]> git.saurik.com Git - apple/network_cmds.git/blob - racoon.tproj/cfparse.y
9c655fa21b46a152d2dd969babb8a33a0670e3a9
[apple/network_cmds.git] / racoon.tproj / cfparse.y
1 /* $KAME: cfparse.y,v 1.114 2003/02/03 08:27:50 itojun Exp $ */
2
3 %{
4 #include <sys/types.h>
5 #include <sys/param.h>
6 #include <sys/queue.h>
7 #include <sys/socket.h>
8
9 #include <netinet/in.h>
10 #include <netinet6/ipsec.h>
11 #include <netkey/key_var.h>
12
13 #include <stdlib.h>
14 #include <stdio.h>
15 #include <string.h>
16 #include <ctype.h>
17 #include <errno.h>
18 #include <netdb.h>
19 #if !defined(HAVE_GETADDRINFO) || !defined(HAVE_GETNAMEINFO)
20 #include "addrinfo.h"
21 #endif
22
23 #include "var.h"
24 #include "misc.h"
25 #include "vmbuf.h"
26 #include "plog.h"
27 #include "sockmisc.h"
28 #include "str2val.h"
29 #include "debug.h"
30
31 /*#include "cfparse.h"*/
32 #include "cftoken.h"
33 #include "algorithm.h"
34 #include "localconf.h"
35 #include "policy.h"
36 #include "sainfo.h"
37 #include "oakley.h"
38 #include "pfkey.h"
39 #include "remoteconf.h"
40 #include "grabmyaddr.h"
41 #include "isakmp_var.h"
42 #include "handler.h"
43 #include "isakmp.h"
44 #include "ipsec_doi.h"
45 #include "strnames.h"
46 #include "gcmalloc.h"
47 #ifdef HAVE_GSSAPI
48 #include "gssapi.h"
49 #endif
50 #include "vendorid.h"
51 #include <CoreFoundation/CFData.h>
52
53 struct proposalspec {
54 time_t lifetime; /* for isakmp/ipsec */
55 int lifebyte; /* for isakmp/ipsec */
56 struct secprotospec *spspec; /* the head is always current spec. */
57 struct proposalspec *next; /* the tail is the most prefered. */
58 struct proposalspec *prev;
59 };
60
61 struct secprotospec {
62 int prop_no;
63 int trns_no;
64 int strength; /* for isakmp/ipsec */
65 int encklen; /* for isakmp/ipsec */
66 time_t lifetime; /* for isakmp */
67 int lifebyte; /* for isakmp */
68 int proto_id; /* for ipsec (isakmp?) */
69 int ipsec_level; /* for ipsec */
70 int encmode; /* for ipsec */
71 int vendorid; /* for isakmp */
72 char *gssid;
73 struct sockaddr *remote;
74 int algclass[MAXALGCLASS];
75
76 struct secprotospec *next; /* the tail is the most prefiered. */
77 struct secprotospec *prev;
78 struct proposalspec *back;
79 };
80
81 static int num2dhgroup[] = {
82 0,
83 OAKLEY_ATTR_GRP_DESC_MODP768,
84 OAKLEY_ATTR_GRP_DESC_MODP1024,
85 OAKLEY_ATTR_GRP_DESC_EC2N155,
86 OAKLEY_ATTR_GRP_DESC_EC2N185,
87 OAKLEY_ATTR_GRP_DESC_MODP1536,
88 };
89
90 static struct remoteconf *cur_rmconf;
91 static int tmpalgtype[MAXALGCLASS];
92 static struct sainfo *cur_sainfo;
93 static int cur_algclass;
94
95 static struct proposalspec *prhead; /* the head is always current. */
96
97 static struct proposalspec *newprspec __P((void));
98 static void cleanprhead __P((void));
99 static void insprspec __P((struct proposalspec *, struct proposalspec **));
100 static struct secprotospec *newspspec __P((void));
101 static void insspspec __P((struct secprotospec *, struct proposalspec **));
102
103 static int set_isakmp_proposal
104 __P((struct remoteconf *, struct proposalspec *));
105 static void clean_tmpalgtype __P((void));
106 static int expand_isakmpspec __P((int, int, int *,
107 int, int, time_t, int, int, int, char *, struct remoteconf *));
108
109 static int base64toCFData(vchar_t *, CFDataRef*);
110
111 #if 0
112 static int fix_lifebyte __P((u_long));
113 #endif
114 %}
115
116 %union {
117 unsigned long num;
118 vchar_t *val;
119 struct remoteconf *rmconf;
120 struct sockaddr *saddr;
121 struct sainfoalg *alg;
122 }
123
124 /* path */
125 %token PATH PATHTYPE
126 /* include */
127 %token INCLUDE
128 /* self information */
129 %token IDENTIFIER VENDORID
130 /* logging */
131 %token LOGGING LOGLEV
132 /* padding */
133 %token PADDING PAD_RANDOMIZE PAD_RANDOMIZELEN PAD_MAXLEN PAD_STRICT PAD_EXCLTAIL
134 /* listen */
135 %token LISTEN X_ISAKMP X_ADMIN STRICT_ADDRESS
136 /* timer */
137 %token RETRY RETRY_COUNTER RETRY_INTERVAL RETRY_PERSEND
138 %token RETRY_PHASE1 RETRY_PHASE2
139 /* algorithm */
140 %token ALGORITHM_CLASS ALGORITHMTYPE STRENGTHTYPE
141 /* sainfo */
142 %token SAINFO
143 /* remote */
144 %token REMOTE ANONYMOUS
145 %token EXCHANGE_MODE EXCHANGETYPE DOI DOITYPE SITUATION SITUATIONTYPE
146 %token CERTIFICATE_TYPE CERTTYPE PEERS_CERTFILE VERIFY_CERT SEND_CERT SEND_CR
147 %token IDENTIFIERTYPE MY_IDENTIFIER PEERS_IDENTIFIER VERIFY_IDENTIFIER
148 %token SHARED_SECRET SECRETTYPE
149 %token OPEN_DIR_AUTH_GROUP IN_KEYCHAIN
150 %token CERTIFICATE_VERIFICATION VERIFICATION_MODULE VERIFICATION_OPTION
151 %token DNSSEC CERT_X509
152 %token NONCE_SIZE DH_GROUP KEEPALIVE PASSIVE INITIAL_CONTACT
