2 /* $KAME: parse.y,v 1.83 2004/05/18 08:48:23 sakane Exp $ */
5 * SPDX-License-Identifier: BSD-3-Clause
7 * Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
10 * Redistribution and use in source and binary forms, with or without
11 * modification, are permitted provided that the following conditions
13 * 1. Redistributions of source code must retain the above copyright
14 * notice, this list of conditions and the following disclaimer.
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in the
17 * documentation and/or other materials provided with the distribution.
18 * 3. Neither the name of the project nor the names of its contributors
19 * may be used to endorse or promote products derived from this software
20 * without specific prior written permission.
22 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
23 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
24 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
25 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
26 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
27 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
28 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
29 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
30 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
31 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
36 #include <sys/types.h>
37 #include <sys/param.h>
38 #include <sys/socket.h>
40 #include <net/route.h>
41 #include <netinet/in.h>
42 #include <net/pfkeyv2.h>
43 #include <netipsec/key_var.h>
44 #include <netipsec/ipsec.h>
45 #include <arpa/inet.h>
59 (isdigit(c) ? (c - '0') : (isupper(c) ? (c - 'A' + 10) : (c - 'a' + 10)))
62 u_int p_ext, p_alg_enc, p_alg_auth, p_replay, p_mode;
64 u_int p_key_enc_len, p_key_auth_len;
65 caddr_t p_key_enc, p_key_auth;
66 time_t p_lt_hard, p_lt_soft;
68 static int p_aiflags = 0, p_aifamily = PF_UNSPEC;
70 static struct addrinfo *parse_addr(char *, char *);
71 static int fix_portstr(vchar_t *, vchar_t *, vchar_t *);
72 static int setvarbuf(char *, int *, struct sadb_ext *, int, caddr_t, int);
73 void parse_init(void);
74 void free_buffer(void);
76 int setkeymsg0(struct sadb_msg *, unsigned int, unsigned int, size_t);
77 static int setkeymsg_spdaddr(unsigned int, unsigned int, vchar_t *,
78 struct addrinfo *, int, struct addrinfo *, int);
79 static int setkeymsg_addr(unsigned int, unsigned int,
80 struct addrinfo *, struct addrinfo *, int);
81 static int setkeymsg_add(unsigned int, unsigned int,
82 struct addrinfo *, struct addrinfo *);
83 extern int setkeymsg(char *, size_t *);
84 extern int sendkeymsg(char *, size_t);
86 extern int yylex(void);
