Google Git
Sign in
kernel / pub / scm / linux / kernel / git / rafael / linux-pm / testing / . / drivers / net / ovpn / netlink.c
blob: c7f382437630292df56fa90df303135f69e5828e [file] [log] [blame]
// SPDX-License-Identifier: GPL-2.0
/* OpenVPN data channel offload
*
* Copyright (C) 2020-2025 OpenVPN, Inc.
*
* Author: Antonio Quartulli <antonio@openvpn.net>
*/
#include <linux/netdevice.h>
#include <linux/types.h>
#include <net/genetlink.h>
#include <uapi/linux/ovpn.h>
#include "ovpnpriv.h"
#include "main.h"
#include "netlink.h"
#include "netlink-gen.h"
#include "bind.h"
#include "crypto.h"
#include "peer.h"
#include "socket.h"
MODULE_ALIAS_GENL_FAMILY(OVPN_FAMILY_NAME);
/**
* ovpn_get_dev_from_attrs - retrieve the ovpn private data from the netdevice
* a netlink message is targeting
* @net: network namespace where to look for the interface
* @info: generic netlink info from the user request
* @tracker: tracker object to be used for the netdev reference acquisition
*
* Return: the ovpn private data, if found, or an error otherwise
*/
static struct ovpn_priv *
ovpn_get_dev_from_attrs(struct net *net, const struct genl_info *info,
netdevice_tracker *tracker)
{
struct ovpn_priv *ovpn;
struct net_device *dev;
int ifindex;
if (GENL_REQ_ATTR_CHECK(info, OVPN_A_IFINDEX))
return ERR_PTR(-EINVAL);
ifindex = nla_get_u32(info->attrs[OVPN_A_IFINDEX]);
rcu_read_lock();
dev = dev_get_by_index_rcu(net, ifindex);
if (!dev) {
rcu_read_unlock();
NL_SET_ERR_MSG_MOD(info->extack,
"ifindex does not match any interface");
return ERR_PTR(-ENODEV);
}
if (!ovpn_dev_is_valid(dev)) {
rcu_read_unlock();
NL_SET_ERR_MSG_MOD(info->extack,
"specified interface is not ovpn");
NL_SET_BAD_ATTR(info->extack, info->attrs[OVPN_A_IFINDEX]);
return ERR_PTR(-EINVAL);
}
ovpn = netdev_priv(dev);
netdev_hold(dev, tracker, GFP_ATOMIC);
rcu_read_unlock();
return ovpn;
}
int ovpn_nl_pre_doit(const struct genl_split_ops *ops, struct sk_buff *skb,
struct genl_info *info)
{
netdevice_tracker *tracker = (netdevice_tracker *)&info->user_ptr[1];
struct ovpn_priv *ovpn = ovpn_get_dev_from_attrs(genl_info_net(info),
info, tracker);
if (IS_ERR(ovpn))
return PTR_ERR(ovpn);
info->user_ptr[0] = ovpn;
return 0;
}
void ovpn_nl_post_doit(const struct genl_split_ops *ops, struct sk_buff *skb,
struct genl_info *info)
{
netdevice_tracker *tracker = (netdevice_tracker *)&info->user_ptr[1];
struct ovpn_priv *ovpn = info->user_ptr[0];
if (ovpn)
netdev_put(ovpn->dev, tracker);
}
static bool ovpn_nl_attr_sockaddr_remote(struct nlattr **attrs,
struct sockaddr_storage *ss)
{
struct sockaddr_in6 *sin6;
struct sockaddr_in *sin;
struct in6_addr *in6;
__be16 port = 0;
__be32 *in;
ss->ss_family = AF_UNSPEC;
if (attrs[OVPN_A_PEER_REMOTE_PORT])
port = nla_get_be16(attrs[OVPN_A_PEER_REMOTE_PORT]);
if (attrs[OVPN_A_PEER_REMOTE_IPV4]) {
ss->ss_family = AF_INET;
in = nla_data(attrs[OVPN_A_PEER_REMOTE_IPV4]);
} else if (attrs[OVPN_A_PEER_REMOTE_IPV6]) {
ss->ss_family = AF_INET6;
in6 = nla_data(attrs[OVPN_A_PEER_REMOTE_IPV6]);
} else {
return false;
}
switch (ss->ss_family) {
case AF_INET6:
/* If this is a regular IPv6 just break and move on,
* otherwise switch to AF_INET and extract the IPv4 accordingly
*/
if (!ipv6_addr_v4mapped(in6)) {
sin6 = (struct sockaddr_in6 *)ss;
sin6->sin6_port = port;
memcpy(&sin6->sin6_addr, in6, sizeof(*in6));
break;
}
/* v4-mapped-v6 address */
ss->ss_family = AF_INET;
in = &in6->s6_addr32[3];
fallthrough;
case AF_INET:
sin = (struct sockaddr_in *)ss;
sin->sin_port = port;
sin->sin_addr.s_addr = *in;
break;
}
return true;
}
static u8 *ovpn_nl_attr_local_ip(struct nlattr **attrs)
{
u8 *addr6;
if (!attrs[OVPN_A_PEER_LOCAL_IPV4] && !attrs[OVPN_A_PEER_LOCAL_IPV6])
return NULL;
if (attrs[OVPN_A_PEER_LOCAL_IPV4])
