1 // SPDX-License-Identifier: GPL-2.0 2 /* OpenVPN data channel accelerator 3 * 4 * Copyright (C) 2020-2025 OpenVPN, Inc. 5 * 6 * Author: Antonio Quartulli <antonio@openvpn.net> 7 */ 8 9 #include <stdio.h> 10 #include <inttypes.h> 11 #include <stdbool.h> 12 #include <string.h> 13 #include <errno.h> 14 #include <unistd.h> 15 #include <arpa/inet.h> 16 #include <net/if.h> 17 #include <netinet/in.h> 18 #include <time.h> 19 20 #include <linux/ovpn.h> 21 #include <linux/types.h> 22 #include <linux/netlink.h> 23 24 #include <netlink/socket.h> 25 #include <netlink/netlink.h> 26 #include <netlink/genl/genl.h> 27 #include <netlink/genl/family.h> 28 #include <netlink/genl/ctrl.h> 29 30 #include <mbedtls/base64.h> 31 #include <mbedtls/error.h> 32 33 #include <sys/socket.h> 34 35 #include "kselftest.h" 36 37 /* defines to make checkpatch happy */ 38 #define strscpy strncpy 39 40 /* libnl < 3.5.0 does not set the NLA_F_NESTED on its own, therefore we 41 * have to explicitly do it to prevent the kernel from failing upon 42 * parsing of the message 43 */ 44 #define nla_nest_start(_msg, _type) \ 45 nla_nest_start(_msg, (_type) | NLA_F_NESTED) 46 47 /* libnl < 3.11.0 does not implement nla_get_uint() */ 48 uint64_t ovpn_nla_get_uint(struct nlattr *attr) 49 { 50 if (nla_len(attr) == sizeof(uint32_t)) 51 return nla_get_u32(attr); 52 else 53 return nla_get_u64(attr); 54 } 55 56 typedef int (*ovpn_nl_cb)(struct nl_msg *msg, void *arg); 57 58 enum ovpn_key_direction { 59 KEY_DIR_IN = 0, 60 KEY_DIR_OUT, 61 }; 62 63 #define KEY_LEN (256 / 8) 64 #define NONCE_LEN 8 65 66 #define PEER_ID_UNDEF 0x00FFFFFF 67 #define MAX_PEERS 10 68 69 struct nl_ctx { 70 struct nl_sock *nl_sock; 71 struct nl_msg *nl_msg; 72 struct nl_cb *nl_cb; 73 74 int ovpn_dco_id; 75 }; 76 77 enum ovpn_cmd { 78 CMD_INVALID, 79 CMD_NEW_IFACE, 80 CMD_DEL_IFACE, 81 CMD_LISTEN, 82 CMD_CONNECT, 83 CMD_NEW_PEER, 84 CMD_NEW_MULTI_PEER, 85 CMD_SET_PEER, 86 CMD_DEL_PEER, 87 CMD_GET_PEER, 88 CMD_NEW_KEY, 89 CMD_DEL_KEY, 90 CMD_GET_KEY, 91 CMD_SWAP_KEYS, 92 CMD_LISTEN_MCAST, 93 }; 94 95 struct ovpn_ctx { 96 enum ovpn_cmd cmd; 97 98 __u8 key_enc[KEY_LEN]; 99 __u8 key_dec[KEY_LEN]; 100 __u8 nonce[NONCE_LEN]; 101 102 enum ovpn_cipher_alg cipher; 103 104 sa_family_t sa_family; 105 106 unsigned long peer_id; 107 unsigned long lport; 108 109 union { 110 struct sockaddr_in in4; 111 struct sockaddr_in6 in6; 112 } remote; 113 114 union { 115 struct sockaddr_in in4; 116 struct sockaddr_in6 in6; 117 } peer_ip; 118 119 bool peer_ip_set; 120 121 unsigned int ifindex; 122 char ifname[IFNAMSIZ]; 123 enum ovpn_mode mode; 124 bool mode_set; 125 126 int socket; 127 int cli_sockets[MAX_PEERS]; 128 129 __u32 keepalive_interval; 130 __u32 keepalive_timeout; 131 132 enum ovpn_key_direction key_dir; 133 enum ovpn_key_slot key_slot; 134 int key_id; 135 136 const char *peers_file; 137 }; 138 139 static int ovpn_nl_recvmsgs(struct nl_ctx *ctx) 140 { 141 int ret; 142 143 ret = nl_recvmsgs(ctx->nl_sock, ctx->nl_cb); 144 145 switch (ret) { 146 case -NLE_INTR: 147 fprintf(stderr, 148 "netlink received interrupt due to signal - ignoring\n"); 149 break; 150 case -NLE_NOMEM: 151 fprintf(stderr, "netlink out of memory error\n"); 152 break; 153 case -NLE_AGAIN: 154 fprintf(stderr, 155 "netlink reports blocking read - aborting wait\n"); 156 break; 157 default: 158 if (ret) 159 fprintf(stderr, "netlink reports error (%d): %s\n", 160 ret, nl_geterror(-ret)); 161 break; 162 } 163 164 return ret; 165 } 166 167 static struct nl_ctx *nl_ctx_alloc_flags(struct ovpn_ctx *ovpn, int cmd, 168 int flags) 169 { 170 struct nl_ctx *ctx; 171 int err, ret; 172 173 ctx = calloc(1, sizeof(*ctx)); 174 if (!ctx) 175 return NULL; 176 177 ctx->nl_sock = nl_socket_alloc(); 178 if (!ctx->nl_sock) { 179 fprintf(stderr, "cannot allocate netlink socket\n"); 180 goto err_free; 181 } 182 183 nl_socket_set_buffer_size(ctx->nl_sock, 8192, 8192); 184 185 ret = genl_connect(ctx->nl_sock); 186 if (ret) { 187 fprintf(stderr, "cannot connect to generic netlink: %s\n", 188 nl_geterror(ret)); 189 goto err_sock; 190 } 191 192 /* enable Extended ACK for detailed error reporting */ 193 err = 1; 194 setsockopt(nl_socket_get_fd(ctx->nl_sock), SOL_NETLINK, NETLINK_EXT_ACK, 195 &err, sizeof(err)); 196 197 ctx->ovpn_dco_id = genl_ctrl_resolve(ctx->nl_sock, OVPN_FAMILY_NAME); 198 if (ctx->ovpn_dco_id < 0) { 199 fprintf(stderr, "cannot find ovpn_dco netlink component: %d\n", 200 ctx->ovpn_dco_id); 201 goto err_free; 202 } 203 204 ctx->nl_msg = nlmsg_alloc(); 205 if (!ctx->nl_msg) { 206 fprintf(stderr, "cannot allocate netlink message\n"); 207 goto err_sock; 208 } 209 210 ctx->nl_cb = nl_cb_alloc(NL_CB_DEFAULT); 211 if (!ctx->nl_cb) { 212 fprintf(stderr, "failed to allocate netlink callback\n"); 213 goto err_msg; 214 } 215 216 nl_socket_set_cb(ctx->nl_sock, ctx->nl_cb); 217 218 genlmsg_put(ctx->nl_msg, 0, 0, ctx->ovpn_dco_id, 0, flags, cmd, 0); 219 220 if (ovpn->ifindex > 0) 221 NLA_PUT_U32(ctx->nl_msg, OVPN_A_IFINDEX, ovpn->ifindex); 222 223 return ctx; 224 nla_put_failure: 225 err_msg: 226 nlmsg_free(ctx->nl_msg); 227 err_sock: 228 nl_socket_free(ctx->nl_sock); 229 err_free: 230 free(ctx); 231 return NULL; 232 } 233 234 static struct nl_ctx *nl_ctx_alloc(struct ovpn_ctx *ovpn, int cmd) 235 { 236 return nl_ctx_alloc_flags(ovpn, cmd, 0); 237 } 238 239 static void nl_ctx_free(struct nl_ctx *ctx) 240 { 241 if (!ctx) 242 return; 243 244 nl_socket_free(ctx->nl_sock); 245 nlmsg_free(ctx->nl_msg); 246 nl_cb_put(ctx->nl_cb); 247 free(ctx); 248 } 249 250 static int ovpn_nl_cb_error(struct sockaddr_nl (*nla)__always_unused, 251 struct nlmsgerr *err, void *arg) 252 { 253 struct nlmsghdr *nlh = (struct nlmsghdr *)err - 1; 254 struct nlattr *tb_msg[NLMSGERR_ATTR_MAX + 1]; 255 int len = nlh->nlmsg_len; 256 struct nlattr *attrs; 257 int *ret = arg; 258 int ack_len = sizeof(*nlh) + sizeof(int) + sizeof(*nlh); 259 260 *ret = err->error; 261 262 if (!(nlh->nlmsg_flags & NLM_F_ACK_TLVS)) 263 return NL_STOP; 264 265 if (!(nlh->nlmsg_flags & NLM_F_CAPPED)) 266 ack_len += err->msg.nlmsg_len - sizeof(*nlh); 267 268 if (len <= ack_len) 269 return NL_STOP; 270 271 attrs = (void *)((uint8_t *)nlh + ack_len); 272 len -= ack_len; 273 274 nla_parse(tb_msg, NLMSGERR_ATTR_MAX, attrs, len, NULL); 275 if (tb_msg[NLMSGERR_ATTR_MSG]) { 276 len = strnlen((char *)nla_data(tb_msg[NLMSGERR_ATTR_MSG]), 277 nla_len(tb_msg[NLMSGERR_ATTR_MSG])); 278 fprintf(stderr, "kernel error: %*s\n", len, 279 (char *)nla_data(tb_msg[NLMSGERR_ATTR_MSG])); 280 } 281 282 if (tb_msg[NLMSGERR_ATTR_MISS_NEST]) { 283 fprintf(stderr, "missing required nesting type %u\n", 284 nla_get_u32(tb_msg[NLMSGERR_ATTR_MISS_NEST])); 285 } 286 287 if (tb_msg[NLMSGERR_ATTR_MISS_TYPE]) { 288 fprintf(stderr, "missing required attribute type %u\n", 289 nla_get_u32(tb_msg[NLMSGERR_ATTR_MISS_TYPE])); 290 } 291 292 return NL_STOP; 293 } 294 295 static int ovpn_nl_cb_finish(struct nl_msg (*msg)__always_unused, 296 void *arg) 297 { 298 int *status = arg; 299 300 *status = 0; 301 return NL_SKIP; 302 } 303 304 static int ovpn_nl_cb_ack(struct nl_msg (*msg)__always_unused, 305 void *arg) 306 { 307 int *status = arg; 308 309 *status = 0; 310 return NL_STOP; 311 } 312 313 static int ovpn_nl_msg_send(struct nl_ctx *ctx, ovpn_nl_cb cb) 314 { 315 int status = 1; 316 317 nl_cb_err(ctx->nl_cb, NL_CB_CUSTOM, ovpn_nl_cb_error, &status); 318 nl_cb_set(ctx->nl_cb, NL_CB_FINISH, NL_CB_CUSTOM, ovpn_nl_cb_finish, 319 &status); 320 nl_cb_set(ctx->nl_cb, NL_CB_ACK, NL_CB_CUSTOM, ovpn_nl_cb_ack, &status); 321 322 if (cb) 323 nl_cb_set(ctx->nl_cb, NL_CB_VALID, NL_CB_CUSTOM, cb, ctx); 324 325 nl_send_auto_complete(ctx->nl_sock, ctx->nl_msg); 326 327 while (status == 1) 328 ovpn_nl_recvmsgs(ctx); 329 330 if (status < 0) 331 fprintf(stderr, "failed to send netlink message: %s (%d)\n", 