1 /*- 2 * Copyright (c) 2016-2018 Yandex LLC 3 * Copyright (c) 2016-2018 Andrey V. Elsukov <ae@FreeBSD.org> 4 * All rights reserved. 5 * 6 * Redistribution and use in source and binary forms, with or without 7 * modification, are permitted provided that the following conditions 8 * are met: 9 * 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 2. Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer in the 14 * documentation and/or other materials provided with the distribution. 15 * 16 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 17 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 18 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 19 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 20 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 21 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 22 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 23 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 24 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 25 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 26 */ 27 28 #include <sys/cdefs.h> 29 #include "opt_inet.h" 30 #include "opt_inet6.h" 31 #include "opt_ipsec.h" 32 33 #include <sys/param.h> 34 #include <sys/systm.h> 35 #include <sys/kernel.h> 36 #include <sys/fnv_hash.h> 37 #include <sys/jail.h> 38 #include <sys/lock.h> 39 #include <sys/malloc.h> 40 #include <sys/mbuf.h> 41 #include <sys/module.h> 42 #include <sys/socket.h> 43 #include <sys/sockio.h> 44 #include <sys/sx.h> 45 #include <sys/errno.h> 46 #include <sys/sysctl.h> 47 #include <sys/priv.h> 48 #include <sys/proc.h> 49 #include <sys/conf.h> 50 51 #include <net/if.h> 52 #include <net/if_var.h> 53 #include <net/if_private.h> 54 #include <net/if_clone.h> 55 #include <net/if_types.h> 56 #include <net/bpf.h> 57 #include <net/route.h> 58 #include <net/vnet.h> 59 60 #include <netinet/in.h> 61 #include <netinet/in_var.h> 62 #include <netinet/ip.h> 63 #include <netinet/ip_encap.h> 64 65 #include <netinet/ip6.h> 66 #include <netinet6/in6_var.h> 67 #include <netinet6/scope6_var.h> 68 69 #include <netipsec/ipsec.h> 70 #ifdef INET6 71 #include <netipsec/ipsec6.h> 72 #endif 73 74 #include <net/if_ipsec.h> 75 #include <netipsec/key.h> 76 77 #include <security/mac/mac_framework.h> 78 79 static MALLOC_DEFINE(M_IPSEC, "ipsec", "IPsec Virtual Tunnel Interface"); 80 static const char ipsecname[] = "ipsec"; 81 82 #if defined(INET) && defined(INET6) 83 #define IPSEC_SPCOUNT 4 84 #else 85 #define IPSEC_SPCOUNT 2 86 #endif 87 88 struct ipsec_softc { 89 struct ifnet *ifp; 90 struct secpolicy *sp[IPSEC_SPCOUNT]; 91 uint32_t reqid; 92 u_int family; 93 u_int fibnum; 94 95 CK_LIST_ENTRY(ipsec_softc) idhash; 96 CK_LIST_ENTRY(ipsec_softc) srchash; 97 }; 98 99 #define IPSEC_RLOCK_TRACKER struct epoch_tracker ipsec_et 100 #define IPSEC_RLOCK() epoch_enter_preempt(net_epoch_preempt, &ipsec_et) 101 #define IPSEC_RUNLOCK() epoch_exit_preempt(net_epoch_preempt, &ipsec_et) 102 #define IPSEC_WAIT() epoch_wait_preempt(net_epoch_preempt) 103 104 #ifndef IPSEC_HASH_SIZE 105 #define IPSEC_HASH_SIZE (1 << 5) 106 #endif 107 108 CK_LIST_HEAD(ipsec_iflist, ipsec_softc); 109 VNET_DEFINE_STATIC(struct ipsec_iflist *, ipsec_idhtbl) = NULL; 110 #define V_ipsec_idhtbl VNET(ipsec_idhtbl) 111 112 #ifdef INET 113 VNET_DEFINE_STATIC(struct ipsec_iflist *, ipsec4_srchtbl) = NULL; 114 #define V_ipsec4_srchtbl VNET(ipsec4_srchtbl) 115 static const struct srcaddrtab *ipsec4_srctab = NULL; 116 #endif 117 118 #ifdef INET6 119 VNET_DEFINE_STATIC(struct ipsec_iflist *, ipsec6_srchtbl) = NULL; 120 #define