1 // SPDX-License-Identifier: GPL-2.0 2 /* OpenVPN data channel accelerator 3 * 4 * Copyright (C) 2020-2025 OpenVPN, Inc. 5 * 6 * Author: Antonio Quartulli <antonio@openvpn.net> 7 */ 8 9 #include <stdint.h> 10 #include <stdio.h> 11 #include <inttypes.h> 12 #include <stdbool.h> 13 #include <string.h> 14 #include <errno.h> 15 #include <unistd.h> 16 #include <arpa/inet.h> 17 #include <net/if.h> 18 #include <netinet/in.h> 19 #include <time.h> 20 21 #include <linux/ovpn.h> 22 #include <linux/types.h> 23 #include <linux/netlink.h> 24 25 #include <netlink/socket.h> 26 #include <netlink/netlink.h> 27 #include <netlink/genl/genl.h> 28 #include <netlink/genl/family.h> 29 #include <netlink/genl/ctrl.h> 30 31 #include <mbedtls/base64.h> 32 #include <mbedtls/error.h> 33 34 #include <sys/socket.h> 35 36 #include "kselftest.h" 37 38 /* defines to make checkpatch happy */ 39 #define strscpy strncpy 40 41 /* libnl < 3.5.0 does not set the NLA_F_NESTED on its own, therefore we 42 * have to explicitly do it to prevent the kernel from failing upon 43 * parsing of the message 44 */ 45 #define nla_nest_start(_msg, _type) \ 46 nla_nest_start(_msg, (_type) | NLA_F_NESTED) 47 48 /* libnl < 3.11.0 does not implement nla_get_uint() */ 49 uint64_t ovpn_nla_get_uint(struct nlattr *attr) 50 { 51 if (nla_len(attr) == sizeof(uint32_t)) 52 return nla_get_u32(attr); 53 else 54 return nla_get_u64(attr); 55 } 56 57 typedef int (*ovpn_nl_cb)(struct nl_msg *msg, void *arg); 58 59 enum ovpn_key_direction { 60 KEY_DIR_IN = 0, 61 KEY_DIR_OUT, 62 }; 63 64 #define KEY_LEN (256 / 8) 65 #define NONCE_LEN 8 66 67 #define PEER_ID_UNDEF 0x00FFFFFF 68 #define MAX_PEERS 10 69 70 struct nl_ctx { 71 struct nl_sock *nl_sock; 72 struct nl_msg *nl_msg; 73 struct nl_cb *nl_cb; 74 75 int ovpn_dco_id; 76 }; 77 78 enum ovpn_cmd { 79 CMD_INVALID, 80 CMD_NEW_IFACE, 81 CMD_DEL_IFACE, 82 CMD_LISTEN, 83 CMD_CONNECT, 84 CMD_NEW_PEER, 85 CMD_NEW_MULTI_PEER, 86 CMD_SET_PEER, 87 CMD_DEL_PEER, 88 CMD_GET_PEER, 89 CMD_NEW_KEY, 90 CMD_DEL_KEY, 91 CMD_GET_KEY, 92 CMD_SWAP_KEYS, 93 CMD_LISTEN_MCAST, 94 }; 95 96 struct ovpn_ctx { 97 enum ovpn_cmd cmd; 98 99 __u8 key_enc[KEY_LEN]; 100 __u8 key_dec[KEY_LEN]; 101 __u8 nonce[NONCE_LEN]; 102 103 enum ovpn_cipher_alg cipher; 104 105 sa_family_t sa_family; 106 107 unsigned long peer_id, tx_id; 108 unsigned long lport; 109 110 union { 111 struct sockaddr_in in4; 112 struct sockaddr_in6 in6; 113 } remote; 114 115 union { 116 struct sockaddr_in in4; 117 struct sockaddr_in6 in6; 118 } peer_ip; 119 120 bool peer_ip_set; 121 122 unsigned int ifindex; 123 char ifname[IFNAMSIZ]; 124 enum ovpn_mode mode; 125 bool mode_set; 126 127 int socket; 128 int cli_sockets[MAX_PEERS]; 129 130 __u32 keepalive_interval; 131 __u32 keepalive_timeout; 132 133 enum ovpn_key_direction key_dir; 134 enum ovpn_key_slot key_slot; 135 int key_id; 136 137 uint32_t mark; 138 bool asymm_id; 139 140 const char *peers_file; 141 }; 142 143 static int ovpn_nl_recvmsgs(struct nl_ctx *ctx) 144 { 145 int ret; 146 147 ret = nl_recvmsgs(ctx->nl_sock, ctx->nl_cb); 148 149 switch (ret) { 150 case -NLE_INTR: 151 fprintf(stderr, 152 "netlink received interrupt due to signal - ignoring\n"); 153 break; 154 case -NLE_NOMEM: 155 fprintf(stderr, "netlink out of memory error\n"); 156 break; 157 case -NLE_AGAIN: 158 fprintf(stderr, 159 "netlink reports blocking read - aborting wait\n"); 160 break; 161 default: 162 if (ret) 163 fprintf(stderr, "netlink reports error (%d): %s\n", 164 ret, nl_geterror(-ret)); 165 break; 166 } 167 168 return ret; 169 } 170 171 static struct nl_ctx *nl_ctx_alloc_flags(struct ovpn_ctx *ovpn, int cmd, 172 int flags) 173 { 174 struct nl_ctx *ctx; 175 int err, ret; 176 177 ctx = calloc(1, sizeof(*ctx)); 178 if (!ctx) 179 return NULL; 180 181 ctx->nl_sock = nl_socket_alloc(); 182 if (!ctx->nl_sock) { 183 fprintf(stderr, "cannot allocate netlink socket\n"); 184 goto err_free; 185 } 186 187 nl_socket_set_buffer_size(ctx->nl_sock, 8192, 8192); 188 189 ret = genl_connect(ctx->nl_sock); 190 if (ret) { 191 fprintf(stderr, "cannot connect to generic netlink: %s\n", 192 nl_geterror(ret)); 193 goto err_sock; 194 } 195 196 /* enable Extended ACK for detailed error reporting */ 197 err = 1; 198 setsockopt(nl_socket_get_fd(ctx->nl_sock), SOL_NETLINK, NETLINK_EXT_ACK, 199 &err, sizeof(err)); 200 201 ctx->ovpn_dco_id = genl_ctrl_resolve(ctx->nl_sock, OVPN_FAMILY_NAME); 202 if (ctx->ovpn_dco_id < 0) { 203 fprintf(stderr, "cannot find ovpn_dco netlink component: %d\n", 204 ctx->ovpn_dco_id); 205 goto err_free; 206 } 207 208 ctx->nl_msg = nlmsg_alloc(); 209 if (!ctx->nl_msg) { 210 fprintf(stderr, "cannot allocate netlink message\n"); 211 goto err_sock; 212 } 213 214 ctx->nl_cb = nl_cb_alloc(NL_CB_DEFAULT); 215 if (!ctx->nl_cb) { 216 fprintf(stderr, "failed to allocate netlink callback\n"); 217 goto err_msg; 218 } 219 220 nl_socket_set_cb(ctx->nl_sock, ctx->nl_cb); 221 222 genlmsg_put(ctx->nl_msg, 0, 0, ctx->ovpn_dco_id, 0, flags, cmd, 0); 223 224 if (ovpn->ifindex > 0) 225 NLA_PUT_U32(ctx->nl_msg, OVPN_A_IFINDEX, ovpn->ifindex); 226 227 return ctx; 228 nla_put_failure: 229 err_msg: 230 nlmsg_free(ctx->nl_msg); 231 err_sock: 232 nl_socket_free(ctx->nl_sock); 233 err_free: 234 free(ctx); 235 return NULL; 236 } 237 238 static struct nl_ctx *nl_ctx_alloc(struct ovpn_ctx *ovpn, int cmd) 239 { 240 return nl_ctx_alloc_flags(ovpn, cmd, 0); 241 } 242 243 static void nl_ctx_free(struct nl_ctx *ctx) 244 { 245 if (!ctx) 246 return; 247 248 nl_socket_free(ctx->nl_sock); 249 nlmsg_free(ctx->nl_msg); 250 nl_cb_put(ctx->nl_cb); 251 free(ctx); 252 } 253 254 static int ovpn_nl_cb_error(struct sockaddr_nl (*nla)__always_unused, 255 struct nlmsgerr *err, void *arg) 256 { 257 struct nlmsghdr *nlh = (struct nlmsghdr *)err - 1; 258 struct nlattr *tb_msg[NLMSGERR_ATTR_MAX + 1]; 259 int len = nlh->nlmsg_len; 260 struct nlattr *attrs; 261 int *ret = arg; 262 int ack_len = sizeof(*nlh) + sizeof(int) + sizeof(*nlh); 263 264 *ret = err->error; 265 266 if (!(nlh->nlmsg_flags & NLM_F_ACK_TLVS)) 267 return NL_STOP; 268 269 if (!(nlh->nlmsg_flags & NLM_F_CAPPED)) 270 ack_len += err->msg.nlmsg_len - sizeof(*nlh); 271 272 if (len <= ack_len) 273 return NL_STOP; 274 275 attrs = (void *)((uint8_t *)nlh + ack_len); 276 len -= ack_len; 277 278 nla_parse(tb_msg, NLMSGERR_ATTR_MAX, attrs, len, NULL); 279 if (tb_msg[NLMSGERR_ATTR_MSG]) { 280 len = strnlen((char *)nla_data(tb_msg[NLMSGERR_ATTR_MSG]), 281 nla_len(tb_msg[NLMSGERR_ATTR_MSG])); 282 fprintf(stderr, "kernel error: %*s\n", len, 283 (char *)nla_data(tb_msg[NLMSGERR_ATTR_MSG])); 284 } 285 286 if (tb_msg[NLMSGERR_ATTR_MISS_NEST]) { 287 fprintf(stderr, "missing required nesting type %u\n", 288 nla_get_u32(tb_msg[NLMSGERR_ATTR_MISS_NEST])); 289 } 290 291 if (tb_msg[NLMSGERR_ATTR_MISS_TYPE]) { 292 fprintf(stderr, "missing required attribute type %u\n", 293 nla_get_u32(tb_msg[NLMSGERR_ATTR_MISS_TYPE])); 294 } 295 296 return NL_STOP; 297 } 298 299 static int ovpn_nl_cb_finish(struct nl_msg (*msg)__always_unused, 300 void *arg) 301 { 302 int *status = arg; 303 304 *status = 0; 305 return NL_SKIP; 306 } 307 308 static int ovpn_nl_cb_ack(struct nl_msg (*msg)__always_unused, 309 void *arg) 310 { 311 int *status = arg; 312 313 *status = 0; 314 return NL_STOP; 315 } 316 317 static int ovpn_nl_msg_send(struct nl_ctx *ctx, ovpn_nl_cb cb) 318 { 319 int status = 1; 320 321 nl_cb_err(ctx->nl_cb, NL_CB_CUSTOM, ovpn_nl_cb_error, &status); 322 nl_cb_set(ctx->nl_cb, NL_CB_FINISH, NL_CB_CUSTOM, ovpn_nl_cb_finish, 323 &status); 324 nl_cb_set(ctx->nl_cb, NL_CB_ACK, NL_CB_CUSTOM, ovpn_nl_cb_ack, &status); 325 326 if (cb) 327 nl_cb_set(ctx->nl_cb, NL_CB_VALID, NL_CB_CUSTOM, cb, ctx); 328 329 nl_send_auto_complete(ctx->nl_sock, ctx->nl_msg); 330 331 while (status == 1) 332 ovpn_nl_recvmsgs(ctx); 333 334 if (status < 0) 335 fprintf(stderr, "failed to send netlink message: %s (%d)\n", 336 strerror(-status), status); 337 338 return status; 339 } 340 341 static int ovpn_parse_key(const char *file, struct ovpn_ctx *ctx) 342 { 343 int idx_enc, idx_dec, ret = -1; 344 unsigned char *ckey = NULL; 345 __u8 *bkey = NULL; 346 size_t olen = 0; 347 long ckey_len; 348 FILE *fp; 349 350 fp = fopen(file, "r"); 351 if (!fp) { 352 fprintf(stderr, "cannot open: %s\n", file); 353 return -1; 354 } 355 356 /* get file size */ 357 fseek(fp, 0L, SEEK_END); 358 ckey_len = ftell(fp); 359 rewind(fp); 360 361 /* if the file is longer, let's just read a portion */ 362 if (ckey_len > 256) 363 ckey_len = 256; 364 365 ckey = malloc(ckey_len); 366 if (!ckey) 367 goto err; 368 369 ret = fread(ckey, 1, ckey_len, fp); 370 if (ret != ckey_len) { 371 fprintf(stderr, 372 "couldn't read enough data from key file: %dbytes read\n", 373 ret); 374 goto err; 375 } 376 377 olen = 0; 378 ret = mbedtls_base64_decode(NULL, 0, &olen, ckey, ckey_len); 379 if (ret != MBEDTLS_ERR_BASE64_BUFFER_TOO_SMALL) { 380 char buf[256]; 381 382 mbedtls_strerror(ret, buf, sizeof(buf)); 383 fprintf(stderr, "unexpected base64 error1: %s (%d)\n", buf, 384 ret); 385 386 goto err; 387 } 388 389 bkey = malloc(olen); 390 if (!bkey) { 391 fprintf(stderr, "cannot allocate binary key buffer\n"); 392 goto err; 393 } 394 395 ret = mbedtls_base64_decode(bkey, olen, &olen, ckey, ckey_len); 396 if (ret) { 397 char buf[256]; 398 399 mbedtls_strerror(ret, buf, sizeof(buf)); 400 fprintf(stderr, "unexpected base64 error2: %s (%d)\n", buf, 401 ret); 402 403 goto err; 404 } 405 406 if (olen < 2 * KEY_LEN + NONCE_LEN) { 407 fprintf(stderr, 408 "not enough data in key file, found %zdB but needs %dB\n", 409 olen, 2 * KEY_LEN + NONCE_LEN); 410 goto err; 411 } 412 413 switch (ctx->key_dir) { 414 case KEY_DIR_IN: 415 idx_enc = 0; 416 idx_dec = 1; 417 break; 418 case KEY_DIR_OUT: 419 idx_enc = 1; 420 idx_dec = 0; 421 break; 422 default: 423 goto err; 424 } 425 426 memcpy(ctx->key_enc, bkey + KEY_LEN * idx_enc, KEY_LEN); 427 memcpy(ctx->key_dec, bkey + KEY_LEN * idx_dec, KEY_LEN); 428 memcpy(ctx->nonce, bkey + 2 * KEY_LEN, NONCE_LEN); 429 430 ret = 0; 431 432 err: 433 fclose(fp); 434 free(bkey); 435 free(ckey); 436 437 return ret; 438 } 439 440 static int ovpn_parse_cipher(const char *cipher, struct ovpn_ctx *ctx) 441 { 442 if (strcmp(cipher, "aes") == 0) 443 ctx->cipher = OVPN_CIPHER_ALG_AES_GCM; 444 else if (strcmp(cipher, "chachapoly") == 0) 445 ctx->cipher = OVPN_CIPHER_ALG_CHACHA20_POLY1305; 446 else if (strcmp(cipher, "none") == 0) 447 ctx->cipher = OVPN_CIPHER_ALG_NONE; 448 else 449 return -ENOTSUP; 450 451 return 0; 452 } 453 454 static int ovpn_parse_key_direction(const char *dir, struct ovpn_ctx *ctx) 455 { 456 int in_dir; 457 458 in_dir = strtoll(dir, NULL, 10); 459 switch (in_dir) { 460 case KEY_DIR_IN: 461 case KEY_DIR_OUT: 462 ctx->key_dir = in_dir; 463 break; 464 default: 465 fprintf(stderr, 466 "invalid key direction provided. Can be 0 or 1 only\n"); 467 return -1; 468 } 469 470 return 0; 471 } 472 473 static int ovpn_socket(struct ovpn_ctx *ctx, sa_family_t family, int proto) 474 { 475 struct sockaddr_storage local_sock = { 0 }; 476 struct sockaddr_in6 *in6; 477 struct sockaddr_in *in; 478 int ret, s, sock_type; 479 size_t sock_len; 480 481 if (proto == IPPROTO_UDP) 482 sock_type = SOCK_DGRAM; 483 else if (proto == IPPROTO_TCP) 484 sock_type = SOCK_STREAM; 485 else 486 return -EINVAL; 487 488 s = socket(family, sock_type, 0); 489 if (s < 0) { 490 perror("cannot create socket"); 491 return -1; 492 } 493 494 switch (family) { 495 case AF_INET: 496 in = (struct sockaddr_in *)&local_sock; 497 in->sin_family = family; 498 in->sin_port = htons(ctx->lport); 499 in->sin_addr.s_addr = htonl(INADDR_ANY); 500 sock_len = sizeof(*in); 501 break; 502 case AF_INET6: 503 in6 = (struct sockaddr_in6 *)&local_sock; 504 in6->sin6_family = family; 505 in6->sin6_port = htons(ctx->lport); 506 in6->sin6_addr = in6addr_any; 507 sock_len = sizeof(*in6); 508 break; 509 default: 510 return -1; 511 } 512 513 int opt = 1; 514 515 ret = setsockopt(s, SOL_SOCKET, SO_REUSEADDR, &opt, sizeof(opt)); 516 517 if (ret < 0) { 518 perror("setsockopt for SO_REUSEADDR"); 519 return ret; 520 } 521 522 ret = setsockopt(s, SOL_SOCKET, SO_REUSEPORT, &opt, sizeof(opt)); 523 if (ret < 0) { 524 perror("setsockopt for SO_REUSEPORT"); 525 return ret; 526 } 527 528 if (ctx->mark != 0) { 529 ret = setsockopt(s, SOL_SOCKET, SO_MARK, (void *)&ctx->mark, 530 sizeof(ctx->mark)); 531 if (ret < 0) { 532 perror("setsockopt for SO_MARK"); 533 return ret; 534 } 535 } 536 537 if (family == AF_INET6) { 538 opt = 0; 539 if (setsockopt(s, IPPROTO_IPV6, IPV6_V6ONLY, &opt, 540 sizeof(opt))) { 541 perror("failed to set IPV6_V6ONLY"); 542 return -1; 543 } 544 } 545 546 ret = bind(s, (struct sockaddr *)&local_sock, sock_len); 547 if (ret < 0) { 548 perror("cannot bind socket"); 549 goto err_socket; 550 } 551 552 ctx->socket = s; 553 ctx->sa_family = family; 554 return 0; 555 556 err_socket: 557 close(s); 558 return -1; 559 } 560 561 static int ovpn_udp_socket(struct ovpn_ctx *ctx, sa_family_t family) 562 { 563 return ovpn_socket(ctx, family, IPPROTO_UDP); 564 } 565 566 static int ovpn_listen(struct ovpn_ctx *ctx, sa_family_t family) 567 { 568 int ret; 569 570 ret = ovpn_socket(ctx, family, IPPROTO_TCP); 571 if (ret < 0) 572 return ret; 573 574 ret = listen(ctx->socket, 10); 575 if (ret < 0) { 576 perror("listen"); 577 close(ctx->socket); 578 return -1; 579 } 580 581 return 0; 582 } 583 584 static int ovpn_accept(struct ovpn_ctx *ctx) 585 { 586 socklen_t socklen; 587 int ret; 588 589 socklen = sizeof(ctx->remote); 590 ret = accept(ctx->socket, (struct sockaddr *)&ctx->remote, &socklen); 591 if (ret < 0) { 592 perror("accept"); 593 goto err; 594 } 595 596 fprintf(stderr, "Connection received!\n"); 597 598 switch (socklen) { 599 case sizeof(struct sockaddr_in): 600 case sizeof(struct sockaddr_in6): 601 break; 602 default: 603 fprintf(stderr, "error: expecting IPv4 or IPv6 connection\n"); 604 close(ret); 605 ret = -EINVAL; 606 goto err; 607 } 608 609 return ret; 610 err: 611 close(ctx->socket); 612 return ret; 613 } 614 615 static int ovpn_connect(struct ovpn_ctx *ovpn) 616 { 617 socklen_t socklen; 618 int s, ret; 619 620 s = socket(ovpn->remote.in4.sin_family, SOCK_STREAM, 0); 621 if (s < 0) { 622 perror("cannot create socket"); 623 return -1; 624 } 625 626 switch (ovpn->remote.in4.sin_family) { 627 case AF_INET: 628 socklen = sizeof(struct sockaddr_in); 629 break; 630 case AF_INET6: 631 socklen = sizeof(struct sockaddr_in6); 632 break; 633 default: 634 return -EOPNOTSUPP; 635 } 636 637 ret = connect(s, (struct sockaddr *)&ovpn->remote, socklen); 638 if (ret < 0) { 639 perror("connect"); 640 goto err; 641 } 642 643 fprintf(stderr, "connected\n"); 644 645 ovpn->socket = s; 646 647 return 0; 648 err: 649 close(s); 650 return ret; 651 } 652 653 static int ovpn_new_peer(struct ovpn_ctx *ovpn, bool is_tcp) 654 { 655 struct nlattr *attr; 656 struct nl_ctx *ctx; 657 int ret = -1; 658 659 ctx = nl_ctx_alloc(ovpn, OVPN_CMD_PEER_NEW); 660 if (!ctx) 661 return -ENOMEM; 662 663 attr = nla_nest_start(ctx->nl_msg, OVPN_A_PEER); 664 NLA_PUT_U32(ctx->nl_msg, OVPN_A_PEER_ID, ovpn->peer_id); 665 if (ovpn->asymm_id) 666 NLA_PUT_U32(ctx->nl_msg, OVPN_A_PEER_TX_ID, ovpn->tx_id); 667 NLA_PUT_U32(ctx->nl_msg, OVPN_A_PEER_SOCKET, ovpn->socket); 668 669 if (!is_tcp) { 670 switch (ovpn->remote.in4.sin_family) { 671 case AF_INET: 672 NLA_PUT_U32(ctx->nl_msg, OVPN_A_PEER_REMOTE_IPV4, 673 ovpn->remote.in4.sin_addr.s_addr); 674 NLA_PUT_U16(ctx->nl_msg, OVPN_A_PEER_REMOTE_PORT, 675 ovpn->remote.in4.sin_port); 676 break; 677 case AF_INET6: 678 NLA_PUT(ctx->nl_msg, OVPN_A_PEER_REMOTE_IPV6, 679 sizeof(ovpn->remote.in6.sin6_addr), 680 &ovpn->remote.in6.sin6_addr); 681 NLA_PUT_U32(ctx->nl_msg, 682 OVPN_A_PEER_REMOTE_IPV6_SCOPE_ID, 683 ovpn->remote.in6.sin6_scope_id); 684 NLA_PUT_U16(ctx->nl_msg, OVPN_A_PEER_REMOTE_PORT, 685 ovpn->remote.in6.sin6_port); 686 break; 687 default: 688 fprintf(stderr, 689 "Invalid family for remote socket address\n"); 690 goto nla_put_failure; 691 } 692 } 693 694 if (ovpn->peer_ip_set) { 695 switch (ovpn->peer_ip.in4.sin_family) { 696 case AF_INET: 697 NLA_PUT_U32(ctx->nl_msg, OVPN_A_PEER_VPN_IPV4, 698 ovpn->peer_ip.in4.sin_addr.s_addr); 699 break; 700 case AF_INET6: 701 NLA_PUT(ctx->nl_msg, OVPN_A_PEER_VPN_IPV6, 702 