332 strerror(-status), status); 333 334 return status; 335 } 336 337 static int ovpn_parse_key(const char *file, struct ovpn_ctx *ctx) 338 { 339 int idx_enc, idx_dec, ret = -1; 340 unsigned char *ckey = NULL; 341 __u8 *bkey = NULL; 342 size_t olen = 0; 343 long ckey_len; 344 FILE *fp; 345 346 fp = fopen(file, "r"); 347 if (!fp) { 348 fprintf(stderr, "cannot open: %s\n", file); 349 return -1; 350 } 351 352 /* get file size */ 353 fseek(fp, 0L, SEEK_END); 354 ckey_len = ftell(fp); 355 rewind(fp); 356 357 /* if the file is longer, let's just read a portion */ 358 if (ckey_len > 256) 359 ckey_len = 256; 360 361 ckey = malloc(ckey_len); 362 if (!ckey) 363 goto err; 364 365 ret = fread(ckey, 1, ckey_len, fp); 366 if (ret != ckey_len) { 367 fprintf(stderr, 368 "couldn't read enough data from key file: %dbytes read\n", 369 ret); 370 goto err; 371 } 372 373 olen = 0; 374 ret = mbedtls_base64_decode(NULL, 0, &olen, ckey, ckey_len); 375 if (ret != MBEDTLS_ERR_BASE64_BUFFER_TOO_SMALL) { 376 char buf[256]; 377 378 mbedtls_strerror(ret, buf, sizeof(buf)); 379 fprintf(stderr, "unexpected base64 error1: %s (%d)\n", buf, 380 ret); 381 382 goto err; 383 } 384 385 bkey = malloc(olen); 386 if (!bkey) { 387 fprintf(stderr, "cannot allocate binary key buffer\n"); 388 goto err; 389 } 390 391 ret = mbedtls_base64_decode(bkey, olen, &olen, ckey, ckey_len); 392 if (ret) { 393 char buf[256]; 394 395 mbedtls_strerror(ret, buf, sizeof(buf)); 396 fprintf(stderr, "unexpected base64 error2: %s (%d)\n", buf, 397 ret); 398 399 goto err; 400 } 401 402 if (olen < 2 * KEY_LEN + NONCE_LEN) { 403 fprintf(stderr, 404 "not enough data in key file, found %zdB but needs %dB\n", 405 olen, 2 * KEY_LEN + NONCE_LEN); 406 goto err; 407 } 408 409 switch (ctx->key_dir) { 410 case KEY_DIR_IN: 411 idx_enc = 0; 412 idx_dec = 1; 413 break; 414 case KEY_DIR_OUT: 415 idx_enc = 1; 416 idx_dec = 0; 417 break; 418 default: 419 goto err; 420 } 421 422 memcpy(ctx->key_enc, bkey + KEY_LEN * idx_enc, KEY_LEN); 423 memcpy(ctx->key_dec, bkey + KEY_LEN * idx_dec, KEY_LEN); 424 memcpy(ctx->nonce, bkey + 2 * KEY_LEN, NONCE_LEN); 425 426 ret = 0; 427 428 err: 429 fclose(fp); 430 free(bkey); 431 free(ckey); 432 433 return ret; 434 } 435 436 static int ovpn_parse_cipher(const char *cipher, struct ovpn_ctx *ctx) 437 { 438 if (strcmp(cipher, "aes") == 0) 439 ctx->cipher = OVPN_CIPHER_ALG_AES_GCM; 440 else if (strcmp(cipher, "chachapoly") == 0) 441 ctx->cipher = OVPN_CIPHER_ALG_CHACHA20_POLY1305; 442 else if (strcmp(cipher, "none") == 0) 443 ctx->cipher = OVPN_CIPHER_ALG_NONE; 444 else 445 return -ENOTSUP; 446 447 return 0; 448 } 449 450 static int ovpn_parse_key_direction(const char *dir, struct ovpn_ctx *ctx) 451 { 452 int in_dir; 453 454 in_dir = strtoll(dir, NULL, 10); 455 switch (in_dir) { 456 case KEY_DIR_IN: 457 case KEY_DIR_OUT: 458 ctx->key_dir = in_dir; 459 break; 460 default: 461 fprintf(stderr, 462 "invalid key direction provided. Can be 0 or 1 only\n"); 463 return -1; 464 } 465 466 return 0; 467 } 468 469 static int ovpn_socket(struct ovpn_ctx *ctx, sa_family_t family, int proto) 470 { 471 struct sockaddr_storage local_sock = { 0 }; 472 struct sockaddr_in6 *in6; 473 struct sockaddr_in *in; 474 int ret, s, sock_type; 475 size_t sock_len; 476 477 if (proto == IPPROTO_UDP) 478 sock_type = SOCK_DGRAM; 479 else if (proto == IPPROTO_TCP) 480 sock_type = SOCK_STREAM; 481 else 482 return -EINVAL; 483 484 s = socket(family, sock_type, 0); 485 if (s < 0) { 486 perror("cannot create socket"); 487 return -1; 488 } 489 490 switch (family) { 491 case AF_INET: 492 in = (struct sockaddr_in *)&local_sock; 493 in->sin_family = family; 494 in->sin_port = htons(ctx->lport); 495 in->sin_addr.s_addr = htonl(INADDR_ANY); 496 sock_len = sizeof(*in); 497 break; 498 case AF_INET6: 499 in6 = (struct sockaddr_in6 *)&local_sock; 500 in6->sin6_family = family; 501 in6->sin6_port = htons(ctx->lport); 502 in6->sin6_addr = in6addr_any; 503 sock_len = sizeof(*in6); 504 break; 505 default: 506 return -1; 507 } 508 509 int opt = 1; 510 511 ret = setsockopt(s, SOL_SOCKET, SO_REUSEADDR, &opt, sizeof(opt)); 512 513 if (ret < 0) { 514 perror("setsockopt for SO_REUSEADDR"); 515 return ret; 516 } 517 518 ret = setsockopt(s, SOL_SOCKET, SO_REUSEPORT, &opt, sizeof(opt)); 519 if (ret < 0) { 520 perror("setsockopt for SO_REUSEPORT"); 521 return ret; 522 } 523 524 if (family == AF_INET6) { 525 opt = 0; 526 if (setsockopt(s, IPPROTO_IPV6, IPV6_V6ONLY, &opt, 527 sizeof(opt))) { 528 perror("failed to set IPV6_V6ONLY"); 529 return -1; 530 } 531 } 532 533 ret = bind(s, (struct sockaddr *)&local_sock, sock_len); 534 if (ret < 0) { 535 perror("cannot bind socket"); 536 goto err_socket; 537 } 538 539 ctx->socket = s; 540 ctx->sa_family = family; 541 return 0; 542 543 err_socket: 544 close(s); 545 return -1; 546 } 547 548 static int ovpn_udp_socket(struct ovpn_ctx *ctx, sa_family_t family) 549 { 550 return ovpn_socket(ctx, family, IPPROTO_UDP); 551 } 552 553 static int ovpn_listen(struct ovpn_ctx *ctx, sa_family_t family) 554 { 555 int ret; 556 557 ret = ovpn_socket(ctx, family, IPPROTO_TCP); 558 if (ret < 0) 559 return ret; 560 561 ret = listen(ctx->socket, 10); 562 if (ret < 0) { 563 perror("listen"); 564 close(ctx->socket); 565 return -1; 566 } 567 568 return 0; 569 } 570 571 static int ovpn_accept(struct ovpn_ctx *ctx) 572 { 573 socklen_t socklen; 574 int ret; 575 576 socklen = sizeof(ctx->remote); 577 ret = accept(ctx->socket, (struct sockaddr *)&ctx->remote, &socklen); 578 if (ret < 0) { 579 perror("accept"); 580 goto err; 581 } 582 583 fprintf(stderr, "Connection received!\n"); 584 585 switch (socklen) { 586 case sizeof(struct sockaddr_in): 587 case sizeof(struct sockaddr_in6): 588 break; 589 default: 590 fprintf(stderr, "error: expecting IPv4 or IPv6 connection\n"); 591 close(ret); 592 ret = -EINVAL; 593 goto err; 594 } 595 596 return ret; 597 err: 598 close(ctx->socket); 599 return ret; 600 } 601 602 static int ovpn_connect(struct ovpn_ctx *ovpn) 603 { 604 socklen_t socklen; 605 int s, ret; 606 607 s = socket(ovpn->remote.in4.sin_family, SOCK_STREAM, 0); 608 if (s < 0) { 609 perror("cannot create socket"); 610 return -1; 611 } 612 613 switch (ovpn->remote.in4.sin_family) { 614 case AF_INET: 615 socklen = sizeof(struct sockaddr_in); 616 break; 617 case AF_INET6: 618 socklen = sizeof(struct sockaddr_in6); 619 break; 620 default: 621 return -EOPNOTSUPP; 622 } 623 624 ret = connect(s, (struct sockaddr *)&ovpn->remote, socklen); 625 if (ret < 0) { 626 perror("connect"); 627 goto err; 628 } 629 630 fprintf(stderr, "connected\n"); 631 632 ovpn->socket = s; 633 634 return 0; 635 err: 636 close(s); 637 return ret; 638 } 639 640 static int ovpn_new_peer(struct ovpn_ctx *ovpn, bool is_tcp) 641 { 642 struct nlattr *attr; 643 struct nl_ctx *ctx; 644 int ret = -1; 645 646 ctx = nl_ctx_alloc(ovpn, OVPN_CMD_PEER_NEW); 647 if (!ctx) 648 return -ENOMEM; 649 650 attr = nla_nest_start(ctx->nl_msg, OVPN_A_PEER); 651 NLA_PUT_U32(ctx->nl_msg, OVPN_A_PEER_ID, ovpn->peer_id); 652 NLA_PUT_U32(ctx->nl_msg, OVPN_A_PEER_SOCKET, ovpn->socket); 653 654 if (!is_tcp) { 655 switch (ovpn->remote.in4.sin_family) { 656 case AF_INET: 657 NLA_PUT_U32(ctx->nl_msg, OVPN_A_PEER_REMOTE_IPV4, 658 ovpn->remote.in4.sin_addr.s_addr); 659 NLA_PUT_U16(ctx->nl_msg, OVPN_A_PEER_REMOTE_PORT, 660 ovpn->remote.in4.sin_port); 661 break; 662 case AF_INET6: 663 NLA_PUT(ctx->nl_msg, OVPN_A_PEER_REMOTE_IPV6, 664 sizeof(ovpn->remote.in6.sin6_addr), 665 &ovpn->remote.in6.sin6_addr); 666 NLA_PUT_U32(ctx->nl_msg, 667 OVPN_A_PEER_REMOTE_IPV6_SCOPE_ID, 668 ovpn->remote.in6.sin6_scope_id); 669 NLA_PUT_U16(ctx->nl_msg, OVPN_A_PEER_REMOTE_PORT, 670 ovpn->remote.in6.sin6_port); 671 break; 672 default: 673 fprintf(stderr, 674 "Invalid family for remote socket address\n"); 675 goto nla_put_failure; 676 } 677 } 678 679 if (ovpn->peer_ip_set) { 680 switch (ovpn->peer_ip.in4.sin_family) { 681 case AF_INET: 682 NLA_PUT_U32(ctx->nl_msg, OVPN_A_PEER_VPN_IPV4, 683 ovpn->peer_ip.in4.sin_addr.s_addr); 684 break; 685 case AF_INET6: 686 NLA_PUT(ctx->nl_msg, OVPN_A_PEER_VPN_IPV6, 687 sizeof(struct in6_addr), 688 &ovpn->peer_ip.in6.sin6_addr); 689 break; 690 default: 691 fprintf(stderr, "Invalid family for peer address\n"); 692 goto nla_put_failure; 693 } 694 } 695 696 nla_nest_end(ctx->nl_msg, attr); 697 698 ret = ovpn_nl_msg_send(ctx, NULL); 699 nla_put_failure: 700 nl_ctx_free(ctx); 701 return ret; 702 } 703 704 static int ovpn_set_peer(struct ovpn_ctx *ovpn) 705 { 706 struct nlattr *attr; 707 struct nl_ctx *ctx; 708 int ret = -1; 709 710 ctx = nl_ctx_alloc(ovpn, OVPN_CMD_PEER_SET); 711 if (!ctx) 712 return -ENOMEM; 713 714 attr = nla_nest_start(ctx->nl_msg, OVPN_A_PEER); 715 NLA_PUT_U32(ctx->nl_msg, OVPN_A_PEER_ID, ovpn->peer_id); 716 NLA_PUT_U32(ctx->nl_msg, OVPN_A_PEER_KEEPALIVE_INTERVAL, 717 ovpn->keepalive_interval); 718 NLA_PUT_U32(ctx->nl_msg, OVPN_A_PEER_KEEPALIVE_TIMEOUT, 719 ovpn->keepalive_timeout); 720 nla_nest_end(ctx->nl_msg, attr); 721 722 ret = ovpn_nl_msg_send(ctx, NULL); 723 nla_put_failure: 724 nl_ctx_free(ctx); 725 return ret; 726 } 727 728 static int ovpn_del_peer(struct ovpn_ctx *ovpn) 729 { 730 struct nlattr *attr; 731 struct nl_ctx *ctx; 732 int ret = -1; 733 734 ctx = nl_ctx_alloc(ovpn, OVPN_CMD_PEER_DEL); 735 if (!ctx) 736 return -ENOMEM; 737 738 attr = nla_nest_start(ctx->nl_msg, OVPN_A_PEER); 739 NLA_PUT_U32(ctx->nl_msg, OVPN_A_PEER_ID, ovpn->peer_id); 740 nla_nest_end(ctx->nl_msg, attr); 741 742 ret = ovpn_nl_msg_send(ctx, NULL); 743 nla_put_failure: 744 nl_ctx_free(ctx); 745 return ret; 746 } 747 748 static int ovpn_handle_peer(struct nl_msg *msg, void (*arg)__always_unused) 749 { 750 struct nlattr *pattrs[OVPN_A_PEER_MAX + 1]; 751 struct genlmsghdr *gnlh = nlmsg_data(nlmsg_hdr(msg)); 752 struct nlattr *attrs[OVPN_A_MAX + 1]; 753 __u16 rport = 0, lport = 0; 754 755 nla_parse(attrs, OVPN_A_MAX, genlmsg_attrdata(gnlh, 0), 756 genlmsg_attrlen(gnlh, 0), NULL); 757 758 if (!attrs[OVPN_A_PEER]) { 759 fprintf(stderr, "no packet content in netlink message\n"); 760 return NL_SKIP; 761 } 762 763 nla_parse(pattrs, OVPN_A_PEER_MAX, nla_data(attrs[OVPN_A_PEER]), 764 nla_len(attrs[OVPN_A_PEER]), NULL); 765 766 if (pattrs[OVPN_A_PEER_ID]) 767 fprintf(stderr, "* Peer %u\n", 768 nla_get_u32(pattrs[OVPN_A_PEER_ID])); 769 770 if (pattrs[OVPN_A_PEER_SOCKET_NETNSID]) 771 fprintf(stderr, "\tsocket NetNS ID: %d\n", 772 nla_get_s32(pattrs[OVPN_A_PEER_SOCKET_NETNSID])); 773 774 if (pattrs[OVPN_A_PEER_VPN_IPV4]) { 775 char buf[INET_ADDRSTRLEN]; 776 777 inet_ntop(AF_INET, nla_data(pattrs[OVPN_A_PEER_VPN_IPV4]), 778 buf, sizeof(buf)); 779 fprintf(stderr, "\tVPN IPv4: %s\n", buf); 780 } 781 782 if (pattrs[OVPN_A_PEER_VPN_IPV6]) { 783 char buf[INET6_ADDRSTRLEN]; 784 785 inet_ntop(AF_INET6, nla_data(pattrs[OVPN_A_PEER_VPN_IPV6]), 786 buf, sizeof(buf)); 787 fprintf(stderr, "\tVPN IPv6: %s\n", buf); 788 } 789 790 if (pattrs[OVPN_A_PEER_LOCAL_PORT]) 791 lport = ntohs(nla_get_u16(pattrs[OVPN_A_PEER_LOCAL_PORT])); 792 793 if (pattrs[OVPN_A_PEER_REMOTE_PORT]) 794 rport = ntohs(nla_get_u16(pattrs[OVPN_A_PEER_REMOTE_PORT])); 795 796 if (pattrs[OVPN_A_PEER_REMOTE_IPV6]) { 797 void *ip = pattrs[OVPN_A_PEER_REMOTE_IPV6]; 798 char buf[INET6_ADDRSTRLEN]; 799 int scope_id = -1; 800 801 if (pattrs[OVPN_A_PEER_REMOTE_IPV6_SCOPE_ID]) { 802 void *p = pattrs[OVPN_A_PEER_REMOTE_IPV6_SCOPE_ID]; 803 804 scope_id = nla_get_u32(p); 805 } 806 807 inet_ntop(AF_INET6, nla_data(ip), buf, sizeof(buf)); 808 fprintf(stderr, "\tRemote: %s:%hu (scope-id: %u)\n", buf, rport, 809 scope_id); 810 811 if (pattrs[OVPN_A_PEER_LOCAL_IPV6]) { 812 void *ip = pattrs[OVPN_A_PEER_LOCAL_IPV6]; 813 814 inet_ntop(AF_INET6, nla_data(ip), buf, sizeof(buf)); 815 fprintf(stderr, "\tLocal: %s:%hu\n", buf, lport); 816 } 817 } 818 819 if (pattrs[OVPN_A_PEER_REMOTE_IPV4]) { 820 void *ip = pattrs[OVPN_A_PEER_REMOTE_IPV4]; 821 char buf[INET_ADDRSTRLEN]; 822 823 inet_ntop(AF_INET, nla_data(ip), buf, sizeof(buf)); 824 fprintf(stderr, "\tRemote: %s:%hu\n", buf, rport); 825 826 if (pattrs[OVPN_A_PEER_LOCAL_IPV4]) { 827 void *p = pattrs[OVPN_A_PEER_LOCAL_IPV4]; 828 829 inet_ntop(AF_INET, nla_data(p), buf, sizeof(buf)); 830 fprintf(stderr, "\tLocal: %s:%hu\n", buf, lport); 831 } 832 } 833 834 if (pattrs[OVPN_A_PEER_KEEPALIVE_INTERVAL]) { 835 void *p = pattrs[OVPN_A_PEER_KEEPALIVE_INTERVAL]; 836 837 fprintf(stderr, "\tKeepalive interval: %u sec\n", 838 nla_get_u32(p)); 839 } 840 841 if (pattrs[OVPN_A_PEER_KEEPALIVE_TIMEOUT]) 842 fprintf(stderr, "\tKeepalive timeout: %u sec\n", 843 nla_get_u32(pattrs[OVPN_A_PEER_KEEPALIVE_TIMEOUT])); 844 845 if (pattrs[OVPN_A_PEER_VPN_RX_BYTES]) 846 fprintf(stderr, "\tVPN RX bytes: %" PRIu64 "\n", 847 ovpn_nla_get_uint(pattrs[OVPN_A_PEER_VPN_RX_BYTES])); 848 849 if (pattrs[OVPN_A_PEER_VPN_TX_BYTES]) 850 fprintf(stderr, "\tVPN TX bytes: %" PRIu64 "\n", 851 ovpn_nla_get_uint(pattrs[OVPN_A_PEER_VPN_TX_BYTES])); 852 853 if (pattrs[OVPN_A_PEER_VPN_RX_PACKETS]) 854 fprintf(stderr, "\tVPN RX packets: %" PRIu64 "\n", 855 ovpn_nla_get_uint(pattrs[OVPN_A_PEER_VPN_RX_PACKETS])); 856 857 if (pattrs[OVPN_A_PEER_VPN_TX_PACKETS]) 858 fprintf(stderr, "\tVPN TX packets: %" PRIu64 "\n", 859 ovpn_nla_get_uint(pattrs[OVPN_A_PEER_VPN_TX_PACKETS])); 860 861 if (pattrs[OVPN_A_PEER_LINK_RX_BYTES]) 862 fprintf(stderr, "\tLINK RX bytes: %" PRIu64 "\n", 863 ovpn_nla_get_uint(pattrs[OVPN_A_PEER_LINK_RX_BYTES])); 864 865 if (pattrs[OVPN_A_PEER_LINK_TX_BYTES]) 866 fprintf(stderr, "\tLINK TX bytes: %" PRIu64 "\n", 867 ovpn_nla_get_uint(pattrs[OVPN_A_PEER_LINK_TX_BYTES])); 868 869 if (pattrs[OVPN_A_PEER_LINK_RX_PACKETS]) 870 fprintf(stderr, "\tLINK RX packets: %" PRIu64 "\n", 871 ovpn_nla_get_uint(pattrs[OVPN_A_PEER_LINK_RX_PACKETS])); 872 873 if (pattrs[OVPN_A_PEER_LINK_TX_PACKETS]) 874 fprintf(stderr, "\tLINK TX packets: %" PRIu64 "\n", 875 ovpn_nla_get_uint(pattrs[OVPN_A_PEER_LINK_TX_PACKETS])); 876 877 return NL_SKIP; 878 } 879 880 static int ovpn_get_peer(struct ovpn_ctx *ovpn) 881 { 882 int flags = 0, ret = -1; 883 struct nlattr *attr; 884 struct nl_ctx *ctx; 885 886 if (ovpn->peer_id == PEER_ID_UNDEF) 887 flags = NLM_F_DUMP; 888 889 ctx = nl_ctx_alloc_flags(ovpn, OVPN_CMD_PEER_GET, flags); 890 if (!ctx) 891 return -ENOMEM; 892 893 if (ovpn->peer_id != PEER_ID_UNDEF) { 894 attr = nla_nest_start(ctx->nl_msg, OVPN_A_PEER); 895 NLA_PUT_U32(ctx->nl_msg, OVPN_A_PEER_ID, ovpn->peer_id); 896 nla_nest_end(ctx->nl_msg, attr); 897 } 898 899 ret = ovpn_nl_msg_send(ctx, ovpn_handle_peer); 900 nla_put_failure: 901 nl_ctx_free(ctx); 902 return ret; 903 } 904 905 static int ovpn_new_key(struct ovpn_ctx *ovpn) 906 { 907 struct nlattr *keyconf, *key_dir; 908 struct nl_ctx *ctx; 909 int ret = -1; 910 911 ctx = nl_ctx_alloc(ovpn, OVPN_CMD_KEY_NEW); 912 if (!ctx) 913 return -ENOMEM; 914 915 keyconf = nla_nest_start(ctx->nl_msg, OVPN_A_KEYCONF); 916 NLA_PUT_U32(ctx->nl_msg, OVPN_A_KEYCONF_PEER_ID, ovpn->peer_id); 917 NLA_PUT_U32(ctx->nl_msg, OVPN_A_KEYCONF_SLOT, ovpn->key_slot); 918 NLA_PUT_U32(ctx->nl_msg, OVPN_A_KEYCONF_KEY_ID, ovpn->key_id); 919 NLA_PUT_U32(ctx->nl_msg, OVPN_A_KEYCONF_CIPHER_ALG, ovpn->cipher); 920 921 key_dir = nla_nest_start(ctx->nl_msg, OVPN_A_KEYCONF_ENCRYPT_DIR); 922 NLA_PUT(ctx->nl_msg, OVPN_A_KEYDIR_CIPHER_KEY, KEY_LEN, ovpn->key_enc); 923 NLA_PUT(ctx->nl_msg, OVPN_A_KEYDIR_NONCE_TAIL, NONCE_LEN, ovpn->nonce); 924 nla_nest_end(ctx->nl_msg, key_dir); 925 926 key_dir = nla_nest_start(ctx->nl_msg, OVPN_A_KEYCONF_DECRYPT_DIR); 927 NLA_PUT(ctx->nl_msg, OVPN_A_KEYDIR_CIPHER_KEY, KEY_LEN, ovpn->key_dec); 928 NLA_PUT(ctx->nl_msg, OVPN_A_KEYDIR_NONCE_TAIL, NONCE_LEN, ovpn->nonce); 929 