xref: /freebsd/sbin/setkey/parse.y (revision fcb560670601b2a4d87bb31d7531c8dcc37ee71b)
1 /*	$FreeBSD$	*/
2 /*	$KAME: parse.y,v 1.83 2004/05/18 08:48:23 sakane Exp $	*/
3 
4 /*
5  * Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
6  * All rights reserved.
7  *
8  * Redistribution and use in source and binary forms, with or without
9  * modification, are permitted provided that the following conditions
10  * are met:
11  * 1. Redistributions of source code must retain the above copyright
12  *    notice, this list of conditions and the following disclaimer.
13  * 2. Redistributions in binary form must reproduce the above copyright
14  *    notice, this list of conditions and the following disclaimer in the
15  *    documentation and/or other materials provided with the distribution.
16  * 3. Neither the name of the project nor the names of its contributors
17  *    may be used to endorse or promote products derived from this software
18  *    without specific prior written permission.
19  *
20  * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
21  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23  * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
24  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
25  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
26  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
27  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
28  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
29  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
30  * SUCH DAMAGE.
31  */
32 
33 %{
34 #include <sys/types.h>
35 #include <sys/param.h>
36 #include <sys/socket.h>
37 
38 #include <net/route.h>
39 #include <netinet/in.h>
40 #include <net/pfkeyv2.h>
41 #include <netipsec/key_var.h>
42 #include <netipsec/ipsec.h>
43 #include <arpa/inet.h>
44 
45 #include <string.h>
46 #include <unistd.h>
47 #include <stdio.h>
48 #include <netdb.h>
49 #include <ctype.h>
50 #include <errno.h>
51 
52 #include "libpfkey.h"
53 #include "vchar.h"
54 
55 #define ATOX(c) \
56   (isdigit(c) ? (c - '0') : (isupper(c) ? (c - 'A' + 10) : (c - 'a' + 10)))
57 
58 u_int32_t p_spi;
59 u_int p_ext, p_alg_enc, p_alg_auth, p_replay, p_mode;
60 u_int32_t p_reqid;
61 u_int p_key_enc_len, p_key_auth_len;
62 caddr_t p_key_enc, p_key_auth;
63 time_t p_lt_hard, p_lt_soft;
64 
65 static int p_aiflags = 0, p_aifamily = PF_UNSPEC;
66 
67 static struct addrinfo *parse_addr(char *, char *);
68 static int fix_portstr(vchar_t *, vchar_t *, vchar_t *);
69 static int setvarbuf(char *, int *, struct sadb_ext *, int, caddr_t, int);
70 void parse_init(void);
71 void free_buffer(void);
72 
73 int setkeymsg0(struct sadb_msg *, unsigned int, unsigned int, size_t);
74 static int setkeymsg_spdaddr(unsigned int, unsigned int, vchar_t *,
75 	struct addrinfo *, int, struct addrinfo *, int);
76 static int setkeymsg_addr(unsigned int, unsigned int,
77 	struct addrinfo *, struct addrinfo *, int);
78 static int setkeymsg_add(unsigned int, unsigned int,
79 	struct addrinfo *, struct addrinfo *);
80 extern int setkeymsg(char *, size_t *);
81 extern int sendkeymsg(char *, size_t);
82 
83 extern int yylex(void);
84 extern void yyfatal(const char *);
85 extern void yyerror(const char *);
86 %}
87 
88 %union {
89 	int num;
90 	unsigned long ulnum;
91 	vchar_t val;
92 	struct addrinfo *res;
93 }
94 
95 %token EOT SLASH BLCL ELCL
96 %token ADD GET DELETE DELETEALL FLUSH DUMP
97 %token PR_ESP PR_AH PR_IPCOMP PR_TCP
98 %token F_PROTOCOL F_AUTH F_ENC F_REPLAY F_COMP F_RAWCPI
99 %token F_MODE MODE F_REQID
100 %token F_EXT EXTENSION NOCYCLICSEQ
101 %token ALG_AUTH ALG_AUTH_NOKEY
102 %token ALG_ENC ALG_ENC_NOKEY ALG_ENC_DESDERIV ALG_ENC_DES32IV ALG_ENC_OLD
103 %token ALG_COMP
104 %token F_LIFETIME_HARD F_LIFETIME_SOFT
105 %token DECSTRING QUOTEDSTRING HEXSTRING STRING ANY
106 	/* SPD management */
107 %token SPDADD SPDDELETE SPDDUMP SPDFLUSH
108 %token F_POLICY PL_REQUESTS
109 %token F_AIFLAGS
110 %token TAGGED
111 
112 %type <num> prefix protocol_spec upper_spec
