1 /* $NetBSD: if_wg.c,v 1.135 2024/12/27 16:42:28 riastradh Exp $ */ 2 3 /* 4 * Copyright (C) Ryota Ozaki <ozaki.ryota@gmail.com> 5 * All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 2. Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer in the 14 * documentation and/or other materials provided with the distribution. 15 * 3. Neither the name of the project nor the names of its contributors 16 * may be used to endorse or promote products derived from this software 17 * without specific prior written permission. 18 * 19 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND 20 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 21 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 22 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE 23 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 24 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 25 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 26 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 27 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 28 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 29 * SUCH DAMAGE. 30 */ 31 32 /* 33 * This network interface aims to implement the WireGuard protocol. 34 * The implementation is based on the paper of WireGuard as of 35 * 2018-06-30 [1]. The paper is referred in the source code with label 36 * [W]. Also the specification of the Noise protocol framework as of 37 * 2018-07-11 [2] is referred with label [N]. 38 * 39 * [1] https://www.wireguard.com/papers/wireguard.pdf 40 * https://web.archive.org/web/20180805103233/https://www.wireguard.com/papers/wireguard.pdf 41 * [2] http://noiseprotocol.org/noise.pdf 42 * https://web.archive.org/web/20180727193154/https://noiseprotocol.org/noise.pdf 43 */ 44 45 #include <sys/cdefs.h> 46 __KERNEL_RCSID(0, "$NetBSD: if_wg.c,v 1.135 2024/12/27 16:42:28 riastradh Exp $"); 47 48 #ifdef _KERNEL_OPT 49 #include "opt_altq_enabled.h" 50 #include "opt_inet.h" 51 #endif 52 53 #include <sys/param.h> 54 #include <sys/types.h> 55 56 #include <sys/atomic.h> 57 #include <sys/callout.h> 58 #include <sys/cprng.h> 59 #include <sys/cpu.h> 60 #include <sys/device.h> 61 #include <sys/domain.h> 62 #include <sys/errno.h> 63 #include <sys/intr.h> 64 #include <sys/ioctl.h> 65 #include <sys/kernel.h> 66 #include <sys/kmem.h> 67 #include <sys/mbuf.h> 68 #include <sys/module.h> 69 #include <sys/mutex.h> 70 #include <sys/once.h> 71 #include <sys/percpu.h> 72 #include <sys/pserialize.h> 73 #include <sys/psref.h> 74 #include <sys/queue.h> 75 #include <sys/rwlock.h> 76 #include <sys/socket.h> 77 #include <sys/socketvar.h> 78 #include <sys/sockio.h> 79 #include <sys/sysctl.h> 80 #include <sys/syslog.h> 81 #include <sys/systm.h> 82 #include <sys/thmap.h> 83 #include <sys/threadpool.h> 84 #include <sys/time.h> 85 #include <sys/timespec.h> 86 #include <sys/workqueue.h> 87 88 #include <lib/libkern/libkern.h> 89 90 #include <net/bpf.h> 91 #include <net/if.h> 92 #include <net/if_types.h> 93 #include <net/if_wg.h> 94 #include <net/pktqueue.h> 95 #include <net/route.h> 96 97 #ifdef INET 98 #include <netinet/in.h> 99 #include <netinet/in_pcb.h> 100 #include <netinet/in_var.h> 101 #include <netinet/ip.h> 102 #include <netinet/ip_var.h> 103 #include <netinet/udp.h> 104 #include <netinet/udp_var.h> 105 #endif /* INET */ 106 107 #ifdef INET6 108 #include <netinet/ip6.h> 109 #include <netinet6/in6_pcb.h> 110 #include <netinet6/in6_var.h> 111 #include <netinet6/ip6_var.h> 112 #include <netinet6/udp6_var.h> 113 #endif /* INET6 */ 114 115 #include <prop/proplib.h> 116 117 #include <crypto/blake2/blake2s.h> 118 #include <crypto/sodium/crypto_aead_chacha20poly1305.h> 119 #include <crypto/sodium/crypto_aead_xchacha20poly1305.h> 120 #include <crypto/sodium/crypto_scalarmult.h> 121 122 #include "ioconf.h" 123 124 #ifdef WG_RUMPKERNEL 125 #include "wg_user.h" 126 #endif 127 128 #ifndef time_uptime32 129 #define time_uptime32 ((uint32_t)time_uptime) 130 #endif 131 132 /* 133 * Data structures 134 * - struct wg_softc is an instance of wg interfaces 135 * - It has a list of peers (struct wg_peer) 136 * - It has a threadpool job that sends/receives handshake messages and 137 * runs event handlers 138 * - It has its own two routing tables: one is for IPv4 and the other IPv6 139 * - struct wg_peer is a representative of a peer 140 * - It has a struct work to handle handshakes and timer tasks 141 * - It has a pair of session instances (struct wg_session) 142 * - It has a pair of endpoint instances (struct wg_sockaddr) 143 * - Normally one endpoint is used and the second one is used only on 144 * a peer migration (a change of peer's IP address) 145 * - It has a list of IP addresses and sub networks called allowedips 146 * (struct wg_allowedip) 147 * - A packets sent over a session is allowed if its destination matches 148 * any IP addresses or sub networks of the list 149 * - struct wg_session represents a session of a secure tunnel with a peer 150 * - Two instances of sessions belong to a peer; a stable session and a 151 * unstable session 152 * - A handshake process of a session always starts with a unstable instance 153 * - Once a session is established, its instance becomes stable and the 154 * other becomes unstable instead 155 * - Data messages are always sent via a stable session 156 * 157 * Locking notes: 158 * - Each wg has a mutex(9) wg_lock, and a rwlock(9) wg_rwlock 159 * - Changes to the peer list are serialized by wg_lock 160 * - The peer list may be read with pserialize(9) and psref(9) 161 * - The rwlock (wg_rwlock) protects the routing tables (wg_rtable_ipv[46]) 162 * => XXX replace by pserialize when routing table is psz-safe 163 * - Each peer (struct wg_peer, wgp) has a mutex wgp_lock, which can be taken 164 * only in thread context and serializes: 165 * - the stable and unstable session pointers 166 * - all unstable session state 167 * - Packet processing may be done in softint context: 168 * - The stable session can be read under pserialize(9) or psref(9) 169 * - The stable session is always ESTABLISHED 170 * - On a session swap, we must wait for all readers to release a 171 * reference to a stable session before changing wgs_state and 172 * session states 173 * - Lock order: wg_lock -> wgp_lock 174 */ 175 176 177 #define WGLOG(level, fmt, args...) \ 178 log(level, "%s: " fmt, __func__, ##args) 179 180 #define WG_DEBUG 181 182 /* Debug options */ 183 #ifdef WG_DEBUG 184 /* Output debug logs */ 185 #ifndef WG_DEBUG_LOG 186 #define WG_DEBUG_LOG 187 #endif 188 /* Output trace logs */ 189 #ifndef WG_DEBUG_TRACE 190 #define WG_DEBUG_TRACE 191 #endif 192 /* Output hash values, etc. */ 193 #ifndef WG_DEBUG_DUMP 194 #define WG_DEBUG_DUMP 195 #endif 196 /* Make some internal parameters configurable for testing and debugging */ 197 #ifndef WG_DEBUG_PARAMS 198 #define WG_DEBUG_PARAMS 199 #endif 200 #endif /* WG_DEBUG */ 201 202 #ifndef WG_DEBUG 203 # if defined(WG_DEBUG_LOG) || defined(WG_DEBUG_TRACE) || \ 204 defined(WG_DEBUG_DUMP) || defined(WG_DEBUG_PARAMS) 205 # define WG_DEBUG 206 # endif 207 #endif 208 209 #ifdef WG_DEBUG 210 int wg_debug; 211 #define WG_DEBUG_FLAGS_LOG 1 212 #define WG_DEBUG_FLAGS_TRACE 2 213 #define WG_DEBUG_FLAGS_DUMP 4 214 #endif 215 216 #ifdef WG_DEBUG_TRACE 217 #define WG_TRACE(msg) do { \ 218 if (wg_debug & WG_DEBUG_FLAGS_TRACE) \ 219 log(LOG_DEBUG, "%s:%d: %s\n", __func__, __LINE__, (msg)); \ 220 } while (0) 221 #else 222 #define WG_TRACE(msg) __nothing 223 #endif 224 225 #ifdef WG_DEBUG_LOG 226 #define WG_DLOG(fmt, args...) do { \ 227 if (wg_debug & WG_DEBUG_FLAGS_LOG) \ 228 log(LOG_DEBUG, "%s: " fmt, __func__, ##args); \ 229 } while (0) 230 #else 231 #define WG_DLOG(fmt, args...) __nothing 232 #endif 233 234 #define WG_LOG_RATECHECK(wgprc, level, fmt, args...) do { \ 235 if (ppsratecheck(&(wgprc)->wgprc_lasttime, \ 236 &(wgprc)->wgprc_curpps, 1)) { \ 237 log(level, fmt, ##args); \ 238 } \ 239 } while (0) 240 241 #ifdef WG_DEBUG_PARAMS 242 static bool wg_force_underload = false; 243 #endif 244 245 #ifdef WG_DEBUG_DUMP 246 247 static char enomem[10] = "[enomem]"; 248 249 #define MAX_HDUMP_LEN 10000 /* large enough */ 250 251 /* 252 * gethexdump(p, n) 253 * 254 * Allocate a string returning a hexdump of bytes p[0..n), 255 * truncated to MAX_HDUMP_LEN. Must be freed with puthexdump. 256 * 257 * We use this instead of libkern hexdump() because the result is 258 * logged with log(LOG_DEBUG, ...), which puts a priority tag on 259 * every message, so it can't be done incrementally. 260 */ 261 static char * 262 gethexdump(const void *vp, size_t n) 263 { 264 char *buf; 265 const uint8_t *p = vp; 266 size_t i, alloc; 267 268 alloc = n; 269 if (n > MAX_HDUMP_LEN) 270 alloc = MAX_HDUMP_LEN; 271 buf = kmem_alloc(3*alloc + 5, KM_NOSLEEP); 272 if (buf == NULL) 273 return enomem; 274 for (i = 0; i < alloc; i++) 275 snprintf(buf + 3*i, 3 + 1, " %02hhx", p[i]); 276 if (alloc != n) 277 snprintf(buf + 3*i, 4 + 1, " ..."); 278 return buf; 279 } 280 281 static void 282 puthexdump(char *buf, const void *p, size_t n) 283 { 284 285 if (buf == NULL || buf == enomem) 286 return; 287 if (n > MAX_HDUMP_LEN) 288 n = MAX_HDUMP_LEN; 289 kmem_free(buf, 3*n + 5); 290 } 291 292 #ifdef WG_RUMPKERNEL 293 static void 294 wg_dump_buf(const char *func, const char *buf, const size_t size) 295 { 296 if ((wg_debug & WG_DEBUG_FLAGS_DUMP) == 0) 297 return; 298 299 char *hex = gethexdump(buf, size); 300 301 log(LOG_DEBUG, "%s: %s\n", func, hex); 302 puthexdump(hex, buf, size); 303 } 304 #endif 305 306 static void 307 wg_dump_hash(const uint8_t *func, const uint8_t *name, const uint8_t *hash, 308 const size_t size) 309 { 310 if ((wg_debug & WG_DEBUG_FLAGS_DUMP) == 0) 311 return; 312 313 char *hex = gethexdump(hash, size); 314 315 log(LOG_DEBUG, "%s: %s: %s\n", func, name, hex); 316 puthexdump(hex, hash, size); 317 } 318 319 #define WG_DUMP_HASH(name, hash) \ 320 wg_dump_hash(__func__, name, hash, WG_HASH_LEN) 321 #define WG_DUMP_HASH48(name, hash) \ 322 wg_dump_hash(__func__, name, hash, 48) 323 #define WG_DUMP_BUF(buf, size) \ 324 wg_dump_buf(__func__, buf, size) 325 #else 326 #define WG_DUMP_HASH(name, hash) __nothing 327 #define WG_DUMP_HASH48(name, hash) __nothing 328 #define WG_DUMP_BUF(buf, size) __nothing 329 #endif /* WG_DEBUG_DUMP */ 330 331 /* chosen somewhat arbitrarily -- fits in signed 16 bits NUL-terminated */ 332 #define WG_MAX_PROPLEN 32766 333 334 #define WG_MTU 1420 335 #define WG_ALLOWEDIPS 16 336 337 #define CURVE25519_KEY_LEN 32 338 #define TAI64N_LEN (sizeof(uint32_t) * 3) 339 #define POLY1305_AUTHTAG_LEN 16 340 #define HMAC_BLOCK_LEN 64 341 342 /* [N] 4.1: "DHLEN must be 32 or greater." WireGuard chooses 32. */ 343 /* [N] 4.3: Hash functions */ 344 #define NOISE_DHLEN 32 345 /* [N] 4.3: "Must be 32 or 64." WireGuard chooses 32. */ 346 #define NOISE_HASHLEN 32 347 #define NOISE_BLOCKLEN 64 348 #define NOISE_HKDF_OUTPUT_LEN NOISE_HASHLEN 349 /* [N] 5.1: "k" */ 350 #define NOISE_CIPHER_KEY_LEN 32 351 /* 352 * [N] 9.2: "psk" 353 * "... psk is a 32-byte secret value provided by the application." 354 */ 355 #define NOISE_PRESHARED_KEY_LEN 32 356 357 #define WG_STATIC_KEY_LEN CURVE25519_KEY_LEN 358 #define WG_TIMESTAMP_LEN TAI64N_LEN 359 360 #define WG_PRESHARED_KEY_LEN NOISE_PRESHARED_KEY_LEN 361 362 #define WG_COOKIE_LEN 16 363 #define WG_MAC_LEN 16 364 #define WG_COOKIESECRET_LEN 32 365 366 #define WG_EPHEMERAL_KEY_LEN CURVE25519_KEY_LEN 367 /* [N] 5.2: "ck: A chaining key of HASHLEN bytes" */ 368 #define WG_CHAINING_KEY_LEN NOISE_HASHLEN 369 /* [N] 5.2: "h: A hash output of HASHLEN bytes" */ 370 #define WG_HASH_LEN NOISE_HASHLEN 371 #define WG_CIPHER_KEY_LEN NOISE_CIPHER_KEY_LEN 372 #define WG_DH_OUTPUT_LEN NOISE_DHLEN 373 #define WG_KDF_OUTPUT_LEN NOISE_HKDF_OUTPUT_LEN 374 #define WG_AUTHTAG_LEN POLY1305_AUTHTAG_LEN 375 #define WG_DATA_KEY_LEN 32 376 #define WG_SALT_LEN 24 377 378 /* 379 * The protocol messages 380 */ 381 struct wg_msg { 382 uint32_t wgm_type; 383 } __packed; 384 385 /* [W] 5.4.2 First Message: Initiator to Responder */ 386 struct wg_msg_init { 387 uint32_t wgmi_type; 388 uint32_t wgmi_sender; 389 uint8_t wgmi_ephemeral[WG_EPHEMERAL_KEY_LEN]; 390 uint8_t wgmi_static[WG_STATIC_KEY_LEN + WG_AUTHTAG_LEN]; 391 uint8_t wgmi_timestamp[WG_TIMESTAMP_LEN + WG_AUTHTAG_LEN]; 392 uint8_t wgmi_mac1[WG_MAC_LEN]; 393 uint8_t wgmi_mac2[WG_MAC_LEN]; 394 } __packed; 395 396 /* [W] 5.4.3 Second Message: Responder to Initiator */ 397 struct wg_msg_resp { 398 uint32_t wgmr_type; 399 uint32_t wgmr_sender; 400 uint32_t wgmr_receiver; 401 uint8_t wgmr_ephemeral[WG_EPHEMERAL_KEY_LEN]; 402 uint8_t wgmr_empty[0 + WG_AUTHTAG_LEN]; 403 uint8_t wgmr_mac1[WG_MAC_LEN]; 404 uint8_t wgmr_mac2[WG_MAC_LEN]; 405 } __packed; 406 407 /* [W] 5.4.6 Subsequent Messages: Transport Data Messages */ 408 struct wg_msg_data { 409 uint32_t wgmd_type; 410 uint32_t wgmd_receiver; 411 uint64_t wgmd_counter; 412 uint32_t wgmd_packet[]; 413 } __packed; 414 415 /* [W] 5.4.7 Under Load: Cookie Reply Message */ 416 struct wg_msg_cookie { 417 uint32_t wgmc_type; 418 uint32_t wgmc_receiver; 419 uint8_t wgmc_salt[WG_SALT_LEN]; 420 uint8_t wgmc_cookie[WG_COOKIE_LEN + WG_AUTHTAG_LEN]; 421 } __packed; 422 423 #define WG_MSG_TYPE_INIT 1 424 #define WG_MSG_TYPE_RESP 2 425 #define WG_MSG_TYPE_COOKIE 3 426 #define WG_MSG_TYPE_DATA 4 427 #define WG_MSG_TYPE_MAX WG_MSG_TYPE_DATA 428 429 /* Sliding windows */ 430 431 #define SLIWIN_BITS 2048u 432 #define SLIWIN_TYPE uint32_t 433 #define SLIWIN_BPW (NBBY*sizeof(SLIWIN_TYPE)) 434 #define SLIWIN_WORDS howmany(SLIWIN_BITS, SLIWIN_BPW) 435 #define SLIWIN_NPKT (SLIWIN_BITS - NBBY*sizeof(SLIWIN_TYPE)) 436 437 struct sliwin { 438 SLIWIN_TYPE B[SLIWIN_WORDS]; 439 uint64_t T; 440 }; 441 442 /* 443 * sliwin_reset(W) 444 * 445 * Reset sliding window state to a blank history with no observed 446 * sequence numbers. 447 * 448 * Caller must have exclusive access to W. 449 */ 450 static void 451 sliwin_reset(struct sliwin *W) 452 { 453 454 memset(W, 0, sizeof(*W)); 455 } 456 457 /* 458 * sliwin_check_fast(W, S) 459 * 460 * Do a fast check of the sliding window W to validate sequence 461 * number S. No state is recorded. Return 0 on accept, nonzero 462 * error code on reject. 463 * 464 * May be called concurrently with other calls to 465 * sliwin_check_fast and sliwin_update. 466 */ 467 static int 468 sliwin_check_fast(const volatile struct sliwin *W, uint64_t S) 469 { 470 471 /* 472 * If it's more than one window older than the highest sequence 473 * number we've seen, reject. 474 */ 475 #ifdef __HAVE_ATOMIC64_LOADSTORE 476 if (S + SLIWIN_NPKT < atomic_load_relaxed(&W->T)) 477 return EAUTH; 478 #endif 479 480 /* 481 * Otherwise, we need to take the lock to decide, so don't 482 * reject just yet. Caller must serialize a call to 483 * sliwin_update in this case. 484 */ 485 return 0; 486 } 487 488 /* 489 * sliwin_update(W, S) 490 * 491 * Check the sliding window W to validate sequence number S, and 492 * if accepted, update it to reflect having observed S. Return 0 493 * on accept, nonzero error code on reject. 494 * 495 * May be called concurrently with other calls to 496 * sliwin_check_fast, but caller must exclude other calls to 497 * sliwin_update. 498 */ 499 static int 500 sliwin_update(struct sliwin *W, uint64_t S) 501 { 502 unsigned word, bit; 503 504 /* 505 * If it's more than one window older than the highest sequence 506 * number we've seen, reject. 507 */ 508 if (S + SLIWIN_NPKT < W->T) 509 return EAUTH; 510 511 /* 512 * If it's higher than the highest sequence number we've seen, 513 * advance the window. 514 */ 515 if (S > W->T) { 516 uint64_t i = W->T / SLIWIN_BPW; 517 uint64_t j = S / SLIWIN_BPW; 518 unsigned k; 519 520 for (k = 0; k < MIN(j - i, SLIWIN_WORDS); k++) 521 W->B[(i + k + 1) % SLIWIN_WORDS] = 0; 522 #ifdef __HAVE_ATOMIC64_LOADSTORE 523 atomic_store_relaxed(&W->T, S); 524 #else 525 W->T = S; 526 #endif 527 } 528 529 /* Test and set the bit -- if already set, reject. */ 530 word = (S / SLIWIN_BPW) % SLIWIN_WORDS; 531 bit = S % SLIWIN_BPW; 532 if (W->B[word] & (1UL << bit)) 533 return EAUTH; 534 W->B[word] |= 1U << bit; 535 536 /* Accept! */ 537 return 0; 538 } 539 540 struct wg_session { 541 struct wg_peer *wgs_peer; 542 struct psref_target 543 wgs_psref; 544 545 volatile int wgs_state; 546 #define WGS_STATE_UNKNOWN 0 547 #define WGS_STATE_INIT_ACTIVE 1 548 #define WGS_STATE_INIT_PASSIVE 2 549 #define WGS_STATE_ESTABLISHED 3 550 #define WGS_STATE_DESTROYING 4 551 552 uint32_t wgs_time_established; 553 volatile uint32_t 554 wgs_time_last_data_sent; 555 volatile bool wgs_force_rekey; 556 bool wgs_is_initiator; 557 558 uint32_t wgs_local_index; 559 uint32_t wgs_remote_index; 560 #ifdef __HAVE_ATOMIC64_LOADSTORE 561 volatile uint64_t 562 wgs_send_counter; 563 #else 564 kmutex_t wgs_send_counter_lock; 565 uint64_t wgs_send_counter; 566 #endif 567 568 struct { 569 kmutex_t lock; 570 struct sliwin window; 571 } *wgs_recvwin; 572 573 uint8_t wgs_handshake_hash[WG_HASH_LEN]; 574 uint8_t wgs_chaining_key[WG_CHAINING_KEY_LEN]; 575 uint8_t wgs_ephemeral_key_pub[WG_EPHEMERAL_KEY_LEN]; 576 uint8_t wgs_ephemeral_key_priv[WG_EPHEMERAL_KEY_LEN]; 577 uint8_t wgs_ephemeral_key_peer[WG_EPHEMERAL_KEY_LEN]; 578 uint8_t wgs_tkey_send[WG_DATA_KEY_LEN]; 579 uint8_t wgs_tkey_recv[WG_DATA_KEY_LEN]; 580 }; 581 582 struct wg_sockaddr { 583 union { 584 struct sockaddr_storage _ss; 585 struct sockaddr _sa; 586 struct sockaddr_in _sin; 587 struct sockaddr_in6 _sin6; 588 }; 589 struct psref_target wgsa_psref; 590 }; 591 592 #define wgsatoss(wgsa) (&(wgsa)->_ss) 593 #define wgsatosa(wgsa) (&(wgsa)->_sa) 594 #define wgsatosin(wgsa) (&(wgsa)->_sin) 595 #define wgsatosin6(wgsa) (&(wgsa)->_sin6) 596 597 #define wgsa_family(wgsa) (wgsatosa(wgsa)->sa_family) 598 599 struct wg_peer; 600 struct wg_allowedip { 601 struct radix_node wga_nodes[2]; 602 struct wg_sockaddr _wga_sa_addr; 603 struct wg_sockaddr _wga_sa_mask; 604 #define wga_sa_addr _wga_sa_addr._sa 605 #define wga_sa_mask _wga_sa_mask._sa 606 607 int wga_family; 608 uint8_t wga_cidr; 609 union { 610 struct in_addr _ip4; 611 struct in6_addr _ip6; 612 } wga_addr; 613 #define wga_addr4 wga_addr._ip4 614 #define wga_addr6 wga_addr._ip6 615 616 struct wg_peer *wga_peer; 617 }; 618 619 typedef uint8_t wg_timestamp_t[WG_TIMESTAMP_LEN]; 620 621 struct wg_ppsratecheck { 622 struct timeval wgprc_lasttime; 623 int wgprc_curpps; 624 }; 625 626 struct wg_softc; 627 struct wg_peer { 628 struct wg_softc *wgp_sc; 629 char wgp_name[WG_PEER_NAME_MAXLEN + 1]; 630 struct pslist_entry wgp_peerlist_entry; 631 pserialize_t wgp_psz; 632 struct psref_target wgp_psref; 633 kmutex_t *wgp_lock; 634 kmutex_t *wgp_intr_lock; 635 636 uint8_t wgp_pubkey[WG_STATIC_KEY_LEN]; 637 struct wg_sockaddr *volatile wgp_endpoint; 638 struct wg_sockaddr *wgp_endpoint0; 639 volatile unsigned wgp_endpoint_changing; 640 volatile bool wgp_endpoint_available; 641 642 /* The preshared key (optional) */ 643 uint8_t wgp_psk[WG_PRESHARED_KEY_LEN]; 644 645 struct wg_session *volatile wgp_session_stable; 646 struct wg_session *wgp_session_unstable; 647 648 /* first outgoing packet awaiting session initiation */ 649 struct mbuf *volatile wgp_pending; 650 651 /* timestamp in big-endian */ 652 wg_timestamp_t wgp_timestamp_latest_init; 653 654 struct timespec wgp_last_handshake_time; 655 656 callout_t wgp_handshake_timeout_timer; 657 callout_t wgp_session_dtor_timer; 658 659 time_t wgp_handshake_start_time; 660 661 int wgp_n_allowedips; 662 struct wg_allowedip wgp_allowedips[WG_ALLOWEDIPS]; 663 664 time_t wgp_latest_cookie_time; 665 uint8_t wgp_latest_cookie[WG_COOKIE_LEN]; 666 uint8_t wgp_last_sent_mac1[WG_MAC_LEN]; 667 bool wgp_last_sent_mac1_valid; 668 uint8_t wgp_last_sent_cookie[WG_COOKIE_LEN]; 669 bool wgp_last_sent_cookie_valid; 670 671 time_t wgp_last_msg_received_time[WG_MSG_TYPE_MAX]; 672 673 time_t wgp_last_cookiesecret_time; 674 uint8_t wgp_cookiesecret[WG_COOKIESECRET_LEN]; 675 676 struct wg_ppsratecheck wgp_ppsratecheck; 677 678 struct work wgp_work; 679 unsigned int wgp_tasks; 680 #define WGP_TASK_SEND_INIT_MESSAGE __BIT(0) 681 #define WGP_TASK_RETRY_HANDSHAKE __BIT(1) 682 #define WGP_TASK_ESTABLISH_SESSION __BIT(2) 683 #define WGP_TASK_ENDPOINT_CHANGED __BIT(3) 684 #define WGP_TASK_SEND_KEEPALIVE_MESSAGE __BIT(4) 685 #define WGP_TASK_DESTROY_PREV_SESSION __BIT(5) 686 }; 687 688 struct wg_ops; 689 690 struct wg_softc { 691 struct ifnet wg_if; 692 LIST_ENTRY(wg_softc) wg_list; 693 kmutex_t *wg_lock; 694 kmutex_t *wg_intr_lock; 695 krwlock_t *wg_rwlock; 696 697 uint8_t wg_privkey[WG_STATIC_KEY_LEN]; 698 uint8_t wg_pubkey[WG_STATIC_KEY_LEN]; 699 700 int wg_npeers; 701 struct pslist_head wg_peers; 702 struct thmap *wg_peers_bypubkey; 703 struct thmap *wg_peers_byname; 704 struct thmap *wg_sessions_byindex; 705 uint16_t wg_listen_port; 706 707 struct threadpool *wg_threadpool; 708 709 struct threadpool_job wg_job; 710 int wg_upcalls; 711 #define WG_UPCALL_INET __BIT(0) 712 #define WG_UPCALL_INET6 __BIT(1) 713 714 #ifdef INET 715 struct socket *wg_so4; 716 struct radix_node_head *wg_rtable_ipv4; 717 #endif 718 #ifdef INET6 719 struct socket *wg_so6; 720 struct radix_node_head *wg_rtable_ipv6; 721 #endif 722 723 struct wg_ppsratecheck wg_ppsratecheck; 724 725 struct wg_ops *wg_ops; 726 727 #ifdef WG_RUMPKERNEL 728 struct wg_user *wg_user; 729 #endif 730 }; 731 732 /* [W] 6.1 Preliminaries */ 733 #define WG_REKEY_AFTER_MESSAGES (1ULL << 60) 734 #define WG_REJECT_AFTER_MESSAGES (UINT64_MAX - (1 << 13)) 735 #define WG_REKEY_AFTER_TIME 120 736 #define WG_REJECT_AFTER_TIME 180 737 #define WG_REKEY_ATTEMPT_TIME 90 738 #define WG_REKEY_TIMEOUT 5 739 #define WG_KEEPALIVE_TIMEOUT 10 740 741 #define WG_COOKIE_TIME 120 742 #define WG_COOKIESECRET_TIME (2 * 60) 743 744 static uint64_t wg_rekey_after_messages = WG_REKEY_AFTER_MESSAGES; 745 static uint64_t wg_reject_after_messages = WG_REJECT_AFTER_MESSAGES; 746 static unsigned wg_rekey_after_time = WG_REKEY_AFTER_TIME; 747 static unsigned wg_reject_after_time = WG_REJECT_AFTER_TIME; 748 static unsigned wg_rekey_attempt_time = WG_REKEY_ATTEMPT_TIME; 749 static unsigned wg_rekey_timeout = WG_REKEY_TIMEOUT; 750 static unsigned wg_keepalive_timeout = WG_KEEPALIVE_TIMEOUT; 751 752 static struct mbuf * 753 wg_get_mbuf(size_t, size_t); 754 755 static void wg_send_data_msg(struct wg_peer *, struct wg_session *, 756 struct mbuf *); 757 static void wg_send_cookie_msg(struct wg_softc *, struct wg_peer *, 758 const uint32_t, const uint8_t[static WG_MAC_LEN], 759 const struct sockaddr *); 760 static void wg_send_handshake_msg_resp(struct wg_softc *, struct wg_peer *, 761 struct wg_session *, const struct wg_msg_init *); 762 static void wg_send_keepalive_msg(struct wg_peer *, struct wg_session *); 763 764 static struct wg_peer * 765 wg_pick_peer_by_sa(struct wg_softc *, const struct sockaddr *, 766 struct psref *); 767 static struct wg_peer * 768 wg_lookup_peer_by_pubkey(struct wg_softc *, 769 const uint8_t[static WG_STATIC_KEY_LEN], struct psref *); 770 771 static struct wg_session * 772 wg_lookup_session_by_index(struct wg_softc *, 773 const uint32_t, struct psref *); 774 775 static void wg_update_endpoint_if_necessary(struct wg_peer *, 776 const struct sockaddr *); 777 778 static void wg_schedule_session_dtor_timer(struct wg_peer *); 779 780 static bool wg_is_underload(struct wg_softc *, struct wg_peer *, int); 781 static void wg_calculate_keys(struct wg_session *, const bool); 782 783 static void wg_clear_states(struct wg_session *); 784 785 static void wg_get_peer(struct wg_peer *, struct psref *); 786 static void wg_put_peer(struct wg_peer *, struct psref *); 787 788 static int wg_send_hs(struct wg_peer *, struct mbuf *); 789 static int wg_send_data(struct wg_peer *, struct mbuf *); 790 static int wg_output(struct ifnet *, struct mbuf *, 791 const struct sockaddr *, const struct rtentry *); 792 static void wg_input(struct ifnet *, struct mbuf *, const int); 793 static int wg_ioctl(struct ifnet *, u_long, void *); 794 static int wg_bind_port(struct wg_softc *, const uint16_t); 795 static int wg_init(struct ifnet *); 796 #ifdef ALTQ 797 static void wg_start(struct ifnet *); 798 #endif 799 static void wg_stop(struct ifnet *, int); 800 801 static void wg_peer_work(struct work *, void *); 802 static void wg_job(struct threadpool_job *); 803 static void wgintr(void *); 804 static void wg_purge_pending_packets(struct wg_peer *); 805 806 static int wg_clone_create(struct if_clone *, int); 807 static int wg_clone_destroy(struct ifnet *); 808 809 struct wg_ops { 810 int (*send_hs_msg)(struct wg_peer *, struct mbuf *); 811 int (*send_data_msg)(struct wg_peer *, struct mbuf *); 812 void (*input)(struct ifnet *, struct mbuf *, const int); 813 int (*bind_port)(struct wg_softc *, const uint16_t); 814 }; 815 816 struct wg_ops wg_ops_rumpkernel = { 817 .send_hs_msg = wg_send_hs, 818 .send_data_msg = wg_send_data, 819 .input = wg_input, 820 .bind_port = wg_bind_port, 821 }; 822 823 #ifdef WG_RUMPKERNEL 824 static bool wg_user_mode(struct wg_softc *); 825 static int wg_ioctl_linkstr(struct wg_softc *, struct ifdrv *); 826 827 static int wg_send_hs_user(struct wg_peer *, struct mbuf *); 828 static int wg_send_data_user(struct wg_peer *, struct mbuf *); 829 static void wg_input_user(struct ifnet *, struct mbuf *, const int); 830 static int wg_bind_port_user(struct wg_softc *, const uint16_t); 831 832 struct wg_ops wg_ops_rumpuser = { 833 .send_hs_msg = wg_send_hs_user, 834 .send_data_msg = wg_send_data_user, 835 .input = wg_input_user, 836 .bind_port = wg_bind_port_user, 837 }; 838 #endif 839 840 #define WG_PEER_READER_FOREACH(wgp, wg) \ 841 PSLIST_READER_FOREACH((wgp), &(wg)->wg_peers, struct wg_peer, \ 842 wgp_peerlist_entry) 843 #define WG_PEER_WRITER_FOREACH(wgp, wg) \ 844 PSLIST_WRITER_FOREACH((wgp), &(wg)->wg_peers, struct wg_peer, \ 845 wgp_peerlist_entry) 846 #define WG_PEER_WRITER_INSERT_HEAD(wgp, wg) \ 847 PSLIST_WRITER_INSERT_HEAD(&(wg)->wg_peers, (wgp), wgp_peerlist_entry) 848 #define WG_PEER_WRITER_REMOVE(wgp) \ 849 PSLIST_WRITER_REMOVE((wgp), wgp_peerlist_entry) 850 851 struct wg_route { 852 struct radix_node wgr_nodes[2]; 853 struct wg_peer *wgr_peer; 854 }; 855 856 static struct radix_node_head * 857 wg_rnh(struct wg_softc *wg, const int family) 858 { 859 860 switch (family) { 861 #ifdef INET 862 case AF_INET: 863 return wg->wg_rtable_ipv4; 864 #endif 865 #ifdef INET6 866 case AF_INET6: 867 return wg->wg_rtable_ipv6; 868 #endif 869 default: 870 return NULL; 871 } 872 } 873 874 875 /* 876 * Global variables 877 */ 878 static volatile unsigned wg_count __cacheline_aligned; 879 880 struct psref_class *wg_psref_class __read_mostly; 881 882 static struct if_clone wg_cloner = 883 IF_CLONE_INITIALIZER("wg", wg_clone_create, wg_clone_destroy); 884 885 static struct pktqueue *wg_pktq __read_mostly; 886 static struct workqueue *wg_wq __read_mostly; 887 888 void wgattach(int); 889 /* ARGSUSED */ 890 void 891 wgattach(int count) 892 { 893 /* 894 * Nothing to do here, initialization is handled by the 895 * module initialization code in wginit() below). 896 */ 897 } 898 899 static void 900 wginit(void) 901 { 902 903 wg_psref_class = psref_class_create("wg", IPL_SOFTNET); 904 905 if_clone_attach(&wg_cloner); 906 } 907 908 /* 909 * XXX Kludge: This should just happen in wginit, but workqueue_create 910 * cannot be run until after CPUs have been detected, and wginit runs 911 * before configure. 912 */ 913 static int 914 wginitqueues(void) 915 { 916 int error __diagused; 917 918 wg_pktq = pktq_create(IFQ_MAXLEN, wgintr, NULL); 919 KASSERT(wg_pktq != NULL); 920 921 error = workqueue_create(&wg_wq, "wgpeer", wg_peer_work, NULL, 922 PRI_NONE, IPL_SOFTNET, WQ_MPSAFE|WQ_PERCPU); 923 KASSERTMSG(error == 0, "error=%d", error); 924 925 return 0; 926 } 927 928 static void 929 wg_guarantee_initialized(void) 930 { 931 static ONCE_DECL(init); 932 int error __diagused; 933 934 error = RUN_ONCE(&init, wginitqueues); 935 KASSERTMSG(error == 0, "error=%d", error); 936 } 937 938 static int 939 wg_count_inc(void) 940 { 941 unsigned o, n; 942 943 do { 944 o = atomic_load_relaxed(&wg_count); 945 if (o == UINT_MAX) 946 return ENFILE; 947 n = o + 1; 948 } while (atomic_cas_uint(&wg_count, o, n) != o); 949 950 return 0; 951 } 952 953 static void 954 wg_count_dec(void) 955 { 956 unsigned c __diagused; 957 958 membar_release(); /* match atomic_load_acquire in wgdetach */ 959 c = atomic_dec_uint_nv(&wg_count); 960 KASSERT(c != UINT_MAX); 961 } 962 963 static int 964 wgdetach(void) 965 { 966 967 /* Prevent new interface creation. */ 968 if_clone_detach(&wg_cloner); 969 970 /* 971 * Check whether there are any existing interfaces. Matches 972 * membar_release and atomic_dec_uint_nv in wg_count_dec. 973 */ 974 if (atomic_load_acquire(&wg_count)) { 975 /* Back out -- reattach the cloner. */ 976 if_clone_attach(&wg_cloner); 977 return EBUSY; 978 } 979 980 /* No interfaces left. Nuke it. */ 981 if (wg_wq) 982 workqueue_destroy(wg_wq); 983 if (wg_pktq) 984 pktq_destroy(wg_pktq); 985 psref_class_destroy(wg_psref_class); 986 987 return 0; 988 } 989 990 static void 991 wg_init_key_and_hash(uint8_t ckey[static WG_CHAINING_KEY_LEN], 992 uint8_t hash[static WG_HASH_LEN]) 993 { 994 /* [W] 5.4: CONSTRUCTION */ 995 const char *signature = "Noise_IKpsk2_25519_ChaChaPoly_BLAKE2s"; 996 /* [W] 5.4: IDENTIFIER */ 997 const char *id = "WireGuard v1 zx2c4 Jason@zx2c4.com"; 998 struct blake2s state; 999 1000 blake2s(ckey, WG_CHAINING_KEY_LEN, NULL, 0, 1001 signature, strlen(signature)); 1002 1003 CTASSERT(WG_HASH_LEN == WG_CHAINING_KEY_LEN); 1004 memcpy(hash, ckey, WG_CHAINING_KEY_LEN); 1005 1006 blake2s_init(&state, WG_HASH_LEN, NULL, 0); 1007 blake2s_update(&state, ckey, WG_CHAINING_KEY_LEN); 1008 blake2s_update(&state, id, strlen(id)); 1009 blake2s_final(&state, hash); 1010 1011 WG_DUMP_HASH("ckey", ckey); 1012 WG_DUMP_HASH("hash", hash); 1013 } 1014 1015 static void 1016 wg_algo_hash(uint8_t hash[static WG_HASH_LEN], const uint8_t input[], 1017 const size_t inputsize) 1018 { 1019 struct blake2s state; 1020 1021 blake2s_init(&state, WG_HASH_LEN, NULL, 0); 1022 blake2s_update(&state, hash, WG_HASH_LEN); 1023 blake2s_update(&state, input, inputsize); 1024 blake2s_final(&state, hash); 1025 } 1026 1027 static void 1028 wg_algo_mac(uint8_t out[], const size_t outsize, 1029 const uint8_t key[], const size_t keylen, 1030 const uint8_t input1[], const size_t input1len, 1031 const uint8_t input2[], const size_t input2len) 1032 { 1033 struct blake2s state; 1034 1035 blake2s_init(&state, outsize, key, keylen); 1036 1037 blake2s_update(&state, input1, input1len); 1038 if (input2 != NULL) 1039 blake2s_update(&state, input2, input2len); 1040 blake2s_final(&state, out); 1041 } 1042 1043 static void 1044 wg_algo_mac_mac1(uint8_t out[], const size_t outsize, 1045 const uint8_t input1[], const size_t input1len, 1046 const uint8_t input2[], const size_t input2len) 1047 { 1048 struct blake2s state; 1049 /* [W] 5.4: LABEL-MAC1 */ 1050 const char *label = "mac1----"; 1051 uint8_t key[WG_HASH_LEN]; 1052 1053 blake2s_init(&state, sizeof(key), NULL, 0); 1054 blake2s_update(&state, label, strlen(label)); 1055 blake2s_update(&state, input1, input1len); 1056 blake2s_final(&state, key); 1057 1058 blake2s_init(&state, outsize, key, sizeof(key)); 1059 if (input2 != NULL) 1060 blake2s_update(&state, input2, input2len); 1061 blake2s_final(&state, out); 1062 } 1063 1064 static void 1065 wg_algo_mac_cookie(uint8_t out[], const size_t outsize, 1066 const uint8_t input1[], const size_t input1len) 1067 { 1068 struct blake2s state; 1069 /* [W] 5.4: LABEL-COOKIE */ 1070 const char *label = "cookie--"; 1071 1072 blake2s_init(&state, outsize, NULL, 0); 1073 blake2s_update(&state, label, strlen(label)); 1074 blake2s_update(&state, input1, input1len); 1075 blake2s_final(&state, out); 1076 } 1077 1078 static void 1079 wg_algo_generate_keypair(uint8_t pubkey[static WG_EPHEMERAL_KEY_LEN], 1080 uint8_t privkey[static WG_EPHEMERAL_KEY_LEN]) 1081 { 1082 1083 CTASSERT(WG_EPHEMERAL_KEY_LEN == crypto_scalarmult_curve25519_BYTES); 1084 1085 cprng_strong(kern_cprng, privkey, WG_EPHEMERAL_KEY_LEN, 0); 1086 crypto_scalarmult_base(pubkey, privkey); 1087 } 1088 1089 static void 1090 wg_algo_dh(uint8_t out[static WG_DH_OUTPUT_LEN], 1091 const uint8_t privkey[static WG_STATIC_KEY_LEN], 1092 const uint8_t pubkey[static WG_STATIC_KEY_LEN]) 1093 { 1094 1095 CTASSERT(WG_STATIC_KEY_LEN == crypto_scalarmult_curve25519_BYTES); 1096 1097 int ret __diagused = crypto_scalarmult(out, privkey, pubkey); 1098 KASSERT(ret == 0); 1099 } 1100 1101 static void 1102 wg_algo_hmac(uint8_t out[], const size_t outlen, 1103 const uint8_t key[], const size_t keylen, 1104 const uint8_t in[], const size_t inlen) 1105 { 1106 #define IPAD 0x36 1107 #define OPAD 0x5c 1108 uint8_t hmackey[HMAC_BLOCK_LEN] = {0}; 1109 uint8_t ipad[HMAC_BLOCK_LEN]; 1110 uint8_t opad[HMAC_BLOCK_LEN]; 1111 size_t i; 1112 struct blake2s state; 1113 1114 KASSERT(outlen == WG_HASH_LEN); 1115 KASSERT(keylen <= HMAC_BLOCK_LEN); 1116 1117 memcpy(hmackey, key, keylen); 1118 1119 for (i = 0; i < sizeof(hmackey); i++) { 1120 ipad[i] = hmackey[i] ^ IPAD; 1121 opad[i] = hmackey[i] ^ OPAD; 1122 } 1123 1124 blake2s_init(&state, WG_HASH_LEN, NULL, 0); 1125 blake2s_update(&state, ipad, sizeof(ipad)); 1126 blake2s_update(&state, in, inlen); 1127 blake2s_final(&state, out); 1128 1129 blake2s_init(&state, WG_HASH_LEN, NULL, 0); 1130 blake2s_update(&state, opad, sizeof(opad)); 1131 blake2s_update(&state, out, WG_HASH_LEN); 1132 blake2s_final(&state, out); 1133 #undef IPAD 1134 #undef OPAD 1135 } 1136 1137 static void 1138 wg_algo_kdf(uint8_t out1[static WG_KDF_OUTPUT_LEN], 1139 uint8_t out2[WG_KDF_OUTPUT_LEN], 1140 uint8_t out3[WG_KDF_OUTPUT_LEN], 1141 const uint8_t ckey[static WG_CHAINING_KEY_LEN], 1142 const uint8_t input[], const size_t inputlen) 1143 { 1144 uint8_t tmp1[WG_KDF_OUTPUT_LEN], tmp2[WG_KDF_OUTPUT_LEN + 1]; 1145 uint8_t one[1]; 1146 1147 /* 1148 * [N] 4.3: "an input_key_material byte sequence with length 1149 * either zero bytes, 32 bytes, or DHLEN bytes." 1150 */ 1151 KASSERT(inputlen == 0 || inputlen == 32 || inputlen == NOISE_DHLEN); 1152 1153 WG_DUMP_HASH("ckey", ckey); 1154 if (input != NULL) 1155 WG_DUMP_HASH("input", input); 1156 wg_algo_hmac(tmp1, sizeof(tmp1), ckey, WG_CHAINING_KEY_LEN, 1157 input, inputlen); 1158 WG_DUMP_HASH("tmp1", tmp1); 1159 one[0] = 1; 1160 wg_algo_hmac(out1, WG_KDF_OUTPUT_LEN, tmp1, sizeof(tmp1), 1161 one, sizeof(one)); 1162 WG_DUMP_HASH("out1", out1); 1163 if (out2 == NULL) 1164 return; 1165 memcpy(tmp2, out1, WG_KDF_OUTPUT_LEN); 1166 tmp2[WG_KDF_OUTPUT_LEN] = 2; 1167 wg_algo_hmac(out2, WG_KDF_OUTPUT_LEN, tmp1, sizeof(tmp1), 1168 tmp2, sizeof(tmp2)); 1169 WG_DUMP_HASH("out2", out2); 1170 if (out3 == NULL) 1171 return; 1172 memcpy(tmp2, out2, WG_KDF_OUTPUT_LEN); 1173 tmp2[WG_KDF_OUTPUT_LEN] = 3; 1174 wg_algo_hmac(out3, WG_KDF_OUTPUT_LEN, tmp1, sizeof(tmp1), 1175 tmp2, sizeof(tmp2)); 1176 WG_DUMP_HASH("out3", out3); 1177 } 1178 1179 static void __noinline 1180 wg_algo_dh_kdf(uint8_t ckey[static WG_CHAINING_KEY_LEN], 1181 uint8_t cipher_key[WG_CIPHER_KEY_LEN], 1182 const uint8_t local_key[static WG_STATIC_KEY_LEN], 1183 const uint8_t remote_key[static WG_STATIC_KEY_LEN]) 1184 { 1185 uint8_t dhout[WG_DH_OUTPUT_LEN]; 1186 1187 wg_algo_dh(dhout, local_key, remote_key); 1188 wg_algo_kdf(ckey, cipher_key, NULL, ckey, dhout, sizeof(dhout)); 1189 1190 WG_DUMP_HASH("dhout", dhout); 1191 WG_DUMP_HASH("ckey", ckey); 1192 if (cipher_key != NULL) 1193 WG_DUMP_HASH("cipher_key", cipher_key); 1194 } 1195 1196 static void 1197 wg_algo_aead_enc(uint8_t out[], size_t expected_outsize, 1198 const uint8_t key[static crypto_aead_chacha20poly1305_ietf_KEYBYTES], 1199 const uint64_t counter, 1200 const uint8_t plain[], const size_t plainsize, 1201 const uint8_t auth[], size_t authlen) 1202 { 1203 uint8_t nonce[(32 + 64) / 8] = {0}; 1204 long long unsigned int outsize; 1205 int error __diagused; 1206 1207 le64enc(&nonce[4], counter); 1208 1209 error = crypto_aead_chacha20poly1305_ietf_encrypt(out, &outsize, plain, 1210 plainsize, auth, authlen, NULL, nonce, key); 1211 KASSERT(error == 0); 1212 KASSERT(outsize == expected_outsize); 1213 } 1214 1215 static int 1216 wg_algo_aead_dec(uint8_t out[], size_t expected_outsize, 1217 const uint8_t key[static crypto_aead_chacha20poly1305_ietf_KEYBYTES], 1218 const uint64_t counter, 1219 const uint8_t encrypted[], const size_t encryptedsize, 1220 const uint8_t auth[], size_t authlen) 1221 { 1222 uint8_t nonce[(32 + 64) / 8] = {0}; 1223 long long unsigned int outsize; 1224 int error; 1225 1226 le64enc(&nonce[4], counter); 1227 1228 error = crypto_aead_chacha20poly1305_ietf_decrypt(out, &outsize, NULL, 1229 encrypted, encryptedsize, auth, authlen, nonce, key); 1230 if (error == 0) 1231 KASSERT(outsize == expected_outsize); 1232 return error; 1233 } 1234 1235 static void 1236 wg_algo_xaead_enc(uint8_t out[], const size_t expected_outsize, 1237 const uint8_t key[static crypto_aead_xchacha20poly1305_ietf_KEYBYTES], 1238 const uint8_t plain[], const size_t plainsize, 1239 const uint8_t auth[], size_t authlen, 1240 const uint8_t nonce[static WG_SALT_LEN]) 1241 { 1242 long long unsigned int outsize; 1243 int error __diagused; 1244 1245 CTASSERT(WG_SALT_LEN == crypto_aead_xchacha20poly1305_ietf_NPUBBYTES); 1246 error = crypto_aead_xchacha20poly1305_ietf_encrypt(out, &outsize, 1247 plain, plainsize, auth, authlen, NULL, nonce, key); 1248 KASSERT(error == 0); 1249 KASSERT(outsize == expected_outsize); 1250 } 1251 1252 static int 1253 wg_algo_xaead_dec(uint8_t out[], const size_t expected_outsize, 1254 const uint8_t key[static crypto_aead_xchacha20poly1305_ietf_KEYBYTES], 1255 const uint8_t encrypted[], const size_t encryptedsize, 1256 const uint8_t auth[], size_t authlen, 1257 const uint8_t nonce[static WG_SALT_LEN]) 1258 { 1259 long long unsigned int outsize; 1260 int error; 1261 1262 error = crypto_aead_xchacha20poly1305_ietf_decrypt(out, &outsize, NULL, 1263 encrypted, encryptedsize, auth, authlen, nonce, key); 1264 if (error == 0) 1265 KASSERT(outsize == expected_outsize); 1266 return error; 1267 } 1268 1269 static void 1270 wg_algo_tai64n(wg_timestamp_t timestamp) 1271 { 1272 struct timespec ts; 1273 1274 /* FIXME strict TAI64N (https://cr.yp.to/libtai/tai64.html) */ 1275 getnanotime(&ts); 1276 /* TAI64 label in external TAI64 format */ 1277 be32enc(timestamp, 0x40000000U + (uint32_t)(ts.tv_sec >> 32)); 1278 /* second beginning from 1970 TAI */ 1279 be32enc(timestamp + 4, (uint32_t)(ts.tv_sec & 0xffffffffU)); 1280 /* nanosecond in big-endian format */ 1281 be32enc(timestamp + 8, (uint32_t)ts.tv_nsec); 1282 } 1283 1284 /* 1285 * wg_get_stable_session(wgp, psref) 1286 * 1287 * Get a passive reference to the current stable session, or 1288 * return NULL if there is no current stable session. 1289 * 1290 * The pointer is always there but the session is not necessarily 1291 * ESTABLISHED; if it is not ESTABLISHED, return NULL. However, 1292 * the session may transition from ESTABLISHED to DESTROYING while 1293 * holding the passive reference. 1294 */ 1295 static struct wg_session * 1296 wg_get_stable_session(struct wg_peer *wgp, struct psref *psref) 1297 { 1298 int s; 1299 struct wg_session *wgs; 1300 1301 s = pserialize_read_enter(); 1302 wgs = atomic_load_consume(&wgp->wgp_session_stable); 1303 if (__predict_false(atomic_load_relaxed(&wgs->wgs_state) != 1304 WGS_STATE_ESTABLISHED)) 1305 wgs = NULL; 1306 else 1307 psref_acquire(psref, &wgs->wgs_psref, wg_psref_class); 1308 pserialize_read_exit(s); 1309 1310 return wgs; 1311 } 1312 1313 static void 1314 wg_put_session(struct wg_session *wgs, struct psref *psref) 1315 { 1316 1317 psref_release(psref, &wgs->wgs_psref, wg_psref_class); 1318 } 1319 1320 static void 1321 wg_destroy_session(struct wg_softc *wg, struct wg_session *wgs) 1322 { 1323 struct wg_peer *wgp = wgs->wgs_peer; 1324 struct wg_session *wgs0 __diagused; 1325 void *garbage; 1326 1327 KASSERT(mutex_owned(wgp->wgp_lock)); 1328 KASSERT(wgs->wgs_state != WGS_STATE_UNKNOWN); 1329 1330 /* Remove the session from the table. */ 1331 wgs0 = thmap_del(wg->wg_sessions_byindex, 1332 &wgs->wgs_local_index, sizeof(wgs->wgs_local_index)); 1333 KASSERT(wgs0 == wgs); 1334 garbage = thmap_stage_gc(wg->wg_sessions_byindex); 1335 1336 /* Wait for passive references to drain. */ 1337 pserialize_perform(wgp->wgp_psz); 1338 psref_target_destroy(&wgs->wgs_psref, wg_psref_class); 1339 1340 /* 1341 * Free memory, zero state, and transition to UNKNOWN. We have 1342 * exclusive access to the session now, so there is no need for 1343 * an atomic store. 1344 */ 1345 thmap_gc(wg->wg_sessions_byindex, garbage); 1346 WG_DLOG("session[L=%"PRIx32" R=%"PRIx32"] -> WGS_STATE_UNKNOWN\n", 1347 wgs->wgs_local_index, wgs->wgs_remote_index); 1348 wgs->wgs_local_index = 0; 1349 wgs->wgs_remote_index = 0; 1350 wg_clear_states(wgs); 1351 wgs->wgs_state = WGS_STATE_UNKNOWN; 1352 wgs->wgs_force_rekey = false; 1353 } 1354 1355 /* 1356 * wg_get_session_index(wg, wgs) 1357 * 1358 * Choose a session index for wgs->wgs_local_index, and store it 1359 * in wg's table of sessions by index. 1360 * 1361 * wgs must be the unstable session of its peer, and must be 1362 * transitioning out of the UNKNOWN state. 1363 */ 1364 static void 1365 wg_get_session_index(struct wg_softc *wg, struct wg_session *wgs) 1366 { 1367 struct wg_peer *wgp __diagused = wgs->wgs_peer; 1368 struct wg_session *wgs0; 1369 uint32_t index; 1370 1371 KASSERT(mutex_owned(wgp->wgp_lock)); 1372 KASSERT(wgs == wgp->wgp_session_unstable); 1373 KASSERTMSG(wgs->wgs_state == WGS_STATE_UNKNOWN, "state=%d", 1374 wgs->wgs_state); 1375 1376 do { 1377 /* Pick a uniform random index. */ 1378 index = cprng_strong32(); 1379 1380 /* Try to take it. */ 1381 wgs->wgs_local_index = index; 1382 wgs0 = thmap_put(wg->wg_sessions_byindex, 1383 &wgs->wgs_local_index, sizeof wgs->wgs_local_index, wgs); 1384 1385 /* If someone else beat us, start over. */ 1386 } while (__predict_false(wgs0 != wgs)); 1387 } 1388 1389 /* 1390 * wg_put_session_index(wg, wgs) 1391 * 1392 * Remove wgs from the table of sessions by index, wait for any 1393 * passive references to drain, and transition the session to the 1394 * UNKNOWN state. 1395 * 1396 * wgs must be the unstable session of its peer, and must not be 1397 * UNKNOWN or ESTABLISHED. 1398 */ 1399 static void 1400 wg_put_session_index(struct wg_softc *wg, struct wg_session *wgs) 1401 { 1402 struct wg_peer *wgp __diagused = wgs->wgs_peer; 1403 1404 KASSERT(mutex_owned(wgp->wgp_lock)); 1405 KASSERT(wgs->wgs_state != WGS_STATE_UNKNOWN); 1406 KASSERT(wgs->wgs_state != WGS_STATE_ESTABLISHED); 1407 1408 wg_destroy_session(wg, wgs); 1409 psref_target_init(&wgs->wgs_psref, wg_psref_class); 1410 } 1411 1412 /* 1413 * Handshake patterns 1414 * 1415 * [W] 5: "These messages use the "IK" pattern from Noise" 1416 * [N] 7.5. Interactive handshake patterns (fundamental) 1417 * "The first character refers to the initiator’s static key:" 1418 * "I = Static key for initiator Immediately transmitted to responder, 1419 * despite reduced or absent identity hiding" 1420 * "The second character refers to the responder’s static key:" 1421 * "K = Static key for responder Known to initiator" 1422 * "IK: 1423 * <- s 1424 * ... 