xref: /freebsd/sys/net/if_enc.c (revision 2b8331622f0b212cf3bb4fc4914a501e5321d506)
1 /*-
2  * SPDX-License-Identifier: BSD-2-Clause-FreeBSD
3  *
4  * Copyright (c) 2006 The FreeBSD Project.
5  * Copyright (c) 2015 Andrey V. Elsukov <ae@FreeBSD.org>
6  * All rights reserved.
7  *
8  * Redistribution and use in source and binary forms, with or without
9  * modification, are permitted provided that the following conditions
10  * are met:
11  *
12  * 1. Redistributions of source code must retain the above copyright
13  *    notice, this list of conditions and the following disclaimer.
14  * 2. Redistributions in binary form must reproduce the above copyright
15  *    notice, this list of conditions and the following disclaimer in the
16  *    documentation and/or other materials provided with the distribution.
17  *
18  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
19  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
20  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
21  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
22  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
23  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
24  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
25  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
26  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
27  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
28  * SUCH DAMAGE.
29  *
30  * $FreeBSD$
31  */
32 
33 #include "opt_inet.h"
34 #include "opt_inet6.h"
35 #include "opt_ipsec.h"
36 
37 #include <sys/param.h>
38 #include <sys/systm.h>
39 #include <sys/hhook.h>
40 #include <sys/kernel.h>
41 #include <sys/malloc.h>
42 #include <sys/mbuf.h>
43 #include <sys/module.h>
44 #include <machine/bus.h>
45 #include <sys/rman.h>
46 #include <sys/socket.h>
47 #include <sys/sockio.h>
48 #include <sys/sysctl.h>
49 
50 #include <net/if.h>
51 #include <net/if_enc.h>
52 #include <net/if_var.h>
53 #include <net/if_private.h>
54 #include <net/if_clone.h>
55 #include <net/if_types.h>
56 #include <net/pfil.h>
57 #include <net/route.h>
58 #include <net/netisr.h>
59 #include <net/bpf.h>
60 #include <net/vnet.h>
61 
62 #include <netinet/in.h>
63 #include <netinet/in_systm.h>
64 #include <netinet/ip.h>
65 #include <netinet/ip_var.h>
66 #include <netinet/in_var.h>
67 
68 #ifdef INET6
69 #include <netinet/ip6.h>
70 #include <netinet6/ip6_var.h>
71 #endif
72 
73 #include <netipsec/ipsec.h>
74 #include <netipsec/xform.h>
75 
76 #define ENCMTU		(1024+512)
77 
78 /* XXX this define must have the same value as in OpenBSD */
79 #define M_CONF		0x0400	/* payload was encrypted (ESP-transport) */
80 #define M_AUTH		0x0800	/* payload was authenticated (AH or ESP auth) */
81 #define M_AUTH_AH	0x2000	/* header was authenticated (AH) */
82 
83 struct enchdr {
84 	u_int32_t af;
85 	u_int32_t spi;
86 	u_int32_t flags;
87 };
88 struct enc_softc {
89 	struct	ifnet *sc_ifp;
90 };
91 VNET_DEFINE_STATIC(struct enc_softc *, enc_sc);
92 #define	V_enc_sc	VNET(enc_sc)
93 VNET_DEFINE_STATIC(struct if_clone *, enc_cloner);
94 #define	V_enc_cloner	VNET(enc_cloner)
95 
96 static int	enc_ioctl(struct ifnet *, u_long, caddr_t);
97 static int	enc_output(struct ifnet *, struct mbuf *,
98     const struct sockaddr *, struct route *);
99 static int	enc_clone_create(struct if_clone *, int, caddr_t);
100 static void	enc_clone_destroy(struct ifnet *);
101 static int	enc_add_hhooks(struct enc_softc *);
102 static void	enc_remove_hhooks(struct enc_softc *);
103 
104 static const char encname[] = "enc";
105 
106 #define	IPSEC_ENC_AFTER_PFIL	0x04
107 /*
108  * Before and after are relative to when we are stripping the
109  * outer IP header.
