NetBSD/sys/net/if_wg.c

5066 lines
131 KiB
C
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

/* $NetBSD: if_wg.c,v 1.76 2023/04/11 14:03:46 jakllsch Exp $ */
/*
* Copyright (C) Ryota Ozaki <ozaki.ryota@gmail.com>
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. Neither the name of the project nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
/*
* This network interface aims to implement the WireGuard protocol.
* The implementation is based on the paper of WireGuard as of
* 2018-06-30 [1]. The paper is referred in the source code with label
* [W]. Also the specification of the Noise protocol framework as of
* 2018-07-11 [2] is referred with label [N].
*
* [1] https://www.wireguard.com/papers/wireguard.pdf
* [2] http://noiseprotocol.org/noise.pdf
*/
#include <sys/cdefs.h>
__KERNEL_RCSID(0, "$NetBSD: if_wg.c,v 1.76 2023/04/11 14:03:46 jakllsch Exp $");
#ifdef _KERNEL_OPT
#include "opt_altq_enabled.h"
#include "opt_inet.h"
#endif
#include <sys/param.h>
#include <sys/types.h>
#include <sys/atomic.h>
#include <sys/callout.h>
#include <sys/cprng.h>
#include <sys/cpu.h>
#include <sys/device.h>
#include <sys/domain.h>
#include <sys/errno.h>
#include <sys/intr.h>
#include <sys/ioctl.h>
#include <sys/kernel.h>
#include <sys/kmem.h>
#include <sys/mbuf.h>
#include <sys/module.h>
#include <sys/mutex.h>
#include <sys/once.h>
#include <sys/percpu.h>
#include <sys/pserialize.h>
#include <sys/psref.h>
#include <sys/queue.h>
#include <sys/rwlock.h>
#include <sys/socket.h>
#include <sys/socketvar.h>
#include <sys/sockio.h>
#include <sys/sysctl.h>
#include <sys/syslog.h>
#include <sys/systm.h>
#include <sys/thmap.h>
#include <sys/threadpool.h>
#include <sys/time.h>
#include <sys/timespec.h>
#include <sys/workqueue.h>
#include <net/bpf.h>
#include <net/if.h>
#include <net/if_types.h>
#include <net/if_wg.h>
#include <net/pktqueue.h>
#include <net/route.h>
#include <netinet/in.h>
#include <netinet/in_pcb.h>
#include <netinet/in_var.h>
#include <netinet/ip.h>
#include <netinet/ip_var.h>
#include <netinet/udp.h>
#include <netinet/udp_var.h>
#ifdef INET6
#include <netinet/ip6.h>
#include <netinet6/in6_pcb.h>
#include <netinet6/in6_var.h>
#include <netinet6/ip6_var.h>
#include <netinet6/udp6_var.h>
#endif /* INET6 */
#include <prop/proplib.h>
#include <crypto/blake2/blake2s.h>
#include <crypto/sodium/crypto_aead_chacha20poly1305.h>
#include <crypto/sodium/crypto_aead_xchacha20poly1305.h>
#include <crypto/sodium/crypto_scalarmult.h>
#include "ioconf.h"
#ifdef WG_RUMPKERNEL
#include "wg_user.h"
#endif
/*
* Data structures
* - struct wg_softc is an instance of wg interfaces
* - It has a list of peers (struct wg_peer)
* - It has a threadpool job that sends/receives handshake messages and
* runs event handlers
* - It has its own two routing tables: one is for IPv4 and the other IPv6
* - struct wg_peer is a representative of a peer
* - It has a struct work to handle handshakes and timer tasks
* - It has a pair of session instances (struct wg_session)
* - It has a pair of endpoint instances (struct wg_sockaddr)
* - Normally one endpoint is used and the second one is used only on
* a peer migration (a change of peer's IP address)
* - It has a list of IP addresses and sub networks called allowedips
* (struct wg_allowedip)
* - A packets sent over a session is allowed if its destination matches
* any IP addresses or sub networks of the list
* - struct wg_session represents a session of a secure tunnel with a peer
* - Two instances of sessions belong to a peer; a stable session and a
* unstable session
* - A handshake process of a session always starts with a unstable instance
* - Once a session is established, its instance becomes stable and the
* other becomes unstable instead
* - Data messages are always sent via a stable session
*
* Locking notes:
* - Each wg has a mutex(9) wg_lock, and a rwlock(9) wg_rwlock
* - Changes to the peer list are serialized by wg_lock
* - The peer list may be read with pserialize(9) and psref(9)
* - The rwlock (wg_rwlock) protects the routing tables (wg_rtable_ipv[46])
* => XXX replace by pserialize when routing table is psz-safe
* - Each peer (struct wg_peer, wgp) has a mutex wgp_lock, which can be taken
* only in thread context and serializes:
* - the stable and unstable session pointers
* - all unstable session state
* - Packet processing may be done in softint context:
* - The stable session can be read under pserialize(9) or psref(9)
* - The stable session is always ESTABLISHED
* - On a session swap, we must wait for all readers to release a
* reference to a stable session before changing wgs_state and
* session states
* - Lock order: wg_lock -> wgp_lock
*/
#define WGLOG(level, fmt, args...) \
log(level, "%s: " fmt, __func__, ##args)
/* Debug options */
#ifdef WG_DEBUG
/* Output debug logs */
#ifndef WG_DEBUG_LOG
#define WG_DEBUG_LOG
#endif
/* Output trace logs */
#ifndef WG_DEBUG_TRACE
#define WG_DEBUG_TRACE
#endif
/* Output hash values, etc. */
#ifndef WG_DEBUG_DUMP
#define WG_DEBUG_DUMP
#endif
/* Make some internal parameters configurable for testing and debugging */
#ifndef WG_DEBUG_PARAMS
#define WG_DEBUG_PARAMS
#endif
#endif
#ifdef WG_DEBUG_TRACE
#define WG_TRACE(msg) \
log(LOG_DEBUG, "%s:%d: %s\n", __func__, __LINE__, (msg))
#else
#define WG_TRACE(msg) __nothing
#endif
#ifdef WG_DEBUG_LOG
#define WG_DLOG(fmt, args...) log(LOG_DEBUG, "%s: " fmt, __func__, ##args)
#else
#define WG_DLOG(fmt, args...) __nothing
#endif
#define WG_LOG_RATECHECK(wgprc, level, fmt, args...) do { \
if (ppsratecheck(&(wgprc)->wgprc_lasttime, \
&(wgprc)->wgprc_curpps, 1)) { \
log(level, fmt, ##args); \
} \
} while (0)
#ifdef WG_DEBUG_PARAMS
static bool wg_force_underload = false;
#endif
#ifdef WG_DEBUG_DUMP
static char *
gethexdump(const char *p, size_t n)
{
char *buf;
size_t i;
if (n > SIZE_MAX/3 - 1)
return NULL;
buf = kmem_alloc(3*n + 1, KM_NOSLEEP);
if (buf == NULL)
return NULL;
for (i = 0; i < n; i++)
snprintf(buf + 3*i, 3 + 1, " %02hhx", p[i]);
return buf;
}
static void
puthexdump(char *buf, const void *p, size_t n)
{
if (buf == NULL)
return;
kmem_free(buf, 3*n + 1);
}
#ifdef WG_RUMPKERNEL
static void
wg_dump_buf(const char *func, const char *buf, const size_t size)
{
char *hex = gethexdump(buf, size);
log(LOG_DEBUG, "%s: %s\n", func, hex ? hex : "(enomem)");
puthexdump(hex, buf, size);
}
#endif
static void
wg_dump_hash(const uint8_t *func, const uint8_t *name, const uint8_t *hash,
const size_t size)
{
char *hex = gethexdump(hash, size);
log(LOG_DEBUG, "%s: %s: %s\n", func, name, hex ? hex : "(enomem)");
puthexdump(hex, hash, size);
}
#define WG_DUMP_HASH(name, hash) \
wg_dump_hash(__func__, name, hash, WG_HASH_LEN)
#define WG_DUMP_HASH48(name, hash) \
wg_dump_hash(__func__, name, hash, 48)
#define WG_DUMP_BUF(buf, size) \
wg_dump_buf(__func__, buf, size)
#else
#define WG_DUMP_HASH(name, hash) __nothing
#define WG_DUMP_HASH48(name, hash) __nothing
#define WG_DUMP_BUF(buf, size) __nothing
#endif /* WG_DEBUG_DUMP */
/* chosen somewhat arbitrarily -- fits in signed 16 bits NUL-terminated */
#define WG_MAX_PROPLEN 32766
#define WG_MTU 1420
#define WG_ALLOWEDIPS 16
#define CURVE25519_KEY_LEN 32
#define TAI64N_LEN sizeof(uint32_t) * 3
#define POLY1305_AUTHTAG_LEN 16
#define HMAC_BLOCK_LEN 64
/* [N] 4.1: "DHLEN must be 32 or greater." WireGuard chooses 32. */
/* [N] 4.3: Hash functions */
#define NOISE_DHLEN 32
/* [N] 4.3: "Must be 32 or 64." WireGuard chooses 32. */
#define NOISE_HASHLEN 32
#define NOISE_BLOCKLEN 64
#define NOISE_HKDF_OUTPUT_LEN NOISE_HASHLEN
/* [N] 5.1: "k" */
#define NOISE_CIPHER_KEY_LEN 32
/*
* [N] 9.2: "psk"
* "... psk is a 32-byte secret value provided by the application."
*/
#define NOISE_PRESHARED_KEY_LEN 32
#define WG_STATIC_KEY_LEN CURVE25519_KEY_LEN
#define WG_TIMESTAMP_LEN TAI64N_LEN
#define WG_PRESHARED_KEY_LEN NOISE_PRESHARED_KEY_LEN
#define WG_COOKIE_LEN 16
#define WG_MAC_LEN 16
#define WG_RANDVAL_LEN 24
#define WG_EPHEMERAL_KEY_LEN CURVE25519_KEY_LEN
/* [N] 5.2: "ck: A chaining key of HASHLEN bytes" */
#define WG_CHAINING_KEY_LEN NOISE_HASHLEN
/* [N] 5.2: "h: A hash output of HASHLEN bytes" */
#define WG_HASH_LEN NOISE_HASHLEN
#define WG_CIPHER_KEY_LEN NOISE_CIPHER_KEY_LEN
#define WG_DH_OUTPUT_LEN NOISE_DHLEN
#define WG_KDF_OUTPUT_LEN NOISE_HKDF_OUTPUT_LEN
#define WG_AUTHTAG_LEN POLY1305_AUTHTAG_LEN
#define WG_DATA_KEY_LEN 32
#define WG_SALT_LEN 24
/*
* The protocol messages
*/
struct wg_msg {
uint32_t wgm_type;
} __packed;
/* [W] 5.4.2 First Message: Initiator to Responder */
struct wg_msg_init {
uint32_t wgmi_type;
uint32_t wgmi_sender;
uint8_t wgmi_ephemeral[WG_EPHEMERAL_KEY_LEN];
uint8_t wgmi_static[WG_STATIC_KEY_LEN + WG_AUTHTAG_LEN];
uint8_t wgmi_timestamp[WG_TIMESTAMP_LEN + WG_AUTHTAG_LEN];
uint8_t wgmi_mac1[WG_MAC_LEN];
uint8_t wgmi_mac2[WG_MAC_LEN];
} __packed;
/* [W] 5.4.3 Second Message: Responder to Initiator */
struct wg_msg_resp {
uint32_t wgmr_type;
uint32_t wgmr_sender;
uint32_t wgmr_receiver;
uint8_t wgmr_ephemeral[WG_EPHEMERAL_KEY_LEN];
uint8_t wgmr_empty[0 + WG_AUTHTAG_LEN];
uint8_t wgmr_mac1[WG_MAC_LEN];
uint8_t wgmr_mac2[WG_MAC_LEN];
} __packed;
/* [W] 5.4.6 Subsequent Messages: Transport Data Messages */
struct wg_msg_data {
uint32_t wgmd_type;
uint32_t wgmd_receiver;
uint64_t wgmd_counter;
uint32_t wgmd_packet[0];
} __packed;
/* [W] 5.4.7 Under Load: Cookie Reply Message */
struct wg_msg_cookie {
uint32_t wgmc_type;
uint32_t wgmc_receiver;
uint8_t wgmc_salt[WG_SALT_LEN];
uint8_t wgmc_cookie[WG_COOKIE_LEN + WG_AUTHTAG_LEN];
} __packed;
#define WG_MSG_TYPE_INIT 1
#define WG_MSG_TYPE_RESP 2
#define WG_MSG_TYPE_COOKIE 3
#define WG_MSG_TYPE_DATA 4
#define WG_MSG_TYPE_MAX WG_MSG_TYPE_DATA
/* Sliding windows */
#define SLIWIN_BITS 2048u
#define SLIWIN_TYPE uint32_t
#define SLIWIN_BPW NBBY*sizeof(SLIWIN_TYPE)
#define SLIWIN_WORDS howmany(SLIWIN_BITS, SLIWIN_BPW)
#define SLIWIN_NPKT (SLIWIN_BITS - NBBY*sizeof(SLIWIN_TYPE))
struct sliwin {
SLIWIN_TYPE B[SLIWIN_WORDS];
uint64_t T;
};
static void
sliwin_reset(struct sliwin *W)
{
memset(W, 0, sizeof(*W));
}
static int
sliwin_check_fast(const volatile struct sliwin *W, uint64_t S)
{
/*
* If it's more than one window older than the highest sequence
* number we've seen, reject.
*/
#ifdef __HAVE_ATOMIC64_LOADSTORE
if (S + SLIWIN_NPKT < atomic_load_relaxed(&W->T))
return EAUTH;
#endif
/*
* Otherwise, we need to take the lock to decide, so don't
* reject just yet. Caller must serialize a call to
* sliwin_update in this case.
*/
return 0;
}
static int
sliwin_update(struct sliwin *W, uint64_t S)
{
unsigned word, bit;
/*
* If it's more than one window older than the highest sequence
* number we've seen, reject.
*/
if (S + SLIWIN_NPKT < W->T)
return EAUTH;
/*
* If it's higher than the highest sequence number we've seen,
* advance the window.
*/
if (S > W->T) {
uint64_t i = W->T / SLIWIN_BPW;
uint64_t j = S / SLIWIN_BPW;
unsigned k;
for (k = 0; k < MIN(j - i, SLIWIN_WORDS); k++)
W->B[(i + k + 1) % SLIWIN_WORDS] = 0;
#ifdef __HAVE_ATOMIC64_LOADSTORE
atomic_store_relaxed(&W->T, S);
#else
W->T = S;
#endif
}
/* Test and set the bit -- if already set, reject. */
word = (S / SLIWIN_BPW) % SLIWIN_WORDS;
bit = S % SLIWIN_BPW;
if (W->B[word] & (1UL << bit))
return EAUTH;
W->B[word] |= 1U << bit;
/* Accept! */
return 0;
}
struct wg_session {
struct wg_peer *wgs_peer;
struct psref_target
wgs_psref;
int wgs_state;
#define WGS_STATE_UNKNOWN 0
#define WGS_STATE_INIT_ACTIVE 1
#define WGS_STATE_INIT_PASSIVE 2
#define WGS_STATE_ESTABLISHED 3
#define WGS_STATE_DESTROYING 4
time_t wgs_time_established;
time_t wgs_time_last_data_sent;
bool wgs_is_initiator;
uint32_t wgs_local_index;
uint32_t wgs_remote_index;
#ifdef __HAVE_ATOMIC64_LOADSTORE
volatile uint64_t
wgs_send_counter;
#else
kmutex_t wgs_send_counter_lock;
uint64_t wgs_send_counter;
#endif
struct {
kmutex_t lock;
struct sliwin window;
} *wgs_recvwin;
uint8_t wgs_handshake_hash[WG_HASH_LEN];
uint8_t wgs_chaining_key[WG_CHAINING_KEY_LEN];
uint8_t wgs_ephemeral_key_pub[WG_EPHEMERAL_KEY_LEN];
uint8_t wgs_ephemeral_key_priv[WG_EPHEMERAL_KEY_LEN];
uint8_t wgs_ephemeral_key_peer[WG_EPHEMERAL_KEY_LEN];
uint8_t wgs_tkey_send[WG_DATA_KEY_LEN];
uint8_t wgs_tkey_recv[WG_DATA_KEY_LEN];
};
struct wg_sockaddr {
union {
struct sockaddr_storage _ss;
struct sockaddr _sa;
struct sockaddr_in _sin;
struct sockaddr_in6 _sin6;
};
struct psref_target wgsa_psref;
};
#define wgsatoss(wgsa) (&(wgsa)->_ss)
#define wgsatosa(wgsa) (&(wgsa)->_sa)
#define wgsatosin(wgsa) (&(wgsa)->_sin)
#define wgsatosin6(wgsa) (&(wgsa)->_sin6)
#define wgsa_family(wgsa) (wgsatosa(wgsa)->sa_family)
struct wg_peer;
struct wg_allowedip {
struct radix_node wga_nodes[2];
struct wg_sockaddr _wga_sa_addr;
struct wg_sockaddr _wga_sa_mask;
#define wga_sa_addr _wga_sa_addr._sa
#define wga_sa_mask _wga_sa_mask._sa
int wga_family;
uint8_t wga_cidr;
union {
struct in_addr _ip4;
struct in6_addr _ip6;
} wga_addr;
#define wga_addr4 wga_addr._ip4
#define wga_addr6 wga_addr._ip6
struct wg_peer *wga_peer;
};
typedef uint8_t wg_timestamp_t[WG_TIMESTAMP_LEN];
struct wg_ppsratecheck {
struct timeval wgprc_lasttime;
int wgprc_curpps;
};
struct wg_softc;
struct wg_peer {
struct wg_softc *wgp_sc;
char wgp_name[WG_PEER_NAME_MAXLEN + 1];
struct pslist_entry wgp_peerlist_entry;
pserialize_t wgp_psz;
struct psref_target wgp_psref;
kmutex_t *wgp_lock;
kmutex_t *wgp_intr_lock;
uint8_t wgp_pubkey[WG_STATIC_KEY_LEN];
struct wg_sockaddr *wgp_endpoint;
struct wg_sockaddr *wgp_endpoint0;
volatile unsigned wgp_endpoint_changing;
bool wgp_endpoint_available;
/* The preshared key (optional) */
uint8_t wgp_psk[WG_PRESHARED_KEY_LEN];
struct wg_session *wgp_session_stable;
struct wg_session *wgp_session_unstable;
/* first outgoing packet awaiting session initiation */
struct mbuf *wgp_pending;
/* timestamp in big-endian */
wg_timestamp_t wgp_timestamp_latest_init;
struct timespec wgp_last_handshake_time;
callout_t wgp_rekey_timer;
callout_t wgp_handshake_timeout_timer;
callout_t wgp_session_dtor_timer;
time_t wgp_handshake_start_time;
int wgp_n_allowedips;
struct wg_allowedip wgp_allowedips[WG_ALLOWEDIPS];
time_t wgp_latest_cookie_time;
uint8_t wgp_latest_cookie[WG_COOKIE_LEN];
uint8_t wgp_last_sent_mac1[WG_MAC_LEN];
bool wgp_last_sent_mac1_valid;
uint8_t wgp_last_sent_cookie[WG_COOKIE_LEN];
bool wgp_last_sent_cookie_valid;
time_t wgp_last_msg_received_time[WG_MSG_TYPE_MAX];
time_t wgp_last_genrandval_time;
uint32_t wgp_randval;
struct wg_ppsratecheck wgp_ppsratecheck;
struct work wgp_work;
unsigned int wgp_tasks;
#define WGP_TASK_SEND_INIT_MESSAGE __BIT(0)
#define WGP_TASK_RETRY_HANDSHAKE __BIT(1)
#define WGP_TASK_ESTABLISH_SESSION __BIT(2)
#define WGP_TASK_ENDPOINT_CHANGED __BIT(3)
#define WGP_TASK_SEND_KEEPALIVE_MESSAGE __BIT(4)
#define WGP_TASK_DESTROY_PREV_SESSION __BIT(5)
};
struct wg_ops;
struct wg_softc {
struct ifnet wg_if;
LIST_ENTRY(wg_softc) wg_list;
kmutex_t *wg_lock;
kmutex_t *wg_intr_lock;
krwlock_t *wg_rwlock;
uint8_t wg_privkey[WG_STATIC_KEY_LEN];
uint8_t wg_pubkey[WG_STATIC_KEY_LEN];
int wg_npeers;
struct pslist_head wg_peers;
struct thmap *wg_peers_bypubkey;
struct thmap *wg_peers_byname;
struct thmap *wg_sessions_byindex;
uint16_t wg_listen_port;
struct threadpool *wg_threadpool;
struct threadpool_job wg_job;
int wg_upcalls;
#define WG_UPCALL_INET __BIT(0)
#define WG_UPCALL_INET6 __BIT(1)
#ifdef INET
struct socket *wg_so4;
struct radix_node_head *wg_rtable_ipv4;
#endif
#ifdef INET6
struct socket *wg_so6;
struct radix_node_head *wg_rtable_ipv6;
#endif
struct wg_ppsratecheck wg_ppsratecheck;
struct wg_ops *wg_ops;
#ifdef WG_RUMPKERNEL
struct wg_user *wg_user;
#endif
};
/* [W] 6.1 Preliminaries */
#define WG_REKEY_AFTER_MESSAGES (1ULL << 60)
#define WG_REJECT_AFTER_MESSAGES (UINT64_MAX - (1 << 13))
#define WG_REKEY_AFTER_TIME 120
#define WG_REJECT_AFTER_TIME 180
#define WG_REKEY_ATTEMPT_TIME 90
#define WG_REKEY_TIMEOUT 5
#define WG_KEEPALIVE_TIMEOUT 10
#define WG_COOKIE_TIME 120
#define WG_RANDVAL_TIME (2 * 60)
static uint64_t wg_rekey_after_messages = WG_REKEY_AFTER_MESSAGES;
static uint64_t wg_reject_after_messages = WG_REJECT_AFTER_MESSAGES;
static unsigned wg_rekey_after_time = WG_REKEY_AFTER_TIME;
static unsigned wg_reject_after_time = WG_REJECT_AFTER_TIME;
static unsigned wg_rekey_attempt_time = WG_REKEY_ATTEMPT_TIME;
static unsigned wg_rekey_timeout = WG_REKEY_TIMEOUT;
static unsigned wg_keepalive_timeout = WG_KEEPALIVE_TIMEOUT;
static struct mbuf *
wg_get_mbuf(size_t, size_t);
static int wg_send_data_msg(struct wg_peer *, struct wg_session *,
struct mbuf *);
static int wg_send_cookie_msg(struct wg_softc *, struct wg_peer *,
const uint32_t, const uint8_t [], const struct sockaddr *);
static int wg_send_handshake_msg_resp(struct wg_softc *, struct wg_peer *,
struct wg_session *, const struct wg_msg_init *);
static void wg_send_keepalive_msg(struct wg_peer *, struct wg_session *);
static struct wg_peer *
wg_pick_peer_by_sa(struct wg_softc *, const struct sockaddr *,
struct psref *);
static struct wg_peer *
wg_lookup_peer_by_pubkey(struct wg_softc *,
const uint8_t [], struct psref *);
static struct wg_session *
wg_lookup_session_by_index(struct wg_softc *,
const uint32_t, struct psref *);
static void wg_update_endpoint_if_necessary(struct wg_peer *,
const struct sockaddr *);
static void wg_schedule_rekey_timer(struct wg_peer *);
static void wg_schedule_session_dtor_timer(struct wg_peer *);
static bool wg_is_underload(struct wg_softc *, struct wg_peer *, int);
static void wg_calculate_keys(struct wg_session *, const bool);
static void wg_clear_states(struct wg_session *);
static void wg_get_peer(struct wg_peer *, struct psref *);
static void wg_put_peer(struct wg_peer *, struct psref *);
static int wg_send_so(struct wg_peer *, struct mbuf *);
static int wg_send_udp(struct wg_peer *, struct mbuf *);
static int wg_output(struct ifnet *, struct mbuf *,
const struct sockaddr *, const struct rtentry *);
static void wg_input(struct ifnet *, struct mbuf *, const int);
static int wg_ioctl(struct ifnet *, u_long, void *);
static int wg_bind_port(struct wg_softc *, const uint16_t);
static int wg_init(struct ifnet *);
#ifdef ALTQ
static void wg_start(struct ifnet *);
#endif
static void wg_stop(struct ifnet *, int);
static void wg_peer_work(struct work *, void *);
static void wg_job(struct threadpool_job *);
static void wgintr(void *);
static void wg_purge_pending_packets(struct wg_peer *);
static int wg_clone_create(struct if_clone *, int);
static int wg_clone_destroy(struct ifnet *);
struct wg_ops {
int (*send_hs_msg)(struct wg_peer *, struct mbuf *);
int (*send_data_msg)(struct wg_peer *, struct mbuf *);
void (*input)(struct ifnet *, struct mbuf *, const int);
int (*bind_port)(struct wg_softc *, const uint16_t);
};
struct wg_ops wg_ops_rumpkernel = {
.send_hs_msg = wg_send_so,
.send_data_msg = wg_send_udp,
.input = wg_input,
.bind_port = wg_bind_port,
};
#ifdef WG_RUMPKERNEL
static bool wg_user_mode(struct wg_softc *);
static int wg_ioctl_linkstr(struct wg_softc *, struct ifdrv *);
static int wg_send_user(struct wg_peer *, struct mbuf *);
static void wg_input_user(struct ifnet *, struct mbuf *, const int);
static int wg_bind_port_user(struct wg_softc *, const uint16_t);
struct wg_ops wg_ops_rumpuser = {
.send_hs_msg = wg_send_user,
.send_data_msg = wg_send_user,
.input = wg_input_user,
.bind_port = wg_bind_port_user,
};
#endif
#define WG_PEER_READER_FOREACH(wgp, wg) \
PSLIST_READER_FOREACH((wgp), &(wg)->wg_peers, struct wg_peer, \
wgp_peerlist_entry)
#define WG_PEER_WRITER_FOREACH(wgp, wg) \
PSLIST_WRITER_FOREACH((wgp), &(wg)->wg_peers, struct wg_peer, \
wgp_peerlist_entry)
#define WG_PEER_WRITER_INSERT_HEAD(wgp, wg) \
PSLIST_WRITER_INSERT_HEAD(&(wg)->wg_peers, (wgp), wgp_peerlist_entry)
#define WG_PEER_WRITER_REMOVE(wgp) \
PSLIST_WRITER_REMOVE((wgp), wgp_peerlist_entry)
struct wg_route {
struct radix_node wgr_nodes[2];
struct wg_peer *wgr_peer;
};
static struct radix_node_head *
wg_rnh(struct wg_softc *wg, const int family)
{
switch (family) {
case AF_INET:
return wg->wg_rtable_ipv4;
#ifdef INET6
case AF_INET6:
return wg->wg_rtable_ipv6;
#endif
default:
return NULL;
}
}
/*
* Global variables
*/
static volatile unsigned wg_count __cacheline_aligned;
struct psref_class *wg_psref_class __read_mostly;
static struct if_clone wg_cloner =
IF_CLONE_INITIALIZER("wg", wg_clone_create, wg_clone_destroy);
static struct pktqueue *wg_pktq __read_mostly;
static struct workqueue *wg_wq __read_mostly;
void wgattach(int);
/* ARGSUSED */
void
wgattach(int count)
{
/*
* Nothing to do here, initialization is handled by the
* module initialization code in wginit() below).
