1 // SPDX-License-Identifier: GPL-2.0 2 /* OpenVPN data channel offload 3 * 4 * Copyright (C) 2020-2025 OpenVPN, Inc. 5 * 6 * Author: Antonio Quartulli <antonio@openvpn.net> 7 */ 8 9 #include <linux/netdevice.h> 10 #include <linux/types.h> 11 #include <net/genetlink.h> 12 13 #include <uapi/linux/ovpn.h> 14 15 #include "ovpnpriv.h" 16 #include "main.h" 17 #include "netlink.h" 18 #include "netlink-gen.h" 19 #include "bind.h" 20 #include "crypto.h" 21 #include "peer.h" 22 #include "socket.h" 23 24 MODULE_ALIAS_GENL_FAMILY(OVPN_FAMILY_NAME); 25 26 /** 27 * ovpn_get_dev_from_attrs - retrieve the ovpn private data from the netdevice 28 * a netlink message is targeting 29 * @net: network namespace where to look for the interface 30 * @info: generic netlink info from the user request 31 * @tracker: tracker object to be used for the netdev reference acquisition 32 * 33 * Return: the ovpn private data, if found, or an error otherwise 34 */ 35 static struct ovpn_priv * 36 ovpn_get_dev_from_attrs(struct net *net, const struct genl_info *info, 37 netdevice_tracker *tracker) 38 { 39 struct ovpn_priv *ovpn; 40 struct net_device *dev; 41 int ifindex; 42 43 if (GENL_REQ_ATTR_CHECK(info, OVPN_A_IFINDEX)) 44 return ERR_PTR(-EINVAL); 45 46 ifindex = nla_get_u32(info->attrs[OVPN_A_IFINDEX]); 47 48 rcu_read_lock(); 49 dev = dev_get_by_index_rcu(net, ifindex); 50 if (!dev) { 51 rcu_read_unlock(); 52 NL_SET_ERR_MSG_MOD(info->extack, 53 "ifindex does not match any interface"); 54 return ERR_PTR(-ENODEV); 55 } 56 57 if (!ovpn_dev_is_valid(dev)) { 58 rcu_read_unlock(); 59 NL_SET_ERR_MSG_MOD(info->extack, 60 "specified interface is not ovpn"); 61 NL_SET_BAD_ATTR(info->extack, info->attrs[OVPN_A_IFINDEX]); 62 return ERR_PTR(-EINVAL); 63 } 64 65 ovpn = netdev_priv(dev); 66 netdev_hold(dev, tracker, GFP_ATOMIC); 67 rcu_read_unlock(); 68 69 return ovpn; 70 } 71 72 int ovpn_nl_pre_doit(const struct genl_split_ops *ops, struct sk_buff *skb, 73 struct genl_info *info) 74 { 75 netdevice_tracker *tracker = (netdevice_tracker *)&info->user_ptr[1]; 76 struct ovpn_priv *ovpn = ovpn_get_dev_from_attrs(genl_info_net(info), 77 info, tracker); 78 79 if (IS_ERR(ovpn)) 80 return PTR_ERR(ovpn); 81 82 info->user_ptr[0] = ovpn; 83 84 return 0; 85 } 86 87 void ovpn_nl_post_doit(const struct genl_split_ops *ops, struct sk_buff *skb, 88 struct genl_info *info) 89 { 90 netdevice_tracker *tracker = (netdevice_tracker *)&info->user_ptr[1]; 91 struct ovpn_priv *ovpn = info->user_ptr[0]; 92 93 if (ovpn) 94 netdev_put(ovpn->dev, tracker); 95 } 96 97 static bool ovpn_nl_attr_sockaddr_remote(struct nlattr **attrs, 98 struct sockaddr_storage *ss) 99 { 100 struct sockaddr_in6 *sin6; 101 struct sockaddr_in *sin; 102 struct in6_addr *in6; 103 __be16 port = 0; 104 __be32 *in; 105 106 ss->ss_family = AF_UNSPEC; 107 108 if (attrs[OVPN_A_PEER_REMOTE_PORT]) 109 port = nla_get_be16(attrs[OVPN_A_PEER_REMOTE_PORT]); 110 111 if (attrs[OVPN_A_PEER_REMOTE_IPV4]) { 112 ss->ss_family = AF_INET; 113 in = nla_data(attrs[OVPN_A_PEER_REMOTE_IPV4]); 114 } else if (attrs[OVPN_A_PEER_REMOTE_IPV6]) { 115 ss->ss_family = AF_INET6; 116 in6 = nla_data(attrs[OVPN_A_PEER_REMOTE_IPV6]); 117 } else { 118 return false; 119 } 120 121 switch (ss->ss_family) { 122 case AF_INET6: 123 /* If this is a regular IPv6 just break and move on, 124 * otherwise switch to AF_INET and extract the IPv4 accordingly 125 */ 126 if (!ipv6_addr_v4mapped(in6)) { 127 sin6 = (struct sockaddr_in6 *)ss; 128 sin6->sin6_port = port; 129 memcpy(&sin6->sin6_addr, in6, sizeof(*in6)); 130 break; 131 } 132 133 /* v4-mapped-v6 address */ 134 ss->ss_family = AF_INET; 135 in = &in6->s6_addr32[3]; 136 fallthrough; 137 case AF_INET: 138 sin = (struct sockaddr_in *)ss; 139 sin->sin_port = port; 140 sin->sin_addr.s_addr = *in; 141 break; 142 } 143 144 return true; 145 } 146 147 static u8 *ovpn_nl_attr_local_ip(struct nlattr **attrs) 148 { 149 u8 *addr6; 150 151 if (!attrs[OVPN_A_PEER_LOCAL_IPV4] && !attrs[OVPN_A_PEER_LOCAL_IPV6]) 152 return NULL; 153 154 if (attrs[OVPN_A_PEER_LOCAL_IPV4]) 155 return nla_data(attrs[OVPN_A_PEER_LOCAL_IPV4]); 156 157 addr6 = nla_data(attrs[OVPN_A_PEER_LOCAL_IPV6]); 158 /* this is an IPv4-mapped IPv6 address, therefore extract the actual 159 * v4 address from the last 4 bytes 160 */ 161 if (ipv6_addr_v4mapped((struct in6_addr *)addr6)) 162 return addr6 + 12; 163 164 return addr6; 165 } 166 167 static sa_family_t ovpn_nl_family_get(struct nlattr *addr4, 168 struct nlattr *addr6) 169 { 170 if (addr4) 171 return AF_INET; 172 173 if (addr6) { 174 if (ipv6_addr_v4mapped((struct in6_addr *)nla_data(addr6))) 175 return AF_INET; 176 return AF_INET6; 177 } 178 179 return AF_UNSPEC; 180 } 181 182 static int ovpn_nl_peer_precheck(struct ovpn_priv *ovpn, 183 struct genl_info *info, 184 struct nlattr **attrs) 185 { 186 sa_family_t local_fam, remote_fam; 187 188 if (NL_REQ_ATTR_CHECK(info->extack, info->attrs[OVPN_A_PEER], attrs, 189 OVPN_A_PEER_ID)) 190 return -EINVAL; 191 192 if (attrs[OVPN_A_PEER_REMOTE_IPV4] && attrs[OVPN_A_PEER_REMOTE_IPV6]) { 193 NL_SET_ERR_MSG_MOD(info->extack, 194 "cannot specify both remote IPv4 or IPv6 address"); 195 return -EINVAL; 196 } 197 198 if (!attrs[OVPN_A_PEER_REMOTE_IPV4] && 199 !attrs[OVPN_A_PEER_REMOTE_IPV6] && attrs[OVPN_A_PEER_REMOTE_PORT]) { 200 NL_SET_ERR_MSG_MOD(info->extack, 201 "cannot specify remote port without IP address"); 202 return -EINVAL; 203 } 204 205 if ((attrs[OVPN_A_PEER_REMOTE_IPV4] || 206 attrs[OVPN_A_PEER_REMOTE_IPV6]) && 207 !attrs[OVPN_A_PEER_REMOTE_PORT]) { 208 NL_SET_ERR_MSG_MOD(info->extack, 209 "cannot specify remote IP address without port"); 210 return -EINVAL; 211 } 212 213 if (!attrs[OVPN_A_PEER_REMOTE_IPV4] && 214 attrs[OVPN_A_PEER_LOCAL_IPV4]) { 215 NL_SET_ERR_MSG_MOD(info->extack, 216 "cannot specify local IPv4 address without remote"); 217 return -EINVAL; 218 } 219 220 if (!attrs[OVPN_A_PEER_REMOTE_IPV6] && 221 attrs[OVPN_A_PEER_LOCAL_IPV6]) { 222 NL_SET_ERR_MSG_MOD(info->extack, 223 "cannot specify local IPV6 address without remote"); 224 return -EINVAL; 225 } 226 227 /* check that local and remote address families are the same even 228 * after parsing v4mapped IPv6 addresses. 229 * (if addresses are not provided, family will be AF_UNSPEC and 230 * the check is skipped) 231 */ 232 local_fam = ovpn_nl_family_get(attrs[OVPN_A_PEER_LOCAL_IPV4], 233 attrs[OVPN_A_PEER_LOCAL_IPV6]); 234 remote_fam = ovpn_nl_family_get(attrs[OVPN_A_PEER_REMOTE_IPV4], 235 attrs[OVPN_A_PEER_REMOTE_IPV6]); 236 if (local_fam != AF_UNSPEC && remote_fam != AF_UNSPEC && 237 local_fam != remote_fam) { 238 NL_SET_ERR_MSG_MOD(info->extack, 239 "mismatching local and remote address families"); 240 return -EINVAL; 241 } 242 243 if (remote_fam != AF_INET6 && attrs[OVPN_A_PEER_REMOTE_IPV6_SCOPE_ID]) { 244 NL_SET_ERR_MSG_MOD(info->extack, 245 "cannot specify scope id without remote IPv6 address"); 246 return -EINVAL; 247 } 248 249 /* VPN IPs are needed only in MP mode for selecting the right peer */ 250 if (ovpn->mode == OVPN_MODE_P2P && (attrs[OVPN_A_PEER_VPN_IPV4] || 251 attrs[OVPN_A_PEER_VPN_IPV6])) { 252 NL_SET_ERR_MSG_FMT_MOD(info->extack, 253 "unexpected VPN IP in P2P mode"); 254 return -EINVAL; 255 } 256 257 if ((attrs[OVPN_A_PEER_KEEPALIVE_INTERVAL] && 258 !attrs[OVPN_A_PEER_KEEPALIVE_TIMEOUT]) || 259 (!attrs[OVPN_A_PEER_KEEPALIVE_INTERVAL] && 260 attrs[OVPN_A_PEER_KEEPALIVE_TIMEOUT])) { 261 NL_SET_ERR_MSG_FMT_MOD(info->extack, 262 "keepalive interval and timeout are required together"); 263 return -EINVAL; 264 } 265 266 return 0; 267 } 268 269 /** 270 * ovpn_nl_peer_modify - modify the peer attributes according to the incoming msg 271 * @peer: the peer to modify 272 * @info: generic netlink info from the user request 273 * @attrs: the attributes from the user request 274 * 275 * Return: a negative error code in case of failure, 0 on success or 1 on 276 * success and the VPN IPs have been modified (requires rehashing in MP 277 * mode) 278 */ 279 static int ovpn_nl_peer_modify(struct ovpn_peer *peer, struct genl_info *info, 280 struct nlattr **attrs) 281 { 282 struct sockaddr_storage ss = {}; 283 void *local_ip = NULL; 284 u32 interv, timeout; 285 bool rehash = false; 286 int ret; 287 288 spin_lock_bh(&peer->lock); 289 290 if (ovpn_nl_attr_sockaddr_remote(attrs, &ss)) { 291 /* we carry the local IP in a generic container. 292 * ovpn_peer_reset_sockaddr() will properly interpret it 293 * based on ss.ss_family 294 */ 295 local_ip = ovpn_nl_attr_local_ip(attrs); 296 297 /* set peer sockaddr */ 298 ret = ovpn_peer_reset_sockaddr(peer, &ss, local_ip); 299 if (ret < 0) { 300 NL_SET_ERR_MSG_FMT_MOD(info->extack, 301 "cannot set peer sockaddr: %d", 302 ret); 303 goto err_unlock; 304 } 305 dst_cache_reset(&peer->dst_cache); 306 } 307 308 /* In a multipeer-to-multipeer setup we may have asymmetric peer IDs, 309 * that is peer->id might be different from peer->tx_id. 310 */ 311 if (attrs[OVPN_A_PEER_TX_ID]) 312 peer->tx_id = nla_get_u32(attrs[OVPN_A_PEER_TX_ID]); 313 314 if (attrs[OVPN_A_PEER_VPN_IPV4]) { 315 rehash = true; 316 peer->vpn_addrs.ipv4.s_addr = 317 nla_get_in_addr(attrs[OVPN_A_PEER_VPN_IPV4]); 318 } 319 320 if (attrs[OVPN_A_PEER_VPN_IPV6]) { 321 rehash = true; 322 peer->vpn_addrs.ipv6 = 323 nla_get_in6_addr(attrs[OVPN_A_PEER_VPN_IPV6]); 324 } 325 326 /* when setting the keepalive, both parameters have to be configured */ 327 if (attrs[OVPN_A_PEER_KEEPALIVE_INTERVAL] && 328 attrs[OVPN_A_PEER_KEEPALIVE_TIMEOUT]) { 329 interv = nla_get_u32(attrs[OVPN_A_PEER_KEEPALIVE_INTERVAL]); 330 timeout = nla_get_u32(attrs[OVPN_A_PEER_KEEPALIVE_TIMEOUT]); 331 ovpn_peer_keepalive_set(peer, interv, timeout); 332 } 333 334 netdev_dbg(peer->ovpn->dev, 335 "modify peer id=%u tx_id=%u endpoint=%pIScp VPN-IPv4=%pI4 VPN-IPv6=%pI6c\n", 336 peer->id, peer->tx_id, &ss, 337 &peer->vpn_addrs.ipv4.s_addr, &peer->vpn_addrs.ipv6); 338 339 spin_unlock_bh(&peer->lock); 340 341 return rehash ? 