110  *
111  * AFTER_PFIL flag used only for bpf_mask_*. It enables BPF capturing
112  * after PFIL hook execution. It might be useful when PFIL hook does
113  * some changes to the packet, e.g. address translation. If PFIL hook
114  * consumes mbuf, nothing will be captured.
115  */
116 VNET_DEFINE_STATIC(int, filter_mask_in) = IPSEC_ENC_BEFORE;
117 VNET_DEFINE_STATIC(int, bpf_mask_in) = IPSEC_ENC_BEFORE;
118 VNET_DEFINE_STATIC(int, filter_mask_out) = IPSEC_ENC_BEFORE;
119 VNET_DEFINE_STATIC(int, bpf_mask_out) = IPSEC_ENC_BEFORE | IPSEC_ENC_AFTER;
120 #define	V_filter_mask_in	VNET(filter_mask_in)
121 #define	V_bpf_mask_in		VNET(bpf_mask_in)
122 #define	V_filter_mask_out	VNET(filter_mask_out)
123 #define	V_bpf_mask_out		VNET(bpf_mask_out)
124 
125 static SYSCTL_NODE(_net, OID_AUTO, enc, CTLFLAG_RW | CTLFLAG_MPSAFE, 0,
126     "enc sysctl");
127 static SYSCTL_NODE(_net_enc, OID_AUTO, in, CTLFLAG_RW | CTLFLAG_MPSAFE, 0,
128     "enc input sysctl");
129 static SYSCTL_NODE(_net_enc, OID_AUTO, out, CTLFLAG_RW | CTLFLAG_MPSAFE, 0,
130     "enc output sysctl");
131 SYSCTL_INT(_net_enc_in, OID_AUTO, ipsec_filter_mask,
132     CTLFLAG_RW | CTLFLAG_VNET, &VNET_NAME(filter_mask_in), 0,
133     "IPsec input firewall filter mask");
134 SYSCTL_INT(_net_enc_in, OID_AUTO, ipsec_bpf_mask,
135     CTLFLAG_RW | CTLFLAG_VNET, &VNET_NAME(bpf_mask_in), 0,
136     "IPsec input bpf mask");
137 SYSCTL_INT(_net_enc_out, OID_AUTO, ipsec_filter_mask,
138     CTLFLAG_RW | CTLFLAG_VNET, &VNET_NAME(filter_mask_out), 0,
139     "IPsec output firewall filter mask");
140 SYSCTL_INT(_net_enc_out, OID_AUTO, ipsec_bpf_mask,
141     CTLFLAG_RW | CTLFLAG_VNET, &VNET_NAME(bpf_mask_out), 0,
142     "IPsec output bpf mask");
143 
144 static void
145 enc_clone_destroy(struct ifnet *ifp)
146 {
147 	struct enc_softc *sc;
148 
149 	sc = ifp->if_softc;
150 	KASSERT(sc == V_enc_sc, ("sc != ifp->if_softc"));
151 
152 	bpfdetach(ifp);
153 	if_detach(ifp);
154 	if_free(ifp);
155 	free(sc, M_DEVBUF);
156 	V_enc_sc = NULL;
157 }
158 
159 static int
160 enc_clone_create(struct if_clone *ifc, int unit, caddr_t params)
161 {
162 	struct ifnet *ifp;
163 	struct enc_softc *sc;
164 
165 	sc = malloc(sizeof(struct enc_softc), M_DEVBUF,
166 	    M_WAITOK | M_ZERO);
167 	ifp = sc->sc_ifp = if_alloc(IFT_ENC);
168 	if (ifp == NULL) {
169 		free(sc, M_DEVBUF);
170 		return (ENOSPC);
171 	}
172 	if (V_enc_sc != NULL) {
173 		if_free(ifp);
174 		free(sc, M_DEVBUF);
175 		return (EEXIST);
176 	}
177 	V_enc_sc = sc;
178 	if_initname(ifp, encname, unit);
179 	ifp->if_mtu = ENCMTU;
180 	ifp->if_ioctl = enc_ioctl;
