xref: /linux/tools/testing/selftests/net/ovpn/ovpn-cli.c (revision 8804d970fab45726b3c7cd7f240b31122aa94219)
1 // SPDX-License-Identifier: GPL-2.0
2 /*  OpenVPN data channel accelerator
3  *
4  *  Copyright (C) 2020-2025 OpenVPN, Inc.
5  *
6  *  Author:	Antonio Quartulli <antonio@openvpn.net>
7  */
8 
9 #include <stdio.h>
10 #include <inttypes.h>
11 #include <stdbool.h>
12 #include <string.h>
13 #include <errno.h>
14 #include <unistd.h>
15 #include <arpa/inet.h>
16 #include <net/if.h>
17 #include <netinet/in.h>
18 #include <time.h>
19 
20 #include <linux/ovpn.h>
21 #include <linux/types.h>
22 #include <linux/netlink.h>
23 
24 #include <netlink/socket.h>
25 #include <netlink/netlink.h>
26 #include <netlink/genl/genl.h>
27 #include <netlink/genl/family.h>
28 #include <netlink/genl/ctrl.h>
29 
30 #include <mbedtls/base64.h>
31 #include <mbedtls/error.h>
32 
33 #include <sys/socket.h>
34 
35 #include "../../kselftest.h"
36 
37 /* defines to make checkpatch happy */
38 #define strscpy strncpy
39 
40 /* libnl < 3.5.0 does not set the NLA_F_NESTED on its own, therefore we
41  * have to explicitly do it to prevent the kernel from failing upon
42  * parsing of the message
43  */
44 #define nla_nest_start(_msg, _type) \
45 	nla_nest_start(_msg, (_type) | NLA_F_NESTED)
46 
47 /* libnl < 3.11.0 does not implement nla_get_uint() */
ovpn_nla_get_uint(struct nlattr * attr)48 uint64_t ovpn_nla_get_uint(struct nlattr *attr)
49 {
50 	if (nla_len(attr) == sizeof(uint32_t))
51 		return nla_get_u32(attr);
52 	else
53 		return nla_get_u64(attr);
54 }
55 
56 typedef int (*ovpn_nl_cb)(struct nl_msg *msg, void *arg);
57 
58 enum ovpn_key_direction {
59 	KEY_DIR_IN = 0,
60 	KEY_DIR_OUT,
61 };
62 
63 #define KEY_LEN (256 / 8)
64 #define NONCE_LEN 8
65 
66 #define PEER_ID_UNDEF 0x00FFFFFF
67 #define MAX_PEERS 10
68 
69 struct nl_ctx {
70 	struct nl_sock *nl_sock;
71 	struct nl_msg *nl_msg;
72 	struct nl_cb *nl_cb;
73 
74 	int ovpn_dco_id;
75 };
76 
77 enum ovpn_cmd {
78 	CMD_INVALID,
79 	CMD_NEW_IFACE,
80 	CMD_DEL_IFACE,
81 	CMD_LISTEN,
82 	CMD_CONNECT,
83 	CMD_NEW_PEER,
84 	CMD_NEW_MULTI_PEER,
85 	CMD_SET_PEER,
86 	CMD_DEL_PEER,
87 	CMD_GET_PEER,
88 	CMD_NEW_KEY,
89 	CMD_DEL_KEY,
90 	CMD_GET_KEY,
91 	CMD_SWAP_KEYS,
92 	CMD_LISTEN_MCAST,
93 };
94 
95 struct ovpn_ctx {
96 	enum ovpn_cmd cmd;
97 
98 	__u8 key_enc[KEY_LEN];
99 	__u8 key_dec[KEY_LEN];
100 	__u8 nonce[NONCE_LEN];
101 
102 	enum ovpn_cipher_alg cipher;
103 
104 	sa_family_t sa_family;
105 
106 	unsigned long peer_id;
107 	unsigned long lport;
108 
109 	union {
110 		struct sockaddr_in in4;
111 		struct sockaddr_in6 in6;
112 	} remote;
113 
114 	union {
115 		struct sockaddr_in in4;
116 		struct sockaddr_in6 in6;
117 	} peer_ip;
118 
119 	bool peer_ip_set;
120 
121 	unsigned int ifindex;
122 	char ifname[IFNAMSIZ];
123 	enum ovpn_mode mode;
124 	bool mode_set;
125 
126 	int socket;
127 	int cli_sockets[MAX_PEERS];
128 
129 	__u32 keepalive_interval;
130 	__u32 keepalive_timeout;
131 
132 	enum ovpn_key_direction key_dir;
133 	enum ovpn_key_slot key_slot;
134 	int key_id;
135 
136 	const char *peers_file;
137 };
138 
ovpn_nl_recvmsgs(struct nl_ctx * ctx)139 static int ovpn_nl_recvmsgs(struct nl_ctx *ctx)
140 {
141 	int ret;
142 
143 	ret = nl_recvmsgs(ctx->nl_sock, ctx->nl_cb);
144 
145 	switch (ret) {
146 	case -NLE_INTR:
147 		fprintf(stderr,
148 			"netlink received interrupt due to signal - ignoring\n");
149 		break;
150 	case -NLE_NOMEM:
151 		fprintf(stderr, "netlink out of memory error\n");
152 		break;
153 	case -NLE_AGAIN:
154 		fprintf(stderr,
155 			"netlink reports blocking read - aborting wait\n");
156 		break;
157 	default:
158 		if (ret)
159 			fprintf(stderr, "netlink reports error (%d): %s\n",
160 				ret, nl_geterror(-ret));
161 		break;
162 	}
163 
164 	return ret;
165 }
166 
nl_ctx_alloc_flags(struct ovpn_ctx * ovpn,int cmd,int flags)167 static struct nl_ctx *nl_ctx_alloc_flags(struct ovpn_ctx *ovpn, int cmd,
168 					 int flags)
169 {
170 	struct nl_ctx *ctx;
171 	int err, ret;
172 
173 	ctx = calloc(1, sizeof(*ctx));
174 	if (!ctx)
175 		return NULL;
176 
177 	ctx->nl_sock = nl_socket_alloc();
178 	if (!ctx->nl_sock) {
179 		fprintf(stderr, "cannot allocate netlink socket\n");
180 		goto err_free;
181 	}
182 
183 	nl_socket_set_buffer_size(ctx->nl_sock, 8192, 8192);
184 
185 	ret = genl_connect(ctx->nl_sock);
186 	if (ret) {
187 		fprintf(stderr, "cannot connect to generic netlink: %s\n",
188 			nl_geterror(ret));
189 		goto err_sock;
190 	}
191 
192 	/* enable Extended ACK for detailed error reporting */
193 	err = 1;
194 	setsockopt(nl_socket_get_fd(ctx->nl_sock), SOL_NETLINK, NETLINK_EXT_ACK,
195 		   &err, sizeof(err));
196 
197 	ctx->ovpn_dco_id = genl_ctrl_resolve(ctx->nl_sock, OVPN_FAMILY_NAME);
198 	if (ctx->ovpn_dco_id < 0) {
199 		fprintf(stderr, "cannot find ovpn_dco netlink component: %d\n",
200 			ctx->ovpn_dco_id);
201 		goto err_free;
202 	}
203 
204 	ctx->nl_msg = nlmsg_alloc();
205 	if (!ctx->nl_msg) {
206 		fprintf(stderr, "cannot allocate netlink message\n");
207 		goto err_sock;
208 	}
209 
210 	ctx->nl_cb = nl_cb_alloc(NL_CB_DEFAULT);
211 	if (!ctx->nl_cb) {
212 		fprintf(stderr, "failed to allocate netlink callback\n");
213 		goto err_msg;
214 	}
215 
216 	nl_socket_set_cb(ctx->nl_sock, ctx->nl_cb);
217 
218 	genlmsg_put(ctx->nl_msg, 0, 0, ctx->ovpn_dco_id, 0, flags, cmd, 0);
219 
220 	if (ovpn->ifindex > 0)
221 		NLA_PUT_U32(ctx->nl_msg, OVPN_A_IFINDEX, ovpn->ifindex);
222 
223 	return ctx;
224 nla_put_failure:
225 err_msg:
226 	nlmsg_free(ctx->nl_msg);
227 err_sock:
228 	nl_socket_free(ctx->nl_sock);
229 err_free:
230 	free(ctx);
231 	return NULL;
232 }
233 
nl_ctx_alloc(struct ovpn_ctx * ovpn,int cmd)234 static struct nl_ctx *nl_ctx_alloc(struct ovpn_ctx *ovpn, int cmd)
235 {
236 	return nl_ctx_alloc_flags(ovpn, cmd, 0);
237 }
238 
nl_ctx_free(struct nl_ctx * ctx)239 static void nl_ctx_free(struct nl_ctx *ctx)
240 {
241 	if (!ctx)
242 		return;
243 
244 	nl_socket_free(ctx->nl_sock);
245 	nlmsg_free(ctx->nl_msg);
246 	nl_cb_put(ctx->nl_cb);
247 	free(ctx);
248 }
249 
ovpn_nl_cb_error(struct sockaddr_nl (* nla)__always_unused,struct nlmsgerr * err,void * arg)250 static int ovpn_nl_cb_error(struct sockaddr_nl (*nla)__always_unused,
251 			    struct nlmsgerr *err, void *arg)
252 {
253 	struct nlmsghdr *nlh = (struct nlmsghdr *)err - 1;
254 	struct nlattr *tb_msg[NLMSGERR_ATTR_MAX + 1];
255 	int len = nlh->nlmsg_len;
256 	struct nlattr *attrs;
257 	int *ret = arg;
258 	int ack_len = sizeof(*nlh) + sizeof(int) + sizeof(*nlh);
259 
260 	*ret = err->error;
261 
262 	if (!(nlh->nlmsg_flags & NLM_F_ACK_TLVS))
263 		return NL_STOP;
264 
265 	if (!(nlh->nlmsg_flags & NLM_F_CAPPED))
266 		ack_len += err->msg.nlmsg_len - sizeof(*nlh);
267 
268 	if (len <= ack_len)
269 		return NL_STOP;
270 
271 	attrs = (void *)((uint8_t *)nlh + ack_len);
272 	len -= ack_len;
273 
274 	nla_parse(tb_msg, NLMSGERR_ATTR_MAX, attrs, len, NULL);
275 	if (tb_msg[NLMSGERR_ATTR_MSG]) {
276 		len = strnlen((char *)nla_data(tb_msg[NLMSGERR_ATTR_MSG]),
277 			      nla_len(tb_msg[NLMSGERR_ATTR_MSG]));
278 		fprintf(stderr, "kernel error: %*s\n", len,
279 			(char *)nla_data(tb_msg[NLMSGERR_ATTR_MSG]));
280 	}
281 
282 	if (tb_msg[NLMSGERR_ATTR_MISS_NEST]) {
283 		fprintf(stderr, "missing required nesting type %u\n",
284 			nla_get_u32(tb_msg[NLMSGERR_ATTR_MISS_NEST]));
285 	}
286 
287 	if (tb_msg[NLMSGERR_ATTR_MISS_TYPE]) {
288 		fprintf(stderr, "missing required attribute type %u\n",
289 			nla_get_u32(tb_msg[NLMSGERR_ATTR_MISS_TYPE]));
290 	}
291 
292 	return NL_STOP;
293 }
294 
ovpn_nl_cb_finish(struct nl_msg (* msg)__always_unused,void * arg)295 static int ovpn_nl_cb_finish(struct nl_msg (*msg)__always_unused,
296 			     void *arg)
297 {
298 	int *status = arg;
299 
300 	*status = 0;
301 	return NL_SKIP;
302 }
303 
ovpn_nl_cb_ack(struct nl_msg (* msg)__always_unused,void * arg)304 static int ovpn_nl_cb_ack(struct nl_msg (*msg)__always_unused,
305 			  void *arg)
306 {
307 	int *status = arg;
308 
309 	*status = 0;
310 	return NL_STOP;
311 }
312 
ovpn_nl_msg_send(struct nl_ctx * ctx,ovpn_nl_cb cb)313 static int ovpn_nl_msg_send(struct nl_ctx *ctx, ovpn_nl_cb cb)
314 {
315 	int status = 1;
316 
317 	nl_cb_err(ctx->nl_cb, NL_CB_CUSTOM, ovpn_nl_cb_error, &status);
318 	nl_cb_set(ctx->nl_cb, NL_CB_FINISH, NL_CB_CUSTOM, ovpn_nl_cb_finish,
319 		  &status);
320 	nl_cb_set(ctx->nl_cb, NL_CB_ACK, NL_CB_CUSTOM, ovpn_nl_cb_ack, &status);
321 
322 	if (cb)
323 		nl_cb_set(ctx->nl_cb, NL_CB_VALID, NL_CB_CUSTOM, cb, ctx);
324 
325 	nl_send_auto_complete(ctx->nl_sock, ctx->nl_msg);
326 
