1 /*- 2 * Copyright (c) 2016-2018 Yandex LLC 3 * Copyright (c) 2016-2018 Andrey V. Elsukov <ae@FreeBSD.org> 4 * All rights reserved. 5 * 6 * Redistribution and use in source and binary forms, with or without 7 * modification, are permitted provided that the following conditions 8 * are met: 9 * 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 2. Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer in the 14 * documentation and/or other materials provided with the distribution. 15 * 16 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 17 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 18 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 19 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 20 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 21 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 22 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 23 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 24 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 25 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 26 */ 27 28 #include <sys/cdefs.h> 29 #include "opt_inet.h" 30 #include "opt_inet6.h" 31 #include "opt_ipsec.h" 32 33 #include <sys/param.h> 34 #include <sys/systm.h> 35 #include <sys/kernel.h> 36 #include <sys/fnv_hash.h> 37 #include <sys/jail.h> 38 #include <sys/lock.h> 39 #include <sys/malloc.h> 40 #include <sys/mbuf.h> 41 #include <sys/module.h> 42 #include <sys/socket.h> 43 #include <sys/sockio.h> 44 #include <sys/sx.h> 45 #include <sys/errno.h> 46 #include <sys/sysctl.h> 47 #include <sys/priv.h> 48 #include <sys/proc.h> 49 #include <sys/conf.h> 50 51 #include <net/if.h> 52 #include <net/if_var.h> 53 #include <net/if_private.h> 54 #include <net/if_clone.h> 55 #include <net/if_types.h> 56 #include <net/bpf.h> 57 #include <net/route.h> 58 #include <net/vnet.h> 59 60 #include <netinet/in.h> 61 #include <netinet/in_var.h> 62 #include <netinet/ip.h> 63 #include <netinet/ip_encap.h> 64 65 #include <netinet/ip6.h> 66 #include <netinet6/in6_var.h> 67 #include <netinet6/scope6_var.h> 68 69 #include <netipsec/ipsec.h> 70 #ifdef INET6 71 #include <netipsec/ipsec6.h> 72 #endif 73 74 #include <net/if_ipsec.h> 75 #include <netipsec/key.h> 76 77 #include <security/mac/mac_framework.h> 78 79 static MALLOC_DEFINE(M_IPSEC, "ipsec", "IPsec Virtual Tunnel Interface"); 80 static const char ipsecname[] = "ipsec"; 81 82 #if defined(INET) && defined(INET6) 83 #define IPSEC_SPCOUNT 4 84 #else 85 #define IPSEC_SPCOUNT 2 86 #endif 87 88 struct ipsec_softc { 89 struct ifnet *ifp; 90 struct secpolicy *sp[IPSEC_SPCOUNT]; 91 uint32_t reqid; 92 u_int family; 93 u_int fibnum; 94 95 CK_LIST_ENTRY(ipsec_softc) idhash; 96 CK_LIST_ENTRY(ipsec_softc) srchash; 97 }; 98 99 #define IPSEC_RLOCK_TRACKER struct epoch_tracker ipsec_et 100 #define IPSEC_RLOCK() epoch_enter_preempt(net_epoch_preempt, &ipsec_et) 101 #define IPSEC_RUNLOCK() epoch_exit_preempt(net_epoch_preempt, &ipsec_et) 102 #define IPSEC_WAIT() epoch_wait_preempt(net_epoch_preempt) 103 104 #ifndef IPSEC_HASH_SIZE 105 #define IPSEC_HASH_SIZE (1 << 5) 106 #endif 107 108 CK_LIST_HEAD(ipsec_iflist, ipsec_softc); 109 VNET_DEFINE_STATIC(struct ipsec_iflist *, ipsec_idhtbl) = NULL; 110 #define V_ipsec_idhtbl VNET(ipsec_idhtbl) 111 112 #ifdef INET 113 VNET_DEFINE_STATIC(struct ipsec_iflist *, ipsec4_srchtbl) = NULL; 114 #define V_ipsec4_srchtbl VNET(ipsec4_srchtbl) 115 static const struct srcaddrtab *ipsec4_srctab = NULL; 116 #endif 117 118 #ifdef INET6 119 VNET_DEFINE_STATIC(struct ipsec_iflist *, ipsec6_srchtbl) = NULL; 120 #define V_ipsec6_srchtbl VNET(ipsec6_srchtbl) 