1 /*- 2 * Copyright (c) 2016-2018 Yandex LLC 3 * Copyright (c) 2016-2018 Andrey V. Elsukov <ae@FreeBSD.org> 4 * All rights reserved. 5 * 6 * Redistribution and use in source and binary forms, with or without 7 * modification, are permitted provided that the following conditions 8 * are met: 9 * 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 2. Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer in the 14 * documentation and/or other materials provided with the distribution. 15 * 16 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 17 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 18 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 19 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 20 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 21 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 22 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 23 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 24 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 25 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 26 */ 27 28 #include <sys/cdefs.h> 29 __FBSDID("$FreeBSD$"); 30 31 #include "opt_inet.h" 32 #include "opt_inet6.h" 33 #include "opt_ipsec.h" 34 35 #include <sys/param.h> 36 #include <sys/systm.h> 37 #include <sys/kernel.h> 38 #include <sys/fnv_hash.h> 39 #include <sys/jail.h> 40 #include <sys/lock.h> 41 #include <sys/malloc.h> 42 #include <sys/mbuf.h> 43 #include <sys/module.h> 44 #include <sys/socket.h> 45 #include <sys/sockio.h> 46 #include <sys/sx.h> 47 #include <sys/errno.h> 48 #include <sys/sysctl.h> 49 #include <sys/priv.h> 50 #include <sys/proc.h> 51 #include <sys/conf.h> 52 53 #include <net/if.h> 54 #include <net/if_var.h> 55 #include <net/if_clone.h> 56 #include <net/if_types.h> 57 #include <net/bpf.h> 58 #include <net/route.h> 59 #include <net/vnet.h> 60 61 #include <netinet/in.h> 62 #include <netinet/in_var.h> 63 #include <netinet/ip.h> 64 #include <netinet/ip_encap.h> 65 66 #include <netinet/ip6.h> 67 #include <netinet6/in6_var.h> 68 #include <netinet6/scope6_var.h> 69 70 #include <netipsec/ipsec.h> 71 #ifdef INET6 72 #include <netipsec/ipsec6.h> 73 #endif 74 75 #include <net/if_ipsec.h> 76 #include <netipsec/key.h> 77 78 #include <security/mac/mac_framework.h> 79 80 static MALLOC_DEFINE(M_IPSEC, "ipsec", "IPsec Virtual Tunnel Interface"); 81 static const char ipsecname[] = "ipsec"; 82 83 #if defined(INET) && defined(INET6) 84 #define IPSEC_SPCOUNT 4 85 #else 86 #define IPSEC_SPCOUNT 2 87 #endif 88 89 struct ipsec_softc { 90 struct ifnet *ifp; 91 struct secpolicy *sp[IPSEC_SPCOUNT]; 92 uint32_t reqid; 93 u_int family; 94 u_int fibnum; 95 96 CK_LIST_ENTRY(ipsec_softc) idhash; 97 CK_LIST_ENTRY(ipsec_softc) srchash; 98 }; 99 100 #define IPSEC_RLOCK_TRACKER struct epoch_tracker ipsec_et 101 #define IPSEC_RLOCK() epoch_enter_preempt(net_epoch_preempt, &ipsec_et) 102 #define IPSEC_RUNLOCK() epoch_exit_preempt(net_epoch_preempt, &ipsec_et) 103 #define IPSEC_WAIT() epoch_wait_preempt(net_epoch_preempt) 104 105 #ifndef IPSEC_HASH_SIZE 106 #define IPSEC_HASH_SIZE (1 << 5) 107 #endif 108 109 CK_LIST_HEAD(ipsec_iflist, ipsec_softc); 110 VNET_DEFINE_STATIC(struct ipsec_iflist *, ipsec_idhtbl) = NULL; 111 #define V_ipsec_idhtbl VNET(ipsec_idhtbl) 112 113 #ifdef INET 114 VNET_DEFINE_STATIC(struct ipsec_iflist *, ipsec4_srchtbl) = NULL; 115 #define V_ipsec4_srchtbl VNET(ipsec4_srchtbl) 116 static const struct srcaddrtab *ipsec4_srctab = NULL; 117 #endif 118 119 #ifdef INET6 120 