1 // SPDX-License-Identifier: GPL-2.0 2 /* OpenVPN data channel accelerator 3 * 4 * Copyright (C) 2020-2025 OpenVPN, Inc. 5 * 6 * Author: Antonio Quartulli <antonio@openvpn.net> 7 */ 8 9 #include <stdio.h> 10 #include <inttypes.h> 11 #include <stdbool.h> 12 #include <string.h> 13 #include <errno.h> 14 #include <unistd.h> 15 #include <arpa/inet.h> 16 #include <net/if.h> 17 #include <netinet/in.h> 18 #include <time.h> 19 20 #include <linux/ovpn.h> 21 #include <linux/types.h> 22 #include <linux/netlink.h> 23 24 #include <netlink/socket.h> 25 #include <netlink/netlink.h> 26 #include <netlink/genl/genl.h> 27 #include <netlink/genl/family.h> 28 #include <netlink/genl/ctrl.h> 29 30 #include <mbedtls/base64.h> 31 #include <mbedtls/error.h> 32 33 #include <sys/socket.h> 34 35 #include "../../kselftest.h" 36 37 /* defines to make checkpatch happy */ 38 #define strscpy strncpy 39 40 /* libnl < 3.5.0 does not set the NLA_F_NESTED on its own, therefore we 41 * have to explicitly do it to prevent the kernel from failing upon 42 * parsing of the message 43 */ 44 #define nla_nest_start(_msg, _type) \ 45 nla_nest_start(_msg, (_type) | NLA_F_NESTED) 46 47 /* libnl < 3.11.0 does not implement nla_get_uint() */ 48 uint64_t ovpn_nla_get_uint(struct nlattr *attr) 49 { 50 if (nla_len(attr) == sizeof(uint32_t)) 51 return nla_get_u32(attr); 52 else 53 return nla_get_u64(attr); 54 } 55 56 typedef int (*ovpn_nl_cb)(struct nl_msg *msg, void *arg); 57 58 enum ovpn_key_direction { 59 KEY_DIR_IN = 0, 60 KEY_DIR_OUT, 61 }; 62 63 #define KEY_LEN (256 / 8) 64 #define NONCE_LEN 8 65 66 #define PEER_ID_UNDEF 0x00FFFFFF 67 #define MAX_PEERS 10 68 69 struct nl_ctx { 70 struct nl_sock *nl_sock; 71 struct nl_msg *nl_msg; 72 struct nl_cb *nl_cb; 73 74 int ovpn_dco_id; 75 }; 76 77 enum ovpn_cmd { 78 CMD_INVALID, 79 CMD_NEW_IFACE, 80 CMD_DEL_IFACE, 81 CMD_LISTEN, 82 CMD_CONNECT, 83 CMD_NEW_PEER, 84 CMD_NEW_MULTI_PEER, 85 CMD_SET_PEER, 86 CMD_DEL_PEER, 87 CMD_GET_PEER, 88 CMD_NEW_KEY, 89 CMD_DEL_KEY, 90 CMD_GET_KEY, 91 CMD_SWAP_KEYS, 92 CMD_LISTEN_MCAST, 93 }; 94 95 struct ovpn_ctx { 96 enum ovpn_cmd cmd; 97 98 __u8 key_enc[KEY_LEN]; 99 __u8 key_dec[KEY_LEN]; 100 __u8 nonce[NONCE_LEN]; 101 102 enum ovpn_cipher_alg cipher; 103 104 sa_family_t sa_family; 105 106 unsigned long peer_id; 107 unsigned long lport; 108 109 union { 110 struct sockaddr_in in4; 111 struct sockaddr_in6 in6; 112 } remote; 113 114 union { 115 struct sockaddr_in in4; 116 struct sockaddr_in6 in6; 117 } peer_ip; 118 119 bool peer_ip_set; 120 121 unsigned int ifindex; 122 char ifname[IFNAMSIZ]; 123 enum ovpn_mode mode; 124 bool mode_set; 125 126 int socket; 127 int cli_sockets[MAX_PEERS]; 128 129 __u32 keepalive_interval; 130 __u32 keepalive_timeout; 131 132 enum ovpn_key_direction key_dir; 133 enum ovpn_key_slot key_slot; 134 int key_id; 135 136 const char *peers_file; 137 }; 138 139 static int ovpn_nl_recvmsgs(struct nl_ctx *ctx) 140 { 141 int ret; 142 143 ret = nl_recvmsgs(ctx->nl_sock, ctx->nl_cb); 144 145 switch (ret) { 146 case -NLE_INTR: 147 fprintf(stderr, 148 "netlink received interrupt due to signal - ignoring\n"); 149 break; 150 case -NLE_NOMEM: 151 fprintf(stderr, "netlink out of memory error\n"); 152 break; 153 case -NLE_AGAIN: 154 fprintf(stderr, 155 "netlink reports blocking read - aborting wait\n"); 156 break; 157 default: 158 if (ret) 159 fprintf(stderr, "netlink reports error (%d): %s\n", 160 ret, nl_geterror(-ret)); 161 break; 162 } 163 164 return ret; 165 } 166 167 static struct nl_ctx *nl_ctx_alloc_flags(struct ovpn_ctx *ovpn, int cmd, 168 int flags) 169 { 170 struct nl_ctx *ctx; 171 int err, ret; 172 173 ctx = calloc(1, sizeof(*ctx)); 174 if (!ctx) 175 return NULL; 176 177 ctx->nl_sock = nl_socket_alloc(); 178 if (!ctx->nl_sock) { 179 fprintf(stderr, "cannot allocate netlink socket\n"); 180 goto err_free; 181 } 182 183 nl_socket_set_buffer_size(ctx->nl_sock, 8192, 8192); 184 185 ret = genl_connect(ctx->nl_sock); 186 if (ret) { 187 fprintf(stderr, "cannot connect to generic netlink: %s\n", 188 nl_geterror(ret)); 189 goto err_sock; 190 } 191 192 /* enable Extended ACK for detailed error reporting */ 193 err = 1; 194 setsockopt(nl_socket_get_fd(ctx->nl_sock), SOL_NETLINK, NETLINK_EXT_ACK, 195 &err, sizeof(err)); 196 197 ctx->ovpn_dco_id = genl_ctrl_resolve(ctx->nl_sock, OVPN_FAMILY_NAME); 198 if (ctx->ovpn_dco_id < 0) { 199 fprintf(stderr, "cannot find ovpn_dco netlink component: %d\n", 200 ctx->ovpn_dco_id); 201 goto err_free; 202 } 203 204 ctx->nl_msg = nlmsg_alloc(); 205 if (!ctx->nl_msg) { 206 fprintf(stderr, "cannot allocate netlink message\n"); 207 goto err_sock; 208 } 209 210 ctx->nl_cb = nl_cb_alloc(NL_CB_DEFAULT); 211 if (!ctx->nl_cb) { 212 fprintf(stderr, "failed to allocate netlink callback\n"); 213 goto err_msg; 214 } 215 216 nl_socket_set_cb(ctx->nl_sock, ctx->nl_cb); 217 218 genlmsg_put(ctx->nl_msg, 0, 0, ctx->ovpn_dco_id, 0, flags, cmd, 0); 219 220 if (ovpn->ifindex > 0) 221 NLA_PUT_U32(ctx->nl_msg, OVPN_A_IFINDEX, ovpn->ifindex); 222 223 return ctx; 224 nla_put_failure: 225 err_msg: 226 nlmsg_free(ctx->nl_msg); 227 err_sock: 228 nl_socket_free(ctx->nl_sock); 229 err_free: 230 free(ctx); 231 return NULL; 232 } 233 234 static struct nl_ctx *nl_ctx_alloc(struct ovpn_ctx *ovpn, int cmd) 235 { 236 return nl_ctx_alloc_flags(ovpn, cmd, 0); 237 } 238 239 static void nl_ctx_free(struct nl_ctx *ctx) 240 { 241 if (!ctx) 242 return; 243 244 nl_socket_free(ctx->nl_sock); 245 nlmsg_free(ctx->nl_msg); 246 nl_cb_put(ctx->nl_cb); 247 free(ctx); 248 } 249 250 static int ovpn_nl_cb_error(struct sockaddr_nl (*nla)__always_unused, 251 struct nlmsgerr *err, void *arg) 252 { 253 struct nlmsghdr *nlh = (struct nlmsghdr *)err - 1; 254 struct nlattr *tb_msg[NLMSGERR_ATTR_MAX + 1]; 255 int len = nlh->nlmsg_len; 256 struct nlattr *attrs; 257 int *ret = arg; 258 int ack_len = sizeof(*nlh) + sizeof(int) + sizeof(*nlh); 259 260 *ret = err->error; 261 262 if (!(nlh->nlmsg_flags & NLM_F_ACK_TLVS)) 263 return NL_STOP; 264 265 if (!(nlh->nlmsg_flags & NLM_F_CAPPED)) 266 ack_len += err->msg.nlmsg_len - sizeof(*nlh); 267 268 if (len <= ack_len) 269 return NL_STOP; 270 271 attrs = (void *)((uint8_t *)nlh + ack_len); 272 len -= ack_len; 273 274 nla_parse(tb_msg, NLMSGERR_ATTR_MAX, attrs, len, NULL); 275 if (tb_msg[NLMSGERR_ATTR_MSG]) { 276 len = strnlen((char *)nla_data(tb_msg[NLMSGERR_ATTR_MSG]), 277 nla_len(tb_msg[NLMSGERR_ATTR_MSG])); 278 fprintf(stderr, "kernel error: %*s\n", len, 279 (char *)nla_data(tb_msg[NLMSGERR_ATTR_MSG])); 280 } 281 282 if (tb_msg[NLMSGERR_ATTR_MISS_NEST]) { 283 fprintf(stderr, "missing required nesting type %u\n", 284 nla_get_u32(tb_msg[NLMSGERR_ATTR_MISS_NEST])); 285 } 286 287 if (tb_msg[NLMSGERR_ATTR_MISS_TYPE]) { 288 fprintf(stderr, "missing required attribute type %u\n", 289 nla_get_u32(tb_msg[NLMSGERR_ATTR_MISS_TYPE])); 290 } 291 292 return NL_STOP; 293 } 294 295 static int ovpn_nl_cb_finish(struct nl_msg (*msg)__always_unused, 296 void *arg) 297 { 298 int *status = arg; 299 300 *status = 0; 301 return NL_SKIP; 302 } 303 304 static int ovpn_nl_cb_ack(struct nl_msg (*msg)__always_unused, 305 void *arg) 306 { 307 int *status = arg; 308 309 *status = 0; 310 return NL_STOP; 311 } 312 313 static int ovpn_nl_msg_send(struct nl_ctx *ctx, ovpn_nl_cb cb) 314 { 315 int status = 1; 316 317 nl_cb_err(ctx->nl_cb, NL_CB_CUSTOM, ovpn_nl_cb_error, &status); 318 nl_cb_set(ctx->nl_cb, NL_CB_FINISH, NL_CB_CUSTOM, ovpn_nl_cb_finish, 319 &status); 320 nl_cb_set(ctx->nl_cb, NL_CB_ACK, NL_CB_CUSTOM, ovpn_nl_cb_ack, &status); 321 322 if (cb) 323 nl_cb_set(ctx->nl_cb, NL_CB_VALID, NL_CB_CUSTOM, cb, ctx); 324 325 nl_send_auto_complete(ctx->nl_sock, ctx->nl_msg); 326 327 while (status == 1) 328 ovpn_nl_recvmsgs(ctx); 329 330 if (status < 0) 331 fprintf(stderr, "failed to send netlink