1 // SPDX-License-Identifier: GPL-2.0
2 /* OpenVPN data channel accelerator
3 *
4 * Copyright (C) 2020-2025 OpenVPN, Inc.
5 *
6 * Author: Antonio Quartulli <antonio@openvpn.net>
7 */
8
9 #include <stdio.h>
10 #include <inttypes.h>
11 #include <stdbool.h>
12 #include <string.h>
13 #include <errno.h>
14 #include <unistd.h>
15 #include <arpa/inet.h>
16 #include <net/if.h>
17 #include <netinet/in.h>
18 #include <time.h>
19
20 #include <linux/ovpn.h>
21 #include <linux/types.h>
22 #include <linux/netlink.h>
23
24 #include <netlink/socket.h>
25 #include <netlink/netlink.h>
26 #include <netlink/genl/genl.h>
27 #include <netlink/genl/family.h>
28 #include <netlink/genl/ctrl.h>
29
30 #include <mbedtls/base64.h>
31 #include <mbedtls/error.h>
32
33 #include <sys/socket.h>
34
35 #include "../../kselftest.h"
36
37 /* defines to make checkpatch happy */
38 #define strscpy strncpy
39
40 /* libnl < 3.5.0 does not set the NLA_F_NESTED on its own, therefore we
41 * have to explicitly do it to prevent the kernel from failing upon
42 * parsing of the message
43 */
44 #define nla_nest_start(_msg, _type) \
45 nla_nest_start(_msg, (_type) | NLA_F_NESTED)
46
47 /* libnl < 3.11.0 does not implement nla_get_uint() */
ovpn_nla_get_uint(struct nlattr * attr)48 uint64_t ovpn_nla_get_uint(struct nlattr *attr)
49 {
50 if (nla_len(attr) == sizeof(uint32_t))
51 return nla_get_u32(attr);
52 else
53 return nla_get_u64(attr);
54 }
55
56 typedef int (*ovpn_nl_cb)(struct nl_msg *msg, void *arg);
57
58 enum ovpn_key_direction {
59 KEY_DIR_IN = 0,
60 KEY_DIR_OUT,
61 };
62
63 #define KEY_LEN (256 / 8)
64 #define NONCE_LEN 8
65
66 #define PEER_ID_UNDEF 0x00FFFFFF
67 #define MAX_PEERS 10
68
69 struct nl_ctx {
70 struct nl_sock *nl_sock;
71 struct nl_msg *nl_msg;
72 struct nl_cb *nl_cb;
73
74 int ovpn_dco_id;
75 };
76
77 enum ovpn_cmd {
78 CMD_INVALID,
79 CMD_NEW_IFACE,
80 CMD_DEL_IFACE,
81 CMD_LISTEN,
82 CMD_CONNECT,
83 CMD_NEW_PEER,
84 CMD_NEW_MULTI_PEER,
85 CMD_SET_PEER,
86 CMD_DEL_PEER,
87 CMD_GET_PEER,
88 CMD_NEW_KEY,
89 CMD_DEL_KEY,
90 CMD_GET_KEY,
91 CMD_SWAP_KEYS,
92 CMD_LISTEN_MCAST,
93 };
94
95 struct ovpn_ctx {
96 enum ovpn_cmd cmd;
97
98 __u8 key_enc[KEY_LEN];
99 __u8 key_dec[KEY_LEN];
100 __u8 nonce[NONCE_LEN];
101
102 enum ovpn_cipher_alg cipher;
103
104 sa_family_t sa_family;
105
106 unsigned long peer_id;
107 unsigned long lport;
108
109 union {
110 struct sockaddr_in in4;
111 struct sockaddr_in6 in6;
112 } remote;
113
114 union {
115 struct sockaddr_in in4;
116 struct sockaddr_in6 in6;
117 } peer_ip;
118
119 bool peer_ip_set;
120
121 unsigned int ifindex;
122 char ifname[IFNAMSIZ];
123 enum ovpn_mode mode;
124 bool mode_set;
125
126 int socket;
127 int cli_sockets[MAX_PEERS];
128
129 __u32 keepalive_interval;
130 __u32 keepalive_timeout;
131
132 enum ovpn_key_direction key_dir;
133 enum ovpn_key_slot key_slot;
134 int key_id;
135
136 const char *peers_file;
137 };
138
ovpn_nl_recvmsgs(struct nl_ctx * ctx)139 static int ovpn_nl_recvmsgs(struct nl_ctx *ctx)
140 {
141 int ret;
142
143 ret = nl_recvmsgs(ctx->nl_sock, ctx->nl_cb);
144
145 switch (ret) {
146 case -NLE_INTR:
147 fprintf(stderr,
148 "netlink received interrupt due to signal - ignoring\n");
149 break;
150 case -NLE_NOMEM:
151 fprintf(stderr, "netlink out of memory error\n");
152 break;
153 case -NLE_AGAIN:
154 fprintf(stderr,
155 "netlink reports blocking read - aborting wait\n");
156 break;
157 default:
158 if (ret)
159 fprintf(stderr, "netlink reports error (%d): %s\n",
160 ret, nl_geterror(-ret));
161 break;
162 }
163
164 return ret;
165 }
166
nl_ctx_alloc_flags(struct ovpn_ctx * ovpn,int cmd,int flags)167 static struct nl_ctx *nl_ctx_alloc_flags(struct ovpn_ctx *ovpn, int cmd,
168 int flags)
169 {
170 struct nl_ctx *ctx;
171 int err, ret;
172
173 ctx = calloc(1, sizeof(*ctx));
174 if (!ctx)
175 return NULL;
176
177 ctx->nl_sock = nl_socket_alloc();
178 if (!ctx->nl_sock) {
179 fprintf(stderr, "cannot allocate netlink socket\n");
180 goto err_free;
181 }
182
183 nl_socket_set_buffer_size(ctx->nl_sock, 8192, 8192);
184
185 ret = genl_connect(ctx->nl_sock);
186 if (ret) {
187 fprintf(stderr, "cannot connect to generic netlink: %s\n",
188 nl_geterror(ret));
189 goto err_sock;
190 }
191
192 /* enable Extended ACK for detailed error reporting */
193 err = 1;
194 setsockopt(nl_socket_get_fd(ctx->nl_sock), SOL_NETLINK, NETLINK_EXT_ACK,
195 &err, sizeof(err));
196
197 ctx->ovpn_dco_id = genl_ctrl_resolve(ctx->nl_sock, OVPN_FAMILY_NAME);
198 if (ctx->ovpn_dco_id < 0) {
199 fprintf(stderr, "cannot find ovpn_dco netlink component: %d\n",
200 ctx->ovpn_dco_id);
201 goto err_free;
202 }
203
204 ctx->nl_msg = nlmsg_alloc();
205 if (!ctx->nl_msg) {
206 fprintf(stderr, "cannot allocate netlink message\n");
207 goto err_sock;
208 }
209
210 ctx->nl_cb = nl_cb_alloc(NL_CB_DEFAULT);
211 if (!ctx->nl_cb) {
212 fprintf(stderr, "failed to allocate netlink callback\n");
213 goto err_msg;
214 }
215
216 nl_socket_set_cb(ctx->nl_sock, ctx->nl_cb);
217
218 genlmsg_put(ctx->nl_msg, 0, 0, ctx->ovpn_dco_id, 0, flags, cmd, 0);
219
220 if (ovpn->ifindex > 0)
221 NLA_PUT_U32(ctx->nl_msg, OVPN_A_IFINDEX, ovpn->ifindex);
222
223 return ctx;
224 nla_put_failure:
225 err_msg:
226 nlmsg_free(ctx->nl_msg);
227 err_sock:
228 nl_socket_free(ctx->nl_sock);
229 err_free:
230 free(ctx);
231 return NULL;
232 }
233
nl_ctx_alloc(struct ovpn_ctx * ovpn,int cmd)234 static struct nl_ctx *nl_ctx_alloc(struct ovpn_ctx *ovpn, int cmd)
235 {
236 return nl_ctx_alloc_flags(ovpn, cmd, 0);
237 }
238
nl_ctx_free(struct nl_ctx * ctx)239 static void nl_ctx_free(struct nl_ctx *ctx)
240 {
241 if (!ctx)
242 return;
243
244 nl_socket_free(ctx->nl_sock);
245 nlmsg_free(ctx->nl_msg);
246 nl_cb_put(ctx->nl_cb);
247 free(ctx);
248 }
249
ovpn_nl_cb_error(struct sockaddr_nl (* nla)__always_unused,struct nlmsgerr * err,void * arg)250 static int ovpn_nl_cb_error(struct sockaddr_nl (*nla)__always_unused,
251 struct nlmsgerr *err, void *arg)
252 {
253 struct nlmsghdr *nlh = (struct nlmsghdr *)err - 1;
254 struct nlattr *tb_msg[NLMSGERR_ATTR_MAX + 1];
255 int len = nlh->nlmsg_len;
256 struct nlattr *attrs;
257 int *ret = arg;
258 int ack_len = sizeof(*nlh) + sizeof(int) + sizeof(*nlh);
259
260 *ret = err->error;
261
262 if (!(nlh->nlmsg_flags & NLM_F_ACK_TLVS))
263 return NL_STOP;
264
265 if (!(nlh->nlmsg_flags & NLM_F_CAPPED))
266 ack_len += err->msg.nlmsg_len - sizeof(*nlh);
267
268 if (len <= ack_len)
269 return NL_STOP;
270
271 attrs = (void *)((uint8_t *)nlh + ack_len);
272 len -= ack_len;
273
274 nla_parse(tb_msg, NLMSGERR_ATTR_MAX, attrs, len, NULL);
275 if (tb_msg[NLMSGERR_ATTR_MSG]) {
276 len = strnlen((char *)nla_data(tb_msg[NLMSGERR_ATTR_MSG]),
277 nla_len(tb_msg[NLMSGERR_ATTR_MSG]));
278 fprintf(stderr, "kernel error: %*s\n", len,
279 (char *)nla_data(tb_msg[NLMSGERR_ATTR_MSG]));
280 }
281
282 if (tb_msg[NLMSGERR_ATTR_MISS_NEST]) {
283 fprintf(stderr, "missing required nesting type %u\n",
284 nla_get_u32(tb_msg[NLMSGERR_ATTR_MISS_NEST]));
285 }
286
287 if (tb_msg[NLMSGERR_ATTR_MISS_TYPE]) {
288 fprintf(stderr, "missing required attribute type %u\n",
289 nla_get_u32(tb_msg[NLMSGERR_ATTR_MISS_TYPE]));
290 }
291
292 return NL_STOP;
293 }
294
ovpn_nl_cb_finish(struct nl_msg (* msg)__always_unused,void * arg)295 static int ovpn_nl_cb_finish(struct nl_msg (*msg)__always_unused,
296 void *arg)
297 {
298 int *status = arg;
299
300 *status = 0;
301 return NL_SKIP;
302 }
303
ovpn_nl_cb_ack(struct nl_msg (* msg)__always_unused,void * arg)304 static int ovpn_nl_cb_ack(struct nl_msg (*msg)__always_unused,
305 void *arg)
306 {
307 int *status = arg;
308
309 *status = 0;
310 return NL_STOP;
311 }
312
ovpn_nl_msg_send(struct nl_ctx * ctx,ovpn_nl_cb cb)313 static int ovpn_nl_msg_send(struct nl_ctx *ctx, ovpn_nl_cb cb)
314 {
315 int status = 1;
316
317 nl_cb_err(ctx->nl_cb, NL_CB_CUSTOM, ovpn_nl_cb_error, &status);
318 nl_cb_set(ctx->nl_cb, NL_CB_FINISH, NL_CB_CUSTOM, ovpn_nl_cb_finish,
319 &status);
320 nl_cb_set(ctx->nl_cb, NL_CB_ACK, NL_CB_CUSTOM, ovpn_nl_cb_ack, &status);
321
322 if (cb)
323 nl_cb_set(ctx->nl_cb, NL_CB_VALID, NL_CB_CUSTOM, cb, ctx);
324
325 nl_send_auto_complete(ctx->nl_sock, ctx->nl_msg);
