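/* SPDX-License-Identifier: GPL-2.0-only */
/*  OpenVPN data channel offload
 *
 *  Copyright (C) 2020-2025 OpenVPN, Inc.
 *
 *  Author:	Antonio Quartulli <antonio@openvpn.net>
 *		James Yonan <james@openvpn.net>
 */

#ifndef _NET_OVPN_PROTO_H_
#define _NET_OVPN_PROTO_H_

#include "main.h"

#include <linux/bitfield.h>
#include <linux/skbuff.h>

/* When the OpenVPN protocol is run in AEAD mode, use
 * the OpenVPN packet ID as the AEAD nonce:
 *
 *    00000005 521c3b01 4308c041
 *    [seq # ] [  nonce_tail   ]
 *    [     12-byte full IV    ] -> OVPN_NONCE_SIZE
 *    [4-bytes                   -> OVPN_NONCE_WIRE_SIZE
 *    on wire]
 *
 * NOTE(review): per the layout above only the 4-byte packet ID differs from
 * packet to packet, so nonce uniqueness under one key rests on that counter
 * never repeating. Nothing in this header enforces it - confirm where the
 * packet ID is generated and checked.
 */

/* nonce size (96bits) as required by AEAD ciphers */
#define OVPN_NONCE_SIZE			12
/* last 8 bytes of AEAD nonce: provided by userspace and usually derived
 * from key material generated during TLS handshake
 */
#define OVPN_NONCE_TAIL_SIZE		8

/* OpenVPN nonce size reduced by 8-byte nonce tail -- this is the
 * size of the AEAD Associated Data (AD) sent over the wire
 * and is normally the head of the IV
 */
#define OVPN_NONCE_WIRE_SIZE (OVPN_NONCE_SIZE - OVPN_NONCE_TAIL_SIZE)

/* The 32-bit DATA_V2 header word is split by the masks below into
 * 5 bits of packet type, 3 bits of key ID and 24 bits of peer ID.
 */
#define OVPN_OPCODE_SIZE		4 /* DATA_V2 opcode size */
#define OVPN_OPCODE_KEYID_MASK		0x07000000
#define OVPN_OPCODE_PKTTYPE_MASK	0xF8000000
#define OVPN_OPCODE_PEERID_MASK		0x00FFFFFF

/* packet opcodes of interest to us */
#define OVPN_DATA_V1			6 /* data channel v1 packet */
#define OVPN_DATA_V2			9 /* data channel v2 packet */

/* all 24 peer ID bits set (same value as OVPN_OPCODE_PEERID_MASK) */
#define OVPN_PEER_ID_UNDEF		0x00FFFFFF

/* The three extractors below load 4 bytes straight from skb->data and do no
 * length check of their own: the caller has to make sure those bytes are
 * present in the linear area (e.g. with pskb_may_pull()) before calling.
 * The returned fields are raw packet bytes, so they should be validated
 * before being used as a lookup key or index.
 *
 * NOTE(review): the load goes through a __be32 pointer. If a caller can pass
 * an address that is not 4-byte aligned, get_unaligned_be32() would be the
 * safer accessor on strict-alignment architectures - confirm against callers.
 */

/**
 * ovpn_opcode_from_skb - extract OP code from skb at specified offset
 * @skb: the packet to extract the OP code from
 * @offset: the offset in the data buffer where the OP code is located
 *
 * Note: this function assumes that the skb head was pulled enough
 * to access the 4 bytes starting at @offset, i.e. that
 * @offset + OVPN_OPCODE_SIZE bytes are linear.
 *
 * Return: the OP code
 */
static inline u8 ovpn_opcode_from_skb(const struct sk_buff *skb, u16 offset)
{
	/* read-only view of the big-endian header word */
	const __be32 *hdr = (const __be32 *)(skb->data + offset);
	u32 opcode = be32_to_cpu(*hdr);

	return FIELD_GET(OVPN_OPCODE_PKTTYPE_MASK, opcode);
}

/**
 * ovpn_peer_id_from_skb - extract peer ID from skb at specified offset
 * @skb: the packet to extract the peer ID from
 * @offset: the offset in the data buffer where the OP code is located
 *
 * Note: this function assumes that the skb head was pulled enough
 * to access the 4 bytes starting at @offset, i.e. that
 * @offset + OVPN_OPCODE_SIZE bytes are linear.
 *
 * Return: the peer ID (may be OVPN_PEER_ID_UNDEF, which is the all-ones
 * value of this field)
 */
static inline u32 ovpn_peer_id_from_skb(const struct sk_buff *skb, u16 offset)
{
	/* read-only view of the big-endian header word */
	const __be32 *hdr = (const __be32 *)(skb->data + offset);
	u32 opcode = be32_to_cpu(*hdr);

	return FIELD_GET(OVPN_OPCODE_PEERID_MASK, opcode);
}

/**
 * ovpn_key_id_from_skb - extract key ID from the skb head
 * @skb: the packet to extract the key ID code from
 *
 * Unlike the two helpers above, this one takes no offset and always reads
 * the header word at skb->data.
 *
 * Note: this function assumes that the skb head was pulled enough
 * to access the first 4 bytes.
 *
 * Return: the key ID
 */
static inline u8 ovpn_key_id_from_skb(const struct sk_buff *skb)
{
	/* read-only view of the big-endian header word */
	const __be32 *hdr = (const __be32 *)skb->data;
	u32 opcode = be32_to_cpu(*hdr);

	return FIELD_GET(OVPN_OPCODE_KEYID_MASK, opcode);
}

/**
 * ovpn_opcode_compose - combine OP code, key ID and peer ID to wire format
 * @opcode: the OP code
 * @key_id: the key ID
 * @peer_id: the peer ID
 *
 * FIELD_PREP() masks each value to the width of its field, so bits that do
 * not fit (more than 5, 3 and 24 bits respectively) are dropped without any
 * error being reported.
 *
 * Return: a 4-byte integer obtained combining all input values following the
 * OpenVPN wire format. This integer can then be written to the packet header.
 * NOTE(review): the result is a plain u32, while the extractors in this file
 * read the header as __be32 - presumably the caller converts with
 * cpu_to_be32() before writing; confirm.
 */
static inline u32 ovpn_opcode_compose(u8 opcode, u8 key_id, u32 peer_id)
{
	return FIELD_PREP(OVPN_OPCODE_PKTTYPE_MASK, opcode) |
	       FIELD_PREP(OVPN_OPCODE_KEYID_MASK, key_id) |
	       FIELD_PREP(OVPN_OPCODE_PEERID_MASK, peer_id);
}

#endif /* _NET_OVPN_PROTO_H_ */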