1425 * -> e, es, s, ss 1426 * <- e, ee, se" 1427 * [N] 9.4. Pattern modifiers 1428 * "IKpsk2: 1429 * <- s 1430 * ... 1431 * -> e, es, s, ss 1432 * <- e, ee, se, psk" 1433 */ 1434 static void 1435 wg_fill_msg_init(struct wg_softc *wg, struct wg_peer *wgp, 1436 struct wg_session *wgs, struct wg_msg_init *wgmi) 1437 { 1438 uint8_t ckey[WG_CHAINING_KEY_LEN]; /* [W] 5.4.2: Ci */ 1439 uint8_t hash[WG_HASH_LEN]; /* [W] 5.4.2: Hi */ 1440 uint8_t cipher_key[WG_CIPHER_KEY_LEN]; 1441 uint8_t pubkey[WG_EPHEMERAL_KEY_LEN]; 1442 uint8_t privkey[WG_EPHEMERAL_KEY_LEN]; 1443 1444 KASSERT(mutex_owned(wgp->wgp_lock)); 1445 KASSERT(wgs == wgp->wgp_session_unstable); 1446 KASSERTMSG(wgs->wgs_state == WGS_STATE_INIT_ACTIVE, "state=%d", 1447 wgs->wgs_state); 1448 1449 wgmi->wgmi_type = htole32(WG_MSG_TYPE_INIT); 1450 wgmi->wgmi_sender = wgs->wgs_local_index; 1451 1452 /* [W] 5.4.2: First Message: Initiator to Responder */ 1453 1454 /* Ci := HASH(CONSTRUCTION) */ 1455 /* Hi := HASH(Ci || IDENTIFIER) */ 1456 wg_init_key_and_hash(ckey, hash); 1457 /* Hi := HASH(Hi || Sr^pub) */ 1458 wg_algo_hash(hash, wgp->wgp_pubkey, sizeof(wgp->wgp_pubkey)); 1459 1460 WG_DUMP_HASH("hash", hash); 1461 1462 /* [N] 2.2: "e" */ 1463 /* Ei^priv, Ei^pub := DH-GENERATE() */ 1464 wg_algo_generate_keypair(pubkey, privkey); 1465 /* Ci := KDF1(Ci, Ei^pub) */ 1466 wg_algo_kdf(ckey, NULL, NULL, ckey, pubkey, sizeof(pubkey)); 1467 /* msg.ephemeral := Ei^pub */ 1468 memcpy(wgmi->wgmi_ephemeral, pubkey, sizeof(wgmi->wgmi_ephemeral)); 1469 /* Hi := HASH(Hi || msg.ephemeral) */ 1470 wg_algo_hash(hash, pubkey, sizeof(pubkey)); 1471 1472 WG_DUMP_HASH("ckey", ckey); 1473 WG_DUMP_HASH("hash", hash); 1474 1475 /* [N] 2.2: "es" */ 1476 /* Ci, k := KDF2(Ci, DH(Ei^priv, Sr^pub)) */ 1477 wg_algo_dh_kdf(ckey, cipher_key, privkey, wgp->wgp_pubkey); 1478 1479 /* [N] 2.2: "s" */ 1480 /* msg.static := AEAD(k, 0, Si^pub, Hi) */ 1481 wg_algo_aead_enc(wgmi->wgmi_static, sizeof(wgmi->wgmi_static), 1482 cipher_key, 0, wg->wg_pubkey, sizeof(wg->wg_pubkey), 1483 hash, sizeof(hash)); 1484 /* Hi := HASH(Hi || msg.static) */ 1485 wg_algo_hash(hash, wgmi->wgmi_static, sizeof(wgmi->wgmi_static)); 1486 1487 WG_DUMP_HASH48("wgmi_static", wgmi->wgmi_static); 1488 1489 /* [N] 2.2: "ss" */ 1490 /* Ci, k := KDF2(Ci, DH(Si^priv, Sr^pub)) */ 1491 wg_algo_dh_kdf(ckey, cipher_key, wg->wg_privkey, wgp->wgp_pubkey); 1492 1493 /* msg.timestamp := AEAD(k, TIMESTAMP(), Hi) */ 1494 wg_timestamp_t timestamp; 1495 wg_algo_tai64n(timestamp); 1496 wg_algo_aead_enc(wgmi->wgmi_timestamp, sizeof(wgmi->wgmi_timestamp), 1497 cipher_key, 0, timestamp, sizeof(timestamp), hash, sizeof(hash)); 1498 /* Hi := HASH(Hi || msg.timestamp) */ 1499 wg_algo_hash(hash, wgmi->wgmi_timestamp, sizeof(wgmi->wgmi_timestamp)); 1500 1501 /* [W] 5.4.4 Cookie MACs */ 1502 wg_algo_mac_mac1(wgmi->wgmi_mac1, sizeof(wgmi->wgmi_mac1), 1503 wgp->wgp_pubkey, sizeof(wgp->wgp_pubkey), 1504 (const uint8_t *)wgmi, offsetof(struct wg_msg_init, wgmi_mac1)); 1505 /* Need mac1 to decrypt a cookie from a cookie message */ 1506 memcpy(wgp->wgp_last_sent_mac1, wgmi->wgmi_mac1, 1507 sizeof(wgp->wgp_last_sent_mac1)); 1508 wgp->wgp_last_sent_mac1_valid = true; 1509 1510 if (wgp->wgp_latest_cookie_time == 0 || 1511 (time_uptime - wgp->wgp_latest_cookie_time) >= WG_COOKIE_TIME) 1512 memset(wgmi->wgmi_mac2, 0, sizeof(wgmi->wgmi_mac2)); 1513 else { 1514 wg_algo_mac(wgmi->wgmi_mac2, sizeof(wgmi->wgmi_mac2), 1515 wgp->wgp_latest_cookie, WG_COOKIE_LEN, 1516 (const uint8_t *)wgmi, 1517 offsetof(struct wg_msg_init, wgmi_mac2), 1518 NULL, 0); 1519 } 1520 1521 memcpy(wgs->wgs_ephemeral_key_pub, pubkey, sizeof(pubkey)); 1522 memcpy(wgs->wgs_ephemeral_key_priv, privkey, sizeof(privkey)); 1523 memcpy(wgs->wgs_handshake_hash, hash, sizeof(hash)); 1524 memcpy(wgs->wgs_chaining_key, ckey, sizeof(ckey)); 1525 WG_DLOG("%s: sender=%x\n", __func__, wgs->wgs_local_index); 1526 } 1527 1528 /* 1529 * wg_initiator_priority(wg, wgp) 1530 * 1531 * Return true if we claim priority over peer wgp as initiator at 1532 * the moment, false if not. That is, if we and our peer are 1533 * trying to initiate a session, do we ignore the peer's attempt 1534 * and barge ahead with ours, or discard our attempt and accept 1535 * the peer's? 1536 * 1537 * We jointly flip a coin by computing 1538 * 1539 * H(pubkey A) ^ H(pubkey B) ^ H(posix minutes as le64), 1540 * 1541 * and taking the low-order bit. If our public key hash, as a 1542 * 256-bit integer in little-endian, is less than the peer's 1543 * public key hash, also as a 256-bit integer in little-endian, we 1544 * claim priority iff the bit is 0; otherwise we claim priority 1545 * iff the bit is 1. 1546 * 1547 * This way, it is essentially arbitrary who claims priority, and 1548 * it may change (by a coin toss) minute to minute, but both 1549 * parties agree at any given moment -- except possibly at the 1550 * boundary of a minute -- who will take priority. 1551 * 1552 * This is an extension to the WireGuard protocol -- as far as I 1553 * can tell, the protocol whitepaper has no resolution to this 1554 * deadlock scenario. According to the author, `the deadlock 1555 * doesn't happen because of some additional state machine logic, 1556 * and on very small chances that it does, it quickly undoes 1557 * itself.', but this additional state machine logic does not 1558 * appear to be anywhere in the whitepaper, and I don't see how it 1559 * can undo itself until both sides have given up and one side is 1560 * quicker to initiate the next time around. 1561 * 1562 * XXX It might be prudent to put a prefix in the hash input, so 1563 * we avoid accidentally colliding with any other uses of the same 1564 * hash on the same input. But it's best if any changes are 1565 * coordinated, so that peers generally agree on what coin is 1566 * being tossed, instead of tossing their own independent coins 1567 * (which will also converge to working but more slowly over more 1568 * handshake retries). 1569 */ 1570 static bool 1571 wg_initiator_priority(struct wg_softc *wg, struct wg_peer *wgp) 1572 { 1573 const uint64_t now = time_second/60, now_le = htole64(now); 1574 uint8_t h_min; 1575 uint8_t h_local[BLAKE2S_MAX_DIGEST]; 1576 uint8_t h_peer[BLAKE2S_MAX_DIGEST]; 1577 int borrow; 1578 unsigned i; 1579 1580 blake2s(&h_min, 1, NULL, 0, &now_le, sizeof(now_le)); 1581 blake2s(h_local, sizeof(h_local), NULL, 0, 1582 wg->wg_pubkey, sizeof(wg->wg_pubkey)); 1583 blake2s(h_peer, sizeof(h_peer), NULL, 0, 1584 wgp->wgp_pubkey, sizeof(wgp->wgp_pubkey)); 1585 1586 for (borrow = 0, i = 0; i < BLAKE2S_MAX_DIGEST; i++) 1587 borrow = (h_local[i] - h_peer[i] + borrow) >> 8; 1588 1589 return 1 & (h_local[0] ^ h_peer[0] ^ h_min ^ borrow); 1590 } 1591 1592 static void __noinline 1593 wg_handle_msg_init(struct wg_softc *wg, const struct wg_msg_init *wgmi, 1594 const struct sockaddr *src) 1595 { 1596 uint8_t ckey[WG_CHAINING_KEY_LEN]; /* [W] 5.4.2: Ci */ 1597 uint8_t hash[WG_HASH_LEN]; /* [W] 5.4.2: Hi */ 1598 uint8_t cipher_key[WG_CIPHER_KEY_LEN]; 1599 uint8_t peer_pubkey[WG_STATIC_KEY_LEN]; 1600 struct wg_peer *wgp; 1601 struct wg_session *wgs; 1602 int error, ret; 1603 struct psref psref_peer; 1604 uint8_t mac1[WG_MAC_LEN]; 1605 1606 WG_TRACE("init msg received"); 1607 1608 wg_algo_mac_mac1(mac1, sizeof(mac1), 1609 wg->wg_pubkey, sizeof(wg->wg_pubkey), 1610 (const uint8_t *)wgmi, offsetof(struct wg_msg_init, wgmi_mac1)); 1611 1612 /* 1613 * [W] 5.3: Denial of Service Mitigation & Cookies 1614 * "the responder, ..., must always reject messages with an invalid 1615 * msg.mac1" 1616 */ 1617 if (!consttime_memequal(mac1, wgmi->wgmi_mac1, sizeof(mac1))) { 1618 WG_DLOG("mac1 is invalid\n"); 1619 return; 1620 } 1621 1622 /* 1623 * [W] 5.4.2: First Message: Initiator to Responder 1624 * "When the responder receives this message, it does the same 1625 * operations so that its final state variables are identical, 1626 * replacing the operands of the DH function to produce equivalent 1627 * values." 1628 * Note that the following comments of operations are just copies of 1629 * the initiator's ones. 1630 */ 1631 1632 /* Ci := HASH(CONSTRUCTION) */ 1633 /* Hi := HASH(Ci || IDENTIFIER) */ 1634 wg_init_key_and_hash(ckey, hash); 1635 /* Hi := HASH(Hi || Sr^pub) */ 1636 wg_algo_hash(hash, wg->wg_pubkey, sizeof(wg->wg_pubkey)); 1637 1638 /* [N] 2.2: "e" */ 1639 /* Ci := KDF1(Ci, Ei^pub) */ 1640 wg_algo_kdf(ckey, NULL, NULL, ckey, wgmi->wgmi_ephemeral, 1641 sizeof(wgmi->wgmi_ephemeral)); 1642 /* Hi := HASH(Hi || msg.ephemeral) */ 1643 wg_algo_hash(hash, wgmi->wgmi_ephemeral, sizeof(wgmi->wgmi_ephemeral)); 1644 1645 WG_DUMP_HASH("ckey", ckey); 1646 1647 /* [N] 2.2: "es" */ 1648 /* Ci, k := KDF2(Ci, DH(Ei^priv, Sr^pub)) */ 1649 wg_algo_dh_kdf(ckey, cipher_key, wg->wg_privkey, wgmi->wgmi_ephemeral); 1650 1651 WG_DUMP_HASH48("wgmi_static", wgmi->wgmi_static); 1652 1653 /* [N] 2.2: "s" */ 1654 /* msg.static := AEAD(k, 0, Si^pub, Hi) */ 1655 error = wg_algo_aead_dec(peer_pubkey, WG_STATIC_KEY_LEN, cipher_key, 0, 1656 wgmi->wgmi_static, sizeof(wgmi->wgmi_static), hash, sizeof(hash)); 1657 if (error != 0) { 1658 WG_LOG_RATECHECK(&wg->wg_ppsratecheck, LOG_DEBUG, 1659 "%s: wg_algo_aead_dec for secret key failed\n", 1660 if_name(&wg->wg_if)); 1661 return; 1662 } 1663 /* Hi := HASH(Hi || msg.static) */ 1664 wg_algo_hash(hash, wgmi->wgmi_static, sizeof(wgmi->wgmi_static)); 1665 1666 wgp = wg_lookup_peer_by_pubkey(wg, peer_pubkey, &psref_peer); 1667 if (wgp == NULL) { 1668 WG_DLOG("peer not found\n"); 1669 return; 1670 } 1671 1672 /* 1673 * Lock the peer to serialize access to cookie state. 1674 * 1675 * XXX Can we safely avoid holding the lock across DH? Take it 1676 * just to verify mac2 and then unlock/DH/lock? 1677 */ 1678 mutex_enter(wgp->wgp_lock); 1679 1680 if (__predict_false(wg_is_underload(wg, wgp, WG_MSG_TYPE_INIT))) { 1681 WG_TRACE("under load"); 1682 /* 1683 * [W] 5.3: Denial of Service Mitigation & Cookies 1684 * "the responder, ..., and when under load may reject messages 1685 * with an invalid msg.mac2. If the responder receives a 1686 * message with a valid msg.mac1 yet with an invalid msg.mac2, 1687 * and is under load, it may respond with a cookie reply 1688 * message" 1689 */ 1690 uint8_t zero[WG_MAC_LEN] = {0}; 1691 if (consttime_memequal(wgmi->wgmi_mac2, zero, sizeof(zero))) { 1692 WG_TRACE("sending a cookie message: no cookie included"); 1693 wg_send_cookie_msg(wg, wgp, wgmi->wgmi_sender, 1694 wgmi->wgmi_mac1, src); 1695 goto out; 1696 } 1697 if (!wgp->wgp_last_sent_cookie_valid) { 1698 WG_TRACE("sending a cookie message: no cookie sent ever"); 1699 wg_send_cookie_msg(wg, wgp, wgmi->wgmi_sender, 1700 wgmi->wgmi_mac1, src); 1701 goto out; 1702 } 1703 uint8_t mac2[WG_MAC_LEN]; 1704 wg_algo_mac(mac2, sizeof(mac2), wgp->wgp_last_sent_cookie, 1705 WG_COOKIE_LEN, (const uint8_t *)wgmi, 1706 offsetof(struct wg_msg_init, wgmi_mac2), NULL, 0); 1707 if (!consttime_memequal(mac2, wgmi->wgmi_mac2, sizeof(mac2))) { 1708 WG_DLOG("mac2 is invalid\n"); 1709 goto out; 1710 } 1711 WG_TRACE("under load, but continue to sending"); 1712 } 1713 1714 /* [N] 2.2: "ss" */ 1715 /* Ci, k := KDF2(Ci, DH(Si^priv, Sr^pub)) */ 1716 wg_algo_dh_kdf(ckey, cipher_key, wg->wg_privkey, wgp->wgp_pubkey); 1717 1718 /* msg.timestamp := AEAD(k, TIMESTAMP(), Hi) */ 1719 wg_timestamp_t timestamp; 1720 error = wg_algo_aead_dec(timestamp, sizeof(timestamp), cipher_key, 0, 1721 wgmi->wgmi_timestamp, sizeof(wgmi->wgmi_timestamp), 1722 hash, sizeof(hash)); 1723 if (error != 0) { 1724 WG_LOG_RATECHECK(&wgp->wgp_ppsratecheck, LOG_DEBUG, 1725 "%s: peer %s: wg_algo_aead_dec for timestamp failed\n", 1726 if_name(&wg->wg_if), wgp->wgp_name); 1727 goto out; 1728 } 1729 /* Hi := HASH(Hi || msg.timestamp) */ 1730 wg_algo_hash(hash, wgmi->wgmi_timestamp, sizeof(wgmi->wgmi_timestamp)); 1731 1732 /* 1733 * [W] 5.1 "The responder keeps track of the greatest timestamp 1734 * received per peer and discards packets containing 1735 * timestamps less than or equal to it." 1736 */ 1737 ret = memcmp(timestamp, wgp->wgp_timestamp_latest_init, 1738 sizeof(timestamp)); 1739 if (ret <= 0) { 1740 WG_LOG_RATECHECK(&wgp->wgp_ppsratecheck, LOG_DEBUG, 1741 "%s: peer %s: invalid init msg: timestamp is old\n", 1742 if_name(&wg->wg_if), wgp->wgp_name); 1743 goto out; 1744 } 1745 memcpy(wgp->wgp_timestamp_latest_init, timestamp, sizeof(timestamp)); 1746 1747 /* 1748 * Message is good -- we're committing to handle it now, unless 1749 * we were already initiating a session. 1750 */ 1751 wgs = wgp->wgp_session_unstable; 1752 switch (wgs->wgs_state) { 1753 case WGS_STATE_UNKNOWN: /* new session initiated by peer */ 1754 break; 1755 case WGS_STATE_INIT_ACTIVE: /* we're already initiating */ 1756 if (wg_initiator_priority(wg, wgp)) { 1757 WG_TRACE("Session already initializing," 1758 " ignoring the message"); 1759 goto out; 1760 } 1761 WG_TRACE("Yielding session initiation to peer"); 1762 wg_put_session_index(wg, wgs); 1763 KASSERTMSG(wgs->wgs_state == WGS_STATE_UNKNOWN, "state=%d", 1764 wgs->wgs_state); 1765 break; 1766 case WGS_STATE_INIT_PASSIVE: /* peer is retrying, start over */ 1767 WG_TRACE("Session already initializing, destroying old states"); 1768 /* 1769 * XXX Avoid this -- just resend our response -- if the 1770 * INIT message is identical to the previous one. 1771 */ 1772 wg_put_session_index(wg, wgs); 1773 KASSERTMSG(wgs->wgs_state == WGS_STATE_UNKNOWN, "state=%d", 1774 wgs->wgs_state); 1775 break; 1776 case WGS_STATE_ESTABLISHED: /* can't happen */ 1777 panic("unstable session can't be established"); 1778 case WGS_STATE_DESTROYING: /* rekey initiated by peer */ 1779 WG_TRACE("Session destroying, but force to clear"); 1780 wg_put_session_index(wg, wgs); 1781 KASSERTMSG(wgs->wgs_state == WGS_STATE_UNKNOWN, "state=%d", 1782 wgs->wgs_state); 1783 break; 1784 default: 1785 panic("invalid session state: %d", wgs->wgs_state); 1786 } 1787 1788 /* 1789 * Assign a fresh session index. 1790 */ 1791 KASSERTMSG(wgs->wgs_state == WGS_STATE_UNKNOWN, "state=%d", 1792 wgs->wgs_state); 1793 wg_get_session_index(wg, wgs); 1794 1795 memcpy(wgs->wgs_handshake_hash, hash, sizeof(hash)); 1796 memcpy(wgs->wgs_chaining_key, ckey, sizeof(ckey)); 1797 memcpy(wgs->wgs_ephemeral_key_peer, wgmi->wgmi_ephemeral, 1798 sizeof(wgmi->wgmi_ephemeral)); 1799 1800 /* 1801 * The packet is genuine. Update the peer's endpoint if the 1802 * source address changed. 1803 * 1804 * XXX How to prevent DoS by replaying genuine packets from the 1805 * wrong source address? 1806 */ 1807 wg_update_endpoint_if_necessary(wgp, src); 1808 1809 /* 1810 * Even though we don't transition from INIT_PASSIVE to 1811 * ESTABLISHED until we receive the first data packet from the 1812 * initiator, we count the time of the INIT message as the time 1813 * of establishment -- this is used to decide when to erase 1814 * keys, and we want to start counting as soon as we have 1815 * generated keys. 1816 */ 1817 wgs->wgs_time_established = time_uptime32; 1818 wg_schedule_session_dtor_timer(wgp); 1819 1820 /* 1821 * Respond to the initiator with our ephemeral public key. 1822 */ 1823 wg_send_handshake_msg_resp(wg, wgp, wgs, wgmi); 1824 1825 WG_DLOG("session[L=%"PRIx32" R=%"PRIx32"]:" 1826 " calculate keys as responder\n", 1827 wgs->wgs_local_index, wgs->wgs_remote_index); 1828 wg_calculate_keys(wgs, false); 1829 wg_clear_states(wgs); 1830 1831 /* 1832 * Session is ready to receive data now that we have received 1833 * the peer initiator's ephemeral key pair, generated our 1834 * responder's ephemeral key pair, and derived a session key. 1835 * 1836 * Transition from UNKNOWN to INIT_PASSIVE to publish it to the 1837 * data rx path, wg_handle_msg_data, where the 1838 * atomic_load_acquire matching this atomic_store_release 1839 * happens. 1840 * 1841 * (Session is not, however, ready to send data until the peer 1842 * has acknowledged our response by sending its first data 1843 * packet. So don't swap the sessions yet.) 1844 */ 1845 WG_DLOG("session[L=%"PRIx32" R=%"PRIx32"] -> WGS_STATE_INIT_PASSIVE\n", 1846 wgs->wgs_local_index, wgs->wgs_remote_index); 1847 atomic_store_release(&wgs->wgs_state, WGS_STATE_INIT_PASSIVE); 1848 WG_TRACE("WGS_STATE_INIT_PASSIVE"); 1849 1850 out: 1851 mutex_exit(wgp->wgp_lock); 1852 wg_put_peer(wgp, &psref_peer); 1853 } 1854 1855 static struct socket * 1856 wg_get_so_by_af(struct wg_softc *wg, const int af) 1857 { 1858 1859 switch (af) { 1860 #ifdef INET 1861 case AF_INET: 1862 return wg->wg_so4; 1863 #endif 1864 #ifdef INET6 1865 case AF_INET6: 1866 return wg->wg_so6; 1867 #endif 1868 default: 1869 panic("wg: no such af: %d", af); 1870 } 1871 } 1872 1873 static struct socket * 1874 wg_get_so_by_peer(struct wg_peer *wgp, struct wg_sockaddr *wgsa) 1875 { 1876 1877 return wg_get_so_by_af(wgp->wgp_sc, wgsa_family(wgsa)); 1878 } 1879 1880 static struct wg_sockaddr * 1881 wg_get_endpoint_sa(struct wg_peer *wgp, struct psref *psref) 1882 { 1883 struct wg_sockaddr *wgsa; 1884 int s; 1885 1886 s = pserialize_read_enter(); 1887 wgsa = atomic_load_consume(&wgp->wgp_endpoint); 1888 psref_acquire(psref, &wgsa->wgsa_psref, wg_psref_class); 1889 pserialize_read_exit(s); 1890 1891 return wgsa; 1892 } 1893 1894 static void 1895 wg_put_sa(struct wg_peer *wgp, struct wg_sockaddr *wgsa, struct psref *psref) 1896 { 1897 1898 psref_release(psref, &wgsa->wgsa_psref, wg_psref_class); 1899 } 1900 1901 static int 1902 wg_send_hs(struct wg_peer *wgp, struct mbuf *m) 1903 { 1904 int error; 1905 struct socket *so; 1906 struct psref psref; 1907 struct wg_sockaddr *wgsa; 1908 1909 wgsa = wg_get_endpoint_sa(wgp, &psref); 1910 #ifdef WG_DEBUG_LOG 1911 char addr[128]; 1912 sockaddr_format(wgsatosa(wgsa), addr, sizeof(addr)); 1913 WG_DLOG("send handshake msg to %s\n", addr); 1914 #endif 1915 so = wg_get_so_by_peer(wgp, wgsa); 1916 error = sosend(so, wgsatosa(wgsa), NULL, m, NULL, 0, curlwp); 1917 wg_put_sa(wgp, wgsa, &psref); 1918 1919 return error; 1920 } 1921 1922 static void 1923 wg_send_handshake_msg_init(struct wg_softc *wg, struct wg_peer *wgp) 1924 { 1925 int error; 1926 struct mbuf *m; 1927 struct wg_msg_init *wgmi; 1928 struct wg_session *wgs; 1929 1930 KASSERT(mutex_owned(wgp->wgp_lock)); 1931 1932 wgs = wgp->wgp_session_unstable; 1933 /* XXX pull dispatch out into wg_task_send_init_message */ 1934 switch (wgs->wgs_state) { 1935 case WGS_STATE_UNKNOWN: /* new session initiated by us */ 1936 break; 1937 case WGS_STATE_INIT_ACTIVE: /* we're already initiating, stop */ 1938 WG_TRACE("Session already initializing, skip starting new one"); 1939 return; 1940 case WGS_STATE_INIT_PASSIVE: /* peer was trying -- XXX what now? */ 1941 WG_TRACE("Session already initializing, waiting for peer"); 1942 return; 1943 case WGS_STATE_ESTABLISHED: /* can't happen */ 1944 panic("unstable session can't be established"); 1945 case WGS_STATE_DESTROYING: /* rekey initiated by us too early */ 1946 WG_TRACE("Session destroying"); 1947 wg_put_session_index(wg, wgs); 1948 KASSERTMSG(wgs->wgs_state == WGS_STATE_UNKNOWN, "state=%d", 1949 wgs->wgs_state); 1950 break; 1951 } 1952 1953 /* 1954 * Assign a fresh session index. 1955 */ 1956 KASSERTMSG(wgs->wgs_state == WGS_STATE_UNKNOWN, "state=%d", 1957 wgs->wgs_state); 1958 wg_get_session_index(wg, wgs); 1959 1960 /* 1961 * We have initiated a session. Transition to INIT_ACTIVE. 1962 * This doesn't publish it for use in the data rx path, 1963 * wg_handle_msg_data, or in the data tx path, wg_output -- we 1964 * have to wait for the peer to respond with their ephemeral 1965 * public key before we can derive a session key for tx/rx. 1966 * Hence only atomic_store_relaxed. 