ovpn: add support for asymmetric peer IDs

In order to support the multipeer architecture, upon connection setup
each side of a tunnel advertises a unique ID that the other side must
include in packets sent to them. Therefore when transmitting a packet, a
peer inserts the recipient's advertised ID for that specific tunnel into
the peer ID field. When receiving a packet, a peer expects to find its
own unique receive ID for that specific tunnel in the peer ID field.

Add support for the TX peer ID and embed it into transmitting packets.
If no TX peer ID is specified, fallback to using the same peer ID both
for RX and TX in order to be compatible with the non-multipeer compliant
peers.

Cc: horms@kernel.org
Cc: donald.hunter@gmail.com
Signed-off-by: Ralf Lici <ralf@mandelbit.com>
Signed-off-by: Antonio Quartulli <antonio@openvpn.net>
Reviewed-by: Sabrina Dubroca <sd@queasysnail.net>

diff --git a/Documentation/netlink/specs/ovpn.yaml b/Documentation/netlink/specs/ovpn.yaml
index 0d0c028bf96f893849db950f7d1a120126947593..b0c782e59a32baa96b31bb5f7631d5f98c5d83f5 100644 (file)
--- a/Documentation/netlink/specs/ovpn.yaml
+++ b/Documentation/netlink/specs/ovpn.yaml
@@ -43,7 +43,8 @@ attribute-sets:
         type: u32
         doc: >-
           The unique ID of the peer in the device context. To be used to
-          identify peers during operations for a specific device
+          identify peers during operations for a specific device.
+          Also used to match packets received from this peer.
         checks:
           max: 0xFFFFFF
       -
@@ -160,6 +161,16 @@ attribute-sets:
         name: link-tx-packets
         type: uint
         doc: Number of packets transmitted at the transport level
+      -
+        name: tx-id
+        type: u32
+        doc: >-
+          The ID value used when transmitting packets to this peer. This
+          way outgoing packets can have a different ID than incoming ones.
+          Useful in multipeer-to-multipeer connections, where each peer
+          will advertise the tx-id to be used on the link.
+        checks:
+          max: 0xFFFFFF
   -
     name: peer-new-input
     subset-of: peer
@@ -188,6 +199,8 @@ attribute-sets:
         name: keepalive-interval
       -
         name: keepalive-timeout
+      -
+        name: tx-id
   -
     name: peer-set-input
     subset-of: peer
@@ -214,6 +227,8 @@ attribute-sets:
         name: keepalive-interval
       -
         name: keepalive-timeout
+      -
+        name: tx-id
   -
     name: peer-del-input
     subset-of: peer

diff --git a/drivers/net/ovpn/crypto_aead.c b/drivers/net/ovpn/crypto_aead.c
index 77be0942a2691391e84065f2b965ac74993d706f..59848c41b7b20d86c28dab5fb21944f4bf48245b 100644 (file)
--- a/drivers/net/ovpn/crypto_aead.c
+++ b/drivers/net/ovpn/crypto_aead.c
@@ -122,7 +122,7 @@ int ovpn_aead_encrypt(struct ovpn_peer *peer, struct ovpn_crypto_key_slot *ks,
        memcpy(skb->data, iv, OVPN_NONCE_WIRE_SIZE);
 
        /* add packet op as head of additional data */
-       op = ovpn_opcode_compose(OVPN_DATA_V2, ks->key_id, peer->id);
+       op = ovpn_opcode_compose(OVPN_DATA_V2, ks->key_id, peer->tx_id);
        __skb_push(skb, OVPN_OPCODE_SIZE);
        BUILD_BUG_ON(sizeof(op) != OVPN_OPCODE_SIZE);
        *((__force __be32 *)skb->data) = htonl(op);

diff --git a/drivers/net/ovpn/netlink-gen.c b/drivers/net/ovpn/netlink-gen.c
index ecbe9dcf4f7de6548003291b7f07d3f51eb525c4..2147cec7c2c524086473cca4f385ef61ebef94b9 100644 (file)
--- a/drivers/net/ovpn/netlink-gen.c
+++ b/drivers/net/ovpn/netlink-gen.c
@@ -16,6 +16,10 @@ static const struct netlink_range_validation ovpn_a_peer_id_range = {
        .max    = 16777215ULL,
 };
 
