1 // SPDX-License-Identifier: GPL-2.0 2 /* OpenVPN data channel offload 3 * 4 * Copyright (C) 2020-2025 OpenVPN, Inc. 5 * 6 * Author: Antonio Quartulli <antonio@openvpn.net> 7 */ 8 9 #include <linux/netdevice.h> 10 #include <linux/types.h> 11 #include <net/genetlink.h> 12 13 #include <uapi/linux/ovpn.h> 14 15 #include "ovpnpriv.h" 16 #include "main.h" 17 #include "netlink.h" 18 #include "netlink-gen.h" 19 #include "bind.h" 20 #include "crypto.h" 21 #include "peer.h" 22 #include "socket.h" 23 24 MODULE_ALIAS_GENL_FAMILY(OVPN_FAMILY_NAME); 25 26 /** 27 * ovpn_get_dev_from_attrs - retrieve the ovpn private data from the netdevice 28 * a netlink message is targeting 29 * @net: network namespace where to look for the interface 30 * @info: generic netlink info from the user request 31 * @tracker: tracker object to be used for the netdev reference acquisition 32 * 33 * Return: the ovpn private data, if found, or an error otherwise 34 */ 35 static struct ovpn_priv * 36 ovpn_get_dev_from_attrs(struct net *net, const struct genl_info *info, 37 netdevice_tracker *tracker) 38 { 39 struct ovpn_priv *ovpn; 40 struct net_device *dev; 41 int ifindex; 42 43 if (GENL_REQ_ATTR_CHECK(info, OVPN_A_IFINDEX)) 44 return ERR_PTR(-EINVAL); 45 46 ifindex = nla_get_u32(info->attrs[OVPN_A_IFINDEX]); 47 48 rcu_read_lock(); 49 dev = dev_get_by_index_rcu(net, ifindex); 50 if (!dev) { 51 rcu_read_unlock(); 52 NL_SET_ERR_MSG_MOD(info->extack, 53 "ifindex does not match any interface"); 54 return ERR_PTR(-ENODEV); 55 } 56 57 if (!ovpn_dev_is_valid(dev)) { 58 rcu_read_unlock(); 59 NL_SET_ERR_MSG_MOD(info->extack, 60 "specified interface is not ovpn"); 61 NL_SET_BAD_ATTR(info->extack, info->attrs[OVPN_A_IFINDEX]); 62 return ERR_PTR(-EINVAL); 63 } 64 65 ovpn = netdev_priv(dev); 66 netdev_hold(dev, tracker, GFP_ATOMIC); 67 rcu_read_unlock(); 68 69 return ovpn; 70 } 71 72 int ovpn_nl_pre_doit(const struct genl_split_ops *ops, struct sk_buff *skb, 73 struct genl_info *info) 74 { 75 netdevice_tracker *tracker = (netdevice_tracker *)&info->user_ptr[1]; 76 struct ovpn_priv *ovpn = ovpn_get_dev_from_attrs(genl_info_net(info), 77 info, tracker); 78 79 if (IS_ERR(ovpn)) 80 return PTR_ERR(ovpn); 81 82 info->user_ptr[0] = ovpn; 83 84 return 0; 85 } 86 87 void ovpn_nl_post_doit(const struct genl_split_ops *ops, struct sk_buff *skb, 88 struct genl_info *info) 89 { 90 netdevice_tracker *tracker = (netdevice_tracker *)&info->user_ptr[1]; 91 struct ovpn_priv *ovpn = info->user_ptr[0]; 92 93 if (ovpn) 94 netdev_put(ovpn->dev, tracker); 95 } 96 97 static bool ovpn_nl_attr_sockaddr_remote(struct nlattr **attrs, 98 struct sockaddr_storage *ss) 99 { 100 struct sockaddr_in6 *sin6; 101 struct sockaddr_in *sin; 102 struct in6_addr *in6; 103 __be16 port = 0; 104 __be32 *in; 105 106 ss->ss_family = AF_UNSPEC; 107 108 if (attrs[OVPN_A_PEER_REMOTE_PORT]) 109 port = nla_get_be16(attrs[OVPN_A_PEER_REMOTE_PORT]); 110 111 if (attrs[OVPN_A_PEER_REMOTE_IPV4]) { 112 ss->ss_family = AF_INET; 113 in = nla_data(attrs[OVPN_A_PEER_REMOTE_IPV4]); 114 } else if (attrs[OVPN_A_PEER_REMOTE_IPV6]) { 115 ss->ss_family = AF_INET6; 116 in6 = nla_data(attrs[OVPN_A_PEER_REMOTE_IPV6]); 117 } else { 118 return false; 119 } 120 121 switch (ss->ss_family) { 122 case AF_INET6: 123 /* If this is a regular IPv6 just break and move on, 124 * otherwise switch to AF_INET and extract the IPv4 accordingly 125 */ 126 if (!ipv6_addr_v4mapped(in6)) { 127 sin6 = (struct sockaddr_in6 *)ss; 128 sin6->sin6_port = port; 129 memcpy(&sin6->sin6_addr, in6, sizeof(*in6)); 130 break; 131 } 132 133 /* v4-mapped-v6 address */ 134 ss->ss_family = AF_INET; 135 in = &in6->s6_addr32[3]; 136 fallthrough; 137 case AF_INET: 138 sin = (struct sockaddr_in *)ss; 139 sin->sin_port = port; 140 sin->sin_addr.s_addr = *in; 141 break; 142 } 143 144 return true; 145 } 146 147 static u8 *ovpn_nl_attr_local_ip(struct nlattr **attrs) 148 { 149 u8 *addr6; 150 151 if (!attrs[OVPN_A_PEER_LOCAL_IPV4] && !attrs[OVPN_A_PEER_LOCAL_IPV6]) 152 return NULL; 153 154 if (attrs[OVPN_A_PEER_LOCAL_IPV4]) 155 return nla_data(attrs[OVPN_A_PEER_LOCAL_IPV4]); 156 157 addr6 = nla_data(attrs[OVPN_A_PEER_LOCAL_IPV6]); 158 /* this is an IPv4-mapped IPv6 address, therefore extract the actual 159 * v4 address from the last 4 bytes 160 */ 161 if (ipv6_addr_v4mapped((struct in6_addr *)addr6)) 162 return addr6 + 12; 163 164 return addr6; 165 } 166 167 static sa_family_t ovpn_nl_family_get(struct nlattr *addr4, 168 struct nlattr *addr6) 169 { 170 if (addr4) 171 return AF_INET; 172 173 if (addr6) { 174 if (ipv6_addr_v4mapped((struct in6_addr *)nla_data(addr6))) 175 return AF_INET; 176 return AF_INET6; 177 } 178 179 return AF_UNSPEC; 180 } 181 182 static int ovpn_nl_peer_precheck(struct ovpn_priv *ovpn, 183 struct genl_info *info, 184 struct nlattr **attrs) 185 { 186 sa_family_t local_fam, remote_fam; 187 188 if (NL_REQ_ATTR_CHECK(info->extack, info->attrs[OVPN_A_PEER], attrs, 189 OVPN_A_PEER_ID)) 190 return -EINVAL; 191 192 if (attrs[OVPN_A_PEER_REMOTE_IPV4] && attrs[OVPN_A_PEER_REMOTE_IPV6]) { 193 NL_SET_ERR_MSG_MOD(info->extack, 194 "cannot specify both remote IPv4 or IPv6 address"); 195 return -EINVAL; 196 } 197 198 if (!attrs[OVPN_A_PEER_REMOTE_IPV4] && 199 !attrs[OVPN_A_PEER_REMOTE_IPV6] && attrs[OVPN_A_PEER_REMOTE_PORT]) { 200 NL_SET_ERR_MSG_MOD(info->extack, 201 "cannot specify remote port without IP address"); 202 return -EINVAL; 203 } 204 205 if ((attrs[OVPN_A_PEER_REMOTE_IPV4] || 206 attrs[OVPN_A_PEER_REMOTE_IPV6]) && 207 !attrs[OVPN_A_PEER_REMOTE_PORT]) { 208 NL_SET_ERR_MSG_MOD(info->extack, 209 "cannot specify remote IP address without port"); 210 return -EINVAL; 211 } 212 213 if (!attrs[OVPN_A_PEER_REMOTE_IPV4] && 214 attrs[OVPN_A_PEER_LOCAL_IPV4]) { 215 NL_SET_ERR_MSG_MOD(info->extack, 216 "cannot specify local IPv4 address without remote"); 217 return -EINVAL; 218 } 219 220 if (!attrs[OVPN_A_PEER_REMOTE_IPV6] && 221 attrs[OVPN_A_PEER_LOCAL_IPV6]) { 222 NL_SET_ERR_MSG_MOD(info->extack, 223 "cannot specify local IPV6 address without remote"); 224 return -EINVAL; 225 } 226 227 /* check that local and remote address families are the same even 228 * after parsing v4mapped IPv6 addresses. 229 * (if addresses are not provided, family will be AF_UNSPEC and 230 * the check is skipped) 231 */ 232 local_fam = ovpn_nl_family_get(attrs[OVPN_A_PEER_LOCAL_IPV4], 233 attrs[OVPN_A_PEER_LOCAL_IPV6]); 234 remote_fam = ovpn_nl_family_get(attrs[OVPN_A_PEER_REMOTE_IPV4], 235 attrs[OVPN_A_PEER_REMOTE_IPV6]); 236 if (local_fam != AF_UNSPEC && remote_fam != AF_UNSPEC && 237 local_fam != remote_fam) { 238 NL_SET_ERR_MSG_MOD(info->extack, 239 "mismatching local and remote address families"); 240 return -EINVAL; 241 } 242 243 if (remote_fam != AF_INET6 && attrs[OVPN_A_PEER_REMOTE_IPV6_SCOPE_ID]) { 244 NL_SET_ERR_MSG_MOD(info->extack, 245 "cannot specify scope id without remote IPv6 address"); 246 return -EINVAL; 247 } 248 249 /* VPN IPs are needed only in MP mode for selecting the right peer */ 250 if (ovpn->mode == OVPN_MODE_P2P && (attrs[OVPN_A_PEER_VPN_IPV4] || 251 attrs[OVPN_A_PEER_VPN_IPV6])) { 252 NL_SET_ERR_MSG_FMT_MOD(info->extack, 253 "unexpected VPN IP in P2P mode"); 254 return -EINVAL; 255 } 256 257 if ((attrs[OVPN_A_PEER_KEEPALIVE_INTERVAL] && 258 !attrs[OVPN_A_PEER_KEEPALIVE_TIMEOUT]) || 259 (!attrs[OVPN_A_PEER_KEEPALIVE_INTERVAL] && 260 attrs[OVPN_A_PEER_KEEPALIVE_TIMEOUT])) { 261 NL_SET_ERR_MSG_FMT_MOD(info->extack, 262 "keepalive interval and timeout are required together"); 263 return -EINVAL; 264 } 265 266 return 0; 267 } 268 269 /** 270 * ovpn_nl_peer_modify - modify the peer attributes according to the incoming msg 271 * @peer: the peer to modify 272 * @info: generic netlink info from the user request 273 * @attrs: the attributes from the user request 274 * 275 * Return: a negative error code in case of failure, 0 on success or 1 on 276 * success and the VPN IPs have been modified (requires rehashing in MP 277 * mode) 278 */ 279 static int ovpn_nl_peer_modify(struct ovpn_peer *peer, struct genl_info *info, 280 struct nlattr **attrs) 281 { 282 struct sockaddr_storage ss = {}; 283 void *local_ip = NULL; 284 u32 interv, timeout; 285 bool rehash = false; 286 int ret; 287 288 spin_lock_bh(&peer->lock); 289 290 if (ovpn_nl_attr_sockaddr_remote(attrs, &ss)) { 291 /* we carry the local IP in a generic container. 292 * ovpn_peer_reset_sockaddr() will properly interpret it 293 * based on ss.ss_family 294 */ 295 local_ip = ovpn_nl_attr_local_ip(attrs); 296 297 /* set peer sockaddr */ 298 ret = ovpn_peer_reset_sockaddr(peer, &ss, local_ip); 299 if (ret < 0) { 300 NL_SET_ERR_MSG_FMT_MOD(info->extack, 301 "cannot set peer sockaddr: %d", 302 ret); 303 goto err_unlock; 304 } 305 dst_cache_reset(&peer->dst_cache); 306 } 307 308 /* In a multipeer-to-multipeer setup we may have asymmetric peer IDs, 309 * that is peer->id might be different from peer->tx_id. 310 */ 311 if (attrs[OVPN_A_PEER_TX_ID]) 312 peer->tx_id = nla_get_u32(attrs[OVPN_A_PEER_TX_ID]); 313 314 if (attrs[OVPN_A_PEER_VPN_IPV4]) { 315 rehash = true; 316 peer->vpn_addrs.ipv4.s_addr = 317 nla_get_in_addr(attrs[OVPN_A_PEER_VPN_IPV4]); 318 } 319 320 if (attrs[OVPN_A_PEER_VPN_IPV6]) { 321 rehash = true; 322 peer->vpn_addrs.ipv6 = 323 nla_get_in6_addr(attrs[OVPN_A_PEER_VPN_IPV6]); 324 } 325 326 /* when setting the keepalive, both parameters have to be configured */ 327 if (attrs[OVPN_A_PEER_KEEPALIVE_INTERVAL] && 328 attrs[OVPN_A_PEER_KEEPALIVE_TIMEOUT]) { 329 interv = nla_get_u32(attrs[OVPN_A_PEER_KEEPALIVE_INTERVAL]); 330 timeout = nla_get_u32(attrs[OVPN_A_PEER_KEEPALIVE_TIMEOUT]); 331 ovpn_peer_keepalive_set(peer, interv, timeout); 332 } 333 334 netdev_dbg(peer->ovpn->dev, 335 "modify peer id=%u tx_id=%u endpoint=%pIScp VPN-IPv4=%pI4 VPN-IPv6=%pI6c\n", 336 peer->id, peer->tx_id, &ss, 337 &peer->vpn_addrs.ipv4.s_addr, &peer->vpn_addrs.ipv6); 338 339 spin_unlock_bh(&peer->lock); 340 341 return rehash ? 