1967 */ 1968 WG_DLOG("session[L=%"PRIx32" R=(unknown)] -> WGS_STATE_INIT_ACTIVE\n", 1969 wgs->wgs_local_index); 1970 atomic_store_relaxed(&wgs->wgs_state, WGS_STATE_INIT_ACTIVE); 1971 1972 m = m_gethdr(M_WAIT, MT_DATA); 1973 if (sizeof(*wgmi) > MHLEN) { 1974 m_clget(m, M_WAIT); 1975 CTASSERT(sizeof(*wgmi) <= MCLBYTES); 1976 } 1977 m->m_pkthdr.len = m->m_len = sizeof(*wgmi); 1978 wgmi = mtod(m, struct wg_msg_init *); 1979 wg_fill_msg_init(wg, wgp, wgs, wgmi); 1980 1981 error = wg->wg_ops->send_hs_msg(wgp, m); /* consumes m */ 1982 if (error) { 1983 /* 1984 * Sending out an initiation packet failed; give up on 1985 * this session and toss packet waiting for it if any. 1986 * 1987 * XXX Why don't we just let the periodic handshake 1988 * retry logic work in this case? 1989 */ 1990 WG_DLOG("send_hs_msg failed, error=%d\n", error); 1991 wg_put_session_index(wg, wgs); 1992 m = atomic_swap_ptr(&wgp->wgp_pending, NULL); 1993 membar_acquire(); /* matches membar_release in wgintr */ 1994 m_freem(m); 1995 return; 1996 } 1997 1998 WG_TRACE("init msg sent"); 1999 if (wgp->wgp_handshake_start_time == 0) 2000 wgp->wgp_handshake_start_time = time_uptime; 2001 callout_schedule(&wgp->wgp_handshake_timeout_timer, 2002 MIN(wg_rekey_timeout, (unsigned)(INT_MAX / hz)) * hz); 2003 } 2004 2005 static void 2006 wg_fill_msg_resp(struct wg_softc *wg, struct wg_peer *wgp, 2007 struct wg_session *wgs, struct wg_msg_resp *wgmr, 2008 const struct wg_msg_init *wgmi) 2009 { 2010 uint8_t ckey[WG_CHAINING_KEY_LEN]; /* [W] 5.4.3: Cr */ 2011 uint8_t hash[WG_HASH_LEN]; /* [W] 5.4.3: Hr */ 2012 uint8_t cipher_key[WG_KDF_OUTPUT_LEN]; 2013 uint8_t pubkey[WG_EPHEMERAL_KEY_LEN]; 2014 uint8_t privkey[WG_EPHEMERAL_KEY_LEN]; 2015 2016 KASSERT(mutex_owned(wgp->wgp_lock)); 2017 KASSERT(wgs == wgp->wgp_session_unstable); 2018 KASSERTMSG(wgs->wgs_state == WGS_STATE_UNKNOWN, "state=%d", 2019 wgs->wgs_state); 2020 2021 memcpy(hash, wgs->wgs_handshake_hash, sizeof(hash)); 2022 memcpy(ckey, wgs->wgs_chaining_key, sizeof(ckey)); 2023 2024 wgmr->wgmr_type = htole32(WG_MSG_TYPE_RESP); 2025 wgmr->wgmr_sender = wgs->wgs_local_index; 2026 wgmr->wgmr_receiver = wgmi->wgmi_sender; 2027 2028 /* [W] 5.4.3 Second Message: Responder to Initiator */ 2029 2030 /* [N] 2.2: "e" */ 2031 /* Er^priv, Er^pub := DH-GENERATE() */ 2032 wg_algo_generate_keypair(pubkey, privkey); 2033 /* Cr := KDF1(Cr, Er^pub) */ 2034 wg_algo_kdf(ckey, NULL, NULL, ckey, pubkey, sizeof(pubkey)); 2035 /* msg.ephemeral := Er^pub */ 2036 memcpy(wgmr->wgmr_ephemeral, pubkey, sizeof(wgmr->wgmr_ephemeral)); 2037 /* Hr := HASH(Hr || msg.ephemeral) */ 2038 wg_algo_hash(hash, pubkey, sizeof(pubkey)); 2039 2040 WG_DUMP_HASH("ckey", ckey); 2041 WG_DUMP_HASH("hash", hash); 2042 2043 /* [N] 2.2: "ee" */ 2044 /* Cr := KDF1(Cr, DH(Er^priv, Ei^pub)) */ 2045 wg_algo_dh_kdf(ckey, NULL, privkey, wgs->wgs_ephemeral_key_peer); 2046 2047 /* [N] 2.2: "se" */ 2048 /* Cr := KDF1(Cr, DH(Er^priv, Si^pub)) */ 2049 wg_algo_dh_kdf(ckey, NULL, privkey, wgp->wgp_pubkey); 2050 2051 /* [N] 9.2: "psk" */ 2052 { 2053 uint8_t kdfout[WG_KDF_OUTPUT_LEN]; 2054 /* Cr, r, k := KDF3(Cr, Q) */ 2055 wg_algo_kdf(ckey, kdfout, cipher_key, ckey, wgp->wgp_psk, 2056 sizeof(wgp->wgp_psk)); 2057 /* Hr := HASH(Hr || r) */ 2058 wg_algo_hash(hash, kdfout, sizeof(kdfout)); 2059 } 2060 2061 /* msg.empty := AEAD(k, 0, e, Hr) */ 2062 wg_algo_aead_enc(wgmr->wgmr_empty, sizeof(wgmr->wgmr_empty), 2063 cipher_key, 0, NULL, 0, hash, sizeof(hash)); 2064 /* Hr := HASH(Hr || msg.empty) */ 2065 wg_algo_hash(hash, wgmr->wgmr_empty, sizeof(wgmr->wgmr_empty)); 2066 2067 WG_DUMP_HASH("wgmr_empty", wgmr->wgmr_empty); 2068 2069 /* [W] 5.4.4: Cookie MACs */ 2070 /* msg.mac1 := MAC(HASH(LABEL-MAC1 || Sm'^pub), msg_a) */ 2071 wg_algo_mac_mac1(wgmr->wgmr_mac1, sizeof(wgmi->wgmi_mac1), 2072 wgp->wgp_pubkey, sizeof(wgp->wgp_pubkey), 2073 (const uint8_t *)wgmr, offsetof(struct wg_msg_resp, wgmr_mac1)); 2074 /* Need mac1 to decrypt a cookie from a cookie message */ 2075 memcpy(wgp->wgp_last_sent_mac1, wgmr->wgmr_mac1, 2076 sizeof(wgp->wgp_last_sent_mac1)); 2077 wgp->wgp_last_sent_mac1_valid = true; 2078 2079 if (wgp->wgp_latest_cookie_time == 0 || 2080 (time_uptime - wgp->wgp_latest_cookie_time) >= WG_COOKIE_TIME) 2081 /* msg.mac2 := 0^16 */ 2082 memset(wgmr->wgmr_mac2, 0, sizeof(wgmr->wgmr_mac2)); 2083 else { 2084 /* msg.mac2 := MAC(Lm, msg_b) */ 2085 wg_algo_mac(wgmr->wgmr_mac2, sizeof(wgmi->wgmi_mac2), 2086 wgp->wgp_latest_cookie, WG_COOKIE_LEN, 2087 (const uint8_t *)wgmr, 2088 offsetof(struct wg_msg_resp, wgmr_mac2), 2089 NULL, 0); 2090 } 2091 2092 memcpy(wgs->wgs_handshake_hash, hash, sizeof(hash)); 2093 memcpy(wgs->wgs_chaining_key, ckey, sizeof(ckey)); 2094 memcpy(wgs->wgs_ephemeral_key_pub, pubkey, sizeof(pubkey)); 2095 memcpy(wgs->wgs_ephemeral_key_priv, privkey, sizeof(privkey)); 2096 wgs->wgs_remote_index = wgmi->wgmi_sender; 2097 WG_DLOG("sender=%x\n", wgs->wgs_local_index); 2098 WG_DLOG("receiver=%x\n", wgs->wgs_remote_index); 2099 } 2100 2101 /* 2102 * wg_swap_sessions(wg, wgp) 2103 * 2104 * Caller has just finished establishing the unstable session in 2105 * wg for peer wgp. Publish it as the stable session, send queued 2106 * packets or keepalives as necessary to kick off the session, 2107 * move the previously stable session to unstable, and begin 2108 * destroying it. 2109 */ 2110 static void 2111 wg_swap_sessions(struct wg_softc *wg, struct wg_peer *wgp) 2112 { 2113 struct wg_session *wgs, *wgs_prev; 2114 struct mbuf *m; 2115 2116 KASSERT(mutex_owned(wgp->wgp_lock)); 2117 2118 /* 2119 * Get the newly established session, to become the new 2120 * session. Caller must have transitioned from INIT_ACTIVE to 2121 * INIT_PASSIVE or to ESTABLISHED already. This will become 2122 * the stable session. 2123 */ 2124 wgs = wgp->wgp_session_unstable; 2125 KASSERTMSG(wgs->wgs_state == WGS_STATE_ESTABLISHED, "state=%d", 2126 wgs->wgs_state); 2127 2128 /* 2129 * Get the stable session, which is either the previously 2130 * established session in the ESTABLISHED state, or has not 2131 * been established at all and is UNKNOWN. This will become 2132 * the unstable session. 2133 */ 2134 wgs_prev = wgp->wgp_session_stable; 2135 KASSERTMSG((wgs_prev->wgs_state == WGS_STATE_ESTABLISHED || 2136 wgs_prev->wgs_state == WGS_STATE_UNKNOWN), 2137 "state=%d", wgs_prev->wgs_state); 2138 2139 /* 2140 * Publish the newly established session for the tx path to use 2141 * and make the other one the unstable session to handle 2142 * stragglers in the rx path and later be used for the next 2143 * session's handshake. 2144 */ 2145 atomic_store_release(&wgp->wgp_session_stable, wgs); 2146 wgp->wgp_session_unstable = wgs_prev; 2147 2148 /* 2149 * Record the handshake time and reset the handshake state. 2150 */ 2151 getnanotime(&wgp->wgp_last_handshake_time); 2152 wgp->wgp_handshake_start_time = 0; 2153 wgp->wgp_last_sent_mac1_valid = false; 2154 wgp->wgp_last_sent_cookie_valid = false; 2155 2156 /* 2157 * If we had a data packet queued up, send it. 2158 * 2159 * If not, but we're the initiator, send a keepalive message -- 2160 * if we're the initiator we have to send something immediately 2161 * or else the responder will never answer. 2162 */ 2163 if ((m = atomic_swap_ptr(&wgp->wgp_pending, NULL)) != NULL) { 2164 membar_acquire(); /* matches membar_release in wgintr */ 2165 wg_send_data_msg(wgp, wgs, m); /* consumes m */ 2166 m = NULL; 2167 } else if (wgs->wgs_is_initiator) { 2168 wg_send_keepalive_msg(wgp, wgs); 2169 } 2170 2171 /* 2172 * If the previous stable session was established, begin to 2173 * destroy it. 2174 */ 2175 if (wgs_prev->wgs_state == WGS_STATE_ESTABLISHED) { 2176 /* 2177 * Transition ESTABLISHED->DESTROYING. The session 2178 * will remain usable for the data rx path to process 2179 * packets still in flight to us, but we won't use it 2180 * for data tx. 2181 */ 2182 WG_DLOG("session[L=%"PRIx32" R=%"PRIx32"]" 2183 " -> WGS_STATE_DESTROYING\n", 2184 wgs_prev->wgs_local_index, wgs_prev->wgs_remote_index); 2185 atomic_store_relaxed(&wgs_prev->wgs_state, 2186 WGS_STATE_DESTROYING); 2187 } else { 2188 KASSERTMSG(wgs_prev->wgs_state == WGS_STATE_UNKNOWN, 2189 "state=%d", wgs_prev->wgs_state); 2190 wgs_prev->wgs_local_index = 0; /* paranoia */ 2191 wgs_prev->wgs_remote_index = 0; /* paranoia */ 2192 wg_clear_states(wgs_prev); /* paranoia */ 2193 wgs_prev->wgs_state = WGS_STATE_UNKNOWN; 2194 } 2195 } 2196 2197 static void __noinline 2198 wg_handle_msg_resp(struct wg_softc *wg, const struct wg_msg_resp *wgmr, 2199 const struct sockaddr *src) 2200 { 2201 uint8_t ckey[WG_CHAINING_KEY_LEN]; /* [W] 5.4.3: Cr */ 2202 uint8_t hash[WG_HASH_LEN]; /* [W] 5.4.3: Kr */ 2203 uint8_t cipher_key[WG_KDF_OUTPUT_LEN]; 2204 struct wg_peer *wgp; 2205 struct wg_session *wgs; 2206 struct psref psref; 2207 int error; 2208 uint8_t mac1[WG_MAC_LEN]; 2209 2210 wg_algo_mac_mac1(mac1, sizeof(mac1), 2211 wg->wg_pubkey, sizeof(wg->wg_pubkey), 2212 (const uint8_t *)wgmr, offsetof(struct wg_msg_resp, wgmr_mac1)); 2213 2214 /* 2215 * [W] 5.3: Denial of Service Mitigation & Cookies 2216 * "the responder, ..., must always reject messages with an invalid 2217 * msg.mac1" 2218 */ 2219 if (!consttime_memequal(mac1, wgmr->wgmr_mac1, sizeof(mac1))) { 2220 WG_DLOG("mac1 is invalid\n"); 2221 return; 2222 } 2223 2224 WG_TRACE("resp msg received"); 2225 wgs = wg_lookup_session_by_index(wg, wgmr->wgmr_receiver, &psref); 2226 if (wgs == NULL) { 2227 WG_TRACE("No session found"); 2228 return; 2229 } 2230 2231 wgp = wgs->wgs_peer; 2232 2233 mutex_enter(wgp->wgp_lock); 2234 2235 /* If we weren't waiting for a handshake response, drop it. */ 2236 if (wgs->wgs_state != WGS_STATE_INIT_ACTIVE) { 2237 WG_TRACE("peer sent spurious handshake response, ignoring"); 2238 goto out; 2239 } 2240 2241 if (__predict_false(wg_is_underload(wg, wgp, WG_MSG_TYPE_RESP))) { 2242 WG_TRACE("under load"); 2243 /* 2244 * [W] 5.3: Denial of Service Mitigation & Cookies 2245 * "the responder, ..., and when under load may reject messages 2246 * with an invalid msg.mac2. If the responder receives a 2247 * message with a valid msg.mac1 yet with an invalid msg.mac2, 2248 * and is under load, it may respond with a cookie reply 2249 * message" 2250 */ 2251 uint8_t zero[WG_MAC_LEN] = {0}; 2252 if (consttime_memequal(wgmr->wgmr_mac2, zero, sizeof(zero))) { 2253 WG_TRACE("sending a cookie message: no cookie included"); 2254 wg_send_cookie_msg(wg, wgp, wgmr->wgmr_sender, 2255 wgmr->wgmr_mac1, src); 2256 goto out; 2257 } 2258 if (!wgp->wgp_last_sent_cookie_valid) { 2259 WG_TRACE("sending a cookie message: no cookie sent ever"); 2260 wg_send_cookie_msg(wg, wgp, wgmr->wgmr_sender, 2261 wgmr->wgmr_mac1, src); 2262 goto out; 2263 } 2264 uint8_t mac2[WG_MAC_LEN]; 2265 wg_algo_mac(mac2, sizeof(mac2), wgp->wgp_last_sent_cookie, 2266 WG_COOKIE_LEN, (const uint8_t *)wgmr, 2267 offsetof(struct wg_msg_resp, wgmr_mac2), NULL, 0); 2268 if (!consttime_memequal(mac2, wgmr->wgmr_mac2, sizeof(mac2))) { 2269 WG_DLOG("mac2 is invalid\n"); 2270 goto out; 2271 } 2272 WG_TRACE("under load, but continue to sending"); 2273 } 2274 2275 memcpy(hash, wgs->wgs_handshake_hash, sizeof(hash)); 2276 memcpy(ckey, wgs->wgs_chaining_key, sizeof(ckey)); 2277 2278 /* 2279 * [W] 5.4.3 Second Message: Responder to Initiator 2280 * "When the initiator receives this message, it does the same 2281 * operations so that its final state variables are identical, 2282 * replacing the operands of the DH function to produce equivalent 2283 * values." 2284 * Note that the following comments of operations are just copies of 2285 * the initiator's ones. 2286 */ 2287 2288 /* [N] 2.2: "e" */ 2289 /* Cr := KDF1(Cr, Er^pub) */ 2290 wg_algo_kdf(ckey, NULL, NULL, ckey, wgmr->wgmr_ephemeral, 2291 sizeof(wgmr->wgmr_ephemeral)); 2292 /* Hr := HASH(Hr || msg.ephemeral) */ 2293 wg_algo_hash(hash, wgmr->wgmr_ephemeral, sizeof(wgmr->wgmr_ephemeral)); 2294 2295 WG_DUMP_HASH("ckey", ckey); 2296 WG_DUMP_HASH("hash", hash); 2297 2298 /* [N] 2.2: "ee" */ 2299 /* Cr := KDF1(Cr, DH(Er^priv, Ei^pub)) */ 2300 wg_algo_dh_kdf(ckey, NULL, wgs->wgs_ephemeral_key_priv, 2301 wgmr->wgmr_ephemeral); 2302 2303 /* [N] 2.2: "se" */ 2304 /* Cr := KDF1(Cr, DH(Er^priv, Si^pub)) */ 2305 wg_algo_dh_kdf(ckey, NULL, wg->wg_privkey, wgmr->wgmr_ephemeral); 2306 2307 /* [N] 9.2: "psk" */ 2308 { 2309 uint8_t kdfout[WG_KDF_OUTPUT_LEN]; 2310 /* Cr, r, k := KDF3(Cr, Q) */ 2311 wg_algo_kdf(ckey, kdfout, cipher_key, ckey, wgp->wgp_psk, 2312 sizeof(wgp->wgp_psk)); 2313 /* Hr := HASH(Hr || r) */ 2314 wg_algo_hash(hash, kdfout, sizeof(kdfout)); 2315 } 2316 2317 { 2318 uint8_t out[sizeof(wgmr->wgmr_empty)]; /* for safety */ 2319 /* msg.empty := AEAD(k, 0, e, Hr) */ 2320 error = wg_algo_aead_dec(out, 0, cipher_key, 0, wgmr->wgmr_empty, 2321 sizeof(wgmr->wgmr_empty), hash, sizeof(hash)); 2322 WG_DUMP_HASH("wgmr_empty", wgmr->wgmr_empty); 2323 if (error != 0) { 2324 WG_LOG_RATECHECK(&wgp->wgp_ppsratecheck, LOG_DEBUG, 2325 "%s: peer %s: wg_algo_aead_dec for empty message failed\n", 2326 if_name(&wg->wg_if), wgp->wgp_name); 2327 goto out; 2328 } 2329 /* Hr := HASH(Hr || msg.empty) */ 2330 wg_algo_hash(hash, wgmr->wgmr_empty, sizeof(wgmr->wgmr_empty)); 2331 } 2332 2333 memcpy(wgs->wgs_handshake_hash, hash, sizeof(wgs->wgs_handshake_hash)); 2334 memcpy(wgs->wgs_chaining_key, ckey, sizeof(wgs->wgs_chaining_key)); 2335 wgs->wgs_remote_index = wgmr->wgmr_sender; 2336 WG_DLOG("receiver=%x\n", wgs->wgs_remote_index); 2337 2338 /* 2339 * The packet is genuine. Update the peer's endpoint if the 2340 * source address changed. 2341 * 2342 * XXX How to prevent DoS by replaying genuine packets from the 2343 * wrong source address? 2344 */ 2345 wg_update_endpoint_if_necessary(wgp, src); 2346 2347 KASSERTMSG(wgs->wgs_state == WGS_STATE_INIT_ACTIVE, "state=%d", 2348 wgs->wgs_state); 2349 wgs->wgs_time_established = time_uptime32; 2350 wg_schedule_session_dtor_timer(wgp); 2351 wgs->wgs_time_last_data_sent = 0; 2352 wgs->wgs_is_initiator = true; 2353 WG_DLOG("session[L=%"PRIx32" R=%"PRIx32"]:" 2354 " calculate keys as initiator\n", 2355 wgs->wgs_local_index, wgs->wgs_remote_index); 2356 wg_calculate_keys(wgs, true); 2357 wg_clear_states(wgs); 2358 2359 /* 2360 * Session is ready to receive data now that we have received 2361 * the responder's response. 2362 * 2363 * Transition from INIT_ACTIVE to ESTABLISHED to publish it to 2364 * the data rx path, wg_handle_msg_data. 2365 */ 2366 WG_DLOG("session[L=%"PRIx32" R=%"PRIx32" -> WGS_STATE_ESTABLISHED\n", 2367 wgs->wgs_local_index, wgs->wgs_remote_index); 2368 atomic_store_release(&wgs->wgs_state, WGS_STATE_ESTABLISHED); 2369 WG_TRACE("WGS_STATE_ESTABLISHED"); 2370 2371 callout_halt(&wgp->wgp_handshake_timeout_timer, NULL); 2372 2373 /* 2374 * Session is ready to send data now that we have received the 2375 * responder's response. 2376 * 2377 * Swap the sessions to publish the new one as the stable 2378 * session for the data tx path, wg_output. 2379 */ 2380 wg_swap_sessions(wg, wgp); 2381 KASSERT(wgs == wgp->wgp_session_stable); 2382 2383 out: 2384 mutex_exit(wgp->wgp_lock); 2385 wg_put_session(wgs, &psref); 2386 } 2387 2388 static void 2389 wg_send_handshake_msg_resp(struct wg_softc *wg, struct wg_peer *wgp, 2390 struct wg_session *wgs, const struct wg_msg_init *wgmi) 2391 { 2392 int error; 2393 struct mbuf *m; 2394 struct wg_msg_resp *wgmr; 2395 2396 KASSERT(mutex_owned(wgp->wgp_lock)); 2397 KASSERT(wgs == wgp->wgp_session_unstable); 2398 KASSERTMSG(wgs->wgs_state == WGS_STATE_UNKNOWN, "state=%d", 2399 wgs->wgs_state); 2400 2401 m = m_gethdr(M_WAIT, MT_DATA); 2402 if (sizeof(*wgmr) > MHLEN) { 2403 m_clget(m, M_WAIT); 2404 CTASSERT(sizeof(*wgmr) <= MCLBYTES); 2405 } 2406 m->m_pkthdr.len = m->m_len = sizeof(*wgmr); 2407 wgmr = mtod(m, struct wg_msg_resp *); 2408 wg_fill_msg_resp(wg, wgp, wgs, wgmr, wgmi); 2409 2410 error = wg->wg_ops->send_hs_msg(wgp, m); /* consumes m */ 2411 if (error) { 2412 WG_DLOG("send_hs_msg failed, error=%d\n", error); 2413 return; 2414 } 2415 2416 WG_TRACE("resp msg sent"); 2417 } 2418 2419 static struct wg_peer * 2420 wg_lookup_peer_by_pubkey(struct wg_softc *wg, 2421 const uint8_t pubkey[static WG_STATIC_KEY_LEN], struct psref *psref) 2422 { 2423 struct wg_peer *wgp; 2424 2425 int s = pserialize_read_enter(); 2426 wgp = thmap_get(wg->wg_peers_bypubkey, pubkey, WG_STATIC_KEY_LEN); 2427 if (wgp != NULL) 2428 wg_get_peer(wgp, psref); 2429 pserialize_read_exit(s); 2430 2431 return wgp; 2432 } 2433 2434 static void 2435 wg_fill_msg_cookie(struct wg_softc *wg, struct wg_peer *wgp, 2436 struct wg_msg_cookie *wgmc, const uint32_t sender, 2437 const uint8_t mac1[static WG_MAC_LEN], const struct sockaddr *src) 2438 { 2439 uint8_t cookie[WG_COOKIE_LEN]; 2440 uint8_t key[WG_HASH_LEN]; 2441 uint8_t addr[sizeof(struct in6_addr)]; 2442 size_t addrlen; 2443 uint16_t uh_sport; /* be */ 2444 2445 KASSERT(mutex_owned(wgp->wgp_lock)); 2446 2447 wgmc->wgmc_type = htole32(WG_MSG_TYPE_COOKIE); 2448 wgmc->wgmc_receiver = sender; 2449 cprng_fast(wgmc->wgmc_salt, sizeof(wgmc->wgmc_salt)); 2450 2451 /* 2452 * [W] 5.4.7: Under Load: Cookie Reply Message 2453 * "The secret variable, Rm, changes every two minutes to a 2454 * random value" 2455 */ 2456 if ((time_uptime - wgp->wgp_last_cookiesecret_time) > 2457 WG_COOKIESECRET_TIME) { 2458 cprng_strong(kern_cprng, wgp->wgp_cookiesecret, 2459 sizeof(wgp->wgp_cookiesecret), 0); 2460 wgp->wgp_last_cookiesecret_time = time_uptime; 2461 } 2462 2463 switch (src->sa_family) { 2464 #ifdef INET 2465 case AF_INET: { 2466 const struct sockaddr_in *sin = satocsin(src); 2467 addrlen = sizeof(sin->sin_addr); 2468 memcpy(addr, &sin->sin_addr, addrlen); 2469 uh_sport = sin->sin_port; 2470 break; 2471 } 2472 #endif 2473 #ifdef INET6 2474 case AF_INET6: { 2475 const struct sockaddr_in6 *sin6 = satocsin6(src); 2476 addrlen = sizeof(sin6->sin6_addr); 2477 memcpy(addr, &sin6->sin6_addr, addrlen); 2478 uh_sport = sin6->sin6_port; 2479 break; 2480 } 2481 #endif 2482 default: 2483 panic("invalid af=%d", src->sa_family); 2484 } 2485 2486 wg_algo_mac(cookie, sizeof(cookie), 2487 wgp->wgp_cookiesecret, sizeof(wgp->wgp_cookiesecret), 2488 addr, addrlen, (const uint8_t *)&uh_sport, sizeof(uh_sport)); 2489 wg_algo_mac_cookie(key, sizeof(key), wg->wg_pubkey, 2490 sizeof(wg->wg_pubkey)); 2491 wg_algo_xaead_enc(wgmc->wgmc_cookie, sizeof(wgmc->wgmc_cookie), key, 2492 cookie, sizeof(cookie), mac1, WG_MAC_LEN, wgmc->wgmc_salt); 2493 2494 /* Need to store to calculate mac2 */ 2495 memcpy(wgp->wgp_last_sent_cookie, cookie, sizeof(cookie)); 2496 wgp->wgp_last_sent_cookie_valid = true; 2497 } 2498 2499 static void 2500 wg_send_cookie_msg(struct wg_softc *wg, struct wg_peer *wgp, 2501 const uint32_t sender, const uint8_t mac1[static WG_MAC_LEN], 2502 const struct sockaddr *src) 2503 { 2504 int error; 2505 struct mbuf *m; 2506 struct wg_msg_cookie *wgmc; 2507 2508 KASSERT(mutex_owned(wgp->wgp_lock)); 2509 2510 m = m_gethdr(M_WAIT, MT_DATA); 2511 if (sizeof(*wgmc) > MHLEN) { 2512 m_clget(m, M_WAIT); 2513 CTASSERT(sizeof(*wgmc) <= MCLBYTES); 2514 } 2515 m->m_pkthdr.len = m->m_len = sizeof(*wgmc); 2516 wgmc = mtod(m, struct wg_msg_cookie *); 2517 wg_fill_msg_cookie(wg, wgp, wgmc, sender, mac1, src); 2518 2519 error = wg->wg_ops->send_hs_msg(wgp, m); /* consumes m */ 2520 if (error) { 2521 WG_DLOG("send_hs_msg failed, error=%d\n", error); 2522 return; 2523 } 2524 2525 WG_TRACE("cookie msg sent"); 2526 } 2527 2528 static bool 2529 wg_is_underload(struct wg_softc *wg, struct wg_peer *wgp, int msgtype) 2530 { 2531 #ifdef WG_DEBUG_PARAMS 2532 if (wg_force_underload) 2533 return true; 2534 #endif 2535 2536 /* 2537 * XXX we don't have a means of a load estimation. The purpose of 2538 * the mechanism is a DoS mitigation, so we consider frequent handshake 2539 * messages as (a kind of) load; if a message of the same type comes 2540 * to a peer within 1 second, we consider we are under load. 2541 */ 2542 time_t last = wgp->wgp_last_msg_received_time[msgtype]; 2543 wgp->wgp_last_msg_received_time[msgtype] = time_uptime; 2544 return (time_uptime - last) == 0; 2545 } 2546 2547 static void 2548 wg_calculate_keys(struct wg_session *wgs, const bool initiator) 2549 { 2550 2551 KASSERT(mutex_owned(wgs->wgs_peer->wgp_lock)); 2552 2553 /* 2554 * [W] 5.4.5: Ti^send = Tr^recv, Ti^recv = Tr^send := KDF2(Ci = Cr, e) 2555 */ 2556 if (initiator) { 2557 wg_algo_kdf(wgs->wgs_tkey_send, wgs->wgs_tkey_recv, NULL, 2558 wgs->wgs_chaining_key, NULL, 0); 2559 } else { 2560 wg_algo_kdf(wgs->wgs_tkey_recv, wgs->wgs_tkey_send, NULL, 2561 wgs->wgs_chaining_key, NULL, 0); 2562 } 2563 WG_DUMP_HASH("wgs_tkey_send", wgs->wgs_tkey_send); 2564 WG_DUMP_HASH("wgs_tkey_recv", wgs->wgs_tkey_recv); 2565 } 2566 2567 static uint64_t 2568 wg_session_get_send_counter(struct wg_session *wgs) 2569 { 2570 #ifdef __HAVE_ATOMIC64_LOADSTORE 2571 return atomic_load_relaxed(&wgs->wgs_send_counter); 2572 #else 2573 uint64_t send_counter; 2574 2575 mutex_enter(&wgs->wgs_send_counter_lock); 2576 send_counter = wgs->wgs_send_counter; 2577 mutex_exit(&wgs->wgs_send_counter_lock); 2578 2579 return send_counter; 2580 #endif 2581 } 2582 2583 static uint64_t 2584 wg_session_inc_send_counter(struct wg_session *wgs) 2585 { 2586 #ifdef __HAVE_ATOMIC64_LOADSTORE 2587 return atomic_inc_64_nv(&wgs->wgs_send_counter) - 1; 2588 #else 2589 uint64_t send_counter; 2590 2591 mutex_enter(&wgs->wgs_send_counter_lock); 2592 send_counter = wgs->wgs_send_counter++; 2593 mutex_exit(&wgs->wgs_send_counter_lock); 2594 2595 return send_counter; 2596 #endif 2597 } 2598 2599 static void 2600 wg_clear_states(struct wg_session *wgs) 2601 { 2602 2603 KASSERT(mutex_owned(wgs->wgs_peer->wgp_lock)); 2604 2605 wgs->wgs_send_counter = 0; 2606 sliwin_reset(&wgs->wgs_recvwin->window); 2607 2608 #define wgs_clear(v) explicit_memset(wgs->wgs_##v, 0, sizeof(wgs->wgs_##v)) 2609 wgs_clear(handshake_hash); 2610 wgs_clear(chaining_key); 2611 wgs_clear(ephemeral_key_pub); 2612 wgs_clear(ephemeral_key_priv); 2613 wgs_clear(ephemeral_key_peer); 2614 #undef wgs_clear 2615 } 2616 2617 static struct wg_session * 2618 wg_lookup_session_by_index(struct wg_softc *wg, const uint32_t index, 2619 struct psref *psref) 2620 { 2621 struct wg_session *wgs; 2622 2623 int s = pserialize_read_enter(); 2624 wgs = thmap_get(wg->wg_sessions_byindex, &index, sizeof index); 2625 if (wgs != NULL) { 2626 KASSERTMSG(index == wgs->wgs_local_index, 2627 "index=%"PRIx32" wgs->wgs_local_index=%"PRIx32, 2628 index, wgs->wgs_local_index); 2629 psref_acquire(psref, &wgs->wgs_psref, wg_psref_class); 2630 } 2631 pserialize_read_exit(s); 2632 2633 return wgs; 2634 } 2635 2636 static void 2637 wg_send_keepalive_msg(struct wg_peer *wgp, struct wg_session *wgs) 2638 { 2639 struct mbuf *m; 2640 2641 /* 2642 * [W] 6.5 Passive Keepalive 2643 * "A keepalive message is simply a transport data message with 2644 * a zero-length encapsulated encrypted inner-packet." 