| /* $NetBSD: policy_parse.y,v 1.9.6.2 2009/02/16 18:38:26 tteras Exp $ */ |
| |
| /* $KAME: policy_parse.y,v 1.21 2003/12/12 08:01:26 itojun Exp $ */ |
| |
| /* |
| * Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project. |
| * All rights reserved. |
| * |
| * Redistribution and use in source and binary forms, with or without |
| * modification, are permitted provided that the following conditions |
| * are met: |
| * 1. Redistributions of source code must retain the above copyright |
| * notice, this list of conditions and the following disclaimer. |
| * 2. Redistributions in binary form must reproduce the above copyright |
| * notice, this list of conditions and the following disclaimer in the |
| * documentation and/or other materials provided with the distribution. |
| * 3. Neither the name of the project nor the names of its contributors |
| * may be used to endorse or promote products derived from this software |
| * without specific prior written permission. |
| * |
| * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND |
| * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE |
| * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE |
| * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE |
| * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL |
| * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS |
| * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) |
| * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT |
| * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY |
| * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF |
| * SUCH DAMAGE. |
| */ |
| |
| /* |
| * IN/OUT bound policy configuration take place such below: |
| * in <priority> <policy> |
| * out <priority> <policy> |
| * |
| * <priority> is one of the following: |
| * priority <signed int> where the integer is an offset from the default |
| * priority, where negative numbers indicate lower |
| * priority (towards end of list) and positive numbers |
| * indicate higher priority (towards beginning of list) |
| * |
| * priority {low,def,high} {+,-} <unsigned int> where low and high are |
| * constants which are closer |
| * to the end of the list and |
| * beginning of the list, |
| * respectively |
| * |
| * <policy> is one of following: |
| * "discard", "none", "ipsec <requests>", "entrust", "bypass", |
| * |
| * The following requests are accepted as <requests>: |
| * |
| * protocol/mode/src-dst/level |
| * protocol/mode/src-dst parsed as protocol/mode/src-dst/default |
| * protocol/mode/src-dst/ parsed as protocol/mode/src-dst/default |
| * protocol/transport parsed as protocol/mode/any-any/default |
| * protocol/transport//level parsed as protocol/mode/any-any/level |
| * |
| * You can concatenate these requests with either ' '(single space) or '\n'. |
| */ |
| |
| %{ |
| #ifdef HAVE_CONFIG_H |
| #include "config.h" |
| #endif |
| |
| #include <sys/types.h> |
| #include <sys/param.h> |
| #include <sys/socket.h> |
| |
| #include <netinet/in.h> |
| #include PATH_IPSEC_H |
| |
| #include <stdlib.h> |