327 	while (status == 1)
328 		ovpn_nl_recvmsgs(ctx);
329 
330 	if (status < 0)
331 		fprintf(stderr, "failed to send netlink message: %s (%d)\n",
332 			strerror(-status), status);
333 
334 	return status;
335 }
336 
ovpn_parse_key(const char * file,struct ovpn_ctx * ctx)337 static int ovpn_parse_key(const char *file, struct ovpn_ctx *ctx)
338 {
339 	int idx_enc, idx_dec, ret = -1;
340 	unsigned char *ckey = NULL;
341 	__u8 *bkey = NULL;
342 	size_t olen = 0;
343 	long ckey_len;
344 	FILE *fp;
345 
346 	fp = fopen(file, "r");
347 	if (!fp) {
348 		fprintf(stderr, "cannot open: %s\n", file);
349 		return -1;
350 	}
351 
352 	/* get file size */
353 	fseek(fp, 0L, SEEK_END);
354 	ckey_len = ftell(fp);
355 	rewind(fp);
356 
357 	/* if the file is longer, let's just read a portion */
358 	if (ckey_len > 256)
359 		ckey_len = 256;
360 
361 	ckey = malloc(ckey_len);
362 	if (!ckey)
363 		goto err;
364 
365 	ret = fread(ckey, 1, ckey_len, fp);
366 	if (ret != ckey_len) {
367 		fprintf(stderr,
368 			"couldn't read enough data from key file: %dbytes read\n",
369 			ret);
370 		goto err;
371 	}
372 
373 	olen = 0;
374 	ret = mbedtls_base64_decode(NULL, 0, &olen, ckey, ckey_len);
375 	if (ret != MBEDTLS_ERR_BASE64_BUFFER_TOO_SMALL) {
376 		char buf[256];
377 
378 		mbedtls_strerror(ret, buf, sizeof(buf));
379 		fprintf(stderr, "unexpected base64 error1: %s (%d)\n", buf,
380 			ret);
381 
382 		goto err;
383 	}
384 
385 	bkey = malloc(olen);
386 	if (!bkey) {
387 		fprintf(stderr, "cannot allocate binary key buffer\n");
388 		goto err;
389 	}
390 
391 	ret = mbedtls_base64_decode(bkey, olen, &olen, ckey, ckey_len);
392 	if (ret) {
393 		char buf[256];
394 
395 		mbedtls_strerror(ret, buf, sizeof(buf));
396 		fprintf(stderr, "unexpected base64 error2: %s (%d)\n", buf,
397 			ret);
398 
399 		goto err;
400 	}
401 
402 	if (olen < 2 * KEY_LEN + NONCE_LEN) {
403 		fprintf(stderr,
404 			"not enough data in key file, found %zdB but needs %dB\n",
405 			olen, 2 * KEY_LEN + NONCE_LEN);
406 		goto err;
407 	}
408 
409 	switch (ctx->key_dir) {
410 	case KEY_DIR_IN:
411 		idx_enc = 0;
412 		idx_dec = 1;
413 		break;
414 	case KEY_DIR_OUT:
415 		idx_enc = 1;
416 		idx_dec = 0;
417 		break;
418 	default:
419 		goto err;
420 	}
421 
422 	memcpy(ctx->key_enc, bkey + KEY_LEN * idx_enc, KEY_LEN);
423 	memcpy(ctx->key_dec, bkey + KEY_LEN * idx_dec, KEY_LEN);
424 	memcpy(ctx->nonce, bkey + 2 * KEY_LEN, NONCE_LEN);
425 
426 	ret = 0;
427 
428 err:
429 	fclose(fp);
430 	free(bkey);
431 	free(ckey);
432 
433 	return ret;
434 }
435 
ovpn_parse_cipher(const char * cipher,struct ovpn_ctx * ctx)436 static int ovpn_parse_cipher(const char *cipher, struct ovpn_ctx *ctx)
437 {
438 	if (strcmp(cipher, "aes") == 0)
439 		ctx->cipher = OVPN_CIPHER_ALG_AES_GCM;
440 	else if (strcmp(cipher, "chachapoly") == 0)
441 		ctx->cipher = OVPN_CIPHER_ALG_CHACHA20_POLY1305;
442 	else if (strcmp(cipher, "none") == 0)
443 		ctx->cipher = OVPN_CIPHER_ALG_NONE;
444 	else
445 		return -ENOTSUP;
446 
447 	return 0;
448 }
449 
ovpn_parse_key_direction(const char * dir,struct ovpn_ctx * ctx)450 static int ovpn_parse_key_direction(const char *dir, struct ovpn_ctx *ctx)
451 {
452 	int in_dir;
453 
454 	in_dir = strtoll(dir, NULL, 10);
455 	switch (in_dir) {
456 	case KEY_DIR_IN:
457 	case KEY_DIR_OUT:
458 		ctx->key_dir = in_dir;
459 		break;
460 	default:
461 		fprintf(stderr,
462 			"invalid key direction provided. Can be 0 or 1 only\n");
463 		return -1;
464 	}
465 
466 	return 0;
467 }
468 
ovpn_socket(struct ovpn_ctx * ctx,sa_family_t family,int proto)469 static int ovpn_socket(struct ovpn_ctx *ctx, sa_family_t family, int proto)
470 {
471 	struct sockaddr_storage local_sock = { 0 };
472 	struct sockaddr_in6 *in6;
473 	struct sockaddr_in *in;
474 	int ret, s, sock_type;
475 	size_t sock_len;
476 
477 	if (proto == IPPROTO_UDP)
478 		sock_type = SOCK_DGRAM;
479 	else if (proto == IPPROTO_TCP)
480 		sock_type = SOCK_STREAM;
481 	else
482 		return -EINVAL;
483 
484 	s = socket(family, sock_type, 0);
485 	if (s < 0) {
486 		perror("cannot create socket");
487 		return -1;
488 	}
489 
490 	switch (family) {
491 	case AF_INET:
492 		in = (struct sockaddr_in *)&local_sock;
493 		in->sin_family = family;
494 		in->sin_port = htons(ctx->lport);
495 		in->sin_addr.s_addr = htonl(INADDR_ANY);
496 		sock_len = sizeof(*in);
497 		break;
498 	case AF_INET6:
499 		in6 = (struct sockaddr_in6 *)&local_sock;
500 		in6->sin6_family = family;
501 		in6->sin6_port = htons(ctx->lport);
502 		in6->sin6_addr = in6addr_any;
503 		sock_len = sizeof(*in6);
504 		break;
505 	default:
506 		return -1;
507 	}
508 
509 	int opt = 1;
510 
511 	ret = setsockopt(s, SOL_SOCKET, SO_REUSEADDR, &opt, sizeof(opt));
512 
513 	if (ret < 0) {
514 		perror("setsockopt for SO_REUSEADDR");
515 		return ret;
516 	}
517 
518 	ret = setsockopt(s, SOL_SOCKET, SO_REUSEPORT, &opt, sizeof(opt));
519 	if (ret < 0) {
520 		perror("setsockopt for SO_REUSEPORT");
521 		return ret;
522 	}
523 
524 	if (family == AF_INET6) {
525 		opt = 0;
526 		if (setsockopt(s, IPPROTO_IPV6, IPV6_V6ONLY, &opt,
527 			       sizeof(opt))) {
528 			perror("failed to set IPV6_V6ONLY");
529 			return -1;
530 		}
531 	}
532 
533 	ret = bind(s, (struct sockaddr *)&local_sock, sock_len);
534 	if (ret < 0) {
535 		perror("cannot bind socket");
536 		goto err_socket;
537 	}
538 
539 	ctx->socket = s;
540 	ctx->sa_family = family;
541 	return 0;
542 
543 err_socket:
544 	close(s);
545 	return -1;
546 }
547 
ovpn_udp_socket(struct ovpn_ctx * ctx,sa_family_t family)548 static int ovpn_udp_socket(struct ovpn_ctx *ctx, sa_family_t family)
549 {
550 	return ovpn_socket(ctx, family, IPPROTO_UDP);
551 }
552 
ovpn_listen(struct ovpn_ctx * ctx,sa_family_t family)553 static int ovpn_listen(struct ovpn_ctx *ctx, sa_family_t family)
554 {
555 	int ret;
556 
557 	ret = ovpn_socket(ctx, family, IPPROTO_TCP);
558 	if (ret < 0)
559 		return ret;
560 
561 	ret = listen(ctx->socket, 10);
562 	if (ret < 0) {
563 		perror("listen");
564 		close(ctx->socket);
565 		return -1;
566 	}
567 
568 	return 0;
569 }
570 
ovpn_accept(struct ovpn_ctx * ctx)571 static int ovpn_accept(struct ovpn_ctx *ctx)
572 {
573 	socklen_t socklen;
574 	int ret;
575 
576 	socklen = sizeof(ctx->remote);
577 	ret = accept(ctx->socket, (struct sockaddr *)&ctx->remote, &socklen);
578 	if (ret < 0) {
579 		perror("accept");
580 		goto err;
581 	}
582 
583 	fprintf(stderr, "Connection received!\n");
584 
585 	switch (socklen) {
586 	case sizeof(struct sockaddr_in):
587 	case sizeof(struct sockaddr_in6):
588 		break;
589 	default:
590 		fprintf(stderr, "error: expecting IPv4 or IPv6 connection\n");
591 		close(ret);
592 		ret = -EINVAL;
593 		goto err;
594 	}
595 
596 	return ret;
597 err:
598 	close(ctx->socket);
599 	return ret;
600 }
601 
ovpn_connect(struct ovpn_ctx * ovpn)602 static int ovpn_connect(struct ovpn_ctx *ovpn)
603 {
604 	socklen_t socklen;
605 	int s, ret;
606 
607 	s = socket(ovpn->remote.in4.sin_family, SOCK_STREAM, 0);
608 	if (s < 0) {
609 		perror("cannot create socket");
610 		return -1;
611 	}
612 
613 	switch (ovpn->remote.in4.sin_family) {
614 	case AF_INET:
615 		socklen = sizeof(struct sockaddr_in);
616 		break;
617 	case AF_INET6:
618 		socklen = sizeof(struct sockaddr_in6);
619 		break;
620 	default:
621 		return -EOPNOTSUPP;
622 	}
623 
624 	ret = connect(s, (struct sockaddr *)&ovpn->remote, socklen);
625 	if (ret < 0) {
626 		perror("connect");
627 		goto err;
628 	}
629 
630 	fprintf(stderr, "connected\n");
631 
632 	ovpn->socket = s;
633 
634 	return 0;
635 err:
636 	close(s);
637 	return ret;
638 }
639 
ovpn_new_peer(struct ovpn_ctx * ovpn,bool is_tcp)640 static int ovpn_new_peer(struct ovpn_ctx *ovpn, bool is_tcp)
641 {
642 	struct nlattr *attr;
643 	struct nl_ctx *ctx;
644 	int ret = -1;
645 
646 	ctx = nl_ctx_alloc(ovpn, OVPN_CMD_PEER_NEW);
647 	if (!ctx)
648 		return -ENOMEM;
649 
650 	attr = nla_nest_start(ctx->nl_msg, OVPN_A_PEER);
651 	NLA_PUT_U32(ctx->nl_msg, OVPN_A_PEER_ID, ovpn->peer_id);
652 	NLA_PUT_U32(ctx->nl_msg, OVPN_A_PEER_SOCKET, ovpn->socket);
653 
654 	if (!is_tcp) {
655 		switch (ovpn->remote.in4.sin_family) {
656 		case AF_INET:
657 			NLA_PUT_U32(ctx->nl_msg, OVPN_A_PEER_REMOTE_IPV4,
658 				    ovpn->remote.in4.sin_addr.s_addr);
659 			NLA_PUT_U16(ctx->nl_msg, OVPN_A_PEER_REMOTE_PORT,
660 				    ovpn->remote.in4.sin_port);
661 			break;
662 		case AF_INET6:
663 			NLA_PUT(ctx->nl_msg, OVPN_A_PEER_REMOTE_IPV6,
664 				sizeof(ovpn->remote.in6.sin6_addr),
665 				&ovpn->remote.in6.sin6_addr);
666 			NLA_PUT_U32(ctx->nl_msg,
667 				    OVPN_A_PEER_REMOTE_IPV6_SCOPE_ID,
