1 /*- 2 * SPDX-License-Identifier: BSD-2-Clause-FreeBSD 3 * 4 * Copyright (c) 2021-2022 Rubicon Communications, LLC (Netgate) 5 * 6 * Redistribution and use in source and binary forms, with or without 7 * modification, are permitted provided that the following conditions 8 * are met: 9 * 1. Redistributions of source code must retain the above copyright 10 * notice, this list of conditions and the following disclaimer. 11 * 2. Redistributions in binary form must reproduce the above copyright 12 * notice, this list of conditions and the following disclaimer in the 13 * documentation and/or other materials provided with the distribution. 14 * 15 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 16 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 17 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 18 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 19 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 20 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 21 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 22 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 23 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 24 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 25 * SUCH DAMAGE. 26 * 27 */ 28 #include "opt_inet.h" 29 #include "opt_inet6.h" 30 31 #include <sys/param.h> 32 #include <sys/systm.h> 33 #include <sys/buf_ring.h> 34 #include <sys/epoch.h> 35 #include <sys/file.h> 36 #include <sys/filedesc.h> 37 #include <sys/kernel.h> 38 #include <sys/malloc.h> 39 #include <sys/mbuf.h> 40 #include <sys/module.h> 41 #include <sys/nv.h> 42 #include <sys/priv.h> 43 #include <sys/protosw.h> 44 #include <sys/rmlock.h> 45 #include <sys/sdt.h> 46 #include <sys/smp.h> 47 #include <sys/socket.h> 48 #include <sys/socketvar.h> 49 #include <sys/sockio.h> 50 #include <sys/sysctl.h> 51 #include <sys/time.h> 52 53 #include <machine/atomic.h> 54 55 #include <net/bpf.h> 56 #include <net/if.h> 57 #include <net/if_clone.h> 58 #include <net/if_types.h> 59 #include <net/if_var.h> 60 #include <net/netisr.h> 61 #include <net/route/nhop.h> 62 63 #include <netinet/in.h> 64 #include <netinet/in_fib.h> 65 #include <netinet/ip.h> 66 #include <netinet/ip6.h> 67 #include <netinet/ip_var.h> 68 #include <netinet/udp.h> 69 #include <netinet/udp_var.h> 70 71 #include <netinet6/ip6_var.h> 72 #include <netinet6/in6_fib.h> 73 74 #include <machine/in_cksum.h> 75 76 #include <opencrypto/cryptodev.h> 77 78 #include "if_ovpn.h" 79 80 struct ovpn_kkey_dir { 81 int refcount; 82 uint8_t key[32]; 83 uint8_t keylen; 84 uint8_t nonce[8]; 85 uint8_t noncelen; 86 enum ovpn_key_cipher cipher; 87 crypto_session_t cryptoid; 88 89 struct mtx replay_mtx; 90 /* 91 * Last seen gapless sequence number. New rx seq numbers must be 92 * strictly higher than this. 93 */ 94 uint32_t rx_seq; 95 /* Seen packets, relative to rx_seq. bit(0) will always be 0. */ 96 uint64_t rx_window; 97 }; 98 99 struct ovpn_kkey { 100 struct ovpn_kkey_dir *encrypt; 101 struct ovpn_kkey_dir *decrypt; 102 uint8_t keyid; 103 uint32_t peerid; 104 }; 105 106 struct ovpn_keepalive { 107 uint32_t interval; 108 uint32_t timeout; 109 }; 110 111 struct ovpn_wire_header { 112 uint32_t opcode; /* opcode, key id, peer id */ 113 uint32_t seq; 114 uint8_t auth_tag[16]; 115 }; 116 117 struct ovpn_notification { 118 enum ovpn_notif_type type; 119 enum ovpn_del_reason del_reason; 120 uint32_t peerid; 121 }; 122 123 struct ovpn_softc; 124 125 struct ovpn_kpeer { 126 RB_ENTRY(ovpn_kpeer) tree; 127 int refcount; 128 uint32_t peerid; 129 130 struct ovpn_softc *sc; 131 struct sockaddr_storage local; 132 struct sockaddr_storage remote; 133 134 struct in_addr vpn4; 135 struct in6_addr vpn6; 136 137 struct ovpn_kkey keys[2]; 138 uint32_t tx_seq; 139 140 enum ovpn_del_reason del_reason; 141 struct ovpn_keepalive keepalive; 142 uint32_t *last_active; 143 struct callout ping_send; 144 struct callout ping_rcv; 145 }; 146 147 struct ovpn_counters { 148 uint64_t lost_ctrl_pkts_in; 149 uint64_t lost_ctrl_pkts_out; 150 uint64_t lost_data_pkts_in; 151 uint64_t lost_data_pkts_out; 152 uint64_t nomem_data_pkts_in; 153 uint64_t nomem_data_pkts_out; 154 uint64_t received_ctrl_pkts; 155 uint64_t received_data_pkts; 156 uint64_t sent_ctrl_pkts; 157 uint64_t sent_data_pkts; 158 159 uint64_t transport_bytes_sent; 160 uint64_t transport_bytes_received; 161 uint64_t tunnel_bytes_sent; 162 uint64_t tunnel_bytes_received; 163 }; 164 #define OVPN_COUNTER_SIZE (sizeof(struct ovpn_counters)/sizeof(uint64_t)) 165 166 RB_HEAD(ovpn_kpeers, ovpn_kpeer); 167 168 struct ovpn_softc { 169 int refcount; 170 struct rmlock lock; 171 struct ifnet *ifp; 172 struct socket *so; 173 int peercount; 174 struct ovpn_kpeers peers; 175 176 /* Pending notification */ 177 struct buf_ring *notifring; 178 179 counter_u64_t counters[OVPN_COUNTER_SIZE]; 180 181 struct epoch_context epoch_ctx; 182 }; 183 184 static struct ovpn_kpeer *ovpn_find_peer(struct ovpn_softc *, uint32_t); 185 static bool ovpn_udp_input(struct mbuf *, int, struct inpcb *, 186 const struct sockaddr *, void *); 187 static int ovpn_transmit_to_peer(struct ifnet *, struct mbuf *, 188 struct ovpn_kpeer *, struct rm_priotracker *); 189 static int ovpn_encap(struct ovpn_softc *, uint32_t, struct mbuf *); 190 static int ovpn_get_af(struct mbuf *); 191 static void ovpn_free_kkey_dir(struct ovpn_kkey_dir *); 192 static bool ovpn_check_replay(struct ovpn_kkey_dir *, uint32_t); 193 static int ovpn_peer_compare(struct ovpn_kpeer *, struct ovpn_kpeer *); 194 195 static RB_PROTOTYPE(ovpn_kpeers, ovpn_kpeer, tree, ovpn_peer_compare); 196 static RB_GENERATE(ovpn_kpeers, ovpn_kpeer, tree, ovpn_peer_compare); 197 198 #define OVPN_MTU_MIN 576 199 #define OVPN_MTU_MAX (IP_MAXPACKET - sizeof(struct ip) - \ 200 sizeof(struct udphdr) - sizeof(struct ovpn_wire_header)) 201 202 #define OVPN_OP_DATA_V2 0x09 203 #define OVPN_OP_SHIFT 3 204 205 VNET_DEFINE_STATIC(struct if_clone *, ovpn_cloner); 206 #define V_ovpn_cloner VNET(ovpn_cloner) 207 208 #define OVPN_RLOCK_TRACKER struct rm_priotracker _ovpn_lock_tracker; \ 209 struct rm_priotracker *_ovpn_lock_trackerp = &_ovpn_lock_tracker 210 #define OVPN_RLOCK(sc) rm_rlock(&(sc)->lock, _ovpn_lock_trackerp) 211 #define OVPN_RUNLOCK(sc) rm_runlock(&(sc)->lock, _ovpn_lock_trackerp) 212 #define OVPN_WLOCK(sc) rm_wlock(&(sc)->lock) 213 #define OVPN_WUNLOCK(sc) rm_wunlock(&(sc)->lock) 214 #define OVPN_ASSERT(sc) rm_assert(&(sc)->lock, RA_LOCKED) 215 #define OVPN_RASSERT(sc) rm_assert(&(sc)->lock, RA_RLOCKED) 216 #define OVPN_WASSERT(sc) rm_assert(&(sc)->lock, RA_WLOCKED) 217 #define OVPN_UNLOCK_ASSERT(sc) rm_assert(&(sc)->lock, RA_UNLOCKED) 218 219 #define OVPN_COUNTER_ADD(sc, name, val) \ 220 counter_u64_add(sc->counters[offsetof(struct ovpn_counters, name) / \ 221 sizeof(uint64_t)], val) 222 223 #define TO_IN(x) ((struct sockaddr_in *)(x)) 224 #define TO_IN6(x) ((struct sockaddr_in6 *)(x)) 225 226 SDT_PROVIDER_DEFINE(if_ovpn); 227 SDT_PROBE_DEFINE1(if_ovpn, tx, transmit, start, "struct mbuf *"); 228 SDT_PROBE_DEFINE2(if_ovpn, tx, route, ip4, "struct in_addr *", "struct ovpn_kpeer *"); 229 SDT_PROBE_DEFINE2(if_ovpn, tx, route, ip6, "struct in6_addr *", "struct ovpn_kpeer *"); 230 231 static const char ovpnname[] = "ovpn"; 232 static const char ovpngroupname[] = "openvpn"; 233 234 static MALLOC_DEFINE(M_OVPN, ovpnname, "OpenVPN DCO Interface"); 235 236 SYSCTL_DECL(_net_link); 237 static SYSCTL_NODE(_net_link, IFT_OTHER, openvpn, CTLFLAG_RW | CTLFLAG_MPSAFE, 0, 238 "OpenVPN DCO Interface"); 239 VNET_DEFINE_STATIC(int, replay_protection) = 0; 240 #define V_replay_protection VNET(replay_protection) 241 SYSCTL_INT(_net_link_openvpn, OID_AUTO, replay_protection, CTLFLAG_VNET | CTLFLAG_RW, 242 &VNET_NAME(replay_protection), 0, "Validate sequence numbers"); 243 244 VNET_DEFINE_STATIC(int, async_crypto); 245 #define V_async_crypto VNET(async_crypto) 246 SYSCTL_INT(_net_link_openvpn, OID_AUTO, async_crypto, 247 CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(async_crypto), 0, 248 "Use