1 // SPDX-License-Identifier: GPL-2.0
2 /* OpenVPN data channel offload
3 *
4 * Copyright (C) 2020-2025 OpenVPN, Inc.
5 *
6 * Author: Antonio Quartulli <antonio@openvpn.net>
7 */
8
9 #include <linux/netdevice.h>
10 #include <linux/types.h>
11 #include <net/genetlink.h>
12
13 #include <uapi/linux/ovpn.h>
14
15 #include "ovpnpriv.h"
16 #include "main.h"
17 #include "netlink.h"
18 #include "netlink-gen.h"
19 #include "bind.h"
20 #include "crypto.h"
21 #include "peer.h"
22 #include "socket.h"
23
24 MODULE_ALIAS_GENL_FAMILY(OVPN_FAMILY_NAME);
25
26 /**
27 * ovpn_get_dev_from_attrs - retrieve the ovpn private data from the netdevice
28 * a netlink message is targeting
29 * @net: network namespace where to look for the interface
30 * @info: generic netlink info from the user request
31 * @tracker: tracker object to be used for the netdev reference acquisition
32 *
33 * Return: the ovpn private data, if found, or an error otherwise
34 */
35 static struct ovpn_priv *
ovpn_get_dev_from_attrs(struct net * net,const struct genl_info * info,netdevice_tracker * tracker)36 ovpn_get_dev_from_attrs(struct net *net, const struct genl_info *info,
37 netdevice_tracker *tracker)
38 {
39 struct ovpn_priv *ovpn;
40 struct net_device *dev;
41 int ifindex;
42
43 if (GENL_REQ_ATTR_CHECK(info, OVPN_A_IFINDEX))
44 return ERR_PTR(-EINVAL);
45
46 ifindex = nla_get_u32(info->attrs[OVPN_A_IFINDEX]);
47
48 rcu_read_lock();
49 dev = dev_get_by_index_rcu(net, ifindex);
50 if (!dev) {
51 rcu_read_unlock();
52 NL_SET_ERR_MSG_MOD(info->extack,
53 "ifindex does not match any interface");
54 return ERR_PTR(-ENODEV);
55 }
56
57 if (!ovpn_dev_is_valid(dev)) {
58 rcu_read_unlock();
59 NL_SET_ERR_MSG_MOD(info->extack,
60 "specified interface is not ovpn");
61 NL_SET_BAD_ATTR(info->extack, info->attrs[OVPN_A_IFINDEX]);
62 return ERR_PTR(-EINVAL);
63 }
64
65 ovpn = netdev_priv(dev);
66 netdev_hold(dev, tracker, GFP_ATOMIC);
67 rcu_read_unlock();
68
69 return ovpn;
70 }
71
ovpn_nl_pre_doit(const struct genl_split_ops * ops,struct sk_buff * skb,struct genl_info * info)72 int ovpn_nl_pre_doit(const struct genl_split_ops *ops, struct sk_buff *skb,
73 struct genl_info *info)
74 {
75 netdevice_tracker *tracker = (netdevice_tracker *)&info->user_ptr[1];
76 struct ovpn_priv *ovpn = ovpn_get_dev_from_attrs(genl_info_net(info),
77 info, tracker);
78
79 if (IS_ERR(ovpn))
80 return PTR_ERR(ovpn);
81
82 info->user_ptr[0] = ovpn;
83
84 return 0;
85 }
86
ovpn_nl_post_doit(const struct genl_split_ops * ops,struct sk_buff * skb,struct genl_info * info)87 void ovpn_nl_post_doit(const struct genl_split_ops *ops, struct sk_buff *skb,
88 struct genl_info *info)
89 {
90 netdevice_tracker *tracker = (netdevice_tracker *)&info->user_ptr[1];
91 struct ovpn_priv *ovpn = info->user_ptr[0];
92
93 if (ovpn)
94 netdev_put(ovpn->dev, tracker);
95 }
96
ovpn_nl_attr_sockaddr_remote(struct nlattr ** attrs,struct sockaddr_storage * ss)97 static bool ovpn_nl_attr_sockaddr_remote(struct nlattr **attrs,
98 struct sockaddr_storage *ss)
99 {
100 struct sockaddr_in6 *sin6;
101 struct sockaddr_in *sin;
102 struct in6_addr *in6;
103 __be16 port = 0;
104 __be32 *in;
105
106 ss->ss_family = AF_UNSPEC;
107
108 if (attrs[OVPN_A_PEER_REMOTE_PORT])
109 port = nla_get_be16(attrs[OVPN_A_PEER_REMOTE_PORT]);
110
111 if (attrs[OVPN_A_PEER_REMOTE_IPV4]) {
112 ss->ss_family = AF_INET;
113 in = nla_data(attrs[OVPN_A_PEER_REMOTE_IPV4]);
114 } else if (attrs[OVPN_A_PEER_REMOTE_IPV6]) {
115 ss->ss_family = AF_INET6;
116 in6 = nla_data(attrs[OVPN_A_PEER_REMOTE_IPV6]);
117 } else {
118 return false;
119 }
120
121 switch (ss->ss_family) {
122 case AF_INET6:
123 /* If this is a regular IPv6 just break and move on,
124 * otherwise switch to AF_INET and extract the IPv4 accordingly
125 */
126 if (!ipv6_addr_v4mapped(in6)) {
127 sin6 = (struct sockaddr_in6 *)ss;
128 sin6->sin6_port = port;
129 memcpy(&sin6->sin6_addr, in6, sizeof(*in6));
130 break;
131 }
132
133 /* v4-mapped-v6 address */
134 ss->ss_family = AF_INET;
135 in = &in6->s6_addr32[3];
136 fallthrough;
137 case AF_INET:
138 sin = (struct sockaddr_in *)ss;
139 sin->sin_port = port;
140 sin->sin_addr.s_addr = *in;
141 break;
142 }
143
144 return true;
145 }
146
ovpn_nl_attr_local_ip(struct nlattr ** attrs)147 static u8 *ovpn_nl_attr_local_ip(struct nlattr **attrs)
148 {
149 u8 *addr6;
150
151 if (!attrs[OVPN_A_PEER_LOCAL_IPV4] && !attrs[OVPN_A_PEER_LOCAL_IPV6])
152 return NULL;
153
154 if (attrs[OVPN_A_PEER_LOCAL_IPV4])
155 return nla_data(attrs[OVPN_A_PEER_LOCAL_IPV4]);
