1 // SPDX-License-Identifier: GPL-2.0
2 /* OpenVPN data channel accelerator
3 *
4 * Copyright (C) 2020-2025 OpenVPN, Inc.
5 *
6 * Author: Antonio Quartulli <antonio@openvpn.net>
7 */
8
9 #include <stdio.h>
10 #include <inttypes.h>
11 #include <stdbool.h>
12 #include <string.h>
13 #include <errno.h>
14 #include <unistd.h>
15 #include <arpa/inet.h>
16 #include <net/if.h>
17 #include <netinet/in.h>
18 #include <time.h>
19
20 #include <linux/ovpn.h>
21 #include <linux/types.h>
22 #include <linux/netlink.h>
23
24 #include <netlink/socket.h>
25 #include <netlink/netlink.h>
26 #include <netlink/genl/genl.h>
27 #include <netlink/genl/family.h>
28 #include <netlink/genl/ctrl.h>
29
30 #include <mbedtls/base64.h>
31 #include <mbedtls/error.h>
32
33 #include <sys/socket.h>
34
35 #include "../../kselftest.h"
36
37 /* defines to make checkpatch happy */
38 #define strscpy strncpy
39
40 /* libnl < 3.5.0 does not set the NLA_F_NESTED on its own, therefore we
41 * have to explicitly do it to prevent the kernel from failing upon
42 * parsing of the message
43 */
44 #define nla_nest_start(_msg, _type) \
45 nla_nest_start(_msg, (_type) | NLA_F_NESTED)
46
47 /* libnl < 3.11.0 does not implement nla_get_uint() */
ovpn_nla_get_uint(struct nlattr * attr)48 uint64_t ovpn_nla_get_uint(struct nlattr *attr)
49 {
50 if (nla_len(attr) == sizeof(uint32_t))
51 return nla_get_u32(attr);
52 else
53 return nla_get_u64(attr);
54 }
55
56 typedef int (*ovpn_nl_cb)(struct nl_msg *msg, void *arg);
57
58 enum ovpn_key_direction {
59 KEY_DIR_IN = 0,
60 KEY_DIR_OUT,
61 };
62
63 #define KEY_LEN (256 / 8)
64 #define NONCE_LEN 8
65
66 #define PEER_ID_UNDEF 0x00FFFFFF
67 #define MAX_PEERS 10
68
69 struct nl_ctx {
70 struct nl_sock *nl_sock;
71 struct nl_msg *nl_msg;
72 struct nl_cb *nl_cb;
73
74 int ovpn_dco_id;
75 };
76
77 enum ovpn_cmd {
78 CMD_INVALID,
79 CMD_NEW_IFACE,
80 CMD_DEL_IFACE,
81 CMD_LISTEN,
82 CMD_CONNECT,
83 CMD_NEW_PEER,
84 CMD_NEW_MULTI_PEER,
85 CMD_SET_PEER,
86 CMD_DEL_PEER,
87 CMD_GET_PEER,
88 CMD_NEW_KEY,
89 CMD_DEL_KEY,
90 CMD_GET_KEY,
91 CMD_SWAP_KEYS,
92 CMD_LISTEN_MCAST,
93 };
94
95 struct ovpn_ctx {
96 enum ovpn_cmd cmd;
97
98 __u8 key_enc[KEY_LEN];
99 __u8 key_dec[KEY_LEN];
100 __u8 nonce[NONCE_LEN];
101
102 enum ovpn_cipher_alg cipher;
103
104 sa_family_t sa_family;
105
106 unsigned long peer_id;
107 unsigned long lport;
108
109 union {
110 struct sockaddr_in in4;
111 struct sockaddr_in6 in6;
112 } remote;
113
114 union {
115 struct sockaddr_in in4;
116 struct sockaddr_in6 in6;
117 } peer_ip;
118
119 bool peer_ip_set;
120
121 unsigned int ifindex;
122 char ifname[IFNAMSIZ];
123 enum ovpn_mode mode;
124 bool mode_set;
125
126 int socket;
127 int cli_sockets[MAX_PEERS];
128
129 __u32 keepalive_interval;
130 __u32 keepalive_timeout;
131
132 enum ovpn_key_direction key_dir;
133 enum ovpn_key_slot key_slot;
134 int key_id;
135
136 const char *peers_file;
137 };
138
ovpn_nl_recvmsgs(struct nl_ctx * ctx)139 static int ovpn_nl_recvmsgs(struct nl_ctx *ctx)
140 {
141 int ret;
142
143 ret = nl_recvmsgs(ctx->nl_sock, ctx->nl_cb);
144
145 switch (ret) {
146 case -NLE_INTR:
147 fprintf(stderr,
148 "netlink received interrupt due to signal - ignoring\n");
149 break;
150 case -NLE_NOMEM:
151 fprintf(stderr, "netlink out of memory error\n");
152 break;
153 case -NLE_AGAIN:
154 fprintf(stderr,
155 "netlink reports blocking read - aborting wait\n");
156 break;
157 default:
158 if (ret)
159 fprintf(stderr, "netlink reports error (%d): %s\n",
160 ret, nl_geterror(-ret));
161 break;
162 }
163
164 return ret;
165 }
166
nl_ctx_alloc_flags(struct ovpn_ctx * ovpn,int cmd,int flags)167 static struct nl_ctx *nl_ctx_alloc_flags(struct ovpn_ctx *ovpn, int cmd,
168 int flags)
169 {
170 struct nl_ctx *ctx;
171 int err, ret;
172
173 ctx = calloc(1, sizeof(*ctx));
174 if (!ctx)
175 return NULL;
176
177 ctx->nl_sock = nl_socket_alloc();
178 if (!ctx->nl_sock) {
179 fprintf(stderr, "cannot allocate netlink socket\n");
180 goto err_free;
181 }
182
183 nl_socket_set_buffer_size(ctx->nl_sock, 8192, 8192);
184
185 ret = genl_connect(ctx->nl_sock);
186 if (ret) {
187 fprintf(stderr, "cannot connect to generic netlink: %s\n",
188 nl_geterror(ret));
189 goto err_sock;
190 }
191
192 /* enable Extended ACK for detailed error reporting */
193 err = 1;
194 setsockopt(nl_socket_get_fd(ctx->nl_sock), SOL_NETLINK, NETLINK_EXT_ACK,
195 &err, sizeof(err));
196
197 ctx->ovpn_dco_id = genl_ctrl_resolve(ctx->nl_sock, OVPN_FAMILY_NAME);
198 if (ctx->ovpn_dco_id < 0) {
199 fprintf(stderr, "cannot find ovpn_dco netlink component: %d\n",
200 ctx->ovpn_dco_id);
201 goto err_free;
202 }
203
204 ctx->nl_msg = nlmsg_alloc();
205 if (!ctx->nl_msg) {
206 fprintf(stderr, "cannot allocate netlink message\n");
207 goto err_sock;
208 }
209
210 ctx->nl_cb = nl_cb_alloc(NL_CB_DEFAULT);
211 if (!ctx->nl_cb) {
212 fprintf(stderr, "failed to allocate netlink callback\n");
213 goto err_msg;
214 }
215
216 nl_socket_set_cb(ctx->nl_sock, ctx->nl_cb);
217
218 genlmsg_put(ctx->nl_msg, 0, 0, ctx->ovpn_dco_id, 0, flags, cmd, 0);
219
220 if (ovpn->ifindex > 0)
221 NLA_PUT_U32(ctx->nl_msg, OVPN_A_IFINDEX, ovpn->ifindex);
222
223 return ctx;
224 nla_put_failure:
225 err_msg:
226 nlmsg_free(ctx->nl_msg);
227 err_sock:
228 nl_socket_free(ctx->nl_sock);
229 err_free:
230 free(ctx);
231 return NULL;
232 }
233
nl_ctx_alloc(struct ovpn_ctx * ovpn,int cmd)234 static struct nl_ctx *nl_ctx_alloc(struct ovpn_ctx *ovpn, int cmd)
235 {
236 return nl_ctx_alloc_flags(ovpn, cmd, 0);
237 }
238
nl_ctx_free(struct nl_ctx * ctx)239 static void nl_ctx_free(struct nl_ctx *ctx)
240 {
241 if (!ctx)
242 return;
243
244 nl_socket_free(ctx->nl_sock);
245 nlmsg_free(ctx->nl_msg);
246 nl_cb_put(ctx->nl_cb);
247 free(ctx);
248 }
249
ovpn_nl_cb_error(struct sockaddr_nl (* nla)__always_unused,struct nlmsgerr * err,void * arg)250 static int ovpn_nl_cb_error(struct sockaddr_nl (*nla)__always_unused,
251 struct nlmsgerr *err, void *arg)
252 {
253 struct nlmsghdr *nlh = (struct nlmsghdr *)err - 1;
254 struct nlattr *tb_msg[NLMSGERR_ATTR_MAX + 1];
255 int len = nlh->nlmsg_len;
256 struct nlattr *attrs;
257 int *ret = arg;
258 int ack_len = sizeof(*nlh) + sizeof(int) + sizeof(*nlh);
259
260 *ret = err->error;
261
262 if (!(nlh->nlmsg_flags & NLM_F_ACK_TLVS))
263 return NL_STOP;
264
265 if (!(nlh->nlmsg_flags & NLM_F_CAPPED))
266 ack_len += err->msg.nlmsg_len - sizeof(*nlh);
267
268 if (len <= ack_len)
269 return NL_STOP;
270
271 attrs = (void *)((uint8_t *)nlh + ack_len);
272 len -= ack_len;
273
274 nla_parse(tb_msg, NLMSGERR_ATTR_MAX, attrs, len, NULL);
275 if (tb_msg[NLMSGERR_ATTR_MSG]) {
276 len = strnlen((char *)nla_data(tb_msg[NLMSGERR_ATTR_MSG]),
277 nla_len(tb_msg[NLMSGERR_ATTR_MSG]));
278 fprintf(stderr, "kernel error: %*s\n", len,
279 (char *)nla_data(tb_msg[NLMSGERR_ATTR_MSG]));
280 }
281
282 if (tb_msg[NLMSGERR_ATTR_MISS_NEST]) {
283 fprintf(stderr, "missing required nesting type %u\n",
284 nla_get_u32(tb_msg[NLMSGERR_ATTR_MISS_NEST]));
285 }
286
287 if (tb_msg[NLMSGERR_ATTR_MISS_TYPE]) {
288 fprintf(stderr, "missing required attribute type %u\n",
289 nla_get_u32(tb_msg[NLMSGERR_ATTR_MISS_TYPE]));
290 }
291
292 return NL_STOP;
293 }
294
ovpn_nl_cb_finish(struct nl_msg (* msg)__always_unused,void * arg)295 static int ovpn_nl_cb_finish(struct nl_msg (*msg)__always_unused,
296 void *arg)
297 {
298 int *status = arg;
299
300 *status = 0;
301 return NL_SKIP;
302 }
303
ovpn_nl_cb_ack(struct nl_msg (* msg)__always_unused,void * arg)304 static int ovpn_nl_cb_ack(struct nl_msg (*msg)__always_unused,
305 void *arg)
306 {
307 int *status = arg;
308
309 *status = 0;
310 return NL_STOP;
311 }
312
ovpn_nl_msg_send(struct nl_ctx * ctx,ovpn_nl_cb cb)313 static int ovpn_nl_msg_send(struct nl_ctx *ctx, ovpn_nl_cb cb)
314 {
315 int status = 1;
316
317 nl_cb_err(ctx->nl_cb, NL_CB_CUSTOM, ovpn_nl_cb_error, &status);
318 nl_cb_set(ctx->nl_cb, NL_CB_FINISH, NL_CB_CUSTOM, ovpn_nl_cb_finish,
319 &status);
320 nl_cb_set(ctx->nl_cb, NL_CB_ACK, NL_CB_CUSTOM, ovpn_nl_cb_ack, &status);
321
322 if (cb)
323 nl_cb_set(ctx->nl_cb, NL_CB_VALID, NL_CB_CUSTOM, cb, ctx);
324
325 nl_send_auto_complete(ctx->nl_sock, ctx->nl_msg);
