1 /*	$NetBSD: policy_parse.y,v 1.9.6.2 2009/02/16 18:38:26 tteras Exp $	*/
2 
3 /*	$KAME: policy_parse.y,v 1.21 2003/12/12 08:01:26 itojun Exp $	*/
4 
5 /*
6  * Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
7  * All rights reserved.
8  *
9  * Redistribution and use in source and binary forms, with or without
10  * modification, are permitted provided that the following conditions
11  * are met:
12  * 1. Redistributions of source code must retain the above copyright
13  *    notice, this list of conditions and the following disclaimer.
14  * 2. Redistributions in binary form must reproduce the above copyright
15  *    notice, this list of conditions and the following disclaimer in the
16  *    documentation and/or other materials provided with the distribution.
17  * 3. Neither the name of the project nor the names of its contributors
18  *    may be used to endorse or promote products derived from this software
19  *    without specific prior written permission.
20  *
21  * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
22  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24  * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
25  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31  * SUCH DAMAGE.
32  */
33 
34 /*
35  * IN/OUT bound policy configuration take place such below:
36  *	in <priority> <policy>
37  *	out <priority> <policy>
38  *
39  * <priority> is one of the following:
40  * priority <signed int> where the integer is an offset from the default
41  *                       priority, where negative numbers indicate lower
42  *                       priority (towards end of list) and positive numbers
43  *                       indicate higher priority (towards beginning of list)
44  *
45  * priority {low,def,high} {+,-} <unsigned int>  where low and high are
46  *                                               constants which are closer
47  *                                               to the end of the list and
48  *                                               beginning of the list,
49  *                                               respectively
50  *
51  * <policy> is one of following:
52  *	"discard", "none", "ipsec <requests>", "entrust", "bypass",
53  *
54  * The following requests are accepted as <requests>:
55  *
56  *	protocol/mode/src-dst/level
57  *	protocol/mode/src-dst		parsed as protocol/mode/src-dst/default
58  *	protocol/mode/src-dst/		parsed as protocol/mode/src-dst/default
59  *	protocol/transport		parsed as protocol/mode/any-any/default
60  *	protocol/transport//level	parsed as protocol/mode/any-any/level
61  *
62  * You can concatenate these requests with either ' '(single space) or '\n'.
63  */
64 
65 %{
66 #ifdef HAVE_CONFIG_H
67 #include "config.h"
68 #endif
69 
70 #include <sys/types.h>
71 #include <sys/param.h>
72 #include <sys/socket.h>
73 
74 #include <netinet/in.h>
75 #include PATH_IPSEC_H
76 
77 #include <stdlib.h>
78 #include <stdio.h>
79 #include <string.h>
80 #include <netdb.h>
81 
82 #include <errno.h>
83 
84 #include "config.h"
85 
86 #include "ipsec_strerror.h"
87 #include "libpfkey.h"
88 
89 #ifndef INT32_MAX
90 #define INT32_MAX	(0xffffffff)
91 #endif
92 
93 #ifndef INT32_MIN
94 #define INT32_MIN	(-INT32_MAX-1)
