1 // SPDX-License-Identifier: GPL-2.0 2 /* OpenVPN data channel accelerator 3 * 4 * Copyright (C) 2020-2025 OpenVPN, Inc. 5 * 6 * Author: Antonio Quartulli <antonio@openvpn.net> 7 */ 8 9 #include <stdio.h> 10 #include <inttypes.h> 11 #include <stdbool.h> 12 #include <string.h> 13 #include <errno.h> 14 #include <unistd.h> 15 #include <arpa/inet.h> 16 #include <net/if.h> 17 #include <netinet/in.h> 18 #include <time.h> 19 20 #include <linux/ovpn.h> 21 #include <linux/types.h> 22 #include <linux/netlink.h> 23 24 #include <netlink/socket.h> 25 #include <netlink/netlink.h> 26 #include <netlink/genl/genl.h> 27 #include <netlink/genl/family.h> 28 #include <netlink/genl/ctrl.h> 29 30 #include <mbedtls/base64.h> 31 #include <mbedtls/error.h> 32 33 #include <sys/socket.h> 34 35 /* defines to make checkpatch happy */ 36 #define strscpy strncpy 37 #define __always_unused __attribute__((__unused__)) 38 39 /* libnl < 3.5.0 does not set the NLA_F_NESTED on its own, therefore we 40 * have to explicitly do it to prevent the kernel from failing upon 41 * parsing of the message 42 */ 43 #define nla_nest_start(_msg, _type) \ 44 nla_nest_start(_msg, (_type) | NLA_F_NESTED) 45 46 /* libnl < 3.11.0 does not implement nla_get_uint() */ 47 uint64_t ovpn_nla_get_uint(struct nlattr *attr) 48 { 49 if (nla_len(attr) == sizeof(uint32_t)) 50 return nla_get_u32(attr); 51 else 52 return nla_get_u64(attr); 53 } 54 55 typedef int (*ovpn_nl_cb)(struct nl_msg *msg, void *arg); 56 57 enum ovpn_key_direction { 58 KEY_DIR_IN = 0, 59 KEY_DIR_OUT, 60 }; 61 62 #define KEY_LEN (256 / 8) 63 #define NONCE_LEN 8 64 65 #define PEER_ID_UNDEF 0x00FFFFFF 66 #define MAX_PEERS 10 67 68 struct nl_ctx { 69 struct nl_sock *nl_sock; 70 struct nl_msg *nl_msg; 71 struct nl_cb *nl_cb; 72 73 int ovpn_dco_id; 74 }; 75 76 enum ovpn_cmd { 77 CMD_INVALID, 78 CMD_NEW_IFACE, 79 CMD_DEL_IFACE, 80 CMD_LISTEN, 81 CMD_CONNECT, 82 CMD_NEW_PEER, 83 CMD_NEW_MULTI_PEER, 84 CMD_SET_PEER, 85 CMD_DEL_PEER, 86 CMD_GET_PEER, 87 CMD_NEW_KEY, 88 CMD_DEL_KEY, 89 CMD_GET_KEY, 90 CMD_SWAP_KEYS, 91 CMD_LISTEN_MCAST, 92 }; 93 94 struct ovpn_ctx { 95 enum ovpn_cmd cmd; 96 97 __u8 key_enc[KEY_LEN]; 98 __u8 key_dec[KEY_LEN]; 99 __u8 nonce[NONCE_LEN]; 100 101 enum ovpn_cipher_alg cipher; 102 103 sa_family_t sa_family; 104 105 unsigned long peer_id; 106 unsigned long lport; 107 108 union { 109 struct sockaddr_in in4; 110 struct sockaddr_in6 in6; 111 } remote; 112 113 union { 114 struct sockaddr_in in4; 115 struct sockaddr_in6 in6; 116 } peer_ip; 117 118 bool peer_ip_set; 119 120 unsigned int ifindex; 121 char ifname[IFNAMSIZ]; 122 enum ovpn_mode mode; 123 bool mode_set; 124 125 int socket; 126 int cli_sockets[MAX_PEERS]; 127 128 __u32 keepalive_interval; 129 __u32 keepalive_timeout; 130 131 enum ovpn_key_direction key_dir; 132 enum ovpn_key_slot key_slot; 133 int key_id; 134 135 const char *peers_file; 136 }; 137 138 static int ovpn_nl_recvmsgs(struct nl_ctx *ctx) 139 { 140 int ret; 141 142 ret = nl_recvmsgs(ctx->nl_sock, ctx->nl_cb); 143 144 switch (ret) { 145 case -NLE_INTR: 146 fprintf(stderr, 147 "netlink received interrupt due to signal - ignoring\n"); 148 break; 149 case -NLE_NOMEM: 150 fprintf(stderr, "netlink out of memory error\n"); 151 break; 152 case -NLE_AGAIN: 153 fprintf(stderr, 154 "netlink reports blocking read - aborting wait\n"); 155 break; 156 default: 157 if (ret) 158 fprintf(stderr, "netlink reports error (%d): %s\n", 159 ret, nl_geterror(-ret)); 160 break; 161 } 162 163 return ret; 164 } 165 166 static struct nl_ctx *nl_ctx_alloc_flags(struct ovpn_ctx *ovpn, int cmd, 167 int flags) 168 { 169 struct nl_ctx *ctx; 170 int err, ret; 171 172 ctx = calloc(1, sizeof(*ctx)); 173 if (!ctx) 174 return NULL; 175 176 ctx->nl_sock = nl_socket_alloc(); 177 if (!ctx->nl_sock) { 178 fprintf(stderr, "cannot allocate netlink socket\n"); 179 goto err_free; 180 } 181 182 nl_socket_set_buffer_size(ctx->nl_sock, 8192, 8192); 183 184 ret = genl_connect(ctx->nl_sock); 185 if (ret) { 186 fprintf(stderr, "cannot connect to generic netlink: %s\n", 187 nl_geterror(ret)); 188 goto err_sock; 189 } 190 191 /* enable Extended ACK for detailed error reporting */ 192 err = 1; 193 setsockopt(nl_socket_get_fd(ctx->nl_sock), SOL_NETLINK, NETLINK_EXT_ACK, 194 &err, sizeof(err)); 195 196 ctx->ovpn_dco_id = genl_ctrl_resolve(ctx->nl_sock, OVPN_FAMILY_NAME); 197 if (ctx->ovpn_dco_id < 0) { 198 fprintf(stderr, "cannot find ovpn_dco netlink component: %d\n", 199 ctx->ovpn_dco_id); 200 goto err_free; 201 } 202 203 ctx->nl_msg = nlmsg_alloc(); 204 if (!ctx->nl_msg) { 205 fprintf(stderr, "cannot allocate netlink message\n"); 206 goto err_sock; 207 } 208 209 ctx->nl_cb = nl_cb_alloc(NL_CB_DEFAULT); 210 if (!ctx->nl_cb) { 211 fprintf(stderr, "failed to allocate netlink callback\n"); 212 goto err_msg; 213 } 214 215 nl_socket_set_cb(ctx->nl_sock, ctx->nl_cb); 216 217 genlmsg_put(ctx->nl_msg, 0, 0, ctx->ovpn_dco_id, 0, flags, cmd, 0); 218 219 if (ovpn->ifindex > 0) 220 NLA_PUT_U32(ctx->nl_msg, OVPN_A_IFINDEX, ovpn->ifindex); 221 222 return ctx; 223 nla_put_failure: 224 err_msg: 225 nlmsg_free(ctx->nl_msg); 226 err_sock: 227 nl_socket_free(ctx->nl_sock); 228 err_free: 229 free(ctx); 230 return NULL; 231 } 232 233 static struct nl_ctx *nl_ctx_alloc(struct ovpn_ctx *ovpn, int cmd) 234 { 235 return nl_ctx_alloc_flags(ovpn, cmd, 0); 236 } 237 238 static void nl_ctx_free(struct nl_ctx *ctx) 239 { 240 if (!ctx) 241 return; 242 243 nl_socket_free(ctx->nl_sock); 244 nlmsg_free(ctx->nl_msg); 245 nl_cb_put(ctx->nl_cb); 246 free(ctx); 247 } 248 249 static int ovpn_nl_cb_error(struct sockaddr_nl (*nla)__always_unused, 250 struct nlmsgerr *err, void *arg) 251 { 252 struct nlmsghdr *nlh = (struct nlmsghdr *)err - 1; 253 struct nlattr *tb_msg[NLMSGERR_ATTR_MAX + 1]; 254 int len = nlh->nlmsg_len; 255 struct nlattr *attrs; 256 int *ret = arg; 257 int ack_len = sizeof(*nlh) + sizeof(int) + sizeof(*nlh); 258 259 *ret = err->error; 260 261 if (!(nlh->nlmsg_flags & NLM_F_ACK_TLVS)) 262 return NL_STOP; 263 264 if (!(nlh->nlmsg_flags & NLM_F_CAPPED)) 265 ack_len += err->msg.nlmsg_len - sizeof(*nlh); 266 267 if (len <= ack_len) 268 return NL_STOP; 269 270 attrs = (void *)((uint8_t *)nlh + ack_len); 271 len -= ack_len; 272 273 nla_parse(tb_msg, NLMSGERR_ATTR_MAX, attrs, len, NULL); 274 if (tb_msg[NLMSGERR_ATTR_MSG]) { 275 len = strnlen((char *)nla_data(tb_msg[NLMSGERR_ATTR_MSG]), 276 nla_len(tb_msg[NLMSGERR_ATTR_MSG])); 277 fprintf(stderr, "kernel error: %*s\n", len, 278 (char *)nla_data(tb_msg[NLMSGERR_ATTR_MSG])); 279 } 280 281 if (tb_msg[NLMSGERR_ATTR_MISS_NEST]) { 282 fprintf(stderr, "missing required nesting type %u\n", 283 nla_get_u32(tb_msg[NLMSGERR_ATTR_MISS_NEST])); 284 } 285 286 if (tb_msg[NLMSGERR_ATTR_MISS_TYPE]) { 287 fprintf(stderr, "missing required attribute type %u\n", 288 nla_get_u32(tb_msg[NLMSGERR_ATTR_MISS_TYPE])); 289 } 290 291 return NL_STOP; 292 } 293 294 static int ovpn_nl_cb_finish(struct nl_msg (*msg)__always_unused, 295 void *arg) 296 { 297 int *status = arg; 298 299 *status = 0; 300 return NL_SKIP; 301 } 302 303 static int ovpn_nl_cb_ack(struct nl_msg (*msg)__always_unused, 304 void *arg) 305 { 306 int *status = arg; 307 308 *status = 0; 309 return NL_STOP; 310 } 311 312 static int ovpn_nl_msg_send(struct nl_ctx *ctx, ovpn_nl_cb cb) 313 { 314 int status = 1; 315 316 nl_cb_err(ctx->nl_cb, NL_CB_CUSTOM, ovpn_nl_cb_error, &status); 317 nl_cb_set(ctx->nl_cb, NL_CB_FINISH, NL_CB_CUSTOM, ovpn_nl_cb_finish, 318 &status); 319 nl_cb_set(ctx->nl_cb, NL_CB_ACK, NL_CB_CUSTOM, ovpn_nl_cb_ack, &status); 320 321 if (cb) 322 nl_cb_set(ctx->nl_cb, NL_CB_VALID, NL_CB_CUSTOM, cb, ctx); 323 324 nl_send_auto_complete(ctx->nl_sock, ctx->nl_msg); 325 326 while (status == 1) 327 ovpn_nl_recvmsgs(ctx); 328 329 if (status < 0) 330 fprintf(stderr, "failed