V_ipsec6_srchtbl VNET(ipsec6_srchtbl) 121 static const struct srcaddrtab *ipsec6_srctab = NULL; 122 #endif 123 124 static struct ipsec_iflist * 125 ipsec_idhash(uint32_t id) 126 { 127 128 return (&V_ipsec_idhtbl[fnv_32_buf(&id, sizeof(id), 129 FNV1_32_INIT) & (IPSEC_HASH_SIZE - 1)]); 130 } 131 132 static struct ipsec_iflist * 133 ipsec_srchash(const struct sockaddr *sa) 134 { 135 uint32_t hval; 136 137 switch (sa->sa_family) { 138 #ifdef INET 139 case AF_INET: 140 hval = fnv_32_buf( 141 &((const struct sockaddr_in *)sa)->sin_addr.s_addr, 142 sizeof(in_addr_t), FNV1_32_INIT); 143 return (&V_ipsec4_srchtbl[hval & (IPSEC_HASH_SIZE - 1)]); 144 #endif 145 #ifdef INET6 146 case AF_INET6: 147 hval = fnv_32_buf( 148 &((const struct sockaddr_in6 *)sa)->sin6_addr, 149 sizeof(struct in6_addr), FNV1_32_INIT); 150 return (&V_ipsec6_srchtbl[hval & (IPSEC_HASH_SIZE - 1)]); 151 #endif 152 } 153 return (NULL); 154 } 155 156 /* 157 * ipsec_ioctl_sx protects from concurrent ioctls. 158 */ 159 static struct sx ipsec_ioctl_sx; 160 SX_SYSINIT(ipsec_ioctl_sx, &ipsec_ioctl_sx, "ipsec_ioctl"); 161 162 static int ipsec_init_reqid(struct ipsec_softc *); 163 static int ipsec_set_tunnel(struct ipsec_softc *, struct sockaddr *, 164 struct sockaddr *, uint32_t); 165 static void ipsec_delete_tunnel(struct ipsec_softc *); 166 167 static int ipsec_set_addresses(struct ifnet *, struct sockaddr *, 168 struct sockaddr *); 169 static int ipsec_set_reqid(struct ipsec_softc *, uint32_t); 170 static void ipsec_set_running(struct ipsec_softc *); 171 172 #ifdef VIMAGE 173 static void ipsec_reassign(struct ifnet *, struct vnet *, char *); 174 #endif 175 static void ipsec_srcaddr(void *, const struct sockaddr *, int); 176 static int ipsec_ioctl(struct ifnet *, u_long, caddr_t); 177 static int ipsec_transmit(struct ifnet *, struct mbuf *); 178 static int ipsec_output(struct ifnet *, struct mbuf *, 179 const struct sockaddr *, struct route *); 180 static void ipsec_qflush(struct ifnet *); 181 static int ipsec_clone_create(struct if_clone *, int, caddr_t); 182 static void ipsec_clone_destroy(struct ifnet *); 183 184 VNET_DEFINE_STATIC(struct if_clone *, ipsec_cloner); 185 #define V_ipsec_cloner VNET(ipsec_cloner) 186 187 static int 188 ipsec_clone_create(struct if_clone *ifc, int unit, caddr_t params) 189 { 190 struct ipsec_softc *sc; 191 struct ifnet *ifp; 192 193 sc = malloc(sizeof(*sc), M_IPSEC, M_WAITOK | M_ZERO); 194 sc->fibnum = curthread->td_proc->p_fibnum; 195 sc->ifp = ifp = if_alloc(IFT_TUNNEL); 196 ifp->if_softc = sc; 197 if_initname(ifp, ipsecname, unit); 198 199 ifp->if_addrlen = 0; 200 ifp->if_mtu = IPSEC_MTU; 201 ifp->if_flags = IFF_POINTOPOINT | IFF_MULTICAST; 202 ifp->if_ioctl = ipsec_ioctl; 203 ifp->if_transmit = ipsec_transmit; 204 ifp->if_qflush = ipsec_qflush; 205 ifp->if_output = ipsec_output; 206 #ifdef VIMAGE 207 ifp->if_reassign = ipsec_reassign; 208 #endif 209 if_attach(ifp); 210 bpfattach(ifp, DLT_NULL, sizeof(uint32_t)); 211 212 return (0); 213 } 214 215 #ifdef VIMAGE 216 static void 217 ipsec_reassign(struct ifnet *ifp, struct vnet *new_vnet __unused, 218 char *unused __unused) 219 { 220 struct ipsec_softc *sc; 221 222 sx_xlock(&ipsec_ioctl_sx); 223 sc = ifp->if_softc; 224 if (sc != NULL) 225 ipsec_delete_tunnel(sc); 226 sx_xunlock(&ipsec_ioctl_sx); 227 } 228 #endif /* VIMAGE */ 229 230 static void 231 ipsec_clone_destroy(struct ifnet *ifp) 232 { 233 struct ipsec_softc *sc; 234 235 sx_xlock(&ipsec_ioctl_sx); 236 sc = ifp->if_softc; 237 ipsec_delete_tunnel(sc); 238 /* 239 * Delete softc from idhash on interface destroy, since 240 * ipsec_delete_tunnel() keeps reqid unchanged. 