CoCalc -- if

GitHub Repository: freebsd/freebsd-src
Path: blob/main/sys/net/if_ipsec.c
³⁹⁴⁷⁵ views
1
/*-
2
 * Copyright (c) 2016-2018 Yandex LLC
3
 * Copyright (c) 2016-2018 Andrey V. Elsukov <[email protected]>
4
 * All rights reserved.
5
 *
6
 * Redistribution and use in source and binary forms, with or without
7
 * modification, are permitted provided that the following conditions
8
 * are met:
9
 *
10
 * 1. Redistributions of source code must retain the above copyright
11
 *    notice, this list of conditions and the following disclaimer.
12
 * 2. Redistributions in binary form must reproduce the above copyright
13
 *    notice, this list of conditions and the following disclaimer in the
14
 *    documentation and/or other materials provided with the distribution.
15
 *
16
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
17
 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
18
 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
19
 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
20
 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
21
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
22
 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
23
 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
24
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
25
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
26
 */
27

28
#include <sys/cdefs.h>
29
#include "opt_inet.h"
30
#include "opt_inet6.h"
31
#include "opt_ipsec.h"
32

33
#include <sys/param.h>
34
#include <sys/systm.h>
35
#include <sys/kernel.h>
36
#include <sys/fnv_hash.h>
37
#include <sys/jail.h>
38
#include <sys/lock.h>
39
#include <sys/malloc.h>
40
#include <sys/mbuf.h>
41
#include <sys/module.h>
42
#include <sys/socket.h>
43
#include <sys/sockio.h>
44
#include <sys/sx.h>
45
#include <sys/errno.h>
46
#include <sys/sysctl.h>
47
#include <sys/priv.h>
48
#include <sys/proc.h>
49
#include <sys/conf.h>
50

51
#include <net/if.h>
52
#include <net/if_var.h>
53
#include <net/if_private.h>
54
#include <net/if_clone.h>
55
#include <net/if_types.h>
56
#include <net/bpf.h>
57
#include <net/route.h>
58
#include <net/vnet.h>
59

60
#include <netinet/in.h>
61
#include <netinet/in_var.h>
62
#include <netinet/ip.h>
63
#include <netinet/ip_encap.h>
64

65
#include <netinet/ip6.h>
66
#include <netinet6/in6_var.h>
67
#include <netinet6/scope6_var.h>
68

69
#include <netipsec/ipsec.h>
70
#ifdef INET6
71
#include <netipsec/ipsec6.h>
72
#endif
73

74
#include <net/if_ipsec.h>
75
#include <netipsec/key.h>
76

77
#include <security/mac/mac_framework.h>
78

79
static MALLOC_DEFINE(M_IPSEC, "ipsec", "IPsec Virtual Tunnel Interface");
80
static const char ipsecname[] = "ipsec";
81

82
#if defined(INET) && defined(INET6)
83
#define	IPSEC_SPCOUNT		4
84
#else
85
#define	IPSEC_SPCOUNT		2
86
#endif
87

88
struct ipsec_softc {
89
	struct ifnet		*ifp;
90
	struct secpolicy	*sp[IPSEC_SPCOUNT];
91
	uint32_t		reqid;
92
	u_int			family;
93
	u_int			fibnum;
94

95
	CK_LIST_ENTRY(ipsec_softc) idhash;
96
	CK_LIST_ENTRY(ipsec_softc) srchash;
97
};
98

99
#define	IPSEC_RLOCK_TRACKER	struct epoch_tracker ipsec_et
100
#define	IPSEC_RLOCK()	epoch_enter_preempt(net_epoch_preempt, &ipsec_et)
101
#define	IPSEC_RUNLOCK()	epoch_exit_preempt(net_epoch_preempt, &ipsec_et)
102
#define	IPSEC_WAIT()	epoch_wait_preempt(net_epoch_preempt)
103

104
#ifndef IPSEC_HASH_SIZE
105
#define	IPSEC_HASH_SIZE	(1 << 5)
106
#endif
107

108
CK_LIST_HEAD(ipsec_iflist, ipsec_softc);
109
VNET_DEFINE_STATIC(struct ipsec_iflist *, ipsec_idhtbl) = NULL;
110
#define	V_ipsec_idhtbl		VNET(ipsec_idhtbl)
111

112
#ifdef INET
113
VNET_DEFINE_STATIC(struct ipsec_iflist *, ipsec4_srchtbl) = NULL;
114
#define	V_ipsec4_srchtbl	VNET(ipsec4_srchtbl)
115
static const struct srcaddrtab *ipsec4_srctab = NULL;
116
#endif
117

118
#ifdef INET6
119
VNET_DEFINE_STATIC(struct ipsec_iflist *, ipsec6_srchtbl) = NULL;
120
#define	V_ipsec6_srchtbl	VNET(ipsec6_srchtbl)
121
static const struct srcaddrtab *ipsec6_srctab = NULL;
122
#endif
123

124
static struct ipsec_iflist *
125
ipsec_idhash(uint32_t id)
126
{
127

128
	return (&V_ipsec_idhtbl[fnv_32_buf(&id, sizeof(id),
129
	    FNV1_32_INIT) & (IPSEC_HASH_SIZE - 1)]);
130
}
131

132
static struct ipsec_iflist *
133
ipsec_srchash(const struct sockaddr *sa)
134
{
135
	uint32_t hval;
136