668 				    ovpn->remote.in6.sin6_scope_id);
669 			NLA_PUT_U16(ctx->nl_msg, OVPN_A_PEER_REMOTE_PORT,
670 				    ovpn->remote.in6.sin6_port);
671 			break;
672 		default:
673 			fprintf(stderr,
674 				"Invalid family for remote socket address\n");
675 			goto nla_put_failure;
676 		}
677 	}
678 
679 	if (ovpn->peer_ip_set) {
680 		switch (ovpn->peer_ip.in4.sin_family) {
681 		case AF_INET:
682 			NLA_PUT_U32(ctx->nl_msg, OVPN_A_PEER_VPN_IPV4,
683 				    ovpn->peer_ip.in4.sin_addr.s_addr);
684 			break;
685 		case AF_INET6:
686 			NLA_PUT(ctx->nl_msg, OVPN_A_PEER_VPN_IPV6,
687 				sizeof(struct in6_addr),
688 				&ovpn->peer_ip.in6.sin6_addr);
689 			break;
690 		default:
691 			fprintf(stderr, "Invalid family for peer address\n");
692 			goto nla_put_failure;
693 		}
694 	}
695 
696 	nla_nest_end(ctx->nl_msg, attr);
697 
698 	ret = ovpn_nl_msg_send(ctx, NULL);
699 nla_put_failure:
700 	nl_ctx_free(ctx);
701 	return ret;
702 }
703 
ovpn_set_peer(struct ovpn_ctx * ovpn)704 static int ovpn_set_peer(struct ovpn_ctx *ovpn)
705 {
706 	struct nlattr *attr;
707 	struct nl_ctx *ctx;
708 	int ret = -1;
709 
710 	ctx = nl_ctx_alloc(ovpn, OVPN_CMD_PEER_SET);
711 	if (!ctx)
712 		return -ENOMEM;
713 
714 	attr = nla_nest_start(ctx->nl_msg, OVPN_A_PEER);
715 	NLA_PUT_U32(ctx->nl_msg, OVPN_A_PEER_ID, ovpn->peer_id);
716 	NLA_PUT_U32(ctx->nl_msg, OVPN_A_PEER_KEEPALIVE_INTERVAL,
717 		    ovpn->keepalive_interval);
718 	NLA_PUT_U32(ctx->nl_msg, OVPN_A_PEER_KEEPALIVE_TIMEOUT,
719 		    ovpn->keepalive_timeout);
720 	nla_nest_end(ctx->nl_msg, attr);
721 
722 	ret = ovpn_nl_msg_send(ctx, NULL);
723 nla_put_failure:
724 	nl_ctx_free(ctx);
725 	return ret;
726 }
727 
ovpn_del_peer(struct ovpn_ctx * ovpn)728 static int ovpn_del_peer(struct ovpn_ctx *ovpn)
729 {
730 	struct nlattr *attr;
731 	struct nl_ctx *ctx;
732 	int ret = -1;
733 
734 	ctx = nl_ctx_alloc(ovpn, OVPN_CMD_PEER_DEL);
735 	if (!ctx)
736 		return -ENOMEM;
737 
738 	attr = nla_nest_start(ctx->nl_msg, OVPN_A_PEER);
739 	NLA_PUT_U32(ctx->nl_msg, OVPN_A_PEER_ID, ovpn->peer_id);
740 	nla_nest_end(ctx->nl_msg, attr);
741 
742 	ret = ovpn_nl_msg_send(ctx, NULL);
743 nla_put_failure:
744 	nl_ctx_free(ctx);
745 	return ret;
746 }
747 
ovpn_handle_peer(struct nl_msg * msg,void (* arg)__always_unused)748 static int ovpn_handle_peer(struct nl_msg *msg, void (*arg)__always_unused)
749 {
750 	struct nlattr *pattrs[OVPN_A_PEER_MAX + 1];
751 	struct genlmsghdr *gnlh = nlmsg_data(nlmsg_hdr(msg));
752 	struct nlattr *attrs[OVPN_A_MAX + 1];
753 	__u16 rport = 0, lport = 0;
754 
755 	nla_parse(attrs, OVPN_A_MAX, genlmsg_attrdata(gnlh, 0),
756 		  genlmsg_attrlen(gnlh, 0), NULL);
757 
758 	if (!attrs[OVPN_A_PEER]) {
759 		fprintf(stderr, "no packet content in netlink message\n");
760 		return NL_SKIP;
761 	}
762 
763 	nla_parse(pattrs, OVPN_A_PEER_MAX, nla_data(attrs[OVPN_A_PEER]),
764 		  nla_len(attrs[OVPN_A_PEER]), NULL);
765 
766 	if (pattrs[OVPN_A_PEER_ID])
767 		fprintf(stderr, "* Peer %u\n",
768 			nla_get_u32(pattrs[OVPN_A_PEER_ID]));
769 
770 	if (pattrs[OVPN_A_PEER_SOCKET_NETNSID])
771 		fprintf(stderr, "\tsocket NetNS ID: %d\n",
772 			nla_get_s32(pattrs[OVPN_A_PEER_SOCKET_NETNSID]));
773 
774 	if (pattrs[OVPN_A_PEER_VPN_IPV4]) {
775 		char buf[INET_ADDRSTRLEN];
776 
777 		inet_ntop(AF_INET, nla_data(pattrs[OVPN_A_PEER_VPN_IPV4]),
778 			  buf, sizeof(buf));
779 		fprintf(stderr, "\tVPN IPv4: %s\n", buf);
780 	}
781 
782 	if (pattrs[OVPN_A_PEER_VPN_IPV6]) {
783 		char buf[INET6_ADDRSTRLEN];
784 
785 		inet_ntop(AF_INET6, nla_data(pattrs[OVPN_A_PEER_VPN_IPV6]),
786 			  buf, sizeof(buf));
787 		fprintf(stderr, "\tVPN IPv6: %s\n", buf);
788 	}
789 
790 	if (pattrs[OVPN_A_PEER_LOCAL_PORT])
791 		lport = ntohs(nla_get_u16(pattrs[OVPN_A_PEER_LOCAL_PORT]));
792 
793 	if (pattrs[OVPN_A_PEER_REMOTE_PORT])
794 		rport = ntohs(nla_get_u16(pattrs[OVPN_A_PEER_REMOTE_PORT]));
795 
796 	if (pattrs[OVPN_A_PEER_REMOTE_IPV6]) {
797 		void *ip = pattrs[OVPN_A_PEER_REMOTE_IPV6];
798 		char buf[INET6_ADDRSTRLEN];
799 		int scope_id = -1;
800 
801 		if (pattrs[OVPN_A_PEER_REMOTE_IPV6_SCOPE_ID]) {
802 			void *p = pattrs[OVPN_A_PEER_REMOTE_IPV6_SCOPE_ID];
803 
804 			scope_id = nla_get_u32(p);
805 		}
806 
807 		inet_ntop(AF_INET6, nla_data(ip), buf, sizeof(buf));
808 		fprintf(stderr, "\tRemote: %s:%hu (scope-id: %u)\n", buf, rport,
809 			scope_id);
810 
811 		if (pattrs[OVPN_A_PEER_LOCAL_IPV6]) {
812 			void *ip = pattrs[OVPN_A_PEER_LOCAL_IPV6];
813 
814 			inet_ntop(AF_INET6, nla_data(ip), buf, sizeof(buf));
815 			fprintf(stderr, "\tLocal: %s:%hu\n", buf, lport);
816 		}
817 	}
818 
819 	if (pattrs[OVPN_A_PEER_REMOTE_IPV4]) {
820 		void *ip = pattrs[OVPN_A_PEER_REMOTE_IPV4];
821 		char buf[INET_ADDRSTRLEN];
822 
823 		inet_ntop(AF_INET, nla_data(ip), buf, sizeof(buf));
824 		fprintf(stderr, "\tRemote: %s:%hu\n", buf, rport);
825 
826 		if (pattrs[OVPN_A_PEER_LOCAL_IPV4]) {
827 			void *p = pattrs[OVPN_A_PEER_LOCAL_IPV4];
828 
829 			inet_ntop(AF_INET, nla_data(p), buf, sizeof(buf));
830 			fprintf(stderr, "\tLocal: %s:%hu\n", buf, lport);
831 		}
832 	}
833 
834 	if (pattrs[OVPN_A_PEER_KEEPALIVE_INTERVAL]) {
835 		void *p = pattrs[OVPN_A_PEER_KEEPALIVE_INTERVAL];
836 
837 		fprintf(stderr, "\tKeepalive interval: %u sec\n",
838 			nla_get_u32(p));
839 	}
840 
841 	if (pattrs[OVPN_A_PEER_KEEPALIVE_TIMEOUT])
842 		fprintf(stderr, "\tKeepalive timeout: %u sec\n",
843 			nla_get_u32(pattrs[OVPN_A_PEER_KEEPALIVE_TIMEOUT]));
844 
845 	if (pattrs[OVPN_A_PEER_VPN_RX_BYTES])
846 		fprintf(stderr, "\tVPN RX bytes: %" PRIu64 "\n",
847 			ovpn_nla_get_uint(pattrs[OVPN_A_PEER_VPN_RX_BYTES]));
848 
849 	if (pattrs[OVPN_A_PEER_VPN_TX_BYTES])
850 		fprintf(stderr, "\tVPN TX bytes: %" PRIu64 "\n",
851 			ovpn_nla_get_uint(pattrs[OVPN_A_PEER_VPN_TX_BYTES]));
852 
853 	if (pattrs[OVPN_A_PEER_VPN_RX_PACKETS])
854 		fprintf(stderr, "\tVPN RX packets: %" PRIu64 "\n",
855 			ovpn_nla_get_uint(pattrs[OVPN_A_PEER_VPN_RX_PACKETS]));
856 
857 	if (pattrs[OVPN_A_PEER_VPN_TX_PACKETS])
858 		fprintf(stderr, "\tVPN TX packets: %" PRIu64 "\n",
859 			ovpn_nla_get_uint(pattrs[OVPN_A_PEER_VPN_TX_PACKETS]));
860 
861 	if (pattrs[OVPN_A_PEER_LINK_RX_BYTES])
862 		fprintf(stderr, "\tLINK RX bytes: %" PRIu64 "\n",
863 			ovpn_nla_get_uint(pattrs[OVPN_A_PEER_LINK_RX_BYTES]));
864 
865 	if (pattrs[OVPN_A_PEER_LINK_TX_BYTES])
866 		fprintf(stderr, "\tLINK TX bytes: %" PRIu64 "\n",
867 			ovpn_nla_get_uint(pattrs[OVPN_A_PEER_LINK_TX_BYTES]));
868 
869 	if (pattrs[OVPN_A_PEER_LINK_RX_PACKETS])
870 		fprintf(stderr, "\tLINK RX packets: %" PRIu64 "\n",
871 			ovpn_nla_get_uint(pattrs[OVPN_A_PEER_LINK_RX_PACKETS]));
872 
873 	if (pattrs[OVPN_A_PEER_LINK_TX_PACKETS])
874 		fprintf(stderr, "\tLINK TX packets: %" PRIu64 "\n",
875 			ovpn_nla_get_uint(pattrs[OVPN_A_PEER_LINK_TX_PACKETS]));
876 
877 	return NL_SKIP;
878 }
879 
ovpn_get_peer(struct ovpn_ctx * ovpn)880 static int ovpn_get_peer(struct ovpn_ctx *ovpn)
881 {
882 	int flags = 0, ret = -1;
883 	struct nlattr *attr;
884 	struct nl_ctx *ctx;
885 
886 	if (ovpn->peer_id == PEER_ID_UNDEF)
887 		flags = NLM_F_DUMP;
888 
889 	ctx = nl_ctx_alloc_flags(ovpn, OVPN_CMD_PEER_GET, flags);
890 	if (!ctx)
891 		return -ENOMEM;
892 
893 	if (ovpn->peer_id != PEER_ID_UNDEF) {
894 		attr = nla_nest_start(ctx->nl_msg, OVPN_A_PEER);
895 		NLA_PUT_U32(ctx->nl_msg, OVPN_A_PEER_ID, ovpn->peer_id);
896 		nla_nest_end(ctx->nl_msg, attr);
897 	}
898 
899 	ret = ovpn_nl_msg_send(ctx, ovpn_handle_peer);
900 nla_put_failure:
901 	nl_ctx_free(ctx);
902 	return ret;
903 }
904 
ovpn_new_key(struct ovpn_ctx * ovpn)905 static int ovpn_new_key(struct ovpn_ctx *ovpn)
906 {
907 	struct nlattr *keyconf, *key_dir;
908 	struct nl_ctx *ctx;
909 	int ret = -1;
910 
911 	ctx = nl_ctx_alloc(ovpn, OVPN_CMD_KEY_NEW);
912 	if (!ctx)
913 		return -ENOMEM;
914 
915 	keyconf = nla_nest_start(ctx->nl_msg, OVPN_A_KEYCONF);
916 	NLA_PUT_U32(ctx->nl_msg, OVPN_A_KEYCONF_PEER_ID, ovpn->peer_id);
917 	NLA_PUT_U32(ctx->nl_msg, OVPN_A_KEYCONF_SLOT, ovpn->key_slot);
918 	NLA_PUT_U32(ctx->nl_msg, OVPN_A_KEYCONF_KEY_ID, ovpn->key_id);
919 	NLA_PUT_U32(ctx->nl_msg, OVPN_A_KEYCONF_CIPHER_ALG, ovpn->cipher);
920 
921 	key_dir = nla_nest_start(ctx->nl_msg, OVPN_A_KEYCONF_ENCRYPT_DIR);
922 	NLA_PUT(ctx->nl_msg, OVPN_A_KEYDIR_CIPHER_KEY, KEY_LEN, ovpn->key_enc);
923 	NLA_PUT(ctx->nl_msg, OVPN_A_KEYDIR_NONCE_TAIL, NONCE_LEN, ovpn->nonce);
924 	nla_nest_end(ctx->nl_msg, key_dir);
925 
926 	key_dir = nla_nest_start(ctx->nl_msg, OVPN_A_KEYCONF_DECRYPT_DIR);
927 	NLA_PUT(ctx->nl_msg, OVPN_A_KEYDIR_CIPHER_KEY, KEY_LEN, ovpn->key_dec);
