2 /* $KAME: parse.y,v 1.83 2004/05/18 08:48:23 sakane Exp $ */
5 * Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
11 * 1. Redistributions of source code must retain the above copyright
12 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
16 * 3. Neither the name of the project nor the names of its contributors
17 * may be used to endorse or promote products derived from this software
18 * without specific prior written permission.
20 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
21 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
24 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
25 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
26 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
27 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
28 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
29 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
34 #include <sys/types.h>
35 #include <sys/param.h>
36 #include <sys/socket.h>
38 #include <net/route.h>
39 #include <netinet/in.h>
40 #include <net/pfkeyv2.h>
41 #include <netipsec/key_var.h>
42 #include <netipsec/ipsec.h>
43 #include <arpa/inet.h>
57 (isdigit(c) ? (c - '0') : (isupper(c) ? (c - 'A' + 10) : (c - 'a' + 10)))
60 u_int p_ext, p_alg_enc, p_alg_auth, p_replay, p_mode;
62 u_int p_key_enc_len, p_key_auth_len;
63 caddr_t p_key_enc, p_key_auth;
64 time_t p_lt_hard, p_lt_soft;
66 static int p_aiflags = 0, p_aifamily = PF_UNSPEC;
68 static struct addrinfo *parse_addr(char *, char *);
69 static int fix_portstr(vchar_t *, vchar_t *, vchar_t *);
70 static int setvarbuf(char *, int *, struct sadb_ext *, int, caddr_t, int);
71 void parse_init(void);
72 void free_buffer(void);
74 int setkeymsg0(struct sadb_msg *, unsigned int, unsigned int, size_t);
75 static int setkeymsg_spdaddr(unsigned int, unsigned int, vchar_t *,
76 struct addrinfo *, int, struct addrinfo *, int);
77 static int setkeymsg_addr(unsigned int, unsigned int,
78 struct addrinfo *, struct addrinfo *, int);
79 static int setkeymsg_add(unsigned int, unsigned int,
80 struct addrinfo *, struct addrinfo *);
81 extern int setkeymsg(char *, size_t *);
82 extern int sendkeymsg(char *, size_t);
84 extern int yylex(void);
85 extern void yyfatal(const char *);
86 extern void yyerror(const char *);
96 %token EOT SLASH BLCL ELCL
97 %token ADD GET DELETE DELETEALL FLUSH DUMP
98 %token PR_ESP PR_AH PR_IPCOMP PR_TCP
99 %token F_PROTOCOL F_AUTH F_ENC F_REPLAY F_COMP F_RAWCPI
100 %token F_MODE MODE F_REQID
101 %token F_EXT EXTENSION NOCYCLICSEQ
102 %token ALG_AUTH ALG_AUTH_NOKEY
103 %token ALG_ENC ALG_ENC_NOKEY ALG_ENC_DESDERIV ALG_ENC_DES32IV ALG_ENC_OLD
106 %token F_LIFETIME_HARD F_LIFETIME_SOFT
107 %token DECSTRING QUOTEDSTRING HEXSTRING STRING ANY
109 %token SPDADD SPDDELETE SPDDUMP SPDFLUSH
110 %token F_POLICY PL_REQUESTS
114 %type <num> prefix protocol_spec upper_spec
115 %type <num> ALG_ENC ALG_ENC_DESDERIV ALG_ENC_DES32IV ALG_ENC_OLD ALG_ENC_NOKEY
116 %type <num> ALG_ENC_SALT
117 %type <num> ALG_AUTH ALG_AUTH_NOKEY
119 %type <num> PR_ESP PR_AH PR_IPCOMP PR_TCP
120 %type <num> EXTENSION MODE
121 %type <ulnum> DECSTRING
122 %type <val> PL_REQUESTS portstr key_string
123 %type <val> policy_requests
124 %type <val> QUOTEDSTRING HEXSTRING STRING