121 static const struct srcaddrtab *ipsec6_srctab = NULL; 122 #endif 123 124 static struct ipsec_iflist * 125 ipsec_idhash(uint32_t id) 126 { 127 128 return (&V_ipsec_idhtbl[fnv_32_buf(&id, sizeof(id), 129 FNV1_32_INIT) & (IPSEC_HASH_SIZE - 1)]); 130 } 131 132 static struct ipsec_iflist * 133 ipsec_srchash(const struct sockaddr *sa) 134 { 135 uint32_t hval; 136 137 switch (sa->sa_family) { 138 #ifdef INET 139 case AF_INET: 140 hval = fnv_32_buf( 141 &((const struct sockaddr_in *)sa)->sin_addr.s_addr, 142 sizeof(in_addr_t), FNV1_32_INIT); 143 return (&V_ipsec4_srchtbl[hval & (IPSEC_HASH_SIZE - 1)]); 144 #endif 145 #ifdef INET6 146 case AF_INET6: 147 hval = fnv_32_buf( 148 &((const struct sockaddr_in6 *)sa)->sin6_addr, 149 sizeof(struct in6_addr), FNV1_32_INIT); 150 return (&V_ipsec6_srchtbl[hval & (IPSEC_HASH_SIZE - 1)]); 151 #endif 152 } 153 return (NULL); 154 } 155 156 /* 157 * ipsec_ioctl_sx protects from concurrent ioctls. 158 */ 159 static struct sx ipsec_ioctl_sx; 160 SX_SYSINIT(ipsec_ioctl_sx, &ipsec_ioctl_sx, "ipsec_ioctl"); 161 162 static int ipsec_init_reqid(struct ipsec_softc *); 163 static int ipsec_set_tunnel(struct ipsec_softc *, struct sockaddr *, 164 struct sockaddr *, uint32_t); 165 static void ipsec_delete_tunnel(struct ipsec_softc *); 166 167 static int ipsec_set_addresses(struct ifnet *, struct sockaddr *, 168 struct sockaddr *); 169 static int ipsec_set_reqid(struct ipsec_softc *, uint32_t); 170 static void ipsec_set_running(struct ipsec_softc *); 171 172 #ifdef VIMAGE 173 static void ipsec_reassign(struct ifnet *, struct vnet *, char *); 174 #endif 175 static void ipsec_srcaddr(void *, const struct sockaddr *, int); 176 static int ipsec_ioctl(struct ifnet *, u_long, caddr_t); 177 static int ipsec_transmit(struct ifnet *, struct mbuf *); 178 static int ipsec_output(struct ifnet *, struct mbuf *, 179 const struct sockaddr *, struct route *); 180 static void ipsec_qflush(struct ifnet *); 181 static int ipsec_clone_create(struct if_clone *, int, caddr_t); 182 static void ipsec_clone_destroy(struct ifnet *); 183 184 VNET_DEFINE_STATIC(struct if_clone *, ipsec_cloner); 185 #define V_ipsec_cloner VNET(ipsec_cloner) 186 187 static int 188 ipsec_clone_create(struct if_clone *ifc, int unit, caddr_t params) 189 { 190 struct ipsec_softc *sc; 191 struct ifnet *ifp; 192 193 sc = malloc(sizeof(*sc), M_IPSEC, M_WAITOK | M_ZERO); 194 sc->fibnum = curthread->td_proc->p_fibnum; 195 sc->ifp = ifp = if_alloc(IFT_TUNNEL); 196 ifp->if_softc = sc; 197 if_initname(ifp, ipsecname, unit); 198 199 ifp->if_addrlen = 0; 200 ifp->if_mtu = IPSEC_MTU; 201 ifp->if_flags = IFF_POINTOPOINT | IFF_MULTICAST; 202 ifp->if_ioctl = ipsec_ioctl; 203 ifp->if_transmit = ipsec_transmit; 204 ifp->if_qflush = ipsec_qflush; 205 ifp->if_output = ipsec_output; 206 #ifdef VIMAGE 207 ifp->if_reassign = ipsec_reassign; 208 #endif 209 if_attach(ifp); 210 bpfattach(ifp, DLT_NULL, sizeof(uint32_t)); 211 212 return (0); 213 } 214 215 #ifdef VIMAGE 216 static void 217 ipsec_reassign(struct ifnet *ifp, struct vnet *new_vnet __unused, 218 char *unused __unused) 219 { 220 struct ipsec_softc *sc; 221 222 sx_xlock(&ipsec_ioctl_sx); 223 sc = ifp->if_softc; 224 if (sc != NULL) 225 ipsec_delete_tunnel(sc); 226 sx_xunlock(&ipsec_ioctl_sx); 227 } 228 #endif /* VIMAGE */ 229 230 static void 231 ipsec_clone_destroy(struct ifnet *ifp) 232 { 233 struct ipsec_softc *sc; 234 235 sx_xlock(&ipsec_ioctl_sx); 236 sc = ifp->if_softc; 237 ipsec_delete_tunnel(sc); 238 /* 239 * Delete softc from idhash on interface destroy, since 240 * ipsec_delete_tunnel() keeps reqid unchanged. 