24#if defined(ENABLE_DCO) && defined(TARGET_FREEBSD)
29#include <sys/linker.h>
31#include <sys/utsname.h>
33#include <netinet/in.h>
43sockaddr_to_nvlist(
const struct sockaddr *sa)
45 nvlist_t *nvl = nvlist_create(0);
47 nvlist_add_number(nvl,
"af", sa->sa_family);
49 switch (sa->sa_family)
53 const struct sockaddr_in *in = (
const struct sockaddr_in *)sa;
54 nvlist_add_binary(nvl,
"address", &in->sin_addr,
sizeof(in->sin_addr));
55 nvlist_add_number(nvl,
"port", in->sin_port);
61 const struct sockaddr_in6 *in6 = (
const struct sockaddr_in6 *)sa;
62 nvlist_add_binary(nvl,
"address", &in6->sin6_addr,
sizeof(in6->sin6_addr));
63 nvlist_add_number(nvl,
"port", in6->sin6_port);
64 nvlist_add_number(nvl,
"scopeid", in6->sin6_scope_id);
75#if defined(__GNUC__) || defined(__clang__)
76#pragma GCC diagnostic push
77#pragma GCC diagnostic ignored "-Wconversion"
81nvlist_to_sockaddr(
const nvlist_t *nvl,
struct sockaddr_storage *ss)
83 if (!nvlist_exists_number(nvl,
"af"))
87 if (!nvlist_exists_binary(nvl,
"address"))
91 if (!nvlist_exists_number(nvl,
"port"))
96 ss->ss_family = nvlist_get_number(nvl,
"af");
98 switch (ss->ss_family)
102 struct sockaddr_in *in = (
struct sockaddr_in *)ss;
106 in->sin_len =
sizeof(*in);
107 data = nvlist_get_binary(nvl,
"address", &len);
108 ASSERT(len ==
sizeof(in->sin_addr));
109 memcpy(&in->sin_addr, data,
sizeof(in->sin_addr));
110 in->sin_port = nvlist_get_number(nvl,
"port");
116 struct sockaddr_in6 *in6 = (
struct sockaddr_in6 *)ss;
120 in6->sin6_len =
sizeof(*in6);
121 data = nvlist_get_binary(nvl,
"address", &len);
122 ASSERT(len ==
sizeof(in6->sin6_addr));
123 memcpy(&in6->sin6_addr, data,
sizeof(in6->sin6_addr));
124 in6->sin6_port = nvlist_get_number(nvl,
"port");
126 if (nvlist_exists_number(nvl,
"scopeid"))
128 in6->sin6_scope_id = nvlist_get_number(nvl,
"scopeid");
142 struct sockaddr *remoteaddr,
struct in_addr *vpn_ipv4,
struct in6_addr *vpn_ipv6)
145 nvlist_t *nvl, *local_nvl, *remote_nvl;
148 nvl = nvlist_create(0);
154 local_nvl = sockaddr_to_nvlist(localaddr);
155 nvlist_add_nvlist(nvl,
"local", local_nvl);
160 remote_nvl = sockaddr_to_nvlist(remoteaddr);
161 nvlist_add_nvlist(nvl,
"remote", remote_nvl);
166 nvlist_add_binary(nvl,
"vpn_ipv4", &vpn_ipv4->s_addr,
sizeof(vpn_ipv4->s_addr));
171 nvlist_add_binary(nvl,
"vpn_ipv6", vpn_ipv6,
sizeof(*vpn_ipv6));
174 nvlist_add_number(nvl,
"fd", sd);
175 nvlist_add_number(nvl,
"peerid", peerid);
178 snprintf(drv.ifd_name, IFNAMSIZ,
"%s", dco->ifname);
180 drv.ifd_data = nvlist_pack(nvl, &drv.ifd_len);
182 ret = ioctl(dco->fd, SIOCSDRVSPEC, &drv);
191 nvlist_destroy(local_nvl);
195 nvlist_destroy(remote_nvl);
207 ret = pipe2(dco->pipefd, O_CLOEXEC | O_NONBLOCK);
213 dco->fd = socket(AF_INET, SOCK_DGRAM | SOCK_CLOEXEC, 0);
225 close(dco->pipefd[0]);
226 close(dco->pipefd[1]);
237 msg(
M_ERR,
"Failed to open socket");
250 nvl = nvlist_create(0);
251 nvlist_add_number(nvl,
"ifmode", ifmode);
254 snprintf(drv.ifd_name, IFNAMSIZ,
"%s", dco->ifname);