156
157 addr6 = nla_data(attrs[OVPN_A_PEER_LOCAL_IPV6]);
158 /* this is an IPv4-mapped IPv6 address, therefore extract the actual
159 * v4 address from the last 4 bytes
160 */
161 if (ipv6_addr_v4mapped((struct in6_addr *)addr6))
162 return addr6 + 12;
163
164 return addr6;
165 }
166
ovpn_nl_family_get(struct nlattr * addr4,struct nlattr * addr6)167 static sa_family_t ovpn_nl_family_get(struct nlattr *addr4,
168 struct nlattr *addr6)
169 {
170 if (addr4)
171 return AF_INET;
172
173 if (addr6) {
174 if (ipv6_addr_v4mapped((struct in6_addr *)nla_data(addr6)))
175 return AF_INET;
176 return AF_INET6;
177 }
178
179 return AF_UNSPEC;
180 }
181
ovpn_nl_peer_precheck(struct ovpn_priv * ovpn,struct genl_info * info,struct nlattr ** attrs)182 static int ovpn_nl_peer_precheck(struct ovpn_priv *ovpn,
183 struct genl_info *info,
184 struct nlattr **attrs)
185 {
186 sa_family_t local_fam, remote_fam;
187
188 if (NL_REQ_ATTR_CHECK(info->extack, info->attrs[OVPN_A_PEER], attrs,
189 OVPN_A_PEER_ID))
190 return -EINVAL;
191
192 if (attrs[OVPN_A_PEER_REMOTE_IPV4] && attrs[OVPN_A_PEER_REMOTE_IPV6]) {
193 NL_SET_ERR_MSG_MOD(info->extack,
194 "cannot specify both remote IPv4 or IPv6 address");
195 return -EINVAL;
196 }
197
198 if (!attrs[OVPN_A_PEER_REMOTE_IPV4] &&
199 !attrs[OVPN_A_PEER_REMOTE_IPV6] && attrs[OVPN_A_PEER_REMOTE_PORT]) {
200 NL_SET_ERR_MSG_MOD(info->extack,
201 "cannot specify remote port without IP address");
202 return -EINVAL;
203 }
204
205 if ((attrs[OVPN_A_PEER_REMOTE_IPV4] ||
206 attrs[OVPN_A_PEER_REMOTE_IPV6]) &&
207 !attrs[OVPN_A_PEER_REMOTE_PORT]) {
208 NL_SET_ERR_MSG_MOD(info->extack,
209 "cannot specify remote IP address without port");
210 return -EINVAL;
211 }
212
213 if (!attrs[OVPN_A_PEER_REMOTE_IPV4] &&
214 attrs[OVPN_A_PEER_LOCAL_IPV4]) {
215 NL_SET_ERR_MSG_MOD(info->extack,
216 "cannot specify local IPv4 address without remote");
217 return -EINVAL;
218 }
219
220 if (!attrs[OVPN_A_PEER_REMOTE_IPV6] &&
221 attrs[OVPN_A_PEER_LOCAL_IPV6]) {
222 NL_SET_ERR_MSG_MOD(info->extack,
223 "cannot specify local IPV6 address without remote");
224 return -EINVAL;
225 }
226
227 /* check that local and remote address families are the same even
228 * after parsing v4mapped IPv6 addresses.
229 * (if addresses are not provided, family will be AF_UNSPEC and
230 * the check is skipped)
231 */
232 local_fam = ovpn_nl_family_get(attrs[OVPN_A_PEER_LOCAL_IPV4],
233 attrs[OVPN_A_PEER_LOCAL_IPV6]);
234 remote_fam = ovpn_nl_family_get(attrs[OVPN_A_PEER_REMOTE_IPV4],
235 attrs[OVPN_A_PEER_REMOTE_IPV6]);
236 if (local_fam != AF_UNSPEC && remote_fam != AF_UNSPEC &&
237 local_fam != remote_fam) {
238 NL_SET_ERR_MSG_MOD(info->extack,
239 "mismatching local and remote address families");
240 return -EINVAL;
241 }
242
243 if (remote_fam != AF_INET6 && attrs[OVPN_A_PEER_REMOTE_IPV6_SCOPE_ID]) {
244 NL_SET_ERR_MSG_MOD(info->extack,
245 "cannot specify scope id without remote IPv6 address");
246 return -EINVAL;
247 }
248
249 /* VPN IPs are needed only in MP mode for selecting the right peer */
250 if (ovpn->mode == OVPN_MODE_P2P && (attrs[OVPN_A_PEER_VPN_IPV4] ||
251 attrs[OVPN_A_PEER_VPN_IPV6])) {
252 NL_SET_ERR_MSG_FMT_MOD(info->extack,
253 "unexpected VPN IP in P2P mode");
254 return -EINVAL;
255 }
256
257 if ((attrs[OVPN_A_PEER_KEEPALIVE_INTERVAL] &&
258 !attrs[OVPN_A_PEER_KEEPALIVE_TIMEOUT]) ||
259 (!attrs[OVPN_A_PEER_KEEPALIVE_INTERVAL] &&
260 attrs[OVPN_A_PEER_KEEPALIVE_TIMEOUT])) {
261 NL_SET_ERR_MSG_FMT_MOD(info->extack,
262 "keepalive interval and timeout are required together");
263 return -EINVAL;
264 }
265
266 return 0;
267 }
268
269 /**
270 * ovpn_nl_peer_modify - modify the peer attributes according to the incoming msg
271 * @peer: the peer to modify
272 * @info: generic netlink info from the user request
273 * @attrs: the attributes from the user request
274 *
275 * Return: a negative error code in case of failure, 0 on success or 1 on
276 * success and the VPN IPs have been modified (requires rehashing in MP
277 * mode)
278 */
ovpn_nl_peer_modify(struct ovpn_peer * peer,struct genl_info * info,struct nlattr ** attrs)279 static int ovpn_nl_peer_modify(struct ovpn_peer *peer, struct genl_info *info,
280 struct nlattr **attrs)
281 {
282 struct sockaddr_storage ss = {};
283 void *local_ip = NULL;
284 u32 interv, timeout;
285 bool rehash = false;
286 int ret;
287
288 spin_lock_bh(&peer->lock);
289
290 if (ovpn_nl_attr_sockaddr_remote(attrs, &ss)) {
291 /* we carry the local IP in a generic container.