| #include <stdio.h> |
| #include <string.h> |
| #include <netdb.h> |
| |
| #include <errno.h> |
| |
| #include "config.h" |
| |
| #include "ipsec_strerror.h" |
| #include "libpfkey.h" |
| |
| #ifndef INT32_MAX |
| #define INT32_MAX (0xffffffff) |
| #endif |
| |
| #ifndef INT32_MIN |
| #define INT32_MIN (-INT32_MAX-1) |
| #endif |
| |
| #define ATOX(c) \ |
| (isdigit(c) ? (c - '0') : (isupper(c) ? (c - 'A' + 10) : (c - 'a' + 10) )) |
| |
| static u_int8_t *pbuf = NULL; /* sadb_x_policy buffer */ |
| static int tlen = 0; /* total length of pbuf */ |
| static int offset = 0; /* offset of pbuf */ |
| static int p_dir, p_type, p_protocol, p_mode, p_level, p_reqid; |
| static u_int32_t p_priority = 0; |
| static long p_priority_offset = 0; |
| static struct sockaddr *p_src = NULL; |
| static struct sockaddr *p_dst = NULL; |
| |
| struct _val; |
| extern void yyerror __P((char *msg)); |
| static struct sockaddr *parse_sockaddr __P((struct _val *addrbuf, |
| struct _val *portbuf)); |
| static int rule_check __P((void)); |
| static int init_x_policy __P((void)); |
| static int set_x_request __P((struct sockaddr *, struct sockaddr *)); |
| static int set_sockaddr __P((struct sockaddr *)); |
| static void policy_parse_request_init __P((void)); |
| static void *policy_parse __P((const char *, int)); |
| |
| extern void __policy__strbuffer__init__ __P((const char *)); |
| extern void __policy__strbuffer__free__ __P((void)); |
| extern int yyparse __P((void)); |
| extern int yylex __P((void)); |
| |
| extern char *__libipsectext; /*XXX*/ |
| |
| %} |
| |
| %union { |
| u_int num; |
| u_int32_t num32; |
| struct _val { |
| int len; |
| char *buf; |
| } val; |
| } |
| |
| %token DIR |
| %token PRIORITY PLUS |
| %token <num32> PRIO_BASE |
| %token <val> PRIO_OFFSET |
| %token ACTION PROTOCOL MODE LEVEL LEVEL_SPECIFY IPADDRESS PORT |
| %token ME ANY |
| %token SLASH HYPHEN |
| %type <num> DIR PRIORITY ACTION PROTOCOL MODE LEVEL |
| %type <val> IPADDRESS LEVEL_SPECIFY PORT |
| |
| %% |
| policy_spec |
| : DIR ACTION |
| { |
| p_dir = $1; |
| p_type = $2; |
| |
| #ifdef HAVE_PFKEY_POLICY_PRIORITY |
| p_priority = PRIORITY_DEFAULT; |
| #else |
| p_priority = 0; |
| #endif |
| |
| if (init_x_policy()) |
| return -1; |
| } |
| rules |
| | DIR PRIORITY PRIO_OFFSET ACTION |
| { |
| p_dir = $1; |
| p_type = $4; |
| p_priority_offset = -atol($3.buf); |
| |
| errno = 0; |
| if (errno != 0 || p_priority_offset < INT32_MIN) |
| { |
| __ipsec_errcode = EIPSEC_INVAL_PRIORITY_OFFSET; |
| return -1; |
| } |
| |
| p_priority = PRIORITY_DEFAULT + (u_int32_t) p_priority_offset; |
| |
| if (init_x_policy()) |
| return -1; |
| } |
| rules |
| | DIR PRIORITY HYPHEN PRIO_OFFSET ACTION |
| { |
| p_dir = $1; |
| p_type = $5; |
| |
| errno = 0; |
| p_priority_offset = atol($4.buf); |
| |
| if (errno != 0 || p_priority_offset > INT32_MAX) |
| { |
| __ipsec_errcode = EIPSEC_INVAL_PRIORITY_OFFSET; |
| return -1; |
| } |
| |
| /* negative input value means lower priority, therefore higher |
| actual value so that is closer to the end of the list */ |
