1 /* $FreeBSD: src/usr.sbin/setkey/parse.y,v 1.1.2.2 2001/07/03 11:02:17 ume Exp $ */
2 /* $DragonFly: src/usr.sbin/setkey/parse.y,v 1.4 2004/03/24 18:23:46 cpressey Exp $ */
3 /* $KAME: kame/kame/kame/setkey/parse.y,v 1.36 2001/06/07 15:53:12 sakane Exp $ */
6 * Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 * 2. Redistributions in binary form must reproduce the above copyright
15 * notice, this list of conditions and the following disclaimer in the
16 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the project nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
21 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
35 #include <sys/types.h>
36 #include <sys/param.h>
37 #include <sys/socket.h>
39 #include <net/route.h>
40 #include <netinet/in.h>
41 #include <net/pfkeyv2.h>
42 #include <netkey/key_var.h>
43 #include <netinet6/ipsec.h>
44 #include <arpa/inet.h>
58 (isdigit(c) ? (c - '0') : (isupper(c) ? (c - 'A' + 10) : (c - 'a' + 10) ))
63 struct sockaddr *p_src, *p_dst;
64 u_int p_prefs, p_prefd, p_upper;
65 u_int p_satype, p_ext, p_alg_enc, p_alg_auth, p_replay, p_mode;
67 u_int p_key_enc_len, p_key_auth_len;
68 caddr_t p_key_enc, p_key_auth;
69 time_t p_lt_hard, p_lt_soft;
74 /* temporary buffer */
75 static struct sockaddr *pp_addr;
76 static u_int pp_prefix;
78 static caddr_t pp_key;
80 extern u_char m_buf[BUFSIZ];
82 extern char cmdarg[8192];
85 static struct addrinfo *parse_addr(char *, char *, int);
86 static int setvarbuf(int *, struct sadb_ext *, int, caddr_t, int);
87 void parse_init(void);
88 void free_buffer(void);
90 extern int setkeymsg(void);
91 extern int sendkeymsg(void);
93 extern int yylex(void);
94 extern void yyfatal(const char *);
95 extern void yyerror(const char *);
104 %token ADD GET DELETE DELETEALL FLUSH DUMP
105 %token ADDRESS PREFIX PORT PORTANY
106 %token UP_PROTO PR_ESP PR_AH PR_IPCOMP PR_TCP
107 %token F_PROTOCOL F_AUTH F_ENC F_REPLAY F_COMP F_RAWCPI
108 %token F_MODE MODE F_REQID
109 %token F_EXT EXTENSION NOCYCLICSEQ
110 %token ALG_AUTH ALG_ENC ALG_ENC_DESDERIV ALG_ENC_DES32IV ALG_COMP
111 %token F_LIFETIME_HARD F_LIFETIME_SOFT
112 %token DECSTRING QUOTEDSTRING HEXSTRING STRING ANY
114 %token SPDADD SPDDELETE SPDDUMP SPDFLUSH
115 %token F_POLICY PL_REQUESTS
117 %type <num> PORT PREFIX EXTENSION MODE
118 %type <num> UP_PROTO PR_ESP PR_AH PR_IPCOMP PR_TCP
119 %type <num> ALG_AUTH ALG_ENC ALG_ENC_DESDERIV ALG_ENC_DES32IV ALG_COMP
120 %type <num> DECSTRING
121 %type <val> ADDRESS PL_REQUESTS
122 %type <val> key_string policy_requests
123 %type <val> QUOTEDSTRING HEXSTRING STRING
131 printf("cmdarg:\n%s\n", cmdarg);
153 /* commands concerned with management, there is in tail of this file. */
157 : ADD { p_type = SADB_ADD; }
158 sa_selector_spec extension_spec algorithm_spec EOT
163 : DELETE { p_type = SADB_DELETE; }
164 sa_selector_spec extension_spec