1 : 0; 342 err_unlock: 343 spin_unlock_bh(&peer->lock); 344 return ret; 345 } 346 347 int ovpn_nl_peer_new_doit(struct sk_buff *skb, struct genl_info *info) 348 { 349 struct nlattr *attrs[OVPN_A_PEER_MAX + 1]; 350 struct ovpn_priv *ovpn = info->user_ptr[0]; 351 struct ovpn_socket *ovpn_sock; 352 struct socket *sock = NULL; 353 struct ovpn_peer *peer; 354 u32 sockfd, peer_id; 355 int ret; 356 357 if (GENL_REQ_ATTR_CHECK(info, OVPN_A_PEER)) 358 return -EINVAL; 359 360 ret = nla_parse_nested(attrs, OVPN_A_PEER_MAX, info->attrs[OVPN_A_PEER], 361 ovpn_peer_new_input_nl_policy, info->extack); 362 if (ret) 363 return ret; 364 365 ret = ovpn_nl_peer_precheck(ovpn, info, attrs); 366 if (ret < 0) 367 return ret; 368 369 if (NL_REQ_ATTR_CHECK(info->extack, info->attrs[OVPN_A_PEER], attrs, 370 OVPN_A_PEER_SOCKET)) 371 return -EINVAL; 372 373 /* in MP mode VPN IPs are required for selecting the right peer */ 374 if (ovpn->mode == OVPN_MODE_MP && !attrs[OVPN_A_PEER_VPN_IPV4] && 375 !attrs[OVPN_A_PEER_VPN_IPV6]) { 376 NL_SET_ERR_MSG_FMT_MOD(info->extack, 377 "VPN IP must be provided in MP mode"); 378 return -EINVAL; 379 } 380 381 peer_id = nla_get_u32(attrs[OVPN_A_PEER_ID]); 382 383 peer = ovpn_peer_new(ovpn, peer_id); 384 if (IS_ERR(peer)) { 385 NL_SET_ERR_MSG_FMT_MOD(info->extack, 386 "cannot create new peer object for peer %u: %ld", 387 peer_id, PTR_ERR(peer)); 388 return PTR_ERR(peer); 389 } 390 391 /* lookup the fd in the kernel table and extract the socket object */ 392 sockfd = nla_get_u32(attrs[OVPN_A_PEER_SOCKET]); 393 /* sockfd_lookup() increases sock's refcounter */ 394 sock = sockfd_lookup(sockfd, &ret); 395 if (!sock) { 396 NL_SET_ERR_MSG_FMT_MOD(info->extack, 397 "cannot lookup peer socket (fd=%u): %d", 398 sockfd, ret); 399 ret = -ENOTSOCK; 400 goto peer_release; 401 } 402 403 /* Only when using UDP as transport protocol the remote endpoint 404 * can be configured so that ovpn knows where to send packets to. 405 */ 406 if (sock->sk->sk_protocol == IPPROTO_UDP && 407 !attrs[OVPN_A_PEER_REMOTE_IPV4] && 408 !attrs[OVPN_A_PEER_REMOTE_IPV6]) { 409 NL_SET_ERR_MSG_FMT_MOD(info->extack, 410 "missing remote IP address for UDP socket"); 411 sockfd_put(sock); 412 ret = -EINVAL; 413 goto peer_release; 414 } 415 416 /* In case of TCP, the socket is connected to the peer and ovpn 417 * will just send bytes over it, without the need to specify a 418 * destination. 419 */ 420 if (sock->sk->sk_protocol == IPPROTO_TCP && 421 (attrs[OVPN_A_PEER_REMOTE_IPV4] || 422 attrs[OVPN_A_PEER_REMOTE_IPV6])) { 423 NL_SET_ERR_MSG_FMT_MOD(info->extack, 424 "unexpected remote IP address with TCP socket"); 425 sockfd_put(sock); 426 ret = -EINVAL; 427 goto peer_release; 428 } 429 430 ovpn_sock = ovpn_socket_new(sock, peer); 431 /* at this point we unconditionally drop the reference to the socket: 432 * - in case of error, the socket has to be dropped 433 * - if case of success, the socket is configured and let 434 * userspace own the reference, so that the latter can 435 * trigger the final close() 436 */ 437 sockfd_put(sock); 438 if (IS_ERR(ovpn_sock)) { 439 NL_SET_ERR_MSG_FMT_MOD(info->extack, 440 "cannot encapsulate socket: %ld", 441 PTR_ERR(ovpn_sock)); 442 ret = -ENOTSOCK; 443 goto peer_release; 444 } 445 446 rcu_assign_pointer(peer->sock, ovpn_sock); 447 448 ret = ovpn_nl_peer_modify(peer, info, attrs); 449 if (ret < 0) 450 goto sock_release; 451 452 ret = ovpn_peer_add(ovpn, peer); 453 if (ret < 0) { 454 NL_SET_ERR_MSG_FMT_MOD(info->extack, 455 "cannot add new peer (id=%u) to hashtable: %d", 456 peer->id, ret); 457 goto sock_release; 458 } 459 460 return 0; 461 462 sock_release: 463 ovpn_socket_release(peer); 464 peer_release: 465 /* For UDP, the peer is unreachable until added to the hashtables, so 466 * dropping the initial reference is enough. For TCP, the peer may be 467 * concurrently reachable via sk_user_data->peer until 468 * ovpn_socket_release() detaches; rely on the refcount. 469 */ 470 ovpn_peer_put(peer); 471 472 return ret; 473 } 474 475 int ovpn_nl_peer_set_doit(struct sk_buff *skb, struct genl_info *info) 476 { 477 struct nlattr *attrs[OVPN_A_PEER_MAX + 1]; 478 struct ovpn_priv *ovpn = info->user_ptr[0]; 479 struct ovpn_socket *sock; 480 struct ovpn_peer *peer; 481 u32 peer_id; 482 int ret; 483 484 if (GENL_REQ_ATTR_CHECK(info, OVPN_A_PEER)) 485 return -EINVAL; 486 487 ret = nla_parse_nested(attrs, OVPN_A_PEER_MAX, info->attrs[OVPN_A_PEER], 488 ovpn_peer_set_input_nl_policy, info->extack); 489 if (ret) 490 return ret; 491 492 ret = ovpn_nl_peer_precheck(ovpn, info, attrs); 493 if (ret < 0) 494 return ret; 495 496 if (attrs[OVPN_A_PEER_SOCKET]) { 497 NL_SET_ERR_MSG_FMT_MOD(info->extack, 498 "socket cannot be modified"); 499 return -EINVAL; 500 } 501 502 peer_id = nla_get_u32(attrs[OVPN_A_PEER_ID]); 503 peer = ovpn_peer_get_by_id(ovpn, peer_id); 504 if (!peer) { 505 NL_SET_ERR_MSG_FMT_MOD(info->extack, 506 "cannot find peer with id %u", peer_id); 507 return -ENOENT; 508 } 509 510 /* when using a TCP socket the remote IP is not expected */ 511 rcu_read_lock(); 512 sock = rcu_dereference(peer->sock); 