1 // SPDX-License-Identifier: GPL-2.0 2 /* OpenVPN data channel accelerator 3 * 4 * Copyright (C) 2020-2025 OpenVPN, Inc. 5 * 6 * Author: Antonio Quartulli <antonio@openvpn.net> 7 */ 8 9 #include <stdio.h> 10 #include <inttypes.h> 11 #include <stdbool.h> 12 #include <string.h> 13 #include <errno.h> 14 #include <unistd.h> 15 #include <arpa/inet.h> 16 #include <net/if.h> 17 #include <netinet/in.h> 18 #include <time.h> 19 20 #include <linux/ovpn.h> 21 #include <linux/types.h> 22 #include <linux/netlink.h> 23 24 #include <netlink/socket.h> 25 #include <netlink/netlink.h> 26 #include <netlink/genl/genl.h> 27 #include <netlink/genl/family.h> 28 #include <netlink/genl/ctrl.h> 29 30 #include <mbedtls/base64.h> 31 #include <mbedtls/error.h> 32 33 #include <sys/socket.h> 34 35 #include "kselftest.h" 36 37 /* defines to make checkpatch happy */ 38 #define strscpy strncpy 39 40 /* libnl < 3.5.0 does not set the NLA_F_NESTED on its own, therefore we 41 * have to explicitly do it to prevent the kernel from failing upon 42 * parsing of the message 43 */ 44 #define nla_nest_start(_msg, _type) \ 45 nla_nest_start(_msg, (_type) | NLA_F_NESTED) 46 47 /* libnl < 3.11.0 does not implement nla_get_uint() */ 48 uint64_t ovpn_nla_get_uint(struct nlattr *attr) 49 { 50 if (nla_len(attr) == sizeof(uint32_t)) 51 return nla_get_u32(attr); 52 else 53 return nla_get_u64(attr); 54 } 55 56 typedef int (*ovpn_nl_cb)(struct nl_msg *msg, void *arg); 57 58 enum ovpn_key_direction { 59 KEY_DIR_IN = 0, 60 KEY_DIR_OUT, 61 }; 62 63 #define KEY_LEN (256 / 8) 64 #define NONCE_LEN 8 65 66 #define PEER_ID_UNDEF 0x00FFFFFF 67 #define MAX_PEERS 10 68 69 struct nl_ctx { 70 struct nl_sock *nl_sock; 71 struct nl_msg *nl_msg; 72 struct nl_cb *nl_cb; 73 74 int ovpn_dco_id; 75 }; 76 77 enum ovpn_cmd { 78 CMD_INVALID, 79 CMD_NEW_IFACE, 80 CMD_DEL_IFACE, 81 CMD_LISTEN, 82 CMD_CONNECT, 83 CMD_NEW_PEER, 84 CMD_NEW_MULTI_PEER, 85 CMD_SET_PEER, 86 CMD_DEL_PEER, 87 CMD_GET_PEER, 88 CMD_NEW_KEY, 89 CMD_DEL_KEY, 90 CMD_GET_KEY, 91 CMD_SWAP_KEYS, 92 CMD_LISTEN_MCAST, 93 }; 94 95 struct ovpn_ctx { 96 enum ovpn_cmd cmd; 97 98 __u8 key_enc[KEY_LEN]; 99 __u8 key_dec[KEY_LEN]; 100 __u8 nonce[NONCE_LEN]; 101 102 enum ovpn_cipher_alg cipher; 103 104 sa_family_t sa_family; 105 106 unsigned long peer_id, tx_id; 107 unsigned long lport; 108 109 union { 110 struct sockaddr_in in4; 111 struct sockaddr_in6 in6; 112 } remote; 113 114 union { 115 struct sockaddr_in in4; 116 struct sockaddr_in6 in6; 117 } peer_ip; 118 119 bool peer_ip_set; 120 121 unsigned int ifindex; 122 char ifname[IFNAMSIZ]; 123 enum ovpn_mode mode; 124 bool mode_set; 125 126 int socket; 127 int cli_sockets[MAX_PEERS]; 128 129 __u32 keepalive_interval; 130 __u32 keepalive_timeout; 131 132 enum ovpn_key_direction key_dir; 133 enum ovpn_key_slot key_slot; 134 int key_id; 135 136 bool asymm_id; 137 138 const char *peers_file; 139 }; 140 141 static int ovpn_nl_recvmsgs(struct nl_ctx *ctx) 142 { 143 int ret; 144 145 ret = nl_recvmsgs(ctx->nl_sock, ctx->nl_cb); 146 147 switch (ret) { 148 case -NLE_INTR: 149 fprintf(stderr, 150 "netlink received interrupt due to signal - ignoring\n"); 151 break; 152 case -NLE_NOMEM: 153 fprintf(stderr, "netlink out of memory error\n"); 154 break; 155 case -NLE_AGAIN: 156 fprintf(stderr, 157 "netlink reports blocking read - aborting wait\n"); 158 break; 159 default: 160 if (ret) 161 fprintf(stderr, "netlink reports error (%d): %s\n", 162 ret, nl_geterror(-ret)); 163 break; 164 } 165 166 return ret; 167 } 168 169 static struct nl_ctx *nl_ctx_alloc_flags(struct ovpn_ctx *ovpn, int cmd, 170 int flags) 171 { 172 struct nl_ctx *ctx; 173 int err, ret; 174 175 ctx = calloc(1, sizeof(*ctx)); 176 if (!ctx) 177 return NULL; 178 179 ctx->nl_sock = nl_socket_alloc(); 180 if (!ctx->nl_sock) { 181 fprintf(stderr, "cannot allocate netlink socket\n"); 182 goto err_free; 183 } 184 185 nl_socket_set_buffer_size(ctx->nl_sock, 8192, 8192); 186 187 ret = genl_connect(ctx->nl_sock); 188 if (ret) { 189 fprintf(stderr, "cannot connect to generic netlink: %s\n", 190 nl_geterror(ret)); 191 goto err_sock; 192 } 193 194 /* enable Extended ACK for detailed error reporting */ 195 err = 1; 196 setsockopt(nl_socket_get_fd(ctx->nl_sock), SOL_NETLINK, NETLINK_EXT_ACK, 197 &err, sizeof(err)); 198 199 ctx->ovpn_dco_id = genl_ctrl_resolve(ctx->nl_sock, OVPN_FAMILY_NAME); 200 if (ctx->ovpn_dco_id < 0) { 201 fprintf(stderr, "cannot find ovpn_dco netlink component: %d\n", 202 ctx->ovpn_dco_id); 203 goto err_free; 204 } 205 206 ctx->nl_msg = nlmsg_alloc(); 207 if (!ctx->nl_msg) { 208 fprintf(stderr, "cannot allocate netlink message\n"); 209 goto err_sock; 210 } 211 212 ctx->nl_cb = nl_cb_alloc(NL_CB_DEFAULT); 213 if (!ctx->nl_cb) { 214 fprintf(stderr, "failed to allocate netlink callback\n"); 215 goto err_msg; 216 } 217 218 nl_socket_set_cb(ctx->nl_sock, ctx->nl_cb); 219 220 genlmsg_put(ctx->nl_msg, 0, 0, ctx->ovpn_dco_id, 0, flags, cmd, 0); 221 222 if (ovpn->ifindex > 0) 223 NLA_PUT_U32(ctx->nl_msg, OVPN_A_IFINDEX, ovpn->ifindex); 224 225 return ctx; 226 nla_put_failure: 227 err_msg: 228 nlmsg_free(ctx->nl_msg); 229 err_sock: 230 nl_socket_free(ctx->nl_sock); 231 err_free: 232 free(ctx); 233 return NULL; 234 } 235 236 static struct nl_ctx *nl_ctx_alloc(struct ovpn_ctx *ovpn, int cmd) 237 { 238 return nl_ctx_alloc_flags(ovpn, cmd, 0); 239 } 240 241 static void nl_ctx_free(struct nl_ctx *ctx) 242 { 243 if (!ctx) 244 return; 245 246 nl_socket_free(ctx->nl_sock); 247 nlmsg_free(ctx->nl_msg); 248 nl_cb_put(ctx->nl_cb); 249 free(ctx); 250 } 251 252 static int ovpn_nl_cb_error(struct sockaddr_nl (*nla)__always_unused, 253 struct nlmsgerr *err, void *arg) 254 { 255 struct nlmsghdr *nlh = (struct nlmsghdr *)err - 1; 256 struct nlattr *tb_msg[NLMSGERR_ATTR_MAX + 1]; 257 int len = nlh->nlmsg_len; 258 struct nlattr *attrs; 259 int *ret = arg; 260 int ack_len = sizeof(*nlh) + sizeof(int) + sizeof(*nlh); 261 262 *ret = err->error; 263 264 if (!(nlh->nlmsg_flags & NLM_F_ACK_TLVS)) 265 return NL_STOP; 266 267 if (!(nlh->nlmsg_flags & NLM_F_CAPPED)) 268 ack_len += err->msg.nlmsg_len - sizeof(*nlh); 269 270 if (len <= ack_len) 271 return NL_STOP; 272 273 attrs = (void *)((uint8_t *)nlh + ack_len); 274 len -= ack_len; 275 276 nla_parse(tb_msg, NLMSGERR_ATTR_MAX, attrs, len, NULL); 277 if (tb_msg[NLMSGERR_ATTR_MSG]) { 278 len = strnlen((char *)nla_data(tb_msg[NLMSGERR_ATTR_MSG]), 279 nla_len(tb_msg[NLMSGERR_ATTR_MSG])); 280 fprintf(stderr, "kernel error: %*s\n", len, 281 (char *)nla_data(tb_msg[NLMSGERR_ATTR_MSG])); 282 } 283 284 if (tb_msg[NLMSGERR_ATTR_MISS_NEST]) { 285 fprintf(stderr, "missing required nesting type %u\n", 286 nla_get_u32(tb_msg[NLMSGERR_ATTR_MISS_NEST])); 287 } 288 289 if (tb_msg[NLMSGERR_ATTR_MISS_TYPE]) { 290 fprintf(stderr, "missing required attribute type %u\n", 291 nla_get_u32(tb_msg[NLMSGERR_ATTR_MISS_TYPE])); 292 } 293 294 return NL_STOP; 295 } 296 297 static int ovpn_nl_cb_finish(struct nl_msg (*msg)__always_unused, 298 void *arg) 299 { 300 int *status = arg; 301 302 *status = 0; 303 return NL_SKIP; 304 } 305 306 static int ovpn_nl_cb_ack(struct nl_msg (*msg)__always_unused, 307 void *arg) 308 { 309 int *status = arg; 310 311 *status = 0; 312 return NL_STOP; 313 } 314 315 static int ovpn_nl_msg_send(struct nl_ctx *ctx, ovpn_nl_cb cb) 316 { 317 int status = 1; 318 319 nl_cb_err(ctx->nl_cb, NL_CB_CUSTOM, ovpn_nl_cb_error, &status); 320 nl_cb_set(ctx->nl_cb, NL_CB_FINISH, NL_CB_CUSTOM, ovpn_nl_cb_finish, 321 &status); 322 nl_cb_set(ctx->nl_cb, NL_CB_ACK, NL_CB_CUSTOM, ovpn_nl_cb_ack, &status); 323 324 if (cb) 325 nl_cb_set(ctx->nl_cb, NL_CB_VALID, NL_CB_CUSTOM, cb, ctx); 326 327 nl_send_auto_complete(ctx->nl_sock, ctx->nl_msg); 328 329 while (status == 1) 330 ovpn_nl_recvmsgs(ctx); 331 332 if (status < 0) 333 fprintf(stderr, "failed to send netlink message: %s (%d)\n", 334 strerror(-status), status); 335 336 return status; 337 } 338 339 static int ovpn_parse_key(const char *file, struct ovpn_ctx *ctx) 340 { 341 int idx_enc, idx_dec, ret = -1; 342 unsigned char *ckey = NULL; 343 __u8 *bkey = NULL; 344 size_t olen = 0; 345 long ckey_len; 346 FILE *fp; 347 348 fp = fopen(file, "r"); 349 if (!fp) { 350 fprintf(stderr, "cannot open: %s\n", file); 351 return -1; 352 } 353 354 /* get file size */ 355 fseek(fp, 0L, SEEK_END); 356 ckey_len = ftell(fp); 357 rewind(fp); 358 359 /* if the file is longer, let's just read a portion */ 360 if (ckey_len > 256) 361 ckey_len = 256; 362 363 ckey = malloc(ckey_len); 364 if (!ckey) 365 goto err; 366 367 ret = fread(ckey, 1, ckey_len, fp); 368 if (ret != ckey_len) { 369 fprintf(stderr, 370 "couldn't read enough data from key file: %dbytes read\n", 371 ret); 372 goto err; 373 } 374 375 olen = 0; 376 ret = mbedtls_base64_decode(NULL, 0, &olen, ckey, ckey_len); 377 if (ret != MBEDTLS_ERR_BASE64_BUFFER_TOO_SMALL) { 378 char buf[256]; 379 380 mbedtls_strerror(ret, buf, sizeof(buf)); 381 fprintf(stderr, "unexpected base64 error1: %s (%d)\n", buf, 382 ret); 383 384 goto err; 385 } 386 387 bkey = malloc(olen); 388 if (!bkey) { 389 fprintf(stderr, "cannot allocate binary key buffer\n"); 390 goto err; 391 } 392 393 ret = mbedtls_base64_decode(bkey, olen, &olen, ckey, ckey_len); 394 if (ret) { 395 char buf[256]; 396 397 mbedtls_strerror(ret, buf, sizeof(buf)); 398 fprintf(stderr, "unexpected base64 error2: %s (%d)\n", buf, 399 ret); 400 401 goto err; 402 } 403 404 if (olen < 2 * KEY_LEN + NONCE_LEN) { 405 fprintf(stderr, 406 "not enough data in key file, found %zdB but needs %dB\n", 407 olen, 2 * KEY_LEN + NONCE_LEN); 408 goto err; 409 } 410 411 switch (ctx->key_dir) { 412 case KEY_DIR_IN: 413 idx_enc = 0; 414 idx_dec = 1; 415 break; 416 case KEY_DIR_OUT: 417 idx_enc = 1; 418 idx_dec = 0; 419 break; 420 default: 421 goto err; 422 } 423 424 memcpy(ctx->key_enc, bkey + KEY_LEN * idx_enc, KEY_LEN); 425 memcpy(ctx->key_dec, bkey + KEY_LEN * idx_dec, KEY_LEN); 426 memcpy(ctx->nonce, bkey + 2 * KEY_LEN, NONCE_LEN); 427 428 ret = 0; 429 430 err: 431 fclose(fp); 432 free(bkey); 433 free(ckey); 434 435 return ret; 436 } 437 438 static int ovpn_parse_cipher(const char *cipher, struct ovpn_ctx *ctx) 439 { 440 if (strcmp(cipher, "aes") == 0) 441 ctx->cipher = OVPN_CIPHER_ALG_AES_GCM; 442 else if (strcmp(cipher, "chachapoly") == 0) 443 ctx->cipher = OVPN_CIPHER_ALG_CHACHA20_POLY1305; 444 else if (strcmp(cipher, "none") == 0) 445 ctx->cipher = OVPN_CIPHER_ALG_NONE; 446 else 447 return -ENOTSUP; 448 449 return 0; 450 } 451 452 static int ovpn_parse_key_direction(const char *dir, struct ovpn_ctx *ctx) 453 { 454 int in_dir; 455 456 in_dir = strtoll(dir, NULL, 10); 457 switch (in_dir) { 458 case KEY_DIR_IN: 459 case KEY_DIR_OUT: 460 ctx->key_dir = in_dir; 461 break; 462 default: 463 fprintf(stderr, 464 "invalid key direction provided. Can be 0 or 1 only\n"); 465 return -1; 466 } 467 468 return 0; 469 } 470 471 static int ovpn_socket(struct ovpn_ctx *ctx, sa_family_t family, int proto) 472 { 473 struct sockaddr_storage local_sock = { 0 }; 474 struct sockaddr_in6 *in6; 475 struct sockaddr_in *in; 476 int ret, s, sock_type; 477 size_t sock_len; 478 479 if (proto == IPPROTO_UDP) 480 sock_type = SOCK_DGRAM; 481 else if (proto == IPPROTO_TCP) 482 sock_type = SOCK_STREAM; 483 else 484 return -EINVAL; 485 486 s = socket(family, sock_type, 0); 487 if (s < 0) { 488 perror("cannot create socket"); 489 return -1; 490 } 491 492 switch (family) { 493 case AF_INET: 494 in = (struct sockaddr_in *)&local_sock; 495 in->sin_family = family; 496 in->sin_port = htons(ctx->lport); 497 in->sin_addr.s_addr = htonl(INADDR_ANY); 498 sock_len = sizeof(*in); 499 break; 500 case AF_INET6: 501 in6 = (struct sockaddr_in6 *)&local_sock; 502 in6->sin6_family = family; 503 in6->sin6_port = htons(ctx->lport); 504 in6->sin6_addr = in6addr_any; 505 sock_len = sizeof(*in6); 506 break; 507 default: 508 return -1; 509 } 510 511 int opt = 1; 512 513 ret = setsockopt(s, SOL_SOCKET, SO_REUSEADDR, &opt, sizeof(opt)); 514 515 if (ret < 0) { 516 perror("setsockopt for SO_REUSEADDR"); 517 return ret; 518 } 519 520 ret = setsockopt(s, SOL_SOCKET, SO_REUSEPORT, &opt, sizeof(opt)); 521 if (ret < 0) { 522 perror("setsockopt for SO_REUSEPORT"); 523 return ret; 524 } 525 526 if (family == AF_INET6) { 527 opt = 0; 528 if (setsockopt(s, IPPROTO_IPV6, IPV6_V6ONLY, &opt, 529 sizeof(opt))) { 530 perror("failed to set IPV6_V6ONLY"); 531 return -1; 532 } 533 } 534 535 ret = bind(s, (struct sockaddr *)&local_sock, sock_len); 536 if (ret < 0) { 537 perror("cannot bind socket"); 538 goto err_socket; 539 } 540 541 ctx->socket = s; 542 ctx->sa_family = family; 543 return 0; 544 545 err_socket: 546 close(s); 547 return -1; 548 } 549 550 static int ovpn_udp_socket(struct ovpn_ctx *ctx, sa_family_t family) 551 { 552 return ovpn_socket(ctx, family, IPPROTO_UDP); 553 } 554 555 static int ovpn_listen(struct ovpn_ctx *ctx, sa_family_t family) 556 { 557 int ret; 558 559 ret = ovpn_socket(ctx, family, IPPROTO_TCP); 560 if (ret < 0) 561 return ret; 562 563 ret = listen(ctx->socket, 10); 564 if (ret < 0) { 565 perror("listen"); 566 close(ctx->socket); 567 return -1; 568 } 569 570 return 0; 571 } 572 573 static int ovpn_accept(struct ovpn_ctx *ctx) 574 { 575 socklen_t socklen; 576 int ret; 577 578 socklen = sizeof(ctx->remote); 579 ret = accept(ctx->socket, (struct sockaddr *)&ctx->remote, &socklen); 580 if (ret < 0) { 581 perror("accept"); 582 goto err; 583 } 584 585 fprintf(stderr, "Connection received!\n"); 586 587 switch (socklen) { 588 case sizeof(struct sockaddr_in): 589 case sizeof(struct sockaddr_in6): 590 break; 591 default: 592 fprintf(stderr, "error: expecting IPv4 or IPv6 connection\n"); 593 close(ret); 594 ret = -EINVAL; 595 goto err; 596 } 597 598 return ret; 599 err: 600 close(ctx->socket); 601 return ret; 602 } 603 604 static int ovpn_connect(struct ovpn_ctx *ovpn) 605 { 606 socklen_t socklen; 607 int s, ret; 608 609 s = socket(ovpn->remote.in4.sin_family, SOCK_STREAM, 0); 610 if (s < 0) { 611 perror("cannot create socket"); 612 return -1; 613 } 614 615 switch (ovpn->remote.in4.sin_family) { 616 case AF_INET: 617 socklen = sizeof(struct sockaddr_in); 618 break; 619 case AF_INET6: 620 socklen = sizeof(struct sockaddr_in6); 621 break; 622 default: 623 return -EOPNOTSUPP; 624 } 625 626 ret = connect(s, (struct sockaddr *)&ovpn->remote, socklen); 627 if (ret < 0) { 628 perror("connect"); 629 goto err; 630 } 631 632 fprintf(stderr, "connected\n"); 633 634 ovpn->socket = s; 635 636 return 0; 637 err: 638 close(s); 639 return ret; 640 } 641 642 static int ovpn_new_peer(struct ovpn_ctx *ovpn, bool is_tcp) 643 { 644 struct nlattr *attr; 645 struct nl_ctx *ctx; 646 int ret = -1; 647 648 ctx = nl_ctx_alloc(ovpn, OVPN_CMD_PEER_NEW); 649 if (!ctx) 650 return -ENOMEM; 651 652 attr = nla_nest_start(ctx->nl_msg, OVPN_A_PEER); 653 NLA_PUT_U32(ctx->nl_msg, OVPN_A_PEER_ID, ovpn->peer_id); 654 if (ovpn->asymm_id) 655 NLA_PUT_U32(ctx->nl_msg, OVPN_A_PEER_TX_ID, ovpn->tx_id); 656 NLA_PUT_U32(ctx->nl_msg, OVPN_A_PEER_SOCKET, ovpn->socket); 657 658 if (!is_tcp) { 659 switch (ovpn->remote.in4.sin_family) { 660 case AF_INET: 661 NLA_PUT_U32(ctx->nl_msg, OVPN_A_PEER_REMOTE_IPV4, 662 ovpn->remote.in4.sin_addr.s_addr); 663 NLA_PUT_U16(ctx->nl_msg, OVPN_A_PEER_REMOTE_PORT, 664 ovpn->remote.in4.sin_port); 665 break; 666 case AF_INET6: 667 NLA_PUT(ctx->nl_msg, OVPN_A_PEER_REMOTE_IPV6, 668 sizeof(ovpn->remote.in6.sin6_addr), 669 &ovpn->remote.in6.sin6_addr); 670 NLA_PUT_U32(ctx->nl_msg, 671 OVPN_A_PEER_REMOTE_IPV6_SCOPE_ID, 672 ovpn->remote.in6.sin6_scope_id); 673 NLA_PUT_U16(ctx->nl_msg, OVPN_A_PEER_REMOTE_PORT, 674 ovpn->remote.in6.sin6_port); 675 break; 676 default: 677 fprintf(stderr, 678 "Invalid family for remote socket address\n"); 679 goto nla_put_failure; 680 } 681 } 682 683 if (ovpn->peer_ip_set) { 684 switch (ovpn->peer_ip.in4.sin_family) { 685 case AF_INET: 686 NLA_PUT_U32(ctx->nl_msg, OVPN_A_PEER_VPN_IPV4, 687 ovpn->peer_ip.in4.sin_addr.s_addr); 688 break; 689 case AF_INET6: 690 NLA_PUT(ctx->nl_msg, OVPN_A_PEER_VPN_IPV6, 691 sizeof(struct in6_addr), 692 &ovpn->peer_ip.in6.sin6_addr); 693 break; 694 default: 695 fprintf(stderr, "Invalid