1 /*- 2 * SPDX-License-Identifier: ISC 3 * 4 * Copyright (C) 2015-2021 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved. 5 * Copyright (C) 2019-2021 Matt Dunwoodie <ncon@noconroy.net> 6 * Copyright (c) 2019-2020 Rubicon Communications, LLC (Netgate) 7 * Copyright (c) 2021 Kyle Evans <kevans@FreeBSD.org> 8 * Copyright (c) 2022 The FreeBSD Foundation 9 * Copyright (c) 2023-2024 Aaron LI <aly@aaronly.me> 10 * 11 * Permission to use, copy, modify, and distribute this software for any 12 * purpose with or without fee is hereby granted, provided that the above 13 * copyright notice and this permission notice appear in all copies. 14 * 15 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 16 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 17 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 18 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 19 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 20 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 21 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 22 */ 23 24 #include "opt_inet6.h" 25 26 #include <sys/param.h> 27 #include <sys/systm.h> 28 #include <sys/callout.h> 29 #include <sys/caps.h> 30 #include <sys/endian.h> 31 #include <sys/kernel.h> 32 #include <sys/lock.h> 33 #include <sys/malloc.h> 34 #include <sys/mbuf.h> 35 #include <sys/module.h> 36 #include <sys/objcache.h> 37 #include <sys/queue.h> 38 #include <sys/socket.h> 39 #include <sys/socketops.h> /* so_pru_*() functions */ 40 #include <sys/socketvar.h> 41 #include <sys/sockio.h> /* SIOC* ioctl commands */ 42 #include <sys/taskqueue.h> 43 #include <sys/time.h> 44 45 #include <machine/atomic.h> 46 47 #include <net/bpf.h> 48 #include <net/ethernet.h> /* ETHERMTU */ 49 #include <net/if.h> 50 #include <net/if_clone.h> 51 #include <net/if_types.h> /* IFT_WIREGUARD */ 52 #include <net/if_var.h> 53 #include <net/ifq_var.h> 54 #include <net/netisr.h> 55 #include <net/radix.h> 56 #include <net/route.h> /* struct rtentry */ 57 58 #include <netinet/in.h> 59 #include <netinet/ip.h> 60 #include <netinet/ip_icmp.h> 61 #include <netinet/ip6.h> 62 #include <netinet/icmp6.h> 63 #include <netinet6/in6_var.h> /* in6_mask2len() */ 64 #include <netinet6/nd6.h> /* ND_IFINFO() */ 65 66 #include "wg_cookie.h" 67 #include "wg_noise.h" 68 #include "if_wg.h" 69 70 CTASSERT(WG_KEY_SIZE >= NOISE_PUBLIC_KEY_LEN); 71 CTASSERT(WG_KEY_SIZE >= NOISE_SYMMETRIC_KEY_LEN); 72 73 #define DEFAULT_MTU (ETHERMTU - 80) 74 #define MAX_MTU (IF_MAXMTU - 80) 75 76 #ifndef ENOKEY 77 #define ENOKEY ENOENT 78 #endif 79 80 /* 81 * mbuf flags to clear after in-place encryption/decryption, so that the 82 * mbuf can be reused for re-entering the network stack or delivering to 83 * the remote peer. 84 * 85 * For example, the M_HASH and M_LENCHECKED flags must be cleared for an 86 * inbound packet; otherwise, panic is to be expected. 
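 *
 * The clearing itself is a one-liner in wg_deliver_{in,out}() below:
 *	m->m_flags &= ~MBUF_CLEARFLAGS;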
87 */ 88 #define MBUF_CLEARFLAGS (M_COPYFLAGS & ~(M_PKTHDR | M_EOR | M_PRIO)) 89 90 #define MAX_LOOPS 8 /* 0 means no loop allowed */ 91 #define MTAG_WGLOOP 0x77676c70 /* wglp; cookie for loop check */ 92 93 #define MAX_STAGED_PKT 128 94 #define MAX_QUEUED_PKT 1024 95 #define MAX_QUEUED_PKT_MASK (MAX_QUEUED_PKT - 1) 96 #define MAX_QUEUED_HANDSHAKES 4096 97 98 #define REKEY_TIMEOUT_JITTER (karc4random() % 334) /* msec */ 99 #define MAX_TIMER_HANDSHAKES (90 / REKEY_TIMEOUT) 100 #define NEW_HANDSHAKE_TIMEOUT (REKEY_TIMEOUT + KEEPALIVE_TIMEOUT) 101 #define UNDERLOAD_TIMEOUT 1 102 103 /* First byte indicating packet type on the wire */ 104 #define WG_PKT_INITIATION htole32(1) 105 #define WG_PKT_RESPONSE htole32(2) 106 #define WG_PKT_COOKIE htole32(3) 107 #define WG_PKT_DATA htole32(4) 108 109 #define WG_PKT_PADDING 16 110 #define WG_PKT_WITH_PADDING(n) \ 111 (((n) + (WG_PKT_PADDING - 1)) & ~(WG_PKT_PADDING - 1)) 112 #define WG_PKT_ENCRYPTED_LEN(n) \ 113 (offsetof(struct wg_pkt_data, buf[(n)]) + NOISE_AUTHTAG_LEN) 114 #define WG_PKT_IS_INITIATION(m) \ 115 (*mtod((m), uint32_t *) == WG_PKT_INITIATION && \ 116 (size_t)(m)->m_pkthdr.len == sizeof(struct wg_pkt_initiation)) 117 #define WG_PKT_IS_RESPONSE(m) \ 118 (*mtod((m), uint32_t *) == WG_PKT_RESPONSE && \ 119 (size_t)(m)->m_pkthdr.len == sizeof(struct wg_pkt_response)) 120 #define WG_PKT_IS_COOKIE(m) \ 121 (*mtod((m), uint32_t *) == WG_PKT_COOKIE && \ 122 (size_t)(m)->m_pkthdr.len == sizeof(struct wg_pkt_cookie)) 123 #define WG_PKT_IS_DATA(m) \ 124 (*mtod((m), uint32_t *) == WG_PKT_DATA && \ 125 (size_t)(m)->m_pkthdr.len >= WG_PKT_ENCRYPTED_LEN(0)) 126 127 128 #define DPRINTF(sc, fmt, ...) \ 129 if (sc->sc_ifp->if_flags & IFF_DEBUG) \ 130 if_printf(sc->sc_ifp, fmt, ##__VA_ARGS__) 131 132 133 struct wg_pkt_initiation { 134 uint32_t t; 135 uint32_t s_idx; 136 uint8_t ue[NOISE_PUBLIC_KEY_LEN]; 137 uint8_t es[NOISE_PUBLIC_KEY_LEN + NOISE_AUTHTAG_LEN]; 138 uint8_t ets[NOISE_TIMESTAMP_LEN + NOISE_AUTHTAG_LEN]; 139 struct cookie_macs m; 140 }; 141 142 struct wg_pkt_response { 143 uint32_t t; 144 uint32_t s_idx; 145 uint32_t r_idx; 146 uint8_t ue[NOISE_PUBLIC_KEY_LEN]; 147 uint8_t en[0 + NOISE_AUTHTAG_LEN]; 148 struct cookie_macs m; 149 }; 150 151 struct wg_pkt_cookie { 152 uint32_t t; 153 uint32_t r_idx; 154 uint8_t nonce[COOKIE_NONCE_SIZE]; 155 uint8_t ec[COOKIE_ENCRYPTED_SIZE]; 156 }; 157 158 struct wg_pkt_data { 159 uint32_t t; 160 uint32_t r_idx; 161 uint64_t counter; 162 uint8_t buf[]; 163 }; 164 165 struct wg_endpoint { 166 union { 167 struct sockaddr r_sa; 168 struct sockaddr_in r_sin; 169 #ifdef INET6 170 struct sockaddr_in6 r_sin6; 171 #endif 172 } e_remote; 173 /* 174 * NOTE: No 'e_local' on DragonFly, because the socket upcall 175 * and so_pru_soreceive() cannot provide the local 176 * (i.e., destination) address of a received packet. 
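	 *       As a result, replies are sent from whatever local address
	 *       the routing code selects, which may be visible on
	 *       multi-homed hosts.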
177 */ 178 }; 179 180 struct aip_addr { 181 uint8_t length; /* required by the radix code */ 182 union { 183 uint8_t bytes[16]; 184 uint32_t ip; 185 uint32_t ip6[4]; 186 struct in_addr in; 187 struct in6_addr in6; 188 }; 189 }; 190 191 struct wg_aip { 192 struct radix_node a_nodes[2]; /* make the first for casting */ 193 LIST_ENTRY(wg_aip) a_entry; 194 struct aip_addr a_addr; 195 struct aip_addr a_mask; 196 struct wg_peer *a_peer; 197 sa_family_t a_af; 198 }; 199 200 enum wg_packet_state { 201 WG_PACKET_DEAD, /* to be dropped */ 202 WG_PACKET_UNCRYPTED, /* before encryption/decryption */ 203 WG_PACKET_CRYPTED, /* after encryption/decryption */ 204 }; 205 206 struct wg_packet { 207 STAILQ_ENTRY(wg_packet) p_serial; 208 STAILQ_ENTRY(wg_packet) p_parallel; 209 struct wg_endpoint p_endpoint; 210 struct noise_keypair *p_keypair; 211 uint64_t p_counter; 212 struct mbuf *p_mbuf; 213 int p_mtu; 214 sa_family_t p_af; 215 unsigned int p_state; /* atomic */ 216 }; 217 218 STAILQ_HEAD(wg_packet_list, wg_packet); 219 220 struct wg_queue { 221 struct lock q_mtx; 222 struct wg_packet_list q_queue; 223 size_t q_len; 224 }; 225 226 struct wg_peer { 227 TAILQ_ENTRY(wg_peer) p_entry; 228 unsigned long p_id; 229 struct wg_softc *p_sc; 230 231 char p_description[WG_PEER_DESCR_SIZE]; 232 233 struct noise_remote *p_remote; 234 struct cookie_maker *p_cookie; 235 236 struct lock p_endpoint_lock; 237 struct wg_endpoint p_endpoint; 238 239 struct wg_queue p_stage_queue; 240 struct wg_queue p_encrypt_serial; 241 struct wg_queue p_decrypt_serial; 242 243 bool p_enabled; 244 bool p_need_another_keepalive; 245 uint16_t p_persistent_keepalive_interval; 246 struct callout p_new_handshake; 247 struct callout p_send_keepalive; 248 struct callout p_retry_handshake; 249 struct callout p_zero_key_material; 250 struct callout p_persistent_keepalive; 251 252 struct lock p_handshake_mtx; 253 struct timespec p_handshake_complete; /* nanotime */ 254 int p_handshake_retries; 255 256 struct task p_send_task; 257 struct task p_recv_task; 258 struct taskqueue *p_send_taskqueue; 259 struct taskqueue *p_recv_taskqueue; 260 261 uint64_t *p_tx_bytes; 262 uint64_t *p_rx_bytes; 263 264 LIST_HEAD(, wg_aip) p_aips; 265 size_t p_aips_num; 266 }; 267 268 struct wg_socket { 269 struct lock so_lock; 270 struct socket *so_so4; 271 struct socket *so_so6; 272 uint32_t so_user_cookie; 273 in_port_t so_port; 274 }; 275 276 struct wg_softc { 277 LIST_ENTRY(wg_softc) sc_entry; 278 struct ifnet *sc_ifp; 279 int sc_flags; 280 281 struct wg_socket sc_socket; 282 283 TAILQ_HEAD(, wg_peer) sc_peers; 284 size_t sc_peers_num; 285 286 struct noise_local *sc_local; 287 struct cookie_checker *sc_cookie; 288 289 struct lock sc_aip_lock; 290 struct radix_node_head *sc_aip4; 291 struct radix_node_head *sc_aip6; 292 293 struct taskqueue *sc_handshake_taskqueue; 294 struct task sc_handshake_task; 295 struct wg_queue sc_handshake_queue; 296 297 struct task *sc_encrypt_tasks; /* one per CPU */ 298 struct task *sc_decrypt_tasks; /* one per CPU */ 299 struct wg_queue sc_encrypt_parallel; 300 struct wg_queue sc_decrypt_parallel; 301 int sc_encrypt_last_cpu; 302 int sc_decrypt_last_cpu; 303 304 struct lock sc_lock; 305 }; 306 307 308 static MALLOC_DEFINE(M_WG, "WG", "wireguard"); 309 static MALLOC_DEFINE(M_WG_PACKET, "WG packet", "wireguard packet"); 310 311 static const char wgname[] = "wg"; 312 313 static struct objcache *wg_packet_zone; 314 static struct lock wg_mtx; 315 static struct taskqueue **wg_taskqueues; /* one taskqueue per CPU */ 316 static struct radix_node_head 
		*wg_maskhead;	/* shared by all interfaces */
static LIST_HEAD(, wg_softc)	wg_list = LIST_HEAD_INITIALIZER(wg_list);


/* Timers */
static void	wg_timers_enable(struct wg_peer *);
static void	wg_timers_disable(struct wg_peer *);

/* Allowed IP */
static int	wg_aip_add(struct wg_softc *, struct wg_peer *, sa_family_t,
			   const void *, uint8_t);
static struct wg_peer *
		wg_aip_lookup(struct wg_softc *, sa_family_t, const void *);
static void	wg_aip_remove_all(struct wg_softc *, struct wg_peer *);

/* Handshake */
static void	wg_send_initiation(struct wg_peer *);
static void	wg_send_response(struct wg_peer *);
static void	wg_send_cookie(struct wg_softc *, struct cookie_macs *,
			       uint32_t, struct wg_endpoint *);
static void	wg_send_keepalive(struct wg_peer *);

/* Transport Packet Functions */
static void	wg_peer_send_staged(struct wg_peer *);
static void	wg_deliver_out(void *, int);
static void	wg_deliver_in(void *, int);
static void	wg_upcall(struct socket *, void *, int);

/*----------------------------------------------------------------------------*/
/* Packet */

static struct wg_packet *
wg_packet_alloc(struct mbuf *m)
{
	struct wg_packet *pkt;

	if ((pkt = objcache_get(wg_packet_zone, M_NOWAIT)) == NULL)
		return (NULL);

	bzero(pkt, sizeof(*pkt)); /* objcache_get() doesn't ensure M_ZERO. */
	pkt->p_mbuf = m;

	return (pkt);
}

static void
wg_packet_free(struct wg_packet *pkt)
{
	if (pkt->p_keypair != NULL)
		noise_keypair_put(pkt->p_keypair);
	if (pkt->p_mbuf != NULL)
		m_freem(pkt->p_mbuf);
	objcache_put(wg_packet_zone, pkt);
}

/*----------------------------------------------------------------------------*/
/*
 * Packet Queue Functions
 *
 * WireGuard uses the following queues:
 * - per-interface handshake queue: tracks incoming handshake packets
 * - per-peer staged queue: tracks the outgoing packets to be sent to that peer
 * - per-interface parallel encrypt and decrypt queues
 * - per-peer serial encrypt and decrypt queues
 *
 * For one interface, the handshake packets are only tracked in the handshake
 * queue and are processed in serial.  However, all data packets are tracked
 * in two queues: a serial queue and a parallel queue.  Specifically, the
 * outgoing packets (from the staged queue) will be queued in both the
 * parallel encrypt and the serial encrypt queues; the incoming packets will
 * be queued in both the parallel decrypt and the serial decrypt queues.
 *
 * - The parallel queues are used to distribute the encryption/decryption work
 *   across all CPUs.  The per-CPU wg_{encrypt,decrypt}_worker() work on the
 *   parallel queues.
 * - The serial queues ensure that packets are not reordered and are
 *   delivered in sequence for each peer.  The per-peer wg_deliver_{in,out}()
 *   work on the serial queues.
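 *
 * A rough sketch of the outgoing path (the incoming path is symmetric,
 * using the decrypt queues, wg_decrypt_worker() and wg_deliver_in()):
 *
 *   wg_peer_send_staged(peer)
 *    -> wg_queue_both(&sc->sc_encrypt_parallel, &peer->p_encrypt_serial, pkt)
 *    -> wg_encrypt_dispatch(sc)    ... some CPU runs wg_encrypt_worker()
 *    -> wg_encrypt(sc, pkt)        ... marks the packet CRYPTED (or DEAD)
 *    -> wg_deliver_out(peer)       ... dequeues in order and calls wg_send()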
 */

static void	wg_queue_purge(struct wg_queue *);

static void
wg_queue_init(struct wg_queue *queue, const char *name)
{
	lockinit(&queue->q_mtx, name, 0, 0);
	STAILQ_INIT(&queue->q_queue);
	queue->q_len = 0;
}

static void
wg_queue_deinit(struct wg_queue *queue)
{
	wg_queue_purge(queue);
	lockuninit(&queue->q_mtx);
}

static size_t
wg_queue_len(const struct wg_queue *queue)
{
	return (queue->q_len);
}

static bool
wg_queue_enqueue_handshake(struct wg_queue *hs, struct wg_packet *pkt)
{
	bool ok = false;

	lockmgr(&hs->q_mtx, LK_EXCLUSIVE);
	if (hs->q_len < MAX_QUEUED_HANDSHAKES) {
		STAILQ_INSERT_TAIL(&hs->q_queue, pkt, p_parallel);
		hs->q_len++;
		ok = true;
	}
	lockmgr(&hs->q_mtx, LK_RELEASE);

	if (!ok)
		wg_packet_free(pkt);

	return (ok);
}

static struct wg_packet *
wg_queue_dequeue_handshake(struct wg_queue *hs)
{
	struct wg_packet *pkt;

	lockmgr(&hs->q_mtx, LK_EXCLUSIVE);
	pkt = STAILQ_FIRST(&hs->q_queue);
	if (pkt != NULL) {
		STAILQ_REMOVE_HEAD(&hs->q_queue, p_parallel);
		hs->q_len--;
	}
	lockmgr(&hs->q_mtx, LK_RELEASE);

	return (pkt);
}

static void
wg_queue_push_staged(struct wg_queue *staged, struct wg_packet *pkt)
{
	struct wg_packet *old = NULL;

	lockmgr(&staged->q_mtx, LK_EXCLUSIVE);
	if (staged->q_len >= MAX_STAGED_PKT) {
		old = STAILQ_FIRST(&staged->q_queue);
		STAILQ_REMOVE_HEAD(&staged->q_queue, p_parallel);
		staged->q_len--;
	}
	STAILQ_INSERT_TAIL(&staged->q_queue, pkt, p_parallel);
	staged->q_len++;
	lockmgr(&staged->q_mtx, LK_RELEASE);

	if (old != NULL)
		wg_packet_free(old);
}

static void
wg_queue_enlist_staged(struct wg_queue *staged, struct wg_packet_list *list)
{
	struct wg_packet *pkt, *tpkt;

	STAILQ_FOREACH_MUTABLE(pkt, list, p_parallel, tpkt)
		wg_queue_push_staged(staged, pkt);
	STAILQ_INIT(list);
}

static void
wg_queue_delist_staged(struct wg_queue *staged, struct wg_packet_list *list)
{
	STAILQ_INIT(list);
	lockmgr(&staged->q_mtx, LK_EXCLUSIVE);
	STAILQ_CONCAT(list, &staged->q_queue);
	staged->q_len = 0;
	lockmgr(&staged->q_mtx, LK_RELEASE);
}

static void
wg_queue_purge(struct wg_queue *staged)
{
	struct wg_packet_list list;
	struct wg_packet *pkt, *tpkt;

	wg_queue_delist_staged(staged, &list);
	STAILQ_FOREACH_MUTABLE(pkt, &list, p_parallel, tpkt)
		wg_packet_free(pkt);
}

static bool
wg_queue_both(struct wg_queue *parallel, struct wg_queue *serial,
	      struct wg_packet *pkt)
{
	pkt->p_state = WG_PACKET_UNCRYPTED;

	lockmgr(&serial->q_mtx, LK_EXCLUSIVE);
	if (serial->q_len < MAX_QUEUED_PKT) {
		serial->q_len++;
		STAILQ_INSERT_TAIL(&serial->q_queue, pkt, p_serial);
	} else {
		lockmgr(&serial->q_mtx, LK_RELEASE);
		wg_packet_free(pkt);
		return (false);
	}
	lockmgr(&serial->q_mtx, LK_RELEASE);

	lockmgr(&parallel->q_mtx, LK_EXCLUSIVE);
	if (parallel->q_len < MAX_QUEUED_PKT) {
		parallel->q_len++;
		STAILQ_INSERT_TAIL(&parallel->q_queue, pkt, p_parallel);
	} else {
		lockmgr(&parallel->q_mtx, LK_RELEASE);
		/*
		 * Cannot just free the packet because it's already queued
		 * in the serial queue.  Instead, set its state to DEAD and
		 * let the serial worker free it.
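		 * (wg_queue_dequeue_serial() dequeues both CRYPTED and DEAD
		 * packets, and wg_deliver_{in,out}() then free the DEAD
		 * ones.)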
		 */
		pkt->p_state = WG_PACKET_DEAD;
		return (false);
	}
	lockmgr(&parallel->q_mtx, LK_RELEASE);

	return (true);
}

static struct wg_packet *
wg_queue_dequeue_serial(struct wg_queue *serial)
{
	struct wg_packet *pkt = NULL;

	lockmgr(&serial->q_mtx, LK_EXCLUSIVE);
	if (serial->q_len > 0 &&
	    STAILQ_FIRST(&serial->q_queue)->p_state != WG_PACKET_UNCRYPTED) {
		/*
		 * Dequeue both CRYPTED packets (to be delivered) and
		 * DEAD packets (to be freed).
		 */
		serial->q_len--;
		pkt = STAILQ_FIRST(&serial->q_queue);
		STAILQ_REMOVE_HEAD(&serial->q_queue, p_serial);
	}
	lockmgr(&serial->q_mtx, LK_RELEASE);

	return (pkt);
}

static struct wg_packet *
wg_queue_dequeue_parallel(struct wg_queue *parallel)
{
	struct wg_packet *pkt = NULL;

	lockmgr(&parallel->q_mtx, LK_EXCLUSIVE);
	if (parallel->q_len > 0) {
		parallel->q_len--;
		pkt = STAILQ_FIRST(&parallel->q_queue);
		STAILQ_REMOVE_HEAD(&parallel->q_queue, p_parallel);
	}
	lockmgr(&parallel->q_mtx, LK_RELEASE);

	return (pkt);
}

/*----------------------------------------------------------------------------*/
/* Peer */

static struct wg_peer *
wg_peer_create(struct wg_softc *sc, const uint8_t pub_key[WG_KEY_SIZE])
{
	static unsigned long peer_counter = 0;
	struct wg_peer *peer;

	KKASSERT(lockstatus(&sc->sc_lock, curthread) == LK_EXCLUSIVE);

	peer = kmalloc(sizeof(*peer), M_WG, M_WAITOK | M_ZERO);

	peer->p_remote = noise_remote_alloc(sc->sc_local, pub_key, peer);
	if (noise_remote_enable(peer->p_remote) != 0) {
		kfree(peer, M_WG);
		return (NULL);
	}

	peer->p_cookie = cookie_maker_alloc(pub_key);

	peer->p_id = ++peer_counter;
	peer->p_sc = sc;
	peer->p_tx_bytes = kmalloc(sizeof(*peer->p_tx_bytes) * ncpus,
				   M_WG, M_WAITOK | M_ZERO);
	peer->p_rx_bytes = kmalloc(sizeof(*peer->p_rx_bytes) * ncpus,
				   M_WG, M_WAITOK | M_ZERO);

	lockinit(&peer->p_endpoint_lock, "wg_peer_endpoint", 0, 0);
	lockinit(&peer->p_handshake_mtx, "wg_peer_handshake", 0, 0);

	wg_queue_init(&peer->p_stage_queue, "stageq");
	wg_queue_init(&peer->p_encrypt_serial, "txq");
	wg_queue_init(&peer->p_decrypt_serial, "rxq");

	callout_init_mp(&peer->p_new_handshake);
	callout_init_mp(&peer->p_send_keepalive);
	callout_init_mp(&peer->p_retry_handshake);
	callout_init_mp(&peer->p_persistent_keepalive);
	callout_init_mp(&peer->p_zero_key_material);

	TASK_INIT(&peer->p_send_task, 0, wg_deliver_out, peer);
	TASK_INIT(&peer->p_recv_task, 0, wg_deliver_in, peer);

	/* Randomly choose the taskqueues to distribute the load. */
	peer->p_send_taskqueue = wg_taskqueues[karc4random() % ncpus];
	peer->p_recv_taskqueue = wg_taskqueues[karc4random() % ncpus];

	LIST_INIT(&peer->p_aips);

	TAILQ_INSERT_TAIL(&sc->sc_peers, peer, p_entry);
	sc->sc_peers_num++;

	if (sc->sc_ifp->if_link_state == LINK_STATE_UP)
		wg_timers_enable(peer);

	DPRINTF(sc, "Peer %ld created\n", peer->p_id);
	return (peer);
}

static void
wg_peer_destroy(struct wg_peer *peer)
{
	struct wg_softc *sc = peer->p_sc;

	KKASSERT(lockstatus(&sc->sc_lock, curthread) == LK_EXCLUSIVE);

	/*
	 * Disable remote and timers.  This will prevent any new handshakes
	 * from occurring.
647 */ 648 noise_remote_disable(peer->p_remote); 649 wg_timers_disable(peer); 650 651 /* 652 * Remove all allowed IPs, so no more packets will be routed to 653 * this peer. 654 */ 655 wg_aip_remove_all(sc, peer); 656 657 /* Remove peer from the interface, then free. */ 658 sc->sc_peers_num--; 659 TAILQ_REMOVE(&sc->sc_peers, peer, p_entry); 660 661 /* 662 * While there are no references remaining, we may still have 663 * p_{send,recv}_task executing (think empty queue, but 664 * wg_deliver_{in,out} needs to check the queue). We should wait 665 * for them and then free. 666 */ 667 taskqueue_drain(peer->p_recv_taskqueue, &peer->p_recv_task); 668 taskqueue_drain(peer->p_send_taskqueue, &peer->p_send_task); 669 670 wg_queue_deinit(&peer->p_decrypt_serial); 671 wg_queue_deinit(&peer->p_encrypt_serial); 672 wg_queue_deinit(&peer->p_stage_queue); 673 674 kfree(peer->p_tx_bytes, M_WG); 675 kfree(peer->p_rx_bytes, M_WG); 676 677 lockuninit(&peer->p_endpoint_lock); 678 lockuninit(&peer->p_handshake_mtx); 679 680 noise_remote_free(peer->p_remote); 681 cookie_maker_free(peer->p_cookie); 682 683 DPRINTF(sc, "Peer %ld destroyed\n", peer->p_id); 684 kfree(peer, M_WG); 685 } 686 687 static void 688 wg_peer_destroy_all(struct wg_softc *sc) 689 { 690 struct wg_peer *peer, *tpeer; 691 692 TAILQ_FOREACH_MUTABLE(peer, &sc->sc_peers, p_entry, tpeer) 693 wg_peer_destroy(peer); 694 } 695 696 static int 697 wg_peer_set_sockaddr(struct wg_peer *peer, const struct sockaddr *remote) 698 { 699 int ret = 0; 700 701 lockmgr(&peer->p_endpoint_lock, LK_EXCLUSIVE); 702 703 memcpy(&peer->p_endpoint.e_remote, remote, 704 sizeof(peer->p_endpoint.e_remote)); 705 if (remote->sa_family == AF_INET) 706 memcpy(&peer->p_endpoint.e_remote.r_sin, remote, 707 sizeof(peer->p_endpoint.e_remote.r_sin)); 708 #ifdef INET6 709 else if (remote->sa_family == AF_INET6) 710 memcpy(&peer->p_endpoint.e_remote.r_sin6, remote, 711 sizeof(peer->p_endpoint.e_remote.r_sin6)); 712 #endif 713 else 714 ret = EAFNOSUPPORT; 715 716 /* No 'e_local' to clear on DragonFly. 
*/ 717 718 lockmgr(&peer->p_endpoint_lock, LK_RELEASE); 719 return (ret); 720 } 721 722 static int 723 wg_peer_get_sockaddr(struct wg_peer *peer, struct sockaddr *remote) 724 { 725 int ret = ENOENT; 726 727 lockmgr(&peer->p_endpoint_lock, LK_SHARED); 728 if (peer->p_endpoint.e_remote.r_sa.sa_family != AF_UNSPEC) { 729 memcpy(remote, &peer->p_endpoint.e_remote, 730 sizeof(peer->p_endpoint.e_remote)); 731 ret = 0; 732 } 733 lockmgr(&peer->p_endpoint_lock, LK_RELEASE); 734 return (ret); 735 } 736 737 static void 738 wg_peer_set_endpoint(struct wg_peer *peer, const struct wg_endpoint *e) 739 { 740 KKASSERT(e->e_remote.r_sa.sa_family != AF_UNSPEC); 741 742 if (__predict_true(memcmp(e, &peer->p_endpoint, sizeof(*e)) == 0)) 743 return; 744 745 lockmgr(&peer->p_endpoint_lock, LK_EXCLUSIVE); 746 peer->p_endpoint = *e; 747 lockmgr(&peer->p_endpoint_lock, LK_RELEASE); 748 } 749 750 static void 751 wg_peer_get_endpoint(struct wg_peer *peer, struct wg_endpoint *e) 752 { 753 if (__predict_true(memcmp(e, &peer->p_endpoint, sizeof(*e)) == 0)) 754 return; 755 756 lockmgr(&peer->p_endpoint_lock, LK_SHARED); 757 *e = peer->p_endpoint; 758 lockmgr(&peer->p_endpoint_lock, LK_RELEASE); 759 } 760 761 /*----------------------------------------------------------------------------*/ 762 /* Allowed IP */ 763 764 static int 765 wg_aip_add(struct wg_softc *sc, struct wg_peer *peer, sa_family_t af, 766 const void *addr, uint8_t cidr) 767 { 768 struct radix_node_head *head; 769 struct radix_node *node; 770 struct wg_aip *aip; 771 int ret = 0; 772 773 aip = kmalloc(sizeof(*aip), M_WG, M_WAITOK | M_ZERO); 774 aip->a_peer = peer; 775 aip->a_af = af; 776 777 switch (af) { 778 case AF_INET: 779 if (cidr > 32) 780 cidr = 32; 781 head = sc->sc_aip4; 782 aip->a_addr.in = *(const struct in_addr *)addr; 783 aip->a_mask.ip = 784 htonl(~((1LL << (32 - cidr)) - 1) & 0xffffffff); 785 aip->a_addr.ip &= aip->a_mask.ip; 786 aip->a_addr.length = aip->a_mask.length = 787 offsetof(struct aip_addr, in) + sizeof(struct in_addr); 788 break; 789 #ifdef INET6 790 case AF_INET6: 791 { 792 int i; 793 794 if (cidr > 128) 795 cidr = 128; 796 head = sc->sc_aip6; 797 aip->a_addr.in6 = *(const struct in6_addr *)addr; 798 in6_prefixlen2mask(&aip->a_mask.in6, cidr); 799 for (i = 0; i < 4; i++) 800 aip->a_addr.ip6[i] &= aip->a_mask.ip6[i]; 801 aip->a_addr.length = aip->a_mask.length = 802 offsetof(struct aip_addr, in6) + sizeof(struct in6_addr); 803 break; 804 } 805 #endif 806 default: 807 kfree(aip, M_WG); 808 return (EAFNOSUPPORT); 809 } 810 811 lockmgr(&sc->sc_aip_lock, LK_EXCLUSIVE); 812 node = head->rnh_addaddr(&aip->a_addr, &aip->a_mask, head, 813 aip->a_nodes); 814 if (node != NULL) { 815 KKASSERT(node == aip->a_nodes); 816 LIST_INSERT_HEAD(&peer->p_aips, aip, a_entry); 817 peer->p_aips_num++; 818 } else { 819 /* 820 * Two possibilities: 821 * - out of memory failure 822 * - entry already exists 823 */ 824 node = head->rnh_lookup(&aip->a_addr, &aip->a_mask, head); 825 if (node == NULL) { 826 kfree(aip, M_WG); 827 ret = ENOMEM; 828 } else { 829 KKASSERT(node != aip->a_nodes); 830 kfree(aip, M_WG); 831 aip = (struct wg_aip *)node; 832 if (aip->a_peer != peer) { 833 /* Replace the peer. 
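				 * The existing radix node is kept and simply
				 * re-pointed at the new peer, moving it from
				 * the old peer's p_aips list to the new one's.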
*/ 834 LIST_REMOVE(aip, a_entry); 835 aip->a_peer->p_aips_num--; 836 aip->a_peer = peer; 837 LIST_INSERT_HEAD(&peer->p_aips, aip, a_entry); 838 aip->a_peer->p_aips_num++; 839 } 840 } 841 } 842 lockmgr(&sc->sc_aip_lock, LK_RELEASE); 843 844 return (ret); 845 } 846 847 static struct wg_peer * 848 wg_aip_lookup(struct wg_softc *sc, sa_family_t af, const void *a) 849 { 850 struct radix_node_head *head; 851 struct radix_node *node; 852 struct wg_peer *peer; 853 struct aip_addr addr; 854 855 switch (af) { 856 case AF_INET: 857 head = sc->sc_aip4; 858 memcpy(&addr.in, a, sizeof(addr.in)); 859 addr.length = offsetof(struct aip_addr, in) + sizeof(addr.in); 860 break; 861 case AF_INET6: 862 head = sc->sc_aip6; 863 memcpy(&addr.in6, a, sizeof(addr.in6)); 864 addr.length = offsetof(struct aip_addr, in6) + sizeof(addr.in6); 865 break; 866 default: 867 return (NULL); 868 } 869 870 lockmgr(&sc->sc_aip_lock, LK_SHARED); 871 node = head->rnh_matchaddr(&addr, head); 872 if (node != NULL) { 873 peer = ((struct wg_aip *)node)->a_peer; 874 noise_remote_ref(peer->p_remote); 875 } else { 876 peer = NULL; 877 } 878 lockmgr(&sc->sc_aip_lock, LK_RELEASE); 879 880 return (peer); 881 } 882 883 static void 884 wg_aip_remove_all(struct wg_softc *sc, struct wg_peer *peer) 885 { 886 struct radix_node_head *head; 887 struct radix_node *node; 888 struct wg_aip *aip, *taip; 889 890 lockmgr(&sc->sc_aip_lock, LK_EXCLUSIVE); 891 892 LIST_FOREACH_MUTABLE(aip, &peer->p_aips, a_entry, taip) { 893 switch (aip->a_af) { 894 case AF_INET: 895 head = sc->sc_aip4; 896 break; 897 case AF_INET6: 898 head = sc->sc_aip6; 899 break; 900 default: 901 panic("%s: impossible aip %p", __func__, aip); 902 } 903 node = head->rnh_deladdr(&aip->a_addr, &aip->a_mask, head); 904 if (node == NULL) 905 panic("%s: failed to delete aip %p", __func__, aip); 906 LIST_REMOVE(aip, a_entry); 907 peer->p_aips_num--; 908 kfree(aip, M_WG); 909 } 910 911 if (!LIST_EMPTY(&peer->p_aips) || peer->p_aips_num != 0) 912 panic("%s: could not delete all aips for peer %ld", 913 __func__, peer->p_id); 914 915 lockmgr(&sc->sc_aip_lock, LK_RELEASE); 916 } 917 918 /*----------------------------------------------------------------------------*/ 919 /* Socket */ 920 921 static int wg_socket_open(struct socket **, sa_family_t, in_port_t *, 922 void *); 923 static int wg_socket_set_sockopt(struct socket *, struct socket *, 924 int, void *, size_t); 925 926 static int 927 wg_socket_init(struct wg_softc *sc, in_port_t port) 928 { 929 struct wg_socket *so = &sc->sc_socket; 930 struct socket *so4 = NULL, *so6 = NULL; 931 in_port_t bound_port = port; 932 uint32_t cookie; 933 int ret; 934 935 /* 936 * When a host or a jail doesn't support the AF, sobind() would 937 * return EADDRNOTAVAIL. Handle this case in order to support such 938 * IPv4-only or IPv6-only environments. 939 * 940 * However, in a dual-stack environment, both IPv4 and IPv6 sockets 941 * must bind the same port. 
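	 *
	 * To that end, 'bound_port' is passed to both wg_socket_open()
	 * calls below: when 'port' is 0, the first socket to bind
	 * successfully picks an ephemeral port and wg_socket_open() writes
	 * it back, so the other socket binds the same number.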
942 */ 943 ret = wg_socket_open(&so4, AF_INET, &bound_port, sc); 944 if (ret != 0 && ret != EADDRNOTAVAIL) 945 goto error; 946 947 #ifdef INET6 948 ret = wg_socket_open(&so6, AF_INET6, &bound_port, sc); 949 if (ret != 0 && ret != EADDRNOTAVAIL) 950 goto error; 951 #endif 952 953 if (so4 == NULL && so6 == NULL) { 954 ret = EAFNOSUPPORT; 955 goto error; 956 } 957 958 cookie = so->so_user_cookie; 959 if (cookie != 0) { 960 ret = wg_socket_set_sockopt(so4, so6, SO_USER_COOKIE, 961 &cookie, sizeof(cookie)); 962 if (ret != 0) 963 goto error; 964 } 965 966 KKASSERT(lockstatus(&sc->sc_lock, curthread) == LK_EXCLUSIVE); 967 968 lockinit(&so->so_lock, "wg socket lock", 0, 0); 969 970 if (so->so_so4 != NULL) 971 soclose(so->so_so4, 0); 972 if (so->so_so6 != NULL) 973 soclose(so->so_so6, 0); 974 so->so_so4 = so4; 975 so->so_so6 = so6; 976 so->so_port = bound_port; 977 978 return (0); 979 980 error: 981 if (so4 != NULL) 982 soclose(so4, 0); 983 if (so6 != NULL) 984 soclose(so6, 0); 985 return (ret); 986 } 987 988 static int 989 wg_socket_open(struct socket **so, sa_family_t af, in_port_t *port, 990 void *upcall_arg) 991 { 992 struct sockaddr_in sin; 993 #ifdef INET6 994 struct sockaddr_in6 sin6; 995 #endif 996 struct sockaddr *sa, *bound_sa; 997 int ret; 998 999 if (af == AF_INET) { 1000 bzero(&sin, sizeof(sin)); 1001 sin.sin_len = sizeof(struct sockaddr_in); 1002 sin.sin_family = AF_INET; 1003 sin.sin_port = htons(*port); 1004 sa = sintosa(&sin); 1005 #ifdef INET6 1006 } else if (af == AF_INET6) { 1007 bzero(&sin6, sizeof(sin6)); 1008 sin6.sin6_len = sizeof(struct sockaddr_in6); 1009 sin6.sin6_family = AF_INET6; 1010 sin6.sin6_port = htons(*port); 1011 sa = sintosa(&sin6); 1012 #endif 1013 } else { 1014 return (EAFNOSUPPORT); 1015 } 1016 1017 ret = socreate(af, so, SOCK_DGRAM, IPPROTO_UDP, curthread); 1018 if (ret != 0) 1019 return (ret); 1020 1021 (*so)->so_upcall = wg_upcall; 1022 (*so)->so_upcallarg = upcall_arg; 1023 atomic_set_int(&(*so)->so_rcv.ssb_flags, SSB_UPCALL); 1024 1025 ret = sobind(*so, sa, curthread); 1026 if (ret != 0) 1027 goto error; 1028 1029 if (*port == 0) { 1030 ret = so_pru_sockaddr(*so, &bound_sa); 1031 if (ret != 0) 1032 goto error; 1033 if (bound_sa->sa_family == AF_INET) 1034 *port = ntohs(satosin(bound_sa)->sin_port); 1035 else 1036 *port = ntohs(satosin6(bound_sa)->sin6_port); 1037 kfree(bound_sa, M_SONAME); 1038 } 1039 1040 return (0); 1041 1042 error: 1043 if (*so != NULL) { 1044 soclose(*so, 0); 1045 *so = NULL; 1046 } 1047 return (ret); 1048 } 1049 1050 static void 1051 wg_socket_uninit(struct wg_softc *sc) 1052 { 1053 struct wg_socket *so = &sc->sc_socket; 1054 1055 KKASSERT(lockstatus(&sc->sc_lock, curthread) == LK_EXCLUSIVE); 1056 1057 lockmgr(&so->so_lock, LK_EXCLUSIVE); 1058 1059 if (so->so_so4 != NULL) { 1060 soclose(so->so_so4, 0); 1061 so->so_so4 = NULL; 1062 } 1063 if (so->so_so6 != NULL) { 1064 soclose(so->so_so6, 0); 1065 so->so_so6 = NULL; 1066 } 1067 1068 lockmgr(&so->so_lock, LK_RELEASE); 1069 lockuninit(&so->so_lock); 1070 } 1071 1072 static int 1073 wg_socket_set_sockopt(struct socket *so4, struct socket *so6, 1074 int name, void *val, size_t len) 1075 { 1076 struct sockopt sopt = { 1077 .sopt_dir = SOPT_SET, 1078 .sopt_level = SOL_SOCKET, 1079 .sopt_name = name, 1080 .sopt_val = val, 1081 .sopt_valsize = len, 1082 }; 1083 int ret; 1084 1085 if (so4 != NULL) { 1086 ret = sosetopt(so4, &sopt); 1087 if (ret != 0) 1088 return (ret); 1089 } 1090 if (so6 != NULL) { 1091 ret = sosetopt(so6, &sopt); 1092 if (ret != 0) 1093 return (ret); 1094 } 1095 1096 
return (0); 1097 } 1098 1099 static int 1100 wg_socket_set_cookie(struct wg_softc *sc, uint32_t user_cookie) 1101 { 1102 struct wg_socket *so; 1103 int ret; 1104 1105 KKASSERT(lockstatus(&sc->sc_lock, curthread) == LK_EXCLUSIVE); 1106 1107 so = &sc->sc_socket; 1108 lockmgr(&so->so_lock, LK_EXCLUSIVE); 1109 1110 ret = wg_socket_set_sockopt(so->so_so4, so->so_so6, SO_USER_COOKIE, 1111 &user_cookie, sizeof(user_cookie)); 1112 if (ret == 0) 1113 so->so_user_cookie = user_cookie; 1114 1115 lockmgr(&so->so_lock, LK_RELEASE); 1116 return (ret); 1117 } 1118 1119 static int 1120 wg_send(struct wg_softc *sc, struct wg_endpoint *e, struct mbuf *m) 1121 { 1122 struct wg_socket *so; 1123 struct sockaddr *sa; 1124 int len, ret; 1125 1126 so = &sc->sc_socket; 1127 sa = &e->e_remote.r_sa; 1128 len = m->m_pkthdr.len; 1129 ret = 0; 1130 1131 /* 1132 * NOTE: DragonFly by default sends UDP packets asynchronously, 1133 * unless the 'net.inet.udp.sosend_async' sysctl MIB is set 1134 * to 0 or the 'MSG_SYNC' flag is set for so_pru_sosend(). 1135 * And in the async mode, an error code cannot really be 1136 * replied to the caller. So so_pru_sosend() may return 0 1137 * even if the packet fails to send. 1138 */ 1139 lockmgr(&so->so_lock, LK_SHARED); 1140 if (sa->sa_family == AF_INET && so->so_so4 != NULL) { 1141 ret = so_pru_sosend(so->so_so4, sa, NULL /* uio */, 1142 m, NULL /* control */, 0 /* flags */, 1143 curthread); 1144 #ifdef INET6 1145 } else if (sa->sa_family == AF_INET6 && so->so_so6 != NULL) { 1146 ret = so_pru_sosend(so->so_so6, sa, NULL /* uio */, 1147 m, NULL /* control */, 0 /* flags */, 1148 curthread); 1149 #endif 1150 } else { 1151 ret = ENOTCONN; 1152 m_freem(m); 1153 } 1154 lockmgr(&so->so_lock, LK_RELEASE); 1155 1156 if (ret == 0) { 1157 IFNET_STAT_INC(sc->sc_ifp, opackets, 1); 1158 IFNET_STAT_INC(sc->sc_ifp, obytes, len); 1159 } else { 1160 IFNET_STAT_INC(sc->sc_ifp, oerrors, 1); 1161 } 1162 1163 return (ret); 1164 } 1165 1166 static void 1167 wg_send_buf(struct wg_softc *sc, struct wg_endpoint *e, const void *buf, 1168 size_t len) 1169 { 1170 struct mbuf *m; 1171 int ret; 1172 1173 /* 1174 * This function only sends handshake packets of known lengths that 1175 * are <= MHLEN, so it's safe to just use m_gethdr() and memcpy(). 1176 */ 1177 KKASSERT(len <= MHLEN); 1178 1179 m = m_gethdr(M_NOWAIT, MT_DATA); 1180 if (m == NULL) { 1181 DPRINTF(sc, "Unable to allocate mbuf\n"); 1182 return; 1183 } 1184 1185 /* Just plain copy as it's a single mbuf. */ 1186 memcpy(mtod(m, void *), buf, len); 1187 m->m_pkthdr.len = m->m_len = len; 1188 1189 /* Give high priority to the handshake packets. */ 1190 m->m_flags |= M_PRIO; 1191 1192 ret = wg_send(sc, e, m); 1193 if (ret != 0) 1194 DPRINTF(sc, "Unable to send packet: %d\n", ret); 1195 } 1196 1197 /*----------------------------------------------------------------------------*/ 1198 /* 1199 * Timers 1200 * 1201 * These functions handle the timeout callbacks for a WireGuard session, and 1202 * provide an "event-based" model for controlling WireGuard session timers. 
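 *
 * Roughly, the wg_timers_event_*() entry points drive the callouts as
 * follows (see the functions below for the exact conditions):
 *
 *   data_sent                          -> arm p_new_handshake (if not armed)
 *   data_received                      -> arm p_send_keepalive, or remember
 *                                         that another keepalive is needed
 *   any_authenticated_packet_sent      -> stop p_send_keepalive
 *   any_authenticated_packet_received  -> stop p_new_handshake
 *   any_authenticated_packet_traversal -> re-arm p_persistent_keepalive
 *   handshake_initiated                -> arm p_retry_handshake
 *   handshake_complete                 -> stop p_retry_handshake, record time
 *   session_derived                    -> arm p_zero_key_material
 *   want_initiation                    -> send an initiation if the previous
 *                                         one has expired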
 */

static void	wg_timers_run_send_initiation(struct wg_peer *, bool);
static void	wg_timers_run_retry_handshake(void *);
static void	wg_timers_run_send_keepalive(void *);
static void	wg_timers_run_new_handshake(void *);
static void	wg_timers_run_zero_key_material(void *);
static void	wg_timers_run_persistent_keepalive(void *);

static void
wg_timers_enable(struct wg_peer *peer)
{
	atomic_store_bool(&peer->p_enabled, true);
	wg_timers_run_persistent_keepalive(peer);
}

static void
wg_timers_disable(struct wg_peer *peer)
{
	atomic_store_bool(&peer->p_enabled, false);
	atomic_store_bool(&peer->p_need_another_keepalive, false);

	/* Cancel the callouts and wait for them to complete. */
	callout_drain(&peer->p_new_handshake);
	callout_drain(&peer->p_send_keepalive);
	callout_drain(&peer->p_retry_handshake);
	callout_drain(&peer->p_persistent_keepalive);
	callout_drain(&peer->p_zero_key_material);
}

static void
wg_timers_set_persistent_keepalive(struct wg_peer *peer, uint16_t interval)
{
	atomic_store_16(&peer->p_persistent_keepalive_interval, interval);
	if (atomic_load_bool(&peer->p_enabled))
		wg_timers_run_persistent_keepalive(peer);
}

static bool
wg_timers_get_persistent_keepalive(struct wg_peer *peer, uint16_t *interval)
{
	*interval = atomic_load_16(&peer->p_persistent_keepalive_interval);
	return (*interval > 0);
}

static void
wg_timers_get_last_handshake(struct wg_peer *peer, struct timespec *time)
{
	lockmgr(&peer->p_handshake_mtx, LK_EXCLUSIVE);
	*time = peer->p_handshake_complete;
	lockmgr(&peer->p_handshake_mtx, LK_RELEASE);
}

/*
 * Should be called after an authenticated data packet is sent.
 */
static void
wg_timers_event_data_sent(struct wg_peer *peer)
{
	int ticks;

	if (atomic_load_bool(&peer->p_enabled) &&
	    !callout_pending(&peer->p_new_handshake)) {
		ticks = NEW_HANDSHAKE_TIMEOUT * hz +
			REKEY_TIMEOUT_JITTER * hz / 1000;
		callout_reset(&peer->p_new_handshake, ticks,
			      wg_timers_run_new_handshake, peer);
	}
}

/*
 * Should be called after an authenticated data packet is received.
 */
static void
wg_timers_event_data_received(struct wg_peer *peer)
{
	if (atomic_load_bool(&peer->p_enabled)) {
		if (!callout_pending(&peer->p_send_keepalive)) {
			callout_reset(&peer->p_send_keepalive,
				      KEEPALIVE_TIMEOUT * hz,
				      wg_timers_run_send_keepalive, peer);
		} else {
			atomic_store_bool(&peer->p_need_another_keepalive,
					  true);
		}
	}
}

/*
 * Should be called before any type of authenticated packet is to be sent,
 * whether keepalive, data, or handshake.
 */
static void
wg_timers_event_any_authenticated_packet_sent(struct wg_peer *peer)
{
	callout_stop(&peer->p_send_keepalive);
}

/*
 * Should be called after any type of authenticated packet is received,
 * whether keepalive, data, or handshake.
 */
static void
wg_timers_event_any_authenticated_packet_received(struct wg_peer *peer)
{
	callout_stop(&peer->p_new_handshake);
}

/*
 * Should be called before a packet with authentication (whether keepalive,
 * data, or handshake) is sent, or after one is received.
1314 */ 1315 static void 1316 wg_timers_event_any_authenticated_packet_traversal(struct wg_peer *peer) 1317 { 1318 uint16_t interval; 1319 1320 interval = atomic_load_16(&peer->p_persistent_keepalive_interval); 1321 if (atomic_load_bool(&peer->p_enabled) && interval > 0) { 1322 callout_reset(&peer->p_persistent_keepalive, interval * hz, 1323 wg_timers_run_persistent_keepalive, peer); 1324 } 1325 } 1326 1327 /* 1328 * Should be called after a handshake initiation message is sent. 1329 */ 1330 static void 1331 wg_timers_event_handshake_initiated(struct wg_peer *peer) 1332 { 1333 int ticks; 1334 1335 if (atomic_load_bool(&peer->p_enabled)) { 1336 ticks = REKEY_TIMEOUT * hz + REKEY_TIMEOUT_JITTER * hz / 1000; 1337 callout_reset(&peer->p_retry_handshake, ticks, 1338 wg_timers_run_retry_handshake, peer); 1339 } 1340 } 1341 1342 /* 1343 * Should be called after a handshake response message is received and 1344 * processed, or when getting key confirmation via the first data message. 1345 */ 1346 static void 1347 wg_timers_event_handshake_complete(struct wg_peer *peer) 1348 { 1349 if (atomic_load_bool(&peer->p_enabled)) { 1350 lockmgr(&peer->p_handshake_mtx, LK_EXCLUSIVE); 1351 callout_stop(&peer->p_retry_handshake); 1352 peer->p_handshake_retries = 0; 1353 getnanotime(&peer->p_handshake_complete); 1354 lockmgr(&peer->p_handshake_mtx, LK_RELEASE); 1355 1356 wg_timers_run_send_keepalive(peer); 1357 } 1358 } 1359 1360 /* 1361 * Should be called after an ephemeral key is created, which is before sending 1362 * a handshake response or after receiving a handshake response. 1363 */ 1364 static void 1365 wg_timers_event_session_derived(struct wg_peer *peer) 1366 { 1367 if (atomic_load_bool(&peer->p_enabled)) { 1368 callout_reset(&peer->p_zero_key_material, 1369 REJECT_AFTER_TIME * 3 * hz, 1370 wg_timers_run_zero_key_material, peer); 1371 } 1372 } 1373 1374 /* 1375 * Should be called after data packet sending failure, or after the old 1376 * keypairs expiring (or near expiring). 
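 * (wg_deliver_{in,out}() use noise_keypair_should_refresh() to detect the
 * latter case and then call this function.)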
1377 */ 1378 static void 1379 wg_timers_event_want_initiation(struct wg_peer *peer) 1380 { 1381 if (atomic_load_bool(&peer->p_enabled)) 1382 wg_timers_run_send_initiation(peer, false); 1383 } 1384 1385 static void 1386 wg_timers_run_send_initiation(struct wg_peer *peer, bool is_retry) 1387 { 1388 if (!is_retry) 1389 peer->p_handshake_retries = 0; 1390 if (noise_remote_initiation_expired(peer->p_remote)) 1391 wg_send_initiation(peer); 1392 } 1393 1394 static void 1395 wg_timers_run_retry_handshake(void *_peer) 1396 { 1397 struct wg_peer *peer = _peer; 1398 1399 lockmgr(&peer->p_handshake_mtx, LK_EXCLUSIVE); 1400 if (peer->p_handshake_retries <= MAX_TIMER_HANDSHAKES) { 1401 peer->p_handshake_retries++; 1402 lockmgr(&peer->p_handshake_mtx, LK_RELEASE); 1403 1404 DPRINTF(peer->p_sc, "Handshake for peer %ld did not complete " 1405 "after %d seconds, retrying (try %d)\n", peer->p_id, 1406 REKEY_TIMEOUT, peer->p_handshake_retries + 1); 1407 wg_timers_run_send_initiation(peer, true); 1408 } else { 1409 lockmgr(&peer->p_handshake_mtx, LK_RELEASE); 1410 1411 DPRINTF(peer->p_sc, "Handshake for peer %ld did not complete " 1412 "after %d retries, giving up\n", peer->p_id, 1413 MAX_TIMER_HANDSHAKES + 2); 1414 callout_stop(&peer->p_send_keepalive); 1415 wg_queue_purge(&peer->p_stage_queue); 1416 if (atomic_load_bool(&peer->p_enabled) && 1417 !callout_pending(&peer->p_zero_key_material)) { 1418 callout_reset(&peer->p_zero_key_material, 1419 REJECT_AFTER_TIME * 3 * hz, 1420 wg_timers_run_zero_key_material, peer); 1421 } 1422 } 1423 } 1424 1425 static void 1426 wg_timers_run_send_keepalive(void *_peer) 1427 { 1428 struct wg_peer *peer = _peer; 1429 1430 wg_send_keepalive(peer); 1431 1432 if (atomic_load_bool(&peer->p_enabled) && 1433 atomic_load_bool(&peer->p_need_another_keepalive)) { 1434 atomic_store_bool(&peer->p_need_another_keepalive, false); 1435 callout_reset(&peer->p_send_keepalive, KEEPALIVE_TIMEOUT * hz, 1436 wg_timers_run_send_keepalive, peer); 1437 } 1438 } 1439 1440 static void 1441 wg_timers_run_persistent_keepalive(void *_peer) 1442 { 1443 struct wg_peer *peer = _peer; 1444 1445 if (atomic_load_16(&peer->p_persistent_keepalive_interval) > 0) 1446 wg_send_keepalive(peer); 1447 } 1448 1449 static void 1450 wg_timers_run_new_handshake(void *_peer) 1451 { 1452 struct wg_peer *peer = _peer; 1453 1454 DPRINTF(peer->p_sc, "Retrying handshake with peer %ld, " 1455 "because we stopped hearing back after %d seconds\n", 1456 peer->p_id, NEW_HANDSHAKE_TIMEOUT); 1457 wg_timers_run_send_initiation(peer, false); 1458 } 1459 1460 static void 1461 wg_timers_run_zero_key_material(void *_peer) 1462 { 1463 struct wg_peer *peer = _peer; 1464 1465 DPRINTF(peer->p_sc, "Zeroing out keys for peer %ld, " 1466 "since we haven't received a new one in %d seconds\n", 1467 peer->p_id, REJECT_AFTER_TIME * 3); 1468 noise_remote_keypairs_clear(peer->p_remote); 1469 } 1470 1471 /*----------------------------------------------------------------------------*/ 1472 /* Handshake */ 1473 1474 static void 1475 wg_peer_send_buf(struct wg_peer *peer, const void *buf, size_t len) 1476 { 1477 struct wg_endpoint endpoint; 1478 1479 peer->p_tx_bytes[mycpuid] += len; 1480 1481 wg_timers_event_any_authenticated_packet_traversal(peer); 1482 wg_timers_event_any_authenticated_packet_sent(peer); 1483 1484 wg_peer_get_endpoint(peer, &endpoint); 1485 wg_send_buf(peer->p_sc, &endpoint, buf, len); 1486 } 1487 1488 static void 1489 wg_send_initiation(struct wg_peer *peer) 1490 { 1491 struct wg_pkt_initiation pkt; 1492 1493 if 
(!noise_create_initiation(peer->p_remote, &pkt.s_idx, pkt.ue, 1494 pkt.es, pkt.ets)) 1495 return; 1496 1497 DPRINTF(peer->p_sc, "Sending handshake initiation to peer %ld\n", 1498 peer->p_id); 1499 1500 pkt.t = WG_PKT_INITIATION; 1501 cookie_maker_mac(peer->p_cookie, &pkt.m, &pkt, 1502 sizeof(pkt) - sizeof(pkt.m)); 1503 wg_peer_send_buf(peer, &pkt, sizeof(pkt)); 1504 wg_timers_event_handshake_initiated(peer); 1505 } 1506 1507 static void 1508 wg_send_response(struct wg_peer *peer) 1509 { 1510 struct wg_pkt_response pkt; 1511 1512 if (!noise_create_response(peer->p_remote, &pkt.s_idx, &pkt.r_idx, 1513 pkt.ue, pkt.en)) 1514 return; 1515 1516 DPRINTF(peer->p_sc, "Sending handshake response to peer %ld\n", 1517 peer->p_id); 1518 1519 wg_timers_event_session_derived(peer); 1520 pkt.t = WG_PKT_RESPONSE; 1521 cookie_maker_mac(peer->p_cookie, &pkt.m, &pkt, 1522 sizeof(pkt) - sizeof(pkt.m)); 1523 wg_peer_send_buf(peer, &pkt, sizeof(pkt)); 1524 } 1525 1526 static void 1527 wg_send_cookie(struct wg_softc *sc, struct cookie_macs *cm, uint32_t idx, 1528 struct wg_endpoint *e) 1529 { 1530 struct wg_pkt_cookie pkt; 1531 1532 DPRINTF(sc, "Sending cookie response for denied handshake message\n"); 1533 1534 pkt.t = WG_PKT_COOKIE; 1535 pkt.r_idx = idx; 1536 1537 cookie_checker_create_payload(sc->sc_cookie, cm, pkt.nonce, 1538 pkt.ec, &e->e_remote.r_sa); 1539 wg_send_buf(sc, e, &pkt, sizeof(pkt)); 1540 } 1541 1542 static void 1543 wg_send_keepalive(struct wg_peer *peer) 1544 { 1545 struct wg_packet *pkt; 1546 struct mbuf *m; 1547 1548 if (wg_queue_len(&peer->p_stage_queue) > 0) 1549 goto send; 1550 if ((m = m_gethdr(M_NOWAIT, MT_DATA)) == NULL) 1551 return; 1552 if ((pkt = wg_packet_alloc(m)) == NULL) { 1553 m_freem(m); 1554 return; 1555 } 1556 1557 wg_queue_push_staged(&peer->p_stage_queue, pkt); 1558 DPRINTF(peer->p_sc, "Sending keepalive packet to peer %ld\n", 1559 peer->p_id); 1560 send: 1561 wg_peer_send_staged(peer); 1562 } 1563 1564 static bool 1565 wg_is_underload(struct wg_softc *sc) 1566 { 1567 /* 1568 * This is global, so that the load calculation applies to the 1569 * whole system. Don't care about races with it at all. 1570 */ 1571 static struct timespec last_underload; /* nanouptime */ 1572 struct timespec now; 1573 bool underload; 1574 1575 underload = (wg_queue_len(&sc->sc_handshake_queue) >= 1576 MAX_QUEUED_HANDSHAKES / 8); 1577 if (underload) { 1578 getnanouptime(&last_underload); 1579 } else if (timespecisset(&last_underload)) { 1580 getnanouptime(&now); 1581 now.tv_sec -= UNDERLOAD_TIMEOUT; 1582 underload = timespeccmp(&last_underload, &now, >); 1583 if (!underload) 1584 timespecclear(&last_underload); 1585 } 1586 1587 return (underload); 1588 } 1589 1590 static void 1591 wg_handshake(struct wg_softc *sc, struct wg_packet *pkt) 1592 { 1593 struct wg_pkt_initiation *init; 1594 struct wg_pkt_response *resp; 1595 struct wg_pkt_cookie *cook; 1596 struct wg_endpoint *e; 1597 struct wg_peer *peer; 1598 struct mbuf *m; 1599 struct noise_remote *remote = NULL; 1600 bool underload; 1601 int ret; 1602 1603 underload = wg_is_underload(sc); 1604 m = pkt->p_mbuf; 1605 e = &pkt->p_endpoint; 1606 1607 /* m_pullup() may change 'm', so must update 'pkt->p_mbuf'. 
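	 * Pulling up the whole m_pkthdr.len is fine here: handshake packets
	 * are small and fixed-size, and wg_input() has already defragmented
	 * the chain, so this pullup is normally a no-op.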
*/ 1608 if ((pkt->p_mbuf = m = m_pullup(m, m->m_pkthdr.len)) == NULL) 1609 goto error; 1610 1611 switch (*mtod(m, uint32_t *)) { 1612 case WG_PKT_INITIATION: 1613 init = mtod(m, struct wg_pkt_initiation *); 1614 1615 ret = cookie_checker_validate_macs(sc->sc_cookie, &init->m, 1616 init, sizeof(*init) - sizeof(init->m), underload, 1617 &e->e_remote.r_sa); 1618 if (ret != 0) { 1619 switch (ret) { 1620 case EINVAL: 1621 DPRINTF(sc, "Invalid initiation MAC\n"); 1622 break; 1623 case ECONNREFUSED: 1624 DPRINTF(sc, "Handshake ratelimited\n"); 1625 break; 1626 case EAGAIN: 1627 wg_send_cookie(sc, &init->m, init->s_idx, e); 1628 break; 1629 default: 1630 /* 1631 * cookie_checker_validate_macs() seems could 1632 * return EAFNOSUPPORT, but that is actually 1633 * impossible, because packets of unsupported 1634 * AF have been already dropped. 1635 */ 1636 panic("%s: unexpected return: %d", 1637 __func__, ret); 1638 } 1639 goto error; 1640 } 1641 1642 remote = noise_consume_initiation(sc->sc_local, init->s_idx, 1643 init->ue, init->es, 1644 init->ets); 1645 if (remote == NULL) { 1646 DPRINTF(sc, "Invalid handshake initiation\n"); 1647 goto error; 1648 } 1649 1650 peer = noise_remote_arg(remote); 1651 DPRINTF(sc, "Receiving handshake initiation from peer %ld\n", 1652 peer->p_id); 1653 1654 wg_peer_set_endpoint(peer, e); 1655 wg_send_response(peer); 1656 break; 1657 1658 case WG_PKT_RESPONSE: 1659 resp = mtod(m, struct wg_pkt_response *); 1660 1661 ret = cookie_checker_validate_macs(sc->sc_cookie, &resp->m, 1662 resp, sizeof(*resp) - sizeof(resp->m), underload, 1663 &e->e_remote.r_sa); 1664 if (ret != 0) { 1665 switch (ret) { 1666 case EINVAL: 1667 DPRINTF(sc, "Invalid response MAC\n"); 1668 break; 1669 case ECONNREFUSED: 1670 DPRINTF(sc, "Handshake ratelimited\n"); 1671 break; 1672 case EAGAIN: 1673 wg_send_cookie(sc, &resp->m, resp->s_idx, e); 1674 break; 1675 default: 1676 /* See also the comment above. */ 1677 panic("%s: unexpected return: %d", 1678 __func__, ret); 1679 } 1680 goto error; 1681 } 1682 1683 remote = noise_consume_response(sc->sc_local, resp->s_idx, 1684 resp->r_idx, resp->ue, 1685 resp->en); 1686 if (remote == NULL) { 1687 DPRINTF(sc, "Invalid handshake response\n"); 1688 goto error; 1689 } 1690 1691 peer = noise_remote_arg(remote); 1692 DPRINTF(sc, "Receiving handshake response from peer %ld\n", 1693 peer->p_id); 1694 1695 wg_peer_set_endpoint(peer, e); 1696 wg_timers_event_session_derived(peer); 1697 wg_timers_event_handshake_complete(peer); 1698 break; 1699 1700 case WG_PKT_COOKIE: 1701 cook = mtod(m, struct wg_pkt_cookie *); 1702 1703 /* 1704 * A cookie message can be a reply to an initiation message 1705 * or to a response message. In the latter case, the noise 1706 * index has been transformed from a remote entry to a 1707 * keypair entry. Therefore, we need to lookup the index 1708 * for both remote and keypair entries. 
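		 * noise_remote_index() is expected to handle both lookups
		 * (remote index and keypair index); the details live in
		 * wg_noise.c.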
1709 */ 1710 remote = noise_remote_index(sc->sc_local, cook->r_idx); 1711 if (remote == NULL) { 1712 DPRINTF(sc, "Unknown cookie index\n"); 1713 goto error; 1714 } 1715 1716 peer = noise_remote_arg(remote); 1717 if (cookie_maker_consume_payload(peer->p_cookie, cook->nonce, 1718 cook->ec) == 0) { 1719 DPRINTF(sc, "Receiving cookie response\n"); 1720 } else { 1721 DPRINTF(sc, "Could not decrypt cookie response\n"); 1722 goto error; 1723 } 1724 1725 goto not_authenticated; 1726 1727 default: 1728 panic("%s: invalid packet in handshake queue", __func__); 1729 } 1730 1731 wg_timers_event_any_authenticated_packet_received(peer); 1732 wg_timers_event_any_authenticated_packet_traversal(peer); 1733 1734 not_authenticated: 1735 IFNET_STAT_INC(sc->sc_ifp, ipackets, 1); 1736 IFNET_STAT_INC(sc->sc_ifp, ibytes, m->m_pkthdr.len); 1737 peer->p_rx_bytes[mycpuid] += m->m_pkthdr.len; 1738 noise_remote_put(remote); 1739 wg_packet_free(pkt); 1740 1741 return; 1742 1743 error: 1744 IFNET_STAT_INC(sc->sc_ifp, ierrors, 1); 1745 if (remote != NULL) 1746 noise_remote_put(remote); 1747 wg_packet_free(pkt); 1748 } 1749 1750 static void 1751 wg_handshake_worker(void *arg, int pending __unused) 1752 { 1753 struct wg_softc *sc = arg; 1754 struct wg_queue *queue = &sc->sc_handshake_queue; 1755 struct wg_packet *pkt; 1756 1757 while ((pkt = wg_queue_dequeue_handshake(queue)) != NULL) 1758 wg_handshake(sc, pkt); 1759 } 1760 1761 /*----------------------------------------------------------------------------*/ 1762 /* Transport Packet Functions */ 1763 1764 static inline void 1765 wg_bpf_ptap(struct ifnet *ifp, struct mbuf *m, sa_family_t af) 1766 { 1767 uint32_t bpf_af; 1768 1769 if (ifp->if_bpf == NULL) 1770 return; 1771 1772 bpf_gettoken(); 1773 /* Double check after obtaining the token. */ 1774 if (ifp->if_bpf != NULL) { 1775 /* Prepend the AF as a 4-byte field for DLT_NULL. */ 1776 bpf_af = (uint32_t)af; 1777 bpf_ptap(ifp->if_bpf, m, &bpf_af, sizeof(bpf_af)); 1778 } 1779 bpf_reltoken(); 1780 } 1781 1782 static inline unsigned int 1783 calculate_padding(struct wg_packet *pkt) 1784 { 1785 unsigned int padded_size, last_unit; 1786 1787 last_unit = pkt->p_mbuf->m_pkthdr.len; 1788 1789 /* Keepalive packets don't set p_mtu, but also have a length of zero. */ 1790 if (__predict_false(pkt->p_mtu == 0)) 1791 return WG_PKT_WITH_PADDING(last_unit) - last_unit; 1792 1793 /* 1794 * Just in case the packet is bigger than the MTU and would cause 1795 * the final subtraction to overflow. 1796 */ 1797 if (__predict_false(last_unit > pkt->p_mtu)) 1798 last_unit %= pkt->p_mtu; 1799 1800 padded_size = MIN(pkt->p_mtu, WG_PKT_WITH_PADDING(last_unit)); 1801 return (padded_size - last_unit); 1802 } 1803 1804 static inline int 1805 determine_af_and_pullup(struct mbuf **m, sa_family_t *af) 1806 { 1807 const struct ip *ip; 1808 const struct ip6_hdr *ip6; 1809 int len; 1810 1811 ip = mtod(*m, const struct ip *); 1812 ip6 = mtod(*m, const struct ip6_hdr *); 1813 len = (*m)->m_pkthdr.len; 1814 1815 if (len >= sizeof(*ip) && ip->ip_v == IPVERSION) 1816 *af = AF_INET; 1817 #ifdef INET6 1818 else if (len >= sizeof(*ip6) && 1819 (ip6->ip6_vfc & IPV6_VERSION_MASK) == IPV6_VERSION) 1820 *af = AF_INET6; 1821 #endif 1822 else 1823 return (EAFNOSUPPORT); 1824 1825 *m = m_pullup(*m, (*af == AF_INET ? 
sizeof(*ip) : sizeof(*ip6))); 1826 if (*m == NULL) 1827 return (ENOBUFS); 1828 1829 return (0); 1830 } 1831 1832 static void 1833 wg_encrypt(struct wg_softc *sc, struct wg_packet *pkt) 1834 { 1835 static const uint8_t padding[WG_PKT_PADDING] = { 0 }; 1836 struct wg_pkt_data *data; 1837 struct wg_peer *peer; 1838 struct noise_remote *remote; 1839 struct mbuf *m; 1840 unsigned int padlen, state = WG_PACKET_DEAD; 1841 uint32_t idx; 1842 1843 remote = noise_keypair_remote(pkt->p_keypair); 1844 peer = noise_remote_arg(remote); 1845 m = pkt->p_mbuf; 1846 1847 padlen = calculate_padding(pkt); 1848 if (padlen != 0 && !m_append(m, padlen, padding)) 1849 goto out; 1850 1851 if (noise_keypair_encrypt(pkt->p_keypair, &idx, pkt->p_counter, m) != 0) 1852 goto out; 1853 1854 M_PREPEND(m, sizeof(struct wg_pkt_data), M_NOWAIT); 1855 if (m == NULL) 1856 goto out; 1857 data = mtod(m, struct wg_pkt_data *); 1858 data->t = WG_PKT_DATA; 1859 data->r_idx = idx; 1860 data->counter = htole64(pkt->p_counter); 1861 1862 state = WG_PACKET_CRYPTED; 1863 1864 out: 1865 pkt->p_mbuf = m; 1866 atomic_store_rel_int(&pkt->p_state, state); 1867 taskqueue_enqueue(peer->p_send_taskqueue, &peer->p_send_task); 1868 noise_remote_put(remote); 1869 } 1870 1871 static void 1872 wg_decrypt(struct wg_softc *sc, struct wg_packet *pkt) 1873 { 1874 struct wg_peer *peer, *allowed_peer; 1875 struct noise_remote *remote; 1876 struct mbuf *m; 1877 unsigned int state = WG_PACKET_DEAD; 1878 int len; 1879 1880 remote = noise_keypair_remote(pkt->p_keypair); 1881 peer = noise_remote_arg(remote); 1882 m = pkt->p_mbuf; 1883 1884 pkt->p_counter = le64toh(mtod(m, struct wg_pkt_data *)->counter); 1885 m_adj(m, sizeof(struct wg_pkt_data)); 1886 1887 if (noise_keypair_decrypt(pkt->p_keypair, pkt->p_counter, m) != 0) 1888 goto out; 1889 1890 /* A packet with a length of zero is a keepalive packet. */ 1891 if (__predict_false(m->m_pkthdr.len == 0)) { 1892 DPRINTF(sc, "Receiving keepalive packet from peer %ld\n", 1893 peer->p_id); 1894 state = WG_PACKET_CRYPTED; 1895 goto out; 1896 } 1897 1898 /* 1899 * Extract the source address for wg_aip_lookup(), and trim the 1900 * packet if it was padded before encryption. 1901 */ 1902 if (determine_af_and_pullup(&m, &pkt->p_af) != 0) 1903 goto out; 1904 if (pkt->p_af == AF_INET) { 1905 const struct ip *ip = mtod(m, const struct ip *); 1906 allowed_peer = wg_aip_lookup(sc, AF_INET, &ip->ip_src); 1907 len = ntohs(ip->ip_len); 1908 if (len >= sizeof(struct ip) && len < m->m_pkthdr.len) 1909 m_adj(m, len - m->m_pkthdr.len); 1910 } else { 1911 const struct ip6_hdr *ip6 = mtod(m, const struct ip6_hdr *); 1912 allowed_peer = wg_aip_lookup(sc, AF_INET6, &ip6->ip6_src); 1913 len = ntohs(ip6->ip6_plen) + sizeof(struct ip6_hdr); 1914 if (len < m->m_pkthdr.len) 1915 m_adj(m, len - m->m_pkthdr.len); 1916 } 1917 1918 /* Drop the reference, since no need to dereference it. 
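	 * The lookup was only needed to check that the inner source address
	 * maps back to the same peer (the cryptokey-routing check below).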
*/ 1919 if (allowed_peer != NULL) 1920 noise_remote_put(allowed_peer->p_remote); 1921 1922 if (__predict_false(peer != allowed_peer)) { 1923 DPRINTF(sc, "Packet has disallowed src IP from peer %ld\n", 1924 peer->p_id); 1925 goto out; 1926 } 1927 1928 state = WG_PACKET_CRYPTED; 1929 1930 out: 1931 pkt->p_mbuf = m; 1932 atomic_store_rel_int(&pkt->p_state, state); 1933 taskqueue_enqueue(peer->p_recv_taskqueue, &peer->p_recv_task); 1934 noise_remote_put(remote); 1935 } 1936 1937 static void 1938 wg_encrypt_worker(void *arg, int pending __unused) 1939 { 1940 struct wg_softc *sc = arg; 1941 struct wg_queue *queue = &sc->sc_encrypt_parallel; 1942 struct wg_packet *pkt; 1943 1944 while ((pkt = wg_queue_dequeue_parallel(queue)) != NULL) 1945 wg_encrypt(sc, pkt); 1946 } 1947 1948 static void 1949 wg_decrypt_worker(void *arg, int pending __unused) 1950 { 1951 struct wg_softc *sc = arg; 1952 struct wg_queue *queue = &sc->sc_decrypt_parallel; 1953 struct wg_packet *pkt; 1954 1955 while ((pkt = wg_queue_dequeue_parallel(queue)) != NULL) 1956 wg_decrypt(sc, pkt); 1957 } 1958 1959 static void 1960 wg_encrypt_dispatch(struct wg_softc *sc) 1961 { 1962 int cpu; 1963 1964 /* 1965 * The update to encrypt_last_cpu is racy such that we may 1966 * reschedule the task for the same CPU multiple times, but 1967 * the race doesn't really matter. 1968 */ 1969 cpu = (sc->sc_encrypt_last_cpu + 1) % ncpus; 1970 sc->sc_encrypt_last_cpu = cpu; 1971 taskqueue_enqueue(wg_taskqueues[cpu], &sc->sc_encrypt_tasks[cpu]); 1972 } 1973 1974 static void 1975 wg_decrypt_dispatch(struct wg_softc *sc) 1976 { 1977 int cpu; 1978 1979 cpu = (sc->sc_decrypt_last_cpu + 1) % ncpus; 1980 sc->sc_decrypt_last_cpu = cpu; 1981 taskqueue_enqueue(wg_taskqueues[cpu], &sc->sc_decrypt_tasks[cpu]); 1982 } 1983 1984 static void 1985 wg_deliver_out(void *arg, int pending __unused) 1986 { 1987 struct wg_peer *peer = arg; 1988 struct wg_softc *sc = peer->p_sc; 1989 struct wg_queue *queue = &peer->p_encrypt_serial; 1990 struct wg_endpoint endpoint; 1991 struct wg_packet *pkt; 1992 struct mbuf *m; 1993 int len, cpu; 1994 1995 cpu = mycpuid; 1996 1997 while ((pkt = wg_queue_dequeue_serial(queue)) != NULL) { 1998 if (atomic_load_acq_int(&pkt->p_state) != WG_PACKET_CRYPTED) { 1999 IFNET_STAT_INC(sc->sc_ifp, oerrors, 1); 2000 wg_packet_free(pkt); 2001 continue; 2002 } 2003 2004 m = pkt->p_mbuf; 2005 m->m_flags &= ~MBUF_CLEARFLAGS; 2006 len = m->m_pkthdr.len; 2007 2008 pkt->p_mbuf = NULL; 2009 wg_packet_free(pkt); 2010 2011 /* 2012 * The keepalive timers -- both persistent and mandatory -- 2013 * are part of the internal state machine, which needs to be 2014 * cranked whether or not the packet was actually sent. 
2015 */ 2016 wg_timers_event_any_authenticated_packet_traversal(peer); 2017 wg_timers_event_any_authenticated_packet_sent(peer); 2018 2019 wg_peer_get_endpoint(peer, &endpoint); 2020 if (wg_send(sc, &endpoint, m) == 0) { 2021 peer->p_tx_bytes[cpu] += len; 2022 if (len > WG_PKT_ENCRYPTED_LEN(0)) 2023 wg_timers_event_data_sent(peer); 2024 if (noise_keypair_should_refresh(peer->p_remote, true)) 2025 wg_timers_event_want_initiation(peer); 2026 } 2027 } 2028 } 2029 2030 static void 2031 wg_deliver_in(void *arg, int pending __unused) 2032 { 2033 struct wg_peer *peer = arg; 2034 struct wg_softc *sc = peer->p_sc; 2035 struct wg_queue *queue = &peer->p_decrypt_serial; 2036 struct wg_packet *pkt; 2037 struct ifnet *ifp; 2038 struct mbuf *m; 2039 size_t rx_bytes; 2040 int cpu; 2041 2042 cpu = mycpuid; 2043 ifp = sc->sc_ifp; 2044 2045 while ((pkt = wg_queue_dequeue_serial(queue)) != NULL) { 2046 if (atomic_load_acq_int(&pkt->p_state) != WG_PACKET_CRYPTED || 2047 noise_keypair_counter_check(pkt->p_keypair, pkt->p_counter) 2048 != 0) { 2049 IFNET_STAT_INC(ifp, ierrors, 1); 2050 wg_packet_free(pkt); 2051 continue; 2052 } 2053 2054 if (noise_keypair_received_with(pkt->p_keypair)) 2055 wg_timers_event_handshake_complete(peer); 2056 2057 wg_timers_event_any_authenticated_packet_received(peer); 2058 wg_timers_event_any_authenticated_packet_traversal(peer); 2059 wg_peer_set_endpoint(peer, &pkt->p_endpoint); 2060 2061 m = pkt->p_mbuf; 2062 rx_bytes = WG_PKT_ENCRYPTED_LEN(m->m_pkthdr.len); 2063 peer->p_rx_bytes[cpu] += rx_bytes; 2064 IFNET_STAT_INC(ifp, ipackets, 1); 2065 IFNET_STAT_INC(ifp, ibytes, rx_bytes); 2066 2067 if (m->m_pkthdr.len > 0) { 2068 if (ifp->if_capenable & IFCAP_RXCSUM) { 2069 /* 2070 * The packet is authentic as ensured by the 2071 * AEAD tag, so we can tell the networking 2072 * stack that this packet has valid checksums 2073 * and thus is unnecessary to check again. 2074 */ 2075 if (m->m_pkthdr.csum_flags & CSUM_IP) 2076 m->m_pkthdr.csum_flags |= 2077 (CSUM_IP_CHECKED | CSUM_IP_VALID); 2078 if (m->m_pkthdr.csum_flags & CSUM_DELAY_DATA) { 2079 m->m_pkthdr.csum_flags |= 2080 (CSUM_DATA_VALID | CSUM_PSEUDO_HDR); 2081 m->m_pkthdr.csum_data = 0xffff; 2082 } 2083 } 2084 m->m_flags &= ~MBUF_CLEARFLAGS; 2085 m->m_pkthdr.rcvif = ifp; 2086 2087 wg_bpf_ptap(ifp, m, pkt->p_af); 2088 2089 netisr_queue((pkt->p_af == AF_INET ? 2090 NETISR_IP : NETISR_IPV6), m); 2091 pkt->p_mbuf = NULL; 2092 2093 wg_timers_event_data_received(peer); 2094 } 2095 2096 wg_packet_free(pkt); 2097 2098 if (noise_keypair_should_refresh(peer->p_remote, false)) 2099 wg_timers_event_want_initiation(peer); 2100 } 2101 } 2102 2103 static void 2104 wg_input(struct wg_softc *sc, struct mbuf *m, const struct sockaddr *sa) 2105 { 2106 struct noise_remote *remote; 2107 struct wg_pkt_data *data; 2108 struct wg_packet *pkt; 2109 struct wg_peer *peer; 2110 struct mbuf *defragged; 2111 2112 /* 2113 * Defragment mbufs early on in order to: 2114 * - make the crypto a lot faster; 2115 * - make the subsequent m_pullup()'s no-ops. 2116 */ 2117 defragged = m_defrag(m, M_NOWAIT); 2118 if (defragged != NULL) 2119 m = defragged; /* The original mbuf chain is freed. */ 2120 2121 /* Ensure the packet is not shared before modifying it. 
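The packet is later modified in place (header pullup and trim, in-place decryption), so its data must not be shared with any other mbuf chain.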
*/ 2122 m = m_unshare(m, M_NOWAIT); 2123 if (m == NULL) { 2124 IFNET_STAT_INC(sc->sc_ifp, iqdrops, 1); 2125 return; 2126 } 2127 2128 /* Pullup enough to read packet type */ 2129 if ((m = m_pullup(m, sizeof(uint32_t))) == NULL) { 2130 IFNET_STAT_INC(sc->sc_ifp, iqdrops, 1); 2131 return; 2132 } 2133 2134 if ((pkt = wg_packet_alloc(m)) == NULL) { 2135 IFNET_STAT_INC(sc->sc_ifp, iqdrops, 1); 2136 m_freem(m); 2137 return; 2138 } 2139 2140 /* Save the remote address and port for later use. */ 2141 switch (sa->sa_family) { 2142 case AF_INET: 2143 pkt->p_endpoint.e_remote.r_sin = 2144 *(const struct sockaddr_in *)sa; 2145 break; 2146 #ifdef INET6 2147 case AF_INET6: 2148 pkt->p_endpoint.e_remote.r_sin6 = 2149 *(const struct sockaddr_in6 *)sa; 2150 break; 2151 #endif 2152 default: 2153 DPRINTF(sc, "Unsupported packet address family\n"); 2154 goto error; 2155 } 2156 2157 if (WG_PKT_IS_INITIATION(m) || 2158 WG_PKT_IS_RESPONSE(m) || 2159 WG_PKT_IS_COOKIE(m)) { 2160 if (!wg_queue_enqueue_handshake(&sc->sc_handshake_queue, pkt)) { 2161 IFNET_STAT_INC(sc->sc_ifp, iqdrops, 1); 2162 DPRINTF(sc, "Dropping handshake packet\n"); 2163 } 2164 taskqueue_enqueue(sc->sc_handshake_taskqueue, 2165 &sc->sc_handshake_task); 2166 return; 2167 } 2168 2169 if (WG_PKT_IS_DATA(m)) { 2170 /* Pullup the whole header to read r_idx below. */ 2171 pkt->p_mbuf = m_pullup(m, sizeof(struct wg_pkt_data)); 2172 if (pkt->p_mbuf == NULL) 2173 goto error; 2174 2175 data = mtod(pkt->p_mbuf, struct wg_pkt_data *); 2176 pkt->p_keypair = noise_keypair_lookup(sc->sc_local, 2177 data->r_idx); 2178 if (pkt->p_keypair == NULL) 2179 goto error; 2180 2181 remote = noise_keypair_remote(pkt->p_keypair); 2182 peer = noise_remote_arg(remote); 2183 if (!wg_queue_both(&sc->sc_decrypt_parallel, 2184 &peer->p_decrypt_serial, pkt)) 2185 IFNET_STAT_INC(sc->sc_ifp, iqdrops, 1); 2186 2187 wg_decrypt_dispatch(sc); 2188 noise_remote_put(remote); 2189 return; 2190 } 2191 2192 error: 2193 IFNET_STAT_INC(sc->sc_ifp, ierrors, 1); 2194 wg_packet_free(pkt); 2195 } 2196 2197 static void 2198 wg_upcall(struct socket *so, void *arg, int waitflag __unused) 2199 { 2200 struct wg_softc *sc = arg; 2201 struct sockaddr *from; 2202 struct sockbuf sio; 2203 int ret, flags; 2204 2205 /* 2206 * For UDP, soreceive typically pulls just one packet, 2207 * so loop to get the whole batch. 2208 */ 2209 do { 2210 sbinit(&sio, 1000000000); /* really large to receive all */ 2211 flags = MSG_DONTWAIT; 2212 ret = so_pru_soreceive(so, &from, NULL, &sio, NULL, &flags); 2213 if (ret != 0 || sio.sb_mb == NULL) { 2214 if (from != NULL) 2215 kfree(from, M_SONAME); 2216 break; 2217 } 2218 wg_input(sc, sio.sb_mb, from); 2219 kfree(from, M_SONAME); 2220 } while (sio.sb_mb != NULL); 2221 } 2222 2223 static void 2224 wg_peer_send_staged(struct wg_peer *peer) 2225 { 2226 struct wg_softc *sc = peer->p_sc; 2227 struct wg_packet *pkt, *tpkt; 2228 struct wg_packet_list list; 2229 struct noise_keypair *keypair = NULL; 2230 2231 wg_queue_delist_staged(&peer->p_stage_queue, &list); 2232 2233 if (STAILQ_EMPTY(&list)) 2234 return; 2235 2236 if ((keypair = noise_keypair_current(peer->p_remote)) == NULL) 2237 goto error; 2238 2239 /* 2240 * We now try to assign counters to all of the packets in the queue. 2241 * If we can't assign counters for all of them, we just consider it 2242 * a failure and wait for the next handshake. 
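* Counter assignment typically fails because the keypair's send
* counter has been exhausted, in which case a fresh handshake is
* required before any more data packets can be sent.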
2243 */ 2244 STAILQ_FOREACH(pkt, &list, p_parallel) { 2245 if (!noise_keypair_counter_next(keypair, &pkt->p_counter)) 2246 goto error; 2247 } 2248 STAILQ_FOREACH_MUTABLE(pkt, &list, p_parallel, tpkt) { 2249 pkt->p_keypair = noise_keypair_ref(keypair); 2250 if (!wg_queue_both(&sc->sc_encrypt_parallel, 2251 &peer->p_encrypt_serial, pkt)) 2252 IFNET_STAT_INC(sc->sc_ifp, oqdrops, 1); 2253 } 2254 2255 wg_encrypt_dispatch(sc); 2256 noise_keypair_put(keypair); 2257 return; 2258 2259 error: 2260 if (keypair != NULL) 2261 noise_keypair_put(keypair); 2262 wg_queue_enlist_staged(&peer->p_stage_queue, &list); 2263 wg_timers_event_want_initiation(peer); 2264 } 2265 2266 static int 2267 wg_output(struct ifnet *ifp, struct mbuf *m, struct sockaddr *dst, 2268 struct rtentry *rt) 2269 { 2270 struct wg_softc *sc = ifp->if_softc; 2271 struct wg_packet *pkt = NULL; 2272 struct wg_peer *peer = NULL; 2273 struct mbuf *defragged; 2274 sa_family_t af = AF_UNSPEC; 2275 int ret; 2276 2277 if (dst->sa_family == AF_UNSPEC) { 2278 /* 2279 * Specially handle packets written/injected by BPF. 2280 * The packets have the same DLT_NULL link-layer type 2281 * (i.e., 4-byte link-layer header in host byte order). 2282 */ 2283 dst->sa_family = *(mtod(m, uint32_t *)); 2284 m_adj(m, sizeof(uint32_t)); 2285 } 2286 if (dst->sa_family == AF_UNSPEC) { 2287 ret = EAFNOSUPPORT; 2288 goto error; 2289 } 2290 2291 wg_bpf_ptap(ifp, m, dst->sa_family); 2292 2293 if (__predict_false(if_tunnel_check_nesting(ifp, m, MTAG_WGLOOP, 2294 MAX_LOOPS) != 0)) { 2295 DPRINTF(sc, "Packet looped\n"); 2296 ret = ELOOP; 2297 goto error; 2298 } 2299 2300 defragged = m_defrag(m, M_NOWAIT); 2301 if (defragged != NULL) 2302 m = defragged; 2303 2304 m = m_unshare(m, M_NOWAIT); 2305 if (m == NULL) { 2306 ret = ENOBUFS; 2307 goto error; 2308 } 2309 2310 if ((ret = determine_af_and_pullup(&m, &af)) != 0) 2311 goto error; 2312 if (af != dst->sa_family) { 2313 ret = EAFNOSUPPORT; 2314 goto error; 2315 } 2316 2317 if ((pkt = wg_packet_alloc(m)) == NULL) { 2318 ret = ENOBUFS; 2319 goto error; 2320 } 2321 2322 pkt->p_af = af; 2323 pkt->p_mtu = ifp->if_mtu; 2324 if (rt != NULL && rt->rt_rmx.rmx_mtu > 0 && 2325 rt->rt_rmx.rmx_mtu < pkt->p_mtu) 2326 pkt->p_mtu = rt->rt_rmx.rmx_mtu; 2327 2328 if (af == AF_INET) { 2329 peer = wg_aip_lookup(sc, AF_INET, 2330 &mtod(m, struct ip *)->ip_dst); 2331 } else { 2332 peer = wg_aip_lookup(sc, AF_INET6, 2333 &mtod(m, struct ip6_hdr *)->ip6_dst); 2334 } 2335 if (__predict_false(peer == NULL)) { 2336 ret = ENOKEY; 2337 goto error; 2338 } 2339 if (__predict_false(peer->p_endpoint.e_remote.r_sa.sa_family 2340 == AF_UNSPEC)) { 2341 DPRINTF(sc, "No valid endpoint has been configured or " 2342 "discovered for peer %ld\n", peer->p_id); 2343 ret = EHOSTUNREACH; 2344 goto error; 2345 } 2346 2347 wg_queue_push_staged(&peer->p_stage_queue, pkt); 2348 wg_peer_send_staged(peer); 2349 noise_remote_put(peer->p_remote); 2350 2351 return (0); 2352 2353 error: 2354 IFNET_STAT_INC(ifp, oerrors, 1); 2355 if (ret == ELOOP) { 2356 /* Skip ICMP error for ELOOP to avoid infinite loop. 
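An ICMP error generated here could itself be routed back into this interface and loop in the same way.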
*/ 2357 m_freem(m); /* m cannot be NULL */ 2358 m = NULL; 2359 } 2360 if (m != NULL) { 2361 if (af == AF_INET) 2362 icmp_error(m, ICMP_UNREACH, ICMP_UNREACH_HOST, 0, 0); 2363 #ifdef INET6 2364 else if (af == AF_INET6) 2365 icmp6_error(m, ICMP6_DST_UNREACH, 0, 0); 2366 #endif 2367 else 2368 m_freem(m); 2369 } 2370 if (pkt != NULL) { 2371 pkt->p_mbuf = NULL; /* m already freed above */ 2372 wg_packet_free(pkt); 2373 } 2374 if (peer != NULL) 2375 noise_remote_put(peer->p_remote); 2376 return (ret); 2377 } 2378 2379 /*----------------------------------------------------------------------------*/ 2380 /* Interface Functions */ 2381 2382 static int wg_up(struct wg_softc *); 2383 static void wg_down(struct wg_softc *); 2384 2385 static int 2386 wg_ioctl_get(struct wg_softc *sc, struct wg_data_io *data, bool privileged) 2387 { 2388 struct wg_interface_io *iface_p, iface_o; 2389 struct wg_peer_io *peer_p, peer_o; 2390 struct wg_aip_io *aip_p, aip_o; 2391 struct wg_peer *peer; 2392 struct wg_aip *aip; 2393 size_t size, peer_count, aip_count; 2394 int cpu, ret = 0; 2395 2396 lockmgr(&sc->sc_lock, LK_SHARED); 2397 2398 /* Determine the required data size. */ 2399 size = sizeof(struct wg_interface_io); 2400 size += sizeof(struct wg_peer_io) * sc->sc_peers_num; 2401 TAILQ_FOREACH(peer, &sc->sc_peers, p_entry) 2402 size += sizeof(struct wg_aip_io) * peer->p_aips_num; 2403 2404 /* Return the required size for userland allocation. */ 2405 if (data->wgd_size < size) { 2406 data->wgd_size = size; 2407 lockmgr(&sc->sc_lock, LK_RELEASE); 2408 return (0); 2409 } 2410 2411 iface_p = data->wgd_interface; 2412 bzero(&iface_o, sizeof(iface_o)); 2413 /* 2414 * No need to acquire the 'sc_socket.so_lock', because 'sc_lock' 2415 * is acquired and that's enough to prevent modifications to 2416 * 'sc_socket' members. 
2417 */ 2418 if (sc->sc_socket.so_port != 0) { 2419 iface_o.i_port = sc->sc_socket.so_port; 2420 iface_o.i_flags |= WG_INTERFACE_HAS_PORT; 2421 } 2422 if (sc->sc_socket.so_user_cookie != 0) { 2423 iface_o.i_cookie = sc->sc_socket.so_user_cookie; 2424 iface_o.i_flags |= WG_INTERFACE_HAS_COOKIE; 2425 } 2426 if (noise_local_keys(sc->sc_local, iface_o.i_public, 2427 iface_o.i_private)) { 2428 iface_o.i_flags |= WG_INTERFACE_HAS_PUBLIC; 2429 if (privileged) 2430 iface_o.i_flags |= WG_INTERFACE_HAS_PRIVATE; 2431 else 2432 bzero(iface_o.i_private, sizeof(iface_o.i_private)); 2433 } 2434 2435 peer_count = 0; 2436 peer_p = &iface_p->i_peers[0]; 2437 TAILQ_FOREACH(peer, &sc->sc_peers, p_entry) { 2438 bzero(&peer_o, sizeof(peer_o)); 2439 2440 peer_o.p_flags |= WG_PEER_HAS_PUBLIC; 2441 if (noise_remote_keys(peer->p_remote, peer_o.p_public, 2442 peer_o.p_psk)) { 2443 if (privileged) 2444 peer_o.p_flags |= WG_PEER_HAS_PSK; 2445 else 2446 bzero(peer_o.p_psk, sizeof(peer_o.p_psk)); 2447 } 2448 if (wg_timers_get_persistent_keepalive(peer, &peer_o.p_pka)) 2449 peer_o.p_flags |= WG_PEER_HAS_PKA; 2450 if (wg_peer_get_sockaddr(peer, &peer_o.p_sa) == 0) 2451 peer_o.p_flags |= WG_PEER_HAS_ENDPOINT; 2452 for (cpu = 0; cpu < ncpus; cpu++) { 2453 peer_o.p_rxbytes += peer->p_rx_bytes[cpu]; 2454 peer_o.p_txbytes += peer->p_tx_bytes[cpu]; 2455 } 2456 wg_timers_get_last_handshake(peer, &peer_o.p_last_handshake); 2457 peer_o.p_id = (uint64_t)peer->p_id; 2458 strlcpy(peer_o.p_description, peer->p_description, 2459 sizeof(peer_o.p_description)); 2460 2461 aip_count = 0; 2462 aip_p = &peer_p->p_aips[0]; 2463 LIST_FOREACH(aip, &peer->p_aips, a_entry) { 2464 bzero(&aip_o, sizeof(aip_o)); 2465 aip_o.a_af = aip->a_af; 2466 if (aip->a_af == AF_INET) { 2467 aip_o.a_cidr = bitcount32(aip->a_mask.ip); 2468 memcpy(&aip_o.a_ipv4, &aip->a_addr.in, 2469 sizeof(aip->a_addr.in)); 2470 } else if (aip->a_af == AF_INET6) { 2471 aip_o.a_cidr = in6_mask2len(&aip->a_mask.in6, 2472 NULL); 2473 memcpy(&aip_o.a_ipv6, &aip->a_addr.in6, 2474 sizeof(aip->a_addr.in6)); 2475 } 2476 2477 ret = copyout(&aip_o, aip_p, sizeof(aip_o)); 2478 if (ret != 0) 2479 goto out; 2480 2481 aip_p++; 2482 aip_count++; 2483 } 2484 KKASSERT(aip_count == peer->p_aips_num); 2485 peer_o.p_aips_count = aip_count; 2486 2487 ret = copyout(&peer_o, peer_p, sizeof(peer_o)); 2488 if (ret != 0) 2489 goto out; 2490 2491 peer_p = (struct wg_peer_io *)aip_p; 2492 peer_count++; 2493 } 2494 KKASSERT(peer_count == sc->sc_peers_num); 2495 iface_o.i_peers_count = peer_count; 2496 2497 ret = copyout(&iface_o, iface_p, sizeof(iface_o)); 2498 2499 out: 2500 lockmgr(&sc->sc_lock, LK_RELEASE); 2501 explicit_bzero(&iface_o, sizeof(iface_o)); 2502 explicit_bzero(&peer_o, sizeof(peer_o)); 2503 return (ret); 2504 } 2505 2506 static int 2507 wg_ioctl_set(struct wg_softc *sc, struct wg_data_io *data) 2508 { 2509 struct wg_interface_io *iface_p, iface_o; 2510 struct wg_peer_io *peer_p, peer_o; 2511 struct wg_aip_io *aip_p, aip_o; 2512 struct wg_peer *peer; 2513 struct noise_remote *remote; 2514 uint8_t public[WG_KEY_SIZE], private[WG_KEY_SIZE]; 2515 size_t i, j; 2516 int ret; 2517 2518 remote = NULL; 2519 lockmgr(&sc->sc_lock, LK_EXCLUSIVE); 2520 2521 iface_p = data->wgd_interface; 2522 if ((ret = copyin(iface_p, &iface_o, sizeof(iface_o))) != 0) 2523 goto error; 2524 2525 if (iface_o.i_flags & WG_INTERFACE_REPLACE_PEERS) 2526 wg_peer_destroy_all(sc); 2527 2528 if ((iface_o.i_flags & WG_INTERFACE_HAS_PRIVATE) && 2529 (!noise_local_keys(sc->sc_local, NULL, private) || 2530 timingsafe_bcmp(private, 
iface_o.i_private, WG_KEY_SIZE) != 0)) { 2531 if (curve25519_generate_public(public, iface_o.i_private)) { 2532 remote = noise_remote_lookup(sc->sc_local, public); 2533 if (remote != NULL) { 2534 /* Remove the conflicting peer. */ 2535 peer = noise_remote_arg(remote); 2536 wg_peer_destroy(peer); 2537 noise_remote_put(remote); 2538 } 2539 } 2540 2541 /* 2542 * Set the private key. 2543 * 2544 * Note: we might be removing the private key. 2545 */ 2546 if (noise_local_set_private(sc->sc_local, iface_o.i_private)) 2547 cookie_checker_update(sc->sc_cookie, public); 2548 else 2549 cookie_checker_update(sc->sc_cookie, NULL); 2550 } 2551 2552 if ((iface_o.i_flags & WG_INTERFACE_HAS_PORT) && 2553 iface_o.i_port != sc->sc_socket.so_port) { 2554 if (sc->sc_ifp->if_flags & IFF_RUNNING) { 2555 ret = wg_socket_init(sc, iface_o.i_port); 2556 if (ret != 0) 2557 goto error; 2558 } else { 2559 sc->sc_socket.so_port = iface_o.i_port; 2560 } 2561 } 2562 2563 if (iface_o.i_flags & WG_INTERFACE_HAS_COOKIE) { 2564 ret = wg_socket_set_cookie(sc, iface_o.i_cookie); 2565 if (ret != 0) 2566 goto error; 2567 } 2568 2569 peer_p = &iface_p->i_peers[0]; 2570 for (i = 0; i < iface_o.i_peers_count; i++) { 2571 if ((ret = copyin(peer_p, &peer_o, sizeof(peer_o))) != 0) 2572 goto error; 2573 2574 /* Peer must have public key. */ 2575 if ((peer_o.p_flags & WG_PEER_HAS_PUBLIC) == 0) 2576 goto next_peer; 2577 /* Ignore peer that has the same public key. */ 2578 if (noise_local_keys(sc->sc_local, public, NULL) && 2579 memcmp(public, peer_o.p_public, WG_KEY_SIZE) == 0) 2580 goto next_peer; 2581 2582 /* Lookup peer, or create if it doesn't exist. */ 2583 remote = noise_remote_lookup(sc->sc_local, peer_o.p_public); 2584 if (remote != NULL) { 2585 peer = noise_remote_arg(remote); 2586 } else { 2587 if (peer_o.p_flags & (WG_PEER_REMOVE | WG_PEER_UPDATE)) 2588 goto next_peer; 2589 2590 peer = wg_peer_create(sc, peer_o.p_public); 2591 if (peer == NULL) { 2592 ret = ENOMEM; 2593 goto error; 2594 } 2595 2596 /* No allowed IPs to remove for a new peer. 
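Clear WG_PEER_REPLACE_AIPS so that the wg_aip_remove_all() call below is skipped.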
*/ 2597 peer_o.p_flags &= ~WG_PEER_REPLACE_AIPS; 2598 } 2599 2600 if (peer_o.p_flags & WG_PEER_REMOVE) { 2601 wg_peer_destroy(peer); 2602 goto next_peer; 2603 } 2604 2605 if (peer_o.p_flags & WG_PEER_HAS_ENDPOINT) { 2606 ret = wg_peer_set_sockaddr(peer, &peer_o.p_sa); 2607 if (ret != 0) 2608 goto error; 2609 } 2610 if (peer_o.p_flags & WG_PEER_HAS_PSK) 2611 noise_remote_set_psk(peer->p_remote, peer_o.p_psk); 2612 if (peer_o.p_flags & WG_PEER_HAS_PKA) 2613 wg_timers_set_persistent_keepalive(peer, peer_o.p_pka); 2614 if (peer_o.p_flags & WG_PEER_SET_DESCRIPTION) 2615 strlcpy(peer->p_description, peer_o.p_description, 2616 sizeof(peer->p_description)); 2617 2618 if (peer_o.p_flags & WG_PEER_REPLACE_AIPS) 2619 wg_aip_remove_all(sc, peer); 2620 2621 for (j = 0; j < peer_o.p_aips_count; j++) { 2622 aip_p = &peer_p->p_aips[j]; 2623 if ((ret = copyin(aip_p, &aip_o, sizeof(aip_o))) != 0) 2624 goto error; 2625 ret = wg_aip_add(sc, peer, aip_o.a_af, &aip_o.a_addr, 2626 aip_o.a_cidr); 2627 if (ret != 0) 2628 goto error; 2629 } 2630 2631 if (sc->sc_ifp->if_link_state == LINK_STATE_UP) 2632 wg_peer_send_staged(peer); 2633 2634 next_peer: 2635 if (remote != NULL) { 2636 noise_remote_put(remote); 2637 remote = NULL; 2638 } 2639 aip_p = &peer_p->p_aips[peer_o.p_aips_count]; 2640 peer_p = (struct wg_peer_io *)aip_p; 2641 } 2642 2643 error: 2644 if (remote != NULL) 2645 noise_remote_put(remote); 2646 lockmgr(&sc->sc_lock, LK_RELEASE); 2647 explicit_bzero(&iface_o, sizeof(iface_o)); 2648 explicit_bzero(&peer_o, sizeof(peer_o)); 2649 explicit_bzero(&aip_o, sizeof(aip_o)); 2650 explicit_bzero(public, sizeof(public)); 2651 explicit_bzero(private, sizeof(private)); 2652 return (ret); 2653 } 2654 2655 static int 2656 wg_ioctl(struct ifnet *ifp, u_long cmd, caddr_t data, struct ucred *cred) 2657 { 2658 struct wg_data_io *wgd; 2659 struct wg_softc *sc; 2660 struct ifreq *ifr; 2661 bool privileged; 2662 int ret, mask; 2663 2664 sc = ifp->if_softc; 2665 ifr = (struct ifreq *)data; 2666 ret = 0; 2667 2668 switch (cmd) { 2669 case SIOCSWG: 2670 ret = caps_priv_check(cred, SYSCAP_RESTRICTEDROOT); 2671 if (ret == 0) { 2672 wgd = (struct wg_data_io *)data; 2673 ret = wg_ioctl_set(sc, wgd); 2674 } 2675 break; 2676 case SIOCGWG: 2677 privileged = 2678 (caps_priv_check(cred, SYSCAP_RESTRICTEDROOT) == 0); 2679 wgd = (struct wg_data_io *)data; 2680 ret = wg_ioctl_get(sc, wgd, privileged); 2681 break; 2682 /* Interface IOCTLs */ 2683 case SIOCSIFADDR: 2684 /* 2685 * This differs from *BSD norms, but is more uniform with how 2686 * WireGuard behaves elsewhere. 2687 */ 2688 break; 2689 case SIOCSIFFLAGS: 2690 if (ifp->if_flags & IFF_UP) 2691 ret = wg_up(sc); 2692 else 2693 wg_down(sc); 2694 break; 2695 case SIOCSIFMTU: 2696 if (ifr->ifr_mtu <= 0 || ifr->ifr_mtu > MAX_MTU) 2697 ret = EINVAL; 2698 else 2699 ifp->if_mtu = ifr->ifr_mtu; 2700 break; 2701 case SIOCSIFCAP: 2702 mask = ifp->if_capenable ^ ifr->ifr_reqcap; 2703 if (mask & IFCAP_RXCSUM) 2704 ifp->if_capenable ^= IFCAP_RXCSUM; 2705 break; 2706 case SIOCADDMULTI: 2707 case SIOCDELMULTI: 2708 break; 2709 default: 2710 ret = ENOTTY; 2711 } 2712 2713 return (ret); 2714 } 2715 2716 static int 2717 wg_up(struct wg_softc *sc) 2718 { 2719 struct ifnet *ifp = sc->sc_ifp; 2720 struct wg_peer *peer; 2721 int ret = 0; 2722 2723 lockmgr(&sc->sc_lock, LK_EXCLUSIVE); 2724 2725 /* Silent success if we're already running. 
*/ 2726 if (ifp->if_flags & IFF_RUNNING) 2727 goto out; 2728 ifp->if_flags |= IFF_RUNNING; 2729 2730 ret = wg_socket_init(sc, sc->sc_socket.so_port); 2731 if (ret == 0) { 2732 TAILQ_FOREACH(peer, &sc->sc_peers, p_entry) 2733 wg_timers_enable(peer); 2734 ifp->if_link_state = LINK_STATE_UP; 2735 if_link_state_change(ifp); 2736 } else { 2737 ifp->if_flags &= ~IFF_RUNNING; 2738 DPRINTF(sc, "Unable to initialize sockets: %d\n", ret); 2739 } 2740 2741 out: 2742 lockmgr(&sc->sc_lock, LK_RELEASE); 2743 return (ret); 2744 } 2745 2746 static void 2747 wg_down(struct wg_softc *sc) 2748 { 2749 struct ifnet *ifp = sc->sc_ifp; 2750 struct wg_peer *peer; 2751 int i; 2752 2753 lockmgr(&sc->sc_lock, LK_EXCLUSIVE); 2754 2755 if ((ifp->if_flags & IFF_RUNNING) == 0) { 2756 lockmgr(&sc->sc_lock, LK_RELEASE); 2757 return; 2758 } 2759 ifp->if_flags &= ~IFF_RUNNING; 2760 2761 /* Cancel all tasks. */ 2762 while (taskqueue_cancel(sc->sc_handshake_taskqueue, 2763 &sc->sc_handshake_task, NULL) != 0) { 2764 taskqueue_drain(sc->sc_handshake_taskqueue, 2765 &sc->sc_handshake_task); 2766 } 2767 for (i = 0; i < ncpus; i++) { 2768 while (taskqueue_cancel(wg_taskqueues[i], 2769 &sc->sc_encrypt_tasks[i], NULL) != 0) { 2770 taskqueue_drain(wg_taskqueues[i], 2771 &sc->sc_encrypt_tasks[i]); 2772 } 2773 while (taskqueue_cancel(wg_taskqueues[i], 2774 &sc->sc_decrypt_tasks[i], NULL) != 0) { 2775 taskqueue_drain(wg_taskqueues[i], 2776 &sc->sc_decrypt_tasks[i]); 2777 } 2778 } 2779 2780 TAILQ_FOREACH(peer, &sc->sc_peers, p_entry) { 2781 wg_queue_purge(&peer->p_stage_queue); 2782 wg_timers_disable(peer); 2783 } 2784 2785 wg_queue_purge(&sc->sc_handshake_queue); 2786 2787 TAILQ_FOREACH(peer, &sc->sc_peers, p_entry) { 2788 noise_remote_handshake_clear(peer->p_remote); 2789 noise_remote_keypairs_clear(peer->p_remote); 2790 } 2791 2792 ifp->if_link_state = LINK_STATE_DOWN; 2793 if_link_state_change(ifp); 2794 wg_socket_uninit(sc); 2795 2796 lockmgr(&sc->sc_lock, LK_RELEASE); 2797 } 2798 2799 static int 2800 wg_clone_create(struct if_clone *ifc __unused, int unit, 2801 caddr_t params __unused, caddr_t data __unused) 2802 { 2803 struct wg_softc *sc; 2804 struct ifnet *ifp; 2805 int i; 2806 2807 sc = kmalloc(sizeof(*sc), M_WG, M_WAITOK | M_ZERO); 2808 2809 if (!rn_inithead(&sc->sc_aip4, wg_maskhead, 2810 offsetof(struct aip_addr, in)) || 2811 !rn_inithead(&sc->sc_aip6, wg_maskhead, 2812 offsetof(struct aip_addr, in6))) { 2813 if (sc->sc_aip4 != NULL) 2814 rn_freehead(sc->sc_aip4); 2815 if (sc->sc_aip6 != NULL) 2816 rn_freehead(sc->sc_aip6); 2817 kfree(sc, M_WG); 2818 return (ENOMEM); 2819 } 2820 2821 lockinit(&sc->sc_lock, "wg softc lock", 0, 0); 2822 lockinit(&sc->sc_aip_lock, "wg aip lock", 0, 0); 2823 2824 sc->sc_local = noise_local_alloc(); 2825 sc->sc_cookie = cookie_checker_alloc(); 2826 2827 TAILQ_INIT(&sc->sc_peers); 2828 2829 sc->sc_handshake_taskqueue = wg_taskqueues[karc4random() % ncpus]; 2830 TASK_INIT(&sc->sc_handshake_task, 0, wg_handshake_worker, sc); 2831 wg_queue_init(&sc->sc_handshake_queue, "hsq"); 2832 2833 sc->sc_encrypt_tasks = kmalloc(sizeof(*sc->sc_encrypt_tasks) * ncpus, 2834 M_WG, M_WAITOK | M_ZERO); 2835 sc->sc_decrypt_tasks = kmalloc(sizeof(*sc->sc_decrypt_tasks) * ncpus, 2836 M_WG, M_WAITOK | M_ZERO); 2837 for (i = 0; i < ncpus; i++) { 2838 TASK_INIT(&sc->sc_encrypt_tasks[i], 0, wg_encrypt_worker, sc); 2839 TASK_INIT(&sc->sc_decrypt_tasks[i], 0, wg_decrypt_worker, sc); 2840 } 2841 wg_queue_init(&sc->sc_encrypt_parallel, "encp"); 2842 wg_queue_init(&sc->sc_decrypt_parallel, "decp"); 2843 2844 ifp = sc->sc_ifp = 
if_alloc(IFT_WIREGUARD); 2845 if_initname(ifp, wgname, unit); 2846 ifp->if_softc = sc; 2847 ifp->if_mtu = DEFAULT_MTU; 2848 ifp->if_flags = IFF_NOARP | IFF_MULTICAST; 2849 ifp->if_capabilities = ifp->if_capenable = IFCAP_RXCSUM; 2850 ifp->if_output = wg_output; 2851 ifp->if_ioctl = wg_ioctl; 2852 ifq_set_maxlen(&ifp->if_snd, ifqmaxlen); 2853 ifq_set_ready(&ifp->if_snd); 2854 2855 if_attach(ifp, NULL); 2856 2857 /* DLT_NULL link-layer header: a 4-byte field in host byte order */ 2858 bpfattach(ifp, DLT_NULL, sizeof(uint32_t)); 2859 2860 #ifdef INET6 2861 /* NOTE: ND_IFINFO() is only available after if_attach(). */ 2862 ND_IFINFO(ifp)->flags &= ~ND6_IFF_AUTO_LINKLOCAL; 2863 ND_IFINFO(ifp)->flags |= ND6_IFF_NO_DAD; 2864 #endif 2865 2866 lockmgr(&wg_mtx, LK_EXCLUSIVE); 2867 LIST_INSERT_HEAD(&wg_list, sc, sc_entry); 2868 lockmgr(&wg_mtx, LK_RELEASE); 2869 2870 return (0); 2871 } 2872 2873 static int 2874 wg_clone_destroy(struct ifnet *ifp) 2875 { 2876 struct wg_softc *sc = ifp->if_softc; 2877 2878 wg_down(sc); 2879 2880 lockmgr(&sc->sc_lock, LK_EXCLUSIVE); 2881 2882 kfree(sc->sc_encrypt_tasks, M_WG); 2883 kfree(sc->sc_decrypt_tasks, M_WG); 2884 wg_queue_deinit(&sc->sc_handshake_queue); 2885 wg_queue_deinit(&sc->sc_encrypt_parallel); 2886 wg_queue_deinit(&sc->sc_decrypt_parallel); 2887 2888 wg_peer_destroy_all(sc); 2889 2890 /* 2891 * Detach and free the interface before the sc_aip4 and sc_aip6 radix 2892 * trees, because the purge of interface's IPv6 addresses can cause 2893 * packet transmission and thus wg_aip_lookup() calls. 2894 */ 2895 bpfdetach(ifp); 2896 if_detach(ifp); 2897 if_free(ifp); 2898 2899 /* 2900 * All peers have been removed, so the sc_aip4 and sc_aip6 radix trees 2901 * must be empty now. 2902 */ 2903 rn_freehead(sc->sc_aip4); 2904 rn_freehead(sc->sc_aip6); 2905 lockuninit(&sc->sc_aip_lock); 2906 2907 cookie_checker_free(sc->sc_cookie); 2908 noise_local_free(sc->sc_local); 2909 2910 lockmgr(&wg_mtx, LK_EXCLUSIVE); 2911 LIST_REMOVE(sc, sc_entry); 2912 lockmgr(&wg_mtx, LK_RELEASE); 2913 2914 lockmgr(&sc->sc_lock, LK_RELEASE); 2915 lockuninit(&sc->sc_lock); 2916 kfree(sc, M_WG); 2917 2918 return (0); 2919 } 2920 2921 /*----------------------------------------------------------------------------*/ 2922 /* Module Interface */ 2923 2924 #ifdef WG_SELFTESTS 2925 #include "selftest/allowedips.c" 2926 static bool 2927 wg_run_selftests(void) 2928 { 2929 bool ret = true; 2930 2931 ret &= wg_allowedips_selftest(); 2932 ret &= noise_counter_selftest(); 2933 ret &= cookie_selftest(); 2934 2935 kprintf("%s: %s\n", __func__, ret ? 
"pass" : "FAIL"); 2936 return (ret); 2937 } 2938 #else /* !WG_SELFTESTS */ 2939 static inline bool 2940 wg_run_selftests(void) 2941 { 2942 return (true); 2943 } 2944 #endif /* WG_SELFTESTS */ 2945 2946 static struct if_clone wg_cloner = IF_CLONE_INITIALIZER( 2947 wgname, wg_clone_create, wg_clone_destroy, 0, IF_MAXUNIT); 2948 2949 static int 2950 wg_module_init(void) 2951 { 2952 int i, ret; 2953 2954 lockinit(&wg_mtx, "wg mtx lock", 0, 0); 2955 2956 wg_packet_zone = objcache_create_simple(M_WG_PACKET, 2957 sizeof(struct wg_packet)); 2958 if (wg_packet_zone == NULL) 2959 return (ENOMEM); 2960 2961 wg_taskqueues = kmalloc(sizeof(*wg_taskqueues) * ncpus, M_WG, 2962 M_WAITOK | M_ZERO); 2963 for (i = 0; i < ncpus; i++) { 2964 wg_taskqueues[i] = taskqueue_create("wg_taskq", M_WAITOK, 2965 taskqueue_thread_enqueue, 2966 &wg_taskqueues[i]); 2967 taskqueue_start_threads(&wg_taskqueues[i], 1, 2968 TDPRI_KERN_DAEMON, i, 2969 "wg_taskq_cpu_%d", i); 2970 } 2971 2972 if (!rn_inithead(&wg_maskhead, NULL, 0)) 2973 return (ENOMEM); 2974 2975 ret = cookie_init(); 2976 if (ret != 0) 2977 return (ret); 2978 ret = noise_init(); 2979 if (ret != 0) 2980 return (ret); 2981 2982 ret = if_clone_attach(&wg_cloner); 2983 if (ret != 0) 2984 return (ret); 2985 2986 if (!wg_run_selftests()) 2987 return (ENOTRECOVERABLE); 2988 2989 return (0); 2990 } 2991 2992 static int 2993 wg_module_deinit(void) 2994 { 2995 int i; 2996 2997 lockmgr(&wg_mtx, LK_EXCLUSIVE); 2998 2999 if (!LIST_EMPTY(&wg_list)) { 3000 lockmgr(&wg_mtx, LK_RELEASE); 3001 return (EBUSY); 3002 } 3003 3004 if_clone_detach(&wg_cloner); 3005 3006 noise_deinit(); 3007 cookie_deinit(); 3008 3009 for (i = 0; i < ncpus; i++) 3010 taskqueue_free(wg_taskqueues[i]); 3011 kfree(wg_taskqueues, M_WG); 3012 3013 rn_flush(wg_maskhead, rn_freemask); 3014 rn_freehead(wg_maskhead); 3015 3016 if (wg_packet_zone != NULL) 3017 objcache_destroy(wg_packet_zone); 3018 3019 lockmgr(&wg_mtx, LK_RELEASE); 3020 lockuninit(&wg_mtx); 3021 3022 return (0); 3023 } 3024 3025 static int 3026 wg_module_event_handler(module_t mod __unused, int what, void *arg __unused) 3027 { 3028 switch (what) { 3029 case MOD_LOAD: 3030 return wg_module_init(); 3031 case MOD_UNLOAD: 3032 return wg_module_deinit(); 3033 default: 3034 return (EOPNOTSUPP); 3035 } 3036 } 3037 3038 static moduledata_t wg_moduledata = { 3039 "if_wg", 3040 wg_module_event_handler, 3041 NULL 3042 }; 3043 3044 DECLARE_MODULE(if_wg, wg_moduledata, SI_SUB_PSEUDO, SI_ORDER_ANY); 3045 MODULE_VERSION(if_wg, 1); /* WireGuard version */ 3046 MODULE_DEPEND(if_wg, crypto, 1, 1, 1); 3047