to send netlink message: %s (%d)\n", 331 strerror(-status), status); 332 333 return status; 334 } 335 336 static int ovpn_parse_key(const char *file, struct ovpn_ctx *ctx) 337 { 338 int idx_enc, idx_dec, ret = -1; 339 unsigned char *ckey = NULL; 340 __u8 *bkey = NULL; 341 size_t olen = 0; 342 long ckey_len; 343 FILE *fp; 344 345 fp = fopen(file, "r"); 346 if (!fp) { 347 fprintf(stderr, "cannot open: %s\n", file); 348 return -1; 349 } 350 351 /* get file size */ 352 fseek(fp, 0L, SEEK_END); 353 ckey_len = ftell(fp); 354 rewind(fp); 355 356 /* if the file is longer, let's just read a portion */ 357 if (ckey_len > 256) 358 ckey_len = 256; 359 360 ckey = malloc(ckey_len); 361 if (!ckey) 362 goto err; 363 364 ret = fread(ckey, 1, ckey_len, fp); 365 if (ret != ckey_len) { 366 fprintf(stderr, 367 "couldn't read enough data from key file: %dbytes read\n", 368 ret); 369 goto err; 370 } 371 372 olen = 0; 373 ret = mbedtls_base64_decode(NULL, 0, &olen, ckey, ckey_len); 374 if (ret != MBEDTLS_ERR_BASE64_BUFFER_TOO_SMALL) { 375 char buf[256]; 376 377 mbedtls_strerror(ret, buf, sizeof(buf)); 378 fprintf(stderr, "unexpected base64 error1: %s (%d)\n", buf, 379 ret); 380 381 goto err; 382 } 383 384 bkey = malloc(olen); 385 if (!bkey) { 386 fprintf(stderr, "cannot allocate binary key buffer\n"); 387 goto err; 388 } 389 390 ret = mbedtls_base64_decode(bkey, olen, &olen, ckey, ckey_len); 391 if (ret) { 392 char buf[256]; 393 394 mbedtls_strerror(ret, buf, sizeof(buf)); 395 fprintf(stderr, "unexpected base64 error2: %s (%d)\n", buf, 396 ret); 397 398 goto err; 399 } 400 401 if (olen < 2 * KEY_LEN + NONCE_LEN) { 402 fprintf(stderr, 403 "not enough data in key file, found %zdB but needs %dB\n", 404 olen, 2 * KEY_LEN + NONCE_LEN); 405 goto err; 406 } 407 408 switch (ctx->key_dir) { 409 case KEY_DIR_IN: 410 idx_enc = 0; 411 idx_dec = 1; 412 break; 413 case KEY_DIR_OUT: 414 idx_enc = 1; 415 idx_dec = 0; 416 break; 417 default: 418 goto err; 419 } 420 421 memcpy(ctx->key_enc, bkey + KEY_LEN * idx_enc, KEY_LEN); 422 memcpy(ctx->key_dec, bkey + KEY_LEN * idx_dec, KEY_LEN); 423 memcpy(ctx->nonce, bkey + 2 * KEY_LEN, NONCE_LEN); 424 425 ret = 0; 426 427 err: 428 fclose(fp); 429 free(bkey); 430 free(ckey); 431 432 return ret; 433 } 434 435 static int ovpn_parse_cipher(const char *cipher, struct ovpn_ctx *ctx) 436 { 437 if (strcmp(cipher, "aes") == 0) 438 ctx->cipher = OVPN_CIPHER_ALG_AES_GCM; 439 else if (strcmp(cipher, "chachapoly") == 0) 440 ctx->cipher = OVPN_CIPHER_ALG_CHACHA20_POLY1305; 441 else if (strcmp(cipher, "none") == 0) 442 ctx->cipher = OVPN_CIPHER_ALG_NONE; 443 else 444 return -ENOTSUP; 445 446 return 0; 447 } 448 449 static int ovpn_parse_key_direction(const char *dir, struct ovpn_ctx *ctx) 450 { 451 int in_dir; 452 453 in_dir = strtoll(dir, NULL, 10); 454 switch (in_dir) { 455 case KEY_DIR_IN: 456 case KEY_DIR_OUT: 457 ctx->key_dir = in_dir; 458 break; 459 default: 460 fprintf(stderr, 461 "invalid key direction provided. Can be 0 or 1 only\n"); 462 return -1; 463 } 464 465 return 0; 466 } 467 468 static int ovpn_socket(struct ovpn_ctx *ctx, sa_family_t family, int proto) 469 { 470 struct sockaddr_storage local_sock = { 0 }; 471 struct sockaddr_in6 *in6; 472 struct sockaddr_in *in; 473 int ret, s, sock_type; 474 size_t sock_len; 475 476 if (proto == IPPROTO_UDP) 477 sock_type = SOCK_DGRAM; 478 else if (proto == IPPROTO_TCP) 479 sock_type = SOCK_STREAM; 480 else 481 return -EINVAL; 482 483 s = socket(family, sock_type, 0); 484 if (s < 0) { 485 perror("cannot create socket"); 486 return -1; 487 } 488 489 switch (family) { 490 case AF_INET: 491 in = (struct sockaddr_in *)&local_sock; 492 in->sin_family = family; 493 in->sin_port = htons(ctx->lport); 494 in->sin_addr.s_addr = htonl(INADDR_ANY); 495 sock_len = sizeof(*in); 496 break; 497 case AF_INET6: 498 in6 = (struct sockaddr_in6 *)&local_sock; 499 in6->sin6_family = family; 500 in6->sin6_port = htons(ctx->lport); 501 in6->sin6_addr = in6addr_any; 502 sock_len = sizeof(*in6); 503 break; 504 default: 505 return -1; 506 } 507 508 int opt = 1; 509 510 ret = setsockopt(s, SOL_SOCKET, SO_REUSEADDR, &opt, sizeof(opt)); 511 512 if (ret < 0) { 513 perror("setsockopt for SO_REUSEADDR"); 514 return ret; 515 } 516 517 ret = setsockopt(s, SOL_SOCKET, SO_REUSEPORT, &opt, sizeof(opt)); 518 if (ret < 0) { 519 perror("setsockopt for SO_REUSEPORT"); 520 return ret; 521 } 522 523 if (family == AF_INET6) { 524 opt = 0; 525 if (setsockopt(s, IPPROTO_IPV6, IPV6_V6ONLY, &opt, 526 sizeof(opt))) { 527 perror("failed to set IPV6_V6ONLY"); 528 return -1; 529 } 530 } 531 532 ret = bind(s, (struct sockaddr *)&local_sock, sock_len); 533 if (ret < 0) { 534 perror("cannot bind socket"); 535 goto err_socket; 536 } 537 538 ctx->socket = s; 539 ctx->sa_family = family; 540 return 0; 541 542 err_socket: 543 close(s); 544 return -1; 545 } 546 547 static int ovpn_udp_socket(struct ovpn_ctx *ctx, sa_family_t family) 548 { 549 return ovpn_socket(ctx, family, IPPROTO_UDP); 550 } 551 552 static int ovpn_listen(struct ovpn_ctx *ctx, sa_family_t family) 553 { 554 int ret; 555 556 ret = ovpn_socket(ctx, family, IPPROTO_TCP); 557 if (ret < 0) 558 return ret; 559 560 ret = listen(ctx->socket, 10); 561 if (ret < 0) { 562 perror("listen"); 563 close(ctx->socket); 564 return -1; 565 } 566 567 return 0; 568 } 569 570 static int ovpn_accept(struct ovpn_ctx *ctx) 571 { 572 socklen_t socklen; 573 int ret; 574 575 socklen = sizeof(ctx->remote); 576 ret = accept(ctx->socket, (struct sockaddr *)&ctx->remote, &socklen); 577 if (ret < 0) { 578 perror("accept"); 579 goto err; 580 } 581 582 fprintf(stderr, "Connection received!\n"); 583 584 switch (socklen) { 585 case sizeof(struct sockaddr_in): 586 case sizeof(struct sockaddr_in6): 587 break; 588 default: 589 fprintf(stderr, "error: expecting IPv4 or IPv6 connection\n"); 590 close(ret); 591 ret = -EINVAL; 592 goto err; 593 } 594 595 return ret; 596 err: 597 close(ctx->socket); 598 return ret; 599 } 600 601 static int ovpn_connect(struct ovpn_ctx *ovpn) 602 { 603 socklen_t socklen; 604 int s, ret; 605 606 s = socket(ovpn->remote.in4.sin_family, SOCK_STREAM, 0); 607 if (s < 0) { 608 perror("cannot create socket"); 609 return -1; 610 } 611 612 switch (ovpn->remote.in4.sin_family) { 613 case AF_INET: 614 socklen = sizeof(struct sockaddr_in); 615 break; 616 case AF_INET6: 617 socklen = sizeof(struct sockaddr_in6); 618 break; 619 default: 620 return -EOPNOTSUPP; 621 } 622 623 ret = connect(s, (struct sockaddr *)&ovpn->remote, socklen); 624 if (ret < 0) { 625 perror("connect"); 626 goto err; 627 } 628 629 fprintf(stderr, "connected\n"); 630 631 ovpn->socket = s; 632 633 return 0; 634 err: 635 close(s); 636 return ret; 637 } 638 639 static int ovpn_new_peer(struct ovpn_ctx *ovpn, bool is_tcp) 640 { 641 struct nlattr *attr; 642 struct nl_ctx *ctx; 643 int ret = -1; 644 645 ctx = nl_ctx_alloc(ovpn, OVPN_CMD_PEER_NEW); 646 if (!ctx) 647 return -ENOMEM; 648 649 attr = nla_nest_start(ctx->nl_msg, OVPN_A_PEER); 650 NLA_PUT_U32(ctx->nl_msg, OVPN_A_PEER_ID, ovpn->peer_id); 651 NLA_PUT_U32(ctx->nl_msg, OVPN_A_PEER_SOCKET, ovpn->socket); 652 653 if (!is_tcp) { 654 switch (ovpn->remote.in4.sin_family) { 655 case AF_INET: 656 NLA_PUT_U32(ctx->nl_msg, OVPN_A_PEER_REMOTE_IPV4, 657 ovpn->remote.in4.sin_addr.s_addr); 658 NLA_PUT_U16(ctx->nl_msg, OVPN_A_PEER_REMOTE_PORT, 659 ovpn->remote.in4.sin_port); 660 break; 661 case AF_INET6: 662 NLA_PUT(ctx->nl_msg, OVPN_A_PEER_REMOTE_IPV6, 663 sizeof(ovpn->remote.in6.sin6_addr), 664 &ovpn->remote.in6.sin6_addr); 665 NLA_PUT_U32(ctx->nl_msg, 666 OVPN_A_PEER_REMOTE_IPV6_SCOPE_ID, 667 ovpn->remote.in6.sin6_scope_id); 668 NLA_PUT_U16(ctx->nl_msg, OVPN_A_PEER_REMOTE_PORT, 669 ovpn->remote.in6.sin6_port); 670 break; 671 default: 672 fprintf(stderr, 673 "Invalid family