1 /*- 2 * Copyright (c) 2016-2018 Yandex LLC 3 * Copyright (c) 2016-2018 Andrey V. Elsukov <ae@FreeBSD.org> 4 * All rights reserved. 5 * 6 * Redistribution and use in source and binary forms, with or without 7 * modification, are permitted provided that the following conditions 8 * are met: 9 * 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 2. Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer in the 14 * documentation and/or other materials provided with the distribution. 15 * 16 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 17 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 18 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 19 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 20 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 21 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 22 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 23 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 24 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 25 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 26 */ 27 28 #include <sys/cdefs.h> 29 __FBSDID("$FreeBSD$"); 30 31 #include "opt_inet.h" 32 #include "opt_inet6.h" 33 34 #include <sys/param.h> 35 #include <sys/systm.h> 36 #include <sys/kernel.h> 37 #include <sys/fnv_hash.h> 38 #include <sys/jail.h> 39 #include <sys/lock.h> 40 #include <sys/malloc.h> 41 #include <sys/mbuf.h> 42 #include <sys/module.h> 43 #include <sys/socket.h> 44 #include <sys/sockio.h> 45 #include <sys/sx.h> 46 #include <sys/errno.h> 47 #include <sys/sysctl.h> 48 #include <sys/priv.h> 49 #include <sys/proc.h> 50 #include <sys/conf.h> 51 52 #include <net/if.h> 53 #include <net/if_var.h> 54 #include <net/if_clone.h> 55 #include <net/if_types.h> 56 #include <net/bpf.h> 57 #include <net/route.h> 58 #include <net/vnet.h> 59 60 #include <netinet/in.h> 61 #include <netinet/in_var.h> 62 #include <netinet/ip.h> 63 #include <netinet/ip_encap.h> 64 65 #include <netinet/ip6.h> 66 #include <netinet6/in6_var.h> 67 #include <netinet6/scope6_var.h> 68 69 #include <netipsec/ipsec.h> 70 #ifdef INET6 71 #include <netipsec/ipsec6.h> 72 #endif 73 74 #include <net/if_ipsec.h> 75 #include <netipsec/key.h> 76 77 #include <security/mac/mac_framework.h> 78 79 static MALLOC_DEFINE(M_IPSEC, "ipsec", "IPsec Virtual Tunnel Interface"); 80 static const char ipsecname[] = "ipsec"; 81 82 #if defined(INET) && defined(INET6) 83 #define IPSEC_SPCOUNT 4 84 #else 85 #define IPSEC_SPCOUNT 2 86 #endif 87 88 struct ipsec_softc { 89 struct ifnet *ifp; 90 struct secpolicy *sp[IPSEC_SPCOUNT]; 91 uint32_t reqid; 92 u_int family; 93 u_int fibnum; 94 95 CK_LIST_ENTRY(ipsec_softc) idhash; 96 CK_LIST_ENTRY(ipsec_softc) srchash; 97 }; 98 99 #define IPSEC_RLOCK_TRACKER struct epoch_tracker ipsec_et 100 #define IPSEC_RLOCK() epoch_enter_preempt(net_epoch_preempt, &ipsec_et) 101 #define IPSEC_RUNLOCK() epoch_exit_preempt(net_epoch_preempt, &ipsec_et) 102 #define IPSEC_WAIT() epoch_wait_preempt(net_epoch_preempt) 103 104 #ifndef IPSEC_HASH_SIZE 105 #define IPSEC_HASH_SIZE (1 << 5) 106 #endif 107 108 CK_LIST_HEAD(ipsec_iflist, ipsec_softc); 109 VNET_DEFINE_STATIC(struct ipsec_iflist *, ipsec_idhtbl) = NULL; 110 #define V_ipsec_idhtbl VNET(ipsec_idhtbl) 111 112 #ifdef INET 113 VNET_DEFINE_STATIC(struct ipsec_iflist *, ipsec4_srchtbl) = NULL; 114 #define V_ipsec4_srchtbl VNET(ipsec4_srchtbl) 115 static const struct srcaddrtab *ipsec4_srctab = NULL; 116 #endif 117 118 #ifdef INET6 119 VNET_DEFINE_STATIC(struct