1 // SPDX-License-Identifier: GPL-2.0 2 /* OpenVPN data channel accelerator 3 * 4 * Copyright (C) 2020-2025 OpenVPN, Inc. 5 * 6 * Author: Antonio Quartulli <antonio@openvpn.net> 7 */ 8 9 #include <stdio.h> 10 #include <inttypes.h> 11 #include <stdbool.h> 12 #include <string.h> 13 #include <errno.h> 14 #include <unistd.h> 15 #include <arpa/inet.h> 16 #include <net/if.h> 17 #include <netinet/in.h> 18 #include <time.h> 19 20 #include <linux/ovpn.h> 21 #include <linux/types.h> 22 #include <linux/netlink.h> 23 24 #include <netlink/socket.h> 25 #include <netlink/netlink.h> 26 #include <netlink/genl/genl.h> 27 #include <netlink/genl/family.h> 28 #include <netlink/genl/ctrl.h> 29 30 #include <mbedtls/base64.h> 31 #include <mbedtls/error.h> 32 33 #include <sys/socket.h> 34 35 /* defines to make checkpatch happy */ 36 #define strscpy strncpy 37 #define __always_unused __attribute__((__unused__)) 38 39 /* libnl < 3.5.0 does not set the NLA_F_NESTED on its own, therefore we 40 * have to explicitly do it to prevent the kernel from failing upon 41 * parsing of the message 42 */ 43 #define nla_nest_start(_msg, _type) \ 44 nla_nest_start(_msg, (_type) | NLA_F_NESTED) 45 46 /* libnl < 3.11.0 does not implement nla_get_uint() */ 47 uint64_t ovpn_nla_get_uint(struct nlattr *attr) 48 { 49 if (nla_len(attr) == sizeof(uint32_t)) 50 return nla_get_u32(attr); 51 else 52 return nla_get_u64(attr); 53 } 54 55 typedef int (*ovpn_nl_cb)(struct nl_msg *msg, void *arg); 56 57 enum ovpn_key_direction { 58 KEY_DIR_IN = 0, 59 KEY_DIR_OUT, 60 }; 61 62 #define KEY_LEN (256 / 8) 63 #define NONCE_LEN 8 64 65 #define PEER_ID_UNDEF 0x00FFFFFF 66 #define MAX_PEERS 10 67 68 struct nl_ctx { 69 struct nl_sock *nl_sock; 70 struct nl_msg *nl_msg; 71 struct nl_cb *nl_cb; 72 73 int ovpn_dco_id; 74 }; 75 76 enum ovpn_cmd { 77 CMD_INVALID, 78 CMD_NEW_IFACE, 79 CMD_DEL_IFACE, 80 CMD_LISTEN, 81 CMD_CONNECT, 82 CMD_NEW_PEER, 83 CMD_NEW_MULTI_PEER, 84 CMD_SET_PEER, 85 CMD_DEL_PEER, 86 CMD_GET_PEER, 87 CMD_NEW_KEY, 88 CMD_DEL_KEY, 89 CMD_GET_KEY, 90 CMD_SWAP_KEYS, 91 CMD_LISTEN_MCAST, 92 }; 93 94 struct ovpn_ctx { 95 enum ovpn_cmd cmd; 96 97 __u8 key_enc[KEY_LEN]; 98 __u8 key_dec[KEY_LEN]; 99 __u8 nonce[NONCE_LEN]; 100 101 enum ovpn_cipher_alg cipher; 102 103 sa_family_t sa_family; 104 105 unsigned long peer_id; 106 unsigned long lport; 107 108 union { 109 struct sockaddr_in in4; 110 struct sockaddr_in6 in6; 111 } remote; 112 113 union { 114 struct sockaddr_in in4; 115 struct sockaddr_in6 in6; 116 } peer_ip; 117 118 bool peer_ip_set; 119 120 unsigned int ifindex; 121 char ifname[IFNAMSIZ]; 122 enum ovpn_mode mode; 123 bool mode_set; 124 125 int socket; 126 int cli_sockets[MAX_PEERS]; 127 128 __u32 keepalive_interval; 129 __u32 keepalive_timeout; 130 131 enum ovpn_key_direction key_dir; 132 enum ovpn_key_slot key_slot; 133 int key_id; 134 135 const char *peers_file; 136 }; 137 138 static int ovpn_nl_recvmsgs(struct nl_ctx *ctx) 139 { 140 int ret; 141 142 ret = nl_recvmsgs(ctx->nl_sock, ctx->nl_cb); 143 144 switch (ret) { 145 case -NLE_INTR: 146 fprintf(stderr, 147 "netlink received interrupt due to signal - ignoring\n"); 148 break; 149 case -NLE_NOMEM: 150 fprintf(stderr, "netlink out of memory error\n"); 151 break; 152 case -NLE_AGAIN: 153 fprintf(stderr, 154 "netlink reports blocking read - aborting wait\n"); 155 break; 156 default: 157 if (ret) 158 fprintf(stderr, "netlink reports error (%d): %s\n", 159 ret, nl_geterror(-ret)); 160 break; 161 } 162 163 return ret; 164 } 165 166 static struct nl_ctx *nl_ctx_alloc_flags(struct ovpn_ctx *ovpn, int cmd, 167 int flags) 168 { 169 struct nl_ctx *ctx; 170 int err, ret; 171 172 ctx = calloc(1, sizeof(*ctx)); 173 if (!ctx) 174 return NULL; 175 176 ctx->nl_sock = nl_socket_alloc(); 177 if (!ctx->nl_sock) { 178 fprintf(stderr, "cannot allocate netlink socket\n"); 179 goto err_free; 180 } 181 182 nl_socket_set_buffer_size(ctx->nl_sock, 8192, 8192); 183 184 ret = genl_connect(ctx->nl_sock); 185 if (ret) { 186 fprintf(stderr, "cannot connect to generic netlink: %s\n", 187 nl_geterror(ret)); 188 goto err_sock; 189 } 190 191 /* enable Extended ACK for detailed error reporting */ 192 err = 1; 193 setsockopt(nl_socket_get_fd(ctx->nl_sock), SOL_NETLINK, NETLINK_EXT_ACK, 194 &err, sizeof(err)); 195 196 ctx->ovpn_dco_id = genl_ctrl_resolve(ctx->nl_sock, OVPN_FAMILY_NAME); 197 if (ctx->ovpn_dco_id < 0) { 198 fprintf(stderr, "cannot find ovpn_dco netlink component: %d\n", 199 ctx->ovpn_dco_id); 200 goto err_free; 201 } 202 203 ctx->nl_msg = nlmsg_alloc(); 204 if (!ctx->nl_msg) { 205 fprintf(stderr, "cannot allocate netlink message\n"); 206 goto err_sock; 207 } 208 209 ctx->nl_cb = nl_cb_alloc(NL_CB_DEFAULT); 210 if (!ctx->nl_cb) { 211 fprintf(stderr, "failed to allocate netlink callback\n"); 212 goto err_msg; 213 } 214 215 nl_socket_set_cb(ctx->nl_sock, ctx->nl_cb); 216 217 genlmsg_put(ctx->nl_msg, 0, 0, ctx->ovpn_dco_id, 0, flags, cmd, 0); 218 219 if (ovpn->ifindex > 0) 220 NLA_PUT_U32(ctx->nl_msg, OVPN_A_IFINDEX, ovpn->ifindex); 221 222 return ctx; 223 nla_put_failure: 224 err_msg: 225 nlmsg_free(ctx->nl_msg); 226 err_sock: 227 nl_socket_free(ctx->nl_sock); 228 err_free: 229 free(ctx); 230 return NULL; 231 } 232 233 static struct nl_ctx *nl_ctx_alloc(struct ovpn_ctx *ovpn, int cmd) 234 { 235 return nl_ctx_alloc_flags(ovpn, cmd, 0); 236 } 237 238 static void nl_ctx_free(struct nl_ctx *ctx) 239 { 240 if (!ctx) 241 return; 242 243 nl_socket_free(ctx->nl_sock); 244 nlmsg_free(ctx->nl_msg); 245 nl_cb_put(ctx->nl_cb); 246 free(ctx); 247 } 248 249 static int ovpn_nl_cb_error(struct sockaddr_nl (*nla)__always_unused, 250 struct nlmsgerr *err, void *arg) 251 { 252 struct nlmsghdr *nlh = (struct nlmsghdr *)err - 1; 253 struct nlattr *tb_msg[NLMSGERR_ATTR_MAX + 1]; 254 int len = nlh->nlmsg_len; 255 struct nlattr *attrs; 256 int *ret = arg; 257 int ack_len = sizeof(*nlh) + sizeof(int) + sizeof(*nlh); 258 259 *ret = err->error; 260 261 if (!(nlh->nlmsg_flags & NLM_F_ACK_TLVS)) 262 return NL_STOP; 263 264 if (!(nlh->nlmsg_flags & NLM_F_CAPPED)) 265 ack_len += err->msg.nlmsg_len - sizeof(*nlh); 266 267 if (len <= ack_len) 268 return NL_STOP; 269 270 attrs = (void *)((uint8_t *)nlh + ack_len); 271 len -= ack_len; 272 273 nla_parse(tb_msg, NLMSGERR_ATTR_MAX, attrs, len, NULL); 274 if (tb_msg[NLMSGERR_ATTR_MSG]) { 275 len = strnlen((char *)nla_data(tb_msg[NLMSGERR_ATTR_MSG]), 276 nla_len(tb_msg[NLMSGERR_ATTR_MSG])); 277 fprintf(stderr, "kernel error: %*s\n", len, 278 (char *)nla_data(tb_msg[NLMSGERR_ATTR_MSG])); 279 } 280 281 if (tb_msg[NLMSGERR_ATTR_MISS_NEST]) { 282 fprintf(stderr, "missing required nesting type %u\n", 283 nla_get_u32(tb_msg[NLMSGERR_ATTR_MISS_NEST])); 284 } 285 286 if (tb_msg[NLMSGERR_ATTR_MISS_TYPE]) { 287 fprintf(stderr, "missing required attribute type %u\n", 288 nla_get_u32(tb_msg[NLMSGERR_ATTR_MISS_TYPE])); 289 } 290 291 return NL_STOP; 292 } 293 294 static int ovpn_nl_cb_finish(struct nl_msg (*msg)__always_unused, 295 void *arg) 296 { 297 int *status = arg; 298 299 *status = 0; 300 return NL_SKIP; 301 } 302 303 static int ovpn_nl_cb_ack(struct nl_msg (*msg)__always_unused, 304 void *arg) 305 { 306 int *status = arg; 307 308 *status = 0; 309 return NL_STOP; 310 } 311 312 static int ovpn_nl_msg_send(struct nl_ctx *ctx, ovpn_nl_cb cb) 313 { 314 int status = 1; 315 316 nl_cb_err(ctx->nl_cb, NL_CB_CUSTOM, ovpn_nl_cb_error, &status); 317 nl_cb_set(ctx->nl_cb, NL_CB_FINISH, NL_CB_CUSTOM, ovpn_nl_cb_finish, 318 &status); 319 nl_cb_set(ctx->nl_cb, NL_CB_ACK, NL_CB_CUSTOM, ovpn_nl_cb_ack, &status); 320 321 if (cb) 322 nl_cb_set(ctx->nl_cb, NL_CB_VALID, NL_CB_CUSTOM, cb, ctx); 323 324 nl_send_auto_complete(ctx->nl_sock, ctx->nl_msg); 325 326 while (status == 1) 327 ovpn_nl_recvmsgs(ctx); 328 329 if (status < 0) 