1 // SPDX-License-Identifier: GPL-2.0
2 /* OpenVPN data channel accelerator
3 *
4 * Copyright (C) 2020-2025 OpenVPN, Inc.
5 *
6 * Author: Antonio Quartulli <antonio@openvpn.net>
7 */
8
9 #include <stdio.h>
10 #include <inttypes.h>
11 #include <stdbool.h>
12 #include <string.h>
13 #include <errno.h>
14 #include <unistd.h>
15 #include <arpa/inet.h>
16 #include <net/if.h>
17 #include <netinet/in.h>
18 #include <time.h>
19
20 #include <linux/ovpn.h>
21 #include <linux/types.h>
22 #include <linux/netlink.h>
23
24 #include <netlink/socket.h>
25 #include <netlink/netlink.h>
26 #include <netlink/genl/genl.h>
27 #include <netlink/genl/family.h>
28 #include <netlink/genl/ctrl.h>
29
30 #include <mbedtls/base64.h>
31 #include <mbedtls/error.h>
32
33 #include <sys/socket.h>
34
35 /* defines to make checkpatch happy */
36 #define strscpy strncpy
37 #define __always_unused __attribute__((__unused__))
38
39 /* libnl < 3.5.0 does not set the NLA_F_NESTED on its own, therefore we
40 * have to explicitly do it to prevent the kernel from failing upon
41 * parsing of the message
42 */
43 #define nla_nest_start(_msg, _type) \
44 nla_nest_start(_msg, (_type) | NLA_F_NESTED)
45
46 /* libnl < 3.11.0 does not implement nla_get_uint() */
ovpn_nla_get_uint(struct nlattr * attr)47 uint64_t ovpn_nla_get_uint(struct nlattr *attr)
48 {
49 if (nla_len(attr) == sizeof(uint32_t))
50 return nla_get_u32(attr);
51 else
52 return nla_get_u64(attr);
53 }
54
55 typedef int (*ovpn_nl_cb)(struct nl_msg *msg, void *arg);
56
57 enum ovpn_key_direction {
58 KEY_DIR_IN = 0,
59 KEY_DIR_OUT,
60 };
61
62 #define KEY_LEN (256 / 8)
63 #define NONCE_LEN 8
64
65 #define PEER_ID_UNDEF 0x00FFFFFF
66 #define MAX_PEERS 10
67
68 struct nl_ctx {
69 struct nl_sock *nl_sock;
70 struct nl_msg *nl_msg;
71 struct nl_cb *nl_cb;
72
73 int ovpn_dco_id;
74 };
75
76 enum ovpn_cmd {
77 CMD_INVALID,
78 CMD_NEW_IFACE,
79 CMD_DEL_IFACE,
80 CMD_LISTEN,
81 CMD_CONNECT,
82 CMD_NEW_PEER,
83 CMD_NEW_MULTI_PEER,
84 CMD_SET_PEER,
85 CMD_DEL_PEER,
86 CMD_GET_PEER,
87 CMD_NEW_KEY,
88 CMD_DEL_KEY,
89 CMD_GET_KEY,
90 CMD_SWAP_KEYS,
91 CMD_LISTEN_MCAST,
92 };
93
94 struct ovpn_ctx {
95 enum ovpn_cmd cmd;
96
97 __u8 key_enc[KEY_LEN];
98 __u8 key_dec[KEY_LEN];
99 __u8 nonce[NONCE_LEN];
100
101 enum ovpn_cipher_alg cipher;
102
103 sa_family_t sa_family;
104
105 unsigned long peer_id;
106 unsigned long lport;
107
108 union {
109 struct sockaddr_in in4;
110 struct sockaddr_in6 in6;
111 } remote;
112
113 union {
114 struct sockaddr_in in4;
115 struct sockaddr_in6 in6;
116 } peer_ip;
117
118 bool peer_ip_set;
119
120 unsigned int ifindex;
121 char ifname[IFNAMSIZ];
122 enum ovpn_mode mode;
123 bool mode_set;
124
125 int socket;
126 int cli_sockets[MAX_PEERS];
127
128 __u32 keepalive_interval;
129 __u32 keepalive_timeout;
130
131 enum ovpn_key_direction key_dir;
132 enum ovpn_key_slot key_slot;
133 int key_id;
134
135 const char *peers_file;
136 };
137
ovpn_nl_recvmsgs(struct nl_ctx * ctx)138 static int ovpn_nl_recvmsgs(struct nl_ctx *ctx)
139 {
140 int ret;
141
142 ret = nl_recvmsgs(ctx->nl_sock, ctx->nl_cb);
143
144 switch (ret) {
145 case -NLE_INTR:
146 fprintf(stderr,
147 "netlink received interrupt due to signal - ignoring\n");
148 break;
149 case -NLE_NOMEM:
150 fprintf(stderr, "netlink out of memory error\n");
151 break;
152 case -NLE_AGAIN:
153 fprintf(stderr,
154 "netlink reports blocking read - aborting wait\n");
155 break;
156 default:
157 if (ret)
158 fprintf(stderr, "netlink reports error (%d): %s\n",
159 ret, nl_geterror(-ret));
160 break;
161 }
162
163 return ret;
164 }
165
nl_ctx_alloc_flags(struct ovpn_ctx * ovpn,int cmd,int flags)166 static struct nl_ctx *nl_ctx_alloc_flags(struct ovpn_ctx *ovpn, int cmd,
167 int flags)
168 {
169 struct nl_ctx *ctx;
170 int err, ret;
171
172 ctx = calloc(1, sizeof(*ctx));
173 if (!ctx)
174 return NULL;
175
176 ctx->nl_sock = nl_socket_alloc();
177 if (!ctx->nl_sock) {
178 fprintf(stderr, "cannot allocate netlink socket\n");
179 goto err_free;
180 }
181
182 nl_socket_set_buffer_size(ctx->nl_sock, 8192, 8192);
183
184 ret = genl_connect(ctx->nl_sock);
185 if (ret) {
186 fprintf(stderr, "cannot connect to generic netlink: %s\n",
187 nl_geterror(ret));
188 goto err_sock;
189 }
190
191 /* enable Extended ACK for detailed error reporting */
192 err = 1;
193 setsockopt(nl_socket_get_fd(ctx->nl_sock), SOL_NETLINK, NETLINK_EXT_ACK,
194 &err, sizeof(err));
195
196 ctx->ovpn_dco_id = genl_ctrl_resolve(ctx->nl_sock, OVPN_FAMILY_NAME);
197 if (ctx->ovpn_dco_id < 0) {
198 fprintf(stderr, "cannot find ovpn_dco netlink component: %d\n",
199 ctx->ovpn_dco_id);
200 goto err_free;
201 }
202
203 ctx->nl_msg = nlmsg_alloc();
204 if (!ctx->nl_msg) {
205 fprintf(stderr, "cannot allocate netlink message\n");
206 goto err_sock;
207 }
208
209 ctx->nl_cb = nl_cb_alloc(NL_CB_DEFAULT);
210 if (!ctx->nl_cb) {
211 fprintf(stderr, "failed to allocate netlink callback\n");
212 goto err_msg;
213 }
214
215 nl_socket_set_cb(ctx->nl_sock, ctx->nl_cb);
216
217 genlmsg_put(ctx->nl_msg, 0, 0, ctx->ovpn_dco_id, 0, flags, cmd, 0);
218
219 if (ovpn->ifindex > 0)
220 NLA_PUT_U32(ctx->nl_msg, OVPN_A_IFINDEX, ovpn->ifindex);
221
222 return ctx;
223 nla_put_failure:
224 err_msg:
225 nlmsg_free(ctx->nl_msg);
226 err_sock:
227 nl_socket_free(ctx->nl_sock);
228 err_free:
229 free(ctx);
230 return NULL;
231 }
232
nl_ctx_alloc(struct ovpn_ctx * ovpn,int cmd)233 static struct nl_ctx *nl_ctx_alloc(struct ovpn_ctx *ovpn, int cmd)
234 {
235 return nl_ctx_alloc_flags(ovpn, cmd, 0);
236 }
237
nl_ctx_free(struct nl_ctx * ctx)238 static void nl_ctx_free(struct nl_ctx *ctx)
239 {
240 if (!ctx)
241 return;
242
243 nl_socket_free(ctx->nl_sock);
244 nlmsg_free(ctx->nl_msg);
245 nl_cb_put(ctx->nl_cb);
246 free(ctx);
247 }
248
ovpn_nl_cb_error(struct sockaddr_nl (* nla)__always_unused,struct nlmsgerr * err,void * arg)249 static int ovpn_nl_cb_error(struct sockaddr_nl (*nla)__always_unused,
250 struct nlmsgerr *err, void *arg)
251 {
252 struct nlmsghdr *nlh = (struct nlmsghdr *)err - 1;
253 struct nlattr *tb_msg[NLMSGERR_ATTR_MAX + 1];
254 int len = nlh->nlmsg_len;
255 struct nlattr *attrs;
256 int *ret = arg;
257 int ack_len = sizeof(*nlh) + sizeof(int) + sizeof(*nlh);
258
259 *ret = err->error;
260
261 if (!(nlh->nlmsg_flags & NLM_F_ACK_TLVS))
262 return NL_STOP;
263
264 if (!(nlh->nlmsg_flags & NLM_F_CAPPED))
265 ack_len += err->msg.nlmsg_len - sizeof(*nlh);
266
267 if (len <= ack_len)
268 return NL_STOP;
269
270 attrs = (void *)((uint8_t *)nlh + ack_len);
271 len -= ack_len;
272
273 nla_parse(tb_msg, NLMSGERR_ATTR_MAX, attrs, len, NULL);
274 if (tb_msg[NLMSGERR_ATTR_MSG]) {
275 len = strnlen((char *)nla_data(tb_msg[NLMSGERR_ATTR_MSG]),
276 nla_len(tb_msg[NLMSGERR_ATTR_MSG]));
277 fprintf(stderr, "kernel error: %*s\n", len,
278 (char *)nla_data(tb_msg[NLMSGERR_ATTR_MSG]));
279 }
280
281 if (tb_msg[NLMSGERR_ATTR_MISS_NEST]) {
282 fprintf(stderr, "missing required nesting type %u\n",
283 nla_get_u32(tb_msg[NLMSGERR_ATTR_MISS_NEST]));
284 }
285
286 if (tb_msg[NLMSGERR_ATTR_MISS_TYPE]) {
287 fprintf(stderr, "missing required attribute type %u\n",
288 nla_get_u32(tb_msg[NLMSGERR_ATTR_MISS_TYPE]));
289 }
290
291 return NL_STOP;
292 }
293
ovpn_nl_cb_finish(struct nl_msg (* msg)__always_unused,void * arg)294 static int ovpn_nl_cb_finish(struct nl_msg (*msg)__always_unused,
295 void *arg)
296 {
297 int *status = arg;
298
299 *status = 0;
300 return NL_SKIP;
301 }
302
ovpn_nl_cb_ack(struct nl_msg (* msg)__always_unused,void * arg)303 static int ovpn_nl_cb_ack(struct nl_msg (*msg)__always_unused,
304 void *arg)
305 {
306 int *status = arg;
307
308 *status = 0;
309 return NL_STOP;
310 }
311
ovpn_nl_msg_send(struct nl_ctx * ctx,ovpn_nl_cb cb)312 static int ovpn_nl_msg_send(struct nl_ctx *ctx, ovpn_nl_cb cb)
313 {
314 int status = 1;
315
316 nl_cb_err(ctx->nl_cb, NL_CB_CUSTOM, ovpn_nl_cb_error, &status);
317 nl_cb_set(ctx->nl_cb, NL_CB_FINISH, NL_CB_CUSTOM, ovpn_nl_cb_finish,
318 &status);
319 nl_cb_set(ctx->nl_cb, NL_CB_ACK, NL_CB_CUSTOM, ovpn_nl_cb_ack, &status);
320
321 if (cb)
322 nl_cb_set(ctx->nl_cb, NL_CB_VALID, NL_CB_CUSTOM, cb, ctx);
323