ipsec_iflist *, ipsec6_srchtbl) = NULL; 120 #define V_ipsec6_srchtbl VNET(ipsec6_srchtbl) 121 static const struct srcaddrtab *ipsec6_srctab = NULL; 122 #endif 123 124 static struct ipsec_iflist * 125 ipsec_idhash(uint32_t id) 126 { 127 128 return (&V_ipsec_idhtbl[fnv_32_buf(&id, sizeof(id), 129 FNV1_32_INIT) & (IPSEC_HASH_SIZE - 1)]); 130 } 131 132 static struct ipsec_iflist * 133 ipsec_srchash(const struct sockaddr *sa) 134 { 135 uint32_t hval; 136 137 switch (sa->sa_family) { 138 #ifdef INET 139 case AF_INET: 140 hval = fnv_32_buf( 141 &((const struct sockaddr_in *)sa)->sin_addr.s_addr, 142 sizeof(in_addr_t), FNV1_32_INIT); 143 return (&V_ipsec4_srchtbl[hval & (IPSEC_HASH_SIZE - 1)]); 144 #endif 145 #ifdef INET6 146 case AF_INET6: 147 hval = fnv_32_buf( 148 &((const struct sockaddr_in6 *)sa)->sin6_addr, 149 sizeof(struct in6_addr), FNV1_32_INIT); 150 return (&V_ipsec6_srchtbl[hval & (IPSEC_HASH_SIZE - 1)]); 151 #endif 152 } 153 return (NULL); 154 } 155 156 /* 157 * ipsec_ioctl_sx protects from concurrent ioctls. 158 */ 159 static struct sx ipsec_ioctl_sx; 160 SX_SYSINIT(ipsec_ioctl_sx, &ipsec_ioctl_sx, "ipsec_ioctl"); 161 162 static int ipsec_init_reqid(struct ipsec_softc *); 163 static int ipsec_set_tunnel(struct ipsec_softc *, struct sockaddr *, 164 struct sockaddr *, uint32_t); 165 static void ipsec_delete_tunnel(struct ipsec_softc *); 166 167 static int ipsec_set_addresses(struct ifnet *, struct sockaddr *, 168 struct sockaddr *); 169 static int ipsec_set_reqid(struct ipsec_softc *, uint32_t); 170 static void ipsec_set_running(struct ipsec_softc *); 171 172 static void ipsec_srcaddr(void *, const struct sockaddr *, int); 173 static int ipsec_ioctl(struct ifnet *, u_long, caddr_t); 174 static int ipsec_transmit(struct ifnet *, struct mbuf *); 175 static int ipsec_output(struct ifnet *, struct mbuf *, 176 const struct sockaddr *, struct route *); 177 static void ipsec_qflush(struct ifnet *); 178 static int ipsec_clone_create(struct if_clone *, int, caddr_t); 179 static void ipsec_clone_destroy(struct ifnet *); 180 181 VNET_DEFINE_STATIC(struct if_clone *, ipsec_cloner); 182 #define V_ipsec_cloner VNET(ipsec_cloner) 183 184 static int 185 ipsec_clone_create(struct if_clone *ifc, int unit, caddr_t params) 186 { 187 struct ipsec_softc *sc; 188 struct ifnet *ifp; 189 190 sc = malloc(sizeof(*sc), M_IPSEC, M_WAITOK | M_ZERO); 191 sc->fibnum = curthread->td_proc->p_fibnum; 192 sc->ifp = ifp = if_alloc(IFT_TUNNEL); 193 ifp->if_softc = sc; 194 if_initname(ifp, ipsecname, unit); 195 196 ifp->if_addrlen = 0; 197 ifp->if_mtu = IPSEC_MTU; 198 ifp->if_flags = IFF_POINTOPOINT | IFF_MULTICAST; 199 ifp->if_ioctl = ipsec_ioctl; 200 ifp->if_transmit = ipsec_transmit; 201 ifp->if_qflush = ipsec_qflush; 202 ifp->if_output = ipsec_output; 203 if_attach(ifp); 204 bpfattach(ifp, DLT_NULL, sizeof(uint32_t)); 205 206 return (0); 207 } 208 209 static void 210 ipsec_clone_destroy(struct ifnet *ifp) 211 { 212 struct ipsec_softc *sc; 213 214 sx_xlock(&ipsec_ioctl_sx); 215 sc = ifp->if_softc; 216 ipsec_delete_tunnel(sc); 217 /* 218 * Delete softc from idhash on interface destroy, since 219 * ipsec_delete_tunnel() keeps reqid unchanged. 