OpenVPN
dco_freebsd.c
Go to the documentation of this file.
1/*
2 * Interface to FreeBSD dco networking code
3 *
4 * Copyright (C) 2022 Rubicon Communications, LLC (Netgate). All Rights Reserved.
5 *
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License version 2
8 * as published by the Free Software Foundation.
9 *
10 * This program is distributed in the hope that it will be useful,
11 * but WITHOUT ANY WARRANTY; without even the implied warranty of
12 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 * GNU General Public License for more details.
14 *
15 * You should have received a copy of the GNU General Public License
16 * along with this program (see the file COPYING included with this
17 * distribution); if not, see <https://www.gnu.org/licenses/>.
18 */
19
20#ifdef HAVE_CONFIG_H
21#include "config.h"
22#endif
23
24#if defined(ENABLE_DCO) && defined(TARGET_FREEBSD)
25
26#include "syshead.h"
27
28#include <sys/param.h>
29#include <sys/linker.h>
30#include <sys/nv.h>
31#include <sys/utsname.h>
32
33#include <netinet/in.h>
34
35#include "dco_freebsd.h"
36#include "dco.h"
37#include "tun.h"
38#include "crypto.h"
39#include "multi.h"
40#include "ssl_common.h"
41
42static nvlist_t *
43sockaddr_to_nvlist(const struct sockaddr *sa)
44{
45 nvlist_t *nvl = nvlist_create(0);
46
47 nvlist_add_number(nvl, "af", sa->sa_family);
48
49 switch (sa->sa_family)
50 {
51 case AF_INET:
52 {
53 const struct sockaddr_in *in = (const struct sockaddr_in *)sa;
54 nvlist_add_binary(nvl, "address", &in->sin_addr, sizeof(in->sin_addr));
55 nvlist_add_number(nvl, "port", in->sin_port);
56 break;
57 }
58
59 case AF_INET6:
60 {
61 const struct sockaddr_in6 *in6 = (const struct sockaddr_in6 *)sa;
62 nvlist_add_binary(nvl, "address", &in6->sin6_addr, sizeof(in6->sin6_addr));
63 nvlist_add_number(nvl, "port", in6->sin6_port);
64 nvlist_add_number(nvl, "scopeid", in6->sin6_scope_id);
65 break;
66 }
67
68 default:
69 ASSERT(0);
70 }
71
72 return (nvl);
73}
74
75static bool
76nvlist_to_sockaddr(const nvlist_t *nvl, struct sockaddr_storage *ss)
77{
78 if (!nvlist_exists_number(nvl, "af"))
79 {
80 return (false);
81 }
82 if (!nvlist_exists_binary(nvl, "address"))
83 {
84 return (false);
85 }
86 if (!nvlist_exists_number(nvl, "port"))
87 {
88 return (false);
89 }
90
91 ss->ss_family = (unsigned char)nvlist_get_number(nvl, "af");
92
93 switch (ss->ss_family)
94 {
95 case AF_INET:
96 {
97 struct sockaddr_in *in = (struct sockaddr_in *)ss;
98 const void *data;
99 size_t len;
100
101 in->sin_len = sizeof(*in);
102 data = nvlist_get_binary(nvl, "address", &len);
103 ASSERT(len == sizeof(in->sin_addr));
104 memcpy(&in->sin_addr, data, sizeof(in->sin_addr));
105 in->sin_port = (in_port_t)nvlist_get_number(nvl, "port");
106 break;
107 }
108
109 case AF_INET6:
110 {
111 struct sockaddr_in6 *in6 = (struct sockaddr_in6 *)ss;
112 const void *data;
113 size_t len;
114
115 in6->sin6_len = sizeof(*in6);
116 data = nvlist_get_binary(nvl, "address", &len);
117 ASSERT(len == sizeof(in6->sin6_addr));
118 memcpy(&in6->sin6_addr, data, sizeof(in6->sin6_addr));
119 in6->sin6_port = (in_port_t)nvlist_get_number(nvl, "port");
120
121 if (nvlist_exists_number(nvl, "scopeid"))
122 {
123 in6->sin6_scope_id = (uint32_t)nvlist_get_number(nvl, "scopeid");
124 }
125 break;
126 }
127
128 default:
129 return (false);
130 }
131
132 return (true);
133}
134
135int
136dco_new_peer(dco_context_t *dco, unsigned int peerid, int sd, struct sockaddr *localaddr,
137 struct sockaddr *remoteaddr, struct in_addr *vpn_ipv4, struct in6_addr *vpn_ipv6)
138{
139 struct ifdrv drv;