513 if (sock && sock->sk->sk_protocol == IPPROTO_TCP && 514 (attrs[OVPN_A_PEER_REMOTE_IPV4] || 515 attrs[OVPN_A_PEER_REMOTE_IPV6])) { 516 rcu_read_unlock(); 517 NL_SET_ERR_MSG_FMT_MOD(info->extack, 518 "unexpected remote IP address with TCP socket"); 519 ovpn_peer_put(peer); 520 return -EINVAL; 521 } 522 rcu_read_unlock(); 523 524 spin_lock_bh(&ovpn->lock); 525 ret = ovpn_nl_peer_modify(peer, info, attrs); 526 if (ret < 0) { 527 spin_unlock_bh(&ovpn->lock); 528 ovpn_peer_put(peer); 529 return ret; 530 } 531 532 /* ret == 1 means that VPN IPv4/6 has been modified and rehashing 533 * is required 534 */ 535 if (ret > 0) 536 ovpn_peer_hash_vpn_ip(peer); 537 spin_unlock_bh(&ovpn->lock); 538 ovpn_peer_put(peer); 539 540 return 0; 541 } 542 543 static int ovpn_nl_send_peer(struct sk_buff *skb, const struct genl_info *info, 544 const struct ovpn_peer *peer, u32 portid, u32 seq, 545 int flags) 546 { 547 const struct ovpn_bind *bind; 548 struct ovpn_socket *sock; 549 int ret = -EMSGSIZE; 550 struct nlattr *attr; 551 __be16 local_port; 552 void *hdr; 553 int id; 554 555 hdr = genlmsg_put(skb, portid, seq, &ovpn_nl_family, flags, 556 OVPN_CMD_PEER_GET); 557 if (!hdr) 558 return -ENOBUFS; 559 560 attr = nla_nest_start(skb, OVPN_A_PEER); 561 if (!attr) 562 goto err; 563 564 rcu_read_lock(); 565 sock = rcu_dereference(peer->sock); 566 if (!sock) { 567 ret = -EINVAL; 568 goto err_unlock; 569 } 570 571 if (!net_eq(genl_info_net(info), sock_net(sock->sk))) { 572 id = peernet2id_alloc(genl_info_net(info), 573 sock_net(sock->sk), 574 GFP_ATOMIC); 575 if (nla_put_s32(skb, OVPN_A_PEER_SOCKET_NETNSID, id)) 576 goto err_unlock; 577 } 578 local_port = inet_sk(sock->sk)->inet_sport; 579 rcu_read_unlock(); 580 581 if (nla_put_u32(skb, OVPN_A_PEER_ID, peer->id)) 582 goto err; 583 584 if (nla_put_u32(skb, OVPN_A_PEER_TX_ID, peer->tx_id)) 585 goto err; 586 587 if (peer->vpn_addrs.ipv4.s_addr != htonl(INADDR_ANY)) 588 if (nla_put_in_addr(skb, OVPN_A_PEER_VPN_IPV4, 589 peer->vpn_addrs.ipv4.s_addr)) 590 goto err; 591 592 if (!ipv6_addr_equal(&peer->vpn_addrs.ipv6, &in6addr_any)) 593 if (nla_put_in6_addr(skb, OVPN_A_PEER_VPN_IPV6, 594 &peer->vpn_addrs.ipv6)) 595 goto err; 596 597 if (nla_put_u32(skb, OVPN_A_PEER_KEEPALIVE_INTERVAL, 598 peer->keepalive_interval) || 599 nla_put_u32(skb, OVPN_A_PEER_KEEPALIVE_TIMEOUT, 600 peer->keepalive_timeout)) 601 goto err; 602 603 rcu_read_lock(); 604 bind = rcu_dereference(peer->bind); 605 if (bind) { 606 if (bind->remote.in4.sin_family == AF_INET) { 607 if (nla_put_in_addr(skb, OVPN_A_PEER_REMOTE_IPV4, 608 bind->remote.in4.sin_addr.s_addr) || 609 nla_put_net16(skb, OVPN_A_PEER_REMOTE_PORT, 610 bind->remote.in4.sin_port) || 611 nla_put_in_addr(skb, OVPN_A_PEER_LOCAL_IPV4, 612 bind->local.ipv4.s_addr)) 613 goto err_unlock; 614 } else if (bind->remote.in4.sin_family == AF_INET6) { 615 if (nla_put_in6_addr(skb, OVPN_A_PEER_REMOTE_IPV6, 616 &bind->remote.in6.sin6_addr) || 617 nla_put_u32(skb, OVPN_A_PEER_REMOTE_IPV6_SCOPE_ID, 618 bind->remote.in6.sin6_scope_id) || 619 nla_put_net16(skb, OVPN_A_PEER_REMOTE_PORT, 620 bind->remote.in6.sin6_port) || 621 nla_put_in6_addr(skb, OVPN_A_PEER_LOCAL_IPV6, 622 &bind->local.ipv6)) 623 goto err_unlock; 624 } 625 } 626 rcu_read_unlock(); 627 628 if (nla_put_net16(skb, OVPN_A_PEER_LOCAL_PORT, local_port) || 629 /* VPN RX stats */ 630 nla_put_uint(skb, OVPN_A_PEER_VPN_RX_BYTES, 631 atomic64_read(&peer->vpn_stats.rx.bytes)) || 632 nla_put_uint(skb, OVPN_A_PEER_VPN_RX_PACKETS, 633 atomic64_read(&peer->vpn_stats.rx.packets)) || 634 /* VPN TX stats */ 635 nla_put_uint(skb, OVPN_A_PEER_VPN_TX_BYTES, 636 atomic64_read(&peer->vpn_stats.tx.bytes)) || 637 nla_put_uint(skb, OVPN_A_PEER_VPN_TX_PACKETS, 638 atomic64_read(&peer->vpn_stats.tx.packets)) || 639 /* link RX stats */ 640 nla_put_uint(skb, OVPN_A_PEER_LINK_RX_BYTES, 641 atomic64_read(&peer->link_stats.rx.bytes)) || 642 nla_put_uint(skb, OVPN_A_PEER_LINK_RX_PACKETS, 643 atomic64_read(&peer->link_stats.rx.packets)) || 644 /* link TX stats */ 645 nla_put_uint(skb, OVPN_A_PEER_LINK_TX_BYTES, 646 atomic64_read(&peer->link_stats.tx.bytes)) || 647 nla_put_uint(skb, OVPN_A_PEER_LINK_TX_PACKETS, 648 atomic64_read(&peer->link_stats.tx.packets))) 649 goto err; 650 651 nla_nest_end(skb, attr); 652 genlmsg_end(skb, hdr); 653 654 return 0; 655 err_unlock: 656 rcu_read_unlock(); 657 err: 658 genlmsg_cancel(skb, hdr); 659 return ret; 660 } 661 662 int ovpn_nl_peer_get_doit(struct sk_buff *skb, struct genl_info *info) 663 { 664 struct nlattr *attrs[OVPN_A_PEER_MAX + 1]; 665 struct ovpn_priv *ovpn = info->user_ptr[0]; 666 struct ovpn_peer *peer; 667 struct sk_buff *msg; 668 u32 peer_id; 669 int ret, i; 670 671 if (GENL_REQ_ATTR_CHECK(info, OVPN_A_PEER)) 672 return -EINVAL; 673 674 ret = nla_parse_nested(attrs, OVPN_A_PEER_MAX, info->attrs[OVPN_A_PEER], 675 ovpn_peer_nl_policy, info->extack); 676 if (ret) 677 return ret; 678 679 if (NL_REQ_ATTR_CHECK(info->extack, info->attrs[OVPN_A_PEER], attrs, 680 OVPN_A_PEER_ID)) 681 return -EINVAL; 682 683 /* OVPN_CMD_PEER_GET expects only the PEER_ID, therefore 684 * ensure that the user hasn't specified any other attribute. 