324 nl_send_auto_complete(ctx->nl_sock, ctx->nl_msg);
325
326 while (status == 1)
327 ovpn_nl_recvmsgs(ctx);
328
329 if (status < 0)
330 fprintf(stderr, "failed to send netlink message: %s (%d)\n",
331 strerror(-status), status);
332
333 return status;
334 }
335
ovpn_parse_key(const char * file,struct ovpn_ctx * ctx)336 static int ovpn_parse_key(const char *file, struct ovpn_ctx *ctx)
337 {
338 int idx_enc, idx_dec, ret = -1;
339 unsigned char *ckey = NULL;
340 __u8 *bkey = NULL;
341 size_t olen = 0;
342 long ckey_len;
343 FILE *fp;
344
345 fp = fopen(file, "r");
346 if (!fp) {
347 fprintf(stderr, "cannot open: %s\n", file);
348 return -1;
349 }
350
351 /* get file size */
352 fseek(fp, 0L, SEEK_END);
353 ckey_len = ftell(fp);
354 rewind(fp);
355
356 /* if the file is longer, let's just read a portion */
357 if (ckey_len > 256)
358 ckey_len = 256;
359
360 ckey = malloc(ckey_len);
361 if (!ckey)
362 goto err;
363
364 ret = fread(ckey, 1, ckey_len, fp);
365 if (ret != ckey_len) {
366 fprintf(stderr,
367 "couldn't read enough data from key file: %dbytes read\n",
368 ret);
369 goto err;
370 }
371
372 olen = 0;
373 ret = mbedtls_base64_decode(NULL, 0, &olen, ckey, ckey_len);
374 if (ret != MBEDTLS_ERR_BASE64_BUFFER_TOO_SMALL) {
375 char buf[256];
376
377 mbedtls_strerror(ret, buf, sizeof(buf));
378 fprintf(stderr, "unexpected base64 error1: %s (%d)\n", buf,
379 ret);
380
381 goto err;
382 }
383
384 bkey = malloc(olen);
385 if (!bkey) {
386 fprintf(stderr, "cannot allocate binary key buffer\n");
387 goto err;
388 }
389
390 ret = mbedtls_base64_decode(bkey, olen, &olen, ckey, ckey_len);
391 if (ret) {
392 char buf[256];
393
394 mbedtls_strerror(ret, buf, sizeof(buf));
395 fprintf(stderr, "unexpected base64 error2: %s (%d)\n", buf,
396 ret);
397
398 goto err;
399 }
400
401 if (olen < 2 * KEY_LEN + NONCE_LEN) {
402 fprintf(stderr,
403 "not enough data in key file, found %zdB but needs %dB\n",
404 olen, 2 * KEY_LEN + NONCE_LEN);
405 goto err;
406 }
407
408 switch (ctx->key_dir) {
409 case KEY_DIR_IN:
410 idx_enc = 0;
411 idx_dec = 1;
412 break;
413 case KEY_DIR_OUT:
414 idx_enc = 1;
415 idx_dec = 0;
416 break;
417 default:
418 goto err;
419 }
420
421 memcpy(ctx->key_enc, bkey + KEY_LEN * idx_enc, KEY_LEN);
422 memcpy(ctx->key_dec, bkey + KEY_LEN * idx_dec, KEY_LEN);
423 memcpy(ctx->nonce, bkey + 2 * KEY_LEN, NONCE_LEN);
424
425 ret = 0;
426
427 err:
428 fclose(fp);
429 free(bkey);
430 free(ckey);
431
432 return ret;
433 }
434
ovpn_parse_cipher(const char * cipher,struct ovpn_ctx * ctx)435 static int ovpn_parse_cipher(const char *cipher, struct ovpn_ctx *ctx)
436 {
437 if (strcmp(cipher, "aes") == 0)
438 ctx->cipher = OVPN_CIPHER_ALG_AES_GCM;
439 else if (strcmp(cipher, "chachapoly") == 0)
440 ctx->cipher = OVPN_CIPHER_ALG_CHACHA20_POLY1305;
441 else if (strcmp(cipher, "none") == 0)
442 ctx->cipher = OVPN_CIPHER_ALG_NONE;
443 else
444 return -ENOTSUP;
445
446 return 0;
447 }
448
ovpn_parse_key_direction(const char * dir,struct ovpn_ctx * ctx)449 static int ovpn_parse_key_direction(const char *dir, struct ovpn_ctx *ctx)
450 {
451 int in_dir;
452
453 in_dir = strtoll(dir, NULL, 10);
454 switch (in_dir) {
455 case KEY_DIR_IN:
456 case KEY_DIR_OUT:
457 ctx->key_dir = in_dir;
458 break;
459 default:
460 fprintf(stderr,
461 "invalid key direction provided. Can be 0 or 1 only\n");
462 return -1;
463 }
464
465 return 0;
466 }
467
ovpn_socket(struct ovpn_ctx * ctx,sa_family_t family,int proto)468 static int ovpn_socket(struct ovpn_ctx *ctx, sa_family_t family, int proto)
469 {
470 struct sockaddr_storage local_sock = { 0 };
471 struct sockaddr_in6 *in6;
472 struct sockaddr_in *in;
473 int ret, s, sock_type;
474 size_t sock_len;
475
476 if (proto == IPPROTO_UDP)
477 sock_type = SOCK_DGRAM;
478 else if (proto == IPPROTO_TCP)
479 sock_type = SOCK_STREAM;
480 else
481 return -EINVAL;
482
483 s = socket(family, sock_type, 0);
484 if (s < 0) {
485 perror("cannot create socket");
486 return -1;
487 }
488
489 switch (family) {
490 case AF_INET:
491 in = (struct sockaddr_in *)&local_sock;
492 in->sin_family = family;
493 in->sin_port = htons(ctx->lport);
494 in->sin_addr.s_addr = htonl(INADDR_ANY);
495 sock_len = sizeof(*in);
496 break;
497 case AF_INET6:
498 in6 = (struct sockaddr_in6 *)&local_sock;
499 in6->sin6_family = family;
500 in6->sin6_port = htons(ctx->lport);
501 in6->sin6_addr = in6addr_any;
502 sock_len = sizeof(*in6);
503 break;
504 default:
505 return -1;
506 }
507
508 int opt = 1;
509
510 ret = setsockopt(s, SOL_SOCKET, SO_REUSEADDR, &opt, sizeof(opt));
511
512 if (ret < 0) {
513 perror("setsockopt for SO_REUSEADDR");
514 return ret;
515 }
516
517 ret = setsockopt(s, SOL_SOCKET, SO_REUSEPORT, &opt, sizeof(opt));
518 if (ret < 0) {
519 perror("setsockopt for SO_REUSEPORT");
520 return ret;
521 }
522
523 if (family == AF_INET6) {
524 opt = 0;
525 if (setsockopt(s, IPPROTO_IPV6, IPV6_V6ONLY, &opt,
526 sizeof(opt))) {
527 perror("failed to set IPV6_V6ONLY");
528 return -1;
529 }
530 }
531
532 ret = bind(s, (struct sockaddr *)&local_sock, sock_len);
533 if (ret < 0) {
534 perror("cannot bind socket");
535 goto err_socket;
536 }
537
538 ctx->socket = s;
539 ctx->sa_family = family;
540 return 0;
541
542 err_socket:
543 close(s);
544 return -1;
545 }
546
ovpn_udp_socket(struct ovpn_ctx * ctx,sa_family_t family)547 static int ovpn_udp_socket(struct ovpn_ctx *ctx, sa_family_t family)
548 {
549 return ovpn_socket(ctx, family, IPPROTO_UDP);
550 }
551
ovpn_listen(struct ovpn_ctx * ctx,sa_family_t family)552 static int ovpn_listen(struct ovpn_ctx *ctx, sa_family_t family)
553 {
554 int ret;
555
556 ret = ovpn_socket(ctx, family, IPPROTO_TCP);
557 if (ret < 0)
558 return ret;
559
560 ret = listen(ctx->socket, 10);
561 if (ret < 0) {
562 perror("listen");
563 close(ctx->socket);
564 return -1;
565 }
566
567 return 0;
568 }
569
ovpn_accept(struct ovpn_ctx * ctx)570 static int ovpn_accept(struct ovpn_ctx *ctx)
571 {
572 socklen_t socklen;
573 int ret;
574
575 socklen = sizeof(ctx->remote);
576 ret = accept(ctx->socket, (struct sockaddr *)&ctx->remote, &socklen);
577 if (ret < 0) {
578 perror("accept");
579 goto err;
580 }
581
582 fprintf(stderr, "Connection received!\n");
583
584 switch (socklen) {
585 case sizeof(struct sockaddr_in):
586 case sizeof(struct sockaddr_in6):
587 break;
588 default:
589 fprintf(stderr, "error: expecting IPv4 or IPv6 connection\n");
590 close(ret);
591 ret = -EINVAL;
592 goto err;
593 }
594
595 return ret;
596 err:
597 close(ctx->socket);
598 return ret;
599 }
600
ovpn_connect(struct ovpn_ctx * ovpn)601 static int ovpn_connect(struct ovpn_ctx *ovpn)
602 {
603 socklen_t socklen;
604 int s, ret;
605
606 s = socket(ovpn->remote.in4.sin_family, SOCK_STREAM, 0);
607 if (s < 0) {
608 perror("cannot create socket");
609 return -1;
610 }
611
612 switch (ovpn->remote.in4.sin_family) {
613 case AF_INET:
614 socklen = sizeof(struct sockaddr_in);
615 break;
616 case AF_INET6:
617 socklen = sizeof(struct sockaddr_in6);
618 break;
619 default:
620 return -EOPNOTSUPP;
621 }
622
623 ret = connect(s, (struct sockaddr *)&ovpn->remote, socklen);
624 if (ret < 0) {
625 perror("connect");
626 goto err;
627 }
628
629 fprintf(stderr, "connected\n");
630
631 ovpn->socket = s;
632
633 return 0;
634 err:
635 close(s);
636 return ret;
637 }
638
ovpn_new_peer(struct ovpn_ctx * ovpn,bool is_tcp)639 static int ovpn_new_peer(struct ovpn_ctx *ovpn, bool is_tcp)
640 {
641 struct nlattr *attr;
642 struct nl_ctx *ctx;
643 int ret = -1;
644
645 ctx = nl_ctx_alloc(ovpn, OVPN_CMD_PEER_NEW);
646 if (!ctx)
647 return -ENOMEM;
648
649 attr = nla_nest_start(ctx->nl_msg, OVPN_A_PEER);
650 NLA_PUT_U32(ctx->nl_msg, OVPN_A_PEER_ID, ovpn->peer_id);
651 NLA_PUT_U32(ctx->nl_msg, OVPN_A_PEER_SOCKET, ovpn->socket);
652
653 if (!is_tcp) {
654 switch (ovpn->remote.in4.sin_family) {
655 case AF_INET:
656 NLA_PUT_U32(ctx->nl_msg, OVPN_A_PEER_REMOTE_IPV4,
657 ovpn->remote.in4.sin_addr.s_addr);
658 NLA_PUT_U16(ctx->nl_msg, OVPN_A_PEER_REMOTE_PORT,
659 ovpn->remote.in4.sin_port);
660 break;
661 case AF_INET6:
662 NLA_PUT(ctx->nl_msg, OVPN_A_PEER_REMOTE_IPV6,
663 sizeof(ovpn->remote.in6.sin6_addr),
664 &ovpn->remote.in6.sin6_addr);
