1 /*	$NetBSD: cfparse.y,v 1.18.4.7 2008/07/21 20:45:32 tteras Exp $	*/
2 
3 /* Id: cfparse.y,v 1.66 2006/08/22 18:17:17 manubsd Exp */
4 
5 %{
6 /*
7  * Copyright (C) 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002 and 2003 WIDE Project.
8  * All rights reserved.
9  *
10  * Redistribution and use in source and binary forms, with or without
11  * modification, are permitted provided that the following conditions
12  * are met:
13  * 1. Redistributions of source code must retain the above copyright
14  *    notice, this list of conditions and the following disclaimer.
15  * 2. Redistributions in binary form must reproduce the above copyright
16  *    notice, this list of conditions and the following disclaimer in the
17  *    documentation and/or other materials provided with the distribution.
18  * 3. Neither the name of the project nor the names of its contributors
19  *    may be used to endorse or promote products derived from this software
20  *    without specific prior written permission.
21  *
22  * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
23  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
24  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
25  * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
26  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
27  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
28  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
29  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
30  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
31  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
32  * SUCH DAMAGE.
33  */
34 
35 #include "config.h"
36 
37 #include <sys/types.h>
38 #include <sys/param.h>
39 #include <sys/queue.h>
40 #include <sys/socket.h>
41 
42 #include <netinet/in.h>
43 #include PATH_IPSEC_H
44 
45 #ifdef ENABLE_HYBRID
46 #include <arpa/inet.h>
47 #endif
48 
49 #include <stdlib.h>
50 #include <stdio.h>
51 #include <string.h>
52 #include <errno.h>
53 #include <netdb.h>
54 #include <pwd.h>
55 #include <grp.h>
56 
57 #include "var.h"
58 #include "misc.h"
59 #include "vmbuf.h"
60 #include "plog.h"
61 #include "sockmisc.h"
62 #include "str2val.h"
63 #include "genlist.h"
64 #include "debug.h"
65 
66 #include "admin.h"
67 #include "privsep.h"
68 #include "cfparse_proto.h"
69 #include "cftoken_proto.h"
70 #include "algorithm.h"
71 #include "localconf.h"
72 #include "policy.h"
73 #include "sainfo.h"
74 #include "oakley.h"
75 #include "pfkey.h"
76 #include "remoteconf.h"
77 #include "grabmyaddr.h"
78 #include "isakmp_var.h"
79 #include "handler.h"
80 #include "isakmp.h"
81 #include "nattraversal.h"
82 #include "isakmp_frag.h"
83 #ifdef ENABLE_HYBRID
84 #include "resolv.h"
85 #include "isakmp_unity.h"
86 #include "isakmp_xauth.h"
87 #include "isakmp_cfg.h"
88 #endif
89 #include "ipsec_doi.h"
90 #include "strnames.h"
91 #include "gcmalloc.h"
92 #ifdef HAVE_GSSAPI
93 #include "gssapi.h"
94 #endif
95 #include "vendorid.h"
96 #include "rsalist.h"
97 
98 struct proposalspec {
99 	time_t lifetime;		/* for isakmp/ipsec */
100 	int lifebyte;			/* for isakmp/ipsec */
101 	struct secprotospec *spspec;	/* the head is always current spec. */
102 	struct proposalspec *next;	/* the tail is the most prefered. */
103 	struct proposalspec *prev;
104 };
105 
106 struct secprotospec {
107 	int prop_no;
108 	int trns_no;
109 	int strength;		/* for isakmp/ipsec */
110 	int encklen;		/* for isakmp/ipsec */
111 	time_t lifetime;	/* for isakmp */
112 	int lifebyte;		/* for isakmp */
113 	int proto_id;		/* for ipsec (isakmp?) */
114 	int ipsec_level;	/* for ipsec */
115 	int encmode;		/* for ipsec */
116 	int vendorid;		/* for isakmp */
117 	char *gssid;
118 	struct sockaddr *remote;
119 	int algclass[MAXALGCLASS];
120 
121 	struct secprotospec *next;	/* the tail is the most prefiered. */
122 	struct secprotospec *prev;
123 	struct proposalspec *back;
124 };
125 
126 static int num2dhgroup[] = {
127 	0,
128 	OAKLEY_ATTR_GRP_DESC_MODP768,
129 	OAKLEY_ATTR_GRP_DESC_MODP1024,
130 	OAKLEY_ATTR_GRP_DESC_EC2N155,
131 	OAKLEY_ATTR_GRP_DESC_EC2N185,
132 	OAKLEY_ATTR_GRP_DESC_MODP1536,
133 	0,
134 	0,
135 	0,
136 	0,
137 	0,
138 	0,
139 	0,
140 	0,
141 	OAKLEY_ATTR_GRP_DESC_MODP2048,
142 	OAKLEY_ATTR_GRP_DESC_MODP3072,
143 	OAKLEY_ATTR_GRP_DESC_MODP4096,
144 	OAKLEY_ATTR_GRP_DESC_MODP6144,
145 	OAKLEY_ATTR_GRP_DESC_MODP8192
146 };
147 
148 static struct remoteconf *cur_rmconf;
149 static int tmpalgtype[MAXALGCLASS];
150 static struct sainfo *cur_sainfo;
151 static int cur_algclass;
152 static int oldloglevel = LLV_BASE;
153 
154 static struct proposalspec *newprspec __P((void));
155 static void insprspec __P((struct proposalspec *, struct proposalspec **));
156 static struct secprotospec *newspspec __P((void));
157 static void insspspec __P((struct secprotospec *, struct proposalspec **));
158 static void adminsock_conf __P((vchar_t *, vchar_t *, vchar_t *, int));
159 
160 static int set_isakmp_proposal
161 	__P((struct remoteconf *, struct proposalspec *));
162 static void clean_tmpalgtype __P((void));
163 static int expand_isakmpspec __P((int, int, int *,
164 	int, int, time_t, int, int, int, char *, struct remoteconf *));
165 static int listen_addr __P((struct sockaddr *addr, int udp_encap));
166 
167 void freeetypes (struct etypes **etypes);
168 
169 #if 0
170 static int fix_lifebyte __P((u_long));
171 #endif
172 %}
173 
174 %union {
175 	unsigned long num;
176 	vchar_t *val;
177 	struct remoteconf *rmconf;
178 	struct sockaddr *saddr;
179 	struct sainfoalg *alg;
180 }
181 
182 	/* privsep */
183 %token PRIVSEP USER GROUP CHROOT
184 	/* path */
185 %token PATH PATHTYPE
186 	/* include */
187 %token INCLUDE
188 	/* self information */
189 %token IDENTIFIER VENDORID
190 	/* logging */
191 %token LOGGING LOGLEV
192 	/* padding */
193 %token PADDING PAD_RANDOMIZE PAD_RANDOMIZELEN PAD_MAXLEN PAD_STRICT PAD_EXCLTAIL
194 	/* listen */
195 %token LISTEN X_ISAKMP X_ISAKMP_NATT X_ADMIN STRICT_ADDRESS ADMINSOCK DISABLED
196 	/* ldap config */
197 %token LDAPCFG LDAP_HOST LDAP_PORT LDAP_PVER LDAP_BASE LDAP_BIND_DN LDAP_BIND_PW LDAP_SUBTREE
198 %token LDAP_ATTR_USER LDAP_ATTR_ADDR LDAP_ATTR_MASK LDAP_ATTR_GROUP LDAP_ATTR_MEMBER
199 	/* modecfg */
200 %token MODECFG CFG_NET4 CFG_MASK4 CFG_DNS4 CFG_NBNS4 CFG_DEFAULT_DOMAIN
201 %token CFG_AUTH_SOURCE CFG_AUTH_GROUPS CFG_SYSTEM CFG_RADIUS CFG_PAM CFG_LDAP CFG_LOCAL CFG_NONE
202 %token CFG_GROUP_SOURCE CFG_ACCOUNTING CFG_CONF_SOURCE CFG_MOTD CFG_POOL_SIZE CFG_AUTH_THROTTLE
203 %token CFG_SPLIT_NETWORK CFG_SPLIT_LOCAL CFG_SPLIT_INCLUDE CFG_SPLIT_DNS
204 %token CFG_PFS_GROUP CFG_SAVE_PASSWD
205 
206 	/* timer */
207 %token RETRY RETRY_COUNTER RETRY_INTERVAL RETRY_PERSEND
208 %token RETRY_PHASE1 RETRY_PHASE2 NATT_KA
209 	/* algorithm */
210 %token ALGORITHM_CLASS ALGORITHMTYPE STRENGTHTYPE
211 	/* sainfo */
212 %token SAINFO FROM
213 	/* remote */
214 %token REMOTE ANONYMOUS INHERIT
215 %token EXCHANGE_MODE EXCHANGETYPE DOI DOITYPE SITUATION SITUATIONTYPE
216 %token CERTIFICATE_TYPE CERTTYPE PEERS_CERTFILE CA_TYPE
217 %token VERIFY_CERT SEND_CERT SEND_CR
218 %token IDENTIFIERTYPE IDENTIFIERQUAL MY_IDENTIFIER
219 %token PEERS_IDENTIFIER VERIFY_IDENTIFIER
220 %token DNSSEC CERT_X509 CERT_PLAINRSA
221 %token NONCE_SIZE DH_GROUP KEEPALIVE PASSIVE INITIAL_CONTACT
222 %token NAT_TRAVERSAL REMOTE_FORCE_LEVEL
223 %token PROPOSAL_CHECK PROPOSAL_CHECK_LEVEL
224 %token GENERATE_POLICY GENERATE_LEVEL SUPPORT_PROXY
225 %token PROPOSAL
226 %token EXEC_PATH EXEC_COMMAND EXEC_SUCCESS EXEC_FAILURE
227 %token GSS_ID GSS_ID_ENC GSS_ID_ENCTYPE
228 %token COMPLEX_BUNDLE
229 %token DPD DPD_DELAY DPD_RETRY DPD_MAXFAIL
230 %token PH1ID
231 %token XAUTH_LOGIN WEAK_PHASE1_CHECK
232 
233 %token PREFIX PORT PORTANY UL_PROTO ANY IKE_FRAG ESP_FRAG MODE_CFG
234 %token PFS_GROUP LIFETIME LIFETYPE_TIME LIFETYPE_BYTE STRENGTH REMOTEID
235 
236 %token SCRIPT PHASE1_UP PHASE1_DOWN
237 
238 %token NUMBER SWITCH BOOLEAN
239 %token HEXSTRING QUOTEDSTRING ADDRSTRING ADDRRANGE
240 %token UNITTYPE_BYTE UNITTYPE_KBYTES UNITTYPE_MBYTES UNITTYPE_TBYTES
241 %token UNITTYPE_SEC UNITTYPE_MIN UNITTYPE_HOUR
242 %token EOS BOC EOC COMMA
243 
244 %type <num> NUMBER BOOLEAN SWITCH keylength
245 %type <num> PATHTYPE IDENTIFIERTYPE IDENTIFIERQUAL LOGLEV GSS_ID_ENCTYPE
246 %type <num> ALGORITHM_CLASS dh_group_num
247 %type <num> ALGORITHMTYPE STRENGTHTYPE
248 %type <num> PREFIX prefix PORT port ike_port
249 %type <num> ul_proto UL_PROTO
250 %type <num> EXCHANGETYPE DOITYPE SITUATIONTYPE
251 %type <num> CERTTYPE CERT_X509 CERT_PLAINRSA PROPOSAL_CHECK_LEVEL REMOTE_FORCE_LEVEL GENERATE_LEVEL
252 %type <num> unittype_time unittype_byte
253 %type <val> QUOTEDSTRING HEXSTRING ADDRSTRING ADDRRANGE sainfo_id
254 %type <val> identifierstring
255 %type <saddr> remote_index ike_addrinfo_port
256 %type <alg> algorithm
257 
258 %%
259 
260 statements
261 	:	/* nothing */
262 	|	statements statement
263 	;
264 statement
265 	:	privsep_statement
266 	|	path_statement
267 	|	include_statement
268 	|	gssenc_statement
269 	|	identifier_statement
270 	|	logging_statement
271 	|	padding_statement
272 	|	listen_statement
273 	|	ldapcfg_statement
274 	|	modecfg_statement
275 	|	timer_statement
276 	|	sainfo_statement
277 	|	remote_statement
278 	|	special_statement
279 	;
280 
281 	/* privsep */
282 privsep_statement
283 	:	PRIVSEP BOC privsep_stmts EOC
284 	;
285 privsep_stmts
286 	:	/* nothing */
287 	|	privsep_stmts privsep_stmt
288 	;
289 privsep_stmt
290 	:	USER QUOTEDSTRING
291 		{
292 			struct passwd *pw;
293 
294 			if ((pw = getpwnam($2->v)) == NULL) {
295 				yyerror("unknown user \"%s\"", $2->v);
296 				return -1;
297 			}
298 			lcconf->uid = pw->pw_uid;
299 		}
300 		EOS
301 	|	USER NUMBER { lcconf->uid = $2; } EOS
302 	|	GROUP QUOTEDSTRING
303 		{
304 			struct group *gr;
305 
306 			if ((gr = getgrnam($2->v)) == NULL) {
307 				yyerror("unknown group \"%s\"", $2->v);
308 				return -1;
309 			}
310 			lcconf->gid = gr->gr_gid;
311 		}
312 		EOS
313 	|	GROUP NUMBER { lcconf->gid = $2; } EOS
314 	|	CHROOT QUOTEDSTRING { lcconf->chroot = $2->v; } EOS
315 	;
316 
317 	/* path */
318 path_statement
319 	:	PATH PATHTYPE QUOTEDSTRING
320 		{
321 			if ($2 >= LC_PATHTYPE_MAX) {
322 				yyerror("invalid path type %d", $2);
323 				return -1;
324 			}
325 
326 			/* free old pathinfo */
327 			if (lcconf->pathinfo[$2])
328 				racoon_free(lcconf->pathinfo[$2]);
329 
330 			/* set new pathinfo */
331 			lcconf->pathinfo[$2] = racoon_strdup($3->v);
332 			STRDUP_FATAL(lcconf->pathinfo[$2]);
333 			vfree($3);
334 		}
335 		EOS
336 	;
337 
338 	/* special */
339 special_statement
340 	:	COMPLEX_BUNDLE SWITCH { lcconf->complex_bundle = $2; } EOS
341 	;
342 
343 	/* include */
344 include_statement
345 	:	INCLUDE QUOTEDSTRING EOS
346 		{
347 			char path[MAXPATHLEN];
348 
349 			getpathname(path, sizeof(path),
350 				LC_PATHTYPE_INCLUDE, $2->v);
351 			vfree($2);
352 			if (yycf_switch_buffer(path) != 0)
353 				return -1;
354 		}
355 	;
356 
357 	/* gss_id_enc */
358 gssenc_statement
359 	:	GSS_ID_ENC GSS_ID_ENCTYPE EOS
360 		{
361 			if ($2 >= LC_GSSENC_MAX) {
362 				yyerror("invalid GSS ID encoding %d", $2);
363 				return -1;
364 			}
365 			lcconf->gss_id_enc = $2;
366 		}
367 	;
368 
369 	/* self information */
370 identifier_statement
371 	:	IDENTIFIER identifier_stmt
372 	;
373 identifier_stmt
374 	:	VENDORID
375 		{
376 			/*XXX to be deleted */
377 		}
378 		QUOTEDSTRING EOS
379 	|	IDENTIFIERTYPE QUOTEDSTRING
380 		{
381 			/*XXX to be deleted */
382 			$2->l--;	/* nuke '\0' */
383 			lcconf->ident[$1] = $2;
384 			if (lcconf->ident[$1] == NULL) {
385 				yyerror("failed to set my ident: %s",
386 					strerror(errno));
387 				return -1;
388 			}
389 		}
390 		EOS
391 	;
392 
393 	/* logging */
394 logging_statement
395 	:	LOGGING log_level EOS
396 	;
397 log_level
398 	:	HEXSTRING
399 		{
400 			/*
401 			 * XXX ignore it because this specification
402 			 * will be obsoleted.
