aboutsummaryrefslogtreecommitdiffstats
path: root/sys/netinet/ip_auth.c
diff options
context:
space:
mode:
Diffstat (limited to 'sys/netinet/ip_auth.c')
-rw-r--r--sys/netinet/ip_auth.c494
1 files changed, 494 insertions, 0 deletions
diff --git a/sys/netinet/ip_auth.c b/sys/netinet/ip_auth.c
new file mode 100644
index 000000000000..2640a77245cc
--- /dev/null
+++ b/sys/netinet/ip_auth.c
@@ -0,0 +1,494 @@
+/*
+ * Copyright (C) 1997 by Darren Reed & Guido van Rooij.
+ *
+ * Redistribution and use in source and binary forms are permitted
+ * provided that this notice is preserved and due credit is given
+ * to the original author and the contributors.
+ */
+#if !defined(lint)
+static const char rcsid[] = "@(#)$Id: ip_auth.c,v 2.0.2.21.2.2 1997/11/12 10:45:51 darrenr Exp $";
+#endif
+
+#if !defined(_KERNEL) && !defined(KERNEL)
+# include <stdlib.h>
+# include <string.h>
+#endif
+#include <sys/errno.h>
+#include <sys/types.h>
+#include <sys/param.h>
+#include <sys/time.h>
+#include <sys/file.h>
+#if defined(KERNEL) && (__FreeBSD_version >= 220000)
+# include <sys/filio.h>
+# include <sys/fcntl.h>
+#else
+# include <sys/ioctl.h>
+#endif
+#include <sys/uio.h>
+#ifndef linux
+# include <sys/protosw.h>
+#endif
+#include <sys/socket.h>
+#if defined(_KERNEL) && !defined(linux)
+# include <sys/systm.h>
+#endif
+#if !defined(__SVR4) && !defined(__svr4__)
+# ifndef linux
+# include <sys/mbuf.h>
+# endif
+#else
+# include <sys/filio.h>
+# include <sys/byteorder.h>
+# include <sys/dditypes.h>
+# include <sys/stream.h>
+# include <sys/kmem.h>
+#endif
+#if defined(__NetBSD__) || defined(__OpenBSD__) || defined(bsdi)
+# include <machine/cpu.h>
+#endif
+#include <net/if.h>
+#ifdef sun
+#include <net/af.h>
+#endif
+#include <net/route.h>
+#include <netinet/in.h>
+#include <netinet/in_systm.h>
+#include <netinet/ip.h>
+#ifndef KERNEL
+#define KERNEL
+#define NOT_KERNEL
+#endif
+#ifndef linux
+# include <netinet/ip_var.h>
+#endif
+#ifdef NOT_KERNEL
+#undef KERNEL
+#endif
+#ifdef __sgi
+# ifdef IFF_DRVRLOCK /* IRIX6 */
+#include <sys/hashing.h>
+# endif
+#endif
+#include <netinet/tcp.h>
+#if defined(__sgi) && !defined(IFF_DRVRLOCK) /* IRIX < 6 */
+extern struct ifqueue ipintrq; /* ip packet input queue */
+#else
+# ifndef linux
+# include <netinet/in_var.h>
+# include <netinet/tcp_fsm.h>
+# endif
+#endif
+#include <netinet/udp.h>
+#include <netinet/ip_icmp.h>
+#include "netinet/ip_compat.h"
+#include <netinet/tcpip.h>
+#include "netinet/ip_fil.h"
+#include "netinet/ip_auth.h"
+#if !SOLARIS && !defined(linux)
+# include <net/netisr.h>
+#endif
+
+
+#if (SOLARIS || defined(__sgi)) && defined(_KERNEL)
+extern kmutex_t ipf_auth;
+# if SOLARIS
+extern kcondvar_t ipfauthwait;
+# endif
+#endif
+#ifdef linux
+static struct wait_queue *ipfauthwait = NULL;
+#endif
+
+int fr_authsize = FR_NUMAUTH;
+int fr_authused = 0;
+int fr_defaultauthage = 600;
+fr_authstat_t fr_authstats;
+frauth_t fr_auth[FR_NUMAUTH];
+mb_t *fr_authpkts[FR_NUMAUTH];
+int fr_authstart = 0, fr_authend = 0, fr_authnext = 0;
+frauthent_t *fae_list = NULL;
+frentry_t *ipauth = NULL;
+
+
+/*
+ * Check if a packet has authorization. If the packet is found to match an
+ * authorization result and that would result in a feedback loop (i.e. it
+ * will end up returning FR_AUTH) then return FR_BLOCK instead.