140 nvlist_t *nvl, *local_nvl, *remote_nvl;
141 int ret;
142
143 nvl = nvlist_create(0);
144
145 msg(D_DCO_DEBUG, "%s: peer-id %u, fd %d", __func__, peerid, sd);
146
147 if (localaddr)
148 {
149 local_nvl = sockaddr_to_nvlist(localaddr);
150 nvlist_add_nvlist(nvl, "local", local_nvl);
151 }
152
153 if (remoteaddr)
154 {
155 remote_nvl = sockaddr_to_nvlist(remoteaddr);
156 nvlist_add_nvlist(nvl, "remote", remote_nvl);
157 }
158
159 if (vpn_ipv4)
160 {
161 nvlist_add_binary(nvl, "vpn_ipv4", &vpn_ipv4->s_addr, sizeof(vpn_ipv4->s_addr));
162 }
163
164 if (vpn_ipv6)
165 {
166 nvlist_add_binary(nvl, "vpn_ipv6", vpn_ipv6, sizeof(*vpn_ipv6));
167 }
168
169 nvlist_add_number(nvl, "fd", sd);
170 nvlist_add_number(nvl, "peerid", peerid);
171
172 CLEAR(drv);
173 snprintf(drv.ifd_name, IFNAMSIZ, "%s", dco->ifname);
174 drv.ifd_cmd = OVPN_NEW_PEER;
175 drv.ifd_data = nvlist_pack(nvl, &drv.ifd_len);
176
177 ret = ioctl(dco->fd, SIOCSDRVSPEC, &drv);
178 if (ret)
179 {
180 msg(M_ERR | M_ERRNO, "Failed to create new peer");
181 }
182
183 free(drv.ifd_data);
184 if (localaddr)
185 {
186 nvlist_destroy(local_nvl);
187 }
188 if (remoteaddr)
189 {
190 nvlist_destroy(remote_nvl);
191 }
192 nvlist_destroy(nvl);
193
194 return ret;
195}
196
197static int
198open_fd(dco_context_t *dco)
199{
200 int ret;
201
202 ret = pipe2(dco->pipefd, O_CLOEXEC | O_NONBLOCK);
203 if (ret != 0)
204 {
205 return -1;
206 }
207
208 dco->fd = socket(AF_INET, SOCK_DGRAM | SOCK_CLOEXEC, 0);
209 if (dco->fd != -1)
210 {
211 dco->open = true;
212 }
213
214 return dco->fd;
215}
216
217static void
218close_fd(dco_context_t *dco)
219{
220 close(dco->pipefd[0]);
221 close(dco->pipefd[1]);
222 close(dco->fd);
223}
224
225bool
226ovpn_dco_init(struct context *c)
227{
228 c->c1.tuntap->dco.c = c;
229
230 if (open_fd(&c->c1.tuntap->dco) < 0)
231 {
232 msg(M_ERR, "Failed to open socket");
233 return false;
234 }
235 return true;
236}
237
238static int
239dco_set_ifmode(dco_context_t *dco, int ifmode)
240{
241 struct ifdrv drv;
242 nvlist_t *nvl;
243 int ret;
244
245 nvl = nvlist_create(0);
246 nvlist_add_number(nvl, "ifmode", ifmode);
247
248 CLEAR(drv);
249 snprintf(drv.ifd_name, IFNAMSIZ, "%s", dco->ifname);
250 drv.ifd_cmd = OVPN_SET_IFMODE;
251 drv.ifd_data = nvlist_pack(nvl, &drv.ifd_len);
252
253 ret = ioctl(dco->fd, SIOCSDRVSPEC, &drv);
254 if (ret)
255 {
256 msg(M_WARN | M_ERRNO, "dco_set_ifmode: failed to set ifmode=%08x", ifmode);
257 }
258
259 free(drv.ifd_data);
260 nvlist_destroy(nvl);
261
262 return ret;
263}
264
265static int
266create_interface(struct tuntap *tt, const char *dev)
267{
268 int ret;
269 struct ifreq ifr;
270
271 CLEAR(ifr);
272
273 /* Create ovpnx first, then rename it. */
274 snprintf(ifr.ifr_name, IFNAMSIZ, "ovpn");
275 ret = ioctl(tt->dco.fd, SIOCIFCREATE2, &ifr);
276 if (ret)
277 {
278 ret = -errno;
279 msg(M_WARN | M_ERRNO, "Failed to create interface %s (SIOCIFCREATE2)", ifr.ifr_name);
280 return ret;
281 }
282
283 /* Rename */
284 if (!strcmp(dev, "tun"))
285 {
286 ifr.ifr_data = "ovpn";
287 }
288 else
289 {
290 ifr.ifr_data = (char *)dev;
291 }
292
293 snprintf(tt->dco.ifname, IFNAMSIZ, "%s", ifr.ifr_data);
294
295 ret = ioctl(tt->dco.fd, SIOCSIFNAME, &ifr);
296 if (ret)
297 {
298 ret = -errno;
299 /* Delete the created interface again. */
300 (void)ioctl(tt->dco.fd, SIOCIFDESTROY, &ifr);
301 msg(M_WARN | M_ERRNO, "Failed to create interface %s (SIOCSIFNAME)", ifr.ifr_data);
302 return ret;
303 }
304
305 return 0;
306}
307
308static int
309remove_interface(struct tuntap *tt)
310{
311 int ret;
312 struct ifreq ifr;