220 */ 221 if (sc->reqid != 0) 222 CK_LIST_REMOVE(sc, idhash); 223 bpfdetach(ifp); 224 if_detach(ifp); 225 ifp->if_softc = NULL; 226 sx_xunlock(&ipsec_ioctl_sx); 227 228 IPSEC_WAIT(); 229 if_free(ifp); 230 free(sc, M_IPSEC); 231 } 232 233 static struct ipsec_iflist * 234 ipsec_hashinit(void) 235 { 236 struct ipsec_iflist *hash; 237 int i; 238 239 hash = malloc(sizeof(struct ipsec_iflist) * IPSEC_HASH_SIZE, 240 M_IPSEC, M_WAITOK); 241 for (i = 0; i < IPSEC_HASH_SIZE; i++) 242 CK_LIST_INIT(&hash[i]); 243 244 return (hash); 245 } 246 247 static void 248 vnet_ipsec_init(const void *unused __unused) 249 { 250 251 V_ipsec_idhtbl = ipsec_hashinit(); 252 #ifdef INET 253 V_ipsec4_srchtbl = ipsec_hashinit(); 254 if (IS_DEFAULT_VNET(curvnet)) 255 ipsec4_srctab = ip_encap_register_srcaddr(ipsec_srcaddr, 256 NULL, M_WAITOK); 257 #endif 258 #ifdef INET6 259 V_ipsec6_srchtbl = ipsec_hashinit(); 260 if (IS_DEFAULT_VNET(curvnet)) 261 ipsec6_srctab = ip6_encap_register_srcaddr(ipsec_srcaddr, 262 NULL, M_WAITOK); 263 #endif 264 V_ipsec_cloner = if_clone_simple(ipsecname, ipsec_clone_create, 265 ipsec_clone_destroy, 0); 266 } 267 VNET_SYSINIT(vnet_ipsec_init, SI_SUB_PROTO_IFATTACHDOMAIN, SI_ORDER_ANY, 268 vnet_ipsec_init, NULL); 269 270 static void 271 vnet_ipsec_uninit(const void *unused __unused) 272 { 273 274 if_clone_detach(V_ipsec_cloner); 275 free(V_ipsec_idhtbl, M_IPSEC); 276 /* 277 * Use V_ipsec_idhtbl pointer as indicator that VNET is going to be 278 * destroyed, it is used by ipsec_srcaddr() callback. 279 */ 280 V_ipsec_idhtbl = NULL; 281 IPSEC_WAIT(); 282 283 #ifdef INET 284 if (IS_DEFAULT_VNET(curvnet)) 285 ip_encap_unregister_srcaddr(ipsec4_srctab); 286 free(V_ipsec4_srchtbl, M_IPSEC); 287 #endif 288 #ifdef INET6 289 if (IS_DEFAULT_VNET(curvnet)) 290 ip6_encap_unregister_srcaddr(ipsec6_srctab); 291 free(V_ipsec6_srchtbl, M_IPSEC); 292 #endif 293 } 294 VNET_SYSUNINIT(vnet_ipsec_uninit, SI_SUB_PROTO_IFATTACHDOMAIN, SI_ORDER_ANY, 295 vnet_ipsec_uninit, NULL); 296 297 static struct secpolicy * 298 ipsec_getpolicy(struct ipsec_softc *sc, int dir, sa_family_t af) 299 { 300 301 switch (af) { 302 #ifdef INET 303 case AF_INET: 304 return (sc->sp[(dir == IPSEC_DIR_INBOUND ? 0: 1)]); 305 #endif 306 #ifdef INET6 307 case AF_INET6: 308 return (sc->sp[(dir == IPSEC_DIR_INBOUND ? 0: 1) 309 #ifdef INET 310 + 2 311 #endif 312 ]); 313 #endif 314 } 315 return (NULL); 316 } 317 318 static struct secasindex * 319 ipsec_getsaidx(struct ipsec_softc *sc, int dir, sa_family_t af) 320 { 321 struct secpolicy *sp; 322 323 sp = ipsec_getpolicy(sc, dir, af); 324 if (sp == NULL) 325 return (NULL); 326 return (&sp->req[0]->saidx); 327 } 328 329 static int 330 ipsec_transmit(struct ifnet *ifp, struct mbuf *m) 331 { 332 IPSEC_RLOCK_TRACKER; 333 struct ipsec_softc *sc; 334 struct secpolicy *sp; 335 struct ip *ip; 336 uint32_t af; 337 int error; 338 339 IPSEC_RLOCK(); 340 #ifdef MAC 341 error = mac_ifnet_check_transmit(ifp, m); 342 if (error) { 343 m_freem(m); 344 goto err; 345 } 346 #endif 347 error = ENETDOWN; 348 sc = ifp->if_softc; 349 if ((ifp->if_drv_flags & IFF_DRV_RUNNING) == 0 || 350 (ifp->if_flags & IFF_MONITOR) != 0 || 351 (ifp->if_flags & IFF_UP) == 0 || sc->family == 0) { 352 m_freem(m); 353 goto err; 354 } 355 356 /* Determine address family to correctly handle packet in BPF */ 357 ip = mtod(m, struct ip *); 358 switch (ip->ip_v) { 359 #ifdef INET 360 case IPVERSION: 361 af = AF_INET; 362 break; 363 #endif 364 #ifdef INET6 365 case (IPV6_VERSION >> 4): 366 af = AF_INET6; 367 break; 368 #endif 369 default: 370 error = EAFNOSUPPORT; 371 m_freem(m); 372 goto err; 373 } 374 375 /* 376 * Loop prevention. 377 * XXX: for now just check presence of IPSEC_OUT_DONE mbuf tag. 378 * We can read full chain and compare destination address, 379 * proto and mode from xform_history with values from softc. 