Head

GCC Code Coverage Report
Directory:	./		Exec	Total	Coverage
File:	sbin/iked/parse.c	Lines:	0	430	0.0 %
Date:	2017-11-07	Branches:	0	349	0.0 %

#include <stdlib.h>
#include <string.h>
#define YYBYACC 1
#define YYMAJOR 1
#define YYMINOR 9
#define YYLEX yylex()
#define YYEMPTY -1
#define yyclearin (yychar=(YYEMPTY))
#define yyerrok (yyerrflag=0)
#define YYRECOVERING() (yyerrflag!=0)
#define YYPREFIX "yy"
#line 25 "parse.y"
#include <sys/types.h>
#include <sys/ioctl.h>
#include <sys/queue.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <net/if.h>
#include <netinet/in.h>
#include <arpa/inet.h>

#include <openssl/pem.h>
#include <openssl/evp.h>

#include <ctype.h>
#include <err.h>
#include <errno.h>
#include <fcntl.h>
#include <ifaddrs.h>
#include <limits.h>
#include <netdb.h>
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <syslog.h>
#include <unistd.h>
#include <netdb.h>
#include <event.h>

#include "iked.h"
#include "ikev2.h"
#include "eap.h"

TAILQ_HEAD(files, file)		 files = TAILQ_HEAD_INITIALIZER(files);
static struct file {
	TAILQ_ENTRY(file)	 entry;
	FILE			*stream;
	char			*name;
	int			 lineno;
	int			 errors;
} *file;
EVP_PKEY	*wrap_pubkey(FILE *);
EVP_PKEY	*find_pubkey(const char *);
int		 set_policy(char *, int, struct iked_policy *);
int		 set_policy_auth_method(const char *, EVP_PKEY *,
		     struct iked_policy *);
struct file	*pushfile(const char *, int);
int		 popfile(void);
int		 check_file_secrecy(int, const char *);
int		 yyparse(void);
int		 yylex(void);
int		 yyerror(const char *, ...)
    __attribute__((__format__ (printf, 1, 2)))
    __attribute__((__nonnull__ (1)));
int		 kw_cmp(const void *, const void *);
int		 lookup(char *);
int		 lgetc(int);
int		 lungetc(int);
int		 findeol(void);

TAILQ_HEAD(symhead, sym)	 symhead = TAILQ_HEAD_INITIALIZER(symhead);
struct sym {
	TAILQ_ENTRY(sym)	 entry;
	int			 used;
	int			 persist;
	char			*nam;
	char			*val;
};
int		 symset(const char *, const char *, int);
char		*symget(const char *);

#define KEYSIZE_LIMIT	1024

static struct iked	*env = NULL;
static int		 debug = 0;
static int		 rules = 0;
static int		 passive = 0;
static int		 decouple = 0;
static char		*ocsp_url = NULL;

struct ipsec_xf {
	const char	*name;
	unsigned int	 id;
	unsigned int	 length;
	unsigned int	 keylength;
	unsigned int	 nonce;
	unsigned int	 noauth;
};

struct ipsec_transforms {
	const struct ipsec_xf *authxf;
	const struct ipsec_xf *prfxf;
	const struct ipsec_xf *encxf;
	const struct ipsec_xf *groupxf;
	const struct ipsec_xf *esnxf;
};

struct ipsec_mode {
	struct ipsec_transforms	*xfs;
	uint8_t			 ike_exch;
};

struct iked_transform ikev2_default_ike_transforms[] = {
	{ IKEV2_XFORMTYPE_ENCR, IKEV2_XFORMENCR_AES_CBC, 256 },
	{ IKEV2_XFORMTYPE_ENCR, IKEV2_XFORMENCR_AES_CBC, 192 },
	{ IKEV2_XFORMTYPE_ENCR, IKEV2_XFORMENCR_AES_CBC, 128 },
	{ IKEV2_XFORMTYPE_ENCR, IKEV2_XFORMENCR_3DES },
	{ IKEV2_XFORMTYPE_PRF,	IKEV2_XFORMPRF_HMAC_SHA2_256 },
	{ IKEV2_XFORMTYPE_PRF,	IKEV2_XFORMPRF_HMAC_SHA1 },
	{ IKEV2_XFORMTYPE_INTEGR, IKEV2_XFORMAUTH_HMAC_SHA2_256_128 },
	{ IKEV2_XFORMTYPE_INTEGR, IKEV2_XFORMAUTH_HMAC_SHA1_96 },
	{ IKEV2_XFORMTYPE_DH,	IKEV2_XFORMDH_MODP_2048 },
	{ IKEV2_XFORMTYPE_DH,	IKEV2_XFORMDH_MODP_1536 },
	{ IKEV2_XFORMTYPE_DH,	IKEV2_XFORMDH_MODP_1024 },
	{ 0 }
};
size_t ikev2_default_nike_transforms = ((sizeof(ikev2_default_ike_transforms) /
    sizeof(ikev2_default_ike_transforms[0])) - 1);

struct iked_transform ikev2_default_esp_transforms[] = {
	{ IKEV2_XFORMTYPE_ENCR, IKEV2_XFORMENCR_AES_CBC, 256 },
	{ IKEV2_XFORMTYPE_ENCR, IKEV2_XFORMENCR_AES_CBC, 192 },
	{ IKEV2_XFORMTYPE_ENCR, IKEV2_XFORMENCR_AES_CBC, 128 },
	{ IKEV2_XFORMTYPE_INTEGR, IKEV2_XFORMAUTH_HMAC_SHA2_256_128 },
	{ IKEV2_XFORMTYPE_INTEGR, IKEV2_XFORMAUTH_HMAC_SHA1_96 },
	{ IKEV2_XFORMTYPE_ESN,	IKEV2_XFORMESN_ESN },
	{ IKEV2_XFORMTYPE_ESN,	IKEV2_XFORMESN_NONE },
	{ 0 }
};
size_t ikev2_default_nesp_transforms = ((sizeof(ikev2_default_esp_transforms) /
    sizeof(ikev2_default_esp_transforms[0])) - 1);

const struct ipsec_xf authxfs[] = {
	{ "hmac-md5",		IKEV2_XFORMAUTH_HMAC_MD5_96,		16 },
	{ "hmac-sha1",		IKEV2_XFORMAUTH_HMAC_SHA1_96,		20 },
	{ "hmac-sha2-256",	IKEV2_XFORMAUTH_HMAC_SHA2_256_128,	32 },
	{ "hmac-sha2-384",	IKEV2_XFORMAUTH_HMAC_SHA2_384_192,	48 },
	{ "hmac-sha2-512",	IKEV2_XFORMAUTH_HMAC_SHA2_512_256,	64 },
	{ NULL }
};

const struct ipsec_xf prfxfs[] = {
	{ "hmac-md5",		IKEV2_XFORMPRF_HMAC_MD5,	16 },
	{ "hmac-sha1",		IKEV2_XFORMPRF_HMAC_SHA1,	20 },
	{ "hmac-sha2-256",	IKEV2_XFORMPRF_HMAC_SHA2_256,	32 },
	{ "hmac-sha2-384",	IKEV2_XFORMPRF_HMAC_SHA2_384,	48 },
	{ "hmac-sha2-512",	IKEV2_XFORMPRF_HMAC_SHA2_512,	64 },
	{ NULL }
};

const struct ipsec_xf *encxfs = NULL;

const struct ipsec_xf ikeencxfs[] = {
	{ "3des",		IKEV2_XFORMENCR_3DES,		24 },
	{ "3des-cbc",		IKEV2_XFORMENCR_3DES,		24 },
	{ "aes-128",		IKEV2_XFORMENCR_AES_CBC,	16, 16 },
	{ "aes-192",		IKEV2_XFORMENCR_AES_CBC,	24, 24 },
	{ "aes-256",		IKEV2_XFORMENCR_AES_CBC,	32, 32 },
	{ NULL }
};

const struct ipsec_xf ipsecencxfs[] = {
	{ "3des",		IKEV2_XFORMENCR_3DES,		24 },
	{ "3des-cbc",		IKEV2_XFORMENCR_3DES,		24 },
	{ "aes-128",		IKEV2_XFORMENCR_AES_CBC,	16, 16 },
	{ "aes-192",		IKEV2_XFORMENCR_AES_CBC,	24, 24 },
	{ "aes-256",		IKEV2_XFORMENCR_AES_CBC,	32, 32 },
	{ "aes-128-ctr",	IKEV2_XFORMENCR_AES_CTR,	16, 16, 4 },
	{ "aes-192-ctr",	IKEV2_XFORMENCR_AES_CTR,	24, 24, 4 },
	{ "aes-256-ctr",	IKEV2_XFORMENCR_AES_CTR,	32, 32, 4 },
	{ "aes-128-gcm",	IKEV2_XFORMENCR_AES_GCM_16,	16, 16, 4, 1 },
	{ "aes-192-gcm",	IKEV2_XFORMENCR_AES_GCM_16,	24, 24, 4, 1 },
	{ "aes-256-gcm",	IKEV2_XFORMENCR_AES_GCM_16,	32, 32, 4, 1 },
	{ "aes-128-gmac",	IKEV2_XFORMENCR_NULL_AES_GMAC,	16, 16, 4, 1 },
	{ "aes-192-gmac",	IKEV2_XFORMENCR_NULL_AES_GMAC,	24, 24, 4, 1 },
	{ "aes-256-gmac",	IKEV2_XFORMENCR_NULL_AES_GMAC,	32, 32, 4, 1 },
	{ "blowfish",		IKEV2_XFORMENCR_BLOWFISH,	20, 20 },
	{ "cast",		IKEV2_XFORMENCR_CAST,		16, 16 },
	{ "chacha20-poly1305",	IKEV2_XFORMENCR_CHACHA20_POLY1305,
								32, 32, 4, 1 },
	{ "null",		IKEV2_XFORMENCR_NULL,		0, 0 },
	{ NULL }
};

const struct ipsec_xf groupxfs[] = {
	{ "modp768",		IKEV2_XFORMDH_MODP_768 },
	{ "grp1",		IKEV2_XFORMDH_MODP_768 },
	{ "modp1024",		IKEV2_XFORMDH_MODP_1024 },
	{ "grp2",		IKEV2_XFORMDH_MODP_1024 },
	{ "ec2n155",		IKEV2_XFORMDH_EC2N_155 },
	{ "grp3",		IKEV2_XFORMDH_EC2N_155 },
	{ "ec2n185",		IKEV2_XFORMDH_EC2N_185 },
	{ "grp4",		IKEV2_XFORMDH_EC2N_185 },
	{ "modp1536",		IKEV2_XFORMDH_MODP_1536 },
	{ "grp5",		IKEV2_XFORMDH_MODP_1536 },
	{ "modp2048",		IKEV2_XFORMDH_MODP_2048 },
	{ "grp14",		IKEV2_XFORMDH_MODP_2048 },
	{ "modp3072",		IKEV2_XFORMDH_MODP_3072 },
	{ "grp15",		IKEV2_XFORMDH_MODP_3072 },
	{ "modp4096",		IKEV2_XFORMDH_MODP_4096 },
	{ "grp16",		IKEV2_XFORMDH_MODP_4096 },
	{ "modp6144",		IKEV2_XFORMDH_MODP_6144 },
	{ "grp17",		IKEV2_XFORMDH_MODP_6144 },
	{ "modp8192",		IKEV2_XFORMDH_MODP_8192 },
	{ "grp18",		IKEV2_XFORMDH_MODP_8192 },
	{ "ecp256",		IKEV2_XFORMDH_ECP_256 },
	{ "grp19",		IKEV2_XFORMDH_ECP_256 },
	{ "ecp384",		IKEV2_XFORMDH_ECP_384 },
	{ "grp20",		IKEV2_XFORMDH_ECP_384 },
	{ "ecp521",		IKEV2_XFORMDH_ECP_521 },
	{ "grp21",		IKEV2_XFORMDH_ECP_521 },
	{ "ecp192",		IKEV2_XFORMDH_ECP_192 },
	{ "grp25",		IKEV2_XFORMDH_ECP_192 },
	{ "ecp224",		IKEV2_XFORMDH_ECP_224 },
	{ "grp26",		IKEV2_XFORMDH_ECP_224 },
	{ "brainpool224",	IKEV2_XFORMDH_BRAINPOOL_P224R1 },
	{ "grp27",		IKEV2_XFORMDH_BRAINPOOL_P224R1 },
	{ "brainpool256",	IKEV2_XFORMDH_BRAINPOOL_P256R1 },
	{ "grp28",		IKEV2_XFORMDH_BRAINPOOL_P256R1 },
	{ "brainpool384",	IKEV2_XFORMDH_BRAINPOOL_P384R1 },
	{ "grp29",		IKEV2_XFORMDH_BRAINPOOL_P384R1 },
	{ "brainpool512",	IKEV2_XFORMDH_BRAINPOOL_P512R1 },
	{ "grp30",		IKEV2_XFORMDH_BRAINPOOL_P512R1 },
	{ "curve25519",		IKEV2_XFORMDH_X_CURVE25519 },
	{ NULL }
};

const struct ipsec_xf methodxfs[] = {
	{ "none",		IKEV2_AUTH_NONE },
	{ "rsa",		IKEV2_AUTH_RSA_SIG },
	{ "ecdsa256",		IKEV2_AUTH_ECDSA_256 },
	{ "ecdsa384",		IKEV2_AUTH_ECDSA_384 },
	{ "ecdsa521",		IKEV2_AUTH_ECDSA_521 },
	{ "rfc7427",		IKEV2_AUTH_SIG },
	{ "signature",		IKEV2_AUTH_SIG_ANY },
	{ NULL }
};

const struct ipsec_xf saxfs[] = {
	{ "esp",		IKEV2_SAPROTO_ESP },
	{ "ah",			IKEV2_SAPROTO_AH },
	{ NULL }
};

const struct ipsec_xf cpxfs[] = {
	{ "address", IKEV2_CFG_INTERNAL_IP4_ADDRESS,		AF_INET },
	{ "netmask", IKEV2_CFG_INTERNAL_IP4_NETMASK,		AF_INET },
	{ "name-server", IKEV2_CFG_INTERNAL_IP4_DNS,		AF_INET },
	{ "netbios-server", IKEV2_CFG_INTERNAL_IP4_NBNS,	AF_INET },
	{ "dhcp-server", IKEV2_CFG_INTERNAL_IP4_DHCP,		AF_INET },
	{ "address", IKEV2_CFG_INTERNAL_IP6_ADDRESS,		AF_INET6 },
	{ "name-server", IKEV2_CFG_INTERNAL_IP6_DNS,		AF_INET6 },
	{ "netbios-server", IKEV2_CFG_INTERNAL_IP6_NBNS,	AF_INET6 },
	{ "dhcp-server", IKEV2_CFG_INTERNAL_IP6_DHCP,		AF_INET6 },
	{ "protected-subnet", IKEV2_CFG_INTERNAL_IP4_SUBNET,	AF_INET },
	{ "protected-subnet", IKEV2_CFG_INTERNAL_IP6_SUBNET,	AF_INET6 },
	{ "access-server", IKEV2_CFG_INTERNAL_IP4_SERVER,	AF_INET },
	{ "access-server", IKEV2_CFG_INTERNAL_IP6_SERVER,	AF_INET6 },
	{ NULL }
};

const struct iked_lifetime deflifetime = {
	IKED_LIFETIME_BYTES,
	IKED_LIFETIME_SECONDS
};

struct ipsec_addr_wrap {
	struct sockaddr_storage	 address;
	uint8_t			 mask;
	int			 netaddress;
	sa_family_t		 af;
	unsigned int		 type;
	unsigned int		 action;
	char			*name;
	struct ipsec_addr_wrap	*next;
	struct ipsec_addr_wrap	*tail;
	struct ipsec_addr_wrap	*srcnat;
};

struct ipsec_hosts {
	struct ipsec_addr_wrap	*src;
	struct ipsec_addr_wrap	*dst;
	uint16_t		 sport;
	uint16_t		 dport;
};

struct ipsec_filters {
	char			*tag;
	unsigned int		 tap;
};

struct ipsec_addr_wrap	*host(const char *);
struct ipsec_addr_wrap	*host_v6(const char *, int);
struct ipsec_addr_wrap	*host_v4(const char *, int);
struct ipsec_addr_wrap	*host_dns(const char *, int);
struct ipsec_addr_wrap	*host_if(const char *, int);
struct ipsec_addr_wrap	*host_any(void);
void			 ifa_load(void);
int			 ifa_exists(const char *);
struct ipsec_addr_wrap	*ifa_lookup(const char *ifa_name);
struct ipsec_addr_wrap	*ifa_grouplookup(const char *);
void			 set_ipmask(struct ipsec_addr_wrap *, uint8_t);
const struct ipsec_xf	*parse_xf(const char *, unsigned int,
			    const struct ipsec_xf *);
const char		*print_xf(unsigned int, unsigned int,
			    const struct ipsec_xf *);
void			 copy_transforms(unsigned int, const struct ipsec_xf *,
			    const struct ipsec_xf *,
			    struct iked_transform *, size_t,
			    unsigned int *, struct iked_transform *, size_t);
int			 create_ike(char *, int, uint8_t, struct ipsec_hosts *,
			    struct ipsec_hosts *, struct ipsec_mode *,
			    struct ipsec_mode *, uint8_t,
			    uint8_t, char *, char *,
			    uint32_t, struct iked_lifetime *,
			    struct iked_auth *, struct ipsec_filters *,
			    struct ipsec_addr_wrap *);
int			 create_user(const char *, const char *);
int			 get_id_type(char *);
uint8_t			 x2i(unsigned char *);
int			 parsekey(unsigned char *, size_t, struct iked_auth *);
int			 parsekeyfile(char *, struct iked_auth *);

struct ipsec_transforms *ipsec_transforms;
struct ipsec_filters *ipsec_filters;

typedef struct {
	union {
		int64_t			 number;
		uint8_t			 ikemode;
		uint8_t			 dir;
		uint8_t			 satype;
		uint8_t			 proto;
		char			*string;
		uint16_t		 port;
		struct ipsec_hosts	*hosts;
		struct ipsec_hosts	 peers;
		struct ipsec_addr_wrap	*anyhost;
		struct ipsec_addr_wrap	*host;
		struct ipsec_addr_wrap	*cfg;
		struct {
			char		*srcid;
			char		*dstid;
		} ids;
		char			*id;
		uint8_t			 type;
		struct iked_lifetime	 lifetime;
		struct iked_auth	 ikeauth;
		struct iked_auth	 ikekey;
		struct ipsec_transforms	*transforms;
		struct ipsec_filters	*filters;
		struct ipsec_mode	*mode;
	} v;
	int lineno;
} YYSTYPE;

