1 /* $FreeBSD: stable/10/sys/contrib/ipfilter/netinet/ip_auth.c 266829 2014-05-29 02:55:07Z cy $ */
2
3 /*
4 * Copyright (C) 2012 by Darren Reed.
5 *
6 * See the IPFILTER.LICENCE file for details on licencing.
7 */
8 #if defined(KERNEL) || defined(_KERNEL)
9 # undef KERNEL
10 # undef _KERNEL
11 # define KERNEL 1
12 # define _KERNEL 1
13 #endif
14 #include <sys/errno.h>
15 #include <sys/types.h>
16 #include <sys/param.h>
17 #include <sys/time.h>
18 #include <sys/file.h>
19 #if !defined(_KERNEL)
20 # include <stdio.h>
21 # include <stdlib.h>
22 # ifdef _STDC_C99
23 # include <stdbool.h>
24 # endif
25 # include <string.h>
26 # define _KERNEL
27 # ifdef __OpenBSD__
28 struct file;
29 # endif
30 # include <sys/uio.h>
31 # undef _KERNEL
32 #endif
33 #if defined(_KERNEL) && (__FreeBSD_version >= 220000)
34 # include <sys/filio.h>
35 # include <sys/fcntl.h>
36 #else
37 # include <sys/ioctl.h>
38 #endif
39 #if !defined(linux)
40 # include <sys/protosw.h>
41 #endif
42 #include <sys/socket.h>
43 #if defined(_KERNEL)
44 # include <sys/systm.h>
45 # if !defined(__SVR4) && !defined(__svr4__) && !defined(linux)
46 # include <sys/mbuf.h>
47 # endif
48 #endif
49 #if defined(__SVR4) || defined(__svr4__)
50 # include <sys/filio.h>
51 # include <sys/byteorder.h>
52 # ifdef _KERNEL
53 # include <sys/dditypes.h>
54 # endif
55 # include <sys/stream.h>
56 # include <sys/kmem.h>
57 #endif
58 #if (defined(_BSDI_VERSION) && (_BSDI_VERSION >= 199802)) || \
59 (defined(__FreeBSD_version) &&(__FreeBSD_version >= 400000))
60 # include <sys/queue.h>
61 #endif
62 #if defined(__NetBSD__) || defined(__OpenBSD__) || defined(bsdi)
63 # include <machine/cpu.h>
64 #endif
65 #if defined(_KERNEL) && defined(__NetBSD__) && (__NetBSD_Version__ >= 104000000)
66 # include <sys/proc.h>
67 #endif
68 #if defined(__NetBSD_Version__) && (__NetBSD_Version__ >= 400000) && \
69 !defined(_KERNEL)
70 # include <stdbool.h>
71 #endif
72 #include <net/if.h>
73 #ifdef sun
74 # include <net/af.h>
75 #endif
76 #include <netinet/in.h>
77 #include <netinet/in_systm.h>
78 #include <netinet/ip.h>
79 #if !defined(linux)
80 # include <netinet/ip_var.h>
81 #endif
82 #if !defined(_KERNEL) && !defined(__osf__) && !defined(__sgi)
83 # define KERNEL
84 # define _KERNEL
85 # define NOT_KERNEL
86 #endif
87 #ifdef NOT_KERNEL
88 # undef _KERNEL
89 # undef KERNEL
90 #endif
91 #include <netinet/tcp.h>
92 #if defined(IRIX) && (IRIX < 60516) /* IRIX < 6 */
93 extern struct ifqueue ipintrq; /* ip packet input queue */
94 #else
95 # if !defined(__hpux) && !defined(linux)
96 # if __FreeBSD_version >= 300000
97 # include <net/if_var.h>
98 # if __FreeBSD_version >= 500042
99 # define IF_QFULL _IF_QFULL
100 # define IF_DROP _IF_DROP
101 # endif /* __FreeBSD_version >= 500042 */
102 # endif
103 # include <netinet/in_var.h>
104 # include <netinet/tcp_fsm.h>
105 # endif
106 #endif
107 #include <netinet/udp.h>
108 #include <netinet/ip_icmp.h>
109 #include "netinet/ip_compat.h"
110 #include <netinet/tcpip.h>
111 #include "netinet/ip_fil.h"
112 #include "netinet/ip_auth.h"
113 #if !defined(MENTAT) && !defined(linux)
114 # include <net/netisr.h>
115 # ifdef __FreeBSD__
116 # include <machine/cpufunc.h>
117 # endif
118 #endif
119 #if (__FreeBSD_version >= 300000)
120 # include <sys/malloc.h>
121 # if defined(_KERNEL) && !defined(IPFILTER_LKM)
122 # include <sys/libkern.h>
123 # include <sys/systm.h>
124 # endif
125 #endif
126 /* END OF INCLUDES */
127
128 #if !defined(lint)
129 static const char rcsid[] = "@(#)$FreeBSD: stable/10/sys/contrib/ipfilter/netinet/ip_auth.c 266829 2014-05-29 02:55:07Z cy $";
130 /* static const char rcsid[] = "@(#)$Id: ip_auth.c,v 2.73.2.24 2007/09/09 11:32:04 darrenr Exp $"; */
131 #endif
132
133
134 static void ipf_auth_deref __P((frauthent_t **));
135 static void ipf_auth_deref_unlocked __P((ipf_auth_softc_t *, frauthent_t **));
136 static int ipf_auth_geniter __P((ipf_main_softc_t *, ipftoken_t *,
137 ipfgeniter_t *, ipfobj_t *));
138 static int ipf_auth_reply __P((ipf_main_softc_t *, ipf_auth_softc_t *, char *));
139 static int ipf_auth_wait __P((ipf_main_softc_t *, ipf_auth_softc_t *, char *));
140 static int ipf_auth_flush __P((void *));
141
142
143 /* ------------------------------------------------------------------------ */
144 /* Function: ipf_auth_main_load */
145 /* Returns: int - 0 == success, else error */
146 /* Parameters: None */
147 /* */