313
314 CLEAR(ifr);
315 snprintf(ifr.ifr_name, IFNAMSIZ, "%s", tt->dco.ifname);
316
317 ret = ioctl(tt->dco.fd, SIOCIFDESTROY, &ifr);
318 if (ret)
319 {
320 msg(M_ERR | M_ERRNO, "Failed to remove interface %s", ifr.ifr_name);
321 }
322
323 tt->dco.ifname[0] = 0;
324
325 return ret;
326}
327
328int
329open_tun_dco(struct tuntap *tt, openvpn_net_ctx_t *ctx, const char *dev)
330{
331 int ret = create_interface(tt, dev);
332
333 if (ret >= 0 || ret == -EEXIST)
334 {
335 /* see "Interface Flags" in ifnet(9) */
336 int i = IFF_POINTOPOINT | IFF_MULTICAST;
337 if (tt->topology == TOP_SUBNET)
338 {
339 i = IFF_BROADCAST | IFF_MULTICAST;
340 }
341 dco_set_ifmode(&tt->dco, i);
342 }
343
344 return ret;
345}
346
347void
348close_tun_dco(struct tuntap *tt, openvpn_net_ctx_t *ctx)
349{
350 remove_interface(tt);
351 close_fd(&tt->dco);
352}
353
354int
355dco_swap_keys(dco_context_t *dco, unsigned int peerid)
356{
357 struct ifdrv drv;
358 nvlist_t *nvl;
359 int ret;
360
361 msg(D_DCO_DEBUG, "%s: peer-id %u", __func__, peerid);
362
363 nvl = nvlist_create(0);
364 nvlist_add_number(nvl, "peerid", peerid);
365
366 CLEAR(drv);
367 snprintf(drv.ifd_name, IFNAMSIZ, "%s", dco->ifname);
368 drv.ifd_cmd = OVPN_SWAP_KEYS;
369 drv.ifd_data = nvlist_pack(nvl, &drv.ifd_len);
370
371 ret = ioctl(dco->fd, SIOCSDRVSPEC, &drv);
372 if (ret)
373 {
374 msg(M_WARN | M_ERRNO, "Failed to swap keys");
375 }
376
377 free(drv.ifd_data);
378 nvlist_destroy(nvl);
379
380 return ret;
381}
382
383int
384dco_del_peer(dco_context_t *dco, unsigned int peerid)
385{
386 struct ifdrv drv;
387 nvlist_t *nvl;
388 int ret;
389
390 msg(D_DCO_DEBUG, "%s: peer-id %u", __func__, peerid);
391
392 nvl = nvlist_create(0);
393 nvlist_add_number(nvl, "peerid", peerid);
394
395 CLEAR(drv);
396 snprintf(drv.ifd_name, IFNAMSIZ, "%s", dco->ifname);
397 drv.ifd_cmd = OVPN_DEL_PEER;
398 drv.ifd_data = nvlist_pack(nvl, &drv.ifd_len);
399
400 ret = ioctl(dco->fd, SIOCSDRVSPEC, &drv);
401 if (ret)
402 {
403 msg(M_WARN | M_ERRNO, "Failed to delete peer");
404 }
405
406 free(drv.ifd_data);
407 nvlist_destroy(nvl);
408
409 return ret;
410}
411
412int
413dco_del_key(dco_context_t *dco, unsigned int peerid, dco_key_slot_t slot)
414{
415 struct ifdrv drv;
416 nvlist_t *nvl;
417 int ret;
418
419 msg(D_DCO_DEBUG, "%s: peer-id %u, slot %d", __func__, peerid, slot);
420
421 nvl = nvlist_create(0);
422 nvlist_add_number(nvl, "slot", slot);
423 nvlist_add_number(nvl, "peerid", peerid);
424
425 CLEAR(drv);
426 snprintf(drv.ifd_name, IFNAMSIZ, "%s", dco->ifname);
427 drv.ifd_cmd = OVPN_DEL_KEY;
428 drv.ifd_data = nvlist_pack(nvl, &drv.ifd_len);
429
430 ret = ioctl(dco->fd, SIOCSDRVSPEC, &drv);
431 if (ret)
432 {
433 msg(M_WARN | M_ERRNO, "Failed to delete key");
434 }
435
436 free(drv.ifd_data);
437 nvlist_destroy(nvl);
438
439 return ret;
440}
441
442static nvlist_t *
443key_to_nvlist(const uint8_t *key, const uint8_t *implicit_iv, const char *ciphername)
444{
445 nvlist_t *nvl;
446 size_t key_len;
447
448 nvl = nvlist_create(0);
449
450 nvlist_add_string(nvl, "cipher", ciphername);
451
452 if (strcmp(ciphername, "none") != 0)
453 {
454 key_len = cipher_kt_key_size(ciphername);
455
456 nvlist_add_binary(nvl, "key", key, key_len);
457 nvlist_add_binary(nvl, "iv", implicit_iv, 8);
458 }
459
460 return (nvl);
461}
462
463static int
464start_tun(dco_context_t *dco)
465{
466 struct ifdrv drv;
467 int ret;
468
469 CLEAR(drv);
470 snprintf(drv.ifd_name, IFNAMSIZ, "%s", dco->ifname);
471 drv.ifd_cmd = OVPN_START_VPN;
472
473 ret = ioctl(dco->fd, SIOCSDRVSPEC, &drv);
474 if (ret)
475 {