292 * ovpn_peer_reset_sockaddr() will properly interpret it
293 * based on ss.ss_family
294 */
295 local_ip = ovpn_nl_attr_local_ip(attrs);
296
297 /* set peer sockaddr */
298 ret = ovpn_peer_reset_sockaddr(peer, &ss, local_ip);
299 if (ret < 0) {
300 NL_SET_ERR_MSG_FMT_MOD(info->extack,
301 "cannot set peer sockaddr: %d",
302 ret);
303 goto err_unlock;
304 }
305 dst_cache_reset(&peer->dst_cache);
306 }
307
308 if (attrs[OVPN_A_PEER_VPN_IPV4]) {
309 rehash = true;
310 peer->vpn_addrs.ipv4.s_addr =
311 nla_get_in_addr(attrs[OVPN_A_PEER_VPN_IPV4]);
312 }
313
314 if (attrs[OVPN_A_PEER_VPN_IPV6]) {
315 rehash = true;
316 peer->vpn_addrs.ipv6 =
317 nla_get_in6_addr(attrs[OVPN_A_PEER_VPN_IPV6]);
318 }
319
320 /* when setting the keepalive, both parameters have to be configured */
321 if (attrs[OVPN_A_PEER_KEEPALIVE_INTERVAL] &&
322 attrs[OVPN_A_PEER_KEEPALIVE_TIMEOUT]) {
323 interv = nla_get_u32(attrs[OVPN_A_PEER_KEEPALIVE_INTERVAL]);
324 timeout = nla_get_u32(attrs[OVPN_A_PEER_KEEPALIVE_TIMEOUT]);
325 ovpn_peer_keepalive_set(peer, interv, timeout);
326 }
327
328 netdev_dbg(peer->ovpn->dev,
329 "modify peer id=%u endpoint=%pIScp VPN-IPv4=%pI4 VPN-IPv6=%pI6c\n",
330 peer->id, &ss,
331 &peer->vpn_addrs.ipv4.s_addr, &peer->vpn_addrs.ipv6);
332
333 spin_unlock_bh(&peer->lock);
334
335 return rehash ? 1 : 0;
336 err_unlock:
337 spin_unlock_bh(&peer->lock);
338 return ret;
339 }
340
ovpn_nl_peer_new_doit(struct sk_buff * skb,struct genl_info * info)341 int ovpn_nl_peer_new_doit(struct sk_buff *skb, struct genl_info *info)
342 {
343 struct nlattr *attrs[OVPN_A_PEER_MAX + 1];
344 struct ovpn_priv *ovpn = info->user_ptr[0];
345 struct ovpn_socket *ovpn_sock;
346 struct socket *sock = NULL;
347 struct ovpn_peer *peer;
348 u32 sockfd, peer_id;
349 int ret;
350
351 if (GENL_REQ_ATTR_CHECK(info, OVPN_A_PEER))
352 return -EINVAL;
353
354 ret = nla_parse_nested(attrs, OVPN_A_PEER_MAX, info->attrs[OVPN_A_PEER],
355 ovpn_peer_nl_policy, info->extack);
356 if (ret)
357 return ret;
358
359 ret = ovpn_nl_peer_precheck(ovpn, info, attrs);
360 if (ret < 0)
361 return ret;
362
363 if (NL_REQ_ATTR_CHECK(info->extack, info->attrs[OVPN_A_PEER], attrs,
364 OVPN_A_PEER_SOCKET))
365 return -EINVAL;
366
367 /* in MP mode VPN IPs are required for selecting the right peer */
368 if (ovpn->mode == OVPN_MODE_MP && !attrs[OVPN_A_PEER_VPN_IPV4] &&
369 !attrs[OVPN_A_PEER_VPN_IPV6]) {
370 NL_SET_ERR_MSG_FMT_MOD(info->extack,
371 "VPN IP must be provided in MP mode");
372 return -EINVAL;
373 }
374
375 peer_id = nla_get_u32(attrs[OVPN_A_PEER_ID]);
376 peer = ovpn_peer_new(ovpn, peer_id);
377 if (IS_ERR(peer)) {
378 NL_SET_ERR_MSG_FMT_MOD(info->extack,
379 "cannot create new peer object for peer %u: %ld",
380 peer_id, PTR_ERR(peer));
381 return PTR_ERR(peer);
382 }
383
384 /* lookup the fd in the kernel table and extract the socket object */
385 sockfd = nla_get_u32(attrs[OVPN_A_PEER_SOCKET]);
386 /* sockfd_lookup() increases sock's refcounter */
387 sock = sockfd_lookup(sockfd, &ret);
388 if (!sock) {
389 NL_SET_ERR_MSG_FMT_MOD(info->extack,
390 "cannot lookup peer socket (fd=%u): %d",
391 sockfd, ret);
392 ret = -ENOTSOCK;
393 goto peer_release;
394 }
395
396 /* Only when using UDP as transport protocol the remote endpoint
397 * can be configured so that ovpn knows where to send packets to.
398 */
399 if (sock->sk->sk_protocol == IPPROTO_UDP &&
400 !attrs[OVPN_A_PEER_REMOTE_IPV4] &&
401 !attrs[OVPN_A_PEER_REMOTE_IPV6]) {
402 NL_SET_ERR_MSG_FMT_MOD(info->extack,
403 "missing remote IP address for UDP socket");
404 sockfd_put(sock);
405 ret = -EINVAL;
406 goto peer_release;
407 }
408
409 /* In case of TCP, the socket is connected to the peer and ovpn
410 * will just send bytes over it, without the need to specify a
411 * destination.
412 */
413 if (sock->sk->sk_protocol == IPPROTO_TCP &&
414 (attrs[OVPN_A_PEER_REMOTE_IPV4] ||
415 attrs[OVPN_A_PEER_REMOTE_IPV6])) {
416 NL_SET_ERR_MSG_FMT_MOD(info->extack,
417 "unexpected remote IP address with TCP socket");
418 sockfd_put(sock);
419 ret = -EINVAL;
420 goto peer_release;
421 }
422
423 ovpn_sock = ovpn_socket_new(sock, peer);
424 /* at this point we unconditionally drop the reference to the socket:
425 * - in case of error, the socket has to be dropped
426 * - if case of success, the socket is configured and let
427 * userspace own the reference, so that the latter can
428 * trigger the final close()
429 */
430 sockfd_put(sock);
431 if (IS_ERR(ovpn_sock)) {
432 NL_SET_ERR_MSG_FMT_MOD(info->extack,
433 "cannot encapsulate socket: %ld",
434 PTR_ERR(ovpn_sock));
435 ret = -ENOTSOCK;
436 goto peer_release;
437 }
438
439 rcu_assign_pointer(peer->sock, ovpn_sock);
440
441 ret = ovpn_nl_peer_modify(peer, info, attrs);
442 if (ret < 0)
443 goto sock_release;
444
445 ret = ovpn_peer_add(ovpn, peer);
446 if (ret < 0) {