665 NLA_PUT_U32(ctx->nl_msg,
666 OVPN_A_PEER_REMOTE_IPV6_SCOPE_ID,
667 ovpn->remote.in6.sin6_scope_id);
668 NLA_PUT_U16(ctx->nl_msg, OVPN_A_PEER_REMOTE_PORT,
669 ovpn->remote.in6.sin6_port);
670 break;
671 default:
672 fprintf(stderr,
673 "Invalid family for remote socket address\n");
674 goto nla_put_failure;
675 }
676 }
677
678 if (ovpn->peer_ip_set) {
679 switch (ovpn->peer_ip.in4.sin_family) {
680 case AF_INET:
681 NLA_PUT_U32(ctx->nl_msg, OVPN_A_PEER_VPN_IPV4,
682 ovpn->peer_ip.in4.sin_addr.s_addr);
683 break;
684 case AF_INET6:
685 NLA_PUT(ctx->nl_msg, OVPN_A_PEER_VPN_IPV6,
686 sizeof(struct in6_addr),
687 &ovpn->peer_ip.in6.sin6_addr);
688 break;
689 default:
690 fprintf(stderr, "Invalid family for peer address\n");
691 goto nla_put_failure;
692 }
693 }
694
695 nla_nest_end(ctx->nl_msg, attr);
696
697 ret = ovpn_nl_msg_send(ctx, NULL);
698 nla_put_failure:
699 nl_ctx_free(ctx);
700 return ret;
701 }
702
ovpn_set_peer(struct ovpn_ctx * ovpn)703 static int ovpn_set_peer(struct ovpn_ctx *ovpn)
704 {
705 struct nlattr *attr;
706 struct nl_ctx *ctx;
707 int ret = -1;
708
709 ctx = nl_ctx_alloc(ovpn, OVPN_CMD_PEER_SET);
710 if (!ctx)
711 return -ENOMEM;
712
713 attr = nla_nest_start(ctx->nl_msg, OVPN_A_PEER);
714 NLA_PUT_U32(ctx->nl_msg, OVPN_A_PEER_ID, ovpn->peer_id);
715 NLA_PUT_U32(ctx->nl_msg, OVPN_A_PEER_KEEPALIVE_INTERVAL,
716 ovpn->keepalive_interval);
717 NLA_PUT_U32(ctx->nl_msg, OVPN_A_PEER_KEEPALIVE_TIMEOUT,
718 ovpn->keepalive_timeout);
719 nla_nest_end(ctx->nl_msg, attr);
720
721 ret = ovpn_nl_msg_send(ctx, NULL);
722 nla_put_failure:
723 nl_ctx_free(ctx);
724 return ret;
725 }
726
ovpn_del_peer(struct ovpn_ctx * ovpn)727 static int ovpn_del_peer(struct ovpn_ctx *ovpn)
728 {
729 struct nlattr *attr;
730 struct nl_ctx *ctx;
731 int ret = -1;
732
733 ctx = nl_ctx_alloc(ovpn, OVPN_CMD_PEER_DEL);
734 if (!ctx)
735 return -ENOMEM;
736
737 attr = nla_nest_start(ctx->nl_msg, OVPN_A_PEER);
738 NLA_PUT_U32(ctx->nl_msg, OVPN_A_PEER_ID, ovpn->peer_id);
739 nla_nest_end(ctx->nl_msg, attr);
740
741 ret = ovpn_nl_msg_send(ctx, NULL);
742 nla_put_failure:
743 nl_ctx_free(ctx);
744 return ret;
745 }
746
ovpn_handle_peer(struct nl_msg * msg,void (* arg)__always_unused)747 static int ovpn_handle_peer(struct nl_msg *msg, void (*arg)__always_unused)
748 {
749 struct nlattr *pattrs[OVPN_A_PEER_MAX + 1];
750 struct genlmsghdr *gnlh = nlmsg_data(nlmsg_hdr(msg));
751 struct nlattr *attrs[OVPN_A_MAX + 1];
752 __u16 rport = 0, lport = 0;
753
754 nla_parse(attrs, OVPN_A_MAX, genlmsg_attrdata(gnlh, 0),
755 genlmsg_attrlen(gnlh, 0), NULL);
756
757 if (!attrs[OVPN_A_PEER]) {
758 fprintf(stderr, "no packet content in netlink message\n");
759 return NL_SKIP;
760 }
761
762 nla_parse(pattrs, OVPN_A_PEER_MAX, nla_data(attrs[OVPN_A_PEER]),
763 nla_len(attrs[OVPN_A_PEER]), NULL);
764
765 if (pattrs[OVPN_A_PEER_ID])
766 fprintf(stderr, "* Peer %u\n",
767 nla_get_u32(pattrs[OVPN_A_PEER_ID]));
768
769 if (pattrs[OVPN_A_PEER_SOCKET_NETNSID])
770 fprintf(stderr, "\tsocket NetNS ID: %d\n",
771 nla_get_s32(pattrs[OVPN_A_PEER_SOCKET_NETNSID]));
772
773 if (pattrs[OVPN_A_PEER_VPN_IPV4]) {
774 char buf[INET_ADDRSTRLEN];
775
776 inet_ntop(AF_INET, nla_data(pattrs[OVPN_A_PEER_VPN_IPV4]),
777 buf, sizeof(buf));
778 fprintf(stderr, "\tVPN IPv4: %s\n", buf);
779 }
780
781 if (pattrs[OVPN_A_PEER_VPN_IPV6]) {
782 char buf[INET6_ADDRSTRLEN];
783
784 inet_ntop(AF_INET6, nla_data(pattrs[OVPN_A_PEER_VPN_IPV6]),
785 buf, sizeof(buf));
786 fprintf(stderr, "\tVPN IPv6: %s\n", buf);
787 }
788
789 if (pattrs[OVPN_A_PEER_LOCAL_PORT])
790 lport = ntohs(nla_get_u16(pattrs[OVPN_A_PEER_LOCAL_PORT]));
791
792 if (pattrs[OVPN_A_PEER_REMOTE_PORT])
793 rport = ntohs(nla_get_u16(pattrs[OVPN_A_PEER_REMOTE_PORT]));
794
795 if (pattrs[OVPN_A_PEER_REMOTE_IPV6]) {
796 void *ip = pattrs[OVPN_A_PEER_REMOTE_IPV6];
797 char buf[INET6_ADDRSTRLEN];
798 int scope_id = -1;
799
800 if (pattrs[OVPN_A_PEER_REMOTE_IPV6_SCOPE_ID]) {
801 void *p = pattrs[OVPN_A_PEER_REMOTE_IPV6_SCOPE_ID];
802
803 scope_id = nla_get_u32(p);
804 }
805
806 inet_ntop(AF_INET6, nla_data(ip), buf, sizeof(buf));
807 fprintf(stderr, "\tRemote: %s:%hu (scope-id: %u)\n", buf, rport,
808 scope_id);
809
810 if (pattrs[OVPN_A_PEER_LOCAL_IPV6]) {
811 void *ip = pattrs[OVPN_A_PEER_LOCAL_IPV6];
812
813 inet_ntop(AF_INET6, nla_data(ip), buf, sizeof(buf));
814 fprintf(stderr, "\tLocal: %s:%hu\n", buf, lport);
815 }
816 }
817
818 if (pattrs[OVPN_A_PEER_REMOTE_IPV4]) {
819 void *ip = pattrs[OVPN_A_PEER_REMOTE_IPV4];
820 char buf[INET_ADDRSTRLEN];
821
822 inet_ntop(AF_INET, nla_data(ip), buf, sizeof(buf));
823 fprintf(stderr, "\tRemote: %s:%hu\n", buf, rport);
824
825 if (pattrs[OVPN_A_PEER_LOCAL_IPV4]) {
826 void *p = pattrs[OVPN_A_PEER_LOCAL_IPV4];
827
828 inet_ntop(AF_INET, nla_data(p), buf, sizeof(buf));
829 fprintf(stderr, "\tLocal: %s:%hu\n", buf, lport);
830 }
831 }
832
833 if (pattrs[OVPN_A_PEER_KEEPALIVE_INTERVAL]) {
834 void *p = pattrs[OVPN_A_PEER_KEEPALIVE_INTERVAL];
835
836 fprintf(stderr, "\tKeepalive interval: %u sec\n",
837 nla_get_u32(p));
838 }
839
840 if (pattrs[OVPN_A_PEER_KEEPALIVE_TIMEOUT])
841 fprintf(stderr, "\tKeepalive timeout: %u sec\n",
842 nla_get_u32(pattrs[OVPN_A_PEER_KEEPALIVE_TIMEOUT]));
843
844 if (pattrs[OVPN_A_PEER_VPN_RX_BYTES])
845 fprintf(stderr, "\tVPN RX bytes: %" PRIu64 "\n",
846 ovpn_nla_get_uint(pattrs[OVPN_A_PEER_VPN_RX_BYTES]));
847
848 if (pattrs[OVPN_A_PEER_VPN_TX_BYTES])
849 fprintf(stderr, "\tVPN TX bytes: %" PRIu64 "\n",
850 ovpn_nla_get_uint(pattrs[OVPN_A_PEER_VPN_TX_BYTES]));
851
852 if (pattrs[OVPN_A_PEER_VPN_RX_PACKETS])
853 fprintf(stderr, "\tVPN RX packets: %" PRIu64 "\n",
854 ovpn_nla_get_uint(pattrs[OVPN_A_PEER_VPN_RX_PACKETS]));
855
856 if (pattrs[OVPN_A_PEER_VPN_TX_PACKETS])
857 fprintf(stderr, "\tVPN TX packets: %" PRIu64 "\n",
858 ovpn_nla_get_uint(pattrs[OVPN_A_PEER_VPN_TX_PACKETS]));
859
860 if (pattrs[OVPN_A_PEER_LINK_RX_BYTES])
861 fprintf(stderr, "\tLINK RX bytes: %" PRIu64 "\n",
862 ovpn_nla_get_uint(pattrs[OVPN_A_PEER_LINK_RX_BYTES]));
863
864 if (pattrs[OVPN_A_PEER_LINK_TX_BYTES])
865 fprintf(stderr, "\tLINK TX bytes: %" PRIu64 "\n",
866 ovpn_nla_get_uint(pattrs[OVPN_A_PEER_LINK_TX_BYTES]));
867
868 if (pattrs[OVPN_A_PEER_LINK_RX_PACKETS])
869 fprintf(stderr, "\tLINK RX packets: %" PRIu64 "\n",
870 ovpn_nla_get_uint(pattrs[OVPN_A_PEER_LINK_RX_PACKETS]));
871
872 if (pattrs[OVPN_A_PEER_LINK_TX_PACKETS])
873 fprintf(stderr, "\tLINK TX packets: %" PRIu64 "\n",
874 ovpn_nla_get_uint(pattrs[OVPN_A_PEER_LINK_TX_PACKETS]));
875
876 return NL_SKIP;
877 }
878
ovpn_get_peer(struct ovpn_ctx * ovpn)879 static int ovpn_get_peer(struct ovpn_ctx *ovpn)
880 {
881 int flags = 0, ret = -1;
882 struct nlattr *attr;
883 struct nl_ctx *ctx;
884
885 if (ovpn->peer_id == PEER_ID_UNDEF)
886 flags = NLM_F_DUMP;
887
888 ctx = nl_ctx_alloc_flags(ovpn, OVPN_CMD_PEER_GET, flags);
889 if (!ctx)
890 return -ENOMEM;
891
892 if (ovpn->peer_id != PEER_ID_UNDEF) {
893 attr = nla_nest_start(ctx->nl_msg, OVPN_A_PEER);
894 NLA_PUT_U32(ctx->nl_msg, OVPN_A_PEER_ID, ovpn->peer_id);
895 nla_nest_end(ctx->nl_msg, attr);
896 }
897
898 ret = ovpn_nl_msg_send(ctx, ovpn_handle_peer);
899 nla_put_failure:
900 nl_ctx_free(ctx);
901 return ret;
902 }
903
ovpn_new_key(struct ovpn_ctx * ovpn)904 static int ovpn_new_key(struct ovpn_ctx *ovpn)
905 {
906 struct nlattr *keyconf, *key_dir;
907 struct nl_ctx *ctx;
908 int ret = -1;
909
910 ctx = nl_ctx_alloc(ovpn, OVPN_CMD_KEY_NEW);
911 if (!ctx)
912 return -ENOMEM;
913
914 keyconf = nla_nest_start(ctx->nl_msg, OVPN_A_KEYCONF);
915 NLA_PUT_U32(ctx->nl_msg, OVPN_A_KEYCONF_PEER_ID, ovpn->peer_id);
916 NLA_PUT_U32(ctx->nl_msg, OVPN_A_KEYCONF_SLOT, ovpn->key_slot);
917 NLA_PUT_U32(ctx->nl_msg, OVPN_A_KEYCONF_KEY_ID, ovpn->key_id);
918 NLA_PUT_U32(ctx->nl_msg, OVPN_A_KEYCONF_CIPHER_ALG, ovpn->cipher);
919
920 key_dir = nla_nest_start(ctx->nl_msg, OVPN_A_KEYCONF_ENCRYPT_DIR);
921 NLA_PUT(ctx->nl_msg, OVPN_A_KEYDIR_CIPHER_KEY, KEY_LEN, ovpn->key_enc);
922 NLA_PUT(ctx->nl_msg, OVPN_A_KEYDIR_NONCE_TAIL, NONCE_LEN, ovpn->nonce);
923 nla_nest_end(ctx->nl_msg, key_dir);
924
925 key_dir = nla_nest_start(ctx->nl_msg, OVPN_A_KEYCONF_DECRYPT_DIR);
