search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
mtw(4) remove misplaced DEBUG_FLAGS
[freebsd/src.git] / sys / net / if_ipsec.c
blobdf10af66471ce2a76f2c0a05d5e02560db243d18
1 /*-
2 * Copyright (c) 2016-2018 Yandex LLC
3 * Copyright (c) 2016-2018 Andrey V. Elsukov <ae@FreeBSD.org>
4 * All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
8 * are met:
9 *
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
15 *
16 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
17 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
18 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
19 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
20 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
21 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
22 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
23 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
24 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
25 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
26 */
27
28 #include <sys/cdefs.h>
29 #include "opt_inet.h"
30 #include "opt_inet6.h"
31 #include "opt_ipsec.h"
32
33 #include <sys/param.h>
34 #include <sys/systm.h>
35 #include <sys/kernel.h>
36 #include <sys/fnv_hash.h>
37 #include <sys/jail.h>
38 #include <sys/lock.h>
39 #include <sys/malloc.h>
40 #include <sys/mbuf.h>
41 #include <sys/module.h>
42 #include <sys/socket.h>
43 #include <sys/sockio.h>
44 #include <sys/sx.h>
45 #include <sys/errno.h>
46 #include <sys/sysctl.h>
47 #include <sys/priv.h>
48 #include <sys/proc.h>
49 #include <sys/conf.h>
50
51 #include <net/if.h>
52 #include <net/if_var.h>
53 #include <net/if_private.h>
54 #include <net/if_clone.h>
55 #include <net/if_types.h>
56 #include <net/bpf.h>
57 #include <net/route.h>
58 #include <net/vnet.h>
59
60 #include <netinet/in.h>
61 #include <netinet/in_var.h>
62 #include <netinet/ip.h>
63 #include <netinet/ip_encap.h>
64
65 #include <netinet/ip6.h>
66 #include <netinet6/in6_var.h>
67 #include <netinet6/scope6_var.h>
68
69 #include <netipsec/ipsec.h>
70 #ifdef INET6
71 #include <netipsec/ipsec6.h>
72 #endif
73
74 #include <net/if_ipsec.h>
75 #include <netipsec/key.h>
76
77 #include <security/mac/mac_framework.h>
78
79 static MALLOC_DEFINE(M_IPSEC, "ipsec", "IPsec Virtual Tunnel Interface");
80 static const char ipsecname[] = "ipsec";
81
82 #if defined(INET) && defined(INET6)
83 #define IPSEC_SPCOUNT 4
84 #else
85 #define IPSEC_SPCOUNT 2
86 #endif
87
88 struct ipsec_softc {
89 struct ifnet *ifp;
90 struct secpolicy *sp[IPSEC_SPCOUNT];
91 uint32_t reqid;
92 u_int family;
93 u_int fibnum;
94
95 CK_LIST_ENTRY(ipsec_softc) idhash;
96 CK_LIST_ENTRY(ipsec_softc) srchash;
97 };
98
99 #define IPSEC_RLOCK_TRACKER struct epoch_tracker ipsec_et
100 #define IPSEC_RLOCK() epoch_enter_preempt(net_epoch_preempt, &ipsec_et)
101 #define IPSEC_RUNLOCK() epoch_exit_preempt(net_epoch_preempt, &ipsec_et)
102 #define IPSEC_WAIT() epoch_wait_preempt(net_epoch_preempt)
103
104 #ifndef IPSEC_HASH_SIZE
105 #define IPSEC_HASH_SIZE (1 << 5)
106 #endif
107
108 CK_LIST_HEAD(ipsec_iflist, ipsec_softc);
109 VNET_DEFINE_STATIC(struct ipsec_iflist *, ipsec_idhtbl) = NULL;
110 #define V_ipsec_idhtbl VNET(ipsec_idhtbl)
111
112 #ifdef INET
113 VNET_DEFINE_STATIC(struct ipsec_iflist *, ipsec4_srchtbl) = NULL;
114 #define V_ipsec4_srchtbl VNET(ipsec4_srchtbl)
115 static const struct srcaddrtab *ipsec4_srctab = NULL;
116 #endif
117
118 #ifdef INET6
119 VNET_DEFINE_STATIC(struct ipsec_iflist *, ipsec6_srchtbl) = NULL;
120 #define V_ipsec6_srchtbl VNET(ipsec6_srchtbl)
121 static const struct srcaddrtab *ipsec6_srctab = NULL;
122 #endif
123
124 static struct ipsec_iflist *
125 ipsec_idhash(uint32_t id)
126 {
127
128 return (&V_ipsec_idhtbl[fnv_32_buf(&id, sizeof(id),
129 FNV1_32_INIT) & (IPSEC_HASH_SIZE - 1)]);
130 }
131
132 static struct ipsec_iflist *
133 ipsec_srchash(const struct sockaddr *sa)
134 {
135 uint32_t hval;
136
137 switch (sa->sa_family) {
138 #ifdef INET
139 case AF_INET:
140 hval = fnv_32_buf(
141 &((const struct sockaddr_in *)sa)->sin_addr.s_addr,
142 sizeof(in_addr_t), FNV1_32_INIT);
143 return (&V_ipsec4_srchtbl[hval & (IPSEC_HASH_SIZE - 1)]);
144 #endif
145 #ifdef INET6
146 case AF_INET6:
147 hval = fnv_32_buf(
148 &((const struct sockaddr_in6 *)sa)->sin6_addr,
149 sizeof(struct in6_addr), FNV1_32_INIT);
150 return (&V_ipsec6_srchtbl[hval & (IPSEC_HASH_SIZE - 1)]);
151 #endif
152 }
153 return (NULL);
154 }
155
156 /*
157 * ipsec_ioctl_sx protects from concurrent ioctls.