181 	ifp->if_output = enc_output;
182 	ifp->if_softc = sc;
183 	if_attach(ifp);
184 	bpfattach(ifp, DLT_ENC, sizeof(struct enchdr));
185 	return (0);
186 }
187 
188 static int
189 enc_output(struct ifnet *ifp, struct mbuf *m, const struct sockaddr *dst,
190     struct route *ro)
191 {
192 
193 	m_freem(m);
194 	return (0);
195 }
196 
197 static int
198 enc_ioctl(struct ifnet *ifp, u_long cmd, caddr_t data)
199 {
200 
201 	if (cmd != SIOCSIFFLAGS)
202 		return (EINVAL);
203 	if (ifp->if_flags & IFF_UP)
204 		ifp->if_drv_flags |= IFF_DRV_RUNNING;
205 	else
206 		ifp->if_drv_flags &= ~IFF_DRV_RUNNING;
207 	return (0);
208 }
209 
210 static void
211 enc_bpftap(struct ifnet *ifp, struct mbuf *m, const struct secasvar *sav,
212     int32_t hhook_type, uint8_t enc, uint8_t af)
213 {
214 	struct enchdr hdr;
215 
216 	if (hhook_type == HHOOK_TYPE_IPSEC_IN &&
217 	    (enc & V_bpf_mask_in) == 0)
218 		return;
219 	else if (hhook_type == HHOOK_TYPE_IPSEC_OUT &&
220 	    (enc & V_bpf_mask_out) == 0)
221 		return;
222 	if (bpf_peers_present(ifp->if_bpf) == 0)
223 		return;
224 	hdr.af = af;
225 	hdr.spi = sav->spi;
226 	hdr.flags = 0;
227 	if (sav->alg_enc != SADB_EALG_NONE)
228 		hdr.flags |= M_CONF;
229 	if (sav->alg_auth != SADB_AALG_NONE)
230 		hdr.flags |= M_AUTH;
231 	bpf_mtap2(ifp->if_bpf, &hdr, sizeof(hdr), m);
232 }
233 
234 /*
235  * One helper hook function is used by any hook points.
236  * + from hhook_type we can determine the packet direction:
237  *   HHOOK_TYPE_IPSEC_IN or HHOOK_TYPE_IPSEC_OUT;
238  * + from hhook_id we can determine address family: AF_INET or AF_INET6;
239  * + udata contains pointer to enc_softc;
240  * + ctx_data contains pointer to struct ipsec_ctx_data.
241  */
242 static int
243 enc_hhook(int32_t hhook_type, int32_t hhook_id, void *udata, void *ctx_data,
244     void *hdata, struct osd *hosd)
245 {
246 	struct ipsec_ctx_data *ctx;
247 	struct enc_softc *sc;
248 	struct ifnet *ifp, *rcvif;
249 	struct pfil_head *ph;
250 	int pdir, ret;
251 
252 	sc = (struct enc_softc *)udata;
253 	ifp = sc->sc_ifp;
254 	if ((ifp->if_flags & IFF_UP) == 0)
255 		return (0);
256 
257 	ctx = (struct ipsec_ctx_data *)ctx_data;
258 	/* XXX: wrong hook point was used by caller? */
259 	if (ctx->af != hhook_id)
260 		return (EPFNOSUPPORT);
261 
262 	enc_bpftap(ifp, *ctx->mp, ctx->sav, hhook_type, ctx->enc, ctx->af);
263 	switch (hhook_type) {
264 	case HHOOK_TYPE_IPSEC_IN:
265 		if (ctx->enc == IPSEC_ENC_BEFORE) {
266 			/* Do accounting only once */
267 			if_inc_counter(ifp, IFCOUNTER_IPACKETS, 1);
268 			if_inc_counter(ifp, IFCOUNTER_IBYTES,
