFNAMSIZ)) 1960 continue; 1961 n = calloc(1, sizeof(struct ipsec_addr_wrap)); 1962 if (n == NULL) 1963 err(1, "%s", __func__); 1964 memcpy(n, p, sizeof(struct ipsec_addr_wrap)); 1965 if ((n->name = strdup(p->name)) == NULL) 1966 err(1, "%s", __func__); 1967 switch (n->af) { 1968 case AF_INET: 1969 set_ipmask(n, 32); 1970 break; 1971 case AF_INET6: 1972 /* route/show.c and bgpd/util.c give KAME credit */ 1973 if (IN6_IS_ADDR_LINKLOCAL(&n->address.v6)) { 1974 u_int16_t tmp16; 1975 /* for now we can not handle link local, 1976 * therefore bail for now 1977 */ 1978 free(n); 1979 continue; 1980 1981 memcpy(&tmp16, &n->address.v6.s6_addr[2], 1982 sizeof(tmp16)); 1983 /* use this when we support link-local 1984 * n->??.scopeid = ntohs(tmp16); 1985 */ 1986 n->address.v6.s6_addr[2] = 0; 1987 n->address.v6.s6_addr[3] = 0; 1988 } 1989 set_ipmask(n, 128); 1990 break; 1991 } 1992 1993 n->next = NULL; 1994 n->tail = n; 1995 if (h == NULL) 1996 h = n; 1997 else { 1998 h->tail->next = n; 1999 h->tail = n; 2000 } 2001 } 2002 2003 return (h); 2004 } 2005 2006 void 2007 set_ipmask(struct ipsec_addr_wrap *address, u_int8_t b) 2008 { 2009 struct ipsec_addr *ipa; 2010 int i, j = 0; 2011 2012 ipa = &address->mask; 2013 bzero(ipa, sizeof(struct ipsec_addr)); 2014 2015 while (b >= 32) { 2016 ipa->addr32[j++] = 0xffffffff; 2017 b -= 32; 2018 } 2019 for (i = 31; i > 31 - b; --i) 2020 ipa->addr32[j] |= (1 << i); 2021 if (b) 2022 ipa->addr32[j] = htonl(ipa->addr32[j]); 2023 } 2024 2025 const struct ipsec_xf * 2026 parse_xf(const char *name, const struct ipsec_xf xfs[]) 2027 { 2028 int i; 2029 2030 for (i = 0; xfs[i].name != NULL; i++) { 2031 if (strncmp(name, xfs[i].name, strlen(name))) 2032 continue; 2033 return &xfs[i]; 2034 } 2035 return (NULL); 2036 } 2037 2038 struct ipsec_lifetime * 2039 parse_life(const char *value) 2040 { 2041 struct ipsec_lifetime *life; 2042 int ret; 2043 int seconds = 0; 2044 char unit = 0; 2045 2046 ret = sscanf(value, "%d%c", &seconds, &unit); 2047 if (ret == 2) { 2048 switch (tolower((unsigned char)unit)) { 2049 case 'm': 2050 seconds *= 60; 2051 break; 2052 case 'h': 2053 seconds *= 60 * 60; 2054 break; 2055 default: 2056 err(1, "invalid time unit"); 2057 } 2058 } else if (ret != 1) 2059 err(1, "invalid time specification: %s", value); 2060 2061 life = calloc(1, sizeof(struct ipsec_lifetime)); 2062 if (life == NULL) 2063 err(1, "%s", __func__); 2064 2065 life->lt_seconds = seconds; 2066 life->lt_bytes = -1; 2067 2068 return (life); 2069 } 2070 2071 struct ipsec_transforms * 2072 copytransforms(const struct ipsec_transforms *xfs) 2073 { 2074 struct ipsec_transforms *newxfs; 2075 2076 if (xfs == NULL) 2077 return (NULL); 2078 2079 newxfs = calloc(1, sizeof(struct ipsec_transforms)); 2080 if (newxfs == NULL) 2081 err(1, "%s", __func__); 2082 2083 memcpy(newxfs, xfs, sizeof(struct ipsec_transforms)); 2084 return (newxfs); 2085 } 2086 2087 struct ipsec_lifetime * 2088 copylife(const struct ipsec_lifetime *life) 2089 { 2090 struct ipsec_lifetime *newlife; 2091 2092 if (life == NULL) 2093 return (NULL); 2094 2095 newlife = calloc(1, sizeof(struct ipsec_lifetime)); 2096 if (newlife == NULL) 2097 err(1, "%s", __func__); 2098 2099 memcpy(newlife, life, sizeof(struct ipsec_lifetime)); 2100 return (newlife); 2101 } 2102 2103 struct ipsec_auth * 2104 copyipsecauth(const struct ipsec_auth *auth) 2105 { 2106 struct ipsec_auth *newauth; 2107 2108 if (auth == NULL) 2109 return (NULL); 2110 2111 if ((newauth = calloc(1, sizeof(struct ipsec_auth))) == NULL) 2112 err(1, "%s", __func__); 2113 if (auth->srcid && 2114 asprintf(&newauth->srcid, "%s", auth->srcid) == -1) 2115 err(1, "%s", __func__); 2116 if (auth->dstid && 2117 asprintf(&newauth->dstid, "%s", auth->dstid) == -1) 2118 err(1, "%s", __func__); 2119 2120 newauth->srcid_type = auth->srcid_type; 2121 newauth->dstid_type = auth->dstid_type; 2122 newauth->type = auth->type; 2123 2124 return (newauth); 2125 } 2126 2127 struct ike_auth * 2128 copyikeauth(const struct ike_auth *auth) 2129 { 2130 struct ike_auth *newauth; 2131 2132 if (auth == NULL) 2133 return (NULL); 2134 2135 if ((newauth = calloc(1, sizeof(struct ike_auth))) == NULL) 2136 err(1, "%s", __func__); 2137 if (auth->string && 2138 asprintf(&newauth->string, "%s", auth->string) == -1) 2139 err(1, "%s", __func__); 2140 2141 newauth->type = auth->type; 2142 2143 return (newauth); 2144 } 2145 2146 struct ipsec_key * 2147 copykey(struct ipsec_key *key) 2148 { 2149 struct ipsec_key *newkey; 2150 2151 if (key == NULL) 2152 return (NULL); 2153 2154 if ((newkey = calloc(1, sizeof(struct ipsec_key))) == NULL) 2155 err(1, "%s", __func__); 2156 if ((newkey->data = calloc(key->len, sizeof(u_int8_t))) == NULL) 2157 err(1, "%s", __func__); 2158 memcpy(newkey->data, key->data, key->len); 2159 newkey->len = key->len; 2160 2161 return (newkey); 2162 } 2163 2164 struct ipsec_addr_wrap * 2165 copyhost(const struct ipsec_addr_wrap *src) 2166 { 2167 struct ipsec_addr_wrap *dst; 2168 2169 if (src == NULL) 2170 return (NULL); 2171 2172 dst = calloc(1, sizeof(struct ipsec_addr_wrap)); 2173 if (dst == NULL) 2174 err(1, "%s", __func__); 2175 2176 memcpy(dst, src, sizeof(struct ipsec_addr_wrap)); 2177 2178 if (src->name != NULL && (dst->name = strdup(src->name)) == NULL) 2179 err(1, "%s", __func__); 2180 2181 return dst; 2182 } 2183 2184 char * 2185 copytag(const char *src) 2186 { 2187 char *tag; 2188 2189 if (src == NULL) 2190 return (NULL); 2191 if ((tag = strdup(src)) == NULL) 2192 err(1, "%s", __func__); 2193 2194 return (tag); 2195 } 2196 2197 struct ipsec_rule * 2198 copyrule(struct ipsec_rule *rule) 2199 { 2200 struct ipsec_rule *r; 2201 2202 if ((r = calloc(1, sizeof(struct ipsec_rule))) == NULL) 2203 err(1, "%s", __func__); 2204 2205 r->src = copyhost(rule->src); 2206 r->dst = copyhost(rule->dst); 2207 r->local = copyhost(rule->local); 2208 r->peer = copyhost(rule->peer); 2209 r->auth = copyipsecauth(rule->auth); 2210 r->ikeauth = copyikeauth(rule->ikeauth); 2211 r->xfs = copytransforms(rule->xfs); 2212 r->p1xfs = copytransforms(rule->p1xfs); 2213 r->p2xfs = copytransforms(rule->p2xfs); 2214 r->p1life = copylife(rule->p1life); 2215 r->p2life = copylife(rule->p2life); 