326
327 while (status == 1)
328 ovpn_nl_recvmsgs(ctx);
329
330 if (status < 0)
331 fprintf(stderr, "failed to send netlink message: %s (%d)\n",
332 strerror(-status), status);
333
334 return status;
335 }
336
ovpn_parse_key(const char * file,struct ovpn_ctx * ctx)337 static int ovpn_parse_key(const char *file, struct ovpn_ctx *ctx)
338 {
339 int idx_enc, idx_dec, ret = -1;
340 unsigned char *ckey = NULL;
341 __u8 *bkey = NULL;
342 size_t olen = 0;
343 long ckey_len;
344 FILE *fp;
345
346 fp = fopen(file, "r");
347 if (!fp) {
348 fprintf(stderr, "cannot open: %s\n", file);
349 return -1;
350 }
351
352 /* get file size */
353 fseek(fp, 0L, SEEK_END);
354 ckey_len = ftell(fp);
355 rewind(fp);
356
357 /* if the file is longer, let's just read a portion */
358 if (ckey_len > 256)
359 ckey_len = 256;
360
361 ckey = malloc(ckey_len);
362 if (!ckey)
363 goto err;
364
365 ret = fread(ckey, 1, ckey_len, fp);
366 if (ret != ckey_len) {
367 fprintf(stderr,
368 "couldn't read enough data from key file: %dbytes read\n",
369 ret);
370 goto err;
371 }
372
373 olen = 0;
374 ret = mbedtls_base64_decode(NULL, 0, &olen, ckey, ckey_len);
375 if (ret != MBEDTLS_ERR_BASE64_BUFFER_TOO_SMALL) {
376 char buf[256];
377
378 mbedtls_strerror(ret, buf, sizeof(buf));
379 fprintf(stderr, "unexpected base64 error1: %s (%d)\n", buf,
380 ret);
381
382 goto err;
383 }
384
385 bkey = malloc(olen);
386 if (!bkey) {
387 fprintf(stderr, "cannot allocate binary key buffer\n");
388 goto err;
389 }
390
391 ret = mbedtls_base64_decode(bkey, olen, &olen, ckey, ckey_len);
392 if (ret) {
393 char buf[256];
394
395 mbedtls_strerror(ret, buf, sizeof(buf));
396 fprintf(stderr, "unexpected base64 error2: %s (%d)\n", buf,
397 ret);
398
399 goto err;
400 }
401
402 if (olen < 2 * KEY_LEN + NONCE_LEN) {
403 fprintf(stderr,
404 "not enough data in key file, found %zdB but needs %dB\n",
405 olen, 2 * KEY_LEN + NONCE_LEN);
406 goto err;
407 }
408
409 switch (ctx->key_dir) {
410 case KEY_DIR_IN:
411 idx_enc = 0;
412 idx_dec = 1;
413 break;
414 case KEY_DIR_OUT:
415 idx_enc = 1;
416 idx_dec = 0;
417 break;
418 default:
419 goto err;
420 }
421
422 memcpy(ctx->key_enc, bkey + KEY_LEN * idx_enc, KEY_LEN);
423 memcpy(ctx->key_dec, bkey + KEY_LEN * idx_dec, KEY_LEN);
424 memcpy(ctx->nonce, bkey + 2 * KEY_LEN, NONCE_LEN);
425
426 ret = 0;
427
428 err:
429 fclose(fp);
430 free(bkey);
431 free(ckey);
432
433 return ret;
434 }
435
ovpn_parse_cipher(const char * cipher,struct ovpn_ctx * ctx)436 static int ovpn_parse_cipher(const char *cipher, struct ovpn_ctx *ctx)
437 {
438 if (strcmp(cipher, "aes") == 0)
439 ctx->cipher = OVPN_CIPHER_ALG_AES_GCM;
440 else if (strcmp(cipher, "chachapoly") == 0)
441 ctx->cipher = OVPN_CIPHER_ALG_CHACHA20_POLY1305;
442 else if (strcmp(cipher, "none") == 0)
443 ctx->cipher = OVPN_CIPHER_ALG_NONE;
444 else
445 return -ENOTSUP;
446
447 return 0;
448 }
449
ovpn_parse_key_direction(const char * dir,struct ovpn_ctx * ctx)450 static int ovpn_parse_key_direction(const char *dir, struct ovpn_ctx *ctx)
451 {
452 int in_dir;
453
454 in_dir = strtoll(dir, NULL, 10);
455 switch (in_dir) {
456 case KEY_DIR_IN:
457 case KEY_DIR_OUT:
458 ctx->key_dir = in_dir;
459 break;
460 default:
461 fprintf(stderr,
462 "invalid key direction provided. Can be 0 or 1 only\n");
463 return -1;
464 }
465
466 return 0;
467 }
468
ovpn_socket(struct ovpn_ctx * ctx,sa_family_t family,int proto)469 static int ovpn_socket(struct ovpn_ctx *ctx, sa_family_t family, int proto)
470 {
471 struct sockaddr_storage local_sock = { 0 };
472 struct sockaddr_in6 *in6;
473 struct sockaddr_in *in;
474 int ret, s, sock_type;
475 size_t sock_len;
476
477 if (proto == IPPROTO_UDP)
478 sock_type = SOCK_DGRAM;
479 else if (proto == IPPROTO_TCP)
480 sock_type = SOCK_STREAM;
481 else
482 return -EINVAL;
483
484 s = socket(family, sock_type, 0);
485 if (s < 0) {
486 perror("cannot create socket");
487 return -1;
488 }
489
490 switch (family) {
491 case AF_INET:
492 in = (struct sockaddr_in *)&local_sock;
493 in->sin_family = family;
494 in->sin_port = htons(ctx->lport);
495 in->sin_addr.s_addr = htonl(INADDR_ANY);
496 sock_len = sizeof(*in);
497 break;
498 case AF_INET6:
499 in6 = (struct sockaddr_in6 *)&local_sock;
500 in6->sin6_family = family;
501 in6->sin6_port = htons(ctx->lport);
502 in6->sin6_addr = in6addr_any;
503 sock_len = sizeof(*in6);
504 break;
505 default:
506 return -1;
507 }
508
509 int opt = 1;
510
511 ret = setsockopt(s, SOL_SOCKET, SO_REUSEADDR, &opt, sizeof(opt));
512
513 if (ret < 0) {
514 perror("setsockopt for SO_REUSEADDR");
515 return ret;
516 }
517
518 ret = setsockopt(s, SOL_SOCKET, SO_REUSEPORT, &opt, sizeof(opt));
519 if (ret < 0) {
520 perror("setsockopt for SO_REUSEPORT");
521 return ret;
522 }
523
524 if (family == AF_INET6) {
525 opt = 0;
526 if (setsockopt(s, IPPROTO_IPV6, IPV6_V6ONLY, &opt,
527 sizeof(opt))) {
528 perror("failed to set IPV6_V6ONLY");
529 return -1;
530 }
531 }
532
533 ret = bind(s, (struct sockaddr *)&local_sock, sock_len);
534 if (ret < 0) {
535 perror("cannot bind socket");
536 goto err_socket;
537 }
538
539 ctx->socket = s;
540 ctx->sa_family = family;
541 return 0;
542
543 err_socket:
544 close(s);
545 return -1;
546 }
547
ovpn_udp_socket(struct ovpn_ctx * ctx,sa_family_t family)548 static int ovpn_udp_socket(struct ovpn_ctx *ctx, sa_family_t family)
549 {
550 return ovpn_socket(ctx, family, IPPROTO_UDP);
551 }
552
ovpn_listen(struct ovpn_ctx * ctx,sa_family_t family)553 static int ovpn_listen(struct ovpn_ctx *ctx, sa_family_t family)
554 {
555 int ret;
556
557 ret = ovpn_socket(ctx, family, IPPROTO_TCP);
558 if (ret < 0)
559 return ret;
560
561 ret = listen(ctx->socket, 10);
562 if (ret < 0) {
563 perror("listen");
564 close(ctx->socket);
565 return -1;
566 }
567
568 return 0;
569 }
570
ovpn_accept(struct ovpn_ctx * ctx)571 static int ovpn_accept(struct ovpn_ctx *ctx)
572 {
573 socklen_t socklen;
574 int ret;
575
576 socklen = sizeof(ctx->remote);
577 ret = accept(ctx->socket, (struct sockaddr *)&ctx->remote, &socklen);
578 if (ret < 0) {
579 perror("accept");
580 goto err;
581 }
582
583 fprintf(stderr, "Connection received!\n");
584
585 switch (socklen) {
586 case sizeof(struct sockaddr_in):
587 case sizeof(struct sockaddr_in6):
588 break;
589 default:
590 fprintf(stderr, "error: expecting IPv4 or IPv6 connection\n");
591 close(ret);
592 ret = -EINVAL;
593 goto err;
594 }
595
596 return ret;
597 err:
598 close(ctx->socket);
599 return ret;
600 }
601
ovpn_connect(struct ovpn_ctx * ovpn)602 static int ovpn_connect(struct ovpn_ctx *ovpn)
603 {
604 socklen_t socklen;
605 int s, ret;
606
607 s = socket(ovpn->remote.in4.sin_family, SOCK_STREAM, 0);
608 if (s < 0) {
609 perror("cannot create socket");
610 return -1;
611 }
612
613 switch (ovpn->remote.in4.sin_family) {
614 case AF_INET:
615 socklen = sizeof(struct sockaddr_in);
616 break;
617 case AF_INET6:
618 socklen = sizeof(struct sockaddr_in6);
619 break;
620 default:
621 return -EOPNOTSUPP;
622 }
623
624 ret = connect(s, (struct sockaddr *)&ovpn->remote, socklen);
625 if (ret < 0) {
626 perror("connect");
627 goto err;
628 }
629
630 fprintf(stderr, "connected\n");
631
632 ovpn->socket = s;
633
634 return 0;
635 err:
636 close(s);
637 return ret;
638 }
639
ovpn_new_peer(struct ovpn_ctx * ovpn,bool is_tcp)640 static int ovpn_new_peer(struct ovpn_ctx *ovpn, bool is_tcp)
641 {
642 struct nlattr *attr;
643 struct nl_ctx *ctx;
644 int ret = -1;
645
646 ctx = nl_ctx_alloc(ovpn, OVPN_CMD_PEER_NEW);
647 if (!ctx)
648 return -ENOMEM;
649
650 attr = nla_nest_start(ctx->nl_msg, OVPN_A_PEER);
651 NLA_PUT_U32(ctx->nl_msg, OVPN_A_PEER_ID, ovpn->peer_id);
652 NLA_PUT_U32(ctx->nl_msg, OVPN_A_PEER_SOCKET, ovpn->socket);
653
654 if (!is_tcp) {
655 switch (ovpn->remote.in4.sin_family) {
656 case AF_INET:
657 NLA_PUT_U32(ctx->nl_msg, OVPN_A_PEER_REMOTE_IPV4,
658 ovpn->remote.in4.sin_addr.s_addr);
659 NLA_PUT_U16(ctx->nl_msg, OVPN_A_PEER_REMOTE_PORT,
660 ovpn->remote.in4.sin_port);
661 break;
662 case AF_INET6:
663 NLA_PUT(ctx->nl_msg, OVPN_A_PEER_REMOTE_IPV6,
664 sizeof(ovpn->remote.in6.sin6_addr),
665 &ovpn->remote.in6.sin6_addr);