685 * 686 * Unfortunately this check cannot be performed via netlink 687 * spec/policy and must be open-coded. 688 */ 689 for (i = 0; i < OVPN_A_PEER_MAX + 1; i++) { 690 if (i == OVPN_A_PEER_ID) 691 continue; 692 693 if (attrs[i]) { 694 NL_SET_ERR_MSG_FMT_MOD(info->extack, 695 "unexpected attribute %u", i); 696 return -EINVAL; 697 } 698 } 699 700 peer_id = nla_get_u32(attrs[OVPN_A_PEER_ID]); 701 peer = ovpn_peer_get_by_id(ovpn, peer_id); 702 if (!peer) { 703 NL_SET_ERR_MSG_FMT_MOD(info->extack, 704 "cannot find peer with id %u", peer_id); 705 return -ENOENT; 706 } 707 708 msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL); 709 if (!msg) { 710 ret = -ENOMEM; 711 goto err; 712 } 713 714 ret = ovpn_nl_send_peer(msg, info, peer, info->snd_portid, 715 info->snd_seq, 0); 716 if (ret < 0) { 717 nlmsg_free(msg); 718 goto err; 719 } 720 721 ret = genlmsg_reply(msg, info); 722 err: 723 ovpn_peer_put(peer); 724 return ret; 725 } 726 727 int ovpn_nl_peer_get_dumpit(struct sk_buff *skb, struct netlink_callback *cb) 728 { 729 const struct genl_info *info = genl_info_dump(cb); 730 int bkt, last_idx = cb->args[1], dumped = 0; 731 netdevice_tracker tracker; 732 struct ovpn_priv *ovpn; 733 struct ovpn_peer *peer; 734 735 ovpn = ovpn_get_dev_from_attrs(sock_net(cb->skb->sk), info, &tracker); 736 if (IS_ERR(ovpn)) 737 return PTR_ERR(ovpn); 738 739 if (ovpn->mode == OVPN_MODE_P2P) { 740 /* if we already dumped a peer it means we are done */ 741 if (last_idx) 742 goto out; 743 744 rcu_read_lock(); 745 peer = rcu_dereference(ovpn->peer); 746 if (peer) { 747 if (ovpn_nl_send_peer(skb, info, peer, 748 NETLINK_CB(cb->skb).portid, 749 cb->nlh->nlmsg_seq, 750 NLM_F_MULTI) == 0) 751 dumped++; 752 } 753 rcu_read_unlock(); 754 } else { 755 rcu_read_lock(); 756 hash_for_each_rcu(ovpn->peers->by_id, bkt, peer, 757 hash_entry_id) { 758 /* skip already dumped peers that were dumped by 759 * previous invocations 760 */ 761 if (last_idx > 0) { 762 last_idx--; 763 continue; 764 } 765 766 if (ovpn_nl_send_peer(skb, info, peer, 767 NETLINK_CB(cb->skb).portid, 768 cb->nlh->nlmsg_seq, 769 NLM_F_MULTI) < 0) 770 break; 771 772 /* count peers being dumped during this invocation */ 773 dumped++; 774 } 775 rcu_read_unlock(); 776 } 777 778 out: 779 netdev_put(ovpn->dev, &tracker); 780 781 /* sum up peers dumped in this message, so that at the next invocation 782 * we can continue from where we left 783 */ 784 cb->args[1] += dumped; 785 return skb->len; 786 } 787 788 int ovpn_nl_peer_del_doit(struct sk_buff *skb, struct genl_info *info) 789 { 790 struct nlattr *attrs[OVPN_A_PEER_MAX + 1]; 791 struct ovpn_priv *ovpn = info->user_ptr[0]; 792 struct ovpn_peer *peer; 793 u32 peer_id; 794 int ret; 795 796 if (GENL_REQ_ATTR_CHECK(info, OVPN_A_PEER)) 797 return -EINVAL; 798 799 ret = nla_parse_nested(attrs, OVPN_A_PEER_MAX, info->attrs[OVPN_A_PEER], 800 ovpn_peer_del_input_nl_policy, info->extack); 801 if (ret) 802 return ret; 803 804 if (NL_REQ_ATTR_CHECK(info->extack, info->attrs[OVPN_A_PEER], attrs, 805 OVPN_A_PEER_ID)) 806 return -EINVAL; 807 808 peer_id = nla_get_u32(attrs[OVPN_A_PEER_ID]); 809 peer = ovpn_peer_get_by_id(ovpn, peer_id); 810 if (!peer) { 811 NL_SET_ERR_MSG_FMT_MOD(info->extack, 812 "cannot find peer with id %u", peer_id); 813 return -ENOENT; 814 } 815 816 netdev_dbg(ovpn->dev, "del peer %u\n", peer->id); 817 ret = ovpn_peer_del(peer, OVPN_DEL_PEER_REASON_USERSPACE); 818 ovpn_peer_put(peer); 819 820 return ret; 821 } 822 823 static int ovpn_nl_get_key_dir(struct genl_info *info, struct nlattr *key, 824 enum ovpn_cipher_alg cipher, 825 struct ovpn_key_direction *dir) 826 { 827 struct nlattr *attrs[OVPN_A_KEYDIR_MAX + 1]; 828 int ret; 829 830 ret = nla_parse_nested(attrs, OVPN_A_KEYDIR_MAX, key, 831 ovpn_keydir_nl_policy, info->extack); 832 if (ret) 833 return ret; 834 835 switch (cipher) { 836 case OVPN_CIPHER_ALG_AES_GCM: 837 case OVPN_CIPHER_ALG_CHACHA20_POLY1305: 838 if (NL_REQ_ATTR_CHECK(info->extack, key, attrs, 839 OVPN_A_KEYDIR_CIPHER_KEY) || 840 NL_REQ_ATTR_CHECK(info->extack, key, attrs, 841 OVPN_A_KEYDIR_NONCE_TAIL)) 842 return -EINVAL; 843 844 dir->cipher_key = nla_data(attrs[OVPN_A_KEYDIR_CIPHER_KEY]); 845 dir->cipher_key_size = nla_len(attrs[OVPN_A_KEYDIR_CIPHER_KEY]); 846 847 /* These algorithms require a 96bit nonce, 848 * Construct it by combining 4-bytes packet id and 849 * 8-bytes nonce-tail from userspace 850 */ 851 dir->nonce_tail = nla_data(attrs[OVPN_A_KEYDIR_NONCE_TAIL]); 852 dir->nonce_tail_size = nla_len(attrs[OVPN_A_KEYDIR_NONCE_TAIL]); 853 break; 854 default: 855 NL_SET_ERR_MSG_MOD(info->extack, "unsupported cipher"); 856 return -EINVAL; 857 } 858 859 return 0; 860 } 861 862 /** 863 * ovpn_nl_key_new_doit - configure a new key for the specified peer 864 * @skb: incoming netlink message 865 * @info: genetlink metadata 866 * 867 * This function allows the user to install a new key in the peer crypto 868 * state. 