447 NL_SET_ERR_MSG_FMT_MOD(info->extack,
448 "cannot add new peer (id=%u) to hashtable: %d",
449 peer->id, ret);
450 goto sock_release;
451 }
452
453 return 0;
454
455 sock_release:
456 ovpn_socket_release(peer);
457 peer_release:
458 /* release right away because peer was not yet hashed, thus it is not
459 * used in any context
460 */
461 ovpn_peer_release(peer);
462
463 return ret;
464 }
465
ovpn_nl_peer_set_doit(struct sk_buff * skb,struct genl_info * info)466 int ovpn_nl_peer_set_doit(struct sk_buff *skb, struct genl_info *info)
467 {
468 struct nlattr *attrs[OVPN_A_PEER_MAX + 1];
469 struct ovpn_priv *ovpn = info->user_ptr[0];
470 struct ovpn_socket *sock;
471 struct ovpn_peer *peer;
472 u32 peer_id;
473 int ret;
474
475 if (GENL_REQ_ATTR_CHECK(info, OVPN_A_PEER))
476 return -EINVAL;
477
478 ret = nla_parse_nested(attrs, OVPN_A_PEER_MAX, info->attrs[OVPN_A_PEER],
479 ovpn_peer_nl_policy, info->extack);
480 if (ret)
481 return ret;
482
483 ret = ovpn_nl_peer_precheck(ovpn, info, attrs);
484 if (ret < 0)
485 return ret;
486
487 if (attrs[OVPN_A_PEER_SOCKET]) {
488 NL_SET_ERR_MSG_FMT_MOD(info->extack,
489 "socket cannot be modified");
490 return -EINVAL;
491 }
492
493 peer_id = nla_get_u32(attrs[OVPN_A_PEER_ID]);
494 peer = ovpn_peer_get_by_id(ovpn, peer_id);
495 if (!peer) {
496 NL_SET_ERR_MSG_FMT_MOD(info->extack,
497 "cannot find peer with id %u", peer_id);
498 return -ENOENT;
499 }
500
501 /* when using a TCP socket the remote IP is not expected */
502 rcu_read_lock();
503 sock = rcu_dereference(peer->sock);
504 if (sock && sock->sk->sk_protocol == IPPROTO_TCP &&
505 (attrs[OVPN_A_PEER_REMOTE_IPV4] ||
506 attrs[OVPN_A_PEER_REMOTE_IPV6])) {
507 rcu_read_unlock();
508 NL_SET_ERR_MSG_FMT_MOD(info->extack,
509 "unexpected remote IP address with TCP socket");
510 ovpn_peer_put(peer);
511 return -EINVAL;
512 }
513 rcu_read_unlock();
514
515 spin_lock_bh(&ovpn->lock);
516 ret = ovpn_nl_peer_modify(peer, info, attrs);
517 if (ret < 0) {
518 spin_unlock_bh(&ovpn->lock);
519 ovpn_peer_put(peer);
520 return ret;
521 }
522
523 /* ret == 1 means that VPN IPv4/6 has been modified and rehashing
524 * is required
525 */
526 if (ret > 0)
527 ovpn_peer_hash_vpn_ip(peer);
528 spin_unlock_bh(&ovpn->lock);
529 ovpn_peer_put(peer);
530
531 return 0;
532 }
533
ovpn_nl_send_peer(struct sk_buff * skb,const struct genl_info * info,const struct ovpn_peer * peer,u32 portid,u32 seq,int flags)534 static int ovpn_nl_send_peer(struct sk_buff *skb, const struct genl_info *info,
535 const struct ovpn_peer *peer, u32 portid, u32 seq,
536 int flags)
537 {
538 const struct ovpn_bind *bind;
539 struct ovpn_socket *sock;
540 int ret = -EMSGSIZE;
541 struct nlattr *attr;
542 __be16 local_port;
543 void *hdr;
544 int id;
545
546 hdr = genlmsg_put(skb, portid, seq, &ovpn_nl_family, flags,
547 OVPN_CMD_PEER_GET);
548 if (!hdr)
549 return -ENOBUFS;
550
551 attr = nla_nest_start(skb, OVPN_A_PEER);
552 if (!attr)
553 goto err;
554
555 rcu_read_lock();
556 sock = rcu_dereference(peer->sock);
557 if (!sock) {
558 ret = -EINVAL;
559 goto err_unlock;
560 }
561
562 if (!net_eq(genl_info_net(info), sock_net(sock->sk))) {
563 id = peernet2id_alloc(genl_info_net(info),
564 sock_net(sock->sk),
565 GFP_ATOMIC);
566 if (nla_put_s32(skb, OVPN_A_PEER_SOCKET_NETNSID, id))
567 goto err_unlock;
568 }
569 local_port = inet_sk(sock->sk)->inet_sport;
570 rcu_read_unlock();
571
572 if (nla_put_u32(skb, OVPN_A_PEER_ID, peer->id))
573 goto err;
574
575 if (peer->vpn_addrs.ipv4.s_addr != htonl(INADDR_ANY))
576 if (nla_put_in_addr(skb, OVPN_A_PEER_VPN_IPV4,
577 peer->vpn_addrs.ipv4.s_addr))
578 goto err;
579
580 if (!ipv6_addr_equal(&peer->vpn_addrs.ipv6, &in6addr_any))
581 if (nla_put_in6_addr(skb, OVPN_A_PEER_VPN_IPV6,
582 &peer->vpn_addrs.ipv6))
583 goto err;
584
585 if (nla_put_u32(skb, OVPN_A_PEER_KEEPALIVE_INTERVAL,
586 peer->keepalive_interval) ||
587 nla_put_u32(skb, OVPN_A_PEER_KEEPALIVE_TIMEOUT,
588 peer->keepalive_timeout))
589 goto err;
590
591 rcu_read_lock();
592 bind = rcu_dereference(peer->bind);
593 if (bind) {
594 if (bind->remote.in4.sin_family == AF_INET) {
595 if (nla_put_in_addr(skb, OVPN_A_PEER_REMOTE_IPV4,
596 bind->remote.in4.sin_addr.s_addr) ||
597 nla_put_net16(skb, OVPN_A_PEER_REMOTE_PORT,
598 bind->remote.in4.sin_port) ||
599 nla_put_in_addr(skb, OVPN_A_PEER_LOCAL_IPV4,
600 bind->local.ipv4.s_addr))
601 goto err_unlock;
602 } else if (bind->remote.in4.sin_family == AF_INET6) {
603 if (nla_put_in6_addr(skb, OVPN_A_PEER_REMOTE_IPV6,
604 &bind->remote.in6.sin6_addr) ||
605 nla_put_u32(skb, OVPN_A_PEER_REMOTE_IPV6_SCOPE_ID,
606 bind->remote.in6.sin6_scope_id) ||
607 nla_put_net16(skb, OVPN_A_PEER_REMOTE_PORT,
608 bind->remote.in6.sin6_port) ||
609 nla_put_in6_addr(skb, OVPN_A_PEER_LOCAL_IPV6,
610 &bind->local.ipv6))
611 goto err_unlock;
612 }
613 }