asynchronous mode to parallelize crypto jobs."); 249 250 VNET_DEFINE_STATIC(int, async_netisr_queue); 251 #define V_async_netisr_queue VNET(async_netisr_queue) 252 SYSCTL_INT(_net_link_openvpn, OID_AUTO, netisr_queue, 253 CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(async_netisr_queue), 0, 254 "Use netisr_queue() rather than netisr_dispatch()."); 255 256 static int 257 ovpn_peer_compare(struct ovpn_kpeer *a, struct ovpn_kpeer *b) 258 { 259 return (a->peerid - b->peerid); 260 } 261 262 static struct ovpn_kpeer * 263 ovpn_find_peer(struct ovpn_softc *sc, uint32_t peerid) 264 { 265 struct ovpn_kpeer p; 266 267 OVPN_ASSERT(sc); 268 269 p.peerid = peerid; 270 271 return (RB_FIND(ovpn_kpeers, &sc->peers, &p)); 272 } 273 274 static struct ovpn_kpeer * 275 ovpn_find_only_peer(struct ovpn_softc *sc) 276 { 277 OVPN_ASSERT(sc); 278 279 return (RB_ROOT(&sc->peers)); 280 } 281 282 static uint16_t 283 ovpn_get_port(struct sockaddr_storage *s) 284 { 285 switch (s->ss_family) { 286 case AF_INET: { 287 struct sockaddr_in *in = (struct sockaddr_in *)s; 288 return (in->sin_port); 289 } 290 case AF_INET6: { 291 struct sockaddr_in6 *in6 = (struct sockaddr_in6 *)s; 292 return (in6->sin6_port); 293 } 294 default: 295 panic("Unsupported address family %d", s->ss_family); 296 } 297 } 298 299 static int 300 ovpn_nvlist_to_sockaddr(const nvlist_t *nvl, struct sockaddr_storage *sa) 301 { 302 int af; 303 304 if (! nvlist_exists_number(nvl, "af")) 305 return (EINVAL); 306 if (! nvlist_exists_binary(nvl, "address")) 307 return (EINVAL); 308 if (! nvlist_exists_number(nvl, "port")) 309 return (EINVAL); 310 311 af = nvlist_get_number(nvl, "af"); 312 313 switch (af) { 314 #ifdef INET 315 case AF_INET: { 316 struct sockaddr_in *in = (struct sockaddr_in *)sa; 317 size_t len; 318 const void *addr = nvlist_get_binary(nvl, "address", &len); 319 in->sin_family = af; 320 if (len != sizeof(in->sin_addr)) 321 return (EINVAL); 322 323 memcpy(&in->sin_addr, addr, sizeof(in->sin_addr)); 324 in->sin_port = nvlist_get_number(nvl, "port"); 325 break; 326 } 327 #endif 328 #ifdef INET6 329 case AF_INET6: { 330 struct sockaddr_in6 *in6 = (struct sockaddr_in6 *)sa; 331 size_t len; 332 const void *addr = nvlist_get_binary(nvl, "address", &len); 333 in6->sin6_family = af; 334 if (len != sizeof(in6->sin6_addr)) 335 return (EINVAL); 336 337 memcpy(&in6->sin6_addr, addr, sizeof(in6->sin6_addr)); 338 in6->sin6_port = nvlist_get_number(nvl, "port"); 339 break; 340 } 341 #endif 342 default: 343 return (EINVAL); 344 } 345 346 return (0); 347 } 348 349 static bool 350 ovpn_has_peers(struct ovpn_softc *sc) 351 { 352 OVPN_ASSERT(sc); 353 354 return (sc->peercount > 0); 355 } 356 357 static void 358 ovpn_rele_so(struct ovpn_softc *sc, struct ovpn_kpeer *peer) 359 { 360 bool has_peers; 361 362 OVPN_WASSERT(sc); 363 364 if (sc->so == NULL) 365 return; 366 367 has_peers = ovpn_has_peers(sc); 368 369 /* Only remove the tunnel function if we're releasing the socket for 370 * the last peer. */ 371 if (! has_peers) 372 (void)udp_set_kernel_tunneling(sc->so, NULL, NULL, NULL); 373 374 sorele(sc->so); 375 376 if (! has_peers) 377 sc->so = NULL; 378 } 379 380 static void 381 ovpn_notify_del_peer(struct ovpn_softc *sc, struct ovpn_kpeer *peer) 382 { 383 struct ovpn_notification *n; 384 385 OVPN_WASSERT(sc); 386 387 n = malloc(sizeof(*n), M_OVPN, M_NOWAIT); 388 if (n == NULL) 389 return; 390 391 n->peerid = peer->peerid; 392 n->type = OVPN_NOTIF_DEL_PEER; 393 n->del_reason = peer->del_reason; 394 if (buf_ring_enqueue(sc->notifring, n) != 0) { 395 free(n, M_OVPN); 396 } else if (sc->so != NULL) { 397 /* Wake up userspace */ 398 sc->so->so_error = EAGAIN; 399 sorwakeup(sc->so); 400 sowwakeup(sc->so); 401 } 402 } 403 404 static void 405 ovpn_peer_release_ref(struct ovpn_kpeer *peer, bool locked) 406 { 407 struct ovpn_softc *sc; 408 409 CURVNET_ASSERT_SET(); 410 411 atomic_add_int(&peer->refcount, -1); 412 413 if (atomic_load_int(&peer->refcount) > 0) 414 return; 415 416 sc = peer->sc; 417 418 if (! locked) { 419 OVPN_WLOCK(sc); 420 421 /* Might have changed before we acquired the lock. */ 422 if (atomic_load_int(&peer->refcount) > 0) { 423 OVPN_WUNLOCK(sc); 424 return; 425 } 426 } 427 428 OVPN_ASSERT(sc); 429 430 /* The peer should have been removed from the list already. */ 431 MPASS(ovpn_find_peer(sc, peer->peerid) == NULL); 432 433 ovpn_notify_del_peer(sc, peer); 434 435 for (int i = 0; i < 2; i++) { 436 ovpn_free_kkey_dir(peer->keys[i].encrypt); 437 ovpn_free_kkey_dir(peer->keys[i].decrypt); 438 } 439 440 ovpn_rele_so(sc, peer); 441 442 callout_stop(&peer->ping_send); 443 callout_stop(&peer->ping_rcv); 444 uma_zfree_pcpu(pcpu_zone_4, peer->last_active); 445 free(peer, M_OVPN); 446 447 if (! locked) 448 OVPN_WUNLOCK(sc); 449 } 450 451 static int 452 ovpn_new_peer(struct ifnet *ifp, const nvlist_t *nvl) 453 { 454 #ifdef INET6 455 struct epoch_tracker et; 456 #endif 457 struct sockaddr_storage remote; 458 struct ovpn_kpeer *peer = NULL; 459 struct file *fp = NULL; 460 struct sockaddr *name = NULL; 461 struct ovpn_softc *sc = ifp->if_softc; 462 struct thread *td = curthread; 463 struct socket *so = NULL; 464 int fd; 465 uint32_t peerid; 466 int ret = 0; 467 468 if (nvl == NULL) 469 return (EINVAL); 470 471 if (! nvlist_exists_number(nvl, "peerid")) 472 return (EINVAL); 473 474 if (! nvlist_exists_number(nvl, "fd")) 475 return (EINVAL); 476 477 if (! nvlist_exists_nvlist(nvl, "remote")) 478 return (EINVAL); 479 480 peerid = nvlist_get_number(nvl, "peerid"); 481 482 ret = ovpn_nvlist_to_sockaddr(nvlist_get_nvlist(nvl, "remote"), 483 &remote); 484 if (ret != 0) 485 return (ret); 486 487 fd = nvlist_get_number(nvl, "fd"); 488 489 /* Look up the userspace process and use the fd to find the socket. */ 490 ret = getsock(td, fd, &cap_connect_rights, &fp); 491 if (ret != 0) 492 return (ret); 493 494 so = fp->f_data; 495 496 peer = malloc(sizeof(*peer), M_OVPN, M_WAITOK | M_ZERO); 497 peer->peerid = peerid; 498 peer->sc = sc; 499 peer->tx_seq = 1; 500 peer->refcount = 1; 501 peer->last_active = uma_zalloc_pcpu(pcpu_zone_4, M_WAITOK | M_ZERO); 502 503 if (nvlist_exists_binary(nvl, "vpn_ipv4")) { 504 size_t len; 505 const void *addr = nvlist_get_binary(nvl, "vpn_ipv4", &len); 506 if (len != sizeof(peer->vpn4)) { 507 ret = EINVAL; 508 goto error; 509 } 510 memcpy(&peer->vpn4, addr, len); 511 } 512 513 if (nvlist_exists_binary(nvl, "vpn_ipv6")) { 514 size_t len; 515 const void *addr = nvlist_get_binary(nvl, "vpn_ipv6", &len); 516 if (len != sizeof(peer->vpn6)) { 517 ret = EINVAL; 518 goto error; 519 } 520 memcpy(&peer->vpn6, addr, len); 521 } 522 523 callout_init_rm(&peer->ping_send, &sc->lock, CALLOUT_SHAREDLOCK); 524 callout_init_rm(&peer->ping_rcv, &sc->lock, 0); 525 526 ret = so->so_proto->pr_sockaddr(so, &name); 527 if (ret) 528 goto error; 529 530 if (ovpn_get_port((struct sockaddr_storage *)name) == 0) { 531 ret = EINVAL; 532 goto error; 533 } 534 if (name->sa_family != remote.ss_family) { 535 ret = EINVAL; 536 goto error; 537 } 538 539 memcpy(&peer->local, name, name->sa_len); 540 memcpy(&peer->remote, &remote, sizeof(remote)); 541 free(name, M_SONAME); 542 name = NULL; 543 544 if (peer->local.ss_family == AF_INET6 && 545 IN6_IS_ADDR_V4MAPPED(&TO_IN6(&peer->remote)->sin6_addr)) { 546 /* V4 mapped address, so treat this as v4, not v6. */ 547 in6_sin6_2_sin_in_sock((struct sockaddr *)&peer->local); 548 in6_sin6_2_sin_in_sock((struct sockaddr *)&peer->remote); 549 } 550 551 #ifdef INET6 552 if (peer->local.ss_family == AF_INET6 && 553 IN6_IS_ADDR_UNSPECIFIED(&TO_IN6(&peer->local)->sin6_addr)) { 554 NET_EPOCH_ENTER(et); 555 ret = in6_selectsrc_addr(curthread->td_proc->p_fibnum, 556 &TO_IN6(&peer->remote)->sin6_addr, 557 0, NULL, &TO_IN6(&peer->local)->sin6_addr, NULL); 558 NET_EPOCH_EXIT(et); 559 if (ret != 0) { 560 goto error; 561 } 562 } 563 #endif 564 OVPN_WLOCK(sc); 565 566 /* Disallow peer id re-use. */ 567 if (ovpn_find_peer(sc, peerid) != NULL) { 568 ret = EEXIST; 569 goto error_locked; 570 } 571 572 /* Make