1
/*-
2
 * Copyright (c) 2016-2018 Yandex LLC
3
 * Copyright (c) 2016-2018 Andrey V. Elsukov <[email protected]>
4
 * All rights reserved.
5
 *
6
 * Redistribution and use in source and binary forms, with or without
7
 * modification, are permitted provided that the following conditions
8
 * are met:
9
 *
10
 * 1. Redistributions of source code must retain the above copyright
11
 *    notice, this list of conditions and the following disclaimer.
12
 * 2. Redistributions in binary form must reproduce the above copyright
13
 *    notice, this list of conditions and the following disclaimer in the
14
 *    documentation and/or other materials provided with the distribution.
15
 *
16
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
17
 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
18
 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
19
 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
20
 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
21
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
22
 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
23
 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
24
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
25
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
26
 */
27

28
#include <sys/cdefs.h>
29
#include "opt_inet.h"
30
#include "opt_inet6.h"
31
#include "opt_ipsec.h"
32

33
#include <sys/param.h>
34
#include <sys/systm.h>
35
#include <sys/kernel.h>
36
#include <sys/fnv_hash.h>
37
#include <sys/jail.h>
38
#include <sys/lock.h>
39
#include <sys/malloc.h>
40
#include <sys/mbuf.h>
41
#include <sys/module.h>
42
#include <sys/socket.h>
43
#include <sys/sockio.h>
44
#include <sys/sx.h>
45
#include <sys/errno.h>
46
#include <sys/sysctl.h>
47
#include <sys/priv.h>
48
#include <sys/proc.h>
49
#include <sys/conf.h>
50

51
#include <net/if.h>
52
#include <net/if_var.h>
53
#include <net/if_private.h>
54
#include <net/if_clone.h>
55
#include <net/if_types.h>
56
#include <net/bpf.h>
57
#include <net/route.h>
58
#include <net/vnet.h>
59

60
#include <netinet/in.h>
61
#include <netinet/in_var.h>
62
#include <netinet/ip.h>
63
#include <netinet/ip_encap.h>
64

65
#include <netinet/ip6.h>
66
#include <netinet6/in6_var.h>
67
#include <netinet6/scope6_var.h>
68

69
#include <netipsec/ipsec.h>
70
#ifdef INET6
71
#include <netipsec/ipsec6.h>
72
#endif
73

74
#include <net/if_ipsec.h>
75
#include <netipsec/key.h>
76

77
#include <security/mac/mac_framework.h>
78

79
static MALLOC_DEFINE(M_IPSEC, "ipsec", "IPsec Virtual Tunnel Interface");
80
static const char ipsecname[] = "ipsec";
81

82
#if defined(INET) && defined(INET6)
83
#define	IPSEC_SPCOUNT		4
84
#else
85
#define	IPSEC_SPCOUNT		2
86
#endif
87

88
struct ipsec_softc {
89
	struct ifnet		*ifp;
90
	struct secpolicy	*sp[IPSEC_SPCOUNT];
91
	uint32_t		reqid;
92
	u_int			family;
93
	u_int			fibnum;
94

95
	CK_LIST_ENTRY(ipsec_softc) idhash;
96
	CK_LIST_ENTRY(ipsec_softc) srchash;
97
};
98

99
#define	IPSEC_RLOCK_TRACKER	struct epoch_tracker ipsec_et
100
#define	IPSEC_RLOCK()	epoch_enter_preempt(net_epoch_preempt, &ipsec_et)
101
#define	IPSEC_RUNLOCK()	epoch_exit_preempt(net_epoch_preempt, &ipsec_et)
102
#define	IPSEC_WAIT()	epoch_wait_preempt(net_epoch_preempt)
103

104
#ifndef IPSEC_HASH_SIZE
105
#define	IPSEC_HASH_SIZE	(1 << 5)
106
#endif
107

108
CK_LIST_HEAD(ipsec_iflist, ipsec_softc);
109
VNET_DEFINE_STATIC(struct ipsec_iflist *, ipsec_idhtbl) = NULL;
110
#define	V_ipsec_idhtbl		VNET(ipsec_idhtbl)
111

112
#ifdef INET
113
VNET_DEFINE_STATIC(struct ipsec_iflist *, ipsec4_srchtbl) = NULL;
114
#define	V_ipsec4_srchtbl	VNET(ipsec4_srchtbl)
115
static const struct srcaddrtab *ipsec4_srctab = NULL;
116
#endif
117

118
#ifdef INET6
119
VNET_DEFINE_STATIC(struct ipsec_iflist *, ipsec6_srchtbl) = NULL;
120
#define	V_ipsec6_srchtbl	VNET(ipsec6_srchtbl)
121
static const struct srcaddrtab *ipsec6_srctab = NULL;
122
#endif
123

124
static struct ipsec_iflist *
125
ipsec_idhash(uint32_t id)
126
{
127

128
	return (&V_ipsec_idhtbl[fnv_32_buf(&id, sizeof(id),
129
	    FNV1_32_INIT) & (IPSEC_HASH_SIZE - 1)]);
130
}
131

132
static struct ipsec_iflist *
133
ipsec_srchash(const struct sockaddr *sa)
134
{
135
	uint32_t hval;
136