95 #endif
96 
97 #define ATOX(c) \
98   (isdigit(c) ? (c - '0') : (isupper(c) ? (c - 'A' + 10) : (c - 'a' + 10) ))
99 
100 static u_int8_t *pbuf = NULL;		/* sadb_x_policy buffer */
101 static int tlen = 0;			/* total length of pbuf */
102 static int offset = 0;			/* offset of pbuf */
103 static int p_dir, p_type, p_protocol, p_mode, p_level, p_reqid;
104 static u_int32_t p_priority = 0;
105 static long p_priority_offset = 0;
106 static struct sockaddr *p_src = NULL;
107 static struct sockaddr *p_dst = NULL;
108 
109 struct _val;
110 extern void yyerror __P((char *msg));
111 static struct sockaddr *parse_sockaddr __P((struct _val *addrbuf,
112     struct _val *portbuf));
113 static int rule_check __P((void));
114 static int init_x_policy __P((void));
115 static int set_x_request __P((struct sockaddr *, struct sockaddr *));
116 static int set_sockaddr __P((struct sockaddr *));
117 static void policy_parse_request_init __P((void));
118 static void *policy_parse __P((const char *, int));
119 
120 extern void __policy__strbuffer__init__ __P((const char *));
121 extern void __policy__strbuffer__free__ __P((void));
122 extern int yyparse __P((void));
123 extern int yylex __P((void));
124 
125 extern char *__libipsectext;	/*XXX*/
126 
127 %}
128 
129 %union {
130 	u_int num;
131 	u_int32_t num32;
132 	struct _val {
133 		int len;
134 		char *buf;
135 	} val;
136 }
137 
138 %token DIR
139 %token PRIORITY PLUS
140 %token <num32> PRIO_BASE
141 %token <val> PRIO_OFFSET
142 %token ACTION PROTOCOL MODE LEVEL LEVEL_SPECIFY IPADDRESS PORT
143 %token ME ANY
144 %token SLASH HYPHEN
145 %type <num> DIR PRIORITY ACTION PROTOCOL MODE LEVEL
146 %type <val> IPADDRESS LEVEL_SPECIFY PORT
147 
148 %%
149 policy_spec
150 	:	DIR ACTION
151 		{
152 			p_dir = $1;
153 			p_type = $2;
154 
155 #ifdef HAVE_PFKEY_POLICY_PRIORITY
156 			p_priority = PRIORITY_DEFAULT;
157 #else
158 			p_priority = 0;
159 #endif
160 
161 			if (init_x_policy())
162 				return -1;
163 		}
164 		rules
165 	|	DIR PRIORITY PRIO_OFFSET ACTION
166 		{
167 			p_dir = $1;
168 			p_type = $4;
169 			p_priority_offset = -atol($3.buf);
170 
171 			errno = 0;
172 			if (errno != 0 || p_priority_offset < INT32_MIN)
173 			{
174 				__ipsec_errcode = EIPSEC_INVAL_PRIORITY_OFFSET;
175 				return -1;
176 			}
177 
178 			p_priority = PRIORITY_DEFAULT + (u_int32_t) p_priority_offset;
179 
180 			if (init_x_policy())
181 				return -1;
182 		}
183 		rules
184 	|	DIR PRIORITY HYPHEN PRIO_OFFSET ACTION
185 		{
186 			p_dir = $1;
187 			p_type = $5;
188 
189 			errno = 0;
190 			p_priority_offset = atol($4.buf);
191 
192 			if (errno != 0 || p_priority_offset > INT32_MAX)
193 			{
194 				__ipsec_errcode = EIPSEC_INVAL_PRIORITY_OFFSET;
195 				return -1;
196 			}
197 
198 			/* negative input value means lower priority, therefore higher
199 			   actual value so that is closer to the end of the list */
200 			p_priority = PRIORITY_DEFAULT + (u_int32_t) p_priority_offset;
201 
202 			if (init_x_policy())
203 				return -1;
204 		}
205 		rules
206 	|	DIR PRIORITY PRIO_BASE ACTION
207 		{
208 			p_dir = $1;
209 			p_type = $4;
210 
211 			p_priority = $3;
212 
213 			if (init_x_policy())
214 				return -1;
215 		}
216 		rules