137
	switch (sa->sa_family) {
138
#ifdef INET
139
	case AF_INET:
140
		hval = fnv_32_buf(
141
		    &((const struct sockaddr_in *)sa)->sin_addr.s_addr,
142
		    sizeof(in_addr_t), FNV1_32_INIT);
143
		return (&V_ipsec4_srchtbl[hval & (IPSEC_HASH_SIZE - 1)]);
144
#endif
145
#ifdef INET6
146
	case AF_INET6:
147
		hval = fnv_32_buf(
148
		    &((const struct sockaddr_in6 *)sa)->sin6_addr,
149
		    sizeof(struct in6_addr), FNV1_32_INIT);
150
		return (&V_ipsec6_srchtbl[hval & (IPSEC_HASH_SIZE - 1)]);
151
#endif
152
	}
153
	return (NULL);
154
}
155

156
/*
157
 * ipsec_ioctl_sx protects from concurrent ioctls.
158
 */
159
static struct sx ipsec_ioctl_sx;
160
SX_SYSINIT(ipsec_ioctl_sx, &ipsec_ioctl_sx, "ipsec_ioctl");
161

162
static int	ipsec_init_reqid(struct ipsec_softc *);
163
static int	ipsec_set_tunnel(struct ipsec_softc *, struct sockaddr *,
164
    struct sockaddr *, uint32_t);
165
static void	ipsec_delete_tunnel(struct ipsec_softc *);
166

167
static int	ipsec_set_addresses(struct ifnet *, struct sockaddr *,
168
    struct sockaddr *);
169
static int	ipsec_set_reqid(struct ipsec_softc *, uint32_t);
170
static void	ipsec_set_running(struct ipsec_softc *);
171

172
#ifdef VIMAGE
173
static void	ipsec_reassign(struct ifnet *, struct vnet *, char *);
174
#endif
175
static void	ipsec_srcaddr(void *, const struct sockaddr *, int);
176
static int	ipsec_ioctl(struct ifnet *, u_long, caddr_t);
177
static int	ipsec_transmit(struct ifnet *, struct mbuf *);
178
static int	ipsec_output(struct ifnet *, struct mbuf *,
179
    const struct sockaddr *, struct route *);
180
static void	ipsec_qflush(struct ifnet *);
181
static int	ipsec_clone_create(struct if_clone *, int, caddr_t);
182
static void	ipsec_clone_destroy(struct ifnet *);
183

184
VNET_DEFINE_STATIC(struct if_clone *, ipsec_cloner);
185
#define	V_ipsec_cloner		VNET(ipsec_cloner)
186

187
static int
188
ipsec_clone_create(struct if_clone *ifc, int unit, caddr_t params)
189
{
190
	struct ipsec_softc *sc;
191
	struct ifnet *ifp;
192

193
	sc = malloc(sizeof(*sc), M_IPSEC, M_WAITOK | M_ZERO);
194
	sc->fibnum = curthread->td_proc->p_fibnum;
195
	sc->ifp = ifp = if_alloc(IFT_TUNNEL);
196
	ifp->if_softc = sc;
197
	if_initname(ifp, ipsecname, unit);
198

199
	ifp->if_addrlen = 0;
200
	ifp->if_mtu = IPSEC_MTU;
201
	ifp->if_flags  = IFF_POINTOPOINT | IFF_MULTICAST;
202
	ifp->if_ioctl  = ipsec_ioctl;
203
	ifp->if_transmit  = ipsec_transmit;
204
	ifp->if_qflush  = ipsec_qflush;
205
	ifp->if_output = ipsec_output;
206
#ifdef VIMAGE
207
	ifp->if_reassign = ipsec_reassign;
208
#endif
209
	if_attach(ifp);
210
	bpfattach(ifp, DLT_NULL, sizeof(uint32_t));
211

212
	return (0);
213
}
214

215
#ifdef VIMAGE
216
static void
217
ipsec_reassign(struct ifnet *ifp, struct vnet *new_vnet __unused,
218
    char *unused __unused)
219
{
220
	struct ipsec_softc *sc;
221

222
	sx_xlock(&ipsec_ioctl_sx);
223
	sc = ifp->if_softc;
224
	if (sc != NULL)
225
		ipsec_delete_tunnel(sc);
226
	sx_xunlock(&ipsec_ioctl_sx);
227
}
228
#endif /* VIMAGE */
229

230
static void
231
ipsec_clone_destroy(struct ifnet *ifp)
232
{
233
	struct ipsec_softc *sc;
234

235
	sx_xlock(&ipsec_ioctl_sx);
236
	sc = ifp->if_softc;
237
	ipsec_delete_tunnel(sc);
238
	/*
239
	 * Delete softc from idhash on interface destroy, since
240
	 * ipsec_delete_tunnel() keeps reqid unchanged.
241
	 */
242
	if (sc->reqid != 0)
243
		CK_LIST_REMOVE(sc, idhash);
244
	bpfdetach(ifp);
245
	if_detach(ifp);
246
	ifp->if_softc = NULL;
247
	sx_xunlock(&ipsec_ioctl_sx);
248

249
	IPSEC_WAIT();
250
	if_free(ifp);
251
	free(sc, M_IPSEC);
252
}
253

254
static struct ipsec_iflist *
255
ipsec_hashinit(void)
256
{
257
	struct ipsec_iflist *hash;
258
	int i;
259