269 			    (*ctx->mp)->m_pkthdr.len);
270 		}
271 		if ((ctx->enc & V_filter_mask_in) == 0)
272 			return (0); /* skip pfil processing */
273 		pdir = PFIL_IN;
274 		break;
275 	case HHOOK_TYPE_IPSEC_OUT:
276 		if (ctx->enc == IPSEC_ENC_BEFORE) {
277 			/* Do accounting only once */
278 			if_inc_counter(ifp, IFCOUNTER_OPACKETS, 1);
279 			if_inc_counter(ifp, IFCOUNTER_OBYTES,
280 			    (*ctx->mp)->m_pkthdr.len);
281 		}
282 		if ((ctx->enc & V_filter_mask_out) == 0)
283 			return (0); /* skip pfil processing */
284 		pdir = PFIL_OUT;
285 		break;
286 	default:
287 		return (EINVAL);
288 	}
289 
290 	switch (hhook_id) {
291 #ifdef INET
292 	case AF_INET:
293 		ph = V_inet_pfil_head;
294 		break;
295 #endif
296 #ifdef INET6
297 	case AF_INET6:
298 		ph = V_inet6_pfil_head;
299 		break;
300 #endif
301 	default:
302 		ph = NULL;
303 	}
304 	if (ph == NULL || (pdir == PFIL_OUT && !PFIL_HOOKED_OUT(ph)) ||
305 	    (pdir == PFIL_IN && !PFIL_HOOKED_IN(ph)))
306 		return (0);
307 	/* Make a packet looks like it was received on enc(4) */
308 	rcvif = (*ctx->mp)->m_pkthdr.rcvif;
309 	(*ctx->mp)->m_pkthdr.rcvif = ifp;
310 	if (pdir == PFIL_IN)
311 		ret = pfil_mbuf_in(ph, ctx->mp, ifp, ctx->inp);
312 	else
313 		ret = pfil_mbuf_out(ph, ctx->mp, ifp, ctx->inp);
314 	if (ret != PFIL_PASS) {
315 		*ctx->mp = NULL; /* consumed by filter */
316 		return (EACCES);
317 	}
318 	(*ctx->mp)->m_pkthdr.rcvif = rcvif;
319 	enc_bpftap(ifp, *ctx->mp, ctx->sav, hhook_type,
320 	    IPSEC_ENC_AFTER_PFIL, ctx->af);
321 	return (0);
322 }
323 
324 static int
325 enc_add_hhooks(struct enc_softc *sc)
326 {
327 	struct hookinfo hki;
328 	int error;
329 
330 	error = EPFNOSUPPORT;
331 	hki.hook_func = enc_hhook;
332 	hki.hook_helper = NULL;
333 	hki.hook_udata = sc;
334 #ifdef INET
335 	hki.hook_id = AF_INET;
336 	hki.hook_type = HHOOK_TYPE_IPSEC_IN;
337 	error = hhook_add_hook(V_ipsec_hhh_in[HHOOK_IPSEC_INET],
338 	    &hki, HHOOK_WAITOK);
339 	if (error != 0)
340 		return (error);
341 	hki.hook_type = HHOOK_TYPE_IPSEC_OUT;
342 	error = hhook_add_hook(V_ipsec_hhh_out[HHOOK_IPSEC_INET],
343 	    &hki, HHOOK_WAITOK);
344 	if (error != 0)
345 		return (error);
346 #endif
347 #ifdef INET6
348 	hki.hook_id = AF_INET6;
349 	hki.hook_type = HHOOK_TYPE_IPSEC_IN;
350 	error = hhook_add_hook(V_ipsec_hhh_in[HHOOK_IPSEC_INET6],
351 	    &hki, HHOOK_WAITOK);
352 	if (error != 0)
353 		return (error);
354 	hki.hook_type = HHOOK_TYPE_IPSEC_OUT;
355 	error = hhook_add_hook(V_ipsec_hhh_out[HHOOK_IPSEC_INET6],
356 	    &hki, HHOOK_WAITOK);
357 	if (error != 0)
358 		return (error);