113 %type <num> ALG_ENC ALG_ENC_DESDERIV ALG_ENC_DES32IV ALG_ENC_OLD ALG_ENC_NOKEY
114 %type <num> ALG_AUTH ALG_AUTH_NOKEY
115 %type <num> ALG_COMP
116 %type <num> PR_ESP PR_AH PR_IPCOMP PR_TCP
117 %type <num> EXTENSION MODE
118 %type <ulnum> DECSTRING
119 %type <val> PL_REQUESTS portstr key_string
120 %type <val> policy_requests
121 %type <val> QUOTEDSTRING HEXSTRING STRING
122 %type <val> F_AIFLAGS
123 %type <val> upper_misc_spec policy_spec
124 %type <res> ipaddr
125 
126 %%
127 commands
128 	:	/*NOTHING*/
129 	|	commands command
130 		{
131 			free_buffer();
132 			parse_init();
133 		}
134 	;
135 
136 command
137 	:	add_command
138 	|	get_command
139 	|	delete_command
140 	|	deleteall_command
141 	|	flush_command
142 	|	dump_command
143 	|	spdadd_command
144 	|	spddelete_command
145 	|	spddump_command
146 	|	spdflush_command
147 	;
148 	/* commands concerned with management, there is in tail of this file. */
149 
150 	/* add command */
151 add_command
152 	:	ADD ipaddropts ipaddr ipaddr protocol_spec spi extension_spec algorithm_spec EOT
153 		{
154 			int status;
155 
156 			status = setkeymsg_add(SADB_ADD, $5, $3, $4);
157 			if (status < 0)
158 				return -1;
159 		}
160 	;
161 
162 	/* delete */
163 delete_command
164 	:	DELETE ipaddropts ipaddr ipaddr protocol_spec spi extension_spec EOT
165 		{
166 			int status;
167 
168 			if ($3->ai_next || $4->ai_next) {
169 				yyerror("multiple address specified");
170 				return -1;
171 			}
172 			if (p_mode != IPSEC_MODE_ANY)
173 				yyerror("WARNING: mode is obsolete");
174 
175 			status = setkeymsg_addr(SADB_DELETE, $5, $3, $4, 0);
176 			if (status < 0)
177 				return -1;
178 		}
179 	;
180 
181 	/* deleteall command */
182 deleteall_command
183 	:	DELETEALL ipaddropts ipaddr ipaddr protocol_spec EOT
184 		{
185 			int status;
186 
187 			status = setkeymsg_addr(SADB_DELETE, $5, $3, $4, 1);
188 			if (status < 0)
189 				return -1;
190 		}
191 	;
192 
193 	/* get command */
194 get_command
195 	:	GET ipaddropts ipaddr ipaddr protocol_spec spi extension_spec EOT
196 		{
197 			int status;
198 
199 			if (p_mode != IPSEC_MODE_ANY)
200 				yyerror("WARNING: mode is obsolete");
201 
202 			status = setkeymsg_addr(SADB_GET, $5, $3, $4, 0);
203 			if (status < 0)
204 				return -1;
205 		}
206 	;
207 
208 	/* flush */
209 flush_command
210 	:	FLUSH protocol_spec EOT
211 		{
212 			struct sadb_msg msg;
213 			setkeymsg0(&msg, SADB_FLUSH, $2, sizeof(msg));
214 			sendkeymsg((char *)&msg, sizeof(msg));
215 		}
216 	;
217 
218 	/* dump */
219 dump_command
220 	:	DUMP protocol_spec EOT
221 		{
222 			struct sadb_msg msg;
223 			setkeymsg0(&msg, SADB_DUMP, $2, sizeof(msg));
224 			sendkeymsg((char *)&msg, sizeof(msg));
225 		}
226 	;
227 
228 protocol_spec
229 	:	/*NOTHING*/
230 		{
231 			$$ = SADB_SATYPE_UNSPEC;
232 		}
233 	|	PR_ESP
234 		{
235 			$$ = SADB_SATYPE_ESP;
236 			if ($1 == 1)
237 				p_ext |= SADB_X_EXT_OLD;
238 			else
239 				p_ext &= ~SADB_X_EXT_OLD;
240 		}
241 	|	PR_AH
242 		{
243 			$$ = SADB_SATYPE_AH;
244 			if ($1 == 1)
245 				p_ext |= SADB_X_EXT_OLD;
246 			else
247 				p_ext &= ~SADB_X_EXT_OLD;
248 		}
249 	|	PR_IPCOMP
250 		{
251 			$$ = SADB_X_SATYPE_IPCOMP;
252 		}
253 	|	PR_TCP
254 		{
255 			$$ = SADB_X_SATYPE_TCPSIGNATURE;
256 		}
257 	;
258 
259 spi
260 	:	DECSTRING { p_spi = $1; }
261 	|	HEXSTRING
262 		{
263 			char *ep;
264 			unsigned long v;
265 
266 			ep = NULL;
267 			v = strtoul($1.buf, &ep, 16);
268 			if (!ep || *ep) {
269 				yyerror("invalid SPI");
270 				return -1;
271 			}
272 			if (v & ~0xffffffff) {
273 				yyerror("SPI too big.");
274 				return -1;
275 			}
276 
277 			p_spi = v;
278 		}
279 	;
280 
281 algorithm_spec
282 	:	esp_spec
283 	|	ah_spec
284 	|	ipcomp_spec
285 	;
286 
287 esp_spec
288 	:	F_ENC enc_alg F_AUTH auth_alg
289 	|	F_ENC enc_alg
290 	;
291 
292 ah_spec
293 	:	F_AUTH auth_alg
294 	;
295 
296 ipcomp_spec
297 	:	F_COMP ALG_COMP
298 		{
299 			if ($2 < 0) {