403 			 */
404 			yywarn("see racoon.conf(5), such a log specification will be obsoleted.");
405 			vfree($1);
406 		}
407 	|	LOGLEV
408 		{
409 			/*
410 			 * set the loglevel to the value specified
411 			 * in the configuration file plus the number
412 			 * of -d options specified on the command line
413 			 */
414 			loglevel += $1 - oldloglevel;
415 			oldloglevel = $1;
416 		}
417 	;
418 
419 	/* padding */
420 padding_statement
421 	:	PADDING BOC padding_stmts EOC
422 	;
423 padding_stmts
424 	:	/* nothing */
425 	|	padding_stmts padding_stmt
426 	;
427 padding_stmt
428 	:	PAD_RANDOMIZE SWITCH { lcconf->pad_random = $2; } EOS
429 	|	PAD_RANDOMIZELEN SWITCH { lcconf->pad_randomlen = $2; } EOS
430 	|	PAD_MAXLEN NUMBER { lcconf->pad_maxsize = $2; } EOS
431 	|	PAD_STRICT SWITCH { lcconf->pad_strict = $2; } EOS
432 	|	PAD_EXCLTAIL SWITCH { lcconf->pad_excltail = $2; } EOS
433 	;
434 
435 	/* listen */
436 listen_statement
437 	:	LISTEN BOC listen_stmts EOC
438 	;
439 listen_stmts
440 	:	/* nothing */
441 	|	listen_stmts listen_stmt
442 	;
443 listen_stmt
444 	:	X_ISAKMP ike_addrinfo_port
445 		{
446 			listen_addr ($2, 0);
447 		}
448 		EOS
449 	|	X_ISAKMP_NATT ike_addrinfo_port
450 		{
451 #ifdef ENABLE_NATT
452 			listen_addr ($2, 1);
453 #else
454 			yyerror("NAT-T support not compiled in.");
455 #endif
456 		}
457 		EOS
458 	|	X_ADMIN
459 		{
460 			yyerror("admin directive is obsoleted.");
461 		}
462 		PORT EOS
463 	|	ADMINSOCK QUOTEDSTRING QUOTEDSTRING QUOTEDSTRING NUMBER
464 		{
465 #ifdef ENABLE_ADMINPORT
466 			adminsock_conf($2, $3, $4, $5);
467 #else
468 			yywarn("admin port support not compiled in");
469 #endif
470 		}
471 		EOS
472 	|	ADMINSOCK QUOTEDSTRING
473 		{
474 #ifdef ENABLE_ADMINPORT
475 			adminsock_conf($2, NULL, NULL, -1);
476 #else
477 			yywarn("admin port support not compiled in");
478 #endif
479 		}
480 		EOS
481 	|	ADMINSOCK DISABLED
482 		{
483 #ifdef ENABLE_ADMINPORT
484 			adminsock_path = NULL;
485 #else
486 			yywarn("admin port support not compiled in");
487 #endif
488 		}
489 		EOS
490 	|	STRICT_ADDRESS { lcconf->strict_address = TRUE; } EOS
491 	;
492 ike_addrinfo_port
493 	:	ADDRSTRING ike_port
494 		{
495 			char portbuf[10];
496 
497 			snprintf(portbuf, sizeof(portbuf), "%ld", $2);
498 			$$ = str2saddr($1->v, portbuf);
499 			vfree($1);
500 			if (!$$)
501 				return -1;
502 		}
503 	;
504 ike_port
505 	:	/* nothing */	{ $$ = PORT_ISAKMP; }
506 	|	PORT		{ $$ = $1; }
507 	;
508 
509 	/* ldap configuration */
510 ldapcfg_statement
511 	:	LDAPCFG {
512 #ifndef ENABLE_HYBRID
513 			yyerror("racoon not configured with --enable-hybrid");
514 			return -1;
515 #endif
516 #ifndef HAVE_LIBLDAP
517 			yyerror("racoon not configured with --with-libldap");
518 			return -1;
519 #endif
520 		} BOC ldapcfg_stmts EOC
521 	;
522 ldapcfg_stmts
523 	:	/* nothing */
524 	|	ldapcfg_stmts ldapcfg_stmt
525 	;
526 ldapcfg_stmt
527 	:	LDAP_PVER NUMBER
528 		{
529 #ifdef ENABLE_HYBRID
530 #ifdef HAVE_LIBLDAP
531 			if (($2<2)||($2>3))
532 				yyerror("invalid ldap protocol version (2|3)");
533 			xauth_ldap_config.pver = $2;
534 #endif
535 #endif
536 		}
537 		EOS
538 	|	LDAP_HOST QUOTEDSTRING
539 		{
540 #ifdef ENABLE_HYBRID
541 #ifdef HAVE_LIBLDAP
542 			if (xauth_ldap_config.host != NULL)
543 				vfree(xauth_ldap_config.host);
544 			xauth_ldap_config.host = vdup($2);
545 #endif
546 #endif
547 		}
548 		EOS
549 	|	LDAP_PORT NUMBER
550 		{
551 #ifdef ENABLE_HYBRID
552 #ifdef HAVE_LIBLDAP
553 			xauth_ldap_config.port = $2;
554 #endif
555 #endif
556 		}
557 		EOS
558 	|	LDAP_BASE QUOTEDSTRING
559 		{
560 #ifdef ENABLE_HYBRID
561 #ifdef HAVE_LIBLDAP
562 			if (xauth_ldap_config.base != NULL)
563 				vfree(xauth_ldap_config.base);
564 			xauth_ldap_config.base = vdup($2);
565 #endif
566 #endif
567 		}
568 		EOS
569 	|	LDAP_SUBTREE SWITCH
570 		{
571 #ifdef ENABLE_HYBRID
572 #ifdef HAVE_LIBLDAP
573 			xauth_ldap_config.subtree = $2;
574 #endif
575 #endif
576 		}
577 		EOS
578 	|	LDAP_BIND_DN QUOTEDSTRING
579 		{
580 #ifdef ENABLE_HYBRID
581 #ifdef HAVE_LIBLDAP
582 			if (xauth_ldap_config.bind_dn != NULL)
583 				vfree(xauth_ldap_config.bind_dn);
584 			xauth_ldap_config.bind_dn = vdup($2);
585 #endif
586 #endif
587 		}
588 		EOS
589 	|	LDAP_BIND_PW QUOTEDSTRING
590 		{
591 #ifdef ENABLE_HYBRID
592 #ifdef HAVE_LIBLDAP
593 			if (xauth_ldap_config.bind_pw != NULL)
594 				vfree(xauth_ldap_config.bind_pw);
595 			xauth_ldap_config.bind_pw = vdup($2);
596 #endif
597 #endif
598 		}
599 		EOS
600 	|	LDAP_ATTR_USER QUOTEDSTRING
601 		{
602 #ifdef ENABLE_HYBRID
603 #ifdef HAVE_LIBLDAP
604 			if (xauth_ldap_config.attr_user != NULL)
605 				vfree(xauth_ldap_config.attr_user);
606 			xauth_ldap_config.attr_user = vdup($2);
607 #endif
608 #endif
609 		}
610 		EOS
611 	|	LDAP_ATTR_ADDR QUOTEDSTRING
612 		{
613 #ifdef ENABLE_HYBRID
614 #ifdef HAVE_LIBLDAP
615 			if (xauth_ldap_config.attr_addr != NULL)
616 				vfree(xauth_ldap_config.attr_addr);
617 			xauth_ldap_config.attr_addr = vdup($2);
618 #endif
619 #endif
620 		}
621 		EOS
622 	|	LDAP_ATTR_MASK QUOTEDSTRING
623 		{
624 #ifdef ENABLE_HYBRID
625 #ifdef HAVE_LIBLDAP
626 			if (xauth_ldap_config.attr_mask != NULL)
627 				vfree(xauth_ldap_config.attr_mask);
628 			xauth_ldap_config.attr_mask = vdup($2);
629 #endif
630 #endif
631 		}
632 		EOS
633 	|	LDAP_ATTR_GROUP QUOTEDSTRING
634 		{
635 #ifdef ENABLE_HYBRID
636 #ifdef HAVE_LIBLDAP
637 			if (xauth_ldap_config.attr_group != NULL)
638 				vfree(xauth_ldap_config.attr_group);
639 			xauth_ldap_config.attr_group = vdup($2);
640 #endif
641 #endif
642 		}
643 		EOS
644 	|	LDAP_ATTR_MEMBER QUOTEDSTRING
645 		{
646 #ifdef ENABLE_HYBRID
647 #ifdef HAVE_LIBLDAP
648 			if (xauth_ldap_config.attr_member != NULL)
649 				vfree(xauth_ldap_config.attr_member);
650 			xauth_ldap_config.attr_member = vdup($2);
651 #endif
652 #endif
653 		}
654 		EOS
655 	;
656 
657 	/* modecfg */
658 modecfg_statement
659 	:	MODECFG BOC modecfg_stmts EOC
660 	;
661 modecfg_stmts
662 	:	/* nothing */
663 	|	modecfg_stmts modecfg_stmt
664 	;
665 modecfg_stmt
666 	:	CFG_NET4 ADDRSTRING
667 		{
668 #ifdef ENABLE_HYBRID
669 			if (inet_pton(AF_INET, $2->v,
670 			     &isakmp_cfg_config.network4) != 1)
671 				yyerror("bad IPv4 network address.");
672 #else
673 			yyerror("racoon not configured with --enable-hybrid");
674 #endif
675 		}
676 		EOS
677 	|	CFG_MASK4 ADDRSTRING
678 		{
679 #ifdef ENABLE_HYBRID
680 			if (inet_pton(AF_INET, $2->v,
681 			    &isakmp_cfg_config.netmask4) != 1)
682 				yyerror("bad IPv4 netmask address.");
683 #else
684 			yyerror("racoon not configured with --enable-hybrid");
685 #endif
686 		}
687 		EOS
688 	|	CFG_DNS4 addrdnslist
689 		EOS
690 	|	CFG_NBNS4 addrwinslist
691 		EOS
692 	|	CFG_SPLIT_NETWORK CFG_SPLIT_LOCAL splitnetlist
693 		{
694 #ifdef ENABLE_HYBRID
695 			isakmp_cfg_config.splitnet_type = UNITY_LOCAL_LAN;
696 #else
697 			yyerror("racoon not configured with --enable-hybrid");
698 #endif
699 		}
700 		EOS
701 	|	CFG_SPLIT_NETWORK CFG_SPLIT_INCLUDE splitnetlist
702 		{
703 #ifdef ENABLE_HYBRID
704 			isakmp_cfg_config.splitnet_type = UNITY_SPLIT_INCLUDE;
705 #else
706 			yyerror("racoon not configured with --enable-hybrid");
707 #endif
708 		}
709 		EOS
710 	|	CFG_SPLIT_DNS splitdnslist
711 		{
712 #ifndef ENABLE_HYBRID
713 			yyerror("racoon not configured with --enable-hybrid");
714 #endif
715 		}
716 		EOS
717 	|	CFG_DEFAULT_DOMAIN QUOTEDSTRING
718 		{
719 #ifdef ENABLE_HYBRID
720 			strncpy(&isakmp_cfg_config.default_domain[0],
721 			    $2->v, MAXPATHLEN);
722 			isakmp_cfg_config.default_domain[MAXPATHLEN] = '\0';
723 			vfree($2);
724 #else
725 			yyerror("racoon not configured with --enable-hybrid");
726 #endif
727 		}
728 		EOS
729 	|	CFG_AUTH_SOURCE CFG_SYSTEM
730 		{
731 #ifdef ENABLE_HYBRID
732 			isakmp_cfg_config.authsource = ISAKMP_CFG_AUTH_SYSTEM;
733 #else
734 			yyerror("racoon not configured with --enable-hybrid");
735 #endif
736 		}
737 		EOS
738 	|	CFG_AUTH_SOURCE CFG_RADIUS
739 		{
740 #ifdef ENABLE_HYBRID
741 #ifdef HAVE_LIBRADIUS
742 			isakmp_cfg_config.authsource = ISAKMP_CFG_AUTH_RADIUS;
743 #else /* HAVE_LIBRADIUS */
744 			yyerror("racoon not configured with --with-libradius");
745 #endif /* HAVE_LIBRADIUS */
746 #else /* ENABLE_HYBRID */