2645 */ 2646 WG_TRACE(""); 2647 m = m_gethdr(M_WAIT, MT_DATA); 2648 wg_send_data_msg(wgp, wgs, m); 2649 } 2650 2651 static bool 2652 wg_need_to_send_init_message(struct wg_session *wgs) 2653 { 2654 /* 2655 * [W] 6.2 Transport Message Limits 2656 * "if a peer is the initiator of a current secure session, 2657 * WireGuard will send a handshake initiation message to begin 2658 * a new secure session ... if after receiving a transport data 2659 * message, the current secure session is (REJECT-AFTER-TIME − 2660 * KEEPALIVE-TIMEOUT − REKEY-TIMEOUT) seconds old and it has 2661 * not yet acted upon this event." 2662 */ 2663 return wgs->wgs_is_initiator && 2664 atomic_load_relaxed(&wgs->wgs_time_last_data_sent) == 0 && 2665 (time_uptime32 - wgs->wgs_time_established >= 2666 (wg_reject_after_time - wg_keepalive_timeout - 2667 wg_rekey_timeout)); 2668 } 2669 2670 static void 2671 wg_schedule_peer_task(struct wg_peer *wgp, unsigned int task) 2672 { 2673 2674 mutex_enter(wgp->wgp_intr_lock); 2675 WG_DLOG("tasks=%d, task=%d\n", wgp->wgp_tasks, task); 2676 if (wgp->wgp_tasks == 0) 2677 /* 2678 * XXX If the current CPU is already loaded -- e.g., if 2679 * there's already a bunch of handshakes queued up -- 2680 * consider tossing this over to another CPU to 2681 * distribute the load. 2682 */ 2683 workqueue_enqueue(wg_wq, &wgp->wgp_work, NULL); 2684 wgp->wgp_tasks |= task; 2685 mutex_exit(wgp->wgp_intr_lock); 2686 } 2687 2688 static void 2689 wg_change_endpoint(struct wg_peer *wgp, const struct sockaddr *new) 2690 { 2691 struct wg_sockaddr *wgsa_prev; 2692 2693 WG_TRACE("Changing endpoint"); 2694 2695 memcpy(wgp->wgp_endpoint0, new, new->sa_len); 2696 wgsa_prev = wgp->wgp_endpoint; 2697 atomic_store_release(&wgp->wgp_endpoint, wgp->wgp_endpoint0); 2698 wgp->wgp_endpoint0 = wgsa_prev; 2699 atomic_store_release(&wgp->wgp_endpoint_available, true); 2700 2701 wg_schedule_peer_task(wgp, WGP_TASK_ENDPOINT_CHANGED); 2702 } 2703 2704 static bool 2705 wg_validate_inner_packet(const char *packet, size_t decrypted_len, int *af) 2706 { 2707 uint16_t packet_len; 2708 const struct ip *ip; 2709 2710 if (__predict_false(decrypted_len < sizeof(*ip))) { 2711 WG_DLOG("decrypted_len=%zu < %zu\n", decrypted_len, 2712 sizeof(*ip)); 2713 return false; 2714 } 2715 2716 ip = (const struct ip *)packet; 2717 if (ip->ip_v == 4) 2718 *af = AF_INET; 2719 else if (ip->ip_v == 6) 2720 *af = AF_INET6; 2721 else { 2722 WG_DLOG("ip_v=%d\n", ip->ip_v); 2723 return false; 2724 } 2725 2726 WG_DLOG("af=%d\n", *af); 2727 2728 switch (*af) { 2729 #ifdef INET 2730 case AF_INET: 2731 packet_len = ntohs(ip->ip_len); 2732 break; 2733 #endif 2734 #ifdef INET6 2735 case AF_INET6: { 2736 const struct ip6_hdr *ip6; 2737 2738 if (__predict_false(decrypted_len < sizeof(*ip6))) { 2739 WG_DLOG("decrypted_len=%zu < %zu\n", decrypted_len, 2740 sizeof(*ip6)); 2741 return false; 2742 } 2743 2744 ip6 = (const struct ip6_hdr *)packet; 2745 packet_len = sizeof(*ip6) + ntohs(ip6->ip6_plen); 2746 break; 2747 } 2748 #endif 2749 default: 2750 return false; 2751 } 2752 2753 if (packet_len > decrypted_len) { 2754 WG_DLOG("packet_len %u > decrypted_len %zu\n", packet_len, 2755 decrypted_len); 2756 return false; 2757 } 2758 2759 return true; 2760 } 2761 2762 static bool 2763 wg_validate_route(struct wg_softc *wg, struct wg_peer *wgp_expected, 2764 int af, char *packet) 2765 { 2766 struct sockaddr_storage ss; 2767 struct sockaddr *sa; 2768 struct psref psref; 2769 struct wg_peer *wgp; 2770 bool ok; 2771 2772 /* 2773 * II CRYPTOKEY ROUTING 2774 * "it will only accept it if its source IP resolves in the 2775 * table to the public key used in the secure session for 2776 * decrypting it." 2777 */ 2778 2779 switch (af) { 2780 #ifdef INET 2781 case AF_INET: { 2782 const struct ip *ip = (const struct ip *)packet; 2783 struct sockaddr_in *sin = (struct sockaddr_in *)&ss; 2784 sockaddr_in_init(sin, &ip->ip_src, 0); 2785 sa = sintosa(sin); 2786 break; 2787 } 2788 #endif 2789 #ifdef INET6 2790 case AF_INET6: { 2791 const struct ip6_hdr *ip6 = (const struct ip6_hdr *)packet; 2792 struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)&ss; 2793 sockaddr_in6_init(sin6, &ip6->ip6_src, 0, 0, 0); 2794 sa = sin6tosa(sin6); 2795 break; 2796 } 2797 #endif 2798 default: 2799 __USE(ss); 2800 return false; 2801 } 2802 2803 wgp = wg_pick_peer_by_sa(wg, sa, &psref); 2804 ok = (wgp == wgp_expected); 2805 if (wgp != NULL) 2806 wg_put_peer(wgp, &psref); 2807 2808 return ok; 2809 } 2810 2811 static void 2812 wg_session_dtor_timer(void *arg) 2813 { 2814 struct wg_peer *wgp = arg; 2815 2816 WG_TRACE("enter"); 2817 2818 wg_schedule_session_dtor_timer(wgp); 2819 wg_schedule_peer_task(wgp, WGP_TASK_DESTROY_PREV_SESSION); 2820 } 2821 2822 static void 2823 wg_schedule_session_dtor_timer(struct wg_peer *wgp) 2824 { 2825 2826 /* 2827 * If the periodic session destructor is already pending to 2828 * handle the previous session, that's fine -- leave it in 2829 * place; it will be scheduled again. 2830 */ 2831 if (callout_pending(&wgp->wgp_session_dtor_timer)) { 2832 WG_DLOG("session dtor already pending\n"); 2833 return; 2834 } 2835 2836 WG_DLOG("scheduling session dtor in %u secs\n", wg_reject_after_time); 2837 callout_schedule(&wgp->wgp_session_dtor_timer, 2838 wg_reject_after_time*hz); 2839 } 2840 2841 static bool 2842 sockaddr_port_match(const struct sockaddr *sa1, const struct sockaddr *sa2) 2843 { 2844 if (sa1->sa_family != sa2->sa_family) 2845 return false; 2846 2847 switch (sa1->sa_family) { 2848 #ifdef INET 2849 case AF_INET: 2850 return satocsin(sa1)->sin_port == satocsin(sa2)->sin_port; 2851 #endif 2852 #ifdef INET6 2853 case AF_INET6: 2854 return satocsin6(sa1)->sin6_port == satocsin6(sa2)->sin6_port; 2855 #endif 2856 default: 2857 return false; 2858 } 2859 } 2860 2861 static void 2862 wg_update_endpoint_if_necessary(struct wg_peer *wgp, 2863 const struct sockaddr *src) 2864 { 2865 struct wg_sockaddr *wgsa; 2866 struct psref psref; 2867 2868 wgsa = wg_get_endpoint_sa(wgp, &psref); 2869 2870 #ifdef WG_DEBUG_LOG 2871 char oldaddr[128], newaddr[128]; 2872 sockaddr_format(wgsatosa(wgsa), oldaddr, sizeof(oldaddr)); 2873 sockaddr_format(src, newaddr, sizeof(newaddr)); 2874 WG_DLOG("old=%s, new=%s\n", oldaddr, newaddr); 2875 #endif 2876 2877 /* 2878 * III: "Since the packet has authenticated correctly, the source IP of 2879 * the outer UDP/IP packet is used to update the endpoint for peer..." 2880 */ 2881 if (__predict_false(sockaddr_cmp(src, wgsatosa(wgsa)) != 0 || 2882 !sockaddr_port_match(src, wgsatosa(wgsa)))) { 2883 /* XXX We can't change the endpoint twice in a short period */ 2884 if (atomic_swap_uint(&wgp->wgp_endpoint_changing, 1) == 0) { 2885 wg_change_endpoint(wgp, src); 2886 } 2887 } 2888 2889 wg_put_sa(wgp, wgsa, &psref); 2890 } 2891 2892 static void __noinline 2893 wg_handle_msg_data(struct wg_softc *wg, struct mbuf *m, 2894 const struct sockaddr *src) 2895 { 2896 struct wg_msg_data *wgmd; 2897 char *encrypted_buf = NULL, *decrypted_buf; 2898 size_t encrypted_len, decrypted_len; 2899 struct wg_session *wgs; 2900 struct wg_peer *wgp; 2901 int state; 2902 uint32_t age; 2903 size_t mlen; 2904 struct psref psref; 2905 int error, af; 2906 bool success, free_encrypted_buf = false, ok; 2907 struct mbuf *n; 2908 2909 KASSERT(m->m_len >= sizeof(struct wg_msg_data)); 2910 wgmd = mtod(m, struct wg_msg_data *); 2911 2912 KASSERT(wgmd->wgmd_type == htole32(WG_MSG_TYPE_DATA)); 2913 WG_TRACE("data"); 2914 2915 /* Find the putative session, or drop. */ 2916 wgs = wg_lookup_session_by_index(wg, wgmd->wgmd_receiver, &psref); 2917 if (wgs == NULL) { 2918 WG_TRACE("No session found"); 2919 m_freem(m); 2920 return; 2921 } 2922 2923 /* 2924 * We are only ready to handle data when in INIT_PASSIVE, 2925 * ESTABLISHED, or DESTROYING. All transitions out of that 2926 * state dissociate the session index and drain psrefs. 2927 * 2928 * atomic_load_acquire matches atomic_store_release in either 2929 * wg_handle_msg_init or wg_handle_msg_resp. (The transition 2930 * INIT_PASSIVE to ESTABLISHED in wg_task_establish_session 2931 * doesn't make a difference for this rx path.) 2932 */ 2933 state = atomic_load_acquire(&wgs->wgs_state); 2934 switch (state) { 2935 case WGS_STATE_UNKNOWN: 2936 case WGS_STATE_INIT_ACTIVE: 2937 WG_TRACE("not yet ready for data"); 2938 goto out; 2939 case WGS_STATE_INIT_PASSIVE: 2940 case WGS_STATE_ESTABLISHED: 2941 case WGS_STATE_DESTROYING: 2942 break; 2943 } 2944 2945 /* 2946 * Reject if the session is too old. 2947 */ 2948 age = time_uptime32 - wgs->wgs_time_established; 2949 if (__predict_false(age >= wg_reject_after_time)) { 2950 WG_DLOG("session %"PRIx32" too old, %"PRIu32" sec\n", 2951 wgmd->wgmd_receiver, age); 2952 goto out; 2953 } 2954 2955 /* 2956 * Get the peer, for rate-limited logs (XXX MPSAFE, dtrace) and 2957 * to update the endpoint if authentication succeeds. 2958 */ 2959 wgp = wgs->wgs_peer; 2960 2961 /* 2962 * Reject outrageously wrong sequence numbers before doing any 2963 * crypto work or taking any locks. 2964 */ 2965 error = sliwin_check_fast(&wgs->wgs_recvwin->window, 2966 le64toh(wgmd->wgmd_counter)); 2967 if (error) { 2968 WG_LOG_RATECHECK(&wgp->wgp_ppsratecheck, LOG_DEBUG, 2969 "%s: peer %s: out-of-window packet: %"PRIu64"\n", 2970 if_name(&wg->wg_if), wgp->wgp_name, 2971 le64toh(wgmd->wgmd_counter)); 2972 goto out; 2973 } 2974 2975 /* Ensure the payload and authenticator are contiguous. */ 2976 mlen = m_length(m); 2977 encrypted_len = mlen - sizeof(*wgmd); 2978 if (encrypted_len < WG_AUTHTAG_LEN) { 2979 WG_DLOG("Short encrypted_len: %zu\n", encrypted_len); 2980 goto out; 2981 } 2982 success = m_ensure_contig(&m, sizeof(*wgmd) + encrypted_len); 2983 if (success) { 2984 encrypted_buf = mtod(m, char *) + sizeof(*wgmd); 2985 } else { 2986 encrypted_buf = kmem_intr_alloc(encrypted_len, KM_NOSLEEP); 2987 if (encrypted_buf == NULL) { 2988 WG_DLOG("failed to allocate encrypted_buf\n"); 2989 goto out; 2990 } 2991 m_copydata(m, sizeof(*wgmd), encrypted_len, encrypted_buf); 2992 free_encrypted_buf = true; 2993 } 2994 /* m_ensure_contig may change m regardless of its result */ 2995 KASSERT(m->m_len >= sizeof(*wgmd)); 2996 wgmd = mtod(m, struct wg_msg_data *); 2997 2998 /* 2999 * Get a buffer for the plaintext. Add WG_AUTHTAG_LEN to avoid 3000 * a zero-length buffer (XXX). Drop if plaintext is longer 3001 * than MCLBYTES (XXX). 3002 */ 3003 decrypted_len = encrypted_len - WG_AUTHTAG_LEN; 3004 if (decrypted_len > MCLBYTES) { 3005 /* FIXME handle larger data than MCLBYTES */ 3006 WG_DLOG("couldn't handle larger data than MCLBYTES\n"); 3007 goto out; 3008 } 3009 n = wg_get_mbuf(0, decrypted_len + WG_AUTHTAG_LEN); 3010 if (n == NULL) { 3011 WG_DLOG("wg_get_mbuf failed\n"); 3012 goto out; 3013 } 3014 decrypted_buf = mtod(n, char *); 3015 3016 /* Decrypt and verify the packet. */ 3017 WG_DLOG("mlen=%zu, encrypted_len=%zu\n", mlen, encrypted_len); 3018 error = wg_algo_aead_dec(decrypted_buf, 3019 encrypted_len - WG_AUTHTAG_LEN /* can be 0 */, 3020 wgs->wgs_tkey_recv, le64toh(wgmd->wgmd_counter), encrypted_buf, 3021 encrypted_len, NULL, 0); 3022 if (error != 0) { 3023 WG_LOG_RATECHECK(&wgp->wgp_ppsratecheck, LOG_DEBUG, 3024 "%s: peer %s: failed to wg_algo_aead_dec\n", 3025 if_name(&wg->wg_if), wgp->wgp_name); 3026 m_freem(n); 3027 goto out; 3028 } 3029 WG_DLOG("outsize=%u\n", (u_int)decrypted_len); 3030 3031 /* Packet is genuine. Reject it if a replay or just too old. */ 3032 mutex_enter(&wgs->wgs_recvwin->lock); 3033 error = sliwin_update(&wgs->wgs_recvwin->window, 3034 le64toh(wgmd->wgmd_counter)); 3035 mutex_exit(&wgs->wgs_recvwin->lock); 3036 if (error) { 3037 WG_LOG_RATECHECK(&wgp->wgp_ppsratecheck, LOG_DEBUG, 3038 "%s: peer %s: replay or out-of-window packet: %"PRIu64"\n", 3039 if_name(&wg->wg_if), wgp->wgp_name, 3040 le64toh(wgmd->wgmd_counter)); 3041 m_freem(n); 3042 goto out; 3043 } 3044 3045 /* We're done with m now; free it and chuck the pointers. */ 3046 m_freem(m); 3047 m = NULL; 3048 wgmd = NULL; 3049 3050 /* 3051 * The packet is genuine. Update the peer's endpoint if the 3052 * source address changed. 3053 * 3054 * XXX How to prevent DoS by replaying genuine packets from the 3055 * wrong source address? 3056 */ 3057 wg_update_endpoint_if_necessary(wgp, src); 3058 3059 /* 3060 * Validate the encapsulated packet header and get the address 3061 * family, or drop. 3062 */ 3063 ok = wg_validate_inner_packet(decrypted_buf, decrypted_len, &af); 3064 if (!ok) { 3065 m_freem(n); 3066 goto update_state; 3067 } 3068 3069 /* Submit it into our network stack if routable. */ 3070 ok = wg_validate_route(wg, wgp, af, decrypted_buf); 3071 if (ok) { 3072 wg->wg_ops->input(&wg->wg_if, n, af); 3073 } else { 3074 char addrstr[INET6_ADDRSTRLEN]; 3075 memset(addrstr, 0, sizeof(addrstr)); 3076 switch (af) { 3077 #ifdef INET 3078 case AF_INET: { 3079 const struct ip *ip = (const struct ip *)decrypted_buf; 3080 IN_PRINT(addrstr, &ip->ip_src); 3081 break; 3082 } 3083 #endif 3084 #ifdef INET6 3085 case AF_INET6: { 3086 const struct ip6_hdr *ip6 = 3087 (const struct ip6_hdr *)decrypted_buf; 3088 IN6_PRINT(addrstr, &ip6->ip6_src); 3089 break; 3090 } 3091 #endif 3092 default: 3093 panic("invalid af=%d", af); 3094 } 3095 WG_LOG_RATECHECK(&wgp->wgp_ppsratecheck, LOG_DEBUG, 3096 "%s: peer %s: invalid source address (%s)\n", 3097 if_name(&wg->wg_if), wgp->wgp_name, addrstr); 3098 m_freem(n); 3099 /* 3100 * The inner address is invalid however the session is valid 3101 * so continue the session processing below. 3102 */ 3103 } 3104 n = NULL; 3105 3106 update_state: 3107 /* Update the state machine if necessary. */ 3108 if (__predict_false(state == WGS_STATE_INIT_PASSIVE)) { 3109 /* 3110 * We were waiting for the initiator to send their 3111 * first data transport message, and that has happened. 3112 * Schedule a task to establish this session. 3113 */ 3114 wg_schedule_peer_task(wgp, WGP_TASK_ESTABLISH_SESSION); 3115 } else { 3116 if (__predict_false(wg_need_to_send_init_message(wgs))) { 3117 wg_schedule_peer_task(wgp, WGP_TASK_SEND_INIT_MESSAGE); 3118 } 3119 /* 3120 * [W] 6.5 Passive Keepalive 3121 * "If a peer has received a validly-authenticated transport 3122 * data message (section 5.4.6), but does not have any packets 3123 * itself to send back for KEEPALIVE-TIMEOUT seconds, it sends 3124 * a keepalive message." 3125 */ 3126 const uint32_t now = time_uptime32; 3127 const uint32_t time_last_data_sent = 3128 atomic_load_relaxed(&wgs->wgs_time_last_data_sent); 3129 WG_DLOG("time_uptime32=%"PRIu32 3130 " wgs_time_last_data_sent=%"PRIu32"\n", 3131 now, time_last_data_sent); 3132 if ((now - time_last_data_sent) >= wg_keepalive_timeout) { 3133 WG_TRACE("Schedule sending keepalive message"); 3134 /* 3135 * We can't send a keepalive message here to avoid 3136 * a deadlock; we already hold the solock of a socket 3137 * that is used to send the message. 3138 */ 3139 wg_schedule_peer_task(wgp, 3140 WGP_TASK_SEND_KEEPALIVE_MESSAGE); 3141 } 3142 } 3143 out: 3144 wg_put_session(wgs, &psref); 3145 m_freem(m); 3146 if (free_encrypted_buf) 3147 kmem_intr_free(encrypted_buf, encrypted_len); 3148 } 3149 3150 static void __noinline 3151 wg_handle_msg_cookie(struct wg_softc *wg, const struct wg_msg_cookie *wgmc) 3152 { 3153 struct wg_session *wgs; 3154 struct wg_peer *wgp; 3155 struct psref psref; 3156 int error; 3157 uint8_t key[WG_HASH_LEN]; 3158 uint8_t cookie[WG_COOKIE_LEN]; 3159 3160 WG_TRACE("cookie msg received"); 3161 3162 /* Find the putative session. */ 3163 wgs = wg_lookup_session_by_index(wg, wgmc->wgmc_receiver, &psref); 3164 if (wgs == NULL) { 3165 WG_TRACE("No session found"); 3166 return; 3167 } 3168 3169 /* Lock the peer so we can update the cookie state. */ 3170 wgp = wgs->wgs_peer; 3171 mutex_enter(wgp->wgp_lock); 3172 3173 if (!wgp->wgp_last_sent_mac1_valid) { 3174 WG_TRACE("No valid mac1 sent (or expired)"); 3175 goto out; 3176 } 3177 3178 /* 3179 * wgp_last_sent_mac1_valid is only set to true when we are 3180 * transitioning to INIT_ACTIVE or INIT_PASSIVE, and always 3181 * cleared on transition out of them. 3182 */ 3183 KASSERTMSG((wgs->wgs_state == WGS_STATE_INIT_ACTIVE || 3184 wgs->wgs_state == WGS_STATE_INIT_PASSIVE), 3185 "state=%d", wgs->wgs_state); 3186 3187 /* Decrypt the cookie and store it for later handshake retry. */ 3188 wg_algo_mac_cookie(key, sizeof(key), wgp->wgp_pubkey, 3189 sizeof(wgp->wgp_pubkey)); 3190 error = wg_algo_xaead_dec(cookie, sizeof(cookie), key, 3191 wgmc->wgmc_cookie, sizeof(wgmc->wgmc_cookie), 3192 wgp->wgp_last_sent_mac1, sizeof(wgp->wgp_last_sent_mac1), 3193 wgmc->wgmc_salt); 3194 if (error != 0) { 3195 WG_LOG_RATECHECK(&wgp->wgp_ppsratecheck, LOG_DEBUG, 3196 "%s: peer %s: wg_algo_aead_dec for cookie failed: " 3197 "error=%d\n", if_name(&wg->wg_if), wgp->wgp_name, error); 3198 goto out; 3199 } 3200 /* 3201 * [W] 6.6: Interaction with Cookie Reply System 3202 * "it should simply store the decrypted cookie value from the cookie 3203 * reply message, and wait for the expiration of the REKEY-TIMEOUT 3204 * timer for retrying a handshake initiation message." 3205 */ 3206 wgp->wgp_latest_cookie_time = time_uptime; 3207 memcpy(wgp->wgp_latest_cookie, cookie, sizeof(wgp->wgp_latest_cookie)); 3208 out: 3209 mutex_exit(wgp->wgp_lock); 3210 wg_put_session(wgs, &psref); 3211 } 3212 3213 static struct mbuf * 3214 wg_validate_msg_header(struct wg_softc *wg, struct mbuf *m) 3215 { 3216 struct wg_msg wgm; 3217 size_t mbuflen; 3218 size_t msglen; 3219 3220 /* 3221 * Get the mbuf chain length. It is already guaranteed, by 3222 * wg_overudp_cb, to be large enough for a struct wg_msg. 3223 */ 3224 mbuflen = m_length(m); 3225 KASSERT(mbuflen >= sizeof(struct wg_msg)); 3226 3227 /* 3228 * Copy the message header (32-bit message type) out -- we'll 3229 * worry about contiguity and alignment later. 3230 */ 3231 m_copydata(m, 0, sizeof(wgm), &wgm); 3232 switch (le32toh(wgm.wgm_type)) { 3233 case WG_MSG_TYPE_INIT: 3234 msglen = sizeof(struct wg_msg_init); 3235 break; 3236 case WG_MSG_TYPE_RESP: 3237 msglen = sizeof(struct wg_msg_resp); 3238 break; 3239 case WG_MSG_TYPE_COOKIE: 3240 msglen = sizeof(struct wg_msg_cookie); 3241 break; 3242 case WG_MSG_TYPE_DATA: 3243 msglen = sizeof(struct wg_msg_data); 3244 break; 3245 default: 3246 WG_LOG_RATECHECK(&wg->wg_ppsratecheck, LOG_DEBUG, 3247 "%s: Unexpected msg type: %u\n", if_name(&wg->wg_if), 3248 le32toh(wgm.wgm_type)); 3249 goto error; 3250 } 3251 3252 /* Verify the mbuf chain is long enough for this type of message. */ 3253 if (__predict_false(mbuflen < msglen)) { 3254 WG_DLOG("Invalid msg size: mbuflen=%zu type=%u\n", mbuflen, 3255 le32toh(wgm.wgm_type)); 3256 goto error; 3257 } 3258 3259 /* Make the message header contiguous if necessary. */ 3260 if (__predict_false(m->m_len < msglen)) { 3261 m = m_pullup(m, msglen); 3262 if (m == NULL) 3263 return NULL; 3264 } 3265 3266 return m; 3267 3268 error: 3269 m_freem(m); 3270 return NULL; 3271 } 3272 3273 static void 3274 wg_handle_packet(struct wg_softc *wg, struct mbuf *m, 3275 const struct sockaddr *src) 3276 { 3277 struct wg_msg *wgm; 3278 3279 KASSERT(curlwp->l_pflag & LP_BOUND); 3280 3281 m = wg_validate_msg_header(wg, m); 3282 if (__predict_false(m == NULL)) 3283 return; 3284 3285 KASSERT(m->m_len >= sizeof(struct wg_msg)); 3286 wgm = mtod(m, struct wg_msg *); 3287 switch (le32toh(wgm->wgm_type)) { 3288 case WG_MSG_TYPE_INIT: 3289 wg_handle_msg_init(wg, (struct wg_msg_init *)wgm, src); 3290 break; 3291 case WG_MSG_TYPE_RESP: 3292 wg_handle_msg_resp(wg, (struct wg_msg_resp *)wgm, src); 3293 break; 3294 case WG_MSG_TYPE_COOKIE: 3295 wg_handle_msg_cookie(wg, (struct wg_msg_cookie *)wgm); 3296 break; 3297 case WG_MSG_TYPE_DATA: 3298 wg_handle_msg_data(wg, m, src); 3299 /* wg_handle_msg_data frees m for us */ 3300 return; 3301 default: 3302 panic("invalid message type: %d", le32toh(wgm->wgm_type)); 3303 } 3304 3305 m_freem(m); 3306 } 3307 3308 static void 3309 wg_receive_packets(struct wg_softc *wg, const int af) 3310 { 3311 3312 for (;;) { 3313 int error, flags; 3314 struct socket *so; 3315 struct mbuf *m = NULL; 3316 struct uio dummy_uio; 3317 struct mbuf *paddr = NULL; 3318 struct sockaddr *src; 3319 3320 so = wg_get_so_by_af(wg, af); 3321 flags = MSG_DONTWAIT; 3322 dummy_uio.uio_resid = 1000000000; 3323 3324 error = so->so_receive(so, &paddr, &dummy_uio, &m, NULL, 3325 &flags); 3326 if (error || m == NULL) { 3327 //if (error == EWOULDBLOCK) 3328 return; 3329 } 3330 3331 KASSERT(paddr != NULL); 3332 KASSERT(paddr->m_len >= sizeof(struct sockaddr)); 3333 src = mtod(paddr, struct sockaddr *); 3334 3335 wg_handle_packet(wg, m, src); 3336 } 3337 } 3338 3339 static void 3340 wg_get_peer(struct wg_peer *wgp, struct psref *psref) 3341 { 3342 3343 psref_acquire(psref, &wgp->wgp_psref, wg_psref_class); 3344 } 3345 3346 static void 3347 wg_put_peer(struct wg_peer *wgp, struct psref *psref) 3348 { 3349 3350 psref_release(psref, &wgp->wgp_psref, wg_psref_class); 3351 } 3352 3353 static void 3354 wg_task_send_init_message(struct wg_softc *wg, struct wg_peer *wgp) 3355 { 3356 struct wg_session *wgs; 3357 3358 WG_TRACE("WGP_TASK_SEND_INIT_MESSAGE"); 3359 3360 KASSERT(mutex_owned(wgp->wgp_lock)); 3361 3362 if (!atomic_load_acquire(&wgp->wgp_endpoint_available)) { 3363 WGLOG(LOG_DEBUG, "%s: No endpoint available\n", 3364 if_name(&wg->wg_if)); 3365 /* XXX should do something? */ 3366 return; 3367 } 3368 3369 /* 3370 * If we already have an established session, there's no need 3371 * to initiate a new one -- unless the rekey-after-time or 3372 * rekey-after-messages limits have passed. 