24#if defined(ENABLE_DCO) && defined(TARGET_FREEBSD)
29#include <sys/linker.h>
31#include <sys/utsname.h>
33#include <netinet/in.h>
43sockaddr_to_nvlist(
const struct sockaddr *sa)
45 nvlist_t *nvl = nvlist_create(0);
47 nvlist_add_number(nvl,
"af", sa->sa_family);
49 switch (sa->sa_family)
53 const struct sockaddr_in *in = (
const struct sockaddr_in *)sa;
54 nvlist_add_binary(nvl,
"address", &in->sin_addr,
sizeof(in->sin_addr));
55 nvlist_add_number(nvl,
"port", in->sin_port);
61 const struct sockaddr_in6 *in6 = (
const struct sockaddr_in6 *)sa;
62 nvlist_add_binary(nvl,
"address", &in6->sin6_addr,
sizeof(in6->sin6_addr));
63 nvlist_add_number(nvl,
"port", in6->sin6_port);
64 nvlist_add_number(nvl,
"scopeid", in6->sin6_scope_id);
76nvlist_to_sockaddr(
const nvlist_t *nvl,
struct sockaddr_storage *ss)
78 if (!nvlist_exists_number(nvl,
"af"))
82 if (!nvlist_exists_binary(nvl,
"address"))
86 if (!nvlist_exists_number(nvl,
"port"))
91 ss->ss_family = nvlist_get_number(nvl,
"af");
93 switch (ss->ss_family)
97 struct sockaddr_in *in = (
struct sockaddr_in *)ss;
101 in->sin_len =
sizeof(*in);
102 data = nvlist_get_binary(nvl,
"address", &len);
103 ASSERT(len ==
sizeof(in->sin_addr));
104 memcpy(&in->sin_addr, data,
sizeof(in->sin_addr));
105 in->sin_port = nvlist_get_number(nvl,
"port");
111 struct sockaddr_in6 *in6 = (
struct sockaddr_in6 *)ss;
115 in6->sin6_len =
sizeof(*in6);
116 data = nvlist_get_binary(nvl,
"address", &len);
117 ASSERT(len ==
sizeof(in6->sin6_addr));
118 memcpy(&in6->sin6_addr, data,
sizeof(in6->sin6_addr));
119 in6->sin6_port = nvlist_get_number(nvl,
"port");
121 if (nvlist_exists_number(nvl,
"scopeid"))
123 in6->sin6_scope_id = nvlist_get_number(nvl,
"scopeid");
137 struct sockaddr *remoteaddr,
struct in_addr *vpn_ipv4,
struct in6_addr *vpn_ipv6)
140 nvlist_t *nvl, *local_nvl, *remote_nvl;
143 nvl = nvlist_create(0);
149 local_nvl = sockaddr_to_nvlist(localaddr);
150 nvlist_add_nvlist(nvl,
"local", local_nvl);
155 remote_nvl = sockaddr_to_nvlist(remoteaddr);
156 nvlist_add_nvlist(nvl,
"remote", remote_nvl);
161 nvlist_add_binary(nvl,
"vpn_ipv4", &vpn_ipv4->s_addr,
sizeof(vpn_ipv4->s_addr));
166 nvlist_add_binary(nvl,
"vpn_ipv6", vpn_ipv6,
sizeof(*vpn_ipv6));
169 nvlist_add_number(nvl,
"fd", sd);
170 nvlist_add_number(nvl,
"peerid", peerid);
173 snprintf(drv.ifd_name, IFNAMSIZ,
"%s", dco->ifname);
175 drv.ifd_data = nvlist_pack(nvl, &drv.ifd_len);
177 ret = ioctl(dco->fd, SIOCSDRVSPEC, &drv);
186 nvlist_destroy(local_nvl);
190 nvlist_destroy(remote_nvl);
202 ret = pipe2(dco->pipefd, O_CLOEXEC | O_NONBLOCK);
208 dco->fd = socket(AF_INET, SOCK_DGRAM | SOCK_CLOEXEC, 0);
220 close(dco->pipefd[0]);
221 close(dco->pipefd[1]);
232 msg(
M_ERR,
"Failed to open socket");
245 nvl = nvlist_create(0);
246 nvlist_add_number(nvl,
"ifmode", ifmode);
249 snprintf(drv.ifd_name, IFNAMSIZ,
"%s", dco->ifname);
251 drv.ifd_data = nvlist_pack(nvl, &drv.ifd_len);