217 	|	DIR PRIORITY PRIO_BASE PLUS PRIO_OFFSET ACTION
218 		{
219 			p_dir = $1;
220 			p_type = $6;
221 
222 			errno = 0;
223 			p_priority_offset = atol($5.buf);
224 
225 			if (errno != 0 || p_priority_offset > PRIORITY_OFFSET_NEGATIVE_MAX)
226 			{
227 				__ipsec_errcode = EIPSEC_INVAL_PRIORITY_BASE_OFFSET;
228 				return -1;
229 			}
230 
231 			/* adding value means higher priority, therefore lower
232 			   actual value so that is closer to the beginning of the list */
233 			p_priority = $3 - (u_int32_t) p_priority_offset;
234 
235 			if (init_x_policy())
236 				return -1;
237 		}
238 		rules
239 	|	DIR PRIORITY PRIO_BASE HYPHEN PRIO_OFFSET ACTION
240 		{
241 			p_dir = $1;
242 			p_type = $6;
243 
244 			errno = 0;
245 			p_priority_offset = atol($5.buf);
246 
247 			if (errno != 0 || p_priority_offset > PRIORITY_OFFSET_POSITIVE_MAX)
248 			{
249 				__ipsec_errcode = EIPSEC_INVAL_PRIORITY_BASE_OFFSET;
250 				return -1;
251 			}
252 
253 			/* subtracting value means lower priority, therefore higher
254 			   actual value so that is closer to the end of the list */
255 			p_priority = $3 + (u_int32_t) p_priority_offset;
256 
257 			if (init_x_policy())
258 				return -1;
259 		}
260 		rules
261 	|	DIR
262 		{
263 			p_dir = $1;
264 			p_type = 0;	/* ignored it by kernel */
265 
266 			p_priority = 0;
267 
268 			if (init_x_policy())
269 				return -1;
270 		}
271 	;
272 
273 rules
274 	:	/*NOTHING*/
275 	|	rules rule {
276 			if (rule_check() < 0)
277 				return -1;
278 
279 			if (set_x_request(p_src, p_dst) < 0)
280 				return -1;
281 
282 			policy_parse_request_init();
283 		}
284 	;
285 
286 rule
287 	:	protocol SLASH mode SLASH addresses SLASH level
288 	|	protocol SLASH mode SLASH addresses SLASH
289 	|	protocol SLASH mode SLASH addresses
290 	|	protocol SLASH mode SLASH
291 	|	protocol SLASH mode SLASH SLASH level
292 	|	protocol SLASH mode
293 	|	protocol SLASH {
294 			__ipsec_errcode = EIPSEC_FEW_ARGUMENTS;
295 			return -1;
296 		}
297 	|	protocol {
298 			__ipsec_errcode = EIPSEC_FEW_ARGUMENTS;
299 			return -1;
300 		}
301 	;
302 
303 protocol
304 	:	PROTOCOL { p_protocol = $1; }
305 	;
306 
307 mode
308 	:	MODE { p_mode = $1; }
309 	;
310 
311 level
312 	:	LEVEL {
313 			p_level = $1;
314 			p_reqid = 0;
315 		}
316 	|	LEVEL_SPECIFY {
317 			p_level = IPSEC_LEVEL_UNIQUE;
318 			p_reqid = atol($1.buf);	/* atol() is good. */
319 		}
320 	;
321 
322 addresses
323 	:	IPADDRESS {
324 			p_src = parse_sockaddr(&$1, NULL);
325 			if (p_src == NULL)
326 				return -1;
327 		}
328 		HYPHEN
329 		IPADDRESS {
330 			p_dst = parse_sockaddr(&$4, NULL);
331 			if (p_dst == NULL)
332 				return -1;
333 		}
334 	|	IPADDRESS PORT {
335 			p_src = parse_sockaddr(&$1, &$2);
336 			if (p_src == NULL)
337 				return -1;
338 		}
339 		HYPHEN
340 		IPADDRESS PORT {
341 			p_dst = parse_sockaddr(&$5, &$6);
342 			if (p_dst == NULL)
343 				return -1;
344 		}
345 	|	ME HYPHEN ANY {
346 			if (p_dir != IPSEC_DIR_OUTBOUND) {
347 				__ipsec_errcode = EIPSEC_INVAL_DIR;
348 				return -1;
349 			}
350 		}
351 	|	ANY HYPHEN ME {
352 			if (p_dir != IPSEC_DIR_INBOUND) {
353 				__ipsec_errcode = EIPSEC_INVAL_DIR;
354 				return -1;
355 			}
356 		}
357 		/*
358 	|	ME HYPHEN ME
359 		*/
360 	;
361 
362 %%
363 