256 drv.ifd_data = nvlist_pack(nvl, &drv.ifd_len);
258 ret = ioctl(dco->fd, SIOCSDRVSPEC, &drv);
271create_interface(
struct tuntap *tt,
const char *dev)
279 snprintf(ifr.ifr_name, IFNAMSIZ,
"ovpn");
280 ret = ioctl(tt->
dco.fd, SIOCIFCREATE2, &ifr);
284 msg(
M_WARN |
M_ERRNO,
"Failed to create interface %s (SIOCIFCREATE2)", ifr.ifr_name);
289 if (!strcmp(dev,
"tun"))
291 ifr.ifr_data =
"ovpn";
295 ifr.ifr_data = (
char *)dev;
298 snprintf(tt->
dco.ifname, IFNAMSIZ,
"%s", ifr.ifr_data);
300 ret = ioctl(tt->
dco.fd, SIOCSIFNAME, &ifr);
305 (void)ioctl(tt->
dco.fd, SIOCIFDESTROY, &ifr);
306 msg(
M_WARN |
M_ERRNO,
"Failed to create interface %s (SIOCSIFNAME)", ifr.ifr_data);
314remove_interface(
struct tuntap *tt)
320 snprintf(ifr.ifr_name, IFNAMSIZ,
"%s", tt->
dco.ifname);
322 ret = ioctl(tt->
dco.fd, SIOCIFDESTROY, &ifr);
328 tt->
dco.ifname[0] = 0;
336 int ret = create_interface(tt, dev);
338 if (ret >= 0 || ret == -EEXIST)
341 int i = IFF_POINTOPOINT | IFF_MULTICAST;
344 i = IFF_BROADCAST | IFF_MULTICAST;
346 dco_set_ifmode(&tt->
dco,
i);
355 remove_interface(tt);
368 nvl = nvlist_create(0);
369 nvlist_add_number(nvl,
"peerid", peerid);
372 snprintf(drv.ifd_name, IFNAMSIZ,
"%s", dco->ifname);
374 drv.ifd_data = nvlist_pack(nvl, &drv.ifd_len);
376 ret = ioctl(dco->fd, SIOCSDRVSPEC, &drv);
397 nvl = nvlist_create(0);
398 nvlist_add_number(nvl,
"peerid", peerid);
401 snprintf(drv.ifd_name, IFNAMSIZ,
"%s", dco->ifname);
403 drv.ifd_data = nvlist_pack(nvl, &drv.ifd_len);
405 ret = ioctl(dco->fd, SIOCSDRVSPEC, &drv);
424 msg(
D_DCO_DEBUG,
"%s: peer-id %d, slot %d", __func__, peerid, slot);
426 nvl = nvlist_create(0);
427 nvlist_add_number(nvl,
"slot", slot);
428 nvlist_add_number(nvl,
"peerid", peerid);
431 snprintf(drv.ifd_name, IFNAMSIZ,
"%s", dco->ifname);
433 drv.ifd_data = nvlist_pack(nvl, &drv.ifd_len);
435 ret = ioctl(dco->fd, SIOCSDRVSPEC, &drv);
448key_to_nvlist(
const uint8_t *
key,
const uint8_t *implicit_iv,
const char *ciphername)
453 nvl = nvlist_create(0);
455 nvlist_add_string(nvl,
"cipher", ciphername);
457 if (strcmp(ciphername,
"none") != 0)
461 nvlist_add_binary(nvl,
"key",
key, key_len);
462 nvlist_add_binary(nvl,
"iv", implicit_iv, 8);
475 snprintf(drv.ifd_name, IFNAMSIZ,
"%s", dco->ifname);
478 ret = ioctl(dco->fd, SIOCSDRVSPEC, &drv);
489 const uint8_t *encrypt_key,
const uint8_t *encrypt_iv,
const uint8_t *decrypt_key,
490 const uint8_t *decrypt_iv,
const char *ciphername)
493 nvlist_t *nvl, *encrypt_nvl, *decrypt_nvl;
496 msg(
D_DCO_DEBUG,
"%s: slot %d, key-id %d, peer-id %d, cipher %s", __func__, slot, keyid, peerid,
499 nvl = nvlist_create(0);
501 nvlist_add_number(nvl,
"slot", slot);
502 nvlist_add_number(nvl,
"keyid", keyid);
503 nvlist_add_number(nvl,
"peerid", peerid);
505 encrypt_nvl = key_to_nvlist(encrypt_key, encrypt_iv, ciphername);
506 decrypt_nvl = key_to_nvlist(decrypt_key, decrypt_iv, ciphername);
508 nvlist_add_nvlist(nvl,
"encrypt", encrypt_nvl);
509 nvlist_add_nvlist(nvl,