380 */ 381 if (m_tag_find(m, PACKET_TAG_IPSEC_OUT_DONE, NULL) != NULL) { 382 m_freem(m); 383 goto err; 384 } 385 386 sp = ipsec_getpolicy(sc, IPSEC_DIR_OUTBOUND, af); 387 key_addref(sp); 388 M_SETFIB(m, sc->fibnum); 389 390 BPF_MTAP2(ifp, &af, sizeof(af), m); 391 if_inc_counter(ifp, IFCOUNTER_OPACKETS, 1); 392 if_inc_counter(ifp, IFCOUNTER_OBYTES, m->m_pkthdr.len); 393 394 switch (af) { 395 #ifdef INET 396 case AF_INET: 397 error = ipsec4_process_packet(m, sp, NULL); 398 break; 399 #endif 400 #ifdef INET6 401 case AF_INET6: 402 error = ipsec6_process_packet(m, sp, NULL); 403 break; 404 #endif 405 default: 406 panic("%s: unknown address family\n", __func__); 407 } 408 err: 409 if (error != 0) 410 if_inc_counter(ifp, IFCOUNTER_OERRORS, 1); 411 IPSEC_RUNLOCK(); 412 return (error); 413 } 414 415 static void 416 ipsec_qflush(struct ifnet *ifp __unused) 417 { 418 419 } 420 421 static int 422 ipsec_output(struct ifnet *ifp, struct mbuf *m, const struct sockaddr *dst, 423 struct route *ro) 424 { 425 426 return (ifp->if_transmit(ifp, m)); 427 } 428 429 int 430 ipsec_if_input(struct mbuf *m, struct secasvar *sav, uint32_t af) 431 { 432 IPSEC_RLOCK_TRACKER; 433 struct secasindex *saidx; 434 struct ipsec_softc *sc; 435 struct ifnet *ifp; 436 437 if (sav->state != SADB_SASTATE_MATURE && 438 sav->state != SADB_SASTATE_DYING) { 439 m_freem(m); 440 return (ENETDOWN); 441 } 442 443 if (sav->sah->saidx.mode != IPSEC_MODE_TUNNEL || 444 sav->sah->saidx.proto != IPPROTO_ESP) 445 return (0); 446 447 IPSEC_RLOCK(); 448 CK_LIST_FOREACH(sc, ipsec_idhash(sav->sah->saidx.reqid), idhash) { 449 if (sc->family == 0) 450 continue; 451 saidx = ipsec_getsaidx(sc, IPSEC_DIR_INBOUND, 452 sav->sah->saidx.src.sa.sa_family); 453 /* SA's reqid should match reqid in SP */ 454 if (saidx == NULL || 455 sav->sah->saidx.reqid != saidx->reqid) 456 continue; 457 /* SAH's addresses should match tunnel endpoints. */ 458 if (key_sockaddrcmp(&sav->sah->saidx.dst.sa, 459 &saidx->dst.sa, 0) != 0) 460 continue; 461 if (key_sockaddrcmp(&sav->sah->saidx.src.sa, 462 &saidx->src.sa, 0) == 0) 463 break; 464 } 465 if (sc == NULL) { 466 IPSEC_RUNLOCK(); 467 /* Tunnel was not found. Nothing to do. */ 468 return (0); 469 } 470 ifp = sc->ifp; 471 if ((ifp->if_drv_flags & IFF_DRV_RUNNING) == 0 || 472 (ifp->if_flags & IFF_UP) == 0) { 473 IPSEC_RUNLOCK(); 474 m_freem(m); 475 return (ENETDOWN); 476 } 477 /* 478 * We found matching and working tunnel. 479 * Set its ifnet as receiving interface. 480 */ 481 m->m_pkthdr.rcvif = ifp; 482 483 m_clrprotoflags(m); 484 M_SETFIB(m, ifp->if_fib); 485 BPF_MTAP2(ifp, &af, sizeof(af), m); 486 if_inc_counter(ifp, IFCOUNTER_IPACKETS, 1); 487 if_inc_counter(ifp, IFCOUNTER_IBYTES, m->m_pkthdr.len); 488 if ((ifp->if_flags & IFF_MONITOR) != 0) { 489 IPSEC_RUNLOCK(); 490 m_freem(m); 491 return (ENETDOWN); 492 } 493 IPSEC_RUNLOCK(); 494 return (0); 495 } 496 497 static int 498 ipsec_ioctl(struct ifnet *ifp, u_long cmd, caddr_t data) 499 { 500 struct ifreq *ifr = (struct ifreq*)data; 501 struct sockaddr *dst, *src; 502 struct ipsec_softc *sc; 503 struct secasindex *saidx; 504 #ifdef INET 505 struct sockaddr_in *sin = NULL; 506 #endif 507 #ifdef INET6 508 struct sockaddr_in6 *sin6 = NULL; 509 #endif 510 uint32_t reqid; 511 int error; 512 513 switch (cmd) { 514 case SIOCSIFADDR: 515 ifp->if_flags |= IFF_UP; 516 case SIOCADDMULTI: 517 case SIOCDELMULTI: 518 case SIOCGIFMTU: 519 case SIOCSIFFLAGS: 520 return (0); 521 case SIOCSIFMTU: 