![[BACK]](/cvsweb/icons/back.gif){kind=icon}
Return to ip_auth.c CVS log ![[TXT]](/cvsweb/icons/text.gif){kind=icon}
![[DIR]](/cvsweb/icons/dir.gif){kind=icon}
Up to [Apple XNU] / XNU / bsd / netinet|
Return to ip_auth.c CVS log | Up to [Apple XNU] / XNU / bsd / netinet |
1.1 root 1: /*
2: * Copyright (c) 2000 Apple Computer, Inc. All rights reserved.
3: *
4: * @APPLE_LICENSE_HEADER_START@
5: *
6: * The contents of this file constitute Original Code as defined in and
7: * are subject to the Apple Public Source License Version 1.1 (the
8: * "License"). You may not use this file except in compliance with the
9: * License. Please obtain a copy of the License at
10: * http://www.apple.com/publicsource and read it before using this file.
11: *
12: * This Original Code and all software distributed under the License are
13: * distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY KIND, EITHER
14: * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
15: * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
16: * FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT. Please see the
17: * License for the specific language governing rights and limitations
18: * under the License.
19: *
20: * @APPLE_LICENSE_HEADER_END@
21: */
22: /*
23: * Copyright (C) 1997 by Darren Reed & Guido van Rooij.
24: *
25: * Redistribution and use in source and binary forms are permitted
26: * provided that this notice is preserved and due credit is given
27: * to the original author and the contributors.
28: */
29:
30: #define __FreeBSD_version 300000 /* just a hack - no <sys/osreldate.h> */
31:
32: #if !defined(KERNEL)
33: # include <stdlib.h>
34: # include <string.h>
35: #endif
36: #include <sys/errno.h>
37: #include <sys/types.h>
38: #include <sys/param.h>
39: #include <sys/time.h>
40: #include <sys/file.h>
41: #if defined(KERNEL) && (__FreeBSD_version >= 220000)
42: # include <sys/filio.h>
43: # include <sys/fcntl.h>
44: #else
45: # include <sys/ioctl.h>
46: #endif
47: #include <sys/uio.h>
48: #ifndef linux
49: # include <sys/protosw.h>
50: #endif
51: #include <sys/socket.h>
52: #if defined(KERNEL)
53: # include <sys/systm.h>
54: #endif
55: #if !defined(__SVR4) && !defined(__svr4__)
56: # ifndef linux
57: # include <sys/mbuf.h>
58: # endif
59: #else
60: # include <sys/filio.h>
61: # include <sys/byteorder.h>
62: # include <sys/dditypes.h>
63: # include <sys/stream.h>
64: # include <sys/kmem.h>
65: #endif
66: #if defined(KERNEL) && (__FreeBSD_version >= 300000)
67: # include <sys/malloc.h>
68: #endif
69: #if defined(__NetBSD__) || defined(__OpenBSD__) || defined(bsdi)
70: # include <kern/cpu_number.h>
71: #endif
72: #include <net/if.h>
73: #ifdef sun
74: #include <net/af.h>
75: #endif
76: #if !defined(KERNEL) && (__FreeBSD_version >= 300000)
77: # include <net/if_var.h>
78: #endif
79: #include <net/route.h>
80: #include <netinet/in.h>
81: #include <netinet/in_systm.h>
82: #include <netinet/ip.h>
83: #ifndef KERNEL
84: #define KERNEL
85: #define NOT_KERNEL
86: #endif
87: #ifndef linux
88: # include <netinet/ip_var.h>
89: #endif
90: #ifdef NOT_KERNEL
91: #undef KERNEL
92: #endif
93: #ifdef __sgi
94: # ifdef IFF_DRVRLOCK /* IRIX6 */
95: #include <sys/hashing.h>
96: # endif
97: #endif
98: #include <netinet/tcp.h>
99: #if defined(__sgi) && !defined(IFF_DRVRLOCK) /* IRIX < 6 */
100: extern struct ifqueue ipintrq; /* ip packet input queue */
101: #else
102: # ifndef linux
103: # include <netinet/in_var.h>
104: # include <netinet/tcp_fsm.h>
105: # endif
106: #endif
107: #include <netinet/udp.h>
108: #include <netinet/ip_icmp.h>
109: #include "netinet/ip_compat.h"
110: #include <netinet/tcpip.h>
111: #include "netinet/ip_fil.h"
112: #include "netinet/ip_auth.h"
113: #if !SOLARIS && !defined(linux)
114: # include <net/netisr.h>
115: # ifdef __FreeBSD__
116: # include <machine/cpufunc.h>
117: # endif
118: #endif
119:
120:
121: #if (SOLARIS || defined(__sgi)) && defined(_KERNEL)
122: extern kmutex_t ipf_auth;
123: # if SOLARIS
124: extern kcondvar_t ipfauthwait;
125: # endif
126: #endif
127: #ifdef linux
128: static struct wait_queue *ipfauthwait = NULL;
129: #endif
130:
131: int fr_authsize = FR_NUMAUTH;
132: int fr_authused = 0;
133: int fr_defaultauthage = 600;
134: fr_authstat_t fr_authstats;
135: static frauth_t fr_auth[FR_NUMAUTH];
136: mb_t *fr_authpkts[FR_NUMAUTH];
137: static int fr_authstart = 0, fr_authend = 0, fr_authnext = 0;
138: static frauthent_t *fae_list = NULL;
139: frentry_t *ipauth = NULL;
140:
141:
142: /*
143: * Check if a packet has authorization. If the packet is found to match an
144: * authorization result and that would result in a feedback loop (i.e. it
145: * will end up returning FR_AUTH) then return FR_BLOCK instead.