sure this is really a UDP socket. */ 573 if (so->so_type != SOCK_DGRAM || so->so_proto->pr_type != SOCK_DGRAM) { 574 ret = EPROTOTYPE; 575 goto error_locked; 576 } 577 578 /* Must be the same socket as for other peers on this interface. */ 579 if (sc->so != NULL && so != sc->so) 580 goto error_locked; 581 582 if (sc->so == NULL) 583 sc->so = so; 584 585 /* Insert the peer into the list. */ 586 RB_INSERT(ovpn_kpeers, &sc->peers, peer); 587 sc->peercount++; 588 soref(sc->so); 589 590 ret = udp_set_kernel_tunneling(sc->so, ovpn_udp_input, NULL, sc); 591 if (ret == EBUSY) { 592 /* Fine, another peer already set the input function. */ 593 ret = 0; 594 } 595 if (ret != 0) { 596 RB_REMOVE(ovpn_kpeers, &sc->peers, peer); 597 sc->peercount--; 598 goto error_locked; 599 } 600 601 OVPN_WUNLOCK(sc); 602 603 goto done; 604 605 error_locked: 606 OVPN_WUNLOCK(sc); 607 error: 608 free(name, M_SONAME); 609 uma_zfree_pcpu(pcpu_zone_4, peer->last_active); 610 free(peer, M_OVPN); 611 done: 612 if (fp != NULL) 613 fdrop(fp, td); 614 615 return (ret); 616 } 617 618 static int 619 _ovpn_del_peer(struct ovpn_softc *sc, struct ovpn_kpeer *peer) 620 { 621 struct ovpn_kpeer *tmp __diagused; 622 623 OVPN_WASSERT(sc); 624 CURVNET_ASSERT_SET(); 625 626 MPASS(RB_FIND(ovpn_kpeers, &sc->peers, peer) == peer); 627 628 tmp = RB_REMOVE(ovpn_kpeers, &sc->peers, peer); 629 MPASS(tmp != NULL); 630 631 sc->peercount--; 632 633 ovpn_peer_release_ref(peer, true); 634 635 return (0); 636 } 637 638 static int 639 ovpn_del_peer(struct ifnet *ifp, nvlist_t *nvl) 640 { 641 struct ovpn_softc *sc = ifp->if_softc; 642 struct ovpn_kpeer *peer; 643 uint32_t peerid; 644 int ret; 645 646 OVPN_WASSERT(sc); 647 648 if (nvl == NULL) 649 return (EINVAL); 650 651 if (! nvlist_exists_number(nvl, "peerid")) 652 return (EINVAL); 653 654 peerid = nvlist_get_number(nvl, "peerid"); 655 656 peer = ovpn_find_peer(sc, peerid); 657 if (peer == NULL) 658 return (ENOENT); 659 660 peer->del_reason = OVPN_DEL_REASON_REQUESTED; 661 ret = _ovpn_del_peer(sc, peer); 662 663 return (ret); 664 } 665 666 static int 667 ovpn_create_kkey_dir(struct ovpn_kkey_dir **kdirp, 668 const nvlist_t *nvl) 669 { 670 struct crypto_session_params csp; 671 struct ovpn_kkey_dir *kdir; 672 const char *ciphername; 673 enum ovpn_key_cipher cipher; 674 const void *key, *iv; 675 size_t keylen = 0, ivlen = 0; 676 int error; 677 678 if (! nvlist_exists_string(nvl, "cipher")) 679 return (EINVAL); 680 ciphername = nvlist_get_string(nvl, "cipher"); 681 682 if (strcmp(ciphername, "none") == 0) 683 cipher = OVPN_CIPHER_ALG_NONE; 684 else if (strcmp(ciphername, "AES-256-GCM") == 0 || 685 strcmp(ciphername, "AES-192-GCM") == 0 || 686 strcmp(ciphername, "AES-128-GCM") == 0) 687 cipher = OVPN_CIPHER_ALG_AES_GCM; 688 else if (strcmp(ciphername, "CHACHA20-POLY1305") == 0) 689 cipher = OVPN_CIPHER_ALG_CHACHA20_POLY1305; 690 else 691 return (EINVAL); 692 693 if (cipher != OVPN_CIPHER_ALG_NONE) { 694 if (! nvlist_exists_binary(nvl, "key")) 695 return (EINVAL); 696 key = nvlist_get_binary(nvl, "key", &keylen); 697 if (keylen > sizeof(kdir->key)) 698 return (E2BIG); 699 700 if (! nvlist_exists_binary(nvl, "iv")) 701 return (EINVAL); 702 iv = nvlist_get_binary(nvl, "iv", &ivlen); 703 if (ivlen != 8) 704 return (E2BIG); 705 } 706 707 kdir = malloc(sizeof(struct ovpn_kkey_dir), M_OVPN, 708 M_WAITOK | M_ZERO); 709 710 kdir->cipher = cipher; 711 kdir->keylen = keylen; 712 memcpy(kdir->key, key, keylen); 713 kdir->noncelen = ivlen; 714 memcpy(kdir->nonce, iv, ivlen); 715 716 if (kdir->cipher != OVPN_CIPHER_ALG_NONE) { 717 /* Crypto init */ 718 bzero(&csp, sizeof(csp)); 719 csp.csp_mode = CSP_MODE_AEAD; 720 721 if (kdir->cipher == OVPN_CIPHER_ALG_CHACHA20_POLY1305) 722 csp.csp_cipher_alg = CRYPTO_CHACHA20_POLY1305; 723 else 724 csp.csp_cipher_alg = CRYPTO_AES_NIST_GCM_16; 725 726 csp.csp_flags |= CSP_F_SEPARATE_AAD; 727 728 csp.csp_cipher_klen = kdir->keylen; 729 csp.csp_cipher_key = kdir->key; 730 csp.csp_ivlen = 96 / 8; 731 732 error = crypto_newsession(&kdir->cryptoid, &csp, 733 CRYPTOCAP_F_HARDWARE | CRYPTOCAP_F_SOFTWARE); 734 if (error) { 735 free(kdir, M_OVPN); 736 return (error); 737 } 738 } 739 740 mtx_init(&kdir->replay_mtx, "if_ovpn rx replay", NULL, MTX_DEF); 741 *kdirp = kdir; 742 743 return (0); 744 } 745 746 static void 747 ovpn_free_kkey_dir(struct ovpn_kkey_dir *kdir) 748 { 749 if (kdir == NULL) 750 return; 751 752 mtx_destroy(&kdir->replay_mtx); 753 754 crypto_freesession(kdir->cryptoid); 755 free(kdir, M_OVPN); 756 } 757 758 static int 759 ovpn_set_key(struct ifnet *ifp, const nvlist_t *nvl) 760 { 761 struct ovpn_softc *sc = ifp->if_softc; 762 struct ovpn_kkey_dir *enc, *dec; 763 struct ovpn_kpeer *peer; 764 int slot, keyid, peerid; 765 int error; 766 767 if (nvl == NULL) 768 return (EINVAL); 769 770 if (! nvlist_exists_number(nvl, "slot")) 771 return (EINVAL); 772 slot = nvlist_get_number(nvl, "slot"); 773 774 if (! nvlist_exists_number(nvl, "keyid")) 775 return (EINVAL); 776 keyid = nvlist_get_number(nvl, "keyid"); 777 778 if (! nvlist_exists_number(nvl, "peerid")) 779 return (EINVAL); 780 peerid = nvlist_get_number(nvl, "peerid"); 781 782 if (slot != OVPN_KEY_SLOT_PRIMARY && 783 slot != OVPN_KEY_SLOT_SECONDARY) 784 return (EINVAL); 785 786 if (! nvlist_exists_nvlist(nvl, "encrypt") || 787 ! nvlist_exists_nvlist(nvl, "decrypt")) 788 return (EINVAL); 789 790 error = ovpn_create_kkey_dir(&enc, nvlist_get_nvlist(nvl, "encrypt")); 791 if (error) 792 return (error); 793 794 error = ovpn_create_kkey_dir(&dec, nvlist_get_nvlist(nvl, "decrypt")); 795 if (error) { 796 ovpn_free_kkey_dir(enc); 797 return (error); 798 } 799 800 OVPN_WLOCK(sc); 801 802 peer = ovpn_find_peer(sc, peerid); 803 if (peer == NULL) { 804 ovpn_free_kkey_dir(dec); 805 ovpn_free_kkey_dir(enc); 806 OVPN_WUNLOCK(sc); 807 return (ENOENT); 808 } 809 810 ovpn_free_kkey_dir(peer->keys[slot].encrypt); 811 ovpn_free_kkey_dir(peer->keys[slot].decrypt); 812 813 peer->keys[slot].encrypt = enc; 814 peer->keys[slot].decrypt = dec; 815 816 peer->keys[slot].keyid = keyid; 817 peer->keys[slot].peerid = peerid; 818 819 OVPN_WUNLOCK(sc); 820 821 return (0); 822 } 823 824 static int 825 ovpn_check_key(struct ovpn_softc *sc, struct ovpn_kpeer *peer, enum ovpn_key_slot slot) 826 { 827 OVPN_ASSERT(sc); 828 829 if (peer->keys[slot].encrypt == NULL) 830 return (ENOLINK); 831 832 if (peer->keys[slot].decrypt == NULL) 833 return (ENOLINK); 834 835 return (0); 836 } 837 838 static int 839 ovpn_start(struct ifnet *ifp) 840 { 841 struct ovpn_softc *sc = ifp->if_softc; 842 843 OVPN_WLOCK(sc); 844 845 ifp->if_flags |= IFF_UP; 846 ifp->if_drv_flags |= IFF_DRV_RUNNING; 847 if_link_state_change(ifp, LINK_STATE_UP); 848 849 OVPN_WUNLOCK(sc); 850 851 return (0); 852 } 853 854 static int 855 ovpn_swap_keys(struct ifnet *ifp, nvlist_t *nvl) 856 { 857 struct ovpn_softc *sc = ifp->if_softc; 858 struct ovpn_kpeer *peer; 859 struct ovpn_kkey tmpkey; 860 int error; 861 862 if (nvl == NULL) 863 return (EINVAL); 864 865 if (! nvlist_exists_number(nvl, "peerid")) 866 return (EINVAL); 867 868 OVPN_WLOCK(sc); 869 870 peer = ovpn_find_peer(sc, nvlist_get_number(nvl, "peerid")); 871 if (peer == NULL) { 872 OVPN_WUNLOCK(sc); 873 return (ENOENT); 874 } 875 876 /* Check that we have a second key to swap to. */ 877 error = ovpn_check_key(sc, peer, OVPN_KEY_SLOT_SECONDARY); 878 if (error) { 879 OVPN_WUNLOCK(sc); 880 return (error); 881 } 882 883 tmpkey = peer->keys[0]; 884 peer->keys[0] = peer->keys[1]; 885 peer->keys[1] = tmpkey; 886 887 OVPN_WUNLOCK(sc); 888 889 return (0); 890 } 891 892 static int 893 ovpn_del_key(struct ifnet *ifp, const nvlist_t *nvl) 894 { 895 enum ovpn_key_slot slot; 896 struct ovpn_kpeer *peer; 897 struct ovpn_softc *sc = ifp->if_softc; 898 899 if (nvl == NULL) 900 return (EINVAL); 901 902 if (! nvlist_exists_number(nvl, "peerid")) 903 return (EINVAL); 904 905 if (! nvlist_exists_number(nvl, "slot")) 906 return (EINVAL); 907 slot = nvlist_get_number(nvl, "slot"); 908 909 if (slot != OVPN_KEY_SLOT_PRIMARY && 910 slot != OVPN_KEY_SLOT_SECONDARY) 911 return (EINVAL); 912 913 OVPN_WLOCK(sc); 914 915 peer = ovpn_find_peer(sc, nvlist_get_number(nvl, "peerid")); 916 if (peer == NULL) { 917 OVPN_WUNLOCK(sc); 918 return (ENOENT); 919 } 920 921 ovpn_free_kkey_dir(peer->keys[slot].encrypt); 922 ovpn_free_kkey_dir(peer->keys[slot].decrypt); 923 924 peer->keys[slot].encrypt = NULL; 925 peer->keys[slot].decrypt = NULL; 926 927 peer->keys[slot].keyid = 0; 928 peer->keys[slot].peerid = 0; 929 930 OVPN_WUNLOCK(sc); 931 932 return (0); 933 } 934 935 static int 936 ovpn_send_pkt(struct ifnet *ifp, const nvlist_t *nvl) 937 { 938 struct epoch_tracker et; 939 struct ovpn_softc *sc = ifp->if_softc; 940 struct mbuf *m; 941 const uint8_t *pkt; 942 size_t pktlen; 943 uint32_t peerid; 944 int ret; 945 946 if (nvl == NULL) 947 return (EINVAL); 948 949 if (! nvlist_exists_binary(nvl, "packet")) 950 return (EINVAL); 951 pkt = nvlist_get_binary(nvl, "packet", &pktlen); 952 953 if (! nvlist_exists_number(nvl, "peerid")) 954 return (EINVAL); 955 956 peerid = nvlist_get_number(nvl, "peerid"); 957 958 /* 959 * Check that userspace isn't giving us a data packet. That might lead 960 * to IV re-use, which would be bad. 961 */ 962 if ((pkt[0] >> OVPN_OP_SHIFT) == OVPN_OP_DATA_V2) 963 return (EINVAL); 964 965 m = m_get2(pktlen, M_WAITOK, MT_DATA, M_PKTHDR); 966 if (m == NULL) 967 return (ENOMEM); 968 969 m->m_len = m->m_pkthdr.len = pktlen; 970 m_copyback(m, 0, m->m_len, pkt); 971 972 /* Now prepend IP/UDP headers and transmit the mbuf. */ 973 NET_EPOCH_ENTER(et); 974 ret = ovpn_encap(sc, peerid, m); 975 NET_EPOCH_EXIT(et); 976 if (ret == 0) 977 OVPN_COUNTER_ADD(sc, sent_ctrl_pkts, 1); 978 else 979 OVPN_COUNTER_ADD(sc, lost_ctrl_pkts_out, 1); 980 981 return (ret); 982 } 983 984 static void 985 ovpn_send_ping(void *arg) 986 { 987 static const uint8_t ping_str[] = { 988 0x2a, 0x18, 0x7b, 0xf3, 0x64, 0x1e, 0xb4, 0xcb, 989 0x07, 0xed, 0x2d, 0x0a, 0x98, 0x1f, 0xc7, 0x48 990 }; 991 992 struct epoch_tracker et; 993 struct ovpn_kpeer *peer = arg; 994 struct ovpn_softc *sc = peer->sc; 995 struct mbuf *m; 996 997 OVPN_RASSERT(sc); 998 999 /* Ensure we repeat! */ 1000 callout_reset(&peer->ping_send, peer->keepalive.interval * hz, 1001 ovpn_send_ping, peer); 1002 1003 m = m_get2(sizeof(ping_str), M_NOWAIT, MT_DATA, M_PKTHDR); 1004 if (m == NULL) 1005 return; 1006 1007 m_copyback(m, 0, sizeof(ping_str), ping_str); 1008 m->m_len = m->m_pkthdr.len = sizeof(ping_str); 1009 1010 CURVNET_SET(sc->ifp->if_vnet); 1011 NET_EPOCH_ENTER(et); 1012 (void)ovpn_transmit_to_peer(sc->ifp, m, peer, NULL); 1013 NET_EPOCH_EXIT(et); 1014 CURVNET_RESTORE(); 1015 } 1016 1017 static void 1018 ovpn_timeout(void *arg) 1019 { 1020 struct ovpn_kpeer *peer = arg; 1021 struct ovpn_softc *sc = peer->sc; 1022 uint32_t last, _last_active; 1023 int ret __diagused; 1024 int cpu; 1025 1026 OVPN_WASSERT(sc); 1027 1028 last = 0; 1029 CPU_FOREACH(cpu) { 1030 _last_active = *zpcpu_get_cpu(peer->last_active, cpu); 1031 if (_last_active > last) 1032 last = _last_active; 1033 } 1034 1035 if (last + peer->keepalive.timeout > time_uptime) { 1036 callout_reset(&peer->ping_rcv, 1037 (peer->keepalive.timeout - (time_uptime - last)) * hz, 1038 ovpn_timeout, peer); 1039 return; 1040 } 1041 1042 CURVNET_SET(sc->ifp->if_vnet); 1043 peer->del_reason = OVPN_DEL_REASON_TIMEOUT; 1044 ret = _ovpn_del_peer(sc, peer); 1045 MPASS(ret == 0); 1046 CURVNET_RESTORE(); 1047 } 1048 1049 static int 1050 ovpn_set_peer(struct ifnet *ifp, const nvlist_t *nvl) 1051 { 1052 struct ovpn_softc *sc = ifp->if_softc; 1053 struct ovpn_kpeer *peer; 1054 1055 if (nvl == NULL) 1056 return (EINVAL); 1057 1058 if (! nvlist_exists_number(nvl, "interval") || 1059 ! nvlist_exists_number(nvl, "timeout") || 1060 ! nvlist_exists_number(nvl, "peerid")) 1061 return (EINVAL); 1062 1063 OVPN_WLOCK(sc); 1064 1065 peer = ovpn_find_peer(sc, nvlist_get_number(nvl, "peerid")); 1066 if (peer == NULL) { 1067 OVPN_WUNLOCK(sc); 1068 return (ENOENT); 1069 } 1070 1071 peer->keepalive.interval = nvlist_get_number(nvl, "interval"); 1072 peer->keepalive.timeout = nvlist_get_number(nvl, "timeout"); 1073 1074 if (peer->keepalive.interval > 0) 1075 callout_reset(&peer->ping_send, peer->keepalive.interval * hz, 1076 ovpn_send_ping, peer); 1077 if (peer->keepalive.timeout > 0) 1078 callout_reset(&peer->ping_rcv, peer->keepalive.timeout * hz, 1079 ovpn_timeout, peer); 1080 1081 OVPN_WUNLOCK(sc); 1082 1083 return (0); 1084 } 1085 1086 static int 1087 ovpn_set_ifmode(struct ifnet *ifp, const nvlist_t *nvl) 1088 { 1089 struct ovpn_softc *sc = ifp->if_softc; 1090 int ifmode; 1091 1092 if (nvl == NULL) 1093 return (EINVAL); 1094 1095 if (! nvlist_exists_number(nvl, "ifmode") ) 1096 return (EINVAL); 1097 1098 ifmode = nvlist_get_number(nvl, "ifmode"); 1099 1100 OVPN_WLOCK(sc); 1101 1102 /* deny this if UP */ 1103 if (ifp->if_flags & IFF_UP) { 1104 OVPN_WUNLOCK(sc); 1105 return (EBUSY); 1106 } 1107 1108 switch (ifmode & ~IFF_MULTICAST) { 1109 case IFF_POINTOPOINT: 1110 case IFF_BROADCAST: 1111 ifp->if_flags &= 1112 ~(IFF_BROADCAST|IFF_POINTOPOINT|IFF_MULTICAST); 1113 ifp->if_flags |= ifmode; 1114 break; 1115 default: 1116 OVPN_WUNLOCK(sc); 1117 return (EINVAL); 1118 } 1119 1120 OVPN_WUNLOCK(sc); 1121 1122 return (0); 1123 } 1124 1125 static int 1126 ovpn_ioctl_set(struct ifnet *ifp, struct ifdrv *ifd) 1127 { 1128 struct ovpn_softc *sc = ifp->if_softc; 1129 uint8_t *buf = NULL; 1130 nvlist_t *nvl = NULL; 1131 int ret; 1132 1133 if (ifd->ifd_len != 0) { 1134 if (ifd->ifd_len > OVPN_MAX_REQUEST_SIZE) 1135 return (E2BIG); 1136 1137 buf = malloc(ifd->ifd_len, M_OVPN, M_WAITOK); 1138 1139 ret = copyin(ifd->ifd_data, buf, ifd->ifd_len); 1140 if (ret != 0) { 1141 free(buf, M_OVPN); 1142 return (ret); 1143 } 1144 1145 nvl = nvlist_unpack(buf, ifd->ifd_len, 0); 1146 free(buf, M_OVPN); 1147 if (nvl == NULL) { 1148 return (EINVAL); 1149 } 1150 } 1151 1152 switch (ifd->ifd_cmd) { 1153 case OVPN_NEW_PEER: 1154 ret = ovpn_new_peer(ifp, nvl); 1155 break; 1156 case OVPN_DEL_PEER: 1157 OVPN_WLOCK(sc); 1158 ret = ovpn_del_peer(ifp, nvl); 1159 OVPN_WUNLOCK(sc); 1160 break; 1161 case OVPN_NEW_KEY: 1162 ret = ovpn_set_key(ifp, nvl); 1163 break; 1164 case OVPN_START_VPN: 1165 ret = ovpn_start(ifp); 1166 break; 1167 case OVPN_SWAP_KEYS: 1168 ret = ovpn_swap_keys(ifp, nvl); 1169 break; 1170 case OVPN_DEL_KEY: 1171 ret = ovpn_del_key(ifp, nvl); 1172 break; 1173 case OVPN_SEND_PKT: 1174 ret = ovpn_send_pkt(ifp, nvl); 1175 break; 1176 case OVPN_SET_PEER: 1177 ret = ovpn_set_peer(ifp, nvl); 1178 break; 1179 case OVPN_SET_IFMODE: 1180 ret = ovpn_set_ifmode(ifp, nvl); 1181 break; 1182 default: 1183 ret = ENOTSUP; 1184 } 1185 1186 nvlist_destroy(nvl); 1187 return (ret); 1188 } 1189 1190 static int 1191 ovpn_add_counters(nvlist_t *parent, const char *name, counter_u64_t in, 1192 counter_u64_t out) 1193 { 1194 nvlist_t *nvl; 1195 1196 nvl = nvlist_create(0); 1197 if (nvl == NULL) 1198 return (ENOMEM); 1199 1200 nvlist_add_number(nvl, "in", counter_u64_fetch(in)); 1201 nvlist_add_number(nvl, "out", counter_u64_fetch(out)); 1202 1203 nvlist_add_nvlist(parent, name, nvl); 1204 1205 nvlist_destroy(nvl); 1206 1207 return (0); 1208 } 1209 1210 static int 1211 ovpn_get_stats(struct ovpn_softc *sc, nvlist_t **onvl) 1212 { 1213 nvlist_t *nvl; 1214 int ret; 1215 1216 nvl = nvlist_create(0); 1217 if (nvl == NULL) 1218 return (ENOMEM); 1219 1220 #define OVPN_COUNTER_OUT(name, in, out) \ 1221 do { \ 1222 ret = ovpn_add_counters(nvl, name, \ 1223 sc->counters[offsetof(struct ovpn_counters, in) / \ 1224 sizeof(uint64_t)], \ 1225 sc->counters[offsetof(struct ovpn_counters, out) / \ 1226 sizeof(uint64_t)]); \ 1227 if (ret != 0) \ 1228 goto error; \ 1229 } while(0) 1230 1231 OVPN_COUNTER_OUT("lost_ctrl", lost_ctrl_pkts_in, lost_ctrl_pkts_out); 1232 OVPN_COUNTER_OUT("lost_data", lost_data_pkts_in, lost_data_pkts_out); 1233 OVPN_COUNTER_OUT("nomem_data", nomem_data_pkts_in, 1234 nomem_data_pkts_out); 1235 OVPN_COUNTER_OUT("data", received_data_pkts, sent_data_pkts); 1236 