300 				yyerror("unsupported algorithm");
301 				return -1;
302 			}
303 			p_alg_enc = $2;
304 		}
305 	|	F_COMP ALG_COMP F_RAWCPI
306 		{
307 			if ($2 < 0) {
308 				yyerror("unsupported algorithm");
309 				return -1;
310 			}
311 			p_alg_enc = $2;
312 			p_ext |= SADB_X_EXT_RAWCPI;
313 		}
314 	;
315 
316 enc_alg
317 	:	ALG_ENC_NOKEY {
318 			if ($1 < 0) {
319 				yyerror("unsupported algorithm");
320 				return -1;
321 			}
322 			p_alg_enc = $1;
323 
324 			p_key_enc_len = 0;
325 			p_key_enc = NULL;
326 			if (ipsec_check_keylen(SADB_EXT_SUPPORTED_ENCRYPT,
327 			    p_alg_enc, PFKEY_UNUNIT64(p_key_enc_len)) < 0) {
328 				yyerror(ipsec_strerror());
329 				return -1;
330 			}
331 		}
332 	|	ALG_ENC key_string {
333 			if ($1 < 0) {
334 				yyerror("unsupported algorithm");
335 				return -1;
336 			}
337 			p_alg_enc = $1;
338 
339 			p_key_enc_len = $2.len;
340 			p_key_enc = $2.buf;
341 			if (ipsec_check_keylen(SADB_EXT_SUPPORTED_ENCRYPT,
342 			    p_alg_enc, PFKEY_UNUNIT64(p_key_enc_len)) < 0) {
343 				yyerror(ipsec_strerror());
344 				return -1;
345 			}
346 		}
347 	|	ALG_ENC_OLD {
348 			if ($1 < 0) {
349 				yyerror("unsupported algorithm");
350 				return -1;
351 			}
352 			yyerror("WARNING: obsolete algorithm");
353 			p_alg_enc = $1;
354 
355 			p_key_enc_len = 0;
356 			p_key_enc = NULL;
357 			if (ipsec_check_keylen(SADB_EXT_SUPPORTED_ENCRYPT,
358 			    p_alg_enc, PFKEY_UNUNIT64(p_key_enc_len)) < 0) {
359 				yyerror(ipsec_strerror());
360 				return -1;
361 			}
362 		}
363 	|	ALG_ENC_DESDERIV key_string
364 		{
365 			if ($1 < 0) {
366 				yyerror("unsupported algorithm");
367 				return -1;
368 			}
369 			p_alg_enc = $1;
370 			if (p_ext & SADB_X_EXT_OLD) {
371 				yyerror("algorithm mismatched");
372 				return -1;
373 			}
374 			p_ext |= SADB_X_EXT_DERIV;
375 
376 			p_key_enc_len = $2.len;
377 			p_key_enc = $2.buf;
378 			if (ipsec_check_keylen(SADB_EXT_SUPPORTED_ENCRYPT,
379 			    p_alg_enc, PFKEY_UNUNIT64(p_key_enc_len)) < 0) {
380 				yyerror(ipsec_strerror());
381 				return -1;
382 			}
383 		}
384 	|	ALG_ENC_DES32IV key_string
385 		{
386 			if ($1 < 0) {
387 				yyerror("unsupported algorithm");
388 				return -1;
389 			}
390 			p_alg_enc = $1;
391 			if (!(p_ext & SADB_X_EXT_OLD)) {
392 				yyerror("algorithm mismatched");
393 				return -1;
394 			}
395 			p_ext |= SADB_X_EXT_IV4B;
396 
397 			p_key_enc_len = $2.len;
398 			p_key_enc = $2.buf;
399 			if (ipsec_check_keylen(SADB_EXT_SUPPORTED_ENCRYPT,
400 			    p_alg_enc, PFKEY_UNUNIT64(p_key_enc_len)) < 0) {
401 				yyerror(ipsec_strerror());
402 				return -1;
403 			}
404 		}
405 	;
406 
407 auth_alg
408 	:	ALG_AUTH key_string {
409 			if ($1 < 0) {
410 				yyerror("unsupported algorithm");
411 				return -1;
412 			}
413 			p_alg_auth = $1;
414 
415 			p_key_auth_len = $2.len;
416 			p_key_auth = $2.buf;
417 
418 			if (p_alg_auth == SADB_X_AALG_TCP_MD5) {
419 				if ((p_key_auth_len < 1) || (p_key_auth_len >
420 				    80))
421 					return -1;
422 			} else if (ipsec_check_keylen(SADB_EXT_SUPPORTED_AUTH,
423 			    p_alg_auth, PFKEY_UNUNIT64(p_key_auth_len)) < 0) {
424 				yyerror(ipsec_strerror());
425 				return -1;
426 			}
427 		}
428 	|	ALG_AUTH_NOKEY {
429 			if ($1 < 0) {
430 				yyerror("unsupported algorithm");
431 				return -1;
432 			}
433 			p_alg_auth = $1;
434 
435 			p_key_auth_len = 0;
436 			p_key_auth = NULL;
437 		}
438 	;
439 
440 key_string
441 	:	QUOTEDSTRING
442 		{
443 			$$ = $1;
444 		}
445 	|	HEXSTRING
446 		{
447 			caddr_t pp_key;
448 			caddr_t bp;
449 			caddr_t yp = $1.buf;
450 			int l;
451 
452 			l = strlen(yp) % 2 + strlen(yp) / 2;
453 			if ((pp_key = malloc(l)) == 0) {
454 				yyerror("not enough core");
455 				return -1;
456 			}
457 			memset(pp_key, 0, l);
458 
459 			bp = pp_key;
460 			if (strlen(yp) % 2) {
461 				*bp = ATOX(yp[0]);
462 				yp++, bp++;
463 			}
464 			while (*yp) {
465 				*bp = (ATOX(yp[0]) << 4) | ATOX(yp[1]);
466 				yp += 2, bp++;
467 			}
468 
469 			$$.len = l;
