Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

Merge branch 'introducing-openvpn-data-channel-offload'

Antonio Quartulli says:

====================
Introducing OpenVPN Data Channel Offload

Notable changes since v25:
* removed netdev notifier (was only used for our own devices)
* added .dellink implementation to address what was previously done in notifier
* removed .ndo_open and moved netif_carrier_off() call to .ndo_init
* fixed author in MODULE_AUTHOR()
* properly indented checks in ovpn.yaml
* switched from TSTATS to DSTATS
* removed obsolete comment in ovpn_socket_new()
* removed unrelated hunk in ovpn_socket_new()

The latest code can also be found at:

https://github.com/OpenVPN/ovpn-net-next

Reviewed-by: Sabrina Dubroca <sd@queasysnail.net>
Tested-by: Oleksandr Natalenko <oleksandr@natalenko.name>
====================

Link: https://patch.msgid.link/20250415-b4-ovpn-v26-0-577f6097b964@openvpn.net
Signed-off-by: Paolo Abeni <pabeni@redhat.com>

+9940 -5
+367
Documentation/netlink/specs/ovpn.yaml
··· 1 + # SPDX-License-Identifier: ((GPL-2.0 WITH Linux-syscall-note) OR BSD-3-Clause) 2 + # 3 + # Author: Antonio Quartulli <antonio@openvpn.net> 4 + # 5 + # Copyright (c) 2024-2025, OpenVPN Inc. 6 + # 7 + 8 + name: ovpn 9 + 10 + protocol: genetlink 11 + 12 + doc: Netlink protocol to control OpenVPN network devices 13 + 14 + definitions: 15 + - 16 + type: const 17 + name: nonce-tail-size 18 + value: 8 19 + - 20 + type: enum 21 + name: cipher-alg 22 + entries: [ none, aes-gcm, chacha20-poly1305 ] 23 + - 24 + type: enum 25 + name: del-peer-reason 26 + entries: 27 + - teardown 28 + - userspace 29 + - expired 30 + - transport-error 31 + - transport-disconnect 32 + - 33 + type: enum 34 + name: key-slot 35 + entries: [ primary, secondary ] 36 + 37 + attribute-sets: 38 + - 39 + name: peer 40 + attributes: 41 + - 42 + name: id 43 + type: u32 44 + doc: >- 45 + The unique ID of the peer in the device context. To be used to identify 46 + peers during operations for a specific device 47 + checks: 48 + max: 0xFFFFFF 49 + - 50 + name: remote-ipv4 51 + type: u32 52 + doc: The remote IPv4 address of the peer 53 + byte-order: big-endian 54 + display-hint: ipv4 55 + - 56 + name: remote-ipv6 57 + type: binary 58 + doc: The remote IPv6 address of the peer 59 + display-hint: ipv6 60 + checks: 61 + exact-len: 16 62 + - 63 + name: remote-ipv6-scope-id 64 + type: u32 65 + doc: The scope id of the remote IPv6 address of the peer (RFC2553) 66 + - 67 + name: remote-port 68 + type: u16 69 + doc: The remote port of the peer 70 + byte-order: big-endian 71 + checks: 72 + min: 1 73 + - 74 + name: socket 75 + type: u32 76 + doc: The socket to be used to communicate with the peer 77 + - 78 + name: socket-netnsid 79 + type: s32 80 + doc: The ID of the netns the socket assigned to this peer lives in 81 + - 82 + name: vpn-ipv4 83 + type: u32 84 + doc: The IPv4 address assigned to the peer by the server 85 + byte-order: big-endian 86 + display-hint: ipv4 87 + - 88 + name: vpn-ipv6 89 + type: binary 90 
+ doc: The IPv6 address assigned to the peer by the server 91 + display-hint: ipv6 92 + checks: 93 + exact-len: 16 94 + - 95 + name: local-ipv4 96 + type: u32 97 + doc: The local IPv4 to be used to send packets to the peer (UDP only) 98 + byte-order: big-endian 99 + display-hint: ipv4 100 + - 101 + name: local-ipv6 102 + type: binary 103 + doc: The local IPv6 to be used to send packets to the peer (UDP only) 104 + display-hint: ipv6 105 + checks: 106 + exact-len: 16 107 + - 108 + name: local-port 109 + type: u16 110 + doc: The local port to be used to send packets to the peer (UDP only) 111 + byte-order: big-endian 112 + checks: 113 + min: 1 114 + - 115 + name: keepalive-interval 116 + type: u32 117 + doc: >- 118 + The number of seconds after which a keep alive message is sent to the 119 + peer 120 + - 121 + name: keepalive-timeout 122 + type: u32 123 + doc: >- 124 + The number of seconds from the last activity after which the peer is 125 + assumed dead 126 + - 127 + name: del-reason 128 + type: u32 129 + doc: The reason why a peer was deleted 130 + enum: del-peer-reason 131 + - 132 + name: vpn-rx-bytes 133 + type: uint 134 + doc: Number of bytes received over the tunnel 135 + - 136 + name: vpn-tx-bytes 137 + type: uint 138 + doc: Number of bytes transmitted over the tunnel 139 + - 140 + name: vpn-rx-packets 141 + type: uint 142 + doc: Number of packets received over the tunnel 143 + - 144 + name: vpn-tx-packets 145 + type: uint 146 + doc: Number of packets transmitted over the tunnel 147 + - 148 + name: link-rx-bytes 149 + type: uint 150 + doc: Number of bytes received at the transport level 151 + - 152 + name: link-tx-bytes 153 + type: uint 154 + doc: Number of bytes transmitted at the transport level 155 + - 156 + name: link-rx-packets 157 + type: uint 158 + doc: Number of packets received at the transport level 159 + - 160 + name: link-tx-packets 161 + type: uint 162 + doc: Number of packets transmitted at the transport level 163 + - 164 + name: keyconf 165 + 
attributes: 166 + - 167 + name: peer-id 168 + type: u32 169 + doc: >- 170 + The unique ID of the peer in the device context. To be used to 171 + identify peers during key operations 172 + checks: 173 + max: 0xFFFFFF 174 + - 175 + name: slot 176 + type: u32 177 + doc: The slot where the key should be stored 178 + enum: key-slot 179 + - 180 + name: key-id 181 + doc: >- 182 + The unique ID of the key in the peer context. Used to fetch the 183 + correct key upon decryption 184 + type: u32 185 + checks: 186 + max: 7 187 + - 188 + name: cipher-alg 189 + type: u32 190 + doc: The cipher to be used when communicating with the peer 191 + enum: cipher-alg 192 + - 193 + name: encrypt-dir 194 + type: nest 195 + doc: Key material for encrypt direction 196 + nested-attributes: keydir 197 + - 198 + name: decrypt-dir 199 + type: nest 200 + doc: Key material for decrypt direction 201 + nested-attributes: keydir 202 + - 203 + name: keydir 204 + attributes: 205 + - 206 + name: cipher-key 207 + type: binary 208 + doc: The actual key to be used by the cipher 209 + checks: 210 + max-len: 256 211 + - 212 + name: nonce-tail 213 + type: binary 214 + doc: >- 215 + Random nonce to be concatenated to the packet ID, in order to 216 + obtain the actual cipher IV 217 + checks: 218 + exact-len: nonce-tail-size 219 + - 220 + name: ovpn 221 + attributes: 222 + - 223 + name: ifindex 224 + type: u32 225 + doc: Index of the ovpn interface to operate on 226 + - 227 + name: peer 228 + type: nest 229 + doc: >- 230 + The peer object containing the attributed of interest for the specific 231 + operation 232 + nested-attributes: peer 233 + - 234 + name: keyconf 235 + type: nest 236 + doc: Peer specific cipher configuration 237 + nested-attributes: keyconf 238 + 239 + operations: 240 + list: 241 + - 242 + name: peer-new 243 + attribute-set: ovpn 244 + flags: [ admin-perm ] 245 + doc: Add a remote peer 246 + do: 247 + pre: ovpn-nl-pre-doit 248 + post: ovpn-nl-post-doit 249 + request: 250 + attributes: 251 + - 
ifindex 252 + - peer 253 + - 254 + name: peer-set 255 + attribute-set: ovpn 256 + flags: [ admin-perm ] 257 + doc: modify a remote peer 258 + do: 259 + pre: ovpn-nl-pre-doit 260 + post: ovpn-nl-post-doit 261 + request: 262 + attributes: 263 + - ifindex 264 + - peer 265 + - 266 + name: peer-get 267 + attribute-set: ovpn 268 + flags: [ admin-perm ] 269 + doc: Retrieve data about existing remote peers (or a specific one) 270 + do: 271 + pre: ovpn-nl-pre-doit 272 + post: ovpn-nl-post-doit 273 + request: 274 + attributes: 275 + - ifindex 276 + - peer 277 + reply: 278 + attributes: 279 + - peer 280 + dump: 281 + request: 282 + attributes: 283 + - ifindex 284 + reply: 285 + attributes: 286 + - peer 287 + - 288 + name: peer-del 289 + attribute-set: ovpn 290 + flags: [ admin-perm ] 291 + doc: Delete existing remote peer 292 + do: 293 + pre: ovpn-nl-pre-doit 294 + post: ovpn-nl-post-doit 295 + request: 296 + attributes: 297 + - ifindex 298 + - peer 299 + - 300 + name: peer-del-ntf 301 + doc: Notification about a peer being deleted 302 + notify: peer-get 303 + mcgrp: peers 304 + 305 + - 306 + name: key-new 307 + attribute-set: ovpn 308 + flags: [ admin-perm ] 309 + doc: Add a cipher key for a specific peer 310 + do: 311 + pre: ovpn-nl-pre-doit 312 + post: ovpn-nl-post-doit 313 + request: 314 + attributes: 315 + - ifindex 316 + - keyconf 317 + - 318 + name: key-get 319 + attribute-set: ovpn 320 + flags: [ admin-perm ] 321 + doc: Retrieve non-sensitive data about peer key and cipher 322 + do: 323 + pre: ovpn-nl-pre-doit 324 + post: ovpn-nl-post-doit 325 + request: 326 + attributes: 327 + - ifindex 328 + - keyconf 329 + reply: 330 + attributes: 331 + - keyconf 332 + - 333 + name: key-swap 334 + attribute-set: ovpn 335 + flags: [ admin-perm ] 336 + doc: Swap primary and secondary session keys for a specific peer 337 + do: 338 + pre: ovpn-nl-pre-doit 339 + post: ovpn-nl-post-doit 340 + request: 341 + attributes: 342 + - ifindex 343 + - keyconf 344 + - 345 + name: key-swap-ntf 346 
+ notify: key-get 347 + doc: >- 348 + Notification about key having exhausted its IV space and requiring 349 + renegotiation 350 + mcgrp: peers 351 + - 352 + name: key-del 353 + attribute-set: ovpn 354 + flags: [ admin-perm ] 355 + doc: Delete cipher key for a specific peer 356 + do: 357 + pre: ovpn-nl-pre-doit 358 + post: ovpn-nl-post-doit 359 + request: 360 + attributes: 361 + - ifindex 362 + - keyconf 363 + 364 + mcast-groups: 365 + list: 366 + - 367 + name: peers
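Review bot: the keyconf doc strings leave the accepted key sizes unstated; `cipher-key` is bounded only by `max-len: 256`, and nothing in the spec ties the length to the selected `cipher-alg`, so the visible enforcement is crypto_aead_setkey() failing inside the driver at key-new time. Suggest adding to the `cipher-key` doc which lengths each `cipher-alg` accepts, and likewise noting on `keepalive-timeout` that it is meant to exceed `keepalive-interval`, since no check in the spec expresses that relation either.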
+16
Documentation/netlink/specs/rt-link.yaml
··· 938 938 entries: 939 939 - name: none 940 940 - name: default 941 + - 942 + name: ovpn-mode 943 + type: enum 944 + entries: 945 + - p2p 946 + - mp 941 947 942 948 attribute-sets: 943 949 - ··· 2278 2272 - 2279 2273 name: tailroom 2280 2274 type: u16 2275 + - 2276 + name: linkinfo-ovpn-attrs 2277 + attributes: 2278 + - 2279 + name: mode 2280 + type: u8 2281 + enum: ovpn-mode 2281 2282 2282 2283 sub-messages: 2283 2284 - ··· 2335 2322 - 2336 2323 value: netkit 2337 2324 attribute-set: linkinfo-netkit-attrs 2325 + - 2326 + value: ovpn 2327 + attribute-set: linkinfo-ovpn-attrs 2338 2328 - 2339 2329 name: linkinfo-member-data-msg 2340 2330 formats:
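Review bot: the new `ovpn-mode` enum entries `p2p` and `mp` and the `mode` attribute in `linkinfo-ovpn-attrs` carry no doc strings, unlike every attribute in ovpn.yaml; a one-line description of each mode would let userspace authors choose the right value from the spec alone.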
+11
MAINTAINERS
··· 18125 18125 F: drivers/irqchip/irq-ompic.c 18126 18126 F: drivers/irqchip/irq-or1k-* 18127 18127 18128 + OPENVPN DATA CHANNEL OFFLOAD 18129 + M: Antonio Quartulli <antonio@openvpn.net> 18130 + L: openvpn-devel@lists.sourceforge.net (subscribers-only) 18131 + L: netdev@vger.kernel.org 18132 + S: Supported 18133 + T: git https://github.com/OpenVPN/linux-kernel-ovpn.git 18134 + F: Documentation/netlink/specs/ovpn.yaml 18135 + F: drivers/net/ovpn/ 18136 + F: include/uapi/linux/ovpn.h 18137 + F: tools/testing/selftests/net/ovpn/ 18138 + 18128 18139 OPENVSWITCH 18129 18140 M: Aaron Conole <aconole@redhat.com> 18130 18141 M: Eelco Chaudron <echaudro@redhat.com>
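Review bot: the `T:` entry points at https://github.com/OpenVPN/linux-kernel-ovpn.git, while the cover letter says the latest code lives at https://github.com/OpenVPN/ovpn-net-next; please make the two agree so that contributors base patches on the tree that is actually being maintained.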
+15
drivers/net/Kconfig
··· 115 115 116 116 Say N here unless you know what you're doing. 117 117 118 + config OVPN 119 + tristate "OpenVPN data channel offload" 120 + depends on NET && INET 121 + depends on IPV6 || !IPV6 122 + select DST_CACHE 123 + select NET_UDP_TUNNEL 124 + select CRYPTO 125 + select CRYPTO_AES 126 + select CRYPTO_GCM 127 + select CRYPTO_CHACHA20POLY1305 128 + select STREAM_PARSER 129 + help 130 + This module enhances the performance of the OpenVPN userspace software 131 + by offloading the data channel processing to kernelspace. 132 + 118 133 config EQUALIZER 119 134 tristate "EQL (serial line load balancing) support" 120 135 help
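Review bot: the help text stops at one sentence; kernel convention is to also say how the driver is built as a module ("To compile this driver as a module, choose M here: the module will be called ovpn") and, since the device is configured purely over generic netlink, that an OpenVPN userspace aware of this offload is needed to make use of it. `depends on IPV6 || !IPV6` is the right idiom to keep OVPN=y from being paired with IPV6=m.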
+1
drivers/net/Makefile
··· 11 11 obj-$(CONFIG_IPVTAP) += ipvlan/ 12 12 obj-$(CONFIG_DUMMY) += dummy.o 13 13 obj-$(CONFIG_WIREGUARD) += wireguard/ 14 + obj-$(CONFIG_OVPN) += ovpn/ 14 15 obj-$(CONFIG_EQUALIZER) += eql.o 15 16 obj-$(CONFIG_IFB) += ifb.o 16 17 obj-$(CONFIG_MACSEC) += macsec.o
+22
drivers/net/ovpn/Makefile
··· 1 + # SPDX-License-Identifier: GPL-2.0 2 + # 3 + # ovpn -- OpenVPN data channel offload in kernel space 4 + # 5 + # Copyright (C) 2020-2025 OpenVPN, Inc. 6 + # 7 + # Author: Antonio Quartulli <antonio@openvpn.net> 8 + 9 + obj-$(CONFIG_OVPN) := ovpn.o 10 + ovpn-y += bind.o 11 + ovpn-y += crypto.o 12 + ovpn-y += crypto_aead.o 13 + ovpn-y += main.o 14 + ovpn-y += io.o 15 + ovpn-y += netlink.o 16 + ovpn-y += netlink-gen.o 17 + ovpn-y += peer.o 18 + ovpn-y += pktid.o 19 + ovpn-y += socket.o 20 + ovpn-y += stats.o 21 + ovpn-y += tcp.o 22 + ovpn-y += udp.o
+55
drivers/net/ovpn/bind.c
··· 1 + // SPDX-License-Identifier: GPL-2.0 2 + /* OpenVPN data channel offload 3 + * 4 + * Copyright (C) 2012-2025 OpenVPN, Inc. 5 + * 6 + * Author: James Yonan <james@openvpn.net> 7 + * Antonio Quartulli <antonio@openvpn.net> 8 + */ 9 + 10 + #include <linux/netdevice.h> 11 + #include <linux/socket.h> 12 + 13 + #include "ovpnpriv.h" 14 + #include "bind.h" 15 + #include "peer.h" 16 + 17 + /** 18 + * ovpn_bind_from_sockaddr - retrieve binding matching sockaddr 19 + * @ss: the sockaddr to match 20 + * 21 + * Return: the bind matching the passed sockaddr if found, NULL otherwise 22 + */ 23 + struct ovpn_bind *ovpn_bind_from_sockaddr(const struct sockaddr_storage *ss) 24 + { 25 + struct ovpn_bind *bind; 26 + size_t sa_len; 27 + 28 + if (ss->ss_family == AF_INET) 29 + sa_len = sizeof(struct sockaddr_in); 30 + else if (ss->ss_family == AF_INET6) 31 + sa_len = sizeof(struct sockaddr_in6); 32 + else 33 + return ERR_PTR(-EAFNOSUPPORT); 34 + 35 + bind = kzalloc(sizeof(*bind), GFP_ATOMIC); 36 + if (unlikely(!bind)) 37 + return ERR_PTR(-ENOMEM); 38 + 39 + memcpy(&bind->remote, ss, sa_len); 40 + 41 + return bind; 42 + } 43 + 44 + /** 45 + * ovpn_bind_reset - assign new binding to peer 46 + * @peer: the peer whose binding has to be replaced 47 + * @new: the new bind to assign 48 + */ 49 + void ovpn_bind_reset(struct ovpn_peer *peer, struct ovpn_bind *new) 50 + { 51 + lockdep_assert_held(&peer->lock); 52 + 53 + kfree_rcu(rcu_replace_pointer(peer->bind, new, 54 + lockdep_is_held(&peer->lock)), rcu); 55 + }
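Review bot: the kerneldoc on ovpn_bind_from_sockaddr() does not match the code: it says "retrieve binding matching sockaddr" and "Return: the bind matching the passed sockaddr if found, NULL otherwise", but the function allocates a fresh struct ovpn_bind and returns ERR_PTR(-EAFNOSUPPORT) or ERR_PTR(-ENOMEM) on failure, never NULL. A caller that tests for NULL will go on to dereference an error pointer, so please reword the summary to "allocate a new binding from a sockaddr" and document the ERR_PTR return values.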
+101
drivers/net/ovpn/bind.h
··· 1 + /* SPDX-License-Identifier: GPL-2.0-only */ 2 + /* OpenVPN data channel offload 3 + * 4 + * Copyright (C) 2012-2025 OpenVPN, Inc. 5 + * 6 + * Author: James Yonan <james@openvpn.net> 7 + * Antonio Quartulli <antonio@openvpn.net> 8 + */ 9 + 10 + #ifndef _NET_OVPN_OVPNBIND_H_ 11 + #define _NET_OVPN_OVPNBIND_H_ 12 + 13 + #include <net/ip.h> 14 + #include <linux/in.h> 15 + #include <linux/in6.h> 16 + #include <linux/rcupdate.h> 17 + #include <linux/skbuff.h> 18 + #include <linux/spinlock.h> 19 + 20 + struct ovpn_peer; 21 + 22 + /** 23 + * union ovpn_sockaddr - basic transport layer address 24 + * @in4: IPv4 address 25 + * @in6: IPv6 address 26 + */ 27 + union ovpn_sockaddr { 28 + struct sockaddr_in in4; 29 + struct sockaddr_in6 in6; 30 + }; 31 + 32 + /** 33 + * struct ovpn_bind - remote peer binding 34 + * @remote: the remote peer sockaddress 35 + * @local: local endpoint used to talk to the peer 36 + * @local.ipv4: local IPv4 used to talk to the peer 37 + * @local.ipv6: local IPv6 used to talk to the peer 38 + * @rcu: used to schedule RCU cleanup job 39 + */ 40 + struct ovpn_bind { 41 + union ovpn_sockaddr remote; /* remote sockaddr */ 42 + 43 + union { 44 + struct in_addr ipv4; 45 + struct in6_addr ipv6; 46 + } local; 47 + 48 + struct rcu_head rcu; 49 + }; 50 + 51 + /** 52 + * ovpn_bind_skb_src_match - match packet source with binding 53 + * @bind: the binding to match 54 + * @skb: the packet to match 55 + * 56 + * Return: true if the packet source matches the remote peer sockaddr 57 + * in the binding 58 + */ 59 + static inline bool ovpn_bind_skb_src_match(const struct ovpn_bind *bind, 60 + const struct sk_buff *skb) 61 + { 62 + const union ovpn_sockaddr *remote; 63 + 64 + if (unlikely(!bind)) 65 + return false; 66 + 67 + remote = &bind->remote; 68 + 69 + switch (skb->protocol) { 70 + case htons(ETH_P_IP): 71 + if (unlikely(remote->in4.sin_family != AF_INET)) 72 + return false; 73 + 74 + if (unlikely(remote->in4.sin_addr.s_addr != ip_hdr(skb)->saddr)) 75 + 
return false; 76 + 77 + if (unlikely(remote->in4.sin_port != udp_hdr(skb)->source)) 78 + return false; 79 + break; 80 + case htons(ETH_P_IPV6): 81 + if (unlikely(remote->in6.sin6_family != AF_INET6)) 82 + return false; 83 + 84 + if (unlikely(!ipv6_addr_equal(&remote->in6.sin6_addr, 85 + &ipv6_hdr(skb)->saddr))) 86 + return false; 87 + 88 + if (unlikely(remote->in6.sin6_port != udp_hdr(skb)->source)) 89 + return false; 90 + break; 91 + default: 92 + return false; 93 + } 94 + 95 + return true; 96 + } 97 + 98 + struct ovpn_bind *ovpn_bind_from_sockaddr(const struct sockaddr_storage *sa); 99 + void ovpn_bind_reset(struct ovpn_peer *peer, struct ovpn_bind *bind); 100 + 101 + #endif /* _NET_OVPN_OVPNBIND_H_ */
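Review bot: ovpn_bind_skb_src_match() reads udp_hdr(skb)->source unconditionally, so it is only valid for UDP-encapsulated packets, yet the kerneldoc does not say so and the Makefile shows a tcp.o transport as well; please state the UDP-only precondition (the spec already marks the local-* attributes "UDP only"). Two smaller points: the header uses ipv6_hdr() and udp_hdr() but includes only net/ip.h, leaning on transitive includes for linux/ipv6.h and linux/udp.h, and the prototype names its parameter `sa` while the definition in bind.c names it `ss`.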
+210
drivers/net/ovpn/crypto.c
··· 1 + // SPDX-License-Identifier: GPL-2.0 2 + /* OpenVPN data channel offload 3 + * 4 + * Copyright (C) 2020-2025 OpenVPN, Inc. 5 + * 6 + * Author: James Yonan <james@openvpn.net> 7 + * Antonio Quartulli <antonio@openvpn.net> 8 + */ 9 + 10 + #include <linux/types.h> 11 + #include <linux/net.h> 12 + #include <linux/netdevice.h> 13 + #include <uapi/linux/ovpn.h> 14 + 15 + #include "ovpnpriv.h" 16 + #include "main.h" 17 + #include "pktid.h" 18 + #include "crypto_aead.h" 19 + #include "crypto.h" 20 + 21 + static void ovpn_ks_destroy_rcu(struct rcu_head *head) 22 + { 23 + struct ovpn_crypto_key_slot *ks; 24 + 25 + ks = container_of(head, struct ovpn_crypto_key_slot, rcu); 26 + ovpn_aead_crypto_key_slot_destroy(ks); 27 + } 28 + 29 + void ovpn_crypto_key_slot_release(struct kref *kref) 30 + { 31 + struct ovpn_crypto_key_slot *ks; 32 + 33 + ks = container_of(kref, struct ovpn_crypto_key_slot, refcount); 34 + call_rcu(&ks->rcu, ovpn_ks_destroy_rcu); 35 + } 36 + 37 + /* can only be invoked when all peer references have been dropped (i.e. 
RCU 38 + * release routine) 39 + */ 40 + void ovpn_crypto_state_release(struct ovpn_crypto_state *cs) 41 + { 42 + struct ovpn_crypto_key_slot *ks; 43 + 44 + ks = rcu_access_pointer(cs->slots[0]); 45 + if (ks) { 46 + RCU_INIT_POINTER(cs->slots[0], NULL); 47 + ovpn_crypto_key_slot_put(ks); 48 + } 49 + 50 + ks = rcu_access_pointer(cs->slots[1]); 51 + if (ks) { 52 + RCU_INIT_POINTER(cs->slots[1], NULL); 53 + ovpn_crypto_key_slot_put(ks); 54 + } 55 + } 56 + 57 + /* removes the key matching the specified id from the crypto context */ 58 + bool ovpn_crypto_kill_key(struct ovpn_crypto_state *cs, u8 key_id) 59 + { 60 + struct ovpn_crypto_key_slot *ks = NULL; 61 + 62 + spin_lock_bh(&cs->lock); 63 + if (rcu_access_pointer(cs->slots[0])->key_id == key_id) { 64 + ks = rcu_replace_pointer(cs->slots[0], NULL, 65 + lockdep_is_held(&cs->lock)); 66 + } else if (rcu_access_pointer(cs->slots[1])->key_id == key_id) { 67 + ks = rcu_replace_pointer(cs->slots[1], NULL, 68 + lockdep_is_held(&cs->lock)); 69 + } 70 + spin_unlock_bh(&cs->lock); 71 + 72 + if (ks) 73 + ovpn_crypto_key_slot_put(ks); 74 + 75 + /* let the caller know if a key was actually killed */ 76 + return ks; 77 + } 78 + 79 + /* Reset the ovpn_crypto_state object in a way that is atomic 80 + * to RCU readers. 
81 + */ 82 + int ovpn_crypto_state_reset(struct ovpn_crypto_state *cs, 83 + const struct ovpn_peer_key_reset *pkr) 84 + { 85 + struct ovpn_crypto_key_slot *old = NULL, *new; 86 + u8 idx; 87 + 88 + if (pkr->slot != OVPN_KEY_SLOT_PRIMARY && 89 + pkr->slot != OVPN_KEY_SLOT_SECONDARY) 90 + return -EINVAL; 91 + 92 + new = ovpn_aead_crypto_key_slot_new(&pkr->key); 93 + if (IS_ERR(new)) 94 + return PTR_ERR(new); 95 + 96 + spin_lock_bh(&cs->lock); 97 + idx = cs->primary_idx; 98 + switch (pkr->slot) { 99 + case OVPN_KEY_SLOT_PRIMARY: 100 + old = rcu_replace_pointer(cs->slots[idx], new, 101 + lockdep_is_held(&cs->lock)); 102 + break; 103 + case OVPN_KEY_SLOT_SECONDARY: 104 + old = rcu_replace_pointer(cs->slots[!idx], new, 105 + lockdep_is_held(&cs->lock)); 106 + break; 107 + } 108 + spin_unlock_bh(&cs->lock); 109 + 110 + if (old) 111 + ovpn_crypto_key_slot_put(old); 112 + 113 + return 0; 114 + } 115 + 116 + void ovpn_crypto_key_slot_delete(struct ovpn_crypto_state *cs, 117 + enum ovpn_key_slot slot) 118 + { 119 + struct ovpn_crypto_key_slot *ks = NULL; 120 + u8 idx; 121 + 122 + if (slot != OVPN_KEY_SLOT_PRIMARY && 123 + slot != OVPN_KEY_SLOT_SECONDARY) { 124 + pr_warn("Invalid slot to release: %u\n", slot); 125 + return; 126 + } 127 + 128 + spin_lock_bh(&cs->lock); 129 + idx = cs->primary_idx; 130 + switch (slot) { 131 + case OVPN_KEY_SLOT_PRIMARY: 132 + ks = rcu_replace_pointer(cs->slots[idx], NULL, 133 + lockdep_is_held(&cs->lock)); 134 + break; 135 + case OVPN_KEY_SLOT_SECONDARY: 136 + ks = rcu_replace_pointer(cs->slots[!idx], NULL, 137 + lockdep_is_held(&cs->lock)); 138 + break; 139 + } 140 + spin_unlock_bh(&cs->lock); 141 + 142 + if (!ks) { 143 + pr_debug("Key slot already released: %u\n", slot); 144 + return; 145 + } 146 + 147 + pr_debug("deleting key slot %u, key_id=%u\n", slot, ks->key_id); 148 + ovpn_crypto_key_slot_put(ks); 149 + } 150 + 151 + void ovpn_crypto_key_slots_swap(struct ovpn_crypto_state *cs) 152 + { 153 + const struct ovpn_crypto_key_slot *old_primary, 
*old_secondary; 154 + u8 idx; 155 + 156 + spin_lock_bh(&cs->lock); 157 + idx = cs->primary_idx; 158 + old_primary = rcu_dereference_protected(cs->slots[idx], 159 + lockdep_is_held(&cs->lock)); 160 + old_secondary = rcu_dereference_protected(cs->slots[!idx], 161 + lockdep_is_held(&cs->lock)); 162 + /* perform real swap by switching the index of the primary key */ 163 + WRITE_ONCE(cs->primary_idx, !cs->primary_idx); 164 + 165 + pr_debug("key swapped: (old primary) %d <-> (new primary) %d\n", 166 + old_primary ? old_primary->key_id : -1, 167 + old_secondary ? old_secondary->key_id : -1); 168 + 169 + spin_unlock_bh(&cs->lock); 170 + } 171 + 172 + /** 173 + * ovpn_crypto_config_get - populate keyconf object with non-sensible key data 174 + * @cs: the crypto state to extract the key data from 175 + * @slot: the specific slot to inspect 176 + * @keyconf: the output object to populate 177 + * 178 + * Return: 0 on success or a negative error code otherwise 179 + */ 180 + int ovpn_crypto_config_get(struct ovpn_crypto_state *cs, 181 + enum ovpn_key_slot slot, 182 + struct ovpn_key_config *keyconf) 183 + { 184 + struct ovpn_crypto_key_slot *ks; 185 + int idx; 186 + 187 + switch (slot) { 188 + case OVPN_KEY_SLOT_PRIMARY: 189 + idx = cs->primary_idx; 190 + break; 191 + case OVPN_KEY_SLOT_SECONDARY: 192 + idx = !cs->primary_idx; 193 + break; 194 + default: 195 + return -EINVAL; 196 + } 197 + 198 + rcu_read_lock(); 199 + ks = rcu_dereference(cs->slots[idx]); 200 + if (!ks) { 201 + rcu_read_unlock(); 202 + return -ENOENT; 203 + } 204 + 205 + keyconf->cipher_alg = ovpn_aead_crypto_alg(ks); 206 + keyconf->key_id = ks->key_id; 207 + rcu_read_unlock(); 208 + 209 + return 0; 210 + }
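Review bot: ovpn_crypto_kill_key() dereferences `rcu_access_pointer(cs->slots[0])->key_id` (and then slots[1]) without a NULL check, yet ovpn_crypto_key_slot_delete() and ovpn_crypto_state_release() in the same file leave a slot NULL once its key is removed, so calling this with either slot empty is a NULL pointer dereference. Test each slot pointer before comparing key_id, and since cs->lock is held, fetch it with rcu_dereference_protected(..., lockdep_is_held(&cs->lock)) rather than rcu_access_pointer(), which is meant for pointer comparison, not dereferencing. Also, `return ks;` from a bool function relies on implicit pointer-to-bool conversion (`return !!ks;` reads as intended), and "non-sensible key data" in the ovpn_crypto_config_get() kerneldoc should read "non-sensitive", matching the key-get doc in ovpn.yaml.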
+145
drivers/net/ovpn/crypto.h
··· 1 + /* SPDX-License-Identifier: GPL-2.0-only */ 2 + /* OpenVPN data channel offload 3 + * 4 + * Copyright (C) 2020-2025 OpenVPN, Inc. 5 + * 6 + * Author: James Yonan <james@openvpn.net> 7 + * Antonio Quartulli <antonio@openvpn.net> 8 + */ 9 + 10 + #ifndef _NET_OVPN_OVPNCRYPTO_H_ 11 + #define _NET_OVPN_OVPNCRYPTO_H_ 12 + 13 + #include "pktid.h" 14 + #include "proto.h" 15 + 16 + /* info needed for both encrypt and decrypt directions */ 17 + struct ovpn_key_direction { 18 + const u8 *cipher_key; 19 + size_t cipher_key_size; 20 + const u8 *nonce_tail; /* only needed for GCM modes */ 21 + size_t nonce_tail_size; /* only needed for GCM modes */ 22 + }; 23 + 24 + /* all info for a particular symmetric key (primary or secondary) */ 25 + struct ovpn_key_config { 26 + enum ovpn_cipher_alg cipher_alg; 27 + u8 key_id; 28 + struct ovpn_key_direction encrypt; 29 + struct ovpn_key_direction decrypt; 30 + }; 31 + 32 + /* used to pass settings from netlink to the crypto engine */ 33 + struct ovpn_peer_key_reset { 34 + enum ovpn_key_slot slot; 35 + struct ovpn_key_config key; 36 + }; 37 + 38 + struct ovpn_crypto_key_slot { 39 + u8 key_id; 40 + 41 + struct crypto_aead *encrypt; 42 + struct crypto_aead *decrypt; 43 + u8 nonce_tail_xmit[OVPN_NONCE_TAIL_SIZE]; 44 + u8 nonce_tail_recv[OVPN_NONCE_TAIL_SIZE]; 45 + 46 + struct ovpn_pktid_recv pid_recv ____cacheline_aligned_in_smp; 47 + struct ovpn_pktid_xmit pid_xmit ____cacheline_aligned_in_smp; 48 + struct kref refcount; 49 + struct rcu_head rcu; 50 + }; 51 + 52 + struct ovpn_crypto_state { 53 + struct ovpn_crypto_key_slot __rcu *slots[2]; 54 + u8 primary_idx; 55 + 56 + /* protects primary and secondary slots */ 57 + spinlock_t lock; 58 + }; 59 + 60 + static inline bool ovpn_crypto_key_slot_hold(struct ovpn_crypto_key_slot *ks) 61 + { 62 + return kref_get_unless_zero(&ks->refcount); 63 + } 64 + 65 + static inline void ovpn_crypto_state_init(struct ovpn_crypto_state *cs) 66 + { 67 + RCU_INIT_POINTER(cs->slots[0], NULL); 68 + 
RCU_INIT_POINTER(cs->slots[1], NULL); 69 + cs->primary_idx = 0; 70 + spin_lock_init(&cs->lock); 71 + } 72 + 73 + static inline struct ovpn_crypto_key_slot * 74 + ovpn_crypto_key_id_to_slot(const struct ovpn_crypto_state *cs, u8 key_id) 75 + { 76 + struct ovpn_crypto_key_slot *ks; 77 + u8 idx; 78 + 79 + if (unlikely(!cs)) 80 + return NULL; 81 + 82 + rcu_read_lock(); 83 + idx = READ_ONCE(cs->primary_idx); 84 + ks = rcu_dereference(cs->slots[idx]); 85 + if (ks && ks->key_id == key_id) { 86 + if (unlikely(!ovpn_crypto_key_slot_hold(ks))) 87 + ks = NULL; 88 + goto out; 89 + } 90 + 91 + ks = rcu_dereference(cs->slots[!idx]); 92 + if (ks && ks->key_id == key_id) { 93 + if (unlikely(!ovpn_crypto_key_slot_hold(ks))) 94 + ks = NULL; 95 + goto out; 96 + } 97 + 98 + /* when both key slots are occupied but no matching key ID is found, ks 99 + * has to be reset to NULL to avoid carrying a stale pointer 100 + */ 101 + ks = NULL; 102 + out: 103 + rcu_read_unlock(); 104 + 105 + return ks; 106 + } 107 + 108 + static inline struct ovpn_crypto_key_slot * 109 + ovpn_crypto_key_slot_primary(const struct ovpn_crypto_state *cs) 110 + { 111 + struct ovpn_crypto_key_slot *ks; 112 + 113 + rcu_read_lock(); 114 + ks = rcu_dereference(cs->slots[cs->primary_idx]); 115 + if (unlikely(ks && !ovpn_crypto_key_slot_hold(ks))) 116 + ks = NULL; 117 + rcu_read_unlock(); 118 + 119 + return ks; 120 + } 121 + 122 + void ovpn_crypto_key_slot_release(struct kref *kref); 123 + 124 + static inline void ovpn_crypto_key_slot_put(struct ovpn_crypto_key_slot *ks) 125 + { 126 + kref_put(&ks->refcount, ovpn_crypto_key_slot_release); 127 + } 128 + 129 + int ovpn_crypto_state_reset(struct ovpn_crypto_state *cs, 130 + const struct ovpn_peer_key_reset *pkr); 131 + 132 + void ovpn_crypto_key_slot_delete(struct ovpn_crypto_state *cs, 133 + enum ovpn_key_slot slot); 134 + 135 + void ovpn_crypto_state_release(struct ovpn_crypto_state *cs); 136 + 137 + void ovpn_crypto_key_slots_swap(struct ovpn_crypto_state *cs); 138 + 139 
+ int ovpn_crypto_config_get(struct ovpn_crypto_state *cs, 140 + enum ovpn_key_slot slot, 141 + struct ovpn_key_config *keyconf); 142 + 143 + bool ovpn_crypto_kill_key(struct ovpn_crypto_state *cs, u8 key_id); 144 + 145 + #endif /* _NET_OVPN_OVPNCRYPTO_H_ */
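Review bot: cs->primary_idx is written with WRITE_ONCE() in ovpn_crypto_key_slots_swap() and read with READ_ONCE() in ovpn_crypto_key_id_to_slot(), but ovpn_crypto_key_slot_primary() here and ovpn_crypto_config_get() in crypto.c read it plainly under at most rcu_read_lock(); use READ_ONCE() in both so the concurrent swap is a documented, KCSAN-clean access. The "/* only needed for GCM modes */" comments on nonce_tail and nonce_tail_size are misleading: the driver also offers rfc7539(chacha20,poly1305), and the decrypt path copies nonce_tail_recv into the IV for every cipher.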
+383
drivers/net/ovpn/crypto_aead.c
··· 1 + // SPDX-License-Identifier: GPL-2.0 2 + /* OpenVPN data channel offload 3 + * 4 + * Copyright (C) 2020-2025 OpenVPN, Inc. 5 + * 6 + * Author: James Yonan <james@openvpn.net> 7 + * Antonio Quartulli <antonio@openvpn.net> 8 + */ 9 + 10 + #include <crypto/aead.h> 11 + #include <linux/skbuff.h> 12 + #include <net/ip.h> 13 + #include <net/ipv6.h> 14 + #include <net/udp.h> 15 + 16 + #include "ovpnpriv.h" 17 + #include "main.h" 18 + #include "io.h" 19 + #include "pktid.h" 20 + #include "crypto_aead.h" 21 + #include "crypto.h" 22 + #include "peer.h" 23 + #include "proto.h" 24 + #include "skb.h" 25 + 26 + #define OVPN_AUTH_TAG_SIZE 16 27 + #define OVPN_AAD_SIZE (OVPN_OPCODE_SIZE + OVPN_NONCE_WIRE_SIZE) 28 + 29 + #define ALG_NAME_AES "gcm(aes)" 30 + #define ALG_NAME_CHACHAPOLY "rfc7539(chacha20,poly1305)" 31 + 32 + static int ovpn_aead_encap_overhead(const struct ovpn_crypto_key_slot *ks) 33 + { 34 + return OVPN_OPCODE_SIZE + /* OP header size */ 35 + sizeof(u32) + /* Packet ID */ 36 + crypto_aead_authsize(ks->encrypt); /* Auth Tag */ 37 + } 38 + 39 + int ovpn_aead_encrypt(struct ovpn_peer *peer, struct ovpn_crypto_key_slot *ks, 40 + struct sk_buff *skb) 41 + { 42 + const unsigned int tag_size = crypto_aead_authsize(ks->encrypt); 43 + struct aead_request *req; 44 + struct sk_buff *trailer; 45 + struct scatterlist *sg; 46 + int nfrags, ret; 47 + u32 pktid, op; 48 + u8 *iv; 49 + 50 + ovpn_skb_cb(skb)->peer = peer; 51 + ovpn_skb_cb(skb)->ks = ks; 52 + 53 + /* Sample AEAD header format: 54 + * 48000001 00000005 7e7046bd 444a7e28 cc6387b1 64a4d6c1 380275a... 55 + * [ OP32 ] [seq # ] [ auth tag ] [ payload ... 
] 56 + * [4-byte 57 + * IV head] 58 + */ 59 + 60 + /* check that there's enough headroom in the skb for packet 61 + * encapsulation 62 + */ 63 + if (unlikely(skb_cow_head(skb, OVPN_HEAD_ROOM))) 64 + return -ENOBUFS; 65 + 66 + /* get number of skb frags and ensure that packet data is writable */ 67 + nfrags = skb_cow_data(skb, 0, &trailer); 68 + if (unlikely(nfrags < 0)) 69 + return nfrags; 70 + 71 + if (unlikely(nfrags + 2 > (MAX_SKB_FRAGS + 2))) 72 + return -ENOSPC; 73 + 74 + /* sg may be required by async crypto */ 75 + ovpn_skb_cb(skb)->sg = kmalloc(sizeof(*ovpn_skb_cb(skb)->sg) * 76 + (nfrags + 2), GFP_ATOMIC); 77 + if (unlikely(!ovpn_skb_cb(skb)->sg)) 78 + return -ENOMEM; 79 + 80 + sg = ovpn_skb_cb(skb)->sg; 81 + 82 + /* sg table: 83 + * 0: op, wire nonce (AD, len=OVPN_OP_SIZE_V2+OVPN_NONCE_WIRE_SIZE), 84 + * 1, 2, 3, ..., n: payload, 85 + * n+1: auth_tag (len=tag_size) 86 + */ 87 + sg_init_table(sg, nfrags + 2); 88 + 89 + /* build scatterlist to encrypt packet payload */ 90 + ret = skb_to_sgvec_nomark(skb, sg + 1, 0, skb->len); 91 + if (unlikely(nfrags != ret)) 92 + return -EINVAL; 93 + 94 + /* append auth_tag onto scatterlist */ 95 + __skb_push(skb, tag_size); 96 + sg_set_buf(sg + nfrags + 1, skb->data, tag_size); 97 + 98 + /* obtain packet ID, which is used both as a first 99 + * 4 bytes of nonce and last 4 bytes of associated data. 
100 + */ 101 + ret = ovpn_pktid_xmit_next(&ks->pid_xmit, &pktid); 102 + if (unlikely(ret < 0)) 103 + return ret; 104 + 105 + /* iv may be required by async crypto */ 106 + ovpn_skb_cb(skb)->iv = kmalloc(OVPN_NONCE_SIZE, GFP_ATOMIC); 107 + if (unlikely(!ovpn_skb_cb(skb)->iv)) 108 + return -ENOMEM; 109 + 110 + iv = ovpn_skb_cb(skb)->iv; 111 + 112 + /* concat 4 bytes packet id and 8 bytes nonce tail into 12 bytes 113 + * nonce 114 + */ 115 + ovpn_pktid_aead_write(pktid, ks->nonce_tail_xmit, iv); 116 + 117 + /* make space for packet id and push it to the front */ 118 + __skb_push(skb, OVPN_NONCE_WIRE_SIZE); 119 + memcpy(skb->data, iv, OVPN_NONCE_WIRE_SIZE); 120 + 121 + /* add packet op as head of additional data */ 122 + op = ovpn_opcode_compose(OVPN_DATA_V2, ks->key_id, peer->id); 123 + __skb_push(skb, OVPN_OPCODE_SIZE); 124 + BUILD_BUG_ON(sizeof(op) != OVPN_OPCODE_SIZE); 125 + *((__force __be32 *)skb->data) = htonl(op); 126 + 127 + /* AEAD Additional data */ 128 + sg_set_buf(sg, skb->data, OVPN_AAD_SIZE); 129 + 130 + req = aead_request_alloc(ks->encrypt, GFP_ATOMIC); 131 + if (unlikely(!req)) 132 + return -ENOMEM; 133 + 134 + ovpn_skb_cb(skb)->req = req; 135 + 136 + /* setup async crypto operation */ 137 + aead_request_set_tfm(req, ks->encrypt); 138 + aead_request_set_callback(req, 0, ovpn_encrypt_post, skb); 139 + aead_request_set_crypt(req, sg, sg, 140 + skb->len - ovpn_aead_encap_overhead(ks), iv); 141 + aead_request_set_ad(req, OVPN_AAD_SIZE); 142 + 143 + /* encrypt it */ 144 + return crypto_aead_encrypt(req); 145 + } 146 + 147 + int ovpn_aead_decrypt(struct ovpn_peer *peer, struct ovpn_crypto_key_slot *ks, 148 + struct sk_buff *skb) 149 + { 150 + const unsigned int tag_size = crypto_aead_authsize(ks->decrypt); 151 + int ret, payload_len, nfrags; 152 + unsigned int payload_offset; 153 + struct aead_request *req; 154 + struct sk_buff *trailer; 155 + struct scatterlist *sg; 156 + u8 *iv; 157 + 158 + payload_offset = OVPN_AAD_SIZE + tag_size; 159 + payload_len = 
skb->len - payload_offset; 160 + 161 + ovpn_skb_cb(skb)->payload_offset = payload_offset; 162 + ovpn_skb_cb(skb)->peer = peer; 163 + ovpn_skb_cb(skb)->ks = ks; 164 + 165 + /* sanity check on packet size, payload size must be >= 0 */ 166 + if (unlikely(payload_len < 0)) 167 + return -EINVAL; 168 + 169 + /* Prepare the skb data buffer to be accessed up until the auth tag. 170 + * This is required because this area is directly mapped into the sg 171 + * list. 172 + */ 173 + if (unlikely(!pskb_may_pull(skb, payload_offset))) 174 + return -ENODATA; 175 + 176 + /* get number of skb frags and ensure that packet data is writable */ 177 + nfrags = skb_cow_data(skb, 0, &trailer); 178 + if (unlikely(nfrags < 0)) 179 + return nfrags; 180 + 181 + if (unlikely(nfrags + 2 > (MAX_SKB_FRAGS + 2))) 182 + return -ENOSPC; 183 + 184 + /* sg may be required by async crypto */ 185 + ovpn_skb_cb(skb)->sg = kmalloc(sizeof(*ovpn_skb_cb(skb)->sg) * 186 + (nfrags + 2), GFP_ATOMIC); 187 + if (unlikely(!ovpn_skb_cb(skb)->sg)) 188 + return -ENOMEM; 189 + 190 + sg = ovpn_skb_cb(skb)->sg; 191 + 192 + /* sg table: 193 + * 0: op, wire nonce (AD, len=OVPN_OPCODE_SIZE+OVPN_NONCE_WIRE_SIZE), 194 + * 1, 2, 3, ..., n: payload, 195 + * n+1: auth_tag (len=tag_size) 196 + */ 197 + sg_init_table(sg, nfrags + 2); 198 + 199 + /* packet op is head of additional data */ 200 + sg_set_buf(sg, skb->data, OVPN_AAD_SIZE); 201 + 202 + /* build scatterlist to decrypt packet payload */ 203 + ret = skb_to_sgvec_nomark(skb, sg + 1, payload_offset, payload_len); 204 + if (unlikely(nfrags != ret)) 205 + return -EINVAL; 206 + 207 + /* append auth_tag onto scatterlist */ 208 + sg_set_buf(sg + nfrags + 1, skb->data + OVPN_AAD_SIZE, tag_size); 209 + 210 + /* iv may be required by async crypto */ 211 + ovpn_skb_cb(skb)->iv = kmalloc(OVPN_NONCE_SIZE, GFP_ATOMIC); 212 + if (unlikely(!ovpn_skb_cb(skb)->iv)) 213 + return -ENOMEM; 214 + 215 + iv = ovpn_skb_cb(skb)->iv; 216 + 217 + /* copy nonce into IV buffer */ 218 + memcpy(iv, 
skb->data + OVPN_OPCODE_SIZE, OVPN_NONCE_WIRE_SIZE); 219 + memcpy(iv + OVPN_NONCE_WIRE_SIZE, ks->nonce_tail_recv, 220 + OVPN_NONCE_TAIL_SIZE); 221 + 222 + req = aead_request_alloc(ks->decrypt, GFP_ATOMIC); 223 + if (unlikely(!req)) 224 + return -ENOMEM; 225 + 226 + ovpn_skb_cb(skb)->req = req; 227 + 228 + /* setup async crypto operation */ 229 + aead_request_set_tfm(req, ks->decrypt); 230 + aead_request_set_callback(req, 0, ovpn_decrypt_post, skb); 231 + aead_request_set_crypt(req, sg, sg, payload_len + tag_size, iv); 232 + 233 + aead_request_set_ad(req, OVPN_AAD_SIZE); 234 + 235 + /* decrypt it */ 236 + return crypto_aead_decrypt(req); 237 + } 238 + 239 + /* Initialize a struct crypto_aead object */ 240 + static struct crypto_aead *ovpn_aead_init(const char *title, 241 + const char *alg_name, 242 + const unsigned char *key, 243 + unsigned int keylen) 244 + { 245 + struct crypto_aead *aead; 246 + int ret; 247 + 248 + aead = crypto_alloc_aead(alg_name, 0, 0); 249 + if (IS_ERR(aead)) { 250 + ret = PTR_ERR(aead); 251 + pr_err("%s crypto_alloc_aead failed, err=%d\n", title, ret); 252 + aead = NULL; 253 + goto error; 254 + } 255 + 256 + ret = crypto_aead_setkey(aead, key, keylen); 257 + if (ret) { 258 + pr_err("%s crypto_aead_setkey size=%u failed, err=%d\n", title, 259 + keylen, ret); 260 + goto error; 261 + } 262 + 263 + ret = crypto_aead_setauthsize(aead, OVPN_AUTH_TAG_SIZE); 264 + if (ret) { 265 + pr_err("%s crypto_aead_setauthsize failed, err=%d\n", title, 266 + ret); 267 + goto error; 268 + } 269 + 270 + /* basic AEAD assumption */ 271 + if (crypto_aead_ivsize(aead) != OVPN_NONCE_SIZE) { 272 + pr_err("%s IV size must be %d\n", title, OVPN_NONCE_SIZE); 273 + ret = -EINVAL; 274 + goto error; 275 + } 276 + 277 + pr_debug("********* Cipher %s (%s)\n", alg_name, title); 278 + pr_debug("*** IV size=%u\n", crypto_aead_ivsize(aead)); 279 + pr_debug("*** req size=%u\n", crypto_aead_reqsize(aead)); 280 + pr_debug("*** block size=%u\n", crypto_aead_blocksize(aead)); 281 + 
pr_debug("*** auth size=%u\n", crypto_aead_authsize(aead)); 282 + pr_debug("*** alignmask=0x%x\n", crypto_aead_alignmask(aead)); 283 + 284 + return aead; 285 + 286 + error: 287 + crypto_free_aead(aead); 288 + return ERR_PTR(ret); 289 + } 290 + 291 + void ovpn_aead_crypto_key_slot_destroy(struct ovpn_crypto_key_slot *ks) 292 + { 293 + if (!ks) 294 + return; 295 + 296 + crypto_free_aead(ks->encrypt); 297 + crypto_free_aead(ks->decrypt); 298 + kfree(ks); 299 + } 300 + 301 + struct ovpn_crypto_key_slot * 302 + ovpn_aead_crypto_key_slot_new(const struct ovpn_key_config *kc) 303 + { 304 + struct ovpn_crypto_key_slot *ks = NULL; 305 + const char *alg_name; 306 + int ret; 307 + 308 + /* validate crypto alg */ 309 + switch (kc->cipher_alg) { 310 + case OVPN_CIPHER_ALG_AES_GCM: 311 + alg_name = ALG_NAME_AES; 312 + break; 313 + case OVPN_CIPHER_ALG_CHACHA20_POLY1305: 314 + alg_name = ALG_NAME_CHACHAPOLY; 315 + break; 316 + default: 317 + return ERR_PTR(-EOPNOTSUPP); 318 + } 319 + 320 + if (kc->encrypt.nonce_tail_size != OVPN_NONCE_TAIL_SIZE || 321 + kc->decrypt.nonce_tail_size != OVPN_NONCE_TAIL_SIZE) 322 + return ERR_PTR(-EINVAL); 323 + 324 + /* build the key slot */ 325 + ks = kmalloc(sizeof(*ks), GFP_KERNEL); 326 + if (!ks) 327 + return ERR_PTR(-ENOMEM); 328 + 329 + ks->encrypt = NULL; 330 + ks->decrypt = NULL; 331 + kref_init(&ks->refcount); 332 + ks->key_id = kc->key_id; 333 + 334 + ks->encrypt = ovpn_aead_init("encrypt", alg_name, 335 + kc->encrypt.cipher_key, 336 + kc->encrypt.cipher_key_size); 337 + if (IS_ERR(ks->encrypt)) { 338 + ret = PTR_ERR(ks->encrypt); 339 + ks->encrypt = NULL; 340 + goto destroy_ks; 341 + } 342 + 343 + ks->decrypt = ovpn_aead_init("decrypt", alg_name, 344 + kc->decrypt.cipher_key, 345 + kc->decrypt.cipher_key_size); 346 + if (IS_ERR(ks->decrypt)) { 347 + ret = PTR_ERR(ks->decrypt); 348 + ks->decrypt = NULL; 349 + goto destroy_ks; 350 + } 351 + 352 + memcpy(ks->nonce_tail_xmit, kc->encrypt.nonce_tail, 353 + OVPN_NONCE_TAIL_SIZE); 354 + 
memcpy(ks->nonce_tail_recv, kc->decrypt.nonce_tail, 355 + OVPN_NONCE_TAIL_SIZE); 356 + 357 + /* init packet ID generation/validation */ 358 + ovpn_pktid_xmit_init(&ks->pid_xmit); 359 + ovpn_pktid_recv_init(&ks->pid_recv); 360 + 361 + return ks; 362 + 363 + destroy_ks: 364 + ovpn_aead_crypto_key_slot_destroy(ks); 365 + return ERR_PTR(ret); 366 + } 367 + 368 + enum ovpn_cipher_alg ovpn_aead_crypto_alg(struct ovpn_crypto_key_slot *ks) 369 + { 370 + const char *alg_name; 371 + 372 + if (!ks->encrypt) 373 + return OVPN_CIPHER_ALG_NONE; 374 + 375 + alg_name = crypto_tfm_alg_name(crypto_aead_tfm(ks->encrypt)); 376 + 377 + if (!strcmp(alg_name, ALG_NAME_AES)) 378 + return OVPN_CIPHER_ALG_AES_GCM; 379 + else if (!strcmp(alg_name, ALG_NAME_CHACHAPOLY)) 380 + return OVPN_CIPHER_ALG_CHACHA20_POLY1305; 381 + else 382 + return OVPN_CIPHER_ALG_NONE; 383 + }
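Review bot: the sg-table comment in ovpn_aead_encrypt() (`0: op, wire nonce (AD, len=OVPN_OP_SIZE_V2+OVPN_NONCE_WIRE_SIZE)`) names OVPN_OP_SIZE_V2, which the code never uses; the `__skb_push(skb, OVPN_OPCODE_SIZE)` below it and the matching comment in ovpn_aead_decrypt() use OVPN_OPCODE_SIZE, so the comment should read `len=OVPN_OPCODE_SIZE+OVPN_NONCE_WIRE_SIZE` (that is OVPN_AAD_SIZE, the length actually passed to sg_set_buf()). Two things worth a line of explanation while here: the error return of `ovpn_pktid_xmit_next()` is the nonce-reuse guard, since the 4-byte packet id is the only per-packet part of the 12-byte IV, so exhausting it must fail encryption and retire the key (which is what the -ERANGE branch in ovpn_encrypt_post() does); and the early `return -EINVAL`/`-ENOMEM` exits after `ovpn_skb_cb(skb)->sg` and `->iv` have been allocated are leak-free only because ovpn_encrypt_post()/ovpn_decrypt_post() kfree() those CB members on every non -EINPROGRESS return and the callers memset the CB first. Stating that ownership rule next to the allocations would save the next reader the search.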
+29
drivers/net/ovpn/crypto_aead.h
··· 1 + /* SPDX-License-Identifier: GPL-2.0-only */ 2 + /* OpenVPN data channel offload 3 + * 4 + * Copyright (C) 2020-2025 OpenVPN, Inc. 5 + * 6 + * Author: James Yonan <james@openvpn.net> 7 + * Antonio Quartulli <antonio@openvpn.net> 8 + */ 9 + 10 + #ifndef _NET_OVPN_OVPNAEAD_H_ 11 + #define _NET_OVPN_OVPNAEAD_H_ 12 + 13 + #include "crypto.h" 14 + 15 + #include <asm/types.h> 16 + #include <linux/skbuff.h> 17 + 18 + int ovpn_aead_encrypt(struct ovpn_peer *peer, struct ovpn_crypto_key_slot *ks, 19 + struct sk_buff *skb); 20 + int ovpn_aead_decrypt(struct ovpn_peer *peer, struct ovpn_crypto_key_slot *ks, 21 + struct sk_buff *skb); 22 + 23 + struct ovpn_crypto_key_slot * 24 + ovpn_aead_crypto_key_slot_new(const struct ovpn_key_config *kc); 25 + void ovpn_aead_crypto_key_slot_destroy(struct ovpn_crypto_key_slot *ks); 26 + 27 + enum ovpn_cipher_alg ovpn_aead_crypto_alg(struct ovpn_crypto_key_slot *ks); 28 + 29 + #endif /* _NET_OVPN_OVPNAEAD_H_ */
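Review bot: `#include <asm/types.h>` should be `<linux/types.h>`; drivers are expected to include the linux/ wrapper rather than the arch header directly, and nothing in this header needs anything beyond the basic integer types.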
+446
drivers/net/ovpn/io.c
··· 1 + // SPDX-License-Identifier: GPL-2.0 2 + /* OpenVPN data channel offload 3 + * 4 + * Copyright (C) 2019-2025 OpenVPN, Inc. 5 + * 6 + * Author: James Yonan <james@openvpn.net> 7 + * Antonio Quartulli <antonio@openvpn.net> 8 + */ 9 + 10 + #include <crypto/aead.h> 11 + #include <linux/netdevice.h> 12 + #include <linux/skbuff.h> 13 + #include <net/gro_cells.h> 14 + #include <net/gso.h> 15 + #include <net/ip.h> 16 + 17 + #include "ovpnpriv.h" 18 + #include "peer.h" 19 + #include "io.h" 20 + #include "bind.h" 21 + #include "crypto.h" 22 + #include "crypto_aead.h" 23 + #include "netlink.h" 24 + #include "proto.h" 25 + #include "tcp.h" 26 + #include "udp.h" 27 + #include "skb.h" 28 + #include "socket.h" 29 + 30 + const unsigned char ovpn_keepalive_message[OVPN_KEEPALIVE_SIZE] = { 31 + 0x2a, 0x18, 0x7b, 0xf3, 0x64, 0x1e, 0xb4, 0xcb, 32 + 0x07, 0xed, 0x2d, 0x0a, 0x98, 0x1f, 0xc7, 0x48 33 + }; 34 + 35 + /** 36 + * ovpn_is_keepalive - check if skb contains a keepalive message 37 + * @skb: packet to check 38 + * 39 + * Assumes that the first byte of skb->data is defined. 40 + * 41 + * Return: true if skb contains a keepalive or false otherwise 42 + */ 43 + static bool ovpn_is_keepalive(struct sk_buff *skb) 44 + { 45 + if (*skb->data != ovpn_keepalive_message[0]) 46 + return false; 47 + 48 + if (skb->len != OVPN_KEEPALIVE_SIZE) 49 + return false; 50 + 51 + if (!pskb_may_pull(skb, OVPN_KEEPALIVE_SIZE)) 52 + return false; 53 + 54 + return !memcmp(skb->data, ovpn_keepalive_message, OVPN_KEEPALIVE_SIZE); 55 + } 56 + 57 + /* Called after decrypt to write the IP packet to the device. 58 + * This method is expected to manage/free the skb. 
59 + */ 60 + static void ovpn_netdev_write(struct ovpn_peer *peer, struct sk_buff *skb) 61 + { 62 + unsigned int pkt_len; 63 + int ret; 64 + 65 + /* we can't guarantee the packet wasn't corrupted before entering the 66 + * VPN, therefore we give other layers a chance to check that 67 + */ 68 + skb->ip_summed = CHECKSUM_NONE; 69 + 70 + /* skb hash for transport packet no longer valid after decapsulation */ 71 + skb_clear_hash(skb); 72 + 73 + /* post-decrypt scrub -- prepare to inject encapsulated packet onto the 74 + * interface, based on __skb_tunnel_rx() in dst.h 75 + */ 76 + skb->dev = peer->ovpn->dev; 77 + skb_set_queue_mapping(skb, 0); 78 + skb_scrub_packet(skb, true); 79 + 80 + /* network header reset in ovpn_decrypt_post() */ 81 + skb_reset_transport_header(skb); 82 + skb_reset_inner_headers(skb); 83 + 84 + /* cause packet to be "received" by the interface */ 85 + pkt_len = skb->len; 86 + ret = gro_cells_receive(&peer->ovpn->gro_cells, skb); 87 + if (likely(ret == NET_RX_SUCCESS)) { 88 + /* update RX stats with the size of decrypted packet */ 89 + ovpn_peer_stats_increment_rx(&peer->vpn_stats, pkt_len); 90 + dev_dstats_rx_add(peer->ovpn->dev, pkt_len); 91 + } 92 + } 93 + 94 + void ovpn_decrypt_post(void *data, int ret) 95 + { 96 + struct ovpn_crypto_key_slot *ks; 97 + unsigned int payload_offset = 0; 98 + struct sk_buff *skb = data; 99 + struct ovpn_socket *sock; 100 + struct ovpn_peer *peer; 101 + __be16 proto; 102 + __be32 *pid; 103 + 104 + /* crypto is happening asynchronously. 
this function will be called 105 + * again later by the crypto callback with a proper return code 106 + */ 107 + if (unlikely(ret == -EINPROGRESS)) 108 + return; 109 + 110 + payload_offset = ovpn_skb_cb(skb)->payload_offset; 111 + ks = ovpn_skb_cb(skb)->ks; 112 + peer = ovpn_skb_cb(skb)->peer; 113 + 114 + /* crypto is done, cleanup skb CB and its members */ 115 + kfree(ovpn_skb_cb(skb)->iv); 116 + kfree(ovpn_skb_cb(skb)->sg); 117 + aead_request_free(ovpn_skb_cb(skb)->req); 118 + 119 + if (unlikely(ret < 0)) 120 + goto drop; 121 + 122 + /* PID sits after the op */ 123 + pid = (__force __be32 *)(skb->data + OVPN_OPCODE_SIZE); 124 + ret = ovpn_pktid_recv(&ks->pid_recv, ntohl(*pid), 0); 125 + if (unlikely(ret < 0)) { 126 + net_err_ratelimited("%s: PKT ID RX error for peer %u: %d\n", 127 + netdev_name(peer->ovpn->dev), peer->id, 128 + ret); 129 + goto drop; 130 + } 131 + 132 + /* keep track of last received authenticated packet for keepalive */ 133 + WRITE_ONCE(peer->last_recv, ktime_get_real_seconds()); 134 + 135 + rcu_read_lock(); 136 + sock = rcu_dereference(peer->sock); 137 + if (sock && sock->sock->sk->sk_protocol == IPPROTO_UDP) 138 + /* check if this peer changed local or remote endpoint */ 139 + ovpn_peer_endpoints_update(peer, skb); 140 + rcu_read_unlock(); 141 + 142 + /* point to encapsulated IP packet */ 143 + __skb_pull(skb, payload_offset); 144 + 145 + /* check if this is a valid datapacket that has to be delivered to the 146 + * ovpn interface 147 + */ 148 + skb_reset_network_header(skb); 149 + proto = ovpn_ip_check_protocol(skb); 150 + if (unlikely(!proto)) { 151 + /* check if null packet */ 152 + if (unlikely(!pskb_may_pull(skb, 1))) { 153 + net_info_ratelimited("%s: NULL packet received from peer %u\n", 154 + netdev_name(peer->ovpn->dev), 155 + peer->id); 156 + goto drop; 157 + } 158 + 159 + if (ovpn_is_keepalive(skb)) { 160 + net_dbg_ratelimited("%s: ping received from peer %u\n", 161 + netdev_name(peer->ovpn->dev), 162 + peer->id); 163 + /* we drop 
the packet, but this is not a failure */ 164 + consume_skb(skb); 165 + goto drop_nocount; 166 + } 167 + 168 + net_info_ratelimited("%s: unsupported protocol received from peer %u\n", 169 + netdev_name(peer->ovpn->dev), peer->id); 170 + goto drop; 171 + } 172 + skb->protocol = proto; 173 + 174 + /* perform Reverse Path Filtering (RPF) */ 175 + if (unlikely(!ovpn_peer_check_by_src(peer->ovpn, skb, peer))) { 176 + if (skb->protocol == htons(ETH_P_IPV6)) 177 + net_dbg_ratelimited("%s: RPF dropped packet from peer %u, src: %pI6c\n", 178 + netdev_name(peer->ovpn->dev), 179 + peer->id, &ipv6_hdr(skb)->saddr); 180 + else 181 + net_dbg_ratelimited("%s: RPF dropped packet from peer %u, src: %pI4\n", 182 + netdev_name(peer->ovpn->dev), 183 + peer->id, &ip_hdr(skb)->saddr); 184 + goto drop; 185 + } 186 + 187 + ovpn_netdev_write(peer, skb); 188 + /* skb is passed to upper layer - don't free it */ 189 + skb = NULL; 190 + drop: 191 + if (unlikely(skb)) 192 + dev_dstats_rx_dropped(peer->ovpn->dev); 193 + kfree_skb(skb); 194 + drop_nocount: 195 + if (likely(peer)) 196 + ovpn_peer_put(peer); 197 + if (likely(ks)) 198 + ovpn_crypto_key_slot_put(ks); 199 + } 200 + 201 + /* RX path entry point: decrypt packet and forward it to the device */ 202 + void ovpn_recv(struct ovpn_peer *peer, struct sk_buff *skb) 203 + { 204 + struct ovpn_crypto_key_slot *ks; 205 + u8 key_id; 206 + 207 + ovpn_peer_stats_increment_rx(&peer->link_stats, skb->len); 208 + 209 + /* get the key slot matching the key ID in the received packet */ 210 + key_id = ovpn_key_id_from_skb(skb); 211 + ks = ovpn_crypto_key_id_to_slot(&peer->crypto, key_id); 212 + if (unlikely(!ks)) { 213 + net_info_ratelimited("%s: no available key for peer %u, key-id: %u\n", 214 + netdev_name(peer->ovpn->dev), peer->id, 215 + key_id); 216 + dev_dstats_rx_dropped(peer->ovpn->dev); 217 + kfree_skb(skb); 218 + ovpn_peer_put(peer); 219 + return; 220 + } 221 + 222 + memset(ovpn_skb_cb(skb), 0, sizeof(struct ovpn_cb)); 223 + ovpn_decrypt_post(skb, 
ovpn_aead_decrypt(peer, ks, skb)); 224 + } 225 + 226 + void ovpn_encrypt_post(void *data, int ret) 227 + { 228 + struct ovpn_crypto_key_slot *ks; 229 + struct sk_buff *skb = data; 230 + struct ovpn_socket *sock; 231 + struct ovpn_peer *peer; 232 + unsigned int orig_len; 233 + 234 + /* encryption is happening asynchronously. This function will be 235 + * called later by the crypto callback with a proper return value 236 + */ 237 + if (unlikely(ret == -EINPROGRESS)) 238 + return; 239 + 240 + ks = ovpn_skb_cb(skb)->ks; 241 + peer = ovpn_skb_cb(skb)->peer; 242 + 243 + /* crypto is done, cleanup skb CB and its members */ 244 + kfree(ovpn_skb_cb(skb)->iv); 245 + kfree(ovpn_skb_cb(skb)->sg); 246 + aead_request_free(ovpn_skb_cb(skb)->req); 247 + 248 + if (unlikely(ret == -ERANGE)) { 249 + /* we ran out of IVs and we must kill the key as it can't be 250 + * use anymore 251 + */ 252 + netdev_warn(peer->ovpn->dev, 253 + "killing key %u for peer %u\n", ks->key_id, 254 + peer->id); 255 + if (ovpn_crypto_kill_key(&peer->crypto, ks->key_id)) 256 + /* let userspace know so that a new key must be negotiated */ 257 + ovpn_nl_key_swap_notify(peer, ks->key_id); 258 + 259 + goto err; 260 + } 261 + 262 + if (unlikely(ret < 0)) 263 + goto err; 264 + 265 + skb_mark_not_on_list(skb); 266 + orig_len = skb->len; 267 + 268 + rcu_read_lock(); 269 + sock = rcu_dereference(peer->sock); 270 + if (unlikely(!sock)) 271 + goto err_unlock; 272 + 273 + switch (sock->sock->sk->sk_protocol) { 274 + case IPPROTO_UDP: 275 + ovpn_udp_send_skb(peer, sock->sock, skb); 276 + break; 277 + case IPPROTO_TCP: 278 + ovpn_tcp_send_skb(peer, sock->sock, skb); 279 + break; 280 + default: 281 + /* no transport configured yet */ 282 + goto err_unlock; 283 + } 284 + 285 + ovpn_peer_stats_increment_tx(&peer->link_stats, orig_len); 286 + /* keep track of last sent packet for keepalive */ 287 + WRITE_ONCE(peer->last_sent, ktime_get_real_seconds()); 288 + /* skb passed down the stack - don't free it */ 289 + skb = NULL; 290 
+ err_unlock: 291 + rcu_read_unlock(); 292 + err: 293 + if (unlikely(skb)) 294 + dev_dstats_tx_dropped(peer->ovpn->dev); 295 + if (likely(peer)) 296 + ovpn_peer_put(peer); 297 + if (likely(ks)) 298 + ovpn_crypto_key_slot_put(ks); 299 + kfree_skb(skb); 300 + } 301 + 302 + static bool ovpn_encrypt_one(struct ovpn_peer *peer, struct sk_buff *skb) 303 + { 304 + struct ovpn_crypto_key_slot *ks; 305 + 306 + /* get primary key to be used for encrypting data */ 307 + ks = ovpn_crypto_key_slot_primary(&peer->crypto); 308 + if (unlikely(!ks)) 309 + return false; 310 + 311 + /* take a reference to the peer because the crypto code may run async. 312 + * ovpn_encrypt_post() will release it upon completion 313 + */ 314 + if (unlikely(!ovpn_peer_hold(peer))) { 315 + DEBUG_NET_WARN_ON_ONCE(1); 316 + ovpn_crypto_key_slot_put(ks); 317 + return false; 318 + } 319 + 320 + memset(ovpn_skb_cb(skb), 0, sizeof(struct ovpn_cb)); 321 + ovpn_encrypt_post(skb, ovpn_aead_encrypt(peer, ks, skb)); 322 + return true; 323 + } 324 + 325 + /* send skb to connected peer, if any */ 326 + static void ovpn_send(struct ovpn_priv *ovpn, struct sk_buff *skb, 327 + struct ovpn_peer *peer) 328 + { 329 + struct sk_buff *curr, *next; 330 + 331 + /* this might be a GSO-segmented skb list: process each skb 332 + * independently 333 + */ 334 + skb_list_walk_safe(skb, curr, next) { 335 + if (unlikely(!ovpn_encrypt_one(peer, curr))) { 336 + dev_dstats_tx_dropped(ovpn->dev); 337 + kfree_skb(curr); 338 + } 339 + } 340 + 341 + ovpn_peer_put(peer); 342 + } 343 + 344 + /* Send user data to the network 345 + */ 346 + netdev_tx_t ovpn_net_xmit(struct sk_buff *skb, struct net_device *dev) 347 + { 348 + struct ovpn_priv *ovpn = netdev_priv(dev); 349 + struct sk_buff *segments, *curr, *next; 350 + struct sk_buff_head skb_list; 351 + struct ovpn_peer *peer; 352 + __be16 proto; 353 + int ret; 354 + 355 + /* reset netfilter state */ 356 + nf_reset_ct(skb); 357 + 358 + /* verify IP header size in network packet */ 359 + proto = 
ovpn_ip_check_protocol(skb); 360 + if (unlikely(!proto || skb->protocol != proto)) 361 + goto drop; 362 + 363 + if (skb_is_gso(skb)) { 364 + segments = skb_gso_segment(skb, 0); 365 + if (IS_ERR(segments)) { 366 + ret = PTR_ERR(segments); 367 + net_err_ratelimited("%s: cannot segment payload packet: %d\n", 368 + netdev_name(dev), ret); 369 + goto drop; 370 + } 371 + 372 + consume_skb(skb); 373 + skb = segments; 374 + } 375 + 376 + /* from this moment on, "skb" might be a list */ 377 + 378 + __skb_queue_head_init(&skb_list); 379 + skb_list_walk_safe(skb, curr, next) { 380 + skb_mark_not_on_list(curr); 381 + 382 + curr = skb_share_check(curr, GFP_ATOMIC); 383 + if (unlikely(!curr)) { 384 + net_err_ratelimited("%s: skb_share_check failed for payload packet\n", 385 + netdev_name(dev)); 386 + dev_dstats_tx_dropped(ovpn->dev); 387 + continue; 388 + } 389 + 390 + __skb_queue_tail(&skb_list, curr); 391 + } 392 + skb_list.prev->next = NULL; 393 + 394 + /* retrieve peer serving the destination IP of this packet */ 395 + peer = ovpn_peer_get_by_dst(ovpn, skb); 396 + if (unlikely(!peer)) { 397 + net_dbg_ratelimited("%s: no peer to send data to\n", 398 + netdev_name(ovpn->dev)); 399 + goto drop; 400 + } 401 + 402 + ovpn_peer_stats_increment_tx(&peer->vpn_stats, skb->len); 403 + ovpn_send(ovpn, skb_list.next, peer); 404 + 405 + return NETDEV_TX_OK; 406 + 407 + drop: 408 + dev_dstats_tx_dropped(ovpn->dev); 409 + skb_tx_error(skb); 410 + kfree_skb_list(skb); 411 + return NET_XMIT_DROP; 412 + } 413 + 414 + /** 415 + * ovpn_xmit_special - encrypt and transmit an out-of-band message to peer 416 + * @peer: peer to send the message to 417 + * @data: message content 418 + * @len: message length 419 + * 420 + * Assumes that caller holds a reference to peer, which will be 421 + * passed to ovpn_send() 422 + */ 423 + void ovpn_xmit_special(struct ovpn_peer *peer, const void *data, 424 + const unsigned int len) 425 + { 426 + struct ovpn_priv *ovpn; 427 + struct sk_buff *skb; 428 + 429 + ovpn 
= peer->ovpn; 430 + if (unlikely(!ovpn)) { 431 + ovpn_peer_put(peer); 432 + return; 433 + } 434 + 435 + skb = alloc_skb(256 + len, GFP_ATOMIC); 436 + if (unlikely(!skb)) { 437 + ovpn_peer_put(peer); 438 + return; 439 + } 440 + 441 + skb_reserve(skb, 128); 442 + skb->priority = TC_PRIO_BESTEFFORT; 443 + __skb_put_data(skb, data, len); 444 + 445 + ovpn_send(ovpn, skb, peer); 446 + }
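Review bot: in ovpn_net_xmit() the `skb` head pointer can go stale after the list is rebuilt: `skb_share_check(curr, GFP_ATOMIC)` may replace the first element with a clone that is queued on `skb_list`, yet `ovpn_peer_get_by_dst(ovpn, skb)`, `ovpn_peer_stats_increment_tx(&peer->vpn_stats, skb->len)` and the `drop:` path's `kfree_skb_list(skb)` still use the original pointer, so on the no-peer path the queued clones would be leaked and a reference the function no longer owns would be dropped. Use `skb_list.next` once the queue is built and purge `skb_list` on that drop path. Separately, `skb->len` at that point is only the first segment of a GSO-segmented list, so vpn_stats undercounts large sends; accounting per segment inside ovpn_send(), next to the link_stats update, would fix that.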
+34
drivers/net/ovpn/io.h
··· 1 + /* SPDX-License-Identifier: GPL-2.0-only */ 2 + /* OpenVPN data channel offload 3 + * 4 + * Copyright (C) 2019-2025 OpenVPN, Inc. 5 + * 6 + * Author: James Yonan <james@openvpn.net> 7 + * Antonio Quartulli <antonio@openvpn.net> 8 + */ 9 + 10 + #ifndef _NET_OVPN_OVPN_H_ 11 + #define _NET_OVPN_OVPN_H_ 12 + 13 + /* DATA_V2 header size with AEAD encryption */ 14 + #define OVPN_HEAD_ROOM (OVPN_OPCODE_SIZE + OVPN_NONCE_WIRE_SIZE + \ 15 + 16 /* AEAD TAG length */ + \ 16 + max(sizeof(struct udphdr), sizeof(struct tcphdr)) +\ 17 + max(sizeof(struct ipv6hdr), sizeof(struct iphdr))) 18 + 19 + /* max padding required by encryption */ 20 + #define OVPN_MAX_PADDING 16 21 + 22 + #define OVPN_KEEPALIVE_SIZE 16 23 + extern const unsigned char ovpn_keepalive_message[OVPN_KEEPALIVE_SIZE]; 24 + 25 + netdev_tx_t ovpn_net_xmit(struct sk_buff *skb, struct net_device *dev); 26 + 27 + void ovpn_recv(struct ovpn_peer *peer, struct sk_buff *skb); 28 + void ovpn_xmit_special(struct ovpn_peer *peer, const void *data, 29 + const unsigned int len); 30 + 31 + void ovpn_encrypt_post(void *data, int ret); 32 + void ovpn_decrypt_post(void *data, int ret); 33 + 34 + #endif /* _NET_OVPN_OVPN_H_ */
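Review bot: OVPN_HEAD_ROOM hard-codes the tag as `16 /* AEAD TAG length */` while crypto_aead.c configures the transform with `crypto_aead_setauthsize(aead, OVPN_AUTH_TAG_SIZE)`; use OVPN_AUTH_TAG_SIZE here too so the headroom reserved by `skb_cow_head(skb, OVPN_HEAD_ROOM)` in ovpn_aead_encrypt() cannot drift from the tag length actually produced. The comment on OVPN_MAX_PADDING ("max padding required by encryption") is also misleading: AES-GCM and ChaCha20-Poly1305 are stream-mode AEADs and add no padding, so if the tailroom is reserved for something else the comment should say what.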
+274
drivers/net/ovpn/main.c
··· 1 + // SPDX-License-Identifier: GPL-2.0 2 + /* OpenVPN data channel offload 3 + * 4 + * Copyright (C) 2020-2025 OpenVPN, Inc. 5 + * 6 + * Author: Antonio Quartulli <antonio@openvpn.net> 7 + * James Yonan <james@openvpn.net> 8 + */ 9 + 10 + #include <linux/ethtool.h> 11 + #include <linux/genetlink.h> 12 + #include <linux/module.h> 13 + #include <linux/netdevice.h> 14 + #include <linux/inetdevice.h> 15 + #include <net/gro_cells.h> 16 + #include <net/ip.h> 17 + #include <net/rtnetlink.h> 18 + #include <uapi/linux/if_arp.h> 19 + 20 + #include "ovpnpriv.h" 21 + #include "main.h" 22 + #include "netlink.h" 23 + #include "io.h" 24 + #include "peer.h" 25 + #include "proto.h" 26 + #include "tcp.h" 27 + #include "udp.h" 28 + 29 + static void ovpn_priv_free(struct net_device *net) 30 + { 31 + struct ovpn_priv *ovpn = netdev_priv(net); 32 + 33 + kfree(ovpn->peers); 34 + } 35 + 36 + static int ovpn_mp_alloc(struct ovpn_priv *ovpn) 37 + { 38 + struct in_device *dev_v4; 39 + int i; 40 + 41 + if (ovpn->mode != OVPN_MODE_MP) 42 + return 0; 43 + 44 + dev_v4 = __in_dev_get_rtnl(ovpn->dev); 45 + if (dev_v4) { 46 + /* disable redirects as Linux gets confused by ovpn 47 + * handling same-LAN routing. 48 + * This happens because a multipeer interface is used as 49 + * relay point between hosts in the same subnet, while 50 + * in a classic LAN this would not be needed because the 51 + * two hosts would be able to talk directly. 
52 + */ 53 + IN_DEV_CONF_SET(dev_v4, SEND_REDIRECTS, false); 54 + IPV4_DEVCONF_ALL(dev_net(ovpn->dev), SEND_REDIRECTS) = false; 55 + } 56 + 57 + /* the peer container is fairly large, therefore we allocate it only in 58 + * MP mode 59 + */ 60 + ovpn->peers = kzalloc(sizeof(*ovpn->peers), GFP_KERNEL); 61 + if (!ovpn->peers) 62 + return -ENOMEM; 63 + 64 + for (i = 0; i < ARRAY_SIZE(ovpn->peers->by_id); i++) { 65 + INIT_HLIST_HEAD(&ovpn->peers->by_id[i]); 66 + INIT_HLIST_NULLS_HEAD(&ovpn->peers->by_vpn_addr4[i], i); 67 + INIT_HLIST_NULLS_HEAD(&ovpn->peers->by_vpn_addr6[i], i); 68 + INIT_HLIST_NULLS_HEAD(&ovpn->peers->by_transp_addr[i], i); 69 + } 70 + 71 + return 0; 72 + } 73 + 74 + static int ovpn_net_init(struct net_device *dev) 75 + { 76 + struct ovpn_priv *ovpn = netdev_priv(dev); 77 + int err = gro_cells_init(&ovpn->gro_cells, dev); 78 + 79 + if (err < 0) 80 + return err; 81 + 82 + err = ovpn_mp_alloc(ovpn); 83 + if (err < 0) { 84 + gro_cells_destroy(&ovpn->gro_cells); 85 + return err; 86 + } 87 + 88 + return 0; 89 + } 90 + 91 + static void ovpn_net_uninit(struct net_device *dev) 92 + { 93 + struct ovpn_priv *ovpn = netdev_priv(dev); 94 + 95 + gro_cells_destroy(&ovpn->gro_cells); 96 + } 97 + 98 + static const struct net_device_ops ovpn_netdev_ops = { 99 + .ndo_init = ovpn_net_init, 100 + .ndo_uninit = ovpn_net_uninit, 101 + .ndo_start_xmit = ovpn_net_xmit, 102 + }; 103 + 104 + static const struct device_type ovpn_type = { 105 + .name = OVPN_FAMILY_NAME, 106 + }; 107 + 108 + static const struct nla_policy ovpn_policy[IFLA_OVPN_MAX + 1] = { 109 + [IFLA_OVPN_MODE] = NLA_POLICY_RANGE(NLA_U8, OVPN_MODE_P2P, 110 + OVPN_MODE_MP), 111 + }; 112 + 113 + /** 114 + * ovpn_dev_is_valid - check if the netdevice is of type 'ovpn' 115 + * @dev: the interface to check 116 + * 117 + * Return: whether the netdevice is of type 'ovpn' 118 + */ 119 + bool ovpn_dev_is_valid(const struct net_device *dev) 120 + { 121 + return dev->netdev_ops == &ovpn_netdev_ops; 122 + } 123 + 124 + 
static void ovpn_get_drvinfo(struct net_device *dev, 125 + struct ethtool_drvinfo *info) 126 + { 127 + strscpy(info->driver, "ovpn", sizeof(info->driver)); 128 + strscpy(info->bus_info, "ovpn", sizeof(info->bus_info)); 129 + } 130 + 131 + static const struct ethtool_ops ovpn_ethtool_ops = { 132 + .get_drvinfo = ovpn_get_drvinfo, 133 + .get_link = ethtool_op_get_link, 134 + .get_ts_info = ethtool_op_get_ts_info, 135 + }; 136 + 137 + static void ovpn_setup(struct net_device *dev) 138 + { 139 + netdev_features_t feat = NETIF_F_SG | NETIF_F_GSO | 140 + NETIF_F_GSO_SOFTWARE | NETIF_F_HIGHDMA; 141 + 142 + dev->needs_free_netdev = true; 143 + 144 + dev->pcpu_stat_type = NETDEV_PCPU_STAT_DSTATS; 145 + 146 + dev->ethtool_ops = &ovpn_ethtool_ops; 147 + dev->netdev_ops = &ovpn_netdev_ops; 148 + 149 + dev->priv_destructor = ovpn_priv_free; 150 + 151 + dev->hard_header_len = 0; 152 + dev->addr_len = 0; 153 + dev->mtu = ETH_DATA_LEN - OVPN_HEAD_ROOM; 154 + dev->min_mtu = IPV4_MIN_MTU; 155 + dev->max_mtu = IP_MAX_MTU - OVPN_HEAD_ROOM; 156 + 157 + dev->type = ARPHRD_NONE; 158 + dev->flags = IFF_POINTOPOINT | IFF_NOARP; 159 + dev->priv_flags |= IFF_NO_QUEUE; 160 + 161 + dev->lltx = true; 162 + dev->features |= feat; 163 + dev->hw_features |= feat; 164 + dev->hw_enc_features |= feat; 165 + 166 + dev->needed_headroom = ALIGN(OVPN_HEAD_ROOM, 4); 167 + dev->needed_tailroom = OVPN_MAX_PADDING; 168 + 169 + SET_NETDEV_DEVTYPE(dev, &ovpn_type); 170 + } 171 + 172 + static int ovpn_newlink(struct net_device *dev, 173 + struct rtnl_newlink_params *params, 174 + struct netlink_ext_ack *extack) 175 + { 176 + struct ovpn_priv *ovpn = netdev_priv(dev); 177 + struct nlattr **data = params->data; 178 + enum ovpn_mode mode = OVPN_MODE_P2P; 179 + 180 + if (data && data[IFLA_OVPN_MODE]) { 181 + mode = nla_get_u8(data[IFLA_OVPN_MODE]); 182 + netdev_dbg(dev, "setting device mode: %u\n", mode); 183 + } 184 + 185 + ovpn->dev = dev; 186 + ovpn->mode = mode; 187 + spin_lock_init(&ovpn->lock); 188 + 
INIT_DELAYED_WORK(&ovpn->keepalive_work, ovpn_peer_keepalive_work); 189 + 190 + /* Set carrier explicitly after registration, this way state is 191 + * clearly defined. 192 + * 193 + * In case of MP interfaces we keep the carrier always on. 194 + * 195 + * Carrier for P2P interfaces is initially off and it is then 196 + * switched on and off when the remote peer is added or deleted. 197 + */ 198 + if (ovpn->mode == OVPN_MODE_MP) 199 + netif_carrier_on(dev); 200 + else 201 + netif_carrier_off(dev); 202 + 203 + return register_netdevice(dev); 204 + } 205 + 206 + static void ovpn_dellink(struct net_device *dev, struct list_head *head) 207 + { 208 + struct ovpn_priv *ovpn = netdev_priv(dev); 209 + 210 + cancel_delayed_work_sync(&ovpn->keepalive_work); 211 + ovpn_peers_free(ovpn, NULL, OVPN_DEL_PEER_REASON_TEARDOWN); 212 + unregister_netdevice_queue(dev, head); 213 + } 214 + 215 + static int ovpn_fill_info(struct sk_buff *skb, const struct net_device *dev) 216 + { 217 + struct ovpn_priv *ovpn = netdev_priv(dev); 218 + 219 + if (nla_put_u8(skb, IFLA_OVPN_MODE, ovpn->mode)) 220 + return -EMSGSIZE; 221 + 222 + return 0; 223 + } 224 + 225 + static struct rtnl_link_ops ovpn_link_ops = { 226 + .kind = "ovpn", 227 + .netns_refund = false, 228 + .priv_size = sizeof(struct ovpn_priv), 229 + .setup = ovpn_setup, 230 + .policy = ovpn_policy, 231 + .maxtype = IFLA_OVPN_MAX, 232 + .newlink = ovpn_newlink, 233 + .dellink = ovpn_dellink, 234 + .fill_info = ovpn_fill_info, 235 + }; 236 + 237 + static int __init ovpn_init(void) 238 + { 239 + int err = rtnl_link_register(&ovpn_link_ops); 240 + 241 + if (err) { 242 + pr_err("ovpn: can't register rtnl link ops: %d\n", err); 243 + return err; 244 + } 245 + 246 + err = ovpn_nl_register(); 247 + if (err) { 248 + pr_err("ovpn: can't register netlink family: %d\n", err); 249 + goto unreg_rtnl; 250 + } 251 + 252 + ovpn_tcp_init(); 253 + 254 + return 0; 255 + 256 + unreg_rtnl: 257 + rtnl_link_unregister(&ovpn_link_ops); 258 + return err; 259 + } 
260 + 261 + static __exit void ovpn_cleanup(void) 262 + { 263 + ovpn_nl_unregister(); 264 + rtnl_link_unregister(&ovpn_link_ops); 265 + 266 + rcu_barrier(); 267 + } 268 + 269 + module_init(ovpn_init); 270 + module_exit(ovpn_cleanup); 271 + 272 + MODULE_DESCRIPTION("OpenVPN data channel offload (ovpn)"); 273 + MODULE_AUTHOR("Antonio Quartulli <antonio@openvpn.net>"); 274 + MODULE_LICENSE("GPL");
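Review bot: ovpn_mp_alloc() silently changes a namespace-wide sysctl: `IPV4_DEVCONF_ALL(dev_net(ovpn->dev), SEND_REDIRECTS) = false` disables ICMP redirects for every interface in the netns the moment an MP-mode device is created, and nothing in ovpn_dellink()/ovpn_net_uninit() restores it. Since the kernel ORs the `all` and per-device send_redirects values, clearing `all` is what makes the per-device `IN_DEV_CONF_SET(dev_v4, SEND_REDIRECTS, false)` effective, which is all the more reason to document the side effect in the driver documentation and emit a netdev_info() so an administrator can see why their setting changed. Also, the comment in ovpn_newlink() says "Set carrier explicitly after registration" but netif_carrier_on()/netif_carrier_off() are called before `register_netdevice(dev)`; reword the comment or move the calls to match it.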
+14
drivers/net/ovpn/main.h
··· 1 + /* SPDX-License-Identifier: GPL-2.0-only */ 2 + /* OpenVPN data channel offload 3 + * 4 + * Copyright (C) 2020-2025 OpenVPN, Inc. 5 + * 6 + * Author: Antonio Quartulli <antonio@openvpn.net> 7 + */ 8 + 9 + #ifndef _NET_OVPN_MAIN_H_ 10 + #define _NET_OVPN_MAIN_H_ 11 + 12 + bool ovpn_dev_is_valid(const struct net_device *dev); 13 + 14 + #endif /* _NET_OVPN_MAIN_H_ */
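Review bot: main.h uses `struct net_device` in the ovpn_dev_is_valid() prototype without declaring it; add a `struct net_device;` forward declaration (or include <linux/netdevice.h>) so the header is self-contained and compiles regardless of include order.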
+1258
drivers/net/ovpn/netlink.c
··· 1 + // SPDX-License-Identifier: GPL-2.0 2 + /* OpenVPN data channel offload 3 + * 4 + * Copyright (C) 2020-2025 OpenVPN, Inc. 5 + * 6 + * Author: Antonio Quartulli <antonio@openvpn.net> 7 + */ 8 + 9 + #include <linux/netdevice.h> 10 + #include <linux/types.h> 11 + #include <net/genetlink.h> 12 + 13 + #include <uapi/linux/ovpn.h> 14 + 15 + #include "ovpnpriv.h" 16 + #include "main.h" 17 + #include "netlink.h" 18 + #include "netlink-gen.h" 19 + #include "bind.h" 20 + #include "crypto.h" 21 + #include "peer.h" 22 + #include "socket.h" 23 + 24 + MODULE_ALIAS_GENL_FAMILY(OVPN_FAMILY_NAME); 25 + 26 + /** 27 + * ovpn_get_dev_from_attrs - retrieve the ovpn private data from the netdevice 28 + * a netlink message is targeting 29 + * @net: network namespace where to look for the interface 30 + * @info: generic netlink info from the user request 31 + * @tracker: tracker object to be used for the netdev reference acquisition 32 + * 33 + * Return: the ovpn private data, if found, or an error otherwise 34 + */ 35 + static struct ovpn_priv * 36 + ovpn_get_dev_from_attrs(struct net *net, const struct genl_info *info, 37 + netdevice_tracker *tracker) 38 + { 39 + struct ovpn_priv *ovpn; 40 + struct net_device *dev; 41 + int ifindex; 42 + 43 + if (GENL_REQ_ATTR_CHECK(info, OVPN_A_IFINDEX)) 44 + return ERR_PTR(-EINVAL); 45 + 46 + ifindex = nla_get_u32(info->attrs[OVPN_A_IFINDEX]); 47 + 48 + rcu_read_lock(); 49 + dev = dev_get_by_index_rcu(net, ifindex); 50 + if (!dev) { 51 + rcu_read_unlock(); 52 + NL_SET_ERR_MSG_MOD(info->extack, 53 + "ifindex does not match any interface"); 54 + return ERR_PTR(-ENODEV); 55 + } 56 + 57 + if (!ovpn_dev_is_valid(dev)) { 58 + rcu_read_unlock(); 59 + NL_SET_ERR_MSG_MOD(info->extack, 60 + "specified interface is not ovpn"); 61 + NL_SET_BAD_ATTR(info->extack, info->attrs[OVPN_A_IFINDEX]); 62 + return ERR_PTR(-EINVAL); 63 + } 64 + 65 + ovpn = netdev_priv(dev); 66 + netdev_hold(dev, tracker, GFP_ATOMIC); 67 + rcu_read_unlock(); 68 + 69 + return ovpn; 70 
+ } 71 + 72 + int ovpn_nl_pre_doit(const struct genl_split_ops *ops, struct sk_buff *skb, 73 + struct genl_info *info) 74 + { 75 + netdevice_tracker *tracker = (netdevice_tracker *)&info->user_ptr[1]; 76 + struct ovpn_priv *ovpn = ovpn_get_dev_from_attrs(genl_info_net(info), 77 + info, tracker); 78 + 79 + if (IS_ERR(ovpn)) 80 + return PTR_ERR(ovpn); 81 + 82 + info->user_ptr[0] = ovpn; 83 + 84 + return 0; 85 + } 86 + 87 + void ovpn_nl_post_doit(const struct genl_split_ops *ops, struct sk_buff *skb, 88 + struct genl_info *info) 89 + { 90 + netdevice_tracker *tracker = (netdevice_tracker *)&info->user_ptr[1]; 91 + struct ovpn_priv *ovpn = info->user_ptr[0]; 92 + 93 + if (ovpn) 94 + netdev_put(ovpn->dev, tracker); 95 + } 96 + 97 + static bool ovpn_nl_attr_sockaddr_remote(struct nlattr **attrs, 98 + struct sockaddr_storage *ss) 99 + { 100 + struct sockaddr_in6 *sin6; 101 + struct sockaddr_in *sin; 102 + struct in6_addr *in6; 103 + __be16 port = 0; 104 + __be32 *in; 105 + 106 + ss->ss_family = AF_UNSPEC; 107 + 108 + if (attrs[OVPN_A_PEER_REMOTE_PORT]) 109 + port = nla_get_be16(attrs[OVPN_A_PEER_REMOTE_PORT]); 110 + 111 + if (attrs[OVPN_A_PEER_REMOTE_IPV4]) { 112 + ss->ss_family = AF_INET; 113 + in = nla_data(attrs[OVPN_A_PEER_REMOTE_IPV4]); 114 + } else if (attrs[OVPN_A_PEER_REMOTE_IPV6]) { 115 + ss->ss_family = AF_INET6; 116 + in6 = nla_data(attrs[OVPN_A_PEER_REMOTE_IPV6]); 117 + } else { 118 + return false; 119 + } 120 + 121 + switch (ss->ss_family) { 122 + case AF_INET6: 123 + /* If this is a regular IPv6 just break and move on, 124 + * otherwise switch to AF_INET and extract the IPv4 accordingly 125 + */ 126 + if (!ipv6_addr_v4mapped(in6)) { 127 + sin6 = (struct sockaddr_in6 *)ss; 128 + sin6->sin6_port = port; 129 + memcpy(&sin6->sin6_addr, in6, sizeof(*in6)); 130 + break; 131 + } 132 + 133 + /* v4-mapped-v6 address */ 134 + ss->ss_family = AF_INET; 135 + in = &in6->s6_addr32[3]; 136 + fallthrough; 137 + case AF_INET: 138 + sin = (struct sockaddr_in *)ss; 139 + 
sin->sin_port = port; 140 + sin->sin_addr.s_addr = *in; 141 + break; 142 + } 143 + 144 + return true; 145 + } 146 + 147 + static u8 *ovpn_nl_attr_local_ip(struct nlattr **attrs) 148 + { 149 + u8 *addr6; 150 + 151 + if (!attrs[OVPN_A_PEER_LOCAL_IPV4] && !attrs[OVPN_A_PEER_LOCAL_IPV6]) 152 + return NULL; 153 + 154 + if (attrs[OVPN_A_PEER_LOCAL_IPV4]) 155 + return nla_data(attrs[OVPN_A_PEER_LOCAL_IPV4]); 156 + 157 + addr6 = nla_data(attrs[OVPN_A_PEER_LOCAL_IPV6]); 158 + /* this is an IPv4-mapped IPv6 address, therefore extract the actual 159 + * v4 address from the last 4 bytes 160 + */ 161 + if (ipv6_addr_v4mapped((struct in6_addr *)addr6)) 162 + return addr6 + 12; 163 + 164 + return addr6; 165 + } 166 + 167 + static sa_family_t ovpn_nl_family_get(struct nlattr *addr4, 168 + struct nlattr *addr6) 169 + { 170 + if (addr4) 171 + return AF_INET; 172 + 173 + if (addr6) { 174 + if (ipv6_addr_v4mapped((struct in6_addr *)nla_data(addr6))) 175 + return AF_INET; 176 + return AF_INET6; 177 + } 178 + 179 + return AF_UNSPEC; 180 + } 181 + 182 + static int ovpn_nl_peer_precheck(struct ovpn_priv *ovpn, 183 + struct genl_info *info, 184 + struct nlattr **attrs) 185 + { 186 + sa_family_t local_fam, remote_fam; 187 + 188 + if (NL_REQ_ATTR_CHECK(info->extack, info->attrs[OVPN_A_PEER], attrs, 189 + OVPN_A_PEER_ID)) 190 + return -EINVAL; 191 + 192 + if (attrs[OVPN_A_PEER_REMOTE_IPV4] && attrs[OVPN_A_PEER_REMOTE_IPV6]) { 193 + NL_SET_ERR_MSG_MOD(info->extack, 194 + "cannot specify both remote IPv4 or IPv6 address"); 195 + return -EINVAL; 196 + } 197 + 198 + if (!attrs[OVPN_A_PEER_REMOTE_IPV4] && 199 + !attrs[OVPN_A_PEER_REMOTE_IPV6] && attrs[OVPN_A_PEER_REMOTE_PORT]) { 200 + NL_SET_ERR_MSG_MOD(info->extack, 201 + "cannot specify remote port without IP address"); 202 + return -EINVAL; 203 + } 204 + 205 + if ((attrs[OVPN_A_PEER_REMOTE_IPV4] || 206 + attrs[OVPN_A_PEER_REMOTE_IPV6]) && 207 + !attrs[OVPN_A_PEER_REMOTE_PORT]) { 208 + NL_SET_ERR_MSG_MOD(info->extack, 209 + "cannot specify 
remote IP address without port"); 210 + return -EINVAL; 211 + } 212 + 213 + if (!attrs[OVPN_A_PEER_REMOTE_IPV4] && 214 + attrs[OVPN_A_PEER_LOCAL_IPV4]) { 215 + NL_SET_ERR_MSG_MOD(info->extack, 216 + "cannot specify local IPv4 address without remote"); 217 + return -EINVAL; 218 + } 219 + 220 + if (!attrs[OVPN_A_PEER_REMOTE_IPV6] && 221 + attrs[OVPN_A_PEER_LOCAL_IPV6]) { 222 + NL_SET_ERR_MSG_MOD(info->extack, 223 + "cannot specify local IPV6 address without remote"); 224 + return -EINVAL; 225 + } 226 + 227 + /* check that local and remote address families are the same even 228 + * after parsing v4mapped IPv6 addresses. 229 + * (if addresses are not provided, family will be AF_UNSPEC and 230 + * the check is skipped) 231 + */ 232 + local_fam = ovpn_nl_family_get(attrs[OVPN_A_PEER_LOCAL_IPV4], 233 + attrs[OVPN_A_PEER_LOCAL_IPV6]); 234 + remote_fam = ovpn_nl_family_get(attrs[OVPN_A_PEER_REMOTE_IPV4], 235 + attrs[OVPN_A_PEER_REMOTE_IPV6]); 236 + if (local_fam != AF_UNSPEC && remote_fam != AF_UNSPEC && 237 + local_fam != remote_fam) { 238 + NL_SET_ERR_MSG_MOD(info->extack, 239 + "mismatching local and remote address families"); 240 + return -EINVAL; 241 + } 242 + 243 + if (remote_fam != AF_INET6 && attrs[OVPN_A_PEER_REMOTE_IPV6_SCOPE_ID]) { 244 + NL_SET_ERR_MSG_MOD(info->extack, 245 + "cannot specify scope id without remote IPv6 address"); 246 + return -EINVAL; 247 + } 248 + 249 + /* VPN IPs are needed only in MP mode for selecting the right peer */ 250 + if (ovpn->mode == OVPN_MODE_P2P && (attrs[OVPN_A_PEER_VPN_IPV4] || 251 + attrs[OVPN_A_PEER_VPN_IPV6])) { 252 + NL_SET_ERR_MSG_FMT_MOD(info->extack, 253 + "unexpected VPN IP in P2P mode"); 254 + return -EINVAL; 255 + } 256 + 257 + if ((attrs[OVPN_A_PEER_KEEPALIVE_INTERVAL] && 258 + !attrs[OVPN_A_PEER_KEEPALIVE_TIMEOUT]) || 259 + (!attrs[OVPN_A_PEER_KEEPALIVE_INTERVAL] && 260 + attrs[OVPN_A_PEER_KEEPALIVE_TIMEOUT])) { 261 + NL_SET_ERR_MSG_FMT_MOD(info->extack, 262 + "keepalive interval and timeout are required together"); 
263 + return -EINVAL; 264 + } 265 + 266 + return 0; 267 + } 268 + 269 + /** 270 + * ovpn_nl_peer_modify - modify the peer attributes according to the incoming msg 271 + * @peer: the peer to modify 272 + * @info: generic netlink info from the user request 273 + * @attrs: the attributes from the user request 274 + * 275 + * Return: a negative error code in case of failure, 0 on success or 1 on 276 + * success and the VPN IPs have been modified (requires rehashing in MP 277 + * mode) 278 + */ 279 + static int ovpn_nl_peer_modify(struct ovpn_peer *peer, struct genl_info *info, 280 + struct nlattr **attrs) 281 + { 282 + struct sockaddr_storage ss = {}; 283 + void *local_ip = NULL; 284 + u32 interv, timeout; 285 + bool rehash = false; 286 + int ret; 287 + 288 + spin_lock_bh(&peer->lock); 289 + 290 + if (ovpn_nl_attr_sockaddr_remote(attrs, &ss)) { 291 + /* we carry the local IP in a generic container. 292 + * ovpn_peer_reset_sockaddr() will properly interpret it 293 + * based on ss.ss_family 294 + */ 295 + local_ip = ovpn_nl_attr_local_ip(attrs); 296 + 297 + /* set peer sockaddr */ 298 + ret = ovpn_peer_reset_sockaddr(peer, &ss, local_ip); 299 + if (ret < 0) { 300 + NL_SET_ERR_MSG_FMT_MOD(info->extack, 301 + "cannot set peer sockaddr: %d", 302 + ret); 303 + goto err_unlock; 304 + } 305 + dst_cache_reset(&peer->dst_cache); 306 + } 307 + 308 + if (attrs[OVPN_A_PEER_VPN_IPV4]) { 309 + rehash = true; 310 + peer->vpn_addrs.ipv4.s_addr = 311 + nla_get_in_addr(attrs[OVPN_A_PEER_VPN_IPV4]); 312 + } 313 + 314 + if (attrs[OVPN_A_PEER_VPN_IPV6]) { 315 + rehash = true; 316 + peer->vpn_addrs.ipv6 = 317 + nla_get_in6_addr(attrs[OVPN_A_PEER_VPN_IPV6]); 318 + } 319 + 320 + /* when setting the keepalive, both parameters have to be configured */ 321 + if (attrs[OVPN_A_PEER_KEEPALIVE_INTERVAL] && 322 + attrs[OVPN_A_PEER_KEEPALIVE_TIMEOUT]) { 323 + interv = nla_get_u32(attrs[OVPN_A_PEER_KEEPALIVE_INTERVAL]); 324 + timeout = nla_get_u32(attrs[OVPN_A_PEER_KEEPALIVE_TIMEOUT]); 325 + 
ovpn_peer_keepalive_set(peer, interv, timeout); 326 + } 327 + 328 + netdev_dbg(peer->ovpn->dev, 329 + "modify peer id=%u endpoint=%pIScp VPN-IPv4=%pI4 VPN-IPv6=%pI6c\n", 330 + peer->id, &ss, 331 + &peer->vpn_addrs.ipv4.s_addr, &peer->vpn_addrs.ipv6); 332 + 333 + spin_unlock_bh(&peer->lock); 334 + 335 + return rehash ? 1 : 0; 336 + err_unlock: 337 + spin_unlock_bh(&peer->lock); 338 + return ret; 339 + } 340 + 341 + int ovpn_nl_peer_new_doit(struct sk_buff *skb, struct genl_info *info) 342 + { 343 + struct nlattr *attrs[OVPN_A_PEER_MAX + 1]; 344 + struct ovpn_priv *ovpn = info->user_ptr[0]; 345 + struct ovpn_socket *ovpn_sock; 346 + struct socket *sock = NULL; 347 + struct ovpn_peer *peer; 348 + u32 sockfd, peer_id; 349 + int ret; 350 + 351 + if (GENL_REQ_ATTR_CHECK(info, OVPN_A_PEER)) 352 + return -EINVAL; 353 + 354 + ret = nla_parse_nested(attrs, OVPN_A_PEER_MAX, info->attrs[OVPN_A_PEER], 355 + ovpn_peer_nl_policy, info->extack); 356 + if (ret) 357 + return ret; 358 + 359 + ret = ovpn_nl_peer_precheck(ovpn, info, attrs); 360 + if (ret < 0) 361 + return ret; 362 + 363 + if (NL_REQ_ATTR_CHECK(info->extack, info->attrs[OVPN_A_PEER], attrs, 364 + OVPN_A_PEER_SOCKET)) 365 + return -EINVAL; 366 + 367 + /* in MP mode VPN IPs are required for selecting the right peer */ 368 + if (ovpn->mode == OVPN_MODE_MP && !attrs[OVPN_A_PEER_VPN_IPV4] && 369 + !attrs[OVPN_A_PEER_VPN_IPV6]) { 370 + NL_SET_ERR_MSG_FMT_MOD(info->extack, 371 + "VPN IP must be provided in MP mode"); 372 + return -EINVAL; 373 + } 374 + 375 + peer_id = nla_get_u32(attrs[OVPN_A_PEER_ID]); 376 + peer = ovpn_peer_new(ovpn, peer_id); 377 + if (IS_ERR(peer)) { 378 + NL_SET_ERR_MSG_FMT_MOD(info->extack, 379 + "cannot create new peer object for peer %u: %ld", 380 + peer_id, PTR_ERR(peer)); 381 + return PTR_ERR(peer); 382 + } 383 + 384 + /* lookup the fd in the kernel table and extract the socket object */ 385 + sockfd = nla_get_u32(attrs[OVPN_A_PEER_SOCKET]); 386 + /* sockfd_lookup() increases sock's refcounter */ 
387 + sock = sockfd_lookup(sockfd, &ret); 388 + if (!sock) { 389 + NL_SET_ERR_MSG_FMT_MOD(info->extack, 390 + "cannot lookup peer socket (fd=%u): %d", 391 + sockfd, ret); 392 + ret = -ENOTSOCK; 393 + goto peer_release; 394 + } 395 + 396 + /* Only when using UDP as transport protocol the remote endpoint 397 + * can be configured so that ovpn knows where to send packets to. 398 + */ 399 + if (sock->sk->sk_protocol == IPPROTO_UDP && 400 + !attrs[OVPN_A_PEER_REMOTE_IPV4] && 401 + !attrs[OVPN_A_PEER_REMOTE_IPV6]) { 402 + NL_SET_ERR_MSG_FMT_MOD(info->extack, 403 + "missing remote IP address for UDP socket"); 404 + sockfd_put(sock); 405 + ret = -EINVAL; 406 + goto peer_release; 407 + } 408 + 409 + /* In case of TCP, the socket is connected to the peer and ovpn 410 + * will just send bytes over it, without the need to specify a 411 + * destination. 412 + */ 413 + if (sock->sk->sk_protocol == IPPROTO_TCP && 414 + (attrs[OVPN_A_PEER_REMOTE_IPV4] || 415 + attrs[OVPN_A_PEER_REMOTE_IPV6])) { 416 + NL_SET_ERR_MSG_FMT_MOD(info->extack, 417 + "unexpected remote IP address with TCP socket"); 418 + sockfd_put(sock); 419 + ret = -EINVAL; 420 + goto peer_release; 421 + } 422 + 423 + ovpn_sock = ovpn_socket_new(sock, peer); 424 + /* at this point we unconditionally drop the reference to the socket: 425 + * - in case of error, the socket has to be dropped 426 + * - if case of success, the socket is configured and let 427 + * userspace own the reference, so that the latter can 428 + * trigger the final close() 429 + */ 430 + sockfd_put(sock); 431 + if (IS_ERR(ovpn_sock)) { 432 + NL_SET_ERR_MSG_FMT_MOD(info->extack, 433 + "cannot encapsulate socket: %ld", 434 + PTR_ERR(ovpn_sock)); 435 + ret = -ENOTSOCK; 436 + goto peer_release; 437 + } 438 + 439 + rcu_assign_pointer(peer->sock, ovpn_sock); 440 + 441 + ret = ovpn_nl_peer_modify(peer, info, attrs); 442 + if (ret < 0) 443 + goto sock_release; 444 + 445 + ret = ovpn_peer_add(ovpn, peer); 446 + if (ret < 0) { 447 + 
NL_SET_ERR_MSG_FMT_MOD(info->extack, 448 + "cannot add new peer (id=%u) to hashtable: %d", 449 + peer->id, ret); 450 + goto sock_release; 451 + } 452 + 453 + return 0; 454 + 455 + sock_release: 456 + ovpn_socket_release(peer); 457 + peer_release: 458 + /* release right away because peer was not yet hashed, thus it is not 459 + * used in any context 460 + */ 461 + ovpn_peer_release(peer); 462 + 463 + return ret; 464 + } 465 + 466 + int ovpn_nl_peer_set_doit(struct sk_buff *skb, struct genl_info *info) 467 + { 468 + struct nlattr *attrs[OVPN_A_PEER_MAX + 1]; 469 + struct ovpn_priv *ovpn = info->user_ptr[0]; 470 + struct ovpn_socket *sock; 471 + struct ovpn_peer *peer; 472 + u32 peer_id; 473 + int ret; 474 + 475 + if (GENL_REQ_ATTR_CHECK(info, OVPN_A_PEER)) 476 + return -EINVAL; 477 + 478 + ret = nla_parse_nested(attrs, OVPN_A_PEER_MAX, info->attrs[OVPN_A_PEER], 479 + ovpn_peer_nl_policy, info->extack); 480 + if (ret) 481 + return ret; 482 + 483 + ret = ovpn_nl_peer_precheck(ovpn, info, attrs); 484 + if (ret < 0) 485 + return ret; 486 + 487 + if (attrs[OVPN_A_PEER_SOCKET]) { 488 + NL_SET_ERR_MSG_FMT_MOD(info->extack, 489 + "socket cannot be modified"); 490 + return -EINVAL; 491 + } 492 + 493 + peer_id = nla_get_u32(attrs[OVPN_A_PEER_ID]); 494 + peer = ovpn_peer_get_by_id(ovpn, peer_id); 495 + if (!peer) { 496 + NL_SET_ERR_MSG_FMT_MOD(info->extack, 497 + "cannot find peer with id %u", peer_id); 498 + return -ENOENT; 499 + } 500 + 501 + /* when using a TCP socket the remote IP is not expected */ 502 + rcu_read_lock(); 503 + sock = rcu_dereference(peer->sock); 504 + if (sock && sock->sock->sk->sk_protocol == IPPROTO_TCP && 505 + (attrs[OVPN_A_PEER_REMOTE_IPV4] || 506 + attrs[OVPN_A_PEER_REMOTE_IPV6])) { 507 + rcu_read_unlock(); 508 + NL_SET_ERR_MSG_FMT_MOD(info->extack, 509 + "unexpected remote IP address with TCP socket"); 510 + ovpn_peer_put(peer); 511 + return -EINVAL; 512 + } 513 + rcu_read_unlock(); 514 + 515 + spin_lock_bh(&ovpn->lock); 516 + ret = 
ovpn_nl_peer_modify(peer, info, attrs); 517 + if (ret < 0) { 518 + spin_unlock_bh(&ovpn->lock); 519 + ovpn_peer_put(peer); 520 + return ret; 521 + } 522 + 523 + /* ret == 1 means that VPN IPv4/6 has been modified and rehashing 524 + * is required 525 + */ 526 + if (ret > 0) 527 + ovpn_peer_hash_vpn_ip(peer); 528 + spin_unlock_bh(&ovpn->lock); 529 + ovpn_peer_put(peer); 530 + 531 + return 0; 532 + } 533 + 534 + static int ovpn_nl_send_peer(struct sk_buff *skb, const struct genl_info *info, 535 + const struct ovpn_peer *peer, u32 portid, u32 seq, 536 + int flags) 537 + { 538 + const struct ovpn_bind *bind; 539 + struct ovpn_socket *sock; 540 + int ret = -EMSGSIZE; 541 + struct nlattr *attr; 542 + __be16 local_port; 543 + void *hdr; 544 + int id; 545 + 546 + hdr = genlmsg_put(skb, portid, seq, &ovpn_nl_family, flags, 547 + OVPN_CMD_PEER_GET); 548 + if (!hdr) 549 + return -ENOBUFS; 550 + 551 + attr = nla_nest_start(skb, OVPN_A_PEER); 552 + if (!attr) 553 + goto err; 554 + 555 + rcu_read_lock(); 556 + sock = rcu_dereference(peer->sock); 557 + if (!sock) { 558 + ret = -EINVAL; 559 + goto err_unlock; 560 + } 561 + 562 + if (!net_eq(genl_info_net(info), sock_net(sock->sock->sk))) { 563 + id = peernet2id_alloc(genl_info_net(info), 564 + sock_net(sock->sock->sk), 565 + GFP_ATOMIC); 566 + if (nla_put_s32(skb, OVPN_A_PEER_SOCKET_NETNSID, id)) 567 + goto err_unlock; 568 + } 569 + local_port = inet_sk(sock->sock->sk)->inet_sport; 570 + rcu_read_unlock(); 571 + 572 + if (nla_put_u32(skb, OVPN_A_PEER_ID, peer->id)) 573 + goto err; 574 + 575 + if (peer->vpn_addrs.ipv4.s_addr != htonl(INADDR_ANY)) 576 + if (nla_put_in_addr(skb, OVPN_A_PEER_VPN_IPV4, 577 + peer->vpn_addrs.ipv4.s_addr)) 578 + goto err; 579 + 580 + if (!ipv6_addr_equal(&peer->vpn_addrs.ipv6, &in6addr_any)) 581 + if (nla_put_in6_addr(skb, OVPN_A_PEER_VPN_IPV6, 582 + &peer->vpn_addrs.ipv6)) 583 + goto err; 584 + 585 + if (nla_put_u32(skb, OVPN_A_PEER_KEEPALIVE_INTERVAL, 586 + peer->keepalive_interval) || 587 + 
nla_put_u32(skb, OVPN_A_PEER_KEEPALIVE_TIMEOUT, 588 + peer->keepalive_timeout)) 589 + goto err; 590 + 591 + rcu_read_lock(); 592 + bind = rcu_dereference(peer->bind); 593 + if (bind) { 594 + if (bind->remote.in4.sin_family == AF_INET) { 595 + if (nla_put_in_addr(skb, OVPN_A_PEER_REMOTE_IPV4, 596 + bind->remote.in4.sin_addr.s_addr) || 597 + nla_put_net16(skb, OVPN_A_PEER_REMOTE_PORT, 598 + bind->remote.in4.sin_port) || 599 + nla_put_in_addr(skb, OVPN_A_PEER_LOCAL_IPV4, 600 + bind->local.ipv4.s_addr)) 601 + goto err_unlock; 602 + } else if (bind->remote.in4.sin_family == AF_INET6) { 603 + if (nla_put_in6_addr(skb, OVPN_A_PEER_REMOTE_IPV6, 604 + &bind->remote.in6.sin6_addr) || 605 + nla_put_u32(skb, OVPN_A_PEER_REMOTE_IPV6_SCOPE_ID, 606 + bind->remote.in6.sin6_scope_id) || 607 + nla_put_net16(skb, OVPN_A_PEER_REMOTE_PORT, 608 + bind->remote.in6.sin6_port) || 609 + nla_put_in6_addr(skb, OVPN_A_PEER_LOCAL_IPV6, 610 + &bind->local.ipv6)) 611 + goto err_unlock; 612 + } 613 + } 614 + rcu_read_unlock(); 615 + 616 + if (nla_put_net16(skb, OVPN_A_PEER_LOCAL_PORT, local_port) || 617 + /* VPN RX stats */ 618 + nla_put_uint(skb, OVPN_A_PEER_VPN_RX_BYTES, 619 + atomic64_read(&peer->vpn_stats.rx.bytes)) || 620 + nla_put_uint(skb, OVPN_A_PEER_VPN_RX_PACKETS, 621 + atomic64_read(&peer->vpn_stats.rx.packets)) || 622 + /* VPN TX stats */ 623 + nla_put_uint(skb, OVPN_A_PEER_VPN_TX_BYTES, 624 + atomic64_read(&peer->vpn_stats.tx.bytes)) || 625 + nla_put_uint(skb, OVPN_A_PEER_VPN_TX_PACKETS, 626 + atomic64_read(&peer->vpn_stats.tx.packets)) || 627 + /* link RX stats */ 628 + nla_put_uint(skb, OVPN_A_PEER_LINK_RX_BYTES, 629 + atomic64_read(&peer->link_stats.rx.bytes)) || 630 + nla_put_uint(skb, OVPN_A_PEER_LINK_RX_PACKETS, 631 + atomic64_read(&peer->link_stats.rx.packets)) || 632 + /* link TX stats */ 633 + nla_put_uint(skb, OVPN_A_PEER_LINK_TX_BYTES, 634 + atomic64_read(&peer->link_stats.tx.bytes)) || 635 + nla_put_uint(skb, OVPN_A_PEER_LINK_TX_PACKETS, 636 + 
atomic64_read(&peer->link_stats.tx.packets))) 637 + goto err; 638 + 639 + nla_nest_end(skb, attr); 640 + genlmsg_end(skb, hdr); 641 + 642 + return 0; 643 + err_unlock: 644 + rcu_read_unlock(); 645 + err: 646 + genlmsg_cancel(skb, hdr); 647 + return ret; 648 + } 649 + 650 + int ovpn_nl_peer_get_doit(struct sk_buff *skb, struct genl_info *info) 651 + { 652 + struct nlattr *attrs[OVPN_A_PEER_MAX + 1]; 653 + struct ovpn_priv *ovpn = info->user_ptr[0]; 654 + struct ovpn_peer *peer; 655 + struct sk_buff *msg; 656 + u32 peer_id; 657 + int ret; 658 + 659 + if (GENL_REQ_ATTR_CHECK(info, OVPN_A_PEER)) 660 + return -EINVAL; 661 + 662 + ret = nla_parse_nested(attrs, OVPN_A_PEER_MAX, info->attrs[OVPN_A_PEER], 663 + ovpn_peer_nl_policy, info->extack); 664 + if (ret) 665 + return ret; 666 + 667 + if (NL_REQ_ATTR_CHECK(info->extack, info->attrs[OVPN_A_PEER], attrs, 668 + OVPN_A_PEER_ID)) 669 + return -EINVAL; 670 + 671 + peer_id = nla_get_u32(attrs[OVPN_A_PEER_ID]); 672 + peer = ovpn_peer_get_by_id(ovpn, peer_id); 673 + if (!peer) { 674 + NL_SET_ERR_MSG_FMT_MOD(info->extack, 675 + "cannot find peer with id %u", peer_id); 676 + return -ENOENT; 677 + } 678 + 679 + msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL); 680 + if (!msg) { 681 + ret = -ENOMEM; 682 + goto err; 683 + } 684 + 685 + ret = ovpn_nl_send_peer(msg, info, peer, info->snd_portid, 686 + info->snd_seq, 0); 687 + if (ret < 0) { 688 + nlmsg_free(msg); 689 + goto err; 690 + } 691 + 692 + ret = genlmsg_reply(msg, info); 693 + err: 694 + ovpn_peer_put(peer); 695 + return ret; 696 + } 697 + 698 + int ovpn_nl_peer_get_dumpit(struct sk_buff *skb, struct netlink_callback *cb) 699 + { 700 + const struct genl_info *info = genl_info_dump(cb); 701 + int bkt, last_idx = cb->args[1], dumped = 0; 702 + netdevice_tracker tracker; 703 + struct ovpn_priv *ovpn; 704 + struct ovpn_peer *peer; 705 + 706 + ovpn = ovpn_get_dev_from_attrs(sock_net(cb->skb->sk), info, &tracker); 707 + if (IS_ERR(ovpn)) 708 + return PTR_ERR(ovpn); 709 + 710 + if 
(ovpn->mode == OVPN_MODE_P2P) { 711 + /* if we already dumped a peer it means we are done */ 712 + if (last_idx) 713 + goto out; 714 + 715 + rcu_read_lock(); 716 + peer = rcu_dereference(ovpn->peer); 717 + if (peer) { 718 + if (ovpn_nl_send_peer(skb, info, peer, 719 + NETLINK_CB(cb->skb).portid, 720 + cb->nlh->nlmsg_seq, 721 + NLM_F_MULTI) == 0) 722 + dumped++; 723 + } 724 + rcu_read_unlock(); 725 + } else { 726 + rcu_read_lock(); 727 + hash_for_each_rcu(ovpn->peers->by_id, bkt, peer, 728 + hash_entry_id) { 729 + /* skip already dumped peers that were dumped by 730 + * previous invocations 731 + */ 732 + if (last_idx > 0) { 733 + last_idx--; 734 + continue; 735 + } 736 + 737 + if (ovpn_nl_send_peer(skb, info, peer, 738 + NETLINK_CB(cb->skb).portid, 739 + cb->nlh->nlmsg_seq, 740 + NLM_F_MULTI) < 0) 741 + break; 742 + 743 + /* count peers being dumped during this invocation */ 744 + dumped++; 745 + } 746 + rcu_read_unlock(); 747 + } 748 + 749 + out: 750 + netdev_put(ovpn->dev, &tracker); 751 + 752 + /* sum up peers dumped in this message, so that at the next invocation 753 + * we can continue from where we left 754 + */ 755 + cb->args[1] += dumped; 756 + return skb->len; 757 + } 758 + 759 + int ovpn_nl_peer_del_doit(struct sk_buff *skb, struct genl_info *info) 760 + { 761 + struct nlattr *attrs[OVPN_A_PEER_MAX + 1]; 762 + struct ovpn_priv *ovpn = info->user_ptr[0]; 763 + struct ovpn_peer *peer; 764 + u32 peer_id; 765 + int ret; 766 + 767 + if (GENL_REQ_ATTR_CHECK(info, OVPN_A_PEER)) 768 + return -EINVAL; 769 + 770 + ret = nla_parse_nested(attrs, OVPN_A_PEER_MAX, info->attrs[OVPN_A_PEER], 771 + ovpn_peer_nl_policy, info->extack); 772 + if (ret) 773 + return ret; 774 + 775 + if (NL_REQ_ATTR_CHECK(info->extack, info->attrs[OVPN_A_PEER], attrs, 776 + OVPN_A_PEER_ID)) 777 + return -EINVAL; 778 + 779 + peer_id = nla_get_u32(attrs[OVPN_A_PEER_ID]); 780 + peer = ovpn_peer_get_by_id(ovpn, peer_id); 781 + if (!peer) { 782 + NL_SET_ERR_MSG_FMT_MOD(info->extack, 783 + "cannot 
find peer with id %u", peer_id); 784 + return -ENOENT; 785 + } 786 + 787 + netdev_dbg(ovpn->dev, "del peer %u\n", peer->id); 788 + ret = ovpn_peer_del(peer, OVPN_DEL_PEER_REASON_USERSPACE); 789 + ovpn_peer_put(peer); 790 + 791 + return ret; 792 + } 793 + 794 + static int ovpn_nl_get_key_dir(struct genl_info *info, struct nlattr *key, 795 + enum ovpn_cipher_alg cipher, 796 + struct ovpn_key_direction *dir) 797 + { 798 + struct nlattr *attrs[OVPN_A_KEYDIR_MAX + 1]; 799 + int ret; 800 + 801 + ret = nla_parse_nested(attrs, OVPN_A_KEYDIR_MAX, key, 802 + ovpn_keydir_nl_policy, info->extack); 803 + if (ret) 804 + return ret; 805 + 806 + switch (cipher) { 807 + case OVPN_CIPHER_ALG_AES_GCM: 808 + case OVPN_CIPHER_ALG_CHACHA20_POLY1305: 809 + if (NL_REQ_ATTR_CHECK(info->extack, key, attrs, 810 + OVPN_A_KEYDIR_CIPHER_KEY) || 811 + NL_REQ_ATTR_CHECK(info->extack, key, attrs, 812 + OVPN_A_KEYDIR_NONCE_TAIL)) 813 + return -EINVAL; 814 + 815 + dir->cipher_key = nla_data(attrs[OVPN_A_KEYDIR_CIPHER_KEY]); 816 + dir->cipher_key_size = nla_len(attrs[OVPN_A_KEYDIR_CIPHER_KEY]); 817 + 818 + /* These algorithms require a 96bit nonce, 819 + * Construct it by combining 4-bytes packet id and 820 + * 8-bytes nonce-tail from userspace 821 + */ 822 + dir->nonce_tail = nla_data(attrs[OVPN_A_KEYDIR_NONCE_TAIL]); 823 + dir->nonce_tail_size = nla_len(attrs[OVPN_A_KEYDIR_NONCE_TAIL]); 824 + break; 825 + default: 826 + NL_SET_ERR_MSG_MOD(info->extack, "unsupported cipher"); 827 + return -EINVAL; 828 + } 829 + 830 + return 0; 831 + } 832 + 833 + /** 834 + * ovpn_nl_key_new_doit - configure a new key for the specified peer 835 + * @skb: incoming netlink message 836 + * @info: genetlink metadata 837 + * 838 + * This function allows the user to install a new key in the peer crypto 839 + * state. 840 + * Each peer has two 'slots', namely 'primary' and 'secondary', where 841 + * keys can be installed. 
The key in the 'primary' slot is used for 842 + * encryption, while both keys can be used for decryption by matching the 843 + * key ID carried in the incoming packet. 844 + * 845 + * The user is responsible for rotating keys when necessary. The user 846 + * may fetch peer traffic statistics via netlink in order to better 847 + * identify the right time to rotate keys. 848 + * The renegotiation follows these steps: 849 + * 1. a new key is computed by the user and is installed in the 'secondary' 850 + * slot 851 + * 2. at user discretion (usually after a predetermined time) 'primary' and 852 + * 'secondary' contents are swapped and the new key starts being used for 853 + * encryption, while the old key is kept around for decryption of late 854 + * packets. 855 + * 856 + * Return: 0 on success or a negative error code otherwise. 857 + */ 858 + int ovpn_nl_key_new_doit(struct sk_buff *skb, struct genl_info *info) 859 + { 860 + struct nlattr *attrs[OVPN_A_KEYCONF_MAX + 1]; 861 + struct ovpn_priv *ovpn = info->user_ptr[0]; 862 + struct ovpn_peer_key_reset pkr; 863 + struct ovpn_peer *peer; 864 + u32 peer_id; 865 + int ret; 866 + 867 + if (GENL_REQ_ATTR_CHECK(info, OVPN_A_KEYCONF)) 868 + return -EINVAL; 869 + 870 + ret = nla_parse_nested(attrs, OVPN_A_KEYCONF_MAX, 871 + info->attrs[OVPN_A_KEYCONF], 872 + ovpn_keyconf_nl_policy, info->extack); 873 + if (ret) 874 + return ret; 875 + 876 + if (NL_REQ_ATTR_CHECK(info->extack, info->attrs[OVPN_A_KEYCONF], attrs, 877 + OVPN_A_KEYCONF_PEER_ID)) 878 + return -EINVAL; 879 + 880 + if (NL_REQ_ATTR_CHECK(info->extack, info->attrs[OVPN_A_KEYCONF], attrs, 881 + OVPN_A_KEYCONF_SLOT) || 882 + NL_REQ_ATTR_CHECK(info->extack, info->attrs[OVPN_A_KEYCONF], attrs, 883 + OVPN_A_KEYCONF_KEY_ID) || 884 + NL_REQ_ATTR_CHECK(info->extack, info->attrs[OVPN_A_KEYCONF], attrs, 885 + OVPN_A_KEYCONF_CIPHER_ALG) || 886 + NL_REQ_ATTR_CHECK(info->extack, info->attrs[OVPN_A_KEYCONF], attrs, 887 + OVPN_A_KEYCONF_ENCRYPT_DIR) || 888 + 
NL_REQ_ATTR_CHECK(info->extack, info->attrs[OVPN_A_KEYCONF], attrs, 889 + OVPN_A_KEYCONF_DECRYPT_DIR)) 890 + return -EINVAL; 891 + 892 + pkr.slot = nla_get_u32(attrs[OVPN_A_KEYCONF_SLOT]); 893 + pkr.key.key_id = nla_get_u32(attrs[OVPN_A_KEYCONF_KEY_ID]); 894 + pkr.key.cipher_alg = nla_get_u32(attrs[OVPN_A_KEYCONF_CIPHER_ALG]); 895 + 896 + ret = ovpn_nl_get_key_dir(info, attrs[OVPN_A_KEYCONF_ENCRYPT_DIR], 897 + pkr.key.cipher_alg, &pkr.key.encrypt); 898 + if (ret < 0) 899 + return ret; 900 + 901 + ret = ovpn_nl_get_key_dir(info, attrs[OVPN_A_KEYCONF_DECRYPT_DIR], 902 + pkr.key.cipher_alg, &pkr.key.decrypt); 903 + if (ret < 0) 904 + return ret; 905 + 906 + peer_id = nla_get_u32(attrs[OVPN_A_KEYCONF_PEER_ID]); 907 + peer = ovpn_peer_get_by_id(ovpn, peer_id); 908 + if (!peer) { 909 + NL_SET_ERR_MSG_FMT_MOD(info->extack, 910 + "no peer with id %u to set key for", 911 + peer_id); 912 + return -ENOENT; 913 + } 914 + 915 + ret = ovpn_crypto_state_reset(&peer->crypto, &pkr); 916 + if (ret < 0) { 917 + NL_SET_ERR_MSG_FMT_MOD(info->extack, 918 + "cannot install new key for peer %u", 919 + peer_id); 920 + goto out; 921 + } 922 + 923 + netdev_dbg(ovpn->dev, "new key installed (id=%u) for peer %u\n", 924 + pkr.key.key_id, peer_id); 925 + out: 926 + ovpn_peer_put(peer); 927 + return ret; 928 + } 929 + 930 + static int ovpn_nl_send_key(struct sk_buff *skb, const struct genl_info *info, 931 + u32 peer_id, enum ovpn_key_slot slot, 932 + const struct ovpn_key_config *keyconf) 933 + { 934 + struct nlattr *attr; 935 + void *hdr; 936 + 937 + hdr = genlmsg_put(skb, info->snd_portid, info->snd_seq, &ovpn_nl_family, 938 + 0, OVPN_CMD_KEY_GET); 939 + if (!hdr) 940 + return -ENOBUFS; 941 + 942 + attr = nla_nest_start(skb, OVPN_A_KEYCONF); 943 + if (!attr) 944 + goto err; 945 + 946 + if (nla_put_u32(skb, OVPN_A_KEYCONF_PEER_ID, peer_id)) 947 + goto err; 948 + 949 + if (nla_put_u32(skb, OVPN_A_KEYCONF_SLOT, slot) || 950 + nla_put_u32(skb, OVPN_A_KEYCONF_KEY_ID, keyconf->key_id) || 951 + 
nla_put_u32(skb, OVPN_A_KEYCONF_CIPHER_ALG, keyconf->cipher_alg)) 952 + goto err; 953 + 954 + nla_nest_end(skb, attr); 955 + genlmsg_end(skb, hdr); 956 + 957 + return 0; 958 + err: 959 + genlmsg_cancel(skb, hdr); 960 + return -EMSGSIZE; 961 + } 962 + 963 + int ovpn_nl_key_get_doit(struct sk_buff *skb, struct genl_info *info) 964 + { 965 + struct nlattr *attrs[OVPN_A_KEYCONF_MAX + 1]; 966 + struct ovpn_priv *ovpn = info->user_ptr[0]; 967 + struct ovpn_key_config keyconf = { 0 }; 968 + enum ovpn_key_slot slot; 969 + struct ovpn_peer *peer; 970 + struct sk_buff *msg; 971 + u32 peer_id; 972 + int ret; 973 + 974 + if (GENL_REQ_ATTR_CHECK(info, OVPN_A_KEYCONF)) 975 + return -EINVAL; 976 + 977 + ret = nla_parse_nested(attrs, OVPN_A_KEYCONF_MAX, 978 + info->attrs[OVPN_A_KEYCONF], 979 + ovpn_keyconf_nl_policy, info->extack); 980 + if (ret) 981 + return ret; 982 + 983 + if (NL_REQ_ATTR_CHECK(info->extack, info->attrs[OVPN_A_KEYCONF], attrs, 984 + OVPN_A_KEYCONF_PEER_ID)) 985 + return -EINVAL; 986 + 987 + if (NL_REQ_ATTR_CHECK(info->extack, info->attrs[OVPN_A_KEYCONF], attrs, 988 + OVPN_A_KEYCONF_SLOT)) 989 + return -EINVAL; 990 + 991 + peer_id = nla_get_u32(attrs[OVPN_A_KEYCONF_PEER_ID]); 992 + peer = ovpn_peer_get_by_id(ovpn, peer_id); 993 + if (!peer) { 994 + NL_SET_ERR_MSG_FMT_MOD(info->extack, 995 + "cannot find peer with id %u", peer_id); 996 + return -ENOENT; 997 + } 998 + 999 + slot = nla_get_u32(attrs[OVPN_A_KEYCONF_SLOT]); 1000 + 1001 + ret = ovpn_crypto_config_get(&peer->crypto, slot, &keyconf); 1002 + if (ret < 0) { 1003 + NL_SET_ERR_MSG_FMT_MOD(info->extack, 1004 + "cannot extract key from slot %u for peer %u", 1005 + slot, peer_id); 1006 + goto err; 1007 + } 1008 + 1009 + msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL); 1010 + if (!msg) { 1011 + ret = -ENOMEM; 1012 + goto err; 1013 + } 1014 + 1015 + ret = ovpn_nl_send_key(msg, info, peer->id, slot, &keyconf); 1016 + if (ret < 0) { 1017 + nlmsg_free(msg); 1018 + goto err; 1019 + } 1020 + 1021 + ret = 
genlmsg_reply(msg, info); 1022 + err: 1023 + ovpn_peer_put(peer); 1024 + return ret; 1025 + } 1026 + 1027 + int ovpn_nl_key_swap_doit(struct sk_buff *skb, struct genl_info *info) 1028 + { 1029 + struct ovpn_priv *ovpn = info->user_ptr[0]; 1030 + struct nlattr *attrs[OVPN_A_PEER_MAX + 1]; 1031 + struct ovpn_peer *peer; 1032 + u32 peer_id; 1033 + int ret; 1034 + 1035 + if (GENL_REQ_ATTR_CHECK(info, OVPN_A_KEYCONF)) 1036 + return -EINVAL; 1037 + 1038 + ret = nla_parse_nested(attrs, OVPN_A_KEYCONF_MAX, 1039 + info->attrs[OVPN_A_KEYCONF], 1040 + ovpn_keyconf_nl_policy, info->extack); 1041 + if (ret) 1042 + return ret; 1043 + 1044 + if (NL_REQ_ATTR_CHECK(info->extack, info->attrs[OVPN_A_KEYCONF], attrs, 1045 + OVPN_A_KEYCONF_PEER_ID)) 1046 + return -EINVAL; 1047 + 1048 + peer_id = nla_get_u32(attrs[OVPN_A_KEYCONF_PEER_ID]); 1049 + peer = ovpn_peer_get_by_id(ovpn, peer_id); 1050 + if (!peer) { 1051 + NL_SET_ERR_MSG_FMT_MOD(info->extack, 1052 + "no peer with id %u to swap keys for", 1053 + peer_id); 1054 + return -ENOENT; 1055 + } 1056 + 1057 + ovpn_crypto_key_slots_swap(&peer->crypto); 1058 + ovpn_peer_put(peer); 1059 + 1060 + return 0; 1061 + } 1062 + 1063 + int ovpn_nl_key_del_doit(struct sk_buff *skb, struct genl_info *info) 1064 + { 1065 + struct nlattr *attrs[OVPN_A_KEYCONF_MAX + 1]; 1066 + struct ovpn_priv *ovpn = info->user_ptr[0]; 1067 + enum ovpn_key_slot slot; 1068 + struct ovpn_peer *peer; 1069 + u32 peer_id; 1070 + int ret; 1071 + 1072 + if (GENL_REQ_ATTR_CHECK(info, OVPN_A_KEYCONF)) 1073 + return -EINVAL; 1074 + 1075 + ret = nla_parse_nested(attrs, OVPN_A_KEYCONF_MAX, 1076 + info->attrs[OVPN_A_KEYCONF], 1077 + ovpn_keyconf_nl_policy, info->extack); 1078 + if (ret) 1079 + return ret; 1080 + 1081 + if (NL_REQ_ATTR_CHECK(info->extack, info->attrs[OVPN_A_KEYCONF], attrs, 1082 + OVPN_A_KEYCONF_PEER_ID)) 1083 + return -EINVAL; 1084 + 1085 + if (NL_REQ_ATTR_CHECK(info->extack, info->attrs[OVPN_A_KEYCONF], attrs, 1086 + OVPN_A_KEYCONF_SLOT)) 1087 + return -EINVAL; 
1088 + 1089 + peer_id = nla_get_u32(attrs[OVPN_A_KEYCONF_PEER_ID]); 1090 + slot = nla_get_u32(attrs[OVPN_A_KEYCONF_SLOT]); 1091 + 1092 + peer = ovpn_peer_get_by_id(ovpn, peer_id); 1093 + if (!peer) { 1094 + NL_SET_ERR_MSG_FMT_MOD(info->extack, 1095 + "no peer with id %u to delete key for", 1096 + peer_id); 1097 + return -ENOENT; 1098 + } 1099 + 1100 + ovpn_crypto_key_slot_delete(&peer->crypto, slot); 1101 + ovpn_peer_put(peer); 1102 + 1103 + return 0; 1104 + } 1105 + 1106 + /** 1107 + * ovpn_nl_peer_del_notify - notify userspace about peer being deleted 1108 + * @peer: the peer being deleted 1109 + * 1110 + * Return: 0 on success or a negative error code otherwise 1111 + */ 1112 + int ovpn_nl_peer_del_notify(struct ovpn_peer *peer) 1113 + { 1114 + struct ovpn_socket *sock; 1115 + struct sk_buff *msg; 1116 + struct nlattr *attr; 1117 + int ret = -EMSGSIZE; 1118 + void *hdr; 1119 + 1120 + netdev_info(peer->ovpn->dev, "deleting peer with id %u, reason %d\n", 1121 + peer->id, peer->delete_reason); 1122 + 1123 + msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_ATOMIC); 1124 + if (!msg) 1125 + return -ENOMEM; 1126 + 1127 + hdr = genlmsg_put(msg, 0, 0, &ovpn_nl_family, 0, OVPN_CMD_PEER_DEL_NTF); 1128 + if (!hdr) { 1129 + ret = -ENOBUFS; 1130 + goto err_free_msg; 1131 + } 1132 + 1133 + if (nla_put_u32(msg, OVPN_A_IFINDEX, peer->ovpn->dev->ifindex)) 1134 + goto err_cancel_msg; 1135 + 1136 + attr = nla_nest_start(msg, OVPN_A_PEER); 1137 + if (!attr) 1138 + goto err_cancel_msg; 1139 + 1140 + if (nla_put_u32(msg, OVPN_A_PEER_DEL_REASON, peer->delete_reason)) 1141 + goto err_cancel_msg; 1142 + 1143 + if (nla_put_u32(msg, OVPN_A_PEER_ID, peer->id)) 1144 + goto err_cancel_msg; 1145 + 1146 + nla_nest_end(msg, attr); 1147 + 1148 + genlmsg_end(msg, hdr); 1149 + 1150 + rcu_read_lock(); 1151 + sock = rcu_dereference(peer->sock); 1152 + if (!sock) { 1153 + ret = -EINVAL; 1154 + goto err_unlock; 1155 + } 1156 + genlmsg_multicast_netns(&ovpn_nl_family, sock_net(sock->sock->sk), 1157 + msg, 0, 
OVPN_NLGRP_PEERS, GFP_ATOMIC); 1158 + rcu_read_unlock(); 1159 + 1160 + return 0; 1161 + 1162 + err_unlock: 1163 + rcu_read_unlock(); 1164 + err_cancel_msg: 1165 + genlmsg_cancel(msg, hdr); 1166 + err_free_msg: 1167 + nlmsg_free(msg); 1168 + return ret; 1169 + } 1170 + 1171 + /** 1172 + * ovpn_nl_key_swap_notify - notify userspace peer's key must be renewed 1173 + * @peer: the peer whose key needs to be renewed 1174 + * @key_id: the ID of the key that needs to be renewed 1175 + * 1176 + * Return: 0 on success or a negative error code otherwise 1177 + */ 1178 + int ovpn_nl_key_swap_notify(struct ovpn_peer *peer, u8 key_id) 1179 + { 1180 + struct ovpn_socket *sock; 1181 + struct nlattr *k_attr; 1182 + struct sk_buff *msg; 1183 + int ret = -EMSGSIZE; 1184 + void *hdr; 1185 + 1186 + netdev_info(peer->ovpn->dev, "peer with id %u must rekey - primary key unusable.\n", 1187 + peer->id); 1188 + 1189 + msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_ATOMIC); 1190 + if (!msg) 1191 + return -ENOMEM; 1192 + 1193 + hdr = genlmsg_put(msg, 0, 0, &ovpn_nl_family, 0, OVPN_CMD_KEY_SWAP_NTF); 1194 + if (!hdr) { 1195 + ret = -ENOBUFS; 1196 + goto err_free_msg; 1197 + } 1198 + 1199 + if (nla_put_u32(msg, OVPN_A_IFINDEX, peer->ovpn->dev->ifindex)) 1200 + goto err_cancel_msg; 1201 + 1202 + k_attr = nla_nest_start(msg, OVPN_A_KEYCONF); 1203 + if (!k_attr) 1204 + goto err_cancel_msg; 1205 + 1206 + if (nla_put_u32(msg, OVPN_A_KEYCONF_PEER_ID, peer->id)) 1207 + goto err_cancel_msg; 1208 + 1209 + if (nla_put_u16(msg, OVPN_A_KEYCONF_KEY_ID, key_id)) 1210 + goto err_cancel_msg; 1211 + 1212 + nla_nest_end(msg, k_attr); 1213 + genlmsg_end(msg, hdr); 1214 + 1215 + rcu_read_lock(); 1216 + sock = rcu_dereference(peer->sock); 1217 + if (!sock) { 1218 + ret = -EINVAL; 1219 + goto err_unlock; 1220 + } 1221 + genlmsg_multicast_netns(&ovpn_nl_family, sock_net(sock->sock->sk), 1222 + msg, 0, OVPN_NLGRP_PEERS, GFP_ATOMIC); 1223 + rcu_read_unlock(); 1224 + 1225 + return 0; 1226 + err_unlock: 1227 + 
rcu_read_unlock(); 1228 + err_cancel_msg: 1229 + genlmsg_cancel(msg, hdr); 1230 + err_free_msg: 1231 + nlmsg_free(msg); 1232 + return ret; 1233 + } 1234 + 1235 + /** 1236 + * ovpn_nl_register - perform any needed registration in the NL subsustem 1237 + * 1238 + * Return: 0 on success, a negative error code otherwise 1239 + */ 1240 + int __init ovpn_nl_register(void) 1241 + { 1242 + int ret = genl_register_family(&ovpn_nl_family); 1243 + 1244 + if (ret) { 1245 + pr_err("ovpn: genl_register_family failed: %d\n", ret); 1246 + return ret; 1247 + } 1248 + 1249 + return 0; 1250 + } 1251 + 1252 + /** 1253 + * ovpn_nl_unregister - undo any module wide netlink registration 1254 + */ 1255 + void ovpn_nl_unregister(void) 1256 + { 1257 + genl_unregister_family(&ovpn_nl_family); 1258 + }
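Review bot: In ovpn_nl_key_swap_doit the attribute array is declared as `struct nlattr *attrs[OVPN_A_PEER_MAX + 1];` but is filled by `nla_parse_nested(attrs, OVPN_A_KEYCONF_MAX, ...)`, so it is sized for the wrong attribute set; whenever OVPN_A_KEYCONF_MAX is larger than OVPN_A_PEER_MAX the parser writes past the end of the stack array. Declare it as `struct nlattr *attrs[OVPN_A_KEYCONF_MAX + 1];`, which is what ovpn_nl_key_del_doit already does a few lines below.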
+18
drivers/net/ovpn/netlink.h
··· 1 + /* SPDX-License-Identifier: GPL-2.0-only */ 2 + /* OpenVPN data channel offload 3 + * 4 + * Copyright (C) 2020-2025 OpenVPN, Inc. 5 + * 6 + * Author: Antonio Quartulli <antonio@openvpn.net> 7 + */ 8 + 9 + #ifndef _NET_OVPN_NETLINK_H_ 10 + #define _NET_OVPN_NETLINK_H_ 11 + 12 + int ovpn_nl_register(void); 13 + void ovpn_nl_unregister(void); 14 + 15 + int ovpn_nl_peer_del_notify(struct ovpn_peer *peer); 16 + int ovpn_nl_key_swap_notify(struct ovpn_peer *peer, u8 key_id); 17 + 18 + #endif /* _NET_OVPN_NETLINK_H_ */
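Review bot: The header is not self-contained: the prototypes for ovpn_nl_peer_del_notify and ovpn_nl_key_swap_notify use `struct ovpn_peer` and `u8` without a forward declaration or an include, so the file only compiles when the including .c file has already pulled in peer.h and linux/types.h. Add `struct ovpn_peer;` and `#include <linux/types.h>` right after the include guard so the header can be included in any order.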
+55
drivers/net/ovpn/ovpnpriv.h
··· 1 + /* SPDX-License-Identifier: GPL-2.0-only */ 2 + /* OpenVPN data channel offload 3 + * 4 + * Copyright (C) 2019-2025 OpenVPN, Inc. 5 + * 6 + * Author: James Yonan <james@openvpn.net> 7 + * Antonio Quartulli <antonio@openvpn.net> 8 + */ 9 + 10 + #ifndef _NET_OVPN_OVPNSTRUCT_H_ 11 + #define _NET_OVPN_OVPNSTRUCT_H_ 12 + 13 + #include <linux/workqueue.h> 14 + #include <net/gro_cells.h> 15 + #include <uapi/linux/if_link.h> 16 + #include <uapi/linux/ovpn.h> 17 + 18 + /** 19 + * struct ovpn_peer_collection - container of peers for MultiPeer mode 20 + * @by_id: table of peers index by ID 21 + * @by_vpn_addr4: table of peers indexed by VPN IPv4 address (items can be 22 + * rehashed on the fly due to peer IP change) 23 + * @by_vpn_addr6: table of peers indexed by VPN IPv6 address (items can be 24 + * rehashed on the fly due to peer IP change) 25 + * @by_transp_addr: table of peers indexed by transport address (items can be 26 + * rehashed on the fly due to peer IP change) 27 + */ 28 + struct ovpn_peer_collection { 29 + DECLARE_HASHTABLE(by_id, 12); 30 + struct hlist_nulls_head by_vpn_addr4[1 << 12]; 31 + struct hlist_nulls_head by_vpn_addr6[1 << 12]; 32 + struct hlist_nulls_head by_transp_addr[1 << 12]; 33 + }; 34 + 35 + /** 36 + * struct ovpn_priv - per ovpn interface state 37 + * @dev: the actual netdev representing the tunnel 38 + * @mode: device operation mode (i.e. p2p, mp, ..) 
39 + * @lock: protect this object 40 + * @peers: data structures holding multi-peer references 41 + * @peer: in P2P mode, this is the only remote peer 42 + * @gro_cells: pointer to the Generic Receive Offload cell 43 + * @keepalive_work: struct used to schedule keepalive periodic job 44 + */ 45 + struct ovpn_priv { 46 + struct net_device *dev; 47 + enum ovpn_mode mode; 48 + spinlock_t lock; /* protect writing to the ovpn_priv object */ 49 + struct ovpn_peer_collection *peers; 50 + struct ovpn_peer __rcu *peer; 51 + struct gro_cells gro_cells; 52 + struct delayed_work keepalive_work; 53 + }; 54 + 55 + #endif /* _NET_OVPN_OVPNSTRUCT_H_ */
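Review bot: The include guard `_NET_OVPN_OVPNSTRUCT_H_` does not match the file name ovpnpriv.h; consider renaming it to `_NET_OVPN_OVPNPRIV_H_`. The header also relies on include order: struct ovpn_peer_collection uses DECLARE_HASHTABLE and struct hlist_nulls_head, and struct ovpn_priv uses spinlock_t, yet only workqueue.h, gro_cells.h and the two uapi headers are included; add linux/hashtable.h, linux/list_nulls.h and linux/spinlock.h. Minor: the kernel-doc for @lock says "protect this object" while the inline comment on the member says "protect writing to the ovpn_priv object"; keep one wording so the locking rule is stated unambiguously.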
+1365
drivers/net/ovpn/peer.c
··· 1 + // SPDX-License-Identifier: GPL-2.0 2 + /* OpenVPN data channel offload 3 + * 4 + * Copyright (C) 2020-2025 OpenVPN, Inc. 5 + * 6 + * Author: James Yonan <james@openvpn.net> 7 + * Antonio Quartulli <antonio@openvpn.net> 8 + */ 9 + 10 + #include <linux/skbuff.h> 11 + #include <linux/list.h> 12 + #include <linux/hashtable.h> 13 + #include <net/ip6_route.h> 14 + 15 + #include "ovpnpriv.h" 16 + #include "bind.h" 17 + #include "pktid.h" 18 + #include "crypto.h" 19 + #include "io.h" 20 + #include "main.h" 21 + #include "netlink.h" 22 + #include "peer.h" 23 + #include "socket.h" 24 + 25 + static void unlock_ovpn(struct ovpn_priv *ovpn, 26 + struct llist_head *release_list) 27 + __releases(&ovpn->lock) 28 + { 29 + struct ovpn_peer *peer; 30 + 31 + spin_unlock_bh(&ovpn->lock); 32 + 33 + llist_for_each_entry(peer, release_list->first, release_entry) { 34 + ovpn_socket_release(peer); 35 + ovpn_peer_put(peer); 36 + } 37 + } 38 + 39 + /** 40 + * ovpn_peer_keepalive_set - configure keepalive values for peer 41 + * @peer: the peer to configure 42 + * @interval: outgoing keepalive interval 43 + * @timeout: incoming keepalive timeout 44 + */ 45 + void ovpn_peer_keepalive_set(struct ovpn_peer *peer, u32 interval, u32 timeout) 46 + { 47 + time64_t now = ktime_get_real_seconds(); 48 + 49 + netdev_dbg(peer->ovpn->dev, 50 + "scheduling keepalive for peer %u: interval=%u timeout=%u\n", 51 + peer->id, interval, timeout); 52 + 53 + peer->keepalive_interval = interval; 54 + WRITE_ONCE(peer->last_sent, now); 55 + peer->keepalive_xmit_exp = now + interval; 56 + 57 + peer->keepalive_timeout = timeout; 58 + WRITE_ONCE(peer->last_recv, now); 59 + peer->keepalive_recv_exp = now + timeout; 60 + 61 + /* now that interval and timeout have been changed, kick 62 + * off the worker so that the next delay can be recomputed 63 + */ 64 + mod_delayed_work(system_wq, &peer->ovpn->keepalive_work, 0); 65 + } 66 + 67 + /** 68 + * ovpn_peer_keepalive_send - periodic worker sending keepalive packets 69 + 
* @work: pointer to the work member of the related peer object 70 + * 71 + * NOTE: the reference to peer is not dropped because it gets inherited 72 + * by ovpn_xmit_special() 73 + */ 74 + static void ovpn_peer_keepalive_send(struct work_struct *work) 75 + { 76 + struct ovpn_peer *peer = container_of(work, struct ovpn_peer, 77 + keepalive_work); 78 + 79 + local_bh_disable(); 80 + ovpn_xmit_special(peer, ovpn_keepalive_message, 81 + sizeof(ovpn_keepalive_message)); 82 + local_bh_enable(); 83 + } 84 + 85 + /** 86 + * ovpn_peer_new - allocate and initialize a new peer object 87 + * @ovpn: the openvpn instance inside which the peer should be created 88 + * @id: the ID assigned to this peer 89 + * 90 + * Return: a pointer to the new peer on success or an error code otherwise 91 + */ 92 + struct ovpn_peer *ovpn_peer_new(struct ovpn_priv *ovpn, u32 id) 93 + { 94 + struct ovpn_peer *peer; 95 + int ret; 96 + 97 + /* alloc and init peer object */ 98 + peer = kzalloc(sizeof(*peer), GFP_KERNEL); 99 + if (!peer) 100 + return ERR_PTR(-ENOMEM); 101 + 102 + peer->id = id; 103 + peer->ovpn = ovpn; 104 + 105 + peer->vpn_addrs.ipv4.s_addr = htonl(INADDR_ANY); 106 + peer->vpn_addrs.ipv6 = in6addr_any; 107 + 108 + RCU_INIT_POINTER(peer->bind, NULL); 109 + ovpn_crypto_state_init(&peer->crypto); 110 + spin_lock_init(&peer->lock); 111 + kref_init(&peer->refcount); 112 + ovpn_peer_stats_init(&peer->vpn_stats); 113 + ovpn_peer_stats_init(&peer->link_stats); 114 + INIT_WORK(&peer->keepalive_work, ovpn_peer_keepalive_send); 115 + 116 + ret = dst_cache_init(&peer->dst_cache, GFP_KERNEL); 117 + if (ret < 0) { 118 + netdev_err(ovpn->dev, 119 + "cannot initialize dst cache for peer %u\n", 120 + peer->id); 121 + kfree(peer); 122 + return ERR_PTR(ret); 123 + } 124 + 125 + netdev_hold(ovpn->dev, &peer->dev_tracker, GFP_KERNEL); 126 + 127 + return peer; 128 + } 129 + 130 + /** 131 + * ovpn_peer_reset_sockaddr - recreate binding for peer 132 + * @peer: peer to recreate the binding for 133 + * @ss: 
sockaddr to use as remote endpoint for the binding 134 + * @local_ip: local IP for the binding 135 + * 136 + * Return: 0 on success or a negative error code otherwise 137 + */ 138 + int ovpn_peer_reset_sockaddr(struct ovpn_peer *peer, 139 + const struct sockaddr_storage *ss, 140 + const void *local_ip) 141 + { 142 + struct ovpn_bind *bind; 143 + size_t ip_len; 144 + 145 + lockdep_assert_held(&peer->lock); 146 + 147 + /* create new ovpn_bind object */ 148 + bind = ovpn_bind_from_sockaddr(ss); 149 + if (IS_ERR(bind)) 150 + return PTR_ERR(bind); 151 + 152 + if (local_ip) { 153 + if (ss->ss_family == AF_INET) { 154 + ip_len = sizeof(struct in_addr); 155 + } else if (ss->ss_family == AF_INET6) { 156 + ip_len = sizeof(struct in6_addr); 157 + } else { 158 + net_dbg_ratelimited("%s: invalid family %u for remote endpoint for peer %u\n", 159 + netdev_name(peer->ovpn->dev), 160 + ss->ss_family, peer->id); 161 + kfree(bind); 162 + return -EINVAL; 163 + } 164 + 165 + memcpy(&bind->local, local_ip, ip_len); 166 + } 167 + 168 + /* set binding */ 169 + ovpn_bind_reset(peer, bind); 170 + 171 + return 0; 172 + } 173 + 174 + /* variable name __tbl2 needs to be different from __tbl1 175 + * in the macro below to avoid confusing clang 176 + */ 177 + #define ovpn_get_hash_slot(_tbl, _key, _key_len) ({ \ 178 + typeof(_tbl) *__tbl2 = &(_tbl); \ 179 + jhash(_key, _key_len, 0) % HASH_SIZE(*__tbl2); \ 180 + }) 181 + 182 + #define ovpn_get_hash_head(_tbl, _key, _key_len) ({ \ 183 + typeof(_tbl) *__tbl1 = &(_tbl); \ 184 + &(*__tbl1)[ovpn_get_hash_slot(*__tbl1, _key, _key_len)];\ 185 + }) 186 + 187 + /** 188 + * ovpn_peer_endpoints_update - update remote or local endpoint for peer 189 + * @peer: peer to update the remote endpoint for 190 + * @skb: incoming packet to retrieve the source/destination address from 191 + */ 192 + void ovpn_peer_endpoints_update(struct ovpn_peer *peer, struct sk_buff *skb) 193 + { 194 + struct hlist_nulls_head *nhead; 195 + struct sockaddr_storage ss; 196 + struct 
sockaddr_in6 *sa6; 197 + bool reset_cache = false; 198 + struct sockaddr_in *sa; 199 + struct ovpn_bind *bind; 200 + const void *local_ip; 201 + size_t salen = 0; 202 + 203 + spin_lock_bh(&peer->lock); 204 + bind = rcu_dereference_protected(peer->bind, 205 + lockdep_is_held(&peer->lock)); 206 + if (unlikely(!bind)) 207 + goto unlock; 208 + 209 + switch (skb->protocol) { 210 + case htons(ETH_P_IP): 211 + /* float check */ 212 + if (unlikely(!ovpn_bind_skb_src_match(bind, skb))) { 213 + /* unconditionally save local endpoint in case 214 + * of float, as it may have changed as well 215 + */ 216 + local_ip = &ip_hdr(skb)->daddr; 217 + sa = (struct sockaddr_in *)&ss; 218 + sa->sin_family = AF_INET; 219 + sa->sin_addr.s_addr = ip_hdr(skb)->saddr; 220 + sa->sin_port = udp_hdr(skb)->source; 221 + salen = sizeof(*sa); 222 + reset_cache = true; 223 + break; 224 + } 225 + 226 + /* if no float happened, let's double check if the local endpoint 227 + * has changed 228 + */ 229 + if (unlikely(bind->local.ipv4.s_addr != ip_hdr(skb)->daddr)) { 230 + net_dbg_ratelimited("%s: learning local IPv4 for peer %d (%pI4 -> %pI4)\n", 231 + netdev_name(peer->ovpn->dev), 232 + peer->id, &bind->local.ipv4.s_addr, 233 + &ip_hdr(skb)->daddr); 234 + bind->local.ipv4.s_addr = ip_hdr(skb)->daddr; 235 + reset_cache = true; 236 + } 237 + break; 238 + case htons(ETH_P_IPV6): 239 + /* float check */ 240 + if (unlikely(!ovpn_bind_skb_src_match(bind, skb))) { 241 + /* unconditionally save local endpoint in case 242 + * of float, as it may have changed as well 243 + */ 244 + local_ip = &ipv6_hdr(skb)->daddr; 245 + sa6 = (struct sockaddr_in6 *)&ss; 246 + sa6->sin6_family = AF_INET6; 247 + sa6->sin6_addr = ipv6_hdr(skb)->saddr; 248 + sa6->sin6_port = udp_hdr(skb)->source; 249 + sa6->sin6_scope_id = ipv6_iface_scope_id(&ipv6_hdr(skb)->saddr, 250 + skb->skb_iif); 251 + salen = sizeof(*sa6); 252 + reset_cache = true; 253 + break; 254 + } 255 + 256 + /* if no float happened, let's double check if the local 
endpoint 257 + * has changed 258 + */ 259 + if (unlikely(!ipv6_addr_equal(&bind->local.ipv6, 260 + &ipv6_hdr(skb)->daddr))) { 261 + net_dbg_ratelimited("%s: learning local IPv6 for peer %d (%pI6c -> %pI6c\n", 262 + netdev_name(peer->ovpn->dev), 263 + peer->id, &bind->local.ipv6, 264 + &ipv6_hdr(skb)->daddr); 265 + bind->local.ipv6 = ipv6_hdr(skb)->daddr; 266 + reset_cache = true; 267 + } 268 + break; 269 + default: 270 + goto unlock; 271 + } 272 + 273 + if (unlikely(reset_cache)) 274 + dst_cache_reset(&peer->dst_cache); 275 + 276 + /* if the peer did not float, we can bail out now */ 277 + if (likely(!salen)) 278 + goto unlock; 279 + 280 + if (unlikely(ovpn_peer_reset_sockaddr(peer, 281 + (struct sockaddr_storage *)&ss, 282 + local_ip) < 0)) 283 + goto unlock; 284 + 285 + net_dbg_ratelimited("%s: peer %d floated to %pIScp", 286 + netdev_name(peer->ovpn->dev), peer->id, &ss); 287 + 288 + spin_unlock_bh(&peer->lock); 289 + 290 + /* rehashing is required only in MP mode as P2P has one peer 291 + * only and thus there is no hashtable 292 + */ 293 + if (peer->ovpn->mode == OVPN_MODE_MP) { 294 + spin_lock_bh(&peer->ovpn->lock); 295 + spin_lock_bh(&peer->lock); 296 + bind = rcu_dereference_protected(peer->bind, 297 + lockdep_is_held(&peer->lock)); 298 + if (unlikely(!bind)) { 299 + spin_unlock_bh(&peer->lock); 300 + spin_unlock_bh(&peer->ovpn->lock); 301 + return; 302 + } 303 + 304 + /* This function may be invoked concurrently, therefore another 305 + * float may have happened in parallel: perform rehashing 306 + * using the peer->bind->remote directly as key 307 + */ 308 + 309 + switch (bind->remote.in4.sin_family) { 310 + case AF_INET: 311 + salen = sizeof(*sa); 312 + break; 313 + case AF_INET6: 314 + salen = sizeof(*sa6); 315 + break; 316 + } 317 + 318 + /* remove old hashing */ 319 + hlist_nulls_del_init_rcu(&peer->hash_entry_transp_addr); 320 + /* re-add with new transport address */ 321 + nhead = ovpn_get_hash_head(peer->ovpn->peers->by_transp_addr, 322 + 
&bind->remote, salen); 323 + hlist_nulls_add_head_rcu(&peer->hash_entry_transp_addr, nhead); 324 + spin_unlock_bh(&peer->lock); 325 + spin_unlock_bh(&peer->ovpn->lock); 326 + } 327 + return; 328 + unlock: 329 + spin_unlock_bh(&peer->lock); 330 + } 331 + 332 + /** 333 + * ovpn_peer_release_rcu - RCU callback performing last peer release steps 334 + * @head: RCU member of the ovpn_peer 335 + */ 336 + static void ovpn_peer_release_rcu(struct rcu_head *head) 337 + { 338 + struct ovpn_peer *peer = container_of(head, struct ovpn_peer, rcu); 339 + 340 + /* this call will immediately free the dst_cache, therefore we 341 + * perform it in the RCU callback, when all contexts are done 342 + */ 343 + dst_cache_destroy(&peer->dst_cache); 344 + kfree(peer); 345 + } 346 + 347 + /** 348 + * ovpn_peer_release - release peer private members 349 + * @peer: the peer to release 350 + */ 351 + void ovpn_peer_release(struct ovpn_peer *peer) 352 + { 353 + ovpn_crypto_state_release(&peer->crypto); 354 + spin_lock_bh(&peer->lock); 355 + ovpn_bind_reset(peer, NULL); 356 + spin_unlock_bh(&peer->lock); 357 + call_rcu(&peer->rcu, ovpn_peer_release_rcu); 358 + netdev_put(peer->ovpn->dev, &peer->dev_tracker); 359 + } 360 + 361 + /** 362 + * ovpn_peer_release_kref - callback for kref_put 363 + * @kref: the kref object belonging to the peer 364 + */ 365 + void ovpn_peer_release_kref(struct kref *kref) 366 + { 367 + struct ovpn_peer *peer = container_of(kref, struct ovpn_peer, refcount); 368 + 369 + ovpn_peer_release(peer); 370 + } 371 + 372 + /** 373 + * ovpn_peer_skb_to_sockaddr - fill sockaddr with skb source address 374 + * @skb: the packet to extract data from 375 + * @ss: the sockaddr to fill 376 + * 377 + * Return: sockaddr length on success or -1 otherwise 378 + */ 379 + static int ovpn_peer_skb_to_sockaddr(struct sk_buff *skb, 380 + struct sockaddr_storage *ss) 381 + { 382 + struct sockaddr_in6 *sa6; 383 + struct sockaddr_in *sa4; 384 + 385 + switch (skb->protocol) { 386 + case 
htons(ETH_P_IP): 387 + sa4 = (struct sockaddr_in *)ss; 388 + sa4->sin_family = AF_INET; 389 + sa4->sin_addr.s_addr = ip_hdr(skb)->saddr; 390 + sa4->sin_port = udp_hdr(skb)->source; 391 + return sizeof(*sa4); 392 + case htons(ETH_P_IPV6): 393 + sa6 = (struct sockaddr_in6 *)ss; 394 + sa6->sin6_family = AF_INET6; 395 + sa6->sin6_addr = ipv6_hdr(skb)->saddr; 396 + sa6->sin6_port = udp_hdr(skb)->source; 397 + return sizeof(*sa6); 398 + } 399 + 400 + return -1; 401 + } 402 + 403 + /** 404 + * ovpn_nexthop_from_skb4 - retrieve IPv4 nexthop for outgoing skb 405 + * @skb: the outgoing packet 406 + * 407 + * Return: the IPv4 of the nexthop 408 + */ 409 + static __be32 ovpn_nexthop_from_skb4(struct sk_buff *skb) 410 + { 411 + const struct rtable *rt = skb_rtable(skb); 412 + 413 + if (rt && rt->rt_uses_gateway) 414 + return rt->rt_gw4; 415 + 416 + return ip_hdr(skb)->daddr; 417 + } 418 + 419 + /** 420 + * ovpn_nexthop_from_skb6 - retrieve IPv6 nexthop for outgoing skb 421 + * @skb: the outgoing packet 422 + * 423 + * Return: the IPv6 of the nexthop 424 + */ 425 + static struct in6_addr ovpn_nexthop_from_skb6(struct sk_buff *skb) 426 + { 427 + const struct rt6_info *rt = skb_rt6_info(skb); 428 + 429 + if (!rt || !(rt->rt6i_flags & RTF_GATEWAY)) 430 + return ipv6_hdr(skb)->daddr; 431 + 432 + return rt->rt6i_gateway; 433 + } 434 + 435 + /** 436 + * ovpn_peer_get_by_vpn_addr4 - retrieve peer by its VPN IPv4 address 437 + * @ovpn: the openvpn instance to search 438 + * @addr: VPN IPv4 to use as search key 439 + * 440 + * Refcounter is not increased for the returned peer. 
441 + * 442 + * Return: the peer if found or NULL otherwise 443 + */ 444 + static struct ovpn_peer *ovpn_peer_get_by_vpn_addr4(struct ovpn_priv *ovpn, 445 + __be32 addr) 446 + { 447 + struct hlist_nulls_head *nhead; 448 + struct hlist_nulls_node *ntmp; 449 + struct ovpn_peer *tmp; 450 + unsigned int slot; 451 + 452 + begin: 453 + slot = ovpn_get_hash_slot(ovpn->peers->by_vpn_addr4, &addr, 454 + sizeof(addr)); 455 + nhead = &ovpn->peers->by_vpn_addr4[slot]; 456 + 457 + hlist_nulls_for_each_entry_rcu(tmp, ntmp, nhead, hash_entry_addr4) 458 + if (addr == tmp->vpn_addrs.ipv4.s_addr) 459 + return tmp; 460 + 461 + /* item may have moved during lookup - check nulls and restart 462 + * if that's the case 463 + */ 464 + if (get_nulls_value(ntmp) != slot) 465 + goto begin; 466 + 467 + return NULL; 468 + } 469 + 470 + /** 471 + * ovpn_peer_get_by_vpn_addr6 - retrieve peer by its VPN IPv6 address 472 + * @ovpn: the openvpn instance to search 473 + * @addr: VPN IPv6 to use as search key 474 + * 475 + * Refcounter is not increased for the returned peer. 
476 + * 477 + * Return: the peer if found or NULL otherwise 478 + */ 479 + static struct ovpn_peer *ovpn_peer_get_by_vpn_addr6(struct ovpn_priv *ovpn, 480 + struct in6_addr *addr) 481 + { 482 + struct hlist_nulls_head *nhead; 483 + struct hlist_nulls_node *ntmp; 484 + struct ovpn_peer *tmp; 485 + unsigned int slot; 486 + 487 + begin: 488 + slot = ovpn_get_hash_slot(ovpn->peers->by_vpn_addr6, addr, 489 + sizeof(*addr)); 490 + nhead = &ovpn->peers->by_vpn_addr6[slot]; 491 + 492 + hlist_nulls_for_each_entry_rcu(tmp, ntmp, nhead, hash_entry_addr6) 493 + if (ipv6_addr_equal(addr, &tmp->vpn_addrs.ipv6)) 494 + return tmp; 495 + 496 + /* item may have moved during lookup - check nulls and restart 497 + * if that's the case 498 + */ 499 + if (get_nulls_value(ntmp) != slot) 500 + goto begin; 501 + 502 + return NULL; 503 + } 504 + 505 + /** 506 + * ovpn_peer_transp_match - check if sockaddr and peer binding match 507 + * @peer: the peer to get the binding from 508 + * @ss: the sockaddr to match 509 + * 510 + * Return: true if sockaddr and binding match or false otherwise 511 + */ 512 + static bool ovpn_peer_transp_match(const struct ovpn_peer *peer, 513 + const struct sockaddr_storage *ss) 514 + { 515 + struct ovpn_bind *bind = rcu_dereference(peer->bind); 516 + struct sockaddr_in6 *sa6; 517 + struct sockaddr_in *sa4; 518 + 519 + if (unlikely(!bind)) 520 + return false; 521 + 522 + if (ss->ss_family != bind->remote.in4.sin_family) 523 + return false; 524 + 525 + switch (ss->ss_family) { 526 + case AF_INET: 527 + sa4 = (struct sockaddr_in *)ss; 528 + if (sa4->sin_addr.s_addr != bind->remote.in4.sin_addr.s_addr) 529 + return false; 530 + if (sa4->sin_port != bind->remote.in4.sin_port) 531 + return false; 532 + break; 533 + case AF_INET6: 534 + sa6 = (struct sockaddr_in6 *)ss; 535 + if (!ipv6_addr_equal(&sa6->sin6_addr, 536 + &bind->remote.in6.sin6_addr)) 537 + return false; 538 + if (sa6->sin6_port != bind->remote.in6.sin6_port) 539 + return false; 540 + break; 541 + default: 
542 + return false; 543 + } 544 + 545 + return true; 546 + } 547 + 548 + /** 549 + * ovpn_peer_get_by_transp_addr_p2p - get peer by transport address in a P2P 550 + * instance 551 + * @ovpn: the openvpn instance to search 552 + * @ss: the transport socket address 553 + * 554 + * Return: the peer if found or NULL otherwise 555 + */ 556 + static struct ovpn_peer * 557 + ovpn_peer_get_by_transp_addr_p2p(struct ovpn_priv *ovpn, 558 + struct sockaddr_storage *ss) 559 + { 560 + struct ovpn_peer *tmp, *peer = NULL; 561 + 562 + rcu_read_lock(); 563 + tmp = rcu_dereference(ovpn->peer); 564 + if (likely(tmp && ovpn_peer_transp_match(tmp, ss) && 565 + ovpn_peer_hold(tmp))) 566 + peer = tmp; 567 + rcu_read_unlock(); 568 + 569 + return peer; 570 + } 571 + 572 + /** 573 + * ovpn_peer_get_by_transp_addr - retrieve peer by transport address 574 + * @ovpn: the openvpn instance to search 575 + * @skb: the skb to retrieve the source transport address from 576 + * 577 + * Return: a pointer to the peer if found or NULL otherwise 578 + */ 579 + struct ovpn_peer *ovpn_peer_get_by_transp_addr(struct ovpn_priv *ovpn, 580 + struct sk_buff *skb) 581 + { 582 + struct ovpn_peer *tmp, *peer = NULL; 583 + struct sockaddr_storage ss = { 0 }; 584 + struct hlist_nulls_head *nhead; 585 + struct hlist_nulls_node *ntmp; 586 + unsigned int slot; 587 + ssize_t sa_len; 588 + 589 + sa_len = ovpn_peer_skb_to_sockaddr(skb, &ss); 590 + if (unlikely(sa_len < 0)) 591 + return NULL; 592 + 593 + if (ovpn->mode == OVPN_MODE_P2P) 594 + return ovpn_peer_get_by_transp_addr_p2p(ovpn, &ss); 595 + 596 + rcu_read_lock(); 597 + begin: 598 + slot = ovpn_get_hash_slot(ovpn->peers->by_transp_addr, &ss, sa_len); 599 + nhead = &ovpn->peers->by_transp_addr[slot]; 600 + 601 + hlist_nulls_for_each_entry_rcu(tmp, ntmp, nhead, 602 + hash_entry_transp_addr) { 603 + if (!ovpn_peer_transp_match(tmp, &ss)) 604 + continue; 605 + 606 + if (!ovpn_peer_hold(tmp)) 607 + continue; 608 + 609 + peer = tmp; 610 + break; 611 + } 612 + 613 + /* 
item may have moved during lookup - check nulls and restart 614 + * if that's the case 615 + */ 616 + if (!peer && get_nulls_value(ntmp) != slot) 617 + goto begin; 618 + rcu_read_unlock(); 619 + 620 + return peer; 621 + } 622 + 623 + /** 624 + * ovpn_peer_get_by_id_p2p - get peer by ID in a P2P instance 625 + * @ovpn: the openvpn instance to search 626 + * @peer_id: the ID of the peer to find 627 + * 628 + * Return: the peer if found or NULL otherwise 629 + */ 630 + static struct ovpn_peer *ovpn_peer_get_by_id_p2p(struct ovpn_priv *ovpn, 631 + u32 peer_id) 632 + { 633 + struct ovpn_peer *tmp, *peer = NULL; 634 + 635 + rcu_read_lock(); 636 + tmp = rcu_dereference(ovpn->peer); 637 + if (likely(tmp && tmp->id == peer_id && ovpn_peer_hold(tmp))) 638 + peer = tmp; 639 + rcu_read_unlock(); 640 + 641 + return peer; 642 + } 643 + 644 + /** 645 + * ovpn_peer_get_by_id - retrieve peer by ID 646 + * @ovpn: the openvpn instance to search 647 + * @peer_id: the unique peer identifier to match 648 + * 649 + * Return: a pointer to the peer if found or NULL otherwise 650 + */ 651 + struct ovpn_peer *ovpn_peer_get_by_id(struct ovpn_priv *ovpn, u32 peer_id) 652 + { 653 + struct ovpn_peer *tmp, *peer = NULL; 654 + struct hlist_head *head; 655 + 656 + if (ovpn->mode == OVPN_MODE_P2P) 657 + return ovpn_peer_get_by_id_p2p(ovpn, peer_id); 658 + 659 + head = ovpn_get_hash_head(ovpn->peers->by_id, &peer_id, 660 + sizeof(peer_id)); 661 + 662 + rcu_read_lock(); 663 + hlist_for_each_entry_rcu(tmp, head, hash_entry_id) { 664 + if (tmp->id != peer_id) 665 + continue; 666 + 667 + if (!ovpn_peer_hold(tmp)) 668 + continue; 669 + 670 + peer = tmp; 671 + break; 672 + } 673 + rcu_read_unlock(); 674 + 675 + return peer; 676 + } 677 + 678 + static void ovpn_peer_remove(struct ovpn_peer *peer, 679 + enum ovpn_del_peer_reason reason, 680 + struct llist_head *release_list) 681 + { 682 + lockdep_assert_held(&peer->ovpn->lock); 683 + 684 + switch (peer->ovpn->mode) { 685 + case OVPN_MODE_MP: 686 + /* prevent 
double remove */ 687 + if (hlist_unhashed(&peer->hash_entry_id)) 688 + return; 689 + 690 + hlist_del_init_rcu(&peer->hash_entry_id); 691 + hlist_nulls_del_init_rcu(&peer->hash_entry_addr4); 692 + hlist_nulls_del_init_rcu(&peer->hash_entry_addr6); 693 + hlist_nulls_del_init_rcu(&peer->hash_entry_transp_addr); 694 + break; 695 + case OVPN_MODE_P2P: 696 + /* prevent double remove */ 697 + if (peer != rcu_access_pointer(peer->ovpn->peer)) 698 + return; 699 + 700 + RCU_INIT_POINTER(peer->ovpn->peer, NULL); 701 + /* in P2P mode the carrier is switched off when the peer is 702 + * deleted so that third party protocols can react accordingly 703 + */ 704 + netif_carrier_off(peer->ovpn->dev); 705 + break; 706 + } 707 + 708 + peer->delete_reason = reason; 709 + ovpn_nl_peer_del_notify(peer); 710 + 711 + /* append to provided list for later socket release and ref drop */ 712 + llist_add(&peer->release_entry, release_list); 713 + } 714 + 715 + /** 716 + * ovpn_peer_get_by_dst - Lookup peer to send skb to 717 + * @ovpn: the private data representing the current VPN session 718 + * @skb: the skb to extract the destination address from 719 + * 720 + * This function takes a tunnel packet and looks up the peer to send it to 721 + * after encapsulation. The skb is expected to be the in-tunnel packet, without 722 + * any OpenVPN related header. 723 + * 724 + * Assume that the IP header is accessible in the skb data. 725 + * 726 + * Return: the peer if found or NULL otherwise. 
727 + */ 728 + struct ovpn_peer *ovpn_peer_get_by_dst(struct ovpn_priv *ovpn, 729 + struct sk_buff *skb) 730 + { 731 + struct ovpn_peer *peer = NULL; 732 + struct in6_addr addr6; 733 + __be32 addr4; 734 + 735 + /* in P2P mode, no matter the destination, packets are always sent to 736 + * the single peer listening on the other side 737 + */ 738 + if (ovpn->mode == OVPN_MODE_P2P) { 739 + rcu_read_lock(); 740 + peer = rcu_dereference(ovpn->peer); 741 + if (unlikely(peer && !ovpn_peer_hold(peer))) 742 + peer = NULL; 743 + rcu_read_unlock(); 744 + return peer; 745 + } 746 + 747 + rcu_read_lock(); 748 + switch (skb->protocol) { 749 + case htons(ETH_P_IP): 750 + addr4 = ovpn_nexthop_from_skb4(skb); 751 + peer = ovpn_peer_get_by_vpn_addr4(ovpn, addr4); 752 + break; 753 + case htons(ETH_P_IPV6): 754 + addr6 = ovpn_nexthop_from_skb6(skb); 755 + peer = ovpn_peer_get_by_vpn_addr6(ovpn, &addr6); 756 + break; 757 + } 758 + 759 + if (unlikely(peer && !ovpn_peer_hold(peer))) 760 + peer = NULL; 761 + rcu_read_unlock(); 762 + 763 + return peer; 764 + } 765 + 766 + /** 767 + * ovpn_nexthop_from_rt4 - look up the IPv4 nexthop for the given destination 768 + * @ovpn: the private data representing the current VPN session 769 + * @dest: the destination to be looked up 770 + * 771 + * Looks up in the IPv4 system routing table the IP of the nexthop to be used 772 + * to reach the destination passed as argument. If no nexthop can be found, the 773 + * destination itself is returned as it probably has to be used as nexthop. 
774 + * 775 + * Return: the IP of the next hop if found or dest itself otherwise 776 + */ 777 + static __be32 ovpn_nexthop_from_rt4(struct ovpn_priv *ovpn, __be32 dest) 778 + { 779 + struct rtable *rt; 780 + struct flowi4 fl = { 781 + .daddr = dest 782 + }; 783 + 784 + rt = ip_route_output_flow(dev_net(ovpn->dev), &fl, NULL); 785 + if (IS_ERR(rt)) { 786 + net_dbg_ratelimited("%s: no route to host %pI4\n", 787 + netdev_name(ovpn->dev), &dest); 788 + /* if we end up here this packet is probably going to be 789 + * thrown away later 790 + */ 791 + return dest; 792 + } 793 + 794 + if (!rt->rt_uses_gateway) 795 + goto out; 796 + 797 + dest = rt->rt_gw4; 798 + out: 799 + ip_rt_put(rt); 800 + return dest; 801 + } 802 + 803 + /** 804 + * ovpn_nexthop_from_rt6 - look up the IPv6 nexthop for the given destination 805 + * @ovpn: the private data representing the current VPN session 806 + * @dest: the destination to be looked up 807 + * 808 + * Looks up in the IPv6 system routing table the IP of the nexthop to be used 809 + * to reach the destination passed as argument. If no nexthop can be found, the 810 + * destination itself is returned as it probably has to be used as nexthop. 
811 + * 812 + * Return: the IP of the next hop if found or dest itself otherwise 813 + */ 814 + static struct in6_addr ovpn_nexthop_from_rt6(struct ovpn_priv *ovpn, 815 + struct in6_addr dest) 816 + { 817 + #if IS_ENABLED(CONFIG_IPV6) 818 + struct dst_entry *entry; 819 + struct rt6_info *rt; 820 + struct flowi6 fl = { 821 + .daddr = dest, 822 + }; 823 + 824 + entry = ipv6_stub->ipv6_dst_lookup_flow(dev_net(ovpn->dev), NULL, &fl, 825 + NULL); 826 + if (IS_ERR(entry)) { 827 + net_dbg_ratelimited("%s: no route to host %pI6c\n", 828 + netdev_name(ovpn->dev), &dest); 829 + /* if we end up here this packet is probably going to be 830 + * thrown away later 831 + */ 832 + return dest; 833 + } 834 + 835 + rt = dst_rt6_info(entry); 836 + 837 + if (!(rt->rt6i_flags & RTF_GATEWAY)) 838 + goto out; 839 + 840 + dest = rt->rt6i_gateway; 841 + out: 842 + dst_release((struct dst_entry *)rt); 843 + #endif 844 + return dest; 845 + } 846 + 847 + /** 848 + * ovpn_peer_check_by_src - check that skb source is routed via peer 849 + * @ovpn: the openvpn instance to search 850 + * @skb: the packet to extract source address from 851 + * @peer: the peer to check against the source address 852 + * 853 + * Return: true if the peer is matching or false otherwise 854 + */ 855 + bool ovpn_peer_check_by_src(struct ovpn_priv *ovpn, struct sk_buff *skb, 856 + struct ovpn_peer *peer) 857 + { 858 + bool match = false; 859 + struct in6_addr addr6; 860 + __be32 addr4; 861 + 862 + if (ovpn->mode == OVPN_MODE_P2P) { 863 + /* in P2P mode, no matter the destination, packets are always 864 + * sent to the single peer listening on the other side 865 + */ 866 + return peer == rcu_access_pointer(ovpn->peer); 867 + } 868 + 869 + /* This function performs a reverse path check, therefore we now 870 + * lookup the nexthop we would use if we wanted to route a packet 871 + * to the source IP. 
If the nexthop matches the sender we know the 872 + * latter is valid and we allow the packet to come in 873 + */ 874 + 875 + switch (skb->protocol) { 876 + case htons(ETH_P_IP): 877 + addr4 = ovpn_nexthop_from_rt4(ovpn, ip_hdr(skb)->saddr); 878 + rcu_read_lock(); 879 + match = (peer == ovpn_peer_get_by_vpn_addr4(ovpn, addr4)); 880 + rcu_read_unlock(); 881 + break; 882 + case htons(ETH_P_IPV6): 883 + addr6 = ovpn_nexthop_from_rt6(ovpn, ipv6_hdr(skb)->saddr); 884 + rcu_read_lock(); 885 + match = (peer == ovpn_peer_get_by_vpn_addr6(ovpn, &addr6)); 886 + rcu_read_unlock(); 887 + break; 888 + } 889 + 890 + return match; 891 + } 892 + 893 + void ovpn_peer_hash_vpn_ip(struct ovpn_peer *peer) 894 + { 895 + struct hlist_nulls_head *nhead; 896 + 897 + lockdep_assert_held(&peer->ovpn->lock); 898 + 899 + /* rehashing makes sense only in multipeer mode */ 900 + if (peer->ovpn->mode != OVPN_MODE_MP) 901 + return; 902 + 903 + if (peer->vpn_addrs.ipv4.s_addr != htonl(INADDR_ANY)) { 904 + /* remove potential old hashing */ 905 + hlist_nulls_del_init_rcu(&peer->hash_entry_addr4); 906 + 907 + nhead = ovpn_get_hash_head(peer->ovpn->peers->by_vpn_addr4, 908 + &peer->vpn_addrs.ipv4, 909 + sizeof(peer->vpn_addrs.ipv4)); 910 + hlist_nulls_add_head_rcu(&peer->hash_entry_addr4, nhead); 911 + } 912 + 913 + if (!ipv6_addr_any(&peer->vpn_addrs.ipv6)) { 914 + /* remove potential old hashing */ 915 + hlist_nulls_del_init_rcu(&peer->hash_entry_addr6); 916 + 917 + nhead = ovpn_get_hash_head(peer->ovpn->peers->by_vpn_addr6, 918 + &peer->vpn_addrs.ipv6, 919 + sizeof(peer->vpn_addrs.ipv6)); 920 + hlist_nulls_add_head_rcu(&peer->hash_entry_addr6, nhead); 921 + } 922 + } 923 + 924 + /** 925 + * ovpn_peer_add_mp - add peer to related tables in a MP instance 926 + * @ovpn: the instance to add the peer to 927 + * @peer: the peer to add 928 + * 929 + * Return: 0 on success or a negative error code otherwise 930 + */ 931 + static int ovpn_peer_add_mp(struct ovpn_priv *ovpn, struct ovpn_peer *peer) 932 + { 
933 + struct sockaddr_storage sa = { 0 }; 934 + struct hlist_nulls_head *nhead; 935 + struct sockaddr_in6 *sa6; 936 + struct sockaddr_in *sa4; 937 + struct ovpn_bind *bind; 938 + struct ovpn_peer *tmp; 939 + size_t salen; 940 + int ret = 0; 941 + 942 + spin_lock_bh(&ovpn->lock); 943 + /* do not add duplicates */ 944 + tmp = ovpn_peer_get_by_id(ovpn, peer->id); 945 + if (tmp) { 946 + ovpn_peer_put(tmp); 947 + ret = -EEXIST; 948 + goto out; 949 + } 950 + 951 + bind = rcu_dereference_protected(peer->bind, true); 952 + /* peers connected via TCP have bind == NULL */ 953 + if (bind) { 954 + switch (bind->remote.in4.sin_family) { 955 + case AF_INET: 956 + sa4 = (struct sockaddr_in *)&sa; 957 + 958 + sa4->sin_family = AF_INET; 959 + sa4->sin_addr.s_addr = bind->remote.in4.sin_addr.s_addr; 960 + sa4->sin_port = bind->remote.in4.sin_port; 961 + salen = sizeof(*sa4); 962 + break; 963 + case AF_INET6: 964 + sa6 = (struct sockaddr_in6 *)&sa; 965 + 966 + sa6->sin6_family = AF_INET6; 967 + sa6->sin6_addr = bind->remote.in6.sin6_addr; 968 + sa6->sin6_port = bind->remote.in6.sin6_port; 969 + salen = sizeof(*sa6); 970 + break; 971 + default: 972 + ret = -EPROTONOSUPPORT; 973 + goto out; 974 + } 975 + 976 + nhead = ovpn_get_hash_head(ovpn->peers->by_transp_addr, &sa, 977 + salen); 978 + hlist_nulls_add_head_rcu(&peer->hash_entry_transp_addr, nhead); 979 + } 980 + 981 + hlist_add_head_rcu(&peer->hash_entry_id, 982 + ovpn_get_hash_head(ovpn->peers->by_id, &peer->id, 983 + sizeof(peer->id))); 984 + 985 + ovpn_peer_hash_vpn_ip(peer); 986 + out: 987 + spin_unlock_bh(&ovpn->lock); 988 + return ret; 989 + } 990 + 991 + /** 992 + * ovpn_peer_add_p2p - add peer to related tables in a P2P instance 993 + * @ovpn: the instance to add the peer to 994 + * @peer: the peer to add 995 + * 996 + * Return: 0 on success or a negative error code otherwise 997 + */ 998 + static int ovpn_peer_add_p2p(struct ovpn_priv *ovpn, struct ovpn_peer *peer) 999 + { 1000 + LLIST_HEAD(release_list); 1001 + struct 
ovpn_peer *tmp; 1002 + 1003 + spin_lock_bh(&ovpn->lock); 1004 + /* in p2p mode it is possible to have a single peer only, therefore the 1005 + * old one is released and substituted by the new one 1006 + */ 1007 + tmp = rcu_dereference_protected(ovpn->peer, 1008 + lockdep_is_held(&ovpn->lock)); 1009 + if (tmp) 1010 + ovpn_peer_remove(tmp, OVPN_DEL_PEER_REASON_TEARDOWN, 1011 + &release_list); 1012 + 1013 + rcu_assign_pointer(ovpn->peer, peer); 1014 + /* in P2P mode the carrier is switched on when the peer is added */ 1015 + netif_carrier_on(ovpn->dev); 1016 + unlock_ovpn(ovpn, &release_list); 1017 + 1018 + return 0; 1019 + } 1020 + 1021 + /** 1022 + * ovpn_peer_add - add peer to the related tables 1023 + * @ovpn: the openvpn instance the peer belongs to 1024 + * @peer: the peer object to add 1025 + * 1026 + * Assume refcounter was increased by caller 1027 + * 1028 + * Return: 0 on success or a negative error code otherwise 1029 + */ 1030 + int ovpn_peer_add(struct ovpn_priv *ovpn, struct ovpn_peer *peer) 1031 + { 1032 + switch (ovpn->mode) { 1033 + case OVPN_MODE_MP: 1034 + return ovpn_peer_add_mp(ovpn, peer); 1035 + case OVPN_MODE_P2P: 1036 + return ovpn_peer_add_p2p(ovpn, peer); 1037 + } 1038 + 1039 + return -EOPNOTSUPP; 1040 + } 1041 + 1042 + /** 1043 + * ovpn_peer_del_mp - delete peer from related tables in a MP instance 1044 + * @peer: the peer to delete 1045 + * @reason: reason why the peer was deleted (sent to userspace) 1046 + * @release_list: list where delete peer should be appended 1047 + * 1048 + * Return: 0 on success or a negative error code otherwise 1049 + */ 1050 + static int ovpn_peer_del_mp(struct ovpn_peer *peer, 1051 + enum ovpn_del_peer_reason reason, 1052 + struct llist_head *release_list) 1053 + { 1054 + struct ovpn_peer *tmp; 1055 + int ret = -ENOENT; 1056 + 1057 + lockdep_assert_held(&peer->ovpn->lock); 1058 + 1059 + tmp = ovpn_peer_get_by_id(peer->ovpn, peer->id); 1060 + if (tmp == peer) { 1061 + ovpn_peer_remove(peer, reason, 
release_list); 1062 + ret = 0; 1063 + } 1064 + 1065 + if (tmp) 1066 + ovpn_peer_put(tmp); 1067 + 1068 + return ret; 1069 + } 1070 + 1071 + /** 1072 + * ovpn_peer_del_p2p - delete peer from related tables in a P2P instance 1073 + * @peer: the peer to delete 1074 + * @reason: reason why the peer was deleted (sent to userspace) 1075 + * @release_list: list where delete peer should be appended 1076 + * 1077 + * Return: 0 on success or a negative error code otherwise 1078 + */ 1079 + static int ovpn_peer_del_p2p(struct ovpn_peer *peer, 1080 + enum ovpn_del_peer_reason reason, 1081 + struct llist_head *release_list) 1082 + { 1083 + struct ovpn_peer *tmp; 1084 + 1085 + lockdep_assert_held(&peer->ovpn->lock); 1086 + 1087 + tmp = rcu_dereference_protected(peer->ovpn->peer, 1088 + lockdep_is_held(&peer->ovpn->lock)); 1089 + if (tmp != peer) 1090 + return -ENOENT; 1091 + 1092 + ovpn_peer_remove(peer, reason, release_list); 1093 + 1094 + return 0; 1095 + } 1096 + 1097 + /** 1098 + * ovpn_peer_del - delete peer from related tables 1099 + * @peer: the peer object to delete 1100 + * @reason: reason for deleting peer (will be sent to userspace) 1101 + * 1102 + * Return: 0 on success or a negative error code otherwise 1103 + */ 1104 + int ovpn_peer_del(struct ovpn_peer *peer, enum ovpn_del_peer_reason reason) 1105 + { 1106 + LLIST_HEAD(release_list); 1107 + int ret = -EOPNOTSUPP; 1108 + 1109 + spin_lock_bh(&peer->ovpn->lock); 1110 + switch (peer->ovpn->mode) { 1111 + case OVPN_MODE_MP: 1112 + ret = ovpn_peer_del_mp(peer, reason, &release_list); 1113 + break; 1114 + case OVPN_MODE_P2P: 1115 + ret = ovpn_peer_del_p2p(peer, reason, &release_list); 1116 + break; 1117 + default: 1118 + break; 1119 + } 1120 + unlock_ovpn(peer->ovpn, &release_list); 1121 + 1122 + return ret; 1123 + } 1124 + 1125 + /** 1126 + * ovpn_peer_release_p2p - release peer upon P2P device teardown 1127 + * @ovpn: the instance being torn down 1128 + * @sk: if not NULL, release peer only if it's using this specific 
socket 1129 + * @reason: the reason for releasing the peer 1130 + */ 1131 + static void ovpn_peer_release_p2p(struct ovpn_priv *ovpn, struct sock *sk, 1132 + enum ovpn_del_peer_reason reason) 1133 + { 1134 + struct ovpn_socket *ovpn_sock; 1135 + LLIST_HEAD(release_list); 1136 + struct ovpn_peer *peer; 1137 + 1138 + spin_lock_bh(&ovpn->lock); 1139 + peer = rcu_dereference_protected(ovpn->peer, 1140 + lockdep_is_held(&ovpn->lock)); 1141 + if (!peer) { 1142 + spin_unlock_bh(&ovpn->lock); 1143 + return; 1144 + } 1145 + 1146 + if (sk) { 1147 + ovpn_sock = rcu_access_pointer(peer->sock); 1148 + if (!ovpn_sock || ovpn_sock->sock->sk != sk) { 1149 + spin_unlock_bh(&ovpn->lock); 1150 + ovpn_peer_put(peer); 1151 + return; 1152 + } 1153 + } 1154 + 1155 + ovpn_peer_remove(peer, reason, &release_list); 1156 + unlock_ovpn(ovpn, &release_list); 1157 + } 1158 + 1159 + static void ovpn_peers_release_mp(struct ovpn_priv *ovpn, struct sock *sk, 1160 + enum ovpn_del_peer_reason reason) 1161 + { 1162 + struct ovpn_socket *ovpn_sock; 1163 + LLIST_HEAD(release_list); 1164 + struct ovpn_peer *peer; 1165 + struct hlist_node *tmp; 1166 + int bkt; 1167 + 1168 + spin_lock_bh(&ovpn->lock); 1169 + hash_for_each_safe(ovpn->peers->by_id, bkt, tmp, peer, hash_entry_id) { 1170 + bool remove = true; 1171 + 1172 + /* if a socket was passed as argument, skip all peers except 1173 + * those using it 1174 + */ 1175 + if (sk) { 1176 + rcu_read_lock(); 1177 + ovpn_sock = rcu_dereference(peer->sock); 1178 + remove = ovpn_sock && ovpn_sock->sock->sk == sk; 1179 + rcu_read_unlock(); 1180 + } 1181 + 1182 + if (remove) 1183 + ovpn_peer_remove(peer, reason, &release_list); 1184 + } 1185 + unlock_ovpn(ovpn, &release_list); 1186 + } 1187 + 1188 + /** 1189 + * ovpn_peers_free - free all peers in the instance 1190 + * @ovpn: the instance whose peers should be released 1191 + * @sk: if not NULL, only peers using this socket are removed and the socket 1192 + * is released immediately 1193 + * @reason: the reason for 
releasing all peers 1194 + */ 1195 + void ovpn_peers_free(struct ovpn_priv *ovpn, struct sock *sk, 1196 + enum ovpn_del_peer_reason reason) 1197 + { 1198 + switch (ovpn->mode) { 1199 + case OVPN_MODE_P2P: 1200 + ovpn_peer_release_p2p(ovpn, sk, reason); 1201 + break; 1202 + case OVPN_MODE_MP: 1203 + ovpn_peers_release_mp(ovpn, sk, reason); 1204 + break; 1205 + } 1206 + } 1207 + 1208 + static time64_t ovpn_peer_keepalive_work_single(struct ovpn_peer *peer, 1209 + time64_t now, 1210 + struct llist_head *release_list) 1211 + { 1212 + time64_t last_recv, last_sent, next_run1, next_run2; 1213 + unsigned long timeout, interval; 1214 + bool expired; 1215 + 1216 + spin_lock_bh(&peer->lock); 1217 + /* we expect both timers to be configured at the same time, 1218 + * therefore bail out if either is not set 1219 + */ 1220 + if (!peer->keepalive_timeout || !peer->keepalive_interval) { 1221 + spin_unlock_bh(&peer->lock); 1222 + return 0; 1223 + } 1224 + 1225 + /* check for peer timeout */ 1226 + expired = false; 1227 + timeout = peer->keepalive_timeout; 1228 + last_recv = READ_ONCE(peer->last_recv); 1229 + if (now < last_recv + timeout) { 1230 + peer->keepalive_recv_exp = last_recv + timeout; 1231 + next_run1 = peer->keepalive_recv_exp; 1232 + } else if (peer->keepalive_recv_exp > now) { 1233 + next_run1 = peer->keepalive_recv_exp; 1234 + } else { 1235 + expired = true; 1236 + } 1237 + 1238 + if (expired) { 1239 + /* peer is dead -> kill it and move on */ 1240 + spin_unlock_bh(&peer->lock); 1241 + netdev_dbg(peer->ovpn->dev, "peer %u expired\n", 1242 + peer->id); 1243 + ovpn_peer_remove(peer, OVPN_DEL_PEER_REASON_EXPIRED, 1244 + release_list); 1245 + return 0; 1246 + } 1247 + 1248 + /* check for peer keepalive */ 1249 + expired = false; 1250 + interval = peer->keepalive_interval; 1251 + last_sent = READ_ONCE(peer->last_sent); 1252 + if (now < last_sent + interval) { 1253 + peer->keepalive_xmit_exp = last_sent + interval; 1254 + next_run2 = peer->keepalive_xmit_exp; 1255 + } else 
if (peer->keepalive_xmit_exp > now) { 1256 + next_run2 = peer->keepalive_xmit_exp; 1257 + } else { 1258 + expired = true; 1259 + next_run2 = now + interval; 1260 + } 1261 + spin_unlock_bh(&peer->lock); 1262 + 1263 + if (expired) { 1264 + /* a keepalive packet is required */ 1265 + netdev_dbg(peer->ovpn->dev, 1266 + "sending keepalive to peer %u\n", 1267 + peer->id); 1268 + if (schedule_work(&peer->keepalive_work)) 1269 + ovpn_peer_hold(peer); 1270 + } 1271 + 1272 + if (next_run1 < next_run2) 1273 + return next_run1; 1274 + 1275 + return next_run2; 1276 + } 1277 + 1278 + static time64_t ovpn_peer_keepalive_work_mp(struct ovpn_priv *ovpn, 1279 + time64_t now, 1280 + struct llist_head *release_list) 1281 + { 1282 + time64_t tmp_next_run, next_run = 0; 1283 + struct hlist_node *tmp; 1284 + struct ovpn_peer *peer; 1285 + int bkt; 1286 + 1287 + lockdep_assert_held(&ovpn->lock); 1288 + 1289 + hash_for_each_safe(ovpn->peers->by_id, bkt, tmp, peer, hash_entry_id) { 1290 + tmp_next_run = ovpn_peer_keepalive_work_single(peer, now, 1291 + release_list); 1292 + if (!tmp_next_run) 1293 + continue; 1294 + 1295 + /* the next worker run will be scheduled based on the shortest 1296 + * required interval across all peers 1297 + */ 1298 + if (!next_run || tmp_next_run < next_run) 1299 + next_run = tmp_next_run; 1300 + } 1301 + 1302 + return next_run; 1303 + } 1304 + 1305 + static time64_t ovpn_peer_keepalive_work_p2p(struct ovpn_priv *ovpn, 1306 + time64_t now, 1307 + struct llist_head *release_list) 1308 + { 1309 + struct ovpn_peer *peer; 1310 + time64_t next_run = 0; 1311 + 1312 + lockdep_assert_held(&ovpn->lock); 1313 + 1314 + peer = rcu_dereference_protected(ovpn->peer, 1315 + lockdep_is_held(&ovpn->lock)); 1316 + if (peer) 1317 + next_run = ovpn_peer_keepalive_work_single(peer, now, 1318 + release_list); 1319 + 1320 + return next_run; 1321 + } 1322 + 1323 + /** 1324 + * ovpn_peer_keepalive_work - run keepalive logic on each known peer 1325 + * @work: pointer to the work member of 
the related ovpn object 1326 + * 1327 + * Each peer has two timers (if configured): 1328 + * 1. peer timeout: when no data is received for a certain interval, 1329 + * the peer is considered dead and it gets killed. 1330 + * 2. peer keepalive: when no data is sent to a certain peer for a 1331 + * certain interval, a special 'keepalive' packet is explicitly sent. 1332 + * 1333 + * This function iterates across the whole peer collection while 1334 + * checking the timers described above. 1335 + */ 1336 + void ovpn_peer_keepalive_work(struct work_struct *work) 1337 + { 1338 + struct ovpn_priv *ovpn = container_of(work, struct ovpn_priv, 1339 + keepalive_work.work); 1340 + time64_t next_run = 0, now = ktime_get_real_seconds(); 1341 + LLIST_HEAD(release_list); 1342 + 1343 + spin_lock_bh(&ovpn->lock); 1344 + switch (ovpn->mode) { 1345 + case OVPN_MODE_MP: 1346 + next_run = ovpn_peer_keepalive_work_mp(ovpn, now, 1347 + &release_list); 1348 + break; 1349 + case OVPN_MODE_P2P: 1350 + next_run = ovpn_peer_keepalive_work_p2p(ovpn, now, 1351 + &release_list); 1352 + break; 1353 + } 1354 + 1355 + /* prevent rearming if the interface is being destroyed */ 1356 + if (next_run > 0 && 1357 + READ_ONCE(ovpn->dev->reg_state) == NETREG_REGISTERED) { 1358 + netdev_dbg(ovpn->dev, 1359 + "scheduling keepalive work: now=%llu next_run=%llu delta=%llu\n", 1360 + next_run, now, next_run - now); 1361 + schedule_delayed_work(&ovpn->keepalive_work, 1362 + (next_run - now) * HZ); 1363 + } 1364 + unlock_ovpn(ovpn, &release_list); 1365 + }
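Review bot: the netdev_dbg() arguments in ovpn_peer_keepalive_work() are in the wrong order for the format string: `"scheduling keepalive work: now=%llu next_run=%llu delta=%llu\n", next_run, now, next_run - now` prints next_run under the now= label and now under the next_run= label; swap the first two arguments to `now, next_run, next_run - now`. Separately, in ovpn_peer_release_p2p() the socket-mismatch path calls `ovpn_peer_put(peer);` although this function takes no reference on the peer it obtained via rcu_dereference_protected(); if the intent is to drop a reference the caller holds, a comment should say so, otherwise this drops the reference that ovpn->peer itself holds while the pointer stays assigned, and the peer could be freed while still attached. Compare ovpn_peers_release_mp(), which skips non-matching peers without a put.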
+163
drivers/net/ovpn/peer.h
··· 1 + /* SPDX-License-Identifier: GPL-2.0-only */ 2 + /* OpenVPN data channel offload 3 + * 4 + * Copyright (C) 2020-2025 OpenVPN, Inc. 5 + * 6 + * Author: James Yonan <james@openvpn.net> 7 + * Antonio Quartulli <antonio@openvpn.net> 8 + */ 9 + 10 + #ifndef _NET_OVPN_OVPNPEER_H_ 11 + #define _NET_OVPN_OVPNPEER_H_ 12 + 13 + #include <net/dst_cache.h> 14 + #include <net/strparser.h> 15 + 16 + #include "crypto.h" 17 + #include "socket.h" 18 + #include "stats.h" 19 + 20 + /** 21 + * struct ovpn_peer - the main remote peer object 22 + * @ovpn: main openvpn instance this peer belongs to 23 + * @dev_tracker: reference tracker for associated dev 24 + * @id: unique identifier 25 + * @vpn_addrs: IP addresses assigned over the tunnel 26 + * @vpn_addrs.ipv4: IPv4 assigned to peer on the tunnel 27 + * @vpn_addrs.ipv6: IPv6 assigned to peer on the tunnel 28 + * @hash_entry_id: entry in the peer ID hashtable 29 + * @hash_entry_addr4: entry in the peer IPv4 hashtable 30 + * @hash_entry_addr6: entry in the peer IPv6 hashtable 31 + * @hash_entry_transp_addr: entry in the peer transport address hashtable 32 + * @sock: the socket being used to talk to this peer 33 + * @tcp: keeps track of TCP specific state 34 + * @tcp.strp: stream parser context (TCP only) 35 + * @tcp.user_queue: received packets that have to go to userspace (TCP only) 36 + * @tcp.out_queue: packets on hold while socket is taken by user (TCP only) 37 + * @tcp.tx_in_progress: true if TX is already ongoing (TCP only) 38 + * @tcp.out_msg.skb: packet scheduled for sending (TCP only) 39 + * @tcp.out_msg.offset: offset where next send should start (TCP only) 40 + * @tcp.out_msg.len: remaining data to send within packet (TCP only) 41 + * @tcp.sk_cb.sk_data_ready: pointer to original cb (TCP only) 42 + * @tcp.sk_cb.sk_write_space: pointer to original cb (TCP only) 43 + * @tcp.sk_cb.prot: pointer to original prot object (TCP only) 44 + * @tcp.sk_cb.ops: pointer to the original prot_ops object (TCP only) 45 + * @crypto: the 
crypto configuration (ciphers, keys, etc..) 46 + * @dst_cache: cache for dst_entry used to send to peer 47 + * @bind: remote peer binding 48 + * @keepalive_interval: seconds after which a new keepalive should be sent 49 + * @keepalive_xmit_exp: future timestamp when next keepalive should be sent 50 + * @last_sent: timestamp of the last successfully sent packet 51 + * @keepalive_timeout: seconds after which an inactive peer is considered dead 52 + * @keepalive_recv_exp: future timestamp when the peer should expire 53 + * @last_recv: timestamp of the last authenticated received packet 54 + * @vpn_stats: per-peer in-VPN TX/RX stats 55 + * @link_stats: per-peer link/transport TX/RX stats 56 + * @delete_reason: why peer was deleted (i.e. timeout, transport error, ..) 57 + * @lock: protects binding to peer (bind) and keepalive* fields 58 + * @refcount: reference counter 59 + * @rcu: used to free peer in an RCU safe way 60 + * @release_entry: entry for the socket release list 61 + * @keepalive_work: used to schedule keepalive sending 62 + */ 63 + struct ovpn_peer { 64 + struct ovpn_priv *ovpn; 65 + netdevice_tracker dev_tracker; 66 + u32 id; 67 + struct { 68 + struct in_addr ipv4; 69 + struct in6_addr ipv6; 70 + } vpn_addrs; 71 + struct hlist_node hash_entry_id; 72 + struct hlist_nulls_node hash_entry_addr4; 73 + struct hlist_nulls_node hash_entry_addr6; 74 + struct hlist_nulls_node hash_entry_transp_addr; 75 + struct ovpn_socket __rcu *sock; 76 + 77 + struct { 78 + struct strparser strp; 79 + struct sk_buff_head user_queue; 80 + struct sk_buff_head out_queue; 81 + bool tx_in_progress; 82 + 83 + struct { 84 + struct sk_buff *skb; 85 + int offset; 86 + int len; 87 + } out_msg; 88 + 89 + struct { 90 + void (*sk_data_ready)(struct sock *sk); 91 + void (*sk_write_space)(struct sock *sk); 92 + struct proto *prot; 93 + const struct proto_ops *ops; 94 + } sk_cb; 95 + 96 + struct work_struct defer_del_work; 97 + } tcp; 98 + struct ovpn_crypto_state crypto; 99 + struct dst_cache 
dst_cache; 100 + struct ovpn_bind __rcu *bind; 101 + unsigned long keepalive_interval; 102 + unsigned long keepalive_xmit_exp; 103 + time64_t last_sent; 104 + unsigned long keepalive_timeout; 105 + unsigned long keepalive_recv_exp; 106 + time64_t last_recv; 107 + struct ovpn_peer_stats vpn_stats; 108 + struct ovpn_peer_stats link_stats; 109 + enum ovpn_del_peer_reason delete_reason; 110 + spinlock_t lock; /* protects bind and keepalive* */ 111 + struct kref refcount; 112 + struct rcu_head rcu; 113 + struct llist_node release_entry; 114 + struct work_struct keepalive_work; 115 + }; 116 + 117 + /** 118 + * ovpn_peer_hold - increase reference counter 119 + * @peer: the peer whose counter should be increased 120 + * 121 + * Return: true if the counter was increased or false if it was zero already 122 + */ 123 + static inline bool ovpn_peer_hold(struct ovpn_peer *peer) 124 + { 125 + return kref_get_unless_zero(&peer->refcount); 126 + } 127 + 128 + void ovpn_peer_release(struct ovpn_peer *peer); 129 + void ovpn_peer_release_kref(struct kref *kref); 130 + 131 + /** 132 + * ovpn_peer_put - decrease reference counter 133 + * @peer: the peer whose counter should be decreased 134 + */ 135 + static inline void ovpn_peer_put(struct ovpn_peer *peer) 136 + { 137 + kref_put(&peer->refcount, ovpn_peer_release_kref); 138 + } 139 + 140 + struct ovpn_peer *ovpn_peer_new(struct ovpn_priv *ovpn, u32 id); 141 + int ovpn_peer_add(struct ovpn_priv *ovpn, struct ovpn_peer *peer); 142 + int ovpn_peer_del(struct ovpn_peer *peer, enum ovpn_del_peer_reason reason); 143 + void ovpn_peers_free(struct ovpn_priv *ovpn, struct sock *sock, 144 + enum ovpn_del_peer_reason reason); 145 + 146 + struct ovpn_peer *ovpn_peer_get_by_transp_addr(struct ovpn_priv *ovpn, 147 + struct sk_buff *skb); 148 + struct ovpn_peer *ovpn_peer_get_by_id(struct ovpn_priv *ovpn, u32 peer_id); 149 + struct ovpn_peer *ovpn_peer_get_by_dst(struct ovpn_priv *ovpn, 150 + struct sk_buff *skb); 151 + void 
ovpn_peer_hash_vpn_ip(struct ovpn_peer *peer); 152 + bool ovpn_peer_check_by_src(struct ovpn_priv *ovpn, struct sk_buff *skb, 153 + struct ovpn_peer *peer); 154 + 155 + void ovpn_peer_keepalive_set(struct ovpn_peer *peer, u32 interval, u32 timeout); 156 + void ovpn_peer_keepalive_work(struct work_struct *work); 157 + 158 + void ovpn_peer_endpoints_update(struct ovpn_peer *peer, struct sk_buff *skb); 159 + int ovpn_peer_reset_sockaddr(struct ovpn_peer *peer, 160 + const struct sockaddr_storage *ss, 161 + const void *local_ip); 162 + 163 + #endif /* _NET_OVPN_OVPNPEER_H_ */
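Review bot: the kernel-doc block for struct ovpn_peer is missing an entry for the `tcp.defer_del_work` member (`struct work_struct defer_del_work;` inside the tcp sub-struct), so kernel-doc will warn about an undescribed member; add a `@tcp.defer_del_work:` line describing what it defers. Minor: the ovpn_peers_free() prototype names its second parameter `sock` while the definition in peer.c uses `sk`; use the same name in both so the declaration matches its kernel-doc.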
+129
drivers/net/ovpn/pktid.c
··· 1 + // SPDX-License-Identifier: GPL-2.0 2 + /* OpenVPN data channel offload 3 + * 4 + * Copyright (C) 2020-2025 OpenVPN, Inc. 5 + * 6 + * Author: Antonio Quartulli <antonio@openvpn.net> 7 + * James Yonan <james@openvpn.net> 8 + */ 9 + 10 + #include <linux/atomic.h> 11 + #include <linux/jiffies.h> 12 + #include <linux/net.h> 13 + #include <linux/netdevice.h> 14 + #include <linux/types.h> 15 + 16 + #include "ovpnpriv.h" 17 + #include "main.h" 18 + #include "pktid.h" 19 + 20 + void ovpn_pktid_xmit_init(struct ovpn_pktid_xmit *pid) 21 + { 22 + atomic_set(&pid->seq_num, 1); 23 + } 24 + 25 + void ovpn_pktid_recv_init(struct ovpn_pktid_recv *pr) 26 + { 27 + memset(pr, 0, sizeof(*pr)); 28 + spin_lock_init(&pr->lock); 29 + } 30 + 31 + /* Packet replay detection. 32 + * Allows ID backtrack of up to REPLAY_WINDOW_SIZE - 1. 33 + */ 34 + int ovpn_pktid_recv(struct ovpn_pktid_recv *pr, u32 pkt_id, u32 pkt_time) 35 + { 36 + const unsigned long now = jiffies; 37 + int ret; 38 + 39 + /* ID must not be zero */ 40 + if (unlikely(pkt_id == 0)) 41 + return -EINVAL; 42 + 43 + spin_lock_bh(&pr->lock); 44 + 45 + /* expire backtracks at or below pr->id after PKTID_RECV_EXPIRE time */ 46 + if (unlikely(time_after_eq(now, pr->expire))) 47 + pr->id_floor = pr->id; 48 + 49 + /* time changed? 
*/ 50 + if (unlikely(pkt_time != pr->time)) { 51 + if (pkt_time > pr->time) { 52 + /* time moved forward, accept */ 53 + pr->base = 0; 54 + pr->extent = 0; 55 + pr->id = 0; 56 + pr->time = pkt_time; 57 + pr->id_floor = 0; 58 + } else { 59 + /* time moved backward, reject */ 60 + ret = -ETIME; 61 + goto out; 62 + } 63 + } 64 + 65 + if (likely(pkt_id == pr->id + 1)) { 66 + /* well-formed ID sequence (incremented by 1) */ 67 + pr->base = REPLAY_INDEX(pr->base, -1); 68 + pr->history[pr->base / 8] |= (1 << (pr->base % 8)); 69 + if (pr->extent < REPLAY_WINDOW_SIZE) 70 + ++pr->extent; 71 + pr->id = pkt_id; 72 + } else if (pkt_id > pr->id) { 73 + /* ID jumped forward by more than one */ 74 + const unsigned int delta = pkt_id - pr->id; 75 + 76 + if (delta < REPLAY_WINDOW_SIZE) { 77 + unsigned int i; 78 + 79 + pr->base = REPLAY_INDEX(pr->base, -delta); 80 + pr->history[pr->base / 8] |= (1 << (pr->base % 8)); 81 + pr->extent += delta; 82 + if (pr->extent > REPLAY_WINDOW_SIZE) 83 + pr->extent = REPLAY_WINDOW_SIZE; 84 + for (i = 1; i < delta; ++i) { 85 + unsigned int newb = REPLAY_INDEX(pr->base, i); 86 + 87 + pr->history[newb / 8] &= ~BIT(newb % 8); 88 + } 89 + } else { 90 + pr->base = 0; 91 + pr->extent = REPLAY_WINDOW_SIZE; 92 + memset(pr->history, 0, sizeof(pr->history)); 93 + pr->history[0] = 1; 94 + } 95 + pr->id = pkt_id; 96 + } else { 97 + /* ID backtrack */ 98 + const unsigned int delta = pr->id - pkt_id; 99 + 100 + if (delta > pr->max_backtrack) 101 + pr->max_backtrack = delta; 102 + if (delta < pr->extent) { 103 + if (pkt_id > pr->id_floor) { 104 + const unsigned int ri = REPLAY_INDEX(pr->base, 105 + delta); 106 + u8 *p = &pr->history[ri / 8]; 107 + const u8 mask = (1 << (ri % 8)); 108 + 109 + if (*p & mask) { 110 + ret = -EINVAL; 111 + goto out; 112 + } 113 + *p |= mask; 114 + } else { 115 + ret = -EINVAL; 116 + goto out; 117 + } 118 + } else { 119 + ret = -EINVAL; 120 + goto out; 121 + } 122 + } 123 + 124 + pr->expire = now + PKTID_RECV_EXPIRE; 125 + ret = 0; 126 + 
out: 127 + spin_unlock_bh(&pr->lock); 128 + return ret; 129 + }
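Review bot: ovpn_pktid_recv() sets history bits with `pr->history[pr->base / 8] |= (1 << (pr->base % 8));` in two places and `const u8 mask = (1 << (ri % 8));` in a third, but clears them with `&= ~BIT(newb % 8)`; use BIT() consistently for the set paths too. Also, memset() is used in ovpn_pktid_recv_init() and in the window reset, but `<linux/string.h>` is not among the includes; add it rather than relying on it being pulled in transitively.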
+86
drivers/net/ovpn/pktid.h
··· 1 + /* SPDX-License-Identifier: GPL-2.0-only */ 2 + /* OpenVPN data channel offload 3 + * 4 + * Copyright (C) 2020-2025 OpenVPN, Inc. 5 + * 6 + * Author: Antonio Quartulli <antonio@openvpn.net> 7 + * James Yonan <james@openvpn.net> 8 + */ 9 + 10 + #ifndef _NET_OVPN_OVPNPKTID_H_ 11 + #define _NET_OVPN_OVPNPKTID_H_ 12 + 13 + #include "proto.h" 14 + 15 + /* If no packets received for this length of time, set a backtrack floor 16 + * at highest received packet ID thus far. 17 + */ 18 + #define PKTID_RECV_EXPIRE (30 * HZ) 19 + 20 + /* Packet-ID state for transmitter */ 21 + struct ovpn_pktid_xmit { 22 + atomic_t seq_num; 23 + }; 24 + 25 + /* replay window sizing in bytes = 2^REPLAY_WINDOW_ORDER */ 26 + #define REPLAY_WINDOW_ORDER 8 27 + 28 + #define REPLAY_WINDOW_BYTES BIT(REPLAY_WINDOW_ORDER) 29 + #define REPLAY_WINDOW_SIZE (REPLAY_WINDOW_BYTES * 8) 30 + #define REPLAY_INDEX(base, i) (((base) + (i)) & (REPLAY_WINDOW_SIZE - 1)) 31 + 32 + /* Packet-ID state for receiver. 33 + * Other than lock member, can be zeroed to initialize. 
34 + */ 35 + struct ovpn_pktid_recv { 36 + /* "sliding window" bitmask of recent packet IDs received */ 37 + u8 history[REPLAY_WINDOW_BYTES]; 38 + /* bit position of deque base in history */ 39 + unsigned int base; 40 + /* extent (in bits) of deque in history */ 41 + unsigned int extent; 42 + /* expiration of history in jiffies */ 43 + unsigned long expire; 44 + /* highest sequence number received */ 45 + u32 id; 46 + /* highest time stamp received */ 47 + u32 time; 48 + /* we will only accept backtrack IDs > id_floor */ 49 + u32 id_floor; 50 + unsigned int max_backtrack; 51 + /* protects entire pktd ID state */ 52 + spinlock_t lock; 53 + }; 54 + 55 + /* Get the next packet ID for xmit */ 56 + static inline int ovpn_pktid_xmit_next(struct ovpn_pktid_xmit *pid, u32 *pktid) 57 + { 58 + const u32 seq_num = atomic_fetch_add_unless(&pid->seq_num, 1, 0); 59 + /* when the 32bit space is over, we return an error because the packet 60 + * ID is used to create the cipher IV and we do not want to reuse the 61 + * same value more than once 62 + */ 63 + if (unlikely(!seq_num)) 64 + return -ERANGE; 65 + 66 + *pktid = seq_num; 67 + 68 + return 0; 69 + } 70 + 71 + /* Write 12-byte AEAD IV to dest */ 72 + static inline void ovpn_pktid_aead_write(const u32 pktid, 73 + const u8 nt[], 74 + unsigned char *dest) 75 + { 76 + *(__force __be32 *)(dest) = htonl(pktid); 77 + BUILD_BUG_ON(4 + OVPN_NONCE_TAIL_SIZE != OVPN_NONCE_SIZE); 78 + memcpy(dest + 4, nt, OVPN_NONCE_TAIL_SIZE); 79 + } 80 + 81 + void ovpn_pktid_xmit_init(struct ovpn_pktid_xmit *pid); 82 + void ovpn_pktid_recv_init(struct ovpn_pktid_recv *pr); 83 + 84 + int ovpn_pktid_recv(struct ovpn_pktid_recv *pr, u32 pkt_id, u32 pkt_time); 85 + 86 + #endif /* _NET_OVPN_OVPNPKTID_H_ */
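Review bot: ovpn_pktid_aead_write() writes the packet ID with `*(__force __be32 *)(dest) = htonl(pktid);`, which is an unaligned 32-bit store whenever `dest` points into a byte buffer; `put_unaligned_be32(pktid, dest)` from <linux/unaligned.h> is the safe form and also removes the __force cast. Fix the comment typo `protects entire pktd ID state` ("packet ID"). Minor: htonl() and BIT() are used with only "proto.h" included; add the headers they come from (<linux/bits.h> for BIT()) so the header stands on its own.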
+118
drivers/net/ovpn/proto.h
··· 1 + /* SPDX-License-Identifier: GPL-2.0-only */ 2 + /* OpenVPN data channel offload 3 + * 4 + * Copyright (C) 2020-2025 OpenVPN, Inc. 5 + * 6 + * Author: Antonio Quartulli <antonio@openvpn.net> 7 + * James Yonan <james@openvpn.net> 8 + */ 9 + 10 + #ifndef _NET_OVPN_PROTO_H_ 11 + #define _NET_OVPN_PROTO_H_ 12 + 13 + #include "main.h" 14 + 15 + #include <linux/bitfield.h> 16 + #include <linux/skbuff.h> 17 + 18 + /* When the OpenVPN protocol is ran in AEAD mode, use 19 + * the OpenVPN packet ID as the AEAD nonce: 20 + * 21 + * 00000005 521c3b01 4308c041 22 + * [seq # ] [ nonce_tail ] 23 + * [ 12-byte full IV ] -> OVPN_NONCE_SIZE 24 + * [4-bytes -> OVPN_NONCE_WIRE_SIZE 25 + * on wire] 26 + */ 27 + 28 + /* nonce size (96bits) as required by AEAD ciphers */ 29 + #define OVPN_NONCE_SIZE 12 30 + /* last 8 bytes of AEAD nonce: provided by userspace and usually derived 31 + * from key material generated during TLS handshake 32 + */ 33 + #define OVPN_NONCE_TAIL_SIZE 8 34 + 35 + /* OpenVPN nonce size reduced by 8-byte nonce tail -- this is the 36 + * size of the AEAD Associated Data (AD) sent over the wire 37 + * and is normally the head of the IV 38 + */ 39 + #define OVPN_NONCE_WIRE_SIZE (OVPN_NONCE_SIZE - OVPN_NONCE_TAIL_SIZE) 40 + 41 + #define OVPN_OPCODE_SIZE 4 /* DATA_V2 opcode size */ 42 + #define OVPN_OPCODE_KEYID_MASK 0x07000000 43 + #define OVPN_OPCODE_PKTTYPE_MASK 0xF8000000 44 + #define OVPN_OPCODE_PEERID_MASK 0x00FFFFFF 45 + 46 + /* packet opcodes of interest to us */ 47 + #define OVPN_DATA_V1 6 /* data channel v1 packet */ 48 + #define OVPN_DATA_V2 9 /* data channel v2 packet */ 49 + 50 + #define OVPN_PEER_ID_UNDEF 0x00FFFFFF 51 + 52 + /** 53 + * ovpn_opcode_from_skb - extract OP code from skb at specified offset 54 + * @skb: the packet to extract the OP code from 55 + * @offset: the offset in the data buffer where the OP code is located 56 + * 57 + * Note: this function assumes that the skb head was pulled enough 58 + * to access the first 4 bytes. 
59 + * 60 + * Return: the OP code 61 + */ 62 + static inline u8 ovpn_opcode_from_skb(const struct sk_buff *skb, u16 offset) 63 + { 64 + u32 opcode = be32_to_cpu(*(__be32 *)(skb->data + offset)); 65 + 66 + return FIELD_GET(OVPN_OPCODE_PKTTYPE_MASK, opcode); 67 + } 68 + 69 + /** 70 + * ovpn_peer_id_from_skb - extract peer ID from skb at specified offset 71 + * @skb: the packet to extract the OP code from 72 + * @offset: the offset in the data buffer where the OP code is located 73 + * 74 + * Note: this function assumes that the skb head was pulled enough 75 + * to access the first 4 bytes. 76 + * 77 + * Return: the peer ID 78 + */ 79 + static inline u32 ovpn_peer_id_from_skb(const struct sk_buff *skb, u16 offset) 80 + { 81 + u32 opcode = be32_to_cpu(*(__be32 *)(skb->data + offset)); 82 + 83 + return FIELD_GET(OVPN_OPCODE_PEERID_MASK, opcode); 84 + } 85 + 86 + /** 87 + * ovpn_key_id_from_skb - extract key ID from the skb head 88 + * @skb: the packet to extract the key ID code from 89 + * 90 + * Note: this function assumes that the skb head was pulled enough 91 + * to access the first 4 bytes. 92 + * 93 + * Return: the key ID 94 + */ 95 + static inline u8 ovpn_key_id_from_skb(const struct sk_buff *skb) 96 + { 97 + u32 opcode = be32_to_cpu(*(__be32 *)skb->data); 98 + 99 + return FIELD_GET(OVPN_OPCODE_KEYID_MASK, opcode); 100 + } 101 + 102 + /** 103 + * ovpn_opcode_compose - combine OP code, key ID and peer ID to wire format 104 + * @opcode: the OP code 105 + * @key_id: the key ID 106 + * @peer_id: the peer ID 107 + * 108 + * Return: a 4 bytes integer obtained combining all input values following the 109 + * OpenVPN wire format. This integer can then be written to the packet header. 
110 + */ 111 + static inline u32 ovpn_opcode_compose(u8 opcode, u8 key_id, u32 peer_id) 112 + { 113 + return FIELD_PREP(OVPN_OPCODE_PKTTYPE_MASK, opcode) | 114 + FIELD_PREP(OVPN_OPCODE_KEYID_MASK, key_id) | 115 + FIELD_PREP(OVPN_OPCODE_PEERID_MASK, peer_id); 116 + } 117 + 118 + #endif /* _NET_OVPN_OVPNPROTO_H_ */
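Review bot: the closing guard comment `#endif /* _NET_OVPN_OVPNPROTO_H_ */` does not match the guard actually defined at the top of proto.h (`#ifndef _NET_OVPN_PROTO_H_` / `#define _NET_OVPN_PROTO_H_`); make the two agree. Also the kernel-doc for ovpn_peer_id_from_skb() still reads "@skb: the packet to extract the OP code from" and "@offset: the offset in the data buffer where the OP code is located", copied from ovpn_opcode_from_skb(); it should describe the peer ID. Minor: all three accessors dereference `*(__be32 *)(skb->data + offset)` directly, so they rely on the caller-supplied offset keeping the read 4-byte aligned; get_unaligned_be32() is the usual idiom when that cannot be guaranteed.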
+61
drivers/net/ovpn/skb.h
··· 1 + /* SPDX-License-Identifier: GPL-2.0-only */ 2 + /* OpenVPN data channel offload 3 + * 4 + * Copyright (C) 2020-2025 OpenVPN, Inc. 5 + * 6 + * Author: Antonio Quartulli <antonio@openvpn.net> 7 + * James Yonan <james@openvpn.net> 8 + */ 9 + 10 + #ifndef _NET_OVPN_SKB_H_ 11 + #define _NET_OVPN_SKB_H_ 12 + 13 + #include <linux/in.h> 14 + #include <linux/in6.h> 15 + #include <linux/ip.h> 16 + #include <linux/ipv6.h> 17 + #include <linux/skbuff.h> 18 + #include <linux/socket.h> 19 + #include <linux/types.h> 20 + 21 + struct ovpn_cb { 22 + struct ovpn_peer *peer; 23 + struct ovpn_crypto_key_slot *ks; 24 + struct aead_request *req; 25 + struct scatterlist *sg; 26 + u8 *iv; 27 + unsigned int payload_offset; 28 + bool nosignal; 29 + }; 30 + 31 + static inline struct ovpn_cb *ovpn_skb_cb(struct sk_buff *skb) 32 + { 33 + BUILD_BUG_ON(sizeof(struct ovpn_cb) > sizeof(skb->cb)); 34 + return (struct ovpn_cb *)skb->cb; 35 + } 36 + 37 + /* Return IP protocol version from skb header. 38 + * Return 0 if protocol is not IPv4/IPv6 or cannot be read. 39 + */ 40 + static inline __be16 ovpn_ip_check_protocol(struct sk_buff *skb) 41 + { 42 + __be16 proto = 0; 43 + 44 + /* skb could be non-linear, 45 + * make sure IP header is in non-fragmented part 46 + */ 47 + if (!pskb_network_may_pull(skb, sizeof(struct iphdr))) 48 + return 0; 49 + 50 + if (ip_hdr(skb)->version == 4) { 51 + proto = htons(ETH_P_IP); 52 + } else if (ip_hdr(skb)->version == 6) { 53 + if (!pskb_network_may_pull(skb, sizeof(struct ipv6hdr))) 54 + return 0; 55 + proto = htons(ETH_P_IPV6); 56 + } 57 + 58 + return proto; 59 + } 60 + 61 + #endif /* _NET_OVPN_SKB_H_ */
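Review bot: ovpn_ip_check_protocol() depends on the caller having set skb->network_header (both pskb_network_may_pull() and ip_hdr() index from it), but the comment only says "Return IP protocol version from skb header"; state that precondition so callers know to reset the network header first. Two smaller points: ETH_P_IP/ETH_P_IPV6 come from <linux/if_ether.h>, which this header does not include directly, and the IPv6 branch reads `ip_hdr(skb)->version` through the IPv4 header struct, which is correct only because the version nibble sits at the same position in both headers and deserves a one-line comment.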
+233
drivers/net/ovpn/socket.c
··· 1 + // SPDX-License-Identifier: GPL-2.0 2 + /* OpenVPN data channel offload 3 + * 4 + * Copyright (C) 2020-2025 OpenVPN, Inc. 5 + * 6 + * Author: James Yonan <james@openvpn.net> 7 + * Antonio Quartulli <antonio@openvpn.net> 8 + */ 9 + 10 + #include <linux/net.h> 11 + #include <linux/netdevice.h> 12 + #include <linux/udp.h> 13 + 14 + #include "ovpnpriv.h" 15 + #include "main.h" 16 + #include "io.h" 17 + #include "peer.h" 18 + #include "socket.h" 19 + #include "tcp.h" 20 + #include "udp.h" 21 + 22 + static void ovpn_socket_release_kref(struct kref *kref) 23 + { 24 + struct ovpn_socket *sock = container_of(kref, struct ovpn_socket, 25 + refcount); 26 + 27 + if (sock->sock->sk->sk_protocol == IPPROTO_UDP) 28 + ovpn_udp_socket_detach(sock); 29 + else if (sock->sock->sk->sk_protocol == IPPROTO_TCP) 30 + ovpn_tcp_socket_detach(sock); 31 + } 32 + 33 + /** 34 + * ovpn_socket_put - decrease reference counter 35 + * @peer: peer whose socket reference counter should be decreased 36 + * @sock: the RCU protected peer socket 37 + * 38 + * This function is only used internally. Users willing to release 39 + * references to the ovpn_socket should use ovpn_socket_release() 40 + * 41 + * Return: true if the socket was released, false otherwise 42 + */ 43 + static bool ovpn_socket_put(struct ovpn_peer *peer, struct ovpn_socket *sock) 44 + { 45 + return kref_put(&sock->refcount, ovpn_socket_release_kref); 46 + } 47 + 48 + /** 49 + * ovpn_socket_release - release resources owned by socket user 50 + * @peer: peer whose socket should be released 51 + * 52 + * This function should be invoked when the peer is being removed 53 + * and wants to drop its link to the socket. 54 + * 55 + * In case of UDP, the detach routine will drop a reference to the 56 + * ovpn netdev, pointed by the ovpn_socket. 57 + * 58 + * In case of TCP, releasing the socket will cause dropping 59 + * the refcounter for the peer it is linked to, thus allowing the peer 60 + * disappear as well. 
61 + * 62 + * This function is expected to be invoked exactly once per peer 63 + * 64 + * NOTE: this function may sleep 65 + */ 66 + void ovpn_socket_release(struct ovpn_peer *peer) 67 + { 68 + struct ovpn_socket *sock; 69 + bool released; 70 + 71 + might_sleep(); 72 + 73 + sock = rcu_replace_pointer(peer->sock, NULL, true); 74 + /* release may be invoked after socket was detached */ 75 + if (!sock) 76 + return; 77 + 78 + /* sanity check: we should not end up here if the socket 79 + * was already closed 80 + */ 81 + if (!sock->sock->sk) { 82 + DEBUG_NET_WARN_ON_ONCE(1); 83 + return; 84 + } 85 + 86 + /* Drop the reference while holding the sock lock to avoid 87 + * concurrent ovpn_socket_new call to mess up with a partially 88 + * detached socket. 89 + * 90 + * Holding the lock ensures that a socket with refcnt 0 is fully 91 + * detached before it can be picked by a concurrent reader. 92 + */ 93 + lock_sock(sock->sock->sk); 94 + released = ovpn_socket_put(peer, sock); 95 + release_sock(sock->sock->sk); 96 + 97 + /* align all readers with sk_user_data being NULL */ 98 + synchronize_rcu(); 99 + 100 + /* following cleanup should happen with lock released */ 101 + if (released) { 102 + if (sock->sock->sk->sk_protocol == IPPROTO_UDP) { 103 + netdev_put(sock->ovpn->dev, &sock->dev_tracker); 104 + } else if (sock->sock->sk->sk_protocol == IPPROTO_TCP) { 105 + /* wait for TCP jobs to terminate */ 106 + ovpn_tcp_socket_wait_finish(sock); 107 + ovpn_peer_put(sock->peer); 108 + } 109 + /* we can call plain kfree() because we already waited one RCU 110 + * period due to synchronize_rcu() 111 + */ 112 + kfree(sock); 113 + } 114 + } 115 + 116 + static bool ovpn_socket_hold(struct ovpn_socket *sock) 117 + { 118 + return kref_get_unless_zero(&sock->refcount); 119 + } 120 + 121 + static int ovpn_socket_attach(struct ovpn_socket *sock, struct ovpn_peer *peer) 122 + { 123 + if (sock->sock->sk->sk_protocol == IPPROTO_UDP) 124 + return ovpn_udp_socket_attach(sock, peer->ovpn); 125 + 
else if (sock->sock->sk->sk_protocol == IPPROTO_TCP) 126 + return ovpn_tcp_socket_attach(sock, peer); 127 + 128 + return -EOPNOTSUPP; 129 + } 130 + 131 + /** 132 + * ovpn_socket_new - create a new socket and initialize it 133 + * @sock: the kernel socket to embed 134 + * @peer: the peer reachable via this socket 135 + * 136 + * Return: an openvpn socket on success or a negative error code otherwise 137 + */ 138 + struct ovpn_socket *ovpn_socket_new(struct socket *sock, struct ovpn_peer *peer) 139 + { 140 + struct ovpn_socket *ovpn_sock; 141 + int ret; 142 + 143 + lock_sock(sock->sk); 144 + 145 + /* a TCP socket can only be owned by a single peer, therefore there 146 + * can't be any other user 147 + */ 148 + if (sock->sk->sk_protocol == IPPROTO_TCP && sock->sk->sk_user_data) { 149 + ovpn_sock = ERR_PTR(-EBUSY); 150 + goto sock_release; 151 + } 152 + 153 + /* a UDP socket can be shared across multiple peers, but we must make 154 + * sure it is not owned by something else 155 + */ 156 + if (sock->sk->sk_protocol == IPPROTO_UDP) { 157 + u8 type = READ_ONCE(udp_sk(sock->sk)->encap_type); 158 + 159 + /* socket owned by other encapsulation module */ 160 + if (type && type != UDP_ENCAP_OVPNINUDP) { 161 + ovpn_sock = ERR_PTR(-EBUSY); 162 + goto sock_release; 163 + } 164 + 165 + rcu_read_lock(); 166 + ovpn_sock = rcu_dereference_sk_user_data(sock->sk); 167 + if (ovpn_sock) { 168 + /* socket owned by another ovpn instance, we can't use it */ 169 + if (ovpn_sock->ovpn != peer->ovpn) { 170 + ovpn_sock = ERR_PTR(-EBUSY); 171 + rcu_read_unlock(); 172 + goto sock_release; 173 + } 174 + 175 + /* this socket is already owned by this instance, 176 + * therefore we can increase the refcounter and 177 + * use it as expected 178 + */ 179 + if (WARN_ON(!ovpn_socket_hold(ovpn_sock))) { 180 + /* this should never happen because setting 181 + * the refcnt to 0 and detaching the socket 182 + * is expected to be atomic 183 + */ 184 + ovpn_sock = ERR_PTR(-EAGAIN); 185 + rcu_read_unlock(); 186 
+ goto sock_release; 187 + } 188 + 189 + rcu_read_unlock(); 190 + goto sock_release; 191 + } 192 + rcu_read_unlock(); 193 + } 194 + 195 + /* socket is not owned: attach to this ovpn instance */ 196 + 197 + ovpn_sock = kzalloc(sizeof(*ovpn_sock), GFP_KERNEL); 198 + if (!ovpn_sock) { 199 + ovpn_sock = ERR_PTR(-ENOMEM); 200 + goto sock_release; 201 + } 202 + 203 + ovpn_sock->sock = sock; 204 + kref_init(&ovpn_sock->refcount); 205 + 206 + ret = ovpn_socket_attach(ovpn_sock, peer); 207 + if (ret < 0) { 208 + kfree(ovpn_sock); 209 + ovpn_sock = ERR_PTR(ret); 210 + goto sock_release; 211 + } 212 + 213 + /* TCP sockets are per-peer, therefore they are linked to their unique 214 + * peer 215 + */ 216 + if (sock->sk->sk_protocol == IPPROTO_TCP) { 217 + INIT_WORK(&ovpn_sock->tcp_tx_work, ovpn_tcp_tx_work); 218 + ovpn_sock->peer = peer; 219 + ovpn_peer_hold(peer); 220 + } else if (sock->sk->sk_protocol == IPPROTO_UDP) { 221 + /* in UDP we only link the ovpn instance since the socket is 222 + * shared among multiple peers 223 + */ 224 + ovpn_sock->ovpn = peer->ovpn; 225 + netdev_hold(peer->ovpn->dev, &ovpn_sock->dev_tracker, 226 + GFP_KERNEL); 227 + } 228 + 229 + rcu_assign_sk_user_data(sock->sk, ovpn_sock); 230 + sock_release: 231 + release_sock(sock->sk); 232 + return ovpn_sock; 233 + }
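Review bot: the `peer` argument of `static bool ovpn_socket_put(struct ovpn_peer *peer, struct ovpn_socket *sock)` is never used; the body is just `return kref_put(&sock->refcount, ovpn_socket_release_kref);`, and the only caller passes it for nothing. Drop the parameter and its kernel-doc line ("@peer: peer whose socket reference counter should be decreased"), or say why the signature keeps it.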
+49
drivers/net/ovpn/socket.h
··· 1 + /* SPDX-License-Identifier: GPL-2.0-only */ 2 + /* OpenVPN data channel offload 3 + * 4 + * Copyright (C) 2020-2025 OpenVPN, Inc. 5 + * 6 + * Author: James Yonan <james@openvpn.net> 7 + * Antonio Quartulli <antonio@openvpn.net> 8 + */ 9 + 10 + #ifndef _NET_OVPN_SOCK_H_ 11 + #define _NET_OVPN_SOCK_H_ 12 + 13 + #include <linux/net.h> 14 + #include <linux/kref.h> 15 + #include <net/sock.h> 16 + 17 + struct ovpn_priv; 18 + struct ovpn_peer; 19 + 20 + /** 21 + * struct ovpn_socket - a kernel socket referenced in the ovpn code 22 + * @ovpn: ovpn instance owning this socket (UDP only) 23 + * @dev_tracker: reference tracker for associated dev (UDP only) 24 + * @peer: unique peer transmitting over this socket (TCP only) 25 + * @sock: the low level sock object 26 + * @refcount: amount of contexts currently referencing this object 27 + * @work: member used to schedule release routine (it may block) 28 + * @tcp_tx_work: work for deferring outgoing packet processing (TCP only) 29 + */ 30 + struct ovpn_socket { 31 + union { 32 + struct { 33 + struct ovpn_priv *ovpn; 34 + netdevice_tracker dev_tracker; 35 + }; 36 + struct ovpn_peer *peer; 37 + }; 38 + 39 + struct socket *sock; 40 + struct kref refcount; 41 + struct work_struct work; 42 + struct work_struct tcp_tx_work; 43 + }; 44 + 45 + struct ovpn_socket *ovpn_socket_new(struct socket *sock, 46 + struct ovpn_peer *peer); 47 + void ovpn_socket_release(struct ovpn_peer *peer); 48 + 49 + #endif /* _NET_OVPN_SOCK_H_ */
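Review bot: `struct work_struct work;` is documented as "member used to schedule release routine (it may block)", but nothing in socket.c initialises or schedules it: ovpn_socket_release() runs synchronously under might_sleep(), and the only INIT_WORK() in ovpn_socket_new() is for tcp_tx_work. Either remove the field and its doc line or point at the code that uses it.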
+21
drivers/net/ovpn/stats.c
··· 1 + // SPDX-License-Identifier: GPL-2.0 2 + /* OpenVPN data channel offload 3 + * 4 + * Copyright (C) 2020-2025 OpenVPN, Inc. 5 + * 6 + * Author: James Yonan <james@openvpn.net> 7 + * Antonio Quartulli <antonio@openvpn.net> 8 + */ 9 + 10 + #include <linux/atomic.h> 11 + 12 + #include "stats.h" 13 + 14 + void ovpn_peer_stats_init(struct ovpn_peer_stats *ps) 15 + { 16 + atomic64_set(&ps->rx.bytes, 0); 17 + atomic64_set(&ps->rx.packets, 0); 18 + 19 + atomic64_set(&ps->tx.bytes, 0); 20 + atomic64_set(&ps->tx.packets, 0); 21 + }
+47
drivers/net/ovpn/stats.h
··· 1 + /* SPDX-License-Identifier: GPL-2.0-only */ 2 + /* OpenVPN data channel offload 3 + * 4 + * Copyright (C) 2020-2025 OpenVPN, Inc. 5 + * 6 + * Author: James Yonan <james@openvpn.net> 7 + * Antonio Quartulli <antonio@openvpn.net> 8 + * Lev Stipakov <lev@openvpn.net> 9 + */ 10 + 11 + #ifndef _NET_OVPN_OVPNSTATS_H_ 12 + #define _NET_OVPN_OVPNSTATS_H_ 13 + 14 + /* one stat */ 15 + struct ovpn_peer_stat { 16 + atomic64_t bytes; 17 + atomic64_t packets; 18 + }; 19 + 20 + /* rx and tx stats combined */ 21 + struct ovpn_peer_stats { 22 + struct ovpn_peer_stat rx; 23 + struct ovpn_peer_stat tx; 24 + }; 25 + 26 + void ovpn_peer_stats_init(struct ovpn_peer_stats *ps); 27 + 28 + static inline void ovpn_peer_stats_increment(struct ovpn_peer_stat *stat, 29 + const unsigned int n) 30 + { 31 + atomic64_add(n, &stat->bytes); 32 + atomic64_inc(&stat->packets); 33 + } 34 + 35 + static inline void ovpn_peer_stats_increment_rx(struct ovpn_peer_stats *stats, 36 + const unsigned int n) 37 + { 38 + ovpn_peer_stats_increment(&stats->rx, n); 39 + } 40 + 41 + static inline void ovpn_peer_stats_increment_tx(struct ovpn_peer_stats *stats, 42 + const unsigned int n) 43 + { 44 + ovpn_peer_stats_increment(&stats->tx, n); 45 + } 46 + 47 + #endif /* _NET_OVPN_OVPNSTATS_H_ */
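Review bot: stats.h uses atomic64_t, atomic64_add() and atomic64_inc() but includes nothing; it only builds because stats.c pulls in <linux/atomic.h> before "stats.h". Add `#include <linux/atomic.h>` so the header is self-contained for any other includer. Style: the guard `_NET_OVPN_OVPNSTATS_H_` does not follow the `_NET_OVPN_<FILE>_H_` pattern used by socket.h, tcp.h and skb.h.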
+598
drivers/net/ovpn/tcp.c
··· 1 + // SPDX-License-Identifier: GPL-2.0 2 + /* OpenVPN data channel offload 3 + * 4 + * Copyright (C) 2019-2025 OpenVPN, Inc. 5 + * 6 + * Author: Antonio Quartulli <antonio@openvpn.net> 7 + */ 8 + 9 + #include <linux/skbuff.h> 10 + #include <net/hotdata.h> 11 + #include <net/inet_common.h> 12 + #include <net/ipv6.h> 13 + #include <net/tcp.h> 14 + #include <net/transp_v6.h> 15 + #include <net/route.h> 16 + #include <trace/events/sock.h> 17 + 18 + #include "ovpnpriv.h" 19 + #include "main.h" 20 + #include "io.h" 21 + #include "peer.h" 22 + #include "proto.h" 23 + #include "skb.h" 24 + #include "tcp.h" 25 + 26 + #define OVPN_TCP_DEPTH_NESTING 2 27 + #if OVPN_TCP_DEPTH_NESTING == SINGLE_DEPTH_NESTING 28 + #error "OVPN TCP requires its own lockdep subclass" 29 + #endif 30 + 31 + static struct proto ovpn_tcp_prot __ro_after_init; 32 + static struct proto_ops ovpn_tcp_ops __ro_after_init; 33 + static struct proto ovpn_tcp6_prot __ro_after_init; 34 + static struct proto_ops ovpn_tcp6_ops __ro_after_init; 35 + 36 + static int ovpn_tcp_parse(struct strparser *strp, struct sk_buff *skb) 37 + { 38 + struct strp_msg *rxm = strp_msg(skb); 39 + __be16 blen; 40 + u16 len; 41 + int err; 42 + 43 + /* when packets are written to the TCP stream, they are prepended with 44 + * two bytes indicating the actual packet size. 
45 + * Parse accordingly and return the actual size (including the size 46 + * header) 47 + */ 48 + 49 + if (skb->len < rxm->offset + 2) 50 + return 0; 51 + 52 + err = skb_copy_bits(skb, rxm->offset, &blen, sizeof(blen)); 53 + if (err < 0) 54 + return err; 55 + 56 + len = be16_to_cpu(blen); 57 + if (len < 2) 58 + return -EINVAL; 59 + 60 + return len + 2; 61 + } 62 + 63 + /* queue skb for sending to userspace via recvmsg on the socket */ 64 + static void ovpn_tcp_to_userspace(struct ovpn_peer *peer, struct sock *sk, 65 + struct sk_buff *skb) 66 + { 67 + skb_set_owner_r(skb, sk); 68 + memset(skb->cb, 0, sizeof(skb->cb)); 69 + skb_queue_tail(&peer->tcp.user_queue, skb); 70 + peer->tcp.sk_cb.sk_data_ready(sk); 71 + } 72 + 73 + static void ovpn_tcp_rcv(struct strparser *strp, struct sk_buff *skb) 74 + { 75 + struct ovpn_peer *peer = container_of(strp, struct ovpn_peer, tcp.strp); 76 + struct strp_msg *msg = strp_msg(skb); 77 + size_t pkt_len = msg->full_len - 2; 78 + size_t off = msg->offset + 2; 79 + u8 opcode; 80 + 81 + /* ensure skb->data points to the beginning of the openvpn packet */ 82 + if (!pskb_pull(skb, off)) { 83 + net_warn_ratelimited("%s: packet too small for peer %u\n", 84 + netdev_name(peer->ovpn->dev), peer->id); 85 + goto err; 86 + } 87 + 88 + /* strparser does not trim the skb for us, therefore we do it now */ 89 + if (pskb_trim(skb, pkt_len) != 0) { 90 + net_warn_ratelimited("%s: trimming skb failed for peer %u\n", 91 + netdev_name(peer->ovpn->dev), peer->id); 92 + goto err; 93 + } 94 + 95 + /* we need the first 4 bytes of data to be accessible 96 + * to extract the opcode and the key ID later on 97 + */ 98 + if (!pskb_may_pull(skb, OVPN_OPCODE_SIZE)) { 99 + net_warn_ratelimited("%s: packet too small to fetch opcode for peer %u\n", 100 + netdev_name(peer->ovpn->dev), peer->id); 101 + goto err; 102 + } 103 + 104 + /* DATA_V2 packets are handled in kernel, the rest goes to user space */ 105 + opcode = ovpn_opcode_from_skb(skb, 0); 106 + if 
(unlikely(opcode != OVPN_DATA_V2)) { 107 + if (opcode == OVPN_DATA_V1) { 108 + net_warn_ratelimited("%s: DATA_V1 detected on the TCP stream\n", 109 + netdev_name(peer->ovpn->dev)); 110 + goto err; 111 + } 112 + 113 + /* The packet size header must be there when sending the packet 114 + * to userspace, therefore we put it back 115 + */ 116 + skb_push(skb, 2); 117 + ovpn_tcp_to_userspace(peer, strp->sk, skb); 118 + return; 119 + } 120 + 121 + /* hold reference to peer as required by ovpn_recv(). 122 + * 123 + * NOTE: in this context we should already be holding a reference to 124 + * this peer, therefore ovpn_peer_hold() is not expected to fail 125 + */ 126 + if (WARN_ON(!ovpn_peer_hold(peer))) 127 + goto err; 128 + 129 + ovpn_recv(peer, skb); 130 + return; 131 + err: 132 + dev_dstats_rx_dropped(peer->ovpn->dev); 133 + kfree_skb(skb); 134 + ovpn_peer_del(peer, OVPN_DEL_PEER_REASON_TRANSPORT_ERROR); 135 + } 136 + 137 + static int ovpn_tcp_recvmsg(struct sock *sk, struct msghdr *msg, size_t len, 138 + int flags, int *addr_len) 139 + { 140 + int err = 0, off, copied = 0, ret; 141 + struct ovpn_socket *sock; 142 + struct ovpn_peer *peer; 143 + struct sk_buff *skb; 144 + 145 + rcu_read_lock(); 146 + sock = rcu_dereference_sk_user_data(sk); 147 + if (unlikely(!sock || !sock->peer || !ovpn_peer_hold(sock->peer))) { 148 + rcu_read_unlock(); 149 + return -EBADF; 150 + } 151 + peer = sock->peer; 152 + rcu_read_unlock(); 153 + 154 + skb = __skb_recv_datagram(sk, &peer->tcp.user_queue, flags, &off, &err); 155 + if (!skb) { 156 + if (err == -EAGAIN && sk->sk_shutdown & RCV_SHUTDOWN) { 157 + ret = 0; 158 + goto out; 159 + } 160 + ret = err; 161 + goto out; 162 + } 163 + 164 + copied = len; 165 + if (copied > skb->len) 166 + copied = skb->len; 167 + else if (copied < skb->len) 168 + msg->msg_flags |= MSG_TRUNC; 169 + 170 + err = skb_copy_datagram_msg(skb, 0, msg, copied); 171 + if (unlikely(err)) { 172 + kfree_skb(skb); 173 + ret = err; 174 + goto out; 175 + } 176 + 177 + if (flags 
& MSG_TRUNC) 178 + copied = skb->len; 179 + kfree_skb(skb); 180 + ret = copied; 181 + out: 182 + ovpn_peer_put(peer); 183 + return ret; 184 + } 185 + 186 + void ovpn_tcp_socket_detach(struct ovpn_socket *ovpn_sock) 187 + { 188 + struct ovpn_peer *peer = ovpn_sock->peer; 189 + struct socket *sock = ovpn_sock->sock; 190 + 191 + strp_stop(&peer->tcp.strp); 192 + skb_queue_purge(&peer->tcp.user_queue); 193 + 194 + /* restore CBs that were saved in ovpn_sock_set_tcp_cb() */ 195 + sock->sk->sk_data_ready = peer->tcp.sk_cb.sk_data_ready; 196 + sock->sk->sk_write_space = peer->tcp.sk_cb.sk_write_space; 197 + sock->sk->sk_prot = peer->tcp.sk_cb.prot; 198 + sock->sk->sk_socket->ops = peer->tcp.sk_cb.ops; 199 + 200 + rcu_assign_sk_user_data(sock->sk, NULL); 201 + } 202 + 203 + void ovpn_tcp_socket_wait_finish(struct ovpn_socket *sock) 204 + { 205 + struct ovpn_peer *peer = sock->peer; 206 + 207 + /* NOTE: we don't wait for peer->tcp.defer_del_work to finish: 208 + * either the worker is not running or this function 209 + * was invoked by that worker. 210 + */ 211 + 212 + cancel_work_sync(&sock->tcp_tx_work); 213 + strp_done(&peer->tcp.strp); 214 + 215 + skb_queue_purge(&peer->tcp.out_queue); 216 + kfree_skb(peer->tcp.out_msg.skb); 217 + peer->tcp.out_msg.skb = NULL; 218 + } 219 + 220 + static void ovpn_tcp_send_sock(struct ovpn_peer *peer, struct sock *sk) 221 + { 222 + struct sk_buff *skb = peer->tcp.out_msg.skb; 223 + int ret, flags; 224 + 225 + if (!skb) 226 + return; 227 + 228 + if (peer->tcp.tx_in_progress) 229 + return; 230 + 231 + peer->tcp.tx_in_progress = true; 232 + 233 + do { 234 + flags = ovpn_skb_cb(skb)->nosignal ? 
MSG_NOSIGNAL : 0; 235 + ret = skb_send_sock_locked_with_flags(sk, skb, 236 + peer->tcp.out_msg.offset, 237 + peer->tcp.out_msg.len, 238 + flags); 239 + if (unlikely(ret < 0)) { 240 + if (ret == -EAGAIN) 241 + goto out; 242 + 243 + net_warn_ratelimited("%s: TCP error to peer %u: %d\n", 244 + netdev_name(peer->ovpn->dev), 245 + peer->id, ret); 246 + 247 + /* in case of TCP error we can't recover the VPN 248 + * stream therefore we abort the connection 249 + */ 250 + ovpn_peer_hold(peer); 251 + schedule_work(&peer->tcp.defer_del_work); 252 + 253 + /* we bail out immediately and keep tx_in_progress set 254 + * to true. This way we prevent more TX attempts 255 + * which would lead to more invocations of 256 + * schedule_work() 257 + */ 258 + return; 259 + } 260 + 261 + peer->tcp.out_msg.len -= ret; 262 + peer->tcp.out_msg.offset += ret; 263 + } while (peer->tcp.out_msg.len > 0); 264 + 265 + if (!peer->tcp.out_msg.len) { 266 + preempt_disable(); 267 + dev_dstats_tx_add(peer->ovpn->dev, skb->len); 268 + preempt_enable(); 269 + } 270 + 271 + kfree_skb(peer->tcp.out_msg.skb); 272 + peer->tcp.out_msg.skb = NULL; 273 + peer->tcp.out_msg.len = 0; 274 + peer->tcp.out_msg.offset = 0; 275 + 276 + out: 277 + peer->tcp.tx_in_progress = false; 278 + } 279 + 280 + void ovpn_tcp_tx_work(struct work_struct *work) 281 + { 282 + struct ovpn_socket *sock; 283 + 284 + sock = container_of(work, struct ovpn_socket, tcp_tx_work); 285 + 286 + lock_sock(sock->sock->sk); 287 + if (sock->peer) 288 + ovpn_tcp_send_sock(sock->peer, sock->sock->sk); 289 + release_sock(sock->sock->sk); 290 + } 291 + 292 + static void ovpn_tcp_send_sock_skb(struct ovpn_peer *peer, struct sock *sk, 293 + struct sk_buff *skb) 294 + { 295 + if (peer->tcp.out_msg.skb) 296 + ovpn_tcp_send_sock(peer, sk); 297 + 298 + if (peer->tcp.out_msg.skb) { 299 + dev_dstats_tx_dropped(peer->ovpn->dev); 300 + kfree_skb(skb); 301 + return; 302 + } 303 + 304 + peer->tcp.out_msg.skb = skb; 305 + peer->tcp.out_msg.len = skb->len; 306 + 
peer->tcp.out_msg.offset = 0; 307 + ovpn_tcp_send_sock(peer, sk); 308 + } 309 + 310 + void ovpn_tcp_send_skb(struct ovpn_peer *peer, struct socket *sock, 311 + struct sk_buff *skb) 312 + { 313 + u16 len = skb->len; 314 + 315 + *(__be16 *)__skb_push(skb, sizeof(u16)) = htons(len); 316 + 317 + spin_lock_nested(&sock->sk->sk_lock.slock, OVPN_TCP_DEPTH_NESTING); 318 + if (sock_owned_by_user(sock->sk)) { 319 + if (skb_queue_len(&peer->tcp.out_queue) >= 320 + READ_ONCE(net_hotdata.max_backlog)) { 321 + dev_dstats_tx_dropped(peer->ovpn->dev); 322 + kfree_skb(skb); 323 + goto unlock; 324 + } 325 + __skb_queue_tail(&peer->tcp.out_queue, skb); 326 + } else { 327 + ovpn_tcp_send_sock_skb(peer, sock->sk, skb); 328 + } 329 + unlock: 330 + spin_unlock(&sock->sk->sk_lock.slock); 331 + } 332 + 333 + static void ovpn_tcp_release(struct sock *sk) 334 + { 335 + struct sk_buff_head queue; 336 + struct ovpn_socket *sock; 337 + struct ovpn_peer *peer; 338 + struct sk_buff *skb; 339 + 340 + rcu_read_lock(); 341 + sock = rcu_dereference_sk_user_data(sk); 342 + if (!sock) { 343 + rcu_read_unlock(); 344 + return; 345 + } 346 + 347 + peer = sock->peer; 348 + 349 + /* during initialization this function is called before 350 + * assigning sock->peer 351 + */ 352 + if (unlikely(!peer || !ovpn_peer_hold(peer))) { 353 + rcu_read_unlock(); 354 + return; 355 + } 356 + rcu_read_unlock(); 357 + 358 + __skb_queue_head_init(&queue); 359 + skb_queue_splice_init(&peer->tcp.out_queue, &queue); 360 + 361 + while ((skb = __skb_dequeue(&queue))) 362 + ovpn_tcp_send_sock_skb(peer, sk, skb); 363 + 364 + peer->tcp.sk_cb.prot->release_cb(sk); 365 + ovpn_peer_put(peer); 366 + } 367 + 368 + static int ovpn_tcp_sendmsg(struct sock *sk, struct msghdr *msg, size_t size) 369 + { 370 + struct ovpn_socket *sock; 371 + int ret, linear = PAGE_SIZE; 372 + struct ovpn_peer *peer; 373 + struct sk_buff *skb; 374 + 375 + lock_sock(sk); 376 + rcu_read_lock(); 377 + sock = rcu_dereference_sk_user_data(sk); 378 + if 
(unlikely(!sock || !sock->peer || !ovpn_peer_hold(sock->peer))) { 379 + rcu_read_unlock(); 380 + release_sock(sk); 381 + return -EIO; 382 + } 383 + rcu_read_unlock(); 384 + peer = sock->peer; 385 + 386 + if (msg->msg_flags & ~(MSG_DONTWAIT | MSG_NOSIGNAL)) { 387 + ret = -EOPNOTSUPP; 388 + goto peer_free; 389 + } 390 + 391 + if (peer->tcp.out_msg.skb) { 392 + ret = -EAGAIN; 393 + goto peer_free; 394 + } 395 + 396 + if (size < linear) 397 + linear = size; 398 + 399 + skb = sock_alloc_send_pskb(sk, linear, size - linear, 400 + msg->msg_flags & MSG_DONTWAIT, &ret, 0); 401 + if (!skb) { 402 + net_err_ratelimited("%s: skb alloc failed: %d\n", 403 + netdev_name(peer->ovpn->dev), ret); 404 + goto peer_free; 405 + } 406 + 407 + skb_put(skb, linear); 408 + skb->len = size; 409 + skb->data_len = size - linear; 410 + 411 + ret = skb_copy_datagram_from_iter(skb, 0, &msg->msg_iter, size); 412 + if (ret) { 413 + kfree_skb(skb); 414 + net_err_ratelimited("%s: skb copy from iter failed: %d\n", 415 + netdev_name(peer->ovpn->dev), ret); 416 + goto peer_free; 417 + } 418 + 419 + ovpn_skb_cb(skb)->nosignal = msg->msg_flags & MSG_NOSIGNAL; 420 + ovpn_tcp_send_sock_skb(peer, sk, skb); 421 + ret = size; 422 + peer_free: 423 + release_sock(sk); 424 + ovpn_peer_put(peer); 425 + return ret; 426 + } 427 + 428 + static int ovpn_tcp_disconnect(struct sock *sk, int flags) 429 + { 430 + return -EBUSY; 431 + } 432 + 433 + static void ovpn_tcp_data_ready(struct sock *sk) 434 + { 435 + struct ovpn_socket *sock; 436 + 437 + trace_sk_data_ready(sk); 438 + 439 + rcu_read_lock(); 440 + sock = rcu_dereference_sk_user_data(sk); 441 + if (likely(sock && sock->peer)) 442 + strp_data_ready(&sock->peer->tcp.strp); 443 + rcu_read_unlock(); 444 + } 445 + 446 + static void ovpn_tcp_write_space(struct sock *sk) 447 + { 448 + struct ovpn_socket *sock; 449 + 450 + rcu_read_lock(); 451 + sock = rcu_dereference_sk_user_data(sk); 452 + if (likely(sock && sock->peer)) { 453 + schedule_work(&sock->tcp_tx_work); 454 + 
sock->peer->tcp.sk_cb.sk_write_space(sk); 455 + } 456 + rcu_read_unlock(); 457 + } 458 + 459 + static void ovpn_tcp_build_protos(struct proto *new_prot, 460 + struct proto_ops *new_ops, 461 + const struct proto *orig_prot, 462 + const struct proto_ops *orig_ops); 463 + 464 + static void ovpn_tcp_peer_del_work(struct work_struct *work) 465 + { 466 + struct ovpn_peer *peer = container_of(work, struct ovpn_peer, 467 + tcp.defer_del_work); 468 + 469 + ovpn_peer_del(peer, OVPN_DEL_PEER_REASON_TRANSPORT_ERROR); 470 + ovpn_peer_put(peer); 471 + } 472 + 473 + /* Set TCP encapsulation callbacks */ 474 + int ovpn_tcp_socket_attach(struct ovpn_socket *ovpn_sock, 475 + struct ovpn_peer *peer) 476 + { 477 + struct socket *sock = ovpn_sock->sock; 478 + struct strp_callbacks cb = { 479 + .rcv_msg = ovpn_tcp_rcv, 480 + .parse_msg = ovpn_tcp_parse, 481 + }; 482 + int ret; 483 + 484 + /* make sure no pre-existing encapsulation handler exists */ 485 + if (sock->sk->sk_user_data) 486 + return -EBUSY; 487 + 488 + /* only a fully connected socket is expected. 
Connection should be 489 + * handled in userspace 490 + */ 491 + if (sock->sk->sk_state != TCP_ESTABLISHED) { 492 + net_err_ratelimited("%s: provided TCP socket is not in ESTABLISHED state: %d\n", 493 + netdev_name(peer->ovpn->dev), 494 + sock->sk->sk_state); 495 + return -EINVAL; 496 + } 497 + 498 + ret = strp_init(&peer->tcp.strp, sock->sk, &cb); 499 + if (ret < 0) { 500 + DEBUG_NET_WARN_ON_ONCE(1); 501 + return ret; 502 + } 503 + 504 + INIT_WORK(&peer->tcp.defer_del_work, ovpn_tcp_peer_del_work); 505 + 506 + __sk_dst_reset(sock->sk); 507 + skb_queue_head_init(&peer->tcp.user_queue); 508 + skb_queue_head_init(&peer->tcp.out_queue); 509 + 510 + /* save current CBs so that they can be restored upon socket release */ 511 + peer->tcp.sk_cb.sk_data_ready = sock->sk->sk_data_ready; 512 + peer->tcp.sk_cb.sk_write_space = sock->sk->sk_write_space; 513 + peer->tcp.sk_cb.prot = sock->sk->sk_prot; 514 + peer->tcp.sk_cb.ops = sock->sk->sk_socket->ops; 515 + 516 + /* assign our static CBs and prot/ops */ 517 + sock->sk->sk_data_ready = ovpn_tcp_data_ready; 518 + sock->sk->sk_write_space = ovpn_tcp_write_space; 519 + 520 + if (sock->sk->sk_family == AF_INET) { 521 + sock->sk->sk_prot = &ovpn_tcp_prot; 522 + sock->sk->sk_socket->ops = &ovpn_tcp_ops; 523 + } else { 524 + sock->sk->sk_prot = &ovpn_tcp6_prot; 525 + sock->sk->sk_socket->ops = &ovpn_tcp6_ops; 526 + } 527 + 528 + /* avoid using task_frag */ 529 + sock->sk->sk_allocation = GFP_ATOMIC; 530 + sock->sk->sk_use_task_frag = false; 531 + 532 + /* enqueue the RX worker */ 533 + strp_check_rcv(&peer->tcp.strp); 534 + 535 + return 0; 536 + } 537 + 538 + static void ovpn_tcp_close(struct sock *sk, long timeout) 539 + { 540 + struct ovpn_socket *sock; 541 + struct ovpn_peer *peer; 542 + 543 + rcu_read_lock(); 544 + sock = rcu_dereference_sk_user_data(sk); 545 + if (!sock || !sock->peer || !ovpn_peer_hold(sock->peer)) { 546 + rcu_read_unlock(); 547 + return; 548 + } 549 + peer = sock->peer; 550 + rcu_read_unlock(); 551 + 552 + 
ovpn_peer_del(sock->peer, OVPN_DEL_PEER_REASON_TRANSPORT_DISCONNECT); 553 + peer->tcp.sk_cb.prot->close(sk, timeout); 554 + ovpn_peer_put(peer); 555 + } 556 + 557 + static __poll_t ovpn_tcp_poll(struct file *file, struct socket *sock, 558 + poll_table *wait) 559 + { 560 + __poll_t mask = datagram_poll(file, sock, wait); 561 + struct ovpn_socket *ovpn_sock; 562 + 563 + rcu_read_lock(); 564 + ovpn_sock = rcu_dereference_sk_user_data(sock->sk); 565 + if (ovpn_sock && ovpn_sock->peer && 566 + !skb_queue_empty(&ovpn_sock->peer->tcp.user_queue)) 567 + mask |= EPOLLIN | EPOLLRDNORM; 568 + rcu_read_unlock(); 569 + 570 + return mask; 571 + } 572 + 573 + static void ovpn_tcp_build_protos(struct proto *new_prot, 574 + struct proto_ops *new_ops, 575 + const struct proto *orig_prot, 576 + const struct proto_ops *orig_ops) 577 + { 578 + memcpy(new_prot, orig_prot, sizeof(*new_prot)); 579 + memcpy(new_ops, orig_ops, sizeof(*new_ops)); 580 + new_prot->recvmsg = ovpn_tcp_recvmsg; 581 + new_prot->sendmsg = ovpn_tcp_sendmsg; 582 + new_prot->disconnect = ovpn_tcp_disconnect; 583 + new_prot->close = ovpn_tcp_close; 584 + new_prot->release_cb = ovpn_tcp_release; 585 + new_ops->poll = ovpn_tcp_poll; 586 + } 587 + 588 + /* Initialize TCP static objects */ 589 + void __init ovpn_tcp_init(void) 590 + { 591 + ovpn_tcp_build_protos(&ovpn_tcp_prot, &ovpn_tcp_ops, &tcp_prot, 592 + &inet_stream_ops); 593 + 594 + #if IS_ENABLED(CONFIG_IPV6) 595 + ovpn_tcp_build_protos(&ovpn_tcp6_prot, &ovpn_tcp6_ops, &tcpv6_prot, 596 + &inet6_stream_ops); 597 + #endif 598 + }
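Review bot: in ovpn_tcp_close() the call `ovpn_peer_del(sock->peer, OVPN_DEL_PEER_REASON_TRANSPORT_DISCONNECT);` dereferences `sock->peer` after rcu_read_unlock(), even though the function has just taken a held reference into the local `peer`; pass `peer` instead, as the next line `peer->tcp.sk_cb.prot->close(sk, timeout);` already does. Separately, ovpn_tcp_send_skb() does `u16 len = skb->len;` before pushing the 2-byte framing header; an skb longer than 65535 bytes would get a wrapped length and desynchronise the receiver's strparser, so a `WARN_ON_ONCE` plus drop on `skb->len > U16_MAX` would be cheap insurance.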
+36
drivers/net/ovpn/tcp.h
··· 1 + /* SPDX-License-Identifier: GPL-2.0-only */ 2 + /* OpenVPN data channel offload 3 + * 4 + * Copyright (C) 2019-2025 OpenVPN, Inc. 5 + * 6 + * Author: Antonio Quartulli <antonio@openvpn.net> 7 + */ 8 + 9 + #ifndef _NET_OVPN_TCP_H_ 10 + #define _NET_OVPN_TCP_H_ 11 + 12 + #include <linux/net.h> 13 + #include <linux/skbuff.h> 14 + #include <linux/types.h> 15 + 16 + #include "peer.h" 17 + #include "skb.h" 18 + #include "socket.h" 19 + 20 + void __init ovpn_tcp_init(void); 21 + 22 + int ovpn_tcp_socket_attach(struct ovpn_socket *ovpn_sock, 23 + struct ovpn_peer *peer); 24 + void ovpn_tcp_socket_detach(struct ovpn_socket *ovpn_sock); 25 + void ovpn_tcp_socket_wait_finish(struct ovpn_socket *sock); 26 + 27 + /* Prepare skb and enqueue it for sending to peer. 28 + * 29 + * Preparation consist in prepending the skb payload with its size. 30 + * Required by the OpenVPN protocol in order to extract packets from 31 + * the TCP stream on the receiver side. 32 + */ 33 + void ovpn_tcp_send_skb(struct ovpn_peer *peer, struct socket *sock, struct sk_buff *skb); 34 + void ovpn_tcp_tx_work(struct work_struct *work); 35 + 36 + #endif /* _NET_OVPN_TCP_H_ */
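Review bot: the prototype `void ovpn_tcp_send_skb(struct ovpn_peer *peer, struct socket *sock, struct sk_buff *skb);` runs past 80 columns and is the only declaration in this header not wrapped; wrap it like ovpn_tcp_socket_attach(). Also "Preparation consist in prepending the skb payload with its size" should read "Preparation consists of prepending the skb payload with its size".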
+439
drivers/net/ovpn/udp.c
··· 1 + // SPDX-License-Identifier: GPL-2.0 2 + /* OpenVPN data channel offload 3 + * 4 + * Copyright (C) 2019-2025 OpenVPN, Inc. 5 + * 6 + * Author: Antonio Quartulli <antonio@openvpn.net> 7 + */ 8 + 9 + #include <linux/netdevice.h> 10 + #include <linux/inetdevice.h> 11 + #include <linux/skbuff.h> 12 + #include <linux/socket.h> 13 + #include <linux/udp.h> 14 + #include <net/addrconf.h> 15 + #include <net/dst_cache.h> 16 + #include <net/route.h> 17 + #include <net/ipv6_stubs.h> 18 + #include <net/transp_v6.h> 19 + #include <net/udp.h> 20 + #include <net/udp_tunnel.h> 21 + 22 + #include "ovpnpriv.h" 23 + #include "main.h" 24 + #include "bind.h" 25 + #include "io.h" 26 + #include "peer.h" 27 + #include "proto.h" 28 + #include "socket.h" 29 + #include "udp.h" 30 + 31 + /* Retrieve the corresponding ovpn object from a UDP socket 32 + * rcu_read_lock must be held on entry 33 + */ 34 + static struct ovpn_socket *ovpn_socket_from_udp_sock(struct sock *sk) 35 + { 36 + struct ovpn_socket *ovpn_sock; 37 + 38 + if (unlikely(READ_ONCE(udp_sk(sk)->encap_type) != UDP_ENCAP_OVPNINUDP)) 39 + return NULL; 40 + 41 + ovpn_sock = rcu_dereference_sk_user_data(sk); 42 + if (unlikely(!ovpn_sock)) 43 + return NULL; 44 + 45 + /* make sure that sk matches our stored transport socket */ 46 + if (unlikely(!ovpn_sock->sock || sk != ovpn_sock->sock->sk)) 47 + return NULL; 48 + 49 + return ovpn_sock; 50 + } 51 + 52 + /** 53 + * ovpn_udp_encap_recv - Start processing a received UDP packet. 54 + * @sk: socket over which the packet was received 55 + * @skb: the received packet 56 + * 57 + * If the first byte of the payload is: 58 + * - DATA_V2 the packet is accepted for further processing, 59 + * - DATA_V1 the packet is dropped as not supported, 60 + * - anything else the packet is forwarded to the UDP stack for 61 + * delivery to user space. 
62 + * 63 + * Return: 64 + * 0 if skb was consumed or dropped 65 + * >0 if skb should be passed up to userspace as UDP (packet not consumed) 66 + * <0 if skb should be resubmitted as proto -N (packet not consumed) 67 + */ 68 + static int ovpn_udp_encap_recv(struct sock *sk, struct sk_buff *skb) 69 + { 70 + struct ovpn_socket *ovpn_sock; 71 + struct ovpn_priv *ovpn; 72 + struct ovpn_peer *peer; 73 + u32 peer_id; 74 + u8 opcode; 75 + 76 + ovpn_sock = ovpn_socket_from_udp_sock(sk); 77 + if (unlikely(!ovpn_sock)) { 78 + net_err_ratelimited("ovpn: %s invoked on non ovpn socket\n", 79 + __func__); 80 + goto drop_noovpn; 81 + } 82 + 83 + ovpn = ovpn_sock->ovpn; 84 + if (unlikely(!ovpn)) { 85 + net_err_ratelimited("ovpn: cannot obtain ovpn object from UDP socket\n"); 86 + goto drop_noovpn; 87 + } 88 + 89 + /* Make sure the first 4 bytes of the skb data buffer after the UDP 90 + * header are accessible. 91 + * They are required to fetch the OP code, the key ID and the peer ID. 92 + */ 93 + if (unlikely(!pskb_may_pull(skb, sizeof(struct udphdr) + 94 + OVPN_OPCODE_SIZE))) { 95 + net_dbg_ratelimited("%s: packet too small from UDP socket\n", 96 + netdev_name(ovpn->dev)); 97 + goto drop; 98 + } 99 + 100 + opcode = ovpn_opcode_from_skb(skb, sizeof(struct udphdr)); 101 + if (unlikely(opcode != OVPN_DATA_V2)) { 102 + /* DATA_V1 is not supported */ 103 + if (opcode == OVPN_DATA_V1) 104 + goto drop; 105 + 106 + /* unknown or control packet: let it bubble up to userspace */ 107 + return 1; 108 + } 109 + 110 + peer_id = ovpn_peer_id_from_skb(skb, sizeof(struct udphdr)); 111 + /* some OpenVPN server implementations send data packets with the 112 + * peer-id set to UNDEF. 
In this case we skip the peer lookup by peer-id 113 + * and we try with the transport address 114 + */ 115 + if (peer_id == OVPN_PEER_ID_UNDEF) 116 + peer = ovpn_peer_get_by_transp_addr(ovpn, skb); 117 + else 118 + peer = ovpn_peer_get_by_id(ovpn, peer_id); 119 + 120 + if (unlikely(!peer)) 121 + goto drop; 122 + 123 + /* pop off outer UDP header */ 124 + __skb_pull(skb, sizeof(struct udphdr)); 125 + ovpn_recv(peer, skb); 126 + return 0; 127 + 128 + drop: 129 + dev_dstats_rx_dropped(ovpn->dev); 130 + drop_noovpn: 131 + kfree_skb(skb); 132 + return 0; 133 + } 134 + 135 + /** 136 + * ovpn_udp4_output - send IPv4 packet over udp socket 137 + * @peer: the destination peer 138 + * @bind: the binding related to the destination peer 139 + * @cache: dst cache 140 + * @sk: the socket to send the packet over 141 + * @skb: the packet to send 142 + * 143 + * Return: 0 on success or a negative error code otherwise 144 + */ 145 + static int ovpn_udp4_output(struct ovpn_peer *peer, struct ovpn_bind *bind, 146 + struct dst_cache *cache, struct sock *sk, 147 + struct sk_buff *skb) 148 + { 149 + struct rtable *rt; 150 + struct flowi4 fl = { 151 + .saddr = bind->local.ipv4.s_addr, 152 + .daddr = bind->remote.in4.sin_addr.s_addr, 153 + .fl4_sport = inet_sk(sk)->inet_sport, 154 + .fl4_dport = bind->remote.in4.sin_port, 155 + .flowi4_proto = sk->sk_protocol, 156 + .flowi4_mark = sk->sk_mark, 157 + }; 158 + int ret; 159 + 160 + local_bh_disable(); 161 + rt = dst_cache_get_ip4(cache, &fl.saddr); 162 + if (rt) 163 + goto transmit; 164 + 165 + if (unlikely(!inet_confirm_addr(sock_net(sk), NULL, 0, fl.saddr, 166 + RT_SCOPE_HOST))) { 167 + /* we may end up here when the cached address is not usable 168 + * anymore. 
In this case we reset address/cache and perform a 169 + * new look up 170 + */ 171 + fl.saddr = 0; 172 + spin_lock_bh(&peer->lock); 173 + bind->local.ipv4.s_addr = 0; 174 + spin_unlock_bh(&peer->lock); 175 + dst_cache_reset(cache); 176 + } 177 + 178 + rt = ip_route_output_flow(sock_net(sk), &fl, sk); 179 + if (IS_ERR(rt) && PTR_ERR(rt) == -EINVAL) { 180 + fl.saddr = 0; 181 + spin_lock_bh(&peer->lock); 182 + bind->local.ipv4.s_addr = 0; 183 + spin_unlock_bh(&peer->lock); 184 + dst_cache_reset(cache); 185 + 186 + rt = ip_route_output_flow(sock_net(sk), &fl, sk); 187 + } 188 + 189 + if (IS_ERR(rt)) { 190 + ret = PTR_ERR(rt); 191 + net_dbg_ratelimited("%s: no route to host %pISpc: %d\n", 192 + netdev_name(peer->ovpn->dev), 193 + &bind->remote.in4, 194 + ret); 195 + goto err; 196 + } 197 + dst_cache_set_ip4(cache, &rt->dst, fl.saddr); 198 + 199 + transmit: 200 + udp_tunnel_xmit_skb(rt, sk, skb, fl.saddr, fl.daddr, 0, 201 + ip4_dst_hoplimit(&rt->dst), 0, fl.fl4_sport, 202 + fl.fl4_dport, false, sk->sk_no_check_tx); 203 + ret = 0; 204 + err: 205 + local_bh_enable(); 206 + return ret; 207 + } 208 + 209 + #if IS_ENABLED(CONFIG_IPV6) 210 + /** 211 + * ovpn_udp6_output - send IPv6 packet over udp socket 212 + * @peer: the destination peer 213 + * @bind: the binding related to the destination peer 214 + * @cache: dst cache 215 + * @sk: the socket to send the packet over 216 + * @skb: the packet to send 217 + * 218 + * Return: 0 on success or a negative error code otherwise 219 + */ 220 + static int ovpn_udp6_output(struct ovpn_peer *peer, struct ovpn_bind *bind, 221 + struct dst_cache *cache, struct sock *sk, 222 + struct sk_buff *skb) 223 + { 224 + struct dst_entry *dst; 225 + int ret; 226 + 227 + struct flowi6 fl = { 228 + .saddr = bind->local.ipv6, 229 + .daddr = bind->remote.in6.sin6_addr, 230 + .fl6_sport = inet_sk(sk)->inet_sport, 231 + .fl6_dport = bind->remote.in6.sin6_port, 232 + .flowi6_proto = sk->sk_protocol, 233 + .flowi6_mark = sk->sk_mark, 234 + .flowi6_oif = 
bind->remote.in6.sin6_scope_id, 235 + }; 236 + 237 + local_bh_disable(); 238 + dst = dst_cache_get_ip6(cache, &fl.saddr); 239 + if (dst) 240 + goto transmit; 241 + 242 + if (unlikely(!ipv6_chk_addr(sock_net(sk), &fl.saddr, NULL, 0))) { 243 + /* we may end up here when the cached address is not usable 244 + * anymore. In this case we reset address/cache and perform a 245 + * new look up 246 + */ 247 + fl.saddr = in6addr_any; 248 + spin_lock_bh(&peer->lock); 249 + bind->local.ipv6 = in6addr_any; 250 + spin_unlock_bh(&peer->lock); 251 + dst_cache_reset(cache); 252 + } 253 + 254 + dst = ipv6_stub->ipv6_dst_lookup_flow(sock_net(sk), sk, &fl, NULL); 255 + if (IS_ERR(dst)) { 256 + ret = PTR_ERR(dst); 257 + net_dbg_ratelimited("%s: no route to host %pISpc: %d\n", 258 + netdev_name(peer->ovpn->dev), 259 + &bind->remote.in6, ret); 260 + goto err; 261 + } 262 + dst_cache_set_ip6(cache, dst, &fl.saddr); 263 + 264 + transmit: 265 + udp_tunnel6_xmit_skb(dst, sk, skb, skb->dev, &fl.saddr, &fl.daddr, 0, 266 + ip6_dst_hoplimit(dst), 0, fl.fl6_sport, 267 + fl.fl6_dport, udp_get_no_check6_tx(sk)); 268 + ret = 0; 269 + err: 270 + local_bh_enable(); 271 + return ret; 272 + } 273 + #endif 274 + 275 + /** 276 + * ovpn_udp_output - transmit skb using udp-tunnel 277 + * @peer: the destination peer 278 + * @cache: dst cache 279 + * @sk: the socket to send the packet over 280 + * @skb: the packet to send 281 + * 282 + * rcu_read_lock should be held on entry. 283 + * On return, the skb is consumed. 
284 + * 285 + * Return: 0 on success or a negative error code otherwise 286 + */ 287 + static int ovpn_udp_output(struct ovpn_peer *peer, struct dst_cache *cache, 288 + struct sock *sk, struct sk_buff *skb) 289 + { 290 + struct ovpn_bind *bind; 291 + int ret; 292 + 293 + /* set sk to null if skb is already orphaned */ 294 + if (!skb->destructor) 295 + skb->sk = NULL; 296 + 297 + rcu_read_lock(); 298 + bind = rcu_dereference(peer->bind); 299 + if (unlikely(!bind)) { 300 + net_warn_ratelimited("%s: no bind for remote peer %u\n", 301 + netdev_name(peer->ovpn->dev), peer->id); 302 + ret = -ENODEV; 303 + goto out; 304 + } 305 + 306 + switch (bind->remote.in4.sin_family) { 307 + case AF_INET: 308 + ret = ovpn_udp4_output(peer, bind, cache, sk, skb); 309 + break; 310 + #if IS_ENABLED(CONFIG_IPV6) 311 + case AF_INET6: 312 + ret = ovpn_udp6_output(peer, bind, cache, sk, skb); 313 + break; 314 + #endif 315 + default: 316 + ret = -EAFNOSUPPORT; 317 + break; 318 + } 319 + 320 + out: 321 + rcu_read_unlock(); 322 + return ret; 323 + } 324 + 325 + /** 326 + * ovpn_udp_send_skb - prepare skb and send it over via UDP 327 + * @peer: the destination peer 328 + * @sock: the RCU protected peer socket 329 + * @skb: the packet to send 330 + */ 331 + void ovpn_udp_send_skb(struct ovpn_peer *peer, struct socket *sock, 332 + struct sk_buff *skb) 333 + { 334 + int ret = -1; 335 + 336 + skb->dev = peer->ovpn->dev; 337 + /* no checksum performed at this layer */ 338 + skb->ip_summed = CHECKSUM_NONE; 339 + 340 + /* get socket info */ 341 + if (unlikely(!sock)) { 342 + net_warn_ratelimited("%s: no sock for remote peer %u\n", 343 + netdev_name(peer->ovpn->dev), peer->id); 344 + goto out; 345 + } 346 + 347 + /* crypto layer -> transport (UDP) */ 348 + ret = ovpn_udp_output(peer, &peer->dst_cache, sock->sk, skb); 349 + out: 350 + if (unlikely(ret < 0)) { 351 + kfree_skb(skb); 352 + return; 353 + } 354 + } 355 + 356 + static void ovpn_udp_encap_destroy(struct sock *sk) 357 + { 358 + struct 
ovpn_socket *sock; 359 + struct ovpn_priv *ovpn; 360 + 361 + rcu_read_lock(); 362 + sock = rcu_dereference_sk_user_data(sk); 363 + if (!sock || !sock->ovpn) { 364 + rcu_read_unlock(); 365 + return; 366 + } 367 + ovpn = sock->ovpn; 368 + rcu_read_unlock(); 369 + 370 + ovpn_peers_free(ovpn, sk, OVPN_DEL_PEER_REASON_TRANSPORT_DISCONNECT); 371 + } 372 + 373 + /** 374 + * ovpn_udp_socket_attach - set udp-tunnel CBs on socket and link it to ovpn 375 + * @ovpn_sock: socket to configure 376 + * @ovpn: the openvp instance to link 377 + * 378 + * After invoking this function, the sock will be controlled by ovpn so that 379 + * any incoming packet may be processed by ovpn first. 380 + * 381 + * Return: 0 on success or a negative error code otherwise 382 + */ 383 + int ovpn_udp_socket_attach(struct ovpn_socket *ovpn_sock, 384 + struct ovpn_priv *ovpn) 385 + { 386 + struct udp_tunnel_sock_cfg cfg = { 387 + .encap_type = UDP_ENCAP_OVPNINUDP, 388 + .encap_rcv = ovpn_udp_encap_recv, 389 + .encap_destroy = ovpn_udp_encap_destroy, 390 + }; 391 + struct socket *sock = ovpn_sock->sock; 392 + struct ovpn_socket *old_data; 393 + int ret; 394 + 395 + /* make sure no pre-existing encapsulation handler exists */ 396 + rcu_read_lock(); 397 + old_data = rcu_dereference_sk_user_data(sock->sk); 398 + if (!old_data) { 399 + /* socket is currently unused - we can take it */ 400 + rcu_read_unlock(); 401 + setup_udp_tunnel_sock(sock_net(sock->sk), sock, &cfg); 402 + return 0; 403 + } 404 + 405 + /* socket is in use. We need to understand if it's owned by this ovpn 406 + * instance or by something else. 407 + * In the former case, we can increase the refcounter and happily 408 + * use it, because the same UDP socket is expected to be shared among 409 + * different peers. 
410 + * 411 + * Unlikely TCP, a single UDP socket can be used to talk to many remote 412 + * hosts and therefore openvpn instantiates one only for all its peers 413 + */ 414 + if ((READ_ONCE(udp_sk(sock->sk)->encap_type) == UDP_ENCAP_OVPNINUDP) && 415 + old_data->ovpn == ovpn) { 416 + netdev_dbg(ovpn->dev, 417 + "provided socket already owned by this interface\n"); 418 + ret = -EALREADY; 419 + } else { 420 + netdev_dbg(ovpn->dev, 421 + "provided socket already taken by other user\n"); 422 + ret = -EBUSY; 423 + } 424 + rcu_read_unlock(); 425 + 426 + return ret; 427 + } 428 + 429 + /** 430 + * ovpn_udp_socket_detach - clean udp-tunnel status for this socket 431 + * @ovpn_sock: the socket to clean 432 + */ 433 + void ovpn_udp_socket_detach(struct ovpn_socket *ovpn_sock) 434 + { 435 + struct udp_tunnel_sock_cfg cfg = { }; 436 + 437 + setup_udp_tunnel_sock(sock_net(ovpn_sock->sock->sk), ovpn_sock->sock, 438 + &cfg); 439 + }
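Review bot: ovpn_udp4_output() and ovpn_udp6_output() read `sk->sk_mark` directly into the flow structs; elsewhere in the stack that field is read with READ_ONCE() because it is updated without the socket lock, so `.flowi4_mark = READ_ONCE(sk->sk_mark)` (and the flowi6 counterpart) would avoid a KCSAN report. In ovpn_udp_socket_attach() the NULL check of sk_user_data under rcu_read_lock() and the later setup_udp_tunnel_sock() are not serialized inside the function, so the kernel-doc should state which lock the caller must hold to stop two concurrent attaches from both observing a NULL old_data. Two wording fixes in the same function's comments: "@ovpn: the openvp instance" should read "openvpn", and "Unlikely TCP, a single UDP socket" should read "Unlike TCP".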
+25
drivers/net/ovpn/udp.h
··· 1 + /* SPDX-License-Identifier: GPL-2.0-only */ 2 + /* OpenVPN data channel offload 3 + * 4 + * Copyright (C) 2019-2025 OpenVPN, Inc. 5 + * 6 + * Author: Antonio Quartulli <antonio@openvpn.net> 7 + */ 8 + 9 + #ifndef _NET_OVPN_UDP_H_ 10 + #define _NET_OVPN_UDP_H_ 11 + 12 + #include <net/sock.h> 13 + 14 + struct ovpn_peer; 15 + struct ovpn_priv; 16 + struct socket; 17 + 18 + int ovpn_udp_socket_attach(struct ovpn_socket *ovpn_sock, 19 + struct ovpn_priv *ovpn); 20 + void ovpn_udp_socket_detach(struct ovpn_socket *ovpn_sock); 21 + 22 + void ovpn_udp_send_skb(struct ovpn_peer *peer, struct socket *sock, 23 + struct sk_buff *skb); 24 + 25 + #endif /* _NET_OVPN_UDP_H_ */
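Review bot: the forward declarations cover struct ovpn_peer, struct ovpn_priv and struct socket but not struct ovpn_socket, which appears in the ovpn_udp_socket_attach() and ovpn_udp_socket_detach() prototypes right below; add `struct ovpn_socket;` next to the others so that a translation unit including udp.h before socket.h does not get a "declared inside parameter list will not be visible" warning.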
+2
include/linux/skbuff.h
··· 4145 4145 unsigned int flags); 4146 4146 int skb_send_sock_locked(struct sock *sk, struct sk_buff *skb, int offset, 4147 4147 int len); 4148 + int skb_send_sock_locked_with_flags(struct sock *sk, struct sk_buff *skb, 4149 + int offset, int len, int flags); 4148 4150 int skb_send_sock(struct sock *sk, struct sk_buff *skb, int offset, int len); 4149 4151 void skb_copy_and_csum_dev(const struct sk_buff *skb, u8 *to); 4150 4152 unsigned int skb_zerocopy_headlen(const struct sk_buff *from);
+15
include/uapi/linux/if_link.h
··· 1986 1986 1987 1987 #define IFLA_DSA_MAX (__IFLA_DSA_MAX - 1) 1988 1988 1989 + /* OVPN section */ 1990 + 1991 + enum ovpn_mode { 1992 + OVPN_MODE_P2P, 1993 + OVPN_MODE_MP, 1994 + }; 1995 + 1996 + enum { 1997 + IFLA_OVPN_UNSPEC, 1998 + IFLA_OVPN_MODE, 1999 + __IFLA_OVPN_MAX, 2000 + }; 2001 + 2002 + #define IFLA_OVPN_MAX (__IFLA_OVPN_MAX - 1) 2003 + 1989 2004 #endif /* _UAPI_LINUX_IF_LINK_H */
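Review bot: enum ovpn_mode becomes user ABI with no comment on what OVPN_MODE_P2P and OVPN_MODE_MP mean; a one-line comment per value (single-peer point-to-point vs. multi-peer, as the selftests' setup_ns() uses them) would spare future readers a trip into the driver, and since the values cannot change once merged the doc should be in place now.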
+109
include/uapi/linux/ovpn.h
··· 1 + /* SPDX-License-Identifier: ((GPL-2.0 WITH Linux-syscall-note) OR BSD-3-Clause) */ 2 + /* Do not edit directly, auto-generated from: */ 3 + /* Documentation/netlink/specs/ovpn.yaml */ 4 + /* YNL-GEN uapi header */ 5 + 6 + #ifndef _UAPI_LINUX_OVPN_H 7 + #define _UAPI_LINUX_OVPN_H 8 + 9 + #define OVPN_FAMILY_NAME "ovpn" 10 + #define OVPN_FAMILY_VERSION 1 11 + 12 + #define OVPN_NONCE_TAIL_SIZE 8 13 + 14 + enum ovpn_cipher_alg { 15 + OVPN_CIPHER_ALG_NONE, 16 + OVPN_CIPHER_ALG_AES_GCM, 17 + OVPN_CIPHER_ALG_CHACHA20_POLY1305, 18 + }; 19 + 20 + enum ovpn_del_peer_reason { 21 + OVPN_DEL_PEER_REASON_TEARDOWN, 22 + OVPN_DEL_PEER_REASON_USERSPACE, 23 + OVPN_DEL_PEER_REASON_EXPIRED, 24 + OVPN_DEL_PEER_REASON_TRANSPORT_ERROR, 25 + OVPN_DEL_PEER_REASON_TRANSPORT_DISCONNECT, 26 + }; 27 + 28 + enum ovpn_key_slot { 29 + OVPN_KEY_SLOT_PRIMARY, 30 + OVPN_KEY_SLOT_SECONDARY, 31 + }; 32 + 33 + enum { 34 + OVPN_A_PEER_ID = 1, 35 + OVPN_A_PEER_REMOTE_IPV4, 36 + OVPN_A_PEER_REMOTE_IPV6, 37 + OVPN_A_PEER_REMOTE_IPV6_SCOPE_ID, 38 + OVPN_A_PEER_REMOTE_PORT, 39 + OVPN_A_PEER_SOCKET, 40 + OVPN_A_PEER_SOCKET_NETNSID, 41 + OVPN_A_PEER_VPN_IPV4, 42 + OVPN_A_PEER_VPN_IPV6, 43 + OVPN_A_PEER_LOCAL_IPV4, 44 + OVPN_A_PEER_LOCAL_IPV6, 45 + OVPN_A_PEER_LOCAL_PORT, 46 + OVPN_A_PEER_KEEPALIVE_INTERVAL, 47 + OVPN_A_PEER_KEEPALIVE_TIMEOUT, 48 + OVPN_A_PEER_DEL_REASON, 49 + OVPN_A_PEER_VPN_RX_BYTES, 50 + OVPN_A_PEER_VPN_TX_BYTES, 51 + OVPN_A_PEER_VPN_RX_PACKETS, 52 + OVPN_A_PEER_VPN_TX_PACKETS, 53 + OVPN_A_PEER_LINK_RX_BYTES, 54 + OVPN_A_PEER_LINK_TX_BYTES, 55 + OVPN_A_PEER_LINK_RX_PACKETS, 56 + OVPN_A_PEER_LINK_TX_PACKETS, 57 + 58 + __OVPN_A_PEER_MAX, 59 + OVPN_A_PEER_MAX = (__OVPN_A_PEER_MAX - 1) 60 + }; 61 + 62 + enum { 63 + OVPN_A_KEYCONF_PEER_ID = 1, 64 + OVPN_A_KEYCONF_SLOT, 65 + OVPN_A_KEYCONF_KEY_ID, 66 + OVPN_A_KEYCONF_CIPHER_ALG, 67 + OVPN_A_KEYCONF_ENCRYPT_DIR, 68 + OVPN_A_KEYCONF_DECRYPT_DIR, 69 + 70 + __OVPN_A_KEYCONF_MAX, 71 + OVPN_A_KEYCONF_MAX = (__OVPN_A_KEYCONF_MAX - 1) 72 + }; 73 + 
74 + enum { 75 + OVPN_A_KEYDIR_CIPHER_KEY = 1, 76 + OVPN_A_KEYDIR_NONCE_TAIL, 77 + 78 + __OVPN_A_KEYDIR_MAX, 79 + OVPN_A_KEYDIR_MAX = (__OVPN_A_KEYDIR_MAX - 1) 80 + }; 81 + 82 + enum { 83 + OVPN_A_IFINDEX = 1, 84 + OVPN_A_PEER, 85 + OVPN_A_KEYCONF, 86 + 87 + __OVPN_A_MAX, 88 + OVPN_A_MAX = (__OVPN_A_MAX - 1) 89 + }; 90 + 91 + enum { 92 + OVPN_CMD_PEER_NEW = 1, 93 + OVPN_CMD_PEER_SET, 94 + OVPN_CMD_PEER_GET, 95 + OVPN_CMD_PEER_DEL, 96 + OVPN_CMD_PEER_DEL_NTF, 97 + OVPN_CMD_KEY_NEW, 98 + OVPN_CMD_KEY_GET, 99 + OVPN_CMD_KEY_SWAP, 100 + OVPN_CMD_KEY_SWAP_NTF, 101 + OVPN_CMD_KEY_DEL, 102 + 103 + __OVPN_CMD_MAX, 104 + OVPN_CMD_MAX = (__OVPN_CMD_MAX - 1) 105 + }; 106 + 107 + #define OVPN_MCGRP_PEERS "peers" 108 + 109 + #endif /* _UAPI_LINUX_OVPN_H */
+1
include/uapi/linux/udp.h
··· 43 43 #define UDP_ENCAP_GTP1U 5 /* 3GPP TS 29.060 */ 44 44 #define UDP_ENCAP_RXRPC 6 45 45 #define TCP_ENCAP_ESPINTCP 7 /* Yikes, this is really xfrm encap types. */ 46 + #define UDP_ENCAP_OVPNINUDP 8 /* OpenVPN traffic */ 46 47 47 48 #endif /* _UAPI_LINUX_UDP_H */
+13 -5
net/core/skbuff.c
··· 3227 3227 3228 3228 typedef int (*sendmsg_func)(struct sock *sk, struct msghdr *msg); 3229 3229 static int __skb_send_sock(struct sock *sk, struct sk_buff *skb, int offset, 3230 - int len, sendmsg_func sendmsg) 3230 + int len, sendmsg_func sendmsg, int flags) 3231 3231 { 3232 3232 unsigned int orig_len = len; 3233 3233 struct sk_buff *head = skb; ··· 3245 3245 kv.iov_base = skb->data + offset; 3246 3246 kv.iov_len = slen; 3247 3247 memset(&msg, 0, sizeof(msg)); 3248 - msg.msg_flags = MSG_DONTWAIT; 3248 + msg.msg_flags = MSG_DONTWAIT | flags; 3249 3249 3250 3250 iov_iter_kvec(&msg.msg_iter, ITER_SOURCE, &kv, 1, slen); 3251 3251 ret = INDIRECT_CALL_2(sendmsg, sendmsg_locked, ··· 3282 3282 while (slen) { 3283 3283 struct bio_vec bvec; 3284 3284 struct msghdr msg = { 3285 - .msg_flags = MSG_SPLICE_PAGES | MSG_DONTWAIT, 3285 + .msg_flags = MSG_SPLICE_PAGES | MSG_DONTWAIT | 3286 + flags, 3286 3287 }; 3287 3288 3288 3289 bvec_set_page(&bvec, skb_frag_page(frag), slen, ··· 3329 3328 int skb_send_sock_locked(struct sock *sk, struct sk_buff *skb, int offset, 3330 3329 int len) 3331 3330 { 3332 - return __skb_send_sock(sk, skb, offset, len, sendmsg_locked); 3331 + return __skb_send_sock(sk, skb, offset, len, sendmsg_locked, 0); 3333 3332 } 3334 3333 EXPORT_SYMBOL_GPL(skb_send_sock_locked); 3334 + 3335 + int skb_send_sock_locked_with_flags(struct sock *sk, struct sk_buff *skb, 3336 + int offset, int len, int flags) 3337 + { 3338 + return __skb_send_sock(sk, skb, offset, len, sendmsg_locked, flags); 3339 + } 3340 + EXPORT_SYMBOL_GPL(skb_send_sock_locked_with_flags); 3335 3341 3336 3342 /* Send skb data on a socket. Socket must be unlocked. */ 3337 3343 int skb_send_sock(struct sock *sk, struct sk_buff *skb, int offset, int len) 3338 3344 { 3339 - return __skb_send_sock(sk, skb, offset, len, sendmsg_unlocked); 3345 + return __skb_send_sock(sk, skb, offset, len, sendmsg_unlocked, 0); 3340 3346 } 3341 3347 3342 3348 /**
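Review bot: skb_send_sock_locked_with_flags() is exported without a kernel-doc comment while its neighbours have one; document which flags are valid and that they are OR'ed into msg_flags on both the linear and the page-fragment path with MSG_DONTWAIT always added. Only the locked variant grows a flags parameter and skb_send_sock() keeps passing 0; if that asymmetry is intentional a sentence in the change description would save a follow-up question.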
+1
net/ipv6/af_inet6.c
··· 715 715 #endif 716 716 .set_rcvlowat = tcp_set_rcvlowat, 717 717 }; 718 + EXPORT_SYMBOL_GPL(inet6_stream_ops); 718 719 719 720 const struct proto_ops inet6_dgram_ops = { 720 721 .family = PF_INET6,
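Review bot: exporting inet6_stream_ops needs a justification in the change description; nothing in this hunk shows the consumer, and the only new code in the series that deals with stream sockets is the ovpn TCP transport declared in tcp.h, so say so and mention that the IPv4 counterpart is already exported for the same purpose.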
+1
tools/testing/selftests/Makefile
··· 71 71 TARGETS += net/mptcp 72 72 TARGETS += net/netfilter 73 73 TARGETS += net/openvswitch 74 + TARGETS += net/ovpn 74 75 TARGETS += net/packetdrill 75 76 TARGETS += net/rds 76 77 TARGETS += net/tcp_ao
+2
tools/testing/selftests/net/ovpn/.gitignore
··· 1 + # SPDX-License-Identifier: GPL-2.0+ 2 + ovpn-cli
+31
tools/testing/selftests/net/ovpn/Makefile
··· 1 + # SPDX-License-Identifier: GPL-2.0 2 + # Copyright (C) 2020-2025 OpenVPN, Inc. 3 + # 4 + CFLAGS = -pedantic -Wextra -Wall -Wl,--no-as-needed -g -O0 -ggdb $(KHDR_INCLUDES) 5 + VAR_CFLAGS = $(shell pkg-config --cflags libnl-3.0 libnl-genl-3.0 2>/dev/null) 6 + ifeq ($(VAR_CFLAGS),) 7 + VAR_CFLAGS = -I/usr/include/libnl3 8 + endif 9 + CFLAGS += $(VAR_CFLAGS) 10 + 11 + 12 + LDLIBS = -lmbedtls -lmbedcrypto 13 + VAR_LDLIBS = $(shell pkg-config --libs libnl-3.0 libnl-genl-3.0 2>/dev/null) 14 + ifeq ($(VAR_LDLIBS),) 15 + VAR_LDLIBS = -lnl-genl-3 -lnl-3 16 + endif 17 + LDLIBS += $(VAR_LDLIBS) 18 + 19 + 20 + TEST_FILES = common.sh 21 + 22 + TEST_PROGS = test.sh \ 23 + test-chachapoly.sh \ 24 + test-tcp.sh \ 25 + test-float.sh \ 26 + test-close-socket.sh \ 27 + test-close-socket-tcp.sh 28 + 29 + TEST_GEN_FILES := ovpn-cli 30 + 31 + include ../../lib.mk
+92
tools/testing/selftests/net/ovpn/common.sh
··· 1 + #!/bin/bash 2 + # SPDX-License-Identifier: GPL-2.0 3 + # Copyright (C) 2020-2025 OpenVPN, Inc. 4 + # 5 + # Author: Antonio Quartulli <antonio@openvpn.net> 6 + 7 + UDP_PEERS_FILE=${UDP_PEERS_FILE:-udp_peers.txt} 8 + TCP_PEERS_FILE=${TCP_PEERS_FILE:-tcp_peers.txt} 9 + OVPN_CLI=${OVPN_CLI:-./ovpn-cli} 10 + ALG=${ALG:-aes} 11 + PROTO=${PROTO:-UDP} 12 + FLOAT=${FLOAT:-0} 13 + 14 + create_ns() { 15 + ip netns add peer${1} 16 + } 17 + 18 + setup_ns() { 19 + MODE="P2P" 20 + 21 + if [ ${1} -eq 0 ]; then 22 + MODE="MP" 23 + for p in $(seq 1 ${NUM_PEERS}); do 24 + ip link add veth${p} netns peer0 type veth peer name veth${p} netns peer${p} 25 + 26 + ip -n peer0 addr add 10.10.${p}.1/24 dev veth${p} 27 + ip -n peer0 link set veth${p} up 28 + 29 + ip -n peer${p} addr add 10.10.${p}.2/24 dev veth${p} 30 + ip -n peer${p} link set veth${p} up 31 + done 32 + fi 33 + 34 + ip netns exec peer${1} ${OVPN_CLI} new_iface tun${1} $MODE 35 + ip -n peer${1} addr add ${2} dev tun${1} 36 + ip -n peer${1} link set tun${1} up 37 + } 38 + 39 + add_peer() { 40 + if [ "${PROTO}" == "UDP" ]; then 41 + if [ ${1} -eq 0 ]; then 42 + ip netns exec peer0 ${OVPN_CLI} new_multi_peer tun0 1 ${UDP_PEERS_FILE} 43 + 44 + for p in $(seq 1 ${NUM_PEERS}); do 45 + ip netns exec peer0 ${OVPN_CLI} new_key tun0 ${p} 1 0 ${ALG} 0 \ 46 + data64.key 47 + done 48 + else 49 + ip netns exec peer${1} ${OVPN_CLI} new_peer tun${1} ${1} 1 10.10.${1}.1 1 50 + ip netns exec peer${1} ${OVPN_CLI} new_key tun${1} ${1} 1 0 ${ALG} 1 \ 51 + data64.key 52 + fi 53 + else 54 + if [ ${1} -eq 0 ]; then 55 + (ip netns exec peer0 ${OVPN_CLI} listen tun0 1 ${TCP_PEERS_FILE} && { 56 + for p in $(seq 1 ${NUM_PEERS}); do 57 + ip netns exec peer0 ${OVPN_CLI} new_key tun0 ${p} 1 0 \ 58 + ${ALG} 0 data64.key 59 + done 60 + }) & 61 + sleep 5 62 + else 63 + ip netns exec peer${1} ${OVPN_CLI} connect tun${1} ${1} 10.10.${1}.1 1 \ 64 + data64.key 65 + fi 66 + fi 67 + } 68 + 69 + cleanup() { 70 + # some ovpn-cli processes sleep in background so 
they need manual poking 71 + killall $(basename ${OVPN_CLI}) 2>/dev/null || true 72 + 73 + # netns peer0 is deleted without erasing ifaces first 74 + for p in $(seq 1 10); do 75 + ip -n peer${p} link set tun${p} down 2>/dev/null || true 76 + ip netns exec peer${p} ${OVPN_CLI} del_iface tun${p} 2>/dev/null || true 77 + done 78 + for p in $(seq 1 10); do 79 + ip -n peer0 link del veth${p} 2>/dev/null || true 80 + done 81 + for p in $(seq 0 10); do 82 + ip netns del peer${p} 2>/dev/null || true 83 + done 84 + } 85 + 86 + if [ "${PROTO}" == "UDP" ]; then 87 + NUM_PEERS=${NUM_PEERS:-$(wc -l ${UDP_PEERS_FILE} | awk '{print $1}')} 88 + else 89 + NUM_PEERS=${NUM_PEERS:-$(wc -l ${TCP_PEERS_FILE} | awk '{print $1}')} 90 + fi 91 + 92 +
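Review bot: cleanup() runs `killall $(basename ${OVPN_CLI})`, which terminates every ovpn-cli process on the host rather than only those started by this test, and its loops iterate over a hardcoded 1..10 instead of ${NUM_PEERS}; recording the PIDs of the backgrounded invocations (the listen branch in add_peer() is the one that stays in the background) and killing just those, plus looping to NUM_PEERS, would make the script safe on a shared CI machine. Also, `[ ${1} -eq 0 ]` is unquoted and produces a syntax error when the argument is empty; `[ "${1}" -eq 0 ]` is the usual form. The fixed `sleep 5` after the backgrounded listen is a timing assumption; polling for the listener would be less flaky on slow runners.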
+10
tools/testing/selftests/net/ovpn/config
··· 1 + CONFIG_NET=y 2 + CONFIG_INET=y 3 + CONFIG_STREAM_PARSER=y 4 + CONFIG_NET_UDP_TUNNEL=y 5 + CONFIG_DST_CACHE=y 6 + CONFIG_CRYPTO=y 7 + CONFIG_CRYPTO_AES=y 8 + CONFIG_CRYPTO_GCM=y 9 + CONFIG_CRYPTO_CHACHA20POLY1305=y 10 + CONFIG_OVPN=m
+5
tools/testing/selftests/net/ovpn/data64.key
··· 1 + jRqMACN7d7/aFQNT8S7jkrBD8uwrgHbG5OQZP2eu4R1Y7tfpS2bf5RHv06Vi163CGoaIiTX99R3B 2 + ia9ycAH8Wz1+9PWv51dnBLur9jbShlgZ2QHLtUc4a/gfT7zZwULXuuxdLnvR21DDeMBaTbkgbai9 3 + uvAa7ne1liIgGFzbv+Bas4HDVrygxIxuAnP5Qgc3648IJkZ0QEXPF+O9f0n5+QIvGCxkAUVx+5K6 4 + KIs+SoeWXnAopELmoGSjUpFtJbagXK82HfdqpuUxT2Tnuef0/14SzVE/vNleBNu2ZbyrSAaah8tE 5 + BofkPJUBFY+YQcfZNM5Dgrw3i+Bpmpq/gpdg5w==
+2376
tools/testing/selftests/net/ovpn/ovpn-cli.c
··· 1 + // SPDX-License-Identifier: GPL-2.0 2 + /* OpenVPN data channel accelerator 3 + * 4 + * Copyright (C) 2020-2025 OpenVPN, Inc. 5 + * 6 + * Author: Antonio Quartulli <antonio@openvpn.net> 7 + */ 8 + 9 + #include <stdio.h> 10 + #include <inttypes.h> 11 + #include <stdbool.h> 12 + #include <string.h> 13 + #include <errno.h> 14 + #include <unistd.h> 15 + #include <arpa/inet.h> 16 + #include <net/if.h> 17 + #include <netinet/in.h> 18 + #include <time.h> 19 + 20 + #include <linux/ovpn.h> 21 + #include <linux/types.h> 22 + #include <linux/netlink.h> 23 + 24 + #include <netlink/socket.h> 25 + #include <netlink/netlink.h> 26 + #include <netlink/genl/genl.h> 27 + #include <netlink/genl/family.h> 28 + #include <netlink/genl/ctrl.h> 29 + 30 + #include <mbedtls/base64.h> 31 + #include <mbedtls/error.h> 32 + 33 + #include <sys/socket.h> 34 + 35 + /* defines to make checkpatch happy */ 36 + #define strscpy strncpy 37 + #define __always_unused __attribute__((__unused__)) 38 + 39 + /* libnl < 3.5.0 does not set the NLA_F_NESTED on its own, therefore we 40 + * have to explicitly do it to prevent the kernel from failing upon 41 + * parsing of the message 42 + */ 43 + #define nla_nest_start(_msg, _type) \ 44 + nla_nest_start(_msg, (_type) | NLA_F_NESTED) 45 + 46 + /* libnl < 3.11.0 does not implement nla_get_uint() */ 47 + uint64_t ovpn_nla_get_uint(struct nlattr *attr) 48 + { 49 + if (nla_len(attr) == sizeof(uint32_t)) 50 + return nla_get_u32(attr); 51 + else 52 + return nla_get_u64(attr); 53 + } 54 + 55 + typedef int (*ovpn_nl_cb)(struct nl_msg *msg, void *arg); 56 + 57 + enum ovpn_key_direction { 58 + KEY_DIR_IN = 0, 59 + KEY_DIR_OUT, 60 + }; 61 + 62 + #define KEY_LEN (256 / 8) 63 + #define NONCE_LEN 8 64 + 65 + #define PEER_ID_UNDEF 0x00FFFFFF 66 + #define MAX_PEERS 10 67 + 68 + struct nl_ctx { 69 + struct nl_sock *nl_sock; 70 + struct nl_msg *nl_msg; 71 + struct nl_cb *nl_cb; 72 + 73 + int ovpn_dco_id; 74 + }; 75 + 76 + enum ovpn_cmd { 77 + CMD_INVALID, 78 + CMD_NEW_IFACE, 
79 + CMD_DEL_IFACE, 80 + CMD_LISTEN, 81 + CMD_CONNECT, 82 + CMD_NEW_PEER, 83 + CMD_NEW_MULTI_PEER, 84 + CMD_SET_PEER, 85 + CMD_DEL_PEER, 86 + CMD_GET_PEER, 87 + CMD_NEW_KEY, 88 + CMD_DEL_KEY, 89 + CMD_GET_KEY, 90 + CMD_SWAP_KEYS, 91 + CMD_LISTEN_MCAST, 92 + }; 93 + 94 + struct ovpn_ctx { 95 + enum ovpn_cmd cmd; 96 + 97 + __u8 key_enc[KEY_LEN]; 98 + __u8 key_dec[KEY_LEN]; 99 + __u8 nonce[NONCE_LEN]; 100 + 101 + enum ovpn_cipher_alg cipher; 102 + 103 + sa_family_t sa_family; 104 + 105 + unsigned long peer_id; 106 + unsigned long lport; 107 + 108 + union { 109 + struct sockaddr_in in4; 110 + struct sockaddr_in6 in6; 111 + } remote; 112 + 113 + union { 114 + struct sockaddr_in in4; 115 + struct sockaddr_in6 in6; 116 + } peer_ip; 117 + 118 + bool peer_ip_set; 119 + 120 + unsigned int ifindex; 121 + char ifname[IFNAMSIZ]; 122 + enum ovpn_mode mode; 123 + bool mode_set; 124 + 125 + int socket; 126 + int cli_sockets[MAX_PEERS]; 127 + 128 + __u32 keepalive_interval; 129 + __u32 keepalive_timeout; 130 + 131 + enum ovpn_key_direction key_dir; 132 + enum ovpn_key_slot key_slot; 133 + int key_id; 134 + 135 + const char *peers_file; 136 + }; 137 + 138 + static int ovpn_nl_recvmsgs(struct nl_ctx *ctx) 139 + { 140 + int ret; 141 + 142 + ret = nl_recvmsgs(ctx->nl_sock, ctx->nl_cb); 143 + 144 + switch (ret) { 145 + case -NLE_INTR: 146 + fprintf(stderr, 147 + "netlink received interrupt due to signal - ignoring\n"); 148 + break; 149 + case -NLE_NOMEM: 150 + fprintf(stderr, "netlink out of memory error\n"); 151 + break; 152 + case -NLE_AGAIN: 153 + fprintf(stderr, 154 + "netlink reports blocking read - aborting wait\n"); 155 + break; 156 + default: 157 + if (ret) 158 + fprintf(stderr, "netlink reports error (%d): %s\n", 159 + ret, nl_geterror(-ret)); 160 + break; 161 + } 162 + 163 + return ret; 164 + } 165 + 166 + static struct nl_ctx *nl_ctx_alloc_flags(struct ovpn_ctx *ovpn, int cmd, 167 + int flags) 168 + { 169 + struct nl_ctx *ctx; 170 + int err, ret; 171 + 172 + ctx = calloc(1, 
sizeof(*ctx)); 173 + if (!ctx) 174 + return NULL; 175 + 176 + ctx->nl_sock = nl_socket_alloc(); 177 + if (!ctx->nl_sock) { 178 + fprintf(stderr, "cannot allocate netlink socket\n"); 179 + goto err_free; 180 + } 181 + 182 + nl_socket_set_buffer_size(ctx->nl_sock, 8192, 8192); 183 + 184 + ret = genl_connect(ctx->nl_sock); 185 + if (ret) { 186 + fprintf(stderr, "cannot connect to generic netlink: %s\n", 187 + nl_geterror(ret)); 188 + goto err_sock; 189 + } 190 + 191 + /* enable Extended ACK for detailed error reporting */ 192 + err = 1; 193 + setsockopt(nl_socket_get_fd(ctx->nl_sock), SOL_NETLINK, NETLINK_EXT_ACK, 194 + &err, sizeof(err)); 195 + 196 + ctx->ovpn_dco_id = genl_ctrl_resolve(ctx->nl_sock, OVPN_FAMILY_NAME); 197 + if (ctx->ovpn_dco_id < 0) { 198 + fprintf(stderr, "cannot find ovpn_dco netlink component: %d\n", 199 + ctx->ovpn_dco_id); 200 + goto err_free; 201 + } 202 + 203 + ctx->nl_msg = nlmsg_alloc(); 204 + if (!ctx->nl_msg) { 205 + fprintf(stderr, "cannot allocate netlink message\n"); 206 + goto err_sock; 207 + } 208 + 209 + ctx->nl_cb = nl_cb_alloc(NL_CB_DEFAULT); 210 + if (!ctx->nl_cb) { 211 + fprintf(stderr, "failed to allocate netlink callback\n"); 212 + goto err_msg; 213 + } 214 + 215 + nl_socket_set_cb(ctx->nl_sock, ctx->nl_cb); 216 + 217 + genlmsg_put(ctx->nl_msg, 0, 0, ctx->ovpn_dco_id, 0, flags, cmd, 0); 218 + 219 + if (ovpn->ifindex > 0) 220 + NLA_PUT_U32(ctx->nl_msg, OVPN_A_IFINDEX, ovpn->ifindex); 221 + 222 + return ctx; 223 + nla_put_failure: 224 + err_msg: 225 + nlmsg_free(ctx->nl_msg); 226 + err_sock: 227 + nl_socket_free(ctx->nl_sock); 228 + err_free: 229 + free(ctx); 230 + return NULL; 231 + } 232 + 233 + static struct nl_ctx *nl_ctx_alloc(struct ovpn_ctx *ovpn, int cmd) 234 + { 235 + return nl_ctx_alloc_flags(ovpn, cmd, 0); 236 + } 237 + 238 + static void nl_ctx_free(struct nl_ctx *ctx) 239 + { 240 + if (!ctx) 241 + return; 242 + 243 + nl_socket_free(ctx->nl_sock); 244 + nlmsg_free(ctx->nl_msg); 245 + nl_cb_put(ctx->nl_cb); 246 + 
free(ctx); 247 + } 248 + 249 + static int ovpn_nl_cb_error(struct sockaddr_nl (*nla)__always_unused, 250 + struct nlmsgerr *err, void *arg) 251 + { 252 + struct nlmsghdr *nlh = (struct nlmsghdr *)err - 1; 253 + struct nlattr *tb_msg[NLMSGERR_ATTR_MAX + 1]; 254 + int len = nlh->nlmsg_len; 255 + struct nlattr *attrs; 256 + int *ret = arg; 257 + int ack_len = sizeof(*nlh) + sizeof(int) + sizeof(*nlh); 258 + 259 + *ret = err->error; 260 + 261 + if (!(nlh->nlmsg_flags & NLM_F_ACK_TLVS)) 262 + return NL_STOP; 263 + 264 + if (!(nlh->nlmsg_flags & NLM_F_CAPPED)) 265 + ack_len += err->msg.nlmsg_len - sizeof(*nlh); 266 + 267 + if (len <= ack_len) 268 + return NL_STOP; 269 + 270 + attrs = (void *)((uint8_t *)nlh + ack_len); 271 + len -= ack_len; 272 + 273 + nla_parse(tb_msg, NLMSGERR_ATTR_MAX, attrs, len, NULL); 274 + if (tb_msg[NLMSGERR_ATTR_MSG]) { 275 + len = strnlen((char *)nla_data(tb_msg[NLMSGERR_ATTR_MSG]), 276 + nla_len(tb_msg[NLMSGERR_ATTR_MSG])); 277 + fprintf(stderr, "kernel error: %*s\n", len, 278 + (char *)nla_data(tb_msg[NLMSGERR_ATTR_MSG])); 279 + } 280 + 281 + if (tb_msg[NLMSGERR_ATTR_MISS_NEST]) { 282 + fprintf(stderr, "missing required nesting type %u\n", 283 + nla_get_u32(tb_msg[NLMSGERR_ATTR_MISS_NEST])); 284 + } 285 + 286 + if (tb_msg[NLMSGERR_ATTR_MISS_TYPE]) { 287 + fprintf(stderr, "missing required attribute type %u\n", 288 + nla_get_u32(tb_msg[NLMSGERR_ATTR_MISS_TYPE])); 289 + } 290 + 291 + return NL_STOP; 292 + } 293 + 294 + static int ovpn_nl_cb_finish(struct nl_msg (*msg)__always_unused, 295 + void *arg) 296 + { 297 + int *status = arg; 298 + 299 + *status = 0; 300 + return NL_SKIP; 301 + } 302 + 303 + static int ovpn_nl_cb_ack(struct nl_msg (*msg)__always_unused, 304 + void *arg) 305 + { 306 + int *status = arg; 307 + 308 + *status = 0; 309 + return NL_STOP; 310 + } 311 + 312 + static int ovpn_nl_msg_send(struct nl_ctx *ctx, ovpn_nl_cb cb) 313 + { 314 + int status = 1; 315 + 316 + nl_cb_err(ctx->nl_cb, NL_CB_CUSTOM, ovpn_nl_cb_error, &status); 317 
+ nl_cb_set(ctx->nl_cb, NL_CB_FINISH, NL_CB_CUSTOM, ovpn_nl_cb_finish, 318 + &status); 319 + nl_cb_set(ctx->nl_cb, NL_CB_ACK, NL_CB_CUSTOM, ovpn_nl_cb_ack, &status); 320 + 321 + if (cb) 322 + nl_cb_set(ctx->nl_cb, NL_CB_VALID, NL_CB_CUSTOM, cb, ctx); 323 + 324 + nl_send_auto_complete(ctx->nl_sock, ctx->nl_msg); 325 + 326 + while (status == 1) 327 + ovpn_nl_recvmsgs(ctx); 328 + 329 + if (status < 0) 330 + fprintf(stderr, "failed to send netlink message: %s (%d)\n", 331 + strerror(-status), status); 332 + 333 + return status; 334 + } 335 + 336 + static int ovpn_parse_key(const char *file, struct ovpn_ctx *ctx) 337 + { 338 + int idx_enc, idx_dec, ret = -1; 339 + unsigned char *ckey = NULL; 340 + __u8 *bkey = NULL; 341 + size_t olen = 0; 342 + long ckey_len; 343 + FILE *fp; 344 + 345 + fp = fopen(file, "r"); 346 + if (!fp) { 347 + fprintf(stderr, "cannot open: %s\n", file); 348 + return -1; 349 + } 350 + 351 + /* get file size */ 352 + fseek(fp, 0L, SEEK_END); 353 + ckey_len = ftell(fp); 354 + rewind(fp); 355 + 356 + /* if the file is longer, let's just read a portion */ 357 + if (ckey_len > 256) 358 + ckey_len = 256; 359 + 360 + ckey = malloc(ckey_len); 361 + if (!ckey) 362 + goto err; 363 + 364 + ret = fread(ckey, 1, ckey_len, fp); 365 + if (ret != ckey_len) { 366 + fprintf(stderr, 367 + "couldn't read enough data from key file: %dbytes read\n", 368 + ret); 369 + goto err; 370 + } 371 + 372 + olen = 0; 373 + ret = mbedtls_base64_decode(NULL, 0, &olen, ckey, ckey_len); 374 + if (ret != MBEDTLS_ERR_BASE64_BUFFER_TOO_SMALL) { 375 + char buf[256]; 376 + 377 + mbedtls_strerror(ret, buf, sizeof(buf)); 378 + fprintf(stderr, "unexpected base64 error1: %s (%d)\n", buf, 379 + ret); 380 + 381 + goto err; 382 + } 383 + 384 + bkey = malloc(olen); 385 + if (!bkey) { 386 + fprintf(stderr, "cannot allocate binary key buffer\n"); 387 + goto err; 388 + } 389 + 390 + ret = mbedtls_base64_decode(bkey, olen, &olen, ckey, ckey_len); 391 + if (ret) { 392 + char buf[256]; 393 + 394 + 
mbedtls_strerror(ret, buf, sizeof(buf)); 395 + fprintf(stderr, "unexpected base64 error2: %s (%d)\n", buf, 396 + ret); 397 + 398 + goto err; 399 + } 400 + 401 + if (olen < 2 * KEY_LEN + NONCE_LEN) { 402 + fprintf(stderr, 403 + "not enough data in key file, found %zdB but needs %dB\n", 404 + olen, 2 * KEY_LEN + NONCE_LEN); 405 + goto err; 406 + } 407 + 408 + switch (ctx->key_dir) { 409 + case KEY_DIR_IN: 410 + idx_enc = 0; 411 + idx_dec = 1; 412 + break; 413 + case KEY_DIR_OUT: 414 + idx_enc = 1; 415 + idx_dec = 0; 416 + break; 417 + default: 418 + goto err; 419 + } 420 + 421 + memcpy(ctx->key_enc, bkey + KEY_LEN * idx_enc, KEY_LEN); 422 + memcpy(ctx->key_dec, bkey + KEY_LEN * idx_dec, KEY_LEN); 423 + memcpy(ctx->nonce, bkey + 2 * KEY_LEN, NONCE_LEN); 424 + 425 + ret = 0; 426 + 427 + err: 428 + fclose(fp); 429 + free(bkey); 430 + free(ckey); 431 + 432 + return ret; 433 + } 434 + 435 + static int ovpn_parse_cipher(const char *cipher, struct ovpn_ctx *ctx) 436 + { 437 + if (strcmp(cipher, "aes") == 0) 438 + ctx->cipher = OVPN_CIPHER_ALG_AES_GCM; 439 + else if (strcmp(cipher, "chachapoly") == 0) 440 + ctx->cipher = OVPN_CIPHER_ALG_CHACHA20_POLY1305; 441 + else if (strcmp(cipher, "none") == 0) 442 + ctx->cipher = OVPN_CIPHER_ALG_NONE; 443 + else 444 + return -ENOTSUP; 445 + 446 + return 0; 447 + } 448 + 449 + static int ovpn_parse_key_direction(const char *dir, struct ovpn_ctx *ctx) 450 + { 451 + int in_dir; 452 + 453 + in_dir = strtoll(dir, NULL, 10); 454 + switch (in_dir) { 455 + case KEY_DIR_IN: 456 + case KEY_DIR_OUT: 457 + ctx->key_dir = in_dir; 458 + break; 459 + default: 460 + fprintf(stderr, 461 + "invalid key direction provided. 
Can be 0 or 1 only\n"); 462 + return -1; 463 + } 464 + 465 + return 0; 466 + } 467 + 468 + static int ovpn_socket(struct ovpn_ctx *ctx, sa_family_t family, int proto) 469 + { 470 + struct sockaddr_storage local_sock = { 0 }; 471 + struct sockaddr_in6 *in6; 472 + struct sockaddr_in *in; 473 + int ret, s, sock_type; 474 + size_t sock_len; 475 + 476 + if (proto == IPPROTO_UDP) 477 + sock_type = SOCK_DGRAM; 478 + else if (proto == IPPROTO_TCP) 479 + sock_type = SOCK_STREAM; 480 + else 481 + return -EINVAL; 482 + 483 + s = socket(family, sock_type, 0); 484 + if (s < 0) { 485 + perror("cannot create socket"); 486 + return -1; 487 + } 488 + 489 + switch (family) { 490 + case AF_INET: 491 + in = (struct sockaddr_in *)&local_sock; 492 + in->sin_family = family; 493 + in->sin_port = htons(ctx->lport); 494 + in->sin_addr.s_addr = htonl(INADDR_ANY); 495 + sock_len = sizeof(*in); 496 + break; 497 + case AF_INET6: 498 + in6 = (struct sockaddr_in6 *)&local_sock; 499 + in6->sin6_family = family; 500 + in6->sin6_port = htons(ctx->lport); 501 + in6->sin6_addr = in6addr_any; 502 + sock_len = sizeof(*in6); 503 + break; 504 + default: 505 + return -1; 506 + } 507 + 508 + int opt = 1; 509 + 510 + ret = setsockopt(s, SOL_SOCKET, SO_REUSEADDR, &opt, sizeof(opt)); 511 + 512 + if (ret < 0) { 513 + perror("setsockopt for SO_REUSEADDR"); 514 + return ret; 515 + } 516 + 517 + ret = setsockopt(s, SOL_SOCKET, SO_REUSEPORT, &opt, sizeof(opt)); 518 + if (ret < 0) { 519 + perror("setsockopt for SO_REUSEPORT"); 520 + return ret; 521 + } 522 + 523 + if (family == AF_INET6) { 524 + opt = 0; 525 + if (setsockopt(s, IPPROTO_IPV6, IPV6_V6ONLY, &opt, 526 + sizeof(opt))) { 527 + perror("failed to set IPV6_V6ONLY"); 528 + return -1; 529 + } 530 + } 531 + 532 + ret = bind(s, (struct sockaddr *)&local_sock, sock_len); 533 + if (ret < 0) { 534 + perror("cannot bind socket"); 535 + goto err_socket; 536 + } 537 + 538 + ctx->socket = s; 539 + ctx->sa_family = family; 540 + return 0; 541 + 542 + err_socket: 543 + 
close(s); 544 + return -1; 545 + } 546 + 547 + static int ovpn_udp_socket(struct ovpn_ctx *ctx, sa_family_t family) 548 + { 549 + return ovpn_socket(ctx, family, IPPROTO_UDP); 550 + } 551 + 552 + static int ovpn_listen(struct ovpn_ctx *ctx, sa_family_t family) 553 + { 554 + int ret; 555 + 556 + ret = ovpn_socket(ctx, family, IPPROTO_TCP); 557 + if (ret < 0) 558 + return ret; 559 + 560 + ret = listen(ctx->socket, 10); 561 + if (ret < 0) { 562 + perror("listen"); 563 + close(ctx->socket); 564 + return -1; 565 + } 566 + 567 + return 0; 568 + } 569 + 570 + static int ovpn_accept(struct ovpn_ctx *ctx) 571 + { 572 + socklen_t socklen; 573 + int ret; 574 + 575 + socklen = sizeof(ctx->remote); 576 + ret = accept(ctx->socket, (struct sockaddr *)&ctx->remote, &socklen); 577 + if (ret < 0) { 578 + perror("accept"); 579 + goto err; 580 + } 581 + 582 + fprintf(stderr, "Connection received!\n"); 583 + 584 + switch (socklen) { 585 + case sizeof(struct sockaddr_in): 586 + case sizeof(struct sockaddr_in6): 587 + break; 588 + default: 589 + fprintf(stderr, "error: expecting IPv4 or IPv6 connection\n"); 590 + close(ret); 591 + ret = -EINVAL; 592 + goto err; 593 + } 594 + 595 + return ret; 596 + err: 597 + close(ctx->socket); 598 + return ret; 599 + } 600 + 601 + static int ovpn_connect(struct ovpn_ctx *ovpn) 602 + { 603 + socklen_t socklen; 604 + int s, ret; 605 + 606 + s = socket(ovpn->remote.in4.sin_family, SOCK_STREAM, 0); 607 + if (s < 0) { 608 + perror("cannot create socket"); 609 + return -1; 610 + } 611 + 612 + switch (ovpn->remote.in4.sin_family) { 613 + case AF_INET: 614 + socklen = sizeof(struct sockaddr_in); 615 + break; 616 + case AF_INET6: 617 + socklen = sizeof(struct sockaddr_in6); 618 + break; 619 + default: 620 + return -EOPNOTSUPP; 621 + } 622 + 623 + ret = connect(s, (struct sockaddr *)&ovpn->remote, socklen); 624 + if (ret < 0) { 625 + perror("connect"); 626 + goto err; 627 + } 628 + 629 + fprintf(stderr, "connected\n"); 630 + 631 + ovpn->socket = s; 632 + 633 + 
return 0; 634 + err: 635 + close(s); 636 + return ret; 637 + } 638 + 639 + static int ovpn_new_peer(struct ovpn_ctx *ovpn, bool is_tcp) 640 + { 641 + struct nlattr *attr; 642 + struct nl_ctx *ctx; 643 + int ret = -1; 644 + 645 + ctx = nl_ctx_alloc(ovpn, OVPN_CMD_PEER_NEW); 646 + if (!ctx) 647 + return -ENOMEM; 648 + 649 + attr = nla_nest_start(ctx->nl_msg, OVPN_A_PEER); 650 + NLA_PUT_U32(ctx->nl_msg, OVPN_A_PEER_ID, ovpn->peer_id); 651 + NLA_PUT_U32(ctx->nl_msg, OVPN_A_PEER_SOCKET, ovpn->socket); 652 + 653 + if (!is_tcp) { 654 + switch (ovpn->remote.in4.sin_family) { 655 + case AF_INET: 656 + NLA_PUT_U32(ctx->nl_msg, OVPN_A_PEER_REMOTE_IPV4, 657 + ovpn->remote.in4.sin_addr.s_addr); 658 + NLA_PUT_U16(ctx->nl_msg, OVPN_A_PEER_REMOTE_PORT, 659 + ovpn->remote.in4.sin_port); 660 + break; 661 + case AF_INET6: 662 + NLA_PUT(ctx->nl_msg, OVPN_A_PEER_REMOTE_IPV6, 663 + sizeof(ovpn->remote.in6.sin6_addr), 664 + &ovpn->remote.in6.sin6_addr); 665 + NLA_PUT_U32(ctx->nl_msg, 666 + OVPN_A_PEER_REMOTE_IPV6_SCOPE_ID, 667 + ovpn->remote.in6.sin6_scope_id); 668 + NLA_PUT_U16(ctx->nl_msg, OVPN_A_PEER_REMOTE_PORT, 669 + ovpn->remote.in6.sin6_port); 670 + break; 671 + default: 672 + fprintf(stderr, 673 + "Invalid family for remote socket address\n"); 674 + goto nla_put_failure; 675 + } 676 + } 677 + 678 + if (ovpn->peer_ip_set) { 679 + switch (ovpn->peer_ip.in4.sin_family) { 680 + case AF_INET: 681 + NLA_PUT_U32(ctx->nl_msg, OVPN_A_PEER_VPN_IPV4, 682 + ovpn->peer_ip.in4.sin_addr.s_addr); 683 + break; 684 + case AF_INET6: 685 + NLA_PUT(ctx->nl_msg, OVPN_A_PEER_VPN_IPV6, 686 + sizeof(struct in6_addr), 687 + &ovpn->peer_ip.in6.sin6_addr); 688 + break; 689 + default: 690 + fprintf(stderr, "Invalid family for peer address\n"); 691 + goto nla_put_failure; 692 + } 693 + } 694 + 695 + nla_nest_end(ctx->nl_msg, attr); 696 + 697 + ret = ovpn_nl_msg_send(ctx, NULL); 698 + nla_put_failure: 699 + nl_ctx_free(ctx); 700 + return ret; 701 + } 702 + 703 + static int ovpn_set_peer(struct ovpn_ctx *ovpn) 
704 + { 705 + struct nlattr *attr; 706 + struct nl_ctx *ctx; 707 + int ret = -1; 708 + 709 + ctx = nl_ctx_alloc(ovpn, OVPN_CMD_PEER_SET); 710 + if (!ctx) 711 + return -ENOMEM; 712 + 713 + attr = nla_nest_start(ctx->nl_msg, OVPN_A_PEER); 714 + NLA_PUT_U32(ctx->nl_msg, OVPN_A_PEER_ID, ovpn->peer_id); 715 + NLA_PUT_U32(ctx->nl_msg, OVPN_A_PEER_KEEPALIVE_INTERVAL, 716 + ovpn->keepalive_interval); 717 + NLA_PUT_U32(ctx->nl_msg, OVPN_A_PEER_KEEPALIVE_TIMEOUT, 718 + ovpn->keepalive_timeout); 719 + nla_nest_end(ctx->nl_msg, attr); 720 + 721 + ret = ovpn_nl_msg_send(ctx, NULL); 722 + nla_put_failure: 723 + nl_ctx_free(ctx); 724 + return ret; 725 + } 726 + 727 + static int ovpn_del_peer(struct ovpn_ctx *ovpn) 728 + { 729 + struct nlattr *attr; 730 + struct nl_ctx *ctx; 731 + int ret = -1; 732 + 733 + ctx = nl_ctx_alloc(ovpn, OVPN_CMD_PEER_DEL); 734 + if (!ctx) 735 + return -ENOMEM; 736 + 737 + attr = nla_nest_start(ctx->nl_msg, OVPN_A_PEER); 738 + NLA_PUT_U32(ctx->nl_msg, OVPN_A_PEER_ID, ovpn->peer_id); 739 + nla_nest_end(ctx->nl_msg, attr); 740 + 741 + ret = ovpn_nl_msg_send(ctx, NULL); 742 + nla_put_failure: 743 + nl_ctx_free(ctx); 744 + return ret; 745 + } 746 + 747 + static int ovpn_handle_peer(struct nl_msg *msg, void (*arg)__always_unused) 748 + { 749 + struct nlattr *pattrs[OVPN_A_PEER_MAX + 1]; 750 + struct genlmsghdr *gnlh = nlmsg_data(nlmsg_hdr(msg)); 751 + struct nlattr *attrs[OVPN_A_MAX + 1]; 752 + __u16 rport = 0, lport = 0; 753 + 754 + nla_parse(attrs, OVPN_A_MAX, genlmsg_attrdata(gnlh, 0), 755 + genlmsg_attrlen(gnlh, 0), NULL); 756 + 757 + if (!attrs[OVPN_A_PEER]) { 758 + fprintf(stderr, "no packet content in netlink message\n"); 759 + return NL_SKIP; 760 + } 761 + 762 + nla_parse(pattrs, OVPN_A_PEER_MAX, nla_data(attrs[OVPN_A_PEER]), 763 + nla_len(attrs[OVPN_A_PEER]), NULL); 764 + 765 + if (pattrs[OVPN_A_PEER_ID]) 766 + fprintf(stderr, "* Peer %u\n", 767 + nla_get_u32(pattrs[OVPN_A_PEER_ID])); 768 + 769 + if (pattrs[OVPN_A_PEER_SOCKET_NETNSID]) 770 + 
fprintf(stderr, "\tsocket NetNS ID: %d\n", 771 + nla_get_s32(pattrs[OVPN_A_PEER_SOCKET_NETNSID])); 772 + 773 + if (pattrs[OVPN_A_PEER_VPN_IPV4]) { 774 + char buf[INET_ADDRSTRLEN]; 775 + 776 + inet_ntop(AF_INET, nla_data(pattrs[OVPN_A_PEER_VPN_IPV4]), 777 + buf, sizeof(buf)); 778 + fprintf(stderr, "\tVPN IPv4: %s\n", buf); 779 + } 780 + 781 + if (pattrs[OVPN_A_PEER_VPN_IPV6]) { 782 + char buf[INET6_ADDRSTRLEN]; 783 + 784 + inet_ntop(AF_INET6, nla_data(pattrs[OVPN_A_PEER_VPN_IPV6]), 785 + buf, sizeof(buf)); 786 + fprintf(stderr, "\tVPN IPv6: %s\n", buf); 787 + } 788 + 789 + if (pattrs[OVPN_A_PEER_LOCAL_PORT]) 790 + lport = ntohs(nla_get_u16(pattrs[OVPN_A_PEER_LOCAL_PORT])); 791 + 792 + if (pattrs[OVPN_A_PEER_REMOTE_PORT]) 793 + rport = ntohs(nla_get_u16(pattrs[OVPN_A_PEER_REMOTE_PORT])); 794 + 795 + if (pattrs[OVPN_A_PEER_REMOTE_IPV6]) { 796 + void *ip = pattrs[OVPN_A_PEER_REMOTE_IPV6]; 797 + char buf[INET6_ADDRSTRLEN]; 798 + int scope_id = -1; 799 + 800 + if (pattrs[OVPN_A_PEER_REMOTE_IPV6_SCOPE_ID]) { 801 + void *p = pattrs[OVPN_A_PEER_REMOTE_IPV6_SCOPE_ID]; 802 + 803 + scope_id = nla_get_u32(p); 804 + } 805 + 806 + inet_ntop(AF_INET6, nla_data(ip), buf, sizeof(buf)); 807 + fprintf(stderr, "\tRemote: %s:%hu (scope-id: %u)\n", buf, rport, 808 + scope_id); 809 + 810 + if (pattrs[OVPN_A_PEER_LOCAL_IPV6]) { 811 + void *ip = pattrs[OVPN_A_PEER_LOCAL_IPV6]; 812 + 813 + inet_ntop(AF_INET6, nla_data(ip), buf, sizeof(buf)); 814 + fprintf(stderr, "\tLocal: %s:%hu\n", buf, lport); 815 + } 816 + } 817 + 818 + if (pattrs[OVPN_A_PEER_REMOTE_IPV4]) { 819 + void *ip = pattrs[OVPN_A_PEER_REMOTE_IPV4]; 820 + char buf[INET_ADDRSTRLEN]; 821 + 822 + inet_ntop(AF_INET, nla_data(ip), buf, sizeof(buf)); 823 + fprintf(stderr, "\tRemote: %s:%hu\n", buf, rport); 824 + 825 + if (pattrs[OVPN_A_PEER_LOCAL_IPV4]) { 826 + void *p = pattrs[OVPN_A_PEER_LOCAL_IPV4]; 827 + 828 + inet_ntop(AF_INET, nla_data(p), buf, sizeof(buf)); 829 + fprintf(stderr, "\tLocal: %s:%hu\n", buf, lport); 830 + } 831 + } 
832 + 833 + if (pattrs[OVPN_A_PEER_KEEPALIVE_INTERVAL]) { 834 + void *p = pattrs[OVPN_A_PEER_KEEPALIVE_INTERVAL]; 835 + 836 + fprintf(stderr, "\tKeepalive interval: %u sec\n", 837 + nla_get_u32(p)); 838 + } 839 + 840 + if (pattrs[OVPN_A_PEER_KEEPALIVE_TIMEOUT]) 841 + fprintf(stderr, "\tKeepalive timeout: %u sec\n", 842 + nla_get_u32(pattrs[OVPN_A_PEER_KEEPALIVE_TIMEOUT])); 843 + 844 + if (pattrs[OVPN_A_PEER_VPN_RX_BYTES]) 845 + fprintf(stderr, "\tVPN RX bytes: %" PRIu64 "\n", 846 + ovpn_nla_get_uint(pattrs[OVPN_A_PEER_VPN_RX_BYTES])); 847 + 848 + if (pattrs[OVPN_A_PEER_VPN_TX_BYTES]) 849 + fprintf(stderr, "\tVPN TX bytes: %" PRIu64 "\n", 850 + ovpn_nla_get_uint(pattrs[OVPN_A_PEER_VPN_TX_BYTES])); 851 + 852 + if (pattrs[OVPN_A_PEER_VPN_RX_PACKETS]) 853 + fprintf(stderr, "\tVPN RX packets: %" PRIu64 "\n", 854 + ovpn_nla_get_uint(pattrs[OVPN_A_PEER_VPN_RX_PACKETS])); 855 + 856 + if (pattrs[OVPN_A_PEER_VPN_TX_PACKETS]) 857 + fprintf(stderr, "\tVPN TX packets: %" PRIu64 "\n", 858 + ovpn_nla_get_uint(pattrs[OVPN_A_PEER_VPN_TX_PACKETS])); 859 + 860 + if (pattrs[OVPN_A_PEER_LINK_RX_BYTES]) 861 + fprintf(stderr, "\tLINK RX bytes: %" PRIu64 "\n", 862 + ovpn_nla_get_uint(pattrs[OVPN_A_PEER_LINK_RX_BYTES])); 863 + 864 + if (pattrs[OVPN_A_PEER_LINK_TX_BYTES]) 865 + fprintf(stderr, "\tLINK TX bytes: %" PRIu64 "\n", 866 + ovpn_nla_get_uint(pattrs[OVPN_A_PEER_LINK_TX_BYTES])); 867 + 868 + if (pattrs[OVPN_A_PEER_LINK_RX_PACKETS]) 869 + fprintf(stderr, "\tLINK RX packets: %" PRIu64 "\n", 870 + ovpn_nla_get_uint(pattrs[OVPN_A_PEER_LINK_RX_PACKETS])); 871 + 872 + if (pattrs[OVPN_A_PEER_LINK_TX_PACKETS]) 873 + fprintf(stderr, "\tLINK TX packets: %" PRIu64 "\n", 874 + ovpn_nla_get_uint(pattrs[OVPN_A_PEER_LINK_TX_PACKETS])); 875 + 876 + return NL_SKIP; 877 + } 878 + 879 + static int ovpn_get_peer(struct ovpn_ctx *ovpn) 880 + { 881 + int flags = 0, ret = -1; 882 + struct nlattr *attr; 883 + struct nl_ctx *ctx; 884 + 885 + if (ovpn->peer_id == PEER_ID_UNDEF) 886 + flags = NLM_F_DUMP; 887 + 
888 + ctx = nl_ctx_alloc_flags(ovpn, OVPN_CMD_PEER_GET, flags); 889 + if (!ctx) 890 + return -ENOMEM; 891 + 892 + if (ovpn->peer_id != PEER_ID_UNDEF) { 893 + attr = nla_nest_start(ctx->nl_msg, OVPN_A_PEER); 894 + NLA_PUT_U32(ctx->nl_msg, OVPN_A_PEER_ID, ovpn->peer_id); 895 + nla_nest_end(ctx->nl_msg, attr); 896 + } 897 + 898 + ret = ovpn_nl_msg_send(ctx, ovpn_handle_peer); 899 + nla_put_failure: 900 + nl_ctx_free(ctx); 901 + return ret; 902 + } 903 + 904 + static int ovpn_new_key(struct ovpn_ctx *ovpn) 905 + { 906 + struct nlattr *keyconf, *key_dir; 907 + struct nl_ctx *ctx; 908 + int ret = -1; 909 + 910 + ctx = nl_ctx_alloc(ovpn, OVPN_CMD_KEY_NEW); 911 + if (!ctx) 912 + return -ENOMEM; 913 + 914 + keyconf = nla_nest_start(ctx->nl_msg, OVPN_A_KEYCONF); 915 + NLA_PUT_U32(ctx->nl_msg, OVPN_A_KEYCONF_PEER_ID, ovpn->peer_id); 916 + NLA_PUT_U32(ctx->nl_msg, OVPN_A_KEYCONF_SLOT, ovpn->key_slot); 917 + NLA_PUT_U32(ctx->nl_msg, OVPN_A_KEYCONF_KEY_ID, ovpn->key_id); 918 + NLA_PUT_U32(ctx->nl_msg, OVPN_A_KEYCONF_CIPHER_ALG, ovpn->cipher); 919 + 920 + key_dir = nla_nest_start(ctx->nl_msg, OVPN_A_KEYCONF_ENCRYPT_DIR); 921 + NLA_PUT(ctx->nl_msg, OVPN_A_KEYDIR_CIPHER_KEY, KEY_LEN, ovpn->key_enc); 922 + NLA_PUT(ctx->nl_msg, OVPN_A_KEYDIR_NONCE_TAIL, NONCE_LEN, ovpn->nonce); 923 + nla_nest_end(ctx->nl_msg, key_dir); 924 + 925 + key_dir = nla_nest_start(ctx->nl_msg, OVPN_A_KEYCONF_DECRYPT_DIR); 926 + NLA_PUT(ctx->nl_msg, OVPN_A_KEYDIR_CIPHER_KEY, KEY_LEN, ovpn->key_dec); 927 + NLA_PUT(ctx->nl_msg, OVPN_A_KEYDIR_NONCE_TAIL, NONCE_LEN, ovpn->nonce); 928 + nla_nest_end(ctx->nl_msg, key_dir); 929 + 930 + nla_nest_end(ctx->nl_msg, keyconf); 931 + 932 + ret = ovpn_nl_msg_send(ctx, NULL); 933 + nla_put_failure: 934 + nl_ctx_free(ctx); 935 + return ret; 936 + } 937 + 938 + static int ovpn_del_key(struct ovpn_ctx *ovpn) 939 + { 940 + struct nlattr *keyconf; 941 + struct nl_ctx *ctx; 942 + int ret = -1; 943 + 944 + ctx = nl_ctx_alloc(ovpn, OVPN_CMD_KEY_DEL); 945 + if (!ctx) 946 + return 
-ENOMEM; 947 + 948 + keyconf = nla_nest_start(ctx->nl_msg, OVPN_A_KEYCONF); 949 + NLA_PUT_U32(ctx->nl_msg, OVPN_A_KEYCONF_PEER_ID, ovpn->peer_id); 950 + NLA_PUT_U32(ctx->nl_msg, OVPN_A_KEYCONF_SLOT, ovpn->key_slot); 951 + nla_nest_end(ctx->nl_msg, keyconf); 952 + 953 + ret = ovpn_nl_msg_send(ctx, NULL); 954 + nla_put_failure: 955 + nl_ctx_free(ctx); 956 + return ret; 957 + } 958 + 959 + static int ovpn_handle_key(struct nl_msg *msg, void (*arg)__always_unused) 960 + { 961 + struct nlattr *kattrs[OVPN_A_KEYCONF_MAX + 1]; 962 + struct genlmsghdr *gnlh = nlmsg_data(nlmsg_hdr(msg)); 963 + struct nlattr *attrs[OVPN_A_MAX + 1]; 964 + 965 + nla_parse(attrs, OVPN_A_MAX, genlmsg_attrdata(gnlh, 0), 966 + genlmsg_attrlen(gnlh, 0), NULL); 967 + 968 + if (!attrs[OVPN_A_KEYCONF]) { 969 + fprintf(stderr, "no packet content in netlink message\n"); 970 + return NL_SKIP; 971 + } 972 + 973 + nla_parse(kattrs, OVPN_A_KEYCONF_MAX, nla_data(attrs[OVPN_A_KEYCONF]), 974 + nla_len(attrs[OVPN_A_KEYCONF]), NULL); 975 + 976 + if (kattrs[OVPN_A_KEYCONF_PEER_ID]) 977 + fprintf(stderr, "* Peer %u\n", 978 + nla_get_u32(kattrs[OVPN_A_KEYCONF_PEER_ID])); 979 + if (kattrs[OVPN_A_KEYCONF_SLOT]) { 980 + fprintf(stderr, "\t- Slot: "); 981 + switch (nla_get_u32(kattrs[OVPN_A_KEYCONF_SLOT])) { 982 + case OVPN_KEY_SLOT_PRIMARY: 983 + fprintf(stderr, "primary\n"); 984 + break; 985 + case OVPN_KEY_SLOT_SECONDARY: 986 + fprintf(stderr, "secondary\n"); 987 + break; 988 + default: 989 + fprintf(stderr, "invalid (%u)\n", 990 + nla_get_u32(kattrs[OVPN_A_KEYCONF_SLOT])); 991 + break; 992 + } 993 + } 994 + if (kattrs[OVPN_A_KEYCONF_KEY_ID]) 995 + fprintf(stderr, "\t- Key ID: %u\n", 996 + nla_get_u32(kattrs[OVPN_A_KEYCONF_KEY_ID])); 997 + if (kattrs[OVPN_A_KEYCONF_CIPHER_ALG]) { 998 + fprintf(stderr, "\t- Cipher: "); 999 + switch (nla_get_u32(kattrs[OVPN_A_KEYCONF_CIPHER_ALG])) { 1000 + case OVPN_CIPHER_ALG_NONE: 1001 + fprintf(stderr, "none\n"); 1002 + break; 1003 + case OVPN_CIPHER_ALG_AES_GCM: 1004 + 
fprintf(stderr, "aes-gcm\n"); 1005 + break; 1006 + case OVPN_CIPHER_ALG_CHACHA20_POLY1305: 1007 + fprintf(stderr, "chacha20poly1305\n"); 1008 + break; 1009 + default: 1010 + fprintf(stderr, "invalid (%u)\n", 1011 + nla_get_u32(kattrs[OVPN_A_KEYCONF_CIPHER_ALG])); 1012 + break; 1013 + } 1014 + } 1015 + 1016 + return NL_SKIP; 1017 + } 1018 + 1019 + static int ovpn_get_key(struct ovpn_ctx *ovpn) 1020 + { 1021 + struct nlattr *keyconf; 1022 + struct nl_ctx *ctx; 1023 + int ret = -1; 1024 + 1025 + ctx = nl_ctx_alloc(ovpn, OVPN_CMD_KEY_GET); 1026 + if (!ctx) 1027 + return -ENOMEM; 1028 + 1029 + keyconf = nla_nest_start(ctx->nl_msg, OVPN_A_KEYCONF); 1030 + NLA_PUT_U32(ctx->nl_msg, OVPN_A_KEYCONF_PEER_ID, ovpn->peer_id); 1031 + NLA_PUT_U32(ctx->nl_msg, OVPN_A_KEYCONF_SLOT, ovpn->key_slot); 1032 + nla_nest_end(ctx->nl_msg, keyconf); 1033 + 1034 + ret = ovpn_nl_msg_send(ctx, ovpn_handle_key); 1035 + nla_put_failure: 1036 + nl_ctx_free(ctx); 1037 + return ret; 1038 + } 1039 + 1040 + static int ovpn_swap_keys(struct ovpn_ctx *ovpn) 1041 + { 1042 + struct nl_ctx *ctx; 1043 + struct nlattr *kc; 1044 + int ret = -1; 1045 + 1046 + ctx = nl_ctx_alloc(ovpn, OVPN_CMD_KEY_SWAP); 1047 + if (!ctx) 1048 + return -ENOMEM; 1049 + 1050 + kc = nla_nest_start(ctx->nl_msg, OVPN_A_KEYCONF); 1051 + NLA_PUT_U32(ctx->nl_msg, OVPN_A_KEYCONF_PEER_ID, ovpn->peer_id); 1052 + nla_nest_end(ctx->nl_msg, kc); 1053 + 1054 + ret = ovpn_nl_msg_send(ctx, NULL); 1055 + nla_put_failure: 1056 + nl_ctx_free(ctx); 1057 + return ret; 1058 + } 1059 + 1060 + /* Helper function used to easily add attributes to a rtnl message */ 1061 + static int ovpn_addattr(struct nlmsghdr *n, int maxlen, int type, 1062 + const void *data, int alen) 1063 + { 1064 + int len = RTA_LENGTH(alen); 1065 + struct rtattr *rta; 1066 + 1067 + if ((int)(NLMSG_ALIGN(n->nlmsg_len) + RTA_ALIGN(len)) > maxlen) { 1068 + fprintf(stderr, "%s: rtnl: message exceeded bound of %d\n", 1069 + __func__, maxlen); 1070 + return -EMSGSIZE; 1071 + } 1072 + 1073 
+ rta = nlmsg_tail(n); 1074 + rta->rta_type = type; 1075 + rta->rta_len = len; 1076 + 1077 + if (!data) 1078 + memset(RTA_DATA(rta), 0, alen); 1079 + else 1080 + memcpy(RTA_DATA(rta), data, alen); 1081 + 1082 + n->nlmsg_len = NLMSG_ALIGN(n->nlmsg_len) + RTA_ALIGN(len); 1083 + 1084 + return 0; 1085 + } 1086 + 1087 + static struct rtattr *ovpn_nest_start(struct nlmsghdr *msg, size_t max_size, 1088 + int attr) 1089 + { 1090 + struct rtattr *nest = nlmsg_tail(msg); 1091 + 1092 + if (ovpn_addattr(msg, max_size, attr, NULL, 0) < 0) 1093 + return NULL; 1094 + 1095 + return nest; 1096 + } 1097 + 1098 + static void ovpn_nest_end(struct nlmsghdr *msg, struct rtattr *nest) 1099 + { 1100 + nest->rta_len = (uint8_t *)nlmsg_tail(msg) - (uint8_t *)nest; 1101 + } 1102 + 1103 + #define RT_SNDBUF_SIZE (1024 * 2) 1104 + #define RT_RCVBUF_SIZE (1024 * 4) 1105 + 1106 + /* Open RTNL socket */ 1107 + static int ovpn_rt_socket(void) 1108 + { 1109 + int sndbuf = RT_SNDBUF_SIZE, rcvbuf = RT_RCVBUF_SIZE, fd; 1110 + 1111 + fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE); 1112 + if (fd < 0) { 1113 + fprintf(stderr, "%s: cannot open netlink socket\n", __func__); 1114 + return fd; 1115 + } 1116 + 1117 + if (setsockopt(fd, SOL_SOCKET, SO_SNDBUF, &sndbuf, 1118 + sizeof(sndbuf)) < 0) { 1119 + fprintf(stderr, "%s: SO_SNDBUF\n", __func__); 1120 + close(fd); 1121 + return -1; 1122 + } 1123 + 1124 + if (setsockopt(fd, SOL_SOCKET, SO_RCVBUF, &rcvbuf, 1125 + sizeof(rcvbuf)) < 0) { 1126 + fprintf(stderr, "%s: SO_RCVBUF\n", __func__); 1127 + close(fd); 1128 + return -1; 1129 + } 1130 + 1131 + return fd; 1132 + } 1133 + 1134 + /* Bind socket to Netlink subsystem */ 1135 + static int ovpn_rt_bind(int fd, uint32_t groups) 1136 + { 1137 + struct sockaddr_nl local = { 0 }; 1138 + socklen_t addr_len; 1139 + 1140 + local.nl_family = AF_NETLINK; 1141 + local.nl_groups = groups; 1142 + 1143 + if (bind(fd, (struct sockaddr *)&local, sizeof(local)) < 0) { 1144 + fprintf(stderr, "%s: cannot bind netlink socket: 
%d\n", 1145 + __func__, errno); 1146 + return -errno; 1147 + } 1148 + 1149 + addr_len = sizeof(local); 1150 + if (getsockname(fd, (struct sockaddr *)&local, &addr_len) < 0) { 1151 + fprintf(stderr, "%s: cannot getsockname: %d\n", __func__, 1152 + errno); 1153 + return -errno; 1154 + } 1155 + 1156 + if (addr_len != sizeof(local)) { 1157 + fprintf(stderr, "%s: wrong address length %d\n", __func__, 1158 + addr_len); 1159 + return -EINVAL; 1160 + } 1161 + 1162 + if (local.nl_family != AF_NETLINK) { 1163 + fprintf(stderr, "%s: wrong address family %d\n", __func__, 1164 + local.nl_family); 1165 + return -EINVAL; 1166 + } 1167 + 1168 + return 0; 1169 + } 1170 + 1171 + typedef int (*ovpn_parse_reply_cb)(struct nlmsghdr *msg, void *arg); 1172 + 1173 + /* Send Netlink message and run callback on reply (if specified) */ 1174 + static int ovpn_rt_send(struct nlmsghdr *payload, pid_t peer, 1175 + unsigned int groups, ovpn_parse_reply_cb cb, 1176 + void *arg_cb) 1177 + { 1178 + int len, rem_len, fd, ret, rcv_len; 1179 + struct sockaddr_nl nladdr = { 0 }; 1180 + struct nlmsgerr *err; 1181 + struct nlmsghdr *h; 1182 + char buf[1024 * 16]; 1183 + struct iovec iov = { 1184 + .iov_base = payload, 1185 + .iov_len = payload->nlmsg_len, 1186 + }; 1187 + struct msghdr nlmsg = { 1188 + .msg_name = &nladdr, 1189 + .msg_namelen = sizeof(nladdr), 1190 + .msg_iov = &iov, 1191 + .msg_iovlen = 1, 1192 + }; 1193 + 1194 + nladdr.nl_family = AF_NETLINK; 1195 + nladdr.nl_pid = peer; 1196 + nladdr.nl_groups = groups; 1197 + 1198 + payload->nlmsg_seq = time(NULL); 1199 + 1200 + /* no need to send reply */ 1201 + if (!cb) 1202 + payload->nlmsg_flags |= NLM_F_ACK; 1203 + 1204 + fd = ovpn_rt_socket(); 1205 + if (fd < 0) { 1206 + fprintf(stderr, "%s: can't open rtnl socket\n", __func__); 1207 + return -errno; 1208 + } 1209 + 1210 + ret = ovpn_rt_bind(fd, 0); 1211 + if (ret < 0) { 1212 + fprintf(stderr, "%s: can't bind rtnl socket\n", __func__); 1213 + ret = -errno; 1214 + goto out; 1215 + } 1216 + 1217 + 
ret = sendmsg(fd, &nlmsg, 0); 1218 + if (ret < 0) { 1219 + fprintf(stderr, "%s: rtnl: error on sendmsg()\n", __func__); 1220 + ret = -errno; 1221 + goto out; 1222 + } 1223 + 1224 + /* prepare buffer to store RTNL replies */ 1225 + memset(buf, 0, sizeof(buf)); 1226 + iov.iov_base = buf; 1227 + 1228 + while (1) { 1229 + /* 1230 + * iov_len is modified by recvmsg(), therefore has to be initialized before 1231 + * using it again 1232 + */ 1233 + iov.iov_len = sizeof(buf); 1234 + rcv_len = recvmsg(fd, &nlmsg, 0); 1235 + if (rcv_len < 0) { 1236 + if (errno == EINTR || errno == EAGAIN) { 1237 + fprintf(stderr, "%s: interrupted call\n", 1238 + __func__); 1239 + continue; 1240 + } 1241 + fprintf(stderr, "%s: rtnl: error on recvmsg()\n", 1242 + __func__); 1243 + ret = -errno; 1244 + goto out; 1245 + } 1246 + 1247 + if (rcv_len == 0) { 1248 + fprintf(stderr, 1249 + "%s: rtnl: socket reached unexpected EOF\n", 1250 + __func__); 1251 + ret = -EIO; 1252 + goto out; 1253 + } 1254 + 1255 + if (nlmsg.msg_namelen != sizeof(nladdr)) { 1256 + fprintf(stderr, 1257 + "%s: sender address length: %u (expected %zu)\n", 1258 + __func__, nlmsg.msg_namelen, sizeof(nladdr)); 1259 + ret = -EIO; 1260 + goto out; 1261 + } 1262 + 1263 + h = (struct nlmsghdr *)buf; 1264 + while (rcv_len >= (int)sizeof(*h)) { 1265 + len = h->nlmsg_len; 1266 + rem_len = len - sizeof(*h); 1267 + 1268 + if (rem_len < 0 || len > rcv_len) { 1269 + if (nlmsg.msg_flags & MSG_TRUNC) { 1270 + fprintf(stderr, "%s: truncated message\n", 1271 + __func__); 1272 + ret = -EIO; 1273 + goto out; 1274 + } 1275 + fprintf(stderr, "%s: malformed message: len=%d\n", 1276 + __func__, len); 1277 + ret = -EIO; 1278 + goto out; 1279 + } 1280 + 1281 + if (h->nlmsg_type == NLMSG_DONE) { 1282 + ret = 0; 1283 + goto out; 1284 + } 1285 + 1286 + if (h->nlmsg_type == NLMSG_ERROR) { 1287 + err = (struct nlmsgerr *)NLMSG_DATA(h); 1288 + if (rem_len < (int)sizeof(struct nlmsgerr)) { 1289 + fprintf(stderr, "%s: ERROR truncated\n", 1290 + __func__); 
1291 + ret = -EIO; 1292 + goto out; 1293 + } 1294 + 1295 + if (err->error) { 1296 + fprintf(stderr, "%s: (%d) %s\n", 1297 + __func__, err->error, 1298 + strerror(-err->error)); 1299 + ret = err->error; 1300 + goto out; 1301 + } 1302 + 1303 + ret = 0; 1304 + if (cb) { 1305 + int r = cb(h, arg_cb); 1306 + 1307 + if (r <= 0) 1308 + ret = r; 1309 + } 1310 + goto out; 1311 + } 1312 + 1313 + if (cb) { 1314 + int r = cb(h, arg_cb); 1315 + 1316 + if (r <= 0) { 1317 + ret = r; 1318 + goto out; 1319 + } 1320 + } else { 1321 + fprintf(stderr, "%s: RTNL: unexpected reply\n", 1322 + __func__); 1323 + } 1324 + 1325 + rcv_len -= NLMSG_ALIGN(len); 1326 + h = (struct nlmsghdr *)((uint8_t *)h + 1327 + NLMSG_ALIGN(len)); 1328 + } 1329 + 1330 + if (nlmsg.msg_flags & MSG_TRUNC) { 1331 + fprintf(stderr, "%s: message truncated\n", __func__); 1332 + continue; 1333 + } 1334 + 1335 + if (rcv_len) { 1336 + fprintf(stderr, "%s: rtnl: %d not parsed bytes\n", 1337 + __func__, rcv_len); 1338 + ret = -1; 1339 + goto out; 1340 + } 1341 + } 1342 + out: 1343 + close(fd); 1344 + 1345 + return ret; 1346 + } 1347 + 1348 + struct ovpn_link_req { 1349 + struct nlmsghdr n; 1350 + struct ifinfomsg i; 1351 + char buf[256]; 1352 + }; 1353 + 1354 + static int ovpn_new_iface(struct ovpn_ctx *ovpn) 1355 + { 1356 + struct rtattr *linkinfo, *data; 1357 + struct ovpn_link_req req = { 0 }; 1358 + int ret = -1; 1359 + 1360 + fprintf(stdout, "Creating interface %s with mode %u\n", ovpn->ifname, 1361 + ovpn->mode); 1362 + 1363 + req.n.nlmsg_len = NLMSG_LENGTH(sizeof(req.i)); 1364 + req.n.nlmsg_flags = NLM_F_REQUEST | NLM_F_CREATE | NLM_F_EXCL; 1365 + req.n.nlmsg_type = RTM_NEWLINK; 1366 + 1367 + if (ovpn_addattr(&req.n, sizeof(req), IFLA_IFNAME, ovpn->ifname, 1368 + strlen(ovpn->ifname) + 1) < 0) 1369 + goto err; 1370 + 1371 + linkinfo = ovpn_nest_start(&req.n, sizeof(req), IFLA_LINKINFO); 1372 + if (!linkinfo) 1373 + goto err; 1374 + 1375 + if (ovpn_addattr(&req.n, sizeof(req), IFLA_INFO_KIND, OVPN_FAMILY_NAME, 1376 
+ strlen(OVPN_FAMILY_NAME) + 1) < 0) 1377 + goto err; 1378 + 1379 + if (ovpn->mode_set) { 1380 + data = ovpn_nest_start(&req.n, sizeof(req), IFLA_INFO_DATA); 1381 + if (!data) 1382 + goto err; 1383 + 1384 + if (ovpn_addattr(&req.n, sizeof(req), IFLA_OVPN_MODE, 1385 + &ovpn->mode, sizeof(uint8_t)) < 0) 1386 + goto err; 1387 + 1388 + ovpn_nest_end(&req.n, data); 1389 + } 1390 + 1391 + ovpn_nest_end(&req.n, linkinfo); 1392 + 1393 + req.i.ifi_family = AF_PACKET; 1394 + 1395 + ret = ovpn_rt_send(&req.n, 0, 0, NULL, NULL); 1396 + err: 1397 + return ret; 1398 + } 1399 + 1400 + static int ovpn_del_iface(struct ovpn_ctx *ovpn) 1401 + { 1402 + struct ovpn_link_req req = { 0 }; 1403 + 1404 + fprintf(stdout, "Deleting interface %s ifindex %u\n", ovpn->ifname, 1405 + ovpn->ifindex); 1406 + 1407 + req.n.nlmsg_len = NLMSG_LENGTH(sizeof(req.i)); 1408 + req.n.nlmsg_flags = NLM_F_REQUEST; 1409 + req.n.nlmsg_type = RTM_DELLINK; 1410 + 1411 + req.i.ifi_family = AF_PACKET; 1412 + req.i.ifi_index = ovpn->ifindex; 1413 + 1414 + return ovpn_rt_send(&req.n, 0, 0, NULL, NULL); 1415 + } 1416 + 1417 + static int nl_seq_check(struct nl_msg (*msg)__always_unused, 1418 + void (*arg)__always_unused) 1419 + { 1420 + return NL_OK; 1421 + } 1422 + 1423 + struct mcast_handler_args { 1424 + const char *group; 1425 + int id; 1426 + }; 1427 + 1428 + static int mcast_family_handler(struct nl_msg *msg, void *arg) 1429 + { 1430 + struct mcast_handler_args *grp = arg; 1431 + struct nlattr *tb[CTRL_ATTR_MAX + 1]; 1432 + struct genlmsghdr *gnlh = nlmsg_data(nlmsg_hdr(msg)); 1433 + struct nlattr *mcgrp; 1434 + int rem_mcgrp; 1435 + 1436 + nla_parse(tb, CTRL_ATTR_MAX, genlmsg_attrdata(gnlh, 0), 1437 + genlmsg_attrlen(gnlh, 0), NULL); 1438 + 1439 + if (!tb[CTRL_ATTR_MCAST_GROUPS]) 1440 + return NL_SKIP; 1441 + 1442 + nla_for_each_nested(mcgrp, tb[CTRL_ATTR_MCAST_GROUPS], rem_mcgrp) { 1443 + struct nlattr *tb_mcgrp[CTRL_ATTR_MCAST_GRP_MAX + 1]; 1444 + 1445 + nla_parse(tb_mcgrp, CTRL_ATTR_MCAST_GRP_MAX, 1446 + 
nla_data(mcgrp), nla_len(mcgrp), NULL); 1447 + 1448 + if (!tb_mcgrp[CTRL_ATTR_MCAST_GRP_NAME] || 1449 + !tb_mcgrp[CTRL_ATTR_MCAST_GRP_ID]) 1450 + continue; 1451 + if (strncmp(nla_data(tb_mcgrp[CTRL_ATTR_MCAST_GRP_NAME]), 1452 + grp->group, nla_len(tb_mcgrp[CTRL_ATTR_MCAST_GRP_NAME]))) 1453 + continue; 1454 + grp->id = nla_get_u32(tb_mcgrp[CTRL_ATTR_MCAST_GRP_ID]); 1455 + break; 1456 + } 1457 + 1458 + return NL_SKIP; 1459 + } 1460 + 1461 + static int mcast_error_handler(struct sockaddr_nl (*nla)__always_unused, 1462 + struct nlmsgerr *err, void *arg) 1463 + { 1464 + int *ret = arg; 1465 + 1466 + *ret = err->error; 1467 + return NL_STOP; 1468 + } 1469 + 1470 + static int mcast_ack_handler(struct nl_msg (*msg)__always_unused, void *arg) 1471 + { 1472 + int *ret = arg; 1473 + 1474 + *ret = 0; 1475 + return NL_STOP; 1476 + } 1477 + 1478 + static int ovpn_handle_msg(struct nl_msg *msg, void *arg) 1479 + { 1480 + struct genlmsghdr *gnlh = nlmsg_data(nlmsg_hdr(msg)); 1481 + struct nlattr *attrs[OVPN_A_MAX + 1]; 1482 + struct nlmsghdr *nlh = nlmsg_hdr(msg); 1483 + char ifname[IF_NAMESIZE]; 1484 + int *ret = arg; 1485 + __u32 ifindex; 1486 + 1487 + fprintf(stderr, "received message from ovpn-dco\n"); 1488 + 1489 + *ret = -1; 1490 + 1491 + if (!genlmsg_valid_hdr(nlh, 0)) { 1492 + fprintf(stderr, "invalid header\n"); 1493 + return NL_STOP; 1494 + } 1495 + 1496 + if (nla_parse(attrs, OVPN_A_MAX, genlmsg_attrdata(gnlh, 0), 1497 + genlmsg_attrlen(gnlh, 0), NULL)) { 1498 + fprintf(stderr, "received bogus data from ovpn-dco\n"); 1499 + return NL_STOP; 1500 + } 1501 + 1502 + if (!attrs[OVPN_A_IFINDEX]) { 1503 + fprintf(stderr, "no ifindex in this message\n"); 1504 + return NL_STOP; 1505 + } 1506 + 1507 + ifindex = nla_get_u32(attrs[OVPN_A_IFINDEX]); 1508 + if (!if_indextoname(ifindex, ifname)) { 1509 + fprintf(stderr, "cannot resolve ifname for ifindex: %u\n", 1510 + ifindex); 1511 + return NL_STOP; 1512 + } 1513 + 1514 + switch (gnlh->cmd) { 1515 + case OVPN_CMD_PEER_DEL_NTF: 1516 
+ fprintf(stdout, "received CMD_PEER_DEL_NTF\n"); 1517 + break; 1518 + case OVPN_CMD_KEY_SWAP_NTF: 1519 + fprintf(stdout, "received CMD_KEY_SWAP_NTF\n"); 1520 + break; 1521 + default: 1522 + fprintf(stderr, "received unknown command: %d\n", gnlh->cmd); 1523 + return NL_STOP; 1524 + } 1525 + 1526 + *ret = 0; 1527 + return NL_OK; 1528 + } 1529 + 1530 + static int ovpn_get_mcast_id(struct nl_sock *sock, const char *family, 1531 + const char *group) 1532 + { 1533 + struct nl_msg *msg; 1534 + struct nl_cb *cb; 1535 + int ret, ctrlid; 1536 + struct mcast_handler_args grp = { 1537 + .group = group, 1538 + .id = -ENOENT, 1539 + }; 1540 + 1541 + msg = nlmsg_alloc(); 1542 + if (!msg) 1543 + return -ENOMEM; 1544 + 1545 + cb = nl_cb_alloc(NL_CB_DEFAULT); 1546 + if (!cb) { 1547 + ret = -ENOMEM; 1548 + goto out_fail_cb; 1549 + } 1550 + 1551 + ctrlid = genl_ctrl_resolve(sock, "nlctrl"); 1552 + 1553 + genlmsg_put(msg, 0, 0, ctrlid, 0, 0, CTRL_CMD_GETFAMILY, 0); 1554 + 1555 + ret = -ENOBUFS; 1556 + NLA_PUT_STRING(msg, CTRL_ATTR_FAMILY_NAME, family); 1557 + 1558 + ret = nl_send_auto_complete(sock, msg); 1559 + if (ret < 0) 1560 + goto nla_put_failure; 1561 + 1562 + ret = 1; 1563 + 1564 + nl_cb_err(cb, NL_CB_CUSTOM, mcast_error_handler, &ret); 1565 + nl_cb_set(cb, NL_CB_ACK, NL_CB_CUSTOM, mcast_ack_handler, &ret); 1566 + nl_cb_set(cb, NL_CB_VALID, NL_CB_CUSTOM, mcast_family_handler, &grp); 1567 + 1568 + while (ret > 0) 1569 + nl_recvmsgs(sock, cb); 1570 + 1571 + if (ret == 0) 1572 + ret = grp.id; 1573 + nla_put_failure: 1574 + nl_cb_put(cb); 1575 + out_fail_cb: 1576 + nlmsg_free(msg); 1577 + return ret; 1578 + } 1579 + 1580 + static int ovpn_listen_mcast(void) 1581 + { 1582 + struct nl_sock *sock; 1583 + struct nl_cb *cb; 1584 + int mcid, ret; 1585 + 1586 + sock = nl_socket_alloc(); 1587 + if (!sock) { 1588 + fprintf(stderr, "cannot allocate netlink socket\n"); 1589 + goto err_free; 1590 + } 1591 + 1592 + nl_socket_set_buffer_size(sock, 8192, 8192); 1593 + 1594 + ret = 
genl_connect(sock); 1595 + if (ret < 0) { 1596 + fprintf(stderr, "cannot connect to generic netlink: %s\n", 1597 + nl_geterror(ret)); 1598 + goto err_free; 1599 + } 1600 + 1601 + mcid = ovpn_get_mcast_id(sock, OVPN_FAMILY_NAME, OVPN_MCGRP_PEERS); 1602 + if (mcid < 0) { 1603 + fprintf(stderr, "cannot get mcast group: %s\n", 1604 + nl_geterror(mcid)); 1605 + goto err_free; 1606 + } 1607 + 1608 + ret = nl_socket_add_membership(sock, mcid); 1609 + if (ret) { 1610 + fprintf(stderr, "failed to join mcast group: %d\n", ret); 1611 + goto err_free; 1612 + } 1613 + 1614 + ret = 1; 1615 + cb = nl_cb_alloc(NL_CB_DEFAULT); 1616 + nl_cb_set(cb, NL_CB_SEQ_CHECK, NL_CB_CUSTOM, nl_seq_check, NULL); 1617 + nl_cb_set(cb, NL_CB_VALID, NL_CB_CUSTOM, ovpn_handle_msg, &ret); 1618 + nl_cb_err(cb, NL_CB_CUSTOM, ovpn_nl_cb_error, &ret); 1619 + 1620 + while (ret == 1) { 1621 + int err = nl_recvmsgs(sock, cb); 1622 + 1623 + if (err < 0) { 1624 + fprintf(stderr, 1625 + "cannot receive netlink message: (%d) %s\n", 1626 + err, nl_geterror(-err)); 1627 + ret = -1; 1628 + break; 1629 + } 1630 + } 1631 + 1632 + nl_cb_put(cb); 1633 + err_free: 1634 + nl_socket_free(sock); 1635 + return ret; 1636 + } 1637 + 1638 + static void usage(const char *cmd) 1639 + { 1640 + fprintf(stderr, 1641 + "Usage %s <command> <iface> [arguments..]\n", 1642 + cmd); 1643 + fprintf(stderr, "where <command> can be one of the following\n\n"); 1644 + 1645 + fprintf(stderr, "* new_iface <iface> [mode]: create new ovpn interface\n"); 1646 + fprintf(stderr, "\tiface: ovpn interface name\n"); 1647 + fprintf(stderr, "\tmode:\n"); 1648 + fprintf(stderr, "\t\t- P2P for peer-to-peer mode (i.e. client)\n"); 1649 + fprintf(stderr, "\t\t- MP for multi-peer mode (i.e. 
server)\n"); 1650 + 1651 + fprintf(stderr, "* del_iface <iface>: delete ovpn interface\n"); 1652 + fprintf(stderr, "\tiface: ovpn interface name\n"); 1653 + 1654 + fprintf(stderr, 1655 + "* listen <iface> <lport> <peers_file> [ipv6]: listen for incoming peer TCP connections\n"); 1656 + fprintf(stderr, "\tiface: ovpn interface name\n"); 1657 + fprintf(stderr, "\tlport: TCP port to listen to\n"); 1658 + fprintf(stderr, 1659 + "\tpeers_file: file containing one peer per line: Line format:\n"); 1660 + fprintf(stderr, "\t\t<peer_id> <vpnaddr>\n"); 1661 + fprintf(stderr, 1662 + "\tipv6: whether the socket should listen to the IPv6 wildcard address\n"); 1663 + 1664 + fprintf(stderr, 1665 + "* connect <iface> <peer_id> <raddr> <rport> [key_file]: start connecting peer of TCP-based VPN session\n"); 1666 + fprintf(stderr, "\tiface: ovpn interface name\n"); 1667 + fprintf(stderr, "\tpeer_id: peer ID of the connecting peer\n"); 1668 + fprintf(stderr, "\traddr: peer IP address to connect to\n"); 1669 + fprintf(stderr, "\trport: peer TCP port to connect to\n"); 1670 + fprintf(stderr, 1671 + "\tkey_file: file containing the symmetric key for encryption\n"); 1672 + 1673 + fprintf(stderr, 1674 + "* new_peer <iface> <peer_id> <lport> <raddr> <rport> [vpnaddr]: add new peer\n"); 1675 + fprintf(stderr, "\tiface: ovpn interface name\n"); 1676 + fprintf(stderr, "\tlport: local UDP port to bind to\n"); 1677 + fprintf(stderr, 1678 + "\tpeer_id: peer ID to be used in data packets to/from this peer\n"); 1679 + fprintf(stderr, "\traddr: peer IP address\n"); 1680 + fprintf(stderr, "\trport: peer UDP port\n"); 1681 + fprintf(stderr, "\tvpnaddr: peer VPN IP\n"); 1682 + 1683 + fprintf(stderr, 1684 + "* new_multi_peer <iface> <lport> <peers_file>: add multiple peers as listed in the file\n"); 1685 + fprintf(stderr, "\tiface: ovpn interface name\n"); 1686 + fprintf(stderr, "\tlport: local UDP port to bind to\n"); 1687 + fprintf(stderr, 1688 + "\tpeers_file: text file containing one peer per line. 
Line format:\n"); 1689 + fprintf(stderr, "\t\t<peer_id> <raddr> <rport> <vpnaddr>\n"); 1690 + 1691 + fprintf(stderr, 1692 + "* set_peer <iface> <peer_id> <keepalive_interval> <keepalive_timeout>: set peer attributes\n"); 1693 + fprintf(stderr, "\tiface: ovpn interface name\n"); 1694 + fprintf(stderr, "\tpeer_id: peer ID of the peer to modify\n"); 1695 + fprintf(stderr, 1696 + "\tkeepalive_interval: interval for sending ping messages\n"); 1697 + fprintf(stderr, 1698 + "\tkeepalive_timeout: time after which a peer is timed out\n"); 1699 + 1700 + fprintf(stderr, "* del_peer <iface> <peer_id>: delete peer\n"); 1701 + fprintf(stderr, "\tiface: ovpn interface name\n"); 1702 + fprintf(stderr, "\tpeer_id: peer ID of the peer to delete\n"); 1703 + 1704 + fprintf(stderr, "* get_peer <iface> [peer_id]: retrieve peer(s) status\n"); 1705 + fprintf(stderr, "\tiface: ovpn interface name\n"); 1706 + fprintf(stderr, 1707 + "\tpeer_id: peer ID of the peer to query. All peers are returned if omitted\n"); 1708 + 1709 + fprintf(stderr, 1710 + "* new_key <iface> <peer_id> <slot> <key_id> <cipher> <key_dir> <key_file>: set data channel key\n"); 1711 + fprintf(stderr, "\tiface: ovpn interface name\n"); 1712 + fprintf(stderr, 1713 + "\tpeer_id: peer ID of the peer to configure the key for\n"); 1714 + fprintf(stderr, "\tslot: either 1 (primary) or 2 (secondary)\n"); 1715 + fprintf(stderr, "\tkey_id: an ID from 0 to 7\n"); 1716 + fprintf(stderr, 1717 + "\tcipher: cipher to use, supported: aes (AES-GCM), chachapoly (CHACHA20POLY1305)\n"); 1718 + fprintf(stderr, 1719 + "\tkey_dir: key direction, must 0 on one host and 1 on the other\n"); 1720 + fprintf(stderr, "\tkey_file: file containing the pre-shared key\n"); 1721 + 1722 + fprintf(stderr, 1723 + "* del_key <iface> <peer_id> [slot]: erase existing data channel key\n"); 1724 + fprintf(stderr, "\tiface: ovpn interface name\n"); 1725 + fprintf(stderr, "\tpeer_id: peer ID of the peer to modify\n"); 1726 + fprintf(stderr, "\tslot: slot to erase. 
PRIMARY if omitted\n"); 1727 + 1728 + fprintf(stderr, 1729 + "* get_key <iface> <peer_id> <slot>: retrieve non sensible key data\n"); 1730 + fprintf(stderr, "\tiface: ovpn interface name\n"); 1731 + fprintf(stderr, "\tpeer_id: peer ID of the peer to query\n"); 1732 + fprintf(stderr, "\tslot: either 1 (primary) or 2 (secondary)\n"); 1733 + 1734 + fprintf(stderr, 1735 + "* swap_keys <iface> <peer_id>: swap content of primary and secondary key slots\n"); 1736 + fprintf(stderr, "\tiface: ovpn interface name\n"); 1737 + fprintf(stderr, "\tpeer_id: peer ID of the peer to modify\n"); 1738 + 1739 + fprintf(stderr, 1740 + "* listen_mcast: listen to ovpn netlink multicast messages\n"); 1741 + } 1742 + 1743 + static int ovpn_parse_remote(struct ovpn_ctx *ovpn, const char *host, 1744 + const char *service, const char *vpnip) 1745 + { 1746 + int ret; 1747 + struct addrinfo *result; 1748 + struct addrinfo hints = { 1749 + .ai_family = ovpn->sa_family, 1750 + .ai_socktype = SOCK_DGRAM, 1751 + .ai_protocol = IPPROTO_UDP 1752 + }; 1753 + 1754 + if (host) { 1755 + ret = getaddrinfo(host, service, &hints, &result); 1756 + if (ret == EAI_NONAME || ret == EAI_FAIL) 1757 + return -1; 1758 + 1759 + if (!(result->ai_family == AF_INET && 1760 + result->ai_addrlen == sizeof(struct sockaddr_in)) && 1761 + !(result->ai_family == AF_INET6 && 1762 + result->ai_addrlen == sizeof(struct sockaddr_in6))) { 1763 + ret = -EINVAL; 1764 + goto out; 1765 + } 1766 + 1767 + memcpy(&ovpn->remote, result->ai_addr, result->ai_addrlen); 1768 + } 1769 + 1770 + if (vpnip) { 1771 + ret = getaddrinfo(vpnip, NULL, &hints, &result); 1772 + if (ret == EAI_NONAME || ret == EAI_FAIL) 1773 + return -1; 1774 + 1775 + if (!(result->ai_family == AF_INET && 1776 + result->ai_addrlen == sizeof(struct sockaddr_in)) && 1777 + !(result->ai_family == AF_INET6 && 1778 + result->ai_addrlen == sizeof(struct sockaddr_in6))) { 1779 + ret = -EINVAL; 1780 + goto out; 1781 + } 1782 + 1783 + memcpy(&ovpn->peer_ip, result->ai_addr, 
result->ai_addrlen); 1784 + ovpn->sa_family = result->ai_family; 1785 + 1786 + ovpn->peer_ip_set = true; 1787 + } 1788 + 1789 + ret = 0; 1790 + out: 1791 + freeaddrinfo(result); 1792 + return ret; 1793 + } 1794 + 1795 + static int ovpn_parse_new_peer(struct ovpn_ctx *ovpn, const char *peer_id, 1796 + const char *raddr, const char *rport, 1797 + const char *vpnip) 1798 + { 1799 + ovpn->peer_id = strtoul(peer_id, NULL, 10); 1800 + if (errno == ERANGE || ovpn->peer_id > PEER_ID_UNDEF) { 1801 + fprintf(stderr, "peer ID value out of range\n"); 1802 + return -1; 1803 + } 1804 + 1805 + return ovpn_parse_remote(ovpn, raddr, rport, vpnip); 1806 + } 1807 + 1808 + static int ovpn_parse_key_slot(const char *arg, struct ovpn_ctx *ovpn) 1809 + { 1810 + int slot = strtoul(arg, NULL, 10); 1811 + 1812 + if (errno == ERANGE || slot < 1 || slot > 2) { 1813 + fprintf(stderr, "key slot out of range\n"); 1814 + return -1; 1815 + } 1816 + 1817 + switch (slot) { 1818 + case 1: 1819 + ovpn->key_slot = OVPN_KEY_SLOT_PRIMARY; 1820 + break; 1821 + case 2: 1822 + ovpn->key_slot = OVPN_KEY_SLOT_SECONDARY; 1823 + break; 1824 + } 1825 + 1826 + return 0; 1827 + } 1828 + 1829 + static int ovpn_send_tcp_data(int socket) 1830 + { 1831 + uint16_t len = htons(1000); 1832 + uint8_t buf[1002]; 1833 + int ret; 1834 + 1835 + memcpy(buf, &len, sizeof(len)); 1836 + memset(buf + sizeof(len), 0x86, sizeof(buf) - sizeof(len)); 1837 + 1838 + ret = send(socket, buf, sizeof(buf), MSG_NOSIGNAL); 1839 + 1840 + fprintf(stdout, "Sent %u bytes over TCP socket\n", ret); 1841 + 1842 + return ret > 0 ? 
0 : ret; 1843 + } 1844 + 1845 + static int ovpn_recv_tcp_data(int socket) 1846 + { 1847 + uint8_t buf[1002]; 1848 + uint16_t len; 1849 + int ret; 1850 + 1851 + ret = recv(socket, buf, sizeof(buf), MSG_NOSIGNAL); 1852 + 1853 + if (ret < 2) { 1854 + fprintf(stderr, ">>>> Error while reading TCP data: %d\n", ret); 1855 + return ret; 1856 + } 1857 + 1858 + memcpy(&len, buf, sizeof(len)); 1859 + len = ntohs(len); 1860 + 1861 + fprintf(stdout, ">>>> Received %u bytes over TCP socket, header: %u\n", 1862 + ret, len); 1863 + 1864 + return 0; 1865 + } 1866 + 1867 + static enum ovpn_cmd ovpn_parse_cmd(const char *cmd) 1868 + { 1869 + if (!strcmp(cmd, "new_iface")) 1870 + return CMD_NEW_IFACE; 1871 + 1872 + if (!strcmp(cmd, "del_iface")) 1873 + return CMD_DEL_IFACE; 1874 + 1875 + if (!strcmp(cmd, "listen")) 1876 + return CMD_LISTEN; 1877 + 1878 + if (!strcmp(cmd, "connect")) 1879 + return CMD_CONNECT; 1880 + 1881 + if (!strcmp(cmd, "new_peer")) 1882 + return CMD_NEW_PEER; 1883 + 1884 + if (!strcmp(cmd, "new_multi_peer")) 1885 + return CMD_NEW_MULTI_PEER; 1886 + 1887 + if (!strcmp(cmd, "set_peer")) 1888 + return CMD_SET_PEER; 1889 + 1890 + if (!strcmp(cmd, "del_peer")) 1891 + return CMD_DEL_PEER; 1892 + 1893 + if (!strcmp(cmd, "get_peer")) 1894 + return CMD_GET_PEER; 1895 + 1896 + if (!strcmp(cmd, "new_key")) 1897 + return CMD_NEW_KEY; 1898 + 1899 + if (!strcmp(cmd, "del_key")) 1900 + return CMD_DEL_KEY; 1901 + 1902 + if (!strcmp(cmd, "get_key")) 1903 + return CMD_GET_KEY; 1904 + 1905 + if (!strcmp(cmd, "swap_keys")) 1906 + return CMD_SWAP_KEYS; 1907 + 1908 + if (!strcmp(cmd, "listen_mcast")) 1909 + return CMD_LISTEN_MCAST; 1910 + 1911 + return CMD_INVALID; 1912 + } 1913 + 1914 + /* Send process to background and waits for signal. 1915 + * 1916 + * This helper is called at the end of commands 1917 + * creating sockets, so that the latter stay alive 1918 + * along with the process that created them. 
1919 + * 1920 + * A signal is expected to be delivered in order to 1921 + * terminate the waiting processes 1922 + */ 1923 + static void ovpn_waitbg(void) 1924 + { 1925 + daemon(1, 1); 1926 + pause(); 1927 + } 1928 + 1929 + static int ovpn_run_cmd(struct ovpn_ctx *ovpn) 1930 + { 1931 + char peer_id[10], vpnip[INET6_ADDRSTRLEN], raddr[128], rport[10]; 1932 + int n, ret; 1933 + FILE *fp; 1934 + 1935 + switch (ovpn->cmd) { 1936 + case CMD_NEW_IFACE: 1937 + ret = ovpn_new_iface(ovpn); 1938 + break; 1939 + case CMD_DEL_IFACE: 1940 + ret = ovpn_del_iface(ovpn); 1941 + break; 1942 + case CMD_LISTEN: 1943 + ret = ovpn_listen(ovpn, ovpn->sa_family); 1944 + if (ret < 0) { 1945 + fprintf(stderr, "cannot listen on TCP socket\n"); 1946 + return ret; 1947 + } 1948 + 1949 + fp = fopen(ovpn->peers_file, "r"); 1950 + if (!fp) { 1951 + fprintf(stderr, "cannot open file: %s\n", 1952 + ovpn->peers_file); 1953 + return -1; 1954 + } 1955 + 1956 + int num_peers = 0; 1957 + 1958 + while ((n = fscanf(fp, "%s %s\n", peer_id, vpnip)) == 2) { 1959 + struct ovpn_ctx peer_ctx = { 0 }; 1960 + 1961 + if (num_peers == MAX_PEERS) { 1962 + fprintf(stderr, "max peers reached!\n"); 1963 + return -E2BIG; 1964 + } 1965 + 1966 + peer_ctx.ifindex = ovpn->ifindex; 1967 + peer_ctx.sa_family = ovpn->sa_family; 1968 + 1969 + peer_ctx.socket = ovpn_accept(ovpn); 1970 + if (peer_ctx.socket < 0) { 1971 + fprintf(stderr, "cannot accept connection!\n"); 1972 + return -1; 1973 + } 1974 + 1975 + /* store peer sockets to test TCP I/O */ 1976 + ovpn->cli_sockets[num_peers] = peer_ctx.socket; 1977 + 1978 + ret = ovpn_parse_new_peer(&peer_ctx, peer_id, NULL, 1979 + NULL, vpnip); 1980 + if (ret < 0) { 1981 + fprintf(stderr, "error while parsing line\n"); 1982 + return -1; 1983 + } 1984 + 1985 + ret = ovpn_new_peer(&peer_ctx, true); 1986 + if (ret < 0) { 1987 + fprintf(stderr, 1988 + "cannot add peer to VPN: %s %s\n", 1989 + peer_id, vpnip); 1990 + return ret; 1991 + } 1992 + num_peers++; 1993 + } 1994 + 1995 + for (int i 
= 0; i < num_peers; i++) { 1996 + ret = ovpn_recv_tcp_data(ovpn->cli_sockets[i]); 1997 + if (ret < 0) 1998 + break; 1999 + } 2000 + ovpn_waitbg(); 2001 + break; 2002 + case CMD_CONNECT: 2003 + ret = ovpn_connect(ovpn); 2004 + if (ret < 0) { 2005 + fprintf(stderr, "cannot connect TCP socket\n"); 2006 + return ret; 2007 + } 2008 + 2009 + ret = ovpn_new_peer(ovpn, true); 2010 + if (ret < 0) { 2011 + fprintf(stderr, "cannot add peer to VPN\n"); 2012 + close(ovpn->socket); 2013 + return ret; 2014 + } 2015 + 2016 + if (ovpn->cipher != OVPN_CIPHER_ALG_NONE) { 2017 + ret = ovpn_new_key(ovpn); 2018 + if (ret < 0) { 2019 + fprintf(stderr, "cannot set key\n"); 2020 + return ret; 2021 + } 2022 + } 2023 + 2024 + ret = ovpn_send_tcp_data(ovpn->socket); 2025 + ovpn_waitbg(); 2026 + break; 2027 + case CMD_NEW_PEER: 2028 + ret = ovpn_udp_socket(ovpn, AF_INET6); 2029 + if (ret < 0) 2030 + return ret; 2031 + 2032 + ret = ovpn_new_peer(ovpn, false); 2033 + ovpn_waitbg(); 2034 + break; 2035 + case CMD_NEW_MULTI_PEER: 2036 + ret = ovpn_udp_socket(ovpn, AF_INET6); 2037 + if (ret < 0) 2038 + return ret; 2039 + 2040 + fp = fopen(ovpn->peers_file, "r"); 2041 + if (!fp) { 2042 + fprintf(stderr, "cannot open file: %s\n", 2043 + ovpn->peers_file); 2044 + return -1; 2045 + } 2046 + 2047 + while ((n = fscanf(fp, "%s %s %s %s\n", peer_id, raddr, rport, 2048 + vpnip)) == 4) { 2049 + struct ovpn_ctx peer_ctx = { 0 }; 2050 + 2051 + peer_ctx.ifindex = ovpn->ifindex; 2052 + peer_ctx.socket = ovpn->socket; 2053 + peer_ctx.sa_family = AF_UNSPEC; 2054 + 2055 + ret = ovpn_parse_new_peer(&peer_ctx, peer_id, raddr, 2056 + rport, vpnip); 2057 + if (ret < 0) { 2058 + fprintf(stderr, "error while parsing line\n"); 2059 + return -1; 2060 + } 2061 + 2062 + ret = ovpn_new_peer(&peer_ctx, false); 2063 + if (ret < 0) { 2064 + fprintf(stderr, 2065 + "cannot add peer to VPN: %s %s %s %s\n", 2066 + peer_id, raddr, rport, vpnip); 2067 + return ret; 2068 + } 2069 + } 2070 + ovpn_waitbg(); 2071 + break; 2072 + case 
CMD_SET_PEER: 2073 + ret = ovpn_set_peer(ovpn); 2074 + break; 2075 + case CMD_DEL_PEER: 2076 + ret = ovpn_del_peer(ovpn); 2077 + break; 2078 + case CMD_GET_PEER: 2079 + if (ovpn->peer_id == PEER_ID_UNDEF) 2080 + fprintf(stderr, "List of peers connected to: %s\n", 2081 + ovpn->ifname); 2082 + 2083 + ret = ovpn_get_peer(ovpn); 2084 + break; 2085 + case CMD_NEW_KEY: 2086 + ret = ovpn_new_key(ovpn); 2087 + break; 2088 + case CMD_DEL_KEY: 2089 + ret = ovpn_del_key(ovpn); 2090 + break; 2091 + case CMD_GET_KEY: 2092 + ret = ovpn_get_key(ovpn); 2093 + break; 2094 + case CMD_SWAP_KEYS: 2095 + ret = ovpn_swap_keys(ovpn); 2096 + break; 2097 + case CMD_LISTEN_MCAST: 2098 + ret = ovpn_listen_mcast(); 2099 + break; 2100 + case CMD_INVALID: 2101 + break; 2102 + } 2103 + 2104 + return ret; 2105 + } 2106 + 2107 + static int ovpn_parse_cmd_args(struct ovpn_ctx *ovpn, int argc, char *argv[]) 2108 + { 2109 + int ret; 2110 + 2111 + /* no args required for LISTEN_MCAST */ 2112 + if (ovpn->cmd == CMD_LISTEN_MCAST) 2113 + return 0; 2114 + 2115 + /* all commands need an ifname */ 2116 + if (argc < 3) 2117 + return -EINVAL; 2118 + 2119 + strscpy(ovpn->ifname, argv[2], IFNAMSIZ - 1); 2120 + ovpn->ifname[IFNAMSIZ - 1] = '\0'; 2121 + 2122 + /* all commands, except NEW_IFNAME, needs an ifindex */ 2123 + if (ovpn->cmd != CMD_NEW_IFACE) { 2124 + ovpn->ifindex = if_nametoindex(ovpn->ifname); 2125 + if (!ovpn->ifindex) { 2126 + fprintf(stderr, "cannot find interface: %s\n", 2127 + strerror(errno)); 2128 + return -1; 2129 + } 2130 + } 2131 + 2132 + switch (ovpn->cmd) { 2133 + case CMD_NEW_IFACE: 2134 + if (argc < 4) 2135 + break; 2136 + 2137 + if (!strcmp(argv[3], "P2P")) { 2138 + ovpn->mode = OVPN_MODE_P2P; 2139 + } else if (!strcmp(argv[3], "MP")) { 2140 + ovpn->mode = OVPN_MODE_MP; 2141 + } else { 2142 + fprintf(stderr, "Cannot parse iface mode: %s\n", 2143 + argv[3]); 2144 + return -1; 2145 + } 2146 + ovpn->mode_set = true; 2147 + break; 2148 + case CMD_DEL_IFACE: 2149 + break; 2150 + case 
CMD_LISTEN: 2151 + if (argc < 5) 2152 + return -EINVAL; 2153 + 2154 + ovpn->lport = strtoul(argv[3], NULL, 10); 2155 + if (errno == ERANGE || ovpn->lport > 65535) { 2156 + fprintf(stderr, "lport value out of range\n"); 2157 + return -1; 2158 + } 2159 + 2160 + ovpn->peers_file = argv[4]; 2161 + 2162 + if (argc > 5 && !strcmp(argv[5], "ipv6")) 2163 + ovpn->sa_family = AF_INET6; 2164 + break; 2165 + case CMD_CONNECT: 2166 + if (argc < 6) 2167 + return -EINVAL; 2168 + 2169 + ovpn->sa_family = AF_INET; 2170 + 2171 + ret = ovpn_parse_new_peer(ovpn, argv[3], argv[4], argv[5], 2172 + NULL); 2173 + if (ret < 0) { 2174 + fprintf(stderr, "Cannot parse remote peer data\n"); 2175 + return -1; 2176 + } 2177 + 2178 + if (argc > 6) { 2179 + ovpn->key_slot = OVPN_KEY_SLOT_PRIMARY; 2180 + ovpn->key_id = 0; 2181 + ovpn->cipher = OVPN_CIPHER_ALG_AES_GCM; 2182 + ovpn->key_dir = KEY_DIR_OUT; 2183 + 2184 + ret = ovpn_parse_key(argv[6], ovpn); 2185 + if (ret) 2186 + return -1; 2187 + } 2188 + break; 2189 + case CMD_NEW_PEER: 2190 + if (argc < 7) 2191 + return -EINVAL; 2192 + 2193 + ovpn->lport = strtoul(argv[4], NULL, 10); 2194 + if (errno == ERANGE || ovpn->lport > 65535) { 2195 + fprintf(stderr, "lport value out of range\n"); 2196 + return -1; 2197 + } 2198 + 2199 + const char *vpnip = (argc > 7) ? 
argv[7] : NULL; 2200 + 2201 + ret = ovpn_parse_new_peer(ovpn, argv[3], argv[5], argv[6], 2202 + vpnip); 2203 + if (ret < 0) 2204 + return -1; 2205 + break; 2206 + case CMD_NEW_MULTI_PEER: 2207 + if (argc < 5) 2208 + return -EINVAL; 2209 + 2210 + ovpn->lport = strtoul(argv[3], NULL, 10); 2211 + if (errno == ERANGE || ovpn->lport > 65535) { 2212 + fprintf(stderr, "lport value out of range\n"); 2213 + return -1; 2214 + } 2215 + 2216 + ovpn->peers_file = argv[4]; 2217 + break; 2218 + case CMD_SET_PEER: 2219 + if (argc < 6) 2220 + return -EINVAL; 2221 + 2222 + ovpn->peer_id = strtoul(argv[3], NULL, 10); 2223 + if (errno == ERANGE || ovpn->peer_id > PEER_ID_UNDEF) { 2224 + fprintf(stderr, "peer ID value out of range\n"); 2225 + return -1; 2226 + } 2227 + 2228 + ovpn->keepalive_interval = strtoul(argv[4], NULL, 10); 2229 + if (errno == ERANGE) { 2230 + fprintf(stderr, 2231 + "keepalive interval value out of range\n"); 2232 + return -1; 2233 + } 2234 + 2235 + ovpn->keepalive_timeout = strtoul(argv[5], NULL, 10); 2236 + if (errno == ERANGE) { 2237 + fprintf(stderr, 2238 + "keepalive interval value out of range\n"); 2239 + return -1; 2240 + } 2241 + break; 2242 + case CMD_DEL_PEER: 2243 + if (argc < 4) 2244 + return -EINVAL; 2245 + 2246 + ovpn->peer_id = strtoul(argv[3], NULL, 10); 2247 + if (errno == ERANGE || ovpn->peer_id > PEER_ID_UNDEF) { 2248 + fprintf(stderr, "peer ID value out of range\n"); 2249 + return -1; 2250 + } 2251 + break; 2252 + case CMD_GET_PEER: 2253 + ovpn->peer_id = PEER_ID_UNDEF; 2254 + if (argc > 3) { 2255 + ovpn->peer_id = strtoul(argv[3], NULL, 10); 2256 + if (errno == ERANGE || ovpn->peer_id > PEER_ID_UNDEF) { 2257 + fprintf(stderr, "peer ID value out of range\n"); 2258 + return -1; 2259 + } 2260 + } 2261 + break; 2262 + case CMD_NEW_KEY: 2263 + if (argc < 9) 2264 + return -EINVAL; 2265 + 2266 + ovpn->peer_id = strtoul(argv[3], NULL, 10); 2267 + if (errno == ERANGE) { 2268 + fprintf(stderr, "peer ID value out of range\n"); 2269 + return -1; 2270 + } 
2271 + 2272 + ret = ovpn_parse_key_slot(argv[4], ovpn); 2273 + if (ret) 2274 + return -1; 2275 + 2276 + ovpn->key_id = strtoul(argv[5], NULL, 10); 2277 + if (errno == ERANGE || ovpn->key_id > 2) { 2278 + fprintf(stderr, "key ID out of range\n"); 2279 + return -1; 2280 + } 2281 + 2282 + ret = ovpn_parse_cipher(argv[6], ovpn); 2283 + if (ret < 0) 2284 + return -1; 2285 + 2286 + ret = ovpn_parse_key_direction(argv[7], ovpn); 2287 + if (ret < 0) 2288 + return -1; 2289 + 2290 + ret = ovpn_parse_key(argv[8], ovpn); 2291 + if (ret) 2292 + return -1; 2293 + break; 2294 + case CMD_DEL_KEY: 2295 + if (argc < 4) 2296 + return -EINVAL; 2297 + 2298 + ovpn->peer_id = strtoul(argv[3], NULL, 10); 2299 + if (errno == ERANGE) { 2300 + fprintf(stderr, "peer ID value out of range\n"); 2301 + return -1; 2302 + } 2303 + 2304 + ret = ovpn_parse_key_slot(argv[4], ovpn); 2305 + if (ret) 2306 + return ret; 2307 + break; 2308 + case CMD_GET_KEY: 2309 + if (argc < 5) 2310 + return -EINVAL; 2311 + 2312 + ovpn->peer_id = strtoul(argv[3], NULL, 10); 2313 + if (errno == ERANGE) { 2314 + fprintf(stderr, "peer ID value out of range\n"); 2315 + return -1; 2316 + } 2317 + 2318 + ret = ovpn_parse_key_slot(argv[4], ovpn); 2319 + if (ret) 2320 + return ret; 2321 + break; 2322 + case CMD_SWAP_KEYS: 2323 + if (argc < 4) 2324 + return -EINVAL; 2325 + 2326 + ovpn->peer_id = strtoul(argv[3], NULL, 10); 2327 + if (errno == ERANGE) { 2328 + fprintf(stderr, "peer ID value out of range\n"); 2329 + return -1; 2330 + } 2331 + break; 2332 + case CMD_LISTEN_MCAST: 2333 + break; 2334 + case CMD_INVALID: 2335 + break; 2336 + } 2337 + 2338 + return 0; 2339 + } 2340 + 2341 + int main(int argc, char *argv[]) 2342 + { 2343 + struct ovpn_ctx ovpn; 2344 + int ret; 2345 + 2346 + if (argc < 2) { 2347 + usage(argv[0]); 2348 + return -1; 2349 + } 2350 + 2351 + memset(&ovpn, 0, sizeof(ovpn)); 2352 + ovpn.sa_family = AF_INET; 2353 + ovpn.cipher = OVPN_CIPHER_ALG_NONE; 2354 + 2355 + ovpn.cmd = ovpn_parse_cmd(argv[1]); 2356 + if 
(ovpn.cmd == CMD_INVALID) { 2357 + fprintf(stderr, "Error: unknown command.\n\n"); 2358 + usage(argv[0]); 2359 + return -1; 2360 + } 2361 + 2362 + ret = ovpn_parse_cmd_args(&ovpn, argc, argv); 2363 + if (ret < 0) { 2364 + fprintf(stderr, "Error: invalid arguments.\n\n"); 2365 + if (ret == -EINVAL) 2366 + usage(argv[0]); 2367 + return ret; 2368 + } 2369 + 2370 + ret = ovpn_run_cmd(&ovpn); 2371 + if (ret) 2372 + fprintf(stderr, "Cannot execute command: %s (%d)\n", 2373 + strerror(-ret), ret); 2374 + 2375 + return ret; 2376 + }
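Review bot: in ovpn_parse_cmd_args the CMD_DEL_KEY case only checks `argc < 4` and then calls `ovpn_parse_key_slot(argv[4], ovpn)`, so the optional slot that usage() documents as "PRIMARY if omitted" makes strtoul() dereference the NULL argv[argc] terminator; set `ovpn->key_slot = OVPN_KEY_SLOT_PRIMARY` first and only parse argv[4] when `argc > 4`. Two smaller points in the same hunk: ovpn_listen_mcast() returns `ret` uninitialised when nl_socket_alloc() fails, and returns 0 (success) when ovpn_get_mcast_id() fails because `ret` still holds the genl_connect() result at that `goto err_free`; and every strtoul() call is followed by `if (errno == ERANGE ...)` without clearing errno beforehand, so a stale errno from an earlier library call can reject a valid argument. Also usage() advertises `key_id: an ID from 0 to 7` while CMD_NEW_KEY rejects `ovpn->key_id > 2`; one of the two should change.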
+5
tools/testing/selftests/net/ovpn/tcp_peers.txt
··· 1 + 1 5.5.5.2 2 + 2 5.5.5.3 3 + 3 5.5.5.4 4 + 4 5.5.5.5 5 + 5 5.5.5.6
+9
tools/testing/selftests/net/ovpn/test-chachapoly.sh
··· 1 + #!/bin/bash 2 + # SPDX-License-Identifier: GPL-2.0 3 + # Copyright (C) 2025 OpenVPN, Inc. 4 + # 5 + # Author: Antonio Quartulli <antonio@openvpn.net> 6 + 7 + ALG="chachapoly" 8 + 9 + source test.sh
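Review bot: ALG is consumed only by the `new_key tun0 ${p} 2 1 ${ALG} 0 data64.key` lines in test.sh, where it is expanded unquoted; if common.sh does not supply a default, running test.sh directly drops that argument and shifts key_dir into the cipher position, producing a confusing parse error instead of a clear "ALG unset". Quoting `"${ALG}"` in test.sh or setting a default such as `ALG="${ALG:-aes}"` in common.sh (usage() lists `aes` as a valid cipher name) would make the failure obvious.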
+9
tools/testing/selftests/net/ovpn/test-close-socket-tcp.sh
··· 1 + #!/bin/bash 2 + # SPDX-License-Identifier: GPL-2.0 3 + # Copyright (C) 2025 OpenVPN, Inc. 4 + # 5 + # Author: Antonio Quartulli <antonio@openvpn.net> 6 + 7 + PROTO="TCP" 8 + 9 + source test-close-socket.sh
+45
tools/testing/selftests/net/ovpn/test-close-socket.sh
··· 1 + #!/bin/bash 2 + # SPDX-License-Identifier: GPL-2.0 3 + # Copyright (C) 2020-2025 OpenVPN, Inc. 4 + # 5 + # Author: Antonio Quartulli <antonio@openvpn.net> 6 + 7 + #set -x 8 + set -e 9 + 10 + source ./common.sh 11 + 12 + cleanup 13 + 14 + modprobe -q ovpn || true 15 + 16 + for p in $(seq 0 ${NUM_PEERS}); do 17 + create_ns ${p} 18 + done 19 + 20 + for p in $(seq 0 ${NUM_PEERS}); do 21 + setup_ns ${p} 5.5.5.$((${p} + 1))/24 22 + done 23 + 24 + for p in $(seq 0 ${NUM_PEERS}); do 25 + add_peer ${p} 26 + done 27 + 28 + for p in $(seq 1 ${NUM_PEERS}); do 29 + ip netns exec peer0 ${OVPN_CLI} set_peer tun0 ${p} 60 120 30 + ip netns exec peer${p} ${OVPN_CLI} set_peer tun${p} ${p} 60 120 31 + done 32 + 33 + sleep 1 34 + 35 + for p in $(seq 1 ${NUM_PEERS}); do 36 + ip netns exec peer0 ping -qfc 500 -w 3 5.5.5.$((${p} + 1)) 37 + done 38 + 39 + ip netns exec peer0 iperf3 -1 -s & 40 + sleep 1 41 + ip netns exec peer1 iperf3 -Z -t 3 -c 5.5.5.1 42 + 43 + cleanup 44 + 45 + modprobe -r ovpn || true
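Review bot: the steps visible here (create_ns, setup_ns, add_peer, set_peer, ping, iperf3, cleanup) are the same as the first part of test.sh, and nothing in this file shows a socket being closed; a header comment stating what this test exercises and which helper performs the close would help anyone reading the selftest in isolation. Like test.sh, it runs under `set -e` with no `trap cleanup EXIT`, so a failing ping leaves the peer namespaces and the ovpn module behind for the next run.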
+9
tools/testing/selftests/net/ovpn/test-float.sh
··· 1 + #!/bin/bash 2 + # SPDX-License-Identifier: GPL-2.0 3 + # Copyright (C) 2025 OpenVPN, Inc. 4 + # 5 + # Author: Antonio Quartulli <antonio@openvpn.net> 6 + 7 + FLOAT="1" 8 + 9 + source test.sh
+9
tools/testing/selftests/net/ovpn/test-tcp.sh
··· 1 + #!/bin/bash 2 + # SPDX-License-Identifier: GPL-2.0 3 + # Copyright (C) 2025 OpenVPN, Inc. 4 + # 5 + # Author: Antonio Quartulli <antonio@openvpn.net> 6 + 7 + PROTO="TCP" 8 + 9 + source test.sh
+113
tools/testing/selftests/net/ovpn/test.sh
··· 1 + #!/bin/bash 2 + # SPDX-License-Identifier: GPL-2.0 3 + # Copyright (C) 2020-2025 OpenVPN, Inc. 4 + # 5 + # Author: Antonio Quartulli <antonio@openvpn.net> 6 + 7 + #set -x 8 + set -e 9 + 10 + source ./common.sh 11 + 12 + cleanup 13 + 14 + modprobe -q ovpn || true 15 + 16 + for p in $(seq 0 ${NUM_PEERS}); do 17 + create_ns ${p} 18 + done 19 + 20 + for p in $(seq 0 ${NUM_PEERS}); do 21 + setup_ns ${p} 5.5.5.$((${p} + 1))/24 22 + done 23 + 24 + for p in $(seq 0 ${NUM_PEERS}); do 25 + add_peer ${p} 26 + done 27 + 28 + for p in $(seq 1 ${NUM_PEERS}); do 29 + ip netns exec peer0 ${OVPN_CLI} set_peer tun0 ${p} 60 120 30 + ip netns exec peer${p} ${OVPN_CLI} set_peer tun${p} ${p} 60 120 31 + done 32 + 33 + sleep 1 34 + 35 + for p in $(seq 1 ${NUM_PEERS}); do 36 + ip netns exec peer0 ping -qfc 500 -w 3 5.5.5.$((${p} + 1)) 37 + done 38 + 39 + if [ "$FLOAT" == "1" ]; then 40 + # make clients float.. 41 + for p in $(seq 1 ${NUM_PEERS}); do 42 + ip -n peer${p} addr del 10.10.${p}.2/24 dev veth${p} 43 + ip -n peer${p} addr add 10.10.${p}.3/24 dev veth${p} 44 + done 45 + for p in $(seq 1 ${NUM_PEERS}); do 46 + ip netns exec peer${p} ping -qfc 500 -w 3 5.5.5.1 47 + done 48 + fi 49 + 50 + ip netns exec peer0 iperf3 -1 -s & 51 + sleep 1 52 + ip netns exec peer1 iperf3 -Z -t 3 -c 5.5.5.1 53 + 54 + echo "Adding secondary key and then swap:" 55 + for p in $(seq 1 ${NUM_PEERS}); do 56 + ip netns exec peer0 ${OVPN_CLI} new_key tun0 ${p} 2 1 ${ALG} 0 data64.key 57 + ip netns exec peer${p} ${OVPN_CLI} new_key tun${p} ${p} 2 1 ${ALG} 1 data64.key 58 + ip netns exec peer${p} ${OVPN_CLI} swap_keys tun${p} ${p} 59 + done 60 + 61 + sleep 1 62 + 63 + echo "Querying all peers:" 64 + ip netns exec peer0 ${OVPN_CLI} get_peer tun0 65 + ip netns exec peer1 ${OVPN_CLI} get_peer tun1 66 + 67 + echo "Querying peer 1:" 68 + ip netns exec peer0 ${OVPN_CLI} get_peer tun0 1 69 + 70 + echo "Querying non-existent peer 10:" 71 + ip netns exec peer0 ${OVPN_CLI} get_peer tun0 10 || true 72 + 73 + echo 
"Deleting peer 1:" 74 + ip netns exec peer0 ${OVPN_CLI} del_peer tun0 1 75 + ip netns exec peer1 ${OVPN_CLI} del_peer tun1 1 76 + 77 + echo "Querying keys:" 78 + for p in $(seq 2 ${NUM_PEERS}); do 79 + ip netns exec peer${p} ${OVPN_CLI} get_key tun${p} ${p} 1 80 + ip netns exec peer${p} ${OVPN_CLI} get_key tun${p} ${p} 2 81 + done 82 + 83 + echo "Deleting peer while sending traffic:" 84 + (ip netns exec peer2 ping -qf -w 4 5.5.5.1)& 85 + sleep 2 86 + ip netns exec peer0 ${OVPN_CLI} del_peer tun0 2 87 + # following command fails in TCP mode 88 + # (both ends get conn reset when one peer disconnects) 89 + ip netns exec peer2 ${OVPN_CLI} del_peer tun2 2 || true 90 + 91 + echo "Deleting keys:" 92 + for p in $(seq 3 ${NUM_PEERS}); do 93 + ip netns exec peer${p} ${OVPN_CLI} del_key tun${p} ${p} 1 94 + ip netns exec peer${p} ${OVPN_CLI} del_key tun${p} ${p} 2 95 + done 96 + 97 + echo "Setting timeout to 3s MP:" 98 + for p in $(seq 3 ${NUM_PEERS}); do 99 + ip netns exec peer0 ${OVPN_CLI} set_peer tun0 ${p} 3 3 || true 100 + ip netns exec peer${p} ${OVPN_CLI} set_peer tun${p} ${p} 0 0 101 + done 102 + # wait for peers to timeout 103 + sleep 5 104 + 105 + echo "Setting timeout to 3s P2P:" 106 + for p in $(seq 3 ${NUM_PEERS}); do 107 + ip netns exec peer${p} ${OVPN_CLI} set_peer tun${p} ${p} 3 3 108 + done 109 + sleep 5 110 + 111 + cleanup 112 + 113 + modprobe -r ovpn || true
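Review bot: the script runs under `set -e` but never registers `trap cleanup EXIT`, so any failing step (a lost ping, a CLI error) exits with the peer namespaces still present and the ovpn module loaded, and the next run depends on the initial `cleanup` call to recover; adding the trap right after `source ./common.sh` keeps the host clean on failure. Separately, `set_peer tun0 ${p} 3 3 || true` in the "Setting timeout to 3s MP" block tolerates a failure without saying when one is expected, unlike the del_peer line above it, which documents the TCP connection-reset case; a one-line comment would avoid masking a real regression there.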
+5
tools/testing/selftests/net/ovpn/udp_peers.txt
··· 1 + 1 10.10.1.2 1 5.5.5.2 2 + 2 10.10.2.2 1 5.5.5.3 3 + 3 10.10.3.2 1 5.5.5.4 4 + 4 10.10.4.2 1 5.5.5.5 5 + 5 10.10.5.2 1 5.5.5.6