2216 r->authkey = copykey(rule->authkey); 2217 r->enckey = copykey(rule->enckey); 2218 r->tag = copytag(rule->tag); 2219 2220 r->p1ie = rule->p1ie; 2221 r->p2ie = rule->p2ie; 2222 r->type = rule->type; 2223 r->satype = rule->satype; 2224 r->proto = rule->proto; 2225 r->tmode = rule->tmode; 2226 r->direction = rule->direction; 2227 r->flowtype = rule->flowtype; 2228 r->sport = rule->sport; 2229 r->dport = rule->dport; 2230 r->ikemode = rule->ikemode; 2231 r->spi = rule->spi; 2232 r->udpencap = rule->udpencap; 2233 r->udpdport = rule->udpdport; 2234 r->nr = rule->nr; 2235 2236 return (r); 2237 } 2238 2239 int 2240 validate_af(struct ipsec_addr_wrap *src, struct ipsec_addr_wrap *dst) 2241 { 2242 struct ipsec_addr_wrap *ta; 2243 u_int8_t src_v4 = 0; 2244 u_int8_t dst_v4 = 0; 2245 u_int8_t src_v6 = 0; 2246 u_int8_t dst_v6 = 0; 2247 2248 for (ta = src; ta; ta = ta->next) { 2249 if (ta->af == AF_INET) 2250 src_v4 = 1; 2251 if (ta->af == AF_INET6) 2252 src_v6 = 1; 2253 if (ta->af == AF_UNSPEC) 2254 return 0; 2255 if (src_v4 && src_v6) 2256 break; 2257 } 2258 for (ta = dst; ta; ta = ta->next) { 2259 if (ta->af == AF_INET) 2260 dst_v4 = 1; 2261 if (ta->af == AF_INET6) 2262 dst_v6 = 1; 2263 if (ta->af == AF_UNSPEC) 2264 return 0; 2265 if (dst_v4 && dst_v6) 2266 break; 2267 } 2268 if (src_v4 != dst_v4 && src_v6 != dst_v6) 2269 return (1); 2270 2271 return (0); 2272 } 2273 2274 2275 int 2276 validate_sa(u_int32_t spi, u_int8_t satype, struct ipsec_transforms *xfs, 2277 struct ipsec_key *authkey, struct ipsec_key *enckey, u_int8_t tmode) 2278 { 2279 /* Sanity checks */ 2280 if (spi == 0) { 2281 yyerror("no SPI specified"); 2282 return (0); 2283 } 2284 if (satype == IPSEC_AH) { 2285 if (!xfs) { 2286 yyerror("no transforms specified"); 2287 return (0); 2288 } 2289 if (!xfs->authxf) 2290 xfs->authxf = &authxfs[AUTHXF_HMAC_SHA2_256]; 2291 if (xfs->encxf) { 2292 yyerror("ah does not provide encryption"); 2293 return (0); 2294 } 2295 if (xfs->compxf) { 2296 yyerror("ah does not provide compression"); 2297 return (0); 2298 } 2299 } 2300 if (satype == IPSEC_ESP) { 2301 if (!xfs) { 2302 yyerror("no transforms specified"); 2303 return (0); 2304 } 2305 if (xfs->compxf) { 2306 yyerror("esp does not provide compression"); 2307 return (0); 2308 } 2309 if (!xfs->encxf) 2310 xfs->encxf = &encxfs[ENCXF_AES]; 2311 if (xfs->encxf->nostatic) { 2312 yyerror("%s is disallowed with static keys", 2313 xfs->encxf->name); 2314 return 0; 2315 } 2316 if (xfs->encxf->noauth && xfs->authxf) { 2317 yyerror("authentication is implicit for %s", 2318 xfs->encxf->name); 2319 return (0); 2320 } else if (!xfs->encxf->noauth && !xfs->authxf) 2321 xfs->authxf = &authxfs[AUTHXF_HMAC_SHA2_256]; 2322 } 2323 if (satype == IPSEC_IPCOMP) { 2324 if (!xfs) { 2325 yyerror("no transform specified"); 2326 return (0); 2327 } 2328 if (xfs->authxf || xfs->encxf) { 2329 yyerror("no encryption or authentication with ipcomp"); 2330 return (0); 2331 } 2332 if (!xfs->compxf) 2333 xfs->compxf = &compxfs[COMPXF_DEFLATE]; 2334 } 2335 if (satype == IPSEC_IPIP) { 2336 if (!xfs) { 2337 yyerror("no