for remote socket address\n"); 674 goto nla_put_failure; 675 } 676 } 677 678 if (ovpn->peer_ip_set) { 679 switch (ovpn->peer_ip.in4.sin_family) { 680 case AF_INET: 681 NLA_PUT_U32(ctx->nl_msg, OVPN_A_PEER_VPN_IPV4, 682 ovpn->peer_ip.in4.sin_addr.s_addr); 683 break; 684 case AF_INET6: 685 NLA_PUT(ctx->nl_msg, OVPN_A_PEER_VPN_IPV6, 686 sizeof(struct in6_addr), 687 &ovpn->peer_ip.in6.sin6_addr); 688 break; 689 default: 690 fprintf(stderr, "Invalid family for peer address\n"); 691 goto nla_put_failure; 692 } 693 } 694 695 nla_nest_end(ctx->nl_msg, attr); 696 697 ret = ovpn_nl_msg_send(ctx, NULL); 698 nla_put_failure: 699 nl_ctx_free(ctx); 700 return ret; 701 } 702 703 static int ovpn_set_peer(struct ovpn_ctx *ovpn) 704 { 705 struct nlattr *attr; 706 struct nl_ctx *ctx; 707 int ret = -1; 708 709 ctx = nl_ctx_alloc(ovpn, OVPN_CMD_PEER_SET); 710 if (!ctx) 711 return -ENOMEM; 712 713 attr = nla_nest_start(ctx->nl_msg, OVPN_A_PEER); 714 NLA_PUT_U32(ctx->nl_msg, OVPN_A_PEER_ID, ovpn->peer_id); 715 NLA_PUT_U32(ctx->nl_msg, OVPN_A_PEER_KEEPALIVE_INTERVAL, 716 ovpn->keepalive_interval); 717 NLA_PUT_U32(ctx->nl_msg, OVPN_A_PEER_KEEPALIVE_TIMEOUT, 718 ovpn->keepalive_timeout); 719 nla_nest_end(ctx->nl_msg, attr); 720 721 ret = ovpn_nl_msg_send(ctx, NULL); 722 nla_put_failure: 723 nl_ctx_free(ctx); 724 return ret; 725 } 726 727 static int ovpn_del_peer(struct ovpn_ctx *ovpn) 728 { 729 struct nlattr *attr; 730 struct nl_ctx *ctx; 731 int ret = -1; 732 733 ctx = nl_ctx_alloc(ovpn, OVPN_CMD_PEER_DEL); 734 if (!ctx) 735 return -ENOMEM; 736 737 attr = nla_nest_start(ctx->nl_msg, OVPN_A_PEER); 738 NLA_PUT_U32(ctx->nl_msg, OVPN_A_PEER_ID, ovpn->peer_id); 739 nla_nest_end(ctx->nl_msg, attr); 740 741 ret = ovpn_nl_msg_send(ctx, NULL); 742 nla_put_failure: 743 nl_ctx_free(ctx); 744 return ret; 745 } 746 747 static int ovpn_handle_peer(struct nl_msg *msg, void (*arg)__always_unused) 748 { 749 struct nlattr *pattrs[OVPN_A_PEER_MAX + 1]; 750 struct genlmsghdr *gnlh = nlmsg_data(nlmsg_hdr(msg)); 751 struct nlattr *attrs[OVPN_A_MAX + 1]; 752 __u16 rport = 0, lport = 0; 753 754 nla_parse(attrs, OVPN_A_MAX, genlmsg_attrdata(gnlh, 0), 755 genlmsg_attrlen(gnlh, 0), NULL); 756 757 if (!attrs[OVPN_A_PEER]) { 758 fprintf(stderr, "no packet content in netlink message\n"); 759 return NL_SKIP; 760 } 761 762 nla_parse(pattrs, OVPN_A_PEER_MAX, nla_data(attrs[OVPN_A_PEER]), 763 nla_len(attrs[OVPN_A_PEER]), NULL); 764 765 if (pattrs[OVPN_A_PEER_ID]) 766 fprintf(stderr, "* Peer %u\n", 767 nla_get_u32(pattrs[OVPN_A_PEER_ID])); 768 769 if (pattrs[OVPN_A_PEER_SOCKET_NETNSID]) 770 fprintf(stderr, "\tsocket NetNS ID: %d\n", 771 nla_get_s32(pattrs[OVPN_A_PEER_SOCKET_NETNSID])); 772 773 if (pattrs[OVPN_A_PEER_VPN_IPV4]) { 774 char buf[INET_ADDRSTRLEN]; 775 776 inet_ntop(AF_INET, nla_data(pattrs[OVPN_A_PEER_VPN_IPV4]), 777 buf, sizeof(buf)); 778 fprintf(stderr, "\tVPN IPv4: %s\n", buf); 779 } 780 781 if (pattrs[OVPN_A_PEER_VPN_IPV6]) { 782 char buf[INET6_ADDRSTRLEN]; 783 784 inet_ntop(AF_INET6, nla_data(pattrs[OVPN_A_PEER_VPN_IPV6]), 785 buf, sizeof(buf)); 786 fprintf(stderr, "\tVPN IPv6: %s\n", buf); 787 } 788 789 if (pattrs[OVPN_A_PEER_LOCAL_PORT]) 790 lport = ntohs(nla_get_u16(pattrs[OVPN_A_PEER_LOCAL_PORT])); 791 792 if (pattrs[OVPN_A_PEER_REMOTE_PORT]) 793 rport = ntohs(nla_get_u16(pattrs[OVPN_A_PEER_REMOTE_PORT])); 794 795 if (pattrs[OVPN_A_PEER_REMOTE_IPV6]) { 796 void *ip = pattrs[OVPN_A_PEER_REMOTE_IPV6]; 797 char buf[INET6_ADDRSTRLEN]; 798 int scope_id = -1; 799 800 if (pattrs[OVPN_A_PEER_REMOTE_IPV6_SCOPE_ID]) { 801 void *p = pattrs[OVPN_A_PEER_REMOTE_IPV6_SCOPE_ID]; 802 803 scope_id = nla_get_u32(p); 804 } 805 806 inet_ntop(AF_INET6, nla_data(ip), buf, sizeof(buf)); 807 fprintf(stderr, "\tRemote: %s:%hu (scope-id: %u)\n", buf, rport, 808 scope_id); 809 810 if (pattrs[OVPN_A_PEER_LOCAL_IPV6]) { 811 void *ip = pattrs[OVPN_A_PEER_LOCAL_IPV6]; 812 813 inet_ntop(AF_INET6, nla_data(ip), buf, sizeof(buf)); 814 fprintf(stderr, "\tLocal: %s:%hu\n", buf, lport); 815 } 816 } 817 818 if (pattrs[OVPN_A_PEER_REMOTE_IPV4]) { 819 void *ip = pattrs[OVPN_A_PEER_REMOTE_IPV4]; 820 char buf[INET_ADDRSTRLEN]; 821 822 inet_ntop(AF_INET, nla_data(ip), buf, sizeof(buf)); 823 fprintf(stderr, "\tRemote: %s:%hu\n", buf, rport); 824 825 if (pattrs[OVPN_A_PEER_LOCAL_IPV4]) { 826 void *p = pattrs[OVPN_A_PEER_LOCAL_IPV4]; 827 828 inet_ntop(AF_INET, nla_data(p), buf, sizeof(buf)); 829 fprintf(stderr, "\tLocal: %s:%hu\n", buf, lport); 830 } 831 } 832 833 if (pattrs[OVPN_A_PEER_KEEPALIVE_INTERVAL]) { 834 void *p = pattrs[OVPN_A_PEER_KEEPALIVE_INTERVAL]; 835 836 fprintf(stderr, "\tKeepalive interval: %u sec\n", 837 nla_get_u32(p)); 838 } 839 840 if (pattrs[OVPN_A_PEER_KEEPALIVE_TIMEOUT]) 841 fprintf(stderr, "\tKeepalive timeout: %u sec\n", 842 nla_get_u32(pattrs[OVPN_A_PEER_KEEPALIVE_TIMEOUT])); 843 844 if (pattrs[OVPN_A_PEER_VPN_RX_BYTES]) 845 fprintf(stderr, "\tVPN RX bytes: %" PRIu64 "\n", 846 ovpn_nla_get_uint(pattrs[OVPN_A_PEER_VPN_RX_BYTES])); 847 848 if (pattrs[OVPN_A_PEER_VPN_TX_BYTES]) 849 fprintf(stderr, "\tVPN TX bytes: %" PRIu64 "\n", 850 ovpn_nla_get_uint(pattrs[OVPN_A_PEER_VPN_TX_BYTES])); 851 852 if (pattrs[OVPN_A_PEER_VPN_RX_PACKETS]) 853 fprintf(stderr, "\tVPN RX packets: %" PRIu64 "\n", 854 ovpn_nla_get_uint(pattrs[OVPN_A_PEER_VPN_RX_PACKETS])); 855 856 if (pattrs[OVPN_A_PEER_VPN_TX_PACKETS]) 857 fprintf(stderr, "\tVPN TX packets: %" PRIu64 "\n", 858 ovpn_nla_get_uint(pattrs[OVPN_A_PEER_VPN_TX_PACKETS])); 859 860 if (pattrs[OVPN_A_PEER_LINK_RX_BYTES]) 861 fprintf(stderr, "\tLINK RX bytes: %" PRIu64 "\n", 862 ovpn_nla_get_uint(pattrs[OVPN_A_PEER_LINK_RX_BYTES])); 863 864 if (pattrs[OVPN_A_PEER_LINK_TX_BYTES]) 865 fprintf(stderr, "\tLINK TX bytes: %" PRIu64 "\n", 866 ovpn_nla_get_uint(pattrs[OVPN_A_PEER_LINK_TX_BYTES])); 867 868 if (pattrs[OVPN_A_PEER_LINK_RX_PACKETS]) 869 fprintf(stderr, "\tLINK RX packets: %" PRIu64 "\n", 870 ovpn_nla_get_uint(pattrs[OVPN_A_PEER_LINK_RX_PACKETS])); 871 872 if (pattrs[OVPN_A_PEER_LINK_TX_PACKETS]) 873 fprintf(stderr, "\tLINK TX packets: %" PRIu64 "\n", 874 ovpn_nla_get_uint(pattrs[OVPN_A_PEER_LINK_TX_PACKETS])); 875 876 return NL_SKIP; 877 } 878 879 static int ovpn_get_peer(struct ovpn_ctx *ovpn) 880 { 881 int flags = 0, ret = -1; 882 struct nlattr *attr; 883 struct nl_ctx *ctx; 884 885 if (ovpn->peer_id == PEER_ID_UNDEF) 886 flags = NLM_F_DUMP; 887 888 ctx = nl_ctx_alloc_flags(ovpn, OVPN_CMD_PEER_GET, flags); 889 if (!ctx) 890 return -ENOMEM; 891 892 if (ovpn->peer_id != PEER_ID_UNDEF) { 893 attr = nla_nest_start(ctx->nl_msg, OVPN_A_PEER); 894 NLA_PUT_U32(ctx->nl_msg, OVPN_A_PEER_ID, ovpn->peer_id); 895 nla_nest_end(ctx->nl_msg, attr); 896 } 897 898 ret = ovpn_nl_msg_send(ctx, ovpn_handle_peer); 899 nla_put_failure: 900 nl_ctx_free(ctx); 901 return ret; 902 } 903 904 static int ovpn_new_key(struct ovpn_ctx *ovpn) 905 { 906 struct nlattr *keyconf, *key_dir; 907 struct nl_ctx *ctx; 908 int ret = -1; 909 910 ctx = nl_ctx_alloc(ovpn, OVPN_CMD_KEY_NEW); 911 if (!ctx) 912 return -ENOMEM; 913 914 keyconf = nla_nest_start(ctx->nl_msg, OVPN_A_KEYCONF); 915 NLA_PUT_U32(ctx->nl_msg, OVPN_A_KEYCONF_PEER_ID, ovpn->peer_id); 916 NLA_PUT_U32(ctx->nl_msg, OVPN_A_KEYCONF_SLOT, ovpn->key_slot); 917 NLA_PUT_U32(ctx->nl_msg, OVPN_A_KEYCONF_KEY_ID, ovpn->key_id); 918 NLA_PUT_U32(ctx->nl_msg, OVPN_A_KEYCONF_CIPHER_ALG, ovpn->cipher); 919 920 key_dir = nla_nest_start(ctx->nl_msg, OVPN_A_KEYCONF_ENCRYPT_DIR); 921 NLA_PUT(ctx->nl_msg, OVPN_A_KEYDIR_CIPHER_KEY, KEY_LEN, ovpn->key_enc); 922 NLA_PUT(ctx->nl_msg, OVPN_A_KEYDIR_NONCE_TAIL, NONCE_LEN, ovpn->nonce); 923 nla_nest_end(ctx->nl_msg, key_dir); 924 925 key_dir = nla_nest_start(ctx->nl_msg, OVPN_A_KEYCONF_DECRYPT_DIR); 926 NLA_PUT(ctx->nl_msg, OVPN_A_KEYDIR_CIPHER_KEY, KEY_LEN, ovpn->key_dec); 927 