OVPN_COUNTER_OUT("ctrl", received_ctrl_pkts, sent_ctrl_pkts); 1237 OVPN_COUNTER_OUT("tunnel", tunnel_bytes_received, 1238 tunnel_bytes_received); 1239 OVPN_COUNTER_OUT("transport", transport_bytes_received, 1240 transport_bytes_received); 1241 #undef OVPN_COUNTER_OUT 1242 1243 *onvl = nvl; 1244 1245 return (0); 1246 1247 error: 1248 nvlist_destroy(nvl); 1249 return (ret); 1250 } 1251 1252 static int 1253 ovpn_poll_pkt(struct ovpn_softc *sc, nvlist_t **onvl) 1254 { 1255 nvlist_t *nvl; 1256 1257 nvl = nvlist_create(0); 1258 if (nvl == NULL) 1259 return (ENOMEM); 1260 1261 nvlist_add_number(nvl, "pending", buf_ring_count(sc->notifring)); 1262 1263 *onvl = nvl; 1264 1265 return (0); 1266 } 1267 1268 static int 1269 opvn_get_pkt(struct ovpn_softc *sc, nvlist_t **onvl) 1270 { 1271 struct ovpn_notification *n; 1272 nvlist_t *nvl; 1273 1274 /* Check if we have notifications pending. */ 1275 n = buf_ring_dequeue_mc(sc->notifring); 1276 if (n == NULL) 1277 return (ENOENT); 1278 1279 nvl = nvlist_create(0); 1280 if (nvl == NULL) { 1281 free(n, M_OVPN); 1282 return (ENOMEM); 1283 } 1284 nvlist_add_number(nvl, "peerid", n->peerid); 1285 nvlist_add_number(nvl, "notification", n->type); 1286 if (n->type == OVPN_NOTIF_DEL_PEER) 1287 nvlist_add_number(nvl, "del_reason", n->del_reason); 1288 free(n, M_OVPN); 1289 1290 *onvl = nvl; 1291 1292 return (0); 1293 } 1294 1295 static int 1296 ovpn_ioctl_get(struct ifnet *ifp, struct ifdrv *ifd) 1297 { 1298 struct ovpn_softc *sc = ifp->if_softc; 1299 nvlist_t *nvl = NULL; 1300 int error; 1301 1302 switch (ifd->ifd_cmd) { 1303 case OVPN_GET_STATS: 1304 error = ovpn_get_stats(sc, &nvl); 1305 break; 1306 case OVPN_POLL_PKT: 1307 error = ovpn_poll_pkt(sc, &nvl); 1308 break; 1309 case OVPN_GET_PKT: 1310 error = opvn_get_pkt(sc, &nvl); 1311 break; 1312 default: 1313 error = ENOTSUP; 1314 break; 1315 } 1316 1317 if (error == 0) { 1318 void *packed = NULL; 1319 size_t len; 1320 1321 MPASS(nvl != NULL); 1322 1323 packed = nvlist_pack(nvl, &len); 1324 if (! packed) { 1325 nvlist_destroy(nvl); 1326 return (ENOMEM); 1327 } 1328 1329 if (len > ifd->ifd_len) { 1330 free(packed, M_NVLIST); 1331 nvlist_destroy(nvl); 1332 return (ENOSPC); 1333 } 1334 1335 error = copyout(packed, ifd->ifd_data, len); 1336 ifd->ifd_len = len; 1337 1338 free(packed, M_NVLIST); 1339 nvlist_destroy(nvl); 1340 } 1341 1342 return (error); 1343 } 1344 1345 static int 1346 ovpn_ioctl(struct ifnet *ifp, u_long cmd, caddr_t data) 1347 { 1348 struct ifdrv *ifd; 1349 int error; 1350 1351 CURVNET_ASSERT_SET(); 1352 1353 switch (cmd) { 1354 case SIOCSDRVSPEC: 1355 case SIOCGDRVSPEC: 1356 error = priv_check(curthread, PRIV_NET_OVPN); 1357 if (error) 1358 return (error); 1359 break; 1360 } 1361 1362 switch (cmd) { 1363 case SIOCSDRVSPEC: 1364 ifd = (struct ifdrv *)data; 1365 error = ovpn_ioctl_set(ifp, ifd); 1366 break; 1367 case SIOCGDRVSPEC: 1368 ifd = (struct ifdrv *)data; 1369 error = ovpn_ioctl_get(ifp, ifd); 1370 break; 1371 case SIOCSIFMTU: { 1372 struct ifreq *ifr = (struct ifreq *)data; 1373 if (ifr->ifr_mtu < OVPN_MTU_MIN || ifr->ifr_mtu > OVPN_MTU_MAX) 1374 return (EINVAL); 1375 1376 ifp->if_mtu = ifr->ifr_mtu; 1377 return (0); 1378 } 1379 case SIOCSIFADDR: 1380 case SIOCADDMULTI: 1381 case SIOCDELMULTI: 1382 case SIOCGIFMTU: 1383 case SIOCSIFFLAGS: 1384 return (0); 1385 default: 1386 error = EINVAL; 1387 } 1388 1389 return (error); 1390 } 1391 1392 static int 1393 ovpn_encrypt_tx_cb(struct cryptop *crp) 1394 { 1395 struct epoch_tracker et; 1396 struct ovpn_kpeer *peer = crp->crp_opaque; 1397 struct ovpn_softc *sc = peer->sc; 1398 struct mbuf *m = crp->crp_buf.cb_mbuf; 1399 int tunnel_len; 1400 int ret; 1401 1402 CURVNET_SET(sc->ifp->if_vnet); 1403 NET_EPOCH_ENTER(et); 1404 1405 if (crp->crp_etype != 0) { 1406 crypto_freereq(crp); 1407 ovpn_peer_release_ref(peer, false); 1408 NET_EPOCH_EXIT(et); 1409 CURVNET_RESTORE(); 1410 OVPN_COUNTER_ADD(sc, lost_data_pkts_out, 1); 1411 m_freem(m); 1412 return (0); 1413 } 1414 1415 MPASS(crp->crp_buf.cb_type == CRYPTO_BUF_MBUF); 1416 1417 tunnel_len = m->m_pkthdr.len - sizeof(struct ovpn_wire_header); 1418 ret = ovpn_encap(sc, peer->peerid, m); 1419 if (ret == 0) { 1420 OVPN_COUNTER_ADD(sc, sent_data_pkts, 1); 1421 OVPN_COUNTER_ADD(sc, tunnel_bytes_sent, tunnel_len); 1422 } 1423 1424 crypto_freereq(crp); 1425 ovpn_peer_release_ref(peer, false); 1426 1427 NET_EPOCH_EXIT(et); 1428 CURVNET_RESTORE(); 1429 1430 return (0); 1431 } 1432 1433 static void 1434 ovpn_finish_rx(struct ovpn_softc *sc, struct mbuf *m, 1435 struct ovpn_kpeer *peer, struct ovpn_kkey *key, uint32_t seq, 1436 struct rm_priotracker *_ovpn_lock_trackerp) 1437 { 1438 uint32_t af; 1439 1440 OVPN_RASSERT(sc); 1441 NET_EPOCH_ASSERT(); 1442 1443 /* Replay protection. */ 1444 if (V_replay_protection && ! ovpn_check_replay(key->decrypt, seq)) { 1445 OVPN_RUNLOCK(sc); 1446 OVPN_COUNTER_ADD(sc, lost_data_pkts_in, 1); 1447 m_freem(m); 1448 return; 1449 } 1450 1451 critical_enter(); 1452 *zpcpu_get(peer->last_active) = time_uptime; 1453 critical_exit(); 1454 1455 OVPN_RUNLOCK(sc); 1456 1457 OVPN_COUNTER_ADD(sc, received_data_pkts, 1); 1458 OVPN_COUNTER_ADD(sc, tunnel_bytes_received, m->m_pkthdr.len); 1459 1460 /* Receive the packet on our interface. */ 1461 m->m_pkthdr.rcvif = sc->ifp; 1462 1463 /* Clear checksum flags in case the real hardware set them. */ 1464 m->m_pkthdr.csum_flags = 0; 1465 1466 /* Ensure we can read the first byte. */ 1467 m = m_pullup(m, 1); 1468 if (m == NULL) { 1469 OVPN_COUNTER_ADD(sc, nomem_data_pkts_in, 1); 1470 return; 1471 } 1472 1473 /* 1474 * Check for address family, and disregard any control packets (e.g. 1475 * keepalive). 1476 */ 1477 af = ovpn_get_af(m); 1478 if (af != 0) { 1479 BPF_MTAP2(sc->ifp, &af, sizeof(af), m); 1480 if (V_async_netisr_queue) 1481 netisr_queue(af == AF_INET ? NETISR_IP : NETISR_IPV6, m); 1482 else 1483 netisr_dispatch(af == AF_INET ? NETISR_IP : NETISR_IPV6, m); 1484 } else { 1485 OVPN_COUNTER_ADD(sc, lost_data_pkts_in, 1); 1486 m_freem(m); 1487 } 1488 } 1489 1490 static struct ovpn_kkey * 1491 ovpn_find_key(struct ovpn_softc *sc, struct ovpn_kpeer *peer, 1492 const struct ovpn_wire_header *ohdr) 1493 { 1494 struct ovpn_kkey *key = NULL; 1495 uint8_t keyid; 1496 1497 OVPN_RASSERT(sc); 1498 1499 keyid = (ntohl(ohdr->opcode) >> 24) & 0x07; 1500 1501 if (peer->keys[0].keyid == keyid) 1502 key = &peer->keys[0]; 1503 else if (peer->keys[1].keyid == keyid) 1504 key = &peer->keys[1]; 1505 1506 return (key); 1507 } 1508 1509 static int 1510 ovpn_decrypt_rx_cb(struct cryptop *crp) 1511 { 1512 struct epoch_tracker et; 1513 struct ovpn_softc *sc = crp->crp_opaque; 1514 struct mbuf *m = crp->crp_buf.cb_mbuf; 1515 struct ovpn_kkey *key; 1516 struct ovpn_kpeer *peer; 1517 struct ovpn_wire_header *ohdr; 1518 uint32_t peerid; 1519 1520 OVPN_RLOCK_TRACKER; 1521 1522 OVPN_RLOCK(sc); 1523 1524 MPASS(crp->crp_buf.cb_type == CRYPTO_BUF_MBUF); 1525 1526 if (crp->crp_etype != 0) { 1527 crypto_freereq(crp); 1528 atomic_add_int(&sc->refcount, -1); 1529 OVPN_COUNTER_ADD(sc, lost_data_pkts_in, 1); 1530 OVPN_RUNLOCK(sc); 1531 m_freem(m); 1532 return (0); 1533 } 1534 1535 CURVNET_SET(sc->ifp->if_vnet); 1536 1537 ohdr = mtodo(m, sizeof(struct udphdr)); 1538 1539 peerid = ntohl(ohdr->opcode) & 0x00ffffff; 1540 peer = ovpn_find_peer(sc, peerid); 1541 if (peer == NULL) { 1542 /* No such peer. Drop packet. */ 1543 crypto_freereq(crp); 1544 atomic_add_int(&sc->refcount, -1); 1545 OVPN_RUNLOCK(sc); 1546 OVPN_COUNTER_ADD(sc, lost_data_pkts_in, 1); 1547 m_freem(m); 1548 CURVNET_RESTORE(); 1549 return (0); 1550 } 1551 1552 key = ovpn_find_key(sc, peer, ohdr); 1553 if (key == NULL) { 1554 crypto_freereq(crp); 1555 atomic_add_int(&sc->refcount, -1); 1556 /* 1557 * Has this key been removed between us starting the decrypt 1558 * and finishing it? 1559 */ 1560 OVPN_RUNLOCK(sc); 1561 OVPN_COUNTER_ADD(sc, lost_data_pkts_in, 1); 1562 m_freem(m); 1563 CURVNET_RESTORE(); 1564 return (0); 1565 } 1566 1567 /* Now remove the outer headers */ 1568 m_adj_decap(m, sizeof(struct udphdr) + 1569 sizeof(struct ovpn_wire_header)); 1570 1571 NET_EPOCH_ENTER(et); 1572 ovpn_finish_rx(sc, m, peer, key, ntohl(ohdr->seq), _ovpn_lock_trackerp); 1573 NET_EPOCH_EXIT(et); 1574 OVPN_UNLOCK_ASSERT(sc); 1575 1576 CURVNET_RESTORE(); 1577 1578 crypto_freereq(crp); 1579 atomic_add_int(&sc->refcount, -1); 1580 1581 return (0); 1582 } 1583 1584 static int 1585 ovpn_get_af(struct mbuf *m) 1586 { 1587 struct ip *ip; 1588 struct ip6_hdr *ip6; 1589 1590 /* 1591 * We should pullup, but we're only interested in the first byte, so 1592 * that'll always be contiguous. 