153 %token PROPOSAL_CHECK PROPOSAL_CHECK_LEVEL
154 %token GENERATE_POLICY SUPPORT_MIP6
155 %token PROPOSAL
156 %token EXEC_PATH EXEC_COMMAND EXEC_SUCCESS EXEC_FAILURE
157 %token GSSAPI_ID
158 %token COMPLEX_BUNDLE
159
160 %token PREFIX PORT PORTANY UL_PROTO ANY
161 %token PFS_GROUP LIFETIME LIFETYPE_TIME LIFETYPE_BYTE STRENGTH
162
163 %token NUMBER SWITCH BOOLEAN
164 %token HEXSTRING QUOTEDSTRING ADDRSTRING
165 %token UNITTYPE_BYTE UNITTYPE_KBYTES UNITTYPE_MBYTES UNITTYPE_TBYTES
166 %token UNITTYPE_SEC UNITTYPE_MIN UNITTYPE_HOUR
167 %token EOS BOC EOC COMMA
168
169 %type <num> NUMBER BOOLEAN SWITCH keylength
170 %type <num> PATHTYPE IDENTIFIERTYPE LOGLEV
171 %type <num> SECRETTYPE
172 %type <num> ALGORITHM_CLASS dh_group_num
173 %type <num> ALGORITHMTYPE STRENGTHTYPE
174 %type <num> PREFIX prefix PORT port ike_port
175 %type <num> ul_proto UL_PROTO
176 %type <num> EXCHANGETYPE DOITYPE SITUATIONTYPE
177 %type <num> CERTTYPE CERT_X509 PROPOSAL_CHECK_LEVEL
178 %type <num> VERIFICATION_MODULE VERIFICATION_OPTION
179 %type <num> unittype_time unittype_byte
180 %type <val> QUOTEDSTRING HEXSTRING ADDRSTRING sainfo_id
181 %type <val> identifierstring
182 %type <saddr> remote_index ike_addrinfo_port
183 %type <alg> algorithm
184
185 %%
186
187 statements
188 : /* nothing */
189 | statements statement
190 ;
191 statement
192 : path_statement
193 | include_statement
194 | identifier_statement
195 | logging_statement
196 | padding_statement
197 | listen_statement
198 | timer_statement
199 | sainfo_statement
200 | remote_statement
201 | special_statement
202 ;
203
204 /* path */
205 path_statement
206 : PATH PATHTYPE QUOTEDSTRING
207 {
208 if ($2 > LC_PATHTYPE_MAX) {
209 yyerror("invalid path type %d", $2);
210 return -1;
211 }
212
213 /* free old pathinfo */
214 if (lcconf->pathinfo[$2])
215 racoon_free(lcconf->pathinfo[$2]);
216
217 /* set new pathinfo */
218 lcconf->pathinfo[$2] = strdup($3->v);
219 vfree($3);
220 }
221 EOS
222 ;
223
224 /* special */
225 special_statement
226 : COMPLEX_BUNDLE SWITCH { lcconf->complex_bundle = $2; } EOS
227 ;
228
229 /* include */
230 include_statement
231 : INCLUDE QUOTEDSTRING EOS
232 {
233 char path[MAXPATHLEN];
234
235 getpathname(path, sizeof(path),
236 LC_PATHTYPE_INCLUDE, $2->v);
237 vfree($2);
238 if (yycf_switch_buffer(path) != 0)
239 return -1;
240 }
241 ;
242
243 /* self infomation */
244 identifier_statement
245 : IDENTIFIER identifier_stmt
246 ;
247 identifier_stmt
248 : VENDORID
249 {
250 /*XXX to be deleted */
251 }
252 QUOTEDSTRING EOS
253 | IDENTIFIERTYPE QUOTEDSTRING
254 {
255 /*XXX to be deleted */
256 $2->l--; /* nuke '\0' */
257 lcconf->ident[$1] = $2;
258 if (lcconf->ident[$1] == NULL) {
259 yyerror("failed to set my ident: %s",
260 strerror(errno));
261 return -1;
262 }
263 }
264 EOS
265 ;
266
267 /* logging */
268 logging_statement
269 : LOGGING log_level EOS
270 ;
271 log_level
272 : HEXSTRING
273 {
274 /*
275 * XXX ignore it because this specification
276 * will be obsoleted.
277 */
278 yywarn("see racoon.conf(5), such a log specification will be obsoleted.");
279 vfree($1);
280 }
281 | LOGLEV
282 {
283 /*
284 * set the loglevel by configuration file only when
285 * the command line did not specify any loglevel.
286 */
287 if (loglevel <= LLV_BASE)
288 loglevel += $1;
289 }
290 ;
291
292 /* padding */
293 padding_statement
294 : PADDING BOC padding_stmts EOC
295 ;
296 padding_stmts
297 : /* nothing */
298 | padding_stmts padding_stmt
299 ;
300 padding_stmt
301 : PAD_RANDOMIZE SWITCH { lcconf->pad_random = $2; } EOS
302 | PAD_RANDOMIZELEN SWITCH { lcconf->pad_randomlen = $2; } EOS
303 | PAD_MAXLEN NUMBER { lcconf->pad_maxsize = $2; } EOS
304 | PAD_STRICT SWITCH { lcconf->pad_strict = $2; } EOS
305 | PAD_EXCLTAIL SWITCH { lcconf->pad_excltail = $2; } EOS
306 ;
307
308 /* listen */
309 listen_statement
310 : LISTEN BOC listen_stmts EOC
311 ;
312 listen_stmts
313 : /* nothing */
314 | listen_stmts listen_stmt
315 ;
316 listen_stmt
317 : X_ISAKMP ike_addrinfo_port
318 {
319 struct myaddrs *p;
320
321 p = newmyaddr();
322 if (p == NULL) {
323 yyerror("failed to allocate myaddrs");
324 return -1;
325 }
326 p->addr = $2;
327 if (p->addr == NULL) {
328 yyerror("failed to copy sockaddr ");
329 delmyaddr(p);
330 return -1;
331 }
332 p->sock = -1;
333 p->nattsock = -1;
334 p->addrcount = 1;
335 insmyaddr(p, &lcconf->myaddrs);
336
337 lcconf->autograbaddr = 0;
338 }
339 EOS
340 | X_ADMIN
341 {
342 yyerror("admin directive is obsoleted.");
343 }
344 PORT EOS
345 | STRICT_ADDRESS { lcconf->strict_address = TRUE; } EOS
346 ;
347 ike_addrinfo_port
348 : ADDRSTRING ike_port
349 {
350 char portbuf[10];