return nla_data(attrs[OVPN_A_PEER_LOCAL_IPV4]);
addr6 = nla_data(attrs[OVPN_A_PEER_LOCAL_IPV6]);
/* this is an IPv4-mapped IPv6 address, therefore extract the actual
* v4 address from the last 4 bytes
*/
if (ipv6_addr_v4mapped((struct in6_addr *)addr6))
return addr6 + 12;
return addr6;
}
static sa_family_t ovpn_nl_family_get(struct nlattr *addr4,
struct nlattr *addr6)
{
if (addr4)
return AF_INET;
if (addr6) {
if (ipv6_addr_v4mapped((struct in6_addr *)nla_data(addr6)))
return AF_INET;
return AF_INET6;
}
return AF_UNSPEC;
}
static int ovpn_nl_peer_precheck(struct ovpn_priv *ovpn,
struct genl_info *info,
struct nlattr **attrs)
{
sa_family_t local_fam, remote_fam;
if (NL_REQ_ATTR_CHECK(info->extack, info->attrs[OVPN_A_PEER], attrs,
OVPN_A_PEER_ID))
return -EINVAL;
if (attrs[OVPN_A_PEER_REMOTE_IPV4] && attrs[OVPN_A_PEER_REMOTE_IPV6]) {
NL_SET_ERR_MSG_MOD(info->extack,
"cannot specify both remote IPv4 or IPv6 address");
return -EINVAL;
}
if (!attrs[OVPN_A_PEER_REMOTE_IPV4] &&
!attrs[OVPN_A_PEER_REMOTE_IPV6] && attrs[OVPN_A_PEER_REMOTE_PORT]) {
NL_SET_ERR_MSG_MOD(info->extack,
"cannot specify remote port without IP address");
return -EINVAL;
}
if ((attrs[OVPN_A_PEER_REMOTE_IPV4] ||
attrs[OVPN_A_PEER_REMOTE_IPV6]) &&
!attrs[OVPN_A_PEER_REMOTE_PORT]) {
NL_SET_ERR_MSG_MOD(info->extack,
"cannot specify remote IP address without port");
return -EINVAL;
}
if (!attrs[OVPN_A_PEER_REMOTE_IPV4] &&
attrs[OVPN_A_PEER_LOCAL_IPV4]) {
NL_SET_ERR_MSG_MOD(info->extack,
"cannot specify local IPv4 address without remote");
return -EINVAL;
}
if (!attrs[OVPN_A_PEER_REMOTE_IPV6] &&
attrs[OVPN_A_PEER_LOCAL_IPV6]) {
NL_SET_ERR_MSG_MOD(info->extack,
"cannot specify local IPV6 address without remote");
return -EINVAL;
}
/* check that local and remote address families are the same even
* after parsing v4mapped IPv6 addresses.
* (if addresses are not provided, family will be AF_UNSPEC and
* the check is skipped)
*/
local_fam = ovpn_nl_family_get(attrs[OVPN_A_PEER_LOCAL_IPV4],
attrs[OVPN_A_PEER_LOCAL_IPV6]);
remote_fam = ovpn_nl_family_get(attrs[OVPN_A_PEER_REMOTE_IPV4],
attrs[OVPN_A_PEER_REMOTE_IPV6]);
if (local_fam != AF_UNSPEC && remote_fam != AF_UNSPEC &&
local_fam != remote_fam) {
NL_SET_ERR_MSG_MOD(info->extack,
"mismatching local and remote address families");
return -EINVAL;
}
if (remote_fam != AF_INET6 && attrs[OVPN_A_PEER_REMOTE_IPV6_SCOPE_ID]) {
NL_SET_ERR_MSG_MOD(info->extack,
"cannot specify scope id without remote IPv6 address");
return -EINVAL;
}
/* VPN IPs are needed only in MP mode for selecting the right peer */
if (ovpn->mode == OVPN_MODE_P2P && (attrs[OVPN_A_PEER_VPN_IPV4] ||
attrs[OVPN_A_PEER_VPN_IPV6])) {
NL_SET_ERR_MSG_FMT_MOD(info->extack,
"unexpected VPN IP in P2P mode");
return -EINVAL;
}
if ((attrs[OVPN_A_PEER_KEEPALIVE_INTERVAL] &&
!attrs[OVPN_A_PEER_KEEPALIVE_TIMEOUT]) ||
(!attrs[OVPN_A_PEER_KEEPALIVE_INTERVAL] &&
attrs[OVPN_A_PEER_KEEPALIVE_TIMEOUT])) {
NL_SET_ERR_MSG_FMT_MOD(info->extack,
"keepalive interval and timeout are required together");
return -EINVAL;
}
return 0;
}
/**
* ovpn_nl_peer_modify - modify the peer attributes according to the incoming msg
* @peer: the peer to modify
* @info: generic netlink info from the user request
* @attrs: the attributes from the user request
*
* Return: a negative error code in case of failure, 0 on success or 1 on
* success and the VPN IPs have been modified (requires rehashing in MP
* mode)
*/
static int ovpn_nl_peer_modify(struct ovpn_peer *peer, struct genl_info *info,
struct nlattr **attrs)
{
struct sockaddr_storage ss = {};
void *local_ip = NULL;
u32 interv, timeout;
bool rehash = false;
int ret;
spin_lock_bh(&peer->lock);
if (ovpn_nl_attr_sockaddr_remote(attrs, &ss)) {
/* we carry the local IP in a generic container.