sizeof(struct in6_addr), 703 &ovpn->peer_ip.in6.sin6_addr); 704 break; 705 default: 706 fprintf(stderr, "Invalid family for peer address\n"); 707 goto nla_put_failure; 708 } 709 } 710 711 nla_nest_end(ctx->nl_msg, attr); 712 713 ret = ovpn_nl_msg_send(ctx, NULL); 714 nla_put_failure: 715 nl_ctx_free(ctx); 716 return ret; 717 } 718 719 static int ovpn_set_peer(struct ovpn_ctx *ovpn) 720 { 721 struct nlattr *attr; 722 struct nl_ctx *ctx; 723 int ret = -1; 724 725 ctx = nl_ctx_alloc(ovpn, OVPN_CMD_PEER_SET); 726 if (!ctx) 727 return -ENOMEM; 728 729 attr = nla_nest_start(ctx->nl_msg, OVPN_A_PEER); 730 NLA_PUT_U32(ctx->nl_msg, OVPN_A_PEER_ID, ovpn->peer_id); 731 NLA_PUT_U32(ctx->nl_msg, OVPN_A_PEER_KEEPALIVE_INTERVAL, 732 ovpn->keepalive_interval); 733 NLA_PUT_U32(ctx->nl_msg, OVPN_A_PEER_KEEPALIVE_TIMEOUT, 734 ovpn->keepalive_timeout); 735 nla_nest_end(ctx->nl_msg, attr); 736 737 ret = ovpn_nl_msg_send(ctx, NULL); 738 nla_put_failure: 739 nl_ctx_free(ctx); 740 return ret; 741 } 742 743 static int ovpn_del_peer(struct ovpn_ctx *ovpn) 744 { 745 struct nlattr *attr; 746 struct nl_ctx *ctx; 747 int ret = -1; 748 749 ctx = nl_ctx_alloc(ovpn, OVPN_CMD_PEER_DEL); 750 if (!ctx) 751 return -ENOMEM; 752 753 attr = nla_nest_start(ctx->nl_msg, OVPN_A_PEER); 754 NLA_PUT_U32(ctx->nl_msg, OVPN_A_PEER_ID, ovpn->peer_id); 755 nla_nest_end(ctx->nl_msg, attr); 756 757 ret = ovpn_nl_msg_send(ctx, NULL); 758 nla_put_failure: 759 nl_ctx_free(ctx); 760 return ret; 761 } 762 763 static int ovpn_handle_peer(struct nl_msg *msg, void (*arg)__always_unused) 764 { 765 struct nlattr *pattrs[OVPN_A_PEER_MAX + 1]; 766 struct genlmsghdr *gnlh = nlmsg_data(nlmsg_hdr(msg)); 767 struct nlattr *attrs[OVPN_A_MAX + 1]; 768 __u16 rport = 0, lport = 0; 769 770 nla_parse(attrs, OVPN_A_MAX, genlmsg_attrdata(gnlh, 0), 771 genlmsg_attrlen(gnlh, 0), NULL); 772 773 if (!attrs[OVPN_A_PEER]) { 774 fprintf(stderr, "no packet content in netlink message\n"); 775 return NL_SKIP; 776 } 777 778 nla_parse(pattrs, OVPN_A_PEER_MAX, nla_data(attrs[OVPN_A_PEER]), 779 nla_len(attrs[OVPN_A_PEER]), NULL); 780 781 if (pattrs[OVPN_A_PEER_ID]) 782 fprintf(stderr, "* Peer %u\n", 783 nla_get_u32(pattrs[OVPN_A_PEER_ID])); 784 785 if (pattrs[OVPN_A_PEER_TX_ID]) 786 fprintf(stderr, "\tTX peer ID %u\n", 787 nla_get_u32(pattrs[OVPN_A_PEER_TX_ID])); 788 789 if (pattrs[OVPN_A_PEER_SOCKET_NETNSID]) 790 fprintf(stderr, "\tsocket NetNS ID: %d\n", 791 nla_get_s32(pattrs[OVPN_A_PEER_SOCKET_NETNSID])); 792 793 if (pattrs[OVPN_A_PEER_VPN_IPV4]) { 794 char buf[INET_ADDRSTRLEN]; 795 796 inet_ntop(AF_INET, nla_data(pattrs[OVPN_A_PEER_VPN_IPV4]), 797 buf, sizeof(buf)); 798 fprintf(stderr, "\tVPN IPv4: %s\n", buf); 799 } 800 801 if (pattrs[OVPN_A_PEER_VPN_IPV6]) { 802 char buf[INET6_ADDRSTRLEN]; 803 804 inet_ntop(AF_INET6, nla_data(pattrs[OVPN_A_PEER_VPN_IPV6]), 805 buf, sizeof(buf)); 806 fprintf(stderr, "\tVPN IPv6: %s\n", buf); 807 } 808 809 if (pattrs[OVPN_A_PEER_LOCAL_PORT]) 810 lport = ntohs(nla_get_u16(pattrs[OVPN_A_PEER_LOCAL_PORT])); 811 812 if (pattrs[OVPN_A_PEER_REMOTE_PORT]) 813 rport = ntohs(nla_get_u16(pattrs[OVPN_A_PEER_REMOTE_PORT])); 814 815 if (pattrs[OVPN_A_PEER_REMOTE_IPV6]) { 816 void *ip = pattrs[OVPN_A_PEER_REMOTE_IPV6]; 817 char buf[INET6_ADDRSTRLEN]; 818 int scope_id = -1; 819 820 if (pattrs[OVPN_A_PEER_REMOTE_IPV6_SCOPE_ID]) { 821 void *p = pattrs[OVPN_A_PEER_REMOTE_IPV6_SCOPE_ID]; 822 823 scope_id = nla_get_u32(p); 824 } 825 826 inet_ntop(AF_INET6, nla_data(ip), buf, sizeof(buf)); 827 fprintf(stderr, "\tRemote: %s:%hu (scope-id: %u)\n", buf, rport, 828 scope_id); 829 830 if (pattrs[OVPN_A_PEER_LOCAL_IPV6]) { 831 void *ip = pattrs[OVPN_A_PEER_LOCAL_IPV6]; 832 833 inet_ntop(AF_INET6, nla_data(ip), buf, sizeof(buf)); 834 fprintf(stderr, "\tLocal: %s:%hu\n", buf, lport); 835 } 836 } 837 838 if (pattrs[OVPN_A_PEER_REMOTE_IPV4]) { 839 void *ip = pattrs[OVPN_A_PEER_REMOTE_IPV4]; 840 char buf[INET_ADDRSTRLEN]; 841 842 inet_ntop(AF_INET, nla_data(ip), buf, sizeof(buf)); 843 fprintf(stderr, "\tRemote: %s:%hu\n", buf, rport); 844 845 if (pattrs[OVPN_A_PEER_LOCAL_IPV4]) { 846 void *p = pattrs[OVPN_A_PEER_LOCAL_IPV4]; 847 848 inet_ntop(AF_INET, nla_data(p), buf, sizeof(buf)); 849 fprintf(stderr, "\tLocal: %s:%hu\n", buf, lport); 850 } 851 } 852 853 if (pattrs[OVPN_A_PEER_KEEPALIVE_INTERVAL]) { 854 void *p = pattrs[OVPN_A_PEER_KEEPALIVE_INTERVAL]; 855 856 fprintf(stderr, "\tKeepalive interval: %u sec\n", 857 nla_get_u32(p)); 858 } 859 860 if (pattrs[OVPN_A_PEER_KEEPALIVE_TIMEOUT]) 861 fprintf(stderr, "\tKeepalive timeout: %u sec\n", 862 nla_get_u32(pattrs[OVPN_A_PEER_KEEPALIVE_TIMEOUT])); 863 864 if (pattrs[OVPN_A_PEER_VPN_RX_BYTES]) 865 fprintf(stderr, "\tVPN RX bytes: %" PRIu64 "\n", 866 ovpn_nla_get_uint(pattrs[OVPN_A_PEER_VPN_RX_BYTES])); 867 868 if (pattrs[OVPN_A_PEER_VPN_TX_BYTES]) 869 fprintf(stderr, "\tVPN TX bytes: %" PRIu64 "\n", 870 ovpn_nla_get_uint(pattrs[OVPN_A_PEER_VPN_TX_BYTES])); 871 872 if (pattrs[OVPN_A_PEER_VPN_RX_PACKETS]) 873 fprintf(stderr, "\tVPN RX packets: %" PRIu64 "\n", 874 ovpn_nla_get_uint(pattrs[OVPN_A_PEER_VPN_RX_PACKETS])); 875 876 if (pattrs[OVPN_A_PEER_VPN_TX_PACKETS]) 877 fprintf(stderr, "\tVPN TX packets: %" PRIu64 "\n", 878 ovpn_nla_get_uint(pattrs[OVPN_A_PEER_VPN_TX_PACKETS])); 879 880 if (pattrs[OVPN_A_PEER_LINK_RX_BYTES]) 881 fprintf(stderr, "\tLINK RX bytes: %" PRIu64 "\n", 882 ovpn_nla_get_uint(pattrs[OVPN_A_PEER_LINK_RX_BYTES])); 883 884 if (pattrs[OVPN_A_PEER_LINK_TX_BYTES]) 885 fprintf(stderr, "\tLINK TX bytes: %" PRIu64 "\n", 886 ovpn_nla_get_uint(pattrs[OVPN_A_PEER_LINK_TX_BYTES])); 887 888 if (pattrs[OVPN_A_PEER_LINK_RX_PACKETS]) 889 fprintf(stderr, "\tLINK RX packets: %" PRIu64 "\n", 890 ovpn_nla_get_uint(pattrs[OVPN_A_PEER_LINK_RX_PACKETS])); 891 892 if (pattrs[OVPN_A_PEER_LINK_TX_PACKETS]) 893 fprintf(stderr, "\tLINK TX packets: %" PRIu64 "\n", 894 ovpn_nla_get_uint(pattrs[OVPN_A_PEER_LINK_TX_PACKETS])); 895 896 return NL_SKIP; 897 } 898 899 static int ovpn_get_peer(struct ovpn_ctx *ovpn) 900 { 901 int flags = 0, ret = -1; 902 struct nlattr *attr; 903 struct nl_ctx *ctx; 904 905 if (ovpn->peer_id == PEER_ID_UNDEF) 906 flags = NLM_F_DUMP; 907 908 ctx = nl_ctx_alloc_flags(ovpn, OVPN_CMD_PEER_GET, flags); 909 if (!ctx) 910 return -ENOMEM; 911 912 if (ovpn->peer_id != PEER_ID_UNDEF) { 913 attr = nla_nest_start(ctx->nl_msg, OVPN_A_PEER); 914 NLA_PUT_U32(ctx->nl_msg, OVPN_A_PEER_ID, ovpn->peer_id); 915 nla_nest_end(ctx->nl_msg, attr); 916 } 917 918 ret = ovpn_nl_msg_send(ctx, ovpn_handle_peer); 919 nla_put_failure: 920 nl_ctx_free(ctx); 921 return ret; 922 } 923 924 static int ovpn_new_key(struct ovpn_ctx *ovpn) 925 { 926 struct nlattr *keyconf, *key_dir; 927 struct nl_ctx *ctx; 928 int ret = -1; 929 930 ctx = nl_ctx_alloc(ovpn, OVPN_CMD_KEY_NEW); 931 if (!ctx) 932 return -ENOMEM; 933 934 keyconf = nla_nest_start(ctx->nl_msg, OVPN_A_KEYCONF); 935 NLA_PUT_U32(ctx->nl_msg, OVPN_A_KEYCONF_PEER_ID, ovpn->peer_id); 936 NLA_PUT_U32(ctx->nl_msg, OVPN_A_KEYCONF_SLOT, ovpn->key_slot); 937 NLA_PUT_U32(ctx->nl_msg, OVPN_A_KEYCONF_KEY_ID, ovpn->key_id); 938 NLA_PUT_U32(ctx->nl_msg, OVPN_A_KEYCONF_CIPHER_ALG, ovpn->cipher); 939 940 key_dir = nla_nest_start(ctx->nl_msg, OVPN_A_KEYCONF_ENCRYPT_DIR); 941 NLA_PUT(ctx->nl_msg, OVPN_A_KEYDIR_CIPHER_KEY, KEY_LEN, ovpn->key_enc); 942 NLA_PUT(ctx->nl_msg, OVPN_A_KEYDIR_NONCE_TAIL, NONCE_LEN, ovpn->nonce); 943 nla_nest_end(ctx->nl_msg, key_dir); 944 945 key_dir = nla_nest_start(ctx->nl_msg, OVPN_A_KEYCONF_DECRYPT_DIR); 946 NLA_PUT(ctx->nl_msg, OVPN_A_KEYDIR_CIPHER_KEY, KEY_LEN, ovpn->key_dec); 947 NLA_PUT(ctx->nl_msg, OVPN_A_KEYDIR_NONCE_TAIL, NONCE_LEN, ovpn->nonce); 948 nla_nest_end(ctx->nl_msg, key_dir); 949 950 nla_nest_end(ctx->nl_msg, keyconf); 951 952 ret = ovpn_nl_msg_send(ctx, NULL); 953 nla_put_failure: 954 nl_ctx_free(ctx); 955 return ret; 956 } 957 958 static int ovpn_del_key(struct ovpn_ctx *ovpn) 959 { 960 struct nlattr *keyconf; 961 struct nl_ctx *ctx; 962 int ret = -1; 963 964 ctx = nl_ctx_alloc(ovpn, OVPN_CMD_KEY_DEL); 965 if (!ctx) 966 return -ENOMEM; 967 968 keyconf = nla_nest_start(ctx->nl_msg, OVPN_A_KEYCONF); 969 