148 /* A null-op function that exists as a placeholder so that the flow in */
149 /* other functions is obvious. */
150 /* ------------------------------------------------------------------------ */
151 int
ipf_auth_main_load()152 ipf_auth_main_load()
153 {
154 return 0;
155 }
156
157
158 /* ------------------------------------------------------------------------ */
159 /* Function: ipf_auth_main_unload */
160 /* Returns: int - 0 == success, else error */
161 /* Parameters: None */
162 /* */
163 /* A null-op function that exists as a placeholder so that the flow in */
164 /* other functions is obvious. */
165 /* ------------------------------------------------------------------------ */
166 int
ipf_auth_main_unload()167 ipf_auth_main_unload()
168 {
169 return 0;
170 }
171
172
173 /* ------------------------------------------------------------------------ */
174 /* Function: ipf_auth_soft_create */
175 /* Returns: int - NULL = failure, else success */
176 /* Parameters: softc(I) - pointer to soft context data */
177 /* */
178 /* Create a structre to store all of the run-time data for packet auth in */
179 /* and initialise some fields to their defaults. */
180 /* ------------------------------------------------------------------------ */
181 void *
ipf_auth_soft_create(softc)182 ipf_auth_soft_create(softc)
183 ipf_main_softc_t *softc;
184 {
185 ipf_auth_softc_t *softa;
186
187 KMALLOC(softa, ipf_auth_softc_t *);
188 if (softa == NULL)
189 return NULL;
190
191 bzero((char *)softa, sizeof(*softa));
192
193 softa->ipf_auth_size = FR_NUMAUTH;
194 softa->ipf_auth_defaultage = 600;
195
196 RWLOCK_INIT(&softa->ipf_authlk, "ipf IP User-Auth rwlock");
197 MUTEX_INIT(&softa->ipf_auth_mx, "ipf auth log mutex");
198 #if SOLARIS && defined(_KERNEL)
199 cv_init(&softa->ipf_auth_wait, "ipf auth condvar", CV_DRIVER, NULL);
200 #endif
201
202 return softa;
203 }
204
205 /* ------------------------------------------------------------------------ */
206 /* Function: ipf_auth_soft_init */
207 /* Returns: int - 0 == success, else error */
208 /* Parameters: softc(I) - pointer to soft context data */
209 /* arg(I) - opaque pointer to auth context data */
210 /* */
211 /* Allocate memory and initialise data structures used in handling auth */
212 /* rules. */
213 /* ------------------------------------------------------------------------ */
214 int
ipf_auth_soft_init(softc,arg)215 ipf_auth_soft_init(softc, arg)
216 ipf_main_softc_t *softc;
217 void *arg;
218 {
219 ipf_auth_softc_t *softa = arg;
220
221 KMALLOCS(softa->ipf_auth, frauth_t *,
222 softa->ipf_auth_size * sizeof(*softa->ipf_auth));
223 if (softa->ipf_auth == NULL)
224 return -1;
225 bzero((char *)softa->ipf_auth,
226 softa->ipf_auth_size * sizeof(*softa->ipf_auth));
227
228 KMALLOCS(softa->ipf_auth_pkts, mb_t **,
229 softa->ipf_auth_size * sizeof(*softa->ipf_auth_pkts));
230 if (softa->ipf_auth_pkts == NULL)
231 return -2;
232 bzero((char *)softa->ipf_auth_pkts,
233 softa->ipf_auth_size * sizeof(*softa->ipf_auth_pkts));
234
235 #if defined(linux) && defined(_KERNEL)
236 init_waitqueue_head(&softa->ipf_auth_next_linux);
237 #endif
238
239 return 0;
240 }
241
242
243 /* ------------------------------------------------------------------------ */
244 /* Function: ipf_auth_soft_fini */
245 /* Returns: int - 0 == success, else error */
246 /* Parameters: softc(I) - pointer to soft context data */
247 /* arg(I) - opaque pointer to auth context data */
248 /* */
249 /* Free all network buffer memory used to keep saved packets that have been */
250 /* connectedd to the soft soft context structure *but* do not free that: it */
251 /* is free'd by _destroy(). */
252 /* ------------------------------------------------------------------------ */
253 int
ipf_auth_soft_fini(softc,arg)254 ipf_auth_soft_fini(softc, arg)
255 ipf_main_softc_t *softc;
256 void *arg;
257 {
258 ipf_auth_softc_t *softa = arg;
259 frauthent_t *fae, **faep;
260 frentry_t *fr, **frp;
261 mb_t *m;
262 int i;
263
264 if (softa->ipf_auth != NULL) {
265 KFREES(softa->ipf_auth,
266 softa->ipf_auth_size * sizeof(*softa->ipf_auth));
267 softa->ipf_auth = NULL;
268 }
269
270 if (softa->ipf_auth_pkts != NULL) {
271 for (i = 0; i < softa->ipf_auth_size; i++) {
272 m = softa->ipf_auth_pkts[i];
273 if (m != NULL) {
274 FREE_MB_T(m);
275 softa->ipf_auth_pkts[i] = NULL;
276 }
277 }
278 KFREES(softa->ipf_auth_pkts,