747 			yyerror("racoon not configured with --enable-hybrid");
748 #endif /* ENABLE_HYBRID */
749 		}
750 		EOS
751 	|	CFG_AUTH_SOURCE CFG_PAM
752 		{
753 #ifdef ENABLE_HYBRID
754 #ifdef HAVE_LIBPAM
755 			isakmp_cfg_config.authsource = ISAKMP_CFG_AUTH_PAM;
756 #else /* HAVE_LIBPAM */
757 			yyerror("racoon not configured with --with-libpam");
758 #endif /* HAVE_LIBPAM */
759 #else /* ENABLE_HYBRID */
760 			yyerror("racoon not configured with --enable-hybrid");
761 #endif /* ENABLE_HYBRID */
762 		}
763 		EOS
764 	|	CFG_AUTH_SOURCE CFG_LDAP
765 		{
766 #ifdef ENABLE_HYBRID
767 #ifdef HAVE_LIBLDAP
768 			isakmp_cfg_config.authsource = ISAKMP_CFG_AUTH_LDAP;
769 #else /* HAVE_LIBLDAP */
770 			yyerror("racoon not configured with --with-libldap");
771 #endif /* HAVE_LIBLDAP */
772 #else /* ENABLE_HYBRID */
773 			yyerror("racoon not configured with --enable-hybrid");
774 #endif /* ENABLE_HYBRID */
775 		}
776 		EOS
777 	|	CFG_AUTH_GROUPS authgrouplist
778 		{
779 #ifndef ENABLE_HYBRID
780 			yyerror("racoon not configured with --enable-hybrid");
781 #endif
782 		}
783 		EOS
784 	|	CFG_GROUP_SOURCE CFG_SYSTEM
785 		{
786 #ifdef ENABLE_HYBRID
787 			isakmp_cfg_config.groupsource = ISAKMP_CFG_GROUP_SYSTEM;
788 #else
789 			yyerror("racoon not configured with --enable-hybrid");
790 #endif
791 		}
792 		EOS
793 	|	CFG_GROUP_SOURCE CFG_LDAP
794 		{
795 #ifdef ENABLE_HYBRID
796 #ifdef HAVE_LIBLDAP
797 			isakmp_cfg_config.groupsource = ISAKMP_CFG_GROUP_LDAP;
798 #else /* HAVE_LIBLDAP */
799 			yyerror("racoon not configured with --with-libldap");
800 #endif /* HAVE_LIBLDAP */
801 #else /* ENABLE_HYBRID */
802 			yyerror("racoon not configured with --enable-hybrid");
803 #endif /* ENABLE_HYBRID */
804 		}
805 		EOS
806 	|	CFG_ACCOUNTING CFG_NONE
807 		{
808 #ifdef ENABLE_HYBRID
809 			isakmp_cfg_config.accounting = ISAKMP_CFG_ACCT_NONE;
810 #else
811 			yyerror("racoon not configured with --enable-hybrid");
812 #endif
813 		}
814 		EOS
815 	|	CFG_ACCOUNTING CFG_SYSTEM
816 		{
817 #ifdef ENABLE_HYBRID
818 			isakmp_cfg_config.accounting = ISAKMP_CFG_ACCT_SYSTEM;
819 #else
820 			yyerror("racoon not configured with --enable-hybrid");
821 #endif
822 		}
823 		EOS
824 	|	CFG_ACCOUNTING CFG_RADIUS
825 		{
826 #ifdef ENABLE_HYBRID
827 #ifdef HAVE_LIBRADIUS
828 			isakmp_cfg_config.accounting = ISAKMP_CFG_ACCT_RADIUS;
829 #else /* HAVE_LIBRADIUS */
830 			yyerror("racoon not configured with --with-libradius");
831 #endif /* HAVE_LIBRADIUS */
832 #else /* ENABLE_HYBRID */
833 			yyerror("racoon not configured with --enable-hybrid");
834 #endif /* ENABLE_HYBRID */
835 		}
836 		EOS
837 	|	CFG_ACCOUNTING CFG_PAM
838 		{
839 #ifdef ENABLE_HYBRID
840 #ifdef HAVE_LIBPAM
841 			isakmp_cfg_config.accounting = ISAKMP_CFG_ACCT_PAM;
842 #else /* HAVE_LIBPAM */
843 			yyerror("racoon not configured with --with-libpam");
844 #endif /* HAVE_LIBPAM */
845 #else /* ENABLE_HYBRID */
846 			yyerror("racoon not configured with --enable-hybrid");
847 #endif /* ENABLE_HYBRID */
848 		}
849 		EOS
850 	|	CFG_POOL_SIZE NUMBER
851 		{
852 #ifdef ENABLE_HYBRID
853 			if (isakmp_cfg_resize_pool($2) != 0)
854 				yyerror("cannot allocate memory for pool");
855 #else /* ENABLE_HYBRID */
856 			yyerror("racoon not configured with --enable-hybrid");
857 #endif /* ENABLE_HYBRID */
858 		}
859 		EOS
860 	|	CFG_PFS_GROUP NUMBER
861 		{
862 #ifdef ENABLE_HYBRID
863 			isakmp_cfg_config.pfs_group = $2;
864 #else /* ENABLE_HYBRID */
865 			yyerror("racoon not configured with --enable-hybrid");
866 #endif /* ENABLE_HYBRID */
867 		}
868 		EOS
869 	|	CFG_SAVE_PASSWD SWITCH
870 		{
871 #ifdef ENABLE_HYBRID
872 			isakmp_cfg_config.save_passwd = $2;
873 #else /* ENABLE_HYBRID */
874 			yyerror("racoon not configured with --enable-hybrid");
875 #endif /* ENABLE_HYBRID */
876 		}
877 		EOS
878 	|	CFG_AUTH_THROTTLE NUMBER
879 		{
880 #ifdef ENABLE_HYBRID
881 			isakmp_cfg_config.auth_throttle = $2;
882 #else /* ENABLE_HYBRID */
883 			yyerror("racoon not configured with --enable-hybrid");
884 #endif /* ENABLE_HYBRID */
885 		}
886 		EOS
887 	|	CFG_CONF_SOURCE CFG_LOCAL
888 		{
889 #ifdef ENABLE_HYBRID
890 			isakmp_cfg_config.confsource = ISAKMP_CFG_CONF_LOCAL;
891 #else /* ENABLE_HYBRID */
892 			yyerror("racoon not configured with --enable-hybrid");
893 #endif /* ENABLE_HYBRID */
894 		}
895 		EOS
896 	|	CFG_CONF_SOURCE CFG_RADIUS
897 		{
898 #ifdef ENABLE_HYBRID
899 #ifdef HAVE_LIBRADIUS
900 			isakmp_cfg_config.confsource = ISAKMP_CFG_CONF_RADIUS;
901 #else /* HAVE_LIBRADIUS */
902 			yyerror("racoon not configured with --with-libradius");
903 #endif /* HAVE_LIBRADIUS */
904 #else /* ENABLE_HYBRID */
905 			yyerror("racoon not configured with --enable-hybrid");
906 #endif /* ENABLE_HYBRID */
907 		}
908 		EOS
909 	|	CFG_CONF_SOURCE CFG_LDAP
910 		{
911 #ifdef ENABLE_HYBRID
912 #ifdef HAVE_LIBLDAP
913 			isakmp_cfg_config.confsource = ISAKMP_CFG_CONF_LDAP;
914 #else /* HAVE_LIBLDAP */
915 			yyerror("racoon not configured with --with-libldap");
916 #endif /* HAVE_LIBLDAP */
917 #else /* ENABLE_HYBRID */
918 			yyerror("racoon not configured with --enable-hybrid");
919 #endif /* ENABLE_HYBRID */
920 		}
921 		EOS
922 	|	CFG_MOTD QUOTEDSTRING
923 		{
924 #ifdef ENABLE_HYBRID
925 			strncpy(&isakmp_cfg_config.motd[0], $2->v, MAXPATHLEN);
926 			isakmp_cfg_config.motd[MAXPATHLEN] = '\0';
927 			vfree($2);
928 #else
929 			yyerror("racoon not configured with --enable-hybrid");
930 #endif
931 		}
932 		EOS
933 	;
934 
935 addrdnslist
936 	:	addrdns
937 	|	addrdns COMMA addrdnslist
938 	;
939 addrdns
940 	:	ADDRSTRING
941 		{
942 #ifdef ENABLE_HYBRID
943 			struct isakmp_cfg_config *icc = &isakmp_cfg_config;
944 
945 			if (icc->dns4_index > MAXNS)
946 				yyerror("No more than %d DNS", MAXNS);
947 			if (inet_pton(AF_INET, $1->v,
948 			    &icc->dns4[icc->dns4_index++]) != 1)
949 				yyerror("bad IPv4 DNS address.");
950 #else
951 			yyerror("racoon not configured with --enable-hybrid");
952 #endif
953 		}
954 	;
955 
956 addrwinslist
957 	:	addrwins
958 	|	addrwins COMMA addrwinslist
959 	;
960 addrwins
961 	:	ADDRSTRING
962 		{
963 #ifdef ENABLE_HYBRID
964 			struct isakmp_cfg_config *icc = &isakmp_cfg_config;
965 
966 			if (icc->nbns4_index > MAXWINS)
967 				yyerror("No more than %d WINS", MAXWINS);
968 			if (inet_pton(AF_INET, $1->v,
969 			    &icc->nbns4[icc->nbns4_index++]) != 1)
970 				yyerror("bad IPv4 WINS address.");
971 #else
972 			yyerror("racoon not configured with --enable-hybrid");
973 #endif
974 		}
975 	;
976 
977 splitnetlist
978 	:	splitnet
979 	|	splitnetlist COMMA splitnet
980 	;
981 splitnet
982 	:	ADDRSTRING PREFIX
983 		{
984 #ifdef ENABLE_HYBRID
985 			struct isakmp_cfg_config *icc = &isakmp_cfg_config;
986 			struct unity_network network;
987 			memset(&network,0,sizeof(network));
988 
989 			if (inet_pton(AF_INET, $1->v, &network.addr4) != 1)
990 				yyerror("bad IPv4 SPLIT address.");
991 
992 			/* Turn $2 (the prefix) into a subnet mask */
993 			network.mask4.s_addr = ($2) ? htonl(~((1 << (32 - $2)) - 1)) : 0;
994 
995 			/* add the network to our list */
996 			if (splitnet_list_add(&icc->splitnet_list, &network,&icc->splitnet_count))
997 				yyerror("Unable to allocate split network");
998 #else
999 			yyerror("racoon not configured with --enable-hybrid");
1000 #endif
1001 		}
1002 	;
1003 
1004 authgrouplist
1005 	:	authgroup
1006 	|	authgroup COMMA authgrouplist
1007 	;
1008 authgroup
1009 	:	QUOTEDSTRING
1010 		{
1011 #ifdef ENABLE_HYBRID
1012 			char * groupname = NULL;
1013 			char ** grouplist = NULL;
1014 			struct isakmp_cfg_config *icc = &isakmp_cfg_config;
1015 
1016 			grouplist = racoon_realloc(icc->grouplist,
1017 					sizeof(char**)*(icc->groupcount+1));
1018 			if (grouplist == NULL)
1019 				yyerror("unable to allocate auth group list");
1020 
1021 			groupname = racoon_malloc($1->l+1);
1022 			if (groupname == NULL)
1023 				yyerror("unable to allocate auth group name");
1024 
1025 			memcpy(groupname,$1->v,$1->l);
1026 			groupname[$1->l]=0;
1027 			grouplist[icc->groupcount]=groupname;
1028 			icc->grouplist = grouplist;
1029 			icc->groupcount++;
1030 
1031 			vfree($1);
1032 #else
1033 			yyerror("racoon not configured with --enable-hybrid");
1034 #endif
1035 		}
1036 	;
1037 
1038 splitdnslist
1039 	:	splitdns