330 fprintf(stderr, "failed to send netlink message: %s (%d)\n", 331 strerror(-status), status); 332 333 return status; 334 } 335 336 static int ovpn_parse_key(const char *file, struct ovpn_ctx *ctx) 337 { 338 int idx_enc, idx_dec, ret = -1; 339 unsigned char *ckey = NULL; 340 __u8 *bkey = NULL; 341 size_t olen = 0; 342 long ckey_len; 343 FILE *fp; 344 345 fp = fopen(file, "r"); 346 if (!fp) { 347 fprintf(stderr, "cannot open: %s\n", file); 348 return -1; 349 } 350 351 /* get file size */ 352 fseek(fp, 0L, SEEK_END); 353 ckey_len = ftell(fp); 354 rewind(fp); 355 356 /* if the file is longer, let's just read a portion */ 357 if (ckey_len > 256) 358 ckey_len = 256; 359 360 ckey = malloc(ckey_len); 361 if (!ckey) 362 goto err; 363 364 ret = fread(ckey, 1, ckey_len, fp); 365 if (ret != ckey_len) { 366 fprintf(stderr, 367 "couldn't read enough data from key file: %dbytes read\n", 368 ret); 369 goto err; 370 } 371 372 olen = 0; 373 ret = mbedtls_base64_decode(NULL, 0, &olen, ckey, ckey_len); 374 if (ret != MBEDTLS_ERR_BASE64_BUFFER_TOO_SMALL) { 375 char buf[256]; 376 377 mbedtls_strerror(ret, buf, sizeof(buf)); 378 fprintf(stderr, "unexpected base64 error1: %s (%d)\n", buf, 379 ret); 380 381 goto err; 382 } 383 384 bkey = malloc(olen); 385 if (!bkey) { 386 fprintf(stderr, "cannot allocate binary key buffer\n"); 387 goto err; 388 } 389 390 ret = mbedtls_base64_decode(bkey, olen, &olen, ckey, ckey_len); 391 if (ret) { 392 char buf[256]; 393 394 mbedtls_strerror(ret, buf, sizeof(buf)); 395 fprintf(stderr, "unexpected base64 error2: %s (%d)\n", buf, 396 ret); 397 398 goto err; 399 } 400 401 if (olen < 2 * KEY_LEN + NONCE_LEN) { 402 fprintf(stderr, 403 "not enough data in key file, found %zdB but needs %dB\n", 404 olen, 2 * KEY_LEN + NONCE_LEN); 405 goto err; 406 } 407 408 switch (ctx->key_dir) { 409 case KEY_DIR_IN: 410 idx_enc = 0; 411 idx_dec = 1; 412 break; 413 case KEY_DIR_OUT: 414 idx_enc = 1; 415 idx_dec = 0; 416 break; 417 default: 418 goto err; 419 } 420 421 memcpy(ctx->key_enc, bkey + KEY_LEN * idx_enc, KEY_LEN); 422 memcpy(ctx->key_dec, bkey + KEY_LEN * idx_dec, KEY_LEN); 423 memcpy(ctx->nonce, bkey + 2 * KEY_LEN, NONCE_LEN); 424 425 ret = 0; 426 427 err: 428 fclose(fp); 429 free(bkey); 430 free(ckey); 431 432 return ret; 433 } 434 435 static int ovpn_parse_cipher(const char *cipher, struct ovpn_ctx *ctx) 436 { 437 if (strcmp(cipher, "aes") == 0) 438 ctx->cipher = OVPN_CIPHER_ALG_AES_GCM; 439 else if (strcmp(cipher, "chachapoly") == 0) 440 ctx->cipher = OVPN_CIPHER_ALG_CHACHA20_POLY1305; 441 else if (strcmp(cipher, "none") == 0) 442 ctx->cipher = OVPN_CIPHER_ALG_NONE; 443 else 444 return -ENOTSUP; 445 446 return 0; 447 } 448 449 static int ovpn_parse_key_direction(const char *dir, struct ovpn_ctx *ctx) 450 { 451 int in_dir; 452 453 in_dir = strtoll(dir, NULL, 10); 454 switch (in_dir) { 455 case KEY_DIR_IN: 456 case KEY_DIR_OUT: 457 ctx->key_dir = in_dir; 458 break; 459 default: 460 fprintf(stderr, 461 "invalid key direction provided. Can be 0 or 1 only\n"); 462 return -1; 463 } 464 465 return 0; 466 } 467 468 static int ovpn_socket(struct ovpn_ctx *ctx, sa_family_t family, int proto) 469 { 470 struct sockaddr_storage local_sock = { 0 }; 471 struct sockaddr_in6 *in6; 472 struct sockaddr_in *in; 473 int ret, s, sock_type; 474 size_t sock_len; 475 476 if (proto == IPPROTO_UDP) 477 sock_type = SOCK_DGRAM; 478 else if (proto == IPPROTO_TCP) 479 sock_type = SOCK_STREAM; 480 else 481 return -EINVAL; 482 483 s = socket(family, sock_type, 0); 484 if (s < 0) { 485 perror("cannot create socket"); 486 return -1; 487 } 488 489 switch (family) { 490 case AF_INET: 491 in = (struct sockaddr_in *)&local_sock; 492 in->sin_family = family; 493 in->sin_port = htons(ctx->lport); 494 in->sin_addr.s_addr = htonl(INADDR_ANY); 495 sock_len = sizeof(*in); 496 break; 497 case AF_INET6: 498 in6 = (struct sockaddr_in6 *)&local_sock; 499 in6->sin6_family = family; 500 in6->sin6_port = htons(ctx->lport); 501 in6->sin6_addr = in6addr_any; 502 sock_len = sizeof(*in6); 503 break; 504 default: 505 return -1; 506 } 507 508 int opt = 1; 509 510 ret = setsockopt(s, SOL_SOCKET, SO_REUSEADDR, &opt, sizeof(opt)); 511 512 if (ret < 0) { 513 perror("setsockopt for SO_REUSEADDR"); 514 return ret; 515 } 516 517 ret = setsockopt(s, SOL_SOCKET, SO_REUSEPORT, &opt, sizeof(opt)); 518 if (ret < 0) { 519 perror("setsockopt for SO_REUSEPORT"); 520 return ret; 521 } 522 523 if (family == AF_INET6) { 524 opt = 0; 525 if (setsockopt(s, IPPROTO_IPV6, IPV6_V6ONLY, &opt, 526 sizeof(opt))) { 527 perror("failed to set IPV6_V6ONLY"); 528 return -1; 529 } 530 } 531 532 ret = bind(s, (struct sockaddr *)&local_sock, sock_len); 533 if (ret < 0) { 534 perror("cannot bind socket"); 535 goto err_socket; 536 } 537 538 ctx->socket = s; 539 ctx->sa_family = family; 540 return 0; 541 542 err_socket: 543 close(s); 544 return -1; 545 } 546 547 static int ovpn_udp_socket(struct ovpn_ctx *ctx, sa_family_t family) 548 { 549 return ovpn_socket(ctx, family, IPPROTO_UDP); 550 } 551 552 static int ovpn_listen(struct ovpn_ctx *ctx, sa_family_t family) 553 { 554 int ret; 555 556 ret = ovpn_socket(ctx, family, IPPROTO_TCP); 557 if (ret < 0) 558 return ret; 559 560 ret = listen(ctx->socket, 10); 561 if (ret < 0) { 562 perror("listen"); 563 close(ctx->socket); 564 return -1; 565 } 566 567 return 0; 568 } 569 570 static int ovpn_accept(struct ovpn_ctx *ctx) 571 { 572 socklen_t socklen; 573 int ret; 574 575 socklen = sizeof(ctx->remote); 576 ret = accept(ctx->socket, (struct sockaddr *)&ctx->remote, &socklen); 577 if (ret < 0) { 578 perror("accept"); 579 goto err; 580 } 581 582 fprintf(stderr, "Connection received!\n"); 583 584 switch (socklen) { 585 case sizeof(struct sockaddr_in): 586 case sizeof(struct sockaddr_in6): 587 break; 588 default: 589 fprintf(stderr, "error: expecting IPv4 or IPv6 connection\n"); 590 close(ret); 591 ret = -EINVAL; 592 goto err; 593 } 594 595 return ret; 596 err: 597 close(ctx->socket); 598 return ret; 599 } 600 601 static int ovpn_connect(struct ovpn_ctx *ovpn) 602 { 603 socklen_t socklen; 604 int s, ret; 605 606 s = socket(ovpn->remote.in4.sin_family, SOCK_STREAM, 0); 607 if (s < 0) { 608 perror("cannot create socket"); 609 return -1; 610 } 611 612 switch (ovpn->remote.in4.sin_family) { 613 case AF_INET: 614 socklen = sizeof(struct sockaddr_in); 615 break; 616 case AF_INET6: 617 socklen = sizeof(struct sockaddr_in6); 618 break; 619 default: 620 return -EOPNOTSUPP; 621 } 622 623 ret = connect(s, (struct sockaddr *)&ovpn->remote, socklen); 624 if (ret < 0) { 625 perror("connect"); 626 goto err; 627 } 628 629 fprintf(stderr, "connected\n"); 630 631 ovpn->socket = s; 632 633 return 0; 634 err: 635 close(s); 636 return ret; 637 } 638 639 static int ovpn_new_peer(struct ovpn_ctx *ovpn, bool is_tcp) 640 { 641 struct nlattr *attr; 642 struct nl_ctx *ctx; 643 int ret = -1; 644 645 ctx = nl_ctx_alloc(ovpn, OVPN_CMD_PEER_NEW); 646 if (!ctx) 647 return -ENOMEM; 648 649 attr = nla_nest_start(ctx->nl_msg, OVPN_A_PEER); 650 NLA_PUT_U32(ctx->nl_msg, OVPN_A_PEER_ID, ovpn->peer_id); 651 NLA_PUT_U32(ctx->nl_msg, OVPN_A_PEER_SOCKET, ovpn->socket); 652 653 if (!is_tcp) { 654 switch (ovpn->remote.in4.sin_family) { 655 case AF_INET: 656 NLA_PUT_U32(ctx->nl_msg, OVPN_A_PEER_REMOTE_IPV4, 657 ovpn->remote.in4.sin_addr.s_addr); 658 NLA_PUT_U16(ctx->nl_msg, OVPN_A_PEER_REMOTE_PORT, 659 ovpn->remote.in4.sin_port); 660 break; 661 case AF_INET6: 662 NLA_PUT(ctx->nl_msg, OVPN_A_PEER_REMOTE_IPV6, 663 sizeof(ovpn->remote.in6.sin6_addr), 664 &ovpn->remote.in6.sin6_addr); 665 NLA_PUT_U32(ctx->nl_msg, 666 OVPN_A_PEER_REMOTE_IPV6_SCOPE_ID, 667 ovpn->remote.in6.sin6_scope_id); 668 NLA_PUT_U16(ctx->nl_msg, OVPN_A_PEER_REMOTE_PORT, 669 ovpn->remote.in6.sin6_port); 670 break; 671 