87 extern void yyfatal(const char *);
88 extern void yyerror(const char *);
98 %token EOT SLASH BLCL ELCL
99 %token ADD GET DELETE DELETEALL FLUSH DUMP
100 %token PR_ESP PR_AH PR_IPCOMP PR_TCP
101 %token F_PROTOCOL F_AUTH F_ENC F_REPLAY F_COMP F_RAWCPI
102 %token F_MODE MODE F_REQID
103 %token F_EXT EXTENSION NOCYCLICSEQ
104 %token ALG_AUTH ALG_AUTH_NOKEY
105 %token ALG_ENC ALG_ENC_NOKEY ALG_ENC_DESDERIV ALG_ENC_DES32IV ALG_ENC_OLD
108 %token F_LIFETIME_HARD F_LIFETIME_SOFT
109 %token DECSTRING QUOTEDSTRING HEXSTRING STRING ANY
111 %token SPDADD SPDDELETE SPDDUMP SPDFLUSH
112 %token F_POLICY PL_REQUESTS
116 %type <num> prefix protocol_spec upper_spec
117 %type <num> ALG_ENC ALG_ENC_DESDERIV ALG_ENC_DES32IV ALG_ENC_OLD ALG_ENC_NOKEY
118 %type <num> ALG_ENC_SALT
119 %type <num> ALG_AUTH ALG_AUTH_NOKEY
121 %type <num> PR_ESP PR_AH PR_IPCOMP PR_TCP
122 %type <num> EXTENSION MODE
123 %type <ulnum> DECSTRING
124 %type <val> PL_REQUESTS portstr key_string
125 %type <val> policy_requests
126 %type <val> QUOTEDSTRING HEXSTRING STRING
127 %type <val> F_AIFLAGS
128 %type <val> upper_misc_spec policy_spec
153 /* commands concerned with management, there is in tail of this file. */
157 : ADD ipaddropts ipaddr ipaddr protocol_spec spi extension_spec algorithm_spec EOT
161 status = setkeymsg_add(SADB_ADD, $5, $3, $4);
169 : DELETE ipaddropts ipaddr ipaddr protocol_spec spi extension_spec EOT
173 if ($3->ai_next || $4->ai_next) {
174 yyerror("multiple address specified");
177 if (p_mode != IPSEC_MODE_ANY)
178 yyerror("WARNING: mode is obsolete");
180 status = setkeymsg_addr(SADB_DELETE, $5, $3, $4, 0);
186 /* deleteall command */
188 : DELETEALL ipaddropts ipaddr ipaddr protocol_spec EOT
192 status = setkeymsg_addr(SADB_DELETE, $5, $3, $4, 1);
200 : GET ipaddropts ipaddr ipaddr protocol_spec spi extension_spec EOT
204 if (p_mode != IPSEC_MODE_ANY)
205 yyerror("WARNING: mode is obsolete");
207 status = setkeymsg_addr(SADB_GET, $5, $3, $4, 0);
215 : FLUSH protocol_spec EOT
218 setkeymsg0(&msg, SADB_FLUSH, $2, sizeof(msg));
219 sendkeymsg((char *)&msg, sizeof(msg));
225 : DUMP protocol_spec EOT
228 setkeymsg0(&msg, SADB_DUMP, $2, sizeof(msg));
229 sendkeymsg((char *)&msg, sizeof(msg));
236 $$ = SADB_SATYPE_UNSPEC;
240 $$ = SADB_SATYPE_ESP;
242 p_ext |= SADB_X_EXT_OLD;
244 p_ext &= ~SADB_X_EXT_OLD;
250 p_ext |= SADB_X_EXT_OLD;
252 p_ext &= ~SADB_X_EXT_OLD;
256 $$ = SADB_X_SATYPE_IPCOMP;
260 $$ = SADB_X_SATYPE_TCPSIGNATURE;
265 : DECSTRING { p_spi = $1; }
272 v = strtoul($1.buf, &ep, 16);
274 yyerror("invalid SPI");
277 if (v & ~0xffffffff) {
278 yyerror("SPI too big.");
293 : F_ENC enc_alg F_AUTH auth_alg