351
352 snprintf(portbuf, sizeof(portbuf), "%ld", $2);
353 $$ = str2saddr($1->v, portbuf);
354 vfree($1);
355 if (!$$)
356 return -1;
357 }
358 ;
359 ike_port
360 : /* nothing */ { $$ = PORT_ISAKMP; }
361 | PORT { $$ = $1; }
362 ;
363
364 /* timer */
365 timer_statement
366 : RETRY BOC timer_stmts EOC
367 ;
368 timer_stmts
369 : /* nothing */
370 | timer_stmts timer_stmt
371 ;
372 timer_stmt
373 : RETRY_COUNTER NUMBER
374 {
375 lcconf->retry_counter = $2;
376 }
377 EOS
378 | RETRY_INTERVAL NUMBER unittype_time
379 {
380 lcconf->retry_interval = $2 * $3;
381 }
382 EOS
383 | RETRY_PERSEND NUMBER
384 {
385 lcconf->count_persend = $2;
386 }
387 EOS
388 | RETRY_PHASE1 NUMBER unittype_time
389 {
390 lcconf->retry_checkph1 = $2 * $3;
391 }
392 EOS
393 | RETRY_PHASE2 NUMBER unittype_time
394 {
395 lcconf->wait_ph2complete = $2 * $3;
396 }
397 EOS
398 ;
399
400 /* sainfo */
401 sainfo_statement
402 : SAINFO
403 {
404 cur_sainfo = newsainfo();
405 if (cur_sainfo == NULL) {
406 yyerror("failed to allocate sainfo");
407 return -1;
408 }
409 }
410 sainfo_name BOC sainfo_specs
411 {
412 struct sainfo *check;
413
414 /* default */
415 if (cur_sainfo->algs[algclass_ipsec_enc] == 0) {
416 yyerror("no encryption algorithm at %s",
417 sainfo2str(cur_sainfo));
418 return -1;
419 }
420 if (cur_sainfo->algs[algclass_ipsec_auth] == 0) {
421 yyerror("no authentication algorithm at %s",
422 sainfo2str(cur_sainfo));
423 return -1;
424 }
425 if (cur_sainfo->algs[algclass_ipsec_comp] == 0) {
426 yyerror("no compression algorithm at %s",
427 sainfo2str(cur_sainfo));
428 return -1;
429 }
430
431 /* duplicate check */
432 check = getsainfo(cur_sainfo->idsrc, cur_sainfo->iddst);
433 if (check && (!check->idsrc && !cur_sainfo->idsrc)) {
434 yyerror("duplicated sainfo: %s",
435 sainfo2str(cur_sainfo));
436 return -1;
437 }
438 inssainfo(cur_sainfo);
439 }
440 EOC
441 ;
442 sainfo_name
443 : ANONYMOUS
444 {
445 cur_sainfo->idsrc = NULL;
446 cur_sainfo->iddst = NULL;
447 }
448 | sainfo_id sainfo_id
449 {
450 cur_sainfo->idsrc = $1;
451 cur_sainfo->iddst = $2;
452 }
453 ;
454 sainfo_id
455 : IDENTIFIERTYPE ADDRSTRING prefix port ul_proto
456 {
457 char portbuf[10];
458 struct sockaddr *saddr;
459
460 if (($5 == IPPROTO_ICMP || $5 == IPPROTO_ICMPV6)
461 && ($4 != IPSEC_PORT_ANY || $4 != IPSEC_PORT_ANY)) {
462 yyerror("port number must be \"any\".");
463 return -1;
464 }
465
466 snprintf(portbuf, sizeof(portbuf), "%lu", $4);
467 saddr = str2saddr($2->v, portbuf);
468 vfree($2);
469 if (saddr == NULL)
470 return -1;
471
472 switch (saddr->sa_family) {
473 case AF_INET:
474 if ($5 == IPPROTO_ICMPV6) {
475 yyerror("upper layer protocol mismatched.\n");
476 racoon_free(saddr);
477 return -1;
478 }
479 $$ = ipsecdoi_sockaddr2id(saddr,
480 $3 == ~0 ? (sizeof(struct in_addr) << 3): $3,
481 $5);
482 break;
483 #ifdef INET6
484 case AF_INET6:
485 if ($5 == IPPROTO_ICMP) {
486 yyerror("upper layer protocol mismatched.\n");
487 racoon_free(saddr);
488 return -1;
489 }
490 $$ = ipsecdoi_sockaddr2id(saddr,
491 $3 == ~0 ? (sizeof(struct in6_addr) << 3) : $3,
492 $5);
493 break;
494 #endif
495 default:
496 yyerror("invalid family: %d", saddr->sa_family);
497 break;
498 }
499 racoon_free(saddr);
500 if ($$ == NULL)
501 return -1;
502 }
503 | IDENTIFIERTYPE QUOTEDSTRING
504 {
505 struct ipsecdoi_id_b *id_b;
506
507 if ($1 == IDTYPE_ASN1DN) {
508 yyerror("id type forbidden: %d", $1);
509 return -1;
510 }
511
512 $2->l--;
513
514 $$ = vmalloc(sizeof(*id_b) + $2->l);
515 if ($$ == NULL) {
516 yyerror("failed to allocate identifier");
517 return -1;
518 }
519
520 id_b = (struct ipsecdoi_id_b *)$$->v;
521 id_b->type = idtype2doi($1);
522
523 id_b->proto_id = 0;
524 id_b->port = 0;
525
526 memcpy($$->v + sizeof(*id_b), $2->v, $2->l);
527 }
528 ;
529 sainfo_specs
530 : /* nothing */
531 | sainfo_specs sainfo_spec
532 ;
533 sainfo_spec
534 : PFS_GROUP dh_group_num
535 {
536 cur_sainfo->pfs_group = $2;
537 }
538 EOS
539 | LIFETIME LIFETYPE_TIME NUMBER unittype_time
540 {
541 cur_sainfo->lifetime = $3 * $4;
542 }
543 EOS
544 | LIFETIME LIFETYPE_BYTE NUMBER unittype_byte
545 {
546 #if 1
547 yyerror("byte lifetime support is deprecated");
548 return -1;
549 #else
550 cur_sainfo->lifebyte = fix_lifebyte($3 * $4);
551 if (cur_sainfo->lifebyte == 0)
552 return -1;
553 #endif
554 }
555 EOS
556 | ALGORITHM_CLASS {
557 cur_algclass = $1;
558 }
559 algorithms EOS
560 | IDENTIFIER IDENTIFIERTYPE
561 {
562 yyerror("it's deprecated to specify a identifier in phase 2");
563 }
564 EOS
565 | MY_IDENTIFIER IDENTIFIERTYPE QUOTEDSTRING
566 {
567 yyerror("it's deprecated to specify a identifier in phase 2");