260
	hash = malloc(sizeof(struct ipsec_iflist) * IPSEC_HASH_SIZE,
261
	    M_IPSEC, M_WAITOK);
262
	for (i = 0; i < IPSEC_HASH_SIZE; i++)
263
		CK_LIST_INIT(&hash[i]);
264

265
	return (hash);
266
}
267

268
static void
269
vnet_ipsec_init(const void *unused __unused)
270
{
271

272
	V_ipsec_idhtbl = ipsec_hashinit();
273
#ifdef INET
274
	V_ipsec4_srchtbl = ipsec_hashinit();
275
	if (IS_DEFAULT_VNET(curvnet))
276
		ipsec4_srctab = ip_encap_register_srcaddr(ipsec_srcaddr,
277
		    NULL, M_WAITOK);
278
#endif
279
#ifdef INET6
280
	V_ipsec6_srchtbl = ipsec_hashinit();
281
	if (IS_DEFAULT_VNET(curvnet))
282
		ipsec6_srctab = ip6_encap_register_srcaddr(ipsec_srcaddr,
283
		    NULL, M_WAITOK);
284
#endif
285
	V_ipsec_cloner = if_clone_simple(ipsecname, ipsec_clone_create,
286
	    ipsec_clone_destroy, 0);
287
}
288
VNET_SYSINIT(vnet_ipsec_init, SI_SUB_PROTO_IFATTACHDOMAIN, SI_ORDER_ANY,
289
    vnet_ipsec_init, NULL);
290

291
static void
292
vnet_ipsec_uninit(const void *unused __unused)
293
{
294

295
	if_clone_detach(V_ipsec_cloner);
296
	free(V_ipsec_idhtbl, M_IPSEC);
297
	/*
298
	 * Use V_ipsec_idhtbl pointer as indicator that VNET is going to be
299
	 * destroyed, it is used by ipsec_srcaddr() callback.
300
	 */
301
	V_ipsec_idhtbl = NULL;
302
	IPSEC_WAIT();
303

304
#ifdef INET
305
	if (IS_DEFAULT_VNET(curvnet))
306
		ip_encap_unregister_srcaddr(ipsec4_srctab);
307
	free(V_ipsec4_srchtbl, M_IPSEC);
308
#endif
309
#ifdef INET6
310
	if (IS_DEFAULT_VNET(curvnet))
311
		ip6_encap_unregister_srcaddr(ipsec6_srctab);
312
	free(V_ipsec6_srchtbl, M_IPSEC);
313
#endif
314
}
315
VNET_SYSUNINIT(vnet_ipsec_uninit, SI_SUB_PROTO_IFATTACHDOMAIN, SI_ORDER_ANY,
316
    vnet_ipsec_uninit, NULL);
317

318
static struct secpolicy *
319
ipsec_getpolicy(struct ipsec_softc *sc, int dir, sa_family_t af)
320
{
321

322
	switch (af) {
323
#ifdef INET
324
	case AF_INET:
325
		return (sc->sp[(dir == IPSEC_DIR_INBOUND ? 0: 1)]);
326
#endif
327
#ifdef INET6
328
	case AF_INET6:
329
		return (sc->sp[(dir == IPSEC_DIR_INBOUND ? 0: 1)
330
#ifdef INET
331
			+ 2
332
#endif
333
		]);
334
#endif
335
	}
336
	return (NULL);
337
}
338

339
static struct secasindex *
340
ipsec_getsaidx(struct ipsec_softc *sc, int dir, sa_family_t af)
341
{
342
	struct secpolicy *sp;
343

344
	sp = ipsec_getpolicy(sc, dir, af);
345
	if (sp == NULL)
346
		return (NULL);
347
	return (&sp->req[0]->saidx);
348
}
349

350
static int
351
ipsec_transmit(struct ifnet *ifp, struct mbuf *m)
352
{
353
	IPSEC_RLOCK_TRACKER;
354
	struct ipsec_softc *sc;
355
	struct secpolicy *sp;
356
	struct ip *ip, iph;
357
	uint32_t af;
358
	int error;
359

360
	IPSEC_RLOCK();
361
#ifdef MAC
362
	error = mac_ifnet_check_transmit(ifp, m);
363
	if (error) {
364
		m_freem(m);
365
		goto err;
366
	}
367
#endif
368
	error = ENETDOWN;
369
	sc = ifp->if_softc;
370
	if ((ifp->if_drv_flags & IFF_DRV_RUNNING) == 0 ||
371
	    (ifp->if_flags & IFF_MONITOR) != 0 ||
372
	    (ifp->if_flags & IFF_UP) == 0 || sc->family == 0) {
373
		m_freem(m);
374
		goto err;
375
	}
376

377
	/* Determine address family to correctly handle packet in BPF */
378
	ip = &iph;
379
	m_copydata(m, 0, sizeof(*ip), (char *)ip);
380
	switch (ip->ip_v) {
381
#ifdef INET
382
	case IPVERSION:
383
		af = AF_INET;
384
		break;
385
#endif
386
#ifdef INET6
387
	case (IPV6_VERSION >> 4):
388
		af = AF_INET6;
389
		break;
390
#endif
391
	default:
392
		error = EAFNOSUPPORT;
393
		m_freem(m);
394
		goto err;
395
	}
396

397
	/*
398
	 * Loop prevention.
399
	 * XXX: for now just check presence of IPSEC_OUT_DONE mbuf tag.
400
	 *      We can read full chain and compare destination address,
401
	 *      proto and mode from xform_history with values from softc.
402
	 */
403
	if (m_tag_find(m, PACKET_TAG_IPSEC_OUT_DONE, NULL) != NULL) {
404
		m_freem(m);
405
		goto err;
406
	}
407