928 	NLA_PUT(ctx->nl_msg, OVPN_A_KEYDIR_NONCE_TAIL, NONCE_LEN, ovpn->nonce);
929 	nla_nest_end(ctx->nl_msg, key_dir);
930 
931 	nla_nest_end(ctx->nl_msg, keyconf);
932 
933 	ret = ovpn_nl_msg_send(ctx, NULL);
934 nla_put_failure:
935 	nl_ctx_free(ctx);
936 	return ret;
937 }
938 
ovpn_del_key(struct ovpn_ctx * ovpn)939 static int ovpn_del_key(struct ovpn_ctx *ovpn)
940 {
941 	struct nlattr *keyconf;
942 	struct nl_ctx *ctx;
943 	int ret = -1;
944 
945 	ctx = nl_ctx_alloc(ovpn, OVPN_CMD_KEY_DEL);
946 	if (!ctx)
947 		return -ENOMEM;
948 
949 	keyconf = nla_nest_start(ctx->nl_msg, OVPN_A_KEYCONF);
950 	NLA_PUT_U32(ctx->nl_msg, OVPN_A_KEYCONF_PEER_ID, ovpn->peer_id);
951 	NLA_PUT_U32(ctx->nl_msg, OVPN_A_KEYCONF_SLOT, ovpn->key_slot);
952 	nla_nest_end(ctx->nl_msg, keyconf);
953 
954 	ret = ovpn_nl_msg_send(ctx, NULL);
955 nla_put_failure:
956 	nl_ctx_free(ctx);
957 	return ret;
958 }
959 
ovpn_handle_key(struct nl_msg * msg,void (* arg)__always_unused)960 static int ovpn_handle_key(struct nl_msg *msg, void (*arg)__always_unused)
961 {
962 	struct nlattr *kattrs[OVPN_A_KEYCONF_MAX + 1];
963 	struct genlmsghdr *gnlh = nlmsg_data(nlmsg_hdr(msg));
964 	struct nlattr *attrs[OVPN_A_MAX + 1];
965 
966 	nla_parse(attrs, OVPN_A_MAX, genlmsg_attrdata(gnlh, 0),
967 		  genlmsg_attrlen(gnlh, 0), NULL);
968 
969 	if (!attrs[OVPN_A_KEYCONF]) {
970 		fprintf(stderr, "no packet content in netlink message\n");
971 		return NL_SKIP;
972 	}
973 
974 	nla_parse(kattrs, OVPN_A_KEYCONF_MAX, nla_data(attrs[OVPN_A_KEYCONF]),
975 		  nla_len(attrs[OVPN_A_KEYCONF]), NULL);
976 
977 	if (kattrs[OVPN_A_KEYCONF_PEER_ID])
978 		fprintf(stderr, "* Peer %u\n",
979 			nla_get_u32(kattrs[OVPN_A_KEYCONF_PEER_ID]));
980 	if (kattrs[OVPN_A_KEYCONF_SLOT]) {
981 		fprintf(stderr, "\t- Slot: ");
982 		switch (nla_get_u32(kattrs[OVPN_A_KEYCONF_SLOT])) {
983 		case OVPN_KEY_SLOT_PRIMARY:
984 			fprintf(stderr, "primary\n");
985 			break;
986 		case OVPN_KEY_SLOT_SECONDARY:
987 			fprintf(stderr, "secondary\n");
988 			break;
989 		default:
990 			fprintf(stderr, "invalid (%u)\n",
991 				nla_get_u32(kattrs[OVPN_A_KEYCONF_SLOT]));
992 			break;
993 		}
994 	}
995 	if (kattrs[OVPN_A_KEYCONF_KEY_ID])
996 		fprintf(stderr, "\t- Key ID: %u\n",
997 			nla_get_u32(kattrs[OVPN_A_KEYCONF_KEY_ID]));
998 	if (kattrs[OVPN_A_KEYCONF_CIPHER_ALG]) {
999 		fprintf(stderr, "\t- Cipher: ");
1000 		switch (nla_get_u32(kattrs[OVPN_A_KEYCONF_CIPHER_ALG])) {
1001 		case OVPN_CIPHER_ALG_NONE:
1002 			fprintf(stderr, "none\n");
1003 			break;
1004 		case OVPN_CIPHER_ALG_AES_GCM:
1005 			fprintf(stderr, "aes-gcm\n");
1006 			break;
1007 		case OVPN_CIPHER_ALG_CHACHA20_POLY1305:
1008 			fprintf(stderr, "chacha20poly1305\n");
1009 			break;
1010 		default:
1011 			fprintf(stderr, "invalid (%u)\n",
1012 				nla_get_u32(kattrs[OVPN_A_KEYCONF_CIPHER_ALG]));
1013 			break;
1014 		}
1015 	}
1016 
1017 	return NL_SKIP;
1018 }
1019 
ovpn_get_key(struct ovpn_ctx * ovpn)1020 static int ovpn_get_key(struct ovpn_ctx *ovpn)
1021 {
1022 	struct nlattr *keyconf;
1023 	struct nl_ctx *ctx;
1024 	int ret = -1;
1025 
1026 	ctx = nl_ctx_alloc(ovpn, OVPN_CMD_KEY_GET);
1027 	if (!ctx)
1028 		return -ENOMEM;
1029 
1030 	keyconf = nla_nest_start(ctx->nl_msg, OVPN_A_KEYCONF);
1031 	NLA_PUT_U32(ctx->nl_msg, OVPN_A_KEYCONF_PEER_ID, ovpn->peer_id);
1032 	NLA_PUT_U32(ctx->nl_msg, OVPN_A_KEYCONF_SLOT, ovpn->key_slot);
1033 	nla_nest_end(ctx->nl_msg, keyconf);
1034 
1035 	ret = ovpn_nl_msg_send(ctx, ovpn_handle_key);
1036 nla_put_failure:
1037 	nl_ctx_free(ctx);
1038 	return ret;
1039 }
1040 
ovpn_swap_keys(struct ovpn_ctx * ovpn)1041 static int ovpn_swap_keys(struct ovpn_ctx *ovpn)
1042 {
1043 	struct nl_ctx *ctx;
1044 	struct nlattr *kc;
1045 	int ret = -1;
1046 
1047 	ctx = nl_ctx_alloc(ovpn, OVPN_CMD_KEY_SWAP);
1048 	if (!ctx)
1049 		return -ENOMEM;
1050 
1051 	kc = nla_nest_start(ctx->nl_msg, OVPN_A_KEYCONF);
1052 	NLA_PUT_U32(ctx->nl_msg, OVPN_A_KEYCONF_PEER_ID, ovpn->peer_id);
1053 	nla_nest_end(ctx->nl_msg, kc);
1054 
1055 	ret = ovpn_nl_msg_send(ctx, NULL);
1056 nla_put_failure:
1057 	nl_ctx_free(ctx);
1058 	return ret;
1059 }
1060 
1061 /* Helper function used to easily add attributes to a rtnl message */
ovpn_addattr(struct nlmsghdr * n,int maxlen,int type,const void * data,int alen)1062 static int ovpn_addattr(struct nlmsghdr *n, int maxlen, int type,
1063 			const void *data, int alen)
1064 {
1065 	int len = RTA_LENGTH(alen);
1066 	struct rtattr *rta;
1067 
1068 	if ((int)(NLMSG_ALIGN(n->nlmsg_len) + RTA_ALIGN(len)) > maxlen)	{
1069 		fprintf(stderr, "%s: rtnl: message exceeded bound of %d\n",
1070 			__func__, maxlen);
1071 		return -EMSGSIZE;
1072 	}
1073 
1074 	rta = nlmsg_tail(n);
1075 	rta->rta_type = type;
1076 	rta->rta_len = len;
1077 
1078 	if (!data)
1079 		memset(RTA_DATA(rta), 0, alen);
1080 	else
1081 		memcpy(RTA_DATA(rta), data, alen);
1082 
1083 	n->nlmsg_len = NLMSG_ALIGN(n->nlmsg_len) + RTA_ALIGN(len);
1084 
1085 	return 0;
1086 }
1087 
ovpn_nest_start(struct nlmsghdr * msg,size_t max_size,int attr)1088 static struct rtattr *ovpn_nest_start(struct nlmsghdr *msg, size_t max_size,
1089 				      int attr)
1090 {
1091 	struct rtattr *nest = nlmsg_tail(msg);
1092 
1093 	if (ovpn_addattr(msg, max_size, attr, NULL, 0) < 0)
1094 		return NULL;
1095 
1096 	return nest;
1097 }
1098 
ovpn_nest_end(struct nlmsghdr * msg,struct rtattr * nest)1099 static void ovpn_nest_end(struct nlmsghdr *msg, struct rtattr *nest)
1100 {
1101 	nest->rta_len = (uint8_t *)nlmsg_tail(msg) - (uint8_t *)nest;
1102 }
1103 
1104 #define RT_SNDBUF_SIZE (1024 * 2)
1105 #define RT_RCVBUF_SIZE (1024 * 4)
1106 
1107 /* Open RTNL socket */
ovpn_rt_socket(void)1108 static int ovpn_rt_socket(void)
1109 {
1110 	int sndbuf = RT_SNDBUF_SIZE, rcvbuf = RT_RCVBUF_SIZE, fd;
1111 
1112 	fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE);
1113 	if (fd < 0) {
1114 		fprintf(stderr, "%s: cannot open netlink socket\n", __func__);
1115 		return fd;
1116 	}
1117 
1118 	if (setsockopt(fd, SOL_SOCKET, SO_SNDBUF, &sndbuf,
1119 		       sizeof(sndbuf)) < 0) {
1120 		fprintf(stderr, "%s: SO_SNDBUF\n", __func__);
1121 		close(fd);
1122 		return -1;
1123 	}
1124 
1125 	if (setsockopt(fd, SOL_SOCKET, SO_RCVBUF, &rcvbuf,
1126 		       sizeof(rcvbuf)) < 0) {
1127 		fprintf(stderr, "%s: SO_RCVBUF\n", __func__);
1128 		close(fd);
1129 		return -1;
1130 	}
1131 
1132 	return fd;
1133 }
1134 
1135 /* Bind socket to Netlink subsystem */
ovpn_rt_bind(int fd,uint32_t groups)1136 static int ovpn_rt_bind(int fd, uint32_t groups)
1137 {
1138 	struct sockaddr_nl local = { 0 };
1139 	socklen_t addr_len;
1140 
1141 	local.nl_family = AF_NETLINK;
1142 	local.nl_groups = groups;
1143 
1144 	if (bind(fd, (struct sockaddr *)&local, sizeof(local)) < 0) {
1145 		fprintf(stderr, "%s: cannot bind netlink socket: %d\n",
1146 			__func__, errno);
1147 		return -errno;
1148 	}
1149 
1150 	addr_len = sizeof(local);
1151 	if (getsockname(fd, (struct sockaddr *)&local, &addr_len) < 0) {
1152 		fprintf(stderr, "%s: cannot getsockname: %d\n", __func__,
1153 			errno);
1154 		return -errno;
1155 	}
1156 
1157 	if (addr_len != sizeof(local)) {
1158 		fprintf(stderr, "%s: wrong address length %d\n", __func__,
1159 			addr_len);
1160 		return -EINVAL;
1161 	}
1162 
1163 	if (local.nl_family != AF_NETLINK) {
1164 		fprintf(stderr, "%s: wrong address family %d\n", __func__,
1165 			local.nl_family);
1166 		return -EINVAL;
1167 	}
1168 
1169 	return 0;
1170 }
1171 
1172 typedef int (*ovpn_parse_reply_cb)(struct nlmsghdr *msg, void *arg);
1173 
1174 /* Send Netlink message and run callback on reply (if specified) */
ovpn_rt_send(struct nlmsghdr * payload,pid_t peer,unsigned int groups,ovpn_parse_reply_cb cb,void * arg_cb)1175 static int ovpn_rt_send(struct nlmsghdr *payload, pid_t peer,
1176 			unsigned int groups, ovpn_parse_reply_cb cb,
1177 			void *arg_cb)
1178 {
1179 	int len, rem_len, fd, ret, rcv_len;
1180 	struct sockaddr_nl nladdr = { 0 };
1181 	struct nlmsgerr *err;
1182 	struct nlmsghdr *h;
1183 	char buf[1024 * 16];
1184 	struct iovec iov = {
1185 		.iov_base = payload,
1186 		.iov_len = payload->nlmsg_len,
1187 	};
1188 	struct msghdr nlmsg = {
1189 		.msg_name = &nladdr,
1190 		.msg_namelen = sizeof(nladdr),
1191 		.msg_iov = &iov,
1192 		.msg_iovlen = 1,
1193 	};
1194 
1195 	nladdr.nl_family = AF_NETLINK;
1196 	nladdr.nl_pid = peer;
1197 	nladdr.nl_groups = groups;
1198 
1199 	payload->nlmsg_seq = time(NULL);
1200 
1201 	/* no need to send reply */
1202 	if (!cb)
1203 		payload->nlmsg_flags |= NLM_F_ACK;
1204 
1205 	fd = ovpn_rt_socket();
1206 	if (fd < 0) {
1207 		fprintf(stderr, "%s: can't open rtnl socket\n", __func__);