#line 369 "parse.c"
#define FROM 257
#define ESP 258
#define AH 259
#define IN 260
#define PEER 261
#define ON 262
#define OUT 263
#define TO 264
#define SRCID 265
#define DSTID 266
#define PSK 267
#define PORT 268
#define FILENAME 269
#define AUTHXF 270
#define PRFXF 271
#define ENCXF 272
#define ERROR 273
#define IKEV2 274
#define IKESA 275
#define CHILDSA 276
#define PASSIVE 277
#define ACTIVE 278
#define ANY 279
#define TAG 280
#define TAP 281
#define PROTO 282
#define LOCAL 283
#define GROUP 284
#define NAME 285
#define CONFIG 286
#define EAP 287
#define USER 288
#define IKEV1 289
#define FLOW 290
#define SA 291
#define TCPMD5 292
#define TUNNEL 293
#define TRANSPORT 294
#define COUPLE 295
#define DECOUPLE 296
#define SET 297
#define INCLUDE 298
#define LIFETIME 299
#define BYTES 300
#define INET 301
#define INET6 302
#define QUICK 303
#define SKIP 304
#define DEFAULT 305
#define IPCOMP 306
#define OCSP 307
#define IKELIFETIME 308
#define STRING 309
#define NUMBER 310
#define YYERRCODE 256
const short yylhs[] =
	{                                        -1,
    0,    0,    0,    0,    0,    0,    0,    0,    0,   41,
   41,   34,   35,   35,   35,   35,   35,   36,   37,   32,
   32,   33,   33,   31,   30,   30,    2,    2,    2,    9,
    9,    9,    3,    3,    3,    3,    4,    4,    6,    6,
    5,    5,    7,    7,    8,    8,   10,   10,   10,   10,
   10,   11,   11,   13,   13,   12,   12,   12,   14,   14,
   14,   14,   15,   43,   16,   16,   42,   42,   44,   44,
   44,   44,   24,   45,   24,   25,   46,   25,   18,   19,
   19,   19,   19,   20,   20,   20,   21,   21,   22,   22,
   22,   22,   27,   27,   28,   28,   26,   26,   26,   29,
   29,   23,   23,   48,   17,   17,   47,   47,   49,   49,
    1,    1,   38,   39,   39,   39,   39,   50,   50,   50,
   50,   50,   40,
};
const short yylen[] =
	{                                         2,
    0,    3,    2,    3,    3,    3,    3,    4,    3,    1,
    0,    2,    2,    2,    2,    2,    3,    3,   16,    0,
    1,    1,    2,    3,    0,    1,    0,    1,    1,    0,
    1,    1,    0,    2,    2,    2,    1,    1,    1,    3,
    6,    6,    0,    2,    1,    1,    0,    4,    4,    2,
    2,    1,    1,    1,    3,    1,    4,    1,    0,    4,
    2,    2,    1,    0,    2,    0,    2,    1,    2,    2,
    2,    2,    0,    0,    3,    0,    0,    3,    3,    0,
    1,    1,    1,    0,    1,    1,    0,    1,    0,    2,
    2,    1,    1,    1,    1,    1,    0,    2,    4,    0,
    2,    1,    2,    0,    2,    0,    2,    1,    2,    2,
    2,    1,    3,    1,    1,    1,    1,    1,    1,    1,
    1,    1,    0,
};
const short yydefred[] =
	{                                      1,
    0,    0,  119,  120,    0,    0,  114,  116,  118,  117,
  121,  122,    0,    0,    0,    3,    0,    0,    0,    0,
    0,  123,  115,    9,   26,    0,    0,   14,   13,   15,
   16,    0,   12,    0,    2,    4,    5,    6,    7,    0,
   81,   82,   83,    0,    0,   18,   17,  112,    0,    8,
   28,   29,    0,   85,   86,    0,  111,   31,   32,    0,
   88,   79,    0,    0,   35,   36,   37,   38,   34,    0,
    0,   39,    0,   58,    0,    0,    0,    0,    0,    0,
   10,    0,    0,    0,    0,    0,    0,    0,   53,    0,
   52,    0,   74,    0,   40,   55,   45,   46,   44,    0,
    0,    0,    0,    0,    0,   77,    0,    0,   57,    0,
   48,   49,   75,    0,    0,    0,    0,    0,   41,   42,
    0,    0,    0,    0,    0,   68,   78,   63,    0,   62,
    0,    0,   69,   71,   70,   72,   67,    0,   96,   95,
  101,    0,    0,   60,    0,    0,    0,   92,    0,    0,
    0,  102,   90,   91,    0,   22,    0,    0,   94,   93,
   99,  103,    0,   19,    0,   23,   24,    0,    0,    0,
  108,  109,  110,  107,
};
const short yydgoto[] =
	{                                       1,
   49,   53,   64,   69,   72,   73,   86,   99,   60,   82,
   90,   76,   77,  118,  129,  113,  164,   44,   45,   56,
   62,  149,  153,   94,  107,  143,  161,  141,  132,   26,
  156,  157,  158,   17,   18,   19,   20,   21,   22,   40,
   83,  125,  114,  126,  105,  115,  170,  165,  171,   23,
};
const short yysindex[] =
	{                                      0,
  115,    1,    0,    0, -276, -260,    0,    0,    0,    0,
    0,    0, -187, -229,    8,    0,   75,   84,   93,   95,
   97,    0,    0,    0,    0, -174, -173,    0,    0,    0,
    0, -172,    0, -171,    0,    0,    0,    0,    0,  129,
    0,    0,    0, -176, -167,    0,    0,    0, -169,    0,
    0,    0, -279,    0,    0, -165,    0,    0,    0, -140,
    0,    0, -253, -244,    0,    0,    0,    0,    0, -263,
 -263,    0,  -43,    0,   96, -124,  105, -124, -250, -250,
    0, -129, -244, -163, -212, -116, -160, -107,    0, -132,
    0, -109,    0, -123,    0,    0,    0,    0,    0, -263,
  113, -263, -250, -250,    0,    0, -142, -124,    0, -124,
    0,    0,    0, -156,    0, -153, -153, -151,    0,    0,
 -150, -149, -148, -147, -156,    0,    0,    0, -111,    0,
 -177, -141,    0,    0,    0,    0,    0, -153,    0,    0,
    0, -177, -255,    0, -136, -262, -144,    0, -120, -175,
 -139,    0,    0,    0, -138,    0,    0, -120,    0,    0,
    0,    0, -160,    0, -154,    0,    0, -137, -135, -154,
    0,    0,    0,    0,};
const short yyrindex[] =
	{                                      0,
    0,    0,    0,    0, -240,    0,    0,    0,    0,    0,
    0,    0,    0,    0,    0,    0,    0,    0,    0,    0,
    0,    0,    0,    0,    0, -206,    0,    0,    0,    0,
    0,    0,    0,    0,    0,    0,    0,    0,    0,    0,
    0,    0,    0, -183, -214,    0,    0,    0,  157,    0,
    0,    0, -209,    0,    0, -180,    0,    0,    0, -236,
    0,    0,    0,    0,    0,    0,    0,    0,    0,    0,
    0,    0,  153,    0,  -10,  -96,   26,  -88,    0,    0,
    0,  253,    0,    0,    0,    0,    0,    0,    0,  204,
    0,  229,    0,  309,    0,    0,    0,    0,    0,    0,
    0,    0,    0,    0,   83,    0,  317,   57,    0,   57,
    0,    0,    0,    0,  179,    0,    0,   30,    0,    0,
    0,    0,    0,    0,  278,    0,    0,    0,  342,    0,
    0,   -6,    0,    0,    0,    0,    0,    0,    0,    0,
    0,    0,   -2,    0,  107,    0,    0,    0,    5,    0,
    0,    0,    0,    0,    0,    0,   15,   50,    0,    0,
    0,    0,    0,    0,    0,    0,    0,    0,    0,  163,
    0,    0,    0,    0,};
const short yygindex[] =
	{                                      0,
    0,    0,    0,    0,   92,    0,  -69,    0,    0,    0,
    9,    4,  -77,    0, -103,   61,    0,    0,    0,    0,
    0,    0,    0,    0,    0,    0,    0,   35,    0,    0,
   20,    0,    0,    0,    0,    0,    0,    0,    0,    0,
    0,    0,    0,   54,    0,    0,    0,    0,   10,    0,
};
#define YYTABLESIZE 651
const short yytable[] =
	{                                      54,
   81,   91,   91,   97,   65,   66,  151,   89,   88,  101,
   24,  146,   70,  130,   20,   74,   25,   25,   25,   71,
   33,   58,   59,   25,  106,   91,   91,   33,   89,   54,
   54,  147,   25,   54,  144,   56,   25,   25,  119,  100,
  120,   25,   84,   84,   84,   75,  152,   30,   27,   84,
   80,   80,   80,  148,   30,   67,   68,   80,   75,   21,
   25,   25,   25,   25,   25,   25,   43,   84,   34,   56,
   80,   80,   30,   27,   78,   80,   87,   87,   87,   33,
   27,   51,   52,   87,   35,  167,   84,   84,   92,   28,
   29,   84,   66,   36,   80,   80,   97,   98,   27,   80,
   43,   87,   37,  108,   38,  110,   39,   30,   31,   54,
   55,  111,  112,  121,  122,  123,   98,   27,   27,   32,
   87,   87,  116,  117,   16,  168,  169,  124,   41,   42,
   43,  139,  140,  159,  160,   46,   47,   48,   50,   57,
   61,   63,   84,   85,   87,   93,   96,  100,   75,  102,
  103,  104,  106,  109,  138,  128,  131,  142,  133,  134,
  135,  136,   47,  150,  154,  155,  113,   43,   43,  162,
  163,  172,  105,  173,   95,  127,  145,  166,  137,  174,
    0,    0,    0,    0,    0,    0,    0,    0,   66,    0,
    0,    0,    0,    0,    0,    0,    0,    0,    0,    0,
    0,    0,    0,    0,    0,    0,    0,    0,    0,    0,
    0,    0,    0,   50,    0,    0,    0,   79,    0,    0,
    0,    0,    0,    0,    0,    0,    0,    0,    0,    0,
    0,    0,    0,    0,    0,    0,    0,    0,   51,   80,
    0,    0,    0,    0,    0,    0,   54,    0,    0,    0,
   54,    0,    0,   54,   54,   54,   54,   54,    0,    0,
   97,    0,   73,    0,   54,   54,    0,    0,    0,   54,
   54,    0,   54,   97,   97,   54,   54,   89,   89,   97,
   97,    0,   56,   89,   20,   20,   56,   65,   54,   56,
   56,   56,   56,   56,  104,  104,  100,   54,   54,    0,
   56,   56,   97,    0,    0,   56,   56,    0,   56,  100,
  100,   56,   56,   43,    0,  100,  100,   43,   76,    0,
   43,   43,   43,   43,   56,    0,   59,    0,  100,   21,
   21,   43,   43,   56,   56,    0,   43,   43,  100,   43,
    0,    0,   43,   43,    0,    0,    0,   66,   66,   66,
    0,   61,   64,   64,   64,   43,    0,    0,   66,    0,
    0,    0,   66,   66,   43,   43,   64,    0,   66,   66,
    2,    3,    0,   98,    0,    0,    0,    0,    4,    0,
    0,   66,    0,    0,    0,    0,   98,   98,    5,    0,
   66,   66,   98,   98,    0,    0,    0,    0,    0,    0,
    0,    0,    6,    7,    8,    9,   10,   11,   12,   11,
    0,   13,   14,    0,    0,   98,   11,   47,   47,   47,
    0,    0,    0,   15,    0,    0,    0,   47,   47,    0,
    0,    0,   47,   47,    0,    0,    0,    0,   47,   47,
    0,    0,    0,   66,   66,   66,    0,    0,   64,   64,
   64,   47,    0,    0,    0,    0,    0,    0,   66,   66,
   47,   47,   64,    0,   66,   66,    0,    0,   50,   50,
   50,    0,    0,    0,    0,    0,    0,   66,   50,   50,
    0,    0,    0,   50,   50,    0,   66,   66,    0,   50,
   50,    0,    0,   51,   51,   51,    0,    0,    0,    0,
    0,    0,   50,   51,   51,    0,    0,    0,   51,   51,
    0,   50,   50,    0,   51,   51,    0,   73,   73,   73,
    0,    0,    0,    0,    0,    0,    0,   51,   73,    0,
    0,    0,   73,   73,    0,    0,   51,   51,   73,   73,
    0,    0,   65,   65,   65,    0,    0,    0,    0,    0,
    0,   73,    0,   65,    0,    0,    0,   65,   65,    0,
   73,   73,    0,   65,   65,    0,    0,    0,    0,    0,
    0,    0,    0,   76,   76,   76,   65,    0,    0,    0,
    0,    0,    0,   59,    0,   65,   65,    0,   76,   76,
    0,    0,    0,    0,   76,   76,   59,   59,    0,    0,
    0,    0,   59,   59,    0,    0,    0,   76,   61,    0,
    0,    0,    0,    0,    0,   59,   76,   76,    0,    0,
    0,   61,   61,    0,   59,   59,    0,   61,   61,    0,
    0,    0,    0,    0,    0,    0,    0,    0,    0,    0,
   61,    0,    0,    0,    0,    0,    0,    0,    0,   61,
   61,
};
const short yycheck[] =
	{                                      10,
   44,   79,   80,   10,  258,  259,  269,   10,   78,   87,
   10,  267,  257,  117,   10,  279,  257,  258,  259,  264,
  257,  301,  302,  264,   10,  103,  104,  264,  279,   40,
   41,  287,  309,   44,  138,   10,  277,  278,  108,   10,
  110,  282,  257,  258,  259,  309,  309,  257,  309,  264,
  257,  258,  259,  309,  264,  309,  310,  264,  309,   10,
  301,  302,  303,  304,  305,  306,   10,  282,   61,   44,
  277,  278,  282,  257,   71,  282,  257,  258,  259,  309,
  264,  258,  259,  264,   10,  163,  301,  302,   80,  277,
  278,  306,   10,   10,  301,  302,  309,  310,  282,  306,
   44,  282,   10,  100,   10,  102,   10,  295,  296,  277,
  278,  103,  104,  270,  271,  272,   10,  301,  302,  307,
  301,  302,  265,  266,   10,  280,  281,  284,  303,  304,
  305,  309,  310,  309,  310,  309,  309,  309,   10,  309,
  306,  282,   47,  268,   40,  275,  310,  264,  309,  257,
  283,  261,  276,   41,  266,  309,  308,  299,  309,  309,
  309,  309,   10,  300,  309,  286,   10,  264,  257,  309,
  309,  309,   10,  309,   83,  115,  142,  158,  125,  170,
   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,   10,   -1,
   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,
   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,
   -1,   -1,   -1,   10,   -1,   -1,   -1,  261,   -1,   -1,
   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,
   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,   10,  283,
   -1,   -1,   -1,   -1,   -1,   -1,  257,   -1,   -1,   -1,
  261,   -1,   -1,  264,  265,  266,  267,  268,   -1,   -1,
  267,   -1,   10,   -1,  275,  276,   -1,   -1,   -1,  280,
  281,   -1,  283,  280,  281,  286,  287,  280,  281,  286,
  287,   -1,  257,  286,  280,  281,  261,   10,  299,  264,
  265,  266,  267,  268,  280,  281,  267,  308,  309,   -1,
  275,  276,  309,   -1,   -1,  280,  281,   -1,  283,  280,
  281,  286,  287,  257,   -1,  286,  287,  261,   10,   -1,
  264,  265,  266,  267,  299,   -1,   10,   -1,  299,  280,
  281,  275,  276,  308,  309,   -1,  280,  281,  309,  283,
   -1,   -1,  286,  287,   -1,   -1,   -1,  265,  266,  267,
   -1,   10,  270,  271,  272,  299,   -1,   -1,  276,   -1,
   -1,   -1,  280,  281,  308,  309,  284,   -1,  286,  287,
  256,  257,   -1,  267,   -1,   -1,   -1,   -1,  264,   -1,
   -1,  299,   -1,   -1,   -1,   -1,  280,  281,  274,   -1,
  308,  309,  286,  287,   -1,   -1,   -1,   -1,   -1,   -1,
   -1,   -1,  288,  289,  290,  291,  292,  293,  294,  257,
   -1,  297,  298,   -1,   -1,  309,  264,  265,  266,  267,
   -1,   -1,   -1,  309,   -1,   -1,   -1,  275,  276,   -1,
   -1,   -1,  280,  281,   -1,   -1,   -1,   -1,  286,  287,
   -1,   -1,   -1,  265,  266,  267,   -1,   -1,  270,  271,
  272,  299,   -1,   -1,   -1,   -1,   -1,   -1,  280,  281,
  308,  309,  284,   -1,  286,  287,   -1,   -1,  265,  266,
  267,   -1,   -1,   -1,   -1,   -1,   -1,  299,  275,  276,
   -1,   -1,   -1,  280,  281,   -1,  308,  309,   -1,  286,
  287,   -1,   -1,  265,  266,  267,   -1,   -1,   -1,   -1,
   -1,   -1,  299,  275,  276,   -1,   -1,   -1,  280,  281,
   -1,  308,  309,   -1,  286,  287,   -1,  265,  266,  267,
   -1,   -1,   -1,   -1,   -1,   -1,   -1,  299,  276,   -1,
   -1,   -1,  280,  281,   -1,   -1,  308,  309,  286,  287,
   -1,   -1,  265,  266,  267,   -1,   -1,   -1,   -1,   -1,
   -1,  299,   -1,  276,   -1,   -1,   -1,  280,  281,   -1,
  308,  309,   -1,  286,  287,   -1,   -1,   -1,   -1,   -1,
   -1,   -1,   -1,  265,  266,  267,  299,   -1,   -1,   -1,
   -1,   -1,   -1,  267,   -1,  308,  309,   -1,  280,  281,
   -1,   -1,   -1,   -1,  286,  287,  280,  281,   -1,   -1,
   -1,   -1,  286,  287,   -1,   -1,   -1,  299,  267,   -1,
   -1,   -1,   -1,   -1,   -1,  299,  308,  309,   -1,   -1,
   -1,  280,  281,   -1,  308,  309,   -1,  286,  287,   -1,
   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,
  299,   -1,   -1,   -1,   -1,   -1,   -1,   -1,   -1,  308,
  309,
};
#define YYFINAL 1
#ifndef YYDEBUG
#define YYDEBUG 0
#endif
#define YYMAXTOKEN 310
#if YYDEBUG
const char * const yyname[] =
	{
"end-of-file",0,0,0,0,0,0,0,0,0,"'\\n'",0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
0,0,0,0,0,0,0,0,0,"'('","')'",0,0,"','",0,0,"'/'",0,0,0,0,0,0,0,0,0,0,0,0,0,
"'='",0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
"FROM","ESP","AH","IN","PEER","ON","OUT","TO","SRCID","DSTID","PSK","PORT",
"FILENAME","AUTHXF","PRFXF","ENCXF","ERROR","IKEV2","IKESA","CHILDSA","PASSIVE",
"ACTIVE","ANY","TAG","TAP","PROTO","LOCAL","GROUP","NAME","CONFIG","EAP","USER",
"IKEV1","FLOW","SA","TCPMD5","TUNNEL","TRANSPORT","COUPLE","DECOUPLE","SET",
"INCLUDE","LIFETIME","BYTES","INET","INET6","QUICK","SKIP","DEFAULT","IPCOMP",
"OCSP","IKELIFETIME","STRING","NUMBER",
};
const char * const yyrule[] =
	{"$accept : grammar",
"grammar :",
"grammar : grammar include '\\n'",
"grammar : grammar '\\n'",
"grammar : grammar set '\\n'",
"grammar : grammar user '\\n'",
"grammar : grammar ikev2rule '\\n'",
"grammar : grammar varset '\\n'",
"grammar : grammar otherrule skipline '\\n'",
"grammar : grammar error '\\n'",
"comma : ','",
"comma :",
"include : INCLUDE STRING",
"set : SET ACTIVE",
"set : SET PASSIVE",
"set : SET COUPLE",
"set : SET DECOUPLE",
"set : SET OCSP STRING",
"user : USER STRING STRING",
"ikev2rule : IKEV2 name ikeflags satype af proto hosts_list peers ike_sa child_sa ids ikelifetime lifetime ikeauth ikecfg filters",
"ikecfg :",
"ikecfg : ikecfgvals",
"ikecfgvals : cfg",
"ikecfgvals : ikecfgvals cfg",
"cfg : CONFIG STRING host_spec",
"name :",
"name : STRING",
"satype :",
"satype : ESP",
"satype : AH",
"af :",
"af : INET",
"af : INET6",
"proto :",
"proto : PROTO protoval",
"proto : PROTO ESP",
"proto : PROTO AH",
"protoval : STRING",
"protoval : NUMBER",
"hosts_list : hosts",
"hosts_list : hosts_list comma hosts",
"hosts : FROM host port TO host port",
"hosts : TO host port FROM host port",
"port :",
"port : PORT portval",
"portval : STRING",
"portval : NUMBER",
"peers :",
"peers : PEER anyhost LOCAL anyhost",
"peers : LOCAL anyhost PEER anyhost",
"peers : PEER anyhost",
"peers : LOCAL anyhost",
"anyhost : host_spec",
"anyhost : ANY",
"host_spec : STRING",
"host_spec : STRING '/' NUMBER",
"host : host_spec",
"host : host_spec '(' host_spec ')'",
"host : ANY",
"ids :",
"ids : SRCID id DSTID id",
"ids : SRCID id",
"ids : DSTID id",
"id : STRING",
"$$1 :",
"transforms : $$1 transforms_l",
"transforms :",
"transforms_l : transforms_l transform",
"transforms_l : transform",
"transform : AUTHXF STRING",
"transform : ENCXF STRING",
"transform : PRFXF STRING",
"transform : GROUP STRING",
"ike_sa :",
"$$2 :",
"ike_sa : IKESA $$2 transforms",
"child_sa :",
"$$3 :",
"child_sa : CHILDSA $$3 transforms",
"ikeflags : ikematch ikemode ipcomp",
"ikematch :",
"ikematch : QUICK",
"ikematch : SKIP",
"ikematch : DEFAULT",
"ikemode :",
"ikemode : PASSIVE",
"ikemode : ACTIVE",
"ipcomp :",
"ipcomp : IPCOMP",
"ikeauth :",
"ikeauth : PSK keyspec",
"ikeauth : EAP STRING",
"ikeauth : STRING",
"byte_spec : NUMBER",
"byte_spec : STRING",
"time_spec : NUMBER",
"time_spec : STRING",
"lifetime :",
"lifetime : LIFETIME time_spec",
"lifetime : LIFETIME time_spec BYTES byte_spec",
"ikelifetime :",
"ikelifetime : IKELIFETIME time_spec",
"keyspec : STRING",
"keyspec : FILENAME STRING",
"$$4 :",
"filters : $$4 filters_l",
"filters :",
"filters_l : filters_l filter",
"filters_l : filter",
"filter : TAG STRING",
"filter : TAP STRING",
"string : string STRING",
"string : STRING",
"varset : STRING '=' string",
"otherrule : IKEV1",
"otherrule : sarule",
"otherrule : FLOW",
"otherrule : TCPMD5",
"sarule : SA",
"sarule : FROM",
"sarule : TO",
"sarule : TUNNEL",
"sarule : TRANSPORT",
"skipline :",
};
#endif
#ifdef YYSTACKSIZE
#undef YYMAXDEPTH
#define YYMAXDEPTH YYSTACKSIZE
#else
#ifdef YYMAXDEPTH
#define YYSTACKSIZE YYMAXDEPTH
#else
#define YYSTACKSIZE 10000
#define YYMAXDEPTH 10000
#endif
#endif
#define YYINITSTACKSIZE 200
/* LINTUSED */
int yydebug;
int yynerrs;
int yyerrflag;
int yychar;
short *yyssp;
YYSTYPE *yyvsp;
YYSTYPE yyval;
YYSTYPE yylval;
short *yyss;
short *yysslim;
YYSTYPE *yyvs;
unsigned int yystacksize;
int yyparse(void);
#line 1070 "parse.y"

