1 // SPDX-License-Identifier: GPL-2.0
2 /* OpenVPN data channel offload
3 *
4 * Copyright (C) 2020-2025 OpenVPN, Inc.
5 *
6 * Author: Antonio Quartulli <antonio@openvpn.net>
7 */
8
9 #include <linux/netdevice.h>
10 #include <linux/types.h>
11 #include <net/genetlink.h>
12
13 #include <uapi/linux/ovpn.h>
14
15 #include "ovpnpriv.h"
16 #include "main.h"
17 #include "netlink.h"
18 #include "netlink-gen.h"
19 #include "bind.h"
20 #include "crypto.h"
21 #include "peer.h"
22 #include "socket.h"
23
24 MODULE_ALIAS_GENL_FAMILY(OVPN_FAMILY_NAME);
25
26 /**
27 * ovpn_get_dev_from_attrs - retrieve the ovpn private data from the netdevice
28 * a netlink message is targeting
29 * @net: network namespace where to look for the interface
30 * @info: generic netlink info from the user request
31 * @tracker: tracker object to be used for the netdev reference acquisition
32 *
33 * Return: the ovpn private data, if found, or an error otherwise
34 */
35 static struct ovpn_priv *
ovpn_get_dev_from_attrs(struct net * net,const struct genl_info * info,netdevice_tracker * tracker)36 ovpn_get_dev_from_attrs(struct net *net, const struct genl_info *info,
37 netdevice_tracker *tracker)
38 {
39 struct ovpn_priv *ovpn;
40 struct net_device *dev;
41 int ifindex;
42
43 if (GENL_REQ_ATTR_CHECK(info, OVPN_A_IFINDEX))
44 return ERR_PTR(-EINVAL);
45
46 ifindex = nla_get_u32(info->attrs[OVPN_A_IFINDEX]);
47
48 rcu_read_lock();
49 dev = dev_get_by_index_rcu(net, ifindex);
50 if (!dev) {
51 rcu_read_unlock();
52 NL_SET_ERR_MSG_MOD(info->extack,
53 "ifindex does not match any interface");
54 return ERR_PTR(-ENODEV);
55 }
56
57 if (!ovpn_dev_is_valid(dev)) {
58 rcu_read_unlock();
59 NL_SET_ERR_MSG_MOD(info->extack,
60 "specified interface is not ovpn");
61 NL_SET_BAD_ATTR(info->extack, info->attrs[OVPN_A_IFINDEX]);
62 return ERR_PTR(-EINVAL);
63 }
64
65 ovpn = netdev_priv(dev);
66 netdev_hold(dev, tracker, GFP_ATOMIC);
67 rcu_read_unlock();
68
69 return ovpn;
70 }
71
ovpn_nl_pre_doit(const struct genl_split_ops * ops,struct sk_buff * skb,struct genl_info * info)72 int ovpn_nl_pre_doit(const struct genl_split_ops *ops, struct sk_buff *skb,
73 struct genl_info *info)
74 {
75 netdevice_tracker *tracker = (netdevice_tracker *)&info->user_ptr[1];
76 struct ovpn_priv *ovpn = ovpn_get_dev_from_attrs(genl_info_net(info),
77 info, tracker);
78
79 if (IS_ERR(ovpn))
80 return PTR_ERR(ovpn);
81
82 info->user_ptr[0] = ovpn;
83
84 return 0;
85 }
86
ovpn_nl_post_doit(const struct genl_split_ops * ops,struct sk_buff * skb,struct genl_info * info)87 void ovpn_nl_post_doit(const struct genl_split_ops *ops, struct sk_buff *skb,
88 struct genl_info *info)
89 {
90 netdevice_tracker *tracker = (netdevice_tracker *)&info->user_ptr[1];
91 struct ovpn_priv *ovpn = info->user_ptr[0];
92
93 if (ovpn)
94 netdev_put(ovpn->dev, tracker);
95 }
96
ovpn_nl_attr_sockaddr_remote(struct nlattr ** attrs,struct sockaddr_storage * ss)97 static bool ovpn_nl_attr_sockaddr_remote(struct nlattr **attrs,
98 struct sockaddr_storage *ss)
99 {
100 struct sockaddr_in6 *sin6;
101 struct sockaddr_in *sin;
102 struct in6_addr *in6;
103 __be16 port = 0;
104 __be32 *in;
105
106 ss->ss_family = AF_UNSPEC;
107
108 if (attrs[OVPN_A_PEER_REMOTE_PORT])
109 port = nla_get_be16(attrs[OVPN_A_PEER_REMOTE_PORT]);
110
111 if (attrs[OVPN_A_PEER_REMOTE_IPV4]) {
112 ss->ss_family = AF_INET;
113 in = nla_data(attrs[OVPN_A_PEER_REMOTE_IPV4]);
114 } else if (attrs[OVPN_A_PEER_REMOTE_IPV6]) {
115 ss->ss_family = AF_INET6;
116 in6 = nla_data(attrs[OVPN_A_PEER_REMOTE_IPV6]);
117 } else {
118 return false;
119 }
120
121 switch (ss->ss_family) {
122 case AF_INET6:
123 /* If this is a regular IPv6 just break and move on,
124 * otherwise switch to AF_INET and extract the IPv4 accordingly
125 */
126 if (!ipv6_addr_v4mapped(in6)) {
127 sin6 = (struct sockaddr_in6 *)ss;
128 sin6->sin6_port = port;
129 memcpy(&sin6->sin6_addr, in6, sizeof(*in6));
130 break;
131 }
132
133 /* v4-mapped-v6 address */
134 ss->ss_family = AF_INET;
135 in = &in6->s6_addr32[3];
136 fallthrough;
137 case AF_INET:
138 sin = (struct sockaddr_in *)ss;
139 sin->sin_port = port;
140 sin->sin_addr.s_addr = *in;
141 break;
142 }
143
144 return true;
145 }
146
ovpn_nl_attr_local_ip(struct nlattr ** attrs)147 static u8 *ovpn_nl_attr_local_ip(struct nlattr **attrs)
148 {
149 u8 *addr6;
150
151 if (!attrs[OVPN_A_PEER_LOCAL_IPV4] && !attrs[OVPN_A_PEER_LOCAL_IPV6])
152 return NULL;
153
154 if (attrs[OVPN_A_PEER_LOCAL_IPV4])
155 return nla_data(attrs[OVPN_A_PEER_LOCAL_IPV4]);