279 softa->ipf_auth_size * sizeof(*softa->ipf_auth_pkts));
280 softa->ipf_auth_pkts = NULL;
281 }
282
283 faep = &softa->ipf_auth_entries;
284 while ((fae = *faep) != NULL) {
285 *faep = fae->fae_next;
286 KFREE(fae);
287 }
288 softa->ipf_auth_ip = NULL;
289
290 if (softa->ipf_auth_rules != NULL) {
291 for (frp = &softa->ipf_auth_rules; ((fr = *frp) != NULL); ) {
292 if (fr->fr_ref == 1) {
293 *frp = fr->fr_next;
294 MUTEX_DESTROY(&fr->fr_lock);
295 KFREE(fr);
296 } else
297 frp = &fr->fr_next;
298 }
299 }
300
301 return 0;
302 }
303
304
305 /* ------------------------------------------------------------------------ */
306 /* Function: ipf_auth_soft_destroy */
307 /* Returns: void */
308 /* Parameters: softc(I) - pointer to soft context data */
309 /* arg(I) - opaque pointer to auth context data */
310 /* */
311 /* Undo what was done in _create() - i.e. free the soft context data. */
312 /* ------------------------------------------------------------------------ */
313 void
ipf_auth_soft_destroy(softc,arg)314 ipf_auth_soft_destroy(softc, arg)
315 ipf_main_softc_t *softc;
316 void *arg;
317 {
318 ipf_auth_softc_t *softa = arg;
319
320 # if SOLARIS && defined(_KERNEL)
321 cv_destroy(&softa->ipf_auth_wait);
322 # endif
323 MUTEX_DESTROY(&softa->ipf_auth_mx);
324 RW_DESTROY(&softa->ipf_authlk);
325
326 KFREE(softa);
327 }
328
329
330 /* ------------------------------------------------------------------------ */
331 /* Function: ipf_auth_setlock */
332 /* Returns: void */
333 /* Paramters: arg(I) - pointer to soft context data */
334 /* tmp(I) - value to assign to auth lock */
335 /* */
336 /* ------------------------------------------------------------------------ */
337 void
ipf_auth_setlock(arg,tmp)338 ipf_auth_setlock(arg, tmp)
339 void *arg;
340 int tmp;
341 {
342 ipf_auth_softc_t *softa = arg;
343
344 softa->ipf_auth_lock = tmp;
345 }
346
347
348 /* ------------------------------------------------------------------------ */
349 /* Function: ipf_auth_check */
350 /* Returns: frentry_t* - pointer to ipf rule if match found, else NULL */
351 /* Parameters: fin(I) - pointer to ipftoken structure */
352 /* passp(I) - pointer to ipfgeniter structure */
353 /* */
354 /* Check if a packet has authorization. If the packet is found to match an */
355 /* authorization result and that would result in a feedback loop (i.e. it */
356 /* will end up returning FR_AUTH) then return FR_BLOCK instead. */
357 /* ------------------------------------------------------------------------ */
358 frentry_t *
ipf_auth_check(fin,passp)359 ipf_auth_check(fin, passp)
360 fr_info_t *fin;
361 u_32_t *passp;
362 {
363 ipf_main_softc_t *softc = fin->fin_main_soft;
364 ipf_auth_softc_t *softa = softc->ipf_auth_soft;
365 frentry_t *fr;
366 frauth_t *fra;
367 u_32_t pass;
368 u_short id;
369 ip_t *ip;
370 int i;
371
372 if (softa->ipf_auth_lock || !softa->ipf_auth_used)
373 return NULL;
374
375 ip = fin->fin_ip;
376 id = ip->ip_id;
377
378 READ_ENTER(&softa->ipf_authlk);
379 for (i = softa->ipf_auth_start; i != softa->ipf_auth_end; ) {
380 /*
381 * index becomes -2 only after an SIOCAUTHW. Check this in
382 * case the same packet gets sent again and it hasn't yet been
383 * auth'd.
384 */
385 fra = softa->ipf_auth + i;
386 if ((fra->fra_index == -2) && (id == fra->fra_info.fin_id) &&
387 !bcmp((char *)fin, (char *)&fra->fra_info, FI_CSIZE)) {
388 /*
389 * Avoid feedback loop.
390 */
391 if (!(pass = fra->fra_pass) || (FR_ISAUTH(pass))) {
392 pass = FR_BLOCK;
393 fin->fin_reason = FRB_AUTHFEEDBACK;
394 }
395 /*
396 * Create a dummy rule for the stateful checking to
397 * use and return. Zero out any values we don't
398 * trust from userland!
399 */
400 if ((pass & FR_KEEPSTATE) || ((pass & FR_KEEPFRAG) &&
401 (fin->fin_flx & FI_FRAG))) {
402 KMALLOC(fr, frentry_t *);
403 if (fr) {
404 bcopy((char *)fra->fra_info.fin_fr,
405 (char *)fr, sizeof(*fr));
406 fr->fr_grp = NULL;
407 fr->fr_ifa = fin->fin_ifp;
408 fr->fr_func = NULL;
409 fr->fr_ref = 1;
410 fr->fr_flags = pass;
411 fr->fr_ifas[1] = NULL;
412 fr->fr_ifas[2] = NULL;
413 fr->fr_ifas[3] = NULL;
414 MUTEX_INIT(&fr->fr_lock,
415 "ipf auth rule");
416 }
417 } else
418 fr = fra->fra_info.fin_fr;
419 fin->fin_fr = fr;
420 fin->fin_flx |= fra->fra_flx;
421 RWLOCK_EXIT(&softa->ipf_authlk);
422
423 WRITE_ENTER(&softa->ipf_authlk);
424 /*
425 * ipf_auth_rules is populated with the rules malloc'd
426 * above and only those.