253 ret = ioctl(dco->fd, SIOCSDRVSPEC, &drv);
266create_interface(
struct tuntap *tt,
const char *dev)
274 snprintf(ifr.ifr_name, IFNAMSIZ,
"ovpn");
275 ret = ioctl(tt->
dco.fd, SIOCIFCREATE2, &ifr);
279 msg(
M_WARN |
M_ERRNO,
"Failed to create interface %s (SIOCIFCREATE2)", ifr.ifr_name);
284 if (!strcmp(dev,
"tun"))
286 ifr.ifr_data =
"ovpn";
290 ifr.ifr_data = (
char *)dev;
293 snprintf(tt->
dco.ifname, IFNAMSIZ,
"%s", ifr.ifr_data);
295 ret = ioctl(tt->
dco.fd, SIOCSIFNAME, &ifr);
300 (void)ioctl(tt->
dco.fd, SIOCIFDESTROY, &ifr);
301 msg(
M_WARN |
M_ERRNO,
"Failed to create interface %s (SIOCSIFNAME)", ifr.ifr_data);
309remove_interface(
struct tuntap *tt)
315 snprintf(ifr.ifr_name, IFNAMSIZ,
"%s", tt->
dco.ifname);
317 ret = ioctl(tt->
dco.fd, SIOCIFDESTROY, &ifr);
323 tt->
dco.ifname[0] = 0;
331 int ret = create_interface(tt, dev);
333 if (ret >= 0 || ret == -EEXIST)
336 int i = IFF_POINTOPOINT | IFF_MULTICAST;
339 i = IFF_BROADCAST | IFF_MULTICAST;
341 dco_set_ifmode(&tt->
dco,
i);
350 remove_interface(tt);
363 nvl = nvlist_create(0);
364 nvlist_add_number(nvl,
"peerid", peerid);
367 snprintf(drv.ifd_name, IFNAMSIZ,
"%s", dco->ifname);
369 drv.ifd_data = nvlist_pack(nvl, &drv.ifd_len);
371 ret = ioctl(dco->fd, SIOCSDRVSPEC, &drv);
392 nvl = nvlist_create(0);
393 nvlist_add_number(nvl,
"peerid", peerid);
396 snprintf(drv.ifd_name, IFNAMSIZ,
"%s", dco->ifname);
398 drv.ifd_data = nvlist_pack(nvl, &drv.ifd_len);
400 ret = ioctl(dco->fd, SIOCSDRVSPEC, &drv);
419 msg(
D_DCO_DEBUG,
"%s: peer-id %d, slot %d", __func__, peerid, slot);
421 nvl = nvlist_create(0);
422 nvlist_add_number(nvl,
"slot", slot);
423 nvlist_add_number(nvl,
"peerid", peerid);
426 snprintf(drv.ifd_name, IFNAMSIZ,
"%s", dco->ifname);
428 drv.ifd_data = nvlist_pack(nvl, &drv.ifd_len);
430 ret = ioctl(dco->fd, SIOCSDRVSPEC, &drv);
443key_to_nvlist(
const uint8_t *
key,
const uint8_t *implicit_iv,
const char *ciphername)
448 nvl = nvlist_create(0);
450 nvlist_add_string(nvl,
"cipher", ciphername);
452 if (strcmp(ciphername,
"none") != 0)
456 nvlist_add_binary(nvl,
"key",
key, key_len);
457 nvlist_add_binary(nvl,
"iv", implicit_iv, 8);
470 snprintf(drv.ifd_name, IFNAMSIZ,
"%s", dco->ifname);
473 ret = ioctl(dco->fd, SIOCSDRVSPEC, &drv);
484 const uint8_t *encrypt_key,
const uint8_t *encrypt_iv,
const uint8_t *decrypt_key,
485 const uint8_t *decrypt_iv,
const char *ciphername)
488 nvlist_t *nvl, *encrypt_nvl, *decrypt_nvl;
491 msg(
D_DCO_DEBUG,
"%s: slot %d, key-id %d, peer-id %d, cipher %s", __func__, slot, keyid, peerid,
494 nvl = nvlist_create(0);
496 nvlist_add_number(nvl,
"slot", slot);
497 nvlist_add_number(nvl,
"keyid", keyid);
498 nvlist_add_number(nvl,
"peerid", peerid);
500 encrypt_nvl = key_to_nvlist(encrypt_key, encrypt_iv, ciphername);
501 decrypt_nvl = key_to_nvlist(decrypt_key, decrypt_iv, ciphername);
503 nvlist_add_nvlist(nvl,
"encrypt", encrypt_nvl);
504 nvlist_add_nvlist(nvl,
"decrypt", decrypt_nvl);