156
157 addr6 = nla_data(attrs[OVPN_A_PEER_LOCAL_IPV6]);
158 /* this is an IPv4-mapped IPv6 address, therefore extract the actual
159 * v4 address from the last 4 bytes
160 */
161 if (ipv6_addr_v4mapped((struct in6_addr *)addr6))
162 return addr6 + 12;
163
164 return addr6;
165 }
166
ovpn_nl_family_get(struct nlattr * addr4,struct nlattr * addr6)167 static sa_family_t ovpn_nl_family_get(struct nlattr *addr4,
168 struct nlattr *addr6)
169 {
170 if (addr4)
171 return AF_INET;
172
173 if (addr6) {
174 if (ipv6_addr_v4mapped((struct in6_addr *)nla_data(addr6)))
175 return AF_INET;
176 return AF_INET6;
177 }
178
179 return AF_UNSPEC;
180 }
181
ovpn_nl_peer_precheck(struct ovpn_priv * ovpn,struct genl_info * info,struct nlattr ** attrs)182 static int ovpn_nl_peer_precheck(struct ovpn_priv *ovpn,
183 struct genl_info *info,
184 struct nlattr **attrs)
185 {
186 sa_family_t local_fam, remote_fam;
187
188 if (NL_REQ_ATTR_CHECK(info->extack, info->attrs[OVPN_A_PEER], attrs,
189 OVPN_A_PEER_ID))
190 return -EINVAL;
191
192 if (attrs[OVPN_A_PEER_REMOTE_IPV4] && attrs[OVPN_A_PEER_REMOTE_IPV6]) {
193 NL_SET_ERR_MSG_MOD(info->extack,
194 "cannot specify both remote IPv4 or IPv6 address");
195 return -EINVAL;
196 }
197
198 if (!attrs[OVPN_A_PEER_REMOTE_IPV4] &&
199 !attrs[OVPN_A_PEER_REMOTE_IPV6] && attrs[OVPN_A_PEER_REMOTE_PORT]) {
200 NL_SET_ERR_MSG_MOD(info->extack,
201 "cannot specify remote port without IP address");
202 return -EINVAL;
203 }
204
205 if ((attrs[OVPN_A_PEER_REMOTE_IPV4] ||
206 attrs[OVPN_A_PEER_REMOTE_IPV6]) &&
207 !attrs[OVPN_A_PEER_REMOTE_PORT]) {
208 NL_SET_ERR_MSG_MOD(info->extack,
209 "cannot specify remote IP address without port");
210 return -EINVAL;
211 }
212
213 if (!attrs[OVPN_A_PEER_REMOTE_IPV4] &&
214 attrs[OVPN_A_PEER_LOCAL_IPV4]) {
215 NL_SET_ERR_MSG_MOD(info->extack,
216 "cannot specify local IPv4 address without remote");
217 return -EINVAL;
218 }
219
220 if (!attrs[OVPN_A_PEER_REMOTE_IPV6] &&
221 attrs[OVPN_A_PEER_LOCAL_IPV6]) {
222 NL_SET_ERR_MSG_MOD(info->extack,
223 "cannot specify local IPV6 address without remote");
224 return -EINVAL;
225 }
226
227 /* check that local and remote address families are the same even
228 * after parsing v4mapped IPv6 addresses.
229 * (if addresses are not provided, family will be AF_UNSPEC and
230 * the check is skipped)
231 */
232 local_fam = ovpn_nl_family_get(attrs[OVPN_A_PEER_LOCAL_IPV4],
233 attrs[OVPN_A_PEER_LOCAL_IPV6]);
234 remote_fam = ovpn_nl_family_get(attrs[OVPN_A_PEER_REMOTE_IPV4],
235 attrs[OVPN_A_PEER_REMOTE_IPV6]);
236 if (local_fam != AF_UNSPEC && remote_fam != AF_UNSPEC &&
237 local_fam != remote_fam) {
238 NL_SET_ERR_MSG_MOD(info->extack,
239 "mismatching local and remote address families");
240 return -EINVAL;
241 }
242
243 if (remote_fam != AF_INET6 && attrs[OVPN_A_PEER_REMOTE_IPV6_SCOPE_ID]) {
244 NL_SET_ERR_MSG_MOD(info->extack,
245 "cannot specify scope id without remote IPv6 address");
246 return -EINVAL;
247 }
248
249 /* VPN IPs are needed only in MP mode for selecting the right peer */
250 if (ovpn->mode == OVPN_MODE_P2P && (attrs[OVPN_A_PEER_VPN_IPV4] ||
251 attrs[OVPN_A_PEER_VPN_IPV6])) {
252 NL_SET_ERR_MSG_FMT_MOD(info->extack,
253 "unexpected VPN IP in P2P mode");
254 return -EINVAL;
255 }
256
257 if ((attrs[OVPN_A_PEER_KEEPALIVE_INTERVAL] &&
258 !attrs[OVPN_A_PEER_KEEPALIVE_TIMEOUT]) ||
259 (!attrs[OVPN_A_PEER_KEEPALIVE_INTERVAL] &&
260 attrs[OVPN_A_PEER_KEEPALIVE_TIMEOUT])) {
261 NL_SET_ERR_MSG_FMT_MOD(info->extack,
262 "keepalive interval and timeout are required together");
263 return -EINVAL;
264 }
265
266 return 0;
267 }
268
269 /**
270 * ovpn_nl_peer_modify - modify the peer attributes according to the incoming msg
271 * @peer: the peer to modify
272 * @info: generic netlink info from the user request
273 * @attrs: the attributes from the user request
274 *
275 * Return: a negative error code in case of failure, 0 on success or 1 on
276 * success and the VPN IPs have been modified (requires rehashing in MP
277 * mode)
278 */
ovpn_nl_peer_modify(struct ovpn_peer * peer,struct genl_info * info,struct nlattr ** attrs)279 static int ovpn_nl_peer_modify(struct ovpn_peer *peer, struct genl_info *info,
280 struct nlattr **attrs)
281 {
282 struct sockaddr_storage ss = {};
283 void *local_ip = NULL;
284 u32 interv, timeout;
285 bool rehash = false;
286 int ret;
287
288 spin_lock_bh(&peer->lock);
289
290 if (ovpn_nl_attr_sockaddr_remote(attrs, &ss)) {
291 /* we carry the local IP in a generic container.