transform specified"); 2338 return (0); 2339 } 2340 if (xfs->authxf || xfs->encxf || xfs->compxf) { 2341 yyerror("no encryption, authentication or compression" 2342 " with ipip"); 2343 return (0); 2344 } 2345 } 2346 if (satype == IPSEC_TCPMD5 && authkey == NULL && tmode != 2347 IPSEC_TRANSPORT) { 2348 yyerror("authentication key needed for tcpmd5"); 2349 return (0); 2350 } 2351 if (xfs && xfs->authxf) { 2352 if (!authkey && xfs->authxf != &authxfs[AUTHXF_NONE]) { 2353 yyerror("no authentication key specified"); 2354 return (0); 2355 } 2356 if (authkey && authkey->len != xfs->authxf->keymin) { 2357 yyerror("wrong authentication key length, needs to be " 2358 "%zu bits", xfs->authxf->keymin * 8); 2359 return (0); 2360 } 2361 } 2362 if (xfs && xfs->encxf) { 2363 if (!enckey && xfs->encxf != &encxfs[ENCXF_NULL]) { 2364 yyerror("no encryption key specified"); 2365 return (0); 2366 } 2367 if (enckey) { 2368 if (enckey->len < xfs->encxf->keymin) { 2369 yyerror("encryption key too short (%zu bits), " 2370 "minimum %zu bits", enckey->len * 8, 2371 xfs->encxf->keymin * 8); 2372 return (0); 2373 } 2374 if (xfs->encxf->keymax < enckey->len) { 2375 yyerror("encryption key too long (%zu bits), " 2376 "maximum %zu bits", enckey->len * 8, 2377 xfs->encxf->keymax * 8); 2378 return (0); 2379 } 2380 } 2381 } 2382 2383 return 1; 2384 } 2385 2386 int 2387 add_sabundle(struct ipsec_rule *r, char *bundle) 2388 { 2389 struct ipsec_rule *rp, *last, *sabundle; 2390 int found = 0; 2391 2392 TAILQ_FOREACH(rp, &ipsec->bundle_queue, bundle_entry) { 2393 if ((strcmp(rp->src->name, r->src->name) == 0) && 2394 (strcmp(rp->dst->name, r->dst->name) == 0) && 2395 (strcmp(rp->bundle, bundle) == 0)) { 2396 found = 1; 2397 break; 2398 } 2399 } 2400 if (found) { 2401 last = TAILQ_LAST(&rp->dst_bundle_queue, dst_bundle_queue); 2402 TAILQ_INSERT_TAIL(&rp->dst_bundle_queue, r, dst_bundle_entry); 2403 2404 sabundle = create_sabundle(last->dst, last->satype, last->spi, 2405 r->dst, r->satype, r->spi); 2406 if (sabundle == NULL) 2407 return (1); 2408 sabundle->nr = ipsec->rule_nr++; 2409 if (ipsecctl_add_rule(ipsec, sabundle)) 2410 return (1); 2411 } else { 2412 TAILQ_INSERT_TAIL(&ipsec->bundle_queue, r, bundle_entry); 2413 TAILQ_INIT(&r->dst_bundle_queue); 2414 TAILQ_INSERT_TAIL(&r->dst_bundle_queue, r, dst_bundle_entry); 2415 r->bundle = bundle; 2416 } 2417 2418 return (0); 2419 } 2420 2421 struct ipsec_rule * 2422 create_sa(u_int8_t satype, u_int8_t tmode, struct ipsec_hosts *hosts, 2423 u_int32_t spi, u_int8_t udpencap, u_int16_t udpdport, 2424 struct ipsec_transforms *xfs, struct ipsec_key *authkey, struct ipsec_key *enckey) 2425 { 2426 struct ipsec_rule *r; 2427 2428 if (validate_sa(spi, satype, xfs, authkey, enckey, tmode) == 0) 2429 return (NULL); 2430 2431 r = calloc(1, sizeof(struct ipsec_rule)); 2432 if (r == NULL) 2433 err(1, "%s", __func__); 2434 2435 r->type |= RULE_SA; 2436 r->satype = satype; 2437 r->tmode = tmode; 2438 r->src = hosts->src; 2439 r->dst = hosts->dst; 2440 r->spi = spi; 2441 r->udpencap = udpencap; 2442 r->udpdport = udpdport; 2443 