1593 */ 1594 ip = mtod(m, struct ip *); 1595 if (ip->ip_v == IPVERSION) 1596 return (AF_INET); 1597 1598 ip6 = mtod(m, struct ip6_hdr *); 1599 if ((ip6->ip6_vfc & IPV6_VERSION_MASK) == IPV6_VERSION) 1600 return (AF_INET6); 1601 1602 return (0); 1603 } 1604 1605 #ifdef INET 1606 static struct ovpn_kpeer * 1607 ovpn_find_peer_by_ip(struct ovpn_softc *sc, const struct in_addr addr) 1608 { 1609 struct ovpn_kpeer *peer = NULL; 1610 1611 OVPN_ASSERT(sc); 1612 1613 /* TODO: Add a second RB so we can look up by IP. */ 1614 RB_FOREACH(peer, ovpn_kpeers, &sc->peers) { 1615 if (addr.s_addr == peer->vpn4.s_addr) 1616 return (peer); 1617 } 1618 1619 return (peer); 1620 } 1621 #endif 1622 1623 #ifdef INET6 1624 static struct ovpn_kpeer * 1625 ovpn_find_peer_by_ip6(struct ovpn_softc *sc, const struct in6_addr *addr) 1626 { 1627 struct ovpn_kpeer *peer = NULL; 1628 1629 OVPN_ASSERT(sc); 1630 1631 /* TODO: Add a third RB so we can look up by IPv6 address. */ 1632 RB_FOREACH(peer, ovpn_kpeers, &sc->peers) { 1633 if (memcmp(addr, &peer->vpn6, sizeof(*addr)) == 0) 1634 return (peer); 1635 } 1636 1637 return (peer); 1638 } 1639 #endif 1640 1641 static struct ovpn_kpeer * 1642 ovpn_route_peer(struct ovpn_softc *sc, struct mbuf **m0, 1643 const struct sockaddr *dst) 1644 { 1645 struct ovpn_kpeer *peer = NULL; 1646 int af; 1647 1648 NET_EPOCH_ASSERT(); 1649 OVPN_ASSERT(sc); 1650 1651 /* Shortcut if we're a client (or are a server and have only one client). */ 1652 if (sc->peercount == 1) 1653 return (ovpn_find_only_peer(sc)); 1654 1655 if (dst != NULL) 1656 af = dst->sa_family; 1657 else 1658 af = ovpn_get_af(*m0); 1659 1660 switch (af) { 1661 #ifdef INET 1662 case AF_INET: { 1663 const struct sockaddr_in *sa = (const struct sockaddr_in *)dst; 1664 struct nhop_object *nh; 1665 const struct in_addr *ip_dst; 1666 1667 if (sa != NULL) { 1668 ip_dst = &sa->sin_addr; 1669 } else { 1670 struct ip *ip; 1671 1672 *m0 = m_pullup(*m0, sizeof(struct ip)); 1673 if (*m0 == NULL) 1674 return (NULL); 1675 ip = mtod(*m0, struct ip *); 1676 ip_dst = &ip->ip_dst; 1677 } 1678 1679 peer = ovpn_find_peer_by_ip(sc, *ip_dst); 1680 SDT_PROBE2(if_ovpn, tx, route, ip4, ip_dst, peer); 1681 if (peer == NULL) { 1682 nh = fib4_lookup(M_GETFIB(*m0), *ip_dst, 0, 1683 NHR_NONE, 0); 1684 if (nh && (nh->nh_flags & NHF_GATEWAY)) { 1685 peer = ovpn_find_peer_by_ip(sc, 1686 nh->gw4_sa.sin_addr); 1687 SDT_PROBE2(if_ovpn, tx, route, ip4, 1688 &nh->gw4_sa.sin_addr, peer); 1689 } 1690 } 1691 break; 1692 } 1693 #endif 1694 #ifdef INET6 1695 case AF_INET6: { 1696 const struct sockaddr_in6 *sa6 = 1697 (const struct sockaddr_in6 *)dst; 1698 struct nhop_object *nh; 1699 const struct in6_addr *ip6_dst; 1700 1701 if (sa6 != NULL) { 1702 ip6_dst = &sa6->sin6_addr; 1703 } else { 1704 struct ip6_hdr *ip6; 1705 1706 *m0 = m_pullup(*m0, sizeof(struct ip6_hdr)); 1707 if (*m0 == NULL) 1708 return (NULL); 1709 ip6 = mtod(*m0, struct ip6_hdr *); 1710 ip6_dst = &ip6->ip6_dst; 1711 } 1712 1713 peer = ovpn_find_peer_by_ip6(sc, ip6_dst); 1714 SDT_PROBE2(if_ovpn, tx, route, ip6, ip6_dst, peer); 1715 if (peer == NULL) { 1716 nh = fib6_lookup(M_GETFIB(*m0), ip6_dst, 0, 1717 NHR_NONE, 0); 1718 if (nh && (nh->nh_flags & NHF_GATEWAY)) { 1719 peer = ovpn_find_peer_by_ip6(sc, 1720 &nh->gw6_sa.sin6_addr); 1721 SDT_PROBE2(if_ovpn, tx, route, ip6, 1722 &nh->gw6_sa.sin6_addr, peer); 1723 } 1724 } 1725 break; 1726 } 1727 #endif 1728 } 1729 1730 return (peer); 1731 } 1732 1733 static int 1734 ovpn_transmit(struct ifnet *ifp, struct mbuf *m) 1735 { 1736 return (ifp->if_output(ifp, m, NULL, NULL)); 1737 } 1738 1739 static int 1740 ovpn_transmit_to_peer(struct ifnet *ifp, struct mbuf *m, 1741 struct ovpn_kpeer *peer, struct rm_priotracker *_ovpn_lock_trackerp) 1742 { 1743 struct ovpn_wire_header *ohdr; 1744 struct ovpn_kkey *key; 1745 struct ovpn_softc *sc; 1746 struct cryptop *crp; 1747 uint32_t af, seq; 1748 size_t len, ovpn_hdr_len; 1749 int tunnel_len; 1750 int ret; 1751 1752 sc = ifp->if_softc; 1753 1754 OVPN_RASSERT(sc); 1755 1756 tunnel_len = m->m_pkthdr.len; 1757 1758 key = &peer->keys[OVPN_KEY_SLOT_PRIMARY]; 1759 if (key->encrypt == NULL) { 1760 if (_ovpn_lock_trackerp != NULL) 1761 OVPN_RUNLOCK(sc); 1762 m_freem(m); 1763 return (ENOLINK); 1764 } 1765 1766 af = ovpn_get_af(m); 1767 /* Don't capture control packets. */ 1768 if (af != 0) 1769 BPF_MTAP2(ifp, &af, sizeof(af), m); 1770 1771 len = m->m_pkthdr.len; 1772 MPASS(len <= ifp->if_mtu); 1773 1774 ovpn_hdr_len = sizeof(struct ovpn_wire_header); 1775 if (key->encrypt->cipher == OVPN_CIPHER_ALG_NONE) 1776 ovpn_hdr_len -= 16; /* No auth tag. */ 1777 1778 M_PREPEND(m, ovpn_hdr_len, M_NOWAIT); 1779 if (m == NULL) { 1780 if (_ovpn_lock_trackerp != NULL) 1781 OVPN_RUNLOCK(sc); 1782 OVPN_COUNTER_ADD(sc, nomem_data_pkts_out, 1); 1783 return (ENOBUFS); 1784 } 1785 ohdr = mtod(m, struct ovpn_wire_header *); 1786 ohdr->opcode = (OVPN_OP_DATA_V2 << OVPN_OP_SHIFT) | key->keyid; 1787 ohdr->opcode <<= 24; 1788 ohdr->opcode |= key->peerid; 1789 ohdr->opcode = htonl(ohdr->opcode); 1790 1791 seq = atomic_fetchadd_32(&peer->tx_seq, 1); 1792 seq = htonl(seq); 1793 ohdr->seq = seq; 1794 1795 if (key->encrypt->cipher == OVPN_CIPHER_ALG_NONE) { 1796 ret = ovpn_encap(sc, peer->peerid, m); 1797 if (_ovpn_lock_trackerp != NULL) 1798 OVPN_RUNLOCK(sc); 1799 if (ret == 0) { 1800 OVPN_COUNTER_ADD(sc, sent_data_pkts, 1); 1801 OVPN_COUNTER_ADD(sc, tunnel_bytes_sent, tunnel_len); 1802 } 1803 return (ret); 1804 } 1805 1806 crp = crypto_getreq(key->encrypt->cryptoid, M_NOWAIT); 1807 if (crp == NULL) { 1808 if (_ovpn_lock_trackerp != NULL) 1809 OVPN_RUNLOCK(sc); 1810 OVPN_COUNTER_ADD(sc, nomem_data_pkts_out, 1); 1811 m_freem(m); 1812 return (ENOBUFS); 1813 } 1814 1815 /* Encryption covers only the payload, not the header. */ 1816 crp->crp_payload_start = sizeof(*ohdr); 1817 crp->crp_payload_length = len; 1818 crp->crp_op = CRYPTO_OP_ENCRYPT; 1819 1820 /* 1821 * AAD data covers the ovpn_wire_header minus the auth 1822 * tag. 1823 */ 1824 crp->crp_aad_length = sizeof(*ohdr) - sizeof(ohdr->auth_tag); 1825 crp->crp_aad = ohdr; 1826 crp->crp_aad_start = 0; 1827 crp->crp_op |= CRYPTO_OP_COMPUTE_DIGEST; 1828 crp->crp_digest_start = offsetof(struct ovpn_wire_header, auth_tag); 1829 1830 crp->crp_flags |= CRYPTO_F_IV_SEPARATE; 1831 memcpy(crp->crp_iv, &seq, sizeof(seq)); 1832 memcpy(crp->crp_iv + sizeof(seq), key->encrypt->nonce, 1833 key->encrypt->noncelen); 1834 1835 crypto_use_mbuf(crp, m); 1836 crp->crp_flags |= CRYPTO_F_CBIFSYNC; 1837 crp->crp_callback = ovpn_encrypt_tx_cb; 1838 crp->crp_opaque = peer; 1839 1840 atomic_add_int(&peer->refcount, 1); 1841 if (_ovpn_lock_trackerp != NULL) 1842 OVPN_RUNLOCK(sc); 1843 if (V_async_crypto) 1844 ret = crypto_dispatch_async(crp, CRYPTO_ASYNC_ORDERED); 1845 else 1846 ret = crypto_dispatch(crp); 1847 if (ret) { 1848 OVPN_COUNTER_ADD(sc, lost_data_pkts_out, 1); 1849 } 1850 1851 return (ret); 1852 } 1853 1854 /* 1855 * Note: Expects to hold the read lock on entry, and will release it itself. 