family for peer address\n"); 696 goto nla_put_failure; 697 } 698 } 699 700 nla_nest_end(ctx->nl_msg, attr); 701 702 ret = ovpn_nl_msg_send(ctx, NULL); 703 nla_put_failure: 704 nl_ctx_free(ctx); 705 return ret; 706 } 707 708 static int ovpn_set_peer(struct ovpn_ctx *ovpn) 709 { 710 struct nlattr *attr; 711 struct nl_ctx *ctx; 712 int ret = -1; 713 714 ctx = nl_ctx_alloc(ovpn, OVPN_CMD_PEER_SET); 715 if (!ctx) 716 return -ENOMEM; 717 718 attr = nla_nest_start(ctx->nl_msg, OVPN_A_PEER); 719 NLA_PUT_U32(ctx->nl_msg, OVPN_A_PEER_ID, ovpn->peer_id); 720 NLA_PUT_U32(ctx->nl_msg, OVPN_A_PEER_KEEPALIVE_INTERVAL, 721 ovpn->keepalive_interval); 722 NLA_PUT_U32(ctx->nl_msg, OVPN_A_PEER_KEEPALIVE_TIMEOUT, 723 ovpn->keepalive_timeout); 724 nla_nest_end(ctx->nl_msg, attr); 725 726 ret = ovpn_nl_msg_send(ctx, NULL); 727 nla_put_failure: 728 nl_ctx_free(ctx); 729 return ret; 730 } 731 732 static int ovpn_del_peer(struct ovpn_ctx *ovpn) 733 { 734 struct nlattr *attr; 735 struct nl_ctx *ctx; 736 int ret = -1; 737 738 ctx = nl_ctx_alloc(ovpn, OVPN_CMD_PEER_DEL); 739 if (!ctx) 740 return -ENOMEM; 741 742 attr = nla_nest_start(ctx->nl_msg, OVPN_A_PEER); 743 NLA_PUT_U32(ctx->nl_msg, OVPN_A_PEER_ID, ovpn->peer_id); 744 nla_nest_end(ctx->nl_msg, attr); 745 746 ret = ovpn_nl_msg_send(ctx, NULL); 747 nla_put_failure: 748 nl_ctx_free(ctx); 749 return ret; 750 } 751 752 static int ovpn_handle_peer(struct nl_msg *msg, void (*arg)__always_unused) 753 { 754 struct nlattr *pattrs[OVPN_A_PEER_MAX + 1]; 755 struct genlmsghdr *gnlh = nlmsg_data(nlmsg_hdr(msg)); 756 struct nlattr *attrs[OVPN_A_MAX + 1]; 757 __u16 rport = 0, lport = 0; 758 759 nla_parse(attrs, OVPN_A_MAX, genlmsg_attrdata(gnlh, 0), 760 genlmsg_attrlen(gnlh, 0), NULL); 761 762 if (!attrs[OVPN_A_PEER]) { 763 fprintf(stderr, "no packet content in netlink message\n"); 764 return NL_SKIP; 765 } 766 767 nla_parse(pattrs, OVPN_A_PEER_MAX, nla_data(attrs[OVPN_A_PEER]), 768 nla_len(attrs[OVPN_A_PEER]), NULL); 769 770 if (pattrs[OVPN_A_PEER_ID]) 771 fprintf(stderr, "* Peer %u\n", 772 nla_get_u32(pattrs[OVPN_A_PEER_ID])); 773 774 if (pattrs[OVPN_A_PEER_TX_ID]) 775 fprintf(stderr, "\tTX peer ID %u\n", 776 nla_get_u32(pattrs[OVPN_A_PEER_TX_ID])); 777 778 if (pattrs[OVPN_A_PEER_SOCKET_NETNSID]) 779 fprintf(stderr, "\tsocket NetNS ID: %d\n", 780 nla_get_s32(pattrs[OVPN_A_PEER_SOCKET_NETNSID])); 781 782 if (pattrs[OVPN_A_PEER_VPN_IPV4]) { 783 char buf[INET_ADDRSTRLEN]; 784 785 inet_ntop(AF_INET, nla_data(pattrs[OVPN_A_PEER_VPN_IPV4]), 786 buf, sizeof(buf)); 787 fprintf(stderr, "\tVPN IPv4: %s\n", buf); 788 } 789 790 if (pattrs[OVPN_A_PEER_VPN_IPV6]) { 791 char buf[INET6_ADDRSTRLEN]; 792 793 inet_ntop(AF_INET6, nla_data(pattrs[OVPN_A_PEER_VPN_IPV6]), 794 buf, sizeof(buf)); 795 fprintf(stderr, "\tVPN IPv6: %s\n", buf); 796 } 797 798 if (pattrs[OVPN_A_PEER_LOCAL_PORT]) 799 lport = ntohs(nla_get_u16(pattrs[OVPN_A_PEER_LOCAL_PORT])); 800 801 if (pattrs[OVPN_A_PEER_REMOTE_PORT]) 802 rport = ntohs(nla_get_u16(pattrs[OVPN_A_PEER_REMOTE_PORT])); 803 804 if (pattrs[OVPN_A_PEER_REMOTE_IPV6]) { 805 void *ip = pattrs[OVPN_A_PEER_REMOTE_IPV6]; 806 char buf[INET6_ADDRSTRLEN]; 807 int scope_id = -1; 808 809 if (pattrs[OVPN_A_PEER_REMOTE_IPV6_SCOPE_ID]) { 810 void *p = pattrs[OVPN_A_PEER_REMOTE_IPV6_SCOPE_ID]; 811 812 scope_id = nla_get_u32(p); 813 } 814 815 inet_ntop(AF_INET6, nla_data(ip), buf, sizeof(buf)); 816 fprintf(stderr, "\tRemote: %s:%hu (scope-id: %u)\n", buf, rport, 817 scope_id); 818 819 if (pattrs[OVPN_A_PEER_LOCAL_IPV6]) { 820 void *ip = pattrs[OVPN_A_PEER_LOCAL_IPV6]; 821 822 inet_ntop(AF_INET6, nla_data(ip), buf, sizeof(buf)); 823 fprintf(stderr, "\tLocal: %s:%hu\n", buf, lport); 824 } 825 } 826 827 if (pattrs[OVPN_A_PEER_REMOTE_IPV4]) { 828 void *ip = pattrs[OVPN_A_PEER_REMOTE_IPV4]; 829 char buf[INET_ADDRSTRLEN]; 830 831 inet_ntop(AF_INET, nla_data(ip), buf, sizeof(buf)); 832 fprintf(stderr, "\tRemote: %s:%hu\n", buf, rport); 833 834 if (pattrs[OVPN_A_PEER_LOCAL_IPV4]) { 835 void *p = pattrs[OVPN_A_PEER_LOCAL_IPV4]; 836 837 inet_ntop(AF_INET, nla_data(p), buf, sizeof(buf)); 838 fprintf(stderr, "\tLocal: %s:%hu\n", buf, lport); 839 } 840 } 841 842 if (pattrs[OVPN_A_PEER_KEEPALIVE_INTERVAL]) { 843 void *p = pattrs[OVPN_A_PEER_KEEPALIVE_INTERVAL]; 844 845 fprintf(stderr, "\tKeepalive interval: %u sec\n", 846 nla_get_u32(p)); 847 } 848 849 if (pattrs[OVPN_A_PEER_KEEPALIVE_TIMEOUT]) 850 fprintf(stderr, "\tKeepalive timeout: %u sec\n", 851 nla_get_u32(pattrs[OVPN_A_PEER_KEEPALIVE_TIMEOUT])); 852 853 if (pattrs[OVPN_A_PEER_VPN_RX_BYTES]) 854 fprintf(stderr, "\tVPN RX bytes: %" PRIu64 "\n", 855 ovpn_nla_get_uint(pattrs[OVPN_A_PEER_VPN_RX_BYTES])); 856 857 if (pattrs[OVPN_A_PEER_VPN_TX_BYTES]) 858 fprintf(stderr, "\tVPN TX bytes: %" PRIu64 "\n", 859 ovpn_nla_get_uint(pattrs[OVPN_A_PEER_VPN_TX_BYTES])); 860 861 if (pattrs[OVPN_A_PEER_VPN_RX_PACKETS]) 862 fprintf(stderr, "\tVPN RX packets: %" PRIu64 "\n", 863 ovpn_nla_get_uint(pattrs[OVPN_A_PEER_VPN_RX_PACKETS])); 864 865 if (pattrs[OVPN_A_PEER_VPN_TX_PACKETS]) 866 fprintf(stderr, "\tVPN TX packets: %" PRIu64 "\n", 867 ovpn_nla_get_uint(pattrs[OVPN_A_PEER_VPN_TX_PACKETS])); 868 869 if (pattrs[OVPN_A_PEER_LINK_RX_BYTES]) 870 fprintf(stderr, "\tLINK RX bytes: %" PRIu64 "\n", 871 ovpn_nla_get_uint(pattrs[OVPN_A_PEER_LINK_RX_BYTES])); 872 873 if (pattrs[OVPN_A_PEER_LINK_TX_BYTES]) 874 fprintf(stderr, "\tLINK TX bytes: %" PRIu64 "\n", 875 ovpn_nla_get_uint(pattrs[OVPN_A_PEER_LINK_TX_BYTES])); 876 877 if (pattrs[OVPN_A_PEER_LINK_RX_PACKETS]) 878 fprintf(stderr, "\tLINK RX packets: %" PRIu64 "\n", 879 ovpn_nla_get_uint(pattrs[OVPN_A_PEER_LINK_RX_PACKETS])); 880 881 if (pattrs[OVPN_A_PEER_LINK_TX_PACKETS]) 882 fprintf(stderr, "\tLINK TX packets: %" PRIu64 "\n", 883 ovpn_nla_get_uint(pattrs[OVPN_A_PEER_LINK_TX_PACKETS])); 884 885 return NL_SKIP; 886 } 887 888 static int ovpn_get_peer(struct ovpn_ctx *ovpn) 889 { 890 int flags = 0, ret = -1; 891 struct nlattr *attr; 892 struct nl_ctx *ctx; 893 894 if (ovpn->peer_id == PEER_ID_UNDEF) 895 flags = NLM_F_DUMP; 896 897 ctx = nl_ctx_alloc_flags(ovpn, OVPN_CMD_PEER_GET, flags); 898 if (!ctx) 899 return -ENOMEM; 900 901 if (ovpn->peer_id != PEER_ID_UNDEF) { 902 attr = nla_nest_start(ctx->nl_msg, OVPN_A_PEER); 903 NLA_PUT_U32(ctx->nl_msg, OVPN_A_PEER_ID, ovpn->peer_id); 904 nla_nest_end(ctx->nl_msg, attr); 905 } 906 907 ret = ovpn_nl_msg_send(ctx, ovpn_handle_peer); 908 nla_put_failure: 909 nl_ctx_free(ctx); 910 return ret; 911 } 912 913 static int ovpn_new_key(struct ovpn_ctx *ovpn) 914 { 915 struct nlattr *keyconf, *key_dir; 916 struct nl_ctx *ctx; 917 int ret = -1; 918 919 ctx = nl_ctx_alloc(ovpn, OVPN_CMD_KEY_NEW); 920 if (!ctx) 921 return -ENOMEM; 922 923 keyconf = nla_nest_start(ctx->nl_msg, OVPN_A_KEYCONF); 924 NLA_PUT_U32(ctx->nl_msg, OVPN_A_KEYCONF_PEER_ID, ovpn->peer_id); 925 NLA_PUT_U32(ctx->nl_msg, OVPN_A_KEYCONF_SLOT, ovpn->key_slot); 926 NLA_PUT_U32(ctx->nl_msg, OVPN_A_KEYCONF_KEY_ID, ovpn->key_id); 927 NLA_PUT_U32(ctx->nl_msg, OVPN_A_KEYCONF_CIPHER_ALG, ovpn->cipher); 928 929 key_dir = nla_nest_start(ctx->nl_msg, OVPN_A_KEYCONF_ENCRYPT_DIR); 930 NLA_PUT(ctx->nl_msg, OVPN_A_KEYDIR_CIPHER_KEY, KEY_LEN, ovpn->key_enc); 931 NLA_PUT(ctx->nl_msg, OVPN_A_KEYDIR_NONCE_TAIL, NONCE_LEN, ovpn->nonce); 932 nla_nest_end(ctx->nl_msg, key_dir); 933 934 key_dir = nla_nest_start(ctx->nl_msg, OVPN_A_KEYCONF_DECRYPT_DIR); 935 NLA_PUT(ctx->nl_msg, OVPN_A_KEYDIR_CIPHER_KEY, KEY_LEN, ovpn->key_dec); 936 NLA_PUT(ctx->nl_msg, OVPN_A_KEYDIR_NONCE_TAIL, NONCE_LEN, ovpn->nonce); 937 nla_nest_end(ctx->nl_msg, key_dir); 938 939 nla_nest_end(ctx->nl_msg, keyconf); 940 941 ret = ovpn_nl_msg_send(ctx, NULL); 942 nla_put_failure: 943 nl_ctx_free(ctx); 944 return ret; 945 } 946 947 static int ovpn_del_key(struct ovpn_ctx *ovpn) 948 { 949 struct nlattr *keyconf; 950 struct nl_ctx *ctx; 951 int ret = -1; 952 953 ctx = nl_ctx_alloc(ovpn, OVPN_CMD_KEY_DEL); 954 if (!ctx) 955 return -ENOMEM; 956 957 keyconf = nla_nest_start(ctx->nl_msg, OVPN_A_KEYCONF); 958 NLA_PUT_U32(ctx->nl_msg, OVPN_A_KEYCONF_PEER_ID, ovpn->peer_id); 