r->xfs = xfs; 2444 r->authkey = authkey; 2445 r->enckey = enckey; 2446 2447 return r; 2448 } 2449 2450 struct ipsec_rule * 2451 reverse_sa(struct ipsec_rule *rule, u_int32_t spi, struct ipsec_key *authkey, 2452 struct ipsec_key *enckey) 2453 { 2454 struct ipsec_rule *reverse; 2455 2456 if (validate_sa(spi, rule->satype, rule->xfs, authkey, enckey, 2457 rule->tmode) == 0) 2458 return (NULL); 2459 2460 reverse = calloc(1, sizeof(struct ipsec_rule)); 2461 if (reverse == NULL) 2462 err(1, "%s", __func__); 2463 2464 reverse->type |= RULE_SA; 2465 reverse->satype = rule->satype; 2466 reverse->tmode = rule->tmode; 2467 reverse->src = copyhost(rule->dst); 2468 reverse->dst = copyhost(rule->src); 2469 reverse->spi = spi; 2470 reverse->udpencap = rule->udpencap; 2471 reverse->udpdport = rule->udpdport; 2472 reverse->xfs = copytransforms(rule->xfs); 2473 reverse->authkey = authkey; 2474 reverse->enckey = enckey; 2475 2476 return (reverse); 2477 } 2478 2479 struct ipsec_rule * 2480 create_sabundle(struct ipsec_addr_wrap *dst, u_int8_t proto, u_int32_t spi, 2481 struct ipsec_addr_wrap *dst2, u_int8_t proto2, u_int32_t spi2) 2482 { 2483 struct ipsec_rule *r; 2484 2485 r = calloc(1, sizeof(struct ipsec_rule)); 2486 if (r == NULL) 2487 err(1, "%s", __func__); 2488 2489 r->type |= RULE_BUNDLE; 2490 2491 r->dst = copyhost(dst); 2492 r->dst2 = copyhost(dst2); 2493 r->proto = proto; 2494 r->proto2 = proto2; 2495 r->spi = spi; 2496 r->spi2 = spi2; 2497 r->satype = proto; 2498 2499 return (r); 2500 } 2501 2502 struct ipsec_rule * 2503 create_flow(u_int8_t dir, u_int8_t proto, struct ipsec_hosts *hosts, 2504 u_int8_t satype, char *srcid, char *dstid, u_int8_t type) 2505 { 2506 struct ipsec_rule *r; 2507 2508 r = calloc(1, sizeof(struct ipsec_rule)); 2509 if (r == NULL) 2510 err(1, "%s", __func__); 2511 2512 r->type |= RULE_FLOW; 2513 2514 if (dir == IPSEC_INOUT) 2515 r->direction = IPSEC_OUT; 2516 else 2517 r->direction = dir; 2518 2519 r->satype = satype; 2520 r->proto = proto; 2521 r->src = hosts->src; 2522 r->sport = hosts->sport; 2523 r->dst = hosts->dst; 2524 r->dport = hosts->dport; 2525 if ((hosts->sport != 0 || hosts->dport != 0) && 2526 (proto != IPPROTO_TCP && proto != IPPROTO_UDP)) { 2527 yyerror("no protocol supplied with source/destination ports"); 2528 goto errout; 2529 } 2530 2531 switch (satype) { 2532 case IPSEC_IPCOMP: 2533 case IPSEC_IPIP: 2534 if (type == TYPE_UNKNOWN) 2535 type = TYPE_USE; 2536 break; 2537 default: 2538 if (type == TYPE_UNKNOWN) 2539 type = TYPE_REQUIRE; 2540 break; 2541 } 2542 2543 r->flowtype = type; 2544 if (type == TYPE_DENY || type == TYPE_BYPASS) 2545 return (r); 2546 2547 r->auth = calloc(1, sizeof(struct ipsec_auth)); 2548 if (r->auth == NULL) 2549 err(1, "%s", __func__); 2550 r->auth->srcid = srcid; 2551 r->auth->dstid = dstid; 2552 r->auth->srcid_type = get_id_type(srcid); 2553 r->auth->dstid_type = get_id_type(dstid); 2554 return r; 2555 2556 errout: 2557 free(r); 2558 if (srcid) 2559 free(srcid); 2560 if (dstid) 2561 free(dstid); 2562 free(hosts->src); 2563 hosts->src = NULL; 2564 free(hosts->dst); 