125 %type <val> F_AIFLAGS
126 %type <val> upper_misc_spec policy_spec
151 /* commands concerned with management, there is in tail of this file. */
155 : ADD ipaddropts ipaddr ipaddr protocol_spec spi extension_spec algorithm_spec EOT
159 status = setkeymsg_add(SADB_ADD, $5, $3, $4);
167 : DELETE ipaddropts ipaddr ipaddr protocol_spec spi extension_spec EOT
171 if ($3->ai_next || $4->ai_next) {
172 yyerror("multiple address specified");
175 if (p_mode != IPSEC_MODE_ANY)
176 yyerror("WARNING: mode is obsolete");
178 status = setkeymsg_addr(SADB_DELETE, $5, $3, $4, 0);
184 /* deleteall command */
186 : DELETEALL ipaddropts ipaddr ipaddr protocol_spec EOT
190 status = setkeymsg_addr(SADB_DELETE, $5, $3, $4, 1);
198 : GET ipaddropts ipaddr ipaddr protocol_spec spi extension_spec EOT
202 if (p_mode != IPSEC_MODE_ANY)
203 yyerror("WARNING: mode is obsolete");
205 status = setkeymsg_addr(SADB_GET, $5, $3, $4, 0);
213 : FLUSH protocol_spec EOT
216 setkeymsg0(&msg, SADB_FLUSH, $2, sizeof(msg));
217 sendkeymsg((char *)&msg, sizeof(msg));
223 : DUMP protocol_spec EOT
226 setkeymsg0(&msg, SADB_DUMP, $2, sizeof(msg));
227 sendkeymsg((char *)&msg, sizeof(msg));
234 $$ = SADB_SATYPE_UNSPEC;
238 $$ = SADB_SATYPE_ESP;
240 p_ext |= SADB_X_EXT_OLD;
242 p_ext &= ~SADB_X_EXT_OLD;
248 p_ext |= SADB_X_EXT_OLD;
250 p_ext &= ~SADB_X_EXT_OLD;
254 $$ = SADB_X_SATYPE_IPCOMP;
258 $$ = SADB_X_SATYPE_TCPSIGNATURE;
263 : DECSTRING { p_spi = $1; }
270 v = strtoul($1.buf, &ep, 16);
272 yyerror("invalid SPI");
275 if (v & ~0xffffffff) {
276 yyerror("SPI too big.");
291 : F_ENC enc_alg F_AUTH auth_alg
303 yyerror("unsupported algorithm");
308 | F_COMP ALG_COMP F_RAWCPI
311 yyerror("unsupported algorithm");
315 p_ext |= SADB_X_EXT_RAWCPI;
322 yyerror("unsupported algorithm");
329 if (ipsec_check_keylen(SADB_EXT_SUPPORTED_ENCRYPT,
330 p_alg_enc, PFKEY_UNUNIT64(p_key_enc_len)) < 0) {
331 yyerror(ipsec_strerror());
335 | ALG_ENC key_string {
337 yyerror("unsupported algorithm");
342 p_key_enc_len = $2.len;
344 if (ipsec_check_keylen(SADB_EXT_SUPPORTED_ENCRYPT,
345 p_alg_enc, PFKEY_UNUNIT64(p_key_enc_len)) < 0) {
346 yyerror(ipsec_strerror());
352 yyerror("unsupported algorithm");
355 yyerror("WARNING: obsolete algorithm");
360 if (ipsec_check_keylen(SADB_EXT_SUPPORTED_ENCRYPT,
361 p_alg_enc, PFKEY_UNUNIT64(p_key_enc_len)) < 0) {
362 yyerror(ipsec_strerror());
366 | ALG_ENC_DESDERIV key_string
369 yyerror("unsupported algorithm");
373 if (p_ext & SADB_X_EXT_OLD) {
374 yyerror("algorithm mismatched");
377 p_ext |= SADB_X_EXT_DERIV;
379 p_key_enc_len = $2.len;
381 if (ipsec_check_keylen(SADB_EXT_SUPPORTED_ENCRYPT,
382 p_alg_enc, PFKEY_UNUNIT64(p_key_enc_len)) < 0) {
383 yyerror(ipsec_strerror());
387 | ALG_ENC_DES32IV key_string
390 yyerror("unsupported algorithm");
394 if (!(p_ext & SADB_X_EXT_OLD)) {
395 yyerror("algorithm mismatched");
398 p_ext |= SADB_X_EXT_IV4B;
400 p_key_enc_len = $2.len;
402 if (ipsec_check_keylen(SADB_EXT_SUPPORTED_ENCRYPT,
403 p_alg_enc, PFKEY_UNUNIT64(p_key_enc_len)) < 0) {
404 yyerror(ipsec_strerror());
408 | ALG_ENC_SALT key_string
411 yyerror("unsupported algorithm");
416 p_key_enc_len = $2.len;
420 * Salted keys include a 4 byte value that is
421 * not part of the key.