nla_nest_end(ctx->nl_msg, key_dir); 930 931 nla_nest_end(ctx->nl_msg, keyconf); 932 933 ret = ovpn_nl_msg_send(ctx, NULL); 934 nla_put_failure: 935 nl_ctx_free(ctx); 936 return ret; 937 } 938 939 static int ovpn_del_key(struct ovpn_ctx *ovpn) 940 { 941 struct nlattr *keyconf; 942 struct nl_ctx *ctx; 943 int ret = -1; 944 945 ctx = nl_ctx_alloc(ovpn, OVPN_CMD_KEY_DEL); 946 if (!ctx) 947 return -ENOMEM; 948 949 keyconf = nla_nest_start(ctx->nl_msg, OVPN_A_KEYCONF); 950 NLA_PUT_U32(ctx->nl_msg, OVPN_A_KEYCONF_PEER_ID, ovpn->peer_id); 951 NLA_PUT_U32(ctx->nl_msg, OVPN_A_KEYCONF_SLOT, ovpn->key_slot); 952 nla_nest_end(ctx->nl_msg, keyconf); 953 954 ret = ovpn_nl_msg_send(ctx, NULL); 955 nla_put_failure: 956 nl_ctx_free(ctx); 957 return ret; 958 } 959 960 static int ovpn_handle_key(struct nl_msg *msg, void (*arg)__always_unused) 961 { 962 struct nlattr *kattrs[OVPN_A_KEYCONF_MAX + 1]; 963 struct genlmsghdr *gnlh = nlmsg_data(nlmsg_hdr(msg)); 964 struct nlattr *attrs[OVPN_A_MAX + 1]; 965 966 nla_parse(attrs, OVPN_A_MAX, genlmsg_attrdata(gnlh, 0), 967 genlmsg_attrlen(gnlh, 0), NULL); 968 969 if (!attrs[OVPN_A_KEYCONF]) { 970 fprintf(stderr, "no packet content in netlink message\n"); 971 return NL_SKIP; 972 } 973 974 nla_parse(kattrs, OVPN_A_KEYCONF_MAX, nla_data(attrs[OVPN_A_KEYCONF]), 975 nla_len(attrs[OVPN_A_KEYCONF]), NULL); 976 977 if (kattrs[OVPN_A_KEYCONF_PEER_ID]) 978 fprintf(stderr, "* Peer %u\n", 979 nla_get_u32(kattrs[OVPN_A_KEYCONF_PEER_ID])); 980 if (kattrs[OVPN_A_KEYCONF_SLOT]) { 981 fprintf(stderr, "\t- Slot: "); 982 switch (nla_get_u32(kattrs[OVPN_A_KEYCONF_SLOT])) { 983 case OVPN_KEY_SLOT_PRIMARY: 984 fprintf(stderr, "primary\n"); 985 break; 986 case OVPN_KEY_SLOT_SECONDARY: 987 fprintf(stderr, "secondary\n"); 988 break; 989 default: 990 fprintf(stderr, "invalid (%u)\n", 991 nla_get_u32(kattrs[OVPN_A_KEYCONF_SLOT])); 992 break; 993 } 994 } 995 if (kattrs[OVPN_A_KEYCONF_KEY_ID]) 996 fprintf(stderr, "\t- Key ID: %u\n", 997 nla_get_u32(kattrs[OVPN_A_KEYCONF_KEY_ID])); 998 if (kattrs[OVPN_A_KEYCONF_CIPHER_ALG]) { 999 fprintf(stderr, "\t- Cipher: "); 1000 switch (nla_get_u32(kattrs[OVPN_A_KEYCONF_CIPHER_ALG])) { 1001 case OVPN_CIPHER_ALG_NONE: 1002 fprintf(stderr, "none\n"); 1003 break; 1004 case OVPN_CIPHER_ALG_AES_GCM: 1005 fprintf(stderr, "aes-gcm\n"); 1006 break; 1007 case OVPN_CIPHER_ALG_CHACHA20_POLY1305: 1008 fprintf(stderr, "chacha20poly1305\n"); 1009 break; 1010 default: 1011 fprintf(stderr, "invalid (%u)\n", 1012 nla_get_u32(kattrs[OVPN_A_KEYCONF_CIPHER_ALG])); 1013 break; 1014 } 1015 } 1016 1017 return NL_SKIP; 1018 } 1019 1020 static int ovpn_get_key(struct ovpn_ctx *ovpn) 1021 { 1022 struct nlattr *keyconf; 1023 struct nl_ctx *ctx; 1024 int ret = -1; 1025 1026 ctx = nl_ctx_alloc(ovpn, OVPN_CMD_KEY_GET); 1027 if (!ctx) 1028 return -ENOMEM; 1029 1030 keyconf = nla_nest_start(ctx->nl_msg, OVPN_A_KEYCONF); 1031 NLA_PUT_U32(ctx->nl_msg, OVPN_A_KEYCONF_PEER_ID, ovpn->peer_id); 1032 NLA_PUT_U32(ctx->nl_msg, OVPN_A_KEYCONF_SLOT, ovpn->key_slot); 1033 nla_nest_end(ctx->nl_msg, keyconf); 1034 1035 ret = ovpn_nl_msg_send(ctx, ovpn_handle_key); 1036 nla_put_failure: 1037 nl_ctx_free(ctx); 1038 return ret; 1039 } 1040 1041 static int ovpn_swap_keys(struct ovpn_ctx *ovpn) 1042 { 1043 struct nl_ctx *ctx; 1044 struct nlattr *kc; 1045 int ret = -1; 1046 1047 ctx = nl_ctx_alloc(ovpn, OVPN_CMD_KEY_SWAP); 1048 if (!ctx) 1049 return -ENOMEM; 1050 1051 kc = nla_nest_start(ctx->nl_msg, OVPN_A_KEYCONF); 1052 NLA_PUT_U32(ctx->nl_msg, OVPN_A_KEYCONF_PEER_ID, ovpn->peer_id); 1053 nla_nest_end(ctx->nl_msg, kc); 1054 1055 ret = ovpn_nl_msg_send(ctx, NULL); 1056 nla_put_failure: 1057 nl_ctx_free(ctx); 1058 return ret; 1059 } 1060 1061 /* Helper function used to easily add attributes to a rtnl message */ 1062 static int ovpn_addattr(struct nlmsghdr *n, int maxlen, int type, 1063 const void *data, int alen) 1064 { 1065 int len = RTA_LENGTH(alen); 1066 struct rtattr *rta; 1067 1068 if ((int)(NLMSG_ALIGN(n->nlmsg_len) + RTA_ALIGN(len)) > maxlen) { 1069 fprintf(stderr, "%s: rtnl: message exceeded bound of %d\n", 1070 __func__, maxlen); 1071 return -EMSGSIZE; 1072 } 1073 1074 rta = nlmsg_tail(n); 1075 rta->rta_type = type; 1076 rta->rta_len = len; 1077 1078 if (!data) 1079 memset(RTA_DATA(rta), 0, alen); 1080 else 1081 memcpy(RTA_DATA(rta), data, alen); 1082 1083 n->nlmsg_len = NLMSG_ALIGN(n->nlmsg_len) + RTA_ALIGN(len); 1084 1085 return 0; 1086 } 1087 1088 static struct rtattr *ovpn_nest_start(struct nlmsghdr *msg, size_t max_size, 1089 int attr) 1090 { 1091 struct rtattr *nest = nlmsg_tail(msg); 1092 1093 if (ovpn_addattr(msg, max_size, attr, NULL, 0) < 0) 1094 return NULL; 1095 1096 return nest; 1097 } 1098 1099 static void ovpn_nest_end(struct nlmsghdr *msg, struct rtattr *nest) 1100 { 1101 nest->rta_len = (uint8_t *)nlmsg_tail(msg) - (uint8_t *)nest; 1102 } 1103 1104 #define RT_SNDBUF_SIZE (1024 * 2) 1105 #define RT_RCVBUF_SIZE (1024 * 4) 1106 1107 /* Open RTNL socket */ 1108 static int ovpn_rt_socket(void) 1109 { 1110 int sndbuf = RT_SNDBUF_SIZE, rcvbuf = RT_RCVBUF_SIZE, fd; 1111 1112 fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE); 1113 if (fd < 0) { 1114 fprintf(stderr, "%s: cannot open netlink socket\n", __func__); 1115 return fd; 1116 } 1117 1118 if (setsockopt(fd, SOL_SOCKET, SO_SNDBUF, &sndbuf, 1119 sizeof(sndbuf)) < 0) { 1120 fprintf(stderr, "%s: SO_SNDBUF\n", __func__); 1121 close(fd); 1122 return -1; 1123 } 1124 1125 if (setsockopt(fd, SOL_SOCKET, SO_RCVBUF, &rcvbuf, 1126 sizeof(rcvbuf)) < 0) { 1127 fprintf(stderr, "%s: SO_RCVBUF\n", __func__); 1128 close(fd); 1129 return -1; 1130 } 1131 1132 return fd; 1133 } 1134 1135 /* Bind socket to Netlink subsystem */ 1136 static int ovpn_rt_bind(int fd, uint32_t groups) 1137 { 1138 struct sockaddr_nl local = { 0 }; 1139 socklen_t addr_len; 1140 1141 local.nl_family = AF_NETLINK; 1142 local.nl_groups = groups; 1143 1144 if (bind(fd, (struct sockaddr *)&local, sizeof(local)) < 0) { 1145 fprintf(stderr, "%s: cannot bind netlink socket: %d\n", 1146 __func__, errno); 1147 return -errno; 1148 } 1149 1150 addr_len = sizeof(local); 1151 if (getsockname(fd, (struct sockaddr *)&local, &addr_len) < 0) { 1152 fprintf(stderr, "%s: cannot getsockname: %d\n", __func__, 1153 errno); 1154 return -errno; 1155 } 1156 1157 if (addr_len != sizeof(local)) { 1158 fprintf(stderr, "%s: wrong address length %d\n", __func__, 1159 addr_len); 1160 return -EINVAL; 1161 } 1162 1163 if (local.nl_family != AF_NETLINK) { 1164 fprintf(stderr, "%s: wrong address family %d\n", __func__, 1165 local.nl_family); 1166 return -EINVAL; 1167 } 1168 1169 return 0; 1170 } 1171 1172 typedef int (*ovpn_parse_reply_cb)(struct nlmsghdr *msg, void *arg); 1173 1174 /* Send Netlink message and run callback on reply (if specified) */ 1175 static int ovpn_rt_send(struct nlmsghdr *payload, pid_t peer, 1176 unsigned int groups, ovpn_parse_reply_cb cb, 1177 void *arg_cb) 1178 { 1179 int len, rem_len, fd, ret, rcv_len; 1180 struct sockaddr_nl nladdr = { 0 }; 1181 struct nlmsgerr *err; 1182 struct nlmsghdr *h; 1183 char buf[1024 * 16]; 1184 struct iovec iov = { 1185 .iov_base = payload, 1186 .iov_len = payload->nlmsg_len, 1187 }; 1188 struct msghdr nlmsg = { 1189 .msg_name = &nladdr, 1190 .msg_namelen = sizeof(nladdr), 1191 .msg_iov = &iov, 1192 .msg_iovlen = 1, 1193 }; 1194 1195 nladdr.nl_family = AF_NETLINK; 1196 nladdr.nl_pid = peer; 1197 nladdr.nl_groups = groups; 1198 1199 payload->nlmsg_seq = time(NULL); 1200 1201 /* no need to send reply */ 1202 if (!cb) 1203 payload->nlmsg_flags |= NLM_F_ACK; 1204 1205 fd = ovpn_rt_socket(); 1206 if (fd < 0) { 1207 fprintf(stderr, "%s: can't open rtnl socket\n", __func__); 1208 return -errno; 1209 } 1210 1211 ret = ovpn_rt_bind(fd, 0); 1212 if (ret < 0) { 1213 fprintf(stderr, "%s: can't bind rtnl