522 if (ifr->ifr_mtu < IPSEC_MTU_MIN || 523 ifr->ifr_mtu > IPSEC_MTU_MAX) 524 return (EINVAL); 525 else 526 ifp->if_mtu = ifr->ifr_mtu; 527 return (0); 528 } 529 sx_xlock(&ipsec_ioctl_sx); 530 sc = ifp->if_softc; 531 /* Check that softc is still here */ 532 if (sc == NULL) { 533 error = ENXIO; 534 goto bad; 535 } 536 error = 0; 537 switch (cmd) { 538 case SIOCSIFPHYADDR: 539 #ifdef INET6 540 case SIOCSIFPHYADDR_IN6: 541 #endif 542 error = EINVAL; 543 switch (cmd) { 544 #ifdef INET 545 case SIOCSIFPHYADDR: 546 src = (struct sockaddr *) 547 &(((struct in_aliasreq *)data)->ifra_addr); 548 dst = (struct sockaddr *) 549 &(((struct in_aliasreq *)data)->ifra_dstaddr); 550 break; 551 #endif 552 #ifdef INET6 553 case SIOCSIFPHYADDR_IN6: 554 src = (struct sockaddr *) 555 &(((struct in6_aliasreq *)data)->ifra_addr); 556 dst = (struct sockaddr *) 557 &(((struct in6_aliasreq *)data)->ifra_dstaddr); 558 break; 559 #endif 560 default: 561 goto bad; 562 } 563 /* sa_family must be equal */ 564 if (src->sa_family != dst->sa_family || 565 src->sa_len != dst->sa_len) 566 goto bad; 567 568 /* validate sa_len */ 569 switch (src->sa_family) { 570 #ifdef INET 571 case AF_INET: 572 if (src->sa_len != sizeof(struct sockaddr_in)) 573 goto bad; 574 break; 575 #endif 576 #ifdef INET6 577 case AF_INET6: 578 if (src->sa_len != sizeof(struct sockaddr_in6)) 579 goto bad; 580 break; 581 #endif 582 default: 583 error = EAFNOSUPPORT; 584 goto bad; 585 } 586 /* check sa_family looks sane for the cmd */ 587 error = EAFNOSUPPORT; 588 switch (cmd) { 589 #ifdef INET 590 case SIOCSIFPHYADDR: 591 if (src->sa_family == AF_INET) 592 break; 593 goto bad; 594 #endif 595 #ifdef INET6 596 case SIOCSIFPHYADDR_IN6: 597 if (src->sa_family == AF_INET6) 598 break; 599 goto bad; 600 #endif 601 } 602 error = EADDRNOTAVAIL; 603 switch (src->sa_family) { 604 #ifdef INET 605 case AF_INET: 606 if (satosin(src)->sin_addr.s_addr == INADDR_ANY || 607 satosin(dst)->sin_addr.s_addr == INADDR_ANY) 608 goto bad; 609 break; 610 #endif 611 #ifdef INET6 612 case AF_INET6: 613 if (IN6_IS_ADDR_UNSPECIFIED( 614 &satosin6(src)->sin6_addr) || 615 IN6_IS_ADDR_UNSPECIFIED( 616 &satosin6(dst)->sin6_addr)) 617 goto bad; 618 /* 619 * Check validity of the scope zone ID of the 620 * addresses, and convert it into the kernel 621 * internal form if necessary. 622 */ 623 error = sa6_embedscope(satosin6(src), 0); 624 if (error != 0) 625 goto bad; 626 error = sa6_embedscope(satosin6(dst), 0); 627 if (error != 0) 628 goto bad; 629 #endif 630 }; 631 error = ipsec_set_addresses(ifp, src, dst); 632 break; 633 case SIOCDIFPHYADDR: 634 ipsec_delete_tunnel(sc); 635 break; 636 case SIOCGIFPSRCADDR: 637 case SIOCGIFPDSTADDR: 638 #ifdef INET6 639 case SIOCGIFPSRCADDR_IN6: 640 case SIOCGIFPDSTADDR_IN6: 641 #endif 642 if (sc->family == 0) { 643 error = EADDRNOTAVAIL; 644 break; 645 } 646 saidx = ipsec_getsaidx(sc, IPSEC_DIR_OUTBOUND, sc->family); 647 switch (cmd) { 648 #ifdef INET 649 case SIOCGIFPSRCADDR: 650 case SIOCGIFPDSTADDR: 651 if (saidx->src.sa.sa_family != AF_INET) { 652 error = EADDRNOTAVAIL; 653 break; 654 } 655 sin = (struct sockaddr_in *)&ifr->ifr_addr; 656 memset(sin, 0, sizeof(*sin)); 657 sin->sin_family = AF_INET; 658 sin->sin_len = sizeof(*sin); 659 break; 660 #endif 661 #ifdef INET6 662 case SIOCGIFPSRCADDR_IN6: 663 case SIOCGIFPDSTADDR_IN6: 664 if (saidx->src.sa.sa_family != AF_INET6) { 665 error = EADDRNOTAVAIL; 666 break; 667 } 668 sin6 = (struct sockaddr_in6 *) 669 &(((struct in6_ifreq *)data)->ifr_addr); 670 memset(sin6, 0, sizeof(*sin6)); 671 sin6->sin6_family = AF_INET6; 672 sin6->sin6_len = sizeof(*sin6); 673 break; 674 #endif 675 default: 676 error = EAFNOSUPPORT; 677 } 678 if (error == 0) { 679 switch (cmd) { 680 #ifdef INET 681 case SIOCGIFPSRCADDR: 682 sin->sin_addr = saidx->src.sin.sin_addr; 683 break; 684 case SIOCGIFPDSTADDR: 685 sin->sin_addr = saidx->dst.sin.sin_addr; 686 break; 687 #endif 688 #ifdef INET6 689 case SIOCGIFPSRCADDR_IN6: 690 sin6->sin6_addr = saidx->src.sin6.sin6_addr; 691 break; 692 case SIOCGIFPDSTADDR_IN6: 693 sin6->sin6_addr = saidx->dst.sin6.sin6_addr; 694 break; 695 #endif 696 } 697 } 698 if (error != 0) 699 break; 700 switch (cmd) { 701 #ifdef INET 702 case SIOCGIFPSRCADDR: 703 case SIOCGIFPDSTADDR: 704 error = prison_if(curthread->td_ucred, 705 (struct sockaddr *)sin); 706 if (error != 0) 707 memset(sin, 0, sizeof(*sin)); 708 break; 709 #endif 710 #ifdef INET6 711 case SIOCGIFPSRCADDR_IN6: 712 case SIOCGIFPDSTADDR_IN6: 713 error = prison_if(curthread->td_ucred, 714 (struct sockaddr *)sin6); 715 if (error == 0) 716 error = sa6_recoverscope(sin6); 717 if (error != 0) 718 memset(sin6, 0, sizeof(*sin6)); 719 #endif 720 } 721 break; 722 case SIOCGTUNFIB: 723 ifr->ifr_fib = sc->fibnum; 724 break; 725 case SIOCSTUNFIB: 726 if ((error = priv_check(curthread, PRIV_NET_SETIFFIB)) != 0) 727 break; 728 if (ifr->ifr_fib >= rt_numfibs) 729 error = EINVAL; 730 else 731 sc->fibnum = ifr->ifr_fib; 732 break; 733 case IPSECGREQID: 734 reqid = sc->reqid; 735 error = copyout(&reqid, ifr_data_get_ptr(ifr), sizeof(reqid)); 736 break; 737 case IPSECSREQID: 738 if ((error = priv_check(curthread, PRIV_NET_SETIFCAP)) != 0) 739 break; 740 error = copyin(ifr_data_get_ptr(ifr), &reqid, sizeof(reqid)); 741 if (error != 0) 742 break; 743 error = ipsec_set_reqid(sc, reqid); 744 break; 745 default: 746 error = EINVAL; 747 break; 748 } 749 bad: 750 sx_xunlock(&ipsec_ioctl_sx); 751 return (error); 752 } 753 754 /* 755 * Check that ingress address belongs to local host. 756 */ 757 static void 758 ipsec_set_running(struct ipsec_softc *sc) 759 { 760 struct secasindex *saidx; 761 int localip; 762 763 saidx = ipsec_getsaidx(sc, IPSEC_DIR_OUTBOUND, sc->family); 764 localip = 0; 765 switch (sc->family) { 766 #ifdef INET 767 case AF_INET: 768 localip = in_localip(saidx->src.sin.sin_addr); 769 break; 770 #endif 771 #ifdef INET6 772 case AF_INET6: 773 localip = in6_localip(&saidx->src.sin6.sin6_addr); 774 break; 775 #endif 776 } 777 if (localip != 0) 778 sc->ifp->if_drv_flags |= IFF_DRV_RUNNING; 779 else 780 sc->ifp->if_drv_flags &= ~IFF_DRV_RUNNING; 781 } 782 783 /* 784 * ifaddr_event handler. 785 * Clear IFF_DRV_RUNNING flag when ingress address disappears to prevent 786 * source address spoofing. 787 */ 788 static void 789 ipsec_srcaddr(void *arg __unused, const struct sockaddr *sa, 790 int event __unused) 791 { 792 struct ipsec_softc *sc; 793 struct secasindex *saidx; 794 795 /* Check that VNET is ready */ 796 if (V_ipsec_idhtbl == NULL) 797 return; 798 799 MPASS(in_epoch(net_epoch_preempt)); 800 CK_LIST_FOREACH(sc, ipsec_srchash(sa), srchash) { 801 if (sc->family == 0) 802 continue; 803 saidx = ipsec_getsaidx(sc, IPSEC_DIR_OUTBOUND, sa->sa_family); 804 if (saidx == NULL || 805 key_sockaddrcmp(&saidx->src.sa, sa, 0) != 0) 806 continue; 807 ipsec_set_running(sc); 808 } 809 } 810 811 /* 812 * Allocate new private security policies for tunneling interface. 