305 yyerror("unsupported algorithm");
310 | F_COMP ALG_COMP F_RAWCPI
313 yyerror("unsupported algorithm");
317 p_ext |= SADB_X_EXT_RAWCPI;
324 yyerror("unsupported algorithm");
331 if (ipsec_check_keylen(SADB_EXT_SUPPORTED_ENCRYPT,
332 p_alg_enc, PFKEY_UNUNIT64(p_key_enc_len)) < 0) {
333 yyerror(ipsec_strerror());
337 | ALG_ENC key_string {
339 yyerror("unsupported algorithm");
344 p_key_enc_len = $2.len;
346 if (ipsec_check_keylen(SADB_EXT_SUPPORTED_ENCRYPT,
347 p_alg_enc, PFKEY_UNUNIT64(p_key_enc_len)) < 0) {
348 yyerror(ipsec_strerror());
354 yyerror("unsupported algorithm");
357 yyerror("WARNING: obsolete algorithm");
362 if (ipsec_check_keylen(SADB_EXT_SUPPORTED_ENCRYPT,
363 p_alg_enc, PFKEY_UNUNIT64(p_key_enc_len)) < 0) {
364 yyerror(ipsec_strerror());
368 | ALG_ENC_DESDERIV key_string
371 yyerror("unsupported algorithm");
375 if (p_ext & SADB_X_EXT_OLD) {
376 yyerror("algorithm mismatched");
379 p_ext |= SADB_X_EXT_DERIV;
381 p_key_enc_len = $2.len;
383 if (ipsec_check_keylen(SADB_EXT_SUPPORTED_ENCRYPT,
384 p_alg_enc, PFKEY_UNUNIT64(p_key_enc_len)) < 0) {
385 yyerror(ipsec_strerror());
389 | ALG_ENC_DES32IV key_string
392 yyerror("unsupported algorithm");
396 if (!(p_ext & SADB_X_EXT_OLD)) {
397 yyerror("algorithm mismatched");
400 p_ext |= SADB_X_EXT_IV4B;
402 p_key_enc_len = $2.len;
404 if (ipsec_check_keylen(SADB_EXT_SUPPORTED_ENCRYPT,
405 p_alg_enc, PFKEY_UNUNIT64(p_key_enc_len)) < 0) {
406 yyerror(ipsec_strerror());
410 | ALG_ENC_SALT key_string
413 yyerror("unsupported algorithm");
418 p_key_enc_len = $2.len;
422 * Salted keys include a 4 byte value that is
423 * not part of the key.
425 if (ipsec_check_keylen(SADB_EXT_SUPPORTED_ENCRYPT,
426 p_alg_enc, PFKEY_UNUNIT64(p_key_enc_len - 4)) < 0) {
427 yyerror(ipsec_strerror());
434 : ALG_AUTH key_string {
436 yyerror("unsupported algorithm");
441 p_key_auth_len = $2.len;
444 if (p_alg_auth == SADB_X_AALG_TCP_MD5) {
445 if ((p_key_auth_len < 1) || (p_key_auth_len >
448 } else if (ipsec_check_keylen(SADB_EXT_SUPPORTED_AUTH,
449 p_alg_auth, PFKEY_UNUNIT64(p_key_auth_len)) < 0) {
450 yyerror(ipsec_strerror());
456 yyerror("unsupported algorithm");
478 l = strlen(yp) % 2 + strlen(yp) / 2;
479 if ((pp_key = malloc(l)) == 0) {
480 yyerror("not enough core");
483 memset(pp_key, 0, l);
486 if (strlen(yp) % 2) {
491 *bp = (ATOX(yp[0]) << 4) | ATOX(yp[1]);
502 | extension_spec extension
506 : F_EXT EXTENSION { p_ext |= $2; }
507 | F_EXT NOCYCLICSEQ { p_ext &= ~SADB_X_EXT_CYCSEQ; }
508 | F_MODE MODE { p_mode = $2; }
509 | F_MODE ANY { p_mode = IPSEC_MODE_ANY; }
510 | F_REQID DECSTRING { p_reqid = $2; }
513 if ((p_ext & SADB_X_EXT_OLD) != 0) {