VNET_DEFINE_STATIC(struct ipsec_iflist *, ipsec6_srchtbl) = NULL; 121 #define V_ipsec6_srchtbl VNET(ipsec6_srchtbl) 122 static const struct srcaddrtab *ipsec6_srctab = NULL; 123 #endif 124 125 static struct ipsec_iflist * 126 ipsec_idhash(uint32_t id) 127 { 128 129 return (&V_ipsec_idhtbl[fnv_32_buf(&id, sizeof(id), 130 FNV1_32_INIT) & (IPSEC_HASH_SIZE - 1)]); 131 } 132 133 static struct ipsec_iflist * 134 ipsec_srchash(const struct sockaddr *sa) 135 { 136 uint32_t hval; 137 138 switch (sa->sa_family) { 139 #ifdef INET 140 case AF_INET: 141 hval = fnv_32_buf( 142 &((const struct sockaddr_in *)sa)->sin_addr.s_addr, 143 sizeof(in_addr_t), FNV1_32_INIT); 144 return (&V_ipsec4_srchtbl[hval & (IPSEC_HASH_SIZE - 1)]); 145 #endif 146 #ifdef INET6 147 case AF_INET6: 148 hval = fnv_32_buf( 149 &((const struct sockaddr_in6 *)sa)->sin6_addr, 150 sizeof(struct in6_addr), FNV1_32_INIT); 151 return (&V_ipsec6_srchtbl[hval & (IPSEC_HASH_SIZE - 1)]); 152 #endif 153 } 154 return (NULL); 155 } 156 157 /* 158 * ipsec_ioctl_sx protects from concurrent ioctls. 159 */ 160 static struct sx ipsec_ioctl_sx; 161 SX_SYSINIT(ipsec_ioctl_sx, &ipsec_ioctl_sx, "ipsec_ioctl"); 162 163 static int ipsec_init_reqid(struct ipsec_softc *); 164 static int ipsec_set_tunnel(struct ipsec_softc *, struct sockaddr *, 165 struct sockaddr *, uint32_t); 166 static void ipsec_delete_tunnel(struct ipsec_softc *); 167 168 static int ipsec_set_addresses(struct ifnet *, struct sockaddr *, 169 struct sockaddr *); 170 static int ipsec_set_reqid(struct ipsec_softc *, uint32_t); 171 static void ipsec_set_running(struct ipsec_softc *); 172 173 #ifdef VIMAGE 174 static void ipsec_reassign(struct ifnet *, struct vnet *, char *); 175 #endif 176 static void ipsec_srcaddr(void *, const struct sockaddr *, int); 177 static int ipsec_ioctl(struct ifnet *, u_long, caddr_t); 178 static int ipsec_transmit(struct ifnet *, struct mbuf *); 179 static int ipsec_output(struct ifnet *, struct mbuf *, 180 const struct sockaddr *, struct route *); 181 static void ipsec_qflush(struct ifnet *); 182 static int ipsec_clone_create(struct if_clone *, int, caddr_t); 183 static void ipsec_clone_destroy(struct ifnet *); 184 185 VNET_DEFINE_STATIC(struct if_clone *, ipsec_cloner); 186 #define V_ipsec_cloner VNET(ipsec_cloner) 187 188 static int 189 ipsec_clone_create(struct if_clone *ifc, int unit, caddr_t params) 190 { 191 struct ipsec_softc *sc; 192 struct ifnet *ifp; 193 194 sc = malloc(sizeof(*sc), M_IPSEC, M_WAITOK | M_ZERO); 195 sc->fibnum = curthread->td_proc->p_fibnum; 196 sc->ifp = ifp = if_alloc(IFT_TUNNEL); 197 ifp->if_softc = sc; 198 if_initname(ifp, ipsecname, unit); 199 200 ifp->if_addrlen = 0; 201 ifp->if_mtu = IPSEC_MTU; 202 ifp->if_flags = IFF_POINTOPOINT | IFF_MULTICAST; 203 ifp->if_ioctl = ipsec_ioctl; 204 ifp->if_transmit = ipsec_transmit; 205 ifp->if_qflush = ipsec_qflush; 206 ifp->if_output = ipsec_output; 207 #ifdef VIMAGE 208 ifp->if_reassign = ipsec_reassign; 209 #endif 210 if_attach(ifp); 211 bpfattach(ifp, DLT_NULL, sizeof(uint32_t)); 212 213 return (0); 214 } 215 216 #ifdef VIMAGE 217 static void 218 ipsec_reassign(struct ifnet *ifp, struct vnet *new_vnet __unused, 219 char *unused __unused) 220 { 221 struct ipsec_softc *sc; 222 223 sx_xlock(&ipsec_ioctl_sx); 224 sc = ifp->if_softc; 225 if (sc != NULL) 226 ipsec_delete_tunnel(sc); 227 sx_xunlock(&ipsec_ioctl_sx); 228 } 229 #endif /* VIMAGE */ 230 231 static void 232 ipsec_clone_destroy(struct ifnet *ifp) 233 { 234 struct ipsec_softc *sc; 235 236 sx_xlock(&ipsec_ioctl_sx); 237 sc = ifp->if_softc; 238 ipsec_delete_tunnel(sc); 239 /* 240 * Delete softc from idhash on interface destroy, since 241 * ipsec_delete_tunnel() keeps reqid unchanged. 