1 /*-
2 * SPDX-License-Identifier: BSD-2-Clause
4 * Copyright (c) 2021-2022 Rubicon Communications, LLC (Netgate)
225 #define OVPN_MTU_MAX (IP_MAXPACKET - sizeof(struct ip) - \
226 sizeof(struct udphdr) - sizeof(struct ovpn_wire_header))
237 #define OVPN_RLOCK(sc) rm_rlock(&(sc)->lock, _ovpn_lock_trackerp)
238 #define OVPN_RUNLOCK(sc) rm_runlock(&(sc)->lock, _ovpn_lock_trackerp)
239 #define OVPN_WLOCK(sc) rm_wlock(&(sc)->lock)
240 #define OVPN_WUNLOCK(sc) rm_wunlock(&(sc)->lock)
241 #define OVPN_ASSERT(sc) rm_assert(&(sc)->lock, RA_LOCKED)
242 #define OVPN_RASSERT(sc) rm_assert(&(sc)->lock, RA_RLOCKED)
243 #define OVPN_WASSERT(sc) rm_assert(&(sc)->lock, RA_WLOCKED)
244 #define OVPN_UNLOCK_ASSERT(sc) rm_assert(&(sc)->lock, RA_UNLOCKED)
247 ((sc)->counters[offsetof(struct ovpn_counters, name)/sizeof(uint64_t)])
249 ((peer)->counters[offsetof(struct ovpn_peer_counters, name) / \
294 return (a->peerid - b->peerid); in ovpn_peer_compare()
301 if (a->sa_family != b->sa_family) in ovpn_sockaddr_compare()
303 MPASS(a->sa_len == b->sa_len); in ovpn_sockaddr_compare()
305 switch (a->sa_family) { in ovpn_sockaddr_compare()
312 if (a4->sin_port != b4->sin_port) in ovpn_sockaddr_compare()
315 return (a4->sin_addr.s_addr == b4->sin_addr.s_addr); in ovpn_sockaddr_compare()
323 if (a6->sin6_port != b6->sin6_port) in ovpn_sockaddr_compare()
325 if (a6->sin6_scope_id != b6->sin6_scope_id) in ovpn_sockaddr_compare()
328 return (memcmp(&a6->sin6_addr, &b6->sin6_addr, in ovpn_sockaddr_compare()
329 sizeof(a6->sin6_addr)) == 0); in ovpn_sockaddr_compare()
332 panic("Unknown address family %d", a->sa_family); in ovpn_sockaddr_compare()
345 return (RB_FIND(ovpn_kpeers, &sc->peers, &p)); in ovpn_find_peer()
353 return (RB_ROOT(&sc->peers)); in ovpn_find_only_peer()
359 switch (s->ss_family) { in ovpn_get_port()
362 return (in->sin_port); in ovpn_get_port()
365 const struct sockaddr_in6 *in6 = (const struct sockaddr_in6 *)s; in ovpn_get_port() local
366 return (in6->sin6_port); in ovpn_get_port()
369 panic("Unsupported address family %d", s->ss_family); in ovpn_get_port()
376 switch (s->ss_family) { in ovpn_set_port()
379 in->sin_port = port; in ovpn_set_port()
383 struct sockaddr_in6 *in6 = (struct sockaddr_in6 *)s; in ovpn_set_port() local
384 in6->sin6_port = port; in ovpn_set_port()
388 panic("Unsupported address family %d", s->ss_family); in ovpn_set_port()
415 in->sin_family = af; in ovpn_nvlist_to_sockaddr()
416 in->sin_len = sizeof(*in); in ovpn_nvlist_to_sockaddr()
417 if (len != sizeof(in->sin_addr)) in ovpn_nvlist_to_sockaddr()
420 memcpy(&in->sin_addr, addr, sizeof(in->sin_addr)); in ovpn_nvlist_to_sockaddr()
421 in->sin_port = nvlist_get_number(nvl, "port"); in ovpn_nvlist_to_sockaddr()
427 struct sockaddr_in6 *in6 = (struct sockaddr_in6 *)sa; in ovpn_nvlist_to_sockaddr() local
431 memset(in6, 0, sizeof(*in6)); in ovpn_nvlist_to_sockaddr()
432 in6->sin6_family = af; in ovpn_nvlist_to_sockaddr()
433 in6->sin6_len = sizeof(*in6); in ovpn_nvlist_to_sockaddr()
434 if (len != sizeof(in6->sin6_addr)) in ovpn_nvlist_to_sockaddr()
437 memcpy(&in6->sin6_addr, addr, sizeof(in6->sin6_addr)); in ovpn_nvlist_to_sockaddr()
438 in6->sin6_port = nvlist_get_number(nvl, "port"); in ovpn_nvlist_to_sockaddr()
441 in6->sin6_scope_id = nvlist_get_number(nvl, "scopeid"); in ovpn_nvlist_to_sockaddr()
462 nvlist_add_number(nvl, "af", s->sa_family); in ovpn_add_sockaddr()
464 switch (s->sa_family) { in ovpn_add_sockaddr()
468 nvlist_add_number(nvl, "port", s4->sin_port); in ovpn_add_sockaddr()
469 nvlist_add_binary(nvl, "address", &s4->sin_addr, in ovpn_add_sockaddr()
470 sizeof(s4->sin_addr)); in ovpn_add_sockaddr()
476 nvlist_add_number(nvl, "port", s6->sin6_port); in ovpn_add_sockaddr()
477 nvlist_add_binary(nvl, "address", &s6->sin6_addr, in ovpn_add_sockaddr()
478 sizeof(s6->sin6_addr)); in ovpn_add_sockaddr()
