tools/testing/selftests/net/ovpn/ovpn-cli.c at master

tjh.dev / kernel
fork
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork
kernel / tools / testing / selftests / net / ovpn / ovpn-cli.c
at master 2467 lines 57 kB view raw
wrap content
   1// SPDX-License-Identifier: GPL-2.0
   2/*  OpenVPN data channel accelerator
   3 *
   4 *  Copyright (C) 2020-2025 OpenVPN, Inc.
   5 *
   6 *  Author:	Antonio Quartulli <antonio@openvpn.net>
   7 */
   8
   9#include <stdint.h>
  10#include <stdio.h>
  11#include <inttypes.h>
  12#include <stdbool.h>
  13#include <string.h>
  14#include <errno.h>
  15#include <unistd.h>
  16#include <arpa/inet.h>
  17#include <net/if.h>
  18#include <netinet/in.h>
  19#include <time.h>
  20
  21#include <linux/ovpn.h>
  22#include <linux/types.h>
  23#include <linux/netlink.h>
  24
  25#include <netlink/socket.h>
  26#include <netlink/netlink.h>
  27#include <netlink/genl/genl.h>
  28#include <netlink/genl/family.h>
  29#include <netlink/genl/ctrl.h>
  30
  31#include <mbedtls/base64.h>
  32#include <mbedtls/error.h>
  33
  34#include <sys/socket.h>
  35
  36#include "kselftest.h"
  37
  38/* defines to make checkpatch happy */
  39#define strscpy strncpy
  40
  41/* libnl < 3.5.0 does not set the NLA_F_NESTED on its own, therefore we
  42 * have to explicitly do it to prevent the kernel from failing upon
  43 * parsing of the message
  44 */
  45#define nla_nest_start(_msg, _type) \
  46	nla_nest_start(_msg, (_type) | NLA_F_NESTED)
  47
  48/* libnl < 3.11.0 does not implement nla_get_uint() */
  49uint64_t ovpn_nla_get_uint(struct nlattr *attr)
  50{
  51	if (nla_len(attr) == sizeof(uint32_t))
  52		return nla_get_u32(attr);
  53	else
  54		return nla_get_u64(attr);
  55}
  56
  57typedef int (*ovpn_nl_cb)(struct nl_msg *msg, void *arg);
  58
  59enum ovpn_key_direction {
  60	KEY_DIR_IN = 0,
  61	KEY_DIR_OUT,
  62};
  63
  64#define KEY_LEN (256 / 8)
  65#define NONCE_LEN 8
  66
  67#define PEER_ID_UNDEF 0x00FFFFFF
  68#define MAX_PEERS 10
  69
  70struct nl_ctx {
  71	struct nl_sock *nl_sock;
  72	struct nl_msg *nl_msg;
  73	struct nl_cb *nl_cb;
  74
  75	int ovpn_dco_id;
  76};
  77
  78enum ovpn_cmd {
  79	CMD_INVALID,
  80	CMD_NEW_IFACE,
  81	CMD_DEL_IFACE,
  82	CMD_LISTEN,
  83	CMD_CONNECT,
  84	CMD_NEW_PEER,
  85	CMD_NEW_MULTI_PEER,
  86	CMD_SET_PEER,
  87	CMD_DEL_PEER,
  88	CMD_GET_PEER,
  89	CMD_NEW_KEY,
  90	CMD_DEL_KEY,
  91	CMD_GET_KEY,
  92	CMD_SWAP_KEYS,
  93	CMD_LISTEN_MCAST,
  94};
  95
  96struct ovpn_ctx {
  97	enum ovpn_cmd cmd;
  98
  99	__u8 key_enc[KEY_LEN];
 100	__u8 key_dec[KEY_LEN];
 101	__u8 nonce[NONCE_LEN];
 102
 103	enum ovpn_cipher_alg cipher;
 104
 105	sa_family_t sa_family;
 106
 107	unsigned long peer_id, tx_id;
 108	unsigned long lport;
 109
 110	union {
 111		struct sockaddr_in in4;
 112		struct sockaddr_in6 in6;
 113	} remote;
 114
 115	union {
 116		struct sockaddr_in in4;
 117		struct sockaddr_in6 in6;
 118	} peer_ip;
 119
 120	bool peer_ip_set;
 121
 122	unsigned int ifindex;
 123	char ifname[IFNAMSIZ];
 124	enum ovpn_mode mode;
 125	bool mode_set;
 126
 127	int socket;
 128	int cli_sockets[MAX_PEERS];
 129
 130	__u32 keepalive_interval;
 131	__u32 keepalive_timeout;
 132
 133	enum ovpn_key_direction key_dir;
 134	enum ovpn_key_slot key_slot;
 135	int key_id;
 136
 137	uint32_t mark;
 138	bool asymm_id;
 139
 140	const char *peers_file;
 141};
 142
 143static int ovpn_nl_recvmsgs(struct nl_ctx *ctx)
 144{
 145	int ret;
 146
 147	ret = nl_recvmsgs(ctx->nl_sock, ctx->nl_cb);
 148
 149	switch (ret) {
 150	case -NLE_INTR:
 151		fprintf(stderr,
 152			"netlink received interrupt due to signal - ignoring\n");
 153		break;
 154	case -NLE_NOMEM:
 155		fprintf(stderr, "netlink out of memory error\n");
 156		break;
 157	case -NLE_AGAIN:
 158		fprintf(stderr,
 159			"netlink reports blocking read - aborting wait\n");
 160		break;
 161	default:
 162		if (ret)
 163			fprintf(stderr, "netlink reports error (%d): %s\n",
 164				ret, nl_geterror(-ret));
 165		break;
 166	}
 167
 168	return ret;
 169}
 170
 171static struct nl_ctx *nl_ctx_alloc_flags(struct ovpn_ctx *ovpn, int cmd,
 172					 int flags)
 173{
 174	struct nl_ctx *ctx;
 175	int err, ret;
 176
 177	ctx = calloc(1, sizeof(*ctx));
 178	if (!ctx)
 179		return NULL;
 180
 181	ctx->nl_sock = nl_socket_alloc();
 182	if (!ctx->nl_sock) {
 183		fprintf(stderr, "cannot allocate netlink socket\n");
 184		goto err_free;
 185	}
 186
 187	nl_socket_set_buffer_size(ctx->nl_sock, 8192, 8192);
 188
 189	ret = genl_connect(ctx->nl_sock);
 190	if (ret) {
 191		fprintf(stderr, "cannot connect to generic netlink: %s\n",
 192			nl_geterror(ret));
 193		goto err_sock;
 194	}
 195
 196	/* enable Extended ACK for detailed error reporting */
 197	err = 1;
 198	setsockopt(nl_socket_get_fd(ctx->nl_sock), SOL_NETLINK, NETLINK_EXT_ACK,
 199		   &err, sizeof(err));
 200
 201	ctx->ovpn_dco_id = genl_ctrl_resolve(ctx->nl_sock, OVPN_FAMILY_NAME);
 202	if (ctx->ovpn_dco_id < 0) {
 203		fprintf(stderr, "cannot find ovpn_dco netlink component: %d\n",
 204			ctx->ovpn_dco_id);
 205		goto err_free;
 206	}
 207
 208	ctx->nl_msg = nlmsg_alloc();
 209	if (!ctx->nl_msg) {
 210		fprintf(stderr, "cannot allocate netlink message\n");
 211		goto err_sock;
 212	}
 213
 214	ctx->nl_cb = nl_cb_alloc(NL_CB_DEFAULT);
 215	if (!ctx->nl_cb) {
 216		fprintf(stderr, "failed to allocate netlink callback\n");
 217		goto err_msg;
 218	}
 219
 220	nl_socket_set_cb(ctx->nl_sock, ctx->nl_cb);
 221
 222	genlmsg_put(ctx->nl_msg, 0, 0, ctx->ovpn_dco_id, 0, flags, cmd, 0);
 223
 224	if (ovpn->ifindex > 0)
 225		NLA_PUT_U32(ctx->nl_msg, OVPN_A_IFINDEX, ovpn->ifindex);
 226
 227	return ctx;
 228nla_put_failure:
 229err_msg:
 230	nlmsg_free(ctx->nl_msg);
 231err_sock:
 232	nl_socket_free(ctx->nl_sock);
 233err_free:
 234	free(ctx);
 235	return NULL;
 236}
 237
 238static struct nl_ctx *nl_ctx_alloc(struct ovpn_ctx *ovpn, int cmd)
 239{
 240	return nl_ctx_alloc_flags(ovpn, cmd, 0);
 241}
 242
 243static void nl_ctx_free(struct nl_ctx *ctx)
 244{
 245	if (!ctx)
 246		return;
 247
 248	nl_socket_free(ctx->nl_sock);
 249	nlmsg_free(ctx->nl_msg);
 250	nl_cb_put(ctx->nl_cb);
 251	free(ctx);
 252}
 253
 254static int ovpn_nl_cb_error(struct sockaddr_nl (*nla)__always_unused,
 255			    struct nlmsgerr *err, void *arg)
 256{
 257	struct nlmsghdr *nlh = (struct nlmsghdr *)err - 1;
 258	struct nlattr *tb_msg[NLMSGERR_ATTR_MAX + 1];
 259	int len = nlh->nlmsg_len;
 260	struct nlattr *attrs;
 261	int *ret = arg;
 262	int ack_len = sizeof(*nlh) + sizeof(int) + sizeof(*nlh);
 263
 264	*ret = err->error;
 265
 266	if (!(nlh->nlmsg_flags & NLM_F_ACK_TLVS))
 267		return NL_STOP;
 268
 269	if (!(nlh->nlmsg_flags & NLM_F_CAPPED))
 270		ack_len += err->msg.nlmsg_len - sizeof(*nlh);
 271
 272	if (len <= ack_len)
 273		return NL_STOP;
 274
 275	attrs = (void *)((uint8_t *)nlh + ack_len);
 276	len -= ack_len;
 277
 278	nla_parse(tb_msg, NLMSGERR_ATTR_MAX, attrs, len, NULL);
 279	if (tb_msg[NLMSGERR_ATTR_MSG]) {
 280		len = strnlen((char *)nla_data(tb_msg[NLMSGERR_ATTR_MSG]),
 281			      nla_len(tb_msg[NLMSGERR_ATTR_MSG]));
 282		fprintf(stderr, "kernel error: %*s\n", len,
 283			(char *)nla_data(tb_msg[NLMSGERR_ATTR_MSG]));
 284	}
 285
 286	if (tb_msg[NLMSGERR_ATTR_MISS_NEST]) {
 287		fprintf(stderr, "missing required nesting type %u\n",
 288			nla_get_u32(tb_msg[NLMSGERR_ATTR_MISS_NEST]));
 289	}
 290
 291	if (tb_msg[NLMSGERR_ATTR_MISS_TYPE]) {
 292		fprintf(stderr, "missing required attribute type %u\n",
 293			nla_get_u32(tb_msg[NLMSGERR_ATTR_MISS_TYPE]));
 294	}
 295
 296	return NL_STOP;
 297}
 298
 299static int ovpn_nl_cb_finish(struct nl_msg (*msg)__always_unused,
 300			     void *arg)
 301{
 302	int *status = arg;
 303
 304	*status = 0;
 305	return NL_SKIP;
 306}
 307
 308static int ovpn_nl_cb_ack(struct nl_msg (*msg)__always_unused,
 309			  void *arg)
 310{
 311	int *status = arg;
 312
 313	*status = 0;
 314	return NL_STOP;
 315}
 316
 317static int ovpn_nl_msg_send(struct nl_ctx *ctx, ovpn_nl_cb cb)
 318{
 319	int status = 1;
 320
 321	nl_cb_err(ctx->nl_cb, NL_CB_CUSTOM, ovpn_nl_cb_error, &status);
 322	nl_cb_set(ctx->nl_cb, NL_CB_FINISH, NL_CB_CUSTOM, ovpn_nl_cb_finish,
 323		  &status);
 324	nl_cb_set(ctx->nl_cb, NL_CB_ACK, NL_CB_CUSTOM, ovpn_nl_cb_ack, &status);
 325
 326	if (cb)
 327		nl_cb_set(ctx->nl_cb, NL_CB_VALID, NL_CB_CUSTOM, cb, ctx);
 328
 329	nl_send_auto_complete(ctx->nl_sock, ctx->nl_msg);
 330
 331	while (status == 1)