568 }
569 EOS
570 ;
571
572 algorithms
573 : algorithm
574 {
575 inssainfoalg(&cur_sainfo->algs[cur_algclass], $1);
576 }
577 | algorithm
578 {
579 inssainfoalg(&cur_sainfo->algs[cur_algclass], $1);
580 }
581 COMMA algorithms
582 ;
583 algorithm
584 : ALGORITHMTYPE keylength
585 {
586 int defklen;
587
588 $$ = newsainfoalg();
589 if ($$ == NULL) {
590 yyerror("failed to get algorithm allocation");
591 return -1;
592 }
593
594 $$->alg = algtype2doi(cur_algclass, $1);
595 if ($$->alg == -1) {
596 yyerror("algorithm mismatched");
597 racoon_free($$);
598 return -1;
599 }
600
601 defklen = default_keylen(cur_algclass, $1);
602 if (defklen == 0) {
603 if ($2) {
604 yyerror("keylen not allowed");
605 racoon_free($$);
606 return -1;
607 }
608 } else {
609 if ($2 && check_keylen(cur_algclass, $1, $2) < 0) {
610 yyerror("invalid keylen %d", $2);
611 racoon_free($$);
612 return -1;
613 }
614 }
615
616 if ($2)
617 $$->encklen = $2;
618 else
619 $$->encklen = defklen;
620
621 /* check if it's supported algorithm by kernel */
622 if (!(cur_algclass == algclass_ipsec_auth && $1 == algtype_non_auth)
623 && pk_checkalg(cur_algclass, $1, $$->encklen)) {
624 int a = algclass2doi(cur_algclass);
625 int b = algtype2doi(cur_algclass, $1);
626 if (a == IPSECDOI_ATTR_AUTH)
627 a = IPSECDOI_PROTO_IPSEC_AH;
628 yyerror("algorithm %s not supported",
629 s_ipsecdoi_trns(a, b));
630 racoon_free($$);
631 return -1;
632 }
633 }
634 ;
635 prefix
636 : /* nothing */ { $$ = ~0; }
637 | PREFIX { $$ = $1; }
638 ;
639 port
640 : /* nothing */ { $$ = IPSEC_PORT_ANY; }
641 | PORT { $$ = $1; }
642 | PORTANY { $$ = IPSEC_PORT_ANY; }
643 ;
644 ul_proto
645 : NUMBER { $$ = $1; }
646 | UL_PROTO { $$ = $1; }
647 | ANY { $$ = IPSEC_ULPROTO_ANY; }
648 ;
649 keylength
650 : /* nothing */ { $$ = 0; }
651 | NUMBER { $$ = $1; }
652 ;
653
654 /* remote */
655 remote_statement
656 : REMOTE remote_index
657 {
658 struct remoteconf *new;
659 struct proposalspec *prspec;
660
661 new = newrmconf();
662 if (new == NULL) {
663 yyerror("failed to get new remoteconf.");
664 return -1;
665 }
666
667 new->remote = $2;
668 cur_rmconf = new;
669
670 prspec = newprspec();
671 if (prspec == NULL)
672 return -1;
673 prspec->lifetime = oakley_get_defaultlifetime();
674 insprspec(prspec, &prhead);
675 }
676 BOC remote_specs
677 {
678 /* check a exchange mode */
679 if (cur_rmconf->etypes == NULL) {
680 yyerror("no exchange mode specified.\n");
681 return -1;
682 }
683
684 if (cur_rmconf->idvtype == IDTYPE_ASN1DN
685 && cur_rmconf->mycertfile == NULL
686 && cur_rmconf->identity_in_keychain == 0) {
687 yyerror("id type mismatched due to "
688 "no CERT defined.\n");
689 return -1;
690 }
691
692 if (cur_rmconf->cert_verification_option == VERIFICATION_OPTION_PEERS_IDENTIFIER
693 && cur_rmconf->idv_p == NULL) {
694 yyerror("peers_identifier required for specified certificate "
695 "verification option.\n");
696 return -1;
697 }
698
699 if (set_isakmp_proposal(cur_rmconf, prhead) != 0)
700 return -1;
701
702 /* DH group settting if aggressive mode is there. */
703 if (check_etypeok(cur_rmconf, ISAKMP_ETYPE_AGG) != NULL) {
704 struct isakmpsa *p;
705 int b = 0;
706
707 /* DH group */
708 for (p = cur_rmconf->proposal; p; p = p->next) {
709 if (b == 0 || (b && b == p->dh_group)) {
710 b = p->dh_group;
711 continue;
712 }
713 yyerror("DH group must be equal "
714 "to each proposals's "
715 "when aggressive mode is "
716 "used.\n");
717 return -1;
718 }
719 cur_rmconf->dh_group = b;
720
721 if (cur_rmconf->dh_group == 0) {
722 yyerror("DH group must be required.\n");
723 return -1;
724 }
725
726 /* DH group settting if PFS is required. */
727 if (oakley_setdhgroup(cur_rmconf->dh_group,
728 &cur_rmconf->dhgrp) < 0) {
729 yyerror("failed to set DH value.\n");
730 return -1;
731 }
732 }
733
734 insrmconf(cur_rmconf);
735
736 cleanprhead();
737 }
738 EOC
739 ;
740 remote_index
741 : ANONYMOUS ike_port
742 {
743 $$ = newsaddr(sizeof(struct sockaddr *));
744 $$->sa_family = AF_UNSPEC;
745 ((struct sockaddr_in *)$$)->sin_port = htons($2);
746 }
747 | ike_addrinfo_port
748 {
749 $$ = $1;
750 if ($$ == NULL) {
751 yyerror("failed to allocate sockaddr");
752 return -1;
753 }
754 }
755 ;
756 remote_specs
757 : /* nothing */
758 | remote_specs remote_spec
759 ;
760 remote_spec
761 : EXCHANGE_MODE exchange_types EOS
762 | DOI DOITYPE { cur_rmconf->doitype = $2; } EOS
763 | SITUATION SITUATIONTYPE { cur_rmconf->sittype = $2; } EOS
764 | CERTIFICATE_TYPE cert_spec
765 | PEERS_CERTFILE QUOTEDSTRING
766 {
767 #ifdef HAVE_SIGNING_C
768 cur_rmconf->getcert_method = ISAKMP_GETCERT_LOCALFILE;
