system/freebsd-src
system/freebsd-src
1
0
Fork 0
mirror of https://github.com/freebsd/freebsd-src synced 2024-07-22 02:37:15 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity
freebsd-src/sys/net/if_ovpn.c
Kristof Provost 59a6666ec9 if_ovpn: cope with loops 
User misconfiguration may lead to routing loops where we try to send the tunnel
packet into the tunnel. This eventually leads to stack overflows and panics.

Avoid this using if_tunnel_check_nesting(), which will drop the packet if we're
looping or we hit three layers of nested tunnels.

MFC after:	1 week
Sponsored by:	Rubicon Communications, LLC ("Netgate")
2024-05-13 12:11:06 +02:00

2585 lines
58 KiB
C
Raw Blame History

/*-
* SPDX-License-Identifier: BSD-2-Clause
*
* Copyright (c) 2021-2022 Rubicon Communications, LLC (Netgate)
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
*/
#include "opt_inet.h"
#include "opt_inet6.h"
#include <sys/param.h>
#include <sys/systm.h>
#include <sys/buf_ring.h>
#include <sys/epoch.h>
#include <sys/file.h>
#include <sys/filedesc.h>
#include <sys/kernel.h>
#include <sys/malloc.h>
#include <sys/mbuf.h>
#include <sys/module.h>
#include <sys/nv.h>
#include <sys/priv.h>
#include <sys/protosw.h>
#include <sys/rmlock.h>
#include <sys/sdt.h>
#include <sys/smp.h>
#include <sys/socket.h>
#include <sys/socketvar.h>
#include <sys/sockio.h>
#include <sys/sysctl.h>
#include <sys/time.h>
#include <machine/atomic.h>
#include <net/bpf.h>
#include <net/if.h>
#include <net/if_clone.h>
#include <net/if_types.h>
#include <net/if_var.h>
#include <net/if_private.h>
#include <net/netisr.h>
#include <net/route/nhop.h>
#include <netinet/in.h>
#include <netinet/in_fib.h>
#include <netinet/ip.h>
#include <netinet/ip6.h>
#include <netinet/ip_var.h>
#include <netinet/udp.h>
#include <netinet/udp_var.h>
#include <netinet6/ip6_var.h>
#include <netinet6/in6_fib.h>
#include <machine/in_cksum.h>
#include <opencrypto/cryptodev.h>
#include "if_ovpn.h"
struct ovpn_kkey_dir {
int refcount;
uint8_t key[32];
uint8_t keylen;
uint8_t nonce[8];
uint8_t noncelen;
enum ovpn_key_cipher cipher;
crypto_session_t cryptoid;
struct mtx replay_mtx;
/*
* Last seen gapless sequence number. New rx seq numbers must be
* strictly higher than this.
*/
uint32_t rx_seq;
uint64_t tx_seq;
/* Seen packets, relative to rx_seq. bit(0) will always be 0. */
uint64_t rx_window;
};
struct ovpn_kkey {
struct ovpn_kkey_dir *encrypt;
struct ovpn_kkey_dir *decrypt;
uint8_t keyid;
uint32_t peerid;
};
struct ovpn_keepalive {
uint32_t interval;
uint32_t timeout;
};
struct ovpn_wire_header {
uint32_t opcode; /* opcode, key id, peer id */
uint32_t seq;
uint8_t auth_tag[16];
};
struct ovpn_peer_counters {
uint64_t pkt_in;
uint64_t pkt_out;
uint64_t bytes_in;
uint64_t bytes_out;
};
#define OVPN_PEER_COUNTER_SIZE (sizeof(struct ovpn_peer_counters)/sizeof(uint64_t))
struct ovpn_notification {
enum ovpn_notif_type type;
uint32_t peerid;
/* Delete notification */
enum ovpn_del_reason del_reason;
struct ovpn_peer_counters counters;
};
struct ovpn_softc;
struct ovpn_kpeer {
RB_ENTRY(ovpn_kpeer) tree;
int refcount;
uint32_t peerid;
struct ovpn_softc *sc;
struct sockaddr_storage local;
struct sockaddr_storage remote;
struct in_addr vpn4;
struct in6_addr vpn6;
struct ovpn_kkey keys[2];
enum ovpn_del_reason del_reason;
struct ovpn_keepalive keepalive;
uint32_t *last_active;
struct callout ping_send;
struct callout ping_rcv;
counter_u64_t counters[OVPN_PEER_COUNTER_SIZE];
};
struct ovpn_counters {
uint64_t lost_ctrl_pkts_in;
uint64_t lost_ctrl_pkts_out;
uint64_t lost_data_pkts_in;
uint64_t lost_data_pkts_out;
uint64_t nomem_data_pkts_in;
uint64_t nomem_data_pkts_out;
uint64_t received_ctrl_pkts;
uint64_t received_data_pkts;
uint64_t sent_ctrl_pkts;
uint64_t sent_data_pkts;
uint64_t transport_bytes_sent;
uint64_t transport_bytes_received;
uint64_t tunnel_bytes_sent;
uint64_t tunnel_bytes_received;
};
#define OVPN_COUNTER_SIZE (sizeof(struct ovpn_counters)/sizeof(uint64_t))
RB_HEAD(ovpn_kpeers, ovpn_kpeer);
struct ovpn_softc {
int refcount;
struct rmlock lock;
struct ifnet *ifp;
struct socket *so;
int peercount;
struct ovpn_kpeers peers;
/* Pending notification */
struct buf_ring *notifring;
counter_u64_t counters[OVPN_COUNTER_SIZE];
struct epoch_context epoch_ctx;
};
static struct ovpn_kpeer *ovpn_find_peer(struct ovpn_softc *, uint32_t);
static bool ovpn_udp_input(struct mbuf *, int, struct inpcb *,
const struct sockaddr *, void *);
static int ovpn_transmit_to_peer(struct ifnet *, struct mbuf *,
struct ovpn_kpeer *, struct rm_priotracker *);
static int ovpn_encap(struct ovpn_softc *, uint32_t, struct mbuf *);
static int ovpn_get_af(struct mbuf *);
static void ovpn_free_kkey_dir(struct ovpn_kkey_dir *);
static bool ovpn_check_replay(struct ovpn_kkey_dir *, uint32_t);
static int ovpn_peer_compare(struct ovpn_kpeer *, struct ovpn_kpeer *);
static RB_PROTOTYPE(ovpn_kpeers, ovpn_kpeer, tree, ovpn_peer_compare);
static RB_GENERATE(ovpn_kpeers, ovpn_kpeer, tree, ovpn_peer_compare);
#define OVPN_MTU_MIN 576
#define OVPN_MTU_MAX (IP_MAXPACKET - sizeof(struct ip) - \
sizeof(struct udphdr) - sizeof(struct ovpn_wire_header))
#define OVPN_OP_DATA_V2 0x09
#define OVPN_OP_SHIFT 3
#define OVPN_SEQ_ROTATE 0x80000000
VNET_DEFINE_STATIC(struct if_clone *, ovpn_cloner);
#define V_ovpn_cloner VNET(ovpn_cloner)
#define OVPN_RLOCK_TRACKER struct rm_priotracker _ovpn_lock_tracker; \
struct rm_priotracker *_ovpn_lock_trackerp = &_ovpn_lock_tracker
#define OVPN_RLOCK(sc) rm_rlock(&(sc)->lock, _ovpn_lock_trackerp)
#define OVPN_RUNLOCK(sc) rm_runlock(&(sc)->lock, _ovpn_lock_trackerp)
#define OVPN_WLOCK(sc) rm_wlock(&(sc)->lock)
#define OVPN_WUNLOCK(sc) rm_wunlock(&(sc)->lock)
#define OVPN_ASSERT(sc) rm_assert(&(sc)->lock, RA_LOCKED)
#define OVPN_RASSERT(sc) rm_assert(&(sc)->lock, RA_RLOCKED)
#define OVPN_WASSERT(sc) rm_assert(&(sc)->lock, RA_WLOCKED)
#define OVPN_UNLOCK_ASSERT(sc) rm_assert(&(sc)->lock, RA_UNLOCKED)
#define OVPN_COUNTER(sc, name) \
((sc)->counters[offsetof(struct ovpn_counters, name)/sizeof(uint64_t)])
#define OVPN_PEER_COUNTER(peer, name) \
((peer)->counters[offsetof(struct ovpn_peer_counters, name) / \
sizeof(uint64_t)])
#define OVPN_COUNTER_ADD(sc, name, val) \
counter_u64_add(OVPN_COUNTER(sc, name), val)
#define OVPN_PEER_COUNTER_ADD(p, name, val) \
counter_u64_add(OVPN_PEER_COUNTER(p, name), val)
#define TO_IN(x) ((struct sockaddr_in *)(x))
#define TO_IN6(x) ((struct sockaddr_in6 *)(x))
SDT_PROVIDER_DEFINE(if_ovpn);
SDT_PROBE_DEFINE1(if_ovpn, tx, transmit, start, "struct mbuf *");
SDT_PROBE_DEFINE2(if_ovpn, tx, route, ip4, "struct in_addr *", "struct ovpn_kpeer *");
SDT_PROBE_DEFINE2(if_ovpn, tx, route, ip6, "struct in6_addr *", "struct ovpn_kpeer *");
static const char ovpnname[] = "ovpn";
static const char ovpngroupname[] = "openvpn";
static MALLOC_DEFINE(M_OVPN, ovpnname, "OpenVPN DCO Interface");
#define MTAG_OVPN_LOOP 0x6f76706e /* ovpn */
SYSCTL_DECL(_net_link);
static SYSCTL_NODE(_net_link, IFT_OTHER, openvpn, CTLFLAG_RW | CTLFLAG_MPSAFE, 0,
