1 /* $NetBSD: policy_parse.y,v 1.14 2018/05/28 20:45:38 maxv Exp $ */
2
3 /* $KAME: policy_parse.y,v 1.21 2003/12/12 08:01:26 itojun Exp $ */
4
5 /*
6 * Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
7 * All rights reserved.
8 *
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
11 * are met:
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 * 2. Redistributions in binary form must reproduce the above copyright
15 * notice, this list of conditions and the following disclaimer in the
16 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the project nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * SUCH DAMAGE.
32 */
33
34 /*
35 * IN/OUT bound policy configuration take place such below:
36 * in <priority> <policy>
37 * out <priority> <policy>
38 *
39 * <priority> is one of the following:
40 * priority <signed int> where the integer is an offset from the default
41 * priority, where negative numbers indicate lower
42 * priority (towards end of list) and positive numbers
43 * indicate higher priority (towards beginning of list)
44 *
45 * priority {low,def,high} {+,-} <unsigned int> where low and high are
46 * constants which are closer
47 * to the end of the list and
48 * beginning of the list,
49 * respectively
50 *
51 * <policy> is one of following:
52 * "discard", "none", "ipsec <requests>", "entrust", "bypass",
53 *
54 * The following requests are accepted as <requests>:
55 *
56 * protocol/mode/src-dst/level
57 * protocol/mode/src-dst parsed as protocol/mode/src-dst/default
58 * protocol/mode/src-dst/ parsed as protocol/mode/src-dst/default
59 * protocol/transport parsed as protocol/mode/any-any/default
60 * protocol/transport//level parsed as protocol/mode/any-any/level
61 *
62 * You can concatenate these requests with either ' '(single space) or '\n'.
63 */
64
65 %{
66 #ifdef HAVE_CONFIG_H
67 #include "config.h"
68 #endif
69
70 #include <sys/types.h>
71 #include <sys/param.h>
72 #include <sys/socket.h>
73
74 #include <netinet/in.h>
75 #include PATH_IPSEC_H
76
77 #include <stdlib.h>
78 #include <stdio.h>
79 #include <string.h>
80 #include <netdb.h>
81
82 #include <errno.h>
83
84 #include "config.h"
85
86 #include "ipsec_strerror.h"
87 #include "libpfkey.h"
88
89 #ifndef INT32_MAX
90 #define INT32_MAX (0xffffffff)
91 #endif
92
93 #ifndef INT32_MIN
94 #define INT32_MIN (-INT32_MAX-1)
95 #endif
96
97 #define ATOX(c) \
98 (isdigit(c) ? (c - '0') : (isupper(c) ? (c - 'A' + 10) : (c - 'a' + 10) ))
99
100 static u_int8_t *pbuf = NULL; /* sadb_x_policy buffer */
101 static int tlen = 0; /* total length of pbuf */
102 static int offset = 0; /* offset of pbuf */
103 static int p_dir, p_type, p_protocol, p_mode, p_level, p_reqid;
104 static u_int32_t p_priority = 0;
105 static long p_priority_offset = 0;
106 static struct sockaddr *p_src = NULL;
107 static struct sockaddr *p_dst = NULL;
108
109 struct _val;
110 extern void yyerror(const char *msg);