1208 		return -errno;
1209 	}
1210 
1211 	ret = ovpn_rt_bind(fd, 0);
1212 	if (ret < 0) {
1213 		fprintf(stderr, "%s: can't bind rtnl socket\n", __func__);
1214 		ret = -errno;
1215 		goto out;
1216 	}
1217 
1218 	ret = sendmsg(fd, &nlmsg, 0);
1219 	if (ret < 0) {
1220 		fprintf(stderr, "%s: rtnl: error on sendmsg()\n", __func__);
1221 		ret = -errno;
1222 		goto out;
1223 	}
1224 
1225 	/* prepare buffer to store RTNL replies */
1226 	memset(buf, 0, sizeof(buf));
1227 	iov.iov_base = buf;
1228 
1229 	while (1) {
1230 		/*
1231 		 * iov_len is modified by recvmsg(), therefore has to be initialized before
1232 		 * using it again
1233 		 */
1234 		iov.iov_len = sizeof(buf);
1235 		rcv_len = recvmsg(fd, &nlmsg, 0);
1236 		if (rcv_len < 0) {
1237 			if (errno == EINTR || errno == EAGAIN) {
1238 				fprintf(stderr, "%s: interrupted call\n",
1239 					__func__);
1240 				continue;
1241 			}
1242 			fprintf(stderr, "%s: rtnl: error on recvmsg()\n",
1243 				__func__);
1244 			ret = -errno;
1245 			goto out;
1246 		}
1247 
1248 		if (rcv_len == 0) {
1249 			fprintf(stderr,
1250 				"%s: rtnl: socket reached unexpected EOF\n",
1251 				__func__);
1252 			ret = -EIO;
1253 			goto out;
1254 		}
1255 
1256 		if (nlmsg.msg_namelen != sizeof(nladdr)) {
1257 			fprintf(stderr,
1258 				"%s: sender address length: %u (expected %zu)\n",
1259 				__func__, nlmsg.msg_namelen, sizeof(nladdr));
1260 			ret = -EIO;
1261 			goto out;
1262 		}
1263 
1264 		h = (struct nlmsghdr *)buf;
1265 		while (rcv_len >= (int)sizeof(*h)) {
1266 			len = h->nlmsg_len;
1267 			rem_len = len - sizeof(*h);
1268 
1269 			if (rem_len < 0 || len > rcv_len) {
1270 				if (nlmsg.msg_flags & MSG_TRUNC) {
1271 					fprintf(stderr, "%s: truncated message\n",
1272 						__func__);
1273 					ret = -EIO;
1274 					goto out;
1275 				}
1276 				fprintf(stderr, "%s: malformed message: len=%d\n",
1277 					__func__, len);
1278 				ret = -EIO;
1279 				goto out;
1280 			}
1281 
1282 			if (h->nlmsg_type == NLMSG_DONE) {
1283 				ret = 0;
1284 				goto out;
1285 			}
1286 
1287 			if (h->nlmsg_type == NLMSG_ERROR) {
1288 				err = (struct nlmsgerr *)NLMSG_DATA(h);
1289 				if (rem_len < (int)sizeof(struct nlmsgerr)) {
1290 					fprintf(stderr, "%s: ERROR truncated\n",
1291 						__func__);
1292 					ret = -EIO;
1293 					goto out;
1294 				}
1295 
1296 				if (err->error) {
1297 					fprintf(stderr, "%s: (%d) %s\n",
1298 						__func__, err->error,
1299 						strerror(-err->error));
1300 					ret = err->error;
1301 					goto out;
1302 				}
1303 
1304 				ret = 0;
1305 				if (cb)	{
1306 					int r = cb(h, arg_cb);
1307 
1308 					if (r <= 0)
1309 						ret = r;
1310 				}
1311 				goto out;
1312 			}
1313 
1314 			if (cb) {
1315 				int r = cb(h, arg_cb);
1316 
1317 				if (r <= 0) {
1318 					ret = r;
1319 					goto out;
1320 				}
1321 			} else {
1322 				fprintf(stderr, "%s: RTNL: unexpected reply\n",
1323 					__func__);
1324 			}
1325 
1326 			rcv_len -= NLMSG_ALIGN(len);
1327 			h = (struct nlmsghdr *)((uint8_t *)h +
1328 						NLMSG_ALIGN(len));
1329 		}
1330 
1331 		if (nlmsg.msg_flags & MSG_TRUNC) {
1332 			fprintf(stderr, "%s: message truncated\n", __func__);
1333 			continue;
1334 		}
1335 
1336 		if (rcv_len) {
1337 			fprintf(stderr, "%s: rtnl: %d not parsed bytes\n",
1338 				__func__, rcv_len);
1339 			ret = -1;
1340 			goto out;
1341 		}
1342 	}
1343 out:
1344 	close(fd);
1345 
1346 	return ret;
1347 }
1348 
1349 struct ovpn_link_req {
1350 	struct nlmsghdr n;
1351 	struct ifinfomsg i;
1352 	char buf[256];
1353 };
1354 
ovpn_new_iface(struct ovpn_ctx * ovpn)1355 static int ovpn_new_iface(struct ovpn_ctx *ovpn)
1356 {
1357 	struct rtattr *linkinfo, *data;
1358 	struct ovpn_link_req req = { 0 };
1359 	int ret = -1;
1360 
1361 	fprintf(stdout, "Creating interface %s with mode %u\n", ovpn->ifname,
1362 		ovpn->mode);
1363 
1364 	req.n.nlmsg_len = NLMSG_LENGTH(sizeof(req.i));
1365 	req.n.nlmsg_flags = NLM_F_REQUEST | NLM_F_CREATE | NLM_F_EXCL;
1366 	req.n.nlmsg_type = RTM_NEWLINK;
1367 
1368 	if (ovpn_addattr(&req.n, sizeof(req), IFLA_IFNAME, ovpn->ifname,
1369 			 strlen(ovpn->ifname) + 1) < 0)
1370 		goto err;
1371 
1372 	linkinfo = ovpn_nest_start(&req.n, sizeof(req), IFLA_LINKINFO);
1373 	if (!linkinfo)
1374 		goto err;
1375 
1376 	if (ovpn_addattr(&req.n, sizeof(req), IFLA_INFO_KIND, OVPN_FAMILY_NAME,
1377 			 strlen(OVPN_FAMILY_NAME) + 1) < 0)
1378 		goto err;
1379 
1380 	if (ovpn->mode_set) {
1381 		data = ovpn_nest_start(&req.n, sizeof(req), IFLA_INFO_DATA);
1382 		if (!data)
1383 			goto err;
1384 
1385 		if (ovpn_addattr(&req.n, sizeof(req), IFLA_OVPN_MODE,
1386 				 &ovpn->mode, sizeof(uint8_t)) < 0)
1387 			goto err;
1388 
1389 		ovpn_nest_end(&req.n, data);
1390 	}
1391 
1392 	ovpn_nest_end(&req.n, linkinfo);
1393 
1394 	req.i.ifi_family = AF_PACKET;
1395 
1396 	ret = ovpn_rt_send(&req.n, 0, 0, NULL, NULL);
1397 err:
1398 	return ret;
1399 }
1400 
ovpn_del_iface(struct ovpn_ctx * ovpn)1401 static int ovpn_del_iface(struct ovpn_ctx *ovpn)
1402 {
1403 	struct ovpn_link_req req = { 0 };
1404 
1405 	fprintf(stdout, "Deleting interface %s ifindex %u\n", ovpn->ifname,
1406 		ovpn->ifindex);
1407 
1408 	req.n.nlmsg_len = NLMSG_LENGTH(sizeof(req.i));
1409 	req.n.nlmsg_flags = NLM_F_REQUEST;
1410 	req.n.nlmsg_type = RTM_DELLINK;
1411 
1412 	req.i.ifi_family = AF_PACKET;
1413 	req.i.ifi_index = ovpn->ifindex;
1414 
1415 	return ovpn_rt_send(&req.n, 0, 0, NULL, NULL);
1416 }
1417 
nl_seq_check(struct nl_msg (* msg)__always_unused,void (* arg)__always_unused)1418 static int nl_seq_check(struct nl_msg (*msg)__always_unused,
1419 			void (*arg)__always_unused)
1420 {
1421 	return NL_OK;
1422 }
1423 
1424 struct mcast_handler_args {
1425 	const char *group;
1426 	int id;
1427 };
1428 
mcast_family_handler(struct nl_msg * msg,void * arg)1429 static int mcast_family_handler(struct nl_msg *msg, void *arg)
1430 {
1431 	struct mcast_handler_args *grp = arg;
1432 	struct nlattr *tb[CTRL_ATTR_MAX + 1];
1433 	struct genlmsghdr *gnlh = nlmsg_data(nlmsg_hdr(msg));
1434 	struct nlattr *mcgrp;
1435 	int rem_mcgrp;
1436 
1437 	nla_parse(tb, CTRL_ATTR_MAX, genlmsg_attrdata(gnlh, 0),
1438 		  genlmsg_attrlen(gnlh, 0), NULL);
1439 
1440 	if (!tb[CTRL_ATTR_MCAST_GROUPS])
1441 		return NL_SKIP;
1442 
1443 	nla_for_each_nested(mcgrp, tb[CTRL_ATTR_MCAST_GROUPS], rem_mcgrp) {
1444 		struct nlattr *tb_mcgrp[CTRL_ATTR_MCAST_GRP_MAX + 1];
1445 
1446 		nla_parse(tb_mcgrp, CTRL_ATTR_MCAST_GRP_MAX,
1447 			  nla_data(mcgrp), nla_len(mcgrp), NULL);
1448 
1449 		if (!tb_mcgrp[CTRL_ATTR_MCAST_GRP_NAME] ||
1450 		    !tb_mcgrp[CTRL_ATTR_MCAST_GRP_ID])
1451 			continue;
1452 		if (strncmp(nla_data(tb_mcgrp[CTRL_ATTR_MCAST_GRP_NAME]),
1453 			    grp->group, nla_len(tb_mcgrp[CTRL_ATTR_MCAST_GRP_NAME])))
1454 			continue;
1455 		grp->id = nla_get_u32(tb_mcgrp[CTRL_ATTR_MCAST_GRP_ID]);
1456 		break;
1457 	}
1458 
1459 	return NL_SKIP;
1460 }
1461 
mcast_error_handler(struct sockaddr_nl (* nla)__always_unused,struct nlmsgerr * err,void * arg)1462 static int mcast_error_handler(struct sockaddr_nl (*nla)__always_unused,
1463 			       struct nlmsgerr *err, void *arg)
1464 {
1465 	int *ret = arg;
1466 
1467 	*ret = err->error;
1468 	return NL_STOP;
1469 }
1470 
mcast_ack_handler(struct nl_msg (* msg)__always_unused,void * arg)1471 static int mcast_ack_handler(struct nl_msg (*msg)__always_unused, void *arg)
1472 {
1473 	int *ret = arg;
1474 
1475 	*ret = 0;
1476 	return NL_STOP;
1477 }
1478 
ovpn_handle_msg(struct nl_msg * msg,void * arg)1479 static int ovpn_handle_msg(struct nl_msg *msg, void *arg)
1480 {
1481 	struct genlmsghdr *gnlh = nlmsg_data(nlmsg_hdr(msg));
1482 	struct nlattr *attrs[OVPN_A_MAX + 1];
1483 	struct nlmsghdr *nlh = nlmsg_hdr(msg);
1484 	char ifname[IF_NAMESIZE];
1485 	int *ret = arg;
1486 	__u32 ifindex;
1487 
1488 	fprintf(stderr, "received message from ovpn-dco\n");
1489 
1490 	*ret = -1;
1491 
1492 	if (!genlmsg_valid_hdr(nlh, 0)) {
1493 		fprintf(stderr, "invalid header\n");
1494 		return NL_STOP;
1495 	}
1496 
1497 	if (nla_parse(attrs, OVPN_A_MAX, genlmsg_attrdata(gnlh, 0),
1498 		      genlmsg_attrlen(gnlh, 0), NULL)) {
1499 		fprintf(stderr, "received bogus data from ovpn-dco\n");
1500 		return NL_STOP;
1501 	}
1502 
1503 	if (!attrs[OVPN_A_IFINDEX]) {
1504 		fprintf(stderr, "no ifindex in this message\n");
1505 		return NL_STOP;
1506 	}
1507 
1508 	ifindex = nla_get_u32(attrs[OVPN_A_IFINDEX]);
1509 	if (!if_indextoname(ifindex, ifname)) {
1510 		fprintf(stderr, "cannot resolve ifname for ifindex: %u\n",
1511 			ifindex);
1512 		return NL_STOP;