926 NLA_PUT(ctx->nl_msg, OVPN_A_KEYDIR_CIPHER_KEY, KEY_LEN, ovpn->key_dec);
927 NLA_PUT(ctx->nl_msg, OVPN_A_KEYDIR_NONCE_TAIL, NONCE_LEN, ovpn->nonce);
928 nla_nest_end(ctx->nl_msg, key_dir);
929
930 nla_nest_end(ctx->nl_msg, keyconf);
931
932 ret = ovpn_nl_msg_send(ctx, NULL);
933 nla_put_failure:
934 nl_ctx_free(ctx);
935 return ret;
936 }
937
ovpn_del_key(struct ovpn_ctx * ovpn)938 static int ovpn_del_key(struct ovpn_ctx *ovpn)
939 {
940 struct nlattr *keyconf;
941 struct nl_ctx *ctx;
942 int ret = -1;
943
944 ctx = nl_ctx_alloc(ovpn, OVPN_CMD_KEY_DEL);
945 if (!ctx)
946 return -ENOMEM;
947
948 keyconf = nla_nest_start(ctx->nl_msg, OVPN_A_KEYCONF);
949 NLA_PUT_U32(ctx->nl_msg, OVPN_A_KEYCONF_PEER_ID, ovpn->peer_id);
950 NLA_PUT_U32(ctx->nl_msg, OVPN_A_KEYCONF_SLOT, ovpn->key_slot);
951 nla_nest_end(ctx->nl_msg, keyconf);
952
953 ret = ovpn_nl_msg_send(ctx, NULL);
954 nla_put_failure:
955 nl_ctx_free(ctx);
956 return ret;
957 }
958
ovpn_handle_key(struct nl_msg * msg,void (* arg)__always_unused)959 static int ovpn_handle_key(struct nl_msg *msg, void (*arg)__always_unused)
960 {
961 struct nlattr *kattrs[OVPN_A_KEYCONF_MAX + 1];
962 struct genlmsghdr *gnlh = nlmsg_data(nlmsg_hdr(msg));
963 struct nlattr *attrs[OVPN_A_MAX + 1];
964
965 nla_parse(attrs, OVPN_A_MAX, genlmsg_attrdata(gnlh, 0),
966 genlmsg_attrlen(gnlh, 0), NULL);
967
968 if (!attrs[OVPN_A_KEYCONF]) {
969 fprintf(stderr, "no packet content in netlink message\n");
970 return NL_SKIP;
971 }
972
973 nla_parse(kattrs, OVPN_A_KEYCONF_MAX, nla_data(attrs[OVPN_A_KEYCONF]),
974 nla_len(attrs[OVPN_A_KEYCONF]), NULL);
975
976 if (kattrs[OVPN_A_KEYCONF_PEER_ID])
977 fprintf(stderr, "* Peer %u\n",
978 nla_get_u32(kattrs[OVPN_A_KEYCONF_PEER_ID]));
979 if (kattrs[OVPN_A_KEYCONF_SLOT]) {
980 fprintf(stderr, "\t- Slot: ");
981 switch (nla_get_u32(kattrs[OVPN_A_KEYCONF_SLOT])) {
982 case OVPN_KEY_SLOT_PRIMARY:
983 fprintf(stderr, "primary\n");
984 break;
985 case OVPN_KEY_SLOT_SECONDARY:
986 fprintf(stderr, "secondary\n");
987 break;
988 default:
989 fprintf(stderr, "invalid (%u)\n",
990 nla_get_u32(kattrs[OVPN_A_KEYCONF_SLOT]));
991 break;
992 }
993 }
994 if (kattrs[OVPN_A_KEYCONF_KEY_ID])
995 fprintf(stderr, "\t- Key ID: %u\n",
996 nla_get_u32(kattrs[OVPN_A_KEYCONF_KEY_ID]));
997 if (kattrs[OVPN_A_KEYCONF_CIPHER_ALG]) {
998 fprintf(stderr, "\t- Cipher: ");
999 switch (nla_get_u32(kattrs[OVPN_A_KEYCONF_CIPHER_ALG])) {
1000 case OVPN_CIPHER_ALG_NONE:
1001 fprintf(stderr, "none\n");
1002 break;
1003 case OVPN_CIPHER_ALG_AES_GCM:
1004 fprintf(stderr, "aes-gcm\n");
1005 break;
1006 case OVPN_CIPHER_ALG_CHACHA20_POLY1305:
1007 fprintf(stderr, "chacha20poly1305\n");
1008 break;
1009 default:
1010 fprintf(stderr, "invalid (%u)\n",
1011 nla_get_u32(kattrs[OVPN_A_KEYCONF_CIPHER_ALG]));
1012 break;
1013 }
1014 }
1015
1016 return NL_SKIP;
1017 }
1018
ovpn_get_key(struct ovpn_ctx * ovpn)1019 static int ovpn_get_key(struct ovpn_ctx *ovpn)
1020 {
1021 struct nlattr *keyconf;
1022 struct nl_ctx *ctx;
1023 int ret = -1;
1024
1025 ctx = nl_ctx_alloc(ovpn, OVPN_CMD_KEY_GET);
1026 if (!ctx)
1027 return -ENOMEM;
1028
1029 keyconf = nla_nest_start(ctx->nl_msg, OVPN_A_KEYCONF);
1030 NLA_PUT_U32(ctx->nl_msg, OVPN_A_KEYCONF_PEER_ID, ovpn->peer_id);
1031 NLA_PUT_U32(ctx->nl_msg, OVPN_A_KEYCONF_SLOT, ovpn->key_slot);
1032 nla_nest_end(ctx->nl_msg, keyconf);
1033
1034 ret = ovpn_nl_msg_send(ctx, ovpn_handle_key);
1035 nla_put_failure:
1036 nl_ctx_free(ctx);
1037 return ret;
1038 }
1039
ovpn_swap_keys(struct ovpn_ctx * ovpn)1040 static int ovpn_swap_keys(struct ovpn_ctx *ovpn)
1041 {
1042 struct nl_ctx *ctx;
1043 struct nlattr *kc;
1044 int ret = -1;
1045
1046 ctx = nl_ctx_alloc(ovpn, OVPN_CMD_KEY_SWAP);
1047 if (!ctx)
1048 return -ENOMEM;
1049
1050 kc = nla_nest_start(ctx->nl_msg, OVPN_A_KEYCONF);
1051 NLA_PUT_U32(ctx->nl_msg, OVPN_A_KEYCONF_PEER_ID, ovpn->peer_id);
1052 nla_nest_end(ctx->nl_msg, kc);
1053
1054 ret = ovpn_nl_msg_send(ctx, NULL);
1055 nla_put_failure:
1056 nl_ctx_free(ctx);
1057 return ret;
1058 }
1059
1060 /* Helper function used to easily add attributes to a rtnl message */
ovpn_addattr(struct nlmsghdr * n,int maxlen,int type,const void * data,int alen)1061 static int ovpn_addattr(struct nlmsghdr *n, int maxlen, int type,
1062 const void *data, int alen)
1063 {
1064 int len = RTA_LENGTH(alen);
1065 struct rtattr *rta;
1066
1067 if ((int)(NLMSG_ALIGN(n->nlmsg_len) + RTA_ALIGN(len)) > maxlen) {
1068 fprintf(stderr, "%s: rtnl: message exceeded bound of %d\n",
1069 __func__, maxlen);
1070 return -EMSGSIZE;
1071 }
1072
1073 rta = nlmsg_tail(n);
1074 rta->rta_type = type;
1075 rta->rta_len = len;
1076
1077 if (!data)
1078 memset(RTA_DATA(rta), 0, alen);
1079 else
1080 memcpy(RTA_DATA(rta), data, alen);
1081
1082 n->nlmsg_len = NLMSG_ALIGN(n->nlmsg_len) + RTA_ALIGN(len);
1083
1084 return 0;
1085 }
1086
ovpn_nest_start(struct nlmsghdr * msg,size_t max_size,int attr)1087 static struct rtattr *ovpn_nest_start(struct nlmsghdr *msg, size_t max_size,
1088 int attr)
1089 {
1090 struct rtattr *nest = nlmsg_tail(msg);
1091
1092 if (ovpn_addattr(msg, max_size, attr, NULL, 0) < 0)
1093 return NULL;
1094
1095 return nest;
1096 }
1097
ovpn_nest_end(struct nlmsghdr * msg,struct rtattr * nest)1098 static void ovpn_nest_end(struct nlmsghdr *msg, struct rtattr *nest)
1099 {
1100 nest->rta_len = (uint8_t *)nlmsg_tail(msg) - (uint8_t *)nest;
1101 }
1102
1103 #define RT_SNDBUF_SIZE (1024 * 2)
1104 #define RT_RCVBUF_SIZE (1024 * 4)
1105
1106 /* Open RTNL socket */
ovpn_rt_socket(void)1107 static int ovpn_rt_socket(void)
1108 {
1109 int sndbuf = RT_SNDBUF_SIZE, rcvbuf = RT_RCVBUF_SIZE, fd;
1110
1111 fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE);
1112 if (fd < 0) {
1113 fprintf(stderr, "%s: cannot open netlink socket\n", __func__);
1114 return fd;
1115 }
1116
1117 if (setsockopt(fd, SOL_SOCKET, SO_SNDBUF, &sndbuf,
1118 sizeof(sndbuf)) < 0) {
1119 fprintf(stderr, "%s: SO_SNDBUF\n", __func__);
1120 close(fd);
1121 return -1;
1122 }
1123
1124 if (setsockopt(fd, SOL_SOCKET, SO_RCVBUF, &rcvbuf,
1125 sizeof(rcvbuf)) < 0) {
1126 fprintf(stderr, "%s: SO_RCVBUF\n", __func__);
1127 close(fd);
1128 return -1;
1129 }
1130
1131 return fd;
1132 }
1133
1134 /* Bind socket to Netlink subsystem */
ovpn_rt_bind(int fd,uint32_t groups)1135 static int ovpn_rt_bind(int fd, uint32_t groups)
1136 {
1137 struct sockaddr_nl local = { 0 };
1138 socklen_t addr_len;
1139
1140 local.nl_family = AF_NETLINK;
1141 local.nl_groups = groups;
1142
1143 if (bind(fd, (struct sockaddr *)&local, sizeof(local)) < 0) {
1144 fprintf(stderr, "%s: cannot bind netlink socket: %d\n",
1145 __func__, errno);
1146 return -errno;
1147 }
1148
1149 addr_len = sizeof(local);
1150 if (getsockname(fd, (struct sockaddr *)&local, &addr_len) < 0) {
1151 fprintf(stderr, "%s: cannot getsockname: %d\n", __func__,
1152 errno);
1153 return -errno;
1154 }
1155
1156 if (addr_len != sizeof(local)) {
1157 fprintf(stderr, "%s: wrong address length %d\n", __func__,
1158 addr_len);
1159 return -EINVAL;
1160 }
1161
1162 if (local.nl_family != AF_NETLINK) {
1163 fprintf(stderr, "%s: wrong address family %d\n", __func__,
1164 local.nl_family);
1165 return -EINVAL;
1166 }
1167
1168 return 0;
1169 }
1170
1171 typedef int (*ovpn_parse_reply_cb)(struct nlmsghdr *msg, void *arg);
1172
1173 /* Send Netlink message and run callback on reply (if specified) */
ovpn_rt_send(struct nlmsghdr * payload,pid_t peer,unsigned int groups,ovpn_parse_reply_cb cb,void * arg_cb)1174 static int ovpn_rt_send(struct nlmsghdr *payload, pid_t peer,
1175 unsigned int groups, ovpn_parse_reply_cb cb,
1176 void *arg_cb)
1177 {
1178 int len, rem_len, fd, ret, rcv_len;
1179 struct sockaddr_nl nladdr = { 0 };
1180 struct nlmsgerr *err;
1181 struct nlmsghdr *h;
1182 char buf[1024 * 16];
1183 struct iovec iov = {
1184 .iov_base = payload,
1185 .iov_len = payload->nlmsg_len,
1186 };
1187 struct msghdr nlmsg = {
1188 .msg_name = &nladdr,
1189 .msg_namelen = sizeof(nladdr),
1190 .msg_iov = &iov,
1191 .msg_iovlen = 1,
1192 };
1193
1194 nladdr.nl_family = AF_NETLINK;
1195 nladdr.nl_pid = peer;