959 NLA_PUT_U32(ctx->nl_msg, OVPN_A_KEYCONF_SLOT, ovpn->key_slot); 960 nla_nest_end(ctx->nl_msg, keyconf); 961 962 ret = ovpn_nl_msg_send(ctx, NULL); 963 nla_put_failure: 964 nl_ctx_free(ctx); 965 return ret; 966 } 967 968 static int ovpn_handle_key(struct nl_msg *msg, void (*arg)__always_unused) 969 { 970 struct nlattr *kattrs[OVPN_A_KEYCONF_MAX + 1]; 971 struct genlmsghdr *gnlh = nlmsg_data(nlmsg_hdr(msg)); 972 struct nlattr *attrs[OVPN_A_MAX + 1]; 973 974 nla_parse(attrs, OVPN_A_MAX, genlmsg_attrdata(gnlh, 0), 975 genlmsg_attrlen(gnlh, 0), NULL); 976 977 if (!attrs[OVPN_A_KEYCONF]) { 978 fprintf(stderr, "no packet content in netlink message\n"); 979 return NL_SKIP; 980 } 981 982 nla_parse(kattrs, OVPN_A_KEYCONF_MAX, nla_data(attrs[OVPN_A_KEYCONF]), 983 nla_len(attrs[OVPN_A_KEYCONF]), NULL); 984 985 if (kattrs[OVPN_A_KEYCONF_PEER_ID]) 986 fprintf(stderr, "* Peer %u\n", 987 nla_get_u32(kattrs[OVPN_A_KEYCONF_PEER_ID])); 988 if (kattrs[OVPN_A_KEYCONF_SLOT]) { 989 fprintf(stderr, "\t- Slot: "); 990 switch (nla_get_u32(kattrs[OVPN_A_KEYCONF_SLOT])) { 991 case OVPN_KEY_SLOT_PRIMARY: 992 fprintf(stderr, "primary\n"); 993 break; 994 case OVPN_KEY_SLOT_SECONDARY: 995 fprintf(stderr, "secondary\n"); 996 break; 997 default: 998 fprintf(stderr, "invalid (%u)\n", 999 nla_get_u32(kattrs[OVPN_A_KEYCONF_SLOT])); 1000 break; 1001 } 1002 } 1003 if (kattrs[OVPN_A_KEYCONF_KEY_ID]) 1004 fprintf(stderr, "\t- Key ID: %u\n", 1005 nla_get_u32(kattrs[OVPN_A_KEYCONF_KEY_ID])); 1006 if (kattrs[OVPN_A_KEYCONF_CIPHER_ALG]) { 1007 fprintf(stderr, "\t- Cipher: "); 1008 switch (nla_get_u32(kattrs[OVPN_A_KEYCONF_CIPHER_ALG])) { 1009 case OVPN_CIPHER_ALG_NONE: 1010 fprintf(stderr, "none\n"); 1011 break; 1012 case OVPN_CIPHER_ALG_AES_GCM: 1013 fprintf(stderr, "aes-gcm\n"); 1014 break; 1015 case OVPN_CIPHER_ALG_CHACHA20_POLY1305: 1016 fprintf(stderr, "chacha20poly1305\n"); 1017 break; 1018 default: 1019 fprintf(stderr, "invalid (%u)\n", 1020 nla_get_u32(kattrs[OVPN_A_KEYCONF_CIPHER_ALG])); 1021 break; 1022 } 1023 } 1024 1025 return NL_SKIP; 1026 } 1027 1028 static int ovpn_get_key(struct ovpn_ctx *ovpn) 1029 { 1030 struct nlattr *keyconf; 1031 struct nl_ctx *ctx; 1032 int ret = -1; 1033 1034 ctx = nl_ctx_alloc(ovpn, OVPN_CMD_KEY_GET); 1035 if (!ctx) 1036 return -ENOMEM; 1037 1038 keyconf = nla_nest_start(ctx->nl_msg, OVPN_A_KEYCONF); 1039 NLA_PUT_U32(ctx->nl_msg, OVPN_A_KEYCONF_PEER_ID, ovpn->peer_id); 1040 NLA_PUT_U32(ctx->nl_msg, OVPN_A_KEYCONF_SLOT, ovpn->key_slot); 1041 nla_nest_end(ctx->nl_msg, keyconf); 1042 1043 ret = ovpn_nl_msg_send(ctx, ovpn_handle_key); 1044 nla_put_failure: 1045 nl_ctx_free(ctx); 1046 return ret; 1047 } 1048 1049 static int ovpn_swap_keys(struct ovpn_ctx *ovpn) 1050 { 1051 struct nl_ctx *ctx; 1052 struct nlattr *kc; 1053 int ret = -1; 1054 1055 ctx = nl_ctx_alloc(ovpn, OVPN_CMD_KEY_SWAP); 1056 if (!ctx) 1057 return -ENOMEM; 1058 1059 kc = nla_nest_start(ctx->nl_msg, OVPN_A_KEYCONF); 1060 NLA_PUT_U32(ctx->nl_msg, OVPN_A_KEYCONF_PEER_ID, ovpn->peer_id); 1061 nla_nest_end(ctx->nl_msg, kc); 1062 1063 ret = ovpn_nl_msg_send(ctx, NULL); 1064 nla_put_failure: 1065 nl_ctx_free(ctx); 1066 return ret; 1067 } 1068 1069 /* Helper function used to easily add attributes to a rtnl message */ 1070 static int ovpn_addattr(struct nlmsghdr *n, int maxlen, int type, 1071 const void *data, int alen) 1072 { 1073 int len = RTA_LENGTH(alen); 1074 struct rtattr *rta; 1075 1076 if ((int)(NLMSG_ALIGN(n->nlmsg_len) + RTA_ALIGN(len)) > maxlen) { 1077 fprintf(stderr, "%s: rtnl: message exceeded bound of %d\n", 1078 __func__, maxlen); 1079 return -EMSGSIZE; 1080 } 1081 1082 rta = nlmsg_tail(n); 1083 rta->rta_type = type; 1084 rta->rta_len = len; 1085 1086 if (!data) 1087 memset(RTA_DATA(rta), 0, alen); 1088 else 1089 memcpy(RTA_DATA(rta), data, alen); 1090 1091 n->nlmsg_len = NLMSG_ALIGN(n->nlmsg_len) + RTA_ALIGN(len); 1092 1093 return 0; 1094 } 1095 1096 static struct rtattr *ovpn_nest_start(struct nlmsghdr *msg, size_t max_size, 1097 int attr) 1098 { 1099 struct rtattr *nest = nlmsg_tail(msg); 1100 1101 if (ovpn_addattr(msg, max_size, attr, NULL, 0) < 0) 1102 return NULL; 1103 1104 return nest; 1105 } 1106 1107 static void ovpn_nest_end(struct nlmsghdr *msg, struct rtattr *nest) 1108 { 1109 nest->rta_len = (uint8_t *)nlmsg_tail(msg) - (uint8_t *)nest; 1110 } 1111 1112 #define RT_SNDBUF_SIZE (1024 * 2) 1113 #define RT_RCVBUF_SIZE (1024 * 4) 1114 1115 /* Open RTNL socket */ 1116 static int ovpn_rt_socket(void) 1117 { 1118 int sndbuf = RT_SNDBUF_SIZE, rcvbuf = RT_RCVBUF_SIZE, fd; 1119 1120 fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE); 1121 if (fd < 0) { 1122 fprintf(stderr, "%s: cannot open netlink socket\n", __func__); 1123 return fd; 1124 } 1125 1126 if (setsockopt(fd, SOL_SOCKET, SO_SNDBUF, &sndbuf, 1127 sizeof(sndbuf)) < 0) { 1128 fprintf(stderr, "%s: SO_SNDBUF\n", __func__); 1129 close(fd); 1130 return -1; 1131 } 1132 1133 if (setsockopt(fd, SOL_SOCKET, SO_RCVBUF, &rcvbuf, 1134 sizeof(rcvbuf)) < 0) { 1135 fprintf(stderr, "%s: SO_RCVBUF\n", __func__); 1136 close(fd); 1137 return -1; 1138 } 1139 1140 return fd; 1141 } 1142 1143 /* Bind socket to Netlink subsystem */ 1144 static int ovpn_rt_bind(int fd, uint32_t groups) 1145 { 1146 struct sockaddr_nl local = { 0 }; 1147 socklen_t addr_len; 1148 1149 local.nl_family = AF_NETLINK; 1150 local.nl_groups = groups; 1151 1152 if (bind(fd, (struct sockaddr *)&local, sizeof(local)) < 0) { 1153 fprintf(stderr, "%s: cannot bind netlink socket: %d\n", 1154 __func__, errno); 1155 return -errno; 1156 } 1157 1158 addr_len = sizeof(local); 1159 if (getsockname(fd, (struct sockaddr *)&local, &addr_len) < 0) { 1160 fprintf(stderr, "%s: cannot getsockname: %d\n", __func__, 1161 errno); 1162 return -errno; 1163 } 1164 1165 if (addr_len != sizeof(local)) { 1166 fprintf(stderr, "%s: wrong address length %d\n", __func__, 1167 addr_len); 1168 return -EINVAL; 1169 } 1170 1171 if (local.nl_family != AF_NETLINK) { 1172 fprintf(stderr, "%s: wrong address family %d\n", __func__, 1173 local.nl_family); 1174 return -EINVAL; 1175 } 1176 1177 return 0; 1178 } 1179 1180 typedef int (*ovpn_parse_reply_cb)(struct nlmsghdr *msg, void *arg); 1181 1182 /* Send Netlink message and run callback on reply (if specified) */ 1183 static int ovpn_rt_send(struct nlmsghdr *payload, pid_t peer, 1184 unsigned int groups, ovpn_parse_reply_cb cb, 1185 void *arg_cb) 1186 { 1187 int len, rem_len, fd, ret, rcv_len; 1188 struct sockaddr_nl nladdr = { 0 }; 1189 struct nlmsgerr *err; 1190 struct nlmsghdr *h; 1191 char buf[1024 * 16]; 1192 struct iovec iov = { 1193 .iov_base = payload, 1194 .iov_len = payload->nlmsg_len, 1195 }; 1196 struct msghdr nlmsg = { 1197 .msg_name = &nladdr, 1198 .msg_namelen = sizeof(nladdr), 1199 .msg_iov = &iov, 1200 .msg_iovlen = 1, 1201 }; 1202 1203 nladdr.nl_family = AF_NETLINK; 1204 nladdr.nl_pid = peer; 1205 nladdr.nl_groups = groups; 1206 1207 payload->nlmsg_seq = time(NULL); 1208 1209 /* no need to send reply */ 1210 if (!cb) 1211 payload->nlmsg_flags |= NLM_F_ACK; 1212 1213 fd = ovpn_rt_socket(); 1214 if (fd < 0) { 1215 fprintf(stderr, "%s: can't open rtnl socket\n", __func__); 1216 return -errno; 1217 } 1218 1219 ret = ovpn_rt_bind(fd, 0); 1220 if (ret < 0) { 1221 fprintf(stderr, "%s: can't bind rtnl socket\n", __func__); 1222 ret = -errno; 1223 goto out; 1224 } 1225 1226 ret = sendmsg(fd, &nlmsg, 0); 1227 if (ret < 0) { 1228 fprintf(stderr, "%s: rtnl: error on sendmsg()\n", __func__); 1229 ret = -errno; 1230 goto out; 1231 } 1232 1233 /* prepare buffer to store RTNL replies */ 1234 memset(buf, 0, sizeof(buf)); 1235 iov.iov_base = buf; 1236 1237 while (1) { 1238 /* 1239 * iov_len is modified by recvmsg(), therefore has to be initialized before 1240 * using it again 1241 */ 1242 iov.iov_len = sizeof(buf); 1243 rcv_len = recvmsg(fd, &nlmsg, 0); 1244 if (rcv_len < 0) { 1245 if (errno == EINTR || errno == EAGAIN) { 1246 fprintf(stderr, "%s: interrupted call\n", 1247 __func__); 1248 continue; 1249 } 1250 fprintf(stderr, "%s: rtnl: error on recvmsg()\n", 