1 // SPDX-License-Identifier: GPL-2.0
2 /* OpenVPN data channel offload
3 *
4 * Copyright (C) 2020-2025 OpenVPN, Inc.
5 *
6 * Author: Antonio Quartulli <antonio@openvpn.net>
7 */
8
9 #include <linux/netdevice.h>
10 #include <linux/types.h>
11 #include <net/genetlink.h>
12
13 #include <uapi/linux/ovpn.h>
14
15 #include "ovpnpriv.h"
16 #include "main.h"
17 #include "netlink.h"
18 #include "netlink-gen.h"
19 #include "bind.h"
20 #include "crypto.h"
21 #include "peer.h"
22 #include "socket.h"
23
24 MODULE_ALIAS_GENL_FAMILY(OVPN_FAMILY_NAME);
25
26 /**
27 * ovpn_get_dev_from_attrs - retrieve the ovpn private data from the netdevice
28 * a netlink message is targeting
29 * @net: network namespace where to look for the interface
30 * @info: generic netlink info from the user request
31 * @tracker: tracker object to be used for the netdev reference acquisition
32 *
33 * Return: the ovpn private data, if found, or an error otherwise
34 */
35 static struct ovpn_priv *
ovpn_get_dev_from_attrs(struct net * net,const struct genl_info * info,netdevice_tracker * tracker)36 ovpn_get_dev_from_attrs(struct net *net, const struct genl_info *info,
37 netdevice_tracker *tracker)
38 {
39 struct ovpn_priv *ovpn;
40 struct net_device *dev;
41 int ifindex;
42
43 if (GENL_REQ_ATTR_CHECK(info, OVPN_A_IFINDEX))
44 return ERR_PTR(-EINVAL);
45
46 ifindex = nla_get_u32(info->attrs[OVPN_A_IFINDEX]);
47
48 rcu_read_lock();
49 dev = dev_get_by_index_rcu(net, ifindex);
50 if (!dev) {
51 rcu_read_unlock();
52 NL_SET_ERR_MSG_MOD(info->extack,
53 "ifindex does not match any interface");
54 return ERR_PTR(-ENODEV);
55 }
56
57 if (!ovpn_dev_is_valid(dev)) {
58 rcu_read_unlock();
59 NL_SET_ERR_MSG_MOD(info->extack,
60 "specified interface is not ovpn");
61 NL_SET_BAD_ATTR(info->extack, info->attrs[OVPN_A_IFINDEX]);
62 return ERR_PTR(-EINVAL);
63 }
64
65 ovpn = netdev_priv(dev);
66 netdev_hold(dev, tracker, GFP_ATOMIC);
67 rcu_read_unlock();
68
69 return ovpn;
70 }
71
ovpn_nl_pre_doit(const struct genl_split_ops * ops,struct sk_buff * skb,struct genl_info * info)72 int ovpn_nl_pre_doit(const struct genl_split_ops *ops, struct sk_buff *skb,
73 struct genl_info *info)
74 {
75 netdevice_tracker *tracker = (netdevice_tracker *)&info->user_ptr[1];
76 struct ovpn_priv *ovpn = ovpn_get_dev_from_attrs(genl_info_net(info),
77 info, tracker);
78
79 if (IS_ERR(ovpn))
80 return PTR_ERR(ovpn);
81
82 info->user_ptr[0] = ovpn;
83
84 return 0;
85 }
86
ovpn_nl_post_doit(const struct genl_split_ops * ops,struct sk_buff * skb,struct genl_info * info)87 void ovpn_nl_post_doit(const struct genl_split_ops *ops, struct sk_buff *skb,
88 struct genl_info *info)
89 {
90 netdevice_tracker *tracker = (netdevice_tracker *)&info->user_ptr[1];
91 struct ovpn_priv *ovpn = info->user_ptr[0];
92
93 if (ovpn)
94 netdev_put(ovpn->dev, tracker);
95 }
96
ovpn_nl_attr_sockaddr_remote(struct nlattr ** attrs,struct sockaddr_storage * ss)97 static bool ovpn_nl_attr_sockaddr_remote(struct nlattr **attrs,
98 struct sockaddr_storage *ss)
99 {
100 struct sockaddr_in6 *sin6;
101 struct sockaddr_in *sin;
102 struct in6_addr *in6;
103 __be16 port = 0;
104 __be32 *in;
105
106 ss->ss_family = AF_UNSPEC;
107
108 if (attrs[OVPN_A_PEER_REMOTE_PORT])
109 port = nla_get_be16(attrs[OVPN_A_PEER_REMOTE_PORT]);
110
111 if (attrs[OVPN_A_PEER_REMOTE_IPV4]) {
112 ss->ss_family = AF_INET;
113 in = nla_data(attrs[OVPN_A_PEER_REMOTE_IPV4]);
114 } else if (attrs[OVPN_A_PEER_REMOTE_IPV6]) {
115 ss->ss_family = AF_INET6;
116 in6 = nla_data(attrs[OVPN_A_PEER_REMOTE_IPV6]);
117 } else {
118 return false;
119 }
120
121 switch (ss->ss_family) {
122 case AF_INET6:
123 /* If this is a regular IPv6 just break and move on,
124 * otherwise switch to AF_INET and extract the IPv4 accordingly
125 */
126 if (!ipv6_addr_v4mapped(in6)) {
127 sin6 = (struct sockaddr_in6 *)ss;
128 sin6->sin6_port = port;
129 memcpy(&sin6->sin6_addr, in6, sizeof(*in6));
130 break;
131 }
132
133 /* v4-mapped-v6 address */
134 ss->ss_family = AF_INET;
135 in = &in6->s6_addr32[3];
136 fallthrough;
137 case AF_INET:
138 sin = (struct sockaddr_in *)ss;
139 sin->sin_port = port;
140 sin->sin_addr.s_addr = *in;
141 break;
142 }
143
144 return true;
145 }
146
ovpn_nl_attr_local_ip(struct nlattr ** attrs)147 static u8 *ovpn_nl_attr_local_ip(struct nlattr **attrs)
148 {
149 u8 *addr6;
150
151 if (!attrs[OVPN_A_PEER_LOCAL_IPV4] && !attrs[OVPN_A_PEER_LOCAL_IPV6])
152 return NULL;
153
154 if (attrs[OVPN_A_PEER_LOCAL_IPV4])
155 return nla_data(attrs[OVPN_A_PEER_LOCAL_IPV4]);
156
157 addr6 = nla_data(attrs[OVPN_A_PEER_LOCAL_IPV6]);
158 /* this is an IPv4-mapped IPv6 address, therefore extract the actual
159 * v4 address from the last 4 bytes
160 */
161 if (ipv6_addr_v4mapped((struct in6_addr *)addr6))
162 return addr6 + 12;
163
164 return addr6;
165 }
166
ovpn_nl_family_get(struct nlattr * addr4,struct nlattr * addr6)167 static sa_family_t ovpn_nl_family_get(struct nlattr *addr4,
168 struct nlattr *addr6)
169 {
170 if (addr4)
171 return AF_INET;
172
173 if (addr6) {
174 if (ipv6_addr_v4mapped((struct in6_addr *)nla_data(addr6)))
175 return AF_INET;
176 return AF_INET6;
177 }
178
179 return AF_UNSPEC;
180 }
181
ovpn_nl_peer_precheck(struct ovpn_priv * ovpn,struct genl_info * info,struct nlattr ** attrs)182 static int ovpn_nl_peer_precheck(struct ovpn_priv *ovpn,
183 struct genl_info *info,
184 struct nlattr **attrs)
185 {
186 sa_family_t local_fam, remote_fam;
187
188 if (NL_REQ_ATTR_CHECK(info->extack, info->attrs[OVPN_A_PEER], attrs,
189 OVPN_A_PEER_ID))
190 return -EINVAL;
191
192 if (attrs[OVPN_A_PEER_REMOTE_IPV4] && attrs[OVPN_A_PEER_REMOTE_IPV6]) {
193 NL_SET_ERR_MSG_MOD(info->extack,
194 "cannot specify both remote IPv4 or IPv6 address");
195 return -EINVAL;
196 }
197
198 if (!attrs[OVPN_A_PEER_REMOTE_IPV4] &&
199 !attrs[OVPN_A_PEER_REMOTE_IPV6] && attrs[OVPN_A_PEER_REMOTE_PORT]) {
200 NL_SET_ERR_MSG_MOD(info->extack,
201 "cannot specify remote port without IP address");
202 return -EINVAL;
203 }
204
205 if ((attrs[OVPN_A_PEER_REMOTE_IPV4] ||
206 attrs[OVPN_A_PEER_REMOTE_IPV6]) &&
207 !attrs[OVPN_A_PEER_REMOTE_PORT]) {
208 NL_SET_ERR_MSG_MOD(info->extack,
209 "cannot specify remote IP address without port");
210 return -EINVAL;
211 }
212
213 if (!attrs[OVPN_A_PEER_REMOTE_IPV4] &&
214 attrs[OVPN_A_PEER_LOCAL_IPV4]) {
215 NL_SET_ERR_MSG_MOD(info->extack,
216 "cannot specify local IPv4 address without remote");
217 return -EINVAL;
218 }
219
220 if (!attrs[OVPN_A_PEER_REMOTE_IPV6] &&
221 attrs[OVPN_A_PEER_LOCAL_IPV6]) {
222 NL_SET_ERR_MSG_MOD(info->extack,
223 "cannot specify local IPV6 address without remote");
224 return -EINVAL;
225 }
226
227 /* check that local and remote address families are the same even
228 * after parsing v4mapped IPv6 addresses.