111 static struct sockaddr *parse_sockaddr(struct _val *addrbuf,
112 struct _val *portbuf);
113 static int rule_check(void);
114 static int init_x_policy(void);
115 static int set_x_request(struct sockaddr *, struct sockaddr *);
116 static int set_sockaddr(struct sockaddr *);
117 static void policy_parse_request_init(void);
118 static void *policy_parse(const char *, int);
119
120 extern void __policy__strbuffer__init__(const char *);
121 extern void __policy__strbuffer__free__(void);
122 extern int yyparse(void);
123 extern int yylex(void);
124
125 extern char *__libipsectext; /*XXX*/
126
127 %}
128
129 %union {
130 u_int num;
131 u_int32_t num32;
132 struct _val {
133 int len;
134 char *buf;
135 } val;
136 }
137
138 %token DIR
139 %token PRIORITY PLUS
140 %token <num32> PRIO_BASE
141 %token <val> PRIO_OFFSET
142 %token ACTION PROTOCOL MODE LEVEL LEVEL_SPECIFY IPADDRESS PORT
143 %token ME ANY
144 %token SLASH HYPHEN
145 %type <num> DIR PRIORITY ACTION PROTOCOL MODE LEVEL
146 %type <val> IPADDRESS LEVEL_SPECIFY PORT
147
148 %%
149 policy_spec
150 : DIR ACTION
151 {
152 p_dir = $1;
153 p_type = $2;
154
155 #ifdef HAVE_PFKEY_POLICY_PRIORITY
156 p_priority = PRIORITY_DEFAULT;
157 #else
158 p_priority = 0;
159 #endif
160
161 if (init_x_policy())
162 return -1;
163 }
164 rules
165 | DIR PRIORITY PRIO_OFFSET ACTION
166 {
167 p_dir = $1;
168 p_type = $4;
169 p_priority_offset = -atol($3.buf);
170
171 errno = 0;
172 if (errno != 0 || p_priority_offset < INT32_MIN)
173 {
174 __ipsec_errcode = EIPSEC_INVAL_PRIORITY_OFFSET;
175 return -1;
176 }
177
178 p_priority = PRIORITY_DEFAULT + (u_int32_t) p_priority_offset;
179
180 if (init_x_policy())
181 return -1;
182 }
183 rules
184 | DIR PRIORITY HYPHEN PRIO_OFFSET ACTION
185 {
186 p_dir = $1;
187 p_type = $5;
188
189 errno = 0;
190 p_priority_offset = atol($4.buf);
191
192 if (errno != 0 || p_priority_offset > INT32_MAX)
193 {
194 __ipsec_errcode = EIPSEC_INVAL_PRIORITY_OFFSET;
195 return -1;
196 }
197
198 /* negative input value means lower priority, therefore higher
199 actual value so that is closer to the end of the list */
200 p_priority = PRIORITY_DEFAULT + (u_int32_t) p_priority_offset;
201
202 if (init_x_policy())
203 return -1;
204 }
205 rules
206 | DIR PRIORITY PRIO_BASE ACTION
207 {
208 p_dir = $1;
209 p_type = $4;
210
211 p_priority = $3;
212
213 if (init_x_policy())
214 return -1;
215 }
216 rules
217 | DIR PRIORITY PRIO_BASE PLUS PRIO_OFFSET ACTION
218 {
219 p_dir = $1;
220 p_type = $6;
221
222 errno = 0;
223 p_priority_offset = atol($5.buf);
224
225 if (errno != 0 || p_priority_offset > PRIORITY_OFFSET_NEGATIVE_MAX)
226 {
227 __ipsec_errcode = EIPSEC_INVAL_PRIORITY_BASE_OFFSET;
228 return -1;
229 }
230
231 /* adding value means higher priority, therefore lower
232 actual value so that is closer to the beginning of the list */
233 p_priority = $3 - (u_int32_t) p_priority_offset;