241 */ 242 if (sc->reqid != 0) 243 CK_LIST_REMOVE(sc, idhash); 244 bpfdetach(ifp); 245 if_detach(ifp); 246 ifp->if_softc = NULL; 247 sx_xunlock(&ipsec_ioctl_sx); 248 249 IPSEC_WAIT(); 250 if_free(ifp); 251 free(sc, M_IPSEC); 252 } 253 254 static struct ipsec_iflist * 255 ipsec_hashinit(void) 256 { 257 struct ipsec_iflist *hash; 258 int i; 259 260 hash = malloc(sizeof(struct ipsec_iflist) * IPSEC_HASH_SIZE, 261 M_IPSEC, M_WAITOK); 262 for (i = 0; i < IPSEC_HASH_SIZE; i++) 263 CK_LIST_INIT(&hash[i]); 264 265 return (hash); 266 } 267 268 static void 269 vnet_ipsec_init(const void *unused __unused) 270 { 271 272 V_ipsec_idhtbl = ipsec_hashinit(); 273 #ifdef INET 274 V_ipsec4_srchtbl = ipsec_hashinit(); 275 if (IS_DEFAULT_VNET(curvnet)) 276 ipsec4_srctab = ip_encap_register_srcaddr(ipsec_srcaddr, 277 NULL, M_WAITOK); 278 #endif 279 #ifdef INET6 280 V_ipsec6_srchtbl = ipsec_hashinit(); 281 if (IS_DEFAULT_VNET(curvnet)) 282 ipsec6_srctab = ip6_encap_register_srcaddr(ipsec_srcaddr, 283 NULL, M_WAITOK); 284 #endif 285 V_ipsec_cloner = if_clone_simple(ipsecname, ipsec_clone_create, 286 ipsec_clone_destroy, 0); 287 } 288 VNET_SYSINIT(vnet_ipsec_init, SI_SUB_PROTO_IFATTACHDOMAIN, SI_ORDER_ANY, 289 vnet_ipsec_init, NULL); 290 291 static void 292 vnet_ipsec_uninit(const void *unused __unused) 293 { 294 295 if_clone_detach(V_ipsec_cloner); 296 free(V_ipsec_idhtbl, M_IPSEC); 297 /* 298 * Use V_ipsec_idhtbl pointer as indicator that VNET is going to be 299 * destroyed, it is used by ipsec_srcaddr() callback. 300 */ 301 V_ipsec_idhtbl = NULL; 302 IPSEC_WAIT(); 303 304 #ifdef INET 305 if (IS_DEFAULT_VNET(curvnet)) 306 ip_encap_unregister_srcaddr(ipsec4_srctab); 307 free(V_ipsec4_srchtbl, M_IPSEC); 308 #endif 309 #ifdef INET6 310 if (IS_DEFAULT_VNET(curvnet)) 311 ip6_encap_unregister_srcaddr(ipsec6_srctab); 312 free(V_ipsec6_srchtbl, M_IPSEC); 313 #endif 314 } 315 VNET_SYSUNINIT(vnet_ipsec_uninit, SI_SUB_PROTO_IFATTACHDOMAIN, SI_ORDER_ANY, 316 vnet_ipsec_uninit, NULL); 317 318 static struct secpolicy * 319 ipsec_getpolicy(struct ipsec_softc *sc, int dir, sa_family_t af) 320 { 321 322 switch (af) { 323 #ifdef INET 324 case AF_INET: 325 return (sc->sp[(dir == IPSEC_DIR_INBOUND ? 0: 1)]); 326 #endif 327 #ifdef INET6 328 case AF_INET6: 329 return (sc->sp[(dir == IPSEC_DIR_INBOUND ? 0: 1) 330 #ifdef INET 331 + 2 332 #endif 333 ]); 334 #endif 335 } 336 return (NULL); 337 } 338 339 static struct secasindex * 340 ipsec_getsaidx(struct ipsec_softc *sc, int dir, sa_family_t af) 341 { 342 struct secpolicy *sp; 343 344 sp = ipsec_getpolicy(sc, dir, af); 345 if (sp == NULL) 346 return (NULL); 347 return (&sp->req[0]->saidx); 348 } 349 350 static int 351 ipsec_transmit(struct ifnet *ifp, struct mbuf *m) 352 { 353 IPSEC_RLOCK_TRACKER; 354 struct ipsec_softc *sc; 355 struct secpolicy *sp; 356 struct ip *ip, iph; 357 uint32_t af; 358 int error; 359 360 IPSEC_RLOCK(); 361 #ifdef MAC 362 error = mac_ifnet_check_transmit(ifp, m); 363 if (error) { 364 m_freem(m); 365 goto err; 366 } 367 #endif 368 error = ENETDOWN; 369 sc = ifp->if_softc; 370 if ((ifp->if_drv_flags & IFF_DRV_RUNNING) == 0 || 371 (ifp->if_flags & IFF_MONITOR) != 0 || 372 (ifp->if_flags & IFF_UP) == 0 || sc->family == 0) { 373 m_freem(m); 374 goto err; 375 } 376 377 /* Determine address family to correctly handle packet in BPF */ 378 ip = &iph; 379 m_copydata(m, 0, sizeof(*ip), (char *)ip); 380 switch (ip->ip_v) { 381 #ifdef INET 382 case IPVERSION: 383 af = AF_INET; 384 break; 385 #endif 386 #ifdef INET6 387 case (IPV6_VERSION >> 4): 388 af = AF_INET6; 389 break; 390 #endif 391 default: 392 error = EAFNOSUPPORT; 393 m_freem(m); 394 goto err; 395 } 396 397 /* 398 * Loop prevention. 