NLA_PUT_U32(ctx->nl_msg, OVPN_A_KEYCONF_PEER_ID, ovpn->peer_id); 970 NLA_PUT_U32(ctx->nl_msg, OVPN_A_KEYCONF_SLOT, ovpn->key_slot); 971 nla_nest_end(ctx->nl_msg, keyconf); 972 973 ret = ovpn_nl_msg_send(ctx, NULL); 974 nla_put_failure: 975 nl_ctx_free(ctx); 976 return ret; 977 } 978 979 static int ovpn_handle_key(struct nl_msg *msg, void (*arg)__always_unused) 980 { 981 struct nlattr *kattrs[OVPN_A_KEYCONF_MAX + 1]; 982 struct genlmsghdr *gnlh = nlmsg_data(nlmsg_hdr(msg)); 983 struct nlattr *attrs[OVPN_A_MAX + 1]; 984 985 nla_parse(attrs, OVPN_A_MAX, genlmsg_attrdata(gnlh, 0), 986 genlmsg_attrlen(gnlh, 0), NULL); 987 988 if (!attrs[OVPN_A_KEYCONF]) { 989 fprintf(stderr, "no packet content in netlink message\n"); 990 return NL_SKIP; 991 } 992 993 nla_parse(kattrs, OVPN_A_KEYCONF_MAX, nla_data(attrs[OVPN_A_KEYCONF]), 994 nla_len(attrs[OVPN_A_KEYCONF]), NULL); 995 996 if (kattrs[OVPN_A_KEYCONF_PEER_ID]) 997 fprintf(stderr, "* Peer %u\n", 998 nla_get_u32(kattrs[OVPN_A_KEYCONF_PEER_ID])); 999 if (kattrs[OVPN_A_KEYCONF_SLOT]) { 1000 fprintf(stderr, "\t- Slot: "); 1001 switch (nla_get_u32(kattrs[OVPN_A_KEYCONF_SLOT])) { 1002 case OVPN_KEY_SLOT_PRIMARY: 1003 fprintf(stderr, "primary\n"); 1004 break; 1005 case OVPN_KEY_SLOT_SECONDARY: 1006 fprintf(stderr, "secondary\n"); 1007 break; 1008 default: 1009 fprintf(stderr, "invalid (%u)\n", 1010 nla_get_u32(kattrs[OVPN_A_KEYCONF_SLOT])); 1011 break; 1012 } 1013 } 1014 if (kattrs[OVPN_A_KEYCONF_KEY_ID]) 1015 fprintf(stderr, "\t- Key ID: %u\n", 1016 nla_get_u32(kattrs[OVPN_A_KEYCONF_KEY_ID])); 1017 if (kattrs[OVPN_A_KEYCONF_CIPHER_ALG]) { 1018 fprintf(stderr, "\t- Cipher: "); 1019 switch (nla_get_u32(kattrs[OVPN_A_KEYCONF_CIPHER_ALG])) { 1020 case OVPN_CIPHER_ALG_NONE: 1021 fprintf(stderr, "none\n"); 1022 break; 1023 case OVPN_CIPHER_ALG_AES_GCM: 1024 fprintf(stderr, "aes-gcm\n"); 1025 break; 1026 case OVPN_CIPHER_ALG_CHACHA20_POLY1305: 1027 fprintf(stderr, "chacha20poly1305\n"); 1028 break; 1029 default: 1030 fprintf(stderr, "invalid (%u)\n", 1031 nla_get_u32(kattrs[OVPN_A_KEYCONF_CIPHER_ALG])); 1032 break; 1033 } 1034 } 1035 1036 return NL_SKIP; 1037 } 1038 1039 static int ovpn_get_key(struct ovpn_ctx *ovpn) 1040 { 1041 struct nlattr *keyconf; 1042 struct nl_ctx *ctx; 1043 int ret = -1; 1044 1045 ctx = nl_ctx_alloc(ovpn, OVPN_CMD_KEY_GET); 1046 if (!ctx) 1047 return -ENOMEM; 1048 1049 keyconf = nla_nest_start(ctx->nl_msg, OVPN_A_KEYCONF); 1050 NLA_PUT_U32(ctx->nl_msg, OVPN_A_KEYCONF_PEER_ID, ovpn->peer_id); 1051 NLA_PUT_U32(ctx->nl_msg, OVPN_A_KEYCONF_SLOT, ovpn->key_slot); 1052 nla_nest_end(ctx->nl_msg, keyconf); 1053 1054 ret = ovpn_nl_msg_send(ctx, ovpn_handle_key); 1055 nla_put_failure: 1056 nl_ctx_free(ctx); 1057 return ret; 1058 } 1059 1060 static int ovpn_swap_keys(struct ovpn_ctx *ovpn) 1061 { 1062 struct nl_ctx *ctx; 1063 struct nlattr *kc; 1064 int ret = -1; 1065 1066 ctx = nl_ctx_alloc(ovpn, OVPN_CMD_KEY_SWAP); 1067 if (!ctx) 1068 return -ENOMEM; 1069 1070 kc = nla_nest_start(ctx->nl_msg, OVPN_A_KEYCONF); 1071 NLA_PUT_U32(ctx->nl_msg, OVPN_A_KEYCONF_PEER_ID, ovpn->peer_id); 1072 nla_nest_end(ctx->nl_msg, kc); 1073 1074 ret = ovpn_nl_msg_send(ctx, NULL); 1075 nla_put_failure: 1076 nl_ctx_free(ctx); 1077 return ret; 1078 } 1079 1080 /* Helper function used to easily add attributes to a rtnl message */ 1081 static int ovpn_addattr(struct nlmsghdr *n, int maxlen, int type, 1082 const void *data, int alen) 1083 { 1084 int len = RTA_LENGTH(alen); 1085 struct rtattr *rta; 1086 1087 if ((int)(NLMSG_ALIGN(n->nlmsg_len) + RTA_ALIGN(len)) > maxlen) { 1088 fprintf(stderr, "%s: rtnl: message exceeded bound of %d\n", 1089 __func__, maxlen); 1090 return -EMSGSIZE; 1091 } 1092 1093 rta = nlmsg_tail(n); 1094 rta->rta_type = type; 1095 rta->rta_len = len; 1096 1097 if (!data) 1098 memset(RTA_DATA(rta), 0, alen); 1099 else 1100 memcpy(RTA_DATA(rta), data, alen); 1101 1102 n->nlmsg_len = NLMSG_ALIGN(n->nlmsg_len) + RTA_ALIGN(len); 1103 1104 return 0; 1105 } 1106 1107 static struct rtattr *ovpn_nest_start(struct nlmsghdr *msg, size_t max_size, 1108 int attr) 1109 { 1110 struct rtattr *nest = nlmsg_tail(msg); 1111 1112 if (ovpn_addattr(msg, max_size, attr, NULL, 0) < 0) 1113 return NULL; 1114 1115 return nest; 1116 } 1117 1118 static void ovpn_nest_end(struct nlmsghdr *msg, struct rtattr *nest) 1119 { 1120 nest->rta_len = (uint8_t *)nlmsg_tail(msg) - (uint8_t *)nest; 1121 } 1122 1123 #define RT_SNDBUF_SIZE (1024 * 2) 1124 #define RT_RCVBUF_SIZE (1024 * 4) 1125 1126 /* Open RTNL socket */ 1127 static int ovpn_rt_socket(void) 1128 { 1129 int sndbuf = RT_SNDBUF_SIZE, rcvbuf = RT_RCVBUF_SIZE, fd; 1130 1131 fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE); 1132 if (fd < 0) { 1133 fprintf(stderr, "%s: cannot open netlink socket\n", __func__); 1134 return fd; 1135 } 1136 1137 if (setsockopt(fd, SOL_SOCKET, SO_SNDBUF, &sndbuf, 1138 sizeof(sndbuf)) < 0) { 1139 fprintf(stderr, "%s: SO_SNDBUF\n", __func__); 1140 close(fd); 1141 return -1; 1142 } 1143 1144 if (setsockopt(fd, SOL_SOCKET, SO_RCVBUF, &rcvbuf, 1145 sizeof(rcvbuf)) < 0) { 1146 fprintf(stderr, "%s: SO_RCVBUF\n", __func__); 1147 close(fd); 1148 return -1; 1149 } 1150 1151 return fd; 1152 } 1153 1154 /* Bind socket to Netlink subsystem */ 1155 static int ovpn_rt_bind(int fd, uint32_t groups) 1156 { 1157 struct sockaddr_nl local = { 0 }; 1158 socklen_t addr_len; 1159 1160 local.nl_family = AF_NETLINK; 1161 local.nl_groups = groups; 1162 1163 if (bind(fd, (struct sockaddr *)&local, sizeof(local)) < 0) { 1164 fprintf(stderr, "%s: cannot bind netlink socket: %d\n", 1165 __func__, errno); 1166 return -errno; 1167 } 1168 1169 addr_len = sizeof(local); 1170 if (getsockname(fd, (struct sockaddr *)&local, &addr_len) < 0) { 1171 fprintf(stderr, "%s: cannot getsockname: %d\n", __func__, 1172 errno); 1173 return -errno; 1174 } 1175 1176 if (addr_len != sizeof(local)) { 1177 fprintf(stderr, "%s: wrong address length %d\n", __func__, 1178 addr_len); 1179 return -EINVAL; 1180 } 1181 1182 if (local.nl_family != AF_NETLINK) { 1183 fprintf(stderr, "%s: wrong address family %d\n", __func__, 1184 local.nl_family); 1185 return -EINVAL; 1186 } 1187 1188 return 0; 1189 } 1190 1191 typedef int (*ovpn_parse_reply_cb)(struct nlmsghdr *msg, void *arg); 1192 1193 /* Send Netlink message and run callback on reply (if specified) */ 1194 static int ovpn_rt_send(struct nlmsghdr *payload, pid_t peer, 1195 unsigned int groups, ovpn_parse_reply_cb cb, 1196 void *arg_cb) 1197 { 1198 int len, rem_len, fd, ret, rcv_len; 1199 struct sockaddr_nl nladdr = { 0 }; 1200 struct nlmsgerr *err; 1201 struct nlmsghdr *h; 1202 char buf[1024 * 16]; 1203 struct iovec iov = { 1204 .iov_base = payload, 1205 .iov_len = payload->nlmsg_len, 1206 }; 1207 struct msghdr nlmsg = { 1208 .msg_name = &nladdr, 1209 .msg_namelen = sizeof(nladdr), 1210 .msg_iov = &iov, 1211 .msg_iovlen = 1, 1212 }; 1213 1214 nladdr.nl_family = AF_NETLINK; 1215 nladdr.nl_pid = peer; 1216 nladdr.nl_groups = groups; 1217 1218 payload->nlmsg_seq = time(NULL); 1219 1220 /* no need to send reply */ 1221 if (!cb) 1222 payload->nlmsg_flags |= NLM_F_ACK; 1223 1224 fd = ovpn_rt_socket(); 1225 if (fd < 0) { 1226 fprintf(stderr, "%s: can't open rtnl socket\n", __func__); 1227 return -errno; 1228 } 1229 1230 ret = ovpn_rt_bind(fd, 0); 1231 if (ret < 0) { 1232 fprintf(stderr, "%s: can't bind rtnl socket\n", __func__); 1233 ret = -errno; 1234 goto out; 1235 } 1236 1237 ret = sendmsg(fd, &nlmsg, 0); 1238 if (ret < 0) { 1239 fprintf(stderr, "%s: rtnl: error on sendmsg()\n", __func__); 1240 ret = -errno; 1241 goto out; 1242 } 1243 1244 /* prepare buffer to store RTNL replies */ 1245 memset(buf, 0, sizeof(buf)); 1246 iov.iov_base = buf; 1247 1248 while (1) { 1249 /* 1250 * iov_len is modified by recvmsg(), therefore has to be initialized before 1251 * using it again 1252 */ 1253 iov.iov_len = sizeof(buf); 1254 rcv_len = recvmsg(fd, &nlmsg, 0); 1255 if (rcv_len < 0) { 1256 if (errno == EINTR || errno == EAGAIN) { 1257 fprintf(stderr, "%s: interrupted call\n", 1258 __func__); 1259 continue; 1260 } 1261 fprintf(stderr, "%s: rtnl: error on recvmsg()\n", 1262 __func__); 