137
	switch (sa->sa_family) {
138
#ifdef INET
139
	case AF_INET:
140
		hval = fnv_32_buf(
141
		    &((const struct sockaddr_in *)sa)->sin_addr.s_addr,
142
		    sizeof(in_addr_t), FNV1_32_INIT);
143
		return (&V_ipsec4_srchtbl[hval & (IPSEC_HASH_SIZE - 1)]);
144
#endif
145
#ifdef INET6
146
	case AF_INET6:
147
		hval = fnv_32_buf(
148
		    &((const struct sockaddr_in6 *)sa)->sin6_addr,
149
		    sizeof(struct in6_addr), FNV1_32_INIT);
150
		return (&V_ipsec6_srchtbl[hval & (IPSEC_HASH_SIZE - 1)]);
151
#endif
152
	}
153
	return (NULL);
154
}
155

156
/*
157
 * ipsec_ioctl_sx protects from concurrent ioctls.
158
 */
159
static struct sx ipsec_ioctl_sx;
160
SX_SYSINIT(ipsec_ioctl_sx, &ipsec_ioctl_sx, "ipsec_ioctl");
161

162
static int	ipsec_init_reqid(struct ipsec_softc *);
163
static int	ipsec_set_tunnel(struct ipsec_softc *, struct sockaddr *,
164
    struct sockaddr *, uint32_t);
165
static void	ipsec_delete_tunnel(struct ipsec_softc *);
166

167
static int	ipsec_set_addresses(struct ifnet *, struct sockaddr *,
168
    struct sockaddr *);
169
static int	ipsec_set_reqid(struct ipsec_softc *, uint32_t);
170
static void	ipsec_set_running(struct ipsec_softc *);
171

172
#ifdef VIMAGE
173
static void	ipsec_reassign(struct ifnet *, struct vnet *, char *);
174
#endif
175
static void	ipsec_srcaddr(void *, const struct sockaddr *, int);
176
static int	ipsec_ioctl(struct ifnet *, u_long, caddr_t);
177
static int	ipsec_transmit(struct ifnet *, struct mbuf *);
178
static int	ipsec_output(struct ifnet *, struct mbuf *,
179
    const struct sockaddr *, struct route *);
180
static void	ipsec_qflush(struct ifnet *);
181
static int	ipsec_clone_create(struct if_clone *, int, caddr_t);
182
static void	ipsec_clone_destroy(struct ifnet *);
183

184
VNET_DEFINE_STATIC(struct if_clone *, ipsec_cloner);
185
#define	V_ipsec_cloner		VNET(ipsec_cloner)
186

187
static int
188
ipsec_clone_create(struct if_clone *ifc, int unit, caddr_t params)
189
{
190
	struct ipsec_softc *sc;
191
	struct ifnet *ifp;
192

193
	sc = malloc(sizeof(*sc), M_IPSEC, M_WAITOK | M_ZERO);
194
	sc->fibnum = curthread->td_proc->p_fibnum;
195
	sc->ifp = ifp = if_alloc(IFT_TUNNEL);
196
	ifp->if_softc = sc;
197
	if_initname(ifp, ipsecname, unit);
198

199
	ifp->if_addrlen = 0;
200
	ifp->if_mtu = IPSEC_MTU;
201
	ifp->if_flags  = IFF_POINTOPOINT | IFF_MULTICAST;
202
	ifp->if_ioctl  = ipsec_ioctl;
203
	ifp->if_transmit  = ipsec_transmit;
204
	ifp->if_qflush  = ipsec_qflush;
205
	ifp->if_output = ipsec_output;
206
#ifdef VIMAGE
207
	ifp->if_reassign = ipsec_reassign;
208
#endif
209
	if_attach(ifp);
210
	bpfattach(ifp, DLT_NULL, sizeof(uint32_t));
211

212
	return (0);
213
}
214

215
#ifdef VIMAGE
216
static void
217
ipsec_reassign(struct ifnet *ifp, struct vnet *new_vnet __unused,
218
    char *unused __unused)
219
{
220
	struct ipsec_softc *sc;
221

222
	sx_xlock(&ipsec_ioctl_sx);
223
	sc = ifp->if_softc;
224
	if (sc != NULL)
225
		ipsec_delete_tunnel(sc);
226
	sx_xunlock(&ipsec_ioctl_sx);
227
}
228
#endif /* VIMAGE */
229

230
static void
231
ipsec_clone_destroy(struct ifnet *ifp)
232
{
233
	struct ipsec_softc *sc;
234

235
	sx_xlock(&ipsec_ioctl_sx);
236
	sc = ifp->if_softc;
237
	ipsec_delete_tunnel(sc);
238
	/*
239
	 * Delete softc from idhash on interface destroy, since
240
	 * ipsec_delete_tunnel() keeps reqid unchanged.
241
	 */
242
	if (sc->reqid != 0)
243
		CK_LIST_REMOVE(sc, idhash);
244
	bpfdetach(ifp);
245
	if_detach(ifp);
246
	ifp->if_softc = NULL;
247
	sx_xunlock(&ipsec_ioctl_sx);
248

249
	IPSEC_WAIT();
250
	if_free(ifp);
251
	free(sc, M_IPSEC);
252
}
253

254
static struct ipsec_iflist *
255
ipsec_hashinit(void)
256
{
257
	struct ipsec_iflist *hash;
258
	int i;
259

260
	hash = malloc(sizeof(struct ipsec_iflist) * IPSEC_HASH_SIZE,
261
	    M_IPSEC, M_WAITOK);
262
	for (i = 0; i < IPSEC_HASH_SIZE; i++)
263
		CK_LIST_INIT(&hash[i]);
264