1513 	}
1514 
1515 	switch (gnlh->cmd) {
1516 	case OVPN_CMD_PEER_DEL_NTF:
1517 		fprintf(stdout, "received CMD_PEER_DEL_NTF\n");
1518 		break;
1519 	case OVPN_CMD_KEY_SWAP_NTF:
1520 		fprintf(stdout, "received CMD_KEY_SWAP_NTF\n");
1521 		break;
1522 	default:
1523 		fprintf(stderr, "received unknown command: %d\n", gnlh->cmd);
1524 		return NL_STOP;
1525 	}
1526 
1527 	*ret = 0;
1528 	return NL_OK;
1529 }
1530 
ovpn_get_mcast_id(struct nl_sock * sock,const char * family,const char * group)1531 static int ovpn_get_mcast_id(struct nl_sock *sock, const char *family,
1532 			     const char *group)
1533 {
1534 	struct nl_msg *msg;
1535 	struct nl_cb *cb;
1536 	int ret, ctrlid;
1537 	struct mcast_handler_args grp = {
1538 		.group = group,
1539 		.id = -ENOENT,
1540 	};
1541 
1542 	msg = nlmsg_alloc();
1543 	if (!msg)
1544 		return -ENOMEM;
1545 
1546 	cb = nl_cb_alloc(NL_CB_DEFAULT);
1547 	if (!cb) {
1548 		ret = -ENOMEM;
1549 		goto out_fail_cb;
1550 	}
1551 
1552 	ctrlid = genl_ctrl_resolve(sock, "nlctrl");
1553 
1554 	genlmsg_put(msg, 0, 0, ctrlid, 0, 0, CTRL_CMD_GETFAMILY, 0);
1555 
1556 	ret = -ENOBUFS;
1557 	NLA_PUT_STRING(msg, CTRL_ATTR_FAMILY_NAME, family);
1558 
1559 	ret = nl_send_auto_complete(sock, msg);
1560 	if (ret < 0)
1561 		goto nla_put_failure;
1562 
1563 	ret = 1;
1564 
1565 	nl_cb_err(cb, NL_CB_CUSTOM, mcast_error_handler, &ret);
1566 	nl_cb_set(cb, NL_CB_ACK, NL_CB_CUSTOM, mcast_ack_handler, &ret);
1567 	nl_cb_set(cb, NL_CB_VALID, NL_CB_CUSTOM, mcast_family_handler, &grp);
1568 
1569 	while (ret > 0)
1570 		nl_recvmsgs(sock, cb);
1571 
1572 	if (ret == 0)
1573 		ret = grp.id;
1574  nla_put_failure:
1575 	nl_cb_put(cb);
1576  out_fail_cb:
1577 	nlmsg_free(msg);
1578 	return ret;
1579 }
1580 
ovpn_listen_mcast(void)1581 static int ovpn_listen_mcast(void)
1582 {
1583 	struct nl_sock *sock;
1584 	struct nl_cb *cb;
1585 	int mcid, ret;
1586 
1587 	sock = nl_socket_alloc();
1588 	if (!sock) {
1589 		fprintf(stderr, "cannot allocate netlink socket\n");
1590 		goto err_free;
1591 	}
1592 
1593 	nl_socket_set_buffer_size(sock, 8192, 8192);
1594 
1595 	ret = genl_connect(sock);
1596 	if (ret < 0) {
1597 		fprintf(stderr, "cannot connect to generic netlink: %s\n",
1598 			nl_geterror(ret));
1599 		goto err_free;
1600 	}
1601 
1602 	mcid = ovpn_get_mcast_id(sock, OVPN_FAMILY_NAME, OVPN_MCGRP_PEERS);
1603 	if (mcid < 0) {
1604 		fprintf(stderr, "cannot get mcast group: %s\n",
1605 			nl_geterror(mcid));
1606 		goto err_free;
1607 	}
1608 
1609 	ret = nl_socket_add_membership(sock, mcid);
1610 	if (ret) {
1611 		fprintf(stderr, "failed to join mcast group: %d\n", ret);
1612 		goto err_free;
1613 	}
1614 
1615 	ret = 1;
1616 	cb = nl_cb_alloc(NL_CB_DEFAULT);
1617 	nl_cb_set(cb, NL_CB_SEQ_CHECK, NL_CB_CUSTOM, nl_seq_check, NULL);
1618 	nl_cb_set(cb, NL_CB_VALID, NL_CB_CUSTOM, ovpn_handle_msg, &ret);
1619 	nl_cb_err(cb, NL_CB_CUSTOM, ovpn_nl_cb_error, &ret);
1620 
1621 	while (ret == 1) {
1622 		int err = nl_recvmsgs(sock, cb);
1623 
1624 		if (err < 0) {
1625 			fprintf(stderr,
1626 				"cannot receive netlink message: (%d) %s\n",
1627 				err, nl_geterror(-err));
1628 			ret = -1;
1629 			break;
1630 		}
1631 	}
1632 
1633 	nl_cb_put(cb);
1634 err_free:
1635 	nl_socket_free(sock);
1636 	return ret;
1637 }
1638 
usage(const char * cmd)1639 static void usage(const char *cmd)
1640 {
1641 	fprintf(stderr,
1642 		"Usage %s <command> <iface> [arguments..]\n",
1643 		cmd);
1644 	fprintf(stderr, "where <command> can be one of the following\n\n");
1645 
1646 	fprintf(stderr, "* new_iface <iface> [mode]: create new ovpn interface\n");
1647 	fprintf(stderr, "\tiface: ovpn interface name\n");
1648 	fprintf(stderr, "\tmode:\n");
1649 	fprintf(stderr, "\t\t- P2P for peer-to-peer mode (i.e. client)\n");
1650 	fprintf(stderr, "\t\t- MP for multi-peer mode (i.e. server)\n");
1651 
1652 	fprintf(stderr, "* del_iface <iface>: delete ovpn interface\n");
1653 	fprintf(stderr, "\tiface: ovpn interface name\n");
1654 
1655 	fprintf(stderr,
1656 		"* listen <iface> <lport> <peers_file> [ipv6]: listen for incoming peer TCP connections\n");
1657 	fprintf(stderr, "\tiface: ovpn interface name\n");
1658 	fprintf(stderr, "\tlport: TCP port to listen to\n");
1659 	fprintf(stderr,
1660 		"\tpeers_file: file containing one peer per line: Line format:\n");
1661 	fprintf(stderr, "\t\t<peer_id> <vpnaddr>\n");
1662 	fprintf(stderr,
1663 		"\tipv6: whether the socket should listen to the IPv6 wildcard address\n");
1664 
1665 	fprintf(stderr,
1666 		"* connect <iface> <peer_id> <raddr> <rport> [key_file]: start connecting peer of TCP-based VPN session\n");
1667 	fprintf(stderr, "\tiface: ovpn interface name\n");
1668 	fprintf(stderr, "\tpeer_id: peer ID of the connecting peer\n");
1669 	fprintf(stderr, "\traddr: peer IP address to connect to\n");
1670 	fprintf(stderr, "\trport: peer TCP port to connect to\n");
1671 	fprintf(stderr,
1672 		"\tkey_file: file containing the symmetric key for encryption\n");
1673 
1674 	fprintf(stderr,
1675 		"* new_peer <iface> <peer_id> <lport> <raddr> <rport> [vpnaddr]: add new peer\n");
1676 	fprintf(stderr, "\tiface: ovpn interface name\n");
1677 	fprintf(stderr, "\tlport: local UDP port to bind to\n");
1678 	fprintf(stderr,
1679 		"\tpeer_id: peer ID to be used in data packets to/from this peer\n");
1680 	fprintf(stderr, "\traddr: peer IP address\n");
1681 	fprintf(stderr, "\trport: peer UDP port\n");
1682 	fprintf(stderr, "\tvpnaddr: peer VPN IP\n");
1683 
1684 	fprintf(stderr,
1685 		"* new_multi_peer <iface> <lport> <peers_file>: add multiple peers as listed in the file\n");
1686 	fprintf(stderr, "\tiface: ovpn interface name\n");
1687 	fprintf(stderr, "\tlport: local UDP port to bind to\n");
1688 	fprintf(stderr,
1689 		"\tpeers_file: text file containing one peer per line. Line format:\n");
1690 	fprintf(stderr, "\t\t<peer_id> <raddr> <rport> <vpnaddr>\n");
1691 
1692 	fprintf(stderr,
1693 		"* set_peer <iface> <peer_id> <keepalive_interval> <keepalive_timeout>: set peer attributes\n");
1694 	fprintf(stderr, "\tiface: ovpn interface name\n");
1695 	fprintf(stderr, "\tpeer_id: peer ID of the peer to modify\n");
1696 	fprintf(stderr,
1697 		"\tkeepalive_interval: interval for sending ping messages\n");
1698 	fprintf(stderr,
1699 		"\tkeepalive_timeout: time after which a peer is timed out\n");
1700 
1701 	fprintf(stderr, "* del_peer <iface> <peer_id>: delete peer\n");
1702 	fprintf(stderr, "\tiface: ovpn interface name\n");
1703 	fprintf(stderr, "\tpeer_id: peer ID of the peer to delete\n");
1704 
1705 	fprintf(stderr, "* get_peer <iface> [peer_id]: retrieve peer(s) status\n");
1706 	fprintf(stderr, "\tiface: ovpn interface name\n");
1707 	fprintf(stderr,
1708 		"\tpeer_id: peer ID of the peer to query. All peers are returned if omitted\n");
1709 
1710 	fprintf(stderr,
1711 		"* new_key <iface> <peer_id> <slot> <key_id> <cipher> <key_dir> <key_file>: set data channel key\n");
1712 	fprintf(stderr, "\tiface: ovpn interface name\n");
1713 	fprintf(stderr,
1714 		"\tpeer_id: peer ID of the peer to configure the key for\n");
1715 	fprintf(stderr, "\tslot: either 1 (primary) or 2 (secondary)\n");
1716 	fprintf(stderr, "\tkey_id: an ID from 0 to 7\n");
1717 	fprintf(stderr,
1718 		"\tcipher: cipher to use, supported: aes (AES-GCM), chachapoly (CHACHA20POLY1305)\n");
1719 	fprintf(stderr,
1720 		"\tkey_dir: key direction, must 0 on one host and 1 on the other\n");
1721 	fprintf(stderr, "\tkey_file: file containing the pre-shared key\n");
1722 
1723 	fprintf(stderr,
1724 		"* del_key <iface> <peer_id> [slot]: erase existing data channel key\n");
1725 	fprintf(stderr, "\tiface: ovpn interface name\n");
1726 	fprintf(stderr, "\tpeer_id: peer ID of the peer to modify\n");
1727 	fprintf(stderr, "\tslot: slot to erase. PRIMARY if omitted\n");
1728 
1729 	fprintf(stderr,
1730 		"* get_key <iface> <peer_id> <slot>: retrieve non sensible key data\n");
1731 	fprintf(stderr, "\tiface: ovpn interface name\n");
1732 	fprintf(stderr, "\tpeer_id: peer ID of the peer to query\n");
1733 	fprintf(stderr, "\tslot: either 1 (primary) or 2 (secondary)\n");
1734 
1735 	fprintf(stderr,
1736 		"* swap_keys <iface> <peer_id>: swap content of primary and secondary key slots\n");
1737 	fprintf(stderr, "\tiface: ovpn interface name\n");
1738 	fprintf(stderr, "\tpeer_id: peer ID of the peer to modify\n");
1739 
1740 	fprintf(stderr,
1741 		"* listen_mcast: listen to ovpn netlink multicast messages\n");
1742 }
1743 
ovpn_parse_remote(struct ovpn_ctx * ovpn,const char * host,const char * service,const char * vpnip)1744 static int ovpn_parse_remote(struct ovpn_ctx *ovpn, const char *host,