* ovpn_peer_reset_sockaddr() will properly interpret it
* based on ss.ss_family
*/
local_ip = ovpn_nl_attr_local_ip(attrs);
/* set peer sockaddr */
ret = ovpn_peer_reset_sockaddr(peer, &ss, local_ip);
if (ret < 0) {
NL_SET_ERR_MSG_FMT_MOD(info->extack,
"cannot set peer sockaddr: %d",
ret);
goto err_unlock;
}
dst_cache_reset(&peer->dst_cache);
}
if (attrs[OVPN_A_PEER_VPN_IPV4]) {
rehash = true;
peer->vpn_addrs.ipv4.s_addr =
nla_get_in_addr(attrs[OVPN_A_PEER_VPN_IPV4]);
}
if (attrs[OVPN_A_PEER_VPN_IPV6]) {
rehash = true;
peer->vpn_addrs.ipv6 =
nla_get_in6_addr(attrs[OVPN_A_PEER_VPN_IPV6]);
}
/* when setting the keepalive, both parameters have to be configured */
if (attrs[OVPN_A_PEER_KEEPALIVE_INTERVAL] &&
attrs[OVPN_A_PEER_KEEPALIVE_TIMEOUT]) {
interv = nla_get_u32(attrs[OVPN_A_PEER_KEEPALIVE_INTERVAL]);
timeout = nla_get_u32(attrs[OVPN_A_PEER_KEEPALIVE_TIMEOUT]);
ovpn_peer_keepalive_set(peer, interv, timeout);
}
netdev_dbg(peer->ovpn->dev,
"modify peer id=%u endpoint=%pIScp VPN-IPv4=%pI4 VPN-IPv6=%pI6c\n",
peer->id, &ss,
&peer->vpn_addrs.ipv4.s_addr, &peer->vpn_addrs.ipv6);
spin_unlock_bh(&peer->lock);
return rehash ? 1 : 0;
err_unlock:
spin_unlock_bh(&peer->lock);
return ret;
}
int ovpn_nl_peer_new_doit(struct sk_buff *skb, struct genl_info *info)
{
struct nlattr *attrs[OVPN_A_PEER_MAX + 1];
struct ovpn_priv *ovpn = info->user_ptr[0];
struct ovpn_socket *ovpn_sock;
struct socket *sock = NULL;
struct ovpn_peer *peer;
u32 sockfd, peer_id;
int ret;
if (GENL_REQ_ATTR_CHECK(info, OVPN_A_PEER))
return -EINVAL;
ret = nla_parse_nested(attrs, OVPN_A_PEER_MAX, info->attrs[OVPN_A_PEER],
ovpn_peer_new_input_nl_policy, info->extack);
if (ret)
return ret;
ret = ovpn_nl_peer_precheck(ovpn, info, attrs);
if (ret < 0)
return ret;
if (NL_REQ_ATTR_CHECK(info->extack, info->attrs[OVPN_A_PEER], attrs,
OVPN_A_PEER_SOCKET))
return -EINVAL;
/* in MP mode VPN IPs are required for selecting the right peer */
if (ovpn->mode == OVPN_MODE_MP && !attrs[OVPN_A_PEER_VPN_IPV4] &&
!attrs[OVPN_A_PEER_VPN_IPV6]) {
NL_SET_ERR_MSG_FMT_MOD(info->extack,
"VPN IP must be provided in MP mode");
return -EINVAL;
}
peer_id = nla_get_u32(attrs[OVPN_A_PEER_ID]);
peer = ovpn_peer_new(ovpn, peer_id);
if (IS_ERR(peer)) {
NL_SET_ERR_MSG_FMT_MOD(info->extack,
"cannot create new peer object for peer %u: %ld",
peer_id, PTR_ERR(peer));
return PTR_ERR(peer);
}
/* lookup the fd in the kernel table and extract the socket object */
sockfd = nla_get_u32(attrs[OVPN_A_PEER_SOCKET]);
/* sockfd_lookup() increases sock's refcounter */
sock = sockfd_lookup(sockfd, &ret);
if (!sock) {
NL_SET_ERR_MSG_FMT_MOD(info->extack,
"cannot lookup peer socket (fd=%u): %d",
sockfd, ret);
ret = -ENOTSOCK;
goto peer_release;
}
/* Only when using UDP as transport protocol the remote endpoint
* can be configured so that ovpn knows where to send packets to.
*/
if (sock->sk->sk_protocol == IPPROTO_UDP &&
!attrs[OVPN_A_PEER_REMOTE_IPV4] &&
!attrs[OVPN_A_PEER_REMOTE_IPV6]) {
NL_SET_ERR_MSG_FMT_MOD(info->extack,
"missing remote IP address for UDP socket");
sockfd_put(sock);
ret = -EINVAL;
goto peer_release;
}
/* In case of TCP, the socket is connected to the peer and ovpn
* will just send bytes over it, without the need to specify a
* destination.
*/
if (sock->sk->sk_protocol == IPPROTO_TCP &&
(attrs[OVPN_A_PEER_REMOTE_IPV4] ||
attrs[OVPN_A_PEER_REMOTE_IPV6])) {
NL_SET_ERR_MSG_FMT_MOD(info->extack,
"unexpected remote IP address with TCP socket");
sockfd_put(sock);
ret = -EINVAL;
goto peer_release;
}
ovpn_sock = ovpn_socket_new(sock, peer);
/* at this point we unconditionally drop the reference to the socket:
* - in case of error, the socket has to be dropped
* - if case of success, the socket is configured and let
* userspace own the reference, so that the latter can
* trigger the final close()
*/
sockfd_put(sock);
if (IS_ERR(ovpn_sock)) {
NL_SET_ERR_MSG_FMT_MOD(info->extack,
"cannot encapsulate socket: %ld",
PTR_ERR(ovpn_sock));
ret = -ENOTSOCK;
goto peer_release;
}
rcu_assign_pointer(peer->sock, ovpn_sock);
ret = ovpn_nl_peer_modify(peer, info, attrs);
if (ret < 0)
goto sock_release;