479 nvlist_add_number(nvl, "scopeid", s6->sin6_scope_id); in ovpn_add_sockaddr()
503 n->peerid = peer->peerid; in ovpn_notify_del_peer()
504 n->type = OVPN_NOTIF_DEL_PEER; in ovpn_notify_del_peer()
505 n->del_reason = peer->del_reason; in ovpn_notify_del_peer()
507 n->counters.pkt_in = counter_u64_fetch(OVPN_PEER_COUNTER(peer, pkt_in)); in ovpn_notify_del_peer()
508 n->counters.pkt_out = counter_u64_fetch(OVPN_PEER_COUNTER(peer, pkt_out)); in ovpn_notify_del_peer()
509 n->counters.bytes_in = counter_u64_fetch(OVPN_PEER_COUNTER(peer, bytes_in)); in ovpn_notify_del_peer()
510 n->counters.bytes_out = counter_u64_fetch(OVPN_PEER_COUNTER(peer, bytes_out)); in ovpn_notify_del_peer()
512 if (buf_ring_enqueue(sc->notifring, n) != 0) { in ovpn_notify_del_peer()
514 } else if (sc->so != NULL) { in ovpn_notify_del_peer()
516 sc->so->so_error = EAGAIN; in ovpn_notify_del_peer()
517 sorwakeup(sc->so); in ovpn_notify_del_peer()
518 sowwakeup(sc->so); in ovpn_notify_del_peer()
531 n->peerid = peer->peerid; in ovpn_notify_key_rotation()
532 n->type = OVPN_NOTIF_ROTATE_KEY; in ovpn_notify_key_rotation()
534 if (buf_ring_enqueue(sc->notifring, n) != 0) { in ovpn_notify_key_rotation()
536 } else if (sc->so != NULL) { in ovpn_notify_key_rotation()
538 sc->so->so_error = EAGAIN; in ovpn_notify_key_rotation()
539 sorwakeup(sc->so); in ovpn_notify_key_rotation()
540 sowwakeup(sc->so); in ovpn_notify_key_rotation()
554 n->peerid = peerid; in ovpn_notify_float()
555 n->type = OVPN_NOTIF_FLOAT; in ovpn_notify_float()
556 memcpy(&n->address, remote, sizeof(n->address)); in ovpn_notify_float()
558 if (buf_ring_enqueue(sc->notifring, n) != 0) { in ovpn_notify_float()
561 } else if (sc->so != NULL) { in ovpn_notify_float()
563 sc->so->so_error = EAGAIN; in ovpn_notify_float()
564 sorwakeup(sc->so); in ovpn_notify_float()
565 sowwakeup(sc->so); in ovpn_notify_float()
578 atomic_add_int(&peer->refcount, -1); in ovpn_peer_release_ref()
580 if (atomic_load_int(&peer->refcount) > 0) in ovpn_peer_release_ref()
583 sc = peer->sc; in ovpn_peer_release_ref()
589 if (atomic_load_int(&peer->refcount) > 0) { in ovpn_peer_release_ref()
598 MPASS(ovpn_find_peer(sc, peer->peerid) == NULL); in ovpn_peer_release_ref()
603 ovpn_free_kkey_dir(peer->keys[i].encrypt); in ovpn_peer_release_ref()
604 ovpn_free_kkey_dir(peer->keys[i].decrypt); in ovpn_peer_release_ref()
607 callout_stop(&peer->ping_send); in ovpn_peer_release_ref()
608 callout_stop(&peer->ping_rcv); in ovpn_peer_release_ref()
609 uma_zfree_pcpu(pcpu_zone_4, peer->last_active); in ovpn_peer_release_ref()
625 struct ovpn_softc *sc = ifp->if_softc; in ovpn_new_peer()
659 so = fp->f_data; in ovpn_new_peer()
662 peer->peerid = peerid; in ovpn_new_peer()
663 peer->sc = sc; in ovpn_new_peer()
664 peer->refcount = 1; in ovpn_new_peer()
665 peer->last_active = uma_zalloc_pcpu(pcpu_zone_4, M_WAITOK | M_ZERO); in ovpn_new_peer()
666 COUNTER_ARRAY_ALLOC(peer->counters, OVPN_PEER_COUNTER_SIZE, M_WAITOK); in ovpn_new_peer()
671 if (len != sizeof(peer->vpn4)) { in ovpn_new_peer()
675 memcpy(&peer->vpn4, addr, len); in ovpn_new_peer()
681 if (len != sizeof(peer->vpn6)) { in ovpn_new_peer()
685 memcpy(&peer->vpn6, addr, len); in ovpn_new_peer()
688 callout_init_rm(&peer->ping_send, &sc->lock, CALLOUT_SHAREDLOCK); in ovpn_new_peer()
689 callout_init_rm(&peer->ping_rcv, &sc->lock, 0); in ovpn_new_peer()
721 memcpy(&peer->local, &local, sizeof(local)); in ovpn_new_peer()
722 memcpy(&peer->remote, &remote, sizeof(remote)); in ovpn_new_peer()
725 if (peer->local.ss_family == AF_INET6 && in ovpn_new_peer()
726 IN6_IS_ADDR_V4MAPPED(&TO_IN6(&peer->remote)->sin6_addr)) { in ovpn_new_peer()
728 in6_sin6_2_sin_in_sock((struct sockaddr *)&peer->local); in ovpn_new_peer()
729 in6_sin6_2_sin_in_sock((struct sockaddr *)&peer->remote); in ovpn_new_peer()
732 if (peer->local.ss_family == AF_INET6 && in ovpn_new_peer()