struct keywords {
	const char	*k_name;
	int		 k_val;
};

int
yyerror(const char *fmt, ...)
{
	va_list		 ap;

	file->errors++;
	va_start(ap, fmt);
	fprintf(stderr, "%s: %d: ", file->name, yylval.lineno);
	vfprintf(stderr, fmt, ap);
	fprintf(stderr, "\n");
	va_end(ap);
	return (0);
}

int
kw_cmp(const void *k, const void *e)
{
	return (strcmp(k, ((const struct keywords *)e)->k_name));
}

int
lookup(char *s)
{
	/* this has to be sorted always */
	static const struct keywords keywords[] = {
		{ "active",		ACTIVE },
		{ "ah",			AH },
		{ "any",		ANY },
		{ "auth",		AUTHXF },
		{ "bytes",		BYTES },
		{ "childsa",		CHILDSA },
		{ "config",		CONFIG },
		{ "couple",		COUPLE },
		{ "decouple",		DECOUPLE },
		{ "default",		DEFAULT },
		{ "dstid",		DSTID },
		{ "eap",		EAP },
		{ "enc",		ENCXF },
		{ "esp",		ESP },
		{ "file",		FILENAME },
		{ "flow",		FLOW },
		{ "from",		FROM },
		{ "group",		GROUP },
		{ "ike",		IKEV1 },
		{ "ikelifetime",	IKELIFETIME },
		{ "ikesa",		IKESA },
		{ "ikev2",		IKEV2 },
		{ "include",		INCLUDE },
		{ "inet",		INET },
		{ "inet6",		INET6 },
		{ "ipcomp",		IPCOMP },
		{ "lifetime",		LIFETIME },
		{ "local",		LOCAL },
		{ "name",		NAME },
		{ "ocsp",		OCSP },
		{ "passive",		PASSIVE },
		{ "peer",		PEER },
		{ "port",		PORT },
		{ "prf",		PRFXF },
		{ "proto",		PROTO },
		{ "psk",		PSK },
		{ "quick",		QUICK },
		{ "sa",			SA },
		{ "set",		SET },
		{ "skip",		SKIP },
		{ "srcid",		SRCID },
		{ "tag",		TAG },
		{ "tap",		TAP },
		{ "tcpmd5",		TCPMD5 },
		{ "to",			TO },
		{ "transport",		TRANSPORT },
		{ "tunnel",		TUNNEL },
		{ "user",		USER }
	};
	const struct keywords	*p;

	p = bsearch(s, keywords, sizeof(keywords)/sizeof(keywords[0]),
	    sizeof(keywords[0]), kw_cmp);

	if (p) {
		if (debug > 1)
			fprintf(stderr, "%s: %d\n", s, p->k_val);
		return (p->k_val);
	} else {
		if (debug > 1)
			fprintf(stderr, "string: %s\n", s);
		return (STRING);
	}
}

#define MAXPUSHBACK	128

unsigned char	*parsebuf;
int		 parseindex;
unsigned char	 pushback_buffer[MAXPUSHBACK];
int		 pushback_index = 0;

int
lgetc(int quotec)
{
	int		c, next;

	if (parsebuf) {
		/* Read character from the parsebuffer instead of input. */
		if (parseindex >= 0) {
			c = parsebuf[parseindex++];
			if (c != '\0')
				return (c);
			parsebuf = NULL;
		} else
			parseindex++;
	}

	if (pushback_index)
		return (pushback_buffer[--pushback_index]);

	if (quotec) {
		if ((c = getc(file->stream)) == EOF) {
			yyerror("reached end of file while parsing "
			    "quoted string");
			if (popfile() == EOF)
				return (EOF);
			return (quotec);
		}
		return (c);
	}

	while ((c = getc(file->stream)) == '\\') {
		next = getc(file->stream);
		if (next != '\n') {
			c = next;
			break;
		}
		yylval.lineno = file->lineno;
		file->lineno++;
	}

	while (c == EOF) {
		if (popfile() == EOF)
			return (EOF);
		c = getc(file->stream);
	}
	return (c);
}

int
lungetc(int c)
{
	if (c == EOF)
		return (EOF);
	if (parsebuf) {
		parseindex--;
		if (parseindex >= 0)
			return (c);
	}
	if (pushback_index < MAXPUSHBACK-1)
		return (pushback_buffer[pushback_index++] = c);
	else
		return (EOF);
}

int
findeol(void)
{
	int	c;

	parsebuf = NULL;

	/* skip to either EOF or the first real EOL */
	while (1) {
		if (pushback_index)
			c = pushback_buffer[--pushback_index];
		else
			c = lgetc(0);
		if (c == '\n') {
			file->lineno++;
			break;
		}
		if (c == EOF)
			break;
	}
	return (ERROR);
}

int
yylex(void)
{
	unsigned char	 buf[8096];
	unsigned char	*p, *val;
	int		 quotec, next, c;
	int		 token;

top:
	p = buf;
	while ((c = lgetc(0)) == ' ' || c == '\t')
		; /* nothing */

	yylval.lineno = file->lineno;
	if (c == '#')
		while ((c = lgetc(0)) != '\n' && c != EOF)
			; /* nothing */
	if (c == '$' && parsebuf == NULL) {
		while (1) {
			if ((c = lgetc(0)) == EOF)
				return (0);

			if (p + 1 >= buf + sizeof(buf) - 1) {
				yyerror("string too long");
				return (findeol());
			}
			if (isalnum(c) || c == '_') {
				*p++ = c;
				continue;
			}
			*p = '\0';
			lungetc(c);
			break;
		}
		val = symget(buf);
		if (val == NULL) {
			yyerror("macro '%s' not defined", buf);
			return (findeol());
		}
		parsebuf = val;
		parseindex = 0;
		goto top;
	}

	switch (c) {
	case '\'':
	case '"':
		quotec = c;
		while (1) {
			if ((c = lgetc(quotec)) == EOF)
				return (0);
			if (c == '\n') {
				file->lineno++;
				continue;
			} else if (c == '\\') {
				if ((next = lgetc(quotec)) == EOF)
					return (0);
				if (next == quotec || c == ' ' || c == '\t')
					c = next;
				else if (next == '\n') {
					file->lineno++;
					continue;
				} else
					lungetc(next);
			} else if (c == quotec) {
				*p = '\0';
				break;
			} else if (c == '\0') {
				yyerror("syntax error");
				return (findeol());
			}
			if (p + 1 >= buf + sizeof(buf) - 1) {
				yyerror("string too long");
				return (findeol());
			}
			*p++ = c;
		}
		yylval.v.string = strdup(buf);
		if (yylval.v.string == NULL)
			err(1, "yylex: strdup");
		return (STRING);
	}