614 rcu_read_unlock();
615
616 if (nla_put_net16(skb, OVPN_A_PEER_LOCAL_PORT, local_port) ||
617 /* VPN RX stats */
618 nla_put_uint(skb, OVPN_A_PEER_VPN_RX_BYTES,
619 atomic64_read(&peer->vpn_stats.rx.bytes)) ||
620 nla_put_uint(skb, OVPN_A_PEER_VPN_RX_PACKETS,
621 atomic64_read(&peer->vpn_stats.rx.packets)) ||
622 /* VPN TX stats */
623 nla_put_uint(skb, OVPN_A_PEER_VPN_TX_BYTES,
624 atomic64_read(&peer->vpn_stats.tx.bytes)) ||
625 nla_put_uint(skb, OVPN_A_PEER_VPN_TX_PACKETS,
626 atomic64_read(&peer->vpn_stats.tx.packets)) ||
627 /* link RX stats */
628 nla_put_uint(skb, OVPN_A_PEER_LINK_RX_BYTES,
629 atomic64_read(&peer->link_stats.rx.bytes)) ||
630 nla_put_uint(skb, OVPN_A_PEER_LINK_RX_PACKETS,
631 atomic64_read(&peer->link_stats.rx.packets)) ||
632 /* link TX stats */
633 nla_put_uint(skb, OVPN_A_PEER_LINK_TX_BYTES,
634 atomic64_read(&peer->link_stats.tx.bytes)) ||
635 nla_put_uint(skb, OVPN_A_PEER_LINK_TX_PACKETS,
636 atomic64_read(&peer->link_stats.tx.packets)))
637 goto err;
638
639 nla_nest_end(skb, attr);
640 genlmsg_end(skb, hdr);
641
642 return 0;
643 err_unlock:
644 rcu_read_unlock();
645 err:
646 genlmsg_cancel(skb, hdr);
647 return ret;
648 }
649
ovpn_nl_peer_get_doit(struct sk_buff * skb,struct genl_info * info)650 int ovpn_nl_peer_get_doit(struct sk_buff *skb, struct genl_info *info)
651 {
652 struct nlattr *attrs[OVPN_A_PEER_MAX + 1];
653 struct ovpn_priv *ovpn = info->user_ptr[0];
654 struct ovpn_peer *peer;
655 struct sk_buff *msg;
656 u32 peer_id;
657 int ret;
658
659 if (GENL_REQ_ATTR_CHECK(info, OVPN_A_PEER))
660 return -EINVAL;
661
662 ret = nla_parse_nested(attrs, OVPN_A_PEER_MAX, info->attrs[OVPN_A_PEER],
663 ovpn_peer_nl_policy, info->extack);
664 if (ret)
665 return ret;
666
667 if (NL_REQ_ATTR_CHECK(info->extack, info->attrs[OVPN_A_PEER], attrs,
668 OVPN_A_PEER_ID))
669 return -EINVAL;
670
671 peer_id = nla_get_u32(attrs[OVPN_A_PEER_ID]);
672 peer = ovpn_peer_get_by_id(ovpn, peer_id);
673 if (!peer) {
674 NL_SET_ERR_MSG_FMT_MOD(info->extack,
675 "cannot find peer with id %u", peer_id);
676 return -ENOENT;
677 }
678
679 msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
680 if (!msg) {
681 ret = -ENOMEM;
682 goto err;
683 }
684
685 ret = ovpn_nl_send_peer(msg, info, peer, info->snd_portid,
686 info->snd_seq, 0);
687 if (ret < 0) {
688 nlmsg_free(msg);
689 goto err;
690 }
691
692 ret = genlmsg_reply(msg, info);
693 err:
694 ovpn_peer_put(peer);
695 return ret;
696 }
697
ovpn_nl_peer_get_dumpit(struct sk_buff * skb,struct netlink_callback * cb)698 int ovpn_nl_peer_get_dumpit(struct sk_buff *skb, struct netlink_callback *cb)
699 {
700 const struct genl_info *info = genl_info_dump(cb);
701 int bkt, last_idx = cb->args[1], dumped = 0;
702 netdevice_tracker tracker;
703 struct ovpn_priv *ovpn;
704 struct ovpn_peer *peer;
705
706 ovpn = ovpn_get_dev_from_attrs(sock_net(cb->skb->sk), info, &tracker);
707 if (IS_ERR(ovpn))
708 return PTR_ERR(ovpn);
709
710 if (ovpn->mode == OVPN_MODE_P2P) {
711 /* if we already dumped a peer it means we are done */
712 if (last_idx)
713 goto out;
714
715 rcu_read_lock();
716 peer = rcu_dereference(ovpn->peer);
717 if (peer) {
718 if (ovpn_nl_send_peer(skb, info, peer,
719 NETLINK_CB(cb->skb).portid,
720 cb->nlh->nlmsg_seq,
721 NLM_F_MULTI) == 0)
722 dumped++;
723 }
724 rcu_read_unlock();
725 } else {
726 rcu_read_lock();
727 hash_for_each_rcu(ovpn->peers->by_id, bkt, peer,
728 hash_entry_id) {
729 /* skip already dumped peers that were dumped by
730 * previous invocations
731 */
732 if (last_idx > 0) {
733 last_idx--;
734 continue;
735 }
736
737 if (ovpn_nl_send_peer(skb, info, peer,
738 NETLINK_CB(cb->skb).portid,
739 cb->nlh->nlmsg_seq,
740 NLM_F_MULTI) < 0)
741 break;
742
743 /* count peers being dumped during this invocation */
744 dumped++;
745 }
746 rcu_read_unlock();
747 }
748
749 out:
750 netdev_put(ovpn->dev, &tracker);
751
752 /* sum up peers dumped in this message, so that at the next invocation
753 * we can continue from where we left
754 */
755 cb->args[1] += dumped;
756 return skb->len;
757 }
758
ovpn_nl_peer_del_doit(struct sk_buff * skb,struct genl_info * info)759 int ovpn_nl_peer_del_doit(struct sk_buff *skb, struct genl_info *info)
760 {
761 struct nlattr *attrs[OVPN_A_PEER_MAX + 1];
762 struct ovpn_priv *ovpn = info->user_ptr[0];
763 struct ovpn_peer *peer;
764 u32 peer_id;
765 int ret;
766
767 if (GENL_REQ_ATTR_CHECK(info, OVPN_A_PEER))
768 return -EINVAL;
769
770 ret = nla_parse_nested(attrs, OVPN_A_PEER_MAX, info->attrs[OVPN_A_PEER],
771 ovpn_peer_nl_policy, info->extack);
772 if (ret)
773 return ret;
774
775 if (NL_REQ_ATTR_CHECK(info->extack, info->attrs[OVPN_A_PEER], attrs,
776 OVPN_A_PEER_ID))
777 return -EINVAL;
778
779 peer_id = nla_get_u32(attrs[OVPN_A_PEER_ID]);
780 peer = ovpn_peer_get_by_id(ovpn, peer_id);
781 if (!peer) {