666 NLA_PUT_U32(ctx->nl_msg,
667 OVPN_A_PEER_REMOTE_IPV6_SCOPE_ID,
668 ovpn->remote.in6.sin6_scope_id);
669 NLA_PUT_U16(ctx->nl_msg, OVPN_A_PEER_REMOTE_PORT,
670 ovpn->remote.in6.sin6_port);
671 break;
672 default:
673 fprintf(stderr,
674 "Invalid family for remote socket address\n");
675 goto nla_put_failure;
676 }
677 }
678
679 if (ovpn->peer_ip_set) {
680 switch (ovpn->peer_ip.in4.sin_family) {
681 case AF_INET:
682 NLA_PUT_U32(ctx->nl_msg, OVPN_A_PEER_VPN_IPV4,
683 ovpn->peer_ip.in4.sin_addr.s_addr);
684 break;
685 case AF_INET6:
686 NLA_PUT(ctx->nl_msg, OVPN_A_PEER_VPN_IPV6,
687 sizeof(struct in6_addr),
688 &ovpn->peer_ip.in6.sin6_addr);
689 break;
690 default:
691 fprintf(stderr, "Invalid family for peer address\n");
692 goto nla_put_failure;
693 }
694 }
695
696 nla_nest_end(ctx->nl_msg, attr);
697
698 ret = ovpn_nl_msg_send(ctx, NULL);
699 nla_put_failure:
700 nl_ctx_free(ctx);
701 return ret;
702 }
703
ovpn_set_peer(struct ovpn_ctx * ovpn)704 static int ovpn_set_peer(struct ovpn_ctx *ovpn)
705 {
706 struct nlattr *attr;
707 struct nl_ctx *ctx;
708 int ret = -1;
709
710 ctx = nl_ctx_alloc(ovpn, OVPN_CMD_PEER_SET);
711 if (!ctx)
712 return -ENOMEM;
713
714 attr = nla_nest_start(ctx->nl_msg, OVPN_A_PEER);
715 NLA_PUT_U32(ctx->nl_msg, OVPN_A_PEER_ID, ovpn->peer_id);
716 NLA_PUT_U32(ctx->nl_msg, OVPN_A_PEER_KEEPALIVE_INTERVAL,
717 ovpn->keepalive_interval);
718 NLA_PUT_U32(ctx->nl_msg, OVPN_A_PEER_KEEPALIVE_TIMEOUT,
719 ovpn->keepalive_timeout);
720 nla_nest_end(ctx->nl_msg, attr);
721
722 ret = ovpn_nl_msg_send(ctx, NULL);
723 nla_put_failure:
724 nl_ctx_free(ctx);
725 return ret;
726 }
727
ovpn_del_peer(struct ovpn_ctx * ovpn)728 static int ovpn_del_peer(struct ovpn_ctx *ovpn)
729 {
730 struct nlattr *attr;
731 struct nl_ctx *ctx;
732 int ret = -1;
733
734 ctx = nl_ctx_alloc(ovpn, OVPN_CMD_PEER_DEL);
735 if (!ctx)
736 return -ENOMEM;
737
738 attr = nla_nest_start(ctx->nl_msg, OVPN_A_PEER);
739 NLA_PUT_U32(ctx->nl_msg, OVPN_A_PEER_ID, ovpn->peer_id);
740 nla_nest_end(ctx->nl_msg, attr);
741
742 ret = ovpn_nl_msg_send(ctx, NULL);
743 nla_put_failure:
744 nl_ctx_free(ctx);
745 return ret;
746 }
747
ovpn_handle_peer(struct nl_msg * msg,void (* arg)__always_unused)748 static int ovpn_handle_peer(struct nl_msg *msg, void (*arg)__always_unused)
749 {
750 struct nlattr *pattrs[OVPN_A_PEER_MAX + 1];
751 struct genlmsghdr *gnlh = nlmsg_data(nlmsg_hdr(msg));
752 struct nlattr *attrs[OVPN_A_MAX + 1];
753 __u16 rport = 0, lport = 0;
754
755 nla_parse(attrs, OVPN_A_MAX, genlmsg_attrdata(gnlh, 0),
756 genlmsg_attrlen(gnlh, 0), NULL);
757
758 if (!attrs[OVPN_A_PEER]) {
759 fprintf(stderr, "no packet content in netlink message\n");
760 return NL_SKIP;
761 }
762
763 nla_parse(pattrs, OVPN_A_PEER_MAX, nla_data(attrs[OVPN_A_PEER]),
764 nla_len(attrs[OVPN_A_PEER]), NULL);
765
766 if (pattrs[OVPN_A_PEER_ID])
767 fprintf(stderr, "* Peer %u\n",
768 nla_get_u32(pattrs[OVPN_A_PEER_ID]));
769
770 if (pattrs[OVPN_A_PEER_SOCKET_NETNSID])
771 fprintf(stderr, "\tsocket NetNS ID: %d\n",
772 nla_get_s32(pattrs[OVPN_A_PEER_SOCKET_NETNSID]));
773
774 if (pattrs[OVPN_A_PEER_VPN_IPV4]) {
775 char buf[INET_ADDRSTRLEN];
776
777 inet_ntop(AF_INET, nla_data(pattrs[OVPN_A_PEER_VPN_IPV4]),
778 buf, sizeof(buf));
779 fprintf(stderr, "\tVPN IPv4: %s\n", buf);
780 }
781
782 if (pattrs[OVPN_A_PEER_VPN_IPV6]) {
783 char buf[INET6_ADDRSTRLEN];
784
785 inet_ntop(AF_INET6, nla_data(pattrs[OVPN_A_PEER_VPN_IPV6]),
786 buf, sizeof(buf));
787 fprintf(stderr, "\tVPN IPv6: %s\n", buf);
788 }
789
790 if (pattrs[OVPN_A_PEER_LOCAL_PORT])
791 lport = ntohs(nla_get_u16(pattrs[OVPN_A_PEER_LOCAL_PORT]));
792
793 if (pattrs[OVPN_A_PEER_REMOTE_PORT])
794 rport = ntohs(nla_get_u16(pattrs[OVPN_A_PEER_REMOTE_PORT]));
795
796 if (pattrs[OVPN_A_PEER_REMOTE_IPV6]) {
797 void *ip = pattrs[OVPN_A_PEER_REMOTE_IPV6];
798 char buf[INET6_ADDRSTRLEN];
799 int scope_id = -1;
800
801 if (pattrs[OVPN_A_PEER_REMOTE_IPV6_SCOPE_ID]) {
802 void *p = pattrs[OVPN_A_PEER_REMOTE_IPV6_SCOPE_ID];
803
804 scope_id = nla_get_u32(p);
805 }
806
807 inet_ntop(AF_INET6, nla_data(ip), buf, sizeof(buf));
808 fprintf(stderr, "\tRemote: %s:%hu (scope-id: %u)\n", buf, rport,
809 scope_id);
810
811 if (pattrs[OVPN_A_PEER_LOCAL_IPV6]) {
812 void *ip = pattrs[OVPN_A_PEER_LOCAL_IPV6];
813
814 inet_ntop(AF_INET6, nla_data(ip), buf, sizeof(buf));
815 fprintf(stderr, "\tLocal: %s:%hu\n", buf, lport);
816 }
817 }
818
819 if (pattrs[OVPN_A_PEER_REMOTE_IPV4]) {
820 void *ip = pattrs[OVPN_A_PEER_REMOTE_IPV4];
821 char buf[INET_ADDRSTRLEN];
822
823 inet_ntop(AF_INET, nla_data(ip), buf, sizeof(buf));
824 fprintf(stderr, "\tRemote: %s:%hu\n", buf, rport);
825
826 if (pattrs[OVPN_A_PEER_LOCAL_IPV4]) {
827 void *p = pattrs[OVPN_A_PEER_LOCAL_IPV4];
828
829 inet_ntop(AF_INET, nla_data(p), buf, sizeof(buf));
830 fprintf(stderr, "\tLocal: %s:%hu\n", buf, lport);
831 }
832 }
833
834 if (pattrs[OVPN_A_PEER_KEEPALIVE_INTERVAL]) {
835 void *p = pattrs[OVPN_A_PEER_KEEPALIVE_INTERVAL];
836
837 fprintf(stderr, "\tKeepalive interval: %u sec\n",
838 nla_get_u32(p));
839 }
840
841 if (pattrs[OVPN_A_PEER_KEEPALIVE_TIMEOUT])
842 fprintf(stderr, "\tKeepalive timeout: %u sec\n",
843 nla_get_u32(pattrs[OVPN_A_PEER_KEEPALIVE_TIMEOUT]));
844
845 if (pattrs[OVPN_A_PEER_VPN_RX_BYTES])
846 fprintf(stderr, "\tVPN RX bytes: %" PRIu64 "\n",
847 ovpn_nla_get_uint(pattrs[OVPN_A_PEER_VPN_RX_BYTES]));
848
849 if (pattrs[OVPN_A_PEER_VPN_TX_BYTES])
850 fprintf(stderr, "\tVPN TX bytes: %" PRIu64 "\n",
851 ovpn_nla_get_uint(pattrs[OVPN_A_PEER_VPN_TX_BYTES]));
852
853 if (pattrs[OVPN_A_PEER_VPN_RX_PACKETS])
854 fprintf(stderr, "\tVPN RX packets: %" PRIu64 "\n",
855 ovpn_nla_get_uint(pattrs[OVPN_A_PEER_VPN_RX_PACKETS]));
856
857 if (pattrs[OVPN_A_PEER_VPN_TX_PACKETS])
858 fprintf(stderr, "\tVPN TX packets: %" PRIu64 "\n",
859 ovpn_nla_get_uint(pattrs[OVPN_A_PEER_VPN_TX_PACKETS]));
860
861 if (pattrs[OVPN_A_PEER_LINK_RX_BYTES])
862 fprintf(stderr, "\tLINK RX bytes: %" PRIu64 "\n",
863 ovpn_nla_get_uint(pattrs[OVPN_A_PEER_LINK_RX_BYTES]));
864
865 if (pattrs[OVPN_A_PEER_LINK_TX_BYTES])
866 fprintf(stderr, "\tLINK TX bytes: %" PRIu64 "\n",
867 ovpn_nla_get_uint(pattrs[OVPN_A_PEER_LINK_TX_BYTES]));
868
869 if (pattrs[OVPN_A_PEER_LINK_RX_PACKETS])
870 fprintf(stderr, "\tLINK RX packets: %" PRIu64 "\n",
871 ovpn_nla_get_uint(pattrs[OVPN_A_PEER_LINK_RX_PACKETS]));
872
873 if (pattrs[OVPN_A_PEER_LINK_TX_PACKETS])
874 fprintf(stderr, "\tLINK TX packets: %" PRIu64 "\n",
875 ovpn_nla_get_uint(pattrs[OVPN_A_PEER_LINK_TX_PACKETS]));
876
877 return NL_SKIP;
878 }
879
ovpn_get_peer(struct ovpn_ctx * ovpn)880 static int ovpn_get_peer(struct ovpn_ctx *ovpn)
881 {
882 int flags = 0, ret = -1;
883 struct nlattr *attr;
884 struct nl_ctx *ctx;
885
886 if (ovpn->peer_id == PEER_ID_UNDEF)
887 flags = NLM_F_DUMP;
888
889 ctx = nl_ctx_alloc_flags(ovpn, OVPN_CMD_PEER_GET, flags);
890 if (!ctx)
891 return -ENOMEM;
892
893 if (ovpn->peer_id != PEER_ID_UNDEF) {
894 attr = nla_nest_start(ctx->nl_msg, OVPN_A_PEER);
895 NLA_PUT_U32(ctx->nl_msg, OVPN_A_PEER_ID, ovpn->peer_id);
896 nla_nest_end(ctx->nl_msg, attr);
897 }
898
899 ret = ovpn_nl_msg_send(ctx, ovpn_handle_peer);
900 nla_put_failure:
901 nl_ctx_free(ctx);
902 return ret;
903 }
904
ovpn_new_key(struct ovpn_ctx * ovpn)905 static int ovpn_new_key(struct ovpn_ctx *ovpn)
906 {
907 struct nlattr *keyconf, *key_dir;
908 struct nl_ctx *ctx;
909 int ret = -1;
910
911 ctx = nl_ctx_alloc(ovpn, OVPN_CMD_KEY_NEW);
912 if (!ctx)
913 return -ENOMEM;
914
915 keyconf = nla_nest_start(ctx->nl_msg, OVPN_A_KEYCONF);
916 NLA_PUT_U32(ctx->nl_msg, OVPN_A_KEYCONF_PEER_ID, ovpn->peer_id);
917 NLA_PUT_U32(ctx->nl_msg, OVPN_A_KEYCONF_SLOT, ovpn->key_slot);
918 NLA_PUT_U32(ctx->nl_msg, OVPN_A_KEYCONF_KEY_ID, ovpn->key_id);
919 NLA_PUT_U32(ctx->nl_msg, OVPN_A_KEYCONF_CIPHER_ALG, ovpn->cipher);
920
921 key_dir = nla_nest_start(ctx->nl_msg, OVPN_A_KEYCONF_ENCRYPT_DIR);
922 NLA_PUT(ctx->nl_msg, OVPN_A_KEYDIR_CIPHER_KEY, KEY_LEN, ovpn->key_enc);
923 NLA_PUT(ctx->nl_msg, OVPN_A_KEYDIR_NONCE_TAIL, NONCE_LEN, ovpn->nonce);
924 nla_nest_end(ctx->nl_msg, key_dir);
925
926 key_dir = nla_nest_start(ctx->nl_msg, OVPN_A_KEYCONF_DECRYPT_DIR);