+ */
+int fr_checkauth(ip, fin)
+ip_t *ip;
+fr_info_t *fin;
+{
+ u_short id = ip->ip_id;
+ u_32_t pass;
+ int i;
+
+ MUTEX_ENTER(&ipf_auth);
+ for (i = fr_authstart; i != fr_authend; ) {
+ /*
+ * index becomes -2 only after an SIOCAUTHW. Check this in
+ * case the same packet gets sent again and it hasn't yet been
+ * auth'd.
+ */
+ if ((fr_auth[i].fra_index == -2) &&
+ (id == fr_auth[i].fra_info.fin_id) &&
+ !bcmp((char *)fin,(char *)&fr_auth[i].fra_info,FI_CSIZE)) {
+ /*
+ * Avoid feedback loop.
+ */
+ if (!(pass = fr_auth[i].fra_pass) || (pass & FR_AUTH))
+ pass = FR_BLOCK;
+ fr_authstats.fas_hits++;
+ fr_auth[i].fra_index = -1;
+ fr_authused--;
+ if (i == fr_authstart) {
+ while (fr_auth[i].fra_index == -1) {
+ i++;
+ if (i == FR_NUMAUTH)
+ i = 0;
+ fr_authstart = i;
+ if (i == fr_authend)
+ break;
+ }
+ if (fr_authstart == fr_authend) {
+ fr_authnext = 0;
+ fr_authstart = fr_authend = 0;
+ }
+ }
+ MUTEX_EXIT(&ipf_auth);
+ return pass;
+ }
+ i++;
+ if (i == FR_NUMAUTH)
+ i = 0;
+ }
+ fr_authstats.fas_miss++;
+ MUTEX_EXIT(&ipf_auth);
+ return 0;
+}
+
+
+/*
+ * Check if we have room in the auth array to hold details for another packet.
+ * If we do, store it and wake up any user programs which are waiting to
+ * hear about these events.
+ */
+int fr_newauth(m, fin, ip
+#if defined(_KERNEL) && SOLARIS
+, qif)
+qif_t *qif;
+#else
+)
+#endif
+mb_t *m;
+fr_info_t *fin;
+ip_t *ip;
+{
+ int i;
+
+ MUTEX_ENTER(&ipf_auth);
+ if ((fr_authstart > fr_authend) && (fr_authstart - fr_authend == -1)) {
+ fr_authstats.fas_nospace++;
+ MUTEX_EXIT(&ipf_auth);
+ return 0;
+ }
+ if (fr_authend - fr_authstart == FR_NUMAUTH - 1) {
+ fr_authstats.fas_nospace++;
+ MUTEX_EXIT(&ipf_auth);
+ return 0;
+ }
+
+ fr_authstats.fas_added++;
+ fr_authused++;
+ i = fr_authend++;
+ if (fr_authend == FR_NUMAUTH)
+ fr_authend = 0;
+ MUTEX_EXIT(&ipf_auth);
+ fr_auth[i].fra_index = i;
+ fr_auth[i].fra_pass = 0;
+ fr_auth[i].fra_age = fr_defaultauthage;
+ bcopy((char *)fin, (char *)&fr_auth[i].fra_info, sizeof(*fin));
+#if !defined(sparc) && !defined(m68k)
+ /*
+ * No need to copyback here as we want to undo the changes, not keep
+ * them.