229 * (if addresses are not provided, family will be AF_UNSPEC and
230 * the check is skipped)
231 */
232 local_fam = ovpn_nl_family_get(attrs[OVPN_A_PEER_LOCAL_IPV4],
233 attrs[OVPN_A_PEER_LOCAL_IPV6]);
234 remote_fam = ovpn_nl_family_get(attrs[OVPN_A_PEER_REMOTE_IPV4],
235 attrs[OVPN_A_PEER_REMOTE_IPV6]);
236 if (local_fam != AF_UNSPEC && remote_fam != AF_UNSPEC &&
237 local_fam != remote_fam) {
238 NL_SET_ERR_MSG_MOD(info->extack,
239 "mismatching local and remote address families");
240 return -EINVAL;
241 }
242
243 if (remote_fam != AF_INET6 && attrs[OVPN_A_PEER_REMOTE_IPV6_SCOPE_ID]) {
244 NL_SET_ERR_MSG_MOD(info->extack,
245 "cannot specify scope id without remote IPv6 address");
246 return -EINVAL;
247 }
248
249 /* VPN IPs are needed only in MP mode for selecting the right peer */
250 if (ovpn->mode == OVPN_MODE_P2P && (attrs[OVPN_A_PEER_VPN_IPV4] ||
251 attrs[OVPN_A_PEER_VPN_IPV6])) {
252 NL_SET_ERR_MSG_FMT_MOD(info->extack,
253 "unexpected VPN IP in P2P mode");
254 return -EINVAL;
255 }
256
257 if ((attrs[OVPN_A_PEER_KEEPALIVE_INTERVAL] &&
258 !attrs[OVPN_A_PEER_KEEPALIVE_TIMEOUT]) ||
259 (!attrs[OVPN_A_PEER_KEEPALIVE_INTERVAL] &&
260 attrs[OVPN_A_PEER_KEEPALIVE_TIMEOUT])) {
261 NL_SET_ERR_MSG_FMT_MOD(info->extack,
262 "keepalive interval and timeout are required together");
263 return -EINVAL;
264 }
265
266 return 0;
267 }
268
269 /**
270 * ovpn_nl_peer_modify - modify the peer attributes according to the incoming msg
271 * @peer: the peer to modify
272 * @info: generic netlink info from the user request
273 * @attrs: the attributes from the user request
274 *
275 * Return: a negative error code in case of failure, 0 on success or 1 on
276 * success and the VPN IPs have been modified (requires rehashing in MP
277 * mode)
278 */
ovpn_nl_peer_modify(struct ovpn_peer * peer,struct genl_info * info,struct nlattr ** attrs)279 static int ovpn_nl_peer_modify(struct ovpn_peer *peer, struct genl_info *info,
280 struct nlattr **attrs)
281 {
282 struct sockaddr_storage ss = {};
283 void *local_ip = NULL;
284 u32 interv, timeout;
285 bool rehash = false;
286 int ret;
287
288 spin_lock_bh(&peer->lock);
289
290 if (ovpn_nl_attr_sockaddr_remote(attrs, &ss)) {
291 /* we carry the local IP in a generic container.
292 * ovpn_peer_reset_sockaddr() will properly interpret it
293 * based on ss.ss_family
294 */
295 local_ip = ovpn_nl_attr_local_ip(attrs);
296
297 /* set peer sockaddr */
298 ret = ovpn_peer_reset_sockaddr(peer, &ss, local_ip);
299 if (ret < 0) {
300 NL_SET_ERR_MSG_FMT_MOD(info->extack,
301 "cannot set peer sockaddr: %d",
302 ret);
303 goto err_unlock;
304 }
305 dst_cache_reset(&peer->dst_cache);
306 }
307
308 /* In a multipeer-to-multipeer setup we may have asymmetric peer IDs,
309 * that is peer->id might be different from peer->tx_id.