1251 __func__); 1252 ret = -errno; 1253 goto out; 1254 } 1255 1256 if (rcv_len == 0) { 1257 fprintf(stderr, 1258 "%s: rtnl: socket reached unexpected EOF\n", 1259 __func__); 1260 ret = -EIO; 1261 goto out; 1262 } 1263 1264 if (nlmsg.msg_namelen != sizeof(nladdr)) { 1265 fprintf(stderr, 1266 "%s: sender address length: %u (expected %zu)\n", 1267 __func__, nlmsg.msg_namelen, sizeof(nladdr)); 1268 ret = -EIO; 1269 goto out; 1270 } 1271 1272 h = (struct nlmsghdr *)buf; 1273 while (rcv_len >= (int)sizeof(*h)) { 1274 len = h->nlmsg_len; 1275 rem_len = len - sizeof(*h); 1276 1277 if (rem_len < 0 || len > rcv_len) { 1278 if (nlmsg.msg_flags & MSG_TRUNC) { 1279 fprintf(stderr, "%s: truncated message\n", 1280 __func__); 1281 ret = -EIO; 1282 goto out; 1283 } 1284 fprintf(stderr, "%s: malformed message: len=%d\n", 1285 __func__, len); 1286 ret = -EIO; 1287 goto out; 1288 } 1289 1290 if (h->nlmsg_type == NLMSG_DONE) { 1291 ret = 0; 1292 goto out; 1293 } 1294 1295 if (h->nlmsg_type == NLMSG_ERROR) { 1296 err = (struct nlmsgerr *)NLMSG_DATA(h); 1297 if (rem_len < (int)sizeof(struct nlmsgerr)) { 1298 fprintf(stderr, "%s: ERROR truncated\n", 1299 __func__); 1300 ret = -EIO; 1301 goto out; 1302 } 1303 1304 if (err->error) { 1305 fprintf(stderr, "%s: (%d) %s\n", 1306 __func__, err->error, 1307 strerror(-err->error)); 1308 ret = err->error; 1309 goto out; 1310 } 1311 1312 ret = 0; 1313 if (cb) { 1314 int r = cb(h, arg_cb); 1315 1316 if (r <= 0) 1317 ret = r; 1318 } 1319 goto out; 1320 } 1321 1322 if (cb) { 1323 int r = cb(h, arg_cb); 1324 1325 if (r <= 0) { 1326 ret = r; 1327 goto out; 1328 } 1329 } else { 1330 fprintf(stderr, "%s: RTNL: unexpected reply\n", 1331 __func__); 1332 } 1333 1334 rcv_len -= NLMSG_ALIGN(len); 1335 h = (struct nlmsghdr *)((uint8_t *)h + 1336 NLMSG_ALIGN(len)); 1337 } 1338 1339 if (nlmsg.msg_flags & MSG_TRUNC) { 1340 fprintf(stderr, "%s: message truncated\n", __func__); 1341 continue; 1342 } 1343 1344 if (rcv_len) { 1345 fprintf(stderr, "%s: rtnl: %d not parsed bytes\n", 1346 __func__, rcv_len); 1347 ret = -1; 1348 goto out; 1349 } 1350 } 1351 out: 1352 close(fd); 1353 1354 return ret; 1355 } 1356 1357 struct ovpn_link_req { 1358 struct nlmsghdr n; 1359 struct ifinfomsg i; 1360 char buf[256]; 1361 }; 1362 1363 static int ovpn_new_iface(struct ovpn_ctx *ovpn) 1364 { 1365 struct rtattr *linkinfo, *data; 1366 struct ovpn_link_req req = { 0 }; 1367 int ret = -1; 1368 1369 fprintf(stdout, "Creating interface %s with mode %u\n", ovpn->ifname, 1370 ovpn->mode); 1371 1372 req.n.nlmsg_len = NLMSG_LENGTH(sizeof(req.i)); 1373 req.n.nlmsg_flags = NLM_F_REQUEST | NLM_F_CREATE | NLM_F_EXCL; 1374 req.n.nlmsg_type = RTM_NEWLINK; 1375 1376 if (ovpn_addattr(&req.n, sizeof(req), IFLA_IFNAME, ovpn->ifname, 1377 strlen(ovpn->ifname) + 1) < 0) 1378 goto err; 1379 1380 linkinfo = ovpn_nest_start(&req.n, sizeof(req), IFLA_LINKINFO); 1381 if (!linkinfo) 1382 goto err; 1383 1384 if (ovpn_addattr(&req.n, sizeof(req), IFLA_INFO_KIND, OVPN_FAMILY_NAME, 1385 strlen(OVPN_FAMILY_NAME) + 1) < 0) 1386 goto err; 1387 1388 if (ovpn->mode_set) { 1389 data = ovpn_nest_start(&req.n, sizeof(req), IFLA_INFO_DATA); 1390 if (!data) 1391 goto err; 1392 1393 if (ovpn_addattr(&req.n, sizeof(req), IFLA_OVPN_MODE, 1394 &ovpn->mode, sizeof(uint8_t)) < 0) 1395 goto err; 1396 1397 ovpn_nest_end(&req.n, data); 1398 } 1399 1400 ovpn_nest_end(&req.n, linkinfo); 1401 1402 req.i.ifi_family = AF_PACKET; 1403 1404 ret = ovpn_rt_send(&req.n, 0, 0, NULL, NULL); 1405 err: 1406 return ret; 1407 } 1408 1409 static int ovpn_del_iface(struct ovpn_ctx *ovpn) 1410 { 1411 struct ovpn_link_req req = { 0 }; 1412 1413 fprintf(stdout, "Deleting interface %s ifindex %u\n", ovpn->ifname, 1414 ovpn->ifindex); 1415 1416 req.n.nlmsg_len = NLMSG_LENGTH(sizeof(req.i)); 1417 req.n.nlmsg_flags = NLM_F_REQUEST; 1418 req.n.nlmsg_type = RTM_DELLINK; 1419 1420 req.i.ifi_family = AF_PACKET; 1421 req.i.ifi_index = ovpn->ifindex; 1422 1423 return ovpn_rt_send(&req.n, 0, 0, NULL, NULL); 1424 } 1425 1426 static int nl_seq_check(struct nl_msg (*msg)__always_unused, 1427 void (*arg)__always_unused) 1428 { 1429 return NL_OK; 1430 } 1431 1432 struct mcast_handler_args { 1433 const char *group; 1434 int id; 1435 }; 1436 1437 static int mcast_family_handler(struct nl_msg *msg, void *arg) 1438 { 1439 struct mcast_handler_args *grp = arg; 1440 struct nlattr *tb[CTRL_ATTR_MAX + 1]; 1441 struct genlmsghdr *gnlh = nlmsg_data(nlmsg_hdr(msg)); 1442 struct nlattr *mcgrp; 1443 int rem_mcgrp; 1444 1445 nla_parse(tb, CTRL_ATTR_MAX, genlmsg_attrdata(gnlh, 0), 1446 genlmsg_attrlen(gnlh, 0), NULL); 1447 1448 if (!tb[CTRL_ATTR_MCAST_GROUPS]) 1449 return NL_SKIP; 1450 1451 nla_for_each_nested(mcgrp, tb[CTRL_ATTR_MCAST_GROUPS], rem_mcgrp) { 1452 struct nlattr *tb_mcgrp[CTRL_ATTR_MCAST_GRP_MAX + 1]; 1453 1454 nla_parse(tb_mcgrp, CTRL_ATTR_MCAST_GRP_MAX, 1455 nla_data(mcgrp), nla_len(mcgrp), NULL); 1456 1457 if (!tb_mcgrp[CTRL_ATTR_MCAST_GRP_NAME] || 1458 !tb_mcgrp[CTRL_ATTR_MCAST_GRP_ID]) 1459 continue; 1460 if (strncmp(nla_data(tb_mcgrp[CTRL_ATTR_MCAST_GRP_NAME]), 1461 grp->group, nla_len(tb_mcgrp[CTRL_ATTR_MCAST_GRP_NAME]))) 1462 continue; 1463 grp->id = nla_get_u32(tb_mcgrp[CTRL_ATTR_MCAST_GRP_ID]); 1464 break; 1465 } 1466 1467 return NL_SKIP; 1468 } 1469 1470 static int mcast_error_handler(struct sockaddr_nl (*nla)__always_unused, 1471 struct nlmsgerr *err, void *arg) 1472 { 1473 int *ret = arg; 1474 1475 *ret = err->error; 1476 return NL_STOP; 1477 } 1478 1479 static int mcast_ack_handler(struct nl_msg (*msg)__always_unused, void *arg) 1480 { 1481 int *ret = arg; 1482 1483 *ret = 0; 1484 return NL_STOP; 1485 } 1486 1487 static int ovpn_handle_msg(struct nl_msg *msg, void *arg) 1488 { 1489 struct genlmsghdr *gnlh = nlmsg_data(nlmsg_hdr(msg)); 1490 struct nlattr *attrs[OVPN_A_MAX + 1]; 1491 struct nlmsghdr *nlh = nlmsg_hdr(msg); 1492 char ifname[IF_NAMESIZE]; 1493 int *ret = arg; 1494 __u32 ifindex; 1495 1496 fprintf(stderr, "received message from ovpn-dco\n"); 1497 1498 *ret = -1; 1499 1500 if (!genlmsg_valid_hdr(nlh, 0)) { 1501 fprintf(stderr, "invalid header\n"); 1502 return NL_STOP; 1503 } 1504 1505 if (nla_parse(attrs, OVPN_A_MAX, genlmsg_attrdata(gnlh, 0), 1506 genlmsg_attrlen(gnlh, 0), NULL)) { 1507 fprintf(stderr, "received bogus data from ovpn-dco\n"); 1508 return NL_STOP; 1509 } 1510 1511 if (!attrs[OVPN_A_IFINDEX]) { 1512 fprintf(stderr, "no ifindex in this message\n"); 1513 return NL_STOP; 1514 } 1515 1516 ifindex = nla_get_u32(attrs[OVPN_A_IFINDEX]); 1517 if (!if_indextoname(ifindex, ifname)) { 1518 fprintf(stderr, "cannot resolve ifname for ifindex: %u\n", 1519 ifindex); 1520 return NL_STOP; 1521 } 1522 1523 switch (gnlh->cmd) { 1524 case OVPN_CMD_PEER_DEL_NTF: 1525 fprintf(stdout, "received CMD_PEER_DEL_NTF\n"); 1526 break; 1527 case OVPN_CMD_PEER_FLOAT_NTF: 1528 fprintf(stdout, "received CMD_PEER_FLOAT_NTF\n"); 1529 break; 1530 case OVPN_CMD_KEY_SWAP_NTF: 1531 fprintf(stdout, "received CMD_KEY_SWAP_NTF\n"); 1532 break; 1533 default: 1534 fprintf(stderr, "received unknown command: %d\n", gnlh->cmd); 1535 return NL_STOP; 1536 } 1537 1538 *ret = 0; 1539 return NL_OK; 1540 } 1541 1542 static int ovpn_get_mcast_id(struct nl_sock *sock, const char *family, 1543 const char *group) 1544 { 1545 struct nl_msg *msg; 1546 struct nl_cb *cb; 1547 int ret, ctrlid; 1548 struct mcast_handler_args grp = { 1549 .group = group, 1550 .id = -ENOENT, 1551 }; 1552 1553 msg = nlmsg_alloc(); 1554 if (!msg) 1555 return -ENOMEM; 1556 1557 cb = nl_cb_alloc(NL_CB_DEFAULT); 1558 if (!cb) { 1559 ret = -ENOMEM; 1560 goto out_fail_cb; 1561 } 1562 1563 ctrlid = genl_ctrl_resolve(sock, "nlctrl"); 1564 1565 genlmsg_put(msg, 0, 0, ctrlid, 0, 0, CTRL_CMD_GETFAMILY, 0); 1566 1567 ret = -ENOBUFS; 1568 NLA_PUT_STRING(msg, CTRL_ATTR_FAMILY_NAME, family); 1569 1570 ret = nl_send_auto_complete(sock, msg); 1571 if (ret < 0) 1572 goto nla_put_failure; 1573 1574 ret = 1; 1575 1576 nl_cb_err(cb, NL_CB_CUSTOM, mcast_error_handler, &ret); 1577 nl_cb_set(cb, NL_CB_ACK, NL_CB_CUSTOM, mcast_ack_handler, &ret); 