1 : 0; 342 err_unlock: 343 spin_unlock_bh(&peer->lock); 344 return ret; 345 } 346 347 int ovpn_nl_peer_new_doit(struct sk_buff *skb, struct genl_info *info) 348 { 349 struct nlattr *attrs[OVPN_A_PEER_MAX + 1]; 350 struct ovpn_priv *ovpn = info->user_ptr[0]; 351 struct ovpn_socket *ovpn_sock; 352 struct socket *sock = NULL; 353 struct ovpn_peer *peer; 354 u32 sockfd, peer_id; 355 int ret; 356 357 if (GENL_REQ_ATTR_CHECK(info, OVPN_A_PEER)) 358 return -EINVAL; 359 360 ret = nla_parse_nested(attrs, OVPN_A_PEER_MAX, info->attrs[OVPN_A_PEER], 361 ovpn_peer_new_input_nl_policy, info->extack); 362 if (ret) 363 return ret; 364 365 ret = ovpn_nl_peer_precheck(ovpn, info, attrs); 366 if (ret < 0) 367 return ret; 368 369 if (NL_REQ_ATTR_CHECK(info->extack, info->attrs[OVPN_A_PEER], attrs, 370 OVPN_A_PEER_SOCKET)) 371 return -EINVAL; 372 373 /* in MP mode VPN IPs are required for selecting the right peer */ 374 if (ovpn->mode == OVPN_MODE_MP && !attrs[OVPN_A_PEER_VPN_IPV4] && 375 !attrs[OVPN_A_PEER_VPN_IPV6]) { 376 NL_SET_ERR_MSG_FMT_MOD(info->extack, 377 "VPN IP must be provided in MP mode"); 378 return -EINVAL; 379 } 380 381 peer_id = nla_get_u32(attrs[OVPN_A_PEER_ID]); 382 383 peer = ovpn_peer_new(ovpn, peer_id); 384 if (IS_ERR(peer)) { 385 NL_SET_ERR_MSG_FMT_MOD(info->extack, 386 "cannot create new peer object for peer %u: %ld", 387 peer_id, PTR_ERR(peer)); 388 return PTR_ERR(peer); 389 } 390 391 /* lookup the fd in the kernel table and extract the socket object */ 392 sockfd = nla_get_u32(attrs[OVPN_A_PEER_SOCKET]); 393 /* sockfd_lookup() increases sock's refcounter */ 394 sock = sockfd_lookup(sockfd, &ret); 395 if (!sock) { 396 NL_SET_ERR_MSG_FMT_MOD(info->extack, 397 "cannot lookup peer socket (fd=%u): %d", 398 sockfd, ret); 399 ret = -ENOTSOCK; 400 goto peer_release; 401 } 402 403 /* Only when using UDP as transport protocol the remote endpoint 404 * can be configured so that ovpn knows where to send packets to. 405 */ 406 if (sock->sk->sk_protocol == IPPROTO_UDP && 407 !attrs[OVPN_A_PEER_REMOTE_IPV4] && 408 !attrs[OVPN_A_PEER_REMOTE_IPV6]) { 409 NL_SET_ERR_MSG_FMT_MOD(info->extack, 410 "missing remote IP address for UDP socket"); 411 sockfd_put(sock); 412 ret = -EINVAL; 413 goto peer_release; 414 } 415 416 /* In case of TCP, the socket is connected to the peer and ovpn 417 * will just send bytes over it, without the need to specify a 418 * destination. 419 */ 420 if (sock->sk->sk_protocol == IPPROTO_TCP && 421 (attrs[OVPN_A_PEER_REMOTE_IPV4] || 422 attrs[OVPN_A_PEER_REMOTE_IPV6])) { 423 NL_SET_ERR_MSG_FMT_MOD(info->extack, 424 "unexpected remote IP address with TCP socket"); 425 sockfd_put(sock); 426 ret = -EINVAL; 427 goto peer_release; 428 } 429 430 ovpn_sock = ovpn_socket_new(sock, peer); 431 /* at this point we unconditionally drop the reference to the socket: 432 * - in case of error, the socket has to be dropped 433 * - if case of success, the socket is configured and let 434 * userspace own the reference, so that the latter can 435 * trigger the final close() 436 */ 437 sockfd_put(sock); 438 if (IS_ERR(ovpn_sock)) { 439 NL_SET_ERR_MSG_FMT_MOD(info->extack, 440 "cannot encapsulate socket: %ld", 441 PTR_ERR(ovpn_sock)); 442 ret = -ENOTSOCK; 443 goto peer_release; 444 } 445 446 rcu_assign_pointer(peer->sock, ovpn_sock); 447 448 ret = ovpn_nl_peer_modify(peer, info, attrs); 449 if (ret < 0) 450 goto sock_release; 451 452 ret = ovpn_peer_add(ovpn, peer); 453 if (ret < 0) { 454 NL_SET_ERR_MSG_FMT_MOD(info->extack, 455 "cannot add new peer (id=%u) to hashtable: %d", 456 peer->id, ret); 457 goto sock_release; 458 } 459 460 return 0; 461 462 sock_release: 463 ovpn_socket_release(peer); 464 peer_release: 465 /* release right away because peer was not yet hashed, thus it is not 466 * used in any context 467 */ 468 ovpn_peer_release(peer); 469 470 return ret; 471 } 472 473 int ovpn_nl_peer_set_doit(struct sk_buff *skb, struct genl_info *info) 474 { 475 struct nlattr *attrs[OVPN_A_PEER_MAX + 1]; 476 struct ovpn_priv *ovpn = info->user_ptr[0]; 477 struct ovpn_socket *sock; 478 struct ovpn_peer *peer; 479 u32 peer_id; 480 int ret; 481 482 if (GENL_REQ_ATTR_CHECK(info, OVPN_A_PEER)) 483 return -EINVAL; 484 485 ret = nla_parse_nested(attrs, OVPN_A_PEER_MAX, info->attrs[OVPN_A_PEER], 486 ovpn_peer_set_input_nl_policy, info->extack); 487 if (ret) 488 return ret; 489 490 ret = ovpn_nl_peer_precheck(ovpn, info, attrs); 491 if (ret < 0) 492 return ret; 493 494 if (attrs[OVPN_A_PEER_SOCKET]) { 495 NL_SET_ERR_MSG_FMT_MOD(info->extack, 496 "socket cannot be modified"); 497 return -EINVAL; 498 } 499 500 peer_id = nla_get_u32(attrs[OVPN_A_PEER_ID]); 501 peer = ovpn_peer_get_by_id(ovpn, peer_id); 502 if (!peer) { 503 NL_SET_ERR_MSG_FMT_MOD(info->extack, 504 "cannot find peer with id %u", peer_id); 505 return -ENOENT; 506 } 507 508 /* when using a TCP socket the remote IP is not expected */ 509 rcu_read_lock(); 510 sock = rcu_dereference(peer->sock); 511 if (sock && sock->sk->sk_protocol == IPPROTO_TCP && 512 (attrs[OVPN_A_PEER_REMOTE_IPV4] || 