1 /*- 2 * SPDX-License-Identifier: BSD-2-Clause 3 * 4 * Copyright (c) 2021-2022 Rubicon Communications, LLC (Netgate) 5 * 6 * Redistribution and use in source and binary forms, with or without 7 * modification, are permitted provided that the following conditions 8 * are met: 9 * 1. Redistributions of source code must retain the above copyright 10 * notice, this list of conditions and the following disclaimer. 11 * 2. Redistributions in binary form must reproduce the above copyright 12 * notice, this list of conditions and the following disclaimer in the 13 * documentation and/or other materials provided with the distribution. 14 * 15 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 16 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 17 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 18 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 19 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 20 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 21 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 22 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 23 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 24 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 25 * SUCH DAMAGE. 26 * 27 */ 28 #include "opt_inet.h" 29 #include "opt_inet6.h" 30 31 #include <sys/param.h> 32 #include <sys/systm.h> 33 #include <sys/buf_ring.h> 34 #include <sys/epoch.h> 35 #include <sys/file.h> 36 #include <sys/filedesc.h> 37 #include <sys/jail.h> 38 #include <sys/kernel.h> 39 #include <sys/malloc.h> 40 #include <sys/mbuf.h> 41 #include <sys/module.h> 42 #include <sys/nv.h> 43 #include <sys/osd.h> 44 #include <sys/priv.h> 45 #include <sys/protosw.h> 46 #include <sys/rmlock.h> 47 #include <sys/sdt.h> 48 #include <sys/smp.h> 49 #include <sys/socket.h> 50 #include <sys/socketvar.h> 51 #include <sys/sockio.h> 52 #include <sys/sysctl.h> 53 #include <sys/time.h> 54 55 #include <machine/atomic.h> 56 57 #include <net/bpf.h> 58 #include <net/if.h> 59 #include <net/if_clone.h> 60 #include <net/if_types.h> 61 #include <net/if_var.h> 62 #include <net/if_private.h> 63 #include <net/netisr.h> 64 #include <net/route/nhop.h> 65 66 #include <netinet/in.h> 67 #include <netinet/in_fib.h> 68 #include <netinet/ip.h> 69 #include <netinet/ip6.h> 70 #include <netinet/ip_var.h> 71 #include <netinet/udp.h> 72 #include <netinet/udp_var.h> 73 74 #include <netinet6/ip6_var.h> 75 #include <netinet6/in6_fib.h> 76 77 #include <machine/in_cksum.h> 78 79 #include <opencrypto/cryptodev.h> 80 81 #include "if_ovpn.h" 82 83 struct ovpn_kkey_dir { 84 uint8_t key[32]; 85 uint8_t keylen; 86 uint8_t nonce[8]; 87 uint8_t noncelen; 88 enum ovpn_key_cipher cipher; 89 crypto_session_t cryptoid; 90 91 struct mtx replay_mtx; 92 /* 93 * Last seen gapless sequence number. New rx seq numbers must be 94 * strictly higher than this. 95 */ 96 uint32_t rx_seq; 97 uint64_t tx_seq; 98 99 /* Seen packets, relative to rx_seq. bit(0) will always be 0. */ 100 uint64_t rx_window; 101 }; 102 103 struct ovpn_kkey { 104 struct ovpn_kkey_dir *encrypt; 105 struct ovpn_kkey_dir *decrypt; 106 uint8_t keyid; 107 uint32_t peerid; 108 }; 109 110 struct ovpn_keepalive { 111 uint32_t interval; 112 uint32_t timeout; 113 }; 114 115 struct ovpn_wire_header { 116 uint32_t opcode; /* opcode, key id, peer id */ 117 uint32_t seq; 118 uint8_t auth_tag[16]; 119 }; 120 121 struct ovpn_peer_counters { 122 uint64_t pkt_in; 123 uint64_t pkt_out; 124 uint64_t bytes_in; 125 uint64_t bytes_out; 126 }; 127 #define OVPN_PEER_COUNTER_SIZE (sizeof(struct ovpn_peer_counters)/sizeof(uint64_t)) 128 129 struct ovpn_notification { 130 enum ovpn_notif_type type; 131 uint32_t peerid; 132 133 /* Delete notification */ 134 enum ovpn_del_reason del_reason; 135 struct ovpn_peer_counters counters; 136 137 /* Float notification */ 138 struct sockaddr_storage address; 139 }; 140 141 struct ovpn_softc; 142 143 struct ovpn_kpeer { 144 RB_ENTRY(ovpn_kpeer) tree; 145 int refcount; 146 uint32_t peerid; 147 148 struct ovpn_softc *sc; 149 struct sockaddr_storage local; 150 struct sockaddr_storage remote; 151 152 struct in_addr vpn4; 153 struct in6_addr vpn6; 154 155 struct ovpn_kkey keys[2]; 156 157 enum ovpn_del_reason del_reason; 158 struct ovpn_keepalive keepalive; 159 uint32_t *last_active; 160 struct callout ping_send; 161 struct callout ping_rcv; 162 163 counter_u64_t counters[OVPN_PEER_COUNTER_SIZE]; 164 }; 165 166 struct ovpn_counters { 167 uint64_t lost_ctrl_pkts_in; 168 uint64_t lost_ctrl_pkts_out; 169 uint64_t lost_data_pkts_in; 170 uint64_t lost_data_pkts_out; 171 uint64_t nomem_data_pkts_in; 172 uint64_t nomem_data_pkts_out; 173 uint64_t received_ctrl_pkts; 174 uint64_t received_data_pkts; 175 uint64_t sent_ctrl_pkts; 176 uint64_t sent_data_pkts; 177 178 uint64_t transport_bytes_sent; 179 uint64_t transport_bytes_received; 180 uint64_t tunnel_bytes_sent; 181 uint64_t tunnel_bytes_received; 182 }; 183 #define OVPN_COUNTER_SIZE (sizeof(struct ovpn_counters)/sizeof(uint64_t)) 184 185 RB_HEAD(ovpn_kpeers, ovpn_kpeer); 186 187 struct ovpn_softc { 188 int refcount; 189 struct rmlock lock; 190 struct ifnet *ifp; 191 struct socket *so; 192 int peercount; 193 struct ovpn_kpeers peers; 194 195 /* Pending notification */ 196 struct buf_ring *notifring; 197 198 counter_u64_t counters[OVPN_COUNTER_SIZE]; 199 200 struct epoch_context epoch_ctx; 201 }; 202 203 struct ovpn_mtag { 204 struct sockaddr_storage addr; 205 }; 206 207 static struct ovpn_kpeer *ovpn_find_peer(struct ovpn_softc *, uint32_t); 208 static bool ovpn_udp_input(struct mbuf *, int, struct inpcb *, 209 const struct sockaddr *, void *); 210 static int ovpn_transmit_to_peer(struct ifnet *, struct mbuf *, 211 struct ovpn_kpeer *, struct rm_priotracker *); 212 static int ovpn_encap(struct ovpn_softc *, uint32_t, struct mbuf *); 213 static int ovpn_get_af(struct mbuf *); 214 static void ovpn_free_kkey_dir(struct ovpn_kkey_dir *); 215 static bool ovpn_check_replay(struct ovpn_kkey_dir *, uint32_t); 216 static int ovpn_peer_compare(const struct ovpn_kpeer *, 217 const struct ovpn_kpeer *); 218 static bool ovpn_sockaddr_compare(const struct sockaddr *, 219 const struct sockaddr *); 220 221 static RB_PROTOTYPE(ovpn_kpeers, ovpn_kpeer, tree, ovpn_peer_compare); 222 static RB_GENERATE(ovpn_kpeers, ovpn_kpeer, tree, ovpn_peer_compare); 223 224 #define OVPN_MTU_MIN 576 225 #define OVPN_MTU_MAX (IP_MAXPACKET - sizeof(struct ip) - \ 226 sizeof(struct udphdr) - sizeof(struct ovpn_wire_header)) 227 228 #define OVPN_OP_DATA_V2 0x09 229 #define OVPN_OP_SHIFT 3 230 #define OVPN_SEQ_ROTATE 0x80000000 231 232 VNET_DEFINE_STATIC(struct if_clone *, ovpn_cloner); 233 #define V_ovpn_cloner VNET(ovpn_cloner) 234 235 #define OVPN_RLOCK_TRACKER struct rm_priotracker _ovpn_lock_tracker; \ 236 struct rm_priotracker *_ovpn_lock_trackerp = &_ovpn_lock_tracker 237 #define OVPN_RLOCK(sc) rm_rlock(&(sc)->lock, _ovpn_lock_trackerp) 238 #define OVPN_RUNLOCK(sc) rm_runlock(&(sc)->lock, _ovpn_lock_trackerp) 239 #define OVPN_WLOCK(sc) rm_wlock(&(sc)->lock) 240 #define OVPN_WUNLOCK(sc) rm_wunlock(&(sc)->lock) 241 #define OVPN_ASSERT(sc) rm_assert(&(sc)->lock, RA_LOCKED) 242 #define OVPN_RASSERT(sc) rm_assert(&(sc)->lock, RA_RLOCKED) 243 #define OVPN_WASSERT(sc) rm_assert(&(sc)->lock, RA_WLOCKED) 244 #define OVPN_UNLOCK_ASSERT(sc) rm_assert(&(sc)->lock, RA_UNLOCKED) 245 246 #define OVPN_COUNTER(sc, name) \ 247 ((sc)->counters[offsetof(struct ovpn_counters, name)/sizeof(uint64_t)]) 248 #define OVPN_PEER_COUNTER(peer, name) \ 249 ((peer)->counters[offsetof(struct ovpn_peer_counters, name) / \ 250 sizeof(uint64_t)]) 251 252 #define OVPN_COUNTER_ADD(sc, name, val) \ 253 counter_u64_add(OVPN_COUNTER(sc, name), val) 254 #define OVPN_PEER_COUNTER_ADD(p, name, val) \ 255 counter_u64_add(OVPN_PEER_COUNTER(p, name), val) 256 257 #define TO_IN(x) ((struct sockaddr_in *)(x)) 258 #define TO_IN6(x) ((struct sockaddr_in6 *)(x)) 259 260 SDT_PROVIDER_DEFINE(if_ovpn); 261 SDT_PROBE_DEFINE1(if_ovpn, tx, transmit, start, "struct mbuf *"); 262 SDT_PROBE_DEFINE2(if_ovpn, tx, route, ip4, "struct in_addr *", "struct ovpn_kpeer *"); 263 SDT_PROBE_DEFINE2(if_ovpn, tx, route, ip6, "struct in6_addr *", "struct ovpn_kpeer *"); 264 265 static const char ovpnname[] = "ovpn"; 266 static const char ovpngroupname[] = "openvpn"; 267 268 static MALLOC_DEFINE(M_OVPN, ovpnname, "OpenVPN DCO Interface"); 269 #define MTAG_OVPN_LOOP 0x6f76706e /* ovpn */ 270 271 SYSCTL_DECL(_net_link); 272 static SYSCTL_NODE(_net_link, IFT_OTHER, openvpn, CTLFLAG_RW | CTLFLAG_MPSAFE, 0, 273 "OpenVPN DCO Interface"); 274 VNET_DEFINE_STATIC(int, replay_protection) = 0; 275 #define V_replay_protection VNET(replay_protection) 276 SYSCTL_INT(_net_link_openvpn, OID_AUTO, replay_protection, CTLFLAG_VNET | CTLFLAG_RW, 277 &VNET_NAME(replay_protection), 0, "Validate sequence numbers"); 278 279 VNET_DEFINE_STATIC(int, async_crypto); 280 #define V_async_crypto VNET(async_crypto) 281 SYSCTL_INT(_net_link_openvpn, OID_AUTO, async_crypto, 282 CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(async_crypto), 0, 283 "Use asynchronous mode to parallelize crypto jobs."); 284 285 VNET_DEFINE_STATIC(int, async_netisr_queue); 286 #define V_async_netisr_queue VNET(async_netisr_queue) 287 SYSCTL_INT(_net_link_openvpn, OID_AUTO, netisr_queue, 288 CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(async_netisr_queue), 