427 */
428 if ((fr != NULL) && (fr != fra->fra_info.fin_fr)) {
429 fr->fr_next = softa->ipf_auth_rules;
430 softa->ipf_auth_rules = fr;
431 }
432 softa->ipf_auth_stats.fas_hits++;
433 fra->fra_index = -1;
434 softa->ipf_auth_used--;
435 softa->ipf_auth_replies--;
436 if (i == softa->ipf_auth_start) {
437 while (fra->fra_index == -1) {
438 i++;
439 fra++;
440 if (i == softa->ipf_auth_size) {
441 i = 0;
442 fra = softa->ipf_auth;
443 }
444 softa->ipf_auth_start = i;
445 if (i == softa->ipf_auth_end)
446 break;
447 }
448 if (softa->ipf_auth_start ==
449 softa->ipf_auth_end) {
450 softa->ipf_auth_next = 0;
451 softa->ipf_auth_start = 0;
452 softa->ipf_auth_end = 0;
453 }
454 }
455 RWLOCK_EXIT(&softa->ipf_authlk);
456 if (passp != NULL)
457 *passp = pass;
458 softa->ipf_auth_stats.fas_hits++;
459 return fr;
460 }
461 i++;
462 if (i == softa->ipf_auth_size)
463 i = 0;
464 }
465 RWLOCK_EXIT(&softa->ipf_authlk);
466 softa->ipf_auth_stats.fas_miss++;
467 return NULL;
468 }
469
470
471 /* ------------------------------------------------------------------------ */
472 /* Function: ipf_auth_new */
473 /* Returns: int - 1 == success, 0 = did not put packet on auth queue */
474 /* Parameters: m(I) - pointer to mb_t with packet in it */
475 /* fin(I) - pointer to packet information */
476 /* */
477 /* Check if we have room in the auth array to hold details for another */
478 /* packet. If we do, store it and wake up any user programs which are */
479 /* waiting to hear about these events. */
480 /* ------------------------------------------------------------------------ */
481 int
ipf_auth_new(m,fin)482 ipf_auth_new(m, fin)
483 mb_t *m;
484 fr_info_t *fin;
485 {
486 ipf_main_softc_t *softc = fin->fin_main_soft;
487 ipf_auth_softc_t *softa = softc->ipf_auth_soft;
488 #if defined(_KERNEL) && defined(MENTAT)
489 qpktinfo_t *qpi = fin->fin_qpi;
490 #endif
491 frauth_t *fra;
492 #if !defined(sparc) && !defined(m68k)
493 ip_t *ip;
494 #endif
495 int i;
496
497 if (softa->ipf_auth_lock)
498 return 0;
499
500 WRITE_ENTER(&softa->ipf_authlk);
501 if (((softa->ipf_auth_end + 1) % softa->ipf_auth_size) ==
502 softa->ipf_auth_start) {
503 softa->ipf_auth_stats.fas_nospace++;
504 RWLOCK_EXIT(&softa->ipf_authlk);
505 return 0;
506 }
507
508 softa->ipf_auth_stats.fas_added++;
509 softa->ipf_auth_used++;
510 i = softa->ipf_auth_end++;
511 if (softa->ipf_auth_end == softa->ipf_auth_size)
512 softa->ipf_auth_end = 0;
513
514 fra = softa->ipf_auth + i;
515 fra->fra_index = i;
516 if (fin->fin_fr != NULL)
517 fra->fra_pass = fin->fin_fr->fr_flags;
518 else
519 fra->fra_pass = 0;
520 fra->fra_age = softa->ipf_auth_defaultage;
521 bcopy((char *)fin, (char *)&fra->fra_info, sizeof(*fin));
522 fra->fra_flx = fra->fra_info.fin_flx & (FI_STATE|FI_NATED);
523 fra->fra_info.fin_flx &= ~(FI_STATE|FI_NATED);
524 #if !defined(sparc) && !defined(m68k)
525 /*
526 * No need to copyback here as we want to undo the changes, not keep
527 * them.
528 */
529 ip = fin->fin_ip;
530 # if defined(MENTAT) && defined(_KERNEL)
531 if ((ip == (ip_t *)m->b_rptr) && (fin->fin_v == 4))
532 # endif
533 {
534 register u_short bo;
535
536 bo = ip->ip_len;
537 ip->ip_len = htons(bo);
538 bo = ip->ip_off;
539 ip->ip_off = htons(bo);
540 }
541 #endif
542 #if SOLARIS && defined(_KERNEL)
543 COPYIFNAME(fin->fin_v, fin->fin_ifp, fra->fra_info.fin_ifname);
544 m->b_rptr -= qpi->qpi_off;
545 fra->fra_q = qpi->qpi_q; /* The queue can disappear! */
546 fra->fra_m = *fin->fin_mp;
547 fra->fra_info.fin_mp = &fra->fra_m;
548 softa->ipf_auth_pkts[i] = *(mblk_t **)fin->fin_mp;
549 RWLOCK_EXIT(&softa->ipf_authlk);
550 cv_signal(&softa->ipf_auth_wait);
551 pollwakeup(&softc->ipf_poll_head[IPL_LOGAUTH], POLLIN|POLLRDNORM);
552 #else
553 softa->ipf_auth_pkts[i] = m;
554 RWLOCK_EXIT(&softa->ipf_authlk);
555 WAKEUP(&softa->ipf_auth_next, 0);
556 #endif
557 return 1;
558 }
559
560
561 /* ------------------------------------------------------------------------ */
562 /* Function: ipf_auth_ioctl */
563 /* Returns: int - 0 == success, else error */
564 /* Parameters: data(IO) - pointer to ioctl data */
565 /* cmd(I) - ioctl command */
566 /* mode(I) - mode flags associated with open descriptor */
567 /* uid(I) - uid associatd with application making the call */
568 /* ctx(I) - pointer for context */
569 /* */
570 /* This function handles all of the ioctls recognised by the auth component */
571 /* in IPFilter - ie ioctls called on an open fd for /dev/ipf_auth */
572 /* ------------------------------------------------------------------------ */
573 int
ipf_auth_ioctl(softc,data,cmd,mode,uid,ctx)574 ipf_auth_ioctl(softc, data, cmd, mode, uid, ctx)
575 ipf_main_softc_t *softc;
576 caddr_t data;
577 ioctlcmd_t cmd;
578 int mode, uid;
579 void *ctx;
580 {
581 ipf_auth_softc_t *softa = softc->ipf_auth_soft;
582 int error = 0, i;
583 SPL_INT(s);
584
585 switch (cmd)
586 {
587 case SIOCGENITER :
588 {