socket\n", __func__); 1214 ret = -errno; 1215 goto out; 1216 } 1217 1218 ret = sendmsg(fd, &nlmsg, 0); 1219 if (ret < 0) { 1220 fprintf(stderr, "%s: rtnl: error on sendmsg()\n", __func__); 1221 ret = -errno; 1222 goto out; 1223 } 1224 1225 /* prepare buffer to store RTNL replies */ 1226 memset(buf, 0, sizeof(buf)); 1227 iov.iov_base = buf; 1228 1229 while (1) { 1230 /* 1231 * iov_len is modified by recvmsg(), therefore has to be initialized before 1232 * using it again 1233 */ 1234 iov.iov_len = sizeof(buf); 1235 rcv_len = recvmsg(fd, &nlmsg, 0); 1236 if (rcv_len < 0) { 1237 if (errno == EINTR || errno == EAGAIN) { 1238 fprintf(stderr, "%s: interrupted call\n", 1239 __func__); 1240 continue; 1241 } 1242 fprintf(stderr, "%s: rtnl: error on recvmsg()\n", 1243 __func__); 1244 ret = -errno; 1245 goto out; 1246 } 1247 1248 if (rcv_len == 0) { 1249 fprintf(stderr, 1250 "%s: rtnl: socket reached unexpected EOF\n", 1251 __func__); 1252 ret = -EIO; 1253 goto out; 1254 } 1255 1256 if (nlmsg.msg_namelen != sizeof(nladdr)) { 1257 fprintf(stderr, 1258 "%s: sender address length: %u (expected %zu)\n", 1259 __func__, nlmsg.msg_namelen, sizeof(nladdr)); 1260 ret = -EIO; 1261 goto out; 1262 } 1263 1264 h = (struct nlmsghdr *)buf; 1265 while (rcv_len >= (int)sizeof(*h)) { 1266 len = h->nlmsg_len; 1267 rem_len = len - sizeof(*h); 1268 1269 if (rem_len < 0 || len > rcv_len) { 1270 if (nlmsg.msg_flags & MSG_TRUNC) { 1271 fprintf(stderr, "%s: truncated message\n", 1272 __func__); 1273 ret = -EIO; 1274 goto out; 1275 } 1276 fprintf(stderr, "%s: malformed message: len=%d\n", 1277 __func__, len); 1278 ret = -EIO; 1279 goto out; 1280 } 1281 1282 if (h->nlmsg_type == NLMSG_DONE) { 1283 ret = 0; 1284 goto out; 1285 } 1286 1287 if (h->nlmsg_type == NLMSG_ERROR) { 1288 err = (struct nlmsgerr *)NLMSG_DATA(h); 1289 if (rem_len < (int)sizeof(struct nlmsgerr)) { 1290 fprintf(stderr, "%s: ERROR truncated\n", 1291 __func__); 1292 ret = -EIO; 1293 goto out; 1294 } 1295 1296 if (err->error) { 1297 fprintf(stderr, "%s: (%d) %s\n", 1298 __func__, err->error, 1299 strerror(-err->error)); 1300 ret = err->error; 1301 goto out; 1302 } 1303 1304 ret = 0; 1305 if (cb) { 1306 int r = cb(h, arg_cb); 1307 1308 if (r <= 0) 1309 ret = r; 1310 } 1311 goto out; 1312 } 1313 1314 if (cb) { 1315 int r = cb(h, arg_cb); 1316 1317 if (r <= 0) { 1318 ret = r; 1319 goto out; 1320 } 1321 } else { 1322 fprintf(stderr, "%s: RTNL: unexpected reply\n", 1323 __func__); 1324 } 1325 1326 rcv_len -= NLMSG_ALIGN(len); 1327 h = (struct nlmsghdr *)((uint8_t *)h + 1328 NLMSG_ALIGN(len)); 1329 } 1330 1331 if (nlmsg.msg_flags & MSG_TRUNC) { 1332 fprintf(stderr, "%s: message truncated\n", __func__); 1333 continue; 1334 } 1335 1336 if (rcv_len) { 1337 fprintf(stderr, "%s: rtnl: %d not parsed bytes\n", 1338 __func__, rcv_len); 1339 ret = -1; 1340 goto out; 1341 } 1342 } 1343 out: 1344 close(fd); 1345 1346 return ret; 1347 } 1348 1349 struct ovpn_link_req { 1350 struct nlmsghdr n; 1351 struct ifinfomsg i; 1352 char buf[256]; 1353 }; 1354 1355 static int ovpn_new_iface(struct ovpn_ctx *ovpn) 1356 { 1357 struct rtattr *linkinfo, *data; 1358 struct ovpn_link_req req = { 0 }; 1359 int ret = -1; 1360 1361 fprintf(stdout, "Creating interface %s with mode %u\n", ovpn->ifname, 1362 ovpn->mode); 1363 1364 req.n.nlmsg_len = NLMSG_LENGTH(sizeof(req.i)); 1365 req.n.nlmsg_flags = NLM_F_REQUEST | NLM_F_CREATE | NLM_F_EXCL; 1366 req.n.nlmsg_type = RTM_NEWLINK; 1367 1368 if (ovpn_addattr(&req.n, sizeof(req), IFLA_IFNAME, ovpn->ifname, 1369 strlen(ovpn->ifname) + 1) < 0) 1370 goto err; 1371 1372 linkinfo = ovpn_nest_start(&req.n, sizeof(req), IFLA_LINKINFO); 1373 if (!linkinfo) 1374 goto err; 1375 1376 if (ovpn_addattr(&req.n, sizeof(req), IFLA_INFO_KIND, OVPN_FAMILY_NAME, 1377 strlen(OVPN_FAMILY_NAME) + 1) < 0) 1378 goto err; 1379 1380 if (ovpn->mode_set) { 1381 data = ovpn_nest_start(&req.n, sizeof(req), IFLA_INFO_DATA); 1382 if (!data) 1383 goto err; 1384 1385 if (ovpn_addattr(&req.n, sizeof(req), IFLA_OVPN_MODE, 1386 &ovpn->mode, sizeof(uint8_t)) < 0) 1387 goto err; 1388 1389 ovpn_nest_end(&req.n, data); 1390 } 1391 1392 ovpn_nest_end(&req.n, linkinfo); 1393 1394 req.i.ifi_family = AF_PACKET; 1395 1396 ret = ovpn_rt_send(&req.n, 0, 0, NULL, NULL); 1397 err: 1398 return ret; 1399 } 1400 1401 static int ovpn_del_iface(struct ovpn_ctx *ovpn) 1402 { 1403 struct ovpn_link_req req = { 0 }; 1404 1405 fprintf(stdout, "Deleting interface %s ifindex %u\n", ovpn->ifname, 1406 ovpn->ifindex); 1407 1408 req.n.nlmsg_len = NLMSG_LENGTH(sizeof(req.i)); 1409 req.n.nlmsg_flags = NLM_F_REQUEST; 1410 req.n.nlmsg_type = RTM_DELLINK; 1411 1412 req.i.ifi_family = AF_PACKET; 1413 req.i.ifi_index = ovpn->ifindex; 1414 1415 return ovpn_rt_send(&req.n, 0, 0, NULL, NULL); 1416 } 1417 1418 static int nl_seq_check(struct nl_msg (*msg)__always_unused, 1419 void (*arg)__always_unused) 1420 { 1421 return NL_OK; 1422 } 1423 1424 struct mcast_handler_args { 1425 const char *group; 1426 int id; 1427 }; 1428 1429 static int mcast_family_handler(struct nl_msg *msg, void *arg) 1430 { 1431 struct mcast_handler_args *grp = arg; 1432 struct nlattr *tb[CTRL_ATTR_MAX + 1]; 1433 struct genlmsghdr *gnlh = nlmsg_data(nlmsg_hdr(msg)); 1434 struct nlattr *mcgrp; 1435 int rem_mcgrp; 1436 1437 nla_parse(tb, CTRL_ATTR_MAX, genlmsg_attrdata(gnlh, 0), 1438 genlmsg_attrlen(gnlh, 0), NULL); 1439 1440 if (!tb[CTRL_ATTR_MCAST_GROUPS]) 1441 return NL_SKIP; 1442 1443 nla_for_each_nested(mcgrp, tb[CTRL_ATTR_MCAST_GROUPS], rem_mcgrp) { 1444 struct nlattr *tb_mcgrp[CTRL_ATTR_MCAST_GRP_MAX + 1]; 1445 1446 nla_parse(tb_mcgrp, CTRL_ATTR_MCAST_GRP_MAX, 1447 nla_data(mcgrp), nla_len(mcgrp), NULL); 1448 1449 if (!tb_mcgrp[CTRL_ATTR_MCAST_GRP_NAME] || 1450 !tb_mcgrp[CTRL_ATTR_MCAST_GRP_ID]) 1451 continue; 1452 if (strncmp(nla_data(tb_mcgrp[CTRL_ATTR_MCAST_GRP_NAME]), 1453 grp->group, nla_len(tb_mcgrp[CTRL_ATTR_MCAST_GRP_NAME]))) 1454 continue; 1455 grp->id = nla_get_u32(tb_mcgrp[CTRL_ATTR_MCAST_GRP_ID]); 1456 break; 1457 } 1458 1459 return NL_SKIP; 1460 } 1461 1462 static int mcast_error_handler(struct sockaddr_nl (*nla)__always_unused, 1463 struct nlmsgerr *err, void *arg) 1464 { 1465 int *ret = arg; 1466 1467 *ret = err->error; 1468 return NL_STOP; 1469 } 1470 1471 static int mcast_ack_handler(struct nl_msg (*msg)__always_unused, void *arg) 1472 { 1473 int *ret = arg; 1474 1475 *ret = 0; 1476 return NL_STOP; 1477 } 1478 1479 static int ovpn_handle_msg(struct nl_msg *msg, void *arg) 1480 { 1481 struct genlmsghdr *gnlh = nlmsg_data(nlmsg_hdr(msg)); 1482 struct nlattr *attrs[OVPN_A_MAX + 1]; 1483 struct nlmsghdr *nlh = nlmsg_hdr(msg); 1484 char ifname[IF_NAMESIZE]; 1485 int *ret = arg; 1486 __u32 ifindex; 1487 1488 fprintf(stderr, "received message from ovpn-dco\n"); 1489 1490 *ret = -1; 1491 1492 if (!genlmsg_valid_hdr(nlh, 0)) { 1493 fprintf(stderr, "invalid header\n"); 1494 return NL_STOP; 1495 } 1496 1497 if (nla_parse(attrs, OVPN_A_MAX, genlmsg_attrdata(gnlh, 0), 1498 genlmsg_attrlen(gnlh, 0), NULL)) { 1499 fprintf(stderr, "received bogus data from ovpn-dco\n"); 1500 return NL_STOP; 1501 } 1502 1503 if (!attrs[OVPN_A_IFINDEX]) { 1504 fprintf(stderr, "no ifindex in this message\n"); 1505 return NL_STOP; 1506 } 1507 1508 ifindex = nla_get_u32(attrs[OVPN_A_IFINDEX]); 1509 if (!if_indextoname(ifindex, ifname)) { 1510 fprintf(stderr, "cannot resolve ifname for ifindex: %u\n", 1511 ifindex); 1512 return NL_STOP; 1513 } 1514 1515 switch (gnlh->cmd) { 1516 case OVPN_CMD_PEER_DEL_NTF: 1517 fprintf(stdout, "received CMD_PEER_DEL_NTF\n"); 1518 break; 1519 case OVPN_CMD_PEER_FLOAT_NTF: 1520 fprintf(stdout, "received CMD_PEER_FLOAT_NTF\n"); 1521 break; 1522 case OVPN_CMD_KEY_SWAP_NTF: 1523 fprintf(stdout, "received CMD_KEY_SWAP_NTF\n"); 1524 break; 1525 default: 1526 fprintf(stderr, "received unknown