927 NLA_PUT(ctx->nl_msg, OVPN_A_KEYDIR_CIPHER_KEY, KEY_LEN, ovpn->key_dec);
928 NLA_PUT(ctx->nl_msg, OVPN_A_KEYDIR_NONCE_TAIL, NONCE_LEN, ovpn->nonce);
929 nla_nest_end(ctx->nl_msg, key_dir);
930
931 nla_nest_end(ctx->nl_msg, keyconf);
932
933 ret = ovpn_nl_msg_send(ctx, NULL);
934 nla_put_failure:
935 nl_ctx_free(ctx);
936 return ret;
937 }
938
ovpn_del_key(struct ovpn_ctx * ovpn)939 static int ovpn_del_key(struct ovpn_ctx *ovpn)
940 {
941 struct nlattr *keyconf;
942 struct nl_ctx *ctx;
943 int ret = -1;
944
945 ctx = nl_ctx_alloc(ovpn, OVPN_CMD_KEY_DEL);
946 if (!ctx)
947 return -ENOMEM;
948
949 keyconf = nla_nest_start(ctx->nl_msg, OVPN_A_KEYCONF);
950 NLA_PUT_U32(ctx->nl_msg, OVPN_A_KEYCONF_PEER_ID, ovpn->peer_id);
951 NLA_PUT_U32(ctx->nl_msg, OVPN_A_KEYCONF_SLOT, ovpn->key_slot);
952 nla_nest_end(ctx->nl_msg, keyconf);
953
954 ret = ovpn_nl_msg_send(ctx, NULL);
955 nla_put_failure:
956 nl_ctx_free(ctx);
957 return ret;
958 }
959
ovpn_handle_key(struct nl_msg * msg,void (* arg)__always_unused)960 static int ovpn_handle_key(struct nl_msg *msg, void (*arg)__always_unused)
961 {
962 struct nlattr *kattrs[OVPN_A_KEYCONF_MAX + 1];
963 struct genlmsghdr *gnlh = nlmsg_data(nlmsg_hdr(msg));
964 struct nlattr *attrs[OVPN_A_MAX + 1];
965
966 nla_parse(attrs, OVPN_A_MAX, genlmsg_attrdata(gnlh, 0),
967 genlmsg_attrlen(gnlh, 0), NULL);
968
969 if (!attrs[OVPN_A_KEYCONF]) {
970 fprintf(stderr, "no packet content in netlink message\n");
971 return NL_SKIP;
972 }
973
974 nla_parse(kattrs, OVPN_A_KEYCONF_MAX, nla_data(attrs[OVPN_A_KEYCONF]),
975 nla_len(attrs[OVPN_A_KEYCONF]), NULL);
976
977 if (kattrs[OVPN_A_KEYCONF_PEER_ID])
978 fprintf(stderr, "* Peer %u\n",
979 nla_get_u32(kattrs[OVPN_A_KEYCONF_PEER_ID]));
980 if (kattrs[OVPN_A_KEYCONF_SLOT]) {
981 fprintf(stderr, "\t- Slot: ");
982 switch (nla_get_u32(kattrs[OVPN_A_KEYCONF_SLOT])) {
983 case OVPN_KEY_SLOT_PRIMARY:
984 fprintf(stderr, "primary\n");
985 break;
986 case OVPN_KEY_SLOT_SECONDARY:
987 fprintf(stderr, "secondary\n");
988 break;
989 default:
990 fprintf(stderr, "invalid (%u)\n",
991 nla_get_u32(kattrs[OVPN_A_KEYCONF_SLOT]));
992 break;
993 }
994 }
995 if (kattrs[OVPN_A_KEYCONF_KEY_ID])
996 fprintf(stderr, "\t- Key ID: %u\n",
997 nla_get_u32(kattrs[OVPN_A_KEYCONF_KEY_ID]));
998 if (kattrs[OVPN_A_KEYCONF_CIPHER_ALG]) {
999 fprintf(stderr, "\t- Cipher: ");
1000 switch (nla_get_u32(kattrs[OVPN_A_KEYCONF_CIPHER_ALG])) {
1001 case OVPN_CIPHER_ALG_NONE:
1002 fprintf(stderr, "none\n");
1003 break;
1004 case OVPN_CIPHER_ALG_AES_GCM:
1005 fprintf(stderr, "aes-gcm\n");
1006 break;
1007 case OVPN_CIPHER_ALG_CHACHA20_POLY1305:
1008 fprintf(stderr, "chacha20poly1305\n");
1009 break;
1010 default:
1011 fprintf(stderr, "invalid (%u)\n",
1012 nla_get_u32(kattrs[OVPN_A_KEYCONF_CIPHER_ALG]));
1013 break;
1014 }
1015 }
1016
1017 return NL_SKIP;
1018 }
1019
ovpn_get_key(struct ovpn_ctx * ovpn)1020 static int ovpn_get_key(struct ovpn_ctx *ovpn)
1021 {
1022 struct nlattr *keyconf;
1023 struct nl_ctx *ctx;
1024 int ret = -1;
1025
1026 ctx = nl_ctx_alloc(ovpn, OVPN_CMD_KEY_GET);
1027 if (!ctx)
1028 return -ENOMEM;
1029
1030 keyconf = nla_nest_start(ctx->nl_msg, OVPN_A_KEYCONF);
1031 NLA_PUT_U32(ctx->nl_msg, OVPN_A_KEYCONF_PEER_ID, ovpn->peer_id);
1032 NLA_PUT_U32(ctx->nl_msg, OVPN_A_KEYCONF_SLOT, ovpn->key_slot);
1033 nla_nest_end(ctx->nl_msg, keyconf);
1034
1035 ret = ovpn_nl_msg_send(ctx, ovpn_handle_key);
1036 nla_put_failure:
1037 nl_ctx_free(ctx);
1038 return ret;
1039 }
1040
ovpn_swap_keys(struct ovpn_ctx * ovpn)1041 static int ovpn_swap_keys(struct ovpn_ctx *ovpn)
1042 {
1043 struct nl_ctx *ctx;
1044 struct nlattr *kc;
1045 int ret = -1;
1046
1047 ctx = nl_ctx_alloc(ovpn, OVPN_CMD_KEY_SWAP);
1048 if (!ctx)
1049 return -ENOMEM;
1050
1051 kc = nla_nest_start(ctx->nl_msg, OVPN_A_KEYCONF);
1052 NLA_PUT_U32(ctx->nl_msg, OVPN_A_KEYCONF_PEER_ID, ovpn->peer_id);
1053 nla_nest_end(ctx->nl_msg, kc);
1054
1055 ret = ovpn_nl_msg_send(ctx, NULL);
1056 nla_put_failure:
1057 nl_ctx_free(ctx);
1058 return ret;
1059 }
1060
1061 /* Helper function used to easily add attributes to a rtnl message */
ovpn_addattr(struct nlmsghdr * n,int maxlen,int type,const void * data,int alen)1062 static int ovpn_addattr(struct nlmsghdr *n, int maxlen, int type,
1063 const void *data, int alen)
1064 {
1065 int len = RTA_LENGTH(alen);
1066 struct rtattr *rta;
1067
1068 if ((int)(NLMSG_ALIGN(n->nlmsg_len) + RTA_ALIGN(len)) > maxlen) {
1069 fprintf(stderr, "%s: rtnl: message exceeded bound of %d\n",
1070 __func__, maxlen);
1071 return -EMSGSIZE;
1072 }
1073
1074 rta = nlmsg_tail(n);
1075 rta->rta_type = type;
1076 rta->rta_len = len;
1077
1078 if (!data)
1079 memset(RTA_DATA(rta), 0, alen);
1080 else
1081 memcpy(RTA_DATA(rta), data, alen);
1082
1083 n->nlmsg_len = NLMSG_ALIGN(n->nlmsg_len) + RTA_ALIGN(len);
1084
1085 return 0;
1086 }
1087
ovpn_nest_start(struct nlmsghdr * msg,size_t max_size,int attr)1088 static struct rtattr *ovpn_nest_start(struct nlmsghdr *msg, size_t max_size,
1089 int attr)
1090 {
1091 struct rtattr *nest = nlmsg_tail(msg);
1092
1093 if (ovpn_addattr(msg, max_size, attr, NULL, 0) < 0)
1094 return NULL;
1095
1096 return nest;
1097 }
1098
ovpn_nest_end(struct nlmsghdr * msg,struct rtattr * nest)1099 static void ovpn_nest_end(struct nlmsghdr *msg, struct rtattr *nest)
1100 {
1101 nest->rta_len = (uint8_t *)nlmsg_tail(msg) - (uint8_t *)nest;
1102 }
1103
1104 #define RT_SNDBUF_SIZE (1024 * 2)
1105 #define RT_RCVBUF_SIZE (1024 * 4)
1106
1107 /* Open RTNL socket */
ovpn_rt_socket(void)1108 static int ovpn_rt_socket(void)
1109 {
1110 int sndbuf = RT_SNDBUF_SIZE, rcvbuf = RT_RCVBUF_SIZE, fd;
1111
1112 fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE);
1113 if (fd < 0) {
1114 fprintf(stderr, "%s: cannot open netlink socket\n", __func__);
1115 return fd;
1116 }
1117
1118 if (setsockopt(fd, SOL_SOCKET, SO_SNDBUF, &sndbuf,
1119 sizeof(sndbuf)) < 0) {
1120 fprintf(stderr, "%s: SO_SNDBUF\n", __func__);
1121 close(fd);
1122 return -1;
1123 }
1124
1125 if (setsockopt(fd, SOL_SOCKET, SO_RCVBUF, &rcvbuf,
1126 sizeof(rcvbuf)) < 0) {
1127 fprintf(stderr, "%s: SO_RCVBUF\n", __func__);
1128 close(fd);
1129 return -1;
1130 }
1131
1132 return fd;
1133 }
1134
1135 /* Bind socket to Netlink subsystem */
ovpn_rt_bind(int fd,uint32_t groups)1136 static int ovpn_rt_bind(int fd, uint32_t groups)
1137 {
1138 struct sockaddr_nl local = { 0 };
1139 socklen_t addr_len;
1140
1141 local.nl_family = AF_NETLINK;
1142 local.nl_groups = groups;
1143
1144 if (bind(fd, (struct sockaddr *)&local, sizeof(local)) < 0) {
1145 fprintf(stderr, "%s: cannot bind netlink socket: %d\n",
1146 __func__, errno);
1147 return -errno;
1148 }
1149
1150 addr_len = sizeof(local);
1151 if (getsockname(fd, (struct sockaddr *)&local, &addr_len) < 0) {
1152 fprintf(stderr, "%s: cannot getsockname: %d\n", __func__,
1153 errno);
1154 return -errno;
1155 }
1156
1157 if (addr_len != sizeof(local)) {
1158 fprintf(stderr, "%s: wrong address length %d\n", __func__,
1159 addr_len);
1160 return -EINVAL;
1161 }
1162
1163 if (local.nl_family != AF_NETLINK) {
1164 fprintf(stderr, "%s: wrong address family %d\n", __func__,
1165 local.nl_family);
1166 return -EINVAL;
1167 }
1168
1169 return 0;
1170 }
1171
1172 typedef int (*ovpn_parse_reply_cb)(struct nlmsghdr *msg, void *arg);
1173
1174 /* Send Netlink message and run callback on reply (if specified) */
ovpn_rt_send(struct nlmsghdr * payload,pid_t peer,unsigned int groups,ovpn_parse_reply_cb cb,void * arg_cb)1175 static int ovpn_rt_send(struct nlmsghdr *payload, pid_t peer,
1176 unsigned int groups, ovpn_parse_reply_cb cb,
1177 void *arg_cb)
1178 {
1179 int len, rem_len, fd, ret, rcv_len;
1180 struct sockaddr_nl nladdr = { 0 };
1181 struct nlmsgerr *err;
1182 struct nlmsghdr *h;
1183 char buf[1024 * 16];
1184 struct iovec iov = {
1185 .iov_base = payload,
1186 .iov_len = payload->nlmsg_len,
1187 };
1188 struct msghdr nlmsg = {
1189 .msg_name = &nladdr,
1190 .msg_namelen = sizeof(nladdr),
1191 .msg_iov = &iov,
1192 .msg_iovlen = 1,
1193 };
1194
1195 nladdr.nl_family = AF_NETLINK;
1196 nladdr.nl_pid = peer;
1197 nladdr.nl_groups = groups;