470 			$$.buf = pp_key;
471 		}
472 	;
473 
474 extension_spec
475 	:	/*NOTHING*/
476 	|	extension_spec extension
477 	;
478 
479 extension
480 	:	F_EXT EXTENSION { p_ext |= $2; }
481 	|	F_EXT NOCYCLICSEQ { p_ext &= ~SADB_X_EXT_CYCSEQ; }
482 	|	F_MODE MODE { p_mode = $2; }
483 	|	F_MODE ANY { p_mode = IPSEC_MODE_ANY; }
484 	|	F_REQID DECSTRING { p_reqid = $2; }
485 	|	F_REPLAY DECSTRING
486 		{
487 			if ((p_ext & SADB_X_EXT_OLD) != 0) {
488 				yyerror("replay prevention cannot be used with "
489 				    "ah/esp-old");
490 				return -1;
491 			}
492 			p_replay = $2;
493 		}
494 	|	F_LIFETIME_HARD DECSTRING { p_lt_hard = $2; }
495 	|	F_LIFETIME_SOFT DECSTRING { p_lt_soft = $2; }
496 	;
497 
498 	/* definition about command for SPD management */
499 	/* spdadd */
500 spdadd_command
501 	:	SPDADD ipaddropts STRING prefix portstr STRING prefix portstr upper_spec upper_misc_spec policy_spec EOT
502 		{
503 			int status;
504 			struct addrinfo *src, *dst;
505 
506 			/* fixed port fields if ulp is icmpv6 */
507 			if ($10.buf != NULL) {
508 				if ($9 != IPPROTO_ICMPV6)
509 					return -1;
510 				free($5.buf);
511 				free($8.buf);
512 				if (fix_portstr(&$10, &$5, &$8))
513 					return -1;
514 			}
515 
516 			src = parse_addr($3.buf, $5.buf);
517 			dst = parse_addr($6.buf, $8.buf);
518 			if (!src || !dst) {
519 				/* yyerror is already called */
520 				return -1;
521 			}
522 			if (src->ai_next || dst->ai_next) {
523 				yyerror("multiple address specified");
524 				freeaddrinfo(src);
525 				freeaddrinfo(dst);
526 				return -1;
527 			}
528 
529 			status = setkeymsg_spdaddr(SADB_X_SPDADD, $9, &$11,
530 			    src, $4, dst, $7);
531 			freeaddrinfo(src);
532 			freeaddrinfo(dst);
533 			if (status < 0)
534 				return -1;
535 		}
536 	|	SPDADD TAGGED QUOTEDSTRING policy_spec EOT
537 		{
538 			return -1;
539 		}
540 	;
541 
542 spddelete_command
543 	:	SPDDELETE ipaddropts STRING prefix portstr STRING prefix portstr upper_spec upper_misc_spec policy_spec EOT
544 		{
545 			int status;
546 			struct addrinfo *src, *dst;
547 
548 			/* fixed port fields if ulp is icmpv6 */
549 			if ($10.buf != NULL) {
550 				if ($9 != IPPROTO_ICMPV6)
551 					return -1;
552 				free($5.buf);
553 				free($8.buf);
554 				if (fix_portstr(&$10, &$5, &$8))
555 					return -1;
556 			}
557 
558 			src = parse_addr($3.buf, $5.buf);
559 			dst = parse_addr($6.buf, $8.buf);
560 			if (!src || !dst) {
561 				/* yyerror is already called */
562 				return -1;
563 			}
564 			if (src->ai_next || dst->ai_next) {
565 				yyerror("multiple address specified");
566 				freeaddrinfo(src);
567 				freeaddrinfo(dst);
568 				return -1;
569 			}
570 
571 			status = setkeymsg_spdaddr(SADB_X_SPDDELETE, $9, &$11,
572 			    src, $4, dst, $7);
573 			freeaddrinfo(src);
574 			freeaddrinfo(dst);
575 			if (status < 0)
576 				return -1;
577 		}
578 	;
579 
580 spddump_command:
581 		SPDDUMP EOT
582 		{
583 			struct sadb_msg msg;
584 			setkeymsg0(&msg, SADB_X_SPDDUMP, SADB_SATYPE_UNSPEC,
585 			    sizeof(msg));
586 			sendkeymsg((char *)&msg, sizeof(msg));
587 		}
588 	;
589 
590 spdflush_command:
591 		SPDFLUSH EOT
592 		{
593 			struct sadb_msg msg;
594 			setkeymsg0(&msg, SADB_X_SPDFLUSH, SADB_SATYPE_UNSPEC,
595 			    sizeof(msg));
596 			sendkeymsg((char *)&msg, sizeof(msg));
597 		}
598 	;
599 
600 ipaddropts
601 	:	/* nothing */
602 	|	ipaddropts ipaddropt
603 	;
604 
605 ipaddropt
606 	:	F_AIFLAGS
607 		{
608 			char *p;
609 
610 			for (p = $1.buf + 1; *p; p++)
611 				switch (*p) {
612 				case '4':
613 					p_aifamily = AF_INET;
614 					break;
615 #ifdef INET6
616 				case '6':
617 					p_aifamily = AF_INET6;
618 					break;
619 #endif
620 				case 'n':
621 					p_aiflags = AI_NUMERICHOST;
622 					break;
623 				default:
624 					yyerror("invalid flag");
625 					return -1;
626 				}
627 		}
628 	;
629 
630 ipaddr
631 	:	STRING
632 		{
633 			$$ = parse_addr($1.buf, NULL);
634 			if ($$ == NULL) {
635 				/* yyerror already called by parse_addr */
