/*	$NetBSD: throttle.c,v 1.4 2006/09/09 16:22:10 manu Exp $	*/

/* Id: throttle.c,v 1.5 2006/04/05 20:54:50 manubsd Exp */

/*
 * Copyright (C) 2004 Emmanuel Dreyfus
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. Neither the name of the project nor the names of its contributors
 *    may be used to endorse or promote products derived from this software
 *    without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 */

#include "config.h"

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#if TIME_WITH_SYS_TIME
# include <sys/time.h>
# include <time.h>
#else
# if HAVE_SYS_TIME_H
#  include <sys/time.h>
# else
#  include <time.h>
# endif
#endif
#include <sys/param.h>
#include <sys/queue.h>
#include <sys/socket.h>

#include <netinet/in.h>
#include <resolv.h>

#include "vmbuf.h"
#include "misc.h"
#include "plog.h"
#include "throttle.h"
#include "sockmisc.h"
#include "libpfkey.h"
#include "isakmp_var.h"
#include "isakmp.h"
#include "isakmp_xauth.h"
#include "isakmp_cfg.h"
#include "gcmalloc.h"

/*
 * Global queue of hosts that currently carry an authentication penalty.
 * Entries are created by throttle_add() and expired by throttle_host().
 *
 * NOTE(review): nothing in this file bounds the number of entries, and
 * stale entries are only reclaimed when throttle_host() runs. Whether the
 * list can be grown by a remote peer depends on when the caller reports
 * authfail -- confirm against the call sites.
 */
struct throttle_list throttle_list = TAILQ_HEAD_INITIALIZER(throttle_list);


/*
 * Record a new throttled host.
 *
 * The entry is allocated short: the space of a full sockaddr_storage is
 * subtracted and only sysdep_sa_len(addr) bytes are added back, so code
 * touching te->host must not read past the copied address length.
 * (presumably host is the trailing sockaddr_storage member of
 * struct throttle_entry -- verify in throttle.h)
 *
 * The initial penalty expires isakmp_cfg_config.auth_throttle seconds from
 * now. The entry is linked at the head of throttle_list.
 *
 * Returns the new entry, or NULL when racoon_malloc() fails.
 */
struct throttle_entry *
throttle_add(struct sockaddr *addr)
{
	struct throttle_entry *entry;
	size_t salen;
	size_t alloc_len;

	salen = sysdep_sa_len(addr);
	alloc_len = sizeof(*entry) - sizeof(struct sockaddr_storage) + salen;

	entry = racoon_malloc(alloc_len);
	if (entry == NULL)
		return NULL;

	memcpy(&entry->host, addr, salen);
	entry->penalty = time(NULL) + isakmp_cfg_config.auth_throttle;
	TAILQ_INSERT_HEAD(&throttle_list, entry, next);

	return entry;
}

/*
 * Look up (and, on authentication failure, update) the penalty for a host.
 *
 *   addr      peer address to look up
 *   authfail  non-zero when the caller is reporting a failed authentication
 *
 * Returns 0 when throttling is disabled (auth_throttle == 0) or when the
 * host had no live entry and a needed entry could be recorded; otherwise
 * returns the entry's penalty, which is a time() based expiry value.
 *
 * NOTE(review): the penalty is computed in time_t but returned as int, so
 * the value is narrowed on return -- confirm callers tolerate that.
 * NOTE(review): hosts are matched with cmpsaddrwop(); the name suggests the
 * port is ignored, which would make the penalty per address and shared by
 * every client behind the same NAT -- confirm in sockmisc.
 */
int
throttle_host(struct sockaddr *addr, int authfail)
{
	struct throttle_entry *entry;
	time_t now;
	int matched = 0;

	/* Throttling switched off in the configuration. */
	if (isakmp_cfg_config.auth_throttle == 0)
		return 0;

	now = time(NULL);

rescan:
	RACOON_TAILQ_FOREACH_REVERSE(entry, &throttle_list, throttle_list, next) {
		/*
		 * Drop expired entries. The iterator is invalid once the
		 * element is freed, so start the walk over.
		 */
		if (entry->penalty < now) {
			TAILQ_REMOVE(&throttle_list, entry, next);
			racoon_free(entry);
			goto rescan;
		}

		if (cmpsaddrwop(addr, (struct sockaddr *)&entry->host) == 0) {
			matched = 1;
			break;
		}
	}

	if (!matched) {
		/*
		 * Unknown host. A first failure is recorded but not
		 * penalised; the penalty only applies from the next call.
		 */
		if (!authfail)
			return 0;

		if (throttle_add(addr) != NULL)
			return 0;

		/*
		 * The failure could not be recorded: penalise this attempt
		 * anyway rather than letting it through for free.
		 */
		plog(LLV_ERROR, LOCATION, NULL,
		    "Throttle insertion failed\n");
		return (time(NULL)
		    + isakmp_cfg_config.auth_throttle);
	}

	/*
	 * Known host failing again: extend the time still to serve by one
	 * auth_throttle step, capped at THROTTLE_PENALTY_MAX from now.
	 */
	if (authfail) {
		time_t left = entry->penalty - now;
		time_t extended = left + isakmp_cfg_config.auth_throttle;

		if (extended > THROTTLE_PENALTY_MAX)
			extended = THROTTLE_PENALTY_MAX;

		entry->penalty = now + extended;
	}

	return entry->penalty;
}