NLA_PUT(ctx->nl_msg, OVPN_A_KEYDIR_NONCE_TAIL, NONCE_LEN, ovpn->nonce); 928 nla_nest_end(ctx->nl_msg, key_dir); 929 930 nla_nest_end(ctx->nl_msg, keyconf); 931 932 ret = ovpn_nl_msg_send(ctx, NULL); 933 nla_put_failure: 934 nl_ctx_free(ctx); 935 return ret; 936 } 937 938 static int ovpn_del_key(struct ovpn_ctx *ovpn) 939 { 940 struct nlattr *keyconf; 941 struct nl_ctx *ctx; 942 int ret = -1; 943 944 ctx = nl_ctx_alloc(ovpn, OVPN_CMD_KEY_DEL); 945 if (!ctx) 946 return -ENOMEM; 947 948 keyconf = nla_nest_start(ctx->nl_msg, OVPN_A_KEYCONF); 949 NLA_PUT_U32(ctx->nl_msg, OVPN_A_KEYCONF_PEER_ID, ovpn->peer_id); 950 NLA_PUT_U32(ctx->nl_msg, OVPN_A_KEYCONF_SLOT, ovpn->key_slot); 951 nla_nest_end(ctx->nl_msg, keyconf); 952 953 ret = ovpn_nl_msg_send(ctx, NULL); 954 nla_put_failure: 955 nl_ctx_free(ctx); 956 return ret; 957 } 958 959 static int ovpn_handle_key(struct nl_msg *msg, void (*arg)__always_unused) 960 { 961 struct nlattr *kattrs[OVPN_A_KEYCONF_MAX + 1]; 962 struct genlmsghdr *gnlh = nlmsg_data(nlmsg_hdr(msg)); 963 struct nlattr *attrs[OVPN_A_MAX + 1]; 964 965 nla_parse(attrs, OVPN_A_MAX, genlmsg_attrdata(gnlh, 0), 966 genlmsg_attrlen(gnlh, 0), NULL); 967 968 if (!attrs[OVPN_A_KEYCONF]) { 969 fprintf(stderr, "no packet content in netlink message\n"); 970 return NL_SKIP; 971 } 972 973 nla_parse(kattrs, OVPN_A_KEYCONF_MAX, nla_data(attrs[OVPN_A_KEYCONF]), 974 nla_len(attrs[OVPN_A_KEYCONF]), NULL); 975 976 if (kattrs[OVPN_A_KEYCONF_PEER_ID]) 977 fprintf(stderr, "* Peer %u\n", 978 nla_get_u32(kattrs[OVPN_A_KEYCONF_PEER_ID])); 979 if (kattrs[OVPN_A_KEYCONF_SLOT]) { 980 fprintf(stderr, "\t- Slot: "); 981 switch (nla_get_u32(kattrs[OVPN_A_KEYCONF_SLOT])) { 982 case OVPN_KEY_SLOT_PRIMARY: 983 fprintf(stderr, "primary\n"); 984 break; 985 case OVPN_KEY_SLOT_SECONDARY: 986 fprintf(stderr, "secondary\n"); 987 break; 988 default: 989 fprintf(stderr, "invalid (%u)\n", 990 nla_get_u32(kattrs[OVPN_A_KEYCONF_SLOT])); 991 break; 992 } 993 } 994 if (kattrs[OVPN_A_KEYCONF_KEY_ID]) 995 fprintf(stderr, "\t- Key ID: %u\n", 996 nla_get_u32(kattrs[OVPN_A_KEYCONF_KEY_ID])); 997 if (kattrs[OVPN_A_KEYCONF_CIPHER_ALG]) { 998 fprintf(stderr, "\t- Cipher: "); 999 switch (nla_get_u32(kattrs[OVPN_A_KEYCONF_CIPHER_ALG])) { 1000 case OVPN_CIPHER_ALG_NONE: 1001 fprintf(stderr, "none\n"); 1002 break; 1003 case OVPN_CIPHER_ALG_AES_GCM: 1004 fprintf(stderr, "aes-gcm\n"); 1005 break; 1006 case OVPN_CIPHER_ALG_CHACHA20_POLY1305: 1007 fprintf(stderr, "chacha20poly1305\n"); 1008 break; 1009 default: 1010 fprintf(stderr, "invalid (%u)\n", 1011 nla_get_u32(kattrs[OVPN_A_KEYCONF_CIPHER_ALG])); 1012 break; 1013 } 1014 } 1015 1016 return NL_SKIP; 1017 } 1018 1019 static int ovpn_get_key(struct ovpn_ctx *ovpn) 1020 { 1021 struct nlattr *keyconf; 1022 struct nl_ctx *ctx; 1023 int ret = -1; 1024 1025 ctx = nl_ctx_alloc(ovpn, OVPN_CMD_KEY_GET); 1026 if (!ctx) 1027 return -ENOMEM; 1028 1029 keyconf = nla_nest_start(ctx->nl_msg, OVPN_A_KEYCONF); 1030 NLA_PUT_U32(ctx->nl_msg, OVPN_A_KEYCONF_PEER_ID, ovpn->peer_id); 1031 NLA_PUT_U32(ctx->nl_msg, OVPN_A_KEYCONF_SLOT, ovpn->key_slot); 1032 nla_nest_end(ctx->nl_msg, keyconf); 1033 1034 ret = ovpn_nl_msg_send(ctx, ovpn_handle_key); 1035 nla_put_failure: 1036 nl_ctx_free(ctx); 1037 return ret; 1038 } 1039 1040 static int ovpn_swap_keys(struct ovpn_ctx *ovpn) 1041 { 1042 struct nl_ctx *ctx; 1043 struct nlattr *kc; 1044 int ret = -1; 1045 1046 ctx = nl_ctx_alloc(ovpn, OVPN_CMD_KEY_SWAP); 1047 if (!ctx) 1048 return -ENOMEM; 1049 1050 kc = nla_nest_start(ctx->nl_msg, OVPN_A_KEYCONF); 1051 NLA_PUT_U32(ctx->nl_msg, OVPN_A_KEYCONF_PEER_ID, ovpn->peer_id); 1052 nla_nest_end(ctx->nl_msg, kc); 1053 1054 ret = ovpn_nl_msg_send(ctx, NULL); 1055 nla_put_failure: 1056 nl_ctx_free(ctx); 1057 return ret; 1058 } 1059 1060 /* Helper function used to easily add attributes to a rtnl message */ 1061 static int ovpn_addattr(struct nlmsghdr *n, int maxlen, int type, 1062 const void *data, int alen) 1063 { 1064 int len = RTA_LENGTH(alen); 1065 struct rtattr *rta; 1066 1067 if ((int)(NLMSG_ALIGN(n->nlmsg_len) + RTA_ALIGN(len)) > maxlen) { 1068 fprintf(stderr, "%s: rtnl: message exceeded bound of %d\n", 1069 __func__, maxlen); 1070 return -EMSGSIZE; 1071 } 1072 1073 rta = nlmsg_tail(n); 1074 rta->rta_type = type; 1075 rta->rta_len = len; 1076 1077 if (!data) 1078 memset(RTA_DATA(rta), 0, alen); 1079 else 1080 memcpy(RTA_DATA(rta), data, alen); 1081 1082 n->nlmsg_len = NLMSG_ALIGN(n->nlmsg_len) + RTA_ALIGN(len); 1083 1084 return 0; 1085 } 1086 1087 static struct rtattr *ovpn_nest_start(struct nlmsghdr *msg, size_t max_size, 1088 int attr) 1089 { 1090 struct rtattr *nest = nlmsg_tail(msg); 1091 1092 if (ovpn_addattr(msg, max_size, attr, NULL, 0) < 0) 1093 return NULL; 1094 1095 return nest; 1096 } 1097 1098 static void ovpn_nest_end(struct nlmsghdr *msg, struct rtattr *nest) 1099 { 1100 nest->rta_len = (uint8_t *)nlmsg_tail(msg) - (uint8_t *)nest; 1101 } 1102 1103 #define RT_SNDBUF_SIZE (1024 * 2) 1104 #define RT_RCVBUF_SIZE (1024 * 4) 1105 1106 /* Open RTNL socket */ 1107 static int ovpn_rt_socket(void) 1108 { 1109 int sndbuf = RT_SNDBUF_SIZE, rcvbuf = RT_RCVBUF_SIZE, fd; 1110 1111 fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE); 1112 if (fd < 0) { 1113 fprintf(stderr, "%s: cannot open netlink socket\n", __func__); 1114 return fd; 1115 } 1116 1117 if (setsockopt(fd, SOL_SOCKET, SO_SNDBUF, &sndbuf, 1118 sizeof(sndbuf)) < 0) { 1119 fprintf(stderr, "%s: SO_SNDBUF\n", __func__); 1120 close(fd); 1121 return -1; 1122 } 1123 1124 if (setsockopt(fd, SOL_SOCKET, SO_RCVBUF, &rcvbuf, 1125 sizeof(rcvbuf)) < 0) { 1126 fprintf(stderr, "%s: SO_RCVBUF\n", __func__); 1127 close(fd); 1128 return -1; 1129 } 1130 1131 return fd; 1132 } 1133 1134 /* Bind socket to Netlink subsystem */ 1135 static int ovpn_rt_bind(int fd, uint32_t groups) 1136 { 1137 struct sockaddr_nl local = { 0 }; 1138 socklen_t addr_len; 1139 1140 local.nl_family = AF_NETLINK; 1141 local.nl_groups = groups; 1142 1143 if (bind(fd, (struct sockaddr *)&local, sizeof(local)) < 0) { 1144 fprintf(stderr, "%s: cannot bind netlink socket: %d\n", 1145 __func__, errno); 1146 return -errno; 1147 } 1148 1149 addr_len = sizeof(local); 1150 if (getsockname(fd, (struct sockaddr *)&local, &addr_len) < 0) { 1151 fprintf(stderr, "%s: cannot getsockname: %d\n", __func__, 1152 errno); 1153 return -errno; 1154 } 1155 1156 if (addr_len != sizeof(local)) { 1157 fprintf(stderr, "%s: wrong address length %d\n", __func__, 1158 addr_len); 1159 return -EINVAL; 1160 } 1161 1162 if (local.nl_family != AF_NETLINK) { 1163 fprintf(stderr, "%s: wrong address family %d\n", __func__, 1164 local.nl_family); 1165 return -EINVAL; 1166 } 1167 1168 return 0; 1169 } 1170 1171 typedef int (*ovpn_parse_reply_cb)(struct nlmsghdr *msg, void *arg); 1172 1173 /* Send Netlink message and run callback on reply (if specified) */ 1174 static int ovpn_rt_send(struct nlmsghdr *payload, pid_t peer, 1175 unsigned int groups, ovpn_parse_reply_cb cb, 1176 void *arg_cb) 1177 { 1178 int len, rem_len, fd, ret, rcv_len; 1179 struct sockaddr_nl nladdr = { 0 }; 1180 struct nlmsgerr *err; 1181 struct nlmsghdr *h; 1182 char buf[1024 * 16]; 1183 struct iovec iov = { 1184 .iov_base = payload, 1185 .iov_len = payload->nlmsg_len, 1186 }; 1187 struct msghdr nlmsg = { 1188 .msg_name = &nladdr, 1189 .msg_namelen = sizeof(nladdr), 1190 .msg_iov = &iov, 1191 .msg_iovlen = 1, 1192 }; 1193 1194 nladdr.nl_family = AF_NETLINK; 1195 nladdr.nl_pid = peer; 1196 nladdr.nl_groups = groups; 1197 1198 payload->nlmsg_seq = time(NULL); 1199 1200 /* no need to send reply */ 1201 if (!cb) 1202 payload->nlmsg_flags |= NLM_F_ACK; 1203 1204 fd = ovpn_rt_socket(); 1205 if (fd < 0) { 1206 fprintf(stderr, "%s: can't open rtnl socket\n", __func__); 1207 return -errno; 1208 } 1209 1210 