265
	return (hash);
266
}
267

268
static void
269
vnet_ipsec_init(const void *unused __unused)
270
{
271

272
	V_ipsec_idhtbl = ipsec_hashinit();
273
#ifdef INET
274
	V_ipsec4_srchtbl = ipsec_hashinit();
275
	if (IS_DEFAULT_VNET(curvnet))
276
		ipsec4_srctab = ip_encap_register_srcaddr(ipsec_srcaddr,
277
		    NULL, M_WAITOK);
278
#endif
279
#ifdef INET6
280
	V_ipsec6_srchtbl = ipsec_hashinit();
281
	if (IS_DEFAULT_VNET(curvnet))
282
		ipsec6_srctab = ip6_encap_register_srcaddr(ipsec_srcaddr,
283
		    NULL, M_WAITOK);
284
#endif
285
	V_ipsec_cloner = if_clone_simple(ipsecname, ipsec_clone_create,
286
	    ipsec_clone_destroy, 0);
287
}
288
VNET_SYSINIT(vnet_ipsec_init, SI_SUB_PROTO_IFATTACHDOMAIN, SI_ORDER_ANY,
289
    vnet_ipsec_init, NULL);
290

291
static void
292
vnet_ipsec_uninit(const void *unused __unused)
293
{
294

295
	if_clone_detach(V_ipsec_cloner);
296
	free(V_ipsec_idhtbl, M_IPSEC);
297
	/*
298
	 * Use V_ipsec_idhtbl pointer as indicator that VNET is going to be
299
	 * destroyed, it is used by ipsec_srcaddr() callback.
300
	 */
301
	V_ipsec_idhtbl = NULL;
302
	IPSEC_WAIT();
303

304
#ifdef INET
305
	if (IS_DEFAULT_VNET(curvnet))
306
		ip_encap_unregister_srcaddr(ipsec4_srctab);
307
	free(V_ipsec4_srchtbl, M_IPSEC);
308
#endif
309
#ifdef INET6
310
	if (IS_DEFAULT_VNET(curvnet))
311
		ip6_encap_unregister_srcaddr(ipsec6_srctab);
312
	free(V_ipsec6_srchtbl, M_IPSEC);
313
#endif
314
}
315
VNET_SYSUNINIT(vnet_ipsec_uninit, SI_SUB_PROTO_IFATTACHDOMAIN, SI_ORDER_ANY,
316
    vnet_ipsec_uninit, NULL);
317

318
static struct secpolicy *
319
ipsec_getpolicy(struct ipsec_softc *sc, int dir, sa_family_t af)
320
{
321

322
	switch (af) {
323
#ifdef INET
324
	case AF_INET:
325
		return (sc->sp[(dir == IPSEC_DIR_INBOUND ? 0: 1)]);
326
#endif
327
#ifdef INET6
328
	case AF_INET6:
329
		return (sc->sp[(dir == IPSEC_DIR_INBOUND ? 0: 1)
330
#ifdef INET
331
			+ 2
332
#endif
333
		]);
334
#endif
335
	}
336
	return (NULL);
337
}
338

339
static struct secasindex *
340
ipsec_getsaidx(struct ipsec_softc *sc, int dir, sa_family_t af)
341
{
342
	struct secpolicy *sp;
343

344
	sp = ipsec_getpolicy(sc, dir, af);
345
	if (sp == NULL)
346
		return (NULL);
347
	return (&sp->req[0]->saidx);
348
}
349

350
static int
351
ipsec_transmit(struct ifnet *ifp, struct mbuf *m)
352
{
353
	IPSEC_RLOCK_TRACKER;
354
	struct ipsec_softc *sc;
355
	struct secpolicy *sp;
356
	struct ip *ip, iph;
357
	uint32_t af;
358
	int error;
359

360
	IPSEC_RLOCK();
361
#ifdef MAC
362
	error = mac_ifnet_check_transmit(ifp, m);
363
	if (error) {
364
		m_freem(m);
365
		goto err;
366
	}
367
#endif
368
	error = ENETDOWN;
369
	sc = ifp->if_softc;
370
	if ((ifp->if_drv_flags & IFF_DRV_RUNNING) == 0 ||
371
	    (ifp->if_flags & IFF_MONITOR) != 0 ||
372
	    (ifp->if_flags & IFF_UP) == 0 || sc->family == 0) {
373
		m_freem(m);
374
		goto err;
375
	}
376

377
	/* Determine address family to correctly handle packet in BPF */
378
	ip = &iph;
379
	m_copydata(m, 0, sizeof(*ip), (char *)ip);
380
	switch (ip->ip_v) {
381
#ifdef INET
382
	case IPVERSION:
383
		af = AF_INET;
384
		break;
385
#endif
386
#ifdef INET6
387
	case (IPV6_VERSION >> 4):
388
		af = AF_INET6;
389
		break;
390
#endif
391
	default:
392
		error = EAFNOSUPPORT;
393
		m_freem(m);
394
		goto err;
395
	}
396

397
	/*
398
	 * Loop prevention.
399
	 * XXX: for now just check presence of IPSEC_OUT_DONE mbuf tag.
400
	 *      We can read full chain and compare destination address,
401
	 *      proto and mode from xform_history with values from softc.
402
	 */
403
	if (m_tag_find(m, PACKET_TAG_IPSEC_OUT_DONE, NULL) != NULL) {
404
		m_freem(m);
405
		goto err;
406
	}
407