2565 hosts->dst = NULL; 2566 2567 return NULL; 2568 } 2569 2570 void 2571 expand_any(struct ipsec_addr_wrap *ipa_in) 2572 { 2573 struct ipsec_addr_wrap *oldnext, *ipa; 2574 2575 for (ipa = ipa_in; ipa; ipa = ipa->next) { 2576 if (ipa->af != AF_UNSPEC) 2577 continue; 2578 oldnext = ipa->next; 2579 2580 ipa->af = AF_INET; 2581 ipa->netaddress = 1; 2582 if ((ipa->name = strdup("0.0.0.0/0")) == NULL) 2583 err(1, "%s", __func__); 2584 2585 ipa->next = calloc(1, sizeof(struct ipsec_addr_wrap)); 2586 if (ipa->next == NULL) 2587 err(1, "%s", __func__); 2588 ipa->next->af = AF_INET6; 2589 ipa->next->netaddress = 1; 2590 if ((ipa->next->name = strdup("::/0")) == NULL) 2591 err(1, "%s", __func__); 2592 2593 ipa->next->next = oldnext; 2594 } 2595 } 2596 2597 int 2598 set_rule_peers(struct ipsec_rule *r, struct ipsec_hosts *peers) 2599 { 2600 if (r->type == RULE_FLOW && 2601 (r->flowtype == TYPE_DENY || r->flowtype == TYPE_BYPASS)) 2602 return (0); 2603 2604 r->local = copyhost(peers->src); 2605 r->peer = copyhost(peers->dst); 2606 if (r->peer == NULL) { 2607 /* Set peer to remote host. Must be a host address. */ 2608 if (r->direction == IPSEC_IN) { 2609 if (!r->src->netaddress) 2610 r->peer = copyhost(r->src); 2611 } else { 2612 if (!r->dst->netaddress) 2613 r->peer = copyhost(r->dst); 2614 } 2615 } 2616 if (r->type == RULE_FLOW && r->peer == NULL) { 2617 yyerror("no peer specified for destination %s", 2618 r->dst->name); 2619 return (1); 2620 } 2621 if (r->peer != NULL && r->peer->af == AF_UNSPEC) { 2622 /* If peer has been specified as any, use the default peer. */ 2623 free(r->peer); 2624 r->peer = NULL; 2625 } 2626 if (r->type == RULE_IKE && r->peer == NULL) { 2627 /* 2628 * Check if the default peer is consistent for all 2629 * rules. Only warn to avoid breaking existing configs. 2630 */ 2631 static struct ipsec_rule *pdr = NULL; 2632 2633 if (pdr == NULL) { 2634 /* Remember first default peer rule for comparison. */ 2635 pdr = r; 2636 } else { 2637 /* The new default peer must create the same config. */ 2638 if ((pdr->local == NULL && r->local != NULL) || 2639 (pdr->local != NULL && r->local == NULL) || 2640 (pdr->local != NULL && r->local != NULL && 2641 strcmp(pdr->local->name, r->local->name))) 2642 yywarn("default peer local mismatch"); 2643 if (pdr->ikeauth->type != r->ikeauth->type) 2644 yywarn("default peer phase 1 auth mismatch"); 2645 if (pdr->ikeauth->type == IKE_AUTH_PSK && 2646 r->ikeauth->type == IKE_AUTH_PSK && 2647 strcmp(pdr->ikeauth->string, r->ikeauth->string)) 2648 yywarn("default peer psk mismatch"); 2649 if (pdr->p1ie != r->p1ie) 2650 yywarn("default peer phase 1 mode mismatch"); 2651 /* 2652 * Transforms have ADD insted of SET so they may be 2653 * different and are not checked here. 2654 */ 2655 if ((pdr->auth->srcid == NULL && 2656 r->auth->srcid != NULL) || 2657 (pdr->auth->srcid != NULL && 2658 r->auth->srcid == NULL) || 2659 (pdr->auth->srcid != NULL && 2660 r->auth->srcid != NULL && 2661 strcmp(pdr->auth->srcid, r->auth->srcid))) 2662 yywarn("default peer srcid mismatch"); 2663 if ((pdr->auth->dstid == NULL && 2664 r->auth->dstid != NULL) || 2665 (pdr->auth->dstid != NULL && 2666 r->auth->dstid == NULL) || 2667 (pdr->auth->dstid != NULL && 2668 r->auth->dstid != NULL && 2669 strcmp(pdr->auth->dstid, r->auth->dstid))) 2670 yywarn("default peer dstid mismatch"); 2671 } 2672 } 2673 return (0); 2674 } 2675 2676 int 2677 expand_rule(struct ipsec_rule *rule, struct ipsec_hosts *peers, 2678 u_int8_t direction, u_int32_t spi, struct ipsec_key *authkey, 2679 struct ipsec_key *enckey, char *bundle) 2680 { 2681 struct ipsec_rule *r, *revr; 2682 struct ipsec_addr_wrap *src, *dst; 2683 int added = 0, ret = 1; 2684 2685 if (validate_af(rule->src, rule->dst)) { 2686 yyerror("source/destination address families do not match"); 2687 goto errout; 2688 } 2689 expand_any(rule->src); 2690 expand_any(rule->dst); 2691 for (src = rule->src; src; src = src->next) { 2692 for (dst = rule->dst; dst; dst = dst->next) { 2693 if (src->af != dst->af) 2694 continue; 2695 r = copyrule(rule); 2696 2697 r->src = copyhost(src); 2698 r->dst = copyhost(dst); 2699 2700 if (peers && set_rule_peers(r, peers)) { 2701 ipsecctl_free_rule(r); 2702 goto errout; 2703 } 2704 2705 r->nr = ipsec->rule_nr++; 2706 if (ipsecctl_add_rule(ipsec, r)) 2707 goto out; 2708 if (bundle && add_sabundle(r, bundle)) 2709 goto out; 2710 2711 if (direction == IPSEC_INOUT) { 2712 /* Create and add reverse flow rule. */ 2713 revr = reverse_rule(r); 2714 if (revr == NULL) 2715 goto out; 2716 2717 revr->nr = ipsec->rule_nr++; 2718 if (ipsecctl_add_rule(ipsec, revr)) 2719 goto out; 2720 if (bundle && add_sabundle(revr, bundle)) 2721 goto out; 2722 } else if (spi != 0 || authkey || enckey) { 2723 /* Create and add reverse sa rule. */ 2724 revr = reverse_sa(r, spi, authkey, enckey); 2725 if (revr == NULL) 2726 goto out; 2727 2728 revr->nr = ipsec->rule_nr++; 2729 if (ipsecctl_add_rule(ipsec, revr)) 2730 goto out; 2731 if (bundle && add_sabundle(revr, bundle)) 2732 goto out; 2733 } 2734 added++; 2735 } 2736 } 2737 if (!added) 2738 yyerror("rule expands to no valid combination"); 2739 errout: 2740 ret = 0; 2741 ipsecctl_free_rule(rule); 2742 out: 2743 if (peers) { 2744 if (peers->src) 2745 free(peers->src); 2746 if (peers->dst) 2747 free(peers->dst); 2748 } 2749 return (ret); 2750 } 2751 2752 struct ipsec_rule * 2753 reverse_rule(struct ipsec_rule *rule) 2754 { 2755 struct ipsec_rule *reverse; 2756 2757 reverse = calloc(1, sizeof(struct ipsec_rule)); 2758 if (reverse == NULL) 2759 err(1, "%s", __func__); 2760 2761 reverse->type |= RULE_FLOW; 2762 2763 /* Reverse direction */ 2764 if (rule->direction == (u_int8_t)IPSEC_OUT) 2765 reverse->direction = (u_int8_t)IPSEC_IN; 2766 else 2767 reverse->direction = (u_int8_t)IPSEC_OUT; 2768 2769 reverse->flowtype = rule->flowtype; 2770 reverse->src = copyhost(rule->dst); 2771 reverse->dst = copyhost(rule->src); 2772 reverse->sport = rule->dport; 2773 reverse->dport = rule->sport; 2774 if (rule->local) 2775 reverse->local = copyhost(rule->local); 2776 if (rule->peer) 2777 reverse->peer = copyhost(rule->peer); 2778 reverse->satype = rule->satype; 2779 