310 */
311 if (attrs[OVPN_A_PEER_TX_ID])
312 peer->tx_id = nla_get_u32(attrs[OVPN_A_PEER_TX_ID]);
313
314 if (attrs[OVPN_A_PEER_VPN_IPV4]) {
315 rehash = true;
316 peer->vpn_addrs.ipv4.s_addr =
317 nla_get_in_addr(attrs[OVPN_A_PEER_VPN_IPV4]);
318 }
319
320 if (attrs[OVPN_A_PEER_VPN_IPV6]) {
321 rehash = true;
322 peer->vpn_addrs.ipv6 =
323 nla_get_in6_addr(attrs[OVPN_A_PEER_VPN_IPV6]);
324 }
325
326 /* when setting the keepalive, both parameters have to be configured */
327 if (attrs[OVPN_A_PEER_KEEPALIVE_INTERVAL] &&
328 attrs[OVPN_A_PEER_KEEPALIVE_TIMEOUT]) {
329 interv = nla_get_u32(attrs[OVPN_A_PEER_KEEPALIVE_INTERVAL]);
330 timeout = nla_get_u32(attrs[OVPN_A_PEER_KEEPALIVE_TIMEOUT]);
331 ovpn_peer_keepalive_set(peer, interv, timeout);
332 }
333
334 netdev_dbg(peer->ovpn->dev,
335 "modify peer id=%u tx_id=%u endpoint=%pIScp VPN-IPv4=%pI4 VPN-IPv6=%pI6c\n",
336 peer->id, peer->tx_id, &ss,
337 &peer->vpn_addrs.ipv4.s_addr, &peer->vpn_addrs.ipv6);
338
339 spin_unlock_bh(&peer->lock);
340
341 return rehash ? 1 : 0;
342 err_unlock:
343 spin_unlock_bh(&peer->lock);
344 return ret;
345 }
346
ovpn_nl_peer_new_doit(struct sk_buff * skb,struct genl_info * info)347 int ovpn_nl_peer_new_doit(struct sk_buff *skb, struct genl_info *info)
348 {
349 struct nlattr *attrs[OVPN_A_PEER_MAX + 1];
350 struct ovpn_priv *ovpn = info->user_ptr[0];
351 struct ovpn_socket *ovpn_sock;
352 struct socket *sock = NULL;
353 struct ovpn_peer *peer;
354 u32 sockfd, peer_id;
355 int ret;
356
357 if (GENL_REQ_ATTR_CHECK(info, OVPN_A_PEER))
358 return -EINVAL;
359
360 ret = nla_parse_nested(attrs, OVPN_A_PEER_MAX, info->attrs[OVPN_A_PEER],
361 ovpn_peer_new_input_nl_policy, info->extack);
362 if (ret)
363 return ret;
364
365 ret = ovpn_nl_peer_precheck(ovpn, info, attrs);
366 if (ret < 0)
367 return ret;
368
369 if (NL_REQ_ATTR_CHECK(info->extack, info->attrs[OVPN_A_PEER], attrs,
370 OVPN_A_PEER_SOCKET))
371 return -EINVAL;
372
373 /* in MP mode VPN IPs are required for selecting the right peer */
374 if (ovpn->mode == OVPN_MODE_MP && !attrs[OVPN_A_PEER_VPN_IPV4] &&
375 !attrs[OVPN_A_PEER_VPN_IPV6]) {
376 NL_SET_ERR_MSG_FMT_MOD(info->extack,
377 "VPN IP must be provided in MP mode");
378 return -EINVAL;
379 }
380
381 peer_id = nla_get_u32(attrs[OVPN_A_PEER_ID]);
382
383 peer = ovpn_peer_new(ovpn, peer_id);
384 if (IS_ERR(peer)) {
385 NL_SET_ERR_MSG_FMT_MOD(info->extack,
386 "cannot create new peer object for peer %u: %ld",
387 peer_id, PTR_ERR(peer));
388 return PTR_ERR(peer);
389 }
390
391 /* lookup the fd in the kernel table and extract the socket object */
392 sockfd = nla_get_u32(attrs[OVPN_A_PEER_SOCKET]);
393 /* sockfd_lookup() increases sock's refcounter */
394 sock = sockfd_lookup(sockfd, &ret);
395 if (!sock) {
396 NL_SET_ERR_MSG_FMT_MOD(info->extack,
397 "cannot lookup peer socket (fd=%u): %d",
398 sockfd, ret);
399 ret = -ENOTSOCK;
400 goto peer_release;
401 }
402
403 /* Only when using UDP as transport protocol the remote endpoint
404 * can be configured so that ovpn knows where to send packets to.
405 */
406 if (sock->sk->sk_protocol == IPPROTO_UDP &&
407 !attrs[OVPN_A_PEER_REMOTE_IPV4] &&
408 !attrs[OVPN_A_PEER_REMOTE_IPV6]) {
409 NL_SET_ERR_MSG_FMT_MOD(info->extack,
410 "missing remote IP address for UDP socket");
411 sockfd_put(sock);
412 ret = -EINVAL;
413 goto peer_release;
414 }
415
416 /* In case of TCP, the socket is connected to the peer and ovpn
417 * will just send bytes over it, without the need to specify a
418 * destination.
419 */
420 if (sock->sk->sk_protocol == IPPROTO_TCP &&
421 (attrs[OVPN_A_PEER_REMOTE_IPV4] ||
422 attrs[OVPN_A_PEER_REMOTE_IPV6])) {
423 NL_SET_ERR_MSG_FMT_MOD(info->extack,
424 "unexpected remote IP address with TCP socket");
425 sockfd_put(sock);
426 ret = -EINVAL;
427 goto peer_release;
428 }
429
430 ovpn_sock = ovpn_socket_new(sock, peer);
431 /* at this point we unconditionally drop the reference to the socket:
432 * - in case of error, the socket has to be dropped
433 * - if case of success, the socket is configured and let
434 * userspace own the reference, so that the latter can
435 * trigger the final close()
436 */
437 sockfd_put(sock);
438 if (IS_ERR(ovpn_sock)) {
439 NL_SET_ERR_MSG_FMT_MOD(info->extack,
440 "cannot encapsulate socket: %ld",
441 PTR_ERR(ovpn_sock));
442 ret = -ENOTSOCK;
443 goto peer_release;
444 }
445
446 rcu_assign_pointer(peer->sock, ovpn_sock);
447
448 ret = ovpn_nl_peer_modify(peer, info, attrs);
449 if (ret < 0)
450 goto sock_release;
451
452 ret = ovpn_peer_add(ovpn, peer);
453 if (ret < 0) {
454 NL_SET_ERR_MSG_FMT_MOD(info->extack,
455 "cannot add new peer (id=%u) to hashtable: %d",
456 peer->id, ret);
457 goto sock_release;
458 }
459
460 return 0;
461
462 sock_release:
463 ovpn_socket_release(peer);
464 peer_release:
465 /* For UDP, the peer is unreachable until added to the hashtables, so
466 * dropping the initial reference is enough. For TCP, the peer may be
467 * concurrently reachable via sk_user_data->peer until
468 * ovpn_socket_release() detaches; rely on the refcount.