408
	sp = ipsec_getpolicy(sc, IPSEC_DIR_OUTBOUND, af);
409
	key_addref(sp);
410
	M_SETFIB(m, sc->fibnum);
411

412
	BPF_MTAP2(ifp, &af, sizeof(af), m);
413
	if_inc_counter(ifp, IFCOUNTER_OPACKETS, 1);
414
	if_inc_counter(ifp, IFCOUNTER_OBYTES, m->m_pkthdr.len);
415

416
	switch (af) {
417
#ifdef INET
418
	case AF_INET:
419
		error = ipsec4_process_packet(ifp, m, ip, sp, NULL,
420
		    ifp->if_mtu);
421
		break;
422
#endif
423
#ifdef INET6
424
	case AF_INET6:
425
		error = ipsec6_process_packet(ifp, m, sp, NULL, ifp->if_mtu);
426
		break;
427
#endif
428
	default:
429
		panic("%s: unknown address family\n", __func__);
430
	}
431
err:
432
	if (error != 0)
433
		if_inc_counter(ifp, IFCOUNTER_OERRORS, 1);
434
	IPSEC_RUNLOCK();
435
	return (error);
436
}
437

438
static void
439
ipsec_qflush(struct ifnet *ifp __unused)
440
{
441

442
}
443

444
static int
445
ipsec_output(struct ifnet *ifp, struct mbuf *m, const struct sockaddr *dst,
446
	struct route *ro)
447
{
448

449
	return (ifp->if_transmit(ifp, m));
450
}
451

452
int
453
ipsec_if_input(struct mbuf *m, struct secasvar *sav, uint32_t af,
454
    struct rm_priotracker *sahtree_tracker)
455
{
456
	IPSEC_RLOCK_TRACKER;
457
	struct secasindex *saidx;
458
	struct ipsec_softc *sc;
459
	struct ifnet *ifp;
460

461
	if (sav->state != SADB_SASTATE_MATURE &&
462
	    sav->state != SADB_SASTATE_DYING) {
463
		ipsec_sahtree_runlock(sahtree_tracker);
464
		m_freem(m);
465
		return (ENETDOWN);
466
	}
467

468
	if (sav->sah->saidx.mode != IPSEC_MODE_TUNNEL ||
469
	    sav->sah->saidx.proto != IPPROTO_ESP) {
470
		ipsec_sahtree_runlock(sahtree_tracker);
471
		return (0);
472
	}
473

474
	IPSEC_RLOCK();
475
	CK_LIST_FOREACH(sc, ipsec_idhash(sav->sah->saidx.reqid), idhash) {
476
		if (sc->family == 0)
477
			continue;
478
		saidx = ipsec_getsaidx(sc, IPSEC_DIR_INBOUND,
479
		    sav->sah->saidx.src.sa.sa_family);
480
		/* SA's reqid should match reqid in SP */
481
		if (saidx == NULL ||
482
		    sav->sah->saidx.reqid != saidx->reqid)
483
			continue;
484
		/* SAH's addresses should match tunnel endpoints. */
485
		if (key_sockaddrcmp(&sav->sah->saidx.dst.sa,
486
		    &saidx->dst.sa, 0) != 0)
487
			continue;
488
		if (key_sockaddrcmp(&sav->sah->saidx.src.sa,
489
		    &saidx->src.sa, 0) == 0)
490
			break;
491
	}
492
	if (sc == NULL) {
493
		IPSEC_RUNLOCK();
494
		ipsec_sahtree_runlock(sahtree_tracker);
495
		/* Tunnel was not found. Nothing to do. */
496
		return (0);
497
	}
498
	ifp = sc->ifp;
499
	if ((ifp->if_drv_flags & IFF_DRV_RUNNING) == 0 ||
500
	    (ifp->if_flags & IFF_UP) == 0) {
501
		IPSEC_RUNLOCK();
502
		ipsec_sahtree_runlock(sahtree_tracker);
503
		m_freem(m);
504
		return (ENETDOWN);
505
	}
506
	/*
507
	 * We found matching and working tunnel.
508
	 * Set its ifnet as receiving interface.
509
	 */
510
	m->m_pkthdr.rcvif = ifp;
511

512
	ipsec_sahtree_runlock(sahtree_tracker);
513

514
	m_clrprotoflags(m);
515
	M_SETFIB(m, ifp->if_fib);
516
	BPF_MTAP2(ifp, &af, sizeof(af), m);
517
	if_inc_counter(ifp, IFCOUNTER_IPACKETS, 1);
518
	if_inc_counter(ifp, IFCOUNTER_IBYTES, m->m_pkthdr.len);
519
	if ((ifp->if_flags & IFF_MONITOR) != 0) {
520
		IPSEC_RUNLOCK();
521
		m_freem(m);
522
		return (ENETDOWN);
523
	}
524
	IPSEC_RUNLOCK();
525
	return (0);
526
}
527

528
static int
529
ipsec_ioctl(struct ifnet *ifp, u_long cmd, caddr_t data)
530
{
531
	struct ifreq *ifr = (struct ifreq*)data;
532
	struct sockaddr *dst, *src;
533
	struct ipsec_softc *sc;
534
	struct secasindex *saidx;
535
#ifdef INET
536
	struct sockaddr_in *sin = NULL;
537
#endif
538
#ifdef INET6
539
	struct sockaddr_in6 *sin6 = NULL;
540
#endif
541
	uint32_t reqid;
542
	int error;
543