default: 672 fprintf(stderr, 673 "Invalid family for remote socket address\n"); 674 goto nla_put_failure; 675 } 676 } 677 678 if (ovpn->peer_ip_set) { 679 switch (ovpn->peer_ip.in4.sin_family) { 680 case AF_INET: 681 NLA_PUT_U32(ctx->nl_msg, OVPN_A_PEER_VPN_IPV4, 682 ovpn->peer_ip.in4.sin_addr.s_addr); 683 break; 684 case AF_INET6: 685 NLA_PUT(ctx->nl_msg, OVPN_A_PEER_VPN_IPV6, 686 sizeof(struct in6_addr), 687 &ovpn->peer_ip.in6.sin6_addr); 688 break; 689 default: 690 fprintf(stderr, "Invalid family for peer address\n"); 691 goto nla_put_failure; 692 } 693 } 694 695 nla_nest_end(ctx->nl_msg, attr); 696 697 ret = ovpn_nl_msg_send(ctx, NULL); 698 nla_put_failure: 699 nl_ctx_free(ctx); 700 return ret; 701 } 702 703 static int ovpn_set_peer(struct ovpn_ctx *ovpn) 704 { 705 struct nlattr *attr; 706 struct nl_ctx *ctx; 707 int ret = -1; 708 709 ctx = nl_ctx_alloc(ovpn, OVPN_CMD_PEER_SET); 710 if (!ctx) 711 return -ENOMEM; 712 713 attr = nla_nest_start(ctx->nl_msg, OVPN_A_PEER); 714 NLA_PUT_U32(ctx->nl_msg, OVPN_A_PEER_ID, ovpn->peer_id); 715 NLA_PUT_U32(ctx->nl_msg, OVPN_A_PEER_KEEPALIVE_INTERVAL, 716 ovpn->keepalive_interval); 717 NLA_PUT_U32(ctx->nl_msg, OVPN_A_PEER_KEEPALIVE_TIMEOUT, 718 ovpn->keepalive_timeout); 719 nla_nest_end(ctx->nl_msg, attr); 720 721 ret = ovpn_nl_msg_send(ctx, NULL); 722 nla_put_failure: 723 nl_ctx_free(ctx); 724 return ret; 725 } 726 727 static int ovpn_del_peer(struct ovpn_ctx *ovpn) 728 { 729 struct nlattr *attr; 730 struct nl_ctx *ctx; 731 int ret = -1; 732 733 ctx = nl_ctx_alloc(ovpn, OVPN_CMD_PEER_DEL); 734 if (!ctx) 735 return -ENOMEM; 736 737 attr = nla_nest_start(ctx->nl_msg, OVPN_A_PEER); 738 NLA_PUT_U32(ctx->nl_msg, OVPN_A_PEER_ID, ovpn->peer_id); 739 nla_nest_end(ctx->nl_msg, attr); 740 741 ret = ovpn_nl_msg_send(ctx, NULL); 742 nla_put_failure: 743 nl_ctx_free(ctx); 744 return ret; 745 } 746 747 static int ovpn_handle_peer(struct nl_msg *msg, void (*arg)__always_unused) 748 { 749 struct nlattr *pattrs[OVPN_A_PEER_MAX + 1]; 750 struct genlmsghdr *gnlh = nlmsg_data(nlmsg_hdr(msg)); 751 struct nlattr *attrs[OVPN_A_MAX + 1]; 752 __u16 rport = 0, lport = 0; 753 754 nla_parse(attrs, OVPN_A_MAX, genlmsg_attrdata(gnlh, 0), 755 genlmsg_attrlen(gnlh, 0), NULL); 756 757 if (!attrs[OVPN_A_PEER]) { 758 fprintf(stderr, "no packet content in netlink message\n"); 759 return NL_SKIP; 760 } 761 762 nla_parse(pattrs, OVPN_A_PEER_MAX, nla_data(attrs[OVPN_A_PEER]), 763 nla_len(attrs[OVPN_A_PEER]), NULL); 764 765 if (pattrs[OVPN_A_PEER_ID]) 766 fprintf(stderr, "* Peer %u\n", 767 nla_get_u32(pattrs[OVPN_A_PEER_ID])); 768 769 if (pattrs[OVPN_A_PEER_SOCKET_NETNSID]) 770 fprintf(stderr, "\tsocket NetNS ID: %d\n", 771 nla_get_s32(pattrs[OVPN_A_PEER_SOCKET_NETNSID])); 772 773 if (pattrs[OVPN_A_PEER_VPN_IPV4]) { 774 char buf[INET_ADDRSTRLEN]; 775 776 inet_ntop(AF_INET, nla_data(pattrs[OVPN_A_PEER_VPN_IPV4]), 777 buf, sizeof(buf)); 778 fprintf(stderr, "\tVPN IPv4: %s\n", buf); 779 } 780 781 if (pattrs[OVPN_A_PEER_VPN_IPV6]) { 782 char buf[INET6_ADDRSTRLEN]; 783 784 inet_ntop(AF_INET6, nla_data(pattrs[OVPN_A_PEER_VPN_IPV6]), 785 buf, sizeof(buf)); 786 fprintf(stderr, "\tVPN IPv6: %s\n", buf); 787 } 788 789 if (pattrs[OVPN_A_PEER_LOCAL_PORT]) 790 lport = ntohs(nla_get_u16(pattrs[OVPN_A_PEER_LOCAL_PORT])); 791 792 if (pattrs[OVPN_A_PEER_REMOTE_PORT]) 793 rport = ntohs(nla_get_u16(pattrs[OVPN_A_PEER_REMOTE_PORT])); 794 795 if (pattrs[OVPN_A_PEER_REMOTE_IPV6]) { 796 void *ip = pattrs[OVPN_A_PEER_REMOTE_IPV6]; 797 char buf[INET6_ADDRSTRLEN]; 798 int scope_id = -1; 799 800 if (pattrs[OVPN_A_PEER_REMOTE_IPV6_SCOPE_ID]) { 801 void *p = pattrs[OVPN_A_PEER_REMOTE_IPV6_SCOPE_ID]; 802 803 scope_id = nla_get_u32(p); 804 } 805 806 inet_ntop(AF_INET6, nla_data(ip), buf, sizeof(buf)); 807 fprintf(stderr, "\tRemote: %s:%hu (scope-id: %u)\n", buf, rport, 808 scope_id); 809 810 if (pattrs[OVPN_A_PEER_LOCAL_IPV6]) { 811 void *ip = pattrs[OVPN_A_PEER_LOCAL_IPV6]; 812 813 inet_ntop(AF_INET6, nla_data(ip), buf, sizeof(buf)); 814 fprintf(stderr, "\tLocal: %s:%hu\n", buf, lport); 815 } 816 } 817 818 if (pattrs[OVPN_A_PEER_REMOTE_IPV4]) { 819 void *ip = pattrs[OVPN_A_PEER_REMOTE_IPV4]; 820 char buf[INET_ADDRSTRLEN]; 821 822 inet_ntop(AF_INET, nla_data(ip), buf, sizeof(buf)); 823 fprintf(stderr, "\tRemote: %s:%hu\n", buf, rport); 824 825 if (pattrs[OVPN_A_PEER_LOCAL_IPV4]) { 826 void *p = pattrs[OVPN_A_PEER_LOCAL_IPV4]; 827 828 inet_ntop(AF_INET, nla_data(p), buf, sizeof(buf)); 829 fprintf(stderr, "\tLocal: %s:%hu\n", buf, lport); 830 } 831 } 832 833 if (pattrs[OVPN_A_PEER_KEEPALIVE_INTERVAL]) { 834 void *p = pattrs[OVPN_A_PEER_KEEPALIVE_INTERVAL]; 835 836 fprintf(stderr, "\tKeepalive interval: %u sec\n", 837 nla_get_u32(p)); 838 } 839 840 if (pattrs[OVPN_A_PEER_KEEPALIVE_TIMEOUT]) 841 fprintf(stderr, "\tKeepalive timeout: %u sec\n", 842 nla_get_u32(pattrs[OVPN_A_PEER_KEEPALIVE_TIMEOUT])); 843 844 if (pattrs[OVPN_A_PEER_VPN_RX_BYTES]) 845 fprintf(stderr, "\tVPN RX bytes: %" PRIu64 "\n", 846 ovpn_nla_get_uint(pattrs[OVPN_A_PEER_VPN_RX_BYTES])); 847 848 if (pattrs[OVPN_A_PEER_VPN_TX_BYTES]) 849 fprintf(stderr, "\tVPN TX bytes: %" PRIu64 "\n", 850 ovpn_nla_get_uint(pattrs[OVPN_A_PEER_VPN_TX_BYTES])); 851 852 if (pattrs[OVPN_A_PEER_VPN_RX_PACKETS]) 853 fprintf(stderr, "\tVPN RX packets: %" PRIu64 "\n", 854 ovpn_nla_get_uint(pattrs[OVPN_A_PEER_VPN_RX_PACKETS])); 855 856 if (pattrs[OVPN_A_PEER_VPN_TX_PACKETS]) 857 fprintf(stderr, "\tVPN TX packets: %" PRIu64 "\n", 858 ovpn_nla_get_uint(pattrs[OVPN_A_PEER_VPN_TX_PACKETS])); 859 860 if (pattrs[OVPN_A_PEER_LINK_RX_BYTES]) 861 fprintf(stderr, "\tLINK RX bytes: %" PRIu64 "\n", 862 ovpn_nla_get_uint(pattrs[OVPN_A_PEER_LINK_RX_BYTES])); 863 864 if (pattrs[OVPN_A_PEER_LINK_TX_BYTES]) 865 fprintf(stderr, "\tLINK TX bytes: %" PRIu64 "\n", 866 ovpn_nla_get_uint(pattrs[OVPN_A_PEER_LINK_TX_BYTES])); 867 868 if (pattrs[OVPN_A_PEER_LINK_RX_PACKETS]) 869 fprintf(stderr, "\tLINK RX packets: %" PRIu64 "\n", 870 ovpn_nla_get_uint(pattrs[OVPN_A_PEER_LINK_RX_PACKETS])); 871 872 if (pattrs[OVPN_A_PEER_LINK_TX_PACKETS]) 873 fprintf(stderr, "\tLINK TX packets: %" PRIu64 "\n", 874 ovpn_nla_get_uint(pattrs[OVPN_A_PEER_LINK_TX_PACKETS])); 875 876 return NL_SKIP; 877 } 878 879 static int ovpn_get_peer(struct ovpn_ctx *ovpn) 880 { 881 int flags = 0, ret = -1; 882 struct nlattr *attr; 883 struct nl_ctx *ctx; 884 885 if (ovpn->peer_id == PEER_ID_UNDEF) 886 flags = NLM_F_DUMP; 887 888 ctx = nl_ctx_alloc_flags(ovpn, OVPN_CMD_PEER_GET, flags); 889 if (!ctx) 890 return -ENOMEM; 891 892 if (ovpn->peer_id != PEER_ID_UNDEF) { 893 attr = nla_nest_start(ctx->nl_msg, OVPN_A_PEER); 894 NLA_PUT_U32(ctx->nl_msg, OVPN_A_PEER_ID, ovpn->peer_id); 895 nla_nest_end(ctx->nl_msg, attr); 896 } 897 898 ret = ovpn_nl_msg_send(ctx, ovpn_handle_peer); 899 nla_put_failure: 900 nl_ctx_free(ctx); 901 return ret; 902 } 903 904 static int ovpn_new_key(struct ovpn_ctx *ovpn) 905 { 906 struct nlattr *keyconf, *key_dir; 907 struct nl_ctx *ctx; 908 int ret = -1; 909 910 ctx = nl_ctx_alloc(ovpn, OVPN_CMD_KEY_NEW); 911 if (!ctx) 912 return -ENOMEM; 913 914 keyconf = nla_nest_start(ctx->nl_msg, OVPN_A_KEYCONF); 915 NLA_PUT_U32(ctx->nl_msg, OVPN_A_KEYCONF_PEER_ID, ovpn->peer_id); 916 NLA_PUT_U32(ctx->nl_msg, OVPN_A_KEYCONF_SLOT, ovpn->key_slot); 917 NLA_PUT_U32(ctx->nl_msg, OVPN_A_KEYCONF_KEY_ID, ovpn->key_id); 918 NLA_PUT_U32(ctx->nl_msg, OVPN_A_KEYCONF_CIPHER_ALG, ovpn->cipher); 919 920 key_dir = nla_nest_start(ctx->nl_msg, OVPN_A_KEYCONF_ENCRYPT_DIR); 921 NLA_PUT(ctx->nl_msg, OVPN_A_KEYDIR_CIPHER_KEY, KEY_LEN, ovpn->key_enc); 922 NLA_PUT(ctx->nl_msg, OVPN_A_KEYDIR_NONCE_TAIL, NONCE_LEN, ovpn->nonce); 923 nla_nest_end(ctx->nl_msg, key_dir); 924 925 key_dir = nla_nest_start(ctx->nl_msg, OVPN_A_KEYCONF_DECRYPT_DIR); 926 