242 */ 243 if (sc->reqid != 0) 244 CK_LIST_REMOVE(sc, idhash); 245 bpfdetach(ifp); 246 if_detach(ifp); 247 ifp->if_softc = NULL; 248 sx_xunlock(&ipsec_ioctl_sx); 249 250 IPSEC_WAIT(); 251 if_free(ifp); 252 free(sc, M_IPSEC); 253 } 254 255 static struct ipsec_iflist * 256 ipsec_hashinit(void) 257 { 258 struct ipsec_iflist *hash; 259 int i; 260 261 hash = malloc(sizeof(struct ipsec_iflist) * IPSEC_HASH_SIZE, 262 M_IPSEC, M_WAITOK); 263 for (i = 0; i < IPSEC_HASH_SIZE; i++) 264 CK_LIST_INIT(&hash[i]); 265 266 return (hash); 267 } 268 269 static void 270 vnet_ipsec_init(const void *unused __unused) 271 { 272 273 V_ipsec_idhtbl = ipsec_hashinit(); 274 #ifdef INET 275 V_ipsec4_srchtbl = ipsec_hashinit(); 276 if (IS_DEFAULT_VNET(curvnet)) 277 ipsec4_srctab = ip_encap_register_srcaddr(ipsec_srcaddr, 278 NULL, M_WAITOK); 279 #endif 280 #ifdef INET6 281 V_ipsec6_srchtbl = ipsec_hashinit(); 282 if (IS_DEFAULT_VNET(curvnet)) 283 ipsec6_srctab = ip6_encap_register_srcaddr(ipsec_srcaddr, 284 NULL, M_WAITOK); 285 #endif 286 V_ipsec_cloner = if_clone_simple(ipsecname, ipsec_clone_create, 287 ipsec_clone_destroy, 0); 288 } 289 VNET_SYSINIT(vnet_ipsec_init, SI_SUB_PROTO_IFATTACHDOMAIN, SI_ORDER_ANY, 290 vnet_ipsec_init, NULL); 291 292 static void 293 vnet_ipsec_uninit(const void *unused __unused) 294 { 295 296 if_clone_detach(V_ipsec_cloner); 297 free(V_ipsec_idhtbl, M_IPSEC); 298 /* 299 * Use V_ipsec_idhtbl pointer as indicator that VNET is going to be 300 * destroyed, it is used by ipsec_srcaddr() callback. 301 */ 302 V_ipsec_idhtbl = NULL; 303 IPSEC_WAIT(); 304 305 #ifdef INET 306 if (IS_DEFAULT_VNET(curvnet)) 307 ip_encap_unregister_srcaddr(ipsec4_srctab); 308 free(V_ipsec4_srchtbl, M_IPSEC); 309 #endif 310 #ifdef INET6 311 if (IS_DEFAULT_VNET(curvnet)) 312 ip6_encap_unregister_srcaddr(ipsec6_srctab); 313 free(V_ipsec6_srchtbl, M_IPSEC); 314 #endif 315 } 316 VNET_SYSUNINIT(vnet_ipsec_uninit, SI_SUB_PROTO_IFATTACHDOMAIN, SI_ORDER_ANY, 317 vnet_ipsec_uninit, NULL); 318 319 static struct secpolicy * 320 ipsec_getpolicy(struct ipsec_softc *sc, int dir, sa_family_t af) 321 { 322 323 switch (af) { 324 #ifdef INET 325 case AF_INET: 326 return (sc->sp[(dir == IPSEC_DIR_INBOUND ? 0: 1)]); 327 #endif 328 #ifdef INET6 329 case AF_INET6: 330 return (sc->sp[(dir == IPSEC_DIR_INBOUND ? 0: 1) 331 #ifdef INET 332 + 2 333 #endif 334 ]); 335 #endif 336 } 337 return (NULL); 338 } 339 340 static struct secasindex * 341 ipsec_getsaidx(struct ipsec_softc *sc, int dir, sa_family_t af) 342 { 343 struct secpolicy *sp; 344 345 sp = ipsec_getpolicy(sc, dir, af); 346 if (sp == NULL) 347 return (NULL); 348 return (&sp->req[0]->saidx); 349 } 350 351 static int 352 ipsec_transmit(struct ifnet *ifp, struct mbuf *m) 353 { 354 IPSEC_RLOCK_TRACKER; 355 struct ipsec_softc *sc; 356 struct secpolicy *sp; 357 struct ip *ip; 358 uint32_t af; 359 int error; 360 361 IPSEC_RLOCK(); 362 #ifdef MAC 363 error = mac_ifnet_check_transmit(ifp, m); 364 if (error) { 365 m_freem(m); 366 goto err; 367 } 368 #endif 369 error = ENETDOWN; 370 sc = ifp->if_softc; 371 if ((ifp->if_drv_flags & IFF_DRV_RUNNING) == 0 || 372 (ifp->if_flags & IFF_MONITOR) != 0 || 373 (ifp->if_flags & IFF_UP) == 0 || sc->family == 0) { 374 m_freem(m); 375 goto err; 376 } 377 378 /* Determine address family to correctly handle packet in BPF */ 379 ip = mtod(m, struct ip *); 380 switch (ip->ip_v) { 381 #ifdef INET 382 case IPVERSION: 383 af = AF_INET; 384 break; 385 #endif 386 #ifdef INET6 387 case (IPV6_VERSION >> 4): 388 af = AF_INET6; 389 break; 390 #endif 391 default: 392 error = EAFNOSUPPORT; 393 m_freem(m); 394 goto err; 395 } 396 397 /* 398 * Loop prevention. 