 332		ovpn_nl_recvmsgs(ctx);
 333
 334	if (status < 0)
 335		fprintf(stderr, "failed to send netlink message: %s (%d)\n",
 336			strerror(-status), status);
 337
 338	return status;
 339}
 340
 341static int ovpn_parse_key(const char *file, struct ovpn_ctx *ctx)
 342{
 343	int idx_enc, idx_dec, ret = -1;
 344	unsigned char *ckey = NULL;
 345	__u8 *bkey = NULL;
 346	size_t olen = 0;
 347	long ckey_len;
 348	FILE *fp;
 349
 350	fp = fopen(file, "r");
 351	if (!fp) {
 352		fprintf(stderr, "cannot open: %s\n", file);
 353		return -1;
 354	}
 355
 356	/* get file size */
 357	fseek(fp, 0L, SEEK_END);
 358	ckey_len = ftell(fp);
 359	rewind(fp);
 360
 361	/* if the file is longer, let's just read a portion */
 362	if (ckey_len > 256)
 363		ckey_len = 256;
 364
 365	ckey = malloc(ckey_len);
 366	if (!ckey)
 367		goto err;
 368
 369	ret = fread(ckey, 1, ckey_len, fp);
 370	if (ret != ckey_len) {
 371		fprintf(stderr,
 372			"couldn't read enough data from key file: %dbytes read\n",
 373			ret);
 374		goto err;
 375	}
 376
 377	olen = 0;
 378	ret = mbedtls_base64_decode(NULL, 0, &olen, ckey, ckey_len);
 379	if (ret != MBEDTLS_ERR_BASE64_BUFFER_TOO_SMALL) {
 380		char buf[256];
 381
 382		mbedtls_strerror(ret, buf, sizeof(buf));
 383		fprintf(stderr, "unexpected base64 error1: %s (%d)\n", buf,
 384			ret);
 385
 386		goto err;
 387	}
 388
 389	bkey = malloc(olen);
 390	if (!bkey) {
 391		fprintf(stderr, "cannot allocate binary key buffer\n");
 392		goto err;
 393	}
 394
 395	ret = mbedtls_base64_decode(bkey, olen, &olen, ckey, ckey_len);
 396	if (ret) {
 397		char buf[256];
 398
 399		mbedtls_strerror(ret, buf, sizeof(buf));
 400		fprintf(stderr, "unexpected base64 error2: %s (%d)\n", buf,
 401			ret);
 402
 403		goto err;
 404	}
 405
 406	if (olen < 2 * KEY_LEN + NONCE_LEN) {
 407		fprintf(stderr,
 408			"not enough data in key file, found %zdB but needs %dB\n",
 409			olen, 2 * KEY_LEN + NONCE_LEN);
 410		goto err;
 411	}
 412
 413	switch (ctx->key_dir) {
 414	case KEY_DIR_IN:
 415		idx_enc = 0;
 416		idx_dec = 1;
 417		break;
 418	case KEY_DIR_OUT:
 419		idx_enc = 1;
 420		idx_dec = 0;
 421		break;
 422	default:
 423		goto err;
 424	}
 425
 426	memcpy(ctx->key_enc, bkey + KEY_LEN * idx_enc, KEY_LEN);
 427	memcpy(ctx->key_dec, bkey + KEY_LEN * idx_dec, KEY_LEN);
 428	memcpy(ctx->nonce, bkey + 2 * KEY_LEN, NONCE_LEN);
 429
 430	ret = 0;
 431
 432err:
 433	fclose(fp);
 434	free(bkey);
 435	free(ckey);
 436
 437	return ret;
 438}
 439
 440static int ovpn_parse_cipher(const char *cipher, struct ovpn_ctx *ctx)
 441{
 442	if (strcmp(cipher, "aes") == 0)
 443		ctx->cipher = OVPN_CIPHER_ALG_AES_GCM;
 444	else if (strcmp(cipher, "chachapoly") == 0)
 445		ctx->cipher = OVPN_CIPHER_ALG_CHACHA20_POLY1305;
 446	else if (strcmp(cipher, "none") == 0)
 447		ctx->cipher = OVPN_CIPHER_ALG_NONE;
 448	else
 449		return -ENOTSUP;
 450
 451	return 0;
 452}
 453
 454static int ovpn_parse_key_direction(const char *dir, struct ovpn_ctx *ctx)
 455{
 456	int in_dir;
 457
 458	in_dir = strtoll(dir, NULL, 10);
 459	switch (in_dir) {
 460	case KEY_DIR_IN:
 461	case KEY_DIR_OUT:
 462		ctx->key_dir = in_dir;
 463		break;
 464	default:
 465		fprintf(stderr,
 466			"invalid key direction provided. Can be 0 or 1 only\n");
 467		return -1;
 468	}
 469
 470	return 0;
 471}
 472
 473static int ovpn_socket(struct ovpn_ctx *ctx, sa_family_t family, int proto)
 474{
 475	struct sockaddr_storage local_sock = { 0 };
 476	struct sockaddr_in6 *in6;
 477	struct sockaddr_in *in;
 478	int ret, s, sock_type;
 479	size_t sock_len;
 480
 481	if (proto == IPPROTO_UDP)
 482		sock_type = SOCK_DGRAM;
 483	else if (proto == IPPROTO_TCP)
 484		sock_type = SOCK_STREAM;
 485	else
 486		return -EINVAL;
 487
 488	s = socket(family, sock_type, 0);
 489	if (s < 0) {
 490		perror("cannot create socket");
 491		return -1;
 492	}
 493
 494	switch (family) {
 495	case AF_INET:
 496		in = (struct sockaddr_in *)&local_sock;
 497		in->sin_family = family;
 498		in->sin_port = htons(ctx->lport);
 499		in->sin_addr.s_addr = htonl(INADDR_ANY);
 500		sock_len = sizeof(*in);
 501		break;
 502	case AF_INET6:
 503		in6 = (struct sockaddr_in6 *)&local_sock;
 504		in6->sin6_family = family;
 505		in6->sin6_port = htons(ctx->lport);
 506		in6->sin6_addr = in6addr_any;
 507		sock_len = sizeof(*in6);
 508		break;
 509	default:
 510		return -1;
 511	}
 512
 513	int opt = 1;
 514
 515	ret = setsockopt(s, SOL_SOCKET, SO_REUSEADDR, &opt, sizeof(opt));
 516
 517	if (ret < 0) {
 518		perror("setsockopt for SO_REUSEADDR");
 519		return ret;
 520	}
 521
 522	ret = setsockopt(s, SOL_SOCKET, SO_REUSEPORT, &opt, sizeof(opt));
 523	if (ret < 0) {
 524		perror("setsockopt for SO_REUSEPORT");
 525		return ret;
 526	}
 527
 528	if (ctx->mark != 0) {
 529		ret = setsockopt(s, SOL_SOCKET, SO_MARK, (void *)&ctx->mark,
 530				 sizeof(ctx->mark));
 531		if (ret < 0) {
 532			perror("setsockopt for SO_MARK");
 533			return ret;
 534		}
 535	}
 536
 537	if (family == AF_INET6) {
 538		opt = 0;
 539		if (setsockopt(s, IPPROTO_IPV6, IPV6_V6ONLY, &opt,
 540			       sizeof(opt))) {
 541			perror("failed to set IPV6_V6ONLY");
 542			return -1;
 543		}
 544	}
 545
 546	ret = bind(s, (struct sockaddr *)&local_sock, sock_len);
 547	if (ret < 0) {
 548		perror("cannot bind socket");
 549		goto err_socket;
 550	}
 551
 552	ctx->socket = s;
 553	ctx->sa_family = family;
 554	return 0;
 555
 556err_socket:
 557	close(s);
 558	return -1;
 559}
 560
 561static int ovpn_udp_socket(struct ovpn_ctx *ctx, sa_family_t family)
 562{
 563	return ovpn_socket(ctx, family, IPPROTO_UDP);
 564}
 565
 566static int ovpn_listen(struct ovpn_ctx *ctx, sa_family_t family)
 567{
 568	int ret;
 569
 570	ret = ovpn_socket(ctx, family, IPPROTO_TCP);
 571	if (ret < 0)
 572		return ret;
 573
 574	ret = listen(ctx->socket, 10);
 575	if (ret < 0) {
 576		perror("listen");
 577		close(ctx->socket);
 578		return -1;
 579	}
 580
 581	return 0;
 582}
 583
 584static int ovpn_accept(struct ovpn_ctx *ctx)
 585{
 586	socklen_t socklen;
 587	int ret;
 588
 589	socklen = sizeof(ctx->remote);
 590	ret = accept(ctx->socket, (struct sockaddr *)&ctx->remote, &socklen);
 591	if (ret < 0) {
 592		perror("accept");
 593		goto err;
 594	}
 595
 596	fprintf(stderr, "Connection received!\n");
 597
 598	switch (socklen) {
 599	case sizeof(struct sockaddr_in):
 600	case sizeof(struct sockaddr_in6):
 601		break;
 602	default:
 603		fprintf(stderr, "error: expecting IPv4 or IPv6 connection\n");
 604		close(ret);
 605		ret = -EINVAL;
 606		goto err;
 607	}
 608
 609	return ret;
 610err:
 611	close(ctx->socket);
 612	return ret;
 613}
 614
 615static int ovpn_connect(struct ovpn_ctx *ovpn)
 616{
 617	socklen_t socklen;
 618	int s, ret;
 619
 620	s = socket(ovpn->remote.in4.sin_family, SOCK_STREAM, 0);
 621	if (s < 0) {
 622		perror("cannot create socket");
 623		return -1;
 624	}
 625
 626	switch (ovpn->remote.in4.sin_family) {
 627	case AF_INET:
 628		socklen = sizeof(struct sockaddr_in);
 629		break;
 630	case AF_INET6:
 631		socklen = sizeof(struct sockaddr_in6);
 632		break;
 633	default:
 634		return -EOPNOTSUPP;
 635	}
 636
 637	ret = connect(s, (struct sockaddr *)&ovpn->remote, socklen);
 638	if (ret < 0) {
 639		perror("connect");
 640		goto err;
 641	}
 642
 643	fprintf(stderr, "connected\n");
 644
 645	ovpn->socket = s;
 646
 647	return 0;
 648err:
 649	close(s);
 650	return ret;
 651}
 652
 653static int ovpn_new_peer(struct ovpn_ctx *ovpn, bool is_tcp)
 654{
 655	struct nlattr *attr;
 656	struct nl_ctx *ctx;
 657	int ret = -1;
 658
 659	ctx = nl_ctx_alloc(ovpn, OVPN_CMD_PEER_NEW);
 660	if (!ctx)
 661		return -ENOMEM;
 662
 663	attr = nla_nest_start(ctx->nl_msg, OVPN_A_PEER);
 664	NLA_PUT_U32(ctx->nl_msg, OVPN_A_PEER_ID, ovpn->peer_id);
 665	if (ovpn->asymm_id)
 666		NLA_PUT_U32(ctx->nl_msg, OVPN_A_PEER_TX_ID, ovpn->tx_id);
 667	NLA_PUT_U32(ctx->nl_msg, OVPN_A_PEER_SOCKET, ovpn->socket);
 668
 669	if (!is_tcp) {
 670		switch (ovpn->remote.in4.sin_family) {
 671		case AF_INET:
 672			NLA_PUT_U32(ctx->nl_msg, OVPN_A_PEER_REMOTE_IPV4,
 673				    ovpn->remote.in4.sin_addr.s_addr);
 674			NLA_PUT_U16(ctx->nl_msg, OVPN_A_PEER_REMOTE_PORT,
 675				    ovpn->remote.in4.sin_port);
 676			break;
 677		case AF_INET6:
 678			NLA_PUT(ctx->nl_msg, OVPN_A_PEER_REMOTE_IPV6,
 679				sizeof(ovpn->remote.in6.sin6_addr),
 680				&ovpn->remote.in6.sin6_addr);
 681			NLA_PUT_U32(ctx->nl_msg,
 682				    OVPN_A_PEER_REMOTE_IPV6_SCOPE_ID,
 683				    ovpn->remote.in6.sin6_scope_id);
