1 /* $NetBSD: policy_parse.y,v 1.11 2009/02/16 18:36:21 tteras Exp $ */ 2 3 /* $KAME: policy_parse.y,v 1.21 2003/12/12 08:01:26 itojun Exp $ */ 4 5 /* 6 * Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project. 7 * All rights reserved. 8 * 9 * Redistribution and use in source and binary forms, with or without 10 * modification, are permitted provided that the following conditions 11 * are met: 12 * 1. Redistributions of source code must retain the above copyright 13 * notice, this list of conditions and the following disclaimer. 14 * 2. Redistributions in binary form must reproduce the above copyright 15 * notice, this list of conditions and the following disclaimer in the 16 * documentation and/or other materials provided with the distribution. 17 * 3. Neither the name of the project nor the names of its contributors 18 * may be used to endorse or promote products derived from this software 19 * without specific prior written permission. 20 * 21 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND 22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 24 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE 25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 31 * SUCH DAMAGE. 32 */ 33 34 /* 35 * IN/OUT bound policy configuration take place such below: 36 * in <priority> <policy> 37 * out <priority> <policy> 38 * 39 * <priority> is one of the following: 40 * priority <signed int> where the integer is an offset from the default 41 * priority, where negative numbers indicate lower 42 * priority (towards end of list) and positive numbers 43 * indicate higher priority (towards beginning of list) 44 * 45 * priority {low,def,high} {+,-} <unsigned int> where low and high are 46 * constants which are closer 47 * to the end of the list and 48 * beginning of the list, 49 * respectively 50 * 51 * <policy> is one of following: 52 * "discard", "none", "ipsec <requests>", "entrust", "bypass", 53 * 54 * The following requests are accepted as <requests>: 55 * 56 * protocol/mode/src-dst/level 57 * protocol/mode/src-dst parsed as protocol/mode/src-dst/default 58 * protocol/mode/src-dst/ parsed as protocol/mode/src-dst/default 59 * protocol/transport parsed as protocol/mode/any-any/default 60 * protocol/transport//level parsed as protocol/mode/any-any/level 61 * 62 * You can concatenate these requests with either ' '(single space) or '\n'. 63 */ 64 65 %{ 66 #ifdef HAVE_CONFIG_H 67 #include "config.h" 68 #endif 69 70 #include <sys/types.h> 71 #include <sys/param.h> 72 #include <sys/socket.h> 73 74 #include <netinet/in.h> 75 #include PATH_IPSEC_H 76 77 #include <stdlib.h> 78 #include <stdio.h> 79 #include <string.h> 80 #include <netdb.h> 81 82 #include <errno.h> 83 84 #include "config.h" 85 86 #include "ipsec_strerror.h" 87 #include "libpfkey.h" 88 89 #ifndef INT32_MAX 90 #define INT32_MAX (0xffffffff) 91 #endif 92 93 #ifndef INT32_MIN 94 #define INT32_MIN (-INT32_MAX-1) 95 #endif 96 97 #define ATOX(c) \ 98 (isdigit(c) ? (c - '0') : (isupper(c) ? (c - 'A' + 10) : (c - 'a' + 10) )) 99 100 static u_int8_t *pbuf = NULL; /* sadb_x_policy buffer */ 101 static int tlen = 0; /* total length of pbuf */ 102 static int offset = 0; /* offset of pbuf */ 103 static int p_dir, p_type, p_protocol, p_mode, p_level, p_reqid; 104 static u_int32_t p_priority = 0; 105 static long p_priority_offset = 0; 106 static struct sockaddr *p_src = NULL; 107 static struct sockaddr *p_dst = NULL; 108 109 struct _val; 110 extern void yyerror __P((char *msg)); 111 static struct sockaddr *parse_sockaddr __P((struct _val *addrbuf, 112 struct _val *portbuf)); 113 static int rule_check __P((void)); 114 static int init_x_policy __P((void)); 115 static int set_x_request __P((struct sockaddr *, struct sockaddr *)); 116 static int set_sockaddr __P((struct sockaddr *)); 117 static void policy_parse_request_init __P((void)); 118 static void *policy_parse __P((const char *, int)); 119 120 extern void __policy__strbuffer__init__ __P((const char *)); 121 extern void __policy__strbuffer__free__ __P((void)); 122 extern int yyparse __P((void)); 123 extern int yylex __P((void)); 124 125 extern char *__libipsectext; /*XXX*/ 126 127 %} 128 129 %union { 130 u_int num; 131 u_int32_t num32; 132 struct _val { 133 int len; 134 char *buf; 135 } val; 136 } 137 138 %token DIR 139 %token PRIORITY PLUS 140 %token <num32> PRIO_BASE 141 %token <val> PRIO_OFFSET 142 %token ACTION PROTOCOL MODE LEVEL LEVEL_SPECIFY IPADDRESS PORT 143 %token ME ANY 144 %token SLASH HYPHEN 145 %type <num> DIR PRIORITY ACTION PROTOCOL MODE LEVEL 146 %type <val> IPADDRESS LEVEL_SPECIFY PORT 147 148 %% 149 policy_spec 150 : DIR ACTION 151 { 152 p_dir = $1; 153 p_type = $2; 154 155 #ifdef HAVE_PFKEY_POLICY_PRIORITY 156 p_priority = PRIORITY_DEFAULT; 157 #else 158 p_priority = 0; 159 #endif 160 161 if (init_x_policy()) 162 return -1; 163 } 164 rules 165 | DIR PRIORITY PRIO_OFFSET ACTION 166 { 167 p_dir = $1; 168 p_type = $4; 169 p_priority_offset = -atol($3.buf); 170 171 errno = 0; 172 if (errno != 0 || p_priority_offset < INT32_MIN) 173 { 174 __ipsec_errcode = EIPSEC_INVAL_PRIORITY_OFFSET; 175 return -1; 176 } 177 178 p_priority = PRIORITY_DEFAULT + (u_int32_t) p_priority_offset; 179 180 if (init_x_policy()) 181 return -1; 182 } 183 rules 184 | DIR PRIORITY HYPHEN PRIO_OFFSET ACTION 185 { 186 p_dir = $1; 187 p_type = $5; 188 189 errno = 0; 190 p_priority_offset = atol($4.buf); 191 192 if (errno != 0 || p_priority_offset > INT32_MAX) 193 { 194 __ipsec_errcode = EIPSEC_INVAL_PRIORITY_OFFSET; 195 return -1; 196 } 197 198 /* negative input value means lower priority, therefore higher 199 actual value so that is closer to the end of the list */ 200 p_priority = PRIORITY_DEFAULT + (u_int32_t) p_priority_offset; 201 202 if (init_x_policy()) 203 return -1; 204 } 205 rules 206 | DIR PRIORITY PRIO_BASE ACTION 207 { 208 p_dir = $1; 209 p_type = $4; 210 211 p_priority = $3; 212 213 if (init_x_policy()) 214 return -1; 215 } 216 rules 217 | DIR PRIORITY PRIO_BASE PLUS PRIO_OFFSET ACTION 218 { 219 p_dir = $1; 220 p_type = $6; 221 222 errno = 0; 223 p_priority_offset = atol($5.buf); 224 225 if (errno != 0 || p_priority_offset > PRIORITY_OFFSET_NEGATIVE_MAX) 226 { 227 __ipsec_errcode = EIPSEC_INVAL_PRIORITY_BASE_OFFSET; 228 return -1; 229 } 230 231 /* adding value means higher priority, therefore lower 232 actual value so that is closer to the beginning of the list */ 233 p_priority = $3 - (u_int32_t) p_priority_offset; 234 235 if (init_x_policy()) 236 return -1; 237 } 238 rules 239 | DIR PRIORITY PRIO_BASE HYPHEN PRIO_OFFSET ACTION 240 { 241 p_dir = $1; 242 p_type = $6; 243 244 errno = 0; 245 p_priority_offset = atol($5.buf); 246 247 if (errno != 0 || p_priority_offset > PRIORITY_OFFSET_POSITIVE_MAX) 248 { 249 __ipsec_errcode = EIPSEC_INVAL_PRIORITY_BASE_OFFSET; 250 return -1; 251 } 252 253 /* subtracting value means lower priority, therefore higher 254 actual value so that is closer to the end of the list */ 255 p_priority = $3 + (u_int32_t) p_priority_offset; 256 257 if (init_x_policy()) 258 return -1; 259 } 260 rules 261 | DIR 262 { 263 p_dir = $1; 264 p_type = 0; /* ignored it by kernel */ 265 266 p_priority = 0; 267 268 if (init_x_policy()) 269 return -1; 270 } 271 ; 272 273 rules 274 : /*NOTHING*/ 275 | rules rule { 276 if (rule_check() < 0) 277 return -1; 278 279 if (set_x_request(p_src, p_dst) < 0) 280 return -1; 281 282 policy_parse_request_init(); 283 } 284 ; 285 286 rule 287 : protocol SLASH mode SLASH addresses SLASH level 288 | protocol SLASH mode SLASH addresses SLASH 289 | protocol SLASH mode SLASH addresses 290 | protocol SLASH mode SLASH 291 | protocol SLASH mode SLASH SLASH level 292 | protocol SLASH mode 293 | protocol SLASH { 294 __ipsec_errcode = EIPSEC_FEW_ARGUMENTS; 295 return -1; 296 } 297 | protocol { 298 __ipsec_errcode = EIPSEC_FEW_ARGUMENTS; 299 return -1; 300 } 301 ; 302 303 protocol 304 : PROTOCOL { p_protocol = $1; } 305 ; 306 307 mode 308 : MODE { p_mode = $1; } 309 ; 310 311 level 312 : LEVEL { 313 p_level = $1; 314 p_reqid = 0; 315 } 316 | LEVEL_SPECIFY { 317 p_level = IPSEC_LEVEL_UNIQUE; 318 p_reqid = atol($1.buf); /* atol() is good. */ 319 } 320 ; 321 322 addresses 323 : IPADDRESS { 324 p_src = parse_sockaddr(&$1, NULL); 325 if (p_src == NULL) 326 return -1; 327 } 328 HYPHEN 329 IPADDRESS { 330 p_dst = parse_sockaddr(&$4, NULL); 331 if (p_dst == NULL) 332 return -1; 333 } 334 | IPADDRESS PORT { 335 p_src = parse_sockaddr(&$1, &$2); 336 if (p_src == NULL) 337 return -1; 338 } 339 HYPHEN 340 IPADDRESS PORT { 341 p_dst = parse_sockaddr(&$5, &$6); 342 if (p_dst == NULL) 343 return -1; 344 } 345 | ME HYPHEN ANY { 346 if (p_dir != IPSEC_DIR_OUTBOUND) { 347 __ipsec_errcode = EIPSEC_INVAL_DIR; 348 return -1; 349 } 350 } 351 | ANY HYPHEN ME { 352 if (p_dir != IPSEC_DIR_INBOUND) { 353 __ipsec_errcode = EIPSEC_INVAL_DIR; 354 return -1; 355 } 356 } 357 /* 358 | ME HYPHEN ME 359 */ 360 ; 361 362 %% 363 364 void 365 yyerror(msg) 366 