ret = ovpn_peer_add(ovpn, peer);
if (ret < 0) {
NL_SET_ERR_MSG_FMT_MOD(info->extack,
"cannot add new peer (id=%u) to hashtable: %d",
peer->id, ret);
goto sock_release;
}
return 0;
sock_release:
ovpn_socket_release(peer);
peer_release:
/* release right away because peer was not yet hashed, thus it is not
* used in any context
*/
ovpn_peer_release(peer);
return ret;
}
int ovpn_nl_peer_set_doit(struct sk_buff *skb, struct genl_info *info)
{
struct nlattr *attrs[OVPN_A_PEER_MAX + 1];
struct ovpn_priv *ovpn = info->user_ptr[0];
struct ovpn_socket *sock;
struct ovpn_peer *peer;
u32 peer_id;
int ret;
if (GENL_REQ_ATTR_CHECK(info, OVPN_A_PEER))
return -EINVAL;
ret = nla_parse_nested(attrs, OVPN_A_PEER_MAX, info->attrs[OVPN_A_PEER],
ovpn_peer_set_input_nl_policy, info->extack);
if (ret)
return ret;
ret = ovpn_nl_peer_precheck(ovpn, info, attrs);
if (ret < 0)
return ret;
if (attrs[OVPN_A_PEER_SOCKET]) {
NL_SET_ERR_MSG_FMT_MOD(info->extack,
"socket cannot be modified");
return -EINVAL;
}
peer_id = nla_get_u32(attrs[OVPN_A_PEER_ID]);
peer = ovpn_peer_get_by_id(ovpn, peer_id);
if (!peer) {
NL_SET_ERR_MSG_FMT_MOD(info->extack,
"cannot find peer with id %u", peer_id);
return -ENOENT;
}
/* when using a TCP socket the remote IP is not expected */
rcu_read_lock();
sock = rcu_dereference(peer->sock);
if (sock && sock->sk->sk_protocol == IPPROTO_TCP &&
(attrs[OVPN_A_PEER_REMOTE_IPV4] ||
attrs[OVPN_A_PEER_REMOTE_IPV6])) {
rcu_read_unlock();
NL_SET_ERR_MSG_FMT_MOD(info->extack,
"unexpected remote IP address with TCP socket");
ovpn_peer_put(peer);
return -EINVAL;
}
rcu_read_unlock();
spin_lock_bh(&ovpn->lock);
ret = ovpn_nl_peer_modify(peer, info, attrs);
if (ret < 0) {
spin_unlock_bh(&ovpn->lock);
ovpn_peer_put(peer);
return ret;
}
/* ret == 1 means that VPN IPv4/6 has been modified and rehashing
* is required
*/
if (ret > 0)
ovpn_peer_hash_vpn_ip(peer);
spin_unlock_bh(&ovpn->lock);
ovpn_peer_put(peer);
return 0;
}
static int ovpn_nl_send_peer(struct sk_buff *skb, const struct genl_info *info,
const struct ovpn_peer *peer, u32 portid, u32 seq,
int flags)
{
const struct ovpn_bind *bind;
struct ovpn_socket *sock;
int ret = -EMSGSIZE;
struct nlattr *attr;
__be16 local_port;
void *hdr;
int id;
hdr = genlmsg_put(skb, portid, seq, &ovpn_nl_family, flags,
OVPN_CMD_PEER_GET);
if (!hdr)
return -ENOBUFS;
attr = nla_nest_start(skb, OVPN_A_PEER);
if (!attr)
goto err;
rcu_read_lock();
sock = rcu_dereference(peer->sock);
if (!sock) {
ret = -EINVAL;
goto err_unlock;
}
if (!net_eq(genl_info_net(info), sock_net(sock->sk))) {
id = peernet2id_alloc(genl_info_net(info),
sock_net(sock->sk),
GFP_ATOMIC);
if (nla_put_s32(skb, OVPN_A_PEER_SOCKET_NETNSID, id))
goto err_unlock;
}
local_port = inet_sk(sock->sk)->inet_sport;
rcu_read_unlock();
if (nla_put_u32(skb, OVPN_A_PEER_ID, peer->id))
goto err;
if (peer->vpn_addrs.ipv4.s_addr != htonl(INADDR_ANY))
if (nla_put_in_addr(skb, OVPN_A_PEER_VPN_IPV4,
peer->vpn_addrs.ipv4.s_addr))
goto err;
if (!ipv6_addr_equal(&peer->vpn_addrs.ipv6, &in6addr_any))
if (nla_put_in6_addr(skb, OVPN_A_PEER_VPN_IPV6,
&peer->vpn_addrs.ipv6))
goto err;
if (nla_put_u32(skb, OVPN_A_PEER_KEEPALIVE_INTERVAL,
peer->keepalive_interval) ||
nla_put_u32(skb, OVPN_A_PEER_KEEPALIVE_TIMEOUT,
peer->keepalive_timeout))
goto err;
rcu_read_lock();
bind = rcu_dereference(peer->bind);
if (bind) {
if (bind->remote.in4.sin_family == AF_INET) {
if (nla_put_in_addr(skb, OVPN_A_PEER_REMOTE_IPV4,
bind->remote.in4.sin_addr.s_addr) ||
nla_put_net16(skb, OVPN_A_PEER_REMOTE_PORT,
bind->remote.in4.sin_port) ||
nla_put_in_addr(skb, OVPN_A_PEER_LOCAL_IPV4,
bind->local.ipv4.s_addr))
goto err_unlock;
} else if (bind->remote.in4.sin_family == AF_INET6) {
if (nla_put_in6_addr(skb, OVPN_A_PEER_REMOTE_IPV6,
&bind->remote.in6.sin6_addr) ||
nla_put_u32(skb, OVPN_A_PEER_REMOTE_IPV6_SCOPE_ID,
bind->remote.in6.sin6_scope_id) ||
nla_put_net16(skb, OVPN_A_PEER_REMOTE_PORT,
bind->remote.in6.sin6_port) ||
nla_put_in6_addr(skb, OVPN_A_PEER_LOCAL_IPV6,
&bind->local.ipv6))
goto err_unlock;
}
}
rcu_read_unlock();
if (nla_put_net16(skb, OVPN_A_PEER_LOCAL_PORT, local_port) ||
