OpenVPN
dco_freebsd.c
Go to the documentation of this file.
1/*
2 * Interface to FreeBSD dco networking code
3 *
4 * Copyright (C) 2022 Rubicon Communications, LLC (Netgate). All Rights Reserved.
5 *
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License version 2
8 * as published by the Free Software Foundation.
9 *
10 * This program is distributed in the hope that it will be useful,
11 * but WITHOUT ANY WARRANTY; without even the implied warranty of
12 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 * GNU General Public License for more details.
14 *
15 * You should have received a copy of the GNU General Public License
16 * along with this program (see the file COPYING included with this
17 * distribution); if not, see <https://www.gnu.org/licenses/>.
18 */
19
20#ifdef HAVE_CONFIG_H
21#include "config.h"
22#endif
23
24#if defined(ENABLE_DCO) && defined(TARGET_FREEBSD)
25
26#include "syshead.h"
27
28#include <sys/param.h>
29#include <sys/linker.h>
30#include <sys/nv.h>
31#include <sys/utsname.h>
32
33#include <netinet/in.h>
34
35#include "dco_freebsd.h"
36#include "dco.h"
37#include "tun.h"
38#include "crypto.h"
39#include "multi.h"
40#include "ssl_common.h"
41
42static nvlist_t *
43sockaddr_to_nvlist(const struct sockaddr *sa)
44{
45 nvlist_t *nvl = nvlist_create(0);
46
47 nvlist_add_number(nvl, "af", sa->sa_family);
48
49 switch (sa->sa_family)
50 {
51 case AF_INET:
52 {
53 const struct sockaddr_in *in = (const struct sockaddr_in *)sa;
54 nvlist_add_binary(nvl, "address", &in->sin_addr, sizeof(in->sin_addr));
55 nvlist_add_number(nvl, "port", in->sin_port);
56 break;
57 }
58
59 case AF_INET6:
60 {
61 const struct sockaddr_in6 *in6 = (const struct sockaddr_in6 *)sa;
62 nvlist_add_binary(nvl, "address", &in6->sin6_addr, sizeof(in6->sin6_addr));
63 nvlist_add_number(nvl, "port", in6->sin6_port);
64 nvlist_add_number(nvl, "scopeid", in6->sin6_scope_id);
65 break;
66 }
67
68 default:
69 ASSERT(0);
70 }
71
72 return (nvl);
73}
74
75static bool
76nvlist_to_sockaddr(const nvlist_t *nvl, struct sockaddr_storage *ss)
77{
78 if (!nvlist_exists_number(nvl, "af"))
79 {
80 return (false);
81 }
82 if (!nvlist_exists_binary(nvl, "address"))
83 {
84 return (false);
85 }
86 if (!nvlist_exists_number(nvl, "port"))
87 {
88 return (false);
89 }
90
91 ss->ss_family = (unsigned char)nvlist_get_number(nvl, "af");
92
93 switch (ss->ss_family)
94 {
95 case AF_INET:
96 {
97 struct sockaddr_in *in = (struct sockaddr_in *)ss;
98 const void *data;
99 size_t len;
100
101 in->sin_len = sizeof(*in);
102 data = nvlist_get_binary(nvl, "address", &len);
103 ASSERT(len == sizeof(in->sin_addr));
104 memcpy(&in->sin_addr, data, sizeof(in->sin_addr));
105 in->sin_port = (in_port_t)nvlist_get_number(nvl, "port");
106 break;
107 }
108
109 case AF_INET6:
110 {
111 struct sockaddr_in6 *in6 = (struct sockaddr_in6 *)ss;
112 const void *data;
113 size_t len;
114
115 in6->sin6_len = sizeof(*in6);
116 data = nvlist_get_binary(nvl, "address", &len);
117 ASSERT(len == sizeof(in6->sin6_addr));
118 memcpy(&in6->sin6_addr, data, sizeof(in6->sin6_addr));
119 in6->sin6_port = (in_port_t)nvlist_get_number(nvl, "port");
120
121 if (nvlist_exists_number(nvl, "scopeid"))
122 {
123 in6->sin6_scope_id = (uint32_t)nvlist_get_number(nvl, "scopeid");
124 }
125 break;
126 }
127
128 default:
129 return (false);
130 }
131
132 return (true);
133}
134
135int
136dco_new_peer(dco_context_t *dco, unsigned int peerid, int sd, struct sockaddr *localaddr,
137 struct sockaddr *remoteaddr, struct in_addr *vpn_ipv4, struct in6_addr *vpn_ipv6)
138{
139 struct ifdrv drv;
140 nvlist_t *nvl, *local_nvl, *remote_nvl;
141 int ret;
142