1196 nladdr.nl_groups = groups;
1197
1198 payload->nlmsg_seq = time(NULL);
1199
1200 /* no need to send reply */
1201 if (!cb)
1202 payload->nlmsg_flags |= NLM_F_ACK;
1203
1204 fd = ovpn_rt_socket();
1205 if (fd < 0) {
1206 fprintf(stderr, "%s: can't open rtnl socket\n", __func__);
1207 return -errno;
1208 }
1209
1210 ret = ovpn_rt_bind(fd, 0);
1211 if (ret < 0) {
1212 fprintf(stderr, "%s: can't bind rtnl socket\n", __func__);
1213 ret = -errno;
1214 goto out;
1215 }
1216
1217 ret = sendmsg(fd, &nlmsg, 0);
1218 if (ret < 0) {
1219 fprintf(stderr, "%s: rtnl: error on sendmsg()\n", __func__);
1220 ret = -errno;
1221 goto out;
1222 }
1223
1224 /* prepare buffer to store RTNL replies */
1225 memset(buf, 0, sizeof(buf));
1226 iov.iov_base = buf;
1227
1228 while (1) {
1229 /*
1230 * iov_len is modified by recvmsg(), therefore has to be initialized before
1231 * using it again
1232 */
1233 iov.iov_len = sizeof(buf);
1234 rcv_len = recvmsg(fd, &nlmsg, 0);
1235 if (rcv_len < 0) {
1236 if (errno == EINTR || errno == EAGAIN) {
1237 fprintf(stderr, "%s: interrupted call\n",
1238 __func__);
1239 continue;
1240 }
1241 fprintf(stderr, "%s: rtnl: error on recvmsg()\n",
1242 __func__);
1243 ret = -errno;
1244 goto out;
1245 }
1246
1247 if (rcv_len == 0) {
1248 fprintf(stderr,
1249 "%s: rtnl: socket reached unexpected EOF\n",
1250 __func__);
1251 ret = -EIO;
1252 goto out;
1253 }
1254
1255 if (nlmsg.msg_namelen != sizeof(nladdr)) {
1256 fprintf(stderr,
1257 "%s: sender address length: %u (expected %zu)\n",
1258 __func__, nlmsg.msg_namelen, sizeof(nladdr));
1259 ret = -EIO;
1260 goto out;
1261 }
1262
1263 h = (struct nlmsghdr *)buf;
1264 while (rcv_len >= (int)sizeof(*h)) {
1265 len = h->nlmsg_len;
1266 rem_len = len - sizeof(*h);
1267
1268 if (rem_len < 0 || len > rcv_len) {
1269 if (nlmsg.msg_flags & MSG_TRUNC) {
1270 fprintf(stderr, "%s: truncated message\n",
1271 __func__);
1272 ret = -EIO;
1273 goto out;
1274 }
1275 fprintf(stderr, "%s: malformed message: len=%d\n",
1276 __func__, len);
1277 ret = -EIO;
1278 goto out;
1279 }
1280
1281 if (h->nlmsg_type == NLMSG_DONE) {
1282 ret = 0;
1283 goto out;
1284 }
1285
1286 if (h->nlmsg_type == NLMSG_ERROR) {
1287 err = (struct nlmsgerr *)NLMSG_DATA(h);
1288 if (rem_len < (int)sizeof(struct nlmsgerr)) {
1289 fprintf(stderr, "%s: ERROR truncated\n",
1290 __func__);
1291 ret = -EIO;
1292 goto out;
1293 }
1294
1295 if (err->error) {
1296 fprintf(stderr, "%s: (%d) %s\n",
1297 __func__, err->error,
1298 strerror(-err->error));
1299 ret = err->error;
1300 goto out;
1301 }
1302
1303 ret = 0;
1304 if (cb) {
1305 int r = cb(h, arg_cb);
1306
1307 if (r <= 0)
1308 ret = r;
1309 }
1310 goto out;
1311 }
1312
1313 if (cb) {
1314 int r = cb(h, arg_cb);
1315
1316 if (r <= 0) {
1317 ret = r;
1318 goto out;
1319 }
1320 } else {
1321 fprintf(stderr, "%s: RTNL: unexpected reply\n",
1322 __func__);
1323 }
1324
1325 rcv_len -= NLMSG_ALIGN(len);
1326 h = (struct nlmsghdr *)((uint8_t *)h +
1327 NLMSG_ALIGN(len));
1328 }
1329
1330 if (nlmsg.msg_flags & MSG_TRUNC) {
1331 fprintf(stderr, "%s: message truncated\n", __func__);
1332 continue;
1333 }
1334
1335 if (rcv_len) {
1336 fprintf(stderr, "%s: rtnl: %d not parsed bytes\n",
1337 __func__, rcv_len);
1338 ret = -1;
1339 goto out;
1340 }
1341 }
1342 out:
1343 close(fd);
1344
1345 return ret;
1346 }
1347
1348 struct ovpn_link_req {
1349 struct nlmsghdr n;
1350 struct ifinfomsg i;
1351 char buf[256];
1352 };
1353
ovpn_new_iface(struct ovpn_ctx * ovpn)1354 static int ovpn_new_iface(struct ovpn_ctx *ovpn)
1355 {
1356 struct rtattr *linkinfo, *data;
1357 struct ovpn_link_req req = { 0 };
1358 int ret = -1;
1359
1360 fprintf(stdout, "Creating interface %s with mode %u\n", ovpn->ifname,
1361 ovpn->mode);
1362
1363 req.n.nlmsg_len = NLMSG_LENGTH(sizeof(req.i));
1364 req.n.nlmsg_flags = NLM_F_REQUEST | NLM_F_CREATE | NLM_F_EXCL;
1365 req.n.nlmsg_type = RTM_NEWLINK;
1366
1367 if (ovpn_addattr(&req.n, sizeof(req), IFLA_IFNAME, ovpn->ifname,
1368 strlen(ovpn->ifname) + 1) < 0)
1369 goto err;
1370
1371 linkinfo = ovpn_nest_start(&req.n, sizeof(req), IFLA_LINKINFO);
1372 if (!linkinfo)
1373 goto err;
1374
1375 if (ovpn_addattr(&req.n, sizeof(req), IFLA_INFO_KIND, OVPN_FAMILY_NAME,
1376 strlen(OVPN_FAMILY_NAME) + 1) < 0)
1377 goto err;
1378
1379 if (ovpn->mode_set) {
1380 data = ovpn_nest_start(&req.n, sizeof(req), IFLA_INFO_DATA);
1381 if (!data)
1382 goto err;
1383
1384 if (ovpn_addattr(&req.n, sizeof(req), IFLA_OVPN_MODE,
1385 &ovpn->mode, sizeof(uint8_t)) < 0)
1386 goto err;
1387
1388 ovpn_nest_end(&req.n, data);
1389 }
1390
1391 ovpn_nest_end(&req.n, linkinfo);
1392
1393 req.i.ifi_family = AF_PACKET;
1394
1395 ret = ovpn_rt_send(&req.n, 0, 0, NULL, NULL);
1396 err:
1397 return ret;
1398 }
1399
ovpn_del_iface(struct ovpn_ctx * ovpn)1400 static int ovpn_del_iface(struct ovpn_ctx *ovpn)
1401 {
1402 struct ovpn_link_req req = { 0 };
1403
1404 fprintf(stdout, "Deleting interface %s ifindex %u\n", ovpn->ifname,
1405 ovpn->ifindex);
1406
1407 req.n.nlmsg_len = NLMSG_LENGTH(sizeof(req.i));
1408 req.n.nlmsg_flags = NLM_F_REQUEST;
1409 req.n.nlmsg_type = RTM_DELLINK;
1410
1411 req.i.ifi_family = AF_PACKET;
1412 req.i.ifi_index = ovpn->ifindex;
1413
1414 return ovpn_rt_send(&req.n, 0, 0, NULL, NULL);
1415 }
1416
nl_seq_check(struct nl_msg (* msg)__always_unused,void (* arg)__always_unused)1417 static int nl_seq_check(struct nl_msg (*msg)__always_unused,
1418 void (*arg)__always_unused)
1419 {
1420 return NL_OK;
1421 }
1422
1423 struct mcast_handler_args {
1424 const char *group;
1425 int id;
1426 };
1427
mcast_family_handler(struct nl_msg * msg,void * arg)1428 static int mcast_family_handler(struct nl_msg *msg, void *arg)
1429 {
1430 struct mcast_handler_args *grp = arg;
1431 struct nlattr *tb[CTRL_ATTR_MAX + 1];
1432 struct genlmsghdr *gnlh = nlmsg_data(nlmsg_hdr(msg));
1433 struct nlattr *mcgrp;
1434 int rem_mcgrp;
1435
1436 nla_parse(tb, CTRL_ATTR_MAX, genlmsg_attrdata(gnlh, 0),
1437 genlmsg_attrlen(gnlh, 0), NULL);
1438
1439 if (!tb[CTRL_ATTR_MCAST_GROUPS])
1440 return NL_SKIP;
1441
1442 nla_for_each_nested(mcgrp, tb[CTRL_ATTR_MCAST_GROUPS], rem_mcgrp) {
1443 struct nlattr *tb_mcgrp[CTRL_ATTR_MCAST_GRP_MAX + 1];
1444
1445 nla_parse(tb_mcgrp, CTRL_ATTR_MCAST_GRP_MAX,
1446 nla_data(mcgrp), nla_len(mcgrp), NULL);
1447
1448 if (!tb_mcgrp[CTRL_ATTR_MCAST_GRP_NAME] ||
1449 !tb_mcgrp[CTRL_ATTR_MCAST_GRP_ID])
1450 continue;
1451 if (strncmp(nla_data(tb_mcgrp[CTRL_ATTR_MCAST_GRP_NAME]),
1452 grp->group, nla_len(tb_mcgrp[CTRL_ATTR_MCAST_GRP_NAME])))
1453 continue;
1454 grp->id = nla_get_u32(tb_mcgrp[CTRL_ATTR_MCAST_GRP_ID]);
1455 break;
1456 }
1457
1458 return NL_SKIP;
1459 }
1460
mcast_error_handler(struct sockaddr_nl (* nla)__always_unused,struct nlmsgerr * err,void * arg)1461 static int mcast_error_handler(struct sockaddr_nl (*nla)__always_unused,
1462 struct nlmsgerr *err, void *arg)
1463 {
1464 int *ret = arg;
1465
1466 *ret = err->error;
1467 return NL_STOP;
1468 }
1469
mcast_ack_handler(struct nl_msg (* msg)__always_unused,void * arg)1470 static int mcast_ack_handler(struct nl_msg (*msg)__always_unused, void *arg)
1471 {
1472 int *ret = arg;
1473
1474 *ret = 0;
1475 return NL_STOP;
1476 }
1477
ovpn_handle_msg(struct nl_msg * msg,void * arg)1478 static int ovpn_handle_msg(struct nl_msg *msg, void *arg)
1479 {
1480 struct genlmsghdr *gnlh = nlmsg_data(nlmsg_hdr(msg));
1481 struct nlattr *attrs[OVPN_A_MAX + 1];
1482 struct nlmsghdr *nlh = nlmsg_hdr(msg);
1483 char ifname[IF_NAMESIZE];
1484 int *ret = arg;
1485 __u32 ifindex;
1486
1487 fprintf(stderr, "received message from ovpn-dco\n");
1488
1489 *ret = -1;
1490
1491 if (!genlmsg_valid_hdr(nlh, 0)) {
1492 fprintf(stderr, "invalid header\n");
1493 return NL_STOP;
1494 }
1495
1496 if (nla_parse(attrs, OVPN_A_MAX, genlmsg_attrdata(gnlh, 0),
1497 genlmsg_attrlen(gnlh, 0), NULL)) {
1498 fprintf(stderr, "received bogus data from ovpn-dco\n");
1499 return NL_STOP;
1500 }
1501
1502 if (!attrs[OVPN_A_IFINDEX]) {
1503 fprintf(stderr, "no ifindex in this message\n");
1504 return NL_STOP;
1505 }
1506
1507 ifindex = nla_get_u32(attrs[OVPN_A_IFINDEX]);
1508 if (!if_indextoname(ifindex, ifname)) {