1745 			     const char *service, const char *vpnip)
1746 {
1747 	int ret;
1748 	struct addrinfo *result;
1749 	struct addrinfo hints = {
1750 		.ai_family = ovpn->sa_family,
1751 		.ai_socktype = SOCK_DGRAM,
1752 		.ai_protocol = IPPROTO_UDP
1753 	};
1754 
1755 	if (host) {
1756 		ret = getaddrinfo(host, service, &hints, &result);
1757 		if (ret) {
1758 			fprintf(stderr, "getaddrinfo on remote error: %s\n",
1759 				gai_strerror(ret));
1760 			return -1;
1761 		}
1762 
1763 		if (!(result->ai_family == AF_INET &&
1764 		      result->ai_addrlen == sizeof(struct sockaddr_in)) &&
1765 		    !(result->ai_family == AF_INET6 &&
1766 		      result->ai_addrlen == sizeof(struct sockaddr_in6))) {
1767 			ret = -EINVAL;
1768 			goto out;
1769 		}
1770 
1771 		memcpy(&ovpn->remote, result->ai_addr, result->ai_addrlen);
1772 	}
1773 
1774 	if (vpnip) {
1775 		ret = getaddrinfo(vpnip, NULL, &hints, &result);
1776 		if (ret) {
1777 			fprintf(stderr, "getaddrinfo on vpnip error: %s\n",
1778 				gai_strerror(ret));
1779 			return -1;
1780 		}
1781 
1782 		if (!(result->ai_family == AF_INET &&
1783 		      result->ai_addrlen == sizeof(struct sockaddr_in)) &&
1784 		    !(result->ai_family == AF_INET6 &&
1785 		      result->ai_addrlen == sizeof(struct sockaddr_in6))) {
1786 			ret = -EINVAL;
1787 			goto out;
1788 		}
1789 
1790 		memcpy(&ovpn->peer_ip, result->ai_addr, result->ai_addrlen);
1791 		ovpn->sa_family = result->ai_family;
1792 
1793 		ovpn->peer_ip_set = true;
1794 	}
1795 
1796 	ret = 0;
1797 out:
1798 	freeaddrinfo(result);
1799 	return ret;
1800 }
1801 
ovpn_parse_new_peer(struct ovpn_ctx * ovpn,const char * peer_id,const char * raddr,const char * rport,const char * vpnip)1802 static int ovpn_parse_new_peer(struct ovpn_ctx *ovpn, const char *peer_id,
1803 			       const char *raddr, const char *rport,
1804 			       const char *vpnip)
1805 {
1806 	ovpn->peer_id = strtoul(peer_id, NULL, 10);
1807 	if (errno == ERANGE || ovpn->peer_id > PEER_ID_UNDEF) {
1808 		fprintf(stderr, "peer ID value out of range\n");
1809 		return -1;
1810 	}
1811 
1812 	return ovpn_parse_remote(ovpn, raddr, rport, vpnip);
1813 }
1814 
ovpn_parse_key_slot(const char * arg,struct ovpn_ctx * ovpn)1815 static int ovpn_parse_key_slot(const char *arg, struct ovpn_ctx *ovpn)
1816 {
1817 	int slot = strtoul(arg, NULL, 10);
1818 
1819 	if (errno == ERANGE || slot < 1 || slot > 2) {
1820 		fprintf(stderr, "key slot out of range\n");
1821 		return -1;
1822 	}
1823 
1824 	switch (slot) {
1825 	case 1:
1826 		ovpn->key_slot = OVPN_KEY_SLOT_PRIMARY;
1827 		break;
1828 	case 2:
1829 		ovpn->key_slot = OVPN_KEY_SLOT_SECONDARY;
1830 		break;
1831 	}
1832 
1833 	return 0;
1834 }
1835 
ovpn_send_tcp_data(int socket)1836 static int ovpn_send_tcp_data(int socket)
1837 {
1838 	uint16_t len = htons(1000);
1839 	uint8_t buf[1002];
1840 	int ret;
1841 
1842 	memcpy(buf, &len, sizeof(len));
1843 	memset(buf + sizeof(len), 0x86, sizeof(buf) - sizeof(len));
1844 
1845 	ret = send(socket, buf, sizeof(buf), MSG_NOSIGNAL);
1846 
1847 	fprintf(stdout, "Sent %u bytes over TCP socket\n", ret);
1848 
1849 	return ret > 0 ? 0 : ret;
1850 }
1851 
ovpn_recv_tcp_data(int socket)1852 static int ovpn_recv_tcp_data(int socket)
1853 {
1854 	uint8_t buf[1002];
1855 	uint16_t len;
1856 	int ret;
1857 
1858 	ret = recv(socket, buf, sizeof(buf), MSG_NOSIGNAL);
1859 
1860 	if (ret < 2) {
1861 		fprintf(stderr, ">>>> Error while reading TCP data: %d\n", ret);
1862 		return ret;
1863 	}
1864 
1865 	memcpy(&len, buf, sizeof(len));
1866 	len = ntohs(len);
1867 
1868 	fprintf(stdout, ">>>> Received %u bytes over TCP socket, header: %u\n",
1869 		ret, len);
1870 
1871 	return 0;
1872 }
1873 
ovpn_parse_cmd(const char * cmd)1874 static enum ovpn_cmd ovpn_parse_cmd(const char *cmd)
1875 {
1876 	if (!strcmp(cmd, "new_iface"))
1877 		return CMD_NEW_IFACE;
1878 
1879 	if (!strcmp(cmd, "del_iface"))
1880 		return CMD_DEL_IFACE;
1881 
1882 	if (!strcmp(cmd, "listen"))
1883 		return CMD_LISTEN;
1884 
1885 	if (!strcmp(cmd, "connect"))
1886 		return CMD_CONNECT;
1887 
1888 	if (!strcmp(cmd, "new_peer"))
1889 		return CMD_NEW_PEER;
1890 
1891 	if (!strcmp(cmd, "new_multi_peer"))
1892 		return CMD_NEW_MULTI_PEER;
1893 
1894 	if (!strcmp(cmd, "set_peer"))
1895 		return CMD_SET_PEER;
1896 
1897 	if (!strcmp(cmd, "del_peer"))
1898 		return CMD_DEL_PEER;
1899 
1900 	if (!strcmp(cmd, "get_peer"))
1901 		return CMD_GET_PEER;
1902 
1903 	if (!strcmp(cmd, "new_key"))
1904 		return CMD_NEW_KEY;
1905 
1906 	if (!strcmp(cmd, "del_key"))
1907 		return CMD_DEL_KEY;
1908 
1909 	if (!strcmp(cmd, "get_key"))
1910 		return CMD_GET_KEY;
1911 
1912 	if (!strcmp(cmd, "swap_keys"))
1913 		return CMD_SWAP_KEYS;
1914 
1915 	if (!strcmp(cmd, "listen_mcast"))
1916 		return CMD_LISTEN_MCAST;
1917 
1918 	return CMD_INVALID;
1919 }
1920 
1921 /* Send process to background and waits for signal.
1922  *
1923  * This helper is called at the end of commands
1924  * creating sockets, so that the latter stay alive
1925  * along with the process that created them.
1926  *
1927  * A signal is expected to be delivered in order to
1928  * terminate the waiting processes
1929  */
ovpn_waitbg(void)1930 static void ovpn_waitbg(void)
1931 {
1932 	daemon(1, 1);
1933 	pause();
1934 }
1935 
ovpn_run_cmd(struct ovpn_ctx * ovpn)1936 static int ovpn_run_cmd(struct ovpn_ctx *ovpn)
1937 {
1938 	char peer_id[10], vpnip[INET6_ADDRSTRLEN], laddr[128], lport[10];
1939 	char raddr[128], rport[10];
1940 	int n, ret;
1941 	FILE *fp;
1942 
1943 	switch (ovpn->cmd) {
1944 	case CMD_NEW_IFACE:
1945 		ret = ovpn_new_iface(ovpn);
1946 		break;
1947 	case CMD_DEL_IFACE:
1948 		ret = ovpn_del_iface(ovpn);
1949 		break;
1950 	case CMD_LISTEN:
1951 		ret = ovpn_listen(ovpn, ovpn->sa_family);
1952 		if (ret < 0) {
1953 			fprintf(stderr, "cannot listen on TCP socket\n");
1954 			return ret;
1955 		}
1956 
1957 		fp = fopen(ovpn->peers_file, "r");
1958 		if (!fp) {
1959 			fprintf(stderr, "cannot open file: %s\n",
1960 				ovpn->peers_file);
1961 			return -1;
1962 		}
1963 
1964 		int num_peers = 0;
1965 
1966 		while ((n = fscanf(fp, "%s %s\n", peer_id, vpnip)) == 2) {
1967 			struct ovpn_ctx peer_ctx = { 0 };
1968 
1969 			if (num_peers == MAX_PEERS) {
1970 				fprintf(stderr, "max peers reached!\n");
1971 				return -E2BIG;
1972 			}
1973 
1974 			peer_ctx.ifindex = ovpn->ifindex;
1975 			peer_ctx.sa_family = ovpn->sa_family;
1976 
1977 			peer_ctx.socket = ovpn_accept(ovpn);
1978 			if (peer_ctx.socket < 0) {
1979 				fprintf(stderr, "cannot accept connection!\n");
1980 				return -1;
1981 			}
1982 
1983 			/* store peer sockets to test TCP I/O */
1984 			ovpn->cli_sockets[num_peers] = peer_ctx.socket;
1985 
1986 			ret = ovpn_parse_new_peer(&peer_ctx, peer_id, NULL,
1987 						  NULL, vpnip);
1988 			if (ret < 0) {
1989 				fprintf(stderr, "error while parsing line\n");
1990 				return -1;
1991 			}
1992 
1993 			ret = ovpn_new_peer(&peer_ctx, true);
1994 			if (ret < 0) {
1995 				fprintf(stderr,
1996 					"cannot add peer to VPN: %s %s\n",
1997 					peer_id, vpnip);
1998 				return ret;
1999 			}
2000 			num_peers++;
2001 		}
2002 
2003 		for (int i = 0; i < num_peers; i++) {
2004 			ret = ovpn_recv_tcp_data(ovpn->cli_sockets[i]);
2005 			if (ret < 0)
2006 				break;
2007 		}
2008 		ovpn_waitbg();
2009 		break;
2010 	case CMD_CONNECT:
2011 		ret = ovpn_connect(ovpn);
2012 		if (ret < 0) {
2013 			fprintf(stderr, "cannot connect TCP socket\n");
2014 			return ret;
2015 		}
2016 
2017 		ret = ovpn_new_peer(ovpn, true);
2018 		if (ret < 0) {
2019 			fprintf(stderr, "cannot add peer to VPN\n");
2020 			close(ovpn->socket);
2021 			return ret;
2022 		}
2023 
2024 		if (ovpn->cipher != OVPN_CIPHER_ALG_NONE) {
2025 			ret = ovpn_new_key(ovpn);
2026 			if (ret < 0) {
2027 				fprintf(stderr, "cannot set key\n");
2028 				return ret;
2029 			}
2030 		}
2031 
2032 		ret = ovpn_send_tcp_data(ovpn->socket);
2033 		ovpn_waitbg();
2034 		break;
2035 	case CMD_NEW_PEER:
2036 		ret = ovpn_udp_socket(ovpn, AF_INET6);
2037 		if (ret < 0)
2038 			return ret;
2039 
2040 		ret = ovpn_new_peer(ovpn, false);
2041 		ovpn_waitbg();
2042 		break;
2043 	case CMD_NEW_MULTI_PEER:
2044 		ret = ovpn_udp_socket(ovpn, AF_INET6);
2045 		if (ret < 0)
2046 			return ret;
2047 
2048 		fp = fopen(ovpn->peers_file, "r");
2049 		if (!fp) {
2050 			fprintf(stderr, "cannot open file: %s\n",
2051 				ovpn->peers_file);
2052 			return -1;
2053 		}
2054 
2055 		while ((n = fscanf(fp, "%s %s %s %s %s %s\n", peer_id, laddr,
2056 				   lport, raddr, rport, vpnip)) == 6) {