message: %s (%d)\n", 332 strerror(-status), status); 333 334 return status; 335 } 336 337 static int ovpn_parse_key(const char *file, struct ovpn_ctx *ctx) 338 { 339 int idx_enc, idx_dec, ret = -1; 340 unsigned char *ckey = NULL; 341 __u8 *bkey = NULL; 342 size_t olen = 0; 343 long ckey_len; 344 FILE *fp; 345 346 fp = fopen(file, "r"); 347 if (!fp) { 348 fprintf(stderr, "cannot open: %s\n", file); 349 return -1; 350 } 351 352 /* get file size */ 353 fseek(fp, 0L, SEEK_END); 354 ckey_len = ftell(fp); 355 rewind(fp); 356 357 /* if the file is longer, let's just read a portion */ 358 if (ckey_len > 256) 359 ckey_len = 256; 360 361 ckey = malloc(ckey_len); 362 if (!ckey) 363 goto err; 364 365 ret = fread(ckey, 1, ckey_len, fp); 366 if (ret != ckey_len) { 367 fprintf(stderr, 368 "couldn't read enough data from key file: %dbytes read\n", 369 ret); 370 goto err; 371 } 372 373 olen = 0; 374 ret = mbedtls_base64_decode(NULL, 0, &olen, ckey, ckey_len); 375 if (ret != MBEDTLS_ERR_BASE64_BUFFER_TOO_SMALL) { 376 char buf[256]; 377 378 mbedtls_strerror(ret, buf, sizeof(buf)); 379 fprintf(stderr, "unexpected base64 error1: %s (%d)\n", buf, 380 ret); 381 382 goto err; 383 } 384 385 bkey = malloc(olen); 386 if (!bkey) { 387 fprintf(stderr, "cannot allocate binary key buffer\n"); 388 goto err; 389 } 390 391 ret = mbedtls_base64_decode(bkey, olen, &olen, ckey, ckey_len); 392 if (ret) { 393 char buf[256]; 394 395 mbedtls_strerror(ret, buf, sizeof(buf)); 396 fprintf(stderr, "unexpected base64 error2: %s (%d)\n", buf, 397 ret); 398 399 goto err; 400 } 401 402 if (olen < 2 * KEY_LEN + NONCE_LEN) { 403 fprintf(stderr, 404 "not enough data in key file, found %zdB but needs %dB\n", 405 olen, 2 * KEY_LEN + NONCE_LEN); 406 goto err; 407 } 408 409 switch (ctx->key_dir) { 410 case KEY_DIR_IN: 411 idx_enc = 0; 412 idx_dec = 1; 413 break; 414 case KEY_DIR_OUT: 415 idx_enc = 1; 416 idx_dec = 0; 417 break; 418 default: 419 goto err; 420 } 421 422 memcpy(ctx->key_enc, bkey + KEY_LEN * idx_enc, KEY_LEN); 423 memcpy(ctx->key_dec, bkey + KEY_LEN * idx_dec, KEY_LEN); 424 memcpy(ctx->nonce, bkey + 2 * KEY_LEN, NONCE_LEN); 425 426 ret = 0; 427 428 err: 429 fclose(fp); 430 free(bkey); 431 free(ckey); 432 433 return ret; 434 } 435 436 static int ovpn_parse_cipher(const char *cipher, struct ovpn_ctx *ctx) 437 { 438 if (strcmp(cipher, "aes") == 0) 439 ctx->cipher = OVPN_CIPHER_ALG_AES_GCM; 440 else if (strcmp(cipher, "chachapoly") == 0) 441 ctx->cipher = OVPN_CIPHER_ALG_CHACHA20_POLY1305; 442 else if (strcmp(cipher, "none") == 0) 443 ctx->cipher = OVPN_CIPHER_ALG_NONE; 444 else 445 return -ENOTSUP; 446 447 return 0; 448 } 449 450 static int ovpn_parse_key_direction(const char *dir, struct ovpn_ctx *ctx) 451 { 452 int in_dir; 453 454 in_dir = strtoll(dir, NULL, 10); 455 switch (in_dir) { 456 case KEY_DIR_IN: 457 case KEY_DIR_OUT: 458 ctx->key_dir = in_dir; 459 break; 460 default: 461 fprintf(stderr, 462 "invalid key direction provided. Can be 0 or 1 only\n"); 463 return -1; 464 } 465 466 return 0; 467 } 468 469 static int ovpn_socket(struct ovpn_ctx *ctx, sa_family_t family, int proto) 470 { 471 struct sockaddr_storage local_sock = { 0 }; 472 struct sockaddr_in6 *in6; 473 struct sockaddr_in *in; 474 int ret, s, sock_type; 475 size_t sock_len; 476 477 if (proto == IPPROTO_UDP) 478 sock_type = SOCK_DGRAM; 479 else if (proto == IPPROTO_TCP) 480 sock_type = SOCK_STREAM; 481 else 482 return -EINVAL; 483 484 s = socket(family, sock_type, 0); 485 if (s < 0) { 486 perror("cannot create socket"); 487 return -1; 488 } 489 490 switch (family) { 491 case AF_INET: 492 in = (struct sockaddr_in *)&local_sock; 493 in->sin_family = family; 494 in->sin_port = htons(ctx->lport); 495 in->sin_addr.s_addr = htonl(INADDR_ANY); 496 sock_len = sizeof(*in); 497 break; 498 case AF_INET6: 499 in6 = (struct sockaddr_in6 *)&local_sock; 500 in6->sin6_family = family; 501 in6->sin6_port = htons(ctx->lport); 502 in6->sin6_addr = in6addr_any; 503 sock_len = sizeof(*in6); 504 break; 505 default: 506 return -1; 507 } 508 509 int opt = 1; 510 511 ret = setsockopt(s, SOL_SOCKET, SO_REUSEADDR, &opt, sizeof(opt)); 512 513 if (ret < 0) { 514 perror("setsockopt for SO_REUSEADDR"); 515 return ret; 516 } 517 518 ret = setsockopt(s, SOL_SOCKET, SO_REUSEPORT, &opt, sizeof(opt)); 519 if (ret < 0) { 520 perror("setsockopt for SO_REUSEPORT"); 521 return ret; 522 } 523 524 if (family == AF_INET6) { 525 opt = 0; 526 if (setsockopt(s, IPPROTO_IPV6, IPV6_V6ONLY, &opt, 527 sizeof(opt))) { 528 perror("failed to set IPV6_V6ONLY"); 529 return -1; 530 } 531 } 532 533 ret = bind(s, (struct sockaddr *)&local_sock, sock_len); 534 if (ret < 0) { 535 perror("cannot bind socket"); 536 goto err_socket; 537 } 538 539 ctx->socket = s; 540 ctx->sa_family = family; 541 return 0; 542 543 err_socket: 544 close(s); 545 return -1; 546 } 547 548 static int ovpn_udp_socket(struct ovpn_ctx *ctx, sa_family_t family) 549 { 550 return ovpn_socket(ctx, family, IPPROTO_UDP); 551 } 552 553 static int ovpn_listen(struct ovpn_ctx *ctx, sa_family_t family) 554 { 555 int ret; 556 557 ret = ovpn_socket(ctx, family, IPPROTO_TCP); 558 if (ret < 0) 559 return ret; 560 561 ret = listen(ctx->socket, 10); 562 if (ret < 0) { 563 perror("listen"); 564 close(ctx->socket); 565 return -1; 566 } 567 568 return 0; 569 } 570 571 static int ovpn_accept(struct ovpn_ctx *ctx) 572 { 573 socklen_t socklen; 574 int ret; 575 576 socklen = sizeof(ctx->remote); 577 ret = accept(ctx->socket, (struct sockaddr *)&ctx->remote, &socklen); 578 if (ret < 0) { 579 perror("accept"); 580 goto err; 581 } 582 583 fprintf(stderr, "Connection received!\n"); 584 585 switch (socklen) { 586 case sizeof(struct sockaddr_in): 587 case sizeof(struct sockaddr_in6): 588 break; 589 default: 590 fprintf(stderr, "error: expecting IPv4 or IPv6 connection\n"); 591 close(ret); 592 ret = -EINVAL; 593 goto err; 594 } 595 596 return ret; 597 err: 598 close(ctx->socket); 599 return ret; 600 } 601 602 static int ovpn_connect(struct ovpn_ctx *ovpn) 603 { 604 socklen_t socklen; 605 int s, ret; 606 607 s = socket(ovpn->remote.in4.sin_family, SOCK_STREAM, 0); 608 if (s < 0) { 609 perror("cannot create socket"); 610 return -1; 611 } 612 613 switch (ovpn->remote.in4.sin_family) { 614 case AF_INET: 615 socklen = sizeof(struct sockaddr_in); 616 break; 617 case AF_INET6: 618 socklen = sizeof(struct sockaddr_in6); 619 break; 620 default: 621 return -EOPNOTSUPP; 622 } 623 624 ret = connect(s, (struct sockaddr *)&ovpn->remote, socklen); 625 if (ret < 0) { 626 perror("connect"); 627 goto err; 628 } 629 630 fprintf(stderr, "connected\n"); 631 632 ovpn->socket = s; 633 634 return 0; 635 err: 636 close(s); 637 return ret; 638 } 639 640 static int ovpn_new_peer(struct ovpn_ctx *ovpn, bool is_tcp) 641 { 642 struct nlattr *attr; 643 struct nl_ctx *ctx; 644 int ret = -1; 645 646 ctx = nl_ctx_alloc(ovpn, OVPN_CMD_PEER_NEW); 647 if (!ctx) 648 return -ENOMEM; 649 650 attr = nla_nest_start(ctx->nl_msg, OVPN_A_PEER); 651 NLA_PUT_U32(ctx->nl_msg, OVPN_A_PEER_ID, ovpn->peer_id); 652 NLA_PUT_U32(ctx->nl_msg, OVPN_A_PEER_SOCKET, ovpn->socket); 653 654 if (!is_tcp) { 655 switch (ovpn->remote.in4.sin_family) { 656 case AF_INET: 657 NLA_PUT_U32(ctx->nl_msg, OVPN_A_PEER_REMOTE_IPV4, 658 ovpn->remote.in4.sin_addr.s_addr); 659 NLA_PUT_U16(ctx->nl_msg, OVPN_A_PEER_REMOTE_PORT, 660 ovpn->remote.in4.sin_port); 661 break; 662 case AF_INET6: 663 NLA_PUT(ctx->nl_msg, OVPN_A_PEER_REMOTE_IPV6, 664 sizeof(ovpn->remote.in6.sin6_addr), 665 &ovpn->remote.in6.sin6_addr); 666 NLA_PUT_U32(ctx->nl_msg, 667 OVPN_A_PEER_REMOTE_IPV6_SCOPE_ID, 668 ovpn->remote.in6.sin6_scope_id); 669 NLA_PUT_U16(ctx->nl_msg, OVPN_A_PEER_REMOTE_PORT, 670 ovpn->remote.in6.sin6_port); 671 break; 672 default: 673 fprintf(stderr, 674 "Invalid family for remote socket