1509 fprintf(stderr, "cannot resolve ifname for ifindex: %u\n",
1510 ifindex);
1511 return NL_STOP;
1512 }
1513
1514 switch (gnlh->cmd) {
1515 case OVPN_CMD_PEER_DEL_NTF:
1516 fprintf(stdout, "received CMD_PEER_DEL_NTF\n");
1517 break;
1518 case OVPN_CMD_KEY_SWAP_NTF:
1519 fprintf(stdout, "received CMD_KEY_SWAP_NTF\n");
1520 break;
1521 default:
1522 fprintf(stderr, "received unknown command: %d\n", gnlh->cmd);
1523 return NL_STOP;
1524 }
1525
1526 *ret = 0;
1527 return NL_OK;
1528 }
1529
ovpn_get_mcast_id(struct nl_sock * sock,const char * family,const char * group)1530 static int ovpn_get_mcast_id(struct nl_sock *sock, const char *family,
1531 const char *group)
1532 {
1533 struct nl_msg *msg;
1534 struct nl_cb *cb;
1535 int ret, ctrlid;
1536 struct mcast_handler_args grp = {
1537 .group = group,
1538 .id = -ENOENT,
1539 };
1540
1541 msg = nlmsg_alloc();
1542 if (!msg)
1543 return -ENOMEM;
1544
1545 cb = nl_cb_alloc(NL_CB_DEFAULT);
1546 if (!cb) {
1547 ret = -ENOMEM;
1548 goto out_fail_cb;
1549 }
1550
1551 ctrlid = genl_ctrl_resolve(sock, "nlctrl");
1552
1553 genlmsg_put(msg, 0, 0, ctrlid, 0, 0, CTRL_CMD_GETFAMILY, 0);
1554
1555 ret = -ENOBUFS;
1556 NLA_PUT_STRING(msg, CTRL_ATTR_FAMILY_NAME, family);
1557
1558 ret = nl_send_auto_complete(sock, msg);
1559 if (ret < 0)
1560 goto nla_put_failure;
1561
1562 ret = 1;
1563
1564 nl_cb_err(cb, NL_CB_CUSTOM, mcast_error_handler, &ret);
1565 nl_cb_set(cb, NL_CB_ACK, NL_CB_CUSTOM, mcast_ack_handler, &ret);
1566 nl_cb_set(cb, NL_CB_VALID, NL_CB_CUSTOM, mcast_family_handler, &grp);
1567
1568 while (ret > 0)
1569 nl_recvmsgs(sock, cb);
1570
1571 if (ret == 0)
1572 ret = grp.id;
1573 nla_put_failure:
1574 nl_cb_put(cb);
1575 out_fail_cb:
1576 nlmsg_free(msg);
1577 return ret;
1578 }
1579
ovpn_listen_mcast(void)1580 static int ovpn_listen_mcast(void)
1581 {
1582 struct nl_sock *sock;
1583 struct nl_cb *cb;
1584 int mcid, ret;
1585
1586 sock = nl_socket_alloc();
1587 if (!sock) {
1588 fprintf(stderr, "cannot allocate netlink socket\n");
1589 goto err_free;
1590 }
1591
1592 nl_socket_set_buffer_size(sock, 8192, 8192);
1593
1594 ret = genl_connect(sock);
1595 if (ret < 0) {
1596 fprintf(stderr, "cannot connect to generic netlink: %s\n",
1597 nl_geterror(ret));
1598 goto err_free;
1599 }
1600
1601 mcid = ovpn_get_mcast_id(sock, OVPN_FAMILY_NAME, OVPN_MCGRP_PEERS);
1602 if (mcid < 0) {
1603 fprintf(stderr, "cannot get mcast group: %s\n",
1604 nl_geterror(mcid));
1605 goto err_free;
1606 }
1607
1608 ret = nl_socket_add_membership(sock, mcid);
1609 if (ret) {
1610 fprintf(stderr, "failed to join mcast group: %d\n", ret);
1611 goto err_free;
1612 }
1613
1614 ret = 1;
1615 cb = nl_cb_alloc(NL_CB_DEFAULT);
1616 nl_cb_set(cb, NL_CB_SEQ_CHECK, NL_CB_CUSTOM, nl_seq_check, NULL);
1617 nl_cb_set(cb, NL_CB_VALID, NL_CB_CUSTOM, ovpn_handle_msg, &ret);
1618 nl_cb_err(cb, NL_CB_CUSTOM, ovpn_nl_cb_error, &ret);
1619
1620 while (ret == 1) {
1621 int err = nl_recvmsgs(sock, cb);
1622
1623 if (err < 0) {
1624 fprintf(stderr,
1625 "cannot receive netlink message: (%d) %s\n",
1626 err, nl_geterror(-err));
1627 ret = -1;
1628 break;
1629 }
1630 }
1631
1632 nl_cb_put(cb);
1633 err_free:
1634 nl_socket_free(sock);
1635 return ret;
1636 }
1637
usage(const char * cmd)1638 static void usage(const char *cmd)
1639 {
1640 fprintf(stderr,
1641 "Usage %s <command> <iface> [arguments..]\n",
1642 cmd);
1643 fprintf(stderr, "where <command> can be one of the following\n\n");
1644
1645 fprintf(stderr, "* new_iface <iface> [mode]: create new ovpn interface\n");
1646 fprintf(stderr, "\tiface: ovpn interface name\n");
1647 fprintf(stderr, "\tmode:\n");
1648 fprintf(stderr, "\t\t- P2P for peer-to-peer mode (i.e. client)\n");
1649 fprintf(stderr, "\t\t- MP for multi-peer mode (i.e. server)\n");
1650
1651 fprintf(stderr, "* del_iface <iface>: delete ovpn interface\n");
1652 fprintf(stderr, "\tiface: ovpn interface name\n");
1653
1654 fprintf(stderr,
1655 "* listen <iface> <lport> <peers_file> [ipv6]: listen for incoming peer TCP connections\n");
1656 fprintf(stderr, "\tiface: ovpn interface name\n");
1657 fprintf(stderr, "\tlport: TCP port to listen to\n");
1658 fprintf(stderr,
1659 "\tpeers_file: file containing one peer per line: Line format:\n");
1660 fprintf(stderr, "\t\t<peer_id> <vpnaddr>\n");
1661 fprintf(stderr,
1662 "\tipv6: whether the socket should listen to the IPv6 wildcard address\n");
1663
1664 fprintf(stderr,
1665 "* connect <iface> <peer_id> <raddr> <rport> [key_file]: start connecting peer of TCP-based VPN session\n");
1666 fprintf(stderr, "\tiface: ovpn interface name\n");
1667 fprintf(stderr, "\tpeer_id: peer ID of the connecting peer\n");
1668 fprintf(stderr, "\traddr: peer IP address to connect to\n");
1669 fprintf(stderr, "\trport: peer TCP port to connect to\n");
1670 fprintf(stderr,
1671 "\tkey_file: file containing the symmetric key for encryption\n");
1672
1673 fprintf(stderr,
1674 "* new_peer <iface> <peer_id> <lport> <raddr> <rport> [vpnaddr]: add new peer\n");
1675 fprintf(stderr, "\tiface: ovpn interface name\n");
1676 fprintf(stderr, "\tlport: local UDP port to bind to\n");
1677 fprintf(stderr,
1678 "\tpeer_id: peer ID to be used in data packets to/from this peer\n");
1679 fprintf(stderr, "\traddr: peer IP address\n");
1680 fprintf(stderr, "\trport: peer UDP port\n");
1681 fprintf(stderr, "\tvpnaddr: peer VPN IP\n");
1682
1683 fprintf(stderr,
1684 "* new_multi_peer <iface> <lport> <peers_file>: add multiple peers as listed in the file\n");
1685 fprintf(stderr, "\tiface: ovpn interface name\n");
1686 fprintf(stderr, "\tlport: local UDP port to bind to\n");
1687 fprintf(stderr,
1688 "\tpeers_file: text file containing one peer per line. Line format:\n");
1689 fprintf(stderr, "\t\t<peer_id> <raddr> <rport> <vpnaddr>\n");
1690
1691 fprintf(stderr,
1692 "* set_peer <iface> <peer_id> <keepalive_interval> <keepalive_timeout>: set peer attributes\n");
1693 fprintf(stderr, "\tiface: ovpn interface name\n");
1694 fprintf(stderr, "\tpeer_id: peer ID of the peer to modify\n");
1695 fprintf(stderr,
1696 "\tkeepalive_interval: interval for sending ping messages\n");
1697 fprintf(stderr,
1698 "\tkeepalive_timeout: time after which a peer is timed out\n");
1699
1700 fprintf(stderr, "* del_peer <iface> <peer_id>: delete peer\n");
1701 fprintf(stderr, "\tiface: ovpn interface name\n");
1702 fprintf(stderr, "\tpeer_id: peer ID of the peer to delete\n");
1703
1704 fprintf(stderr, "* get_peer <iface> [peer_id]: retrieve peer(s) status\n");
1705 fprintf(stderr, "\tiface: ovpn interface name\n");
1706 fprintf(stderr,
1707 "\tpeer_id: peer ID of the peer to query. All peers are returned if omitted\n");
1708
1709 fprintf(stderr,
1710 "* new_key <iface> <peer_id> <slot> <key_id> <cipher> <key_dir> <key_file>: set data channel key\n");
1711 fprintf(stderr, "\tiface: ovpn interface name\n");
1712 fprintf(stderr,
1713 "\tpeer_id: peer ID of the peer to configure the key for\n");
1714 fprintf(stderr, "\tslot: either 1 (primary) or 2 (secondary)\n");
1715 fprintf(stderr, "\tkey_id: an ID from 0 to 7\n");
1716 fprintf(stderr,
1717 "\tcipher: cipher to use, supported: aes (AES-GCM), chachapoly (CHACHA20POLY1305)\n");
1718 fprintf(stderr,
1719 "\tkey_dir: key direction, must 0 on one host and 1 on the other\n");
1720 fprintf(stderr, "\tkey_file: file containing the pre-shared key\n");
1721
1722 fprintf(stderr,
1723 "* del_key <iface> <peer_id> [slot]: erase existing data channel key\n");
1724 fprintf(stderr, "\tiface: ovpn interface name\n");
1725 fprintf(stderr, "\tpeer_id: peer ID of the peer to modify\n");
1726 fprintf(stderr, "\tslot: slot to erase. PRIMARY if omitted\n");
1727
1728 fprintf(stderr,
1729 "* get_key <iface> <peer_id> <slot>: retrieve non sensible key data\n");
1730 fprintf(stderr, "\tiface: ovpn interface name\n");
1731 fprintf(stderr, "\tpeer_id: peer ID of the peer to query\n");
1732 fprintf(stderr, "\tslot: either 1 (primary) or 2 (secondary)\n");
1733
1734 fprintf(stderr,
1735 "* swap_keys <iface> <peer_id>: swap content of primary and secondary key slots\n");
1736 fprintf(stderr, "\tiface: ovpn interface name\n");