399 * XXX: for now just check presence of IPSEC_OUT_DONE mbuf tag. 400 * We can read full chain and compare destination address, 401 * proto and mode from xform_history with values from softc. 402 */ 403 if (m_tag_find(m, PACKET_TAG_IPSEC_OUT_DONE, NULL) != NULL) { 404 m_freem(m); 405 goto err; 406 } 407 408 sp = ipsec_getpolicy(sc, IPSEC_DIR_OUTBOUND, af); 409 key_addref(sp); 410 M_SETFIB(m, sc->fibnum); 411 412 BPF_MTAP2(ifp, &af, sizeof(af), m); 413 if_inc_counter(ifp, IFCOUNTER_OPACKETS, 1); 414 if_inc_counter(ifp, IFCOUNTER_OBYTES, m->m_pkthdr.len); 415 416 switch (af) { 417 #ifdef INET 418 case AF_INET: 419 error = ipsec4_process_packet(m, sp, NULL); 420 break; 421 #endif 422 #ifdef INET6 423 case AF_INET6: 424 error = ipsec6_process_packet(m, sp, NULL); 425 break; 426 #endif 427 default: 428 panic("%s: unknown address family\n", __func__); 429 } 430 err: 431 if (error != 0) 432 if_inc_counter(ifp, IFCOUNTER_OERRORS, 1); 433 IPSEC_RUNLOCK(); 434 return (error); 435 } 436 437 static void 438 ipsec_qflush(struct ifnet *ifp __unused) 439 { 440 441 } 442 443 static int 444 ipsec_output(struct ifnet *ifp, struct mbuf *m, const struct sockaddr *dst, 445 struct route *ro) 446 { 447 448 return (ifp->if_transmit(ifp, m)); 449 } 450 451 int 452 ipsec_if_input(struct mbuf *m, struct secasvar *sav, uint32_t af) 453 { 454 IPSEC_RLOCK_TRACKER; 455 struct secasindex *saidx; 456 struct ipsec_softc *sc; 457 struct ifnet *ifp; 458 459 if (sav->state != SADB_SASTATE_MATURE && 460 sav->state != SADB_SASTATE_DYING) { 461 m_freem(m); 462 return (ENETDOWN); 463 } 464 465 if (sav->sah->saidx.mode != IPSEC_MODE_TUNNEL || 466 sav->sah->saidx.proto != IPPROTO_ESP) 467 return (0); 468 469 IPSEC_RLOCK(); 470 CK_LIST_FOREACH(sc, ipsec_idhash(sav->sah->saidx.reqid), idhash) { 471 if (sc->family == 0) 472 continue; 473 saidx = ipsec_getsaidx(sc, IPSEC_DIR_INBOUND, 474 sav->sah->saidx.src.sa.sa_family); 475 /* SA's reqid should match reqid in SP */ 476 if (saidx == NULL || 477 sav->sah->saidx.reqid != saidx->reqid) 478 continue; 479 /* SAH's addresses should match tunnel endpoints. */ 480 if (key_sockaddrcmp(&sav->sah->saidx.dst.sa, 481 &saidx->dst.sa, 0) != 0) 482 continue; 483 if (key_sockaddrcmp(&sav->sah->saidx.src.sa, 484 &saidx->src.sa, 0) == 0) 485 break; 486 } 487 if (sc == NULL) { 488 IPSEC_RUNLOCK(); 489 /* Tunnel was not found. Nothing to do. */ 490 return (0); 491 } 492 ifp = sc->ifp; 493 if ((ifp->if_drv_flags & IFF_DRV_RUNNING) == 0 || 494 (ifp->if_flags & IFF_UP) == 0) { 495 IPSEC_RUNLOCK(); 496 m_freem(m); 497 return (ENETDOWN); 498 } 499 /* 500 * We found matching and working tunnel. 501 * Set its ifnet as receiving interface. 