476 msg(M_ERR | M_ERRNO, "Failed to start vpn");
477 }
478
479 return ret;
480}
481
482int
483dco_new_key(dco_context_t *dco, unsigned int peerid, int keyid, dco_key_slot_t slot,
484 const uint8_t *encrypt_key, const uint8_t *encrypt_iv, const uint8_t *decrypt_key,
485 const uint8_t *decrypt_iv, const char *ciphername, bool epoch)
486{
487 struct ifdrv drv;
488 nvlist_t *nvl, *encrypt_nvl, *decrypt_nvl;
489 int ret;
490
491 msg(D_DCO_DEBUG, "%s: slot %d, key-id %d, peer-id %u, cipher %s, epoch %d", __func__, slot, keyid, peerid,
492 ciphername, epoch);
493
494 nvl = nvlist_create(0);
495
496 nvlist_add_number(nvl, "slot", slot);
497 nvlist_add_number(nvl, "keyid", keyid);
498 nvlist_add_number(nvl, "peerid", peerid);
499
500 encrypt_nvl = key_to_nvlist(encrypt_key, encrypt_iv, ciphername);
501 decrypt_nvl = key_to_nvlist(decrypt_key, decrypt_iv, ciphername);
502
503 nvlist_add_nvlist(nvl, "encrypt", encrypt_nvl);
504 nvlist_add_nvlist(nvl, "decrypt", decrypt_nvl);
505
506 CLEAR(drv);
507 snprintf(drv.ifd_name, IFNAMSIZ, "%s", dco->ifname);
508 drv.ifd_cmd = OVPN_NEW_KEY;
509 drv.ifd_data = nvlist_pack(nvl, &drv.ifd_len);
510
511 ret = ioctl(dco->fd, SIOCSDRVSPEC, &drv);
512 if (ret)
513 {
514 msg(M_ERR | M_ERRNO, "Failed to set key");
515 }
516 else
517 {
518 ret = start_tun(dco);
519 }
520
521 free(drv.ifd_data);
522 nvlist_destroy(encrypt_nvl);
523 nvlist_destroy(decrypt_nvl);
524 nvlist_destroy(nvl);
525
526 return ret;
527}
528
529int
530dco_set_peer(dco_context_t *dco, unsigned int peerid, int keepalive_interval, int keepalive_timeout,
531 int mss)
532{
533 struct ifdrv drv;
534 nvlist_t *nvl;
535 int ret;
536
537 msg(D_DCO_DEBUG, "%s: peer-id %u, ping interval %d, ping timeout %d", __func__, peerid,
538 keepalive_interval, keepalive_timeout);
539
540 nvl = nvlist_create(0);
541 nvlist_add_number(nvl, "peerid", peerid);
542 nvlist_add_number(nvl, "interval", keepalive_interval);
543 nvlist_add_number(nvl, "timeout", keepalive_timeout);
544
545 CLEAR(drv);
546 snprintf(drv.ifd_name, IFNAMSIZ, "%s", dco->ifname);
547 drv.ifd_cmd = OVPN_SET_PEER;
548 drv.ifd_data = nvlist_pack(nvl, &drv.ifd_len);
549
550 ret = ioctl(dco->fd, SIOCSDRVSPEC, &drv);
551 if (ret)
552 {
553 msg(M_WARN | M_ERRNO, "Failed to set keepalive");
554 }
555
556 free(drv.ifd_data);
557 nvlist_destroy(nvl);
558
559 return ret;
560}
561
562static void
563dco_update_peer_stat(struct multi_context *m, uint32_t peerid, const nvlist_t *nvl)
564{
565 if (peerid >= m->max_clients || !m->instances[peerid])
566 {
567 msg(M_WARN, "dco_update_peer_stat: invalid peer ID %u returned by kernel", peerid);
568 return;
569 }
570
571 struct multi_instance *mi = m->instances[peerid];
572
573 mi->context.c2.dco_read_bytes = nvlist_get_number(nvl, "in");
574 mi->context.c2.dco_write_bytes = nvlist_get_number(nvl, "out");
575
576 msg(D_DCO_DEBUG, "%s: peer-id %u, dco_read_bytes: " counter_format " dco_write_bytes: " counter_format,
577 __func__, peerid, mi->context.c2.dco_read_bytes, mi->context.c2.dco_write_bytes);
578}
579
580int
581dco_do_read(dco_context_t *dco)
582{
583 struct ifdrv drv;
584 uint8_t buf[4096];
585 nvlist_t *nvl;
586 enum ovpn_notif_type type;
587 int ret;
588
589 /* Flush any pending data from the pipe. */
590 (void)read(dco->pipefd[1], buf, sizeof(buf));
591
592 CLEAR(drv);
593 snprintf(drv.ifd_name, IFNAMSIZ, "%s", dco->ifname);
594 drv.ifd_cmd = OVPN_GET_PKT;
595 drv.ifd_data = buf;
596 drv.ifd_len = sizeof(buf);
597
598 ret = ioctl(dco->fd, SIOCGDRVSPEC, &drv);
599 if (ret)
600 {
601 msg(M_WARN | M_ERRNO, "Failed to read control packet");