769 cur_rmconf->peerscertfile = strdup($2->v);
770 vfree($2);
771 #else
772 yyerror("directive not supported");
773 return -1;
774 #endif
775 }
776 EOS
777 | PEERS_CERTFILE DNSSEC
778 {
779 #ifdef HAVE_SIGNING_C
780 cur_rmconf->getcert_method = ISAKMP_GETCERT_DNS;
781 cur_rmconf->peerscertfile = NULL;
782 #else
783 yyerror("directive not supported");
784 return -1;
785 #endif
786 }
787 EOS
788 | VERIFY_CERT SWITCH { cur_rmconf->verify_cert = $2; } EOS
789 | SEND_CERT SWITCH { cur_rmconf->send_cert = $2; } EOS
790 | SEND_CR SWITCH { cur_rmconf->send_cr = $2; } EOS
791 | CERTIFICATE_VERIFICATION VERIFICATION_MODULE { cur_rmconf->cert_verification = $2; } EOS
792 | CERTIFICATE_VERIFICATION VERIFICATION_MODULE VERIFICATION_OPTION
793 {
794 cur_rmconf->cert_verification = $2;
795 cur_rmconf->cert_verification_option = $3;
796 }
797 EOS
798 | OPEN_DIR_AUTH_GROUP QUOTEDSTRING { cur_rmconf->open_dir_auth_group = $2; } EOS
799 | IDENTIFIER IDENTIFIERTYPE
800 {
801 /*XXX to be deleted */
802 cur_rmconf->idvtype = $2;
803 }
804 EOS
805 | MY_IDENTIFIER IDENTIFIERTYPE identifierstring
806 {
807 if (set_identifier(&cur_rmconf->idv, $2, $3) != 0) {
808 yyerror("failed to set identifer.\n");
809 vfree($3);
810 return -1;
811 }
812 vfree($3);
813 cur_rmconf->idvtype = $2;
814 }
815 EOS
816 | PEERS_IDENTIFIER IDENTIFIERTYPE identifierstring
817 {
818 if (set_identifier(&cur_rmconf->idv_p, $2, $3) != 0) {
819 yyerror("failed to set identifer.\n");
820 vfree($3);
821 return -1;
822 }
823 vfree($3);
824 cur_rmconf->idvtype_p = $2;
825 }
826 EOS
827 | VERIFY_IDENTIFIER SWITCH { cur_rmconf->verify_identifier = $2; } EOS
828 | SHARED_SECRET SECRETTYPE QUOTEDSTRING { cur_rmconf->secrettype = $2; cur_rmconf->shared_secret = $3; } EOS
829 | NONCE_SIZE NUMBER { cur_rmconf->nonce_size = $2; } EOS
830 | DH_GROUP
831 {
832 yyerror("dh_group cannot be defined here.");
833 return -1;
834 }
835 dh_group_num EOS
836 | KEEPALIVE { cur_rmconf->keepalive = TRUE; } EOS
837 | PASSIVE SWITCH { cur_rmconf->passive = $2; } EOS
838 | GENERATE_POLICY SWITCH { cur_rmconf->gen_policy = $2; } EOS
839 | SUPPORT_MIP6 SWITCH { cur_rmconf->support_mip6 = $2; } EOS
840 | INITIAL_CONTACT SWITCH { cur_rmconf->ini_contact = $2; } EOS
841 | PROPOSAL_CHECK PROPOSAL_CHECK_LEVEL { cur_rmconf->pcheck_level = $2; } EOS
842 | LIFETIME LIFETYPE_TIME NUMBER unittype_time
843 {
844 prhead->lifetime = $3 * $4;
845 }
846 EOS
847 | LIFETIME LIFETYPE_BYTE NUMBER unittype_byte
848 {
849 #if 1
850 yyerror("byte lifetime support is deprecated");
851 return -1;
852 #else
853 yywarn("the lifetime of bytes in phase 1 "
854 "will be ignored at the moment.");
855 prhead->lifebyte = fix_lifebyte($3 * $4);
856 if (prhead->lifebyte == 0)
857 return -1;
858 #endif
859 }
860 EOS
861 | PROPOSAL
862 {
863 struct secprotospec *spspec;
864
865 spspec = newspspec();
866 if (spspec == NULL)
867 return -1;
868 insspspec(spspec, &prhead);
869 }
870 BOC isakmpproposal_specs EOC
871 ;
872 exchange_types
873 : /* nothing */
874 | exchange_types EXCHANGETYPE
875 {
876 struct etypes *new;
877 new = racoon_malloc(sizeof(struct etypes));
878 if (new == NULL) {
879 yyerror("filed to allocate etypes");
880 return -1;
881 }
882 new->type = $2;
883 new->next = NULL;
884 if (cur_rmconf->etypes == NULL)
885 cur_rmconf->etypes = new;
886 else {
887 struct etypes *p;
888 for (p = cur_rmconf->etypes;
889 p->next != NULL;
890 p = p->next)
891 ;
892 p->next = new;
893 }
894 }
895 ;
896 cert_spec
897 : CERT_X509 QUOTEDSTRING QUOTEDSTRING
898 {
899 #ifdef HAVE_SIGNING_C
900 cur_rmconf->certtype = $1;
901 cur_rmconf->mycertfile = strdup($2->v);
902 vfree($2);
903 cur_rmconf->myprivfile = strdup($3->v);
904 vfree($3);
905 #else
906 yyerror("directive not supported");
907 return -1;
908 #endif
909 }
910 EOS
911 | CERT_X509 IN_KEYCHAIN
912 {
913 cur_rmconf->certtype = $1;
914 cur_rmconf->identity_in_keychain = 1;
915 cur_rmconf->keychainCertRef = 0;
916 }
917 EOS
918 ;
919 | CERT_X509 IN_KEYCHAIN QUOTEDSTRING
920 {
921 int result;
922
923 cur_rmconf->certtype = $1;
924 cur_rmconf->identity_in_keychain = 1;
925 result = base64toCFData($3, &cur_rmconf->keychainCertRef);
926 vfree($3);
927 if (result)
928 return -1;
929 }
930 EOS
931 ;
932
933 dh_group_num
934 : ALGORITHMTYPE
935 {
936 $$ = algtype2doi(algclass_isakmp_dh, $1);
937 if ($$ == -1) {
938 yyerror("must be DH group");
939 return -1;
940 }
941 }
942 | NUMBER
943 {
944 if (ARRAYLEN(num2dhgroup) > $1 && num2dhgroup[$1] != 0) {
945 $$ = num2dhgroup[$1];
946 } else {
947 yyerror("must be DH group");
948 return -1;
949 }
950 }
951 ;
952 identifierstring
953 : /* nothing */ { $$ = NULL; }