166 if (p_mode != IPSEC_MODE_ANY)
167 yyerror("WARNING: mode is obsoleted.");
172 /* deleteall command */
174 : DELETEALL { p_type = SADB_DELETE; }
175 ipaddress { p_src = pp_addr; }
176 ipaddress { p_dst = pp_addr; }
184 : GET { p_type = SADB_GET; }
185 sa_selector_spec extension_spec
187 if (p_mode != IPSEC_MODE_ANY)
188 yyerror("WARNING: mode is obsoleted.");
195 : FLUSH { p_type = SADB_FLUSH; }
201 : DUMP { p_type = SADB_DUMP; }
205 /* sa_selector_spec */
207 : ipaddress { p_src = pp_addr; }
208 ipaddress { p_dst = pp_addr; }
213 : /*NOTHING*/ { p_satype = SADB_SATYPE_UNSPEC; }
216 p_satype = SADB_SATYPE_ESP;
218 p_ext |= SADB_X_EXT_OLD;
220 p_ext &= ~SADB_X_EXT_OLD;
224 p_satype = SADB_SATYPE_AH;
226 p_ext |= SADB_X_EXT_OLD;
228 p_ext &= ~SADB_X_EXT_OLD;
232 p_satype = SADB_X_SATYPE_IPCOMP;
236 p_satype = SADB_X_SATYPE_TCPSIGNATURE;
241 : DECSTRING { p_spi = $1; }
246 char buf0[4], buf[4];
251 yyerror("SPI too big.");
258 *bp = (ATOX(yp[0]) << 4) | ATOX(yp[1]);
263 for (i = 0; i < 4; i++) buf[i] = 0;
265 for (j = $1.len - 1, i = 3; j >= 0; j--, i--)
269 p_spi = ntohl(*(u_int32_t *)buf);
282 : F_ENC enc_alg enc_key F_AUTH auth_alg auth_key
283 | F_ENC enc_alg enc_key
287 : F_AUTH auth_alg auth_key
291 : F_COMP ALG_COMP { p_alg_enc = $2; }
292 | F_COMP ALG_COMP { p_alg_enc = $2; }
293 F_RAWCPI { p_ext |= SADB_X_EXT_RAWCPI; }
297 : ALG_ENC { p_alg_enc = $1; }
301 if (p_ext & SADB_X_EXT_OLD) {
302 yyerror("algorithm mismatched.");
305 p_ext |= SADB_X_EXT_DERIV;
310 if (!(p_ext & SADB_X_EXT_OLD)) {
311 yyerror("algorithm mismatched.");
314 p_ext |= SADB_X_EXT_IV4B;
321 if (p_alg_enc != SADB_EALG_NULL) {
322 yyerror("no key found.");
328 p_key_enc_len = $1.len;
331 if (ipsec_check_keylen(SADB_EXT_SUPPORTED_ENCRYPT,
333 PFKEY_UNUNIT64(p_key_enc_len)) < 0) {
334 yyerror(ipsec_strerror());
341 : ALG_AUTH { p_alg_auth = $1; }
347 if (p_alg_auth != SADB_X_AALG_NULL) {
348 yyerror("no key found.");
354 p_key_auth_len = $1.len;
357 if (p_alg_auth == SADB_X_AALG_TCP_MD5) {
358 if ((p_key_auth_len < 1) || (p_key_auth_len >
361 } else if (ipsec_check_keylen(SADB_EXT_SUPPORTED_AUTH,
363 PFKEY_UNUNIT64(p_key_auth_len)) < 0) {
364 yyerror(ipsec_strerror());
374 /* free pp_key later */
381 if ((pp_key = malloc($1.len)) == 0) {
383 yyerror("not enough core");
386 memset(pp_key, 0, $1.len);
390 *bp = (ATOX(yp[0]) << 4) | ATOX(yp[1]);
400 | extension_spec extension
404 : F_EXT EXTENSION { p_ext |= $2; }
405 | F_EXT NOCYCLICSEQ { p_ext &= ~SADB_X_EXT_CYCSEQ; }
406 | F_MODE MODE { p_mode = $2; }
407 | F_MODE ANY { p_mode = IPSEC_MODE_ANY; }
408 | F_REQID DECSTRING { p_reqid = $2; }
411 if (p_ext & SADB_X_EXT_OLD) {
412 yyerror("replay prevention "
413 "only use on new spec.");
418 | F_LIFETIME_HARD DECSTRING { p_lt_hard = $2; }
419 | F_LIFETIME_SOFT DECSTRING { p_lt_soft = $2; }