292 * ovpn_peer_reset_sockaddr() will properly interpret it
293 * based on ss.ss_family
294 */
295 local_ip = ovpn_nl_attr_local_ip(attrs);
296
297 /* set peer sockaddr */
298 ret = ovpn_peer_reset_sockaddr(peer, &ss, local_ip);
299 if (ret < 0) {
300 NL_SET_ERR_MSG_FMT_MOD(info->extack,
301 "cannot set peer sockaddr: %d",
302 ret);
303 goto err_unlock;
304 }
305 dst_cache_reset(&peer->dst_cache);
306 }
307
308 if (attrs[OVPN_A_PEER_VPN_IPV4]) {
309 rehash = true;
310 peer->vpn_addrs.ipv4.s_addr =
311 nla_get_in_addr(attrs[OVPN_A_PEER_VPN_IPV4]);
312 }
313
314 if (attrs[OVPN_A_PEER_VPN_IPV6]) {
315 rehash = true;
316 peer->vpn_addrs.ipv6 =
317 nla_get_in6_addr(attrs[OVPN_A_PEER_VPN_IPV6]);
318 }
319
320 /* when setting the keepalive, both parameters have to be configured */
321 if (attrs[OVPN_A_PEER_KEEPALIVE_INTERVAL] &&
322 attrs[OVPN_A_PEER_KEEPALIVE_TIMEOUT]) {
323 interv = nla_get_u32(attrs[OVPN_A_PEER_KEEPALIVE_INTERVAL]);
324 timeout = nla_get_u32(attrs[OVPN_A_PEER_KEEPALIVE_TIMEOUT]);
325 ovpn_peer_keepalive_set(peer, interv, timeout);
326 }
327
328 netdev_dbg(peer->ovpn->dev,
329 "modify peer id=%u endpoint=%pIScp VPN-IPv4=%pI4 VPN-IPv6=%pI6c\n",
330 peer->id, &ss,
331 &peer->vpn_addrs.ipv4.s_addr, &peer->vpn_addrs.ipv6);
332
333 spin_unlock_bh(&peer->lock);
334
335 return rehash ? 1 : 0;
336 err_unlock:
337 spin_unlock_bh(&peer->lock);
338 return ret;
339 }
340
ovpn_nl_peer_new_doit(struct sk_buff * skb,struct genl_info * info)341 int ovpn_nl_peer_new_doit(struct sk_buff *skb, struct genl_info *info)
342 {
343 struct nlattr *attrs[OVPN_A_PEER_MAX + 1];
344 struct ovpn_priv *ovpn = info->user_ptr[0];
345 struct ovpn_socket *ovpn_sock;
346 struct socket *sock = NULL;
347 struct ovpn_peer *peer;
348 u32 sockfd, peer_id;
349 int ret;
350
351 if (GENL_REQ_ATTR_CHECK(info, OVPN_A_PEER))
352 return -EINVAL;
353
354 ret = nla_parse_nested(attrs, OVPN_A_PEER_MAX, info->attrs[OVPN_A_PEER],
355 ovpn_peer_new_input_nl_policy, info->extack);
356 if (ret)
357 return ret;
358
359 ret = ovpn_nl_peer_precheck(ovpn, info, attrs);
360 if (ret < 0)
361 return ret;
362
363 if (NL_REQ_ATTR_CHECK(info->extack, info->attrs[OVPN_A_PEER], attrs,
364 OVPN_A_PEER_SOCKET))
365 return -EINVAL;
366
367 /* in MP mode VPN IPs are required for selecting the right peer */
368 if (ovpn->mode == OVPN_MODE_MP && !attrs[OVPN_A_PEER_VPN_IPV4] &&
369 !attrs[OVPN_A_PEER_VPN_IPV6]) {
370 NL_SET_ERR_MSG_FMT_MOD(info->extack,
371 "VPN IP must be provided in MP mode");
372 return -EINVAL;
373 }
374
375 peer_id = nla_get_u32(attrs[OVPN_A_PEER_ID]);
376 peer = ovpn_peer_new(ovpn, peer_id);
377 if (IS_ERR(peer)) {
378 NL_SET_ERR_MSG_FMT_MOD(info->extack,
379 "cannot create new peer object for peer %u: %ld",
380 peer_id, PTR_ERR(peer));
381 return PTR_ERR(peer);
382 }
383
384 /* lookup the fd in the kernel table and extract the socket object */
385 sockfd = nla_get_u32(attrs[OVPN_A_PEER_SOCKET]);
386 /* sockfd_lookup() increases sock's refcounter */
387 sock = sockfd_lookup(sockfd, &ret);
388 if (!sock) {
389 NL_SET_ERR_MSG_FMT_MOD(info->extack,
390 "cannot lookup peer socket (fd=%u): %d",
391 sockfd, ret);
392 ret = -ENOTSOCK;
393 goto peer_release;
394 }
395
396 /* Only when using UDP as transport protocol the remote endpoint
397 * can be configured so that ovpn knows where to send packets to.
398 */
399 if (sock->sk->sk_protocol == IPPROTO_UDP &&
400 !attrs[OVPN_A_PEER_REMOTE_IPV4] &&
401 !attrs[OVPN_A_PEER_REMOTE_IPV6]) {
402 NL_SET_ERR_MSG_FMT_MOD(info->extack,
403 "missing remote IP address for UDP socket");
404 sockfd_put(sock);
405 ret = -EINVAL;
406 goto peer_release;
407 }
408
409 /* In case of TCP, the socket is connected to the peer and ovpn
410 * will just send bytes over it, without the need to specify a
411 * destination.
412 */
413 if (sock->sk->sk_protocol == IPPROTO_TCP &&
414 (attrs[OVPN_A_PEER_REMOTE_IPV4] ||
415 attrs[OVPN_A_PEER_REMOTE_IPV6])) {
416 NL_SET_ERR_MSG_FMT_MOD(info->extack,
417 "unexpected remote IP address with TCP socket");
418 sockfd_put(sock);
419 ret = -EINVAL;
420 goto peer_release;
421 }
422
423 ovpn_sock = ovpn_socket_new(sock, peer);
424 /* at this point we unconditionally drop the reference to the socket:
425 * - in case of error, the socket has to be dropped
426 * - if case of success, the socket is configured and let
427 * userspace own the reference, so that the latter can
428 * trigger the final close()
429 */
430 sockfd_put(sock);
431 if (IS_ERR(ovpn_sock)) {
432 NL_SET_ERR_MSG_FMT_MOD(info->extack,
433 "cannot encapsulate socket: %ld",
434 PTR_ERR(ovpn_sock));
435 ret = -ENOTSOCK;
436 goto peer_release;
437 }
438
439 rcu_assign_pointer(peer->sock, ovpn_sock);
440
441 ret = ovpn_nl_peer_modify(peer, info, attrs);
442 if (ret < 0)
443 goto sock_release;
444
445 ret = ovpn_peer_add(ovpn, peer);
446 if (ret < 0) {
447 NL_SET_ERR_MSG_FMT_MOD(info->extack,
448 "cannot add new peer (id=%u) to hashtable: %d",
449 peer->id, ret);
450 goto sock_release;
451 }
452
453 return 0;
454
455 sock_release:
456 ovpn_socket_release(peer);
457 peer_release:
458 /* release right away because peer was not yet hashed, thus it is not
459 * used in any context
460 */
461 ovpn_peer_release(peer);
462
463 return ret;
464 }
465
ovpn_nl_peer_set_doit(struct sk_buff * skb,struct genl_info * info)466 int ovpn_nl_peer_set_doit(struct sk_buff *skb, struct genl_info *info)
467 {
468 struct nlattr *attrs[OVPN_A_PEER_MAX + 1];
469 struct ovpn_priv *ovpn = info->user_ptr[0];
470 struct ovpn_socket *sock;
471 struct ovpn_peer *peer;
472 u32 peer_id;
473 int ret;
474
475 if (GENL_REQ_ATTR_CHECK(info, OVPN_A_PEER))
476 return -EINVAL;
477
478 ret = nla_parse_nested(attrs, OVPN_A_PEER_MAX, info->attrs[OVPN_A_PEER],
479 ovpn_peer_set_input_nl_policy, info->extack);
480 if (ret)
481 return ret;
482