1198
1199 payload->nlmsg_seq = time(NULL);
1200
1201 /* no need to send reply */
1202 if (!cb)
1203 payload->nlmsg_flags |= NLM_F_ACK;
1204
1205 fd = ovpn_rt_socket();
1206 if (fd < 0) {
1207 fprintf(stderr, "%s: can't open rtnl socket\n", __func__);
1208 return -errno;
1209 }
1210
1211 ret = ovpn_rt_bind(fd, 0);
1212 if (ret < 0) {
1213 fprintf(stderr, "%s: can't bind rtnl socket\n", __func__);
1214 ret = -errno;
1215 goto out;
1216 }
1217
1218 ret = sendmsg(fd, &nlmsg, 0);
1219 if (ret < 0) {
1220 fprintf(stderr, "%s: rtnl: error on sendmsg()\n", __func__);
1221 ret = -errno;
1222 goto out;
1223 }
1224
1225 /* prepare buffer to store RTNL replies */
1226 memset(buf, 0, sizeof(buf));
1227 iov.iov_base = buf;
1228
1229 while (1) {
1230 /*
1231 * iov_len is modified by recvmsg(), therefore has to be initialized before
1232 * using it again
1233 */
1234 iov.iov_len = sizeof(buf);
1235 rcv_len = recvmsg(fd, &nlmsg, 0);
1236 if (rcv_len < 0) {
1237 if (errno == EINTR || errno == EAGAIN) {
1238 fprintf(stderr, "%s: interrupted call\n",
1239 __func__);
1240 continue;
1241 }
1242 fprintf(stderr, "%s: rtnl: error on recvmsg()\n",
1243 __func__);
1244 ret = -errno;
1245 goto out;
1246 }
1247
1248 if (rcv_len == 0) {
1249 fprintf(stderr,
1250 "%s: rtnl: socket reached unexpected EOF\n",
1251 __func__);
1252 ret = -EIO;
1253 goto out;
1254 }
1255
1256 if (nlmsg.msg_namelen != sizeof(nladdr)) {
1257 fprintf(stderr,
1258 "%s: sender address length: %u (expected %zu)\n",
1259 __func__, nlmsg.msg_namelen, sizeof(nladdr));
1260 ret = -EIO;
1261 goto out;
1262 }
1263
1264 h = (struct nlmsghdr *)buf;
1265 while (rcv_len >= (int)sizeof(*h)) {
1266 len = h->nlmsg_len;
1267 rem_len = len - sizeof(*h);
1268
1269 if (rem_len < 0 || len > rcv_len) {
1270 if (nlmsg.msg_flags & MSG_TRUNC) {
1271 fprintf(stderr, "%s: truncated message\n",
1272 __func__);
1273 ret = -EIO;
1274 goto out;
1275 }
1276 fprintf(stderr, "%s: malformed message: len=%d\n",
1277 __func__, len);
1278 ret = -EIO;
1279 goto out;
1280 }
1281
1282 if (h->nlmsg_type == NLMSG_DONE) {
1283 ret = 0;
1284 goto out;
1285 }
1286
1287 if (h->nlmsg_type == NLMSG_ERROR) {
1288 err = (struct nlmsgerr *)NLMSG_DATA(h);
1289 if (rem_len < (int)sizeof(struct nlmsgerr)) {
1290 fprintf(stderr, "%s: ERROR truncated\n",
1291 __func__);
1292 ret = -EIO;
1293 goto out;
1294 }
1295
1296 if (err->error) {
1297 fprintf(stderr, "%s: (%d) %s\n",
1298 __func__, err->error,
1299 strerror(-err->error));
1300 ret = err->error;
1301 goto out;
1302 }
1303
1304 ret = 0;
1305 if (cb) {
1306 int r = cb(h, arg_cb);
1307
1308 if (r <= 0)
1309 ret = r;
1310 }
1311 goto out;
1312 }
1313
1314 if (cb) {
1315 int r = cb(h, arg_cb);
1316
1317 if (r <= 0) {
1318 ret = r;
1319 goto out;
1320 }
1321 } else {
1322 fprintf(stderr, "%s: RTNL: unexpected reply\n",
1323 __func__);
1324 }
1325
1326 rcv_len -= NLMSG_ALIGN(len);
1327 h = (struct nlmsghdr *)((uint8_t *)h +
1328 NLMSG_ALIGN(len));
1329 }
1330
1331 if (nlmsg.msg_flags & MSG_TRUNC) {
1332 fprintf(stderr, "%s: message truncated\n", __func__);
1333 continue;
1334 }
1335
1336 if (rcv_len) {
1337 fprintf(stderr, "%s: rtnl: %d not parsed bytes\n",
1338 __func__, rcv_len);
1339 ret = -1;
1340 goto out;
1341 }
1342 }
1343 out:
1344 close(fd);
1345
1346 return ret;
1347 }
1348
1349 struct ovpn_link_req {
1350 struct nlmsghdr n;
1351 struct ifinfomsg i;
1352 char buf[256];
1353 };
1354
ovpn_new_iface(struct ovpn_ctx * ovpn)1355 static int ovpn_new_iface(struct ovpn_ctx *ovpn)
1356 {
1357 struct rtattr *linkinfo, *data;
1358 struct ovpn_link_req req = { 0 };
1359 int ret = -1;
1360
1361 fprintf(stdout, "Creating interface %s with mode %u\n", ovpn->ifname,
1362 ovpn->mode);
1363
1364 req.n.nlmsg_len = NLMSG_LENGTH(sizeof(req.i));
1365 req.n.nlmsg_flags = NLM_F_REQUEST | NLM_F_CREATE | NLM_F_EXCL;
1366 req.n.nlmsg_type = RTM_NEWLINK;
1367
1368 if (ovpn_addattr(&req.n, sizeof(req), IFLA_IFNAME, ovpn->ifname,
1369 strlen(ovpn->ifname) + 1) < 0)
1370 goto err;
1371
1372 linkinfo = ovpn_nest_start(&req.n, sizeof(req), IFLA_LINKINFO);
1373 if (!linkinfo)
1374 goto err;
1375
1376 if (ovpn_addattr(&req.n, sizeof(req), IFLA_INFO_KIND, OVPN_FAMILY_NAME,
1377 strlen(OVPN_FAMILY_NAME) + 1) < 0)
1378 goto err;
1379
1380 if (ovpn->mode_set) {
1381 data = ovpn_nest_start(&req.n, sizeof(req), IFLA_INFO_DATA);
1382 if (!data)
1383 goto err;
1384
1385 if (ovpn_addattr(&req.n, sizeof(req), IFLA_OVPN_MODE,
1386 &ovpn->mode, sizeof(uint8_t)) < 0)
1387 goto err;
1388
1389 ovpn_nest_end(&req.n, data);
1390 }
1391
1392 ovpn_nest_end(&req.n, linkinfo);
1393
1394 req.i.ifi_family = AF_PACKET;
1395
1396 ret = ovpn_rt_send(&req.n, 0, 0, NULL, NULL);
1397 err:
1398 return ret;
1399 }
1400
ovpn_del_iface(struct ovpn_ctx * ovpn)1401 static int ovpn_del_iface(struct ovpn_ctx *ovpn)
1402 {
1403 struct ovpn_link_req req = { 0 };
1404
1405 fprintf(stdout, "Deleting interface %s ifindex %u\n", ovpn->ifname,
1406 ovpn->ifindex);
1407
1408 req.n.nlmsg_len = NLMSG_LENGTH(sizeof(req.i));
1409 req.n.nlmsg_flags = NLM_F_REQUEST;
1410 req.n.nlmsg_type = RTM_DELLINK;
1411
1412 req.i.ifi_family = AF_PACKET;
1413 req.i.ifi_index = ovpn->ifindex;
1414
1415 return ovpn_rt_send(&req.n, 0, 0, NULL, NULL);
1416 }
1417
nl_seq_check(struct nl_msg (* msg)__always_unused,void (* arg)__always_unused)1418 static int nl_seq_check(struct nl_msg (*msg)__always_unused,
1419 void (*arg)__always_unused)
1420 {
1421 return NL_OK;
1422 }
1423
1424 struct mcast_handler_args {
1425 const char *group;
1426 int id;
1427 };
1428
mcast_family_handler(struct nl_msg * msg,void * arg)1429 static int mcast_family_handler(struct nl_msg *msg, void *arg)
1430 {
1431 struct mcast_handler_args *grp = arg;
1432 struct nlattr *tb[CTRL_ATTR_MAX + 1];
1433 struct genlmsghdr *gnlh = nlmsg_data(nlmsg_hdr(msg));
1434 struct nlattr *mcgrp;
1435 int rem_mcgrp;
1436
1437 nla_parse(tb, CTRL_ATTR_MAX, genlmsg_attrdata(gnlh, 0),
1438 genlmsg_attrlen(gnlh, 0), NULL);
1439
1440 if (!tb[CTRL_ATTR_MCAST_GROUPS])
1441 return NL_SKIP;
1442
1443 nla_for_each_nested(mcgrp, tb[CTRL_ATTR_MCAST_GROUPS], rem_mcgrp) {
1444 struct nlattr *tb_mcgrp[CTRL_ATTR_MCAST_GRP_MAX + 1];
1445
1446 nla_parse(tb_mcgrp, CTRL_ATTR_MCAST_GRP_MAX,
1447 nla_data(mcgrp), nla_len(mcgrp), NULL);
1448
1449 if (!tb_mcgrp[CTRL_ATTR_MCAST_GRP_NAME] ||
1450 !tb_mcgrp[CTRL_ATTR_MCAST_GRP_ID])
1451 continue;
1452 if (strncmp(nla_data(tb_mcgrp[CTRL_ATTR_MCAST_GRP_NAME]),
1453 grp->group, nla_len(tb_mcgrp[CTRL_ATTR_MCAST_GRP_NAME])))
1454 continue;
1455 grp->id = nla_get_u32(tb_mcgrp[CTRL_ATTR_MCAST_GRP_ID]);
1456 break;
1457 }
1458
1459 return NL_SKIP;
1460 }
1461
mcast_error_handler(struct sockaddr_nl (* nla)__always_unused,struct nlmsgerr * err,void * arg)1462 static int mcast_error_handler(struct sockaddr_nl (*nla)__always_unused,
1463 struct nlmsgerr *err, void *arg)
1464 {
1465 int *ret = arg;
1466
1467 *ret = err->error;
1468 return NL_STOP;
1469 }
1470
mcast_ack_handler(struct nl_msg (* msg)__always_unused,void * arg)1471 static int mcast_ack_handler(struct nl_msg (*msg)__always_unused, void *arg)
1472 {
1473 int *ret = arg;
1474
1475 *ret = 0;
1476 return NL_STOP;
1477 }
1478
ovpn_handle_msg(struct nl_msg * msg,void * arg)1479 static int ovpn_handle_msg(struct nl_msg *msg, void *arg)
1480 {
1481 struct genlmsghdr *gnlh = nlmsg_data(nlmsg_hdr(msg));
1482 struct nlattr *attrs[OVPN_A_MAX + 1];
1483 struct nlmsghdr *nlh = nlmsg_hdr(msg);
1484 char ifname[IF_NAMESIZE];
1485 int *ret = arg;
1486 __u32 ifindex;
1487
1488 fprintf(stderr, "received message from ovpn-dco\n");
1489
1490 *ret = -1;
1491
1492 if (!genlmsg_valid_hdr(nlh, 0)) {
1493 fprintf(stderr, "invalid header\n");
1494 return NL_STOP;
1495 }
1496
1497 if (nla_parse(attrs, OVPN_A_MAX, genlmsg_attrdata(gnlh, 0),
1498 genlmsg_attrlen(gnlh, 0), NULL)) {
1499 fprintf(stderr, "received bogus data from ovpn-dco\n");
1500 return NL_STOP;
1501 }
1502
1503 if (!attrs[OVPN_A_IFINDEX]) {
1504 fprintf(stderr, "no ifindex in this message\n");
1505 return NL_STOP;
1506 }
1507
1508 ifindex = nla_get_u32(attrs[OVPN_A_IFINDEX]);
1509 if (!if_indextoname(ifindex, ifname)) {