326
327 while (status == 1)
328 ovpn_nl_recvmsgs(ctx);
329
330 if (status < 0)
331 fprintf(stderr, "failed to send netlink message: %s (%d)\n",
332 strerror(-status), status);
333
334 return status;
335 }
336
ovpn_parse_key(const char * file,struct ovpn_ctx * ctx)337 static int ovpn_parse_key(const char *file, struct ovpn_ctx *ctx)
338 {
339 int idx_enc, idx_dec, ret = -1;
340 unsigned char *ckey = NULL;
341 __u8 *bkey = NULL;
342 size_t olen = 0;
343 long ckey_len;
344 FILE *fp;
345
346 fp = fopen(file, "r");
347 if (!fp) {
348 fprintf(stderr, "cannot open: %s\n", file);
349 return -1;
350 }
351
352 /* get file size */
353 fseek(fp, 0L, SEEK_END);
354 ckey_len = ftell(fp);
355 rewind(fp);
356
357 /* if the file is longer, let's just read a portion */
358 if (ckey_len > 256)
359 ckey_len = 256;
360
361 ckey = malloc(ckey_len);
362 if (!ckey)
363 goto err;
364
365 ret = fread(ckey, 1, ckey_len, fp);
366 if (ret != ckey_len) {
367 fprintf(stderr,
368 "couldn't read enough data from key file: %dbytes read\n",
369 ret);
370 goto err;
371 }
372
373 olen = 0;
374 ret = mbedtls_base64_decode(NULL, 0, &olen, ckey, ckey_len);
375 if (ret != MBEDTLS_ERR_BASE64_BUFFER_TOO_SMALL) {
376 char buf[256];
377
378 mbedtls_strerror(ret, buf, sizeof(buf));
379 fprintf(stderr, "unexpected base64 error1: %s (%d)\n", buf,
380 ret);
381
382 goto err;
383 }
384
385 bkey = malloc(olen);
386 if (!bkey) {
387 fprintf(stderr, "cannot allocate binary key buffer\n");
388 goto err;
389 }
390
391 ret = mbedtls_base64_decode(bkey, olen, &olen, ckey, ckey_len);
392 if (ret) {
393 char buf[256];
394
395 mbedtls_strerror(ret, buf, sizeof(buf));
396 fprintf(stderr, "unexpected base64 error2: %s (%d)\n", buf,
397 ret);
398
399 goto err;
400 }
401
402 if (olen < 2 * KEY_LEN + NONCE_LEN) {
403 fprintf(stderr,
404 "not enough data in key file, found %zdB but needs %dB\n",
405 olen, 2 * KEY_LEN + NONCE_LEN);
406 goto err;
407 }
408
409 switch (ctx->key_dir) {
410 case KEY_DIR_IN:
411 idx_enc = 0;
412 idx_dec = 1;
413 break;
414 case KEY_DIR_OUT:
415 idx_enc = 1;
416 idx_dec = 0;
417 break;
418 default:
419 goto err;
420 }
421
422 memcpy(ctx->key_enc, bkey + KEY_LEN * idx_enc, KEY_LEN);
423 memcpy(ctx->key_dec, bkey + KEY_LEN * idx_dec, KEY_LEN);
424 memcpy(ctx->nonce, bkey + 2 * KEY_LEN, NONCE_LEN);
425
426 ret = 0;
427
428 err:
429 fclose(fp);
430 free(bkey);
431 free(ckey);
432
433 return ret;
434 }
435
ovpn_parse_cipher(const char * cipher,struct ovpn_ctx * ctx)436 static int ovpn_parse_cipher(const char *cipher, struct ovpn_ctx *ctx)
437 {
438 if (strcmp(cipher, "aes") == 0)
439 ctx->cipher = OVPN_CIPHER_ALG_AES_GCM;
440 else if (strcmp(cipher, "chachapoly") == 0)
441 ctx->cipher = OVPN_CIPHER_ALG_CHACHA20_POLY1305;
442 else if (strcmp(cipher, "none") == 0)
443 ctx->cipher = OVPN_CIPHER_ALG_NONE;
444 else
445 return -ENOTSUP;
446
447 return 0;
448 }
449
ovpn_parse_key_direction(const char * dir,struct ovpn_ctx * ctx)450 static int ovpn_parse_key_direction(const char *dir, struct ovpn_ctx *ctx)
451 {
452 int in_dir;
453
454 in_dir = strtoll(dir, NULL, 10);
455 switch (in_dir) {
456 case KEY_DIR_IN:
457 case KEY_DIR_OUT:
458 ctx->key_dir = in_dir;
459 break;
460 default:
461 fprintf(stderr,
462 "invalid key direction provided. Can be 0 or 1 only\n");
463 return -1;
464 }
465
466 return 0;
467 }
468
ovpn_socket(struct ovpn_ctx * ctx,sa_family_t family,int proto)469 static int ovpn_socket(struct ovpn_ctx *ctx, sa_family_t family, int proto)
470 {
471 struct sockaddr_storage local_sock = { 0 };
472 struct sockaddr_in6 *in6;
473 struct sockaddr_in *in;
474 int ret, s, sock_type;
475 size_t sock_len;
476
477 if (proto == IPPROTO_UDP)
478 sock_type = SOCK_DGRAM;
479 else if (proto == IPPROTO_TCP)
480 sock_type = SOCK_STREAM;
481 else
482 return -EINVAL;
483
484 s = socket(family, sock_type, 0);
485 if (s < 0) {
486 perror("cannot create socket");
487 return -1;
488 }
489
490 switch (family) {
491 case AF_INET:
492 in = (struct sockaddr_in *)&local_sock;
493 in->sin_family = family;
494 in->sin_port = htons(ctx->lport);
495 in->sin_addr.s_addr = htonl(INADDR_ANY);
496 sock_len = sizeof(*in);
497 break;
498 case AF_INET6:
499 in6 = (struct sockaddr_in6 *)&local_sock;
500 in6->sin6_family = family;
501 in6->sin6_port = htons(ctx->lport);
502 in6->sin6_addr = in6addr_any;
503 sock_len = sizeof(*in6);
504 break;
505 default:
506 return -1;
507 }
508
509 int opt = 1;
510
511 ret = setsockopt(s, SOL_SOCKET, SO_REUSEADDR, &opt, sizeof(opt));
512
513 if (ret < 0) {
514 perror("setsockopt for SO_REUSEADDR");
515 return ret;
516 }
517
518 ret = setsockopt(s, SOL_SOCKET, SO_REUSEPORT, &opt, sizeof(opt));
519 if (ret < 0) {
520 perror("setsockopt for SO_REUSEPORT");
521 return ret;
522 }
523
524 if (family == AF_INET6) {
525 opt = 0;
526 if (setsockopt(s, IPPROTO_IPV6, IPV6_V6ONLY, &opt,
527 sizeof(opt))) {
528 perror("failed to set IPV6_V6ONLY");
529 return -1;
530 }
531 }
532
533 ret = bind(s, (struct sockaddr *)&local_sock, sock_len);
534 if (ret < 0) {
535 perror("cannot bind socket");
536 goto err_socket;
537 }
538
539 ctx->socket = s;
540 ctx->sa_family = family;
541 return 0;
542
543 err_socket:
544 close(s);
545 return -1;
546 }
547
ovpn_udp_socket(struct ovpn_ctx * ctx,sa_family_t family)548 static int ovpn_udp_socket(struct ovpn_ctx *ctx, sa_family_t family)
549 {
550 return ovpn_socket(ctx, family, IPPROTO_UDP);
551 }
552
ovpn_listen(struct ovpn_ctx * ctx,sa_family_t family)553 static int ovpn_listen(struct ovpn_ctx *ctx, sa_family_t family)
554 {
555 int ret;
556
557 ret = ovpn_socket(ctx, family, IPPROTO_TCP);
558 if (ret < 0)
559 return ret;
560
561 ret = listen(ctx->socket, 10);
562 if (ret < 0) {
563 perror("listen");
564 close(ctx->socket);
565 return -1;
566 }
567
568 return 0;
569 }
570
ovpn_accept(struct ovpn_ctx * ctx)571 static int ovpn_accept(struct ovpn_ctx *ctx)
572 {
573 socklen_t socklen;
574 int ret;
575
576 socklen = sizeof(ctx->remote);
577 ret = accept(ctx->socket, (struct sockaddr *)&ctx->remote, &socklen);
578 if (ret < 0) {
579 perror("accept");
580 goto err;
581 }
582
583 fprintf(stderr, "Connection received!\n");
584
585 switch (socklen) {
586 case sizeof(struct sockaddr_in):
587 case sizeof(struct sockaddr_in6):
588 break;
589 default:
590 fprintf(stderr, "error: expecting IPv4 or IPv6 connection\n");
591 close(ret);
592 ret = -EINVAL;
593 goto err;
594 }
595
596 return ret;
597 err:
598 close(ctx->socket);
599 return ret;
600 }
601
ovpn_connect(struct ovpn_ctx * ovpn)602 static int ovpn_connect(struct ovpn_ctx *ovpn)
603 {
604 socklen_t socklen;
605 int s, ret;
606
607 s = socket(ovpn->remote.in4.sin_family, SOCK_STREAM, 0);
608 if (s < 0) {
609 perror("cannot create socket");
610 return -1;
611 }
612
613 switch (ovpn->remote.in4.sin_family) {
614 case AF_INET:
615 socklen = sizeof(struct sockaddr_in);
616 break;
617 case AF_INET6:
618 socklen = sizeof(struct sockaddr_in6);
619 break;
620 default:
621 return -EOPNOTSUPP;
622 }
623
624 ret = connect(s, (struct sockaddr *)&ovpn->remote, socklen);
625 if (ret < 0) {
626 perror("connect");
627 goto err;
628 }
629
630 fprintf(stderr, "connected\n");
631
632 ovpn->socket = s;
633
634 return 0;
635 err:
636 close(s);
637 return ret;
638 }
639
ovpn_new_peer(struct ovpn_ctx * ovpn,bool is_tcp)640 static int ovpn_new_peer(struct ovpn_ctx *ovpn, bool is_tcp)
641 {
642 struct nlattr *attr;
643 struct nl_ctx *ctx;
644 int ret = -1;
645
646 ctx = nl_ctx_alloc(ovpn, OVPN_CMD_PEER_NEW);
647 if (!ctx)
648 return -ENOMEM;
649
650 attr = nla_nest_start(ctx->nl_msg, OVPN_A_PEER);
651 NLA_PUT_U32(ctx->nl_msg, OVPN_A_PEER_ID, ovpn->peer_id);
652 NLA_PUT_U32(ctx->nl_msg, OVPN_A_PEER_SOCKET, ovpn->socket);
653
654 if (!is_tcp) {
655 switch (ovpn->remote.in4.sin_family) {
656 case AF_INET:
657 NLA_PUT_U32(ctx->nl_msg, OVPN_A_PEER_REMOTE_IPV4,
658 ovpn->remote.in4.sin_addr.s_addr);
659 NLA_PUT_U16(ctx->nl_msg, OVPN_A_PEER_REMOTE_PORT,
660 ovpn->remote.in4.sin_port);
661 break;
662 case AF_INET6:
663 NLA_PUT(ctx->nl_msg, OVPN_A_PEER_REMOTE_IPV6,
664 sizeof(ovpn->remote.in6.sin6_addr),
665 &ovpn->remote.in6.sin6_addr);
666 NLA_PUT_U32(ctx->nl_msg,