"OpenVPN DCO Interface");
VNET_DEFINE_STATIC(int, replay_protection) = 0;
#define V_replay_protection VNET(replay_protection)
SYSCTL_INT(_net_link_openvpn, OID_AUTO, replay_protection, CTLFLAG_VNET | CTLFLAG_RW,
&VNET_NAME(replay_protection), 0, "Validate sequence numbers");
VNET_DEFINE_STATIC(int, async_crypto);
#define V_async_crypto VNET(async_crypto)
SYSCTL_INT(_net_link_openvpn, OID_AUTO, async_crypto,
CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(async_crypto), 0,
"Use asynchronous mode to parallelize crypto jobs.");
VNET_DEFINE_STATIC(int, async_netisr_queue);
#define V_async_netisr_queue VNET(async_netisr_queue)
SYSCTL_INT(_net_link_openvpn, OID_AUTO, netisr_queue,
CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(async_netisr_queue), 0,
"Use netisr_queue() rather than netisr_dispatch().");
static int
ovpn_peer_compare(struct ovpn_kpeer *a, struct ovpn_kpeer *b)
{
return (a->peerid - b->peerid);
}
static struct ovpn_kpeer *
ovpn_find_peer(struct ovpn_softc *sc, uint32_t peerid)
{
struct ovpn_kpeer p;
OVPN_ASSERT(sc);
p.peerid = peerid;
return (RB_FIND(ovpn_kpeers, &sc->peers, &p));
}
static struct ovpn_kpeer *
ovpn_find_only_peer(struct ovpn_softc *sc)
{
OVPN_ASSERT(sc);
return (RB_ROOT(&sc->peers));
}
static uint16_t
ovpn_get_port(struct sockaddr_storage *s)
{
switch (s->ss_family) {
case AF_INET: {
struct sockaddr_in *in = (struct sockaddr_in *)s;
return (in->sin_port);
}
case AF_INET6: {
struct sockaddr_in6 *in6 = (struct sockaddr_in6 *)s;
return (in6->sin6_port);
}
default:
panic("Unsupported address family %d", s->ss_family);
}
}
static int
ovpn_nvlist_to_sockaddr(const nvlist_t *nvl, struct sockaddr_storage *sa)
{
int af;
if (! nvlist_exists_number(nvl, "af"))
return (EINVAL);
if (! nvlist_exists_binary(nvl, "address"))
return (EINVAL);
if (! nvlist_exists_number(nvl, "port"))
return (EINVAL);
af = nvlist_get_number(nvl, "af");
switch (af) {
#ifdef INET
case AF_INET: {
struct sockaddr_in *in = (struct sockaddr_in *)sa;
size_t len;
const void *addr = nvlist_get_binary(nvl, "address", &len);
in->sin_family = af;
if (len != sizeof(in->sin_addr))
return (EINVAL);
memcpy(&in->sin_addr, addr, sizeof(in->sin_addr));
in->sin_port = nvlist_get_number(nvl, "port");
break;
}
#endif
#ifdef INET6
case AF_INET6: {
struct sockaddr_in6 *in6 = (struct sockaddr_in6 *)sa;
size_t len;
const void *addr = nvlist_get_binary(nvl, "address", &len);
in6->sin6_family = af;
if (len != sizeof(in6->sin6_addr))
return (EINVAL);
memcpy(&in6->sin6_addr, addr, sizeof(in6->sin6_addr));
in6->sin6_port = nvlist_get_number(nvl, "port");
break;
}
#endif
default:
return (EINVAL);
}
return (0);
}
static bool
ovpn_has_peers(struct ovpn_softc *sc)
{
OVPN_ASSERT(sc);
return (sc->peercount > 0);
}
static void
ovpn_rele_so(struct ovpn_softc *sc, struct ovpn_kpeer *peer)
{
bool has_peers;
OVPN_WASSERT(sc);
if (sc->so == NULL)
return;
has_peers = ovpn_has_peers(sc);
/* Only remove the tunnel function if we're releasing the socket for
* the last peer. */
if (! has_peers)
(void)udp_set_kernel_tunneling(sc->so, NULL, NULL, NULL);
sorele(sc->so);
if (! has_peers)
sc->so = NULL;
}
static void
ovpn_notify_del_peer(struct ovpn_softc *sc, struct ovpn_kpeer *peer)
{
struct ovpn_notification *n;
OVPN_WASSERT(sc);
n = malloc(sizeof(*n), M_OVPN, M_NOWAIT);
if (n == NULL)
return;
n->peerid = peer->peerid;
n->type = OVPN_NOTIF_DEL_PEER;
n->del_reason = peer->del_reason;
n->counters.pkt_in = counter_u64_fetch(OVPN_PEER_COUNTER(peer, pkt_in));
n->counters.pkt_out = counter_u64_fetch(OVPN_PEER_COUNTER(peer, pkt_out));
n->counters.bytes_in = counter_u64_fetch(OVPN_PEER_COUNTER(peer, bytes_in));
n->counters.bytes_out = counter_u64_fetch(OVPN_PEER_COUNTER(peer, bytes_out));
if (buf_ring_enqueue(sc->notifring, n) != 0) {
free(n, M_OVPN);
} else if (sc->so != NULL) {
/* Wake up userspace */
sc->so->so_error = EAGAIN;
sorwakeup(sc->so);
sowwakeup(sc->so);
}
}
static void
ovpn_notify_key_rotation(struct ovpn_softc *sc, struct ovpn_kpeer *peer)
{
struct ovpn_notification *n;
n = malloc(sizeof(*n), M_OVPN, M_NOWAIT | M_ZERO);
if (n == NULL)
return;
n->peerid = peer->peerid;
n->type = OVPN_NOTIF_ROTATE_KEY;
if (buf_ring_enqueue(sc->notifring, n) != 0) {
free(n, M_OVPN);
} else if (sc->so != NULL) {
/* Wake up userspace */
sc->so->so_error = EAGAIN;
sorwakeup(sc->so);
sowwakeup(sc->so);
}
}
static void
ovpn_peer_release_ref(struct ovpn_kpeer *peer, bool locked)
{
struct ovpn_softc *sc;
CURVNET_ASSERT_SET();
atomic_add_int(&peer->refcount, -1);
if (atomic_load_int(&peer->refcount) > 0)
return;
sc = peer->sc;
if (! locked) {
OVPN_WLOCK(sc);
/* Might have changed before we acquired the lock. */
if (atomic_load_int(&peer->refcount) > 0) {
OVPN_WUNLOCK(sc);
return;
}
}
OVPN_ASSERT(sc);
/* The peer should have been removed from the list already. */
MPASS(ovpn_find_peer(sc, peer->peerid) == NULL);
ovpn_notify_del_peer(sc, peer);
for (int i = 0; i < 2; i++) {
ovpn_free_kkey_dir(peer->keys[i].encrypt);
ovpn_free_kkey_dir(peer->keys[i].decrypt);
}
ovpn_rele_so(sc, peer);
callout_stop(&peer->ping_send);
callout_stop(&peer->ping_rcv);
uma_zfree_pcpu(pcpu_zone_4, peer->last_active);
free(peer, M_OVPN);
if (! locked)
OVPN_WUNLOCK(sc);
}
static int
ovpn_new_peer(struct ifnet *ifp, const nvlist_t *nvl)
{
#ifdef INET6
struct epoch_tracker et;
#endif
struct sockaddr_storage remote;
struct ovpn_kpeer *peer = NULL;
struct file *fp = NULL;
struct ovpn_softc *sc = ifp->if_softc;
struct thread *td = curthread;
struct socket *so = NULL;
int fd;
uint32_t peerid;
int ret = 0;
if (nvl == NULL)
return (EINVAL);
if (! nvlist_exists_number(nvl, "peerid"))
return (EINVAL);
if (! nvlist_exists_number(nvl, "fd"))
return (EINVAL);
if (! nvlist_exists_nvlist(nvl, "remote"))
return (EINVAL);
peerid = nvlist_get_number(nvl, "peerid");
ret = ovpn_nvlist_to_sockaddr(nvlist_get_nvlist(nvl, "remote"),
&remote);
if (ret != 0)
return (ret);
fd = nvlist_get_number(nvl, "fd");
/* Look up the userspace process and use the fd to find the socket. */
ret = getsock(td, fd, &cap_connect_rights, &fp);
if (ret != 0)
return (ret);
so = fp->f_data;
peer = malloc(sizeof(*peer), M_OVPN, M_WAITOK | M_ZERO);
peer->peerid = peerid;
peer->sc = sc;
peer->refcount = 1;
peer->last_active = uma_zalloc_pcpu(pcpu_zone_4, M_WAITOK | M_ZERO);
COUNTER_ARRAY_ALLOC(peer->counters, OVPN_PEER_COUNTER_SIZE, M_WAITOK);
if (nvlist_exists_binary(nvl, "vpn_ipv4")) {
size_t len;
const void *addr = nvlist_get_binary(nvl, "vpn_ipv4", &len);
if (len != sizeof(peer->vpn4)) {
ret = EINVAL;
goto error;
}
memcpy(&peer->vpn4, addr, len);
}
if (nvlist_exists_binary(nvl, "vpn_ipv6")) {
size_t len;
const void *addr = nvlist_get_binary(nvl, "vpn_ipv6", &len);
if (len != sizeof(peer->vpn6)) {
ret = EINVAL;
goto error;
}
memcpy(&peer->vpn6, addr, len);
}
callout_init_rm(&peer->ping_send, &sc->lock, CALLOUT_SHAREDLOCK);
callout_init_rm(&peer->ping_rcv, &sc->lock, 0);
peer->local.ss_len = sizeof(peer->local);
ret = sosockaddr(so, (struct sockaddr *)&peer->local);
if (ret)
goto error;