*/
}
static void
wginit(void)
{
wg_psref_class = psref_class_create("wg", IPL_SOFTNET);
if_clone_attach(&wg_cloner);
}
/*
* XXX Kludge: This should just happen in wginit, but workqueue_create
* cannot be run until after CPUs have been detected, and wginit runs
* before configure.
*/
static int
wginitqueues(void)
{
int error __diagused;
wg_pktq = pktq_create(IFQ_MAXLEN, wgintr, NULL);
KASSERT(wg_pktq != NULL);
error = workqueue_create(&wg_wq, "wgpeer", wg_peer_work, NULL,
PRI_NONE, IPL_SOFTNET, WQ_MPSAFE|WQ_PERCPU);
KASSERT(error == 0);
return 0;
}
static void
wg_guarantee_initialized(void)
{
static ONCE_DECL(init);
int error __diagused;
error = RUN_ONCE(&init, wginitqueues);
KASSERT(error == 0);
}
static int
wg_count_inc(void)
{
unsigned o, n;
do {
o = atomic_load_relaxed(&wg_count);
if (o == UINT_MAX)
return ENFILE;
n = o + 1;
} while (atomic_cas_uint(&wg_count, o, n) != o);
return 0;
}
static void
wg_count_dec(void)
{
unsigned c __diagused;
c = atomic_dec_uint_nv(&wg_count);
KASSERT(c != UINT_MAX);
}
static int
wgdetach(void)
{
/* Prevent new interface creation. */
if_clone_detach(&wg_cloner);
/* Check whether there are any existing interfaces. */
if (atomic_load_relaxed(&wg_count)) {
/* Back out -- reattach the cloner. */
if_clone_attach(&wg_cloner);
return EBUSY;
}
/* No interfaces left. Nuke it. */
workqueue_destroy(wg_wq);
pktq_destroy(wg_pktq);
psref_class_destroy(wg_psref_class);
return 0;
}
static void
wg_init_key_and_hash(uint8_t ckey[WG_CHAINING_KEY_LEN],
uint8_t hash[WG_HASH_LEN])
{
/* [W] 5.4: CONSTRUCTION */
const char *signature = "Noise_IKpsk2_25519_ChaChaPoly_BLAKE2s";
/* [W] 5.4: IDENTIFIER */
const char *id = "WireGuard v1 zx2c4 Jason@zx2c4.com";
struct blake2s state;
blake2s(ckey, WG_CHAINING_KEY_LEN, NULL, 0,
signature, strlen(signature));
CTASSERT(WG_HASH_LEN == WG_CHAINING_KEY_LEN);
memcpy(hash, ckey, WG_CHAINING_KEY_LEN);
blake2s_init(&state, WG_HASH_LEN, NULL, 0);
blake2s_update(&state, ckey, WG_CHAINING_KEY_LEN);
blake2s_update(&state, id, strlen(id));
blake2s_final(&state, hash);
WG_DUMP_HASH("ckey", ckey);
WG_DUMP_HASH("hash", hash);
}
static void
wg_algo_hash(uint8_t hash[WG_HASH_LEN], const uint8_t input[],
const size_t inputsize)
{
struct blake2s state;
blake2s_init(&state, WG_HASH_LEN, NULL, 0);
blake2s_update(&state, hash, WG_HASH_LEN);
blake2s_update(&state, input, inputsize);
blake2s_final(&state, hash);
}
static void
wg_algo_mac(uint8_t out[], const size_t outsize,
const uint8_t key[], const size_t keylen,
const uint8_t input1[], const size_t input1len,
const uint8_t input2[], const size_t input2len)
{
struct blake2s state;
blake2s_init(&state, outsize, key, keylen);
blake2s_update(&state, input1, input1len);
if (input2 != NULL)
blake2s_update(&state, input2, input2len);
blake2s_final(&state, out);
}
static void
wg_algo_mac_mac1(uint8_t out[], const size_t outsize,
const uint8_t input1[], const size_t input1len,
const uint8_t input2[], const size_t input2len)
{
struct blake2s state;
/* [W] 5.4: LABEL-MAC1 */
const char *label = "mac1----";
uint8_t key[WG_HASH_LEN];
blake2s_init(&state, sizeof(key), NULL, 0);
blake2s_update(&state, label, strlen(label));
blake2s_update(&state, input1, input1len);
blake2s_final(&state, key);
blake2s_init(&state, outsize, key, sizeof(key));
if (input2 != NULL)
blake2s_update(&state, input2, input2len);
blake2s_final(&state, out);
}
static void
wg_algo_mac_cookie(uint8_t out[], const size_t outsize,
const uint8_t input1[], const size_t input1len)
{
struct blake2s state;
/* [W] 5.4: LABEL-COOKIE */
const char *label = "cookie--";
blake2s_init(&state, outsize, NULL, 0);
blake2s_update(&state, label, strlen(label));
blake2s_update(&state, input1, input1len);
blake2s_final(&state, out);
}
static void
wg_algo_generate_keypair(uint8_t pubkey[WG_EPHEMERAL_KEY_LEN],
uint8_t privkey[WG_EPHEMERAL_KEY_LEN])
{
CTASSERT(WG_EPHEMERAL_KEY_LEN == crypto_scalarmult_curve25519_BYTES);
cprng_strong(kern_cprng, privkey, WG_EPHEMERAL_KEY_LEN, 0);
crypto_scalarmult_base(pubkey, privkey);
}
static void
wg_algo_dh(uint8_t out[WG_DH_OUTPUT_LEN],
const uint8_t privkey[WG_STATIC_KEY_LEN],
const uint8_t pubkey[WG_STATIC_KEY_LEN])
{
CTASSERT(WG_STATIC_KEY_LEN == crypto_scalarmult_curve25519_BYTES);
int ret __diagused = crypto_scalarmult(out, privkey, pubkey);
KASSERT(ret == 0);
}
static void
wg_algo_hmac(uint8_t out[], const size_t outlen,
const uint8_t key[], const size_t keylen,
const uint8_t in[], const size_t inlen)
{
#define IPAD 0x36
#define OPAD 0x5c
uint8_t hmackey[HMAC_BLOCK_LEN] = {0};
uint8_t ipad[HMAC_BLOCK_LEN];
uint8_t opad[HMAC_BLOCK_LEN];
size_t i;
struct blake2s state;
KASSERT(outlen == WG_HASH_LEN);
KASSERT(keylen <= HMAC_BLOCK_LEN);
memcpy(hmackey, key, keylen);
for (i = 0; i < sizeof(hmackey); i++) {
ipad[i] = hmackey[i] ^ IPAD;
opad[i] = hmackey[i] ^ OPAD;
}
blake2s_init(&state, WG_HASH_LEN, NULL, 0);
blake2s_update(&state, ipad, sizeof(ipad));
blake2s_update(&state, in, inlen);
blake2s_final(&state, out);
blake2s_init(&state, WG_HASH_LEN, NULL, 0);
blake2s_update(&state, opad, sizeof(opad));
blake2s_update(&state, out, WG_HASH_LEN);
blake2s_final(&state, out);
#undef IPAD
#undef OPAD
}
static void
wg_algo_kdf(uint8_t out1[WG_KDF_OUTPUT_LEN], uint8_t out2[WG_KDF_OUTPUT_LEN],
uint8_t out3[WG_KDF_OUTPUT_LEN], const uint8_t ckey[WG_CHAINING_KEY_LEN],
const uint8_t input[], const size_t inputlen)
{
uint8_t tmp1[WG_KDF_OUTPUT_LEN], tmp2[WG_KDF_OUTPUT_LEN + 1];
uint8_t one[1];
/*
* [N] 4.3: "an input_key_material byte sequence with length
* either zero bytes, 32 bytes, or DHLEN bytes."
*/
KASSERT(inputlen == 0 || inputlen == 32 || inputlen == NOISE_DHLEN);
WG_DUMP_HASH("ckey", ckey);
if (input != NULL)
WG_DUMP_HASH("input", input);
wg_algo_hmac(tmp1, sizeof(tmp1), ckey, WG_CHAINING_KEY_LEN,
input, inputlen);
WG_DUMP_HASH("tmp1", tmp1);
one[0] = 1;
wg_algo_hmac(out1, WG_KDF_OUTPUT_LEN, tmp1, sizeof(tmp1),
one, sizeof(one));
WG_DUMP_HASH("out1", out1);
if (out2 == NULL)
return;
memcpy(tmp2, out1, WG_KDF_OUTPUT_LEN);
tmp2[WG_KDF_OUTPUT_LEN] = 2;
wg_algo_hmac(out2, WG_KDF_OUTPUT_LEN, tmp1, sizeof(tmp1),
tmp2, sizeof(tmp2));
WG_DUMP_HASH("out2", out2);
if (out3 == NULL)
return;
memcpy(tmp2, out2, WG_KDF_OUTPUT_LEN);
tmp2[WG_KDF_OUTPUT_LEN] = 3;
wg_algo_hmac(out3, WG_KDF_OUTPUT_LEN, tmp1, sizeof(tmp1),
tmp2, sizeof(tmp2));
WG_DUMP_HASH("out3", out3);
}
static void __noinline
wg_algo_dh_kdf(uint8_t ckey[WG_CHAINING_KEY_LEN],
uint8_t cipher_key[WG_CIPHER_KEY_LEN],
const uint8_t local_key[WG_STATIC_KEY_LEN],
const uint8_t remote_key[WG_STATIC_KEY_LEN])
{
uint8_t dhout[WG_DH_OUTPUT_LEN];
wg_algo_dh(dhout, local_key, remote_key);
wg_algo_kdf(ckey, cipher_key, NULL, ckey, dhout, sizeof(dhout));
WG_DUMP_HASH("dhout", dhout);
WG_DUMP_HASH("ckey", ckey);
if (cipher_key != NULL)
WG_DUMP_HASH("cipher_key", cipher_key);
}
static void
wg_algo_aead_enc(uint8_t out[], size_t expected_outsize, const uint8_t key[],
const uint64_t counter, const uint8_t plain[], const size_t plainsize,
const uint8_t auth[], size_t authlen)
{
uint8_t nonce[(32 + 64) / 8] = {0};
long long unsigned int outsize;
int error __diagused;
le64enc(&nonce[4], counter);
error = crypto_aead_chacha20poly1305_ietf_encrypt(out, &outsize, plain,
plainsize, auth, authlen, NULL, nonce, key);
KASSERT(error == 0);
KASSERT(outsize == expected_outsize);
}
static int
wg_algo_aead_dec(uint8_t out[], size_t expected_outsize, const uint8_t key[],
const uint64_t counter, const uint8_t encrypted[],
const size_t encryptedsize, const uint8_t auth[], size_t authlen)
{
uint8_t nonce[(32 + 64) / 8] = {0};
long long unsigned int outsize;
int error;
le64enc(&nonce[4], counter);
error = crypto_aead_chacha20poly1305_ietf_decrypt(out, &outsize, NULL,
encrypted, encryptedsize, auth, authlen, nonce, key);
if (error == 0)
KASSERT(outsize == expected_outsize);
return error;
}
static void
wg_algo_xaead_enc(uint8_t out[], const size_t expected_outsize,
const uint8_t key[], const uint8_t plain[], const size_t plainsize,
const uint8_t auth[], size_t authlen,
const uint8_t nonce[WG_SALT_LEN])
{
long long unsigned int outsize;
int error __diagused;
CTASSERT(WG_SALT_LEN == crypto_aead_xchacha20poly1305_ietf_NPUBBYTES);
error = crypto_aead_xchacha20poly1305_ietf_encrypt(out, &outsize,
plain, plainsize, auth, authlen, NULL, nonce, key);
KASSERT(error == 0);
KASSERT(outsize == expected_outsize);
}
static int
wg_algo_xaead_dec(uint8_t out[], const size_t expected_outsize,
const uint8_t key[], const uint8_t encrypted[], const size_t encryptedsize,
const uint8_t auth[], size_t authlen,
const uint8_t nonce[WG_SALT_LEN])
{
long long unsigned int outsize;
int error;
error = crypto_aead_xchacha20poly1305_ietf_decrypt(out, &outsize, NULL,
encrypted, encryptedsize, auth, authlen, nonce, key);
if (error == 0)
KASSERT(outsize == expected_outsize);
return error;
}
static void
wg_algo_tai64n(wg_timestamp_t timestamp)
{
struct timespec ts;
/* FIXME strict TAI64N (https://cr.yp.to/libtai/tai64.html) */
getnanotime(&ts);
/* TAI64 label in external TAI64 format */
be32enc(timestamp, 0x40000000U + (uint32_t)(ts.tv_sec >> 32));
/* second beginning from 1970 TAI */
be32enc(timestamp + 4, (uint32_t)(ts.tv_sec & 0xffffffffU));
/* nanosecond in big-endian format */
be32enc(timestamp + 8, (uint32_t)ts.tv_nsec);
}
/*
* wg_get_stable_session(wgp, psref)
*
* Get a passive reference to the current stable session, or
* return NULL if there is no current stable session.
*
* The pointer is always there but the session is not necessarily
* ESTABLISHED; if it is not ESTABLISHED, return NULL. However,
* the session may transition from ESTABLISHED to DESTROYING while
* holding the passive reference.
*/
static struct wg_session *
wg_get_stable_session(struct wg_peer *wgp, struct psref *psref)
{
int s;
struct wg_session *wgs;
s = pserialize_read_enter();
wgs = atomic_load_consume(&wgp->wgp_session_stable);
if (__predict_false(wgs->wgs_state != WGS_STATE_ESTABLISHED))
wgs = NULL;
else
psref_acquire(psref, &wgs->wgs_psref, wg_psref_class);
pserialize_read_exit(s);
return wgs;
}
static void
wg_put_session(struct wg_session *wgs, struct psref *psref)
{
psref_release(psref, &wgs->wgs_psref, wg_psref_class);
}
static void
wg_destroy_session(struct wg_softc *wg, struct wg_session *wgs)
{
struct wg_peer *wgp = wgs->wgs_peer;
struct wg_session *wgs0 __diagused;
void *garbage;
KASSERT(mutex_owned(wgp->wgp_lock));
KASSERT(wgs->wgs_state != WGS_STATE_UNKNOWN);
/* Remove the session from the table. */
wgs0 = thmap_del(wg->wg_sessions_byindex,
&wgs->wgs_local_index, sizeof(wgs->wgs_local_index));
KASSERT(wgs0 == wgs);
garbage = thmap_stage_gc(wg->wg_sessions_byindex);
/* Wait for passive references to drain. */
pserialize_perform(wgp->wgp_psz);
psref_target_destroy(&wgs->wgs_psref, wg_psref_class);
/* Free memory, zero state, and transition to UNKNOWN. */
thmap_gc(wg->wg_sessions_byindex, garbage);
wg_clear_states(wgs);
wgs->wgs_state = WGS_STATE_UNKNOWN;
}
/*
* wg_get_session_index(wg, wgs)
*
* Choose a session index for wgs->wgs_local_index, and store it
* in wg's table of sessions by index.
*
* wgs must be the unstable session of its peer, and must be
* transitioning out of the UNKNOWN state.
*/
static void
wg_get_session_index(struct wg_softc *wg, struct wg_session *wgs)
{
struct wg_peer *wgp __diagused = wgs->wgs_peer;
struct wg_session *wgs0;
uint32_t index;
KASSERT(mutex_owned(wgp->wgp_lock));
KASSERT(wgs == wgp->wgp_session_unstable);
KASSERT(wgs->wgs_state == WGS_STATE_UNKNOWN);
do {
/* Pick a uniform random index. */
index = cprng_strong32();
/* Try to take it. */
wgs->wgs_local_index = index;
wgs0 = thmap_put(wg->wg_sessions_byindex,
&wgs->wgs_local_index, sizeof wgs->wgs_local_index, wgs);
/* If someone else beat us, start over. */
} while (__predict_false(wgs0 != wgs));
}
/*
* wg_put_session_index(wg, wgs)
*
* Remove wgs from the table of sessions by index, wait for any
* passive references to drain, and transition the session to the
* UNKNOWN state.
*
* wgs must be the unstable session of its peer, and must not be
* UNKNOWN or ESTABLISHED.