636 				return -1;
637 			}
638 		}
639 	;
640 
641 prefix
642 	:	/*NOTHING*/ { $$ = -1; }
643 	|	SLASH DECSTRING { $$ = $2; }
644 	;
645 
646 portstr
647 	:	/*NOTHING*/
648 		{
649 			$$.buf = strdup("0");
650 			if (!$$.buf) {
651 				yyerror("insufficient memory");
652 				return -1;
653 			}
654 			$$.len = strlen($$.buf);
655 		}
656 	|	BLCL ANY ELCL
657 		{
658 			$$.buf = strdup("0");
659 			if (!$$.buf) {
660 				yyerror("insufficient memory");
661 				return -1;
662 			}
663 			$$.len = strlen($$.buf);
664 		}
665 	|	BLCL DECSTRING ELCL
666 		{
667 			char buf[20];
668 			snprintf(buf, sizeof(buf), "%lu", $2);
669 			$$.buf = strdup(buf);
670 			if (!$$.buf) {
671 				yyerror("insufficient memory");
672 				return -1;
673 			}
674 			$$.len = strlen($$.buf);
675 		}
676 	|	BLCL STRING ELCL
677 		{
678 			$$ = $2;
679 		}
680 	;
681 
682 upper_spec
683 	:	DECSTRING { $$ = $1; }
684 	|	ANY { $$ = IPSEC_ULPROTO_ANY; }
685 	|	PR_TCP { $$ = IPPROTO_TCP; }
686 	|	PR_ESP { $$ = IPPROTO_ESP; }
687 	|	STRING
688 		{
689 			struct protoent *ent;
690 
691 			ent = getprotobyname($1.buf);
692 			if (ent)
693 				$$ = ent->p_proto;
694 			else {
695 				if (strcmp("icmp6", $1.buf) == 0) {
696 					$$ = IPPROTO_ICMPV6;
697 				} else if(strcmp("ip4", $1.buf) == 0) {
698 					$$ = IPPROTO_IPV4;
699 				} else {
700 					yyerror("invalid upper layer protocol");
701 					return -1;
702 				}
703 			}
704 			endprotoent();
705 		}
706 	;
707 
708 upper_misc_spec
709 	:	/*NOTHING*/
710 		{
711 			$$.buf = NULL;
712 			$$.len = 0;
713 		}
714 	|	STRING
715 		{
716 			$$.buf = strdup($1.buf);
717 			if (!$$.buf) {
718 				yyerror("insufficient memory");
719 				return -1;
720 			}
721 			$$.len = strlen($$.buf);
722 		}
723 	;
724 
725 policy_spec
726 	:	F_POLICY policy_requests
727 		{
728 			char *policy;
729 
730 			policy = ipsec_set_policy($2.buf, $2.len);
731 			if (policy == NULL) {
732 				yyerror(ipsec_strerror());
733 				return -1;
734 			}
735 
736 			$$.buf = policy;
737 			$$.len = ipsec_get_policylen(policy);
738 		}
739 	;
740 
741 policy_requests
742 	:	PL_REQUESTS { $$ = $1; }
743 	;
744 
745 %%
746 
747 int
748 setkeymsg0(msg, type, satype, l)
749 	struct sadb_msg *msg;
750 	unsigned int type;
751 	unsigned int satype;
752 	size_t l;
753 {
754 
755 	msg->sadb_msg_version = PF_KEY_V2;
756 	msg->sadb_msg_type = type;
757 	msg->sadb_msg_errno = 0;
758 	msg->sadb_msg_satype = satype;
759 	msg->sadb_msg_reserved = 0;
760 	msg->sadb_msg_seq = 0;
761 	msg->sadb_msg_pid = getpid();
762 	msg->sadb_msg_len = PFKEY_UNIT64(l);
763 	return 0;
764 }
765 
766 /* XXX NO BUFFER OVERRUN CHECK! BAD BAD! */
767 static int
768 setkeymsg_spdaddr(type, upper, policy, srcs, splen, dsts, dplen)
769 	unsigned int type;
770 	unsigned int upper;
771 	vchar_t *policy;
772 	struct addrinfo *srcs;
773 	int splen;
774 	struct addrinfo *dsts;
775 	int dplen;
776 {
777 	struct sadb_msg *msg;
778 	char buf[BUFSIZ];
779 	int l, l0;
780 	struct sadb_address m_addr;
781 	struct addrinfo *s, *d;
782 	int n;
783 	int plen;
784 	struct sockaddr *sa;
785 	int salen;
786 
787 	msg = (struct sadb_msg *)buf;
788 
789 	if (!srcs || !dsts)
790 		return -1;
791 
792 	/* fix up length afterwards */
793 	setkeymsg0(msg, type, SADB_SATYPE_UNSPEC, 0);
794 	l = sizeof(struct sadb_msg);
795 
796 	memcpy(buf + l, policy->buf, policy->len);
797 	l += policy->len;
798 
799 	l0 = l;
800 	n = 0;
801 
802 	/* do it for all src/dst pairs */
803 	for (s = srcs; s; s = s->ai_next) {
804 		for (d = dsts; d; d = d->ai_next) {
805 			/* rewind pointer */
806 			l = l0;
807 
808 			if (s->ai_addr->sa_family != d->ai_addr->sa_family)
809 				continue;
810 			switch (s->ai_addr->sa_family) {
811 			case AF_INET:
812 				plen = sizeof(struct in_addr) << 3;
813 				break;
814 #ifdef INET6
815 			case AF_INET6:
816 				plen = sizeof(struct in6_addr) << 3;
817 				break;
818 #endif
819 			default:
820 				continue;
821 			}
822 
823 			/* set src */