2057 			struct ovpn_ctx peer_ctx = { 0 };
2058 
2059 			peer_ctx.ifindex = ovpn->ifindex;
2060 			peer_ctx.socket = ovpn->socket;
2061 			peer_ctx.sa_family = AF_UNSPEC;
2062 
2063 			ret = ovpn_parse_new_peer(&peer_ctx, peer_id, raddr,
2064 						  rport, vpnip);
2065 			if (ret < 0) {
2066 				fprintf(stderr, "error while parsing line\n");
2067 				return -1;
2068 			}
2069 
2070 			ret = ovpn_new_peer(&peer_ctx, false);
2071 			if (ret < 0) {
2072 				fprintf(stderr,
2073 					"cannot add peer to VPN: %s %s %s %s\n",
2074 					peer_id, raddr, rport, vpnip);
2075 				return ret;
2076 			}
2077 		}
2078 		ovpn_waitbg();
2079 		break;
2080 	case CMD_SET_PEER:
2081 		ret = ovpn_set_peer(ovpn);
2082 		break;
2083 	case CMD_DEL_PEER:
2084 		ret = ovpn_del_peer(ovpn);
2085 		break;
2086 	case CMD_GET_PEER:
2087 		if (ovpn->peer_id == PEER_ID_UNDEF)
2088 			fprintf(stderr, "List of peers connected to: %s\n",
2089 				ovpn->ifname);
2090 
2091 		ret = ovpn_get_peer(ovpn);
2092 		break;
2093 	case CMD_NEW_KEY:
2094 		ret = ovpn_new_key(ovpn);
2095 		break;
2096 	case CMD_DEL_KEY:
2097 		ret = ovpn_del_key(ovpn);
2098 		break;
2099 	case CMD_GET_KEY:
2100 		ret = ovpn_get_key(ovpn);
2101 		break;
2102 	case CMD_SWAP_KEYS:
2103 		ret = ovpn_swap_keys(ovpn);
2104 		break;
2105 	case CMD_LISTEN_MCAST:
2106 		ret = ovpn_listen_mcast();
2107 		break;
2108 	case CMD_INVALID:
2109 		break;
2110 	}
2111 
2112 	return ret;
2113 }
2114 
ovpn_parse_cmd_args(struct ovpn_ctx * ovpn,int argc,char * argv[])2115 static int ovpn_parse_cmd_args(struct ovpn_ctx *ovpn, int argc, char *argv[])
2116 {
2117 	int ret;
2118 
2119 	/* no args required for LISTEN_MCAST */
2120 	if (ovpn->cmd == CMD_LISTEN_MCAST)
2121 		return 0;
2122 
2123 	/* all commands need an ifname */
2124 	if (argc < 3)
2125 		return -EINVAL;
2126 
2127 	strscpy(ovpn->ifname, argv[2], IFNAMSIZ - 1);
2128 	ovpn->ifname[IFNAMSIZ - 1] = '\0';
2129 
2130 	/* all commands, except NEW_IFNAME, needs an ifindex */
2131 	if (ovpn->cmd != CMD_NEW_IFACE) {
2132 		ovpn->ifindex = if_nametoindex(ovpn->ifname);
2133 		if (!ovpn->ifindex) {
2134 			fprintf(stderr, "cannot find interface: %s\n",
2135 				strerror(errno));
2136 			return -1;
2137 		}
2138 	}
2139 
2140 	switch (ovpn->cmd) {
2141 	case CMD_NEW_IFACE:
2142 		if (argc < 4)
2143 			break;
2144 
2145 		if (!strcmp(argv[3], "P2P")) {
2146 			ovpn->mode = OVPN_MODE_P2P;
2147 		} else if (!strcmp(argv[3], "MP")) {
2148 			ovpn->mode = OVPN_MODE_MP;
2149 		} else {
2150 			fprintf(stderr, "Cannot parse iface mode: %s\n",
2151 				argv[3]);
2152 			return -1;
2153 		}
2154 		ovpn->mode_set = true;
2155 		break;
2156 	case CMD_DEL_IFACE:
2157 		break;
2158 	case CMD_LISTEN:
2159 		if (argc < 5)
2160 			return -EINVAL;
2161 
2162 		ovpn->lport = strtoul(argv[3], NULL, 10);
2163 		if (errno == ERANGE || ovpn->lport > 65535) {
2164 			fprintf(stderr, "lport value out of range\n");
2165 			return -1;
2166 		}
2167 
2168 		ovpn->peers_file = argv[4];
2169 
2170 		ovpn->sa_family = AF_INET;
2171 		if (argc > 5 && !strcmp(argv[5], "ipv6"))
2172 			ovpn->sa_family = AF_INET6;
2173 		break;
2174 	case CMD_CONNECT:
2175 		if (argc < 6)
2176 			return -EINVAL;
2177 
2178 		ovpn->sa_family = AF_INET;
2179 
2180 		ret = ovpn_parse_new_peer(ovpn, argv[3], argv[4], argv[5],
2181 					  NULL);
2182 		if (ret < 0) {
2183 			fprintf(stderr, "Cannot parse remote peer data\n");
2184 			return -1;
2185 		}
2186 
2187 		if (argc > 6) {
2188 			ovpn->key_slot = OVPN_KEY_SLOT_PRIMARY;
2189 			ovpn->key_id = 0;
2190 			ovpn->cipher = OVPN_CIPHER_ALG_AES_GCM;
2191 			ovpn->key_dir = KEY_DIR_OUT;
2192 
2193 			ret = ovpn_parse_key(argv[6], ovpn);
2194 			if (ret)
2195 				return -1;
2196 		}
2197 		break;
2198 	case CMD_NEW_PEER:
2199 		if (argc < 7)
2200 			return -EINVAL;
2201 
2202 		ovpn->lport = strtoul(argv[4], NULL, 10);
2203 		if (errno == ERANGE || ovpn->lport > 65535) {
2204 			fprintf(stderr, "lport value out of range\n");
2205 			return -1;
2206 		}
2207 
2208 		const char *vpnip = (argc > 7) ? argv[7] : NULL;
2209 
2210 		ret = ovpn_parse_new_peer(ovpn, argv[3], argv[5], argv[6],
2211 					  vpnip);
2212 		if (ret < 0)
2213 			return -1;
2214 		break;
2215 	case CMD_NEW_MULTI_PEER:
2216 		if (argc < 5)
2217 			return -EINVAL;
2218 
2219 		ovpn->lport = strtoul(argv[3], NULL, 10);
2220 		if (errno == ERANGE || ovpn->lport > 65535) {
2221 			fprintf(stderr, "lport value out of range\n");
2222 			return -1;
2223 		}
2224 
2225 		ovpn->peers_file = argv[4];
2226 		break;
2227 	case CMD_SET_PEER:
2228 		if (argc < 6)
2229 			return -EINVAL;
2230 
2231 		ovpn->peer_id = strtoul(argv[3], NULL, 10);
2232 		if (errno == ERANGE || ovpn->peer_id > PEER_ID_UNDEF) {
2233 			fprintf(stderr, "peer ID value out of range\n");
2234 			return -1;
2235 		}
2236 
2237 		ovpn->keepalive_interval = strtoul(argv[4], NULL, 10);
2238 		if (errno == ERANGE) {
2239 			fprintf(stderr,
2240 				"keepalive interval value out of range\n");
2241 			return -1;
2242 		}
2243 
2244 		ovpn->keepalive_timeout = strtoul(argv[5], NULL, 10);
2245 		if (errno == ERANGE) {
2246 			fprintf(stderr,
2247 				"keepalive interval value out of range\n");
2248 			return -1;
2249 		}
2250 		break;
2251 	case CMD_DEL_PEER:
2252 		if (argc < 4)
2253 			return -EINVAL;
2254 
2255 		ovpn->peer_id = strtoul(argv[3], NULL, 10);
2256 		if (errno == ERANGE || ovpn->peer_id > PEER_ID_UNDEF) {
2257 			fprintf(stderr, "peer ID value out of range\n");
2258 			return -1;
2259 		}
2260 		break;
2261 	case CMD_GET_PEER:
2262 		ovpn->peer_id = PEER_ID_UNDEF;
2263 		if (argc > 3) {
2264 			ovpn->peer_id = strtoul(argv[3], NULL, 10);
2265 			if (errno == ERANGE || ovpn->peer_id > PEER_ID_UNDEF) {
2266 				fprintf(stderr, "peer ID value out of range\n");
2267 				return -1;
2268 			}
2269 		}
2270 		break;
2271 	case CMD_NEW_KEY:
2272 		if (argc < 9)
2273 			return -EINVAL;
2274 
2275 		ovpn->peer_id = strtoul(argv[3], NULL, 10);
2276 		if (errno == ERANGE) {
2277 			fprintf(stderr, "peer ID value out of range\n");
2278 			return -1;
2279 		}
2280 
2281 		ret = ovpn_parse_key_slot(argv[4], ovpn);
2282 		if (ret)
2283 			return -1;
2284 
2285 		ovpn->key_id = strtoul(argv[5], NULL, 10);
2286 		if (errno == ERANGE || ovpn->key_id > 2) {
2287 			fprintf(stderr, "key ID out of range\n");
2288 			return -1;
2289 		}
2290 
2291 		ret = ovpn_parse_cipher(argv[6], ovpn);
2292 		if (ret < 0)
2293 			return -1;
2294 
2295 		ret = ovpn_parse_key_direction(argv[7], ovpn);
2296 		if (ret < 0)
2297 			return -1;
2298 
2299 		ret = ovpn_parse_key(argv[8], ovpn);
2300 		if (ret)
2301 			return -1;
2302 		break;
2303 	case CMD_DEL_KEY:
2304 		if (argc < 4)
2305 			return -EINVAL;
2306 
2307 		ovpn->peer_id = strtoul(argv[3], NULL, 10);
2308 		if (errno == ERANGE) {
2309 			fprintf(stderr, "peer ID value out of range\n");
2310 			return -1;
2311 		}
2312 
2313 		ret = ovpn_parse_key_slot(argv[4], ovpn);
2314 		if (ret)
2315 			return ret;
2316 		break;
2317 	case CMD_GET_KEY:
2318 		if (argc < 5)
2319 			return -EINVAL;
2320 
2321 		ovpn->peer_id = strtoul(argv[3], NULL, 10);
2322 		if (errno == ERANGE) {
2323 			fprintf(stderr, "peer ID value out of range\n");
2324 			return -1;
2325 		}
2326 
2327 		ret = ovpn_parse_key_slot(argv[4], ovpn);
2328 		if (ret)
2329 			return ret;
2330 		break;
2331 	case CMD_SWAP_KEYS:
2332 		if (argc < 4)
2333 			return -EINVAL;
2334 
2335 		ovpn->peer_id = strtoul(argv[3], NULL, 10);
2336 		if (errno == ERANGE) {
2337 			fprintf(stderr, "peer ID value out of range\n");
2338 			return -1;
2339 		}
2340 		break;
2341 	case CMD_LISTEN_MCAST:
2342 		break;
2343 	case CMD_INVALID:
2344 		break;
2345 	}
2346 
2347 	return 0;
2348 }
2349 
main(int argc,char * argv[])2350 int main(int argc, char *argv[])
2351 {
2352 	struct ovpn_ctx ovpn;
2353 	int ret;
2354 
2355 	if (argc < 2) {
2356 		usage(argv[0]);
2357 		return -1;
2358 	}
2359 
2360 	memset(&ovpn, 0, sizeof(ovpn));
2361 	ovpn.sa_family = AF_UNSPEC;
2362 	ovpn.cipher = OVPN_CIPHER_ALG_NONE;
2363 
2364 	ovpn.cmd = ovpn_parse_cmd(argv[1]);
2365 	if (ovpn.cmd == CMD_INVALID) {
2366 		fprintf(stderr, "Error: unknown command.\n\n");
2367 		usage(argv[0]);
2368 		return -1;
2369 	}
2370 
2371 	ret = ovpn_parse_cmd_args(&ovpn, argc, argv);
2372 	if (ret < 0) {
2373 		fprintf(stderr, "Error: invalid arguments.\n\n");
2374 		if (ret == -EINVAL)
2375 			usage(argv[0]);
2376 		return ret;
2377 	}
2378 
2379 	ret = ovpn_run_cmd(&ovpn);
2380 	if (ret)
2381 		fprintf(stderr, "Cannot execute command: %s (%d)\n",
2382 			strerror(-ret), ret);
2383 
2384 	return ret;
2385 }
2386