/*	$NetBSD: prsa_par.y,v 1.4 2006/09/09 16:22:10 manu Exp $	*/

/* Id: prsa_par.y,v 1.3 2004/11/08 12:04:23 ludvigm Exp */

%{
/*
 * Copyright (C) 2004 SuSE Linux AG, Nuernberg, Germany.
 * Contributed by: Michal Ludvig <mludvig@suse.cz>, SUSE Labs
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. Neither the name of the project nor the names of its contributors
 *    may be used to endorse or promote products derived from this software
 *    without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 */

/* This file contains a parser for FreeS/WAN-style ipsec.secrets RSA keys. */

#include "config.h"

#include <stdio.h>
#include <stdarg.h>
#include <string.h>
#include <errno.h>
#include <unistd.h>

#ifdef HAVE_STDARG_H
#include <stdarg.h>
#else
#include <varargs.h>
#endif

#include <netdb.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <arpa/inet.h>
#include <sys/types.h>

#include <sys/stat.h>
#include <unistd.h>

#include <openssl/bn.h>
#include <openssl/rsa.h>

#include "misc.h"
#include "vmbuf.h"
#include "plog.h"
#include "oakley.h"
#include "isakmp_var.h"
#include "handler.h"
#include "crypto_openssl.h"
#include "sockmisc.h"
#include "rsalist.h"

extern void prsaerror(const char *str, ...);
extern int prsawrap (void);
extern int prsalex (void);

extern char *prsatext;
extern int prsa_cur_lineno;
extern char *prsa_cur_fname;
extern FILE *prsain;

int prsa_cur_lineno = 0;
char *prsa_cur_fname = NULL;
struct genlist *prsa_cur_list = NULL;
enum rsa_key_type prsa_cur_type = RSA_TYPE_ANY;

static RSA *rsa_cur;

void
prsaerror(const char *s, ...)
{
	char fmt[512];

	va_list ap;
#ifdef HAVE_STDARG_H
	va_start(ap, s);
#else
	va_start(ap);
#endif
	snprintf(fmt, sizeof(fmt), "%s:%d: %s",
		prsa_cur_fname, prsa_cur_lineno, s);
	plogv(LLV_ERROR, LOCATION, NULL, fmt, ap);
	va_end(ap);
}

void
prsawarning(const char *s, ...)
{
	char fmt[512];

	va_list ap;
#ifdef HAVE_STDARG_H
	va_start(ap, s);
#else
	va_start(ap);
#endif
	snprintf(fmt, sizeof(fmt), "%s:%d: %s",
		prsa_cur_fname, prsa_cur_lineno, s);
	plogv(LLV_WARNING, LOCATION, NULL, fmt, ap);
	va_end(ap);
}

int
prsawrap()
{
	return 1;
} 
%}
%union {
	BIGNUM *bn;
	RSA *rsa;
	char *chr;
	long num;
	struct netaddr *naddr;
}

%token COLON HEX
%token OBRACE EBRACE COLON HEX
%token TAG_RSA TAG_PUB TAG_PSK
%token MODULUS PUBLIC_EXPONENT PRIVATE_EXPONENT 
%token PRIME1 PRIME2 EXPONENT1 EXPONENT2 COEFFICIENT
%token ADDR4 ADDR6 ADDRANY SLASH NUMBER BASE64

%type <bn>	HEX
%type <num>	NUMBER
%type <chr>	ADDR4 ADDR6 BASE64

%type <rsa>	rsa_statement
%type <num>	prefix
%type <naddr>	addr4 addr6 addr

%%
statements:
	statements statement
	| statement
	;

statement:
	addr addr COLON rsa_statement
	{
		rsa_key_insert(prsa_cur_list, $1, $2, $4);
	}
	| addr COLON rsa_statement 
	{
		rsa_key_insert(prsa_cur_list, NULL, $1, $3);
	}
	| COLON rsa_statement 
	{
		rsa_key_insert(prsa_cur_list, NULL, NULL, $2);
	}
	;

rsa_statement:
	TAG_RSA OBRACE params EBRACE
	{
		if (prsa_cur_type == RSA_TYPE_PUBLIC) {
			prsawarning("Using private key for public key purpose.\n");
			if (!rsa_cur->n || !rsa_cur->e) {
				prsaerror("Incomplete key. Mandatory parameters are missing!\n");
				YYABORT;
			}
		}
		else {
			if (!rsa_cur->n || !rsa_cur->e || !rsa_cur->d) {
				prsaerror("Incomplete key. Mandatory parameters are missing!\n");
				YYABORT;
			}
			if (!rsa_cur->p || !rsa_cur->q || !rsa_cur->dmp1
			    || !rsa_cur->dmq1 || !rsa_cur->iqmp) {
				if (rsa_cur->p) BN_clear_free(rsa_cur->p);
				if (rsa_cur->q) BN_clear_free(rsa_cur->q);
				if (rsa_cur->dmp1) BN_clear_free(rsa_cur->dmp1);
				if (rsa_cur->dmq1) BN_clear_free(rsa_cur->dmq1);
				if (rsa_cur->iqmp) BN_clear_free(rsa_cur->iqmp);