469 */
470 ovpn_peer_put(peer);
471
472 return ret;
473 }
474
ovpn_nl_peer_set_doit(struct sk_buff * skb,struct genl_info * info)475 int ovpn_nl_peer_set_doit(struct sk_buff *skb, struct genl_info *info)
476 {
477 struct nlattr *attrs[OVPN_A_PEER_MAX + 1];
478 struct ovpn_priv *ovpn = info->user_ptr[0];
479 struct ovpn_socket *sock;
480 struct ovpn_peer *peer;
481 u32 peer_id;
482 int ret;
483
484 if (GENL_REQ_ATTR_CHECK(info, OVPN_A_PEER))
485 return -EINVAL;
486
487 ret = nla_parse_nested(attrs, OVPN_A_PEER_MAX, info->attrs[OVPN_A_PEER],
488 ovpn_peer_set_input_nl_policy, info->extack);
489 if (ret)
490 return ret;
491
492 ret = ovpn_nl_peer_precheck(ovpn, info, attrs);
493 if (ret < 0)
494 return ret;
495
496 if (attrs[OVPN_A_PEER_SOCKET]) {
497 NL_SET_ERR_MSG_FMT_MOD(info->extack,
498 "socket cannot be modified");
499 return -EINVAL;
500 }
501
502 peer_id = nla_get_u32(attrs[OVPN_A_PEER_ID]);
503 peer = ovpn_peer_get_by_id(ovpn, peer_id);
504 if (!peer) {
505 NL_SET_ERR_MSG_FMT_MOD(info->extack,
506 "cannot find peer with id %u", peer_id);
507 return -ENOENT;
508 }
509
510 /* when using a TCP socket the remote IP is not expected */
511 rcu_read_lock();
512 sock = rcu_dereference(peer->sock);
513 if (sock && sock->sk->sk_protocol == IPPROTO_TCP &&
514 (attrs[OVPN_A_PEER_REMOTE_IPV4] ||
515 attrs[OVPN_A_PEER_REMOTE_IPV6])) {
516 rcu_read_unlock();
517 NL_SET_ERR_MSG_FMT_MOD(info->extack,
518 "unexpected remote IP address with TCP socket");
519 ovpn_peer_put(peer);
520 return -EINVAL;
521 }
522 rcu_read_unlock();
523
524 spin_lock_bh(&ovpn->lock);
525 ret = ovpn_nl_peer_modify(peer, info, attrs);
526 if (ret < 0) {
527 spin_unlock_bh(&ovpn->lock);
528 ovpn_peer_put(peer);
529 return ret;
530 }
531
532 /* ret == 1 means that VPN IPv4/6 has been modified and rehashing
533 * is required
534 */
535 if (ret > 0)
536 ovpn_peer_hash_vpn_ip(peer);
537 spin_unlock_bh(&ovpn->lock);
538 ovpn_peer_put(peer);
539
540 return 0;
541 }
542
ovpn_nl_send_peer(struct sk_buff * skb,const struct genl_info * info,const struct ovpn_peer * peer,u32 portid,u32 seq,int flags)543 static int ovpn_nl_send_peer(struct sk_buff *skb, const struct genl_info *info,
544 const struct ovpn_peer *peer, u32 portid, u32 seq,
545 int flags)
546 {
547 const struct ovpn_bind *bind;
548 struct ovpn_socket *sock;
549 int ret = -EMSGSIZE;
550 struct nlattr *attr;
551 __be16 local_port;
552 void *hdr;
553 int id;
554
555 hdr = genlmsg_put(skb, portid, seq, &ovpn_nl_family, flags,
556 OVPN_CMD_PEER_GET);
557 if (!hdr)
558 return -ENOBUFS;
559
560 attr = nla_nest_start(skb, OVPN_A_PEER);
561 if (!attr)
562 goto err;
563
564 rcu_read_lock();
565 sock = rcu_dereference(peer->sock);
566 if (!sock) {
567 ret = -EINVAL;
568 goto err_unlock;
569 }
570
571 if (!net_eq(genl_info_net(info), sock_net(sock->sk))) {
572 id = peernet2id_alloc(genl_info_net(info),
573 sock_net(sock->sk),
574 GFP_ATOMIC);
575 if (nla_put_s32(skb, OVPN_A_PEER_SOCKET_NETNSID, id))
576 goto err_unlock;
577 }
578 local_port = inet_sk(sock->sk)->inet_sport;
579 rcu_read_unlock();
580
581 if (nla_put_u32(skb, OVPN_A_PEER_ID, peer->id))
582 goto err;
583
584 if (nla_put_u32(skb, OVPN_A_PEER_TX_ID, peer->tx_id))
585 goto err;
586
587 if (peer->vpn_addrs.ipv4.s_addr != htonl(INADDR_ANY))
588 if (nla_put_in_addr(skb, OVPN_A_PEER_VPN_IPV4,
589 peer->vpn_addrs.ipv4.s_addr))
590 goto err;
591
592 if (!ipv6_addr_equal(&peer->vpn_addrs.ipv6, &in6addr_any))
593 if (nla_put_in6_addr(skb, OVPN_A_PEER_VPN_IPV6,
594 &peer->vpn_addrs.ipv6))
595 goto err;
596
597 if (nla_put_u32(skb, OVPN_A_PEER_KEEPALIVE_INTERVAL,
598 peer->keepalive_interval) ||
599 nla_put_u32(skb, OVPN_A_PEER_KEEPALIVE_TIMEOUT,
600 peer->keepalive_timeout))
601 goto err;
602
603 rcu_read_lock();
604 bind = rcu_dereference(peer->bind);
605 if (bind) {
606 if (bind->remote.in4.sin_family == AF_INET) {
607 if (nla_put_in_addr(skb, OVPN_A_PEER_REMOTE_IPV4,
608 bind->remote.in4.sin_addr.s_addr) ||
609 nla_put_net16(skb, OVPN_A_PEER_REMOTE_PORT,
610 bind->remote.in4.sin_port) ||
611 nla_put_in_addr(skb, OVPN_A_PEER_LOCAL_IPV4,
612 bind->local.ipv4.s_addr))
613 goto err_unlock;
614 } else if (bind->remote.in4.sin_family == AF_INET6) {
615 if (nla_put_in6_addr(skb, OVPN_A_PEER_REMOTE_IPV6,
616 &bind->remote.in6.sin6_addr) ||
617 nla_put_u32(skb, OVPN_A_PEER_REMOTE_IPV6_SCOPE_ID,
618 bind->remote.in6.sin6_scope_id) ||
619 nla_put_net16(skb, OVPN_A_PEER_REMOTE_PORT,
620 bind->remote.in6.sin6_port) ||
621 nla_put_in6_addr(skb, OVPN_A_PEER_LOCAL_IPV6,
622 &bind->local.ipv6))
623 goto err_unlock;
624 }
625 }
626 rcu_read_unlock();
627
628 if (nla_put_net16(skb, OVPN_A_PEER_LOCAL_PORT, local_port) ||
629 /* VPN RX stats */
630 nla_put_uint(skb, OVPN_A_PEER_VPN_RX_BYTES,
631 atomic64_read(&peer->vpn_stats.rx.bytes)) ||
632 nla_put_uint(skb, OVPN_A_PEER_VPN_RX_PACKETS,
633 atomic64_read(&peer->vpn_stats.rx.packets)) ||
634 /* VPN TX stats */
635 nla_put_uint(skb, OVPN_A_PEER_VPN_TX_BYTES,
636 atomic64_read(&peer->vpn_stats.tx.bytes)) ||
637 nla_put_uint(skb, OVPN_A_PEER_VPN_TX_PACKETS,
638 atomic64_read(&peer->vpn_stats.tx.packets)) ||
639 /* link RX stats */
640 nla_put_uint(skb, OVPN_A_PEER_LINK_RX_BYTES,
641 atomic64_read(&peer->link_stats.rx.bytes)) ||
642 nla_put_uint(skb, OVPN_A_PEER_LINK_RX_PACKETS,
643 atomic64_read(&peer->link_stats.rx.packets)) ||
644 /* link TX stats */
645 nla_put_uint(skb, OVPN_A_PEER_LINK_TX_BYTES,
646 atomic64_read(&peer->link_stats.tx.bytes)) ||
647 nla_put_uint(skb, OVPN_A_PEER_LINK_TX_PACKETS,
648 atomic64_read(&peer->link_stats.tx.packets)))
649 goto err;
650
651 nla_nest_end(skb, attr);
652 genlmsg_end(skb, hdr);
653
654 return 0;
655 err_unlock:
656 rcu_read_unlock();
657 err:
658 genlmsg_cancel(skb, hdr);
659 return ret;
660 }
661
ovpn_nl_peer_get_doit(struct sk_buff * skb,struct genl_info * info)662 int ovpn_nl_peer_get_doit(struct sk_buff *skb, struct genl_info *info)
663 {
664 struct nlattr *attrs[OVPN_A_PEER_MAX + 1];
665 struct ovpn_priv *ovpn = info->user_ptr[0];
666 struct ovpn_peer *peer;
667 struct sk_buff *msg;
668 u32 peer_id;
669 int ret, i;
670
671 if (GENL_REQ_ATTR_CHECK(info, OVPN_A_PEER))
672 return -EINVAL;
673
674 ret = nla_parse_nested(attrs, OVPN_A_PEER_MAX, info->attrs[OVPN_A_PEER],
675 ovpn_peer_nl_policy, info->extack);
676 if (ret)
677 return ret;
678
679 if (NL_REQ_ATTR_CHECK(info->extack, info->attrs[OVPN_A_PEER], attrs,
680 OVPN_A_PEER_ID))
681 return -EINVAL;
682
683 /* OVPN_CMD_PEER_GET expects only the PEER_ID, therefore
684 * ensure that the user hasn't specified any other attribute.