513 attrs[OVPN_A_PEER_REMOTE_IPV6])) { 514 rcu_read_unlock(); 515 NL_SET_ERR_MSG_FMT_MOD(info->extack, 516 "unexpected remote IP address with TCP socket"); 517 ovpn_peer_put(peer); 518 return -EINVAL; 519 } 520 rcu_read_unlock(); 521 522 spin_lock_bh(&ovpn->lock); 523 ret = ovpn_nl_peer_modify(peer, info, attrs); 524 if (ret < 0) { 525 spin_unlock_bh(&ovpn->lock); 526 ovpn_peer_put(peer); 527 return ret; 528 } 529 530 /* ret == 1 means that VPN IPv4/6 has been modified and rehashing 531 * is required 532 */ 533 if (ret > 0) 534 ovpn_peer_hash_vpn_ip(peer); 535 spin_unlock_bh(&ovpn->lock); 536 ovpn_peer_put(peer); 537 538 return 0; 539 } 540 541 static int ovpn_nl_send_peer(struct sk_buff *skb, const struct genl_info *info, 542 const struct ovpn_peer *peer, u32 portid, u32 seq, 543 int flags) 544 { 545 const struct ovpn_bind *bind; 546 struct ovpn_socket *sock; 547 int ret = -EMSGSIZE; 548 struct nlattr *attr; 549 __be16 local_port; 550 void *hdr; 551 int id; 552 553 hdr = genlmsg_put(skb, portid, seq, &ovpn_nl_family, flags, 554 OVPN_CMD_PEER_GET); 555 if (!hdr) 556 return -ENOBUFS; 557 558 attr = nla_nest_start(skb, OVPN_A_PEER); 559 if (!attr) 560 goto err; 561 562 rcu_read_lock(); 563 sock = rcu_dereference(peer->sock); 564 if (!sock) { 565 ret = -EINVAL; 566 goto err_unlock; 567 } 568 569 if (!net_eq(genl_info_net(info), sock_net(sock->sk))) { 570 id = peernet2id_alloc(genl_info_net(info), 571 sock_net(sock->sk), 572 GFP_ATOMIC); 573 if (nla_put_s32(skb, OVPN_A_PEER_SOCKET_NETNSID, id)) 574 goto err_unlock; 575 } 576 local_port = inet_sk(sock->sk)->inet_sport; 577 rcu_read_unlock(); 578 579 if (nla_put_u32(skb, OVPN_A_PEER_ID, peer->id)) 580 goto err; 581 582 if (nla_put_u32(skb, OVPN_A_PEER_TX_ID, peer->tx_id)) 583 goto err; 584 585 if (peer->vpn_addrs.ipv4.s_addr != htonl(INADDR_ANY)) 586 if (nla_put_in_addr(skb, OVPN_A_PEER_VPN_IPV4, 587 peer->vpn_addrs.ipv4.s_addr)) 588 goto err; 589 590 if (!ipv6_addr_equal(&peer->vpn_addrs.ipv6, &in6addr_any)) 591 if (nla_put_in6_addr(skb, OVPN_A_PEER_VPN_IPV6, 592 &peer->vpn_addrs.ipv6)) 593 goto err; 594 595 if (nla_put_u32(skb, OVPN_A_PEER_KEEPALIVE_INTERVAL, 596 peer->keepalive_interval) || 597 nla_put_u32(skb, OVPN_A_PEER_KEEPALIVE_TIMEOUT, 598 peer->keepalive_timeout)) 599 goto err; 600 601 rcu_read_lock(); 602 bind = rcu_dereference(peer->bind); 603 if (bind) { 604 if (bind->remote.in4.sin_family == AF_INET) { 605 if (nla_put_in_addr(skb, OVPN_A_PEER_REMOTE_IPV4, 606 bind->remote.in4.sin_addr.s_addr) || 607 nla_put_net16(skb, OVPN_A_PEER_REMOTE_PORT, 608 bind->remote.in4.sin_port) || 609 nla_put_in_addr(skb, OVPN_A_PEER_LOCAL_IPV4, 610 bind->local.ipv4.s_addr)) 611 goto err_unlock; 612 } else if (bind->remote.in4.sin_family == AF_INET6) { 613 if (nla_put_in6_addr(skb, OVPN_A_PEER_REMOTE_IPV6, 614 &bind->remote.in6.sin6_addr) || 615 nla_put_u32(skb, OVPN_A_PEER_REMOTE_IPV6_SCOPE_ID, 616 bind->remote.in6.sin6_scope_id) || 617 nla_put_net16(skb, OVPN_A_PEER_REMOTE_PORT, 618 bind->remote.in6.sin6_port) || 619 nla_put_in6_addr(skb, OVPN_A_PEER_LOCAL_IPV6, 620 &bind->local.ipv6)) 621 goto err_unlock; 622 } 623 } 624 rcu_read_unlock(); 625 626 if (nla_put_net16(skb, OVPN_A_PEER_LOCAL_PORT, local_port) || 627 /* VPN RX stats */ 628 nla_put_uint(skb, OVPN_A_PEER_VPN_RX_BYTES, 629 atomic64_read(&peer->vpn_stats.rx.bytes)) || 630 nla_put_uint(skb, OVPN_A_PEER_VPN_RX_PACKETS, 631 atomic64_read(&peer->vpn_stats.rx.packets)) || 632 /* VPN TX stats */ 633 nla_put_uint(skb, OVPN_A_PEER_VPN_TX_BYTES, 634 atomic64_read(&peer->vpn_stats.tx.bytes)) || 635 nla_put_uint(skb, OVPN_A_PEER_VPN_TX_PACKETS, 636 atomic64_read(&peer->vpn_stats.tx.packets)) || 637 /* link RX stats */ 638 nla_put_uint(skb, OVPN_A_PEER_LINK_RX_BYTES, 639 atomic64_read(&peer->link_stats.rx.bytes)) || 640 nla_put_uint(skb, OVPN_A_PEER_LINK_RX_PACKETS, 641 atomic64_read(&peer->link_stats.rx.packets)) || 642 /* link TX stats */ 643 nla_put_uint(skb, OVPN_A_PEER_LINK_TX_BYTES, 644 atomic64_read(&peer->link_stats.tx.bytes)) || 645 nla_put_uint(skb, OVPN_A_PEER_LINK_TX_PACKETS, 646 atomic64_read(&peer->link_stats.tx.packets))) 647 goto err; 648 649 nla_nest_end(skb, attr); 650 genlmsg_end(skb, hdr); 651 652 return 0; 653 err_unlock: 654 rcu_read_unlock(); 655 err: 656 genlmsg_cancel(skb, hdr); 657 return ret; 658 } 659 660 int ovpn_nl_peer_get_doit(struct sk_buff *skb, struct genl_info *info) 661 { 662 struct nlattr *attrs[OVPN_A_PEER_MAX + 1]; 663 struct ovpn_priv *ovpn = info->user_ptr[0]; 664 struct ovpn_peer *peer; 665 struct sk_buff *msg; 666 u32 peer_id; 667 int ret, i; 668 669 if (GENL_REQ_ATTR_CHECK(info, OVPN_A_PEER)) 670 return -EINVAL; 671 672 ret = nla_parse_nested(attrs, OVPN_A_PEER_MAX, info->attrs[OVPN_A_PEER], 673 ovpn_peer_nl_policy, info->extack); 674 if (ret) 675 return ret; 676 677 if (NL_REQ_ATTR_CHECK(info->extack, info->attrs[OVPN_A_PEER], attrs, 678 OVPN_A_PEER_ID)) 679 return -EINVAL; 680 681 /* OVPN_CMD_PEER_GET expects only the PEER_ID, therefore 682 * ensure that the user hasn't specified any other attribute. 