+static const struct netlink_range_validation ovpn_a_peer_tx_id_range = {
+       .max    = 16777215ULL,
+};
+
 static const struct netlink_range_validation ovpn_a_keyconf_peer_id_range = {
        .max    = 16777215ULL,
 };
@@ -51,7 +55,7 @@ const struct nla_policy ovpn_keydir_nl_policy[OVPN_A_KEYDIR_NONCE_TAIL + 1] = {
        [OVPN_A_KEYDIR_NONCE_TAIL] = NLA_POLICY_EXACT_LEN(OVPN_NONCE_TAIL_SIZE),
 };
 
-const struct nla_policy ovpn_peer_nl_policy[OVPN_A_PEER_LINK_TX_PACKETS + 1] = {
+const struct nla_policy ovpn_peer_nl_policy[OVPN_A_PEER_TX_ID + 1] = {
        [OVPN_A_PEER_ID] = NLA_POLICY_FULL_RANGE(NLA_U32, &ovpn_a_peer_id_range),
        [OVPN_A_PEER_REMOTE_IPV4] = { .type = NLA_BE32, },
        [OVPN_A_PEER_REMOTE_IPV6] = NLA_POLICY_EXACT_LEN(16),
@@ -75,13 +79,14 @@ const struct nla_policy ovpn_peer_nl_policy[OVPN_A_PEER_LINK_TX_PACKETS + 1] = {
        [OVPN_A_PEER_LINK_TX_BYTES] = { .type = NLA_UINT, },
        [OVPN_A_PEER_LINK_RX_PACKETS] = { .type = NLA_UINT, },
        [OVPN_A_PEER_LINK_TX_PACKETS] = { .type = NLA_UINT, },
+       [OVPN_A_PEER_TX_ID] = NLA_POLICY_FULL_RANGE(NLA_U32, &ovpn_a_peer_tx_id_range),
 };
 
 const struct nla_policy ovpn_peer_del_input_nl_policy[OVPN_A_PEER_ID + 1] = {
        [OVPN_A_PEER_ID] = NLA_POLICY_FULL_RANGE(NLA_U32, &ovpn_a_peer_id_range),
 };
 
-const struct nla_policy ovpn_peer_new_input_nl_policy[OVPN_A_PEER_KEEPALIVE_TIMEOUT + 1] = {
+const struct nla_policy ovpn_peer_new_input_nl_policy[OVPN_A_PEER_TX_ID + 1] = {
        [OVPN_A_PEER_ID] = NLA_POLICY_FULL_RANGE(NLA_U32, &ovpn_a_peer_id_range),
        [OVPN_A_PEER_REMOTE_IPV4] = { .type = NLA_BE32, },
        [OVPN_A_PEER_REMOTE_IPV6] = NLA_POLICY_EXACT_LEN(16),
@@ -94,9 +99,10 @@ const struct nla_policy ovpn_peer_new_input_nl_policy[OVPN_A_PEER_KEEPALIVE_TIME
        [OVPN_A_PEER_LOCAL_IPV6] = NLA_POLICY_EXACT_LEN(16),
        [OVPN_A_PEER_KEEPALIVE_INTERVAL] = { .type = NLA_U32, },
        [OVPN_A_PEER_KEEPALIVE_TIMEOUT] = { .type = NLA_U32, },
+       [OVPN_A_PEER_TX_ID] = NLA_POLICY_FULL_RANGE(NLA_U32, &ovpn_a_peer_tx_id_range),
 };
 
-const struct nla_policy ovpn_peer_set_input_nl_policy[OVPN_A_PEER_KEEPALIVE_TIMEOUT + 1] = {
+const struct nla_policy ovpn_peer_set_input_nl_policy[OVPN_A_PEER_TX_ID + 1] = {
        [OVPN_A_PEER_ID] = NLA_POLICY_FULL_RANGE(NLA_U32, &ovpn_a_peer_id_range),
        [OVPN_A_PEER_REMOTE_IPV4] = { .type = NLA_BE32, },
        [OVPN_A_PEER_REMOTE_IPV6] = NLA_POLICY_EXACT_LEN(16),
@@ -108,6 +114,7 @@ const struct nla_policy ovpn_peer_set_input_nl_policy[OVPN_A_PEER_KEEPALIVE_TIME
        [OVPN_A_PEER_LOCAL_IPV6] = NLA_POLICY_EXACT_LEN(16),
        [OVPN_A_PEER_KEEPALIVE_INTERVAL] = { .type = NLA_U32, },
        [OVPN_A_PEER_KEEPALIVE_TIMEOUT] = { .type = NLA_U32, },
+       [OVPN_A_PEER_TX_ID] = NLA_POLICY_FULL_RANGE(NLA_U32, &ovpn_a_peer_tx_id_range),
 };
 