422 /* definition about command for SPD management */
427 p_type = SADB_X_SPDADD;
428 p_satype = SADB_SATYPE_UNSPEC;
430 sp_selector_spec policy_spec EOT
436 p_type = SADB_X_SPDDELETE;
437 p_satype = SADB_SATYPE_UNSPEC;
439 sp_selector_spec policy_spec EOT
445 p_type = SADB_X_SPDDUMP;
446 p_satype = SADB_SATYPE_UNSPEC;
454 p_type = SADB_X_SPDFLUSH;
455 p_satype = SADB_SATYPE_UNSPEC;
460 /* sp_selector_spec */
462 : ipaddress { p_src = pp_addr; }
463 prefix { p_prefs = pp_prefix; }
466 switch (p_src->sa_family) {
468 ((struct sockaddr_in *)p_src)->sin_port =
473 ((struct sockaddr_in6 *)p_src)->sin6_port =
481 ipaddress { p_dst = pp_addr; }
482 prefix { p_prefd = pp_prefix; }
485 switch (p_dst->sa_family) {
487 ((struct sockaddr_in *)p_dst)->sin_port =
492 ((struct sockaddr_in6 *)p_dst)->sin6_port =
502 /* XXX is it something userland should check? */
507 if (_INPORTBYSA(p_src) != IPSEC_PORT_ANY
508 || _INPORTBYSA(p_dst) != IPSEC_PORT_ANY) {
509 yyerror("port number must be \"any\".");
512 if ((pp_addr->sa_family == AF_INET6
513 && p_upper == IPPROTO_ICMP)
514 || (pp_addr->sa_family == AF_INET
515 && p_upper == IPPROTO_ICMPV6)) {
516 yyerror("upper layer protocol "
531 struct addrinfo *res;
533 res = parse_addr($1.buf, NULL, AI_NUMERICHOST);
538 pp_addr = (struct sockaddr *)malloc(res->ai_addrlen);
540 yyerror("not enough core");
544 memcpy(pp_addr, res->ai_addr, res->ai_addrlen);
552 : /*NOTHING*/ { pp_prefix = ~0; }
553 | PREFIX { pp_prefix = $1; }
557 : /*NOTHING*/ { pp_port = IPSEC_PORT_ANY; }
558 | PORT { pp_port = $1; }
559 | PORTANY { pp_port = IPSEC_PORT_ANY; }
563 : DECSTRING { p_upper = $1; }
564 | UP_PROTO { p_upper = $1; }
565 | ANY { p_upper = IPSEC_ULPROTO_ANY; }
568 struct protoent *ent;
570 ent = getprotobyname($1.buf);
572 p_upper = ent->p_proto;
574 if (strcmp("icmp6", $1.buf) == 0) {
575 p_upper = IPPROTO_ICMPV6;
576 } else if(strcmp("ip4", $1.buf) == 0) {
577 p_upper = IPPROTO_IPV4;
579 yyerror("invalid upper layer protocol");
589 : F_POLICY policy_requests
591 p_policy = ipsec_set_policy($2.buf, $2.len);
592 if (p_policy == NULL) {
595 yyerror(ipsec_strerror());
599 p_policy_len = ipsec_get_policylen(p_policy);
606 : PL_REQUESTS { $$ = $1; }
614 struct sadb_msg m_msg;
616 m_msg.sadb_msg_version = PF_KEY_V2;
617 m_msg.sadb_msg_type = p_type;
618 m_msg.sadb_msg_errno = 0;
619 m_msg.sadb_msg_satype = p_satype;
620 m_msg.sadb_msg_reserved = 0;
621 m_msg.sadb_msg_seq = 0;
622 m_msg.sadb_msg_pid = getpid();
624 m_len = sizeof(struct sadb_msg);
625 memcpy(m_buf, &m_msg, m_len);
633 /* set encryption algorithm, if present. */
634 if (p_satype != SADB_X_SATYPE_IPCOMP && p_alg_enc != SADB_EALG_NONE) {
635 struct sadb_key m_key;
638 PFKEY_UNIT64(sizeof(m_key)
639 + PFKEY_ALIGN8(p_key_enc_len));
640 m_key.sadb_key_exttype = SADB_EXT_KEY_ENCRYPT;
641 m_key.sadb_key_bits = p_key_enc_len * 8;