683 * 684 * Unfortunately this check cannot be performed via netlink 685 * spec/policy and must be open-coded. 686 */ 687 for (i = 0; i < OVPN_A_PEER_MAX + 1; i++) { 688 if (i == OVPN_A_PEER_ID) 689 continue; 690 691 if (attrs[i]) { 692 NL_SET_ERR_MSG_FMT_MOD(info->extack, 693 "unexpected attribute %u", i); 694 return -EINVAL; 695 } 696 } 697 698 peer_id = nla_get_u32(attrs[OVPN_A_PEER_ID]); 699 peer = ovpn_peer_get_by_id(ovpn, peer_id); 700 if (!peer) { 701 NL_SET_ERR_MSG_FMT_MOD(info->extack, 702 "cannot find peer with id %u", peer_id); 703 return -ENOENT; 704 } 705 706 msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL); 707 if (!msg) { 708 ret = -ENOMEM; 709 goto err; 710 } 711 712 ret = ovpn_nl_send_peer(msg, info, peer, info->snd_portid, 713 info->snd_seq, 0); 714 if (ret < 0) { 715 nlmsg_free(msg); 716 goto err; 717 } 718 719 ret = genlmsg_reply(msg, info); 720 err: 721 ovpn_peer_put(peer); 722 return ret; 723 } 724 725 int ovpn_nl_peer_get_dumpit(struct sk_buff *skb, struct netlink_callback *cb) 726 { 727 const struct genl_info *info = genl_info_dump(cb); 728 int bkt, last_idx = cb->args[1], dumped = 0; 729 netdevice_tracker tracker; 730 struct ovpn_priv *ovpn; 731 struct ovpn_peer *peer; 732 733 ovpn = ovpn_get_dev_from_attrs(sock_net(cb->skb->sk), info, &tracker); 734 if (IS_ERR(ovpn)) 735 return PTR_ERR(ovpn); 736 737 if (ovpn->mode == OVPN_MODE_P2P) { 738 /* if we already dumped a peer it means we are done */ 739 if (last_idx) 740 goto out; 741 742 rcu_read_lock(); 743 peer = rcu_dereference(ovpn->peer); 744 if (peer) { 745 if (ovpn_nl_send_peer(skb, info, peer, 746 NETLINK_CB(cb->skb).portid, 747 cb->nlh->nlmsg_seq, 748 NLM_F_MULTI) == 0) 749 dumped++; 750 } 751 rcu_read_unlock(); 752 } else { 753 rcu_read_lock(); 754 hash_for_each_rcu(ovpn->peers->by_id, bkt, peer, 755 hash_entry_id) { 756 /* skip already dumped peers that were dumped by 757 * previous invocations 758 */ 759 if (last_idx > 0) { 760 last_idx--; 761 continue; 762 } 763 764 if (ovpn_nl_send_peer(skb, info, peer, 765 NETLINK_CB(cb->skb).portid, 766 cb->nlh->nlmsg_seq, 767 NLM_F_MULTI) < 0) 768 break; 769 770 /* count peers being dumped during this invocation */ 771 dumped++; 772 } 773 rcu_read_unlock(); 774 } 775 776 out: 777 netdev_put(ovpn->dev, &tracker); 778 779 /* sum up peers dumped in this message, so that at the next invocation 780 * we can continue from where we left 781 */ 782 cb->args[1] += dumped; 783 return skb->len; 784 } 785 786 int ovpn_nl_peer_del_doit(struct sk_buff *skb, struct genl_info *info) 787 { 788 struct nlattr *attrs[OVPN_A_PEER_MAX + 1]; 789 struct ovpn_priv *ovpn = info->user_ptr[0]; 790 struct ovpn_peer *peer; 791 u32 peer_id; 792 int ret; 793 794 if (GENL_REQ_ATTR_CHECK(info, OVPN_A_PEER)) 795 return -EINVAL; 796 797 ret = nla_parse_nested(attrs, OVPN_A_PEER_MAX, info->attrs[OVPN_A_PEER], 798 ovpn_peer_del_input_nl_policy, info->extack); 799 if (ret) 800 return ret; 801 802 if (NL_REQ_ATTR_CHECK(info->extack, info->attrs[OVPN_A_PEER], attrs, 803 OVPN_A_PEER_ID)) 804 return -EINVAL; 805 806 peer_id = nla_get_u32(attrs[OVPN_A_PEER_ID]); 807 peer = ovpn_peer_get_by_id(ovpn, peer_id); 808 if (!peer) { 809 NL_SET_ERR_MSG_FMT_MOD(info->extack, 810 "cannot find peer with id %u", peer_id); 811 return -ENOENT; 812 } 813 814 netdev_dbg(ovpn->dev, "del peer %u\n", peer->id); 815 ret = ovpn_peer_del(peer, OVPN_DEL_PEER_REASON_USERSPACE); 816 ovpn_peer_put(peer); 817 818 return ret; 819 } 820 821 static int ovpn_nl_get_key_dir(struct genl_info *info, struct nlattr *key, 822 enum ovpn_cipher_alg cipher, 823 struct ovpn_key_direction *dir) 824 { 825 struct nlattr *attrs[OVPN_A_KEYDIR_MAX + 1]; 826 int ret; 827 828 ret = nla_parse_nested(attrs, OVPN_A_KEYDIR_MAX, key, 829 ovpn_keydir_nl_policy, info->extack); 830 if (ret) 831 return ret; 832 833 switch (cipher) { 834 case OVPN_CIPHER_ALG_AES_GCM: 835 case OVPN_CIPHER_ALG_CHACHA20_POLY1305: 836 if (NL_REQ_ATTR_CHECK(info->extack, key, attrs, 837 OVPN_A_KEYDIR_CIPHER_KEY) || 838 NL_REQ_ATTR_CHECK(info->extack, key, attrs, 839 OVPN_A_KEYDIR_NONCE_TAIL)) 840 return -EINVAL; 841 842 dir->cipher_key = nla_data(attrs[OVPN_A_KEYDIR_CIPHER_KEY]); 843 dir->cipher_key_size = nla_len(attrs[OVPN_A_KEYDIR_CIPHER_KEY]); 844 845 /* These algorithms require a 96bit nonce, 846 * Construct it by combining 4-bytes packet id and 847 * 8-bytes nonce-tail from userspace 848 */ 849 dir->nonce_tail = nla_data(attrs[OVPN_A_KEYDIR_NONCE_TAIL]); 850 dir->nonce_tail_size = nla_len(attrs[OVPN_A_KEYDIR_NONCE_TAIL]); 851 break; 852 default: 853 NL_SET_ERR_MSG_MOD(info->extack, "unsupported cipher"); 854 return -EINVAL; 855 } 856 857 return 0; 858 } 859 860 /** 861 * ovpn_nl_key_new_doit - configure a new key for the specified peer 862 * @skb: incoming netlink message 863 * @info: genetlink metadata 864 * 865 * This function allows the user to install a new key in the peer crypto 866 * state. 