0, 289 "Use netisr_queue() rather than netisr_dispatch()."); 290 291 static int 292 ovpn_peer_compare(const struct ovpn_kpeer *a, const struct ovpn_kpeer *b) 293 { 294 return (a->peerid - b->peerid); 295 } 296 297 static bool 298 ovpn_sockaddr_compare(const struct sockaddr *a, 299 const struct sockaddr *b) 300 { 301 if (a->sa_family != b->sa_family) 302 return (false); 303 MPASS(a->sa_len == b->sa_len); 304 305 switch (a->sa_family) { 306 case AF_INET: { 307 const struct sockaddr_in *a4, *b4; 308 309 a4 = (const struct sockaddr_in *)a; 310 b4 = (const struct sockaddr_in *)b; 311 312 if (a4->sin_port != b4->sin_port) 313 return (false); 314 315 return (a4->sin_addr.s_addr == b4->sin_addr.s_addr); 316 } 317 case AF_INET6: { 318 const struct sockaddr_in6 *a6, *b6; 319 320 a6 = (const struct sockaddr_in6 *)a; 321 b6 = (const struct sockaddr_in6 *)b; 322 323 if (a6->sin6_port != b6->sin6_port) 324 return (false); 325 326 return (memcmp(&a6->sin6_addr, &b6->sin6_addr, 327 sizeof(a6->sin6_addr)) == 0); 328 } 329 default: 330 panic("Unknown address family %d", a->sa_family); 331 } 332 } 333 334 static struct ovpn_kpeer * 335 ovpn_find_peer(struct ovpn_softc *sc, uint32_t peerid) 336 { 337 struct ovpn_kpeer p; 338 339 OVPN_ASSERT(sc); 340 341 p.peerid = peerid; 342 343 return (RB_FIND(ovpn_kpeers, &sc->peers, &p)); 344 } 345 346 static struct ovpn_kpeer * 347 ovpn_find_only_peer(struct ovpn_softc *sc) 348 { 349 OVPN_ASSERT(sc); 350 351 return (RB_ROOT(&sc->peers)); 352 } 353 354 static uint16_t 355 ovpn_get_port(const struct sockaddr_storage *s) 356 { 357 switch (s->ss_family) { 358 case AF_INET: { 359 const struct sockaddr_in *in = (const struct sockaddr_in *)s; 360 return (in->sin_port); 361 } 362 case AF_INET6: { 363 const struct sockaddr_in6 *in6 = (const struct sockaddr_in6 *)s; 364 return (in6->sin6_port); 365 } 366 default: 367 panic("Unsupported address family %d", s->ss_family); 368 } 369 } 370 371 static void 372 ovpn_set_port(struct sockaddr_storage *s, unsigned short port) 373 { 374 switch (s->ss_family) { 375 case AF_INET: { 376 struct sockaddr_in *in = (struct sockaddr_in *)s; 377 in->sin_port = port; 378 break; 379 } 380 case AF_INET6: { 381 struct sockaddr_in6 *in6 = (struct sockaddr_in6 *)s; 382 in6->sin6_port = port; 383 break; 384 } 385 default: 386 panic("Unsupported address family %d", s->ss_family); 387 } 388 } 389 390 static int 391 ovpn_nvlist_to_sockaddr(const nvlist_t *nvl, struct sockaddr_storage *sa) 392 { 393 int af; 394 395 if (! nvlist_exists_number(nvl, "af")) 396 return (EINVAL); 397 if (! nvlist_exists_binary(nvl, "address")) 398 return (EINVAL); 399 if (! nvlist_exists_number(nvl, "port")) 400 return (EINVAL); 401 402 af = nvlist_get_number(nvl, "af"); 403 switch (af) { 404 #ifdef INET 405 case AF_INET: { 406 struct sockaddr_in *in = (struct sockaddr_in *)sa; 407 size_t len; 408 const void *addr = nvlist_get_binary(nvl, "address", &len); 409 410 memset(in, 0, sizeof(*in)); 411 in->sin_family = af; 412 in->sin_len = sizeof(*in); 413 if (len != sizeof(in->sin_addr)) 414 return (EINVAL); 415 416 memcpy(&in->sin_addr, addr, sizeof(in->sin_addr)); 417 in->sin_port = nvlist_get_number(nvl, "port"); 418 break; 419 } 420 #endif 421 #ifdef INET6 422 case AF_INET6: { 423 struct sockaddr_in6 *in6 = (struct sockaddr_in6 *)sa; 424 size_t len; 425 const void *addr = nvlist_get_binary(nvl, "address", &len); 426 427 memset(in6, 0, sizeof(*in6)); 428 in6->sin6_family = af; 429 in6->sin6_len = sizeof(*in6); 430 if (len != sizeof(in6->sin6_addr)) 431 return (EINVAL); 432 433 memcpy(&in6->sin6_addr, addr, sizeof(in6->sin6_addr)); 434 in6->sin6_port = nvlist_get_number(nvl, "port"); 435 break; 436 } 437 #endif 438 default: 439 return (EINVAL); 440 } 441 442 return (0); 443 } 444 445 static int 446 ovpn_add_sockaddr(nvlist_t *parent, const char *name, const struct sockaddr *s) 447 { 448 nvlist_t *nvl; 449 450 nvl = nvlist_create(0); 451 if (nvl == NULL) 452 return (ENOMEM); 453 454 nvlist_add_number(nvl, "af", s->sa_family); 455 456 switch (s->sa_family) { 457 case AF_INET: { 458 const struct sockaddr_in *s4 = (const struct sockaddr_in *)s; 459 460 nvlist_add_number(nvl, "port", s4->sin_port); 461 nvlist_add_binary(nvl, "address", &s4->sin_addr, 462 sizeof(s4->sin_addr)); 463 break; 464 } 465 case AF_INET6: { 466 const struct sockaddr_in6 *s6 = (const struct sockaddr_in6 *)s; 467 468 nvlist_add_number(nvl, "port", s6->sin6_port); 469 nvlist_add_binary(nvl, "address", &s6->sin6_addr, 470 sizeof(s6->sin6_addr)); 471 break; 472 } 473 default: 474 nvlist_destroy(nvl); 475 return (EINVAL); 476 } 477 478 nvlist_move_nvlist(parent, name, nvl); 479 480 return (0); 481 } 482 483 static void 484 ovpn_notify_del_peer(struct ovpn_softc *sc, struct ovpn_kpeer *peer) 485 { 486 struct ovpn_notification *n; 487 488 OVPN_WASSERT(sc); 489 490 n = malloc(sizeof(*n), M_OVPN, M_NOWAIT); 491 if (n == NULL) 492 return; 493 494 n->peerid = peer->peerid; 495 n->type = OVPN_NOTIF_DEL_PEER; 496 n->del_reason = peer->del_reason; 497 498 n->counters.pkt_in = counter_u64_fetch(OVPN_PEER_COUNTER(peer, pkt_in)); 499 n->counters.pkt_out = counter_u64_fetch(OVPN_PEER_COUNTER(peer, pkt_out)); 500 n->counters.bytes_in = counter_u64_fetch(OVPN_PEER_COUNTER(peer, bytes_in)); 501 n->counters.bytes_out = counter_u64_fetch(OVPN_PEER_COUNTER(peer, bytes_out)); 502 503 if (buf_ring_enqueue(sc->notifring, n) != 0) { 504 free(n, M_OVPN); 505 } else if (sc->so != NULL) { 506 /* Wake up userspace */ 507 sc->so->so_error = EAGAIN; 508 sorwakeup(sc->so); 509 sowwakeup(sc->so); 510 } 511 } 512 513 static void 514 ovpn_notify_key_rotation(struct ovpn_softc *sc, struct ovpn_kpeer *peer) 515 { 516 struct ovpn_notification *n; 517 518 n = malloc(sizeof(*n), M_OVPN, M_NOWAIT | M_ZERO); 519 if (n == NULL) 520 return; 521 522 n->peerid = peer->peerid; 523 n->type = OVPN_NOTIF_ROTATE_KEY; 524 525 if (buf_ring_enqueue(sc->notifring, n) != 0) { 526 free(n, M_OVPN); 527 } else if (sc->so != NULL) { 528 /* Wake up userspace */ 529 sc->so->so_error = EAGAIN; 530 sorwakeup(sc->so); 531 sowwakeup(sc->so); 532 } 533 } 534 535 static int 536 ovpn_notify_float(struct ovpn_softc *sc, uint32_t peerid, 537 const struct sockaddr_storage *remote) 538 { 539 struct ovpn_notification *n; 540 541 n = malloc(sizeof(*n), M_OVPN, M_NOWAIT | M_ZERO); 542 if (n == NULL) 543 return (ENOMEM); 544 545 n->peerid = peerid; 546 n->type = OVPN_NOTIF_FLOAT; 547 memcpy(&n->address, remote, sizeof(n->address)); 548 549 if (buf_ring_enqueue(sc->notifring, n) != 0) { 550 free(n, M_OVPN); 551 return (ENOMEM); 552 } else if (sc->so != NULL) { 553 /* Wake up userspace */ 554 sc->so->so_error = EAGAIN; 555 sorwakeup(sc->so); 556 sowwakeup(sc->so); 557 } 558 559 return (0); 560 } 561 562 static void 563 ovpn_peer_release_ref(struct ovpn_kpeer *peer, bool locked) 564 { 565 struct ovpn_softc *sc; 566 567 CURVNET_ASSERT_SET(); 568 569 atomic_add_int(&peer->refcount, -1); 570 571 if (atomic_load_int(&peer->refcount) > 0) 572 return; 573 574 sc = peer->sc; 575 576 if (! locked) { 577 OVPN_WLOCK(sc); 578 579 /* Might have changed before we acquired the lock. */ 580 if (atomic_load_int(&peer->refcount) > 0) { 581 OVPN_WUNLOCK(sc); 582 return; 583 } 584 } 585 586 OVPN_ASSERT(sc); 587 588 /* The peer should have been removed from the list already. */ 589 MPASS(ovpn_find_peer(sc, peer->peerid) == NULL); 590 591 ovpn_notify_del_peer(sc, peer); 592 593 for (int i = 0; i < 2; i++) { 594 ovpn_free_kkey_dir(peer->keys[i].encrypt); 595 ovpn_free_kkey_dir(peer->keys[i].decrypt); 596 } 597 598 callout_stop(&peer->ping_send); 599 callout_stop(&peer->ping_rcv); 600 uma_zfree_pcpu(pcpu_zone_4, peer->last_active); 601 free(peer, M_OVPN); 602 603 if (! locked) 604 OVPN_WUNLOCK(sc); 605 } 606 607 static int 608 ovpn_new_peer(struct ifnet *ifp, const nvlist_t *nvl) 609 { 610 #ifdef INET6 611 struct epoch_tracker et; 612 #endif 613 struct sockaddr_storage local, remote; 614 struct ovpn_kpeer *peer = NULL; 615 struct file *fp = NULL; 616 struct ovpn_softc *sc = ifp->if_softc; 617 struct thread *td = curthread; 618 struct socket *so = NULL; 619 int fd; 620 uint32_t peerid; 621 int ret = 0; 622 bool setcb = false; 623 624 if (nvl == NULL) 625 return (EINVAL); 626 627 if (! nvlist_exists_number(nvl, "peerid")) 628 return (EINVAL); 629 630 if (! nvlist_exists_number(nvl, "fd")) 631 return (EINVAL); 632 633 if (! nvlist_exists_nvlist(nvl, "remote")) 634 return (EINVAL); 635 636 peerid = nvlist_get_number(nvl, "peerid"); 637 638 ret = ovpn_nvlist_to_sockaddr(nvlist_get_nvlist(nvl, "remote"), 639 &remote); 640 if (ret != 0) 641 return (ret); 642 643 fd = nvlist_get_number(nvl, "fd"); 644 645 /* Look up the userspace process and use the fd to find the socket. */ 646 ret = getsock(td, fd, &cap_connect_rights, &fp); 647 if (ret != 0) 648 return (ret); 649 650 so = fp->f_data; 651 652 peer = malloc(sizeof(*peer), M_OVPN, M_WAITOK | M_ZERO); 653 peer->peerid = peerid; 654 peer->sc = sc; 655 peer->refcount = 1; 656 peer->last_active = uma_zalloc_pcpu(pcpu_zone_4, M_WAITOK | M_ZERO); 657 COUNTER_ARRAY_ALLOC(peer->counters, OVPN_PEER_COUNTER_SIZE, M_WAITOK); 658 659 if (nvlist_exists_binary(nvl, "vpn_ipv4")) { 660 size_t len; 661 const void *addr = nvlist_get_binary(nvl, "vpn_ipv4", &len); 662 if (len != sizeof(peer->vpn4)) { 663 ret = EINVAL; 664 goto error; 665 } 666 memcpy(&peer->vpn4, addr, len); 