602 return -errno;
603 }
604
605 nvl = nvlist_unpack(buf, drv.ifd_len, 0);
606 if (!nvl)
607 {
608 msg(M_WARN, "Failed to unpack nvlist");
609 return -EINVAL;
610 }
611
612 /* dco_message_peer_id is signed int, because other parts of the
613 * code treat "-1" as "this is a message not specific to one peer"
614 */
615 dco->dco_message_peer_id = (int)nvlist_get_number(nvl, "peerid");
616
617 type = (enum ovpn_notif_type)nvlist_get_number(nvl, "notification");
618
619 switch (type)
620 {
621 case OVPN_NOTIF_DEL_PEER:
622 dco->dco_del_peer_reason = OVPN_DEL_PEER_REASON_EXPIRED;
623
624 if (nvlist_exists_number(nvl, "del_reason"))
625 {
626 uint32_t reason = (uint32_t)nvlist_get_number(nvl, "del_reason");
627 if (reason == OVPN_DEL_REASON_TIMEOUT)
628 {
629 dco->dco_del_peer_reason = OVPN_DEL_PEER_REASON_EXPIRED;
630 }
631 else
632 {
633 dco->dco_del_peer_reason = OVPN_DEL_PEER_REASON_USERSPACE;
634 }
635 }
636 msg(D_DCO_DEBUG, "%s: received NOTIF_DEL_PEER for peer-id=%d, reason=%d", __func__,
637 dco->dco_message_peer_id, dco->dco_del_peer_reason);
638
639 if (nvlist_exists_nvlist(nvl, "bytes"))
640 {
641 const nvlist_t *bytes = nvlist_get_nvlist(nvl, "bytes");
642
643 if (dco->c->mode == CM_TOP)
644 {
645 dco_update_peer_stat(dco->c->multi, dco->dco_message_peer_id, bytes);
646 }
647 else
648 {
649 dco->c->c2.dco_read_bytes = nvlist_get_number(bytes, "in");
650 dco->c->c2.dco_write_bytes = nvlist_get_number(bytes, "out");
651 }
652 }
653
654 dco->dco_message_type = OVPN_CMD_DEL_PEER;
655 break;
656
657 case OVPN_NOTIF_ROTATE_KEY:
658 msg(D_DCO_DEBUG, "%s: received NOTIF_ROTATE_KEY for peer-id=%d", __func__,
659 dco->dco_message_peer_id);
660 dco->dco_message_type = OVPN_CMD_SWAP_KEYS;
661 break;
662
663 case OVPN_NOTIF_FLOAT:
664 {
665 const nvlist_t *address;
666
667 if (!nvlist_exists_nvlist(nvl, "address"))
668 {
669 msg(M_WARN, "Float notification without address");
670 break;
671 }
672
673 address = nvlist_get_nvlist(nvl, "address");
674 if (!nvlist_to_sockaddr(address, &dco->dco_float_peer_ss))
675 {
676 msg(M_WARN, "Failed to parse float notification");
677 break;
678 }
679 msg(D_DCO_DEBUG, "%s: received NOTIF_FLOAT for peer-id=%d", __func__,
680 dco->dco_message_peer_id);
681 dco->dco_message_type = OVPN_CMD_FLOAT_PEER;
682 break;
683 }
684
685 default:
686 msg(M_WARN, "%s: unknown kernel notification %d", __func__, type);
687 break;
688 }
689
690 nvlist_destroy(nvl);
691
692 return 0;
693}
694
695bool
696dco_available(msglvl_t msglevel)
697{
698 struct if_clonereq ifcr;
699 char *buf = NULL;
700 int fd;
701 int ret;
702 bool available = false;
703
704 /* Attempt to load the module. Ignore errors, because it might already be
705 * loaded, or built into the kernel. */
706 (void)kldload("if_ovpn");
707
708 fd = socket(AF_INET, SOCK_DGRAM | SOCK_CLOEXEC, 0);
709 if (fd < 0)
710 {
711 return false;
712 }
713
714 CLEAR(ifcr);
715
716 /* List cloners and check if openvpn is there. That tells us if this kernel
717 * supports if_ovpn (i.e. DCO) or not. */
718 ret = ioctl(fd, SIOCIFGCLONERS, &ifcr);
719 if (ret != 0)
720 {
721 goto out;
722 }
723
724 buf = malloc(ifcr.ifcr_total * IFNAMSIZ);
725 if (!buf)
726 {
727 goto out;
728 }
729
730 ifcr.ifcr_count = ifcr.ifcr_total;
731 ifcr.ifcr_buffer = buf;
732 ret = ioctl(fd, SIOCIFGCLONERS, &ifcr);
733 if (ret != 0)
734 {
735 goto out;
736 }
737
738 for (int i = 0; i < ifcr.ifcr_total; i++)
739 {
740 if (strcmp(buf + (i * IFNAMSIZ), "openvpn") == 0)
741 {
742 available = true;
743 goto out;
744 }
745 }
746
747out:
748 free(buf);
749 close(fd);