char *msg; 367 { 368 fprintf(stderr, "libipsec: %s while parsing \"%s\"\n", 369 msg, __libipsectext); 370 371 return; 372 } 373 374 static struct sockaddr * 375 parse_sockaddr(addrbuf, portbuf) 376 struct _val *addrbuf; 377 struct _val *portbuf; 378 { 379 struct addrinfo hints, *res; 380 char *addr; 381 char *serv = NULL; 382 int error; 383 struct sockaddr *newaddr = NULL; 384 385 if ((addr = malloc(addrbuf->len + 1)) == NULL) { 386 yyerror("malloc failed"); 387 __ipsec_set_strerror(strerror(errno)); 388 return NULL; 389 } 390 391 if (portbuf && ((serv = malloc(portbuf->len + 1)) == NULL)) { 392 free(addr); 393 yyerror("malloc failed"); 394 __ipsec_set_strerror(strerror(errno)); 395 return NULL; 396 } 397 398 strncpy(addr, addrbuf->buf, addrbuf->len); 399 addr[addrbuf->len] = '\0'; 400 401 if (portbuf) { 402 strncpy(serv, portbuf->buf, portbuf->len); 403 serv[portbuf->len] = '\0'; 404 } 405 406 memset(&hints, 0, sizeof(hints)); 407 hints.ai_family = PF_UNSPEC; 408 hints.ai_flags = AI_NUMERICHOST; 409 hints.ai_socktype = SOCK_DGRAM; 410 error = getaddrinfo(addr, serv, &hints, &res); 411 free(addr); 412 if (serv != NULL) 413 free(serv); 414 if (error != 0) { 415 yyerror("invalid IP address"); 416 __ipsec_set_strerror(gai_strerror(error)); 417 return NULL; 418 } 419 420 if (res->ai_addr == NULL) { 421 yyerror("invalid IP address"); 422 __ipsec_set_strerror(gai_strerror(error)); 423 return NULL; 424 } 425 426 newaddr = malloc(res->ai_addrlen); 427 if (newaddr == NULL) { 428 __ipsec_errcode = EIPSEC_NO_BUFS; 429 freeaddrinfo(res); 430 return NULL; 431 } 432 memcpy(newaddr, res->ai_addr, res->ai_addrlen); 433 434 freeaddrinfo(res); 435 436 __ipsec_errcode = EIPSEC_NO_ERROR; 437 return newaddr; 438 } 439 440 static int 441 rule_check() 442 { 443 if (p_type == IPSEC_POLICY_IPSEC) { 444 if (p_protocol == IPPROTO_IP) { 445 __ipsec_errcode = EIPSEC_NO_PROTO; 446 return -1; 447 } 448 449 if (p_mode != IPSEC_MODE_TRANSPORT 450 && p_mode != IPSEC_MODE_TUNNEL) { 451 __ipsec_errcode = EIPSEC_INVAL_MODE; 452 return -1; 453 } 454 455 if (p_src == NULL && p_dst == NULL) { 456 if (p_mode != IPSEC_MODE_TRANSPORT) { 457 __ipsec_errcode = EIPSEC_INVAL_ADDRESS; 458 return -1; 459 } 460 } 461 else if (p_src->sa_family != p_dst->sa_family) { 462 __ipsec_errcode = EIPSEC_FAMILY_MISMATCH; 463 return -1; 464 } 465 } 466 467 __ipsec_errcode = EIPSEC_NO_ERROR; 468 return 0; 469 } 470 471 static int 472 init_x_policy() 473 { 474 struct sadb_x_policy *p; 475 476 if (pbuf) { 477 free(pbuf); 478 tlen = 0; 479 } 480 pbuf = malloc(sizeof(struct sadb_x_policy)); 481 if (pbuf == NULL) { 482 __ipsec_errcode = EIPSEC_NO_BUFS; 483 return -1; 484 } 485 tlen = sizeof(struct sadb_x_policy); 486 487 memset(pbuf, 0, tlen); 488 p = (struct sadb_x_policy *)pbuf; 489 p->sadb_x_policy_len = 0; /* must update later */ 490 p->sadb_x_policy_exttype = SADB_X_EXT_POLICY; 491 p->sadb_x_policy_type = p_type; 492 p->sadb_x_policy_dir = p_dir; 493 p->sadb_x_policy_id = 0; 494 #ifdef HAVE_PFKEY_POLICY_PRIORITY 495 p->sadb_x_policy_priority = p_priority; 496 #else 497 /* fail if given a priority and libipsec was not compiled with 498 priority support */ 499 if (p_priority != 0) 500 { 501 __ipsec_errcode = EIPSEC_PRIORITY_NOT_COMPILED; 502 return -1; 503 } 504 #endif 505 506 offset = tlen; 507 508 __ipsec_errcode = EIPSEC_NO_ERROR; 509 return 0; 510 } 511 512 static int 513 set_x_request(src, dst) 514 struct sockaddr *src, *dst; 515 { 516 struct sadb_x_ipsecrequest *p; 517 int reqlen; 518 u_int8_t *n; 519 520 reqlen = sizeof(*p) 521 + (src ? sysdep_sa_len(src) : 0) 522 + (dst ? sysdep_sa_len(dst) : 0); 523 tlen += reqlen; /* increment to total length */ 524 525 n = realloc(pbuf, tlen); 526 if (n == NULL) { 527 __ipsec_errcode = EIPSEC_NO_BUFS; 528 return -1; 529 } 530 pbuf = n; 531 532 p = (struct sadb_x_ipsecrequest *)&pbuf[offset]; 533 p->sadb_x_ipsecrequest_len = reqlen; 534 p->sadb_x_ipsecrequest_proto = p_protocol; 535 p->sadb_x_ipsecrequest_mode = p_mode; 536 p->sadb_x_ipsecrequest_level = p_level; 537 p->sadb_x_ipsecrequest_reqid = p_reqid; 538 offset += sizeof(*p); 539 540 if (set_sockaddr(src) || set_sockaddr(dst)) 541 return -1; 542 543 __ipsec_errcode = EIPSEC_NO_ERROR; 544 return 0; 545 } 546 547 static int 548 set_sockaddr(addr) 549 struct sockaddr *addr; 550 { 551 if (addr == NULL) { 552 __ipsec_errcode = EIPSEC_NO_ERROR; 553 return 0; 554 } 555 556 /* tlen has already incremented */ 557 558 memcpy(&pbuf[offset], addr, sysdep_sa_len(addr)); 559 560 offset += sysdep_sa_len(addr); 561 562 __ipsec_errcode = EIPSEC_NO_ERROR; 563 return 0; 564 } 565 566 static void 567 policy_parse_request_init() 568 { 569 p_protocol = IPPROTO_IP; 570 p_mode = IPSEC_MODE_ANY; 571 p_level = IPSEC_LEVEL_DEFAULT; 572 p_reqid = 0; 573 if (p_src != NULL) { 574 free(p_src); 575 p_src = NULL; 576 } 577 if (p_dst != NULL) { 578 free(p_dst); 579 p_dst = NULL; 580 } 581 582 return; 583 } 584 585 static void * 586 policy_parse(msg, msglen) 587 const char *msg; 588 int msglen; 589 { 590 int error; 591 592 pbuf = NULL; 593 tlen = 0; 594 595 /* initialize */ 596 p_dir = IPSEC_DIR_INVALID; 597 p_type = IPSEC_POLICY_DISCARD; 598 policy_parse_request_init(); 599 __policy__strbuffer__init__(msg); 600 601 error = yyparse(); /* it must be set errcode. */ 602 __policy__strbuffer__free__(); 603 604 if (error) { 605 if (pbuf != NULL) 606 free(pbuf); 607 return NULL; 608 } 609 610 /* update total length */ 611 ((struct sadb_x_policy *)pbuf)->sadb_x_policy_len = PFKEY_UNIT64(tlen); 612 613 __ipsec_errcode = EIPSEC_NO_ERROR; 614 615 return pbuf; 616 } 617 618 ipsec_policy_t 619 ipsec_set_policy(msg, msglen) 620 __ipsec_const char *msg; 621 int msglen; 622 { 623 caddr_t policy; 624 625 policy = policy_parse(msg, msglen); 626 if (policy == NULL) { 627 if (__ipsec_errcode == EIPSEC_NO_ERROR) 628 __ipsec_errcode = EIPSEC_INVAL_ARGUMENT; 629 return NULL; 630 } 631 632 __ipsec_errcode = EIPSEC_NO_ERROR; 633 return policy; 634 } 635