NLA_PUT(ctx->nl_msg, OVPN_A_KEYDIR_CIPHER_KEY, KEY_LEN, ovpn->key_dec); 927 NLA_PUT(ctx->nl_msg, OVPN_A_KEYDIR_NONCE_TAIL, NONCE_LEN, ovpn->nonce); 928 nla_nest_end(ctx->nl_msg, key_dir); 929 930 nla_nest_end(ctx->nl_msg, keyconf); 931 932 ret = ovpn_nl_msg_send(ctx, NULL); 933 nla_put_failure: 934 nl_ctx_free(ctx); 935 return ret; 936 } 937 938 static int ovpn_del_key(struct ovpn_ctx *ovpn) 939 { 940 struct nlattr *keyconf; 941 struct nl_ctx *ctx; 942 int ret = -1; 943 944 ctx = nl_ctx_alloc(ovpn, OVPN_CMD_KEY_DEL); 945 if (!ctx) 946 return -ENOMEM; 947 948 keyconf = nla_nest_start(ctx->nl_msg, OVPN_A_KEYCONF); 949 NLA_PUT_U32(ctx->nl_msg, OVPN_A_KEYCONF_PEER_ID, ovpn->peer_id); 950 NLA_PUT_U32(ctx->nl_msg, OVPN_A_KEYCONF_SLOT, ovpn->key_slot); 951 nla_nest_end(ctx->nl_msg, keyconf); 952 953 ret = ovpn_nl_msg_send(ctx, NULL); 954 nla_put_failure: 955 nl_ctx_free(ctx); 956 return ret; 957 } 958 959 static int ovpn_handle_key(struct nl_msg *msg, void (*arg)__always_unused) 960 { 961 struct nlattr *kattrs[OVPN_A_KEYCONF_MAX + 1]; 962 struct genlmsghdr *gnlh = nlmsg_data(nlmsg_hdr(msg)); 963 struct nlattr *attrs[OVPN_A_MAX + 1]; 964 965 nla_parse(attrs, OVPN_A_MAX, genlmsg_attrdata(gnlh, 0), 966 genlmsg_attrlen(gnlh, 0), NULL); 967 968 if (!attrs[OVPN_A_KEYCONF]) { 969 fprintf(stderr, "no packet content in netlink message\n"); 970 return NL_SKIP; 971 } 972 973 nla_parse(kattrs, OVPN_A_KEYCONF_MAX, nla_data(attrs[OVPN_A_KEYCONF]), 974 nla_len(attrs[OVPN_A_KEYCONF]), NULL); 975 976 if (kattrs[OVPN_A_KEYCONF_PEER_ID]) 977 fprintf(stderr, "* Peer %u\n", 978 nla_get_u32(kattrs[OVPN_A_KEYCONF_PEER_ID])); 979 if (kattrs[OVPN_A_KEYCONF_SLOT]) { 980 fprintf(stderr, "\t- Slot: "); 981 switch (nla_get_u32(kattrs[OVPN_A_KEYCONF_SLOT])) { 982 case OVPN_KEY_SLOT_PRIMARY: 983 fprintf(stderr, "primary\n"); 984 break; 985 case OVPN_KEY_SLOT_SECONDARY: 986 fprintf(stderr, "secondary\n"); 987 break; 988 default: 989 fprintf(stderr, "invalid (%u)\n", 990 nla_get_u32(kattrs[OVPN_A_KEYCONF_SLOT])); 991 break; 992 } 993 } 994 if (kattrs[OVPN_A_KEYCONF_KEY_ID]) 995 fprintf(stderr, "\t- Key ID: %u\n", 996 nla_get_u32(kattrs[OVPN_A_KEYCONF_KEY_ID])); 997 if (kattrs[OVPN_A_KEYCONF_CIPHER_ALG]) { 998 fprintf(stderr, "\t- Cipher: "); 999 switch (nla_get_u32(kattrs[OVPN_A_KEYCONF_CIPHER_ALG])) { 1000 case OVPN_CIPHER_ALG_NONE: 1001 fprintf(stderr, "none\n"); 1002 break; 1003 case OVPN_CIPHER_ALG_AES_GCM: 1004 fprintf(stderr, "aes-gcm\n"); 1005 break; 1006 case OVPN_CIPHER_ALG_CHACHA20_POLY1305: 1007 fprintf(stderr, "chacha20poly1305\n"); 1008 break; 1009 default: 1010 fprintf(stderr, "invalid (%u)\n", 1011 nla_get_u32(kattrs[OVPN_A_KEYCONF_CIPHER_ALG])); 1012 break; 1013 } 1014 } 1015 1016 return NL_SKIP; 1017 } 1018 1019 static int ovpn_get_key(struct ovpn_ctx *ovpn) 1020 { 1021 struct nlattr *keyconf; 1022 struct nl_ctx *ctx; 1023 int ret = -1; 1024 1025 ctx = nl_ctx_alloc(ovpn, OVPN_CMD_KEY_GET); 1026 if (!ctx) 1027 return -ENOMEM; 1028 1029 keyconf = nla_nest_start(ctx->nl_msg, OVPN_A_KEYCONF); 1030 NLA_PUT_U32(ctx->nl_msg, OVPN_A_KEYCONF_PEER_ID, ovpn->peer_id); 1031 NLA_PUT_U32(ctx->nl_msg, OVPN_A_KEYCONF_SLOT, ovpn->key_slot); 1032 nla_nest_end(ctx->nl_msg, keyconf); 1033 1034 ret = ovpn_nl_msg_send(ctx, ovpn_handle_key); 1035 nla_put_failure: 1036 nl_ctx_free(ctx); 1037 return ret; 1038 } 1039 1040 static int ovpn_swap_keys(struct ovpn_ctx *ovpn) 1041 { 1042 struct nl_ctx *ctx; 1043 struct nlattr *kc; 1044 int ret = -1; 1045 1046 ctx = nl_ctx_alloc(ovpn, OVPN_CMD_KEY_SWAP); 1047 if (!ctx) 1048 return -ENOMEM; 1049 1050 kc = nla_nest_start(ctx->nl_msg, OVPN_A_KEYCONF); 1051 NLA_PUT_U32(ctx->nl_msg, OVPN_A_KEYCONF_PEER_ID, ovpn->peer_id); 1052 nla_nest_end(ctx->nl_msg, kc); 1053 1054 ret = ovpn_nl_msg_send(ctx, NULL); 1055 nla_put_failure: 1056 nl_ctx_free(ctx); 1057 return ret; 1058 } 1059 1060 /* Helper function used to easily add attributes to a rtnl message */ 1061 static int ovpn_addattr(struct nlmsghdr *n, int maxlen, int type, 1062 const void *data, int alen) 1063 { 1064 int len = RTA_LENGTH(alen); 1065 struct rtattr *rta; 1066 1067 if ((int)(NLMSG_ALIGN(n->nlmsg_len) + RTA_ALIGN(len)) > maxlen) { 1068 fprintf(stderr, "%s: rtnl: message exceeded bound of %d\n", 1069 __func__, maxlen); 1070 return -EMSGSIZE; 1071 } 1072 1073 rta = nlmsg_tail(n); 1074 rta->rta_type = type; 1075 rta->rta_len = len; 1076 1077 if (!data) 1078 memset(RTA_DATA(rta), 0, alen); 1079 else 1080 memcpy(RTA_DATA(rta), data, alen); 1081 1082 n->nlmsg_len = NLMSG_ALIGN(n->nlmsg_len) + RTA_ALIGN(len); 1083 1084 return 0; 1085 } 1086 1087 static struct rtattr *ovpn_nest_start(struct nlmsghdr *msg, size_t max_size, 1088 int attr) 1089 { 1090 struct rtattr *nest = nlmsg_tail(msg); 1091 1092 if (ovpn_addattr(msg, max_size, attr, NULL, 0) < 0) 1093 return NULL; 1094 1095 return nest; 1096 } 1097 1098 static void ovpn_nest_end(struct nlmsghdr *msg, struct rtattr *nest) 1099 { 1100 nest->rta_len = (uint8_t *)nlmsg_tail(msg) - (uint8_t *)nest; 1101 } 1102 1103 #define RT_SNDBUF_SIZE (1024 * 2) 1104 #define RT_RCVBUF_SIZE (1024 * 4) 1105 1106 /* Open RTNL socket */ 1107 static int ovpn_rt_socket(void) 1108 { 1109 int sndbuf = RT_SNDBUF_SIZE, rcvbuf = RT_RCVBUF_SIZE, fd; 1110 1111 fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE); 1112 if (fd < 0) { 1113 fprintf(stderr, "%s: cannot open netlink socket\n", __func__); 1114 return fd; 1115 } 1116 1117 if (setsockopt(fd, SOL_SOCKET, SO_SNDBUF, &sndbuf, 1118 sizeof(sndbuf)) < 0) { 1119 fprintf(stderr, "%s: SO_SNDBUF\n", __func__); 1120 close(fd); 1121 return -1; 1122 } 1123 1124 if (setsockopt(fd, SOL_SOCKET, SO_RCVBUF, &rcvbuf, 1125 sizeof(rcvbuf)) < 0) { 1126 fprintf(stderr, "%s: SO_RCVBUF\n", __func__); 1127 close(fd); 1128 return -1; 1129 } 1130 1131 return fd; 1132 } 1133 1134 /* Bind socket to Netlink subsystem */ 1135 static int ovpn_rt_bind(int fd, uint32_t groups) 1136 { 1137 struct sockaddr_nl local = { 0 }; 1138 socklen_t addr_len; 1139 1140 local.nl_family = AF_NETLINK; 1141 local.nl_groups = groups; 1142 1143 if (bind(fd, (struct sockaddr *)&local, sizeof(local)) < 0) { 1144 fprintf(stderr, "%s: cannot bind netlink socket: %d\n", 1145 __func__, errno); 1146 return -errno; 1147 } 1148 1149 addr_len = sizeof(local); 1150 if (getsockname(fd, (struct sockaddr *)&local, &addr_len) < 0) { 1151 fprintf(stderr, "%s: cannot getsockname: %d\n", __func__, 1152 errno); 1153 return -errno; 1154 } 1155 1156 if (addr_len != sizeof(local)) { 1157 fprintf(stderr, "%s: wrong address length %d\n", __func__, 1158 addr_len); 1159 return -EINVAL; 1160 } 1161 1162 if (local.nl_family != AF_NETLINK) { 1163 fprintf(stderr, "%s: wrong address family %d\n", __func__, 1164 local.nl_family); 1165 return -EINVAL; 1166 } 1167 1168 return 0; 1169 } 1170 1171 typedef int (*ovpn_parse_reply_cb)(struct nlmsghdr *msg, void *arg); 1172 1173 /* Send Netlink message and run callback on reply (if specified) */ 1174 static int ovpn_rt_send(struct nlmsghdr *payload, pid_t peer, 1175 unsigned int groups, ovpn_parse_reply_cb cb, 1176 void *arg_cb) 1177 { 1178 int len, rem_len, fd, ret, rcv_len; 1179 struct sockaddr_nl nladdr = { 0 }; 1180 struct nlmsgerr *err; 1181 struct nlmsghdr *h; 1182 char buf[1024 * 16]; 1183 struct iovec iov = { 1184 .iov_base = payload, 1185 .iov_len = payload->nlmsg_len, 1186 }; 1187 struct msghdr nlmsg = { 1188 .msg_name = &nladdr, 1189 .msg_namelen = sizeof(nladdr), 1190 .msg_iov = &iov, 1191 .msg_iovlen = 1, 1192 }; 1193 1194 nladdr.nl_family = AF_NETLINK; 1195 nladdr.nl_pid = peer; 1196 nladdr.nl_groups = groups; 1197 1198 payload->nlmsg_seq = time(NULL); 1199 1200 /* no need to send reply */ 1201 if (!cb) 1202 payload->nlmsg_flags |= NLM_F_ACK; 1203 1204 fd = ovpn_rt_socket(); 1205 if (fd < 0) { 1206 