667 } 668 669 if (nvlist_exists_binary(nvl, "vpn_ipv6")) { 670 size_t len; 671 const void *addr = nvlist_get_binary(nvl, "vpn_ipv6", &len); 672 if (len != sizeof(peer->vpn6)) { 673 ret = EINVAL; 674 goto error; 675 } 676 memcpy(&peer->vpn6, addr, len); 677 } 678 679 callout_init_rm(&peer->ping_send, &sc->lock, CALLOUT_SHAREDLOCK); 680 callout_init_rm(&peer->ping_rcv, &sc->lock, 0); 681 682 memset(&local, 0, sizeof(local)); 683 local.ss_len = sizeof(local); 684 ret = sosockaddr(so, (struct sockaddr *)&local); 685 if (ret != 0) 686 goto error; 687 if (nvlist_exists_nvlist(nvl, "local")) { 688 struct sockaddr_storage local1; 689 690 ret = ovpn_nvlist_to_sockaddr(nvlist_get_nvlist(nvl, "local"), 691 &local1); 692 if (ret != 0) 693 goto error; 694 695 /* 696 * openvpn doesn't provide a port here when in multihome mode, 697 * just steal the one the socket is bound to. 698 */ 699 if (ovpn_get_port(&local1) == 0) 700 ovpn_set_port(&local1, ovpn_get_port(&local)); 701 memcpy(&local, &local1, sizeof(local1)); 702 } 703 if (ovpn_get_port(&local) == 0) { 704 ret = EINVAL; 705 goto error; 706 } 707 if (local.ss_family != remote.ss_family) { 708 ret = EINVAL; 709 goto error; 710 } 711 712 memcpy(&peer->local, &local, sizeof(local)); 713 memcpy(&peer->remote, &remote, sizeof(remote)); 714 715 #ifdef INET6 716 if (peer->local.ss_family == AF_INET6 && 717 IN6_IS_ADDR_V4MAPPED(&TO_IN6(&peer->remote)->sin6_addr)) { 718 /* V4 mapped address, so treat this as v4, not v6. */ 719 in6_sin6_2_sin_in_sock((struct sockaddr *)&peer->local); 720 in6_sin6_2_sin_in_sock((struct sockaddr *)&peer->remote); 721 } 722 723 if (peer->local.ss_family == AF_INET6 && 724 IN6_IS_ADDR_UNSPECIFIED(&TO_IN6(&peer->local)->sin6_addr)) { 725 NET_EPOCH_ENTER(et); 726 ret = in6_selectsrc_addr(curthread->td_proc->p_fibnum, 727 &TO_IN6(&peer->remote)->sin6_addr, 728 0, NULL, &TO_IN6(&peer->local)->sin6_addr, NULL); 729 NET_EPOCH_EXIT(et); 730 if (ret != 0) { 731 goto error; 732 } 733 } 734 #endif 735 OVPN_WLOCK(sc); 736 737 /* Disallow peer id re-use. */ 738 if (ovpn_find_peer(sc, peerid) != NULL) { 739 ret = EEXIST; 740 goto error_locked; 741 } 742 743 /* Make sure this is really a UDP socket. */ 744 if (so->so_type != SOCK_DGRAM || so->so_proto->pr_type != SOCK_DGRAM) { 745 ret = EPROTOTYPE; 746 goto error_locked; 747 } 748 749 /* Must be the same socket as for other peers on this interface. */ 750 if (sc->so != NULL && so != sc->so) { 751 if (! RB_EMPTY(&sc->peers)) { 752 ret = EBUSY; 753 goto error_locked; 754 } 755 756 /* 757 * If we have no peers we can safely release the socket and accept 758 * a new one. 759 */ 760 ret = udp_set_kernel_tunneling(sc->so, NULL, NULL, NULL); 761 MPASS(ret == 0); 762 sorele(sc->so); 763 sc->so = NULL; 764 } 765 766 if (sc->so == NULL) { 767 sc->so = so; 768 /* 769 * Maintain one extra ref so the socket doesn't go away until 770 * we're destroying the ifp. 771 */ 772 soref(sc->so); 773 setcb = true; 774 } 775 776 /* Insert the peer into the list. */ 777 RB_INSERT(ovpn_kpeers, &sc->peers, peer); 778 sc->peercount++; 779 780 OVPN_WUNLOCK(sc); 781 782 if (setcb) { 783 ret = udp_set_kernel_tunneling(sc->so, ovpn_udp_input, NULL, sc); 784 MPASS(ret == 0); 785 } 786 787 goto done; 788 789 error_locked: 790 OVPN_WUNLOCK(sc); 791 error: 792 COUNTER_ARRAY_FREE(peer->counters, OVPN_PEER_COUNTER_SIZE); 793 uma_zfree_pcpu(pcpu_zone_4, peer->last_active); 794 free(peer, M_OVPN); 795 done: 796 if (fp != NULL) 797 fdrop(fp, td); 798 799 return (ret); 800 } 801 802 static int 803 _ovpn_del_peer(struct ovpn_softc *sc, struct ovpn_kpeer *peer) 804 { 805 struct ovpn_kpeer *tmp __diagused; 806 807 OVPN_WASSERT(sc); 808 CURVNET_ASSERT_SET(); 809 810 MPASS(RB_FIND(ovpn_kpeers, &sc->peers, peer) == peer); 811 812 tmp = RB_REMOVE(ovpn_kpeers, &sc->peers, peer); 813 MPASS(tmp != NULL); 814 815 sc->peercount--; 816 817 ovpn_peer_release_ref(peer, true); 818 819 return (0); 820 } 821 822 static int 823 ovpn_del_peer(struct ifnet *ifp, nvlist_t *nvl) 824 { 825 struct ovpn_softc *sc = ifp->if_softc; 826 struct ovpn_kpeer *peer; 827 uint32_t peerid; 828 int ret; 829 830 OVPN_WASSERT(sc); 831 832 if (nvl == NULL) 833 return (EINVAL); 834 835 if (! nvlist_exists_number(nvl, "peerid")) 836 return (EINVAL); 837 838 peerid = nvlist_get_number(nvl, "peerid"); 839 840 peer = ovpn_find_peer(sc, peerid); 841 if (peer == NULL) 842 return (ENOENT); 843 844 peer->del_reason = OVPN_DEL_REASON_REQUESTED; 845 ret = _ovpn_del_peer(sc, peer); 846 847 return (ret); 848 } 849 850 static int 851 ovpn_create_kkey_dir(struct ovpn_kkey_dir **kdirp, 852 const nvlist_t *nvl) 853 { 854 struct crypto_session_params csp; 855 struct ovpn_kkey_dir *kdir; 856 const char *ciphername; 857 enum ovpn_key_cipher cipher; 858 const void *key, *iv; 859 size_t keylen = 0, ivlen = 0; 860 int error; 861 862 if (! nvlist_exists_string(nvl, "cipher")) 863 return (EINVAL); 864 ciphername = nvlist_get_string(nvl, "cipher"); 865 866 if (strcmp(ciphername, "none") == 0) 867 cipher = OVPN_CIPHER_ALG_NONE; 868 else if (strcmp(ciphername, "AES-256-GCM") == 0 || 869 strcmp(ciphername, "AES-192-GCM") == 0 || 870 strcmp(ciphername, "AES-128-GCM") == 0) 871 cipher = OVPN_CIPHER_ALG_AES_GCM; 872 else if (strcmp(ciphername, "CHACHA20-POLY1305") == 0) 873 cipher = OVPN_CIPHER_ALG_CHACHA20_POLY1305; 874 else 875 return (EINVAL); 876 877 if (cipher != OVPN_CIPHER_ALG_NONE) { 878 if (! nvlist_exists_binary(nvl, "key")) 879 return (EINVAL); 880 key = nvlist_get_binary(nvl, "key", &keylen); 881 if (keylen > sizeof(kdir->key)) 882 return (E2BIG); 883 884 if (! nvlist_exists_binary(nvl, "iv")) 885 return (EINVAL); 886 iv = nvlist_get_binary(nvl, "iv", &ivlen); 887 if (ivlen != 8) 888 return (E2BIG); 889 } 890 891 kdir = malloc(sizeof(struct ovpn_kkey_dir), M_OVPN, 892 M_WAITOK | M_ZERO); 893 894 kdir->cipher = cipher; 895 kdir->keylen = keylen; 896 kdir->tx_seq = 1; 897 memcpy(kdir->key, key, keylen); 898 kdir->noncelen = ivlen; 899 memcpy(kdir->nonce, iv, ivlen); 900 901 if (kdir->cipher != OVPN_CIPHER_ALG_NONE) { 902 /* Crypto init */ 903 bzero(&csp, sizeof(csp)); 904 csp.csp_mode = CSP_MODE_AEAD; 905 906 if (kdir->cipher == OVPN_CIPHER_ALG_CHACHA20_POLY1305) 907 csp.csp_cipher_alg = CRYPTO_CHACHA20_POLY1305; 908 else 909 csp.csp_cipher_alg = CRYPTO_AES_NIST_GCM_16; 910 911 csp.csp_flags |= CSP_F_SEPARATE_AAD; 912 913 csp.csp_cipher_klen = kdir->keylen; 914 csp.csp_cipher_key = kdir->key; 915 csp.csp_ivlen = 96 / 8; 916 917 error = crypto_newsession(&kdir->cryptoid, &csp, 918 CRYPTOCAP_F_HARDWARE | CRYPTOCAP_F_SOFTWARE); 919 if (error) { 920 free(kdir, M_OVPN); 921 return (error); 922 } 923 } 924 925 mtx_init(&kdir->replay_mtx, "if_ovpn rx replay", NULL, MTX_DEF); 926 *kdirp = kdir; 927 928 return (0); 929 } 930 931 static void 932 ovpn_free_kkey_dir(struct ovpn_kkey_dir *kdir) 933 { 934 if (kdir == NULL) 935 return; 936 937 mtx_destroy(&kdir->replay_mtx); 938 939 crypto_freesession(kdir->cryptoid); 940 free(kdir, M_OVPN); 941 } 942 943 static int 944 ovpn_set_key(struct ifnet *ifp, const nvlist_t *nvl) 945 { 946 struct ovpn_softc *sc = ifp->if_softc; 947 struct ovpn_kkey_dir *enc, *dec; 948 struct ovpn_kpeer *peer; 949 int slot, keyid, peerid; 950 int error; 951 952 if (nvl == NULL) 953 return (EINVAL); 954 955 if (! nvlist_exists_number(nvl, "slot")) 956 return (EINVAL); 957 slot = nvlist_get_number(nvl, "slot"); 958 959 if (! nvlist_exists_number(nvl, "keyid")) 960 return (EINVAL); 961 keyid = nvlist_get_number(nvl, "keyid"); 962 963 if (! nvlist_exists_number(nvl, "peerid")) 964 return (EINVAL); 965 peerid = nvlist_get_number(nvl, "peerid"); 966 967 if (slot != OVPN_KEY_SLOT_PRIMARY && 968 slot != OVPN_KEY_SLOT_SECONDARY) 969 return (EINVAL); 970 971 if (! nvlist_exists_nvlist(nvl, "encrypt") || 972 ! nvlist_exists_nvlist(nvl, "decrypt")) 973 return (EINVAL); 974 975 error = ovpn_create_kkey_dir(&enc, nvlist_get_nvlist(nvl, "encrypt")); 976 if (error) 977 return (error); 978 979 error = ovpn_create_kkey_dir(&dec, nvlist_get_nvlist(nvl, "decrypt")); 980 if (error) { 981 ovpn_free_kkey_dir(enc); 982 return (error); 983 } 984 985 OVPN_WLOCK(sc); 986 987 peer = ovpn_find_peer(sc, peerid); 988 if (peer == NULL) { 989 ovpn_free_kkey_dir(dec); 990 ovpn_free_kkey_dir(enc); 991 OVPN_WUNLOCK(sc); 992 return (ENOENT); 993 } 994 995 ovpn_free_kkey_dir(peer->keys[slot].encrypt); 996 ovpn_free_kkey_dir(peer->keys[slot].decrypt); 997 998 peer->keys[slot].encrypt = enc; 999 peer->keys[slot].decrypt = dec; 1000 1001 peer->keys[slot].keyid = keyid; 1002 peer->keys[slot].peerid = peerid; 1003 1004 OVPN_WUNLOCK(sc); 1005 1006 return (0); 1007 } 1008 1009 static int 1010 ovpn_check_key(struct ovpn_softc *sc, struct ovpn_kpeer *peer, enum ovpn_key_slot slot) 1011 { 1012 OVPN_ASSERT(sc); 1013 1014 if (peer->keys[slot].encrypt == NULL) 1015 return (ENOLINK); 1016 1017 if (peer->keys[slot].decrypt == NULL) 1018 return (ENOLINK); 1019 1020 return (0); 1021 } 1022 1023 static int 1024 ovpn_start(struct ifnet *ifp) 1025 { 1026 struct ovpn_softc *sc = ifp->if_softc; 1027 1028 OVPN_WLOCK(sc); 1029 1030 ifp->if_flags |= IFF_UP; 1031 ifp->if_drv_flags |= IFF_DRV_RUNNING; 1032 if_link_state_change(ifp, LINK_STATE_UP); 1033 1034 OVPN_WUNLOCK(sc); 1035 1036 return (0); 1037 } 1038 1039 static int 1040 ovpn_swap_keys(struct ifnet *ifp, nvlist_t *nvl) 1041 { 1042 struct ovpn_softc *sc = ifp->if_softc; 1043 struct ovpn_kpeer *peer; 1044 struct ovpn_kkey tmpkey; 1045 int error; 1046 1047 if (nvl == NULL) 1048 return (EINVAL); 1049 1050 if (! nvlist_exists_number(nvl, "peerid")) 1051 return (EINVAL); 1052 1053 OVPN_WLOCK(sc); 1054 1055 peer = ovpn_find_peer(sc, nvlist_get_number(nvl, "peerid")); 1056 if (peer == NULL) { 1057 OVPN_WUNLOCK(sc); 1058 return (ENOENT); 1059 } 1060 1061 /* Check that we have a second key to swap to. */ 1062 error = ovpn_check_key(sc, peer, OVPN_KEY_SLOT_SECONDARY); 1063 if (error) { 1064 OVPN_WUNLOCK(sc); 1065 return (error); 1066 } 1067 1068 tmpkey = peer->keys[0]; 1069 peer->keys[0] = peer->keys[1]; 1070 peer->keys[1] = tmpkey; 1071 1072 OVPN_WUNLOCK(sc); 1073 1074 return (0); 1075 } 1076 1077 static int 1078 ovpn_del_key(struct ifnet *ifp, const nvlist_t *nvl) 1079 { 1080 enum ovpn_key_slot slot; 1081 struct ovpn_kpeer *peer; 1082 struct ovpn_softc *sc = ifp->if_softc; 1083 1084 if (nvl == NULL) 1085 return (EINVAL); 1086 1087 if (! nvlist_exists_number(nvl, "peerid")) 1088 return (EINVAL); 1089 1090 if (! nvlist_exists_number(nvl, "slot")) 1091 return (EINVAL); 1092 slot = nvlist_get_number(nvl, "slot"); 1093 1094 if (slot != OVPN_KEY_SLOT_PRIMARY && 1095 slot != OVPN_KEY_SLOT_SECONDARY) 1096 return (EINVAL); 1097 1098 OVPN_WLOCK(sc); 1099 1100 peer = ovpn_find_peer(sc, nvlist_get_number(nvl, "peerid")); 1101 if (peer == NULL) { 1102 OVPN_WUNLOCK(sc); 1103 return (ENOENT); 1104 } 1105 1106 ovpn_free_kkey_dir(peer->keys[slot].encrypt); 1107 ovpn_free_kkey_dir(peer->keys[slot].decrypt); 1108 1109 peer->keys[slot].encrypt = NULL; 1110 peer->keys[slot].decrypt = NULL; 1111 1112 peer->keys[slot].keyid = 0; 1113 peer->keys[slot].peerid = 0; 1114 1115 OVPN_WUNLOCK(sc); 1116 1117 return (0); 1118 } 1119 1120 static void 1121 ovpn_send_ping(void *arg) 1122 { 1123 static const uint8_t ping_str[] = { 1124 0x2a, 0x18, 0x7b, 0xf3, 0x64, 0x1e, 0xb4, 0xcb, 1125 0x07, 0xed, 0x2d, 0x0a, 0x98, 0x1f, 0xc7, 0x48 1126 }; 1127 1128 struct epoch_tracker et; 1129 struct ovpn_kpeer *peer = arg; 1130 struct ovpn_softc *sc = peer->sc; 1131 struct mbuf *m; 1132 1133 OVPN_RASSERT(sc); 1134 1135 /* Ensure we repeat! */ 1136 callout_reset(&peer->ping_send, peer->keepalive.interval * hz, 1137 ovpn_send_ping, peer); 1138 1139 m = m_get2(sizeof(ping_str), M_NOWAIT, MT_DATA, M_PKTHDR); 1140 if (m == NULL) 1141 return; 1142 1143 m_copyback(m, 0, sizeof(ping_str), ping_str); 1144 m->m_len = m->m_pkthdr.len = sizeof(ping_str); 1145 1146 CURVNET_SET(sc->ifp->if_vnet); 1147 NET_EPOCH_ENTER(et); 1148 (void)ovpn_transmit_to_peer(sc->ifp, m, peer, NULL); 1149 NET_EPOCH_EXIT(et); 1150 CURVNET_RESTORE(); 1151 } 1152 1153 static void 1154 ovpn_timeout(void *arg) 1155 { 1156 struct ovpn_kpeer *peer = arg; 1157 struct ovpn_softc *sc = peer->sc; 1158 uint32_t last, _last_active; 1159 int ret __diagused; 1160 int cpu; 1161 1162 OVPN_WASSERT(sc); 1163 1164 last = 0; 1165 CPU_FOREACH(cpu) { 1166 _last_active = *zpcpu_get_cpu(peer->last_active, cpu); 1167 if (_last_active > last) 1168 last = _last_active; 1169 } 1170 1171 if (last + peer->keepalive.timeout > time_uptime) { 1172 callout_reset(&peer->ping_rcv, 1173 (peer->keepalive.timeout - (time_uptime - last)) * hz, 1174 ovpn_timeout, peer); 1175 return; 1176 } 1177 1178 CURVNET_SET(sc->ifp->if_vnet); 1179 peer->del_reason = OVPN_DEL_REASON_TIMEOUT; 1180 ret = _ovpn_del_peer(sc, peer); 1181 MPASS(ret == 0); 1182 CURVNET_RESTORE(); 1183 } 1184 1185 static int 1186 ovpn_set_peer(struct ifnet *ifp, const nvlist_t *nvl) 1187 { 1188 struct ovpn_softc *sc = ifp->if_softc; 1189 struct ovpn_kpeer *peer; 1190 1191 if (nvl == NULL) 1192 return (EINVAL); 1193 1194 if (! nvlist_exists_number(nvl, "interval") || 1195 ! nvlist_exists_number(nvl, "timeout") || 1196 ! nvlist_exists_number(nvl, "peerid")) 1197 return (EINVAL); 1198 1199 OVPN_WLOCK(sc); 1200 1201 peer = ovpn_find_peer(sc, nvlist_get_number(nvl, "peerid")); 1202 if (peer == NULL) { 1203 OVPN_WUNLOCK(sc); 1204 return (ENOENT); 1205 } 1206 1207 peer->keepalive.interval = nvlist_get_number(nvl, "interval"); 1208 peer->keepalive.timeout = nvlist_get_number(nvl, "timeout"); 1209 1210 if (peer->keepalive.interval > 0) 1211 callout_reset(&peer->ping_send, peer->keepalive.interval * hz, 1212 ovpn_send_ping, peer); 1213 if (peer->keepalive.timeout > 0) 1214 callout_reset(&peer->ping_rcv, peer->keepalive.timeout * hz, 1215 ovpn_timeout, peer); 1216 1217 OVPN_WUNLOCK(sc); 1218 1219 return (0); 1220 } 1221 1222 static int 1223 ovpn_set_ifmode(struct ifnet *ifp, const nvlist_t *nvl) 1224 { 1225 struct ovpn_softc *sc = ifp->if_softc; 1226 int ifmode; 1227 1228 if (nvl == NULL) 1229 return (EINVAL); 1230 1231 if (! nvlist_exists_number(nvl, "ifmode") ) 1232 return (EINVAL); 1233 1234 ifmode = nvlist_get_number(nvl, "ifmode"); 1235 1236 OVPN_WLOCK(sc); 1237 1238 /* deny this if UP */ 1239 if (ifp->if_flags & IFF_UP) { 1240 OVPN_WUNLOCK(sc); 1241 return (EBUSY); 1242 } 1243 1244 switch (ifmode & ~IFF_MULTICAST) { 1245 case IFF_POINTOPOINT: 1246 case IFF_BROADCAST: 1247 ifp->if_flags &= 1248 ~(IFF_BROADCAST|IFF_POINTOPOINT|IFF_MULTICAST); 1249 ifp->if_flags |= ifmode; 1250 break; 1251 default: 1252 OVPN_WUNLOCK(sc); 1253 return (EINVAL); 1254 } 1255 1256 OVPN_WUNLOCK(sc); 1257 1258 return (0); 1259 } 1260 1261 static int 1262 ovpn_ioctl_set(struct ifnet *ifp, struct ifdrv *ifd) 1263 { 1264 struct ovpn_softc *sc = ifp->if_softc; 1265 uint8_t *buf = NULL; 1266 nvlist_t *nvl = NULL; 1267 int ret; 1268 1269 if (ifd->ifd_len != 0) { 1270 if (ifd->ifd_len > OVPN_MAX_REQUEST_SIZE) 1271 return (E2BIG); 1272 1273 buf = malloc(ifd->ifd_len, M_OVPN, M_WAITOK); 1274 1275 ret = copyin(ifd->ifd_data, buf, ifd->ifd_len); 1276 if (ret != 0) { 1277 free(buf, M_OVPN); 1278 return (ret); 1279 } 1280 1281 nvl = nvlist_unpack(buf, ifd->ifd_len, 0); 1282 free(buf, M_OVPN); 1283 if (nvl == NULL) { 1284 return (EINVAL); 1285 } 1286 } 1287 1288 switch (ifd->ifd_cmd) { 1289 case OVPN_NEW_PEER: 1290 ret = ovpn_new_peer(ifp, nvl); 1291 break; 1292 case OVPN_DEL_PEER: 1293 OVPN_WLOCK(sc); 1294 ret = ovpn_del_peer(ifp, nvl); 1295 OVPN_WUNLOCK(sc); 1296 break; 1297 case OVPN_NEW_KEY: 1298 ret = ovpn_set_key(ifp, nvl); 1299 break; 1300 case OVPN_START_VPN: 1301 ret = ovpn_start(ifp); 1302 break; 1303 case OVPN_SWAP_KEYS: 1304 ret = ovpn_swap_keys(ifp, nvl); 1305 break; 1306 case OVPN_DEL_KEY: 1307 ret = ovpn_del_key(ifp, nvl); 1308 break; 1309 case OVPN_SET_PEER: 1310 ret = ovpn_set_peer(ifp, nvl); 1311 break; 1312 case OVPN_SET_IFMODE: 1313 ret = ovpn_set_ifmode(ifp, nvl); 1314 break; 1315 default: 1316 ret = ENOTSUP; 1317 } 1318 1319 nvlist_destroy(nvl); 1320 return (ret); 1321 } 1322 1323 static int 1324 ovpn_add_counters(nvlist_t *parent, const char *name, counter_u64_t in, 1325 counter_u64_t out) 1326 { 1327 nvlist_t *nvl; 1328 1329 nvl = nvlist_create(0); 1330 if (nvl == NULL) 1331 return (ENOMEM); 1332 1333 nvlist_add_number(nvl, "in", counter_u64_fetch(in)); 1334 nvlist_add_number(nvl, "out", counter_u64_fetch(out)); 1335 1336 nvlist_add_nvlist(parent, name, nvl); 1337 1338 nvlist_destroy(nvl); 1339 1340 return (0); 1341 } 1342 1343 static int 1344 ovpn_get_stats(struct ovpn_softc *sc, nvlist_t **onvl) 1345 { 1346 nvlist_t *nvl; 1347 int ret; 1348 1349 nvl = nvlist_create(0); 1350 if (nvl == NULL) 1351 return (ENOMEM); 1352 1353 #define OVPN_COUNTER_OUT(name, in, out) \ 1354 do { \ 1355 ret = ovpn_add_counters(nvl, name, OVPN_COUNTER(sc, in), \ 1356 OVPN_COUNTER(sc, out)); \ 1357 if (ret != 0) \ 1358 goto error; \ 1359 } while(0) 1360 1361 OVPN_COUNTER_OUT("lost_ctrl", lost_ctrl_pkts_in, lost_ctrl_pkts_out); 1362 OVPN_COUNTER_OUT("lost_data", lost_data_pkts_in, lost_data_pkts_out); 1363 OVPN_COUNTER_OUT("nomem_data", nomem_data_pkts_in, 1364 nomem_data_pkts_out); 1365 OVPN_COUNTER_OUT("data", received_data_pkts, sent_data_pkts); 1366 OVPN_COUNTER_OUT("ctrl", received_ctrl_pkts, sent_ctrl_pkts); 1367 OVPN_COUNTER_OUT("tunnel", tunnel_bytes_received, 1368 tunnel_bytes_received); 1369 OVPN_COUNTER_OUT("transport", transport_bytes_received, 1370 transport_bytes_received); 1371 #undef OVPN_COUNTER_OUT 1372 1373 *onvl = nvl; 1374 1375 return (0); 1376 1377 error: 1378 nvlist_destroy(nvl); 1379 return (ret); 1380 } 1381 1382 static int 1383 ovpn_get_peer_stats(struct ovpn_softc *sc, nvlist_t **nvl) 1384 { 1385 struct ovpn_kpeer *peer; 1386 nvlist_t *nvpeer = NULL; 1387 int ret; 1388 1389 OVPN_RLOCK_TRACKER; 1390 1391 *nvl = nvlist_create(0); 1392 if (*nvl == NULL) 1393 return (ENOMEM); 1394 1395 #define OVPN_PEER_COUNTER_OUT(name, in, out) \ 1396 do { \ 1397 ret = ovpn_add_counters(nvpeer, name, \ 1398 OVPN_PEER_COUNTER(peer, in), OVPN_PEER_COUNTER(peer, out)); \ 1399 if (ret != 0) \ 1400 goto error; \ 1401 } while(0) 1402 1403 OVPN_RLOCK(sc); 1404 RB_FOREACH(peer, ovpn_kpeers, &sc->peers) { 1405 nvpeer = nvlist_create(0); 1406 if (nvpeer == NULL) { 1407 OVPN_RUNLOCK(sc); 1408 nvlist_destroy(*nvl); 1409 *nvl = NULL; 1410 return (ENOMEM); 1411 } 1412 1413 nvlist_add_number(nvpeer, "peerid", peer->peerid); 1414 1415 OVPN_PEER_COUNTER_OUT("packets", pkt_in, pkt_out); 1416 OVPN_PEER_COUNTER_OUT("bytes", bytes_in, bytes_out); 1417 1418 nvlist_append_nvlist_array(*nvl, "peers", nvpeer); 1419 nvlist_destroy(nvpeer); 1420 } 1421 #undef OVPN_PEER_COUNTER_OUT 1422 OVPN_RUNLOCK(sc); 1423 1424 return (0); 1425 1426 error: 