423 if (ipsec_check_keylen(SADB_EXT_SUPPORTED_ENCRYPT,
424 p_alg_enc, PFKEY_UNUNIT64(p_key_enc_len - 4)) < 0) {
425 yyerror(ipsec_strerror());
432 : ALG_AUTH key_string {
434 yyerror("unsupported algorithm");
439 p_key_auth_len = $2.len;
442 if (p_alg_auth == SADB_X_AALG_TCP_MD5) {
443 if ((p_key_auth_len < 1) || (p_key_auth_len >
446 } else if (ipsec_check_keylen(SADB_EXT_SUPPORTED_AUTH,
447 p_alg_auth, PFKEY_UNUNIT64(p_key_auth_len)) < 0) {
448 yyerror(ipsec_strerror());
454 yyerror("unsupported algorithm");
476 l = strlen(yp) % 2 + strlen(yp) / 2;
477 if ((pp_key = malloc(l)) == 0) {
478 yyerror("not enough core");
481 memset(pp_key, 0, l);
484 if (strlen(yp) % 2) {
489 *bp = (ATOX(yp[0]) << 4) | ATOX(yp[1]);
500 | extension_spec extension
504 : F_EXT EXTENSION { p_ext |= $2; }
505 | F_EXT NOCYCLICSEQ { p_ext &= ~SADB_X_EXT_CYCSEQ; }
506 | F_MODE MODE { p_mode = $2; }
507 | F_MODE ANY { p_mode = IPSEC_MODE_ANY; }
508 | F_REQID DECSTRING { p_reqid = $2; }
511 if ((p_ext & SADB_X_EXT_OLD) != 0) {
512 yyerror("replay prevention cannot be used with "
517 if (p_replay > (UINT32_MAX - 32) >> 3)
518 yyerror("replay window is too large");
520 | F_LIFETIME_HARD DECSTRING { p_lt_hard = $2; }
521 | F_LIFETIME_SOFT DECSTRING { p_lt_soft = $2; }
524 /* definition about command for SPD management */
527 : SPDADD ipaddropts STRING prefix portstr STRING prefix portstr upper_spec upper_misc_spec policy_spec EOT
530 struct addrinfo *src, *dst;
532 /* fixed port fields if ulp is icmpv6 */
533 if ($10.buf != NULL) {
534 if ($9 != IPPROTO_ICMPV6)
538 if (fix_portstr(&$10, &$5, &$8))
542 src = parse_addr($3.buf, $5.buf);
543 dst = parse_addr($6.buf, $8.buf);
545 /* yyerror is already called */
548 if (src->ai_next || dst->ai_next) {
549 yyerror("multiple address specified");
555 status = setkeymsg_spdaddr(SADB_X_SPDADD, $9, &$11,
562 | SPDADD TAGGED QUOTEDSTRING policy_spec EOT
569 : SPDDELETE ipaddropts STRING prefix portstr STRING prefix portstr upper_spec upper_misc_spec policy_spec EOT
572 struct addrinfo *src, *dst;
574 /* fixed port fields if ulp is icmpv6 */
575 if ($10.buf != NULL) {
576 if ($9 != IPPROTO_ICMPV6)
580 if (fix_portstr(&$10, &$5, &$8))
584 src = parse_addr($3.buf, $5.buf);
585 dst = parse_addr($6.buf, $8.buf);
587 /* yyerror is already called */
590 if (src->ai_next || dst->ai_next) {
591 yyerror("multiple address specified");
597 status = setkeymsg_spdaddr(SADB_X_SPDDELETE, $9, &$11,
610 setkeymsg0(&msg, SADB_X_SPDDUMP, SADB_SATYPE_UNSPEC,
612 sendkeymsg((char *)&msg, sizeof(msg));
620 setkeymsg0(&msg, SADB_X_SPDFLUSH, SADB_SATYPE_UNSPEC,
622 sendkeymsg((char *)&msg, sizeof(msg));
628 | ipaddropts ipaddropt
636 for (p = $1.buf + 1; *p; p++)
639 p_aifamily = AF_INET;
643 p_aifamily = AF_INET6;
647 p_aiflags = AI_NUMERICHOST;
650 yyerror("invalid flag");
659 $$ = parse_addr($1.buf, NULL);