ret = ovpn_rt_bind(fd, 0); 1211 if (ret < 0) { 1212 fprintf(stderr, "%s: can't bind rtnl socket\n", __func__); 1213 ret = -errno; 1214 goto out; 1215 } 1216 1217 ret = sendmsg(fd, &nlmsg, 0); 1218 if (ret < 0) { 1219 fprintf(stderr, "%s: rtnl: error on sendmsg()\n", __func__); 1220 ret = -errno; 1221 goto out; 1222 } 1223 1224 /* prepare buffer to store RTNL replies */ 1225 memset(buf, 0, sizeof(buf)); 1226 iov.iov_base = buf; 1227 1228 while (1) { 1229 /* 1230 * iov_len is modified by recvmsg(), therefore has to be initialized before 1231 * using it again 1232 */ 1233 iov.iov_len = sizeof(buf); 1234 rcv_len = recvmsg(fd, &nlmsg, 0); 1235 if (rcv_len < 0) { 1236 if (errno == EINTR || errno == EAGAIN) { 1237 fprintf(stderr, "%s: interrupted call\n", 1238 __func__); 1239 continue; 1240 } 1241 fprintf(stderr, "%s: rtnl: error on recvmsg()\n", 1242 __func__); 1243 ret = -errno; 1244 goto out; 1245 } 1246 1247 if (rcv_len == 0) { 1248 fprintf(stderr, 1249 "%s: rtnl: socket reached unexpected EOF\n", 1250 __func__); 1251 ret = -EIO; 1252 goto out; 1253 } 1254 1255 if (nlmsg.msg_namelen != sizeof(nladdr)) { 1256 fprintf(stderr, 1257 "%s: sender address length: %u (expected %zu)\n", 1258 __func__, nlmsg.msg_namelen, sizeof(nladdr)); 1259 ret = -EIO; 1260 goto out; 1261 } 1262 1263 h = (struct nlmsghdr *)buf; 1264 while (rcv_len >= (int)sizeof(*h)) { 1265 len = h->nlmsg_len; 1266 rem_len = len - sizeof(*h); 1267 1268 if (rem_len < 0 || len > rcv_len) { 1269 if (nlmsg.msg_flags & MSG_TRUNC) { 1270 fprintf(stderr, "%s: truncated message\n", 1271 __func__); 1272 ret = -EIO; 1273 goto out; 1274 } 1275 fprintf(stderr, "%s: malformed message: len=%d\n", 1276 __func__, len); 1277 ret = -EIO; 1278 goto out; 1279 } 1280 1281 if (h->nlmsg_type == NLMSG_DONE) { 1282 ret = 0; 1283 goto out; 1284 } 1285 1286 if (h->nlmsg_type == NLMSG_ERROR) { 1287 err = (struct nlmsgerr *)NLMSG_DATA(h); 1288 if (rem_len < (int)sizeof(struct nlmsgerr)) { 1289 fprintf(stderr, "%s: ERROR truncated\n", 1290 __func__); 1291 ret = -EIO; 1292 goto out; 1293 } 1294 1295 if (err->error) { 1296 fprintf(stderr, "%s: (%d) %s\n", 1297 __func__, err->error, 1298 strerror(-err->error)); 1299 ret = err->error; 1300 goto out; 1301 } 1302 1303 ret = 0; 1304 if (cb) { 1305 int r = cb(h, arg_cb); 1306 1307 if (r <= 0) 1308 ret = r; 1309 } 1310 goto out; 1311 } 1312 1313 if (cb) { 1314 int r = cb(h, arg_cb); 1315 1316 if (r <= 0) { 1317 ret = r; 1318 goto out; 1319 } 1320 } else { 1321 fprintf(stderr, "%s: RTNL: unexpected reply\n", 1322 __func__); 1323 } 1324 1325 rcv_len -= NLMSG_ALIGN(len); 1326 h = (struct nlmsghdr *)((uint8_t *)h + 1327 NLMSG_ALIGN(len)); 1328 } 1329 1330 if (nlmsg.msg_flags & MSG_TRUNC) { 1331 fprintf(stderr, "%s: message truncated\n", __func__); 1332 continue; 1333 } 1334 1335 if (rcv_len) { 1336 fprintf(stderr, "%s: rtnl: %d not parsed bytes\n", 1337 __func__, rcv_len); 1338 ret = -1; 1339 goto out; 1340 } 1341 } 1342 out: 1343 close(fd); 1344 1345 return ret; 1346 } 1347 1348 struct ovpn_link_req { 1349 struct nlmsghdr n; 1350 struct ifinfomsg i; 1351 char buf[256]; 1352 }; 1353 1354 static int ovpn_new_iface(struct ovpn_ctx *ovpn) 1355 { 1356 struct rtattr *linkinfo, *data; 1357 struct ovpn_link_req req = { 0 }; 1358 int ret = -1; 1359 1360 fprintf(stdout, "Creating interface %s with mode %u\n", ovpn->ifname, 1361 ovpn->mode); 1362 1363 req.n.nlmsg_len = NLMSG_LENGTH(sizeof(req.i)); 1364 req.n.nlmsg_flags = NLM_F_REQUEST | NLM_F_CREATE | NLM_F_EXCL; 1365 req.n.nlmsg_type = RTM_NEWLINK; 1366 1367 if (ovpn_addattr(&req.n, sizeof(req), IFLA_IFNAME, ovpn->ifname, 1368 strlen(ovpn->ifname) + 1) < 0) 1369 goto err; 1370 1371 linkinfo = ovpn_nest_start(&req.n, sizeof(req), IFLA_LINKINFO); 1372 if (!linkinfo) 1373 goto err; 1374 1375 if (ovpn_addattr(&req.n, sizeof(req), IFLA_INFO_KIND, OVPN_FAMILY_NAME, 1376 strlen(OVPN_FAMILY_NAME) + 1) < 0) 1377 goto err; 1378 1379 if (ovpn->mode_set) { 1380 data = ovpn_nest_start(&req.n, sizeof(req), IFLA_INFO_DATA); 1381 if (!data) 1382 goto err; 1383 1384 if (ovpn_addattr(&req.n, sizeof(req), IFLA_OVPN_MODE, 1385 &ovpn->mode, sizeof(uint8_t)) < 0) 1386 goto err; 1387 1388 ovpn_nest_end(&req.n, data); 1389 } 1390 1391 ovpn_nest_end(&req.n, linkinfo); 1392 1393 req.i.ifi_family = AF_PACKET; 1394 1395 ret = ovpn_rt_send(&req.n, 0, 0, NULL, NULL); 1396 err: 1397 return ret; 1398 } 1399 1400 static int ovpn_del_iface(struct ovpn_ctx *ovpn) 1401 { 1402 struct ovpn_link_req req = { 0 }; 1403 1404 fprintf(stdout, "Deleting interface %s ifindex %u\n", ovpn->ifname, 1405 ovpn->ifindex); 1406 1407 req.n.nlmsg_len = NLMSG_LENGTH(sizeof(req.i)); 1408 req.n.nlmsg_flags = NLM_F_REQUEST; 1409 req.n.nlmsg_type = RTM_DELLINK; 1410 1411 req.i.ifi_family = AF_PACKET; 1412 req.i.ifi_index = ovpn->ifindex; 1413 1414 return ovpn_rt_send(&req.n, 0, 0, NULL, NULL); 1415 } 1416 1417 static int nl_seq_check(struct nl_msg (*msg)__always_unused, 1418 void (*arg)__always_unused) 1419 { 1420 return NL_OK; 1421 } 1422 1423 struct mcast_handler_args { 1424 const char *group; 1425 int id; 1426 }; 1427 1428 static int mcast_family_handler(struct nl_msg *msg, void *arg) 1429 { 1430 struct mcast_handler_args *grp = arg; 1431 struct nlattr *tb[CTRL_ATTR_MAX + 1]; 1432 struct genlmsghdr *gnlh = nlmsg_data(nlmsg_hdr(msg)); 1433 struct nlattr *mcgrp; 1434 int rem_mcgrp; 1435 1436 nla_parse(tb, CTRL_ATTR_MAX, genlmsg_attrdata(gnlh, 0), 1437 genlmsg_attrlen(gnlh, 0), NULL); 1438 1439 if (!tb[CTRL_ATTR_MCAST_GROUPS]) 1440 return NL_SKIP; 1441 1442 nla_for_each_nested(mcgrp, tb[CTRL_ATTR_MCAST_GROUPS], rem_mcgrp) { 1443 struct nlattr *tb_mcgrp[CTRL_ATTR_MCAST_GRP_MAX + 1]; 1444 1445 nla_parse(tb_mcgrp, CTRL_ATTR_MCAST_GRP_MAX, 1446 nla_data(mcgrp), nla_len(mcgrp), NULL); 1447 1448 if (!tb_mcgrp[CTRL_ATTR_MCAST_GRP_NAME] || 1449 !tb_mcgrp[CTRL_ATTR_MCAST_GRP_ID]) 1450 continue; 1451 if (strncmp(nla_data(tb_mcgrp[CTRL_ATTR_MCAST_GRP_NAME]), 1452 grp->group, nla_len(tb_mcgrp[CTRL_ATTR_MCAST_GRP_NAME]))) 1453 continue; 1454 grp->id = nla_get_u32(tb_mcgrp[CTRL_ATTR_MCAST_GRP_ID]); 1455 break; 1456 } 1457 1458 return NL_SKIP; 1459 } 1460 1461 static int mcast_error_handler(struct sockaddr_nl (*nla)__always_unused, 1462 struct nlmsgerr *err, void *arg) 1463 { 1464 int *ret = arg; 1465 1466 *ret = err->error; 1467 return NL_STOP; 1468 } 1469 1470 static int mcast_ack_handler(struct nl_msg (*msg)__always_unused, void *arg) 1471 { 1472 int *ret = arg; 1473 1474 *ret = 0; 1475 return NL_STOP; 1476 } 1477 1478 static int ovpn_handle_msg(struct nl_msg *msg, void *arg) 1479 { 1480 struct genlmsghdr *gnlh = nlmsg_data(nlmsg_hdr(msg)); 1481 struct nlattr *attrs[OVPN_A_MAX + 1]; 1482 struct nlmsghdr *nlh = nlmsg_hdr(msg); 1483 char ifname[IF_NAMESIZE]; 1484 int *ret = arg; 1485 __u32 ifindex; 1486 1487 fprintf(stderr, "received message from ovpn-dco\n"); 1488 1489 *ret = -1; 1490 1491 if (!genlmsg_valid_hdr(nlh, 0)) { 1492 fprintf(stderr, "invalid header\n"); 1493 return NL_STOP; 1494 } 1495 1496 if (nla_parse(attrs, OVPN_A_MAX, genlmsg_attrdata(gnlh, 0), 1497 genlmsg_attrlen(gnlh, 0), NULL)) { 1498 fprintf(stderr, "received bogus data from ovpn-dco\n"); 1499 return NL_STOP; 1500 } 1501 1502 if (!attrs[OVPN_A_IFINDEX]) { 1503 fprintf(stderr, "no ifindex in this message\n"); 1504 return NL_STOP; 1505 } 1506 1507 ifindex = nla_get_u32(attrs[OVPN_A_IFINDEX]); 1508 if (!if_indextoname(ifindex, ifname)) { 1509 fprintf(stderr, "cannot resolve ifname for ifindex: %u\n", 1510 ifindex); 1511 return NL_STOP; 1512 } 1513 1514 switch (gnlh->cmd) { 1515 case OVPN_CMD_PEER_DEL_NTF: 1516 fprintf(stdout, "received CMD_PEER_DEL_NTF\n"); 1517 break; 1518 case OVPN_CMD_KEY_SWAP_NTF: 1519 fprintf(stdout, "received CMD_KEY_SWAP_NTF\n"); 1520 break; 1521 default: 1522 fprintf(stderr, "received