399 * XXX: for now just check presence of IPSEC_OUT_DONE mbuf tag. 400 * We can read full chain and compare destination address, 401 * proto and mode from xform_history with values from softc. 402 */ 403 if (m_tag_find(m, PACKET_TAG_IPSEC_OUT_DONE, NULL) != NULL) { 404 m_freem(m); 405 goto err; 406 } 407 408 sp = ipsec_getpolicy(sc, IPSEC_DIR_OUTBOUND, af); 409 key_addref(sp); 410 M_SETFIB(m, sc->fibnum); 411 412 BPF_MTAP2(ifp, &af, sizeof(af), m); 413 if_inc_counter(ifp, IFCOUNTER_OPACKETS, 1); 414 if_inc_counter(ifp, IFCOUNTER_OBYTES, m->m_pkthdr.len); 415 416 switch (af) { 417 #ifdef INET 418 case AF_INET: 419 error = ipsec4_process_packet(ifp, m, ip, sp, NULL, 420 ifp->if_mtu); 421 break; 422 #endif 423 #ifdef INET6 424 case AF_INET6: 425 error = ipsec6_process_packet(ifp, m, sp, NULL, ifp->if_mtu); 426 break; 427 #endif 428 default: 429 panic("%s: unknown address family\n", __func__); 430 } 431 err: 432 if (error != 0) 433 if_inc_counter(ifp, IFCOUNTER_OERRORS, 1); 434 IPSEC_RUNLOCK(); 435 return (error); 436 } 437 438 static void 439 ipsec_qflush(struct ifnet *ifp __unused) 440 { 441 442 } 443 444 static int 445 ipsec_output(struct ifnet *ifp, struct mbuf *m, const struct sockaddr *dst, 446 struct route *ro) 447 { 448 449 return (ifp->if_transmit(ifp, m)); 450 } 451 452 int 453 ipsec_if_input(struct mbuf *m, struct secasvar *sav, uint32_t af, 454 struct rm_priotracker *sahtree_tracker) 455 { 456 IPSEC_RLOCK_TRACKER; 457 struct secasindex *saidx; 458 struct ipsec_softc *sc; 459 struct ifnet *ifp; 460 461 if (sav->state != SADB_SASTATE_MATURE && 462 sav->state != SADB_SASTATE_DYING) { 463 ipsec_sahtree_runlock(sahtree_tracker); 464 m_freem(m); 465 return (ENETDOWN); 466 } 467 468 if (sav->sah->saidx.mode != IPSEC_MODE_TUNNEL || 469 sav->sah->saidx.proto != IPPROTO_ESP) { 470 ipsec_sahtree_runlock(sahtree_tracker); 471 return (0); 472 } 473 474 IPSEC_RLOCK(); 475 CK_LIST_FOREACH(sc, ipsec_idhash(sav->sah->saidx.reqid), idhash) { 476 if (sc->family == 0) 477 continue; 478 saidx = ipsec_getsaidx(sc, IPSEC_DIR_INBOUND, 479 sav->sah->saidx.src.sa.sa_family); 480 /* SA's reqid should match reqid in SP */ 481 if (saidx == NULL || 482 sav->sah->saidx.reqid != saidx->reqid) 483 continue; 484 /* SAH's addresses should match tunnel endpoints. */ 485 if (key_sockaddrcmp(&sav->sah->saidx.dst.sa, 486 &saidx->dst.sa, 0) != 0) 487 continue; 488 if (key_sockaddrcmp(&sav->sah->saidx.src.sa, 489 &saidx->src.sa, 0) == 0) 490 break; 491 } 492 if (sc == NULL) { 493 IPSEC_RUNLOCK(); 494 ipsec_sahtree_runlock(sahtree_tracker); 495 /* Tunnel was not found. Nothing to do. */ 496 return (0); 497 } 498 ifp = sc->ifp; 499 if ((ifp->if_drv_flags & IFF_DRV_RUNNING) == 0 || 500 (ifp->if_flags & IFF_UP) == 0) { 501 IPSEC_RUNLOCK(); 502 ipsec_sahtree_runlock(sahtree_tracker); 503 m_freem(m); 504 return (ENETDOWN); 505 } 506 /* 507 * We found matching and working tunnel. 508 * Set its ifnet as receiving interface. 509 */ 510 m->m_pkthdr.rcvif = ifp; 511 512 ipsec_sahtree_runlock(sahtree_tracker); 513 514 m_clrprotoflags(m); 515 M_SETFIB(m, ifp->if_fib); 516 BPF_MTAP2(ifp, &af, sizeof(af), m); 517 if_inc_counter(ifp, IFCOUNTER_IPACKETS, 1); 518 if_inc_counter(ifp, IFCOUNTER_IBYTES, m->m_pkthdr.len); 519 if ((ifp->if_flags & IFF_MONITOR) != 0) { 520 IPSEC_RUNLOCK(); 521 m_freem(m); 522 return (ENETDOWN); 523 } 524 IPSEC_RUNLOCK(); 525 return (0); 526 } 527 528 static int 529 ipsec_ioctl(struct ifnet *ifp, u_long cmd, caddr_t data) 530 { 531 struct ifreq *ifr = (struct ifreq*)data; 532 struct