address\n"); 675 goto nla_put_failure; 676 } 677 } 678 679 if (ovpn->peer_ip_set) { 680 switch (ovpn->peer_ip.in4.sin_family) { 681 case AF_INET: 682 NLA_PUT_U32(ctx->nl_msg, OVPN_A_PEER_VPN_IPV4, 683 ovpn->peer_ip.in4.sin_addr.s_addr); 684 break; 685 case AF_INET6: 686 NLA_PUT(ctx->nl_msg, OVPN_A_PEER_VPN_IPV6, 687 sizeof(struct in6_addr), 688 &ovpn->peer_ip.in6.sin6_addr); 689 break; 690 default: 691 fprintf(stderr, "Invalid family for peer address\n"); 692 goto nla_put_failure; 693 } 694 } 695 696 nla_nest_end(ctx->nl_msg, attr); 697 698 ret = ovpn_nl_msg_send(ctx, NULL); 699 nla_put_failure: 700 nl_ctx_free(ctx); 701 return ret; 702 } 703 704 static int ovpn_set_peer(struct ovpn_ctx *ovpn) 705 { 706 struct nlattr *attr; 707 struct nl_ctx *ctx; 708 int ret = -1; 709 710 ctx = nl_ctx_alloc(ovpn, OVPN_CMD_PEER_SET); 711 if (!ctx) 712 return -ENOMEM; 713 714 attr = nla_nest_start(ctx->nl_msg, OVPN_A_PEER); 715 NLA_PUT_U32(ctx->nl_msg, OVPN_A_PEER_ID, ovpn->peer_id); 716 NLA_PUT_U32(ctx->nl_msg, OVPN_A_PEER_KEEPALIVE_INTERVAL, 717 ovpn->keepalive_interval); 718 NLA_PUT_U32(ctx->nl_msg, OVPN_A_PEER_KEEPALIVE_TIMEOUT, 719 ovpn->keepalive_timeout); 720 nla_nest_end(ctx->nl_msg, attr); 721 722 ret = ovpn_nl_msg_send(ctx, NULL); 723 nla_put_failure: 724 nl_ctx_free(ctx); 725 return ret; 726 } 727 728 static int ovpn_del_peer(struct ovpn_ctx *ovpn) 729 { 730 struct nlattr *attr; 731 struct nl_ctx *ctx; 732 int ret = -1; 733 734 ctx = nl_ctx_alloc(ovpn, OVPN_CMD_PEER_DEL); 735 if (!ctx) 736 return -ENOMEM; 737 738 attr = nla_nest_start(ctx->nl_msg, OVPN_A_PEER); 739 NLA_PUT_U32(ctx->nl_msg, OVPN_A_PEER_ID, ovpn->peer_id); 740 nla_nest_end(ctx->nl_msg, attr); 741 742 ret = ovpn_nl_msg_send(ctx, NULL); 743 nla_put_failure: 744 nl_ctx_free(ctx); 745 return ret; 746 } 747 748 static int ovpn_handle_peer(struct nl_msg *msg, void (*arg)__always_unused) 749 { 750 struct nlattr *pattrs[OVPN_A_PEER_MAX + 1]; 751 struct genlmsghdr *gnlh = nlmsg_data(nlmsg_hdr(msg)); 752 struct nlattr *attrs[OVPN_A_MAX + 1]; 753 __u16 rport = 0, lport = 0; 754 755 nla_parse(attrs, OVPN_A_MAX, genlmsg_attrdata(gnlh, 0), 756 genlmsg_attrlen(gnlh, 0), NULL); 757 758 if (!attrs[OVPN_A_PEER]) { 759 fprintf(stderr, "no packet content in netlink message\n"); 760 return NL_SKIP; 761 } 762 763 nla_parse(pattrs, OVPN_A_PEER_MAX, nla_data(attrs[OVPN_A_PEER]), 764 nla_len(attrs[OVPN_A_PEER]), NULL); 765 766 if (pattrs[OVPN_A_PEER_ID]) 767 fprintf(stderr, "* Peer %u\n", 768 nla_get_u32(pattrs[OVPN_A_PEER_ID])); 769 770 if (pattrs[OVPN_A_PEER_SOCKET_NETNSID]) 771 fprintf(stderr, "\tsocket NetNS ID: %d\n", 772 nla_get_s32(pattrs[OVPN_A_PEER_SOCKET_NETNSID])); 773 774 if (pattrs[OVPN_A_PEER_VPN_IPV4]) { 775 char buf[INET_ADDRSTRLEN]; 776 777 inet_ntop(AF_INET, nla_data(pattrs[OVPN_A_PEER_VPN_IPV4]), 778 buf, sizeof(buf)); 779 fprintf(stderr, "\tVPN IPv4: %s\n", buf); 780 } 781 782 if (pattrs[OVPN_A_PEER_VPN_IPV6]) { 783 char buf[INET6_ADDRSTRLEN]; 784 785 inet_ntop(AF_INET6, nla_data(pattrs[OVPN_A_PEER_VPN_IPV6]), 786 buf, sizeof(buf)); 787 fprintf(stderr, "\tVPN IPv6: %s\n", buf); 788 } 789 790 if (pattrs[OVPN_A_PEER_LOCAL_PORT]) 791 lport = ntohs(nla_get_u16(pattrs[OVPN_A_PEER_LOCAL_PORT])); 792 793 if (pattrs[OVPN_A_PEER_REMOTE_PORT]) 794 rport = ntohs(nla_get_u16(pattrs[OVPN_A_PEER_REMOTE_PORT])); 795 796 if (pattrs[OVPN_A_PEER_REMOTE_IPV6]) { 797 void *ip = pattrs[OVPN_A_PEER_REMOTE_IPV6]; 798 char buf[INET6_ADDRSTRLEN]; 799 int scope_id = -1; 800 801 if (pattrs[OVPN_A_PEER_REMOTE_IPV6_SCOPE_ID]) { 802 void *p = pattrs[OVPN_A_PEER_REMOTE_IPV6_SCOPE_ID]; 803 804 scope_id = nla_get_u32(p); 805 } 806 807 inet_ntop(AF_INET6, nla_data(ip), buf, sizeof(buf)); 808 fprintf(stderr, "\tRemote: %s:%hu (scope-id: %u)\n", buf, rport, 809 scope_id); 810 811 if (pattrs[OVPN_A_PEER_LOCAL_IPV6]) { 812 void *ip = pattrs[OVPN_A_PEER_LOCAL_IPV6]; 813 814 inet_ntop(AF_INET6, nla_data(ip), buf, sizeof(buf)); 815 fprintf(stderr, "\tLocal: %s:%hu\n", buf, lport); 816 } 817 } 818 819 if (pattrs[OVPN_A_PEER_REMOTE_IPV4]) { 820 void *ip = pattrs[OVPN_A_PEER_REMOTE_IPV4]; 821 char buf[INET_ADDRSTRLEN]; 822 823 inet_ntop(AF_INET, nla_data(ip), buf, sizeof(buf)); 824 fprintf(stderr, "\tRemote: %s:%hu\n", buf, rport); 825 826 if (pattrs[OVPN_A_PEER_LOCAL_IPV4]) { 827 void *p = pattrs[OVPN_A_PEER_LOCAL_IPV4]; 828 829 inet_ntop(AF_INET, nla_data(p), buf, sizeof(buf)); 830 fprintf(stderr, "\tLocal: %s:%hu\n", buf, lport); 831 } 832 } 833 834 if (pattrs[OVPN_A_PEER_KEEPALIVE_INTERVAL]) { 835 void *p = pattrs[OVPN_A_PEER_KEEPALIVE_INTERVAL]; 836 837 fprintf(stderr, "\tKeepalive interval: %u sec\n", 838 nla_get_u32(p)); 839 } 840 841 if (pattrs[OVPN_A_PEER_KEEPALIVE_TIMEOUT]) 842 fprintf(stderr, "\tKeepalive timeout: %u sec\n", 843 nla_get_u32(pattrs[OVPN_A_PEER_KEEPALIVE_TIMEOUT])); 844 845 if (pattrs[OVPN_A_PEER_VPN_RX_BYTES]) 846 fprintf(stderr, "\tVPN RX bytes: %" PRIu64 "\n", 847 ovpn_nla_get_uint(pattrs[OVPN_A_PEER_VPN_RX_BYTES])); 848 849 if (pattrs[OVPN_A_PEER_VPN_TX_BYTES]) 850 fprintf(stderr, "\tVPN TX bytes: %" PRIu64 "\n", 851 ovpn_nla_get_uint(pattrs[OVPN_A_PEER_VPN_TX_BYTES])); 852 853 if (pattrs[OVPN_A_PEER_VPN_RX_PACKETS]) 854 fprintf(stderr, "\tVPN RX packets: %" PRIu64 "\n", 855 ovpn_nla_get_uint(pattrs[OVPN_A_PEER_VPN_RX_PACKETS])); 856 857 if (pattrs[OVPN_A_PEER_VPN_TX_PACKETS]) 858 fprintf(stderr, "\tVPN TX packets: %" PRIu64 "\n", 859 ovpn_nla_get_uint(pattrs[OVPN_A_PEER_VPN_TX_PACKETS])); 860 861 if (pattrs[OVPN_A_PEER_LINK_RX_BYTES]) 862 fprintf(stderr, "\tLINK RX bytes: %" PRIu64 "\n", 863 ovpn_nla_get_uint(pattrs[OVPN_A_PEER_LINK_RX_BYTES])); 864 865 if (pattrs[OVPN_A_PEER_LINK_TX_BYTES]) 866 fprintf(stderr, "\tLINK TX bytes: %" PRIu64 "\n", 867 ovpn_nla_get_uint(pattrs[OVPN_A_PEER_LINK_TX_BYTES])); 868 869 if (pattrs[OVPN_A_PEER_LINK_RX_PACKETS]) 870 fprintf(stderr, "\tLINK RX packets: %" PRIu64 "\n", 871 ovpn_nla_get_uint(pattrs[OVPN_A_PEER_LINK_RX_PACKETS])); 872 873 if (pattrs[OVPN_A_PEER_LINK_TX_PACKETS]) 874 fprintf(stderr, "\tLINK TX packets: %" PRIu64 "\n", 875 ovpn_nla_get_uint(pattrs[OVPN_A_PEER_LINK_TX_PACKETS])); 876 877 return NL_SKIP; 878 } 879 880 static int ovpn_get_peer(struct ovpn_ctx *ovpn) 881 { 882 int flags = 0, ret = -1; 883 struct nlattr *attr; 884 struct nl_ctx *ctx; 885 886 if (ovpn->peer_id == PEER_ID_UNDEF) 887 flags = NLM_F_DUMP; 888 889 ctx = nl_ctx_alloc_flags(ovpn, OVPN_CMD_PEER_GET, flags); 890 if (!ctx) 891 return -ENOMEM; 892 893 if (ovpn->peer_id != PEER_ID_UNDEF) { 894 attr = nla_nest_start(ctx->nl_msg, OVPN_A_PEER); 895 NLA_PUT_U32(ctx->nl_msg, OVPN_A_PEER_ID, ovpn->peer_id); 896 nla_nest_end(ctx->nl_msg, attr); 897 } 898 899 ret = ovpn_nl_msg_send(ctx, ovpn_handle_peer); 900 nla_put_failure: 901 nl_ctx_free(ctx); 902 return ret; 903 } 904 905 static int ovpn_new_key(struct ovpn_ctx *ovpn) 906 { 907 struct nlattr *keyconf, *key_dir; 908 struct nl_ctx *ctx; 909 int ret = -1; 910 911 ctx = nl_ctx_alloc(ovpn, OVPN_CMD_KEY_NEW); 912 if (!ctx) 913 return -ENOMEM; 914 915 keyconf = nla_nest_start(ctx->nl_msg, OVPN_A_KEYCONF); 916 NLA_PUT_U32(ctx->nl_msg, OVPN_A_KEYCONF_PEER_ID, ovpn->peer_id); 917 NLA_PUT_U32(ctx->nl_msg, OVPN_A_KEYCONF_SLOT, ovpn->key_slot); 918 NLA_PUT_U32(ctx->nl_msg, OVPN_A_KEYCONF_KEY_ID, ovpn->key_id); 919 NLA_PUT_U32(ctx->nl_msg, OVPN_A_KEYCONF_CIPHER_ALG, ovpn->cipher); 920 921 key_dir = nla_nest_start(ctx->nl_msg, OVPN_A_KEYCONF_ENCRYPT_DIR); 922 NLA_PUT(ctx->nl_msg, OVPN_A_KEYDIR_CIPHER_KEY, KEY_LEN, ovpn->key_enc); 923 NLA_PUT(ctx->nl_msg, OVPN_A_KEYDIR_NONCE_TAIL, NONCE_LEN, ovpn->nonce); 924 nla_nest_end(ctx->nl_msg, key_dir); 925 926 key_dir = nla_nest_start(ctx->nl_msg, OVPN_A_KEYCONF_DECRYPT_DIR); 927 NLA_PUT(ctx->nl_msg, OVPN_A_KEYDIR_CIPHER_KEY, KEY_LEN, ovpn->key_dec); 928 