143 nvl = nvlist_create(0);
144
145 msg(D_DCO_DEBUG, "%s: peer-id %u, fd %d", __func__, peerid, sd);
146
147 if (localaddr)
148 {
149 local_nvl = sockaddr_to_nvlist(localaddr);
150 nvlist_add_nvlist(nvl, "local", local_nvl);
151 }
152
153 if (remoteaddr)
154 {
155 remote_nvl = sockaddr_to_nvlist(remoteaddr);
156 nvlist_add_nvlist(nvl, "remote", remote_nvl);
157 }
158
159 if (vpn_ipv4)
160 {
161 nvlist_add_binary(nvl, "vpn_ipv4", &vpn_ipv4->s_addr, sizeof(vpn_ipv4->s_addr));
162 }
163
164 if (vpn_ipv6)
165 {
166 nvlist_add_binary(nvl, "vpn_ipv6", vpn_ipv6, sizeof(*vpn_ipv6));
167 }
168
169 nvlist_add_number(nvl, "fd", sd);
170 nvlist_add_number(nvl, "peerid", peerid);
171
172 CLEAR(drv);
173 snprintf(drv.ifd_name, IFNAMSIZ, "%s", dco->ifname);
174 drv.ifd_cmd = OVPN_NEW_PEER;
175 drv.ifd_data = nvlist_pack(nvl, &drv.ifd_len);
176
177 ret = ioctl(dco->fd, SIOCSDRVSPEC, &drv);
178 if (ret)
179 {
180 msg(M_ERR, "Failed to create new peer");
181 }
182
183 free(drv.ifd_data);
184 if (localaddr)
185 {
186 nvlist_destroy(local_nvl);
187 }
188 if (remoteaddr)
189 {
190 nvlist_destroy(remote_nvl);
191 }
192 nvlist_destroy(nvl);
193
194 return ret;
195}
196
197static int
198open_fd(dco_context_t *dco)
199{
200 int ret;
201
202 ret = pipe2(dco->pipefd, O_CLOEXEC | O_NONBLOCK);
203 if (ret != 0)
204 {
205 return -1;
206 }
207
208 dco->fd = socket(AF_LOCAL, SOCK_DGRAM | SOCK_CLOEXEC, 0);
209 if (dco->fd != -1)
210 {
211 dco->open = true;
212 }
213
214 return dco->fd;
215}
216
217static void
218close_fd(dco_context_t *dco)
219{
220 close(dco->pipefd[0]);
221 close(dco->pipefd[1]);
222 close(dco->fd);
223}
224
225bool
226ovpn_dco_init(struct context *c)
227{
228 c->c1.tuntap->dco.c = c;
229
230 if (open_fd(&c->c1.tuntap->dco) < 0)
231 {
232 msg(M_ERR, "Failed to open socket");
233 return false;
234 }
235 return true;
236}
237
238static int
239dco_set_ifmode(dco_context_t *dco, int ifmode)
240{
241 struct ifdrv drv;
242 nvlist_t *nvl;
243 int ret;
244
245 nvl = nvlist_create(0);
246 nvlist_add_number(nvl, "ifmode", ifmode);
247
248 CLEAR(drv);
249 snprintf(drv.ifd_name, IFNAMSIZ, "%s", dco->ifname);
250 drv.ifd_cmd = OVPN_SET_IFMODE;
251 drv.ifd_data = nvlist_pack(nvl, &drv.ifd_len);
252
253 ret = ioctl(dco->fd, SIOCSDRVSPEC, &drv);
254 if (ret)
255 {
256 msg(M_WARN | M_ERRNO, "dco_set_ifmode: failed to set ifmode=%08x", ifmode);
257 }
258
259 free(drv.ifd_data);
260 nvlist_destroy(nvl);
261
262 return ret;
263}
264
265static int
266create_interface(struct tuntap *tt, const char *dev)
267{
268 int ret;
269 struct ifreq ifr;
270
271 CLEAR(ifr);
272
273 /* Create ovpnx first, then rename it. */
274 snprintf(ifr.ifr_name, IFNAMSIZ, "ovpn");
275 ret = ioctl(tt->dco.fd, SIOCIFCREATE2, &ifr);
276 if (ret)
277 {
278 ret = -errno;
279 msg(M_WARN | M_ERRNO, "Failed to create interface %s (SIOCIFCREATE2)", ifr.ifr_name);
280 return ret;
281 }
282
283 /* Rename */
284 if (!strcmp(dev, "tun"))
285 {
286 ifr.ifr_data = "ovpn";
287 }
288 else
289 {
290 ifr.ifr_data = (char *)dev;
291 }
292
293 snprintf(tt->dco.ifname, IFNAMSIZ, "%s", ifr.ifr_data);
294
295 ret = ioctl(tt->dco.fd, SIOCSIFNAME, &ifr);
296 if (ret)
297 {
298 ret = -errno;
299 /* Delete the created interface again. */
300 (void)ioctl(tt->dco.fd, SIOCIFDESTROY, &ifr);
301 msg(M_WARN | M_ERRNO, "Failed to create interface %s (SIOCSIFNAME)", ifr.ifr_data);
302 return ret;
303 }
304
305 return 0;
306}
307
308static int
309remove_interface(struct tuntap *tt)
310{
311 int ret;
312 struct ifreq ifr;
313
314 CLEAR(ifr);
315 snprintf(ifr.ifr_name, IFNAMSIZ, "%s", tt->dco.ifname);
316
317 ret = ioctl(tt->dco.fd, SIOCIFDESTROY, &ifr);
318 if (ret)
319 {