 684			NLA_PUT_U16(ctx->nl_msg, OVPN_A_PEER_REMOTE_PORT,
 685				    ovpn->remote.in6.sin6_port);
 686			break;
 687		default:
 688			fprintf(stderr,
 689				"Invalid family for remote socket address\n");
 690			goto nla_put_failure;
 691		}
 692	}
 693
 694	if (ovpn->peer_ip_set) {
 695		switch (ovpn->peer_ip.in4.sin_family) {
 696		case AF_INET:
 697			NLA_PUT_U32(ctx->nl_msg, OVPN_A_PEER_VPN_IPV4,
 698				    ovpn->peer_ip.in4.sin_addr.s_addr);
 699			break;
 700		case AF_INET6:
 701			NLA_PUT(ctx->nl_msg, OVPN_A_PEER_VPN_IPV6,
 702				sizeof(struct in6_addr),
 703				&ovpn->peer_ip.in6.sin6_addr);
 704			break;
 705		default:
 706			fprintf(stderr, "Invalid family for peer address\n");
 707			goto nla_put_failure;
 708		}
 709	}
 710
 711	nla_nest_end(ctx->nl_msg, attr);
 712
 713	ret = ovpn_nl_msg_send(ctx, NULL);
 714nla_put_failure:
 715	nl_ctx_free(ctx);
 716	return ret;
 717}
 718
 719static int ovpn_set_peer(struct ovpn_ctx *ovpn)
 720{
 721	struct nlattr *attr;
 722	struct nl_ctx *ctx;
 723	int ret = -1;
 724
 725	ctx = nl_ctx_alloc(ovpn, OVPN_CMD_PEER_SET);
 726	if (!ctx)
 727		return -ENOMEM;
 728
 729	attr = nla_nest_start(ctx->nl_msg, OVPN_A_PEER);
 730	NLA_PUT_U32(ctx->nl_msg, OVPN_A_PEER_ID, ovpn->peer_id);
 731	NLA_PUT_U32(ctx->nl_msg, OVPN_A_PEER_KEEPALIVE_INTERVAL,
 732		    ovpn->keepalive_interval);
 733	NLA_PUT_U32(ctx->nl_msg, OVPN_A_PEER_KEEPALIVE_TIMEOUT,
 734		    ovpn->keepalive_timeout);
 735	nla_nest_end(ctx->nl_msg, attr);
 736
 737	ret = ovpn_nl_msg_send(ctx, NULL);
 738nla_put_failure:
 739	nl_ctx_free(ctx);
 740	return ret;
 741}
 742
 743static int ovpn_del_peer(struct ovpn_ctx *ovpn)
 744{
 745	struct nlattr *attr;
 746	struct nl_ctx *ctx;
 747	int ret = -1;
 748
 749	ctx = nl_ctx_alloc(ovpn, OVPN_CMD_PEER_DEL);
 750	if (!ctx)
 751		return -ENOMEM;
 752
 753	attr = nla_nest_start(ctx->nl_msg, OVPN_A_PEER);
 754	NLA_PUT_U32(ctx->nl_msg, OVPN_A_PEER_ID, ovpn->peer_id);
 755	nla_nest_end(ctx->nl_msg, attr);
 756
 757	ret = ovpn_nl_msg_send(ctx, NULL);
 758nla_put_failure:
 759	nl_ctx_free(ctx);
 760	return ret;
 761}
 762
 763static int ovpn_handle_peer(struct nl_msg *msg, void (*arg)__always_unused)
 764{
 765	struct nlattr *pattrs[OVPN_A_PEER_MAX + 1];
 766	struct genlmsghdr *gnlh = nlmsg_data(nlmsg_hdr(msg));
 767	struct nlattr *attrs[OVPN_A_MAX + 1];
 768	__u16 rport = 0, lport = 0;
 769
 770	nla_parse(attrs, OVPN_A_MAX, genlmsg_attrdata(gnlh, 0),
 771		  genlmsg_attrlen(gnlh, 0), NULL);
 772
 773	if (!attrs[OVPN_A_PEER]) {
 774		fprintf(stderr, "no packet content in netlink message\n");
 775		return NL_SKIP;
 776	}
 777
 778	nla_parse(pattrs, OVPN_A_PEER_MAX, nla_data(attrs[OVPN_A_PEER]),
 779		  nla_len(attrs[OVPN_A_PEER]), NULL);
 780
 781	if (pattrs[OVPN_A_PEER_ID])
 782		fprintf(stderr, "* Peer %u\n",
 783			nla_get_u32(pattrs[OVPN_A_PEER_ID]));
 784
 785	if (pattrs[OVPN_A_PEER_TX_ID])
 786		fprintf(stderr, "\tTX peer ID %u\n",
 787			nla_get_u32(pattrs[OVPN_A_PEER_TX_ID]));
 788
 789	if (pattrs[OVPN_A_PEER_SOCKET_NETNSID])
 790		fprintf(stderr, "\tsocket NetNS ID: %d\n",
 791			nla_get_s32(pattrs[OVPN_A_PEER_SOCKET_NETNSID]));
 792
 793	if (pattrs[OVPN_A_PEER_VPN_IPV4]) {
 794		char buf[INET_ADDRSTRLEN];
 795
 796		inet_ntop(AF_INET, nla_data(pattrs[OVPN_A_PEER_VPN_IPV4]),
 797			  buf, sizeof(buf));
 798		fprintf(stderr, "\tVPN IPv4: %s\n", buf);
 799	}
 800
 801	if (pattrs[OVPN_A_PEER_VPN_IPV6]) {
 802		char buf[INET6_ADDRSTRLEN];
 803
 804		inet_ntop(AF_INET6, nla_data(pattrs[OVPN_A_PEER_VPN_IPV6]),
 805			  buf, sizeof(buf));
 806		fprintf(stderr, "\tVPN IPv6: %s\n", buf);
 807	}
 808
 809	if (pattrs[OVPN_A_PEER_LOCAL_PORT])
 810		lport = ntohs(nla_get_u16(pattrs[OVPN_A_PEER_LOCAL_PORT]));
 811
 812	if (pattrs[OVPN_A_PEER_REMOTE_PORT])
 813		rport = ntohs(nla_get_u16(pattrs[OVPN_A_PEER_REMOTE_PORT]));
 814
 815	if (pattrs[OVPN_A_PEER_REMOTE_IPV6]) {
 816		void *ip = pattrs[OVPN_A_PEER_REMOTE_IPV6];
 817		char buf[INET6_ADDRSTRLEN];
 818		int scope_id = -1;
 819
 820		if (pattrs[OVPN_A_PEER_REMOTE_IPV6_SCOPE_ID]) {
 821			void *p = pattrs[OVPN_A_PEER_REMOTE_IPV6_SCOPE_ID];
 822
 823			scope_id = nla_get_u32(p);
 824		}
 825
 826		inet_ntop(AF_INET6, nla_data(ip), buf, sizeof(buf));
 827		fprintf(stderr, "\tRemote: %s:%hu (scope-id: %u)\n", buf, rport,
 828			scope_id);
 829
 830		if (pattrs[OVPN_A_PEER_LOCAL_IPV6]) {
 831			void *ip = pattrs[OVPN_A_PEER_LOCAL_IPV6];
 832
 833			inet_ntop(AF_INET6, nla_data(ip), buf, sizeof(buf));
 834			fprintf(stderr, "\tLocal: %s:%hu\n", buf, lport);
 835		}
 836	}
 837
 838	if (pattrs[OVPN_A_PEER_REMOTE_IPV4]) {
 839		void *ip = pattrs[OVPN_A_PEER_REMOTE_IPV4];
 840		char buf[INET_ADDRSTRLEN];
 841
 842		inet_ntop(AF_INET, nla_data(ip), buf, sizeof(buf));
 843		fprintf(stderr, "\tRemote: %s:%hu\n", buf, rport);
 844
 845		if (pattrs[OVPN_A_PEER_LOCAL_IPV4]) {
 846			void *p = pattrs[OVPN_A_PEER_LOCAL_IPV4];
 847
 848			inet_ntop(AF_INET, nla_data(p), buf, sizeof(buf));
 849			fprintf(stderr, "\tLocal: %s:%hu\n", buf, lport);
 850		}
 851	}
 852
 853	if (pattrs[OVPN_A_PEER_KEEPALIVE_INTERVAL]) {
 854		void *p = pattrs[OVPN_A_PEER_KEEPALIVE_INTERVAL];
 855
 856		fprintf(stderr, "\tKeepalive interval: %u sec\n",
 857			nla_get_u32(p));
 858	}
 859
 860	if (pattrs[OVPN_A_PEER_KEEPALIVE_TIMEOUT])
 861		fprintf(stderr, "\tKeepalive timeout: %u sec\n",
 862			nla_get_u32(pattrs[OVPN_A_PEER_KEEPALIVE_TIMEOUT]));
 863
 864	if (pattrs[OVPN_A_PEER_VPN_RX_BYTES])
 865		fprintf(stderr, "\tVPN RX bytes: %" PRIu64 "\n",
 866			ovpn_nla_get_uint(pattrs[OVPN_A_PEER_VPN_RX_BYTES]));
 867
 868	if (pattrs[OVPN_A_PEER_VPN_TX_BYTES])
 869		fprintf(stderr, "\tVPN TX bytes: %" PRIu64 "\n",
 870			ovpn_nla_get_uint(pattrs[OVPN_A_PEER_VPN_TX_BYTES]));
 871
 872	if (pattrs[OVPN_A_PEER_VPN_RX_PACKETS])
 873		fprintf(stderr, "\tVPN RX packets: %" PRIu64 "\n",
 874			ovpn_nla_get_uint(pattrs[OVPN_A_PEER_VPN_RX_PACKETS]));
 875
 876	if (pattrs[OVPN_A_PEER_VPN_TX_PACKETS])
 877		fprintf(stderr, "\tVPN TX packets: %" PRIu64 "\n",
 878			ovpn_nla_get_uint(pattrs[OVPN_A_PEER_VPN_TX_PACKETS]));
 879
 880	if (pattrs[OVPN_A_PEER_LINK_RX_BYTES])
 881		fprintf(stderr, "\tLINK RX bytes: %" PRIu64 "\n",
 882			ovpn_nla_get_uint(pattrs[OVPN_A_PEER_LINK_RX_BYTES]));
 883
 884	if (pattrs[OVPN_A_PEER_LINK_TX_BYTES])
 885		fprintf(stderr, "\tLINK TX bytes: %" PRIu64 "\n",
 886			ovpn_nla_get_uint(pattrs[OVPN_A_PEER_LINK_TX_BYTES]));
 887
 888	if (pattrs[OVPN_A_PEER_LINK_RX_PACKETS])
 889		fprintf(stderr, "\tLINK RX packets: %" PRIu64 "\n",
 890			ovpn_nla_get_uint(pattrs[OVPN_A_PEER_LINK_RX_PACKETS]));
 891
 892	if (pattrs[OVPN_A_PEER_LINK_TX_PACKETS])
 893		fprintf(stderr, "\tLINK TX packets: %" PRIu64 "\n",
 894			ovpn_nla_get_uint(pattrs[OVPN_A_PEER_LINK_TX_PACKETS]));
 895
 896	return NL_SKIP;
 897}
 898
 899static int ovpn_get_peer(struct ovpn_ctx *ovpn)
 900{
 901	int flags = 0, ret = -1;
 902	struct nlattr *attr;
 903	struct nl_ctx *ctx;
 904
 905	if (ovpn->peer_id == PEER_ID_UNDEF)
 906		flags = NLM_F_DUMP;
 907
 908	ctx = nl_ctx_alloc_flags(ovpn, OVPN_CMD_PEER_GET, flags);
 909	if (!ctx)
 910		return -ENOMEM;
 911
 912	if (ovpn->peer_id != PEER_ID_UNDEF) {
 913		attr = nla_nest_start(ctx->nl_msg, OVPN_A_PEER);
 914		NLA_PUT_U32(ctx->nl_msg, OVPN_A_PEER_ID, ovpn->peer_id);
 915		nla_nest_end(ctx->nl_msg, attr);
 916	}
 917
 918	ret = ovpn_nl_msg_send(ctx, ovpn_handle_peer);
 919nla_put_failure:
 920	nl_ctx_free(ctx);
 921	return ret;
 922}
 923
 924static int ovpn_new_key(struct ovpn_ctx *ovpn)
 925{
 926	struct nlattr *keyconf, *key_dir;
 927	struct nl_ctx *ctx;
 928	int ret = -1;
 929
 930	ctx = nl_ctx_alloc(ovpn, OVPN_CMD_KEY_NEW);
 931	if (!ctx)
 932		return -ENOMEM;
 933
 934	keyconf = nla_nest_start(ctx->nl_msg, OVPN_A_KEYCONF);
 935	NLA_PUT_U32(ctx->nl_msg, OVPN_A_KEYCONF_PEER_ID, ovpn->peer_id);
 936	NLA_PUT_U32(ctx->nl_msg, OVPN_A_KEYCONF_SLOT, ovpn->key_slot);
 937	NLA_PUT_U32(ctx->nl_msg, OVPN_A_KEYCONF_KEY_ID, ovpn->key_id);
 938	NLA_PUT_U32(ctx->nl_msg, OVPN_A_KEYCONF_CIPHER_ALG, ovpn->cipher);
 939
 940	key_dir = nla_nest_start(ctx->nl_msg, OVPN_A_KEYCONF_ENCRYPT_DIR);
 941	NLA_PUT(ctx->nl_msg, OVPN_A_KEYDIR_CIPHER_KEY, KEY_LEN, ovpn->key_enc);
 942	NLA_PUT(ctx->nl_msg, OVPN_A_KEYDIR_NONCE_TAIL, NONCE_LEN, ovpn->nonce);
 943	nla_nest_end(ctx->nl_msg, key_dir);
 944
 945	key_dir = nla_nest_start(ctx->nl_msg, OVPN_A_KEYCONF_DECRYPT_DIR);
 946	NLA_PUT(ctx->nl_msg, OVPN_A_KEYDIR_CIPHER_KEY, KEY_LEN, ovpn->key_dec);