685 *
686 * Unfortunately this check cannot be performed via netlink
687 * spec/policy and must be open-coded.
688 */
689 for (i = 0; i < OVPN_A_PEER_MAX + 1; i++) {
690 if (i == OVPN_A_PEER_ID)
691 continue;
692
693 if (attrs[i]) {
694 NL_SET_ERR_MSG_FMT_MOD(info->extack,
695 "unexpected attribute %u", i);
696 return -EINVAL;
697 }
698 }
699
700 peer_id = nla_get_u32(attrs[OVPN_A_PEER_ID]);
701 peer = ovpn_peer_get_by_id(ovpn, peer_id);
702 if (!peer) {
703 NL_SET_ERR_MSG_FMT_MOD(info->extack,
704 "cannot find peer with id %u", peer_id);
705 return -ENOENT;
706 }
707
708 msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
709 if (!msg) {
710 ret = -ENOMEM;
711 goto err;
712 }
713
714 ret = ovpn_nl_send_peer(msg, info, peer, info->snd_portid,
715 info->snd_seq, 0);
716 if (ret < 0) {
717 nlmsg_free(msg);
718 goto err;
719 }
720
721 ret = genlmsg_reply(msg, info);
722 err:
723 ovpn_peer_put(peer);
724 return ret;
725 }
726
ovpn_nl_peer_get_dumpit(struct sk_buff * skb,struct netlink_callback * cb)727 int ovpn_nl_peer_get_dumpit(struct sk_buff *skb, struct netlink_callback *cb)
728 {
729 const struct genl_info *info = genl_info_dump(cb);
730 int bkt, last_idx = cb->args[1], dumped = 0;
731 netdevice_tracker tracker;
732 struct ovpn_priv *ovpn;
733 struct ovpn_peer *peer;
734
735 ovpn = ovpn_get_dev_from_attrs(sock_net(cb->skb->sk), info, &tracker);
736 if (IS_ERR(ovpn))
737 return PTR_ERR(ovpn);
738
739 if (ovpn->mode == OVPN_MODE_P2P) {
740 /* if we already dumped a peer it means we are done */
741 if (last_idx)
742 goto out;
743
744 rcu_read_lock();
745 peer = rcu_dereference(ovpn->peer);
746 if (peer) {
747 if (ovpn_nl_send_peer(skb, info, peer,
748 NETLINK_CB(cb->skb).portid,
749 cb->nlh->nlmsg_seq,
750 NLM_F_MULTI) == 0)
751 dumped++;
752 }
753 rcu_read_unlock();
754 } else {
755 rcu_read_lock();
756 hash_for_each_rcu(ovpn->peers->by_id, bkt, peer,
757 hash_entry_id) {
758 /* skip already dumped peers that were dumped by
759 * previous invocations
760 */
761 if (last_idx > 0) {
762 last_idx--;
763 continue;
764 }
765
766 if (ovpn_nl_send_peer(skb, info, peer,
767 NETLINK_CB(cb->skb).portid,
768 cb->nlh->nlmsg_seq,
769 NLM_F_MULTI) < 0)
770 break;
771
772 /* count peers being dumped during this invocation */
773 dumped++;
774 }
775 rcu_read_unlock();
776 }
777
778 out:
779 netdev_put(ovpn->dev, &tracker);
780
781 /* sum up peers dumped in this message, so that at the next invocation
782 * we can continue from where we left
783 */
784 cb->args[1] += dumped;
785 return skb->len;
786 }
787
ovpn_nl_peer_del_doit(struct sk_buff * skb,struct genl_info * info)788 int ovpn_nl_peer_del_doit(struct sk_buff *skb, struct genl_info *info)
789 {
790 struct nlattr *attrs[OVPN_A_PEER_MAX + 1];
791 struct ovpn_priv *ovpn = info->user_ptr[0];
792 struct ovpn_peer *peer;
793 u32 peer_id;
794 int ret;
795
796 if (GENL_REQ_ATTR_CHECK(info, OVPN_A_PEER))
797 return -EINVAL;
798
799 ret = nla_parse_nested(attrs, OVPN_A_PEER_MAX, info->attrs[OVPN_A_PEER],
800 ovpn_peer_del_input_nl_policy, info->extack);
801 if (ret)
802 return ret;
803
804 if (NL_REQ_ATTR_CHECK(info->extack, info->attrs[OVPN_A_PEER], attrs,
805 OVPN_A_PEER_ID))
806 return -EINVAL;
807
808 peer_id = nla_get_u32(attrs[OVPN_A_PEER_ID]);
809 peer = ovpn_peer_get_by_id(ovpn, peer_id);
810 if (!peer) {
811 NL_SET_ERR_MSG_FMT_MOD(info->extack,
812 "cannot find peer with id %u", peer_id);
813 return -ENOENT;
814 }
815
816 netdev_dbg(ovpn->dev, "del peer %u\n", peer->id);
817 ret = ovpn_peer_del(peer, OVPN_DEL_PEER_REASON_USERSPACE);
818 ovpn_peer_put(peer);
819
820 return ret;
821 }
822
ovpn_nl_get_key_dir(struct genl_info * info,struct nlattr * key,enum ovpn_cipher_alg cipher,struct ovpn_key_direction * dir)823 static int ovpn_nl_get_key_dir(struct genl_info *info, struct nlattr *key,
824 enum ovpn_cipher_alg cipher,
825 struct ovpn_key_direction *dir)
826 {
827 struct nlattr *attrs[OVPN_A_KEYDIR_MAX + 1];
828 int ret;
829
830 ret = nla_parse_nested(attrs, OVPN_A_KEYDIR_MAX, key,
831 ovpn_keydir_nl_policy, info->extack);
832 if (ret)
833 return ret;
834
835 switch (cipher) {
836 case OVPN_CIPHER_ALG_AES_GCM:
837 case OVPN_CIPHER_ALG_CHACHA20_POLY1305:
838 if (NL_REQ_ATTR_CHECK(info->extack, key, attrs,
839 OVPN_A_KEYDIR_CIPHER_KEY) ||
840 NL_REQ_ATTR_CHECK(info->extack, key, attrs,
841 OVPN_A_KEYDIR_NONCE_TAIL))
842 return -EINVAL;
843
844 dir->cipher_key = nla_data(attrs[OVPN_A_KEYDIR_CIPHER_KEY]);
845 dir->cipher_key_size = nla_len(attrs[OVPN_A_KEYDIR_CIPHER_KEY]);
846
847 /* These algorithms require a 96bit nonce,
848 * Construct it by combining 4-bytes packet id and
849 * 8-bytes nonce-tail from userspace
850 */
851 dir->nonce_tail = nla_data(attrs[OVPN_A_KEYDIR_NONCE_TAIL]);
852 dir->nonce_tail_size = nla_len(attrs[OVPN_A_KEYDIR_NONCE_TAIL]);
853 break;
854 default:
855 NL_SET_ERR_MSG_MOD(info->extack, "unsupported cipher");
856 return -EINVAL;
857 }
858
859 return 0;
860 }
861
862 /**
863 * ovpn_nl_key_new_doit - configure a new key for the specified peer
864 * @skb: incoming netlink message
865 * @info: genetlink metadata
866 *
867 * This function allows the user to install a new key in the peer crypto
868 * state.