241 */ 242 if (sc->reqid != 0) 243 CK_LIST_REMOVE(sc, idhash); 244 bpfdetach(ifp); 245 if_detach(ifp); 246 ifp->if_softc = NULL; 247 sx_xunlock(&ipsec_ioctl_sx); 248 249 IPSEC_WAIT(); 250 if_free(ifp); 251 free(sc, M_IPSEC); 252 } 253 254 static struct ipsec_iflist * 255 ipsec_hashinit(void) 256 { 257 struct ipsec_iflist *hash; 258 int i; 259 260 hash = malloc(sizeof(struct ipsec_iflist) * IPSEC_HASH_SIZE, 261 M_IPSEC, M_WAITOK); 262 for (i = 0; i < IPSEC_HASH_SIZE; i++) 263 CK_LIST_INIT(&hash[i]); 264 265 return (hash); 266 } 267 268 static void 269 vnet_ipsec_init(const void *unused __unused) 270 { 271 272 V_ipsec_idhtbl = ipsec_hashinit(); 273 #ifdef INET 274 V_ipsec4_srchtbl = ipsec_hashinit(); 275 if (IS_DEFAULT_VNET(curvnet)) 276 ipsec4_srctab = ip_encap_register_srcaddr(ipsec_srcaddr, 277 NULL, M_WAITOK); 278 #endif 279 #ifdef INET6 280 V_ipsec6_srchtbl = ipsec_hashinit(); 281 if (IS_DEFAULT_VNET(curvnet)) 282 ipsec6_srctab = ip6_encap_register_srcaddr(ipsec_srcaddr, 283 NULL, M_WAITOK); 284 #endif 285 V_ipsec_cloner = if_clone_simple(ipsecname, ipsec_clone_create, 286 ipsec_clone_destroy, 0); 287 } 288 VNET_SYSINIT(vnet_ipsec_init, SI_SUB_PROTO_IFATTACHDOMAIN, SI_ORDER_ANY, 289 vnet_ipsec_init, NULL); 290 291 static void 292 vnet_ipsec_uninit(const void *unused __unused) 293 { 294 295 if_clone_detach(V_ipsec_cloner); 296 free(V_ipsec_idhtbl, M_IPSEC); 297 /* 298 * Use V_ipsec_idhtbl pointer as indicator that VNET is going to be 299 * destroyed, it is used by ipsec_srcaddr() callback. 300 */ 301 V_ipsec_idhtbl = NULL; 302 IPSEC_WAIT(); 303 304 #ifdef INET 305 if (IS_DEFAULT_VNET(curvnet)) 306 ip_encap_unregister_srcaddr(ipsec4_srctab); 307 free(V_ipsec4_srchtbl, M_IPSEC); 308 #endif 309 #ifdef INET6 310 if (IS_DEFAULT_VNET(curvnet)) 311 ip6_encap_unregister_srcaddr(ipsec6_srctab); 312 free(V_ipsec6_srchtbl, M_IPSEC); 313 #endif 314 } 315 VNET_SYSUNINIT(vnet_ipsec_uninit, SI_SUB_PROTO_IFATTACHDOMAIN, SI_ORDER_ANY, 316 vnet_ipsec_uninit, NULL); 317 318 static struct secpolicy * 319 ipsec_getpolicy(struct ipsec_softc *sc, int dir, sa_family_t af) 320 { 321 322 switch (af) { 323 #ifdef INET 324 case AF_INET: 325 return (sc->sp[(dir == IPSEC_DIR_INBOUND ? 0: 1)]); 326 #endif 327 #ifdef INET6 328 case AF_INET6: 329 return (sc->sp[(dir == IPSEC_DIR_INBOUND ? 0: 1) 330 #ifdef INET 331 + 2 332 #endif 333 ]); 334 #endif 335 } 336 return (NULL); 337 } 338 339 static struct secasindex * 340 ipsec_getsaidx(struct ipsec_softc *sc, int dir, sa_family_t af) 341 { 342 struct secpolicy *sp; 343 344 sp = ipsec_getpolicy(sc, dir, af); 345 if (sp == NULL) 346 return (NULL); 347 return (&sp->req[0]->saidx); 348 } 349 350 static int 351 ipsec_transmit(struct ifnet *ifp, struct mbuf *m) 352 { 353 IPSEC_RLOCK_TRACKER; 354 struct ipsec_softc *sc; 355 struct secpolicy *sp; 356 struct ip *ip, iph; 357 uint32_t af; 358 int error; 359 360 IPSEC_RLOCK(); 361 #ifdef MAC 362 error = mac_ifnet_check_transmit(ifp, m); 363 if (error) { 364 m_freem(m); 365 goto err; 366 } 367 #endif 368 error = ENETDOWN; 369 sc = ifp->if_softc; 370 if ((ifp->if_drv_flags & IFF_DRV_RUNNING) == 0 || 371 (ifp->if_flags & IFF_MONITOR) != 0 || 372 (ifp->if_flags & IFF_UP) == 0 || sc->family == 0) { 373 m_freem(m); 374 goto err; 375 } 376 377 /* Determine address family to correctly handle packet in BPF */ 378 ip = &iph; 379 m_copydata(m, 0, sizeof(*ip), (char *)ip); 380 switch (ip->ip_v) { 381 #ifdef INET 382 case IPVERSION: 383 af = AF_INET; 384 break; 385 #endif 386 #ifdef INET6 387 case (IPV6_VERSION >> 4): 388 af = AF_INET6; 389 break; 390 #endif 391 default: 392 error = EAFNOSUPPORT; 393 m_freem(m); 394 goto err; 395 } 396 397 /* 398 * Loop prevention. 