#define allowed_to_end_number(x) \
	(isspace(x) || x == ')' || x ==',' || x == '/' || x == '}' || x == '=')

	if (c == '-' || isdigit(c)) {
		do {
			*p++ = c;
			if ((unsigned)(p-buf) >= sizeof(buf)) {
				yyerror("string too long");
				return (findeol());
			}
		} while ((c = lgetc(0)) != EOF && isdigit(c));
		lungetc(c);
		if (p == buf + 1 && buf[0] == '-')
			goto nodigits;
		if (c == EOF || allowed_to_end_number(c)) {
			const char *errstr = NULL;

			*p = '\0';
			yylval.v.number = strtonum(buf, LLONG_MIN,
			    LLONG_MAX, &errstr);
			if (errstr) {
				yyerror("\"%s\" invalid number: %s",
				    buf, errstr);
				return (findeol());
			}
			return (NUMBER);
		} else {
nodigits:
			while (p > buf + 1)
				lungetc(*--p);
			c = *--p;
			if (c == '-')
				return (c);
		}
	}

#define allowed_in_string(x) \
	(isalnum(x) || (ispunct(x) && x != '(' && x != ')' && \
	x != '{' && x != '}' && x != '<' && x != '>' && \
	x != '!' && x != '=' && x != '/' && x != '#' && \
	x != ','))

	if (isalnum(c) || c == ':' || c == '_' || c == '*') {
		do {
			*p++ = c;
			if ((unsigned)(p-buf) >= sizeof(buf)) {
				yyerror("string too long");
				return (findeol());
			}
		} while ((c = lgetc(0)) != EOF && (allowed_in_string(c)));
		lungetc(c);
		*p = '\0';
		if ((token = lookup(buf)) == STRING)
			if ((yylval.v.string = strdup(buf)) == NULL)
				err(1, "yylex: strdup");
		return (token);
	}
	if (c == '\n') {
		yylval.lineno = file->lineno;
		file->lineno++;
	}
	if (c == EOF)
		return (0);
	return (c);
}

int
check_file_secrecy(int fd, const char *fname)
{
	struct stat	st;

	if (fstat(fd, &st)) {
		warn("cannot stat %s", fname);
		return (-1);
	}
	if (st.st_uid != 0 && st.st_uid != getuid()) {
		warnx("%s: owner not root or current user", fname);
		return (-1);
	}
	if (st.st_mode & (S_IWGRP | S_IXGRP | S_IRWXO)) {
		warnx("%s: group writable or world read/writable", fname);
		return (-1);
	}
	return (0);
}

struct file *
pushfile(const char *name, int secret)
{
	struct file	*nfile;

	if ((nfile = calloc(1, sizeof(struct file))) == NULL) {
		warn("malloc");
		return (NULL);
	}
	if ((nfile->name = strdup(name)) == NULL) {
		warn("malloc");
		free(nfile);
		return (NULL);
	}
	if (TAILQ_FIRST(&files) == NULL && strcmp(nfile->name, "-") == 0) {
		nfile->stream = stdin;
		free(nfile->name);
		if ((nfile->name = strdup("stdin")) == NULL) {
			warn("strdup");
			free(nfile);
			return (NULL);
		}
	} else if ((nfile->stream = fopen(nfile->name, "r")) == NULL) {
		warn("%s", nfile->name);
		free(nfile->name);
		free(nfile);
		return (NULL);
	} else if (secret &&
	    check_file_secrecy(fileno(nfile->stream), nfile->name)) {
		fclose(nfile->stream);
		free(nfile->name);
		free(nfile);
		return (NULL);
	}
	nfile->lineno = 1;
	TAILQ_INSERT_TAIL(&files, nfile, entry);
	return (nfile);
}

int
popfile(void)
{
	struct file	*prev;

	if ((prev = TAILQ_PREV(file, files, entry)) != NULL) {
		prev->errors += file->errors;
		TAILQ_REMOVE(&files, file, entry);
		fclose(file->stream);
		free(file->name);
		free(file);
		file = prev;
		return (0);
	}
	return (EOF);
}

int
parse_config(const char *filename, struct iked *x_env)
{
	struct sym	*sym;
	int		 errors = 0;

	env = x_env;
	rules = 0;

	if ((file = pushfile(filename, 1)) == NULL)
		return (-1);

	decouple = passive = 0;

	if (env->sc_opts & IKED_OPT_PASSIVE)
		passive = 1;

	yyparse();
	errors = file->errors;
	popfile();

	env->sc_passive = passive ? 1 : 0;
	env->sc_decoupled = decouple ? 1 : 0;
	env->sc_ocsp_url = ocsp_url;

	if (!rules)
		log_warnx("%s: no valid configuration rules found",
		    filename);
	else
		log_debug("%s: loaded %d configuration rules",
		    filename, rules);

	/* Free macros and check which have not been used. */
	while ((sym = TAILQ_FIRST(&symhead))) {
		if (!sym->used)
			log_debug("warning: macro '%s' not "
			    "used\n", sym->nam);
		free(sym->nam);
		free(sym->val);
		TAILQ_REMOVE(&symhead, sym, entry);
		free(sym);
	}

	return (errors ? -1 : 0);
}

int
symset(const char *nam, const char *val, int persist)
{
	struct sym	*sym;

	TAILQ_FOREACH(sym, &symhead, entry) {
		if (strcmp(nam, sym->nam) == 0)
			break;
	}

	if (sym != NULL) {
		if (sym->persist == 1)
			return (0);
		else {
			free(sym->nam);
			free(sym->val);
			TAILQ_REMOVE(&symhead, sym, entry);
			free(sym);
		}
	}
	if ((sym = calloc(1, sizeof(*sym))) == NULL)
		return (-1);

	sym->nam = strdup(nam);
	if (sym->nam == NULL) {
		free(sym);
		return (-1);
	}
	sym->val = strdup(val);
	if (sym->val == NULL) {
		free(sym->nam);
		free(sym);
		return (-1);
	}
	sym->used = 0;
	sym->persist = persist;
	TAILQ_INSERT_TAIL(&symhead, sym, entry);
	return (0);
}

int
cmdline_symset(char *s)
{
	char	*sym, *val;
	int	ret;
	size_t	len;

	if ((val = strrchr(s, '=')) == NULL)
		return (-1);

	len = strlen(s) - strlen(val) + 1;
	if ((sym = malloc(len)) == NULL)
		err(1, "cmdline_symset: malloc");

	strlcpy(sym, s, len);

	ret = symset(sym, val + 1, 1);
	free(sym);

	return (ret);
}

char *
symget(const char *nam)
{
	struct sym	*sym;

	TAILQ_FOREACH(sym, &symhead, entry) {
		if (strcmp(nam, sym->nam) == 0) {
			sym->used = 1;
			return (sym->val);
		}
	}
	return (NULL);
}

uint8_t
x2i(unsigned char *s)
{
	char	ss[3];

	ss[0] = s[0];
	ss[1] = s[1];
	ss[2] = 0;

	if (!isxdigit(s[0]) || !isxdigit(s[1])) {
		yyerror("keys need to be specified in hex digits");
		return (-1);
	}
	return ((uint8_t)strtoul(ss, NULL, 16));
}

int
parsekey(unsigned char *hexkey, size_t len, struct iked_auth *auth)
{
	unsigned int	  i;

	bzero(auth, sizeof(*auth));
	if ((len / 2) > sizeof(auth->auth_data))
		return (-1);
	auth->auth_length = len / 2;

	for (i = 0; i < auth->auth_length; i++)
		auth->auth_data[i] = x2i(hexkey + 2 * i);

	return (0);
}

int
parsekeyfile(char *filename, struct iked_auth *auth)
{
	struct stat	 sb;
	int		 fd, ret;
	unsigned char	*hex;

	if ((fd = open(filename, O_RDONLY)) < 0)
		err(1, "open %s", filename);
	if (fstat(fd, &sb) < 0)
		err(1, "parsekeyfile: stat %s", filename);
	if ((sb.st_size > KEYSIZE_LIMIT) || (sb.st_size == 0))
		errx(1, "%s: key too %s", filename, sb.st_size ? "large" :
		    "small");
	if ((hex = calloc(sb.st_size, sizeof(unsigned char))) == NULL)
		err(1, "parsekeyfile: calloc");
	if (read(fd, hex, sb.st_size) < sb.st_size)
		err(1, "parsekeyfile: read");
	close(fd);
	ret = parsekey(hex, sb.st_size, auth);
	free(hex);
	return (ret);
}

int
get_id_type(char *string)
{
	struct in6_addr ia;

	if (string == NULL)
		return (IKEV2_ID_NONE);

	if (*string == '/')
		return (IKEV2_ID_ASN1_DN);
	else if (inet_pton(AF_INET, string, &ia) == 1)
		return (IKEV2_ID_IPV4);
	else if (inet_pton(AF_INET6, string, &ia) == 1)
		return (IKEV2_ID_IPV6);
	else if (strchr(string, '@'))
		return (IKEV2_ID_UFQDN);
	else
		return (IKEV2_ID_FQDN);
}

EVP_PKEY *
wrap_pubkey(FILE *fp)
{
	EVP_PKEY	*key = NULL;
	struct rsa_st	*rsa = NULL;

	key = PEM_read_PUBKEY(fp, NULL, NULL, NULL);
	if (key == NULL) {
		/* reading PKCS #8 failed, try PEM */
		rewind(fp);
		rsa = PEM_read_RSAPublicKey(fp, NULL, NULL, NULL);
		fclose(fp);
		if (rsa == NULL)
			return (NULL);
		if ((key = EVP_PKEY_new()) == NULL) {
			RSA_free(rsa);
			return (NULL);
		}
		if (!EVP_PKEY_set1_RSA(key, rsa)) {
			RSA_free(rsa);
			EVP_PKEY_free(key);
			return (NULL);
		}
		/* Always free RSA *rsa */
		RSA_free(rsa);
	} else {
		fclose(fp);
	}

	return (key);
}

EVP_PKEY *
find_pubkey(const char *keyfile)
{
	FILE		*fp = NULL;
	if ((fp = fopen(keyfile, "r")) == NULL)
		return (NULL);

	return (wrap_pubkey(fp));
}

int
set_policy_auth_method(const char *peerid, EVP_PKEY *key,
    struct iked_policy *pol)
{
	struct rsa_st		*rsa;
	EC_KEY			*ec_key;
	u_int8_t		 method;
	u_int8_t		 cert_type;
	struct iked_auth	*ikeauth;

	method = IKEV2_AUTH_NONE;
	cert_type = IKEV2_CERT_NONE;

	if (key != NULL) {
		/* infer policy from key type */
		if ((rsa = EVP_PKEY_get1_RSA(key)) != NULL) {
			method = IKEV2_AUTH_RSA_SIG;
			cert_type = IKEV2_CERT_RSA_KEY;
			RSA_free(rsa);
		} else if ((ec_key = EVP_PKEY_get1_EC_KEY(key)) != NULL) {
			const EC_GROUP *group = EC_KEY_get0_group(ec_key);
			if (group == NULL) {
				EC_KEY_free(ec_key);
				return (-1);
			}
			switch (EC_GROUP_get_degree(group)) {
			case 256:
				method = IKEV2_AUTH_ECDSA_256;
				break;
			case 384:
				method = IKEV2_AUTH_ECDSA_384;
				break;
			case 521:
				method = IKEV2_AUTH_ECDSA_521;
				break;
			default:
				EC_KEY_free(ec_key);
				return (-1);
			}
			cert_type = IKEV2_CERT_ECDSA;
			EC_KEY_free(ec_key);
		}

		if (method == IKEV2_AUTH_NONE || cert_type == IKEV2_CERT_NONE)
			return (-1);
	} else {
		/* default to IKEV2_CERT_X509_CERT otherwise */
		method = IKEV2_AUTH_SIG;
		cert_type = IKEV2_CERT_X509_CERT;
	}

	ikeauth = &pol->pol_auth;

	if (ikeauth->auth_method == IKEV2_AUTH_SHARED_KEY_MIC) {
		if (key != NULL &&
		    method != IKEV2_AUTH_RSA_SIG)
			goto mismatch;
		return (0);
	}

	if (ikeauth->auth_method != IKEV2_AUTH_NONE &&
	    ikeauth->auth_method != IKEV2_AUTH_SIG_ANY &&
	    ikeauth->auth_method != method)
		goto mismatch;

	ikeauth->auth_method = method;
	pol->pol_certreqtype = cert_type;

	log_debug("%s: using %s for peer %s", __func__,
	    print_xf(method, 0, methodxfs), peerid);

	return (0);

 mismatch:
	log_warnx("%s: ikeauth policy mismatch, %s specified, but only %s "
	    "possible", __func__, print_xf(ikeauth->auth_method, 0, methodxfs),
	    print_xf(method, 0, methodxfs));
	return (-1);
}

int
set_policy(char *idstr, int type, struct iked_policy *pol)
{
	char		 keyfile[PATH_MAX];
	const char	*prefix = NULL;
	EVP_PKEY	*key = NULL;

	switch (type) {
	case IKEV2_ID_IPV4:
		prefix = "ipv4";
		break;
	case IKEV2_ID_IPV6:
		prefix = "ipv6";
		break;
	case IKEV2_ID_FQDN:
		prefix = "fqdn";
		break;
	case IKEV2_ID_UFQDN:
		prefix = "ufqdn";
		break;
	case IKEV2_ID_ASN1_DN:
		/* public key authentication is not supported with ASN.1 IDs */
		goto done;
	default:
		/* Unspecified ID or public key not supported for this type */
		log_debug("%s: unknown type = %d", __func__, type);
		return (-1);
	}

	lc_string(idstr);
	if ((size_t)snprintf(keyfile, sizeof(keyfile),
	    IKED_CA IKED_PUBKEY_DIR "%s/%s", prefix,
	    idstr) >= sizeof(keyfile)) {
		log_warnx("%s: public key path is too long", __func__);
		return (-1);
	}

	if ((key = find_pubkey(keyfile)) == NULL) {
		log_warnx("%s: could not find pubkey for %s", __func__,
		    keyfile);
	}

 done:
	if (set_policy_auth_method(keyfile, key, pol) < 0) {
		EVP_PKEY_free(key);
		log_warnx("%s: failed to set policy auth method for %s",
		    __func__, keyfile);
		return (-1);
	}

	if (key != NULL) {
		EVP_PKEY_free(key);
		log_debug("%s: found pubkey for %s", __func__, keyfile);
	}

	return (0);
}

struct ipsec_addr_wrap *
host(const char *s)
{
	struct ipsec_addr_wrap	*ipa = NULL;
	int			 mask, cont = 1;
	char			*p, *q, *ps;

	if ((p = strrchr(s, '/')) != NULL) {
		errno = 0;
		mask = strtol(p + 1, &q, 0);
		if (errno == ERANGE || !q || *q || mask > 128 || q == (p + 1))
			errx(1, "host: invalid netmask '%s'", p);
		if ((ps = malloc(strlen(s) - strlen(p) + 1)) == NULL)
			err(1, "host: calloc");
		strlcpy(ps, s, strlen(s) - strlen(p) + 1);
	} else {
		if ((ps = strdup(s)) == NULL)
			err(1, "host: strdup");
		mask = -1;
	}

	/* Does interface with this name exist? */
	if (cont && (ipa = host_if(ps, mask)) != NULL)
		cont = 0;

	/* IPv4 address? */
	if (cont && (ipa = host_v4(s, mask == -1 ? 32 : mask)) != NULL)
		cont = 0;

	/* IPv6 address? */
	if (cont && (ipa = host_v6(ps, mask == -1 ? 128 : mask)) != NULL)
		cont = 0;