869 * Each peer has two 'slots', namely 'primary' and 'secondary', where
870 * keys can be installed. The key in the 'primary' slot is used for
871 * encryption, while both keys can be used for decryption by matching the
872 * key ID carried in the incoming packet.
873 *
874 * The user is responsible for rotating keys when necessary. The user
875 * may fetch peer traffic statistics via netlink in order to better
876 * identify the right time to rotate keys.
877 * The renegotiation follows these steps:
878 * 1. a new key is computed by the user and is installed in the 'secondary'
879 * slot
880 * 2. at user discretion (usually after a predetermined time) 'primary' and
881 * 'secondary' contents are swapped and the new key starts being used for
882 * encryption, while the old key is kept around for decryption of late
883 * packets.
884 *
885 * Return: 0 on success or a negative error code otherwise.
886 */
ovpn_nl_key_new_doit(struct sk_buff * skb,struct genl_info * info)887 int ovpn_nl_key_new_doit(struct sk_buff *skb, struct genl_info *info)
888 {
889 struct nlattr *attrs[OVPN_A_KEYCONF_MAX + 1];
890 struct ovpn_priv *ovpn = info->user_ptr[0];
891 struct ovpn_peer_key_reset pkr;
892 struct ovpn_peer *peer;
893 u32 peer_id;
894 int ret;
895
896 if (GENL_REQ_ATTR_CHECK(info, OVPN_A_KEYCONF))
897 return -EINVAL;
898
899 ret = nla_parse_nested(attrs, OVPN_A_KEYCONF_MAX,
900 info->attrs[OVPN_A_KEYCONF],
901 ovpn_keyconf_nl_policy, info->extack);
902 if (ret)
903 return ret;
904
905 if (NL_REQ_ATTR_CHECK(info->extack, info->attrs[OVPN_A_KEYCONF], attrs,
906 OVPN_A_KEYCONF_PEER_ID))
907 return -EINVAL;
908
909 if (NL_REQ_ATTR_CHECK(info->extack, info->attrs[OVPN_A_KEYCONF], attrs,
910 OVPN_A_KEYCONF_SLOT) ||
911 NL_REQ_ATTR_CHECK(info->extack, info->attrs[OVPN_A_KEYCONF], attrs,
912 OVPN_A_KEYCONF_KEY_ID) ||
913 NL_REQ_ATTR_CHECK(info->extack, info->attrs[OVPN_A_KEYCONF], attrs,
914 OVPN_A_KEYCONF_CIPHER_ALG) ||
915 NL_REQ_ATTR_CHECK(info->extack, info->attrs[OVPN_A_KEYCONF], attrs,
916 OVPN_A_KEYCONF_ENCRYPT_DIR) ||
917 NL_REQ_ATTR_CHECK(info->extack, info->attrs[OVPN_A_KEYCONF], attrs,
918 OVPN_A_KEYCONF_DECRYPT_DIR))
919 return -EINVAL;
920
921 pkr.slot = nla_get_u32(attrs[OVPN_A_KEYCONF_SLOT]);
922 pkr.key.key_id = nla_get_u32(attrs[OVPN_A_KEYCONF_KEY_ID]);
923 pkr.key.cipher_alg = nla_get_u32(attrs[OVPN_A_KEYCONF_CIPHER_ALG]);
924
925 ret = ovpn_nl_get_key_dir(info, attrs[OVPN_A_KEYCONF_ENCRYPT_DIR],
926 pkr.key.cipher_alg, &pkr.key.encrypt);
927 if (ret < 0)
928 return ret;
929
930 ret = ovpn_nl_get_key_dir(info, attrs[OVPN_A_KEYCONF_DECRYPT_DIR],
931 pkr.key.cipher_alg, &pkr.key.decrypt);
932 if (ret < 0)
933 return ret;
934
935 peer_id = nla_get_u32(attrs[OVPN_A_KEYCONF_PEER_ID]);
936 peer = ovpn_peer_get_by_id(ovpn, peer_id);
937 if (!peer) {
938 NL_SET_ERR_MSG_FMT_MOD(info->extack,
939 "no peer with id %u to set key for",
940 peer_id);
941 return -ENOENT;
942 }
943
944 ret = ovpn_crypto_state_reset(&peer->crypto, &pkr);
945 if (ret < 0) {
946 NL_SET_ERR_MSG_FMT_MOD(info->extack,
947 "cannot install new key for peer %u",
948 peer_id);
949 goto out;
950 }
951
952 netdev_dbg(ovpn->dev, "new key installed (id=%u) for peer %u\n",
953 pkr.key.key_id, peer_id);
954 out:
955 ovpn_peer_put(peer);
956 return ret;
957 }
958
ovpn_nl_send_key(struct sk_buff * skb,const struct genl_info * info,u32 peer_id,enum ovpn_key_slot slot,const struct ovpn_key_config * keyconf)959 static int ovpn_nl_send_key(struct sk_buff *skb, const struct genl_info *info,
960 u32 peer_id, enum ovpn_key_slot slot,
961 const struct ovpn_key_config *keyconf)
962 {
963 struct nlattr *attr;
964 void *hdr;
965
966 hdr = genlmsg_put(skb, info->snd_portid, info->snd_seq, &ovpn_nl_family,
967 0, OVPN_CMD_KEY_GET);
968 if (!hdr)
969 return -ENOBUFS;
970
971 attr = nla_nest_start(skb, OVPN_A_KEYCONF);
972 if (!attr)
973 goto err;
974
975 if (nla_put_u32(skb, OVPN_A_KEYCONF_PEER_ID, peer_id))
976 goto err;
977
978 if (nla_put_u32(skb, OVPN_A_KEYCONF_SLOT, slot) ||
979 nla_put_u32(skb, OVPN_A_KEYCONF_KEY_ID, keyconf->key_id) ||
980 nla_put_u32(skb, OVPN_A_KEYCONF_CIPHER_ALG, keyconf->cipher_alg))
981 goto err;
982
983 nla_nest_end(skb, attr);
984 genlmsg_end(skb, hdr);
985
986 return 0;
987 err:
988 genlmsg_cancel(skb, hdr);
989 return -EMSGSIZE;
990 }
991
ovpn_nl_key_get_doit(struct sk_buff * skb,struct genl_info * info)992 int ovpn_nl_key_get_doit(struct sk_buff *skb, struct genl_info *info)
993 {
994 struct nlattr *attrs[OVPN_A_KEYCONF_MAX + 1];
995 struct ovpn_priv *ovpn = info->user_ptr[0];
996 struct ovpn_key_config keyconf = { 0 };
997 enum ovpn_key_slot slot;
998 struct ovpn_peer *peer;
999 struct sk_buff *msg;
1000 u32 peer_id;
1001 int ret, i;
1002
1003 if (GENL_REQ_ATTR_CHECK(info, OVPN_A_KEYCONF))
1004 return -EINVAL;
1005
1006 ret = nla_parse_nested(attrs, OVPN_A_KEYCONF_MAX,
1007 info->attrs[OVPN_A_KEYCONF],
1008 ovpn_keyconf_get_nl_policy, info->extack);
1009 if (ret)
1010 return ret;
1011
1012 if (NL_REQ_ATTR_CHECK(info->extack, info->attrs[OVPN_A_KEYCONF], attrs,
1013 OVPN_A_KEYCONF_PEER_ID))
1014 return -EINVAL;
1015
1016 if (NL_REQ_ATTR_CHECK(info->extack, info->attrs[OVPN_A_KEYCONF], attrs,
1017 OVPN_A_KEYCONF_SLOT))
1018 return -EINVAL;
1019
1020 /* OVPN_CMD_KEY_GET expects only the PEER_ID and the SLOT, therefore
1021 * ensure that the user hasn't specified any other attribute.