1040 	|	splitdns COMMA splitdnslist
1041 	;
1042 splitdns
1043 	:	QUOTEDSTRING
1044 		{
1045 #ifdef ENABLE_HYBRID
1046 			struct isakmp_cfg_config *icc = &isakmp_cfg_config;
1047 
1048 			if (!icc->splitdns_len)
1049 			{
1050 				icc->splitdns_list = racoon_malloc($1->l);
1051 				if(icc->splitdns_list == NULL)
1052 					yyerror("error allocating splitdns list buffer");
1053 				memcpy(icc->splitdns_list,$1->v,$1->l);
1054 				icc->splitdns_len = $1->l;
1055 			}
1056 			else
1057 			{
1058 				int len = icc->splitdns_len + $1->l + 1;
1059 				icc->splitdns_list = racoon_realloc(icc->splitdns_list,len);
1060 				if(icc->splitdns_list == NULL)
1061 					yyerror("error allocating splitdns list buffer");
1062 				icc->splitdns_list[icc->splitdns_len] = ',';
1063 				memcpy(icc->splitdns_list + icc->splitdns_len + 1, $1->v, $1->l);
1064 				icc->splitdns_len = len;
1065 			}
1066 			vfree($1);
1067 #else
1068 			yyerror("racoon not configured with --enable-hybrid");
1069 #endif
1070 		}
1071 	;
1072 
1073 
1074 	/* timer */
1075 timer_statement
1076 	:	RETRY BOC timer_stmts EOC
1077 	;
1078 timer_stmts
1079 	:	/* nothing */
1080 	|	timer_stmts timer_stmt
1081 	;
1082 timer_stmt
1083 	:	RETRY_COUNTER NUMBER
1084 		{
1085 			lcconf->retry_counter = $2;
1086 		}
1087 		EOS
1088 	|	RETRY_INTERVAL NUMBER unittype_time
1089 		{
1090 			lcconf->retry_interval = $2 * $3;
1091 		}
1092 		EOS
1093 	|	RETRY_PERSEND NUMBER
1094 		{
1095 			lcconf->count_persend = $2;
1096 		}
1097 		EOS
1098 	|	RETRY_PHASE1 NUMBER unittype_time
1099 		{
1100 			lcconf->retry_checkph1 = $2 * $3;
1101 		}
1102 		EOS
1103 	|	RETRY_PHASE2 NUMBER unittype_time
1104 		{
1105 			lcconf->wait_ph2complete = $2 * $3;
1106 		}
1107 		EOS
1108 	|	NATT_KA NUMBER unittype_time
1109 		{
1110 #ifdef ENABLE_NATT
1111         		if (libipsec_opt & LIBIPSEC_OPT_NATT)
1112 				lcconf->natt_ka_interval = $2 * $3;
1113 			else
1114                 		yyerror("libipsec lacks NAT-T support");
1115 #else
1116 			yyerror("NAT-T support not compiled in.");
1117 #endif
1118 		}
1119 		EOS
1120 	;
1121 
1122 	/* sainfo */
1123 sainfo_statement
1124 	:	SAINFO
1125 		{
1126 			cur_sainfo = newsainfo();
1127 			if (cur_sainfo == NULL) {
1128 				yyerror("failed to allocate sainfo");
1129 				return -1;
1130 			}
1131 		}
1132 		sainfo_name sainfo_param BOC sainfo_specs
1133 		{
1134 			struct sainfo *check;
1135 
1136 			/* default */
1137 			if (cur_sainfo->algs[algclass_ipsec_enc] == 0) {
1138 				yyerror("no encryption algorithm at %s",
1139 					sainfo2str(cur_sainfo));
1140 				return -1;
1141 			}
1142 			if (cur_sainfo->algs[algclass_ipsec_auth] == 0) {
1143 				yyerror("no authentication algorithm at %s",
1144 					sainfo2str(cur_sainfo));
1145 				return -1;
1146 			}
1147 			if (cur_sainfo->algs[algclass_ipsec_comp] == 0) {
1148 				yyerror("no compression algorithm at %s",
1149 					sainfo2str(cur_sainfo));
1150 				return -1;
1151 			}
1152 
1153 			/* duplicate check */
1154 			check = getsainfo(cur_sainfo->idsrc,
1155 					  cur_sainfo->iddst,
1156 					  cur_sainfo->id_i,
1157 					  cur_sainfo->remoteid);
1158 			if (check && (!check->idsrc && !cur_sainfo->idsrc)) {
1159 				yyerror("duplicated sainfo: %s",
1160 					sainfo2str(cur_sainfo));
1161 				return -1;
1162 			}
1163 			inssainfo(cur_sainfo);
1164 		}
1165 		EOC
1166 	;
1167 sainfo_name
1168 	:	ANONYMOUS
1169 		{
1170 			cur_sainfo->idsrc = NULL;
1171 			cur_sainfo->iddst = NULL;
1172 		}
1173 	|	ANONYMOUS sainfo_id
1174 		{
1175 			cur_sainfo->idsrc = NULL;
1176 			cur_sainfo->iddst = $2;
1177 		}
1178 	|	sainfo_id ANONYMOUS
1179 		{
1180 			cur_sainfo->idsrc = $1;
1181 			cur_sainfo->iddst = NULL;
1182 		}
1183 	|	sainfo_id sainfo_id
1184 		{
1185 			cur_sainfo->idsrc = $1;
1186 			cur_sainfo->iddst = $2;
1187 		}
1188 	;
1189 sainfo_id
1190 	:	IDENTIFIERTYPE ADDRSTRING prefix port ul_proto
1191 		{
1192 			char portbuf[10];
1193 			struct sockaddr *saddr;
1194 
1195 			if (($5 == IPPROTO_ICMP || $5 == IPPROTO_ICMPV6)
1196 			 && ($4 != IPSEC_PORT_ANY || $4 != IPSEC_PORT_ANY)) {
1197 				yyerror("port number must be \"any\".");
1198 				return -1;
1199 			}
1200 
1201 			snprintf(portbuf, sizeof(portbuf), "%lu", $4);
1202 			saddr = str2saddr($2->v, portbuf);
1203 			vfree($2);
1204 			if (saddr == NULL)
1205 				return -1;
1206 
1207 			switch (saddr->sa_family) {
1208 			case AF_INET:
1209 				if ($5 == IPPROTO_ICMPV6) {
1210 					yyerror("upper layer protocol mismatched.\n");
1211 					racoon_free(saddr);
1212 					return -1;
1213 				}
1214 				$$ = ipsecdoi_sockaddr2id(saddr,
1215 										  $3 == ~0 ? (sizeof(struct in_addr) << 3): $3,
1216 										  $5);
1217 				break;
1218 #ifdef INET6
1219 			case AF_INET6:
1220 				if ($5 == IPPROTO_ICMP) {
1221 					yyerror("upper layer protocol mismatched.\n");
1222 					racoon_free(saddr);
1223 					return -1;
1224 				}
1225 				$$ = ipsecdoi_sockaddr2id(saddr,
1226 										  $3 == ~0 ? (sizeof(struct in6_addr) << 3): $3,
1227 										  $5);
1228 				break;
1229 #endif
1230 			default:
1231 				yyerror("invalid family: %d", saddr->sa_family);
1232 				$$ = NULL;
1233 				break;
1234 			}
1235 			racoon_free(saddr);
1236 			if ($$ == NULL)
1237 				return -1;
1238 		}
1239 	|	IDENTIFIERTYPE ADDRSTRING ADDRRANGE prefix port ul_proto
1240 		{
1241 			char portbuf[10];
1242 			struct sockaddr *laddr = NULL, *haddr = NULL;
1243 			char *cur = NULL;
1244 
1245 			if (($6 == IPPROTO_ICMP || $6 == IPPROTO_ICMPV6)
1246 			 && ($5 != IPSEC_PORT_ANY || $5 != IPSEC_PORT_ANY)) {
1247 				yyerror("port number must be \"any\".");
1248 				return -1;
1249 			}
1250 
1251 			snprintf(portbuf, sizeof(portbuf), "%lu", $5);
1252 
1253 			laddr = str2saddr($2->v, portbuf);
1254 			if (laddr == NULL) {
1255 			    return -1;
1256 			}
1257 			vfree($2);
1258 			haddr = str2saddr($3->v, portbuf);
1259 			if (haddr == NULL) {
1260 			    racoon_free(laddr);
1261 			    return -1;
1262 			}
1263 			vfree($3);
1264 
1265 			switch (laddr->sa_family) {
1266 			case AF_INET:
1267 				if ($6 == IPPROTO_ICMPV6) {
1268 				    yyerror("upper layer protocol mismatched.\n");
1269 				    if (laddr)
1270 					racoon_free(laddr);
1271 				    if (haddr)
1272 					racoon_free(haddr);
1273 				    return -1;
1274 				}
1275                                 $$ = ipsecdoi_sockrange2id(laddr, haddr,
1276 							   $6);
1277 				break;
1278 #ifdef INET6
1279 			case AF_INET6:
1280 				if ($6 == IPPROTO_ICMP) {
1281 					yyerror("upper layer protocol mismatched.\n");
1282 					if (laddr)
1283 					    racoon_free(laddr);
1284 					if (haddr)
1285 					    racoon_free(haddr);
1286 					return -1;
1287 				}
1288 				$$ = ipsecdoi_sockrange2id(laddr, haddr,
1289 							       $6);
1290 				break;
1291 #endif
1292 			default:
1293 				yyerror("invalid family: %d", laddr->sa_family);
1294 				$$ = NULL;
1295 				break;
1296 			}
1297 			if (laddr)
1298 			    racoon_free(laddr);
1299 			if (haddr)
1300 			    racoon_free(haddr);
1301 			if ($$ == NULL)
1302 				return -1;
1303 		}
1304 	|	IDENTIFIERTYPE QUOTEDSTRING
1305 		{
1306 			struct ipsecdoi_id_b *id_b;
1307 
1308 			if ($1 == IDTYPE_ASN1DN) {
1309 				yyerror("id type forbidden: %d", $1);
1310 				$$ = NULL;
1311 				return -1;
1312 			}
1313 
1314 			$2->l--;
1315 
1316 			$$ = vmalloc(sizeof(*id_b) + $2->l);
1317 			if ($$ == NULL) {
1318 				yyerror("failed to allocate identifier");
1319 				return -1;
1320 			}
1321 
1322 			id_b = (struct ipsecdoi_id_b *)$$->v;
1323 			id_b->type = idtype2doi($1);
1324 
1325 			id_b->proto_id = 0;
1326 			id_b->port = 0;
1327 
1328 			memcpy($$->v + sizeof(*id_b), $2->v, $2->l);
1329 		}
1330 	;
1331 sainfo_param
1332 	:	/* nothing */
1333 		{
1334 			cur_sainfo->id_i = NULL;
1335 		}
1336 	|	FROM IDENTIFIERTYPE identifierstring
1337 		{
1338 			struct ipsecdoi_id_b *id_b;
1339 			vchar_t *idv;
1340 
1341 			if (set_identifier(&idv, $2, $3) != 0) {
1342 				yyerror("failed to set identifer.\n");
1343 				return -1;
1344 			}
1345 			cur_sainfo->id_i = vmalloc(sizeof(*id_b) + idv->l);
1346 			if (cur_sainfo->id_i == NULL) {
1347 				yyerror("failed to allocate identifier");
1348 				return -1;
1349 			}
1350 
1351 			id_b = (struct ipsecdoi_id_b *)cur_sainfo->id_i->v;
1352 			id_b->type = idtype2doi($2);