+ */
+# if SOLARIS && defined(_KERNEL)
+ if (ip == (ip_t *)m->b_rptr)
+# endif
+ {
+ register u_short bo;
+
+ bo = ip->ip_len;
+ ip->ip_len = htons(bo);
+# if !SOLARIS /* 4.4BSD converts this ip_input.c, but I don't in solaris.c */
+ bo = ip->ip_id;
+ ip->ip_id = htons(bo);
+# endif
+ bo = ip->ip_off;
+ ip->ip_off = htons(bo);
+ }
+#endif
+#if SOLARIS && defined(_KERNEL)
+ m->b_rptr -= qif->qf_off;
+ fr_authpkts[i] = *(mblk_t **)fin->fin_mp;
+ fr_auth[i].fra_q = qif->qf_q;
+ cv_signal(&ipfauthwait);
+#else
+ fr_authpkts[i] = m;
+# if defined(linux) && defined(_KERNEL)
+ wake_up_interruptible(&ipfauthwait);
+# else
+ WAKEUP(&fr_authnext);
+# endif
+#endif
+ return 1;
+}
+
+
+int fr_auth_ioctl(data, cmd, fr, frptr)
+caddr_t data;
+#if defined(__NetBSD__) || defined(__OpenBSD__)
+u_long cmd;
+#else
+int cmd;
+#endif
+frentry_t *fr, **frptr;
+{
+ mb_t *m;
+#if defined(_KERNEL)
+# if !SOLARIS
+ struct ifqueue *ifq;
+ int s;
+# endif
+#endif
+ frauth_t auth, *au = &auth;
+ frauthent_t *fae, **faep;
+ int i, error = 0;
+
+ switch (cmd)
+ {
+ case SIOCINIFR :
+ case SIOCRMIFR :
+ case SIOCADIFR :
+ error = EINVAL;
+ break;
+ case SIOCINAFR :
+ case SIOCRMAFR :
+ case SIOCADAFR :
+ for (faep = &fae_list; (fae = *faep); )
+ if (&fae->fae_fr == fr)
+ break;
+ else
+ faep = &fae->fae_next;
+ if (cmd == SIOCRMAFR) {
+ if (!fae)
+ error = ESRCH;
+ else {
+ *faep = fae->fae_next;
+ *frptr = fr->fr_next;
+ KFREE(fae);
+ }
+ } else {
+ KMALLOC(fae, frauthent_t *, sizeof(*fae));
+ if (fae != NULL) {
+ IRCOPY((char *)data, (char *)&fae->fae_fr,
+ sizeof(fae->fae_fr));
+ if (!fae->fae_age)
+ fae->fae_age = fr_defaultauthage;
+ fae->fae_fr.fr_hits = 0;
+ fae->fae_fr.fr_next = *frptr;
+ *frptr = &fae->fae_fr;
+ fae->fae_next = *faep;
+ *faep = fae;
+ } else
+ error = ENOMEM;
+ }
+ break;
+ case SIOCATHST:
+ IWCOPY((char *)&fr_authstats, data, sizeof(fr_authstats));
+ break;
+ case SIOCAUTHW:
+fr_authioctlloop:
+ MUTEX_ENTER(&ipf_auth);
+ if ((fr_authnext != fr_authend) && fr_authpkts[fr_authnext]) {
+ IWCOPY((char *)&fr_auth[fr_authnext++], data,
+ sizeof(fr_info_t));
+ if (fr_authnext == FR_NUMAUTH)
+ fr_authnext = 0;
+ MUTEX_EXIT(&ipf_auth);
+ return 0;
+ }
+#ifdef _KERNEL
+# if SOLARIS
+ if (!cv_wait_sig(&ipfauthwait, &ipf_auth)) {
+ mutex_exit(&ipf_auth);
+ return EINTR;
+ }
+# else
+# ifdef linux
+ interruptible_sleep_on(&ipfauthwait);
+ if (current->signal & ~current->blocked)
+ error = -EINTR;
+# else
+ error = SLEEP(&fr_authnext, "fr_authnext");
+# endif
+# endif
+#endif
+ MUTEX_EXIT(&ipf_auth);
+ if (!error)
+ goto fr_authioctlloop;
+ break;
+ case SIOCAUTHR:
+ IRCOPY(data, (caddr_t)&auth, sizeof(auth));
+ MUTEX_ENTER(&ipf_auth);
+ i = au->fra_index;
+ if ((i < 0) || (i > FR_NUMAUTH) ||
+ (fr_auth[i].fra_info.fin_id != au->fra_info.fin_id)) {