869 * Each peer has two 'slots', namely 'primary' and 'secondary', where 870 * keys can be installed. The key in the 'primary' slot is used for 871 * encryption, while both keys can be used for decryption by matching the 872 * key ID carried in the incoming packet. 873 * 874 * The user is responsible for rotating keys when necessary. The user 875 * may fetch peer traffic statistics via netlink in order to better 876 * identify the right time to rotate keys. 877 * The renegotiation follows these steps: 878 * 1. a new key is computed by the user and is installed in the 'secondary' 879 * slot 880 * 2. at user discretion (usually after a predetermined time) 'primary' and 881 * 'secondary' contents are swapped and the new key starts being used for 882 * encryption, while the old key is kept around for decryption of late 883 * packets. 884 * 885 * Return: 0 on success or a negative error code otherwise. 886 */ 887 int ovpn_nl_key_new_doit(struct sk_buff *skb, struct genl_info *info) 888 { 889 struct nlattr *attrs[OVPN_A_KEYCONF_MAX + 1]; 890 struct ovpn_priv *ovpn = info->user_ptr[0]; 891 struct ovpn_peer_key_reset pkr; 892 struct ovpn_peer *peer; 893 u32 peer_id; 894 int ret; 895 896 if (GENL_REQ_ATTR_CHECK(info, OVPN_A_KEYCONF)) 897 return -EINVAL; 898 899 ret = nla_parse_nested(attrs, OVPN_A_KEYCONF_MAX, 900 info->attrs[OVPN_A_KEYCONF], 901 ovpn_keyconf_nl_policy, info->extack); 902 if (ret) 903 return ret; 904 905 if (NL_REQ_ATTR_CHECK(info->extack, info->attrs[OVPN_A_KEYCONF], attrs, 906 OVPN_A_KEYCONF_PEER_ID)) 907 return -EINVAL; 908 909 if (NL_REQ_ATTR_CHECK(info->extack, info->attrs[OVPN_A_KEYCONF], attrs, 910 OVPN_A_KEYCONF_SLOT) || 911 NL_REQ_ATTR_CHECK(info->extack, info->attrs[OVPN_A_KEYCONF], attrs, 912 OVPN_A_KEYCONF_KEY_ID) || 913 NL_REQ_ATTR_CHECK(info->extack, info->attrs[OVPN_A_KEYCONF], attrs, 914 OVPN_A_KEYCONF_CIPHER_ALG) || 915 NL_REQ_ATTR_CHECK(info->extack, info->attrs[OVPN_A_KEYCONF], attrs, 916 OVPN_A_KEYCONF_ENCRYPT_DIR) || 917 NL_REQ_ATTR_CHECK(info->extack, info->attrs[OVPN_A_KEYCONF], attrs, 918 OVPN_A_KEYCONF_DECRYPT_DIR)) 919 return -EINVAL; 920 921 pkr.slot = nla_get_u32(attrs[OVPN_A_KEYCONF_SLOT]); 922 pkr.key.key_id = nla_get_u32(attrs[OVPN_A_KEYCONF_KEY_ID]); 923 pkr.key.cipher_alg = nla_get_u32(attrs[OVPN_A_KEYCONF_CIPHER_ALG]); 924 925 ret = ovpn_nl_get_key_dir(info, attrs[OVPN_A_KEYCONF_ENCRYPT_DIR], 926 pkr.key.cipher_alg, &pkr.key.encrypt); 927 if (ret < 0) 928 return ret; 929 930 ret = ovpn_nl_get_key_dir(info, attrs[OVPN_A_KEYCONF_DECRYPT_DIR], 931 pkr.key.cipher_alg, &pkr.key.decrypt); 932 if (ret < 0) 933 return ret; 934 935 peer_id = nla_get_u32(attrs[OVPN_A_KEYCONF_PEER_ID]); 936 peer = ovpn_peer_get_by_id(ovpn, peer_id); 937 if (!peer) { 938 NL_SET_ERR_MSG_FMT_MOD(info->extack, 939 "no peer with id %u to set key for", 940 peer_id); 941 return -ENOENT; 942 } 943 944 ret = ovpn_crypto_state_reset(&peer->crypto, &pkr); 945 if (ret < 0) { 946 NL_SET_ERR_MSG_FMT_MOD(info->extack, 947 "cannot install new key for peer %u", 948 peer_id); 949 goto out; 950 } 951 952 netdev_dbg(ovpn->dev, "new key installed (id=%u) for peer %u\n", 953 pkr.key.key_id, peer_id); 954 out: 955 ovpn_peer_put(peer); 956 return ret; 957 } 958 959 static int ovpn_nl_send_key(struct sk_buff *skb, const struct genl_info *info, 960 u32 peer_id, enum ovpn_key_slot slot, 961 const struct ovpn_key_config *keyconf) 962 { 963 struct nlattr *attr; 964 void *hdr; 965 966 hdr = genlmsg_put(skb, info->snd_portid, info->snd_seq, &ovpn_nl_family, 967 0, OVPN_CMD_KEY_GET); 968 if (!hdr) 969 return -ENOBUFS; 970 971 attr = nla_nest_start(skb, OVPN_A_KEYCONF); 972 if (!attr) 973 goto err; 974 975 if (nla_put_u32(skb, OVPN_A_KEYCONF_PEER_ID, peer_id)) 976 goto err; 977 978 if (nla_put_u32(skb, OVPN_A_KEYCONF_SLOT, slot) || 979 nla_put_u32(skb, OVPN_A_KEYCONF_KEY_ID, keyconf->key_id) || 980 nla_put_u32(skb, OVPN_A_KEYCONF_CIPHER_ALG, keyconf->cipher_alg)) 981 goto err; 982 983 nla_nest_end(skb, attr); 984 genlmsg_end(skb, hdr); 985 986 return 0; 987 err: 988 genlmsg_cancel(skb, hdr); 989 return -EMSGSIZE; 990 } 991 992 int ovpn_nl_key_get_doit(struct sk_buff *skb, struct genl_info *info) 993 { 994 struct nlattr *attrs[OVPN_A_KEYCONF_MAX + 1]; 995 struct ovpn_priv *ovpn = info->user_ptr[0]; 996 struct ovpn_key_config keyconf = { 0 }; 997 enum ovpn_key_slot slot; 998 struct ovpn_peer *peer; 999 struct sk_buff *msg; 1000 u32 peer_id; 1001 int ret, i; 1002 1003 if (GENL_REQ_ATTR_CHECK(info, OVPN_A_KEYCONF)) 1004 return -EINVAL; 1005 1006 ret = nla_parse_nested(attrs, OVPN_A_KEYCONF_MAX, 1007 info->attrs[OVPN_A_KEYCONF], 1008 ovpn_keyconf_get_nl_policy, info->extack); 1009 if (ret) 1010 return ret; 1011 1012 if (NL_REQ_ATTR_CHECK(info->extack, info->attrs[OVPN_A_KEYCONF], attrs, 1013 OVPN_A_KEYCONF_PEER_ID)) 1014 return -EINVAL; 1015 1016 if (NL_REQ_ATTR_CHECK(info->extack, info->attrs[OVPN_A_KEYCONF], attrs, 1017 OVPN_A_KEYCONF_SLOT)) 1018 return -EINVAL; 1019 1020 /* OVPN_CMD_KEY_GET expects only the PEER_ID and the SLOT, therefore 1021 * ensure that the user hasn't specified any other attribute. 