| p_priority = PRIORITY_DEFAULT + (u_int32_t) p_priority_offset; |
| |
| if (init_x_policy()) |
| return -1; |
| } |
| rules |
| | DIR PRIORITY PRIO_BASE ACTION |
| { |
| p_dir = $1; |
| p_type = $4; |
| |
| p_priority = $3; |
| |
| if (init_x_policy()) |
| return -1; |
| } |
| rules |
| | DIR PRIORITY PRIO_BASE PLUS PRIO_OFFSET ACTION |
| { |
| p_dir = $1; |
| p_type = $6; |
| |
| errno = 0; |
| p_priority_offset = atol($5.buf); |
| |
| if (errno != 0 || p_priority_offset > PRIORITY_OFFSET_NEGATIVE_MAX) |
| { |
| __ipsec_errcode = EIPSEC_INVAL_PRIORITY_BASE_OFFSET; |
| return -1; |
| } |
| |
| /* adding value means higher priority, therefore lower |
| actual value so that is closer to the beginning of the list */ |
| p_priority = $3 - (u_int32_t) p_priority_offset; |
| |
| if (init_x_policy()) |
| return -1; |
| } |
| rules |
| | DIR PRIORITY PRIO_BASE HYPHEN PRIO_OFFSET ACTION |
| { |
| p_dir = $1; |
| p_type = $6; |
| |
| errno = 0; |
| p_priority_offset = atol($5.buf); |
| |
| if (errno != 0 || p_priority_offset > PRIORITY_OFFSET_POSITIVE_MAX) |
| { |
| __ipsec_errcode = EIPSEC_INVAL_PRIORITY_BASE_OFFSET; |
| return -1; |
| } |
| |
| /* subtracting value means lower priority, therefore higher |
| actual value so that is closer to the end of the list */ |
| p_priority = $3 + (u_int32_t) p_priority_offset; |
| |
| if (init_x_policy()) |
| return -1; |
| } |
| rules |
| | DIR |
| { |
| p_dir = $1; |
| p_type = 0; /* ignored it by kernel */ |
| |
| p_priority = 0; |
| |
| if (init_x_policy()) |
| return -1; |
| } |
| ; |
| |
| rules |
| : /*NOTHING*/ |
| | rules rule { |
| if (rule_check() < 0) |
| return -1; |
| |
| if (set_x_request(p_src, p_dst) < 0) |
| return -1; |
| |
| policy_parse_request_init(); |
| } |
| ; |
| |
| rule |
| : protocol SLASH mode SLASH addresses SLASH level |
| | protocol SLASH mode SLASH addresses SLASH |
| | protocol SLASH mode SLASH addresses |
| | protocol SLASH mode SLASH |
| | protocol SLASH mode SLASH SLASH level |
| | protocol SLASH mode |
| | protocol SLASH { |
| __ipsec_errcode = EIPSEC_FEW_ARGUMENTS; |
| return -1; |
| } |
| | protocol { |
| __ipsec_errcode = EIPSEC_FEW_ARGUMENTS; |
| return -1; |
| } |
| ; |
| |
| protocol |
| : PROTOCOL { p_protocol = $1; } |
| ; |
| |
| mode |
| : MODE { p_mode = $1; } |
| ; |
| |
| level |
| : LEVEL { |
| p_level = $1; |
| p_reqid = 0; |
| } |
| | LEVEL_SPECIFY { |
| p_level = IPSEC_LEVEL_UNIQUE; |
| p_reqid = atol($1.buf); /* atol() is good. */ |
| } |
| ; |
| |
| addresses |
| : IPADDRESS { |
| p_src = parse_sockaddr(&$1, NULL); |
| if (p_src == NULL) |
| return -1; |
| } |
| HYPHEN |
| IPADDRESS { |
| p_dst = parse_sockaddr(&$4, NULL); |
| if (p_dst == NULL) |
| return -1; |
| } |
| | IPADDRESS PORT { |
| p_src = parse_sockaddr(&$1, &$2); |
| if (p_src == NULL) |
| return -1; |
| } |
| HYPHEN |
| IPADDRESS PORT { |
| p_dst = parse_sockaddr(&$5, &$6); |
| if (p_dst == NULL) |
| return -1; |
| } |
| | ME HYPHEN ANY { |
| if (p_dir != IPSEC_DIR_OUTBOUND) { |
| __ipsec_errcode = EIPSEC_INVAL_DIR; |
| return -1; |
| } |
| } |
| | ANY HYPHEN ME { |