867 * Each peer has two 'slots', namely 'primary' and 'secondary', where 868 * keys can be installed. The key in the 'primary' slot is used for 869 * encryption, while both keys can be used for decryption by matching the 870 * key ID carried in the incoming packet. 871 * 872 * The user is responsible for rotating keys when necessary. The user 873 * may fetch peer traffic statistics via netlink in order to better 874 * identify the right time to rotate keys. 875 * The renegotiation follows these steps: 876 * 1. a new key is computed by the user and is installed in the 'secondary' 877 * slot 878 * 2. at user discretion (usually after a predetermined time) 'primary' and 879 * 'secondary' contents are swapped and the new key starts being used for 880 * encryption, while the old key is kept around for decryption of late 881 * packets. 882 * 883 * Return: 0 on success or a negative error code otherwise. 884 */ 885 int ovpn_nl_key_new_doit(struct sk_buff *skb, struct genl_info *info) 886 { 887 struct nlattr *attrs[OVPN_A_KEYCONF_MAX + 1]; 888 struct ovpn_priv *ovpn = info->user_ptr[0]; 889 struct ovpn_peer_key_reset pkr; 890 struct ovpn_peer *peer; 891 u32 peer_id; 892 int ret; 893 894 if (GENL_REQ_ATTR_CHECK(info, OVPN_A_KEYCONF)) 895 return -EINVAL; 896 897 ret = nla_parse_nested(attrs, OVPN_A_KEYCONF_MAX, 898 info->attrs[OVPN_A_KEYCONF], 899 ovpn_keyconf_nl_policy, info->extack); 900 if (ret) 901 return ret; 902 903 if (NL_REQ_ATTR_CHECK(info->extack, info->attrs[OVPN_A_KEYCONF], attrs, 904 OVPN_A_KEYCONF_PEER_ID)) 905 return -EINVAL; 906 907 if (NL_REQ_ATTR_CHECK(info->extack, info->attrs[OVPN_A_KEYCONF], attrs, 908 OVPN_A_KEYCONF_SLOT) || 909 NL_REQ_ATTR_CHECK(info->extack, info->attrs[OVPN_A_KEYCONF], attrs, 910 OVPN_A_KEYCONF_KEY_ID) || 911 NL_REQ_ATTR_CHECK(info->extack, info->attrs[OVPN_A_KEYCONF], attrs, 912 OVPN_A_KEYCONF_CIPHER_ALG) || 913 NL_REQ_ATTR_CHECK(info->extack, info->attrs[OVPN_A_KEYCONF], attrs, 914 OVPN_A_KEYCONF_ENCRYPT_DIR) || 915 NL_REQ_ATTR_CHECK(info->extack, info->attrs[OVPN_A_KEYCONF], attrs, 916 OVPN_A_KEYCONF_DECRYPT_DIR)) 917 return -EINVAL; 918 919 pkr.slot = nla_get_u32(attrs[OVPN_A_KEYCONF_SLOT]); 920 pkr.key.key_id = nla_get_u32(attrs[OVPN_A_KEYCONF_KEY_ID]); 921 pkr.key.cipher_alg = nla_get_u32(attrs[OVPN_A_KEYCONF_CIPHER_ALG]); 922 923 ret = ovpn_nl_get_key_dir(info, attrs[OVPN_A_KEYCONF_ENCRYPT_DIR], 924 pkr.key.cipher_alg, &pkr.key.encrypt); 925 if (ret < 0) 926 return ret; 927 928 ret = ovpn_nl_get_key_dir(info, attrs[OVPN_A_KEYCONF_DECRYPT_DIR], 929 pkr.key.cipher_alg, &pkr.key.decrypt); 930 if (ret < 0) 931 return ret; 932 933 peer_id = nla_get_u32(attrs[OVPN_A_KEYCONF_PEER_ID]); 934 peer = ovpn_peer_get_by_id(ovpn, peer_id); 935 if (!peer) { 936 NL_SET_ERR_MSG_FMT_MOD(info->extack, 937 "no peer with id %u to set key for", 938 peer_id); 939 return -ENOENT; 940 } 941 942 ret = ovpn_crypto_state_reset(&peer->crypto, &pkr); 943 if (ret < 0) { 944 NL_SET_ERR_MSG_FMT_MOD(info->extack, 945 "cannot install new key for peer %u", 946 peer_id); 947 goto out; 948 } 949 950 netdev_dbg(ovpn->dev, "new key installed (id=%u) for peer %u\n", 951 pkr.key.key_id, peer_id); 952 out: 953 ovpn_peer_put(peer); 954 return ret; 955 } 956 957 static int ovpn_nl_send_key(struct sk_buff *skb, const struct genl_info *info, 958 u32 peer_id, enum ovpn_key_slot slot, 959 const struct ovpn_key_config *keyconf) 960 { 961 struct nlattr *attr; 962 void *hdr; 963 964 hdr = genlmsg_put(skb, info->snd_portid, info->snd_seq, &ovpn_nl_family, 965 0, OVPN_CMD_KEY_GET); 966 if (!hdr) 967 return -ENOBUFS; 968 969 attr = nla_nest_start(skb, OVPN_A_KEYCONF); 970 if (!attr) 971 goto err; 972 973 if (nla_put_u32(skb, OVPN_A_KEYCONF_PEER_ID, peer_id)) 974 goto err; 975 976 if (nla_put_u32(skb, OVPN_A_KEYCONF_SLOT, slot) || 977 nla_put_u32(skb, OVPN_A_KEYCONF_KEY_ID, keyconf->key_id) || 978 nla_put_u32(skb, OVPN_A_KEYCONF_CIPHER_ALG, keyconf->cipher_alg)) 979 goto err; 980 981 nla_nest_end(skb, attr); 982 genlmsg_end(skb, hdr); 983 984 return 0; 985 err: 986 genlmsg_cancel(skb, hdr); 987 return -EMSGSIZE; 988 } 989 990 int ovpn_nl_key_get_doit(struct sk_buff *skb, struct genl_info *info) 991 { 992 struct nlattr *attrs[OVPN_A_KEYCONF_MAX + 1]; 993 struct ovpn_priv *ovpn = info->user_ptr[0]; 994 struct ovpn_key_config keyconf = { 0 }; 995 enum ovpn_key_slot slot; 996 struct ovpn_peer *peer; 997 struct sk_buff *msg; 998 u32 peer_id; 999 int ret, i; 1000 1001 if (GENL_REQ_ATTR_CHECK(info, OVPN_A_KEYCONF)) 1002 return -EINVAL; 1003 1004 ret = nla_parse_nested(attrs, OVPN_A_KEYCONF_MAX, 1005 info->attrs[OVPN_A_KEYCONF], 1006 ovpn_keyconf_get_nl_policy, info->extack); 1007 if (ret) 1008 return ret; 1009 1010 if (NL_REQ_ATTR_CHECK(info->extack, info->attrs[OVPN_A_KEYCONF], attrs, 1011 OVPN_A_KEYCONF_PEER_ID)) 1012 return -EINVAL; 1013 1014 if (NL_REQ_ATTR_CHECK(info->extack, info->attrs[OVPN_A_KEYCONF], attrs, 1015 OVPN_A_KEYCONF_SLOT)) 1016 return -EINVAL; 1017 1018 /* OVPN_CMD_KEY_GET expects only the PEER_ID and the SLOT, therefore 1019 * ensure that the user hasn't specified any other attribute. 