399 * XXX: for now just check presence of IPSEC_OUT_DONE mbuf tag. 400 * We can read full chain and compare destination address, 401 * proto and mode from xform_history with values from softc. 402 */ 403 if (m_tag_find(m, PACKET_TAG_IPSEC_OUT_DONE, NULL) != NULL) { 404 m_freem(m); 405 goto err; 406 } 407 408 sp = ipsec_getpolicy(sc, IPSEC_DIR_OUTBOUND, af); 409 key_addref(sp); 410 M_SETFIB(m, sc->fibnum); 411 412 BPF_MTAP2(ifp, &af, sizeof(af), m); 413 if_inc_counter(ifp, IFCOUNTER_OPACKETS, 1); 414 if_inc_counter(ifp, IFCOUNTER_OBYTES, m->m_pkthdr.len); 415 416 switch (af) { 417 #ifdef INET 418 case AF_INET: 419 error = ipsec4_process_packet(ifp, m, ip, sp, NULL, 420 ifp->if_mtu); 421 break; 422 #endif 423 #ifdef INET6 424 case AF_INET6: 425 error = ipsec6_process_packet(ifp, m, sp, NULL, ifp->if_mtu); 426 break; 427 #endif 428 default: 429 panic("%s: unknown address family\n", __func__); 430 } 431 err: 432 if (error != 0) 433 if_inc_counter(ifp, IFCOUNTER_OERRORS, 1); 434 IPSEC_RUNLOCK(); 435 return (error); 436 } 437 438 static void 439 ipsec_qflush(struct ifnet *ifp __unused) 440 { 441 442 } 443 444 static int 445 ipsec_output(struct ifnet *ifp, struct mbuf *m, const struct sockaddr *dst, 446 struct route *ro) 447 { 448 449 return (ifp->if_transmit(ifp, m)); 450 } 451 452 int 453 ipsec_if_input(struct mbuf *m, struct secasvar *sav, uint32_t af) 454 { 455 IPSEC_RLOCK_TRACKER; 456 struct secasindex *saidx; 457 struct ipsec_softc *sc; 458 struct ifnet *ifp; 459 460 if (sav->state != SADB_SASTATE_MATURE && 461 sav->state != SADB_SASTATE_DYING) { 462 m_freem(m); 463 return (ENETDOWN); 464 } 465 466 if (sav->sah->saidx.mode != IPSEC_MODE_TUNNEL || 467 sav->sah->saidx.proto != IPPROTO_ESP) 468 return (0); 469 470 IPSEC_RLOCK(); 471 CK_LIST_FOREACH(sc, ipsec_idhash(sav->sah->saidx.reqid), idhash) { 472 if (sc->family == 0) 473 continue; 474 saidx = ipsec_getsaidx(sc, IPSEC_DIR_INBOUND, 475 sav->sah->saidx.src.sa.sa_family); 476 /* SA's reqid should match reqid in SP */ 477 if (saidx == NULL || 478 sav->sah->saidx.reqid != saidx->reqid) 479 continue; 480 /* SAH's addresses should match tunnel endpoints. */ 481 if (key_sockaddrcmp(&sav->sah->saidx.dst.sa, 482 &saidx->dst.sa, 0) != 0) 483 continue; 484 if (key_sockaddrcmp(&sav->sah->saidx.src.sa, 485 &saidx->src.sa, 0) == 0) 486 break; 487 } 488 if (sc == NULL) { 489 IPSEC_RUNLOCK(); 490 /* Tunnel was not found. Nothing to do. */ 491 return (0); 492 } 493 ifp = sc->ifp; 494 if ((ifp->if_drv_flags & IFF_DRV_RUNNING) == 0 || 495 (ifp->if_flags & IFF_UP) == 0) { 496 IPSEC_RUNLOCK(); 497 m_freem(m); 498 return (ENETDOWN); 499 } 500 /* 501 * We found matching and working tunnel. 502 * Set its ifnet as receiving interface. 503 */ 504 m->m_pkthdr.rcvif = ifp; 505 506 m_clrprotoflags(m); 507 M_SETFIB(m, ifp->if_fib); 508 BPF_MTAP2(ifp, &af, sizeof(af), m); 509 if_inc_counter(ifp, IFCOUNTER_IPACKETS, 1); 510 if_inc_counter(ifp, IFCOUNTER_IBYTES, m->m_pkthdr.len); 511 if ((ifp->if_flags & IFF_MONITOR) != 0) { 512 IPSEC_RUNLOCK(); 513 m_freem(m); 514 return (ENETDOWN); 515 } 516 IPSEC_RUNLOCK(); 517 return (0); 518 } 519 520 static int 521 ipsec_ioctl(struct ifnet *ifp, u_long cmd, caddr_t data) 522 { 523 struct ifreq *ifr = (struct ifreq*)data; 524 struct sockaddr *dst, *src; 525 struct ipsec_softc *sc; 526 struct secasindex *saidx; 527 #ifdef INET 528 struct sockaddr_in *sin = NULL; 529 #endif 530 #ifdef INET6 531 struct sockaddr_in6 *sin6 = NULL; 532 #endif 533 uint32_t reqid; 534 int error; 535 536 switch (cmd) { 537 case SIOCSIFADDR: 538 ifp->if_flags |= IFF_UP; 539 case SIOCADDMULTI: 540 case SIOCDELMULTI: 541 case SIOCGIFMTU: 542 case SIOCSIFFLAGS: 543 return (0); 544 case SIOCSIFMTU: 545 if (ifr->ifr_mtu < IPSEC_MTU_MIN || 546 ifr->ifr_mtu > IPSEC_MTU_MAX) 547 return (EINVAL); 548 else 549 ifp->if_mtu = ifr->ifr_mtu; 550 return (0); 551 } 552 sx_xlock(&ipsec_ioctl_sx); 553 sc = ifp->if_softc; 554 /* Check that softc is still here */ 555 if (sc == NULL) { 556 error = ENXIO; 557 goto bad; 558 } 559 error = 0; 560 switch (cmd) { 561 case SIOCSIFPHYADDR: 562 #ifdef INET6 563 case SIOCSIFPHYADDR_IN6: 564 #endif 565 error = EINVAL; 566 switch (cmd) { 567 #ifdef INET 568 case SIOCSIFPHYADDR: 569 src = (struct sockaddr *) 570 &(((struct in_aliasreq *)data)->ifra_addr); 571 dst = (struct sockaddr *) 572 &(((struct in_aliasreq *)data)->ifra_dstaddr); 573 break; 574 #endif 575 #ifdef INET6 576 case SIOCSIFPHYADDR_IN6: 577 src = (struct sockaddr *) 578 &(((struct in6_aliasreq *)data)->ifra_addr); 579 dst = (struct sockaddr *) 580 &(((struct in6_aliasreq *)data)->ifra_dstaddr); 581 break; 582 #endif 583 default: 584 goto bad; 585 } 586 /* sa_family must be equal */ 587 if (src->sa_family != dst->sa_family || 588 src->sa_len != dst->sa_len) 589 goto bad; 590 591 /* validate sa_len */ 592 switch (src->sa_family) { 593 #ifdef INET 594 case AF_INET: 595 if (src->sa_len != sizeof(struct sockaddr_in)) 596 goto bad; 597 break; 598 #endif 599 #ifdef INET6 600 case AF_INET6: 601 if (src->sa_len != sizeof(struct sockaddr_in6)) 602 goto bad; 603 break; 604 #endif 605 default: 606 error = EAFNOSUPPORT; 607 goto bad; 608 } 609 /* check sa_family looks sane for the cmd */ 610 error = EAFNOSUPPORT; 611 switch (cmd) { 612 #ifdef INET 613 case SIOCSIFPHYADDR: 614 if (src->sa_family == AF_INET) 615 break; 616 goto bad; 617 #endif 618 #ifdef INET6 619 case SIOCSIFPHYADDR_IN6: 620 if (src->sa_family == AF_INET6) 621 break; 622 goto bad; 623 #endif 624 } 625 error = EADDRNOTAVAIL; 626 switch (src->sa_family) { 627 #ifdef INET 628 case AF_INET: 629 if (satosin(src)->sin_addr.s_addr == INADDR_ANY || 630 satosin(dst)->sin_addr.s_addr == INADDR_ANY) 631 goto bad; 632 break; 633 #endif 634 #ifdef INET6 635 case AF_INET6: 636 if (IN6_IS_ADDR_UNSPECIFIED( 637 &satosin6(src)->sin6_addr) || 638 IN6_IS_ADDR_UNSPECIFIED( 639 &satosin6(dst)->sin6_addr)) 640 goto bad; 641 /* 642 * Check validity of the scope zone ID of the 643 * addresses, and convert it into the kernel 644 * internal form if necessary. 645 */ 646 error = sa6_embedscope(satosin6(src), 0); 647 if (error != 0) 648 goto bad; 649 error = sa6_embedscope(satosin6(dst), 0); 650 if (error != 0) 651 goto bad; 652 #endif 653 }; 654 error = ipsec_set_addresses(ifp, src, dst); 655 break; 656 case SIOCDIFPHYADDR: 657 ipsec_delete_tunnel(sc); 658 break; 659 case SIOCGIFPSRCADDR: 660 case SIOCGIFPDSTADDR: 661 #ifdef INET6 662 case SIOCGIFPSRCADDR_IN6: 663 case SIOCGIFPDSTADDR_IN6: 664 #endif 665 if (sc->family == 0) { 666 error = EADDRNOTAVAIL; 667 break; 668 } 669 saidx = ipsec_getsaidx(sc, IPSEC_DIR_OUTBOUND, sc->family); 670 if (saidx == NULL) { 671 error = ENXIO; 672 break; 673 } 674 switch (cmd) { 675 #ifdef INET 676 case SIOCGIFPSRCADDR: 677 case SIOCGIFPDSTADDR: 678 if (saidx->src.sa.sa_family != AF_INET) { 679 error = EADDRNOTAVAIL; 680 break; 681 } 682 sin = (struct sockaddr_in *)&ifr->ifr_addr; 683 memset(sin, 0, sizeof(*sin)); 684 sin->sin_family = AF_INET; 