/* VPN RX stats */
nla_put_uint(skb, OVPN_A_PEER_VPN_RX_BYTES,
atomic64_read(&peer->vpn_stats.rx.bytes)) ||
nla_put_uint(skb, OVPN_A_PEER_VPN_RX_PACKETS,
atomic64_read(&peer->vpn_stats.rx.packets)) ||
/* VPN TX stats */
nla_put_uint(skb, OVPN_A_PEER_VPN_TX_BYTES,
atomic64_read(&peer->vpn_stats.tx.bytes)) ||
nla_put_uint(skb, OVPN_A_PEER_VPN_TX_PACKETS,
atomic64_read(&peer->vpn_stats.tx.packets)) ||
/* link RX stats */
nla_put_uint(skb, OVPN_A_PEER_LINK_RX_BYTES,
atomic64_read(&peer->link_stats.rx.bytes)) ||
nla_put_uint(skb, OVPN_A_PEER_LINK_RX_PACKETS,
atomic64_read(&peer->link_stats.rx.packets)) ||
/* link TX stats */
nla_put_uint(skb, OVPN_A_PEER_LINK_TX_BYTES,
atomic64_read(&peer->link_stats.tx.bytes)) ||
nla_put_uint(skb, OVPN_A_PEER_LINK_TX_PACKETS,
atomic64_read(&peer->link_stats.tx.packets)))
goto err;
nla_nest_end(skb, attr);
genlmsg_end(skb, hdr);
return 0;
err_unlock:
rcu_read_unlock();
err:
genlmsg_cancel(skb, hdr);
return ret;
}
int ovpn_nl_peer_get_doit(struct sk_buff *skb, struct genl_info *info)
{
struct nlattr *attrs[OVPN_A_PEER_MAX + 1];
struct ovpn_priv *ovpn = info->user_ptr[0];
struct ovpn_peer *peer;
struct sk_buff *msg;
u32 peer_id;
int ret, i;
if (GENL_REQ_ATTR_CHECK(info, OVPN_A_PEER))
return -EINVAL;
ret = nla_parse_nested(attrs, OVPN_A_PEER_MAX, info->attrs[OVPN_A_PEER],
ovpn_peer_nl_policy, info->extack);
if (ret)
return ret;
if (NL_REQ_ATTR_CHECK(info->extack, info->attrs[OVPN_A_PEER], attrs,
OVPN_A_PEER_ID))
return -EINVAL;
/* OVPN_CMD_PEER_GET expects only the PEER_ID, therefore
* ensure that the user hasn't specified any other attribute.
*
* Unfortunately this check cannot be performed via netlink
* spec/policy and must be open-coded.
*/
for (i = 0; i < OVPN_A_PEER_MAX + 1; i++) {
if (i == OVPN_A_PEER_ID)
continue;
if (attrs[i]) {
NL_SET_ERR_MSG_FMT_MOD(info->extack,
"unexpected attribute %u", i);
return -EINVAL;
}
}
peer_id = nla_get_u32(attrs[OVPN_A_PEER_ID]);
peer = ovpn_peer_get_by_id(ovpn, peer_id);
if (!peer) {
NL_SET_ERR_MSG_FMT_MOD(info->extack,
"cannot find peer with id %u", peer_id);
return -ENOENT;
}
msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
if (!msg) {
ret = -ENOMEM;
goto err;
}
ret = ovpn_nl_send_peer(msg, info, peer, info->snd_portid,
info->snd_seq, 0);
if (ret < 0) {
nlmsg_free(msg);
goto err;
}
ret = genlmsg_reply(msg, info);
err:
ovpn_peer_put(peer);
return ret;
}
int ovpn_nl_peer_get_dumpit(struct sk_buff *skb, struct netlink_callback *cb)
{
const struct genl_info *info = genl_info_dump(cb);
int bkt, last_idx = cb->args[1], dumped = 0;
netdevice_tracker tracker;
struct ovpn_priv *ovpn;
struct ovpn_peer *peer;
ovpn = ovpn_get_dev_from_attrs(sock_net(cb->skb->sk), info, &tracker);
if (IS_ERR(ovpn))
return PTR_ERR(ovpn);
if (ovpn->mode == OVPN_MODE_P2P) {
/* if we already dumped a peer it means we are done */
if (last_idx)
goto out;
rcu_read_lock();
peer = rcu_dereference(ovpn->peer);
if (peer) {
if (ovpn_nl_send_peer(skb, info, peer,
NETLINK_CB(cb->skb).portid,
cb->nlh->nlmsg_seq,
NLM_F_MULTI) == 0)
dumped++;
}
rcu_read_unlock();
} else {
rcu_read_lock();
hash_for_each_rcu(ovpn->peers->by_id, bkt, peer,
hash_entry_id) {
/* skip already dumped peers that were dumped by
* previous invocations
*/
if (last_idx > 0) {
last_idx--;
continue;
}
if (ovpn_nl_send_peer(skb, info, peer,
NETLINK_CB(cb->skb).portid,
cb->nlh->nlmsg_seq,
NLM_F_MULTI) < 0)
break;
/* count peers being dumped during this invocation */
dumped++;
}
rcu_read_unlock();
}
out:
netdev_put(ovpn->dev, &tracker);
/* sum up peers dumped in this message, so that at the next invocation
* we can continue from where we left
*/
cb->args[1] += dumped;
return skb->len;
}
int ovpn_nl_peer_del_doit(struct sk_buff *skb, struct genl_info *info)
{
struct nlattr *attrs[OVPN_A_PEER_MAX + 1];
struct ovpn_priv *ovpn = info->user_ptr[0];
struct ovpn_peer *peer;
u32 peer_id;
int ret;
if (GENL_REQ_ATTR_CHECK(info, OVPN_A_PEER))
return -EINVAL;
ret = nla_parse_nested(attrs, OVPN_A_PEER_MAX, info->attrs[OVPN_A_PEER],
ovpn_peer_del_input_nl_policy, info->extack);
if (ret)
return ret;