502 */ 503 m->m_pkthdr.rcvif = ifp; 504 505 m_clrprotoflags(m); 506 M_SETFIB(m, ifp->if_fib); 507 BPF_MTAP2(ifp, &af, sizeof(af), m); 508 if_inc_counter(ifp, IFCOUNTER_IPACKETS, 1); 509 if_inc_counter(ifp, IFCOUNTER_IBYTES, m->m_pkthdr.len); 510 if ((ifp->if_flags & IFF_MONITOR) != 0) { 511 IPSEC_RUNLOCK(); 512 m_freem(m); 513 return (ENETDOWN); 514 } 515 IPSEC_RUNLOCK(); 516 return (0); 517 } 518 519 static int 520 ipsec_ioctl(struct ifnet *ifp, u_long cmd, caddr_t data) 521 { 522 struct ifreq *ifr = (struct ifreq*)data; 523 struct sockaddr *dst, *src; 524 struct ipsec_softc *sc; 525 struct secasindex *saidx; 526 #ifdef INET 527 struct sockaddr_in *sin = NULL; 528 #endif 529 #ifdef INET6 530 struct sockaddr_in6 *sin6 = NULL; 531 #endif 532 uint32_t reqid; 533 int error; 534 535 switch (cmd) { 536 case SIOCSIFADDR: 537 ifp->if_flags |= IFF_UP; 538 case SIOCADDMULTI: 539 case SIOCDELMULTI: 540 case SIOCGIFMTU: 541 case SIOCSIFFLAGS: 542 return (0); 543 case SIOCSIFMTU: 544 if (ifr->ifr_mtu < IPSEC_MTU_MIN || 545 ifr->ifr_mtu > IPSEC_MTU_MAX) 546 return (EINVAL); 547 else 548 ifp->if_mtu = ifr->ifr_mtu; 549 return (0); 550 } 551 sx_xlock(&ipsec_ioctl_sx); 552 sc = ifp->if_softc; 553 /* Check that softc is still here */ 554 if (sc == NULL) { 555 error = ENXIO; 556 goto bad; 557 } 558 error = 0; 559 switch (cmd) { 560 case SIOCSIFPHYADDR: 561 #ifdef INET6 562 case SIOCSIFPHYADDR_IN6: 563 #endif 564 error = EINVAL; 565 switch (cmd) { 566 #ifdef INET 567 case SIOCSIFPHYADDR: 568 src = (struct sockaddr *) 569 &(((struct in_aliasreq *)data)->ifra_addr); 570 dst = (struct sockaddr *) 571 &(((struct in_aliasreq *)data)->ifra_dstaddr); 572 break; 573 #endif 574 #ifdef INET6 575 case SIOCSIFPHYADDR_IN6: 576 src = (struct sockaddr *) 577 &(((struct in6_aliasreq *)data)->ifra_addr); 578 dst = (struct sockaddr *) 579 &(((struct in6_aliasreq *)data)->ifra_dstaddr); 580 break; 581 #endif 582 default: 583 goto bad; 584 } 585 /* sa_family must be equal */ 586 if (src->sa_family != dst->sa_family || 587 src->sa_len != dst->sa_len) 588 goto bad; 589 590 /* validate sa_len */ 591 switch (src->sa_family) { 592 #ifdef INET 593 case AF_INET: 594 if (src->sa_len != sizeof(struct sockaddr_in)) 595 goto bad; 596 break; 597 #endif 598 #ifdef INET6 599 case AF_INET6: 600 if (src->sa_len != sizeof(struct sockaddr_in6)) 601 goto bad; 602 break; 603 #endif 604 default: 605 error = EAFNOSUPPORT; 606 goto bad; 607 } 608 /* check sa_family looks sane for the cmd */ 609 error = EAFNOSUPPORT; 610 switch (cmd) { 611 #ifdef INET 612 case SIOCSIFPHYADDR: 613 if (src->sa_family == AF_INET) 614 break; 615 goto bad; 616 #endif 617 #ifdef INET6 618 case SIOCSIFPHYADDR_IN6: 619 if (src->sa_family == AF_INET6) 620 break; 621 goto bad; 622 #endif 623 } 624 error = EADDRNOTAVAIL; 625 switch (src->sa_family) { 626 #ifdef INET 627 case AF_INET: 628 if (satosin(src)->sin_addr.s_addr == INADDR_ANY || 629 satosin(dst)->sin_addr.s_addr == INADDR_ANY) 630 goto bad; 631 break; 632 #endif 633 #ifdef INET6 634 case AF_INET6: 635 if (IN6_IS_ADDR_UNSPECIFIED( 636 &satosin6(src)->sin6_addr) || 637 IN6_IS_ADDR_UNSPECIFIED( 638 &satosin6(dst)->sin6_addr)) 639 goto bad; 640 /* 641 * Check validity of the scope zone ID of the 642 * addresses, and convert it into the kernel 643 * internal form if necessary. 644 */ 645 error = sa6_embedscope(satosin6(src), 0); 646 if (error != 0) 647 goto bad; 648 error = sa6_embedscope(satosin6(dst), 0); 649 if (error != 0) 650 goto bad; 651 #endif 652 }; 653 error = ipsec_set_addresses(ifp, src, dst); 654 break; 655 case SIOCDIFPHYADDR: 656 ipsec_delete_tunnel(sc); 657 break; 658 case SIOCGIFPSRCADDR: 659 case SIOCGIFPDSTADDR: 660 #ifdef INET6 661 case SIOCGIFPSRCADDR_IN6: 662 case SIOCGIFPDSTADDR_IN6: 663 #endif 664 if (sc->family == 0) { 665 error = EADDRNOTAVAIL; 666 break; 667 } 668 saidx = ipsec_getsaidx(sc, IPSEC_DIR_OUTBOUND, sc->family); 669 switch (cmd) { 670 #ifdef INET 671 case SIOCGIFPSRCADDR: 672 case SIOCGIFPDSTADDR: 