3373 */ 3374 wgs = wgp->wgp_session_stable; 3375 if (wgs->wgs_state == WGS_STATE_ESTABLISHED && 3376 !atomic_load_relaxed(&wgs->wgs_force_rekey)) 3377 return; 3378 3379 /* 3380 * Ensure we're initiating a new session. If the unstable 3381 * session is already INIT_ACTIVE or INIT_PASSIVE, this does 3382 * nothing. 3383 */ 3384 wg_send_handshake_msg_init(wg, wgp); 3385 } 3386 3387 static void 3388 wg_task_retry_handshake(struct wg_softc *wg, struct wg_peer *wgp) 3389 { 3390 struct wg_session *wgs; 3391 3392 WG_TRACE("WGP_TASK_RETRY_HANDSHAKE"); 3393 3394 KASSERT(mutex_owned(wgp->wgp_lock)); 3395 3396 wgs = wgp->wgp_session_unstable; 3397 if (wgs->wgs_state != WGS_STATE_INIT_ACTIVE) 3398 return; 3399 3400 KASSERT(wgp->wgp_handshake_start_time != 0); 3401 3402 /* 3403 * XXX no real need to assign a new index here, but we do need 3404 * to transition to UNKNOWN temporarily 3405 */ 3406 wg_put_session_index(wg, wgs); 3407 3408 /* [W] 6.4 Handshake Initiation Retransmission */ 3409 if ((time_uptime - wgp->wgp_handshake_start_time) > 3410 wg_rekey_attempt_time) { 3411 /* Give up handshaking */ 3412 wgp->wgp_handshake_start_time = 0; 3413 WG_TRACE("give up"); 3414 3415 /* 3416 * If a new data packet comes, handshaking will be retried 3417 * and a new session would be established at that time, 3418 * however we don't want to send pending packets then. 3419 */ 3420 wg_purge_pending_packets(wgp); 3421 return; 3422 } 3423 3424 wg_task_send_init_message(wg, wgp); 3425 } 3426 3427 static void 3428 wg_task_establish_session(struct wg_softc *wg, struct wg_peer *wgp) 3429 { 3430 struct wg_session *wgs; 3431 3432 KASSERT(mutex_owned(wgp->wgp_lock)); 3433 3434 wgs = wgp->wgp_session_unstable; 3435 if (wgs->wgs_state != WGS_STATE_INIT_PASSIVE) 3436 /* XXX Can this happen? */ 3437 return; 3438 3439 wgs->wgs_time_last_data_sent = 0; 3440 wgs->wgs_is_initiator = false; 3441 3442 /* 3443 * Session was already ready to receive data. Transition from 3444 * INIT_PASSIVE to ESTABLISHED just so we can swap the 3445 * sessions. 3446 * 3447 * atomic_store_relaxed because this doesn't affect the data rx 3448 * path, wg_handle_msg_data -- changing from INIT_PASSIVE to 3449 * ESTABLISHED makes no difference to the data rx path, and the 3450 * transition to INIT_PASSIVE with store-release already 3451 * published the state needed by the data rx path. 3452 */ 3453 WG_DLOG("session[L=%"PRIx32" R=%"PRIx32"] -> WGS_STATE_ESTABLISHED\n", 3454 wgs->wgs_local_index, wgs->wgs_remote_index); 3455 atomic_store_relaxed(&wgs->wgs_state, WGS_STATE_ESTABLISHED); 3456 WG_TRACE("WGS_STATE_ESTABLISHED"); 3457 3458 /* 3459 * Session is ready to send data too now that we have received 3460 * the peer initiator's first data packet. 3461 * 3462 * Swap the sessions to publish the new one as the stable 3463 * session for the data tx path, wg_output. 3464 */ 3465 wg_swap_sessions(wg, wgp); 3466 KASSERT(wgs == wgp->wgp_session_stable); 3467 } 3468 3469 static void 3470 wg_task_endpoint_changed(struct wg_softc *wg, struct wg_peer *wgp) 3471 { 3472 3473 WG_TRACE("WGP_TASK_ENDPOINT_CHANGED"); 3474 3475 KASSERT(mutex_owned(wgp->wgp_lock)); 3476 3477 if (atomic_load_relaxed(&wgp->wgp_endpoint_changing)) { 3478 pserialize_perform(wgp->wgp_psz); 3479 mutex_exit(wgp->wgp_lock); 3480 psref_target_destroy(&wgp->wgp_endpoint0->wgsa_psref, 3481 wg_psref_class); 3482 psref_target_init(&wgp->wgp_endpoint0->wgsa_psref, 3483 wg_psref_class); 3484 mutex_enter(wgp->wgp_lock); 3485 atomic_store_release(&wgp->wgp_endpoint_changing, 0); 3486 } 3487 } 3488 3489 static void 3490 wg_task_send_keepalive_message(struct wg_softc *wg, struct wg_peer *wgp) 3491 { 3492 struct wg_session *wgs; 3493 3494 WG_TRACE("WGP_TASK_SEND_KEEPALIVE_MESSAGE"); 3495 3496 KASSERT(mutex_owned(wgp->wgp_lock)); 3497 3498 wgs = wgp->wgp_session_stable; 3499 if (wgs->wgs_state != WGS_STATE_ESTABLISHED) 3500 return; 3501 3502 wg_send_keepalive_msg(wgp, wgs); 3503 } 3504 3505 static void 3506 wg_task_destroy_prev_session(struct wg_softc *wg, struct wg_peer *wgp) 3507 { 3508 struct wg_session *wgs; 3509 uint32_t age; 3510 3511 WG_TRACE("WGP_TASK_DESTROY_PREV_SESSION"); 3512 3513 KASSERT(mutex_owned(wgp->wgp_lock)); 3514 3515 /* 3516 * If theres's any previous unstable session, i.e., one that 3517 * was ESTABLISHED and is now DESTROYING, older than 3518 * reject-after-time, destroy it. Upcoming sessions are still 3519 * in INIT_ACTIVE or INIT_PASSIVE -- we don't touch those here. 3520 */ 3521 wgs = wgp->wgp_session_unstable; 3522 KASSERT(wgs->wgs_state != WGS_STATE_ESTABLISHED); 3523 if (wgs->wgs_state == WGS_STATE_DESTROYING && 3524 ((age = (time_uptime32 - wgs->wgs_time_established)) >= 3525 wg_reject_after_time)) { 3526 WG_DLOG("destroying past session %"PRIu32" sec old\n", age); 3527 wg_put_session_index(wg, wgs); 3528 KASSERTMSG(wgs->wgs_state == WGS_STATE_UNKNOWN, "state=%d", 3529 wgs->wgs_state); 3530 } 3531 3532 /* 3533 * If theres's any ESTABLISHED stable session older than 3534 * reject-after-time, destroy it. (The stable session can also 3535 * be in UNKNOWN state -- nothing to do in that case) 3536 */ 3537 wgs = wgp->wgp_session_stable; 3538 KASSERT(wgs->wgs_state != WGS_STATE_INIT_ACTIVE); 3539 KASSERT(wgs->wgs_state != WGS_STATE_INIT_PASSIVE); 3540 KASSERT(wgs->wgs_state != WGS_STATE_DESTROYING); 3541 if (wgs->wgs_state == WGS_STATE_ESTABLISHED && 3542 ((age = (time_uptime32 - wgs->wgs_time_established)) >= 3543 wg_reject_after_time)) { 3544 WG_DLOG("destroying current session %"PRIu32" sec old\n", age); 3545 atomic_store_relaxed(&wgs->wgs_state, WGS_STATE_DESTROYING); 3546 wg_put_session_index(wg, wgs); 3547 KASSERTMSG(wgs->wgs_state == WGS_STATE_UNKNOWN, "state=%d", 3548 wgs->wgs_state); 3549 } 3550 3551 /* 3552 * If there's no sessions left, no need to have the timer run 3553 * until the next time around -- halt it. 3554 * 3555 * It is only ever scheduled with wgp_lock held or in the 3556 * callout itself, and callout_halt prevents rescheudling 3557 * itself, so this never races with rescheduling. 3558 */ 3559 if (wgp->wgp_session_unstable->wgs_state == WGS_STATE_UNKNOWN && 3560 wgp->wgp_session_stable->wgs_state == WGS_STATE_UNKNOWN) 3561 callout_halt(&wgp->wgp_session_dtor_timer, NULL); 3562 } 3563 3564 static void 3565 wg_peer_work(struct work *wk, void *cookie) 3566 { 3567 struct wg_peer *wgp = container_of(wk, struct wg_peer, wgp_work); 3568 struct wg_softc *wg = wgp->wgp_sc; 3569 unsigned int tasks; 3570 3571 mutex_enter(wgp->wgp_intr_lock); 3572 while ((tasks = wgp->wgp_tasks) != 0) { 3573 wgp->wgp_tasks = 0; 3574 mutex_exit(wgp->wgp_intr_lock); 3575 3576 mutex_enter(wgp->wgp_lock); 3577 if (ISSET(tasks, WGP_TASK_SEND_INIT_MESSAGE)) 3578 wg_task_send_init_message(wg, wgp); 3579 if (ISSET(tasks, WGP_TASK_RETRY_HANDSHAKE)) 3580 wg_task_retry_handshake(wg, wgp); 3581 if (ISSET(tasks, WGP_TASK_ESTABLISH_SESSION)) 3582 wg_task_establish_session(wg, wgp); 3583 if (ISSET(tasks, WGP_TASK_ENDPOINT_CHANGED)) 3584 wg_task_endpoint_changed(wg, wgp); 3585 if (ISSET(tasks, WGP_TASK_SEND_KEEPALIVE_MESSAGE)) 3586 wg_task_send_keepalive_message(wg, wgp); 3587 if (ISSET(tasks, WGP_TASK_DESTROY_PREV_SESSION)) 3588 wg_task_destroy_prev_session(wg, wgp); 3589 mutex_exit(wgp->wgp_lock); 3590 3591 mutex_enter(wgp->wgp_intr_lock); 3592 } 3593 mutex_exit(wgp->wgp_intr_lock); 3594 } 3595 3596 static void 3597 wg_job(struct threadpool_job *job) 3598 { 3599 struct wg_softc *wg = container_of(job, struct wg_softc, wg_job); 3600 int bound, upcalls; 3601 3602 mutex_enter(wg->wg_intr_lock); 3603 while ((upcalls = wg->wg_upcalls) != 0) { 3604 wg->wg_upcalls = 0; 3605 mutex_exit(wg->wg_intr_lock); 3606 bound = curlwp_bind(); 3607 if (ISSET(upcalls, WG_UPCALL_INET)) 3608 wg_receive_packets(wg, AF_INET); 3609 if (ISSET(upcalls, WG_UPCALL_INET6)) 3610 wg_receive_packets(wg, AF_INET6); 3611 curlwp_bindx(bound); 3612 mutex_enter(wg->wg_intr_lock); 3613 } 3614 threadpool_job_done(job); 3615 mutex_exit(wg->wg_intr_lock); 3616 } 3617 3618 static int 3619 wg_bind_port(struct wg_softc *wg, const uint16_t port) 3620 { 3621 int error = 0; 3622 uint16_t old_port = wg->wg_listen_port; 3623 3624 if (port != 0 && old_port == port) 3625 return 0; 3626 3627 #ifdef INET 3628 struct sockaddr_in _sin, *sin = &_sin; 3629 sin->sin_len = sizeof(*sin); 3630 sin->sin_family = AF_INET; 3631 sin->sin_addr.s_addr = INADDR_ANY; 3632 sin->sin_port = htons(port); 3633 3634 error = sobind(wg->wg_so4, sintosa(sin), curlwp); 3635 if (error) 3636 return error; 3637 #endif 3638 3639 #ifdef INET6 3640 struct sockaddr_in6 _sin6, *sin6 = &_sin6; 3641 sin6->sin6_len = sizeof(*sin6); 3642 sin6->sin6_family = AF_INET6; 3643 sin6->sin6_addr = in6addr_any; 3644 sin6->sin6_port = htons(port); 3645 3646 error = sobind(wg->wg_so6, sin6tosa(sin6), curlwp); 3647 if (error) 3648 return error; 3649 #endif 3650 3651 wg->wg_listen_port = port; 3652 3653 return error; 3654 } 3655 3656 static void 3657 wg_so_upcall(struct socket *so, void *cookie, int events, int waitflag) 3658 { 3659 struct wg_softc *wg = cookie; 3660 int reason; 3661 3662 reason = (so->so_proto->pr_domain->dom_family == AF_INET) ? 3663 WG_UPCALL_INET : 3664 WG_UPCALL_INET6; 3665 3666 mutex_enter(wg->wg_intr_lock); 3667 wg->wg_upcalls |= reason; 3668 threadpool_schedule_job(wg->wg_threadpool, &wg->wg_job); 3669 mutex_exit(wg->wg_intr_lock); 3670 } 3671 3672 /* 3673 * wg_overudp_cb(&m, offset, so, src, arg) 3674 * 3675 * Callback for incoming UDP packets in high-priority 3676 * packet-processing path. 3677 * 3678 * Three cases: 3679 * 3680 * - Data packet. Consumed here for high-priority handling. 3681 * => Returns 1 and takes ownership of m. 3682 * 3683 * - Handshake packet. Defer to thread context via so_receive in 3684 * wg_receive_packets. 3685 * => Returns 0 and leaves caller with ownership of m. 3686 * 3687 * - Invalid. Dropped on the floor and freed. 3688 * => Returns -1 and takes ownership of m (frees m). 3689 */ 3690 static int 3691 wg_overudp_cb(struct mbuf **mp, int offset, struct socket *so, 3692 struct sockaddr *src, void *arg) 3693 { 3694 struct wg_softc *wg = arg; 3695 struct wg_msg wgm; 3696 struct mbuf *m = *mp; 3697 3698 WG_TRACE("enter"); 3699 3700 /* Verify the mbuf chain is long enough to have a wg msg header. */ 3701 KASSERT(offset <= m_length(m)); 3702 if (__predict_false(m_length(m) - offset < sizeof(struct wg_msg))) { 3703 /* drop on the floor */ 3704 m_freem(m); 3705 *mp = NULL; 3706 return -1; /* dropped */ 3707 } 3708 3709 /* 3710 * Copy the message header (32-bit message type) out -- we'll 3711 * worry about contiguity and alignment later. 3712 */ 3713 m_copydata(m, offset, sizeof(struct wg_msg), &wgm); 3714 WG_DLOG("type=%d\n", le32toh(wgm.wgm_type)); 3715 3716 /* 3717 * Handle DATA packets promptly as they arrive, if they are in 3718 * an active session. Other packets may require expensive 3719 * public-key crypto and are not as sensitive to latency, so 3720 * defer them to the worker thread. 3721 */ 3722 switch (le32toh(wgm.wgm_type)) { 3723 case WG_MSG_TYPE_DATA: 3724 /* handle immediately */ 3725 m_adj(m, offset); 3726 if (__predict_false(m->m_len < sizeof(struct wg_msg_data))) { 3727 m = m_pullup(m, sizeof(struct wg_msg_data)); 3728 if (m == NULL) { 3729 *mp = NULL; 3730 return -1; /* dropped */ 3731 } 3732 } 3733 wg_handle_msg_data(wg, m, src); 3734 *mp = NULL; 3735 return 1; /* consumed */ 3736 case WG_MSG_TYPE_INIT: 3737 case WG_MSG_TYPE_RESP: 3738 case WG_MSG_TYPE_COOKIE: 3739 /* pass through to so_receive in wg_receive_packets */ 3740 return 0; /* passthrough */ 3741 default: 3742 /* drop on the floor */ 3743 m_freem(m); 3744 *mp = NULL; 3745 return -1; /* dropped */ 3746 } 3747 } 3748 3749 static int 3750 wg_socreate(struct wg_softc *wg, int af, struct socket **sop) 3751 { 3752 int error; 3753 struct socket *so; 3754 3755 error = socreate(af, &so, SOCK_DGRAM, 0, curlwp, NULL); 3756 if (error != 0) 3757 return error; 3758 3759 solock(so); 3760 so->so_upcallarg = wg; 3761 so->so_upcall = wg_so_upcall; 3762 so->so_rcv.sb_flags |= SB_UPCALL; 3763 inpcb_register_overudp_cb(sotoinpcb(so), wg_overudp_cb, wg); 3764 sounlock(so); 3765 3766 *sop = so; 3767 3768 return 0; 3769 } 3770 3771 static bool 3772 wg_session_hit_limits(struct wg_session *wgs) 3773 { 3774 3775 /* 3776 * [W] 6.2: Transport Message Limits 3777 * "After REJECT-AFTER-MESSAGES transport data messages or after the 3778 * current secure session is REJECT-AFTER-TIME seconds old, whichever 3779 * comes first, WireGuard will refuse to send or receive any more 3780 * transport data messages using the current secure session, ..." 3781 */ 3782 KASSERT(wgs->wgs_time_established != 0 || time_uptime > UINT32_MAX); 3783 if (time_uptime32 - wgs->wgs_time_established > wg_reject_after_time) { 3784 WG_DLOG("The session hits REJECT_AFTER_TIME\n"); 3785 return true; 3786 } else if (wg_session_get_send_counter(wgs) > 3787 wg_reject_after_messages) { 3788 WG_DLOG("The session hits REJECT_AFTER_MESSAGES\n"); 3789 return true; 3790 } 3791 3792 return false; 3793 } 3794 3795 static void 3796 wgintr(void *cookie) 3797 { 3798 struct wg_peer *wgp; 3799 struct wg_session *wgs; 3800 struct mbuf *m; 3801 struct psref psref; 3802 3803 while ((m = pktq_dequeue(wg_pktq)) != NULL) { 3804 wgp = M_GETCTX(m, struct wg_peer *); 3805 if ((wgs = wg_get_stable_session(wgp, &psref)) == NULL) { 3806 /* 3807 * No established session. If we're the first 3808 * to try sending data, schedule a handshake 3809 * and queue the packet for when the handshake 3810 * is done; otherwise just drop the packet and 3811 * let the ongoing handshake attempt continue. 3812 * We could queue more data packets but it's 3813 * not clear that's worthwhile. 3814 */ 3815 WG_TRACE("no stable session"); 3816 membar_release(); 3817 if ((m = atomic_swap_ptr(&wgp->wgp_pending, m)) == 3818 NULL) { 3819 WG_TRACE("queued first packet;" 3820 " init handshake"); 3821 wg_schedule_peer_task(wgp, 3822 WGP_TASK_SEND_INIT_MESSAGE); 3823 } else { 3824 membar_acquire(); 3825 WG_TRACE("first packet already queued," 3826 " dropping"); 3827 } 3828 goto next0; 3829 } 3830 if (__predict_false(wg_session_hit_limits(wgs))) { 3831 WG_TRACE("stable session hit limits"); 3832 membar_release(); 3833 if ((m = atomic_swap_ptr(&wgp->wgp_pending, m)) == 3834 NULL) { 3835 WG_TRACE("queued first packet in a while;" 3836 " reinit handshake"); 3837 atomic_store_relaxed(&wgs->wgs_force_rekey, 3838 true); 3839 wg_schedule_peer_task(wgp, 3840 WGP_TASK_SEND_INIT_MESSAGE); 3841 } else { 3842 membar_acquire(); 3843 WG_TRACE("first packet in already queued," 3844 " dropping"); 3845 } 3846 goto next1; 3847 } 3848 wg_send_data_msg(wgp, wgs, m); 3849 m = NULL; /* consumed */ 3850 next1: wg_put_session(wgs, &psref); 3851 next0: m_freem(m); 3852 /* XXX Yield to avoid userland starvation? */ 3853 } 3854 } 3855 3856 static void 3857 wg_purge_pending_packets(struct wg_peer *wgp) 3858 { 3859 struct mbuf *m; 3860 3861 m = atomic_swap_ptr(&wgp->wgp_pending, NULL); 3862 membar_acquire(); /* matches membar_release in wgintr */ 3863 m_freem(m); 3864 #ifdef ALTQ 3865 wg_start(&wgp->wgp_sc->wg_if); 3866 #endif 3867 pktq_barrier(wg_pktq); 3868 } 3869 3870 static void 3871 wg_handshake_timeout_timer(void *arg) 3872 { 3873 struct wg_peer *wgp = arg; 3874 3875 WG_TRACE("enter"); 3876 3877 wg_schedule_peer_task(wgp, WGP_TASK_RETRY_HANDSHAKE); 3878 } 3879 3880 static struct wg_peer * 3881 wg_alloc_peer(struct wg_softc *wg) 3882 { 3883 struct wg_peer *wgp; 3884 3885 wgp = kmem_zalloc(sizeof(*wgp), KM_SLEEP); 3886 3887 wgp->wgp_sc = wg; 3888 callout_init(&wgp->wgp_handshake_timeout_timer, CALLOUT_MPSAFE); 3889 callout_setfunc(&wgp->wgp_handshake_timeout_timer, 3890 wg_handshake_timeout_timer, wgp); 3891 callout_init(&wgp->wgp_session_dtor_timer, CALLOUT_MPSAFE); 3892 callout_setfunc(&wgp->wgp_session_dtor_timer, 3893 wg_session_dtor_timer, wgp); 3894 PSLIST_ENTRY_INIT(wgp, wgp_peerlist_entry); 3895 wgp->wgp_endpoint_changing = false; 3896 wgp->wgp_endpoint_available = false; 3897 wgp->wgp_lock = mutex_obj_alloc(MUTEX_DEFAULT, IPL_NONE); 3898 wgp->wgp_intr_lock = mutex_obj_alloc(MUTEX_DEFAULT, IPL_SOFTNET); 3899 wgp->wgp_psz = pserialize_create(); 3900 psref_target_init(&wgp->wgp_psref, wg_psref_class); 3901 3902 wgp->wgp_endpoint = kmem_zalloc(sizeof(*wgp->wgp_endpoint), KM_SLEEP); 3903 wgp->wgp_endpoint0 = kmem_zalloc(sizeof(*wgp->wgp_endpoint0), KM_SLEEP); 3904 psref_target_init(&wgp->wgp_endpoint->wgsa_psref, wg_psref_class); 3905 psref_target_init(&wgp->wgp_endpoint0->wgsa_psref, wg_psref_class); 3906 3907 struct wg_session *wgs; 3908 wgp->wgp_session_stable = 3909 kmem_zalloc(sizeof(*wgp->wgp_session_stable), KM_SLEEP); 3910 wgp->wgp_session_unstable = 3911 kmem_zalloc(sizeof(*wgp->wgp_session_unstable), KM_SLEEP); 3912 wgs = wgp->wgp_session_stable; 3913 wgs->wgs_peer = wgp; 3914 wgs->wgs_state = WGS_STATE_UNKNOWN; 3915 psref_target_init(&wgs->wgs_psref, wg_psref_class); 3916 #ifndef __HAVE_ATOMIC64_LOADSTORE 3917 mutex_init(&wgs->wgs_send_counter_lock, MUTEX_DEFAULT, IPL_SOFTNET); 3918 #endif 3919 wgs->wgs_recvwin = kmem_zalloc(sizeof(*wgs->wgs_recvwin), KM_SLEEP); 3920 mutex_init(&wgs->wgs_recvwin->lock, MUTEX_DEFAULT, IPL_SOFTNET); 3921 3922 wgs = wgp->wgp_session_unstable; 3923 wgs->wgs_peer = wgp; 3924 wgs->wgs_state = WGS_STATE_UNKNOWN; 3925 psref_target_init(&wgs->wgs_psref, wg_psref_class); 3926 #ifndef __HAVE_ATOMIC64_LOADSTORE 3927 mutex_init(&wgs->wgs_send_counter_lock, MUTEX_DEFAULT, IPL_SOFTNET); 3928 #endif 3929 wgs->wgs_recvwin = kmem_zalloc(sizeof(*wgs->wgs_recvwin), KM_SLEEP); 3930 mutex_init(&wgs->wgs_recvwin->lock, MUTEX_DEFAULT, IPL_SOFTNET); 3931 3932 return wgp; 3933 } 3934 3935 static void 3936 wg_destroy_peer(struct wg_peer *wgp) 3937 { 3938 struct wg_session *wgs; 3939 struct wg_softc *wg = wgp->wgp_sc; 3940 3941 /* Prevent new packets from this peer on any source address. */ 3942 rw_enter(wg->wg_rwlock, RW_WRITER); 3943 for (int i = 0; i < wgp->wgp_n_allowedips; i++) { 3944 struct wg_allowedip *wga = &wgp->wgp_allowedips[i]; 3945 struct radix_node_head *rnh = wg_rnh(wg, wga->wga_family); 3946 struct radix_node *rn; 3947 3948 KASSERT(rnh != NULL); 3949 rn = rnh->rnh_deladdr(&wga->wga_sa_addr, 3950 &wga->wga_sa_mask, rnh); 3951 if (rn == NULL) { 3952 char addrstr[128]; 3953 sockaddr_format(&wga->wga_sa_addr, addrstr, 3954 sizeof(addrstr)); 3955 WGLOG(LOG_WARNING, "%s: Couldn't delete %s", 3956 if_name(&wg->wg_if), addrstr); 3957 } 3958 } 3959 rw_exit(wg->wg_rwlock); 3960 3961 /* Purge pending packets. */ 3962 wg_purge_pending_packets(wgp); 3963 3964 /* Halt all packet processing and timeouts. */ 3965 callout_halt(&wgp->wgp_handshake_timeout_timer, NULL); 3966 callout_halt(&wgp->wgp_session_dtor_timer, NULL); 3967 3968 /* Wait for any queued work to complete. */ 3969 workqueue_wait(wg_wq, &wgp->wgp_work); 3970 3971 wgs = wgp->wgp_session_unstable; 3972 if (wgs->wgs_state != WGS_STATE_UNKNOWN) { 3973 mutex_enter(wgp->wgp_lock); 3974 wg_destroy_session(wg, wgs); 3975 mutex_exit(wgp->wgp_lock); 3976 } 3977 mutex_destroy(&wgs->wgs_recvwin->lock); 3978 kmem_free(wgs->wgs_recvwin, sizeof(*wgs->wgs_recvwin)); 3979 #ifndef __HAVE_ATOMIC64_LOADSTORE 3980 mutex_destroy(&wgs->wgs_send_counter_lock); 3981 #endif 3982 kmem_free(wgs, sizeof(*wgs)); 3983 3984 wgs = wgp->wgp_session_stable; 3985 if (wgs->wgs_state != WGS_STATE_UNKNOWN) { 3986 mutex_enter(wgp->wgp_lock); 3987 wg_destroy_session(wg, wgs); 3988 mutex_exit(wgp->wgp_lock); 3989 } 3990 mutex_destroy(&wgs->wgs_recvwin->lock); 3991 kmem_free(wgs->wgs_recvwin, sizeof(*wgs->wgs_recvwin)); 3992 #ifndef __HAVE_ATOMIC64_LOADSTORE 3993 mutex_destroy(&wgs->wgs_send_counter_lock); 3994 #endif 3995 kmem_free(wgs, sizeof(*wgs)); 3996 3997 psref_target_destroy(&wgp->wgp_endpoint->wgsa_psref, wg_psref_class); 3998 psref_target_destroy(&wgp->wgp_endpoint0->wgsa_psref, wg_psref_class); 3999 kmem_free(wgp->wgp_endpoint, sizeof(*wgp->wgp_endpoint)); 4000 kmem_free(wgp->wgp_endpoint0, sizeof(*wgp->wgp_endpoint0)); 4001 4002 pserialize_destroy(wgp->wgp_psz); 4003 mutex_obj_free(wgp->wgp_intr_lock); 4004 mutex_obj_free(wgp->wgp_lock); 4005 4006 kmem_free(wgp, sizeof(*wgp)); 4007 } 4008 4009 static void 4010 wg_destroy_all_peers(struct wg_softc *wg) 4011 { 4012 struct wg_peer *wgp, *wgp0 __diagused; 4013 void *garbage_byname, *garbage_bypubkey; 4014 4015 restart: 4016 garbage_byname = garbage_bypubkey = NULL; 4017 mutex_enter(wg->wg_lock); 4018 WG_PEER_WRITER_FOREACH(wgp, wg) { 4019 if (wgp->wgp_name[0]) { 4020 wgp0 = thmap_del(wg->wg_peers_byname, wgp->wgp_name, 4021 strlen(wgp->wgp_name)); 4022 KASSERT(wgp0 == wgp); 4023 garbage_byname = thmap_stage_gc(wg->wg_peers_byname); 4024 } 4025 wgp0 = thmap_del(wg->wg_peers_bypubkey, wgp->wgp_pubkey, 4026 sizeof(wgp->wgp_pubkey)); 4027 KASSERT(wgp0 == wgp); 4028 garbage_bypubkey = thmap_stage_gc(wg->wg_peers_bypubkey); 4029 WG_PEER_WRITER_REMOVE(wgp); 4030 wg->wg_npeers--; 4031 mutex_enter(wgp->wgp_lock); 4032 pserialize_perform(wgp->wgp_psz); 4033 mutex_exit(wgp->wgp_lock); 4034 PSLIST_ENTRY_DESTROY(wgp, wgp_peerlist_entry); 4035 break; 4036 } 4037 mutex_exit(wg->wg_lock); 4038 4039 if (wgp == NULL) 4040 return; 4041 4042 psref_target_destroy(&wgp->wgp_psref, wg_psref_class); 