if (NL_REQ_ATTR_CHECK(info->extack, info->attrs[OVPN_A_PEER], attrs,
OVPN_A_PEER_ID))
return -EINVAL;
peer_id = nla_get_u32(attrs[OVPN_A_PEER_ID]);
peer = ovpn_peer_get_by_id(ovpn, peer_id);
if (!peer) {
NL_SET_ERR_MSG_FMT_MOD(info->extack,
"cannot find peer with id %u", peer_id);
return -ENOENT;
}
netdev_dbg(ovpn->dev, "del peer %u\n", peer->id);
ret = ovpn_peer_del(peer, OVPN_DEL_PEER_REASON_USERSPACE);
ovpn_peer_put(peer);
return ret;
}
static int ovpn_nl_get_key_dir(struct genl_info *info, struct nlattr *key,
enum ovpn_cipher_alg cipher,
struct ovpn_key_direction *dir)
{
struct nlattr *attrs[OVPN_A_KEYDIR_MAX + 1];
int ret;
ret = nla_parse_nested(attrs, OVPN_A_KEYDIR_MAX, key,
ovpn_keydir_nl_policy, info->extack);
if (ret)
return ret;
switch (cipher) {
case OVPN_CIPHER_ALG_AES_GCM:
case OVPN_CIPHER_ALG_CHACHA20_POLY1305:
if (NL_REQ_ATTR_CHECK(info->extack, key, attrs,
OVPN_A_KEYDIR_CIPHER_KEY) ||
NL_REQ_ATTR_CHECK(info->extack, key, attrs,
OVPN_A_KEYDIR_NONCE_TAIL))
return -EINVAL;
dir->cipher_key = nla_data(attrs[OVPN_A_KEYDIR_CIPHER_KEY]);
dir->cipher_key_size = nla_len(attrs[OVPN_A_KEYDIR_CIPHER_KEY]);
/* These algorithms require a 96bit nonce,
* Construct it by combining 4-bytes packet id and
* 8-bytes nonce-tail from userspace
*/
dir->nonce_tail = nla_data(attrs[OVPN_A_KEYDIR_NONCE_TAIL]);
dir->nonce_tail_size = nla_len(attrs[OVPN_A_KEYDIR_NONCE_TAIL]);
break;
default:
NL_SET_ERR_MSG_MOD(info->extack, "unsupported cipher");
return -EINVAL;
}
return 0;
}
/**
* ovpn_nl_key_new_doit - configure a new key for the specified peer
* @skb: incoming netlink message
* @info: genetlink metadata
*
* This function allows the user to install a new key in the peer crypto
* state.
* Each peer has two 'slots', namely 'primary' and 'secondary', where
* keys can be installed. The key in the 'primary' slot is used for
* encryption, while both keys can be used for decryption by matching the
* key ID carried in the incoming packet.
*
* The user is responsible for rotating keys when necessary. The user
* may fetch peer traffic statistics via netlink in order to better
* identify the right time to rotate keys.
* The renegotiation follows these steps:
* 1. a new key is computed by the user and is installed in the 'secondary'
* slot
* 2. at user discretion (usually after a predetermined time) 'primary' and
* 'secondary' contents are swapped and the new key starts being used for
* encryption, while the old key is kept around for decryption of late
* packets.
*
* Return: 0 on success or a negative error code otherwise.
*/
int ovpn_nl_key_new_doit(struct sk_buff *skb, struct genl_info *info)
{
struct nlattr *attrs[OVPN_A_KEYCONF_MAX + 1];
struct ovpn_priv *ovpn = info->user_ptr[0];
struct ovpn_peer_key_reset pkr;
struct ovpn_peer *peer;
u32 peer_id;
int ret;
if (GENL_REQ_ATTR_CHECK(info, OVPN_A_KEYCONF))
return -EINVAL;
ret = nla_parse_nested(attrs, OVPN_A_KEYCONF_MAX,
info->attrs[OVPN_A_KEYCONF],
ovpn_keyconf_nl_policy, info->extack);
if (ret)
return ret;
if (NL_REQ_ATTR_CHECK(info->extack, info->attrs[OVPN_A_KEYCONF], attrs,
OVPN_A_KEYCONF_PEER_ID))
return -EINVAL;
if (NL_REQ_ATTR_CHECK(info->extack, info->attrs[OVPN_A_KEYCONF], attrs,
OVPN_A_KEYCONF_SLOT) ||
NL_REQ_ATTR_CHECK(info->extack, info->attrs[OVPN_A_KEYCONF], attrs,
OVPN_A_KEYCONF_KEY_ID) ||
NL_REQ_ATTR_CHECK(info->extack, info->attrs[OVPN_A_KEYCONF], attrs,
OVPN_A_KEYCONF_CIPHER_ALG) ||
NL_REQ_ATTR_CHECK(info->extack, info->attrs[OVPN_A_KEYCONF], attrs,
OVPN_A_KEYCONF_ENCRYPT_DIR) ||
NL_REQ_ATTR_CHECK(info->extack, info->attrs[OVPN_A_KEYCONF], attrs,
OVPN_A_KEYCONF_DECRYPT_DIR))
return -EINVAL;
pkr.slot = nla_get_u32(attrs[OVPN_A_KEYCONF_SLOT]);
pkr.key.key_id = nla_get_u32(attrs[OVPN_A_KEYCONF_KEY_ID]);
pkr.key.cipher_alg = nla_get_u32(attrs[OVPN_A_KEYCONF_CIPHER_ALG]);
ret = ovpn_nl_get_key_dir(info, attrs[OVPN_A_KEYCONF_ENCRYPT_DIR],
pkr.key.cipher_alg, &pkr.key.encrypt);
if (ret < 0)
return ret;
ret = ovpn_nl_get_key_dir(info, attrs[OVPN_A_KEYCONF_DECRYPT_DIR],
pkr.key.cipher_alg, &pkr.key.decrypt);
if (ret < 0)
return ret;
peer_id = nla_get_u32(attrs[OVPN_A_KEYCONF_PEER_ID]);