NLA_PUT(ctx->nl_msg, OVPN_A_KEYDIR_NONCE_TAIL, NONCE_LEN, ovpn->nonce); 929 nla_nest_end(ctx->nl_msg, key_dir); 930 931 nla_nest_end(ctx->nl_msg, keyconf); 932 933 ret = ovpn_nl_msg_send(ctx, NULL); 934 nla_put_failure: 935 nl_ctx_free(ctx); 936 return ret; 937 } 938 939 static int ovpn_del_key(struct ovpn_ctx *ovpn) 940 { 941 struct nlattr *keyconf; 942 struct nl_ctx *ctx; 943 int ret = -1; 944 945 ctx = nl_ctx_alloc(ovpn, OVPN_CMD_KEY_DEL); 946 if (!ctx) 947 return -ENOMEM; 948 949 keyconf = nla_nest_start(ctx->nl_msg, OVPN_A_KEYCONF); 950 NLA_PUT_U32(ctx->nl_msg, OVPN_A_KEYCONF_PEER_ID, ovpn->peer_id); 951 NLA_PUT_U32(ctx->nl_msg, OVPN_A_KEYCONF_SLOT, ovpn->key_slot); 952 nla_nest_end(ctx->nl_msg, keyconf); 953 954 ret = ovpn_nl_msg_send(ctx, NULL); 955 nla_put_failure: 956 nl_ctx_free(ctx); 957 return ret; 958 } 959 960 static int ovpn_handle_key(struct nl_msg *msg, void (*arg)__always_unused) 961 { 962 struct nlattr *kattrs[OVPN_A_KEYCONF_MAX + 1]; 963 struct genlmsghdr *gnlh = nlmsg_data(nlmsg_hdr(msg)); 964 struct nlattr *attrs[OVPN_A_MAX + 1]; 965 966 nla_parse(attrs, OVPN_A_MAX, genlmsg_attrdata(gnlh, 0), 967 genlmsg_attrlen(gnlh, 0), NULL); 968 969 if (!attrs[OVPN_A_KEYCONF]) { 970 fprintf(stderr, "no packet content in netlink message\n"); 971 return NL_SKIP; 972 } 973 974 nla_parse(kattrs, OVPN_A_KEYCONF_MAX, nla_data(attrs[OVPN_A_KEYCONF]), 975 nla_len(attrs[OVPN_A_KEYCONF]), NULL); 976 977 if (kattrs[OVPN_A_KEYCONF_PEER_ID]) 978 fprintf(stderr, "* Peer %u\n", 979 nla_get_u32(kattrs[OVPN_A_KEYCONF_PEER_ID])); 980 if (kattrs[OVPN_A_KEYCONF_SLOT]) { 981 fprintf(stderr, "\t- Slot: "); 982 switch (nla_get_u32(kattrs[OVPN_A_KEYCONF_SLOT])) { 983 case OVPN_KEY_SLOT_PRIMARY: 984 fprintf(stderr, "primary\n"); 985 break; 986 case OVPN_KEY_SLOT_SECONDARY: 987 fprintf(stderr, "secondary\n"); 988 break; 989 default: 990 fprintf(stderr, "invalid (%u)\n", 991 nla_get_u32(kattrs[OVPN_A_KEYCONF_SLOT])); 992 break; 993 } 994 } 995 if (kattrs[OVPN_A_KEYCONF_KEY_ID]) 996 fprintf(stderr, "\t- Key ID: %u\n", 997 nla_get_u32(kattrs[OVPN_A_KEYCONF_KEY_ID])); 998 if (kattrs[OVPN_A_KEYCONF_CIPHER_ALG]) { 999 fprintf(stderr, "\t- Cipher: "); 1000 switch (nla_get_u32(kattrs[OVPN_A_KEYCONF_CIPHER_ALG])) { 1001 case OVPN_CIPHER_ALG_NONE: 1002 fprintf(stderr, "none\n"); 1003 break; 1004 case OVPN_CIPHER_ALG_AES_GCM: 1005 fprintf(stderr, "aes-gcm\n"); 1006 break; 1007 case OVPN_CIPHER_ALG_CHACHA20_POLY1305: 1008 fprintf(stderr, "chacha20poly1305\n"); 1009 break; 1010 default: 1011 fprintf(stderr, "invalid (%u)\n", 1012 nla_get_u32(kattrs[OVPN_A_KEYCONF_CIPHER_ALG])); 1013 break; 1014 } 1015 } 1016 1017 return NL_SKIP; 1018 } 1019 1020 static int ovpn_get_key(struct ovpn_ctx *ovpn) 1021 { 1022 struct nlattr *keyconf; 1023 struct nl_ctx *ctx; 1024 int ret = -1; 1025 1026 ctx = nl_ctx_alloc(ovpn, OVPN_CMD_KEY_GET); 1027 if (!ctx) 1028 return -ENOMEM; 1029 1030 keyconf = nla_nest_start(ctx->nl_msg, OVPN_A_KEYCONF); 1031 NLA_PUT_U32(ctx->nl_msg, OVPN_A_KEYCONF_PEER_ID, ovpn->peer_id); 1032 NLA_PUT_U32(ctx->nl_msg, OVPN_A_KEYCONF_SLOT, ovpn->key_slot); 1033 nla_nest_end(ctx->nl_msg, keyconf); 1034 1035 ret = ovpn_nl_msg_send(ctx, ovpn_handle_key); 1036 nla_put_failure: 1037 nl_ctx_free(ctx); 1038 return ret; 1039 } 1040 1041 static int ovpn_swap_keys(struct ovpn_ctx *ovpn) 1042 { 1043 struct nl_ctx *ctx; 1044 struct nlattr *kc; 1045 int ret = -1; 1046 1047 ctx = nl_ctx_alloc(ovpn, OVPN_CMD_KEY_SWAP); 1048 if (!ctx) 1049 return -ENOMEM; 1050 1051 kc = nla_nest_start(ctx->nl_msg, OVPN_A_KEYCONF); 1052 NLA_PUT_U32(ctx->nl_msg, OVPN_A_KEYCONF_PEER_ID, ovpn->peer_id); 1053 nla_nest_end(ctx->nl_msg, kc); 1054 1055 ret = ovpn_nl_msg_send(ctx, NULL); 1056 nla_put_failure: 1057 nl_ctx_free(ctx); 1058 return ret; 1059 } 1060 1061 /* Helper function used to easily add attributes to a rtnl message */ 1062 static int ovpn_addattr(struct nlmsghdr *n, int maxlen, int type, 1063 const void *data, int alen) 1064 { 1065 int len = RTA_LENGTH(alen); 1066 struct rtattr *rta; 1067 1068 if ((int)(NLMSG_ALIGN(n->nlmsg_len) + RTA_ALIGN(len)) > maxlen) { 1069 fprintf(stderr, "%s: rtnl: message exceeded bound of %d\n", 1070 __func__, maxlen); 1071 return -EMSGSIZE; 1072 } 1073 1074 rta = nlmsg_tail(n); 1075 rta->rta_type = type; 1076 rta->rta_len = len; 1077 1078 if (!data) 1079 memset(RTA_DATA(rta), 0, alen); 1080 else 1081 memcpy(RTA_DATA(rta), data, alen); 1082 1083 n->nlmsg_len = NLMSG_ALIGN(n->nlmsg_len) + RTA_ALIGN(len); 1084 1085 return 0; 1086 } 1087 1088 static struct rtattr *ovpn_nest_start(struct nlmsghdr *msg, size_t max_size, 1089 int attr) 1090 { 1091 struct rtattr *nest = nlmsg_tail(msg); 1092 1093 if (ovpn_addattr(msg, max_size, attr, NULL, 0) < 0) 1094 return NULL; 1095 1096 return nest; 1097 } 1098 1099 static void ovpn_nest_end(struct nlmsghdr *msg, struct rtattr *nest) 1100 { 1101 nest->rta_len = (uint8_t *)nlmsg_tail(msg) - (uint8_t *)nest; 1102 } 1103 1104 #define RT_SNDBUF_SIZE (1024 * 2) 1105 #define RT_RCVBUF_SIZE (1024 * 4) 1106 1107 /* Open RTNL socket */ 1108 static int ovpn_rt_socket(void) 1109 { 1110 int sndbuf = RT_SNDBUF_SIZE, rcvbuf = RT_RCVBUF_SIZE, fd; 1111 1112 fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE); 1113 if (fd < 0) { 1114 fprintf(stderr, "%s: cannot open netlink socket\n", __func__); 1115 return fd; 1116 } 1117 1118 if (setsockopt(fd, SOL_SOCKET, SO_SNDBUF, &sndbuf, 1119 sizeof(sndbuf)) < 0) { 1120 fprintf(stderr, "%s: SO_SNDBUF\n", __func__); 1121 close(fd); 1122 return -1; 1123 } 1124 1125 if (setsockopt(fd, SOL_SOCKET, SO_RCVBUF, &rcvbuf, 1126 sizeof(rcvbuf)) < 0) { 1127 fprintf(stderr, "%s: SO_RCVBUF\n", __func__); 1128 close(fd); 1129 return -1; 1130 } 1131 1132 return fd; 1133 } 1134 1135 /* Bind socket to Netlink subsystem */ 1136 static int ovpn_rt_bind(int fd, uint32_t groups) 1137 { 1138 struct sockaddr_nl local = { 0 }; 1139 socklen_t addr_len; 1140 1141 local.nl_family = AF_NETLINK; 1142 local.nl_groups = groups; 1143 1144 if (bind(fd, (struct sockaddr *)&local, sizeof(local)) < 0) { 1145 fprintf(stderr, "%s: cannot bind netlink socket: %d\n", 1146 __func__, errno); 1147 return -errno; 1148 } 1149 1150 addr_len = sizeof(local); 1151 if (getsockname(fd, (struct sockaddr *)&local, &addr_len) < 0) { 1152 fprintf(stderr, "%s: cannot getsockname: %d\n", __func__, 1153 errno); 1154 return -errno; 1155 } 1156 1157 if (addr_len != sizeof(local)) { 1158 fprintf(stderr, "%s: wrong address length %d\n", __func__, 1159 addr_len); 1160 return -EINVAL; 1161 } 1162 1163 if (local.nl_family != AF_NETLINK) { 1164 fprintf(stderr, "%s: wrong address family %d\n", __func__, 1165 local.nl_family); 1166 return -EINVAL; 1167 } 1168 1169 return 0; 1170 } 1171 1172 typedef int (*ovpn_parse_reply_cb)(struct nlmsghdr *msg, void *arg); 1173 1174 /* Send Netlink message and run callback on reply (if specified) */ 1175 static int ovpn_rt_send(struct nlmsghdr *payload, pid_t peer, 1176 unsigned int groups, ovpn_parse_reply_cb cb, 1177 void *arg_cb) 1178 { 1179 int len, rem_len, fd, ret, rcv_len; 1180 struct sockaddr_nl nladdr = { 0 }; 1181 struct nlmsgerr *err; 1182 struct nlmsghdr *h; 1183 char buf[1024 * 16]; 1184 struct iovec iov = { 1185 .iov_base = payload, 1186 .iov_len = payload->nlmsg_len, 1187 }; 1188 struct msghdr nlmsg = { 1189 .msg_name = &nladdr, 1190 .msg_namelen = sizeof(nladdr), 1191 .msg_iov = &iov, 1192 .msg_iovlen = 1, 1193 }; 1194 1195 nladdr.nl_family = AF_NETLINK; 1196 nladdr.nl_pid = peer; 1197 nladdr.nl_groups = groups; 1198 1199 payload->nlmsg_seq = time(NULL); 1200 1201 /* no need to send reply */ 1202 if (!cb) 1203 payload->nlmsg_flags |= NLM_F_ACK; 1204 1205 fd = ovpn_rt_socket(); 1206 if (fd < 0) { 1207 fprintf(stderr, "%s: can't open rtnl socket\n", __func__); 1208 return -errno; 1209 } 1210 1211 ret = ovpn_rt_bind(fd, 0); 