	/* dns lookup */
	if (cont && mask == -1 && (ipa = host_dns(s, mask)) != NULL)
		cont = 0;
	free(ps);

	if (ipa == NULL || cont == 1) {
		fprintf(stderr, "no IP address found for %s\n", s);
		return (NULL);
	}
	return (ipa);
}

struct ipsec_addr_wrap *
host_v6(const char *s, int prefixlen)
{
	struct ipsec_addr_wrap	*ipa = NULL;
	struct addrinfo		 hints, *res;
	char			 hbuf[NI_MAXHOST];

	bzero(&hints, sizeof(struct addrinfo));
	hints.ai_family = AF_INET6;
	hints.ai_socktype = SOCK_STREAM;
	hints.ai_flags = AI_NUMERICHOST;
	if (getaddrinfo(s, NULL, &hints, &res))
		return (NULL);
	if (res->ai_next)
		err(1, "host_v6: numeric hostname expanded to multiple item");

	ipa = calloc(1, sizeof(struct ipsec_addr_wrap));
	if (ipa == NULL)
		err(1, "host_v6: calloc");
	ipa->af = res->ai_family;
	memcpy(&ipa->address, res->ai_addr, sizeof(struct sockaddr_in6));
	if (prefixlen > 128)
		prefixlen = 128;
	ipa->next = NULL;
	ipa->tail = ipa;

	set_ipmask(ipa, prefixlen);
	if (getnameinfo(res->ai_addr, res->ai_addrlen,
	    hbuf, sizeof(hbuf), NULL, 0, NI_NUMERICHOST)) {
		errx(1, "could not get a numeric hostname");
	}

	if (prefixlen != 128) {
		ipa->netaddress = 1;
		if (asprintf(&ipa->name, "%s/%d", hbuf, prefixlen) == -1)
			err(1, "host_v6: asprintf");
	} else {
		if ((ipa->name = strdup(hbuf)) == NULL)
			err(1, "host_v6: strdup");
	}

	freeaddrinfo(res);

	return (ipa);
}

struct ipsec_addr_wrap *
host_v4(const char *s, int mask)
{
	struct ipsec_addr_wrap	*ipa = NULL;
	struct sockaddr_in	 ina;
	int			 bits = 32;

	bzero(&ina, sizeof(ina));
	if (strrchr(s, '/') != NULL) {
		if ((bits = inet_net_pton(AF_INET, s, &ina.sin_addr,
		    sizeof(ina.sin_addr))) == -1)
			return (NULL);
	} else {
		if (inet_pton(AF_INET, s, &ina.sin_addr) != 1)
			return (NULL);
	}

	ipa = calloc(1, sizeof(struct ipsec_addr_wrap));
	if (ipa == NULL)
		err(1, "host_v4: calloc");

	ina.sin_family = AF_INET;
	ina.sin_len = sizeof(ina);
	memcpy(&ipa->address, &ina, sizeof(ina));

	ipa->name = strdup(s);
	if (ipa->name == NULL)
		err(1, "host_v4: strdup");
	ipa->af = AF_INET;
	ipa->next = NULL;
	ipa->tail = ipa;

	set_ipmask(ipa, bits);
	if (strrchr(s, '/') != NULL)
		ipa->netaddress = 1;

	return (ipa);
}

struct ipsec_addr_wrap *
host_dns(const char *s, int mask)
{
	struct ipsec_addr_wrap	*ipa = NULL, *head = NULL;
	struct addrinfo		 hints, *res0, *res;
	int			 error;
	char			 hbuf[NI_MAXHOST];

	bzero(&hints, sizeof(struct addrinfo));
	hints.ai_family = PF_UNSPEC;
	hints.ai_socktype = SOCK_STREAM;
	hints.ai_flags = AI_ADDRCONFIG;
	error = getaddrinfo(s, NULL, &hints, &res0);
	if (error)
		return (NULL);

	for (res = res0; res; res = res->ai_next) {
		if (res->ai_family != AF_INET && res->ai_family != AF_INET6)
			continue;

		ipa = calloc(1, sizeof(struct ipsec_addr_wrap));
		if (ipa == NULL)
			err(1, "host_dns: calloc");
		switch (res->ai_family) {
		case AF_INET:
			memcpy(&ipa->address, res->ai_addr,
			    sizeof(struct sockaddr_in));
			break;
		case AF_INET6:
			memcpy(&ipa->address, res->ai_addr,
			    sizeof(struct sockaddr_in6));
			break;
		}
		error = getnameinfo(res->ai_addr, res->ai_addrlen, hbuf,
		    sizeof(hbuf), NULL, 0, NI_NUMERICHOST);
		if (error)
			err(1, "host_dns: getnameinfo");
		ipa->name = strdup(hbuf);
		if (ipa->name == NULL)
			err(1, "host_dns: strdup");
		ipa->af = res->ai_family;
		ipa->next = NULL;
		ipa->tail = ipa;
		if (head == NULL)
			head = ipa;
		else {
			head->tail->next = ipa;
			head->tail = ipa;
		}

		/*
		 * XXX for now, no netmask support for IPv6.
		 * but since there's no way to specify address family, once you
		 * have IPv6 address on a host, you cannot use dns/netmask
		 * syntax.
		 */
		if (ipa->af == AF_INET)
			set_ipmask(ipa, mask == -1 ? 32 : mask);
		else
			if (mask != -1)
				err(1, "host_dns: cannot apply netmask "
				    "on non-IPv4 address");
	}
	freeaddrinfo(res0);

	return (head);
}

struct ipsec_addr_wrap *
host_if(const char *s, int mask)
{
	struct ipsec_addr_wrap *ipa = NULL;

	if (ifa_exists(s))
		ipa = ifa_lookup(s);

	return (ipa);
}

struct ipsec_addr_wrap *
host_any(void)
{
	struct ipsec_addr_wrap	*ipa;

	ipa = calloc(1, sizeof(struct ipsec_addr_wrap));
	if (ipa == NULL)
		err(1, "host_any: calloc");
	ipa->af = AF_UNSPEC;
	ipa->netaddress = 1;
	ipa->tail = ipa;
	return (ipa);
}

/* interface lookup routintes */

struct ipsec_addr_wrap	*iftab;

void
ifa_load(void)
{
	struct ifaddrs		*ifap, *ifa;
	struct ipsec_addr_wrap	*n = NULL, *h = NULL;
	struct sockaddr_in	*sa_in;
	struct sockaddr_in6	*sa_in6;

	if (getifaddrs(&ifap) < 0)
		err(1, "ifa_load: getifaddrs");

	for (ifa = ifap; ifa; ifa = ifa->ifa_next) {
		if (!(ifa->ifa_addr->sa_family == AF_INET ||
		    ifa->ifa_addr->sa_family == AF_INET6 ||
		    ifa->ifa_addr->sa_family == AF_LINK))
			continue;
		n = calloc(1, sizeof(struct ipsec_addr_wrap));
		if (n == NULL)
			err(1, "ifa_load: calloc");
		n->af = ifa->ifa_addr->sa_family;
		if ((n->name = strdup(ifa->ifa_name)) == NULL)
			err(1, "ifa_load: strdup");
		if (n->af == AF_INET) {
			sa_in = (struct sockaddr_in *)ifa->ifa_addr;
			memcpy(&n->address, sa_in, sizeof(*sa_in));
			sa_in = (struct sockaddr_in *)ifa->ifa_netmask;
			n->mask = mask2prefixlen((struct sockaddr *)sa_in);
		} else if (n->af == AF_INET6) {
			sa_in6 = (struct sockaddr_in6 *)ifa->ifa_addr;
			memcpy(&n->address, sa_in6, sizeof(*sa_in6));
			sa_in6 = (struct sockaddr_in6 *)ifa->ifa_netmask;
			n->mask = mask2prefixlen6((struct sockaddr *)sa_in6);
		}
		n->next = NULL;
		n->tail = n;
		if (h == NULL)
			h = n;
		else {
			h->tail->next = n;
			h->tail = n;
		}
	}

	iftab = h;
	freeifaddrs(ifap);
}

int
ifa_exists(const char *ifa_name)
{
	struct ipsec_addr_wrap	*n;
	struct ifgroupreq	 ifgr;
	int			 s;

	if (iftab == NULL)
		ifa_load();

	/* check wether this is a group */
	if ((s = socket(AF_INET, SOCK_DGRAM, 0)) == -1)
		err(1, "ifa_exists: socket");
	bzero(&ifgr, sizeof(ifgr));
	strlcpy(ifgr.ifgr_name, ifa_name, sizeof(ifgr.ifgr_name));
	if (ioctl(s, SIOCGIFGMEMB, (caddr_t)&ifgr) == 0) {
		close(s);
		return (1);
	}
	close(s);

	for (n = iftab; n; n = n->next) {
		if (n->af == AF_LINK && !strncmp(n->name, ifa_name,
		    IFNAMSIZ))
			return (1);
	}

	return (0);
}

struct ipsec_addr_wrap *
ifa_grouplookup(const char *ifa_name)
{
	struct ifg_req		*ifg;
	struct ifgroupreq	 ifgr;
	int			 s;
	size_t			 len;
	struct ipsec_addr_wrap	*n, *h = NULL, *hn;

	if ((s = socket(AF_INET, SOCK_DGRAM, 0)) == -1)
		err(1, "socket");
	bzero(&ifgr, sizeof(ifgr));
	strlcpy(ifgr.ifgr_name, ifa_name, sizeof(ifgr.ifgr_name));
	if (ioctl(s, SIOCGIFGMEMB, (caddr_t)&ifgr) == -1) {
		close(s);
		return (NULL);
	}

	len = ifgr.ifgr_len;
	if ((ifgr.ifgr_groups = calloc(1, len)) == NULL)
		err(1, "calloc");
	if (ioctl(s, SIOCGIFGMEMB, (caddr_t)&ifgr) == -1)
		err(1, "ioctl");

	for (ifg = ifgr.ifgr_groups; ifg && len >= sizeof(struct ifg_req);
	    ifg++) {
		len -= sizeof(struct ifg_req);
		if ((n = ifa_lookup(ifg->ifgrq_member)) == NULL)
			continue;
		if (h == NULL)
			h = n;
		else {
			for (hn = h; hn->next != NULL; hn = hn->next)
				;	/* nothing */
			hn->next = n;
			n->tail = hn;
		}
	}
	free(ifgr.ifgr_groups);
	close(s);

	return (h);
}

struct ipsec_addr_wrap *
ifa_lookup(const char *ifa_name)
{
	struct ipsec_addr_wrap	*p = NULL, *h = NULL, *n = NULL;
	struct sockaddr_in6	*in6;
	uint8_t			*s6;

	if (iftab == NULL)
		ifa_load();

	if ((n = ifa_grouplookup(ifa_name)) != NULL)
		return (n);

	for (p = iftab; p; p = p->next) {
		if (p->af != AF_INET && p->af != AF_INET6)
			continue;
		if (strncmp(p->name, ifa_name, IFNAMSIZ))
			continue;
		n = calloc(1, sizeof(struct ipsec_addr_wrap));
		if (n == NULL)
			err(1, "ifa_lookup: calloc");
		memcpy(n, p, sizeof(struct ipsec_addr_wrap));
		if ((n->name = strdup(p->name)) == NULL)
			err(1, "ifa_lookup: strdup");
		switch (n->af) {
		case AF_INET:
			set_ipmask(n, 32);
			break;
		case AF_INET6:
			in6 = (struct sockaddr_in6 *)&n->address;
			s6 = (uint8_t *)&in6->sin6_addr.s6_addr;

			/* route/show.c and bgpd/util.c give KAME credit */
			if (IN6_IS_ADDR_LINKLOCAL(&in6->sin6_addr)) {
				uint16_t	 tmp16;

				/* for now we can not handle link local,
				 * therefore bail for now
				 */
				free(n);
				continue;

				memcpy(&tmp16, &s6[2], sizeof(tmp16));
				/* use this when we support link-local
				 * n->??.scopeid = ntohs(tmp16);
				 */
				s6[2] = 0;
				s6[3] = 0;
			}
			set_ipmask(n, 128);
			break;
		}

		n->next = NULL;
		n->tail = n;
		if (h == NULL)
			h = n;
		else {
			h->tail->next = n;
			h->tail = n;
		}
	}

	return (h);
}

void
set_ipmask(struct ipsec_addr_wrap *address, uint8_t b)
{
	address->mask = b;
}

const struct ipsec_xf *
parse_xf(const char *name, unsigned int length, const struct ipsec_xf xfs[])
{
	int		i;

	for (i = 0; xfs[i].name != NULL; i++) {
		if (strncmp(name, xfs[i].name, strlen(name)))
			continue;
		if (length == 0 || length == xfs[i].length)
			return &xfs[i];
	}
	return (NULL);
}

const char *
print_xf(unsigned int id, unsigned int length, const struct ipsec_xf xfs[])
{
	int		i;

	for (i = 0; xfs[i].name != NULL; i++) {
		if (xfs[i].id == id) {
			if (length == 0 || length == xfs[i].length)
				return (xfs[i].name);
		}
	}
	return ("unknown");
}

size_t
keylength_xf(unsigned int saproto, unsigned int type, unsigned int id)
{
	int			 i;
	const struct ipsec_xf	*xfs;

	switch (type) {
	case IKEV2_XFORMTYPE_ENCR:
		if (saproto == IKEV2_SAPROTO_IKE)
			xfs = ikeencxfs;
		else
			xfs = ipsecencxfs;
		break;
	case IKEV2_XFORMTYPE_INTEGR:
		xfs = authxfs;
		break;
	default:
		return (0);
	}

	for (i = 0; xfs[i].name != NULL; i++) {
		if (xfs[i].id == id)
			return (xfs[i].length * 8);
	}
	return (0);
}

size_t
noncelength_xf(unsigned int type, unsigned int id)
{
	const struct ipsec_xf	*xfs = ipsecencxfs;
	int			 i;

	if (type != IKEV2_XFORMTYPE_ENCR)
		return (0);

	for (i = 0; xfs[i].name != NULL; i++)
		if (xfs[i].id == id)
			return (xfs[i].nonce * 8);
	return (0);
}

void
print_user(struct iked_user *usr)
{
	print_verbose("user \"%s\" \"%s\"\n", usr->usr_name, usr->usr_pass);
}

void
print_policy(struct iked_policy *pol)
{
	struct iked_proposal	*pp;
	struct iked_transform	*xform;
	struct iked_flow	*flow;
	struct iked_cfg		*cfg;
	unsigned int		 i, j;
	const struct ipsec_xf	*xfs = NULL;

	print_verbose("ikev2");

	if (pol->pol_name[0] != '\0')
		print_verbose(" \"%s\"", pol->pol_name);

	if (pol->pol_flags & IKED_POLICY_DEFAULT)
		print_verbose(" default");
	else if (pol->pol_flags & IKED_POLICY_QUICK)
		print_verbose(" quick");
	else if (pol->pol_flags & IKED_POLICY_SKIP)
		print_verbose(" skip");

	if (pol->pol_flags & IKED_POLICY_ACTIVE)
		print_verbose(" active");
	else
		print_verbose(" passive");

	print_verbose(" %s", print_xf(pol->pol_saproto, 0, saxfs));

	if (pol->pol_ipproto)
		print_verbose(" proto %s", print_proto(pol->pol_ipproto));

	if (pol->pol_af) {
		if (pol->pol_af == AF_INET)
			print_verbose(" inet");
		else
			print_verbose(" inet6");
	}

	RB_FOREACH(flow, iked_flows, &pol->pol_flows) {
		print_verbose(" from %s",
		    print_host((struct sockaddr *)&flow->flow_src.addr, NULL,
		    0));
		if (flow->flow_src.addr_af != AF_UNSPEC &&
		    flow->flow_src.addr_net)
			print_verbose("/%d", flow->flow_src.addr_mask);
		if (flow->flow_src.addr_port)
			print_verbose(" port %d",
			    ntohs(flow->flow_src.addr_port));

		print_verbose(" to %s",
		    print_host((struct sockaddr *)&flow->flow_dst.addr, NULL,
		    0));
		if (flow->flow_dst.addr_af != AF_UNSPEC &&
		    flow->flow_dst.addr_net)
			print_verbose("/%d", flow->flow_dst.addr_mask);
		if (flow->flow_dst.addr_port)
			print_verbose(" port %d",
			    ntohs(flow->flow_dst.addr_port));
	}

	if ((pol->pol_flags & IKED_POLICY_DEFAULT) == 0) {
		print_verbose(" local %s",
		    print_host((struct sockaddr *)&pol->pol_local.addr, NULL,
		    0));
		if (pol->pol_local.addr.ss_family != AF_UNSPEC &&
		    pol->pol_local.addr_net)
			print_verbose("/%d", pol->pol_local.addr_mask);

		print_verbose(" peer %s",
		    print_host((struct sockaddr *)&pol->pol_peer.addr, NULL,
		    0));
		if (pol->pol_peer.addr.ss_family != AF_UNSPEC &&
		    pol->pol_peer.addr_net)
			print_verbose("/%d", pol->pol_peer.addr_mask);
	}

