1 /*- 2 * Copyright (c) 2016-2018 Yandex LLC 3 * Copyright (c) 2016-2018 Andrey V. Elsukov <ae@FreeBSD.org> 4 * All rights reserved. 5 * 6 * Redistribution and use in source and binary forms, with or without 7 * modification, are permitted provided that the following conditions 8 * are met: 9 * 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 2. Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer in the 14 * documentation and/or other materials provided with the distribution. 15 * 16 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 17 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 18 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 19 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 20 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 21 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 22 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 23 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 24 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 25 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 26 */ 27 28 #include <sys/cdefs.h> 29 __FBSDID("$FreeBSD$"); 30 31 #include "opt_inet.h" 32 #include "opt_inet6.h" 33 #include "opt_ipsec.h" 34 35 #include <sys/param.h> 36 #include <sys/systm.h> 37 #include <sys/kernel.h> 38 #include <sys/fnv_hash.h> 39 #include <sys/jail.h> 40 #include <sys/lock.h> 41 #include <sys/malloc.h> 42 #include <sys/mbuf.h> 43 #include <sys/module.h> 44 #include <sys/socket.h> 45 #include <sys/sockio.h> 46 #include <sys/sx.h> 47 #include <sys/errno.h> 48 #include <sys/sysctl.h> 49 #include <sys/priv.h> 50 #include <sys/proc.h> 51 #include <sys/conf.h> 52 53 #include <net/if.h> 54 #include <net/if_var.h> 55 #include <net/if_clone.h> 56 #include <net/if_types.h> 57 #include <net/bpf.h> 58 #include <net/route.h> 59 #include <net/vnet.h> 60 61 #include <netinet/in.h> 62 #include <netinet/in_var.h> 63 #include <netinet/ip.h> 64 #include <netinet/ip_encap.h> 65 66 #include <netinet/ip6.h> 67 #include <netinet6/in6_var.h> 68 #include <netinet6/scope6_var.h> 69 70 #include <netipsec/ipsec.h> 71 #ifdef INET6 72 #include <netipsec/ipsec6.h> 73 #endif 74 75 #include <net/if_ipsec.h> 76 #include <netipsec/key.h> 77 78 #include <security/mac/mac_framework.h> 79 80 static MALLOC_DEFINE(M_IPSEC, "ipsec", "IPsec Virtual Tunnel Interface"); 81 static const char ipsecname[] = "ipsec"; 82 83 #if defined(INET) && defined(INET6) 84 #define IPSEC_SPCOUNT 4 85 #else 86 #define IPSEC_SPCOUNT 2 87 #endif 88 89 struct ipsec_softc { 90 struct ifnet *ifp; 91 struct secpolicy *sp[IPSEC_SPCOUNT]; 92 uint32_t reqid; 93 u_int family; 94 u_int fibnum; 95 96 CK_LIST_ENTRY(ipsec_softc) idhash; 97 CK_LIST_ENTRY(ipsec_softc) srchash; 98 }; 99 100 #define IPSEC_RLOCK_TRACKER struct epoch_tracker ipsec_et 101 #define IPSEC_RLOCK() epoch_enter_preempt(net_epoch_preempt, &ipsec_et) 102 #define IPSEC_RUNLOCK() epoch_exit_preempt(net_epoch_preempt, &ipsec_et) 103 #define IPSEC_WAIT() epoch_wait_preempt(net_epoch_preempt) 104 105 #ifndef IPSEC_HASH_SIZE 106 #define IPSEC_HASH_SIZE (1 << 5) 107 #endif 108 109 CK_LIST_HEAD(ipsec_iflist, ipsec_softc); 110 VNET_DEFINE_STATIC(struct ipsec_iflist *, ipsec_idhtbl) = NULL; 111 #define V_ipsec_idhtbl VNET(ipsec_idhtbl) 112 113 #ifdef INET 114 VNET_DEFINE_STATIC(struct ipsec_iflist *, ipsec4_srchtbl) = NULL; 115 #define V_ipsec4_srchtbl VNET(ipsec4_srchtbl) 116 static const struct srcaddrtab *ipsec4_srctab = NULL; 117 #endif 118 119 #ifdef INET6 120 VNET_DEFINE_STATIC(struct ipsec_iflist *, ipsec6_srchtbl) = NULL; 121 #define V_ipsec6_srchtbl VNET(ipsec6_srchtbl) 122 static const struct srcaddrtab *ipsec6_srctab = NULL; 123 #endif 124 125 static struct ipsec_iflist * 126 ipsec_idhash(uint32_t id) 127 { 128 129 return (&V_ipsec_idhtbl[fnv_32_buf(&id, sizeof(id), 130 FNV1_32_INIT) & (IPSEC_HASH_SIZE - 1)]); 131 } 132 133 static struct ipsec_iflist * 134 ipsec_srchash(const struct sockaddr *sa) 135 { 136 uint32_t hval; 137 138 switch (sa->sa_family) { 139 #ifdef INET 140 case AF_INET: 141 hval = fnv_32_buf( 142 &((const struct sockaddr_in *)sa)->sin_addr.s_addr, 143 sizeof(in_addr_t), FNV1_32_INIT); 144 return (&V_ipsec4_srchtbl[hval & (IPSEC_HASH_SIZE - 1)]); 145 #endif 146 #ifdef INET6 147 case AF_INET6: 148 hval = fnv_32_buf( 149 &((const struct sockaddr_in6 *)sa)->sin6_addr, 150 sizeof(struct in6_addr), FNV1_32_INIT); 151 return (&V_ipsec6_srchtbl[hval & (IPSEC_HASH_SIZE - 1)]); 152 #endif 153 } 154 return (NULL); 155 } 156 157 /* 158 * ipsec_ioctl_sx protects from concurrent ioctls. 159 */ 160 static struct sx ipsec_ioctl_sx; 161 SX_SYSINIT(ipsec_ioctl_sx, &ipsec_ioctl_sx, "ipsec_ioctl"); 162 163 static int ipsec_init_reqid(struct ipsec_softc *); 164 static int ipsec_set_tunnel(struct ipsec_softc *, struct sockaddr *, 165 struct sockaddr *, uint32_t); 166 static void ipsec_delete_tunnel(struct ipsec_softc *); 167 168 static int ipsec_set_addresses(struct ifnet *, struct sockaddr *, 169 struct sockaddr *); 170 static int ipsec_set_reqid(struct ipsec_softc *, uint32_t); 171 static void ipsec_set_running(struct ipsec_softc *); 172 173 static void ipsec_srcaddr(void *, const struct sockaddr *, int); 174 static int ipsec_ioctl(struct ifnet *, u_long, caddr_t); 175 static int ipsec_transmit(struct ifnet *, struct mbuf *); 176 static int ipsec_output(struct ifnet *, struct mbuf *, 177 const struct sockaddr *, struct route *); 178 static void ipsec_qflush(struct ifnet *); 179 static int ipsec_clone_create(struct if_clone *, int, caddr_t); 180 static void ipsec_clone_destroy(struct ifnet *); 181 182 VNET_DEFINE_STATIC(struct if_clone *, ipsec_cloner); 183 #define V_ipsec_cloner VNET(ipsec_cloner) 184 185 static int 186 ipsec_clone_create(struct if_clone *ifc, int unit, caddr_t params) 187 { 188 struct ipsec_softc *sc; 189 struct ifnet *ifp; 190 191 sc = malloc(sizeof(*sc), M_IPSEC, M_WAITOK | M_ZERO); 192 sc->fibnum = curthread->td_proc->p_fibnum; 193 sc->ifp = ifp = if_alloc(IFT_TUNNEL); 194 ifp->if_softc = sc; 195 if_initname(ifp, ipsecname, unit); 196 197 ifp->if_addrlen = 0; 198 ifp->if_mtu = IPSEC_MTU; 199 ifp->if_flags = IFF_POINTOPOINT | IFF_MULTICAST; 200 ifp->if_ioctl = ipsec_ioctl; 201 ifp->if_transmit = ipsec_transmit; 202 ifp->if_qflush = ipsec_qflush; 203 ifp->if_output = ipsec_output; 204 if_attach(ifp); 205 bpfattach(ifp, DLT_NULL, sizeof(uint32_t)); 206 207 return (0); 208 } 209 210 static void 211 ipsec_clone_destroy(struct ifnet *ifp) 212 { 213 struct ipsec_softc *sc; 214 215 sx_xlock(&ipsec_ioctl_sx); 216 sc = ifp->if_softc; 217 ipsec_delete_tunnel(sc); 218 /* 219 * Delete softc from idhash on interface destroy, since 220 * ipsec_delete_tunnel() keeps reqid unchanged. 