*/
static void
wg_put_session_index(struct wg_softc *wg, struct wg_session *wgs)
{
struct wg_peer *wgp __diagused = wgs->wgs_peer;
KASSERT(mutex_owned(wgp->wgp_lock));
KASSERT(wgs == wgp->wgp_session_unstable);
KASSERT(wgs->wgs_state != WGS_STATE_UNKNOWN);
KASSERT(wgs->wgs_state != WGS_STATE_ESTABLISHED);
wg_destroy_session(wg, wgs);
psref_target_init(&wgs->wgs_psref, wg_psref_class);
}
/*
* Handshake patterns
*
* [W] 5: "These messages use the "IK" pattern from Noise"
* [N] 7.5. Interactive handshake patterns (fundamental)
* "The first character refers to the initiators static key:"
* "I = Static key for initiator Immediately transmitted to responder,
* despite reduced or absent identity hiding"
* "The second character refers to the responders static key:"
* "K = Static key for responder Known to initiator"
* "IK:
* <- s
* ...
* -> e, es, s, ss
* <- e, ee, se"
* [N] 9.4. Pattern modifiers
* "IKpsk2:
* <- s
* ...
* -> e, es, s, ss
* <- e, ee, se, psk"
*/
static void
wg_fill_msg_init(struct wg_softc *wg, struct wg_peer *wgp,
struct wg_session *wgs, struct wg_msg_init *wgmi)
{
uint8_t ckey[WG_CHAINING_KEY_LEN]; /* [W] 5.4.2: Ci */
uint8_t hash[WG_HASH_LEN]; /* [W] 5.4.2: Hi */
uint8_t cipher_key[WG_CIPHER_KEY_LEN];
uint8_t pubkey[WG_EPHEMERAL_KEY_LEN];
uint8_t privkey[WG_EPHEMERAL_KEY_LEN];
KASSERT(mutex_owned(wgp->wgp_lock));
KASSERT(wgs == wgp->wgp_session_unstable);
KASSERT(wgs->wgs_state == WGS_STATE_INIT_ACTIVE);
wgmi->wgmi_type = htole32(WG_MSG_TYPE_INIT);
wgmi->wgmi_sender = wgs->wgs_local_index;
/* [W] 5.4.2: First Message: Initiator to Responder */
/* Ci := HASH(CONSTRUCTION) */
/* Hi := HASH(Ci || IDENTIFIER) */
wg_init_key_and_hash(ckey, hash);
/* Hi := HASH(Hi || Sr^pub) */
wg_algo_hash(hash, wgp->wgp_pubkey, sizeof(wgp->wgp_pubkey));
WG_DUMP_HASH("hash", hash);
/* [N] 2.2: "e" */
/* Ei^priv, Ei^pub := DH-GENERATE() */
wg_algo_generate_keypair(pubkey, privkey);
/* Ci := KDF1(Ci, Ei^pub) */
wg_algo_kdf(ckey, NULL, NULL, ckey, pubkey, sizeof(pubkey));
/* msg.ephemeral := Ei^pub */
memcpy(wgmi->wgmi_ephemeral, pubkey, sizeof(wgmi->wgmi_ephemeral));
/* Hi := HASH(Hi || msg.ephemeral) */
wg_algo_hash(hash, pubkey, sizeof(pubkey));
WG_DUMP_HASH("ckey", ckey);
WG_DUMP_HASH("hash", hash);
/* [N] 2.2: "es" */
/* Ci, k := KDF2(Ci, DH(Ei^priv, Sr^pub)) */
wg_algo_dh_kdf(ckey, cipher_key, privkey, wgp->wgp_pubkey);
/* [N] 2.2: "s" */
/* msg.static := AEAD(k, 0, Si^pub, Hi) */
wg_algo_aead_enc(wgmi->wgmi_static, sizeof(wgmi->wgmi_static),
cipher_key, 0, wg->wg_pubkey, sizeof(wg->wg_pubkey),
hash, sizeof(hash));
/* Hi := HASH(Hi || msg.static) */
wg_algo_hash(hash, wgmi->wgmi_static, sizeof(wgmi->wgmi_static));
WG_DUMP_HASH48("wgmi_static", wgmi->wgmi_static);
/* [N] 2.2: "ss" */
/* Ci, k := KDF2(Ci, DH(Si^priv, Sr^pub)) */
wg_algo_dh_kdf(ckey, cipher_key, wg->wg_privkey, wgp->wgp_pubkey);
/* msg.timestamp := AEAD(k, TIMESTAMP(), Hi) */
wg_timestamp_t timestamp;
wg_algo_tai64n(timestamp);
wg_algo_aead_enc(wgmi->wgmi_timestamp, sizeof(wgmi->wgmi_timestamp),
cipher_key, 0, timestamp, sizeof(timestamp), hash, sizeof(hash));
/* Hi := HASH(Hi || msg.timestamp) */
wg_algo_hash(hash, wgmi->wgmi_timestamp, sizeof(wgmi->wgmi_timestamp));
/* [W] 5.4.4 Cookie MACs */
wg_algo_mac_mac1(wgmi->wgmi_mac1, sizeof(wgmi->wgmi_mac1),
wgp->wgp_pubkey, sizeof(wgp->wgp_pubkey),
(const uint8_t *)wgmi, offsetof(struct wg_msg_init, wgmi_mac1));
/* Need mac1 to decrypt a cookie from a cookie message */
memcpy(wgp->wgp_last_sent_mac1, wgmi->wgmi_mac1,
sizeof(wgp->wgp_last_sent_mac1));
wgp->wgp_last_sent_mac1_valid = true;
if (wgp->wgp_latest_cookie_time == 0 ||
(time_uptime - wgp->wgp_latest_cookie_time) >= WG_COOKIE_TIME)
memset(wgmi->wgmi_mac2, 0, sizeof(wgmi->wgmi_mac2));
else {
wg_algo_mac(wgmi->wgmi_mac2, sizeof(wgmi->wgmi_mac2),
wgp->wgp_latest_cookie, WG_COOKIE_LEN,
(const uint8_t *)wgmi,
offsetof(struct wg_msg_init, wgmi_mac2),
NULL, 0);
}
memcpy(wgs->wgs_ephemeral_key_pub, pubkey, sizeof(pubkey));
memcpy(wgs->wgs_ephemeral_key_priv, privkey, sizeof(privkey));
memcpy(wgs->wgs_handshake_hash, hash, sizeof(hash));
memcpy(wgs->wgs_chaining_key, ckey, sizeof(ckey));
WG_DLOG("%s: sender=%x\n", __func__, wgs->wgs_local_index);
}
static void __noinline
wg_handle_msg_init(struct wg_softc *wg, const struct wg_msg_init *wgmi,
const struct sockaddr *src)
{
uint8_t ckey[WG_CHAINING_KEY_LEN]; /* [W] 5.4.2: Ci */
uint8_t hash[WG_HASH_LEN]; /* [W] 5.4.2: Hi */
uint8_t cipher_key[WG_CIPHER_KEY_LEN];
uint8_t peer_pubkey[WG_STATIC_KEY_LEN];
struct wg_peer *wgp;
struct wg_session *wgs;
int error, ret;
struct psref psref_peer;
uint8_t mac1[WG_MAC_LEN];
WG_TRACE("init msg received");
wg_algo_mac_mac1(mac1, sizeof(mac1),
wg->wg_pubkey, sizeof(wg->wg_pubkey),
(const uint8_t *)wgmi, offsetof(struct wg_msg_init, wgmi_mac1));
/*
* [W] 5.3: Denial of Service Mitigation & Cookies
* "the responder, ..., must always reject messages with an invalid
* msg.mac1"
*/
if (!consttime_memequal(mac1, wgmi->wgmi_mac1, sizeof(mac1))) {
WG_DLOG("mac1 is invalid\n");
return;
}
/*
* [W] 5.4.2: First Message: Initiator to Responder
* "When the responder receives this message, it does the same
* operations so that its final state variables are identical,
* replacing the operands of the DH function to produce equivalent
* values."
* Note that the following comments of operations are just copies of
* the initiator's ones.
*/
/* Ci := HASH(CONSTRUCTION) */
/* Hi := HASH(Ci || IDENTIFIER) */
wg_init_key_and_hash(ckey, hash);
/* Hi := HASH(Hi || Sr^pub) */
wg_algo_hash(hash, wg->wg_pubkey, sizeof(wg->wg_pubkey));
/* [N] 2.2: "e" */
/* Ci := KDF1(Ci, Ei^pub) */
wg_algo_kdf(ckey, NULL, NULL, ckey, wgmi->wgmi_ephemeral,
sizeof(wgmi->wgmi_ephemeral));
/* Hi := HASH(Hi || msg.ephemeral) */
wg_algo_hash(hash, wgmi->wgmi_ephemeral, sizeof(wgmi->wgmi_ephemeral));
WG_DUMP_HASH("ckey", ckey);
/* [N] 2.2: "es" */
/* Ci, k := KDF2(Ci, DH(Ei^priv, Sr^pub)) */
wg_algo_dh_kdf(ckey, cipher_key, wg->wg_privkey, wgmi->wgmi_ephemeral);
WG_DUMP_HASH48("wgmi_static", wgmi->wgmi_static);
/* [N] 2.2: "s" */
/* msg.static := AEAD(k, 0, Si^pub, Hi) */
error = wg_algo_aead_dec(peer_pubkey, WG_STATIC_KEY_LEN, cipher_key, 0,
wgmi->wgmi_static, sizeof(wgmi->wgmi_static), hash, sizeof(hash));
if (error != 0) {
WG_LOG_RATECHECK(&wg->wg_ppsratecheck, LOG_DEBUG,
"%s: wg_algo_aead_dec for secret key failed\n",
if_name(&wg->wg_if));
return;
}
/* Hi := HASH(Hi || msg.static) */
wg_algo_hash(hash, wgmi->wgmi_static, sizeof(wgmi->wgmi_static));
wgp = wg_lookup_peer_by_pubkey(wg, peer_pubkey, &psref_peer);
if (wgp == NULL) {
WG_DLOG("peer not found\n");
return;
}
/*
* Lock the peer to serialize access to cookie state.
*
* XXX Can we safely avoid holding the lock across DH? Take it
* just to verify mac2 and then unlock/DH/lock?
*/
mutex_enter(wgp->wgp_lock);
if (__predict_false(wg_is_underload(wg, wgp, WG_MSG_TYPE_INIT))) {
WG_TRACE("under load");
/*
* [W] 5.3: Denial of Service Mitigation & Cookies
* "the responder, ..., and when under load may reject messages
* with an invalid msg.mac2. If the responder receives a
* message with a valid msg.mac1 yet with an invalid msg.mac2,
* and is under load, it may respond with a cookie reply
* message"
*/
uint8_t zero[WG_MAC_LEN] = {0};
if (consttime_memequal(wgmi->wgmi_mac2, zero, sizeof(zero))) {
WG_TRACE("sending a cookie message: no cookie included");
(void)wg_send_cookie_msg(wg, wgp, wgmi->wgmi_sender,
wgmi->wgmi_mac1, src);
goto out;
}
if (!wgp->wgp_last_sent_cookie_valid) {
WG_TRACE("sending a cookie message: no cookie sent ever");
(void)wg_send_cookie_msg(wg, wgp, wgmi->wgmi_sender,
wgmi->wgmi_mac1, src);
goto out;
}
uint8_t mac2[WG_MAC_LEN];
wg_algo_mac(mac2, sizeof(mac2), wgp->wgp_last_sent_cookie,
WG_COOKIE_LEN, (const uint8_t *)wgmi,
offsetof(struct wg_msg_init, wgmi_mac2), NULL, 0);
if (!consttime_memequal(mac2, wgmi->wgmi_mac2, sizeof(mac2))) {
WG_DLOG("mac2 is invalid\n");
goto out;
}
WG_TRACE("under load, but continue to sending");
}
/* [N] 2.2: "ss" */
/* Ci, k := KDF2(Ci, DH(Si^priv, Sr^pub)) */
wg_algo_dh_kdf(ckey, cipher_key, wg->wg_privkey, wgp->wgp_pubkey);
/* msg.timestamp := AEAD(k, TIMESTAMP(), Hi) */
wg_timestamp_t timestamp;
error = wg_algo_aead_dec(timestamp, sizeof(timestamp), cipher_key, 0,
wgmi->wgmi_timestamp, sizeof(wgmi->wgmi_timestamp),
hash, sizeof(hash));
if (error != 0) {
WG_LOG_RATECHECK(&wgp->wgp_ppsratecheck, LOG_DEBUG,
"%s: peer %s: wg_algo_aead_dec for timestamp failed\n",
if_name(&wg->wg_if), wgp->wgp_name);
goto out;
}
/* Hi := HASH(Hi || msg.timestamp) */
wg_algo_hash(hash, wgmi->wgmi_timestamp, sizeof(wgmi->wgmi_timestamp));
/*
* [W] 5.1 "The responder keeps track of the greatest timestamp
* received per peer and discards packets containing
* timestamps less than or equal to it."
*/
ret = memcmp(timestamp, wgp->wgp_timestamp_latest_init,
sizeof(timestamp));
if (ret <= 0) {
WG_LOG_RATECHECK(&wgp->wgp_ppsratecheck, LOG_DEBUG,
"%s: peer %s: invalid init msg: timestamp is old\n",
if_name(&wg->wg_if), wgp->wgp_name);
goto out;
}
memcpy(wgp->wgp_timestamp_latest_init, timestamp, sizeof(timestamp));
/*
* Message is good -- we're committing to handle it now, unless
* we were already initiating a session.
*/
wgs = wgp->wgp_session_unstable;
switch (wgs->wgs_state) {
case WGS_STATE_UNKNOWN: /* new session initiated by peer */
wg_get_session_index(wg, wgs);
break;
case WGS_STATE_INIT_ACTIVE: /* we're already initiating, drop */
WG_TRACE("Session already initializing, ignoring the message");
goto out;
case WGS_STATE_INIT_PASSIVE: /* peer is retrying, start over */
WG_TRACE("Session already initializing, destroying old states");
wg_clear_states(wgs);
/* keep session index */
break;
case WGS_STATE_ESTABLISHED: /* can't happen */
panic("unstable session can't be established");
break;
case WGS_STATE_DESTROYING: /* rekey initiated by peer */
WG_TRACE("Session destroying, but force to clear");
callout_stop(&wgp->wgp_session_dtor_timer);
wg_clear_states(wgs);
/* keep session index */
break;
default:
panic("invalid session state: %d", wgs->wgs_state);
}
wgs->wgs_state = WGS_STATE_INIT_PASSIVE;
memcpy(wgs->wgs_handshake_hash, hash, sizeof(hash));
memcpy(wgs->wgs_chaining_key, ckey, sizeof(ckey));
memcpy(wgs->wgs_ephemeral_key_peer, wgmi->wgmi_ephemeral,
sizeof(wgmi->wgmi_ephemeral));
wg_update_endpoint_if_necessary(wgp, src);
(void)wg_send_handshake_msg_resp(wg, wgp, wgs, wgmi);
wg_calculate_keys(wgs, false);
wg_clear_states(wgs);
out:
mutex_exit(wgp->wgp_lock);
wg_put_peer(wgp, &psref_peer);
}
static struct socket *
wg_get_so_by_af(struct wg_softc *wg, const int af)
{
switch (af) {
#ifdef INET
case AF_INET:
return wg->wg_so4;
#endif
#ifdef INET6
case AF_INET6:
return wg->wg_so6;
#endif
default:
panic("wg: no such af: %d", af);
}
}
static struct socket *
wg_get_so_by_peer(struct wg_peer *wgp, struct wg_sockaddr *wgsa)
{
return wg_get_so_by_af(wgp->wgp_sc, wgsa_family(wgsa));
}
static struct wg_sockaddr *
wg_get_endpoint_sa(struct wg_peer *wgp, struct psref *psref)
{
struct wg_sockaddr *wgsa;
int s;
s = pserialize_read_enter();
wgsa = atomic_load_consume(&wgp->wgp_endpoint);
psref_acquire(psref, &wgsa->wgsa_psref, wg_psref_class);
pserialize_read_exit(s);
return wgsa;
}
static void
wg_put_sa(struct wg_peer *wgp, struct wg_sockaddr *wgsa, struct psref *psref)
{
psref_release(psref, &wgsa->wgsa_psref, wg_psref_class);
}
static int
wg_send_so(struct wg_peer *wgp, struct mbuf *m)
{
int error;
struct socket *so;
struct psref psref;
struct wg_sockaddr *wgsa;
wgsa = wg_get_endpoint_sa(wgp, &psref);
so = wg_get_so_by_peer(wgp, wgsa);
error = sosend(so, wgsatosa(wgsa), NULL, m, NULL, 0, curlwp);
wg_put_sa(wgp, wgsa, &psref);
return error;
}
static int
wg_send_handshake_msg_init(struct wg_softc *wg, struct wg_peer *wgp)
{
int error;
struct mbuf *m;
struct wg_msg_init *wgmi;
struct wg_session *wgs;
KASSERT(mutex_owned(wgp->wgp_lock));
wgs = wgp->wgp_session_unstable;
/* XXX pull dispatch out into wg_task_send_init_message */
switch (wgs->wgs_state) {
case WGS_STATE_UNKNOWN: /* new session initiated by us */
wg_get_session_index(wg, wgs);
break;
case WGS_STATE_INIT_ACTIVE: /* we're already initiating, stop */
WG_TRACE("Session already initializing, skip starting new one");
return EBUSY;
case WGS_STATE_INIT_PASSIVE: /* peer was trying -- XXX what now? */
WG_TRACE("Session already initializing, destroying old states");
wg_clear_states(wgs);
/* keep session index */
break;
case WGS_STATE_ESTABLISHED: /* can't happen */
panic("unstable session can't be established");
break;
case WGS_STATE_DESTROYING: /* rekey initiated by us too early */
WG_TRACE("Session destroying");
/* XXX should wait? */
return EBUSY;
}
wgs->wgs_state = WGS_STATE_INIT_ACTIVE;
m = m_gethdr(M_WAIT, MT_DATA);
if (sizeof(*wgmi) > MHLEN) {
m_clget(m, M_WAIT);
CTASSERT(sizeof(*wgmi) <= MCLBYTES);
}
m->m_pkthdr.len = m->m_len = sizeof(*wgmi);
wgmi = mtod(m, struct wg_msg_init *);
wg_fill_msg_init(wg, wgp, wgs, wgmi);
error = wg->wg_ops->send_hs_msg(wgp, m);
if (error == 0) {
WG_TRACE("init msg sent");
if (wgp->wgp_handshake_start_time == 0)
wgp->wgp_handshake_start_time = time_uptime;
callout_schedule(&wgp->wgp_handshake_timeout_timer,
MIN(wg_rekey_timeout, (unsigned)(INT_MAX / hz)) * hz);
} else {
wg_put_session_index(wg, wgs);
/* Initiation failed; toss packet waiting for it if any. */
if ((m = atomic_swap_ptr(&wgp->wgp_pending, NULL)) != NULL)
m_freem(m);
}
return error;
}
static void
wg_fill_msg_resp(struct wg_softc *wg, struct wg_peer *wgp,
struct wg_session *wgs, struct wg_msg_resp *wgmr,
const struct wg_msg_init *wgmi)
{
uint8_t ckey[WG_CHAINING_KEY_LEN]; /* [W] 5.4.3: Cr */
uint8_t hash[WG_HASH_LEN]; /* [W] 5.4.3: Hr */
uint8_t cipher_key[WG_KDF_OUTPUT_LEN];
uint8_t pubkey[WG_EPHEMERAL_KEY_LEN];
uint8_t privkey[WG_EPHEMERAL_KEY_LEN];
KASSERT(mutex_owned(wgp->wgp_lock));
KASSERT(wgs == wgp->wgp_session_unstable);
KASSERT(wgs->wgs_state == WGS_STATE_INIT_PASSIVE);
memcpy(hash, wgs->wgs_handshake_hash, sizeof(hash));
memcpy(ckey, wgs->wgs_chaining_key, sizeof(ckey));
wgmr->wgmr_type = htole32(WG_MSG_TYPE_RESP);
wgmr->wgmr_sender = wgs->wgs_local_index;
wgmr->wgmr_receiver = wgmi->wgmi_sender;
/* [W] 5.4.3 Second Message: Responder to Initiator */
/* [N] 2.2: "e" */
/* Er^priv, Er^pub := DH-GENERATE() */
wg_algo_generate_keypair(pubkey, privkey);
/* Cr := KDF1(Cr, Er^pub) */
wg_algo_kdf(ckey, NULL, NULL, ckey, pubkey, sizeof(pubkey));
/* msg.ephemeral := Er^pub */
memcpy(wgmr->wgmr_ephemeral, pubkey, sizeof(wgmr->wgmr_ephemeral));
/* Hr := HASH(Hr || msg.ephemeral) */
wg_algo_hash(hash, pubkey, sizeof(pubkey));
WG_DUMP_HASH("ckey", ckey);
WG_DUMP_HASH("hash", hash);
/* [N] 2.2: "ee" */
/* Cr := KDF1(Cr, DH(Er^priv, Ei^pub)) */
wg_algo_dh_kdf(ckey, NULL, privkey, wgs->wgs_ephemeral_key_peer);
/* [N] 2.2: "se" */
/* Cr := KDF1(Cr, DH(Er^priv, Si^pub)) */
wg_algo_dh_kdf(ckey, NULL, privkey, wgp->wgp_pubkey);
/* [N] 9.2: "psk" */
{
uint8_t kdfout[WG_KDF_OUTPUT_LEN];
/* Cr, r, k := KDF3(Cr, Q) */
wg_algo_kdf(ckey, kdfout, cipher_key, ckey, wgp->wgp_psk,
sizeof(wgp->wgp_psk));
/* Hr := HASH(Hr || r) */
wg_algo_hash(hash, kdfout, sizeof(kdfout));
}
/* msg.empty := AEAD(k, 0, e, Hr) */
wg_algo_aead_enc(wgmr->wgmr_empty, sizeof(wgmr->wgmr_empty),
cipher_key, 0, NULL, 0, hash, sizeof(hash));
/* Hr := HASH(Hr || msg.empty) */
wg_algo_hash(hash, wgmr->wgmr_empty, sizeof(wgmr->wgmr_empty));
WG_DUMP_HASH("wgmr_empty", wgmr->wgmr_empty);
/* [W] 5.4.4: Cookie MACs */
/* msg.mac1 := MAC(HASH(LABEL-MAC1 || Sm'^pub), msg_a) */
wg_algo_mac_mac1(wgmr->wgmr_mac1, sizeof(wgmi->wgmi_mac1),
wgp->wgp_pubkey, sizeof(wgp->wgp_pubkey),
(const uint8_t *)wgmr, offsetof(struct wg_msg_resp, wgmr_mac1));
/* Need mac1 to decrypt a cookie from a cookie message */
memcpy(wgp->wgp_last_sent_mac1, wgmr->wgmr_mac1,
sizeof(wgp->wgp_last_sent_mac1));
wgp->wgp_last_sent_mac1_valid = true;
if (wgp->wgp_latest_cookie_time == 0 ||
(time_uptime - wgp->wgp_latest_cookie_time) >= WG_COOKIE_TIME)
/* msg.mac2 := 0^16 */
memset(wgmr->wgmr_mac2, 0, sizeof(wgmr->wgmr_mac2));
else {
/* msg.mac2 := MAC(Lm, msg_b) */
wg_algo_mac(wgmr->wgmr_mac2, sizeof(wgmi->wgmi_mac2),
wgp->wgp_latest_cookie, WG_COOKIE_LEN,
(const uint8_t *)wgmr,
offsetof(struct wg_msg_resp, wgmr_mac2),
NULL, 0);
}
memcpy(wgs->wgs_handshake_hash, hash, sizeof(hash));
memcpy(wgs->wgs_chaining_key, ckey, sizeof(ckey));
memcpy(wgs->wgs_ephemeral_key_pub, pubkey, sizeof(pubkey));
memcpy(wgs->wgs_ephemeral_key_priv, privkey, sizeof(privkey));
wgs->wgs_remote_index = wgmi->wgmi_sender;
WG_DLOG("sender=%x\n", wgs->wgs_local_index);
WG_DLOG("receiver=%x\n", wgs->wgs_remote_index);
}
static void
wg_swap_sessions(struct wg_peer *wgp)
{
struct wg_session *wgs, *wgs_prev;
KASSERT(mutex_owned(wgp->wgp_lock));
wgs = wgp->wgp_session_unstable;
KASSERT(wgs->wgs_state == WGS_STATE_ESTABLISHED);
wgs_prev = wgp->wgp_session_stable;
KASSERT(wgs_prev->wgs_state == WGS_STATE_ESTABLISHED ||
wgs_prev->wgs_state == WGS_STATE_UNKNOWN);
atomic_store_release(&wgp->wgp_session_stable, wgs);
wgp->wgp_session_unstable = wgs_prev;
}
static void __noinline
wg_handle_msg_resp(struct wg_softc *wg, const struct wg_msg_resp *wgmr,
const struct sockaddr *src)
{
uint8_t ckey[WG_CHAINING_KEY_LEN]; /* [W] 5.4.3: Cr */
uint8_t hash[WG_HASH_LEN]; /* [W] 5.4.3: Kr */
uint8_t cipher_key[WG_KDF_OUTPUT_LEN];
struct wg_peer *wgp;
struct wg_session *wgs;
struct psref psref;
int error;
uint8_t mac1[WG_MAC_LEN];
struct wg_session *wgs_prev;
struct mbuf *m;
wg_algo_mac_mac1(mac1, sizeof(mac1),
wg->wg_pubkey, sizeof(wg->wg_pubkey),
(const uint8_t *)wgmr, offsetof(struct wg_msg_resp, wgmr_mac1));
/*
* [W] 5.3: Denial of Service Mitigation & Cookies
* "the responder, ..., must always reject messages with an invalid
* msg.mac1"
*/
if (!consttime_memequal(mac1, wgmr->wgmr_mac1, sizeof(mac1))) {
WG_DLOG("mac1 is invalid\n");
return;
}
WG_TRACE("resp msg received");
wgs = wg_lookup_session_by_index(wg, wgmr->wgmr_receiver, &psref);
if (wgs == NULL) {
WG_TRACE("No session found");
return;
}
wgp = wgs->wgs_peer;
mutex_enter(wgp->wgp_lock);
/* If we weren't waiting for a handshake response, drop it. */
if (wgs->wgs_state != WGS_STATE_INIT_ACTIVE) {
WG_TRACE("peer sent spurious handshake response, ignoring");
goto out;
}
if (__predict_false(wg_is_underload(wg, wgp, WG_MSG_TYPE_RESP))) {
WG_TRACE("under load");
/*
* [W] 5.3: Denial of Service Mitigation & Cookies
* "the responder, ..., and when under load may reject messages
* with an invalid msg.mac2. If the responder receives a
* message with a valid msg.mac1 yet with an invalid msg.mac2,
* and is under load, it may respond with a cookie reply
* message"
*/
uint8_t zero[WG_MAC_LEN] = {0};
if (consttime_memequal(wgmr->wgmr_mac2, zero, sizeof(zero))) {
WG_TRACE("sending a cookie message: no cookie included");
(void)wg_send_cookie_msg(wg, wgp, wgmr->wgmr_sender,
wgmr->wgmr_mac1, src);
goto out;
}
if (!wgp->wgp_last_sent_cookie_valid) {
WG_TRACE("sending a cookie message: no cookie sent ever");
(void)wg_send_cookie_msg(wg, wgp, wgmr->wgmr_sender,
wgmr->wgmr_mac1, src);
goto out;
}
uint8_t mac2[WG_MAC_LEN];
wg_algo_mac(mac2, sizeof(mac2), wgp->wgp_last_sent_cookie,
WG_COOKIE_LEN, (const uint8_t *)wgmr,
offsetof(struct wg_msg_resp, wgmr_mac2), NULL, 0);
if (!consttime_memequal(mac2, wgmr->wgmr_mac2, sizeof(mac2))) {
WG_DLOG("mac2 is invalid\n");
goto out;
}
WG_TRACE("under load, but continue to sending");
}
memcpy(hash, wgs->wgs_handshake_hash, sizeof(hash));
memcpy(ckey, wgs->wgs_chaining_key, sizeof(ckey));
/*
* [W] 5.4.3 Second Message: Responder to Initiator
* "When the initiator receives this message, it does the same
* operations so that its final state variables are identical,
* replacing the operands of the DH function to produce equivalent
* values."