146: */
147: int fr_checkauth(ip, fin)
148: ip_t *ip;
149: fr_info_t *fin;
150: {
151: u_short id = ip->ip_id;
152: u_32_t pass;
153: int i;
154:
155: MUTEX_ENTER(&ipf_auth);
156: for (i = fr_authstart; i != fr_authend; ) {
157: /*
158: * index becomes -2 only after an SIOCAUTHW. Check this in
159: * case the same packet gets sent again and it hasn't yet been
160: * auth'd.
161: */
162: if ((fr_auth[i].fra_index == -2) &&
163: (id == fr_auth[i].fra_info.fin_id) &&
164: !bcmp((char *)fin,(char *)&fr_auth[i].fra_info,FI_CSIZE)) {
165: /*
166: * Avoid feedback loop.
167: */
168: if (!(pass = fr_auth[i].fra_pass) || (pass & FR_AUTH))
169: pass = FR_BLOCK;
170: fr_authstats.fas_hits++;
171: fr_auth[i].fra_index = -1;
172: fr_authused--;
173: if (i == fr_authstart) {
174: while (fr_auth[i].fra_index == -1) {
175: i++;
176: if (i == FR_NUMAUTH)
177: i = 0;
178: fr_authstart = i;
179: if (i == fr_authend)
180: break;
181: }
182: if (fr_authstart == fr_authend) {
183: fr_authnext = 0;
184: fr_authstart = fr_authend = 0;
185: }
186: }
187: MUTEX_EXIT(&ipf_auth);
188: return pass;
189: }
190: i++;
191: if (i == FR_NUMAUTH)
192: i = 0;
193: }
194: fr_authstats.fas_miss++;
195: MUTEX_EXIT(&ipf_auth);
196: return 0;
197: }
198:
199:
200: /*
201: * Check if we have room in the auth array to hold details for another packet.
202: * If we do, store it and wake up any user programs which are waiting to
203: * hear about these events.
204: */
205: int fr_newauth(m, fin, ip
206: #if defined(_KERNEL) && SOLARIS
207: , qif)
208: qif_t *qif;
209: #else
210: )
211: #endif
212: mb_t *m;
213: fr_info_t *fin;
214: ip_t *ip;
215: {
216: int i;
217:
218: MUTEX_ENTER(&ipf_auth);
219: if ((fr_authstart > fr_authend) && (fr_authstart - fr_authend == -1)) {
220: fr_authstats.fas_nospace++;
221: MUTEX_EXIT(&ipf_auth);
222: return 0;
223: }
224: if (fr_authend - fr_authstart == FR_NUMAUTH - 1) {
225: fr_authstats.fas_nospace++;
226: MUTEX_EXIT(&ipf_auth);
227: return 0;
228: }
229:
230: fr_authstats.fas_added++;
231: fr_authused++;
232: i = fr_authend++;
233: if (fr_authend == FR_NUMAUTH)
234: fr_authend = 0;
235: MUTEX_EXIT(&ipf_auth);
236: fr_auth[i].fra_index = i;
237: fr_auth[i].fra_pass = 0;
238: fr_auth[i].fra_age = fr_defaultauthage;
239: bcopy((char *)fin, (char *)&fr_auth[i].fra_info, sizeof(*fin));
240: #if !defined(sparc) && !defined(m68k)
241: /*
242: * No need to copyback here as we want to undo the changes, not keep
243: * them.