824 			sa = s->ai_addr;
825 			salen = s->ai_addr->sa_len;
826 			m_addr.sadb_address_len = PFKEY_UNIT64(sizeof(m_addr) +
827 			    PFKEY_ALIGN8(salen));
828 			m_addr.sadb_address_exttype = SADB_EXT_ADDRESS_SRC;
829 			m_addr.sadb_address_proto = upper;
830 			m_addr.sadb_address_prefixlen =
831 			    (splen >= 0 ? splen : plen);
832 			m_addr.sadb_address_reserved = 0;
833 
834 			setvarbuf(buf, &l, (struct sadb_ext *)&m_addr,
835 			    sizeof(m_addr), (caddr_t)sa, salen);
836 
837 			/* set dst */
838 			sa = d->ai_addr;
839 			salen = d->ai_addr->sa_len;
840 			m_addr.sadb_address_len = PFKEY_UNIT64(sizeof(m_addr) +
841 			    PFKEY_ALIGN8(salen));
842 			m_addr.sadb_address_exttype = SADB_EXT_ADDRESS_DST;
843 			m_addr.sadb_address_proto = upper;
844 			m_addr.sadb_address_prefixlen =
845 			    (dplen >= 0 ? dplen : plen);
846 			m_addr.sadb_address_reserved = 0;
847 
848 			setvarbuf(buf, &l, (struct sadb_ext *)&m_addr,
849 			    sizeof(m_addr), (caddr_t)sa, salen);
850 
851 			msg->sadb_msg_len = PFKEY_UNIT64(l);
852 
853 			sendkeymsg(buf, l);
854 
855 			n++;
856 		}
857 	}
858 
859 	if (n == 0)
860 		return -1;
861 	else
862 		return 0;
863 }
864 
865 /* XXX NO BUFFER OVERRUN CHECK! BAD BAD! */
866 static int
867 setkeymsg_addr(type, satype, srcs, dsts, no_spi)
868 	unsigned int type;
869 	unsigned int satype;
870 	struct addrinfo *srcs;
871 	struct addrinfo *dsts;
872 	int no_spi;
873 {
874 	struct sadb_msg *msg;
875 	char buf[BUFSIZ];
876 	int l, l0, len;
877 	struct sadb_sa m_sa;
878 	struct sadb_x_sa2 m_sa2;
879 	struct sadb_address m_addr;
880 	struct addrinfo *s, *d;
881 	int n;
882 	int plen;
883 	struct sockaddr *sa;
884 	int salen;
885 
886 	msg = (struct sadb_msg *)buf;
887 
888 	if (!srcs || !dsts)
889 		return -1;
890 
891 	/* fix up length afterwards */
892 	setkeymsg0(msg, type, satype, 0);
893 	l = sizeof(struct sadb_msg);
894 
895 	if (!no_spi) {
896 		len = sizeof(struct sadb_sa);
897 		m_sa.sadb_sa_len = PFKEY_UNIT64(len);
898 		m_sa.sadb_sa_exttype = SADB_EXT_SA;
899 		m_sa.sadb_sa_spi = htonl(p_spi);
900 		m_sa.sadb_sa_replay = p_replay;
901 		m_sa.sadb_sa_state = 0;
902 		m_sa.sadb_sa_auth = p_alg_auth;
903 		m_sa.sadb_sa_encrypt = p_alg_enc;
904 		m_sa.sadb_sa_flags = p_ext;
905 
906 		memcpy(buf + l, &m_sa, len);
907 		l += len;
908 
909 		len = sizeof(struct sadb_x_sa2);
910 		m_sa2.sadb_x_sa2_len = PFKEY_UNIT64(len);
911 		m_sa2.sadb_x_sa2_exttype = SADB_X_EXT_SA2;
912 		m_sa2.sadb_x_sa2_mode = p_mode;
913 		m_sa2.sadb_x_sa2_reqid = p_reqid;
914 
915 		memcpy(buf + l, &m_sa2, len);
916 		l += len;
917 	}
918 
919 	l0 = l;
920 	n = 0;
921 
922 	/* do it for all src/dst pairs */
923 	for (s = srcs; s; s = s->ai_next) {
924 		for (d = dsts; d; d = d->ai_next) {
925 			/* rewind pointer */
926 			l = l0;
927 
928 			if (s->ai_addr->sa_family != d->ai_addr->sa_family)
929 				continue;
930 			switch (s->ai_addr->sa_family) {
931 			case AF_INET:
932 				plen = sizeof(struct in_addr) << 3;
933 				break;
934 #ifdef INET6
935 			case AF_INET6:
936 				plen = sizeof(struct in6_addr) << 3;
937 				break;
938 #endif
939 			default:
940 				continue;
941 			}
942 
943 			/* set src */
944 			sa = s->ai_addr;
945 			salen = s->ai_addr->sa_len;
946 			m_addr.sadb_address_len = PFKEY_UNIT64(sizeof(m_addr) +
947 			    PFKEY_ALIGN8(salen));
948 			m_addr.sadb_address_exttype = SADB_EXT_ADDRESS_SRC;
949 			m_addr.sadb_address_proto = IPSEC_ULPROTO_ANY;
950 			m_addr.sadb_address_prefixlen = plen;
951 			m_addr.sadb_address_reserved = 0;
952 
953 			setvarbuf(buf, &l, (struct sadb_ext *)&m_addr,
954 			    sizeof(m_addr), (caddr_t)sa, salen);
955 
956 			/* set dst */
957 			sa = d->ai_addr;
958 			salen = d->ai_addr->sa_len;
959 			m_addr.sadb_address_len = PFKEY_UNIT64(sizeof(m_addr) +
960 			    PFKEY_ALIGN8(salen));
961 			m_addr.sadb_address_exttype = SADB_EXT_ADDRESS_DST;
962 			m_addr.sadb_address_proto = IPSEC_ULPROTO_ANY;
963 			m_addr.sadb_address_prefixlen = plen;
964 			m_addr.sadb_address_reserved = 0;