* Note that the following comments of operations are just copies of
* the initiator's ones.
*/
/* [N] 2.2: "e" */
/* Cr := KDF1(Cr, Er^pub) */
wg_algo_kdf(ckey, NULL, NULL, ckey, wgmr->wgmr_ephemeral,
sizeof(wgmr->wgmr_ephemeral));
/* Hr := HASH(Hr || msg.ephemeral) */
wg_algo_hash(hash, wgmr->wgmr_ephemeral, sizeof(wgmr->wgmr_ephemeral));
WG_DUMP_HASH("ckey", ckey);
WG_DUMP_HASH("hash", hash);
/* [N] 2.2: "ee" */
/* Cr := KDF1(Cr, DH(Er^priv, Ei^pub)) */
wg_algo_dh_kdf(ckey, NULL, wgs->wgs_ephemeral_key_priv,
wgmr->wgmr_ephemeral);
/* [N] 2.2: "se" */
/* Cr := KDF1(Cr, DH(Er^priv, Si^pub)) */
wg_algo_dh_kdf(ckey, NULL, wg->wg_privkey, wgmr->wgmr_ephemeral);
/* [N] 9.2: "psk" */
{
uint8_t kdfout[WG_KDF_OUTPUT_LEN];
/* Cr, r, k := KDF3(Cr, Q) */
wg_algo_kdf(ckey, kdfout, cipher_key, ckey, wgp->wgp_psk,
sizeof(wgp->wgp_psk));
/* Hr := HASH(Hr || r) */
wg_algo_hash(hash, kdfout, sizeof(kdfout));
}
{
uint8_t out[sizeof(wgmr->wgmr_empty)]; /* for safety */
/* msg.empty := AEAD(k, 0, e, Hr) */
error = wg_algo_aead_dec(out, 0, cipher_key, 0, wgmr->wgmr_empty,
sizeof(wgmr->wgmr_empty), hash, sizeof(hash));
WG_DUMP_HASH("wgmr_empty", wgmr->wgmr_empty);
if (error != 0) {
WG_LOG_RATECHECK(&wgp->wgp_ppsratecheck, LOG_DEBUG,
"%s: peer %s: wg_algo_aead_dec for empty message failed\n",
if_name(&wg->wg_if), wgp->wgp_name);
goto out;
}
/* Hr := HASH(Hr || msg.empty) */
wg_algo_hash(hash, wgmr->wgmr_empty, sizeof(wgmr->wgmr_empty));
}
memcpy(wgs->wgs_handshake_hash, hash, sizeof(wgs->wgs_handshake_hash));
memcpy(wgs->wgs_chaining_key, ckey, sizeof(wgs->wgs_chaining_key));
wgs->wgs_remote_index = wgmr->wgmr_sender;
WG_DLOG("receiver=%x\n", wgs->wgs_remote_index);
KASSERT(wgs->wgs_state == WGS_STATE_INIT_ACTIVE);
wgs->wgs_state = WGS_STATE_ESTABLISHED;
wgs->wgs_time_established = time_uptime;
wgs->wgs_time_last_data_sent = 0;
wgs->wgs_is_initiator = true;
wg_calculate_keys(wgs, true);
wg_clear_states(wgs);
WG_TRACE("WGS_STATE_ESTABLISHED");
callout_stop(&wgp->wgp_handshake_timeout_timer);
wg_swap_sessions(wgp);
KASSERT(wgs == wgp->wgp_session_stable);
wgs_prev = wgp->wgp_session_unstable;
getnanotime(&wgp->wgp_last_handshake_time);
wgp->wgp_handshake_start_time = 0;
wgp->wgp_last_sent_mac1_valid = false;
wgp->wgp_last_sent_cookie_valid = false;
wg_schedule_rekey_timer(wgp);
wg_update_endpoint_if_necessary(wgp, src);
/*
* If we had a data packet queued up, send it; otherwise send a
* keepalive message -- either way we have to send something
* immediately or else the responder will never answer.
*/
if ((m = atomic_swap_ptr(&wgp->wgp_pending, NULL)) != NULL) {
kpreempt_disable();
const uint32_t h = curcpu()->ci_index; // pktq_rps_hash(m)
M_SETCTX(m, wgp);
if (__predict_false(!pktq_enqueue(wg_pktq, m, h))) {
WGLOG(LOG_ERR, "%s: pktq full, dropping\n",
if_name(&wg->wg_if));
m_freem(m);
}
kpreempt_enable();
} else {
wg_send_keepalive_msg(wgp, wgs);
}
if (wgs_prev->wgs_state == WGS_STATE_ESTABLISHED) {
/* Wait for wg_get_stable_session to drain. */
pserialize_perform(wgp->wgp_psz);
/* Transition ESTABLISHED->DESTROYING. */
wgs_prev->wgs_state = WGS_STATE_DESTROYING;
/* We can't destroy the old session immediately */
wg_schedule_session_dtor_timer(wgp);
} else {
KASSERTMSG(wgs_prev->wgs_state == WGS_STATE_UNKNOWN,
"state=%d", wgs_prev->wgs_state);
}
out:
mutex_exit(wgp->wgp_lock);
wg_put_session(wgs, &psref);
}
static int
wg_send_handshake_msg_resp(struct wg_softc *wg, struct wg_peer *wgp,
struct wg_session *wgs, const struct wg_msg_init *wgmi)
{
int error;
struct mbuf *m;
struct wg_msg_resp *wgmr;
KASSERT(mutex_owned(wgp->wgp_lock));
KASSERT(wgs == wgp->wgp_session_unstable);
KASSERT(wgs->wgs_state == WGS_STATE_INIT_PASSIVE);
m = m_gethdr(M_WAIT, MT_DATA);
if (sizeof(*wgmr) > MHLEN) {
m_clget(m, M_WAIT);
CTASSERT(sizeof(*wgmr) <= MCLBYTES);
}
m->m_pkthdr.len = m->m_len = sizeof(*wgmr);
wgmr = mtod(m, struct wg_msg_resp *);
wg_fill_msg_resp(wg, wgp, wgs, wgmr, wgmi);
error = wg->wg_ops->send_hs_msg(wgp, m);
if (error == 0)
WG_TRACE("resp msg sent");
return error;
}
static struct wg_peer *
wg_lookup_peer_by_pubkey(struct wg_softc *wg,
const uint8_t pubkey[WG_STATIC_KEY_LEN], struct psref *psref)
{
struct wg_peer *wgp;
int s = pserialize_read_enter();
wgp = thmap_get(wg->wg_peers_bypubkey, pubkey, WG_STATIC_KEY_LEN);
if (wgp != NULL)
wg_get_peer(wgp, psref);
pserialize_read_exit(s);
return wgp;
}
static void
wg_fill_msg_cookie(struct wg_softc *wg, struct wg_peer *wgp,
struct wg_msg_cookie *wgmc, const uint32_t sender,
const uint8_t mac1[WG_MAC_LEN], const struct sockaddr *src)
{
uint8_t cookie[WG_COOKIE_LEN];
uint8_t key[WG_HASH_LEN];
uint8_t addr[sizeof(struct in6_addr)];
size_t addrlen;
uint16_t uh_sport; /* be */
KASSERT(mutex_owned(wgp->wgp_lock));
wgmc->wgmc_type = htole32(WG_MSG_TYPE_COOKIE);
wgmc->wgmc_receiver = sender;
cprng_fast(wgmc->wgmc_salt, sizeof(wgmc->wgmc_salt));
/*
* [W] 5.4.7: Under Load: Cookie Reply Message
* "The secret variable, Rm, changes every two minutes to a
* random value"
*/
if ((time_uptime - wgp->wgp_last_genrandval_time) > WG_RANDVAL_TIME) {
wgp->wgp_randval = cprng_strong32();
wgp->wgp_last_genrandval_time = time_uptime;
}
switch (src->sa_family) {
case AF_INET: {
const struct sockaddr_in *sin = satocsin(src);
addrlen = sizeof(sin->sin_addr);
memcpy(addr, &sin->sin_addr, addrlen);
uh_sport = sin->sin_port;
break;
}
#ifdef INET6
case AF_INET6: {
const struct sockaddr_in6 *sin6 = satocsin6(src);
addrlen = sizeof(sin6->sin6_addr);
memcpy(addr, &sin6->sin6_addr, addrlen);
uh_sport = sin6->sin6_port;
break;
}
#endif
default:
panic("invalid af=%d", src->sa_family);
}
wg_algo_mac(cookie, sizeof(cookie),
(const uint8_t *)&wgp->wgp_randval, sizeof(wgp->wgp_randval),
addr, addrlen, (const uint8_t *)&uh_sport, sizeof(uh_sport));
wg_algo_mac_cookie(key, sizeof(key), wg->wg_pubkey,
sizeof(wg->wg_pubkey));
wg_algo_xaead_enc(wgmc->wgmc_cookie, sizeof(wgmc->wgmc_cookie), key,
cookie, sizeof(cookie), mac1, WG_MAC_LEN, wgmc->wgmc_salt);
/* Need to store to calculate mac2 */
memcpy(wgp->wgp_last_sent_cookie, cookie, sizeof(cookie));
wgp->wgp_last_sent_cookie_valid = true;
}
static int
wg_send_cookie_msg(struct wg_softc *wg, struct wg_peer *wgp,
const uint32_t sender, const uint8_t mac1[WG_MAC_LEN],
const struct sockaddr *src)
{
int error;
struct mbuf *m;
struct wg_msg_cookie *wgmc;
KASSERT(mutex_owned(wgp->wgp_lock));
m = m_gethdr(M_WAIT, MT_DATA);
if (sizeof(*wgmc) > MHLEN) {
m_clget(m, M_WAIT);
CTASSERT(sizeof(*wgmc) <= MCLBYTES);
}
m->m_pkthdr.len = m->m_len = sizeof(*wgmc);
wgmc = mtod(m, struct wg_msg_cookie *);
wg_fill_msg_cookie(wg, wgp, wgmc, sender, mac1, src);
error = wg->wg_ops->send_hs_msg(wgp, m);
if (error == 0)
WG_TRACE("cookie msg sent");
return error;
}
static bool
wg_is_underload(struct wg_softc *wg, struct wg_peer *wgp, int msgtype)
{
#ifdef WG_DEBUG_PARAMS
if (wg_force_underload)
return true;
#endif
/*
* XXX we don't have a means of a load estimation. The purpose of
* the mechanism is a DoS mitigation, so we consider frequent handshake
* messages as (a kind of) load; if a message of the same type comes
* to a peer within 1 second, we consider we are under load.
*/
time_t last = wgp->wgp_last_msg_received_time[msgtype];
wgp->wgp_last_msg_received_time[msgtype] = time_uptime;
return (time_uptime - last) == 0;
}
static void
wg_calculate_keys(struct wg_session *wgs, const bool initiator)
{
KASSERT(mutex_owned(wgs->wgs_peer->wgp_lock));
/*
* [W] 5.4.5: Ti^send = Tr^recv, Ti^recv = Tr^send := KDF2(Ci = Cr, e)
*/
if (initiator) {
wg_algo_kdf(wgs->wgs_tkey_send, wgs->wgs_tkey_recv, NULL,
wgs->wgs_chaining_key, NULL, 0);
} else {
wg_algo_kdf(wgs->wgs_tkey_recv, wgs->wgs_tkey_send, NULL,
wgs->wgs_chaining_key, NULL, 0);
}
WG_DUMP_HASH("wgs_tkey_send", wgs->wgs_tkey_send);
WG_DUMP_HASH("wgs_tkey_recv", wgs->wgs_tkey_recv);
}
static uint64_t
wg_session_get_send_counter(struct wg_session *wgs)
{
#ifdef __HAVE_ATOMIC64_LOADSTORE
return atomic_load_relaxed(&wgs->wgs_send_counter);
#else
uint64_t send_counter;
mutex_enter(&wgs->wgs_send_counter_lock);
send_counter = wgs->wgs_send_counter;
mutex_exit(&wgs->wgs_send_counter_lock);
return send_counter;
#endif
}
static uint64_t
wg_session_inc_send_counter(struct wg_session *wgs)
{
#ifdef __HAVE_ATOMIC64_LOADSTORE
return atomic_inc_64_nv(&wgs->wgs_send_counter) - 1;
#else
uint64_t send_counter;
mutex_enter(&wgs->wgs_send_counter_lock);
send_counter = wgs->wgs_send_counter++;
mutex_exit(&wgs->wgs_send_counter_lock);
return send_counter;
#endif
}
static void
wg_clear_states(struct wg_session *wgs)
{
KASSERT(mutex_owned(wgs->wgs_peer->wgp_lock));
wgs->wgs_send_counter = 0;
sliwin_reset(&wgs->wgs_recvwin->window);
#define wgs_clear(v) explicit_memset(wgs->wgs_##v, 0, sizeof(wgs->wgs_##v))
wgs_clear(handshake_hash);
wgs_clear(chaining_key);
wgs_clear(ephemeral_key_pub);
wgs_clear(ephemeral_key_priv);
wgs_clear(ephemeral_key_peer);
#undef wgs_clear
}
static struct wg_session *
wg_lookup_session_by_index(struct wg_softc *wg, const uint32_t index,
struct psref *psref)
{
struct wg_session *wgs;
int s = pserialize_read_enter();
wgs = thmap_get(wg->wg_sessions_byindex, &index, sizeof index);
if (wgs != NULL) {
KASSERT(atomic_load_relaxed(&wgs->wgs_state) !=
WGS_STATE_UNKNOWN);
psref_acquire(psref, &wgs->wgs_psref, wg_psref_class);
}
pserialize_read_exit(s);
return wgs;
}
static void
wg_schedule_rekey_timer(struct wg_peer *wgp)
{
int timeout = MIN(wg_rekey_after_time, (unsigned)(INT_MAX / hz));
callout_schedule(&wgp->wgp_rekey_timer, timeout * hz);
}
static void
wg_send_keepalive_msg(struct wg_peer *wgp, struct wg_session *wgs)
{
struct mbuf *m;
/*
* [W] 6.5 Passive Keepalive
* "A keepalive message is simply a transport data message with
* a zero-length encapsulated encrypted inner-packet."
*/
m = m_gethdr(M_WAIT, MT_DATA);
wg_send_data_msg(wgp, wgs, m);
}
static bool
wg_need_to_send_init_message(struct wg_session *wgs)
{
/*
* [W] 6.2 Transport Message Limits
* "if a peer is the initiator of a current secure session,
* WireGuard will send a handshake initiation message to begin
* a new secure session ... if after receiving a transport data
* message, the current secure session is (REJECT-AFTER-TIME
* KEEPALIVE-TIMEOUT REKEY-TIMEOUT) seconds old and it has
* not yet acted upon this event."
*/
return wgs->wgs_is_initiator && wgs->wgs_time_last_data_sent == 0 &&
(time_uptime - wgs->wgs_time_established) >=
(wg_reject_after_time - wg_keepalive_timeout - wg_rekey_timeout);
}
static void
wg_schedule_peer_task(struct wg_peer *wgp, unsigned int task)
{
mutex_enter(wgp->wgp_intr_lock);
WG_DLOG("tasks=%d, task=%d\n", wgp->wgp_tasks, task);
if (wgp->wgp_tasks == 0)
/*
* XXX If the current CPU is already loaded -- e.g., if
* there's already a bunch of handshakes queued up --
* consider tossing this over to another CPU to
* distribute the load.