733 IN6_IS_ADDR_UNSPECIFIED(&TO_IN6(&peer->local)->sin6_addr)) { in ovpn_new_peer()
735 ret = in6_selectsrc_addr(curthread->td_proc->p_fibnum, in ovpn_new_peer()
736 &TO_IN6(&peer->remote)->sin6_addr, in ovpn_new_peer()
737 TO_IN6(&peer->remote)->sin6_scope_id, NULL, in ovpn_new_peer()
738 &TO_IN6(&peer->local)->sin6_addr, NULL); in ovpn_new_peer()
747 /* Disallow peer id re-use. */ in ovpn_new_peer()
754 if (so->so_type != SOCK_DGRAM || so->so_proto->pr_type != SOCK_DGRAM) { in ovpn_new_peer()
760 if (sc->so != NULL && so != sc->so) { in ovpn_new_peer()
761 if (! RB_EMPTY(&sc->peers)) { in ovpn_new_peer()
770 ret = udp_set_kernel_tunneling(sc->so, NULL, NULL, NULL); in ovpn_new_peer()
772 sorele(sc->so); in ovpn_new_peer()
773 sc->so = NULL; in ovpn_new_peer()
776 if (sc->so == NULL) { in ovpn_new_peer()
777 sc->so = so; in ovpn_new_peer()
782 soref(sc->so); in ovpn_new_peer()
787 RB_INSERT(ovpn_kpeers, &sc->peers, peer); in ovpn_new_peer()
788 sc->peercount++; in ovpn_new_peer()
793 ret = udp_set_kernel_tunneling(sc->so, ovpn_udp_input, NULL, sc); in ovpn_new_peer()
802 COUNTER_ARRAY_FREE(peer->counters, OVPN_PEER_COUNTER_SIZE); in ovpn_new_peer()
803 uma_zfree_pcpu(pcpu_zone_4, peer->last_active); in ovpn_new_peer()
820 MPASS(RB_FIND(ovpn_kpeers, &sc->peers, peer) == peer); in _ovpn_del_peer()
822 tmp = RB_REMOVE(ovpn_kpeers, &sc->peers, peer); in _ovpn_del_peer()
825 sc->peercount--; in _ovpn_del_peer()
835 struct ovpn_softc *sc = ifp->if_softc; in ovpn_del_peer()
854 peer->del_reason = OVPN_DEL_REASON_REQUESTED; in ovpn_del_peer()
878 else if (strcmp(ciphername, "AES-256-GCM") == 0 || in ovpn_create_kkey_dir()
879 strcmp(ciphername, "AES-192-GCM") == 0 || in ovpn_create_kkey_dir()
880 strcmp(ciphername, "AES-128-GCM") == 0) in ovpn_create_kkey_dir()
882 else if (strcmp(ciphername, "CHACHA20-POLY1305") == 0) in ovpn_create_kkey_dir()
891 if (keylen > sizeof(kdir->key)) in ovpn_create_kkey_dir()
904 kdir->cipher = cipher; in ovpn_create_kkey_dir()
905 kdir->keylen = keylen; in ovpn_create_kkey_dir()
906 kdir->tx_seq = 1; in ovpn_create_kkey_dir()
908 memcpy(kdir->key, key, keylen); in ovpn_create_kkey_dir()
909 kdir->noncelen = ivlen; in ovpn_create_kkey_dir()
911 memcpy(kdir->nonce, iv, ivlen); in ovpn_create_kkey_dir()
913 if (kdir->cipher != OVPN_CIPHER_ALG_NONE) { in ovpn_create_kkey_dir()
918 if (kdir->cipher == OVPN_CIPHER_ALG_CHACHA20_POLY1305) in ovpn_create_kkey_dir()
925 csp.csp_cipher_klen = kdir->keylen; in ovpn_create_kkey_dir()
926 csp.csp_cipher_key = kdir->key; in ovpn_create_kkey_dir()
929 error = crypto_newsession(&kdir->cryptoid, &csp, in ovpn_create_kkey_dir()
937 mtx_init(&kdir->replay_mtx, "if_ovpn rx replay", NULL, MTX_DEF); in ovpn_create_kkey_dir()
949 mtx_destroy(&kdir->replay_mtx); in ovpn_free_kkey_dir()
951 crypto_freesession(kdir->cryptoid); in ovpn_free_kkey_dir()
958 struct ovpn_softc *sc = ifp->if_softc; in ovpn_set_key()
1007 ovpn_free_kkey_dir(peer->keys[slot].encrypt); in ovpn_set_key()
1008 ovpn_free_kkey_dir(peer->keys[slot].decrypt); in ovpn_set_key()
1010 peer->keys[slot].encrypt = enc; in ovpn_set_key()
1011 peer->keys[slot].decrypt = dec; in ovpn_set_key()
1013 peer->keys[slot].keyid = keyid; in ovpn_set_key()
1014 peer->keys[slot].peerid = peerid; in ovpn_set_key()
1026 if (peer->keys[slot].encrypt == NULL) in ovpn_check_key()
1029 if (peer->keys[slot].decrypt == NULL) in ovpn_check_key()
1038 struct ovpn_softc *sc = ifp->if_softc; in ovpn_start()
1042 ifp->if_flags |= IFF_UP; in ovpn_start()
1043 ifp->if_drv_flags |= IFF_DRV_RUNNING; in ovpn_start()
1054 struct ovpn_softc *sc = ifp->if_softc; in ovpn_swap_keys()
1080 tmpkey = peer->keys[0]; in ovpn_swap_keys()
1081 peer->keys[0] = peer->keys[1]; in ovpn_swap_keys()
1082 peer->keys[1] = tmpkey; in ovpn_swap_keys()
1094 struct ovpn_softc *sc = ifp->if_softc; in ovpn_del_key()