1353 
1354 			id_b->proto_id = 0;
1355 			id_b->port = 0;
1356 
1357 			memcpy(cur_sainfo->id_i->v + sizeof(*id_b),
1358 			       idv->v, idv->l);
1359 			vfree(idv);
1360 		}
1361 	|	GROUP QUOTEDSTRING
1362 		{
1363 #ifdef ENABLE_HYBRID
1364 			if ((cur_sainfo->group = vdup($2)) == NULL) {
1365 				yyerror("failed to set sainfo xauth group.\n");
1366 				return -1;
1367 			}
1368 #else
1369 			yyerror("racoon not configured with --enable-hybrid");
1370 			return -1;
1371 #endif
1372  		}
1373 	;
1374 sainfo_specs
1375 	:	/* nothing */
1376 	|	sainfo_specs sainfo_spec
1377 	;
1378 sainfo_spec
1379 	:	PFS_GROUP dh_group_num
1380 		{
1381 			cur_sainfo->pfs_group = $2;
1382 		}
1383 		EOS
1384 	|	REMOTEID NUMBER
1385 		{
1386 			cur_sainfo->remoteid = $2;
1387 		}
1388 		EOS
1389 	|	LIFETIME LIFETYPE_TIME NUMBER unittype_time
1390 		{
1391 			cur_sainfo->lifetime = $3 * $4;
1392 		}
1393 		EOS
1394 	|	LIFETIME LIFETYPE_BYTE NUMBER unittype_byte
1395 		{
1396 #if 1
1397 			yyerror("byte lifetime support is deprecated");
1398 			return -1;
1399 #else
1400 			cur_sainfo->lifebyte = fix_lifebyte($3 * $4);
1401 			if (cur_sainfo->lifebyte == 0)
1402 				return -1;
1403 #endif
1404 		}
1405 		EOS
1406 	|	ALGORITHM_CLASS {
1407 			cur_algclass = $1;
1408 		}
1409 		algorithms EOS
1410 	|	IDENTIFIER IDENTIFIERTYPE
1411 		{
1412 			yyerror("it's deprecated to specify a identifier in phase 2");
1413 		}
1414 		EOS
1415 	|	MY_IDENTIFIER IDENTIFIERTYPE QUOTEDSTRING
1416 		{
1417 			yyerror("it's deprecated to specify a identifier in phase 2");
1418 		}
1419 		EOS
1420 	;
1421 
1422 algorithms
1423 	:	algorithm
1424 		{
1425 			inssainfoalg(&cur_sainfo->algs[cur_algclass], $1);
1426 		}
1427 	|	algorithm
1428 		{
1429 			inssainfoalg(&cur_sainfo->algs[cur_algclass], $1);
1430 		}
1431 		COMMA algorithms
1432 	;
1433 algorithm
1434 	:	ALGORITHMTYPE keylength
1435 		{
1436 			int defklen;
1437 
1438 			$$ = newsainfoalg();
1439 			if ($$ == NULL) {
1440 				yyerror("failed to get algorithm allocation");
1441 				return -1;
1442 			}
1443 
1444 			$$->alg = algtype2doi(cur_algclass, $1);
1445 			if ($$->alg == -1) {
1446 				yyerror("algorithm mismatched");
1447 				racoon_free($$);
1448 				$$ = NULL;
1449 				return -1;
1450 			}
1451 
1452 			defklen = default_keylen(cur_algclass, $1);
1453 			if (defklen == 0) {
1454 				if ($2) {
1455 					yyerror("keylen not allowed");
1456 					racoon_free($$);
1457 					$$ = NULL;
1458 					return -1;
1459 				}
1460 			} else {
1461 				if ($2 && check_keylen(cur_algclass, $1, $2) < 0) {
1462 					yyerror("invalid keylen %d", $2);
1463 					racoon_free($$);
1464 					$$ = NULL;
1465 					return -1;
1466 				}
1467 			}
1468 
1469 			if ($2)
1470 				$$->encklen = $2;
1471 			else
1472 				$$->encklen = defklen;
1473 
1474 			/* check if it's supported algorithm by kernel */
1475 			if (!(cur_algclass == algclass_ipsec_auth && $1 == algtype_non_auth)
1476 			 && pk_checkalg(cur_algclass, $1, $$->encklen)) {
1477 				int a = algclass2doi(cur_algclass);
1478 				int b = algtype2doi(cur_algclass, $1);
1479 				if (a == IPSECDOI_ATTR_AUTH)
1480 					a = IPSECDOI_PROTO_IPSEC_AH;
1481 				yyerror("algorithm %s not supported by the kernel (missing module?)",
1482 					s_ipsecdoi_trns(a, b));
1483 				racoon_free($$);
1484 				$$ = NULL;
1485 				return -1;
1486 			}
1487 		}
1488 	;
1489 prefix
1490 	:	/* nothing */ { $$ = ~0; }
1491 	|	PREFIX { $$ = $1; }
1492 	;
1493 port
1494 	:	/* nothing */ { $$ = IPSEC_PORT_ANY; }
1495 	|	PORT { $$ = $1; }
1496 	|	PORTANY { $$ = IPSEC_PORT_ANY; }
1497 	;
1498 ul_proto
1499 	:	NUMBER { $$ = $1; }
1500 	|	UL_PROTO { $$ = $1; }
1501 	|	ANY { $$ = IPSEC_ULPROTO_ANY; }
1502 	;
1503 keylength
1504 	:	/* nothing */ { $$ = 0; }
1505 	|	NUMBER { $$ = $1; }
1506 	;
1507 
1508 	/* remote */
1509 remote_statement
1510 	:	REMOTE remote_index INHERIT remote_index
1511 		{
1512 			struct remoteconf *new;
1513 			struct proposalspec *prspec;
1514 
1515 			new = copyrmconf($4);
1516 			if (new == NULL) {
1517 				yyerror("failed to get remoteconf for %s.", saddr2str ($4));
1518 				return -1;
1519 			}
1520 
1521 			new->remote = $2;
1522 			new->inherited_from = getrmconf_strict($4, 1);
1523 			new->proposal = NULL;
1524 			new->prhead = NULL;
1525 			cur_rmconf = new;
1526 
1527 			prspec = newprspec();
1528 			if (prspec == NULL || !cur_rmconf->inherited_from
1529 				|| !cur_rmconf->inherited_from->proposal)
1530 				return -1;
1531 			prspec->lifetime = cur_rmconf->inherited_from->proposal->lifetime;
1532 			prspec->lifebyte = cur_rmconf->inherited_from->proposal->lifebyte;
1533 			insprspec(prspec, &cur_rmconf->prhead);
1534 		}
1535 		remote_specs_block
1536 	|	REMOTE remote_index
1537 		{
1538 			struct remoteconf *new;
1539 			struct proposalspec *prspec;
1540 
1541 			new = newrmconf();
1542 			if (new == NULL) {
1543 				yyerror("failed to get new remoteconf.");
1544 				return -1;
1545 			}
1546 
1547 			new->remote = $2;
1548 			cur_rmconf = new;
1549 
1550 			prspec = newprspec();
1551 			if (prspec == NULL)
1552 				return -1;
1553 			prspec->lifetime = oakley_get_defaultlifetime();
1554 			insprspec(prspec, &cur_rmconf->prhead);
1555 		}
1556 		remote_specs_block
1557 	;
1558 
1559 remote_specs_block
1560 	:	BOC remote_specs EOC
1561 		{
1562 			/* check a exchange mode */
1563 			if (cur_rmconf->etypes == NULL) {
1564 				yyerror("no exchange mode specified.\n");
1565 				return -1;
1566 			}
1567 
1568 			if (cur_rmconf->idvtype == IDTYPE_UNDEFINED)
1569 				cur_rmconf->idvtype = IDTYPE_ADDRESS;
1570 
1571 
1572 			if (cur_rmconf->idvtype == IDTYPE_ASN1DN) {
1573 				if (cur_rmconf->mycertfile) {
1574 					if (cur_rmconf->idv)
1575 						yywarn("Both CERT and ASN1 ID "
1576 						       "are set. Hope this is OK.\n");
1577 					/* TODO: Preparse the DN here */
1578 				} else if (cur_rmconf->idv) {
1579 					/* OK, using asn1dn without X.509. */
1580 				} else {
1581 					yyerror("ASN1 ID not specified "
1582 						"and no CERT defined!\n");
1583 					return -1;
1584 				}
1585 			}
1586 
1587 			if (cur_rmconf->prhead->spspec == NULL
1588 				&& cur_rmconf->inherited_from
1589 				&& cur_rmconf->inherited_from->prhead) {
1590 				cur_rmconf->prhead->spspec = cur_rmconf->inherited_from->prhead->spspec;
1591 			}
1592 			if (set_isakmp_proposal(cur_rmconf, cur_rmconf->prhead) != 0)
1593 				return -1;
1594 
1595 			/* DH group settting if aggressive mode is there. */
1596 			if (check_etypeok(cur_rmconf, ISAKMP_ETYPE_AGG) != NULL) {
1597 				struct isakmpsa *p;
1598 				int b = 0;
1599 
1600 				/* DH group */
1601 				for (p = cur_rmconf->proposal; p; p = p->next) {
1602 					if (b == 0 || (b && b == p->dh_group)) {
1603 						b = p->dh_group;
1604 						continue;
1605 					}
1606 					yyerror("DH group must be equal "
1607 						"in all proposals "
1608 						"when aggressive mode is "
1609 						"used.\n");
1610 					return -1;
1611 				}
1612 				cur_rmconf->dh_group = b;
1613 
1614 				if (cur_rmconf->dh_group == 0) {
1615 					yyerror("DH group must be set in the proposal.\n");
1616 					return -1;
1617 				}
1618 
1619 				/* DH group settting if PFS is required. */
1620 				if (oakley_setdhgroup(cur_rmconf->dh_group,
1621 						&cur_rmconf->dhgrp) < 0) {
1622 					yyerror("failed to set DH value.\n");
1623 					return -1;
1624 				}
1625 			}
1626 
1627 			insrmconf(cur_rmconf);
1628 		}
1629 	;
1630 remote_index
1631 	:	ANONYMOUS ike_port
1632 		{
1633 			$$ = newsaddr(sizeof(struct sockaddr));
1634 			$$->sa_family = AF_UNSPEC;
1635 			((struct sockaddr_in *)$$)->sin_port = htons($2);
1636 		}
1637 	|	ike_addrinfo_port
1638 		{
1639 			$$ = $1;
1640 			if ($$ == NULL) {
1641 				yyerror("failed to allocate sockaddr");
1642 				return -1;
1643 			}
1644 		}
1645 	;
1646 remote_specs
1647 	:	/* nothing */
1648 	|	remote_specs remote_spec
1649 	;
1650 remote_spec
1651 	:	EXCHANGE_MODE
1652 		{
1653 			cur_rmconf->etypes = NULL;
1654 		}
1655 		exchange_types EOS
1656 	|	DOI DOITYPE { cur_rmconf->doitype = $2; } EOS
1657 	|	SITUATION SITUATIONTYPE { cur_rmconf->sittype = $2; } EOS
1658 	|	CERTIFICATE_TYPE cert_spec
1659 	|	PEERS_CERTFILE QUOTEDSTRING
1660 		{
1661 			yywarn("This directive without certtype will be removed!\n");