*/
workqueue_enqueue(wg_wq, &wgp->wgp_work, NULL);
wgp->wgp_tasks |= task;
mutex_exit(wgp->wgp_intr_lock);
}
static void
wg_change_endpoint(struct wg_peer *wgp, const struct sockaddr *new)
{
struct wg_sockaddr *wgsa_prev;
WG_TRACE("Changing endpoint");
memcpy(wgp->wgp_endpoint0, new, new->sa_len);
wgsa_prev = wgp->wgp_endpoint;
atomic_store_release(&wgp->wgp_endpoint, wgp->wgp_endpoint0);
wgp->wgp_endpoint0 = wgsa_prev;
atomic_store_release(&wgp->wgp_endpoint_available, true);
wg_schedule_peer_task(wgp, WGP_TASK_ENDPOINT_CHANGED);
}
static bool
wg_validate_inner_packet(const char *packet, size_t decrypted_len, int *af)
{
uint16_t packet_len;
const struct ip *ip;
if (__predict_false(decrypted_len < sizeof(struct ip)))
return false;
ip = (const struct ip *)packet;
if (ip->ip_v == 4)
*af = AF_INET;
else if (ip->ip_v == 6)
*af = AF_INET6;
else
return false;
WG_DLOG("af=%d\n", *af);
switch (*af) {
#ifdef INET
case AF_INET:
packet_len = ntohs(ip->ip_len);
break;
#endif
#ifdef INET6
case AF_INET6: {
const struct ip6_hdr *ip6;
if (__predict_false(decrypted_len < sizeof(struct ip6_hdr)))
return false;
ip6 = (const struct ip6_hdr *)packet;
packet_len = sizeof(struct ip6_hdr) + ntohs(ip6->ip6_plen);
break;
}
#endif
default:
return false;
}
WG_DLOG("packet_len=%u\n", packet_len);
if (packet_len > decrypted_len)
return false;
return true;
}
static bool
wg_validate_route(struct wg_softc *wg, struct wg_peer *wgp_expected,
int af, char *packet)
{
struct sockaddr_storage ss;
struct sockaddr *sa;
struct psref psref;
struct wg_peer *wgp;
bool ok;
/*
* II CRYPTOKEY ROUTING
* "it will only accept it if its source IP resolves in the
* table to the public key used in the secure session for
* decrypting it."
*/
if (af == AF_INET) {
const struct ip *ip = (const struct ip *)packet;
struct sockaddr_in *sin = (struct sockaddr_in *)&ss;
sockaddr_in_init(sin, &ip->ip_src, 0);
sa = sintosa(sin);
#ifdef INET6
} else {
const struct ip6_hdr *ip6 = (const struct ip6_hdr *)packet;
struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)&ss;
sockaddr_in6_init(sin6, &ip6->ip6_src, 0, 0, 0);
sa = sin6tosa(sin6);
#endif
}
wgp = wg_pick_peer_by_sa(wg, sa, &psref);
ok = (wgp == wgp_expected);
if (wgp != NULL)
wg_put_peer(wgp, &psref);
return ok;
}
static void
wg_session_dtor_timer(void *arg)
{
struct wg_peer *wgp = arg;
WG_TRACE("enter");
wg_schedule_peer_task(wgp, WGP_TASK_DESTROY_PREV_SESSION);
}
static void
wg_schedule_session_dtor_timer(struct wg_peer *wgp)
{
/* 1 second grace period */
callout_schedule(&wgp->wgp_session_dtor_timer, hz);
}
static bool
sockaddr_port_match(const struct sockaddr *sa1, const struct sockaddr *sa2)
{
if (sa1->sa_family != sa2->sa_family)
return false;
switch (sa1->sa_family) {
#ifdef INET
case AF_INET:
return satocsin(sa1)->sin_port == satocsin(sa2)->sin_port;
#endif
#ifdef INET6
case AF_INET6:
return satocsin6(sa1)->sin6_port == satocsin6(sa2)->sin6_port;
#endif
default:
return false;
}
}
static void
wg_update_endpoint_if_necessary(struct wg_peer *wgp,
const struct sockaddr *src)
{
struct wg_sockaddr *wgsa;
struct psref psref;
wgsa = wg_get_endpoint_sa(wgp, &psref);
#ifdef WG_DEBUG_LOG
char oldaddr[128], newaddr[128];
sockaddr_format(wgsatosa(wgsa), oldaddr, sizeof(oldaddr));
sockaddr_format(src, newaddr, sizeof(newaddr));
WG_DLOG("old=%s, new=%s\n", oldaddr, newaddr);
#endif
/*
* III: "Since the packet has authenticated correctly, the source IP of
* the outer UDP/IP packet is used to update the endpoint for peer..."
*/
if (__predict_false(sockaddr_cmp(src, wgsatosa(wgsa)) != 0 ||
!sockaddr_port_match(src, wgsatosa(wgsa)))) {
/* XXX We can't change the endpoint twice in a short period */
if (atomic_swap_uint(&wgp->wgp_endpoint_changing, 1) == 0) {
wg_change_endpoint(wgp, src);
}
}
wg_put_sa(wgp, wgsa, &psref);
}
static void __noinline
wg_handle_msg_data(struct wg_softc *wg, struct mbuf *m,
const struct sockaddr *src)
{
struct wg_msg_data *wgmd;
char *encrypted_buf = NULL, *decrypted_buf;
size_t encrypted_len, decrypted_len;
struct wg_session *wgs;
struct wg_peer *wgp;
int state;
size_t mlen;
struct psref psref;
int error, af;
bool success, free_encrypted_buf = false, ok;
struct mbuf *n;
KASSERT(m->m_len >= sizeof(struct wg_msg_data));
wgmd = mtod(m, struct wg_msg_data *);
KASSERT(wgmd->wgmd_type == htole32(WG_MSG_TYPE_DATA));
WG_TRACE("data");
/* Find the putative session, or drop. */
wgs = wg_lookup_session_by_index(wg, wgmd->wgmd_receiver, &psref);
if (wgs == NULL) {
WG_TRACE("No session found");
m_freem(m);
return;
}
/*
* We are only ready to handle data when in INIT_PASSIVE,
* ESTABLISHED, or DESTROYING. All transitions out of that
* state dissociate the session index and drain psrefs.
*/
state = atomic_load_relaxed(&wgs->wgs_state);
switch (state) {
case WGS_STATE_UNKNOWN:
panic("wg session %p in unknown state has session index %u",
wgs, wgmd->wgmd_receiver);
case WGS_STATE_INIT_ACTIVE:
WG_TRACE("not yet ready for data");
goto out;
case WGS_STATE_INIT_PASSIVE:
case WGS_STATE_ESTABLISHED:
case WGS_STATE_DESTROYING:
break;
}
/*
* Get the peer, for rate-limited logs (XXX MPSAFE, dtrace) and
* to update the endpoint if authentication succeeds.
*/
wgp = wgs->wgs_peer;
/*
* Reject outrageously wrong sequence numbers before doing any
* crypto work or taking any locks.
*/
error = sliwin_check_fast(&wgs->wgs_recvwin->window,
le64toh(wgmd->wgmd_counter));
if (error) {
WG_LOG_RATECHECK(&wgp->wgp_ppsratecheck, LOG_DEBUG,
"%s: peer %s: out-of-window packet: %"PRIu64"\n",
if_name(&wg->wg_if), wgp->wgp_name,
le64toh(wgmd->wgmd_counter));
goto out;
}
/* Ensure the payload and authenticator are contiguous. */
mlen = m_length(m);
encrypted_len = mlen - sizeof(*wgmd);
if (encrypted_len < WG_AUTHTAG_LEN) {
WG_DLOG("Short encrypted_len: %lu\n", encrypted_len);
goto out;
}
success = m_ensure_contig(&m, sizeof(*wgmd) + encrypted_len);
if (success) {
encrypted_buf = mtod(m, char *) + sizeof(*wgmd);
} else {
encrypted_buf = kmem_intr_alloc(encrypted_len, KM_NOSLEEP);
if (encrypted_buf == NULL) {
WG_DLOG("failed to allocate encrypted_buf\n");
goto out;
}
m_copydata(m, sizeof(*wgmd), encrypted_len, encrypted_buf);
free_encrypted_buf = true;
}
/* m_ensure_contig may change m regardless of its result */
KASSERT(m->m_len >= sizeof(*wgmd));
wgmd = mtod(m, struct wg_msg_data *);
/*
* Get a buffer for the plaintext. Add WG_AUTHTAG_LEN to avoid
* a zero-length buffer (XXX). Drop if plaintext is longer
* than MCLBYTES (XXX).
*/
decrypted_len = encrypted_len - WG_AUTHTAG_LEN;
if (decrypted_len > MCLBYTES) {
/* FIXME handle larger data than MCLBYTES */
WG_DLOG("couldn't handle larger data than MCLBYTES\n");
goto out;
}
n = wg_get_mbuf(0, decrypted_len + WG_AUTHTAG_LEN);
if (n == NULL) {
WG_DLOG("wg_get_mbuf failed\n");
goto out;
}
decrypted_buf = mtod(n, char *);
/* Decrypt and verify the packet. */
WG_DLOG("mlen=%lu, encrypted_len=%lu\n", mlen, encrypted_len);
error = wg_algo_aead_dec(decrypted_buf,
encrypted_len - WG_AUTHTAG_LEN /* can be 0 */,
wgs->wgs_tkey_recv, le64toh(wgmd->wgmd_counter), encrypted_buf,
encrypted_len, NULL, 0);
if (error != 0) {
WG_LOG_RATECHECK(&wgp->wgp_ppsratecheck, LOG_DEBUG,
"%s: peer %s: failed to wg_algo_aead_dec\n",
if_name(&wg->wg_if), wgp->wgp_name);
m_freem(n);
goto out;
}
WG_DLOG("outsize=%u\n", (u_int)decrypted_len);
/* Packet is genuine. Reject it if a replay or just too old. */
mutex_enter(&wgs->wgs_recvwin->lock);
error = sliwin_update(&wgs->wgs_recvwin->window,
le64toh(wgmd->wgmd_counter));
mutex_exit(&wgs->wgs_recvwin->lock);
if (error) {
WG_LOG_RATECHECK(&wgp->wgp_ppsratecheck, LOG_DEBUG,
"%s: peer %s: replay or out-of-window packet: %"PRIu64"\n",
if_name(&wg->wg_if), wgp->wgp_name,
le64toh(wgmd->wgmd_counter));
m_freem(n);
goto out;
}
/* We're done with m now; free it and chuck the pointers. */
m_freem(m);
m = NULL;
wgmd = NULL;
/*
* Validate the encapsulated packet header and get the address
* family, or drop.
*/
ok = wg_validate_inner_packet(decrypted_buf, decrypted_len, &af);
if (!ok) {
m_freem(n);
goto out;
}
/*
* The packet is genuine. Update the peer's endpoint if the
* source address changed.
*
* XXX How to prevent DoS by replaying genuine packets from the
* wrong source address?
*/
wg_update_endpoint_if_necessary(wgp, src);
/* Submit it into our network stack if routable. */
ok = wg_validate_route(wg, wgp, af, decrypted_buf);
if (ok) {
wg->wg_ops->input(&wg->wg_if, n, af);
} else {
char addrstr[INET6_ADDRSTRLEN];
memset(addrstr, 0, sizeof(addrstr));
if (af == AF_INET) {
const struct ip *ip = (const struct ip *)decrypted_buf;
IN_PRINT(addrstr, &ip->ip_src);
#ifdef INET6
} else if (af == AF_INET6) {
const struct ip6_hdr *ip6 =
(const struct ip6_hdr *)decrypted_buf;
IN6_PRINT(addrstr, &ip6->ip6_src);
#endif
}
WG_LOG_RATECHECK(&wgp->wgp_ppsratecheck, LOG_DEBUG,
"%s: peer %s: invalid source address (%s)\n",
if_name(&wg->wg_if), wgp->wgp_name, addrstr);
m_freem(n);
/*
* The inner address is invalid however the session is valid
* so continue the session processing below.
*/
}
n = NULL;
/* Update the state machine if necessary. */
if (__predict_false(state == WGS_STATE_INIT_PASSIVE)) {
/*
* We were waiting for the initiator to send their
* first data transport message, and that has happened.
* Schedule a task to establish this session.
*/
wg_schedule_peer_task(wgp, WGP_TASK_ESTABLISH_SESSION);
} else {
if (__predict_false(wg_need_to_send_init_message(wgs))) {
wg_schedule_peer_task(wgp, WGP_TASK_SEND_INIT_MESSAGE);
}
/*
* [W] 6.5 Passive Keepalive
* "If a peer has received a validly-authenticated transport
* data message (section 5.4.6), but does not have any packets
* itself to send back for KEEPALIVE-TIMEOUT seconds, it sends
* a keepalive message."
*/
WG_DLOG("time_uptime=%ju wgs_time_last_data_sent=%ju\n",
(uintmax_t)time_uptime,
(uintmax_t)wgs->wgs_time_last_data_sent);
if ((time_uptime - wgs->wgs_time_last_data_sent) >=
wg_keepalive_timeout) {
WG_TRACE("Schedule sending keepalive message");
/*
* We can't send a keepalive message here to avoid
* a deadlock; we already hold the solock of a socket
* that is used to send the message.
*/
wg_schedule_peer_task(wgp,
WGP_TASK_SEND_KEEPALIVE_MESSAGE);
}
}
out:
wg_put_session(wgs, &psref);
if (m != NULL)
m_freem(m);
if (free_encrypted_buf)
kmem_intr_free(encrypted_buf, encrypted_len);
}
static void __noinline
wg_handle_msg_cookie(struct wg_softc *wg, const struct wg_msg_cookie *wgmc)
{
struct wg_session *wgs;
struct wg_peer *wgp;
struct psref psref;
int error;
uint8_t key[WG_HASH_LEN];
uint8_t cookie[WG_COOKIE_LEN];
WG_TRACE("cookie msg received");
/* Find the putative session. */
wgs = wg_lookup_session_by_index(wg, wgmc->wgmc_receiver, &psref);
if (wgs == NULL) {
WG_TRACE("No session found");
return;
}
/* Lock the peer so we can update the cookie state. */
wgp = wgs->wgs_peer;
mutex_enter(wgp->wgp_lock);
if (!wgp->wgp_last_sent_mac1_valid) {
WG_TRACE("No valid mac1 sent (or expired)");
goto out;
}
/* Decrypt the cookie and store it for later handshake retry. */
wg_algo_mac_cookie(key, sizeof(key), wgp->wgp_pubkey,
sizeof(wgp->wgp_pubkey));
error = wg_algo_xaead_dec(cookie, sizeof(cookie), key,
wgmc->wgmc_cookie, sizeof(wgmc->wgmc_cookie),
wgp->wgp_last_sent_mac1, sizeof(wgp->wgp_last_sent_mac1),
wgmc->wgmc_salt);
if (error != 0) {
WG_LOG_RATECHECK(&wgp->wgp_ppsratecheck, LOG_DEBUG,
"%s: peer %s: wg_algo_aead_dec for cookie failed: "
"error=%d\n", if_name(&wg->wg_if), wgp->wgp_name, error);
goto out;
}
/*
* [W] 6.6: Interaction with Cookie Reply System
* "it should simply store the decrypted cookie value from the cookie
* reply message, and wait for the expiration of the REKEY-TIMEOUT
* timer for retrying a handshake initiation message."
*/
wgp->wgp_latest_cookie_time = time_uptime;
memcpy(wgp->wgp_latest_cookie, cookie, sizeof(wgp->wgp_latest_cookie));
out:
mutex_exit(wgp->wgp_lock);
wg_put_session(wgs, &psref);
}
static struct mbuf *
wg_validate_msg_header(struct wg_softc *wg, struct mbuf *m)
{
struct wg_msg wgm;
size_t mbuflen;
size_t msglen;
/*
* Get the mbuf chain length. It is already guaranteed, by
* wg_overudp_cb, to be large enough for a struct wg_msg.
*/
mbuflen = m_length(m);
KASSERT(mbuflen >= sizeof(struct wg_msg));
/*
* Copy the message header (32-bit message type) out -- we'll
* worry about contiguity and alignment later.
*/
m_copydata(m, 0, sizeof(wgm), &wgm);
switch (le32toh(wgm.wgm_type)) {
case WG_MSG_TYPE_INIT:
msglen = sizeof(struct wg_msg_init);
break;
case WG_MSG_TYPE_RESP:
msglen = sizeof(struct wg_msg_resp);
break;
case WG_MSG_TYPE_COOKIE:
msglen = sizeof(struct wg_msg_cookie);
break;
case WG_MSG_TYPE_DATA:
msglen = sizeof(struct wg_msg_data);
break;
default:
WG_LOG_RATECHECK(&wg->wg_ppsratecheck, LOG_DEBUG,
"%s: Unexpected msg type: %u\n", if_name(&wg->wg_if),
le32toh(wgm.wgm_type));
goto error;
}
/* Verify the mbuf chain is long enough for this type of message. */
if (__predict_false(mbuflen < msglen)) {
WG_DLOG("Invalid msg size: mbuflen=%lu type=%u\n", mbuflen,
le32toh(wgm.wgm_type));
goto error;
}
/* Make the message header contiguous if necessary. */
if (__predict_false(m->m_len < msglen)) {
m = m_pullup(m, msglen);
if (m == NULL)
return NULL;
}
return m;
error:
m_freem(m);
return NULL;
}
static void
wg_handle_packet(struct wg_softc *wg, struct mbuf *m,
const struct sockaddr *src)
{
struct wg_msg *wgm;
m = wg_validate_msg_header(wg, m);
if (__predict_false(m == NULL))
return;
KASSERT(m->m_len >= sizeof(struct wg_msg));
wgm = mtod(m, struct wg_msg *);
switch (le32toh(wgm->wgm_type)) {
case WG_MSG_TYPE_INIT:
wg_handle_msg_init(wg, (struct wg_msg_init *)wgm, src);
break;
case WG_MSG_TYPE_RESP:
wg_handle_msg_resp(wg, (struct wg_msg_resp *)wgm, src);
break;
case WG_MSG_TYPE_COOKIE:
wg_handle_msg_cookie(wg, (struct wg_msg_cookie *)wgm);
break;
case WG_MSG_TYPE_DATA:
wg_handle_msg_data(wg, m, src);
/* wg_handle_msg_data frees m for us */
return;
default:
panic("invalid message type: %d", le32toh(wgm->wgm_type));
}
m_freem(m);
}
static void
wg_receive_packets(struct wg_softc *wg, const int af)
{
for (;;) {
int error, flags;
struct socket *so;
struct mbuf *m = NULL;
struct uio dummy_uio;
struct mbuf *paddr = NULL;
struct sockaddr *src;
so = wg_get_so_by_af(wg, af);
flags = MSG_DONTWAIT;
dummy_uio.uio_resid = 1000000000;
error = so->so_receive(so, &paddr, &dummy_uio, &m, NULL,
&flags);
if (error || m == NULL) {
//if (error == EWOULDBLOCK)
return;
}
KASSERT(paddr != NULL);
KASSERT(paddr->m_len >= sizeof(struct sockaddr));
src = mtod(paddr, struct sockaddr *);
wg_handle_packet(wg, m, src);
}
}
static void
wg_get_peer(struct wg_peer *wgp, struct psref *psref)
{
psref_acquire(psref, &wgp->wgp_psref, wg_psref_class);
}
static void
wg_put_peer(struct wg_peer *wgp, struct psref *psref)
{
psref_release(psref, &wgp->wgp_psref, wg_psref_class);
}
static void
wg_task_send_init_message(struct wg_softc *wg, struct wg_peer *wgp)
{
struct wg_session *wgs;
WG_TRACE("WGP_TASK_SEND_INIT_MESSAGE");
KASSERT(mutex_owned(wgp->wgp_lock));
if (!atomic_load_acquire(&wgp->wgp_endpoint_available)) {
WGLOG(LOG_DEBUG, "%s: No endpoint available\n",
if_name(&wg->wg_if));
/* XXX should do something? */
return;
}
wgs = wgp->wgp_session_stable;
if (wgs->wgs_state == WGS_STATE_UNKNOWN) {
/* XXX What if the unstable session is already INIT_ACTIVE? */
wg_send_handshake_msg_init(wg, wgp);
} else {
/* rekey */
wgs = wgp->wgp_session_unstable;
if (wgs->wgs_state != WGS_STATE_INIT_ACTIVE)
wg_send_handshake_msg_init(wg, wgp);
}
}
static void
wg_task_retry_handshake(struct wg_softc *wg, struct wg_peer *wgp)
{
struct wg_session *wgs;
WG_TRACE("WGP_TASK_RETRY_HANDSHAKE");
KASSERT(mutex_owned(wgp->wgp_lock));
KASSERT(wgp->wgp_handshake_start_time != 0);
wgs = wgp->wgp_session_unstable;
if (wgs->wgs_state != WGS_STATE_INIT_ACTIVE)
return;
/*
* XXX no real need to assign a new index here, but we do need
* to transition to UNKNOWN temporarily
*/
wg_put_session_index(wg, wgs);
/* [W] 6.4 Handshake Initiation Retransmission */
if ((time_uptime - wgp->wgp_handshake_start_time) >
wg_rekey_attempt_time) {
/* Give up handshaking */
wgp->wgp_handshake_start_time = 0;
WG_TRACE("give up");
/*
* If a new data packet comes, handshaking will be retried
* and a new session would be established at that time,
* however we don't want to send pending packets then.