4043 4044 wg_destroy_peer(wgp); 4045 thmap_gc(wg->wg_peers_byname, garbage_byname); 4046 thmap_gc(wg->wg_peers_bypubkey, garbage_bypubkey); 4047 4048 goto restart; 4049 } 4050 4051 static int 4052 wg_destroy_peer_name(struct wg_softc *wg, const char *name) 4053 { 4054 struct wg_peer *wgp, *wgp0 __diagused; 4055 void *garbage_byname, *garbage_bypubkey; 4056 4057 mutex_enter(wg->wg_lock); 4058 wgp = thmap_del(wg->wg_peers_byname, name, strlen(name)); 4059 if (wgp != NULL) { 4060 wgp0 = thmap_del(wg->wg_peers_bypubkey, wgp->wgp_pubkey, 4061 sizeof(wgp->wgp_pubkey)); 4062 KASSERT(wgp0 == wgp); 4063 garbage_byname = thmap_stage_gc(wg->wg_peers_byname); 4064 garbage_bypubkey = thmap_stage_gc(wg->wg_peers_bypubkey); 4065 WG_PEER_WRITER_REMOVE(wgp); 4066 wg->wg_npeers--; 4067 if (wg->wg_npeers == 0) 4068 if_link_state_change(&wg->wg_if, LINK_STATE_DOWN); 4069 mutex_enter(wgp->wgp_lock); 4070 pserialize_perform(wgp->wgp_psz); 4071 mutex_exit(wgp->wgp_lock); 4072 PSLIST_ENTRY_DESTROY(wgp, wgp_peerlist_entry); 4073 } 4074 mutex_exit(wg->wg_lock); 4075 4076 if (wgp == NULL) 4077 return ENOENT; 4078 4079 psref_target_destroy(&wgp->wgp_psref, wg_psref_class); 4080 4081 wg_destroy_peer(wgp); 4082 thmap_gc(wg->wg_peers_byname, garbage_byname); 4083 thmap_gc(wg->wg_peers_bypubkey, garbage_bypubkey); 4084 4085 return 0; 4086 } 4087 4088 static int 4089 wg_if_attach(struct wg_softc *wg) 4090 { 4091 4092 wg->wg_if.if_addrlen = 0; 4093 wg->wg_if.if_mtu = WG_MTU; 4094 wg->wg_if.if_flags = IFF_MULTICAST; 4095 wg->wg_if.if_extflags = IFEF_MPSAFE; 4096 wg->wg_if.if_ioctl = wg_ioctl; 4097 wg->wg_if.if_output = wg_output; 4098 wg->wg_if.if_init = wg_init; 4099 #ifdef ALTQ 4100 wg->wg_if.if_start = wg_start; 4101 #endif 4102 wg->wg_if.if_stop = wg_stop; 4103 wg->wg_if.if_type = IFT_OTHER; 4104 wg->wg_if.if_dlt = DLT_NULL; 4105 wg->wg_if.if_softc = wg; 4106 #ifdef ALTQ 4107 IFQ_SET_READY(&wg->wg_if.if_snd); 4108 #endif 4109 if_initialize(&wg->wg_if); 4110 4111 wg->wg_if.if_link_state = LINK_STATE_DOWN; 4112 if_alloc_sadl(&wg->wg_if); 4113 if_register(&wg->wg_if); 4114 4115 bpf_attach(&wg->wg_if, DLT_NULL, sizeof(uint32_t)); 4116 4117 return 0; 4118 } 4119 4120 static void 4121 wg_if_detach(struct wg_softc *wg) 4122 { 4123 struct ifnet *ifp = &wg->wg_if; 4124 4125 bpf_detach(ifp); 4126 if_detach(ifp); 4127 } 4128 4129 static int 4130 wg_clone_create(struct if_clone *ifc, int unit) 4131 { 4132 struct wg_softc *wg; 4133 int error; 4134 4135 wg_guarantee_initialized(); 4136 4137 error = wg_count_inc(); 4138 if (error) 4139 return error; 4140 4141 wg = kmem_zalloc(sizeof(*wg), KM_SLEEP); 4142 4143 if_initname(&wg->wg_if, ifc->ifc_name, unit); 4144 4145 PSLIST_INIT(&wg->wg_peers); 4146 wg->wg_peers_bypubkey = thmap_create(0, NULL, THMAP_NOCOPY); 4147 wg->wg_peers_byname = thmap_create(0, NULL, THMAP_NOCOPY); 4148 wg->wg_sessions_byindex = thmap_create(0, NULL, THMAP_NOCOPY); 4149 wg->wg_lock = mutex_obj_alloc(MUTEX_DEFAULT, IPL_NONE); 4150 wg->wg_intr_lock = mutex_obj_alloc(MUTEX_DEFAULT, IPL_SOFTNET); 4151 wg->wg_rwlock = rw_obj_alloc(); 4152 threadpool_job_init(&wg->wg_job, wg_job, wg->wg_intr_lock, 4153 "%s", if_name(&wg->wg_if)); 4154 wg->wg_ops = &wg_ops_rumpkernel; 4155 4156 error = threadpool_get(&wg->wg_threadpool, PRI_NONE); 4157 if (error) 4158 goto fail0; 4159 4160 #ifdef INET 4161 error = wg_socreate(wg, AF_INET, &wg->wg_so4); 4162 if (error) 4163 goto fail1; 4164 rn_inithead((void **)&wg->wg_rtable_ipv4, 4165 offsetof(struct sockaddr_in, sin_addr) * NBBY); 4166 #endif 4167 #ifdef INET6 4168 error = wg_socreate(wg, AF_INET6, &wg->wg_so6); 4169 if (error) 4170 goto fail2; 4171 rn_inithead((void **)&wg->wg_rtable_ipv6, 4172 offsetof(struct sockaddr_in6, sin6_addr) * NBBY); 4173 #endif 4174 4175 error = wg_if_attach(wg); 4176 if (error) 4177 goto fail3; 4178 4179 return 0; 4180 4181 fail4: __unused 4182 wg_destroy_all_peers(wg); 4183 wg_if_detach(wg); 4184 fail3: 4185 #ifdef INET6 4186 solock(wg->wg_so6); 4187 wg->wg_so6->so_rcv.sb_flags &= ~SB_UPCALL; 4188 sounlock(wg->wg_so6); 4189 #endif 4190 #ifdef INET 4191 solock(wg->wg_so4); 4192 wg->wg_so4->so_rcv.sb_flags &= ~SB_UPCALL; 4193 sounlock(wg->wg_so4); 4194 #endif 4195 mutex_enter(wg->wg_intr_lock); 4196 threadpool_cancel_job(wg->wg_threadpool, &wg->wg_job); 4197 mutex_exit(wg->wg_intr_lock); 4198 #ifdef INET6 4199 if (wg->wg_rtable_ipv6 != NULL) 4200 free(wg->wg_rtable_ipv6, M_RTABLE); 4201 soclose(wg->wg_so6); 4202 fail2: 4203 #endif 4204 #ifdef INET 4205 if (wg->wg_rtable_ipv4 != NULL) 4206 free(wg->wg_rtable_ipv4, M_RTABLE); 4207 soclose(wg->wg_so4); 4208 fail1: 4209 #endif 4210 threadpool_put(wg->wg_threadpool, PRI_NONE); 4211 fail0: threadpool_job_destroy(&wg->wg_job); 4212 rw_obj_free(wg->wg_rwlock); 4213 mutex_obj_free(wg->wg_intr_lock); 4214 mutex_obj_free(wg->wg_lock); 4215 thmap_destroy(wg->wg_sessions_byindex); 4216 thmap_destroy(wg->wg_peers_byname); 4217 thmap_destroy(wg->wg_peers_bypubkey); 4218 PSLIST_DESTROY(&wg->wg_peers); 4219 kmem_free(wg, sizeof(*wg)); 4220 wg_count_dec(); 4221 return error; 4222 } 4223 4224 static int 4225 wg_clone_destroy(struct ifnet *ifp) 4226 { 4227 struct wg_softc *wg = container_of(ifp, struct wg_softc, wg_if); 4228 4229 #ifdef WG_RUMPKERNEL 4230 if (wg_user_mode(wg)) { 4231 rumpuser_wg_destroy(wg->wg_user); 4232 wg->wg_user = NULL; 4233 } 4234 #endif 4235 4236 wg_destroy_all_peers(wg); 4237 wg_if_detach(wg); 4238 #ifdef INET6 4239 solock(wg->wg_so6); 4240 wg->wg_so6->so_rcv.sb_flags &= ~SB_UPCALL; 4241 sounlock(wg->wg_so6); 4242 #endif 4243 #ifdef INET 4244 solock(wg->wg_so4); 4245 wg->wg_so4->so_rcv.sb_flags &= ~SB_UPCALL; 4246 sounlock(wg->wg_so4); 4247 #endif 4248 mutex_enter(wg->wg_intr_lock); 4249 threadpool_cancel_job(wg->wg_threadpool, &wg->wg_job); 4250 mutex_exit(wg->wg_intr_lock); 4251 #ifdef INET6 4252 if (wg->wg_rtable_ipv6 != NULL) 4253 free(wg->wg_rtable_ipv6, M_RTABLE); 4254 soclose(wg->wg_so6); 4255 #endif 4256 #ifdef INET 4257 if (wg->wg_rtable_ipv4 != NULL) 4258 free(wg->wg_rtable_ipv4, M_RTABLE); 4259 soclose(wg->wg_so4); 4260 #endif 4261 threadpool_put(wg->wg_threadpool, PRI_NONE); 4262 threadpool_job_destroy(&wg->wg_job); 4263 rw_obj_free(wg->wg_rwlock); 4264 mutex_obj_free(wg->wg_intr_lock); 4265 mutex_obj_free(wg->wg_lock); 4266 thmap_destroy(wg->wg_sessions_byindex); 4267 thmap_destroy(wg->wg_peers_byname); 4268 thmap_destroy(wg->wg_peers_bypubkey); 4269 PSLIST_DESTROY(&wg->wg_peers); 4270 kmem_free(wg, sizeof(*wg)); 4271 wg_count_dec(); 4272 4273 return 0; 4274 } 4275 4276 static struct wg_peer * 4277 wg_pick_peer_by_sa(struct wg_softc *wg, const struct sockaddr *sa, 4278 struct psref *psref) 4279 { 4280 struct radix_node_head *rnh; 4281 struct radix_node *rn; 4282 struct wg_peer *wgp = NULL; 4283 struct wg_allowedip *wga; 4284 4285 #ifdef WG_DEBUG_LOG 4286 char addrstr[128]; 4287 sockaddr_format(sa, addrstr, sizeof(addrstr)); 4288 WG_DLOG("sa=%s\n", addrstr); 4289 #endif 4290 4291 rw_enter(wg->wg_rwlock, RW_READER); 4292 4293 rnh = wg_rnh(wg, sa->sa_family); 4294 if (rnh == NULL) 4295 goto out; 4296 4297 rn = rnh->rnh_matchaddr(sa, rnh); 4298 if (rn == NULL || (rn->rn_flags & RNF_ROOT) != 0) 4299 goto out; 4300 4301 WG_TRACE("success"); 4302 4303 wga = container_of(rn, struct wg_allowedip, wga_nodes[0]); 4304 wgp = wga->wga_peer; 4305 wg_get_peer(wgp, psref); 4306 4307 out: 4308 rw_exit(wg->wg_rwlock); 4309 return wgp; 4310 } 4311 4312 static void 4313 wg_fill_msg_data(struct wg_softc *wg, struct wg_peer *wgp, 4314 struct wg_session *wgs, struct wg_msg_data *wgmd) 4315 { 4316 4317 memset(wgmd, 0, sizeof(*wgmd)); 4318 wgmd->wgmd_type = htole32(WG_MSG_TYPE_DATA); 4319 wgmd->wgmd_receiver = wgs->wgs_remote_index; 4320 /* [W] 5.4.6: msg.counter := Nm^send */ 4321 /* [W] 5.4.6: Nm^send := Nm^send + 1 */ 4322 wgmd->wgmd_counter = htole64(wg_session_inc_send_counter(wgs)); 4323 WG_DLOG("counter=%"PRIu64"\n", le64toh(wgmd->wgmd_counter)); 4324 } 4325 4326 static int 4327 wg_output(struct ifnet *ifp, struct mbuf *m, const struct sockaddr *dst, 4328 const struct rtentry *rt) 4329 { 4330 struct wg_softc *wg = ifp->if_softc; 4331 struct wg_peer *wgp = NULL; 4332 struct psref wgp_psref; 4333 int bound; 4334 int error; 4335 4336 bound = curlwp_bind(); 4337 4338 /* TODO make the nest limit configurable via sysctl */ 4339 error = if_tunnel_check_nesting(ifp, m, 1); 4340 if (error) { 4341 WGLOG(LOG_ERR, 4342 "%s: tunneling loop detected and packet dropped\n", 4343 if_name(&wg->wg_if)); 4344 goto out0; 4345 } 4346 4347 #ifdef ALTQ 4348 bool altq = atomic_load_relaxed(&ifp->if_snd.altq_flags) 4349 & ALTQF_ENABLED; 4350 if (altq) 4351 IFQ_CLASSIFY(&ifp->if_snd, m, dst->sa_family); 4352 #endif 4353 4354 bpf_mtap_af(ifp, dst->sa_family, m, BPF_D_OUT); 4355 4356 m->m_flags &= ~(M_BCAST|M_MCAST); 4357 4358 wgp = wg_pick_peer_by_sa(wg, dst, &wgp_psref); 4359 if (wgp == NULL) { 4360 WG_TRACE("peer not found"); 4361 error = EHOSTUNREACH; 4362 goto out0; 4363 } 4364 4365 /* Clear checksum-offload flags. */ 4366 m->m_pkthdr.csum_flags = 0; 4367 m->m_pkthdr.csum_data = 0; 4368 4369 /* Toss it in the queue. */ 4370 #ifdef ALTQ 4371 if (altq) { 4372 mutex_enter(ifp->if_snd.ifq_lock); 4373 if (ALTQ_IS_ENABLED(&ifp->if_snd)) { 4374 M_SETCTX(m, wgp); 4375 ALTQ_ENQUEUE(&ifp->if_snd, m, error); 4376 m = NULL; /* consume */ 4377 } 4378 mutex_exit(ifp->if_snd.ifq_lock); 4379 if (m == NULL) { 4380 wg_start(ifp); 4381 goto out1; 4382 } 4383 } 4384 #endif 4385 kpreempt_disable(); 4386 const uint32_t h = curcpu()->ci_index; // pktq_rps_hash(m) 4387 M_SETCTX(m, wgp); 4388 if (__predict_false(!pktq_enqueue(wg_pktq, m, h))) { 4389 WGLOG(LOG_ERR, "%s: pktq full, dropping\n", 4390 if_name(&wg->wg_if)); 4391 error = ENOBUFS; 4392 goto out2; 4393 } 4394 m = NULL; /* consumed */ 4395 error = 0; 4396 out2: kpreempt_enable(); 4397 4398 #ifdef ALTQ 4399 out1: 4400 #endif 4401 wg_put_peer(wgp, &wgp_psref); 4402 out0: m_freem(m); 4403 curlwp_bindx(bound); 4404 return error; 4405 } 4406 4407 static int 4408 wg_send_data(struct wg_peer *wgp, struct mbuf *m) 4409 { 4410 struct psref psref; 4411 struct wg_sockaddr *wgsa; 4412 int error; 4413 struct socket *so; 4414 4415 wgsa = wg_get_endpoint_sa(wgp, &psref); 4416 so = wg_get_so_by_peer(wgp, wgsa); 4417 solock(so); 4418 switch (wgsatosa(wgsa)->sa_family) { 4419 #ifdef INET 4420 case AF_INET: 4421 error = udp_send(so, m, wgsatosa(wgsa), NULL, curlwp); 4422 break; 4423 #endif 4424 #ifdef INET6 4425 case AF_INET6: 4426 error = udp6_output(sotoinpcb(so), m, wgsatosin6(wgsa), 4427 NULL, curlwp); 4428 break; 4429 #endif 4430 default: 4431 m_freem(m); 4432 error = EPFNOSUPPORT; 4433 } 4434 sounlock(so); 4435 wg_put_sa(wgp, wgsa, &psref); 4436 4437 return error; 4438 } 4439 4440 /* Inspired by pppoe_get_mbuf */ 4441 static struct mbuf * 4442 wg_get_mbuf(size_t leading_len, size_t len) 4443 { 4444 struct mbuf *m; 4445 4446 KASSERT(leading_len <= MCLBYTES); 4447 KASSERT(len <= MCLBYTES - leading_len); 4448 4449 m = m_gethdr(M_DONTWAIT, MT_DATA); 4450 if (m == NULL) 4451 return NULL; 4452 if (len + leading_len > MHLEN) { 4453 m_clget(m, M_DONTWAIT); 4454 if ((m->m_flags & M_EXT) == 0) { 4455 m_free(m); 4456 return NULL; 4457 } 4458 } 4459 m->m_data += leading_len; 4460 m->m_pkthdr.len = m->m_len = len; 4461 4462 return m; 4463 } 4464 4465 static void 4466 wg_send_data_msg(struct wg_peer *wgp, struct wg_session *wgs, struct mbuf *m) 4467 { 4468 struct wg_softc *wg = wgp->wgp_sc; 4469 int error; 4470 size_t inner_len, padded_len, encrypted_len; 4471 char *padded_buf = NULL; 4472 size_t mlen; 4473 struct wg_msg_data *wgmd; 4474 bool free_padded_buf = false; 4475 struct mbuf *n; 4476 size_t leading_len = max_hdr + sizeof(struct udphdr); 4477 4478 mlen = m_length(m); 4479 inner_len = mlen; 4480 padded_len = roundup(mlen, 16); 4481 encrypted_len = padded_len + WG_AUTHTAG_LEN; 4482 WG_DLOG("inner=%zu, padded=%zu, encrypted_len=%zu\n", 4483 inner_len, padded_len, encrypted_len); 4484 if (mlen != 0) { 4485 bool success; 4486 success = m_ensure_contig(&m, padded_len); 4487 if (success) { 4488 padded_buf = mtod(m, char *); 4489 } else { 4490 padded_buf = kmem_intr_alloc(padded_len, KM_NOSLEEP); 4491 if (padded_buf == NULL) { 4492 error = ENOBUFS; 4493 goto out; 4494 } 4495 free_padded_buf = true; 4496 m_copydata(m, 0, mlen, padded_buf); 4497 } 4498 memset(padded_buf + mlen, 0, padded_len - inner_len); 4499 } 4500 4501 n = wg_get_mbuf(leading_len, sizeof(*wgmd) + encrypted_len); 4502 if (n == NULL) { 4503 error = ENOBUFS; 4504 goto out; 4505 } 4506 KASSERT(n->m_len >= sizeof(*wgmd)); 4507 wgmd = mtod(n, struct wg_msg_data *); 4508 wg_fill_msg_data(wg, wgp, wgs, wgmd); 4509 4510 /* [W] 5.4.6: AEAD(Tm^send, Nm^send, P, e) */ 4511 wg_algo_aead_enc((char *)wgmd + sizeof(*wgmd), encrypted_len, 4512 wgs->wgs_tkey_send, le64toh(wgmd->wgmd_counter), 4513 padded_buf, padded_len, 4514 NULL, 0); 4515 4516 error = wg->wg_ops->send_data_msg(wgp, n); /* consumes n */ 4517 if (error) { 4518 WG_DLOG("send_data_msg failed, error=%d\n", error); 4519 goto out; 4520 } 4521 4522 /* 4523 * Packet was sent out -- count it in the interface statistics. 4524 */ 4525 if_statadd(&wg->wg_if, if_obytes, mlen); 4526 if_statinc(&wg->wg_if, if_opackets); 4527 4528 /* 4529 * Record when we last sent data, for determining when we need 4530 * to send a passive keepalive. 4531 * 4532 * Other logic assumes that wgs_time_last_data_sent is zero iff 4533 * we have never sent data on this session. Early at boot, if 4534 * wg(4) starts operating within <1sec, or after 136 years of 4535 * uptime, we may observe time_uptime32 = 0. In that case, 4536 * pretend we observed 1 instead. That way, we correctly 4537 * indicate we have sent data on this session; the only logic 4538 * this might adversely affect is the keepalive timeout 4539 * detection, which might spuriously send a keepalive during 4540 * one second every 136 years. All of this is very silly, of 4541 * course, but the cost to guaranteeing wgs_time_last_data_sent 4542 * is nonzero is negligible here. 4543 */ 4544 const uint32_t now = time_uptime32; 4545 atomic_store_relaxed(&wgs->wgs_time_last_data_sent, MAX(now, 1)); 4546 4547 /* 4548 * Check rekey-after-time. 4549 */ 4550 if (wgs->wgs_is_initiator && 4551 now - wgs->wgs_time_established >= wg_rekey_after_time) { 4552 /* 4553 * [W] 6.2 Transport Message Limits 4554 * "if a peer is the initiator of a current secure 4555 * session, WireGuard will send a handshake initiation 4556 * message to begin a new secure session if, after 4557 * transmitting a transport data message, the current 4558 * secure session is REKEY-AFTER-TIME seconds old," 4559 */ 4560 WG_TRACE("rekey after time"); 4561 atomic_store_relaxed(&wgs->wgs_force_rekey, true); 4562 wg_schedule_peer_task(wgp, WGP_TASK_SEND_INIT_MESSAGE); 4563 } 4564 4565 /* 4566 * Check rekey-after-messages. 4567 */ 4568 if (wg_session_get_send_counter(wgs) >= wg_rekey_after_messages) { 4569 /* 4570 * [W] 6.2 Transport Message Limits 4571 * "WireGuard will try to create a new session, by 4572 * sending a handshake initiation message (section 4573 * 5.4.2), after it has sent REKEY-AFTER-MESSAGES 4574 * transport data messages..." 4575 */ 4576 WG_TRACE("rekey after messages"); 4577 atomic_store_relaxed(&wgs->wgs_force_rekey, true); 4578 wg_schedule_peer_task(wgp, WGP_TASK_SEND_INIT_MESSAGE); 4579 } 4580 4581 out: m_freem(m); 4582 if (free_padded_buf) 4583 kmem_intr_free(padded_buf, padded_len); 4584 } 4585 4586 static void 4587 wg_input(struct ifnet *ifp, struct mbuf *m, const int af) 4588 { 4589 pktqueue_t *pktq; 4590 size_t pktlen; 4591 4592 KASSERT(af == AF_INET || af == AF_INET6); 4593 4594 WG_TRACE(""); 4595 4596 m_set_rcvif(m, ifp); 4597 pktlen = m->m_pkthdr.len; 4598 4599 bpf_mtap_af(ifp, af, m, BPF_D_IN); 4600 4601 switch (af) { 4602 #ifdef INET 4603 case AF_INET: 4604 pktq = ip_pktq; 4605 break; 4606 #endif 4607 #ifdef INET6 4608 case AF_INET6: 4609 pktq = ip6_pktq; 4610 break; 4611 #endif 4612 default: 4613 panic("invalid af=%d", af); 4614 } 4615 4616 kpreempt_disable(); 4617 const u_int h = curcpu()->ci_index; 4618 if (__predict_true(pktq_enqueue(pktq, m, h))) { 4619 if_statadd(ifp, if_ibytes, pktlen); 4620 if_statinc(ifp, if_ipackets); 4621 } else { 4622 m_freem(m); 4623 } 4624 kpreempt_enable(); 4625 } 4626 4627 static void 4628 wg_calc_pubkey(uint8_t pubkey[static WG_STATIC_KEY_LEN], 4629 const uint8_t privkey[static WG_STATIC_KEY_LEN]) 4630 { 4631 4632 crypto_scalarmult_base(pubkey, privkey); 4633 } 4634 4635 static int 4636 wg_rtable_add_route(struct wg_softc *wg, struct wg_allowedip *wga) 4637 { 4638 struct radix_node_head *rnh; 4639 struct radix_node *rn; 4640 int error = 0; 4641 4642 rw_enter(wg->wg_rwlock, RW_WRITER); 4643 rnh = wg_rnh(wg, wga->wga_family); 4644 KASSERT(rnh != NULL); 4645 rn = rnh->rnh_addaddr(&wga->wga_sa_addr, &wga->wga_sa_mask, rnh, 4646 wga->wga_nodes); 4647 rw_exit(wg->wg_rwlock); 4648 4649 if (rn == NULL) 4650 error = EEXIST; 4651 4652 return error; 4653 } 4654 4655 static int 4656 wg_handle_prop_peer(struct wg_softc *wg, prop_dictionary_t peer, 4657 struct wg_peer **wgpp) 4658 { 4659 int error = 0; 4660 const void *pubkey; 4661 size_t pubkey_len; 4662 const void *psk; 4663 size_t psk_len; 4664 const char *name = NULL; 4665 4666 if (prop_dictionary_get_string(peer, "name", &name)) { 4667 if (strlen(name) > WG_PEER_NAME_MAXLEN) { 4668 error = EINVAL; 4669 goto out; 4670 } 4671 } 4672 4673 if (!prop_dictionary_get_data(peer, "public_key", 4674 &pubkey, &pubkey_len)) { 4675 error = EINVAL; 4676 goto out; 4677 } 4678 #ifdef WG_DEBUG_DUMP 4679 if (wg_debug & WG_DEBUG_FLAGS_DUMP) { 4680 char *hex = gethexdump(pubkey, pubkey_len); 4681 log(LOG_DEBUG, "pubkey=%p, pubkey_len=%zu\n%s\n", 4682 pubkey, pubkey_len, hex); 4683 puthexdump(hex, pubkey, pubkey_len); 4684 } 4685 #endif 4686 4687 struct wg_peer *wgp = wg_alloc_peer(wg); 4688 memcpy(wgp->wgp_pubkey, pubkey, sizeof(wgp->wgp_pubkey)); 4689 if (name != NULL) 4690 strncpy(wgp->wgp_name, name, sizeof(wgp->wgp_name)); 4691 4692 if (prop_dictionary_get_data(peer, "preshared_key", &psk, &psk_len)) { 4693 if (psk_len != sizeof(wgp->wgp_psk)) { 4694 error = EINVAL; 4695 goto out; 4696 } 4697 memcpy(wgp->wgp_psk, psk, sizeof(wgp->wgp_psk)); 4698 } 4699 4700 const void *addr; 4701 size_t addr_len; 4702 struct wg_sockaddr *wgsa = wgp->wgp_endpoint; 4703 4704 if (!prop_dictionary_get_data(peer, "endpoint", &addr, &addr_len)) 4705 goto skip_endpoint; 4706 if (addr_len < sizeof(*wgsatosa(wgsa)) || 4707 addr_len > sizeof(*wgsatoss(wgsa))) { 4708 error = EINVAL; 4709 goto out; 4710 } 4711 memcpy(wgsatoss(wgsa), addr, addr_len); 4712 switch (wgsa_family(wgsa)) { 4713 #ifdef INET 4714 case AF_INET: 4715 break; 4716 #endif 4717 #ifdef INET6 4718 case AF_INET6: 4719 break; 4720 #endif 4721 default: 4722 error = EPFNOSUPPORT; 4723 goto out; 4724 } 4725 if (addr_len != sockaddr_getsize_by_family(wgsa_family(wgsa))) { 4726 error = EINVAL; 4727 goto out; 4728 } 4729 { 4730 char addrstr[128]; 4731 sockaddr_format(wgsatosa(wgsa), addrstr, sizeof(addrstr)); 4732 WG_DLOG("addr=%s\n", addrstr); 4733 } 4734 wgp->wgp_endpoint_available = true; 4735 4736 prop_array_t allowedips; 4737 skip_endpoint: 4738 allowedips = prop_dictionary_get(peer, "allowedips"); 4739 if (allowedips == NULL) 4740 goto skip; 4741 4742 prop_object_iterator_t _it = prop_array_iterator(allowedips); 4743 prop_dictionary_t prop_allowedip; 4744 int j = 0; 4745 while ((prop_allowedip = prop_object_iterator_next(_it)) != NULL) { 4746 struct wg_allowedip *wga = &wgp->wgp_allowedips[j]; 4747 4748 if (!prop_dictionary_get_int(prop_allowedip, "family", 4749 &wga->wga_family)) 4750 continue; 4751 if (!prop_dictionary_get_data(prop_allowedip, "ip", 4752 &addr, &addr_len)) 4753 continue; 4754 if (!prop_dictionary_get_uint8(prop_allowedip, "cidr", 4755 &wga->wga_cidr)) 4756 continue; 4757 4758 switch (wga->wga_family) { 4759 #ifdef INET 4760 case AF_INET: { 4761 struct sockaddr_in sin; 4762 char addrstr[128]; 4763 struct in_addr mask; 4764 struct sockaddr_in sin_mask; 4765 4766 if (addr_len != sizeof(struct in_addr)) 4767 return EINVAL; 4768 memcpy(&wga->wga_addr4, addr, addr_len); 4769 4770 sockaddr_in_init(&sin, (const struct in_addr *)addr, 4771 0); 4772 sockaddr_copy(&wga->wga_sa_addr, 4773 sizeof(sin), sintosa(&sin)); 4774 4775 sockaddr_format(sintosa(&sin), 4776 addrstr, sizeof(addrstr)); 4777 WG_DLOG("addr=%s/%d\n", addrstr, wga->wga_cidr); 4778 4779 in_len2mask(&mask, wga->wga_cidr); 4780 sockaddr_in_init(&sin_mask, &mask, 0); 4781 sockaddr_copy(&wga->wga_sa_mask, 4782 sizeof(sin_mask), sintosa(&sin_mask)); 4783 4784 break; 4785 } 4786 #endif 4787 #ifdef INET6 4788 case AF_INET6: { 4789 struct sockaddr_in6 sin6; 4790 char addrstr[128]; 4791 struct in6_addr mask; 4792 struct sockaddr_in6 sin6_mask; 4793 4794 if (addr_len != sizeof(struct in6_addr)) 4795 return EINVAL; 4796 memcpy(&wga->wga_addr6, addr, addr_len); 4797 4798 sockaddr_in6_init(&sin6, (const struct in6_addr *)addr, 4799 0, 0, 0); 4800 sockaddr_copy(&wga->wga_sa_addr, 4801 sizeof(sin6), sin6tosa(&sin6)); 4802 4803 sockaddr_format(sin6tosa(&sin6), 4804 addrstr, sizeof(addrstr)); 4805 WG_DLOG("addr=%s/%d\n", addrstr, wga->wga_cidr); 4806 4807 in6_prefixlen2mask(&mask, wga->wga_cidr); 4808 sockaddr_in6_init(&sin6_mask, &mask, 0, 0, 0); 4809 sockaddr_copy(&wga->wga_sa_mask, 4810 sizeof(sin6_mask), sin6tosa(&sin6_mask)); 4811 4812 break; 4813 } 4814 #endif 4815 default: 4816 error = EINVAL; 4817 goto out; 4818 } 4819 wga->wga_peer = wgp; 4820 4821 error = wg_rtable_add_route(wg, wga); 4822 if (error != 0) 4823 goto out; 4824 4825 j++; 4826 } 4827 wgp->wgp_n_allowedips = j; 4828 skip: 4829 *wgpp = wgp; 4830 out: 4831 return error; 4832 } 4833 4834 static int 4835 wg_alloc_prop_buf(char **_buf, struct ifdrv *ifd) 4836 { 4837 int error; 4838 char *buf; 4839 4840 WG_DLOG("buf=%p, len=%zu\n", ifd->ifd_data, ifd->ifd_len); 4841 if (ifd->ifd_len >= WG_MAX_PROPLEN) 4842 return E2BIG; 4843 buf = kmem_alloc(ifd->ifd_len + 1, KM_SLEEP); 4844 error = copyin(ifd->ifd_data, buf, ifd->ifd_len); 4845 if (error != 0) 4846 return error; 4847 buf[ifd->ifd_len] = '\0'; 4848 #ifdef WG_DEBUG_DUMP 4849 if (wg_debug & WG_DEBUG_FLAGS_DUMP) { 4850 log(LOG_DEBUG, "%.