1856 */ 1857 static int 1858 ovpn_encap(struct ovpn_softc *sc, uint32_t peerid, struct mbuf *m) 1859 { 1860 struct udphdr *udp; 1861 struct ovpn_kpeer *peer; 1862 int len; 1863 1864 OVPN_RLOCK_TRACKER; 1865 1866 OVPN_RLOCK(sc); 1867 NET_EPOCH_ASSERT(); 1868 1869 peer = ovpn_find_peer(sc, peerid); 1870 if (peer == NULL || sc->ifp->if_link_state != LINK_STATE_UP) { 1871 OVPN_RUNLOCK(sc); 1872 OVPN_COUNTER_ADD(sc, lost_data_pkts_out, 1); 1873 m_freem(m); 1874 return (ENETDOWN); 1875 } 1876 1877 len = m->m_pkthdr.len; 1878 1879 M_PREPEND(m, sizeof(struct udphdr), M_NOWAIT); 1880 if (m == NULL) { 1881 OVPN_RUNLOCK(sc); 1882 OVPN_COUNTER_ADD(sc, nomem_data_pkts_out, 1); 1883 m_freem(m); 1884 return (ENOBUFS); 1885 } 1886 udp = mtod(m, struct udphdr *); 1887 1888 MPASS(peer->local.ss_family == peer->remote.ss_family); 1889 1890 udp->uh_sport = ovpn_get_port(&peer->local); 1891 udp->uh_dport = ovpn_get_port(&peer->remote); 1892 udp->uh_ulen = htons(sizeof(struct udphdr) + len); 1893 1894 switch (peer->remote.ss_family) { 1895 #ifdef INET 1896 case AF_INET: { 1897 struct sockaddr_in *in_local = TO_IN(&peer->local); 1898 struct sockaddr_in *in_remote = TO_IN(&peer->remote); 1899 struct ip *ip; 1900 1901 /* 1902 * This requires knowing the source IP, which we don't. Happily 1903 * we're allowed to keep this at 0, and the checksum won't do 1904 * anything the crypto won't already do. 1905 */ 1906 udp->uh_sum = 0; 1907 1908 /* Set the checksum flags so we recalculate checksums. */ 1909 m->m_pkthdr.csum_flags |= CSUM_IP; 1910 m->m_pkthdr.csum_data = offsetof(struct udphdr, uh_sum); 1911 1912 M_PREPEND(m, sizeof(struct ip), M_NOWAIT); 1913 if (m == NULL) { 1914 OVPN_RUNLOCK(sc); 1915 OVPN_COUNTER_ADD(sc, nomem_data_pkts_out, 1); 1916 return (ENOBUFS); 1917 } 1918 ip = mtod(m, struct ip *); 1919 1920 ip->ip_tos = 0; 1921 ip->ip_len = htons(sizeof(struct ip) + sizeof(struct udphdr) + 1922 len); 1923 ip->ip_off = 0; 1924 ip->ip_ttl = V_ip_defttl; 1925 ip->ip_p = IPPROTO_UDP; 1926 ip->ip_sum = 0; 1927 if (in_local->sin_port != 0) 1928 ip->ip_src = in_local->sin_addr; 1929 else 1930 ip->ip_src.s_addr = INADDR_ANY; 1931 ip->ip_dst = in_remote->sin_addr; 1932 1933 OVPN_RUNLOCK(sc); 1934 OVPN_COUNTER_ADD(sc, transport_bytes_sent, m->m_pkthdr.len); 1935 1936 return (ip_output(m, NULL, NULL, 0, NULL, NULL)); 1937 } 1938 #endif 1939 #ifdef INET6 1940 case AF_INET6: { 1941 struct sockaddr_in6 *in6_local = TO_IN6(&peer->local); 1942 struct sockaddr_in6 *in6_remote = TO_IN6(&peer->remote); 1943 struct ip6_hdr *ip6; 1944 1945 M_PREPEND(m, sizeof(struct ip6_hdr), M_NOWAIT); 1946 if (m == NULL) { 1947 OVPN_RUNLOCK(sc); 1948 OVPN_COUNTER_ADD(sc, nomem_data_pkts_out, 1); 1949 return (ENOBUFS); 1950 } 1951 m = m_pullup(m, sizeof(*ip6) + sizeof(*udp)); 1952 if (m == NULL) { 1953 OVPN_RUNLOCK(sc); 1954 OVPN_COUNTER_ADD(sc, nomem_data_pkts_out, 1); 1955 return (ENOBUFS); 1956 } 1957 1958 ip6 = mtod(m, struct ip6_hdr *); 1959 1960 ip6->ip6_vfc = IPV6_VERSION; 1961 ip6->ip6_flow &= ~IPV6_FLOWINFO_MASK; 1962 ip6->ip6_plen = htons(sizeof(*ip6) + sizeof(struct udphdr) + 1963 len); 1964 ip6->ip6_nxt = IPPROTO_UDP; 1965 ip6->ip6_hlim = V_ip6_defhlim; 1966 1967 memcpy(&ip6->ip6_src, &in6_local->sin6_addr, 1968 sizeof(ip6->ip6_src)); 1969 memcpy(&ip6->ip6_dst, &in6_remote->sin6_addr, 1970 sizeof(ip6->ip6_dst)); 1971 1972 udp = mtodo(m, sizeof(*ip6)); 1973 udp->uh_sum = in6_cksum_pseudo(ip6, 1974 m->m_pkthdr.len - sizeof(struct ip6_hdr), 1975 IPPROTO_UDP, 0); 1976 1977 m->m_pkthdr.csum_flags |= CSUM_UDP_IPV6; 1978 m->m_pkthdr.csum_data = offsetof(struct udphdr, uh_sum); 1979 1980 OVPN_RUNLOCK(sc); 1981 OVPN_COUNTER_ADD(sc, transport_bytes_sent, m->m_pkthdr.len); 1982 1983 return (ip6_output(m, NULL, NULL, IPV6_UNSPECSRC, NULL, NULL, 1984 NULL)); 1985 } 1986 #endif 1987 default: 1988 panic("Unsupported address family %d", 1989 peer->remote.ss_family); 1990 } 1991 } 1992 1993 static int 1994 ovpn_output(struct ifnet *ifp, struct mbuf *m, const struct sockaddr *dst, 1995 struct route *ro) 1996 { 1997 struct ovpn_softc *sc; 1998 struct ovpn_kpeer *peer; 1999 2000 OVPN_RLOCK_TRACKER; 2001 2002 sc = ifp->if_softc; 2003 2004 OVPN_RLOCK(sc); 2005 2006 SDT_PROBE1(if_ovpn, tx, transmit, start, m); 2007 2008 if (__predict_false(ifp->if_link_state != LINK_STATE_UP)) { 2009 OVPN_COUNTER_ADD(sc, lost_data_pkts_out, 1); 2010 OVPN_RUNLOCK(sc); 2011 m_freem(m); 2012 return (ENETDOWN); 2013 } 2014 2015 /** 2016 * Only obey 'dst' (i.e. the gateway) if no route is supplied. 2017 * That's our indication that we're being called through pf's route-to, 2018 * and we should route according to 'dst' instead. We can't do so 2019 * consistently, because the usual openvpn configuration sets the first 2020 * non-server IP in the subnet as the gateway. If we always use that 2021 * one we'd end up routing all traffic to the first client. 2022 * tl;dr: 'ro == NULL' tells us pf is doing a route-to, and then but 2023 * only then, we should treat 'dst' as the destination. */ 2024 peer = ovpn_route_peer(sc, &m, ro == NULL ? dst : NULL); 2025 if (peer == NULL) { 2026 /* No destination. */ 2027 OVPN_COUNTER_ADD(sc, lost_data_pkts_out, 1); 2028 OVPN_RUNLOCK(sc); 2029 m_freem(m); 2030 return (ENETDOWN); 2031 } 2032 2033 return (ovpn_transmit_to_peer(ifp, m, peer, _ovpn_lock_trackerp)); 2034 } 2035 2036 static bool 2037 ovpn_check_replay(struct ovpn_kkey_dir *key, uint32_t seq) 2038 { 2039 uint32_t d; 2040 2041 mtx_lock(&key->replay_mtx); 2042 2043 /* Sequence number must be strictly greater than rx_seq */ 2044 if (seq <= key->rx_seq) { 2045 mtx_unlock(&key->replay_mtx); 2046 return (false); 2047 } 2048 2049 /* Large jump. The packet authenticated okay, so just accept that. */ 2050 if (seq > (key->rx_seq + (sizeof(key->rx_window) * 8))) { 2051 key->rx_seq = seq; 2052 key->rx_window = 0; 2053 mtx_unlock(&key->replay_mtx); 2054 return (true); 2055 } 2056 2057 /* Happy case. */ 2058 if ((seq == key->rx_seq + 1) && key->rx_window == 0) { 2059 key->rx_seq++; 2060 mtx_unlock(&key->replay_mtx); 2061 return (true); 2062 } 2063 2064 d = seq - key->rx_seq - 1; 2065 2066 if (key->rx_window & ((uint64_t)1 << d)) { 2067 /* Dupe! */ 2068 mtx_unlock(&key->replay_mtx); 2069 return (false); 2070 } 2071 2072 key->rx_window |= (uint64_t)1 << d; 2073 2074 while (key->rx_window & 1) { 2075 key->rx_seq++; 2076 key->rx_window >>= 1; 2077 } 2078 2079 mtx_unlock(&key->replay_mtx); 2080 2081 return (true); 2082 } 2083 2084 static struct ovpn_kpeer * 2085 ovpn_peer_from_mbuf(struct ovpn_softc *sc, struct mbuf *m, int off) 2086 { 2087 struct ovpn_wire_header ohdr; 2088 uint32_t peerid; 2089 const size_t hdrlen = sizeof(ohdr) - sizeof(ohdr.auth_tag); 2090 2091 OVPN_RASSERT(sc); 2092 2093 if (m_length(m, NULL) < (off + sizeof(struct udphdr) + hdrlen)) 2094 return (NULL); 2095 2096 m_copydata(m, off + sizeof(struct udphdr), hdrlen, (caddr_t)&ohdr); 2097 2098 peerid = ntohl(ohdr.opcode) & 0x00ffffff; 2099 2100 return (ovpn_find_peer(sc, peerid)); 2101 } 2102 2103 static bool 2104 ovpn_udp_input(struct mbuf *m, int off, struct inpcb *inp, 2105 const struct sockaddr *sa, void *ctx) 2106 { 2107 struct ovpn_softc *sc = ctx; 2108 struct ovpn_wire_header tmphdr; 2109 struct ovpn_wire_header *ohdr; 2110 struct udphdr *uhdr; 2111 struct ovpn_kkey *key; 2112 struct cryptop *crp; 2113 struct ovpn_kpeer *peer; 2114 size_t ohdrlen; 2115 int ret; 2116 uint8_t op; 2117 2118 OVPN_RLOCK_TRACKER; 2119 2120 M_ASSERTPKTHDR(m); 2121 2122 OVPN_COUNTER_ADD(sc, transport_bytes_received, m->m_pkthdr.len - off); 2123 2124 ohdrlen = sizeof(*ohdr) - sizeof(ohdr->auth_tag); 2125 2126 OVPN_RLOCK(sc); 2127 2128 peer = ovpn_peer_from_mbuf(sc, m, off); 2129 if (peer == NULL) { 2130 OVPN_RUNLOCK(sc); 2131 return (false); 2132 } 2133 2134 if (m_length(m, NULL) < (off + sizeof(*uhdr) + ohdrlen)) { 2135 /* Short packet. */ 2136 OVPN_RUNLOCK(sc); 2137 return (false); 2138 } 2139 2140 m_copydata(m, off + sizeof(*uhdr), ohdrlen, (caddr_t)&tmphdr); 2141 2142 op = ntohl(tmphdr.opcode) >> 24 >> OVPN_OP_SHIFT; 2143 if (op != OVPN_OP_DATA_V2) { 2144 /* Control packet? */ 2145 OVPN_RUNLOCK(sc); 2146 return (false); 2147 } 2148 2149 m = m_pullup(m, off + sizeof(*uhdr) + ohdrlen); 2150 if (m == NULL) { 2151 OVPN_RUNLOCK(sc); 2152 OVPN_COUNTER_ADD(sc, nomem_data_pkts_in, 1); 2153 return (true); 2154 } 2155 2156 /* 2157 * Simplify things by getting rid of the preceding headers, we don't 2158 * care about them. 2159 */ 