 947	NLA_PUT(ctx->nl_msg, OVPN_A_KEYDIR_NONCE_TAIL, NONCE_LEN, ovpn->nonce);
 948	nla_nest_end(ctx->nl_msg, key_dir);
 949
 950	nla_nest_end(ctx->nl_msg, keyconf);
 951
 952	ret = ovpn_nl_msg_send(ctx, NULL);
 953nla_put_failure:
 954	nl_ctx_free(ctx);
 955	return ret;
 956}
 957
 958static int ovpn_del_key(struct ovpn_ctx *ovpn)
 959{
 960	struct nlattr *keyconf;
 961	struct nl_ctx *ctx;
 962	int ret = -1;
 963
 964	ctx = nl_ctx_alloc(ovpn, OVPN_CMD_KEY_DEL);
 965	if (!ctx)
 966		return -ENOMEM;
 967
 968	keyconf = nla_nest_start(ctx->nl_msg, OVPN_A_KEYCONF);
 969	NLA_PUT_U32(ctx->nl_msg, OVPN_A_KEYCONF_PEER_ID, ovpn->peer_id);
 970	NLA_PUT_U32(ctx->nl_msg, OVPN_A_KEYCONF_SLOT, ovpn->key_slot);
 971	nla_nest_end(ctx->nl_msg, keyconf);
 972
 973	ret = ovpn_nl_msg_send(ctx, NULL);
 974nla_put_failure:
 975	nl_ctx_free(ctx);
 976	return ret;
 977}
 978
 979static int ovpn_handle_key(struct nl_msg *msg, void (*arg)__always_unused)
 980{
 981	struct nlattr *kattrs[OVPN_A_KEYCONF_MAX + 1];
 982	struct genlmsghdr *gnlh = nlmsg_data(nlmsg_hdr(msg));
 983	struct nlattr *attrs[OVPN_A_MAX + 1];
 984
 985	nla_parse(attrs, OVPN_A_MAX, genlmsg_attrdata(gnlh, 0),
 986		  genlmsg_attrlen(gnlh, 0), NULL);
 987
 988	if (!attrs[OVPN_A_KEYCONF]) {
 989		fprintf(stderr, "no packet content in netlink message\n");
 990		return NL_SKIP;
 991	}
 992
 993	nla_parse(kattrs, OVPN_A_KEYCONF_MAX, nla_data(attrs[OVPN_A_KEYCONF]),
 994		  nla_len(attrs[OVPN_A_KEYCONF]), NULL);
 995
 996	if (kattrs[OVPN_A_KEYCONF_PEER_ID])
 997		fprintf(stderr, "* Peer %u\n",
 998			nla_get_u32(kattrs[OVPN_A_KEYCONF_PEER_ID]));
 999	if (kattrs[OVPN_A_KEYCONF_SLOT]) {
1000		fprintf(stderr, "\t- Slot: ");
1001		switch (nla_get_u32(kattrs[OVPN_A_KEYCONF_SLOT])) {
1002		case OVPN_KEY_SLOT_PRIMARY:
1003			fprintf(stderr, "primary\n");
1004			break;
1005		case OVPN_KEY_SLOT_SECONDARY:
1006			fprintf(stderr, "secondary\n");
1007			break;
1008		default:
1009			fprintf(stderr, "invalid (%u)\n",
1010				nla_get_u32(kattrs[OVPN_A_KEYCONF_SLOT]));
1011			break;
1012		}
1013	}
1014	if (kattrs[OVPN_A_KEYCONF_KEY_ID])
1015		fprintf(stderr, "\t- Key ID: %u\n",
1016			nla_get_u32(kattrs[OVPN_A_KEYCONF_KEY_ID]));
1017	if (kattrs[OVPN_A_KEYCONF_CIPHER_ALG]) {
1018		fprintf(stderr, "\t- Cipher: ");
1019		switch (nla_get_u32(kattrs[OVPN_A_KEYCONF_CIPHER_ALG])) {
1020		case OVPN_CIPHER_ALG_NONE:
1021			fprintf(stderr, "none\n");
1022			break;
1023		case OVPN_CIPHER_ALG_AES_GCM:
1024			fprintf(stderr, "aes-gcm\n");
1025			break;
1026		case OVPN_CIPHER_ALG_CHACHA20_POLY1305:
1027			fprintf(stderr, "chacha20poly1305\n");
1028			break;
1029		default:
1030			fprintf(stderr, "invalid (%u)\n",
1031				nla_get_u32(kattrs[OVPN_A_KEYCONF_CIPHER_ALG]));
1032			break;
1033		}
1034	}
1035
1036	return NL_SKIP;
1037}
1038
1039static int ovpn_get_key(struct ovpn_ctx *ovpn)
1040{
1041	struct nlattr *keyconf;
1042	struct nl_ctx *ctx;
1043	int ret = -1;
1044
1045	ctx = nl_ctx_alloc(ovpn, OVPN_CMD_KEY_GET);
1046	if (!ctx)
1047		return -ENOMEM;
1048
1049	keyconf = nla_nest_start(ctx->nl_msg, OVPN_A_KEYCONF);
1050	NLA_PUT_U32(ctx->nl_msg, OVPN_A_KEYCONF_PEER_ID, ovpn->peer_id);
1051	NLA_PUT_U32(ctx->nl_msg, OVPN_A_KEYCONF_SLOT, ovpn->key_slot);
1052	nla_nest_end(ctx->nl_msg, keyconf);
1053
1054	ret = ovpn_nl_msg_send(ctx, ovpn_handle_key);
1055nla_put_failure:
1056	nl_ctx_free(ctx);
1057	return ret;
1058}
1059
1060static int ovpn_swap_keys(struct ovpn_ctx *ovpn)
1061{
1062	struct nl_ctx *ctx;
1063	struct nlattr *kc;
1064	int ret = -1;
1065
1066	ctx = nl_ctx_alloc(ovpn, OVPN_CMD_KEY_SWAP);
1067	if (!ctx)
1068		return -ENOMEM;
1069
1070	kc = nla_nest_start(ctx->nl_msg, OVPN_A_KEYCONF);
1071	NLA_PUT_U32(ctx->nl_msg, OVPN_A_KEYCONF_PEER_ID, ovpn->peer_id);
1072	nla_nest_end(ctx->nl_msg, kc);
1073
1074	ret = ovpn_nl_msg_send(ctx, NULL);
1075nla_put_failure:
1076	nl_ctx_free(ctx);
1077	return ret;
1078}
1079
1080/* Helper function used to easily add attributes to a rtnl message */
1081static int ovpn_addattr(struct nlmsghdr *n, int maxlen, int type,
1082			const void *data, int alen)
1083{
1084	int len = RTA_LENGTH(alen);
1085	struct rtattr *rta;
1086
1087	if ((int)(NLMSG_ALIGN(n->nlmsg_len) + RTA_ALIGN(len)) > maxlen)	{
1088		fprintf(stderr, "%s: rtnl: message exceeded bound of %d\n",
1089			__func__, maxlen);
1090		return -EMSGSIZE;
1091	}
1092
1093	rta = nlmsg_tail(n);
1094	rta->rta_type = type;
1095	rta->rta_len = len;
1096
1097	if (!data)
1098		memset(RTA_DATA(rta), 0, alen);
1099	else
1100		memcpy(RTA_DATA(rta), data, alen);
1101
1102	n->nlmsg_len = NLMSG_ALIGN(n->nlmsg_len) + RTA_ALIGN(len);
1103
1104	return 0;
1105}
1106
1107static struct rtattr *ovpn_nest_start(struct nlmsghdr *msg, size_t max_size,
1108				      int attr)
1109{
1110	struct rtattr *nest = nlmsg_tail(msg);
1111
1112	if (ovpn_addattr(msg, max_size, attr, NULL, 0) < 0)
1113		return NULL;
1114
1115	return nest;
1116}
1117
1118static void ovpn_nest_end(struct nlmsghdr *msg, struct rtattr *nest)
1119{
1120	nest->rta_len = (uint8_t *)nlmsg_tail(msg) - (uint8_t *)nest;
1121}
1122
1123#define RT_SNDBUF_SIZE (1024 * 2)
1124#define RT_RCVBUF_SIZE (1024 * 4)
1125
1126/* Open RTNL socket */
1127static int ovpn_rt_socket(void)
1128{
1129	int sndbuf = RT_SNDBUF_SIZE, rcvbuf = RT_RCVBUF_SIZE, fd;
1130
1131	fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE);
1132	if (fd < 0) {
1133		fprintf(stderr, "%s: cannot open netlink socket\n", __func__);
1134		return fd;
1135	}
1136
1137	if (setsockopt(fd, SOL_SOCKET, SO_SNDBUF, &sndbuf,
1138		       sizeof(sndbuf)) < 0) {
1139		fprintf(stderr, "%s: SO_SNDBUF\n", __func__);
1140		close(fd);
1141		return -1;
1142	}
1143
1144	if (setsockopt(fd, SOL_SOCKET, SO_RCVBUF, &rcvbuf,
1145		       sizeof(rcvbuf)) < 0) {
1146		fprintf(stderr, "%s: SO_RCVBUF\n", __func__);
1147		close(fd);
1148		return -1;
1149	}
1150
1151	return fd;
1152}
1153
1154/* Bind socket to Netlink subsystem */
1155static int ovpn_rt_bind(int fd, uint32_t groups)
1156{
1157	struct sockaddr_nl local = { 0 };
1158	socklen_t addr_len;
1159
1160	local.nl_family = AF_NETLINK;
1161	local.nl_groups = groups;
1162
1163	if (bind(fd, (struct sockaddr *)&local, sizeof(local)) < 0) {
1164		fprintf(stderr, "%s: cannot bind netlink socket: %d\n",
1165			__func__, errno);
1166		return -errno;
1167	}
1168
1169	addr_len = sizeof(local);
1170	if (getsockname(fd, (struct sockaddr *)&local, &addr_len) < 0) {
1171		fprintf(stderr, "%s: cannot getsockname: %d\n", __func__,
1172			errno);
1173		return -errno;
1174	}
1175
1176	if (addr_len != sizeof(local)) {
1177		fprintf(stderr, "%s: wrong address length %d\n", __func__,
1178			addr_len);
1179		return -EINVAL;
1180	}
1181
1182	if (local.nl_family != AF_NETLINK) {
1183		fprintf(stderr, "%s: wrong address family %d\n", __func__,
1184			local.nl_family);
1185		return -EINVAL;
1186	}
1187
1188	return 0;
1189}
1190
1191typedef int (*ovpn_parse_reply_cb)(struct nlmsghdr *msg, void *arg);
1192
1193/* Send Netlink message and run callback on reply (if specified) */
1194static int ovpn_rt_send(struct nlmsghdr *payload, pid_t peer,
1195			unsigned int groups, ovpn_parse_reply_cb cb,
1196			void *arg_cb)
1197{
1198	int len, rem_len, fd, ret, rcv_len;
1199	struct sockaddr_nl nladdr = { 0 };
1200	struct nlmsgerr *err;
1201	struct nlmsghdr *h;
1202	char buf[1024 * 16];
1203	struct iovec iov = {
1204		.iov_base = payload,
1205		.iov_len = payload->nlmsg_len,
1206	};
1207	struct msghdr nlmsg = {
1208		.msg_name = &nladdr,
1209		.msg_namelen = sizeof(nladdr),
1210		.msg_iov = &iov,
1211		.msg_iovlen = 1,
1212	};
1213
1214	nladdr.nl_family = AF_NETLINK;
1215	nladdr.nl_pid = peer;
1216	nladdr.nl_groups = groups;
1217
1218	payload->nlmsg_seq = time(NULL);
1219
1220	/* no need to send reply */
1221	if (!cb)
1222		payload->nlmsg_flags |= NLM_F_ACK;
1223
1224	fd = ovpn_rt_socket();
1225	if (fd < 0) {
1226		fprintf(stderr, "%s: can't open rtnl socket\n", __func__);
1227		return -errno;
1228	}
1229
1230	ret = ovpn_rt_bind(fd, 0);
1231	if (ret < 0) {
1232		fprintf(stderr, "%s: can't bind rtnl socket\n", __func__);
1233		ret = -errno;
1234		goto out;
1235	}
1236
1237	ret = sendmsg(fd, &nlmsg, 0);
1238	if (ret < 0) {
1239		fprintf(stderr, "%s: rtnl: error on sendmsg()\n", __func__);
1240		ret = -errno;
1241		goto out;
1242	}
1243
1244	/* prepare buffer to store RTNL replies */
1245	memset(buf, 0, sizeof(buf));
1246	iov.iov_base = buf;
1247
1248	while (1) {
1249		/*
1250		 * iov_len is modified by recvmsg(), therefore has to be initialized before