244: */
245: # if SOLARIS && defined(KERNEL)
246: if (ip == (ip_t *)m->b_rptr)
247: # endif
248: {
249: register u_short bo;
250:
251: bo = ip->ip_len;
252: ip->ip_len = htons(bo);
253: # if !SOLARIS /* 4.4BSD converts this ip_input.c, but I don't in solaris.c */
254: bo = ip->ip_id;
255: ip->ip_id = htons(bo);
256: # endif
257: bo = ip->ip_off;
258: ip->ip_off = htons(bo);
259: }
260: #endif
261: #if SOLARIS && defined(KERNEL)
262: m->b_rptr -= qif->qf_off;
263: fr_authpkts[i] = *(mblk_t **)fin->fin_mp;
264: fr_auth[i].fra_q = qif->qf_q;
265: cv_signal(&ipfauthwait);
266: #else
267: fr_authpkts[i] = m;
268: # if defined(linux) && defined(KERNEL)
269: wake_up_interruptible(&ipfauthwait);
270: # else
271: WAKEUP(&fr_authnext);
272: # endif
273: #endif
274: return 1;
275: }
276:
277:
278: int fr_auth_ioctl(data, cmd, fr, frptr)
279: caddr_t data;
280: #if defined(__NetBSD__) || defined(__OpenBSD__) || (__FreeBSD_version >= 300003)
281: u_long cmd;
282: #else
283: int cmd;
284: #endif
285: frentry_t *fr, **frptr;
286: {
287: mb_t *m;
288: #if defined(KERNEL)
289: # if !SOLARIS
290: struct ifqueue *ifq;
291: int s;
292: # endif
293: #endif
294: frauth_t auth, *au = &auth;
295: frauthent_t *fae, **faep;
296: int i, error = 0;
297:
298: switch (cmd)
299: {
300: case SIOCINIFR :
301: case SIOCRMIFR :
302: case SIOCADIFR :
303: error = EINVAL;
304: break;
305: case SIOCINAFR :
306: case SIOCRMAFR :
307: case SIOCADAFR :
308: for (faep = &fae_list; (fae = *faep); )
309: if (&fae->fae_fr == fr)
310: break;
311: else
312: faep = &fae->fae_next;
313: if (cmd == SIOCRMAFR) {
314: if (!fae)
315: error = ESRCH;
316: else {
317: *faep = fae->fae_next;
318: *frptr = fr->fr_next;
319: KFREE(fae);
320: }
321: } else {
322: KMALLOC(fae, frauthent_t *, sizeof(*fae));
323: if (fae != NULL) {
324: IRCOPY((char *)data, (char *)&fae->fae_fr,
325: sizeof(fae->fae_fr));
326: if (!fae->fae_age)
327: fae->fae_age = fr_defaultauthage;
328: fae->fae_fr.fr_hits = 0;
329: fae->fae_fr.fr_next = *frptr;
330: *frptr = &fae->fae_fr;
331: fae->fae_next = *faep;
332: *faep = fae;
333: } else
334: error = ENOMEM;
335: }
336: break;
337: case SIOCATHST:
338: IWCOPY((char *)&fr_authstats, data, sizeof(fr_authstats));
339: break;
340: case SIOCAUTHW:
341: fr_authioctlloop:
342: MUTEX_ENTER(&ipf_auth);
343: if ((fr_authnext != fr_authend) && fr_authpkts[fr_authnext]) {
344: IWCOPY((char *)&fr_auth[fr_authnext++], data,
345: sizeof(fr_info_t));
346: if (fr_authnext == FR_NUMAUTH)
347: fr_authnext = 0;
348: MUTEX_EXIT(&ipf_auth);
349: return 0;
350: }
351: #ifdef KERNEL
352: # if SOLARIS
353: if (!cv_wait_sig(&ipfauthwait, &ipf_auth)) {
354: mutex_exit(&ipf_auth);
355: return EINTR;
356: }
357: # else
358: # ifdef linux
359: interruptible_sleep_on(&ipfauthwait);
360: if (current->signal & ~current->blocked)
361: error = -EINTR;
362: # else
363: error = SLEEP(&fr_authnext, "fr_authnext");
364: # endif
365: # endif
366: #endif
367: MUTEX_EXIT(&ipf_auth);
368: if (!error)
369: goto fr_authioctlloop;
370: break;
371: case SIOCAUTHR:
372: IRCOPY(data, (caddr_t)&auth, sizeof(auth));
373: MUTEX_ENTER(&ipf_auth);
374: i = au->fra_index;
375: if ((i < 0) || (i > FR_NUMAUTH) ||
376: (fr_auth[i].fra_info.fin_id != au->fra_info.fin_id)) {
377: MUTEX_EXIT(&ipf_auth);
378: return EINVAL;
379: }
380: m = fr_authpkts[i];