667 OVPN_A_PEER_REMOTE_IPV6_SCOPE_ID,
668 ovpn->remote.in6.sin6_scope_id);
669 NLA_PUT_U16(ctx->nl_msg, OVPN_A_PEER_REMOTE_PORT,
670 ovpn->remote.in6.sin6_port);
671 break;
672 default:
673 fprintf(stderr,
674 "Invalid family for remote socket address\n");
675 goto nla_put_failure;
676 }
677 }
678
679 if (ovpn->peer_ip_set) {
680 switch (ovpn->peer_ip.in4.sin_family) {
681 case AF_INET:
682 NLA_PUT_U32(ctx->nl_msg, OVPN_A_PEER_VPN_IPV4,
683 ovpn->peer_ip.in4.sin_addr.s_addr);
684 break;
685 case AF_INET6:
686 NLA_PUT(ctx->nl_msg, OVPN_A_PEER_VPN_IPV6,
687 sizeof(struct in6_addr),
688 &ovpn->peer_ip.in6.sin6_addr);
689 break;
690 default:
691 fprintf(stderr, "Invalid family for peer address\n");
692 goto nla_put_failure;
693 }
694 }
695
696 nla_nest_end(ctx->nl_msg, attr);
697
698 ret = ovpn_nl_msg_send(ctx, NULL);
699 nla_put_failure:
700 nl_ctx_free(ctx);
701 return ret;
702 }
703
ovpn_set_peer(struct ovpn_ctx * ovpn)704 static int ovpn_set_peer(struct ovpn_ctx *ovpn)
705 {
706 struct nlattr *attr;
707 struct nl_ctx *ctx;
708 int ret = -1;
709
710 ctx = nl_ctx_alloc(ovpn, OVPN_CMD_PEER_SET);
711 if (!ctx)
712 return -ENOMEM;
713
714 attr = nla_nest_start(ctx->nl_msg, OVPN_A_PEER);
715 NLA_PUT_U32(ctx->nl_msg, OVPN_A_PEER_ID, ovpn->peer_id);
716 NLA_PUT_U32(ctx->nl_msg, OVPN_A_PEER_KEEPALIVE_INTERVAL,
717 ovpn->keepalive_interval);
718 NLA_PUT_U32(ctx->nl_msg, OVPN_A_PEER_KEEPALIVE_TIMEOUT,
719 ovpn->keepalive_timeout);
720 nla_nest_end(ctx->nl_msg, attr);
721
722 ret = ovpn_nl_msg_send(ctx, NULL);
723 nla_put_failure:
724 nl_ctx_free(ctx);
725 return ret;
726 }
727
ovpn_del_peer(struct ovpn_ctx * ovpn)728 static int ovpn_del_peer(struct ovpn_ctx *ovpn)
729 {
730 struct nlattr *attr;
731 struct nl_ctx *ctx;
732 int ret = -1;
733
734 ctx = nl_ctx_alloc(ovpn, OVPN_CMD_PEER_DEL);
735 if (!ctx)
736 return -ENOMEM;
737
738 attr = nla_nest_start(ctx->nl_msg, OVPN_A_PEER);
739 NLA_PUT_U32(ctx->nl_msg, OVPN_A_PEER_ID, ovpn->peer_id);
740 nla_nest_end(ctx->nl_msg, attr);
741
742 ret = ovpn_nl_msg_send(ctx, NULL);
743 nla_put_failure:
744 nl_ctx_free(ctx);
745 return ret;
746 }
747
ovpn_handle_peer(struct nl_msg * msg,void (* arg)__always_unused)748 static int ovpn_handle_peer(struct nl_msg *msg, void (*arg)__always_unused)
749 {
750 struct nlattr *pattrs[OVPN_A_PEER_MAX + 1];
751 struct genlmsghdr *gnlh = nlmsg_data(nlmsg_hdr(msg));
752 struct nlattr *attrs[OVPN_A_MAX + 1];
753 __u16 rport = 0, lport = 0;
754
755 nla_parse(attrs, OVPN_A_MAX, genlmsg_attrdata(gnlh, 0),
756 genlmsg_attrlen(gnlh, 0), NULL);
757
758 if (!attrs[OVPN_A_PEER]) {
759 fprintf(stderr, "no packet content in netlink message\n");
760 return NL_SKIP;
761 }
762
763 nla_parse(pattrs, OVPN_A_PEER_MAX, nla_data(attrs[OVPN_A_PEER]),
764 nla_len(attrs[OVPN_A_PEER]), NULL);
765
766 if (pattrs[OVPN_A_PEER_ID])
767 fprintf(stderr, "* Peer %u\n",
768 nla_get_u32(pattrs[OVPN_A_PEER_ID]));
769
770 if (pattrs[OVPN_A_PEER_SOCKET_NETNSID])
771 fprintf(stderr, "\tsocket NetNS ID: %d\n",
772 nla_get_s32(pattrs[OVPN_A_PEER_SOCKET_NETNSID]));
773
774 if (pattrs[OVPN_A_PEER_VPN_IPV4]) {
775 char buf[INET_ADDRSTRLEN];
776
777 inet_ntop(AF_INET, nla_data(pattrs[OVPN_A_PEER_VPN_IPV4]),
778 buf, sizeof(buf));
779 fprintf(stderr, "\tVPN IPv4: %s\n", buf);
780 }
781
782 if (pattrs[OVPN_A_PEER_VPN_IPV6]) {
783 char buf[INET6_ADDRSTRLEN];
784
785 inet_ntop(AF_INET6, nla_data(pattrs[OVPN_A_PEER_VPN_IPV6]),
786 buf, sizeof(buf));
787 fprintf(stderr, "\tVPN IPv6: %s\n", buf);
788 }
789
790 if (pattrs[OVPN_A_PEER_LOCAL_PORT])
791 lport = ntohs(nla_get_u16(pattrs[OVPN_A_PEER_LOCAL_PORT]));
792
793 if (pattrs[OVPN_A_PEER_REMOTE_PORT])
794 rport = ntohs(nla_get_u16(pattrs[OVPN_A_PEER_REMOTE_PORT]));
795
796 if (pattrs[OVPN_A_PEER_REMOTE_IPV6]) {
797 void *ip = pattrs[OVPN_A_PEER_REMOTE_IPV6];
798 char buf[INET6_ADDRSTRLEN];
799 int scope_id = -1;
800
801 if (pattrs[OVPN_A_PEER_REMOTE_IPV6_SCOPE_ID]) {
802 void *p = pattrs[OVPN_A_PEER_REMOTE_IPV6_SCOPE_ID];
803
804 scope_id = nla_get_u32(p);
805 }
806
807 inet_ntop(AF_INET6, nla_data(ip), buf, sizeof(buf));
808 fprintf(stderr, "\tRemote: %s:%hu (scope-id: %u)\n", buf, rport,
809 scope_id);
810
811 if (pattrs[OVPN_A_PEER_LOCAL_IPV6]) {
812 void *ip = pattrs[OVPN_A_PEER_LOCAL_IPV6];
813
814 inet_ntop(AF_INET6, nla_data(ip), buf, sizeof(buf));
815 fprintf(stderr, "\tLocal: %s:%hu\n", buf, lport);
816 }
817 }
818
819 if (pattrs[OVPN_A_PEER_REMOTE_IPV4]) {
820 void *ip = pattrs[OVPN_A_PEER_REMOTE_IPV4];
821 char buf[INET_ADDRSTRLEN];
822
823 inet_ntop(AF_INET, nla_data(ip), buf, sizeof(buf));
824 fprintf(stderr, "\tRemote: %s:%hu\n", buf, rport);
825
826 if (pattrs[OVPN_A_PEER_LOCAL_IPV4]) {
827 void *p = pattrs[OVPN_A_PEER_LOCAL_IPV4];
828
829 inet_ntop(AF_INET, nla_data(p), buf, sizeof(buf));
830 fprintf(stderr, "\tLocal: %s:%hu\n", buf, lport);
831 }
832 }
833
834 if (pattrs[OVPN_A_PEER_KEEPALIVE_INTERVAL]) {
835 void *p = pattrs[OVPN_A_PEER_KEEPALIVE_INTERVAL];
836
837 fprintf(stderr, "\tKeepalive interval: %u sec\n",
838 nla_get_u32(p));
839 }
840
841 if (pattrs[OVPN_A_PEER_KEEPALIVE_TIMEOUT])
842 fprintf(stderr, "\tKeepalive timeout: %u sec\n",
843 nla_get_u32(pattrs[OVPN_A_PEER_KEEPALIVE_TIMEOUT]));
844
845 if (pattrs[OVPN_A_PEER_VPN_RX_BYTES])
846 fprintf(stderr, "\tVPN RX bytes: %" PRIu64 "\n",
847 ovpn_nla_get_uint(pattrs[OVPN_A_PEER_VPN_RX_BYTES]));
848
849 if (pattrs[OVPN_A_PEER_VPN_TX_BYTES])
850 fprintf(stderr, "\tVPN TX bytes: %" PRIu64 "\n",
851 ovpn_nla_get_uint(pattrs[OVPN_A_PEER_VPN_TX_BYTES]));
852
853 if (pattrs[OVPN_A_PEER_VPN_RX_PACKETS])
854 fprintf(stderr, "\tVPN RX packets: %" PRIu64 "\n",
855 ovpn_nla_get_uint(pattrs[OVPN_A_PEER_VPN_RX_PACKETS]));
856
857 if (pattrs[OVPN_A_PEER_VPN_TX_PACKETS])
858 fprintf(stderr, "\tVPN TX packets: %" PRIu64 "\n",
859 ovpn_nla_get_uint(pattrs[OVPN_A_PEER_VPN_TX_PACKETS]));
860
861 if (pattrs[OVPN_A_PEER_LINK_RX_BYTES])
862 fprintf(stderr, "\tLINK RX bytes: %" PRIu64 "\n",
863 ovpn_nla_get_uint(pattrs[OVPN_A_PEER_LINK_RX_BYTES]));
864
865 if (pattrs[OVPN_A_PEER_LINK_TX_BYTES])
866 fprintf(stderr, "\tLINK TX bytes: %" PRIu64 "\n",
867 ovpn_nla_get_uint(pattrs[OVPN_A_PEER_LINK_TX_BYTES]));
868
869 if (pattrs[OVPN_A_PEER_LINK_RX_PACKETS])
870 fprintf(stderr, "\tLINK RX packets: %" PRIu64 "\n",
871 ovpn_nla_get_uint(pattrs[OVPN_A_PEER_LINK_RX_PACKETS]));
872
873 if (pattrs[OVPN_A_PEER_LINK_TX_PACKETS])
874 fprintf(stderr, "\tLINK TX packets: %" PRIu64 "\n",
875 ovpn_nla_get_uint(pattrs[OVPN_A_PEER_LINK_TX_PACKETS]));
876
877 return NL_SKIP;
878 }
879
ovpn_get_peer(struct ovpn_ctx * ovpn)880 static int ovpn_get_peer(struct ovpn_ctx *ovpn)
881 {
882 int flags = 0, ret = -1;
883 struct nlattr *attr;
884 struct nl_ctx *ctx;
885
886 if (ovpn->peer_id == PEER_ID_UNDEF)
887 flags = NLM_F_DUMP;
888
889 ctx = nl_ctx_alloc_flags(ovpn, OVPN_CMD_PEER_GET, flags);
890 if (!ctx)
891 return -ENOMEM;
892
893 if (ovpn->peer_id != PEER_ID_UNDEF) {
894 attr = nla_nest_start(ctx->nl_msg, OVPN_A_PEER);
895 NLA_PUT_U32(ctx->nl_msg, OVPN_A_PEER_ID, ovpn->peer_id);
896 nla_nest_end(ctx->nl_msg, attr);
897 }
898
899 ret = ovpn_nl_msg_send(ctx, ovpn_handle_peer);
900 nla_put_failure:
901 nl_ctx_free(ctx);
902 return ret;
903 }
904
ovpn_new_key(struct ovpn_ctx * ovpn)905 static int ovpn_new_key(struct ovpn_ctx *ovpn)
906 {
907 struct nlattr *keyconf, *key_dir;
908 struct nl_ctx *ctx;
909 int ret = -1;
910
911 ctx = nl_ctx_alloc(ovpn, OVPN_CMD_KEY_NEW);
912 if (!ctx)
913 return -ENOMEM;
914
915 keyconf = nla_nest_start(ctx->nl_msg, OVPN_A_KEYCONF);
916 NLA_PUT_U32(ctx->nl_msg, OVPN_A_KEYCONF_PEER_ID, ovpn->peer_id);
917 NLA_PUT_U32(ctx->nl_msg, OVPN_A_KEYCONF_SLOT, ovpn->key_slot);
918 NLA_PUT_U32(ctx->nl_msg, OVPN_A_KEYCONF_KEY_ID, ovpn->key_id);
919 NLA_PUT_U32(ctx->nl_msg, OVPN_A_KEYCONF_CIPHER_ALG, ovpn->cipher);
920
921 key_dir = nla_nest_start(ctx->nl_msg, OVPN_A_KEYCONF_ENCRYPT_DIR);
922 NLA_PUT(ctx->nl_msg, OVPN_A_KEYDIR_CIPHER_KEY, KEY_LEN, ovpn->key_enc);
923 NLA_PUT(ctx->nl_msg, OVPN_A_KEYDIR_NONCE_TAIL, NONCE_LEN, ovpn->nonce);
924 nla_nest_end(ctx->nl_msg, key_dir);
925
926 key_dir = nla_nest_start(ctx->nl_msg, OVPN_A_KEYCONF_DECRYPT_DIR);