158 */
159 static struct sx ipsec_ioctl_sx;
160 SX_SYSINIT(ipsec_ioctl_sx, &ipsec_ioctl_sx, "ipsec_ioctl");
161
162 static int ipsec_init_reqid(struct ipsec_softc *);
163 static int ipsec_set_tunnel(struct ipsec_softc *, struct sockaddr *,
164 struct sockaddr *, uint32_t);
165 static void ipsec_delete_tunnel(struct ipsec_softc *);
166
167 static int ipsec_set_addresses(struct ifnet *, struct sockaddr *,
168 struct sockaddr *);
169 static int ipsec_set_reqid(struct ipsec_softc *, uint32_t);
170 static void ipsec_set_running(struct ipsec_softc *);
171
172 #ifdef VIMAGE
173 static void ipsec_reassign(struct ifnet *, struct vnet *, char *);
174 #endif
175 static void ipsec_srcaddr(void *, const struct sockaddr *, int);
176 static int ipsec_ioctl(struct ifnet *, u_long, caddr_t);
177 static int ipsec_transmit(struct ifnet *, struct mbuf *);
178 static int ipsec_output(struct ifnet *, struct mbuf *,
179 const struct sockaddr *, struct route *);
180 static void ipsec_qflush(struct ifnet *);
181 static int ipsec_clone_create(struct if_clone *, int, caddr_t);
182 static void ipsec_clone_destroy(struct ifnet *);
183
184 VNET_DEFINE_STATIC(struct if_clone *, ipsec_cloner);
185 #define V_ipsec_cloner VNET(ipsec_cloner)
186
187 static int
188 ipsec_clone_create(struct if_clone *ifc, int unit, caddr_t params)
189 {
190 struct ipsec_softc *sc;
191 struct ifnet *ifp;
192
193 sc = malloc(sizeof(*sc), M_IPSEC, M_WAITOK | M_ZERO);
194 sc->fibnum = curthread->td_proc->p_fibnum;
195 sc->ifp = ifp = if_alloc(IFT_TUNNEL);
196 ifp->if_softc = sc;
197 if_initname(ifp, ipsecname, unit);
198
199 ifp->if_addrlen = 0;
200 ifp->if_mtu = IPSEC_MTU;
201 ifp->if_flags = IFF_POINTOPOINT | IFF_MULTICAST;
202 ifp->if_ioctl = ipsec_ioctl;
203 ifp->if_transmit = ipsec_transmit;
204 ifp->if_qflush = ipsec_qflush;
205 ifp->if_output = ipsec_output;
206 #ifdef VIMAGE
207 ifp->if_reassign = ipsec_reassign;
208 #endif
209 if_attach(ifp);
210 bpfattach(ifp, DLT_NULL, sizeof(uint32_t));
211
212 return (0);
213 }
214
215 #ifdef VIMAGE
216 static void
217 ipsec_reassign(struct ifnet *ifp, struct vnet *new_vnet __unused,
218 char *unused __unused)
219 {
220 struct ipsec_softc *sc;
221
222 sx_xlock(&ipsec_ioctl_sx);
223 sc = ifp->if_softc;
224 if (sc != NULL)
225 ipsec_delete_tunnel(sc);
226 sx_xunlock(&ipsec_ioctl_sx);
227 }
228 #endif /* VIMAGE */
229
230 static void
231 ipsec_clone_destroy(struct ifnet *ifp)
232 {
233 struct ipsec_softc *sc;
234
235 sx_xlock(&ipsec_ioctl_sx);
236 sc = ifp->if_softc;
237 ipsec_delete_tunnel(sc);
238 /*
239 * Delete softc from idhash on interface destroy, since
240 * ipsec_delete_tunnel() keeps reqid unchanged.