1427 nvlist_destroy(nvpeer); 1428 nvlist_destroy(*nvl); 1429 *nvl = NULL; 1430 return (ret); 1431 } 1432 1433 static int 1434 ovpn_poll_pkt(struct ovpn_softc *sc, nvlist_t **onvl) 1435 { 1436 nvlist_t *nvl; 1437 1438 nvl = nvlist_create(0); 1439 if (nvl == NULL) 1440 return (ENOMEM); 1441 1442 nvlist_add_number(nvl, "pending", buf_ring_count(sc->notifring)); 1443 1444 *onvl = nvl; 1445 1446 return (0); 1447 } 1448 1449 static void 1450 ovpn_notif_add_counters(nvlist_t *parent, struct ovpn_notification *n) 1451 { 1452 nvlist_t *nvl; 1453 1454 nvl = nvlist_create(0); 1455 if (nvl == NULL) 1456 return; 1457 1458 nvlist_add_number(nvl, "in", n->counters.pkt_in); 1459 nvlist_add_number(nvl, "out", n->counters.pkt_out); 1460 1461 nvlist_add_nvlist(parent, "packets", nvl); 1462 nvlist_destroy(nvl); 1463 1464 nvl = nvlist_create(0); 1465 if (nvl == NULL) 1466 return; 1467 1468 nvlist_add_number(nvl, "in", n->counters.bytes_in); 1469 nvlist_add_number(nvl, "out", n->counters.bytes_out); 1470 1471 nvlist_add_nvlist(parent, "bytes", nvl); 1472 nvlist_destroy(nvl); 1473 } 1474 1475 static int 1476 opvn_get_pkt(struct ovpn_softc *sc, nvlist_t **onvl) 1477 { 1478 struct ovpn_notification *n; 1479 nvlist_t *nvl; 1480 1481 /* Check if we have notifications pending. */ 1482 n = buf_ring_dequeue_mc(sc->notifring); 1483 if (n == NULL) 1484 return (ENOENT); 1485 1486 nvl = nvlist_create(0); 1487 if (nvl == NULL) { 1488 free(n, M_OVPN); 1489 return (ENOMEM); 1490 } 1491 nvlist_add_number(nvl, "peerid", n->peerid); 1492 nvlist_add_number(nvl, "notification", n->type); 1493 switch (n->type) { 1494 case OVPN_NOTIF_DEL_PEER: { 1495 nvlist_add_number(nvl, "del_reason", n->del_reason); 1496 1497 /* No error handling, because we want to send the notification 1498 * even if we can't attach the counters. */ 1499 ovpn_notif_add_counters(nvl, n); 1500 break; 1501 } 1502 case OVPN_NOTIF_FLOAT: { 1503 int ret; 1504 1505 ret = ovpn_add_sockaddr(nvl, "address", 1506 (struct sockaddr *)&n->address); 1507 1508 if (ret) { 1509 /* 1510 * Try to re-enqueue the notification. Maybe we'll 1511 * have better luck next time. No error handling, 1512 * because if we fail to re-enqueue there's nothing we can do. 1513 */ 1514 (void)ovpn_notify_float(sc, n->peerid, &n->address); 1515 nvlist_destroy(nvl); 1516 free(n, M_OVPN); 1517 return (ret); 1518 } 1519 break; 1520 } 1521 default: 1522 break; 1523 } 1524 free(n, M_OVPN); 1525 1526 *onvl = nvl; 1527 1528 return (0); 1529 } 1530 1531 static int 1532 ovpn_ioctl_get(struct ifnet *ifp, struct ifdrv *ifd) 1533 { 1534 struct ovpn_softc *sc = ifp->if_softc; 1535 nvlist_t *nvl = NULL; 1536 int error; 1537 1538 switch (ifd->ifd_cmd) { 1539 case OVPN_GET_STATS: 1540 error = ovpn_get_stats(sc, &nvl); 1541 break; 1542 case OVPN_GET_PEER_STATS: 1543 error = ovpn_get_peer_stats(sc, &nvl); 1544 break; 1545 case OVPN_POLL_PKT: 1546 error = ovpn_poll_pkt(sc, &nvl); 1547 break; 1548 case OVPN_GET_PKT: 1549 error = opvn_get_pkt(sc, &nvl); 1550 break; 1551 default: 1552 error = ENOTSUP; 1553 break; 1554 } 1555 1556 if (error == 0) { 1557 void *packed = NULL; 1558 size_t len; 1559 1560 MPASS(nvl != NULL); 1561 1562 packed = nvlist_pack(nvl, &len); 1563 if (! packed) { 1564 nvlist_destroy(nvl); 1565 return (ENOMEM); 1566 } 1567 1568 if (len > ifd->ifd_len) { 1569 free(packed, M_NVLIST); 1570 nvlist_destroy(nvl); 1571 return (ENOSPC); 1572 } 1573 1574 error = copyout(packed, ifd->ifd_data, len); 1575 ifd->ifd_len = len; 1576 1577 free(packed, M_NVLIST); 1578 nvlist_destroy(nvl); 1579 } 1580 1581 return (error); 1582 } 1583 1584 static int 1585 ovpn_ioctl(struct ifnet *ifp, u_long cmd, caddr_t data) 1586 { 1587 struct ifdrv *ifd; 1588 int error; 1589 1590 CURVNET_ASSERT_SET(); 1591 1592 switch (cmd) { 1593 case SIOCSDRVSPEC: 1594 case SIOCGDRVSPEC: 1595 error = priv_check(curthread, PRIV_NET_OVPN); 1596 if (error) 1597 return (error); 1598 break; 1599 } 1600 1601 switch (cmd) { 1602 case SIOCSDRVSPEC: 1603 ifd = (struct ifdrv *)data; 1604 error = ovpn_ioctl_set(ifp, ifd); 1605 break; 1606 case SIOCGDRVSPEC: 1607 ifd = (struct ifdrv *)data; 1608 error = ovpn_ioctl_get(ifp, ifd); 1609 break; 1610 case SIOCSIFMTU: { 1611 struct ifreq *ifr = (struct ifreq *)data; 1612 if (ifr->ifr_mtu < OVPN_MTU_MIN || ifr->ifr_mtu > OVPN_MTU_MAX) 1613 return (EINVAL); 1614 1615 ifp->if_mtu = ifr->ifr_mtu; 1616 return (0); 1617 } 1618 case SIOCSIFADDR: 1619 case SIOCADDMULTI: 1620 case SIOCDELMULTI: 1621 case SIOCGIFMTU: 1622 case SIOCSIFFLAGS: 1623 return (0); 1624 default: 1625 error = EINVAL; 1626 } 1627 1628 return (error); 1629 } 1630 1631 static int 1632 ovpn_encrypt_tx_cb(struct cryptop *crp) 1633 { 1634 struct epoch_tracker et; 1635 struct ovpn_kpeer *peer = crp->crp_opaque; 1636 struct ovpn_softc *sc = peer->sc; 1637 struct mbuf *m = crp->crp_buf.cb_mbuf; 1638 int tunnel_len; 1639 int ret; 1640 1641 CURVNET_SET(sc->ifp->if_vnet); 1642 NET_EPOCH_ENTER(et); 1643 1644 if (crp->crp_etype != 0) { 1645 crypto_freereq(crp); 1646 ovpn_peer_release_ref(peer, false); 1647 NET_EPOCH_EXIT(et); 1648 CURVNET_RESTORE(); 1649 OVPN_COUNTER_ADD(sc, lost_data_pkts_out, 1); 1650 m_freem(m); 1651 return (0); 1652 } 1653 1654 MPASS(crp->crp_buf.cb_type == CRYPTO_BUF_MBUF); 1655 1656 tunnel_len = m->m_pkthdr.len - sizeof(struct ovpn_wire_header); 1657 ret = ovpn_encap(sc, peer->peerid, m); 1658 if (ret == 0) { 1659 OVPN_COUNTER_ADD(sc, sent_data_pkts, 1); 1660 OVPN_COUNTER_ADD(sc, tunnel_bytes_sent, tunnel_len); 1661 } 1662 1663 crypto_freereq(crp); 1664 ovpn_peer_release_ref(peer, false); 1665 1666 NET_EPOCH_EXIT(et); 1667 CURVNET_RESTORE(); 1668 1669 return (0); 1670 } 1671 1672 static void 1673 ovpn_finish_rx(struct ovpn_softc *sc, struct mbuf *m, 1674 struct ovpn_kpeer *peer, struct ovpn_kkey *key, uint32_t seq, 1675 struct rm_priotracker *_ovpn_lock_trackerp) 1676 { 1677 uint32_t af; 1678 struct m_tag *mtag; 1679 1680 OVPN_RASSERT(sc); 1681 NET_EPOCH_ASSERT(); 1682 1683 /* Replay protection. */ 1684 if (V_replay_protection && ! ovpn_check_replay(key->decrypt, seq)) { 1685 OVPN_RUNLOCK(sc); 1686 OVPN_COUNTER_ADD(sc, lost_data_pkts_in, 1); 1687 m_freem(m); 1688 return; 1689 } 1690 1691 critical_enter(); 1692 *zpcpu_get(peer->last_active) = time_uptime; 1693 critical_exit(); 1694 1695 OVPN_RUNLOCK(sc); 1696 1697 /* Check if the peer changed to a new source address. */ 1698 mtag = m_tag_find(m, PACKET_TAG_OVPN, NULL); 1699 if (mtag != NULL) { 1700 struct ovpn_mtag *ot = (struct ovpn_mtag *)(mtag + 1); 1701 1702 OVPN_WLOCK(sc); 1703 1704 /* 1705 * Check the address against the peer's remote again, because we may race 1706 * against ourselves (i.e. we may have tagged multiple packets to indicate we 1707 * floated). 1708 */ 1709 if (ovpn_sockaddr_compare((struct sockaddr *)&ot->addr, 1710 (struct sockaddr *)&peer->remote)) { 1711 OVPN_WUNLOCK(sc); 1712 goto skip_float; 1713 } 1714 1715 /* And notify userspace. */ 1716 if (ovpn_notify_float(sc, peer->peerid, &ot->addr) == 0) { 1717 /* 1718 * Update the 'remote' for this peer, but only if 1719 * we've actually enqueued the notification. 1720 * Otherwise we can try again later. 1721 */ 1722 memcpy(&peer->remote, &ot->addr, sizeof(peer->remote)); 1723 } 1724 1725 OVPN_WUNLOCK(sc); 1726 } 1727 1728 skip_float: 1729 OVPN_COUNTER_ADD(sc, received_data_pkts, 1); 1730 OVPN_COUNTER_ADD(sc, tunnel_bytes_received, m->m_pkthdr.len); 1731 OVPN_PEER_COUNTER_ADD(peer, pkt_in, 1); 1732 OVPN_PEER_COUNTER_ADD(peer, bytes_in, m->m_pkthdr.len); 1733 1734 /* Receive the packet on our interface. */ 1735 m->m_pkthdr.rcvif = sc->ifp; 1736 1737 /* Clear checksum flags in case the real hardware set them. */ 1738 m->m_pkthdr.csum_flags = 0; 1739 1740 /* Clear mbuf tags & flags */ 1741 m_tag_delete_nonpersistent(m); 1742 m_clrprotoflags(m); 1743 1744 /* Ensure we can read the first byte. */ 1745 m = m_pullup(m, 1); 1746 if (m == NULL) { 1747 OVPN_COUNTER_ADD(sc, nomem_data_pkts_in, 1); 1748 return; 1749 } 1750 1751 /* 1752 * Check for address family, and disregard any control packets (e.g. 1753 * keepalive). 