 /* OVPN_CMD_PEER_NEW - do */

diff --git a/drivers/net/ovpn/netlink-gen.h b/drivers/net/ovpn/netlink-gen.h
index b2301580770fd0e86004fe71b6d9c9583f3ec8f7..67cd85f86173fb8a3bc80eb6d8aefa5a0e3ec59f 100644 (file)
--- a/drivers/net/ovpn/netlink-gen.h
+++ b/drivers/net/ovpn/netlink-gen.h
@@ -18,10 +18,10 @@ extern const struct nla_policy ovpn_keyconf_del_input_nl_policy[OVPN_A_KEYCONF_S
 extern const struct nla_policy ovpn_keyconf_get_nl_policy[OVPN_A_KEYCONF_CIPHER_ALG + 1];
 extern const struct nla_policy ovpn_keyconf_swap_input_nl_policy[OVPN_A_KEYCONF_PEER_ID + 1];
 extern const struct nla_policy ovpn_keydir_nl_policy[OVPN_A_KEYDIR_NONCE_TAIL + 1];
-extern const struct nla_policy ovpn_peer_nl_policy[OVPN_A_PEER_LINK_TX_PACKETS + 1];
+extern const struct nla_policy ovpn_peer_nl_policy[OVPN_A_PEER_TX_ID + 1];
 extern const struct nla_policy ovpn_peer_del_input_nl_policy[OVPN_A_PEER_ID + 1];
-extern const struct nla_policy ovpn_peer_new_input_nl_policy[OVPN_A_PEER_KEEPALIVE_TIMEOUT + 1];
-extern const struct nla_policy ovpn_peer_set_input_nl_policy[OVPN_A_PEER_KEEPALIVE_TIMEOUT + 1];
+extern const struct nla_policy ovpn_peer_new_input_nl_policy[OVPN_A_PEER_TX_ID + 1];
+extern const struct nla_policy ovpn_peer_set_input_nl_policy[OVPN_A_PEER_TX_ID + 1];
 
 int ovpn_nl_pre_doit(const struct genl_split_ops *ops, struct sk_buff *skb,
                     struct genl_info *info);

diff --git a/drivers/net/ovpn/netlink.c b/drivers/net/ovpn/netlink.c
index e10d7f9a28f50ac17f1413312a509ab1c64460d0..291e2e5bb450dbc20df04659c21b29ac231e7e4c 100644 (file)
--- a/drivers/net/ovpn/netlink.c
+++ b/drivers/net/ovpn/netlink.c
@@ -305,6 +305,12 @@ static int ovpn_nl_peer_modify(struct ovpn_peer *peer, struct genl_info *info,
                dst_cache_reset(&peer->dst_cache);
        }
 
+       /* In a multipeer-to-multipeer setup we may have asymmetric peer IDs,
+        * that is peer->id might be different from peer->tx_id.
+        */
+       if (attrs[OVPN_A_PEER_TX_ID])
+               peer->tx_id = nla_get_u32(attrs[OVPN_A_PEER_TX_ID]);
+
        if (attrs[OVPN_A_PEER_VPN_IPV4]) {
                rehash = true;
                peer->vpn_addrs.ipv4.s_addr =
@@ -326,8 +332,8 @@ static int ovpn_nl_peer_modify(struct ovpn_peer *peer, struct genl_info *info,
        }
 