1212 if (ret < 0) { 1213 fprintf(stderr, "%s: can't bind rtnl socket\n", __func__); 1214 ret = -errno; 1215 goto out; 1216 } 1217 1218 ret = sendmsg(fd, &nlmsg, 0); 1219 if (ret < 0) { 1220 fprintf(stderr, "%s: rtnl: error on sendmsg()\n", __func__); 1221 ret = -errno; 1222 goto out; 1223 } 1224 1225 /* prepare buffer to store RTNL replies */ 1226 memset(buf, 0, sizeof(buf)); 1227 iov.iov_base = buf; 1228 1229 while (1) { 1230 /* 1231 * iov_len is modified by recvmsg(), therefore has to be initialized before 1232 * using it again 1233 */ 1234 iov.iov_len = sizeof(buf); 1235 rcv_len = recvmsg(fd, &nlmsg, 0); 1236 if (rcv_len < 0) { 1237 if (errno == EINTR || errno == EAGAIN) { 1238 fprintf(stderr, "%s: interrupted call\n", 1239 __func__); 1240 continue; 1241 } 1242 fprintf(stderr, "%s: rtnl: error on recvmsg()\n", 1243 __func__); 1244 ret = -errno; 1245 goto out; 1246 } 1247 1248 if (rcv_len == 0) { 1249 fprintf(stderr, 1250 "%s: rtnl: socket reached unexpected EOF\n", 1251 __func__); 1252 ret = -EIO; 1253 goto out; 1254 } 1255 1256 if (nlmsg.msg_namelen != sizeof(nladdr)) { 1257 fprintf(stderr, 1258 "%s: sender address length: %u (expected %zu)\n", 1259 __func__, nlmsg.msg_namelen, sizeof(nladdr)); 1260 ret = -EIO; 1261 goto out; 1262 } 1263 1264 h = (struct nlmsghdr *)buf; 1265 while (rcv_len >= (int)sizeof(*h)) { 1266 len = h->nlmsg_len; 1267 rem_len = len - sizeof(*h); 1268 1269 if (rem_len < 0 || len > rcv_len) { 1270 if (nlmsg.msg_flags & MSG_TRUNC) { 1271 fprintf(stderr, "%s: truncated message\n", 1272 __func__); 1273 ret = -EIO; 1274 goto out; 1275 } 1276 fprintf(stderr, "%s: malformed message: len=%d\n", 1277 __func__, len); 1278 ret = -EIO; 1279 goto out; 1280 } 1281 1282 if (h->nlmsg_type == NLMSG_DONE) { 1283 ret = 0; 1284 goto out; 1285 } 1286 1287 if (h->nlmsg_type == NLMSG_ERROR) { 1288 err = (struct nlmsgerr *)NLMSG_DATA(h); 1289 if (rem_len < (int)sizeof(struct nlmsgerr)) { 1290 fprintf(stderr, "%s: ERROR truncated\n", 1291 __func__); 1292 ret = -EIO; 1293 goto out; 1294 } 1295 1296 if (err->error) { 1297 fprintf(stderr, "%s: (%d) %s\n", 1298 __func__, err->error, 1299 strerror(-err->error)); 1300 ret = err->error; 1301 goto out; 1302 } 1303 1304 ret = 0; 1305 if (cb) { 1306 int r = cb(h, arg_cb); 1307 1308 if (r <= 0) 1309 ret = r; 1310 } 1311 goto out; 1312 } 1313 1314 if (cb) { 1315 int r = cb(h, arg_cb); 1316 1317 if (r <= 0) { 1318 ret = r; 1319 goto out; 1320 } 1321 } else { 1322 fprintf(stderr, "%s: RTNL: unexpected reply\n", 1323 __func__); 1324 } 1325 1326 rcv_len -= NLMSG_ALIGN(len); 1327 h = (struct nlmsghdr *)((uint8_t *)h + 1328 NLMSG_ALIGN(len)); 1329 } 1330 1331 if (nlmsg.msg_flags & MSG_TRUNC) { 1332 fprintf(stderr, "%s: message truncated\n", __func__); 1333 continue; 1334 } 1335 1336 if (rcv_len) { 1337 fprintf(stderr, "%s: rtnl: %d not parsed bytes\n", 1338 __func__, rcv_len); 1339 ret = -1; 1340 goto out; 1341 } 1342 } 1343 out: 1344 close(fd); 1345 1346 return ret; 1347 } 1348 1349 struct ovpn_link_req { 1350 struct nlmsghdr n; 1351 struct ifinfomsg i; 1352 char buf[256]; 1353 }; 1354 1355 static int ovpn_new_iface(struct ovpn_ctx *ovpn) 1356 { 1357 struct rtattr *linkinfo, *data; 1358 struct ovpn_link_req req = { 0 }; 1359 int ret = -1; 1360 1361 fprintf(stdout, "Creating interface %s with mode %u\n", ovpn->ifname, 1362 ovpn->mode); 1363 1364 req.n.nlmsg_len = NLMSG_LENGTH(sizeof(req.i)); 1365 req.n.nlmsg_flags = NLM_F_REQUEST | NLM_F_CREATE | NLM_F_EXCL; 1366 req.n.nlmsg_type = RTM_NEWLINK; 1367 1368 if (ovpn_addattr(&req.n, sizeof(req), IFLA_IFNAME, ovpn->ifname, 1369 strlen(ovpn->ifname) + 1) < 0) 1370 goto err; 1371 1372 linkinfo = ovpn_nest_start(&req.n, sizeof(req), IFLA_LINKINFO); 1373 if (!linkinfo) 1374 goto err; 1375 1376 if (ovpn_addattr(&req.n, sizeof(req), IFLA_INFO_KIND, OVPN_FAMILY_NAME, 1377 strlen(OVPN_FAMILY_NAME) + 1) < 0) 1378 goto err; 1379 1380 if (ovpn->mode_set) { 1381 data = ovpn_nest_start(&req.n, sizeof(req), IFLA_INFO_DATA); 1382 if (!data) 1383 goto err; 1384 1385 if (ovpn_addattr(&req.n, sizeof(req), IFLA_OVPN_MODE, 1386 &ovpn->mode, sizeof(uint8_t)) < 0) 1387 goto err; 1388 1389 ovpn_nest_end(&req.n, data); 1390 } 1391 1392 ovpn_nest_end(&req.n, linkinfo); 1393 1394 req.i.ifi_family = AF_PACKET; 1395 1396 ret = ovpn_rt_send(&req.n, 0, 0, NULL, NULL); 1397 err: 1398 return ret; 1399 } 1400 1401 static int ovpn_del_iface(struct ovpn_ctx *ovpn) 1402 { 1403 struct ovpn_link_req req = { 0 }; 1404 1405 fprintf(stdout, "Deleting interface %s ifindex %u\n", ovpn->ifname, 1406 ovpn->ifindex); 1407 1408 req.n.nlmsg_len = NLMSG_LENGTH(sizeof(req.i)); 1409 req.n.nlmsg_flags = NLM_F_REQUEST; 1410 req.n.nlmsg_type = RTM_DELLINK; 1411 1412 req.i.ifi_family = AF_PACKET; 1413 req.i.ifi_index = ovpn->ifindex; 1414 1415 return ovpn_rt_send(&req.n, 0, 0, NULL, NULL); 1416 } 1417 1418 static int nl_seq_check(struct nl_msg (*msg)__always_unused, 1419 void (*arg)__always_unused) 1420 { 1421 return NL_OK; 1422 } 1423 1424 struct mcast_handler_args { 1425 const char *group; 1426 int id; 1427 }; 1428 1429 static int mcast_family_handler(struct nl_msg *msg, void *arg) 1430 { 1431 struct mcast_handler_args *grp = arg; 1432 struct nlattr *tb[CTRL_ATTR_MAX + 1]; 1433 struct genlmsghdr *gnlh = nlmsg_data(nlmsg_hdr(msg)); 1434 struct nlattr *mcgrp; 1435 int rem_mcgrp; 1436 1437 nla_parse(tb, CTRL_ATTR_MAX, genlmsg_attrdata(gnlh, 0), 1438 genlmsg_attrlen(gnlh, 0), NULL); 1439 1440 if (!tb[CTRL_ATTR_MCAST_GROUPS]) 1441 return NL_SKIP; 1442 1443 nla_for_each_nested(mcgrp, tb[CTRL_ATTR_MCAST_GROUPS], rem_mcgrp) { 1444 struct nlattr *tb_mcgrp[CTRL_ATTR_MCAST_GRP_MAX + 1]; 1445 1446 nla_parse(tb_mcgrp, CTRL_ATTR_MCAST_GRP_MAX, 1447 nla_data(mcgrp), nla_len(mcgrp), NULL); 1448 1449 if (!tb_mcgrp[CTRL_ATTR_MCAST_GRP_NAME] || 1450 !tb_mcgrp[CTRL_ATTR_MCAST_GRP_ID]) 1451 continue; 1452 if (strncmp(nla_data(tb_mcgrp[CTRL_ATTR_MCAST_GRP_NAME]), 1453 grp->group, nla_len(tb_mcgrp[CTRL_ATTR_MCAST_GRP_NAME]))) 1454 continue; 1455 grp->id = nla_get_u32(tb_mcgrp[CTRL_ATTR_MCAST_GRP_ID]); 1456 break; 1457 } 1458 1459 return NL_SKIP; 1460 } 1461 1462 static int mcast_error_handler(struct sockaddr_nl (*nla)__always_unused, 1463 struct nlmsgerr *err, void *arg) 1464 { 1465 int *ret = arg; 1466 1467 *ret = err->error; 1468 return NL_STOP; 1469 } 1470 1471 static int mcast_ack_handler(struct nl_msg (*msg)__always_unused, void *arg) 1472 { 1473 int *ret = arg; 1474 1475 *ret = 0; 1476 return NL_STOP; 1477 } 1478 1479 static int ovpn_handle_msg(struct nl_msg *msg, void *arg) 1480 { 1481 struct genlmsghdr *gnlh = nlmsg_data(nlmsg_hdr(msg)); 1482 struct nlattr *attrs[OVPN_A_MAX + 1]; 1483 struct nlmsghdr *nlh = nlmsg_hdr(msg); 1484 char ifname[IF_NAMESIZE]; 1485 int *ret = arg; 1486 __u32 ifindex; 1487 1488 fprintf(stderr, "received message from ovpn-dco\n"); 1489 1490 *ret = -1; 1491 1492 if (!genlmsg_valid_hdr(nlh, 0)) { 1493 fprintf(stderr, "invalid header\n"); 1494 return NL_STOP; 1495 } 1496 1497 if (nla_parse(attrs, OVPN_A_MAX, genlmsg_attrdata(gnlh, 0), 1498 genlmsg_attrlen(gnlh, 0), NULL)) { 1499 fprintf(stderr, "received bogus data from ovpn-dco\n"); 1500 return NL_STOP; 1501 } 1502 1503 if (!attrs[OVPN_A_IFINDEX]) { 1504 fprintf(stderr, "no ifindex in this message\n"); 1505 return NL_STOP; 1506 } 1507 1508 ifindex = nla_get_u32(attrs[OVPN_A_IFINDEX]); 1509 if (!if_indextoname(ifindex, ifname)) { 1510 fprintf(stderr, "cannot resolve ifname for ifindex: %u\n", 1511 ifindex); 1512 return NL_STOP; 1513 } 1514 1515 switch (gnlh->cmd) { 1516 case OVPN_CMD_PEER_DEL_NTF: 1517 fprintf(stdout, "received CMD_PEER_DEL_NTF\n"); 1518 break; 1519 case OVPN_CMD_KEY_SWAP_NTF: 1520 fprintf(stdout, "received CMD_KEY_SWAP_NTF\n"); 1521 break; 1522 default: 1523 fprintf(stderr, "received unknown command: %d\n", gnlh->cmd); 1524 return NL_STOP; 1525 } 1526 1527 *ret = 0; 1528 return NL_OK; 1529 } 1530 1531 static int ovpn_get_mcast_id(struct nl_sock *sock, const char *family, 1532 const char *group) 1533 { 1534 struct nl_msg *msg; 1535 struct nl_cb *cb; 1536 int ret, ctrlid; 1537 struct mcast_handler_args grp = { 1538 .group = group, 1539 .id = -ENOENT, 1540 }; 1541 1542 msg = nlmsg_alloc(); 1543 if (!msg) 1544 return -ENOMEM; 1545 1546 cb = nl_cb_alloc(NL_CB_DEFAULT); 1547 if (!cb) { 1548 ret = -ENOMEM; 1549 goto out_fail_cb; 1550 } 1551 1552 ctrlid = genl_ctrl_resolve(sock, "nlctrl"); 1553 1554 genlmsg_put(msg, 0, 0, ctrlid, 0, 0, CTRL_CMD_GETFAMILY, 0); 1555 1556 ret = -ENOBUFS; 1557 NLA_PUT_STRING(msg, CTRL_ATTR_FAMILY_NAME, family); 1558 1559 ret = nl_send_auto_complete(sock, msg); 1560 if (ret < 0) 1561 goto nla_put_failure; 1562 1563 ret = 1; 1564 1565 nl_cb_err(cb, NL_CB_CUSTOM, mcast_error_handler, &ret); 1566 nl_cb_set(cb, NL_CB_ACK, NL_CB_CUSTOM, mcast_ack_handler, &ret); 1567 nl_cb_set(cb, NL_CB_VALID, NL_CB_CUSTOM, mcast_family_handler, &grp); 1568 1569 while (ret > 0) 1570 nl_recvmsgs(sock, cb); 1571 1572 if (ret == 0) 1573 ret = grp.id; 1574 nla_put_failure: 1575 nl_cb_put(cb); 1576 out_fail_cb: 1577 nlmsg_free(msg); 1578 return ret; 1579 } 1580 1581 static int ovpn_listen_mcast(void) 1582 { 1583 struct nl_sock *sock; 1584 struct nl_cb *cb; 1585 int mcid, ret; 1586 1587 sock = nl_socket_alloc(); 1588 if (!sock) { 1589 fprintf(stderr, "cannot allocate netlink socket\n"); 1590 goto err_free; 1591 } 1592 1593 nl_socket_set_buffer_size(sock, 8192, 8192); 1594 1595 ret = genl_connect(sock); 1596 if (ret < 0) { 1597 fprintf(stderr, "cannot connect to generic netlink: %s\n", 1598 nl_geterror(ret)); 1599 goto err_free; 1600 } 1601 1602 mcid = ovpn_get_mcast_id(sock, OVPN_FAMILY_NAME, OVPN_MCGRP_PEERS); 1603 if (mcid < 0) { 1604 fprintf(stderr, "cannot get mcast group: %s\n", 1605 nl_geterror(mcid)); 1606 goto err_free; 1607 } 1608 1609 ret = nl_socket_add_membership(sock, mcid); 1610 if (ret) { 1611 fprintf(stderr, "failed to join mcast group: %d\n", ret); 1612 goto err_free; 1613 } 1614 1615 ret = 1; 1616 cb = nl_cb_alloc(NL_CB_DEFAULT); 1617 nl_cb_set(cb, NL_CB_SEQ_CHECK, NL_CB_CUSTOM, nl_seq_check, NULL); 1618 nl_cb_set(cb, NL_CB_VALID, NL_CB_CUSTOM, ovpn_handle_msg, &ret); 1619 nl_cb_err(cb, NL_CB_CUSTOM, ovpn_nl_cb_error, &ret); 1620 1621 while (ret == 1) { 1622 int err = nl_recvmsgs(sock, cb); 1623 1624 if (err < 0) { 1625 fprintf(stderr, 1626 "cannot receive netlink message: (%d) %s\n", 1627 err, nl_geterror(-err)); 1628 ret = -1; 1629 break; 1630 } 1631 } 1632 1633 nl_cb_put(cb); 1634 err_free: 1635 nl_socket_free(sock); 1636 return ret; 1637 } 1638 1639 static void usage(const char *cmd) 1640 { 1641 fprintf(stderr, 1642 "Usage %s <command> <iface> [arguments..]\n", 1643 cmd); 1644 fprintf(stderr, "where <command> can be one of the following\n\n"); 1645 1646 fprintf(stderr, "* new_iface <iface> [mode]: create new ovpn interface\n"); 1647 fprintf(stderr, "\tiface: ovpn interface name\n"); 1648 fprintf(stderr, "\tmode:\n"); 1649 fprintf(stderr, "\t\t- P2P for peer-to-peer mode (i.e. client)\n"); 1650 fprintf(stderr, "\t\t- MP for multi-peer mode (i.e. server)\n"); 1651 1652 fprintf(stderr, "* del_iface <iface>: delete ovpn interface\n"); 1653 fprintf(stderr, "\tiface: ovpn interface name\n"); 1654 1655 fprintf(stderr, 1656 "* listen <iface> <lport> <peers_file> [ipv6]: listen for incoming peer TCP connections\n"); 1657 fprintf(stderr, "\tiface: ovpn interface name\n"); 1658 fprintf(stderr, "\tlport: TCP port to listen to\n"); 1659 fprintf(stderr, 1660 "\tpeers_file: file containing one peer per line: Line format:\n"); 1661 fprintf(stderr, "\t\t<peer_id> <vpnaddr>\n"); 1662 fprintf(stderr, 1663 "\tipv6: whether the socket should listen to the IPv6 wildcard address\n"); 1664 1665 fprintf(stderr, 1666 "* connect <iface> <peer_id> <raddr> <rport> [key_file]: start connecting peer of TCP-based VPN session\n"); 1667 fprintf(stderr, "\tiface: ovpn interface name\n"); 1668 fprintf(stderr, "\tpeer_id: peer ID of the connecting peer\n"); 1669 fprintf(stderr, "\traddr: peer IP address to connect to\n"); 1670 fprintf(stderr, "\trport: peer TCP port to connect to\n"); 1671 fprintf(stderr, 1672 "\tkey_file: file containing the symmetric key for encryption\n"); 1673 1674 fprintf(stderr, 1675 "* new_peer <iface> <peer_id> <lport> <raddr> <rport> [vpnaddr]: add new peer\n"); 1676 fprintf(stderr, "\tiface: ovpn interface name\n"); 1677 fprintf(stderr, "\tlport: local UDP port to bind to\n"); 1678 fprintf(stderr, 1679 "\tpeer_id: peer ID to be used in data packets to/from this peer\n"); 1680 fprintf(stderr, "\traddr: peer IP address\n"); 1681 fprintf(stderr, "\trport: peer UDP port\n"); 1682 fprintf(stderr, "\tvpnaddr: peer VPN IP\n"); 1683 1684 fprintf(stderr, 1685 "* new_multi_peer <iface> <lport> <peers_file>: add multiple peers as listed in the file\n"); 1686 fprintf(stderr, "\tiface: ovpn interface name\n"); 1687 fprintf(stderr, "\tlport: local UDP port to bind to\n"); 1688 fprintf(stderr, 1689 "\tpeers_file: text file containing one peer per line. Line format:\n"); 1690 fprintf(stderr, "\t\t<peer_id> <raddr> <rport> <vpnaddr>\n"); 1691 1692 fprintf(stderr, 1693 "* set_peer <iface> <peer_id> <keepalive_interval> <keepalive_timeout>: set peer attributes\n"); 1694 fprintf(stderr, "\tiface: ovpn interface name\n"); 1695 fprintf(stderr, "\tpeer_id: peer ID of the peer to modify\n"); 1696 fprintf(stderr, 1697 "\tkeepalive_interval: interval for sending ping messages\n"); 1698 fprintf(stderr, 1699 "\tkeepalive_timeout: time after which a peer is timed out\n"); 1700 1701 fprintf(stderr, "* del_peer <iface> <peer_id>: delete peer\n"); 1702 fprintf(stderr, "\tiface: ovpn interface name\n"); 1703 fprintf(stderr, "\tpeer_id: peer ID of the peer to delete\n"); 1704 1705 fprintf(stderr, "* get_peer <iface> [peer_id]: retrieve peer(s) status\n"); 1706 fprintf(stderr, "\tiface: ovpn interface name\n"); 1707 fprintf(stderr, 1708 "\tpeer_id: peer ID of the peer to query. All peers are returned if omitted\n"); 1709 1710 fprintf(stderr, 1711 "* new_key <iface> <peer_id> <slot> <key_id> <cipher> <key_dir> <key_file>: set data channel key\n"); 1712 fprintf(stderr, "\tiface: ovpn interface name\n"); 1713 fprintf(stderr, 1714 "\tpeer_id: peer ID of the peer to configure the key for\n"); 1715 fprintf(stderr, "\tslot: either 1 (primary) or 2 (secondary)\n"); 1716 fprintf(stderr, "\tkey_id: an ID from 0 to 7\n"); 1717 fprintf(stderr, 1718 "\tcipher: cipher to use, supported: aes (AES-GCM), chachapoly (CHACHA20POLY1305)\n"); 1719 fprintf(stderr, 1720 "\tkey_dir: key direction, must 0 on one host and 1 on the other\n"); 1721 fprintf(stderr, "\tkey_file: file containing the pre-shared key\n"); 1722 1723 fprintf(stderr, 1724 "* del_key <iface> <peer_id> [slot]: erase existing data channel key\n"); 1725 fprintf(stderr, "\tiface: ovpn interface name\n"); 1726 fprintf(stderr, "\tpeer_id: peer ID of the peer to modify\n"); 1727 fprintf(stderr, "\tslot: slot to erase. PRIMARY if omitted\n"); 1728 1729 fprintf(stderr, 1730 "* get_key <iface> <peer_id> <slot>: retrieve non sensible key data\n"); 1731 fprintf(stderr, "\tiface: ovpn interface name\n"); 1732 fprintf(stderr, "\tpeer_id: peer ID of the peer to query\n"); 1733 fprintf(stderr, "\tslot: either 1 (primary) or 2 (secondary)\n"); 1734 1735 fprintf(stderr, 1736 "* swap_keys <iface> <peer_id>: swap content of primary and secondary key slots\n"); 1737 fprintf(stderr, "\tiface: ovpn interface name\n"); 1738 fprintf(stderr, "\tpeer_id: peer ID of the peer to modify\n"); 1739 1740 fprintf(stderr, 1741 "* listen_mcast: listen to ovpn netlink multicast messages\n"); 1742 } 1743 1744 static int ovpn_parse_remote(struct ovpn_ctx *ovpn, const char *host, 1745 const char *service, const char *vpnip) 1746 { 1747 int ret; 1748 struct addrinfo *result; 1749 struct addrinfo hints = { 1750 .ai_family = ovpn->sa_family, 1751 .ai_socktype = SOCK_DGRAM, 1752 .ai_protocol = IPPROTO_UDP 1753 }; 1754 1755 if (host) { 1756 ret = getaddrinfo(host, service, &hints, &result); 1757 if (ret) { 1758 fprintf(stderr, "getaddrinfo on remote error: %s\n", 1759 gai_strerror(ret)); 1760 return -1; 1761 } 1762 1763 if (!