507 snprintf(drv.ifd_name, IFNAMSIZ,
"%s", dco->ifname);
509 drv.ifd_data = nvlist_pack(nvl, &drv.ifd_len);
511 ret = ioctl(dco->fd, SIOCSDRVSPEC, &drv);
518 ret = start_tun(dco);
522 nvlist_destroy(encrypt_nvl);
523 nvlist_destroy(decrypt_nvl);
537 msg(
D_DCO_DEBUG,
"%s: peer-id %d, ping interval %d, ping timeout %d", __func__, peerid,
538 keepalive_interval, keepalive_timeout);
540 nvl = nvlist_create(0);
541 nvlist_add_number(nvl,
"peerid", peerid);
542 nvlist_add_number(nvl,
"interval", keepalive_interval);
543 nvlist_add_number(nvl,
"timeout", keepalive_timeout);
546 snprintf(drv.ifd_name, IFNAMSIZ,
"%s", dco->ifname);
548 drv.ifd_data = nvlist_pack(nvl, &drv.ifd_len);
550 ret = ioctl(dco->fd, SIOCSDRVSPEC, &drv);
572 (void)
read(dco->pipefd[1], buf,
sizeof(buf));
575 snprintf(drv.ifd_name, IFNAMSIZ,
"%s", dco->ifname);
578 drv.ifd_len =
sizeof(buf);
580 ret = ioctl(dco->fd, SIOCGDRVSPEC, &drv);
587 nvl = nvlist_unpack(buf, drv.ifd_len, 0);
594 dco->dco_message_peer_id = nvlist_get_number(nvl,
"peerid");
596 type = nvlist_get_number(nvl,
"notification");
602 if (nvlist_exists_number(nvl,
"del_reason"))
604 uint32_t reason = nvlist_get_number(nvl,
"del_reason");
615 if (nvlist_exists_nvlist(nvl,
"bytes"))
617 const nvlist_t *bytes = nvlist_get_nvlist(nvl,
"bytes");
619 dco->dco_read_bytes = nvlist_get_number(bytes,
"in");
620 dco->dco_write_bytes = nvlist_get_number(bytes,
"out");
634 if (!nvlist_exists_nvlist(nvl,
"address"))
636 msg(
M_WARN,
"Float notification without address");
640 address = nvlist_get_nvlist(nvl,
"address");
641 if (!nvlist_to_sockaddr(
address, &dco->dco_float_peer_ss))
643 msg(
M_WARN,
"Failed to parse float notification");
651 msg(
M_WARN,
"Unknown kernel notification %d", type);
663 struct if_clonereq ifcr;
667 bool available =
false;
671 (void)kldload(
"if_ovpn");
673 fd = socket(AF_INET, SOCK_DGRAM | SOCK_CLOEXEC, 0);
683 ret = ioctl(fd, SIOCIFGCLONERS, &ifcr);
689 buf = malloc(ifcr.ifcr_total * IFNAMSIZ);
695 ifcr.ifcr_count = ifcr.ifcr_total;
696 ifcr.ifcr_buffer = buf;
697 ret = ioctl(fd, SIOCIFGCLONERS, &ifcr);
703 for (
int i = 0;
i < ifcr.ifcr_total;
i++)
705 if (strcmp(buf + (
i * IFNAMSIZ),
"openvpn") == 0)
741 if (!dco || !dco->open)
747 snprintf(drv.ifd_name, IFNAMSIZ,
"%s", dco->ifname);
749 drv.ifd_len =
sizeof(buf);
752 ret = ioctl(dco->fd, SIOCGDRVSPEC, &drv);
759 nvl = nvlist_unpack(buf, drv.ifd_len, 0);
766 if (nvlist_get_number(nvl,
"pending") > 0)
768 (void)
write(dco->pipefd[0],
" ", 1);
776dco_update_peer_stat(
struct multi_context *m, uint32_t peerid,
const nvlist_t *nvl)
780 msg(
M_WARN,
"dco_update_peer_stat: invalid peer ID %d returned by kernel", peerid);
795 size_t buf_size = 4096;
797 const nvlist_t *
const *nvpeers;
801 if (!dco || !dco->open)
807 snprintf(drv.ifd_name, IFNAMSIZ,
"%s", dco->ifname);
811 buf = realloc(buf, buf_size);
812 drv.ifd_len = buf_size;
815 ret = ioctl(dco->fd, SIOCGDRVSPEC, &drv);