954 | ADDRSTRING { $$ = $1; }
955 | QUOTEDSTRING { $$ = $1; }
956 ;
957 isakmpproposal_specs
958 : /* nothing */
959 | isakmpproposal_specs isakmpproposal_spec
960 ;
961 isakmpproposal_spec
962 : STRENGTH
963 {
964 yyerror("strength directive is obsoleted.");
965 } STRENGTHTYPE EOS
966 | LIFETIME LIFETYPE_TIME NUMBER unittype_time
967 {
968 prhead->spspec->lifetime = $3 * $4;
969 }
970 EOS
971 | LIFETIME LIFETYPE_BYTE NUMBER unittype_byte
972 {
973 #if 1
974 yyerror("byte lifetime support is deprecated");
975 return -1;
976 #else
977 prhead->spspec->lifebyte = fix_lifebyte($3 * $4);
978 if (prhead->spspec->lifebyte == 0)
979 return -1;
980 #endif
981 }
982 EOS
983 | DH_GROUP dh_group_num
984 {
985 prhead->spspec->algclass[algclass_isakmp_dh] = $2;
986 }
987 EOS
988 | GSSAPI_ID QUOTEDSTRING
989 {
990 if (prhead->spspec->vendorid != VENDORID_GSSAPI) {
991 yyerror("wrong Vendor ID for gssapi_id");
992 return -1;
993 }
994 prhead->spspec->gssid = strdup($2->v);
995 }
996 EOS
997 | ALGORITHM_CLASS ALGORITHMTYPE keylength
998 {
999 int doi;
1000 int defklen;
1001
1002 doi = algtype2doi($1, $2);
1003 if (doi == -1) {
1004 yyerror("algorithm mismatched 1");
1005 return -1;
1006 }
1007
1008 switch ($1) {
1009 case algclass_isakmp_enc:
1010 /* reject suppressed algorithms */
1011 #ifndef HAVE_OPENSSL_RC5_H
1012 if ($2 == algtype_rc5) {
1013 yyerror("algorithm %s not supported",
1014 s_attr_isakmp_enc(doi));
1015 return -1;
1016 }
1017 #endif
1018 #ifndef HAVE_OPENSSL_IDEA_H
1019 if ($2 == algtype_idea) {
1020 yyerror("algorithm %s not supported",
1021 s_attr_isakmp_enc(doi));
1022 return -1;
1023 }
1024 #endif
1025
1026 prhead->spspec->algclass[algclass_isakmp_enc] = doi;
1027 defklen = default_keylen($1, $2);
1028 if (defklen == 0) {
1029 if ($3) {
1030 yyerror("keylen not allowed");
1031 return -1;
1032 }
1033 } else {
1034 if ($3 && check_keylen($1, $2, $3) < 0) {
1035 yyerror("invalid keylen %d", $3);
1036 return -1;
1037 }
1038 }
1039 if ($3)
1040 prhead->spspec->encklen = $3;
1041 else
1042 prhead->spspec->encklen = defklen;
1043 break;
1044 case algclass_isakmp_hash:
1045 prhead->spspec->algclass[algclass_isakmp_hash] = doi;
1046 break;
1047 case algclass_isakmp_ameth:
1048 prhead->spspec->algclass[algclass_isakmp_ameth] = doi;
1049 /*
1050 * We may have to set the Vendor ID for the
1051 * authentication method we're using.
1052 */
1053 switch ($2) {
1054 case algtype_gssapikrb:
1055 if (prhead->spspec->vendorid !=
1056 VENDORID_UNKNOWN) {
1057 yyerror("Vendor ID mismatch "
1058 "for auth method");
1059 return -1;
1060 }
1061 /*
1062 * For interoperability with Win2k,
1063 * we set the Vendor ID to "GSSAPI".
1064 */
1065 prhead->spspec->vendorid =
1066 VENDORID_GSSAPI;
1067 break;
1068 default:
1069 break;
1070 }
1071 break;
1072 default:
1073 yyerror("algorithm mismatched 2");
1074 return -1;
1075 }
1076 }
1077 EOS
1078 ;
1079
1080 unittype_time
1081 : UNITTYPE_SEC { $$ = 1; }
1082 | UNITTYPE_MIN { $$ = 60; }
1083 | UNITTYPE_HOUR { $$ = (60 * 60); }
1084 ;
1085 unittype_byte
1086 : UNITTYPE_BYTE { $$ = 1; }
1087 | UNITTYPE_KBYTES { $$ = 1024; }
1088 | UNITTYPE_MBYTES { $$ = (1024 * 1024); }
1089 | UNITTYPE_TBYTES { $$ = (1024 * 1024 * 1024); }
1090 ;
1091 %%
1092
1093 static struct proposalspec *
1094 newprspec()
1095 {
1096 struct proposalspec *new;
1097
1098 new = racoon_calloc(1, sizeof(*new));
1099 if (new == NULL)
1100 yyerror("failed to allocate proposal");
1101
1102 return new;
1103 }
1104
1105 static void
1106 cleanprhead()
1107 {
1108 struct proposalspec *p, *next;
1109
1110 if (prhead == NULL)
1111 return;
1112
1113 for (p = prhead; p != NULL; p = next) {
1114 struct secprotospec *psp, *nextsp;
1115 for (psp = p->spspec; psp; psp = nextsp) {
1116 nextsp = psp->next;
1117 racoon_free(p->spspec);
1118 }
1119 next = p->next;
1120 racoon_free(p);
1121 }
1122
1123 prhead = NULL;
1124 }
1125
1126 /*
1127 * insert into head of list.
1128 */
1129 static void
1130 insprspec(prspec, head)
1131 struct proposalspec *prspec;
1132 struct proposalspec **head;
1133 {
1134 if (*head != NULL)
1135 (*head)->prev = prspec;
1136 prspec->next = *head;
1137 *head = prspec;
1138 }
1139
1140 static struct secprotospec *
1141 newspspec()
1142 {
1143 struct secprotospec *new;
1144
1145 new = racoon_calloc(1, sizeof(*new));
1146 if (new == NULL) {
1147 yyerror("failed to allocate spproto");
1148 return NULL;
1149 }
1150
1151 new->encklen = 0; /*XXX*/
1152
1153 /*
1154 * Default to "uknown" vendor -- we will override this
1155 * as necessary. When we send a Vendor ID payload, an
1156 * "unknown" will be translated to a KAME/racoon ID.