408
	sp = ipsec_getpolicy(sc, IPSEC_DIR_OUTBOUND, af);
409
	key_addref(sp);
410
	M_SETFIB(m, sc->fibnum);
411

412
	BPF_MTAP2(ifp, &af, sizeof(af), m);
413
	if_inc_counter(ifp, IFCOUNTER_OPACKETS, 1);
414
	if_inc_counter(ifp, IFCOUNTER_OBYTES, m->m_pkthdr.len);
415

416
	switch (af) {
417
#ifdef INET
418
	case AF_INET:
419
		error = ipsec4_process_packet(ifp, m, ip, sp, NULL,
420
		    ifp->if_mtu);
421
		break;
422
#endif
423
#ifdef INET6
424
	case AF_INET6:
425
		error = ipsec6_process_packet(ifp, m, sp, NULL, ifp->if_mtu);
426
		break;
427
#endif
428
	default:
429
		panic("%s: unknown address family\n", __func__);
430
	}
431
err:
432
	if (error != 0)
433
		if_inc_counter(ifp, IFCOUNTER_OERRORS, 1);
434
	IPSEC_RUNLOCK();
435
	return (error);
436
}
437

438
static void
439
ipsec_qflush(struct ifnet *ifp __unused)
440
{
441

442
}
443

444
static int
445
ipsec_output(struct ifnet *ifp, struct mbuf *m, const struct sockaddr *dst,
446
	struct route *ro)
447
{
448

449
	return (ifp->if_transmit(ifp, m));
450
}
451

452
int
453
ipsec_if_input(struct mbuf *m, struct secasvar *sav, uint32_t af)
454
{
455
	IPSEC_RLOCK_TRACKER;
456
	struct secasindex *saidx;
457
	struct ipsec_softc *sc;
458
	struct ifnet *ifp;
459

460
	if (sav->state != SADB_SASTATE_MATURE &&
461
	    sav->state != SADB_SASTATE_DYING) {
462
		m_freem(m);
463
		return (ENETDOWN);
464
	}
465

466
	if (sav->sah->saidx.mode != IPSEC_MODE_TUNNEL ||
467
	    sav->sah->saidx.proto != IPPROTO_ESP)
468
		return (0);
469

470
	IPSEC_RLOCK();
471
	CK_LIST_FOREACH(sc, ipsec_idhash(sav->sah->saidx.reqid), idhash) {
472
		if (sc->family == 0)
473
			continue;
474
		saidx = ipsec_getsaidx(sc, IPSEC_DIR_INBOUND,
475
		    sav->sah->saidx.src.sa.sa_family);
476
		/* SA's reqid should match reqid in SP */
477
		if (saidx == NULL ||
478
		    sav->sah->saidx.reqid != saidx->reqid)
479
			continue;
480
		/* SAH's addresses should match tunnel endpoints. */
481
		if (key_sockaddrcmp(&sav->sah->saidx.dst.sa,
482
		    &saidx->dst.sa, 0) != 0)
483
			continue;
484
		if (key_sockaddrcmp(&sav->sah->saidx.src.sa,
485
		    &saidx->src.sa, 0) == 0)
486
			break;
487
	}
488
	if (sc == NULL) {
489
		IPSEC_RUNLOCK();
490
		/* Tunnel was not found. Nothing to do. */
491
		return (0);
492
	}
493
	ifp = sc->ifp;
494
	if ((ifp->if_drv_flags & IFF_DRV_RUNNING) == 0 ||
495
	    (ifp->if_flags & IFF_UP) == 0) {
496
		IPSEC_RUNLOCK();
497
		m_freem(m);
498
		return (ENETDOWN);
499
	}
500
	/*
501
	 * We found matching and working tunnel.
502
	 * Set its ifnet as receiving interface.
503
	 */
504
	m->m_pkthdr.rcvif = ifp;
505

506
	m_clrprotoflags(m);
507
	M_SETFIB(m, ifp->if_fib);
508
	BPF_MTAP2(ifp, &af, sizeof(af), m);
509
	if_inc_counter(ifp, IFCOUNTER_IPACKETS, 1);
510
	if_inc_counter(ifp, IFCOUNTER_IBYTES, m->m_pkthdr.len);
511
	if ((ifp->if_flags & IFF_MONITOR) != 0) {
512
		IPSEC_RUNLOCK();
513
		m_freem(m);
514
		return (ENETDOWN);
515
	}
516
	IPSEC_RUNLOCK();
517
	return (0);
518
}
519

520
static int
521
ipsec_ioctl(struct ifnet *ifp, u_long cmd, caddr_t data)
522
{
523
	struct ifreq *ifr = (struct ifreq*)data;
524
	struct sockaddr *dst, *src;
525
	struct ipsec_softc *sc;
526
	struct secasindex *saidx;
527
#ifdef INET
528
	struct sockaddr_in *sin = NULL;
529
#endif
530
#ifdef INET6
531
	struct sockaddr_in6 *sin6 = NULL;
532
#endif
533
	uint32_t reqid;
534
	int error;
535