command: %d\n", gnlh->cmd); 1527 return NL_STOP; 1528 } 1529 1530 *ret = 0; 1531 return NL_OK; 1532 } 1533 1534 static int ovpn_get_mcast_id(struct nl_sock *sock, const char *family, 1535 const char *group) 1536 { 1537 struct nl_msg *msg; 1538 struct nl_cb *cb; 1539 int ret, ctrlid; 1540 struct mcast_handler_args grp = { 1541 .group = group, 1542 .id = -ENOENT, 1543 }; 1544 1545 msg = nlmsg_alloc(); 1546 if (!msg) 1547 return -ENOMEM; 1548 1549 cb = nl_cb_alloc(NL_CB_DEFAULT); 1550 if (!cb) { 1551 ret = -ENOMEM; 1552 goto out_fail_cb; 1553 } 1554 1555 ctrlid = genl_ctrl_resolve(sock, "nlctrl"); 1556 1557 genlmsg_put(msg, 0, 0, ctrlid, 0, 0, CTRL_CMD_GETFAMILY, 0); 1558 1559 ret = -ENOBUFS; 1560 NLA_PUT_STRING(msg, CTRL_ATTR_FAMILY_NAME, family); 1561 1562 ret = nl_send_auto_complete(sock, msg); 1563 if (ret < 0) 1564 goto nla_put_failure; 1565 1566 ret = 1; 1567 1568 nl_cb_err(cb, NL_CB_CUSTOM, mcast_error_handler, &ret); 1569 nl_cb_set(cb, NL_CB_ACK, NL_CB_CUSTOM, mcast_ack_handler, &ret); 1570 nl_cb_set(cb, NL_CB_VALID, NL_CB_CUSTOM, mcast_family_handler, &grp); 1571 1572 while (ret > 0) 1573 nl_recvmsgs(sock, cb); 1574 1575 if (ret == 0) 1576 ret = grp.id; 1577 nla_put_failure: 1578 nl_cb_put(cb); 1579 out_fail_cb: 1580 nlmsg_free(msg); 1581 return ret; 1582 } 1583 1584 static int ovpn_listen_mcast(void) 1585 { 1586 struct nl_sock *sock; 1587 struct nl_cb *cb; 1588 int mcid, ret; 1589 1590 sock = nl_socket_alloc(); 1591 if (!sock) { 1592 fprintf(stderr, "cannot allocate netlink socket\n"); 1593 ret = -ENOMEM; 1594 goto err_free; 1595 } 1596 1597 nl_socket_set_buffer_size(sock, 8192, 8192); 1598 1599 ret = genl_connect(sock); 1600 if (ret < 0) { 1601 fprintf(stderr, "cannot connect to generic netlink: %s\n", 1602 nl_geterror(ret)); 1603 goto err_free; 1604 } 1605 1606 mcid = ovpn_get_mcast_id(sock, OVPN_FAMILY_NAME, OVPN_MCGRP_PEERS); 1607 if (mcid < 0) { 1608 fprintf(stderr, "cannot get mcast group: %s\n", 1609 nl_geterror(mcid)); 1610 goto err_free; 1611 } 1612 1613 ret = nl_socket_add_membership(sock, mcid); 1614 if (ret) { 1615 fprintf(stderr, "failed to join mcast group: %d\n", ret); 1616 goto err_free; 1617 } 1618 1619 ret = 1; 1620 cb = nl_cb_alloc(NL_CB_DEFAULT); 1621 nl_cb_set(cb, NL_CB_SEQ_CHECK, NL_CB_CUSTOM, nl_seq_check, NULL); 1622 nl_cb_set(cb, NL_CB_VALID, NL_CB_CUSTOM, ovpn_handle_msg, &ret); 1623 nl_cb_err(cb, NL_CB_CUSTOM, ovpn_nl_cb_error, &ret); 1624 1625 while (ret == 1) { 1626 int err = nl_recvmsgs(sock, cb); 1627 1628 if (err < 0) { 1629 fprintf(stderr, 1630 "cannot receive netlink message: (%d) %s\n", 1631 err, nl_geterror(-err)); 1632 ret = -1; 1633 break; 1634 } 1635 } 1636 1637 nl_cb_put(cb); 1638 err_free: 1639 nl_socket_free(sock); 1640 return ret; 1641 } 1642 1643 static void usage(const char *cmd) 1644 { 1645 fprintf(stderr, 1646 "Usage %s <command> <iface> [arguments..]\n", 1647 cmd); 1648 fprintf(stderr, "where <command> can be one of the following\n\n"); 1649 1650 fprintf(stderr, "* new_iface <iface> [mode]: create new ovpn interface\n"); 1651 fprintf(stderr, "\tiface: ovpn interface name\n"); 1652 fprintf(stderr, "\tmode:\n"); 1653 fprintf(stderr, "\t\t- P2P for peer-to-peer mode (i.e. client)\n"); 1654 fprintf(stderr, "\t\t- MP for multi-peer mode (i.e. server)\n"); 1655 1656 fprintf(stderr, "* del_iface <iface>: delete ovpn interface\n"); 1657 fprintf(stderr, "\tiface: ovpn interface name\n"); 1658 1659 fprintf(stderr, 1660 "* listen <iface> <lport> <peers_file> [ipv6]: listen for incoming peer TCP connections\n"); 1661 fprintf(stderr, "\tiface: ovpn interface name\n"); 1662 fprintf(stderr, "\tlport: TCP port to listen to\n"); 1663 fprintf(stderr, 1664 "\tpeers_file: file containing one peer per line: Line format:\n"); 1665 fprintf(stderr, "\t\t<peer_id> <vpnaddr>\n"); 1666 fprintf(stderr, 1667 "\tipv6: whether the socket should listen to the IPv6 wildcard address\n"); 1668 1669 fprintf(stderr, 1670 "* connect <iface> <peer_id> <raddr> <rport> [key_file]: start connecting peer of TCP-based VPN session\n"); 1671 fprintf(stderr, "\tiface: ovpn interface name\n"); 1672 fprintf(stderr, "\tpeer_id: peer ID of the connecting peer\n"); 1673 fprintf(stderr, "\traddr: peer IP address to connect to\n"); 1674 fprintf(stderr, "\trport: peer TCP port to connect to\n"); 1675 fprintf(stderr, 1676 "\tkey_file: file containing the symmetric key for encryption\n"); 1677 1678 fprintf(stderr, 1679 "* new_peer <iface> <peer_id> <lport> <raddr> <rport> [vpnaddr]: add new peer\n"); 1680 fprintf(stderr, "\tiface: ovpn interface name\n"); 1681 fprintf(stderr, "\tlport: local UDP port to bind to\n"); 1682 fprintf(stderr, 1683 "\tpeer_id: peer ID to be used in data packets to/from this peer\n"); 1684 fprintf(stderr, "\traddr: peer IP address\n"); 1685 fprintf(stderr, "\trport: peer UDP port\n"); 1686 fprintf(stderr, "\tvpnaddr: peer VPN IP\n"); 1687 1688 fprintf(stderr, 1689 "* new_multi_peer <iface> <lport> <peers_file>: add multiple peers as listed in the file\n"); 1690 fprintf(stderr, "\tiface: ovpn interface name\n"); 1691 fprintf(stderr, "\tlport: local UDP port to bind to\n"); 1692 fprintf(stderr, 1693 "\tpeers_file: text file containing one peer per line. Line format:\n"); 1694 fprintf(stderr, "\t\t<peer_id> <raddr> <rport> <vpnaddr>\n"); 1695 1696 fprintf(stderr, 1697 "* set_peer <iface> <peer_id> <keepalive_interval> <keepalive_timeout>: set peer attributes\n"); 1698 fprintf(stderr, "\tiface: ovpn interface name\n"); 1699 fprintf(stderr, "\tpeer_id: peer ID of the peer to modify\n"); 1700 fprintf(stderr, 1701 "\tkeepalive_interval: interval for sending ping messages\n"); 1702 fprintf(stderr, 1703 "\tkeepalive_timeout: time after which a peer is timed out\n"); 1704 1705 fprintf(stderr, "* del_peer <iface> <peer_id>: delete peer\n"); 1706 fprintf(stderr, "\tiface: ovpn interface name\n"); 1707 fprintf(stderr, "\tpeer_id: peer ID of the peer to delete\n"); 1708 1709 fprintf(stderr, "* get_peer <iface> [peer_id]: retrieve peer(s) status\n"); 1710 fprintf(stderr, "\tiface: ovpn interface name\n"); 1711 fprintf(stderr, 1712 "\tpeer_id: peer ID of the peer to query. All peers are returned if omitted\n"); 1713 1714 fprintf(stderr, 1715 "* new_key <iface> <peer_id> <slot> <key_id> <cipher> <key_dir> <key_file>: set data channel key\n"); 1716 fprintf(stderr, "\tiface: ovpn interface name\n"); 1717 fprintf(stderr, 1718 "\tpeer_id: peer ID of the peer to configure the key for\n"); 1719 fprintf(stderr, "\tslot: either 1 (primary) or 2 (secondary)\n"); 1720 fprintf(stderr, "\tkey_id: an ID from 0 to 7\n"); 1721 fprintf(stderr, 1722 "\tcipher: cipher to use, supported: aes (AES-GCM), chachapoly (CHACHA20POLY1305)\n"); 1723 fprintf(stderr, 1724 "\tkey_dir: key direction, must 0 on one host and 1 on the other\n"); 1725 fprintf(stderr, "\tkey_file: file containing the pre-shared key\n"); 1726 1727 fprintf(stderr, 1728 "* del_key <iface> <peer_id> [slot]: erase existing data channel key\n"); 1729 fprintf(stderr, "\tiface: ovpn interface name\n"); 1730 fprintf(stderr, "\tpeer_id: peer ID of the peer to modify\n"); 1731 fprintf(stderr, "\tslot: slot to erase. PRIMARY if omitted\n"); 1732 1733 fprintf(stderr, 1734 "* get_key <iface> <peer_id> <slot>: retrieve non sensible key data\n"); 1735 fprintf(stderr, "\tiface: ovpn interface name\n"); 1736 fprintf(stderr, "\tpeer_id: peer ID of the peer to query\n"); 1737 fprintf(stderr, "\tslot: either 1 (primary) or 2 (secondary)\n"); 1738 1739 fprintf(stderr, 1740 "* swap_keys <iface> <peer_id>: swap content of primary and secondary key slots\n"); 1741 fprintf(stderr, "\tiface: ovpn interface name\n"); 1742 fprintf(stderr, "\tpeer_id: peer ID of the peer to modify\n"); 1743 1744 fprintf(stderr, 1745 "* listen_mcast: listen to ovpn netlink multicast messages\n"); 1746 } 1747 1748 static int ovpn_parse_remote(struct ovpn_ctx *ovpn, const char *host, 1749 const char *service, const char *vpnip) 1750 { 1751 int ret; 1752 struct addrinfo *result; 1753 struct addrinfo hints = { 1754 .ai_family = ovpn->sa_family, 1755 .ai_socktype = SOCK_DGRAM, 1756 .ai_protocol = IPPROTO_UDP 1757 }; 1758 1759 if (host) { 1760 ret = getaddrinfo(host, service, &hints, &result); 1761 if (ret) { 1762 fprintf(stderr, "getaddrinfo on remote error: %s\n", 1763 gai_strerror(ret)); 1764 return -1; 1765 } 1766 1767 if (!