965 
966 			setvarbuf(buf, &l, (struct sadb_ext *)&m_addr,
967 			    sizeof(m_addr), (caddr_t)sa, salen);
968 
969 			msg->sadb_msg_len = PFKEY_UNIT64(l);
970 
971 			sendkeymsg(buf, l);
972 
973 			n++;
974 		}
975 	}
976 
977 	if (n == 0)
978 		return -1;
979 	else
980 		return 0;
981 }
982 
983 /* XXX NO BUFFER OVERRUN CHECK! BAD BAD! */
984 static int
985 setkeymsg_add(type, satype, srcs, dsts)
986 	unsigned int type;
987 	unsigned int satype;
988 	struct addrinfo *srcs;
989 	struct addrinfo *dsts;
990 {
991 	struct sadb_msg *msg;
992 	char buf[BUFSIZ];
993 	int l, l0, len;
994 	struct sadb_sa m_sa;
995 	struct sadb_x_sa2 m_sa2;
996 	struct sadb_address m_addr;
997 	struct addrinfo *s, *d;
998 	int n;
999 	int plen;
1000 	struct sockaddr *sa;
1001 	int salen;
1002 
1003 	msg = (struct sadb_msg *)buf;
1004 
1005 	if (!srcs || !dsts)
1006 		return -1;
1007 
1008 	/* fix up length afterwards */
1009 	setkeymsg0(msg, type, satype, 0);
1010 	l = sizeof(struct sadb_msg);
1011 
1012 	/* set encryption algorithm, if present. */
1013 	if (satype != SADB_X_SATYPE_IPCOMP && p_key_enc) {
1014 		struct sadb_key m_key;
1015 
1016 		m_key.sadb_key_len =
1017 			PFKEY_UNIT64(sizeof(m_key)
1018 				   + PFKEY_ALIGN8(p_key_enc_len));
1019 		m_key.sadb_key_exttype = SADB_EXT_KEY_ENCRYPT;
1020 		m_key.sadb_key_bits = p_key_enc_len * 8;
1021 		m_key.sadb_key_reserved = 0;
1022 
1023 		setvarbuf(buf, &l,
1024 			(struct sadb_ext *)&m_key, sizeof(m_key),
1025 			(caddr_t)p_key_enc, p_key_enc_len);
1026 	}
1027 
1028 	/* set authentication algorithm, if present. */
1029 	if (p_key_auth) {
1030 		struct sadb_key m_key;
1031 
1032 		m_key.sadb_key_len =
1033 			PFKEY_UNIT64(sizeof(m_key)
1034 				   + PFKEY_ALIGN8(p_key_auth_len));
1035 		m_key.sadb_key_exttype = SADB_EXT_KEY_AUTH;
1036 		m_key.sadb_key_bits = p_key_auth_len * 8;
1037 		m_key.sadb_key_reserved = 0;
1038 
1039 		setvarbuf(buf, &l,
1040 			(struct sadb_ext *)&m_key, sizeof(m_key),
1041 			(caddr_t)p_key_auth, p_key_auth_len);
1042 	}
1043 
1044 	/* set lifetime for HARD */
1045 	if (p_lt_hard != 0) {
1046 		struct sadb_lifetime m_lt;
1047 		u_int slen = sizeof(struct sadb_lifetime);
1048 
1049 		m_lt.sadb_lifetime_len = PFKEY_UNIT64(slen);
1050 		m_lt.sadb_lifetime_exttype = SADB_EXT_LIFETIME_HARD;
1051 		m_lt.sadb_lifetime_allocations = 0;
1052 		m_lt.sadb_lifetime_bytes = 0;
1053 		m_lt.sadb_lifetime_addtime = p_lt_hard;
1054 		m_lt.sadb_lifetime_usetime = 0;
1055 
1056 		memcpy(buf + l, &m_lt, slen);
1057 		l += slen;
1058 	}
1059 
1060 	/* set lifetime for SOFT */
1061 	if (p_lt_soft != 0) {
1062 		struct sadb_lifetime m_lt;
1063 		u_int slen = sizeof(struct sadb_lifetime);
1064 
1065 		m_lt.sadb_lifetime_len = PFKEY_UNIT64(slen);
1066 		m_lt.sadb_lifetime_exttype = SADB_EXT_LIFETIME_SOFT;
1067 		m_lt.sadb_lifetime_allocations = 0;
1068 		m_lt.sadb_lifetime_bytes = 0;
1069 		m_lt.sadb_lifetime_addtime = p_lt_soft;
1070 		m_lt.sadb_lifetime_usetime = 0;
1071 
1072 		memcpy(buf + l, &m_lt, slen);
1073 		l += slen;
1074 	}
1075 
1076 	len = sizeof(struct sadb_sa);
1077 	m_sa.sadb_sa_len = PFKEY_UNIT64(len);
1078 	m_sa.sadb_sa_exttype = SADB_EXT_SA;
1079 	m_sa.sadb_sa_spi = htonl(p_spi);
1080 	m_sa.sadb_sa_replay = p_replay;
1081 	m_sa.sadb_sa_state = 0;
1082 	m_sa.sadb_sa_auth = p_alg_auth;
1083 	m_sa.sadb_sa_encrypt = p_alg_enc;
1084 	m_sa.sadb_sa_flags = p_ext;
1085 
1086 	memcpy(buf + l, &m_sa, len);
1087 	l += len;
1088 
1089 	len = sizeof(struct sadb_x_sa2);
1090 	m_sa2.sadb_x_sa2_len = PFKEY_UNIT64(len);
1091 	m_sa2.sadb_x_sa2_exttype = SADB_X_EXT_SA2;
1092 	m_sa2.sadb_x_sa2_mode = p_mode;
1093 	m_sa2.sadb_x_sa2_reqid = p_reqid;
1094 
1095 	memcpy(buf + l, &m_sa2, len);
1096 	l += len;
1097 
1098 	l0 = l;
1099 	n = 0;
1100 
1101 	/* do it for all src/dst pairs */
1102 	for (s = srcs; s; s = s->ai_next) {
1103 		for (d = dsts; d; d = d->ai_next) {
1104 			/* rewind pointer */
1105 			l = l0;
1106 
1107 			if (s->ai_addr->sa_family != d->ai_addr->sa_family)