1118 ovpn_free_kkey_dir(peer->keys[slot].encrypt); in ovpn_del_key()
1119 ovpn_free_kkey_dir(peer->keys[slot].decrypt); in ovpn_del_key()
1121 peer->keys[slot].encrypt = NULL; in ovpn_del_key()
1122 peer->keys[slot].decrypt = NULL; in ovpn_del_key()
1124 peer->keys[slot].keyid = 0; in ovpn_del_key()
1125 peer->keys[slot].peerid = 0; in ovpn_del_key()
1142 struct ovpn_softc *sc = peer->sc; in ovpn_send_ping()
1148 callout_reset(&peer->ping_send, peer->keepalive.interval * hz, in ovpn_send_ping()
1156 m->m_len = m->m_pkthdr.len = sizeof(ping_str); in ovpn_send_ping()
1158 CURVNET_SET(sc->ifp->if_vnet); in ovpn_send_ping()
1160 (void)ovpn_transmit_to_peer(sc->ifp, m, peer, NULL); in ovpn_send_ping()
1169 struct ovpn_softc *sc = peer->sc; in ovpn_timeout()
1178 _last_active = *zpcpu_get_cpu(peer->last_active, cpu); in ovpn_timeout()
1183 if (last + peer->keepalive.timeout > time_uptime) { in ovpn_timeout()
1184 callout_reset(&peer->ping_rcv, in ovpn_timeout()
1185 (peer->keepalive.timeout - (time_uptime - last)) * hz, in ovpn_timeout()
1190 CURVNET_SET(sc->ifp->if_vnet); in ovpn_timeout()
1191 peer->del_reason = OVPN_DEL_REASON_TIMEOUT; in ovpn_timeout()
1200 struct ovpn_softc *sc = ifp->if_softc; in ovpn_set_peer()
1219 peer->keepalive.interval = nvlist_get_number(nvl, "interval"); in ovpn_set_peer()
1220 peer->keepalive.timeout = nvlist_get_number(nvl, "timeout"); in ovpn_set_peer()
1222 if (peer->keepalive.interval > 0) in ovpn_set_peer()
1223 callout_reset(&peer->ping_send, peer->keepalive.interval * hz, in ovpn_set_peer()
1225 if (peer->keepalive.timeout > 0) in ovpn_set_peer()
1226 callout_reset(&peer->ping_rcv, peer->keepalive.timeout * hz, in ovpn_set_peer()
1237 struct ovpn_softc *sc = ifp->if_softc; in ovpn_set_ifmode()
1251 if (ifp->if_flags & IFF_UP) { in ovpn_set_ifmode()
1259 ifp->if_flags &= in ovpn_set_ifmode()
1261 ifp->if_flags |= ifmode; in ovpn_set_ifmode()
1276 struct ovpn_softc *sc = ifp->if_softc; in ovpn_ioctl_set()
1281 if (ifd->ifd_len != 0) { in ovpn_ioctl_set()
1282 if (ifd->ifd_len > OVPN_MAX_REQUEST_SIZE) in ovpn_ioctl_set()
1285 buf = malloc(ifd->ifd_len, M_OVPN, M_WAITOK); in ovpn_ioctl_set()
1287 ret = copyin(ifd->ifd_data, buf, ifd->ifd_len); in ovpn_ioctl_set()
1293 nvl = nvlist_unpack(buf, ifd->ifd_len, 0); in ovpn_ioctl_set()
1300 switch (ifd->ifd_cmd) { in ovpn_ioctl_set()
1416 RB_FOREACH(peer, ovpn_kpeers, &sc->peers) { in ovpn_get_peer_stats()
1425 nvlist_add_number(nvpeer, "peerid", peer->peerid); in ovpn_get_peer_stats()
1454 nvlist_add_number(nvl, "pending", buf_ring_count(sc->notifring)); in ovpn_poll_pkt()
1470 nvlist_add_number(nvl, "in", n->counters.pkt_in); in ovpn_notif_add_counters()
1471 nvlist_add_number(nvl, "out", n->counters.pkt_out); in ovpn_notif_add_counters()
1480 nvlist_add_number(nvl, "in", n->counters.bytes_in); in ovpn_notif_add_counters()
1481 nvlist_add_number(nvl, "out", n->counters.bytes_out); in ovpn_notif_add_counters()
1494 n = buf_ring_dequeue_mc(sc->notifring); in opvn_get_pkt()
1503 nvlist_add_number(nvl, "peerid", n->peerid); in opvn_get_pkt()
1504 nvlist_add_number(nvl, "notification", n->type); in opvn_get_pkt()
1505 switch (n->type) { in opvn_get_pkt()
1507 nvlist_add_number(nvl, "del_reason", n->del_reason); in opvn_get_pkt()
1518 (struct sockaddr *)&n->address); in opvn_get_pkt()
1522 * Try to re-enqueue the notification. Maybe we'll in opvn_get_pkt()
1524 * because if we fail to re-enqueue there's nothing we can do. in opvn_get_pkt()
1526 (void)ovpn_notify_float(sc, n->peerid, &n->address); in opvn_get_pkt()
1546 struct ovpn_softc *sc = ifp->if_softc; in ovpn_ioctl_get()
1550 switch (ifd->ifd_cmd) { in ovpn_ioctl_get()
1580 if (len > ifd->ifd_len) { in ovpn_ioctl_get()
1586 error = copyout(packed, ifd->ifd_data, len); in ovpn_ioctl_get()
1587 ifd->ifd_len = len; in ovpn_ioctl_get()