589 ipftoken_t *token;
590 ipfgeniter_t iter;
591 ipfobj_t obj;
592
593 error = ipf_inobj(softc, data, &obj, &iter, IPFOBJ_GENITER);
594 if (error != 0)
595 break;
596
597 SPL_SCHED(s);
598 token = ipf_token_find(softc, IPFGENITER_AUTH, uid, ctx);
599 if (token != NULL)
600 error = ipf_auth_geniter(softc, token, &iter, &obj);
601 else {
602 WRITE_ENTER(&softc->ipf_tokens);
603 ipf_token_deref(softc, token);
604 RWLOCK_EXIT(&softc->ipf_tokens);
605 IPFERROR(10001);
606 error = ESRCH;
607 }
608 SPL_X(s);
609
610 break;
611 }
612
613 case SIOCADAFR :
614 case SIOCRMAFR :
615 if (!(mode & FWRITE)) {
616 IPFERROR(10002);
617 error = EPERM;
618 } else
619 error = frrequest(softc, IPL_LOGAUTH, cmd, data,
620 softc->ipf_active, 1);
621 break;
622
623 case SIOCSTLCK :
624 if (!(mode & FWRITE)) {
625 IPFERROR(10003);
626 error = EPERM;
627 } else {
628 error = ipf_lock(data, &softa->ipf_auth_lock);
629 }
630 break;
631
632 case SIOCATHST:
633 softa->ipf_auth_stats.fas_faelist = softa->ipf_auth_entries;
634 error = ipf_outobj(softc, data, &softa->ipf_auth_stats,
635 IPFOBJ_AUTHSTAT);
636 break;
637
638 case SIOCIPFFL:
639 SPL_NET(s);
640 WRITE_ENTER(&softa->ipf_authlk);
641 i = ipf_auth_flush(softa);
642 RWLOCK_EXIT(&softa->ipf_authlk);
643 SPL_X(s);
644 error = BCOPYOUT(&i, data, sizeof(i));
645 if (error != 0) {
646 IPFERROR(10004);
647 error = EFAULT;
648 }
649 break;
650
651 case SIOCAUTHW:
652 error = ipf_auth_wait(softc, softa, data);
653 break;
654
655 case SIOCAUTHR:
656 error = ipf_auth_reply(softc, softa, data);
657 break;
658
659 default :
660 IPFERROR(10005);
661 error = EINVAL;
662 break;
663 }
664 return error;
665 }
666
667
668 /* ------------------------------------------------------------------------ */
669 /* Function: ipf_auth_expire */
670 /* Returns: None */
671 /* Parameters: None */
672 /* */
673 /* Slowly expire held auth records. Timeouts are set in expectation of */
674 /* this being called twice per second. */
675 /* ------------------------------------------------------------------------ */
676 void
ipf_auth_expire(softc)677 ipf_auth_expire(softc)
678 ipf_main_softc_t *softc;
679 {
680 ipf_auth_softc_t *softa = softc->ipf_auth_soft;
681 frauthent_t *fae, **faep;
682 frentry_t *fr, **frp;
683 frauth_t *fra;
684 mb_t *m;
685 int i;
686 SPL_INT(s);
687
688 if (softa->ipf_auth_lock)
689 return;
690 SPL_NET(s);
691 WRITE_ENTER(&softa->ipf_authlk);
692 for (i = 0, fra = softa->ipf_auth; i < softa->ipf_auth_size;
693 i++, fra++) {
694 fra->fra_age--;
695 if ((fra->fra_age == 0) &&
696 (softa->ipf_auth[i].fra_index != -1)) {
697 if ((m = softa->ipf_auth_pkts[i]) != NULL) {
698 FREE_MB_T(m);
699 softa->ipf_auth_pkts[i] = NULL;
700 } else if (softa->ipf_auth[i].fra_index == -2) {
701 softa->ipf_auth_replies--;
702 }
703 softa->ipf_auth[i].fra_index = -1;
704 softa->ipf_auth_stats.fas_expire++;
705 softa->ipf_auth_used--;
706 }
707 }
708
709 /*
710 * Expire pre-auth rules
711 */
712 for (faep = &softa->ipf_auth_entries; ((fae = *faep) != NULL); ) {
713 fae->fae_age--;
714 if (fae->fae_age == 0) {
715 ipf_auth_deref(&fae);
716 softa->ipf_auth_stats.fas_expire++;
717 } else
718 faep = &fae->fae_next;
719 }
720 if (softa->ipf_auth_entries != NULL)
721 softa->ipf_auth_ip = &softa->ipf_auth_entries->fae_fr;
722 else
723 softa->ipf_auth_ip = NULL;
724
725 for (frp = &softa->ipf_auth_rules; ((fr = *frp) != NULL); ) {
726 if (fr->fr_ref == 1) {
727 *frp = fr->fr_next;
728 MUTEX_DESTROY(&fr->fr_lock);
729 KFREE(fr);
730 } else
731 frp = &fr->fr_next;
732 }
733 RWLOCK_EXIT(&softa->ipf_authlk);
734 SPL_X(s);
735 }
736
737
738 /* ------------------------------------------------------------------------ */
739 /* Function: ipf_auth_precmd */
740 /* Returns: int - 0 == success, else error */
741 /* Parameters: cmd(I) - ioctl command for rule */
742 /* fr(I) - pointer to ipf rule */
743 /* fptr(I) - pointer to caller's 'fr' */
744 /* */
745 /* ------------------------------------------------------------------------ */
746 int
ipf_auth_precmd(softc,cmd,fr,frptr)747 ipf_auth_precmd(softc, cmd, fr, frptr)
748 ipf_main_softc_t *softc;
749 ioctlcmd_t cmd;
750 frentry_t *fr, **frptr;
751 {
752 ipf_auth_softc_t *softa = softc->ipf_auth_soft;
753 frauthent_t *fae, **faep;
754 int error = 0;
755 SPL_INT(s);
756
757 if ((cmd != SIOCADAFR) && (cmd != SIOCRMAFR)) {
758 IPFERROR(10006);
759 return EIO;
760 }
761
762 for (faep = &softa->ipf_auth_entries; ((fae = *faep) != NULL); ) {
763 if (&fae->fae_fr == fr)
764 break;
765 else
766 faep = &fae->fae_next;
767 }
768
769 if (cmd == (ioctlcmd_t)SIOCRMAFR) {
770 if (fr == NULL || frptr == NULL) {
771 IPFERROR(10007);
772 error = EINVAL;
773
774 } else if (fae == NULL) {
775 IPFERROR(10008);
776 error = ESRCH;
777
778 } else {
779 SPL_NET(s);
780 WRITE_ENTER(&softa->ipf_authlk);
781 *faep = fae->fae_next;
782 if (softa->ipf_auth_ip == &fae->fae_fr)
783 softa->ipf_auth_ip = softa->ipf_auth_entries ?