1020 * 1021 * Unfortunately this check cannot be performed via netlink 1022 * spec/policy and must be open-coded. 1023 */ 1024 for (i = 0; i < OVPN_A_KEYCONF_MAX + 1; i++) { 1025 if (i == OVPN_A_KEYCONF_PEER_ID || 1026 i == OVPN_A_KEYCONF_SLOT) 1027 continue; 1028 1029 if (attrs[i]) { 1030 NL_SET_ERR_MSG_FMT_MOD(info->extack, 1031 "unexpected attribute %u", i); 1032 return -EINVAL; 1033 } 1034 } 1035 1036 peer_id = nla_get_u32(attrs[OVPN_A_KEYCONF_PEER_ID]); 1037 peer = ovpn_peer_get_by_id(ovpn, peer_id); 1038 if (!peer) { 1039 NL_SET_ERR_MSG_FMT_MOD(info->extack, 1040 "cannot find peer with id %u", peer_id); 1041 return -ENOENT; 1042 } 1043 1044 slot = nla_get_u32(attrs[OVPN_A_KEYCONF_SLOT]); 1045 1046 ret = ovpn_crypto_config_get(&peer->crypto, slot, &keyconf); 1047 if (ret < 0) { 1048 NL_SET_ERR_MSG_FMT_MOD(info->extack, 1049 "cannot extract key from slot %u for peer %u", 1050 slot, peer_id); 1051 goto err; 1052 } 1053 1054 msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL); 1055 if (!msg) { 1056 ret = -ENOMEM; 1057 goto err; 1058 } 1059 1060 ret = ovpn_nl_send_key(msg, info, peer->id, slot, &keyconf); 1061 if (ret < 0) { 1062 nlmsg_free(msg); 1063 goto err; 1064 } 1065 1066 ret = genlmsg_reply(msg, info); 1067 err: 1068 ovpn_peer_put(peer); 1069 return ret; 1070 } 1071 1072 int ovpn_nl_key_swap_doit(struct sk_buff *skb, struct genl_info *info) 1073 { 1074 struct nlattr *attrs[OVPN_A_KEYCONF_MAX + 1]; 1075 struct ovpn_priv *ovpn = info->user_ptr[0]; 1076 struct ovpn_peer *peer; 1077 u32 peer_id; 1078 int ret; 1079 1080 if (GENL_REQ_ATTR_CHECK(info, OVPN_A_KEYCONF)) 1081 return -EINVAL; 1082 1083 ret = nla_parse_nested(attrs, OVPN_A_KEYCONF_MAX, 1084 info->attrs[OVPN_A_KEYCONF], 1085 ovpn_keyconf_swap_input_nl_policy, info->extack); 1086 if (ret) 1087 return ret; 1088 1089 if (NL_REQ_ATTR_CHECK(info->extack, info->attrs[OVPN_A_KEYCONF], attrs, 1090 OVPN_A_KEYCONF_PEER_ID)) 1091 return -EINVAL; 1092 1093 peer_id = nla_get_u32(attrs[OVPN_A_KEYCONF_PEER_ID]); 1094 peer = ovpn_peer_get_by_id(ovpn, peer_id); 1095 if (!peer) { 1096 NL_SET_ERR_MSG_FMT_MOD(info->extack, 1097 "no peer with id %u to swap keys for", 1098 peer_id); 1099 return -ENOENT; 1100 } 1101 1102 ovpn_crypto_key_slots_swap(&peer->crypto); 1103 ovpn_peer_put(peer); 1104 1105 return 0; 1106 } 1107 1108 int ovpn_nl_key_del_doit(struct sk_buff *skb, struct genl_info *info) 1109 { 1110 struct nlattr *attrs[OVPN_A_KEYCONF_MAX + 1]; 1111 struct ovpn_priv *ovpn = info->user_ptr[0]; 1112 enum ovpn_key_slot slot; 1113 struct ovpn_peer *peer; 1114 u32 peer_id; 1115 int ret; 1116 1117 if (GENL_REQ_ATTR_CHECK(info, OVPN_A_KEYCONF)) 1118 return -EINVAL; 1119 1120 ret = nla_parse_nested(attrs, OVPN_A_KEYCONF_MAX, 1121 info->attrs[OVPN_A_KEYCONF], 1122 ovpn_keyconf_del_input_nl_policy, info->extack); 1123 if (ret) 1124 return ret; 1125 1126 if (NL_REQ_ATTR_CHECK(info->extack, info->attrs[OVPN_A_KEYCONF], attrs, 1127 OVPN_A_KEYCONF_PEER_ID)) 1128 return -EINVAL; 1129 1130 if (NL_REQ_ATTR_CHECK(info->extack, info->attrs[OVPN_A_KEYCONF], attrs, 1131 OVPN_A_KEYCONF_SLOT)) 1132 return -EINVAL; 1133 1134 peer_id = nla_get_u32(attrs[OVPN_A_KEYCONF_PEER_ID]); 1135 slot = nla_get_u32(attrs[OVPN_A_KEYCONF_SLOT]); 1136 1137 peer = ovpn_peer_get_by_id(ovpn, peer_id); 1138 if (!peer) { 1139 NL_SET_ERR_MSG_FMT_MOD(info->extack, 1140 "no peer with id %u to delete key for", 1141 peer_id); 1142 return -ENOENT; 1143 } 1144 1145 ovpn_crypto_key_slot_delete(&peer->crypto, slot); 1146 ovpn_peer_put(peer); 1147 1148 return 0; 1149 } 1150 1151 /** 1152 * ovpn_nl_peer_del_notify - notify userspace about peer being deleted 1153 * @peer: the peer being deleted 1154 * 1155 * Return: 0 on success or a negative error code otherwise 1156 */ 1157 int ovpn_nl_peer_del_notify(struct ovpn_peer *peer) 1158 { 1159 struct ovpn_socket *sock; 1160 struct sk_buff *msg; 1161 struct nlattr *attr; 1162 int ret = -EMSGSIZE; 1163 void *hdr; 1164 1165 netdev_info(peer->ovpn->dev, "deleting peer with id %u, reason %d\n", 1166 peer->id, peer->delete_reason); 1167 1168 msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_ATOMIC); 1169 if (!msg) 1170 return -ENOMEM; 1171 1172 hdr = genlmsg_put(msg, 0, 0, &ovpn_nl_family, 0, OVPN_CMD_PEER_DEL_NTF); 1173 if (!hdr) { 1174 ret = -ENOBUFS; 1175 goto err_free_msg; 1176 } 1177 1178 if (nla_put_u32(msg, OVPN_A_IFINDEX, peer->ovpn->dev->ifindex)) 1179 goto err_cancel_msg; 1180 1181 attr = nla_nest_start(msg, OVPN_A_PEER); 1182 if (!attr) 1183 goto err_cancel_msg; 1184 1185 if (nla_put_u32(msg, OVPN_A_PEER_DEL_REASON, peer->delete_reason)) 1186 goto err_cancel_msg; 1187 1188 if (nla_put_u32(msg, OVPN_A_PEER_ID, peer->id)) 1189 goto err_cancel_msg; 1190 1191 nla_nest_end(msg, attr); 1192 1193 genlmsg_end(msg, hdr); 1194 1195 rcu_read_lock(); 1196 sock = rcu_dereference(peer->sock); 1197 if (!sock) { 1198 ret = -EINVAL; 