1578 nl_cb_set(cb, NL_CB_VALID, NL_CB_CUSTOM, mcast_family_handler, &grp); 1579 1580 while (ret > 0) 1581 nl_recvmsgs(sock, cb); 1582 1583 if (ret == 0) 1584 ret = grp.id; 1585 nla_put_failure: 1586 nl_cb_put(cb); 1587 out_fail_cb: 1588 nlmsg_free(msg); 1589 return ret; 1590 } 1591 1592 static int ovpn_listen_mcast(void) 1593 { 1594 struct nl_sock *sock; 1595 struct nl_cb *cb; 1596 int mcid, ret; 1597 1598 sock = nl_socket_alloc(); 1599 if (!sock) { 1600 fprintf(stderr, "cannot allocate netlink socket\n"); 1601 ret = -ENOMEM; 1602 goto err_free; 1603 } 1604 1605 nl_socket_set_buffer_size(sock, 8192, 8192); 1606 1607 ret = genl_connect(sock); 1608 if (ret < 0) { 1609 fprintf(stderr, "cannot connect to generic netlink: %s\n", 1610 nl_geterror(ret)); 1611 goto err_free; 1612 } 1613 1614 mcid = ovpn_get_mcast_id(sock, OVPN_FAMILY_NAME, OVPN_MCGRP_PEERS); 1615 if (mcid < 0) { 1616 fprintf(stderr, "cannot get mcast group: %s\n", 1617 nl_geterror(mcid)); 1618 goto err_free; 1619 } 1620 1621 ret = nl_socket_add_membership(sock, mcid); 1622 if (ret) { 1623 fprintf(stderr, "failed to join mcast group: %d\n", ret); 1624 goto err_free; 1625 } 1626 1627 ret = 1; 1628 cb = nl_cb_alloc(NL_CB_DEFAULT); 1629 nl_cb_set(cb, NL_CB_SEQ_CHECK, NL_CB_CUSTOM, nl_seq_check, NULL); 1630 nl_cb_set(cb, NL_CB_VALID, NL_CB_CUSTOM, ovpn_handle_msg, &ret); 1631 nl_cb_err(cb, NL_CB_CUSTOM, ovpn_nl_cb_error, &ret); 1632 1633 while (ret == 1) { 1634 int err = nl_recvmsgs(sock, cb); 1635 1636 if (err < 0) { 1637 fprintf(stderr, 1638 "cannot receive netlink message: (%d) %s\n", 1639 err, nl_geterror(-err)); 1640 ret = -1; 1641 break; 1642 } 1643 } 1644 1645 nl_cb_put(cb); 1646 err_free: 1647 nl_socket_free(sock); 1648 return ret; 1649 } 1650 1651 static void usage(const char *cmd) 1652 { 1653 fprintf(stderr, 1654 "Usage %s <command> <iface> [arguments..]\n", 1655 cmd); 1656 fprintf(stderr, "where <command> can be one of the following\n\n"); 1657 1658 fprintf(stderr, "* new_iface <iface> [mode]: create new ovpn interface\n"); 1659 fprintf(stderr, "\tiface: ovpn interface name\n"); 1660 fprintf(stderr, "\tmode:\n"); 1661 fprintf(stderr, "\t\t- P2P for peer-to-peer mode (i.e. client)\n"); 1662 fprintf(stderr, "\t\t- MP for multi-peer mode (i.e. server)\n"); 1663 1664 fprintf(stderr, "* del_iface <iface>: delete ovpn interface\n"); 1665 fprintf(stderr, "\tiface: ovpn interface name\n"); 1666 1667 fprintf(stderr, 1668 "* listen <iface> <lport> <id_type> <peers_file> [ipv6]: listen for incoming peer TCP connections\n"); 1669 fprintf(stderr, "\tiface: ovpn interface name\n"); 1670 fprintf(stderr, "\tlport: TCP port to listen to\n"); 1671 fprintf(stderr, "\tid_type:\n"); 1672 fprintf(stderr, 1673 "\t\t- SYMM for ignoring the TX peer ID from the peers_file\n"); 1674 fprintf(stderr, 1675 "\t\t- ASYMM for using the TX peer ID from the peers_file\n"); 1676 fprintf(stderr, 1677 "\tpeers_file: file containing one peer per line: Line format:\n"); 1678 fprintf(stderr, "\t\t<peer_id> <tx_id> <vpnaddr>\n"); 1679 fprintf(stderr, 1680 "\tipv6: whether the socket should listen to the IPv6 wildcard address\n"); 1681 1682 fprintf(stderr, 1683 "* connect <iface> <peer_id> <tx_id> <raddr> <rport> [key_file]: start connecting peer of TCP-based VPN session\n"); 1684 fprintf(stderr, "\tiface: ovpn interface name\n"); 1685 fprintf(stderr, 1686 "\tpeer_id: peer ID found in data packets received from this peer\n"); 1687 fprintf(stderr, 1688 "\ttx_id: peer ID to be used when sending to this peer, 'none' for symmetric peer ID\n"); 1689 fprintf(stderr, "\traddr: peer IP address to connect to\n"); 1690 fprintf(stderr, "\trport: peer TCP port to connect to\n"); 1691 fprintf(stderr, 1692 "\tkey_file: file containing the symmetric key for encryption\n"); 1693 1694 fprintf(stderr, 1695 "* new_peer <iface> <peer_id> <tx_id> <lport> <raddr> <rport> [vpnaddr]: add new peer\n"); 1696 fprintf(stderr, "\tiface: ovpn interface name\n"); 1697 fprintf(stderr, 1698 "\tpeer_id: peer ID found in data packets received from this peer\n"); 1699 fprintf(stderr, 1700 "\ttx_id: peer ID to be used when sending to this peer, 'none' for symmetric peer ID\n"); 1701 fprintf(stderr, "\tlport: local UDP port to bind to\n"); 1702 fprintf(stderr, "\traddr: peer IP address\n"); 1703 fprintf(stderr, "\trport: peer UDP port\n"); 1704 fprintf(stderr, "\tvpnaddr: peer VPN IP\n"); 1705 1706 fprintf(stderr, 1707 "* new_multi_peer <iface> <lport> <id_type> <peers_file>: add multiple peers as listed in the file\n"); 1708 fprintf(stderr, "\tiface: ovpn interface name\n"); 1709 fprintf(stderr, "\tlport: local UDP port to bind to\n"); 1710 fprintf(stderr, "\tid_type:\n"); 1711 fprintf(stderr, 1712 "\t\t- SYMM for ignoring the TX peer ID from the peers_file\n"); 1713 fprintf(stderr, 1714 "\t\t- ASYMM for using the TX peer ID from the peers_file\n"); 1715 fprintf(stderr, 1716 "\tpeers_file: text file containing one peer per line. Line format:\n"); 1717 fprintf(stderr, 1718 "\t\t<peer_id> <tx_id> <raddr> <rport> <laddr> <lport> <vpnaddr>\n"); 1719 1720 fprintf(stderr, 1721 "* set_peer <iface> <peer_id> <keepalive_interval> <keepalive_timeout>: set peer attributes\n"); 1722 fprintf(stderr, "\tiface: ovpn interface name\n"); 1723 fprintf(stderr, "\tpeer_id: peer ID of the peer to modify\n"); 1724 fprintf(stderr, 1725 "\tkeepalive_interval: interval for sending ping messages\n"); 1726 fprintf(stderr, 1727 "\tkeepalive_timeout: time after which a peer is timed out\n"); 1728 1729 fprintf(stderr, "* del_peer <iface> <peer_id>: delete peer\n"); 1730 fprintf(stderr, "\tiface: ovpn interface name\n"); 1731 fprintf(stderr, "\tpeer_id: peer ID of the peer to delete\n"); 1732 1733 fprintf(stderr, "* get_peer <iface> [peer_id]: retrieve peer(s) status\n"); 1734 fprintf(stderr, "\tiface: ovpn interface name\n"); 1735 fprintf(stderr, 1736 "\tpeer_id: peer ID of the peer to query. All peers are returned if omitted\n"); 1737 1738 fprintf(stderr, 1739 "* new_key <iface> <peer_id> <slot> <key_id> <cipher> <key_dir> <key_file>: set data channel key\n"); 1740 fprintf(stderr, "\tiface: ovpn interface name\n"); 1741 fprintf(stderr, 1742 "\tpeer_id: peer ID of the peer to configure the key for\n"); 1743 fprintf(stderr, "\tslot: either 1 (primary) or 2 (secondary)\n"); 1744 fprintf(stderr, "\tkey_id: an ID from 0 to 7\n"); 1745 fprintf(stderr, 1746 "\tcipher: cipher to use, supported: aes (AES-GCM), chachapoly (CHACHA20POLY1305)\n"); 1747 fprintf(stderr, 1748 "\tkey_dir: key direction, must 0 on one host and 1 on the other\n"); 1749 fprintf(stderr, "\tkey_file: file containing the pre-shared key\n"); 1750 1751 fprintf(stderr, 1752 "* del_key <iface> <peer_id> [slot]: erase existing data channel key\n"); 1753 fprintf(stderr, "\tiface: ovpn interface name\n"); 1754 fprintf(stderr, "\tpeer_id: peer ID of the peer to modify\n"); 1755 fprintf(stderr, "\tslot: slot to erase. PRIMARY if omitted\n"); 1756 1757 fprintf(stderr, 1758 "* get_key <iface> <peer_id> <slot>: retrieve non sensible key data\n"); 1759 fprintf(stderr, "\tiface: ovpn interface name\n"); 1760 fprintf(stderr, "\tpeer_id: peer ID of the peer to query\n"); 1761 fprintf(stderr, "\tslot: either 1 (primary) or 2 (secondary)\n"); 1762 1763 fprintf(stderr, 1764 "* swap_keys <iface> <peer_id>: swap content of primary and secondary key slots\n"); 1765 fprintf(stderr, "\tiface: ovpn interface name\n"); 1766 fprintf(stderr, "\tpeer_id: peer ID of the peer to modify\n"); 1767 1768 fprintf(stderr, 1769 "* listen_mcast: listen to ovpn netlink multicast messages\n"); 1770 } 1771 1772 static int ovpn_parse_remote(struct ovpn_ctx *ovpn, const char *host, 1773 const char *service, const char *vpnip) 1774 { 1775 int ret; 1776 struct addrinfo *result; 1777 struct addrinfo hints = { 1778 .ai_family = ovpn->sa_family, 1779 .ai_socktype = SOCK_DGRAM, 1780 .ai_protocol = IPPROTO_UDP 1781 }; 1782 1783 if (host) { 1784 ret = getaddrinfo(host, service, &hints, &result); 1785 if (ret) { 1786 fprintf(stderr, "getaddrinfo on remote error: %s\n", 1787 gai_strerror(ret)); 1788 return -1; 1789 } 1790 1791 if (!