1662 			yywarn("Please use 'peers_certfile x509 \"%s\";' instead\n", $2->v);
1663 			cur_rmconf->getcert_method = ISAKMP_GETCERT_LOCALFILE;
1664 
1665 			if (cur_rmconf->peerscertfile != NULL)
1666 				racoon_free(cur_rmconf->peerscertfile);
1667 			cur_rmconf->peerscertfile = racoon_strdup($2->v);
1668 			STRDUP_FATAL(cur_rmconf->peerscertfile);
1669 			vfree($2);
1670 		}
1671 		EOS
1672 	|	CA_TYPE CERT_X509 QUOTEDSTRING
1673 		{
1674 			cur_rmconf->cacerttype = $2;
1675 			cur_rmconf->getcacert_method = ISAKMP_GETCERT_LOCALFILE;
1676 			if (cur_rmconf->cacertfile != NULL)
1677 				racoon_free(cur_rmconf->cacertfile);
1678 			cur_rmconf->cacertfile = racoon_strdup($3->v);
1679 			STRDUP_FATAL(cur_rmconf->cacertfile);
1680 			vfree($3);
1681 		}
1682 		EOS
1683 	|	PEERS_CERTFILE CERT_X509 QUOTEDSTRING
1684 		{
1685 			cur_rmconf->getcert_method = ISAKMP_GETCERT_LOCALFILE;
1686 			if (cur_rmconf->peerscertfile != NULL)
1687 				racoon_free(cur_rmconf->peerscertfile);
1688 			cur_rmconf->peerscertfile = racoon_strdup($3->v);
1689 			STRDUP_FATAL(cur_rmconf->peerscertfile);
1690 			vfree($3);
1691 		}
1692 		EOS
1693 	|	PEERS_CERTFILE CERT_PLAINRSA QUOTEDSTRING
1694 		{
1695 			char path[MAXPATHLEN];
1696 			int ret = 0;
1697 
1698 			getpathname(path, sizeof(path),
1699 				LC_PATHTYPE_CERT, $3->v);
1700 			vfree($3);
1701 
1702 			if (cur_rmconf->getcert_method == ISAKMP_GETCERT_DNS) {
1703 				yyerror("Different peers_certfile method "
1704 					"already defined: %d!\n",
1705 					cur_rmconf->getcert_method);
1706 				return -1;
1707 			}
1708 			cur_rmconf->getcert_method = ISAKMP_GETCERT_LOCALFILE;
1709 			if (rsa_parse_file(cur_rmconf->rsa_public, path, RSA_TYPE_PUBLIC)) {
1710 				yyerror("Couldn't parse keyfile.\n", path);
1711 				return -1;
1712 			}
1713 			plog(LLV_DEBUG, LOCATION, NULL, "Public PlainRSA keyfile parsed: %s\n", path);
1714 		}
1715 		EOS
1716 	|	PEERS_CERTFILE DNSSEC
1717 		{
1718 			if (cur_rmconf->getcert_method) {
1719 				yyerror("Different peers_certfile method already defined!\n");
1720 				return -1;
1721 			}
1722 			cur_rmconf->getcert_method = ISAKMP_GETCERT_DNS;
1723 			cur_rmconf->peerscertfile = NULL;
1724 		}
1725 		EOS
1726 	|	VERIFY_CERT SWITCH { cur_rmconf->verify_cert = $2; } EOS
1727 	|	SEND_CERT SWITCH { cur_rmconf->send_cert = $2; } EOS
1728 	|	SEND_CR SWITCH { cur_rmconf->send_cr = $2; } EOS
1729 	|	MY_IDENTIFIER IDENTIFIERTYPE identifierstring
1730 		{
1731 			if (set_identifier(&cur_rmconf->idv, $2, $3) != 0) {
1732 				yyerror("failed to set identifer.\n");
1733 				return -1;
1734 			}
1735 			cur_rmconf->idvtype = $2;
1736 		}
1737 		EOS
1738 	|	MY_IDENTIFIER IDENTIFIERTYPE IDENTIFIERQUAL identifierstring
1739 		{
1740 			if (set_identifier_qual(&cur_rmconf->idv, $2, $4, $3) != 0) {
1741 				yyerror("failed to set identifer.\n");
1742 				return -1;
1743 			}
1744 			cur_rmconf->idvtype = $2;
1745 		}
1746 		EOS
1747 	|	XAUTH_LOGIN identifierstring
1748 		{
1749 #ifdef ENABLE_HYBRID
1750 			/* formerly identifier type login */
1751 			if (xauth_rmconf_used(&cur_rmconf->xauth) == -1) {
1752 				yyerror("failed to allocate xauth state\n");
1753 				return -1;
1754 			}
1755 			if ((cur_rmconf->xauth->login = vdup($2)) == NULL) {
1756 				yyerror("failed to set identifer.\n");
1757 				return -1;
1758 			}
1759 #else
1760 			yyerror("racoon not configured with --enable-hybrid");
1761 #endif
1762 		}
1763 		EOS
1764 	|	PEERS_IDENTIFIER IDENTIFIERTYPE identifierstring
1765 		{
1766 			struct idspec  *id;
1767 			id = newidspec();
1768 			if (id == NULL) {
1769 				yyerror("failed to allocate idspec");
1770 				return -1;
1771 			}
1772 			if (set_identifier(&id->id, $2, $3) != 0) {
1773 				yyerror("failed to set identifer.\n");
1774 				racoon_free(id);
1775 				return -1;
1776 			}
1777 			id->idtype = $2;
1778 			genlist_append (cur_rmconf->idvl_p, id);
1779 		}
1780 		EOS
1781 	|	PEERS_IDENTIFIER IDENTIFIERTYPE IDENTIFIERQUAL identifierstring
1782 		{
1783 			struct idspec  *id;
1784 			id = newidspec();
1785 			if (id == NULL) {
1786 				yyerror("failed to allocate idspec");
1787 				return -1;
1788 			}
1789 			if (set_identifier_qual(&id->id, $2, $4, $3) != 0) {
1790 				yyerror("failed to set identifer.\n");
1791 				racoon_free(id);
1792 				return -1;
1793 			}
1794 			id->idtype = $2;
1795 			genlist_append (cur_rmconf->idvl_p, id);
1796 		}
1797 		EOS
1798 	|	VERIFY_IDENTIFIER SWITCH { cur_rmconf->verify_identifier = $2; } EOS
1799 	|	NONCE_SIZE NUMBER { cur_rmconf->nonce_size = $2; } EOS
1800 	|	DH_GROUP
1801 		{
1802 			yyerror("dh_group cannot be defined here.");
1803 			return -1;
1804 		}
1805 		dh_group_num EOS
1806 	|	PASSIVE SWITCH { cur_rmconf->passive = $2; } EOS
1807 	|	IKE_FRAG SWITCH { cur_rmconf->ike_frag = $2; } EOS
1808 	|	IKE_FRAG REMOTE_FORCE_LEVEL { cur_rmconf->ike_frag = ISAKMP_FRAG_FORCE; } EOS
1809 	|	ESP_FRAG NUMBER {
1810 #ifdef SADB_X_EXT_NAT_T_FRAG
1811         		if (libipsec_opt & LIBIPSEC_OPT_FRAG)
1812 				cur_rmconf->esp_frag = $2;
1813 			else
1814                 		yywarn("libipsec lacks IKE frag support");
1815 #else
1816 			yywarn("Your kernel does not support esp_frag");
1817 #endif
1818 		} EOS
1819 	|	SCRIPT QUOTEDSTRING PHASE1_UP {
1820 			if (cur_rmconf->script[SCRIPT_PHASE1_UP] != NULL)
1821 				vfree(cur_rmconf->script[SCRIPT_PHASE1_UP]);
1822 
1823 			cur_rmconf->script[SCRIPT_PHASE1_UP] =
1824 			    script_path_add(vdup($2));
1825 		} EOS
1826 	|	SCRIPT QUOTEDSTRING PHASE1_DOWN {
1827 			if (cur_rmconf->script[SCRIPT_PHASE1_DOWN] != NULL)
1828 				vfree(cur_rmconf->script[SCRIPT_PHASE1_DOWN]);
1829 
1830 			cur_rmconf->script[SCRIPT_PHASE1_DOWN] =
1831 			    script_path_add(vdup($2));
1832 		} EOS
1833 	|	MODE_CFG SWITCH { cur_rmconf->mode_cfg = $2; } EOS
1834 	|	WEAK_PHASE1_CHECK SWITCH {
1835 			cur_rmconf->weak_phase1_check = $2;
1836 		} EOS
1837 	|	GENERATE_POLICY SWITCH { cur_rmconf->gen_policy = $2; } EOS
1838 	|	GENERATE_POLICY GENERATE_LEVEL { cur_rmconf->gen_policy = $2; } EOS
1839 	|	SUPPORT_PROXY SWITCH { cur_rmconf->support_proxy = $2; } EOS
1840 	|	INITIAL_CONTACT SWITCH { cur_rmconf->ini_contact = $2; } EOS
1841 	|	NAT_TRAVERSAL SWITCH
1842 		{
1843 #ifdef ENABLE_NATT
1844         		if (libipsec_opt & LIBIPSEC_OPT_NATT)
1845 				cur_rmconf->nat_traversal = $2;
1846 			else
1847                 		yyerror("libipsec lacks NAT-T support");
1848 #else
1849 			yyerror("NAT-T support not compiled in.");
1850 #endif
1851 		} EOS
1852 	|	NAT_TRAVERSAL REMOTE_FORCE_LEVEL
1853 		{
1854 #ifdef ENABLE_NATT
1855 			if (libipsec_opt & LIBIPSEC_OPT_NATT)
1856 				cur_rmconf->nat_traversal = NATT_FORCE;
1857 			else
1858                 		yyerror("libipsec lacks NAT-T support");
1859 #else
1860 			yyerror("NAT-T support not compiled in.");
1861 #endif
1862 		} EOS
1863 	|	DPD SWITCH
1864 		{
1865 #ifdef ENABLE_DPD
1866 			cur_rmconf->dpd = $2;
1867 #else
1868 			yyerror("DPD support not compiled in.");
1869 #endif
1870 		} EOS
1871 	|	DPD_DELAY NUMBER
1872 		{
1873 #ifdef ENABLE_DPD
1874 			cur_rmconf->dpd_interval = $2;
1875 #else
1876 			yyerror("DPD support not compiled in.");
1877 #endif
1878 		}
1879 		EOS
1880 	|	DPD_RETRY NUMBER
1881 		{
1882 #ifdef ENABLE_DPD
1883 			cur_rmconf->dpd_retry = $2;
1884 #else
1885 			yyerror("DPD support not compiled in.");
1886 #endif
1887 		}
1888 		EOS
1889 	|	DPD_MAXFAIL NUMBER
1890 		{
1891 #ifdef ENABLE_DPD
1892 			cur_rmconf->dpd_maxfails = $2;
1893 #else
1894 			yyerror("DPD support not compiled in.");
1895 #endif
1896 		}
1897 		EOS
1898 	|	PH1ID NUMBER
1899 		{
1900 			cur_rmconf->ph1id = $2;
1901 		}
1902 		EOS
1903 	|	LIFETIME LIFETYPE_TIME NUMBER unittype_time
1904 		{
1905 			cur_rmconf->prhead->lifetime = $3 * $4;
1906 		}
1907 		EOS
1908 	|	PROPOSAL_CHECK PROPOSAL_CHECK_LEVEL { cur_rmconf->pcheck_level = $2; } EOS
1909 	|	LIFETIME LIFETYPE_BYTE NUMBER unittype_byte
1910 		{
1911 #if 1
1912 			yyerror("byte lifetime support is deprecated in Phase1");
1913 			return -1;
1914 #else
1915 			yywarn("the lifetime of bytes in phase 1 "
1916 				"will be ignored at the moment.");
1917 			cur_rmconf->prhead->lifebyte = fix_lifebyte($3 * $4);
1918 			if (cur_rmconf->prhead->lifebyte == 0)
1919 				return -1;
1920 #endif
1921 		}
1922 		EOS
1923 	|	PROPOSAL
1924 		{