(result->ai_family == AF_INET && 1768 result->ai_addrlen == sizeof(struct sockaddr_in)) && 1769 !(result->ai_family == AF_INET6 && 1770 result->ai_addrlen == sizeof(struct sockaddr_in6))) { 1771 ret = -EINVAL; 1772 goto out; 1773 } 1774 1775 memcpy(&ovpn->remote, result->ai_addr, result->ai_addrlen); 1776 } 1777 1778 if (vpnip) { 1779 ret = getaddrinfo(vpnip, NULL, &hints, &result); 1780 if (ret) { 1781 fprintf(stderr, "getaddrinfo on vpnip error: %s\n", 1782 gai_strerror(ret)); 1783 return -1; 1784 } 1785 1786 if (!(result->ai_family == AF_INET && 1787 result->ai_addrlen == sizeof(struct sockaddr_in)) && 1788 !(result->ai_family == AF_INET6 && 1789 result->ai_addrlen == sizeof(struct sockaddr_in6))) { 1790 ret = -EINVAL; 1791 goto out; 1792 } 1793 1794 memcpy(&ovpn->peer_ip, result->ai_addr, result->ai_addrlen); 1795 ovpn->sa_family = result->ai_family; 1796 1797 ovpn->peer_ip_set = true; 1798 } 1799 1800 ret = 0; 1801 out: 1802 freeaddrinfo(result); 1803 return ret; 1804 } 1805 1806 static int ovpn_parse_new_peer(struct ovpn_ctx *ovpn, const char *peer_id, 1807 const char *raddr, const char *rport, 1808 const char *vpnip) 1809 { 1810 ovpn->peer_id = strtoul(peer_id, NULL, 10); 1811 if (errno == ERANGE || ovpn->peer_id > PEER_ID_UNDEF) { 1812 fprintf(stderr, "peer ID value out of range\n"); 1813 return -1; 1814 } 1815 1816 return ovpn_parse_remote(ovpn, raddr, rport, vpnip); 1817 } 1818 1819 static int ovpn_parse_key_slot(const char *arg, struct ovpn_ctx *ovpn) 1820 { 1821 int slot = strtoul(arg, NULL, 10); 1822 1823 if (errno == ERANGE || slot < 1 || slot > 2) { 1824 fprintf(stderr, "key slot out of range\n"); 1825 return -1; 1826 } 1827 1828 switch (slot) { 1829 case 1: 1830 ovpn->key_slot = OVPN_KEY_SLOT_PRIMARY; 1831 break; 1832 case 2: 1833 ovpn->key_slot = OVPN_KEY_SLOT_SECONDARY; 1834 break; 1835 } 1836 1837 return 0; 1838 } 1839 1840 static int ovpn_send_tcp_data(int socket) 1841 { 1842 uint16_t len = htons(1000); 1843 uint8_t buf[1002]; 1844 int ret; 1845 1846 memcpy(buf, &len, sizeof(len)); 1847 memset(buf + sizeof(len), 0x86, sizeof(buf) - sizeof(len)); 1848 1849 ret = send(socket, buf, sizeof(buf), MSG_NOSIGNAL); 1850 1851 fprintf(stdout, "Sent %u bytes over TCP socket\n", ret); 1852 1853 return ret > 0 ? 0 : ret; 1854 } 1855 1856 static int ovpn_recv_tcp_data(int socket) 1857 { 1858 uint8_t buf[1002]; 1859 uint16_t len; 1860 int ret; 1861 1862 ret = recv(socket, buf, sizeof(buf), MSG_NOSIGNAL); 1863 1864 if (ret < 2) { 1865 fprintf(stderr, ">>>> Error while reading TCP data: %d\n", ret); 1866 return ret; 1867 } 1868 1869 memcpy(&len, buf, sizeof(len)); 1870 len = ntohs(len); 1871 1872 fprintf(stdout, ">>>> Received %u bytes over TCP socket, header: %u\n", 1873 ret, len); 1874 1875 return 0; 1876 } 1877 1878 static enum ovpn_cmd ovpn_parse_cmd(const char *cmd) 1879 { 1880 if (!strcmp(cmd, "new_iface")) 1881 return CMD_NEW_IFACE; 1882 1883 if (!strcmp(cmd, "del_iface")) 1884 return CMD_DEL_IFACE; 1885 1886 if (!strcmp(cmd, "listen")) 1887 return CMD_LISTEN; 1888 1889 if (!strcmp(cmd, "connect")) 1890 return CMD_CONNECT; 1891 1892 if (!strcmp(cmd, "new_peer")) 1893 return CMD_NEW_PEER; 1894 1895 if (!strcmp(cmd, "new_multi_peer")) 1896 return CMD_NEW_MULTI_PEER; 1897 1898 if (!strcmp(cmd, "set_peer")) 1899 return CMD_SET_PEER; 1900 1901 if (!strcmp(cmd, "del_peer")) 1902 return CMD_DEL_PEER; 1903 1904 if (!strcmp(cmd, "get_peer")) 1905 return CMD_GET_PEER; 1906 1907 if (!strcmp(cmd, "new_key")) 1908 return CMD_NEW_KEY; 1909 1910 if (!strcmp(cmd, "del_key")) 1911 return CMD_DEL_KEY; 1912 1913 if (!strcmp(cmd, "get_key")) 1914 return CMD_GET_KEY; 1915 1916 if (!strcmp(cmd, "swap_keys")) 1917 return CMD_SWAP_KEYS; 1918 1919 if (!strcmp(cmd, "listen_mcast")) 1920 return CMD_LISTEN_MCAST; 1921 1922 return CMD_INVALID; 1923 } 1924 1925 /* Send process to background and waits for signal. 1926 * 1927 * This helper is called at the end of commands 1928 * creating sockets, so that the latter stay alive 1929 * along with the process that created them. 1930 * 1931 * A signal is expected to be delivered in order to 1932 * terminate the waiting processes 1933 */ 1934 static void ovpn_waitbg(void) 1935 { 1936 daemon(1, 1); 1937 pause(); 1938 } 1939 1940 static int ovpn_run_cmd(struct ovpn_ctx *ovpn) 1941 { 1942 char peer_id[10], vpnip[INET6_ADDRSTRLEN], laddr[128], lport[10]; 1943 char raddr[128], rport[10]; 1944 int n, ret; 1945 FILE *fp; 1946 1947 switch (ovpn->cmd) { 1948 case CMD_NEW_IFACE: 1949 ret = ovpn_new_iface(ovpn); 1950 break; 1951 case CMD_DEL_IFACE: 1952 ret = ovpn_del_iface(ovpn); 1953 break; 1954 case CMD_LISTEN: 1955 ret = ovpn_listen(ovpn, ovpn->sa_family); 1956 if (ret < 0) { 1957 fprintf(stderr, "cannot listen on TCP socket\n"); 1958 return ret; 1959 } 1960 1961 fp = fopen(ovpn->peers_file, "r"); 1962 if (!fp) { 1963 fprintf(stderr, "cannot open file: %s\n", 1964 ovpn->peers_file); 1965 return -1; 1966 } 1967 1968 int num_peers = 0; 1969 1970 while ((n = fscanf(fp, "%s %s\n", peer_id, vpnip)) == 2) { 1971 struct ovpn_ctx peer_ctx = { 0 }; 1972 1973 if (num_peers == MAX_PEERS) { 1974 fprintf(stderr, "max peers reached!\n"); 1975 return -E2BIG; 1976 } 1977 1978 peer_ctx.ifindex = ovpn->ifindex; 1979 peer_ctx.sa_family = ovpn->sa_family; 1980 1981 peer_ctx.socket = ovpn_accept(ovpn); 1982 if (peer_ctx.socket < 0) { 1983 fprintf(stderr, "cannot accept connection!\n"); 1984 return -1; 1985 } 1986 1987 /* store peer sockets to test TCP I/O */ 1988 ovpn->cli_sockets[num_peers] = peer_ctx.socket; 1989 1990 ret = ovpn_parse_new_peer(&peer_ctx, peer_id, NULL, 1991 NULL, vpnip); 1992 if (ret < 0) { 1993 fprintf(stderr, "error while parsing line\n"); 1994 return -1; 1995 } 1996 1997 ret = ovpn_new_peer(&peer_ctx, true); 1998 if (ret < 0) { 1999 fprintf(stderr, 2000 "cannot add peer to VPN: %s %s\n", 2001 peer_id, vpnip); 2002 return ret; 2003 } 2004 num_peers++; 2005 } 2006 2007 for (int i = 0; i < num_peers; i++) { 2008 ret = ovpn_recv_tcp_data(ovpn->cli_sockets[i]); 2009 if (ret < 0) 2010 break; 2011 } 2012 ovpn_waitbg(); 2013 break; 2014 case CMD_CONNECT: 2015 ret = ovpn_connect(ovpn); 2016 if (ret < 0) { 2017 fprintf(stderr, "cannot connect TCP socket\n"); 2018 return ret; 2019 } 2020 2021 ret = ovpn_new_peer(ovpn, true); 2022 if (ret < 0) { 2023 fprintf(stderr, "cannot add peer to VPN\n"); 2024 close(ovpn->socket); 2025 return ret; 2026 } 2027 2028 if (ovpn->cipher != OVPN_CIPHER_ALG_NONE) { 2029 ret = ovpn_new_key(ovpn); 2030 if (ret < 0) { 2031 fprintf(stderr, "cannot set key\n"); 2032 return ret; 2033 } 2034 } 2035 2036 ret = ovpn_send_tcp_data(ovpn->socket); 2037 ovpn_waitbg(); 2038 break; 2039 case CMD_NEW_PEER: 2040 ret = ovpn_udp_socket(ovpn, AF_INET6); 2041 if (ret < 0) 2042 return ret; 2043 2044 ret = ovpn_new_peer(ovpn, false); 2045 ovpn_waitbg(); 2046 break; 2047 case CMD_NEW_MULTI_PEER: 2048 ret = ovpn_udp_socket(ovpn, AF_INET6); 2049 if (ret < 0) 2050 return ret; 2051 2052 fp = fopen(ovpn->peers_file, "r"); 2053 if (!fp) { 2054 fprintf(stderr, "cannot open file: %s\n", 2055 ovpn->peers_file); 2056 return -1; 2057 } 2058 2059 while ((n = fscanf(fp, "%s %s %s %s %s %s\n", peer_id, laddr, 2060 lport, raddr, rport, vpnip)) == 6) { 2061 struct ovpn_ctx peer_ctx = { 0 }; 2062 2063 peer_ctx.ifindex = ovpn->ifindex; 