sockaddr *dst, *src; 533 struct ipsec_softc *sc; 534 struct secasindex *saidx; 535 #ifdef INET 536 struct sockaddr_in *sin = NULL; 537 #endif 538 #ifdef INET6 539 struct sockaddr_in6 *sin6 = NULL; 540 #endif 541 uint32_t reqid; 542 int error; 543 544 switch (cmd) { 545 case SIOCSIFADDR: 546 ifp->if_flags |= IFF_UP; 547 case SIOCADDMULTI: 548 case SIOCDELMULTI: 549 case SIOCGIFMTU: 550 case SIOCSIFFLAGS: 551 return (0); 552 case SIOCSIFMTU: 553 if (ifr->ifr_mtu < IPSEC_MTU_MIN || 554 ifr->ifr_mtu > IPSEC_MTU_MAX) 555 return (EINVAL); 556 else 557 ifp->if_mtu = ifr->ifr_mtu; 558 return (0); 559 } 560 sx_xlock(&ipsec_ioctl_sx); 561 sc = ifp->if_softc; 562 /* Check that softc is still here */ 563 if (sc == NULL) { 564 error = ENXIO; 565 goto bad; 566 } 567 error = 0; 568 switch (cmd) { 569 case SIOCSIFPHYADDR: 570 #ifdef INET6 571 case SIOCSIFPHYADDR_IN6: 572 #endif 573 error = EINVAL; 574 switch (cmd) { 575 #ifdef INET 576 case SIOCSIFPHYADDR: 577 src = (struct sockaddr *) 578 &(((struct in_aliasreq *)data)->ifra_addr); 579 dst = (struct sockaddr *) 580 &(((struct in_aliasreq *)data)->ifra_dstaddr); 581 break; 582 #endif 583 #ifdef INET6 584 case SIOCSIFPHYADDR_IN6: 585 src = (struct sockaddr *) 586 &(((struct in6_aliasreq *)data)->ifra_addr); 587 dst = (struct sockaddr *) 588 &(((struct in6_aliasreq *)data)->ifra_dstaddr); 589 break; 590 #endif 591 default: 592 goto bad; 593 } 594 /* sa_family must be equal */ 595 if (src->sa_family != dst->sa_family || 596 src->sa_len != dst->sa_len) 597 goto bad; 598 599 /* validate sa_len */ 600 switch (src->sa_family) { 601 #ifdef INET 602 case AF_INET: 603 if (src->sa_len != sizeof(struct sockaddr_in)) 604 goto bad; 605 break; 606 #endif 607 #ifdef INET6 608 case AF_INET6: 609 if (src->sa_len != sizeof(struct sockaddr_in6)) 610 goto bad; 611 break; 612 #endif 613 default: 614 error = EAFNOSUPPORT; 615 goto bad; 616 } 617 /* check sa_family looks sane for the cmd */ 618 error = EAFNOSUPPORT; 619 switch (cmd) { 620 #ifdef INET 621 case SIOCSIFPHYADDR: 622 if (src->sa_family == AF_INET) 623 break; 624 goto bad; 625 #endif 626 #ifdef INET6 627 case SIOCSIFPHYADDR_IN6: 628 if (src->sa_family == AF_INET6) 629 break; 630 goto bad; 631 #endif 632 } 633 error = EADDRNOTAVAIL; 634 switch (src->sa_family) { 635 #ifdef INET 636 case AF_INET: 637 if (satosin(src)->sin_addr.s_addr == INADDR_ANY || 638 satosin(dst)->sin_addr.s_addr == INADDR_ANY) 639 goto bad; 640 break; 641 #endif 642 #ifdef INET6 643 case AF_INET6: 644 if (IN6_IS_ADDR_UNSPECIFIED( 645 &satosin6(src)->sin6_addr) || 646 IN6_IS_ADDR_UNSPECIFIED( 647 &satosin6(dst)->sin6_addr)) 648 goto bad; 649 /* 650 * Check validity of the scope zone ID of the 651 * addresses, and convert it into the kernel 652 * internal form if necessary. 653 */ 654 error = sa6_embedscope(satosin6(src), 0); 655 if (error != 0) 656 goto bad; 657 error = sa6_embedscope(satosin6(dst), 0); 658 if (error != 0) 659 goto bad; 660 #endif 661 }; 662 error = ipsec_set_addresses(ifp, src, dst); 663 break; 664 case SIOCDIFPHYADDR: 665 ipsec_delete_tunnel(sc); 666 break; 667 case SIOCGIFPSRCADDR: 668 case SIOCGIFPDSTADDR: 669 #ifdef INET6 670 case SIOCGIFPSRCADDR_IN6: 671 case SIOCGIFPDSTADDR_IN6: 672 #endif 673 if (sc->family == 0) { 674 error = EADDRNOTAVAIL; 675 break; 676 } 677 saidx = ipsec_getsaidx(sc, IPSEC_DIR_OUTBOUND, sc->family); 678 if (saidx == NULL) { 679 error = ENXIO; 680 break; 681 } 682 switch (cmd) { 683 #ifdef INET 684 case SIOCGIFPSRCADDR: 685 case SIOCGIFPDSTADDR: 686 if (saidx->src.sa.sa_family != AF_INET) { 687 error = EADDRNOTAVAIL; 688 break; 689 } 690 sin = (struct sockaddr_in *)&ifr->ifr_addr; 691 memset(sin, 0, sizeof(*sin)); 692 sin->sin_family = AF_INET; 693 sin->sin_len = sizeof(*sin); 694 break; 695 #endif 696 #ifdef INET6 697 case SIOCGIFPSRCADDR_IN6: 698 case SIOCGIFPDSTADDR_IN6: 699 if (saidx->src.sa.sa_family != AF_INET6) { 700 error = EADDRNOTAVAIL; 701 break; 702 } 703 sin6 = (struct sockaddr_in6 *) 704 &(((struct in6_ifreq *)data)->ifr_addr); 705 memset(sin6, 0, sizeof(*sin6)); 706 sin6->sin6_family = AF_INET6; 707 sin6->sin6_len = sizeof(*sin6); 708 break; 709 #endif 710 default: 711 error = EAFNOSUPPORT; 712 } 713 if (error == 0) { 714 switch (cmd) { 715 #ifdef INET 716 case SIOCGIFPSRCADDR: 717 sin->sin_addr = saidx->src.sin.sin_addr; 718 break; 719 case SIOCGIFPDSTADDR: 720 sin->sin_addr = saidx->dst.sin.sin_addr; 721 break; 722 #endif 723 #ifdef INET6 724 case SIOCGIFPSRCADDR_IN6: 725 sin6->sin6_addr = saidx->src.sin6.sin6_addr; 726 break; 727 case SIOCGIFPDSTADDR_IN6: 728 sin6->sin6_addr = saidx->dst.sin6.sin6_addr; 729 break; 730 #endif 731 } 732 } 733 if (error != 0) 734 break; 735 switch (cmd) { 736 #ifdef INET 737 case SIOCGIFPSRCADDR: 738 case SIOCGIFPDSTADDR: 739 error = prison_if(curthread->td_ucred, 740 (struct sockaddr *)sin); 741 if (error != 0) 742 memset(sin, 0, sizeof(*sin)); 743 break; 744 #endif 745 #ifdef INET6 746 case SIOCGIFPSRCADDR_IN6: 747 case SIOCGIFPDSTADDR_IN6: 748 error = prison_if(curthread->td_ucred, 749 (struct sockaddr *)sin6); 750 if (error == 0) 751 error = sa6_recoverscope(sin6); 752 if (error != 0) 753 memset(sin6, 0, sizeof(*sin6)); 754 #endif 755 } 756 break; 757 case SIOCGTUNFIB: 758 ifr->ifr_fib = sc->fibnum; 759 break; 760 case SIOCSTUNFIB: 761 if ((error = priv_check(curthread, PRIV_NET_SETIFFIB)) != 0) 762 break; 763 if (ifr->ifr_fib >= rt_numfibs) 764 error = EINVAL; 765 else 766 sc->fibnum = ifr->ifr_fib; 767 break; 768 case IPSECGREQID: 769 reqid = sc->reqid; 770 error = copyout(&reqid, ifr_data_get_ptr(ifr), sizeof(reqid)); 771 break; 772 case IPSECSREQID: 773 if ((error = priv_check(curthread, PRIV_NET_SETIFCAP)) != 0) 774 break; 775 error = copyin(ifr_data_get_ptr(ifr), &reqid, sizeof(reqid)); 776 if (error != 0) 777 break; 778 error = ipsec_set_reqid(sc, reqid); 779 break; 780 default: 781 error = EINVAL; 782 break; 783 } 784 bad: 785 sx_xunlock(&ipsec_ioctl_sx); 786 return (error); 787 } 788 789 /* 790 * Check that ingress address belongs to local host. 791 */ 792 static void 793 ipsec_set_running(struct ipsec_softc *sc) 794 { 795 struct secasindex *saidx; 796 int localip; 797 798 saidx = ipsec_getsaidx(sc, IPSEC_DIR_OUTBOUND, sc->family); 799 if (saidx == NULL) 800 return; 801 localip = 0; 802 switch (sc->family) { 803 #ifdef INET 804 case AF_INET: 805 localip = in_localip(saidx->src.sin.sin_addr); 806 break; 807 #endif 808 #ifdef INET6 809 case AF_INET6: 810 localip = in6_localip(&saidx->src.sin6.sin6_addr); 811 break; 812 #endif 813 } 814 if (localip != 0) 815 sc->ifp->if_drv_flags |= IFF_DRV_RUNNING; 816 else 817 sc->ifp->if_drv_flags &= ~IFF_DRV_RUNNING; 818 } 819 820 /* 821 * ifaddr_event handler. 822 * Clear IFF_DRV_RUNNING flag when ingress address disappears to prevent 823 * source address spoofing. 824 */ 825 static void 826 ipsec_srcaddr(void *arg __unused, const struct sockaddr *sa, 827 int event __unused) 828 { 829 struct ipsec_softc *sc; 830 struct secasindex *saidx; 831 struct ipsec_iflist *iflist; 832 833 /* Check that VNET is ready */ 834 if (V_ipsec_idhtbl == NULL) 835 return; 836 837 NET_EPOCH_ASSERT(); 838 iflist = ipsec_srchash(sa); 839 if (iflist == NULL) 840 return; 841 CK_LIST_FOREACH(sc, iflist, srchash) { 842 if (sc->family == 0) 843 continue; 844 saidx = ipsec_getsaidx(sc, IPSEC_DIR_OUTBOUND, sa->sa_family); 845 if (saidx == NULL || 846 key_sockaddrcmp(&saidx->src.sa, sa, 0) != 0) 847 continue; 848 ipsec_set_running(sc); 849 } 850 } 851 852 /* 853 * Allocate new private security policies for tunneling interface. 