*/
wg_purge_pending_packets(wgp);
return;
}
wg_task_send_init_message(wg, wgp);
}
static void
wg_task_establish_session(struct wg_softc *wg, struct wg_peer *wgp)
{
struct wg_session *wgs, *wgs_prev;
struct mbuf *m;
KASSERT(mutex_owned(wgp->wgp_lock));
wgs = wgp->wgp_session_unstable;
if (wgs->wgs_state != WGS_STATE_INIT_PASSIVE)
/* XXX Can this happen? */
return;
wgs->wgs_state = WGS_STATE_ESTABLISHED;
wgs->wgs_time_established = time_uptime;
wgs->wgs_time_last_data_sent = 0;
wgs->wgs_is_initiator = false;
WG_TRACE("WGS_STATE_ESTABLISHED");
wg_swap_sessions(wgp);
KASSERT(wgs == wgp->wgp_session_stable);
wgs_prev = wgp->wgp_session_unstable;
getnanotime(&wgp->wgp_last_handshake_time);
wgp->wgp_handshake_start_time = 0;
wgp->wgp_last_sent_mac1_valid = false;
wgp->wgp_last_sent_cookie_valid = false;
/* If we had a data packet queued up, send it. */
if ((m = atomic_swap_ptr(&wgp->wgp_pending, NULL)) != NULL) {
kpreempt_disable();
const uint32_t h = curcpu()->ci_index; // pktq_rps_hash(m)
M_SETCTX(m, wgp);
if (__predict_false(!pktq_enqueue(wg_pktq, m, h))) {
WGLOG(LOG_ERR, "%s: pktq full, dropping\n",
if_name(&wg->wg_if));
m_freem(m);
}
kpreempt_enable();
}
if (wgs_prev->wgs_state == WGS_STATE_ESTABLISHED) {
/* Wait for wg_get_stable_session to drain. */
pserialize_perform(wgp->wgp_psz);
/* Transition ESTABLISHED->DESTROYING. */
wgs_prev->wgs_state = WGS_STATE_DESTROYING;
/* We can't destroy the old session immediately */
wg_schedule_session_dtor_timer(wgp);
} else {
KASSERTMSG(wgs_prev->wgs_state == WGS_STATE_UNKNOWN,
"state=%d", wgs_prev->wgs_state);
wg_clear_states(wgs_prev);
wgs_prev->wgs_state = WGS_STATE_UNKNOWN;
}
}
static void
wg_task_endpoint_changed(struct wg_softc *wg, struct wg_peer *wgp)
{
WG_TRACE("WGP_TASK_ENDPOINT_CHANGED");
KASSERT(mutex_owned(wgp->wgp_lock));
if (atomic_load_relaxed(&wgp->wgp_endpoint_changing)) {
pserialize_perform(wgp->wgp_psz);
mutex_exit(wgp->wgp_lock);
psref_target_destroy(&wgp->wgp_endpoint0->wgsa_psref,
wg_psref_class);
psref_target_init(&wgp->wgp_endpoint0->wgsa_psref,
wg_psref_class);
mutex_enter(wgp->wgp_lock);
atomic_store_release(&wgp->wgp_endpoint_changing, 0);
}
}
static void
wg_task_send_keepalive_message(struct wg_softc *wg, struct wg_peer *wgp)
{
struct wg_session *wgs;
WG_TRACE("WGP_TASK_SEND_KEEPALIVE_MESSAGE");
KASSERT(mutex_owned(wgp->wgp_lock));
wgs = wgp->wgp_session_stable;
if (wgs->wgs_state != WGS_STATE_ESTABLISHED)
return;
wg_send_keepalive_msg(wgp, wgs);
}
static void
wg_task_destroy_prev_session(struct wg_softc *wg, struct wg_peer *wgp)
{
struct wg_session *wgs;
WG_TRACE("WGP_TASK_DESTROY_PREV_SESSION");
KASSERT(mutex_owned(wgp->wgp_lock));
wgs = wgp->wgp_session_unstable;
if (wgs->wgs_state == WGS_STATE_DESTROYING) {
wg_put_session_index(wg, wgs);
}
}
static void
wg_peer_work(struct work *wk, void *cookie)
{
struct wg_peer *wgp = container_of(wk, struct wg_peer, wgp_work);
struct wg_softc *wg = wgp->wgp_sc;
unsigned int tasks;
mutex_enter(wgp->wgp_intr_lock);
while ((tasks = wgp->wgp_tasks) != 0) {
wgp->wgp_tasks = 0;
mutex_exit(wgp->wgp_intr_lock);
mutex_enter(wgp->wgp_lock);
if (ISSET(tasks, WGP_TASK_SEND_INIT_MESSAGE))
wg_task_send_init_message(wg, wgp);
if (ISSET(tasks, WGP_TASK_RETRY_HANDSHAKE))
wg_task_retry_handshake(wg, wgp);
if (ISSET(tasks, WGP_TASK_ESTABLISH_SESSION))
wg_task_establish_session(wg, wgp);
if (ISSET(tasks, WGP_TASK_ENDPOINT_CHANGED))
wg_task_endpoint_changed(wg, wgp);
if (ISSET(tasks, WGP_TASK_SEND_KEEPALIVE_MESSAGE))
wg_task_send_keepalive_message(wg, wgp);
if (ISSET(tasks, WGP_TASK_DESTROY_PREV_SESSION))
wg_task_destroy_prev_session(wg, wgp);
mutex_exit(wgp->wgp_lock);
mutex_enter(wgp->wgp_intr_lock);
}
mutex_exit(wgp->wgp_intr_lock);
}
static void
wg_job(struct threadpool_job *job)
{
struct wg_softc *wg = container_of(job, struct wg_softc, wg_job);
int bound, upcalls;
mutex_enter(wg->wg_intr_lock);
while ((upcalls = wg->wg_upcalls) != 0) {
wg->wg_upcalls = 0;
mutex_exit(wg->wg_intr_lock);
bound = curlwp_bind();
if (ISSET(upcalls, WG_UPCALL_INET))
wg_receive_packets(wg, AF_INET);
if (ISSET(upcalls, WG_UPCALL_INET6))
wg_receive_packets(wg, AF_INET6);
curlwp_bindx(bound);
mutex_enter(wg->wg_intr_lock);
}
threadpool_job_done(job);
mutex_exit(wg->wg_intr_lock);
}
static int
wg_bind_port(struct wg_softc *wg, const uint16_t port)
{
int error;
uint16_t old_port = wg->wg_listen_port;
if (port != 0 && old_port == port)
return 0;
struct sockaddr_in _sin, *sin = &_sin;
sin->sin_len = sizeof(*sin);
sin->sin_family = AF_INET;
sin->sin_addr.s_addr = INADDR_ANY;
sin->sin_port = htons(port);
error = sobind(wg->wg_so4, sintosa(sin), curlwp);
if (error != 0)
return error;
#ifdef INET6
struct sockaddr_in6 _sin6, *sin6 = &_sin6;
sin6->sin6_len = sizeof(*sin6);
sin6->sin6_family = AF_INET6;
sin6->sin6_addr = in6addr_any;
sin6->sin6_port = htons(port);
error = sobind(wg->wg_so6, sin6tosa(sin6), curlwp);
if (error != 0)
return error;
#endif
wg->wg_listen_port = port;
return 0;
}
static void
wg_so_upcall(struct socket *so, void *cookie, int events, int waitflag)
{
struct wg_softc *wg = cookie;
int reason;
reason = (so->so_proto->pr_domain->dom_family == AF_INET) ?
WG_UPCALL_INET :
WG_UPCALL_INET6;
mutex_enter(wg->wg_intr_lock);
wg->wg_upcalls |= reason;
threadpool_schedule_job(wg->wg_threadpool, &wg->wg_job);
mutex_exit(wg->wg_intr_lock);
}
static int
wg_overudp_cb(struct mbuf **mp, int offset, struct socket *so,
struct sockaddr *src, void *arg)
{
struct wg_softc *wg = arg;
struct wg_msg wgm;
struct mbuf *m = *mp;
WG_TRACE("enter");
/* Verify the mbuf chain is long enough to have a wg msg header. */
KASSERT(offset <= m_length(m));
if (__predict_false(m_length(m) - offset < sizeof(struct wg_msg))) {
/* drop on the floor */
m_freem(m);
return -1;
}
/*
* Copy the message header (32-bit message type) out -- we'll
* worry about contiguity and alignment later.
*/
m_copydata(m, offset, sizeof(struct wg_msg), &wgm);
WG_DLOG("type=%d\n", le32toh(wgm.wgm_type));
/*
* Handle DATA packets promptly as they arrive. Other packets
* may require expensive public-key crypto and are not as
* sensitive to latency, so defer them to the worker thread.
*/
switch (le32toh(wgm.wgm_type)) {
case WG_MSG_TYPE_DATA:
/* handle immediately */
m_adj(m, offset);
if (__predict_false(m->m_len < sizeof(struct wg_msg_data))) {
m = m_pullup(m, sizeof(struct wg_msg_data));
if (m == NULL)
return -1;
}
wg_handle_msg_data(wg, m, src);
*mp = NULL;
return 1;
case WG_MSG_TYPE_INIT:
case WG_MSG_TYPE_RESP:
case WG_MSG_TYPE_COOKIE:
/* pass through to so_receive in wg_receive_packets */
return 0;
default:
/* drop on the floor */
m_freem(m);
return -1;
}
}
static int
wg_socreate(struct wg_softc *wg, int af, struct socket **sop)
{
int error;
struct socket *so;
error = socreate(af, &so, SOCK_DGRAM, 0, curlwp, NULL);
if (error != 0)
return error;
solock(so);
so->so_upcallarg = wg;
so->so_upcall = wg_so_upcall;
so->so_rcv.sb_flags |= SB_UPCALL;
inpcb_register_overudp_cb(sotoinpcb(so), wg_overudp_cb, wg);
sounlock(so);
*sop = so;
return 0;
}
static bool
wg_session_hit_limits(struct wg_session *wgs)
{
/*
* [W] 6.2: Transport Message Limits
* "After REJECT-AFTER-MESSAGES transport data messages or after the
* current secure session is REJECT-AFTER-TIME seconds old, whichever
* comes first, WireGuard will refuse to send any more transport data
* messages using the current secure session, ..."
*/
KASSERT(wgs->wgs_time_established != 0);
if ((time_uptime - wgs->wgs_time_established) > wg_reject_after_time) {
WG_DLOG("The session hits REJECT_AFTER_TIME\n");
return true;
} else if (wg_session_get_send_counter(wgs) >
wg_reject_after_messages) {
WG_DLOG("The session hits REJECT_AFTER_MESSAGES\n");
return true;
}
return false;
}
static void
wgintr(void *cookie)
{
struct wg_peer *wgp;
struct wg_session *wgs;
struct mbuf *m;
struct psref psref;
while ((m = pktq_dequeue(wg_pktq)) != NULL) {
wgp = M_GETCTX(m, struct wg_peer *);
if ((wgs = wg_get_stable_session(wgp, &psref)) == NULL) {
WG_TRACE("no stable session");
wg_schedule_peer_task(wgp, WGP_TASK_SEND_INIT_MESSAGE);
goto next0;
}
if (__predict_false(wg_session_hit_limits(wgs))) {
WG_TRACE("stable session hit limits");
wg_schedule_peer_task(wgp, WGP_TASK_SEND_INIT_MESSAGE);
goto next1;
}
wg_send_data_msg(wgp, wgs, m);
m = NULL; /* consumed */
next1: wg_put_session(wgs, &psref);
next0: if (m)
m_freem(m);
/* XXX Yield to avoid userland starvation? */
}
}
static void
wg_rekey_timer(void *arg)
{
struct wg_peer *wgp = arg;
wg_schedule_peer_task(wgp, WGP_TASK_SEND_INIT_MESSAGE);
}
static void
wg_purge_pending_packets(struct wg_peer *wgp)
{
struct mbuf *m;
if ((m = atomic_swap_ptr(&wgp->wgp_pending, NULL)) != NULL)
m_freem(m);
pktq_barrier(wg_pktq);
}
static void
wg_handshake_timeout_timer(void *arg)
{
struct wg_peer *wgp = arg;
WG_TRACE("enter");
wg_schedule_peer_task(wgp, WGP_TASK_RETRY_HANDSHAKE);
}
static struct wg_peer *
wg_alloc_peer(struct wg_softc *wg)
{
struct wg_peer *wgp;
wgp = kmem_zalloc(sizeof(*wgp), KM_SLEEP);
wgp->wgp_sc = wg;
callout_init(&wgp->wgp_rekey_timer, CALLOUT_MPSAFE);
callout_setfunc(&wgp->wgp_rekey_timer, wg_rekey_timer, wgp);
callout_init(&wgp->wgp_handshake_timeout_timer, CALLOUT_MPSAFE);
callout_setfunc(&wgp->wgp_handshake_timeout_timer,
wg_handshake_timeout_timer, wgp);
callout_init(&wgp->wgp_session_dtor_timer, CALLOUT_MPSAFE);
callout_setfunc(&wgp->wgp_session_dtor_timer,
wg_session_dtor_timer, wgp);
PSLIST_ENTRY_INIT(wgp, wgp_peerlist_entry);
wgp->wgp_endpoint_changing = false;
wgp->wgp_endpoint_available = false;
wgp->wgp_lock = mutex_obj_alloc(MUTEX_DEFAULT, IPL_NONE);
wgp->wgp_intr_lock = mutex_obj_alloc(MUTEX_DEFAULT, IPL_SOFTNET);
wgp->wgp_psz = pserialize_create();
psref_target_init(&wgp->wgp_psref, wg_psref_class);
wgp->wgp_endpoint = kmem_zalloc(sizeof(*wgp->wgp_endpoint), KM_SLEEP);
wgp->wgp_endpoint0 = kmem_zalloc(sizeof(*wgp->wgp_endpoint0), KM_SLEEP);
psref_target_init(&wgp->wgp_endpoint->wgsa_psref, wg_psref_class);
psref_target_init(&wgp->wgp_endpoint0->wgsa_psref, wg_psref_class);
struct wg_session *wgs;
wgp->wgp_session_stable =
kmem_zalloc(sizeof(*wgp->wgp_session_stable), KM_SLEEP);
wgp->wgp_session_unstable =
kmem_zalloc(sizeof(*wgp->wgp_session_unstable), KM_SLEEP);
wgs = wgp->wgp_session_stable;
wgs->wgs_peer = wgp;
wgs->wgs_state = WGS_STATE_UNKNOWN;
psref_target_init(&wgs->wgs_psref, wg_psref_class);
#ifndef __HAVE_ATOMIC64_LOADSTORE
mutex_init(&wgs->wgs_send_counter_lock, MUTEX_DEFAULT, IPL_SOFTNET);
#endif
wgs->wgs_recvwin = kmem_zalloc(sizeof(*wgs->wgs_recvwin), KM_SLEEP);
mutex_init(&wgs->wgs_recvwin->lock, MUTEX_DEFAULT, IPL_SOFTNET);
wgs = wgp->wgp_session_unstable;
wgs->wgs_peer = wgp;
wgs->wgs_state = WGS_STATE_UNKNOWN;
psref_target_init(&wgs->wgs_psref, wg_psref_class);
#ifndef __HAVE_ATOMIC64_LOADSTORE
mutex_init(&wgs->wgs_send_counter_lock, MUTEX_DEFAULT, IPL_SOFTNET);
#endif
wgs->wgs_recvwin = kmem_zalloc(sizeof(*wgs->wgs_recvwin), KM_SLEEP);
mutex_init(&wgs->wgs_recvwin->lock, MUTEX_DEFAULT, IPL_SOFTNET);
return wgp;
}
static void
wg_destroy_peer(struct wg_peer *wgp)
{
struct wg_session *wgs;
struct wg_softc *wg = wgp->wgp_sc;
/* Prevent new packets from this peer on any source address. */
rw_enter(wg->wg_rwlock, RW_WRITER);
for (int i = 0; i < wgp->wgp_n_allowedips; i++) {
struct wg_allowedip *wga = &wgp->wgp_allowedips[i];
struct radix_node_head *rnh = wg_rnh(wg, wga->wga_family);
struct radix_node *rn;
KASSERT(rnh != NULL);
rn = rnh->rnh_deladdr(&wga->wga_sa_addr,
&wga->wga_sa_mask, rnh);
if (rn == NULL) {
char addrstr[128];
sockaddr_format(&wga->wga_sa_addr, addrstr,
sizeof(addrstr));
WGLOG(LOG_WARNING, "%s: Couldn't delete %s",
if_name(&wg->wg_if), addrstr);
}
}
rw_exit(wg->wg_rwlock);
/* Purge pending packets. */
wg_purge_pending_packets(wgp);
/* Halt all packet processing and timeouts. */
callout_halt(&wgp->wgp_rekey_timer, NULL);
callout_halt(&wgp->wgp_handshake_timeout_timer, NULL);
callout_halt(&wgp->wgp_session_dtor_timer, NULL);
/* Wait for any queued work to complete. */
workqueue_wait(wg_wq, &wgp->wgp_work);
wgs = wgp->wgp_session_unstable;
if (wgs->wgs_state != WGS_STATE_UNKNOWN) {
mutex_enter(wgp->wgp_lock);
wg_destroy_session(wg, wgs);
mutex_exit(wgp->wgp_lock);
}
mutex_destroy(&wgs->wgs_recvwin->lock);
kmem_free(wgs->wgs_recvwin, sizeof(*wgs->wgs_recvwin));
#ifndef __HAVE_ATOMIC64_LOADSTORE
mutex_destroy(&wgs->wgs_send_counter_lock);
#endif
kmem_free(wgs, sizeof(*wgs));
wgs = wgp->wgp_session_stable;
if (wgs->wgs_state != WGS_STATE_UNKNOWN) {
mutex_enter(wgp->wgp_lock);
wg_destroy_session(wg, wgs);
mutex_exit(wgp->wgp_lock);
}
mutex_destroy(&wgs->wgs_recvwin->lock);
kmem_free(wgs->wgs_recvwin, sizeof(*wgs->wgs_recvwin));
#ifndef __HAVE_ATOMIC64_LOADSTORE
mutex_destroy(&wgs->wgs_send_counter_lock);
#endif
kmem_free(wgs, sizeof(*wgs));
psref_target_destroy(&wgp->wgp_endpoint->wgsa_psref, wg_psref_class);
psref_target_destroy(&wgp->wgp_endpoint0->wgsa_psref, wg_psref_class);
kmem_free(wgp->wgp_endpoint, sizeof(*wgp->wgp_endpoint));
kmem_free(wgp->wgp_endpoint0, sizeof(*wgp->wgp_endpoint0));
pserialize_destroy(wgp->wgp_psz);
mutex_obj_free(wgp->wgp_intr_lock);
mutex_obj_free(wgp->wgp_lock);
kmem_free(wgp, sizeof(*wgp));
}
static void
wg_destroy_all_peers(struct wg_softc *wg)
{
struct wg_peer *wgp, *wgp0 __diagused;
void *garbage_byname, *garbage_bypubkey;
restart:
garbage_byname = garbage_bypubkey = NULL;
mutex_enter(wg->wg_lock);
WG_PEER_WRITER_FOREACH(wgp, wg) {
if (wgp->wgp_name[0]) {
wgp0 = thmap_del(wg->wg_peers_byname, wgp->wgp_name,
strlen(wgp->wgp_name));
KASSERT(wgp0 == wgp);
garbage_byname = thmap_stage_gc(wg->wg_peers_byname);
}
wgp0 = thmap_del(wg->wg_peers_bypubkey, wgp->wgp_pubkey,
sizeof(wgp->wgp_pubkey));
KASSERT(wgp0 == wgp);
garbage_bypubkey = thmap_stage_gc(wg->wg_peers_bypubkey);
WG_PEER_WRITER_REMOVE(wgp);
wg->wg_npeers--;
mutex_enter(wgp->wgp_lock);
pserialize_perform(wgp->wgp_psz);
mutex_exit(wgp->wgp_lock);
PSLIST_ENTRY_DESTROY(wgp, wgp_peerlist_entry);
break;
}
mutex_exit(wg->wg_lock);
if (wgp == NULL)
return;
psref_target_destroy(&wgp->wgp_psref, wg_psref_class);
wg_destroy_peer(wgp);
thmap_gc(wg->wg_peers_byname, garbage_byname);
thmap_gc(wg->wg_peers_bypubkey, garbage_bypubkey);
goto restart;
}
static int
wg_destroy_peer_name(struct wg_softc *wg, const char *name)
{
struct wg_peer *wgp, *wgp0 __diagused;
void *garbage_byname, *garbage_bypubkey;
mutex_enter(wg->wg_lock);
wgp = thmap_del(wg->wg_peers_byname, name, strlen(name));
if (wgp != NULL) {
wgp0 = thmap_del(wg->wg_peers_bypubkey, wgp->wgp_pubkey,
sizeof(wgp->wgp_pubkey));
KASSERT(wgp0 == wgp);
garbage_byname = thmap_stage_gc(wg->wg_peers_byname);
garbage_bypubkey = thmap_stage_gc(wg->wg_peers_bypubkey);
WG_PEER_WRITER_REMOVE(wgp);
wg->wg_npeers--;
if (wg->wg_npeers == 0)
if_link_state_change(&wg->wg_if, LINK_STATE_DOWN);
mutex_enter(wgp->wgp_lock);
pserialize_perform(wgp->wgp_psz);
mutex_exit(wgp->wgp_lock);
PSLIST_ENTRY_DESTROY(wgp, wgp_peerlist_entry);
}
mutex_exit(wg->wg_lock);
if (wgp == NULL)
return ENOENT;
psref_target_destroy(&wgp->wgp_psref, wg_psref_class);
wg_destroy_peer(wgp);
thmap_gc(wg->wg_peers_byname, garbage_byname);
thmap_gc(wg->wg_peers_bypubkey, garbage_bypubkey);
return 0;
}
static int
wg_if_attach(struct wg_softc *wg)
{
wg->wg_if.if_addrlen = 0;
wg->wg_if.if_mtu = WG_MTU;
wg->wg_if.if_flags = IFF_MULTICAST;
wg->wg_if.if_extflags = IFEF_MPSAFE;
wg->wg_if.if_ioctl = wg_ioctl;
wg->wg_if.if_output = wg_output;
wg->wg_if.if_init = wg_init;
#ifdef ALTQ
wg->wg_if.if_start = wg_start;
#endif
wg->wg_if.if_stop = wg_stop;
wg->wg_if.if_type = IFT_OTHER;
wg->wg_if.if_dlt = DLT_NULL;
wg->wg_if.if_softc = wg;
#ifdef ALTQ
IFQ_SET_READY(&wg->wg_if.if_snd);
#endif
if_initialize(&wg->wg_if);
wg->wg_if.if_link_state = LINK_STATE_DOWN;
if_alloc_sadl(&wg->wg_if);
if_register(&wg->wg_if);
bpf_attach(&wg->wg_if, DLT_NULL, sizeof(uint32_t));
return 0;
}
static void
wg_if_detach(struct wg_softc *wg)
{
struct ifnet *ifp = &wg->wg_if;
bpf_detach(ifp);
if_detach(ifp);
}
static int
wg_clone_create(struct if_clone *ifc, int unit)
{
struct wg_softc *wg;
int error;
wg_guarantee_initialized();
error = wg_count_inc();
if (error)
return error;
wg = kmem_zalloc(sizeof(*wg), KM_SLEEP);
if_initname(&wg->wg_if, ifc->ifc_name, unit);
PSLIST_INIT(&wg->wg_peers);
wg->wg_peers_bypubkey = thmap_create(0, NULL, THMAP_NOCOPY);
wg->wg_peers_byname = thmap_create(0, NULL, THMAP_NOCOPY);
wg->wg_sessions_byindex = thmap_create(0, NULL, THMAP_NOCOPY);
wg->wg_lock = mutex_obj_alloc(MUTEX_DEFAULT, IPL_NONE);
wg->wg_intr_lock = mutex_obj_alloc(MUTEX_DEFAULT, IPL_SOFTNET);
wg->wg_rwlock = rw_obj_alloc();
threadpool_job_init(&wg->wg_job, wg_job, wg->wg_intr_lock,
"%s", if_name(&wg->wg_if));
wg->wg_ops = &wg_ops_rumpkernel;
error = threadpool_get(&wg->wg_threadpool, PRI_NONE);
if (error)
goto fail0;
#ifdef INET
error = wg_socreate(wg, AF_INET, &wg->wg_so4);
if (error)
goto fail1;
rn_inithead((void **)&wg->wg_rtable_ipv4,
offsetof(struct sockaddr_in, sin_addr) * NBBY);
#endif
#ifdef INET6
error = wg_socreate(wg, AF_INET6, &wg->wg_so6);
if (error)
goto fail2;
rn_inithead((void **)&wg->wg_rtable_ipv6,
offsetof(struct sockaddr_in6, sin6_addr) * NBBY);
#endif
error = wg_if_attach(wg);
if (error)
goto fail3;
return 0;
fail4: __unused
wg_if_detach(wg);
fail3: wg_destroy_all_peers(wg);
#ifdef INET6
solock(wg->wg_so6);
wg->wg_so6->so_rcv.sb_flags &= ~SB_UPCALL;
sounlock(wg->wg_so6);
#endif
#ifdef INET
solock(wg->wg_so4);