221 */ 222 if (sc->reqid != 0) 223 CK_LIST_REMOVE(sc, idhash); 224 bpfdetach(ifp); 225 if_detach(ifp); 226 ifp->if_softc = NULL; 227 sx_xunlock(&ipsec_ioctl_sx); 228 229 IPSEC_WAIT(); 230 if_free(ifp); 231 free(sc, M_IPSEC); 232 } 233 234 static struct ipsec_iflist * 235 ipsec_hashinit(void) 236 { 237 struct ipsec_iflist *hash; 238 int i; 239 240 hash = malloc(sizeof(struct ipsec_iflist) * IPSEC_HASH_SIZE, 241 M_IPSEC, M_WAITOK); 242 for (i = 0; i < IPSEC_HASH_SIZE; i++) 243 CK_LIST_INIT(&hash[i]); 244 245 return (hash); 246 } 247 248 static void 249 vnet_ipsec_init(const void *unused __unused) 250 { 251 252 V_ipsec_idhtbl = ipsec_hashinit(); 253 #ifdef INET 254 V_ipsec4_srchtbl = ipsec_hashinit(); 255 if (IS_DEFAULT_VNET(curvnet)) 256 ipsec4_srctab = ip_encap_register_srcaddr(ipsec_srcaddr, 257 NULL, M_WAITOK); 258 #endif 259 #ifdef INET6 260 V_ipsec6_srchtbl = ipsec_hashinit(); 261 if (IS_DEFAULT_VNET(curvnet)) 262 ipsec6_srctab = ip6_encap_register_srcaddr(ipsec_srcaddr, 263 NULL, M_WAITOK); 264 #endif 265 V_ipsec_cloner = if_clone_simple(ipsecname, ipsec_clone_create, 266 ipsec_clone_destroy, 0); 267 } 268 VNET_SYSINIT(vnet_ipsec_init, SI_SUB_PROTO_IFATTACHDOMAIN, SI_ORDER_ANY, 269 vnet_ipsec_init, NULL); 270 271 static void 272 vnet_ipsec_uninit(const void *unused __unused) 273 { 274 275 if_clone_detach(V_ipsec_cloner); 276 free(V_ipsec_idhtbl, M_IPSEC); 277 /* 278 * Use V_ipsec_idhtbl pointer as indicator that VNET is going to be 279 * destroyed, it is used by ipsec_srcaddr() callback. 280 */ 281 V_ipsec_idhtbl = NULL; 282 IPSEC_WAIT(); 283 284 #ifdef INET 285 if (IS_DEFAULT_VNET(curvnet)) 286 ip_encap_unregister_srcaddr(ipsec4_srctab); 287 free(V_ipsec4_srchtbl, M_IPSEC); 288 #endif 289 #ifdef INET6 290 if (IS_DEFAULT_VNET(curvnet)) 291 ip6_encap_unregister_srcaddr(ipsec6_srctab); 292 free(V_ipsec6_srchtbl, M_IPSEC); 293 #endif 294 } 295 VNET_SYSUNINIT(vnet_ipsec_uninit, SI_SUB_PROTO_IFATTACHDOMAIN, SI_ORDER_ANY, 296 vnet_ipsec_uninit, NULL); 297 298 static struct secpolicy * 299 ipsec_getpolicy(struct ipsec_softc *sc, int dir, sa_family_t af) 300 { 301 302 switch (af) { 303 #ifdef INET 304 case AF_INET: 305 return (sc->sp[(dir == IPSEC_DIR_INBOUND ? 0: 1)]); 306 #endif 307 #ifdef INET6 308 case AF_INET6: 309 return (sc->sp[(dir == IPSEC_DIR_INBOUND ? 0: 1) 310 #ifdef INET 311 + 2 312 #endif 313 ]); 314 #endif 315 } 316 return (NULL); 317 } 318 319 static struct secasindex * 320 ipsec_getsaidx(struct ipsec_softc *sc, int dir, sa_family_t af) 321 { 322 struct secpolicy *sp; 323 324 sp = ipsec_getpolicy(sc, dir, af); 325 if (sp == NULL) 326 return (NULL); 327 return (&sp->req[0]->saidx); 328 } 329 330 static int 331 ipsec_transmit(struct ifnet *ifp, struct mbuf *m) 332 { 333 IPSEC_RLOCK_TRACKER; 334 struct ipsec_softc *sc; 335 struct secpolicy *sp; 336 struct ip *ip; 337 uint32_t af; 338 int error; 339 340 IPSEC_RLOCK(); 341 #ifdef MAC 342 error = mac_ifnet_check_transmit(ifp, m); 343 if (error) { 344 m_freem(m); 345 goto err; 346 } 347 #endif 348 error = ENETDOWN; 349 sc = ifp->if_softc; 350 if ((ifp->if_drv_flags & IFF_DRV_RUNNING) == 0 || 351 (ifp->if_flags & IFF_MONITOR) != 0 || 352 (ifp->if_flags & IFF_UP) == 0 || sc->family == 0) { 353 m_freem(m); 354 goto err; 355 } 356 357 /* Determine address family to correctly handle packet in BPF */ 358 ip = mtod(m, struct ip *); 359 switch (ip->ip_v) { 360 #ifdef INET 361 case IPVERSION: 362 af = AF_INET; 363 break; 364 #endif 365 #ifdef INET6 366 case (IPV6_VERSION >> 4): 367 af = AF_INET6; 368 break; 369 #endif 370 default: 371 error = EAFNOSUPPORT; 372 m_freem(m); 373 goto err; 374 } 375 376 /* 377 * Loop prevention. 