if (ovpn_get_port(&peer->local) == 0) {
ret = EINVAL;
goto error;
}
if (peer->local.ss_family != remote.ss_family) {
ret = EINVAL;
goto error;
}
memcpy(&peer->remote, &remote, sizeof(remote));
if (peer->local.ss_family == AF_INET6 &&
IN6_IS_ADDR_V4MAPPED(&TO_IN6(&peer->remote)->sin6_addr)) {
/* V4 mapped address, so treat this as v4, not v6. */
in6_sin6_2_sin_in_sock((struct sockaddr *)&peer->local);
in6_sin6_2_sin_in_sock((struct sockaddr *)&peer->remote);
}
#ifdef INET6
if (peer->local.ss_family == AF_INET6 &&
IN6_IS_ADDR_UNSPECIFIED(&TO_IN6(&peer->local)->sin6_addr)) {
NET_EPOCH_ENTER(et);
ret = in6_selectsrc_addr(curthread->td_proc->p_fibnum,
&TO_IN6(&peer->remote)->sin6_addr,
0, NULL, &TO_IN6(&peer->local)->sin6_addr, NULL);
NET_EPOCH_EXIT(et);
if (ret != 0) {
goto error;
}
}
#endif
OVPN_WLOCK(sc);
/* Disallow peer id re-use. */
if (ovpn_find_peer(sc, peerid) != NULL) {
ret = EEXIST;
goto error_locked;
}
/* Make sure this is really a UDP socket. */
if (so->so_type != SOCK_DGRAM || so->so_proto->pr_type != SOCK_DGRAM) {
ret = EPROTOTYPE;
goto error_locked;
}
/* Must be the same socket as for other peers on this interface. */
if (sc->so != NULL && so != sc->so)
goto error_locked;
if (sc->so == NULL)
sc->so = so;
/* Insert the peer into the list. */
RB_INSERT(ovpn_kpeers, &sc->peers, peer);
sc->peercount++;
soref(sc->so);
ret = udp_set_kernel_tunneling(sc->so, ovpn_udp_input, NULL, sc);
if (ret == EBUSY) {
/* Fine, another peer already set the input function. */
ret = 0;
}
if (ret != 0) {
RB_REMOVE(ovpn_kpeers, &sc->peers, peer);
sc->peercount--;
goto error_locked;
}
OVPN_WUNLOCK(sc);
goto done;
error_locked:
OVPN_WUNLOCK(sc);
error:
COUNTER_ARRAY_FREE(peer->counters, OVPN_PEER_COUNTER_SIZE);
uma_zfree_pcpu(pcpu_zone_4, peer->last_active);
free(peer, M_OVPN);
done:
if (fp != NULL)
fdrop(fp, td);
return (ret);
}
static int
_ovpn_del_peer(struct ovpn_softc *sc, struct ovpn_kpeer *peer)
{
struct ovpn_kpeer *tmp __diagused;
OVPN_WASSERT(sc);
CURVNET_ASSERT_SET();
MPASS(RB_FIND(ovpn_kpeers, &sc->peers, peer) == peer);
tmp = RB_REMOVE(ovpn_kpeers, &sc->peers, peer);
MPASS(tmp != NULL);
sc->peercount--;
ovpn_peer_release_ref(peer, true);
return (0);
}
static int
ovpn_del_peer(struct ifnet *ifp, nvlist_t *nvl)
{
struct ovpn_softc *sc = ifp->if_softc;
struct ovpn_kpeer *peer;
uint32_t peerid;
int ret;
OVPN_WASSERT(sc);
if (nvl == NULL)
return (EINVAL);
if (! nvlist_exists_number(nvl, "peerid"))
return (EINVAL);
peerid = nvlist_get_number(nvl, "peerid");
peer = ovpn_find_peer(sc, peerid);
if (peer == NULL)
return (ENOENT);
peer->del_reason = OVPN_DEL_REASON_REQUESTED;
ret = _ovpn_del_peer(sc, peer);
return (ret);
}
static int
ovpn_create_kkey_dir(struct ovpn_kkey_dir **kdirp,
const nvlist_t *nvl)
{
struct crypto_session_params csp;
struct ovpn_kkey_dir *kdir;
const char *ciphername;
enum ovpn_key_cipher cipher;
const void *key, *iv;
size_t keylen = 0, ivlen = 0;
int error;
if (! nvlist_exists_string(nvl, "cipher"))
return (EINVAL);
ciphername = nvlist_get_string(nvl, "cipher");
if (strcmp(ciphername, "none") == 0)
cipher = OVPN_CIPHER_ALG_NONE;
else if (strcmp(ciphername, "AES-256-GCM") == 0 ||
strcmp(ciphername, "AES-192-GCM") == 0 ||
strcmp(ciphername, "AES-128-GCM") == 0)
cipher = OVPN_CIPHER_ALG_AES_GCM;
else if (strcmp(ciphername, "CHACHA20-POLY1305") == 0)
cipher = OVPN_CIPHER_ALG_CHACHA20_POLY1305;
else
return (EINVAL);
if (cipher != OVPN_CIPHER_ALG_NONE) {
if (! nvlist_exists_binary(nvl, "key"))
return (EINVAL);
key = nvlist_get_binary(nvl, "key", &keylen);
if (keylen > sizeof(kdir->key))
return (E2BIG);
if (! nvlist_exists_binary(nvl, "iv"))
return (EINVAL);
iv = nvlist_get_binary(nvl, "iv", &ivlen);
if (ivlen != 8)
return (E2BIG);
}
kdir = malloc(sizeof(struct ovpn_kkey_dir), M_OVPN,
M_WAITOK | M_ZERO);
kdir->cipher = cipher;
kdir->keylen = keylen;
kdir->tx_seq = 1;
memcpy(kdir->key, key, keylen);
kdir->noncelen = ivlen;
memcpy(kdir->nonce, iv, ivlen);
if (kdir->cipher != OVPN_CIPHER_ALG_NONE) {
/* Crypto init */
bzero(&csp, sizeof(csp));
csp.csp_mode = CSP_MODE_AEAD;
if (kdir->cipher == OVPN_CIPHER_ALG_CHACHA20_POLY1305)
csp.csp_cipher_alg = CRYPTO_CHACHA20_POLY1305;
else
csp.csp_cipher_alg = CRYPTO_AES_NIST_GCM_16;
csp.csp_flags |= CSP_F_SEPARATE_AAD;
csp.csp_cipher_klen = kdir->keylen;
csp.csp_cipher_key = kdir->key;
csp.csp_ivlen = 96 / 8;
error = crypto_newsession(&kdir->cryptoid, &csp,
CRYPTOCAP_F_HARDWARE | CRYPTOCAP_F_SOFTWARE);
if (error) {
free(kdir, M_OVPN);
return (error);
}
}
mtx_init(&kdir->replay_mtx, "if_ovpn rx replay", NULL, MTX_DEF);
*kdirp = kdir;
return (0);
}
static void
ovpn_free_kkey_dir(struct ovpn_kkey_dir *kdir)
{
if (kdir == NULL)
return;
mtx_destroy(&kdir->replay_mtx);
crypto_freesession(kdir->cryptoid);
free(kdir, M_OVPN);
}
static int
ovpn_set_key(struct ifnet *ifp, const nvlist_t *nvl)
{
struct ovpn_softc *sc = ifp->if_softc;
struct ovpn_kkey_dir *enc, *dec;
struct ovpn_kpeer *peer;
int slot, keyid, peerid;
int error;
if (nvl == NULL)
return (EINVAL);
if (! nvlist_exists_number(nvl, "slot"))
return (EINVAL);
slot = nvlist_get_number(nvl, "slot");
if (! nvlist_exists_number(nvl, "keyid"))
return (EINVAL);
keyid = nvlist_get_number(nvl, "keyid");
if (! nvlist_exists_number(nvl, "peerid"))
return (EINVAL);
peerid = nvlist_get_number(nvl, "peerid");
if (slot != OVPN_KEY_SLOT_PRIMARY &&
slot != OVPN_KEY_SLOT_SECONDARY)
return (EINVAL);
if (! nvlist_exists_nvlist(nvl, "encrypt") ||
! nvlist_exists_nvlist(nvl, "decrypt"))
return (EINVAL);
error = ovpn_create_kkey_dir(&enc, nvlist_get_nvlist(nvl, "encrypt"));
if (error)
return (error);
error = ovpn_create_kkey_dir(&dec, nvlist_get_nvlist(nvl, "decrypt"));
if (error) {
ovpn_free_kkey_dir(enc);
return (error);
}
OVPN_WLOCK(sc);
peer = ovpn_find_peer(sc, peerid);
if (peer == NULL) {
ovpn_free_kkey_dir(dec);
ovpn_free_kkey_dir(enc);
OVPN_WUNLOCK(sc);
return (ENOENT);
}
ovpn_free_kkey_dir(peer->keys[slot].encrypt);
ovpn_free_kkey_dir(peer->keys[slot].decrypt);
peer->keys[slot].encrypt = enc;
peer->keys[slot].decrypt = dec;
peer->keys[slot].keyid = keyid;
peer->keys[slot].peerid = peerid;
OVPN_WUNLOCK(sc);
return (0);
}
static int
ovpn_check_key(struct ovpn_softc *sc, struct ovpn_kpeer *peer, enum ovpn_key_slot slot)
{
OVPN_ASSERT(sc);
if (peer->keys[slot].encrypt == NULL)
return (ENOLINK);
if (peer->keys[slot].decrypt == NULL)
return (ENOLINK);
return (0);
}
static int
ovpn_start(struct ifnet *ifp)
{
struct ovpn_softc *sc = ifp->if_softc;
OVPN_WLOCK(sc);
ifp->if_flags |= IFF_UP;
ifp->if_drv_flags |= IFF_DRV_RUNNING;
if_link_state_change(ifp, LINK_STATE_UP);
OVPN_WUNLOCK(sc);
return (0);
}
static int
ovpn_swap_keys(struct ifnet *ifp, nvlist_t *nvl)
{
struct ovpn_softc *sc = ifp->if_softc;
struct ovpn_kpeer *peer;
struct ovpn_kkey tmpkey;
int error;
if (nvl == NULL)
return (EINVAL);
if (! nvlist_exists_number(nvl, "peerid"))
return (EINVAL);
OVPN_WLOCK(sc);
peer = ovpn_find_peer(sc, nvlist_get_number(nvl, "peerid"));
if (peer == NULL) {
OVPN_WUNLOCK(sc);
return (ENOENT);
}