661 /* yyerror already called by parse_addr */
668 : /*NOTHING*/ { $$ = -1; }
669 | SLASH DECSTRING { $$ = $2; }
675 $$.buf = strdup("0");
677 yyerror("insufficient memory");
680 $$.len = strlen($$.buf);
684 $$.buf = strdup("0");
686 yyerror("insufficient memory");
689 $$.len = strlen($$.buf);
691 | BLCL DECSTRING ELCL
694 snprintf(buf, sizeof(buf), "%lu", $2);
695 $$.buf = strdup(buf);
697 yyerror("insufficient memory");
700 $$.len = strlen($$.buf);
709 : DECSTRING { $$ = $1; }
710 | ANY { $$ = IPSEC_ULPROTO_ANY; }
711 | PR_TCP { $$ = IPPROTO_TCP; }
712 | PR_ESP { $$ = IPPROTO_ESP; }
715 struct protoent *ent;
717 ent = getprotobyname($1.buf);
721 if (strcmp("icmp6", $1.buf) == 0) {
723 } else if(strcmp("ip4", $1.buf) == 0) {
726 yyerror("invalid upper layer protocol");
742 $$.buf = strdup($1.buf);
744 yyerror("insufficient memory");
747 $$.len = strlen($$.buf);
752 : F_POLICY policy_requests
756 policy = ipsec_set_policy($2.buf, $2.len);
757 if (policy == NULL) {
758 yyerror(ipsec_strerror());
763 $$.len = ipsec_get_policylen(policy);
768 : PL_REQUESTS { $$ = $1; }
774 setkeymsg0(msg, type, satype, l)
775 struct sadb_msg *msg;
781 msg->sadb_msg_version = PF_KEY_V2;
782 msg->sadb_msg_type = type;
783 msg->sadb_msg_errno = 0;
784 msg->sadb_msg_satype = satype;
785 msg->sadb_msg_reserved = 0;
786 msg->sadb_msg_seq = 0;
787 msg->sadb_msg_pid = getpid();
788 msg->sadb_msg_len = PFKEY_UNIT64(l);
792 /* XXX NO BUFFER OVERRUN CHECK! BAD BAD! */
794 setkeymsg_spdaddr(type, upper, policy, srcs, splen, dsts, dplen)
798 struct addrinfo *srcs;
800 struct addrinfo *dsts;
803 struct sadb_msg *msg;
806 struct sadb_address m_addr;
807 struct addrinfo *s, *d;
813 msg = (struct sadb_msg *)buf;
818 /* fix up length afterwards */
819 setkeymsg0(msg, type, SADB_SATYPE_UNSPEC, 0);
820 l = sizeof(struct sadb_msg);
822 memcpy(buf + l, policy->buf, policy->len);
828 /* do it for all src/dst pairs */
829 for (s = srcs; s; s = s->ai_next) {
830 for (d = dsts; d; d = d->ai_next) {
834 if (s->ai_addr->sa_family != d->ai_addr->sa_family)
836 switch (s->ai_addr->sa_family) {
838 plen = sizeof(struct in_addr) << 3;
842 plen = sizeof(struct in6_addr) << 3;
851 salen = s->ai_addr->sa_len;
852 m_addr.sadb_address_len = PFKEY_UNIT64(sizeof(m_addr) +
853 PFKEY_ALIGN8(salen));
854 m_addr.sadb_address_exttype = SADB_EXT_ADDRESS_SRC;
855 m_addr.sadb_address_proto = upper;
856 m_addr.sadb_address_prefixlen =
857 (splen >= 0 ? splen : plen);
858 m_addr.sadb_address_reserved = 0;
860 setvarbuf(buf, &l, (struct sadb_ext *)&m_addr,
861 sizeof(m_addr), (caddr_t)sa, salen);
865 salen = d->ai_addr->sa_len;
866 m_addr.sadb_address_len = PFKEY_UNIT64(sizeof(m_addr) +
867 PFKEY_ALIGN8(salen));
868 m_addr.sadb_address_exttype = SADB_EXT_ADDRESS_DST;
869 m_addr.sadb_address_proto = upper;
870 m_addr.sadb_address_prefixlen =
871 (dplen >= 0 ? dplen : plen);
