From 0d1708823e9b92c30eeadb465b6d2821c48e3fe1 Mon Sep 17 00:00:00 2001
From: Hans-Joerg Hoexer
Date: Mon, 29 May 2006 03:38:29 +0000
Subject: unify expansion of SA rules. Needed for general rule expansion.
---
 sbin/ipsecctl/parse.y | 57 +++++++++++++++++++++++++--------------------------
 1 file changed, 28 insertions(+), 29 deletions(-)
diff --git a/sbin/ipsecctl/parse.y b/sbin/ipsecctl/parse.y
index eb38e049218..32a7b5367c1 100644
--- a/sbin/ipsecctl/parse.y
+++ b/sbin/ipsecctl/parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.70 2006/05/28 21:24:09 hshoexer Exp $ */
+/* $OpenBSD: parse.y,v 1.71 2006/05/29 03:38:28 hshoexer Exp $ */
 /*
  * Copyright (c) 2002, 2003, 2004 Henning Brauer
@@ -154,6 +154,8 @@ struct ipsec_rule *create_sa(u_int8_t, u_int8_t, struct ipsec_addr_wrap *,
 struct ipsec_addr_wrap *, u_int32_t, struct ipsec_transforms *, struct ipsec_key *, struct ipsec_key *);
+int expand_sa(struct ipsec_rule *, u_int32_t,
+ struct ipsec_key *, struct ipsec_key *);
 struct ipsec_rule *reverse_sa(struct ipsec_rule *, u_int32_t,
 struct ipsec_key *, struct ipsec_key *);
 struct ipsec_rule *create_flow(u_int8_t, u_int8_t, struct
@@ -287,20 +289,8 @@ tcpmd5rule : TCPMD5 hosts spispec authkeyspec {
 YYERROR;
 r->nr = ipsec->rule_nr++;
- if (ipsecctl_add_rule(ipsec, r))
- errx(1, "tcpmd5rule: ipsecctl_add_rule");
-
- /* Create and add reverse SA rule. */
- if ($3.spiin != 0 || $4.keyin != NULL) {
- r = reverse_sa(r, $3.spiin, $4.keyin, NULL);
- if (r == NULL)
- YYERROR;
- r->nr = ipsec->rule_nr++;
-
- if (ipsecctl_add_rule(ipsec, r))
- errx(1, "tcpmd5rule: "
- "ipsecctl_add_rule");
- }
+ if (expand_sa(r, $3.spiin, $4.keyin, NULL))
+ errx(1, "tcpmd5rule: expand_sa");
 }
 ;
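Review bot: The new `if (expand_sa(r, $3.spiin, $4.keyin, NULL)) errx(1, "tcpmd5rule: expand_sa");` folds two formerly distinct error paths into one hard exit: a failed ipsecctl_add_rule() was already fatal, but reverse_sa() returning NULL used to be a YYERROR, i.e. a parse error reported through the grammar rather than an abort. The sarule hunk makes the same change with `errx(1, "sarule: expand_sa")`. Whether reverse_sa() prints a diagnostic of its own before returning NULL is not visible here; if it does not, the only message the user now gets is the function name. If the distinction is worth keeping, expand_sa() could return a different value for the reverse_sa() case and the action could keep `YYERROR` for it, with errx reserved for the add failure. The tcpmd5rule action begins before this hunk.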
@@ -314,20 +304,8 @@ sarule : satype tmode hosts spispec transforms authkeyspec
 YYERROR;
 r->nr = ipsec->rule_nr++;
- if (ipsecctl_add_rule(ipsec, r))
- errx(1, "sarule: ipsecctl_add_rule");
-
- /* Create and add reverse SA rule. */
- if ($4.spiin != 0 || $6.keyin || $7.keyin) {
- r = reverse_sa(r, $4.spiin, $6.keyin,
- $7.keyin);
- if (r == NULL)
- YYERROR;
- r->nr = ipsec->rule_nr++;
-
- if (ipsecctl_add_rule(ipsec, r))
- errx(1, "sarule: ipsecctl_add_rule");
- }
+ if (expand_sa(r, $4.spiin, $6.keyin, $7.keyin))
+ errx(1, "sarule: expand_sa");
 }
 ;
@@ -1675,6 +1653,27 @@ create_sa(u_int8_t satype, u_int8_t tmode, struct ipsec_addr_wrap *src, struct
 return r;
 }
+int
+expand_sa(struct ipsec_rule *rule, u_int32_t spi, struct ipsec_key *authkey,
+ struct ipsec_key *enckey)
+{
+ struct ipsec_rule *r;
+
+ if (ipsecctl_add_rule(ipsec, rule))
+ return (1);
+ if (spi != 0 || authkey || enckey) {
+ r = reverse_sa(rule, spi, authkey, enckey);
+ if (r == NULL)
+ return (1);
+ r->nr = ipsec->rule_nr++;
+
+ if (ipsecctl_add_rule(ipsec, r))
+ return (1);
+ }
+
+ return (0);
+}
+
 struct ipsec_rule *
 reverse_sa(struct ipsec_rule *rule, u_int32_t spi, struct ipsec_key *authkey,
 struct ipsec_key *enckey)
--
cgit v1.2.3
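Review bot: expand_sa() returns 1 for both failure modes and carries no header comment, so a caller cannot tell an ipsecctl_add_rule() failure from reverse_sa() returning NULL, and once the first add has succeeded the forward SA is already on the rule list when 1 is returned. Both callers in this commit exit on failure, so nothing is left half-installed today, but a caller that keeps going — which the subject's "general rule expansion" suggests is coming — would end up with an SA pair of which only one direction was added. A contract comment above the definition would make that explicit, e.g. `/* Add rule and, when a return SPI or key was given, its reverse SA. Returns 0 on success, 1 on failure; rule may already be added when 1 is returned. */`. Numbering is also split across two places: the callers assign rule->nr before the call while expand_sa() assigns the reverse rule's nr itself, so moving `rule->nr = ipsec->rule_nr++;` into expand_sa() would keep both in one place. The hunk shows the complete definition of expand_sa(); the reverse_sa() definition that follows continues past its end.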