1108 				continue;
1109 			switch (s->ai_addr->sa_family) {
1110 			case AF_INET:
1111 				plen = sizeof(struct in_addr) << 3;
1112 				break;
1113 #ifdef INET6
1114 			case AF_INET6:
1115 				plen = sizeof(struct in6_addr) << 3;
1116 				break;
1117 #endif
1118 			default:
1119 				continue;
1120 			}
1121 
1122 			/* set src */
1123 			sa = s->ai_addr;
1124 			salen = s->ai_addr->sa_len;
1125 			m_addr.sadb_address_len = PFKEY_UNIT64(sizeof(m_addr) +
1126 			    PFKEY_ALIGN8(salen));
1127 			m_addr.sadb_address_exttype = SADB_EXT_ADDRESS_SRC;
1128 			m_addr.sadb_address_proto = IPSEC_ULPROTO_ANY;
1129 			m_addr.sadb_address_prefixlen = plen;
1130 			m_addr.sadb_address_reserved = 0;
1131 
1132 			setvarbuf(buf, &l, (struct sadb_ext *)&m_addr,
1133 			    sizeof(m_addr), (caddr_t)sa, salen);
1134 
1135 			/* set dst */
1136 			sa = d->ai_addr;
1137 			salen = d->ai_addr->sa_len;
1138 			m_addr.sadb_address_len = PFKEY_UNIT64(sizeof(m_addr) +
1139 			    PFKEY_ALIGN8(salen));
1140 			m_addr.sadb_address_exttype = SADB_EXT_ADDRESS_DST;
1141 			m_addr.sadb_address_proto = IPSEC_ULPROTO_ANY;
1142 			m_addr.sadb_address_prefixlen = plen;
1143 			m_addr.sadb_address_reserved = 0;
1144 
1145 			setvarbuf(buf, &l, (struct sadb_ext *)&m_addr,
1146 			    sizeof(m_addr), (caddr_t)sa, salen);
1147 
1148 			msg->sadb_msg_len = PFKEY_UNIT64(l);
1149 
1150 			sendkeymsg(buf, l);
1151 
1152 			n++;
1153 		}
1154 	}
1155 
1156 	if (n == 0)
1157 		return -1;
1158 	else
1159 		return 0;
1160 }
1161 
1162 static struct addrinfo *
1163 parse_addr(host, port)
1164 	char *host;
1165 	char *port;
1166 {
1167 	struct addrinfo hints, *res = NULL;
1168 	int error;
1169 
1170 	memset(&hints, 0, sizeof(hints));
1171 	hints.ai_family = p_aifamily;
1172 	hints.ai_socktype = SOCK_DGRAM;		/*dummy*/
1173 	hints.ai_protocol = IPPROTO_UDP;	/*dummy*/
1174 	hints.ai_flags = p_aiflags;
1175 	error = getaddrinfo(host, port, &hints, &res);
1176 	if (error != 0) {
1177 		yyerror(gai_strerror(error));
1178 		return NULL;
1179 	}
1180 	return res;
1181 }
1182 
1183 static int
1184 fix_portstr(spec, sport, dport)
1185 	vchar_t *spec, *sport, *dport;
1186 {
1187 	char *p, *p2;
1188 	u_int l;
1189 
1190 	l = 0;
1191 	for (p = spec->buf; *p != ',' && *p != '\0' && l < spec->len; p++, l++)
1192 		;
1193 	if (*p == '\0') {
1194 		p2 = "0";
1195 	} else {
1196 		if (*p == ',') {
1197 			*p = '\0';
1198 			p2 = ++p;
1199 		}
1200 		for (p = p2; *p != '\0' && l < spec->len; p++, l++)
1201 			;
1202 		if (*p != '\0' || *p2 == '\0') {
1203 			yyerror("invalid an upper layer protocol spec");
1204 			return -1;
1205 		}
1206 	}
1207 
1208 	sport->buf = strdup(spec->buf);
1209 	if (!sport->buf) {
1210 		yyerror("insufficient memory");
1211 		return -1;
1212 	}
1213 	sport->len = strlen(sport->buf);
1214 	dport->buf = strdup(p2);
1215 	if (!dport->buf) {
1216 		yyerror("insufficient memory");
1217 		return -1;
1218 	}
1219 	dport->len = strlen(dport->buf);
1220 
1221 	return 0;
1222 }
1223 
1224 static int
1225 setvarbuf(buf, off, ebuf, elen, vbuf, vlen)
1226 	char *buf;
1227 	int *off;
1228 	struct sadb_ext *ebuf;
1229 	int elen;
1230 	caddr_t vbuf;
1231 	int vlen;
1232 {
1233 	memset(buf + *off, 0, PFKEY_UNUNIT64(ebuf->sadb_ext_len));
1234 	memcpy(buf + *off, (caddr_t)ebuf, elen);
1235 	memcpy(buf + *off + elen, vbuf, vlen);
1236 	(*off) += PFKEY_ALIGN8(elen + vlen);
1237 
1238 	return 0;
1239 }
1240 
1241 void
1242 parse_init()
1243 {
1244 	p_spi = 0;
1245 
1246 	p_ext = SADB_X_EXT_CYCSEQ;
1247 	p_alg_enc = SADB_EALG_NONE;
1248 	p_alg_auth = SADB_AALG_NONE;
1249 	p_mode = IPSEC_MODE_ANY;
1250 	p_reqid = 0;
1251 	p_replay = 0;
1252 	p_key_enc_len = p_key_auth_len = 0;
1253 	p_key_enc = p_key_auth = 0;
1254 	p_lt_hard = p_lt_soft = 0;
1255 
1256 	p_aiflags = 0;
1257 	p_aifamily = PF_UNSPEC;
1258 
1259 	return;
1260 }
1261 
1262 void
1263 free_buffer()
1264 {
1265 	/* we got tons of memory leaks in the parser anyways, leave them */
1266 
1267 	return;
1268 }
1269