1510 fprintf(stderr, "cannot resolve ifname for ifindex: %u\n",
1511 ifindex);
1512 return NL_STOP;
1513 }
1514
1515 switch (gnlh->cmd) {
1516 case OVPN_CMD_PEER_DEL_NTF:
1517 fprintf(stdout, "received CMD_PEER_DEL_NTF\n");
1518 break;
1519 case OVPN_CMD_KEY_SWAP_NTF:
1520 fprintf(stdout, "received CMD_KEY_SWAP_NTF\n");
1521 break;
1522 default:
1523 fprintf(stderr, "received unknown command: %d\n", gnlh->cmd);
1524 return NL_STOP;
1525 }
1526
1527 *ret = 0;
1528 return NL_OK;
1529 }
1530
ovpn_get_mcast_id(struct nl_sock * sock,const char * family,const char * group)1531 static int ovpn_get_mcast_id(struct nl_sock *sock, const char *family,
1532 const char *group)
1533 {
1534 struct nl_msg *msg;
1535 struct nl_cb *cb;
1536 int ret, ctrlid;
1537 struct mcast_handler_args grp = {
1538 .group = group,
1539 .id = -ENOENT,
1540 };
1541
1542 msg = nlmsg_alloc();
1543 if (!msg)
1544 return -ENOMEM;
1545
1546 cb = nl_cb_alloc(NL_CB_DEFAULT);
1547 if (!cb) {
1548 ret = -ENOMEM;
1549 goto out_fail_cb;
1550 }
1551
1552 ctrlid = genl_ctrl_resolve(sock, "nlctrl");
1553
1554 genlmsg_put(msg, 0, 0, ctrlid, 0, 0, CTRL_CMD_GETFAMILY, 0);
1555
1556 ret = -ENOBUFS;
1557 NLA_PUT_STRING(msg, CTRL_ATTR_FAMILY_NAME, family);
1558
1559 ret = nl_send_auto_complete(sock, msg);
1560 if (ret < 0)
1561 goto nla_put_failure;
1562
1563 ret = 1;
1564
1565 nl_cb_err(cb, NL_CB_CUSTOM, mcast_error_handler, &ret);
1566 nl_cb_set(cb, NL_CB_ACK, NL_CB_CUSTOM, mcast_ack_handler, &ret);
1567 nl_cb_set(cb, NL_CB_VALID, NL_CB_CUSTOM, mcast_family_handler, &grp);
1568
1569 while (ret > 0)
1570 nl_recvmsgs(sock, cb);
1571
1572 if (ret == 0)
1573 ret = grp.id;
1574 nla_put_failure:
1575 nl_cb_put(cb);
1576 out_fail_cb:
1577 nlmsg_free(msg);
1578 return ret;
1579 }
1580
ovpn_listen_mcast(void)1581 static int ovpn_listen_mcast(void)
1582 {
1583 struct nl_sock *sock;
1584 struct nl_cb *cb;
1585 int mcid, ret;
1586
1587 sock = nl_socket_alloc();
1588 if (!sock) {
1589 fprintf(stderr, "cannot allocate netlink socket\n");
1590 goto err_free;
1591 }
1592
1593 nl_socket_set_buffer_size(sock, 8192, 8192);
1594
1595 ret = genl_connect(sock);
1596 if (ret < 0) {
1597 fprintf(stderr, "cannot connect to generic netlink: %s\n",
1598 nl_geterror(ret));
1599 goto err_free;
1600 }
1601
1602 mcid = ovpn_get_mcast_id(sock, OVPN_FAMILY_NAME, OVPN_MCGRP_PEERS);
1603 if (mcid < 0) {
1604 fprintf(stderr, "cannot get mcast group: %s\n",
1605 nl_geterror(mcid));
1606 goto err_free;
1607 }
1608
1609 ret = nl_socket_add_membership(sock, mcid);
1610 if (ret) {
1611 fprintf(stderr, "failed to join mcast group: %d\n", ret);
1612 goto err_free;
1613 }
1614
1615 ret = 1;
1616 cb = nl_cb_alloc(NL_CB_DEFAULT);
1617 nl_cb_set(cb, NL_CB_SEQ_CHECK, NL_CB_CUSTOM, nl_seq_check, NULL);
1618 nl_cb_set(cb, NL_CB_VALID, NL_CB_CUSTOM, ovpn_handle_msg, &ret);
1619 nl_cb_err(cb, NL_CB_CUSTOM, ovpn_nl_cb_error, &ret);
1620
1621 while (ret == 1) {
1622 int err = nl_recvmsgs(sock, cb);
1623
1624 if (err < 0) {
1625 fprintf(stderr,
1626 "cannot receive netlink message: (%d) %s\n",
1627 err, nl_geterror(-err));
1628 ret = -1;
1629 break;
1630 }
1631 }
1632
1633 nl_cb_put(cb);
1634 err_free:
1635 nl_socket_free(sock);
1636 return ret;
1637 }
1638
usage(const char * cmd)1639 static void usage(const char *cmd)
1640 {
1641 fprintf(stderr,
1642 "Usage %s <command> <iface> [arguments..]\n",
1643 cmd);
1644 fprintf(stderr, "where <command> can be one of the following\n\n");
1645
1646 fprintf(stderr, "* new_iface <iface> [mode]: create new ovpn interface\n");
1647 fprintf(stderr, "\tiface: ovpn interface name\n");
1648 fprintf(stderr, "\tmode:\n");
1649 fprintf(stderr, "\t\t- P2P for peer-to-peer mode (i.e. client)\n");
1650 fprintf(stderr, "\t\t- MP for multi-peer mode (i.e. server)\n");
1651
1652 fprintf(stderr, "* del_iface <iface>: delete ovpn interface\n");
1653 fprintf(stderr, "\tiface: ovpn interface name\n");
1654
1655 fprintf(stderr,
1656 "* listen <iface> <lport> <peers_file> [ipv6]: listen for incoming peer TCP connections\n");
1657 fprintf(stderr, "\tiface: ovpn interface name\n");
1658 fprintf(stderr, "\tlport: TCP port to listen to\n");
1659 fprintf(stderr,
1660 "\tpeers_file: file containing one peer per line: Line format:\n");
1661 fprintf(stderr, "\t\t<peer_id> <vpnaddr>\n");
1662 fprintf(stderr,
1663 "\tipv6: whether the socket should listen to the IPv6 wildcard address\n");
1664
1665 fprintf(stderr,
1666 "* connect <iface> <peer_id> <raddr> <rport> [key_file]: start connecting peer of TCP-based VPN session\n");
1667 fprintf(stderr, "\tiface: ovpn interface name\n");
1668 fprintf(stderr, "\tpeer_id: peer ID of the connecting peer\n");
1669 fprintf(stderr, "\traddr: peer IP address to connect to\n");
1670 fprintf(stderr, "\trport: peer TCP port to connect to\n");
1671 fprintf(stderr,
1672 "\tkey_file: file containing the symmetric key for encryption\n");
1673
1674 fprintf(stderr,
1675 "* new_peer <iface> <peer_id> <lport> <raddr> <rport> [vpnaddr]: add new peer\n");
1676 fprintf(stderr, "\tiface: ovpn interface name\n");
1677 fprintf(stderr, "\tlport: local UDP port to bind to\n");
1678 fprintf(stderr,
1679 "\tpeer_id: peer ID to be used in data packets to/from this peer\n");
1680 fprintf(stderr, "\traddr: peer IP address\n");
1681 fprintf(stderr, "\trport: peer UDP port\n");
1682 fprintf(stderr, "\tvpnaddr: peer VPN IP\n");
1683
1684 fprintf(stderr,
1685 "* new_multi_peer <iface> <lport> <peers_file>: add multiple peers as listed in the file\n");
1686 fprintf(stderr, "\tiface: ovpn interface name\n");
1687 fprintf(stderr, "\tlport: local UDP port to bind to\n");
1688 fprintf(stderr,
1689 "\tpeers_file: text file containing one peer per line. Line format:\n");
1690 fprintf(stderr, "\t\t<peer_id> <raddr> <rport> <vpnaddr>\n");
1691
1692 fprintf(stderr,
1693 "* set_peer <iface> <peer_id> <keepalive_interval> <keepalive_timeout>: set peer attributes\n");
1694 fprintf(stderr, "\tiface: ovpn interface name\n");
1695 fprintf(stderr, "\tpeer_id: peer ID of the peer to modify\n");
1696 fprintf(stderr,
1697 "\tkeepalive_interval: interval for sending ping messages\n");
1698 fprintf(stderr,
1699 "\tkeepalive_timeout: time after which a peer is timed out\n");
1700
1701 fprintf(stderr, "* del_peer <iface> <peer_id>: delete peer\n");
1702 fprintf(stderr, "\tiface: ovpn interface name\n");
1703 fprintf(stderr, "\tpeer_id: peer ID of the peer to delete\n");
1704
1705 fprintf(stderr, "* get_peer <iface> [peer_id]: retrieve peer(s) status\n");
1706 fprintf(stderr, "\tiface: ovpn interface name\n");
1707 fprintf(stderr,
1708 "\tpeer_id: peer ID of the peer to query. All peers are returned if omitted\n");
1709
1710 fprintf(stderr,
1711 "* new_key <iface> <peer_id> <slot> <key_id> <cipher> <key_dir> <key_file>: set data channel key\n");
1712 fprintf(stderr, "\tiface: ovpn interface name\n");
1713 fprintf(stderr,
1714 "\tpeer_id: peer ID of the peer to configure the key for\n");
1715 fprintf(stderr, "\tslot: either 1 (primary) or 2 (secondary)\n");
1716 fprintf(stderr, "\tkey_id: an ID from 0 to 7\n");
1717 fprintf(stderr,
1718 "\tcipher: cipher to use, supported: aes (AES-GCM), chachapoly (CHACHA20POLY1305)\n");
1719 fprintf(stderr,
1720 "\tkey_dir: key direction, must 0 on one host and 1 on the other\n");
1721 fprintf(stderr, "\tkey_file: file containing the pre-shared key\n");
1722
1723 fprintf(stderr,
1724 "* del_key <iface> <peer_id> [slot]: erase existing data channel key\n");
1725 fprintf(stderr, "\tiface: ovpn interface name\n");
1726 fprintf(stderr, "\tpeer_id: peer ID of the peer to modify\n");
1727 fprintf(stderr, "\tslot: slot to erase. PRIMARY if omitted\n");
1728
1729 fprintf(stderr,
1730 "* get_key <iface> <peer_id> <slot>: retrieve non sensible key data\n");
1731 fprintf(stderr, "\tiface: ovpn interface name\n");
1732 fprintf(stderr, "\tpeer_id: peer ID of the peer to query\n");
1733 fprintf(stderr, "\tslot: either 1 (primary) or 2 (secondary)\n");
1734
1735 fprintf(stderr,
1736 "* swap_keys <iface> <peer_id>: swap content of primary and secondary key slots\n");
1737 fprintf(stderr, "\tiface: ovpn interface name\n");