544
	switch (cmd) {
545
	case SIOCSIFADDR:
546
		ifp->if_flags |= IFF_UP;
547
	case SIOCADDMULTI:
548
	case SIOCDELMULTI:
549
	case SIOCGIFMTU:
550
	case SIOCSIFFLAGS:
551
		return (0);
552
	case SIOCSIFMTU:
553
		if (ifr->ifr_mtu < IPSEC_MTU_MIN ||
554
		    ifr->ifr_mtu > IPSEC_MTU_MAX)
555
			return (EINVAL);
556
		else
557
			ifp->if_mtu = ifr->ifr_mtu;
558
		return (0);
559
	}
560
	sx_xlock(&ipsec_ioctl_sx);
561
	sc = ifp->if_softc;
562
	/* Check that softc is still here */
563
	if (sc == NULL) {
564
		error = ENXIO;
565
		goto bad;
566
	}
567
	error = 0;
568
	switch (cmd) {
569
	case SIOCSIFPHYADDR:
570
#ifdef INET6
571
	case SIOCSIFPHYADDR_IN6:
572
#endif
573
		error = EINVAL;
574
		switch (cmd) {
575
#ifdef INET
576
		case SIOCSIFPHYADDR:
577
			src = (struct sockaddr *)
578
				&(((struct in_aliasreq *)data)->ifra_addr);
579
			dst = (struct sockaddr *)
580
				&(((struct in_aliasreq *)data)->ifra_dstaddr);
581
			break;
582
#endif
583
#ifdef INET6
584
		case SIOCSIFPHYADDR_IN6:
585
			src = (struct sockaddr *)
586
				&(((struct in6_aliasreq *)data)->ifra_addr);
587
			dst = (struct sockaddr *)
588
				&(((struct in6_aliasreq *)data)->ifra_dstaddr);
589
			break;
590
#endif
591
		default:
592
			goto bad;
593
		}
594
		/* sa_family must be equal */
595
		if (src->sa_family != dst->sa_family ||
596
		    src->sa_len != dst->sa_len)
597
			goto bad;
598

599
		/* validate sa_len */
600
		switch (src->sa_family) {
601
#ifdef INET
602
		case AF_INET:
603
			if (src->sa_len != sizeof(struct sockaddr_in))
604
				goto bad;
605
			break;
606
#endif
607
#ifdef INET6
608
		case AF_INET6:
609
			if (src->sa_len != sizeof(struct sockaddr_in6))
610
				goto bad;
611
			break;
612
#endif
613
		default:
614
			error = EAFNOSUPPORT;
615
			goto bad;
616
		}
617
		/* check sa_family looks sane for the cmd */
618
		error = EAFNOSUPPORT;
619
		switch (cmd) {
620
#ifdef INET
621
		case SIOCSIFPHYADDR:
622
			if (src->sa_family == AF_INET)
623
				break;
624
			goto bad;
625
#endif
626
#ifdef INET6
627
		case SIOCSIFPHYADDR_IN6:
628
			if (src->sa_family == AF_INET6)
629
				break;
630
			goto bad;
631
#endif
632
		}
633
		error = EADDRNOTAVAIL;
634
		switch (src->sa_family) {
635
#ifdef INET
636
		case AF_INET:
637
			if (satosin(src)->sin_addr.s_addr == INADDR_ANY ||
638
			    satosin(dst)->sin_addr.s_addr == INADDR_ANY)
639
				goto bad;
640
			break;
641
#endif
642
#ifdef INET6
643
		case AF_INET6:
644
			if (IN6_IS_ADDR_UNSPECIFIED(
645
			    &satosin6(src)->sin6_addr) ||
646
			    IN6_IS_ADDR_UNSPECIFIED(
647
			    &satosin6(dst)->sin6_addr))
648
				goto bad;
649
			/*
650
			 * Check validity of the scope zone ID of the
651
			 * addresses, and convert it into the kernel
652
			 * internal form if necessary.
653
			 */
654
			error = sa6_embedscope(satosin6(src), 0);
655
			if (error != 0)
656
				goto bad;
657
			error = sa6_embedscope(satosin6(dst), 0);
658
			if (error != 0)
659
				goto bad;
660
#endif
661
		};
662
		error = ipsec_set_addresses(ifp, src, dst);
663
		break;
664
	case SIOCDIFPHYADDR:
665
		ipsec_delete_tunnel(sc);
666
		break;
667
	case SIOCGIFPSRCADDR:
668
	case SIOCGIFPDSTADDR:
669
#ifdef INET6
670
	case SIOCGIFPSRCADDR_IN6:
671
	case SIOCGIFPDSTADDR_IN6:
672
#endif
673
		if (sc->family == 0) {
674
			error = EADDRNOTAVAIL;
675
			break;
676
		}
677
		saidx = ipsec_getsaidx(sc, IPSEC_DIR_OUTBOUND, sc->family);
678
		if (saidx == NULL) {
679
			error = ENXIO;
680
			break;
681
		}
682
		switch (cmd) {
683
#ifdef INET
684
		case SIOCGIFPSRCADDR:
685
		case SIOCGIFPDSTADDR:
686
			if (saidx->src.sa.sa_family != AF_INET) {
687
				error = EADDRNOTAVAIL;
688
				break;
689
			}
690
			sin = (struct sockaddr_in *)&ifr->ifr_addr;
691
			memset(sin, 0, sizeof(*sin));
692
			sin->sin_family = AF_INET;
693
			sin->sin_len = sizeof(*sin);
694
			break;
695
#endif
696
#ifdef INET6
697
		case SIOCGIFPSRCADDR_IN6:
698
		case SIOCGIFPDSTADDR_IN6:
699
			if (saidx->src.sa.sa_family != AF_INET6) {
700
				error = EADDRNOTAVAIL;
701
				break;
702
			}
703
			sin6 = (struct sockaddr_in6 *)
704
				&(((struct in6_ifreq *)data)->ifr_addr);
705
			memset(sin6, 0, sizeof(*sin6));
706
			sin6->sin6_family = AF_INET6;
707
			sin6->sin6_len = sizeof(*sin6);
708
			break;
709
#endif
710
		default:
711
			error = EAFNOSUPPORT;
712
		}
713
		if (error == 0) {
714
			switch (cmd) {
715
#ifdef INET
716
			case SIOCGIFPSRCADDR:
717
				sin->sin_addr = saidx->src.sin.sin_addr;
718
				break;
719
			case SIOCGIFPDSTADDR:
720
				sin->sin_addr = saidx->dst.sin.sin_addr;
721
				break;
722
#endif
723
#ifdef INET6
724
			case SIOCGIFPSRCADDR_IN6:
725
				sin6->sin6_addr = saidx->src.sin6.sin6_addr;
726
				break;
727
			case SIOCGIFPDSTADDR_IN6:
728
				sin6->sin6_addr = saidx->dst.sin6.sin6_addr;
729
				break;
730
#endif
731
			}
732
		}
733
		if (error != 0)
734
			break;
735
		switch (cmd) {
736
#ifdef INET
737
		case SIOCGIFPSRCADDR:
738
		case SIOCGIFPDSTADDR:
739
			error = prison_if(curthread->td_ucred,
740
			    (struct sockaddr *)sin);
741
			if (error != 0)
742
				memset(sin, 0, sizeof(*sin));
743
			break;
744
#endif
745
#ifdef INET6
746
		case SIOCGIFPSRCADDR_IN6:
747
		case SIOCGIFPDSTADDR_IN6:
748
			error = prison_if(curthread->td_ucred,
749
			    (struct sockaddr *)sin6);
750
			if (error == 0)
751
				error = sa6_recoverscope(sin6);
752
			if (error != 0)
753
				memset(sin6, 0, sizeof(*sin6));
754
#endif
755
		}
756
		break;
757
	case SIOCGTUNFIB:
758
		ifr->ifr_fib = sc->fibnum;
759
		break;
760
	case SIOCSTUNFIB:
761
		if ((error = priv_check(curthread, PRIV_NET_SETIFFIB)) != 0)
762
			break;
763
		if (ifr->ifr_fib >= rt_numfibs)
764
			error = EINVAL;
765
		else
766
			sc->fibnum = ifr->ifr_fib;
767
		break;
768
	case IPSECGREQID:
769
		reqid = sc->reqid;
770
		error = copyout(&reqid, ifr_data_get_ptr(ifr), sizeof(reqid));
771
		break;
772
	case IPSECSREQID:
773
		if ((error = priv_check(curthread, PRIV_NET_SETIFCAP)) != 0)
774
			break;
775
		error = copyin(ifr_data_get_ptr(ifr), &reqid, sizeof(reqid));
776
		if (error != 0)
777
			break;
778
		error = ipsec_set_reqid(sc, reqid);
779
		break;
780
	default:
781
		error = EINVAL;
782
		break;
783
	}
784
bad:
785
	sx_xunlock(&ipsec_ioctl_sx);
786
	return (error);
787
}
788