unknown command: %d\n", gnlh->cmd); 1523 return NL_STOP; 1524 } 1525 1526 *ret = 0; 1527 return NL_OK; 1528 } 1529 1530 static int ovpn_get_mcast_id(struct nl_sock *sock, const char *family, 1531 const char *group) 1532 { 1533 struct nl_msg *msg; 1534 struct nl_cb *cb; 1535 int ret, ctrlid; 1536 struct mcast_handler_args grp = { 1537 .group = group, 1538 .id = -ENOENT, 1539 }; 1540 1541 msg = nlmsg_alloc(); 1542 if (!msg) 1543 return -ENOMEM; 1544 1545 cb = nl_cb_alloc(NL_CB_DEFAULT); 1546 if (!cb) { 1547 ret = -ENOMEM; 1548 goto out_fail_cb; 1549 } 1550 1551 ctrlid = genl_ctrl_resolve(sock, "nlctrl"); 1552 1553 genlmsg_put(msg, 0, 0, ctrlid, 0, 0, CTRL_CMD_GETFAMILY, 0); 1554 1555 ret = -ENOBUFS; 1556 NLA_PUT_STRING(msg, CTRL_ATTR_FAMILY_NAME, family); 1557 1558 ret = nl_send_auto_complete(sock, msg); 1559 if (ret < 0) 1560 goto nla_put_failure; 1561 1562 ret = 1; 1563 1564 nl_cb_err(cb, NL_CB_CUSTOM, mcast_error_handler, &ret); 1565 nl_cb_set(cb, NL_CB_ACK, NL_CB_CUSTOM, mcast_ack_handler, &ret); 1566 nl_cb_set(cb, NL_CB_VALID, NL_CB_CUSTOM, mcast_family_handler, &grp); 1567 1568 while (ret > 0) 1569 nl_recvmsgs(sock, cb); 1570 1571 if (ret == 0) 1572 ret = grp.id; 1573 nla_put_failure: 1574 nl_cb_put(cb); 1575 out_fail_cb: 1576 nlmsg_free(msg); 1577 return ret; 1578 } 1579 1580 static int ovpn_listen_mcast(void) 1581 { 1582 struct nl_sock *sock; 1583 struct nl_cb *cb; 1584 int mcid, ret; 1585 1586 sock = nl_socket_alloc(); 1587 if (!sock) { 1588 fprintf(stderr, "cannot allocate netlink socket\n"); 1589 goto err_free; 1590 } 1591 1592 nl_socket_set_buffer_size(sock, 8192, 8192); 1593 1594 ret = genl_connect(sock); 1595 if (ret < 0) { 1596 fprintf(stderr, "cannot connect to generic netlink: %s\n", 1597 nl_geterror(ret)); 1598 goto err_free; 1599 } 1600 1601 mcid = ovpn_get_mcast_id(sock, OVPN_FAMILY_NAME, OVPN_MCGRP_PEERS); 1602 if (mcid < 0) { 1603 fprintf(stderr, "cannot get mcast group: %s\n", 1604 nl_geterror(mcid)); 1605 goto err_free; 1606 } 1607 1608 ret = nl_socket_add_membership(sock, mcid); 1609 if (ret) { 1610 fprintf(stderr, "failed to join mcast group: %d\n", ret); 1611 goto err_free; 1612 } 1613 1614 ret = 1; 1615 cb = nl_cb_alloc(NL_CB_DEFAULT); 1616 nl_cb_set(cb, NL_CB_SEQ_CHECK, NL_CB_CUSTOM, nl_seq_check, NULL); 1617 nl_cb_set(cb, NL_CB_VALID, NL_CB_CUSTOM, ovpn_handle_msg, &ret); 1618 nl_cb_err(cb, NL_CB_CUSTOM, ovpn_nl_cb_error, &ret); 1619 1620 while (ret == 1) { 1621 int err = nl_recvmsgs(sock, cb); 1622 1623 if (err < 0) { 1624 fprintf(stderr, 1625 "cannot receive netlink message: (%d) %s\n", 1626 err, nl_geterror(-err)); 1627 ret = -1; 1628 break; 1629 } 1630 } 1631 1632 nl_cb_put(cb); 1633 err_free: 1634 nl_socket_free(sock); 1635 return ret; 1636 } 1637 1638 static void usage(const char *cmd) 1639 { 1640 fprintf(stderr, 1641 "Usage %s <command> <iface> [arguments..]\n", 1642 cmd); 1643 fprintf(stderr, "where <command> can be one of the following\n\n"); 1644 1645 fprintf(stderr, "* new_iface <iface> [mode]: create new ovpn interface\n"); 1646 fprintf(stderr, "\tiface: ovpn interface name\n"); 1647 fprintf(stderr, "\tmode:\n"); 1648 fprintf(stderr, "\t\t- P2P for peer-to-peer mode (i.e. client)\n"); 1649 fprintf(stderr, "\t\t- MP for multi-peer mode (i.e. server)\n"); 1650 1651 fprintf(stderr, "* del_iface <iface>: delete ovpn interface\n"); 1652 fprintf(stderr, "\tiface: ovpn interface name\n"); 1653 1654 fprintf(stderr, 1655 "* listen <iface> <lport> <peers_file> [ipv6]: listen for incoming peer TCP connections\n"); 1656 fprintf(stderr, "\tiface: ovpn interface name\n"); 1657 fprintf(stderr, "\tlport: TCP port to listen to\n"); 1658 fprintf(stderr, 1659 "\tpeers_file: file containing one peer per line: Line format:\n"); 1660 fprintf(stderr, "\t\t<peer_id> <vpnaddr>\n"); 1661 fprintf(stderr, 1662 "\tipv6: whether the socket should listen to the IPv6 wildcard address\n"); 1663 1664 fprintf(stderr, 1665 "* connect <iface> <peer_id> <raddr> <rport> [key_file]: start connecting peer of TCP-based VPN session\n"); 1666 fprintf(stderr, "\tiface: ovpn interface name\n"); 1667 fprintf(stderr, "\tpeer_id: peer ID of the connecting peer\n"); 1668 fprintf(stderr, "\traddr: peer IP address to connect to\n"); 1669 fprintf(stderr, "\trport: peer TCP port to connect to\n"); 1670 fprintf(stderr, 1671 "\tkey_file: file containing the symmetric key for encryption\n"); 1672 1673 fprintf(stderr, 1674 "* new_peer <iface> <peer_id> <lport> <raddr> <rport> [vpnaddr]: add new peer\n"); 1675 fprintf(stderr, "\tiface: ovpn interface name\n"); 1676 fprintf(stderr, "\tlport: local UDP port to bind to\n"); 1677 fprintf(stderr, 1678 "\tpeer_id: peer ID to be used in data packets to/from this peer\n"); 1679 fprintf(stderr, "\traddr: peer IP address\n"); 1680 fprintf(stderr, "\trport: peer UDP port\n"); 1681 fprintf(stderr, "\tvpnaddr: peer VPN IP\n"); 1682 1683 fprintf(stderr, 1684 "* new_multi_peer <iface> <lport> <peers_file>: add multiple peers as listed in the file\n"); 1685 fprintf(stderr, "\tiface: ovpn interface name\n"); 1686 fprintf(stderr, "\tlport: local UDP port to bind to\n"); 1687 fprintf(stderr, 1688 "\tpeers_file: text file containing one peer per line. Line format:\n"); 1689 fprintf(stderr, "\t\t<peer_id> <raddr> <rport> <vpnaddr>\n"); 1690 1691 fprintf(stderr, 1692 "* set_peer <iface> <peer_id> <keepalive_interval> <keepalive_timeout>: set peer attributes\n"); 1693 fprintf(stderr, "\tiface: ovpn interface name\n"); 1694 fprintf(stderr, "\tpeer_id: peer ID of the peer to modify\n"); 1695 fprintf(stderr, 1696 "\tkeepalive_interval: interval for sending ping messages\n"); 1697 fprintf(stderr, 1698 "\tkeepalive_timeout: time after which a peer is timed out\n"); 1699 1700 fprintf(stderr, "* del_peer <iface> <peer_id>: delete peer\n"); 1701 fprintf(stderr, "\tiface: ovpn interface name\n"); 1702 fprintf(stderr, "\tpeer_id: peer ID of the peer to delete\n"); 1703 1704 fprintf(stderr, "* get_peer <iface> [peer_id]: retrieve peer(s) status\n"); 1705 fprintf(stderr, "\tiface: ovpn interface name\n"); 1706 fprintf(stderr, 1707 "\tpeer_id: peer ID of the peer to query. All peers are returned if omitted\n"); 1708 1709 fprintf(stderr, 1710 "* new_key <iface> <peer_id> <slot> <key_id> <cipher> <key_dir> <key_file>: set data channel key\n"); 1711 fprintf(stderr, "\tiface: ovpn interface name\n"); 1712 fprintf(stderr, 1713 "\tpeer_id: peer ID of the peer to configure the key for\n"); 1714 fprintf(stderr, "\tslot: either 1 (primary) or 2 (secondary)\n"); 1715 fprintf(stderr, "\tkey_id: an ID from 0 to 7\n"); 1716 fprintf(stderr, 1717 "\tcipher: cipher to use, supported: aes (AES-GCM), chachapoly (CHACHA20POLY1305)\n"); 1718 fprintf(stderr, 1719 "\tkey_dir: key direction, must 0 on one host and 1 on the other\n"); 1720 fprintf(stderr, "\tkey_file: file containing the pre-shared key\n"); 1721 1722 fprintf(stderr, 1723 "* del_key <iface> <peer_id> [slot]: erase existing data channel key\n"); 1724 fprintf(stderr, "\tiface: ovpn interface name\n"); 1725 fprintf(stderr, "\tpeer_id: peer ID of the peer to modify\n"); 1726 fprintf(stderr, "\tslot: slot to erase. PRIMARY if omitted\n"); 1727 1728 fprintf(stderr, 1729 "* get_key <iface> <peer_id> <slot>: retrieve non sensible key data\n"); 1730 fprintf(stderr, "\tiface: ovpn interface name\n"); 1731 fprintf(stderr, "\tpeer_id: peer ID of the peer to query\n"); 1732 fprintf(stderr, "\tslot: either 1 (primary) or 2 (secondary)\n"); 1733 1734 fprintf(stderr, 1735 "* swap_keys <iface> <peer_id>: swap content of primary and secondary key slots\n"); 1736 fprintf(stderr, "\tiface: ovpn interface name\n"); 1737 fprintf(stderr, "\tpeer_id: peer ID of the peer to modify\n"); 1738 1739 fprintf(stderr, 1740 "* listen_mcast: listen to ovpn netlink multicast messages\n"); 1741 } 1742 1743 static int ovpn_parse_remote(struct ovpn_ctx *ovpn, const char *host, 1744 const char *service, const char *vpnip) 1745 { 1746 int ret; 1747 struct addrinfo *result; 1748 struct addrinfo hints = { 1749 .ai_family = ovpn->sa_family, 1750 .ai_socktype = SOCK_DGRAM, 1751 .ai_protocol = IPPROTO_UDP 1752 }; 1753 1754 if (host) { 1755 ret = getaddrinfo(host, service, &hints, &result); 1756 if (ret) { 1757 fprintf(stderr, "getaddrinfo on remote error: %s\n", 1758 gai_strerror(ret)); 1759 return -1; 1760 } 1761 1762 if (!