1624 if (ifr->ifr_mtu < OVPN_MTU_MIN || ifr->ifr_mtu > OVPN_MTU_MAX) in ovpn_ioctl()
1627 ifp->if_mtu = ifr->ifr_mtu; in ovpn_ioctl()
1647 struct ovpn_kpeer *peer = crp->crp_opaque; in ovpn_encrypt_tx_cb()
1648 struct ovpn_softc *sc = peer->sc; in ovpn_encrypt_tx_cb()
1649 struct mbuf *m = crp->crp_buf.cb_mbuf; in ovpn_encrypt_tx_cb()
1653 CURVNET_SET(sc->ifp->if_vnet); in ovpn_encrypt_tx_cb()
1656 if (crp->crp_etype != 0) { in ovpn_encrypt_tx_cb()
1666 MPASS(crp->crp_buf.cb_type == CRYPTO_BUF_MBUF); in ovpn_encrypt_tx_cb()
1668 tunnel_len = m->m_pkthdr.len - sizeof(struct ovpn_wire_header); in ovpn_encrypt_tx_cb()
1669 ret = ovpn_encap(sc, peer->peerid, m); in ovpn_encrypt_tx_cb()
1696 if (V_replay_protection && ! ovpn_check_replay(key->decrypt, seq)) { in ovpn_finish_rx()
1704 *zpcpu_get(peer->last_active) = time_uptime; in ovpn_finish_rx()
1721 if (ovpn_sockaddr_compare((struct sockaddr *)&ot->addr, in ovpn_finish_rx()
1722 (struct sockaddr *)&peer->remote)) { in ovpn_finish_rx()
1728 if (ovpn_notify_float(sc, peer->peerid, &ot->addr) == 0) { in ovpn_finish_rx()
1734 memcpy(&peer->remote, &ot->addr, sizeof(peer->remote)); in ovpn_finish_rx()
1742 OVPN_COUNTER_ADD(sc, tunnel_bytes_received, m->m_pkthdr.len); in ovpn_finish_rx()
1744 OVPN_PEER_COUNTER_ADD(peer, bytes_in, m->m_pkthdr.len); in ovpn_finish_rx()
1747 m->m_pkthdr.rcvif = sc->ifp; in ovpn_finish_rx()
1750 m->m_pkthdr.csum_flags = 0; in ovpn_finish_rx()
1769 BPF_MTAP2(sc->ifp, &af, sizeof(af), m); in ovpn_finish_rx()
1789 keyid = (ntohl(ohdr->opcode) >> 24) & 0x07; in ovpn_find_key()
1791 if (peer->keys[0].keyid == keyid) in ovpn_find_key()
1792 key = &peer->keys[0]; in ovpn_find_key()
1793 else if (peer->keys[1].keyid == keyid) in ovpn_find_key()
1794 key = &peer->keys[1]; in ovpn_find_key()
1803 struct ovpn_softc *sc = crp->crp_opaque; in ovpn_decrypt_rx_cb()
1804 struct mbuf *m = crp->crp_buf.cb_mbuf; in ovpn_decrypt_rx_cb()
1814 MPASS(crp->crp_buf.cb_type == CRYPTO_BUF_MBUF); in ovpn_decrypt_rx_cb()
1816 if (crp->crp_etype != 0) { in ovpn_decrypt_rx_cb()
1818 atomic_add_int(&sc->refcount, -1); in ovpn_decrypt_rx_cb()
1825 CURVNET_SET(sc->ifp->if_vnet); in ovpn_decrypt_rx_cb()
1829 peerid = ntohl(ohdr->opcode) & 0x00ffffff; in ovpn_decrypt_rx_cb()
1834 atomic_add_int(&sc->refcount, -1); in ovpn_decrypt_rx_cb()
1845 atomic_add_int(&sc->refcount, -1); in ovpn_decrypt_rx_cb()
1847 * Has this key been removed between us starting the decrypt in ovpn_decrypt_rx_cb()
1862 ovpn_finish_rx(sc, m, peer, key, ntohl(ohdr->seq), _ovpn_lock_trackerp); in ovpn_decrypt_rx_cb()
1869 atomic_add_int(&sc->refcount, -1); in ovpn_decrypt_rx_cb()
1885 if (ip->ip_v == IPVERSION) in ovpn_get_af()
1889 if ((ip6->ip6_vfc & IPV6_VERSION_MASK) == IPV6_VERSION) in ovpn_get_af()
1904 RB_FOREACH(peer, ovpn_kpeers, &sc->peers) { in ovpn_find_peer_by_ip()
1905 if (addr.s_addr == peer->vpn4.s_addr) in ovpn_find_peer_by_ip()
1922 RB_FOREACH(peer, ovpn_kpeers, &sc->peers) { in ovpn_find_peer_by_ip6()
1923 if (memcmp(addr, &peer->vpn6, sizeof(*addr)) == 0) in ovpn_find_peer_by_ip6()
1942 if (sc->peercount == 1) in ovpn_route_peer()
1946 af = dst->sa_family; in ovpn_route_peer()
1958 ip_dst = &sa->sin_addr; in ovpn_route_peer()
1966 ip_dst = &ip->ip_dst; in ovpn_route_peer()
1974 if (nh && (nh->nh_flags & NHF_GATEWAY)) { in ovpn_route_peer()
1976 nh->gw4_sa.sin_addr); in ovpn_route_peer()
1978 &nh->gw4_sa.sin_addr, peer); in ovpn_route_peer()
1992 ip6_dst = &sa6->sin6_addr; in ovpn_route_peer()
2000 ip6_dst = &ip6->ip6_dst; in ovpn_route_peer()
2008 if (nh && (nh->nh_flags & NHF_GATEWAY)) { in ovpn_route_peer()
2010 &nh->gw6_sa.sin6_addr); in ovpn_route_peer()
2012 &nh->gw6_sa.sin6_addr, peer); in ovpn_route_peer()
2026 return (ifp->if_output(ifp, m, NULL, NULL)); in ovpn_transmit()
2043 sc = ifp->if_softc; in ovpn_transmit_to_peer()