816 if (ret && errno == ENOSPC)
829 nvl = nvlist_unpack(buf, drv.ifd_len, 0);
837 if (!nvlist_exists_nvlist_array(nvl,
"peers"))
844 nvpeers = nvlist_get_nvlist_array(nvl,
"peers", &npeers);
845 for (
size_t i = 0;
i < npeers;
i++)
847 const nvlist_t *peer = nvpeers[
i];
848 uint32_t peerid = nvlist_get_number(peer,
"peerid");
850 dco_update_peer_stat(dco->c->multi, peerid, nvlist_get_nvlist(peer,
"bytes"));
867 return "none:AES-256-GCM:AES-192-GCM:AES-128-GCM:CHACHA20-POLY1305";
#define ALLOC_OBJ_GC(dptr, type, gc)
Data Channel Cryptography Module.
int cipher_kt_key_size(const char *ciphername)
Returns the size of keys used by the cipher, in bytes.
static bool dco_available(int msglevel)
static int dco_get_peer_stats_multi(dco_context_t *dco, const bool raise_sigusr1_on_err)
static int dco_set_peer(dco_context_t *dco, unsigned int peerid, int keepalive_interval, int keepalive_timeout, int mss)
static const char * dco_get_supported_ciphers(void)
static int dco_do_read(dco_context_t *dco)
static void dco_event_set(dco_context_t *dco, struct event_set *es, void *arg)
static int open_tun_dco(struct tuntap *tt, openvpn_net_ctx_t *ctx, const char *dev)
static bool ovpn_dco_init(struct context *c)
static const char * dco_version_string(struct gc_arena *gc)
static void close_tun_dco(struct tuntap *tt, openvpn_net_ctx_t *ctx)
static int dco_get_peer_stats(struct context *c, const bool raise_sigusr1_on_err)
int dco_del_key(dco_context_t *dco, unsigned int peerid, dco_key_slot_t slot)
int dco_del_peer(dco_context_t *dco, unsigned int peerid)
int dco_swap_keys(dco_context_t *dco, unsigned int peer_id)
int dco_new_peer(dco_context_t *dco, unsigned int peerid, int sd, struct sockaddr *localaddr, struct sockaddr *remoteaddr, struct in_addr *vpn_ipv4, struct in6_addr *vpn_ipv6)
int dco_new_key(dco_context_t *dco, unsigned int peerid, int keyid, dco_key_slot_t slot, const uint8_t *encrypt_key, const uint8_t *encrypt_iv, const uint8_t *decrypt_key, const uint8_t *decrypt_iv, const char *ciphername)
static void event_ctl(struct event_set *es, event_t event, unsigned int rwflags, void *arg)
Header file for server-mode related structures and functions.
@ OVPN_DEL_REASON_TIMEOUT
#define OVPN_GET_PEER_STATS
@ OVPN_DEL_PEER_REASON_EXPIRED
@ OVPN_DEL_PEER_REASON_USERSPACE
Control Channel Common Data Structures.
struct tuntap * tuntap
Tun/tap virtual network interface.
counter_type dco_read_bytes
counter_type dco_write_bytes
Contains all state information for one tunnel.
struct context_2 c2
Level 2 context.
struct context_1 c1
Level 1 context.
Garbage collection arena used to keep track of dynamically allocated memory.
Container for unidirectional cipher and HMAC key material.
Main OpenVPN server state structure.
struct multi_instance ** instances
Array of multi_instances.
Server-mode state structure for one single VPN tunnel.
struct context context
The context structure storing state for this VPN tunnel.