320 msg(M_ERR, "Failed to remove interface %s", ifr.ifr_name);
321 }
322
323 tt->dco.ifname[0] = 0;
324
325 return ret;
326}
327
328int
329open_tun_dco(struct tuntap *tt, openvpn_net_ctx_t *ctx, const char *dev)
330{
331 int ret = create_interface(tt, dev);
332
333 if (ret >= 0 || ret == -EEXIST)
334 {
335 /* see "Interface Flags" in ifnet(9) */
336 int i = IFF_POINTOPOINT | IFF_MULTICAST;
337 if (tt->topology == TOP_SUBNET)
338 {
339 i = IFF_BROADCAST | IFF_MULTICAST;
340 }
341 dco_set_ifmode(&tt->dco, i);
342 }
343
344 return ret;
345}
346
347void
348close_tun_dco(struct tuntap *tt, openvpn_net_ctx_t *ctx)
349{
350 remove_interface(tt);
351 close_fd(&tt->dco);
352}
353
354int
355dco_swap_keys(dco_context_t *dco, unsigned int peerid)
356{
357 struct ifdrv drv;
358 nvlist_t *nvl;
359 int ret;
360
361 msg(D_DCO_DEBUG, "%s: peer-id %u", __func__, peerid);
362
363 nvl = nvlist_create(0);
364 nvlist_add_number(nvl, "peerid", peerid);
365
366 CLEAR(drv);
367 snprintf(drv.ifd_name, IFNAMSIZ, "%s", dco->ifname);
368 drv.ifd_cmd = OVPN_SWAP_KEYS;
369 drv.ifd_data = nvlist_pack(nvl, &drv.ifd_len);
370
371 ret = ioctl(dco->fd, SIOCSDRVSPEC, &drv);
372 if (ret)
373 {
374 msg(M_WARN | M_ERRNO, "Failed to swap keys");
375 }
376
377 free(drv.ifd_data);
378 nvlist_destroy(nvl);
379
380 return ret;
381}
382
383int
384dco_del_peer(dco_context_t *dco, unsigned int peerid)
385{
386 struct ifdrv drv;
387 nvlist_t *nvl;
388 int ret;
389
390 msg(D_DCO_DEBUG, "%s: peer-id %u", __func__, peerid);
391
392 nvl = nvlist_create(0);
393 nvlist_add_number(nvl, "peerid", peerid);
394
395 CLEAR(drv);
396 snprintf(drv.ifd_name, IFNAMSIZ, "%s", dco->ifname);
397 drv.ifd_cmd = OVPN_DEL_PEER;
398 drv.ifd_data = nvlist_pack(nvl, &drv.ifd_len);
399
400 ret = ioctl(dco->fd, SIOCSDRVSPEC, &drv);
401 if (ret)
402 {
403 msg(M_WARN | M_ERRNO, "Failed to delete peer");
404 }
405
406 free(drv.ifd_data);
407 nvlist_destroy(nvl);
408
409 return ret;
410}
411
412int
413dco_del_key(dco_context_t *dco, unsigned int peerid, dco_key_slot_t slot)
414{
415 struct ifdrv drv;
416 nvlist_t *nvl;
417 int ret;
418
419 msg(D_DCO_DEBUG, "%s: peer-id %u, slot %d", __func__, peerid, slot);
420
421 nvl = nvlist_create(0);
422 nvlist_add_number(nvl, "slot", slot);
423 nvlist_add_number(nvl, "peerid", peerid);
424
425 CLEAR(drv);
426 snprintf(drv.ifd_name, IFNAMSIZ, "%s", dco->ifname);
427 drv.ifd_cmd = OVPN_DEL_KEY;
428 drv.ifd_data = nvlist_pack(nvl, &drv.ifd_len);
429
430 ret = ioctl(dco->fd, SIOCSDRVSPEC, &drv);
431 if (ret)
432 {
433 msg(M_WARN | M_ERRNO, "Failed to delete key");
434 }
435
436 free(drv.ifd_data);
437 nvlist_destroy(nvl);
438
439 return ret;
440}
441
442static nvlist_t *
443key_to_nvlist(const uint8_t *key, const uint8_t *implicit_iv, const char *ciphername)
444{
445 nvlist_t *nvl;
446 size_t key_len;
447
448 nvl = nvlist_create(0);
449
450 nvlist_add_string(nvl, "cipher", ciphername);
451
452 if (strcmp(ciphername, "none") != 0)
453 {
454 key_len = cipher_kt_key_size(ciphername);
455
456 nvlist_add_binary(nvl, "key", key, key_len);
457 nvlist_add_binary(nvl, "iv", implicit_iv, 8);
458 }
459
460 return (nvl);
461}
462
463static int
464start_tun(dco_context_t *dco)
465{
466 struct ifdrv drv;
467 int ret;
468
469 CLEAR(drv);
470 snprintf(drv.ifd_name, IFNAMSIZ, "%s", dco->ifname);
471 drv.ifd_cmd = OVPN_START_VPN;
472
473 ret = ioctl(dco->fd, SIOCSDRVSPEC, &drv);
474 if (ret)
475 {
476 msg(M_ERR, "Failed to start vpn");
477 }
478
479 return ret;
480}
481
482int
483dco_new_key(dco_context_t *dco, unsigned int peerid, int keyid, dco_key_slot_t slot,
484 const uint8_t *encrypt_key, const uint8_t *encrypt_iv, const uint8_t *decrypt_key,