1157 */
1158 new->vendorid = VENDORID_UNKNOWN;
1159
1160 return new;
1161 }
1162
1163 /*
1164 * insert into head of list.
1165 */
1166 static void
1167 insspspec(spspec, head)
1168 struct secprotospec *spspec;
1169 struct proposalspec **head;
1170 {
1171 spspec->back = *head;
1172
1173 if ((*head)->spspec != NULL)
1174 (*head)->spspec->prev = spspec;
1175 spspec->next = (*head)->spspec;
1176 (*head)->spspec = spspec;
1177 }
1178
1179 /* set final acceptable proposal */
1180 static int
1181 set_isakmp_proposal(rmconf, prspec)
1182 struct remoteconf *rmconf;
1183 struct proposalspec *prspec;
1184 {
1185 struct proposalspec *p;
1186 struct secprotospec *s;
1187 int prop_no = 1;
1188 int trns_no = 1;
1189 u_int32_t types[MAXALGCLASS];
1190
1191 p = prspec;
1192 if (p->next != 0) {
1193 plog(LLV_ERROR, LOCATION, NULL,
1194 "multiple proposal definition.\n");
1195 return -1;
1196 }
1197
1198 /* mandatory check */
1199 if (p->spspec == NULL) {
1200 yyerror("no remote specification found: %s.\n",
1201 rm2str(rmconf));
1202 return -1;
1203 }
1204 for (s = p->spspec; s != NULL; s = s->next) {
1205 /* XXX need more to check */
1206 if (s->algclass[algclass_isakmp_enc] == 0) {
1207 yyerror("encryption algorithm required.");
1208 return -1;
1209 }
1210 if (s->algclass[algclass_isakmp_hash] == 0) {
1211 yyerror("hash algorithm required.");
1212 return -1;
1213 }
1214 if (s->algclass[algclass_isakmp_dh] == 0) {
1215 yyerror("DH group required.");
1216 return -1;
1217 }
1218 if (s->algclass[algclass_isakmp_ameth] == 0) {
1219 yyerror("authentication method required.");
1220 return -1;
1221 }
1222 }
1223
1224 /* skip to last part */
1225 for (s = p->spspec; s->next != NULL; s = s->next)
1226 ;
1227
1228 while (s != NULL) {
1229 plog(LLV_DEBUG2, LOCATION, NULL,
1230 "lifetime = %ld\n", (long)
1231 (s->lifetime ? s->lifetime : p->lifetime));
1232 plog(LLV_DEBUG2, LOCATION, NULL,
1233 "lifebyte = %d\n",
1234 s->lifebyte ? s->lifebyte : p->lifebyte);
1235 plog(LLV_DEBUG2, LOCATION, NULL,
1236 "encklen=%d\n", s->encklen);
1237
1238 memset(types, 0, ARRAYLEN(types));
1239 types[algclass_isakmp_enc] = s->algclass[algclass_isakmp_enc];
1240 types[algclass_isakmp_hash] = s->algclass[algclass_isakmp_hash];
1241 types[algclass_isakmp_dh] = s->algclass[algclass_isakmp_dh];
1242 types[algclass_isakmp_ameth] =
1243 s->algclass[algclass_isakmp_ameth];
1244
1245 /* expanding spspec */
1246 clean_tmpalgtype();
1247 trns_no = expand_isakmpspec(prop_no, trns_no, types,
1248 algclass_isakmp_enc, algclass_isakmp_ameth + 1,
1249 s->lifetime ? s->lifetime : p->lifetime,
1250 s->lifebyte ? s->lifebyte : p->lifebyte,
1251 s->encklen, s->vendorid, s->gssid,
1252 rmconf);
1253 if (trns_no == -1) {
1254 plog(LLV_ERROR, LOCATION, NULL,
1255 "failed to expand isakmp proposal.\n");
1256 return -1;
1257 }
1258
1259 s = s->prev;
1260 }
1261
1262 if (rmconf->proposal == NULL) {
1263 plog(LLV_ERROR, LOCATION, NULL,
1264 "no proposal found.\n");
1265 return -1;
1266 }
1267
1268 return 0;
1269 }
1270
1271 static void
1272 clean_tmpalgtype()
1273 {
1274 int i;
1275 for (i = 0; i < MAXALGCLASS; i++)
1276 tmpalgtype[i] = 0; /* means algorithm undefined. */
1277 }
1278
1279 static int
1280 expand_isakmpspec(prop_no, trns_no, types,
1281 class, last, lifetime, lifebyte, encklen, vendorid, gssid,
1282 rmconf)
1283 int prop_no, trns_no;
1284 int *types, class, last;
1285 time_t lifetime;
1286 int lifebyte;
1287 int encklen;
1288 int vendorid;
1289 char *gssid;
1290 struct remoteconf *rmconf;
1291 {
1292 struct isakmpsa *new;
1293
1294 /* debugging */
1295 {
1296 int j;
1297 char tb[10];
1298 plog(LLV_DEBUG2, LOCATION, NULL,
1299 "p:%d t:%d\n", prop_no, trns_no);
1300 for (j = class; j < MAXALGCLASS; j++) {
1301 snprintf(tb, sizeof(tb), "%d", types[j]);
1302 plog(LLV_DEBUG2, LOCATION, NULL,
1303 "%s%s%s%s\n",
1304 s_algtype(j, types[j]),
1305 types[j] ? "(" : "",
1306 tb[0] == '0' ? "" : tb,
1307 types[j] ? ")" : "");
1308 }
1309 plog(LLV_DEBUG2, LOCATION, NULL, "\n");
1310 }
1311
1312 #define TMPALGTYPE2STR(n) \
1313 s_algtype(algclass_isakmp_##n, types[algclass_isakmp_##n])
1314 /* check mandatory values */
1315 if (types[algclass_isakmp_enc] == 0
1316 || types[algclass_isakmp_ameth] == 0
1317 || types[algclass_isakmp_hash] == 0
1318 || types[algclass_isakmp_dh] == 0) {
1319 yyerror("few definition of algorithm "
1320 "enc=%s ameth=%s hash=%s dhgroup=%s.\n",
1321 TMPALGTYPE2STR(enc),
1322 TMPALGTYPE2STR(ameth),
1323 TMPALGTYPE2STR(hash),
1324 TMPALGTYPE2STR(dh));
1325 return -1;
1326 }
1327 #undef TMPALGTYPE2STR
1328
1329 /* set new sa */
1330 new = newisakmpsa();
1331 if (new == NULL) {
1332 yyerror("failed to allocate isakmp sa");
1333 return -1;
1334 }
1335 new->prop_no = prop_no;
1336 new->trns_no = trns_no++;
1337 new->lifetime = lifetime;
1338 new->lifebyte = lifebyte;
1339 new->enctype = types[algclass_isakmp_enc];
1340 new->encklen = encklen;
1341 new->authmethod = types[algclass_isakmp_ameth];
1342 new->hashtype = types[algclass_isakmp_hash];
1343 new->dh_group = types[algclass_isakmp_dh];
1344 new->vendorid = vendorid;
1345 #ifdef HAVE_GSSAPI
1346 if (gssid != NULL) {
1347 new->gssid = vmalloc(strlen(gssid) + 1);
1348 memcpy(new->gssid->v, gssid, new->gssid->l);
1349 racoon_free(gssid);
1350 } else
1351 new->gssid = NULL;
1352 #endif
1353 insisakmpsa(new, rmconf);
1354
1355 return trns_no;
1356 }
1357
1358 #if 0
1359 /*
1360 * fix lifebyte.