927 NLA_PUT(ctx->nl_msg, OVPN_A_KEYDIR_CIPHER_KEY, KEY_LEN, ovpn->key_dec);
928 NLA_PUT(ctx->nl_msg, OVPN_A_KEYDIR_NONCE_TAIL, NONCE_LEN, ovpn->nonce);
929 nla_nest_end(ctx->nl_msg, key_dir);
930
931 nla_nest_end(ctx->nl_msg, keyconf);
932
933 ret = ovpn_nl_msg_send(ctx, NULL);
934 nla_put_failure:
935 nl_ctx_free(ctx);
936 return ret;
937 }
938
ovpn_del_key(struct ovpn_ctx * ovpn)939 static int ovpn_del_key(struct ovpn_ctx *ovpn)
940 {
941 struct nlattr *keyconf;
942 struct nl_ctx *ctx;
943 int ret = -1;
944
945 ctx = nl_ctx_alloc(ovpn, OVPN_CMD_KEY_DEL);
946 if (!ctx)
947 return -ENOMEM;
948
949 keyconf = nla_nest_start(ctx->nl_msg, OVPN_A_KEYCONF);
950 NLA_PUT_U32(ctx->nl_msg, OVPN_A_KEYCONF_PEER_ID, ovpn->peer_id);
951 NLA_PUT_U32(ctx->nl_msg, OVPN_A_KEYCONF_SLOT, ovpn->key_slot);
952 nla_nest_end(ctx->nl_msg, keyconf);
953
954 ret = ovpn_nl_msg_send(ctx, NULL);
955 nla_put_failure:
956 nl_ctx_free(ctx);
957 return ret;
958 }
959
ovpn_handle_key(struct nl_msg * msg,void (* arg)__always_unused)960 static int ovpn_handle_key(struct nl_msg *msg, void (*arg)__always_unused)
961 {
962 struct nlattr *kattrs[OVPN_A_KEYCONF_MAX + 1];
963 struct genlmsghdr *gnlh = nlmsg_data(nlmsg_hdr(msg));
964 struct nlattr *attrs[OVPN_A_MAX + 1];
965
966 nla_parse(attrs, OVPN_A_MAX, genlmsg_attrdata(gnlh, 0),
967 genlmsg_attrlen(gnlh, 0), NULL);
968
969 if (!attrs[OVPN_A_KEYCONF]) {
970 fprintf(stderr, "no packet content in netlink message\n");
971 return NL_SKIP;
972 }
973
974 nla_parse(kattrs, OVPN_A_KEYCONF_MAX, nla_data(attrs[OVPN_A_KEYCONF]),
975 nla_len(attrs[OVPN_A_KEYCONF]), NULL);
976
977 if (kattrs[OVPN_A_KEYCONF_PEER_ID])
978 fprintf(stderr, "* Peer %u\n",
979 nla_get_u32(kattrs[OVPN_A_KEYCONF_PEER_ID]));
980 if (kattrs[OVPN_A_KEYCONF_SLOT]) {
981 fprintf(stderr, "\t- Slot: ");
982 switch (nla_get_u32(kattrs[OVPN_A_KEYCONF_SLOT])) {
983 case OVPN_KEY_SLOT_PRIMARY:
984 fprintf(stderr, "primary\n");
985 break;
986 case OVPN_KEY_SLOT_SECONDARY:
987 fprintf(stderr, "secondary\n");
988 break;
989 default:
990 fprintf(stderr, "invalid (%u)\n",
991 nla_get_u32(kattrs[OVPN_A_KEYCONF_SLOT]));
992 break;
993 }
994 }
995 if (kattrs[OVPN_A_KEYCONF_KEY_ID])
996 fprintf(stderr, "\t- Key ID: %u\n",
997 nla_get_u32(kattrs[OVPN_A_KEYCONF_KEY_ID]));
998 if (kattrs[OVPN_A_KEYCONF_CIPHER_ALG]) {
999 fprintf(stderr, "\t- Cipher: ");
1000 switch (nla_get_u32(kattrs[OVPN_A_KEYCONF_CIPHER_ALG])) {
1001 case OVPN_CIPHER_ALG_NONE:
1002 fprintf(stderr, "none\n");
1003 break;
1004 case OVPN_CIPHER_ALG_AES_GCM:
1005 fprintf(stderr, "aes-gcm\n");
1006 break;
1007 case OVPN_CIPHER_ALG_CHACHA20_POLY1305:
1008 fprintf(stderr, "chacha20poly1305\n");
1009 break;
1010 default:
1011 fprintf(stderr, "invalid (%u)\n",
1012 nla_get_u32(kattrs[OVPN_A_KEYCONF_CIPHER_ALG]));
1013 break;
1014 }
1015 }
1016
1017 return NL_SKIP;
1018 }
1019
ovpn_get_key(struct ovpn_ctx * ovpn)1020 static int ovpn_get_key(struct ovpn_ctx *ovpn)
1021 {
1022 struct nlattr *keyconf;
1023 struct nl_ctx *ctx;
1024 int ret = -1;
1025
1026 ctx = nl_ctx_alloc(ovpn, OVPN_CMD_KEY_GET);
1027 if (!ctx)
1028 return -ENOMEM;
1029
1030 keyconf = nla_nest_start(ctx->nl_msg, OVPN_A_KEYCONF);
1031 NLA_PUT_U32(ctx->nl_msg, OVPN_A_KEYCONF_PEER_ID, ovpn->peer_id);
1032 NLA_PUT_U32(ctx->nl_msg, OVPN_A_KEYCONF_SLOT, ovpn->key_slot);
1033 nla_nest_end(ctx->nl_msg, keyconf);
1034
1035 ret = ovpn_nl_msg_send(ctx, ovpn_handle_key);
1036 nla_put_failure:
1037 nl_ctx_free(ctx);
1038 return ret;
1039 }
1040
ovpn_swap_keys(struct ovpn_ctx * ovpn)1041 static int ovpn_swap_keys(struct ovpn_ctx *ovpn)
1042 {
1043 struct nl_ctx *ctx;
1044 struct nlattr *kc;
1045 int ret = -1;
1046
1047 ctx = nl_ctx_alloc(ovpn, OVPN_CMD_KEY_SWAP);
1048 if (!ctx)
1049 return -ENOMEM;
1050
1051 kc = nla_nest_start(ctx->nl_msg, OVPN_A_KEYCONF);
1052 NLA_PUT_U32(ctx->nl_msg, OVPN_A_KEYCONF_PEER_ID, ovpn->peer_id);
1053 nla_nest_end(ctx->nl_msg, kc);
1054
1055 ret = ovpn_nl_msg_send(ctx, NULL);
1056 nla_put_failure:
1057 nl_ctx_free(ctx);
1058 return ret;
1059 }
1060
1061 /* Helper function used to easily add attributes to a rtnl message */
ovpn_addattr(struct nlmsghdr * n,int maxlen,int type,const void * data,int alen)1062 static int ovpn_addattr(struct nlmsghdr *n, int maxlen, int type,
1063 const void *data, int alen)
1064 {
1065 int len = RTA_LENGTH(alen);
1066 struct rtattr *rta;
1067
1068 if ((int)(NLMSG_ALIGN(n->nlmsg_len) + RTA_ALIGN(len)) > maxlen) {
1069 fprintf(stderr, "%s: rtnl: message exceeded bound of %d\n",
1070 __func__, maxlen);
1071 return -EMSGSIZE;
1072 }
1073
1074 rta = nlmsg_tail(n);
1075 rta->rta_type = type;
1076 rta->rta_len = len;
1077
1078 if (!data)
1079 memset(RTA_DATA(rta), 0, alen);
1080 else
1081 memcpy(RTA_DATA(rta), data, alen);
1082
1083 n->nlmsg_len = NLMSG_ALIGN(n->nlmsg_len) + RTA_ALIGN(len);
1084
1085 return 0;
1086 }
1087
ovpn_nest_start(struct nlmsghdr * msg,size_t max_size,int attr)1088 static struct rtattr *ovpn_nest_start(struct nlmsghdr *msg, size_t max_size,
1089 int attr)
1090 {
1091 struct rtattr *nest = nlmsg_tail(msg);
1092
1093 if (ovpn_addattr(msg, max_size, attr, NULL, 0) < 0)
1094 return NULL;
1095
1096 return nest;
1097 }
1098
ovpn_nest_end(struct nlmsghdr * msg,struct rtattr * nest)1099 static void ovpn_nest_end(struct nlmsghdr *msg, struct rtattr *nest)
1100 {
1101 nest->rta_len = (uint8_t *)nlmsg_tail(msg) - (uint8_t *)nest;
1102 }
1103
1104 #define RT_SNDBUF_SIZE (1024 * 2)
1105 #define RT_RCVBUF_SIZE (1024 * 4)
1106
1107 /* Open RTNL socket */
ovpn_rt_socket(void)1108 static int ovpn_rt_socket(void)
1109 {
1110 int sndbuf = RT_SNDBUF_SIZE, rcvbuf = RT_RCVBUF_SIZE, fd;
1111
1112 fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE);
1113 if (fd < 0) {
1114 fprintf(stderr, "%s: cannot open netlink socket\n", __func__);
1115 return fd;
1116 }
1117
1118 if (setsockopt(fd, SOL_SOCKET, SO_SNDBUF, &sndbuf,
1119 sizeof(sndbuf)) < 0) {
1120 fprintf(stderr, "%s: SO_SNDBUF\n", __func__);
1121 close(fd);
1122 return -1;
1123 }
1124
1125 if (setsockopt(fd, SOL_SOCKET, SO_RCVBUF, &rcvbuf,
1126 sizeof(rcvbuf)) < 0) {
1127 fprintf(stderr, "%s: SO_RCVBUF\n", __func__);
1128 close(fd);
1129 return -1;
1130 }
1131
1132 return fd;
1133 }
1134
1135 /* Bind socket to Netlink subsystem */
ovpn_rt_bind(int fd,uint32_t groups)1136 static int ovpn_rt_bind(int fd, uint32_t groups)
1137 {
1138 struct sockaddr_nl local = { 0 };
1139 socklen_t addr_len;
1140
1141 local.nl_family = AF_NETLINK;
1142 local.nl_groups = groups;
1143
1144 if (bind(fd, (struct sockaddr *)&local, sizeof(local)) < 0) {
1145 fprintf(stderr, "%s: cannot bind netlink socket: %d\n",
1146 __func__, errno);
1147 return -errno;
1148 }
1149
1150 addr_len = sizeof(local);
1151 if (getsockname(fd, (struct sockaddr *)&local, &addr_len) < 0) {
1152 fprintf(stderr, "%s: cannot getsockname: %d\n", __func__,
1153 errno);
1154 return -errno;
1155 }
1156
1157 if (addr_len != sizeof(local)) {
1158 fprintf(stderr, "%s: wrong address length %d\n", __func__,
1159 addr_len);
1160 return -EINVAL;
1161 }
1162
1163 if (local.nl_family != AF_NETLINK) {
1164 fprintf(stderr, "%s: wrong address family %d\n", __func__,
1165 local.nl_family);
1166 return -EINVAL;
1167 }
1168
1169 return 0;
1170 }
1171
1172 typedef int (*ovpn_parse_reply_cb)(struct nlmsghdr *msg, void *arg);
1173
1174 /* Send Netlink message and run callback on reply (if specified) */
ovpn_rt_send(struct nlmsghdr * payload,pid_t peer,unsigned int groups,ovpn_parse_reply_cb cb,void * arg_cb)1175 static int ovpn_rt_send(struct nlmsghdr *payload, pid_t peer,
1176 unsigned int groups, ovpn_parse_reply_cb cb,
1177 void *arg_cb)
1178 {
1179 int len, rem_len, fd, ret, rcv_len;
1180 struct sockaddr_nl nladdr = { 0 };
1181 struct nlmsgerr *err;
1182 struct nlmsghdr *h;
1183 char buf[1024 * 16];
1184 struct iovec iov = {
1185 .iov_base = payload,
1186 .iov_len = payload->nlmsg_len,
1187 };
1188 struct msghdr nlmsg = {
1189 .msg_name = &nladdr,
1190 .msg_namelen = sizeof(nladdr),
1191 .msg_iov = &iov,
1192 .msg_iovlen = 1,
1193 };
1194
1195 nladdr.nl_family = AF_NETLINK;
1196 nladdr.nl_pid = peer;
1197 nladdr.nl_groups = groups;
1198