381: fr_auth[i].fra_index = -2;
382: fr_auth[i].fra_pass = au->fra_pass;
383: fr_authpkts[i] = NULL;
384: #ifdef KERNEL
385: MUTEX_EXIT(&ipf_auth);
386: SPL_NET(s);
387: # ifndef linux
388: if (m && au->fra_info.fin_out) {
389: # if SOLARIS
390: error = fr_qout(fr_auth[i].fra_q, m);
391: # else /* SOLARIS */
392: error = ip_output(m, NULL, NULL, IP_FORWARDING, NULL);
393: # endif /* SOLARIS */
394: if (error)
395: fr_authstats.fas_sendfail++;
396: else
397: fr_authstats.fas_sendok++;
398: } else if (m) {
399: # if SOLARIS
400: error = fr_qin(fr_auth[i].fra_q, m);
401: # else /* SOLARIS */
402: ifq = &ipintrq;
403: if (IF_QFULL(ifq)) {
404: IF_DROP(ifq);
405: m_freem(m);
406: error = ENOBUFS;
407: } else {
408: IF_ENQUEUE(ifq, m);
409: schednetisr(NETISR_IP);
410: }
411: # endif /* SOLARIS */
412: if (error)
413: fr_authstats.fas_quefail++;
414: else
415: fr_authstats.fas_queok++;
416: } else
417: error = EINVAL;
418: # endif
419: # if SOLARIS
420: if (error)
421: error = EINVAL;
422: # else
423: /*
424: * If we experience an error which will result in the packet
425: * not being processed, make sure we advance to the next one.
426: */
427: if (error == ENOBUFS) {
428: fr_authused--;
429: fr_auth[i].fra_index = -1;
430: fr_auth[i].fra_pass = 0;
431: if (i == fr_authstart) {
432: while (fr_auth[i].fra_index == -1) {
433: i++;
434: if (i == FR_NUMAUTH)
435: i = 0;
436: fr_authstart = i;
437: if (i == fr_authend)
438: break;
439: }
440: if (fr_authstart == fr_authend) {
441: fr_authnext = 0;
442: fr_authstart = fr_authend = 0;
443: }
444: }
445: }
446: # endif
447: SPL_X(s);
448: #endif /* KERNEL */
449: break;
450: default :
451: error = EINVAL;
452: break;
453: }
454: return error;
455: }
456:
457:
458: #ifdef KERNEL
459: /*
460: * Free all network buffer memory used to keep saved packets.
461: */
462: void fr_authunload()
463: {
464: register int i;
465: register frauthent_t *fae, **faep;
466: mb_t *m;
467:
468: MUTEX_ENTER(&ipf_auth);
469: for (i = 0; i < FR_NUMAUTH; i++) {
470: if ((m = fr_authpkts[i])) {
471: FREE_MB_T(m);
472: fr_authpkts[i] = NULL;
473: fr_auth[i].fra_index = -1;
474: }
475: }
476:
477:
478: for (faep = &fae_list; (fae = *faep); ) {
479: *faep = fae->fae_next;
480: KFREE(fae);
481: }
482: MUTEX_EXIT(&ipf_auth);
483: }
484:
485:
486: /*
487: * Slowly expire held auth records. Timeouts are set
488: * in expectation of this being called twice per second.
489: */
490: void fr_authexpire()
491: {
492: register int i;
493: register frauth_t *fra;
494: register frauthent_t *fae, **faep;
495: mb_t *m;
496: #if !SOLARIS
497: int s;
498: #endif
499:
500: SPL_NET(s);
501: MUTEX_ENTER(&ipf_auth);
502: for (i = 0, fra = fr_auth; i < FR_NUMAUTH; i++, fra++) {
503: if ((!--fra->fra_age) && (m = fr_authpkts[i])) {
504: FREE_MB_T(m);
505: fr_authpkts[i] = NULL;
506: fr_auth[i].fra_index = -1;
507: fr_authstats.fas_expire++;
508: fr_authused--;
509: }
510: }
511:
512: for (faep = &fae_list; (fae = *faep); ) {
513: if (!--fra->fra_age) {
514: *faep = fae->fae_next;
515: KFREE(fae);
516: fr_authstats.fas_expire++;
517: } else
518: faep = &fae->fae_next;
519: }
520: MUTEX_EXIT(&ipf_auth);
521: SPL_X(s);
522: }
523: #endif
This archive runs on limited infrastructure. Preserving old code on modern bandwidth. Automated agents are requested to crawl responsibly.