        netdev_dbg(peer->ovpn->dev,
-                  "modify peer id=%u endpoint=%pIScp VPN-IPv4=%pI4 VPN-IPv6=%pI6c\n",
-                  peer->id, &ss,
+                  "modify peer id=%u tx_id=%u endpoint=%pIScp VPN-IPv4=%pI4 VPN-IPv6=%pI6c\n",
+                  peer->id, peer->tx_id, &ss,
                   &peer->vpn_addrs.ipv4.s_addr, &peer->vpn_addrs.ipv6);
 
        spin_unlock_bh(&peer->lock);
@@ -373,6 +379,7 @@ int ovpn_nl_peer_new_doit(struct sk_buff *skb, struct genl_info *info)
        }
 
        peer_id = nla_get_u32(attrs[OVPN_A_PEER_ID]);
+
        peer = ovpn_peer_new(ovpn, peer_id);
        if (IS_ERR(peer)) {
                NL_SET_ERR_MSG_FMT_MOD(info->extack,
@@ -572,6 +579,9 @@ static int ovpn_nl_send_peer(struct sk_buff *skb, const struct genl_info *info,
        if (nla_put_u32(skb, OVPN_A_PEER_ID, peer->id))
                goto err;
 
+       if (nla_put_u32(skb, OVPN_A_PEER_TX_ID, peer->tx_id))
+               goto err;
+
        if (peer->vpn_addrs.ipv4.s_addr != htonl(INADDR_ANY))
                if (nla_put_in_addr(skb, OVPN_A_PEER_VPN_IPV4,
                                    peer->vpn_addrs.ipv4.s_addr))

diff --git a/drivers/net/ovpn/peer.c b/drivers/net/ovpn/peer.c
index 4e145b4497e6658cdfb71c55dca11d447982a03e..26b55d813f0ee031cd08985fddc9af4ba4823a97 100644 (file)
--- a/drivers/net/ovpn/peer.c
+++ b/drivers/net/ovpn/peer.c
@@ -99,7 +99,11 @@ struct ovpn_peer *ovpn_peer_new(struct ovpn_priv *ovpn, u32 id)
        if (!peer)
                return ERR_PTR(-ENOMEM);
 
+       /* in the default case TX and RX IDs are the same.
+        * the user may set a different TX ID via netlink
+        */
        peer->id = id;
+       peer->tx_id = id;
        peer->ovpn = ovpn;
 
        peer->vpn_addrs.ipv4.s_addr = htonl(INADDR_ANY);

diff --git a/drivers/net/ovpn/peer.h b/drivers/net/ovpn/peer.h
index a1423f2b09e066d9c2392685d3765a2ec29a82ba..328401570cba838631058cfec3129927816ef4ca 100644 (file)
--- a/drivers/net/ovpn/peer.h
+++ b/drivers/net/ovpn/peer.h
@@ -21,7 +21,8 @@
  * struct ovpn_peer - the main remote peer object
  * @ovpn: main openvpn instance this peer belongs to
  * @dev_tracker: reference tracker for associated dev
- * @id: unique identifier
+ * @id: unique identifier, used to match incoming packets
+ * @tx_id: identifier to be used in TX packets
  * @vpn_addrs: IP addresses assigned over the tunnel
  * @vpn_addrs.ipv4: IPv4 assigned to peer on the tunnel
  * @vpn_addrs.ipv6: IPv6 assigned to peer on the tunnel
@@ -64,6 +65,7 @@ struct ovpn_peer {
        struct ovpn_priv *ovpn;
        netdevice_tracker dev_tracker;
        u32 id;
+       u32 tx_id;
        struct {
                struct in_addr ipv4;
                struct in6_addr ipv6;

diff --git a/include/uapi/linux/ovpn.h b/include/uapi/linux/ovpn.h
index 0cce0d58b830288cd5e32d2e1cfa3d4f76277041..06690090a1a956f56666488c91140fd266bf5c2b 100644 (file)
--- a/include/uapi/linux/ovpn.h
+++ b/include/uapi/linux/ovpn.h
@@ -55,6 +55,7 @@ enum {
        OVPN_A_PEER_LINK_TX_BYTES,
        OVPN_A_PEER_LINK_RX_PACKETS,
        OVPN_A_PEER_LINK_TX_PACKETS,
+       OVPN_A_PEER_TX_ID,
 
        __OVPN_A_PEER_MAX,
        OVPN_A_PEER_MAX = (__OVPN_A_PEER_MAX - 1)