378 * XXX: for now just check presence of IPSEC_OUT_DONE mbuf tag. 379 * We can read full chain and compare destination address, 380 * proto and mode from xform_history with values from softc. 381 */ 382 if (m_tag_find(m, PACKET_TAG_IPSEC_OUT_DONE, NULL) != NULL) { 383 m_freem(m); 384 goto err; 385 } 386 387 sp = ipsec_getpolicy(sc, IPSEC_DIR_OUTBOUND, af); 388 key_addref(sp); 389 M_SETFIB(m, sc->fibnum); 390 391 BPF_MTAP2(ifp, &af, sizeof(af), m); 392 if_inc_counter(ifp, IFCOUNTER_OPACKETS, 1); 393 if_inc_counter(ifp, IFCOUNTER_OBYTES, m->m_pkthdr.len); 394 395 switch (af) { 396 #ifdef INET 397 case AF_INET: 398 error = ipsec4_process_packet(m, sp, NULL); 399 break; 400 #endif 401 #ifdef INET6 402 case AF_INET6: 403 error = ipsec6_process_packet(m, sp, NULL); 404 break; 405 #endif 406 default: 407 panic("%s: unknown address family\n", __func__); 408 } 409 err: 410 if (error != 0) 411 if_inc_counter(ifp, IFCOUNTER_OERRORS, 1); 412 IPSEC_RUNLOCK(); 413 return (error); 414 } 415 416 static void 417 ipsec_qflush(struct ifnet *ifp __unused) 418 { 419 420 } 421 422 static int 423 ipsec_output(struct ifnet *ifp, struct mbuf *m, const struct sockaddr *dst, 424 struct route *ro) 425 { 426 427 return (ifp->if_transmit(ifp, m)); 428 } 429 430 int 431 ipsec_if_input(struct mbuf *m, struct secasvar *sav, uint32_t af) 432 { 433 IPSEC_RLOCK_TRACKER; 434 struct secasindex *saidx; 435 struct ipsec_softc *sc; 436 struct ifnet *ifp; 437 438 if (sav->state != SADB_SASTATE_MATURE && 439 sav->state != SADB_SASTATE_DYING) { 440 m_freem(m); 441 return (ENETDOWN); 442 } 443 444 if (sav->sah->saidx.mode != IPSEC_MODE_TUNNEL || 445 sav->sah->saidx.proto != IPPROTO_ESP) 446 return (0); 447 448 IPSEC_RLOCK(); 449 CK_LIST_FOREACH(sc, ipsec_idhash(sav->sah->saidx.reqid), idhash) { 450 if (sc->family == 0) 451 continue; 452 saidx = ipsec_getsaidx(sc, IPSEC_DIR_INBOUND, 453 sav->sah->saidx.src.sa.sa_family); 454 /* SA's reqid should match reqid in SP */ 455 if (saidx == NULL || 456 sav->sah->saidx.reqid != saidx->reqid) 457 continue; 458 /* SAH's addresses should match tunnel endpoints. */ 459 if (key_sockaddrcmp(&sav->sah->saidx.dst.sa, 460 &saidx->dst.sa, 0) != 0) 461 continue; 462 if (key_sockaddrcmp(&sav->sah->saidx.src.sa, 463 &saidx->src.sa, 0) == 0) 464 break; 465 } 466 if (sc == NULL) { 467 IPSEC_RUNLOCK(); 468 /* Tunnel was not found. Nothing to do. */ 469 return (0); 470 } 471 ifp = sc->ifp; 472 if ((ifp->if_drv_flags & IFF_DRV_RUNNING) == 0 || 473 (ifp->if_flags & IFF_UP) == 0) { 474 IPSEC_RUNLOCK(); 475 m_freem(m); 476 return (ENETDOWN); 477 } 478 /* 479 * We found matching and working tunnel. 480 * Set its ifnet as receiving interface. 481 */ 482 m->m_pkthdr.rcvif = ifp; 483 484 m_clrprotoflags(m); 485 M_SETFIB(m, ifp->if_fib); 486 BPF_MTAP2(ifp, &af, sizeof(af), m); 487 if_inc_counter(ifp, IFCOUNTER_IPACKETS, 1); 488 if_inc_counter(ifp, IFCOUNTER_IBYTES, m->m_pkthdr.len); 489 if ((ifp->if_flags & IFF_MONITOR) != 0) { 490 IPSEC_RUNLOCK(); 491 m_freem(m); 492 return (ENETDOWN); 493 } 494 IPSEC_RUNLOCK(); 495 return (0); 496 } 497 498 static int 499 ipsec_ioctl(struct ifnet *ifp, u_long cmd, caddr_t data) 500 { 501 struct ifreq *ifr = (struct ifreq*)data; 502 struct sockaddr *dst, *src; 503 struct ipsec_softc *sc; 504 struct secasindex *saidx; 505 #ifdef INET 506 struct sockaddr_in *sin = NULL; 507 #endif 508 #ifdef INET6 509 struct sockaddr_in6 *sin6 = NULL; 510 #endif 511 uint32_t reqid; 512 int error; 513 514 switch (cmd) { 515 case SIOCSIFADDR: 516 ifp->if_flags |= IFF_UP; 517 case SIOCADDMULTI: 518 case SIOCDELMULTI: 519 case SIOCGIFMTU: 520 case SIOCSIFFLAGS: 521 return (0); 522 case SIOCSIFMTU: 523 if (ifr->ifr_mtu < IPSEC_MTU_MIN || 524 ifr->ifr_mtu > IPSEC_MTU_MAX) 525 return (EINVAL); 526 else 527 ifp->if_mtu = ifr->ifr_mtu; 528 return (0); 529 } 530 sx_xlock(&ipsec_ioctl_sx); 531 sc = ifp->if_softc; 532 /* Check that softc is still here */ 533 if (sc == NULL) { 534 error = ENXIO; 535 goto bad; 536 } 537 error = 0; 538 switch (cmd) { 539 case SIOCSIFPHYADDR: 540 #ifdef INET6 541 case SIOCSIFPHYADDR_IN6: 542 #endif 543 error = EINVAL; 544 switch (cmd) { 545 #ifdef INET 546 case SIOCSIFPHYADDR: 547 src = (struct sockaddr *) 548 &(((struct in_aliasreq *)data)->ifra_addr); 549 dst = (struct sockaddr *) 550 &(((struct in_aliasreq *)data)->ifra_dstaddr); 551 break; 552 #endif 553 #ifdef INET6 554 case SIOCSIFPHYADDR_IN6: 555 src = (struct sockaddr *) 556 &(((struct in6_aliasreq *)data)->ifra_addr); 557 dst = (struct sockaddr *) 558 &(((struct in6_aliasreq *)data)->ifra_dstaddr); 559 break; 560 #endif 561 default: 562 goto bad; 563 } 564 /* sa_family must be equal */ 565 if (src->sa_family != dst->sa_family || 566 src->sa_len != dst->sa_len) 567 goto bad; 568 569 /* validate sa_len */ 570 switch (src->sa_family) { 571 #ifdef INET 572 case AF_INET: 573 if (src->sa_len != sizeof(struct sockaddr_in)) 574 goto bad; 575 break; 576 #endif 577 #ifdef INET6 578 case AF_INET6: 579 if (src->sa_len != sizeof(struct sockaddr_in6)) 580 goto bad; 581 break; 582 #endif 583 default: 584 error = EAFNOSUPPORT; 585 goto bad; 586 } 587 /* check sa_family looks sane for the cmd */ 588 error = EAFNOSUPPORT; 589 switch (cmd) { 590 #ifdef INET 591 case SIOCSIFPHYADDR: 592 if (src->sa_family == AF_INET) 593 break; 594 goto bad; 595 #endif 596 #ifdef INET6 597 case SIOCSIFPHYADDR_IN6: 598 if (src->sa_family == AF_INET6) 599 break; 600 goto bad; 601 #endif 602 } 603 error = EADDRNOTAVAIL; 604 switch (src->sa_family) { 605 #ifdef INET 606 case AF_INET: 607 if (satosin(src)->sin_addr.s_addr == INADDR_ANY || 608 satosin(dst)->sin_addr.s_addr == INADDR_ANY) 609 goto bad; 610 break; 611 #endif 612 #ifdef INET6 613 case AF_INET6: 614 if (IN6_IS_ADDR_UNSPECIFIED( 615 &satosin6(src)->sin6_addr) || 616 IN6_IS_ADDR_UNSPECIFIED( 617 &satosin6(dst)->sin6_addr)) 618 goto bad; 619 /* 620 * Check validity of the scope zone ID of the 621 * addresses, and convert it into the kernel 622 * internal form if necessary. 623 */ 624 error = sa6_embedscope(satosin6(src), 0); 625 if (error != 0) 626 goto bad; 627 error = sa6_embedscope(satosin6(dst), 0); 628 if (error != 0) 629 goto bad; 630 #endif 631 }; 632 error = ipsec_set_addresses(ifp, src, dst); 633 break; 634 case SIOCDIFPHYADDR: 635 ipsec_delete_tunnel(sc); 636 break; 637 case SIOCGIFPSRCADDR: 638 case SIOCGIFPDSTADDR: 639 #ifdef INET6 640 case SIOCGIFPSRCADDR_IN6: 641 case SIOCGIFPDSTADDR_IN6: 642 #endif 643 if (sc->family == 0) { 644 error = EADDRNOTAVAIL; 645 break; 646 } 647 saidx = ipsec_getsaidx(sc, IPSEC_DIR_OUTBOUND, sc->family); 648 switch (cmd) { 649 #ifdef INET 650 case SIOCGIFPSRCADDR: 651 case SIOCGIFPDSTADDR: 652 if (saidx->src.sa.sa_family != AF_INET) { 653 error = EADDRNOTAVAIL; 654 break; 655 } 656 sin = (struct sockaddr_in *)&ifr->ifr_addr; 657 memset(sin, 0, sizeof(*sin)); 