| if (p_dir != IPSEC_DIR_INBOUND) { |
| __ipsec_errcode = EIPSEC_INVAL_DIR; |
| return -1; |
| } |
| } |
| /* |
| | ME HYPHEN ME |
| */ |
| ; |
| |
| %% |
| |
| void |
| yyerror(msg) |
| char *msg; |
| { |
| fprintf(stderr, "libipsec: %s while parsing \"%s\"\n", |
| msg, __libipsectext); |
| |
| return; |
| } |
| |
| static struct sockaddr * |
| parse_sockaddr(addrbuf, portbuf) |
| struct _val *addrbuf; |
| struct _val *portbuf; |
| { |
| struct addrinfo hints, *res; |
| char *addr; |
| char *serv = NULL; |
| int error; |
| struct sockaddr *newaddr = NULL; |
| |
| if ((addr = malloc(addrbuf->len + 1)) == NULL) { |
| yyerror("malloc failed"); |
| __ipsec_set_strerror(strerror(errno)); |
| return NULL; |
| } |
| |
| if (portbuf && ((serv = malloc(portbuf->len + 1)) == NULL)) { |
| free(addr); |
| yyerror("malloc failed"); |
| __ipsec_set_strerror(strerror(errno)); |
| return NULL; |
| } |
| |
| strncpy(addr, addrbuf->buf, addrbuf->len); |
| addr[addrbuf->len] = '\0'; |
| |
| if (portbuf) { |
| strncpy(serv, portbuf->buf, portbuf->len); |
| serv[portbuf->len] = '\0'; |
| } |
| |
| memset(&hints, 0, sizeof(hints)); |
| hints.ai_family = PF_UNSPEC; |
| hints.ai_flags = AI_NUMERICHOST; |
| hints.ai_socktype = SOCK_DGRAM; |
| error = getaddrinfo(addr, serv, &hints, &res); |
| free(addr); |
| if (serv != NULL) |
| free(serv); |
| if (error != 0) { |
| yyerror("invalid IP address"); |
| __ipsec_set_strerror(gai_strerror(error)); |
| return NULL; |
| } |
| |
| if (res->ai_addr == NULL) { |
| yyerror("invalid IP address"); |
| __ipsec_set_strerror(gai_strerror(error)); |
| return NULL; |
| } |
| |
| newaddr = malloc(res->ai_addrlen); |
| if (newaddr == NULL) { |
| __ipsec_errcode = EIPSEC_NO_BUFS; |
| freeaddrinfo(res); |
| return NULL; |
| } |
| memcpy(newaddr, res->ai_addr, res->ai_addrlen); |
| |
| freeaddrinfo(res); |
| |
| __ipsec_errcode = EIPSEC_NO_ERROR; |
| return newaddr; |
| } |
| |
| static int |
| rule_check() |
| { |
| if (p_type == IPSEC_POLICY_IPSEC) { |
| if (p_protocol == IPPROTO_IP) { |
| __ipsec_errcode = EIPSEC_NO_PROTO; |
| return -1; |
| } |
| |
| if (p_mode != IPSEC_MODE_TRANSPORT |
| && p_mode != IPSEC_MODE_TUNNEL) { |
| __ipsec_errcode = EIPSEC_INVAL_MODE; |
| return -1; |
| } |
| |
| if (p_src == NULL && p_dst == NULL) { |
| if (p_mode != IPSEC_MODE_TRANSPORT) { |
| __ipsec_errcode = EIPSEC_INVAL_ADDRESS; |
| return -1; |
| } |
| } |
| else if (p_src->sa_family != p_dst->sa_family) { |
| __ipsec_errcode = EIPSEC_FAMILY_MISMATCH; |
| return -1; |
| } |
| } |
| |
| __ipsec_errcode = EIPSEC_NO_ERROR; |
| return 0; |
| } |
| |
| static int |
| init_x_policy() |
| { |
| struct sadb_x_policy *p; |
| |
| if (pbuf) { |
| free(pbuf); |
| tlen = 0; |
| } |
| pbuf = malloc(sizeof(struct sadb_x_policy)); |
| if (pbuf == NULL) { |
| __ipsec_errcode = EIPSEC_NO_BUFS; |
| return -1; |
| } |
| tlen = sizeof(struct sadb_x_policy); |
| |
| memset(pbuf, 0, tlen); |
| p = (struct sadb_x_policy *)pbuf; |
| p->sadb_x_policy_len = 0; /* must update later */ |
| p->sadb_x_policy_exttype = SADB_X_EXT_POLICY; |