673 if (saidx->src.sa.sa_family != AF_INET) { 674 error = EADDRNOTAVAIL; 675 break; 676 } 677 sin = (struct sockaddr_in *)&ifr->ifr_addr; 678 memset(sin, 0, sizeof(*sin)); 679 sin->sin_family = AF_INET; 680 sin->sin_len = sizeof(*sin); 681 break; 682 #endif 683 #ifdef INET6 684 case SIOCGIFPSRCADDR_IN6: 685 case SIOCGIFPDSTADDR_IN6: 686 if (saidx->src.sa.sa_family != AF_INET6) { 687 error = EADDRNOTAVAIL; 688 break; 689 } 690 sin6 = (struct sockaddr_in6 *) 691 &(((struct in6_ifreq *)data)->ifr_addr); 692 memset(sin6, 0, sizeof(*sin6)); 693 sin6->sin6_family = AF_INET6; 694 sin6->sin6_len = sizeof(*sin6); 695 break; 696 #endif 697 default: 698 error = EAFNOSUPPORT; 699 } 700 if (error == 0) { 701 switch (cmd) { 702 #ifdef INET 703 case SIOCGIFPSRCADDR: 704 sin->sin_addr = saidx->src.sin.sin_addr; 705 break; 706 case SIOCGIFPDSTADDR: 707 sin->sin_addr = saidx->dst.sin.sin_addr; 708 break; 709 #endif 710 #ifdef INET6 711 case SIOCGIFPSRCADDR_IN6: 712 sin6->sin6_addr = saidx->src.sin6.sin6_addr; 713 break; 714 case SIOCGIFPDSTADDR_IN6: 715 sin6->sin6_addr = saidx->dst.sin6.sin6_addr; 716 break; 717 #endif 718 } 719 } 720 if (error != 0) 721 break; 722 switch (cmd) { 723 #ifdef INET 724 case SIOCGIFPSRCADDR: 725 case SIOCGIFPDSTADDR: 726 error = prison_if(curthread->td_ucred, 727 (struct sockaddr *)sin); 728 if (error != 0) 729 memset(sin, 0, sizeof(*sin)); 730 break; 731 #endif 732 #ifdef INET6 733 case SIOCGIFPSRCADDR_IN6: 734 case SIOCGIFPDSTADDR_IN6: 735 error = prison_if(curthread->td_ucred, 736 (struct sockaddr *)sin6); 737 if (error == 0) 738 error = sa6_recoverscope(sin6); 739 if (error != 0) 740 memset(sin6, 0, sizeof(*sin6)); 741 #endif 742 } 743 break; 744 case SIOCGTUNFIB: 745 ifr->ifr_fib = sc->fibnum; 746 break; 747 case SIOCSTUNFIB: 748 if ((error = priv_check(curthread, PRIV_NET_SETIFFIB)) != 0) 749 break; 750 if (ifr->ifr_fib >= rt_numfibs) 751 error = EINVAL; 752 else 753 sc->fibnum = ifr->ifr_fib; 754 break; 755 case IPSECGREQID: 756 reqid = sc->reqid; 757 error = copyout(&reqid, ifr_data_get_ptr(ifr), sizeof(reqid)); 758 break; 759 case IPSECSREQID: 760 if ((error = priv_check(curthread, PRIV_NET_SETIFCAP)) != 0) 761 break; 762 error = copyin(ifr_data_get_ptr(ifr), &reqid, sizeof(reqid)); 763 if (error != 0) 764 break; 765 error = ipsec_set_reqid(sc, reqid); 766 break; 767 default: 768 error = EINVAL; 769 break; 770 } 771 bad: 772 sx_xunlock(&ipsec_ioctl_sx); 773 return (error); 774 } 775 776 /* 777 * Check that ingress address belongs to local host. 778 */ 779 static void 780 ipsec_set_running(struct ipsec_softc *sc) 781 { 782 struct secasindex *saidx; 783 int localip; 784 785 saidx = ipsec_getsaidx(sc, IPSEC_DIR_OUTBOUND, sc->family); 786 localip = 0; 787 switch (sc->family) { 788 #ifdef INET 789 case AF_INET: 790 localip = in_localip(saidx->src.sin.sin_addr); 791 break; 792 #endif 793 #ifdef INET6 794 case AF_INET6: 795 localip = in6_localip(&saidx->src.sin6.sin6_addr); 796 break; 797 #endif 798 } 799 if (localip != 0) 800 sc->ifp->if_drv_flags |= IFF_DRV_RUNNING; 801 else 802 sc->ifp->if_drv_flags &= ~IFF_DRV_RUNNING; 803 } 804 805 /* 806 * ifaddr_event handler. 807 * Clear IFF_DRV_RUNNING flag when ingress address disappears to prevent 808 * source address spoofing. 