658 sin->sin_family = AF_INET; 659 sin->sin_len = sizeof(*sin); 660 break; 661 #endif 662 #ifdef INET6 663 case SIOCGIFPSRCADDR_IN6: 664 case SIOCGIFPDSTADDR_IN6: 665 if (saidx->src.sa.sa_family != AF_INET6) { 666 error = EADDRNOTAVAIL; 667 break; 668 } 669 sin6 = (struct sockaddr_in6 *) 670 &(((struct in6_ifreq *)data)->ifr_addr); 671 memset(sin6, 0, sizeof(*sin6)); 672 sin6->sin6_family = AF_INET6; 673 sin6->sin6_len = sizeof(*sin6); 674 break; 675 #endif 676 default: 677 error = EAFNOSUPPORT; 678 } 679 if (error == 0) { 680 switch (cmd) { 681 #ifdef INET 682 case SIOCGIFPSRCADDR: 683 sin->sin_addr = saidx->src.sin.sin_addr; 684 break; 685 case SIOCGIFPDSTADDR: 686 sin->sin_addr = saidx->dst.sin.sin_addr; 687 break; 688 #endif 689 #ifdef INET6 690 case SIOCGIFPSRCADDR_IN6: 691 sin6->sin6_addr = saidx->src.sin6.sin6_addr; 692 break; 693 case SIOCGIFPDSTADDR_IN6: 694 sin6->sin6_addr = saidx->dst.sin6.sin6_addr; 695 break; 696 #endif 697 } 698 } 699 if (error != 0) 700 break; 701 switch (cmd) { 702 #ifdef INET 703 case SIOCGIFPSRCADDR: 704 case SIOCGIFPDSTADDR: 705 error = prison_if(curthread->td_ucred, 706 (struct sockaddr *)sin); 707 if (error != 0) 708 memset(sin, 0, sizeof(*sin)); 709 break; 710 #endif 711 #ifdef INET6 712 case SIOCGIFPSRCADDR_IN6: 713 case SIOCGIFPDSTADDR_IN6: 714 error = prison_if(curthread->td_ucred, 715 (struct sockaddr *)sin6); 716 if (error == 0) 717 error = sa6_recoverscope(sin6); 718 if (error != 0) 719 memset(sin6, 0, sizeof(*sin6)); 720 #endif 721 } 722 break; 723 case SIOCGTUNFIB: 724 ifr->ifr_fib = sc->fibnum; 725 break; 726 case SIOCSTUNFIB: 727 if ((error = priv_check(curthread, PRIV_NET_SETIFFIB)) != 0) 728 break; 729 if (ifr->ifr_fib >= rt_numfibs) 730 error = EINVAL; 731 else 732 sc->fibnum = ifr->ifr_fib; 733 break; 734 case IPSECGREQID: 735 reqid = sc->reqid; 736 error = copyout(&reqid, ifr_data_get_ptr(ifr), sizeof(reqid)); 737 break; 738 case IPSECSREQID: 739 if ((error = priv_check(curthread, PRIV_NET_SETIFCAP)) != 0) 740 break; 741 error = copyin(ifr_data_get_ptr(ifr), &reqid, sizeof(reqid)); 742 if (error != 0) 743 break; 744 error = ipsec_set_reqid(sc, reqid); 745 break; 746 default: 747 error = EINVAL; 748 break; 749 } 750 bad: 751 sx_xunlock(&ipsec_ioctl_sx); 752 return (error); 753 } 754 755 /* 756 * Check that ingress address belongs to local host. 757 */ 758 static void 759 ipsec_set_running(struct ipsec_softc *sc) 760 { 761 struct secasindex *saidx; 762 int localip; 763 764 saidx = ipsec_getsaidx(sc, IPSEC_DIR_OUTBOUND, sc->family); 765 localip = 0; 766 switch (sc->family) { 767 #ifdef INET 768 case AF_INET: 769 localip = in_localip(saidx->src.sin.sin_addr); 770 break; 771 #endif 772 #ifdef INET6 773 case AF_INET6: 774 localip = in6_localip(&saidx->src.sin6.sin6_addr); 775 break; 776 #endif 777 } 778 if (localip != 0) 779 sc->ifp->if_drv_flags |= IFF_DRV_RUNNING; 780 else 781 sc->ifp->if_drv_flags &= ~IFF_DRV_RUNNING; 782 } 783 784 /* 785 * ifaddr_event handler. 786 * Clear IFF_DRV_RUNNING flag when ingress address disappears to prevent 787 * source address spoofing. 788 */ 789 static void 790 ipsec_srcaddr(void *arg __unused, const struct sockaddr *sa, 791 int event __unused) 792 { 793 struct ipsec_softc *sc; 794 struct secasindex *saidx; 795 796 /* Check that VNET is ready */ 797 if (V_ipsec_idhtbl == NULL) 798 return; 799 800 NET_EPOCH_ASSERT(); 801 CK_LIST_FOREACH(sc, ipsec_srchash(sa), srchash) { 802 if (sc->family == 0) 803 continue; 804 saidx = ipsec_getsaidx(sc, IPSEC_DIR_OUTBOUND, sa->sa_family); 805 if (saidx == NULL || 806 key_sockaddrcmp(&saidx->src.sa, sa, 0) != 0) 807 continue; 808 ipsec_set_running(sc); 809 } 810 } 811 812 /* 813 * Allocate new private security policies for tunneling interface. 