1754 */ 1755 af = ovpn_get_af(m); 1756 if (af != 0) { 1757 BPF_MTAP2(sc->ifp, &af, sizeof(af), m); 1758 if (V_async_netisr_queue) 1759 netisr_queue(af == AF_INET ? NETISR_IP : NETISR_IPV6, m); 1760 else 1761 netisr_dispatch(af == AF_INET ? NETISR_IP : NETISR_IPV6, m); 1762 } else { 1763 OVPN_COUNTER_ADD(sc, lost_data_pkts_in, 1); 1764 m_freem(m); 1765 } 1766 } 1767 1768 static struct ovpn_kkey * 1769 ovpn_find_key(struct ovpn_softc *sc, struct ovpn_kpeer *peer, 1770 const struct ovpn_wire_header *ohdr) 1771 { 1772 struct ovpn_kkey *key = NULL; 1773 uint8_t keyid; 1774 1775 OVPN_RASSERT(sc); 1776 1777 keyid = (ntohl(ohdr->opcode) >> 24) & 0x07; 1778 1779 if (peer->keys[0].keyid == keyid) 1780 key = &peer->keys[0]; 1781 else if (peer->keys[1].keyid == keyid) 1782 key = &peer->keys[1]; 1783 1784 return (key); 1785 } 1786 1787 static int 1788 ovpn_decrypt_rx_cb(struct cryptop *crp) 1789 { 1790 struct epoch_tracker et; 1791 struct ovpn_softc *sc = crp->crp_opaque; 1792 struct mbuf *m = crp->crp_buf.cb_mbuf; 1793 struct ovpn_kkey *key; 1794 struct ovpn_kpeer *peer; 1795 struct ovpn_wire_header *ohdr; 1796 uint32_t peerid; 1797 1798 OVPN_RLOCK_TRACKER; 1799 1800 OVPN_RLOCK(sc); 1801 1802 MPASS(crp->crp_buf.cb_type == CRYPTO_BUF_MBUF); 1803 1804 if (crp->crp_etype != 0) { 1805 crypto_freereq(crp); 1806 atomic_add_int(&sc->refcount, -1); 1807 OVPN_COUNTER_ADD(sc, lost_data_pkts_in, 1); 1808 OVPN_RUNLOCK(sc); 1809 m_freem(m); 1810 return (0); 1811 } 1812 1813 CURVNET_SET(sc->ifp->if_vnet); 1814 1815 ohdr = mtodo(m, sizeof(struct udphdr)); 1816 1817 peerid = ntohl(ohdr->opcode) & 0x00ffffff; 1818 peer = ovpn_find_peer(sc, peerid); 1819 if (peer == NULL) { 1820 /* No such peer. Drop packet. */ 1821 crypto_freereq(crp); 1822 atomic_add_int(&sc->refcount, -1); 1823 OVPN_RUNLOCK(sc); 1824 OVPN_COUNTER_ADD(sc, lost_data_pkts_in, 1); 1825 m_freem(m); 1826 CURVNET_RESTORE(); 1827 return (0); 1828 } 1829 1830 key = ovpn_find_key(sc, peer, ohdr); 1831 if (key == NULL) { 1832 crypto_freereq(crp); 1833 atomic_add_int(&sc->refcount, -1); 1834 /* 1835 * Has this key been removed between us starting the decrypt 1836 * and finishing it? 1837 */ 1838 OVPN_RUNLOCK(sc); 1839 OVPN_COUNTER_ADD(sc, lost_data_pkts_in, 1); 1840 m_freem(m); 1841 CURVNET_RESTORE(); 1842 return (0); 1843 } 1844 1845 /* Now remove the outer headers */ 1846 m_adj_decap(m, sizeof(struct udphdr) + 1847 sizeof(struct ovpn_wire_header)); 1848 1849 NET_EPOCH_ENTER(et); 1850 ovpn_finish_rx(sc, m, peer, key, ntohl(ohdr->seq), _ovpn_lock_trackerp); 1851 NET_EPOCH_EXIT(et); 1852 OVPN_UNLOCK_ASSERT(sc); 1853 1854 CURVNET_RESTORE(); 1855 1856 crypto_freereq(crp); 1857 atomic_add_int(&sc->refcount, -1); 1858 1859 return (0); 1860 } 1861 1862 static int 1863 ovpn_get_af(struct mbuf *m) 1864 { 1865 struct ip *ip; 1866 struct ip6_hdr *ip6; 1867 1868 /* 1869 * We should pullup, but we're only interested in the first byte, so 1870 * that'll always be contiguous. 1871 */ 1872 ip = mtod(m, struct ip *); 1873 if (ip->ip_v == IPVERSION) 1874 return (AF_INET); 1875 1876 ip6 = mtod(m, struct ip6_hdr *); 1877 if ((ip6->ip6_vfc & IPV6_VERSION_MASK) == IPV6_VERSION) 1878 return (AF_INET6); 1879 1880 return (0); 1881 } 1882 1883 #ifdef INET 1884 static struct ovpn_kpeer * 1885 ovpn_find_peer_by_ip(struct ovpn_softc *sc, const struct in_addr addr) 1886 { 1887 struct ovpn_kpeer *peer = NULL; 1888 1889 OVPN_ASSERT(sc); 1890 1891 /* TODO: Add a second RB so we can look up by IP. */ 1892 RB_FOREACH(peer, ovpn_kpeers, &sc->peers) { 1893 if (addr.s_addr == peer->vpn4.s_addr) 1894 return (peer); 1895 } 1896 1897 return (peer); 1898 } 1899 #endif 1900 1901 #ifdef INET6 1902 static struct ovpn_kpeer * 1903 ovpn_find_peer_by_ip6(struct ovpn_softc *sc, const struct in6_addr *addr) 1904 { 1905 struct ovpn_kpeer *peer = NULL; 1906 1907 OVPN_ASSERT(sc); 1908 1909 /* TODO: Add a third RB so we can look up by IPv6 address. */ 1910 RB_FOREACH(peer, ovpn_kpeers, &sc->peers) { 1911 if (memcmp(addr, &peer->vpn6, sizeof(*addr)) == 0) 1912 return (peer); 1913 } 1914 1915 return (peer); 1916 } 1917 #endif 1918 1919 static struct ovpn_kpeer * 1920 ovpn_route_peer(struct ovpn_softc *sc, struct mbuf **m0, 1921 const struct sockaddr *dst) 1922 { 1923 struct ovpn_kpeer *peer = NULL; 1924 int af; 1925 1926 NET_EPOCH_ASSERT(); 1927 OVPN_ASSERT(sc); 1928 1929 /* Shortcut if we're a client (or are a server and have only one client). */ 1930 if (sc->peercount == 1) 1931 return (ovpn_find_only_peer(sc)); 1932 1933 if (dst != NULL) 1934 af = dst->sa_family; 1935 else 1936 af = ovpn_get_af(*m0); 1937 1938 switch (af) { 1939 #ifdef INET 1940 case AF_INET: { 1941 const struct sockaddr_in *sa = (const struct sockaddr_in *)dst; 1942 struct nhop_object *nh; 1943 const struct in_addr *ip_dst; 1944 1945 if (sa != NULL) { 1946 ip_dst = &sa->sin_addr; 1947 } else { 1948 struct ip *ip; 1949 1950 *m0 = m_pullup(*m0, sizeof(struct ip)); 1951 if (*m0 == NULL) 1952 return (NULL); 1953 ip = mtod(*m0, struct ip *); 1954 ip_dst = &ip->ip_dst; 1955 } 1956 1957 peer = ovpn_find_peer_by_ip(sc, *ip_dst); 1958 SDT_PROBE2(if_ovpn, tx, route, ip4, ip_dst, peer); 1959 if (peer == NULL) { 1960 nh = fib4_lookup(M_GETFIB(*m0), *ip_dst, 0, 1961 NHR_NONE, 0); 1962 if (nh && (nh->nh_flags & NHF_GATEWAY)) { 1963 peer = ovpn_find_peer_by_ip(sc, 1964 nh->gw4_sa.sin_addr); 1965 SDT_PROBE2(if_ovpn, tx, route, ip4, 1966 &nh->gw4_sa.sin_addr, peer); 1967 } 1968 } 1969 break; 1970 } 1971 #endif 1972 #ifdef INET6 1973 case AF_INET6: { 1974 const struct sockaddr_in6 *sa6 = 1975 (const struct sockaddr_in6 *)dst; 1976 struct nhop_object *nh; 1977 const struct in6_addr *ip6_dst; 1978 1979 if (sa6 != NULL) { 1980 ip6_dst = &sa6->sin6_addr; 1981 } else { 1982 struct ip6_hdr *ip6; 1983 1984 *m0 = m_pullup(*m0, sizeof(struct ip6_hdr)); 1985 if (*m0 == NULL) 1986 return (NULL); 1987 ip6 = mtod(*m0, struct ip6_hdr *); 1988 ip6_dst = &ip6->ip6_dst; 1989 } 1990 1991 peer = ovpn_find_peer_by_ip6(sc, ip6_dst); 1992 SDT_PROBE2(if_ovpn, tx, route, ip6, ip6_dst, peer); 1993 if (peer == NULL) { 1994 nh = fib6_lookup(M_GETFIB(*m0), ip6_dst, 0, 1995 NHR_NONE, 0); 1996 if (nh && (nh->nh_flags & NHF_GATEWAY)) { 1997 peer = ovpn_find_peer_by_ip6(sc, 1998 &nh->gw6_sa.sin6_addr); 1999 SDT_PROBE2(if_ovpn, tx, route, ip6, 2000 &nh->gw6_sa.sin6_addr, peer); 2001 } 2002 } 2003 break; 2004 } 2005 #endif 2006 } 2007 2008 return (peer); 2009 } 2010 2011 static int 2012 ovpn_transmit(struct ifnet *ifp, struct mbuf *m) 2013 { 2014 return (ifp->if_output(ifp, m, NULL, NULL)); 2015 } 2016 2017 static int 2018 ovpn_transmit_to_peer(struct ifnet *ifp, struct mbuf *m, 2019 struct ovpn_kpeer *peer, struct rm_priotracker *_ovpn_lock_trackerp) 2020 { 2021 struct ovpn_wire_header *ohdr; 2022 struct ovpn_kkey *key; 2023 struct ovpn_softc *sc; 2024 struct cryptop *crp; 2025 uint32_t af, seq; 2026 uint64_t seq64; 2027 size_t len, ovpn_hdr_len; 2028 int tunnel_len; 2029 int ret; 2030 2031 sc = ifp->if_softc; 2032 2033 OVPN_RASSERT(sc); 2034 2035 tunnel_len = m->m_pkthdr.len; 2036 2037 key = &peer->keys[OVPN_KEY_SLOT_PRIMARY]; 2038 if (key->encrypt == NULL) { 2039 if (_ovpn_lock_trackerp != NULL) 2040 OVPN_RUNLOCK(sc); 2041 m_freem(m); 2042 return (ENOLINK); 2043 } 2044 2045 af = ovpn_get_af(m); 2046 /* Don't capture control packets. */ 2047 if (af != 0) 2048 BPF_MTAP2(ifp, &af, sizeof(af), m); 2049 2050 if (__predict_false(if_tunnel_check_nesting(ifp, m, MTAG_OVPN_LOOP, 3))) { 2051 if (_ovpn_lock_trackerp != NULL) 2052 OVPN_RUNLOCK(sc); 2053 OVPN_COUNTER_ADD(sc, lost_data_pkts_out, 1); 2054 m_freem(m); 2055 return (ELOOP); 2056 } 2057 2058 len = m->m_pkthdr.len; 2059 MPASS(len <= ifp->if_mtu); 2060 2061 ovpn_hdr_len = sizeof(struct ovpn_wire_header); 2062 if (key->encrypt->cipher == OVPN_CIPHER_ALG_NONE) 2063 ovpn_hdr_len -= 16; /* No auth tag. */ 2064 2065 M_PREPEND(m, ovpn_hdr_len, M_NOWAIT); 2066 if (m == NULL) { 2067 if (_ovpn_lock_trackerp != NULL) 2068 OVPN_RUNLOCK(sc); 2069 OVPN_COUNTER_ADD(sc, nomem_data_pkts_out, 1); 2070 return (ENOBUFS); 2071 } 2072 ohdr = mtod(m, struct ovpn_wire_header *); 2073 ohdr->opcode = (OVPN_OP_DATA_V2 << OVPN_OP_SHIFT) | key->keyid; 2074 ohdr->opcode <<= 24; 2075 ohdr->opcode |= key->peerid; 2076 ohdr->opcode = htonl(ohdr->opcode); 2077 2078 seq64 = atomic_fetchadd_64(&peer->keys[OVPN_KEY_SLOT_PRIMARY].encrypt->tx_seq, 1); 2079 if (seq64 == OVPN_SEQ_ROTATE) { 2080 ovpn_notify_key_rotation(sc, peer); 2081 } else if (seq64 > UINT32_MAX) { 2082 /* We've wrapped, give up on this packet. */ 2083 if (_ovpn_lock_trackerp != NULL) 2084 OVPN_RUNLOCK(sc); 2085 OVPN_COUNTER_ADD(sc, nomem_data_pkts_out, 1); 2086 2087 /* Let's avoid (very unlikely, but still) wraparounds of the 2088 * 64-bit counter taking us back to 0. */ 2089 atomic_store_64(&peer->keys[OVPN_KEY_SLOT_PRIMARY].encrypt->tx_seq, 2090 UINT32_MAX); 2091 2092 return (ENOBUFS); 2093 } 2094 2095 seq = htonl(seq64 & UINT32_MAX); 2096 ohdr->seq = seq; 2097 2098 OVPN_PEER_COUNTER_ADD(peer, pkt_out, 1); 2099 OVPN_PEER_COUNTER_ADD(peer, bytes_out, len); 2100 2101 if (key->encrypt->cipher == OVPN_CIPHER_ALG_NONE) { 2102 ret = ovpn_encap(sc, peer->peerid, m); 2103 if (_ovpn_lock_trackerp != NULL) 2104 OVPN_RUNLOCK(sc); 2105 if (ret == 0) { 2106 OVPN_COUNTER_ADD(sc, sent_data_pkts, 1); 2107 OVPN_COUNTER_ADD(sc, tunnel_bytes_sent, tunnel_len); 2108 } 2109 return (ret); 2110 } 2111 2112 crp = crypto_getreq(key->encrypt->cryptoid, M_NOWAIT); 2113 if (crp == NULL) { 2114 if (_ovpn_lock_trackerp != NULL) 2115 OVPN_RUNLOCK(sc); 2116 OVPN_COUNTER_ADD(sc, nomem_data_pkts_out, 1); 2117 m_freem(m); 2118 return (ENOBUFS); 2119 } 2120 2121 /* Encryption covers only the payload, not the header. */ 2122 crp->crp_payload_start = sizeof(*ohdr); 2123 crp->crp_payload_length = len; 2124 crp->crp_op = CRYPTO_OP_ENCRYPT; 2125 2126 /* 2127 * AAD data covers the ovpn_wire_header minus the auth 2128 * tag. 2129 */ 2130 crp->crp_aad_length = sizeof(*ohdr) - sizeof(ohdr->auth_tag); 2131 crp->crp_aad = ohdr; 2132 crp->crp_aad_start = 0; 2133 crp->crp_op |= CRYPTO_OP_COMPUTE_DIGEST; 2134 crp->crp_digest_start = offsetof(struct ovpn_wire_header, auth_tag); 2135 2136 crp->crp_flags |= CRYPTO_F_IV_SEPARATE; 2137 memcpy(crp->crp_iv, &seq, sizeof(seq)); 2138 memcpy(crp->crp_iv + sizeof(seq), key->encrypt->nonce, 2139 key->encrypt->noncelen); 2140 2141 crypto_use_mbuf(crp, m); 2142 crp->crp_flags |= CRYPTO_F_CBIFSYNC; 2143 crp->crp_callback = ovpn_encrypt_tx_cb; 2144 crp->crp_opaque = peer; 2145 2146 atomic_add_int(&peer->refcount, 1); 2147 if (_ovpn_lock_trackerp != NULL) 2148 OVPN_RUNLOCK(sc); 2149 if (V_async_crypto) 2150 ret = crypto_dispatch_async(crp, CRYPTO_ASYNC_ORDERED); 2151 else 2152 ret = crypto_dispatch(crp); 2153 if (ret) { 2154 OVPN_COUNTER_ADD(sc, lost_data_pkts_out, 1); 2155 } 2156 2157 return (ret); 2158 } 2159 2160 /* 2161 * Note: Expects to hold the read lock on entry, and will release it itself. 