784 &softa->ipf_auth_entries->fae_fr : NULL;
785 RWLOCK_EXIT(&softa->ipf_authlk);
786 SPL_X(s);
787
788 KFREE(fae);
789 }
790 } else if (fr != NULL && frptr != NULL) {
791 KMALLOC(fae, frauthent_t *);
792 if (fae != NULL) {
793 bcopy((char *)fr, (char *)&fae->fae_fr,
794 sizeof(*fr));
795 SPL_NET(s);
796 WRITE_ENTER(&softa->ipf_authlk);
797 fae->fae_age = softa->ipf_auth_defaultage;
798 fae->fae_fr.fr_hits = 0;
799 fae->fae_fr.fr_next = *frptr;
800 fae->fae_ref = 1;
801 *frptr = &fae->fae_fr;
802 fae->fae_next = *faep;
803 *faep = fae;
804 softa->ipf_auth_ip = &softa->ipf_auth_entries->fae_fr;
805 RWLOCK_EXIT(&softa->ipf_authlk);
806 SPL_X(s);
807 } else {
808 IPFERROR(10009);
809 error = ENOMEM;
810 }
811 } else {
812 IPFERROR(10010);
813 error = EINVAL;
814 }
815 return error;
816 }
817
818
819 /* ------------------------------------------------------------------------ */
820 /* Function: ipf_auth_flush */
821 /* Returns: int - number of auth entries flushed */
822 /* Parameters: None */
823 /* Locks: WRITE(ipf_authlk) */
824 /* */
825 /* This function flushs the ipf_auth_pkts array of any packet data with */
826 /* references still there. */
827 /* It is expected that the caller has already acquired the correct locks or */
828 /* set the priority level correctly for this to block out other code paths */
829 /* into these data structures. */
830 /* ------------------------------------------------------------------------ */
831 static int
ipf_auth_flush(arg)832 ipf_auth_flush(arg)
833 void *arg;
834 {
835 ipf_auth_softc_t *softa = arg;
836 int i, num_flushed;
837 mb_t *m;
838
839 if (softa->ipf_auth_lock)
840 return -1;
841
842 num_flushed = 0;
843
844 for (i = 0 ; i < softa->ipf_auth_size; i++) {
845 if (softa->ipf_auth[i].fra_index != -1) {
846 m = softa->ipf_auth_pkts[i];
847 if (m != NULL) {
848 FREE_MB_T(m);
849 softa->ipf_auth_pkts[i] = NULL;
850 }
851
852 softa->ipf_auth[i].fra_index = -1;
853 /* perhaps add & use a flush counter inst.*/
854 softa->ipf_auth_stats.fas_expire++;
855 num_flushed++;
856 }
857 }
858
859 softa->ipf_auth_start = 0;
860 softa->ipf_auth_end = 0;
861 softa->ipf_auth_next = 0;
862 softa->ipf_auth_used = 0;
863 softa->ipf_auth_replies = 0;
864
865 return num_flushed;
866 }
867
868
869 /* ------------------------------------------------------------------------ */
870 /* Function: ipf_auth_waiting */
871 /* Returns: int - number of packets in the auth queue */
872 /* Parameters: None */
873 /* */
874 /* Simple truth check to see if there are any packets waiting in the auth */
875 /* queue. */
876 /* ------------------------------------------------------------------------ */
877 int
ipf_auth_waiting(softc)878 ipf_auth_waiting(softc)
879 ipf_main_softc_t *softc;
880 {
881 ipf_auth_softc_t *softa = softc->ipf_auth_soft;
882
883 return (softa->ipf_auth_used != 0);
884 }
885
886
887 /* ------------------------------------------------------------------------ */
888 /* Function: ipf_auth_geniter */
889 /* Returns: int - 0 == success, else error */
890 /* Parameters: token(I) - pointer to ipftoken structure */
891 /* itp(I) - pointer to ipfgeniter structure */
892 /* objp(I) - pointer to ipf object destription */
893 /* */
894 /* Iterate through the list of entries in the auth queue list. */
895 /* objp is used here to get the location of where to do the copy out to. */
896 /* Stomping over various fields with new information will not harm anything */
897 /* ------------------------------------------------------------------------ */
898 static int
ipf_auth_geniter(softc,token,itp,objp)899 ipf_auth_geniter(softc, token, itp, objp)
900 ipf_main_softc_t *softc;
901 ipftoken_t *token;
902 ipfgeniter_t *itp;
903 ipfobj_t *objp;
904 {
905 ipf_auth_softc_t *softa = softc->ipf_auth_soft;
906 frauthent_t *fae, *next, zero;
907 int error;
908
909 if (itp->igi_data == NULL) {
910 IPFERROR(10011);
911 return EFAULT;
912 }
913
914 if (itp->igi_type != IPFGENITER_AUTH) {
915 IPFERROR(10012);
916 return EINVAL;
917 }
918
919 objp->ipfo_type = IPFOBJ_FRAUTH;
920 objp->ipfo_ptr = itp->igi_data;
921 objp->ipfo_size = sizeof(frauth_t);
922
923 READ_ENTER(&softa->ipf_authlk);
924
925 fae = token->ipt_data;
926 if (fae == NULL) {
927 next = softa->ipf_auth_entries;
928 } else {
929 next = fae->fae_next;
930 }
931
932 /*
933 * If we found an auth entry to use, bump its reference count
934 * so that it can be used for is_next when we come back.