814 * Each tunneling interface has following security policies for 815 * both AF: 816 * 0.0.0.0/0[any] 0.0.0.0/0[any] -P in \ 817 * ipsec esp/tunnel/RemoteIP-LocalIP/unique:reqid 818 * 0.0.0.0/0[any] 0.0.0.0/0[any] -P out \ 819 * ipsec esp/tunnel/LocalIP-RemoteIP/unique:reqid 820 */ 821 static int 822 ipsec_newpolicies(struct ipsec_softc *sc, struct secpolicy *sp[IPSEC_SPCOUNT], 823 const struct sockaddr *src, const struct sockaddr *dst, uint32_t reqid) 824 { 825 struct ipsecrequest *isr; 826 int i; 827 828 memset(sp, 0, sizeof(struct secpolicy *) * IPSEC_SPCOUNT); 829 for (i = 0; i < IPSEC_SPCOUNT; i++) { 830 if ((sp[i] = key_newsp()) == NULL) 831 goto fail; 832 if ((isr = ipsec_newisr()) == NULL) 833 goto fail; 834 835 sp[i]->policy = IPSEC_POLICY_IPSEC; 836 sp[i]->state = IPSEC_SPSTATE_DEAD; 837 sp[i]->req[sp[i]->tcount++] = isr; 838 sp[i]->created = time_second; 839 /* Use priority field to store if_index */ 840 sp[i]->priority = sc->ifp->if_index; 841 isr->level = IPSEC_LEVEL_UNIQUE; 842 isr->saidx.proto = IPPROTO_ESP; 843 isr->saidx.mode = IPSEC_MODE_TUNNEL; 844 isr->saidx.reqid = reqid; 845 if (i % 2 == 0) { 846 sp[i]->spidx.dir = IPSEC_DIR_INBOUND; 847 bcopy(src, &isr->saidx.dst, src->sa_len); 848 bcopy(dst, &isr->saidx.src, dst->sa_len); 849 } else { 850 sp[i]->spidx.dir = IPSEC_DIR_OUTBOUND; 851 bcopy(src, &isr->saidx.src, src->sa_len); 852 bcopy(dst, &isr->saidx.dst, dst->sa_len); 853 } 854 sp[i]->spidx.ul_proto = IPSEC_ULPROTO_ANY; 855 #ifdef INET 856 if (i < 2) { 857 sp[i]->spidx.src.sa.sa_family = 858 sp[i]->spidx.dst.sa.sa_family = AF_INET; 859 sp[i]->spidx.src.sa.sa_len = 860 sp[i]->spidx.dst.sa.sa_len = 861 sizeof(struct sockaddr_in); 862 continue; 863 } 864 #endif 865 #ifdef INET6 866 sp[i]->spidx.src.sa.sa_family = 867 sp[i]->spidx.dst.sa.sa_family = AF_INET6; 868 sp[i]->spidx.src.sa.sa_len = 869 sp[i]->spidx.dst.sa.sa_len = sizeof(struct sockaddr_in6); 870 #endif 871 } 872 return (0); 873 fail: 874 for (i = 0; i < IPSEC_SPCOUNT; i++) 875 key_freesp(&sp[i]); 876 return (ENOMEM); 877 } 878 879 static int 880 ipsec_check_reqid(uint32_t reqid) 881 { 882 struct ipsec_softc *sc; 883 884 sx_assert(&ipsec_ioctl_sx, SA_XLOCKED); 885 CK_LIST_FOREACH(sc, ipsec_idhash(reqid), idhash) { 886 if (sc->reqid == reqid) 887 return (EEXIST); 888 } 889 return (0); 890 } 891 892 /* 893 * We use key_newreqid() to automatically obtain unique reqid. 894 * Then we check that given id is unique, i.e. it is not used by 895 * another if_ipsec(4) interface. This macro limits the number of 896 * tries to get unique id. 897 */ 898 #define IPSEC_REQID_TRYCNT 64 899 static int 900 ipsec_init_reqid(struct ipsec_softc *sc) 901 { 902 uint32_t reqid; 903 int trycount; 904 905 sx_assert(&ipsec_ioctl_sx, SA_XLOCKED); 906 if (sc->reqid != 0) /* already initialized */ 907 return (0); 908 909 trycount = IPSEC_REQID_TRYCNT; 910 while (--trycount > 0) { 911 reqid = key_newreqid(); 912 if (ipsec_check_reqid(reqid) == 0) 913 break; 914 } 915 if (trycount == 0) 916 return (EEXIST); 917 sc->reqid = reqid; 918 CK_LIST_INSERT_HEAD(ipsec_idhash(reqid), sc, idhash); 919 return (0); 920 } 921 922 /* 923 * Set or update reqid for given tunneling interface. 