| p->sadb_x_policy_type = p_type; |
| p->sadb_x_policy_dir = p_dir; |
| p->sadb_x_policy_id = 0; |
| #ifdef HAVE_PFKEY_POLICY_PRIORITY |
| p->sadb_x_policy_priority = p_priority; |
| #else |
| /* fail if given a priority and libipsec was not compiled with |
| priority support */ |
| if (p_priority != 0) |
| { |
| __ipsec_errcode = EIPSEC_PRIORITY_NOT_COMPILED; |
| return -1; |
| } |
| #endif |
| |
| offset = tlen; |
| |
| __ipsec_errcode = EIPSEC_NO_ERROR; |
| return 0; |
| } |
| |
| static int |
| set_x_request(src, dst) |
| struct sockaddr *src, *dst; |
| { |
| struct sadb_x_ipsecrequest *p; |
| int reqlen; |
| u_int8_t *n; |
| |
| reqlen = sizeof(*p) |
| + (src ? sysdep_sa_len(src) : 0) |
| + (dst ? sysdep_sa_len(dst) : 0); |
| tlen += reqlen; /* increment to total length */ |
| |
| n = realloc(pbuf, tlen); |
| if (n == NULL) { |
| __ipsec_errcode = EIPSEC_NO_BUFS; |
| return -1; |
| } |
| pbuf = n; |
| |
| p = (struct sadb_x_ipsecrequest *)&pbuf[offset]; |
| p->sadb_x_ipsecrequest_len = reqlen; |
| p->sadb_x_ipsecrequest_proto = p_protocol; |
| p->sadb_x_ipsecrequest_mode = p_mode; |
| p->sadb_x_ipsecrequest_level = p_level; |
| p->sadb_x_ipsecrequest_reqid = p_reqid; |
| offset += sizeof(*p); |
| |
| if (set_sockaddr(src) || set_sockaddr(dst)) |
| return -1; |
| |
| __ipsec_errcode = EIPSEC_NO_ERROR; |
| return 0; |
| } |
| |
| static int |
| set_sockaddr(addr) |
| struct sockaddr *addr; |
| { |
| if (addr == NULL) { |
| __ipsec_errcode = EIPSEC_NO_ERROR; |
| return 0; |
| } |
| |
| /* tlen has already incremented */ |
| |
| memcpy(&pbuf[offset], addr, sysdep_sa_len(addr)); |
| |
| offset += sysdep_sa_len(addr); |
| |
| __ipsec_errcode = EIPSEC_NO_ERROR; |
| return 0; |
| } |
| |
| static void |
| policy_parse_request_init() |
| { |
| p_protocol = IPPROTO_IP; |
| p_mode = IPSEC_MODE_ANY; |
| p_level = IPSEC_LEVEL_DEFAULT; |
| p_reqid = 0; |
| if (p_src != NULL) { |
| free(p_src); |
| p_src = NULL; |
| } |
| if (p_dst != NULL) { |
| free(p_dst); |
| p_dst = NULL; |
| } |
| |
| return; |
| } |
| |
| static void * |
| policy_parse(msg, msglen) |
| const char *msg; |
| int msglen; |
| { |
| int error; |
| |
| pbuf = NULL; |
| tlen = 0; |
| |
| /* initialize */ |
| p_dir = IPSEC_DIR_INVALID; |
| p_type = IPSEC_POLICY_DISCARD; |
| policy_parse_request_init(); |
| __policy__strbuffer__init__(msg); |
| |
| error = yyparse(); /* it must be set errcode. */ |
| __policy__strbuffer__free__(); |
| |
| if (error) { |
| if (pbuf != NULL) |
| free(pbuf); |
| return NULL; |
| } |
| |
| /* update total length */ |
| ((struct sadb_x_policy *)pbuf)->sadb_x_policy_len = PFKEY_UNIT64(tlen); |
| |
| __ipsec_errcode = EIPSEC_NO_ERROR; |
| |
| return pbuf; |
| } |
| |
| ipsec_policy_t |
| ipsec_set_policy(msg, msglen) |
| __ipsec_const char *msg; |
| int msglen; |
| { |
| caddr_t policy; |
| |
| policy = policy_parse(msg, msglen); |
| if (policy == NULL) { |
| if (__ipsec_errcode == EIPSEC_NO_ERROR) |
| __ipsec_errcode = EIPSEC_INVAL_ARGUMENT; |
| return NULL; |
| } |
| |
| __ipsec_errcode = EIPSEC_NO_ERROR; |
| return policy; |
| } |