1022 * 1023 * Unfortunately this check cannot be performed via netlink 1024 * spec/policy and must be open-coded. 1025 */ 1026 for (i = 0; i < OVPN_A_KEYCONF_MAX + 1; i++) { 1027 if (i == OVPN_A_KEYCONF_PEER_ID || 1028 i == OVPN_A_KEYCONF_SLOT) 1029 continue; 1030 1031 if (attrs[i]) { 1032 NL_SET_ERR_MSG_FMT_MOD(info->extack, 1033 "unexpected attribute %u", i); 1034 return -EINVAL; 1035 } 1036 } 1037 1038 peer_id = nla_get_u32(attrs[OVPN_A_KEYCONF_PEER_ID]); 1039 peer = ovpn_peer_get_by_id(ovpn, peer_id); 1040 if (!peer) { 1041 NL_SET_ERR_MSG_FMT_MOD(info->extack, 1042 "cannot find peer with id %u", peer_id); 1043 return -ENOENT; 1044 } 1045 1046 slot = nla_get_u32(attrs[OVPN_A_KEYCONF_SLOT]); 1047 1048 ret = ovpn_crypto_config_get(&peer->crypto, slot, &keyconf); 1049 if (ret < 0) { 1050 NL_SET_ERR_MSG_FMT_MOD(info->extack, 1051 "cannot extract key from slot %u for peer %u", 1052 slot, peer_id); 1053 goto err; 1054 } 1055 1056 msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL); 1057 if (!msg) { 1058 ret = -ENOMEM; 1059 goto err; 1060 } 1061 1062 ret = ovpn_nl_send_key(msg, info, peer->id, slot, &keyconf); 1063 if (ret < 0) { 1064 nlmsg_free(msg); 1065 goto err; 1066 } 1067 1068 ret = genlmsg_reply(msg, info); 1069 err: 1070 ovpn_peer_put(peer); 1071 return ret; 1072 } 1073 1074 int ovpn_nl_key_swap_doit(struct sk_buff *skb, struct genl_info *info) 1075 { 1076 struct nlattr *attrs[OVPN_A_KEYCONF_MAX + 1]; 1077 struct ovpn_priv *ovpn = info->user_ptr[0]; 1078 struct ovpn_peer *peer; 1079 u32 peer_id; 1080 int ret; 1081 1082 if (GENL_REQ_ATTR_CHECK(info, OVPN_A_KEYCONF)) 1083 return -EINVAL; 1084 1085 ret = nla_parse_nested(attrs, OVPN_A_KEYCONF_MAX, 1086 info->attrs[OVPN_A_KEYCONF], 1087 ovpn_keyconf_swap_input_nl_policy, info->extack); 1088 if (ret) 1089 return ret; 1090 1091 if (NL_REQ_ATTR_CHECK(info->extack, info->attrs[OVPN_A_KEYCONF], attrs, 1092 OVPN_A_KEYCONF_PEER_ID)) 1093 return -EINVAL; 1094 1095 peer_id = nla_get_u32(attrs[OVPN_A_KEYCONF_PEER_ID]); 1096 peer = ovpn_peer_get_by_id(ovpn, peer_id); 1097 if (!peer) { 1098 NL_SET_ERR_MSG_FMT_MOD(info->extack, 1099 "no peer with id %u to swap keys for", 1100 peer_id); 1101 return -ENOENT; 1102 } 1103 1104 ovpn_crypto_key_slots_swap(&peer->crypto); 1105 ovpn_peer_put(peer); 1106 1107 return 0; 1108 } 1109 1110 int ovpn_nl_key_del_doit(struct sk_buff *skb, struct genl_info *info) 1111 { 1112 struct nlattr *attrs[OVPN_A_KEYCONF_MAX + 1]; 1113 struct ovpn_priv *ovpn = info->user_ptr[0]; 1114 enum ovpn_key_slot slot; 1115 struct ovpn_peer *peer; 1116 u32 peer_id; 1117 int ret; 1118 1119 if (GENL_REQ_ATTR_CHECK(info, OVPN_A_KEYCONF)) 1120 return -EINVAL; 1121 1122 ret = nla_parse_nested(attrs, OVPN_A_KEYCONF_MAX, 1123 info->attrs[OVPN_A_KEYCONF], 1124 ovpn_keyconf_del_input_nl_policy, info->extack); 1125 if (ret) 1126 return ret; 1127 1128 if (NL_REQ_ATTR_CHECK(info->extack, info->attrs[OVPN_A_KEYCONF], attrs, 1129 OVPN_A_KEYCONF_PEER_ID)) 1130 return -EINVAL; 1131 1132 if (NL_REQ_ATTR_CHECK(info->extack, info->attrs[OVPN_A_KEYCONF], attrs, 1133 OVPN_A_KEYCONF_SLOT)) 1134 return -EINVAL; 1135 1136 peer_id = nla_get_u32(attrs[OVPN_A_KEYCONF_PEER_ID]); 1137 slot = nla_get_u32(attrs[OVPN_A_KEYCONF_SLOT]); 1138 1139 peer = ovpn_peer_get_by_id(ovpn, peer_id); 1140 if (!peer) { 1141 NL_SET_ERR_MSG_FMT_MOD(info->extack, 1142 "no peer with id %u to delete key for", 1143 peer_id); 1144 return -ENOENT; 1145 } 1146 1147 ovpn_crypto_key_slot_delete(&peer->crypto, slot); 1148 ovpn_peer_put(peer); 1149 1150 return 0; 1151 } 1152 1153 /** 1154 * ovpn_nl_peer_del_notify - notify userspace about peer being deleted 1155 * @peer: the peer being deleted 1156 * 1157 * Return: 0 on success or a negative error code otherwise 1158 */ 1159 int ovpn_nl_peer_del_notify(struct ovpn_peer *peer) 1160 { 1161 struct ovpn_socket *sock; 1162 struct sk_buff *msg; 1163 struct nlattr *attr; 1164 int ret = -EMSGSIZE; 1165 void *hdr; 1166 1167 netdev_info(peer->ovpn->dev, "deleting peer with id %u, reason %d\n", 1168 peer->id, peer->delete_reason); 1169 1170 msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_ATOMIC); 1171 if (!msg) 1172 return -ENOMEM; 1173 1174 hdr = genlmsg_put(msg, 0, 0, &ovpn_nl_family, 0, OVPN_CMD_PEER_DEL_NTF); 1175 if (!hdr) { 1176 ret = -ENOBUFS; 1177 goto err_free_msg; 1178 } 1179 1180 if (nla_put_u32(msg, OVPN_A_IFINDEX, peer->ovpn->dev->ifindex)) 1181 goto err_cancel_msg; 1182 1183 attr = nla_nest_start(msg, OVPN_A_PEER); 1184 if (!attr) 1185 goto err_cancel_msg; 1186 1187 if (nla_put_u32(msg, OVPN_A_PEER_DEL_REASON, peer->delete_reason)) 1188 goto err_cancel_msg; 1189 1190 if (nla_put_u32(msg, OVPN_A_PEER_ID, peer->id)) 1191 goto err_cancel_msg; 1192 1193 nla_nest_end(msg, attr); 1194 1195 genlmsg_end(msg, hdr); 1196 1197 rcu_read_lock(); 1198 sock = rcu_dereference(peer->sock); 1199 if (!sock) { 