+ MUTEX_EXIT(&ipf_auth);
+ return EINVAL;
+ }
+ m = fr_authpkts[i];
+ fr_auth[i].fra_index = -2;
+ fr_auth[i].fra_pass = au->fra_pass;
+ fr_authpkts[i] = NULL;
+#ifdef _KERNEL
+ MUTEX_EXIT(&ipf_auth);
+ SPL_NET(s);
+# ifndef linux
+ if (m && au->fra_info.fin_out) {
+# if SOLARIS
+ error = fr_qout(fr_auth[i].fra_q, m);
+# else /* SOLARIS */
+ error = ip_output(m, NULL, NULL, IP_FORWARDING, NULL);
+# endif /* SOLARIS */
+ if (error)
+ fr_authstats.fas_sendfail++;
+ else
+ fr_authstats.fas_sendok++;
+ } else if (m) {
+# if SOLARIS
+ error = fr_qin(fr_auth[i].fra_q, m);
+# else /* SOLARIS */
+ ifq = &ipintrq;
+ if (IF_QFULL(ifq)) {
+ IF_DROP(ifq);
+ m_freem(m);
+ error = ENOBUFS;
+ } else {
+ IF_ENQUEUE(ifq, m);
+ schednetisr(NETISR_IP);
+ }
+# endif /* SOLARIS */
+ if (error)
+ fr_authstats.fas_quefail++;
+ else
+ fr_authstats.fas_queok++;
+ } else
+ error = EINVAL;
+# endif
+# if SOLARIS
+ if (error)
+ error = EINVAL;
+# else
+ /*
+ * If we experience an error which will result in the packet
+ * not being processed, make sure we advance to the next one.
+ */
+ if (error == ENOBUFS) {
+ fr_authused--;
+ fr_auth[i].fra_index = -1;
+ fr_auth[i].fra_pass = 0;
+ if (i == fr_authstart) {
+ while (fr_auth[i].fra_index == -1) {
+ i++;
+ if (i == FR_NUMAUTH)
+ i = 0;
+ fr_authstart = i;
+ if (i == fr_authend)
+ break;
+ }
+ if (fr_authstart == fr_authend) {
+ fr_authnext = 0;
+ fr_authstart = fr_authend = 0;
+ }
+ }
+ }
+# endif
+ SPL_X(s);
+#endif /* _KERNEL */
+ break;
+ default :
+ error = EINVAL;
+ break;
+ }
+ return error;
+}
+
+
+#ifdef _KERNEL
+/*
+ * Free all network buffer memory used to keep saved packets.
+ */
+void fr_authunload()
+{
+ register int i;
+ register frauthent_t *fae, **faep;
+ mb_t *m;
+
+ MUTEX_ENTER(&ipf_auth);
+ for (i = 0; i < FR_NUMAUTH; i++) {
+ if ((m = fr_authpkts[i])) {
+ FREE_MB_T(m);
+ fr_authpkts[i] = NULL;
+ fr_auth[i].fra_index = -1;
+ }
+ }
+
+
+ for (faep = &fae_list; (fae = *faep); ) {
+ *faep = fae->fae_next;
+ KFREE(fae);
+ }
+ MUTEX_EXIT(&ipf_auth);
+}
+
+
+/*
+ * Slowly expire held auth records. Timeouts are set
+ * in expectation of this being called twice per second.
+ */
+void fr_authexpire()
+{
+ register int i;
+ register frauth_t *fra;
+ register frauthent_t *fae, **faep;
+ mb_t *m;
+#if !SOLARIS
+ int s;
+#endif
+
+ SPL_NET(s);
+ MUTEX_ENTER(&ipf_auth);
+ for (i = 0, fra = fr_auth; i < FR_NUMAUTH; i++, fra++) {
+ if ((!--fra->fra_age) && (m = fr_authpkts[i])) {
+ FREE_MB_T(m);
+ fr_authpkts[i] = NULL;
+ fr_auth[i].fra_index = -1;
+ fr_authstats.fas_expire++;
+ fr_authused--;
+ }
+ }
+
+ for (faep = &fae_list; (fae = *faep); ) {
+ if (!--fra->fra_age) {
+ *faep = fae->fae_next;
+ KFREE(fae);
+ fr_authstats.fas_expire++;
+ } else
+ faep = &fae->fae_next;
+ }
+ MUTEX_EXIT(&ipf_auth);
+ SPL_X(s);
+}
+#endif