1199 payload->nlmsg_seq = time(NULL);
1200
1201 /* no need to send reply */
1202 if (!cb)
1203 payload->nlmsg_flags |= NLM_F_ACK;
1204
1205 fd = ovpn_rt_socket();
1206 if (fd < 0) {
1207 fprintf(stderr, "%s: can't open rtnl socket\n", __func__);
1208 return -errno;
1209 }
1210
1211 ret = ovpn_rt_bind(fd, 0);
1212 if (ret < 0) {
1213 fprintf(stderr, "%s: can't bind rtnl socket\n", __func__);
1214 ret = -errno;
1215 goto out;
1216 }
1217
1218 ret = sendmsg(fd, &nlmsg, 0);
1219 if (ret < 0) {
1220 fprintf(stderr, "%s: rtnl: error on sendmsg()\n", __func__);
1221 ret = -errno;
1222 goto out;
1223 }
1224
1225 /* prepare buffer to store RTNL replies */
1226 memset(buf, 0, sizeof(buf));
1227 iov.iov_base = buf;
1228
1229 while (1) {
1230 /*
1231 * iov_len is modified by recvmsg(), therefore has to be initialized before
1232 * using it again
1233 */
1234 iov.iov_len = sizeof(buf);
1235 rcv_len = recvmsg(fd, &nlmsg, 0);
1236 if (rcv_len < 0) {
1237 if (errno == EINTR || errno == EAGAIN) {
1238 fprintf(stderr, "%s: interrupted call\n",
1239 __func__);
1240 continue;
1241 }
1242 fprintf(stderr, "%s: rtnl: error on recvmsg()\n",
1243 __func__);
1244 ret = -errno;
1245 goto out;
1246 }
1247
1248 if (rcv_len == 0) {
1249 fprintf(stderr,
1250 "%s: rtnl: socket reached unexpected EOF\n",
1251 __func__);
1252 ret = -EIO;
1253 goto out;
1254 }
1255
1256 if (nlmsg.msg_namelen != sizeof(nladdr)) {
1257 fprintf(stderr,
1258 "%s: sender address length: %u (expected %zu)\n",
1259 __func__, nlmsg.msg_namelen, sizeof(nladdr));
1260 ret = -EIO;
1261 goto out;
1262 }
1263
1264 h = (struct nlmsghdr *)buf;
1265 while (rcv_len >= (int)sizeof(*h)) {
1266 len = h->nlmsg_len;
1267 rem_len = len - sizeof(*h);
1268
1269 if (rem_len < 0 || len > rcv_len) {
1270 if (nlmsg.msg_flags & MSG_TRUNC) {
1271 fprintf(stderr, "%s: truncated message\n",
1272 __func__);
1273 ret = -EIO;
1274 goto out;
1275 }
1276 fprintf(stderr, "%s: malformed message: len=%d\n",
1277 __func__, len);
1278 ret = -EIO;
1279 goto out;
1280 }
1281
1282 if (h->nlmsg_type == NLMSG_DONE) {
1283 ret = 0;
1284 goto out;
1285 }
1286
1287 if (h->nlmsg_type == NLMSG_ERROR) {
1288 err = (struct nlmsgerr *)NLMSG_DATA(h);
1289 if (rem_len < (int)sizeof(struct nlmsgerr)) {
1290 fprintf(stderr, "%s: ERROR truncated\n",
1291 __func__);
1292 ret = -EIO;
1293 goto out;
1294 }
1295
1296 if (err->error) {
1297 fprintf(stderr, "%s: (%d) %s\n",
1298 __func__, err->error,
1299 strerror(-err->error));
1300 ret = err->error;
1301 goto out;
1302 }
1303
1304 ret = 0;
1305 if (cb) {
1306 int r = cb(h, arg_cb);
1307
1308 if (r <= 0)
1309 ret = r;
1310 }
1311 goto out;
1312 }
1313
1314 if (cb) {
1315 int r = cb(h, arg_cb);
1316
1317 if (r <= 0) {
1318 ret = r;
1319 goto out;
1320 }
1321 } else {
1322 fprintf(stderr, "%s: RTNL: unexpected reply\n",
1323 __func__);
1324 }
1325
1326 rcv_len -= NLMSG_ALIGN(len);
1327 h = (struct nlmsghdr *)((uint8_t *)h +
1328 NLMSG_ALIGN(len));
1329 }
1330
1331 if (nlmsg.msg_flags & MSG_TRUNC) {
1332 fprintf(stderr, "%s: message truncated\n", __func__);
1333 continue;
1334 }
1335
1336 if (rcv_len) {
1337 fprintf(stderr, "%s: rtnl: %d not parsed bytes\n",
1338 __func__, rcv_len);
1339 ret = -1;
1340 goto out;
1341 }
1342 }
1343 out:
1344 close(fd);
1345
1346 return ret;
1347 }
1348
1349 struct ovpn_link_req {
1350 struct nlmsghdr n;
1351 struct ifinfomsg i;
1352 char buf[256];
1353 };
1354
ovpn_new_iface(struct ovpn_ctx * ovpn)1355 static int ovpn_new_iface(struct ovpn_ctx *ovpn)
1356 {
1357 struct rtattr *linkinfo, *data;
1358 struct ovpn_link_req req = { 0 };
1359 int ret = -1;
1360
1361 fprintf(stdout, "Creating interface %s with mode %u\n", ovpn->ifname,
1362 ovpn->mode);
1363
1364 req.n.nlmsg_len = NLMSG_LENGTH(sizeof(req.i));
1365 req.n.nlmsg_flags = NLM_F_REQUEST | NLM_F_CREATE | NLM_F_EXCL;
1366 req.n.nlmsg_type = RTM_NEWLINK;
1367
1368 if (ovpn_addattr(&req.n, sizeof(req), IFLA_IFNAME, ovpn->ifname,
1369 strlen(ovpn->ifname) + 1) < 0)
1370 goto err;
1371
1372 linkinfo = ovpn_nest_start(&req.n, sizeof(req), IFLA_LINKINFO);
1373 if (!linkinfo)
1374 goto err;
1375
1376 if (ovpn_addattr(&req.n, sizeof(req), IFLA_INFO_KIND, OVPN_FAMILY_NAME,
1377 strlen(OVPN_FAMILY_NAME) + 1) < 0)
1378 goto err;
1379
1380 if (ovpn->mode_set) {
1381 data = ovpn_nest_start(&req.n, sizeof(req), IFLA_INFO_DATA);
1382 if (!data)
1383 goto err;
1384
1385 if (ovpn_addattr(&req.n, sizeof(req), IFLA_OVPN_MODE,
1386 &ovpn->mode, sizeof(uint8_t)) < 0)
1387 goto err;
1388
1389 ovpn_nest_end(&req.n, data);
1390 }
1391
1392 ovpn_nest_end(&req.n, linkinfo);
1393
1394 req.i.ifi_family = AF_PACKET;
1395
1396 ret = ovpn_rt_send(&req.n, 0, 0, NULL, NULL);
1397 err:
1398 return ret;
1399 }
1400
ovpn_del_iface(struct ovpn_ctx * ovpn)1401 static int ovpn_del_iface(struct ovpn_ctx *ovpn)
1402 {
1403 struct ovpn_link_req req = { 0 };
1404
1405 fprintf(stdout, "Deleting interface %s ifindex %u\n", ovpn->ifname,
1406 ovpn->ifindex);
1407
1408 req.n.nlmsg_len = NLMSG_LENGTH(sizeof(req.i));
1409 req.n.nlmsg_flags = NLM_F_REQUEST;
1410 req.n.nlmsg_type = RTM_DELLINK;
1411
1412 req.i.ifi_family = AF_PACKET;
1413 req.i.ifi_index = ovpn->ifindex;
1414
1415 return ovpn_rt_send(&req.n, 0, 0, NULL, NULL);
1416 }
1417
nl_seq_check(struct nl_msg (* msg)__always_unused,void (* arg)__always_unused)1418 static int nl_seq_check(struct nl_msg (*msg)__always_unused,
1419 void (*arg)__always_unused)
1420 {
1421 return NL_OK;
1422 }
1423
1424 struct mcast_handler_args {
1425 const char *group;
1426 int id;
1427 };
1428
mcast_family_handler(struct nl_msg * msg,void * arg)1429 static int mcast_family_handler(struct nl_msg *msg, void *arg)
1430 {
1431 struct mcast_handler_args *grp = arg;
1432 struct nlattr *tb[CTRL_ATTR_MAX + 1];
1433 struct genlmsghdr *gnlh = nlmsg_data(nlmsg_hdr(msg));
1434 struct nlattr *mcgrp;
1435 int rem_mcgrp;
1436
1437 nla_parse(tb, CTRL_ATTR_MAX, genlmsg_attrdata(gnlh, 0),
1438 genlmsg_attrlen(gnlh, 0), NULL);
1439
1440 if (!tb[CTRL_ATTR_MCAST_GROUPS])
1441 return NL_SKIP;
1442
1443 nla_for_each_nested(mcgrp, tb[CTRL_ATTR_MCAST_GROUPS], rem_mcgrp) {
1444 struct nlattr *tb_mcgrp[CTRL_ATTR_MCAST_GRP_MAX + 1];
1445
1446 nla_parse(tb_mcgrp, CTRL_ATTR_MCAST_GRP_MAX,
1447 nla_data(mcgrp), nla_len(mcgrp), NULL);
1448
1449 if (!tb_mcgrp[CTRL_ATTR_MCAST_GRP_NAME] ||
1450 !tb_mcgrp[CTRL_ATTR_MCAST_GRP_ID])
1451 continue;
1452 if (strncmp(nla_data(tb_mcgrp[CTRL_ATTR_MCAST_GRP_NAME]),
1453 grp->group, nla_len(tb_mcgrp[CTRL_ATTR_MCAST_GRP_NAME])))
1454 continue;
1455 grp->id = nla_get_u32(tb_mcgrp[CTRL_ATTR_MCAST_GRP_ID]);
1456 break;
1457 }
1458
1459 return NL_SKIP;
1460 }
1461
mcast_error_handler(struct sockaddr_nl (* nla)__always_unused,struct nlmsgerr * err,void * arg)1462 static int mcast_error_handler(struct sockaddr_nl (*nla)__always_unused,
1463 struct nlmsgerr *err, void *arg)
1464 {
1465 int *ret = arg;
1466
1467 *ret = err->error;
1468 return NL_STOP;
1469 }
1470
mcast_ack_handler(struct nl_msg (* msg)__always_unused,void * arg)1471 static int mcast_ack_handler(struct nl_msg (*msg)__always_unused, void *arg)
1472 {
1473 int *ret = arg;
1474
1475 *ret = 0;
1476 return NL_STOP;
1477 }
1478
ovpn_handle_msg(struct nl_msg * msg,void * arg)1479 static int ovpn_handle_msg(struct nl_msg *msg, void *arg)
1480 {
1481 struct genlmsghdr *gnlh = nlmsg_data(nlmsg_hdr(msg));
1482 struct nlattr *attrs[OVPN_A_MAX + 1];
1483 struct nlmsghdr *nlh = nlmsg_hdr(msg);
1484 char ifname[IF_NAMESIZE];
1485 int *ret = arg;
1486 __u32 ifindex;
1487
1488 fprintf(stderr, "received message from ovpn-dco\n");
1489
1490 *ret = -1;
1491
1492 if (!genlmsg_valid_hdr(nlh, 0)) {
1493 fprintf(stderr, "invalid header\n");
1494 return NL_STOP;
1495 }
1496
1497 if (nla_parse(attrs, OVPN_A_MAX, genlmsg_attrdata(gnlh, 0),
1498 genlmsg_attrlen(gnlh, 0), NULL)) {
1499 fprintf(stderr, "received bogus data from ovpn-dco\n");
1500 return NL_STOP;
1501 }
1502
1503 if (!attrs[OVPN_A_IFINDEX]) {
1504 fprintf(stderr, "no ifindex in this message\n");
1505 return NL_STOP;
1506 }
1507
1508 ifindex = nla_get_u32(attrs[OVPN_A_IFINDEX]);
1509 if (!if_indextoname(ifindex, ifname)) {
1510 fprintf(stderr, "cannot resolve ifname for ifindex: %u\n",