1361 * Must be more than 1024B because its unit is kilobytes.
1362 * That is defined RFC2407.
1363 */
1364 static int
1365 fix_lifebyte(t)
1366 unsigned long t;
1367 {
1368 if (t < 1024) {
1369 yyerror("byte size should be more than 1024B.");
1370 return 0;
1371 }
1372
1373 return(t / 1024);
1374 }
1375 #endif
1376
1377 extern int yyparse(void);
1378
1379 int
1380 cfparse()
1381 {
1382 int error;
1383
1384 yycf_init_buffer();
1385
1386 if (yycf_switch_buffer(lcconf->racoon_conf) != 0)
1387 return -1;
1388
1389 prhead = NULL;
1390
1391 error = yyparse();
1392 if (error != 0) {
1393 if (yyerrorcount) {
1394 plog(LLV_ERROR, LOCATION, NULL,
1395 "fatal parse failure (%d errors)\n",
1396 yyerrorcount);
1397 } else {
1398 plog(LLV_ERROR, LOCATION, NULL,
1399 "fatal parse failure.\n");
1400 }
1401 return -1;
1402 }
1403
1404 if (error == 0 && yyerrorcount) {
1405 plog(LLV_ERROR, LOCATION, NULL,
1406 "parse error is nothing, but yyerrorcount is %d.\n",
1407 yyerrorcount);
1408 exit(1);
1409 }
1410
1411 yycf_clean_buffer();
1412
1413 plog(LLV_DEBUG2, LOCATION, NULL, "parse successed.\n");
1414
1415 return 0;
1416 }
1417
1418 int
1419 cfreparse()
1420 {
1421 flushph2();
1422 flushph1();
1423 flushrmconf();
1424 flushsainfo();
1425 cleanprhead();
1426 clean_tmpalgtype();
1427
1428 return(cfparse());
1429 }
1430
1431
1432 /* -----------------------------------------------------------------------------
1433 The base-64 encoding packs three 8-bit bytes into four 7-bit ASCII
1434 characters. If the number of bytes in the original data isn't divisable
1435 by three, "=" characters are used to pad the encoded data. The complete
1436 set of characters used in base-64 are:
1437 'A'..'Z' => 00..25
1438 'a'..'z' => 26..51
1439 '0'..'9' => 52..61
1440 '+' => 62
1441 '/' => 63
1442 '=' => pad
1443
1444 ----------------------------------------------------------------------------- */
1445 static const signed char base64_DecodeTable[128] = {
1446 /* 000 */ -1, -1, -1, -1, -1, -1, -1, -1,
1447 /* 010 */ -1, -1, -1, -1, -1, -1, -1, -1,
1448 /* 020 */ -1, -1, -1, -1, -1, -1, -1, -1,
1449 /* 030 */ -1, -1, -1, -1, -1, -1, -1, -1,
1450 /* ' ' */ -1, -1, -1, -1, -1, -1, -1, -1,
1451 /* '(' */ -1, -1, -1, 62, -1, -1, -1, 63,
1452 /* '0' */ 52, 53, 54, 55, 56, 57, 58, 59,
1453 /* '8' */ 60, 61, -1, -1, -1, 0, -1, -1,
1454 /* '@' */ -1, 0, 1, 2, 3, 4, 5, 6,
1455 /* 'H' */ 7, 8, 9, 10, 11, 12, 13, 14,
1456 /* 'P' */ 15, 16, 17, 18, 19, 20, 21, 22,
1457 /* 'X' */ 23, 24, 25, -1, -1, -1, -1, -1,
1458 /* '`' */ -1, 26, 27, 28, 29, 30, 31, 32,
1459 /* 'h' */ 33, 34, 35, 36, 37, 38, 39, 40,
1460 /* 'p' */ 41, 42, 43, 44, 45, 46, 47, 48,
1461 /* 'x' */ 49, 50, 51, -1, -1, -1, -1, -1
1462 };
1463
1464 static int base64toCFData(vchar_t *textin, CFDataRef *dataRef)
1465 {
1466 uint8_t *tmpbuf;
1467 uint8_t c;
1468 int tmpbufpos = 0;
1469 int numeq = 0;
1470 int acc = 0;
1471 int cntr = 0;
1472 uint8_t *textcur = textin->v;
1473 int len = textin->l;
1474 int i;
1475
1476 tmpbuf = malloc(len); // len of result will be less than encoded len
1477 if (tmpbuf == NULL) {
1478 yyerror("memory error - could not allocate buffer for certificate reference conversion from base-64.");
1479 return -1;
1480 }
1481
1482 for (i = 0; i < len; i++) {
1483 c = *(textcur++);
1484 if (c == '=')
1485 numeq++;
1486 else if (!isspace(c))
1487 numeq = 0;
1488 if (base64_DecodeTable[c] < 0)
1489 continue;
1490 cntr++;
1491 acc <<= 6;
1492 acc += base64_DecodeTable[c];
1493 if (0 == (cntr & 0x3)) {
1494 tmpbuf[tmpbufpos++] = (acc >> 16) & 0xff;
1495 if (numeq < 2)
1496 tmpbuf[tmpbufpos++] = (acc >> 8) & 0xff;
1497 if (numeq < 1)
1498 tmpbuf[tmpbufpos++] = acc & 0xff;
1499 }
1500 }
1501 *dataRef = CFDataCreate(NULL, tmpbuf, tmpbufpos);
1502 free(tmpbuf);
1503 return 0;
1504
1505 }
1506