536
	switch (cmd) {
537
	case SIOCSIFADDR:
538
		ifp->if_flags |= IFF_UP;
539
	case SIOCADDMULTI:
540
	case SIOCDELMULTI:
541
	case SIOCGIFMTU:
542
	case SIOCSIFFLAGS:
543
		return (0);
544
	case SIOCSIFMTU:
545
		if (ifr->ifr_mtu < IPSEC_MTU_MIN ||
546
		    ifr->ifr_mtu > IPSEC_MTU_MAX)
547
			return (EINVAL);
548
		else
549
			ifp->if_mtu = ifr->ifr_mtu;
550
		return (0);
551
	}
552
	sx_xlock(&ipsec_ioctl_sx);
553
	sc = ifp->if_softc;
554
	/* Check that softc is still here */
555
	if (sc == NULL) {
556
		error = ENXIO;
557
		goto bad;
558
	}
559
	error = 0;
560
	switch (cmd) {
561
	case SIOCSIFPHYADDR:
562
#ifdef INET6
563
	case SIOCSIFPHYADDR_IN6:
564
#endif
565
		error = EINVAL;
566
		switch (cmd) {
567
#ifdef INET
568
		case SIOCSIFPHYADDR:
569
			src = (struct sockaddr *)
570
				&(((struct in_aliasreq *)data)->ifra_addr);
571
			dst = (struct sockaddr *)
572
				&(((struct in_aliasreq *)data)->ifra_dstaddr);
573
			break;
574
#endif
575
#ifdef INET6
576
		case SIOCSIFPHYADDR_IN6:
577
			src = (struct sockaddr *)
578
				&(((struct in6_aliasreq *)data)->ifra_addr);
579
			dst = (struct sockaddr *)
580
				&(((struct in6_aliasreq *)data)->ifra_dstaddr);
581
			break;
582
#endif
583
		default:
584
			goto bad;
585
		}
586
		/* sa_family must be equal */
587
		if (src->sa_family != dst->sa_family ||
588
		    src->sa_len != dst->sa_len)
589
			goto bad;
590

591
		/* validate sa_len */
592
		switch (src->sa_family) {
593
#ifdef INET
594
		case AF_INET:
595
			if (src->sa_len != sizeof(struct sockaddr_in))
596
				goto bad;
597
			break;
598
#endif
599
#ifdef INET6
600
		case AF_INET6:
601
			if (src->sa_len != sizeof(struct sockaddr_in6))
602
				goto bad;
603
			break;
604
#endif
605
		default:
606
			error = EAFNOSUPPORT;
607
			goto bad;
608
		}
609
		/* check sa_family looks sane for the cmd */
610
		error = EAFNOSUPPORT;
611
		switch (cmd) {
612
#ifdef INET
613
		case SIOCSIFPHYADDR:
614
			if (src->sa_family == AF_INET)
615
				break;
616
			goto bad;
617
#endif
618
#ifdef INET6
619
		case SIOCSIFPHYADDR_IN6:
620
			if (src->sa_family == AF_INET6)
621
				break;
622
			goto bad;
623
#endif
624
		}
625
		error = EADDRNOTAVAIL;
626
		switch (src->sa_family) {
627
#ifdef INET
628
		case AF_INET:
629
			if (satosin(src)->sin_addr.s_addr == INADDR_ANY ||
630
			    satosin(dst)->sin_addr.s_addr == INADDR_ANY)
631
				goto bad;
632
			break;
633
#endif
634
#ifdef INET6
635
		case AF_INET6:
636
			if (IN6_IS_ADDR_UNSPECIFIED(
637
			    &satosin6(src)->sin6_addr) ||
638
			    IN6_IS_ADDR_UNSPECIFIED(
639
			    &satosin6(dst)->sin6_addr))
640
				goto bad;
641
			/*
642
			 * Check validity of the scope zone ID of the
643
			 * addresses, and convert it into the kernel
644
			 * internal form if necessary.
645
			 */
646
			error = sa6_embedscope(satosin6(src), 0);
647
			if (error != 0)
648
				goto bad;
649
			error = sa6_embedscope(satosin6(dst), 0);
650
			if (error != 0)
651
				goto bad;
652
#endif
653
		};
654
		error = ipsec_set_addresses(ifp, src, dst);
655
		break;
656
	case SIOCDIFPHYADDR:
657
		ipsec_delete_tunnel(sc);
658
		break;
659
	case SIOCGIFPSRCADDR:
660
	case SIOCGIFPDSTADDR:
661
#ifdef INET6
662
	case SIOCGIFPSRCADDR_IN6:
663
	case SIOCGIFPDSTADDR_IN6:
664
#endif
665
		if (sc->family == 0) {
666
			error = EADDRNOTAVAIL;
667
			break;
668
		}
669
		saidx = ipsec_getsaidx(sc, IPSEC_DIR_OUTBOUND, sc->family);
670
		if (saidx == NULL) {
671
			error = ENXIO;
672
			break;
673
		}
674
		switch (cmd) {
675
#ifdef INET
676
		case SIOCGIFPSRCADDR:
677
		case SIOCGIFPDSTADDR:
678
			if (saidx->src.sa.sa_family != AF_INET) {
679
				error = EADDRNOTAVAIL;
680
				break;
681
			}
682
			sin = (struct sockaddr_in *)&ifr->ifr_addr;
683
			memset(sin, 0, sizeof(*sin));
684
			sin->sin_family = AF_INET;
685
			sin->sin_len = sizeof(*sin);
686
			break;
687
#endif
688
#ifdef INET6
689
		case SIOCGIFPSRCADDR_IN6:
690
		case SIOCGIFPDSTADDR_IN6:
691
			if (saidx->src.sa.sa_family != AF_INET6) {
692
				error = EADDRNOTAVAIL;
693
				break;
694
			}
695
			sin6 = (struct sockaddr_in6 *)
696
				&(((struct in6_ifreq *)data)->ifr_addr);
697
			memset(sin6, 0, sizeof(*sin6));
698
			sin6->sin6_family = AF_INET6;
699
			sin6->sin6_len = sizeof(*sin6);
700
			break;
701
#endif
702
		default:
703
			error = EAFNOSUPPORT;
704
		}
705
		if (error == 0) {
706
			switch (cmd) {
707
#ifdef INET
708
			case SIOCGIFPSRCADDR:
709
				sin->sin_addr = saidx->src.sin.sin_addr;
710
				break;
711
			case SIOCGIFPDSTADDR:
712
				sin->sin_addr = saidx->dst.sin.sin_addr;
713
				break;
714
#endif
715
#ifdef INET6
716
			case SIOCGIFPSRCADDR_IN6:
717
				sin6->sin6_addr = saidx->src.sin6.sin6_addr;
718
				break;
719
			case SIOCGIFPDSTADDR_IN6:
720
				sin6->sin6_addr = saidx->dst.sin6.sin6_addr;
721
				break;
722
#endif
723
			}
724
		}
725
		if (error != 0)
726
			break;
727
		switch (cmd) {
728
#ifdef INET
729
		case SIOCGIFPSRCADDR:
730
		case SIOCGIFPDSTADDR:
731
			error = prison_if(curthread->td_ucred,
732
			    (struct sockaddr *)sin);
733
			if (error != 0)
734
				memset(sin, 0, sizeof(*sin));
735
			break;
736
#endif
737
#ifdef INET6
738
		case SIOCGIFPSRCADDR_IN6:
739
		case SIOCGIFPDSTADDR_IN6:
740
			error = prison_if(curthread->td_ucred,
741
			    (struct sockaddr *)sin6);
742
			if (error == 0)
743
				error = sa6_recoverscope(sin6);
744
			if (error != 0)
745
				memset(sin6, 0, sizeof(*sin6));
746
#endif
747
		}
748
		break;
749
	case SIOCGTUNFIB:
750
		ifr->ifr_fib = sc->fibnum;
751
		break;
752
	case SIOCSTUNFIB:
753
		if ((error = priv_check(curthread, PRIV_NET_SETIFFIB)) != 0)
754
			break;
755
		if (ifr->ifr_fib >= rt_numfibs)
756
			error = EINVAL;
757
		else
758
			sc->fibnum = ifr->ifr_fib;
759
		break;
760
	case IPSECGREQID:
761
		reqid = sc->reqid;
762
		error = copyout(&reqid, ifr_data_get_ptr(ifr), sizeof(reqid));
763
		break;
764
	case IPSECSREQID:
765
		if ((error = priv_check(curthread, PRIV_NET_SETIFCAP)) != 0)
766
			break;
767
		error = copyin(ifr_data_get_ptr(ifr), &reqid, sizeof(reqid));
768
		if (error != 0)
769
			break;
770
		error = ipsec_set_reqid(sc, reqid);
771
		break;
772
	default:
773
		error = EINVAL;
774
		break;
775
	}
776
bad:
777
	sx_xunlock(&ipsec_ioctl_sx);
778
	return (error);
779
}
780