514 yyerror("replay prevention cannot be used with "
519 if (p_replay > (UINT32_MAX - 32) >> 3)
520 yyerror("replay window is too large");
522 | F_LIFETIME_HARD DECSTRING { p_lt_hard = $2; }
523 | F_LIFETIME_SOFT DECSTRING { p_lt_soft = $2; }
526 /* definition about command for SPD management */
529 : SPDADD ipaddropts STRING prefix portstr STRING prefix portstr upper_spec upper_misc_spec policy_spec EOT
532 struct addrinfo *src, *dst;
534 /* fixed port fields if ulp is icmpv6 */
535 if ($10.buf != NULL) {
536 if ($9 != IPPROTO_ICMPV6)
540 if (fix_portstr(&$10, &$5, &$8))
544 src = parse_addr($3.buf, $5.buf);
545 dst = parse_addr($6.buf, $8.buf);
547 /* yyerror is already called */
550 if (src->ai_next || dst->ai_next) {
551 yyerror("multiple address specified");
557 status = setkeymsg_spdaddr(SADB_X_SPDADD, $9, &$11,
564 | SPDADD TAGGED QUOTEDSTRING policy_spec EOT
571 : SPDDELETE ipaddropts STRING prefix portstr STRING prefix portstr upper_spec upper_misc_spec policy_spec EOT
574 struct addrinfo *src, *dst;
576 /* fixed port fields if ulp is icmpv6 */
577 if ($10.buf != NULL) {
578 if ($9 != IPPROTO_ICMPV6)
582 if (fix_portstr(&$10, &$5, &$8))
586 src = parse_addr($3.buf, $5.buf);
587 dst = parse_addr($6.buf, $8.buf);
589 /* yyerror is already called */
592 if (src->ai_next || dst->ai_next) {
593 yyerror("multiple address specified");
599 status = setkeymsg_spdaddr(SADB_X_SPDDELETE, $9, &$11,
612 setkeymsg0(&msg, SADB_X_SPDDUMP, SADB_SATYPE_UNSPEC,
614 sendkeymsg((char *)&msg, sizeof(msg));
622 setkeymsg0(&msg, SADB_X_SPDFLUSH, SADB_SATYPE_UNSPEC,
624 sendkeymsg((char *)&msg, sizeof(msg));
630 | ipaddropts ipaddropt
638 for (p = $1.buf + 1; *p; p++)
641 p_aifamily = AF_INET;
645 p_aifamily = AF_INET6;
649 p_aiflags = AI_NUMERICHOST;
652 yyerror("invalid flag");
661 $$ = parse_addr($1.buf, NULL);
663 /* yyerror already called by parse_addr */
670 : /*NOTHING*/ { $$ = -1; }
671 | SLASH DECSTRING { $$ = $2; }
677 $$.buf = strdup("0");
679 yyerror("insufficient memory");
682 $$.len = strlen($$.buf);
686 $$.buf = strdup("0");
688 yyerror("insufficient memory");
691 $$.len = strlen($$.buf);
693 | BLCL DECSTRING ELCL
696 snprintf(buf, sizeof(buf), "%lu", $2);
697 $$.buf = strdup(buf);
699 yyerror("insufficient memory");
702 $$.len = strlen($$.buf);
711 : DECSTRING { $$ = $1; }
712 | ANY { $$ = IPSEC_ULPROTO_ANY; }
713 | PR_TCP { $$ = IPPROTO_TCP; }
714 | PR_ESP { $$ = IPPROTO_ESP; }
717 struct protoent *ent;
719 ent = getprotobyname($1.buf);
723 if (strcmp("icmp6", $1.buf) == 0) {
725 } else if(strcmp("ip4", $1.buf) == 0) {
728 yyerror("invalid upper layer protocol");
744 $$.buf = strdup($1.buf);