241 */
242 if (sc->reqid != 0)
243 CK_LIST_REMOVE(sc, idhash);
244 bpfdetach(ifp);
245 if_detach(ifp);
246 ifp->if_softc = NULL;
247 sx_xunlock(&ipsec_ioctl_sx);
248
249 IPSEC_WAIT();
250 if_free(ifp);
251 free(sc, M_IPSEC);
252 }
253
254 static struct ipsec_iflist *
255 ipsec_hashinit(void)
256 {
257 struct ipsec_iflist *hash;
258 int i;
259
260 hash = malloc(sizeof(struct ipsec_iflist) * IPSEC_HASH_SIZE,
261 M_IPSEC, M_WAITOK);
262 for (i = 0; i < IPSEC_HASH_SIZE; i++)
263 CK_LIST_INIT(&hash[i]);
264
265 return (hash);
266 }
267
268 static void
269 vnet_ipsec_init(const void *unused __unused)
270 {
271
272 V_ipsec_idhtbl = ipsec_hashinit();
273 #ifdef INET
274 V_ipsec4_srchtbl = ipsec_hashinit();
275 if (IS_DEFAULT_VNET(curvnet))
276 ipsec4_srctab = ip_encap_register_srcaddr(ipsec_srcaddr,
277 NULL, M_WAITOK);
278 #endif
279 #ifdef INET6
280 V_ipsec6_srchtbl = ipsec_hashinit();
281 if (IS_DEFAULT_VNET(curvnet))
282 ipsec6_srctab = ip6_encap_register_srcaddr(ipsec_srcaddr,
283 NULL, M_WAITOK);
284 #endif
285 V_ipsec_cloner = if_clone_simple(ipsecname, ipsec_clone_create,
286 ipsec_clone_destroy, 0);
287 }
288 VNET_SYSINIT(vnet_ipsec_init, SI_SUB_PROTO_IFATTACHDOMAIN, SI_ORDER_ANY,
289 vnet_ipsec_init, NULL);
290
291 static void
292 vnet_ipsec_uninit(const void *unused __unused)
293 {
294
295 if_clone_detach(V_ipsec_cloner);
296 free(V_ipsec_idhtbl, M_IPSEC);
297 /*
298 * Use V_ipsec_idhtbl pointer as indicator that VNET is going to be
299 * destroyed, it is used by ipsec_srcaddr() callback.
300 */
301 V_ipsec_idhtbl = NULL;
302 IPSEC_WAIT();
303
304 #ifdef INET
305 if (IS_DEFAULT_VNET(curvnet))
306 ip_encap_unregister_srcaddr(ipsec4_srctab);
307 free(V_ipsec4_srchtbl, M_IPSEC);
308 #endif
309 #ifdef INET6
310 if (IS_DEFAULT_VNET(curvnet))
311 ip6_encap_unregister_srcaddr(ipsec6_srctab);
312 free(V_ipsec6_srchtbl, M_IPSEC);
313 #endif
314 }
315 VNET_SYSUNINIT(vnet_ipsec_uninit, SI_SUB_PROTO_IFATTACHDOMAIN, SI_ORDER_ANY,
316 vnet_ipsec_uninit, NULL);
317
318 static struct secpolicy *
319 ipsec_getpolicy(struct ipsec_softc *sc, int dir, sa_family_t af)
320 {
321
322 switch (af) {
323 #ifdef INET
324 case AF_INET:
325 return (sc->sp[(dir == IPSEC_DIR_INBOUND ? 0: 1)]);
326 #endif
327 #ifdef INET6
328 case AF_INET6:
329 return (sc->sp[(dir == IPSEC_DIR_INBOUND ? 0: 1)
330 #ifdef INET
331 + 2
332 #endif
333 ]);
334 #endif
335 }
336 return (NULL);
337 }
338
339 static struct secasindex *
340 ipsec_getsaidx(struct ipsec_softc *sc, int dir, sa_family_t af)
341 {
342 struct secpolicy *sp;
343
344 sp = ipsec_getpolicy(sc, dir, af);
345 if (sp == NULL)
346 return (NULL);
347 return (&sp->req[0]->saidx);
348 }
349
350 static int
351 ipsec_transmit(struct ifnet *ifp, struct mbuf *m)
352 {
353 IPSEC_RLOCK_TRACKER;
354 struct ipsec_softc *sc;
355 struct secpolicy *sp;
356 struct ip *ip, iph;
357 uint32_t af;
358 int error;
359
360 IPSEC_RLOCK();
361 #ifdef MAC
362 error = mac_ifnet_check_transmit(ifp, m);
363 if (error) {
364 m_freem(m);
365 goto err;
366 }
367 #endif
368 error = ENETDOWN;
369 sc = ifp->if_softc;
370 if ((ifp->if_drv_flags & IFF_DRV_RUNNING) == 0 ||
371 (ifp->if_flags & IFF_MONITOR) != 0 ||
372 (ifp->if_flags & IFF_UP) == 0 || sc->family == 0) {
373 m_freem(m);
374 goto err;
375 }
376
377 /* Determine address family to correctly handle packet in BPF */
378 ip = &iph;
379 m_copydata(m, 0, sizeof(*ip), (char *)ip);
380 switch (ip->ip_v) {
381 #ifdef INET
382 case IPVERSION:
383 af = AF_INET;
384 break;
385 #endif
386 #ifdef INET6
387 case (IPV6_VERSION >> 4):
388 af = AF_INET6;
389 break;
390 #endif
391 default:
392 error = EAFNOSUPPORT;
393 m_freem(m);
394 goto err;
395 }
396
397 /*
398 * Loop prevention.
399 * XXX: for now just check presence of IPSEC_OUT_DONE mbuf tag.
400 * We can read full chain and compare destination address,
401 * proto and mode from xform_history with values from softc.