2162 */ 2163 static int 2164 ovpn_encap(struct ovpn_softc *sc, uint32_t peerid, struct mbuf *m) 2165 { 2166 struct udphdr *udp; 2167 struct ovpn_kpeer *peer; 2168 int len; 2169 2170 OVPN_RLOCK_TRACKER; 2171 2172 OVPN_RLOCK(sc); 2173 NET_EPOCH_ASSERT(); 2174 2175 peer = ovpn_find_peer(sc, peerid); 2176 if (peer == NULL || sc->ifp->if_link_state != LINK_STATE_UP) { 2177 OVPN_RUNLOCK(sc); 2178 OVPN_COUNTER_ADD(sc, lost_data_pkts_out, 1); 2179 m_freem(m); 2180 return (ENETDOWN); 2181 } 2182 2183 len = m->m_pkthdr.len; 2184 2185 M_PREPEND(m, sizeof(struct udphdr), M_NOWAIT); 2186 if (m == NULL) { 2187 OVPN_RUNLOCK(sc); 2188 OVPN_COUNTER_ADD(sc, nomem_data_pkts_out, 1); 2189 m_freem(m); 2190 return (ENOBUFS); 2191 } 2192 udp = mtod(m, struct udphdr *); 2193 2194 MPASS(peer->local.ss_family == peer->remote.ss_family); 2195 2196 udp->uh_sport = ovpn_get_port(&peer->local); 2197 udp->uh_dport = ovpn_get_port(&peer->remote); 2198 udp->uh_ulen = htons(sizeof(struct udphdr) + len); 2199 2200 switch (peer->remote.ss_family) { 2201 #ifdef INET 2202 case AF_INET: { 2203 struct sockaddr_in *in_local = TO_IN(&peer->local); 2204 struct sockaddr_in *in_remote = TO_IN(&peer->remote); 2205 struct ip *ip; 2206 2207 /* 2208 * This requires knowing the source IP, which we don't. Happily 2209 * we're allowed to keep this at 0, and the checksum won't do 2210 * anything the crypto won't already do. 2211 */ 2212 udp->uh_sum = 0; 2213 2214 /* Set the checksum flags so we recalculate checksums. */ 2215 m->m_pkthdr.csum_flags |= CSUM_IP; 2216 m->m_pkthdr.csum_data = offsetof(struct udphdr, uh_sum); 2217 2218 M_PREPEND(m, sizeof(struct ip), M_NOWAIT); 2219 if (m == NULL) { 2220 OVPN_RUNLOCK(sc); 2221 OVPN_COUNTER_ADD(sc, nomem_data_pkts_out, 1); 2222 return (ENOBUFS); 2223 } 2224 ip = mtod(m, struct ip *); 2225 2226 ip->ip_tos = 0; 2227 ip->ip_len = htons(sizeof(struct ip) + sizeof(struct udphdr) + 2228 len); 2229 ip->ip_off = 0; 2230 ip->ip_ttl = V_ip_defttl; 2231 ip->ip_p = IPPROTO_UDP; 2232 ip->ip_sum = 0; 2233 if (in_local->sin_port != 0) 2234 ip->ip_src = in_local->sin_addr; 2235 else 2236 ip->ip_src.s_addr = INADDR_ANY; 2237 ip->ip_dst = in_remote->sin_addr; 2238 2239 OVPN_RUNLOCK(sc); 2240 OVPN_COUNTER_ADD(sc, transport_bytes_sent, m->m_pkthdr.len); 2241 2242 return (ip_output(m, NULL, NULL, 0, NULL, NULL)); 2243 } 2244 #endif 2245 #ifdef INET6 2246 case AF_INET6: { 2247 struct sockaddr_in6 *in6_local = TO_IN6(&peer->local); 2248 struct sockaddr_in6 *in6_remote = TO_IN6(&peer->remote); 2249 struct ip6_hdr *ip6; 2250 2251 M_PREPEND(m, sizeof(struct ip6_hdr), M_NOWAIT); 2252 if (m == NULL) { 2253 OVPN_RUNLOCK(sc); 2254 OVPN_COUNTER_ADD(sc, nomem_data_pkts_out, 1); 2255 return (ENOBUFS); 2256 } 2257 m = m_pullup(m, sizeof(*ip6) + sizeof(*udp)); 2258 if (m == NULL) { 2259 OVPN_RUNLOCK(sc); 2260 OVPN_COUNTER_ADD(sc, nomem_data_pkts_out, 1); 2261 return (ENOBUFS); 2262 } 2263 2264 ip6 = mtod(m, struct ip6_hdr *); 2265 2266 ip6->ip6_vfc = IPV6_VERSION; 2267 ip6->ip6_flow &= ~IPV6_FLOWINFO_MASK; 2268 ip6->ip6_plen = htons(sizeof(*ip6) + sizeof(struct udphdr) + 2269 len); 2270 ip6->ip6_nxt = IPPROTO_UDP; 2271 ip6->ip6_hlim = V_ip6_defhlim; 2272 2273 memcpy(&ip6->ip6_src, &in6_local->sin6_addr, 2274 sizeof(ip6->ip6_src)); 2275 memcpy(&ip6->ip6_dst, &in6_remote->sin6_addr, 2276 sizeof(ip6->ip6_dst)); 2277 2278 udp = mtodo(m, sizeof(*ip6)); 2279 udp->uh_sum = in6_cksum_pseudo(ip6, 2280 m->m_pkthdr.len - sizeof(struct ip6_hdr), 2281 IPPROTO_UDP, 0); 2282 2283 m->m_pkthdr.csum_flags |= CSUM_UDP_IPV6; 2284 m->m_pkthdr.csum_data = offsetof(struct udphdr, uh_sum); 2285 2286 OVPN_RUNLOCK(sc); 2287 OVPN_COUNTER_ADD(sc, transport_bytes_sent, m->m_pkthdr.len); 2288 2289 return (ip6_output(m, NULL, NULL, IPV6_UNSPECSRC, NULL, NULL, 2290 NULL)); 2291 } 2292 #endif 2293 default: 2294 panic("Unsupported address family %d", 2295 peer->remote.ss_family); 2296 } 2297 } 2298 2299 static int 2300 ovpn_output(struct ifnet *ifp, struct mbuf *m, const struct sockaddr *dst, 2301 struct route *ro) 2302 { 2303 struct ovpn_softc *sc; 2304 struct ovpn_kpeer *peer; 2305 2306 OVPN_RLOCK_TRACKER; 2307 2308 sc = ifp->if_softc; 2309 2310 m = m_unshare(m, M_NOWAIT); 2311 if (m == NULL) { 2312 OVPN_COUNTER_ADD(sc, lost_data_pkts_out, 1); 2313 return (ENOBUFS); 2314 } 2315 2316 OVPN_RLOCK(sc); 2317 2318 SDT_PROBE1(if_ovpn, tx, transmit, start, m); 2319 2320 if (__predict_false(ifp->if_link_state != LINK_STATE_UP)) { 2321 OVPN_COUNTER_ADD(sc, lost_data_pkts_out, 1); 2322 OVPN_RUNLOCK(sc); 2323 m_freem(m); 2324 return (ENETDOWN); 2325 } 2326 2327 /** 2328 * Only obey 'dst' (i.e. the gateway) if no route is supplied. 2329 * That's our indication that we're being called through pf's route-to, 2330 * and we should route according to 'dst' instead. We can't do so 2331 * consistently, because the usual openvpn configuration sets the first 2332 * non-server IP in the subnet as the gateway. If we always use that 2333 * one we'd end up routing all traffic to the first client. 2334 * tl;dr: 'ro == NULL' tells us pf is doing a route-to, and then but 2335 * only then, we should treat 'dst' as the destination. */ 2336 peer = ovpn_route_peer(sc, &m, ro == NULL ? dst : NULL); 2337 if (peer == NULL) { 2338 /* No destination. */ 2339 OVPN_COUNTER_ADD(sc, lost_data_pkts_out, 1); 2340 OVPN_RUNLOCK(sc); 2341 m_freem(m); 2342 return (ENETDOWN); 2343 } 2344 2345 return (ovpn_transmit_to_peer(ifp, m, peer, _ovpn_lock_trackerp)); 2346 } 2347 2348 static bool 2349 ovpn_check_replay(struct ovpn_kkey_dir *key, uint32_t seq) 2350 { 2351 uint32_t d; 2352 2353 mtx_lock(&key->replay_mtx); 2354 2355 /* Sequence number must be strictly greater than rx_seq */ 2356 if (seq <= key->rx_seq) { 2357 mtx_unlock(&key->replay_mtx); 2358 return (false); 2359 } 2360 2361 /* Large jump. The packet authenticated okay, so just accept that. */ 2362 if (seq > (key->rx_seq + (sizeof(key->rx_window) * 8))) { 2363 key->rx_seq = seq; 2364 key->rx_window = 0; 2365 mtx_unlock(&key->replay_mtx); 2366 return (true); 2367 } 2368 2369 /* Happy case. */ 2370 if ((seq == key->rx_seq + 1) && key->rx_window == 0) { 2371 key->rx_seq++; 2372 mtx_unlock(&key->replay_mtx); 2373 return (true); 2374 } 2375 2376 d = seq - key->rx_seq - 1; 2377 2378 if (key->rx_window & ((uint64_t)1 << d)) { 2379 /* Dupe! */ 2380 mtx_unlock(&key->replay_mtx); 2381 return (false); 2382 } 2383 2384 key->rx_window |= (uint64_t)1 << d; 2385 2386 while (key->rx_window & 1) { 2387 key->rx_seq++; 2388 key->rx_window >>= 1; 2389 } 2390 2391 mtx_unlock(&key->replay_mtx); 2392 2393 return (true); 2394 } 2395 2396 static struct ovpn_kpeer * 2397 ovpn_peer_from_mbuf(struct ovpn_softc *sc, struct mbuf *m, int off) 2398 { 2399 struct ovpn_wire_header ohdr; 2400 uint32_t peerid; 2401 const size_t hdrlen = sizeof(ohdr) - sizeof(ohdr.auth_tag); 2402 2403 OVPN_RASSERT(sc); 2404 2405 if (m_length(m, NULL) < (off + sizeof(struct udphdr) + hdrlen)) 2406 return (NULL); 2407 2408 m_copydata(m, off + sizeof(struct udphdr), hdrlen, (caddr_t)&ohdr); 2409 2410 peerid = ntohl(ohdr.opcode) & 0x00ffffff; 2411 2412 return (ovpn_find_peer(sc, peerid)); 2413 } 2414 2415 static bool 2416 ovpn_udp_input(struct mbuf *m, int off, struct inpcb *inp, 2417 const struct sockaddr *sa, void *ctx) 2418 { 2419 struct ovpn_softc *sc = ctx; 2420 struct ovpn_wire_header tmphdr; 2421 struct ovpn_wire_header *ohdr; 2422 struct udphdr *uhdr; 2423 struct ovpn_kkey *key; 2424 struct cryptop *crp; 2425 struct ovpn_kpeer *peer; 2426 size_t ohdrlen; 2427 int ret; 2428 uint8_t op; 2429 2430 OVPN_RLOCK_TRACKER; 2431 2432 M_ASSERTPKTHDR(m); 2433 2434 OVPN_COUNTER_ADD(sc, transport_bytes_received, m->m_pkthdr.len - off); 2435 2436 ohdrlen = sizeof(*ohdr) - sizeof(ohdr->auth_tag); 2437 2438 OVPN_RLOCK(sc); 2439 2440 peer = ovpn_peer_from_mbuf(sc, m, off); 2441 if (peer == NULL) { 2442 OVPN_RUNLOCK(sc); 2443 return (false); 2444 } 2445 2446 if (m_length(m, NULL) < (off + sizeof(*uhdr) + ohdrlen)) { 2447 /* Short packet. */ 2448 OVPN_RUNLOCK(sc); 2449 return (false); 2450 } 2451 2452 m_copydata(m, off + sizeof(*uhdr), ohdrlen, (caddr_t)&tmphdr); 2453 2454 op = ntohl(tmphdr.opcode) >> 24 >> OVPN_OP_SHIFT; 2455 if (op != OVPN_OP_DATA_V2) { 2456 /* Control packet? */ 2457 OVPN_RUNLOCK(sc); 2458 return (false); 2459 } 2460 2461 m = m_unshare(m, M_NOWAIT); 2462 if (m == NULL) { 2463 OVPN_COUNTER_ADD(sc, nomem_data_pkts_in, 1); 2464 return (true); 2465 } 2466 2467 m = m_pullup(m, off + sizeof(*uhdr) + ohdrlen); 2468 if (m == NULL) { 2469 OVPN_RUNLOCK(sc); 2470 OVPN_COUNTER_ADD(sc, nomem_data_pkts_in, 1); 2471 return (true); 2472 } 2473 2474 /* 2475 * Simplify things by getting rid of the preceding headers, we don't 2476 * care about them. 2477 */ 2478 m_adj_decap(m, off); 2479 2480 uhdr = mtodo(m, 0); 2481 ohdr = mtodo(m, sizeof(*uhdr)); 2482 2483 key = ovpn_find_key(sc, peer, ohdr); 2484 if (key == NULL || key->decrypt == NULL) { 2485 OVPN_RUNLOCK(sc); 2486 OVPN_COUNTER_ADD(sc, lost_data_pkts_in, 1); 2487 m_freem(m); 2488 return (true); 2489 } 2490 2491 /* 2492 * If we got this from a different address than we expected tag the packet. 