750
751 return available;
752}
753
754const char *
755dco_version_string(struct gc_arena *gc)
756{
757 struct utsname *uts;
758 ALLOC_OBJ_GC(uts, struct utsname, gc);
759
760 if (uname(uts) != 0)
761 {
762 return "N/A";
763 }
764
765 return uts->version;
766}
767
768void
769dco_event_set(dco_context_t *dco, struct event_set *es, void *arg)
770{
771 struct ifdrv drv;
772 nvlist_t *nvl;
773 uint8_t buf[128];
774 int ret;
775
776 if (!dco || !dco->open)
777 {
778 return;
779 }
780
781 CLEAR(drv);
782 snprintf(drv.ifd_name, IFNAMSIZ, "%s", dco->ifname);
783 drv.ifd_cmd = OVPN_POLL_PKT;
784 drv.ifd_len = sizeof(buf);
785 drv.ifd_data = buf;
786
787 ret = ioctl(dco->fd, SIOCGDRVSPEC, &drv);
788 if (ret)
789 {
790 msg(M_WARN | M_ERRNO, "Failed to poll for packets");
791 return;
792 }
793
794 nvl = nvlist_unpack(buf, drv.ifd_len, 0);
795 if (!nvl)
796 {
797 msg(M_WARN, "Failed to unpack nvlist");
798 return;
799 }
800
801 if (nvlist_get_number(nvl, "pending") > 0)
802 {
803 (void)write(dco->pipefd[0], " ", 1);
804 event_ctl(es, dco->pipefd[1], EVENT_READ, arg);
805 }
806
807 nvlist_destroy(nvl);
808}
809
810int
811dco_get_peer_stats_multi(dco_context_t *dco, const bool raise_sigusr1_on_err)
812{
813 struct ifdrv drv;
814 uint8_t *buf = NULL;
815 size_t buf_size = 4096;
816 nvlist_t *nvl;
817 const nvlist_t *const *nvpeers;
818 size_t npeers;
819 int ret;
820
821 if (!dco || !dco->open)
822 {
823 return 0;
824 }
825
826 msg(D_DCO_DEBUG, __func__);
827
828 CLEAR(drv);
829 snprintf(drv.ifd_name, IFNAMSIZ, "%s", dco->ifname);
830 drv.ifd_cmd = OVPN_GET_PEER_STATS;
831
832retry:
833 buf = realloc(buf, buf_size);
834 drv.ifd_len = buf_size;
835 drv.ifd_data = buf;
836
837 ret = ioctl(dco->fd, SIOCGDRVSPEC, &drv);
838 if (ret && errno == ENOSPC)
839 {
840 buf_size *= 2;
841 goto retry;
842 }
843
844 if (ret)
845 {
846 free(buf);
847 msg(M_WARN | M_ERRNO, "Failed to get peer stats");
848 return -EINVAL;
849 }
850
851 nvl = nvlist_unpack(buf, drv.ifd_len, 0);
852 free(buf);
853 if (!nvl)
854 {
855 msg(M_WARN, "Failed to unpack nvlist");
856 return -EINVAL;
857 }
858
859 if (!nvlist_exists_nvlist_array(nvl, "peers"))
860 {
861 /* no peers */
862 nvlist_destroy(nvl);
863 return 0;
864 }
865
866 nvpeers = nvlist_get_nvlist_array(nvl, "peers", &npeers);
867 for (size_t i = 0; i < npeers; i++)
868 {
869 const nvlist_t *peer = nvpeers[i];
870 uint32_t peerid = (uint32_t)nvlist_get_number(peer, "peerid");
871 const nvlist_t *bytes = nvlist_get_nvlist(peer, "bytes");
872
873 /* we can end here in p2mp mode, or in p2p mode via
874 * the call to "dco_get_peer_stat()"
875 */
876 if (dco->c->mode == CM_TOP)
877 {
878 dco_update_peer_stat(dco->c->multi, peerid, bytes);
879 }
880 else
881 {
882 dco->c->c2.dco_read_bytes = nvlist_get_number(bytes, "in");
883 dco->c->c2.dco_write_bytes = nvlist_get_number(bytes, "out");
884 }
885 }
886
887 nvlist_destroy(nvl);
888 return 0;
889}
890
891/* get stats for a single peer
892 * we can get here for "the peer stats" in p2p client mode, or by
893 * being queried for a particular peer in p2mp mode, for --inactive
894 */
895int
896dco_get_peer_stats(struct context *c, const bool raise_sigusr1_on_err)
897{
898 ASSERT(c->c2.tls_multi);
899 msg(D_DCO_DEBUG, "%s: peer-id %d", __func__, c->c2.tls_multi->dco_peer_id);
900
901 if (c->c2.tls_multi->dco_peer_id < 0)
902 {
903 return -EINVAL; /* DCO not active yet */
904 }
905
906 /* unfortunately, the FreeBSD kernel has no peer-specific query - so
907 * we just get all the stats - and if we're there anyway, we can save it
908 * for all peers, too...