2047 tunnel_len = m->m_pkthdr.len; in ovpn_transmit_to_peer()
2049 key = &peer->keys[OVPN_KEY_SLOT_PRIMARY]; in ovpn_transmit_to_peer()
2050 if (key->encrypt == NULL) { in ovpn_transmit_to_peer()
2070 len = m->m_pkthdr.len; in ovpn_transmit_to_peer()
2071 MPASS(len <= ifp->if_mtu); in ovpn_transmit_to_peer()
2074 if (key->encrypt->cipher == OVPN_CIPHER_ALG_NONE) in ovpn_transmit_to_peer()
2075 ovpn_hdr_len -= 16; /* No auth tag. */ in ovpn_transmit_to_peer()
2085 ohdr->opcode = (OVPN_OP_DATA_V2 << OVPN_OP_SHIFT) | key->keyid; in ovpn_transmit_to_peer()
2086 ohdr->opcode <<= 24; in ovpn_transmit_to_peer()
2087 ohdr->opcode |= key->peerid; in ovpn_transmit_to_peer()
2088 ohdr->opcode = htonl(ohdr->opcode); in ovpn_transmit_to_peer()
2090 seq64 = atomic_fetchadd_64(&peer->keys[OVPN_KEY_SLOT_PRIMARY].encrypt->tx_seq, 1); in ovpn_transmit_to_peer()
2100 * 64-bit counter taking us back to 0. */ in ovpn_transmit_to_peer()
2101 atomic_store_64(&peer->keys[OVPN_KEY_SLOT_PRIMARY].encrypt->tx_seq, in ovpn_transmit_to_peer()
2108 ohdr->seq = seq; in ovpn_transmit_to_peer()
2113 if (key->encrypt->cipher == OVPN_CIPHER_ALG_NONE) { in ovpn_transmit_to_peer()
2114 ret = ovpn_encap(sc, peer->peerid, m); in ovpn_transmit_to_peer()
2124 crp = crypto_getreq(key->encrypt->cryptoid, M_NOWAIT); in ovpn_transmit_to_peer()
2134 crp->crp_payload_start = sizeof(*ohdr); in ovpn_transmit_to_peer()
2135 crp->crp_payload_length = len; in ovpn_transmit_to_peer()
2136 crp->crp_op = CRYPTO_OP_ENCRYPT; in ovpn_transmit_to_peer()
2142 crp->crp_aad_length = sizeof(*ohdr) - sizeof(ohdr->auth_tag); in ovpn_transmit_to_peer()
2143 crp->crp_aad = ohdr; in ovpn_transmit_to_peer()
2144 crp->crp_aad_start = 0; in ovpn_transmit_to_peer()
2145 crp->crp_op |= CRYPTO_OP_COMPUTE_DIGEST; in ovpn_transmit_to_peer()
2146 crp->crp_digest_start = offsetof(struct ovpn_wire_header, auth_tag); in ovpn_transmit_to_peer()
2148 crp->crp_flags |= CRYPTO_F_IV_SEPARATE; in ovpn_transmit_to_peer()
2149 memcpy(crp->crp_iv, &seq, sizeof(seq)); in ovpn_transmit_to_peer()
2150 memcpy(crp->crp_iv + sizeof(seq), key->encrypt->nonce, in ovpn_transmit_to_peer()
2151 key->encrypt->noncelen); in ovpn_transmit_to_peer()
2154 crp->crp_flags |= CRYPTO_F_CBIFSYNC; in ovpn_transmit_to_peer()
2155 crp->crp_callback = ovpn_encrypt_tx_cb; in ovpn_transmit_to_peer()
2156 crp->crp_opaque = peer; in ovpn_transmit_to_peer()
2158 atomic_add_int(&peer->refcount, 1); in ovpn_transmit_to_peer()
2188 if (peer == NULL || sc->ifp->if_link_state != LINK_STATE_UP) { in ovpn_encap()
2195 len = m->m_pkthdr.len; in ovpn_encap()
2206 MPASS(peer->local.ss_family == peer->remote.ss_family); in ovpn_encap()
2208 udp->uh_sport = ovpn_get_port(&peer->local); in ovpn_encap()
2209 udp->uh_dport = ovpn_get_port(&peer->remote); in ovpn_encap()
2210 udp->uh_ulen = htons(sizeof(struct udphdr) + len); in ovpn_encap()
2212 switch (peer->remote.ss_family) { in ovpn_encap()
2215 struct sockaddr_in *in_local = TO_IN(&peer->local); in ovpn_encap()
2216 struct sockaddr_in *in_remote = TO_IN(&peer->remote); in ovpn_encap()
2224 udp->uh_sum = 0; in ovpn_encap()
2227 m->m_pkthdr.csum_flags |= CSUM_IP; in ovpn_encap()
2228 m->m_pkthdr.csum_data = offsetof(struct udphdr, uh_sum); in ovpn_encap()
2238 ip->ip_tos = 0; in ovpn_encap()
2239 ip->ip_len = htons(sizeof(struct ip) + sizeof(struct udphdr) + in ovpn_encap()
2241 ip->ip_off = 0; in ovpn_encap()
2242 ip->ip_ttl = V_ip_defttl; in ovpn_encap()
2243 ip->ip_p = IPPROTO_UDP; in ovpn_encap()
2244 ip->ip_sum = 0; in ovpn_encap()
2245 if (in_local->sin_port != 0) in ovpn_encap()
2246 ip->ip_src = in_local->sin_addr; in ovpn_encap()
2248 ip->ip_src.s_addr = INADDR_ANY; in ovpn_encap()
2249 ip->ip_dst = in_remote->sin_addr; in ovpn_encap()
2252 OVPN_COUNTER_ADD(sc, transport_bytes_sent, m->m_pkthdr.len); in ovpn_encap()