1738 fprintf(stderr, "\tpeer_id: peer ID of the peer to modify\n");
1739
1740 fprintf(stderr,
1741 "* listen_mcast: listen to ovpn netlink multicast messages\n");
1742 }
1743
ovpn_parse_remote(struct ovpn_ctx * ovpn,const char * host,const char * service,const char * vpnip)1744 static int ovpn_parse_remote(struct ovpn_ctx *ovpn, const char *host,
1745 const char *service, const char *vpnip)
1746 {
1747 int ret;
1748 struct addrinfo *result;
1749 struct addrinfo hints = {
1750 .ai_family = ovpn->sa_family,
1751 .ai_socktype = SOCK_DGRAM,
1752 .ai_protocol = IPPROTO_UDP
1753 };
1754
1755 if (host) {
1756 ret = getaddrinfo(host, service, &hints, &result);
1757 if (ret) {
1758 fprintf(stderr, "getaddrinfo on remote error: %s\n",
1759 gai_strerror(ret));
1760 return -1;
1761 }
1762
1763 if (!(result->ai_family == AF_INET &&
1764 result->ai_addrlen == sizeof(struct sockaddr_in)) &&
1765 !(result->ai_family == AF_INET6 &&
1766 result->ai_addrlen == sizeof(struct sockaddr_in6))) {
1767 ret = -EINVAL;
1768 goto out;
1769 }
1770
1771 memcpy(&ovpn->remote, result->ai_addr, result->ai_addrlen);
1772 }
1773
1774 if (vpnip) {
1775 ret = getaddrinfo(vpnip, NULL, &hints, &result);
1776 if (ret) {
1777 fprintf(stderr, "getaddrinfo on vpnip error: %s\n",
1778 gai_strerror(ret));
1779 return -1;
1780 }
1781
1782 if (!(result->ai_family == AF_INET &&
1783 result->ai_addrlen == sizeof(struct sockaddr_in)) &&
1784 !(result->ai_family == AF_INET6 &&
1785 result->ai_addrlen == sizeof(struct sockaddr_in6))) {
1786 ret = -EINVAL;
1787 goto out;
1788 }
1789
1790 memcpy(&ovpn->peer_ip, result->ai_addr, result->ai_addrlen);
1791 ovpn->sa_family = result->ai_family;
1792
1793 ovpn->peer_ip_set = true;
1794 }
1795
1796 ret = 0;
1797 out:
1798 freeaddrinfo(result);
1799 return ret;
1800 }
1801
ovpn_parse_new_peer(struct ovpn_ctx * ovpn,const char * peer_id,const char * raddr,const char * rport,const char * vpnip)1802 static int ovpn_parse_new_peer(struct ovpn_ctx *ovpn, const char *peer_id,
1803 const char *raddr, const char *rport,
1804 const char *vpnip)
1805 {
1806 ovpn->peer_id = strtoul(peer_id, NULL, 10);
1807 if (errno == ERANGE || ovpn->peer_id > PEER_ID_UNDEF) {
1808 fprintf(stderr, "peer ID value out of range\n");
1809 return -1;
1810 }
1811
1812 return ovpn_parse_remote(ovpn, raddr, rport, vpnip);
1813 }
1814
ovpn_parse_key_slot(const char * arg,struct ovpn_ctx * ovpn)1815 static int ovpn_parse_key_slot(const char *arg, struct ovpn_ctx *ovpn)
1816 {
1817 int slot = strtoul(arg, NULL, 10);
1818
1819 if (errno == ERANGE || slot < 1 || slot > 2) {
1820 fprintf(stderr, "key slot out of range\n");
1821 return -1;
1822 }
1823
1824 switch (slot) {
1825 case 1:
1826 ovpn->key_slot = OVPN_KEY_SLOT_PRIMARY;
1827 break;
1828 case 2:
1829 ovpn->key_slot = OVPN_KEY_SLOT_SECONDARY;
1830 break;
1831 }
1832
1833 return 0;
1834 }
1835
ovpn_send_tcp_data(int socket)1836 static int ovpn_send_tcp_data(int socket)
1837 {
1838 uint16_t len = htons(1000);
1839 uint8_t buf[1002];
1840 int ret;
1841
1842 memcpy(buf, &len, sizeof(len));
1843 memset(buf + sizeof(len), 0x86, sizeof(buf) - sizeof(len));
1844
1845 ret = send(socket, buf, sizeof(buf), MSG_NOSIGNAL);
1846
1847 fprintf(stdout, "Sent %u bytes over TCP socket\n", ret);
1848
1849 return ret > 0 ? 0 : ret;
1850 }
1851
ovpn_recv_tcp_data(int socket)1852 static int ovpn_recv_tcp_data(int socket)
1853 {
1854 uint8_t buf[1002];
1855 uint16_t len;
1856 int ret;
1857
1858 ret = recv(socket, buf, sizeof(buf), MSG_NOSIGNAL);
1859
1860 if (ret < 2) {
1861 fprintf(stderr, ">>>> Error while reading TCP data: %d\n", ret);
1862 return ret;
1863 }
1864
1865 memcpy(&len, buf, sizeof(len));
1866 len = ntohs(len);
1867
1868 fprintf(stdout, ">>>> Received %u bytes over TCP socket, header: %u\n",
1869 ret, len);
1870
1871 return 0;
1872 }
1873
ovpn_parse_cmd(const char * cmd)1874 static enum ovpn_cmd ovpn_parse_cmd(const char *cmd)
1875 {
1876 if (!strcmp(cmd, "new_iface"))
1877 return CMD_NEW_IFACE;
1878
1879 if (!strcmp(cmd, "del_iface"))
1880 return CMD_DEL_IFACE;
1881
1882 if (!strcmp(cmd, "listen"))
1883 return CMD_LISTEN;
1884
1885 if (!strcmp(cmd, "connect"))
1886 return CMD_CONNECT;
1887
1888 if (!strcmp(cmd, "new_peer"))
1889 return CMD_NEW_PEER;
1890
1891 if (!strcmp(cmd, "new_multi_peer"))
1892 return CMD_NEW_MULTI_PEER;
1893
1894 if (!strcmp(cmd, "set_peer"))
1895 return CMD_SET_PEER;
1896
1897 if (!strcmp(cmd, "del_peer"))
1898 return CMD_DEL_PEER;
1899
1900 if (!strcmp(cmd, "get_peer"))
1901 return CMD_GET_PEER;
1902
1903 if (!strcmp(cmd, "new_key"))
1904 return CMD_NEW_KEY;
1905
1906 if (!strcmp(cmd, "del_key"))
1907 return CMD_DEL_KEY;
1908
1909 if (!strcmp(cmd, "get_key"))
1910 return CMD_GET_KEY;
1911
1912 if (!strcmp(cmd, "swap_keys"))
1913 return CMD_SWAP_KEYS;
1914
1915 if (!strcmp(cmd, "listen_mcast"))
1916 return CMD_LISTEN_MCAST;
1917
1918 return CMD_INVALID;
1919 }
1920
1921 /* Send process to background and waits for signal.
1922 *
1923 * This helper is called at the end of commands
1924 * creating sockets, so that the latter stay alive
1925 * along with the process that created them.
1926 *
1927 * A signal is expected to be delivered in order to
1928 * terminate the waiting processes
1929 */
ovpn_waitbg(void)1930 static void ovpn_waitbg(void)
1931 {
1932 daemon(1, 1);
1933 pause();
1934 }
1935
ovpn_run_cmd(struct ovpn_ctx * ovpn)1936 static int ovpn_run_cmd(struct ovpn_ctx *ovpn)
1937 {
1938 char peer_id[10], vpnip[INET6_ADDRSTRLEN], laddr[128], lport[10];
1939 char raddr[128], rport[10];
1940 int n, ret;
1941 FILE *fp;
1942
1943 switch (ovpn->cmd) {
1944 case CMD_NEW_IFACE:
1945 ret = ovpn_new_iface(ovpn);
1946 break;
1947 case CMD_DEL_IFACE:
1948 ret = ovpn_del_iface(ovpn);
1949 break;
1950 case CMD_LISTEN:
1951 ret = ovpn_listen(ovpn, ovpn->sa_family);
1952 if (ret < 0) {
1953 fprintf(stderr, "cannot listen on TCP socket\n");
1954 return ret;
1955 }
1956
1957 fp = fopen(ovpn->peers_file, "r");
1958 if (!fp) {
1959 fprintf(stderr, "cannot open file: %s\n",
1960 ovpn->peers_file);
1961 return -1;
1962 }
1963
1964 int num_peers = 0;
1965
1966 while ((n = fscanf(fp, "%s %s\n", peer_id, vpnip)) == 2) {
1967 struct ovpn_ctx peer_ctx = { 0 };
1968
1969 if (num_peers == MAX_PEERS) {
1970 fprintf(stderr, "max peers reached!\n");
1971 return -E2BIG;
1972 }
1973
1974 peer_ctx.ifindex = ovpn->ifindex;
1975 peer_ctx.sa_family = ovpn->sa_family;
1976
1977 peer_ctx.socket = ovpn_accept(ovpn);
1978 if (peer_ctx.socket < 0) {
1979 fprintf(stderr, "cannot accept connection!\n");
1980 return -1;
1981 }
1982
1983 /* store peer sockets to test TCP I/O */
1984 ovpn->cli_sockets[num_peers] = peer_ctx.socket;
1985
1986 ret = ovpn_parse_new_peer(&peer_ctx, peer_id, NULL,
1987 NULL, vpnip);
1988 if (ret < 0) {
1989 fprintf(stderr, "error while parsing line\n");
1990 return -1;
1991 }
1992
1993 ret = ovpn_new_peer(&peer_ctx, true);
1994 if (ret < 0) {
1995 fprintf(stderr,
1996 "cannot add peer to VPN: %s %s\n",
1997 peer_id, vpnip);
1998 return ret;
1999 }
2000 num_peers++;
2001 }
2002
2003 for (int i = 0; i < num_peers; i++) {
2004 ret = ovpn_recv_tcp_data(ovpn->cli_sockets[i]);
2005 if (ret < 0)
2006 break;
2007 }
2008 ovpn_waitbg();
2009 break;
2010 case CMD_CONNECT:
2011 ret = ovpn_connect(ovpn);
2012 if (ret < 0) {
2013 fprintf(stderr, "cannot connect TCP socket\n");
2014 return ret;
2015 }
2016
2017 ret = ovpn_new_peer(ovpn, true);
2018 if (ret < 0) {
2019 fprintf(stderr, "cannot add peer to VPN\n");
2020 close(ovpn->socket);
2021 return ret;
2022 }
2023
2024 if (ovpn->cipher != OVPN_CIPHER_ALG_NONE) {
2025 ret = ovpn_new_key(ovpn);
2026 if (ret < 0) {
2027 fprintf(stderr, "cannot set key\n");
2028 return ret;
2029 }
2030 }
2031
2032 ret = ovpn_send_tcp_data(ovpn->socket);
2033 ovpn_waitbg();
2034 break;
2035 case CMD_NEW_PEER:
2036 ret = ovpn_udp_socket(ovpn, AF_INET6);
2037 if (ret < 0)
2038 return ret;
2039
2040 ret = ovpn_new_peer(ovpn, false);
2041 ovpn_waitbg();
2042 break;
2043 case CMD_NEW_MULTI_PEER:
2044 ret = ovpn_udp_socket(ovpn, AF_INET6);
2045 if (ret < 0)
2046 return ret;
2047
2048 fp = fopen(ovpn->peers_file, "r");
2049 if (!fp) {
2050 fprintf(stderr, "cannot open file: %s\n",