809 */ 810 static void 811 ipsec_srcaddr(void *arg __unused, const struct sockaddr *sa, 812 int event __unused) 813 { 814 struct ipsec_softc *sc; 815 struct secasindex *saidx; 816 817 /* Check that VNET is ready */ 818 if (V_ipsec_idhtbl == NULL) 819 return; 820 821 NET_EPOCH_ASSERT(); 822 CK_LIST_FOREACH(sc, ipsec_srchash(sa), srchash) { 823 if (sc->family == 0) 824 continue; 825 saidx = ipsec_getsaidx(sc, IPSEC_DIR_OUTBOUND, sa->sa_family); 826 if (saidx == NULL || 827 key_sockaddrcmp(&saidx->src.sa, sa, 0) != 0) 828 continue; 829 ipsec_set_running(sc); 830 } 831 } 832 833 /* 834 * Allocate new private security policies for tunneling interface. 835 * Each tunneling interface has following security policies for 836 * both AF: 837 * 0.0.0.0/0[any] 0.0.0.0/0[any] -P in \ 838 * ipsec esp/tunnel/RemoteIP-LocalIP/unique:reqid 839 * 0.0.0.0/0[any] 0.0.0.0/0[any] -P out \ 840 * ipsec esp/tunnel/LocalIP-RemoteIP/unique:reqid 841 */ 842 static int 843 ipsec_newpolicies(struct ipsec_softc *sc, struct secpolicy *sp[IPSEC_SPCOUNT], 844 const struct sockaddr *src, const struct sockaddr *dst, uint32_t reqid) 845 { 846 struct ipsecrequest *isr; 847 int i; 848 849 memset(sp, 0, sizeof(struct secpolicy *) * IPSEC_SPCOUNT); 850 for (i = 0; i < IPSEC_SPCOUNT; i++) { 851 if ((sp[i] = key_newsp()) == NULL) 852 goto fail; 853 if ((isr = ipsec_newisr()) == NULL) 854 goto fail; 855 856 sp[i]->policy = IPSEC_POLICY_IPSEC; 857 sp[i]->state = IPSEC_SPSTATE_DEAD; 858 sp[i]->req[sp[i]->tcount++] = isr; 859 sp[i]->created = time_second; 860 /* Use priority field to store if_index */ 861 sp[i]->priority = sc->ifp->if_index; 862 isr->level = IPSEC_LEVEL_UNIQUE; 863 isr->saidx.proto = IPPROTO_ESP; 864 isr->saidx.mode = IPSEC_MODE_TUNNEL; 865 isr->saidx.reqid = reqid; 866 if (i % 2 == 0) { 867 sp[i]->spidx.dir = IPSEC_DIR_INBOUND; 868 bcopy(src, &isr->saidx.dst, src->sa_len); 869 bcopy(dst, &isr->saidx.src, dst->sa_len); 870 } else { 871 sp[i]->spidx.dir = IPSEC_DIR_OUTBOUND; 872 bcopy(src, &isr->saidx.src, src->sa_len); 873 bcopy(dst, &isr->saidx.dst, dst->sa_len); 874 } 875 sp[i]->spidx.ul_proto = IPSEC_ULPROTO_ANY; 876 #ifdef INET 877 if (i < 2) { 878 sp[i]->spidx.src.sa.sa_family = 879 sp[i]->spidx.dst.sa.sa_family = AF_INET; 880 sp[i]->spidx.src.sa.sa_len = 881 sp[i]->spidx.dst.sa.sa_len = 882 sizeof(struct sockaddr_in); 883 continue; 884 } 885 #endif 886 #ifdef INET6 887 sp[i]->spidx.src.sa.sa_family = 888 sp[i]->spidx.dst.sa.sa_family = AF_INET6; 889 sp[i]->spidx.src.sa.sa_len = 890 sp[i]->spidx.dst.sa.sa_len = sizeof(struct sockaddr_in6); 891 #endif 892 } 893 return (0); 894 fail: 895 for (i = 0; i < IPSEC_SPCOUNT; i++) 896 key_freesp(&sp[i]); 897 return (ENOMEM); 898 } 899 900 static int 901 ipsec_check_reqid(uint32_t reqid) 902 { 903 struct ipsec_softc *sc; 904 905 sx_assert(&ipsec_ioctl_sx, SA_XLOCKED); 906 CK_LIST_FOREACH(sc, ipsec_idhash(reqid), idhash) { 907 if (sc->reqid == reqid) 908 return (EEXIST); 909 } 910 return (0); 911 } 912 913 /* 914 * We use key_newreqid() to automatically obtain unique reqid. 915 * Then we check that given id is unique, i.e. it is not used by 916 * another if_ipsec(4) interface. This macro limits the number of 917 * tries to get unique id. 918 */ 919 #define IPSEC_REQID_TRYCNT 64 920 static int 921 ipsec_init_reqid(struct ipsec_softc *sc) 922 { 923 uint32_t reqid; 924 int trycount; 925 926 sx_assert(&ipsec_ioctl_sx, SA_XLOCKED); 927 if (sc->reqid != 0) /* already initialized */ 928 return (0); 929 930 trycount = IPSEC_REQID_TRYCNT; 931 while (--trycount > 0) { 932 reqid = key_newreqid(); 933 if (ipsec_check_reqid(reqid) == 0) 934 break; 935 } 936 if (trycount == 0) 937 return (EEXIST); 938 sc->reqid = reqid; 939 CK_LIST_INSERT_HEAD(ipsec_idhash(reqid), sc, idhash); 940 return (0); 941 } 942 943 /* 944 * Set or update reqid for given tunneling interface. 