*s\n", (int)MIN(INT_MAX, ifd->ifd_len), 4851 (const char *)buf); 4852 } 4853 #endif 4854 *_buf = buf; 4855 return 0; 4856 } 4857 4858 static int 4859 wg_ioctl_set_private_key(struct wg_softc *wg, struct ifdrv *ifd) 4860 { 4861 int error; 4862 prop_dictionary_t prop_dict; 4863 char *buf = NULL; 4864 const void *privkey; 4865 size_t privkey_len; 4866 4867 error = wg_alloc_prop_buf(&buf, ifd); 4868 if (error != 0) 4869 return error; 4870 error = EINVAL; 4871 prop_dict = prop_dictionary_internalize(buf); 4872 if (prop_dict == NULL) 4873 goto out; 4874 if (!prop_dictionary_get_data(prop_dict, "private_key", 4875 &privkey, &privkey_len)) 4876 goto out; 4877 #ifdef WG_DEBUG_DUMP 4878 if (wg_debug & WG_DEBUG_FLAGS_DUMP) { 4879 char *hex = gethexdump(privkey, privkey_len); 4880 log(LOG_DEBUG, "privkey=%p, privkey_len=%zu\n%s\n", 4881 privkey, privkey_len, hex); 4882 puthexdump(hex, privkey, privkey_len); 4883 } 4884 #endif 4885 if (privkey_len != WG_STATIC_KEY_LEN) 4886 goto out; 4887 memcpy(wg->wg_privkey, privkey, WG_STATIC_KEY_LEN); 4888 wg_calc_pubkey(wg->wg_pubkey, wg->wg_privkey); 4889 error = 0; 4890 4891 out: 4892 kmem_free(buf, ifd->ifd_len + 1); 4893 return error; 4894 } 4895 4896 static int 4897 wg_ioctl_set_listen_port(struct wg_softc *wg, struct ifdrv *ifd) 4898 { 4899 int error; 4900 prop_dictionary_t prop_dict; 4901 char *buf = NULL; 4902 uint16_t port; 4903 4904 error = wg_alloc_prop_buf(&buf, ifd); 4905 if (error != 0) 4906 return error; 4907 error = EINVAL; 4908 prop_dict = prop_dictionary_internalize(buf); 4909 if (prop_dict == NULL) 4910 goto out; 4911 if (!prop_dictionary_get_uint16(prop_dict, "listen_port", &port)) 4912 goto out; 4913 4914 error = wg->wg_ops->bind_port(wg, (uint16_t)port); 4915 4916 out: 4917 kmem_free(buf, ifd->ifd_len + 1); 4918 return error; 4919 } 4920 4921 static int 4922 wg_ioctl_add_peer(struct wg_softc *wg, struct ifdrv *ifd) 4923 { 4924 int error; 4925 prop_dictionary_t prop_dict; 4926 char *buf = NULL; 4927 struct wg_peer *wgp = NULL, *wgp0 __diagused; 4928 4929 error = wg_alloc_prop_buf(&buf, ifd); 4930 if (error != 0) 4931 return error; 4932 error = EINVAL; 4933 prop_dict = prop_dictionary_internalize(buf); 4934 if (prop_dict == NULL) 4935 goto out; 4936 4937 error = wg_handle_prop_peer(wg, prop_dict, &wgp); 4938 if (error != 0) 4939 goto out; 4940 4941 mutex_enter(wg->wg_lock); 4942 if (thmap_get(wg->wg_peers_bypubkey, wgp->wgp_pubkey, 4943 sizeof(wgp->wgp_pubkey)) != NULL || 4944 (wgp->wgp_name[0] && 4945 thmap_get(wg->wg_peers_byname, wgp->wgp_name, 4946 strlen(wgp->wgp_name)) != NULL)) { 4947 mutex_exit(wg->wg_lock); 4948 wg_destroy_peer(wgp); 4949 error = EEXIST; 4950 goto out; 4951 } 4952 wgp0 = thmap_put(wg->wg_peers_bypubkey, wgp->wgp_pubkey, 4953 sizeof(wgp->wgp_pubkey), wgp); 4954 KASSERT(wgp0 == wgp); 4955 if (wgp->wgp_name[0]) { 4956 wgp0 = thmap_put(wg->wg_peers_byname, wgp->wgp_name, 4957 strlen(wgp->wgp_name), wgp); 4958 KASSERT(wgp0 == wgp); 4959 } 4960 WG_PEER_WRITER_INSERT_HEAD(wgp, wg); 4961 wg->wg_npeers++; 4962 mutex_exit(wg->wg_lock); 4963 4964 if_link_state_change(&wg->wg_if, LINK_STATE_UP); 4965 4966 out: 4967 kmem_free(buf, ifd->ifd_len + 1); 4968 return error; 4969 } 4970 4971 static int 4972 wg_ioctl_delete_peer(struct wg_softc *wg, struct ifdrv *ifd) 4973 { 4974 int error; 4975 prop_dictionary_t prop_dict; 4976 char *buf = NULL; 4977 const char *name; 4978 4979 error = wg_alloc_prop_buf(&buf, ifd); 4980 if (error != 0) 4981 return error; 4982 error = EINVAL; 4983 prop_dict = prop_dictionary_internalize(buf); 4984 if (prop_dict == NULL) 4985 goto out; 4986 4987 if (!prop_dictionary_get_string(prop_dict, "name", &name)) 4988 goto out; 4989 if (strlen(name) > WG_PEER_NAME_MAXLEN) 4990 goto out; 4991 4992 error = wg_destroy_peer_name(wg, name); 4993 out: 4994 kmem_free(buf, ifd->ifd_len + 1); 4995 return error; 4996 } 4997 4998 static bool 4999 wg_is_authorized(struct wg_softc *wg, u_long cmd) 5000 { 5001 int au = cmd == SIOCGDRVSPEC ? 5002 KAUTH_REQ_NETWORK_INTERFACE_WG_GETPRIV : 5003 KAUTH_REQ_NETWORK_INTERFACE_WG_SETPRIV; 5004 return kauth_authorize_network(kauth_cred_get(), 5005 KAUTH_NETWORK_INTERFACE_WG, au, &wg->wg_if, 5006 (void *)cmd, NULL) == 0; 5007 } 5008 5009 static int 5010 wg_ioctl_get(struct wg_softc *wg, struct ifdrv *ifd) 5011 { 5012 int error = ENOMEM; 5013 prop_dictionary_t prop_dict; 5014 prop_array_t peers = NULL; 5015 char *buf; 5016 struct wg_peer *wgp; 5017 int s, i; 5018 5019 prop_dict = prop_dictionary_create(); 5020 if (prop_dict == NULL) 5021 goto error; 5022 5023 if (wg_is_authorized(wg, SIOCGDRVSPEC)) { 5024 if (!prop_dictionary_set_data(prop_dict, "private_key", 5025 wg->wg_privkey, WG_STATIC_KEY_LEN)) 5026 goto error; 5027 } 5028 5029 if (wg->wg_listen_port != 0) { 5030 if (!prop_dictionary_set_uint16(prop_dict, "listen_port", 5031 wg->wg_listen_port)) 5032 goto error; 5033 } 5034 5035 if (wg->wg_npeers == 0) 5036 goto skip_peers; 5037 5038 peers = prop_array_create(); 5039 if (peers == NULL) 5040 goto error; 5041 5042 s = pserialize_read_enter(); 5043 i = 0; 5044 WG_PEER_READER_FOREACH(wgp, wg) { 5045 struct wg_sockaddr *wgsa; 5046 struct psref wgp_psref, wgsa_psref; 5047 prop_dictionary_t prop_peer; 5048 5049 wg_get_peer(wgp, &wgp_psref); 5050 pserialize_read_exit(s); 5051 5052 prop_peer = prop_dictionary_create(); 5053 if (prop_peer == NULL) 5054 goto next; 5055 5056 if (strlen(wgp->wgp_name) > 0) { 5057 if (!prop_dictionary_set_string(prop_peer, "name", 5058 wgp->wgp_name)) 5059 goto next; 5060 } 5061 5062 if (!prop_dictionary_set_data(prop_peer, "public_key", 5063 wgp->wgp_pubkey, sizeof(wgp->wgp_pubkey))) 5064 goto next; 5065 5066 uint8_t psk_zero[WG_PRESHARED_KEY_LEN] = {0}; 5067 if (!consttime_memequal(wgp->wgp_psk, psk_zero, 5068 sizeof(wgp->wgp_psk))) { 5069 if (wg_is_authorized(wg, SIOCGDRVSPEC)) { 5070 if (!prop_dictionary_set_data(prop_peer, 5071 "preshared_key", 5072 wgp->wgp_psk, sizeof(wgp->wgp_psk))) 5073 goto next; 5074 } 5075 } 5076 5077 wgsa = wg_get_endpoint_sa(wgp, &wgsa_psref); 5078 CTASSERT(AF_UNSPEC == 0); 5079 if (wgsa_family(wgsa) != 0 /*AF_UNSPEC*/ && 5080 !prop_dictionary_set_data(prop_peer, "endpoint", 5081 wgsatoss(wgsa), 5082 sockaddr_getsize_by_family(wgsa_family(wgsa)))) { 5083 wg_put_sa(wgp, wgsa, &wgsa_psref); 5084 goto next; 5085 } 5086 wg_put_sa(wgp, wgsa, &wgsa_psref); 5087 5088 const struct timespec *t = &wgp->wgp_last_handshake_time; 5089 5090 if (!prop_dictionary_set_uint64(prop_peer, 5091 "last_handshake_time_sec", (uint64_t)t->tv_sec)) 5092 goto next; 5093 if (!prop_dictionary_set_uint32(prop_peer, 5094 "last_handshake_time_nsec", (uint32_t)t->tv_nsec)) 5095 goto next; 5096 5097 if (wgp->wgp_n_allowedips == 0) 5098 goto skip_allowedips; 5099 5100 prop_array_t allowedips = prop_array_create(); 5101 if (allowedips == NULL) 5102 goto next; 5103 for (int j = 0; j < wgp->wgp_n_allowedips; j++) { 5104 struct wg_allowedip *wga = &wgp->wgp_allowedips[j]; 5105 prop_dictionary_t prop_allowedip; 5106 5107 prop_allowedip = prop_dictionary_create(); 5108 if (prop_allowedip == NULL) 5109 break; 5110 5111 if (!prop_dictionary_set_int(prop_allowedip, "family", 5112 wga->wga_family)) 5113 goto _next; 5114 if (!prop_dictionary_set_uint8(prop_allowedip, "cidr", 5115 wga->wga_cidr)) 5116 goto _next; 5117 5118 switch (wga->wga_family) { 5119 #ifdef INET 5120 case AF_INET: 5121 if (!prop_dictionary_set_data(prop_allowedip, 5122 "ip", &wga->wga_addr4, 5123 sizeof(wga->wga_addr4))) 5124 goto _next; 5125 break; 5126 #endif 5127 #ifdef INET6 5128 case AF_INET6: 5129 if (!prop_dictionary_set_data(prop_allowedip, 5130 "ip", &wga->wga_addr6, 5131 sizeof(wga->wga_addr6))) 5132 goto _next; 5133 break; 5134 #endif 5135 default: 5136 panic("invalid af=%d", wga->wga_family); 5137 } 5138 prop_array_set(allowedips, j, prop_allowedip); 5139 _next: 5140 prop_object_release(prop_allowedip); 5141 } 5142 prop_dictionary_set(prop_peer, "allowedips", allowedips); 5143 prop_object_release(allowedips); 5144 5145 skip_allowedips: 5146 5147 prop_array_set(peers, i, prop_peer); 5148 next: 5149 if (prop_peer) 5150 prop_object_release(prop_peer); 5151 i++; 5152 5153 s = pserialize_read_enter(); 5154 wg_put_peer(wgp, &wgp_psref); 5155 } 5156 pserialize_read_exit(s); 5157 5158 prop_dictionary_set(prop_dict, "peers", peers); 5159 prop_object_release(peers); 5160 peers = NULL; 5161 5162 skip_peers: 5163 buf = prop_dictionary_externalize(prop_dict); 5164 if (buf == NULL) 5165 goto error; 5166 if (ifd->ifd_len < (strlen(buf) + 1)) { 5167 error = EINVAL; 5168 goto error; 5169 } 5170 error = copyout(buf, ifd->ifd_data, strlen(buf) + 1); 5171 5172 free(buf, 0); 5173 error: 5174 if (peers != NULL) 5175 prop_object_release(peers); 5176 if (prop_dict != NULL) 5177 prop_object_release(prop_dict); 5178 5179 return error; 5180 } 5181 5182 static int 5183 wg_ioctl(struct ifnet *ifp, u_long cmd, void *data) 5184 { 5185 struct wg_softc *wg = ifp->if_softc; 5186 struct ifreq *ifr = data; 5187 struct ifaddr *ifa = data; 5188 struct ifdrv *ifd = data; 5189 int error = 0; 5190 5191 switch (cmd) { 5192 case SIOCINITIFADDR: 5193 if (ifa->ifa_addr->sa_family != AF_LINK && 5194 (ifp->if_flags & (IFF_UP | IFF_RUNNING)) != 5195 (IFF_UP | IFF_RUNNING)) { 5196 ifp->if_flags |= IFF_UP; 5197 error = if_init(ifp); 5198 } 5199 return error; 5200 case SIOCADDMULTI: 5201 case SIOCDELMULTI: 5202 switch (ifr->ifr_addr.sa_family) { 5203 #ifdef INET 5204 case AF_INET: /* IP supports Multicast */ 5205 break; 5206 #endif 5207 #ifdef INET6 5208 case AF_INET6: /* IP6 supports Multicast */ 5209 break; 5210 #endif 5211 default: /* Other protocols doesn't support Multicast */ 5212 error = EAFNOSUPPORT; 5213 break; 5214 } 5215 return error; 5216 case SIOCSDRVSPEC: 5217 if (!wg_is_authorized(wg, cmd)) { 5218 return EPERM; 5219 } 5220 switch (ifd->ifd_cmd) { 5221 case WG_IOCTL_SET_PRIVATE_KEY: 5222 error = wg_ioctl_set_private_key(wg, ifd); 5223 break; 5224 case WG_IOCTL_SET_LISTEN_PORT: 5225 error = wg_ioctl_set_listen_port(wg, ifd); 5226 break; 5227 case WG_IOCTL_ADD_PEER: 5228 error = wg_ioctl_add_peer(wg, ifd); 5229 break; 5230 case WG_IOCTL_DELETE_PEER: 5231 error = wg_ioctl_delete_peer(wg, ifd); 5232 break; 5233 default: 5234 error = EINVAL; 5235 break; 5236 } 5237 return error; 5238 case SIOCGDRVSPEC: 5239 return wg_ioctl_get(wg, ifd); 5240 case SIOCSIFFLAGS: 5241 if ((error = ifioctl_common(ifp, cmd, data)) != 0) 5242 break; 5243 switch (ifp->if_flags & (IFF_UP|IFF_RUNNING)) { 5244 case IFF_RUNNING: 5245 /* 5246 * If interface is marked down and it is running, 5247 * then stop and disable it. 5248 */ 5249 if_stop(ifp, 1); 5250 break; 5251 case IFF_UP: 5252 /* 5253 * If interface is marked up and it is stopped, then 5254 * start it. 5255 */ 5256 error = if_init(ifp); 5257 break; 5258 default: 5259 break; 5260 } 5261 return error; 5262 #ifdef WG_RUMPKERNEL 5263 case SIOCSLINKSTR: 5264 error = wg_ioctl_linkstr(wg, ifd); 5265 if (error) 5266 return error; 5267 wg->wg_ops = &wg_ops_rumpuser; 5268 return 0; 5269 #endif 5270 default: 5271 break; 5272 } 5273 5274 error = ifioctl_common(ifp, cmd, data); 5275 5276 #ifdef WG_RUMPKERNEL 5277 if (!wg_user_mode(wg)) 5278 return error; 5279 5280 /* Do the same to the corresponding tun device on the host */ 5281 /* 5282 * XXX Actually the command has not been handled yet. It 5283 * will be handled via pr_ioctl form doifioctl later. 5284 */ 5285 switch (cmd) { 5286 #ifdef INET 5287 case SIOCAIFADDR: 5288 case SIOCDIFADDR: { 5289 struct in_aliasreq _ifra = *(const struct in_aliasreq *)data; 5290 struct in_aliasreq *ifra = &_ifra; 5291 KASSERT(error == ENOTTY); 5292 strncpy(ifra->ifra_name, rumpuser_wg_get_tunname(wg->wg_user), 5293 IFNAMSIZ); 5294 error = rumpuser_wg_ioctl(wg->wg_user, cmd, ifra, AF_INET); 5295 if (error == 0) 5296 error = ENOTTY; 5297 break; 5298 } 5299 #endif 5300 #ifdef INET6 5301 case SIOCAIFADDR_IN6: 5302 case SIOCDIFADDR_IN6: { 5303 struct in6_aliasreq _ifra = *(const struct in6_aliasreq *)data; 5304 struct in6_aliasreq *ifra = &_ifra; 5305 KASSERT(error == ENOTTY); 5306 strncpy(ifra->ifra_name, rumpuser_wg_get_tunname(wg->wg_user), 5307 IFNAMSIZ); 5308 error = rumpuser_wg_ioctl(wg->wg_user, cmd, ifra, AF_INET6); 5309 if (error == 0) 5310 error = ENOTTY; 5311 break; 5312 } 5313 #endif 5314 default: 5315 break; 5316 } 5317 #endif /* WG_RUMPKERNEL */ 5318 5319 return error; 5320 } 5321 5322 static int 5323 wg_init(struct ifnet *ifp) 5324 { 5325 5326 ifp->if_flags |= IFF_RUNNING; 5327 5328 /* TODO flush pending packets. */ 5329 return 0; 5330 } 5331 5332 #ifdef ALTQ 5333 static void 5334 wg_start(struct ifnet *ifp) 5335 { 5336 struct mbuf *m; 5337 5338 for (;;) { 5339 IFQ_DEQUEUE(&ifp->if_snd, m); 5340 if (m == NULL) 5341 break; 5342 5343 kpreempt_disable(); 5344 const uint32_t h = curcpu()->ci_index; // pktq_rps_hash(m) 5345 if (__predict_false(!pktq_enqueue(wg_pktq, m, h))) { 5346 WGLOG(LOG_ERR, "%s: pktq full, dropping\n", 5347 if_name(ifp)); 5348 m_freem(m); 5349 } 5350 kpreempt_enable(); 5351 } 5352 } 5353 #endif 5354 5355 static void 5356 wg_stop(struct ifnet *ifp, int disable) 5357 { 5358 5359 KASSERT((ifp->if_flags & IFF_RUNNING) != 0); 5360 ifp->if_flags &= ~IFF_RUNNING; 5361 5362 /* Need to do something? */ 5363 } 5364 5365 #ifdef WG_DEBUG_PARAMS 5366 SYSCTL_SETUP(sysctl_net_wg_setup, "sysctl net.wg setup") 5367 { 5368 const struct sysctlnode *node = NULL; 5369 5370 sysctl_createv(clog, 0, NULL, &node, 5371 CTLFLAG_PERMANENT, 5372 CTLTYPE_NODE, "wg", 5373 SYSCTL_DESCR("wg(4)"), 5374 NULL, 0, NULL, 0, 5375 CTL_NET, CTL_CREATE, CTL_EOL); 5376 sysctl_createv(clog, 0, &node, NULL, 5377 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 5378 CTLTYPE_QUAD, "rekey_after_messages", 5379 SYSCTL_DESCR("session liftime by messages"), 5380 NULL, 0, &wg_rekey_after_messages, 0, CTL_CREATE, CTL_EOL); 5381 sysctl_createv(clog, 0, &node, NULL, 5382 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 5383 CTLTYPE_INT, "rekey_after_time", 5384 SYSCTL_DESCR("session liftime"), 5385 NULL, 0, &wg_rekey_after_time, 0, CTL_CREATE, CTL_EOL); 5386 sysctl_createv(clog, 0, &node, NULL, 5387 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 5388 CTLTYPE_INT, "rekey_timeout", 5389 SYSCTL_DESCR("session handshake retry time"), 5390 NULL, 0, &wg_rekey_timeout, 0, CTL_CREATE, CTL_EOL); 5391 sysctl_createv(clog, 0, &node, NULL, 5392 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 5393 CTLTYPE_INT, "rekey_attempt_time", 5394 SYSCTL_DESCR("session handshake timeout"), 5395 NULL, 0, &wg_rekey_attempt_time, 0, CTL_CREATE, CTL_EOL); 5396 sysctl_createv(clog, 0, &node, NULL, 5397 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 5398 CTLTYPE_INT, "keepalive_timeout", 5399 SYSCTL_DESCR("keepalive timeout"), 5400 NULL, 0, &wg_keepalive_timeout, 0, CTL_CREATE, CTL_EOL); 5401 sysctl_createv(clog, 0, &node, NULL, 5402 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 5403 CTLTYPE_BOOL, "force_underload", 5404 SYSCTL_DESCR("force to detemine under load"), 5405 NULL, 0, &wg_force_underload, 0, CTL_CREATE, CTL_EOL); 5406 sysctl_createv(clog, 0, &node, NULL, 5407 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 5408 CTLTYPE_INT, "debug", 5409 SYSCTL_DESCR("set debug flags 1=log 2=trace 4=dump 8=packet"), 5410 NULL, 0, &wg_debug, 0, CTL_CREATE, CTL_EOL); 5411 } 5412 #endif 5413 5414 #ifdef WG_RUMPKERNEL 5415 static bool 5416 wg_user_mode(struct wg_softc *wg) 5417 { 5418 5419 return wg->wg_user != NULL; 5420 } 5421 5422 static int 5423 wg_ioctl_linkstr(struct wg_softc *wg, struct ifdrv *ifd) 5424 { 5425 struct ifnet *ifp = &wg->wg_if; 5426 int error; 5427 5428 if (ifp->if_flags & IFF_UP) 5429 return EBUSY; 5430 5431 if (ifd->ifd_cmd == IFLINKSTR_UNSET) { 5432 /* XXX do nothing */ 5433 return 0; 5434 } else if (ifd->ifd_cmd != 0) { 5435 return EINVAL; 5436 } else if (wg->wg_user != NULL) { 5437 return EBUSY; 5438 } 5439 5440 /* Assume \0 included */ 5441 if (ifd->ifd_len > IFNAMSIZ) { 5442 return E2BIG; 5443 } else if (ifd->ifd_len < 1) { 5444 return EINVAL; 5445 } 5446 5447 char tun_name[IFNAMSIZ]; 5448 error = copyinstr(ifd->ifd_data, tun_name, ifd->ifd_len, NULL); 5449 if (error != 0) 5450 return error; 5451 5452 if (strncmp(tun_name, "tun", 3) != 0) 5453 return EINVAL; 5454 5455 error = rumpuser_wg_create(tun_name, wg, &wg->wg_user); 5456 5457 return error; 5458 } 5459 5460 static int 5461 wg_send_user(struct wg_peer *wgp, struct mbuf *m, bool handshake) 5462 { 5463 int error; 5464 struct psref psref; 5465 struct wg_sockaddr *wgsa; 5466 struct wg_softc *wg = wgp->wgp_sc; 5467 struct iovec iov[1]; 5468 5469 wgsa = wg_get_endpoint_sa(wgp, &psref); 5470 5471 #ifdef WG_DEBUG_LOG 5472 if (handshake) { 5473 char addr[128]; 5474 sockaddr_format(wgsatosa(wgsa), addr, sizeof(addr)); 5475 WG_DLOG("send handshake msg to %s\n", addr); 5476 } 5477 #endif 5478 5479 iov[0].iov_base = mtod(m, void *); 5480 iov[0].iov_len = m->m_len; 5481 5482 /* Send messages to a peer via an ordinary socket. */ 5483 error = rumpuser_wg_send_peer(wg->wg_user, wgsatosa(wgsa), iov, 1); 5484 5485 wg_put_sa(wgp, wgsa, &psref); 5486 5487 m_freem(m); 5488 5489 return error; 5490 } 5491 5492 static int 5493 wg_send_hs_user(struct wg_peer *wgp, struct mbuf *m) 5494 { 5495 5496 return wg_send_user(wgp, m, /*handshake*/true); 5497 } 5498 5499 static int 5500 wg_send_data_user(struct wg_peer *wgp, struct mbuf *m) 5501 { 5502 5503 return wg_send_user(wgp, m, /*handshake*/false); 5504 } 5505 5506 static void 5507 wg_input_user(struct ifnet *ifp, struct mbuf *m, const int af) 5508 { 5509 struct wg_softc *wg = ifp->if_softc; 5510 struct iovec iov[2]; 5511 struct sockaddr_storage ss; 5512 5513 KASSERT(af == AF_INET || af == AF_INET6); 5514 5515 WG_TRACE(""); 5516 5517 switch (af) { 5518 #ifdef INET 5519 case AF_INET: { 5520 struct sockaddr_in *sin = (struct sockaddr_in *)&ss; 5521 struct ip *ip; 5522 5523 KASSERT(m->m_len >= sizeof(struct ip)); 5524 ip = mtod(m, struct ip *); 5525 sockaddr_in_init(sin, &ip->ip_dst, 0); 5526 break; 5527 } 5528 #endif 5529 #ifdef INET6 5530 case AF_INET6: { 5531 struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)&ss; 5532 struct ip6_hdr *ip6; 5533 5534 KASSERT(m->m_len >= sizeof(struct ip6_hdr)); 5535 ip6 = mtod(m, struct ip6_hdr *); 5536 sockaddr_in6_init(sin6, &ip6->ip6_dst, 0, 0, 0); 5537 break; 5538 } 5539 #endif 5540 default: 5541 goto out; 5542 } 5543 5544 iov[0].iov_base = &ss; 5545 iov[0].iov_len = ss.ss_len; 5546 iov[1].iov_base = mtod(m, void *); 5547 iov[1].iov_len = m->m_len; 5548 5549 WG_DUMP_BUF(iov[1].iov_base, iov[1].iov_len); 5550 5551 /* Send decrypted packets to users via a tun. */ 5552 rumpuser_wg_send_user(wg->wg_user, iov, 2); 5553 5554 out: m_freem(m); 5555 } 5556 5557 static int 5558 wg_bind_port_user(struct wg_softc *wg, const uint16_t port) 5559 { 5560 int error; 5561 uint16_t old_port = wg->wg_listen_port; 5562 5563 if (port != 0 && old_port == port) 5564 return 0; 5565 5566 error = rumpuser_wg_sock_bind(wg->wg_user, port); 5567 if (error) 5568 return error; 5569 5570 wg->wg_listen_port = port; 5571 return 0; 5572 } 5573 5574 /* 5575 * Receive user packets. 5576 */ 5577 void 5578 rumpkern_wg_recv_user(struct wg_softc *wg, struct iovec *iov, size_t iovlen) 5579 { 5580 struct ifnet *ifp = &wg->wg_if; 5581 struct mbuf *m; 5582 const struct sockaddr *dst; 5583 int error; 5584 5585 WG_TRACE(""); 5586 5587 dst = iov[0].iov_base; 5588 5589 m = m_gethdr(M_DONTWAIT, MT_DATA); 5590 if (m == NULL) 5591 return; 5592 m->m_len = m->m_pkthdr.len = 0; 5593 m_copyback(m, 0, iov[1].iov_len, iov[1].iov_base); 5594 5595 WG_DLOG("iov_len=%zu\n", iov[1].iov_len); 5596 WG_DUMP_BUF(iov[1].iov_base, iov[1].iov_len); 5597 5598 error = wg_output(ifp, m, dst, NULL); /* consumes m */ 5599 if (error) 5600 WG_DLOG("wg_output failed, error=%d\n", error); 5601 } 5602 5603 /* 5604 * Receive packets from a peer. 5605 */ 5606 void 5607 rumpkern_wg_recv_peer(struct wg_softc *wg, struct iovec *iov, size_t iovlen) 5608 { 5609 struct mbuf *m; 5610 const struct sockaddr *src; 5611 int bound; 5612 5613 WG_TRACE(""); 5614 5615 src = iov[0].iov_base; 5616 5617 m = m_gethdr(M_DONTWAIT, MT_DATA); 5618 if (m == NULL) 5619 return; 5620 m->m_len = m->m_pkthdr.len = 0; 5621 m_copyback(m, 0, iov[1].iov_len, iov[1].iov_base); 5622 5623 WG_DLOG("iov_len=%zu\n", iov[1].iov_len); 5624 WG_DUMP_BUF(iov[1].iov_base, iov[1].iov_len); 5625 5626 bound = curlwp_bind(); 5627 wg_handle_packet(wg, m, src); 5628 curlwp_bindx(bound); 5629 } 5630 #endif /* WG_RUMPKERNEL */ 5631 5632 /* 5633 * Module infrastructure 5634 */ 5635 #include "if_module.h" 5636 5637 IF_MODULE(MODULE_CLASS_DRIVER, wg, "sodium,blake2s") 5638