2259 struct sockaddr_in6 *in6_local = TO_IN6(&peer->local); in ovpn_encap()
2260 struct sockaddr_in6 *in6_remote = TO_IN6(&peer->remote); in ovpn_encap()
2278 ip6->ip6_vfc = IPV6_VERSION; in ovpn_encap()
2279 ip6->ip6_flow &= ~IPV6_FLOWINFO_MASK; in ovpn_encap()
2280 ip6->ip6_plen = htons(sizeof(*ip6) + sizeof(struct udphdr) + in ovpn_encap()
2282 ip6->ip6_nxt = IPPROTO_UDP; in ovpn_encap()
2283 ip6->ip6_hlim = V_ip6_defhlim; in ovpn_encap()
2285 memcpy(&ip6->ip6_src, &in6_local->sin6_addr, in ovpn_encap()
2286 sizeof(ip6->ip6_src)); in ovpn_encap()
2287 memcpy(&ip6->ip6_dst, &in6_remote->sin6_addr, in ovpn_encap()
2288 sizeof(ip6->ip6_dst)); in ovpn_encap()
2290 if (IN6_IS_ADDR_LINKLOCAL(&ip6->ip6_src)) { in ovpn_encap()
2292 ip6->ip6_src.__u6_addr.__u6_addr16[1] = in ovpn_encap()
2293 htons(in6_remote->sin6_scope_id & 0xffff); in ovpn_encap()
2295 if (IN6_IS_ADDR_LINKLOCAL(&ip6->ip6_dst)) in ovpn_encap()
2296 ip6->ip6_dst.__u6_addr.__u6_addr16[1] = in ovpn_encap()
2297 htons(in6_remote->sin6_scope_id & 0xffff); in ovpn_encap()
2300 udp->uh_sum = in6_cksum_pseudo(ip6, in ovpn_encap()
2301 m->m_pkthdr.len - sizeof(struct ip6_hdr), in ovpn_encap()
2304 m->m_pkthdr.csum_flags |= CSUM_UDP_IPV6; in ovpn_encap()
2305 m->m_pkthdr.csum_data = offsetof(struct udphdr, uh_sum); in ovpn_encap()
2308 OVPN_COUNTER_ADD(sc, transport_bytes_sent, m->m_pkthdr.len); in ovpn_encap()
2316 peer->remote.ss_family); in ovpn_encap()
2329 sc = ifp->if_softc; in ovpn_output()
2341 if (__predict_false(ifp->if_link_state != LINK_STATE_UP)) { in ovpn_output()
2350 * That's our indication that we're being called through pf's route-to, in ovpn_output()
2353 * non-server IP in the subnet as the gateway. If we always use that in ovpn_output()
2355 * tl;dr: 'ro == NULL' tells us pf is doing a route-to, and then but in ovpn_output()
2374 mtx_lock(&key->replay_mtx); in ovpn_check_replay()
2377 if (seq <= key->rx_seq) { in ovpn_check_replay()
2378 mtx_unlock(&key->replay_mtx); in ovpn_check_replay()
2383 if (seq > (key->rx_seq + (sizeof(key->rx_window) * 8))) { in ovpn_check_replay()
2384 key->rx_seq = seq; in ovpn_check_replay()
2385 key->rx_window = 0; in ovpn_check_replay()
2386 mtx_unlock(&key->replay_mtx); in ovpn_check_replay()
2391 if ((seq == key->rx_seq + 1) && key->rx_window == 0) { in ovpn_check_replay()
2392 key->rx_seq++; in ovpn_check_replay()
2393 mtx_unlock(&key->replay_mtx); in ovpn_check_replay()
2397 d = seq - key->rx_seq - 1; in ovpn_check_replay()
2399 if (key->rx_window & ((uint64_t)1 << d)) { in ovpn_check_replay()
2401 mtx_unlock(&key->replay_mtx); in ovpn_check_replay()
2405 key->rx_window |= (uint64_t)1 << d; in ovpn_check_replay()
2407 while (key->rx_window & 1) { in ovpn_check_replay()
2408 key->rx_seq++; in ovpn_check_replay()
2409 key->rx_window >>= 1; in ovpn_check_replay()
2412 mtx_unlock(&key->replay_mtx); in ovpn_check_replay()
2422 const size_t hdrlen = sizeof(ohdr) - sizeof(ohdr.auth_tag); in ovpn_peer_from_mbuf()
2455 OVPN_COUNTER_ADD(sc, transport_bytes_received, m->m_pkthdr.len - off); in ovpn_udp_input()
2457 ohdrlen = sizeof(*ohdr) - sizeof(ohdr->auth_tag); in ovpn_udp_input()
2505 if (key == NULL || key->decrypt == NULL) { in ovpn_udp_input()
2517 if (! ovpn_sockaddr_compare((struct sockaddr *)&peer->remote, sa)) { in ovpn_udp_input()
2521 MPASS(sa->sa_len <= sizeof(ot->addr)); in ovpn_udp_input()
2529 memcpy(&ot->addr, sa, sa->sa_len); in ovpn_udp_input()
2535 if (key->decrypt->cipher == OVPN_CIPHER_ALG_NONE) { in ovpn_udp_input()
2541 ovpn_finish_rx(sc, m, peer, key, ntohl(ohdr->seq), in ovpn_udp_input()
2547 ohdrlen += sizeof(ohdr->auth_tag); in ovpn_udp_input()
2559 crp = crypto_getreq(key->decrypt->cryptoid, M_NOWAIT); in ovpn_udp_input()
2567 crp->crp_payload_start = sizeof(struct udphdr) + sizeof(*ohdr); in ovpn_udp_input()
2568 crp->crp_payload_length = ntohs(uhdr->uh_ulen) - in ovpn_udp_input()