789
/*
790
 * Check that ingress address belongs to local host.
791
 */
792
static void
793
ipsec_set_running(struct ipsec_softc *sc)
794
{
795
	struct secasindex *saidx;
796
	int localip;
797

798
	saidx = ipsec_getsaidx(sc, IPSEC_DIR_OUTBOUND, sc->family);
799
	if (saidx == NULL)
800
		return;
801
	localip = 0;
802
	switch (sc->family) {
803
#ifdef INET
804
	case AF_INET:
805
		localip = in_localip(saidx->src.sin.sin_addr);
806
		break;
807
#endif
808
#ifdef INET6
809
	case AF_INET6:
810
		localip = in6_localip(&saidx->src.sin6.sin6_addr);
811
		break;
812
#endif
813
	}
814
	if (localip != 0)
815
		sc->ifp->if_drv_flags |= IFF_DRV_RUNNING;
816
	else
817
		sc->ifp->if_drv_flags &= ~IFF_DRV_RUNNING;
818
}
819

820
/*
821
 * ifaddr_event handler.
822
 * Clear IFF_DRV_RUNNING flag when ingress address disappears to prevent
823
 * source address spoofing.
824
 */
825
static void
826
ipsec_srcaddr(void *arg __unused, const struct sockaddr *sa,
827
    int event __unused)
828
{
829
	struct ipsec_softc *sc;
830
	struct secasindex *saidx;
831
	struct ipsec_iflist *iflist;
832

833
	/* Check that VNET is ready */
834
	if (V_ipsec_idhtbl == NULL)
835
		return;
836

837
	NET_EPOCH_ASSERT();
838
	iflist = ipsec_srchash(sa);
839
	if (iflist == NULL)
840
		return;
841
	CK_LIST_FOREACH(sc, iflist, srchash) {
842
		if (sc->family == 0)
843
			continue;
844
		saidx = ipsec_getsaidx(sc, IPSEC_DIR_OUTBOUND, sa->sa_family);
845
		if (saidx == NULL ||
846
		    key_sockaddrcmp(&saidx->src.sa, sa, 0) != 0)
847
			continue;
848
		ipsec_set_running(sc);
849
	}
850
}
851