1251		 * using it again
1252		 */
1253		iov.iov_len = sizeof(buf);
1254		rcv_len = recvmsg(fd, &nlmsg, 0);
1255		if (rcv_len < 0) {
1256			if (errno == EINTR || errno == EAGAIN) {
1257				fprintf(stderr, "%s: interrupted call\n",
1258					__func__);
1259				continue;
1260			}
1261			fprintf(stderr, "%s: rtnl: error on recvmsg()\n",
1262				__func__);
1263			ret = -errno;
1264			goto out;
1265		}
1266
1267		if (rcv_len == 0) {
1268			fprintf(stderr,
1269				"%s: rtnl: socket reached unexpected EOF\n",
1270				__func__);
1271			ret = -EIO;
1272			goto out;
1273		}
1274
1275		if (nlmsg.msg_namelen != sizeof(nladdr)) {
1276			fprintf(stderr,
1277				"%s: sender address length: %u (expected %zu)\n",
1278				__func__, nlmsg.msg_namelen, sizeof(nladdr));
1279			ret = -EIO;
1280			goto out;
1281		}
1282
1283		h = (struct nlmsghdr *)buf;
1284		while (rcv_len >= (int)sizeof(*h)) {
1285			len = h->nlmsg_len;
1286			rem_len = len - sizeof(*h);
1287
1288			if (rem_len < 0 || len > rcv_len) {
1289				if (nlmsg.msg_flags & MSG_TRUNC) {
1290					fprintf(stderr, "%s: truncated message\n",
1291						__func__);
1292					ret = -EIO;
1293					goto out;
1294				}
1295				fprintf(stderr, "%s: malformed message: len=%d\n",
1296					__func__, len);
1297				ret = -EIO;
1298				goto out;
1299			}
1300
1301			if (h->nlmsg_type == NLMSG_DONE) {
1302				ret = 0;
1303				goto out;
1304			}
1305
1306			if (h->nlmsg_type == NLMSG_ERROR) {
1307				err = (struct nlmsgerr *)NLMSG_DATA(h);
1308				if (rem_len < (int)sizeof(struct nlmsgerr)) {
1309					fprintf(stderr, "%s: ERROR truncated\n",
1310						__func__);
1311					ret = -EIO;
1312					goto out;
1313				}
1314
1315				if (err->error) {
1316					fprintf(stderr, "%s: (%d) %s\n",
1317						__func__, err->error,
1318						strerror(-err->error));
1319					ret = err->error;
1320					goto out;
1321				}
1322
1323				ret = 0;
1324				if (cb)	{
1325					int r = cb(h, arg_cb);
1326
1327					if (r <= 0)
1328						ret = r;
1329				}
1330				goto out;
1331			}
1332
1333			if (cb) {
1334				int r = cb(h, arg_cb);
1335
1336				if (r <= 0) {
1337					ret = r;
1338					goto out;
1339				}
1340			} else {
1341				fprintf(stderr, "%s: RTNL: unexpected reply\n",
1342					__func__);
1343			}
1344
1345			rcv_len -= NLMSG_ALIGN(len);
1346			h = (struct nlmsghdr *)((uint8_t *)h +
1347						NLMSG_ALIGN(len));
1348		}
1349
1350		if (nlmsg.msg_flags & MSG_TRUNC) {
1351			fprintf(stderr, "%s: message truncated\n", __func__);
1352			continue;
1353		}
1354
1355		if (rcv_len) {
1356			fprintf(stderr, "%s: rtnl: %d not parsed bytes\n",
1357				__func__, rcv_len);
1358			ret = -1;
1359			goto out;
1360		}
1361	}
1362out:
1363	close(fd);
1364
1365	return ret;
1366}
1367
1368struct ovpn_link_req {
1369	struct nlmsghdr n;
1370	struct ifinfomsg i;
1371	char buf[256];
1372};
1373
1374static int ovpn_new_iface(struct ovpn_ctx *ovpn)
1375{
1376	struct rtattr *linkinfo, *data;
1377	struct ovpn_link_req req = { 0 };
1378	int ret = -1;
1379
1380	fprintf(stdout, "Creating interface %s with mode %u\n", ovpn->ifname,
1381		ovpn->mode);
1382
1383	req.n.nlmsg_len = NLMSG_LENGTH(sizeof(req.i));
1384	req.n.nlmsg_flags = NLM_F_REQUEST | NLM_F_CREATE | NLM_F_EXCL;
1385	req.n.nlmsg_type = RTM_NEWLINK;
1386
1387	if (ovpn_addattr(&req.n, sizeof(req), IFLA_IFNAME, ovpn->ifname,
1388			 strlen(ovpn->ifname) + 1) < 0)
1389		goto err;
1390
1391	linkinfo = ovpn_nest_start(&req.n, sizeof(req), IFLA_LINKINFO);
1392	if (!linkinfo)
1393		goto err;
1394
1395	if (ovpn_addattr(&req.n, sizeof(req), IFLA_INFO_KIND, OVPN_FAMILY_NAME,
1396			 strlen(OVPN_FAMILY_NAME) + 1) < 0)
1397		goto err;
1398
1399	if (ovpn->mode_set) {
1400		data = ovpn_nest_start(&req.n, sizeof(req), IFLA_INFO_DATA);
1401		if (!data)
1402			goto err;
1403
1404		if (ovpn_addattr(&req.n, sizeof(req), IFLA_OVPN_MODE,
1405				 &ovpn->mode, sizeof(uint8_t)) < 0)
1406			goto err;
1407
1408		ovpn_nest_end(&req.n, data);
1409	}
1410
1411	ovpn_nest_end(&req.n, linkinfo);
1412
1413	req.i.ifi_family = AF_PACKET;
1414
1415	ret = ovpn_rt_send(&req.n, 0, 0, NULL, NULL);
1416err:
1417	return ret;
1418}
1419
1420static int ovpn_del_iface(struct ovpn_ctx *ovpn)
1421{
1422	struct ovpn_link_req req = { 0 };
1423
1424	fprintf(stdout, "Deleting interface %s ifindex %u\n", ovpn->ifname,
1425		ovpn->ifindex);
1426
1427	req.n.nlmsg_len = NLMSG_LENGTH(sizeof(req.i));
1428	req.n.nlmsg_flags = NLM_F_REQUEST;
1429	req.n.nlmsg_type = RTM_DELLINK;
1430
1431	req.i.ifi_family = AF_PACKET;
1432	req.i.ifi_index = ovpn->ifindex;
1433
1434	return ovpn_rt_send(&req.n, 0, 0, NULL, NULL);
1435}
1436
1437static int nl_seq_check(struct nl_msg (*msg)__always_unused,
1438			void (*arg)__always_unused)
1439{
1440	return NL_OK;
1441}
1442
1443struct mcast_handler_args {
1444	const char *group;
1445	int id;
1446};
1447
1448static int mcast_family_handler(struct nl_msg *msg, void *arg)
1449{
1450	struct mcast_handler_args *grp = arg;
1451	struct nlattr *tb[CTRL_ATTR_MAX + 1];
1452	struct genlmsghdr *gnlh = nlmsg_data(nlmsg_hdr(msg));
1453	struct nlattr *mcgrp;
1454	int rem_mcgrp;
1455
1456	nla_parse(tb, CTRL_ATTR_MAX, genlmsg_attrdata(gnlh, 0),
1457		  genlmsg_attrlen(gnlh, 0), NULL);
1458
1459	if (!tb[CTRL_ATTR_MCAST_GROUPS])
1460		return NL_SKIP;
1461
1462	nla_for_each_nested(mcgrp, tb[CTRL_ATTR_MCAST_GROUPS], rem_mcgrp) {
1463		struct nlattr *tb_mcgrp[CTRL_ATTR_MCAST_GRP_MAX + 1];
1464
1465		nla_parse(tb_mcgrp, CTRL_ATTR_MCAST_GRP_MAX,
1466			  nla_data(mcgrp), nla_len(mcgrp), NULL);
1467
1468		if (!tb_mcgrp[CTRL_ATTR_MCAST_GRP_NAME] ||
1469		    !tb_mcgrp[CTRL_ATTR_MCAST_GRP_ID])
1470			continue;
1471		if (strncmp(nla_data(tb_mcgrp[CTRL_ATTR_MCAST_GRP_NAME]),
1472			    grp->group, nla_len(tb_mcgrp[CTRL_ATTR_MCAST_GRP_NAME])))
1473			continue;
1474		grp->id = nla_get_u32(tb_mcgrp[CTRL_ATTR_MCAST_GRP_ID]);
1475		break;
1476	}
1477
1478	return NL_SKIP;
1479}
1480
1481static int mcast_error_handler(struct sockaddr_nl (*nla)__always_unused,
1482			       struct nlmsgerr *err, void *arg)
1483{
1484	int *ret = arg;
1485
1486	*ret = err->error;
1487	return NL_STOP;
1488}
1489
1490static int mcast_ack_handler(struct nl_msg (*msg)__always_unused, void *arg)
1491{
1492	int *ret = arg;
1493
1494	*ret = 0;
1495	return NL_STOP;
1496}
1497
1498static int ovpn_handle_msg(struct nl_msg *msg, void *arg)
1499{
1500	struct genlmsghdr *gnlh = nlmsg_data(nlmsg_hdr(msg));
1501	struct nlattr *attrs[OVPN_A_MAX + 1];
1502	struct nlmsghdr *nlh = nlmsg_hdr(msg);
1503	char ifname[IF_NAMESIZE];
1504	int *ret = arg;
1505	__u32 ifindex;
1506
1507	fprintf(stderr, "received message from ovpn-dco\n");
1508
1509	*ret = -1;
1510
1511	if (!genlmsg_valid_hdr(nlh, 0)) {
1512		fprintf(stderr, "invalid header\n");
1513		return NL_STOP;
1514	}
1515
1516	if (nla_parse(attrs, OVPN_A_MAX, genlmsg_attrdata(gnlh, 0),
1517		      genlmsg_attrlen(gnlh, 0), NULL)) {
1518		fprintf(stderr, "received bogus data from ovpn-dco\n");
1519		return NL_STOP;
1520	}
1521
1522	if (!attrs[OVPN_A_IFINDEX]) {
1523		fprintf(stderr, "no ifindex in this message\n");
1524		return NL_STOP;
1525	}
1526
1527	ifindex = nla_get_u32(attrs[OVPN_A_IFINDEX]);
1528	if (!if_indextoname(ifindex, ifname)) {
1529		fprintf(stderr, "cannot resolve ifname for ifindex: %u\n",
1530			ifindex);
1531		return NL_STOP;
1532	}
1533
1534	switch (gnlh->cmd) {
1535	case OVPN_CMD_PEER_DEL_NTF:
1536		fprintf(stdout, "received CMD_PEER_DEL_NTF\n");
1537		break;
1538	case OVPN_CMD_PEER_FLOAT_NTF:
1539		fprintf(stdout, "received CMD_PEER_FLOAT_NTF\n");
1540		break;
1541	case OVPN_CMD_KEY_SWAP_NTF:
1542		fprintf(stdout, "received CMD_KEY_SWAP_NTF\n");
1543		break;
1544	default:
1545		fprintf(stderr, "received unknown command: %d\n", gnlh->cmd);
1546		return NL_STOP;
1547	}
1548
1549	*ret = 0;
1550	return NL_OK;
1551}
1552
1553static int ovpn_get_mcast_id(struct nl_sock *sock, const char *family,
1554			     const char *group)
1555{
1556	struct nl_msg *msg;
1557	struct nl_cb *cb;
1558	int ret, ctrlid;
1559	struct mcast_handler_args grp = {
1560		.group = group,
1561		.id = -ENOENT,
1562	};
1563
1564	msg = nlmsg_alloc();
1565	if (!msg)
1566		return -ENOMEM;
1567
1568	cb = nl_cb_alloc(NL_CB_DEFAULT);
1569	if (!cb) {
1570		ret = -ENOMEM;
1571		goto out_fail_cb;
1572	}
1573
1574	ctrlid = genl_ctrl_resolve(sock, "nlctrl");
1575
1576	genlmsg_put(msg, 0, 0, ctrlid, 0, 0, CTRL_CMD_GETFAMILY, 0);
1577
1578	ret = -ENOBUFS;
1579	NLA_PUT_STRING(msg, CTRL_ATTR_FAMILY_NAME, family);
1580