fprintf(stderr, "%s: can't open rtnl socket\n", __func__); 1207 return -errno; 1208 } 1209 1210 ret = ovpn_rt_bind(fd, 0); 1211 if (ret < 0) { 1212 fprintf(stderr, "%s: can't bind rtnl socket\n", __func__); 1213 ret = -errno; 1214 goto out; 1215 } 1216 1217 ret = sendmsg(fd, &nlmsg, 0); 1218 if (ret < 0) { 1219 fprintf(stderr, "%s: rtnl: error on sendmsg()\n", __func__); 1220 ret = -errno; 1221 goto out; 1222 } 1223 1224 /* prepare buffer to store RTNL replies */ 1225 memset(buf, 0, sizeof(buf)); 1226 iov.iov_base = buf; 1227 1228 while (1) { 1229 /* 1230 * iov_len is modified by recvmsg(), therefore has to be initialized before 1231 * using it again 1232 */ 1233 iov.iov_len = sizeof(buf); 1234 rcv_len = recvmsg(fd, &nlmsg, 0); 1235 if (rcv_len < 0) { 1236 if (errno == EINTR || errno == EAGAIN) { 1237 fprintf(stderr, "%s: interrupted call\n", 1238 __func__); 1239 continue; 1240 } 1241 fprintf(stderr, "%s: rtnl: error on recvmsg()\n", 1242 __func__); 1243 ret = -errno; 1244 goto out; 1245 } 1246 1247 if (rcv_len == 0) { 1248 fprintf(stderr, 1249 "%s: rtnl: socket reached unexpected EOF\n", 1250 __func__); 1251 ret = -EIO; 1252 goto out; 1253 } 1254 1255 if (nlmsg.msg_namelen != sizeof(nladdr)) { 1256 fprintf(stderr, 1257 "%s: sender address length: %u (expected %zu)\n", 1258 __func__, nlmsg.msg_namelen, sizeof(nladdr)); 1259 ret = -EIO; 1260 goto out; 1261 } 1262 1263 h = (struct nlmsghdr *)buf; 1264 while (rcv_len >= (int)sizeof(*h)) { 1265 len = h->nlmsg_len; 1266 rem_len = len - sizeof(*h); 1267 1268 if (rem_len < 0 || len > rcv_len) { 1269 if (nlmsg.msg_flags & MSG_TRUNC) { 1270 fprintf(stderr, "%s: truncated message\n", 1271 __func__); 1272 ret = -EIO; 1273 goto out; 1274 } 1275 fprintf(stderr, "%s: malformed message: len=%d\n", 1276 __func__, len); 1277 ret = -EIO; 1278 goto out; 1279 } 1280 1281 if (h->nlmsg_type == NLMSG_DONE) { 1282 ret = 0; 1283 goto out; 1284 } 1285 1286 if (h->nlmsg_type == NLMSG_ERROR) { 1287 err = (struct nlmsgerr *)NLMSG_DATA(h); 1288 if (rem_len < (int)sizeof(struct nlmsgerr)) { 1289 fprintf(stderr, "%s: ERROR truncated\n", 1290 __func__); 1291 ret = -EIO; 1292 goto out; 1293 } 1294 1295 if (err->error) { 1296 fprintf(stderr, "%s: (%d) %s\n", 1297 __func__, err->error, 1298 strerror(-err->error)); 1299 ret = err->error; 1300 goto out; 1301 } 1302 1303 ret = 0; 1304 if (cb) { 1305 int r = cb(h, arg_cb); 1306 1307 if (r <= 0) 1308 ret = r; 1309 } 1310 goto out; 1311 } 1312 1313 if (cb) { 1314 int r = cb(h, arg_cb); 1315 1316 if (r <= 0) { 1317 ret = r; 1318 goto out; 1319 } 1320 } else { 1321 fprintf(stderr, "%s: RTNL: unexpected reply\n", 1322 __func__); 1323 } 1324 1325 rcv_len -= NLMSG_ALIGN(len); 1326 h = (struct nlmsghdr *)((uint8_t *)h + 1327 NLMSG_ALIGN(len)); 1328 } 1329 1330 if (nlmsg.msg_flags & MSG_TRUNC) { 1331 fprintf(stderr, "%s: message truncated\n", __func__); 1332 continue; 1333 } 1334 1335 if (rcv_len) { 1336 fprintf(stderr, "%s: rtnl: %d not parsed bytes\n", 1337 __func__, rcv_len); 1338 ret = -1; 1339 goto out; 1340 } 1341 } 1342 out: 1343 close(fd); 1344 1345 return ret; 1346 } 1347 1348 struct ovpn_link_req { 1349 struct nlmsghdr n; 1350 struct ifinfomsg i; 1351 char buf[256]; 1352 }; 1353 1354 static int ovpn_new_iface(struct ovpn_ctx *ovpn) 1355 { 1356 struct rtattr *linkinfo, *data; 1357 struct ovpn_link_req req = { 0 }; 1358 int ret = -1; 1359 1360 fprintf(stdout, "Creating interface %s with mode %u\n", ovpn->ifname, 1361 ovpn->mode); 1362 1363 req.n.nlmsg_len = NLMSG_LENGTH(sizeof(req.i)); 1364 req.n.nlmsg_flags = NLM_F_REQUEST | NLM_F_CREATE | NLM_F_EXCL; 1365 req.n.nlmsg_type = RTM_NEWLINK; 1366 1367 if (ovpn_addattr(&req.n, sizeof(req), IFLA_IFNAME, ovpn->ifname, 1368 strlen(ovpn->ifname) + 1) < 0) 1369 goto err; 1370 1371 linkinfo = ovpn_nest_start(&req.n, sizeof(req), IFLA_LINKINFO); 1372 if (!linkinfo) 1373 goto err; 1374 1375 if (ovpn_addattr(&req.n, sizeof(req), IFLA_INFO_KIND, OVPN_FAMILY_NAME, 1376 strlen(OVPN_FAMILY_NAME) + 1) < 0) 1377 goto err; 1378 1379 if (ovpn->mode_set) { 1380 data = ovpn_nest_start(&req.n, sizeof(req), IFLA_INFO_DATA); 1381 if (!data) 1382 goto err; 1383 1384 if (ovpn_addattr(&req.n, sizeof(req), IFLA_OVPN_MODE, 1385 &ovpn->mode, sizeof(uint8_t)) < 0) 1386 goto err; 1387 1388 ovpn_nest_end(&req.n, data); 1389 } 1390 1391 ovpn_nest_end(&req.n, linkinfo); 1392 1393 req.i.ifi_family = AF_PACKET; 1394 1395 ret = ovpn_rt_send(&req.n, 0, 0, NULL, NULL); 1396 err: 1397 return ret; 1398 } 1399 1400 static int ovpn_del_iface(struct ovpn_ctx *ovpn) 1401 { 1402 struct ovpn_link_req req = { 0 }; 1403 1404 fprintf(stdout, "Deleting interface %s ifindex %u\n", ovpn->ifname, 1405 ovpn->ifindex); 1406 1407 req.n.nlmsg_len = NLMSG_LENGTH(sizeof(req.i)); 1408 req.n.nlmsg_flags = NLM_F_REQUEST; 1409 req.n.nlmsg_type = RTM_DELLINK; 1410 1411 req.i.ifi_family = AF_PACKET; 1412 req.i.ifi_index = ovpn->ifindex; 1413 1414 return ovpn_rt_send(&req.n, 0, 0, NULL, NULL); 1415 } 1416 1417 static int nl_seq_check(struct nl_msg (*msg)__always_unused, 1418 void (*arg)__always_unused) 1419 { 1420 return NL_OK; 1421 } 1422 1423 struct mcast_handler_args { 1424 const char *group; 1425 int id; 1426 }; 1427 1428 static int mcast_family_handler(struct nl_msg *msg, void *arg) 1429 { 1430 struct mcast_handler_args *grp = arg; 1431 struct nlattr *tb[CTRL_ATTR_MAX + 1]; 1432 struct genlmsghdr *gnlh = nlmsg_data(nlmsg_hdr(msg)); 1433 struct nlattr *mcgrp; 1434 int rem_mcgrp; 1435 1436 nla_parse(tb, CTRL_ATTR_MAX, genlmsg_attrdata(gnlh, 0), 1437 genlmsg_attrlen(gnlh, 0), NULL); 1438 1439 if (!tb[CTRL_ATTR_MCAST_GROUPS]) 1440 return NL_SKIP; 1441 1442 nla_for_each_nested(mcgrp, tb[CTRL_ATTR_MCAST_GROUPS], rem_mcgrp) { 1443 struct nlattr *tb_mcgrp[CTRL_ATTR_MCAST_GRP_MAX + 1]; 1444 1445 nla_parse(tb_mcgrp, CTRL_ATTR_MCAST_GRP_MAX, 1446 nla_data(mcgrp), nla_len(mcgrp), NULL); 1447 1448 if (!tb_mcgrp[CTRL_ATTR_MCAST_GRP_NAME] || 1449 !tb_mcgrp[CTRL_ATTR_MCAST_GRP_ID]) 1450 continue; 1451 if (strncmp(nla_data(tb_mcgrp[CTRL_ATTR_MCAST_GRP_NAME]), 1452 grp->group, nla_len(tb_mcgrp[CTRL_ATTR_MCAST_GRP_NAME]))) 1453 continue; 1454 grp->id = nla_get_u32(tb_mcgrp[CTRL_ATTR_MCAST_GRP_ID]); 1455 break; 1456 } 1457 1458 return NL_SKIP; 1459 } 1460 1461 static int mcast_error_handler(struct sockaddr_nl (*nla)__always_unused, 1462 struct nlmsgerr *err, void *arg) 1463 { 1464 int *ret = arg; 1465 1466 *ret = err->error; 1467 return NL_STOP; 1468 } 1469 1470 static int mcast_ack_handler(struct nl_msg (*msg)__always_unused, void *arg) 1471 { 1472 int *ret = arg; 1473 1474 *ret = 0; 1475 return NL_STOP; 1476 } 1477 1478 static int ovpn_handle_msg(struct nl_msg *msg, void *arg) 1479 { 1480 struct genlmsghdr *gnlh = nlmsg_data(nlmsg_hdr(msg)); 1481 struct nlattr *attrs[OVPN_A_MAX + 1]; 1482 struct nlmsghdr *nlh = nlmsg_hdr(msg); 1483 char ifname[IF_NAMESIZE]; 1484 int *ret = arg; 1485 __u32 ifindex; 1486 1487 fprintf(stderr, "received message from ovpn-dco\n"); 1488 1489 *ret = -1; 1490 1491 if (!genlmsg_valid_hdr(nlh, 0)) { 1492 fprintf(stderr, "invalid header\n"); 1493 return NL_STOP; 1494 } 1495 1496 if (nla_parse(attrs, OVPN_A_MAX, genlmsg_attrdata(gnlh, 0), 1497 genlmsg_attrlen(gnlh, 0), NULL)) { 1498 fprintf(stderr, "received bogus data from ovpn-dco\n"); 1499 return NL_STOP; 1500 } 1501 1502 if (!attrs[OVPN_A_IFINDEX]) { 1503 fprintf(stderr, "no ifindex in this message\n"); 1504 return NL_STOP; 1505 } 1506 1507 ifindex = nla_get_u32(attrs[OVPN_A_IFINDEX]); 1508 if (!if_indextoname(ifindex, ifname)) { 1509 fprintf(stderr, "cannot resolve ifname for ifindex: %u\n", 1510 ifindex); 1511 return NL_STOP; 1512 } 1513 1514 switch (gnlh->cmd) { 1515 case OVPN_CMD_PEER_DEL_NTF: 1516 fprintf(stdout, "received CMD_PEER_DEL_NTF\n"); 1517 break; 1518 case OVPN_CMD_KEY_SWAP_NTF: 