852
/*
853
 * Allocate new private security policies for tunneling interface.
854
 * Each tunneling interface has following security policies for
855
 * both AF:
856
 *   0.0.0.0/0[any] 0.0.0.0/0[any] -P in \
857
 *	ipsec esp/tunnel/RemoteIP-LocalIP/unique:reqid
858
 *   0.0.0.0/0[any] 0.0.0.0/0[any] -P out \
859
 *	ipsec esp/tunnel/LocalIP-RemoteIP/unique:reqid
860
 */
861
static int
862
ipsec_newpolicies(struct ipsec_softc *sc, struct secpolicy *sp[IPSEC_SPCOUNT],
863
    const struct sockaddr *src, const struct sockaddr *dst, uint32_t reqid)
864
{
865
	struct ipsecrequest *isr;
866
	int i;
867

868
	memset(sp, 0, sizeof(struct secpolicy *) * IPSEC_SPCOUNT);
869
	for (i = 0; i < IPSEC_SPCOUNT; i++) {
870
		if ((sp[i] = key_newsp()) == NULL)
871
			goto fail;
872
		if ((isr = ipsec_newisr()) == NULL)
873
			goto fail;
874

875
		sp[i]->policy = IPSEC_POLICY_IPSEC;
876
		sp[i]->state = IPSEC_SPSTATE_DEAD;
877
		sp[i]->req[sp[i]->tcount++] = isr;
878
		sp[i]->created = time_second;
879
		/* Use priority field to store if_index */
880
		sp[i]->priority = sc->ifp->if_index;
881
		isr->level = IPSEC_LEVEL_UNIQUE;
882
		isr->saidx.proto = IPPROTO_ESP;
883
		isr->saidx.mode = IPSEC_MODE_TUNNEL;
884
		isr->saidx.reqid = reqid;
885
		if (i % 2 == 0) {
886
			sp[i]->spidx.dir = IPSEC_DIR_INBOUND;
887
			bcopy(src, &isr->saidx.dst, src->sa_len);
888
			bcopy(dst, &isr->saidx.src, dst->sa_len);
889
		} else {
890
			sp[i]->spidx.dir = IPSEC_DIR_OUTBOUND;
891
			bcopy(src, &isr->saidx.src, src->sa_len);
892
			bcopy(dst, &isr->saidx.dst, dst->sa_len);
893
		}
894
		sp[i]->spidx.ul_proto = IPSEC_ULPROTO_ANY;
895
#ifdef INET
896
		if (i < 2) {
897
			sp[i]->spidx.src.sa.sa_family =
898
			    sp[i]->spidx.dst.sa.sa_family = AF_INET;
899
			sp[i]->spidx.src.sa.sa_len =
900
			    sp[i]->spidx.dst.sa.sa_len =
901
			    sizeof(struct sockaddr_in);
902
			continue;
903
		}
904
#endif
905
#ifdef INET6
906
		sp[i]->spidx.src.sa.sa_family =
907
		    sp[i]->spidx.dst.sa.sa_family = AF_INET6;
908
		sp[i]->spidx.src.sa.sa_len =
909
		    sp[i]->spidx.dst.sa.sa_len = sizeof(struct sockaddr_in6);
910
#endif
911
	}
912
	return (0);
913
fail:
914
	for (i = 0; i < IPSEC_SPCOUNT; i++) {
915
		if (sp[i] != NULL)
916
			key_freesp(&sp[i]);
917
	}
918
	return (ENOMEM);
919
}
920

921
static int
922
ipsec_check_reqid(uint32_t reqid)
923
{
924
	struct ipsec_softc *sc;
925

926
	sx_assert(&ipsec_ioctl_sx, SA_XLOCKED);
927
	CK_LIST_FOREACH(sc, ipsec_idhash(reqid), idhash) {
928
		if (sc->reqid == reqid)
929
			return (EEXIST);
930
	}
931
	return (0);
932
}
933

934
/*
935
 * We use key_newreqid() to automatically obtain unique reqid.
936
 * Then we check that given id is unique, i.e. it is not used by
937
 * another if_ipsec(4) interface. This macro limits the number of
938
 * tries to get unique id.
939
 */
940
#define	IPSEC_REQID_TRYCNT	64
941
static int
942
ipsec_init_reqid(struct ipsec_softc *sc)
943
{
944
	uint32_t reqid;
945
	int trycount;
946

947
	sx_assert(&ipsec_ioctl_sx, SA_XLOCKED);
948
	if (sc->reqid != 0) /* already initialized */
949
		return (0);
950

951
	trycount = IPSEC_REQID_TRYCNT;
952
	while (--trycount > 0) {
953
		reqid = key_newreqid();
954
		if (ipsec_check_reqid(reqid) == 0)
955
			break;
956
	}
957
	if (trycount == 0)
958
		return (EEXIST);
959
	sc->reqid = reqid;
960
	CK_LIST_INSERT_HEAD(ipsec_idhash(reqid), sc, idhash);
961
	return (0);
962
}
963

964
/*
965
 * Set or update reqid for given tunneling interface.
966
 * When specified reqid is zero, generate new one.
967
 * We are protected by ioctl_sx lock from concurrent id generation.
968
 * Also softc would not disappear while we hold ioctl_sx lock.
969
 */
970
static int
971
ipsec_set_reqid(struct ipsec_softc *sc, uint32_t reqid)
972
{
973
	struct secasindex *saidx;
974