/* Check that we have a second key to swap to. */
error = ovpn_check_key(sc, peer, OVPN_KEY_SLOT_SECONDARY);
if (error) {
OVPN_WUNLOCK(sc);
return (error);
}
tmpkey = peer->keys[0];
peer->keys[0] = peer->keys[1];
peer->keys[1] = tmpkey;
OVPN_WUNLOCK(sc);
return (0);
}
static int
ovpn_del_key(struct ifnet *ifp, const nvlist_t *nvl)
{
enum ovpn_key_slot slot;
struct ovpn_kpeer *peer;
struct ovpn_softc *sc = ifp->if_softc;
if (nvl == NULL)
return (EINVAL);
if (! nvlist_exists_number(nvl, "peerid"))
return (EINVAL);
if (! nvlist_exists_number(nvl, "slot"))
return (EINVAL);
slot = nvlist_get_number(nvl, "slot");
if (slot != OVPN_KEY_SLOT_PRIMARY &&
slot != OVPN_KEY_SLOT_SECONDARY)
return (EINVAL);
OVPN_WLOCK(sc);
peer = ovpn_find_peer(sc, nvlist_get_number(nvl, "peerid"));
if (peer == NULL) {
OVPN_WUNLOCK(sc);
return (ENOENT);
}
ovpn_free_kkey_dir(peer->keys[slot].encrypt);
ovpn_free_kkey_dir(peer->keys[slot].decrypt);
peer->keys[slot].encrypt = NULL;
peer->keys[slot].decrypt = NULL;
peer->keys[slot].keyid = 0;
peer->keys[slot].peerid = 0;
OVPN_WUNLOCK(sc);
return (0);
}
static void
ovpn_send_ping(void *arg)
{
static const uint8_t ping_str[] = {
0x2a, 0x18, 0x7b, 0xf3, 0x64, 0x1e, 0xb4, 0xcb,
0x07, 0xed, 0x2d, 0x0a, 0x98, 0x1f, 0xc7, 0x48
};
struct epoch_tracker et;
struct ovpn_kpeer *peer = arg;
struct ovpn_softc *sc = peer->sc;
struct mbuf *m;
OVPN_RASSERT(sc);
/* Ensure we repeat! */
callout_reset(&peer->ping_send, peer->keepalive.interval * hz,
ovpn_send_ping, peer);
m = m_get2(sizeof(ping_str), M_NOWAIT, MT_DATA, M_PKTHDR);
if (m == NULL)
return;
m_copyback(m, 0, sizeof(ping_str), ping_str);
m->m_len = m->m_pkthdr.len = sizeof(ping_str);
CURVNET_SET(sc->ifp->if_vnet);
NET_EPOCH_ENTER(et);
(void)ovpn_transmit_to_peer(sc->ifp, m, peer, NULL);
NET_EPOCH_EXIT(et);
CURVNET_RESTORE();
}
static void
ovpn_timeout(void *arg)
{
struct ovpn_kpeer *peer = arg;
struct ovpn_softc *sc = peer->sc;
uint32_t last, _last_active;
int ret __diagused;
int cpu;
OVPN_WASSERT(sc);
last = 0;
CPU_FOREACH(cpu) {
_last_active = *zpcpu_get_cpu(peer->last_active, cpu);
if (_last_active > last)
last = _last_active;
}
if (last + peer->keepalive.timeout > time_uptime) {
callout_reset(&peer->ping_rcv,
(peer->keepalive.timeout - (time_uptime - last)) * hz,
ovpn_timeout, peer);
return;
}
CURVNET_SET(sc->ifp->if_vnet);
peer->del_reason = OVPN_DEL_REASON_TIMEOUT;
ret = _ovpn_del_peer(sc, peer);
MPASS(ret == 0);
CURVNET_RESTORE();
}
static int
ovpn_set_peer(struct ifnet *ifp, const nvlist_t *nvl)
{
struct ovpn_softc *sc = ifp->if_softc;
struct ovpn_kpeer *peer;
if (nvl == NULL)
return (EINVAL);
if (! nvlist_exists_number(nvl, "interval") ||
! nvlist_exists_number(nvl, "timeout") ||
! nvlist_exists_number(nvl, "peerid"))
return (EINVAL);
OVPN_WLOCK(sc);
peer = ovpn_find_peer(sc, nvlist_get_number(nvl, "peerid"));
if (peer == NULL) {
OVPN_WUNLOCK(sc);
return (ENOENT);
}
peer->keepalive.interval = nvlist_get_number(nvl, "interval");
peer->keepalive.timeout = nvlist_get_number(nvl, "timeout");
if (peer->keepalive.interval > 0)
callout_reset(&peer->ping_send, peer->keepalive.interval * hz,
ovpn_send_ping, peer);
if (peer->keepalive.timeout > 0)
callout_reset(&peer->ping_rcv, peer->keepalive.timeout * hz,
ovpn_timeout, peer);
OVPN_WUNLOCK(sc);
return (0);
}
static int
ovpn_set_ifmode(struct ifnet *ifp, const nvlist_t *nvl)
{
struct ovpn_softc *sc = ifp->if_softc;
int ifmode;
if (nvl == NULL)
return (EINVAL);
if (! nvlist_exists_number(nvl, "ifmode") )
return (EINVAL);
ifmode = nvlist_get_number(nvl, "ifmode");
OVPN_WLOCK(sc);
/* deny this if UP */
if (ifp->if_flags & IFF_UP) {
OVPN_WUNLOCK(sc);
return (EBUSY);
}
switch (ifmode & ~IFF_MULTICAST) {
case IFF_POINTOPOINT:
case IFF_BROADCAST:
ifp->if_flags &=
~(IFF_BROADCAST|IFF_POINTOPOINT|IFF_MULTICAST);
ifp->if_flags |= ifmode;
break;
default:
OVPN_WUNLOCK(sc);
return (EINVAL);
}
OVPN_WUNLOCK(sc);
return (0);
}
static int
ovpn_ioctl_set(struct ifnet *ifp, struct ifdrv *ifd)
{
struct ovpn_softc *sc = ifp->if_softc;
uint8_t *buf = NULL;
nvlist_t *nvl = NULL;
int ret;
if (ifd->ifd_len != 0) {
if (ifd->ifd_len > OVPN_MAX_REQUEST_SIZE)
return (E2BIG);
buf = malloc(ifd->ifd_len, M_OVPN, M_WAITOK);
ret = copyin(ifd->ifd_data, buf, ifd->ifd_len);
if (ret != 0) {
free(buf, M_OVPN);
return (ret);
}
nvl = nvlist_unpack(buf, ifd->ifd_len, 0);
free(buf, M_OVPN);
if (nvl == NULL) {
return (EINVAL);
}
}
switch (ifd->ifd_cmd) {
case OVPN_NEW_PEER:
ret = ovpn_new_peer(ifp, nvl);
break;
case OVPN_DEL_PEER:
OVPN_WLOCK(sc);
ret = ovpn_del_peer(ifp, nvl);
OVPN_WUNLOCK(sc);
break;
case OVPN_NEW_KEY:
ret = ovpn_set_key(ifp, nvl);
break;
case OVPN_START_VPN:
ret = ovpn_start(ifp);
break;
case OVPN_SWAP_KEYS:
ret = ovpn_swap_keys(ifp, nvl);
break;
case OVPN_DEL_KEY:
ret = ovpn_del_key(ifp, nvl);
break;
case OVPN_SET_PEER:
ret = ovpn_set_peer(ifp, nvl);
break;
case OVPN_SET_IFMODE:
ret = ovpn_set_ifmode(ifp, nvl);
break;
default:
ret = ENOTSUP;
}
nvlist_destroy(nvl);
return (ret);
}
static int
ovpn_add_counters(nvlist_t *parent, const char *name, counter_u64_t in,
counter_u64_t out)
{
nvlist_t *nvl;
nvl = nvlist_create(0);
if (nvl == NULL)
return (ENOMEM);
nvlist_add_number(nvl, "in", counter_u64_fetch(in));
nvlist_add_number(nvl, "out", counter_u64_fetch(out));
nvlist_add_nvlist(parent, name, nvl);
nvlist_destroy(nvl);
return (0);
}
static int
ovpn_get_stats(struct ovpn_softc *sc, nvlist_t **onvl)
{
nvlist_t *nvl;
int ret;
nvl = nvlist_create(0);
if (nvl == NULL)
return (ENOMEM);
#define OVPN_COUNTER_OUT(name, in, out) \
do { \
ret = ovpn_add_counters(nvl, name, OVPN_COUNTER(sc, in), \
OVPN_COUNTER(sc, out)); \
if (ret != 0) \
goto error; \
} while(0)
OVPN_COUNTER_OUT("lost_ctrl", lost_ctrl_pkts_in, lost_ctrl_pkts_out);
OVPN_COUNTER_OUT("lost_data", lost_data_pkts_in, lost_data_pkts_out);
OVPN_COUNTER_OUT("nomem_data", nomem_data_pkts_in,
nomem_data_pkts_out);
OVPN_COUNTER_OUT("data", received_data_pkts, sent_data_pkts);
OVPN_COUNTER_OUT("ctrl", received_ctrl_pkts, sent_ctrl_pkts);
OVPN_COUNTER_OUT("tunnel", tunnel_bytes_received,
tunnel_bytes_received);
OVPN_COUNTER_OUT("transport", transport_bytes_received,
transport_bytes_received);
#undef OVPN_COUNTER_OUT
*onvl = nvl;
return (0);
error:
nvlist_destroy(nvl);
return (ret);
}
static int
ovpn_get_peer_stats(struct ovpn_softc *sc, nvlist_t **nvl)
{
struct ovpn_kpeer *peer;
nvlist_t *nvpeer = NULL;
int ret;
OVPN_RLOCK_TRACKER;
*nvl = nvlist_create(0);
if (*nvl == NULL)
return (ENOMEM);
#define OVPN_PEER_COUNTER_OUT(name, in, out) \
do { \
ret = ovpn_add_counters(nvpeer, name, \
OVPN_PEER_COUNTER(peer, in), OVPN_PEER_COUNTER(peer, out)); \
if (ret != 0) \
goto error; \
} while(0)
OVPN_RLOCK(sc);
RB_FOREACH(peer, ovpn_kpeers, &sc->peers) {
nvpeer = nvlist_create(0);
if (nvpeer == NULL) {
OVPN_RUNLOCK(sc);
nvlist_destroy(*nvl);
*nvl = NULL;
return (ENOMEM);
}
nvlist_add_number(nvpeer, "peerid", peer->peerid);
OVPN_PEER_COUNTER_OUT("packets", pkt_in, pkt_out);
OVPN_PEER_COUNTER_OUT("bytes", bytes_in, bytes_out);
nvlist_append_nvlist_array(*nvl, "peers", nvpeer);