1511 ifindex);
1512 return NL_STOP;
1513 }
1514
1515 switch (gnlh->cmd) {
1516 case OVPN_CMD_PEER_DEL_NTF:
1517 fprintf(stdout, "received CMD_PEER_DEL_NTF\n");
1518 break;
1519 case OVPN_CMD_KEY_SWAP_NTF:
1520 fprintf(stdout, "received CMD_KEY_SWAP_NTF\n");
1521 break;
1522 default:
1523 fprintf(stderr, "received unknown command: %d\n", gnlh->cmd);
1524 return NL_STOP;
1525 }
1526
1527 *ret = 0;
1528 return NL_OK;
1529 }
1530
ovpn_get_mcast_id(struct nl_sock * sock,const char * family,const char * group)1531 static int ovpn_get_mcast_id(struct nl_sock *sock, const char *family,
1532 const char *group)
1533 {
1534 struct nl_msg *msg;
1535 struct nl_cb *cb;
1536 int ret, ctrlid;
1537 struct mcast_handler_args grp = {
1538 .group = group,
1539 .id = -ENOENT,
1540 };
1541
1542 msg = nlmsg_alloc();
1543 if (!msg)
1544 return -ENOMEM;
1545
1546 cb = nl_cb_alloc(NL_CB_DEFAULT);
1547 if (!cb) {
1548 ret = -ENOMEM;
1549 goto out_fail_cb;
1550 }
1551
1552 ctrlid = genl_ctrl_resolve(sock, "nlctrl");
1553
1554 genlmsg_put(msg, 0, 0, ctrlid, 0, 0, CTRL_CMD_GETFAMILY, 0);
1555
1556 ret = -ENOBUFS;
1557 NLA_PUT_STRING(msg, CTRL_ATTR_FAMILY_NAME, family);
1558
1559 ret = nl_send_auto_complete(sock, msg);
1560 if (ret < 0)
1561 goto nla_put_failure;
1562
1563 ret = 1;
1564
1565 nl_cb_err(cb, NL_CB_CUSTOM, mcast_error_handler, &ret);
1566 nl_cb_set(cb, NL_CB_ACK, NL_CB_CUSTOM, mcast_ack_handler, &ret);
1567 nl_cb_set(cb, NL_CB_VALID, NL_CB_CUSTOM, mcast_family_handler, &grp);
1568
1569 while (ret > 0)
1570 nl_recvmsgs(sock, cb);
1571
1572 if (ret == 0)
1573 ret = grp.id;
1574 nla_put_failure:
1575 nl_cb_put(cb);
1576 out_fail_cb:
1577 nlmsg_free(msg);
1578 return ret;
1579 }
1580
ovpn_listen_mcast(void)1581 static int ovpn_listen_mcast(void)
1582 {
1583 struct nl_sock *sock;
1584 struct nl_cb *cb;
1585 int mcid, ret;
1586
1587 sock = nl_socket_alloc();
1588 if (!sock) {
1589 fprintf(stderr, "cannot allocate netlink socket\n");
1590 ret = -ENOMEM;
1591 goto err_free;
1592 }
1593
1594 nl_socket_set_buffer_size(sock, 8192, 8192);
1595
1596 ret = genl_connect(sock);
1597 if (ret < 0) {
1598 fprintf(stderr, "cannot connect to generic netlink: %s\n",
1599 nl_geterror(ret));
1600 goto err_free;
1601 }
1602
1603 mcid = ovpn_get_mcast_id(sock, OVPN_FAMILY_NAME, OVPN_MCGRP_PEERS);
1604 if (mcid < 0) {
1605 fprintf(stderr, "cannot get mcast group: %s\n",
1606 nl_geterror(mcid));
1607 goto err_free;
1608 }
1609
1610 ret = nl_socket_add_membership(sock, mcid);
1611 if (ret) {
1612 fprintf(stderr, "failed to join mcast group: %d\n", ret);
1613 goto err_free;
1614 }
1615
1616 ret = 1;
1617 cb = nl_cb_alloc(NL_CB_DEFAULT);
1618 nl_cb_set(cb, NL_CB_SEQ_CHECK, NL_CB_CUSTOM, nl_seq_check, NULL);
1619 nl_cb_set(cb, NL_CB_VALID, NL_CB_CUSTOM, ovpn_handle_msg, &ret);
1620 nl_cb_err(cb, NL_CB_CUSTOM, ovpn_nl_cb_error, &ret);
1621
1622 while (ret == 1) {
1623 int err = nl_recvmsgs(sock, cb);
1624
1625 if (err < 0) {
1626 fprintf(stderr,
1627 "cannot receive netlink message: (%d) %s\n",
1628 err, nl_geterror(-err));
1629 ret = -1;
1630 break;
1631 }
1632 }
1633
1634 nl_cb_put(cb);
1635 err_free:
1636 nl_socket_free(sock);
1637 return ret;
1638 }
1639
usage(const char * cmd)1640 static void usage(const char *cmd)
1641 {
1642 fprintf(stderr,
1643 "Usage %s <command> <iface> [arguments..]\n",
1644 cmd);
1645 fprintf(stderr, "where <command> can be one of the following\n\n");
1646
1647 fprintf(stderr, "* new_iface <iface> [mode]: create new ovpn interface\n");
1648 fprintf(stderr, "\tiface: ovpn interface name\n");
1649 fprintf(stderr, "\tmode:\n");
1650 fprintf(stderr, "\t\t- P2P for peer-to-peer mode (i.e. client)\n");
1651 fprintf(stderr, "\t\t- MP for multi-peer mode (i.e. server)\n");
1652
1653 fprintf(stderr, "* del_iface <iface>: delete ovpn interface\n");
1654 fprintf(stderr, "\tiface: ovpn interface name\n");
1655
1656 fprintf(stderr,
1657 "* listen <iface> <lport> <peers_file> [ipv6]: listen for incoming peer TCP connections\n");
1658 fprintf(stderr, "\tiface: ovpn interface name\n");
1659 fprintf(stderr, "\tlport: TCP port to listen to\n");
1660 fprintf(stderr,
1661 "\tpeers_file: file containing one peer per line: Line format:\n");
1662 fprintf(stderr, "\t\t<peer_id> <vpnaddr>\n");
1663 fprintf(stderr,
1664 "\tipv6: whether the socket should listen to the IPv6 wildcard address\n");
1665
1666 fprintf(stderr,
1667 "* connect <iface> <peer_id> <raddr> <rport> [key_file]: start connecting peer of TCP-based VPN session\n");
1668 fprintf(stderr, "\tiface: ovpn interface name\n");
1669 fprintf(stderr, "\tpeer_id: peer ID of the connecting peer\n");
1670 fprintf(stderr, "\traddr: peer IP address to connect to\n");
1671 fprintf(stderr, "\trport: peer TCP port to connect to\n");
1672 fprintf(stderr,
1673 "\tkey_file: file containing the symmetric key for encryption\n");
1674
1675 fprintf(stderr,
1676 "* new_peer <iface> <peer_id> <lport> <raddr> <rport> [vpnaddr]: add new peer\n");
1677 fprintf(stderr, "\tiface: ovpn interface name\n");
1678 fprintf(stderr, "\tlport: local UDP port to bind to\n");
1679 fprintf(stderr,
1680 "\tpeer_id: peer ID to be used in data packets to/from this peer\n");
1681 fprintf(stderr, "\traddr: peer IP address\n");
1682 fprintf(stderr, "\trport: peer UDP port\n");
1683 fprintf(stderr, "\tvpnaddr: peer VPN IP\n");
1684
1685 fprintf(stderr,
1686 "* new_multi_peer <iface> <lport> <peers_file>: add multiple peers as listed in the file\n");
1687 fprintf(stderr, "\tiface: ovpn interface name\n");
1688 fprintf(stderr, "\tlport: local UDP port to bind to\n");
1689 fprintf(stderr,
1690 "\tpeers_file: text file containing one peer per line. Line format:\n");
1691 fprintf(stderr, "\t\t<peer_id> <raddr> <rport> <vpnaddr>\n");
1692
1693 fprintf(stderr,
1694 "* set_peer <iface> <peer_id> <keepalive_interval> <keepalive_timeout>: set peer attributes\n");
1695 fprintf(stderr, "\tiface: ovpn interface name\n");
1696 fprintf(stderr, "\tpeer_id: peer ID of the peer to modify\n");
1697 fprintf(stderr,
1698 "\tkeepalive_interval: interval for sending ping messages\n");
1699 fprintf(stderr,
1700 "\tkeepalive_timeout: time after which a peer is timed out\n");
1701
1702 fprintf(stderr, "* del_peer <iface> <peer_id>: delete peer\n");
1703 fprintf(stderr, "\tiface: ovpn interface name\n");
1704 fprintf(stderr, "\tpeer_id: peer ID of the peer to delete\n");
1705
1706 fprintf(stderr, "* get_peer <iface> [peer_id]: retrieve peer(s) status\n");
1707 fprintf(stderr, "\tiface: ovpn interface name\n");
1708 fprintf(stderr,
1709 "\tpeer_id: peer ID of the peer to query. All peers are returned if omitted\n");
1710
1711 fprintf(stderr,
1712 "* new_key <iface> <peer_id> <slot> <key_id> <cipher> <key_dir> <key_file>: set data channel key\n");
1713 fprintf(stderr, "\tiface: ovpn interface name\n");
1714 fprintf(stderr,
1715 "\tpeer_id: peer ID of the peer to configure the key for\n");
1716 fprintf(stderr, "\tslot: either 1 (primary) or 2 (secondary)\n");
1717 fprintf(stderr, "\tkey_id: an ID from 0 to 7\n");
1718 fprintf(stderr,
1719 "\tcipher: cipher to use, supported: aes (AES-GCM), chachapoly (CHACHA20POLY1305)\n");
1720 fprintf(stderr,
1721 "\tkey_dir: key direction, must 0 on one host and 1 on the other\n");
1722 fprintf(stderr, "\tkey_file: file containing the pre-shared key\n");
1723
1724 fprintf(stderr,
1725 "* del_key <iface> <peer_id> [slot]: erase existing data channel key\n");
1726 fprintf(stderr, "\tiface: ovpn interface name\n");
1727 fprintf(stderr, "\tpeer_id: peer ID of the peer to modify\n");
1728 fprintf(stderr, "\tslot: slot to erase. PRIMARY if omitted\n");
1729
1730 fprintf(stderr,
1731 "* get_key <iface> <peer_id> <slot>: retrieve non sensible key data\n");
1732 fprintf(stderr, "\tiface: ovpn interface name\n");
1733 fprintf(stderr, "\tpeer_id: peer ID of the peer to query\n");
1734 fprintf(stderr, "\tslot: either 1 (primary) or 2 (secondary)\n");
1735
1736 fprintf(stderr,
1737 "* swap_keys <iface> <peer_id>: swap content of primary and secondary key slots\n");
1738 fprintf(stderr, "\tiface: ovpn interface name\n");
1739 fprintf(stderr, "\tpeer_id: peer ID of the peer to modify\n");