485 const uint8_t *decrypt_iv, const char *ciphername, bool epoch)
486{
487 struct ifdrv drv;
488 nvlist_t *nvl, *encrypt_nvl, *decrypt_nvl;
489 int ret;
490
491 msg(D_DCO_DEBUG, "%s: slot %d, key-id %d, peer-id %u, cipher %s, epoch %d", __func__, slot, keyid, peerid,
492 ciphername, epoch);
493
494 nvl = nvlist_create(0);
495
496 nvlist_add_number(nvl, "slot", slot);
497 nvlist_add_number(nvl, "keyid", keyid);
498 nvlist_add_number(nvl, "peerid", peerid);
499
500 encrypt_nvl = key_to_nvlist(encrypt_key, encrypt_iv, ciphername);
501 decrypt_nvl = key_to_nvlist(decrypt_key, decrypt_iv, ciphername);
502
503 nvlist_add_nvlist(nvl, "encrypt", encrypt_nvl);
504 nvlist_add_nvlist(nvl, "decrypt", decrypt_nvl);
505
506 CLEAR(drv);
507 snprintf(drv.ifd_name, IFNAMSIZ, "%s", dco->ifname);
508 drv.ifd_cmd = OVPN_NEW_KEY;
509 drv.ifd_data = nvlist_pack(nvl, &drv.ifd_len);
510
511 ret = ioctl(dco->fd, SIOCSDRVSPEC, &drv);
512 if (ret)
513 {
514 msg(M_ERR, "Failed to set key");
515 }
516 else
517 {
518 ret = start_tun(dco);
519 }
520
521 free(drv.ifd_data);
522 nvlist_destroy(encrypt_nvl);
523 nvlist_destroy(decrypt_nvl);
524 nvlist_destroy(nvl);
525
526 return ret;
527}
528
529int
530dco_set_peer(dco_context_t *dco, unsigned int peerid, int keepalive_interval, int keepalive_timeout,
531 int mss)
532{
533 struct ifdrv drv;
534 nvlist_t *nvl;
535 int ret;
536
537 msg(D_DCO_DEBUG, "%s: peer-id %u, ping interval %d, ping timeout %d", __func__, peerid,
538 keepalive_interval, keepalive_timeout);
539
540 nvl = nvlist_create(0);
541 nvlist_add_number(nvl, "peerid", peerid);
542 nvlist_add_number(nvl, "interval", keepalive_interval);
543 nvlist_add_number(nvl, "timeout", keepalive_timeout);
544
545 CLEAR(drv);
546 snprintf(drv.ifd_name, IFNAMSIZ, "%s", dco->ifname);
547 drv.ifd_cmd = OVPN_SET_PEER;
548 drv.ifd_data = nvlist_pack(nvl, &drv.ifd_len);
549
550 ret = ioctl(dco->fd, SIOCSDRVSPEC, &drv);
551 if (ret)
552 {
553 msg(M_WARN | M_ERRNO, "Failed to set keepalive");
554 }
555
556 free(drv.ifd_data);
557 nvlist_destroy(nvl);
558
559 return ret;
560}
561
562#if defined(__GNUC__) || defined(__clang__)
563#pragma GCC diagnostic push
564#pragma GCC diagnostic ignored "-Wsign-compare"
565#endif
566
567static void
568dco_update_peer_stat(struct multi_context *m, uint32_t peerid, const nvlist_t *nvl)
569{
570 if (peerid >= m->max_clients || !m->instances[peerid])
571 {
572 msg(M_WARN, "dco_update_peer_stat: invalid peer ID %u returned by kernel", peerid);
573 return;
574 }
575
576 struct multi_instance *mi = m->instances[peerid];
577
578 mi->context.c2.dco_read_bytes = nvlist_get_number(nvl, "in");
579 mi->context.c2.dco_write_bytes = nvlist_get_number(nvl, "out");
580
581 msg(D_DCO_DEBUG, "%s: peer-id %u, dco_read_bytes: " counter_format " dco_write_bytes: " counter_format,
582 __func__, peerid, mi->context.c2.dco_read_bytes, mi->context.c2.dco_write_bytes);
583}
584
585#if defined(__GNUC__) || defined(__clang__)
586#pragma GCC diagnostic pop
587#endif
588
589int
590dco_read_and_process(dco_context_t *dco)
591{
592 struct ifdrv drv;
593 uint8_t buf[4096];
594 nvlist_t *nvl;
595 enum ovpn_notif_type type;
596 int ret;
597
598 /* Flush any pending data from the pipe. */
599 (void)read(dco->pipefd[1], buf, sizeof(buf));
600
601 CLEAR(drv);
602 snprintf(drv.ifd_name, IFNAMSIZ, "%s", dco->ifname);
603 drv.ifd_cmd = OVPN_GET_PKT;
604 drv.ifd_data = buf;
605 drv.ifd_len = sizeof(buf);
606
607 ret = ioctl(dco->fd, SIOCGDRVSPEC, &drv);
608 if (ret)
609 {
610 msg(M_WARN | M_ERRNO, "Failed to read control packet");
611 return -errno;
612 }
613
614 nvl = nvlist_unpack(buf, drv.ifd_len, 0);
615 if (!nvl)