nvlist_destroy(nvpeer);
}
#undef OVPN_PEER_COUNTER_OUT
OVPN_RUNLOCK(sc);
return (0);
error:
nvlist_destroy(nvpeer);
nvlist_destroy(*nvl);
*nvl = NULL;
return (ret);
}
static int
ovpn_poll_pkt(struct ovpn_softc *sc, nvlist_t **onvl)
{
nvlist_t *nvl;
nvl = nvlist_create(0);
if (nvl == NULL)
return (ENOMEM);
nvlist_add_number(nvl, "pending", buf_ring_count(sc->notifring));
*onvl = nvl;
return (0);
}
static void
ovpn_notif_add_counters(nvlist_t *parent, struct ovpn_notification *n)
{
nvlist_t *nvl;
nvl = nvlist_create(0);
if (nvl == NULL)
return;
nvlist_add_number(nvl, "in", n->counters.pkt_in);
nvlist_add_number(nvl, "out", n->counters.pkt_out);
nvlist_add_nvlist(parent, "packets", nvl);
nvlist_destroy(nvl);
nvl = nvlist_create(0);
if (nvl == NULL)
return;
nvlist_add_number(nvl, "in", n->counters.bytes_in);
nvlist_add_number(nvl, "out", n->counters.bytes_out);
nvlist_add_nvlist(parent, "bytes", nvl);
nvlist_destroy(nvl);
}
static int
opvn_get_pkt(struct ovpn_softc *sc, nvlist_t **onvl)
{
struct ovpn_notification *n;
nvlist_t *nvl;
/* Check if we have notifications pending. */
n = buf_ring_dequeue_mc(sc->notifring);
if (n == NULL)
return (ENOENT);
nvl = nvlist_create(0);
if (nvl == NULL) {
free(n, M_OVPN);
return (ENOMEM);
}
nvlist_add_number(nvl, "peerid", n->peerid);
nvlist_add_number(nvl, "notification", n->type);
if (n->type == OVPN_NOTIF_DEL_PEER) {
nvlist_add_number(nvl, "del_reason", n->del_reason);
/* No error handling, because we want to send the notification
* even if we can't attach the counters. */
ovpn_notif_add_counters(nvl, n);
}
free(n, M_OVPN);
*onvl = nvl;
return (0);
}
static int
ovpn_ioctl_get(struct ifnet *ifp, struct ifdrv *ifd)
{
struct ovpn_softc *sc = ifp->if_softc;
nvlist_t *nvl = NULL;
int error;
switch (ifd->ifd_cmd) {
case OVPN_GET_STATS:
error = ovpn_get_stats(sc, &nvl);
break;
case OVPN_GET_PEER_STATS:
error = ovpn_get_peer_stats(sc, &nvl);
break;
case OVPN_POLL_PKT:
error = ovpn_poll_pkt(sc, &nvl);
break;
case OVPN_GET_PKT:
error = opvn_get_pkt(sc, &nvl);
break;
default:
error = ENOTSUP;
break;
}
if (error == 0) {
void *packed = NULL;
size_t len;
MPASS(nvl != NULL);
packed = nvlist_pack(nvl, &len);
if (! packed) {
nvlist_destroy(nvl);
return (ENOMEM);
}
if (len > ifd->ifd_len) {
free(packed, M_NVLIST);
nvlist_destroy(nvl);
return (ENOSPC);
}
error = copyout(packed, ifd->ifd_data, len);
ifd->ifd_len = len;
free(packed, M_NVLIST);
nvlist_destroy(nvl);
}
return (error);
}
static int
ovpn_ioctl(struct ifnet *ifp, u_long cmd, caddr_t data)
{
struct ifdrv *ifd;
int error;
CURVNET_ASSERT_SET();
switch (cmd) {
case SIOCSDRVSPEC:
case SIOCGDRVSPEC:
error = priv_check(curthread, PRIV_NET_OVPN);
if (error)
return (error);
break;
}
switch (cmd) {
case SIOCSDRVSPEC:
ifd = (struct ifdrv *)data;
error = ovpn_ioctl_set(ifp, ifd);
break;
case SIOCGDRVSPEC:
ifd = (struct ifdrv *)data;
error = ovpn_ioctl_get(ifp, ifd);
break;
case SIOCSIFMTU: {
struct ifreq *ifr = (struct ifreq *)data;
if (ifr->ifr_mtu < OVPN_MTU_MIN || ifr->ifr_mtu > OVPN_MTU_MAX)
return (EINVAL);
ifp->if_mtu = ifr->ifr_mtu;
return (0);
}
case SIOCSIFADDR:
case SIOCADDMULTI:
case SIOCDELMULTI:
case SIOCGIFMTU:
case SIOCSIFFLAGS:
return (0);
default:
error = EINVAL;
}
return (error);
}
static int
ovpn_encrypt_tx_cb(struct cryptop *crp)
{
struct epoch_tracker et;
struct ovpn_kpeer *peer = crp->crp_opaque;
struct ovpn_softc *sc = peer->sc;
struct mbuf *m = crp->crp_buf.cb_mbuf;
int tunnel_len;
int ret;
CURVNET_SET(sc->ifp->if_vnet);
NET_EPOCH_ENTER(et);
if (crp->crp_etype != 0) {
crypto_freereq(crp);
ovpn_peer_release_ref(peer, false);
NET_EPOCH_EXIT(et);
CURVNET_RESTORE();
OVPN_COUNTER_ADD(sc, lost_data_pkts_out, 1);
m_freem(m);
return (0);
}
MPASS(crp->crp_buf.cb_type == CRYPTO_BUF_MBUF);
tunnel_len = m->m_pkthdr.len - sizeof(struct ovpn_wire_header);
ret = ovpn_encap(sc, peer->peerid, m);
if (ret == 0) {
OVPN_COUNTER_ADD(sc, sent_data_pkts, 1);
OVPN_COUNTER_ADD(sc, tunnel_bytes_sent, tunnel_len);
}
crypto_freereq(crp);
ovpn_peer_release_ref(peer, false);
NET_EPOCH_EXIT(et);
CURVNET_RESTORE();
return (0);
}
static void
ovpn_finish_rx(struct ovpn_softc *sc, struct mbuf *m,
struct ovpn_kpeer *peer, struct ovpn_kkey *key, uint32_t seq,
struct rm_priotracker *_ovpn_lock_trackerp)
{
uint32_t af;
OVPN_RASSERT(sc);
NET_EPOCH_ASSERT();
/* Replay protection. */
if (V_replay_protection && ! ovpn_check_replay(key->decrypt, seq)) {
OVPN_RUNLOCK(sc);
OVPN_COUNTER_ADD(sc, lost_data_pkts_in, 1);
m_freem(m);
return;
}
critical_enter();
*zpcpu_get(peer->last_active) = time_uptime;
critical_exit();
OVPN_RUNLOCK(sc);
OVPN_COUNTER_ADD(sc, received_data_pkts, 1);
OVPN_COUNTER_ADD(sc, tunnel_bytes_received, m->m_pkthdr.len);
OVPN_PEER_COUNTER_ADD(peer, pkt_in, 1);
OVPN_PEER_COUNTER_ADD(peer, bytes_in, m->m_pkthdr.len);
/* Receive the packet on our interface. */
m->m_pkthdr.rcvif = sc->ifp;
/* Clear checksum flags in case the real hardware set them. */
m->m_pkthdr.csum_flags = 0;
/* Clear mbuf tags & flags */
m_tag_delete_nonpersistent(m);
m_clrprotoflags(m);
/* Ensure we can read the first byte. */
m = m_pullup(m, 1);
if (m == NULL) {
OVPN_COUNTER_ADD(sc, nomem_data_pkts_in, 1);
return;
}
/*
* Check for address family, and disregard any control packets (e.g.
* keepalive).
*/
af = ovpn_get_af(m);
if (af != 0) {
BPF_MTAP2(sc->ifp, &af, sizeof(af), m);
if (V_async_netisr_queue)
netisr_queue(af == AF_INET ? NETISR_IP : NETISR_IPV6, m);
else
netisr_dispatch(af == AF_INET ? NETISR_IP : NETISR_IPV6, m);
} else {
OVPN_COUNTER_ADD(sc, lost_data_pkts_in, 1);
m_freem(m);
}
}
static struct ovpn_kkey *
ovpn_find_key(struct ovpn_softc *sc, struct ovpn_kpeer *peer,
const struct ovpn_wire_header *ohdr)
{
struct ovpn_kkey *key = NULL;
uint8_t keyid;
OVPN_RASSERT(sc);
keyid = (ntohl(ohdr->opcode) >> 24) & 0x07;
if (peer->keys[0].keyid == keyid)
key = &peer->keys[0];
else if (peer->keys[1].keyid == keyid)
key = &peer->keys[1];
return (key);
}
static int
ovpn_decrypt_rx_cb(struct cryptop *crp)
{
struct epoch_tracker et;
struct ovpn_softc *sc = crp->crp_opaque;
struct mbuf *m = crp->crp_buf.cb_mbuf;
struct ovpn_kkey *key;
struct ovpn_kpeer *peer;
struct ovpn_wire_header *ohdr;
uint32_t peerid;
OVPN_RLOCK_TRACKER;
OVPN_RLOCK(sc);
MPASS(crp->crp_buf.cb_type == CRYPTO_BUF_MBUF);
if (crp->crp_etype != 0) {
crypto_freereq(crp);
atomic_add_int(&sc->refcount, -1);
OVPN_COUNTER_ADD(sc, lost_data_pkts_in, 1);
OVPN_RUNLOCK(sc);
m_freem(m);
return (0);
}
CURVNET_SET(sc->ifp->if_vnet);
ohdr = mtodo(m, sizeof(struct udphdr));
peerid = ntohl(ohdr->opcode) & 0x00ffffff;
peer = ovpn_find_peer(sc, peerid);
if (peer == NULL) {
/* No such peer. Drop packet. */
crypto_freereq(crp);
atomic_add_int(&sc->refcount, -1);
OVPN_RUNLOCK(sc);
OVPN_COUNTER_ADD(sc, lost_data_pkts_in, 1);
m_freem(m);
CURVNET_RESTORE();
return (0);
}
key = ovpn_find_key(sc, peer, ohdr);
if (key == NULL) {
crypto_freereq(crp);
atomic_add_int(&sc->refcount, -1);
/*
* Has this key been removed between us starting the decrypt
* and finishing it?