wg->wg_so4->so_rcv.sb_flags &= ~SB_UPCALL;
sounlock(wg->wg_so4);
#endif
mutex_enter(wg->wg_intr_lock);
threadpool_cancel_job(wg->wg_threadpool, &wg->wg_job);
mutex_exit(wg->wg_intr_lock);
#ifdef INET6
if (wg->wg_rtable_ipv6 != NULL)
free(wg->wg_rtable_ipv6, M_RTABLE);
soclose(wg->wg_so6);
fail2:
#endif
#ifdef INET
if (wg->wg_rtable_ipv4 != NULL)
free(wg->wg_rtable_ipv4, M_RTABLE);
soclose(wg->wg_so4);
fail1:
#endif
threadpool_put(wg->wg_threadpool, PRI_NONE);
fail0: threadpool_job_destroy(&wg->wg_job);
rw_obj_free(wg->wg_rwlock);
mutex_obj_free(wg->wg_intr_lock);
mutex_obj_free(wg->wg_lock);
thmap_destroy(wg->wg_sessions_byindex);
thmap_destroy(wg->wg_peers_byname);
thmap_destroy(wg->wg_peers_bypubkey);
PSLIST_DESTROY(&wg->wg_peers);
kmem_free(wg, sizeof(*wg));
wg_count_dec();
return error;
}
static int
wg_clone_destroy(struct ifnet *ifp)
{
struct wg_softc *wg = container_of(ifp, struct wg_softc, wg_if);
#ifdef WG_RUMPKERNEL
if (wg_user_mode(wg)) {
rumpuser_wg_destroy(wg->wg_user);
wg->wg_user = NULL;
}
#endif
wg_if_detach(wg);
wg_destroy_all_peers(wg);
#ifdef INET6
solock(wg->wg_so6);
wg->wg_so6->so_rcv.sb_flags &= ~SB_UPCALL;
sounlock(wg->wg_so6);
#endif
#ifdef INET
solock(wg->wg_so4);
wg->wg_so4->so_rcv.sb_flags &= ~SB_UPCALL;
sounlock(wg->wg_so4);
#endif
mutex_enter(wg->wg_intr_lock);
threadpool_cancel_job(wg->wg_threadpool, &wg->wg_job);
mutex_exit(wg->wg_intr_lock);
#ifdef INET6
if (wg->wg_rtable_ipv6 != NULL)
free(wg->wg_rtable_ipv6, M_RTABLE);
soclose(wg->wg_so6);
#endif
#ifdef INET
if (wg->wg_rtable_ipv4 != NULL)
free(wg->wg_rtable_ipv4, M_RTABLE);
soclose(wg->wg_so4);
#endif
threadpool_put(wg->wg_threadpool, PRI_NONE);
threadpool_job_destroy(&wg->wg_job);
rw_obj_free(wg->wg_rwlock);
mutex_obj_free(wg->wg_intr_lock);
mutex_obj_free(wg->wg_lock);
thmap_destroy(wg->wg_sessions_byindex);
thmap_destroy(wg->wg_peers_byname);
thmap_destroy(wg->wg_peers_bypubkey);
PSLIST_DESTROY(&wg->wg_peers);
kmem_free(wg, sizeof(*wg));
wg_count_dec();
return 0;
}
static struct wg_peer *
wg_pick_peer_by_sa(struct wg_softc *wg, const struct sockaddr *sa,
struct psref *psref)
{
struct radix_node_head *rnh;
struct radix_node *rn;
struct wg_peer *wgp = NULL;
struct wg_allowedip *wga;
#ifdef WG_DEBUG_LOG
char addrstr[128];
sockaddr_format(sa, addrstr, sizeof(addrstr));
WG_DLOG("sa=%s\n", addrstr);
#endif
rw_enter(wg->wg_rwlock, RW_READER);
rnh = wg_rnh(wg, sa->sa_family);
if (rnh == NULL)
goto out;
rn = rnh->rnh_matchaddr(sa, rnh);
if (rn == NULL || (rn->rn_flags & RNF_ROOT) != 0)
goto out;
WG_TRACE("success");
wga = container_of(rn, struct wg_allowedip, wga_nodes[0]);
wgp = wga->wga_peer;
wg_get_peer(wgp, psref);
out:
rw_exit(wg->wg_rwlock);
return wgp;
}
static void
wg_fill_msg_data(struct wg_softc *wg, struct wg_peer *wgp,
struct wg_session *wgs, struct wg_msg_data *wgmd)
{
memset(wgmd, 0, sizeof(*wgmd));
wgmd->wgmd_type = htole32(WG_MSG_TYPE_DATA);
wgmd->wgmd_receiver = wgs->wgs_remote_index;
/* [W] 5.4.6: msg.counter := Nm^send */
/* [W] 5.4.6: Nm^send := Nm^send + 1 */
wgmd->wgmd_counter = htole64(wg_session_inc_send_counter(wgs));
WG_DLOG("counter=%"PRIu64"\n", le64toh(wgmd->wgmd_counter));
}
static int
wg_output(struct ifnet *ifp, struct mbuf *m, const struct sockaddr *dst,
const struct rtentry *rt)
{
struct wg_softc *wg = ifp->if_softc;
struct wg_peer *wgp = NULL;
struct wg_session *wgs = NULL;
struct psref wgp_psref, wgs_psref;
int bound;
int error;
bound = curlwp_bind();
/* TODO make the nest limit configurable via sysctl */
error = if_tunnel_check_nesting(ifp, m, 1);
if (error) {
WGLOG(LOG_ERR,
"%s: tunneling loop detected and packet dropped\n",
if_name(&wg->wg_if));
goto out0;
}
#ifdef ALTQ
bool altq = atomic_load_relaxed(&ifp->if_snd.altq_flags)
& ALTQF_ENABLED;
if (altq)
IFQ_CLASSIFY(&ifp->if_snd, m, dst->sa_family);
#endif
bpf_mtap_af(ifp, dst->sa_family, m, BPF_D_OUT);
m->m_flags &= ~(M_BCAST|M_MCAST);
wgp = wg_pick_peer_by_sa(wg, dst, &wgp_psref);
if (wgp == NULL) {
WG_TRACE("peer not found");
error = EHOSTUNREACH;
goto out0;
}
/* Clear checksum-offload flags. */
m->m_pkthdr.csum_flags = 0;
m->m_pkthdr.csum_data = 0;
/* Check whether there's an established session. */
wgs = wg_get_stable_session(wgp, &wgs_psref);
if (wgs == NULL) {
/*
* No established session. If we're the first to try
* sending data, schedule a handshake and queue the
* packet for when the handshake is done; otherwise
* just drop the packet and let the ongoing handshake
* attempt continue. We could queue more data packets
* but it's not clear that's worthwhile.
*/
if (atomic_cas_ptr(&wgp->wgp_pending, NULL, m) == NULL) {
m = NULL; /* consume */
WG_TRACE("queued first packet; init handshake");
wg_schedule_peer_task(wgp, WGP_TASK_SEND_INIT_MESSAGE);
} else {
WG_TRACE("first packet already queued, dropping");
}
goto out1;
}
/* There's an established session. Toss it in the queue. */
#ifdef ALTQ
if (altq) {
mutex_enter(ifp->if_snd.ifq_lock);
if (ALTQ_IS_ENABLED(&ifp->if_snd)) {
M_SETCTX(m, wgp);
ALTQ_ENQUEUE(&ifp->if_snd, m, error);
m = NULL; /* consume */
}
mutex_exit(ifp->if_snd.ifq_lock);
if (m == NULL) {
wg_start(ifp);
goto out2;
}
}
#endif
kpreempt_disable();
const uint32_t h = curcpu()->ci_index; // pktq_rps_hash(m)
M_SETCTX(m, wgp);
if (__predict_false(!pktq_enqueue(wg_pktq, m, h))) {
WGLOG(LOG_ERR, "%s: pktq full, dropping\n",
if_name(&wg->wg_if));
error = ENOBUFS;
goto out3;
}
m = NULL; /* consumed */
error = 0;
out3: kpreempt_enable();
#ifdef ALTQ
out2:
#endif
wg_put_session(wgs, &wgs_psref);
out1: wg_put_peer(wgp, &wgp_psref);
out0: if (m)
m_freem(m);
curlwp_bindx(bound);
return error;
}
static int
wg_send_udp(struct wg_peer *wgp, struct mbuf *m)
{
struct psref psref;
struct wg_sockaddr *wgsa;
int error;
struct socket *so;
wgsa = wg_get_endpoint_sa(wgp, &psref);
so = wg_get_so_by_peer(wgp, wgsa);
solock(so);
if (wgsatosa(wgsa)->sa_family == AF_INET) {
error = udp_send(so, m, wgsatosa(wgsa), NULL, curlwp);
} else {
#ifdef INET6
error = udp6_output(sotoinpcb(so), m, wgsatosin6(wgsa),
NULL, curlwp);
#else
m_freem(m);
error = EPFNOSUPPORT;
#endif
}
sounlock(so);
wg_put_sa(wgp, wgsa, &psref);
return error;
}
/* Inspired by pppoe_get_mbuf */
static struct mbuf *
wg_get_mbuf(size_t leading_len, size_t len)
{
struct mbuf *m;
KASSERT(leading_len <= MCLBYTES);
KASSERT(len <= MCLBYTES - leading_len);
m = m_gethdr(M_DONTWAIT, MT_DATA);
if (m == NULL)
return NULL;
if (len + leading_len > MHLEN) {
m_clget(m, M_DONTWAIT);
if ((m->m_flags & M_EXT) == 0) {
m_free(m);
return NULL;
}
}
m->m_data += leading_len;
m->m_pkthdr.len = m->m_len = len;
return m;
}
static int
wg_send_data_msg(struct wg_peer *wgp, struct wg_session *wgs,
struct mbuf *m)
{
struct wg_softc *wg = wgp->wgp_sc;
int error;
size_t inner_len, padded_len, encrypted_len;
char *padded_buf = NULL;
size_t mlen;
struct wg_msg_data *wgmd;
bool free_padded_buf = false;
struct mbuf *n;
size_t leading_len = max_hdr + sizeof(struct udphdr);
mlen = m_length(m);
inner_len = mlen;
padded_len = roundup(mlen, 16);
encrypted_len = padded_len + WG_AUTHTAG_LEN;
WG_DLOG("inner=%lu, padded=%lu, encrypted_len=%lu\n",
inner_len, padded_len, encrypted_len);
if (mlen != 0) {
bool success;
success = m_ensure_contig(&m, padded_len);
if (success) {
padded_buf = mtod(m, char *);
} else {
padded_buf = kmem_intr_alloc(padded_len, KM_NOSLEEP);
if (padded_buf == NULL) {
error = ENOBUFS;
goto end;
}
free_padded_buf = true;
m_copydata(m, 0, mlen, padded_buf);
}
memset(padded_buf + mlen, 0, padded_len - inner_len);
}
n = wg_get_mbuf(leading_len, sizeof(*wgmd) + encrypted_len);
if (n == NULL) {
error = ENOBUFS;
goto end;
}
KASSERT(n->m_len >= sizeof(*wgmd));
wgmd = mtod(n, struct wg_msg_data *);
wg_fill_msg_data(wg, wgp, wgs, wgmd);
/* [W] 5.4.6: AEAD(Tm^send, Nm^send, P, e) */
wg_algo_aead_enc((char *)wgmd + sizeof(*wgmd), encrypted_len,
wgs->wgs_tkey_send, le64toh(wgmd->wgmd_counter),
padded_buf, padded_len,
NULL, 0);
error = wg->wg_ops->send_data_msg(wgp, n);
if (error == 0) {
struct ifnet *ifp = &wg->wg_if;
if_statadd(ifp, if_obytes, mlen);
if_statinc(ifp, if_opackets);
if (wgs->wgs_is_initiator &&
wgs->wgs_time_last_data_sent == 0) {
/*
* [W] 6.2 Transport Message Limits
* "if a peer is the initiator of a current secure
* session, WireGuard will send a handshake initiation
* message to begin a new secure session if, after
* transmitting a transport data message, the current
* secure session is REKEY-AFTER-TIME seconds old,"
*/
wg_schedule_rekey_timer(wgp);
}
wgs->wgs_time_last_data_sent = time_uptime;
if (wg_session_get_send_counter(wgs) >=
wg_rekey_after_messages) {
/*
* [W] 6.2 Transport Message Limits
* "WireGuard will try to create a new session, by
* sending a handshake initiation message (section
* 5.4.2), after it has sent REKEY-AFTER-MESSAGES
* transport data messages..."
*/
wg_schedule_peer_task(wgp, WGP_TASK_SEND_INIT_MESSAGE);
}
}
end:
m_freem(m);
if (free_padded_buf)
kmem_intr_free(padded_buf, padded_len);
return error;
}
static void
wg_input(struct ifnet *ifp, struct mbuf *m, const int af)
{
pktqueue_t *pktq;
size_t pktlen;
KASSERT(af == AF_INET || af == AF_INET6);
WG_TRACE("");
m_set_rcvif(m, ifp);
pktlen = m->m_pkthdr.len;
bpf_mtap_af(ifp, af, m, BPF_D_IN);
switch (af) {
case AF_INET:
pktq = ip_pktq;
break;
#ifdef INET6
case AF_INET6:
pktq = ip6_pktq;
break;
#endif
default:
panic("invalid af=%d", af);
}
kpreempt_disable();
const u_int h = curcpu()->ci_index;
if (__predict_true(pktq_enqueue(pktq, m, h))) {
if_statadd(ifp, if_ibytes, pktlen);
if_statinc(ifp, if_ipackets);
} else {
m_freem(m);
}
kpreempt_enable();
}
static void
wg_calc_pubkey(uint8_t pubkey[WG_STATIC_KEY_LEN],
const uint8_t privkey[WG_STATIC_KEY_LEN])
{
crypto_scalarmult_base(pubkey, privkey);
}
static int
wg_rtable_add_route(struct wg_softc *wg, struct wg_allowedip *wga)
{
struct radix_node_head *rnh;
struct radix_node *rn;
int error = 0;
rw_enter(wg->wg_rwlock, RW_WRITER);
rnh = wg_rnh(wg, wga->wga_family);
KASSERT(rnh != NULL);
rn = rnh->rnh_addaddr(&wga->wga_sa_addr, &wga->wga_sa_mask, rnh,
wga->wga_nodes);
rw_exit(wg->wg_rwlock);
if (rn == NULL)
error = EEXIST;
return error;
}
static int
wg_handle_prop_peer(struct wg_softc *wg, prop_dictionary_t peer,
struct wg_peer **wgpp)
{
int error = 0;
const void *pubkey;
size_t pubkey_len;
const void *psk;
size_t psk_len;
const char *name = NULL;
if (prop_dictionary_get_string(peer, "name", &name)) {
if (strlen(name) > WG_PEER_NAME_MAXLEN) {
error = EINVAL;
goto out;
}
}
if (!prop_dictionary_get_data(peer, "public_key",
&pubkey, &pubkey_len)) {
error = EINVAL;
goto out;
}
#ifdef WG_DEBUG_DUMP
{
char *hex = gethexdump(pubkey, pubkey_len);
log(LOG_DEBUG, "pubkey=%p, pubkey_len=%lu\n%s\n",
pubkey, pubkey_len, hex);
puthexdump(hex, pubkey, pubkey_len);
}
#endif
struct wg_peer *wgp = wg_alloc_peer(wg);
memcpy(wgp->wgp_pubkey, pubkey, sizeof(wgp->wgp_pubkey));
if (name != NULL)
strncpy(wgp->wgp_name, name, sizeof(wgp->wgp_name));
if (prop_dictionary_get_data(peer, "preshared_key", &psk, &psk_len)) {
if (psk_len != sizeof(wgp->wgp_psk)) {
error = EINVAL;
goto out;
}
memcpy(wgp->wgp_psk, psk, sizeof(wgp->wgp_psk));
}
const void *addr;
size_t addr_len;
struct wg_sockaddr *wgsa = wgp->wgp_endpoint;
if (!prop_dictionary_get_data(peer, "endpoint", &addr, &addr_len))
goto skip_endpoint;
if (addr_len < sizeof(*wgsatosa(wgsa)) ||
addr_len > sizeof(*wgsatoss(wgsa))) {
error = EINVAL;
goto out;
}
memcpy(wgsatoss(wgsa), addr, addr_len);
switch (wgsa_family(wgsa)) {
case AF_INET:
#ifdef INET6
case AF_INET6:
#endif
break;
default:
error = EPFNOSUPPORT;
goto out;
}
if (addr_len != sockaddr_getsize_by_family(wgsa_family(wgsa))) {
error = EINVAL;
goto out;
}
{
char addrstr[128];
sockaddr_format(wgsatosa(wgsa), addrstr, sizeof(addrstr));
WG_DLOG("addr=%s\n", addrstr);
}
wgp->wgp_endpoint_available = true;
prop_array_t allowedips;
skip_endpoint:
allowedips = prop_dictionary_get(peer, "allowedips");
if (allowedips == NULL)
goto skip;
prop_object_iterator_t _it = prop_array_iterator(allowedips);
prop_dictionary_t prop_allowedip;
int j = 0;
while ((prop_allowedip = prop_object_iterator_next(_it)) != NULL) {
struct wg_allowedip *wga = &wgp->wgp_allowedips[j];
if (!prop_dictionary_get_int(prop_allowedip, "family",
&wga->wga_family))
continue;
if (!prop_dictionary_get_data(prop_allowedip, "ip",
&addr, &addr_len))
continue;
if (!prop_dictionary_get_uint8(prop_allowedip, "cidr",
&wga->wga_cidr))
continue;
switch (wga->wga_family) {
case AF_INET: {
struct sockaddr_in sin;
char addrstr[128];
struct in_addr mask;
struct sockaddr_in sin_mask;
if (addr_len != sizeof(struct in_addr))
return EINVAL;
memcpy(&wga->wga_addr4, addr, addr_len);
sockaddr_in_init(&sin, (const struct in_addr *)addr,
0);
sockaddr_copy(&wga->wga_sa_addr,
sizeof(sin), sintosa(&sin));
sockaddr_format(sintosa(&sin),
addrstr, sizeof(addrstr));
WG_DLOG("addr=%s/%d\n", addrstr, wga->wga_cidr);
in_len2mask(&mask, wga->wga_cidr);
sockaddr_in_init(&sin_mask, &mask, 0);
sockaddr_copy(&wga->wga_sa_mask,
sizeof(sin_mask), sintosa(&sin_mask));
break;
}
#ifdef INET6
case AF_INET6: {
struct sockaddr_in6 sin6;
char addrstr[128];
struct in6_addr mask;
struct sockaddr_in6 sin6_mask;
if (addr_len != sizeof(struct in6_addr))
return EINVAL;
memcpy(&wga->wga_addr6, addr, addr_len);
sockaddr_in6_init(&sin6, (const struct in6_addr *)addr,
0, 0, 0);
sockaddr_copy(&wga->wga_sa_addr,
sizeof(sin6), sin6tosa(&sin6));
sockaddr_format(sin6tosa(&sin6),
addrstr, sizeof(addrstr));
WG_DLOG("addr=%s/%d\n", addrstr, wga->wga_cidr);
in6_prefixlen2mask(&mask, wga->wga_cidr);
sockaddr_in6_init(&sin6_mask, &mask, 0, 0, 0);
sockaddr_copy(&wga->wga_sa_mask,
sizeof(sin6_mask), sin6tosa(&sin6_mask));
break;
}
#endif
default:
error = EINVAL;
goto out;
}
wga->wga_peer = wgp;
error = wg_rtable_add_route(wg, wga);
if (error != 0)
goto out;
j++;
}
wgp->wgp_n_allowedips = j;
skip:
*wgpp = wgp;
out:
return error;
}
static int
wg_alloc_prop_buf(char **_buf, struct ifdrv *ifd)
{
int error;
char *buf;
WG_DLOG("buf=%p, len=%lu\n", ifd->ifd_data, ifd->ifd_len);
if (ifd->ifd_len >= WG_MAX_PROPLEN)
return E2BIG;
buf = kmem_alloc(ifd->ifd_len + 1, KM_SLEEP);
error = copyin(ifd->ifd_data, buf, ifd->ifd_len);
if (error != 0)
return error;
buf[ifd->ifd_len] = '\0';
#ifdef WG_DEBUG_DUMP
log(LOG_DEBUG, "%.*s\n",
(int)MIN(INT_MAX, ifd->ifd_len),
(const char *)buf);
#endif
*_buf = buf;
return 0;
}
static int
wg_ioctl_set_private_key(struct wg_softc *wg, struct ifdrv *ifd)
{
int error;
prop_dictionary_t prop_dict;
char *buf = NULL;
const void *privkey;
size_t privkey_len;
error = wg_alloc_prop_buf(&buf, ifd);
if (error != 0)
return error;
error = EINVAL;
prop_dict = prop_dictionary_internalize(buf);
if (prop_dict == NULL)
goto out;
if (!prop_dictionary_get_data(prop_dict, "private_key",
&privkey, &privkey_len))
goto out;
#ifdef WG_DEBUG_DUMP
{
char *hex = gethexdump(privkey, privkey_len);
log(LOG_DEBUG, "privkey=%p, privkey_len=%lu\n%s\n",
privkey, privkey_len, hex);
puthexdump(hex, privkey, privkey_len);
}
#endif
if (privkey_len != WG_STATIC_KEY_LEN)
goto out;
memcpy(wg->wg_privkey, privkey, WG_STATIC_KEY_LEN);
wg_calc_pubkey(wg->wg_pubkey, wg->wg_privkey);
error = 0;
out:
kmem_free(buf, ifd->ifd_len + 1);
return error;
}
static int
wg_ioctl_set_listen_port(struct wg_softc *wg, struct ifdrv *ifd)
{
int error;
prop_dictionary_t prop_dict;
char *buf = NULL;
uint16_t port;
error = wg_alloc_prop_buf(&buf, ifd);
if (error != 0)
return error;
error = EINVAL;
prop_dict = prop_dictionary_internalize(buf);
if (prop_dict == NULL)
goto out;
if (!prop_dictionary_get_uint16(prop_dict, "listen_port", &port))
goto out;
error = wg->wg_ops->bind_port(wg, (uint16_t)port);
out:
kmem_free(buf, ifd->ifd_len + 1);
return error;
}
static int
wg_ioctl_add_peer(struct wg_softc *wg, struct ifdrv *ifd)
{
int error;
prop_dictionary_t prop_dict;
char *buf = NULL;
struct wg_peer *wgp = NULL, *wgp0 __diagused;
error = wg_alloc_prop_buf(&buf, ifd);
if (error != 0)
return error;
error = EINVAL;
prop_dict = prop_dictionary_internalize(buf);
if (prop_dict == NULL)
goto out;
error = wg_handle_prop_peer(wg, prop_dict, &wgp);
if (error != 0)
goto out;
mutex_enter(wg->wg_lock);
if (thmap_get(wg->wg_peers_bypubkey, wgp->wgp_pubkey,
sizeof(wgp->wgp_pubkey)) != NULL ||
(wgp->wgp_name[0] &&
thmap_get(wg->wg_peers_byname, wgp->wgp_name,
strlen(wgp->wgp_name)) != NULL)) {
mutex_exit(wg->wg_lock);
wg_destroy_peer(wgp);
error = EEXIST;
goto out;
}
wgp0 = thmap_put(wg->wg_peers_bypubkey, wgp->wgp_pubkey,
sizeof(wgp->wgp_pubkey), wgp);
KASSERT(wgp0 == wgp);
if (wgp->wgp_name[0]) {
wgp0 = thmap_put(wg->wg_peers_byname, wgp->wgp_name,
strlen(wgp->wgp_name), wgp);
KASSERT(wgp0 == wgp);
}
WG_PEER_WRITER_INSERT_HEAD(wgp, wg);
wg->wg_npeers++;
mutex_exit(wg->wg_lock);
if_link_state_change(&wg->wg_if, LINK_STATE_UP);
out:
kmem_free(buf, ifd->ifd_len + 1);
return error;
}
static int
wg_ioctl_delete_peer(struct wg_softc *wg, struct ifdrv *ifd)
{
int error;
prop_dictionary_t prop_dict;
char *buf = NULL;
const char *name;
error = wg_alloc_prop_buf(&buf, ifd);
if (error != 0)
return error;
error = EINVAL;
prop_dict = prop_dictionary_internalize(buf);
if (prop_dict == NULL)
goto out;
if (!prop_dictionary_get_string(prop_dict, "name", &name))
goto out;
if (strlen(name) > WG_PEER_NAME_MAXLEN)
goto out;
error = wg_destroy_peer_name(wg, name);
out:
kmem_free(buf, ifd->ifd_len + 1);
return error;
}
static bool
wg_is_authorized(struct wg_softc *wg, u_long cmd)
{
int au = cmd == SIOCGDRVSPEC ?