1581	ret = nl_send_auto_complete(sock, msg);
1582	if (ret < 0)
1583		goto nla_put_failure;
1584
1585	ret = 1;
1586
1587	nl_cb_err(cb, NL_CB_CUSTOM, mcast_error_handler, &ret);
1588	nl_cb_set(cb, NL_CB_ACK, NL_CB_CUSTOM, mcast_ack_handler, &ret);
1589	nl_cb_set(cb, NL_CB_VALID, NL_CB_CUSTOM, mcast_family_handler, &grp);
1590
1591	while (ret > 0)
1592		nl_recvmsgs(sock, cb);
1593
1594	if (ret == 0)
1595		ret = grp.id;
1596 nla_put_failure:
1597	nl_cb_put(cb);
1598 out_fail_cb:
1599	nlmsg_free(msg);
1600	return ret;
1601}
1602
1603static int ovpn_listen_mcast(void)
1604{
1605	struct nl_sock *sock;
1606	struct nl_cb *cb;
1607	int mcid, ret;
1608
1609	sock = nl_socket_alloc();
1610	if (!sock) {
1611		fprintf(stderr, "cannot allocate netlink socket\n");
1612		ret = -ENOMEM;
1613		goto err_free;
1614	}
1615
1616	nl_socket_set_buffer_size(sock, 8192, 8192);
1617
1618	ret = genl_connect(sock);
1619	if (ret < 0) {
1620		fprintf(stderr, "cannot connect to generic netlink: %s\n",
1621			nl_geterror(ret));
1622		goto err_free;
1623	}
1624
1625	mcid = ovpn_get_mcast_id(sock, OVPN_FAMILY_NAME, OVPN_MCGRP_PEERS);
1626	if (mcid < 0) {
1627		fprintf(stderr, "cannot get mcast group: %s\n",
1628			nl_geterror(mcid));
1629		goto err_free;
1630	}
1631
1632	ret = nl_socket_add_membership(sock, mcid);
1633	if (ret) {
1634		fprintf(stderr, "failed to join mcast group: %d\n", ret);
1635		goto err_free;
1636	}
1637
1638	ret = 1;
1639	cb = nl_cb_alloc(NL_CB_DEFAULT);
1640	nl_cb_set(cb, NL_CB_SEQ_CHECK, NL_CB_CUSTOM, nl_seq_check, NULL);
1641	nl_cb_set(cb, NL_CB_VALID, NL_CB_CUSTOM, ovpn_handle_msg, &ret);
1642	nl_cb_err(cb, NL_CB_CUSTOM, ovpn_nl_cb_error, &ret);
1643
1644	while (ret == 1) {
1645		int err = nl_recvmsgs(sock, cb);
1646
1647		if (err < 0) {
1648			fprintf(stderr,
1649				"cannot receive netlink message: (%d) %s\n",
1650				err, nl_geterror(-err));
1651			ret = -1;
1652			break;
1653		}
1654	}
1655
1656	nl_cb_put(cb);
1657err_free:
1658	nl_socket_free(sock);
1659	return ret;
1660}
1661
1662static void usage(const char *cmd)
1663{
1664	fprintf(stderr,
1665		"Usage %s <command> <iface> [arguments..]\n",
1666		cmd);
1667	fprintf(stderr, "where <command> can be one of the following\n\n");
1668
1669	fprintf(stderr, "* new_iface <iface> [mode]: create new ovpn interface\n");
1670	fprintf(stderr, "\tiface: ovpn interface name\n");
1671	fprintf(stderr, "\tmode:\n");
1672	fprintf(stderr, "\t\t- P2P for peer-to-peer mode (i.e. client)\n");
1673	fprintf(stderr, "\t\t- MP for multi-peer mode (i.e. server)\n");
1674
1675	fprintf(stderr, "* del_iface <iface>: delete ovpn interface\n");
1676	fprintf(stderr, "\tiface: ovpn interface name\n");
1677
1678	fprintf(stderr,
1679		"* listen <iface> <lport> <id_type> <peers_file> [ipv6]: listen for incoming peer TCP connections\n");
1680	fprintf(stderr, "\tiface: ovpn interface name\n");
1681	fprintf(stderr, "\tlport: TCP port to listen to\n");
1682	fprintf(stderr, "\tid_type:\n");
1683	fprintf(stderr,
1684		"\t\t- SYMM for ignoring the TX peer ID from the peers_file\n");
1685	fprintf(stderr,
1686		"\t\t- ASYMM for using the TX peer ID from the peers_file\n");
1687	fprintf(stderr,
1688		"\tpeers_file: file containing one peer per line: Line format:\n");
1689	fprintf(stderr, "\t\t<peer_id> <tx_id> <vpnaddr>\n");
1690	fprintf(stderr,
1691		"\tipv6: whether the socket should listen to the IPv6 wildcard address\n");
1692
1693	fprintf(stderr,
1694		"* connect <iface> <peer_id> <tx_id> <raddr> <rport> [key_file]: start connecting peer of TCP-based VPN session\n");
1695	fprintf(stderr, "\tiface: ovpn interface name\n");
1696	fprintf(stderr,
1697		"\tpeer_id: peer ID found in data packets received from this peer\n");
1698	fprintf(stderr,
1699		"\ttx_id: peer ID to be used when sending to this peer, 'none' for symmetric peer ID\n");
1700	fprintf(stderr, "\traddr: peer IP address to connect to\n");
1701	fprintf(stderr, "\trport: peer TCP port to connect to\n");
1702	fprintf(stderr,
1703		"\tkey_file: file containing the symmetric key for encryption\n");
1704
1705	fprintf(stderr,
1706		"* new_peer <iface> <peer_id> <tx_id> <lport> <raddr> <rport> [vpnaddr]: add new peer\n");
1707	fprintf(stderr, "\tiface: ovpn interface name\n");
1708	fprintf(stderr,
1709		"\tpeer_id: peer ID found in data packets received from this peer\n");
1710	fprintf(stderr,
1711		"\ttx_id: peer ID to be used when sending to this peer, 'none' for symmetric peer ID\n");
1712	fprintf(stderr, "\tlport: local UDP port to bind to\n");
1713	fprintf(stderr, "\traddr: peer IP address\n");
1714	fprintf(stderr, "\trport: peer UDP port\n");
1715	fprintf(stderr, "\tvpnaddr: peer VPN IP\n");
1716
1717	fprintf(stderr,
1718		"* new_multi_peer <iface> <lport> <id_type> <peers_file> [mark]: add multiple peers as listed in the file\n");
1719	fprintf(stderr, "\tiface: ovpn interface name\n");
1720	fprintf(stderr, "\tlport: local UDP port to bind to\n");
1721	fprintf(stderr, "\tid_type:\n");
1722	fprintf(stderr,
1723		"\t\t- SYMM for ignoring the TX peer ID from the peers_file\n");
1724	fprintf(stderr,
1725		"\t\t- ASYMM for using the TX peer ID from the peers_file\n");
1726	fprintf(stderr,
1727		"\tpeers_file: text file containing one peer per line. Line format:\n");
1728	fprintf(stderr,
1729		"\t\t<peer_id> <tx_id> <raddr> <rport> <laddr> <lport> <vpnaddr>\n");
1730	fprintf(stderr, "\tmark: socket FW mark value\n");
1731
1732	fprintf(stderr,
1733		"* set_peer <iface> <peer_id> <keepalive_interval> <keepalive_timeout>: set peer attributes\n");
1734	fprintf(stderr, "\tiface: ovpn interface name\n");
1735	fprintf(stderr, "\tpeer_id: peer ID of the peer to modify\n");
1736	fprintf(stderr,
1737		"\tkeepalive_interval: interval for sending ping messages\n");
1738	fprintf(stderr,
1739		"\tkeepalive_timeout: time after which a peer is timed out\n");
1740
1741	fprintf(stderr, "* del_peer <iface> <peer_id>: delete peer\n");
1742	fprintf(stderr, "\tiface: ovpn interface name\n");
1743	fprintf(stderr, "\tpeer_id: peer ID of the peer to delete\n");
1744
1745	fprintf(stderr, "* get_peer <iface> [peer_id]: retrieve peer(s) status\n");
1746	fprintf(stderr, "\tiface: ovpn interface name\n");
1747	fprintf(stderr,
1748		"\tpeer_id: peer ID of the peer to query. All peers are returned if omitted\n");
1749
1750	fprintf(stderr,
1751		"* new_key <iface> <peer_id> <slot> <key_id> <cipher> <key_dir> <key_file>: set data channel key\n");
1752	fprintf(stderr, "\tiface: ovpn interface name\n");
1753	fprintf(stderr,
1754		"\tpeer_id: peer ID of the peer to configure the key for\n");
1755	fprintf(stderr, "\tslot: either 1 (primary) or 2 (secondary)\n");
1756	fprintf(stderr, "\tkey_id: an ID from 0 to 7\n");
1757	fprintf(stderr,
1758		"\tcipher: cipher to use, supported: aes (AES-GCM), chachapoly (CHACHA20POLY1305)\n");
1759	fprintf(stderr,
1760		"\tkey_dir: key direction, must 0 on one host and 1 on the other\n");
1761	fprintf(stderr, "\tkey_file: file containing the pre-shared key\n");
1762
1763	fprintf(stderr,
1764		"* del_key <iface> <peer_id> [slot]: erase existing data channel key\n");
1765	fprintf(stderr, "\tiface: ovpn interface name\n");
1766	fprintf(stderr, "\tpeer_id: peer ID of the peer to modify\n");
1767	fprintf(stderr, "\tslot: slot to erase. PRIMARY if omitted\n");
1768
1769	fprintf(stderr,
1770		"* get_key <iface> <peer_id> <slot>: retrieve non sensible key data\n");
1771	fprintf(stderr, "\tiface: ovpn interface name\n");
1772	fprintf(stderr, "\tpeer_id: peer ID of the peer to query\n");
1773	fprintf(stderr, "\tslot: either 1 (primary) or 2 (secondary)\n");
1774
1775	fprintf(stderr,
1776		"* swap_keys <iface> <peer_id>: swap content of primary and secondary key slots\n");
1777	fprintf(stderr, "\tiface: ovpn interface name\n");
1778	fprintf(stderr, "\tpeer_id: peer ID of the peer to modify\n");
1779
1780	fprintf(stderr,
1781		"* listen_mcast: listen to ovpn netlink multicast messages\n");
1782}
1783
1784static int ovpn_parse_remote(struct ovpn_ctx *ovpn, const char *host,
1785			     const char *service, const char *vpnip)
1786{
1787	int ret;
1788	struct addrinfo *result;
1789	struct addrinfo hints = {
1790		.ai_family = ovpn->sa_family,
1791		.ai_socktype = SOCK_DGRAM,
1792		.ai_protocol = IPPROTO_UDP
1793	};
1794
1795	if (host) {
1796		ret = getaddrinfo(host, service, &hints, &result);
1797		if (ret) {
1798			fprintf(stderr, "getaddrinfo on remote error: %s\n",
1799				gai_strerror(ret));
1800			return -1;
1801		}
1802
1803		if (!(result->ai_family == AF_INET &&