854 * Each tunneling interface has following security policies for 855 * both AF: 856 * 0.0.0.0/0[any] 0.0.0.0/0[any] -P in \ 857 * ipsec esp/tunnel/RemoteIP-LocalIP/unique:reqid 858 * 0.0.0.0/0[any] 0.0.0.0/0[any] -P out \ 859 * ipsec esp/tunnel/LocalIP-RemoteIP/unique:reqid 860 */ 861 static int 862 ipsec_newpolicies(struct ipsec_softc *sc, struct secpolicy *sp[IPSEC_SPCOUNT], 863 const struct sockaddr *src, const struct sockaddr *dst, uint32_t reqid) 864 { 865 struct ipsecrequest *isr; 866 int i; 867 868 memset(sp, 0, sizeof(struct secpolicy *) * IPSEC_SPCOUNT); 869 for (i = 0; i < IPSEC_SPCOUNT; i++) { 870 if ((sp[i] = key_newsp()) == NULL) 871 goto fail; 872 if ((isr = ipsec_newisr()) == NULL) 873 goto fail; 874 875 sp[i]->policy = IPSEC_POLICY_IPSEC; 876 sp[i]->state = IPSEC_SPSTATE_DEAD; 877 sp[i]->req[sp[i]->tcount++] = isr; 878 sp[i]->created = time_second; 879 /* Use priority field to store if_index */ 880 sp[i]->priority = sc->ifp->if_index; 881 isr->level = IPSEC_LEVEL_UNIQUE; 882 isr->saidx.proto = IPPROTO_ESP; 883 isr->saidx.mode = IPSEC_MODE_TUNNEL; 884 isr->saidx.reqid = reqid; 885 if (i % 2 == 0) { 886 sp[i]->spidx.dir = IPSEC_DIR_INBOUND; 887 bcopy(src, &isr->saidx.dst, src->sa_len); 888 bcopy(dst, &isr->saidx.src, dst->sa_len); 889 } else { 890 sp[i]->spidx.dir = IPSEC_DIR_OUTBOUND; 891 bcopy(src, &isr->saidx.src, src->sa_len); 892 bcopy(dst, &isr->saidx.dst, dst->sa_len); 893 } 894 sp[i]->spidx.ul_proto = IPSEC_ULPROTO_ANY; 895 #ifdef INET 896 if (i < 2) { 897 sp[i]->spidx.src.sa.sa_family = 898 sp[i]->spidx.dst.sa.sa_family = AF_INET; 899 sp[i]->spidx.src.sa.sa_len = 900 sp[i]->spidx.dst.sa.sa_len = 901 sizeof(struct sockaddr_in); 902 continue; 903 } 904 #endif 905 #ifdef INET6 906 sp[i]->spidx.src.sa.sa_family = 907 sp[i]->spidx.dst.sa.sa_family = AF_INET6; 908 sp[i]->spidx.src.sa.sa_len = 909 sp[i]->spidx.dst.sa.sa_len = sizeof(struct sockaddr_in6); 910 #endif 911 } 912 return (0); 913 fail: 914 for (i = 0; i < IPSEC_SPCOUNT; i++) { 915 if (sp[i] != NULL) 916 key_freesp(&sp[i]); 917 } 918 return (ENOMEM); 919 } 920 921 static int 922 ipsec_check_reqid(uint32_t reqid) 923 { 924 struct ipsec_softc *sc; 925 926 sx_assert(&ipsec_ioctl_sx, SA_XLOCKED); 927 CK_LIST_FOREACH(sc, ipsec_idhash(reqid), idhash) { 928 if (sc->reqid == reqid) 929 return (EEXIST); 930 } 931 return (0); 932 } 933 934 /* 935 * We use key_newreqid() to automatically obtain unique reqid. 936 * Then we check that given id is unique, i.e. it is not used by 937 * another if_ipsec(4) interface. This macro limits the number of 938 * tries to get unique id. 939 */ 940 #define IPSEC_REQID_TRYCNT 64 941 static int 942 ipsec_init_reqid(struct ipsec_softc *sc) 943 { 944 uint32_t reqid; 945 int trycount; 946 947 sx_assert(&ipsec_ioctl_sx, SA_XLOCKED); 948 if (sc->reqid != 0) /* already initialized */ 949 return (0); 950 951 trycount = IPSEC_REQID_TRYCNT; 952 while (--trycount > 0) { 953 reqid = key_newreqid(); 954 if (ipsec_check_reqid(reqid) == 0) 955 break; 956 } 957 if (trycount == 0) 958 return (EEXIST); 959 sc->reqid = reqid; 960 CK_LIST_INSERT_HEAD(ipsec_idhash(reqid), sc, idhash); 961 return (0); 962 } 963 964 /* 965 * Set or update reqid for given tunneling interface. 