402 */
403 if (m_tag_find(m, PACKET_TAG_IPSEC_OUT_DONE, NULL) != NULL) {
404 m_freem(m);
405 goto err;
406 }
407
408 sp = ipsec_getpolicy(sc, IPSEC_DIR_OUTBOUND, af);
409 key_addref(sp);
410 M_SETFIB(m, sc->fibnum);
411
412 BPF_MTAP2(ifp, &af, sizeof(af), m);
413 if_inc_counter(ifp, IFCOUNTER_OPACKETS, 1);
414 if_inc_counter(ifp, IFCOUNTER_OBYTES, m->m_pkthdr.len);
415
416 switch (af) {
417 #ifdef INET
418 case AF_INET:
419 error = ipsec4_process_packet(ifp, m, ip, sp, NULL,
420 ifp->if_mtu);
421 break;
422 #endif
423 #ifdef INET6
424 case AF_INET6:
425 error = ipsec6_process_packet(ifp, m, sp, NULL, ifp->if_mtu);
426 break;
427 #endif
428 default:
429 panic("%s: unknown address family\n", __func__);
430 }
431 err:
432 if (error != 0)
433 if_inc_counter(ifp, IFCOUNTER_OERRORS, 1);
434 IPSEC_RUNLOCK();
435 return (error);
436 }
437
438 static void
439 ipsec_qflush(struct ifnet *ifp __unused)
440 {
441
442 }
443
444 static int
445 ipsec_output(struct ifnet *ifp, struct mbuf *m, const struct sockaddr *dst,
446 struct route *ro)
447 {
448
449 return (ifp->if_transmit(ifp, m));
450 }
451
452 int
453 ipsec_if_input(struct mbuf *m, struct secasvar *sav, uint32_t af)
454 {
455 IPSEC_RLOCK_TRACKER;
456 struct secasindex *saidx;
457 struct ipsec_softc *sc;
458 struct ifnet *ifp;
459
460 if (sav->state != SADB_SASTATE_MATURE &&
461 sav->state != SADB_SASTATE_DYING) {
462 m_freem(m);
463 return (ENETDOWN);
464 }
465
466 if (sav->sah->saidx.mode != IPSEC_MODE_TUNNEL ||
467 sav->sah->saidx.proto != IPPROTO_ESP)
468 return (0);
469
470 IPSEC_RLOCK();
471 CK_LIST_FOREACH(sc, ipsec_idhash(sav->sah->saidx.reqid), idhash) {
472 if (sc->family == 0)
473 continue;
474 saidx = ipsec_getsaidx(sc, IPSEC_DIR_INBOUND,
475 sav->sah->saidx.src.sa.sa_family);
476 /* SA's reqid should match reqid in SP */
477 if (saidx == NULL ||
478 sav->sah->saidx.reqid != saidx->reqid)
479 continue;
480 /* SAH's addresses should match tunnel endpoints. */
481 if (key_sockaddrcmp(&sav->sah->saidx.dst.sa,
482 &saidx->dst.sa, 0) != 0)
483 continue;
484 if (key_sockaddrcmp(&sav->sah->saidx.src.sa,
485 &saidx->src.sa, 0) == 0)
486 break;
487 }
488 if (sc == NULL) {
489 IPSEC_RUNLOCK();
490 /* Tunnel was not found. Nothing to do. */
491 return (0);
492 }
493 ifp = sc->ifp;
494 if ((ifp->if_drv_flags & IFF_DRV_RUNNING) == 0 ||
495 (ifp->if_flags & IFF_UP) == 0) {
496 IPSEC_RUNLOCK();
497 m_freem(m);
498 return (ENETDOWN);
499 }
500 /*
501 * We found matching and working tunnel.
502 * Set its ifnet as receiving interface.