909 */
910 return dco_get_peer_stats_multi(&c->c1.tuntap->dco, raise_sigusr1_on_err);
911}
912
913const char *
914dco_get_supported_ciphers(void)
915{
916 return "none:AES-256-GCM:AES-192-GCM:AES-128-GCM:CHACHA20-POLY1305";
917}
918
919bool
920dco_supports_epoch_data(struct context *c)
921{
922 return false;
923}
924
925#endif /* defined(ENABLE_DCO) && defined(TARGET_FREEBSD) */
ALLOC_OBJ_GC
#define ALLOC_OBJ_GC(dptr, type, gc)
Definition buffer.h:1084
counter_format
#define counter_format
Definition common.h:32
crypto.h
Data Channel Cryptography Module.
cipher_kt_key_size
int cipher_kt_key_size(const char *ciphername)
Returns the size of keys used by the cipher, in bytes.
Definition crypto_openssl.c:673
dco_get_peer_stats_multi
static int dco_get_peer_stats_multi(dco_context_t *dco, const bool raise_sigusr1_on_err)
Definition dco.h:368
dco_set_peer
static int dco_set_peer(dco_context_t *dco, unsigned int peerid, int keepalive_interval, int keepalive_timeout, int mss)
Definition dco.h:340
dco_get_supported_ciphers
static const char * dco_get_supported_ciphers(void)
Definition dco.h:380
dco_supports_epoch_data
static bool dco_supports_epoch_data(struct context *c)
Definition dco.h:386
dco_do_read
static int dco_do_read(dco_context_t *dco)
Definition dco.h:308
dco_event_set
static void dco_event_set(dco_context_t *dco, struct event_set *es, void *arg)
Definition dco.h:315
open_tun_dco
static int open_tun_dco(struct tuntap *tt, openvpn_net_ctx_t *ctx, const char *dev)
Definition dco.h:297
dco_available
static bool dco_available(msglvl_t msglevel)
Definition dco.h:261
ovpn_dco_init
static bool ovpn_dco_init(struct context *c)
Definition dco.h:291
dco_context_t
void * dco_context_t
Definition dco.h:258
dco_version_string
static const char * dco_version_string(struct gc_arena *gc)
Definition dco.h:267
close_tun_dco
static void close_tun_dco(struct tuntap *tt, openvpn_net_ctx_t *ctx)
Definition dco.h:303
dco_get_peer_stats
static int dco_get_peer_stats(struct context *c, const bool raise_sigusr1_on_err)
Definition dco.h:374
dco_freebsd.h
dco_del_key
int dco_del_key(dco_context_t *dco, unsigned int peerid, dco_key_slot_t slot)
Definition dco_win.c:584
dco_del_peer
int dco_del_peer(dco_context_t *dco, unsigned int peerid)
Definition dco_win.c:469
dco_new_peer
int dco_new_peer(dco_context_t *dco, unsigned int peerid, socket_descriptor_t sd, struct sockaddr *localaddr, struct sockaddr *remoteaddr, struct in_addr *vpn_ipv4, struct in6_addr *vpn_ipv6)
Definition dco_win.c:418
dco_swap_keys
int dco_swap_keys(dco_context_t *dco, unsigned int peer_id)
Definition dco_win.c:592
dco_new_key
int dco_new_key(dco_context_t *dco, unsigned int peerid, int keyid, dco_key_slot_t slot, const uint8_t *encrypt_key, const uint8_t *encrypt_iv, const uint8_t *decrypt_key, const uint8_t *decrypt_iv, const char *ciphername, bool epoch)
Definition dco_win.c:529
D_DCO_DEBUG
#define D_DCO_DEBUG
Definition errlevel.h:117
EVENT_READ
#define EVENT_READ
Definition event.h:37
event_ctl
static void event_ctl(struct event_set *es, event_t event, unsigned int rwflags, void *arg)
Definition event.h:182
address
@ address
Definition interactive.c:84
write
@ write
Definition interactive.c:212
read
@ read
Definition interactive.c:211
multi.h
Header file for server-mode related structures and functions.
openvpn_net_ctx_t
void * openvpn_net_ctx_t
Definition networking.h:38
CLEAR
#define CLEAR(x)
Definition basic.h:32
M_ERR
#define M_ERR
Definition error.h:106
msg
#define msg(flags,...)