364 void
yyerror(msg)365 yyerror(msg)
366 	char *msg;
367 {
368 	fprintf(stderr, "libipsec: %s while parsing \"%s\"\n",
369 		msg, __libipsectext);
370 
371 	return;
372 }
373 
374 static struct sockaddr *
parse_sockaddr(addrbuf,portbuf)375 parse_sockaddr(addrbuf, portbuf)
376 	struct _val *addrbuf;
377 	struct _val *portbuf;
378 {
379 	struct addrinfo hints, *res;
380 	char *addr;
381 	char *serv = NULL;
382 	int error;
383 	struct sockaddr *newaddr = NULL;
384 
385 	if ((addr = malloc(addrbuf->len + 1)) == NULL) {
386 		yyerror("malloc failed");
387 		__ipsec_set_strerror(strerror(errno));
388 		return NULL;
389 	}
390 
391 	if (portbuf && ((serv = malloc(portbuf->len + 1)) == NULL)) {
392 		free(addr);
393 		yyerror("malloc failed");
394 		__ipsec_set_strerror(strerror(errno));
395 		return NULL;
396 	}
397 
398 	strncpy(addr, addrbuf->buf, addrbuf->len);
399 	addr[addrbuf->len] = '\0';
400 
401 	if (portbuf) {
402 		strncpy(serv, portbuf->buf, portbuf->len);
403 		serv[portbuf->len] = '\0';
404 	}
405 
406 	memset(&hints, 0, sizeof(hints));
407 	hints.ai_family = PF_UNSPEC;
408 	hints.ai_flags = AI_NUMERICHOST;
409 	hints.ai_socktype = SOCK_DGRAM;
410 	error = getaddrinfo(addr, serv, &hints, &res);
411 	free(addr);
412 	if (serv != NULL)
413 		free(serv);
414 	if (error != 0) {
415 		yyerror("invalid IP address");
416 		__ipsec_set_strerror(gai_strerror(error));
417 		return NULL;
418 	}
419 
420 	if (res->ai_addr == NULL) {
421 		yyerror("invalid IP address");
422 		__ipsec_set_strerror(gai_strerror(error));
423 		return NULL;
424 	}
425 
426 	newaddr = malloc(res->ai_addrlen);
427 	if (newaddr == NULL) {
428 		__ipsec_errcode = EIPSEC_NO_BUFS;
429 		freeaddrinfo(res);
430 		return NULL;
431 	}
432 	memcpy(newaddr, res->ai_addr, res->ai_addrlen);
433 
434 	freeaddrinfo(res);
435 
436 	__ipsec_errcode = EIPSEC_NO_ERROR;
437 	return newaddr;
438 }
439 
440 static int
rule_check()441 rule_check()
442 {
443 	if (p_type == IPSEC_POLICY_IPSEC) {
444 		if (p_protocol == IPPROTO_IP) {
445 			__ipsec_errcode = EIPSEC_NO_PROTO;
446 			return -1;
447 		}
448 
449 		if (p_mode != IPSEC_MODE_TRANSPORT
450 		 && p_mode != IPSEC_MODE_TUNNEL) {
451 			__ipsec_errcode = EIPSEC_INVAL_MODE;
452 			return -1;
453 		}
454 
455 		if (p_src == NULL && p_dst == NULL) {
456 			 if (p_mode != IPSEC_MODE_TRANSPORT) {
457 				__ipsec_errcode = EIPSEC_INVAL_ADDRESS;
458 				return -1;
459 			}
460 		}
461 		else if (p_src->sa_family != p_dst->sa_family) {
462 			__ipsec_errcode = EIPSEC_FAMILY_MISMATCH;
463 			return -1;
464 		}
465 	}
466 
467 	__ipsec_errcode = EIPSEC_NO_ERROR;
468 	return 0;
469 }
470 
471 static int
init_x_policy()472 init_x_policy()
473 {
474 	struct sadb_x_policy *p;
475 
476 	if (pbuf) {
477 		free(pbuf);
478 		tlen = 0;
479 	}
480 	pbuf = malloc(sizeof(struct sadb_x_policy));
481 	if (pbuf == NULL) {
482 		__ipsec_errcode = EIPSEC_NO_BUFS;
483 		return -1;
484 	}
485 	tlen = sizeof(struct sadb_x_policy);
486 
487 	memset(pbuf, 0, tlen);
488 	p = (struct sadb_x_policy *)pbuf;
489 	p->sadb_x_policy_len = 0;	/* must update later */
490 	p->sadb_x_policy_exttype = SADB_X_EXT_POLICY;
491 	p->sadb_x_policy_type = p_type;
492 	p->sadb_x_policy_dir = p_dir;
493 	p->sadb_x_policy_id = 0;