685 sin->sin_len = sizeof(*sin); 686 break; 687 #endif 688 #ifdef INET6 689 case SIOCGIFPSRCADDR_IN6: 690 case SIOCGIFPDSTADDR_IN6: 691 if (saidx->src.sa.sa_family != AF_INET6) { 692 error = EADDRNOTAVAIL; 693 break; 694 } 695 sin6 = (struct sockaddr_in6 *) 696 &(((struct in6_ifreq *)data)->ifr_addr); 697 memset(sin6, 0, sizeof(*sin6)); 698 sin6->sin6_family = AF_INET6; 699 sin6->sin6_len = sizeof(*sin6); 700 break; 701 #endif 702 default: 703 error = EAFNOSUPPORT; 704 } 705 if (error == 0) { 706 switch (cmd) { 707 #ifdef INET 708 case SIOCGIFPSRCADDR: 709 sin->sin_addr = saidx->src.sin.sin_addr; 710 break; 711 case SIOCGIFPDSTADDR: 712 sin->sin_addr = saidx->dst.sin.sin_addr; 713 break; 714 #endif 715 #ifdef INET6 716 case SIOCGIFPSRCADDR_IN6: 717 sin6->sin6_addr = saidx->src.sin6.sin6_addr; 718 break; 719 case SIOCGIFPDSTADDR_IN6: 720 sin6->sin6_addr = saidx->dst.sin6.sin6_addr; 721 break; 722 #endif 723 } 724 } 725 if (error != 0) 726 break; 727 switch (cmd) { 728 #ifdef INET 729 case SIOCGIFPSRCADDR: 730 case SIOCGIFPDSTADDR: 731 error = prison_if(curthread->td_ucred, 732 (struct sockaddr *)sin); 733 if (error != 0) 734 memset(sin, 0, sizeof(*sin)); 735 break; 736 #endif 737 #ifdef INET6 738 case SIOCGIFPSRCADDR_IN6: 739 case SIOCGIFPDSTADDR_IN6: 740 error = prison_if(curthread->td_ucred, 741 (struct sockaddr *)sin6); 742 if (error == 0) 743 error = sa6_recoverscope(sin6); 744 if (error != 0) 745 memset(sin6, 0, sizeof(*sin6)); 746 #endif 747 } 748 break; 749 case SIOCGTUNFIB: 750 ifr->ifr_fib = sc->fibnum; 751 break; 752 case SIOCSTUNFIB: 753 if ((error = priv_check(curthread, PRIV_NET_SETIFFIB)) != 0) 754 break; 755 if (ifr->ifr_fib >= rt_numfibs) 756 error = EINVAL; 757 else 758 sc->fibnum = ifr->ifr_fib; 759 break; 760 case IPSECGREQID: 761 reqid = sc->reqid; 762 error = copyout(&reqid, ifr_data_get_ptr(ifr), sizeof(reqid)); 763 break; 764 case IPSECSREQID: 765 if ((error = priv_check(curthread, PRIV_NET_SETIFCAP)) != 0) 766 break; 767 error = copyin(ifr_data_get_ptr(ifr), &reqid, sizeof(reqid)); 768 if (error != 0) 769 break; 770 error = ipsec_set_reqid(sc, reqid); 771 break; 772 default: 773 error = EINVAL; 774 break; 775 } 776 bad: 777 sx_xunlock(&ipsec_ioctl_sx); 778 return (error); 779 } 780 781 /* 782 * Check that ingress address belongs to local host. 783 */ 784 static void 785 ipsec_set_running(struct ipsec_softc *sc) 786 { 787 struct secasindex *saidx; 788 int localip; 789 790 saidx = ipsec_getsaidx(sc, IPSEC_DIR_OUTBOUND, sc->family); 791 if (saidx == NULL) 792 return; 793 localip = 0; 794 switch (sc->family) { 795 #ifdef INET 796 case AF_INET: 797 localip = in_localip(saidx->src.sin.sin_addr); 798 break; 799 #endif 800 #ifdef INET6 801 case AF_INET6: 802 localip = in6_localip(&saidx->src.sin6.sin6_addr); 803 break; 804 #endif 805 } 806 if (localip != 0) 807 sc->ifp->if_drv_flags |= IFF_DRV_RUNNING; 808 else 809 sc->ifp->if_drv_flags &= ~IFF_DRV_RUNNING; 810 } 811 812 /* 813 * ifaddr_event handler. 814 * Clear IFF_DRV_RUNNING flag when ingress address disappears to prevent 815 * source address spoofing. 816 */ 817 static void 818 ipsec_srcaddr(void *arg __unused, const struct sockaddr *sa, 819 int event __unused) 820 { 821 struct ipsec_softc *sc; 822 struct secasindex *saidx; 823 struct ipsec_iflist *iflist; 824 825 /* Check that VNET is ready */ 826 if (V_ipsec_idhtbl == NULL) 827 return; 828 829 NET_EPOCH_ASSERT(); 830 iflist = ipsec_srchash(sa); 831 if (iflist == NULL) 832 return; 833 CK_LIST_FOREACH(sc, iflist, srchash) { 834 if (sc->family == 0) 835 continue; 836 saidx = ipsec_getsaidx(sc, IPSEC_DIR_OUTBOUND, sa->sa_family); 837 if (saidx == NULL || 838 key_sockaddrcmp(&saidx->src.sa, sa, 0) != 0) 839 continue; 840 ipsec_set_running(sc); 841 } 842 } 843 844 /* 845 * Allocate new private security policies for tunneling interface. 