1740
1741 fprintf(stderr,
1742 "* listen_mcast: listen to ovpn netlink multicast messages\n");
1743 }
1744
ovpn_parse_remote(struct ovpn_ctx * ovpn,const char * host,const char * service,const char * vpnip)1745 static int ovpn_parse_remote(struct ovpn_ctx *ovpn, const char *host,
1746 const char *service, const char *vpnip)
1747 {
1748 int ret;
1749 struct addrinfo *result;
1750 struct addrinfo hints = {
1751 .ai_family = ovpn->sa_family,
1752 .ai_socktype = SOCK_DGRAM,
1753 .ai_protocol = IPPROTO_UDP
1754 };
1755
1756 if (host) {
1757 ret = getaddrinfo(host, service, &hints, &result);
1758 if (ret) {
1759 fprintf(stderr, "getaddrinfo on remote error: %s\n",
1760 gai_strerror(ret));
1761 return -1;
1762 }
1763
1764 if (!(result->ai_family == AF_INET &&
1765 result->ai_addrlen == sizeof(struct sockaddr_in)) &&
1766 !(result->ai_family == AF_INET6 &&
1767 result->ai_addrlen == sizeof(struct sockaddr_in6))) {
1768 ret = -EINVAL;
1769 goto out;
1770 }
1771
1772 memcpy(&ovpn->remote, result->ai_addr, result->ai_addrlen);
1773 }
1774
1775 if (vpnip) {
1776 ret = getaddrinfo(vpnip, NULL, &hints, &result);
1777 if (ret) {
1778 fprintf(stderr, "getaddrinfo on vpnip error: %s\n",
1779 gai_strerror(ret));
1780 return -1;
1781 }
1782
1783 if (!(result->ai_family == AF_INET &&
1784 result->ai_addrlen == sizeof(struct sockaddr_in)) &&
1785 !(result->ai_family == AF_INET6 &&
1786 result->ai_addrlen == sizeof(struct sockaddr_in6))) {
1787 ret = -EINVAL;
1788 goto out;
1789 }
1790
1791 memcpy(&ovpn->peer_ip, result->ai_addr, result->ai_addrlen);
1792 ovpn->sa_family = result->ai_family;
1793
1794 ovpn->peer_ip_set = true;
1795 }
1796
1797 ret = 0;
1798 out:
1799 freeaddrinfo(result);
1800 return ret;
1801 }
1802
ovpn_parse_new_peer(struct ovpn_ctx * ovpn,const char * peer_id,const char * raddr,const char * rport,const char * vpnip)1803 static int ovpn_parse_new_peer(struct ovpn_ctx *ovpn, const char *peer_id,
1804 const char *raddr, const char *rport,
1805 const char *vpnip)
1806 {
1807 ovpn->peer_id = strtoul(peer_id, NULL, 10);
1808 if (errno == ERANGE || ovpn->peer_id > PEER_ID_UNDEF) {
1809 fprintf(stderr, "peer ID value out of range\n");
1810 return -1;
1811 }
1812
1813 return ovpn_parse_remote(ovpn, raddr, rport, vpnip);
1814 }
1815
ovpn_parse_key_slot(const char * arg,struct ovpn_ctx * ovpn)1816 static int ovpn_parse_key_slot(const char *arg, struct ovpn_ctx *ovpn)
1817 {
1818 int slot = strtoul(arg, NULL, 10);
1819
1820 if (errno == ERANGE || slot < 1 || slot > 2) {
1821 fprintf(stderr, "key slot out of range\n");
1822 return -1;
1823 }
1824
1825 switch (slot) {
1826 case 1:
1827 ovpn->key_slot = OVPN_KEY_SLOT_PRIMARY;
1828 break;
1829 case 2:
1830 ovpn->key_slot = OVPN_KEY_SLOT_SECONDARY;
1831 break;
1832 }
1833
1834 return 0;
1835 }
1836
ovpn_send_tcp_data(int socket)1837 static int ovpn_send_tcp_data(int socket)
1838 {
1839 uint16_t len = htons(1000);
1840 uint8_t buf[1002];
1841 int ret;
1842
1843 memcpy(buf, &len, sizeof(len));
1844 memset(buf + sizeof(len), 0x86, sizeof(buf) - sizeof(len));
1845
1846 ret = send(socket, buf, sizeof(buf), MSG_NOSIGNAL);
1847
1848 fprintf(stdout, "Sent %u bytes over TCP socket\n", ret);
1849
1850 return ret > 0 ? 0 : ret;
1851 }
1852
ovpn_recv_tcp_data(int socket)1853 static int ovpn_recv_tcp_data(int socket)
1854 {
1855 uint8_t buf[1002];
1856 uint16_t len;
1857 int ret;
1858
1859 ret = recv(socket, buf, sizeof(buf), MSG_NOSIGNAL);
1860
1861 if (ret < 2) {
1862 fprintf(stderr, ">>>> Error while reading TCP data: %d\n", ret);
1863 return ret;
1864 }
1865
1866 memcpy(&len, buf, sizeof(len));
1867 len = ntohs(len);
1868
1869 fprintf(stdout, ">>>> Received %u bytes over TCP socket, header: %u\n",
1870 ret, len);
1871
1872 return 0;
1873 }
1874
ovpn_parse_cmd(const char * cmd)1875 static enum ovpn_cmd ovpn_parse_cmd(const char *cmd)
1876 {
1877 if (!strcmp(cmd, "new_iface"))
1878 return CMD_NEW_IFACE;
1879
1880 if (!strcmp(cmd, "del_iface"))
1881 return CMD_DEL_IFACE;
1882
1883 if (!strcmp(cmd, "listen"))
1884 return CMD_LISTEN;
1885
1886 if (!strcmp(cmd, "connect"))
1887 return CMD_CONNECT;
1888
1889 if (!strcmp(cmd, "new_peer"))
1890 return CMD_NEW_PEER;
1891
1892 if (!strcmp(cmd, "new_multi_peer"))
1893 return CMD_NEW_MULTI_PEER;
1894
1895 if (!strcmp(cmd, "set_peer"))
1896 return CMD_SET_PEER;
1897
1898 if (!strcmp(cmd, "del_peer"))
1899 return CMD_DEL_PEER;
1900
1901 if (!strcmp(cmd, "get_peer"))
1902 return CMD_GET_PEER;
1903
1904 if (!strcmp(cmd, "new_key"))
1905 return CMD_NEW_KEY;
1906
1907 if (!strcmp(cmd, "del_key"))
1908 return CMD_DEL_KEY;
1909
1910 if (!strcmp(cmd, "get_key"))
1911 return CMD_GET_KEY;
1912
1913 if (!strcmp(cmd, "swap_keys"))
1914 return CMD_SWAP_KEYS;
1915
1916 if (!strcmp(cmd, "listen_mcast"))
1917 return CMD_LISTEN_MCAST;
1918
1919 return CMD_INVALID;
1920 }
1921
1922 /* Send process to background and waits for signal.
1923 *
1924 * This helper is called at the end of commands
1925 * creating sockets, so that the latter stay alive
1926 * along with the process that created them.
1927 *
1928 * A signal is expected to be delivered in order to
1929 * terminate the waiting processes
1930 */
ovpn_waitbg(void)1931 static void ovpn_waitbg(void)
1932 {
1933 daemon(1, 1);
1934 pause();
1935 }
1936
ovpn_run_cmd(struct ovpn_ctx * ovpn)1937 static int ovpn_run_cmd(struct ovpn_ctx *ovpn)
1938 {
1939 char peer_id[10], vpnip[INET6_ADDRSTRLEN], laddr[128], lport[10];
1940 char raddr[128], rport[10];
1941 int n, ret;
1942 FILE *fp;
1943
1944 switch (ovpn->cmd) {
1945 case CMD_NEW_IFACE:
1946 ret = ovpn_new_iface(ovpn);
1947 break;
1948 case CMD_DEL_IFACE:
1949 ret = ovpn_del_iface(ovpn);
1950 break;
1951 case CMD_LISTEN:
1952 ret = ovpn_listen(ovpn, ovpn->sa_family);
1953 if (ret < 0) {
1954 fprintf(stderr, "cannot listen on TCP socket\n");
1955 return ret;
1956 }
1957
1958 fp = fopen(ovpn->peers_file, "r");
1959 if (!fp) {
1960 fprintf(stderr, "cannot open file: %s\n",
1961 ovpn->peers_file);
1962 return -1;
1963 }
1964
1965 int num_peers = 0;
1966
1967 while ((n = fscanf(fp, "%s %s\n", peer_id, vpnip)) == 2) {
1968 struct ovpn_ctx peer_ctx = { 0 };
1969
1970 if (num_peers == MAX_PEERS) {
1971 fprintf(stderr, "max peers reached!\n");
1972 return -E2BIG;
1973 }
1974
1975 peer_ctx.ifindex = ovpn->ifindex;
1976 peer_ctx.sa_family = ovpn->sa_family;
1977
1978 peer_ctx.socket = ovpn_accept(ovpn);
1979 if (peer_ctx.socket < 0) {
1980 fprintf(stderr, "cannot accept connection!\n");
1981 return -1;
1982 }
1983
1984 /* store peer sockets to test TCP I/O */
1985 ovpn->cli_sockets[num_peers] = peer_ctx.socket;
1986
1987 ret = ovpn_parse_new_peer(&peer_ctx, peer_id, NULL,
1988 NULL, vpnip);
1989 if (ret < 0) {
1990 fprintf(stderr, "error while parsing line\n");
1991 return -1;
1992 }
1993
1994 ret = ovpn_new_peer(&peer_ctx, true);
1995 if (ret < 0) {
1996 fprintf(stderr,
1997 "cannot add peer to VPN: %s %s\n",
1998 peer_id, vpnip);
1999 return ret;
2000 }
2001 num_peers++;
2002 }
2003
2004 for (int i = 0; i < num_peers; i++) {
2005 ret = ovpn_recv_tcp_data(ovpn->cli_sockets[i]);
2006 if (ret < 0)
2007 break;
2008 }
2009 ovpn_waitbg();
2010 break;
2011 case CMD_CONNECT:
2012 ret = ovpn_connect(ovpn);
2013 if (ret < 0) {
2014 fprintf(stderr, "cannot connect TCP socket\n");
2015 return ret;
2016 }
2017
2018 ret = ovpn_new_peer(ovpn, true);
2019 if (ret < 0) {
2020 fprintf(stderr, "cannot add peer to VPN\n");
2021 close(ovpn->socket);
2022 return ret;
2023 }
2024
2025 if (ovpn->cipher != OVPN_CIPHER_ALG_NONE) {
2026 ret = ovpn_new_key(ovpn);
2027 if (ret < 0) {
2028 fprintf(stderr, "cannot set key\n");
2029 return ret;
2030 }
2031 }
2032
2033 ret = ovpn_send_tcp_data(ovpn->socket);
2034 ovpn_waitbg();
2035 break;
2036 case CMD_NEW_PEER:
2037 ret = ovpn_udp_socket(ovpn, AF_INET6);
2038 if (ret < 0)
2039 return ret;
2040
2041 ret = ovpn_new_peer(ovpn, false);
2042 ovpn_waitbg();
2043 break;
2044 case CMD_NEW_MULTI_PEER:
2045 ret = ovpn_udp_socket(ovpn, AF_INET6);
2046 if (ret < 0)
2047 return ret;
2048
2049 fp = fopen(ovpn->peers_file, "r");
2050 if (!fp) {
2051 fprintf(stderr, "cannot open file: %s\n",