782 NL_SET_ERR_MSG_FMT_MOD(info->extack,
783 "cannot find peer with id %u", peer_id);
784 return -ENOENT;
785 }
786
787 netdev_dbg(ovpn->dev, "del peer %u\n", peer->id);
788 ret = ovpn_peer_del(peer, OVPN_DEL_PEER_REASON_USERSPACE);
789 ovpn_peer_put(peer);
790
791 return ret;
792 }
793
ovpn_nl_get_key_dir(struct genl_info * info,struct nlattr * key,enum ovpn_cipher_alg cipher,struct ovpn_key_direction * dir)794 static int ovpn_nl_get_key_dir(struct genl_info *info, struct nlattr *key,
795 enum ovpn_cipher_alg cipher,
796 struct ovpn_key_direction *dir)
797 {
798 struct nlattr *attrs[OVPN_A_KEYDIR_MAX + 1];
799 int ret;
800
801 ret = nla_parse_nested(attrs, OVPN_A_KEYDIR_MAX, key,
802 ovpn_keydir_nl_policy, info->extack);
803 if (ret)
804 return ret;
805
806 switch (cipher) {
807 case OVPN_CIPHER_ALG_AES_GCM:
808 case OVPN_CIPHER_ALG_CHACHA20_POLY1305:
809 if (NL_REQ_ATTR_CHECK(info->extack, key, attrs,
810 OVPN_A_KEYDIR_CIPHER_KEY) ||
811 NL_REQ_ATTR_CHECK(info->extack, key, attrs,
812 OVPN_A_KEYDIR_NONCE_TAIL))
813 return -EINVAL;
814
815 dir->cipher_key = nla_data(attrs[OVPN_A_KEYDIR_CIPHER_KEY]);
816 dir->cipher_key_size = nla_len(attrs[OVPN_A_KEYDIR_CIPHER_KEY]);
817
818 /* These algorithms require a 96bit nonce,
819 * Construct it by combining 4-bytes packet id and
820 * 8-bytes nonce-tail from userspace
821 */
822 dir->nonce_tail = nla_data(attrs[OVPN_A_KEYDIR_NONCE_TAIL]);
823 dir->nonce_tail_size = nla_len(attrs[OVPN_A_KEYDIR_NONCE_TAIL]);
824 break;
825 default:
826 NL_SET_ERR_MSG_MOD(info->extack, "unsupported cipher");
827 return -EINVAL;
828 }
829
830 return 0;
831 }
832
833 /**
834 * ovpn_nl_key_new_doit - configure a new key for the specified peer
835 * @skb: incoming netlink message
836 * @info: genetlink metadata
837 *
838 * This function allows the user to install a new key in the peer crypto
839 * state.
840 * Each peer has two 'slots', namely 'primary' and 'secondary', where
841 * keys can be installed. The key in the 'primary' slot is used for
842 * encryption, while both keys can be used for decryption by matching the
843 * key ID carried in the incoming packet.
844 *
845 * The user is responsible for rotating keys when necessary. The user
846 * may fetch peer traffic statistics via netlink in order to better
847 * identify the right time to rotate keys.
848 * The renegotiation follows these steps:
849 * 1. a new key is computed by the user and is installed in the 'secondary'
850 * slot
851 * 2. at user discretion (usually after a predetermined time) 'primary' and
852 * 'secondary' contents are swapped and the new key starts being used for
853 * encryption, while the old key is kept around for decryption of late
854 * packets.
855 *
856 * Return: 0 on success or a negative error code otherwise.
857 */
ovpn_nl_key_new_doit(struct sk_buff * skb,struct genl_info * info)858 int ovpn_nl_key_new_doit(struct sk_buff *skb, struct genl_info *info)
859 {
860 struct nlattr *attrs[OVPN_A_KEYCONF_MAX + 1];
861 struct ovpn_priv *ovpn = info->user_ptr[0];
862 struct ovpn_peer_key_reset pkr;
863 struct ovpn_peer *peer;
864 u32 peer_id;
865 int ret;
866
867 if (GENL_REQ_ATTR_CHECK(info, OVPN_A_KEYCONF))
868 return -EINVAL;
869
870 ret = nla_parse_nested(attrs, OVPN_A_KEYCONF_MAX,
871 info->attrs[OVPN_A_KEYCONF],
872 ovpn_keyconf_nl_policy, info->extack);
873 if (ret)
874 return ret;
875
876 if (NL_REQ_ATTR_CHECK(info->extack, info->attrs[OVPN_A_KEYCONF], attrs,
877 OVPN_A_KEYCONF_PEER_ID))
878 return -EINVAL;
879
880 if (NL_REQ_ATTR_CHECK(info->extack, info->attrs[OVPN_A_KEYCONF], attrs,
881 OVPN_A_KEYCONF_SLOT) ||
882 NL_REQ_ATTR_CHECK(info->extack, info->attrs[OVPN_A_KEYCONF], attrs,
883 OVPN_A_KEYCONF_KEY_ID) ||
884 NL_REQ_ATTR_CHECK(info->extack, info->attrs[OVPN_A_KEYCONF], attrs,
885 OVPN_A_KEYCONF_CIPHER_ALG) ||
886 NL_REQ_ATTR_CHECK(info->extack, info->attrs[OVPN_A_KEYCONF], attrs,
887 OVPN_A_KEYCONF_ENCRYPT_DIR) ||
888 NL_REQ_ATTR_CHECK(info->extack, info->attrs[OVPN_A_KEYCONF], attrs,
889 OVPN_A_KEYCONF_DECRYPT_DIR))
890 return -EINVAL;
891
892 pkr.slot = nla_get_u32(attrs[OVPN_A_KEYCONF_SLOT]);
893 pkr.key.key_id = nla_get_u32(attrs[OVPN_A_KEYCONF_KEY_ID]);
894 pkr.key.cipher_alg = nla_get_u32(attrs[OVPN_A_KEYCONF_CIPHER_ALG]);
895
896 ret = ovpn_nl_get_key_dir(info, attrs[OVPN_A_KEYCONF_ENCRYPT_DIR],
897 pkr.key.cipher_alg, &pkr.key.encrypt);
898 if (ret < 0)
899 return ret;
900
901 ret = ovpn_nl_get_key_dir(info, attrs[OVPN_A_KEYCONF_DECRYPT_DIR],
902 pkr.key.cipher_alg, &pkr.key.decrypt);
903 if (ret < 0)
904 return ret;
905
906 peer_id = nla_get_u32(attrs[OVPN_A_KEYCONF_PEER_ID]);
907 peer = ovpn_peer_get_by_id(ovpn, peer_id);
908 if (!peer) {
909 NL_SET_ERR_MSG_FMT_MOD(info->extack,
910 "no peer with id %u to set key for",
911 peer_id);
912 return -ENOENT;
913 }
914
915 ret = ovpn_crypto_state_reset(&peer->crypto, &pkr);