503 */
504 m->m_pkthdr.rcvif = ifp;
505
506 m_clrprotoflags(m);
507 M_SETFIB(m, ifp->if_fib);
508 BPF_MTAP2(ifp, &af, sizeof(af), m);
509 if_inc_counter(ifp, IFCOUNTER_IPACKETS, 1);
510 if_inc_counter(ifp, IFCOUNTER_IBYTES, m->m_pkthdr.len);
511 if ((ifp->if_flags & IFF_MONITOR) != 0) {
512 IPSEC_RUNLOCK();
513 m_freem(m);
514 return (ENETDOWN);
515 }
516 IPSEC_RUNLOCK();
517 return (0);
518 }
519
520 static int
521 ipsec_ioctl(struct ifnet *ifp, u_long cmd, caddr_t data)
522 {
523 struct ifreq *ifr = (struct ifreq*)data;
524 struct sockaddr *dst, *src;
525 struct ipsec_softc *sc;
526 struct secasindex *saidx;
527 #ifdef INET
528 struct sockaddr_in *sin = NULL;
529 #endif
530 #ifdef INET6
531 struct sockaddr_in6 *sin6 = NULL;
532 #endif
533 uint32_t reqid;
534 int error;
535
536 switch (cmd) {
537 case SIOCSIFADDR:
538 ifp->if_flags |= IFF_UP;
539 case SIOCADDMULTI:
540 case SIOCDELMULTI:
541 case SIOCGIFMTU:
542 case SIOCSIFFLAGS:
543 return (0);
544 case SIOCSIFMTU:
545 if (ifr->ifr_mtu < IPSEC_MTU_MIN ||
546 ifr->ifr_mtu > IPSEC_MTU_MAX)
547 return (EINVAL);
548 else
549 ifp->if_mtu = ifr->ifr_mtu;
550 return (0);
551 }
552 sx_xlock(&ipsec_ioctl_sx);
553 sc = ifp->if_softc;
554 /* Check that softc is still here */
555 if (sc == NULL) {
556 error = ENXIO;
557 goto bad;
558 }
559 error = 0;
560 switch (cmd) {
561 case SIOCSIFPHYADDR:
562 #ifdef INET6
563 case SIOCSIFPHYADDR_IN6:
564 #endif
565 error = EINVAL;
566 switch (cmd) {
567 #ifdef INET
568 case SIOCSIFPHYADDR:
569 src = (struct sockaddr *)
570 &(((struct in_aliasreq *)data)->ifra_addr);
571 dst = (struct sockaddr *)
572 &(((struct in_aliasreq *)data)->ifra_dstaddr);
573 break;
574 #endif
575 #ifdef INET6
576 case SIOCSIFPHYADDR_IN6:
577 src = (struct sockaddr *)
578 &(((struct in6_aliasreq *)data)->ifra_addr);
579 dst = (struct sockaddr *)
580 &(((struct in6_aliasreq *)data)->ifra_dstaddr);
581 break;
582 #endif
583 default:
584 goto bad;
585 }
586 /* sa_family must be equal */
587 if (src->sa_family != dst->sa_family ||
588 src->sa_len != dst->sa_len)
589 goto bad;
590
591 /* validate sa_len */
592 switch (src->sa_family) {
593 #ifdef INET
594 case AF_INET:
595 if (src->sa_len != sizeof(struct sockaddr_in))
596 goto bad;
597 break;
598 #endif
599 #ifdef INET6
600 case AF_INET6:
601 if (src->sa_len != sizeof(struct sockaddr_in6))
602 goto bad;
603 break;
604 #endif
605 default:
606 error = EAFNOSUPPORT;
607 goto bad;
608 }
609 /* check sa_family looks sane for the cmd */
610 error = EAFNOSUPPORT;
611 switch (cmd) {
612 #ifdef INET
613 case SIOCSIFPHYADDR:
614 if (src->sa_family == AF_INET)
615 break;
616 goto bad;
617 #endif
618 #ifdef INET6
619 case SIOCSIFPHYADDR_IN6:
620 if (src->sa_family == AF_INET6)
621 break;
622 goto bad;
623 #endif
624 }
625 error = EADDRNOTAVAIL;
626 switch (src->sa_family) {
627 #ifdef INET
628 case AF_INET:
629 if (satosin(src)->sin_addr.s_addr == INADDR_ANY ||
630 satosin(dst)->sin_addr.s_addr == INADDR_ANY)
631 goto bad;
632 break;
633 #endif
634 #ifdef INET6
635 case AF_INET6:
636 if (IN6_IS_ADDR_UNSPECIFIED(
637 &satosin6(src)->sin6_addr) ||
638 IN6_IS_ADDR_UNSPECIFIED(
639 &satosin6(dst)->sin6_addr))
640 goto bad;
641 /*
642 * Check validity of the scope zone ID of the
643 * addresses, and convert it into the kernel
644 * internal form if necessary.
645 */
646 error = sa6_embedscope(satosin6(src), 0);
647 if (error != 0)
648 goto bad;
649 error = sa6_embedscope(satosin6(dst), 0);
650 if (error != 0)
651 goto bad;
652 #endif
653 };
654 error = ipsec_set_addresses(ifp, src, dst);
655 break;
656 case SIOCDIFPHYADDR:
657 ipsec_delete_tunnel(sc);
658 break;
659 case SIOCGIFPSRCADDR:
660 case SIOCGIFPDSTADDR:
661 #ifdef INET6
662 case SIOCGIFPSRCADDR_IN6:
663 case SIOCGIFPDSTADDR_IN6:
664 #endif
665 if (sc->family == 0) {
666 error = EADDRNOTAVAIL;
667 break;
668 }
669 saidx = ipsec_getsaidx(sc, IPSEC_DIR_OUTBOUND, sc->family);
670 if (saidx == NULL) {
671 error = ENXIO;
672 break;
673 }
674 switch (cmd) {
675 #ifdef INET
676 case SIOCGIFPSRCADDR:
677 case SIOCGIFPDSTADDR:
678 if (saidx->src.sa.sa_family != AF_INET) {
679 error = EADDRNOTAVAIL;
680 break;
681 }
682 sin = (struct sockaddr_in *)&ifr->ifr_addr;
683 memset(sin, 0, sizeof(*sin));
684 sin->sin_family = AF_INET;
685 sin->sin_len = sizeof(*sin);
686 break;
687 #endif
688 #ifdef INET6
689 case SIOCGIFPSRCADDR_IN6:
690 case SIOCGIFPDSTADDR_IN6:
691 if (saidx->src.sa.sa_family != AF_INET6) {
692 error = EADDRNOTAVAIL;
693 break;
694 }
695 sin6 = (struct sockaddr_in6 *)
696 &(((struct in6_ifreq *)data)->ifr_addr);
697 memset(sin6, 0, sizeof(*sin6));
698 sin6->sin6_family = AF_INET6;
699 sin6->sin6_len = sizeof(*sin6);
700 break;
701 #endif
702 default:
703 error = EAFNOSUPPORT;
704 }
705 if (error == 0) {
706 switch (cmd) {
707 #ifdef INET
708 case SIOCGIFPSRCADDR:
709 sin->sin_addr = saidx->src.sin.sin_addr;
710 break;
711 case SIOCGIFPDSTADDR:
712 sin->sin_addr = saidx->dst.sin.sin_addr;
713 break;
714 #endif
715 #ifdef INET6
716 case SIOCGIFPSRCADDR_IN6:
717 sin6->sin6_addr = saidx->src.sin6.sin6_addr;
718 break;
719 case SIOCGIFPDSTADDR_IN6:
720 sin6->sin6_addr = saidx->dst.sin6.sin6_addr;
721 break;
722 #endif
723 }
724 }
725 if (error != 0)
726 break;
727 switch (cmd) {
728 #ifdef INET
729 case SIOCGIFPSRCADDR:
730 case SIOCGIFPDSTADDR:
731 error = prison_if(curthread->td_ucred,
732 (struct sockaddr *)sin);
733 if (error != 0)
734 memset(sin, 0, sizeof(*sin));
735 break;
736 #endif
737 #ifdef INET6
738 case SIOCGIFPSRCADDR_IN6:
739 case SIOCGIFPDSTADDR_IN6:
740 error = prison_if(curthread->td_ucred,
741 (struct sockaddr *)sin6);
742 if (error == 0)
743 error = sa6_recoverscope(sin6);
744 if (error != 0)
745 memset(sin6, 0, sizeof(*sin6));
746 #endif
747 }
748 break;
749 case SIOCGTUNFIB:
750 ifr->ifr_fib = sc->fibnum;
751 break;
752 case SIOCSTUNFIB:
753 if ((error = priv_check(curthread, PRIV_NET_SETIFFIB)) != 0)
754 break;
755 if (ifr->ifr_fib >= rt_numfibs)
756 error = EINVAL;
757 else
758 sc->fibnum = ifr->ifr_fib;
759 break;
760 case IPSECGREQID:
761 reqid = sc->reqid;
762 error = copyout(&reqid, ifr_data_get_ptr(ifr), sizeof(reqid));
763 break;
764 case IPSECSREQID:
765 if ((error = priv_check(curthread, PRIV_NET_SETIFCAP)) != 0)
766 break;
767 error = copyin(ifr_data_get_ptr(ifr), &reqid, sizeof(reqid));
768 if (error != 0)
769 break;
770 error = ipsec_set_reqid(sc, reqid);
771 break;
772 default:
773 error = EINVAL;
774 break;
775 }
776 bad:
777 sx_xunlock(&ipsec_ioctl_sx);
778 return (error);
779 }
780
781 /*
782 * Check that ingress address belongs to local host.
783 */
784 static void
785 ipsec_set_running(struct ipsec_softc *sc)
786 {
787 struct secasindex *saidx;
788 int localip;
789
790 saidx = ipsec_getsaidx(sc, IPSEC_DIR_OUTBOUND, sc->family);
791 if (saidx == NULL)
792 return;
793 localip = 0;
794 switch (sc->family) {
795 #ifdef INET
796 case AF_INET:
797 localip = in_localip(saidx->src.sin.sin_addr);
798 break;
799 #endif
800 #ifdef INET6
801 case AF_INET6:
802 localip = in6_localip(&saidx->src.sin6.sin6_addr);
803 break;
804 #endif
805 }
806 if (localip != 0)
807 sc->ifp->if_drv_flags |= IFF_DRV_RUNNING;
808 else
809 sc->ifp->if_drv_flags &= ~IFF_DRV_RUNNING;
810 }
811
812 /*
813 * ifaddr_event handler.
814 * Clear IFF_DRV_RUNNING flag when ingress address disappears to prevent
815 * source address spoofing.
816 */
817 static void
818 ipsec_srcaddr(void *arg __unused, const struct sockaddr *sa,
819 int event __unused)
820 {
821 struct ipsec_softc *sc;
822 struct secasindex *saidx;
823 struct ipsec_iflist *iflist;
824
825 /* Check that VNET is ready */
826 if (V_ipsec_idhtbl == NULL)
827 return;
828
829 NET_EPOCH_ASSERT();
830 iflist = ipsec_srchash(sa);
831 if (iflist == NULL)
832 return;
833 CK_LIST_FOREACH(sc, iflist, srchash) {
834 if (sc->family == 0)
835 continue;
836 saidx = ipsec_getsaidx(sc, IPSEC_DIR_OUTBOUND, sa->sa_family);
837 if (saidx == NULL ||
838 key_sockaddrcmp(&saidx->src.sa, sa, 0) != 0)
839 continue;
840 ipsec_set_running(sc);
841 }
842 }
843
844 /*
845 * Allocate new private security policies for tunneling interface.