Definition error.h:152
msglvl_t
unsigned int msglvl_t
Definition error.h:77
ASSERT
#define ASSERT(x)
Definition error.h:219
M_WARN
#define M_WARN
Definition error.h:92
M_ERRNO
#define M_ERRNO
Definition error.h:95
CM_TOP
#define CM_TOP
Definition openvpn.h:483
OVPN_SET_IFMODE
#define OVPN_SET_IFMODE
Definition ovpn_dco_freebsd.h:74
OVPN_SWAP_KEYS
#define OVPN_SWAP_KEYS
Definition ovpn_dco_freebsd.h:67
OVPN_POLL_PKT
#define OVPN_POLL_PKT
Definition ovpn_dco_freebsd.h:72
OVPN_DEL_PEER
#define OVPN_DEL_PEER
Definition ovpn_dco_freebsd.h:64
OVPN_DEL_REASON_TIMEOUT
@ OVPN_DEL_REASON_TIMEOUT
Definition ovpn_dco_freebsd.h:47
OVPN_GET_PKT
#define OVPN_GET_PKT
Definition ovpn_dco_freebsd.h:73
OVPN_GET_PEER_STATS
#define OVPN_GET_PEER_STATS
Definition ovpn_dco_freebsd.h:75
OVPN_START_VPN
#define OVPN_START_VPN
Definition ovpn_dco_freebsd.h:70
OVPN_NEW_KEY
#define OVPN_NEW_KEY
Definition ovpn_dco_freebsd.h:66
OVPN_NEW_PEER
#define OVPN_NEW_PEER
Definition ovpn_dco_freebsd.h:63
ovpn_notif_type
ovpn_notif_type
Definition ovpn_dco_freebsd.h:38
OVPN_NOTIF_DEL_PEER
@ OVPN_NOTIF_DEL_PEER
Definition ovpn_dco_freebsd.h:39
OVPN_NOTIF_ROTATE_KEY
@ OVPN_NOTIF_ROTATE_KEY
Definition ovpn_dco_freebsd.h:40
OVPN_NOTIF_FLOAT
@ OVPN_NOTIF_FLOAT
Definition ovpn_dco_freebsd.h:41
OVPN_SET_PEER
#define OVPN_SET_PEER
Definition ovpn_dco_freebsd.h:69
OVPN_DEL_KEY
#define OVPN_DEL_KEY
Definition ovpn_dco_freebsd.h:68
OVPN_DEL_PEER_REASON_EXPIRED
@ OVPN_DEL_PEER_REASON_EXPIRED
Definition ovpn_dco_linux.h:23
OVPN_DEL_PEER_REASON_USERSPACE
@ OVPN_DEL_PEER_REASON_USERSPACE
Definition ovpn_dco_linux.h:22
OVPN_CMD_FLOAT_PEER
@ OVPN_CMD_FLOAT_PEER
Definition ovpn_dco_win.h:167
OVPN_CMD_SWAP_KEYS
@ OVPN_CMD_SWAP_KEYS
Definition ovpn_dco_win.h:166
OVPN_CMD_DEL_PEER
@ OVPN_CMD_DEL_PEER
Definition ovpn_dco_win.h:165
TOP_SUBNET
#define TOP_SUBNET
Definition proto.h:43
ssl_common.h
Control Channel Common Data Structures.
context_1::tuntap
struct tuntap * tuntap
Tun/tap virtual network interface.
Definition openvpn.h:172
context_2::dco_read_bytes
counter_type dco_read_bytes
Definition openvpn.h:267
context_2::dco_write_bytes
counter_type dco_write_bytes
Definition openvpn.h:270
context_2::tls_multi
struct tls_multi * tls_multi
TLS state structure for this VPN tunnel.
Definition openvpn.h:323
context
Contains all state information for one tunnel.
Definition openvpn.h:474
context::c2
struct context_2 c2
Level 2 context.
Definition openvpn.h:517
context::c1
struct context_1 c1
Level 1 context.
Definition openvpn.h:516
event_set
Definition event.h:130
gc_arena
Garbage collection arena used to keep track of dynamically allocated memory.
Definition buffer.h:116
key
Container for unidirectional cipher and HMAC key material.
Definition crypto.h:152
multi_context
Main OpenVPN server state structure.
Definition multi.h:163
multi_context::max_clients
int max_clients
Definition multi.h:186
multi_context::instances
struct multi_instance ** instances
Array of multi_instances.
Definition multi.h:164
multi_instance
Server-mode state structure for one single VPN tunnel.
Definition multi.h:102
multi_instance::context
struct context context
The context structure storing state for this VPN tunnel.
Definition multi.h:143
tls_multi::dco_peer_id
int dco_peer_id
This is the handle that DCO uses to identify this session with the kernel.
Definition ssl_common.h:724
tuntap
Definition tun.h:183
tuntap::topology
int topology
Definition tun.h:188
tuntap::dco
dco_context_t dco
Definition tun.h:249
es
struct env_set * es
Definition test_pkcs11.c:138
gc
struct gc_arena gc
Definition test_ssl.c:131
Generated by doxygen 1.9.8