483 ret = ovpn_nl_peer_precheck(ovpn, info, attrs);
484 if (ret < 0)
485 return ret;
486
487 if (attrs[OVPN_A_PEER_SOCKET]) {
488 NL_SET_ERR_MSG_FMT_MOD(info->extack,
489 "socket cannot be modified");
490 return -EINVAL;
491 }
492
493 peer_id = nla_get_u32(attrs[OVPN_A_PEER_ID]);
494 peer = ovpn_peer_get_by_id(ovpn, peer_id);
495 if (!peer) {
496 NL_SET_ERR_MSG_FMT_MOD(info->extack,
497 "cannot find peer with id %u", peer_id);
498 return -ENOENT;
499 }
500
501 /* when using a TCP socket the remote IP is not expected */
502 rcu_read_lock();
503 sock = rcu_dereference(peer->sock);
504 if (sock && sock->sk->sk_protocol == IPPROTO_TCP &&
505 (attrs[OVPN_A_PEER_REMOTE_IPV4] ||
506 attrs[OVPN_A_PEER_REMOTE_IPV6])) {
507 rcu_read_unlock();
508 NL_SET_ERR_MSG_FMT_MOD(info->extack,
509 "unexpected remote IP address with TCP socket");
510 ovpn_peer_put(peer);
511 return -EINVAL;
512 }
513 rcu_read_unlock();
514
515 spin_lock_bh(&ovpn->lock);
516 ret = ovpn_nl_peer_modify(peer, info, attrs);
517 if (ret < 0) {
518 spin_unlock_bh(&ovpn->lock);
519 ovpn_peer_put(peer);
520 return ret;
521 }
522
523 /* ret == 1 means that VPN IPv4/6 has been modified and rehashing
524 * is required
525 */
526 if (ret > 0)
527 ovpn_peer_hash_vpn_ip(peer);
528 spin_unlock_bh(&ovpn->lock);
529 ovpn_peer_put(peer);
530
531 return 0;
532 }
533
ovpn_nl_send_peer(struct sk_buff * skb,const struct genl_info * info,const struct ovpn_peer * peer,u32 portid,u32 seq,int flags)534 static int ovpn_nl_send_peer(struct sk_buff *skb, const struct genl_info *info,
535 const struct ovpn_peer *peer, u32 portid, u32 seq,
536 int flags)
537 {
538 const struct ovpn_bind *bind;
539 struct ovpn_socket *sock;
540 int ret = -EMSGSIZE;
541 struct nlattr *attr;
542 __be16 local_port;
543 void *hdr;
544 int id;
545
546 hdr = genlmsg_put(skb, portid, seq, &ovpn_nl_family, flags,
547 OVPN_CMD_PEER_GET);
548 if (!hdr)
549 return -ENOBUFS;
550
551 attr = nla_nest_start(skb, OVPN_A_PEER);
552 if (!attr)
553 goto err;
554
555 rcu_read_lock();
556 sock = rcu_dereference(peer->sock);
557 if (!sock) {
558 ret = -EINVAL;
559 goto err_unlock;
560 }
561
562 if (!net_eq(genl_info_net(info), sock_net(sock->sk))) {
563 id = peernet2id_alloc(genl_info_net(info),
564 sock_net(sock->sk),
565 GFP_ATOMIC);
566 if (nla_put_s32(skb, OVPN_A_PEER_SOCKET_NETNSID, id))
567 goto err_unlock;
568 }
569 local_port = inet_sk(sock->sk)->inet_sport;
570 rcu_read_unlock();
571
572 if (nla_put_u32(skb, OVPN_A_PEER_ID, peer->id))
573 goto err;
574
575 if (peer->vpn_addrs.ipv4.s_addr != htonl(INADDR_ANY))
576 if (nla_put_in_addr(skb, OVPN_A_PEER_VPN_IPV4,
577 peer->vpn_addrs.ipv4.s_addr))
578 goto err;
579
580 if (!ipv6_addr_equal(&peer->vpn_addrs.ipv6, &in6addr_any))
581 if (nla_put_in6_addr(skb, OVPN_A_PEER_VPN_IPV6,
582 &peer->vpn_addrs.ipv6))
583 goto err;
584
585 if (nla_put_u32(skb, OVPN_A_PEER_KEEPALIVE_INTERVAL,
586 peer->keepalive_interval) ||
587 nla_put_u32(skb, OVPN_A_PEER_KEEPALIVE_TIMEOUT,
588 peer->keepalive_timeout))
589 goto err;
590
591 rcu_read_lock();
592 bind = rcu_dereference(peer->bind);
593 if (bind) {
594 if (bind->remote.in4.sin_family == AF_INET) {
595 if (nla_put_in_addr(skb, OVPN_A_PEER_REMOTE_IPV4,
596 bind->remote.in4.sin_addr.s_addr) ||
597 nla_put_net16(skb, OVPN_A_PEER_REMOTE_PORT,
598 bind->remote.in4.sin_port) ||
599 nla_put_in_addr(skb, OVPN_A_PEER_LOCAL_IPV4,
600 bind->local.ipv4.s_addr))
601 goto err_unlock;
602 } else if (bind->remote.in4.sin_family == AF_INET6) {
603 if (nla_put_in6_addr(skb, OVPN_A_PEER_REMOTE_IPV6,
604 &bind->remote.in6.sin6_addr) ||
605 nla_put_u32(skb, OVPN_A_PEER_REMOTE_IPV6_SCOPE_ID,
606 bind->remote.in6.sin6_scope_id) ||
607 nla_put_net16(skb, OVPN_A_PEER_REMOTE_PORT,
608 bind->remote.in6.sin6_port) ||
609 nla_put_in6_addr(skb, OVPN_A_PEER_LOCAL_IPV6,
610 &bind->local.ipv6))
611 goto err_unlock;
612 }
613 }
614 rcu_read_unlock();
615
616 if (nla_put_net16(skb, OVPN_A_PEER_LOCAL_PORT, local_port) ||
617 /* VPN RX stats */
618 nla_put_uint(skb, OVPN_A_PEER_VPN_RX_BYTES,
619 atomic64_read(&peer->vpn_stats.rx.bytes)) ||
620 nla_put_uint(skb, OVPN_A_PEER_VPN_RX_PACKETS,
621 atomic64_read(&peer->vpn_stats.rx.packets)) ||
622 /* VPN TX stats */
623 nla_put_uint(skb, OVPN_A_PEER_VPN_TX_BYTES,
624 atomic64_read(&peer->vpn_stats.tx.bytes)) ||
625 nla_put_uint(skb, OVPN_A_PEER_VPN_TX_PACKETS,
626 atomic64_read(&peer->vpn_stats.tx.packets)) ||
627 /* link RX stats */
628 nla_put_uint(skb, OVPN_A_PEER_LINK_RX_BYTES,
629 atomic64_read(&peer->link_stats.rx.bytes)) ||
630 nla_put_uint(skb, OVPN_A_PEER_LINK_RX_PACKETS,
631 atomic64_read(&peer->link_stats.rx.packets)) ||
632 /* link TX stats */
633 nla_put_uint(skb, OVPN_A_PEER_LINK_TX_BYTES,
634 atomic64_read(&peer->link_stats.tx.bytes)) ||
635 nla_put_uint(skb, OVPN_A_PEER_LINK_TX_PACKETS,
636 atomic64_read(&peer->link_stats.tx.packets)))
637 goto err;
638
639 nla_nest_end(skb, attr);
640 genlmsg_end(skb, hdr);
641
642 return 0;
643 err_unlock:
644 rcu_read_unlock();
645 err:
646 genlmsg_cancel(skb, hdr);
647 return ret;
648 }
649
ovpn_nl_peer_get_doit(struct sk_buff * skb,struct genl_info * info)650 int ovpn_nl_peer_get_doit(struct sk_buff *skb, struct genl_info *info)
651 {
652 struct nlattr *attrs[OVPN_A_PEER_MAX + 1];
653 struct ovpn_priv *ovpn = info->user_ptr[0];
654 struct ovpn_peer *peer;
655 struct sk_buff *msg;
656 u32 peer_id;
657 int ret, i;
658
659 if (GENL_REQ_ATTR_CHECK(info, OVPN_A_PEER))
660 return -EINVAL;
661
662 ret = nla_parse_nested(attrs, OVPN_A_PEER_MAX, info->attrs[OVPN_A_PEER],
663 ovpn_peer_nl_policy, info->extack);
664 if (ret)
665 return ret;
666
667 if (NL_REQ_ATTR_CHECK(info->extack, info->attrs[OVPN_A_PEER], attrs,
668 OVPN_A_PEER_ID))
669 return -EINVAL;
670
671 /* OVPN_CMD_PEER_GET expects only the PEER_ID, therefore
672 * ensure that the user hasn't specified any other attribute.