1263 ret = -errno; 1264 goto out; 1265 } 1266 1267 if (rcv_len == 0) { 1268 fprintf(stderr, 1269 "%s: rtnl: socket reached unexpected EOF\n", 1270 __func__); 1271 ret = -EIO; 1272 goto out; 1273 } 1274 1275 if (nlmsg.msg_namelen != sizeof(nladdr)) { 1276 fprintf(stderr, 1277 "%s: sender address length: %u (expected %zu)\n", 1278 __func__, nlmsg.msg_namelen, sizeof(nladdr)); 1279 ret = -EIO; 1280 goto out; 1281 } 1282 1283 h = (struct nlmsghdr *)buf; 1284 while (rcv_len >= (int)sizeof(*h)) { 1285 len = h->nlmsg_len; 1286 rem_len = len - sizeof(*h); 1287 1288 if (rem_len < 0 || len > rcv_len) { 1289 if (nlmsg.msg_flags & MSG_TRUNC) { 1290 fprintf(stderr, "%s: truncated message\n", 1291 __func__); 1292 ret = -EIO; 1293 goto out; 1294 } 1295 fprintf(stderr, "%s: malformed message: len=%d\n", 1296 __func__, len); 1297 ret = -EIO; 1298 goto out; 1299 } 1300 1301 if (h->nlmsg_type == NLMSG_DONE) { 1302 ret = 0; 1303 goto out; 1304 } 1305 1306 if (h->nlmsg_type == NLMSG_ERROR) { 1307 err = (struct nlmsgerr *)NLMSG_DATA(h); 1308 if (rem_len < (int)sizeof(struct nlmsgerr)) { 1309 fprintf(stderr, "%s: ERROR truncated\n", 1310 __func__); 1311 ret = -EIO; 1312 goto out; 1313 } 1314 1315 if (err->error) { 1316 fprintf(stderr, "%s: (%d) %s\n", 1317 __func__, err->error, 1318 strerror(-err->error)); 1319 ret = err->error; 1320 goto out; 1321 } 1322 1323 ret = 0; 1324 if (cb) { 1325 int r = cb(h, arg_cb); 1326 1327 if (r <= 0) 1328 ret = r; 1329 } 1330 goto out; 1331 } 1332 1333 if (cb) { 1334 int r = cb(h, arg_cb); 1335 1336 if (r <= 0) { 1337 ret = r; 1338 goto out; 1339 } 1340 } else { 1341 fprintf(stderr, "%s: RTNL: unexpected reply\n", 1342 __func__); 1343 } 1344 1345 rcv_len -= NLMSG_ALIGN(len); 1346 h = (struct nlmsghdr *)((uint8_t *)h + 1347 NLMSG_ALIGN(len)); 1348 } 1349 1350 if (nlmsg.msg_flags & MSG_TRUNC) { 1351 fprintf(stderr, "%s: message truncated\n", __func__); 1352 continue; 1353 } 1354 1355 if (rcv_len) { 1356 fprintf(stderr, "%s: rtnl: %d not parsed bytes\n", 1357 __func__, rcv_len); 1358 ret = -1; 1359 goto out; 1360 } 1361 } 1362 out: 1363 close(fd); 1364 1365 return ret; 1366 } 1367 1368 struct ovpn_link_req { 1369 struct nlmsghdr n; 1370 struct ifinfomsg i; 1371 char buf[256]; 1372 }; 1373 1374 static int ovpn_new_iface(struct ovpn_ctx *ovpn) 1375 { 1376 struct rtattr *linkinfo, *data; 1377 struct ovpn_link_req req = { 0 }; 1378 int ret = -1; 1379 1380 fprintf(stdout, "Creating interface %s with mode %u\n", ovpn->ifname, 1381 ovpn->mode); 1382 1383 req.n.nlmsg_len = NLMSG_LENGTH(sizeof(req.i)); 1384 req.n.nlmsg_flags = NLM_F_REQUEST | NLM_F_CREATE | NLM_F_EXCL; 1385 req.n.nlmsg_type = RTM_NEWLINK; 1386 1387 if (ovpn_addattr(&req.n, sizeof(req), IFLA_IFNAME, ovpn->ifname, 1388 strlen(ovpn->ifname) + 1) < 0) 1389 goto err; 1390 1391 linkinfo = ovpn_nest_start(&req.n, sizeof(req), IFLA_LINKINFO); 1392 if (!linkinfo) 1393 goto err; 1394 1395 if (ovpn_addattr(&req.n, sizeof(req), IFLA_INFO_KIND, OVPN_FAMILY_NAME, 1396 strlen(OVPN_FAMILY_NAME) + 1) < 0) 1397 goto err; 1398 1399 if (ovpn->mode_set) { 1400 data = ovpn_nest_start(&req.n, sizeof(req), IFLA_INFO_DATA); 1401 if (!data) 1402 goto err; 1403 1404 if (ovpn_addattr(&req.n, sizeof(req), IFLA_OVPN_MODE, 1405 &ovpn->mode, sizeof(uint8_t)) < 0) 1406 goto err; 1407 1408 ovpn_nest_end(&req.n, data); 1409 } 1410 1411 ovpn_nest_end(&req.n, linkinfo); 1412 1413 req.i.ifi_family = AF_PACKET; 1414 1415 ret = ovpn_rt_send(&req.n, 0, 0, NULL, NULL); 1416 err: 1417 return ret; 1418 } 1419 1420 static int ovpn_del_iface(struct ovpn_ctx *ovpn) 1421 { 1422 struct ovpn_link_req req = { 0 }; 1423 1424 fprintf(stdout, "Deleting interface %s ifindex %u\n", ovpn->ifname, 1425 ovpn->ifindex); 1426 1427 req.n.nlmsg_len = NLMSG_LENGTH(sizeof(req.i)); 1428 req.n.nlmsg_flags = NLM_F_REQUEST; 1429 req.n.nlmsg_type = RTM_DELLINK; 1430 1431 req.i.ifi_family = AF_PACKET; 1432 req.i.ifi_index = ovpn->ifindex; 1433 1434 return ovpn_rt_send(&req.n, 0, 0, NULL, NULL); 1435 } 1436 1437 static int nl_seq_check(struct nl_msg (*msg)__always_unused, 1438 void (*arg)__always_unused) 1439 { 1440 return NL_OK; 1441 } 1442 1443 struct mcast_handler_args { 1444 const char *group; 1445 int id; 1446 }; 1447 1448 static int mcast_family_handler(struct nl_msg *msg, void *arg) 1449 { 1450 struct mcast_handler_args *grp = arg; 1451 struct nlattr *tb[CTRL_ATTR_MAX + 1]; 1452 struct genlmsghdr *gnlh = nlmsg_data(nlmsg_hdr(msg)); 1453 struct nlattr *mcgrp; 1454 int rem_mcgrp; 1455 1456 nla_parse(tb, CTRL_ATTR_MAX, genlmsg_attrdata(gnlh, 0), 1457 genlmsg_attrlen(gnlh, 0), NULL); 1458 1459 if (!tb[CTRL_ATTR_MCAST_GROUPS]) 1460 return NL_SKIP; 1461 1462 nla_for_each_nested(mcgrp, tb[CTRL_ATTR_MCAST_GROUPS], rem_mcgrp) { 1463 struct nlattr *tb_mcgrp[CTRL_ATTR_MCAST_GRP_MAX + 1]; 1464 1465 nla_parse(tb_mcgrp, CTRL_ATTR_MCAST_GRP_MAX, 1466 nla_data(mcgrp), nla_len(mcgrp), NULL); 1467 1468 if (!tb_mcgrp[CTRL_ATTR_MCAST_GRP_NAME] || 1469 !tb_mcgrp[CTRL_ATTR_MCAST_GRP_ID]) 1470 continue; 1471 if (strncmp(nla_data(tb_mcgrp[CTRL_ATTR_MCAST_GRP_NAME]), 1472 grp->group, nla_len(tb_mcgrp[CTRL_ATTR_MCAST_GRP_NAME]))) 1473 continue; 1474 grp->id = nla_get_u32(tb_mcgrp[CTRL_ATTR_MCAST_GRP_ID]); 1475 break; 1476 } 1477 1478 return NL_SKIP; 1479 } 1480 1481 static int mcast_error_handler(struct sockaddr_nl (*nla)__always_unused, 1482 struct nlmsgerr *err, void *arg) 1483 { 1484 int *ret = arg; 1485 1486 *ret = err->error; 1487 return NL_STOP; 1488 } 1489 1490 static int mcast_ack_handler(struct nl_msg (*msg)__always_unused, void *arg) 1491 { 1492 int *ret = arg; 1493 1494 *ret = 0; 1495 return NL_STOP; 1496 } 1497 1498 static int ovpn_handle_msg(struct nl_msg *msg, void *arg) 1499 { 1500 struct genlmsghdr *gnlh = nlmsg_data(nlmsg_hdr(msg)); 1501 struct nlattr *attrs[OVPN_A_MAX + 1]; 1502 struct nlmsghdr *nlh = nlmsg_hdr(msg); 1503 char ifname[IF_NAMESIZE]; 1504 int *ret = arg; 1505 __u32 ifindex; 1506 1507 fprintf(stderr, "received message from ovpn-dco\n"); 1508 1509 *ret = -1; 1510 1511 if (!genlmsg_valid_hdr(nlh, 0)) { 1512 fprintf(stderr, "invalid header\n"); 1513 return NL_STOP; 1514 } 1515 1516 if (nla_parse(attrs, OVPN_A_MAX, genlmsg_attrdata(gnlh, 0), 1517 genlmsg_attrlen(gnlh, 0), NULL)) { 1518 fprintf(stderr, "received bogus data from ovpn-dco\n"); 1519 return NL_STOP; 1520 } 1521 1522 if (!attrs[OVPN_A_IFINDEX]) { 1523 fprintf(stderr, "no ifindex in this message\n"); 1524 return NL_STOP; 1525 } 1526 1527 ifindex = nla_get_u32(attrs[OVPN_A_IFINDEX]); 1528 if (!if_indextoname(ifindex, ifname)) { 1529 fprintf(stderr, "cannot resolve ifname for ifindex: %u\n", 1530 ifindex); 1531 return NL_STOP; 1532 } 1533 1534 switch (gnlh->cmd) { 1535 case OVPN_CMD_PEER_DEL_NTF: 1536 fprintf(stdout, "received CMD_PEER_DEL_NTF\n"); 1537 break; 1538 case OVPN_CMD_PEER_FLOAT_NTF: 1539 fprintf(stdout, "received CMD_PEER_FLOAT_NTF\n"); 1540 break; 1541 case OVPN_CMD_KEY_SWAP_NTF: 1542 fprintf(stdout, "received CMD_KEY_SWAP_NTF\n"); 1543 break; 1544 default: 1545 fprintf(stderr, "received unknown command: %d\n", gnlh->cmd); 1546 return NL_STOP; 1547 } 1548 1549 *ret = 0; 1550 return NL_OK; 1551 } 1552 1553 static int ovpn_get_mcast_id(struct nl_sock *sock, const char *family, 1554 const char *group) 1555 { 1556 struct nl_msg *msg; 1557 struct nl_cb *cb; 1558 int ret, ctrlid; 1559 struct mcast_handler_args grp = { 1560 .group = group, 1561 .id = -ENOENT, 1562 }; 1563 1564 msg = nlmsg_alloc(); 1565 if (!msg) 1566 return -ENOMEM; 1567 1568 cb = nl_cb_alloc(NL_CB_DEFAULT); 1569 if (!cb) { 1570 ret = -ENOMEM; 1571 goto out_fail_cb; 1572 } 1573 1574 ctrlid = genl_ctrl_resolve(sock, "nlctrl"); 1575 1576 genlmsg_put(msg, 0, 0, ctrlid, 0, 0, CTRL_CMD_GETFAMILY, 0); 1577 1578 ret = -ENOBUFS; 1579 NLA_PUT_STRING(msg, CTRL_ATTR_FAMILY_NAME, family); 1580 1581 ret = nl_send_auto_complete(sock, msg); 1582 if (ret < 0) 1583 goto nla_put_failure; 1584 1585 ret = 1; 1586 1587 nl_cb_err(cb, NL_CB_CUSTOM, mcast_error_handler, &ret); 1588 nl_cb_set(cb, NL_CB_ACK, NL_CB_CUSTOM, mcast_ack_handler, &ret); 1589 nl_cb_set(cb, NL_CB_VALID, NL_CB_CUSTOM, mcast_family_handler, &grp); 1590 1591 