616 {
617 msg(M_WARN, "Failed to unpack nvlist");
618 return -EINVAL;
619 }
620
621 /* dco_message_peer_id is signed int, because other parts of the
622 * code treat "-1" as "this is a message not specific to one peer"
623 */
624 dco->dco_message_peer_id = (int)nvlist_get_number(nvl, "peerid");
625
626 type = (enum ovpn_notif_type)nvlist_get_number(nvl, "notification");
627
628 switch (type)
629 {
630 case OVPN_NOTIF_DEL_PEER:
631 dco->dco_del_peer_reason = OVPN_DEL_PEER_REASON_EXPIRED;
632
633 if (nvlist_exists_number(nvl, "del_reason"))
634 {
635 uint32_t reason = (uint32_t)nvlist_get_number(nvl, "del_reason");
636 if (reason == OVPN_DEL_REASON_TIMEOUT)
637 {
638 dco->dco_del_peer_reason = OVPN_DEL_PEER_REASON_EXPIRED;
639 }
640 else
641 {
642 dco->dco_del_peer_reason = OVPN_DEL_PEER_REASON_USERSPACE;
643 }
644 }
645 msg(D_DCO_DEBUG, "%s: received NOTIF_DEL_PEER for peer-id=%d, reason=%d", __func__,
646 dco->dco_message_peer_id, dco->dco_del_peer_reason);
647
648 if (nvlist_exists_nvlist(nvl, "bytes"))
649 {
650 const nvlist_t *bytes = nvlist_get_nvlist(nvl, "bytes");
651
652 if (dco->c->mode == CM_TOP)
653 {
654 dco_update_peer_stat(dco->c->multi, dco->dco_message_peer_id, bytes);
655 }
656 else
657 {
658 dco->c->c2.dco_read_bytes = nvlist_get_number(bytes, "in");
659 dco->c->c2.dco_write_bytes = nvlist_get_number(bytes, "out");
660 }
661 }
662
663 dco->dco_message_type = OVPN_CMD_DEL_PEER;
664 break;
665
666 case OVPN_NOTIF_ROTATE_KEY:
667 msg(D_DCO_DEBUG, "%s: received NOTIF_ROTATE_KEY for peer-id=%d", __func__,
668 dco->dco_message_peer_id);
669 dco->dco_message_type = OVPN_CMD_SWAP_KEYS;
670 break;
671
672 case OVPN_NOTIF_FLOAT:
673 {
674 const nvlist_t *address;
675
676 if (!nvlist_exists_nvlist(nvl, "address"))
677 {
678 msg(M_WARN, "Float notification without address");
679 break;
680 }
681
682 address = nvlist_get_nvlist(nvl, "address");
683 if (!nvlist_to_sockaddr(address, &dco->dco_float_peer_ss))
684 {
685 msg(M_WARN, "Failed to parse float notification");
686 break;
687 }
688 msg(D_DCO_DEBUG, "%s: received NOTIF_FLOAT for peer-id=%d", __func__,
689 dco->dco_message_peer_id);
690 dco->dco_message_type = OVPN_CMD_FLOAT_PEER;
691 break;
692 }
693
694 default:
695 msg(M_WARN, "%s: unknown kernel notification %d", __func__, type);
696 dco->dco_message_type = 0;
697 break;
698 }
699
700 nvlist_destroy(nvl);
701
702 if (dco->c->mode == CM_TOP)
703 {
704 multi_process_incoming_dco(dco);
705 }
706 else
707 {
708 process_incoming_dco(dco);
709 }
710
711 return 0;
712}
713
714bool
715dco_available(msglvl_t msglevel)
716{
717 struct if_clonereq ifcr;
718 char *buf = NULL;
719 int fd;
720 int ret;
721 bool available = false;
722
723 /* Attempt to load the module. Ignore errors, because it might already be
724 * loaded, or built into the kernel. */
725 (void)kldload("if_ovpn");
726
727 fd = socket(AF_LOCAL, SOCK_DGRAM | SOCK_CLOEXEC, 0);
728 if (fd < 0)
729 {
730 msg(M_WARN | M_ERRNO, "%s: socket() failed, disabling data channel offload", __func__);
731 return false;
732 }
733
734 CLEAR(ifcr);
735
736 /* List cloners and check if openvpn is there. That tells us if this kernel
737 * supports if_ovpn (i.e. DCO) or not. */
738 ret = ioctl(fd, SIOCIFGCLONERS, &ifcr);
739 if (ret != 0)
740 {
741 goto out;
742 }
743
744 buf = malloc(ifcr.ifcr_total * IFNAMSIZ);
745 if (!buf)
746 {
747 goto out;
748 }
749
750 ifcr.ifcr_count = ifcr.ifcr_total;
751 ifcr.ifcr_buffer = buf;
752 ret = ioctl(fd, SIOCIFGCLONERS, &ifcr);
753 if (ret != 0)
754 {
755 goto out;
756 }
757
758 for (int i = 0; i < ifcr.ifcr_total; i++)
759 {
760 if (strcmp(buf + (i * IFNAMSIZ), "openvpn") == 0)
761 {
762 available = true;