1022 *
1023 * Unfortunately this check cannot be performed via netlink
1024 * spec/policy and must be open-coded.
1025 */
1026 for (i = 0; i < OVPN_A_KEYCONF_MAX + 1; i++) {
1027 if (i == OVPN_A_KEYCONF_PEER_ID ||
1028 i == OVPN_A_KEYCONF_SLOT)
1029 continue;
1030
1031 if (attrs[i]) {
1032 NL_SET_ERR_MSG_FMT_MOD(info->extack,
1033 "unexpected attribute %u", i);
1034 return -EINVAL;
1035 }
1036 }
1037
1038 peer_id = nla_get_u32(attrs[OVPN_A_KEYCONF_PEER_ID]);
1039 peer = ovpn_peer_get_by_id(ovpn, peer_id);
1040 if (!peer) {
1041 NL_SET_ERR_MSG_FMT_MOD(info->extack,
1042 "cannot find peer with id %u", peer_id);
1043 return -ENOENT;
1044 }
1045
1046 slot = nla_get_u32(attrs[OVPN_A_KEYCONF_SLOT]);
1047
1048 ret = ovpn_crypto_config_get(&peer->crypto, slot, &keyconf);
1049 if (ret < 0) {
1050 NL_SET_ERR_MSG_FMT_MOD(info->extack,
1051 "cannot extract key from slot %u for peer %u",
1052 slot, peer_id);
1053 goto err;
1054 }
1055
1056 msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
1057 if (!msg) {
1058 ret = -ENOMEM;
1059 goto err;
1060 }
1061
1062 ret = ovpn_nl_send_key(msg, info, peer->id, slot, &keyconf);
1063 if (ret < 0) {
1064 nlmsg_free(msg);
1065 goto err;
1066 }
1067
1068 ret = genlmsg_reply(msg, info);
1069 err:
1070 ovpn_peer_put(peer);
1071 return ret;
1072 }
1073
ovpn_nl_key_swap_doit(struct sk_buff * skb,struct genl_info * info)1074 int ovpn_nl_key_swap_doit(struct sk_buff *skb, struct genl_info *info)
1075 {
1076 struct nlattr *attrs[OVPN_A_KEYCONF_MAX + 1];
1077 struct ovpn_priv *ovpn = info->user_ptr[0];
1078 struct ovpn_peer *peer;
1079 u32 peer_id;
1080 int ret;
1081
1082 if (GENL_REQ_ATTR_CHECK(info, OVPN_A_KEYCONF))
1083 return -EINVAL;
1084
1085 ret = nla_parse_nested(attrs, OVPN_A_KEYCONF_MAX,
1086 info->attrs[OVPN_A_KEYCONF],
1087 ovpn_keyconf_swap_input_nl_policy, info->extack);
1088 if (ret)
1089 return ret;
1090
1091 if (NL_REQ_ATTR_CHECK(info->extack, info->attrs[OVPN_A_KEYCONF], attrs,
1092 OVPN_A_KEYCONF_PEER_ID))
1093 return -EINVAL;
1094
1095 peer_id = nla_get_u32(attrs[OVPN_A_KEYCONF_PEER_ID]);
1096 peer = ovpn_peer_get_by_id(ovpn, peer_id);
1097 if (!peer) {
1098 NL_SET_ERR_MSG_FMT_MOD(info->extack,
1099 "no peer with id %u to swap keys for",
1100 peer_id);
1101 return -ENOENT;
1102 }
1103
1104 ovpn_crypto_key_slots_swap(&peer->crypto);
1105 ovpn_peer_put(peer);
1106
1107 return 0;
1108 }
1109
ovpn_nl_key_del_doit(struct sk_buff * skb,struct genl_info * info)1110 int ovpn_nl_key_del_doit(struct sk_buff *skb, struct genl_info *info)
1111 {
1112 struct nlattr *attrs[OVPN_A_KEYCONF_MAX + 1];
1113 struct ovpn_priv *ovpn = info->user_ptr[0];
1114 enum ovpn_key_slot slot;
1115 struct ovpn_peer *peer;
1116 u32 peer_id;
1117 int ret;
1118
1119 if (GENL_REQ_ATTR_CHECK(info, OVPN_A_KEYCONF))
1120 return -EINVAL;
1121
1122 ret = nla_parse_nested(attrs, OVPN_A_KEYCONF_MAX,
1123 info->attrs[OVPN_A_KEYCONF],
1124 ovpn_keyconf_del_input_nl_policy, info->extack);
1125 if (ret)
1126 return ret;
1127
1128 if (NL_REQ_ATTR_CHECK(info->extack, info->attrs[OVPN_A_KEYCONF], attrs,
1129 OVPN_A_KEYCONF_PEER_ID))
1130 return -EINVAL;
1131
1132 if (NL_REQ_ATTR_CHECK(info->extack, info->attrs[OVPN_A_KEYCONF], attrs,
1133 OVPN_A_KEYCONF_SLOT))
1134 return -EINVAL;
1135
1136 peer_id = nla_get_u32(attrs[OVPN_A_KEYCONF_PEER_ID]);
1137 slot = nla_get_u32(attrs[OVPN_A_KEYCONF_SLOT]);
1138
1139 peer = ovpn_peer_get_by_id(ovpn, peer_id);
1140 if (!peer) {
1141 NL_SET_ERR_MSG_FMT_MOD(info->extack,
1142 "no peer with id %u to delete key for",
1143 peer_id);
1144 return -ENOENT;
1145 }
1146
1147 ovpn_crypto_key_slot_delete(&peer->crypto, slot);
1148 ovpn_peer_put(peer);
1149
1150 return 0;
1151 }
1152
1153 /**
1154 * ovpn_nl_peer_del_notify - notify userspace about peer being deleted
1155 * @peer: the peer being deleted
1156 *
1157 * Return: 0 on success or a negative error code otherwise
1158 */
ovpn_nl_peer_del_notify(struct ovpn_peer * peer)1159 int ovpn_nl_peer_del_notify(struct ovpn_peer *peer)
1160 {
1161 struct ovpn_socket *sock;
1162 struct sk_buff *msg;
1163 struct nlattr *attr;
1164 int ret = -EMSGSIZE;
1165 void *hdr;
1166
1167 netdev_info(peer->ovpn->dev, "deleting peer with id %u, reason %d\n",
1168 peer->id, peer->delete_reason);
1169
1170 msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_ATOMIC);
1171 if (!msg)
1172 return -ENOMEM;
1173
1174 hdr = genlmsg_put(msg, 0, 0, &ovpn_nl_family, 0, OVPN_CMD_PEER_DEL_NTF);
1175 if (!hdr) {
1176 ret = -ENOBUFS;
1177 goto err_free_msg;
1178 }
1179
1180 if (nla_put_u32(msg, OVPN_A_IFINDEX, peer->ovpn->dev->ifindex))
1181 goto err_cancel_msg;
1182
1183 attr = nla_nest_start(msg, OVPN_A_PEER);
1184 if (!attr)
1185 goto err_cancel_msg;
1186
1187 if (nla_put_u32(msg, OVPN_A_PEER_DEL_REASON, peer->delete_reason))
1188 goto err_cancel_msg;
1189
1190 if (nla_put_u32(msg, OVPN_A_PEER_ID, peer->id))
1191 goto err_cancel_msg;
1192
1193 nla_nest_end(msg, attr);
1194
1195 genlmsg_end(msg, hdr);
1196
1197 rcu_read_lock();
1198 sock = rcu_dereference(peer->sock);
1199 if (!sock) {
1200 ret = -EINVAL;
1201 goto err_unlock;
1202 }