966 * When specified reqid is zero, generate new one. 967 * We are protected by ioctl_sx lock from concurrent id generation. 968 * Also softc would not disappear while we hold ioctl_sx lock. 969 */ 970 static int 971 ipsec_set_reqid(struct ipsec_softc *sc, uint32_t reqid) 972 { 973 struct secasindex *saidx; 974 975 sx_assert(&ipsec_ioctl_sx, SA_XLOCKED); 976 977 if (sc->reqid == reqid && reqid != 0) 978 return (0); 979 980 if (reqid != 0) { 981 /* Check that specified reqid doesn't exist */ 982 if (ipsec_check_reqid(reqid) != 0) 983 return (EEXIST); 984 if (sc->reqid != 0) { 985 CK_LIST_REMOVE(sc, idhash); 986 IPSEC_WAIT(); 987 } 988 sc->reqid = reqid; 989 CK_LIST_INSERT_HEAD(ipsec_idhash(reqid), sc, idhash); 990 } else { 991 /* Generate new reqid */ 992 if (ipsec_init_reqid(sc) != 0) 993 return (EEXIST); 994 } 995 996 /* Tunnel isn't fully configured, just return. */ 997 if (sc->family == 0) 998 return (0); 999 1000 saidx = ipsec_getsaidx(sc, IPSEC_DIR_OUTBOUND, sc->family); 1001 KASSERT(saidx != NULL, 1002 ("saidx is NULL, but family is %d", sc->family)); 1003 return (ipsec_set_tunnel(sc, &saidx->src.sa, &saidx->dst.sa, 1004 sc->reqid)); 1005 } 1006 1007 /* 1008 * Set tunnel endpoints addresses. 1009 */ 1010 static int 1011 ipsec_set_addresses(struct ifnet *ifp, struct sockaddr *src, 1012 struct sockaddr *dst) 1013 { 1014 struct ipsec_softc *sc; 1015 struct secasindex *saidx; 1016 1017 sx_assert(&ipsec_ioctl_sx, SA_XLOCKED); 1018 1019 sc = ifp->if_softc; 1020 if (sc->family != 0) { 1021 saidx = ipsec_getsaidx(sc, IPSEC_DIR_OUTBOUND, 1022 src->sa_family); 1023 if (saidx != NULL && saidx->reqid == sc->reqid && 1024 key_sockaddrcmp(&saidx->src.sa, src, 0) == 0 && 1025 key_sockaddrcmp(&saidx->dst.sa, dst, 0) == 0) 1026 return (0); /* Nothing has been changed. */ 1027 } 1028 /* If reqid is not set, generate new one. */ 1029 if (ipsec_init_reqid(sc) != 0) 1030 return (EEXIST); 1031 return (ipsec_set_tunnel(sc, src, dst, sc->reqid)); 1032 } 1033 1034 static int 1035 ipsec_set_tunnel(struct ipsec_softc *sc, struct sockaddr *src, 1036 struct sockaddr *dst, uint32_t reqid) 1037 { 1038 struct epoch_tracker et; 1039 struct ipsec_iflist *iflist; 1040 struct secpolicy *sp[IPSEC_SPCOUNT]; 1041 int i; 1042 1043 sx_assert(&ipsec_ioctl_sx, SA_XLOCKED); 1044 1045 /* Allocate SP with new addresses. */ 1046 iflist = ipsec_srchash(src); 1047 if (iflist == NULL) { 1048 sc->ifp->if_drv_flags &= ~IFF_DRV_RUNNING; 1049 return (EAFNOSUPPORT); 1050 } 1051 if (ipsec_newpolicies(sc, sp, src, dst, reqid) == 0) { 1052 /* Add new policies to SPDB */ 1053 if (key_register_ifnet(sp, IPSEC_SPCOUNT) != 0) { 1054 for (i = 0; i < IPSEC_SPCOUNT; i++) 1055 key_freesp(&sp[i]); 1056 return (EAGAIN); 1057 } 1058 if (sc->family != 0) 1059 ipsec_delete_tunnel(sc); 1060 for (i = 0; i < IPSEC_SPCOUNT; i++) 1061 sc->sp[i] = sp[i]; 1062 sc->family = src->sa_family; 1063 CK_LIST_INSERT_HEAD(iflist, sc, srchash); 1064 } else { 1065 sc->ifp->if_drv_flags &= ~IFF_DRV_RUNNING; 1066 return (ENOMEM); 1067 } 1068 NET_EPOCH_ENTER(et); 1069 ipsec_set_running(sc); 1070 NET_EPOCH_EXIT(et); 1071 return (0); 1072 } 1073 1074 static void 1075 ipsec_delete_tunnel(struct ipsec_softc *sc) 1076 { 1077 int i; 1078 1079 sx_assert(&ipsec_ioctl_sx, SA_XLOCKED); 1080 1081 sc->ifp->if_drv_flags &= ~IFF_DRV_RUNNING; 1082 if (sc->family != 0) { 1083 CK_LIST_REMOVE(sc, srchash); 1084 sc->family = 0; 1085 /* 1086 * Make sure that ipsec_if_input() will not do access 1087 * to softc's policies. 1088 */ 1089 IPSEC_WAIT(); 1090 1091 key_unregister_ifnet(sc->sp, IPSEC_SPCOUNT); 1092 for (i = 0; i < IPSEC_SPCOUNT; i++) 1093 key_freesp(&sc->sp[i]); 1094 } 1095 } 1096