746 yyerror("insufficient memory");
749 $$.len = strlen($$.buf);
754 : F_POLICY policy_requests
758 policy = ipsec_set_policy($2.buf, $2.len);
759 if (policy == NULL) {
760 yyerror(ipsec_strerror());
765 $$.len = ipsec_get_policylen(policy);
770 : PL_REQUESTS { $$ = $1; }
776 setkeymsg0(msg, type, satype, l)
777 struct sadb_msg *msg;
783 msg->sadb_msg_version = PF_KEY_V2;
784 msg->sadb_msg_type = type;
785 msg->sadb_msg_errno = 0;
786 msg->sadb_msg_satype = satype;
787 msg->sadb_msg_reserved = 0;
788 msg->sadb_msg_seq = 0;
789 msg->sadb_msg_pid = getpid();
790 msg->sadb_msg_len = PFKEY_UNIT64(l);
794 /* XXX NO BUFFER OVERRUN CHECK! BAD BAD! */
796 setkeymsg_spdaddr(type, upper, policy, srcs, splen, dsts, dplen)
800 struct addrinfo *srcs;
802 struct addrinfo *dsts;
805 struct sadb_msg *msg;
808 struct sadb_address m_addr;
809 struct addrinfo *s, *d;
815 msg = (struct sadb_msg *)buf;
820 /* fix up length afterwards */
821 setkeymsg0(msg, type, SADB_SATYPE_UNSPEC, 0);
822 l = sizeof(struct sadb_msg);
824 memcpy(buf + l, policy->buf, policy->len);
830 /* do it for all src/dst pairs */
831 for (s = srcs; s; s = s->ai_next) {
832 for (d = dsts; d; d = d->ai_next) {
836 if (s->ai_addr->sa_family != d->ai_addr->sa_family)
838 switch (s->ai_addr->sa_family) {
840 plen = sizeof(struct in_addr) << 3;
844 plen = sizeof(struct in6_addr) << 3;
853 salen = s->ai_addr->sa_len;
854 m_addr.sadb_address_len = PFKEY_UNIT64(sizeof(m_addr) +
855 PFKEY_ALIGN8(salen));
856 m_addr.sadb_address_exttype = SADB_EXT_ADDRESS_SRC;
857 m_addr.sadb_address_proto = upper;
858 m_addr.sadb_address_prefixlen =
859 (splen >= 0 ? splen : plen);
860 m_addr.sadb_address_reserved = 0;
862 setvarbuf(buf, &l, (struct sadb_ext *)&m_addr,
863 sizeof(m_addr), (caddr_t)sa, salen);
867 salen = d->ai_addr->sa_len;
868 m_addr.sadb_address_len = PFKEY_UNIT64(sizeof(m_addr) +
869 PFKEY_ALIGN8(salen));
870 m_addr.sadb_address_exttype = SADB_EXT_ADDRESS_DST;
871 m_addr.sadb_address_proto = upper;
872 m_addr.sadb_address_prefixlen =
873 (dplen >= 0 ? dplen : plen);
874 m_addr.sadb_address_reserved = 0;
876 setvarbuf(buf, &l, (struct sadb_ext *)&m_addr,
877 sizeof(m_addr), (caddr_t)sa, salen);
879 msg->sadb_msg_len = PFKEY_UNIT64(l);
893 /* XXX NO BUFFER OVERRUN CHECK! BAD BAD! */
895 setkeymsg_addr(type, satype, srcs, dsts, no_spi)
898 struct addrinfo *srcs;
899 struct addrinfo *dsts;
902 struct sadb_msg *msg;
906 struct sadb_x_sa2 m_sa2;
907 struct sadb_x_sa_replay m_replay;
908 struct sadb_address m_addr;
909 struct addrinfo *s, *d;
915 msg = (struct sadb_msg *)buf;
920 /* fix up length afterwards */
921 setkeymsg0(msg, type, satype, 0);
922 l = sizeof(struct sadb_msg);