(result->ai_family == AF_INET && 1763 result->ai_addrlen == sizeof(struct sockaddr_in)) && 1764 !(result->ai_family == AF_INET6 && 1765 result->ai_addrlen == sizeof(struct sockaddr_in6))) { 1766 ret = -EINVAL; 1767 goto out; 1768 } 1769 1770 memcpy(&ovpn->remote, result->ai_addr, result->ai_addrlen); 1771 } 1772 1773 if (vpnip) { 1774 ret = getaddrinfo(vpnip, NULL, &hints, &result); 1775 if (ret) { 1776 fprintf(stderr, "getaddrinfo on vpnip error: %s\n", 1777 gai_strerror(ret)); 1778 return -1; 1779 } 1780 1781 if (!(result->ai_family == AF_INET && 1782 result->ai_addrlen == sizeof(struct sockaddr_in)) && 1783 !(result->ai_family == AF_INET6 && 1784 result->ai_addrlen == sizeof(struct sockaddr_in6))) { 1785 ret = -EINVAL; 1786 goto out; 1787 } 1788 1789 memcpy(&ovpn->peer_ip, result->ai_addr, result->ai_addrlen); 1790 ovpn->sa_family = result->ai_family; 1791 1792 ovpn->peer_ip_set = true; 1793 } 1794 1795 ret = 0; 1796 out: 1797 freeaddrinfo(result); 1798 return ret; 1799 } 1800 1801 static int ovpn_parse_new_peer(struct ovpn_ctx *ovpn, const char *peer_id, 1802 const char *raddr, const char *rport, 1803 const char *vpnip) 1804 { 1805 ovpn->peer_id = strtoul(peer_id, NULL, 10); 1806 if (errno == ERANGE || ovpn->peer_id > PEER_ID_UNDEF) { 1807 fprintf(stderr, "peer ID value out of range\n"); 1808 return -1; 1809 } 1810 1811 return ovpn_parse_remote(ovpn, raddr, rport, vpnip); 1812 } 1813 1814 static int ovpn_parse_key_slot(const char *arg, struct ovpn_ctx *ovpn) 1815 { 1816 int slot = strtoul(arg, NULL, 10); 1817 1818 if (errno == ERANGE || slot < 1 || slot > 2) { 1819 fprintf(stderr, "key slot out of range\n"); 1820 return -1; 1821 } 1822 1823 switch (slot) { 1824 case 1: 1825 ovpn->key_slot = OVPN_KEY_SLOT_PRIMARY; 1826 break; 1827 case 2: 1828 ovpn->key_slot = OVPN_KEY_SLOT_SECONDARY; 1829 break; 1830 } 1831 1832 return 0; 1833 } 1834 1835 static int ovpn_send_tcp_data(int socket) 1836 { 1837 uint16_t len = htons(1000); 1838 uint8_t buf[1002]; 1839 int ret; 1840 1841 memcpy(buf, &len, sizeof(len)); 1842 memset(buf + sizeof(len), 0x86, sizeof(buf) - sizeof(len)); 1843 1844 ret = send(socket, buf, sizeof(buf), MSG_NOSIGNAL); 1845 1846 fprintf(stdout, "Sent %u bytes over TCP socket\n", ret); 1847 1848 return ret > 0 ? 0 : ret; 1849 } 1850 1851 static int ovpn_recv_tcp_data(int socket) 1852 { 1853 uint8_t buf[1002]; 1854 uint16_t len; 1855 int ret; 1856 1857 ret = recv(socket, buf, sizeof(buf), MSG_NOSIGNAL); 1858 1859 if (ret < 2) { 1860 fprintf(stderr, ">>>> Error while reading TCP data: %d\n", ret); 1861 return ret; 1862 } 1863 1864 memcpy(&len, buf, sizeof(len)); 1865 len = ntohs(len); 1866 1867 fprintf(stdout, ">>>> Received %u bytes over TCP socket, header: %u\n", 1868 ret, len); 1869 1870 return 0; 1871 } 1872 1873 static enum ovpn_cmd ovpn_parse_cmd(const char *cmd) 1874 { 1875 if (!strcmp(cmd, "new_iface")) 1876 return CMD_NEW_IFACE; 1877 1878 if (!strcmp(cmd, "del_iface")) 1879 return CMD_DEL_IFACE; 1880 1881 if (!strcmp(cmd, "listen")) 1882 return CMD_LISTEN; 1883 1884 if (!strcmp(cmd, "connect")) 1885 return CMD_CONNECT; 1886 1887 if (!strcmp(cmd, "new_peer")) 1888 return CMD_NEW_PEER; 1889 1890 if (!strcmp(cmd, "new_multi_peer")) 1891 return CMD_NEW_MULTI_PEER; 1892 1893 if (!strcmp(cmd, "set_peer")) 1894 return CMD_SET_PEER; 1895 1896 if (!strcmp(cmd, "del_peer")) 1897 return CMD_DEL_PEER; 1898 1899 if (!strcmp(cmd, "get_peer")) 1900 return CMD_GET_PEER; 1901 1902 if (!strcmp(cmd, "new_key")) 1903 return CMD_NEW_KEY; 1904 1905 if (!strcmp(cmd, "del_key")) 1906 return CMD_DEL_KEY; 1907 1908 if (!strcmp(cmd, "get_key")) 1909 return CMD_GET_KEY; 1910 1911 if (!strcmp(cmd, "swap_keys")) 1912 return CMD_SWAP_KEYS; 1913 1914 if (!strcmp(cmd, "listen_mcast")) 1915 return CMD_LISTEN_MCAST; 1916 1917 return CMD_INVALID; 1918 } 1919 1920 /* Send process to background and waits for signal. 1921 * 1922 * This helper is called at the end of commands 1923 * creating sockets, so that the latter stay alive 1924 * along with the process that created them. 1925 * 1926 * A signal is expected to be delivered in order to 1927 * terminate the waiting processes 1928 */ 1929 static void ovpn_waitbg(void) 1930 { 1931 daemon(1, 1); 1932 pause(); 1933 } 1934 1935 static int ovpn_run_cmd(struct ovpn_ctx *ovpn) 1936 { 1937 char peer_id[10], vpnip[INET6_ADDRSTRLEN], laddr[128], lport[10]; 1938 char raddr[128], rport[10]; 1939 int n, ret; 1940 FILE *fp; 1941 1942 switch (ovpn->cmd) { 1943 case CMD_NEW_IFACE: 1944 ret = ovpn_new_iface(ovpn); 1945 break; 1946 case CMD_DEL_IFACE: 1947 ret = ovpn_del_iface(ovpn); 1948 break; 1949 case CMD_LISTEN: 1950 ret = ovpn_listen(ovpn, ovpn->sa_family); 1951 if (ret < 0) { 1952 fprintf(stderr, "cannot listen on TCP socket\n"); 1953 return ret; 1954 } 1955 1956 fp = fopen(ovpn->peers_file, "r"); 1957 if (!fp) { 1958 fprintf(stderr, "cannot open file: %s\n", 1959 ovpn->peers_file); 1960 return -1; 1961 } 1962 1963 int num_peers = 0; 1964 1965 while ((n = fscanf(fp, "%s %s\n", peer_id, vpnip)) == 2) { 1966 struct ovpn_ctx peer_ctx = { 0 }; 1967 1968 if (num_peers == MAX_PEERS) { 1969 fprintf(stderr, "max peers reached!\n"); 1970 return -E2BIG; 1971 } 1972 1973 peer_ctx.ifindex = ovpn->ifindex; 1974 peer_ctx.sa_family = ovpn->sa_family; 1975 1976 peer_ctx.socket = ovpn_accept(ovpn); 1977 if (peer_ctx.socket < 0) { 1978 fprintf(stderr, "cannot accept connection!\n"); 1979 return -1; 1980 } 1981 1982 /* store peer sockets to test TCP I/O */ 1983 ovpn->cli_sockets[num_peers] = peer_ctx.socket; 1984 1985 ret = ovpn_parse_new_peer(&peer_ctx, peer_id, NULL, 1986 NULL, vpnip); 1987 if (ret < 0) { 1988 fprintf(stderr, "error while parsing line\n"); 1989 return -1; 1990 } 1991 1992 ret = ovpn_new_peer(&peer_ctx, true); 1993 if (ret < 0) { 1994 fprintf(stderr, 1995 "cannot add peer to VPN: %s %s\n", 1996 peer_id, vpnip); 1997 return ret; 1998 } 1999 num_peers++; 2000 } 2001 2002 for (int i = 0; i < num_peers; i++) { 2003 ret = ovpn_recv_tcp_data(ovpn->cli_sockets[i]); 2004 if (ret < 0) 2005 break; 2006 } 2007 ovpn_waitbg(); 2008 break; 2009 case CMD_CONNECT: 2010 ret = ovpn_connect(ovpn); 2011 if (ret < 0) { 2012 fprintf(stderr, "cannot connect TCP socket\n"); 2013 return ret; 2014 } 2015 2016 ret = ovpn_new_peer(ovpn, true); 2017 if (ret < 0) { 2018 fprintf(stderr, "cannot add peer to VPN\n"); 2019 close(ovpn->socket); 2020 return ret; 2021 } 2022 2023 if (ovpn->cipher != OVPN_CIPHER_ALG_NONE) { 2024 ret = ovpn_new_key(ovpn); 2025 if (ret < 0) { 2026 fprintf(stderr, "cannot set key\n"); 2027 return ret; 2028 } 2029 } 2030 2031 ret = ovpn_send_tcp_data(ovpn->socket); 2032 ovpn_waitbg(); 2033 break; 2034 case CMD_NEW_PEER: 2035 ret = ovpn_udp_socket(ovpn, AF_INET6); 2036 if (ret < 0) 2037 return ret; 2038 2039 ret = ovpn_new_peer(ovpn, false); 2040 ovpn_waitbg(); 2041 break; 2042 case CMD_NEW_MULTI_PEER: 2043 ret = ovpn_udp_socket(ovpn, AF_INET6); 2044 if (ret < 0) 2045 return ret; 2046 2047 fp = fopen(ovpn->peers_file, "r"); 2048 if (!fp) { 2049 fprintf(stderr, "cannot open file: %s\n", 2050 ovpn->peers_file); 2051 return -1; 2052 } 2053 2054 while ((n = fscanf(fp, "%s %s %s %s %s %s\n", peer_id, laddr, 2055 lport, raddr, rport, vpnip)) == 6) { 2056 struct ovpn_ctx peer_ctx = { 0 }; 2057 