846 * Each tunneling interface has following security policies for 847 * both AF: 848 * 0.0.0.0/0[any] 0.0.0.0/0[any] -P in \ 849 * ipsec esp/tunnel/RemoteIP-LocalIP/unique:reqid 850 * 0.0.0.0/0[any] 0.0.0.0/0[any] -P out \ 851 * ipsec esp/tunnel/LocalIP-RemoteIP/unique:reqid 852 */ 853 static int 854 ipsec_newpolicies(struct ipsec_softc *sc, struct secpolicy *sp[IPSEC_SPCOUNT], 855 const struct sockaddr *src, const struct sockaddr *dst, uint32_t reqid) 856 { 857 struct ipsecrequest *isr; 858 int i; 859 860 memset(sp, 0, sizeof(struct secpolicy *) * IPSEC_SPCOUNT); 861 for (i = 0; i < IPSEC_SPCOUNT; i++) { 862 if ((sp[i] = key_newsp()) == NULL) 863 goto fail; 864 if ((isr = ipsec_newisr()) == NULL) 865 goto fail; 866 867 sp[i]->policy = IPSEC_POLICY_IPSEC; 868 sp[i]->state = IPSEC_SPSTATE_DEAD; 869 sp[i]->req[sp[i]->tcount++] = isr; 870 sp[i]->created = time_second; 871 /* Use priority field to store if_index */ 872 sp[i]->priority = sc->ifp->if_index; 873 isr->level = IPSEC_LEVEL_UNIQUE; 874 isr->saidx.proto = IPPROTO_ESP; 875 isr->saidx.mode = IPSEC_MODE_TUNNEL; 876 isr->saidx.reqid = reqid; 877 if (i % 2 == 0) { 878 sp[i]->spidx.dir = IPSEC_DIR_INBOUND; 879 bcopy(src, &isr->saidx.dst, src->sa_len); 880 bcopy(dst, &isr->saidx.src, dst->sa_len); 881 } else { 882 sp[i]->spidx.dir = IPSEC_DIR_OUTBOUND; 883 bcopy(src, &isr->saidx.src, src->sa_len); 884 bcopy(dst, &isr->saidx.dst, dst->sa_len); 885 } 886 sp[i]->spidx.ul_proto = IPSEC_ULPROTO_ANY; 887 #ifdef INET 888 if (i < 2) { 889 sp[i]->spidx.src.sa.sa_family = 890 sp[i]->spidx.dst.sa.sa_family = AF_INET; 891 sp[i]->spidx.src.sa.sa_len = 892 sp[i]->spidx.dst.sa.sa_len = 893 sizeof(struct sockaddr_in); 894 continue; 895 } 896 #endif 897 #ifdef INET6 898 sp[i]->spidx.src.sa.sa_family = 899 sp[i]->spidx.dst.sa.sa_family = AF_INET6; 900 sp[i]->spidx.src.sa.sa_len = 901 sp[i]->spidx.dst.sa.sa_len = sizeof(struct sockaddr_in6); 902 #endif 903 } 904 return (0); 905 fail: 906 for (i = 0; i < IPSEC_SPCOUNT; i++) { 907 if (sp[i] != NULL) 908 key_freesp(&sp[i]); 909 } 910 return (ENOMEM); 911 } 912 913 static int 914 ipsec_check_reqid(uint32_t reqid) 915 { 916 struct ipsec_softc *sc; 917 918 sx_assert(&ipsec_ioctl_sx, SA_XLOCKED); 919 CK_LIST_FOREACH(sc, ipsec_idhash(reqid), idhash) { 920 if (sc->reqid == reqid) 921 return (EEXIST); 922 } 923 return (0); 924 } 925 926 /* 927 * We use key_newreqid() to automatically obtain unique reqid. 928 * Then we check that given id is unique, i.e. it is not used by 929 * another if_ipsec(4) interface. This macro limits the number of 930 * tries to get unique id. 931 */ 932 #define IPSEC_REQID_TRYCNT 64 933 static int 934 ipsec_init_reqid(struct ipsec_softc *sc) 935 { 936 uint32_t reqid; 937 int trycount; 938 939 sx_assert(&ipsec_ioctl_sx, SA_XLOCKED); 940 if (sc->reqid != 0) /* already initialized */ 941 return (0); 942 943 trycount = IPSEC_REQID_TRYCNT; 944 while (--trycount > 0) { 945 reqid = key_newreqid(); 946 if (ipsec_check_reqid(reqid) == 0) 947 break; 948 } 949 if (trycount == 0) 950 return (EEXIST); 951 sc->reqid = reqid; 952 CK_LIST_INSERT_HEAD(ipsec_idhash(reqid), sc, idhash); 953 return (0); 954 } 955 956 /* 957 * Set or update reqid for given tunneling interface. 958 * When specified reqid is zero, generate new one. 959 * We are protected by ioctl_sx lock from concurrent id generation. 