925 len = sizeof(struct sadb_sa);
926 m_sa.sadb_sa_len = PFKEY_UNIT64(len);
927 m_sa.sadb_sa_exttype = SADB_EXT_SA;
928 m_sa.sadb_sa_spi = htonl(p_spi);
929 m_sa.sadb_sa_replay = p_replay > UINT8_MAX ? UINT8_MAX:
931 m_sa.sadb_sa_state = 0;
932 m_sa.sadb_sa_auth = p_alg_auth;
933 m_sa.sadb_sa_encrypt = p_alg_enc;
934 m_sa.sadb_sa_flags = p_ext;
936 memcpy(buf + l, &m_sa, len);
939 len = sizeof(struct sadb_x_sa2);
940 m_sa2.sadb_x_sa2_len = PFKEY_UNIT64(len);
941 m_sa2.sadb_x_sa2_exttype = SADB_X_EXT_SA2;
942 m_sa2.sadb_x_sa2_mode = p_mode;
943 m_sa2.sadb_x_sa2_reqid = p_reqid;
945 memcpy(buf + l, &m_sa2, len);
948 if (p_replay > UINT8_MAX) {
949 len = sizeof(struct sadb_x_sa_replay);
950 m_replay.sadb_x_sa_replay_len = PFKEY_UNIT64(len);
951 m_replay.sadb_x_sa_replay_exttype =
952 SADB_X_EXT_SA_REPLAY;
953 m_replay.sadb_x_sa_replay_replay = p_replay << 3;
955 memcpy(buf + l, &m_replay, len);
963 /* do it for all src/dst pairs */
964 for (s = srcs; s; s = s->ai_next) {
965 for (d = dsts; d; d = d->ai_next) {
969 if (s->ai_addr->sa_family != d->ai_addr->sa_family)
971 switch (s->ai_addr->sa_family) {
973 plen = sizeof(struct in_addr) << 3;
977 plen = sizeof(struct in6_addr) << 3;
986 salen = s->ai_addr->sa_len;
987 m_addr.sadb_address_len = PFKEY_UNIT64(sizeof(m_addr) +
988 PFKEY_ALIGN8(salen));
989 m_addr.sadb_address_exttype = SADB_EXT_ADDRESS_SRC;
990 m_addr.sadb_address_proto = IPSEC_ULPROTO_ANY;
991 m_addr.sadb_address_prefixlen = plen;
992 m_addr.sadb_address_reserved = 0;
994 setvarbuf(buf, &l, (struct sadb_ext *)&m_addr,
995 sizeof(m_addr), (caddr_t)sa, salen);
999 salen = d->ai_addr->sa_len;
1000 m_addr.sadb_address_len = PFKEY_UNIT64(sizeof(m_addr) +
1001 PFKEY_ALIGN8(salen));
1002 m_addr.sadb_address_exttype = SADB_EXT_ADDRESS_DST;
1003 m_addr.sadb_address_proto = IPSEC_ULPROTO_ANY;
1004 m_addr.sadb_address_prefixlen = plen;
1005 m_addr.sadb_address_reserved = 0;
1007 setvarbuf(buf, &l, (struct sadb_ext *)&m_addr,
1008 sizeof(m_addr), (caddr_t)sa, salen);
1010 msg->sadb_msg_len = PFKEY_UNIT64(l);
1024 /* XXX NO BUFFER OVERRUN CHECK! BAD BAD! */
1026 setkeymsg_add(type, satype, srcs, dsts)
1028 unsigned int satype;
1029 struct addrinfo *srcs;
1030 struct addrinfo *dsts;
1032 struct sadb_msg *msg;
1035 struct sadb_sa m_sa;
1036 struct sadb_x_sa2 m_sa2;
1037 struct sadb_address m_addr;
1038 struct sadb_x_sa_replay m_replay;
1039 struct addrinfo *s, *d;
1042 struct sockaddr *sa;
1045 msg = (struct sadb_msg *)buf;
1050 /* fix up length afterwards */
1051 setkeymsg0(msg, type, satype, 0);
1052 l = sizeof(struct sadb_msg);
1054 /* set encryption algorithm, if present. */