673 *
674 * Unfortunately this check cannot be performed via netlink
675 * spec/policy and must be open-coded.
676 */
677 for (i = 0; i < OVPN_A_PEER_MAX + 1; i++) {
678 if (i == OVPN_A_PEER_ID)
679 continue;
680
681 if (attrs[i]) {
682 NL_SET_ERR_MSG_FMT_MOD(info->extack,
683 "unexpected attribute %u", i);
684 return -EINVAL;
685 }
686 }
687
688 peer_id = nla_get_u32(attrs[OVPN_A_PEER_ID]);
689 peer = ovpn_peer_get_by_id(ovpn, peer_id);
690 if (!peer) {
691 NL_SET_ERR_MSG_FMT_MOD(info->extack,
692 "cannot find peer with id %u", peer_id);
693 return -ENOENT;
694 }
695
696 msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
697 if (!msg) {
698 ret = -ENOMEM;
699 goto err;
700 }
701
702 ret = ovpn_nl_send_peer(msg, info, peer, info->snd_portid,
703 info->snd_seq, 0);
704 if (ret < 0) {
705 nlmsg_free(msg);
706 goto err;
707 }
708
709 ret = genlmsg_reply(msg, info);
710 err:
711 ovpn_peer_put(peer);
712 return ret;
713 }
714
ovpn_nl_peer_get_dumpit(struct sk_buff * skb,struct netlink_callback * cb)715 int ovpn_nl_peer_get_dumpit(struct sk_buff *skb, struct netlink_callback *cb)
716 {
717 const struct genl_info *info = genl_info_dump(cb);
718 int bkt, last_idx = cb->args[1], dumped = 0;
719 netdevice_tracker tracker;
720 struct ovpn_priv *ovpn;
721 struct ovpn_peer *peer;
722
723 ovpn = ovpn_get_dev_from_attrs(sock_net(cb->skb->sk), info, &tracker);
724 if (IS_ERR(ovpn))
725 return PTR_ERR(ovpn);
726
727 if (ovpn->mode == OVPN_MODE_P2P) {
728 /* if we already dumped a peer it means we are done */
729 if (last_idx)
730 goto out;
731
732 rcu_read_lock();
733 peer = rcu_dereference(ovpn->peer);
734 if (peer) {
735 if (ovpn_nl_send_peer(skb, info, peer,
736 NETLINK_CB(cb->skb).portid,
737 cb->nlh->nlmsg_seq,
738 NLM_F_MULTI) == 0)
739 dumped++;
740 }
741 rcu_read_unlock();
742 } else {
743 rcu_read_lock();
744 hash_for_each_rcu(ovpn->peers->by_id, bkt, peer,
745 hash_entry_id) {
746 /* skip already dumped peers that were dumped by
747 * previous invocations
748 */
749 if (last_idx > 0) {
750 last_idx--;
751 continue;
752 }
753
754 if (ovpn_nl_send_peer(skb, info, peer,
755 NETLINK_CB(cb->skb).portid,
756 cb->nlh->nlmsg_seq,
757 NLM_F_MULTI) < 0)
758 break;
759
760 /* count peers being dumped during this invocation */
761 dumped++;
762 }
763 rcu_read_unlock();
764 }
765
766 out:
767 netdev_put(ovpn->dev, &tracker);
768
769 /* sum up peers dumped in this message, so that at the next invocation
770 * we can continue from where we left
771 */
772 cb->args[1] += dumped;
773 return skb->len;
774 }
775
ovpn_nl_peer_del_doit(struct sk_buff * skb,struct genl_info * info)776 int ovpn_nl_peer_del_doit(struct sk_buff *skb, struct genl_info *info)
777 {
778 struct nlattr *attrs[OVPN_A_PEER_MAX + 1];
779 struct ovpn_priv *ovpn = info->user_ptr[0];
780 struct ovpn_peer *peer;
781 u32 peer_id;
782 int ret;
783
784 if (GENL_REQ_ATTR_CHECK(info, OVPN_A_PEER))
785 return -EINVAL;
786
787 ret = nla_parse_nested(attrs, OVPN_A_PEER_MAX, info->attrs[OVPN_A_PEER],
788 ovpn_peer_del_input_nl_policy, info->extack);
789 if (ret)
790 return ret;
791
792 if (NL_REQ_ATTR_CHECK(info->extack, info->attrs[OVPN_A_PEER], attrs,
793 OVPN_A_PEER_ID))
794 return -EINVAL;
795
796 peer_id = nla_get_u32(attrs[OVPN_A_PEER_ID]);
797 peer = ovpn_peer_get_by_id(ovpn, peer_id);
798 if (!peer) {
799 NL_SET_ERR_MSG_FMT_MOD(info->extack,
800 "cannot find peer with id %u", peer_id);
801 return -ENOENT;
802 }
803
804 netdev_dbg(ovpn->dev, "del peer %u\n", peer->id);
805 ret = ovpn_peer_del(peer, OVPN_DEL_PEER_REASON_USERSPACE);
806 ovpn_peer_put(peer);
807
808 return ret;
809 }
810
ovpn_nl_get_key_dir(struct genl_info * info,struct nlattr * key,enum ovpn_cipher_alg cipher,struct ovpn_key_direction * dir)811 static int ovpn_nl_get_key_dir(struct genl_info *info, struct nlattr *key,
812 enum ovpn_cipher_alg cipher,
813 struct ovpn_key_direction *dir)
814 {
815 struct nlattr *attrs[OVPN_A_KEYDIR_MAX + 1];
816 int ret;
817
818 ret = nla_parse_nested(attrs, OVPN_A_KEYDIR_MAX, key,
819 ovpn_keydir_nl_policy, info->extack);
820 if (ret)
821 return ret;
822
823 switch (cipher) {
824 case OVPN_CIPHER_ALG_AES_GCM:
825 case OVPN_CIPHER_ALG_CHACHA20_POLY1305:
826 if (NL_REQ_ATTR_CHECK(info->extack, key, attrs,
827 OVPN_A_KEYDIR_CIPHER_KEY) ||
828 NL_REQ_ATTR_CHECK(info->extack, key, attrs,
829 OVPN_A_KEYDIR_NONCE_TAIL))
830 return -EINVAL;
831
832 dir->cipher_key = nla_data(attrs[OVPN_A_KEYDIR_CIPHER_KEY]);
833 dir->cipher_key_size = nla_len(attrs[OVPN_A_KEYDIR_CIPHER_KEY]);
834
835 /* These algorithms require a 96bit nonce,
836 * Construct it by combining 4-bytes packet id and
837 * 8-bytes nonce-tail from userspace
838 */
839 dir->nonce_tail = nla_data(attrs[OVPN_A_KEYDIR_NONCE_TAIL]);
840 dir->nonce_tail_size = nla_len(attrs[OVPN_A_KEYDIR_NONCE_TAIL]);
841 break;
842 default:
843 NL_SET_ERR_MSG_MOD(info->extack, "unsupported cipher");
844 return -EINVAL;
845 }
846
847 return 0;
848 }
849
850 /**
851 * ovpn_nl_key_new_doit - configure a new key for the specified peer
852 * @skb: incoming netlink message
853 * @info: genetlink metadata
854 *
855 * This function allows the user to install a new key in the peer crypto
856 * state.