1737 fprintf(stderr, "\tpeer_id: peer ID of the peer to modify\n");
1738
1739 fprintf(stderr,
1740 "* listen_mcast: listen to ovpn netlink multicast messages\n");
1741 }
1742
ovpn_parse_remote(struct ovpn_ctx * ovpn,const char * host,const char * service,const char * vpnip)1743 static int ovpn_parse_remote(struct ovpn_ctx *ovpn, const char *host,
1744 const char *service, const char *vpnip)
1745 {
1746 int ret;
1747 struct addrinfo *result;
1748 struct addrinfo hints = {
1749 .ai_family = ovpn->sa_family,
1750 .ai_socktype = SOCK_DGRAM,
1751 .ai_protocol = IPPROTO_UDP
1752 };
1753
1754 if (host) {
1755 ret = getaddrinfo(host, service, &hints, &result);
1756 if (ret) {
1757 fprintf(stderr, "getaddrinfo on remote error: %s\n",
1758 gai_strerror(ret));
1759 return -1;
1760 }
1761
1762 if (!(result->ai_family == AF_INET &&
1763 result->ai_addrlen == sizeof(struct sockaddr_in)) &&
1764 !(result->ai_family == AF_INET6 &&
1765 result->ai_addrlen == sizeof(struct sockaddr_in6))) {
1766 ret = -EINVAL;
1767 goto out;
1768 }
1769
1770 memcpy(&ovpn->remote, result->ai_addr, result->ai_addrlen);
1771 }
1772
1773 if (vpnip) {
1774 ret = getaddrinfo(vpnip, NULL, &hints, &result);
1775 if (ret) {
1776 fprintf(stderr, "getaddrinfo on vpnip error: %s\n",
1777 gai_strerror(ret));
1778 return -1;
1779 }
1780
1781 if (!(result->ai_family == AF_INET &&
1782 result->ai_addrlen == sizeof(struct sockaddr_in)) &&
1783 !(result->ai_family == AF_INET6 &&
1784 result->ai_addrlen == sizeof(struct sockaddr_in6))) {
1785 ret = -EINVAL;
1786 goto out;
1787 }
1788
1789 memcpy(&ovpn->peer_ip, result->ai_addr, result->ai_addrlen);
1790 ovpn->sa_family = result->ai_family;
1791
1792 ovpn->peer_ip_set = true;
1793 }
1794
1795 ret = 0;
1796 out:
1797 freeaddrinfo(result);
1798 return ret;
1799 }
1800
ovpn_parse_new_peer(struct ovpn_ctx * ovpn,const char * peer_id,const char * raddr,const char * rport,const char * vpnip)1801 static int ovpn_parse_new_peer(struct ovpn_ctx *ovpn, const char *peer_id,
1802 const char *raddr, const char *rport,
1803 const char *vpnip)
1804 {
1805 ovpn->peer_id = strtoul(peer_id, NULL, 10);
1806 if (errno == ERANGE || ovpn->peer_id > PEER_ID_UNDEF) {
1807 fprintf(stderr, "peer ID value out of range\n");
1808 return -1;
1809 }
1810
1811 return ovpn_parse_remote(ovpn, raddr, rport, vpnip);
1812 }
1813
ovpn_parse_key_slot(const char * arg,struct ovpn_ctx * ovpn)1814 static int ovpn_parse_key_slot(const char *arg, struct ovpn_ctx *ovpn)
1815 {
1816 int slot = strtoul(arg, NULL, 10);
1817
1818 if (errno == ERANGE || slot < 1 || slot > 2) {
1819 fprintf(stderr, "key slot out of range\n");
1820 return -1;
1821 }
1822
1823 switch (slot) {
1824 case 1:
1825 ovpn->key_slot = OVPN_KEY_SLOT_PRIMARY;
1826 break;
1827 case 2:
1828 ovpn->key_slot = OVPN_KEY_SLOT_SECONDARY;
1829 break;
1830 }
1831
1832 return 0;
1833 }
1834
ovpn_send_tcp_data(int socket)1835 static int ovpn_send_tcp_data(int socket)
1836 {
1837 uint16_t len = htons(1000);
1838 uint8_t buf[1002];
1839 int ret;
1840
1841 memcpy(buf, &len, sizeof(len));
1842 memset(buf + sizeof(len), 0x86, sizeof(buf) - sizeof(len));
1843
1844 ret = send(socket, buf, sizeof(buf), MSG_NOSIGNAL);
1845
1846 fprintf(stdout, "Sent %u bytes over TCP socket\n", ret);
1847
1848 return ret > 0 ? 0 : ret;
1849 }
1850
ovpn_recv_tcp_data(int socket)1851 static int ovpn_recv_tcp_data(int socket)
1852 {
1853 uint8_t buf[1002];
1854 uint16_t len;
1855 int ret;
1856
1857 ret = recv(socket, buf, sizeof(buf), MSG_NOSIGNAL);
1858
1859 if (ret < 2) {
1860 fprintf(stderr, ">>>> Error while reading TCP data: %d\n", ret);
1861 return ret;
1862 }
1863
1864 memcpy(&len, buf, sizeof(len));
1865 len = ntohs(len);
1866
1867 fprintf(stdout, ">>>> Received %u bytes over TCP socket, header: %u\n",
1868 ret, len);
1869
1870 return 0;
1871 }
1872
ovpn_parse_cmd(const char * cmd)1873 static enum ovpn_cmd ovpn_parse_cmd(const char *cmd)
1874 {
1875 if (!strcmp(cmd, "new_iface"))
1876 return CMD_NEW_IFACE;
1877
1878 if (!strcmp(cmd, "del_iface"))
1879 return CMD_DEL_IFACE;
1880
1881 if (!strcmp(cmd, "listen"))
1882 return CMD_LISTEN;
1883
1884 if (!strcmp(cmd, "connect"))
1885 return CMD_CONNECT;
1886
1887 if (!strcmp(cmd, "new_peer"))
1888 return CMD_NEW_PEER;
1889
1890 if (!strcmp(cmd, "new_multi_peer"))
1891 return CMD_NEW_MULTI_PEER;
1892
1893 if (!strcmp(cmd, "set_peer"))
1894 return CMD_SET_PEER;
1895
1896 if (!strcmp(cmd, "del_peer"))
1897 return CMD_DEL_PEER;
1898
1899 if (!strcmp(cmd, "get_peer"))
1900 return CMD_GET_PEER;
1901
1902 if (!strcmp(cmd, "new_key"))
1903 return CMD_NEW_KEY;
1904
1905 if (!strcmp(cmd, "del_key"))
1906 return CMD_DEL_KEY;
1907
1908 if (!strcmp(cmd, "get_key"))
1909 return CMD_GET_KEY;
1910
1911 if (!strcmp(cmd, "swap_keys"))
1912 return CMD_SWAP_KEYS;
1913
1914 if (!strcmp(cmd, "listen_mcast"))
1915 return CMD_LISTEN_MCAST;
1916
1917 return CMD_INVALID;
1918 }
1919
1920 /* Send process to background and waits for signal.
1921 *
1922 * This helper is called at the end of commands
1923 * creating sockets, so that the latter stay alive
1924 * along with the process that created them.
1925 *
1926 * A signal is expected to be delivered in order to
1927 * terminate the waiting processes
1928 */
ovpn_waitbg(void)1929 static void ovpn_waitbg(void)
1930 {
1931 daemon(1, 1);
1932 pause();
1933 }
1934
ovpn_run_cmd(struct ovpn_ctx * ovpn)1935 static int ovpn_run_cmd(struct ovpn_ctx *ovpn)
1936 {
1937 char peer_id[10], vpnip[INET6_ADDRSTRLEN], laddr[128], lport[10];
1938 char raddr[128], rport[10];
1939 int n, ret;
1940 FILE *fp;
1941
1942 switch (ovpn->cmd) {
1943 case CMD_NEW_IFACE:
1944 ret = ovpn_new_iface(ovpn);
1945 break;
1946 case CMD_DEL_IFACE:
1947 ret = ovpn_del_iface(ovpn);
1948 break;
1949 case CMD_LISTEN:
1950 ret = ovpn_listen(ovpn, ovpn->sa_family);
1951 if (ret < 0) {
1952 fprintf(stderr, "cannot listen on TCP socket\n");
1953 return ret;
1954 }
1955
1956 fp = fopen(ovpn->peers_file, "r");
1957 if (!fp) {
1958 fprintf(stderr, "cannot open file: %s\n",
1959 ovpn->peers_file);
1960 return -1;
1961 }
1962
1963 int num_peers = 0;
1964
1965 while ((n = fscanf(fp, "%s %s\n", peer_id, vpnip)) == 2) {
1966 struct ovpn_ctx peer_ctx = { 0 };
1967
1968 if (num_peers == MAX_PEERS) {
1969 fprintf(stderr, "max peers reached!\n");
1970 return -E2BIG;
1971 }
1972
1973 peer_ctx.ifindex = ovpn->ifindex;
1974 peer_ctx.sa_family = ovpn->sa_family;
1975
1976 peer_ctx.socket = ovpn_accept(ovpn);
1977 if (peer_ctx.socket < 0) {
1978 fprintf(stderr, "cannot accept connection!\n");
1979 return -1;
1980 }
1981
1982 /* store peer sockets to test TCP I/O */
1983 ovpn->cli_sockets[num_peers] = peer_ctx.socket;
1984
1985 ret = ovpn_parse_new_peer(&peer_ctx, peer_id, NULL,
1986 NULL, vpnip);
1987 if (ret < 0) {
1988 fprintf(stderr, "error while parsing line\n");
1989 return -1;
1990 }
1991
1992 ret = ovpn_new_peer(&peer_ctx, true);
1993 if (ret < 0) {
1994 fprintf(stderr,
1995 "cannot add peer to VPN: %s %s\n",
1996 peer_id, vpnip);
1997 return ret;
1998 }
1999 num_peers++;
2000 }
2001
2002 for (int i = 0; i < num_peers; i++) {
2003 ret = ovpn_recv_tcp_data(ovpn->cli_sockets[i]);
2004 if (ret < 0)
2005 break;
2006 }
2007 ovpn_waitbg();
2008 break;
2009 case CMD_CONNECT:
2010 ret = ovpn_connect(ovpn);
2011 if (ret < 0) {
2012 fprintf(stderr, "cannot connect TCP socket\n");
2013 return ret;
2014 }
2015
2016 ret = ovpn_new_peer(ovpn, true);
2017 if (ret < 0) {
2018 fprintf(stderr, "cannot add peer to VPN\n");
2019 close(ovpn->socket);
2020 return ret;
2021 }
2022
2023 if (ovpn->cipher != OVPN_CIPHER_ALG_NONE) {
2024 ret = ovpn_new_key(ovpn);
2025 if (ret < 0) {
2026 fprintf(stderr, "cannot set key\n");
2027 return ret;
2028 }
2029 }
2030
2031 ret = ovpn_send_tcp_data(ovpn->socket);
2032 ovpn_waitbg();
2033 break;
2034 case CMD_NEW_PEER:
2035 ret = ovpn_udp_socket(ovpn, AF_INET6);
2036 if (ret < 0)
2037 return ret;
2038
2039 ret = ovpn_new_peer(ovpn, false);
2040 ovpn_waitbg();
2041 break;
2042 case CMD_NEW_MULTI_PEER:
2043 ret = ovpn_udp_socket(ovpn, AF_INET6);
2044 if (ret < 0)
2045 return ret;
2046
2047 fp = fopen(ovpn->peers_file, "r");
2048 if (!fp) {
2049 fprintf(stderr, "cannot open file: %s\n",