	TAILQ_FOREACH(pp, &pol->pol_proposals, prop_entry) {
		if (!pp->prop_nxforms)
			continue;
		if (pp->prop_protoid == IKEV2_SAPROTO_IKE)
			print_verbose(" ikesa");
		else
			print_verbose(" childsa");

		for (j = 0; ikev2_xformtype_map[j].cm_type != 0; j++) {
			xfs = NULL;

			for (i = 0; i < pp->prop_nxforms; i++) {
				xform = pp->prop_xforms + i;

				if (xform->xform_type !=
				    ikev2_xformtype_map[j].cm_type)
					continue;

				if (xfs != NULL) {
					print_verbose(",");
				} else {
					switch (xform->xform_type) {
					case IKEV2_XFORMTYPE_INTEGR:
						print_verbose(" auth ");
						xfs = authxfs;
						break;
					case IKEV2_XFORMTYPE_ENCR:
						print_verbose(" enc ");
						if (pp->prop_protoid ==
						    IKEV2_SAPROTO_IKE)
							xfs = ikeencxfs;
						else
							xfs = ipsecencxfs;
						break;
					case IKEV2_XFORMTYPE_PRF:
						print_verbose(" prf ");
						xfs = prfxfs;
						break;
					case IKEV2_XFORMTYPE_DH:
						print_verbose(" group ");
						xfs = groupxfs;
						break;
					default:
						continue;
					}
				}

				print_verbose("%s", print_xf(xform->xform_id,
				    xform->xform_length / 8, xfs));
			}
		}
	}

	if (pol->pol_localid.id_length != 0)
		print_verbose(" srcid %s", pol->pol_localid.id_data);
	if (pol->pol_peerid.id_length != 0)
		print_verbose(" dstid %s", pol->pol_peerid.id_data);

	if (pol->pol_rekey)
		print_verbose(" ikelifetime %u", pol->pol_rekey);

	print_verbose(" lifetime %llu bytes %llu",
	    pol->pol_lifetime.lt_seconds, pol->pol_lifetime.lt_bytes);

	switch (pol->pol_auth.auth_method) {
	case IKEV2_AUTH_NONE:
		print_verbose (" none");
		break;
	case IKEV2_AUTH_SHARED_KEY_MIC:
		print_verbose(" psk 0x");
		for (i = 0; i < pol->pol_auth.auth_length; i++)
			print_verbose("%02x", pol->pol_auth.auth_data[i]);
		break;
	default:
		if (pol->pol_auth.auth_eap)
			print_verbose(" eap \"%s\"",
			    print_map(pol->pol_auth.auth_eap, eap_type_map));
		else
			print_verbose(" %s",
			    print_xf(pol->pol_auth.auth_method, 0, methodxfs));
	}

	for (i = 0; i < pol->pol_ncfg; i++) {
		cfg = &pol->pol_cfg[i];
		print_verbose(" config %s %s", print_xf(cfg->cfg_type,
		    cfg->cfg.address.addr_af, cpxfs),
		    print_host((struct sockaddr *)&cfg->cfg.address.addr, NULL,
		    0));
	}

	if (pol->pol_tag[0] != '\0')
		print_verbose(" tag \"%s\"", pol->pol_tag);

	if (pol->pol_tap != 0)
		print_verbose(" tap \"enc%u\"", pol->pol_tap);

	print_verbose("\n");
}

void
copy_transforms(unsigned int type, const struct ipsec_xf *xf,
    const struct ipsec_xf *xfs,
    struct iked_transform *dst, size_t ndst,
    unsigned int *n, struct iked_transform *src, size_t nsrc)
{
	unsigned int		 i;
	struct iked_transform	*a, *b;

	if (xf != NULL) {
		if (*n >= ndst)
			return;
		b = dst + (*n)++;

		b->xform_type = type;
		b->xform_id = xf->id;
		b->xform_keylength = xf->length * 8;
		b->xform_length = xf->keylength * 8;
		return;
	}

	for (i = 0; i < nsrc; i++) {
		a = src + i;
		if (a->xform_type != type)
			continue;
		if (*n >= ndst)
			return;
		b = dst + (*n)++;
		memcpy(b, a, sizeof(*b));
	}
}

int
create_ike(char *name, int af, uint8_t ipproto, struct ipsec_hosts *hosts,
    struct ipsec_hosts *peers, struct ipsec_mode *ike_sa,
    struct ipsec_mode *ipsec_sa, uint8_t saproto,
    uint8_t flags, char *srcid, char *dstid,
    uint32_t ikelifetime, struct iked_lifetime *lt,
    struct iked_auth *authtype, struct ipsec_filters *filter,
    struct ipsec_addr_wrap *ikecfg)
{
	char			 idstr[IKED_ID_SIZE];
	unsigned int		 idtype = IKEV2_ID_NONE;
	struct ipsec_addr_wrap	*ipa, *ipb, *ippn;
	struct iked_policy	 pol;
	struct iked_proposal	 prop[2];
	unsigned int		 j;
	struct iked_transform	 ikexforms[64], ipsecxforms[64];
	struct iked_flow	 flows[64];
	static unsigned int	 policy_id = 0;
	struct iked_cfg		*cfg;

	bzero(&pol, sizeof(pol));
	bzero(&prop, sizeof(prop));
	bzero(&ikexforms, sizeof(ikexforms));
	bzero(&ipsecxforms, sizeof(ipsecxforms));
	bzero(&flows, sizeof(flows));
	bzero(idstr, sizeof(idstr));

	pol.pol_id = ++policy_id;
	pol.pol_certreqtype = env->sc_certreqtype;
	pol.pol_af = af;
	pol.pol_saproto = saproto;
	pol.pol_ipproto = ipproto;
	pol.pol_flags = flags;
	memcpy(&pol.pol_auth, authtype, sizeof(struct iked_auth));

	if (name != NULL) {
		if (strlcpy(pol.pol_name, name,
		    sizeof(pol.pol_name)) >= sizeof(pol.pol_name)) {
			yyerror("name too long");
			return (-1);
		}
	} else {
		snprintf(pol.pol_name, sizeof(pol.pol_name),
		    "policy%d", policy_id);
	}

	if (srcid) {
		pol.pol_localid.id_type = get_id_type(srcid);
		pol.pol_localid.id_length = strlen(srcid);
		if (strlcpy((char *)pol.pol_localid.id_data,
		    srcid, IKED_ID_SIZE) >= IKED_ID_SIZE) {
			yyerror("srcid too long");
			return (-1);
		}
	}
	if (dstid) {
		pol.pol_peerid.id_type = get_id_type(dstid);
		pol.pol_peerid.id_length = strlen(dstid);
		if (strlcpy((char *)pol.pol_peerid.id_data,
		    dstid, IKED_ID_SIZE) >= IKED_ID_SIZE) {
			yyerror("dstid too long");
			return (-1);
		}
	}

	if (filter != NULL) {
		if (filter->tag)
			strlcpy(pol.pol_tag, filter->tag, sizeof(pol.pol_tag));
		pol.pol_tap = filter->tap;
	}

	if (peers == NULL) {
		if (pol.pol_flags & IKED_POLICY_ACTIVE) {
			yyerror("active mode requires peer specification");
			return (-1);
		}
		pol.pol_flags |= IKED_POLICY_DEFAULT|IKED_POLICY_SKIP;
	}

	if (peers && peers->src && peers->dst &&
	    (peers->src->af != AF_UNSPEC) && (peers->dst->af != AF_UNSPEC) &&
	    (peers->src->af != peers->dst->af))
		fatalx("create_ike: peer address family mismatch");

	if (peers && (pol.pol_af != AF_UNSPEC) &&
	    ((peers->src && (peers->src->af != AF_UNSPEC) &&
	    (peers->src->af != pol.pol_af)) ||
	    (peers->dst && (peers->dst->af != AF_UNSPEC) &&
	    (peers->dst->af != pol.pol_af))))
		fatalx("create_ike: policy address family mismatch");

	ipa = ipb = NULL;
	if (peers) {
		if (peers->src)
			ipa = peers->src;
		if (peers->dst)
			ipb = peers->dst;
		if (ipa == NULL && ipb == NULL) {
			if (hosts->src && hosts->src->next == NULL)
				ipa = hosts->src;
			if (hosts->dst && hosts->dst->next == NULL)
				ipb = hosts->dst;
		}
	}
	if (ipa == NULL && ipb == NULL) {
		yyerror("could not get local/peer specification");
		return (-1);
	}
	if (pol.pol_flags & IKED_POLICY_ACTIVE) {
		if (ipb == NULL || ipb->netaddress ||
		    (ipa != NULL && ipa->netaddress)) {
			yyerror("active mode requires local/peer address");
			return (-1);
		}
	}
	if (ipa) {
		memcpy(&pol.pol_local.addr, &ipa->address,
		    sizeof(ipa->address));
		pol.pol_local.addr_af = ipa->af;
		pol.pol_local.addr_mask = ipa->mask;
		pol.pol_local.addr_net = ipa->netaddress;
		if (pol.pol_af == AF_UNSPEC)
			pol.pol_af = ipa->af;
	}
	if (ipb) {
		memcpy(&pol.pol_peer.addr, &ipb->address,
		    sizeof(ipb->address));
		pol.pol_peer.addr_af = ipb->af;
		pol.pol_peer.addr_mask = ipb->mask;
		pol.pol_peer.addr_net = ipb->netaddress;
		if (pol.pol_af == AF_UNSPEC)
			pol.pol_af = ipb->af;
	}

	if (ikelifetime)
		pol.pol_rekey = ikelifetime;

	if (lt)
		pol.pol_lifetime = *lt;
	else
		pol.pol_lifetime = deflifetime;

	TAILQ_INIT(&pol.pol_proposals);
	RB_INIT(&pol.pol_flows);

	prop[0].prop_id = ++pol.pol_nproposals;
	prop[0].prop_protoid = IKEV2_SAPROTO_IKE;
	if (ike_sa == NULL || ike_sa->xfs == NULL) {
		prop[0].prop_nxforms = ikev2_default_nike_transforms;
		prop[0].prop_xforms = ikev2_default_ike_transforms;
	} else {
		j = 0;
		copy_transforms(IKEV2_XFORMTYPE_INTEGR,
		    ike_sa->xfs->authxf, authxfs,
		    ikexforms, nitems(ikexforms), &j,
		    ikev2_default_ike_transforms,
		    ikev2_default_nike_transforms);
		copy_transforms(IKEV2_XFORMTYPE_ENCR,
		    ike_sa->xfs->encxf, ikeencxfs,
		    ikexforms, nitems(ikexforms), &j,
		    ikev2_default_ike_transforms,
		    ikev2_default_nike_transforms);
		copy_transforms(IKEV2_XFORMTYPE_DH,
		    ike_sa->xfs->groupxf, groupxfs,
		    ikexforms, nitems(ikexforms), &j,
		    ikev2_default_ike_transforms,
		    ikev2_default_nike_transforms);
		copy_transforms(IKEV2_XFORMTYPE_PRF,
		    ike_sa->xfs->prfxf, prfxfs,
		    ikexforms, nitems(ikexforms), &j,
		    ikev2_default_ike_transforms,
		    ikev2_default_nike_transforms);
		prop[0].prop_nxforms = j;
		prop[0].prop_xforms = ikexforms;
	}
	TAILQ_INSERT_TAIL(&pol.pol_proposals, &prop[0], prop_entry);

	prop[1].prop_id = ++pol.pol_nproposals;
	prop[1].prop_protoid = saproto;
	if (ipsec_sa == NULL || ipsec_sa->xfs == NULL) {
		prop[1].prop_nxforms = ikev2_default_nesp_transforms;
		prop[1].prop_xforms = ikev2_default_esp_transforms;
	} else {
		j = 0;
		if (ipsec_sa->xfs->encxf && ipsec_sa->xfs->encxf->noauth &&
		    ipsec_sa->xfs->authxf) {
			yyerror("authentication is implicit for %s",
			    ipsec_sa->xfs->encxf->name);
			return (-1);
		}
		if (ipsec_sa->xfs->encxf == NULL ||
		    (ipsec_sa->xfs->encxf && !ipsec_sa->xfs->encxf->noauth))
			copy_transforms(IKEV2_XFORMTYPE_INTEGR,
			    ipsec_sa->xfs->authxf, authxfs,
			    ipsecxforms, nitems(ipsecxforms), &j,
			    ikev2_default_esp_transforms,
			    ikev2_default_nesp_transforms);
		copy_transforms(IKEV2_XFORMTYPE_ENCR,
		    ipsec_sa->xfs->encxf, ipsecencxfs,
		    ipsecxforms, nitems(ipsecxforms), &j,
		    ikev2_default_esp_transforms,
		    ikev2_default_nesp_transforms);
		copy_transforms(IKEV2_XFORMTYPE_DH,
		    ipsec_sa->xfs->groupxf, groupxfs,
		    ipsecxforms, nitems(ipsecxforms), &j,
		    ikev2_default_esp_transforms,
		    ikev2_default_nesp_transforms);
		copy_transforms(IKEV2_XFORMTYPE_ESN,
		    NULL, NULL,
		    ipsecxforms, nitems(ipsecxforms), &j,
		    ikev2_default_esp_transforms,
		    ikev2_default_nesp_transforms);
		prop[1].prop_nxforms = j;
		prop[1].prop_xforms = ipsecxforms;
	}
	TAILQ_INSERT_TAIL(&pol.pol_proposals, &prop[1], prop_entry);

	if (hosts == NULL || hosts->src == NULL || hosts->dst == NULL)
		fatalx("create_ike: no traffic selectors/flows");

	for (j = 0, ipa = hosts->src, ipb = hosts->dst; ipa && ipb;
	    ipa = ipa->next, ipb = ipb->next, j++) {
		if (j >= nitems(flows))
			fatalx("create_ike: too many flows");
		memcpy(&flows[j].flow_src.addr, &ipa->address,
		    sizeof(ipa->address));
		flows[j].flow_src.addr_af = ipa->af;
		flows[j].flow_src.addr_mask = ipa->mask;
		flows[j].flow_src.addr_net = ipa->netaddress;
		flows[j].flow_src.addr_port = hosts->sport;

		memcpy(&flows[j].flow_dst.addr, &ipb->address,
		    sizeof(ipb->address));
		flows[j].flow_dst.addr_af = ipb->af;
		flows[j].flow_dst.addr_mask = ipb->mask;
		flows[j].flow_dst.addr_net = ipb->netaddress;
		flows[j].flow_dst.addr_port = hosts->dport;

		ippn = ipa->srcnat;
		if (ippn) {
			memcpy(&flows[j].flow_prenat.addr, &ippn->address,
			    sizeof(ippn->address));
			flows[j].flow_prenat.addr_af = ippn->af;
			flows[j].flow_prenat.addr_mask = ippn->mask;
			flows[j].flow_prenat.addr_net = ippn->netaddress;
		} else {
			flows[j].flow_prenat.addr_af = 0;
		}

		flows[j].flow_ipproto = ipproto;

		if (RB_INSERT(iked_flows, &pol.pol_flows, &flows[j]) == NULL)
			pol.pol_nflows++;
		else
			warnx("create_ike: duplicate flow");
	}

	for (j = 0, ipa = ikecfg; ipa; ipa = ipa->next, j++) {
		if (j >= IKED_CFG_MAX)
			break;
		cfg = &pol.pol_cfg[j];
		pol.pol_ncfg++;

		cfg->cfg_action = ipa->action;
		cfg->cfg_type = ipa->type;
		memcpy(&cfg->cfg.address.addr, &ipa->address,
		    sizeof(ipa->address));
		cfg->cfg.address.addr_mask = ipa->mask;
		cfg->cfg.address.addr_net = ipa->netaddress;
		cfg->cfg.address.addr_af = ipa->af;
	}

	if (dstid) {
		strlcpy(idstr, dstid, sizeof(idstr));
		idtype = pol.pol_peerid.id_type;
	} else if (!pol.pol_peer.addr_net) {
		print_host((struct sockaddr *)&pol.pol_peer.addr, idstr,
		    sizeof(idstr));
		switch (pol.pol_peer.addr.ss_family) {
		case AF_INET:
			idtype = IKEV2_ID_IPV4;
			break;
		case AF_INET6:
			idtype = IKEV2_ID_IPV6;
			break;
		default:
			log_warnx("%s: unknown address family", __func__);
			break;
		}
	}