"decrypt", decrypt_nvl);
512 snprintf(drv.ifd_name, IFNAMSIZ,
"%s", dco->ifname);
514 drv.ifd_data = nvlist_pack(nvl, &drv.ifd_len);
516 ret = ioctl(dco->fd, SIOCSDRVSPEC, &drv);
523 ret = start_tun(dco);
527 nvlist_destroy(encrypt_nvl);
528 nvlist_destroy(decrypt_nvl);
542 msg(
D_DCO_DEBUG,
"%s: peer-id %d, ping interval %d, ping timeout %d", __func__, peerid,
543 keepalive_interval, keepalive_timeout);
545 nvl = nvlist_create(0);
546 nvlist_add_number(nvl,
"peerid", peerid);
547 nvlist_add_number(nvl,
"interval", keepalive_interval);
548 nvlist_add_number(nvl,
"timeout", keepalive_timeout);
551 snprintf(drv.ifd_name, IFNAMSIZ,
"%s", dco->ifname);
553 drv.ifd_data = nvlist_pack(nvl, &drv.ifd_len);
555 ret = ioctl(dco->fd, SIOCSDRVSPEC, &drv);
577 (void)
read(dco->pipefd[1], buf,
sizeof(buf));
580 snprintf(drv.ifd_name, IFNAMSIZ,
"%s", dco->ifname);
583 drv.ifd_len =
sizeof(buf);
585 ret = ioctl(dco->fd, SIOCGDRVSPEC, &drv);
592 nvl = nvlist_unpack(buf, drv.ifd_len, 0);
599 dco->dco_message_peer_id = nvlist_get_number(nvl,
"peerid");
601 type = nvlist_get_number(nvl,
"notification");
607 if (nvlist_exists_number(nvl,
"del_reason"))
609 uint32_t reason = nvlist_get_number(nvl,
"del_reason");
620 if (nvlist_exists_nvlist(nvl,
"bytes"))
622 const nvlist_t *bytes = nvlist_get_nvlist(nvl,
"bytes");
624 dco->dco_read_bytes = nvlist_get_number(bytes,
"in");
625 dco->dco_write_bytes = nvlist_get_number(bytes,
"out");
639 if (!nvlist_exists_nvlist(nvl,
"address"))
641 msg(
M_WARN,
"Float notification without address");
645 address = nvlist_get_nvlist(nvl,
"address");
646 if (!nvlist_to_sockaddr(
address, &dco->dco_float_peer_ss))
648 msg(
M_WARN,
"Failed to parse float notification");
656 msg(
M_WARN,
"Unknown kernel notification %d", type);
668 struct if_clonereq ifcr;
672 bool available =
false;
676 (void)kldload(
"if_ovpn");
678 fd = socket(AF_INET, SOCK_DGRAM | SOCK_CLOEXEC, 0);
688 ret = ioctl(fd, SIOCIFGCLONERS, &ifcr);
694 buf = malloc(ifcr.ifcr_total * IFNAMSIZ);
700 ifcr.ifcr_count = ifcr.ifcr_total;
701 ifcr.ifcr_buffer = buf;
702 ret = ioctl(fd, SIOCIFGCLONERS, &ifcr);
708 for (
int i = 0;
i < ifcr.ifcr_total;
i++)
710 if (strcmp(buf + (
i * IFNAMSIZ),
"openvpn") == 0)
746 if (!dco || !dco->open)
752 snprintf(drv.ifd_name, IFNAMSIZ,
"%s", dco->ifname);
754 drv.ifd_len =
sizeof(buf);
757 ret = ioctl(dco->fd, SIOCGDRVSPEC, &drv);
764 nvl = nvlist_unpack(buf, drv.ifd_len, 0);
771 if (nvlist_get_number(nvl,
"pending") > 0)
773 (void)
write(dco->pipefd[0],
" ", 1);
781dco_update_peer_stat(
struct multi_context *m, uint32_t peerid,
const nvlist_t *nvl)
785 msg(
M_WARN,
"dco_update_peer_stat: invalid peer ID %d returned by kernel", peerid);
800 size_t buf_size = 4096;
802 const nvlist_t *
const *nvpeers;
806 if (!dco || !dco->open)
812 snprintf(drv.ifd_name, IFNAMSIZ,
"%s", dco->ifname);
816 buf = realloc(buf, buf_size);
817 drv.ifd_len = buf_size;
820 ret = ioctl(dco->fd, SIOCGDRVSPEC, &drv);
821 if (ret && errno == ENOSPC)