935 */
936 if (next != NULL) {
937 ATOMIC_INC(next->fae_ref);
938 token->ipt_data = next;
939 } else {
940 bzero(&zero, sizeof(zero));
941 next = &zero;
942 token->ipt_data = NULL;
943 }
944
945 RWLOCK_EXIT(&softa->ipf_authlk);
946
947 error = ipf_outobjk(softc, objp, next);
948 if (fae != NULL)
949 ipf_auth_deref_unlocked(softa, &fae);
950
951 if (next->fae_next == NULL)
952 ipf_token_mark_complete(token);
953 return error;
954 }
955
956
957 /* ------------------------------------------------------------------------ */
958 /* Function: ipf_auth_deref_unlocked */
959 /* Returns: None */
960 /* Parameters: faep(IO) - pointer to caller's frauthent_t pointer */
961 /* */
962 /* Wrapper for ipf_auth_deref for when a write lock on ipf_authlk is not */
963 /* held. */
964 /* ------------------------------------------------------------------------ */
965 static void
ipf_auth_deref_unlocked(softa,faep)966 ipf_auth_deref_unlocked(softa, faep)
967 ipf_auth_softc_t *softa;
968 frauthent_t **faep;
969 {
970 WRITE_ENTER(&softa->ipf_authlk);
971 ipf_auth_deref(faep);
972 RWLOCK_EXIT(&softa->ipf_authlk);
973 }
974
975
976 /* ------------------------------------------------------------------------ */
977 /* Function: ipf_auth_deref */
978 /* Returns: None */
979 /* Parameters: faep(IO) - pointer to caller's frauthent_t pointer */
980 /* Locks: WRITE(ipf_authlk) */
981 /* */
982 /* This function unconditionally sets the pointer in the caller to NULL, */
983 /* to make it clear that it should no longer use that pointer, and drops */
984 /* the reference count on the structure by 1. If it reaches 0, free it up. */
985 /* ------------------------------------------------------------------------ */
986 static void
ipf_auth_deref(faep)987 ipf_auth_deref(faep)
988 frauthent_t **faep;
989 {
990 frauthent_t *fae;
991
992 fae = *faep;
993 *faep = NULL;
994
995 fae->fae_ref--;
996 if (fae->fae_ref == 0) {
997 KFREE(fae);
998 }
999 }
1000
1001
1002 /* ------------------------------------------------------------------------ */
1003 /* Function: ipf_auth_wait_pkt */
1004 /* Returns: int - 0 == success, else error */
1005 /* Parameters: data(I) - pointer to data from ioctl call */
1006 /* */
1007 /* This function is called when an application is waiting for a packet to */
1008 /* match an "auth" rule by issuing an SIOCAUTHW ioctl. If there is already */
1009 /* a packet waiting on the queue then we will return that _one_ immediately.*/
1010 /* If there are no packets present in the queue (ipf_auth_pkts) then we go */
1011 /* to sleep. */
1012 /* ------------------------------------------------------------------------ */
1013 static int
ipf_auth_wait(softc,softa,data)1014 ipf_auth_wait(softc, softa, data)
1015 ipf_main_softc_t *softc;
1016 ipf_auth_softc_t *softa;
1017 char *data;
1018 {
1019 frauth_t auth, *au = &auth;
1020 int error, len, i;
1021 mb_t *m;
1022 char *t;
1023 SPL_INT(s);
1024
1025 ipf_auth_ioctlloop:
1026 error = ipf_inobj(softc, data, NULL, au, IPFOBJ_FRAUTH);
1027 if (error != 0)
1028 return error;
1029
1030 /*
1031 * XXX Locks are held below over calls to copyout...a better
1032 * solution needs to be found so this isn't necessary. The situation
1033 * we are trying to guard against here is an error in the copyout
1034 * steps should not cause the packet to "disappear" from the queue.
1035 */
1036 SPL_NET(s);
1037 READ_ENTER(&softa->ipf_authlk);
1038
1039 /*
1040 * If ipf_auth_next is not equal to ipf_auth_end it will be because
1041 * there is a packet waiting to be delt with in the ipf_auth_pkts
1042 * array. We copy as much of that out to user space as requested.
1043 */
1044 if (softa->ipf_auth_used > 0) {
1045 while (softa->ipf_auth_pkts[softa->ipf_auth_next] == NULL) {
1046 softa->ipf_auth_next++;
1047 if (softa->ipf_auth_next == softa->ipf_auth_size)
1048 softa->ipf_auth_next = 0;
1049 }
1050
1051 error = ipf_outobj(softc, data,
1052 &softa->ipf_auth[softa->ipf_auth_next],
1053 IPFOBJ_FRAUTH);
1054 if (error != 0) {
1055 RWLOCK_EXIT(&softa->ipf_authlk);
1056 SPL_X(s);
1057 return error;
1058 }
1059
1060 if (auth.fra_len != 0 && auth.fra_buf != NULL) {
1061 /*
1062 * Copy packet contents out to user space if
1063 * requested. Bail on an error.
1064 */
1065 m = softa->ipf_auth_pkts[softa->ipf_auth_next];
1066 len = MSGDSIZE(m);
1067 if (len > auth.fra_len)
1068 len = auth.fra_len;
1069 auth.fra_len = len;
1070
1071 for (t = auth.fra_buf; m && (len > 0); ) {
1072 i = MIN(M_LEN(m), len);
1073 error = copyoutptr(softc, MTOD(m, char *),
1074 &t, i);
1075 len -= i;
1076 t += i;
1077 if (error != 0) {
1078 RWLOCK_EXIT(&softa->ipf_authlk);
1079 SPL_X(s);
1080 return error;
1081 }
1082 m = m->m_next;
1083 }
1084 }
1085 RWLOCK_EXIT(&softa->ipf_authlk);
1086
1087 SPL_NET(s);
1088 WRITE_ENTER(&softa->ipf_authlk);
1089 softa->ipf_auth_next++;
1090 if (softa->ipf_auth_next == softa->ipf_auth_size)
1091 softa->ipf_auth_next = 0;
1092 RWLOCK_EXIT(&softa->ipf_authlk);
1093 SPL_X(s);
1094
1095 return 0;
1096 }
1097 RWLOCK_EXIT(&softa->ipf_authlk);
1098 SPL_X(s);
1099
1100 MUTEX_ENTER(&softa->ipf_auth_mx);