2569 sizeof(*uhdr) - sizeof(*ohdr); in ovpn_udp_input()
2570 crp->crp_op = CRYPTO_OP_DECRYPT; in ovpn_udp_input()
2573 crp->crp_aad_length = sizeof(*ohdr) - sizeof(ohdr->auth_tag); in ovpn_udp_input()
2574 crp->crp_aad = ohdr; in ovpn_udp_input()
2575 crp->crp_aad_start = 0; in ovpn_udp_input()
2576 crp->crp_op |= CRYPTO_OP_VERIFY_DIGEST; in ovpn_udp_input()
2577 crp->crp_digest_start = sizeof(struct udphdr) + in ovpn_udp_input()
2580 crp->crp_flags |= CRYPTO_F_IV_SEPARATE; in ovpn_udp_input()
2581 memcpy(crp->crp_iv, &ohdr->seq, sizeof(ohdr->seq)); in ovpn_udp_input()
2582 memcpy(crp->crp_iv + sizeof(ohdr->seq), key->decrypt->nonce, in ovpn_udp_input()
2583 key->decrypt->noncelen); in ovpn_udp_input()
2586 crp->crp_flags |= CRYPTO_F_CBIFSYNC; in ovpn_udp_input()
2587 crp->crp_callback = ovpn_decrypt_rx_cb; in ovpn_udp_input()
2588 crp->crp_opaque = sc; in ovpn_udp_input()
2590 atomic_add_int(&sc->refcount, 1); in ovpn_udp_input()
2616 while (! buf_ring_empty(sc->notifring)) { in ovpn_flush_rxring()
2617 n = buf_ring_dequeue_sc(sc->notifring); in ovpn_flush_rxring()
2627 struct ovpn_softc *sc = ifp->if_softc; in ovpn_reassign()
2634 RB_FOREACH_SAFE(peer, ovpn_kpeers, &sc->peers, tmppeer) { in ovpn_reassign()
2635 peer->del_reason = OVPN_DEL_REASON_REQUESTED; in ovpn_reassign()
2680 error = snprintf(dp, len - (dp - name), "%d", unit); in ovpn_clone_create()
2681 if (error > len - (dp - name)) { in ovpn_clone_create()
2694 sc->ifp = if_alloc(IFT_TUNNEL); in ovpn_clone_create()
2695 rm_init_flags(&sc->lock, "if_ovpn_lock", RM_RECURSE); in ovpn_clone_create()
2696 sc->refcount = 0; in ovpn_clone_create()
2698 sc->notifring = buf_ring_alloc(32, M_OVPN, M_WAITOK, NULL); in ovpn_clone_create()
2700 COUNTER_ARRAY_ALLOC(sc->counters, OVPN_COUNTER_SIZE, M_WAITOK); in ovpn_clone_create()
2702 ifp = sc->ifp; in ovpn_clone_create()
2703 ifp->if_softc = sc; in ovpn_clone_create()
2704 strlcpy(ifp->if_xname, name, IFNAMSIZ); in ovpn_clone_create()
2705 ifp->if_dname = ovpngroupname; in ovpn_clone_create()
2706 ifp->if_dunit = unit; in ovpn_clone_create()
2708 ifp->if_addrlen = 0; in ovpn_clone_create()
2709 ifp->if_mtu = 1428; in ovpn_clone_create()
2710 ifp->if_flags = IFF_POINTOPOINT | IFF_MULTICAST; in ovpn_clone_create()
2711 ifp->if_ioctl = ovpn_ioctl; in ovpn_clone_create()
2712 ifp->if_transmit = ovpn_transmit; in ovpn_clone_create()
2713 ifp->if_output = ovpn_output; in ovpn_clone_create()
2714 ifp->if_qflush = ovpn_qflush; in ovpn_clone_create()
2716 ifp->if_reassign = ovpn_reassign; in ovpn_clone_create()
2718 ifp->if_capabilities |= IFCAP_LINKSTATE; in ovpn_clone_create()
2719 ifp->if_capenable |= IFCAP_LINKSTATE; in ovpn_clone_create()
2736 MPASS(sc->peercount == 0); in ovpn_clone_destroy_cb()
2737 MPASS(RB_EMPTY(&sc->peers)); in ovpn_clone_destroy_cb()
2739 if (sc->so != NULL) { in ovpn_clone_destroy_cb()
2740 CURVNET_SET(sc->ifp->if_vnet); in ovpn_clone_destroy_cb()
2741 ret = udp_set_kernel_tunneling(sc->so, NULL, NULL, NULL); in ovpn_clone_destroy_cb()
2743 sorele(sc->so); in ovpn_clone_destroy_cb()
2747 COUNTER_ARRAY_FREE(sc->counters, OVPN_COUNTER_SIZE); in ovpn_clone_destroy_cb()
2749 rm_destroy(&sc->lock); in ovpn_clone_destroy_cb()
2750 if_free(sc->ifp); in ovpn_clone_destroy_cb()
2762 sc = ifp->if_softc; in ovpn_clone_destroy()
2763 unit = ifp->if_dunit; in ovpn_clone_destroy()
2767 if (atomic_load_int(&sc->refcount) > 0) { in ovpn_clone_destroy()
2772 RB_FOREACH_SAFE(peer, ovpn_kpeers, &sc->peers, tmppeer) { in ovpn_clone_destroy()
2773 peer->del_reason = OVPN_DEL_REASON_REQUESTED; in ovpn_clone_destroy()
2779 buf_ring_free(sc->notifring, M_OVPN); in ovpn_clone_destroy()
2785 ifp->if_softc = NULL; in ovpn_clone_destroy()
2787 NET_EPOCH_CALL(ovpn_clone_destroy_cb, &sc->epoch_ctx); in ovpn_clone_destroy()
2818 CURVNET_SET(pr->pr_vnet); in ovpn_prison_remove()