*/
OVPN_RUNLOCK(sc);
OVPN_COUNTER_ADD(sc, lost_data_pkts_in, 1);
m_freem(m);
CURVNET_RESTORE();
return (0);
}
/* Now remove the outer headers */
m_adj_decap(m, sizeof(struct udphdr) +
sizeof(struct ovpn_wire_header));
NET_EPOCH_ENTER(et);
ovpn_finish_rx(sc, m, peer, key, ntohl(ohdr->seq), _ovpn_lock_trackerp);
NET_EPOCH_EXIT(et);
OVPN_UNLOCK_ASSERT(sc);
CURVNET_RESTORE();
crypto_freereq(crp);
atomic_add_int(&sc->refcount, -1);
return (0);
}
static int
ovpn_get_af(struct mbuf *m)
{
struct ip *ip;
struct ip6_hdr *ip6;
/*
* We should pullup, but we're only interested in the first byte, so
* that'll always be contiguous.
*/
ip = mtod(m, struct ip *);
if (ip->ip_v == IPVERSION)
return (AF_INET);
ip6 = mtod(m, struct ip6_hdr *);
if ((ip6->ip6_vfc & IPV6_VERSION_MASK) == IPV6_VERSION)
return (AF_INET6);
return (0);
}
#ifdef INET
static struct ovpn_kpeer *
ovpn_find_peer_by_ip(struct ovpn_softc *sc, const struct in_addr addr)
{
struct ovpn_kpeer *peer = NULL;
OVPN_ASSERT(sc);
/* TODO: Add a second RB so we can look up by IP. */
RB_FOREACH(peer, ovpn_kpeers, &sc->peers) {
if (addr.s_addr == peer->vpn4.s_addr)
return (peer);
}
return (peer);
}
#endif
#ifdef INET6
static struct ovpn_kpeer *
ovpn_find_peer_by_ip6(struct ovpn_softc *sc, const struct in6_addr *addr)
{
struct ovpn_kpeer *peer = NULL;
OVPN_ASSERT(sc);
/* TODO: Add a third RB so we can look up by IPv6 address. */
RB_FOREACH(peer, ovpn_kpeers, &sc->peers) {
if (memcmp(addr, &peer->vpn6, sizeof(*addr)) == 0)
return (peer);
}
return (peer);
}
#endif
static struct ovpn_kpeer *
ovpn_route_peer(struct ovpn_softc *sc, struct mbuf **m0,
const struct sockaddr *dst)
{
struct ovpn_kpeer *peer = NULL;
int af;
NET_EPOCH_ASSERT();
OVPN_ASSERT(sc);
/* Shortcut if we're a client (or are a server and have only one client). */
if (sc->peercount == 1)
return (ovpn_find_only_peer(sc));
if (dst != NULL)
af = dst->sa_family;
else
af = ovpn_get_af(*m0);
switch (af) {
#ifdef INET
case AF_INET: {
const struct sockaddr_in *sa = (const struct sockaddr_in *)dst;
struct nhop_object *nh;
const struct in_addr *ip_dst;
if (sa != NULL) {
ip_dst = &sa->sin_addr;
} else {
struct ip *ip;
*m0 = m_pullup(*m0, sizeof(struct ip));
if (*m0 == NULL)
return (NULL);
ip = mtod(*m0, struct ip *);
ip_dst = &ip->ip_dst;
}
peer = ovpn_find_peer_by_ip(sc, *ip_dst);
SDT_PROBE2(if_ovpn, tx, route, ip4, ip_dst, peer);
if (peer == NULL) {
nh = fib4_lookup(M_GETFIB(*m0), *ip_dst, 0,
NHR_NONE, 0);
if (nh && (nh->nh_flags & NHF_GATEWAY)) {
peer = ovpn_find_peer_by_ip(sc,
nh->gw4_sa.sin_addr);
SDT_PROBE2(if_ovpn, tx, route, ip4,
&nh->gw4_sa.sin_addr, peer);
}
}
break;
}
#endif
#ifdef INET6
case AF_INET6: {
const struct sockaddr_in6 *sa6 =
(const struct sockaddr_in6 *)dst;
struct nhop_object *nh;
const struct in6_addr *ip6_dst;
if (sa6 != NULL) {
ip6_dst = &sa6->sin6_addr;
} else {
struct ip6_hdr *ip6;
*m0 = m_pullup(*m0, sizeof(struct ip6_hdr));
if (*m0 == NULL)
return (NULL);
ip6 = mtod(*m0, struct ip6_hdr *);
ip6_dst = &ip6->ip6_dst;
}
peer = ovpn_find_peer_by_ip6(sc, ip6_dst);
SDT_PROBE2(if_ovpn, tx, route, ip6, ip6_dst, peer);
if (peer == NULL) {
nh = fib6_lookup(M_GETFIB(*m0), ip6_dst, 0,
NHR_NONE, 0);
if (nh && (nh->nh_flags & NHF_GATEWAY)) {
peer = ovpn_find_peer_by_ip6(sc,
&nh->gw6_sa.sin6_addr);
SDT_PROBE2(if_ovpn, tx, route, ip6,
&nh->gw6_sa.sin6_addr, peer);
}
}
break;
}
#endif
}
return (peer);
}
static int
ovpn_transmit(struct ifnet *ifp, struct mbuf *m)
{
return (ifp->if_output(ifp, m, NULL, NULL));
}
static int
ovpn_transmit_to_peer(struct ifnet *ifp, struct mbuf *m,
struct ovpn_kpeer *peer, struct rm_priotracker *_ovpn_lock_trackerp)
{
struct ovpn_wire_header *ohdr;
struct ovpn_kkey *key;
struct ovpn_softc *sc;
struct cryptop *crp;
uint32_t af, seq;
uint64_t seq64;
size_t len, ovpn_hdr_len;
int tunnel_len;
int ret;
sc = ifp->if_softc;
OVPN_RASSERT(sc);
tunnel_len = m->m_pkthdr.len;
key = &peer->keys[OVPN_KEY_SLOT_PRIMARY];
if (key->encrypt == NULL) {
if (_ovpn_lock_trackerp != NULL)
OVPN_RUNLOCK(sc);
m_freem(m);
return (ENOLINK);
}
af = ovpn_get_af(m);
/* Don't capture control packets. */
if (af != 0)
BPF_MTAP2(ifp, &af, sizeof(af), m);
if (__predict_false(if_tunnel_check_nesting(ifp, m, MTAG_OVPN_LOOP, 3))) {
if (_ovpn_lock_trackerp != NULL)
OVPN_RUNLOCK(sc);
OVPN_COUNTER_ADD(sc, lost_data_pkts_out, 1);
m_freem(m);
return (ELOOP);
}
len = m->m_pkthdr.len;
MPASS(len <= ifp->if_mtu);
ovpn_hdr_len = sizeof(struct ovpn_wire_header);
if (key->encrypt->cipher == OVPN_CIPHER_ALG_NONE)
ovpn_hdr_len -= 16; /* No auth tag. */
M_PREPEND(m, ovpn_hdr_len, M_NOWAIT);
if (m == NULL) {
if (_ovpn_lock_trackerp != NULL)
OVPN_RUNLOCK(sc);
OVPN_COUNTER_ADD(sc, nomem_data_pkts_out, 1);
return (ENOBUFS);
}
ohdr = mtod(m, struct ovpn_wire_header *);
ohdr->opcode = (OVPN_OP_DATA_V2 << OVPN_OP_SHIFT) | key->keyid;
ohdr->opcode <<= 24;
ohdr->opcode |= key->peerid;
ohdr->opcode = htonl(ohdr->opcode);
seq64 = atomic_fetchadd_64(&peer->keys[OVPN_KEY_SLOT_PRIMARY].encrypt->tx_seq, 1);
if (seq64 == OVPN_SEQ_ROTATE) {
ovpn_notify_key_rotation(sc, peer);
} else if (seq64 > UINT32_MAX) {
/* We've wrapped, give up on this packet. */
if (_ovpn_lock_trackerp != NULL)
OVPN_RUNLOCK(sc);
OVPN_COUNTER_ADD(sc, nomem_data_pkts_out, 1);
/* Let's avoid (very unlikely, but still) wraparounds of the
* 64-bit counter taking us back to 0. */
atomic_store_64(&peer->keys[OVPN_KEY_SLOT_PRIMARY].encrypt->tx_seq,
UINT32_MAX);
return (ENOBUFS);
}
seq = htonl(seq64 & UINT32_MAX);
ohdr->seq = seq;
OVPN_PEER_COUNTER_ADD(peer, pkt_out, 1);
OVPN_PEER_COUNTER_ADD(peer, bytes_out, len);
if (key->encrypt->cipher == OVPN_CIPHER_ALG_NONE) {
ret = ovpn_encap(sc, peer->peerid, m);
if (_ovpn_lock_trackerp != NULL)
OVPN_RUNLOCK(sc);
if (ret == 0) {
OVPN_COUNTER_ADD(sc, sent_data_pkts, 1);
OVPN_COUNTER_ADD(sc, tunnel_bytes_sent, tunnel_len);
}
return (ret);
}
crp = crypto_getreq(key->encrypt->cryptoid, M_NOWAIT);
if (crp == NULL) {
if (_ovpn_lock_trackerp != NULL)
OVPN_RUNLOCK(sc);
OVPN_COUNTER_ADD(sc, nomem_data_pkts_out, 1);
m_freem(m);
return (ENOBUFS);
}
/* Encryption covers only the payload, not the header. */
crp->crp_payload_start = sizeof(*ohdr);
crp->crp_payload_length = len;
crp->crp_op = CRYPTO_OP_ENCRYPT;
/*
* AAD data covers the ovpn_wire_header minus the auth
* tag.
*/
crp->crp_aad_length = sizeof(*ohdr) - sizeof(ohdr->auth_tag);
crp->crp_aad = ohdr;
crp->crp_aad_start = 0;
crp->crp_op |= CRYPTO_OP_COMPUTE_DIGEST;
crp->crp_digest_start = offsetof(struct ovpn_wire_header, auth_tag);
crp->crp_flags |= CRYPTO_F_IV_SEPARATE;
memcpy(crp->crp_iv, &seq, sizeof(seq));
memcpy(crp->crp_iv + sizeof(seq), key->encrypt->nonce,
key->encrypt->noncelen);
crypto_use_mbuf(crp, m);
crp->crp_flags |= CRYPTO_F_CBIFSYNC;
crp->crp_callback = ovpn_encrypt_tx_cb;
crp->crp_opaque = peer;
atomic_add_int(&peer->refcount, 1);
if (_ovpn_lock_trackerp != NULL)
OVPN_RUNLOCK(sc);
if (V_async_crypto)
ret = crypto_dispatch_async(crp, CRYPTO_ASYNC_ORDERED);
else
ret = crypto_dispatch(crp);
if (ret) {
OVPN_COUNTER_ADD(sc, lost_data_pkts_out, 1);
}
return (ret);
}
/*
* Note: Expects to hold the read lock on entry, and will release it itself.