872 m_addr.sadb_address_reserved = 0;
874 setvarbuf(buf, &l, (struct sadb_ext *)&m_addr,
875 sizeof(m_addr), (caddr_t)sa, salen);
877 msg->sadb_msg_len = PFKEY_UNIT64(l);
891 /* XXX NO BUFFER OVERRUN CHECK! BAD BAD! */
893 setkeymsg_addr(type, satype, srcs, dsts, no_spi)
896 struct addrinfo *srcs;
897 struct addrinfo *dsts;
900 struct sadb_msg *msg;
904 struct sadb_x_sa2 m_sa2;
905 struct sadb_x_sa_replay m_replay;
906 struct sadb_address m_addr;
907 struct addrinfo *s, *d;
913 msg = (struct sadb_msg *)buf;
918 /* fix up length afterwards */
919 setkeymsg0(msg, type, satype, 0);
920 l = sizeof(struct sadb_msg);
923 len = sizeof(struct sadb_sa);
924 m_sa.sadb_sa_len = PFKEY_UNIT64(len);
925 m_sa.sadb_sa_exttype = SADB_EXT_SA;
926 m_sa.sadb_sa_spi = htonl(p_spi);
927 m_sa.sadb_sa_replay = p_replay > UINT8_MAX ? UINT8_MAX:
929 m_sa.sadb_sa_state = 0;
930 m_sa.sadb_sa_auth = p_alg_auth;
931 m_sa.sadb_sa_encrypt = p_alg_enc;
932 m_sa.sadb_sa_flags = p_ext;
934 memcpy(buf + l, &m_sa, len);
937 len = sizeof(struct sadb_x_sa2);
938 m_sa2.sadb_x_sa2_len = PFKEY_UNIT64(len);
939 m_sa2.sadb_x_sa2_exttype = SADB_X_EXT_SA2;
940 m_sa2.sadb_x_sa2_mode = p_mode;
941 m_sa2.sadb_x_sa2_reqid = p_reqid;
943 memcpy(buf + l, &m_sa2, len);
946 if (p_replay > UINT8_MAX) {
947 len = sizeof(struct sadb_x_sa_replay);
948 m_replay.sadb_x_sa_replay_len = PFKEY_UNIT64(len);
949 m_replay.sadb_x_sa_replay_exttype =
950 SADB_X_EXT_SA_REPLAY;
951 m_replay.sadb_x_sa_replay_replay = p_replay << 3;
953 memcpy(buf + l, &m_replay, len);
961 /* do it for all src/dst pairs */
962 for (s = srcs; s; s = s->ai_next) {
963 for (d = dsts; d; d = d->ai_next) {
967 if (s->ai_addr->sa_family != d->ai_addr->sa_family)
969 switch (s->ai_addr->sa_family) {
971 plen = sizeof(struct in_addr) << 3;
975 plen = sizeof(struct in6_addr) << 3;
984 salen = s->ai_addr->sa_len;
985 m_addr.sadb_address_len = PFKEY_UNIT64(sizeof(m_addr) +
986 PFKEY_ALIGN8(salen));
987 m_addr.sadb_address_exttype = SADB_EXT_ADDRESS_SRC;
988 m_addr.sadb_address_proto = IPSEC_ULPROTO_ANY;
989 m_addr.sadb_address_prefixlen = plen;
990 m_addr.sadb_address_reserved = 0;
992 setvarbuf(buf, &l, (struct sadb_ext *)&m_addr,
993 sizeof(m_addr), (caddr_t)sa, salen);
997 salen = d->ai_addr->sa_len;
998 m_addr.sadb_address_len = PFKEY_UNIT64(sizeof(m_addr) +
999 PFKEY_ALIGN8(salen));
1000 m_addr.sadb_address_exttype = SADB_EXT_ADDRESS_DST;
1001 m_addr.sadb_address_proto = IPSEC_ULPROTO_ANY;
1002 m_addr.sadb_address_prefixlen = plen;
1003 m_addr.sadb_address_reserved = 0;
1005 setvarbuf(buf, &l, (struct sadb_ext *)&m_addr,
1006 sizeof(m_addr), (caddr_t)sa, salen);
1008 msg->sadb_msg_len = PFKEY_UNIT64(l);
1022 /* XXX NO BUFFER OVERRUN CHECK! BAD BAD! */
1024 setkeymsg_add(type, satype, srcs, dsts)
1026 unsigned int satype;
1027 struct addrinfo *srcs;
1028 struct addrinfo *dsts;