857 * Each peer has two 'slots', namely 'primary' and 'secondary', where
858 * keys can be installed. The key in the 'primary' slot is used for
859 * encryption, while both keys can be used for decryption by matching the
860 * key ID carried in the incoming packet.
861 *
862 * The user is responsible for rotating keys when necessary. The user
863 * may fetch peer traffic statistics via netlink in order to better
864 * identify the right time to rotate keys.
865 * The renegotiation follows these steps:
866 * 1. a new key is computed by the user and is installed in the 'secondary'
867 * slot
868 * 2. at user discretion (usually after a predetermined time) 'primary' and
869 * 'secondary' contents are swapped and the new key starts being used for
870 * encryption, while the old key is kept around for decryption of late
871 * packets.
872 *
873 * Return: 0 on success or a negative error code otherwise.
874 */
ovpn_nl_key_new_doit(struct sk_buff * skb,struct genl_info * info)875 int ovpn_nl_key_new_doit(struct sk_buff *skb, struct genl_info *info)
876 {
877 struct nlattr *attrs[OVPN_A_KEYCONF_MAX + 1];
878 struct ovpn_priv *ovpn = info->user_ptr[0];
879 struct ovpn_peer_key_reset pkr;
880 struct ovpn_peer *peer;
881 u32 peer_id;
882 int ret;
883
884 if (GENL_REQ_ATTR_CHECK(info, OVPN_A_KEYCONF))
885 return -EINVAL;
886
887 ret = nla_parse_nested(attrs, OVPN_A_KEYCONF_MAX,
888 info->attrs[OVPN_A_KEYCONF],
889 ovpn_keyconf_nl_policy, info->extack);
890 if (ret)
891 return ret;
892
893 if (NL_REQ_ATTR_CHECK(info->extack, info->attrs[OVPN_A_KEYCONF], attrs,
894 OVPN_A_KEYCONF_PEER_ID))
895 return -EINVAL;
896
897 if (NL_REQ_ATTR_CHECK(info->extack, info->attrs[OVPN_A_KEYCONF], attrs,
898 OVPN_A_KEYCONF_SLOT) ||
899 NL_REQ_ATTR_CHECK(info->extack, info->attrs[OVPN_A_KEYCONF], attrs,
900 OVPN_A_KEYCONF_KEY_ID) ||
901 NL_REQ_ATTR_CHECK(info->extack, info->attrs[OVPN_A_KEYCONF], attrs,
902 OVPN_A_KEYCONF_CIPHER_ALG) ||
903 NL_REQ_ATTR_CHECK(info->extack, info->attrs[OVPN_A_KEYCONF], attrs,
904 OVPN_A_KEYCONF_ENCRYPT_DIR) ||
905 NL_REQ_ATTR_CHECK(info->extack, info->attrs[OVPN_A_KEYCONF], attrs,
906 OVPN_A_KEYCONF_DECRYPT_DIR))
907 return -EINVAL;
908
909 pkr.slot = nla_get_u32(attrs[OVPN_A_KEYCONF_SLOT]);
910 pkr.key.key_id = nla_get_u32(attrs[OVPN_A_KEYCONF_KEY_ID]);
911 pkr.key.cipher_alg = nla_get_u32(attrs[OVPN_A_KEYCONF_CIPHER_ALG]);
912
913 ret = ovpn_nl_get_key_dir(info, attrs[OVPN_A_KEYCONF_ENCRYPT_DIR],
914 pkr.key.cipher_alg, &pkr.key.encrypt);
915 if (ret < 0)
916 return ret;
917
918 ret = ovpn_nl_get_key_dir(info, attrs[OVPN_A_KEYCONF_DECRYPT_DIR],
919 pkr.key.cipher_alg, &pkr.key.decrypt);
920 if (ret < 0)
921 return ret;
922
923 peer_id = nla_get_u32(attrs[OVPN_A_KEYCONF_PEER_ID]);
924 peer = ovpn_peer_get_by_id(ovpn, peer_id);
925 if (!peer) {
926 NL_SET_ERR_MSG_FMT_MOD(info->extack,
927 "no peer with id %u to set key for",
928 peer_id);
929 return -ENOENT;
930 }
931
932 ret = ovpn_crypto_state_reset(&peer->crypto, &pkr);
933 if (ret < 0) {
934 NL_SET_ERR_MSG_FMT_MOD(info->extack,
935 "cannot install new key for peer %u",
936 peer_id);
937 goto out;
938 }
939
940 netdev_dbg(ovpn->dev, "new key installed (id=%u) for peer %u\n",
941 pkr.key.key_id, peer_id);
942 out:
943 ovpn_peer_put(peer);
944 return ret;
945 }
946
ovpn_nl_send_key(struct sk_buff * skb,const struct genl_info * info,u32 peer_id,enum ovpn_key_slot slot,const struct ovpn_key_config * keyconf)947 static int ovpn_nl_send_key(struct sk_buff *skb, const struct genl_info *info,
948 u32 peer_id, enum ovpn_key_slot slot,
949 const struct ovpn_key_config *keyconf)
950 {
951 struct nlattr *attr;
952 void *hdr;
953
954 hdr = genlmsg_put(skb, info->snd_portid, info->snd_seq, &ovpn_nl_family,
955 0, OVPN_CMD_KEY_GET);
956 if (!hdr)
957 return -ENOBUFS;
958
959 attr = nla_nest_start(skb, OVPN_A_KEYCONF);
960 if (!attr)
961 goto err;
962
963 if (nla_put_u32(skb, OVPN_A_KEYCONF_PEER_ID, peer_id))
964 goto err;
965
966 if (nla_put_u32(skb, OVPN_A_KEYCONF_SLOT, slot) ||
967 nla_put_u32(skb, OVPN_A_KEYCONF_KEY_ID, keyconf->key_id) ||
968 nla_put_u32(skb, OVPN_A_KEYCONF_CIPHER_ALG, keyconf->cipher_alg))
969 goto err;
970
971 nla_nest_end(skb, attr);
972 genlmsg_end(skb, hdr);
973
974 return 0;
975 err:
976 genlmsg_cancel(skb, hdr);
977 return -EMSGSIZE;
978 }
979
ovpn_nl_key_get_doit(struct sk_buff * skb,struct genl_info * info)980 int ovpn_nl_key_get_doit(struct sk_buff *skb, struct genl_info *info)