234
235 if (init_x_policy())
236 return -1;
237 }
238 rules
239 | DIR PRIORITY PRIO_BASE HYPHEN PRIO_OFFSET ACTION
240 {
241 p_dir = $1;
242 p_type = $6;
243
244 errno = 0;
245 p_priority_offset = atol($5.buf);
246
247 if (errno != 0 || p_priority_offset > PRIORITY_OFFSET_POSITIVE_MAX)
248 {
249 __ipsec_errcode = EIPSEC_INVAL_PRIORITY_BASE_OFFSET;
250 return -1;
251 }
252
253 /* subtracting value means lower priority, therefore higher
254 actual value so that is closer to the end of the list */
255 p_priority = $3 + (u_int32_t) p_priority_offset;
256
257 if (init_x_policy())
258 return -1;
259 }
260 rules
261 | DIR
262 {
263 p_dir = $1;
264 p_type = 0; /* ignored it by kernel */
265
266 p_priority = 0;
267
268 if (init_x_policy())
269 return -1;
270 }
271 ;
272
273 rules
274 : /*NOTHING*/
275 | rules rule {
276 if (rule_check() < 0)
277 return -1;
278
279 if (set_x_request(p_src, p_dst) < 0)
280 return -1;
281
282 policy_parse_request_init();
283 }
284 ;
285
286 rule
287 : protocol SLASH mode SLASH addresses SLASH level
288 | protocol SLASH mode SLASH addresses SLASH
289 | protocol SLASH mode SLASH addresses
290 | protocol SLASH mode SLASH
291 | protocol SLASH mode SLASH SLASH level
292 | protocol SLASH mode
293 | protocol SLASH {
294 __ipsec_errcode = EIPSEC_FEW_ARGUMENTS;
295 return -1;
296 }
297 | protocol {
298 __ipsec_errcode = EIPSEC_FEW_ARGUMENTS;
299 return -1;
300 }
301 ;
302
303 protocol
304 : PROTOCOL { p_protocol = $1; }
305 ;
306
307 mode
308 : MODE { p_mode = $1; }
309 ;
310
311 level
312 : LEVEL {
313 p_level = $1;
314 p_reqid = 0;
315 }
316 | LEVEL_SPECIFY {
317 p_level = IPSEC_LEVEL_UNIQUE;
318 p_reqid = atol($1.buf); /* atol() is good. */
319 }
320 ;
321
322 addresses
323 : IPADDRESS {
324 p_src = parse_sockaddr(&$1, NULL);
325 if (p_src == NULL)
326 return -1;
327 }
328 HYPHEN
329 IPADDRESS {
330 p_dst = parse_sockaddr(&$4, NULL);
331 if (p_dst == NULL)
332 return -1;
333 }
334 | IPADDRESS PORT {
335 p_src = parse_sockaddr(&$1, &$2);
336 if (p_src == NULL)
337 return -1;
338 }
339 HYPHEN
340 IPADDRESS PORT {
341 p_dst = parse_sockaddr(&$5, &$6);
342 if (p_dst == NULL)
343 return -1;
344 }
345 | ME HYPHEN ANY {
346 if (p_dir != IPSEC_DIR_OUTBOUND) {
347 __ipsec_errcode = EIPSEC_INVAL_DIR;
348 return -1;
349 }
350 }
351 | ANY HYPHEN ME {
352 if (p_dir != IPSEC_DIR_INBOUND) {
353 __ipsec_errcode = EIPSEC_INVAL_DIR;
354 return -1;
355 }
356 }
357 /*
358 | ME HYPHEN ME
359 */
360 ;
361
362 %%
363
364 void
365 yyerror(const char *msg)
366 {
367 fprintf(stderr, "libipsec: %s while parsing \"%s\"\n",
368 msg, __libipsectext);
369
370 return;
371 }
372
373 static struct sockaddr *
parse_sockaddr(struct _val * addrbuf,struct _val * portbuf)374 parse_sockaddr(struct _val *addrbuf, struct _val *portbuf)
375 {
376 struct addrinfo hints, *res;
377 char *addr;
378 char *serv = NULL;
379 int error;
380 struct sockaddr *newaddr = NULL;
381