1519 fprintf(stdout, "received CMD_KEY_SWAP_NTF\n"); 1520 break; 1521 default: 1522 fprintf(stderr, "received unknown command: %d\n", gnlh->cmd); 1523 return NL_STOP; 1524 } 1525 1526 *ret = 0; 1527 return NL_OK; 1528 } 1529 1530 static int ovpn_get_mcast_id(struct nl_sock *sock, const char *family, 1531 const char *group) 1532 { 1533 struct nl_msg *msg; 1534 struct nl_cb *cb; 1535 int ret, ctrlid; 1536 struct mcast_handler_args grp = { 1537 .group = group, 1538 .id = -ENOENT, 1539 }; 1540 1541 msg = nlmsg_alloc(); 1542 if (!msg) 1543 return -ENOMEM; 1544 1545 cb = nl_cb_alloc(NL_CB_DEFAULT); 1546 if (!cb) { 1547 ret = -ENOMEM; 1548 goto out_fail_cb; 1549 } 1550 1551 ctrlid = genl_ctrl_resolve(sock, "nlctrl"); 1552 1553 genlmsg_put(msg, 0, 0, ctrlid, 0, 0, CTRL_CMD_GETFAMILY, 0); 1554 1555 ret = -ENOBUFS; 1556 NLA_PUT_STRING(msg, CTRL_ATTR_FAMILY_NAME, family); 1557 1558 ret = nl_send_auto_complete(sock, msg); 1559 if (ret < 0) 1560 goto nla_put_failure; 1561 1562 ret = 1; 1563 1564 nl_cb_err(cb, NL_CB_CUSTOM, mcast_error_handler, &ret); 1565 nl_cb_set(cb, NL_CB_ACK, NL_CB_CUSTOM, mcast_ack_handler, &ret); 1566 nl_cb_set(cb, NL_CB_VALID, NL_CB_CUSTOM, mcast_family_handler, &grp); 1567 1568 while (ret > 0) 1569 nl_recvmsgs(sock, cb); 1570 1571 if (ret == 0) 1572 ret = grp.id; 1573 nla_put_failure: 1574 nl_cb_put(cb); 1575 out_fail_cb: 1576 nlmsg_free(msg); 1577 return ret; 1578 } 1579 1580 static int ovpn_listen_mcast(void) 1581 { 1582 struct nl_sock *sock; 1583 struct nl_cb *cb; 1584 int mcid, ret; 1585 1586 sock = nl_socket_alloc(); 1587 if (!sock) { 1588 fprintf(stderr, "cannot allocate netlink socket\n"); 1589 goto err_free; 1590 } 1591 1592 nl_socket_set_buffer_size(sock, 8192, 8192); 1593 1594 ret = genl_connect(sock); 1595 if (ret < 0) { 1596 fprintf(stderr, "cannot connect to generic netlink: %s\n", 1597 nl_geterror(ret)); 1598 goto err_free; 1599 } 1600 1601 mcid = ovpn_get_mcast_id(sock, OVPN_FAMILY_NAME, OVPN_MCGRP_PEERS); 1602 if (mcid < 0) { 1603 fprintf(stderr, "cannot get mcast group: %s\n", 1604 nl_geterror(mcid)); 1605 goto err_free; 1606 } 1607 1608 ret = nl_socket_add_membership(sock, mcid); 1609 if (ret) { 1610 fprintf(stderr, "failed to join mcast group: %d\n", ret); 1611 goto err_free; 1612 } 1613 1614 ret = 1; 1615 cb = nl_cb_alloc(NL_CB_DEFAULT); 1616 nl_cb_set(cb, NL_CB_SEQ_CHECK, NL_CB_CUSTOM, nl_seq_check, NULL); 1617 nl_cb_set(cb, NL_CB_VALID, NL_CB_CUSTOM, ovpn_handle_msg, &ret); 1618 nl_cb_err(cb, NL_CB_CUSTOM, ovpn_nl_cb_error, &ret); 1619 1620 while (ret == 1) { 1621 int err = nl_recvmsgs(sock, cb); 1622 1623 if (err < 0) { 1624 fprintf(stderr, 1625 "cannot receive netlink message: (%d) %s\n", 1626 err, nl_geterror(-err)); 1627 ret = -1; 1628 break; 1629 } 1630 } 1631 1632 nl_cb_put(cb); 1633 err_free: 1634 nl_socket_free(sock); 1635 return ret; 1636 } 1637 1638 static void usage(const char *cmd) 1639 { 1640 fprintf(stderr, 1641 "Usage %s <command> <iface> [arguments..]\n", 1642 cmd); 1643 fprintf(stderr, "where <command> can be one of the following\n\n"); 1644 1645 fprintf(stderr, "* new_iface <iface> [mode]: create new ovpn interface\n"); 1646 fprintf(stderr, "\tiface: ovpn interface name\n"); 1647 fprintf(stderr, "\tmode:\n"); 1648 fprintf(stderr, "\t\t- P2P for peer-to-peer mode (i.e. client)\n"); 1649 fprintf(stderr, "\t\t- MP for multi-peer mode (i.e. server)\n"); 1650 1651 fprintf(stderr, "* del_iface <iface>: delete ovpn interface\n"); 1652 fprintf(stderr, "\tiface: ovpn interface name\n"); 1653 1654 fprintf(stderr, 1655 "* listen <iface> <lport> <peers_file> [ipv6]: listen for incoming peer TCP connections\n"); 1656 fprintf(stderr, "\tiface: ovpn interface name\n"); 1657 fprintf(stderr, "\tlport: TCP port to listen to\n"); 1658 fprintf(stderr, 1659 "\tpeers_file: file containing one peer per line: Line format:\n"); 1660 fprintf(stderr, "\t\t<peer_id> <vpnaddr>\n"); 1661 fprintf(stderr, 1662 "\tipv6: whether the socket should listen to the IPv6 wildcard address\n"); 1663 1664 fprintf(stderr, 1665 "* connect <iface> <peer_id> <raddr> <rport> [key_file]: start connecting peer of TCP-based VPN session\n"); 1666 fprintf(stderr, "\tiface: ovpn interface name\n"); 1667 fprintf(stderr, "\tpeer_id: peer ID of the connecting peer\n"); 1668 fprintf(stderr, "\traddr: peer IP address to connect to\n"); 1669 fprintf(stderr, "\trport: peer TCP port to connect to\n"); 1670 fprintf(stderr, 1671 "\tkey_file: file containing the symmetric key for encryption\n"); 1672 1673 fprintf(stderr, 1674 "* new_peer <iface> <peer_id> <lport> <raddr> <rport> [vpnaddr]: add new peer\n"); 1675 fprintf(stderr, "\tiface: ovpn interface name\n"); 1676 fprintf(stderr, "\tlport: local UDP port to bind to\n"); 1677 fprintf(stderr, 1678 "\tpeer_id: peer ID to be used in data packets to/from this peer\n"); 1679 fprintf(stderr, "\traddr: peer IP address\n"); 1680 fprintf(stderr, "\trport: peer UDP port\n"); 1681 fprintf(stderr, "\tvpnaddr: peer VPN IP\n"); 1682 1683 fprintf(stderr, 1684 "* new_multi_peer <iface> <lport> <peers_file>: add multiple peers as listed in the file\n"); 1685 fprintf(stderr, "\tiface: ovpn interface name\n"); 1686 fprintf(stderr, "\tlport: local UDP port to bind to\n"); 1687 fprintf(stderr, 1688 "\tpeers_file: text file containing one peer per line. Line format:\n"); 1689 fprintf(stderr, "\t\t<peer_id> <raddr> <rport> <vpnaddr>\n"); 1690 1691 fprintf(stderr, 1692 "* set_peer <iface> <peer_id> <keepalive_interval> <keepalive_timeout>: set peer attributes\n"); 1693 fprintf(stderr, "\tiface: ovpn interface name\n"); 1694 fprintf(stderr, "\tpeer_id: peer ID of the peer to modify\n"); 1695 fprintf(stderr, 1696 "\tkeepalive_interval: interval for sending ping messages\n"); 1697 fprintf(stderr, 1698 "\tkeepalive_timeout: time after which a peer is timed out\n"); 1699 1700 fprintf(stderr, "* del_peer <iface> <peer_id>: delete peer\n"); 1701 fprintf(stderr, "\tiface: ovpn interface name\n"); 1702 fprintf(stderr, "\tpeer_id: peer ID of the peer to delete\n"); 1703 1704 fprintf(stderr, "* get_peer <iface> [peer_id]: retrieve peer(s) status\n"); 1705 fprintf(stderr, "\tiface: ovpn interface name\n"); 1706 fprintf(stderr, 1707 "\tpeer_id: peer ID of the peer to query. All peers are returned if omitted\n"); 1708 1709 fprintf(stderr, 1710 "* new_key <iface> <peer_id> <slot> <key_id> <cipher> <key_dir> <key_file>: set data channel key\n"); 1711 fprintf(stderr, "\tiface: ovpn interface name\n"); 1712 fprintf(stderr, 1713 "\tpeer_id: peer ID of the peer to configure the key for\n"); 1714 fprintf(stderr, "\tslot: either 1 (primary) or 2 (secondary)\n"); 1715 fprintf(stderr, "\tkey_id: an ID from 0 to 7\n"); 1716 fprintf(stderr, 1717 "\tcipher: cipher to use, supported: aes (AES-GCM), chachapoly (CHACHA20POLY1305)\n"); 1718 fprintf(stderr, 1719 "\tkey_dir: key direction, must 0 on one host and 1 on the other\n"); 1720 fprintf(stderr, "\tkey_file: file containing the pre-shared key\n"); 1721 1722 fprintf(stderr, 1723 "* del_key <iface> <peer_id> [slot]: erase existing data channel key\n"); 1724 fprintf(stderr, "\tiface: ovpn interface name\n"); 1725 fprintf(stderr, "\tpeer_id: peer ID of the peer to modify\n"); 1726 fprintf(stderr, "\tslot: slot to erase. PRIMARY if omitted\n"); 1727 1728 fprintf(stderr, 1729 "* get_key <iface> <peer_id> <slot>: retrieve non sensible key data\n"); 1730 fprintf(stderr, "\tiface: ovpn interface name\n"); 1731 fprintf(stderr, "\tpeer_id: peer ID of the peer to query\n"); 1732 fprintf(stderr, "\tslot: either 1 (primary) or 2 (secondary)\n"); 1733 1734 fprintf(stderr, 1735 "* swap_keys <iface> <peer_id>: swap content of primary and secondary key slots\n"); 1736 fprintf(stderr, "\tiface: ovpn interface name\n"); 1737 fprintf(stderr, "\tpeer_id: peer ID of the peer to modify\n"); 1738 1739 fprintf(stderr, 1740 "* listen_mcast: listen to ovpn netlink multicast messages\n"); 1741 } 1742 1743 static int ovpn_parse_remote(struct ovpn_ctx *ovpn, const char *host, 1744 const char *service, const char *vpnip) 1745 { 1746 int ret; 1747 struct addrinfo *result; 1748 struct addrinfo hints = { 1749 .ai_family = ovpn->sa_family, 1750 .ai_socktype = SOCK_DGRAM, 1751 .ai_protocol = IPPROTO_UDP 1752 }; 1753 1754 if (host) { 1755 ret = getaddrinfo(host, service, &hints, &result); 1756 if (ret == EAI_NONAME || ret == EAI_FAIL) 1757 return -1; 1758 1759 if (!