2064 peer_ctx.socket = ovpn->socket; 2065 peer_ctx.sa_family = AF_UNSPEC; 2066 2067 ret = ovpn_parse_new_peer(&peer_ctx, peer_id, raddr, 2068 rport, vpnip); 2069 if (ret < 0) { 2070 fprintf(stderr, "error while parsing line\n"); 2071 return -1; 2072 } 2073 2074 ret = ovpn_new_peer(&peer_ctx, false); 2075 if (ret < 0) { 2076 fprintf(stderr, 2077 "cannot add peer to VPN: %s %s %s %s\n", 2078 peer_id, raddr, rport, vpnip); 2079 return ret; 2080 } 2081 } 2082 ovpn_waitbg(); 2083 break; 2084 case CMD_SET_PEER: 2085 ret = ovpn_set_peer(ovpn); 2086 break; 2087 case CMD_DEL_PEER: 2088 ret = ovpn_del_peer(ovpn); 2089 break; 2090 case CMD_GET_PEER: 2091 if (ovpn->peer_id == PEER_ID_UNDEF) 2092 fprintf(stderr, "List of peers connected to: %s\n", 2093 ovpn->ifname); 2094 2095 ret = ovpn_get_peer(ovpn); 2096 break; 2097 case CMD_NEW_KEY: 2098 ret = ovpn_new_key(ovpn); 2099 break; 2100 case CMD_DEL_KEY: 2101 ret = ovpn_del_key(ovpn); 2102 break; 2103 case CMD_GET_KEY: 2104 ret = ovpn_get_key(ovpn); 2105 break; 2106 case CMD_SWAP_KEYS: 2107 ret = ovpn_swap_keys(ovpn); 2108 break; 2109 case CMD_LISTEN_MCAST: 2110 ret = ovpn_listen_mcast(); 2111 break; 2112 case CMD_INVALID: 2113 ret = -EINVAL; 2114 break; 2115 } 2116 2117 return ret; 2118 } 2119 2120 static int ovpn_parse_cmd_args(struct ovpn_ctx *ovpn, int argc, char *argv[]) 2121 { 2122 int ret; 2123 2124 /* no args required for LISTEN_MCAST */ 2125 if (ovpn->cmd == CMD_LISTEN_MCAST) 2126 return 0; 2127 2128 /* all commands need an ifname */ 2129 if (argc < 3) 2130 return -EINVAL; 2131 2132 strscpy(ovpn->ifname, argv[2], IFNAMSIZ - 1); 2133 ovpn->ifname[IFNAMSIZ - 1] = '\0'; 2134 2135 /* all commands, except NEW_IFNAME, needs an ifindex */ 2136 if (ovpn->cmd != CMD_NEW_IFACE) { 2137 ovpn->ifindex = if_nametoindex(ovpn->ifname); 2138 if (!ovpn->ifindex) { 2139 fprintf(stderr, "cannot find interface: %s\n", 2140 strerror(errno)); 2141 return -1; 2142 } 2143 } 2144 2145 switch (ovpn->cmd) { 2146 case CMD_NEW_IFACE: 2147 if (argc < 4) 2148 break; 2149 2150 if (!strcmp(argv[3], "P2P")) { 2151 ovpn->mode = OVPN_MODE_P2P; 2152 } else if (!strcmp(argv[3], "MP")) { 2153 ovpn->mode = OVPN_MODE_MP; 2154 } else { 2155 fprintf(stderr, "Cannot parse iface mode: %s\n", 2156 argv[3]); 2157 return -1; 2158 } 2159 ovpn->mode_set = true; 2160 break; 2161 case CMD_DEL_IFACE: 2162 break; 2163 case CMD_LISTEN: 2164 if (argc < 5) 2165 return -EINVAL; 2166 2167 ovpn->lport = strtoul(argv[3], NULL, 10); 2168 if (errno == ERANGE || ovpn->lport > 65535) { 2169 fprintf(stderr, "lport value out of range\n"); 2170 return -1; 2171 } 2172 2173 ovpn->peers_file = argv[4]; 2174 2175 ovpn->sa_family = AF_INET; 2176 if (argc > 5 && !strcmp(argv[5], "ipv6")) 2177 ovpn->sa_family = AF_INET6; 2178 break; 2179 case CMD_CONNECT: 2180 if (argc < 6) 2181 return -EINVAL; 2182 2183 ovpn->sa_family = AF_INET; 2184 2185 ret = ovpn_parse_new_peer(ovpn, argv[3], argv[4], argv[5], 2186 NULL); 2187 if (ret < 0) { 2188 fprintf(stderr, "Cannot parse remote peer data\n"); 2189 return -1; 2190 } 2191 2192 if (argc > 6) { 2193 ovpn->key_slot = OVPN_KEY_SLOT_PRIMARY; 2194 ovpn->key_id = 0; 2195 ovpn->cipher = OVPN_CIPHER_ALG_AES_GCM; 2196 ovpn->key_dir = KEY_DIR_OUT; 2197 2198 ret = ovpn_parse_key(argv[6], ovpn); 2199 if (ret) 2200 return -1; 2201 } 2202 break; 2203 case CMD_NEW_PEER: 2204 if (argc < 7) 2205 return -EINVAL; 2206 2207 ovpn->lport = strtoul(argv[4], NULL, 10); 2208 if (errno == ERANGE || ovpn->lport > 65535) { 2209 fprintf(stderr, "lport value out of range\n"); 2210 return -1; 2211 } 2212 2213 const char *vpnip = (argc > 7) ? argv[7] : NULL; 2214 2215 ret = ovpn_parse_new_peer(ovpn, argv[3], argv[5], argv[6], 2216 vpnip); 2217 if (ret < 0) 2218 return -1; 2219 break; 2220 case CMD_NEW_MULTI_PEER: 2221 if (argc < 5) 2222 return -EINVAL; 2223 2224 ovpn->lport = strtoul(argv[3], NULL, 10); 2225 if (errno == ERANGE || ovpn->lport > 65535) { 2226 fprintf(stderr, "lport value out of range\n"); 2227 return -1; 2228 } 2229 2230 ovpn->peers_file = argv[4]; 2231 break; 2232 case CMD_SET_PEER: 2233 if (argc < 6) 2234 return -EINVAL; 2235 2236 ovpn->peer_id = strtoul(argv[3], NULL, 10); 2237 if (errno == ERANGE || ovpn->peer_id > PEER_ID_UNDEF) { 2238 fprintf(stderr, "peer ID value out of range\n"); 2239 return -1; 2240 } 2241 2242 ovpn->keepalive_interval = strtoul(argv[4], NULL, 10); 2243 if (errno == ERANGE) { 2244 fprintf(stderr, 2245 "keepalive interval value out of range\n"); 2246 return -1; 2247 } 2248 2249 ovpn->keepalive_timeout = strtoul(argv[5], NULL, 10); 2250 if (errno == ERANGE) { 2251 fprintf(stderr, 2252 "keepalive interval value out of range\n"); 2253 return -1; 2254 } 2255 break; 2256 case CMD_DEL_PEER: 2257 if (argc < 4) 2258 return -EINVAL; 2259 2260 ovpn->peer_id = strtoul(argv[3], NULL, 10); 2261 if (errno == ERANGE || ovpn->peer_id > PEER_ID_UNDEF) { 2262 fprintf(stderr, "peer ID value out of range\n"); 2263 return -1; 2264 } 2265 break; 2266 case CMD_GET_PEER: 2267 ovpn->peer_id = PEER_ID_UNDEF; 2268 if (argc > 3) { 2269 ovpn->peer_id = strtoul(argv[3], NULL, 10); 2270 if (errno == ERANGE || ovpn->peer_id > PEER_ID_UNDEF) { 2271 fprintf(stderr, "peer ID value out of range\n"); 2272 return -1; 2273 } 2274 } 2275 break; 2276 case CMD_NEW_KEY: 2277 if (argc < 9) 2278 return -EINVAL; 2279 2280 ovpn->peer_id = strtoul(argv[3], NULL, 10); 2281 if (errno == ERANGE) { 2282 fprintf(stderr, "peer ID value out of range\n"); 2283 return -1; 2284 } 2285 2286 ret = ovpn_parse_key_slot(argv[4], ovpn); 2287 if (ret) 2288 return -1; 2289 2290 ovpn->key_id = strtoul(argv[5], NULL, 10); 2291 if (errno == ERANGE || ovpn->key_id > 2) { 2292 fprintf(stderr, "key ID out of range\n"); 2293 return -1; 2294 } 2295 2296 ret = ovpn_parse_cipher(argv[6], ovpn); 2297 if (ret < 0) 2298 return -1; 2299 2300 ret = ovpn_parse_key_direction(argv[7], ovpn); 2301 if (ret < 0) 2302 return -1; 2303 2304 ret = ovpn_parse_key(argv[8], ovpn); 2305 if (ret) 2306 return -1; 2307 break; 2308 case CMD_DEL_KEY: 2309 if (argc < 4) 2310 return -EINVAL; 2311 2312 ovpn->peer_id = strtoul(argv[3], NULL, 10); 2313 if (errno == ERANGE) { 2314 fprintf(stderr, "peer ID value out of range\n"); 2315 return -1; 2316 } 2317 2318 ret = ovpn_parse_key_slot(argv[4], ovpn); 2319 if (ret) 2320 return ret; 2321 break; 2322 case CMD_GET_KEY: 2323 if (argc < 5) 2324 return -EINVAL; 2325 2326 ovpn->peer_id = strtoul(argv[3], NULL, 10); 2327 if (errno == ERANGE) { 2328 fprintf(stderr, "peer ID value out of range\n"); 2329 return -1; 2330 } 2331 2332 ret = ovpn_parse_key_slot(argv[4], ovpn); 2333 if (ret) 2334 return ret; 2335 break; 2336 case CMD_SWAP_KEYS: 2337 if (argc < 4) 2338 return -EINVAL; 2339 2340 ovpn->peer_id = strtoul(argv[3], NULL, 10); 2341 if (errno == ERANGE) { 2342 fprintf(stderr, "peer ID value out of range\n"); 2343 return -1; 2344 } 2345 break; 2346 case CMD_LISTEN_MCAST: 2347 break; 2348 case CMD_INVALID: 2349 break; 2350 } 2351 2352 return 0; 2353 } 2354 2355 int main(int argc, char *argv[]) 2356 { 2357 struct ovpn_ctx ovpn; 2358 int ret; 2359 2360 if (argc < 2) { 2361 usage(argv[0]); 2362 return -1; 2363 } 2364 2365 memset(&ovpn, 0, sizeof(ovpn)); 2366 ovpn.sa_family = AF_UNSPEC; 2367 ovpn.cipher = OVPN_CIPHER_ALG_NONE; 2368 2369 ovpn.cmd = ovpn_parse_cmd(argv[1]); 2370 if (ovpn.cmd == CMD_INVALID) { 2371 fprintf(stderr, "Error: unknown command.\n\n"); 2372 usage(argv[0]); 2373 return -1; 2374 } 2375 2376 ret = ovpn_parse_cmd_args(&ovpn, argc, argv); 2377 if (ret < 0) { 2378 fprintf(stderr, "Error: invalid arguments.\n\n"); 2379 if (ret == -EINVAL) 2380 usage(argv[0]); 2381 return ret; 2382 } 2383 2384 ret = ovpn_run_cmd(&ovpn); 2385 if (ret) 2386 fprintf(stderr, "Cannot execute command: %s (%d)\n", 2387 strerror(-ret), ret); 2388 2389 return ret; 2390 } 2391