834 nvl = nvlist_unpack(buf, drv.ifd_len, 0);
842 if (!nvlist_exists_nvlist_array(nvl,
"peers"))
849 nvpeers = nvlist_get_nvlist_array(nvl,
"peers", &npeers);
850 for (
size_t i = 0;
i < npeers;
i++)
852 const nvlist_t *peer = nvpeers[
i];
853 uint32_t peerid = nvlist_get_number(peer,
"peerid");
855 dco_update_peer_stat(dco->c->multi, peerid, nvlist_get_nvlist(peer,
"bytes"));
862#if defined(__GNUC__) || defined(__clang__)
863#pragma GCC diagnostic pop
876 return "none:AES-256-GCM:AES-192-GCM:AES-128-GCM:CHACHA20-POLY1305";
#define ALLOC_OBJ_GC(dptr, type, gc)
Data Channel Cryptography Module.
int cipher_kt_key_size(const char *ciphername)
Returns the size of keys used by the cipher, in bytes.
static int dco_get_peer_stats_multi(dco_context_t *dco, const bool raise_sigusr1_on_err)
static int dco_set_peer(dco_context_t *dco, unsigned int peerid, int keepalive_interval, int keepalive_timeout, int mss)
static const char * dco_get_supported_ciphers(void)
static int dco_do_read(dco_context_t *dco)
static void dco_event_set(dco_context_t *dco, struct event_set *es, void *arg)
static int open_tun_dco(struct tuntap *tt, openvpn_net_ctx_t *ctx, const char *dev)
static bool dco_available(msglvl_t msglevel)
static bool ovpn_dco_init(struct context *c)
static const char * dco_version_string(struct gc_arena *gc)
static void close_tun_dco(struct tuntap *tt, openvpn_net_ctx_t *ctx)
static int dco_get_peer_stats(struct context *c, const bool raise_sigusr1_on_err)
int dco_del_key(dco_context_t *dco, unsigned int peerid, dco_key_slot_t slot)
int dco_del_peer(dco_context_t *dco, unsigned int peerid)
int dco_swap_keys(dco_context_t *dco, unsigned int peer_id)
int dco_new_peer(dco_context_t *dco, unsigned int peerid, int sd, struct sockaddr *localaddr, struct sockaddr *remoteaddr, struct in_addr *vpn_ipv4, struct in6_addr *vpn_ipv6)
int dco_new_key(dco_context_t *dco, unsigned int peerid, int keyid, dco_key_slot_t slot, const uint8_t *encrypt_key, const uint8_t *encrypt_iv, const uint8_t *decrypt_key, const uint8_t *decrypt_iv, const char *ciphername)
static void event_ctl(struct event_set *es, event_t event, unsigned int rwflags, void *arg)
Header file for server-mode related structures and functions.
@ OVPN_DEL_REASON_TIMEOUT
#define OVPN_GET_PEER_STATS
@ OVPN_DEL_PEER_REASON_EXPIRED
@ OVPN_DEL_PEER_REASON_USERSPACE
Control Channel Common Data Structures.
struct tuntap * tuntap
Tun/tap virtual network interface.
counter_type dco_read_bytes
counter_type dco_write_bytes
Contains all state information for one tunnel.
struct context_2 c2
Level 2 context.
struct context_1 c1
Level 1 context.
Garbage collection arena used to keep track of dynamically allocated memory.
Container for unidirectional cipher and HMAC key material.
Main OpenVPN server state structure.
struct multi_instance ** instances
Array of multi_instances.
Server-mode state structure for one single VPN tunnel.
struct context context
The context structure storing state for this VPN tunnel.