1030 struct sadb_msg *msg;
1033 struct sadb_sa m_sa;
1034 struct sadb_x_sa2 m_sa2;
1035 struct sadb_address m_addr;
1036 struct sadb_x_sa_replay m_replay;
1037 struct addrinfo *s, *d;
1040 struct sockaddr *sa;
1043 msg = (struct sadb_msg *)buf;
1048 /* fix up length afterwards */
1049 setkeymsg0(msg, type, satype, 0);
1050 l = sizeof(struct sadb_msg);
1052 /* set encryption algorithm, if present. */
1053 if (satype != SADB_X_SATYPE_IPCOMP && p_key_enc) {
1054 struct sadb_key m_key;
1056 m_key.sadb_key_len =
1057 PFKEY_UNIT64(sizeof(m_key)
1058 + PFKEY_ALIGN8(p_key_enc_len));
1059 m_key.sadb_key_exttype = SADB_EXT_KEY_ENCRYPT;
1060 m_key.sadb_key_bits = p_key_enc_len * 8;
1061 m_key.sadb_key_reserved = 0;
1064 (struct sadb_ext *)&m_key, sizeof(m_key),
1065 (caddr_t)p_key_enc, p_key_enc_len);
1068 /* set authentication algorithm, if present. */
1070 struct sadb_key m_key;
1072 m_key.sadb_key_len =
1073 PFKEY_UNIT64(sizeof(m_key)
1074 + PFKEY_ALIGN8(p_key_auth_len));
1075 m_key.sadb_key_exttype = SADB_EXT_KEY_AUTH;
1076 m_key.sadb_key_bits = p_key_auth_len * 8;
1077 m_key.sadb_key_reserved = 0;
1080 (struct sadb_ext *)&m_key, sizeof(m_key),
1081 (caddr_t)p_key_auth, p_key_auth_len);
1084 /* set lifetime for HARD */
1085 if (p_lt_hard != 0) {
1086 struct sadb_lifetime m_lt;
1087 u_int slen = sizeof(struct sadb_lifetime);
1089 m_lt.sadb_lifetime_len = PFKEY_UNIT64(slen);
1090 m_lt.sadb_lifetime_exttype = SADB_EXT_LIFETIME_HARD;
1091 m_lt.sadb_lifetime_allocations = 0;
1092 m_lt.sadb_lifetime_bytes = 0;
1093 m_lt.sadb_lifetime_addtime = p_lt_hard;
1094 m_lt.sadb_lifetime_usetime = 0;
1096 memcpy(buf + l, &m_lt, slen);
1100 /* set lifetime for SOFT */
1101 if (p_lt_soft != 0) {
1102 struct sadb_lifetime m_lt;
1103 u_int slen = sizeof(struct sadb_lifetime);
1105 m_lt.sadb_lifetime_len = PFKEY_UNIT64(slen);
1106 m_lt.sadb_lifetime_exttype = SADB_EXT_LIFETIME_SOFT;
1107 m_lt.sadb_lifetime_allocations = 0;
1108 m_lt.sadb_lifetime_bytes = 0;
1109 m_lt.sadb_lifetime_addtime = p_lt_soft;
1110 m_lt.sadb_lifetime_usetime = 0;
1112 memcpy(buf + l, &m_lt, slen);
1116 len = sizeof(struct sadb_sa);
1117 m_sa.sadb_sa_len = PFKEY_UNIT64(len);
1118 m_sa.sadb_sa_exttype = SADB_EXT_SA;
1119 m_sa.sadb_sa_spi = htonl(p_spi);
1120 m_sa.sadb_sa_replay = p_replay > UINT8_MAX ? UINT8_MAX: p_replay;
1121 m_sa.sadb_sa_state = 0;
1122 m_sa.sadb_sa_auth = p_alg_auth;
1123 m_sa.sadb_sa_encrypt = p_alg_enc;
1124 m_sa.sadb_sa_flags = p_ext;
1126 memcpy(buf + l, &m_sa, len);
1129 len = sizeof(struct sadb_x_sa2);
1130 m_sa2.sadb_x_sa2_len = PFKEY_UNIT64(len);
1131 m_sa2.sadb_x_sa2_exttype = SADB_X_EXT_SA2;
1132 m_sa2.sadb_x_sa2_mode = p_mode;
1133 m_sa2.sadb_x_sa2_reqid = p_reqid;
1135 memcpy(buf + l, &m_sa2, len);
1138 if (p_replay > UINT8_MAX) {
1139 len = sizeof(struct sadb_x_sa_replay);
1140 m_replay.sadb_x_sa_replay_len = PFKEY_UNIT64(len);