763 goto out;
764 }
765 }
766
767out:
768 free(buf);
769 close(fd);
770
771 return available;
772}
773
774const char *
775dco_version_string(struct gc_arena *gc)
776{
777 struct utsname *uts;
778 ALLOC_OBJ_GC(uts, struct utsname, gc);
779
780 if (uname(uts) != 0)
781 {
782 return "N/A";
783 }
784
785 return uts->version;
786}
787
788void
789dco_event_set(dco_context_t *dco, struct event_set *es, void *arg)
790{
791 struct ifdrv drv;
792 nvlist_t *nvl;
793 uint8_t buf[128];
794 int ret;
795
796 if (!dco || !dco->open)
797 {
798 return;
799 }
800
801 CLEAR(drv);
802 snprintf(drv.ifd_name, IFNAMSIZ, "%s", dco->ifname);
803 drv.ifd_cmd = OVPN_POLL_PKT;
804 drv.ifd_len = sizeof(buf);
805 drv.ifd_data = buf;
806
807 ret = ioctl(dco->fd, SIOCGDRVSPEC, &drv);
808 if (ret)
809 {
810 msg(M_WARN | M_ERRNO, "Failed to poll for packets");
811 return;
812 }
813
814 nvl = nvlist_unpack(buf, drv.ifd_len, 0);
815 if (!nvl)
816 {
817 msg(M_WARN, "Failed to unpack nvlist");
818 return;
819 }
820
821 if (nvlist_get_number(nvl, "pending") > 0)
822 {
823 (void)write(dco->pipefd[0], " ", 1);
824 event_ctl(es, dco->pipefd[1], EVENT_READ, arg);
825 }
826
827 nvlist_destroy(nvl);
828}
829
830int
831dco_get_peer_stats_multi(dco_context_t *dco, const bool raise_sigusr1_on_err)
832{
833 struct ifdrv drv;
834 uint8_t *buf = NULL;
835 size_t buf_size = 4096;
836 nvlist_t *nvl;
837 const nvlist_t *const *nvpeers;
838 size_t npeers;
839 int ret;
840
841 if (!dco || !dco->open)
842 {
843 return 0;
844 }
845
846 msg(D_DCO_DEBUG, __func__);
847
848 CLEAR(drv);
849 snprintf(drv.ifd_name, IFNAMSIZ, "%s", dco->ifname);
850 drv.ifd_cmd = OVPN_GET_PEER_STATS;
851
852retry:
853 buf = realloc(buf, buf_size);
854 drv.ifd_len = buf_size;
855 drv.ifd_data = buf;
856
857 ret = ioctl(dco->fd, SIOCGDRVSPEC, &drv);
858 if (ret && errno == ENOSPC)
859 {
860 buf_size *= 2;
861 goto retry;
862 }
863
864 if (ret)
865 {
866 free(buf);
867 msg(M_WARN | M_ERRNO, "Failed to get peer stats");
868 return -EINVAL;
869 }
870
871 nvl = nvlist_unpack(buf, drv.ifd_len, 0);
872 free(buf);
873 if (!nvl)
874 {
875 msg(M_WARN, "Failed to unpack nvlist");
876 return -EINVAL;
877 }
878
879 if (!nvlist_exists_nvlist_array(nvl, "peers"))
880 {
881 /* no peers */
882 nvlist_destroy(nvl);
883 return 0;
884 }
885
886 nvpeers = nvlist_get_nvlist_array(nvl, "peers", &npeers);
887 for (size_t i = 0; i < npeers; i++)
888 {
889 const nvlist_t *peer = nvpeers[i];
890 uint32_t peerid = (uint32_t)nvlist_get_number(peer, "peerid");
891 const nvlist_t *bytes = nvlist_get_nvlist(peer, "bytes");
892
893 /* we can end here in p2mp mode, or in p2p mode via
894 * the call to "dco_get_peer_stat()"
895 */
896 if (dco->c->mode == CM_TOP)
897 {
898 dco_update_peer_stat(dco->c->multi, peerid, bytes);
899 }
900 else
901 {
902 dco->c->c2.dco_read_bytes = nvlist_get_number(bytes, "in");
903 dco->c->c2.dco_write_bytes = nvlist_get_number(bytes, "out");
904 }
905 }
906
907 nvlist_destroy(nvl);
908 return 0;
909}
910
911/* get stats for a single peer
912 * we can get here for "the peer stats" in p2p client mode, or by
913 * being queried for a particular peer in p2mp mode, for --inactive
914 */
915int
916dco_get_peer_stats(struct context *c, const bool raise_sigusr1_on_err)
917{
918 ASSERT(c->c2.tls_multi);
919 msg(D_DCO_DEBUG, "%s: peer-id %d", __func__, c->c2.tls_multi->dco_peer_id);
920
921 if (c->c2.tls_multi->dco_peer_id < 0)
922 {
923 return -EINVAL; /* DCO not active yet */
924 }
925
926 /* unfortunately, the FreeBSD kernel has no peer-specific query - so
927 * we just get all the stats - and if we're there anyway, we can save it
928 * for all peers, too...