2050 ovpn->peers_file);
2051 return -1;
2052 }
2053
2054 while ((n = fscanf(fp, "%s %s %s %s %s %s\n", peer_id, laddr,
2055 lport, raddr, rport, vpnip)) == 6) {
2056 struct ovpn_ctx peer_ctx = { 0 };
2057
2058 peer_ctx.ifindex = ovpn->ifindex;
2059 peer_ctx.socket = ovpn->socket;
2060 peer_ctx.sa_family = AF_UNSPEC;
2061
2062 ret = ovpn_parse_new_peer(&peer_ctx, peer_id, raddr,
2063 rport, vpnip);
2064 if (ret < 0) {
2065 fprintf(stderr, "error while parsing line\n");
2066 return -1;
2067 }
2068
2069 ret = ovpn_new_peer(&peer_ctx, false);
2070 if (ret < 0) {
2071 fprintf(stderr,
2072 "cannot add peer to VPN: %s %s %s %s\n",
2073 peer_id, raddr, rport, vpnip);
2074 return ret;
2075 }
2076 }
2077 ovpn_waitbg();
2078 break;
2079 case CMD_SET_PEER:
2080 ret = ovpn_set_peer(ovpn);
2081 break;
2082 case CMD_DEL_PEER:
2083 ret = ovpn_del_peer(ovpn);
2084 break;
2085 case CMD_GET_PEER:
2086 if (ovpn->peer_id == PEER_ID_UNDEF)
2087 fprintf(stderr, "List of peers connected to: %s\n",
2088 ovpn->ifname);
2089
2090 ret = ovpn_get_peer(ovpn);
2091 break;
2092 case CMD_NEW_KEY:
2093 ret = ovpn_new_key(ovpn);
2094 break;
2095 case CMD_DEL_KEY:
2096 ret = ovpn_del_key(ovpn);
2097 break;
2098 case CMD_GET_KEY:
2099 ret = ovpn_get_key(ovpn);
2100 break;
2101 case CMD_SWAP_KEYS:
2102 ret = ovpn_swap_keys(ovpn);
2103 break;
2104 case CMD_LISTEN_MCAST:
2105 ret = ovpn_listen_mcast();
2106 break;
2107 case CMD_INVALID:
2108 break;
2109 }
2110
2111 return ret;
2112 }
2113
ovpn_parse_cmd_args(struct ovpn_ctx * ovpn,int argc,char * argv[])2114 static int ovpn_parse_cmd_args(struct ovpn_ctx *ovpn, int argc, char *argv[])
2115 {
2116 int ret;
2117
2118 /* no args required for LISTEN_MCAST */
2119 if (ovpn->cmd == CMD_LISTEN_MCAST)
2120 return 0;
2121
2122 /* all commands need an ifname */
2123 if (argc < 3)
2124 return -EINVAL;
2125
2126 strscpy(ovpn->ifname, argv[2], IFNAMSIZ - 1);
2127 ovpn->ifname[IFNAMSIZ - 1] = '\0';
2128
2129 /* all commands, except NEW_IFNAME, needs an ifindex */
2130 if (ovpn->cmd != CMD_NEW_IFACE) {
2131 ovpn->ifindex = if_nametoindex(ovpn->ifname);
2132 if (!ovpn->ifindex) {
2133 fprintf(stderr, "cannot find interface: %s\n",
2134 strerror(errno));
2135 return -1;
2136 }
2137 }
2138
2139 switch (ovpn->cmd) {
2140 case CMD_NEW_IFACE:
2141 if (argc < 4)
2142 break;
2143
2144 if (!strcmp(argv[3], "P2P")) {
2145 ovpn->mode = OVPN_MODE_P2P;
2146 } else if (!strcmp(argv[3], "MP")) {
2147 ovpn->mode = OVPN_MODE_MP;
2148 } else {
2149 fprintf(stderr, "Cannot parse iface mode: %s\n",
2150 argv[3]);
2151 return -1;
2152 }
2153 ovpn->mode_set = true;
2154 break;
2155 case CMD_DEL_IFACE:
2156 break;
2157 case CMD_LISTEN:
2158 if (argc < 5)
2159 return -EINVAL;
2160
2161 ovpn->lport = strtoul(argv[3], NULL, 10);
2162 if (errno == ERANGE || ovpn->lport > 65535) {
2163 fprintf(stderr, "lport value out of range\n");
2164 return -1;
2165 }
2166
2167 ovpn->peers_file = argv[4];
2168
2169 ovpn->sa_family = AF_INET;
2170 if (argc > 5 && !strcmp(argv[5], "ipv6"))
2171 ovpn->sa_family = AF_INET6;
2172 break;
2173 case CMD_CONNECT:
2174 if (argc < 6)
2175 return -EINVAL;
2176
2177 ovpn->sa_family = AF_INET;
2178
2179 ret = ovpn_parse_new_peer(ovpn, argv[3], argv[4], argv[5],
2180 NULL);
2181 if (ret < 0) {
2182 fprintf(stderr, "Cannot parse remote peer data\n");
2183 return -1;
2184 }
2185
2186 if (argc > 6) {
2187 ovpn->key_slot = OVPN_KEY_SLOT_PRIMARY;
2188 ovpn->key_id = 0;
2189 ovpn->cipher = OVPN_CIPHER_ALG_AES_GCM;
2190 ovpn->key_dir = KEY_DIR_OUT;
2191
2192 ret = ovpn_parse_key(argv[6], ovpn);
2193 if (ret)
2194 return -1;
2195 }
2196 break;
2197 case CMD_NEW_PEER:
2198 if (argc < 7)
2199 return -EINVAL;
2200
2201 ovpn->lport = strtoul(argv[4], NULL, 10);
2202 if (errno == ERANGE || ovpn->lport > 65535) {
2203 fprintf(stderr, "lport value out of range\n");
2204 return -1;
2205 }
2206
2207 const char *vpnip = (argc > 7) ? argv[7] : NULL;
2208
2209 ret = ovpn_parse_new_peer(ovpn, argv[3], argv[5], argv[6],
2210 vpnip);
2211 if (ret < 0)
2212 return -1;
2213 break;
2214 case CMD_NEW_MULTI_PEER:
2215 if (argc < 5)
2216 return -EINVAL;
2217
2218 ovpn->lport = strtoul(argv[3], NULL, 10);
2219 if (errno == ERANGE || ovpn->lport > 65535) {
2220 fprintf(stderr, "lport value out of range\n");
2221 return -1;
2222 }
2223
2224 ovpn->peers_file = argv[4];
2225 break;
2226 case CMD_SET_PEER:
2227 if (argc < 6)
2228 return -EINVAL;
2229
2230 ovpn->peer_id = strtoul(argv[3], NULL, 10);
2231 if (errno == ERANGE || ovpn->peer_id > PEER_ID_UNDEF) {
2232 fprintf(stderr, "peer ID value out of range\n");
2233 return -1;
2234 }
2235
2236 ovpn->keepalive_interval = strtoul(argv[4], NULL, 10);
2237 if (errno == ERANGE) {
2238 fprintf(stderr,
2239 "keepalive interval value out of range\n");
2240 return -1;
2241 }
2242
2243 ovpn->keepalive_timeout = strtoul(argv[5], NULL, 10);
2244 if (errno == ERANGE) {
2245 fprintf(stderr,
2246 "keepalive interval value out of range\n");
2247 return -1;
2248 }
2249 break;
2250 case CMD_DEL_PEER:
2251 if (argc < 4)
2252 return -EINVAL;
2253
2254 ovpn->peer_id = strtoul(argv[3], NULL, 10);
2255 if (errno == ERANGE || ovpn->peer_id > PEER_ID_UNDEF) {
2256 fprintf(stderr, "peer ID value out of range\n");
2257 return -1;
2258 }
2259 break;
2260 case CMD_GET_PEER:
2261 ovpn->peer_id = PEER_ID_UNDEF;
2262 if (argc > 3) {
2263 ovpn->peer_id = strtoul(argv[3], NULL, 10);
2264 if (errno == ERANGE || ovpn->peer_id > PEER_ID_UNDEF) {
2265 fprintf(stderr, "peer ID value out of range\n");
2266 return -1;
2267 }
2268 }
2269 break;
2270 case CMD_NEW_KEY:
2271 if (argc < 9)
2272 return -EINVAL;
2273
2274 ovpn->peer_id = strtoul(argv[3], NULL, 10);
2275 if (errno == ERANGE) {
2276 fprintf(stderr, "peer ID value out of range\n");
2277 return -1;
2278 }
2279
2280 ret = ovpn_parse_key_slot(argv[4], ovpn);
2281 if (ret)
2282 return -1;
2283
2284 ovpn->key_id = strtoul(argv[5], NULL, 10);
2285 if (errno == ERANGE || ovpn->key_id > 2) {
2286 fprintf(stderr, "key ID out of range\n");
2287 return -1;
2288 }
2289
2290 ret = ovpn_parse_cipher(argv[6], ovpn);
2291 if (ret < 0)
2292 return -1;
2293
2294 ret = ovpn_parse_key_direction(argv[7], ovpn);
2295 if (ret < 0)
2296 return -1;
2297
2298 ret = ovpn_parse_key(argv[8], ovpn);
2299 if (ret)
2300 return -1;
2301 break;
2302 case CMD_DEL_KEY:
2303 if (argc < 4)
2304 return -EINVAL;
2305
2306 ovpn->peer_id = strtoul(argv[3], NULL, 10);
2307 if (errno == ERANGE) {
2308 fprintf(stderr, "peer ID value out of range\n");
2309 return -1;
2310 }
2311
2312 ret = ovpn_parse_key_slot(argv[4], ovpn);
2313 if (ret)
2314 return ret;
2315 break;
2316 case CMD_GET_KEY:
2317 if (argc < 5)
2318 return -EINVAL;
2319
2320 ovpn->peer_id = strtoul(argv[3], NULL, 10);
2321 if (errno == ERANGE) {
2322 fprintf(stderr, "peer ID value out of range\n");
2323 return -1;
2324 }
2325
2326 ret = ovpn_parse_key_slot(argv[4], ovpn);
2327 if (ret)
2328 return ret;
2329 break;
2330 case CMD_SWAP_KEYS:
2331 if (argc < 4)
2332 return -EINVAL;
2333
2334 ovpn->peer_id = strtoul(argv[3], NULL, 10);
2335 if (errno == ERANGE) {
2336 fprintf(stderr, "peer ID value out of range\n");
2337 return -1;
2338 }
2339 break;
2340 case CMD_LISTEN_MCAST:
2341 break;
2342 case CMD_INVALID:
2343 break;
2344 }
2345
2346 return 0;
2347 }
2348
main(int argc,char * argv[])2349 int main(int argc, char *argv[])
2350 {
2351 struct ovpn_ctx ovpn;
2352 int ret;
2353
2354 if (argc < 2) {
2355 usage(argv[0]);
2356 return -1;
2357 }
2358
2359 memset(&ovpn, 0, sizeof(ovpn));
2360 ovpn.sa_family = AF_UNSPEC;
2361 ovpn.cipher = OVPN_CIPHER_ALG_NONE;
2362
2363 ovpn.cmd = ovpn_parse_cmd(argv[1]);
2364 if (ovpn.cmd == CMD_INVALID) {
2365 fprintf(stderr, "Error: unknown command.\n\n");
2366 usage(argv[0]);
2367 return -1;
2368 }
2369
2370 ret = ovpn_parse_cmd_args(&ovpn, argc, argv);
2371 if (ret < 0) {
2372 fprintf(stderr, "Error: invalid arguments.\n\n");
2373 if (ret == -EINVAL)
2374 usage(argv[0]);
2375 return ret;
2376 }
2377
2378 ret = ovpn_run_cmd(&ovpn);
2379 if (ret)
2380 fprintf(stderr, "Cannot execute command: %s (%d)\n",
2381 strerror(-ret), ret);
2382
2383 return ret;
2384 }
2385