(result->ai_family == AF_INET && 1792 result->ai_addrlen == sizeof(struct sockaddr_in)) && 1793 !(result->ai_family == AF_INET6 && 1794 result->ai_addrlen == sizeof(struct sockaddr_in6))) { 1795 ret = -EINVAL; 1796 goto out; 1797 } 1798 1799 memcpy(&ovpn->remote, result->ai_addr, result->ai_addrlen); 1800 } 1801 1802 if (vpnip) { 1803 ret = getaddrinfo(vpnip, NULL, &hints, &result); 1804 if (ret) { 1805 fprintf(stderr, "getaddrinfo on vpnip error: %s\n", 1806 gai_strerror(ret)); 1807 return -1; 1808 } 1809 1810 if (!(result->ai_family == AF_INET && 1811 result->ai_addrlen == sizeof(struct sockaddr_in)) && 1812 !(result->ai_family == AF_INET6 && 1813 result->ai_addrlen == sizeof(struct sockaddr_in6))) { 1814 ret = -EINVAL; 1815 goto out; 1816 } 1817 1818 memcpy(&ovpn->peer_ip, result->ai_addr, result->ai_addrlen); 1819 ovpn->sa_family = result->ai_family; 1820 1821 ovpn->peer_ip_set = true; 1822 } 1823 1824 ret = 0; 1825 out: 1826 freeaddrinfo(result); 1827 return ret; 1828 } 1829 1830 static int ovpn_parse_new_peer(struct ovpn_ctx *ovpn, const char *peer_id, 1831 const char *tx_id, const char *raddr, 1832 const char *rport, const char *vpnip) 1833 { 1834 ovpn->peer_id = strtoul(peer_id, NULL, 10); 1835 if (errno == ERANGE || ovpn->peer_id > PEER_ID_UNDEF) { 1836 fprintf(stderr, "rx peer ID value out of range\n"); 1837 return -1; 1838 } 1839 1840 if (ovpn->asymm_id) { 1841 ovpn->tx_id = strtoul(tx_id, NULL, 10); 1842 if (errno == ERANGE || ovpn->tx_id > PEER_ID_UNDEF) { 1843 fprintf(stderr, "tx peer ID value out of range\n"); 1844 return -1; 1845 } 1846 } 1847 1848 return ovpn_parse_remote(ovpn, raddr, rport, vpnip); 1849 } 1850 1851 static int ovpn_parse_key_slot(const char *arg, struct ovpn_ctx *ovpn) 1852 { 1853 int slot = strtoul(arg, NULL, 10); 1854 1855 if (errno == ERANGE || slot < 1 || slot > 2) { 1856 fprintf(stderr, "key slot out of range\n"); 1857 return -1; 1858 } 1859 1860 switch (slot) { 1861 case 1: 1862 ovpn->key_slot = OVPN_KEY_SLOT_PRIMARY; 1863 break; 1864 case 2: 1865 ovpn->key_slot = OVPN_KEY_SLOT_SECONDARY; 1866 break; 1867 } 1868 1869 return 0; 1870 } 1871 1872 static int ovpn_send_tcp_data(int socket) 1873 { 1874 uint16_t len = htons(1000); 1875 uint8_t buf[1002]; 1876 int ret; 1877 1878 memcpy(buf, &len, sizeof(len)); 1879 memset(buf + sizeof(len), 0x86, sizeof(buf) - sizeof(len)); 1880 1881 ret = send(socket, buf, sizeof(buf), MSG_NOSIGNAL); 1882 1883 fprintf(stdout, "Sent %u bytes over TCP socket\n", ret); 1884 1885 return ret > 0 ? 0 : ret; 1886 } 1887 1888 static int ovpn_recv_tcp_data(int socket) 1889 { 1890 uint8_t buf[1002]; 1891 uint16_t len; 1892 int ret; 1893 1894 ret = recv(socket, buf, sizeof(buf), MSG_NOSIGNAL); 1895 1896 if (ret < 2) { 1897 fprintf(stderr, ">>>> Error while reading TCP data: %d\n", ret); 1898 return ret; 1899 } 1900 1901 memcpy(&len, buf, sizeof(len)); 1902 len = ntohs(len); 1903 1904 fprintf(stdout, ">>>> Received %u bytes over TCP socket, header: %u\n", 1905 ret, len); 1906 1907 return 0; 1908 } 1909 1910 static enum ovpn_cmd ovpn_parse_cmd(const char *cmd) 1911 { 1912 if (!strcmp(cmd, "new_iface")) 1913 return CMD_NEW_IFACE; 1914 1915 if (!strcmp(cmd, "del_iface")) 1916 return CMD_DEL_IFACE; 1917 1918 if (!strcmp(cmd, "listen")) 1919 return CMD_LISTEN; 1920 1921 if (!strcmp(cmd, "connect")) 1922 return CMD_CONNECT; 1923 1924 if (!strcmp(cmd, "new_peer")) 1925 return CMD_NEW_PEER; 1926 1927 if (!strcmp(cmd, "new_multi_peer")) 1928 return CMD_NEW_MULTI_PEER; 1929 1930 if (!strcmp(cmd, "set_peer")) 1931 return CMD_SET_PEER; 1932 1933 if (!strcmp(cmd, "del_peer")) 1934 return CMD_DEL_PEER; 1935 1936 if (!strcmp(cmd, "get_peer")) 1937 return CMD_GET_PEER; 1938 1939 if (!strcmp(cmd, "new_key")) 1940 return CMD_NEW_KEY; 1941 1942 if (!strcmp(cmd, "del_key")) 1943 return CMD_DEL_KEY; 1944 1945 if (!strcmp(cmd, "get_key")) 1946 return CMD_GET_KEY; 1947 1948 if (!strcmp(cmd, "swap_keys")) 1949 return CMD_SWAP_KEYS; 1950 1951 if (!strcmp(cmd, "listen_mcast")) 1952 return CMD_LISTEN_MCAST; 1953 1954 return CMD_INVALID; 1955 } 1956 1957 /* Send process to background and waits for signal. 1958 * 1959 * This helper is called at the end of commands 1960 * creating sockets, so that the latter stay alive 1961 * along with the process that created them. 1962 * 1963 * A signal is expected to be delivered in order to 1964 * terminate the waiting processes 1965 */ 1966 static void ovpn_waitbg(void) 1967 { 1968 daemon(1, 1); 1969 pause(); 1970 } 1971 1972 static int ovpn_run_cmd(struct ovpn_ctx *ovpn) 1973 { 1974 char peer_id[10], tx_id[10], vpnip[INET6_ADDRSTRLEN], laddr[128]; 1975 char lport[10], raddr[128], rport[10]; 1976 int n, ret; 1977 FILE *fp; 1978 1979 switch (ovpn->cmd) { 1980 case CMD_NEW_IFACE: 1981 ret = ovpn_new_iface(ovpn); 1982 break; 1983 case CMD_DEL_IFACE: 1984 ret = ovpn_del_iface(ovpn); 1985 break; 1986 case CMD_LISTEN: 1987 ret = ovpn_listen(ovpn, ovpn->sa_family); 1988 if (ret < 0) { 1989 fprintf(stderr, "cannot listen on TCP socket\n"); 1990 return ret; 1991 } 1992 1993 fp = fopen(ovpn->peers_file, "r"); 1994 if (!fp) { 1995 fprintf(stderr, "cannot open file: %s\n", 1996 ovpn->peers_file); 1997 return -1; 1998 } 1999 2000 int num_peers = 0; 2001 2002 while ((n = fscanf(fp, "%s %s %s\n", peer_id, tx_id, 2003 vpnip)) == 3) { 2004 struct ovpn_ctx peer_ctx = { 0 }; 2005 2006 if (num_peers == MAX_PEERS) { 2007 fprintf(stderr, "max peers reached!\n"); 2008 return -E2BIG; 2009 } 2010 2011 peer_ctx.ifindex = ovpn->ifindex; 2012 peer_ctx.sa_family = ovpn->sa_family; 2013 peer_ctx.asymm_id = ovpn->asymm_id; 2014 2015 peer_ctx.socket = ovpn_accept(ovpn); 2016 if (peer_ctx.socket < 0) { 2017 fprintf(stderr, "cannot accept connection!\n"); 2018 return -1; 2019 } 2020 2021 /* store peer sockets to test TCP I/O */ 2022 ovpn->cli_sockets[num_peers] = peer_ctx.socket; 2023 2024 ret = ovpn_parse_new_peer(&peer_ctx, peer_id, tx_id, 2025 NULL, NULL, vpnip); 2026 if (ret < 0) { 2027 fprintf(stderr, "error while parsing line\n"); 2028 return -1; 2029 } 2030 2031 ret = ovpn_new_peer(&peer_ctx, true); 2032 if (ret < 0) { 2033 fprintf(stderr, 2034 "cannot add peer to VPN: %s %s\n", 2035 peer_id, vpnip); 2036 return ret; 2037 } 2038 num_peers++; 2039 } 2040 2041 for (int i = 0; i < num_peers; i++) { 2042 ret = ovpn_recv_tcp_data(ovpn->cli_sockets[i]); 2043 if (ret < 0) 2044 break; 2045 } 2046 ovpn_waitbg(); 2047 break; 2048 case CMD_CONNECT: 2049 ret = ovpn_connect(ovpn); 2050 if (ret < 0) { 2051 fprintf(stderr, "cannot connect TCP socket\n"); 2052 return ret; 2053 } 2054 2055 ret = ovpn_new_peer(ovpn, true); 2056 if (ret < 0) { 2057 fprintf(stderr, "cannot add peer to VPN\n"); 2058 close(ovpn->socket); 2059 return ret; 2060 } 2061 2062 if (ovpn->cipher != OVPN_CIPHER_ALG_NONE) { 2063 ret = ovpn_new_key(ovpn); 2064 if (ret < 0) { 2065 fprintf(stderr, "cannot set key\n"); 2066 return ret; 2067 } 2068 } 2069 2070 ret = ovpn_send_tcp_data(ovpn->socket); 2071 ovpn_waitbg(); 2072 break; 2073 case CMD_NEW_PEER: 2074 ret = ovpn_udp_socket(ovpn, AF_INET6); 2075 if (ret < 0) 2076 return ret; 2077 2078 ret = ovpn_new_peer(ovpn, false); 2079 ovpn_waitbg(); 2080 break; 2081 case CMD_NEW_MULTI_PEER: 2082 ret = ovpn_udp_socket(ovpn, AF_INET6); 2083 if (ret < 0) 2084 return ret; 2085 2086 fp = fopen(ovpn->peers_file, "r"); 2087 if (!fp) { 2088 fprintf(stderr, "cannot open file: %s\n", 2089 ovpn->peers_file); 2090 return -1; 2091 } 2092 2093 while ((n = fscanf(fp, "%s %s %s %s %s %s %s\n", peer_id, tx_id, 2094 laddr, lport, raddr, rport, vpnip)) == 7) { 2095 struct ovpn_ctx peer_ctx = { 0 }; 2096 2097 peer_ctx.ifindex = ovpn->ifindex; 2098 peer_ctx.socket = ovpn->socket; 2099 peer_ctx.sa_family = AF_UNSPEC; 2100 peer_ctx.asymm_id = ovpn->asymm_id; 2101 2102 ret = ovpn_parse_new_peer(&peer_ctx, peer_id, tx_id, 2103 raddr, rport, vpnip); 2104 if (ret < 0) { 2105 fprintf(stderr, "error while parsing line\n"); 2106 return -1; 2107 } 2108 2109 ret = ovpn_new_peer(&peer_ctx, false); 2110 if (ret < 0) { 2111 fprintf(stderr, 2112 "cannot