813 * Each tunneling interface has following security policies for 814 * both AF: 815 * 0.0.0.0/0[any] 0.0.0.0/0[any] -P in \ 816 * ipsec esp/tunnel/RemoteIP-LocalIP/unique:reqid 817 * 0.0.0.0/0[any] 0.0.0.0/0[any] -P out \ 818 * ipsec esp/tunnel/LocalIP-RemoteIP/unique:reqid 819 */ 820 static int 821 ipsec_newpolicies(struct ipsec_softc *sc, struct secpolicy *sp[IPSEC_SPCOUNT], 822 const struct sockaddr *src, const struct sockaddr *dst, uint32_t reqid) 823 { 824 struct ipsecrequest *isr; 825 int i; 826 827 memset(sp, 0, sizeof(struct secpolicy *) * IPSEC_SPCOUNT); 828 for (i = 0; i < IPSEC_SPCOUNT; i++) { 829 if ((sp[i] = key_newsp()) == NULL) 830 goto fail; 831 if ((isr = ipsec_newisr()) == NULL) 832 goto fail; 833 834 sp[i]->policy = IPSEC_POLICY_IPSEC; 835 sp[i]->state = IPSEC_SPSTATE_DEAD; 836 sp[i]->req[sp[i]->tcount++] = isr; 837 sp[i]->created = time_second; 838 /* Use priority field to store if_index */ 839 sp[i]->priority = sc->ifp->if_index; 840 isr->level = IPSEC_LEVEL_UNIQUE; 841 isr->saidx.proto = IPPROTO_ESP; 842 isr->saidx.mode = IPSEC_MODE_TUNNEL; 843 isr->saidx.reqid = reqid; 844 if (i % 2 == 0) { 845 sp[i]->spidx.dir = IPSEC_DIR_INBOUND; 846 bcopy(src, &isr->saidx.dst, src->sa_len); 847 bcopy(dst, &isr->saidx.src, dst->sa_len); 848 } else { 849 sp[i]->spidx.dir = IPSEC_DIR_OUTBOUND; 850 bcopy(src, &isr->saidx.src, src->sa_len); 851 bcopy(dst, &isr->saidx.dst, dst->sa_len); 852 } 853 sp[i]->spidx.ul_proto = IPSEC_ULPROTO_ANY; 854 #ifdef INET 855 if (i < 2) { 856 sp[i]->spidx.src.sa.sa_family = 857 sp[i]->spidx.dst.sa.sa_family = AF_INET; 858 sp[i]->spidx.src.sa.sa_len = 859 sp[i]->spidx.dst.sa.sa_len = 860 sizeof(struct sockaddr_in); 861 continue; 862 } 863 #endif 864 #ifdef INET6 865 sp[i]->spidx.src.sa.sa_family = 866 sp[i]->spidx.dst.sa.sa_family = AF_INET6; 867 sp[i]->spidx.src.sa.sa_len = 868 sp[i]->spidx.dst.sa.sa_len = sizeof(struct sockaddr_in6); 869 #endif 870 } 871 return (0); 872 fail: 873 for (i = 0; i < IPSEC_SPCOUNT; i++) 874 key_freesp(&sp[i]); 875 return (ENOMEM); 876 } 877 878 static int 879 ipsec_check_reqid(uint32_t reqid) 880 { 881 struct ipsec_softc *sc; 882 883 sx_assert(&ipsec_ioctl_sx, SA_XLOCKED); 884 CK_LIST_FOREACH(sc, ipsec_idhash(reqid), idhash) { 885 if (sc->reqid == reqid) 886 return (EEXIST); 887 } 888 return (0); 889 } 890 891 /* 892 * We use key_newreqid() to automatically obtain unique reqid. 893 * Then we check that given id is unique, i.e. it is not used by 894 * another if_ipsec(4) interface. This macro limits the number of 895 * tries to get unique id. 896 */ 897 #define IPSEC_REQID_TRYCNT 64 898 static int 899 ipsec_init_reqid(struct ipsec_softc *sc) 900 { 901 uint32_t reqid; 902 int trycount; 903 904 sx_assert(&ipsec_ioctl_sx, SA_XLOCKED); 905 if (sc->reqid != 0) /* already initialized */ 906 return (0); 907 908 trycount = IPSEC_REQID_TRYCNT; 909 while (--trycount > 0) { 910 reqid = key_newreqid(); 911 if (ipsec_check_reqid(reqid) == 0) 912 break; 913 } 914 if (trycount == 0) 915 return (EEXIST); 916 sc->reqid = reqid; 917 CK_LIST_INSERT_HEAD(ipsec_idhash(reqid), sc, idhash); 918 return (0); 919 } 920 921 /* 922 * Set or update reqid for given tunneling interface. 923 * When specified reqid is zero, generate new one. 924 * We are protected by ioctl_sx lock from concurrent id generation. 