781
/*
782
 * Check that ingress address belongs to local host.
783
 */
784
static void
785
ipsec_set_running(struct ipsec_softc *sc)
786
{
787
	struct secasindex *saidx;
788
	int localip;
789

790
	saidx = ipsec_getsaidx(sc, IPSEC_DIR_OUTBOUND, sc->family);
791
	if (saidx == NULL)
792
		return;
793
	localip = 0;
794
	switch (sc->family) {
795
#ifdef INET
796
	case AF_INET:
797
		localip = in_localip(saidx->src.sin.sin_addr);
798
		break;
799
#endif
800
#ifdef INET6
801
	case AF_INET6:
802
		localip = in6_localip(&saidx->src.sin6.sin6_addr);
803
		break;
804
#endif
805
	}
806
	if (localip != 0)
807
		sc->ifp->if_drv_flags |= IFF_DRV_RUNNING;
808
	else
809
		sc->ifp->if_drv_flags &= ~IFF_DRV_RUNNING;
810
}
811

812
/*
813
 * ifaddr_event handler.
814
 * Clear IFF_DRV_RUNNING flag when ingress address disappears to prevent
815
 * source address spoofing.
816
 */
817
static void
818
ipsec_srcaddr(void *arg __unused, const struct sockaddr *sa,
819
    int event __unused)
820
{
821
	struct ipsec_softc *sc;
822
	struct secasindex *saidx;
823
	struct ipsec_iflist *iflist;
824

825
	/* Check that VNET is ready */
826
	if (V_ipsec_idhtbl == NULL)
827
		return;
828

829
	NET_EPOCH_ASSERT();
830
	iflist = ipsec_srchash(sa);
831
	if (iflist == NULL)
832
		return;
833
	CK_LIST_FOREACH(sc, iflist, srchash) {
834
		if (sc->family == 0)
835
			continue;
836
		saidx = ipsec_getsaidx(sc, IPSEC_DIR_OUTBOUND, sa->sa_family);
837
		if (saidx == NULL ||
838
		    key_sockaddrcmp(&saidx->src.sa, sa, 0) != 0)
839
			continue;
840
		ipsec_set_running(sc);
841
	}
842
}
843