2493 * We'll deal with notifiying userspace later, after we've decrypted and 2494 * verified. 2495 */ 2496 if (! ovpn_sockaddr_compare((struct sockaddr *)&peer->remote, sa)) { 2497 struct m_tag *mt; 2498 struct ovpn_mtag *ot; 2499 2500 MPASS(sa->sa_len <= sizeof(ot->addr)); 2501 mt = m_tag_get(PACKET_TAG_OVPN, sizeof(*ot), M_NOWAIT); 2502 /* 2503 * If we fail to allocate here we'll just try again on the next 2504 * packet. 2505 */ 2506 if (mt != NULL) { 2507 ot = (struct ovpn_mtag *)(mt + 1); 2508 memcpy(&ot->addr, sa, sa->sa_len); 2509 2510 m_tag_prepend(m, mt); 2511 } 2512 } 2513 2514 if (key->decrypt->cipher == OVPN_CIPHER_ALG_NONE) { 2515 /* Now remove the outer headers */ 2516 m_adj_decap(m, sizeof(struct udphdr) + ohdrlen); 2517 2518 ohdr = mtodo(m, sizeof(*uhdr)); 2519 2520 ovpn_finish_rx(sc, m, peer, key, ntohl(ohdr->seq), 2521 _ovpn_lock_trackerp); 2522 OVPN_UNLOCK_ASSERT(sc); 2523 return (true); 2524 } 2525 2526 ohdrlen += sizeof(ohdr->auth_tag); 2527 2528 m = m_pullup(m, sizeof(*uhdr) + ohdrlen); 2529 if (m == NULL) { 2530 OVPN_RUNLOCK(sc); 2531 OVPN_COUNTER_ADD(sc, nomem_data_pkts_in, 1); 2532 return (true); 2533 } 2534 uhdr = mtodo(m, 0); 2535 ohdr = mtodo(m, sizeof(*uhdr)); 2536 2537 /* Decrypt */ 2538 crp = crypto_getreq(key->decrypt->cryptoid, M_NOWAIT); 2539 if (crp == NULL) { 2540 OVPN_COUNTER_ADD(sc, nomem_data_pkts_in, 1); 2541 OVPN_RUNLOCK(sc); 2542 m_freem(m); 2543 return (true); 2544 } 2545 2546 crp->crp_payload_start = sizeof(struct udphdr) + sizeof(*ohdr); 2547 crp->crp_payload_length = ntohs(uhdr->uh_ulen) - 2548 sizeof(*uhdr) - sizeof(*ohdr); 2549 crp->crp_op = CRYPTO_OP_DECRYPT; 2550 2551 /* AAD validation. */ 2552 crp->crp_aad_length = sizeof(*ohdr) - sizeof(ohdr->auth_tag); 2553 crp->crp_aad = ohdr; 2554 crp->crp_aad_start = 0; 2555 crp->crp_op |= CRYPTO_OP_VERIFY_DIGEST; 2556 crp->crp_digest_start = sizeof(struct udphdr) + 2557 offsetof(struct ovpn_wire_header, auth_tag); 2558 2559 crp->crp_flags |= CRYPTO_F_IV_SEPARATE; 2560 memcpy(crp->crp_iv, &ohdr->seq, sizeof(ohdr->seq)); 2561 memcpy(crp->crp_iv + sizeof(ohdr->seq), key->decrypt->nonce, 2562 key->decrypt->noncelen); 2563 2564 crypto_use_mbuf(crp, m); 2565 crp->crp_flags |= CRYPTO_F_CBIFSYNC; 2566 crp->crp_callback = ovpn_decrypt_rx_cb; 2567 crp->crp_opaque = sc; 2568 2569 atomic_add_int(&sc->refcount, 1); 2570 OVPN_RUNLOCK(sc); 2571 if (V_async_crypto) 2572 ret = crypto_dispatch_async(crp, CRYPTO_ASYNC_ORDERED); 2573 else 2574 ret = crypto_dispatch(crp); 2575 if (ret != 0) { 2576 OVPN_COUNTER_ADD(sc, lost_data_pkts_in, 1); 2577 } 2578 2579 return (true); 2580 } 2581 2582 static void 2583 ovpn_qflush(struct ifnet *ifp __unused) 2584 { 2585 2586 } 2587 2588 static void 2589 ovpn_flush_rxring(struct ovpn_softc *sc) 2590 { 2591 struct ovpn_notification *n; 2592 2593 OVPN_WASSERT(sc); 2594 2595 while (! buf_ring_empty(sc->notifring)) { 2596 n = buf_ring_dequeue_sc(sc->notifring); 2597 free(n, M_OVPN); 2598 } 2599 } 2600 2601 #ifdef VIMAGE 2602 static void 2603 ovpn_reassign(struct ifnet *ifp, struct vnet *new_vnet __unused, 2604 char *unused __unused) 2605 { 2606 struct ovpn_softc *sc = ifp->if_softc; 2607 struct ovpn_kpeer *peer, *tmppeer; 2608 int ret __diagused; 2609 2610 OVPN_WLOCK(sc); 2611 2612 /* Flush keys & configuration. */ 2613 RB_FOREACH_SAFE(peer, ovpn_kpeers, &sc->peers, tmppeer) { 2614 peer->del_reason = OVPN_DEL_REASON_REQUESTED; 2615 ret = _ovpn_del_peer(sc, peer); 2616 MPASS(ret == 0); 2617 } 2618 2619 ovpn_flush_rxring(sc); 2620 2621 OVPN_WUNLOCK(sc); 2622 } 2623 #endif 2624 2625 static int 2626 ovpn_clone_match(struct if_clone *ifc, const char *name) 2627 { 2628 /* 2629 * Allow all names that start with 'ovpn', specifically because pfSense 2630 * uses ovpnc1 / ovpns2 2631 */ 2632 return (strncmp(ovpnname, name, strlen(ovpnname)) == 0); 2633 } 2634 2635 static int 2636 ovpn_clone_create(struct if_clone *ifc, char *name, size_t len, 2637 struct ifc_data *ifd, struct ifnet **ifpp) 2638 { 2639 struct ovpn_softc *sc; 2640 struct ifnet *ifp; 2641 char *dp; 2642 int error, unit, wildcard; 2643 2644 /* Try to see if a special unit was requested. */ 2645 error = ifc_name2unit(name, &unit); 2646 if (error != 0) 2647 return (error); 2648 wildcard = (unit < 0); 2649 2650 error = ifc_alloc_unit(ifc, &unit); 2651 if (error != 0) 2652 return (error); 2653 2654 /* 2655 * If no unit had been given, we need to adjust the ifName. 2656 */ 2657 for (dp = name; *dp != '\0'; dp++); 2658 if (wildcard) { 2659 error = snprintf(dp, len - (dp - name), "%d", unit); 2660 if (error > len - (dp - name)) { 2661 /* ifName too long. */ 2662 ifc_free_unit(ifc, unit); 2663 return (ENOSPC); 2664 } 2665 dp += error; 2666 } 2667 2668 /* Make sure it doesn't already exist. */ 2669 if (ifunit(name) != NULL) 2670 return (EEXIST); 2671 2672 sc = malloc(sizeof(struct ovpn_softc), M_OVPN, M_WAITOK | M_ZERO); 2673 sc->ifp = if_alloc(IFT_ENC); 2674 rm_init_flags(&sc->lock, "if_ovpn_lock", RM_RECURSE); 2675 sc->refcount = 0; 2676 2677 sc->notifring = buf_ring_alloc(32, M_OVPN, M_WAITOK, NULL); 2678 2679 COUNTER_ARRAY_ALLOC(sc->counters, OVPN_COUNTER_SIZE, M_WAITOK); 2680 2681 ifp = sc->ifp; 2682 ifp->if_softc = sc; 2683 strlcpy(ifp->if_xname, name, IFNAMSIZ); 2684 ifp->if_dname = ovpngroupname; 2685 ifp->if_dunit = unit; 2686 2687 ifp->if_addrlen = 0; 2688 ifp->if_mtu = 1428; 2689 ifp->if_flags = IFF_POINTOPOINT | IFF_MULTICAST; 2690 ifp->if_ioctl = ovpn_ioctl; 2691 ifp->if_transmit = ovpn_transmit; 2692 ifp->if_output = ovpn_output; 2693 ifp->if_qflush = ovpn_qflush; 2694 #ifdef VIMAGE 2695 ifp->if_reassign = ovpn_reassign; 2696 #endif 2697 ifp->if_capabilities |= IFCAP_LINKSTATE; 2698 ifp->if_capenable |= IFCAP_LINKSTATE; 2699 2700 if_attach(ifp); 2701 bpfattach(ifp, DLT_NULL, sizeof(uint32_t)); 2702 *ifpp = ifp; 2703 2704 return (0); 2705 } 2706 2707 static void 2708 ovpn_clone_destroy_cb(struct epoch_context *ctx) 2709 { 2710 struct ovpn_softc *sc; 2711 int ret __diagused; 2712 2713 sc = __containerof(ctx, struct ovpn_softc, epoch_ctx); 2714 2715 MPASS(sc->peercount == 0); 2716 MPASS(RB_EMPTY(&sc->peers)); 2717 2718 if (sc->so != NULL) { 2719 CURVNET_SET(sc->ifp->if_vnet); 2720 ret = udp_set_kernel_tunneling(sc->so, NULL, NULL, NULL); 2721 MPASS(ret == 0); 2722 sorele(sc->so); 2723 CURVNET_RESTORE(); 2724 } 2725 2726 COUNTER_ARRAY_FREE(sc->counters, OVPN_COUNTER_SIZE); 2727 2728 rm_destroy(&sc->lock); 2729 if_free(sc->ifp); 2730 free(sc, M_OVPN); 2731 } 2732 2733 static int 2734 ovpn_clone_destroy(struct if_clone *ifc, struct ifnet *ifp, uint32_t flags) 2735 { 2736 struct ovpn_softc *sc; 2737 struct ovpn_kpeer *peer, *tmppeer; 2738 int unit; 2739 int ret __diagused; 2740 2741 sc = ifp->if_softc; 2742 unit = ifp->if_dunit; 2743 2744 OVPN_WLOCK(sc); 2745 2746 if (atomic_load_int(&sc->refcount) > 0) { 2747 OVPN_WUNLOCK(sc); 2748 return (EBUSY); 2749 } 2750 2751 RB_FOREACH_SAFE(peer, ovpn_kpeers, &sc->peers, tmppeer) { 2752 peer->del_reason = OVPN_DEL_REASON_REQUESTED; 2753 ret = _ovpn_del_peer(sc, peer); 2754 MPASS(ret == 0); 2755 } 2756 2757 ovpn_flush_rxring(sc); 2758 buf_ring_free(sc->notifring, M_OVPN); 2759 2760 OVPN_WUNLOCK(sc); 2761 2762 bpfdetach(ifp); 2763 if_detach(ifp); 2764 ifp->if_softc = NULL; 2765 2766 NET_EPOCH_CALL(ovpn_clone_destroy_cb, &sc->epoch_ctx); 2767 2768 if (unit != IF_DUNIT_NONE) 2769 ifc_free_unit(ifc, unit); 2770 2771 NET_EPOCH_DRAIN_CALLBACKS(); 2772 2773 return (0); 2774 } 2775 2776 static void 2777 vnet_ovpn_init(const void *unused __unused) 2778 { 2779 struct if_clone_addreq req = { 2780 .match_f = ovpn_clone_match, 2781 .create_f = ovpn_clone_create, 2782 .destroy_f = ovpn_clone_destroy, 2783 }; 2784 V_ovpn_cloner = ifc_attach_cloner(ovpngroupname, &req); 2785 } 2786 VNET_SYSINIT(vnet_ovpn_init, SI_SUB_PSEUDO, SI_ORDER_ANY, 2787 vnet_ovpn_init, NULL); 2788 2789 static int 2790 ovpn_prison_remove(void *obj, void *data __unused) 2791 { 2792 #ifdef VIMAGE 2793 struct prison *pr; 2794 2795 pr = obj; 2796 if (prison_owns_vnet(pr)) { 2797 CURVNET_SET(pr->pr_vnet); 2798 if (V_ovpn_cloner != NULL) { 2799 ifc_detach_cloner(V_ovpn_cloner); 2800 V_ovpn_cloner = NULL; 2801 } 2802 CURVNET_RESTORE(); 2803 } 2804 #endif 2805 return (0); 2806 } 2807 2808 static int 2809 ovpnmodevent(module_t mod, int type, void *data) 2810 { 2811 static int ovpn_osd_jail_slot; 2812 2813 switch (type) { 2814 case MOD_LOAD: { 2815 /* 2816 * Registration is handled in vnet_ovpn_init(), but cloned 2817 * interfaces must be destroyed via PR_METHOD_REMOVE since they 2818 * hold a reference to the prison via the UDP socket, which 2819 * prevents the prison from being destroyed. 2820 */ 2821 osd_method_t methods[PR_MAXMETHOD] = { 2822 [PR_METHOD_REMOVE] = ovpn_prison_remove, 2823 }; 2824 ovpn_osd_jail_slot = osd_jail_register(NULL, methods); 2825 break; 2826 } 2827 case MOD_UNLOAD: 2828 if (ovpn_osd_jail_slot != 0) 2829 osd_jail_deregister(ovpn_osd_jail_slot); 2830 CURVNET_SET(vnet0); 2831 if (V_ovpn_cloner != NULL) { 2832 ifc_detach_cloner(V_ovpn_cloner); 2833 V_ovpn_cloner = NULL; 2834 } 2835 CURVNET_RESTORE(); 2836 break; 2837 default: 2838 return (EOPNOTSUPP); 2839 } 2840 2841 return (0); 2842 } 2843 2844 static moduledata_t ovpn_mod = { 2845 "if_ovpn", 2846 ovpnmodevent, 2847 0 2848 }; 2849 2850 DECLARE_MODULE(if_ovpn, ovpn_mod, SI_SUB_PSEUDO, SI_ORDER_ANY); 2851 MODULE_VERSION(if_ovpn, 1); 2852 MODULE_DEPEND(if_ovpn, crypto, 1, 1, 1); 2853