reverse->proto = rule->proto; 2780 2781 if (rule->auth) { 2782 reverse->auth = calloc(1, sizeof(struct ipsec_auth)); 2783 if (reverse->auth == NULL) 2784 err(1, "%s", __func__); 2785 if (rule->auth->dstid && (reverse->auth->dstid = 2786 strdup(rule->auth->dstid)) == NULL) 2787 err(1, "%s", __func__); 2788 if (rule->auth->srcid && (reverse->auth->srcid = 2789 strdup(rule->auth->srcid)) == NULL) 2790 err(1, "%s", __func__); 2791 reverse->auth->srcid_type = rule->auth->srcid_type; 2792 reverse->auth->dstid_type = rule->auth->dstid_type; 2793 reverse->auth->type = rule->auth->type; 2794 } 2795 2796 return reverse; 2797 } 2798 2799 struct ipsec_rule * 2800 create_ike(u_int8_t proto, struct ipsec_hosts *hosts, 2801 struct ike_mode *phase1mode, struct ike_mode *phase2mode, u_int8_t satype, 2802 u_int8_t tmode, u_int8_t mode, char *srcid, char *dstid, 2803 struct ike_auth *authtype, char *tag) 2804 { 2805 struct ipsec_rule *r; 2806 2807 r = calloc(1, sizeof(struct ipsec_rule)); 2808 if (r == NULL) 2809 err(1, "%s", __func__); 2810 2811 r->type = RULE_IKE; 2812 2813 r->proto = proto; 2814 r->src = hosts->src; 2815 r->sport = hosts->sport; 2816 r->dst = hosts->dst; 2817 r->dport = hosts->dport; 2818 if ((hosts->sport != 0 || hosts->dport != 0) && 2819 (proto != IPPROTO_TCP && proto != IPPROTO_UDP)) { 2820 yyerror("no protocol supplied with source/destination ports"); 2821 goto errout; 2822 } 2823 2824 r->satype = satype; 2825 r->tmode = tmode; 2826 r->ikemode = mode; 2827 if (phase1mode) { 2828 r->p1xfs = phase1mode->xfs; 2829 r->p1life = phase1mode->life; 2830 r->p1ie = phase1mode->ike_exch; 2831 } else { 2832 r->p1ie = IKE_MM; 2833 } 2834 if (phase2mode) { 2835 if (phase2mode->xfs && phase2mode->xfs->encxf && 2836 phase2mode->xfs->encxf->noauth && 2837 phase2mode->xfs->authxf) { 2838 yyerror("authentication is implicit for %s", 2839 phase2mode->xfs->encxf->name); 2840 goto errout; 2841 } 2842 r->p2xfs = phase2mode->xfs; 2843 r->p2life = phase2mode->life; 2844 r->p2ie = phase2mode->ike_exch; 2845 } else { 2846 r->p2ie = IKE_QM; 2847 } 2848 2849 r->auth = calloc(1, sizeof(struct ipsec_auth)); 2850 if (r->auth == NULL) 2851 err(1, "%s", __func__); 2852 r->auth->srcid = srcid; 2853 r->auth->dstid = dstid; 2854 r->auth->srcid_type = get_id_type(srcid); 2855 r->auth->dstid_type = get_id_type(dstid); 2856 r->ikeauth = calloc(1, sizeof(struct ike_auth)); 2857 if (r->ikeauth == NULL) 2858 err(1, "%s", __func__); 2859 r->ikeauth->type = authtype->type; 2860 r->ikeauth->string = authtype->string; 2861 r->tag = tag; 2862 2863 return (r); 2864 2865 errout: 2866 free(r); 2867 free(hosts->src); 2868 hosts->src = NULL; 2869 free(hosts->dst); 2870 hosts->dst = NULL; 2871 if (phase1mode) { 2872 free(phase1mode->xfs); 2873 phase1mode->xfs = NULL; 2874 free(phase1mode->life); 2875 phase1mode->life = NULL; 2876 } 2877 if (phase2mode) { 2878 free(phase2mode->xfs); 2879 phase2mode->xfs = NULL; 2880 free(phase2mode->life); 2881 phase2mode->life = NULL; 2882 } 2883 if (srcid) 2884 free(srcid); 2885 if (dstid) 2886 free(dstid); 2887 return NULL; 2888 } 2889