1804		      result->ai_addrlen == sizeof(struct sockaddr_in)) &&
1805		    !(result->ai_family == AF_INET6 &&
1806		      result->ai_addrlen == sizeof(struct sockaddr_in6))) {
1807			ret = -EINVAL;
1808			goto out;
1809		}
1810
1811		memcpy(&ovpn->remote, result->ai_addr, result->ai_addrlen);
1812	}
1813
1814	if (vpnip) {
1815		ret = getaddrinfo(vpnip, NULL, &hints, &result);
1816		if (ret) {
1817			fprintf(stderr, "getaddrinfo on vpnip error: %s\n",
1818				gai_strerror(ret));
1819			return -1;
1820		}
1821
1822		if (!(result->ai_family == AF_INET &&
1823		      result->ai_addrlen == sizeof(struct sockaddr_in)) &&
1824		    !(result->ai_family == AF_INET6 &&
1825		      result->ai_addrlen == sizeof(struct sockaddr_in6))) {
1826			ret = -EINVAL;
1827			goto out;
1828		}
1829
1830		memcpy(&ovpn->peer_ip, result->ai_addr, result->ai_addrlen);
1831		ovpn->sa_family = result->ai_family;
1832
1833		ovpn->peer_ip_set = true;
1834	}
1835
1836	ret = 0;
1837out:
1838	freeaddrinfo(result);
1839	return ret;
1840}
1841
1842static int ovpn_parse_new_peer(struct ovpn_ctx *ovpn, const char *peer_id,
1843			       const char *tx_id, const char *raddr,
1844			       const char *rport, const char *vpnip)
1845{
1846	ovpn->peer_id = strtoul(peer_id, NULL, 10);
1847	if (errno == ERANGE || ovpn->peer_id > PEER_ID_UNDEF) {
1848		fprintf(stderr, "rx peer ID value out of range\n");
1849		return -1;
1850	}
1851
1852	if (ovpn->asymm_id) {
1853		ovpn->tx_id = strtoul(tx_id, NULL, 10);
1854		if (errno == ERANGE || ovpn->tx_id > PEER_ID_UNDEF) {
1855			fprintf(stderr, "tx peer ID value out of range\n");
1856			return -1;
1857		}
1858	}
1859
1860	return ovpn_parse_remote(ovpn, raddr, rport, vpnip);
1861}
1862
1863static int ovpn_parse_key_slot(const char *arg, struct ovpn_ctx *ovpn)
1864{
1865	int slot = strtoul(arg, NULL, 10);
1866
1867	if (errno == ERANGE || slot < 1 || slot > 2) {
1868		fprintf(stderr, "key slot out of range\n");
1869		return -1;
1870	}
1871
1872	switch (slot) {
1873	case 1:
1874		ovpn->key_slot = OVPN_KEY_SLOT_PRIMARY;
1875		break;
1876	case 2:
1877		ovpn->key_slot = OVPN_KEY_SLOT_SECONDARY;
1878		break;
1879	}
1880
1881	return 0;
1882}
1883
1884static int ovpn_send_tcp_data(int socket)
1885{
1886	uint16_t len = htons(1000);
1887	uint8_t buf[1002];
1888	int ret;
1889
1890	memcpy(buf, &len, sizeof(len));
1891	memset(buf + sizeof(len), 0x86, sizeof(buf) - sizeof(len));
1892
1893	ret = send(socket, buf, sizeof(buf), MSG_NOSIGNAL);
1894
1895	fprintf(stdout, "Sent %u bytes over TCP socket\n", ret);
1896
1897	return ret > 0 ? 0 : ret;
1898}
1899
1900static int ovpn_recv_tcp_data(int socket)
1901{
1902	uint8_t buf[1002];
1903	uint16_t len;
1904	int ret;
1905
1906	ret = recv(socket, buf, sizeof(buf), MSG_NOSIGNAL);
1907
1908	if (ret < 2) {
1909		fprintf(stderr, ">>>> Error while reading TCP data: %d\n", ret);
1910		return ret;
1911	}
1912
1913	memcpy(&len, buf, sizeof(len));
1914	len = ntohs(len);
1915
1916	fprintf(stdout, ">>>> Received %u bytes over TCP socket, header: %u\n",
1917		ret, len);
1918
1919	return 0;
1920}
1921
1922static enum ovpn_cmd ovpn_parse_cmd(const char *cmd)
1923{
1924	if (!strcmp(cmd, "new_iface"))
1925		return CMD_NEW_IFACE;
1926
1927	if (!strcmp(cmd, "del_iface"))
1928		return CMD_DEL_IFACE;
1929
1930	if (!strcmp(cmd, "listen"))
1931		return CMD_LISTEN;
1932
1933	if (!strcmp(cmd, "connect"))
1934		return CMD_CONNECT;
1935
1936	if (!strcmp(cmd, "new_peer"))
1937		return CMD_NEW_PEER;
1938
1939	if (!strcmp(cmd, "new_multi_peer"))
1940		return CMD_NEW_MULTI_PEER;
1941
1942	if (!strcmp(cmd, "set_peer"))
1943		return CMD_SET_PEER;
1944
1945	if (!strcmp(cmd, "del_peer"))
1946		return CMD_DEL_PEER;
1947
1948	if (!strcmp(cmd, "get_peer"))
1949		return CMD_GET_PEER;
1950
1951	if (!strcmp(cmd, "new_key"))
1952		return CMD_NEW_KEY;
1953
1954	if (!strcmp(cmd, "del_key"))
1955		return CMD_DEL_KEY;
1956
1957	if (!strcmp(cmd, "get_key"))
1958		return CMD_GET_KEY;
1959
1960	if (!strcmp(cmd, "swap_keys"))
1961		return CMD_SWAP_KEYS;
1962
1963	if (!strcmp(cmd, "listen_mcast"))
1964		return CMD_LISTEN_MCAST;
1965
1966	return CMD_INVALID;
1967}
1968
1969/* Send process to background and waits for signal.
1970 *
1971 * This helper is called at the end of commands
1972 * creating sockets, so that the latter stay alive
1973 * along with the process that created them.
1974 *
1975 * A signal is expected to be delivered in order to
1976 * terminate the waiting processes
1977 */
1978static void ovpn_waitbg(void)
1979{
1980	daemon(1, 1);
1981	pause();
1982}
1983
1984static int ovpn_run_cmd(struct ovpn_ctx *ovpn)
1985{
1986	char peer_id[10], tx_id[10], vpnip[INET6_ADDRSTRLEN], laddr[128];
1987	char lport[10], raddr[128], rport[10];
1988	int n, ret;
1989	FILE *fp;
1990
1991	switch (ovpn->cmd) {
1992	case CMD_NEW_IFACE:
1993		ret = ovpn_new_iface(ovpn);
1994		break;
1995	case CMD_DEL_IFACE:
1996		ret = ovpn_del_iface(ovpn);
1997		break;
1998	case CMD_LISTEN:
1999		ret = ovpn_listen(ovpn, ovpn->sa_family);
2000		if (ret < 0) {
2001			fprintf(stderr, "cannot listen on TCP socket\n");
2002			return ret;
2003		}
2004
2005		fp = fopen(ovpn->peers_file, "r");
2006		if (!fp) {
2007			fprintf(stderr, "cannot open file: %s\n",
2008				ovpn->peers_file);
2009			return -1;
2010		}
2011
2012		int num_peers = 0;
2013
2014		while ((n = fscanf(fp, "%s %s %s\n", peer_id, tx_id,
2015				   vpnip)) == 3) {
2016			struct ovpn_ctx peer_ctx = { 0 };
2017
2018			if (num_peers == MAX_PEERS) {
2019				fprintf(stderr, "max peers reached!\n");
2020				return -E2BIG;
2021			}
2022
2023			peer_ctx.ifindex = ovpn->ifindex;
2024			peer_ctx.sa_family = ovpn->sa_family;
2025			peer_ctx.asymm_id = ovpn->asymm_id;
2026
2027			peer_ctx.socket = ovpn_accept(ovpn);
2028			if (peer_ctx.socket < 0) {
2029				fprintf(stderr, "cannot accept connection!\n");
2030				return -1;
2031			}
2032
2033			/* store peer sockets to test TCP I/O */
2034			ovpn->cli_sockets[num_peers] = peer_ctx.socket;
2035
2036			ret = ovpn_parse_new_peer(&peer_ctx, peer_id, tx_id,
2037						  NULL, NULL, vpnip);
2038			if (ret < 0) {
2039				fprintf(stderr, "error while parsing line\n");
2040				return -1;
2041			}
2042
2043			ret = ovpn_new_peer(&peer_ctx, true);
2044			if (ret < 0) {
2045				fprintf(stderr,
2046					"cannot add peer to VPN: %s %s\n",
2047					peer_id, vpnip);
2048				return ret;
2049			}
2050			num_peers++;
2051		}
2052
2053		for (int i = 0; i < num_peers; i++) {
2054			ret = ovpn_recv_tcp_data(ovpn->cli_sockets[i]);
2055			if (ret < 0)
2056				break;
2057		}
2058		ovpn_waitbg();
2059		break;
2060	case CMD_CONNECT:
2061		ret = ovpn_connect(ovpn);
2062		if (ret < 0) {
2063			fprintf(stderr, "cannot connect TCP socket\n");
2064			return ret;
2065		}
2066
2067		ret = ovpn_new_peer(ovpn, true);
2068		if (ret < 0) {
2069			fprintf(stderr, "cannot add peer to VPN\n");
2070			close(ovpn->socket);
2071			return ret;
2072		}
2073
2074		if (ovpn->cipher != OVPN_CIPHER_ALG_NONE) {
2075			ret = ovpn_new_key(ovpn);
2076			if (ret < 0) {
2077				fprintf(stderr, "cannot set key\n");
2078				return ret;
2079			}
2080		}
2081
2082		ret = ovpn_send_tcp_data(ovpn->socket);
2083		ovpn_waitbg();
2084		break;
2085	case CMD_NEW_PEER:
2086		ret = ovpn_udp_socket(ovpn, AF_INET6);
2087		if (ret < 0)
2088			return ret;
2089
2090		ret = ovpn_new_peer(ovpn, false);
2091		ovpn_waitbg();
2092		break;
2093	case CMD_NEW_MULTI_PEER:
2094		ret = ovpn_udp_socket(ovpn, AF_INET6);
2095		if (ret < 0)
2096			return ret;
2097
2098		fp = fopen(ovpn->peers_file, "r");
2099		if (!fp) {
2100			fprintf(stderr, "cannot open file: %s\n",
2101				ovpn->peers_file);
2102			return -1;
2103		}
2104
2105		while ((n = fscanf(fp, "%s %s %s %s %s %s %s\n", peer_id, tx_id,
2106				   laddr, lport, raddr, rport, vpnip)) == 7) {
2107			struct ovpn_ctx peer_ctx = { 0 };
2108
2109			peer_ctx.ifindex = ovpn->ifindex;
2110			peer_ctx.socket = ovpn->socket;
2111			peer_ctx.sa_family = AF_UNSPEC;
2112			peer_ctx.asymm_id = ovpn->asymm_id;
2113
2114			ret = ovpn_parse_new_peer(&peer_ctx, peer_id, tx_id,
2115						  raddr, rport, vpnip);
2116			if (ret < 0) {
2117				fprintf(stderr, "error while parsing line\n");
2118				return -1;
2119			}
2120
2121			ret = ovpn_new_peer(&peer_ctx, false);
2122			if (ret < 0) {
2123				fprintf(stderr,
2124					"cannot add peer to VPN: %s %s %s %s\n",
2125					peer_id, raddr, rport, vpnip);
2126				return ret;
2127			}
2128		}
2129		ovpn_waitbg();
2130		break;
2131	case CMD_SET_PEER:
2132		ret = ovpn_set_peer(ovpn);
2133		break;
2134	case CMD_DEL_PEER:
2135		ret = ovpn_del_peer(ovpn);
2136		break;
2137	case CMD_GET_PEER:
2138		if (ovpn->peer_id == PEER_ID_UNDEF)
2139			fprintf(stderr, "List of peers connected to: %s\n",
2140				ovpn->ifname);
2141
2142		ret = ovpn_get_peer(ovpn);
2143		break;
2144	case CMD_NEW_KEY:
2145		ret = ovpn_new_key(ovpn);
2146		break;
2147	case CMD_DEL_KEY:
2148		ret = ovpn_del_key(ovpn);
2149		break;
2150	case CMD_GET_KEY:
2151		ret = ovpn_get_key(ovpn);
2152		break;
2153	case CMD_SWAP_KEYS:
2154		ret = ovpn_swap_keys(ovpn);
2155		break;
2156	case CMD_LISTEN_MCAST:
2157		ret = ovpn_listen_mcast();
2158		break;
2159	case CMD_INVALID:
2160		ret = -EINVAL;
2161		break;
2162	}
2163
2164	return ret;
2165}
2166
2167static int ovpn_parse_cmd_args(struct ovpn_ctx *ovpn, int argc, char *argv[])
2168{
2169	int ret;
2170
2171	/* no args required for LISTEN_MCAST */
2172	if (ovpn->cmd == CMD_LISTEN_MCAST)
2173		return 0;
2174
2175	/* all commands need an ifname */
2176	if (argc < 3)
2177		return -EINVAL;
2178
2179	strscpy(ovpn->ifname, argv[2], IFNAMSIZ - 1);
2180	ovpn->ifname[IFNAMSIZ - 1] = '\0';
2181
2182	/* all commands, except NEW_IFNAME, needs an ifindex */
2183	if (ovpn->cmd != CMD_NEW_IFACE) {
2184		ovpn->ifindex = if_nametoindex(ovpn->ifname);
2185		if (!ovpn->ifindex) {
2186			fprintf(stderr, "cannot find interface: %s\n",
2187				strerror(errno));
2188			return -1;
2189		}
2190	}
2191
2192	switch (ovpn->cmd) {
2193	case CMD_NEW_IFACE:
2194		if (argc < 4)
2195			break;
2196
2197		if (!strcmp(argv[3], "P2P")) {
2198			ovpn->mode = OVPN_MODE_P2P;
2199		} else if (!strcmp(argv[3], "MP")) {
2200			ovpn->mode = OVPN_MODE_MP;
2201		} else {
2202			fprintf(stderr, "Cannot parse iface mode: %s\n",
2203				argv[3]);
2204			return -1;
2205		}
2206		ovpn->mode_set = true;
2207		break;
2208	case CMD_DEL_IFACE:
2209		break;
2210	case CMD_LISTEN:
2211		if (argc < 6)
2212			return -EINVAL;
2213
2214		ovpn->lport = strtoul(argv[3], NULL, 10);
2215		if (errno == ERANGE || ovpn->lport > 65535) {
2216			fprintf(stderr, "lport value out of range\n");
2217			return -1;
2218		}
2219
2220		if (strcmp(argv[4], "SYMM") == 0) {
2221			ovpn->asymm_id = false;
2222		} else if (strcmp(argv[4], "ASYMM") == 0) {
2223			ovpn->asymm_id = true;
2224		} else {
2225			fprintf(stderr, "Cannot parse id type: %s\n", argv[4]);
2226			return -1;
2227		}
2228
2229		ovpn->peers_file = argv[5];
2230
2231		ovpn->sa_family = AF_INET;
2232		if (argc > 6 && !strcmp(argv[6], "ipv6"))
2233			ovpn->sa_family = AF_INET6;
2234		break;
2235	case CMD_CONNECT:
2236		if (argc < 7)
2237			return -EINVAL;
2238
2239		ovpn->sa_family = AF_INET;
2240		ovpn->asymm_id = strcmp(argv[4], "none");
2241
2242		ret = ovpn_parse_new_peer(ovpn, argv[3], argv[4], argv[5],
2243					  argv[6], NULL);
2244		if (ret < 0) {
2245			fprintf(stderr, "Cannot parse remote peer data\n");
2246			return -1;
2247		}
2248
2249		if (argc > 7) {
2250			ovpn->key_slot = OVPN_KEY_SLOT_PRIMARY;
2251			ovpn->key_id = 0;
2252			ovpn->cipher = OVPN_CIPHER_ALG_AES_GCM;
2253			ovpn->key_dir = KEY_DIR_OUT;
2254
2255			ret = ovpn_parse_key(argv[7], ovpn);
2256			if (ret)
2257				return -1;
2258		}
2259		break;
2260	case CMD_NEW_PEER:
2261		if (argc < 8)
2262			return -EINVAL;
2263
2264		ovpn->asymm_id = strcmp(argv[4], "none");
2265
2266		ovpn->lport = strtoul(argv[5], NULL, 10);
2267		if (errno == ERANGE || ovpn->lport > 65535) {
2268			fprintf(stderr, "lport value out of range\n");
2269			return -1;
2270		}
2271
2272		const char *vpnip = (argc > 8) ? argv[8] : NULL;
2273
2274		ret = ovpn_parse_new_peer(ovpn, argv[3], argv[4], argv[6],
2275					  argv[7], vpnip);
2276		if (ret < 0)
2277			return -1;
2278		break;
2279	case CMD_NEW_MULTI_PEER:
2280		if (argc < 6)
2281			return -EINVAL;
2282
2283		ovpn->lport = strtoul(argv[3], NULL, 10);
2284		if (errno == ERANGE || ovpn->lport > 65535) {
2285			fprintf(stderr, "lport value out of range\n");
2286			return -1;
2287		}
2288
2289		if (!strcmp(argv[4], "SYMM")) {
2290			ovpn->asymm_id = false;
2291		} else if (!strcmp(argv[4], "ASYMM")) {
2292			ovpn->asymm_id = true;
2293		} else {
2294			fprintf(stderr, "Cannot parse id type: %s\n", argv[4]);
2295			return -1;
2296		}
2297
2298		ovpn->peers_file = argv[5];
2299
2300		ovpn->mark = 0;
2301		if (argc > 6) {
2302			ovpn->mark = strtoul(argv[6], NULL, 10);
2303			if (errno == ERANGE || ovpn->mark > UINT32_MAX) {
2304				fprintf(stderr, "mark value out of range\n");
2305				return -1;
2306			}
2307		}
2308		break;
2309	case CMD_SET_PEER:
2310		if (argc < 6)
2311			return -EINVAL;
2312
2313		ovpn->peer_id = strtoul(argv[3], NULL, 10);
2314		if (errno == ERANGE || ovpn->peer_id > PEER_ID_UNDEF) {
2315			fprintf(stderr, "peer ID value out of range\n");
2316			return -1;
2317		}
2318
2319		ovpn->keepalive_interval = strtoul(argv[4], NULL, 10);
2320		if (errno == ERANGE) {
2321			fprintf(stderr,
2322				"keepalive interval value out of range\n");
2323			return -1;
2324		}
2325
2326		ovpn->keepalive_timeout = strtoul(argv[5], NULL, 10);
2327		if (errno == ERANGE) {
2328			fprintf(stderr,
2329				"keepalive interval value out of range\n");
2330			return -1;
2331		}
2332		break;
2333	case CMD_DEL_PEER:
2334		if (argc < 4)
2335			return -EINVAL;
2336
2337		ovpn->peer_id = strtoul(argv[3], NULL, 10);
2338		if (errno == ERANGE || ovpn->peer_id > PEER_ID_UNDEF) {
2339			fprintf(stderr, "peer ID value out of range\n");
2340			return -1;
2341		}
2342		break;
2343	case CMD_GET_PEER:
2344		ovpn->peer_id = PEER_ID_UNDEF;
2345		if (argc > 3) {
2346			ovpn->peer_id = strtoul(argv[3], NULL, 10);
2347			if (errno == ERANGE || ovpn->peer_id > PEER_ID_UNDEF) {
2348				fprintf(stderr, "peer ID value out of range\n");
2349				return -1;
2350			}
2351		}
2352		break;
2353	case CMD_NEW_KEY:
2354		if (argc < 9)
2355			return -EINVAL;
2356
2357		ovpn->peer_id = strtoul(argv[3], NULL, 10);
2358		if (errno == ERANGE) {
2359			fprintf(stderr, "peer ID value out of range\n");
2360			return -1;
2361		}
2362
2363		ret = ovpn_parse_key_slot(argv[4], ovpn);
2364		if (ret)
2365			return -1;
2366
2367		ovpn->key_id = strtoul(argv[5], NULL, 10);
2368		if (errno == ERANGE || ovpn->key_id > 2) {
2369			fprintf(stderr, "key ID out of range\n");
2370			return -1;
2371		}
2372
2373		ret = ovpn_parse_cipher(argv[6], ovpn);
2374		if (ret < 0)
2375			return -1;
2376
2377		ret = ovpn_parse_key_direction(argv[7], ovpn);
2378		if (ret < 0)
2379			return -1;
2380
2381		ret = ovpn_parse_key(argv[8], ovpn);
2382		if (ret)
2383			return -1;
2384		break;
2385	case CMD_DEL_KEY:
2386		if (argc < 4)
2387			return -EINVAL;
2388
2389		ovpn->peer_id = strtoul(argv[3], NULL, 10);
2390		if (errno == ERANGE) {
2391			fprintf(stderr, "peer ID value out of range\n");
2392			return -1;
2393		}
2394
2395		ret = ovpn_parse_key_slot(argv[4], ovpn);
2396		if (ret)
2397			return ret;
2398		break;
2399	case CMD_GET_KEY:
2400		if (argc < 5)
2401			return -EINVAL;
2402
2403		ovpn->peer_id = strtoul(argv[3], NULL, 10);
2404		if (errno == ERANGE) {
2405			fprintf(stderr, "peer ID value out of range\n");
2406			return -1;
2407		}
2408
2409		ret = ovpn_parse_key_slot(argv[4], ovpn);
2410		if (ret)
2411			return ret;
2412		break;
2413	case CMD_SWAP_KEYS:
2414		if (argc < 4)
2415			return -EINVAL;
2416
2417		ovpn->peer_id = strtoul(argv[3], NULL, 10);
2418		if (errno == ERANGE) {
2419			fprintf(stderr, "peer ID value out of range\n");
2420			return -1;
2421		}
2422		break;
2423	case CMD_LISTEN_MCAST:
2424		break;
2425	case CMD_INVALID:
2426		break;
2427	}
2428
2429	return 0;
2430}
2431
2432int main(int argc, char *argv[])
2433{
2434	struct ovpn_ctx ovpn;
2435	int ret;
2436
2437	if (argc < 2) {
2438		usage(argv[0]);
2439		return -1;
2440	}
2441
2442	memset(&ovpn, 0, sizeof(ovpn));
2443	ovpn.sa_family = AF_UNSPEC;
2444	ovpn.cipher = OVPN_CIPHER_ALG_NONE;
2445
2446	ovpn.cmd = ovpn_parse_cmd(argv[1]);
2447	if (ovpn.cmd == CMD_INVALID) {
2448		fprintf(stderr, "Error: unknown command.\n\n");
2449		usage(argv[0]);
2450		return -1;
2451	}
2452
2453	ret = ovpn_parse_cmd_args(&ovpn, argc, argv);
2454	if (ret < 0) {
2455		fprintf(stderr, "Error: invalid arguments.\n\n");
2456		if (ret == -EINVAL)
2457			usage(argv[0]);
2458		return ret;
2459	}
2460
2461	ret = ovpn_run_cmd(&ovpn);
2462	if (ret)
2463		fprintf(stderr, "Cannot execute command: %s (%d)\n",
2464			strerror(-ret), ret);
2465
2466	return ret;
2467}
Configure Feed

Configure Feed