add peer to VPN: %s %s %s %s\n", 2113 peer_id, raddr, rport, vpnip); 2114 return ret; 2115 } 2116 } 2117 ovpn_waitbg(); 2118 break; 2119 case CMD_SET_PEER: 2120 ret = ovpn_set_peer(ovpn); 2121 break; 2122 case CMD_DEL_PEER: 2123 ret = ovpn_del_peer(ovpn); 2124 break; 2125 case CMD_GET_PEER: 2126 if (ovpn->peer_id == PEER_ID_UNDEF) 2127 fprintf(stderr, "List of peers connected to: %s\n", 2128 ovpn->ifname); 2129 2130 ret = ovpn_get_peer(ovpn); 2131 break; 2132 case CMD_NEW_KEY: 2133 ret = ovpn_new_key(ovpn); 2134 break; 2135 case CMD_DEL_KEY: 2136 ret = ovpn_del_key(ovpn); 2137 break; 2138 case CMD_GET_KEY: 2139 ret = ovpn_get_key(ovpn); 2140 break; 2141 case CMD_SWAP_KEYS: 2142 ret = ovpn_swap_keys(ovpn); 2143 break; 2144 case CMD_LISTEN_MCAST: 2145 ret = ovpn_listen_mcast(); 2146 break; 2147 case CMD_INVALID: 2148 ret = -EINVAL; 2149 break; 2150 } 2151 2152 return ret; 2153 } 2154 2155 static int ovpn_parse_cmd_args(struct ovpn_ctx *ovpn, int argc, char *argv[]) 2156 { 2157 int ret; 2158 2159 /* no args required for LISTEN_MCAST */ 2160 if (ovpn->cmd == CMD_LISTEN_MCAST) 2161 return 0; 2162 2163 /* all commands need an ifname */ 2164 if (argc < 3) 2165 return -EINVAL; 2166 2167 strscpy(ovpn->ifname, argv[2], IFNAMSIZ - 1); 2168 ovpn->ifname[IFNAMSIZ - 1] = '\0'; 2169 2170 /* all commands, except NEW_IFNAME, needs an ifindex */ 2171 if (ovpn->cmd != CMD_NEW_IFACE) { 2172 ovpn->ifindex = if_nametoindex(ovpn->ifname); 2173 if (!ovpn->ifindex) { 2174 fprintf(stderr, "cannot find interface: %s\n", 2175 strerror(errno)); 2176 return -1; 2177 } 2178 } 2179 2180 switch (ovpn->cmd) { 2181 case CMD_NEW_IFACE: 2182 if (argc < 4) 2183 break; 2184 2185 if (!strcmp(argv[3], "P2P")) { 2186 ovpn->mode = OVPN_MODE_P2P; 2187 } else if (!strcmp(argv[3], "MP")) { 2188 ovpn->mode = OVPN_MODE_MP; 2189 } else { 2190 fprintf(stderr, "Cannot parse iface mode: %s\n", 2191 argv[3]); 2192 return -1; 2193 } 2194 ovpn->mode_set = true; 2195 break; 2196 case CMD_DEL_IFACE: 2197 break; 2198 case CMD_LISTEN: 2199 if (argc < 6) 2200 return -EINVAL; 2201 2202 ovpn->lport = strtoul(argv[3], NULL, 10); 2203 if (errno == ERANGE || ovpn->lport > 65535) { 2204 fprintf(stderr, "lport value out of range\n"); 2205 return -1; 2206 } 2207 2208 if (strcmp(argv[4], "SYMM") == 0) { 2209 ovpn->asymm_id = false; 2210 } else if (strcmp(argv[4], "ASYMM") == 0) { 2211 ovpn->asymm_id = true; 2212 } else { 2213 fprintf(stderr, "Cannot parse id type: %s\n", argv[4]); 2214 return -1; 2215 } 2216 2217 ovpn->peers_file = argv[5]; 2218 2219 ovpn->sa_family = AF_INET; 2220 if (argc > 6 && !strcmp(argv[6], "ipv6")) 2221 ovpn->sa_family = AF_INET6; 2222 break; 2223 case CMD_CONNECT: 2224 if (argc < 7) 2225 return -EINVAL; 2226 2227 ovpn->sa_family = AF_INET; 2228 ovpn->asymm_id = strcmp(argv[4], "none"); 2229 2230 ret = ovpn_parse_new_peer(ovpn, argv[3], argv[4], argv[5], 2231 argv[6], NULL); 2232 if (ret < 0) { 2233 fprintf(stderr, "Cannot parse remote peer data\n"); 2234 return -1; 2235 } 2236 2237 if (argc > 7) { 2238 ovpn->key_slot = OVPN_KEY_SLOT_PRIMARY; 2239 ovpn->key_id = 0; 2240 ovpn->cipher = OVPN_CIPHER_ALG_AES_GCM; 2241 ovpn->key_dir = KEY_DIR_OUT; 2242 2243 ret = ovpn_parse_key(argv[7], ovpn); 2244 if (ret) 2245 return -1; 2246 } 2247 break; 2248 case CMD_NEW_PEER: 2249 if (argc < 8) 2250 return -EINVAL; 2251 2252 ovpn->asymm_id = strcmp(argv[4], "none"); 2253 2254 ovpn->lport = strtoul(argv[5], NULL, 10); 2255 if (errno == ERANGE || ovpn->lport > 65535) { 2256 fprintf(stderr, "lport value out of range\n"); 2257 return -1; 2258 } 2259 2260 const char *vpnip = (argc > 8) ? argv[8] : NULL; 2261 2262 ret = ovpn_parse_new_peer(ovpn, argv[3], argv[4], argv[6], 2263 argv[7], vpnip); 2264 if (ret < 0) 2265 return -1; 2266 break; 2267 case CMD_NEW_MULTI_PEER: 2268 if (argc < 6) 2269 return -EINVAL; 2270 2271 ovpn->lport = strtoul(argv[3], NULL, 10); 2272 if (errno == ERANGE || ovpn->lport > 65535) { 2273 fprintf(stderr, "lport value out of range\n"); 2274 return -1; 2275 } 2276 2277 if (!strcmp(argv[4], "SYMM")) { 2278 ovpn->asymm_id = false; 2279 } else if (!strcmp(argv[4], "ASYMM")) { 2280 ovpn->asymm_id = true; 2281 } else { 2282 fprintf(stderr, "Cannot parse id type: %s\n", argv[4]); 2283 return -1; 2284 } 2285 2286 ovpn->peers_file = argv[5]; 2287 break; 2288 case CMD_SET_PEER: 2289 if (argc < 6) 2290 return -EINVAL; 2291 2292 ovpn->peer_id = strtoul(argv[3], NULL, 10); 2293 if (errno == ERANGE || ovpn->peer_id > PEER_ID_UNDEF) { 2294 fprintf(stderr, "peer ID value out of range\n"); 2295 return -1; 2296 } 2297 2298 ovpn->keepalive_interval = strtoul(argv[4], NULL, 10); 2299 if (errno == ERANGE) { 2300 fprintf(stderr, 2301 "keepalive interval value out of range\n"); 2302 return -1; 2303 } 2304 2305 ovpn->keepalive_timeout = strtoul(argv[5], NULL, 10); 2306 if (errno == ERANGE) { 2307 fprintf(stderr, 2308 "keepalive interval value out of range\n"); 2309 return -1; 2310 } 2311 break; 2312 case CMD_DEL_PEER: 2313 if (argc < 4) 2314 return -EINVAL; 2315 2316 ovpn->peer_id = strtoul(argv[3], NULL, 10); 2317 if (errno == ERANGE || ovpn->peer_id > PEER_ID_UNDEF) { 2318 fprintf(stderr, "peer ID value out of range\n"); 2319 return -1; 2320 } 2321 break; 2322 case CMD_GET_PEER: 2323 ovpn->peer_id = PEER_ID_UNDEF; 2324 if (argc > 3) { 2325 ovpn->peer_id = strtoul(argv[3], NULL, 10); 2326 if (errno == ERANGE || ovpn->peer_id > PEER_ID_UNDEF) { 2327 fprintf(stderr, "peer ID value out of range\n"); 2328 return -1; 2329 } 2330 } 2331 break; 2332 case CMD_NEW_KEY: 2333 if (argc < 9) 2334 return -EINVAL; 2335 2336 ovpn->peer_id = strtoul(argv[3], NULL, 10); 2337 if (errno == ERANGE) { 2338 fprintf(stderr, "peer ID value out of range\n"); 2339 return -1; 2340 } 2341 2342 ret = ovpn_parse_key_slot(argv[4], ovpn); 2343 if (ret) 2344 return -1; 2345 2346 ovpn->key_id = strtoul(argv[5], NULL, 10); 2347 if (errno == ERANGE || ovpn->key_id > 2) { 2348 fprintf(stderr, "key ID out of range\n"); 2349 return -1; 2350 } 2351 2352 ret = ovpn_parse_cipher(argv[6], ovpn); 2353 if (ret < 0) 2354 return -1; 2355 2356 ret = ovpn_parse_key_direction(argv[7], ovpn); 2357 if (ret < 0) 2358 return -1; 2359 2360 ret = ovpn_parse_key(argv[8], ovpn); 2361 if (ret) 2362 return -1; 2363 break; 2364 case CMD_DEL_KEY: 2365 if (argc < 4) 2366 return -EINVAL; 2367 2368 ovpn->peer_id = strtoul(argv[3], NULL, 10); 2369 if (errno == ERANGE) { 2370 fprintf(stderr, "peer ID value out of range\n"); 2371 return -1; 2372 } 2373 2374 ret = ovpn_parse_key_slot(argv[4], ovpn); 2375 if (ret) 2376 return ret; 2377 break; 2378 case CMD_GET_KEY: 2379 if (argc < 5) 2380 return -EINVAL; 2381 2382 ovpn->peer_id = strtoul(argv[3], NULL, 10); 2383 if (errno == ERANGE) { 2384 fprintf(stderr, "peer ID value out of range\n"); 2385 return -1; 2386 } 2387 2388 ret = ovpn_parse_key_slot(argv[4], ovpn); 2389 if (ret) 2390 return ret; 2391 break; 2392 case CMD_SWAP_KEYS: 2393 if (argc < 4) 2394 return -EINVAL; 2395 2396 ovpn->peer_id = strtoul(argv[3], NULL, 10); 2397 if (errno == ERANGE) { 2398 fprintf(stderr, "peer ID value out of range\n"); 2399 return -1; 2400 } 2401 break; 2402 case CMD_LISTEN_MCAST: 2403 break; 2404 case CMD_INVALID: 2405 break; 2406 } 2407 2408 return 0; 2409 } 2410 2411 int main(int argc, char *argv[]) 2412 { 2413 struct ovpn_ctx ovpn; 2414 int ret; 2415 2416 if (argc < 2) { 2417 usage(argv[0]); 2418 return -1; 2419 } 2420 2421 memset(&ovpn, 0, sizeof(ovpn)); 2422 ovpn.sa_family = AF_UNSPEC; 2423 ovpn.cipher = OVPN_CIPHER_ALG_NONE; 2424 2425 ovpn.cmd = ovpn_parse_cmd(argv[1]); 2426 if (ovpn.cmd == CMD_INVALID) { 2427 fprintf(stderr, "Error: unknown command.\n\n"); 2428 usage(argv[0]); 2429 return -1; 2430 } 2431 2432 ret = ovpn_parse_cmd_args(&ovpn, argc, argv); 2433 if (ret < 0) { 2434 fprintf(stderr, "Error: invalid arguments.\n\n"); 2435 if (ret == -EINVAL) 2436 usage(argv[0]); 2437 return ret; 2438 } 2439 2440 ret = ovpn_run_cmd(&ovpn); 2441 if (ret) 2442 fprintf(stderr, "Cannot execute command: %s (%d)\n", 2443 strerror(-ret), ret); 2444 2445 return ret; 2446 } 2447