844
/*
845
 * Allocate new private security policies for tunneling interface.
846
 * Each tunneling interface has following security policies for
847
 * both AF:
848
 *   0.0.0.0/0[any] 0.0.0.0/0[any] -P in \
849
 *	ipsec esp/tunnel/RemoteIP-LocalIP/unique:reqid
850
 *   0.0.0.0/0[any] 0.0.0.0/0[any] -P out \
851
 *	ipsec esp/tunnel/LocalIP-RemoteIP/unique:reqid
852
 */
853
static int
854
ipsec_newpolicies(struct ipsec_softc *sc, struct secpolicy *sp[IPSEC_SPCOUNT],
855
    const struct sockaddr *src, const struct sockaddr *dst, uint32_t reqid)
856
{
857
	struct ipsecrequest *isr;
858
	int i;
859

860
	memset(sp, 0, sizeof(struct secpolicy *) * IPSEC_SPCOUNT);
861
	for (i = 0; i < IPSEC_SPCOUNT; i++) {
862
		if ((sp[i] = key_newsp()) == NULL)
863
			goto fail;
864
		if ((isr = ipsec_newisr()) == NULL)
865
			goto fail;
866

867
		sp[i]->policy = IPSEC_POLICY_IPSEC;
868
		sp[i]->state = IPSEC_SPSTATE_DEAD;
869
		sp[i]->req[sp[i]->tcount++] = isr;
870
		sp[i]->created = time_second;
871
		/* Use priority field to store if_index */
872
		sp[i]->priority = sc->ifp->if_index;
873
		isr->level = IPSEC_LEVEL_UNIQUE;
874
		isr->saidx.proto = IPPROTO_ESP;
875
		isr->saidx.mode = IPSEC_MODE_TUNNEL;
876
		isr->saidx.reqid = reqid;
877
		if (i % 2 == 0) {
878
			sp[i]->spidx.dir = IPSEC_DIR_INBOUND;
879
			bcopy(src, &isr->saidx.dst, src->sa_len);
880
			bcopy(dst, &isr->saidx.src, dst->sa_len);
881
		} else {
882
			sp[i]->spidx.dir = IPSEC_DIR_OUTBOUND;
883
			bcopy(src, &isr->saidx.src, src->sa_len);
884
			bcopy(dst, &isr->saidx.dst, dst->sa_len);
885
		}
886
		sp[i]->spidx.ul_proto = IPSEC_ULPROTO_ANY;
887
#ifdef INET
888
		if (i < 2) {
889
			sp[i]->spidx.src.sa.sa_family =
890
			    sp[i]->spidx.dst.sa.sa_family = AF_INET;
891
			sp[i]->spidx.src.sa.sa_len =
892
			    sp[i]->spidx.dst.sa.sa_len =
893
			    sizeof(struct sockaddr_in);
894
			continue;
895
		}
896
#endif
897
#ifdef INET6
898
		sp[i]->spidx.src.sa.sa_family =
899
		    sp[i]->spidx.dst.sa.sa_family = AF_INET6;
900
		sp[i]->spidx.src.sa.sa_len =
901
		    sp[i]->spidx.dst.sa.sa_len = sizeof(struct sockaddr_in6);
902
#endif
903
	}
904
	return (0);
905
fail:
906
	for (i = 0; i < IPSEC_SPCOUNT; i++) {
907
		if (sp[i] != NULL)
908
			key_freesp(&sp[i]);
909
	}
910
	return (ENOMEM);
911
}
912

913
static int
914
ipsec_check_reqid(uint32_t reqid)
915
{
916
	struct ipsec_softc *sc;
917

918
	sx_assert(&ipsec_ioctl_sx, SA_XLOCKED);
919
	CK_LIST_FOREACH(sc, ipsec_idhash(reqid), idhash) {
920
		if (sc->reqid == reqid)
921
			return (EEXIST);
922
	}
923
	return (0);
924
}
925

926
/*
927
 * We use key_newreqid() to automatically obtain unique reqid.
928
 * Then we check that given id is unique, i.e. it is not used by
929
 * another if_ipsec(4) interface. This macro limits the number of
930
 * tries to get unique id.
931
 */
932
#define	IPSEC_REQID_TRYCNT	64
933
static int
934
ipsec_init_reqid(struct ipsec_softc *sc)
935
{
936
	uint32_t reqid;
937
	int trycount;
938

939
	sx_assert(&ipsec_ioctl_sx, SA_XLOCKED);
940
	if (sc->reqid != 0) /* already initialized */
941
		return (0);
942

943
	trycount = IPSEC_REQID_TRYCNT;
944
	while (--trycount > 0) {
945
		reqid = key_newreqid();
946
		if (ipsec_check_reqid(reqid) == 0)
947
			break;
948
	}
949
	if (trycount == 0)
950
		return (EEXIST);
951
	sc->reqid = reqid;
952
	CK_LIST_INSERT_HEAD(ipsec_idhash(reqid), sc, idhash);
953
	return (0);
954
}
955

956
/*
957
 * Set or update reqid for given tunneling interface.
958
 * When specified reqid is zero, generate new one.
959
 * We are protected by ioctl_sx lock from concurrent id generation.
960
 * Also softc would not disappear while we hold ioctl_sx lock.
961
 */
962
static int
963
ipsec_set_reqid(struct ipsec_softc *sc, uint32_t reqid)
964
{
965
	struct secasindex *saidx;
966