KAUTH_REQ_NETWORK_INTERFACE_WG_GETPRIV :
KAUTH_REQ_NETWORK_INTERFACE_WG_SETPRIV;
return kauth_authorize_network(kauth_cred_get(),
KAUTH_NETWORK_INTERFACE_WG, au, &wg->wg_if,
(void *)cmd, NULL) == 0;
}
static int
wg_ioctl_get(struct wg_softc *wg, struct ifdrv *ifd)
{
int error = ENOMEM;
prop_dictionary_t prop_dict;
prop_array_t peers = NULL;
char *buf;
struct wg_peer *wgp;
int s, i;
prop_dict = prop_dictionary_create();
if (prop_dict == NULL)
goto error;
if (wg_is_authorized(wg, SIOCGDRVSPEC)) {
if (!prop_dictionary_set_data(prop_dict, "private_key",
wg->wg_privkey, WG_STATIC_KEY_LEN))
goto error;
}
if (wg->wg_listen_port != 0) {
if (!prop_dictionary_set_uint16(prop_dict, "listen_port",
wg->wg_listen_port))
goto error;
}
if (wg->wg_npeers == 0)
goto skip_peers;
peers = prop_array_create();
if (peers == NULL)
goto error;
s = pserialize_read_enter();
i = 0;
WG_PEER_READER_FOREACH(wgp, wg) {
struct wg_sockaddr *wgsa;
struct psref wgp_psref, wgsa_psref;
prop_dictionary_t prop_peer;
wg_get_peer(wgp, &wgp_psref);
pserialize_read_exit(s);
prop_peer = prop_dictionary_create();
if (prop_peer == NULL)
goto next;
if (strlen(wgp->wgp_name) > 0) {
if (!prop_dictionary_set_string(prop_peer, "name",
wgp->wgp_name))
goto next;
}
if (!prop_dictionary_set_data(prop_peer, "public_key",
wgp->wgp_pubkey, sizeof(wgp->wgp_pubkey)))
goto next;
uint8_t psk_zero[WG_PRESHARED_KEY_LEN] = {0};
if (!consttime_memequal(wgp->wgp_psk, psk_zero,
sizeof(wgp->wgp_psk))) {
if (wg_is_authorized(wg, SIOCGDRVSPEC)) {
if (!prop_dictionary_set_data(prop_peer,
"preshared_key",
wgp->wgp_psk, sizeof(wgp->wgp_psk)))
goto next;
}
}
wgsa = wg_get_endpoint_sa(wgp, &wgsa_psref);
CTASSERT(AF_UNSPEC == 0);
if (wgsa_family(wgsa) != 0 /*AF_UNSPEC*/ &&
!prop_dictionary_set_data(prop_peer, "endpoint",
wgsatoss(wgsa),
sockaddr_getsize_by_family(wgsa_family(wgsa)))) {
wg_put_sa(wgp, wgsa, &wgsa_psref);
goto next;
}
wg_put_sa(wgp, wgsa, &wgsa_psref);
const struct timespec *t = &wgp->wgp_last_handshake_time;
if (!prop_dictionary_set_uint64(prop_peer,
"last_handshake_time_sec", (uint64_t)t->tv_sec))
goto next;
if (!prop_dictionary_set_uint32(prop_peer,
"last_handshake_time_nsec", (uint32_t)t->tv_nsec))
goto next;
if (wgp->wgp_n_allowedips == 0)
goto skip_allowedips;
prop_array_t allowedips = prop_array_create();
if (allowedips == NULL)
goto next;
for (int j = 0; j < wgp->wgp_n_allowedips; j++) {
struct wg_allowedip *wga = &wgp->wgp_allowedips[j];
prop_dictionary_t prop_allowedip;
prop_allowedip = prop_dictionary_create();
if (prop_allowedip == NULL)
break;
if (!prop_dictionary_set_int(prop_allowedip, "family",
wga->wga_family))
goto _next;
if (!prop_dictionary_set_uint8(prop_allowedip, "cidr",
wga->wga_cidr))
goto _next;
switch (wga->wga_family) {
case AF_INET:
if (!prop_dictionary_set_data(prop_allowedip,
"ip", &wga->wga_addr4,
sizeof(wga->wga_addr4)))
goto _next;
break;
#ifdef INET6
case AF_INET6:
if (!prop_dictionary_set_data(prop_allowedip,
"ip", &wga->wga_addr6,
sizeof(wga->wga_addr6)))
goto _next;
break;
#endif
default:
break;
}
prop_array_set(allowedips, j, prop_allowedip);
_next:
prop_object_release(prop_allowedip);
}
prop_dictionary_set(prop_peer, "allowedips", allowedips);
prop_object_release(allowedips);
skip_allowedips:
prop_array_set(peers, i, prop_peer);
next:
if (prop_peer)
prop_object_release(prop_peer);
i++;
s = pserialize_read_enter();
wg_put_peer(wgp, &wgp_psref);
}
pserialize_read_exit(s);
prop_dictionary_set(prop_dict, "peers", peers);
prop_object_release(peers);
peers = NULL;
skip_peers:
buf = prop_dictionary_externalize(prop_dict);
if (buf == NULL)
goto error;
if (ifd->ifd_len < (strlen(buf) + 1)) {
error = EINVAL;
goto error;
}
error = copyout(buf, ifd->ifd_data, strlen(buf) + 1);
free(buf, 0);
error:
if (peers != NULL)
prop_object_release(peers);
if (prop_dict != NULL)
prop_object_release(prop_dict);
return error;
}
static int
wg_ioctl(struct ifnet *ifp, u_long cmd, void *data)
{
struct wg_softc *wg = ifp->if_softc;
struct ifreq *ifr = data;
struct ifaddr *ifa = data;
struct ifdrv *ifd = data;
int error = 0;
switch (cmd) {
case SIOCINITIFADDR:
if (ifa->ifa_addr->sa_family != AF_LINK &&
(ifp->if_flags & (IFF_UP | IFF_RUNNING)) !=
(IFF_UP | IFF_RUNNING)) {
ifp->if_flags |= IFF_UP;
error = if_init(ifp);
}
return error;
case SIOCADDMULTI:
case SIOCDELMULTI:
switch (ifr->ifr_addr.sa_family) {
case AF_INET: /* IP supports Multicast */
break;
#ifdef INET6
case AF_INET6: /* IP6 supports Multicast */
break;
#endif
default: /* Other protocols doesn't support Multicast */
error = EAFNOSUPPORT;
break;
}
return error;
case SIOCSDRVSPEC:
if (!wg_is_authorized(wg, cmd)) {
return EPERM;
}
switch (ifd->ifd_cmd) {
case WG_IOCTL_SET_PRIVATE_KEY:
error = wg_ioctl_set_private_key(wg, ifd);
break;
case WG_IOCTL_SET_LISTEN_PORT:
error = wg_ioctl_set_listen_port(wg, ifd);
break;
case WG_IOCTL_ADD_PEER:
error = wg_ioctl_add_peer(wg, ifd);
break;
case WG_IOCTL_DELETE_PEER:
error = wg_ioctl_delete_peer(wg, ifd);
break;
default:
error = EINVAL;
break;
}
return error;
case SIOCGDRVSPEC:
return wg_ioctl_get(wg, ifd);
case SIOCSIFFLAGS:
if ((error = ifioctl_common(ifp, cmd, data)) != 0)
break;
switch (ifp->if_flags & (IFF_UP|IFF_RUNNING)) {
case IFF_RUNNING:
/*
* If interface is marked down and it is running,
* then stop and disable it.
*/
if_stop(ifp, 1);
break;
case IFF_UP:
/*
* If interface is marked up and it is stopped, then
* start it.
*/
error = if_init(ifp);
break;
default:
break;
}
return error;
#ifdef WG_RUMPKERNEL
case SIOCSLINKSTR:
error = wg_ioctl_linkstr(wg, ifd);
if (error == 0)
wg->wg_ops = &wg_ops_rumpuser;
return error;
#endif
default:
break;
}
error = ifioctl_common(ifp, cmd, data);
#ifdef WG_RUMPKERNEL
if (!wg_user_mode(wg))
return error;
/* Do the same to the corresponding tun device on the host */
/*
* XXX Actually the command has not been handled yet. It
* will be handled via pr_ioctl form doifioctl later.
*/
switch (cmd) {
case SIOCAIFADDR:
case SIOCDIFADDR: {
struct in_aliasreq _ifra = *(const struct in_aliasreq *)data;
struct in_aliasreq *ifra = &_ifra;
KASSERT(error == ENOTTY);
strncpy(ifra->ifra_name, rumpuser_wg_get_tunname(wg->wg_user),
IFNAMSIZ);
error = rumpuser_wg_ioctl(wg->wg_user, cmd, ifra, AF_INET);
if (error == 0)
error = ENOTTY;
break;
}
#ifdef INET6
case SIOCAIFADDR_IN6:
case SIOCDIFADDR_IN6: {
struct in6_aliasreq _ifra = *(const struct in6_aliasreq *)data;
struct in6_aliasreq *ifra = &_ifra;
KASSERT(error == ENOTTY);
strncpy(ifra->ifra_name, rumpuser_wg_get_tunname(wg->wg_user),
IFNAMSIZ);
error = rumpuser_wg_ioctl(wg->wg_user, cmd, ifra, AF_INET6);
if (error == 0)
error = ENOTTY;
break;
}
#endif
}
#endif /* WG_RUMPKERNEL */
return error;
}
static int
wg_init(struct ifnet *ifp)
{
ifp->if_flags |= IFF_RUNNING;
/* TODO flush pending packets. */
return 0;
}
#ifdef ALTQ
static void
wg_start(struct ifnet *ifp)
{
struct mbuf *m;
for (;;) {
IFQ_DEQUEUE(&ifp->if_snd, m);
if (m == NULL)
break;
kpreempt_disable();
const uint32_t h = curcpu()->ci_index; // pktq_rps_hash(m)
if (__predict_false(!pktq_enqueue(wg_pktq, m, h))) {
WGLOG(LOG_ERR, "%s: pktq full, dropping\n",
if_name(ifp));
m_freem(m);
}
kpreempt_enable();
}
}
#endif
static void
wg_stop(struct ifnet *ifp, int disable)
{
KASSERT((ifp->if_flags & IFF_RUNNING) != 0);
ifp->if_flags &= ~IFF_RUNNING;
/* Need to do something? */
}
#ifdef WG_DEBUG_PARAMS
SYSCTL_SETUP(sysctl_net_wg_setup, "sysctl net.wg setup")
{
const struct sysctlnode *node = NULL;
sysctl_createv(clog, 0, NULL, &node,
CTLFLAG_PERMANENT,
CTLTYPE_NODE, "wg",
SYSCTL_DESCR("wg(4)"),
NULL, 0, NULL, 0,
CTL_NET, CTL_CREATE, CTL_EOL);
sysctl_createv(clog, 0, &node, NULL,
CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
CTLTYPE_QUAD, "rekey_after_messages",
SYSCTL_DESCR("session liftime by messages"),
NULL, 0, &wg_rekey_after_messages, 0, CTL_CREATE, CTL_EOL);
sysctl_createv(clog, 0, &node, NULL,
CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
CTLTYPE_INT, "rekey_after_time",
SYSCTL_DESCR("session liftime"),
NULL, 0, &wg_rekey_after_time, 0, CTL_CREATE, CTL_EOL);
sysctl_createv(clog, 0, &node, NULL,
CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
CTLTYPE_INT, "rekey_timeout",
SYSCTL_DESCR("session handshake retry time"),
NULL, 0, &wg_rekey_timeout, 0, CTL_CREATE, CTL_EOL);
sysctl_createv(clog, 0, &node, NULL,
CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
CTLTYPE_INT, "rekey_attempt_time",
SYSCTL_DESCR("session handshake timeout"),
NULL, 0, &wg_rekey_attempt_time, 0, CTL_CREATE, CTL_EOL);
sysctl_createv(clog, 0, &node, NULL,
CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
CTLTYPE_INT, "keepalive_timeout",
SYSCTL_DESCR("keepalive timeout"),
NULL, 0, &wg_keepalive_timeout, 0, CTL_CREATE, CTL_EOL);
sysctl_createv(clog, 0, &node, NULL,
CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
CTLTYPE_BOOL, "force_underload",
SYSCTL_DESCR("force to detemine under load"),
NULL, 0, &wg_force_underload, 0, CTL_CREATE, CTL_EOL);
}
#endif
#ifdef WG_RUMPKERNEL
static bool
wg_user_mode(struct wg_softc *wg)
{
return wg->wg_user != NULL;
}
static int
wg_ioctl_linkstr(struct wg_softc *wg, struct ifdrv *ifd)
{
struct ifnet *ifp = &wg->wg_if;
int error;
if (ifp->if_flags & IFF_UP)
return EBUSY;
if (ifd->ifd_cmd == IFLINKSTR_UNSET) {
/* XXX do nothing */
return 0;
} else if (ifd->ifd_cmd != 0) {
return EINVAL;
} else if (wg->wg_user != NULL) {
return EBUSY;
}
/* Assume \0 included */
if (ifd->ifd_len > IFNAMSIZ) {
return E2BIG;
} else if (ifd->ifd_len < 1) {
return EINVAL;
}
char tun_name[IFNAMSIZ];
error = copyinstr(ifd->ifd_data, tun_name, ifd->ifd_len, NULL);
if (error != 0)
return error;
if (strncmp(tun_name, "tun", 3) != 0)
return EINVAL;
error = rumpuser_wg_create(tun_name, wg, &wg->wg_user);
return error;
}
static int
wg_send_user(struct wg_peer *wgp, struct mbuf *m)
{
int error;
struct psref psref;
struct wg_sockaddr *wgsa;
struct wg_softc *wg = wgp->wgp_sc;
struct iovec iov[1];
wgsa = wg_get_endpoint_sa(wgp, &psref);
iov[0].iov_base = mtod(m, void *);
iov[0].iov_len = m->m_len;
/* Send messages to a peer via an ordinary socket. */
error = rumpuser_wg_send_peer(wg->wg_user, wgsatosa(wgsa), iov, 1);
wg_put_sa(wgp, wgsa, &psref);
m_freem(m);
return error;
}
static void
wg_input_user(struct ifnet *ifp, struct mbuf *m, const int af)
{
struct wg_softc *wg = ifp->if_softc;
struct iovec iov[2];
struct sockaddr_storage ss;
KASSERT(af == AF_INET || af == AF_INET6);
WG_TRACE("");
if (af == AF_INET) {
struct sockaddr_in *sin = (struct sockaddr_in *)&ss;
struct ip *ip;
KASSERT(m->m_len >= sizeof(struct ip));
ip = mtod(m, struct ip *);
sockaddr_in_init(sin, &ip->ip_dst, 0);
} else {
struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)&ss;
struct ip6_hdr *ip6;
KASSERT(m->m_len >= sizeof(struct ip6_hdr));
ip6 = mtod(m, struct ip6_hdr *);
sockaddr_in6_init(sin6, &ip6->ip6_dst, 0, 0, 0);
}
iov[0].iov_base = &ss;
iov[0].iov_len = ss.ss_len;
iov[1].iov_base = mtod(m, void *);
iov[1].iov_len = m->m_len;
WG_DUMP_BUF(iov[1].iov_base, iov[1].iov_len);
/* Send decrypted packets to users via a tun. */
rumpuser_wg_send_user(wg->wg_user, iov, 2);
m_freem(m);
}
static int
wg_bind_port_user(struct wg_softc *wg, const uint16_t port)
{
int error;
uint16_t old_port = wg->wg_listen_port;
if (port != 0 && old_port == port)
return 0;
error = rumpuser_wg_sock_bind(wg->wg_user, port);
if (error == 0)
wg->wg_listen_port = port;
return error;
}
/*
* Receive user packets.
*/
void
rumpkern_wg_recv_user(struct wg_softc *wg, struct iovec *iov, size_t iovlen)
{
struct ifnet *ifp = &wg->wg_if;
struct mbuf *m;
const struct sockaddr *dst;
WG_TRACE("");
dst = iov[0].iov_base;
m = m_gethdr(M_DONTWAIT, MT_DATA);
if (m == NULL)
return;
m->m_len = m->m_pkthdr.len = 0;
m_copyback(m, 0, iov[1].iov_len, iov[1].iov_base);
WG_DLOG("iov_len=%lu\n", iov[1].iov_len);
WG_DUMP_BUF(iov[1].iov_base, iov[1].iov_len);
(void)wg_output(ifp, m, dst, NULL);
}
/*
* Receive packets from a peer.
*/
void
rumpkern_wg_recv_peer(struct wg_softc *wg, struct iovec *iov, size_t iovlen)
{
struct mbuf *m;
const struct sockaddr *src;
WG_TRACE("");
src = iov[0].iov_base;
m = m_gethdr(M_DONTWAIT, MT_DATA);
if (m == NULL)
return;
m->m_len = m->m_pkthdr.len = 0;
m_copyback(m, 0, iov[1].iov_len, iov[1].iov_base);
WG_DLOG("iov_len=%lu\n", iov[1].iov_len);
WG_DUMP_BUF(iov[1].iov_base, iov[1].iov_len);
wg_handle_packet(wg, m, src);
}
#endif /* WG_RUMPKERNEL */
/*
* Module infrastructure
*/
#include "if_module.h"
IF_MODULE(MODULE_CLASS_DRIVER, wg, "sodium,blake2s")