846 * Each tunneling interface has following security policies for
847 * both AF:
848 * 0.0.0.0/0[any] 0.0.0.0/0[any] -P in \
849 * ipsec esp/tunnel/RemoteIP-LocalIP/unique:reqid
850 * 0.0.0.0/0[any] 0.0.0.0/0[any] -P out \
851 * ipsec esp/tunnel/LocalIP-RemoteIP/unique:reqid
852 */
853 static int
854 ipsec_newpolicies(struct ipsec_softc *sc, struct secpolicy *sp[IPSEC_SPCOUNT],
855 const struct sockaddr *src, const struct sockaddr *dst, uint32_t reqid)
856 {
857 struct ipsecrequest *isr;
858 int i;
859
860 memset(sp, 0, sizeof(struct secpolicy *) * IPSEC_SPCOUNT);
861 for (i = 0; i < IPSEC_SPCOUNT; i++) {
862 if ((sp[i] = key_newsp()) == NULL)
863 goto fail;
864 if ((isr = ipsec_newisr()) == NULL)
865 goto fail;
866
867 sp[i]->policy = IPSEC_POLICY_IPSEC;
868 sp[i]->state = IPSEC_SPSTATE_DEAD;
869 sp[i]->req[sp[i]->tcount++] = isr;
870 sp[i]->created = time_second;
871 /* Use priority field to store if_index */
872 sp[i]->priority = sc->ifp->if_index;
873 isr->level = IPSEC_LEVEL_UNIQUE;
874 isr->saidx.proto = IPPROTO_ESP;
875 isr->saidx.mode = IPSEC_MODE_TUNNEL;
876 isr->saidx.reqid = reqid;
877 if (i % 2 == 0) {
878 sp[i]->spidx.dir = IPSEC_DIR_INBOUND;
879 bcopy(src, &isr->saidx.dst, src->sa_len);
880 bcopy(dst, &isr->saidx.src, dst->sa_len);
881 } else {
882 sp[i]->spidx.dir = IPSEC_DIR_OUTBOUND;
883 bcopy(src, &isr->saidx.src, src->sa_len);
884 bcopy(dst, &isr->saidx.dst, dst->sa_len);
885 }
886 sp[i]->spidx.ul_proto = IPSEC_ULPROTO_ANY;
887 #ifdef INET
888 if (i < 2) {
889 sp[i]->spidx.src.sa.sa_family =
890 sp[i]->spidx.dst.sa.sa_family = AF_INET;
891 sp[i]->spidx.src.sa.sa_len =
892 sp[i]->spidx.dst.sa.sa_len =
893 sizeof(struct sockaddr_in);
894 continue;
895 }
896 #endif
897 #ifdef INET6
898 sp[i]->spidx.src.sa.sa_family =
899 sp[i]->spidx.dst.sa.sa_family = AF_INET6;
900 sp[i]->spidx.src.sa.sa_len =
901 sp[i]->spidx.dst.sa.sa_len = sizeof(struct sockaddr_in6);
902 #endif
903 }
904 return (0);
905 fail:
906 for (i = 0; i < IPSEC_SPCOUNT; i++) {
907 if (sp[i] != NULL)
908 key_freesp(&sp[i]);
909 }
910 return (ENOMEM);
911 }
912
913 static int
914 ipsec_check_reqid(uint32_t reqid)
915 {
916 struct ipsec_softc *sc;
917
918 sx_assert(&ipsec_ioctl_sx, SA_XLOCKED);
919 CK_LIST_FOREACH(sc, ipsec_idhash(reqid), idhash) {
920 if (sc->reqid == reqid)
921 return (EEXIST);
922 }
923 return (0);
924 }
925
926 /*
927 * We use key_newreqid() to automatically obtain unique reqid.
928 * Then we check that given id is unique, i.e. it is not used by
929 * another if_ipsec(4) interface. This macro limits the number of
930 * tries to get unique id.
931 */
932 #define IPSEC_REQID_TRYCNT 64
933 static int
934 ipsec_init_reqid(struct ipsec_softc *sc)
935 {
936 uint32_t reqid;
937 int trycount;
938
939 sx_assert(&ipsec_ioctl_sx, SA_XLOCKED);
940 if (sc->reqid != 0) /* already initialized */
941 return (0);
942
943 trycount = IPSEC_REQID_TRYCNT;
944 while (--trycount > 0) {
945 reqid = key_newreqid();
946 if (ipsec_check_reqid(reqid) == 0)
947 break;
948 }
949 if (trycount == 0)
950 return (EEXIST);
951 sc->reqid = reqid;
952 CK_LIST_INSERT_HEAD(ipsec_idhash(reqid), sc, idhash);
953 return (0);
954 }
955
956 /*
957 * Set or update reqid for given tunneling interface.
958 * When specified reqid is zero, generate new one.
959 * We are protected by ioctl_sx lock from concurrent id generation.
960 * Also softc would not disappear while we hold ioctl_sx lock.