916 if (ret < 0) {
917 NL_SET_ERR_MSG_FMT_MOD(info->extack,
918 "cannot install new key for peer %u",
919 peer_id);
920 goto out;
921 }
922
923 netdev_dbg(ovpn->dev, "new key installed (id=%u) for peer %u\n",
924 pkr.key.key_id, peer_id);
925 out:
926 ovpn_peer_put(peer);
927 return ret;
928 }
929
ovpn_nl_send_key(struct sk_buff * skb,const struct genl_info * info,u32 peer_id,enum ovpn_key_slot slot,const struct ovpn_key_config * keyconf)930 static int ovpn_nl_send_key(struct sk_buff *skb, const struct genl_info *info,
931 u32 peer_id, enum ovpn_key_slot slot,
932 const struct ovpn_key_config *keyconf)
933 {
934 struct nlattr *attr;
935 void *hdr;
936
937 hdr = genlmsg_put(skb, info->snd_portid, info->snd_seq, &ovpn_nl_family,
938 0, OVPN_CMD_KEY_GET);
939 if (!hdr)
940 return -ENOBUFS;
941
942 attr = nla_nest_start(skb, OVPN_A_KEYCONF);
943 if (!attr)
944 goto err;
945
946 if (nla_put_u32(skb, OVPN_A_KEYCONF_PEER_ID, peer_id))
947 goto err;
948
949 if (nla_put_u32(skb, OVPN_A_KEYCONF_SLOT, slot) ||
950 nla_put_u32(skb, OVPN_A_KEYCONF_KEY_ID, keyconf->key_id) ||
951 nla_put_u32(skb, OVPN_A_KEYCONF_CIPHER_ALG, keyconf->cipher_alg))
952 goto err;
953
954 nla_nest_end(skb, attr);
955 genlmsg_end(skb, hdr);
956
957 return 0;
958 err:
959 genlmsg_cancel(skb, hdr);
960 return -EMSGSIZE;
961 }
962
ovpn_nl_key_get_doit(struct sk_buff * skb,struct genl_info * info)963 int ovpn_nl_key_get_doit(struct sk_buff *skb, struct genl_info *info)
964 {
965 struct nlattr *attrs[OVPN_A_KEYCONF_MAX + 1];
966 struct ovpn_priv *ovpn = info->user_ptr[0];
967 struct ovpn_key_config keyconf = { 0 };
968 enum ovpn_key_slot slot;
969 struct ovpn_peer *peer;
970 struct sk_buff *msg;
971 u32 peer_id;
972 int ret;
973
974 if (GENL_REQ_ATTR_CHECK(info, OVPN_A_KEYCONF))
975 return -EINVAL;
976
977 ret = nla_parse_nested(attrs, OVPN_A_KEYCONF_MAX,
978 info->attrs[OVPN_A_KEYCONF],
979 ovpn_keyconf_nl_policy, info->extack);
980 if (ret)
981 return ret;
982
983 if (NL_REQ_ATTR_CHECK(info->extack, info->attrs[OVPN_A_KEYCONF], attrs,
984 OVPN_A_KEYCONF_PEER_ID))
985 return -EINVAL;
986
987 if (NL_REQ_ATTR_CHECK(info->extack, info->attrs[OVPN_A_KEYCONF], attrs,
988 OVPN_A_KEYCONF_SLOT))
989 return -EINVAL;
990
991 peer_id = nla_get_u32(attrs[OVPN_A_KEYCONF_PEER_ID]);
992 peer = ovpn_peer_get_by_id(ovpn, peer_id);
993 if (!peer) {
994 NL_SET_ERR_MSG_FMT_MOD(info->extack,
995 "cannot find peer with id %u", peer_id);
996 return -ENOENT;
997 }
998
999 slot = nla_get_u32(attrs[OVPN_A_KEYCONF_SLOT]);
1000
1001 ret = ovpn_crypto_config_get(&peer->crypto, slot, &keyconf);
1002 if (ret < 0) {
1003 NL_SET_ERR_MSG_FMT_MOD(info->extack,
1004 "cannot extract key from slot %u for peer %u",
1005 slot, peer_id);
1006 goto err;
1007 }
1008
1009 msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
1010 if (!msg) {
1011 ret = -ENOMEM;
1012 goto err;
1013 }
1014
1015 ret = ovpn_nl_send_key(msg, info, peer->id, slot, &keyconf);
1016 if (ret < 0) {
1017 nlmsg_free(msg);
1018 goto err;
1019 }
1020
1021 ret = genlmsg_reply(msg, info);
1022 err:
1023 ovpn_peer_put(peer);
1024 return ret;
1025 }
1026
ovpn_nl_key_swap_doit(struct sk_buff * skb,struct genl_info * info)1027 int ovpn_nl_key_swap_doit(struct sk_buff *skb, struct genl_info *info)
1028 {
1029 struct ovpn_priv *ovpn = info->user_ptr[0];
1030 struct nlattr *attrs[OVPN_A_PEER_MAX + 1];
1031 struct ovpn_peer *peer;
1032 u32 peer_id;
1033 int ret;
1034
1035 if (GENL_REQ_ATTR_CHECK(info, OVPN_A_KEYCONF))
1036 return -EINVAL;
1037
1038 ret = nla_parse_nested(attrs, OVPN_A_KEYCONF_MAX,
1039 info->attrs[OVPN_A_KEYCONF],
1040 ovpn_keyconf_nl_policy, info->extack);
1041 if (ret)
1042 return ret;
1043
1044 if (NL_REQ_ATTR_CHECK(info->extack, info->attrs[OVPN_A_KEYCONF], attrs,
1045 OVPN_A_KEYCONF_PEER_ID))
1046 return -EINVAL;
1047
1048 peer_id = nla_get_u32(attrs[OVPN_A_KEYCONF_PEER_ID]);
1049 peer = ovpn_peer_get_by_id(ovpn, peer_id);
1050 if (!peer) {
1051 NL_SET_ERR_MSG_FMT_MOD(info->extack,
1052 "no peer with id %u to swap keys for",
1053 peer_id);
1054 return -ENOENT;
1055 }
1056
1057 ovpn_crypto_key_slots_swap(&peer->crypto);
1058 ovpn_peer_put(peer);
1059
1060 return 0;
1061 }
1062
ovpn_nl_key_del_doit(struct sk_buff * skb,struct genl_info * info)1063 int ovpn_nl_key_del_doit(struct sk_buff *skb, struct genl_info *info)
1064 {
1065 struct nlattr *attrs[OVPN_A_KEYCONF_MAX + 1];
1066 struct ovpn_priv *ovpn = info->user_ptr[0];
1067 enum ovpn_key_slot slot;
1068 struct ovpn_peer *peer;
1069 u32 peer_id;
1070 int ret;
1071
1072 if (GENL_REQ_ATTR_CHECK(info, OVPN_A_KEYCONF))
1073 return -EINVAL;
1074
1075 ret = nla_parse_nested(attrs, OVPN_A_KEYCONF_MAX,
1076 info->attrs[OVPN_A_KEYCONF],
1077 ovpn_keyconf_nl_policy, info->extack);
1078 if (ret)
1079 return ret;
1080
1081 if (NL_REQ_ATTR_CHECK(info->extack, info->attrs[OVPN_A_KEYCONF], attrs,