while (ret > 0) 1592 nl_recvmsgs(sock, cb); 1593 1594 if (ret == 0) 1595 ret = grp.id; 1596 nla_put_failure: 1597 nl_cb_put(cb); 1598 out_fail_cb: 1599 nlmsg_free(msg); 1600 return ret; 1601 } 1602 1603 static int ovpn_listen_mcast(void) 1604 { 1605 struct nl_sock *sock; 1606 struct nl_cb *cb; 1607 int mcid, ret; 1608 1609 sock = nl_socket_alloc(); 1610 if (!sock) { 1611 fprintf(stderr, "cannot allocate netlink socket\n"); 1612 ret = -ENOMEM; 1613 goto err_free; 1614 } 1615 1616 nl_socket_set_buffer_size(sock, 8192, 8192); 1617 1618 ret = genl_connect(sock); 1619 if (ret < 0) { 1620 fprintf(stderr, "cannot connect to generic netlink: %s\n", 1621 nl_geterror(ret)); 1622 goto err_free; 1623 } 1624 1625 mcid = ovpn_get_mcast_id(sock, OVPN_FAMILY_NAME, OVPN_MCGRP_PEERS); 1626 if (mcid < 0) { 1627 fprintf(stderr, "cannot get mcast group: %s\n", 1628 nl_geterror(mcid)); 1629 goto err_free; 1630 } 1631 1632 ret = nl_socket_add_membership(sock, mcid); 1633 if (ret) { 1634 fprintf(stderr, "failed to join mcast group: %d\n", ret); 1635 goto err_free; 1636 } 1637 1638 ret = 1; 1639 cb = nl_cb_alloc(NL_CB_DEFAULT); 1640 nl_cb_set(cb, NL_CB_SEQ_CHECK, NL_CB_CUSTOM, nl_seq_check, NULL); 1641 nl_cb_set(cb, NL_CB_VALID, NL_CB_CUSTOM, ovpn_handle_msg, &ret); 1642 nl_cb_err(cb, NL_CB_CUSTOM, ovpn_nl_cb_error, &ret); 1643 1644 while (ret == 1) { 1645 int err = nl_recvmsgs(sock, cb); 1646 1647 if (err < 0) { 1648 fprintf(stderr, 1649 "cannot receive netlink message: (%d) %s\n", 1650 err, nl_geterror(-err)); 1651 ret = -1; 1652 break; 1653 } 1654 } 1655 1656 nl_cb_put(cb); 1657 err_free: 1658 nl_socket_free(sock); 1659 return ret; 1660 } 1661 1662 static void usage(const char *cmd) 1663 { 1664 fprintf(stderr, 1665 "Usage %s <command> <iface> [arguments..]\n", 1666 cmd); 1667 fprintf(stderr, "where <command> can be one of the following\n\n"); 1668 1669 fprintf(stderr, "* new_iface <iface> [mode]: create new ovpn interface\n"); 1670 fprintf(stderr, "\tiface: ovpn interface name\n"); 1671 fprintf(stderr, "\tmode:\n"); 1672 fprintf(stderr, "\t\t- P2P for peer-to-peer mode (i.e. client)\n"); 1673 fprintf(stderr, "\t\t- MP for multi-peer mode (i.e. server)\n"); 1674 1675 fprintf(stderr, "* del_iface <iface>: delete ovpn interface\n"); 1676 fprintf(stderr, "\tiface: ovpn interface name\n"); 1677 1678 fprintf(stderr, 1679 "* listen <iface> <lport> <id_type> <peers_file> [ipv6]: listen for incoming peer TCP connections\n"); 1680 fprintf(stderr, "\tiface: ovpn interface name\n"); 1681 fprintf(stderr, "\tlport: TCP port to listen to\n"); 1682 fprintf(stderr, "\tid_type:\n"); 1683 fprintf(stderr, 1684 "\t\t- SYMM for ignoring the TX peer ID from the peers_file\n"); 1685 fprintf(stderr, 1686 "\t\t- ASYMM for using the TX peer ID from the peers_file\n"); 1687 fprintf(stderr, 1688 "\tpeers_file: file containing one peer per line: Line format:\n"); 1689 fprintf(stderr, "\t\t<peer_id> <tx_id> <vpnaddr>\n"); 1690 fprintf(stderr, 1691 "\tipv6: whether the socket should listen to the IPv6 wildcard address\n"); 1692 1693 fprintf(stderr, 1694 "* connect <iface> <peer_id> <tx_id> <raddr> <rport> [key_file]: start connecting peer of TCP-based VPN session\n"); 1695 fprintf(stderr, "\tiface: ovpn interface name\n"); 1696 fprintf(stderr, 1697 "\tpeer_id: peer ID found in data packets received from this peer\n"); 1698 fprintf(stderr, 1699 "\ttx_id: peer ID to be used when sending to this peer, 'none' for symmetric peer ID\n"); 1700 fprintf(stderr, "\traddr: peer IP address to connect to\n"); 1701 fprintf(stderr, "\trport: peer TCP port to connect to\n"); 1702 fprintf(stderr, 1703 "\tkey_file: file containing the symmetric key for encryption\n"); 1704 1705 fprintf(stderr, 1706 "* new_peer <iface> <peer_id> <tx_id> <lport> <raddr> <rport> [vpnaddr]: add new peer\n"); 1707 fprintf(stderr, "\tiface: ovpn interface name\n"); 1708 fprintf(stderr, 1709 "\tpeer_id: peer ID found in data packets received from this peer\n"); 1710 fprintf(stderr, 1711 "\ttx_id: peer ID to be used when sending to this peer, 'none' for symmetric peer ID\n"); 1712 fprintf(stderr, "\tlport: local UDP port to bind to\n"); 1713 fprintf(stderr, "\traddr: peer IP address\n"); 1714 fprintf(stderr, "\trport: peer UDP port\n"); 1715 fprintf(stderr, "\tvpnaddr: peer VPN IP\n"); 1716 1717 fprintf(stderr, 1718 "* new_multi_peer <iface> <lport> <id_type> <peers_file> [mark]: add multiple peers as listed in the file\n"); 1719 fprintf(stderr, "\tiface: ovpn interface name\n"); 1720 fprintf(stderr, "\tlport: local UDP port to bind to\n"); 1721 fprintf(stderr, "\tid_type:\n"); 1722 fprintf(stderr, 1723 "\t\t- SYMM for ignoring the TX peer ID from the peers_file\n"); 1724 fprintf(stderr, 1725 "\t\t- ASYMM for using the TX peer ID from the peers_file\n"); 1726 fprintf(stderr, 1727 "\tpeers_file: text file containing one peer per line. Line format:\n"); 1728 fprintf(stderr, 1729 "\t\t<peer_id> <tx_id> <raddr> <rport> <laddr> <lport> <vpnaddr>\n"); 1730 fprintf(stderr, "\tmark: socket FW mark value\n"); 1731 1732 fprintf(stderr, 1733 "* set_peer <iface> <peer_id> <keepalive_interval> <keepalive_timeout>: set peer attributes\n"); 1734 fprintf(stderr, "\tiface: ovpn interface name\n"); 1735 fprintf(stderr, "\tpeer_id: peer ID of the peer to modify\n"); 1736 fprintf(stderr, 1737 "\tkeepalive_interval: interval for sending ping messages\n"); 1738 fprintf(stderr, 1739 "\tkeepalive_timeout: time after which a peer is timed out\n"); 1740 1741 fprintf(stderr, "* del_peer <iface> <peer_id>: delete peer\n"); 1742 fprintf(stderr, "\tiface: ovpn interface name\n"); 1743 fprintf(stderr, "\tpeer_id: peer ID of the peer to delete\n"); 1744 1745 fprintf(stderr, "* get_peer <iface> [peer_id]: retrieve peer(s) status\n"); 1746 fprintf(stderr, "\tiface: ovpn interface name\n"); 1747 fprintf(stderr, 1748 "\tpeer_id: peer ID of the peer to query. All peers are returned if omitted\n"); 1749 1750 fprintf(stderr, 1751 "* new_key <iface> <peer_id> <slot> <key_id> <cipher> <key_dir> <key_file>: set data channel key\n"); 1752 fprintf(stderr, "\tiface: ovpn interface name\n"); 1753 fprintf(stderr, 1754 "\tpeer_id: peer ID of the peer to configure the key for\n"); 1755 fprintf(stderr, "\tslot: either 1 (primary) or 2 (secondary)\n"); 1756 fprintf(stderr, "\tkey_id: an ID from 0 to 7\n"); 1757 fprintf(stderr, 1758 "\tcipher: cipher to use, supported: aes (AES-GCM), chachapoly (CHACHA20POLY1305)\n"); 1759 fprintf(stderr, 1760 "\tkey_dir: key direction, must 0 on one host and 1 on the other\n"); 1761 fprintf(stderr, "\tkey_file: file containing the pre-shared key\n"); 1762 1763 fprintf(stderr, 1764 "* del_key <iface> <peer_id> [slot]: erase existing data channel key\n"); 1765 fprintf(stderr, "\tiface: ovpn interface name\n"); 1766 fprintf(stderr, "\tpeer_id: peer ID of the peer to modify\n"); 1767 fprintf(stderr, "\tslot: slot to erase. PRIMARY if omitted\n"); 1768 1769 fprintf(stderr, 1770 "* get_key <iface> <peer_id> <slot>: retrieve non sensible key data\n"); 1771 fprintf(stderr, "\tiface: ovpn interface name\n"); 1772 fprintf(stderr, "\tpeer_id: peer ID of the peer to query\n"); 1773 fprintf(stderr, "\tslot: either 1 (primary) or 2 (secondary)\n"); 1774 1775 fprintf(stderr, 1776 "* swap_keys <iface> <peer_id>: swap content of primary and secondary key slots\n"); 1777 fprintf(stderr, "\tiface: ovpn interface name\n"); 1778 fprintf(stderr, "\tpeer_id: peer ID of the peer to modify\n"); 1779 1780 fprintf(stderr, 1781 "* listen_mcast: listen to ovpn netlink multicast messages\n"); 1782 } 1783 1784 static int ovpn_parse_remote(struct ovpn_ctx *ovpn, const char *host, 1785 const char *service, const char *vpnip) 1786 { 1787 int ret; 1788 struct addrinfo *result; 1789 struct addrinfo hints = { 1790 .ai_family = ovpn->sa_family, 1791 .ai_socktype = SOCK_DGRAM, 1792 .ai_protocol = IPPROTO_UDP 1793 }; 1794 1795 if (host) { 1796 ret = getaddrinfo(host, service, &hints, &result); 1797 if (ret) { 1798 fprintf(stderr, "getaddrinfo on remote error: %s\n", 1799 gai_strerror(ret)); 1800 return -1; 1801 } 1802 1803 if (!(result->ai_family == AF_INET && 1804 result->ai_addrlen == sizeof(struct sockaddr_in)) && 1805 !