2058 peer_ctx.ifindex = ovpn->ifindex; 2059 peer_ctx.socket = ovpn->socket; 2060 peer_ctx.sa_family = AF_UNSPEC; 2061 2062 ret = ovpn_parse_new_peer(&peer_ctx, peer_id, raddr, 2063 rport, vpnip); 2064 if (ret < 0) { 2065 fprintf(stderr, "error while parsing line\n"); 2066 return -1; 2067 } 2068 2069 ret = ovpn_new_peer(&peer_ctx, false); 2070 if (ret < 0) { 2071 fprintf(stderr, 2072 "cannot add peer to VPN: %s %s %s %s\n", 2073 peer_id, raddr, rport, vpnip); 2074 return ret; 2075 } 2076 } 2077 ovpn_waitbg(); 2078 break; 2079 case CMD_SET_PEER: 2080 ret = ovpn_set_peer(ovpn); 2081 break; 2082 case CMD_DEL_PEER: 2083 ret = ovpn_del_peer(ovpn); 2084 break; 2085 case CMD_GET_PEER: 2086 if (ovpn->peer_id == PEER_ID_UNDEF) 2087 fprintf(stderr, "List of peers connected to: %s\n", 2088 ovpn->ifname); 2089 2090 ret = ovpn_get_peer(ovpn); 2091 break; 2092 case CMD_NEW_KEY: 2093 ret = ovpn_new_key(ovpn); 2094 break; 2095 case CMD_DEL_KEY: 2096 ret = ovpn_del_key(ovpn); 2097 break; 2098 case CMD_GET_KEY: 2099 ret = ovpn_get_key(ovpn); 2100 break; 2101 case CMD_SWAP_KEYS: 2102 ret = ovpn_swap_keys(ovpn); 2103 break; 2104 case CMD_LISTEN_MCAST: 2105 ret = ovpn_listen_mcast(); 2106 break; 2107 case CMD_INVALID: 2108 break; 2109 } 2110 2111 return ret; 2112 } 2113 2114 static int ovpn_parse_cmd_args(struct ovpn_ctx *ovpn, int argc, char *argv[]) 2115 { 2116 int ret; 2117 2118 /* no args required for LISTEN_MCAST */ 2119 if (ovpn->cmd == CMD_LISTEN_MCAST) 2120 return 0; 2121 2122 /* all commands need an ifname */ 2123 if (argc < 3) 2124 return -EINVAL; 2125 2126 strscpy(ovpn->ifname, argv[2], IFNAMSIZ - 1); 2127 ovpn->ifname[IFNAMSIZ - 1] = '\0'; 2128 2129 /* all commands, except NEW_IFNAME, needs an ifindex */ 2130 if (ovpn->cmd != CMD_NEW_IFACE) { 2131 ovpn->ifindex = if_nametoindex(ovpn->ifname); 2132 if (!ovpn->ifindex) { 2133 fprintf(stderr, "cannot find interface: %s\n", 2134 strerror(errno)); 2135 return -1; 2136 } 2137 } 2138 2139 switch (ovpn->cmd) { 2140 case CMD_NEW_IFACE: 2141 if (argc < 4) 2142 break; 2143 2144 if (!strcmp(argv[3], "P2P")) { 2145 ovpn->mode = OVPN_MODE_P2P; 2146 } else if (!strcmp(argv[3], "MP")) { 2147 ovpn->mode = OVPN_MODE_MP; 2148 } else { 2149 fprintf(stderr, "Cannot parse iface mode: %s\n", 2150 argv[3]); 2151 return -1; 2152 } 2153 ovpn->mode_set = true; 2154 break; 2155 case CMD_DEL_IFACE: 2156 break; 2157 case CMD_LISTEN: 2158 if (argc < 5) 2159 return -EINVAL; 2160 2161 ovpn->lport = strtoul(argv[3], NULL, 10); 2162 if (errno == ERANGE || ovpn->lport > 65535) { 2163 fprintf(stderr, "lport value out of range\n"); 2164 return -1; 2165 } 2166 2167 ovpn->peers_file = argv[4]; 2168 2169 if (argc > 5 && !strcmp(argv[5], "ipv6")) 2170 ovpn->sa_family = AF_INET6; 2171 break; 2172 case CMD_CONNECT: 2173 if (argc < 6) 2174 return -EINVAL; 2175 2176 ovpn->sa_family = AF_INET; 2177 2178 ret = ovpn_parse_new_peer(ovpn, argv[3], argv[4], argv[5], 2179 NULL); 2180 if (ret < 0) { 2181 fprintf(stderr, "Cannot parse remote peer data\n"); 2182 return -1; 2183 } 2184 2185 if (argc > 6) { 2186 ovpn->key_slot = OVPN_KEY_SLOT_PRIMARY; 2187 ovpn->key_id = 0; 2188 ovpn->cipher = OVPN_CIPHER_ALG_AES_GCM; 2189 ovpn->key_dir = KEY_DIR_OUT; 2190 2191 ret = ovpn_parse_key(argv[6], ovpn); 2192 if (ret) 2193 return -1; 2194 } 2195 break; 2196 case CMD_NEW_PEER: 2197 if (argc < 7) 2198 return -EINVAL; 2199 2200 ovpn->lport = strtoul(argv[4], NULL, 10); 2201 if (errno == ERANGE || ovpn->lport > 65535) { 2202 fprintf(stderr, "lport value out of range\n"); 2203 return -1; 2204 } 2205 2206 const char *vpnip = (argc > 7) ? argv[7] : NULL; 2207 2208 ret = ovpn_parse_new_peer(ovpn, argv[3], argv[5], argv[6], 2209 vpnip); 2210 if (ret < 0) 2211 return -1; 2212 break; 2213 case CMD_NEW_MULTI_PEER: 2214 if (argc < 5) 2215 return -EINVAL; 2216 2217 ovpn->lport = strtoul(argv[3], NULL, 10); 2218 if (errno == ERANGE || ovpn->lport > 65535) { 2219 fprintf(stderr, "lport value out of range\n"); 2220 return -1; 2221 } 2222 2223 ovpn->peers_file = argv[4]; 2224 break; 2225 case CMD_SET_PEER: 2226 if (argc < 6) 2227 return -EINVAL; 2228 2229 ovpn->peer_id = strtoul(argv[3], NULL, 10); 2230 if (errno == ERANGE || ovpn->peer_id > PEER_ID_UNDEF) { 2231 fprintf(stderr, "peer ID value out of range\n"); 2232 return -1; 2233 } 2234 2235 ovpn->keepalive_interval = strtoul(argv[4], NULL, 10); 2236 if (errno == ERANGE) { 2237 fprintf(stderr, 2238 "keepalive interval value out of range\n"); 2239 return -1; 2240 } 2241 2242 ovpn->keepalive_timeout = strtoul(argv[5], NULL, 10); 2243 if (errno == ERANGE) { 2244 fprintf(stderr, 2245 "keepalive interval value out of range\n"); 2246 return -1; 2247 } 2248 break; 2249 case CMD_DEL_PEER: 2250 if (argc < 4) 2251 return -EINVAL; 2252 2253 ovpn->peer_id = strtoul(argv[3], NULL, 10); 2254 if (errno == ERANGE || ovpn->peer_id > PEER_ID_UNDEF) { 2255 fprintf(stderr, "peer ID value out of range\n"); 2256 return -1; 2257 } 2258 break; 2259 case CMD_GET_PEER: 2260 ovpn->peer_id = PEER_ID_UNDEF; 2261 if (argc > 3) { 2262 ovpn->peer_id = strtoul(argv[3], NULL, 10); 2263 if (errno == ERANGE || ovpn->peer_id > PEER_ID_UNDEF) { 2264 fprintf(stderr, "peer ID value out of range\n"); 2265 return -1; 2266 } 2267 } 2268 break; 2269 case CMD_NEW_KEY: 2270 if (argc < 9) 2271 return -EINVAL; 2272 2273 ovpn->peer_id = strtoul(argv[3], NULL, 10); 2274 if (errno == ERANGE) { 2275 fprintf(stderr, "peer ID value out of range\n"); 2276 return -1; 2277 } 2278 2279 ret = ovpn_parse_key_slot(argv[4], ovpn); 2280 if (ret) 2281 return -1; 2282 2283 ovpn->key_id = strtoul(argv[5], NULL, 10); 2284 if (errno == ERANGE || ovpn->key_id > 2) { 2285 fprintf(stderr, "key ID out of range\n"); 2286 return -1; 2287 } 2288 2289 ret = ovpn_parse_cipher(argv[6], ovpn); 2290 if (ret < 0) 2291 return -1; 2292 2293 ret = ovpn_parse_key_direction(argv[7], ovpn); 2294 if (ret < 0) 2295 return -1; 2296 2297 ret = ovpn_parse_key(argv[8], ovpn); 2298 if (ret) 2299 return -1; 2300 break; 2301 case CMD_DEL_KEY: 2302 if (argc < 4) 2303 return -EINVAL; 2304 2305 ovpn->peer_id = strtoul(argv[3], NULL, 10); 2306 if (errno == ERANGE) { 2307 fprintf(stderr, "peer ID value out of range\n"); 2308 return -1; 2309 } 2310 2311 ret = ovpn_parse_key_slot(argv[4], ovpn); 2312 if (ret) 2313 return ret; 2314 break; 2315 case CMD_GET_KEY: 2316 if (argc < 5) 2317 return -EINVAL; 2318 2319 ovpn->peer_id = strtoul(argv[3], NULL, 10); 2320 if (errno == ERANGE) { 2321 fprintf(stderr, "peer ID value out of range\n"); 2322 return -1; 2323 } 2324 2325 ret = ovpn_parse_key_slot(argv[4], ovpn); 2326 if (ret) 2327 return ret; 2328 break; 2329 case CMD_SWAP_KEYS: 2330 if (argc < 4) 2331 return -EINVAL; 2332 2333 ovpn->peer_id = strtoul(argv[3], NULL, 10); 2334 if (errno == ERANGE) { 2335 fprintf(stderr, "peer ID value out of range\n"); 2336 return -1; 2337 } 2338 break; 2339 case CMD_LISTEN_MCAST: 2340 break; 2341 case CMD_INVALID: 2342 break; 2343 } 2344 2345 return 0; 2346 } 2347 2348 int main(int argc, char *argv[]) 2349 { 2350 struct ovpn_ctx ovpn; 2351 int ret; 2352 2353 if (argc < 2) { 2354 usage(argv[0]); 2355 return -1; 2356 } 2357 2358 memset(&ovpn, 0, sizeof(ovpn)); 2359 ovpn.sa_family = AF_UNSPEC; 2360 ovpn.cipher = OVPN_CIPHER_ALG_NONE; 2361 2362 ovpn.cmd = ovpn_parse_cmd(argv[1]); 2363 if (ovpn.cmd == CMD_INVALID) { 2364 fprintf(stderr, "Error: unknown command.\n\n"); 2365 usage(argv[0]); 2366 return -1; 2367 } 2368 2369 ret = ovpn_parse_cmd_args(&ovpn, argc, argv); 2370 if (ret < 0) { 2371 fprintf(stderr, "Error: invalid arguments.\n\n"); 2372 if (ret == -EINVAL) 2373 usage(argv[0]); 2374 return ret; 2375 } 2376 2377 ret = ovpn_run_cmd(&ovpn); 2378 if (ret) 2379 fprintf(stderr, "Cannot execute command: %s (%d)\n", 2380 strerror(-ret), ret); 2381 2382 return ret; 2383 } 2384