	/* Make sure that we know how to authenticate this peer */
	if (idtype && set_policy(idstr, idtype, &pol) < 0) {
		log_debug("%s: set_policy failed", __func__);
		return (-1);
	}

	config_setpolicy(env, &pol, PROC_IKEV2);
	config_setflow(env, &pol, PROC_IKEV2);

	rules++;
	return (0);
}

int
create_user(const char *user, const char *pass)
{
	struct iked_user	 usr;

	bzero(&usr, sizeof(usr));

	if (*user == '\0' || (strlcpy(usr.usr_name, user,
	    sizeof(usr.usr_name)) >= sizeof(usr.usr_name))) {
		yyerror("invalid user name");
		return (-1);
	}
	if (*pass == '\0' || (strlcpy(usr.usr_pass, pass,
	    sizeof(usr.usr_pass)) >= sizeof(usr.usr_pass))) {
		yyerror("invalid password");
		return (-1);
	}

	config_setuser(env, &usr, PROC_IKEV2);

	rules++;
	return (0);
}
#line 2665 "parse.c"
/* allocate initial stack or double stack size, up to YYMAXDEPTH */
static int yygrowstack(void)
{
    unsigned int newsize;
    long sslen;
    short *newss;
    YYSTYPE *newvs;

    if ((newsize = yystacksize) == 0)
        newsize = YYINITSTACKSIZE;
    else if (newsize >= YYMAXDEPTH)
        return -1;
    else if ((newsize *= 2) > YYMAXDEPTH)
        newsize = YYMAXDEPTH;
    sslen = yyssp - yyss;
#ifdef SIZE_MAX
#define YY_SIZE_MAX SIZE_MAX
#else
#define YY_SIZE_MAX 0xffffffffU
#endif
    if (newsize && YY_SIZE_MAX / newsize < sizeof *newss)
        goto bail;
    newss = yyss ? (short *)realloc(yyss, newsize * sizeof *newss) :
      (short *)malloc(newsize * sizeof *newss); /* overflow check above */
    if (newss == NULL)
        goto bail;
    yyss = newss;
    yyssp = newss + sslen;
    if (newsize && YY_SIZE_MAX / newsize < sizeof *newvs)
        goto bail;
    newvs = yyvs ? (YYSTYPE *)realloc(yyvs, newsize * sizeof *newvs) :
      (YYSTYPE *)malloc(newsize * sizeof *newvs); /* overflow check above */
    if (newvs == NULL)
        goto bail;
    yyvs = newvs;
    yyvsp = newvs + sslen;
    yystacksize = newsize;
    yysslim = yyss + newsize - 1;
    return 0;
bail:
    if (yyss)
            free(yyss);
    if (yyvs)
            free(yyvs);
    yyss = yyssp = NULL;
    yyvs = yyvsp = NULL;
    yystacksize = 0;
    return -1;
}

#define YYABORT goto yyabort
#define YYREJECT goto yyabort
#define YYACCEPT goto yyaccept
#define YYERROR goto yyerrlab
int
yyparse(void)
{
    int yym, yyn, yystate;
#if YYDEBUG
    const char *yys;

    if ((yys = getenv("YYDEBUG")))
    {
        yyn = *yys;
        if (yyn >= '0' && yyn <= '9')
            yydebug = yyn - '0';
    }
#endif /* YYDEBUG */

    yynerrs = 0;
    yyerrflag = 0;
    yychar = (-1);

    if (yyss == NULL && yygrowstack()) goto yyoverflow;
    yyssp = yyss;
    yyvsp = yyvs;
    *yyssp = yystate = 0;

yyloop:
    if ((yyn = yydefred[yystate]) != 0) goto yyreduce;
    if (yychar < 0)
    {
        if ((yychar = yylex()) < 0) yychar = 0;
#if YYDEBUG
        if (yydebug)
        {
            yys = 0;
            if (yychar <= YYMAXTOKEN) yys = yyname[yychar];
            if (!yys) yys = "illegal-symbol";
            printf("%sdebug: state %d, reading %d (%s)\n",
                    YYPREFIX, yystate, yychar, yys);
        }
#endif
    }
    if ((yyn = yysindex[yystate]) && (yyn += yychar) >= 0 &&
            yyn <= YYTABLESIZE && yycheck[yyn] == yychar)
    {
#if YYDEBUG
        if (yydebug)
            printf("%sdebug: state %d, shifting to state %d\n",
                    YYPREFIX, yystate, yytable[yyn]);
#endif
        if (yyssp >= yysslim && yygrowstack())
        {
            goto yyoverflow;
        }
        *++yyssp = yystate = yytable[yyn];
        *++yyvsp = yylval;
        yychar = (-1);
        if (yyerrflag > 0)  --yyerrflag;
        goto yyloop;
    }
    if ((yyn = yyrindex[yystate]) && (yyn += yychar) >= 0 &&
            yyn <= YYTABLESIZE && yycheck[yyn] == yychar)
    {
        yyn = yytable[yyn];
        goto yyreduce;
    }
    if (yyerrflag) goto yyinrecovery;
#if defined(__GNUC__)
    goto yynewerror;
#endif
yynewerror:
    yyerror("syntax error");
#if defined(__GNUC__)
    goto yyerrlab;
#endif
yyerrlab:
    ++yynerrs;
yyinrecovery:
    if (yyerrflag < 3)
    {
        yyerrflag = 3;
        for (;;)
        {
            if ((yyn = yysindex[*yyssp]) && (yyn += YYERRCODE) >= 0 &&
                    yyn <= YYTABLESIZE && yycheck[yyn] == YYERRCODE)
            {
#if YYDEBUG
                if (yydebug)
                    printf("%sdebug: state %d, error recovery shifting\
 to state %d\n", YYPREFIX, *yyssp, yytable[yyn]);
#endif
                if (yyssp >= yysslim && yygrowstack())
                {
                    goto yyoverflow;
                }
                *++yyssp = yystate = yytable[yyn];
                *++yyvsp = yylval;
                goto yyloop;
            }
            else
            {
#if YYDEBUG
                if (yydebug)
                    printf("%sdebug: error recovery discarding state %d\n",
                            YYPREFIX, *yyssp);
#endif
                if (yyssp <= yyss) goto yyabort;
                --yyssp;
                --yyvsp;
            }
        }
    }
    else
    {
        if (yychar == 0) goto yyabort;
#if YYDEBUG
        if (yydebug)
        {
            yys = 0;
            if (yychar <= YYMAXTOKEN) yys = yyname[yychar];
            if (!yys) yys = "illegal-symbol";
            printf("%sdebug: state %d, error recovery discards token %d (%s)\n",
                    YYPREFIX, yystate, yychar, yys);
        }
#endif
        yychar = (-1);
        goto yyloop;
    }
yyreduce:
#if YYDEBUG
    if (yydebug)
        printf("%sdebug: state %d, reducing by rule %d (%s)\n",
                YYPREFIX, yystate, yyn, yyrule[yyn]);
#endif
    yym = yylen[yyn];
    if (yym)
        yyval = yyvsp[1-yym];
    else
        memset(&yyval, 0, sizeof yyval);
    switch (yyn)
    {
case 9:
#line 422 "parse.y"
{ file->errors++; }
break;
case 12:
#line 429 "parse.y"
{
			struct file	*nfile;

			if ((nfile = pushfile(yyvsp[0].v.string, 0)) == NULL) {
				yyerror("failed to include file %s", yyvsp[0].v.string);
				free(yyvsp[0].v.string);
				YYERROR;
			}
			free(yyvsp[0].v.string);

			file = nfile;
			lungetc('\n');
		}
break;
case 13:
#line 444 "parse.y"
{ passive = 0; }
break;
case 14:
#line 445 "parse.y"
{ passive = 1; }
break;
case 15:
#line 446 "parse.y"
{ decouple = 0; }
break;
case 16:
#line 447 "parse.y"
{ decouple = 1; }
break;
case 17:
#line 448 "parse.y"
{
			if ((ocsp_url = strdup(yyvsp[0].v.string)) == NULL) {
				yyerror("cannot set ocsp_url");
				YYERROR;
			}
		}
break;
case 18:
#line 456 "parse.y"
{
			if (create_user(yyvsp[-1].v.string, yyvsp[0].v.string) == -1)
				YYERROR;
		}
break;
case 19:
#line 464 "parse.y"
{
			if (create_ike(yyvsp[-14].v.string, yyvsp[-11].v.number, yyvsp[-10].v.proto, yyvsp[-9].v.hosts, &yyvsp[-8].v.peers, yyvsp[-7].v.mode, yyvsp[-6].v.mode, yyvsp[-12].v.satype, yyvsp[-13].v.ikemode,
			    yyvsp[-5].v.ids.srcid, yyvsp[-5].v.ids.dstid, yyvsp[-4].v.number, &yyvsp[-3].v.lifetime, &yyvsp[-2].v.ikeauth,
			    yyvsp[0].v.filters, yyvsp[-1].v.cfg) == -1) {
				yyerror("create_ike failed");
				YYERROR;
			}
		}
break;
case 20:
#line 474 "parse.y"
{ yyval.v.cfg = NULL; }
break;
case 21:
#line 475 "parse.y"
{ yyval.v.cfg = yyvsp[0].v.cfg; }
break;
case 22:
#line 478 "parse.y"
{ yyval.v.cfg = yyvsp[0].v.cfg; }
break;
case 23:
#line 479 "parse.y"
{
			if (yyvsp[0].v.cfg == NULL)
				yyval.v.cfg = yyvsp[-1].v.cfg;
			else if (yyvsp[-1].v.cfg == NULL)
				yyval.v.cfg = yyvsp[0].v.cfg;
			else {
				yyvsp[-1].v.cfg->tail->next = yyvsp[0].v.cfg;
				yyvsp[-1].v.cfg->tail = yyvsp[0].v.cfg->tail;
				yyval.v.cfg = yyvsp[-1].v.cfg;
			}
		}
break;
case 24:
#line 492 "parse.y"
{
			const struct ipsec_xf	*xf;

			if ((xf = parse_xf(yyvsp[-1].v.string, yyvsp[0].v.host->af, cpxfs)) == NULL) {
				yyerror("not a valid ikecfg option");
				free(yyvsp[-1].v.string);
				free(yyvsp[0].v.host);
				YYERROR;
			}
			yyval.v.cfg = yyvsp[0].v.host;
			yyval.v.cfg->type = xf->id;
			yyval.v.cfg->action = IKEV2_CP_REPLY;	/* XXX */
		}
break;
case 25:
#line 507 "parse.y"
{ yyval.v.string = NULL; }
break;
case 26:
#line 508 "parse.y"
{
			yyval.v.string = yyvsp[0].v.string;
		}
break;
case 27:
#line 512 "parse.y"
{ yyval.v.satype = IKEV2_SAPROTO_ESP; }
break;
case 28:
#line 513 "parse.y"
{ yyval.v.satype = IKEV2_SAPROTO_ESP; }
break;
case 29:
#line 514 "parse.y"
{ yyval.v.satype = IKEV2_SAPROTO_AH; }
break;
case 30:
#line 517 "parse.y"
{ yyval.v.number = AF_UNSPEC; }
break;
case 31:
#line 518 "parse.y"
{ yyval.v.number = AF_INET; }
break;
case 32:
#line 519 "parse.y"
{ yyval.v.number = AF_INET6; }
break;
case 33:
#line 522 "parse.y"
{ yyval.v.proto = 0; }
break;
case 34:
#line 523 "parse.y"
{ yyval.v.proto = yyvsp[0].v.number; }
break;
case 35:
#line 524 "parse.y"
{ yyval.v.proto = IPPROTO_ESP; }
break;
case 36:
#line 525 "parse.y"
{ yyval.v.proto = IPPROTO_AH; }
break;
case 37:
#line 528 "parse.y"
{
			struct protoent *p;

			p = getprotobyname(yyvsp[0].v.string);
			if (p == NULL) {
				yyerror("unknown protocol: %s", yyvsp[0].v.string);
				YYERROR;
			}
			yyval.v.number = p->p_proto;
			free(yyvsp[0].v.string);
		}
break;
case 38:
#line 539 "parse.y"
{
			if (yyvsp[0].v.number > 255 || yyvsp[0].v.number < 0) {
				yyerror("protocol outside range");
				YYERROR;
			}
		}
break;
case 39:
#line 547 "parse.y"
{ yyval.v.hosts = yyvsp[0].v.hosts; }
break;
case 40:
#line 548 "parse.y"
{
			if (yyvsp[0].v.hosts == NULL)
				yyval.v.hosts = yyvsp[-2].v.hosts;
			else if (yyvsp[-2].v.hosts == NULL)
				yyval.v.hosts = yyvsp[0].v.hosts;
			else {
				yyvsp[-2].v.hosts->src->tail->next = yyvsp[0].v.hosts->src;
				yyvsp[-2].v.hosts->src->tail = yyvsp[0].v.hosts->src->tail;
				yyvsp[-2].v.hosts->dst->tail->next = yyvsp[0].v.hosts->dst;
				yyvsp[-2].v.hosts->dst->tail = yyvsp[0].v.hosts->dst->tail;
				yyval.v.hosts = yyvsp[-2].v.hosts;
			}
		}
break;
case 41:
#line 563 "parse.y"
{
			struct ipsec_addr_wrap *ipa;
			for (ipa = yyvsp[-1].v.host; ipa; ipa = ipa->next) {
				if (ipa->srcnat) {
					yyerror("no flow NAT support for"
					    " destination network: %s",
					    ipa->name);
					YYERROR;
				}
			}

			if ((yyval.v.hosts = calloc(1, sizeof(*yyval.v.hosts))) == NULL)
				err(1, "hosts: calloc");

			yyval.v.hosts->src = yyvsp[-4].v.host;
			yyval.v.hosts->sport = yyvsp[-3].v.port;
			yyval.v.hosts->dst = yyvsp[-1].v.host;
			yyval.v.hosts->dport = yyvsp[0].v.port;
		}
break;
case 42:
#line 582 "parse.y"
{
			struct ipsec_addr_wrap *ipa;
			for (ipa = yyvsp[-4].v.host; ipa; ipa = ipa->next) {
				if (ipa->srcnat) {
					yyerror("no flow NAT support for"
					    " destination network: %s",
					    ipa->name);
					YYERROR;
				}
			}
			if ((yyval.v.hosts = calloc(1, sizeof(*yyval.v.hosts))) == NULL)
				err(1, "hosts: calloc");

			yyval.v.hosts->src = yyvsp[-1].v.host;
			yyval.v.hosts->sport = yyvsp[0].v.port;
			yyval.v.hosts->dst = yyvsp[-4].v.host;
			yyval.v.hosts->dport = yyvsp[-3].v.port;
		}
break;
case 43:
#line 602 "parse.y"
{ yyval.v.port = 0; }
break;
case 44:
#line 603 "parse.y"
{ yyval.v.port = yyvsp[0].v.number; }
break;
case 45:
#line 606 "parse.y"
{
			struct servent *s;

			if ((s = getservbyname(yyvsp[0].v.string, "tcp")) != NULL ||
			    (s = getservbyname(yyvsp[0].v.string, "udp")) != NULL) {
				yyval.v.number = s->s_port;
			} else {
				yyerror("unknown port: %s", yyvsp[0].v.string);
				YYERROR;
			}
		}
break;
case 46:
#line 617 "parse.y"
{
			if (yyvsp[0].v.number > USHRT_MAX || yyvsp[0].v.number < 0) {
				yyerror("port outside range");
				YYERROR;
			}
			yyval.v.number = htons(yyvsp[0].v.number);
		}
break;
case 47:
#line 626 "parse.y"
{
			yyval.v.peers.dst = NULL;
			yyval.v.peers.src = NULL;
		}
break;
case 48:
#line 630 "parse.y"
{
			yyval.v.peers.dst = yyvsp[-2].v.anyhost;
			yyval.v.peers.src = yyvsp[0].v.anyhost;
		}
break;
case 49:
#line 634 "parse.y"
{
			yyval.v.peers.dst = yyvsp[0].v.anyhost;
			yyval.v.peers.src = yyvsp[-2].v.anyhost;
		}
break;
case 50:
#line 638 "parse.y"
{
			yyval.v.peers.dst = yyvsp[0].v.anyhost;
			yyval.v.peers.src = NULL;
		}
break;
case 51:
#line 642 "parse.y"
{
			yyval.v.peers.dst = NULL;
			yyval.v.peers.src = yyvsp[0].v.anyhost;
		}
break;
case 52:
#line 648 "parse.y"
{ yyval.v.anyhost = yyvsp[0].v.host; }
break;
case 53:
#line 649 "parse.y"
{
			yyval.v.anyhost = host_any();
		}
break;
case 54:
#line 653 "parse.y"
{
			if ((yyval.v.host = host(yyvsp[0].v.string)) == NULL) {
				free(yyvsp[0].v.string);
				yyerror("could not parse host specification");
				YYERROR;
			}
			free(yyvsp[0].v.string);
		}
break;
case 55:
#line 661 "parse.y"
{
			char	*buf;