642 m_key.sadb_key_reserved = 0;
645 (struct sadb_ext *)&m_key, sizeof(m_key),
646 (caddr_t)p_key_enc, p_key_enc_len);
649 /* set authentication algorithm, if present. */
650 if (p_alg_auth != SADB_AALG_NONE) {
651 struct sadb_key m_key;
654 PFKEY_UNIT64(sizeof(m_key)
655 + PFKEY_ALIGN8(p_key_auth_len));
656 m_key.sadb_key_exttype = SADB_EXT_KEY_AUTH;
657 m_key.sadb_key_bits = p_key_auth_len * 8;
658 m_key.sadb_key_reserved = 0;
661 (struct sadb_ext *)&m_key, sizeof(m_key),
662 (caddr_t)p_key_auth, p_key_auth_len);
665 /* set lifetime for HARD */
666 if (p_lt_hard != 0) {
667 struct sadb_lifetime m_lt;
668 u_int len = sizeof(struct sadb_lifetime);
670 m_lt.sadb_lifetime_len = PFKEY_UNIT64(len);
671 m_lt.sadb_lifetime_exttype = SADB_EXT_LIFETIME_HARD;
672 m_lt.sadb_lifetime_allocations = 0;
673 m_lt.sadb_lifetime_bytes = 0;
674 m_lt.sadb_lifetime_addtime = p_lt_hard;
675 m_lt.sadb_lifetime_usetime = 0;
677 memcpy(m_buf + m_len, &m_lt, len);
681 /* set lifetime for SOFT */
682 if (p_lt_soft != 0) {
683 struct sadb_lifetime m_lt;
684 u_int len = sizeof(struct sadb_lifetime);
686 m_lt.sadb_lifetime_len = PFKEY_UNIT64(len);
687 m_lt.sadb_lifetime_exttype = SADB_EXT_LIFETIME_SOFT;
688 m_lt.sadb_lifetime_allocations = 0;
689 m_lt.sadb_lifetime_bytes = 0;
690 m_lt.sadb_lifetime_addtime = p_lt_soft;
691 m_lt.sadb_lifetime_usetime = 0;
693 memcpy(m_buf + m_len, &m_lt, len);
702 struct sadb_x_sa2 m_sa2;
703 struct sadb_address m_addr;
707 len = sizeof(struct sadb_sa);
708 m_sa.sadb_sa_len = PFKEY_UNIT64(len);
709 m_sa.sadb_sa_exttype = SADB_EXT_SA;
710 m_sa.sadb_sa_spi = htonl(p_spi);
711 m_sa.sadb_sa_replay = p_replay;
712 m_sa.sadb_sa_state = 0;
713 m_sa.sadb_sa_auth = p_alg_auth;
714 m_sa.sadb_sa_encrypt = p_alg_enc;
715 m_sa.sadb_sa_flags = p_ext;
717 memcpy(m_buf + m_len, &m_sa, len);
720 len = sizeof(struct sadb_x_sa2);
721 m_sa2.sadb_x_sa2_len = PFKEY_UNIT64(len);
722 m_sa2.sadb_x_sa2_exttype = SADB_X_EXT_SA2;
723 m_sa2.sadb_x_sa2_mode = p_mode;
724 m_sa2.sadb_x_sa2_reqid = p_reqid;
726 memcpy(m_buf + m_len, &m_sa2, len);
731 m_addr.sadb_address_len =
732 PFKEY_UNIT64(sizeof(m_addr)
733 + PFKEY_ALIGN8(p_src->sa_len));
734 m_addr.sadb_address_exttype = SADB_EXT_ADDRESS_SRC;
735 m_addr.sadb_address_proto = IPSEC_ULPROTO_ANY;
736 switch (p_src->sa_family) {
738 m_addr.sadb_address_prefixlen =
739 sizeof(struct in_addr) << 3;
743 m_addr.sadb_address_prefixlen =
744 sizeof(struct in6_addr) << 3;
748 yyerror("unsupported address family");
751 m_addr.sadb_address_reserved = 0;
754 (struct sadb_ext *)&m_addr, sizeof(m_addr),
755 (caddr_t)p_src, p_src->sa_len);
758 m_addr.sadb_address_len =
759 PFKEY_UNIT64(sizeof(m_addr)
760 + PFKEY_ALIGN8(p_dst->sa_len));
761 m_addr.sadb_address_exttype = SADB_EXT_ADDRESS_DST;
762 m_addr.sadb_address_proto = IPSEC_ULPROTO_ANY;
763 switch (p_dst->sa_family) {