2051 ovpn->peers_file);
2052 return -1;
2053 }
2054
2055 while ((n = fscanf(fp, "%s %s %s %s %s %s\n", peer_id, laddr,
2056 lport, raddr, rport, vpnip)) == 6) {
2057 struct ovpn_ctx peer_ctx = { 0 };
2058
2059 peer_ctx.ifindex = ovpn->ifindex;
2060 peer_ctx.socket = ovpn->socket;
2061 peer_ctx.sa_family = AF_UNSPEC;
2062
2063 ret = ovpn_parse_new_peer(&peer_ctx, peer_id, raddr,
2064 rport, vpnip);
2065 if (ret < 0) {
2066 fprintf(stderr, "error while parsing line\n");
2067 return -1;
2068 }
2069
2070 ret = ovpn_new_peer(&peer_ctx, false);
2071 if (ret < 0) {
2072 fprintf(stderr,
2073 "cannot add peer to VPN: %s %s %s %s\n",
2074 peer_id, raddr, rport, vpnip);
2075 return ret;
2076 }
2077 }
2078 ovpn_waitbg();
2079 break;
2080 case CMD_SET_PEER:
2081 ret = ovpn_set_peer(ovpn);
2082 break;
2083 case CMD_DEL_PEER:
2084 ret = ovpn_del_peer(ovpn);
2085 break;
2086 case CMD_GET_PEER:
2087 if (ovpn->peer_id == PEER_ID_UNDEF)
2088 fprintf(stderr, "List of peers connected to: %s\n",
2089 ovpn->ifname);
2090
2091 ret = ovpn_get_peer(ovpn);
2092 break;
2093 case CMD_NEW_KEY:
2094 ret = ovpn_new_key(ovpn);
2095 break;
2096 case CMD_DEL_KEY:
2097 ret = ovpn_del_key(ovpn);
2098 break;
2099 case CMD_GET_KEY:
2100 ret = ovpn_get_key(ovpn);
2101 break;
2102 case CMD_SWAP_KEYS:
2103 ret = ovpn_swap_keys(ovpn);
2104 break;
2105 case CMD_LISTEN_MCAST:
2106 ret = ovpn_listen_mcast();
2107 break;
2108 case CMD_INVALID:
2109 break;
2110 }
2111
2112 return ret;
2113 }
2114
ovpn_parse_cmd_args(struct ovpn_ctx * ovpn,int argc,char * argv[])2115 static int ovpn_parse_cmd_args(struct ovpn_ctx *ovpn, int argc, char *argv[])
2116 {
2117 int ret;
2118
2119 /* no args required for LISTEN_MCAST */
2120 if (ovpn->cmd == CMD_LISTEN_MCAST)
2121 return 0;
2122
2123 /* all commands need an ifname */
2124 if (argc < 3)
2125 return -EINVAL;
2126
2127 strscpy(ovpn->ifname, argv[2], IFNAMSIZ - 1);
2128 ovpn->ifname[IFNAMSIZ - 1] = '\0';
2129
2130 /* all commands, except NEW_IFNAME, needs an ifindex */
2131 if (ovpn->cmd != CMD_NEW_IFACE) {
2132 ovpn->ifindex = if_nametoindex(ovpn->ifname);
2133 if (!ovpn->ifindex) {
2134 fprintf(stderr, "cannot find interface: %s\n",
2135 strerror(errno));
2136 return -1;
2137 }
2138 }
2139
2140 switch (ovpn->cmd) {
2141 case CMD_NEW_IFACE:
2142 if (argc < 4)
2143 break;
2144
2145 if (!strcmp(argv[3], "P2P")) {
2146 ovpn->mode = OVPN_MODE_P2P;
2147 } else if (!strcmp(argv[3], "MP")) {
2148 ovpn->mode = OVPN_MODE_MP;
2149 } else {
2150 fprintf(stderr, "Cannot parse iface mode: %s\n",
2151 argv[3]);
2152 return -1;
2153 }
2154 ovpn->mode_set = true;
2155 break;
2156 case CMD_DEL_IFACE:
2157 break;
2158 case CMD_LISTEN:
2159 if (argc < 5)
2160 return -EINVAL;
2161
2162 ovpn->lport = strtoul(argv[3], NULL, 10);
2163 if (errno == ERANGE || ovpn->lport > 65535) {
2164 fprintf(stderr, "lport value out of range\n");
2165 return -1;
2166 }
2167
2168 ovpn->peers_file = argv[4];
2169
2170 ovpn->sa_family = AF_INET;
2171 if (argc > 5 && !strcmp(argv[5], "ipv6"))
2172 ovpn->sa_family = AF_INET6;
2173 break;
2174 case CMD_CONNECT:
2175 if (argc < 6)
2176 return -EINVAL;
2177
2178 ovpn->sa_family = AF_INET;
2179
2180 ret = ovpn_parse_new_peer(ovpn, argv[3], argv[4], argv[5],
2181 NULL);
2182 if (ret < 0) {
2183 fprintf(stderr, "Cannot parse remote peer data\n");
2184 return -1;
2185 }
2186
2187 if (argc > 6) {
2188 ovpn->key_slot = OVPN_KEY_SLOT_PRIMARY;
2189 ovpn->key_id = 0;
2190 ovpn->cipher = OVPN_CIPHER_ALG_AES_GCM;
2191 ovpn->key_dir = KEY_DIR_OUT;
2192
2193 ret = ovpn_parse_key(argv[6], ovpn);
2194 if (ret)
2195 return -1;
2196 }
2197 break;
2198 case CMD_NEW_PEER:
2199 if (argc < 7)
2200 return -EINVAL;
2201
2202 ovpn->lport = strtoul(argv[4], NULL, 10);
2203 if (errno == ERANGE || ovpn->lport > 65535) {
2204 fprintf(stderr, "lport value out of range\n");
2205 return -1;
2206 }
2207
2208 const char *vpnip = (argc > 7) ? argv[7] : NULL;
2209
2210 ret = ovpn_parse_new_peer(ovpn, argv[3], argv[5], argv[6],
2211 vpnip);
2212 if (ret < 0)
2213 return -1;
2214 break;
2215 case CMD_NEW_MULTI_PEER:
2216 if (argc < 5)
2217 return -EINVAL;
2218
2219 ovpn->lport = strtoul(argv[3], NULL, 10);
2220 if (errno == ERANGE || ovpn->lport > 65535) {
2221 fprintf(stderr, "lport value out of range\n");
2222 return -1;
2223 }
2224
2225 ovpn->peers_file = argv[4];
2226 break;
2227 case CMD_SET_PEER:
2228 if (argc < 6)
2229 return -EINVAL;
2230
2231 ovpn->peer_id = strtoul(argv[3], NULL, 10);
2232 if (errno == ERANGE || ovpn->peer_id > PEER_ID_UNDEF) {
2233 fprintf(stderr, "peer ID value out of range\n");
2234 return -1;
2235 }
2236
2237 ovpn->keepalive_interval = strtoul(argv[4], NULL, 10);
2238 if (errno == ERANGE) {
2239 fprintf(stderr,
2240 "keepalive interval value out of range\n");
2241 return -1;
2242 }
2243
2244 ovpn->keepalive_timeout = strtoul(argv[5], NULL, 10);
2245 if (errno == ERANGE) {
2246 fprintf(stderr,
2247 "keepalive interval value out of range\n");
2248 return -1;
2249 }
2250 break;
2251 case CMD_DEL_PEER:
2252 if (argc < 4)
2253 return -EINVAL;
2254
2255 ovpn->peer_id = strtoul(argv[3], NULL, 10);
2256 if (errno == ERANGE || ovpn->peer_id > PEER_ID_UNDEF) {
2257 fprintf(stderr, "peer ID value out of range\n");
2258 return -1;
2259 }
2260 break;
2261 case CMD_GET_PEER:
2262 ovpn->peer_id = PEER_ID_UNDEF;
2263 if (argc > 3) {
2264 ovpn->peer_id = strtoul(argv[3], NULL, 10);
2265 if (errno == ERANGE || ovpn->peer_id > PEER_ID_UNDEF) {
2266 fprintf(stderr, "peer ID value out of range\n");
2267 return -1;
2268 }
2269 }
2270 break;
2271 case CMD_NEW_KEY:
2272 if (argc < 9)
2273 return -EINVAL;
2274
2275 ovpn->peer_id = strtoul(argv[3], NULL, 10);
2276 if (errno == ERANGE) {
2277 fprintf(stderr, "peer ID value out of range\n");
2278 return -1;
2279 }
2280
2281 ret = ovpn_parse_key_slot(argv[4], ovpn);
2282 if (ret)
2283 return -1;
2284
2285 ovpn->key_id = strtoul(argv[5], NULL, 10);
2286 if (errno == ERANGE || ovpn->key_id > 2) {
2287 fprintf(stderr, "key ID out of range\n");
2288 return -1;
2289 }
2290
2291 ret = ovpn_parse_cipher(argv[6], ovpn);
2292 if (ret < 0)
2293 return -1;
2294
2295 ret = ovpn_parse_key_direction(argv[7], ovpn);
2296 if (ret < 0)
2297 return -1;
2298
2299 ret = ovpn_parse_key(argv[8], ovpn);
2300 if (ret)
2301 return -1;
2302 break;
2303 case CMD_DEL_KEY:
2304 if (argc < 4)
2305 return -EINVAL;
2306
2307 ovpn->peer_id = strtoul(argv[3], NULL, 10);
2308 if (errno == ERANGE) {
2309 fprintf(stderr, "peer ID value out of range\n");
2310 return -1;
2311 }
2312
2313 ret = ovpn_parse_key_slot(argv[4], ovpn);
2314 if (ret)
2315 return ret;
2316 break;
2317 case CMD_GET_KEY:
2318 if (argc < 5)
2319 return -EINVAL;
2320
2321 ovpn->peer_id = strtoul(argv[3], NULL, 10);
2322 if (errno == ERANGE) {
2323 fprintf(stderr, "peer ID value out of range\n");
2324 return -1;
2325 }
2326
2327 ret = ovpn_parse_key_slot(argv[4], ovpn);
2328 if (ret)
2329 return ret;
2330 break;
2331 case CMD_SWAP_KEYS:
2332 if (argc < 4)
2333 return -EINVAL;
2334
2335 ovpn->peer_id = strtoul(argv[3], NULL, 10);
2336 if (errno == ERANGE) {
2337 fprintf(stderr, "peer ID value out of range\n");
2338 return -1;
2339 }
2340 break;
2341 case CMD_LISTEN_MCAST:
2342 break;
2343 case CMD_INVALID:
2344 break;
2345 }
2346
2347 return 0;
2348 }
2349
main(int argc,char * argv[])2350 int main(int argc, char *argv[])
2351 {
2352 struct ovpn_ctx ovpn;
2353 int ret;
2354
2355 if (argc < 2) {
2356 usage(argv[0]);
2357 return -1;
2358 }
2359
2360 memset(&ovpn, 0, sizeof(ovpn));
2361 ovpn.sa_family = AF_UNSPEC;
2362 ovpn.cipher = OVPN_CIPHER_ALG_NONE;
2363
2364 ovpn.cmd = ovpn_parse_cmd(argv[1]);
2365 if (ovpn.cmd == CMD_INVALID) {
2366 fprintf(stderr, "Error: unknown command.\n\n");
2367 usage(argv[0]);
2368 return -1;
2369 }
2370
2371 ret = ovpn_parse_cmd_args(&ovpn, argc, argv);
2372 if (ret < 0) {
2373 fprintf(stderr, "Error: invalid arguments.\n\n");
2374 if (ret == -EINVAL)
2375 usage(argv[0]);
2376 return ret;
2377 }
2378
2379 ret = ovpn_run_cmd(&ovpn);
2380 if (ret)
2381 fprintf(stderr, "Cannot execute command: %s (%d)\n",
2382 strerror(-ret), ret);
2383
2384 return ret;
2385 }
2386