1203 genlmsg_multicast_netns(&ovpn_nl_family, sock_net(sock->sk), msg, 0,
1204 OVPN_NLGRP_PEERS, GFP_ATOMIC);
1205 rcu_read_unlock();
1206
1207 return 0;
1208
1209 err_unlock:
1210 rcu_read_unlock();
1211 err_cancel_msg:
1212 genlmsg_cancel(msg, hdr);
1213 err_free_msg:
1214 nlmsg_free(msg);
1215 return ret;
1216 }
1217
1218 /**
1219 * ovpn_nl_peer_float_notify - notify userspace about peer floating
1220 * @peer: the floated peer
1221 * @ss: sockaddr representing the new remote endpoint
1222 *
1223 * Return: 0 on success or a negative error code otherwise
1224 */
ovpn_nl_peer_float_notify(struct ovpn_peer * peer,const struct sockaddr_storage * ss)1225 int ovpn_nl_peer_float_notify(struct ovpn_peer *peer,
1226 const struct sockaddr_storage *ss)
1227 {
1228 struct ovpn_socket *sock;
1229 struct sockaddr_in6 *sa6;
1230 struct sockaddr_in *sa;
1231 struct sk_buff *msg;
1232 struct nlattr *attr;
1233 int ret = -EMSGSIZE;
1234 void *hdr;
1235
1236 msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_ATOMIC);
1237 if (!msg)
1238 return -ENOMEM;
1239
1240 hdr = genlmsg_put(msg, 0, 0, &ovpn_nl_family, 0,
1241 OVPN_CMD_PEER_FLOAT_NTF);
1242 if (!hdr) {
1243 ret = -ENOBUFS;
1244 goto err_free_msg;
1245 }
1246
1247 if (nla_put_u32(msg, OVPN_A_IFINDEX, peer->ovpn->dev->ifindex))
1248 goto err_cancel_msg;
1249
1250 attr = nla_nest_start(msg, OVPN_A_PEER);
1251 if (!attr)
1252 goto err_cancel_msg;
1253
1254 if (nla_put_u32(msg, OVPN_A_PEER_ID, peer->id))
1255 goto err_cancel_msg;
1256
1257 if (ss->ss_family == AF_INET) {
1258 sa = (struct sockaddr_in *)ss;
1259 if (nla_put_in_addr(msg, OVPN_A_PEER_REMOTE_IPV4,
1260 sa->sin_addr.s_addr) ||
1261 nla_put_net16(msg, OVPN_A_PEER_REMOTE_PORT, sa->sin_port))
1262 goto err_cancel_msg;
1263 } else if (ss->ss_family == AF_INET6) {
1264 sa6 = (struct sockaddr_in6 *)ss;
1265 if (nla_put_in6_addr(msg, OVPN_A_PEER_REMOTE_IPV6,
1266 &sa6->sin6_addr) ||
1267 nla_put_u32(msg, OVPN_A_PEER_REMOTE_IPV6_SCOPE_ID,
1268 sa6->sin6_scope_id) ||
1269 nla_put_net16(msg, OVPN_A_PEER_REMOTE_PORT, sa6->sin6_port))
1270 goto err_cancel_msg;
1271 } else {
1272 ret = -EAFNOSUPPORT;
1273 goto err_cancel_msg;
1274 }
1275
1276 nla_nest_end(msg, attr);
1277 genlmsg_end(msg, hdr);
1278
1279 rcu_read_lock();
1280 sock = rcu_dereference(peer->sock);
1281 if (!sock) {
1282 ret = -EINVAL;
1283 goto err_unlock;
1284 }
1285 genlmsg_multicast_netns(&ovpn_nl_family, sock_net(sock->sk), msg,
1286 0, OVPN_NLGRP_PEERS, GFP_ATOMIC);
1287 rcu_read_unlock();
1288
1289 return 0;
1290
1291 err_unlock:
1292 rcu_read_unlock();
1293 err_cancel_msg:
1294 genlmsg_cancel(msg, hdr);
1295 err_free_msg:
1296 nlmsg_free(msg);
1297 return ret;
1298 }
1299
1300 /**
1301 * ovpn_nl_key_swap_notify - notify userspace peer's key must be renewed
1302 * @peer: the peer whose key needs to be renewed
1303 * @key_id: the ID of the key that needs to be renewed
1304 *
1305 * Return: 0 on success or a negative error code otherwise
1306 */
ovpn_nl_key_swap_notify(struct ovpn_peer * peer,u8 key_id)1307 int ovpn_nl_key_swap_notify(struct ovpn_peer *peer, u8 key_id)
1308 {
1309 struct ovpn_socket *sock;
1310 struct nlattr *k_attr;
1311 struct sk_buff *msg;
1312 int ret = -EMSGSIZE;
1313 void *hdr;
1314
1315 netdev_info(peer->ovpn->dev, "peer with id %u must rekey - primary key unusable.\n",
1316 peer->id);
1317
1318 msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_ATOMIC);
1319 if (!msg)
1320 return -ENOMEM;
1321
1322 hdr = genlmsg_put(msg, 0, 0, &ovpn_nl_family, 0, OVPN_CMD_KEY_SWAP_NTF);
1323 if (!hdr) {
1324 ret = -ENOBUFS;
1325 goto err_free_msg;
1326 }
1327
1328 if (nla_put_u32(msg, OVPN_A_IFINDEX, peer->ovpn->dev->ifindex))
1329 goto err_cancel_msg;
1330
1331 k_attr = nla_nest_start(msg, OVPN_A_KEYCONF);
1332 if (!k_attr)
1333 goto err_cancel_msg;
1334
1335 if (nla_put_u32(msg, OVPN_A_KEYCONF_PEER_ID, peer->id))
1336 goto err_cancel_msg;
1337
1338 if (nla_put_u16(msg, OVPN_A_KEYCONF_KEY_ID, key_id))
1339 goto err_cancel_msg;
1340
1341 nla_nest_end(msg, k_attr);
1342 genlmsg_end(msg, hdr);
1343
1344 rcu_read_lock();
1345 sock = rcu_dereference(peer->sock);
1346 if (!sock) {
1347 ret = -EINVAL;
1348 goto err_unlock;
1349 }
1350 genlmsg_multicast_netns(&ovpn_nl_family, sock_net(sock->sk), msg, 0,
1351 OVPN_NLGRP_PEERS, GFP_ATOMIC);
1352 rcu_read_unlock();
1353
1354 return 0;
1355 err_unlock:
1356 rcu_read_unlock();
1357 err_cancel_msg:
1358 genlmsg_cancel(msg, hdr);
1359 err_free_msg:
1360 nlmsg_free(msg);
1361 return ret;
1362 }
1363
1364 /**
1365 * ovpn_nl_register - perform any needed registration in the NL subsustem
1366 *
1367 * Return: 0 on success, a negative error code otherwise
1368 */
ovpn_nl_register(void)1369 int __init ovpn_nl_register(void)
1370 {
1371 int ret = genl_register_family(&ovpn_nl_family);
1372
1373 if (ret) {
1374 pr_err("ovpn: genl_register_family failed: %d\n", ret);
1375 return ret;
1376 }
1377
1378 return 0;
1379 }
1380
1381 /**
1382 * ovpn_nl_unregister - undo any module wide netlink registration
1383 */
ovpn_nl_unregister(void)1384 void ovpn_nl_unregister(void)
1385 {
1386 genl_unregister_family(&ovpn_nl_family);
1387 }
1388