981 {
982 struct nlattr *attrs[OVPN_A_KEYCONF_MAX + 1];
983 struct ovpn_priv *ovpn = info->user_ptr[0];
984 struct ovpn_key_config keyconf = { 0 };
985 enum ovpn_key_slot slot;
986 struct ovpn_peer *peer;
987 struct sk_buff *msg;
988 u32 peer_id;
989 int ret, i;
990
991 if (GENL_REQ_ATTR_CHECK(info, OVPN_A_KEYCONF))
992 return -EINVAL;
993
994 ret = nla_parse_nested(attrs, OVPN_A_KEYCONF_MAX,
995 info->attrs[OVPN_A_KEYCONF],
996 ovpn_keyconf_get_nl_policy, info->extack);
997 if (ret)
998 return ret;
999
1000 if (NL_REQ_ATTR_CHECK(info->extack, info->attrs[OVPN_A_KEYCONF], attrs,
1001 OVPN_A_KEYCONF_PEER_ID))
1002 return -EINVAL;
1003
1004 if (NL_REQ_ATTR_CHECK(info->extack, info->attrs[OVPN_A_KEYCONF], attrs,
1005 OVPN_A_KEYCONF_SLOT))
1006 return -EINVAL;
1007
1008 /* OVPN_CMD_KEY_GET expects only the PEER_ID and the SLOT, therefore
1009 * ensure that the user hasn't specified any other attribute.
1010 *
1011 * Unfortunately this check cannot be performed via netlink
1012 * spec/policy and must be open-coded.
1013 */
1014 for (i = 0; i < OVPN_A_KEYCONF_MAX + 1; i++) {
1015 if (i == OVPN_A_KEYCONF_PEER_ID ||
1016 i == OVPN_A_KEYCONF_SLOT)
1017 continue;
1018
1019 if (attrs[i]) {
1020 NL_SET_ERR_MSG_FMT_MOD(info->extack,
1021 "unexpected attribute %u", i);
1022 return -EINVAL;
1023 }
1024 }
1025
1026 peer_id = nla_get_u32(attrs[OVPN_A_KEYCONF_PEER_ID]);
1027 peer = ovpn_peer_get_by_id(ovpn, peer_id);
1028 if (!peer) {
1029 NL_SET_ERR_MSG_FMT_MOD(info->extack,
1030 "cannot find peer with id %u", peer_id);
1031 return -ENOENT;
1032 }
1033
1034 slot = nla_get_u32(attrs[OVPN_A_KEYCONF_SLOT]);
1035
1036 ret = ovpn_crypto_config_get(&peer->crypto, slot, &keyconf);
1037 if (ret < 0) {
1038 NL_SET_ERR_MSG_FMT_MOD(info->extack,
1039 "cannot extract key from slot %u for peer %u",
1040 slot, peer_id);
1041 goto err;
1042 }
1043
1044 msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
1045 if (!msg) {
1046 ret = -ENOMEM;
1047 goto err;
1048 }
1049
1050 ret = ovpn_nl_send_key(msg, info, peer->id, slot, &keyconf);
1051 if (ret < 0) {
1052 nlmsg_free(msg);
1053 goto err;
1054 }
1055
1056 ret = genlmsg_reply(msg, info);
1057 err:
1058 ovpn_peer_put(peer);
1059 return ret;
1060 }
1061
ovpn_nl_key_swap_doit(struct sk_buff * skb,struct genl_info * info)1062 int ovpn_nl_key_swap_doit(struct sk_buff *skb, struct genl_info *info)
1063 {
1064 struct ovpn_priv *ovpn = info->user_ptr[0];
1065 struct nlattr *attrs[OVPN_A_PEER_MAX + 1];
1066 struct ovpn_peer *peer;
1067 u32 peer_id;
1068 int ret;
1069
1070 if (GENL_REQ_ATTR_CHECK(info, OVPN_A_KEYCONF))
1071 return -EINVAL;
1072
1073 ret = nla_parse_nested(attrs, OVPN_A_KEYCONF_MAX,
1074 info->attrs[OVPN_A_KEYCONF],
1075 ovpn_keyconf_swap_input_nl_policy, info->extack);
1076 if (ret)
1077 return ret;
1078
1079 if (NL_REQ_ATTR_CHECK(info->extack, info->attrs[OVPN_A_KEYCONF], attrs,
1080 OVPN_A_KEYCONF_PEER_ID))
1081 return -EINVAL;
1082
1083 peer_id = nla_get_u32(attrs[OVPN_A_KEYCONF_PEER_ID]);
1084 peer = ovpn_peer_get_by_id(ovpn, peer_id);
1085 if (!peer) {
1086 NL_SET_ERR_MSG_FMT_MOD(info->extack,
1087 "no peer with id %u to swap keys for",
1088 peer_id);
1089 return -ENOENT;
1090 }
1091
1092 ovpn_crypto_key_slots_swap(&peer->crypto);
1093 ovpn_peer_put(peer);
1094
1095 return 0;
1096 }
1097
ovpn_nl_key_del_doit(struct sk_buff * skb,struct genl_info * info)1098 int ovpn_nl_key_del_doit(struct sk_buff *skb, struct genl_info *info)
1099 {
1100 struct nlattr *attrs[OVPN_A_KEYCONF_MAX + 1];
1101 struct ovpn_priv *ovpn = info->user_ptr[0];
1102 enum ovpn_key_slot slot;
1103 struct ovpn_peer *peer;
1104 u32 peer_id;
1105 int ret;
1106
1107 if (GENL_REQ_ATTR_CHECK(info, OVPN_A_KEYCONF))
1108 return -EINVAL;
1109
1110 ret = nla_parse_nested(attrs, OVPN_A_KEYCONF_MAX,
1111 info->attrs[OVPN_A_KEYCONF],
1112 ovpn_keyconf_del_input_nl_policy, info->extack);
1113 if (ret)
1114 return ret;
1115
1116 if (NL_REQ_ATTR_CHECK(info->extack, info->attrs[OVPN_A_KEYCONF], attrs,
1117 OVPN_A_KEYCONF_PEER_ID))
1118 return -EINVAL;
1119
1120 if (NL_REQ_ATTR_CHECK(info->extack, info->attrs[OVPN_A_KEYCONF], attrs,
1121 OVPN_A_KEYCONF_SLOT))
1122 return -EINVAL;
1123
1124 peer_id = nla_get_u32(attrs[OVPN_A_KEYCONF_PEER_ID]);
1125 slot = nla_get_u32(attrs[OVPN_A_KEYCONF_SLOT]);
1126
1127 peer = ovpn_peer_get_by_id(ovpn, peer_id);
1128 if (!peer) {
1129 NL_SET_ERR_MSG_FMT_MOD(info->extack,