(result->ai_family == AF_INET && 1760 result->ai_addrlen == sizeof(struct sockaddr_in)) && 1761 !(result->ai_family == AF_INET6 && 1762 result->ai_addrlen == sizeof(struct sockaddr_in6))) { 1763 ret = -EINVAL; 1764 goto out; 1765 } 1766 1767 memcpy(&ovpn->remote, result->ai_addr, result->ai_addrlen); 1768 } 1769 1770 if (vpnip) { 1771 ret = getaddrinfo(vpnip, NULL, &hints, &result); 1772 if (ret == EAI_NONAME || ret == EAI_FAIL) 1773 return -1; 1774 1775 if (!(result->ai_family == AF_INET && 1776 result->ai_addrlen == sizeof(struct sockaddr_in)) && 1777 !(result->ai_family == AF_INET6 && 1778 result->ai_addrlen == sizeof(struct sockaddr_in6))) { 1779 ret = -EINVAL; 1780 goto out; 1781 } 1782 1783 memcpy(&ovpn->peer_ip, result->ai_addr, result->ai_addrlen); 1784 ovpn->sa_family = result->ai_family; 1785 1786 ovpn->peer_ip_set = true; 1787 } 1788 1789 ret = 0; 1790 out: 1791 freeaddrinfo(result); 1792 return ret; 1793 } 1794 1795 static int ovpn_parse_new_peer(struct ovpn_ctx *ovpn, const char *peer_id, 1796 const char *raddr, const char *rport, 1797 const char *vpnip) 1798 { 1799 ovpn->peer_id = strtoul(peer_id, NULL, 10); 1800 if (errno == ERANGE || ovpn->peer_id > PEER_ID_UNDEF) { 1801 fprintf(stderr, "peer ID value out of range\n"); 1802 return -1; 1803 } 1804 1805 return ovpn_parse_remote(ovpn, raddr, rport, vpnip); 1806 } 1807 1808 static int ovpn_parse_key_slot(const char *arg, struct ovpn_ctx *ovpn) 1809 { 1810 int slot = strtoul(arg, NULL, 10); 1811 1812 if (errno == ERANGE || slot < 1 || slot > 2) { 1813 fprintf(stderr, "key slot out of range\n"); 1814 return -1; 1815 } 1816 1817 switch (slot) { 1818 case 1: 1819 ovpn->key_slot = OVPN_KEY_SLOT_PRIMARY; 1820 break; 1821 case 2: 1822 ovpn->key_slot = OVPN_KEY_SLOT_SECONDARY; 1823 break; 1824 } 1825 1826 return 0; 1827 } 1828 1829 static int ovpn_send_tcp_data(int socket) 1830 { 1831 uint16_t len = htons(1000); 1832 uint8_t buf[1002]; 1833 int ret; 1834 1835 memcpy(buf, &len, sizeof(len)); 1836 memset(buf + sizeof(len), 0x86, sizeof(buf) - sizeof(len)); 1837 1838 ret = send(socket, buf, sizeof(buf), MSG_NOSIGNAL); 1839 1840 fprintf(stdout, "Sent %u bytes over TCP socket\n", ret); 1841 1842 return ret > 0 ? 0 : ret; 1843 } 1844 1845 static int ovpn_recv_tcp_data(int socket) 1846 { 1847 uint8_t buf[1002]; 1848 uint16_t len; 1849 int ret; 1850 1851 ret = recv(socket, buf, sizeof(buf), MSG_NOSIGNAL); 1852 1853 if (ret < 2) { 1854 fprintf(stderr, ">>>> Error while reading TCP data: %d\n", ret); 1855 return ret; 1856 } 1857 1858 memcpy(&len, buf, sizeof(len)); 1859 len = ntohs(len); 1860 1861 fprintf(stdout, ">>>> Received %u bytes over TCP socket, header: %u\n", 1862 ret, len); 1863 1864 return 0; 1865 } 1866 1867 static enum ovpn_cmd ovpn_parse_cmd(const char *cmd) 1868 { 1869 if (!strcmp(cmd, "new_iface")) 1870 return CMD_NEW_IFACE; 1871 1872 if (!strcmp(cmd, "del_iface")) 1873 return CMD_DEL_IFACE; 1874 1875 if (!strcmp(cmd, "listen")) 1876 return CMD_LISTEN; 1877 1878 if (!strcmp(cmd, "connect")) 1879 return CMD_CONNECT; 1880 1881 if (!strcmp(cmd, "new_peer")) 1882 return CMD_NEW_PEER; 1883 1884 if (!strcmp(cmd, "new_multi_peer")) 1885 return CMD_NEW_MULTI_PEER; 1886 1887 if (!strcmp(cmd, "set_peer")) 1888 return CMD_SET_PEER; 1889 1890 if (!strcmp(cmd, "del_peer")) 1891 return CMD_DEL_PEER; 1892 1893 if (!strcmp(cmd, "get_peer")) 1894 return CMD_GET_PEER; 1895 1896 if (!strcmp(cmd, "new_key")) 1897 return CMD_NEW_KEY; 1898 1899 if (!strcmp(cmd, "del_key")) 1900 return CMD_DEL_KEY; 1901 1902 if (!strcmp(cmd, "get_key")) 1903 return CMD_GET_KEY; 1904 1905 if (!strcmp(cmd, "swap_keys")) 1906 return CMD_SWAP_KEYS; 1907 1908 if (!strcmp(cmd, "listen_mcast")) 1909 return CMD_LISTEN_MCAST; 1910 1911 return CMD_INVALID; 1912 } 1913 1914 /* Send process to background and waits for signal. 1915 * 1916 * This helper is called at the end of commands 1917 * creating sockets, so that the latter stay alive 1918 * along with the process that created them. 1919 * 1920 * A signal is expected to be delivered in order to 1921 * terminate the waiting processes 1922 */ 1923 static void ovpn_waitbg(void) 1924 { 1925 daemon(1, 1); 1926 pause(); 1927 } 1928 1929 static int ovpn_run_cmd(struct ovpn_ctx *ovpn) 1930 { 1931 char peer_id[10], vpnip[INET6_ADDRSTRLEN], raddr[128], rport[10]; 1932 int n, ret; 1933 FILE *fp; 1934 1935 switch (ovpn->cmd) { 1936 case CMD_NEW_IFACE: 1937 ret = ovpn_new_iface(ovpn); 1938 break; 1939 case CMD_DEL_IFACE: 1940 ret = ovpn_del_iface(ovpn); 1941 break; 1942 case CMD_LISTEN: 1943 ret = ovpn_listen(ovpn, ovpn->sa_family); 1944 if (ret < 0) { 1945 fprintf(stderr, "cannot listen on TCP socket\n"); 1946 return ret; 1947 } 1948 1949 fp = fopen(ovpn->peers_file, "r"); 1950 if (!fp) { 1951 fprintf(stderr, "cannot open file: %s\n", 1952 ovpn->peers_file); 1953 return -1; 1954 } 1955 1956 int num_peers = 0; 1957 1958 while ((n = fscanf(fp, "%s %s\n", peer_id, vpnip)) == 2) { 1959 struct ovpn_ctx peer_ctx = { 0 }; 1960 1961 if (num_peers == MAX_PEERS) { 1962 fprintf(stderr, "max peers reached!\n"); 1963 return -E2BIG; 1964 } 1965 1966 peer_ctx.ifindex = ovpn->ifindex; 1967 peer_ctx.sa_family = ovpn->sa_family; 1968 1969 peer_ctx.socket = ovpn_accept(ovpn); 1970 if (peer_ctx.socket < 0) { 1971 fprintf(stderr, "cannot accept connection!\n"); 1972 return -1; 1973 } 1974 1975 /* store peer sockets to test TCP I/O */ 1976 ovpn->cli_sockets[num_peers] = peer_ctx.socket; 1977 1978 ret = ovpn_parse_new_peer(&peer_ctx, peer_id, NULL, 1979 NULL, vpnip); 1980 if (ret < 0) { 1981 fprintf(stderr, "error while parsing line\n"); 1982 return -1; 1983 } 1984 1985 ret = ovpn_new_peer(&peer_ctx, true); 1986 if (ret < 0) { 1987 fprintf(stderr, 1988 "cannot add peer to VPN: %s %s\n", 1989 peer_id, vpnip); 1990 return ret; 1991 } 1992 num_peers++; 1993 } 1994 1995 for (int i = 0; i < num_peers; i++) { 1996 ret = ovpn_recv_tcp_data(ovpn->cli_sockets[i]); 1997 if (ret < 0) 1998 break; 1999 } 2000 ovpn_waitbg(); 2001 break; 2002 case CMD_CONNECT: 2003 ret = ovpn_connect(ovpn); 2004 if (ret < 0) { 2005 fprintf(stderr, "cannot connect TCP socket\n"); 2006 return ret; 2007 } 2008 2009 ret = ovpn_new_peer(ovpn, true); 2010 if (ret < 0) { 2011 fprintf(stderr, "cannot add peer to VPN\n"); 2012 close(ovpn->socket); 2013 return ret; 2014 } 2015 2016 if (ovpn->cipher != OVPN_CIPHER_ALG_NONE) { 2017 ret = ovpn_new_key(ovpn); 2018 if (ret < 0) { 2019 fprintf(stderr, "cannot set key\n"); 2020 return ret; 2021 } 2022 } 2023 2024 ret = ovpn_send_tcp_data(ovpn->socket); 2025 ovpn_waitbg(); 2026 break; 2027 case CMD_NEW_PEER: 2028 ret = ovpn_udp_socket(ovpn, AF_INET6); 2029 if (ret < 0) 2030 return ret; 2031 2032 ret = ovpn_new_peer(ovpn, false); 2033 ovpn_waitbg(); 2034 break; 2035 case CMD_NEW_MULTI_PEER: 2036 ret = ovpn_udp_socket(ovpn, AF_INET6); 2037 if (ret < 0) 2038 return ret; 2039 2040 fp = fopen(ovpn->peers_file, "r"); 2041 if (!fp) { 2042 fprintf(stderr, "cannot open file: %s\n", 2043 ovpn->peers_file); 2044 return -1; 2045 } 2046 2047 while ((n = fscanf(fp, "%s %s %s %s\n", peer_id, raddr, rport, 2048 vpnip)) == 4) { 2049 struct ovpn_ctx peer_ctx = { 0 }; 2050 2051 peer_ctx.ifindex = ovpn->ifindex; 2052 peer_ctx.socket = ovpn->socket; 2053 peer_ctx.sa_family = AF_UNSPEC; 2054 2055 ret = ovpn_parse_new_peer(&peer_ctx, peer_id, raddr, 2056 rport, vpnip); 2057 if (ret < 0) { 2058 fprintf(stderr, "error while parsing line\n"); 2059 return -1; 2060 } 2061 2062 ret = ovpn_new_peer(&peer_ctx, false); 2063 if (ret < 0) { 2064 fprintf(stderr, 2065 "cannot add peer to VPN: %s %s %s %s\n", 2066 peer_id, raddr, rport, vpnip); 2067 return ret; 2068 } 2069 } 2070 ovpn_waitbg(); 2071 break; 2072 case CMD_SET_PEER: 2073 ret = ovpn_set_peer(ovpn); 2074 break; 2075 case CMD_DEL_PEER: 2076 ret = ovpn_del_peer(ovpn); 2077 break; 2078 case CMD_GET_PEER: 2079 if (ovpn->peer_id == PEER_ID_UNDEF) 2080 fprintf(stderr, "List of peers connected to: %s\n", 2081 ovpn->ifname); 2082 2083 ret = ovpn_get_peer(ovpn); 2084 break; 2085 case CMD_NEW_KEY: 2086 ret = ovpn_new_key(ovpn); 2087 break; 2088 case CMD_DEL_KEY: 2089 ret = ovpn_del_key(ovpn); 2090 break; 2091 case CMD_GET_KEY: 2092 ret = ovpn_get_key(ovpn); 2093 break; 2094 case CMD_SWAP_KEYS: 2095 ret = ovpn_swap_keys(ovpn); 2096 break; 2097 case CMD_LISTEN_MCAST: 2098 ret = ovpn_listen_mcast(); 2099 break; 2100 case CMD_INVALID: 2101 break; 2102 } 2103 2104 return ret; 2105 } 2106 2107 static int ovpn_parse_cmd_args(struct ovpn_ctx *ovpn, int argc, char *argv[]) 2108 { 2109 int ret; 2110 2111 /* no args required for LISTEN_MCAST */ 2112 if (ovpn->cmd == CMD_LISTEN_MCAST) 2113 return 0; 2114 2115 /* all commands need an ifname */ 2116 if (argc < 3) 2117 return -EINVAL; 2118 2119 strscpy(ovpn->ifname, argv[2], IFNAMSIZ - 1); 2120 ovpn->ifname[IFNAMSIZ - 1] = '\0'; 2121 2122 /* all commands, except NEW_IFNAME, needs an ifindex */ 2123 if (ovpn->cmd != CMD_NEW_IFACE) { 2124 ovpn->ifindex = if_nametoindex(ovpn->ifname); 2125 if (!ovpn->ifindex) { 2126 fprintf(stderr, "cannot find interface: %s\n", 2127 strerror(errno)); 2128 return -1; 2129 } 2130 } 2131 2132 switch (ovpn->cmd) { 2133 case CMD_NEW_IFACE: 2134 if (argc < 4) 2135 break; 2136 2137 if (!strcmp(argv[3], "P2P")) { 2138 ovpn->mode = OVPN_MODE_P2P; 2139 } else if (!strcmp(argv[3], "MP")) { 2140 ovpn->mode = OVPN_MODE_MP; 2141 } else { 2142 fprintf(stderr, "Cannot parse iface mode: %s\n", 2143 argv[3]); 2144 return -1; 2145 } 2146 ovpn->mode_set = true; 2147 break; 2148 case CMD_DEL_IFACE: 2149 break; 2150 case CMD_LISTEN: 2151 if (argc < 5) 2152 return -EINVAL; 2153 2154 ovpn->lport = strtoul(argv[3], NULL, 10); 2155 if (errno == ERANGE || ovpn->lport > 65535) { 2156 fprintf(stderr, "lport value out of range\n"); 2157 return -1; 2158 } 2159 2160 ovpn->peers_file = argv[4]; 2161 2162 if (argc > 5 && !strcmp(argv[5], "ipv6")) 2163 ovpn->sa_family = AF_INET6; 2164 break; 2165 case CMD_CONNECT: 2166 if (argc < 6) 2167 return -EINVAL; 2168 2169 ovpn->sa_family = AF_INET; 2170 2171 ret = ovpn_parse_new_peer(ovpn, argv[3], argv[4], argv[5], 2172 NULL); 2173 if (ret < 0) { 2174 fprintf(stderr, "Cannot parse remote peer data\n"); 2175 return -1; 2176 } 2177 2178 if (argc > 6) { 2179 ovpn->key_slot = OVPN_KEY_SLOT_PRIMARY; 2180 ovpn->key_id = 0; 2181 ovpn->cipher = OVPN_CIPHER_ALG_AES_GCM; 2182 ovpn->key_dir = KEY_DIR_OUT; 2183 2184 ret = ovpn_parse_key(argv[6], ovpn); 2185 if (ret) 2186 return -1; 2187 } 2188 break; 2189 case CMD_NEW_PEER: 2190 if (argc < 7) 2191 return -EINVAL; 2192 2193 ovpn->lport = strtoul(argv[4], NULL, 10); 2194 if (errno == ERANGE || ovpn->lport > 65535) { 2195 fprintf(stderr, "lport value out of range\n"); 2196 return -1; 2197 } 2198 2199 const char *vpnip = (argc > 7) ? argv[7] : NULL; 2200 2201 ret = ovpn_parse_new_peer(ovpn, argv[3], argv[5], argv[6], 2202 vpnip); 2203 if (ret < 0) 2204 return -1; 2205 break; 2206 case CMD_NEW_MULTI_PEER: 2207 if (argc < 5) 2208 return -EINVAL; 2209 2210 ovpn->lport = strtoul(argv[3], NULL, 10); 2211 if (errno == ERANGE || ovpn->lport > 65535) { 2212 fprintf(stderr, "lport value out of range\n"); 2213 return -1; 2214 } 2215 2216 ovpn->peers_file = argv[4]; 2217 break; 2218 case CMD_SET_PEER: 2219 if (argc < 6) 2220 return -EINVAL; 2221 2222 ovpn->peer_id = strtoul(argv[3], NULL, 10); 2223 if (errno == ERANGE || ovpn->peer_id > PEER_ID_UNDEF) { 2224 fprintf(stderr, "peer ID value out of range\n"); 2225 return -1; 2226 } 2227 2228 ovpn->keepalive_interval = strtoul(argv[4], NULL, 10); 2229 if (errno == ERANGE) { 2230 fprintf(stderr, 2231 "keepalive interval value out of range\n"); 2232 return -1; 2233 } 2234 2235 ovpn->keepalive_timeout = strtoul(argv[5], NULL, 10); 2236 if (errno == ERANGE) { 2237 fprintf(stderr, 2238 "keepalive interval value out of range\n"); 2239 return -1; 2240 } 2241 break; 2242 case CMD_DEL_PEER: 2243 if (argc < 4) 2244 return -EINVAL; 2245 2246 ovpn->peer_id = strtoul(argv[3], NULL, 10); 2247 if (errno == ERANGE || ovpn->peer_id > PEER_ID_UNDEF) { 2248 fprintf(stderr, "peer ID value out of range\n"); 2249 return -1; 2250 } 2251 break; 2252 case CMD_GET_PEER: 2253 ovpn->peer_id = PEER_ID_UNDEF; 2254 if (argc > 3) { 2255 ovpn->peer_id = strtoul(argv[3], NULL, 10); 2256 if (errno == ERANGE || ovpn->peer_id > PEER_ID_UNDEF) { 2257 fprintf(stderr, "peer ID value out of range\n"); 2258 return -1; 2259 } 2260 } 2261 break; 2262 case CMD_NEW_KEY: 2263 if (argc < 9) 2264 return -EINVAL; 2265 2266 ovpn->peer_id = strtoul(argv[3], NULL, 10); 2267 if (errno == ERANGE) { 2268 fprintf(stderr, "peer ID value out of range\n"); 2269 return -1; 2270 } 2271 2272 ret = ovpn_parse_key_slot(argv[4], ovpn); 2273 if (ret) 2274 return -1; 2275 2276 ovpn->key_id = strtoul(argv[5], NULL, 10); 2277 if (errno == ERANGE || ovpn->key_id > 2) { 2278 fprintf(stderr, "key ID out of range\n"); 2279 return -1; 2280 } 2281 2282 ret = ovpn_parse_cipher(argv[6], ovpn); 2283 if (ret < 0) 2284 return -1; 2285 2286 ret = ovpn_parse_key_direction(argv[7], ovpn); 2287 if (ret < 0) 2288 return -1; 2289 2290 ret = ovpn_parse_key(argv[8], ovpn); 2291 if (ret) 2292 return -1; 2293 break; 2294 case CMD_DEL_KEY: 2295 if (argc < 4) 2296 return -EINVAL; 2297 2298 ovpn->peer_id = strtoul(argv[3], NULL, 10); 2299 if (errno == ERANGE) { 2300 fprintf(stderr, "peer ID value out of range\n"); 2301 return -1; 2302 } 2303 2304 ret = ovpn_parse_key_slot(argv[4], ovpn); 2305 if (ret) 2306 return ret; 2307 break; 2308 case CMD_GET_KEY: 2309 if (argc < 5) 2310 return -EINVAL; 2311 2312 ovpn->peer_id = strtoul(argv[3], NULL, 10); 2313 if (errno == ERANGE) { 2314 fprintf(stderr, "peer ID value out of range\n"); 2315 return -1; 2316 } 2317 2318 ret = ovpn_parse_key_slot(argv[4], ovpn); 2319 if (ret) 2320 return ret; 2321 break; 2322 case CMD_SWAP_KEYS: 2323 if (argc < 4) 2324 return -EINVAL; 2325 2326 ovpn->peer_id = strtoul(argv[3], NULL, 10); 2327 if (errno == ERANGE) { 2328 fprintf(stderr, "peer ID value out of range\n"); 2329 return -1; 2330 } 2331 break; 2332 case CMD_LISTEN_MCAST: 2333 break; 2334 case CMD_INVALID: 2335 break; 2336 } 2337 2338 return 0; 2339 } 2340 2341 int main(int argc, char *argv[]) 2342 { 2343 struct ovpn_ctx ovpn; 2344 int ret; 2345 2346 if (argc < 2) { 2347 usage(argv[0]); 2348 return -1; 2349 } 2350 2351 memset(&ovpn, 0, sizeof(ovpn)); 2352 ovpn.sa_family = AF_INET; 2353 ovpn.cipher = OVPN_CIPHER_ALG_NONE; 2354 2355 ovpn.cmd = ovpn_parse_cmd(argv[1]); 2356 if (ovpn.cmd == CMD_INVALID) { 2357 fprintf(stderr, "Error: unknown command.\n\n"); 2358 usage(argv[0]); 2359 return -1; 2360 } 2361 2362 ret = ovpn_parse_cmd_args(&ovpn, argc, argv); 2363 if (ret < 0) { 2364 fprintf(stderr, "Error: invalid arguments.\n\n"); 2365 if (ret == -EINVAL) 2366 usage(argv[0]); 2367 return ret; 2368 } 2369 2370 ret = ovpn_run_cmd(&ovpn); 2371 if (ret) 2372 fprintf(stderr, "Cannot execute command: %s (%d)\n", 2373 strerror(-ret), ret); 2374 2375 return ret; 2376 } 2377