(result->ai_family == AF_INET6 && 1806 result->ai_addrlen == sizeof(struct sockaddr_in6))) { 1807 ret = -EINVAL; 1808 goto out; 1809 } 1810 1811 memcpy(&ovpn->remote, result->ai_addr, result->ai_addrlen); 1812 } 1813 1814 if (vpnip) { 1815 ret = getaddrinfo(vpnip, NULL, &hints, &result); 1816 if (ret) { 1817 fprintf(stderr, "getaddrinfo on vpnip error: %s\n", 1818 gai_strerror(ret)); 1819 return -1; 1820 } 1821 1822 if (!(result->ai_family == AF_INET && 1823 result->ai_addrlen == sizeof(struct sockaddr_in)) && 1824 !(result->ai_family == AF_INET6 && 1825 result->ai_addrlen == sizeof(struct sockaddr_in6))) { 1826 ret = -EINVAL; 1827 goto out; 1828 } 1829 1830 memcpy(&ovpn->peer_ip, result->ai_addr, result->ai_addrlen); 1831 ovpn->sa_family = result->ai_family; 1832 1833 ovpn->peer_ip_set = true; 1834 } 1835 1836 ret = 0; 1837 out: 1838 freeaddrinfo(result); 1839 return ret; 1840 } 1841 1842 static int ovpn_parse_new_peer(struct ovpn_ctx *ovpn, const char *peer_id, 1843 const char *tx_id, const char *raddr, 1844 const char *rport, const char *vpnip) 1845 { 1846 ovpn->peer_id = strtoul(peer_id, NULL, 10); 1847 if (errno == ERANGE || ovpn->peer_id > PEER_ID_UNDEF) { 1848 fprintf(stderr, "rx peer ID value out of range\n"); 1849 return -1; 1850 } 1851 1852 if (ovpn->asymm_id) { 1853 ovpn->tx_id = strtoul(tx_id, NULL, 10); 1854 if (errno == ERANGE || ovpn->tx_id > PEER_ID_UNDEF) { 1855 fprintf(stderr, "tx peer ID value out of range\n"); 1856 return -1; 1857 } 1858 } 1859 1860 return ovpn_parse_remote(ovpn, raddr, rport, vpnip); 1861 } 1862 1863 static int ovpn_parse_key_slot(const char *arg, struct ovpn_ctx *ovpn) 1864 { 1865 int slot = strtoul(arg, NULL, 10); 1866 1867 if (errno == ERANGE || slot < 1 || slot > 2) { 1868 fprintf(stderr, "key slot out of range\n"); 1869 return -1; 1870 } 1871 1872 switch (slot) { 1873 case 1: 1874 ovpn->key_slot = OVPN_KEY_SLOT_PRIMARY; 1875 break; 1876 case 2: 1877 ovpn->key_slot = OVPN_KEY_SLOT_SECONDARY; 1878 break; 1879 } 1880 1881 return 0; 1882 } 1883 1884 static int ovpn_send_tcp_data(int socket) 1885 { 1886 uint16_t len = htons(1000); 1887 uint8_t buf[1002]; 1888 int ret; 1889 1890 memcpy(buf, &len, sizeof(len)); 1891 memset(buf + sizeof(len), 0x86, sizeof(buf) - sizeof(len)); 1892 1893 ret = send(socket, buf, sizeof(buf), MSG_NOSIGNAL); 1894 1895 fprintf(stdout, "Sent %u bytes over TCP socket\n", ret); 1896 1897 return ret > 0 ? 0 : ret; 1898 } 1899 1900 static int ovpn_recv_tcp_data(int socket) 1901 { 1902 uint8_t buf[1002]; 1903 uint16_t len; 1904 int ret; 1905 1906 ret = recv(socket, buf, sizeof(buf), MSG_NOSIGNAL); 1907 1908 if (ret < 2) { 1909 fprintf(stderr, ">>>> Error while reading TCP data: %d\n", ret); 1910 return ret; 1911 } 1912 1913 memcpy(&len, buf, sizeof(len)); 1914 len = ntohs(len); 1915 1916 fprintf(stdout, ">>>> Received %u bytes over TCP socket, header: %u\n", 1917 ret, len); 1918 1919 return 0; 1920 } 1921 1922 static enum ovpn_cmd ovpn_parse_cmd(const char *cmd) 1923 { 1924 if (!strcmp(cmd, "new_iface")) 1925 return CMD_NEW_IFACE; 1926 1927 if (!strcmp(cmd, "del_iface")) 1928 return CMD_DEL_IFACE; 1929 1930 if (!strcmp(cmd, "listen")) 1931 return CMD_LISTEN; 1932 1933 if (!strcmp(cmd, "connect")) 1934 return CMD_CONNECT; 1935 1936 if (!strcmp(cmd, "new_peer")) 1937 return CMD_NEW_PEER; 1938 1939 if (!strcmp(cmd, "new_multi_peer")) 1940 return CMD_NEW_MULTI_PEER; 1941 1942 if (!strcmp(cmd, "set_peer")) 1943 return CMD_SET_PEER; 1944 1945 if (!strcmp(cmd, "del_peer")) 1946 return CMD_DEL_PEER; 1947 1948 if (!strcmp(cmd, "get_peer")) 1949 return CMD_GET_PEER; 1950 1951 if (!strcmp(cmd, "new_key")) 1952 return CMD_NEW_KEY; 1953 1954 if (!strcmp(cmd, "del_key")) 1955 return CMD_DEL_KEY; 1956 1957 if (!strcmp(cmd, "get_key")) 1958 return CMD_GET_KEY; 1959 1960 if (!strcmp(cmd, "swap_keys")) 1961 return CMD_SWAP_KEYS; 1962 1963 if (!strcmp(cmd, "listen_mcast")) 1964 return CMD_LISTEN_MCAST; 1965 1966 return CMD_INVALID; 1967 } 1968 1969 /* Send process to background and waits for signal. 1970 * 1971 * This helper is called at the end of commands 1972 * creating sockets, so that the latter stay alive 1973 * along with the process that created them. 1974 * 1975 * A signal is expected to be delivered in order to 1976 * terminate the waiting processes 1977 */ 1978 static void ovpn_waitbg(void) 1979 { 1980 daemon(1, 1); 1981 pause(); 1982 } 1983 1984 static int ovpn_run_cmd(struct ovpn_ctx *ovpn) 1985 { 1986 char peer_id[10], tx_id[10], vpnip[INET6_ADDRSTRLEN], laddr[128]; 1987 char lport[10], raddr[128], rport[10]; 1988 int n, ret; 1989 FILE *fp; 1990 1991 switch (ovpn->cmd) { 1992 case CMD_NEW_IFACE: 1993 ret = ovpn_new_iface(ovpn); 1994 break; 1995 case CMD_DEL_IFACE: 1996 ret = ovpn_del_iface(ovpn); 1997 break; 1998 case CMD_LISTEN: 1999 ret = ovpn_listen(ovpn, ovpn->sa_family); 2000 if (ret < 0) { 2001 fprintf(stderr, "cannot listen on TCP socket\n"); 2002 return ret; 2003 } 2004 2005 fp = fopen(ovpn->peers_file, "r"); 2006 if (!fp) { 2007 fprintf(stderr, "cannot open file: %s\n", 2008 ovpn->peers_file); 2009 return -1; 2010 } 2011 2012 int num_peers = 0; 2013 2014 while ((n = fscanf(fp, "%s %s %s\n", peer_id, tx_id, 2015 vpnip)) == 3) { 2016 struct ovpn_ctx peer_ctx = { 0 }; 2017 2018 if (num_peers == MAX_PEERS) { 2019 fprintf(stderr, "max peers reached!\n"); 2020 return -E2BIG; 2021 } 2022 2023 peer_ctx.ifindex = ovpn->ifindex; 2024 peer_ctx.sa_family = ovpn->sa_family; 2025 peer_ctx.asymm_id = ovpn->asymm_id; 2026 2027 peer_ctx.socket = ovpn_accept(ovpn); 2028 if (peer_ctx.socket < 0) { 2029 fprintf(stderr, "cannot accept connection!\n"); 2030 return -1; 2031 } 2032 2033 /* store peer sockets to test TCP I/O */ 2034 ovpn->cli_sockets[num_peers] = peer_ctx.socket; 2035 2036 ret = ovpn_parse_new_peer(&peer_ctx, peer_id, tx_id, 2037 NULL, NULL, vpnip); 2038 if (ret < 0) { 2039 fprintf(stderr, "error while parsing line\n"); 2040 return -1; 2041 } 2042 2043 ret = ovpn_new_peer(&peer_ctx, true); 2044 if (ret < 0) { 2045 fprintf(stderr, 2046 "cannot add peer to VPN: %s %s\n", 2047 peer_id, vpnip); 2048 return ret; 2049 } 2050 num_peers++; 2051 } 2052 2053 for (int i = 0; i < num_peers; i++) { 2054 ret = ovpn_recv_tcp_data(ovpn->cli_sockets[i]); 2055 if (ret < 0) 2056 break; 2057 } 2058 ovpn_waitbg(); 2059 break; 2060 case CMD_CONNECT: 2061 ret = ovpn_connect(ovpn); 2062 if (ret < 0) { 2063 fprintf(stderr, "cannot connect TCP socket\n"); 2064 return ret; 2065 } 2066 2067 ret = ovpn_new_peer(ovpn, true); 2068 if (ret < 0) { 2069 fprintf(stderr, "cannot add peer to VPN\n"); 2070 close(ovpn->socket); 2071 return ret; 2072 } 2073 2074 if (ovpn->cipher != OVPN_CIPHER_ALG_NONE) { 2075 ret = ovpn_new_key(ovpn); 2076 if (ret < 0) { 2077 fprintf(stderr, "cannot set key\n"); 2078 return ret; 2079 } 2080 } 2081 2082 ret = ovpn_send_tcp_data(ovpn->socket); 2083 ovpn_waitbg(); 2084 break; 2085 case CMD_NEW_PEER: 2086 ret = ovpn_udp_socket(ovpn, AF_INET6); 2087 if (ret < 0) 2088 return ret; 2089 2090 ret = ovpn_new_peer(ovpn, false); 2091 ovpn_waitbg(); 2092 break; 2093 case CMD_NEW_MULTI_PEER: 2094 ret = ovpn_udp_socket(ovpn, AF_INET6); 2095 if (ret < 0) 2096 return ret; 2097 2098 fp = fopen(ovpn->peers_file, "r"); 2099 if (!fp) { 2100 fprintf(stderr, "cannot open file: %s\n", 2101 ovpn->peers_file); 2102 return -1; 2103 } 2104 2105 while ((n = fscanf(fp, "%s %s %s %s %s %s %s\n", peer_id, tx_id, 2106 laddr, lport, raddr, rport, vpnip)) == 7) { 2107 struct ovpn_ctx peer_ctx = { 0 }; 2108 2109 peer_ctx.ifindex = ovpn->ifindex; 2110 peer_ctx.socket = ovpn->socket; 2111 peer_ctx.sa_family = AF_UNSPEC; 2112 peer_ctx.asymm_id = ovpn->asymm_id; 2113 2114 ret = ovpn_parse_new_peer(&peer_ctx, peer_id, tx_id, 2115 raddr, rport, vpnip); 2116 if (ret < 0) { 2117 fprintf(stderr, "error while parsing line\n"); 2118 return -1; 2119 } 2120 2121 ret = ovpn_new_peer(&peer_ctx, false); 2122 if (ret < 0) { 2123 fprintf(stderr, 2124 "cannot add peer to VPN: %s %s %s %s\n", 2125 peer_id, raddr, rport, vpnip); 2126 return ret; 2127 } 2128 } 2129 ovpn_waitbg(); 2130 break; 2131 case CMD_SET_PEER: 