359 #endif
360 	return (error);
361 }
362 
363 static void
364 enc_remove_hhooks(struct enc_softc *sc)
365 {
366 	struct hookinfo hki;
367 
368 	hki.hook_func = enc_hhook;
369 	hki.hook_helper = NULL;
370 	hki.hook_udata = sc;
371 #ifdef INET
372 	hki.hook_id = AF_INET;
373 	hki.hook_type = HHOOK_TYPE_IPSEC_IN;
374 	hhook_remove_hook(V_ipsec_hhh_in[HHOOK_IPSEC_INET], &hki);
375 	hki.hook_type = HHOOK_TYPE_IPSEC_OUT;
376 	hhook_remove_hook(V_ipsec_hhh_out[HHOOK_IPSEC_INET], &hki);
377 #endif
378 #ifdef INET6
379 	hki.hook_id = AF_INET6;
380 	hki.hook_type = HHOOK_TYPE_IPSEC_IN;
381 	hhook_remove_hook(V_ipsec_hhh_in[HHOOK_IPSEC_INET6], &hki);
382 	hki.hook_type = HHOOK_TYPE_IPSEC_OUT;
383 	hhook_remove_hook(V_ipsec_hhh_out[HHOOK_IPSEC_INET6], &hki);
384 #endif
385 }
386 
387 static void
388 vnet_enc_init(const void *unused __unused)
389 {
390 
391 	V_enc_sc = NULL;
392 	V_enc_cloner = if_clone_simple(encname, enc_clone_create,
393 	    enc_clone_destroy, 1);
394 }
395 VNET_SYSINIT(vnet_enc_init, SI_SUB_PSEUDO, SI_ORDER_ANY,
396     vnet_enc_init, NULL);
397 
398 static void
399 vnet_enc_init_proto(void *unused __unused)
400 {
401 	KASSERT(V_enc_sc != NULL, ("%s: V_enc_sc is %p\n", __func__, V_enc_sc));
402 
403 	if (enc_add_hhooks(V_enc_sc) != 0)
404 		enc_clone_destroy(V_enc_sc->sc_ifp);
405 }
406 VNET_SYSINIT(vnet_enc_init_proto, SI_SUB_PROTO_IFATTACHDOMAIN, SI_ORDER_ANY,
407     vnet_enc_init_proto, NULL);
408 
409 static void
410 vnet_enc_uninit(const void *unused __unused)
411 {
412 	KASSERT(V_enc_sc != NULL, ("%s: V_enc_sc is %p\n", __func__, V_enc_sc));
413 
414 	if_clone_detach(V_enc_cloner);
415 }
416 VNET_SYSUNINIT(vnet_enc_uninit, SI_SUB_INIT_IF, SI_ORDER_ANY,
417     vnet_enc_uninit, NULL);
418 
419 /*
420  * The hhook consumer needs to go before ip[6]_destroy are called on
421  * SI_ORDER_THIRD.
422  */
423 static void
424 vnet_enc_uninit_hhook(const void *unused __unused)
425 {
426 	KASSERT(V_enc_sc != NULL, ("%s: V_enc_sc is %p\n", __func__, V_enc_sc));
427 
428 	enc_remove_hhooks(V_enc_sc);
429 }
430 VNET_SYSUNINIT(vnet_enc_uninit_hhook, SI_SUB_PROTO_DOMAIN, SI_ORDER_FOURTH,
431     vnet_enc_uninit_hhook, NULL);
432 
433 static int
434 enc_modevent(module_t mod, int type, void *data)
435 {
436 
437 	switch (type) {
438 	case MOD_LOAD:
439 	case MOD_UNLOAD:
440 		break;
441 	default:
442 		return (EOPNOTSUPP);
443 	}
444 	return (0);
445 }
446 
447 static moduledata_t enc_mod = {
448 	"if_enc",
449 	enc_modevent,
450 	0
451 };
452 
453 DECLARE_MODULE(if_enc, enc_mod, SI_SUB_PSEUDO, SI_ORDER_ANY);
454 MODULE_VERSION(if_enc, 1);
455