1055 if (satype != SADB_X_SATYPE_IPCOMP && p_key_enc) {
1056 struct sadb_key m_key;
1058 m_key.sadb_key_len =
1059 PFKEY_UNIT64(sizeof(m_key)
1060 + PFKEY_ALIGN8(p_key_enc_len));
1061 m_key.sadb_key_exttype = SADB_EXT_KEY_ENCRYPT;
1062 m_key.sadb_key_bits = p_key_enc_len * 8;
1063 m_key.sadb_key_reserved = 0;
1066 (struct sadb_ext *)&m_key, sizeof(m_key),
1067 (caddr_t)p_key_enc, p_key_enc_len);
1070 /* set authentication algorithm, if present. */
1072 struct sadb_key m_key;
1074 m_key.sadb_key_len =
1075 PFKEY_UNIT64(sizeof(m_key)
1076 + PFKEY_ALIGN8(p_key_auth_len));
1077 m_key.sadb_key_exttype = SADB_EXT_KEY_AUTH;
1078 m_key.sadb_key_bits = p_key_auth_len * 8;
1079 m_key.sadb_key_reserved = 0;
1082 (struct sadb_ext *)&m_key, sizeof(m_key),
1083 (caddr_t)p_key_auth, p_key_auth_len);
1086 /* set lifetime for HARD */
1087 if (p_lt_hard != 0) {
1088 struct sadb_lifetime m_lt;
1089 u_int slen = sizeof(struct sadb_lifetime);
1091 m_lt.sadb_lifetime_len = PFKEY_UNIT64(slen);
1092 m_lt.sadb_lifetime_exttype = SADB_EXT_LIFETIME_HARD;
1093 m_lt.sadb_lifetime_allocations = 0;
1094 m_lt.sadb_lifetime_bytes = 0;
1095 m_lt.sadb_lifetime_addtime = p_lt_hard;
1096 m_lt.sadb_lifetime_usetime = 0;
1098 memcpy(buf + l, &m_lt, slen);
1102 /* set lifetime for SOFT */
1103 if (p_lt_soft != 0) {
1104 struct sadb_lifetime m_lt;
1105 u_int slen = sizeof(struct sadb_lifetime);
1107 m_lt.sadb_lifetime_len = PFKEY_UNIT64(slen);
1108 m_lt.sadb_lifetime_exttype = SADB_EXT_LIFETIME_SOFT;
1109 m_lt.sadb_lifetime_allocations = 0;
1110 m_lt.sadb_lifetime_bytes = 0;
1111 m_lt.sadb_lifetime_addtime = p_lt_soft;
1112 m_lt.sadb_lifetime_usetime = 0;
1114 memcpy(buf + l, &m_lt, slen);
1118 len = sizeof(struct sadb_sa);
1119 m_sa.sadb_sa_len = PFKEY_UNIT64(len);
1120 m_sa.sadb_sa_exttype = SADB_EXT_SA;
1121 m_sa.sadb_sa_spi = htonl(p_spi);
1122 m_sa.sadb_sa_replay = p_replay > UINT8_MAX ? UINT8_MAX: p_replay;
1123 m_sa.sadb_sa_state = 0;
1124 m_sa.sadb_sa_auth = p_alg_auth;
1125 m_sa.sadb_sa_encrypt = p_alg_enc;
1126 m_sa.sadb_sa_flags = p_ext;
1128 memcpy(buf + l, &m_sa, len);
1131 len = sizeof(struct sadb_x_sa2);
1132 m_sa2.sadb_x_sa2_len = PFKEY_UNIT64(len);
1133 m_sa2.sadb_x_sa2_exttype = SADB_X_EXT_SA2;
1134 m_sa2.sadb_x_sa2_mode = p_mode;
1135 m_sa2.sadb_x_sa2_reqid = p_reqid;
1137 memcpy(buf + l, &m_sa2, len);
1140 if (p_replay > UINT8_MAX) {
1141 len = sizeof(struct sadb_x_sa_replay);
1142 m_replay.sadb_x_sa_replay_len = PFKEY_UNIT64(len);
1143 m_replay.sadb_x_sa_replay_exttype = SADB_X_EXT_SA_REPLAY;
1144 m_replay.sadb_x_sa_replay_replay = p_replay << 3;
1146 memcpy(buf + l, &m_replay, len);
1152 /* do it for all src/dst pairs */