960 * Also softc would not disappear while we hold ioctl_sx lock. 961 */ 962 static int 963 ipsec_set_reqid(struct ipsec_softc *sc, uint32_t reqid) 964 { 965 struct secasindex *saidx; 966 967 sx_assert(&ipsec_ioctl_sx, SA_XLOCKED); 968 969 if (sc->reqid == reqid && reqid != 0) 970 return (0); 971 972 if (reqid != 0) { 973 /* Check that specified reqid doesn't exist */ 974 if (ipsec_check_reqid(reqid) != 0) 975 return (EEXIST); 976 if (sc->reqid != 0) { 977 CK_LIST_REMOVE(sc, idhash); 978 IPSEC_WAIT(); 979 } 980 sc->reqid = reqid; 981 CK_LIST_INSERT_HEAD(ipsec_idhash(reqid), sc, idhash); 982 } else { 983 /* Generate new reqid */ 984 if (ipsec_init_reqid(sc) != 0) 985 return (EEXIST); 986 } 987 988 /* Tunnel isn't fully configured, just return. */ 989 if (sc->family == 0) 990 return (0); 991 992 saidx = ipsec_getsaidx(sc, IPSEC_DIR_OUTBOUND, sc->family); 993 KASSERT(saidx != NULL, 994 ("saidx is NULL, but family is %d", sc->family)); 995 return (ipsec_set_tunnel(sc, &saidx->src.sa, &saidx->dst.sa, 996 sc->reqid)); 997 } 998 999 /* 1000 * Set tunnel endpoints addresses. 1001 */ 1002 static int 1003 ipsec_set_addresses(struct ifnet *ifp, struct sockaddr *src, 1004 struct sockaddr *dst) 1005 { 1006 struct ipsec_softc *sc; 1007 struct secasindex *saidx; 1008 1009 sx_assert(&ipsec_ioctl_sx, SA_XLOCKED); 1010 1011 sc = ifp->if_softc; 1012 if (sc->family != 0) { 1013 saidx = ipsec_getsaidx(sc, IPSEC_DIR_OUTBOUND, 1014 src->sa_family); 1015 if (saidx != NULL && saidx->reqid == sc->reqid && 1016 key_sockaddrcmp(&saidx->src.sa, src, 0) == 0 && 1017 key_sockaddrcmp(&saidx->dst.sa, dst, 0) == 0) 1018 return (0); /* Nothing has been changed. */ 1019 } 1020 /* If reqid is not set, generate new one. */ 1021 if (ipsec_init_reqid(sc) != 0) 1022 return (EEXIST); 1023 return (ipsec_set_tunnel(sc, src, dst, sc->reqid)); 1024 } 1025 1026 static int 1027 ipsec_set_tunnel(struct ipsec_softc *sc, struct sockaddr *src, 1028 struct sockaddr *dst, uint32_t reqid) 1029 { 1030 struct epoch_tracker et; 1031 struct ipsec_iflist *iflist; 1032 struct secpolicy *sp[IPSEC_SPCOUNT]; 1033 int i; 1034 1035 sx_assert(&ipsec_ioctl_sx, SA_XLOCKED); 1036 1037 /* Allocate SP with new addresses. */ 1038 iflist = ipsec_srchash(src); 1039 if (iflist == NULL) { 1040 sc->ifp->if_drv_flags &= ~IFF_DRV_RUNNING; 1041 return (EAFNOSUPPORT); 1042 } 1043 if (ipsec_newpolicies(sc, sp, src, dst, reqid) == 0) { 1044 /* Add new policies to SPDB */ 1045 if (key_register_ifnet(sp, IPSEC_SPCOUNT) != 0) { 1046 for (i = 0; i < IPSEC_SPCOUNT; i++) 1047 key_freesp(&sp[i]); 1048 return (EAGAIN); 1049 } 1050 if (sc->family != 0) 1051 ipsec_delete_tunnel(sc); 1052 for (i = 0; i < IPSEC_SPCOUNT; i++) 1053 sc->sp[i] = sp[i]; 1054 sc->family = src->sa_family; 1055 CK_LIST_INSERT_HEAD(iflist, sc, srchash); 1056 } else { 1057 sc->ifp->if_drv_flags &= ~IFF_DRV_RUNNING; 1058 return (ENOMEM); 1059 } 1060 NET_EPOCH_ENTER(et); 1061 ipsec_set_running(sc); 1062 NET_EPOCH_EXIT(et); 1063 return (0); 1064 } 1065 1066 static void 1067 ipsec_delete_tunnel(struct ipsec_softc *sc) 1068 { 1069 int i; 1070 1071 sx_assert(&ipsec_ioctl_sx, SA_XLOCKED); 1072 1073 sc->ifp->if_drv_flags &= ~IFF_DRV_RUNNING; 1074 if (sc->family != 0) { 1075 CK_LIST_REMOVE(sc, srchash); 1076 sc->family = 0; 1077 /* 1078 * Make sure that ipsec_if_input() will not do access 1079 * to softc's policies. 1080 */ 1081 IPSEC_WAIT(); 1082 1083 key_unregister_ifnet(sc->sp, IPSEC_SPCOUNT); 1084 for (i = 0; i < IPSEC_SPCOUNT; i++) 1085 key_freesp(&sc->sp[i]); 1086 } 1087 } 1088