929 */
930 return dco_get_peer_stats_multi(&c->c1.tuntap->dco, raise_sigusr1_on_err);
931}
932
933const char *
934dco_get_supported_ciphers(void)
935{
936 return "none:AES-256-GCM:AES-192-GCM:AES-128-GCM:CHACHA20-POLY1305";
937}
938
939bool
940dco_supports_epoch_data(struct context *c)
941{
942 return false;
943}
944
945#endif /* defined(ENABLE_DCO) && defined(TARGET_FREEBSD) */
ALLOC_OBJ_GC
#define ALLOC_OBJ_GC(dptr, type, gc)
Definition buffer.h:1120
counter_format
#define counter_format
Definition common.h:32
crypto.h
Data Channel Cryptography Module.
cipher_kt_key_size
int cipher_kt_key_size(const char *ciphername)
Returns the size of keys used by the cipher, in bytes.
Definition crypto_openssl.c:673
dco_get_peer_stats_multi
static int dco_get_peer_stats_multi(dco_context_t *dco, const bool raise_sigusr1_on_err)
Definition dco.h:369
dco_set_peer
static int dco_set_peer(dco_context_t *dco, unsigned int peerid, int keepalive_interval, int keepalive_timeout, int mss)
Definition dco.h:341
dco_get_supported_ciphers
static const char * dco_get_supported_ciphers(void)
Definition dco.h:381
dco_supports_epoch_data
static bool dco_supports_epoch_data(struct context *c)
Definition dco.h:387
dco_event_set
static void dco_event_set(dco_context_t *dco, struct event_set *es, void *arg)
Definition dco.h:316
open_tun_dco
static int open_tun_dco(struct tuntap *tt, openvpn_net_ctx_t *ctx, const char *dev)
Definition dco.h:298
dco_read_and_process
static int dco_read_and_process(dco_context_t *dco)
Definition dco.h:309
dco_available
static bool dco_available(msglvl_t msglevel)
Definition dco.h:262
ovpn_dco_init
static bool ovpn_dco_init(struct context *c)
Definition dco.h:292
dco_context_t
void * dco_context_t
Definition dco.h:259
dco_version_string
static const char * dco_version_string(struct gc_arena *gc)
Definition dco.h:268
close_tun_dco
static void close_tun_dco(struct tuntap *tt, openvpn_net_ctx_t *ctx)
Definition dco.h:304
dco_get_peer_stats
static int dco_get_peer_stats(struct context *c, const bool raise_sigusr1_on_err)
Definition dco.h:375
dco_freebsd.h
dco_del_key
int dco_del_key(dco_context_t *dco, unsigned int peerid, dco_key_slot_t slot)
Definition dco_win.c:584
dco_del_peer
int dco_del_peer(dco_context_t *dco, unsigned int peerid)
Definition dco_win.c:469
dco_new_peer
int dco_new_peer(dco_context_t *dco, unsigned int peerid, socket_descriptor_t sd, struct sockaddr *localaddr, struct sockaddr *remoteaddr, struct in_addr *vpn_ipv4, struct in6_addr *vpn_ipv6)
Definition dco_win.c:418
dco_swap_keys
int dco_swap_keys(dco_context_t *dco, unsigned int peer_id)
Definition dco_win.c:592
dco_new_key
int dco_new_key(dco_context_t *dco, unsigned int peerid, int keyid, dco_key_slot_t slot, const uint8_t *encrypt_key, const uint8_t *encrypt_iv, const uint8_t *decrypt_key, const uint8_t *decrypt_iv, const char *ciphername, bool epoch)
Definition dco_win.c:529
D_DCO_DEBUG
#define D_DCO_DEBUG
Definition errlevel.h:117
EVENT_READ
#define EVENT_READ
Definition event.h:37
event_ctl
static void event_ctl(struct event_set *es, event_t event, unsigned int rwflags, void *arg)
Definition event.h:180
process_incoming_dco
void process_incoming_dco(dco_context_t *dco)
Process an incoming DCO message (from kernel space).
Definition forward.c:1247
address
@ address
Definition interactive.c:84
write
@ write
Definition interactive.c:213
read
@ read
Definition interactive.c:212
multi.h
Header file for server-mode related structures and functions.
multi_process_incoming_dco
void multi_process_incoming_dco(dco_context_t *dco)
Process an incoming DCO message (from kernel space).
openvpn_net_ctx_t
void * openvpn_net_ctx_t
Definition networking.h:38
CLEAR
#define CLEAR(x)
Definition basic.h:32
M_ERR
#define M_ERR
Definition error.h:106
msg
#define msg(flags,...)