			if (asprintf(&buf, "%s/%lld", yyvsp[-2].v.string, yyvsp[0].v.number) == -1)
				err(1, "host: asprintf");
			free(yyvsp[-2].v.string);
			if ((yyval.v.host = host(buf)) == NULL)	{
				free(buf);
				yyerror("could not parse host specification");
				YYERROR;
			}
			free(buf);
		}
break;
case 56:
#line 676 "parse.y"
{ yyval.v.host = yyvsp[0].v.host; }
break;
case 57:
#line 677 "parse.y"
{
			if ((yyvsp[-3].v.host->af != AF_UNSPEC) && (yyvsp[-1].v.host->af != AF_UNSPEC) &&
			    (yyvsp[-1].v.host->af != yyvsp[-3].v.host->af)) {
				yyerror("Flow NAT address family mismatch");
				YYERROR;
			}
			yyval.v.host = yyvsp[-3].v.host;
			yyval.v.host->srcnat = yyvsp[-1].v.host;
		}
break;
case 58:
#line 686 "parse.y"
{
			yyval.v.host = host_any();
		}
break;
case 59:
#line 691 "parse.y"
{
			yyval.v.ids.srcid = NULL;
			yyval.v.ids.dstid = NULL;
		}
break;
case 60:
#line 695 "parse.y"
{
			yyval.v.ids.srcid = yyvsp[-2].v.id;
			yyval.v.ids.dstid = yyvsp[0].v.id;
		}
break;
case 61:
#line 699 "parse.y"
{
			yyval.v.ids.srcid = yyvsp[0].v.id;
			yyval.v.ids.dstid = NULL;
		}
break;
case 62:
#line 703 "parse.y"
{
			yyval.v.ids.srcid = NULL;
			yyval.v.ids.dstid = yyvsp[0].v.id;
		}
break;
case 63:
#line 709 "parse.y"
{ yyval.v.id = yyvsp[0].v.string; }
break;
case 64:
#line 712 "parse.y"
{
			if ((ipsec_transforms = calloc(1,
			    sizeof(struct ipsec_transforms))) == NULL)
				err(1, "transforms: calloc");
		}
break;
case 65:
#line 717 "parse.y"
{
			yyval.v.transforms = ipsec_transforms;
		}
break;
case 66:
#line 720 "parse.y"
{
			yyval.v.transforms = NULL;
		}
break;
case 69:
#line 729 "parse.y"
{
			if (ipsec_transforms->authxf)
				yyerror("auth already set");
			else {
				ipsec_transforms->authxf = parse_xf(yyvsp[0].v.string, 0,
				    authxfs);
				if (!ipsec_transforms->authxf)
					yyerror("%s not a valid transform", yyvsp[0].v.string);
			}
		}
break;
case 70:
#line 739 "parse.y"
{
			if (ipsec_transforms->encxf)
				yyerror("enc already set");
			else {
				ipsec_transforms->encxf = parse_xf(yyvsp[0].v.string, 0,
				    encxfs);
				if (!ipsec_transforms->encxf)
					yyerror("%s not a valid transform",
					    yyvsp[0].v.string);
			}
		}
break;
case 71:
#line 750 "parse.y"
{
			if (ipsec_transforms->prfxf)
				yyerror("prf already set");
			else {
				ipsec_transforms->prfxf = parse_xf(yyvsp[0].v.string, 0,
				    prfxfs);
				if (!ipsec_transforms->prfxf)
					yyerror("%s not a valid transform",
					    yyvsp[0].v.string);
			}
		}
break;
case 72:
#line 761 "parse.y"
{
			if (ipsec_transforms->groupxf)
				yyerror("group already set");
			else {
				ipsec_transforms->groupxf = parse_xf(yyvsp[0].v.string, 0,
				    groupxfs);
				if (!ipsec_transforms->groupxf)
					yyerror("%s not a valid transform",
					    yyvsp[0].v.string);
			}
		}
break;
case 73:
#line 774 "parse.y"
{
			yyval.v.mode = NULL;
		}
break;
case 74:
#line 777 "parse.y"
{
			encxfs = ikeencxfs;
		}
break;
case 75:
#line 779 "parse.y"
{
			if ((yyval.v.mode = calloc(1, sizeof(*yyval.v.mode))) == NULL)
				err(1, "ike_sa: calloc");
			yyval.v.mode->xfs = yyvsp[0].v.transforms;
		}
break;
case 76:
#line 786 "parse.y"
{
			yyval.v.mode = NULL;
		}
break;
case 77:
#line 789 "parse.y"
{
			encxfs = ipsecencxfs;
		}
break;
case 78:
#line 791 "parse.y"
{
			if ((yyval.v.mode = calloc(1, sizeof(*yyval.v.mode))) == NULL)
				err(1, "child_sa: calloc");
			yyval.v.mode->xfs = yyvsp[0].v.transforms;
		}
break;
case 79:
#line 798 "parse.y"
{ yyval.v.ikemode = yyvsp[-2].v.ikemode | yyvsp[-1].v.ikemode | yyvsp[0].v.ikemode; }
break;
case 80:
#line 801 "parse.y"
{ yyval.v.ikemode = 0; }
break;
case 81:
#line 802 "parse.y"
{ yyval.v.ikemode = IKED_POLICY_QUICK; }
break;
case 82:
#line 803 "parse.y"
{ yyval.v.ikemode = IKED_POLICY_SKIP; }
break;
case 83:
#line 804 "parse.y"
{ yyval.v.ikemode = IKED_POLICY_DEFAULT; }
break;
case 84:
#line 807 "parse.y"
{ yyval.v.ikemode = IKED_POLICY_PASSIVE; }
break;
case 85:
#line 808 "parse.y"
{ yyval.v.ikemode = IKED_POLICY_PASSIVE; }
break;
case 86:
#line 809 "parse.y"
{ yyval.v.ikemode = IKED_POLICY_ACTIVE; }
break;
case 87:
#line 812 "parse.y"
{ yyval.v.ikemode = 0; }
break;
case 88:
#line 813 "parse.y"
{ yyval.v.ikemode = IKED_POLICY_IPCOMP; }
break;
case 89:
#line 816 "parse.y"
{
			yyval.v.ikeauth.auth_method = IKEV2_AUTH_SIG_ANY;	/* default */
			yyval.v.ikeauth.auth_eap = 0;
			yyval.v.ikeauth.auth_length = 0;
		}
break;
case 90:
#line 821 "parse.y"
{
			memcpy(&yyval.v.ikeauth, &yyvsp[0].v.ikekey, sizeof(yyval.v.ikeauth));
			yyval.v.ikeauth.auth_method = IKEV2_AUTH_SHARED_KEY_MIC;
			yyval.v.ikeauth.auth_eap = 0;
		}
break;
case 91:
#line 826 "parse.y"
{
			unsigned int i;

			for (i = 0; i < strlen(yyvsp[0].v.string); i++)
				if (yyvsp[0].v.string[i] == '-')
					yyvsp[0].v.string[i] = '_';

			if (strcasecmp("mschap_v2", yyvsp[0].v.string) != 0) {
				yyerror("unsupported EAP method: %s", yyvsp[0].v.string);
				free(yyvsp[0].v.string);
				YYERROR;
			}
			free(yyvsp[0].v.string);

			yyval.v.ikeauth.auth_method = IKEV2_AUTH_RSA_SIG;
			yyval.v.ikeauth.auth_eap = EAP_TYPE_MSCHAP_V2;
			yyval.v.ikeauth.auth_length = 0;
		}
break;
case 92:
#line 844 "parse.y"
{
			const struct ipsec_xf *xf;

			if ((xf = parse_xf(yyvsp[0].v.string, 0, methodxfs)) == NULL ||
			    xf->id == IKEV2_AUTH_NONE) {
				yyerror("not a valid authentication mode");
				free(yyvsp[0].v.string);
				YYERROR;
			}
			free(yyvsp[0].v.string);

			yyval.v.ikeauth.auth_method = xf->id;
			yyval.v.ikeauth.auth_eap = 0;
			yyval.v.ikeauth.auth_length = 0;
		}
break;
case 93:
#line 861 "parse.y"
{
			yyval.v.number = yyvsp[0].v.number;
		}
break;
case 94:
#line 864 "parse.y"
{
			uint64_t	 bytes = 0;
			char		 unit = 0;

			if (sscanf(yyvsp[0].v.string, "%llu%c", &bytes, &unit) != 2) {
				yyerror("invalid byte specification: %s", yyvsp[0].v.string);
				YYERROR;
			}
			switch (toupper((unsigned char)unit)) {
			case 'K':
				bytes *= 1024;
				break;
			case 'M':
				bytes *= 1024 * 1024;
				break;
			case 'G':
				bytes *= 1024 * 1024 * 1024;
				break;
			default:
				yyerror("invalid byte unit");
				YYERROR;
			}
			yyval.v.number = bytes;
		}
break;
case 95:
#line 890 "parse.y"
{
			yyval.v.number = yyvsp[0].v.number;
		}
break;
case 96:
#line 893 "parse.y"
{
			uint64_t	 seconds = 0;
			char		 unit = 0;

			if (sscanf(yyvsp[0].v.string, "%llu%c", &seconds, &unit) != 2) {
				yyerror("invalid time specification: %s", yyvsp[0].v.string);
				YYERROR;
			}
			switch (tolower((unsigned char)unit)) {
			case 'm':
				seconds *= 60;
				break;
			case 'h':
				seconds *= 60 * 60;
				break;
			default:
				yyerror("invalid time unit");
				YYERROR;
			}
			yyval.v.number = seconds;
		}
break;
case 97:
#line 916 "parse.y"
{
			yyval.v.lifetime = deflifetime;
		}
break;
case 98:
#line 919 "parse.y"
{
			yyval.v.lifetime.lt_seconds = yyvsp[0].v.number;
			yyval.v.lifetime.lt_bytes = deflifetime.lt_bytes;
		}
break;
case 99:
#line 923 "parse.y"
{
			yyval.v.lifetime.lt_seconds = yyvsp[-2].v.number;
			yyval.v.lifetime.lt_bytes = yyvsp[0].v.number;
		}
break;
case 100:
#line 929 "parse.y"
{
			yyval.v.number = 0;
		}
break;
case 101:
#line 932 "parse.y"
{
			yyval.v.number = yyvsp[0].v.number;
		}
break;
case 102:
#line 936 "parse.y"
{
			uint8_t		*hex;

			bzero(&yyval.v.ikekey, sizeof(yyval.v.ikekey));

			hex = yyvsp[0].v.string;
			if (strncmp(hex, "0x", 2) == 0) {
				hex += 2;
				if (parsekey(hex, strlen(hex), &yyval.v.ikekey) != 0) {
					free(yyvsp[0].v.string);
					YYERROR;
				}
			} else {
				if (strlen(yyvsp[0].v.string) > sizeof(yyval.v.ikekey.auth_data)) {
					yyerror("psk too long");
					free(yyvsp[0].v.string);
					YYERROR;
				}
				strlcpy(yyval.v.ikekey.auth_data, yyvsp[0].v.string,
				    sizeof(yyval.v.ikekey.auth_data));
				yyval.v.ikekey.auth_length = strlen(yyvsp[0].v.string);
			}
			free(yyvsp[0].v.string);
		}
break;
case 103:
#line 960 "parse.y"
{
			if (parsekeyfile(yyvsp[0].v.string, &yyval.v.ikekey) != 0) {
				free(yyvsp[0].v.string);
				YYERROR;
			}
			free(yyvsp[0].v.string);
		}
break;
case 104:
#line 969 "parse.y"
{
			if ((ipsec_filters = calloc(1,
			    sizeof(struct ipsec_filters))) == NULL)
				err(1, "filters: calloc");
		}
break;
case 105:
#line 974 "parse.y"
{
			yyval.v.filters = ipsec_filters;
		}
break;
case 106:
#line 977 "parse.y"
{
			yyval.v.filters = NULL;
		}
break;
case 109:
#line 987 "parse.y"
{
			ipsec_filters->tag = yyvsp[0].v.string;
		}
break;
case 110:
#line 991 "parse.y"
{
			const char	*errstr = NULL;
			size_t		 len;

			len = strcspn(yyvsp[0].v.string, "0123456789");
			if (strlen("enc") != len ||
			    strncmp("enc", yyvsp[0].v.string, len) != 0) {
				yyerror("invalid tap interface name: %s", yyvsp[0].v.string);
				free(yyvsp[0].v.string);
				YYERROR;
			}
			ipsec_filters->tap =
			    strtonum(yyvsp[0].v.string + len, 0, UINT_MAX, &errstr);
			free(yyvsp[0].v.string);
			if (errstr != NULL) {
				yyerror("invalid tap interface unit: %s",
				    errstr);
				YYERROR;
			}
		}
break;
case 111:
#line 1014 "parse.y"
{
			if (asprintf(&yyval.v.string, "%s %s", yyvsp[-1].v.string, yyvsp[0].v.string) == -1)
				err(1, "string: asprintf");
			free(yyvsp[-1].v.string);
			free(yyvsp[0].v.string);
		}
break;
case 113:
#line 1024 "parse.y"
{
			char *s = yyvsp[-2].v.string;
			log_debug("%s = \"%s\"\n", yyvsp[-2].v.string, yyvsp[0].v.string);
			while (*s++) {
				if (isspace((unsigned char)*s)) {
					yyerror("macro name cannot contain "
					    "whitespace");
					YYERROR;
				}
			}
			if (symset(yyvsp[-2].v.string, yyvsp[0].v.string, 0) == -1)
				err(1, "cannot store variable");
			free(yyvsp[-2].v.string);
			free(yyvsp[0].v.string);
		}
break;
case 123:
#line 1060 "parse.y"
{
			int	 c;

			while ((c = lgetc(0)) != '\n' && c != EOF)
				; /* nothing */
			if (c == '\n')
				lungetc(c);
		}
break;
#line 3687 "parse.c"
    }
    yyssp -= yym;
    yystate = *yyssp;
    yyvsp -= yym;
    yym = yylhs[yyn];
    if (yystate == 0 && yym == 0)
    {
#if YYDEBUG
        if (yydebug)
            printf("%sdebug: after reduction, shifting from state 0 to\
 state %d\n", YYPREFIX, YYFINAL);
#endif
        yystate = YYFINAL;
        *++yyssp = YYFINAL;
        *++yyvsp = yyval;
        if (yychar < 0)
        {
            if ((yychar = yylex()) < 0) yychar = 0;
#if YYDEBUG
            if (yydebug)
            {
                yys = 0;
                if (yychar <= YYMAXTOKEN) yys = yyname[yychar];
                if (!yys) yys = "illegal-symbol";
                printf("%sdebug: state %d, reading %d (%s)\n",
                        YYPREFIX, YYFINAL, yychar, yys);
            }
#endif
        }
        if (yychar == 0) goto yyaccept;
        goto yyloop;
    }
    if ((yyn = yygindex[yym]) && (yyn += yystate) >= 0 &&
            yyn <= YYTABLESIZE && yycheck[yyn] == yystate)
        yystate = yytable[yyn];
    else
        yystate = yydgoto[yym];
#if YYDEBUG
    if (yydebug)
        printf("%sdebug: after reduction, shifting from state %d \
to state %d\n", YYPREFIX, *yyssp, yystate);
#endif
    if (yyssp >= yysslim && yygrowstack())
    {
        goto yyoverflow;
    }
    *++yyssp = yystate;
    *++yyvsp = yyval;
    goto yyloop;
yyoverflow:
    yyerror("yacc stack overflow");
yyabort:
    if (yyss)
            free(yyss);
    if (yyvs)
            free(yyvs);
    yyss = yyssp = NULL;
    yyvs = yyvsp = NULL;
    yystacksize = 0;
    return (1);
yyaccept:
    if (yyss)
            free(yyss);
    if (yyvs)
            free(yyvs);
    yyss = yyssp = NULL;
    yyvs = yyvsp = NULL;
    yystacksize = 0;
    return (0);
}

Generated by: GCOVR (Version 3.3)