2160 m_adj_decap(m, off); 2161 2162 uhdr = mtodo(m, 0); 2163 ohdr = mtodo(m, sizeof(*uhdr)); 2164 2165 key = ovpn_find_key(sc, peer, ohdr); 2166 if (key == NULL || key->decrypt == NULL) { 2167 OVPN_RUNLOCK(sc); 2168 OVPN_COUNTER_ADD(sc, lost_data_pkts_in, 1); 2169 m_freem(m); 2170 return (true); 2171 } 2172 2173 if (key->decrypt->cipher == OVPN_CIPHER_ALG_NONE) { 2174 /* Now remove the outer headers */ 2175 m_adj_decap(m, sizeof(struct udphdr) + ohdrlen); 2176 2177 ohdr = mtodo(m, sizeof(*uhdr)); 2178 2179 ovpn_finish_rx(sc, m, peer, key, ntohl(ohdr->seq), 2180 _ovpn_lock_trackerp); 2181 OVPN_UNLOCK_ASSERT(sc); 2182 return (true); 2183 } 2184 2185 ohdrlen += sizeof(ohdr->auth_tag); 2186 2187 m = m_pullup(m, sizeof(*uhdr) + ohdrlen); 2188 if (m == NULL) { 2189 OVPN_RUNLOCK(sc); 2190 OVPN_COUNTER_ADD(sc, nomem_data_pkts_in, 1); 2191 return (true); 2192 } 2193 uhdr = mtodo(m, 0); 2194 ohdr = mtodo(m, sizeof(*uhdr)); 2195 2196 /* Decrypt */ 2197 crp = crypto_getreq(key->decrypt->cryptoid, M_NOWAIT); 2198 if (crp == NULL) { 2199 OVPN_COUNTER_ADD(sc, nomem_data_pkts_in, 1); 2200 OVPN_RUNLOCK(sc); 2201 m_freem(m); 2202 return (true); 2203 } 2204 2205 crp->crp_payload_start = sizeof(struct udphdr) + sizeof(*ohdr); 2206 crp->crp_payload_length = ntohs(uhdr->uh_ulen) - 2207 sizeof(*uhdr) - sizeof(*ohdr); 2208 crp->crp_op = CRYPTO_OP_DECRYPT; 2209 2210 /* AAD validation. */ 2211 crp->crp_aad_length = sizeof(*ohdr) - sizeof(ohdr->auth_tag); 2212 crp->crp_aad = ohdr; 2213 crp->crp_aad_start = 0; 2214 crp->crp_op |= CRYPTO_OP_VERIFY_DIGEST; 2215 crp->crp_digest_start = sizeof(struct udphdr) + 2216 offsetof(struct ovpn_wire_header, auth_tag); 2217 2218 crp->crp_flags |= CRYPTO_F_IV_SEPARATE; 2219 memcpy(crp->crp_iv, &ohdr->seq, sizeof(ohdr->seq)); 2220 memcpy(crp->crp_iv + sizeof(ohdr->seq), key->decrypt->nonce, 2221 key->decrypt->noncelen); 2222 2223 crypto_use_mbuf(crp, m); 2224 crp->crp_flags |= CRYPTO_F_CBIFSYNC; 2225 crp->crp_callback = ovpn_decrypt_rx_cb; 2226 crp->crp_opaque = sc; 2227 2228 atomic_add_int(&sc->refcount, 1); 2229 OVPN_RUNLOCK(sc); 2230 if (V_async_crypto) 2231 ret = crypto_dispatch_async(crp, CRYPTO_ASYNC_ORDERED); 2232 else 2233 ret = crypto_dispatch(crp); 2234 if (ret != 0) { 2235 OVPN_COUNTER_ADD(sc, lost_data_pkts_in, 1); 2236 } 2237 2238 return (true); 2239 } 2240 2241 static void 2242 ovpn_qflush(struct ifnet *ifp __unused) 2243 { 2244 2245 } 2246 2247 static void 2248 ovpn_flush_rxring(struct ovpn_softc *sc) 2249 { 2250 struct ovpn_notification *n; 2251 2252 OVPN_WASSERT(sc); 2253 2254 while (! buf_ring_empty(sc->notifring)) { 2255 n = buf_ring_dequeue_sc(sc->notifring); 2256 free(n, M_OVPN); 2257 } 2258 } 2259 2260 #ifdef VIMAGE 2261 static void 2262 ovpn_reassign(struct ifnet *ifp, struct vnet *new_vnet __unused, 2263 char *unused __unused) 2264 { 2265 struct ovpn_softc *sc = ifp->if_softc; 2266 struct ovpn_kpeer *peer, *tmppeer; 2267 int ret __diagused; 2268 2269 OVPN_WLOCK(sc); 2270 2271 /* Flush keys & configuration. */ 2272 RB_FOREACH_SAFE(peer, ovpn_kpeers, &sc->peers, tmppeer) { 2273 peer->del_reason = OVPN_DEL_REASON_REQUESTED; 2274 ret = _ovpn_del_peer(sc, peer); 2275 MPASS(ret == 0); 2276 } 2277 2278 ovpn_flush_rxring(sc); 2279 2280 OVPN_WUNLOCK(sc); 2281 } 2282 #endif 2283 2284 static int 2285 ovpn_clone_match(struct if_clone *ifc, const char *name) 2286 { 2287 /* 2288 * Allow all names that start with 'ovpn', specifically because pfSense 2289 * uses ovpnc1 / ovpns2 2290 */ 2291 return (strncmp(ovpnname, name, strlen(ovpnname)) == 0); 2292 } 2293 2294 static int 2295 ovpn_clone_create(struct if_clone *ifc, char *name, size_t len, 2296 struct ifc_data *ifd, struct ifnet **ifpp) 2297 { 2298 struct ovpn_softc *sc; 2299 struct ifnet *ifp; 2300 char *dp; 2301 int error, unit, wildcard; 2302 2303 /* Try to see if a special unit was requested. */ 2304 error = ifc_name2unit(name, &unit); 2305 if (error != 0) 2306 return (error); 2307 wildcard = (unit < 0); 2308 2309 error = ifc_alloc_unit(ifc, &unit); 2310 if (error != 0) 2311 return (error); 2312 2313 /* 2314 * If no unit had been given, we need to adjust the ifName. 2315 */ 2316 for (dp = name; *dp != '\0'; dp++); 2317 if (wildcard) { 2318 error = snprintf(dp, len - (dp - name), "%d", unit); 2319 if (error > len - (dp - name)) { 2320 /* ifName too long. */ 2321 ifc_free_unit(ifc, unit); 2322 return (ENOSPC); 2323 } 2324 dp += error; 2325 } 2326 2327 /* Make sure it doesn't already exist. */ 2328 if (ifunit(name) != NULL) 2329 return (EEXIST); 2330 2331 sc = malloc(sizeof(struct ovpn_softc), M_OVPN, M_WAITOK | M_ZERO); 2332 sc->ifp = if_alloc(IFT_ENC); 2333 rm_init_flags(&sc->lock, "if_ovpn_lock", RM_RECURSE); 2334 sc->refcount = 0; 2335 2336 sc->notifring = buf_ring_alloc(32, M_OVPN, M_WAITOK, NULL); 2337 2338 COUNTER_ARRAY_ALLOC(sc->counters, OVPN_COUNTER_SIZE, M_WAITOK); 2339 2340 ifp = sc->ifp; 2341 ifp->if_softc = sc; 2342 strlcpy(ifp->if_xname, name, IFNAMSIZ); 2343 ifp->if_dname = ovpngroupname; 2344 ifp->if_dunit = unit; 2345 2346 ifp->if_addrlen = 0; 2347 ifp->if_mtu = 1428; 2348 ifp->if_flags = IFF_POINTOPOINT | IFF_MULTICAST; 2349 ifp->if_ioctl = ovpn_ioctl; 2350 ifp->if_transmit = ovpn_transmit; 2351 ifp->if_output = ovpn_output; 2352 ifp->if_qflush = ovpn_qflush; 2353 #ifdef VIMAGE 2354 ifp->if_reassign = ovpn_reassign; 2355 #endif 2356 ifp->if_capabilities |= IFCAP_LINKSTATE; 2357 ifp->if_capenable |= IFCAP_LINKSTATE; 2358 2359 if_attach(ifp); 2360 bpfattach(ifp, DLT_NULL, sizeof(uint32_t)); 2361 *ifpp = ifp; 2362 2363 return (0); 2364 } 2365 2366 static void 2367 ovpn_clone_destroy_cb(struct epoch_context *ctx) 2368 { 2369 struct ovpn_softc *sc; 2370 2371 sc = __containerof(ctx, struct ovpn_softc, epoch_ctx); 2372 2373 MPASS(sc->peercount == 0); 2374 MPASS(RB_EMPTY(&sc->peers)); 2375 2376 COUNTER_ARRAY_FREE(sc->counters, OVPN_COUNTER_SIZE); 2377 2378 if_free(sc->ifp); 2379 free(sc, M_OVPN); 2380 } 2381 2382 static int 2383 ovpn_clone_destroy(struct if_clone *ifc, struct ifnet *ifp, uint32_t flags) 2384 { 2385 struct ovpn_softc *sc; 2386 struct ovpn_kpeer *peer, *tmppeer; 2387 int unit; 2388 int ret __diagused; 2389 2390 sc = ifp->if_softc; 2391 unit = ifp->if_dunit; 2392 2393 OVPN_WLOCK(sc); 2394 2395 if (atomic_load_int(&sc->refcount) > 0) { 2396 OVPN_WUNLOCK(sc); 2397 return (EBUSY); 2398 } 2399 2400 RB_FOREACH_SAFE(peer, ovpn_kpeers, &sc->peers, tmppeer) { 2401 peer->del_reason = OVPN_DEL_REASON_REQUESTED; 2402 ret = _ovpn_del_peer(sc, peer); 2403 MPASS(ret == 0); 2404 } 2405 2406 ovpn_flush_rxring(sc); 2407 buf_ring_free(sc->notifring, M_OVPN); 2408 2409 OVPN_WUNLOCK(sc); 2410 2411 bpfdetach(ifp); 2412 if_detach(ifp); 2413 ifp->if_softc = NULL; 2414 2415 NET_EPOCH_CALL(ovpn_clone_destroy_cb, &sc->epoch_ctx); 2416 2417 if (unit != IF_DUNIT_NONE) 2418 ifc_free_unit(ifc, unit); 2419 2420 NET_EPOCH_DRAIN_CALLBACKS(); 2421 2422 return (0); 2423 } 2424 2425 static void 2426 vnet_ovpn_init(const void *unused __unused) 2427 { 2428 struct if_clone_addreq req = { 2429 .match_f = ovpn_clone_match, 2430 .create_f = ovpn_clone_create, 2431 .destroy_f = ovpn_clone_destroy, 2432 }; 2433 V_ovpn_cloner = ifc_attach_cloner(ovpngroupname, &req); 2434 } 2435 VNET_SYSINIT(vnet_ovpn_init, SI_SUB_PSEUDO, SI_ORDER_ANY, 2436 vnet_ovpn_init, NULL); 2437 2438 static void 2439 vnet_ovpn_uninit(const void *unused __unused) 2440 { 2441 if_clone_detach(V_ovpn_cloner); 2442 } 2443 VNET_SYSUNINIT(vnet_ovpn_uninit, SI_SUB_PSEUDO, SI_ORDER_ANY, 2444 vnet_ovpn_uninit, NULL); 2445 2446 static int 2447 ovpnmodevent(module_t mod, int type, void *data) 2448 { 2449 switch (type) { 2450 case MOD_LOAD: 2451 /* Done in vnet_ovpn_init() */ 2452 break; 2453 case MOD_UNLOAD: 2454 /* Done in vnet_ovpn_uninit() */ 2455 break; 2456 default: 2457 return (EOPNOTSUPP); 2458 } 2459 2460 return (0); 2461 } 2462 2463 static moduledata_t ovpn_mod = { 2464 "if_ovpn", 2465 ovpnmodevent, 2466 0 2467 }; 2468 2469 DECLARE_MODULE(if_ovpn, ovpn_mod, SI_SUB_PSEUDO, SI_ORDER_ANY); 2470 MODULE_VERSION(if_ovpn, 1); 2471