925 * Also softc would not disappear while we hold ioctl_sx lock. 926 */ 927 static int 928 ipsec_set_reqid(struct ipsec_softc *sc, uint32_t reqid) 929 { 930 struct secasindex *saidx; 931 932 sx_assert(&ipsec_ioctl_sx, SA_XLOCKED); 933 934 if (sc->reqid == reqid && reqid != 0) 935 return (0); 936 937 if (reqid != 0) { 938 /* Check that specified reqid doesn't exist */ 939 if (ipsec_check_reqid(reqid) != 0) 940 return (EEXIST); 941 if (sc->reqid != 0) { 942 CK_LIST_REMOVE(sc, idhash); 943 IPSEC_WAIT(); 944 } 945 sc->reqid = reqid; 946 CK_LIST_INSERT_HEAD(ipsec_idhash(reqid), sc, idhash); 947 } else { 948 /* Generate new reqid */ 949 if (ipsec_init_reqid(sc) != 0) 950 return (EEXIST); 951 } 952 953 /* Tunnel isn't fully configured, just return. */ 954 if (sc->family == 0) 955 return (0); 956 957 saidx = ipsec_getsaidx(sc, IPSEC_DIR_OUTBOUND, sc->family); 958 KASSERT(saidx != NULL, 959 ("saidx is NULL, but family is %d", sc->family)); 960 return (ipsec_set_tunnel(sc, &saidx->src.sa, &saidx->dst.sa, 961 sc->reqid)); 962 } 963 964 /* 965 * Set tunnel endpoints addresses. 966 */ 967 static int 968 ipsec_set_addresses(struct ifnet *ifp, struct sockaddr *src, 969 struct sockaddr *dst) 970 { 971 struct ipsec_softc *sc, *tsc; 972 struct secasindex *saidx; 973 974 sx_assert(&ipsec_ioctl_sx, SA_XLOCKED); 975 976 sc = ifp->if_softc; 977 if (sc->family != 0) { 978 saidx = ipsec_getsaidx(sc, IPSEC_DIR_OUTBOUND, 979 src->sa_family); 980 if (saidx != NULL && saidx->reqid == sc->reqid && 981 key_sockaddrcmp(&saidx->src.sa, src, 0) == 0 && 982 key_sockaddrcmp(&saidx->dst.sa, dst, 0) == 0) 983 return (0); /* Nothing has been changed. */ 984 985 } 986 /* Check that given addresses aren't already configured */ 987 CK_LIST_FOREACH(tsc, ipsec_srchash(src), srchash) { 988 if (tsc == sc) 989 continue; 990 MPASS(tsc->family == src->sa_family); 991 saidx = ipsec_getsaidx(tsc, IPSEC_DIR_OUTBOUND, tsc->family); 992 if (key_sockaddrcmp(&saidx->src.sa, src, 0) == 0 && 993 key_sockaddrcmp(&saidx->dst.sa, dst, 0) == 0) { 994 /* We already have tunnel with such addresses */ 995 return (EADDRNOTAVAIL); 996 } 997 } 998 /* If reqid is not set, generate new one. */ 999 if (ipsec_init_reqid(sc) != 0) 1000 return (EEXIST); 1001 return (ipsec_set_tunnel(sc, src, dst, sc->reqid)); 1002 } 1003 1004 static int 1005 ipsec_set_tunnel(struct ipsec_softc *sc, struct sockaddr *src, 1006 struct sockaddr *dst, uint32_t reqid) 1007 { 1008 struct secpolicy *sp[IPSEC_SPCOUNT]; 1009 int i; 1010 1011 sx_assert(&ipsec_ioctl_sx, SA_XLOCKED); 1012 1013 /* Allocate SP with new addresses. */ 1014 if (ipsec_newpolicies(sc, sp, src, dst, reqid) == 0) { 1015 /* Add new policies to SPDB */ 1016 if (key_register_ifnet(sp, IPSEC_SPCOUNT) != 0) { 1017 for (i = 0; i < IPSEC_SPCOUNT; i++) 1018 key_freesp(&sp[i]); 1019 return (EAGAIN); 1020 } 1021 if (sc->family != 0) 1022 ipsec_delete_tunnel(sc); 1023 for (i = 0; i < IPSEC_SPCOUNT; i++) 1024 sc->sp[i] = sp[i]; 1025 sc->family = src->sa_family; 1026 CK_LIST_INSERT_HEAD(ipsec_srchash(src), sc, srchash); 1027 } else { 1028 sc->ifp->if_drv_flags &= ~IFF_DRV_RUNNING; 1029 return (ENOMEM); 1030 } 1031 ipsec_set_running(sc); 1032 return (0); 1033 } 1034 1035 static void 1036 ipsec_delete_tunnel(struct ipsec_softc *sc) 1037 { 1038 int i; 1039 1040 sx_assert(&ipsec_ioctl_sx, SA_XLOCKED); 1041 1042 sc->ifp->if_drv_flags &= ~IFF_DRV_RUNNING; 1043 if (sc->family != 0) { 1044 CK_LIST_REMOVE(sc, srchash); 1045 sc->family = 0; 1046 /* 1047 * Make sure that ipsec_if_input() will not do access 1048 * to softc's policies. 1049 */ 1050 IPSEC_WAIT(); 1051 1052 key_unregister_ifnet(sc->sp, IPSEC_SPCOUNT); 1053 for (i = 0; i < IPSEC_SPCOUNT; i++) 1054 key_freesp(&sc->sp[i]); 1055 } 1056 } 1057