765 m_addr.sadb_address_prefixlen =
766 sizeof(struct in_addr) << 3;
770 m_addr.sadb_address_prefixlen =
771 sizeof(struct in6_addr) << 3;
775 yyerror("unsupported address family");
778 m_addr.sadb_address_reserved = 0;
781 (struct sadb_ext *)&m_addr, sizeof(m_addr),
782 (caddr_t)p_dst, p_dst->sa_len);
786 /* for SPD management */
787 case SADB_X_SPDFLUSH:
792 case SADB_X_SPDDELETE:
794 struct sadb_address m_addr;
797 memcpy(m_buf + m_len, p_policy, p_policy_len);
798 m_len += p_policy_len;
803 m_addr.sadb_address_len =
804 PFKEY_UNIT64(sizeof(m_addr)
805 + PFKEY_ALIGN8(p_src->sa_len));
806 m_addr.sadb_address_exttype = SADB_EXT_ADDRESS_SRC;
807 m_addr.sadb_address_proto = p_upper;
808 switch (p_src->sa_family) {
810 plen = sizeof(struct in_addr) << 3;
814 plen = sizeof(struct in6_addr) << 3;
818 yyerror("unsupported address family");
821 m_addr.sadb_address_prefixlen =
822 (p_prefs != ~0 ? p_prefs : plen);
823 m_addr.sadb_address_reserved = 0;
826 (struct sadb_ext *)&m_addr, sizeof(m_addr),
827 (caddr_t)p_src, p_src->sa_len);
830 m_addr.sadb_address_len =
831 PFKEY_UNIT64(sizeof(m_addr)
832 + PFKEY_ALIGN8(p_dst->sa_len));
833 m_addr.sadb_address_exttype = SADB_EXT_ADDRESS_DST;
834 m_addr.sadb_address_proto = p_upper;
835 switch (p_dst->sa_family) {
837 plen = sizeof(struct in_addr) << 3;
841 plen = sizeof(struct in6_addr) << 3;
845 yyerror("unsupported address family");
848 m_addr.sadb_address_prefixlen =
849 (p_prefd != ~0 ? p_prefd : plen);
850 m_addr.sadb_address_reserved = 0;
853 (struct sadb_ext *)&m_addr, sizeof(m_addr),
854 (caddr_t)p_dst, p_dst->sa_len);
859 ((struct sadb_msg *)m_buf)->sadb_msg_len = PFKEY_UNIT64(m_len);
864 static struct addrinfo *
865 parse_addr(char *host, char *port, int flag)
867 struct addrinfo hints, *res = NULL;
870 memset(&hints, 0, sizeof(hints));
871 hints.ai_family = PF_UNSPEC;
872 hints.ai_socktype = SOCK_DGRAM;
873 hints.ai_flags = flag;
874 error = getaddrinfo(host, port, &hints, &res);
876 yyerror(gai_strerror(error));
879 if (res->ai_next != NULL) {
880 yyerror(gai_strerror(error));
886 setvarbuf(int *off, struct sadb_ext *ebuf, int elen, caddr_t vbuf, int vlen)
888 memset(m_buf + *off, 0, PFKEY_UNUNIT64(ebuf->sadb_ext_len));
889 memcpy(m_buf + *off, (caddr_t)ebuf, elen);
890 memcpy(m_buf + *off + elen, vbuf, vlen);
891 (*off) += PFKEY_ALIGN8(elen + vlen);
903 p_src = 0, p_dst = 0;
904 pp_prefix = p_prefs = p_prefd = ~0;
905 pp_port = IPSEC_PORT_ANY;
909 p_ext = SADB_X_EXT_CYCSEQ;
910 p_alg_enc = SADB_EALG_NONE;
911 p_alg_auth = SADB_AALG_NONE;
912 p_mode = IPSEC_MODE_ANY;
915 p_key_enc_len = p_key_auth_len = 0;
916 p_key_enc = p_key_auth = 0;
917 p_lt_hard = p_lt_soft = 0;
922 memset(cmdarg, 0, sizeof(cmdarg));
930 if (p_src) free(p_src);
931 if (p_dst) free(p_dst);
932 if (p_key_enc) free(p_key_enc);
933 if (p_key_auth) free(p_key_auth);