2132 ret = ovpn_set_peer(ovpn); 2133 break; 2134 case CMD_DEL_PEER: 2135 ret = ovpn_del_peer(ovpn); 2136 break; 2137 case CMD_GET_PEER: 2138 if (ovpn->peer_id == PEER_ID_UNDEF) 2139 fprintf(stderr, "List of peers connected to: %s\n", 2140 ovpn->ifname); 2141 2142 ret = ovpn_get_peer(ovpn); 2143 break; 2144 case CMD_NEW_KEY: 2145 ret = ovpn_new_key(ovpn); 2146 break; 2147 case CMD_DEL_KEY: 2148 ret = ovpn_del_key(ovpn); 2149 break; 2150 case CMD_GET_KEY: 2151 ret = ovpn_get_key(ovpn); 2152 break; 2153 case CMD_SWAP_KEYS: 2154 ret = ovpn_swap_keys(ovpn); 2155 break; 2156 case CMD_LISTEN_MCAST: 2157 ret = ovpn_listen_mcast(); 2158 break; 2159 case CMD_INVALID: 2160 ret = -EINVAL; 2161 break; 2162 } 2163 2164 return ret; 2165 } 2166 2167 static int ovpn_parse_cmd_args(struct ovpn_ctx *ovpn, int argc, char *argv[]) 2168 { 2169 int ret; 2170 2171 /* no args required for LISTEN_MCAST */ 2172 if (ovpn->cmd == CMD_LISTEN_MCAST) 2173 return 0; 2174 2175 /* all commands need an ifname */ 2176 if (argc < 3) 2177 return -EINVAL; 2178 2179 strscpy(ovpn->ifname, argv[2], IFNAMSIZ - 1); 2180 ovpn->ifname[IFNAMSIZ - 1] = '\0'; 2181 2182 /* all commands, except NEW_IFNAME, needs an ifindex */ 2183 if (ovpn->cmd != CMD_NEW_IFACE) { 2184 ovpn->ifindex = if_nametoindex(ovpn->ifname); 2185 if (!ovpn->ifindex) { 2186 fprintf(stderr, "cannot find interface: %s\n", 2187 strerror(errno)); 2188 return -1; 2189 } 2190 } 2191 2192 switch (ovpn->cmd) { 2193 case CMD_NEW_IFACE: 2194 if (argc < 4) 2195 break; 2196 2197 if (!strcmp(argv[3], "P2P")) { 2198 ovpn->mode = OVPN_MODE_P2P; 2199 } else if (!strcmp(argv[3], "MP")) { 2200 ovpn->mode = OVPN_MODE_MP; 2201 } else { 2202 fprintf(stderr, "Cannot parse iface mode: %s\n", 2203 argv[3]); 2204 return -1; 2205 } 2206 ovpn->mode_set = true; 2207 break; 2208 case CMD_DEL_IFACE: 2209 break; 2210 case CMD_LISTEN: 2211 if (argc < 6) 2212 return -EINVAL; 2213 2214 ovpn->lport = strtoul(argv[3], NULL, 10); 2215 if (errno == ERANGE || ovpn->lport > 65535) { 2216 fprintf(stderr, "lport value out of range\n"); 2217 return -1; 2218 } 2219 2220 if (strcmp(argv[4], "SYMM") == 0) { 2221 ovpn->asymm_id = false; 2222 } else if (strcmp(argv[4], "ASYMM") == 0) { 2223 ovpn->asymm_id = true; 2224 } else { 2225 fprintf(stderr, "Cannot parse id type: %s\n", argv[4]); 2226 return -1; 2227 } 2228 2229 ovpn->peers_file = argv[5]; 2230 2231 ovpn->sa_family = AF_INET; 2232 if (argc > 6 && !strcmp(argv[6], "ipv6")) 2233 ovpn->sa_family = AF_INET6; 2234 break; 2235 case CMD_CONNECT: 2236 if (argc < 7) 2237 return -EINVAL; 2238 2239 ovpn->sa_family = AF_INET; 2240 ovpn->asymm_id = strcmp(argv[4], "none"); 2241 2242 ret = ovpn_parse_new_peer(ovpn, argv[3], argv[4], argv[5], 2243 argv[6], NULL); 2244 if (ret < 0) { 2245 fprintf(stderr, "Cannot parse remote peer data\n"); 2246 return -1; 2247 } 2248 2249 if (argc > 7) { 2250 ovpn->key_slot = OVPN_KEY_SLOT_PRIMARY; 2251 ovpn->key_id = 0; 2252 ovpn->cipher = OVPN_CIPHER_ALG_AES_GCM; 2253 ovpn->key_dir = KEY_DIR_OUT; 2254 2255 ret = ovpn_parse_key(argv[7], ovpn); 2256 if (ret) 2257 return -1; 2258 } 2259 break; 2260 case CMD_NEW_PEER: 2261 if (argc < 8) 2262 return -EINVAL; 2263 2264 ovpn->asymm_id = strcmp(argv[4], "none"); 2265 2266 ovpn->lport = strtoul(argv[5], NULL, 10); 2267 if (errno == ERANGE || ovpn->lport > 65535) { 2268 fprintf(stderr, "lport value out of range\n"); 2269 return -1; 2270 } 2271 2272 const char *vpnip = (argc > 8) ? argv[8] : NULL; 2273 2274 ret = ovpn_parse_new_peer(ovpn, argv[3], argv[4], argv[6], 2275 argv[7], vpnip); 2276 if (ret < 0) 2277 return -1; 2278 break; 2279 case CMD_NEW_MULTI_PEER: 2280 if (argc < 6) 2281 return -EINVAL; 2282 2283 ovpn->lport = strtoul(argv[3], NULL, 10); 2284 if (errno == ERANGE || ovpn->lport > 65535) { 2285 fprintf(stderr, "lport value out of range\n"); 2286 return -1; 2287 } 2288 2289 if (!strcmp(argv[4], "SYMM")) { 2290 ovpn->asymm_id = false; 2291 } else if (!strcmp(argv[4], "ASYMM")) { 2292 ovpn->asymm_id = true; 2293 } else { 2294 fprintf(stderr, "Cannot parse id type: %s\n", argv[4]); 2295 return -1; 2296 } 2297 2298 ovpn->peers_file = argv[5]; 2299 2300 ovpn->mark = 0; 2301 if (argc > 6) { 2302 ovpn->mark = strtoul(argv[6], NULL, 10); 2303 if (errno == ERANGE || ovpn->mark > UINT32_MAX) { 2304 fprintf(stderr, "mark value out of range\n"); 2305 return -1; 2306 } 2307 } 2308 break; 2309 case CMD_SET_PEER: 2310 if (argc < 6) 2311 return -EINVAL; 2312 2313 ovpn->peer_id = strtoul(argv[3], NULL, 10); 2314 if (errno == ERANGE || ovpn->peer_id > PEER_ID_UNDEF) { 2315 fprintf(stderr, "peer ID value out of range\n"); 2316 return -1; 2317 } 2318 2319 ovpn->keepalive_interval = strtoul(argv[4], NULL, 10); 2320 if (errno == ERANGE) { 2321 fprintf(stderr, 2322 "keepalive interval value out of range\n"); 2323 return -1; 2324 } 2325 2326 ovpn->keepalive_timeout = strtoul(argv[5], NULL, 10); 2327 if (errno == ERANGE) { 2328 fprintf(stderr, 2329 "keepalive interval value out of range\n"); 2330 return -1; 2331 } 2332 break; 2333 case CMD_DEL_PEER: 2334 if (argc < 4) 2335 return -EINVAL; 2336 2337 ovpn->peer_id = strtoul(argv[3], NULL, 10); 2338 if (errno == ERANGE || ovpn->peer_id > PEER_ID_UNDEF) { 2339 fprintf(stderr, "peer ID value out of range\n"); 2340 return -1; 2341 } 2342 break; 2343 case CMD_GET_PEER: 2344 ovpn->peer_id = PEER_ID_UNDEF; 2345 if (argc > 3) { 2346 ovpn->peer_id = strtoul(argv[3], NULL, 10); 2347 if (errno == ERANGE || ovpn->peer_id > PEER_ID_UNDEF) { 2348 fprintf(stderr, "peer ID value out of range\n"); 2349 return -1; 2350 } 2351 } 2352 break; 2353 case CMD_NEW_KEY: 2354 if (argc < 9) 2355 return -EINVAL; 2356 2357 ovpn->peer_id = strtoul(argv[3], NULL, 10); 2358 if (errno == ERANGE) { 2359 fprintf(stderr, "peer ID value out of range\n"); 2360 return -1; 2361 } 2362 2363 ret = ovpn_parse_key_slot(argv[4], ovpn); 2364 if (ret) 2365 return -1; 2366 2367 ovpn->key_id = strtoul(argv[5], NULL, 10); 2368 if (errno == ERANGE || ovpn->key_id > 2) { 2369 fprintf(stderr, "key ID out of range\n"); 2370 return -1; 2371 } 2372 2373 ret = ovpn_parse_cipher(argv[6], ovpn); 2374 if (ret < 0) 2375 return -1; 2376 2377 ret = ovpn_parse_key_direction(argv[7], ovpn); 2378 if (ret < 0) 2379 return -1; 2380 2381 ret = ovpn_parse_key(argv[8], ovpn); 2382 if (ret) 2383 return -1; 2384 break; 2385 case CMD_DEL_KEY: 2386 if (argc < 4) 2387 return -EINVAL; 2388 2389 ovpn->peer_id = strtoul(argv[3], NULL, 10); 2390 if (errno == ERANGE) { 2391 fprintf(stderr, "peer ID value out of range\n"); 2392 return -1; 2393 } 2394 2395 ret = ovpn_parse_key_slot(argv[4], ovpn); 2396 if (ret) 2397 return ret; 2398 break; 2399 case CMD_GET_KEY: 2400 if (argc < 5) 2401 return -EINVAL; 2402 2403 ovpn->peer_id = strtoul(argv[3], NULL, 10); 2404 if (errno == ERANGE) { 2405 fprintf(stderr, "peer ID value out of range\n"); 2406 return -1; 2407 } 2408 2409 ret = ovpn_parse_key_slot(argv[4], ovpn); 2410 if (ret) 2411 return ret; 2412 break; 2413 case CMD_SWAP_KEYS: 2414 if (argc < 4) 2415 return -EINVAL; 2416 2417 ovpn->peer_id = strtoul(argv[3], NULL, 10); 2418 if (errno == ERANGE) { 2419 fprintf(stderr, "peer ID value out of range\n"); 2420 return -1; 2421 } 2422 break; 2423 case CMD_LISTEN_MCAST: 2424 break; 2425 case CMD_INVALID: 2426 break; 2427 } 2428 2429 return 0; 2430 } 2431 2432 int main(int argc, char *argv[]) 2433 { 2434 struct ovpn_ctx ovpn; 2435 int ret; 2436 2437 if (argc < 2) { 2438 usage(argv[0]); 2439 return -1; 2440 } 2441 2442 memset(&ovpn, 0, sizeof(ovpn)); 2443 ovpn.sa_family = AF_UNSPEC; 2444 ovpn.cipher = OVPN_CIPHER_ALG_NONE; 2445 2446 ovpn.cmd = ovpn_parse_cmd(argv[1]); 2447 if (ovpn.cmd == CMD_INVALID) { 2448 fprintf(stderr, "Error: unknown command.\n\n"); 2449 usage(argv[0]); 2450 return -1; 2451 } 2452 2453 ret = ovpn_parse_cmd_args(&ovpn, argc, argv); 2454 if (ret < 0) { 2455 fprintf(stderr, "Error: invalid arguments.\n\n"); 2456 if (ret == -EINVAL) 2457 usage(argv[0]); 2458 return ret; 2459 } 2460 2461 ret = ovpn_run_cmd(&ovpn); 2462 if (ret) 2463 fprintf(stderr, "Cannot execute command: %s (%d)\n", 2464 strerror(-ret), ret); 2465 2466 return ret; 2467 } 2468