peer = ovpn_peer_get_by_id(ovpn, peer_id);
if (!peer) {
NL_SET_ERR_MSG_FMT_MOD(info->extack,
"no peer with id %u to set key for",
peer_id);
return -ENOENT;
}
ret = ovpn_crypto_state_reset(&peer->crypto, &pkr);
if (ret < 0) {
NL_SET_ERR_MSG_FMT_MOD(info->extack,
"cannot install new key for peer %u",
peer_id);
goto out;
}
netdev_dbg(ovpn->dev, "new key installed (id=%u) for peer %u\n",
pkr.key.key_id, peer_id);
out:
ovpn_peer_put(peer);
return ret;
}
static int ovpn_nl_send_key(struct sk_buff *skb, const struct genl_info *info,
u32 peer_id, enum ovpn_key_slot slot,
const struct ovpn_key_config *keyconf)
{
struct nlattr *attr;
void *hdr;
hdr = genlmsg_put(skb, info->snd_portid, info->snd_seq, &ovpn_nl_family,
0, OVPN_CMD_KEY_GET);
if (!hdr)
return -ENOBUFS;
attr = nla_nest_start(skb, OVPN_A_KEYCONF);
if (!attr)
goto err;
if (nla_put_u32(skb, OVPN_A_KEYCONF_PEER_ID, peer_id))
goto err;
if (nla_put_u32(skb, OVPN_A_KEYCONF_SLOT, slot) ||
nla_put_u32(skb, OVPN_A_KEYCONF_KEY_ID, keyconf->key_id) ||
nla_put_u32(skb, OVPN_A_KEYCONF_CIPHER_ALG, keyconf->cipher_alg))
goto err;
nla_nest_end(skb, attr);
genlmsg_end(skb, hdr);
return 0;
err:
genlmsg_cancel(skb, hdr);
return -EMSGSIZE;
}
int ovpn_nl_key_get_doit(struct sk_buff *skb, struct genl_info *info)
{
struct nlattr *attrs[OVPN_A_KEYCONF_MAX + 1];
struct ovpn_priv *ovpn = info->user_ptr[0];
struct ovpn_key_config keyconf = { 0 };
enum ovpn_key_slot slot;
struct ovpn_peer *peer;
struct sk_buff *msg;
u32 peer_id;
int ret, i;
if (GENL_REQ_ATTR_CHECK(info, OVPN_A_KEYCONF))
return -EINVAL;
ret = nla_parse_nested(attrs, OVPN_A_KEYCONF_MAX,
info->attrs[OVPN_A_KEYCONF],
ovpn_keyconf_get_nl_policy, info->extack);
if (ret)
return ret;
if (NL_REQ_ATTR_CHECK(info->extack, info->attrs[OVPN_A_KEYCONF], attrs,
OVPN_A_KEYCONF_PEER_ID))
return -EINVAL;
if (NL_REQ_ATTR_CHECK(info->extack, info->attrs[OVPN_A_KEYCONF], attrs,
OVPN_A_KEYCONF_SLOT))
return -EINVAL;
/* OVPN_CMD_KEY_GET expects only the PEER_ID and the SLOT, therefore
* ensure that the user hasn't specified any other attribute.
*
* Unfortunately this check cannot be performed via netlink
* spec/policy and must be open-coded.
*/
for (i = 0; i < OVPN_A_KEYCONF_MAX + 1; i++) {
if (i == OVPN_A_KEYCONF_PEER_ID ||
i == OVPN_A_KEYCONF_SLOT)
continue;
if (attrs[i]) {
NL_SET_ERR_MSG_FMT_MOD(info->extack,
"unexpected attribute %u", i);
return -EINVAL;
}
}
peer_id = nla_get_u32(attrs[OVPN_A_KEYCONF_PEER_ID]);
peer = ovpn_peer_get_by_id(ovpn, peer_id);
if (!peer) {
NL_SET_ERR_MSG_FMT_MOD(info->extack,
"cannot find peer with id %u", peer_id);
return -ENOENT;
}
slot = nla_get_u32(attrs[OVPN_A_KEYCONF_SLOT]);
ret = ovpn_crypto_config_get(&peer->crypto, slot, &keyconf);
if (ret < 0) {
NL_SET_ERR_MSG_FMT_MOD(info->extack,
"cannot extract key from slot %u for peer %u",
slot, peer_id);
goto err;
}
msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
if (!msg) {
ret = -ENOMEM;
goto err;
}
ret = ovpn_nl_send_key(msg, info, peer->id, slot, &keyconf);
if (ret < 0) {
nlmsg_free(msg);
goto err;
}
ret = genlmsg_reply(msg, info);
err:
ovpn_peer_put(peer);
return ret;
}
int ovpn_nl_key_swap_doit(struct sk_buff *skb, struct genl_info *info)
{
struct ovpn_priv *ovpn = info->user_ptr[0];
struct nlattr *attrs[OVPN_A_PEER_MAX + 1];
struct ovpn_peer *peer;
u32 peer_id;
int ret;
if (GENL_REQ_ATTR_CHECK(info, OVPN_A_KEYCONF))
return -EINVAL;
ret = nla_parse_nested(attrs, OVPN_A_KEYCONF_MAX,
info->attrs[OVPN_A_KEYCONF],
ovpn_keyconf_swap_input_nl_policy, info->extack);
if (ret)
return ret;
if (NL_REQ_ATTR_CHECK(info->extack, info->attrs[OVPN_A_KEYCONF], attrs,
OVPN_A_KEYCONF_PEER_ID))
return -EINVAL;
peer_id = nla_get_u32(attrs[OVPN_A_KEYCONF_PEER_ID]);
peer = ovpn_peer_get_by_id(ovpn, peer_id);
if (!peer) {
NL_SET_ERR_MSG_FMT_MOD(info->extack,
"no peer with id %u to swap keys for",
peer_id);
return -ENOENT;
}
ovpn_crypto_key_slots_swap(&peer->crypto);
ovpn_peer_put(peer);
return 0;
}
int ovpn_nl_key_del_doit(struct sk_buff *skb, struct genl_info *info)
{
struct nlattr *attrs[OVPN_A_KEYCONF_MAX + 1];
struct ovpn_priv *ovpn = info->user_ptr[0];
enum ovpn_key_slot slot;