945 * When specified reqid is zero, generate new one. 946 * We are protected by ioctl_sx lock from concurrent id generation. 947 * Also softc would not disappear while we hold ioctl_sx lock. 948 */ 949 static int 950 ipsec_set_reqid(struct ipsec_softc *sc, uint32_t reqid) 951 { 952 struct secasindex *saidx; 953 954 sx_assert(&ipsec_ioctl_sx, SA_XLOCKED); 955 956 if (sc->reqid == reqid && reqid != 0) 957 return (0); 958 959 if (reqid != 0) { 960 /* Check that specified reqid doesn't exist */ 961 if (ipsec_check_reqid(reqid) != 0) 962 return (EEXIST); 963 if (sc->reqid != 0) { 964 CK_LIST_REMOVE(sc, idhash); 965 IPSEC_WAIT(); 966 } 967 sc->reqid = reqid; 968 CK_LIST_INSERT_HEAD(ipsec_idhash(reqid), sc, idhash); 969 } else { 970 /* Generate new reqid */ 971 if (ipsec_init_reqid(sc) != 0) 972 return (EEXIST); 973 } 974 975 /* Tunnel isn't fully configured, just return. */ 976 if (sc->family == 0) 977 return (0); 978 979 saidx = ipsec_getsaidx(sc, IPSEC_DIR_OUTBOUND, sc->family); 980 KASSERT(saidx != NULL, 981 ("saidx is NULL, but family is %d", sc->family)); 982 return (ipsec_set_tunnel(sc, &saidx->src.sa, &saidx->dst.sa, 983 sc->reqid)); 984 } 985 986 /* 987 * Set tunnel endpoints addresses. 988 */ 989 static int 990 ipsec_set_addresses(struct ifnet *ifp, struct sockaddr *src, 991 struct sockaddr *dst) 992 { 993 struct ipsec_softc *sc; 994 struct secasindex *saidx; 995 996 sx_assert(&ipsec_ioctl_sx, SA_XLOCKED); 997 998 sc = ifp->if_softc; 999 if (sc->family != 0) { 1000 saidx = ipsec_getsaidx(sc, IPSEC_DIR_OUTBOUND, 1001 src->sa_family); 1002 if (saidx != NULL && saidx->reqid == sc->reqid && 1003 key_sockaddrcmp(&saidx->src.sa, src, 0) == 0 && 1004 key_sockaddrcmp(&saidx->dst.sa, dst, 0) == 0) 1005 return (0); /* Nothing has been changed. */ 1006 } 1007 /* If reqid is not set, generate new one. */ 1008 if (ipsec_init_reqid(sc) != 0) 1009 return (EEXIST); 1010 return (ipsec_set_tunnel(sc, src, dst, sc->reqid)); 1011 } 1012 1013 static int 1014 ipsec_set_tunnel(struct ipsec_softc *sc, struct sockaddr *src, 1015 struct sockaddr *dst, uint32_t reqid) 1016 { 1017 struct secpolicy *sp[IPSEC_SPCOUNT]; 1018 int i; 1019 1020 sx_assert(&ipsec_ioctl_sx, SA_XLOCKED); 1021 1022 /* Allocate SP with new addresses. */ 1023 if (ipsec_newpolicies(sc, sp, src, dst, reqid) == 0) { 1024 /* Add new policies to SPDB */ 1025 if (key_register_ifnet(sp, IPSEC_SPCOUNT) != 0) { 1026 for (i = 0; i < IPSEC_SPCOUNT; i++) 1027 key_freesp(&sp[i]); 1028 return (EAGAIN); 1029 } 1030 if (sc->family != 0) 1031 ipsec_delete_tunnel(sc); 1032 for (i = 0; i < IPSEC_SPCOUNT; i++) 1033 sc->sp[i] = sp[i]; 1034 sc->family = src->sa_family; 1035 CK_LIST_INSERT_HEAD(ipsec_srchash(src), sc, srchash); 1036 } else { 1037 sc->ifp->if_drv_flags &= ~IFF_DRV_RUNNING; 1038 return (ENOMEM); 1039 } 1040 ipsec_set_running(sc); 1041 return (0); 1042 } 1043 1044 static void 1045 ipsec_delete_tunnel(struct ipsec_softc *sc) 1046 { 1047 int i; 1048 1049 sx_assert(&ipsec_ioctl_sx, SA_XLOCKED); 1050 1051 sc->ifp->if_drv_flags &= ~IFF_DRV_RUNNING; 1052 if (sc->family != 0) { 1053 CK_LIST_REMOVE(sc, srchash); 1054 sc->family = 0; 1055 /* 1056 * Make sure that ipsec_if_input() will not do access 1057 * to softc's policies. 1058 */ 1059 IPSEC_WAIT(); 1060 1061 key_unregister_ifnet(sc->sp, IPSEC_SPCOUNT); 1062 for (i = 0; i < IPSEC_SPCOUNT; i++) 1063 key_freesp(&sc->sp[i]); 1064 } 1065 } 1066