494 #ifdef HAVE_PFKEY_POLICY_PRIORITY
495 	p->sadb_x_policy_priority = p_priority;
496 #else
497     /* fail if given a priority and libipsec was not compiled with
498 	   priority support */
499 	if (p_priority != 0)
500 	{
501 		__ipsec_errcode = EIPSEC_PRIORITY_NOT_COMPILED;
502 		return -1;
503 	}
504 #endif
505 
506 	offset = tlen;
507 
508 	__ipsec_errcode = EIPSEC_NO_ERROR;
509 	return 0;
510 }
511 
512 static int
set_x_request(src,dst)513 set_x_request(src, dst)
514 	struct sockaddr *src, *dst;
515 {
516 	struct sadb_x_ipsecrequest *p;
517 	int reqlen;
518 	u_int8_t *n;
519 
520 	reqlen = sizeof(*p)
521 		+ (src ? sysdep_sa_len(src) : 0)
522 		+ (dst ? sysdep_sa_len(dst) : 0);
523 	tlen += reqlen;		/* increment to total length */
524 
525 	n = realloc(pbuf, tlen);
526 	if (n == NULL) {
527 		__ipsec_errcode = EIPSEC_NO_BUFS;
528 		return -1;
529 	}
530 	pbuf = n;
531 
532 	p = (struct sadb_x_ipsecrequest *)&pbuf[offset];
533 	p->sadb_x_ipsecrequest_len = reqlen;
534 	p->sadb_x_ipsecrequest_proto = p_protocol;
535 	p->sadb_x_ipsecrequest_mode = p_mode;
536 	p->sadb_x_ipsecrequest_level = p_level;
537 	p->sadb_x_ipsecrequest_reqid = p_reqid;
538 	offset += sizeof(*p);
539 
540 	if (set_sockaddr(src) || set_sockaddr(dst))
541 		return -1;
542 
543 	__ipsec_errcode = EIPSEC_NO_ERROR;
544 	return 0;
545 }
546 
547 static int
set_sockaddr(addr)548 set_sockaddr(addr)
549 	struct sockaddr *addr;
550 {
551 	if (addr == NULL) {
552 		__ipsec_errcode = EIPSEC_NO_ERROR;
553 		return 0;
554 	}
555 
556 	/* tlen has already incremented */
557 
558 	memcpy(&pbuf[offset], addr, sysdep_sa_len(addr));
559 
560 	offset += sysdep_sa_len(addr);
561 
562 	__ipsec_errcode = EIPSEC_NO_ERROR;
563 	return 0;
564 }
565 
566 static void
policy_parse_request_init()567 policy_parse_request_init()
568 {
569 	p_protocol = IPPROTO_IP;
570 	p_mode = IPSEC_MODE_ANY;
571 	p_level = IPSEC_LEVEL_DEFAULT;
572 	p_reqid = 0;
573 	if (p_src != NULL) {
574 		free(p_src);
575 		p_src = NULL;
576 	}
577 	if (p_dst != NULL) {
578 		free(p_dst);
579 		p_dst = NULL;
580 	}
581 
582 	return;
583 }
584 
585 static void *
policy_parse(msg,msglen)586 policy_parse(msg, msglen)
587 	const char *msg;
588 	int msglen;
589 {
590 	int error;
591 
592 	pbuf = NULL;
593 	tlen = 0;
594 
595 	/* initialize */
596 	p_dir = IPSEC_DIR_INVALID;
597 	p_type = IPSEC_POLICY_DISCARD;
598 	policy_parse_request_init();
599 	__policy__strbuffer__init__(msg);
600 
601 	error = yyparse();	/* it must be set errcode. */
602 	__policy__strbuffer__free__();
603 
604 	if (error) {
605 		if (pbuf != NULL)
606 			free(pbuf);
607 		return NULL;
608 	}
609 
610 	/* update total length */
611 	((struct sadb_x_policy *)pbuf)->sadb_x_policy_len = PFKEY_UNIT64(tlen);
612 
613 	__ipsec_errcode = EIPSEC_NO_ERROR;
614 
615 	return pbuf;
616 }
617 
618 ipsec_policy_t
ipsec_set_policy(msg,msglen)619 ipsec_set_policy(msg, msglen)
620 	__ipsec_const char *msg;
621 	int msglen;
622 {
623 	caddr_t policy;
624 
625 	policy = policy_parse(msg, msglen);
626 	if (policy == NULL) {
627 		if (__ipsec_errcode == EIPSEC_NO_ERROR)
628 			__ipsec_errcode = EIPSEC_INVAL_ARGUMENT;
629 		return NULL;
630 	}
631 
632 	__ipsec_errcode = EIPSEC_NO_ERROR;
633 	return policy;
634 }
635