2052 ovpn->peers_file);
2053 return -1;
2054 }
2055
2056 while ((n = fscanf(fp, "%s %s %s %s %s %s\n", peer_id, laddr,
2057 lport, raddr, rport, vpnip)) == 6) {
2058 struct ovpn_ctx peer_ctx = { 0 };
2059
2060 peer_ctx.ifindex = ovpn->ifindex;
2061 peer_ctx.socket = ovpn->socket;
2062 peer_ctx.sa_family = AF_UNSPEC;
2063
2064 ret = ovpn_parse_new_peer(&peer_ctx, peer_id, raddr,
2065 rport, vpnip);
2066 if (ret < 0) {
2067 fprintf(stderr, "error while parsing line\n");
2068 return -1;
2069 }
2070
2071 ret = ovpn_new_peer(&peer_ctx, false);
2072 if (ret < 0) {
2073 fprintf(stderr,
2074 "cannot add peer to VPN: %s %s %s %s\n",
2075 peer_id, raddr, rport, vpnip);
2076 return ret;
2077 }
2078 }
2079 ovpn_waitbg();
2080 break;
2081 case CMD_SET_PEER:
2082 ret = ovpn_set_peer(ovpn);
2083 break;
2084 case CMD_DEL_PEER:
2085 ret = ovpn_del_peer(ovpn);
2086 break;
2087 case CMD_GET_PEER:
2088 if (ovpn->peer_id == PEER_ID_UNDEF)
2089 fprintf(stderr, "List of peers connected to: %s\n",
2090 ovpn->ifname);
2091
2092 ret = ovpn_get_peer(ovpn);
2093 break;
2094 case CMD_NEW_KEY:
2095 ret = ovpn_new_key(ovpn);
2096 break;
2097 case CMD_DEL_KEY:
2098 ret = ovpn_del_key(ovpn);
2099 break;
2100 case CMD_GET_KEY:
2101 ret = ovpn_get_key(ovpn);
2102 break;
2103 case CMD_SWAP_KEYS:
2104 ret = ovpn_swap_keys(ovpn);
2105 break;
2106 case CMD_LISTEN_MCAST:
2107 ret = ovpn_listen_mcast();
2108 break;
2109 case CMD_INVALID:
2110 ret = -EINVAL;
2111 break;
2112 }
2113
2114 return ret;
2115 }
2116
ovpn_parse_cmd_args(struct ovpn_ctx * ovpn,int argc,char * argv[])2117 static int ovpn_parse_cmd_args(struct ovpn_ctx *ovpn, int argc, char *argv[])
2118 {
2119 int ret;
2120
2121 /* no args required for LISTEN_MCAST */
2122 if (ovpn->cmd == CMD_LISTEN_MCAST)
2123 return 0;
2124
2125 /* all commands need an ifname */
2126 if (argc < 3)
2127 return -EINVAL;
2128
2129 strscpy(ovpn->ifname, argv[2], IFNAMSIZ - 1);
2130 ovpn->ifname[IFNAMSIZ - 1] = '\0';
2131
2132 /* all commands, except NEW_IFNAME, needs an ifindex */
2133 if (ovpn->cmd != CMD_NEW_IFACE) {
2134 ovpn->ifindex = if_nametoindex(ovpn->ifname);
2135 if (!ovpn->ifindex) {
2136 fprintf(stderr, "cannot find interface: %s\n",
2137 strerror(errno));
2138 return -1;
2139 }
2140 }
2141
2142 switch (ovpn->cmd) {
2143 case CMD_NEW_IFACE:
2144 if (argc < 4)
2145 break;
2146
2147 if (!strcmp(argv[3], "P2P")) {
2148 ovpn->mode = OVPN_MODE_P2P;
2149 } else if (!strcmp(argv[3], "MP")) {
2150 ovpn->mode = OVPN_MODE_MP;
2151 } else {
2152 fprintf(stderr, "Cannot parse iface mode: %s\n",
2153 argv[3]);
2154 return -1;
2155 }
2156 ovpn->mode_set = true;
2157 break;
2158 case CMD_DEL_IFACE:
2159 break;
2160 case CMD_LISTEN:
2161 if (argc < 5)
2162 return -EINVAL;
2163
2164 ovpn->lport = strtoul(argv[3], NULL, 10);
2165 if (errno == ERANGE || ovpn->lport > 65535) {
2166 fprintf(stderr, "lport value out of range\n");
2167 return -1;
2168 }
2169
2170 ovpn->peers_file = argv[4];
2171
2172 ovpn->sa_family = AF_INET;
2173 if (argc > 5 && !strcmp(argv[5], "ipv6"))
2174 ovpn->sa_family = AF_INET6;
2175 break;
2176 case CMD_CONNECT:
2177 if (argc < 6)
2178 return -EINVAL;
2179
2180 ovpn->sa_family = AF_INET;
2181
2182 ret = ovpn_parse_new_peer(ovpn, argv[3], argv[4], argv[5],
2183 NULL);
2184 if (ret < 0) {
2185 fprintf(stderr, "Cannot parse remote peer data\n");
2186 return -1;
2187 }
2188
2189 if (argc > 6) {
2190 ovpn->key_slot = OVPN_KEY_SLOT_PRIMARY;
2191 ovpn->key_id = 0;
2192 ovpn->cipher = OVPN_CIPHER_ALG_AES_GCM;
2193 ovpn->key_dir = KEY_DIR_OUT;
2194
2195 ret = ovpn_parse_key(argv[6], ovpn);
2196 if (ret)
2197 return -1;
2198 }
2199 break;
2200 case CMD_NEW_PEER:
2201 if (argc < 7)
2202 return -EINVAL;
2203
2204 ovpn->lport = strtoul(argv[4], NULL, 10);
2205 if (errno == ERANGE || ovpn->lport > 65535) {
2206 fprintf(stderr, "lport value out of range\n");
2207 return -1;
2208 }
2209
2210 const char *vpnip = (argc > 7) ? argv[7] : NULL;
2211
2212 ret = ovpn_parse_new_peer(ovpn, argv[3], argv[5], argv[6],
2213 vpnip);
2214 if (ret < 0)
2215 return -1;
2216 break;
2217 case CMD_NEW_MULTI_PEER:
2218 if (argc < 5)
2219 return -EINVAL;
2220
2221 ovpn->lport = strtoul(argv[3], NULL, 10);
2222 if (errno == ERANGE || ovpn->lport > 65535) {
2223 fprintf(stderr, "lport value out of range\n");
2224 return -1;
2225 }
2226
2227 ovpn->peers_file = argv[4];
2228 break;
2229 case CMD_SET_PEER:
2230 if (argc < 6)
2231 return -EINVAL;
2232
2233 ovpn->peer_id = strtoul(argv[3], NULL, 10);
2234 if (errno == ERANGE || ovpn->peer_id > PEER_ID_UNDEF) {
2235 fprintf(stderr, "peer ID value out of range\n");
2236 return -1;
2237 }
2238
2239 ovpn->keepalive_interval = strtoul(argv[4], NULL, 10);
2240 if (errno == ERANGE) {
2241 fprintf(stderr,
2242 "keepalive interval value out of range\n");
2243 return -1;
2244 }
2245
2246 ovpn->keepalive_timeout = strtoul(argv[5], NULL, 10);
2247 if (errno == ERANGE) {
2248 fprintf(stderr,
2249 "keepalive interval value out of range\n");
2250 return -1;
2251 }
2252 break;
2253 case CMD_DEL_PEER:
2254 if (argc < 4)
2255 return -EINVAL;
2256
2257 ovpn->peer_id = strtoul(argv[3], NULL, 10);
2258 if (errno == ERANGE || ovpn->peer_id > PEER_ID_UNDEF) {
2259 fprintf(stderr, "peer ID value out of range\n");
2260 return -1;
2261 }
2262 break;
2263 case CMD_GET_PEER:
2264 ovpn->peer_id = PEER_ID_UNDEF;
2265 if (argc > 3) {
2266 ovpn->peer_id = strtoul(argv[3], NULL, 10);
2267 if (errno == ERANGE || ovpn->peer_id > PEER_ID_UNDEF) {
2268 fprintf(stderr, "peer ID value out of range\n");
2269 return -1;
2270 }
2271 }
2272 break;
2273 case CMD_NEW_KEY:
2274 if (argc < 9)
2275 return -EINVAL;
2276
2277 ovpn->peer_id = strtoul(argv[3], NULL, 10);
2278 if (errno == ERANGE) {
2279 fprintf(stderr, "peer ID value out of range\n");
2280 return -1;
2281 }
2282
2283 ret = ovpn_parse_key_slot(argv[4], ovpn);
2284 if (ret)
2285 return -1;
2286
2287 ovpn->key_id = strtoul(argv[5], NULL, 10);
2288 if (errno == ERANGE || ovpn->key_id > 2) {
2289 fprintf(stderr, "key ID out of range\n");
2290 return -1;
2291 }
2292
2293 ret = ovpn_parse_cipher(argv[6], ovpn);
2294 if (ret < 0)
2295 return -1;
2296
2297 ret = ovpn_parse_key_direction(argv[7], ovpn);
2298 if (ret < 0)
2299 return -1;
2300
2301 ret = ovpn_parse_key(argv[8], ovpn);
2302 if (ret)
2303 return -1;
2304 break;
2305 case CMD_DEL_KEY:
2306 if (argc < 4)
2307 return -EINVAL;
2308
2309 ovpn->peer_id = strtoul(argv[3], NULL, 10);
2310 if (errno == ERANGE) {
2311 fprintf(stderr, "peer ID value out of range\n");
2312 return -1;
2313 }
2314
2315 ret = ovpn_parse_key_slot(argv[4], ovpn);
2316 if (ret)
2317 return ret;
2318 break;
2319 case CMD_GET_KEY:
2320 if (argc < 5)
2321 return -EINVAL;
2322
2323 ovpn->peer_id = strtoul(argv[3], NULL, 10);
2324 if (errno == ERANGE) {
2325 fprintf(stderr, "peer ID value out of range\n");
2326 return -1;
2327 }
2328
2329 ret = ovpn_parse_key_slot(argv[4], ovpn);
2330 if (ret)
2331 return ret;
2332 break;
2333 case CMD_SWAP_KEYS:
2334 if (argc < 4)
2335 return -EINVAL;
2336
2337 ovpn->peer_id = strtoul(argv[3], NULL, 10);
2338 if (errno == ERANGE) {
2339 fprintf(stderr, "peer ID value out of range\n");
2340 return -1;
2341 }
2342 break;
2343 case CMD_LISTEN_MCAST:
2344 break;
2345 case CMD_INVALID:
2346 break;
2347 }
2348
2349 return 0;
2350 }
2351
main(int argc,char * argv[])2352 int main(int argc, char *argv[])
2353 {
2354 struct ovpn_ctx ovpn;
2355 int ret;
2356
2357 if (argc < 2) {
2358 usage(argv[0]);
2359 return -1;
2360 }
2361
2362 memset(&ovpn, 0, sizeof(ovpn));
2363 ovpn.sa_family = AF_UNSPEC;
2364 ovpn.cipher = OVPN_CIPHER_ALG_NONE;
2365
2366 ovpn.cmd = ovpn_parse_cmd(argv[1]);
2367 if (ovpn.cmd == CMD_INVALID) {
2368 fprintf(stderr, "Error: unknown command.\n\n");
2369 usage(argv[0]);
2370 return -1;
2371 }
2372
2373 ret = ovpn_parse_cmd_args(&ovpn, argc, argv);
2374 if (ret < 0) {
2375 fprintf(stderr, "Error: invalid arguments.\n\n");
2376 if (ret == -EINVAL)
2377 usage(argv[0]);
2378 return ret;
2379 }
2380
2381 ret = ovpn_run_cmd(&ovpn);
2382 if (ret)
2383 fprintf(stderr, "Cannot execute command: %s (%d)\n",
2384 strerror(-ret), ret);
2385
2386 return ret;
2387 }
2388