961 */
962 static int
963 ipsec_set_reqid(struct ipsec_softc *sc, uint32_t reqid)
964 {
965 struct secasindex *saidx;
966
967 sx_assert(&ipsec_ioctl_sx, SA_XLOCKED);
968
969 if (sc->reqid == reqid && reqid != 0)
970 return (0);
971
972 if (reqid != 0) {
973 /* Check that specified reqid doesn't exist */
974 if (ipsec_check_reqid(reqid) != 0)
975 return (EEXIST);
976 if (sc->reqid != 0) {
977 CK_LIST_REMOVE(sc, idhash);
978 IPSEC_WAIT();
979 }
980 sc->reqid = reqid;
981 CK_LIST_INSERT_HEAD(ipsec_idhash(reqid), sc, idhash);
982 } else {
983 /* Generate new reqid */
984 if (ipsec_init_reqid(sc) != 0)
985 return (EEXIST);
986 }
987
988 /* Tunnel isn't fully configured, just return. */
989 if (sc->family == 0)
990 return (0);
991
992 saidx = ipsec_getsaidx(sc, IPSEC_DIR_OUTBOUND, sc->family);
993 KASSERT(saidx != NULL,
994 ("saidx is NULL, but family is %d", sc->family));
995 return (ipsec_set_tunnel(sc, &saidx->src.sa, &saidx->dst.sa,
996 sc->reqid));
997 }
998
999 /*
1000 * Set tunnel endpoints addresses.
1001 */
1002 static int
1003 ipsec_set_addresses(struct ifnet *ifp, struct sockaddr *src,
1004 struct sockaddr *dst)
1005 {
1006 struct ipsec_softc *sc;
1007 struct secasindex *saidx;
1008
1009 sx_assert(&ipsec_ioctl_sx, SA_XLOCKED);
1010
1011 sc = ifp->if_softc;
1012 if (sc->family != 0) {
1013 saidx = ipsec_getsaidx(sc, IPSEC_DIR_OUTBOUND,
1014 src->sa_family);
1015 if (saidx != NULL && saidx->reqid == sc->reqid &&
1016 key_sockaddrcmp(&saidx->src.sa, src, 0) == 0 &&
1017 key_sockaddrcmp(&saidx->dst.sa, dst, 0) == 0)
1018 return (0); /* Nothing has been changed. */
1019 }
1020 /* If reqid is not set, generate new one. */
1021 if (ipsec_init_reqid(sc) != 0)
1022 return (EEXIST);
1023 return (ipsec_set_tunnel(sc, src, dst, sc->reqid));
1024 }
1025
1026 static int
1027 ipsec_set_tunnel(struct ipsec_softc *sc, struct sockaddr *src,
1028 struct sockaddr *dst, uint32_t reqid)
1029 {
1030 struct epoch_tracker et;
1031 struct ipsec_iflist *iflist;
1032 struct secpolicy *sp[IPSEC_SPCOUNT];
1033 int i;
1034
1035 sx_assert(&ipsec_ioctl_sx, SA_XLOCKED);
1036
1037 /* Allocate SP with new addresses. */
1038 iflist = ipsec_srchash(src);
1039 if (iflist == NULL) {
1040 sc->ifp->if_drv_flags &= ~IFF_DRV_RUNNING;
1041 return (EAFNOSUPPORT);
1042 }
1043 if (ipsec_newpolicies(sc, sp, src, dst, reqid) == 0) {
1044 /* Add new policies to SPDB */
1045 if (key_register_ifnet(sp, IPSEC_SPCOUNT) != 0) {
1046 for (i = 0; i < IPSEC_SPCOUNT; i++)
1047 key_freesp(&sp[i]);
1048 return (EAGAIN);
1049 }
1050 if (sc->family != 0)
1051 ipsec_delete_tunnel(sc);
1052 for (i = 0; i < IPSEC_SPCOUNT; i++)
1053 sc->sp[i] = sp[i];
1054 sc->family = src->sa_family;
1055 CK_LIST_INSERT_HEAD(iflist, sc, srchash);
1056 } else {
1057 sc->ifp->if_drv_flags &= ~IFF_DRV_RUNNING;
1058 return (ENOMEM);
1059 }
1060 NET_EPOCH_ENTER(et);
1061 ipsec_set_running(sc);
1062 NET_EPOCH_EXIT(et);
1063 return (0);
1064 }
1065
1066 static void
1067 ipsec_delete_tunnel(struct ipsec_softc *sc)
1068 {
1069 int i;
1070
1071 sx_assert(&ipsec_ioctl_sx, SA_XLOCKED);
1072
1073 sc->ifp->if_drv_flags &= ~IFF_DRV_RUNNING;
1074 if (sc->family != 0) {
1075 CK_LIST_REMOVE(sc, srchash);
1076 sc->family = 0;
1077 /*
1078 * Make sure that ipsec_if_input() will not do access
1079 * to softc's policies.
1080 */
1081 IPSEC_WAIT();
1082
1083 key_unregister_ifnet(sc->sp, IPSEC_SPCOUNT);
1084 for (i = 0; i < IPSEC_SPCOUNT; i++)
1085 key_freesp(&sc->sp[i]);
1086 }
1087 }
The FreeBSD Project