struct ovpn_peer *peer;
u32 peer_id;
int ret;
if (GENL_REQ_ATTR_CHECK(info, OVPN_A_KEYCONF))
return -EINVAL;
ret = nla_parse_nested(attrs, OVPN_A_KEYCONF_MAX,
info->attrs[OVPN_A_KEYCONF],
ovpn_keyconf_del_input_nl_policy, info->extack);
if (ret)
return ret;
if (NL_REQ_ATTR_CHECK(info->extack, info->attrs[OVPN_A_KEYCONF], attrs,
OVPN_A_KEYCONF_PEER_ID))
return -EINVAL;
if (NL_REQ_ATTR_CHECK(info->extack, info->attrs[OVPN_A_KEYCONF], attrs,
OVPN_A_KEYCONF_SLOT))
return -EINVAL;
peer_id = nla_get_u32(attrs[OVPN_A_KEYCONF_PEER_ID]);
slot = nla_get_u32(attrs[OVPN_A_KEYCONF_SLOT]);
peer = ovpn_peer_get_by_id(ovpn, peer_id);
if (!peer) {
NL_SET_ERR_MSG_FMT_MOD(info->extack,
"no peer with id %u to delete key for",
peer_id);
return -ENOENT;
}
ovpn_crypto_key_slot_delete(&peer->crypto, slot);
ovpn_peer_put(peer);
return 0;
}
/**
* ovpn_nl_peer_del_notify - notify userspace about peer being deleted
* @peer: the peer being deleted
*
* Return: 0 on success or a negative error code otherwise
*/
int ovpn_nl_peer_del_notify(struct ovpn_peer *peer)
{
struct ovpn_socket *sock;
struct sk_buff *msg;
struct nlattr *attr;
int ret = -EMSGSIZE;
void *hdr;
netdev_info(peer->ovpn->dev, "deleting peer with id %u, reason %d\n",
peer->id, peer->delete_reason);
msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_ATOMIC);
if (!msg)
return -ENOMEM;
hdr = genlmsg_put(msg, 0, 0, &ovpn_nl_family, 0, OVPN_CMD_PEER_DEL_NTF);
if (!hdr) {
ret = -ENOBUFS;
goto err_free_msg;
}
if (nla_put_u32(msg, OVPN_A_IFINDEX, peer->ovpn->dev->ifindex))
goto err_cancel_msg;
attr = nla_nest_start(msg, OVPN_A_PEER);
if (!attr)
goto err_cancel_msg;
if (nla_put_u32(msg, OVPN_A_PEER_DEL_REASON, peer->delete_reason))
goto err_cancel_msg;
if (nla_put_u32(msg, OVPN_A_PEER_ID, peer->id))
goto err_cancel_msg;
nla_nest_end(msg, attr);
genlmsg_end(msg, hdr);
rcu_read_lock();
sock = rcu_dereference(peer->sock);
if (!sock) {
ret = -EINVAL;
goto err_unlock;
}
genlmsg_multicast_netns(&ovpn_nl_family, sock_net(sock->sk), msg, 0,
OVPN_NLGRP_PEERS, GFP_ATOMIC);
rcu_read_unlock();
return 0;
err_unlock:
rcu_read_unlock();
err_cancel_msg:
genlmsg_cancel(msg, hdr);
err_free_msg:
nlmsg_free(msg);
return ret;
}
/**
* ovpn_nl_key_swap_notify - notify userspace peer's key must be renewed
* @peer: the peer whose key needs to be renewed
* @key_id: the ID of the key that needs to be renewed
*
* Return: 0 on success or a negative error code otherwise
*/
int ovpn_nl_key_swap_notify(struct ovpn_peer *peer, u8 key_id)
{
struct ovpn_socket *sock;
struct nlattr *k_attr;
struct sk_buff *msg;
int ret = -EMSGSIZE;
void *hdr;
netdev_info(peer->ovpn->dev, "peer with id %u must rekey - primary key unusable.\n",
peer->id);
msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_ATOMIC);
if (!msg)
return -ENOMEM;
hdr = genlmsg_put(msg, 0, 0, &ovpn_nl_family, 0, OVPN_CMD_KEY_SWAP_NTF);
if (!hdr) {
ret = -ENOBUFS;
goto err_free_msg;
}
if (nla_put_u32(msg, OVPN_A_IFINDEX, peer->ovpn->dev->ifindex))
goto err_cancel_msg;
k_attr = nla_nest_start(msg, OVPN_A_KEYCONF);
if (!k_attr)
goto err_cancel_msg;
if (nla_put_u32(msg, OVPN_A_KEYCONF_PEER_ID, peer->id))
goto err_cancel_msg;
if (nla_put_u16(msg, OVPN_A_KEYCONF_KEY_ID, key_id))
goto err_cancel_msg;
nla_nest_end(msg, k_attr);
genlmsg_end(msg, hdr);
rcu_read_lock();
sock = rcu_dereference(peer->sock);
if (!sock) {
ret = -EINVAL;
goto err_unlock;
}
genlmsg_multicast_netns(&ovpn_nl_family, sock_net(sock->sk), msg, 0,
OVPN_NLGRP_PEERS, GFP_ATOMIC);
rcu_read_unlock();
return 0;
err_unlock:
rcu_read_unlock();
err_cancel_msg:
genlmsg_cancel(msg, hdr);
err_free_msg:
nlmsg_free(msg);
return ret;
}
/**
* ovpn_nl_register - perform any needed registration in the NL subsustem
*
* Return: 0 on success, a negative error code otherwise
*/
int __init ovpn_nl_register(void)
{
int ret = genl_register_family(&ovpn_nl_family);
if (ret) {
pr_err("ovpn: genl_register_family failed: %d\n", ret);
return ret;
}
return 0;
}
/**
* ovpn_nl_unregister - undo any module wide netlink registration
*/
void ovpn_nl_unregister(void)
{
genl_unregister_family(&ovpn_nl_family);
}