382 if ((addr = malloc(addrbuf->len + 1)) == NULL) {
383 yyerror("malloc failed");
384 __ipsec_set_strerror(strerror(errno));
385 return NULL;
386 }
387
388 if (portbuf && ((serv = malloc(portbuf->len + 1)) == NULL)) {
389 free(addr);
390 yyerror("malloc failed");
391 __ipsec_set_strerror(strerror(errno));
392 return NULL;
393 }
394
395 strncpy(addr, addrbuf->buf, addrbuf->len);
396 addr[addrbuf->len] = '\0';
397
398 if (portbuf) {
399 strncpy(serv, portbuf->buf, portbuf->len);
400 serv[portbuf->len] = '\0';
401 }
402
403 memset(&hints, 0, sizeof(hints));
404 hints.ai_family = PF_UNSPEC;
405 hints.ai_flags = AI_NUMERICHOST;
406 hints.ai_socktype = SOCK_DGRAM;
407 error = getaddrinfo(addr, serv, &hints, &res);
408 free(addr);
409 if (serv != NULL)
410 free(serv);
411 if (error != 0) {
412 yyerror("invalid IP address");
413 __ipsec_set_strerror(gai_strerror(error));
414 return NULL;
415 }
416
417 if (res->ai_addr == NULL) {
418 yyerror("invalid IP address");
419 __ipsec_set_strerror(gai_strerror(error));
420 return NULL;
421 }
422
423 newaddr = malloc(res->ai_addrlen);
424 if (newaddr == NULL) {
425 __ipsec_errcode = EIPSEC_NO_BUFS;
426 freeaddrinfo(res);
427 return NULL;
428 }
429 memcpy(newaddr, res->ai_addr, res->ai_addrlen);
430
431 freeaddrinfo(res);
432
433 __ipsec_errcode = EIPSEC_NO_ERROR;
434 return newaddr;
435 }
436
437 static int
rule_check(void)438 rule_check(void)
439 {
440 if (p_type == IPSEC_POLICY_IPSEC) {
441 if (p_protocol == IPPROTO_IP) {
442 __ipsec_errcode = EIPSEC_NO_PROTO;
443 return -1;
444 }
445
446 if (p_mode != IPSEC_MODE_TRANSPORT
447 && p_mode != IPSEC_MODE_TUNNEL) {
448 __ipsec_errcode = EIPSEC_INVAL_MODE;
449 return -1;
450 }
451
452 if (p_src == NULL && p_dst == NULL) {
453 if (p_mode != IPSEC_MODE_TRANSPORT) {
454 __ipsec_errcode = EIPSEC_INVAL_ADDRESS;
455 return -1;
456 }
457 }
458 else if (p_src->sa_family != p_dst->sa_family) {
459 __ipsec_errcode = EIPSEC_FAMILY_MISMATCH;
460 return -1;
461 }
462 }
463
464 __ipsec_errcode = EIPSEC_NO_ERROR;
465 return 0;
466 }
467
468 static int
init_x_policy(void)469 init_x_policy(void)
470 {
471 struct sadb_x_policy *p;
472
473 if (pbuf) {
474 free(pbuf);
475 tlen = 0;
476 }
477 pbuf = malloc(sizeof(struct sadb_x_policy));
478 if (pbuf == NULL) {
479 __ipsec_errcode = EIPSEC_NO_BUFS;
480 return -1;
481 }
482 tlen = sizeof(struct sadb_x_policy);
483
484 memset(pbuf, 0, tlen);
485 p = (struct sadb_x_policy *)pbuf;
486 p->sadb_x_policy_len = 0; /* must update later */
487 p->sadb_x_policy_exttype = SADB_X_EXT_POLICY;
488 p->sadb_x_policy_type = p_type;
489 p->sadb_x_policy_dir = p_dir;
490 p->sadb_x_policy_id = 0;
491 #ifdef HAVE_PFKEY_POLICY_PRIORITY
492 p->sadb_x_policy_priority = p_priority;
493 #else
494 /* fail if given a priority and libipsec was not compiled with
495 priority support */
496 if (p_priority != 0)
497 {
498 __ipsec_errcode = EIPSEC_PRIORITY_NOT_COMPILED;