1141 m_replay.sadb_x_sa_replay_exttype = SADB_X_EXT_SA_REPLAY;
1142 m_replay.sadb_x_sa_replay_replay = p_replay << 3;
1144 memcpy(buf + l, &m_replay, len);
1150 /* do it for all src/dst pairs */
1151 for (s = srcs; s; s = s->ai_next) {
1152 for (d = dsts; d; d = d->ai_next) {
1153 /* rewind pointer */
1156 if (s->ai_addr->sa_family != d->ai_addr->sa_family)
1158 switch (s->ai_addr->sa_family) {
1160 plen = sizeof(struct in_addr) << 3;
1164 plen = sizeof(struct in6_addr) << 3;
1173 salen = s->ai_addr->sa_len;
1174 m_addr.sadb_address_len = PFKEY_UNIT64(sizeof(m_addr) +
1175 PFKEY_ALIGN8(salen));
1176 m_addr.sadb_address_exttype = SADB_EXT_ADDRESS_SRC;
1177 m_addr.sadb_address_proto = IPSEC_ULPROTO_ANY;
1178 m_addr.sadb_address_prefixlen = plen;
1179 m_addr.sadb_address_reserved = 0;
1181 setvarbuf(buf, &l, (struct sadb_ext *)&m_addr,
1182 sizeof(m_addr), (caddr_t)sa, salen);
1186 salen = d->ai_addr->sa_len;
1187 m_addr.sadb_address_len = PFKEY_UNIT64(sizeof(m_addr) +
1188 PFKEY_ALIGN8(salen));
1189 m_addr.sadb_address_exttype = SADB_EXT_ADDRESS_DST;
1190 m_addr.sadb_address_proto = IPSEC_ULPROTO_ANY;
1191 m_addr.sadb_address_prefixlen = plen;
1192 m_addr.sadb_address_reserved = 0;
1194 setvarbuf(buf, &l, (struct sadb_ext *)&m_addr,
1195 sizeof(m_addr), (caddr_t)sa, salen);
1197 msg->sadb_msg_len = PFKEY_UNIT64(l);
1211 static struct addrinfo *
1212 parse_addr(host, port)
1216 struct addrinfo hints, *res = NULL;
1219 memset(&hints, 0, sizeof(hints));
1220 hints.ai_family = p_aifamily;
1221 hints.ai_socktype = SOCK_DGRAM; /*dummy*/
1222 hints.ai_protocol = IPPROTO_UDP; /*dummy*/
1223 hints.ai_flags = p_aiflags;
1224 error = getaddrinfo(host, port, &hints, &res);
1226 yyerror(gai_strerror(error));
1233 fix_portstr(spec, sport, dport)
1234 vchar_t *spec, *sport, *dport;
1240 for (p = spec->buf; *p != ',' && *p != '\0' && l < spec->len; p++, l++)
1249 for (p = p2; *p != '\0' && l < spec->len; p++, l++)
1251 if (*p != '\0' || *p2 == '\0') {
1252 yyerror("invalid an upper layer protocol spec");
1257 sport->buf = strdup(spec->buf);
1259 yyerror("insufficient memory");
1262 sport->len = strlen(sport->buf);
1263 dport->buf = strdup(p2);
1265 yyerror("insufficient memory");
1268 dport->len = strlen(dport->buf);
1274 setvarbuf(buf, off, ebuf, elen, vbuf, vlen)
1277 struct sadb_ext *ebuf;
1282 memset(buf + *off, 0, PFKEY_UNUNIT64(ebuf->sadb_ext_len));
1283 memcpy(buf + *off, (caddr_t)ebuf, elen);
1284 memcpy(buf + *off + elen, vbuf, vlen);
1285 (*off) += PFKEY_ALIGN8(elen + vlen);
1295 p_ext = SADB_X_EXT_CYCSEQ;
1296 p_alg_enc = SADB_EALG_NONE;
1297 p_alg_auth = SADB_AALG_NONE;
1298 p_mode = IPSEC_MODE_ANY;
1301 p_key_enc_len = p_key_auth_len = 0;
1302 p_key_enc = p_key_auth = 0;
1303 p_lt_hard = p_lt_soft = 0;
1306 p_aifamily = PF_UNSPEC;
1314 /* we got tons of memory leaks in the parser anyways, leave them */