linux/drivers/net/ovpn/proto.h

/* SPDX-License-Identifier: GPL-2.0-only */
/*  OpenVPN data channel offload
 *
 *  Copyright (C) 2020-2025 OpenVPN, Inc.
 *
 *  Author:	Antonio Quartulli <antonio@openvpn.net>
 *		James Yonan <james@openvpn.net>
 */

#ifndef _NET_OVPN_PROTO_H_
#define _NET_OVPN_PROTO_H_

#include "main.h"

#include <linux/bitfield.h>
#include <linux/skbuff.h>

/* When the OpenVPN protocol is ran in AEAD mode, use
 * the OpenVPN packet ID as the AEAD nonce:
 *
 *    00000005 521c3b01 4308c041
 *    [seq # ] [  nonce_tail   ]
 *    [     12-byte full IV    ] -> OVPN_NONCE_SIZE
 *    [4-bytes                   -> OVPN_NONCE_WIRE_SIZE
 *    on wire]
 */

/* nonce size (96bits) as required by AEAD ciphers */
#define OVPN_NONCE_SIZE			12
/* last 8 bytes of AEAD nonce: provided by userspace and usually derived
 * from key material generated during TLS handshake
 */
#define OVPN_NONCE_TAIL_SIZE		8

/* OpenVPN nonce size reduced by 8-byte nonce tail -- this is the
 * size of the AEAD Associated Data (AD) sent over the wire
 * and is normally the head of the IV
 */
#define OVPN_NONCE_WIRE_SIZE (OVPN_NONCE_SIZE - OVPN_NONCE_TAIL_SIZE)

#define OVPN_OPCODE_SIZE		4 /* DATA_V2 opcode size */
#define OVPN_OPCODE_KEYID_MASK		0x07000000
#define OVPN_OPCODE_PKTTYPE_MASK	0xF8000000
#define OVPN_OPCODE_PEERID_MASK		0x00FFFFFF

/* packet opcodes of interest to us */
#define OVPN_DATA_V1			6 /* data channel v1 packet */
#define OVPN_DATA_V2			9 /* data channel v2 packet */

#define OVPN_PEER_ID_UNDEF		0x00FFFFFF

/**
 * ovpn_opcode_from_skb - extract OP code from skb at specified offset
 * @skb: the packet to extract the OP code from
 * @offset: the offset in the data buffer where the OP code is located
 *
 * Note: this function assumes that the skb head was pulled enough
 * to access the first 4 bytes.
 *
 * Return: the OP code
 */
static inline u8 ovpn_opcode_from_skb(const struct sk_buff *skb, u16 offset)
{
	u32 opcode = be32_to_cpu(*(__be32 *)(skb->data + offset));

	return FIELD_GET(OVPN_OPCODE_PKTTYPE_MASK, opcode);
}

/**
 * ovpn_peer_id_from_skb - extract peer ID from skb at specified offset
 * @skb: the packet to extract the OP code from
 * @offset: the offset in the data buffer where the OP code is located
 *
 * Note: this function assumes that the skb head was pulled enough
 * to access the first 4 bytes.
 *
 * Return: the peer ID
 */
static inline u32 ovpn_peer_id_from_skb(const struct sk_buff *skb, u16 offset)
{
	u32 opcode = be32_to_cpu(*(__be32 *)(skb->data + offset));

	return FIELD_GET(OVPN_OPCODE_PEERID_MASK, opcode);
}

/**
 * ovpn_key_id_from_skb - extract key ID from the skb head
 * @skb: the packet to extract the key ID code from
 *
 * Note: this function assumes that the skb head was pulled enough
 * to access the first 4 bytes.
 *
 * Return: the key ID
 */
static inline u8 ovpn_key_id_from_skb(const struct sk_buff *skb)
{
	u32 opcode = be32_to_cpu(*(__be32 *)skb->data);

	return FIELD_GET(OVPN_OPCODE_KEYID_MASK, opcode);
}

/**
 * ovpn_opcode_compose - combine OP code, key ID and peer ID to wire format
 * @opcode: the OP code
 * @key_id: the key ID
 * @peer_id: the peer ID
 *
 * Return: a 4 bytes integer obtained combining all input values following the
 * OpenVPN wire format. This integer can then be written to the packet header.
 */
static inline u32 ovpn_opcode_compose(u8 opcode, u8 key_id, u32 peer_id)
{
	return FIELD_PREP(OVPN_OPCODE_PKTTYPE_MASK, opcode) |
	       FIELD_PREP(OVPN_OPCODE_KEYID_MASK, key_id) |
	       FIELD_PREP(OVPN_OPCODE_PEERID_MASK, peer_id);
}

#endif /* _NET_OVPN_OVPNPROTO_H_ */