Definition error.h:152
msglvl_t
unsigned int msglvl_t
Definition error.h:77
ASSERT
#define ASSERT(x)
Definition error.h:219
M_WARN
#define M_WARN
Definition error.h:92
M_ERRNO
#define M_ERRNO
Definition error.h:95
CM_TOP
#define CM_TOP
Definition openvpn.h:480
OVPN_SET_IFMODE
#define OVPN_SET_IFMODE
Definition ovpn_dco_freebsd.h:74
OVPN_SWAP_KEYS
#define OVPN_SWAP_KEYS
Definition ovpn_dco_freebsd.h:67
OVPN_POLL_PKT
#define OVPN_POLL_PKT
Definition ovpn_dco_freebsd.h:72
OVPN_DEL_PEER
#define OVPN_DEL_PEER
Definition ovpn_dco_freebsd.h:64
OVPN_DEL_REASON_TIMEOUT
@ OVPN_DEL_REASON_TIMEOUT
Definition ovpn_dco_freebsd.h:47
OVPN_GET_PKT
#define OVPN_GET_PKT
Definition ovpn_dco_freebsd.h:73
OVPN_GET_PEER_STATS
#define OVPN_GET_PEER_STATS
Definition ovpn_dco_freebsd.h:75
OVPN_START_VPN
#define OVPN_START_VPN
Definition ovpn_dco_freebsd.h:70
OVPN_NEW_KEY
#define OVPN_NEW_KEY
Definition ovpn_dco_freebsd.h:66
OVPN_NEW_PEER
#define OVPN_NEW_PEER
Definition ovpn_dco_freebsd.h:63
ovpn_notif_type
ovpn_notif_type
Definition ovpn_dco_freebsd.h:38
OVPN_NOTIF_DEL_PEER
@ OVPN_NOTIF_DEL_PEER
Definition ovpn_dco_freebsd.h:39
OVPN_NOTIF_ROTATE_KEY
@ OVPN_NOTIF_ROTATE_KEY
Definition ovpn_dco_freebsd.h:40
OVPN_NOTIF_FLOAT
@ OVPN_NOTIF_FLOAT
Definition ovpn_dco_freebsd.h:41
OVPN_SET_PEER
#define OVPN_SET_PEER
Definition ovpn_dco_freebsd.h:69
OVPN_DEL_KEY
#define OVPN_DEL_KEY
Definition ovpn_dco_freebsd.h:68
OVPN_DEL_PEER_REASON_EXPIRED
@ OVPN_DEL_PEER_REASON_EXPIRED
Definition ovpn_dco_linux.h:23
OVPN_DEL_PEER_REASON_USERSPACE
@ OVPN_DEL_PEER_REASON_USERSPACE
Definition ovpn_dco_linux.h:22
OVPN_CMD_FLOAT_PEER
@ OVPN_CMD_FLOAT_PEER
Definition ovpn_dco_win.h:167
OVPN_CMD_SWAP_KEYS
@ OVPN_CMD_SWAP_KEYS
Definition ovpn_dco_win.h:166
OVPN_CMD_DEL_PEER
@ OVPN_CMD_DEL_PEER
Definition ovpn_dco_win.h:165
TOP_SUBNET
#define TOP_SUBNET
Definition proto.h:43
ssl_common.h
Control Channel Common Data Structures.
context_1::tuntap
struct tuntap * tuntap
Tun/tap virtual network interface.
Definition openvpn.h:172
context_2::dco_read_bytes
counter_type dco_read_bytes
Definition openvpn.h:267
context_2::dco_write_bytes
counter_type dco_write_bytes
Definition openvpn.h:270
context_2::tls_multi
struct tls_multi * tls_multi
TLS state structure for this VPN tunnel.
Definition openvpn.h:323
context
Contains all state information for one tunnel.
Definition openvpn.h:471
context::c2
struct context_2 c2
Level 2 context.
Definition openvpn.h:514
context::c1
struct context_1 c1
Level 1 context.
Definition openvpn.h:513
event_set
Definition event.h:128
gc_arena
Garbage collection arena used to keep track of dynamically allocated memory.
Definition buffer.h:116
key
Container for unidirectional cipher and HMAC key material.
Definition crypto.h:152
multi_context
Main OpenVPN server state structure.
Definition multi.h:163
multi_context::max_clients
int max_clients
Definition multi.h:186
multi_context::instances
struct multi_instance ** instances
Array of multi_instances.
Definition multi.h:164
multi_instance
Server-mode state structure for one single VPN tunnel.
Definition multi.h:102
multi_instance::context
struct context context
The context structure storing state for this VPN tunnel.
Definition multi.h:143
tls_multi::dco_peer_id
int dco_peer_id
This is the handle that DCO uses to identify this session with the kernel.
Definition ssl_common.h:723
tuntap
Definition tun.h:183
tuntap::topology
int topology
Definition tun.h:188
tuntap::dco
dco_context_t dco
Definition tun.h:249
in_port_t
uint16_t in_port_t
Definition syshead.h:53
es
struct env_set * es
Definition test_pkcs11.c:138
gc
struct gc_arena gc
Definition test_ssl.c:131
Generated by doxygen 1.9.8