1130 "no peer with id %u to delete key for",
1131 peer_id);
1132 return -ENOENT;
1133 }
1134
1135 ovpn_crypto_key_slot_delete(&peer->crypto, slot);
1136 ovpn_peer_put(peer);
1137
1138 return 0;
1139 }
1140
1141 /**
1142 * ovpn_nl_peer_del_notify - notify userspace about peer being deleted
1143 * @peer: the peer being deleted
1144 *
1145 * Return: 0 on success or a negative error code otherwise
1146 */
ovpn_nl_peer_del_notify(struct ovpn_peer * peer)1147 int ovpn_nl_peer_del_notify(struct ovpn_peer *peer)
1148 {
1149 struct ovpn_socket *sock;
1150 struct sk_buff *msg;
1151 struct nlattr *attr;
1152 int ret = -EMSGSIZE;
1153 void *hdr;
1154
1155 netdev_info(peer->ovpn->dev, "deleting peer with id %u, reason %d\n",
1156 peer->id, peer->delete_reason);
1157
1158 msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_ATOMIC);
1159 if (!msg)
1160 return -ENOMEM;
1161
1162 hdr = genlmsg_put(msg, 0, 0, &ovpn_nl_family, 0, OVPN_CMD_PEER_DEL_NTF);
1163 if (!hdr) {
1164 ret = -ENOBUFS;
1165 goto err_free_msg;
1166 }
1167
1168 if (nla_put_u32(msg, OVPN_A_IFINDEX, peer->ovpn->dev->ifindex))
1169 goto err_cancel_msg;
1170
1171 attr = nla_nest_start(msg, OVPN_A_PEER);
1172 if (!attr)
1173 goto err_cancel_msg;
1174
1175 if (nla_put_u32(msg, OVPN_A_PEER_DEL_REASON, peer->delete_reason))
1176 goto err_cancel_msg;
1177
1178 if (nla_put_u32(msg, OVPN_A_PEER_ID, peer->id))
1179 goto err_cancel_msg;
1180
1181 nla_nest_end(msg, attr);
1182
1183 genlmsg_end(msg, hdr);
1184
1185 rcu_read_lock();
1186 sock = rcu_dereference(peer->sock);
1187 if (!sock) {
1188 ret = -EINVAL;
1189 goto err_unlock;
1190 }
1191 genlmsg_multicast_netns(&ovpn_nl_family, sock_net(sock->sk), msg, 0,
1192 OVPN_NLGRP_PEERS, GFP_ATOMIC);
1193 rcu_read_unlock();
1194
1195 return 0;
1196
1197 err_unlock:
1198 rcu_read_unlock();
1199 err_cancel_msg:
1200 genlmsg_cancel(msg, hdr);
1201 err_free_msg:
1202 nlmsg_free(msg);
1203 return ret;
1204 }
1205
1206 /**
1207 * ovpn_nl_key_swap_notify - notify userspace peer's key must be renewed
1208 * @peer: the peer whose key needs to be renewed
1209 * @key_id: the ID of the key that needs to be renewed
1210 *
1211 * Return: 0 on success or a negative error code otherwise
1212 */
ovpn_nl_key_swap_notify(struct ovpn_peer * peer,u8 key_id)1213 int ovpn_nl_key_swap_notify(struct ovpn_peer *peer, u8 key_id)
1214 {
1215 struct ovpn_socket *sock;
1216 struct nlattr *k_attr;
1217 struct sk_buff *msg;
1218 int ret = -EMSGSIZE;
1219 void *hdr;
1220
1221 netdev_info(peer->ovpn->dev, "peer with id %u must rekey - primary key unusable.\n",
1222 peer->id);
1223
1224 msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_ATOMIC);
1225 if (!msg)
1226 return -ENOMEM;
1227
1228 hdr = genlmsg_put(msg, 0, 0, &ovpn_nl_family, 0, OVPN_CMD_KEY_SWAP_NTF);
1229 if (!hdr) {
1230 ret = -ENOBUFS;
1231 goto err_free_msg;
1232 }
1233
1234 if (nla_put_u32(msg, OVPN_A_IFINDEX, peer->ovpn->dev->ifindex))
1235 goto err_cancel_msg;
1236
1237 k_attr = nla_nest_start(msg, OVPN_A_KEYCONF);
1238 if (!k_attr)
1239 goto err_cancel_msg;
1240
1241 if (nla_put_u32(msg, OVPN_A_KEYCONF_PEER_ID, peer->id))
1242 goto err_cancel_msg;
1243
1244 if (nla_put_u16(msg, OVPN_A_KEYCONF_KEY_ID, key_id))
1245 goto err_cancel_msg;
1246
1247 nla_nest_end(msg, k_attr);
1248 genlmsg_end(msg, hdr);
1249
1250 rcu_read_lock();
1251 sock = rcu_dereference(peer->sock);
1252 if (!sock) {
1253 ret = -EINVAL;
1254 goto err_unlock;
1255 }
1256 genlmsg_multicast_netns(&ovpn_nl_family, sock_net(sock->sk), msg, 0,
1257 OVPN_NLGRP_PEERS, GFP_ATOMIC);
1258 rcu_read_unlock();
1259
1260 return 0;
1261 err_unlock:
1262 rcu_read_unlock();
1263 err_cancel_msg:
1264 genlmsg_cancel(msg, hdr);
1265 err_free_msg:
1266 nlmsg_free(msg);
1267 return ret;
1268 }
1269
1270 /**
1271 * ovpn_nl_register - perform any needed registration in the NL subsustem
1272 *
1273 * Return: 0 on success, a negative error code otherwise
1274 */
ovpn_nl_register(void)1275 int __init ovpn_nl_register(void)
1276 {
1277 int ret = genl_register_family(&ovpn_nl_family);
1278
1279 if (ret) {
1280 pr_err("ovpn: genl_register_family failed: %d\n", ret);
1281 return ret;
1282 }
1283
1284 return 0;
1285 }
1286
1287 /**
1288 * ovpn_nl_unregister - undo any module wide netlink registration
1289 */
ovpn_nl_unregister(void)1290 void ovpn_nl_unregister(void)
1291 {
1292 genl_unregister_family(&ovpn_nl_family);
1293 }
1294