1101 #ifdef _KERNEL
1102 # if SOLARIS
1103 error = 0;
1104 if (!cv_wait_sig(&softa->ipf_auth_wait, &softa->ipf_auth_mx.ipf_lk)) {
1105 IPFERROR(10014);
1106 error = EINTR;
1107 }
1108 # else /* SOLARIS */
1109 # ifdef __hpux
1110 {
1111 lock_t *l;
1112
1113 l = get_sleep_lock(&softa->ipf_auth_next);
1114 error = sleep(&softa->ipf_auth_next, PZERO+1);
1115 spinunlock(l);
1116 }
1117 # else
1118 # ifdef __osf__
1119 error = mpsleep(&softa->ipf_auth_next, PSUSP|PCATCH, "ipf_auth_next",
1120 0, &softa->ipf_auth_mx, MS_LOCK_SIMPLE);
1121 # else
1122 error = SLEEP(&softa->ipf_auth_next, "ipf_auth_next");
1123 # endif /* __osf__ */
1124 # endif /* __hpux */
1125 # endif /* SOLARIS */
1126 #endif
1127 MUTEX_EXIT(&softa->ipf_auth_mx);
1128 if (error == 0)
1129 goto ipf_auth_ioctlloop;
1130 return error;
1131 }
1132
1133
1134 /* ------------------------------------------------------------------------ */
1135 /* Function: ipf_auth_reply */
1136 /* Returns: int - 0 == success, else error */
1137 /* Parameters: data(I) - pointer to data from ioctl call */
1138 /* */
1139 /* This function is called by an application when it wants to return a */
1140 /* decision on a packet using the SIOCAUTHR ioctl. This is after it has */
1141 /* received information using an SIOCAUTHW. The decision returned in the */
1142 /* form of flags, the same as those used in each rule. */
1143 /* ------------------------------------------------------------------------ */
1144 static int
ipf_auth_reply(softc,softa,data)1145 ipf_auth_reply(softc, softa, data)
1146 ipf_main_softc_t *softc;
1147 ipf_auth_softc_t *softa;
1148 char *data;
1149 {
1150 frauth_t auth, *au = &auth, *fra;
1151 fr_info_t fin;
1152 int error, i;
1153 mb_t *m;
1154 SPL_INT(s);
1155
1156 error = ipf_inobj(softc, data, NULL, &auth, IPFOBJ_FRAUTH);
1157 if (error != 0)
1158 return error;
1159
1160 SPL_NET(s);
1161 WRITE_ENTER(&softa->ipf_authlk);
1162
1163 i = au->fra_index;
1164 fra = softa->ipf_auth + i;
1165 error = 0;
1166
1167 /*
1168 * Check the validity of the information being returned with two simple
1169 * checks. First, the auth index value should be within the size of
1170 * the array and second the packet id being returned should also match.
1171 */
1172 if ((i < 0) || (i >= softa->ipf_auth_size)) {
1173 RWLOCK_EXIT(&softa->ipf_authlk);
1174 SPL_X(s);
1175 IPFERROR(10015);
1176 return ESRCH;
1177 }
1178 if (fra->fra_info.fin_id != au->fra_info.fin_id) {
1179 RWLOCK_EXIT(&softa->ipf_authlk);
1180 SPL_X(s);
1181 IPFERROR(10019);
1182 return ESRCH;
1183 }
1184
1185 m = softa->ipf_auth_pkts[i];
1186 fra->fra_index = -2;
1187 fra->fra_pass = au->fra_pass;
1188 softa->ipf_auth_pkts[i] = NULL;
1189 softa->ipf_auth_replies++;
1190 bcopy(&fra->fra_info, &fin, sizeof(fin));
1191
1192 RWLOCK_EXIT(&softa->ipf_authlk);
1193
1194 /*
1195 * Re-insert the packet back into the packet stream flowing through
1196 * the kernel in a manner that will mean IPFilter sees the packet
1197 * again. This is not the same as is done with fastroute,
1198 * deliberately, as we want to resume the normal packet processing
1199 * path for it.
1200 */
1201 #ifdef _KERNEL
1202 if ((m != NULL) && (au->fra_info.fin_out != 0)) {
1203 error = ipf_inject(&fin, m);
1204 if (error != 0) {
1205 IPFERROR(10016);
1206 error = ENOBUFS;
1207 softa->ipf_auth_stats.fas_sendfail++;
1208 } else {
1209 softa->ipf_auth_stats.fas_sendok++;
1210 }
1211 } else if (m) {
1212 error = ipf_inject(&fin, m);
1213 if (error != 0) {
1214 IPFERROR(10017);
1215 error = ENOBUFS;
1216 softa->ipf_auth_stats.fas_quefail++;
1217 } else {
1218 softa->ipf_auth_stats.fas_queok++;
1219 }
1220 } else {
1221 IPFERROR(10018);
1222 error = EINVAL;
1223 }
1224
1225 /*
1226 * If we experience an error which will result in the packet
1227 * not being processed, make sure we advance to the next one.
1228 */
1229 if (error == ENOBUFS) {
1230 WRITE_ENTER(&softa->ipf_authlk);
1231 softa->ipf_auth_used--;
1232 fra->fra_index = -1;
1233 fra->fra_pass = 0;
1234 if (i == softa->ipf_auth_start) {
1235 while (fra->fra_index == -1) {
1236 i++;
1237 if (i == softa->ipf_auth_size)
1238 i = 0;
1239 softa->ipf_auth_start = i;
1240 if (i == softa->ipf_auth_end)
1241 break;
1242 }
1243 if (softa->ipf_auth_start == softa->ipf_auth_end) {
1244 softa->ipf_auth_next = 0;
1245 softa->ipf_auth_start = 0;
1246 softa->ipf_auth_end = 0;
1247 }
1248 }
1249 RWLOCK_EXIT(&softa->ipf_authlk);
1250 }
1251 #endif /* _KERNEL */
1252 SPL_X(s);
1253
1254 return 0;
1255 }
1256
1257
1258 u_32_t
ipf_auth_pre_scanlist(softc,fin,pass)1259 ipf_auth_pre_scanlist(softc, fin, pass)
1260 ipf_main_softc_t *softc;
1261 fr_info_t *fin;
1262 u_32_t pass;
1263 {
1264 ipf_auth_softc_t *softa = softc->ipf_auth_soft;
1265
1266 if (softa->ipf_auth_ip != NULL)
1267 return ipf_scanlist(fin, softc->ipf_pass);
1268
1269 return pass;
1270 }
1271
1272
1273 frentry_t **
ipf_auth_rulehead(softc)1274 ipf_auth_rulehead(softc)
1275 ipf_main_softc_t *softc;
1276 {
1277 ipf_auth_softc_t *softa = softc->ipf_auth_soft;
1278
1279 return &softa->ipf_auth_ip;
1280 }
1281