1199 goto err_unlock; 1200 } 1201 genlmsg_multicast_netns(&ovpn_nl_family, sock_net(sock->sk), msg, 0, 1202 OVPN_NLGRP_PEERS, GFP_ATOMIC); 1203 rcu_read_unlock(); 1204 1205 return 0; 1206 1207 err_unlock: 1208 rcu_read_unlock(); 1209 err_cancel_msg: 1210 genlmsg_cancel(msg, hdr); 1211 err_free_msg: 1212 nlmsg_free(msg); 1213 return ret; 1214 } 1215 1216 /** 1217 * ovpn_nl_peer_float_notify - notify userspace about peer floating 1218 * @peer: the floated peer 1219 * @ss: sockaddr representing the new remote endpoint 1220 * 1221 * Return: 0 on success or a negative error code otherwise 1222 */ 1223 int ovpn_nl_peer_float_notify(struct ovpn_peer *peer, 1224 const struct sockaddr_storage *ss) 1225 { 1226 struct ovpn_socket *sock; 1227 struct sockaddr_in6 *sa6; 1228 struct sockaddr_in *sa; 1229 struct sk_buff *msg; 1230 struct nlattr *attr; 1231 int ret = -EMSGSIZE; 1232 void *hdr; 1233 1234 msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_ATOMIC); 1235 if (!msg) 1236 return -ENOMEM; 1237 1238 hdr = genlmsg_put(msg, 0, 0, &ovpn_nl_family, 0, 1239 OVPN_CMD_PEER_FLOAT_NTF); 1240 if (!hdr) { 1241 ret = -ENOBUFS; 1242 goto err_free_msg; 1243 } 1244 1245 if (nla_put_u32(msg, OVPN_A_IFINDEX, peer->ovpn->dev->ifindex)) 1246 goto err_cancel_msg; 1247 1248 attr = nla_nest_start(msg, OVPN_A_PEER); 1249 if (!attr) 1250 goto err_cancel_msg; 1251 1252 if (nla_put_u32(msg, OVPN_A_PEER_ID, peer->id)) 1253 goto err_cancel_msg; 1254 1255 if (ss->ss_family == AF_INET) { 1256 sa = (struct sockaddr_in *)ss; 1257 if (nla_put_in_addr(msg, OVPN_A_PEER_REMOTE_IPV4, 1258 sa->sin_addr.s_addr) || 1259 nla_put_net16(msg, OVPN_A_PEER_REMOTE_PORT, sa->sin_port)) 1260 goto err_cancel_msg; 1261 } else if (ss->ss_family == AF_INET6) { 1262 sa6 = (struct sockaddr_in6 *)ss; 1263 if (nla_put_in6_addr(msg, OVPN_A_PEER_REMOTE_IPV6, 1264 &sa6->sin6_addr) || 1265 nla_put_u32(msg, OVPN_A_PEER_REMOTE_IPV6_SCOPE_ID, 1266 sa6->sin6_scope_id) || 1267 nla_put_net16(msg, OVPN_A_PEER_REMOTE_PORT, sa6->sin6_port)) 1268 goto err_cancel_msg; 1269 } else { 1270 ret = -EAFNOSUPPORT; 1271 goto err_cancel_msg; 1272 } 1273 1274 nla_nest_end(msg, attr); 1275 genlmsg_end(msg, hdr); 1276 1277 rcu_read_lock(); 1278 sock = rcu_dereference(peer->sock); 1279 if (!sock) { 1280 ret = -EINVAL; 1281 goto err_unlock; 1282 } 1283 genlmsg_multicast_netns(&ovpn_nl_family, sock_net(sock->sk), msg, 1284 0, OVPN_NLGRP_PEERS, GFP_ATOMIC); 1285 rcu_read_unlock(); 1286 1287 return 0; 1288 1289 err_unlock: 1290 rcu_read_unlock(); 1291 err_cancel_msg: 1292 genlmsg_cancel(msg, hdr); 1293 err_free_msg: 1294 nlmsg_free(msg); 1295 return ret; 1296 } 1297 1298 /** 1299 * ovpn_nl_key_swap_notify - notify userspace peer's key must be renewed 1300 * @peer: the peer whose key needs to be renewed 1301 * @key_id: the ID of the key that needs to be renewed 1302 * 1303 * Return: 0 on success or a negative error code otherwise 1304 */ 1305 int ovpn_nl_key_swap_notify(struct ovpn_peer *peer, u8 key_id) 1306 { 1307 struct ovpn_socket *sock; 1308 struct nlattr *k_attr; 1309 struct sk_buff *msg; 1310 int ret = -EMSGSIZE; 1311 void *hdr; 1312 1313 netdev_info(peer->ovpn->dev, "peer with id %u must rekey - primary key unusable.\n", 1314 peer->id); 1315 1316 msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_ATOMIC); 1317 if (!msg) 1318 return -ENOMEM; 1319 1320 hdr = genlmsg_put(msg, 0, 0, &ovpn_nl_family, 0, OVPN_CMD_KEY_SWAP_NTF); 1321 if (!hdr) { 1322 ret = -ENOBUFS; 1323 goto err_free_msg; 1324 } 1325 1326 if (nla_put_u32(msg, OVPN_A_IFINDEX, peer->ovpn->dev->ifindex)) 1327 goto err_cancel_msg; 1328 1329 k_attr = nla_nest_start(msg, OVPN_A_KEYCONF); 1330 if (!k_attr) 1331 goto err_cancel_msg; 1332 1333 if (nla_put_u32(msg, OVPN_A_KEYCONF_PEER_ID, peer->id)) 1334 goto err_cancel_msg; 1335 1336 if (nla_put_u16(msg, OVPN_A_KEYCONF_KEY_ID, key_id)) 1337 goto err_cancel_msg; 1338 1339 nla_nest_end(msg, k_attr); 1340 genlmsg_end(msg, hdr); 1341 1342 rcu_read_lock(); 1343 sock = rcu_dereference(peer->sock); 1344 if (!sock) { 1345 ret = -EINVAL; 1346 goto err_unlock; 1347 } 1348 genlmsg_multicast_netns(&ovpn_nl_family, sock_net(sock->sk), msg, 0, 1349 OVPN_NLGRP_PEERS, GFP_ATOMIC); 1350 rcu_read_unlock(); 1351 1352 return 0; 1353 err_unlock: 1354 rcu_read_unlock(); 1355 err_cancel_msg: 1356 genlmsg_cancel(msg, hdr); 1357 err_free_msg: 1358 nlmsg_free(msg); 1359 return ret; 1360 } 1361 1362 /** 1363 * ovpn_nl_register - perform any needed registration in the NL subsustem 1364 * 1365 * Return: 0 on success, a negative error code otherwise 1366 */ 1367 int __init ovpn_nl_register(void) 1368 { 1369 int ret = genl_register_family(&ovpn_nl_family); 1370 1371 if (ret) { 1372 pr_err("ovpn: genl_register_family failed: %d\n", ret); 1373 return ret; 1374 } 1375 1376 return 0; 1377 } 1378 1379 /** 1380 * ovpn_nl_unregister - undo any module wide netlink registration 1381 */ 1382 void ovpn_nl_unregister(void) 1383 { 1384 genl_unregister_family(&ovpn_nl_family); 1385 } 1386