1082 OVPN_A_KEYCONF_PEER_ID))
1083 return -EINVAL;
1084
1085 if (NL_REQ_ATTR_CHECK(info->extack, info->attrs[OVPN_A_KEYCONF], attrs,
1086 OVPN_A_KEYCONF_SLOT))
1087 return -EINVAL;
1088
1089 peer_id = nla_get_u32(attrs[OVPN_A_KEYCONF_PEER_ID]);
1090 slot = nla_get_u32(attrs[OVPN_A_KEYCONF_SLOT]);
1091
1092 peer = ovpn_peer_get_by_id(ovpn, peer_id);
1093 if (!peer) {
1094 NL_SET_ERR_MSG_FMT_MOD(info->extack,
1095 "no peer with id %u to delete key for",
1096 peer_id);
1097 return -ENOENT;
1098 }
1099
1100 ovpn_crypto_key_slot_delete(&peer->crypto, slot);
1101 ovpn_peer_put(peer);
1102
1103 return 0;
1104 }
1105
1106 /**
1107 * ovpn_nl_peer_del_notify - notify userspace about peer being deleted
1108 * @peer: the peer being deleted
1109 *
1110 * Return: 0 on success or a negative error code otherwise
1111 */
ovpn_nl_peer_del_notify(struct ovpn_peer * peer)1112 int ovpn_nl_peer_del_notify(struct ovpn_peer *peer)
1113 {
1114 struct ovpn_socket *sock;
1115 struct sk_buff *msg;
1116 struct nlattr *attr;
1117 int ret = -EMSGSIZE;
1118 void *hdr;
1119
1120 netdev_info(peer->ovpn->dev, "deleting peer with id %u, reason %d\n",
1121 peer->id, peer->delete_reason);
1122
1123 msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_ATOMIC);
1124 if (!msg)
1125 return -ENOMEM;
1126
1127 hdr = genlmsg_put(msg, 0, 0, &ovpn_nl_family, 0, OVPN_CMD_PEER_DEL_NTF);
1128 if (!hdr) {
1129 ret = -ENOBUFS;
1130 goto err_free_msg;
1131 }
1132
1133 if (nla_put_u32(msg, OVPN_A_IFINDEX, peer->ovpn->dev->ifindex))
1134 goto err_cancel_msg;
1135
1136 attr = nla_nest_start(msg, OVPN_A_PEER);
1137 if (!attr)
1138 goto err_cancel_msg;
1139
1140 if (nla_put_u32(msg, OVPN_A_PEER_DEL_REASON, peer->delete_reason))
1141 goto err_cancel_msg;
1142
1143 if (nla_put_u32(msg, OVPN_A_PEER_ID, peer->id))
1144 goto err_cancel_msg;
1145
1146 nla_nest_end(msg, attr);
1147
1148 genlmsg_end(msg, hdr);
1149
1150 rcu_read_lock();
1151 sock = rcu_dereference(peer->sock);
1152 if (!sock) {
1153 ret = -EINVAL;
1154 goto err_unlock;
1155 }
1156 genlmsg_multicast_netns(&ovpn_nl_family, sock_net(sock->sk), msg, 0,
1157 OVPN_NLGRP_PEERS, GFP_ATOMIC);
1158 rcu_read_unlock();
1159
1160 return 0;
1161
1162 err_unlock:
1163 rcu_read_unlock();
1164 err_cancel_msg:
1165 genlmsg_cancel(msg, hdr);
1166 err_free_msg:
1167 nlmsg_free(msg);
1168 return ret;
1169 }
1170
1171 /**
1172 * ovpn_nl_key_swap_notify - notify userspace peer's key must be renewed
1173 * @peer: the peer whose key needs to be renewed
1174 * @key_id: the ID of the key that needs to be renewed
1175 *
1176 * Return: 0 on success or a negative error code otherwise
1177 */
ovpn_nl_key_swap_notify(struct ovpn_peer * peer,u8 key_id)1178 int ovpn_nl_key_swap_notify(struct ovpn_peer *peer, u8 key_id)
1179 {
1180 struct ovpn_socket *sock;
1181 struct nlattr *k_attr;
1182 struct sk_buff *msg;
1183 int ret = -EMSGSIZE;
1184 void *hdr;
1185
1186 netdev_info(peer->ovpn->dev, "peer with id %u must rekey - primary key unusable.\n",
1187 peer->id);
1188
1189 msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_ATOMIC);
1190 if (!msg)
1191 return -ENOMEM;
1192
1193 hdr = genlmsg_put(msg, 0, 0, &ovpn_nl_family, 0, OVPN_CMD_KEY_SWAP_NTF);
1194 if (!hdr) {
1195 ret = -ENOBUFS;
1196 goto err_free_msg;
1197 }
1198
1199 if (nla_put_u32(msg, OVPN_A_IFINDEX, peer->ovpn->dev->ifindex))
1200 goto err_cancel_msg;
1201
1202 k_attr = nla_nest_start(msg, OVPN_A_KEYCONF);
1203 if (!k_attr)
1204 goto err_cancel_msg;
1205
1206 if (nla_put_u32(msg, OVPN_A_KEYCONF_PEER_ID, peer->id))
1207 goto err_cancel_msg;
1208
1209 if (nla_put_u16(msg, OVPN_A_KEYCONF_KEY_ID, key_id))
1210 goto err_cancel_msg;
1211
1212 nla_nest_end(msg, k_attr);
1213 genlmsg_end(msg, hdr);
1214
1215 rcu_read_lock();
1216 sock = rcu_dereference(peer->sock);
1217 if (!sock) {
1218 ret = -EINVAL;
1219 goto err_unlock;
1220 }
1221 genlmsg_multicast_netns(&ovpn_nl_family, sock_net(sock->sk), msg, 0,
1222 OVPN_NLGRP_PEERS, GFP_ATOMIC);
1223 rcu_read_unlock();
1224
1225 return 0;
1226 err_unlock:
1227 rcu_read_unlock();
1228 err_cancel_msg:
1229 genlmsg_cancel(msg, hdr);
1230 err_free_msg:
1231 nlmsg_free(msg);
1232 return ret;
1233 }
1234
1235 /**
1236 * ovpn_nl_register - perform any needed registration in the NL subsustem
1237 *
1238 * Return: 0 on success, a negative error code otherwise
1239 */
ovpn_nl_register(void)1240 int __init ovpn_nl_register(void)
1241 {
1242 int ret = genl_register_family(&ovpn_nl_family);
1243
1244 if (ret) {
1245 pr_err("ovpn: genl_register_family failed: %d\n", ret);
1246 return ret;
1247 }
1248
1249 return 0;
1250 }
1251
1252 /**
1253 * ovpn_nl_unregister - undo any module wide netlink registration
1254 */
ovpn_nl_unregister(void)1255 void ovpn_nl_unregister(void)
1256 {
1257 genl_unregister_family(&ovpn_nl_family);
1258 }
1259