*/
static int
ovpn_encap(struct ovpn_softc *sc, uint32_t peerid, struct mbuf *m)
{
struct udphdr *udp;
struct ovpn_kpeer *peer;
int len;
OVPN_RLOCK_TRACKER;
OVPN_RLOCK(sc);
NET_EPOCH_ASSERT();
peer = ovpn_find_peer(sc, peerid);
if (peer == NULL || sc->ifp->if_link_state != LINK_STATE_UP) {
OVPN_RUNLOCK(sc);
OVPN_COUNTER_ADD(sc, lost_data_pkts_out, 1);
m_freem(m);
return (ENETDOWN);
}
len = m->m_pkthdr.len;
M_PREPEND(m, sizeof(struct udphdr), M_NOWAIT);
if (m == NULL) {
OVPN_RUNLOCK(sc);
OVPN_COUNTER_ADD(sc, nomem_data_pkts_out, 1);
m_freem(m);
return (ENOBUFS);
}
udp = mtod(m, struct udphdr *);
MPASS(peer->local.ss_family == peer->remote.ss_family);
udp->uh_sport = ovpn_get_port(&peer->local);
udp->uh_dport = ovpn_get_port(&peer->remote);
udp->uh_ulen = htons(sizeof(struct udphdr) + len);
switch (peer->remote.ss_family) {
#ifdef INET
case AF_INET: {
struct sockaddr_in *in_local = TO_IN(&peer->local);
struct sockaddr_in *in_remote = TO_IN(&peer->remote);
struct ip *ip;
/*
* This requires knowing the source IP, which we don't. Happily
* we're allowed to keep this at 0, and the checksum won't do
* anything the crypto won't already do.
*/
udp->uh_sum = 0;
/* Set the checksum flags so we recalculate checksums. */
m->m_pkthdr.csum_flags |= CSUM_IP;
m->m_pkthdr.csum_data = offsetof(struct udphdr, uh_sum);
M_PREPEND(m, sizeof(struct ip), M_NOWAIT);
if (m == NULL) {
OVPN_RUNLOCK(sc);
OVPN_COUNTER_ADD(sc, nomem_data_pkts_out, 1);
return (ENOBUFS);
}
ip = mtod(m, struct ip *);
ip->ip_tos = 0;
ip->ip_len = htons(sizeof(struct ip) + sizeof(struct udphdr) +
len);
ip->ip_off = 0;
ip->ip_ttl = V_ip_defttl;
ip->ip_p = IPPROTO_UDP;
ip->ip_sum = 0;
if (in_local->sin_port != 0)
ip->ip_src = in_local->sin_addr;
else
ip->ip_src.s_addr = INADDR_ANY;
ip->ip_dst = in_remote->sin_addr;
OVPN_RUNLOCK(sc);
OVPN_COUNTER_ADD(sc, transport_bytes_sent, m->m_pkthdr.len);
return (ip_output(m, NULL, NULL, 0, NULL, NULL));
}
#endif
#ifdef INET6
case AF_INET6: {
struct sockaddr_in6 *in6_local = TO_IN6(&peer->local);
struct sockaddr_in6 *in6_remote = TO_IN6(&peer->remote);
struct ip6_hdr *ip6;
M_PREPEND(m, sizeof(struct ip6_hdr), M_NOWAIT);
if (m == NULL) {
OVPN_RUNLOCK(sc);
OVPN_COUNTER_ADD(sc, nomem_data_pkts_out, 1);
return (ENOBUFS);
}
m = m_pullup(m, sizeof(*ip6) + sizeof(*udp));
if (m == NULL) {
OVPN_RUNLOCK(sc);
OVPN_COUNTER_ADD(sc, nomem_data_pkts_out, 1);
return (ENOBUFS);
}
ip6 = mtod(m, struct ip6_hdr *);
ip6->ip6_vfc = IPV6_VERSION;
ip6->ip6_flow &= ~IPV6_FLOWINFO_MASK;
ip6->ip6_plen = htons(sizeof(*ip6) + sizeof(struct udphdr) +
len);
ip6->ip6_nxt = IPPROTO_UDP;
ip6->ip6_hlim = V_ip6_defhlim;
memcpy(&ip6->ip6_src, &in6_local->sin6_addr,
sizeof(ip6->ip6_src));
memcpy(&ip6->ip6_dst, &in6_remote->sin6_addr,
sizeof(ip6->ip6_dst));
udp = mtodo(m, sizeof(*ip6));
udp->uh_sum = in6_cksum_pseudo(ip6,
m->m_pkthdr.len - sizeof(struct ip6_hdr),
IPPROTO_UDP, 0);
m->m_pkthdr.csum_flags |= CSUM_UDP_IPV6;
m->m_pkthdr.csum_data = offsetof(struct udphdr, uh_sum);
OVPN_RUNLOCK(sc);
OVPN_COUNTER_ADD(sc, transport_bytes_sent, m->m_pkthdr.len);
return (ip6_output(m, NULL, NULL, IPV6_UNSPECSRC, NULL, NULL,
NULL));
}
#endif
default:
panic("Unsupported address family %d",
peer->remote.ss_family);
}
}
static int
ovpn_output(struct ifnet *ifp, struct mbuf *m, const struct sockaddr *dst,
struct route *ro)
{
struct ovpn_softc *sc;
struct ovpn_kpeer *peer;
OVPN_RLOCK_TRACKER;
sc = ifp->if_softc;
OVPN_RLOCK(sc);
SDT_PROBE1(if_ovpn, tx, transmit, start, m);
if (__predict_false(ifp->if_link_state != LINK_STATE_UP)) {
OVPN_COUNTER_ADD(sc, lost_data_pkts_out, 1);
OVPN_RUNLOCK(sc);
m_freem(m);
return (ENETDOWN);
}
/**
* Only obey 'dst' (i.e. the gateway) if no route is supplied.
* That's our indication that we're being called through pf's route-to,
* and we should route according to 'dst' instead. We can't do so
* consistently, because the usual openvpn configuration sets the first
* non-server IP in the subnet as the gateway. If we always use that
* one we'd end up routing all traffic to the first client.
* tl;dr: 'ro == NULL' tells us pf is doing a route-to, and then but
* only then, we should treat 'dst' as the destination. */
peer = ovpn_route_peer(sc, &m, ro == NULL ? dst : NULL);
if (peer == NULL) {
/* No destination. */
OVPN_COUNTER_ADD(sc, lost_data_pkts_out, 1);
OVPN_RUNLOCK(sc);
m_freem(m);
return (ENETDOWN);
}
return (ovpn_transmit_to_peer(ifp, m, peer, _ovpn_lock_trackerp));
}
static bool
ovpn_check_replay(struct ovpn_kkey_dir *key, uint32_t seq)
{
uint32_t d;
mtx_lock(&key->replay_mtx);
/* Sequence number must be strictly greater than rx_seq */
if (seq <= key->rx_seq) {
mtx_unlock(&key->replay_mtx);
return (false);
}
/* Large jump. The packet authenticated okay, so just accept that. */
if (seq > (key->rx_seq + (sizeof(key->rx_window) * 8))) {
key->rx_seq = seq;
key->rx_window = 0;
mtx_unlock(&key->replay_mtx);
return (true);
}
/* Happy case. */
if ((seq == key->rx_seq + 1) && key->rx_window == 0) {
key->rx_seq++;
mtx_unlock(&key->replay_mtx);
return (true);
}
d = seq - key->rx_seq - 1;
if (key->rx_window & ((uint64_t)1 << d)) {
/* Dupe! */
mtx_unlock(&key->replay_mtx);
return (false);
}
key->rx_window |= (uint64_t)1 << d;
while (key->rx_window & 1) {
key->rx_seq++;
key->rx_window >>= 1;
}
mtx_unlock(&key->replay_mtx);
return (true);
}
static struct ovpn_kpeer *
ovpn_peer_from_mbuf(struct ovpn_softc *sc, struct mbuf *m, int off)
{
struct ovpn_wire_header ohdr;
uint32_t peerid;
const size_t hdrlen = sizeof(ohdr) - sizeof(ohdr.auth_tag);
OVPN_RASSERT(sc);
if (m_length(m, NULL) < (off + sizeof(struct udphdr) + hdrlen))
return (NULL);
m_copydata(m, off + sizeof(struct udphdr), hdrlen, (caddr_t)&ohdr);
peerid = ntohl(ohdr.opcode) & 0x00ffffff;
return (ovpn_find_peer(sc, peerid));
}
static bool
ovpn_udp_input(struct mbuf *m, int off, struct inpcb *inp,
const struct sockaddr *sa, void *ctx)
{
struct ovpn_softc *sc = ctx;
struct ovpn_wire_header tmphdr;
struct ovpn_wire_header *ohdr;
struct udphdr *uhdr;
struct ovpn_kkey *key;
struct cryptop *crp;
struct ovpn_kpeer *peer;
size_t ohdrlen;
int ret;
uint8_t op;
OVPN_RLOCK_TRACKER;
M_ASSERTPKTHDR(m);
OVPN_COUNTER_ADD(sc, transport_bytes_received, m->m_pkthdr.len - off);
ohdrlen = sizeof(*ohdr) - sizeof(ohdr->auth_tag);
OVPN_RLOCK(sc);
peer = ovpn_peer_from_mbuf(sc, m, off);
if (peer == NULL) {
OVPN_RUNLOCK(sc);
return (false);
}
if (m_length(m, NULL) < (off + sizeof(*uhdr) + ohdrlen)) {
/* Short packet. */
OVPN_RUNLOCK(sc);
return (false);
}
m_copydata(m, off + sizeof(*uhdr), ohdrlen, (caddr_t)&tmphdr);
op = ntohl(tmphdr.opcode) >> 24 >> OVPN_OP_SHIFT;
if (op != OVPN_OP_DATA_V2) {
/* Control packet? */
OVPN_RUNLOCK(sc);
return (false);
}
m = m_pullup(m, off + sizeof(*uhdr) + ohdrlen);
if (m == NULL) {
OVPN_RUNLOCK(sc);
OVPN_COUNTER_ADD(sc, nomem_data_pkts_in, 1);
return (true);
}
/*
* Simplify things by getting rid of the preceding headers, we don't
* care about them.