1153 for (s = srcs; s; s = s->ai_next) {
1154 for (d = dsts; d; d = d->ai_next) {
1155 /* rewind pointer */
1158 if (s->ai_addr->sa_family != d->ai_addr->sa_family)
1160 switch (s->ai_addr->sa_family) {
1162 plen = sizeof(struct in_addr) << 3;
1166 plen = sizeof(struct in6_addr) << 3;
1175 salen = s->ai_addr->sa_len;
1176 m_addr.sadb_address_len = PFKEY_UNIT64(sizeof(m_addr) +
1177 PFKEY_ALIGN8(salen));
1178 m_addr.sadb_address_exttype = SADB_EXT_ADDRESS_SRC;
1179 m_addr.sadb_address_proto = IPSEC_ULPROTO_ANY;
1180 m_addr.sadb_address_prefixlen = plen;
1181 m_addr.sadb_address_reserved = 0;
1183 setvarbuf(buf, &l, (struct sadb_ext *)&m_addr,
1184 sizeof(m_addr), (caddr_t)sa, salen);
1188 salen = d->ai_addr->sa_len;
1189 m_addr.sadb_address_len = PFKEY_UNIT64(sizeof(m_addr) +
1190 PFKEY_ALIGN8(salen));
1191 m_addr.sadb_address_exttype = SADB_EXT_ADDRESS_DST;
1192 m_addr.sadb_address_proto = IPSEC_ULPROTO_ANY;
1193 m_addr.sadb_address_prefixlen = plen;
1194 m_addr.sadb_address_reserved = 0;
1196 setvarbuf(buf, &l, (struct sadb_ext *)&m_addr,
1197 sizeof(m_addr), (caddr_t)sa, salen);
1199 msg->sadb_msg_len = PFKEY_UNIT64(l);
1213 static struct addrinfo *
1214 parse_addr(host, port)
1218 struct addrinfo hints, *res = NULL;
1221 memset(&hints, 0, sizeof(hints));
1222 hints.ai_family = p_aifamily;
1223 hints.ai_socktype = SOCK_DGRAM; /*dummy*/
1224 hints.ai_protocol = IPPROTO_UDP; /*dummy*/
1225 hints.ai_flags = p_aiflags;
1226 error = getaddrinfo(host, port, &hints, &res);
1228 yyerror(gai_strerror(error));
1235 fix_portstr(spec, sport, dport)
1236 vchar_t *spec, *sport, *dport;
1242 for (p = spec->buf; *p != ',' && *p != '\0' && l < spec->len; p++, l++)
1251 for (p = p2; *p != '\0' && l < spec->len; p++, l++)
1253 if (*p != '\0' || *p2 == '\0') {
1254 yyerror("invalid an upper layer protocol spec");
1259 sport->buf = strdup(spec->buf);
1261 yyerror("insufficient memory");
1264 sport->len = strlen(sport->buf);
1265 dport->buf = strdup(p2);
1267 yyerror("insufficient memory");
1270 dport->len = strlen(dport->buf);
1276 setvarbuf(buf, off, ebuf, elen, vbuf, vlen)
1279 struct sadb_ext *ebuf;
1284 memset(buf + *off, 0, PFKEY_UNUNIT64(ebuf->sadb_ext_len));
1285 memcpy(buf + *off, (caddr_t)ebuf, elen);
1286 memcpy(buf + *off + elen, vbuf, vlen);
1287 (*off) += PFKEY_ALIGN8(elen + vlen);
1297 p_ext = SADB_X_EXT_CYCSEQ;
1298 p_alg_enc = SADB_EALG_NONE;
1299 p_alg_auth = SADB_AALG_NONE;
1300 p_mode = IPSEC_MODE_ANY;
1303 p_key_enc_len = p_key_auth_len = 0;
1304 p_key_enc = p_key_auth = 0;
1305 p_lt_hard = p_lt_soft = 0;
1308 p_aifamily = PF_UNSPEC;
1316 /* we got tons of memory leaks in the parser anyways, leave them */