1200 ret = -EINVAL; 1201 goto err_unlock; 1202 } 1203 genlmsg_multicast_netns(&ovpn_nl_family, sock_net(sock->sk), msg, 0, 1204 OVPN_NLGRP_PEERS, GFP_ATOMIC); 1205 rcu_read_unlock(); 1206 1207 return 0; 1208 1209 err_unlock: 1210 rcu_read_unlock(); 1211 err_cancel_msg: 1212 genlmsg_cancel(msg, hdr); 1213 err_free_msg: 1214 nlmsg_free(msg); 1215 return ret; 1216 } 1217 1218 /** 1219 * ovpn_nl_peer_float_notify - notify userspace about peer floating 1220 * @peer: the floated peer 1221 * @ss: sockaddr representing the new remote endpoint 1222 * 1223 * Return: 0 on success or a negative error code otherwise 1224 */ 1225 int ovpn_nl_peer_float_notify(struct ovpn_peer *peer, 1226 const struct sockaddr_storage *ss) 1227 { 1228 struct ovpn_socket *sock; 1229 struct sockaddr_in6 *sa6; 1230 struct sockaddr_in *sa; 1231 struct sk_buff *msg; 1232 struct nlattr *attr; 1233 int ret = -EMSGSIZE; 1234 void *hdr; 1235 1236 msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_ATOMIC); 1237 if (!msg) 1238 return -ENOMEM; 1239 1240 hdr = genlmsg_put(msg, 0, 0, &ovpn_nl_family, 0, 1241 OVPN_CMD_PEER_FLOAT_NTF); 1242 if (!hdr) { 1243 ret = -ENOBUFS; 1244 goto err_free_msg; 1245 } 1246 1247 if (nla_put_u32(msg, OVPN_A_IFINDEX, peer->ovpn->dev->ifindex)) 1248 goto err_cancel_msg; 1249 1250 attr = nla_nest_start(msg, OVPN_A_PEER); 1251 if (!attr) 1252 goto err_cancel_msg; 1253 1254 if (nla_put_u32(msg, OVPN_A_PEER_ID, peer->id)) 1255 goto err_cancel_msg; 1256 1257 if (ss->ss_family == AF_INET) { 1258 sa = (struct sockaddr_in *)ss; 1259 if (nla_put_in_addr(msg, OVPN_A_PEER_REMOTE_IPV4, 1260 sa->sin_addr.s_addr) || 1261 nla_put_net16(msg, OVPN_A_PEER_REMOTE_PORT, sa->sin_port)) 1262 goto err_cancel_msg; 1263 } else if (ss->ss_family == AF_INET6) { 1264 sa6 = (struct sockaddr_in6 *)ss; 1265 if (nla_put_in6_addr(msg, OVPN_A_PEER_REMOTE_IPV6, 1266 &sa6->sin6_addr) || 1267 nla_put_u32(msg, OVPN_A_PEER_REMOTE_IPV6_SCOPE_ID, 1268 sa6->sin6_scope_id) || 1269 nla_put_net16(msg, OVPN_A_PEER_REMOTE_PORT, sa6->sin6_port)) 1270 goto err_cancel_msg; 1271 } else { 1272 ret = -EAFNOSUPPORT; 1273 goto err_cancel_msg; 1274 } 1275 1276 nla_nest_end(msg, attr); 1277 genlmsg_end(msg, hdr); 1278 1279 rcu_read_lock(); 1280 sock = rcu_dereference(peer->sock); 1281 if (!sock) { 1282 ret = -EINVAL; 1283 goto err_unlock; 1284 } 1285 genlmsg_multicast_netns(&ovpn_nl_family, sock_net(sock->sk), msg, 1286 0, OVPN_NLGRP_PEERS, GFP_ATOMIC); 1287 rcu_read_unlock(); 1288 1289 return 0; 1290 1291 err_unlock: 1292 rcu_read_unlock(); 1293 err_cancel_msg: 1294 genlmsg_cancel(msg, hdr); 1295 err_free_msg: 1296 nlmsg_free(msg); 1297 return ret; 1298 } 1299 1300 /** 1301 * ovpn_nl_key_swap_notify - notify userspace peer's key must be renewed 1302 * @peer: the peer whose key needs to be renewed 1303 * @key_id: the ID of the key that needs to be renewed 1304 * 1305 * Return: 0 on success or a negative error code otherwise 1306 */ 1307 int ovpn_nl_key_swap_notify(struct ovpn_peer *peer, u8 key_id) 1308 { 1309 struct ovpn_socket *sock; 1310 struct nlattr *k_attr; 1311 struct sk_buff *msg; 1312 int ret = -EMSGSIZE; 1313 void *hdr; 1314 1315 netdev_info(peer->ovpn->dev, "peer with id %u must rekey - primary key unusable.\n", 1316 peer->id); 1317 1318 msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_ATOMIC); 1319 if (!msg) 1320 return -ENOMEM; 1321 1322 hdr = genlmsg_put(msg, 0, 0, &ovpn_nl_family, 0, OVPN_CMD_KEY_SWAP_NTF); 1323 if (!hdr) { 1324 ret = -ENOBUFS; 1325 goto err_free_msg; 1326 } 1327 1328 if (nla_put_u32(msg, OVPN_A_IFINDEX, peer->ovpn->dev->ifindex)) 1329 goto err_cancel_msg; 1330 1331 k_attr = nla_nest_start(msg, OVPN_A_KEYCONF); 1332 if (!k_attr) 1333 goto err_cancel_msg; 1334 1335 if (nla_put_u32(msg, OVPN_A_KEYCONF_PEER_ID, peer->id)) 1336 goto err_cancel_msg; 1337 1338 if (nla_put_u16(msg, OVPN_A_KEYCONF_KEY_ID, key_id)) 1339 goto err_cancel_msg; 1340 1341 nla_nest_end(msg, k_attr); 1342 genlmsg_end(msg, hdr); 1343 1344 rcu_read_lock(); 1345 sock = rcu_dereference(peer->sock); 1346 if (!sock) { 1347 ret = -EINVAL; 1348 goto err_unlock; 1349 } 1350 genlmsg_multicast_netns(&ovpn_nl_family, sock_net(sock->sk), msg, 0, 1351 OVPN_NLGRP_PEERS, GFP_ATOMIC); 1352 rcu_read_unlock(); 1353 1354 return 0; 1355 err_unlock: 1356 rcu_read_unlock(); 1357 err_cancel_msg: 1358 genlmsg_cancel(msg, hdr); 1359 err_free_msg: 1360 nlmsg_free(msg); 1361 return ret; 1362 } 1363 1364 /** 1365 * ovpn_nl_register - perform any needed registration in the NL subsustem 1366 * 1367 * Return: 0 on success, a negative error code otherwise 1368 */ 1369 int __init ovpn_nl_register(void) 1370 { 1371 int ret = genl_register_family(&ovpn_nl_family); 1372 1373 if (ret) { 1374 pr_err("ovpn: genl_register_family failed: %d\n", ret); 1375 return ret; 1376 } 1377 1378 return 0; 1379 } 1380 1381 /** 1382 * ovpn_nl_unregister - undo any module wide netlink registration 1383 */ 1384 void ovpn_nl_unregister(void) 1385 { 1386 genl_unregister_family(&ovpn_nl_family); 1387 } 1388