				rsa_cur->p = NULL;
				rsa_cur->q = NULL;
				rsa_cur->dmp1 = NULL;
				rsa_cur->dmq1 = NULL;
				rsa_cur->iqmp = NULL;
			}
		}
		$$ = rsa_cur;
		rsa_cur = RSA_new();
	}
	| TAG_PUB BASE64
	{
		if (prsa_cur_type == RSA_TYPE_PRIVATE) {
			prsaerror("Public key in private-key file!\n");
			YYABORT;
		}
		$$ = base64_pubkey2rsa($2);
	}
	| TAG_PUB HEX
	{
		if (prsa_cur_type == RSA_TYPE_PRIVATE) {
			prsaerror("Public key in private-key file!\n");
			YYABORT;
		}
		$$ = bignum_pubkey2rsa($2);
	}
	;

addr:
	addr4
	| addr6
	| ADDRANY
	{
		$$ = NULL;
	}
	;

addr4:
	ADDR4 prefix
	{
		int err;
		struct sockaddr_in *sap;
		
		if ($2 == -1) $2 = 32;
		if ($2 < 0 || $2 > 32) {
			prsaerror ("Invalid IPv4 prefix\n");
			YYABORT;
		}
		$$ = calloc (sizeof(struct netaddr), 1);
		$$->prefix = $2;
		sap = (struct sockaddr_in *)(&$$->sa);
		sap->sin_family = AF_INET;
		err = inet_pton(AF_INET, $1, (struct in_addr*)(&sap->sin_addr));
		if (err <= 0) {
			prsaerror("inet_pton(%s): %s\n", $1, strerror(errno));
			YYABORT;
		}
	}
	;

addr6:
	ADDR6 prefix
	{
		int err;
		struct sockaddr_in6 *sap;
		
		if ($2 == -1) $2 = 128;
		if ($2 < 0 || $2 > 128) {
			prsaerror ("Invalid IPv6 prefix\n");
			YYABORT;
		}
		$$ = calloc (sizeof(struct netaddr), 1);
		$$->prefix = $2;
		sap = (struct sockaddr_in6 *)(&$$->sa);
		sap->sin6_family = AF_INET6;
		err = inet_pton(AF_INET6, $1, (struct in6_addr*)(&sap->sin6_addr));
		if (err <= 0) {
			prsaerror("inet_pton(%s): %s\n", $1, strerror(errno));
			YYABORT;
		}
	}
	;

prefix:
	/* nothing */ { $$ = -1; }
	| SLASH NUMBER { $$ = $2; }
	;
params:
	params param
	| param
	;

param:
	MODULUS COLON HEX 
	{ if (!rsa_cur->n) rsa_cur->n = $3; else { prsaerror ("Modulus already defined\n"); YYABORT; } }
	| PUBLIC_EXPONENT COLON HEX 
	{ if (!rsa_cur->e) rsa_cur->e = $3; else { prsaerror ("PublicExponent already defined\n"); YYABORT; } }
	| PRIVATE_EXPONENT COLON HEX 
	{ if (!rsa_cur->d) rsa_cur->d = $3; else { prsaerror ("PrivateExponent already defined\n"); YYABORT; } }
	| PRIME1 COLON HEX 
	{ if (!rsa_cur->p) rsa_cur->p = $3; else { prsaerror ("Prime1 already defined\n"); YYABORT; } }
	| PRIME2 COLON HEX 
	{ if (!rsa_cur->q) rsa_cur->q = $3; else { prsaerror ("Prime2 already defined\n"); YYABORT; } }
	| EXPONENT1 COLON HEX 
	{ if (!rsa_cur->dmp1) rsa_cur->dmp1 = $3; else { prsaerror ("Exponent1 already defined\n"); YYABORT; } }
	| EXPONENT2 COLON HEX 
	{ if (!rsa_cur->dmq1) rsa_cur->dmq1 = $3; else { prsaerror ("Exponent2 already defined\n"); YYABORT; } }
	| COEFFICIENT COLON HEX 
	{ if (!rsa_cur->iqmp) rsa_cur->iqmp = $3; else { prsaerror ("Coefficient already defined\n"); YYABORT; } }
	;
%%

int prsaparse(void);

int
prsa_parse_file(struct genlist *list, char *fname, enum rsa_key_type type)
{
	FILE *fp = NULL;
	int ret;
	
	if (!fname)
		return -1;
	if (type == RSA_TYPE_PRIVATE) {
		struct stat st;
		if (stat(fname, &st) < 0)
			return -1;
		if (st.st_mode & (S_IRWXG | S_IRWXO)) {
			plog(LLV_ERROR, LOCATION, NULL,
				"Too slack permissions on private key '%s'\n", 
				fname);
			plog(LLV_ERROR, LOCATION, NULL,
				"Should be at most 0600, now is 0%o\n",
				st.st_mode & 0777);
			return -1;
		}
	}
	fp = fopen(fname, "r");
	if (!fp)
		return -1;
	prsain = fp;
	prsa_cur_lineno = 1;
	prsa_cur_fname = fname;
	prsa_cur_list = list;
	prsa_cur_type = type;
	rsa_cur = RSA_new();
	ret = prsaparse();
	if (rsa_cur) {
		RSA_free(rsa_cur);
		rsa_cur = NULL;
	}
	fclose (fp);
	prsain = NULL;
	return ret;
}