*/
m_adj_decap(m, off);
uhdr = mtodo(m, 0);
ohdr = mtodo(m, sizeof(*uhdr));
key = ovpn_find_key(sc, peer, ohdr);
if (key == NULL || key->decrypt == NULL) {
OVPN_RUNLOCK(sc);
OVPN_COUNTER_ADD(sc, lost_data_pkts_in, 1);
m_freem(m);
return (true);
}
if (key->decrypt->cipher == OVPN_CIPHER_ALG_NONE) {
/* Now remove the outer headers */
m_adj_decap(m, sizeof(struct udphdr) + ohdrlen);
ohdr = mtodo(m, sizeof(*uhdr));
ovpn_finish_rx(sc, m, peer, key, ntohl(ohdr->seq),
_ovpn_lock_trackerp);
OVPN_UNLOCK_ASSERT(sc);
return (true);
}
ohdrlen += sizeof(ohdr->auth_tag);
m = m_pullup(m, sizeof(*uhdr) + ohdrlen);
if (m == NULL) {
OVPN_RUNLOCK(sc);
OVPN_COUNTER_ADD(sc, nomem_data_pkts_in, 1);
return (true);
}
uhdr = mtodo(m, 0);
ohdr = mtodo(m, sizeof(*uhdr));
/* Decrypt */
crp = crypto_getreq(key->decrypt->cryptoid, M_NOWAIT);
if (crp == NULL) {
OVPN_COUNTER_ADD(sc, nomem_data_pkts_in, 1);
OVPN_RUNLOCK(sc);
m_freem(m);
return (true);
}
crp->crp_payload_start = sizeof(struct udphdr) + sizeof(*ohdr);
crp->crp_payload_length = ntohs(uhdr->uh_ulen) -
sizeof(*uhdr) - sizeof(*ohdr);
crp->crp_op = CRYPTO_OP_DECRYPT;
/* AAD validation. */
crp->crp_aad_length = sizeof(*ohdr) - sizeof(ohdr->auth_tag);
crp->crp_aad = ohdr;
crp->crp_aad_start = 0;
crp->crp_op |= CRYPTO_OP_VERIFY_DIGEST;
crp->crp_digest_start = sizeof(struct udphdr) +
offsetof(struct ovpn_wire_header, auth_tag);
crp->crp_flags |= CRYPTO_F_IV_SEPARATE;
memcpy(crp->crp_iv, &ohdr->seq, sizeof(ohdr->seq));
memcpy(crp->crp_iv + sizeof(ohdr->seq), key->decrypt->nonce,
key->decrypt->noncelen);
crypto_use_mbuf(crp, m);
crp->crp_flags |= CRYPTO_F_CBIFSYNC;
crp->crp_callback = ovpn_decrypt_rx_cb;
crp->crp_opaque = sc;
atomic_add_int(&sc->refcount, 1);
OVPN_RUNLOCK(sc);
if (V_async_crypto)
ret = crypto_dispatch_async(crp, CRYPTO_ASYNC_ORDERED);
else
ret = crypto_dispatch(crp);
if (ret != 0) {
OVPN_COUNTER_ADD(sc, lost_data_pkts_in, 1);
}
return (true);
}
static void
ovpn_qflush(struct ifnet *ifp __unused)
{
}
static void
ovpn_flush_rxring(struct ovpn_softc *sc)
{
struct ovpn_notification *n;
OVPN_WASSERT(sc);
while (! buf_ring_empty(sc->notifring)) {
n = buf_ring_dequeue_sc(sc->notifring);
free(n, M_OVPN);
}
}
#ifdef VIMAGE
static void
ovpn_reassign(struct ifnet *ifp, struct vnet *new_vnet __unused,
char *unused __unused)
{
struct ovpn_softc *sc = ifp->if_softc;
struct ovpn_kpeer *peer, *tmppeer;
int ret __diagused;
OVPN_WLOCK(sc);
/* Flush keys & configuration. */
RB_FOREACH_SAFE(peer, ovpn_kpeers, &sc->peers, tmppeer) {
peer->del_reason = OVPN_DEL_REASON_REQUESTED;
ret = _ovpn_del_peer(sc, peer);
MPASS(ret == 0);
}
ovpn_flush_rxring(sc);
OVPN_WUNLOCK(sc);
}
#endif
static int
ovpn_clone_match(struct if_clone *ifc, const char *name)
{
/*
* Allow all names that start with 'ovpn', specifically because pfSense
* uses ovpnc1 / ovpns2
*/
return (strncmp(ovpnname, name, strlen(ovpnname)) == 0);
}
static int
ovpn_clone_create(struct if_clone *ifc, char *name, size_t len,
struct ifc_data *ifd, struct ifnet **ifpp)
{
struct ovpn_softc *sc;
struct ifnet *ifp;
char *dp;
int error, unit, wildcard;
/* Try to see if a special unit was requested. */
error = ifc_name2unit(name, &unit);
if (error != 0)
return (error);
wildcard = (unit < 0);
error = ifc_alloc_unit(ifc, &unit);
if (error != 0)
return (error);
/*
* If no unit had been given, we need to adjust the ifName.
*/
for (dp = name; *dp != '\0'; dp++);
if (wildcard) {
error = snprintf(dp, len - (dp - name), "%d", unit);
if (error > len - (dp - name)) {
/* ifName too long. */
ifc_free_unit(ifc, unit);
return (ENOSPC);
}
dp += error;
}
/* Make sure it doesn't already exist. */
if (ifunit(name) != NULL)
return (EEXIST);
sc = malloc(sizeof(struct ovpn_softc), M_OVPN, M_WAITOK | M_ZERO);
sc->ifp = if_alloc(IFT_ENC);
rm_init_flags(&sc->lock, "if_ovpn_lock", RM_RECURSE);
sc->refcount = 0;
sc->notifring = buf_ring_alloc(32, M_OVPN, M_WAITOK, NULL);
COUNTER_ARRAY_ALLOC(sc->counters, OVPN_COUNTER_SIZE, M_WAITOK);
ifp = sc->ifp;
ifp->if_softc = sc;
strlcpy(ifp->if_xname, name, IFNAMSIZ);
ifp->if_dname = ovpngroupname;
ifp->if_dunit = unit;
ifp->if_addrlen = 0;
ifp->if_mtu = 1428;
ifp->if_flags = IFF_POINTOPOINT | IFF_MULTICAST;
ifp->if_ioctl = ovpn_ioctl;
ifp->if_transmit = ovpn_transmit;
ifp->if_output = ovpn_output;
ifp->if_qflush = ovpn_qflush;
#ifdef VIMAGE
ifp->if_reassign = ovpn_reassign;
#endif
ifp->if_capabilities |= IFCAP_LINKSTATE;
ifp->if_capenable |= IFCAP_LINKSTATE;
if_attach(ifp);
bpfattach(ifp, DLT_NULL, sizeof(uint32_t));
*ifpp = ifp;
return (0);
}
static void
ovpn_clone_destroy_cb(struct epoch_context *ctx)
{
struct ovpn_softc *sc;
sc = __containerof(ctx, struct ovpn_softc, epoch_ctx);
MPASS(sc->peercount == 0);
MPASS(RB_EMPTY(&sc->peers));
COUNTER_ARRAY_FREE(sc->counters, OVPN_COUNTER_SIZE);
if_free(sc->ifp);
free(sc, M_OVPN);
}
static int
ovpn_clone_destroy(struct if_clone *ifc, struct ifnet *ifp, uint32_t flags)
{
struct ovpn_softc *sc;
struct ovpn_kpeer *peer, *tmppeer;
int unit;
int ret __diagused;
sc = ifp->if_softc;
unit = ifp->if_dunit;
OVPN_WLOCK(sc);
if (atomic_load_int(&sc->refcount) > 0) {
OVPN_WUNLOCK(sc);
return (EBUSY);
}
RB_FOREACH_SAFE(peer, ovpn_kpeers, &sc->peers, tmppeer) {
peer->del_reason = OVPN_DEL_REASON_REQUESTED;
ret = _ovpn_del_peer(sc, peer);
MPASS(ret == 0);
}
ovpn_flush_rxring(sc);
buf_ring_free(sc->notifring, M_OVPN);
OVPN_WUNLOCK(sc);
bpfdetach(ifp);
if_detach(ifp);
ifp->if_softc = NULL;
NET_EPOCH_CALL(ovpn_clone_destroy_cb, &sc->epoch_ctx);
if (unit != IF_DUNIT_NONE)
ifc_free_unit(ifc, unit);
NET_EPOCH_DRAIN_CALLBACKS();
return (0);
}
static void
vnet_ovpn_init(const void *unused __unused)
{
struct if_clone_addreq req = {
.match_f = ovpn_clone_match,
.create_f = ovpn_clone_create,
.destroy_f = ovpn_clone_destroy,
};
V_ovpn_cloner = ifc_attach_cloner(ovpngroupname, &req);
}
VNET_SYSINIT(vnet_ovpn_init, SI_SUB_PSEUDO, SI_ORDER_ANY,
vnet_ovpn_init, NULL);
static void
vnet_ovpn_uninit(const void *unused __unused)
{
if_clone_detach(V_ovpn_cloner);
}
VNET_SYSUNINIT(vnet_ovpn_uninit, SI_SUB_PSEUDO, SI_ORDER_ANY,
vnet_ovpn_uninit, NULL);
static int
ovpnmodevent(module_t mod, int type, void *data)
{
switch (type) {
case MOD_LOAD:
/* Done in vnet_ovpn_init() */
break;
case MOD_UNLOAD:
/* Done in vnet_ovpn_uninit() */
break;
default:
return (EOPNOTSUPP);
}
return (0);
}
static moduledata_t ovpn_mod = {
"if_ovpn",
ovpnmodevent,
0
};
DECLARE_MODULE(if_ovpn, ovpn_mod, SI_SUB_PSEUDO, SI_ORDER_ANY);
MODULE_VERSION(if_ovpn, 1);
Reference in a new issue View git blame Copy permalink