499 return -1;
500 }
501 #endif
502
503 offset = tlen;
504
505 __ipsec_errcode = EIPSEC_NO_ERROR;
506 return 0;
507 }
508
509 static int
set_x_request(struct sockaddr * src,struct sockaddr * dst)510 set_x_request(struct sockaddr *src, struct sockaddr *dst)
511 {
512 struct sadb_x_ipsecrequest *p;
513 int reqlen;
514 u_int8_t *n;
515
516 reqlen = sizeof(*p)
517 + (src ? sysdep_sa_len(src) : 0)
518 + (dst ? sysdep_sa_len(dst) : 0);
519 tlen += reqlen; /* increment to total length */
520
521 n = realloc(pbuf, tlen);
522 if (n == NULL) {
523 __ipsec_errcode = EIPSEC_NO_BUFS;
524 return -1;
525 }
526 pbuf = n;
527
528 p = (struct sadb_x_ipsecrequest *)&pbuf[offset];
529 p->sadb_x_ipsecrequest_len = reqlen;
530 p->sadb_x_ipsecrequest_proto = p_protocol;
531 p->sadb_x_ipsecrequest_mode = p_mode;
532 p->sadb_x_ipsecrequest_level = p_level;
533 p->sadb_x_ipsecrequest_reqid = p_reqid;
534 offset += sizeof(*p);
535
536 if (set_sockaddr(src) || set_sockaddr(dst))
537 return -1;
538
539 __ipsec_errcode = EIPSEC_NO_ERROR;
540 return 0;
541 }
542
543 static int
set_sockaddr(struct sockaddr * addr)544 set_sockaddr(struct sockaddr *addr)
545 {
546 if (addr == NULL) {
547 __ipsec_errcode = EIPSEC_NO_ERROR;
548 return 0;
549 }
550
551 /* tlen has already incremented */
552
553 memcpy(&pbuf[offset], addr, sysdep_sa_len(addr));
554
555 offset += sysdep_sa_len(addr);
556
557 __ipsec_errcode = EIPSEC_NO_ERROR;
558 return 0;
559 }
560
561 static void
policy_parse_request_init(void)562 policy_parse_request_init(void)
563 {
564 p_protocol = IPPROTO_IP;
565 p_mode = IPSEC_MODE_ANY;
566 p_level = IPSEC_LEVEL_DEFAULT;
567 p_reqid = 0;
568 if (p_src != NULL) {
569 free(p_src);
570 p_src = NULL;
571 }
572 if (p_dst != NULL) {
573 free(p_dst);
574 p_dst = NULL;
575 }
576
577 return;
578 }
579
580 static void *
policy_parse(const char * msg,int msglen)581 policy_parse(const char *msg, int msglen)
582 {
583 int error;
584
585 pbuf = NULL;
586 tlen = 0;
587
588 /* initialize */
589 p_dir = IPSEC_DIR_INVALID;
590 p_type = IPSEC_POLICY_DISCARD;
591 policy_parse_request_init();
592 __policy__strbuffer__init__(msg);
593
594 error = yyparse(); /* it must be set errcode. */
595 __policy__strbuffer__free__();
596
597 if (error) {
598 if (pbuf != NULL)
599 free(pbuf);
600 return NULL;
601 }
602
603 /* update total length */
604 ((struct sadb_x_policy *)pbuf)->sadb_x_policy_len = PFKEY_UNIT64(tlen);
605
606 __ipsec_errcode = EIPSEC_NO_ERROR;
607
608 return pbuf;
609 }
610
611 ipsec_policy_t
ipsec_set_policy(__ipsec_const char * msg,int msglen)612 ipsec_set_policy(__ipsec_const char *msg, int msglen)
613 {
614 caddr_t policy;
615
616 policy = policy_parse(msg, msglen);
617 if (policy == NULL) {
618 if (__ipsec_errcode == EIPSEC_NO_ERROR)
619 __ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
620 return NULL;
621 }
622
623 __ipsec_errcode = EIPSEC_NO_ERROR;
624 return policy;
625 }
626