967
	sx_assert(&ipsec_ioctl_sx, SA_XLOCKED);
968

969
	if (sc->reqid == reqid && reqid != 0)
970
		return (0);
971

972
	if (reqid != 0) {
973
		/* Check that specified reqid doesn't exist */
974
		if (ipsec_check_reqid(reqid) != 0)
975
			return (EEXIST);
976
		if (sc->reqid != 0) {
977
			CK_LIST_REMOVE(sc, idhash);
978
			IPSEC_WAIT();
979
		}
980
		sc->reqid = reqid;
981
		CK_LIST_INSERT_HEAD(ipsec_idhash(reqid), sc, idhash);
982
	} else {
983
		/* Generate new reqid */
984
		if (ipsec_init_reqid(sc) != 0)
985
			return (EEXIST);
986
	}
987

988
	/* Tunnel isn't fully configured, just return. */
989
	if (sc->family == 0)
990
		return (0);
991

992
	saidx = ipsec_getsaidx(sc, IPSEC_DIR_OUTBOUND, sc->family);
993
	KASSERT(saidx != NULL,
994
	    ("saidx is NULL, but family is %d", sc->family));
995
	return (ipsec_set_tunnel(sc, &saidx->src.sa, &saidx->dst.sa,
996
	    sc->reqid));
997
}
998

999
/*
1000
 * Set tunnel endpoints addresses.
1001
 */
1002
static int
1003
ipsec_set_addresses(struct ifnet *ifp, struct sockaddr *src,
1004
    struct sockaddr *dst)
1005
{
1006
	struct ipsec_softc *sc;
1007
	struct secasindex *saidx;
1008

1009
	sx_assert(&ipsec_ioctl_sx, SA_XLOCKED);
1010

1011
	sc = ifp->if_softc;
1012
	if (sc->family != 0) {
1013
		saidx = ipsec_getsaidx(sc, IPSEC_DIR_OUTBOUND,
1014
		    src->sa_family);
1015
		if (saidx != NULL && saidx->reqid == sc->reqid &&
1016
		    key_sockaddrcmp(&saidx->src.sa, src, 0) == 0 &&
1017
		    key_sockaddrcmp(&saidx->dst.sa, dst, 0) == 0)
1018
			return (0); /* Nothing has been changed. */
1019
	}
1020
	/* If reqid is not set, generate new one. */
1021
	if (ipsec_init_reqid(sc) != 0)
1022
		return (EEXIST);
1023
	return (ipsec_set_tunnel(sc, src, dst, sc->reqid));
1024
}
1025

1026
static int
1027
ipsec_set_tunnel(struct ipsec_softc *sc, struct sockaddr *src,
1028
    struct sockaddr *dst, uint32_t reqid)
1029
{
1030
	struct epoch_tracker et;
1031
	struct ipsec_iflist *iflist;
1032
	struct secpolicy *sp[IPSEC_SPCOUNT];
1033
	int i;
1034

1035
	sx_assert(&ipsec_ioctl_sx, SA_XLOCKED);
1036

1037
	/* Allocate SP with new addresses. */
1038
	iflist = ipsec_srchash(src);
1039
	if (iflist == NULL) {
1040
		sc->ifp->if_drv_flags &= ~IFF_DRV_RUNNING;
1041
		return (EAFNOSUPPORT);
1042
	}
1043
	if (ipsec_newpolicies(sc, sp, src, dst, reqid) == 0) {
1044
		/* Add new policies to SPDB */
1045
		if (key_register_ifnet(sp, IPSEC_SPCOUNT) != 0) {
1046
			for (i = 0; i < IPSEC_SPCOUNT; i++)
1047
				key_freesp(&sp[i]);
1048
			return (EAGAIN);
1049
		}
1050
		if (sc->family != 0)
1051
			ipsec_delete_tunnel(sc);
1052
		for (i = 0; i < IPSEC_SPCOUNT; i++)
1053
			sc->sp[i] = sp[i];
1054
		sc->family = src->sa_family;
1055
		CK_LIST_INSERT_HEAD(iflist, sc, srchash);
1056
	} else {
1057
		sc->ifp->if_drv_flags &= ~IFF_DRV_RUNNING;
1058
		return (ENOMEM);
1059
	}
1060
	NET_EPOCH_ENTER(et);
1061
	ipsec_set_running(sc);
1062
	NET_EPOCH_EXIT(et);
1063
	return (0);
1064
}
1065

1066
static void
1067
ipsec_delete_tunnel(struct ipsec_softc *sc)
1068
{
1069
	int i;
1070

1071
	sx_assert(&ipsec_ioctl_sx, SA_XLOCKED);
1072

1073
	sc->ifp->if_drv_flags &= ~IFF_DRV_RUNNING;
1074
	if (sc->family != 0) {
1075
		CK_LIST_REMOVE(sc, srchash);
1076
		sc->family = 0;
1077
		/*
1078
		 * Make sure that ipsec_if_input() will not do access
1079
		 * to softc's policies.
1080
		 */
1081
		IPSEC_WAIT();
1082

1083
		key_unregister_ifnet(sc->sp, IPSEC_SPCOUNT);
1084
		for (i = 0; i < IPSEC_SPCOUNT; i++)
1085
			key_freesp(&sc->sp[i]);
1086
	}
1087
}
1088

1089
Product

Resources

Company