1925 			struct secprotospec *spspec;
1926 
1927 			spspec = newspspec();
1928 			if (spspec == NULL)
1929 				return -1;
1930 			insspspec(spspec, &cur_rmconf->prhead);
1931 		}
1932 		BOC isakmpproposal_specs EOC
1933 	;
1934 exchange_types
1935 	:	/* nothing */
1936 	|	exchange_types EXCHANGETYPE
1937 		{
1938 			struct etypes *new;
1939 			new = racoon_malloc(sizeof(struct etypes));
1940 			if (new == NULL) {
1941 				yyerror("failed to allocate etypes");
1942 				return -1;
1943 			}
1944 			new->type = $2;
1945 			new->next = NULL;
1946 			if (cur_rmconf->etypes == NULL)
1947 				cur_rmconf->etypes = new;
1948 			else {
1949 				struct etypes *p;
1950 				for (p = cur_rmconf->etypes;
1951 				     p->next != NULL;
1952 				     p = p->next)
1953 					;
1954 				p->next = new;
1955 			}
1956 		}
1957 	;
1958 cert_spec
1959 	:	CERT_X509 QUOTEDSTRING QUOTEDSTRING
1960 		{
1961 			cur_rmconf->certtype = $1;
1962 			if (cur_rmconf->mycertfile != NULL)
1963 				racoon_free(cur_rmconf->mycertfile);
1964 			cur_rmconf->mycertfile = racoon_strdup($2->v);
1965 			STRDUP_FATAL(cur_rmconf->mycertfile);
1966 			vfree($2);
1967 			if (cur_rmconf->myprivfile != NULL)
1968 				racoon_free(cur_rmconf->myprivfile);
1969 			cur_rmconf->myprivfile = racoon_strdup($3->v);
1970 			STRDUP_FATAL(cur_rmconf->myprivfile);
1971 			vfree($3);
1972 		}
1973 		EOS
1974 	|	CERT_PLAINRSA QUOTEDSTRING
1975 		{
1976 			char path[MAXPATHLEN];
1977 			int ret = 0;
1978 
1979 			getpathname(path, sizeof(path),
1980 				LC_PATHTYPE_CERT, $2->v);
1981 			vfree($2);
1982 
1983 			cur_rmconf->certtype = $1;
1984 			cur_rmconf->send_cr = FALSE;
1985 			cur_rmconf->send_cert = FALSE;
1986 			cur_rmconf->verify_cert = FALSE;
1987 			if (rsa_parse_file(cur_rmconf->rsa_private, path, RSA_TYPE_PRIVATE)) {
1988 				yyerror("Couldn't parse keyfile.\n", path);
1989 				return -1;
1990 			}
1991 			plog(LLV_DEBUG, LOCATION, NULL, "Private PlainRSA keyfile parsed: %s\n", path);
1992 		}
1993 		EOS
1994 	;
1995 dh_group_num
1996 	:	ALGORITHMTYPE
1997 		{
1998 			$$ = algtype2doi(algclass_isakmp_dh, $1);
1999 			if ($$ == -1) {
2000 				yyerror("must be DH group");
2001 				return -1;
2002 			}
2003 		}
2004 	|	NUMBER
2005 		{
2006 			if (ARRAYLEN(num2dhgroup) > $1 && num2dhgroup[$1] != 0) {
2007 				$$ = num2dhgroup[$1];
2008 			} else {
2009 				yyerror("must be DH group");
2010 				$$ = 0;
2011 				return -1;
2012 			}
2013 		}
2014 	;
2015 identifierstring
2016 	:	/* nothing */ { $$ = NULL; }
2017 	|	ADDRSTRING { $$ = $1; }
2018 	|	QUOTEDSTRING { $$ = $1; }
2019 	;
2020 isakmpproposal_specs
2021 	:	/* nothing */
2022 	|	isakmpproposal_specs isakmpproposal_spec
2023 	;
2024 isakmpproposal_spec
2025 	:	STRENGTH
2026 		{
2027 			yyerror("strength directive is obsoleted.");
2028 		} STRENGTHTYPE EOS
2029 	|	LIFETIME LIFETYPE_TIME NUMBER unittype_time
2030 		{
2031 			cur_rmconf->prhead->spspec->lifetime = $3 * $4;
2032 		}
2033 		EOS
2034 	|	LIFETIME LIFETYPE_BYTE NUMBER unittype_byte
2035 		{
2036 #if 1
2037 			yyerror("byte lifetime support is deprecated");
2038 			return -1;
2039 #else
2040 			cur_rmconf->prhead->spspec->lifebyte = fix_lifebyte($3 * $4);
2041 			if (cur_rmconf->prhead->spspec->lifebyte == 0)
2042 				return -1;
2043 #endif
2044 		}
2045 		EOS
2046 	|	DH_GROUP dh_group_num
2047 		{
2048 			cur_rmconf->prhead->spspec->algclass[algclass_isakmp_dh] = $2;
2049 		}
2050 		EOS
2051 	|	GSS_ID QUOTEDSTRING
2052 		{
2053 			if (cur_rmconf->prhead->spspec->vendorid != VENDORID_GSSAPI) {
2054 				yyerror("wrong Vendor ID for gssapi_id");
2055 				return -1;
2056 			}
2057 			if (cur_rmconf->prhead->spspec->gssid != NULL)
2058 				racoon_free(cur_rmconf->prhead->spspec->gssid);
2059 			cur_rmconf->prhead->spspec->gssid =
2060 			    racoon_strdup($2->v);
2061 			STRDUP_FATAL(cur_rmconf->prhead->spspec->gssid);
2062 		}
2063 		EOS
2064 	|	ALGORITHM_CLASS ALGORITHMTYPE keylength
2065 		{
2066 			int doi;
2067 			int defklen;
2068 
2069 			doi = algtype2doi($1, $2);
2070 			if (doi == -1) {
2071 				yyerror("algorithm mismatched 1");
2072 				return -1;
2073 			}
2074 
2075 			switch ($1) {
2076 			case algclass_isakmp_enc:
2077 			/* reject suppressed algorithms */
2078 #ifndef HAVE_OPENSSL_RC5_H
2079 				if ($2 == algtype_rc5) {
2080 					yyerror("algorithm %s not supported",
2081 					    s_attr_isakmp_enc(doi));
2082 					return -1;
2083 				}
2084 #endif
2085 #ifndef HAVE_OPENSSL_IDEA_H
2086 				if ($2 == algtype_idea) {
2087 					yyerror("algorithm %s not supported",
2088 					    s_attr_isakmp_enc(doi));
2089 					return -1;
2090 				}
2091 #endif
2092 
2093 				cur_rmconf->prhead->spspec->algclass[algclass_isakmp_enc] = doi;
2094 				defklen = default_keylen($1, $2);
2095 				if (defklen == 0) {
2096 					if ($3) {
2097 						yyerror("keylen not allowed");
2098 						return -1;
2099 					}
2100 				} else {
2101 					if ($3 && check_keylen($1, $2, $3) < 0) {
2102 						yyerror("invalid keylen %d", $3);
2103 						return -1;
2104 					}
2105 				}
2106 				if ($3)
2107 					cur_rmconf->prhead->spspec->encklen = $3;
2108 				else
2109 					cur_rmconf->prhead->spspec->encklen = defklen;
2110 				break;
2111 			case algclass_isakmp_hash:
2112 				cur_rmconf->prhead->spspec->algclass[algclass_isakmp_hash] = doi;
2113 				break;
2114 			case algclass_isakmp_ameth:
2115 				cur_rmconf->prhead->spspec->algclass[algclass_isakmp_ameth] = doi;
2116 				/*
2117 				 * We may have to set the Vendor ID for the
2118 				 * authentication method we're using.
2119 				 */
2120 				switch ($2) {
2121 				case algtype_gssapikrb:
2122 					if (cur_rmconf->prhead->spspec->vendorid !=
2123 					    VENDORID_UNKNOWN) {
2124 						yyerror("Vendor ID mismatch "
2125 						    "for auth method");
2126 						return -1;
2127 					}
2128 					/*
2129 					 * For interoperability with Win2k,
2130 					 * we set the Vendor ID to "GSSAPI".
2131 					 */
2132 					cur_rmconf->prhead->spspec->vendorid =
2133 					    VENDORID_GSSAPI;
2134 					break;
2135 				case algtype_rsasig:
2136 					if (cur_rmconf->certtype == ISAKMP_CERT_PLAINRSA) {
2137 						if (rsa_list_count(cur_rmconf->rsa_private) == 0) {
2138 							yyerror ("Private PlainRSA key not set. "
2139 								"Use directive 'certificate_type plainrsa ...'\n");
2140 							return -1;
2141 						}
2142 						if (rsa_list_count(cur_rmconf->rsa_public) == 0) {
2143 							yyerror ("Public PlainRSA keys not set. "
2144 								"Use directive 'peers_certfile plainrsa ...'\n");
2145 							return -1;
2146 						}
2147 					}
2148 					break;
2149 				default:
2150 					break;
2151 				}
2152 				break;
2153 			default:
2154 				yyerror("algorithm mismatched 2");
2155 				return -1;
2156 			}
2157 		}
2158 		EOS
2159 	;
2160 
2161 unittype_time
2162 	:	UNITTYPE_SEC	{ $$ = 1; }
2163 	|	UNITTYPE_MIN	{ $$ = 60; }
2164 	|	UNITTYPE_HOUR	{ $$ = (60 * 60); }
2165 	;
2166 unittype_byte
2167 	:	UNITTYPE_BYTE	{ $$ = 1; }
2168 	|	UNITTYPE_KBYTES	{ $$ = 1024; }
2169 	|	UNITTYPE_MBYTES	{ $$ = (1024 * 1024); }
2170 	|	UNITTYPE_TBYTES	{ $$ = (1024 * 1024 * 1024); }
2171 	;
2172 %%
2173 
2174 static struct proposalspec *
2175 newprspec()
2176 {
2177 	struct proposalspec *new;
2178 
2179 	new = racoon_calloc(1, sizeof(*new));
2180 	if (new == NULL)
2181 		yyerror("failed to allocate proposal");
2182 
2183 	return new;
2184 }
2185 
2186 /*
2187  * insert into head of list.
2188  */
2189 static void
insprspec(prspec,head)2190 insprspec(prspec, head)
2191 	struct proposalspec *prspec;
2192 	struct proposalspec **head;
2193 {
2194 	if (*head != NULL)
2195 		(*head)->prev = prspec;
2196 	prspec->next = *head;
2197 	*head = prspec;
2198 }
2199 
2200 static struct secprotospec *
newspspec()2201 newspspec()
2202 {
2203 	struct secprotospec *new;
2204 
2205 	new = racoon_calloc(1, sizeof(*new));
2206 	if (new == NULL) {
2207 		yyerror("failed to allocate spproto");
2208 		return NULL;
2209 	}
2210 
2211 	new->encklen = 0;	/*XXX*/
2212 
2213 	/*
2214 	 * Default to "uknown" vendor -- we will override this
2215 	 * as necessary.  When we send a Vendor ID payload, an
2216 	 * "unknown" will be translated to a KAME/racoon ID.
2217 	 */
2218 	new->vendorid = VENDORID_UNKNOWN;
2219 
2220 	return new;
2221 }
2222 
2223 /*
2224  * insert into head of list.