(result->ai_family == AF_INET && 1764 result->ai_addrlen == sizeof(struct sockaddr_in)) && 1765 !(result->ai_family == AF_INET6 && 1766 result->ai_addrlen == sizeof(struct sockaddr_in6))) { 1767 ret = -EINVAL; 1768 goto out; 1769 } 1770 1771 memcpy(&ovpn->remote, result->ai_addr, result->ai_addrlen); 1772 } 1773 1774 if (vpnip) { 1775 ret = getaddrinfo(vpnip, NULL, &hints, &result); 1776 if (ret) { 1777 fprintf(stderr, "getaddrinfo on vpnip error: %s\n", 1778 gai_strerror(ret)); 1779 return -1; 1780 } 1781 1782 if (!(result->ai_family == AF_INET && 1783 result->ai_addrlen == sizeof(struct sockaddr_in)) && 1784 !(result->ai_family == AF_INET6 && 1785 result->ai_addrlen == sizeof(struct sockaddr_in6))) { 1786 ret = -EINVAL; 1787 goto out; 1788 } 1789 1790 memcpy(&ovpn->peer_ip, result->ai_addr, result->ai_addrlen); 1791 ovpn->sa_family = result->ai_family; 1792 1793 ovpn->peer_ip_set = true; 1794 } 1795 1796 ret = 0; 1797 out: 1798 freeaddrinfo(result); 1799 return ret; 1800 } 1801 1802 static int ovpn_parse_new_peer(struct ovpn_ctx *ovpn, const char *peer_id, 1803 const char *raddr, const char *rport, 1804 const char *vpnip) 1805 { 1806 ovpn->peer_id = strtoul(peer_id, NULL, 10); 1807 if (errno == ERANGE || ovpn->peer_id > PEER_ID_UNDEF) { 1808 fprintf(stderr, "peer ID value out of range\n"); 1809 return -1; 1810 } 1811 1812 return ovpn_parse_remote(ovpn, raddr, rport, vpnip); 1813 } 1814 1815 static int ovpn_parse_key_slot(const char *arg, struct ovpn_ctx *ovpn) 1816 { 1817 int slot = strtoul(arg, NULL, 10); 1818 1819 if (errno == ERANGE || slot < 1 || slot > 2) { 1820 fprintf(stderr, "key slot out of range\n"); 1821 return -1; 1822 } 1823 1824 switch (slot) { 1825 case 1: 1826 ovpn->key_slot = OVPN_KEY_SLOT_PRIMARY; 1827 break; 1828 case 2: 1829 ovpn->key_slot = OVPN_KEY_SLOT_SECONDARY; 1830 break; 1831 } 1832 1833 return 0; 1834 } 1835 1836 static int ovpn_send_tcp_data(int socket) 1837 { 1838 uint16_t len = htons(1000); 1839 uint8_t buf[1002]; 1840 int ret; 1841 1842 memcpy(buf, &len, sizeof(len)); 1843 memset(buf + sizeof(len), 0x86, sizeof(buf) - sizeof(len)); 1844 1845 ret = send(socket, buf, sizeof(buf), MSG_NOSIGNAL); 1846 1847 fprintf(stdout, "Sent %u bytes over TCP socket\n", ret); 1848 1849 return ret > 0 ? 0 : ret; 1850 } 1851 1852 static int ovpn_recv_tcp_data(int socket) 1853 { 1854 uint8_t buf[1002]; 1855 uint16_t len; 1856 int ret; 1857 1858 ret = recv(socket, buf, sizeof(buf), MSG_NOSIGNAL); 1859 1860 if (ret < 2) { 1861 fprintf(stderr, ">>>> Error while reading TCP data: %d\n", ret); 1862 return ret; 1863 } 1864 1865 memcpy(&len, buf, sizeof(len)); 1866 len = ntohs(len); 1867 1868 fprintf(stdout, ">>>> Received %u bytes over TCP socket, header: %u\n", 1869 ret, len); 1870 1871 return 0; 1872 } 1873 1874 static enum ovpn_cmd ovpn_parse_cmd(const char *cmd) 1875 { 1876 if (!strcmp(cmd, "new_iface")) 1877 return CMD_NEW_IFACE; 1878 1879 if (!strcmp(cmd, "del_iface")) 1880 return CMD_DEL_IFACE; 1881 1882 if (!strcmp(cmd, "listen")) 1883 return CMD_LISTEN; 1884 1885 if (!strcmp(cmd, "connect")) 1886 return CMD_CONNECT; 1887 1888 if (!strcmp(cmd, "new_peer")) 1889 return CMD_NEW_PEER; 1890 1891 if (!strcmp(cmd, "new_multi_peer")) 1892 return CMD_NEW_MULTI_PEER; 1893 1894 if (!strcmp(cmd, "set_peer")) 1895 return CMD_SET_PEER; 1896 1897 if (!strcmp(cmd, "del_peer")) 1898 return CMD_DEL_PEER; 1899 1900 if (!strcmp(cmd, "get_peer")) 1901 return CMD_GET_PEER; 1902 1903 if (!strcmp(cmd, "new_key")) 1904 return CMD_NEW_KEY; 1905 1906 if (!strcmp(cmd, "del_key")) 1907 return CMD_DEL_KEY; 1908 1909 if (!strcmp(cmd, "get_key")) 1910 return CMD_GET_KEY; 1911 1912 if (!strcmp(cmd, "swap_keys")) 1913 return CMD_SWAP_KEYS; 1914 1915 if (!strcmp(cmd, "listen_mcast")) 1916 return CMD_LISTEN_MCAST; 1917 1918 return CMD_INVALID; 1919 } 1920 1921 /* Send process to background and waits for signal. 1922 * 1923 * This helper is called at the end of commands 1924 * creating sockets, so that the latter stay alive 1925 * along with the process that created them. 1926 * 1927 * A signal is expected to be delivered in order to 1928 * terminate the waiting processes 1929 */ 1930 static void ovpn_waitbg(void) 1931 { 1932 daemon(1, 1); 1933 pause(); 1934 } 1935 1936 static int ovpn_run_cmd(struct ovpn_ctx *ovpn) 1937 { 1938 char peer_id[10], vpnip[INET6_ADDRSTRLEN], laddr[128], lport[10]; 1939 char raddr[128], rport[10]; 1940 int n, ret; 1941 FILE *fp; 1942 1943 switch (ovpn->cmd) { 1944 case CMD_NEW_IFACE: 1945 ret = ovpn_new_iface(ovpn); 1946 break; 1947 case CMD_DEL_IFACE: 1948 ret = ovpn_del_iface(ovpn); 1949 break; 1950 case CMD_LISTEN: 1951 ret = ovpn_listen(ovpn, ovpn->sa_family); 1952 if (ret < 0) { 1953 fprintf(stderr, "cannot listen on TCP socket\n"); 1954 return ret; 1955 } 1956 1957 fp = fopen(ovpn->peers_file, "r"); 1958 if (!fp) { 1959 fprintf(stderr, "cannot open file: %s\n", 1960 ovpn->peers_file); 1961 return -1; 1962 } 1963 1964 int num_peers = 0; 1965 1966 while ((n = fscanf(fp, "%s %s\n", peer_id, vpnip)) == 2) { 1967 struct ovpn_ctx peer_ctx = { 0 }; 1968 1969 if (num_peers == MAX_PEERS) { 1970 fprintf(stderr, "max peers reached!\n"); 1971 return -E2BIG; 1972 } 1973 1974 peer_ctx.ifindex = ovpn->ifindex; 1975 peer_ctx.sa_family = ovpn->sa_family; 1976 1977 peer_ctx.socket = ovpn_accept(ovpn); 1978 if (peer_ctx.socket < 0) { 1979 fprintf(stderr, "cannot accept connection!\n"); 1980 return -1; 1981 } 1982 1983 /* store peer sockets to test TCP I/O */ 1984 ovpn->cli_sockets[num_peers] = peer_ctx.socket; 1985 1986 ret = ovpn_parse_new_peer(&peer_ctx, peer_id, NULL, 1987 NULL, vpnip); 1988 if (ret < 0) { 1989 fprintf(stderr, "error while parsing line\n"); 1990 return -1; 1991 } 1992 1993 ret = ovpn_new_peer(&peer_ctx, true); 1994 if (ret < 0) { 1995 fprintf(stderr, 1996 "cannot add peer to VPN: %s %s\n", 1997 peer_id, vpnip); 1998 return ret; 1999 } 2000 num_peers++; 2001 } 2002 2003 for (int i = 0; i < num_peers; i++) { 2004 ret = ovpn_recv_tcp_data(ovpn->cli_sockets[i]); 2005 if (ret < 0) 2006 break; 2007 } 2008 ovpn_waitbg(); 2009 break; 2010 case CMD_CONNECT: 2011 ret = ovpn_connect(ovpn); 2012 if (ret < 0) { 2013 fprintf(stderr, "cannot connect TCP socket\n"); 2014 return ret; 2015 } 2016 2017 ret = ovpn_new_peer(ovpn, true); 2018 if (ret < 0) { 2019 fprintf(stderr, "cannot add peer to VPN\n"); 2020 close(ovpn->socket); 2021 return ret; 2022 } 2023 2024 if (ovpn->cipher != OVPN_CIPHER_ALG_NONE) { 2025 ret = ovpn_new_key(ovpn); 2026 if (ret < 0) { 2027 fprintf(stderr, "cannot set key\n"); 2028 return ret; 2029 } 2030 } 2031 2032 ret = ovpn_send_tcp_data(ovpn->socket); 2033 ovpn_waitbg(); 2034 break; 2035 case CMD_NEW_PEER: 2036 ret = ovpn_udp_socket(ovpn, AF_INET6); 2037 if (ret < 0) 2038 return ret; 2039 2040 ret = ovpn_new_peer(ovpn, false); 2041 ovpn_waitbg(); 2042 break; 2043 case CMD_NEW_MULTI_PEER: 2044 ret = ovpn_udp_socket(ovpn, AF_INET6); 2045 if (ret < 0) 2046 return ret; 2047 2048 fp = fopen(ovpn->peers_file, "r"); 2049 if (!fp) { 2050 fprintf(stderr, "cannot open file: %s\n", 2051 ovpn->peers_file); 2052 return -1; 2053 } 2054 2055 while ((n = fscanf(fp, "%s %s %s %s %s %s\n", peer_id, laddr, 2056 lport, raddr, rport, vpnip)) == 6) { 2057 struct ovpn_ctx peer_ctx = { 0 }; 2058 2059 peer_ctx.ifindex = ovpn->ifindex; 2060 peer_ctx.socket = ovpn->socket; 2061 peer_ctx.sa_family = AF_UNSPEC; 2062 2063 ret = ovpn_parse_new_peer(&peer_ctx, peer_id, raddr, 2064 rport, vpnip); 2065 if (ret < 0) { 2066 fprintf(stderr, "error while parsing line\n"); 2067 return -1; 2068 } 2069 2070 ret = ovpn_new_peer(&peer_ctx, false); 2071 if (ret < 0) { 2072 fprintf(stderr, 2073 "cannot add peer to VPN: %s %s %s %s\n", 2074 peer_id, raddr, rport, vpnip); 2075 return ret; 2076 } 2077 } 2078 ovpn_waitbg(); 2079 break; 2080 case CMD_SET_PEER: 2081 ret = ovpn_set_peer(ovpn); 2082 break; 2083 case CMD_DEL_PEER: 2084 ret = ovpn_del_peer(ovpn); 2085 break; 2086 case CMD_GET_PEER: 2087 if (ovpn->peer_id == PEER_ID_UNDEF) 2088 fprintf(stderr, "List of peers connected to: %s\n", 2089 ovpn->ifname); 2090 2091 ret = ovpn_get_peer(ovpn); 2092 break; 2093 case CMD_NEW_KEY: 2094 ret = ovpn_new_key(ovpn); 2095 break; 2096 case CMD_DEL_KEY: 2097 ret = ovpn_del_key(ovpn); 2098 break; 2099 case CMD_GET_KEY: 2100 ret = ovpn_get_key(ovpn); 2101 break; 2102 case CMD_SWAP_KEYS: 2103 ret = ovpn_swap_keys(ovpn); 2104 break; 2105 case CMD_LISTEN_MCAST: 2106 ret = ovpn_listen_mcast(); 2107 break; 2108 case CMD_INVALID: 2109 break; 2110 } 2111 2112 return ret; 2113 } 2114 2115 static int ovpn_parse_cmd_args(struct ovpn_ctx *ovpn, int argc, char *argv[]) 2116 { 2117 int ret; 2118 2119 /* no args required for LISTEN_MCAST */ 2120 if (ovpn->cmd == CMD_LISTEN_MCAST) 2121 return 0; 2122 2123 /* all commands need an ifname */ 2124 if (argc < 3) 2125 return -EINVAL; 2126 2127 strscpy(ovpn->ifname, argv[2], IFNAMSIZ - 1); 2128 ovpn->ifname[IFNAMSIZ - 1] = '\0'; 2129 2130 /* all commands, except NEW_IFNAME, needs an ifindex */ 2131 if (ovpn->cmd != CMD_NEW_IFACE) { 2132 ovpn->ifindex = if_nametoindex(ovpn->ifname); 2133 if (!ovpn->ifindex) { 2134 fprintf(stderr, "cannot find interface: %s\n", 2135 strerror(errno)); 2136 return -1; 2137 } 2138 } 2139 2140 switch (ovpn->cmd) { 2141 case CMD_NEW_IFACE: 2142 if (argc < 4) 2143 break; 2144 2145 if (!strcmp(argv[3], "P2P")) { 2146 ovpn->mode = OVPN_MODE_P2P; 2147 } else if (!strcmp(argv[3], "MP")) { 2148 ovpn->mode = OVPN_MODE_MP; 2149 } else { 2150 fprintf(stderr, "Cannot parse iface mode: %s\n", 2151 argv[3]); 2152 return -1; 2153 } 2154 ovpn->mode_set = true; 2155 break; 2156 case CMD_DEL_IFACE: 2157 break; 2158 case CMD_LISTEN: 2159 if (argc < 5) 2160 return -EINVAL; 2161 2162 ovpn->lport = strtoul(argv[3], NULL, 10); 2163 if (errno == ERANGE || ovpn->lport > 65535) { 2164 fprintf(stderr, "lport value out of range\n"); 2165 return -1; 2166 } 2167 2168 ovpn->peers_file = argv[4]; 2169 2170 ovpn->sa_family = AF_INET; 2171 if (argc > 5 && !strcmp(argv[5], "ipv6")) 2172 ovpn->sa_family = AF_INET6; 2173 break; 2174 case CMD_CONNECT: 2175 if (argc < 6) 2176 return -EINVAL; 2177 2178 ovpn->sa_family = AF_INET; 2179 2180 ret = ovpn_parse_new_peer(ovpn, argv[3], argv[4], argv[5], 2181 NULL); 2182 if (ret < 0) { 2183 fprintf(stderr, "Cannot parse remote peer data\n"); 2184 return -1; 2185 } 2186 2187 if (argc > 6) { 2188 ovpn->key_slot = OVPN_KEY_SLOT_PRIMARY; 2189 ovpn->key_id = 0; 2190 ovpn->cipher = OVPN_CIPHER_ALG_AES_GCM; 2191 ovpn->key_dir = KEY_DIR_OUT; 2192 2193 ret = ovpn_parse_key(argv[6], ovpn); 2194 if (ret) 2195 return -1; 2196 } 2197 break; 2198 case CMD_NEW_PEER: 2199 if (argc < 7) 2200 return -EINVAL; 2201 2202 ovpn->lport = strtoul(argv[4], NULL, 10); 2203 if (errno == ERANGE || ovpn->lport > 65535) { 2204 fprintf(stderr, "lport value out of range\n"); 2205 return -1; 2206 } 2207 2208 const char *vpnip = (argc > 7) ? argv[7] : NULL; 2209 2210 ret = ovpn_parse_new_peer(ovpn, argv[3], argv[5], argv[6], 2211 vpnip); 2212 if (ret < 0) 2213 return -1; 2214 break; 2215 case CMD_NEW_MULTI_PEER: 2216 if (argc < 5) 2217 return -EINVAL; 2218 2219 ovpn->lport = strtoul(argv[3], NULL, 10); 2220 if (errno == ERANGE || ovpn->lport > 65535) { 2221 fprintf(stderr, "lport value out of range\n"); 2222 return -1; 2223 } 2224 2225 ovpn->peers_file = argv[4]; 2226 break; 2227 case CMD_SET_PEER: 2228 if (argc < 6) 2229 return -EINVAL; 2230 2231 ovpn->peer_id = strtoul(argv[3], NULL, 10); 2232 if (errno == ERANGE || ovpn->peer_id > PEER_ID_UNDEF) { 2233 fprintf(stderr, "peer ID value out of range\n"); 2234 return -1; 2235 } 2236 2237 ovpn->keepalive_interval = strtoul(argv[4], NULL, 10); 2238 if (errno == ERANGE) { 2239 fprintf(stderr, 2240 "keepalive interval value out of range\n"); 2241 return -1; 2242 } 2243 2244 ovpn->keepalive_timeout = strtoul(argv[5], NULL, 10); 2245 if (errno == ERANGE) { 2246 fprintf(stderr, 2247 "keepalive interval value out of range\n"); 2248 return -1; 2249 } 2250 break; 2251 case CMD_DEL_PEER: 2252 if (argc < 4) 2253 return -EINVAL; 2254 2255 ovpn->peer_id = strtoul(argv[3], NULL, 10); 2256 if (errno == ERANGE || ovpn->peer_id > PEER_ID_UNDEF) { 2257 fprintf(stderr, "peer ID value out of range\n"); 2258 return -1; 2259 } 2260 break; 2261 case CMD_GET_PEER: 2262 ovpn->peer_id = PEER_ID_UNDEF; 2263 if (argc > 3) { 2264 ovpn->peer_id = strtoul(argv[3], NULL, 10); 2265 if (errno == ERANGE || ovpn->peer_id > PEER_ID_UNDEF) { 2266 fprintf(stderr, "peer ID value out of range\n"); 2267 return -1; 2268 } 2269 } 2270 break; 2271 case CMD_NEW_KEY: 2272 if (argc < 9) 2273 return -EINVAL; 2274 2275 ovpn->peer_id = strtoul(argv[3], NULL, 10); 2276 if (errno == ERANGE) { 2277 fprintf(stderr, "peer ID value out of range\n"); 2278 return -1; 2279 } 2280 2281 ret = ovpn_parse_key_slot(argv[4], ovpn); 2282 if (ret) 2283 return -1; 2284 2285 ovpn->key_id = strtoul(argv[5], NULL, 10); 2286 if (errno == ERANGE || ovpn->key_id > 2) { 2287 fprintf(stderr, "key ID out of range\n"); 2288 return -1; 2289 } 2290 2291 ret = ovpn_parse_cipher(argv[6], ovpn); 2292 if (ret < 0) 2293 return -1; 2294 2295 ret = ovpn_parse_key_direction(argv[7], ovpn); 2296 if (ret < 0) 2297 return -1; 2298 2299 ret = ovpn_parse_key(argv[8], ovpn); 2300 if (ret) 2301 return -1; 2302 break; 2303 case CMD_DEL_KEY: 2304 if (argc < 4) 2305 return -EINVAL; 2306 2307 ovpn->peer_id = strtoul(argv[3], NULL, 10); 2308 if (errno == ERANGE) { 2309 fprintf(stderr, "peer ID value out of range\n"); 2310 return -1; 2311 } 2312 2313 ret = ovpn_parse_key_slot(argv[4], ovpn); 2314 if (ret) 2315 return ret; 2316 break; 2317 case CMD_GET_KEY: 2318 if (argc < 5) 2319 return -EINVAL; 2320 2321 ovpn->peer_id = strtoul(argv[3], NULL, 10); 2322 if (errno == ERANGE) { 2323 fprintf(stderr, "peer ID value out of range\n"); 2324 return -1; 2325 } 2326 2327 ret = ovpn_parse_key_slot(argv[4], ovpn); 2328 if (ret) 2329 return ret; 2330 break; 2331 case CMD_SWAP_KEYS: 2332 if (argc < 4) 2333 return -EINVAL; 2334 2335 ovpn->peer_id = strtoul(argv[3], NULL, 10); 2336 if (errno == ERANGE) { 2337 fprintf(stderr, "peer ID value out of range\n"); 2338 return -1; 2339 } 2340 break; 2341 case CMD_LISTEN_MCAST: 2342 break; 2343 case CMD_INVALID: 2344 break; 2345 } 2346 2347 return 0; 2348 } 2349 2350 int main(int argc, char *argv[]) 2351 { 2352 struct ovpn_ctx ovpn; 2353 int ret; 2354 2355 if (argc < 2) { 2356 usage(argv[0]); 2357 return -1; 2358 } 2359 2360 memset(&ovpn, 0, sizeof(ovpn)); 2361 ovpn.sa_family = AF_UNSPEC; 2362 ovpn.cipher = OVPN_CIPHER_ALG_NONE; 2363 2364 ovpn.cmd = ovpn_parse_cmd(argv[1]); 2365 if (ovpn.cmd == CMD_INVALID) { 2366 fprintf(stderr, "Error: unknown command.\n\n"); 2367 usage(argv[0]); 2368 return -1; 2369 } 2370 2371 ret = ovpn_parse_cmd_args(&ovpn, argc, argv); 2372 if (ret < 0) { 2373 fprintf(stderr, "Error: invalid arguments.\n\n"); 2374 if (ret == -EINVAL) 2375 usage(argv[0]); 2376 return ret; 2377 } 2378 2379 ret = ovpn_run_cmd(&ovpn); 2380 if (ret) 2381 fprintf(stderr, "Cannot execute command: %s (%d)\n", 2382 strerror(-ret), ret); 2383 2384 return ret; 2385 } 2386