924 * When specified reqid is zero, generate new one. 925 * We are protected by ioctl_sx lock from concurrent id generation. 926 * Also softc would not disappear while we hold ioctl_sx lock. 927 */ 928 static int 929 ipsec_set_reqid(struct ipsec_softc *sc, uint32_t reqid) 930 { 931 struct secasindex *saidx; 932 933 sx_assert(&ipsec_ioctl_sx, SA_XLOCKED); 934 935 if (sc->reqid == reqid && reqid != 0) 936 return (0); 937 938 if (reqid != 0) { 939 /* Check that specified reqid doesn't exist */ 940 if (ipsec_check_reqid(reqid) != 0) 941 return (EEXIST); 942 if (sc->reqid != 0) { 943 CK_LIST_REMOVE(sc, idhash); 944 IPSEC_WAIT(); 945 } 946 sc->reqid = reqid; 947 CK_LIST_INSERT_HEAD(ipsec_idhash(reqid), sc, idhash); 948 } else { 949 /* Generate new reqid */ 950 if (ipsec_init_reqid(sc) != 0) 951 return (EEXIST); 952 } 953 954 /* Tunnel isn't fully configured, just return. */ 955 if (sc->family == 0) 956 return (0); 957 958 saidx = ipsec_getsaidx(sc, IPSEC_DIR_OUTBOUND, sc->family); 959 KASSERT(saidx != NULL, 960 ("saidx is NULL, but family is %d", sc->family)); 961 return (ipsec_set_tunnel(sc, &saidx->src.sa, &saidx->dst.sa, 962 sc->reqid)); 963 } 964 965 /* 966 * Set tunnel endpoints addresses. 967 */ 968 static int 969 ipsec_set_addresses(struct ifnet *ifp, struct sockaddr *src, 970 struct sockaddr *dst) 971 { 972 struct ipsec_softc *sc; 973 struct secasindex *saidx; 974 975 sx_assert(&ipsec_ioctl_sx, SA_XLOCKED); 976 977 sc = ifp->if_softc; 978 if (sc->family != 0) { 979 saidx = ipsec_getsaidx(sc, IPSEC_DIR_OUTBOUND, 980 src->sa_family); 981 if (saidx != NULL && saidx->reqid == sc->reqid && 982 key_sockaddrcmp(&saidx->src.sa, src, 0) == 0 && 983 key_sockaddrcmp(&saidx->dst.sa, dst, 0) == 0) 984 return (0); /* Nothing has been changed. */ 985 986 } 987 /* If reqid is not set, generate new one. */ 988 if (ipsec_init_reqid(sc) != 0) 989 return (EEXIST); 990 return (ipsec_set_tunnel(sc, src, dst, sc->reqid)); 991 } 992 993 static int 994 ipsec_set_tunnel(struct ipsec_softc *sc, struct sockaddr *src, 995 struct sockaddr *dst, uint32_t reqid) 996 { 997 struct secpolicy *sp[IPSEC_SPCOUNT]; 998 int i; 999 1000 sx_assert(&ipsec_ioctl_sx, SA_XLOCKED); 1001 1002 /* Allocate SP with new addresses. */ 1003 if (ipsec_newpolicies(sc, sp, src, dst, reqid) == 0) { 1004 /* Add new policies to SPDB */ 1005 if (key_register_ifnet(sp, IPSEC_SPCOUNT) != 0) { 1006 for (i = 0; i < IPSEC_SPCOUNT; i++) 1007 key_freesp(&sp[i]); 1008 return (EAGAIN); 1009 } 1010 if (sc->family != 0) 1011 ipsec_delete_tunnel(sc); 1012 for (i = 0; i < IPSEC_SPCOUNT; i++) 1013 sc->sp[i] = sp[i]; 1014 sc->family = src->sa_family; 1015 CK_LIST_INSERT_HEAD(ipsec_srchash(src), sc, srchash); 1016 } else { 1017 sc->ifp->if_drv_flags &= ~IFF_DRV_RUNNING; 1018 return (ENOMEM); 1019 } 1020 ipsec_set_running(sc); 1021 return (0); 1022 } 1023 1024 static void 1025 ipsec_delete_tunnel(struct ipsec_softc *sc) 1026 { 1027 int i; 1028 1029 sx_assert(&ipsec_ioctl_sx, SA_XLOCKED); 1030 1031 sc->ifp->if_drv_flags &= ~IFF_DRV_RUNNING; 1032 if (sc->family != 0) { 1033 CK_LIST_REMOVE(sc, srchash); 1034 sc->family = 0; 1035 /* 1036 * Make sure that ipsec_if_input() will not do access 1037 * to softc's policies. 1038 */ 1039 IPSEC_WAIT(); 1040 1041 key_unregister_ifnet(sc->sp, IPSEC_SPCOUNT); 1042 for (i = 0; i < IPSEC_SPCOUNT; i++) 1043 key_freesp(&sc->sp[i]); 1044 } 1045 } 1046