2225  */
2226 static void
insspspec(spspec,head)2227 insspspec(spspec, head)
2228 	struct secprotospec *spspec;
2229 	struct proposalspec **head;
2230 {
2231 	spspec->back = *head;
2232 
2233 	if ((*head)->spspec != NULL)
2234 		(*head)->spspec->prev = spspec;
2235 	spspec->next = (*head)->spspec;
2236 	(*head)->spspec = spspec;
2237 }
2238 
2239 /* set final acceptable proposal */
2240 static int
set_isakmp_proposal(rmconf,prspec)2241 set_isakmp_proposal(rmconf, prspec)
2242 	struct remoteconf *rmconf;
2243 	struct proposalspec *prspec;
2244 {
2245 	struct proposalspec *p;
2246 	struct secprotospec *s;
2247 	int prop_no = 1;
2248 	int trns_no = 1;
2249 	int32_t types[MAXALGCLASS];
2250 
2251 	p = prspec;
2252 	if (p->next != 0) {
2253 		plog(LLV_ERROR, LOCATION, NULL,
2254 			"multiple proposal definition.\n");
2255 		return -1;
2256 	}
2257 
2258 	/* mandatory check */
2259 	if (p->spspec == NULL) {
2260 		yyerror("no remote specification found: %s.\n",
2261 			saddr2str(rmconf->remote));
2262 		return -1;
2263 	}
2264 	for (s = p->spspec; s != NULL; s = s->next) {
2265 		/* XXX need more to check */
2266 		if (s->algclass[algclass_isakmp_enc] == 0) {
2267 			yyerror("encryption algorithm required.");
2268 			return -1;
2269 		}
2270 		if (s->algclass[algclass_isakmp_hash] == 0) {
2271 			yyerror("hash algorithm required.");
2272 			return -1;
2273 		}
2274 		if (s->algclass[algclass_isakmp_dh] == 0) {
2275 			yyerror("DH group required.");
2276 			return -1;
2277 		}
2278 		if (s->algclass[algclass_isakmp_ameth] == 0) {
2279 			yyerror("authentication method required.");
2280 			return -1;
2281 		}
2282 	}
2283 
2284 	/* skip to last part */
2285 	for (s = p->spspec; s->next != NULL; s = s->next)
2286 		;
2287 
2288 	while (s != NULL) {
2289 		plog(LLV_DEBUG2, LOCATION, NULL,
2290 			"lifetime = %ld\n", (long)
2291 			(s->lifetime ? s->lifetime : p->lifetime));
2292 		plog(LLV_DEBUG2, LOCATION, NULL,
2293 			"lifebyte = %d\n",
2294 			s->lifebyte ? s->lifebyte : p->lifebyte);
2295 		plog(LLV_DEBUG2, LOCATION, NULL,
2296 			"encklen=%d\n", s->encklen);
2297 
2298 		memset(types, 0, ARRAYLEN(types));
2299 		types[algclass_isakmp_enc] = s->algclass[algclass_isakmp_enc];
2300 		types[algclass_isakmp_hash] = s->algclass[algclass_isakmp_hash];
2301 		types[algclass_isakmp_dh] = s->algclass[algclass_isakmp_dh];
2302 		types[algclass_isakmp_ameth] =
2303 		    s->algclass[algclass_isakmp_ameth];
2304 
2305 		/* expanding spspec */
2306 		clean_tmpalgtype();
2307 		trns_no = expand_isakmpspec(prop_no, trns_no, types,
2308 				algclass_isakmp_enc, algclass_isakmp_ameth + 1,
2309 				s->lifetime ? s->lifetime : p->lifetime,
2310 				s->lifebyte ? s->lifebyte : p->lifebyte,
2311 				s->encklen, s->vendorid, s->gssid,
2312 				rmconf);
2313 		if (trns_no == -1) {
2314 			plog(LLV_ERROR, LOCATION, NULL,
2315 				"failed to expand isakmp proposal.\n");
2316 			return -1;
2317 		}
2318 
2319 		s = s->prev;
2320 	}
2321 
2322 	if (rmconf->proposal == NULL) {
2323 		plog(LLV_ERROR, LOCATION, NULL,
2324 			"no proposal found.\n");
2325 		return -1;
2326 	}
2327 
2328 	return 0;
2329 }
2330 
2331 static void
clean_tmpalgtype()2332 clean_tmpalgtype()
2333 {
2334 	int i;
2335 	for (i = 0; i < MAXALGCLASS; i++)
2336 		tmpalgtype[i] = 0;	/* means algorithm undefined. */
2337 }
2338 
2339 static int
expand_isakmpspec(prop_no,trns_no,types,class,last,lifetime,lifebyte,encklen,vendorid,gssid,rmconf)2340 expand_isakmpspec(prop_no, trns_no, types,
2341 		class, last, lifetime, lifebyte, encklen, vendorid, gssid,
2342 		rmconf)
2343 	int prop_no, trns_no;
2344 	int *types, class, last;
2345 	time_t lifetime;
2346 	int lifebyte;
2347 	int encklen;
2348 	int vendorid;
2349 	char *gssid;
2350 	struct remoteconf *rmconf;
2351 {
2352 	struct isakmpsa *new;
2353 
2354 	/* debugging */
2355     {
2356 	int j;
2357 	char tb[10];
2358 	plog(LLV_DEBUG2, LOCATION, NULL,
2359 		"p:%d t:%d\n", prop_no, trns_no);
2360 	for (j = class; j < MAXALGCLASS; j++) {
2361 		snprintf(tb, sizeof(tb), "%d", types[j]);
2362 		plog(LLV_DEBUG2, LOCATION, NULL,
2363 			"%s%s%s%s\n",
2364 			s_algtype(j, types[j]),
2365 			types[j] ? "(" : "",
2366 			tb[0] == '0' ? "" : tb,
2367 			types[j] ? ")" : "");
2368 	}
2369 	plog(LLV_DEBUG2, LOCATION, NULL, "\n");
2370     }
2371 
2372 #define TMPALGTYPE2STR(n) \
2373 	s_algtype(algclass_isakmp_##n, types[algclass_isakmp_##n])
2374 		/* check mandatory values */
2375 		if (types[algclass_isakmp_enc] == 0
2376 		 || types[algclass_isakmp_ameth] == 0
2377 		 || types[algclass_isakmp_hash] == 0
2378 		 || types[algclass_isakmp_dh] == 0) {
2379 			yyerror("few definition of algorithm "
2380 				"enc=%s ameth=%s hash=%s dhgroup=%s.\n",
2381 				TMPALGTYPE2STR(enc),
2382 				TMPALGTYPE2STR(ameth),
2383 				TMPALGTYPE2STR(hash),
2384 				TMPALGTYPE2STR(dh));
2385 			return -1;
2386 		}
2387 #undef TMPALGTYPE2STR
2388 
2389 	/* set new sa */
2390 	new = newisakmpsa();
2391 	if (new == NULL) {
2392 		yyerror("failed to allocate isakmp sa");
2393 		return -1;
2394 	}
2395 	new->prop_no = prop_no;
2396 	new->trns_no = trns_no++;
2397 	new->lifetime = lifetime;
2398 	new->lifebyte = lifebyte;
2399 	new->enctype = types[algclass_isakmp_enc];
2400 	new->encklen = encklen;
2401 	new->authmethod = types[algclass_isakmp_ameth];
2402 	new->hashtype = types[algclass_isakmp_hash];
2403 	new->dh_group = types[algclass_isakmp_dh];
2404 	new->vendorid = vendorid;
2405 #ifdef HAVE_GSSAPI
2406 	if (new->authmethod == OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB) {
2407 		if (gssid != NULL) {
2408 			if ((new->gssid = vmalloc(strlen(gssid))) == NULL) {
2409 				racoon_free(new);
2410 				yyerror("failed to allocate gssid");
2411 				return -1;
2412 			}
2413 			memcpy(new->gssid->v, gssid, new->gssid->l);
2414 			racoon_free(gssid);
2415 #ifdef ENABLE_HYBRID
2416 		} else if (rmconf->xauth == NULL) {
2417 #else
2418 		} else {
2419 #endif
2420 			/*
2421 			 * Allocate the default ID so that it gets put
2422 			 * into a GSS ID attribute during the Phase 1
2423 			 * exchange.
2424 			 */
2425 			new->gssid = gssapi_get_default_gss_id();
2426 		}
2427 	}
2428 #endif
2429 	insisakmpsa(new, rmconf);
2430 
2431 	return trns_no;
2432 }
2433 
2434 static int
listen_addr(struct sockaddr * addr,int udp_encap)2435 listen_addr (struct sockaddr *addr, int udp_encap)
2436 {
2437 	struct myaddrs *p;
2438 
2439 	p = newmyaddr();
2440 	if (p == NULL) {
2441 		yyerror("failed to allocate myaddrs");
2442 		return -1;
2443 	}
2444 	p->addr = addr;
2445 	if (p->addr == NULL) {
2446 		yyerror("failed to copy sockaddr ");
2447 		delmyaddr(p);
2448 		return -1;
2449 	}
2450 	p->udp_encap = udp_encap;
2451 
2452 	insmyaddr(p, &lcconf->myaddrs);
2453 
2454 	lcconf->autograbaddr = 0;
2455 	return 0;
2456 }
2457 
2458 #if 0
2459 /*
2460  * fix lifebyte.
2461  * Must be more than 1024B because its unit is kilobytes.
2462  * That is defined RFC2407.
2463  */
2464 static int
2465 fix_lifebyte(t)
2466 	unsigned long t;
2467 {
2468 	if (t < 1024) {
2469 		yyerror("byte size should be more than 1024B.");
2470 		return 0;
2471 	}
2472 
2473 	return(t / 1024);
2474 }
2475 #endif
2476 
2477 int
cfparse()2478 cfparse()
2479 {
2480 	int error;
2481 
2482 	yycf_init_buffer();
2483 
2484 	if (yycf_switch_buffer(lcconf->racoon_conf) != 0) {
2485 		plog(LLV_ERROR, LOCATION, NULL,
2486 		    "could not read configuration file \"%s\"\n",
2487 		    lcconf->racoon_conf);
2488 		return -1;
2489 	}
2490 
2491 	error = yyparse();
2492 	if (error != 0) {
2493 		if (yyerrorcount) {
2494 			plog(LLV_ERROR, LOCATION, NULL,
2495 				"fatal parse failure (%d errors)\n",
2496 				yyerrorcount);
2497 		} else {
2498 			plog(LLV_ERROR, LOCATION, NULL,
2499 				"fatal parse failure.\n");
2500 		}
2501 		return -1;
2502 	}
2503 
2504 	if (error == 0 && yyerrorcount) {
2505 		plog(LLV_ERROR, LOCATION, NULL,
2506 			"parse error is nothing, but yyerrorcount is %d.\n",
2507 				yyerrorcount);
2508 		exit(1);
2509 	}
2510 
2511 	yycf_clean_buffer();
2512 
2513 	plog(LLV_DEBUG2, LOCATION, NULL, "parse successed.\n");
2514 
2515 	return 0;
2516 }
2517 
2518 int
cfreparse()2519 cfreparse()
2520 {
2521 	flushph2();
2522 	flushph1();
2523 	flushrmconf();
2524 	flushsainfo();
2525 	clean_tmpalgtype();
2526 	return(cfparse());
2527 }
2528 
2529 #ifdef ENABLE_ADMINPORT
2530 static void
adminsock_conf(path,owner,group,mode_dec)2531 adminsock_conf(path, owner, group, mode_dec)
2532 	vchar_t *path;
2533 	vchar_t *owner;
2534 	vchar_t *group;
2535 	int mode_dec;
2536 {
2537 	struct passwd *pw = NULL;
2538 	struct group *gr = NULL;
2539 	mode_t mode = 0;
2540 	uid_t uid;
2541 	gid_t gid;
2542 	int isnum;
2543 
2544 	adminsock_path = path->v;
2545 
2546 	if (owner == NULL)
2547 		return;
2548 
2549 	errno = 0;
2550 	uid = atoi(owner->v);
2551 	isnum = !errno;
2552 	if (((pw = getpwnam(owner->v)) == NULL) && !isnum)
2553 		yyerror("User \"%s\" does not exist", owner->v);
2554 
2555 	if (pw)
2556 		adminsock_owner = pw->pw_uid;
2557 	else
2558 		adminsock_owner = uid;
2559 
2560 	if (group == NULL)
2561 		return;
2562 
2563 	errno = 0;
2564 	gid = atoi(group->v);
2565 	isnum = !errno;
2566 	if (((gr = getgrnam(group->v)) == NULL) && !isnum)
2567 		yyerror("Group \"%s\" does not exist", group->v);
2568 
2569 	if (gr)
2570 		adminsock_group = gr->gr_gid;
2571 	else
2572 		adminsock_group = gid;
2573 
2574 	if (mode_dec == -1)
2575 		return;
2576 
2577 	if (mode_dec > 777)
2578 		yyerror("Mode 0%03o is invalid", mode_dec);
2579 	if (mode_dec >= 400) { mode += 0400; mode_dec -= 400; }
2580 	if (mode_dec >= 200) { mode += 0200; mode_dec -= 200; }
2581 	if (mode_dec >= 100) { mode += 0200; mode_dec -= 100; }
2582 
2583 	if (mode_dec > 77)
2584 		yyerror("Mode 0%03o is invalid", mode_dec);
2585 	if (mode_dec >= 40) { mode += 040; mode_dec -= 40; }
2586 	if (mode_dec >= 20) { mode += 020; mode_dec -= 20; }
2587 	if (mode_dec >= 10) { mode += 020; mode_dec -= 10; }
2588 
2589 	if (mode_dec > 7)
2590 		yyerror("Mode 0%03o is invalid", mode_dec);
2591 	if (mode_dec >= 4) { mode += 04; mode_dec -= 4; }
2592 	if (mode_dec >= 2) { mode += 02; mode_dec -= 2; }
2593 	if (mode_dec >= 1) { mode += 02; mode_dec -= 1; }
2594 
2595 	adminsock_mode = mode;
2596 
2597 	return;
2598 }
2599 #endif
2600