975
	sx_assert(&ipsec_ioctl_sx, SA_XLOCKED);
976

977
	if (sc->reqid == reqid && reqid != 0)
978
		return (0);
979

980
	if (reqid != 0) {
981
		/* Check that specified reqid doesn't exist */
982
		if (ipsec_check_reqid(reqid) != 0)
983
			return (EEXIST);
984
		if (sc->reqid != 0) {
985
			CK_LIST_REMOVE(sc, idhash);
986
			IPSEC_WAIT();
987
		}
988
		sc->reqid = reqid;
989
		CK_LIST_INSERT_HEAD(ipsec_idhash(reqid), sc, idhash);
990
	} else {
991
		/* Generate new reqid */
992
		if (ipsec_init_reqid(sc) != 0)
993
			return (EEXIST);
994
	}
995

996
	/* Tunnel isn't fully configured, just return. */
997
	if (sc->family == 0)
998
		return (0);
999

1000
	saidx = ipsec_getsaidx(sc, IPSEC_DIR_OUTBOUND, sc->family);
1001
	KASSERT(saidx != NULL,
1002
	    ("saidx is NULL, but family is %d", sc->family));
1003
	return (ipsec_set_tunnel(sc, &saidx->src.sa, &saidx->dst.sa,
1004
	    sc->reqid));
1005
}
1006

1007
/*
1008
 * Set tunnel endpoints addresses.
1009
 */
1010
static int
1011
ipsec_set_addresses(struct ifnet *ifp, struct sockaddr *src,
1012
    struct sockaddr *dst)
1013
{
1014
	struct ipsec_softc *sc;
1015
	struct secasindex *saidx;
1016

1017
	sx_assert(&ipsec_ioctl_sx, SA_XLOCKED);
1018

1019
	sc = ifp->if_softc;
1020
	if (sc->family != 0) {
1021
		saidx = ipsec_getsaidx(sc, IPSEC_DIR_OUTBOUND,
1022
		    src->sa_family);
1023
		if (saidx != NULL && saidx->reqid == sc->reqid &&
1024
		    key_sockaddrcmp(&saidx->src.sa, src, 0) == 0 &&
1025
		    key_sockaddrcmp(&saidx->dst.sa, dst, 0) == 0)
1026
			return (0); /* Nothing has been changed. */
1027
	}
1028
	/* If reqid is not set, generate new one. */
1029
	if (ipsec_init_reqid(sc) != 0)
1030
		return (EEXIST);
1031
	return (ipsec_set_tunnel(sc, src, dst, sc->reqid));
1032
}
1033

1034
static int
1035
ipsec_set_tunnel(struct ipsec_softc *sc, struct sockaddr *src,
1036
    struct sockaddr *dst, uint32_t reqid)
1037
{
1038
	struct epoch_tracker et;
1039
	struct ipsec_iflist *iflist;
1040
	struct secpolicy *sp[IPSEC_SPCOUNT];
1041
	int i;
1042

1043
	sx_assert(&ipsec_ioctl_sx, SA_XLOCKED);
1044

1045
	/* Allocate SP with new addresses. */
1046
	iflist = ipsec_srchash(src);
1047
	if (iflist == NULL) {
1048
		sc->ifp->if_drv_flags &= ~IFF_DRV_RUNNING;
1049
		return (EAFNOSUPPORT);
1050
	}
1051
	if (ipsec_newpolicies(sc, sp, src, dst, reqid) == 0) {
1052
		/* Add new policies to SPDB */
1053
		if (key_register_ifnet(sp, IPSEC_SPCOUNT) != 0) {
1054
			for (i = 0; i < IPSEC_SPCOUNT; i++)
1055
				key_freesp(&sp[i]);
1056
			return (EAGAIN);
1057
		}
1058
		if (sc->family != 0)
1059
			ipsec_delete_tunnel(sc);
1060
		for (i = 0; i < IPSEC_SPCOUNT; i++)
1061
			sc->sp[i] = sp[i];
1062
		sc->family = src->sa_family;
1063
		CK_LIST_INSERT_HEAD(iflist, sc, srchash);
1064
	} else {
1065
		sc->ifp->if_drv_flags &= ~IFF_DRV_RUNNING;
1066
		return (ENOMEM);
1067
	}
1068
	NET_EPOCH_ENTER(et);
1069
	ipsec_set_running(sc);
1070
	NET_EPOCH_EXIT(et);
1071
	return (0);
1072
}
1073

1074
static void
1075
ipsec_delete_tunnel(struct ipsec_softc *sc)
1076
{
1077
	int i;
1078

1079
	sx_assert(&ipsec_ioctl_sx, SA_XLOCKED);
1080

1081
	sc->ifp->if_drv_flags &= ~IFF_DRV_RUNNING;
1082
	if (sc->family != 0) {
1083
		CK_LIST_REMOVE(sc, srchash);
1084
		sc->family = 0;
1085
		/*
1086
		 * Make sure that ipsec_if_input() will not do access
1087
		 * to softc's policies.
1088
		 */
1089
		IPSEC_WAIT();
1090

1091
		key_unregister_ifnet(sc->sp, IPSEC_SPCOUNT);
1092
		for (i = 0; i < IPSEC_SPCOUNT; i++)
1093
			key_freesp(&sc->sp[i]);
1094
	}
1095
}
1096

1097