1 /* $NetBSD: if_wg.c,v 1.65 2021/08/17 17:31:13 christos Exp $ */ 2 3 /* 4 * Copyright (C) Ryota Ozaki <ozaki.ryota@gmail.com> 5 * All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 2. Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer in the 14 * documentation and/or other materials provided with the distribution. 15 * 3. Neither the name of the project nor the names of its contributors 16 * may be used to endorse or promote products derived from this software 17 * without specific prior written permission. 18 * 19 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND 20 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 21 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 22 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE 23 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 24 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 25 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 26 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 27 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 28 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 29 * SUCH DAMAGE. 30 */ 31 32 /* 33 * This network interface aims to implement the WireGuard protocol. 34 * The implementation is based on the WireGuard paper as of 35 * 2018-06-30 [1]. The paper is referred to in the source code with the 36 * label [W]. The specification of the Noise protocol framework as of 37 * 2018-07-11 [2] is likewise referred to with the label [N].
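 * Message formats and protocol constants below follow [W] section 5;
 * rekey and expiry timers follow [W] section 6.1.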
38 * 39 * [1] https://www.wireguard.com/papers/wireguard.pdf 40 * [2] http://noiseprotocol.org/noise.pdf 41 */ 42 43 #include <sys/cdefs.h> 44 __KERNEL_RCSID(0, "$NetBSD: if_wg.c,v 1.65 2021/08/17 17:31:13 christos Exp $"); 45 46 #ifdef _KERNEL_OPT 47 #include "opt_altq_enabled.h" 48 #include "opt_inet.h" 49 #endif 50 51 #include <sys/param.h> 52 #include <sys/types.h> 53 54 #include <sys/atomic.h> 55 #include <sys/callout.h> 56 #include <sys/cprng.h> 57 #include <sys/cpu.h> 58 #include <sys/device.h> 59 #include <sys/domain.h> 60 #include <sys/errno.h> 61 #include <sys/intr.h> 62 #include <sys/ioctl.h> 63 #include <sys/kernel.h> 64 #include <sys/kmem.h> 65 #include <sys/mbuf.h> 66 #include <sys/module.h> 67 #include <sys/mutex.h> 68 #include <sys/once.h> 69 #include <sys/percpu.h> 70 #include <sys/pserialize.h> 71 #include <sys/psref.h> 72 #include <sys/queue.h> 73 #include <sys/rwlock.h> 74 #include <sys/socket.h> 75 #include <sys/socketvar.h> 76 #include <sys/sockio.h> 77 #include <sys/sysctl.h> 78 #include <sys/syslog.h> 79 #include <sys/systm.h> 80 #include <sys/thmap.h> 81 #include <sys/threadpool.h> 82 #include <sys/time.h> 83 #include <sys/timespec.h> 84 #include <sys/workqueue.h> 85 86 #include <net/bpf.h> 87 #include <net/if.h> 88 #include <net/if_types.h> 89 #include <net/if_wg.h> 90 #include <net/pktqueue.h> 91 #include <net/route.h> 92 93 #include <netinet/in.h> 94 #include <netinet/in_pcb.h> 95 #include <netinet/in_var.h> 96 #include <netinet/ip.h> 97 #include <netinet/ip_var.h> 98 #include <netinet/udp.h> 99 #include <netinet/udp_var.h> 100 101 #ifdef INET6 102 #include <netinet/ip6.h> 103 #include <netinet6/in6_pcb.h> 104 #include <netinet6/in6_var.h> 105 #include <netinet6/ip6_var.h> 106 #include <netinet6/udp6_var.h> 107 #endif /* INET6 */ 108 109 #include <prop/proplib.h> 110 111 #include <crypto/blake2/blake2s.h> 112 #include <crypto/sodium/crypto_aead_chacha20poly1305.h> 113 #include <crypto/sodium/crypto_aead_xchacha20poly1305.h> 114 #include <crypto/sodium/crypto_scalarmult.h> 115 116 #include "ioconf.h" 117 118 #ifdef WG_RUMPKERNEL 119 #include "wg_user.h" 120 #endif 121 122 /* 123 * Data structures 124 * - struct wg_softc is an instance of a wg interface 125 * - It has a list of peers (struct wg_peer) 126 * - It has a threadpool job that sends/receives handshake messages and 127 * runs event handlers 128 * - It has its own two routing tables: one for IPv4 and the other for IPv6 129 * - struct wg_peer represents a peer 130 * - It has a struct work to handle handshakes and timer tasks 131 * - It has a pair of session instances (struct wg_session) 132 * - It has a pair of endpoint instances (struct wg_sockaddr) 133 * - Normally one endpoint is used; the second one is used only during 134 * a peer migration (a change of the peer's IP address) 135 * - It has a list of IP addresses and subnetworks called allowedips 136 * (struct wg_allowedip) 137 * - A packet sent over a session is allowed if its destination matches 138 * any IP address or subnetwork in the list 139 * - struct wg_session represents a session of a secure tunnel with a peer 140 * - Two instances of sessions belong to a peer; a stable session and an 141 * unstable session 142 * - A handshake process of a session always starts with an unstable instance 143 * - Once a session is established, its instance becomes stable and the 144 * other becomes unstable instead 145 * - Data messages are always sent via a stable session 146 * 147 * Locking notes: 148 * - Each wg has a mutex(9) wg_lock, and a
rwlock(9) wg_rwlock 149 * - Changes to the peer list are serialized by wg_lock 150 * - The peer list may be read with pserialize(9) and psref(9) 151 * - The rwlock (wg_rwlock) protects the routing tables (wg_rtable_ipv[46]) 152 * => XXX replace by pserialize when routing table is psz-safe 153 * - Each peer (struct wg_peer, wgp) has a mutex wgp_lock, which can be taken 154 * only in thread context and serializes: 155 * - the stable and unstable session pointers 156 * - all unstable session state 157 * - Packet processing may be done in softint context: 158 * - The stable session can be read under pserialize(9) or psref(9) 159 * - The stable session is always ESTABLISHED 160 * - On a session swap, we must wait for all readers to release a 161 * reference to a stable session before changing wgs_state and 162 * session states 163 * - Lock order: wg_lock -> wgp_lock 164 */ 165 166 167 #define WGLOG(level, fmt, args...) \ 168 log(level, "%s: " fmt, __func__, ##args) 169 170 /* Debug options */ 171 #ifdef WG_DEBUG 172 /* Output debug logs */ 173 #ifndef WG_DEBUG_LOG 174 #define WG_DEBUG_LOG 175 #endif 176 /* Output trace logs */ 177 #ifndef WG_DEBUG_TRACE 178 #define WG_DEBUG_TRACE 179 #endif 180 /* Output hash values, etc. */ 181 #ifndef WG_DEBUG_DUMP 182 #define WG_DEBUG_DUMP 183 #endif 184 /* Make some internal parameters configurable for testing and debugging */ 185 #ifndef WG_DEBUG_PARAMS 186 #define WG_DEBUG_PARAMS 187 #endif 188 #endif 189 190 #ifdef WG_DEBUG_TRACE 191 #define WG_TRACE(msg) \ 192 log(LOG_DEBUG, "%s:%d: %s\n", __func__, __LINE__, (msg)) 193 #else 194 #define WG_TRACE(msg) __nothing 195 #endif 196 197 #ifdef WG_DEBUG_LOG 198 #define WG_DLOG(fmt, args...) log(LOG_DEBUG, "%s: " fmt, __func__, ##args) 199 #else 200 #define WG_DLOG(fmt, args...) __nothing 201 #endif 202 203 #define WG_LOG_RATECHECK(wgprc, level, fmt, args...) do { \ 204 if (ppsratecheck(&(wgprc)->wgprc_lasttime, \ 205 &(wgprc)->wgprc_curpps, 1)) { \ 206 log(level, fmt, ##args); \ 207 } \ 208 } while (0) 209 210 #ifdef WG_DEBUG_PARAMS 211 static bool wg_force_underload = false; 212 #endif 213 214 #ifdef WG_DEBUG_DUMP 215 216 static char * 217 gethexdump(const char *p, size_t n) 218 { 219 char *buf; 220 size_t i; 221 222 if (n > SIZE_MAX/3 - 1) 223 return NULL; 224 buf = kmem_alloc(3*n + 1, KM_NOSLEEP); 225 if (buf == NULL) 226 return NULL; 227 for (i = 0; i < n; i++) 228 snprintf(buf + 3*i, 3 + 1, " %02hhx", p[i]); 229 return buf; 230 } 231 232 static void 233 puthexdump(char *buf, const void *p, size_t n) 234 { 235 236 if (buf == NULL) 237 return; 238 kmem_free(buf, 3*n + 1); 239 } 240 241 #ifdef WG_RUMPKERNEL 242 static void 243 wg_dump_buf(const char *func, const char *buf, const size_t size) 244 { 245 char *hex = gethexdump(buf, size); 246 247 log(LOG_DEBUG, "%s: %s\n", func, hex ? hex : "(enomem)"); 248 puthexdump(hex, buf, size); 249 } 250 #endif 251 252 static void 253 wg_dump_hash(const uint8_t *func, const uint8_t *name, const uint8_t *hash, 254 const size_t size) 255 { 256 char *hex = gethexdump(hash, size); 257 258 log(LOG_DEBUG, "%s: %s: %s\n", func, name, hex ? 
hex : "(enomem)"); 259 puthexdump(hex, hash, size); 260 } 261 262 #define WG_DUMP_HASH(name, hash) \ 263 wg_dump_hash(__func__, name, hash, WG_HASH_LEN) 264 #define WG_DUMP_HASH48(name, hash) \ 265 wg_dump_hash(__func__, name, hash, 48) 266 #define WG_DUMP_BUF(buf, size) \ 267 wg_dump_buf(__func__, buf, size) 268 #else 269 #define WG_DUMP_HASH(name, hash) __nothing 270 #define WG_DUMP_HASH48(name, hash) __nothing 271 #define WG_DUMP_BUF(buf, size) __nothing 272 #endif /* WG_DEBUG_DUMP */ 273 274 #define WG_MTU 1420 275 #define WG_ALLOWEDIPS 16 276 277 #define CURVE25519_KEY_LEN 32 278 #define TAI64N_LEN sizeof(uint32_t) * 3 279 #define POLY1305_AUTHTAG_LEN 16 280 #define HMAC_BLOCK_LEN 64 281 282 /* [N] 4.1: "DHLEN must be 32 or greater." WireGuard chooses 32. */ 283 /* [N] 4.3: Hash functions */ 284 #define NOISE_DHLEN 32 285 /* [N] 4.3: "Must be 32 or 64." WireGuard chooses 32. */ 286 #define NOISE_HASHLEN 32 287 #define NOISE_BLOCKLEN 64 288 #define NOISE_HKDF_OUTPUT_LEN NOISE_HASHLEN 289 /* [N] 5.1: "k" */ 290 #define NOISE_CIPHER_KEY_LEN 32 291 /* 292 * [N] 9.2: "psk" 293 * "... psk is a 32-byte secret value provided by the application." 294 */ 295 #define NOISE_PRESHARED_KEY_LEN 32 296 297 #define WG_STATIC_KEY_LEN CURVE25519_KEY_LEN 298 #define WG_TIMESTAMP_LEN TAI64N_LEN 299 300 #define WG_PRESHARED_KEY_LEN NOISE_PRESHARED_KEY_LEN 301 302 #define WG_COOKIE_LEN 16 303 #define WG_MAC_LEN 16 304 #define WG_RANDVAL_LEN 24 305 306 #define WG_EPHEMERAL_KEY_LEN CURVE25519_KEY_LEN 307 /* [N] 5.2: "ck: A chaining key of HASHLEN bytes" */ 308 #define WG_CHAINING_KEY_LEN NOISE_HASHLEN 309 /* [N] 5.2: "h: A hash output of HASHLEN bytes" */ 310 #define WG_HASH_LEN NOISE_HASHLEN 311 #define WG_CIPHER_KEY_LEN NOISE_CIPHER_KEY_LEN 312 #define WG_DH_OUTPUT_LEN NOISE_DHLEN 313 #define WG_KDF_OUTPUT_LEN NOISE_HKDF_OUTPUT_LEN 314 #define WG_AUTHTAG_LEN POLY1305_AUTHTAG_LEN 315 #define WG_DATA_KEY_LEN 32 316 #define WG_SALT_LEN 24 317 318 /* 319 * The protocol messages 320 */ 321 struct wg_msg { 322 uint32_t wgm_type; 323 } __packed; 324 325 /* [W] 5.4.2 First Message: Initiator to Responder */ 326 struct wg_msg_init { 327 uint32_t wgmi_type; 328 uint32_t wgmi_sender; 329 uint8_t wgmi_ephemeral[WG_EPHEMERAL_KEY_LEN]; 330 uint8_t wgmi_static[WG_STATIC_KEY_LEN + WG_AUTHTAG_LEN]; 331 uint8_t wgmi_timestamp[WG_TIMESTAMP_LEN + WG_AUTHTAG_LEN]; 332 uint8_t wgmi_mac1[WG_MAC_LEN]; 333 uint8_t wgmi_mac2[WG_MAC_LEN]; 334 } __packed; 335 336 /* [W] 5.4.3 Second Message: Responder to Initiator */ 337 struct wg_msg_resp { 338 uint32_t wgmr_type; 339 uint32_t wgmr_sender; 340 uint32_t wgmr_receiver; 341 uint8_t wgmr_ephemeral[WG_EPHEMERAL_KEY_LEN]; 342 uint8_t wgmr_empty[0 + WG_AUTHTAG_LEN]; 343 uint8_t wgmr_mac1[WG_MAC_LEN]; 344 uint8_t wgmr_mac2[WG_MAC_LEN]; 345 } __packed; 346 347 /* [W] 5.4.6 Subsequent Messages: Transport Data Messages */ 348 struct wg_msg_data { 349 uint32_t wgmd_type; 350 uint32_t wgmd_receiver; 351 uint64_t wgmd_counter; 352 uint32_t wgmd_packet[0]; 353 } __packed; 354 355 /* [W] 5.4.7 Under Load: Cookie Reply Message */ 356 struct wg_msg_cookie { 357 uint32_t wgmc_type; 358 uint32_t wgmc_receiver; 359 uint8_t wgmc_salt[WG_SALT_LEN]; 360 uint8_t wgmc_cookie[WG_COOKIE_LEN + WG_AUTHTAG_LEN]; 361 } __packed; 362 363 #define WG_MSG_TYPE_INIT 1 364 #define WG_MSG_TYPE_RESP 2 365 #define WG_MSG_TYPE_COOKIE 3 366 #define WG_MSG_TYPE_DATA 4 367 #define WG_MSG_TYPE_MAX WG_MSG_TYPE_DATA 368 369 /* Sliding windows */ 370 371 #define SLIWIN_BITS 2048u 372 #define SLIWIN_TYPE uint32_t 373 #define 
SLIWIN_BPW NBBY*sizeof(SLIWIN_TYPE) 374 #define SLIWIN_WORDS howmany(SLIWIN_BITS, SLIWIN_BPW) 375 #define SLIWIN_NPKT (SLIWIN_BITS - NBBY*sizeof(SLIWIN_TYPE)) 376 377 struct sliwin { 378 SLIWIN_TYPE B[SLIWIN_WORDS]; 379 uint64_t T; 380 }; 381 382 static void 383 sliwin_reset(struct sliwin *W) 384 { 385 386 memset(W, 0, sizeof(*W)); 387 } 388 389 static int 390 sliwin_check_fast(const volatile struct sliwin *W, uint64_t S) 391 { 392 393 /* 394 * If it's more than one window older than the highest sequence 395 * number we've seen, reject. 396 */ 397 #ifdef __HAVE_ATOMIC64_LOADSTORE 398 if (S + SLIWIN_NPKT < atomic_load_relaxed(&W->T)) 399 return EAUTH; 400 #endif 401 402 /* 403 * Otherwise, we need to take the lock to decide, so don't 404 * reject just yet. Caller must serialize a call to 405 * sliwin_update in this case. 406 */ 407 return 0; 408 } 409 410 static int 411 sliwin_update(struct sliwin *W, uint64_t S) 412 { 413 unsigned word, bit; 414 415 /* 416 * If it's more than one window older than the highest sequence 417 * number we've seen, reject. 418 */ 419 if (S + SLIWIN_NPKT < W->T) 420 return EAUTH; 421 422 /* 423 * If it's higher than the highest sequence number we've seen, 424 * advance the window. 425 */ 426 if (S > W->T) { 427 uint64_t i = W->T / SLIWIN_BPW; 428 uint64_t j = S / SLIWIN_BPW; 429 unsigned k; 430 431 for (k = 0; k < MIN(j - i, SLIWIN_WORDS); k++) 432 W->B[(i + k + 1) % SLIWIN_WORDS] = 0; 433 #ifdef __HAVE_ATOMIC64_LOADSTORE 434 atomic_store_relaxed(&W->T, S); 435 #else 436 W->T = S; 437 #endif 438 } 439 440 /* Test and set the bit -- if already set, reject. */ 441 word = (S / SLIWIN_BPW) % SLIWIN_WORDS; 442 bit = S % SLIWIN_BPW; 443 if (W->B[word] & (1UL << bit)) 444 return EAUTH; 445 W->B[word] |= 1U << bit; 446 447 /* Accept! 
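 * The sequence number is within the window and its bit was not previously
 * set; it has just been recorded above, so the packet is accepted as fresh.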
*/ 448 return 0; 449 } 450 451 struct wg_session { 452 struct wg_peer *wgs_peer; 453 struct psref_target 454 wgs_psref; 455 456 int wgs_state; 457 #define WGS_STATE_UNKNOWN 0 458 #define WGS_STATE_INIT_ACTIVE 1 459 #define WGS_STATE_INIT_PASSIVE 2 460 #define WGS_STATE_ESTABLISHED 3 461 #define WGS_STATE_DESTROYING 4 462 463 time_t wgs_time_established; 464 time_t wgs_time_last_data_sent; 465 bool wgs_is_initiator; 466 467 uint32_t wgs_local_index; 468 uint32_t wgs_remote_index; 469 #ifdef __HAVE_ATOMIC64_LOADSTORE 470 volatile uint64_t 471 wgs_send_counter; 472 #else 473 kmutex_t wgs_send_counter_lock; 474 uint64_t wgs_send_counter; 475 #endif 476 477 struct { 478 kmutex_t lock; 479 struct sliwin window; 480 } *wgs_recvwin; 481 482 uint8_t wgs_handshake_hash[WG_HASH_LEN]; 483 uint8_t wgs_chaining_key[WG_CHAINING_KEY_LEN]; 484 uint8_t wgs_ephemeral_key_pub[WG_EPHEMERAL_KEY_LEN]; 485 uint8_t wgs_ephemeral_key_priv[WG_EPHEMERAL_KEY_LEN]; 486 uint8_t wgs_ephemeral_key_peer[WG_EPHEMERAL_KEY_LEN]; 487 uint8_t wgs_tkey_send[WG_DATA_KEY_LEN]; 488 uint8_t wgs_tkey_recv[WG_DATA_KEY_LEN]; 489 }; 490 491 struct wg_sockaddr { 492 union { 493 struct sockaddr_storage _ss; 494 struct sockaddr _sa; 495 struct sockaddr_in _sin; 496 struct sockaddr_in6 _sin6; 497 }; 498 struct psref_target wgsa_psref; 499 }; 500 501 #define wgsatoss(wgsa) (&(wgsa)->_ss) 502 #define wgsatosa(wgsa) (&(wgsa)->_sa) 503 #define wgsatosin(wgsa) (&(wgsa)->_sin) 504 #define wgsatosin6(wgsa) (&(wgsa)->_sin6) 505 506 #define wgsa_family(wgsa) (wgsatosa(wgsa)->sa_family) 507 508 struct wg_peer; 509 struct wg_allowedip { 510 struct radix_node wga_nodes[2]; 511 struct wg_sockaddr _wga_sa_addr; 512 struct wg_sockaddr _wga_sa_mask; 513 #define wga_sa_addr _wga_sa_addr._sa 514 #define wga_sa_mask _wga_sa_mask._sa 515 516 int wga_family; 517 uint8_t wga_cidr; 518 union { 519 struct in_addr _ip4; 520 struct in6_addr _ip6; 521 } wga_addr; 522 #define wga_addr4 wga_addr._ip4 523 #define wga_addr6 wga_addr._ip6 524 525 struct wg_peer *wga_peer; 526 }; 527 528 typedef uint8_t wg_timestamp_t[WG_TIMESTAMP_LEN]; 529 530 struct wg_ppsratecheck { 531 struct timeval wgprc_lasttime; 532 int wgprc_curpps; 533 }; 534 535 struct wg_softc; 536 struct wg_peer { 537 struct wg_softc *wgp_sc; 538 char wgp_name[WG_PEER_NAME_MAXLEN + 1]; 539 struct pslist_entry wgp_peerlist_entry; 540 pserialize_t wgp_psz; 541 struct psref_target wgp_psref; 542 kmutex_t *wgp_lock; 543 kmutex_t *wgp_intr_lock; 544 545 uint8_t wgp_pubkey[WG_STATIC_KEY_LEN]; 546 struct wg_sockaddr *wgp_endpoint; 547 struct wg_sockaddr *wgp_endpoint0; 548 volatile unsigned wgp_endpoint_changing; 549 bool wgp_endpoint_available; 550 551 /* The preshared key (optional) */ 552 uint8_t wgp_psk[WG_PRESHARED_KEY_LEN]; 553 554 struct wg_session *wgp_session_stable; 555 struct wg_session *wgp_session_unstable; 556 557 /* first outgoing packet awaiting session initiation */ 558 struct mbuf *wgp_pending; 559 560 /* timestamp in big-endian */ 561 wg_timestamp_t wgp_timestamp_latest_init; 562 563 struct timespec wgp_last_handshake_time; 564 565 callout_t wgp_rekey_timer; 566 callout_t wgp_handshake_timeout_timer; 567 callout_t wgp_session_dtor_timer; 568 569 time_t wgp_handshake_start_time; 570 571 int wgp_n_allowedips; 572 struct wg_allowedip wgp_allowedips[WG_ALLOWEDIPS]; 573 574 time_t wgp_latest_cookie_time; 575 uint8_t wgp_latest_cookie[WG_COOKIE_LEN]; 576 uint8_t wgp_last_sent_mac1[WG_MAC_LEN]; 577 bool wgp_last_sent_mac1_valid; 578 uint8_t wgp_last_sent_cookie[WG_COOKIE_LEN]; 579 bool 
wgp_last_sent_cookie_valid; 580 581 time_t wgp_last_msg_received_time[WG_MSG_TYPE_MAX]; 582 583 time_t wgp_last_genrandval_time; 584 uint32_t wgp_randval; 585 586 struct wg_ppsratecheck wgp_ppsratecheck; 587 588 struct work wgp_work; 589 unsigned int wgp_tasks; 590 #define WGP_TASK_SEND_INIT_MESSAGE __BIT(0) 591 #define WGP_TASK_RETRY_HANDSHAKE __BIT(1) 592 #define WGP_TASK_ESTABLISH_SESSION __BIT(2) 593 #define WGP_TASK_ENDPOINT_CHANGED __BIT(3) 594 #define WGP_TASK_SEND_KEEPALIVE_MESSAGE __BIT(4) 595 #define WGP_TASK_DESTROY_PREV_SESSION __BIT(5) 596 }; 597 598 struct wg_ops; 599 600 struct wg_softc { 601 struct ifnet wg_if; 602 LIST_ENTRY(wg_softc) wg_list; 603 kmutex_t *wg_lock; 604 kmutex_t *wg_intr_lock; 605 krwlock_t *wg_rwlock; 606 607 uint8_t wg_privkey[WG_STATIC_KEY_LEN]; 608 uint8_t wg_pubkey[WG_STATIC_KEY_LEN]; 609 610 int wg_npeers; 611 struct pslist_head wg_peers; 612 struct thmap *wg_peers_bypubkey; 613 struct thmap *wg_peers_byname; 614 struct thmap *wg_sessions_byindex; 615 uint16_t wg_listen_port; 616 617 struct threadpool *wg_threadpool; 618 619 struct threadpool_job wg_job; 620 int wg_upcalls; 621 #define WG_UPCALL_INET __BIT(0) 622 #define WG_UPCALL_INET6 __BIT(1) 623 624 #ifdef INET 625 struct socket *wg_so4; 626 struct radix_node_head *wg_rtable_ipv4; 627 #endif 628 #ifdef INET6 629 struct socket *wg_so6; 630 struct radix_node_head *wg_rtable_ipv6; 631 #endif 632 633 struct wg_ppsratecheck wg_ppsratecheck; 634 635 struct wg_ops *wg_ops; 636 637 #ifdef WG_RUMPKERNEL 638 struct wg_user *wg_user; 639 #endif 640 }; 641 642 /* [W] 6.1 Preliminaries */ 643 #define WG_REKEY_AFTER_MESSAGES (1ULL << 60) 644 #define WG_REJECT_AFTER_MESSAGES (UINT64_MAX - (1 << 13)) 645 #define WG_REKEY_AFTER_TIME 120 646 #define WG_REJECT_AFTER_TIME 180 647 #define WG_REKEY_ATTEMPT_TIME 90 648 #define WG_REKEY_TIMEOUT 5 649 #define WG_KEEPALIVE_TIMEOUT 10 650 651 #define WG_COOKIE_TIME 120 652 #define WG_RANDVAL_TIME (2 * 60) 653 654 static uint64_t wg_rekey_after_messages = WG_REKEY_AFTER_MESSAGES; 655 static uint64_t wg_reject_after_messages = WG_REJECT_AFTER_MESSAGES; 656 static unsigned wg_rekey_after_time = WG_REKEY_AFTER_TIME; 657 static unsigned wg_reject_after_time = WG_REJECT_AFTER_TIME; 658 static unsigned wg_rekey_attempt_time = WG_REKEY_ATTEMPT_TIME; 659 static unsigned wg_rekey_timeout = WG_REKEY_TIMEOUT; 660 static unsigned wg_keepalive_timeout = WG_KEEPALIVE_TIMEOUT; 661 662 static struct mbuf * 663 wg_get_mbuf(size_t, size_t); 664 665 static int wg_send_data_msg(struct wg_peer *, struct wg_session *, 666 struct mbuf *); 667 static int wg_send_cookie_msg(struct wg_softc *, struct wg_peer *, 668 const uint32_t, const uint8_t [], const struct sockaddr *); 669 static int wg_send_handshake_msg_resp(struct wg_softc *, struct wg_peer *, 670 struct wg_session *, const struct wg_msg_init *); 671 static void wg_send_keepalive_msg(struct wg_peer *, struct wg_session *); 672 673 static struct wg_peer * 674 wg_pick_peer_by_sa(struct wg_softc *, const struct sockaddr *, 675 struct psref *); 676 static struct wg_peer * 677 wg_lookup_peer_by_pubkey(struct wg_softc *, 678 const uint8_t [], struct psref *); 679 680 static struct wg_session * 681 wg_lookup_session_by_index(struct wg_softc *, 682 const uint32_t, struct psref *); 683 684 static void wg_update_endpoint_if_necessary(struct wg_peer *, 685 const struct sockaddr *); 686 687 static void wg_schedule_rekey_timer(struct wg_peer *); 688 static void wg_schedule_session_dtor_timer(struct wg_peer *); 689 690 static bool wg_is_underload(struct 
wg_softc *, struct wg_peer *, int); 691 static void wg_calculate_keys(struct wg_session *, const bool); 692 693 static void wg_clear_states(struct wg_session *); 694 695 static void wg_get_peer(struct wg_peer *, struct psref *); 696 static void wg_put_peer(struct wg_peer *, struct psref *); 697 698 static int wg_send_so(struct wg_peer *, struct mbuf *); 699 static int wg_send_udp(struct wg_peer *, struct mbuf *); 700 static int wg_output(struct ifnet *, struct mbuf *, 701 const struct sockaddr *, const struct rtentry *); 702 static void wg_input(struct ifnet *, struct mbuf *, const int); 703 static int wg_ioctl(struct ifnet *, u_long, void *); 704 static int wg_bind_port(struct wg_softc *, const uint16_t); 705 static int wg_init(struct ifnet *); 706 #ifdef ALTQ 707 static void wg_start(struct ifnet *); 708 #endif 709 static void wg_stop(struct ifnet *, int); 710 711 static void wg_peer_work(struct work *, void *); 712 static void wg_job(struct threadpool_job *); 713 static void wgintr(void *); 714 static void wg_purge_pending_packets(struct wg_peer *); 715 716 static int wg_clone_create(struct if_clone *, int); 717 static int wg_clone_destroy(struct ifnet *); 718 719 struct wg_ops { 720 int (*send_hs_msg)(struct wg_peer *, struct mbuf *); 721 int (*send_data_msg)(struct wg_peer *, struct mbuf *); 722 void (*input)(struct ifnet *, struct mbuf *, const int); 723 int (*bind_port)(struct wg_softc *, const uint16_t); 724 }; 725 726 struct wg_ops wg_ops_rumpkernel = { 727 .send_hs_msg = wg_send_so, 728 .send_data_msg = wg_send_udp, 729 .input = wg_input, 730 .bind_port = wg_bind_port, 731 }; 732 733 #ifdef WG_RUMPKERNEL 734 static bool wg_user_mode(struct wg_softc *); 735 static int wg_ioctl_linkstr(struct wg_softc *, struct ifdrv *); 736 737 static int wg_send_user(struct wg_peer *, struct mbuf *); 738 static void wg_input_user(struct ifnet *, struct mbuf *, const int); 739 static int wg_bind_port_user(struct wg_softc *, const uint16_t); 740 741 struct wg_ops wg_ops_rumpuser = { 742 .send_hs_msg = wg_send_user, 743 .send_data_msg = wg_send_user, 744 .input = wg_input_user, 745 .bind_port = wg_bind_port_user, 746 }; 747 #endif 748 749 #define WG_PEER_READER_FOREACH(wgp, wg) \ 750 PSLIST_READER_FOREACH((wgp), &(wg)->wg_peers, struct wg_peer, \ 751 wgp_peerlist_entry) 752 #define WG_PEER_WRITER_FOREACH(wgp, wg) \ 753 PSLIST_WRITER_FOREACH((wgp), &(wg)->wg_peers, struct wg_peer, \ 754 wgp_peerlist_entry) 755 #define WG_PEER_WRITER_INSERT_HEAD(wgp, wg) \ 756 PSLIST_WRITER_INSERT_HEAD(&(wg)->wg_peers, (wgp), wgp_peerlist_entry) 757 #define WG_PEER_WRITER_REMOVE(wgp) \ 758 PSLIST_WRITER_REMOVE((wgp), wgp_peerlist_entry) 759 760 struct wg_route { 761 struct radix_node wgr_nodes[2]; 762 struct wg_peer *wgr_peer; 763 }; 764 765 static struct radix_node_head * 766 wg_rnh(struct wg_softc *wg, const int family) 767 { 768 769 switch (family) { 770 case AF_INET: 771 return wg->wg_rtable_ipv4; 772 #ifdef INET6 773 case AF_INET6: 774 return wg->wg_rtable_ipv6; 775 #endif 776 default: 777 return NULL; 778 } 779 } 780 781 782 /* 783 * Global variables 784 */ 785 static volatile unsigned wg_count __cacheline_aligned; 786 787 struct psref_class *wg_psref_class __read_mostly; 788 789 static struct if_clone wg_cloner = 790 IF_CLONE_INITIALIZER("wg", wg_clone_create, wg_clone_destroy); 791 792 static struct pktqueue *wg_pktq __read_mostly; 793 static struct workqueue *wg_wq __read_mostly; 794 795 void wgattach(int); 796 /* ARGSUSED */ 797 void 798 wgattach(int count) 799 { 800 /* 801 * Nothing to do here, 
initialization is handled by the 802 * module initialization code in wginit() below). 803 */ 804 } 805 806 static void 807 wginit(void) 808 { 809 810 wg_psref_class = psref_class_create("wg", IPL_SOFTNET); 811 812 if_clone_attach(&wg_cloner); 813 } 814 815 /* 816 * XXX Kludge: This should just happen in wginit, but workqueue_create 817 * cannot be run until after CPUs have been detected, and wginit runs 818 * before configure. 819 */ 820 static int 821 wginitqueues(void) 822 { 823 int error __diagused; 824 825 wg_pktq = pktq_create(IFQ_MAXLEN, wgintr, NULL); 826 KASSERT(wg_pktq != NULL); 827 828 error = workqueue_create(&wg_wq, "wgpeer", wg_peer_work, NULL, 829 PRI_NONE, IPL_SOFTNET, WQ_MPSAFE|WQ_PERCPU); 830 KASSERT(error == 0); 831 832 return 0; 833 } 834 835 static void 836 wg_guarantee_initialized(void) 837 { 838 static ONCE_DECL(init); 839 int error __diagused; 840 841 error = RUN_ONCE(&init, wginitqueues); 842 KASSERT(error == 0); 843 } 844 845 static int 846 wg_count_inc(void) 847 { 848 unsigned o, n; 849 850 do { 851 o = atomic_load_relaxed(&wg_count); 852 if (o == UINT_MAX) 853 return ENFILE; 854 n = o + 1; 855 } while (atomic_cas_uint(&wg_count, o, n) != o); 856 857 return 0; 858 } 859 860 static void 861 wg_count_dec(void) 862 { 863 unsigned c __diagused; 864 865 c = atomic_dec_uint_nv(&wg_count); 866 KASSERT(c != UINT_MAX); 867 } 868 869 static int 870 wgdetach(void) 871 { 872 873 /* Prevent new interface creation. */ 874 if_clone_detach(&wg_cloner); 875 876 /* Check whether there are any existing interfaces. */ 877 if (atomic_load_relaxed(&wg_count)) { 878 /* Back out -- reattach the cloner. */ 879 if_clone_attach(&wg_cloner); 880 return EBUSY; 881 } 882 883 /* No interfaces left. Nuke it. */ 884 workqueue_destroy(wg_wq); 885 pktq_destroy(wg_pktq); 886 psref_class_destroy(wg_psref_class); 887 888 return 0; 889 } 890 891 static void 892 wg_init_key_and_hash(uint8_t ckey[WG_CHAINING_KEY_LEN], 893 uint8_t hash[WG_HASH_LEN]) 894 { 895 /* [W] 5.4: CONSTRUCTION */ 896 const char *signature = "Noise_IKpsk2_25519_ChaChaPoly_BLAKE2s"; 897 /* [W] 5.4: IDENTIFIER */ 898 const char *id = "WireGuard v1 zx2c4 Jason@zx2c4.com"; 899 struct blake2s state; 900 901 blake2s(ckey, WG_CHAINING_KEY_LEN, NULL, 0, 902 signature, strlen(signature)); 903 904 CTASSERT(WG_HASH_LEN == WG_CHAINING_KEY_LEN); 905 memcpy(hash, ckey, WG_CHAINING_KEY_LEN); 906 907 blake2s_init(&state, WG_HASH_LEN, NULL, 0); 908 blake2s_update(&state, ckey, WG_CHAINING_KEY_LEN); 909 blake2s_update(&state, id, strlen(id)); 910 blake2s_final(&state, hash); 911 912 WG_DUMP_HASH("ckey", ckey); 913 WG_DUMP_HASH("hash", hash); 914 } 915 916 static void 917 wg_algo_hash(uint8_t hash[WG_HASH_LEN], const uint8_t input[], 918 const size_t inputsize) 919 { 920 struct blake2s state; 921 922 blake2s_init(&state, WG_HASH_LEN, NULL, 0); 923 blake2s_update(&state, hash, WG_HASH_LEN); 924 blake2s_update(&state, input, inputsize); 925 blake2s_final(&state, hash); 926 } 927 928 static void 929 wg_algo_mac(uint8_t out[], const size_t outsize, 930 const uint8_t key[], const size_t keylen, 931 const uint8_t input1[], const size_t input1len, 932 const uint8_t input2[], const size_t input2len) 933 { 934 struct blake2s state; 935 936 blake2s_init(&state, outsize, key, keylen); 937 938 blake2s_update(&state, input1, input1len); 939 if (input2 != NULL) 940 blake2s_update(&state, input2, input2len); 941 blake2s_final(&state, out); 942 } 943 944 static void 945 wg_algo_mac_mac1(uint8_t out[], const size_t outsize, 946 const uint8_t input1[], const size_t 
input1len, 947 const uint8_t input2[], const size_t input2len) 948 { 949 struct blake2s state; 950 /* [W] 5.4: LABEL-MAC1 */ 951 const char *label = "mac1----"; 952 uint8_t key[WG_HASH_LEN]; 953 954 blake2s_init(&state, sizeof(key), NULL, 0); 955 blake2s_update(&state, label, strlen(label)); 956 blake2s_update(&state, input1, input1len); 957 blake2s_final(&state, key); 958 959 blake2s_init(&state, outsize, key, sizeof(key)); 960 if (input2 != NULL) 961 blake2s_update(&state, input2, input2len); 962 blake2s_final(&state, out); 963 } 964 965 static void 966 wg_algo_mac_cookie(uint8_t out[], const size_t outsize, 967 const uint8_t input1[], const size_t input1len) 968 { 969 struct blake2s state; 970 /* [W] 5.4: LABEL-COOKIE */ 971 const char *label = "cookie--"; 972 973 blake2s_init(&state, outsize, NULL, 0); 974 blake2s_update(&state, label, strlen(label)); 975 blake2s_update(&state, input1, input1len); 976 blake2s_final(&state, out); 977 } 978 979 static void 980 wg_algo_generate_keypair(uint8_t pubkey[WG_EPHEMERAL_KEY_LEN], 981 uint8_t privkey[WG_EPHEMERAL_KEY_LEN]) 982 { 983 984 CTASSERT(WG_EPHEMERAL_KEY_LEN == crypto_scalarmult_curve25519_BYTES); 985 986 cprng_strong(kern_cprng, privkey, WG_EPHEMERAL_KEY_LEN, 0); 987 crypto_scalarmult_base(pubkey, privkey); 988 } 989 990 static void 991 wg_algo_dh(uint8_t out[WG_DH_OUTPUT_LEN], 992 const uint8_t privkey[WG_STATIC_KEY_LEN], 993 const uint8_t pubkey[WG_STATIC_KEY_LEN]) 994 { 995 996 CTASSERT(WG_STATIC_KEY_LEN == crypto_scalarmult_curve25519_BYTES); 997 998 int ret __diagused = crypto_scalarmult(out, privkey, pubkey); 999 KASSERT(ret == 0); 1000 } 1001 1002 static void 1003 wg_algo_hmac(uint8_t out[], const size_t outlen, 1004 const uint8_t key[], const size_t keylen, 1005 const uint8_t in[], const size_t inlen) 1006 { 1007 #define IPAD 0x36 1008 #define OPAD 0x5c 1009 uint8_t hmackey[HMAC_BLOCK_LEN] = {0}; 1010 uint8_t ipad[HMAC_BLOCK_LEN]; 1011 uint8_t opad[HMAC_BLOCK_LEN]; 1012 size_t i; 1013 struct blake2s state; 1014 1015 KASSERT(outlen == WG_HASH_LEN); 1016 KASSERT(keylen <= HMAC_BLOCK_LEN); 1017 1018 memcpy(hmackey, key, keylen); 1019 1020 for (i = 0; i < sizeof(hmackey); i++) { 1021 ipad[i] = hmackey[i] ^ IPAD; 1022 opad[i] = hmackey[i] ^ OPAD; 1023 } 1024 1025 blake2s_init(&state, WG_HASH_LEN, NULL, 0); 1026 blake2s_update(&state, ipad, sizeof(ipad)); 1027 blake2s_update(&state, in, inlen); 1028 blake2s_final(&state, out); 1029 1030 blake2s_init(&state, WG_HASH_LEN, NULL, 0); 1031 blake2s_update(&state, opad, sizeof(opad)); 1032 blake2s_update(&state, out, WG_HASH_LEN); 1033 blake2s_final(&state, out); 1034 #undef IPAD 1035 #undef OPAD 1036 } 1037 1038 static void 1039 wg_algo_kdf(uint8_t out1[WG_KDF_OUTPUT_LEN], uint8_t out2[WG_KDF_OUTPUT_LEN], 1040 uint8_t out3[WG_KDF_OUTPUT_LEN], const uint8_t ckey[WG_CHAINING_KEY_LEN], 1041 const uint8_t input[], const size_t inputlen) 1042 { 1043 uint8_t tmp1[WG_KDF_OUTPUT_LEN], tmp2[WG_KDF_OUTPUT_LEN + 1]; 1044 uint8_t one[1]; 1045 1046 /* 1047 * [N] 4.3: "an input_key_material byte sequence with length 1048 * either zero bytes, 32 bytes, or DHLEN bytes." 
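 * The expansion below is HKDF instantiated with HMAC-BLAKE2s per [N] 4.3:
 * tmp1 = HMAC(ckey, input); out1 = HMAC(tmp1, 0x1);
 * out2 = HMAC(tmp1, out1 || 0x2); out3 = HMAC(tmp1, out2 || 0x3).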
1049 */ 1050 KASSERT(inputlen == 0 || inputlen == 32 || inputlen == NOISE_DHLEN); 1051 1052 WG_DUMP_HASH("ckey", ckey); 1053 if (input != NULL) 1054 WG_DUMP_HASH("input", input); 1055 wg_algo_hmac(tmp1, sizeof(tmp1), ckey, WG_CHAINING_KEY_LEN, 1056 input, inputlen); 1057 WG_DUMP_HASH("tmp1", tmp1); 1058 one[0] = 1; 1059 wg_algo_hmac(out1, WG_KDF_OUTPUT_LEN, tmp1, sizeof(tmp1), 1060 one, sizeof(one)); 1061 WG_DUMP_HASH("out1", out1); 1062 if (out2 == NULL) 1063 return; 1064 memcpy(tmp2, out1, WG_KDF_OUTPUT_LEN); 1065 tmp2[WG_KDF_OUTPUT_LEN] = 2; 1066 wg_algo_hmac(out2, WG_KDF_OUTPUT_LEN, tmp1, sizeof(tmp1), 1067 tmp2, sizeof(tmp2)); 1068 WG_DUMP_HASH("out2", out2); 1069 if (out3 == NULL) 1070 return; 1071 memcpy(tmp2, out2, WG_KDF_OUTPUT_LEN); 1072 tmp2[WG_KDF_OUTPUT_LEN] = 3; 1073 wg_algo_hmac(out3, WG_KDF_OUTPUT_LEN, tmp1, sizeof(tmp1), 1074 tmp2, sizeof(tmp2)); 1075 WG_DUMP_HASH("out3", out3); 1076 } 1077 1078 static void __noinline 1079 wg_algo_dh_kdf(uint8_t ckey[WG_CHAINING_KEY_LEN], 1080 uint8_t cipher_key[WG_CIPHER_KEY_LEN], 1081 const uint8_t local_key[WG_STATIC_KEY_LEN], 1082 const uint8_t remote_key[WG_STATIC_KEY_LEN]) 1083 { 1084 uint8_t dhout[WG_DH_OUTPUT_LEN]; 1085 1086 wg_algo_dh(dhout, local_key, remote_key); 1087 wg_algo_kdf(ckey, cipher_key, NULL, ckey, dhout, sizeof(dhout)); 1088 1089 WG_DUMP_HASH("dhout", dhout); 1090 WG_DUMP_HASH("ckey", ckey); 1091 if (cipher_key != NULL) 1092 WG_DUMP_HASH("cipher_key", cipher_key); 1093 } 1094 1095 static void 1096 wg_algo_aead_enc(uint8_t out[], size_t expected_outsize, const uint8_t key[], 1097 const uint64_t counter, const uint8_t plain[], const size_t plainsize, 1098 const uint8_t auth[], size_t authlen) 1099 { 1100 uint8_t nonce[(32 + 64) / 8] = {0}; 1101 long long unsigned int outsize; 1102 int error __diagused; 1103 1104 le64enc(&nonce[4], counter); 1105 1106 error = crypto_aead_chacha20poly1305_ietf_encrypt(out, &outsize, plain, 1107 plainsize, auth, authlen, NULL, nonce, key); 1108 KASSERT(error == 0); 1109 KASSERT(outsize == expected_outsize); 1110 } 1111 1112 static int 1113 wg_algo_aead_dec(uint8_t out[], size_t expected_outsize, const uint8_t key[], 1114 const uint64_t counter, const uint8_t encrypted[], 1115 const size_t encryptedsize, const uint8_t auth[], size_t authlen) 1116 { 1117 uint8_t nonce[(32 + 64) / 8] = {0}; 1118 long long unsigned int outsize; 1119 int error; 1120 1121 le64enc(&nonce[4], counter); 1122 1123 error = crypto_aead_chacha20poly1305_ietf_decrypt(out, &outsize, NULL, 1124 encrypted, encryptedsize, auth, authlen, nonce, key); 1125 if (error == 0) 1126 KASSERT(outsize == expected_outsize); 1127 return error; 1128 } 1129 1130 static void 1131 wg_algo_xaead_enc(uint8_t out[], const size_t expected_outsize, 1132 const uint8_t key[], const uint8_t plain[], const size_t plainsize, 1133 const uint8_t auth[], size_t authlen, 1134 const uint8_t nonce[WG_SALT_LEN]) 1135 { 1136 long long unsigned int outsize; 1137 int error __diagused; 1138 1139 CTASSERT(WG_SALT_LEN == crypto_aead_xchacha20poly1305_ietf_NPUBBYTES); 1140 error = crypto_aead_xchacha20poly1305_ietf_encrypt(out, &outsize, 1141 plain, plainsize, auth, authlen, NULL, nonce, key); 1142 KASSERT(error == 0); 1143 KASSERT(outsize == expected_outsize); 1144 } 1145 1146 static int 1147 wg_algo_xaead_dec(uint8_t out[], const size_t expected_outsize, 1148 const uint8_t key[], const uint8_t encrypted[], const size_t encryptedsize, 1149 const uint8_t auth[], size_t authlen, 1150 const uint8_t nonce[WG_SALT_LEN]) 1151 { 1152 long long unsigned int outsize; 
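	/*
	 * XChaCha20-Poly1305 takes the 24-byte nonce (WG_SALT_LEN) as is;
	 * unlike wg_algo_aead_dec there is no counter to encode into it.
	 */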
1153 int error; 1154 1155 error = crypto_aead_xchacha20poly1305_ietf_decrypt(out, &outsize, NULL, 1156 encrypted, encryptedsize, auth, authlen, nonce, key); 1157 if (error == 0) 1158 KASSERT(outsize == expected_outsize); 1159 return error; 1160 } 1161 1162 static void 1163 wg_algo_tai64n(wg_timestamp_t timestamp) 1164 { 1165 struct timespec ts; 1166 1167 /* FIXME strict TAI64N (https://cr.yp.to/libtai/tai64.html) */ 1168 getnanotime(&ts); 1169 /* TAI64 label in external TAI64 format */ 1170 be32enc(timestamp, 0x40000000U + (uint32_t)(ts.tv_sec >> 32)); 1171 /* second beginning from 1970 TAI */ 1172 be32enc(timestamp + 4, (uint32_t)(ts.tv_sec & 0xffffffffU)); 1173 /* nanosecond in big-endian format */ 1174 be32enc(timestamp + 8, (uint32_t)ts.tv_nsec); 1175 } 1176 1177 /* 1178 * wg_get_stable_session(wgp, psref) 1179 * 1180 * Get a passive reference to the current stable session, or 1181 * return NULL if there is no current stable session. 1182 * 1183 * The pointer is always there but the session is not necessarily 1184 * ESTABLISHED; if it is not ESTABLISHED, return NULL. However, 1185 * the session may transition from ESTABLISHED to DESTROYING while 1186 * holding the passive reference. 1187 */ 1188 static struct wg_session * 1189 wg_get_stable_session(struct wg_peer *wgp, struct psref *psref) 1190 { 1191 int s; 1192 struct wg_session *wgs; 1193 1194 s = pserialize_read_enter(); 1195 wgs = atomic_load_consume(&wgp->wgp_session_stable); 1196 if (__predict_false(wgs->wgs_state != WGS_STATE_ESTABLISHED)) 1197 wgs = NULL; 1198 else 1199 psref_acquire(psref, &wgs->wgs_psref, wg_psref_class); 1200 pserialize_read_exit(s); 1201 1202 return wgs; 1203 } 1204 1205 static void 1206 wg_put_session(struct wg_session *wgs, struct psref *psref) 1207 { 1208 1209 psref_release(psref, &wgs->wgs_psref, wg_psref_class); 1210 } 1211 1212 static void 1213 wg_destroy_session(struct wg_softc *wg, struct wg_session *wgs) 1214 { 1215 struct wg_peer *wgp = wgs->wgs_peer; 1216 struct wg_session *wgs0 __diagused; 1217 void *garbage; 1218 1219 KASSERT(mutex_owned(wgp->wgp_lock)); 1220 KASSERT(wgs->wgs_state != WGS_STATE_UNKNOWN); 1221 1222 /* Remove the session from the table. */ 1223 wgs0 = thmap_del(wg->wg_sessions_byindex, 1224 &wgs->wgs_local_index, sizeof(wgs->wgs_local_index)); 1225 KASSERT(wgs0 == wgs); 1226 garbage = thmap_stage_gc(wg->wg_sessions_byindex); 1227 1228 /* Wait for passive references to drain. */ 1229 pserialize_perform(wgp->wgp_psz); 1230 psref_target_destroy(&wgs->wgs_psref, wg_psref_class); 1231 1232 /* Free memory, zero state, and transition to UNKNOWN. */ 1233 thmap_gc(wg->wg_sessions_byindex, garbage); 1234 wg_clear_states(wgs); 1235 wgs->wgs_state = WGS_STATE_UNKNOWN; 1236 } 1237 1238 /* 1239 * wg_get_session_index(wg, wgs) 1240 * 1241 * Choose a session index for wgs->wgs_local_index, and store it 1242 * in wg's table of sessions by index. 1243 * 1244 * wgs must be the unstable session of its peer, and must be 1245 * transitioning out of the UNKNOWN state. 1246 */ 1247 static void 1248 wg_get_session_index(struct wg_softc *wg, struct wg_session *wgs) 1249 { 1250 struct wg_peer *wgp __diagused = wgs->wgs_peer; 1251 struct wg_session *wgs0; 1252 uint32_t index; 1253 1254 KASSERT(mutex_owned(wgp->wgp_lock)); 1255 KASSERT(wgs == wgp->wgp_session_unstable); 1256 KASSERT(wgs->wgs_state == WGS_STATE_UNKNOWN); 1257 1258 do { 1259 /* Pick a uniform random index. */ 1260 index = cprng_strong32(); 1261 1262 /* Try to take it. 
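 * thmap_put returns the already existing value if the key is present,
 * so if another session has claimed this index we go around the loop
 * and pick a new one.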
*/ 1263 wgs->wgs_local_index = index; 1264 wgs0 = thmap_put(wg->wg_sessions_byindex, 1265 &wgs->wgs_local_index, sizeof wgs->wgs_local_index, wgs); 1266 1267 /* If someone else beat us, start over. */ 1268 } while (__predict_false(wgs0 != wgs)); 1269 } 1270 1271 /* 1272 * wg_put_session_index(wg, wgs) 1273 * 1274 * Remove wgs from the table of sessions by index, wait for any 1275 * passive references to drain, and transition the session to the 1276 * UNKNOWN state. 1277 * 1278 * wgs must be the unstable session of its peer, and must not be 1279 * UNKNOWN or ESTABLISHED. 1280 */ 1281 static void 1282 wg_put_session_index(struct wg_softc *wg, struct wg_session *wgs) 1283 { 1284 struct wg_peer *wgp __diagused = wgs->wgs_peer; 1285 1286 KASSERT(mutex_owned(wgp->wgp_lock)); 1287 KASSERT(wgs == wgp->wgp_session_unstable); 1288 KASSERT(wgs->wgs_state != WGS_STATE_UNKNOWN); 1289 KASSERT(wgs->wgs_state != WGS_STATE_ESTABLISHED); 1290 1291 wg_destroy_session(wg, wgs); 1292 psref_target_init(&wgs->wgs_psref, wg_psref_class); 1293 } 1294 1295 /* 1296 * Handshake patterns 1297 * 1298 * [W] 5: "These messages use the "IK" pattern from Noise" 1299 * [N] 7.5. Interactive handshake patterns (fundamental) 1300 * "The first character refers to the initiator’s static key:" 1301 * "I = Static key for initiator Immediately transmitted to responder, 1302 * despite reduced or absent identity hiding" 1303 * "The second character refers to the responder’s static key:" 1304 * "K = Static key for responder Known to initiator" 1305 * "IK: 1306 * <- s 1307 * ... 1308 * -> e, es, s, ss 1309 * <- e, ee, se" 1310 * [N] 9.4. Pattern modifiers 1311 * "IKpsk2: 1312 * <- s 1313 * ... 1314 * -> e, es, s, ss 1315 * <- e, ee, se, psk" 1316 */ 1317 static void 1318 wg_fill_msg_init(struct wg_softc *wg, struct wg_peer *wgp, 1319 struct wg_session *wgs, struct wg_msg_init *wgmi) 1320 { 1321 uint8_t ckey[WG_CHAINING_KEY_LEN]; /* [W] 5.4.2: Ci */ 1322 uint8_t hash[WG_HASH_LEN]; /* [W] 5.4.2: Hi */ 1323 uint8_t cipher_key[WG_CIPHER_KEY_LEN]; 1324 uint8_t pubkey[WG_EPHEMERAL_KEY_LEN]; 1325 uint8_t privkey[WG_EPHEMERAL_KEY_LEN]; 1326 1327 KASSERT(mutex_owned(wgp->wgp_lock)); 1328 KASSERT(wgs == wgp->wgp_session_unstable); 1329 KASSERT(wgs->wgs_state == WGS_STATE_INIT_ACTIVE); 1330 1331 wgmi->wgmi_type = htole32(WG_MSG_TYPE_INIT); 1332 wgmi->wgmi_sender = wgs->wgs_local_index; 1333 1334 /* [W] 5.4.2: First Message: Initiator to Responder */ 1335 1336 /* Ci := HASH(CONSTRUCTION) */ 1337 /* Hi := HASH(Ci || IDENTIFIER) */ 1338 wg_init_key_and_hash(ckey, hash); 1339 /* Hi := HASH(Hi || Sr^pub) */ 1340 wg_algo_hash(hash, wgp->wgp_pubkey, sizeof(wgp->wgp_pubkey)); 1341 1342 WG_DUMP_HASH("hash", hash); 1343 1344 /* [N] 2.2: "e" */ 1345 /* Ei^priv, Ei^pub := DH-GENERATE() */ 1346 wg_algo_generate_keypair(pubkey, privkey); 1347 /* Ci := KDF1(Ci, Ei^pub) */ 1348 wg_algo_kdf(ckey, NULL, NULL, ckey, pubkey, sizeof(pubkey)); 1349 /* msg.ephemeral := Ei^pub */ 1350 memcpy(wgmi->wgmi_ephemeral, pubkey, sizeof(wgmi->wgmi_ephemeral)); 1351 /* Hi := HASH(Hi || msg.ephemeral) */ 1352 wg_algo_hash(hash, pubkey, sizeof(pubkey)); 1353 1354 WG_DUMP_HASH("ckey", ckey); 1355 WG_DUMP_HASH("hash", hash); 1356 1357 /* [N] 2.2: "es" */ 1358 /* Ci, k := KDF2(Ci, DH(Ei^priv, Sr^pub)) */ 1359 wg_algo_dh_kdf(ckey, cipher_key, privkey, wgp->wgp_pubkey); 1360 1361 /* [N] 2.2: "s" */ 1362 /* msg.static := AEAD(k, 0, Si^pub, Hi) */ 1363 wg_algo_aead_enc(wgmi->wgmi_static, sizeof(wgmi->wgmi_static), 1364 cipher_key, 0, wg->wg_pubkey, sizeof(wg->wg_pubkey), 1365 hash, 
sizeof(hash)); 1366 /* Hi := HASH(Hi || msg.static) */ 1367 wg_algo_hash(hash, wgmi->wgmi_static, sizeof(wgmi->wgmi_static)); 1368 1369 WG_DUMP_HASH48("wgmi_static", wgmi->wgmi_static); 1370 1371 /* [N] 2.2: "ss" */ 1372 /* Ci, k := KDF2(Ci, DH(Si^priv, Sr^pub)) */ 1373 wg_algo_dh_kdf(ckey, cipher_key, wg->wg_privkey, wgp->wgp_pubkey); 1374 1375 /* msg.timestamp := AEAD(k, TIMESTAMP(), Hi) */ 1376 wg_timestamp_t timestamp; 1377 wg_algo_tai64n(timestamp); 1378 wg_algo_aead_enc(wgmi->wgmi_timestamp, sizeof(wgmi->wgmi_timestamp), 1379 cipher_key, 0, timestamp, sizeof(timestamp), hash, sizeof(hash)); 1380 /* Hi := HASH(Hi || msg.timestamp) */ 1381 wg_algo_hash(hash, wgmi->wgmi_timestamp, sizeof(wgmi->wgmi_timestamp)); 1382 1383 /* [W] 5.4.4 Cookie MACs */ 1384 wg_algo_mac_mac1(wgmi->wgmi_mac1, sizeof(wgmi->wgmi_mac1), 1385 wgp->wgp_pubkey, sizeof(wgp->wgp_pubkey), 1386 (const uint8_t *)wgmi, offsetof(struct wg_msg_init, wgmi_mac1)); 1387 /* Need mac1 to decrypt a cookie from a cookie message */ 1388 memcpy(wgp->wgp_last_sent_mac1, wgmi->wgmi_mac1, 1389 sizeof(wgp->wgp_last_sent_mac1)); 1390 wgp->wgp_last_sent_mac1_valid = true; 1391 1392 if (wgp->wgp_latest_cookie_time == 0 || 1393 (time_uptime - wgp->wgp_latest_cookie_time) >= WG_COOKIE_TIME) 1394 memset(wgmi->wgmi_mac2, 0, sizeof(wgmi->wgmi_mac2)); 1395 else { 1396 wg_algo_mac(wgmi->wgmi_mac2, sizeof(wgmi->wgmi_mac2), 1397 wgp->wgp_latest_cookie, WG_COOKIE_LEN, 1398 (const uint8_t *)wgmi, 1399 offsetof(struct wg_msg_init, wgmi_mac2), 1400 NULL, 0); 1401 } 1402 1403 memcpy(wgs->wgs_ephemeral_key_pub, pubkey, sizeof(pubkey)); 1404 memcpy(wgs->wgs_ephemeral_key_priv, privkey, sizeof(privkey)); 1405 memcpy(wgs->wgs_handshake_hash, hash, sizeof(hash)); 1406 memcpy(wgs->wgs_chaining_key, ckey, sizeof(ckey)); 1407 WG_DLOG("%s: sender=%x\n", __func__, wgs->wgs_local_index); 1408 } 1409 1410 static void __noinline 1411 wg_handle_msg_init(struct wg_softc *wg, const struct wg_msg_init *wgmi, 1412 const struct sockaddr *src) 1413 { 1414 uint8_t ckey[WG_CHAINING_KEY_LEN]; /* [W] 5.4.2: Ci */ 1415 uint8_t hash[WG_HASH_LEN]; /* [W] 5.4.2: Hi */ 1416 uint8_t cipher_key[WG_CIPHER_KEY_LEN]; 1417 uint8_t peer_pubkey[WG_STATIC_KEY_LEN]; 1418 struct wg_peer *wgp; 1419 struct wg_session *wgs; 1420 int error, ret; 1421 struct psref psref_peer; 1422 uint8_t mac1[WG_MAC_LEN]; 1423 1424 WG_TRACE("init msg received"); 1425 1426 wg_algo_mac_mac1(mac1, sizeof(mac1), 1427 wg->wg_pubkey, sizeof(wg->wg_pubkey), 1428 (const uint8_t *)wgmi, offsetof(struct wg_msg_init, wgmi_mac1)); 1429 1430 /* 1431 * [W] 5.3: Denial of Service Mitigation & Cookies 1432 * "the responder, ..., must always reject messages with an invalid 1433 * msg.mac1" 1434 */ 1435 if (!consttime_memequal(mac1, wgmi->wgmi_mac1, sizeof(mac1))) { 1436 WG_DLOG("mac1 is invalid\n"); 1437 return; 1438 } 1439 1440 /* 1441 * [W] 5.4.2: First Message: Initiator to Responder 1442 * "When the responder receives this message, it does the same 1443 * operations so that its final state variables are identical, 1444 * replacing the operands of the DH function to produce equivalent 1445 * values." 1446 * Note that the following comments of operations are just copies of 1447 * the initiator's ones. 
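 * For example, where the initiator computed DH(Ei^priv, Sr^pub) for "es",
 * the responder computes DH(Sr^priv, Ei^pub), which yields the same
 * shared secret.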
1448 */ 1449 1450 /* Ci := HASH(CONSTRUCTION) */ 1451 /* Hi := HASH(Ci || IDENTIFIER) */ 1452 wg_init_key_and_hash(ckey, hash); 1453 /* Hi := HASH(Hi || Sr^pub) */ 1454 wg_algo_hash(hash, wg->wg_pubkey, sizeof(wg->wg_pubkey)); 1455 1456 /* [N] 2.2: "e" */ 1457 /* Ci := KDF1(Ci, Ei^pub) */ 1458 wg_algo_kdf(ckey, NULL, NULL, ckey, wgmi->wgmi_ephemeral, 1459 sizeof(wgmi->wgmi_ephemeral)); 1460 /* Hi := HASH(Hi || msg.ephemeral) */ 1461 wg_algo_hash(hash, wgmi->wgmi_ephemeral, sizeof(wgmi->wgmi_ephemeral)); 1462 1463 WG_DUMP_HASH("ckey", ckey); 1464 1465 /* [N] 2.2: "es" */ 1466 /* Ci, k := KDF2(Ci, DH(Ei^priv, Sr^pub)) */ 1467 wg_algo_dh_kdf(ckey, cipher_key, wg->wg_privkey, wgmi->wgmi_ephemeral); 1468 1469 WG_DUMP_HASH48("wgmi_static", wgmi->wgmi_static); 1470 1471 /* [N] 2.2: "s" */ 1472 /* msg.static := AEAD(k, 0, Si^pub, Hi) */ 1473 error = wg_algo_aead_dec(peer_pubkey, WG_STATIC_KEY_LEN, cipher_key, 0, 1474 wgmi->wgmi_static, sizeof(wgmi->wgmi_static), hash, sizeof(hash)); 1475 if (error != 0) { 1476 WG_LOG_RATECHECK(&wg->wg_ppsratecheck, LOG_DEBUG, 1477 "wg_algo_aead_dec for secret key failed\n"); 1478 return; 1479 } 1480 /* Hi := HASH(Hi || msg.static) */ 1481 wg_algo_hash(hash, wgmi->wgmi_static, sizeof(wgmi->wgmi_static)); 1482 1483 wgp = wg_lookup_peer_by_pubkey(wg, peer_pubkey, &psref_peer); 1484 if (wgp == NULL) { 1485 WG_DLOG("peer not found\n"); 1486 return; 1487 } 1488 1489 /* 1490 * Lock the peer to serialize access to cookie state. 1491 * 1492 * XXX Can we safely avoid holding the lock across DH? Take it 1493 * just to verify mac2 and then unlock/DH/lock? 1494 */ 1495 mutex_enter(wgp->wgp_lock); 1496 1497 if (__predict_false(wg_is_underload(wg, wgp, WG_MSG_TYPE_INIT))) { 1498 WG_TRACE("under load"); 1499 /* 1500 * [W] 5.3: Denial of Service Mitigation & Cookies 1501 * "the responder, ..., and when under load may reject messages 1502 * with an invalid msg.mac2. 
If the responder receives a 1503 * message with a valid msg.mac1 yet with an invalid msg.mac2, 1504 * and is under load, it may respond with a cookie reply 1505 * message" 1506 */ 1507 uint8_t zero[WG_MAC_LEN] = {0}; 1508 if (consttime_memequal(wgmi->wgmi_mac2, zero, sizeof(zero))) { 1509 WG_TRACE("sending a cookie message: no cookie included"); 1510 (void)wg_send_cookie_msg(wg, wgp, wgmi->wgmi_sender, 1511 wgmi->wgmi_mac1, src); 1512 goto out; 1513 } 1514 if (!wgp->wgp_last_sent_cookie_valid) { 1515 WG_TRACE("sending a cookie message: no cookie sent ever"); 1516 (void)wg_send_cookie_msg(wg, wgp, wgmi->wgmi_sender, 1517 wgmi->wgmi_mac1, src); 1518 goto out; 1519 } 1520 uint8_t mac2[WG_MAC_LEN]; 1521 wg_algo_mac(mac2, sizeof(mac2), wgp->wgp_last_sent_cookie, 1522 WG_COOKIE_LEN, (const uint8_t *)wgmi, 1523 offsetof(struct wg_msg_init, wgmi_mac2), NULL, 0); 1524 if (!consttime_memequal(mac2, wgmi->wgmi_mac2, sizeof(mac2))) { 1525 WG_DLOG("mac2 is invalid\n"); 1526 goto out; 1527 } 1528 WG_TRACE("under load, but continue to sending"); 1529 } 1530 1531 /* [N] 2.2: "ss" */ 1532 /* Ci, k := KDF2(Ci, DH(Si^priv, Sr^pub)) */ 1533 wg_algo_dh_kdf(ckey, cipher_key, wg->wg_privkey, wgp->wgp_pubkey); 1534 1535 /* msg.timestamp := AEAD(k, TIMESTAMP(), Hi) */ 1536 wg_timestamp_t timestamp; 1537 error = wg_algo_aead_dec(timestamp, sizeof(timestamp), cipher_key, 0, 1538 wgmi->wgmi_timestamp, sizeof(wgmi->wgmi_timestamp), 1539 hash, sizeof(hash)); 1540 if (error != 0) { 1541 WG_LOG_RATECHECK(&wgp->wgp_ppsratecheck, LOG_DEBUG, 1542 "wg_algo_aead_dec for timestamp failed\n"); 1543 goto out; 1544 } 1545 /* Hi := HASH(Hi || msg.timestamp) */ 1546 wg_algo_hash(hash, wgmi->wgmi_timestamp, sizeof(wgmi->wgmi_timestamp)); 1547 1548 /* 1549 * [W] 5.1 "The responder keeps track of the greatest timestamp 1550 * received per peer and discards packets containing 1551 * timestamps less than or equal to it." 1552 */ 1553 ret = memcmp(timestamp, wgp->wgp_timestamp_latest_init, 1554 sizeof(timestamp)); 1555 if (ret <= 0) { 1556 WG_LOG_RATECHECK(&wgp->wgp_ppsratecheck, LOG_DEBUG, 1557 "invalid init msg: timestamp is old\n"); 1558 goto out; 1559 } 1560 memcpy(wgp->wgp_timestamp_latest_init, timestamp, sizeof(timestamp)); 1561 1562 /* 1563 * Message is good -- we're committing to handle it now, unless 1564 * we were already initiating a session. 
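 * The switch below dispatches on the unstable session's state: UNKNOWN
 * gets a fresh session index, INIT_ACTIVE ignores the message, and
 * INIT_PASSIVE/DESTROYING clear the old state but keep their session index.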
1565 */ 1566 wgs = wgp->wgp_session_unstable; 1567 switch (wgs->wgs_state) { 1568 case WGS_STATE_UNKNOWN: /* new session initiated by peer */ 1569 wg_get_session_index(wg, wgs); 1570 break; 1571 case WGS_STATE_INIT_ACTIVE: /* we're already initiating, drop */ 1572 WG_TRACE("Session already initializing, ignoring the message"); 1573 goto out; 1574 case WGS_STATE_INIT_PASSIVE: /* peer is retrying, start over */ 1575 WG_TRACE("Session already initializing, destroying old states"); 1576 wg_clear_states(wgs); 1577 /* keep session index */ 1578 break; 1579 case WGS_STATE_ESTABLISHED: /* can't happen */ 1580 panic("unstable session can't be established"); 1581 break; 1582 case WGS_STATE_DESTROYING: /* rekey initiated by peer */ 1583 WG_TRACE("Session destroying, but force to clear"); 1584 callout_stop(&wgp->wgp_session_dtor_timer); 1585 wg_clear_states(wgs); 1586 /* keep session index */ 1587 break; 1588 default: 1589 panic("invalid session state: %d", wgs->wgs_state); 1590 } 1591 wgs->wgs_state = WGS_STATE_INIT_PASSIVE; 1592 1593 memcpy(wgs->wgs_handshake_hash, hash, sizeof(hash)); 1594 memcpy(wgs->wgs_chaining_key, ckey, sizeof(ckey)); 1595 memcpy(wgs->wgs_ephemeral_key_peer, wgmi->wgmi_ephemeral, 1596 sizeof(wgmi->wgmi_ephemeral)); 1597 1598 wg_update_endpoint_if_necessary(wgp, src); 1599 1600 (void)wg_send_handshake_msg_resp(wg, wgp, wgs, wgmi); 1601 1602 wg_calculate_keys(wgs, false); 1603 wg_clear_states(wgs); 1604 1605 out: 1606 mutex_exit(wgp->wgp_lock); 1607 wg_put_peer(wgp, &psref_peer); 1608 } 1609 1610 static struct socket * 1611 wg_get_so_by_af(struct wg_softc *wg, const int af) 1612 { 1613 1614 switch (af) { 1615 #ifdef INET 1616 case AF_INET: 1617 return wg->wg_so4; 1618 #endif 1619 #ifdef INET6 1620 case AF_INET6: 1621 return wg->wg_so6; 1622 #endif 1623 default: 1624 panic("wg: no such af: %d", af); 1625 } 1626 } 1627 1628 static struct socket * 1629 wg_get_so_by_peer(struct wg_peer *wgp, struct wg_sockaddr *wgsa) 1630 { 1631 1632 return wg_get_so_by_af(wgp->wgp_sc, wgsa_family(wgsa)); 1633 } 1634 1635 static struct wg_sockaddr * 1636 wg_get_endpoint_sa(struct wg_peer *wgp, struct psref *psref) 1637 { 1638 struct wg_sockaddr *wgsa; 1639 int s; 1640 1641 s = pserialize_read_enter(); 1642 wgsa = atomic_load_consume(&wgp->wgp_endpoint); 1643 psref_acquire(psref, &wgsa->wgsa_psref, wg_psref_class); 1644 pserialize_read_exit(s); 1645 1646 return wgsa; 1647 } 1648 1649 static void 1650 wg_put_sa(struct wg_peer *wgp, struct wg_sockaddr *wgsa, struct psref *psref) 1651 { 1652 1653 psref_release(psref, &wgsa->wgsa_psref, wg_psref_class); 1654 } 1655 1656 static int 1657 wg_send_so(struct wg_peer *wgp, struct mbuf *m) 1658 { 1659 int error; 1660 struct socket *so; 1661 struct psref psref; 1662 struct wg_sockaddr *wgsa; 1663 1664 wgsa = wg_get_endpoint_sa(wgp, &psref); 1665 so = wg_get_so_by_peer(wgp, wgsa); 1666 error = sosend(so, wgsatosa(wgsa), NULL, m, NULL, 0, curlwp); 1667 wg_put_sa(wgp, wgsa, &psref); 1668 1669 return error; 1670 } 1671 1672 static int 1673 wg_send_handshake_msg_init(struct wg_softc *wg, struct wg_peer *wgp) 1674 { 1675 int error; 1676 struct mbuf *m; 1677 struct wg_msg_init *wgmi; 1678 struct wg_session *wgs; 1679 1680 KASSERT(mutex_owned(wgp->wgp_lock)); 1681 1682 wgs = wgp->wgp_session_unstable; 1683 /* XXX pull dispatch out into wg_task_send_init_message */ 1684 switch (wgs->wgs_state) { 1685 case WGS_STATE_UNKNOWN: /* new session initiated by us */ 1686 wg_get_session_index(wg, wgs); 1687 break; 1688 case WGS_STATE_INIT_ACTIVE: /* we're already initiating, stop 
*/ 1689 WG_TRACE("Session already initializing, skip starting new one"); 1690 return EBUSY; 1691 case WGS_STATE_INIT_PASSIVE: /* peer was trying -- XXX what now? */ 1692 WG_TRACE("Session already initializing, destroying old states"); 1693 wg_clear_states(wgs); 1694 /* keep session index */ 1695 break; 1696 case WGS_STATE_ESTABLISHED: /* can't happen */ 1697 panic("unstable session can't be established"); 1698 break; 1699 case WGS_STATE_DESTROYING: /* rekey initiated by us too early */ 1700 WG_TRACE("Session destroying"); 1701 /* XXX should wait? */ 1702 return EBUSY; 1703 } 1704 wgs->wgs_state = WGS_STATE_INIT_ACTIVE; 1705 1706 m = m_gethdr(M_WAIT, MT_DATA); 1707 m->m_pkthdr.len = m->m_len = sizeof(*wgmi); 1708 wgmi = mtod(m, struct wg_msg_init *); 1709 wg_fill_msg_init(wg, wgp, wgs, wgmi); 1710 1711 error = wg->wg_ops->send_hs_msg(wgp, m); 1712 if (error == 0) { 1713 WG_TRACE("init msg sent"); 1714 1715 if (wgp->wgp_handshake_start_time == 0) 1716 wgp->wgp_handshake_start_time = time_uptime; 1717 callout_schedule(&wgp->wgp_handshake_timeout_timer, 1718 MIN(wg_rekey_timeout, (unsigned)(INT_MAX / hz)) * hz); 1719 } else { 1720 wg_put_session_index(wg, wgs); 1721 /* Initiation failed; toss packet waiting for it if any. */ 1722 if ((m = atomic_swap_ptr(&wgp->wgp_pending, NULL)) != NULL) 1723 m_freem(m); 1724 } 1725 1726 return error; 1727 } 1728 1729 static void 1730 wg_fill_msg_resp(struct wg_softc *wg, struct wg_peer *wgp, 1731 struct wg_session *wgs, struct wg_msg_resp *wgmr, 1732 const struct wg_msg_init *wgmi) 1733 { 1734 uint8_t ckey[WG_CHAINING_KEY_LEN]; /* [W] 5.4.3: Cr */ 1735 uint8_t hash[WG_HASH_LEN]; /* [W] 5.4.3: Hr */ 1736 uint8_t cipher_key[WG_KDF_OUTPUT_LEN]; 1737 uint8_t pubkey[WG_EPHEMERAL_KEY_LEN]; 1738 uint8_t privkey[WG_EPHEMERAL_KEY_LEN]; 1739 1740 KASSERT(mutex_owned(wgp->wgp_lock)); 1741 KASSERT(wgs == wgp->wgp_session_unstable); 1742 KASSERT(wgs->wgs_state == WGS_STATE_INIT_PASSIVE); 1743 1744 memcpy(hash, wgs->wgs_handshake_hash, sizeof(hash)); 1745 memcpy(ckey, wgs->wgs_chaining_key, sizeof(ckey)); 1746 1747 wgmr->wgmr_type = htole32(WG_MSG_TYPE_RESP); 1748 wgmr->wgmr_sender = wgs->wgs_local_index; 1749 wgmr->wgmr_receiver = wgmi->wgmi_sender; 1750 1751 /* [W] 5.4.3 Second Message: Responder to Initiator */ 1752 1753 /* [N] 2.2: "e" */ 1754 /* Er^priv, Er^pub := DH-GENERATE() */ 1755 wg_algo_generate_keypair(pubkey, privkey); 1756 /* Cr := KDF1(Cr, Er^pub) */ 1757 wg_algo_kdf(ckey, NULL, NULL, ckey, pubkey, sizeof(pubkey)); 1758 /* msg.ephemeral := Er^pub */ 1759 memcpy(wgmr->wgmr_ephemeral, pubkey, sizeof(wgmr->wgmr_ephemeral)); 1760 /* Hr := HASH(Hr || msg.ephemeral) */ 1761 wg_algo_hash(hash, pubkey, sizeof(pubkey)); 1762 1763 WG_DUMP_HASH("ckey", ckey); 1764 WG_DUMP_HASH("hash", hash); 1765 1766 /* [N] 2.2: "ee" */ 1767 /* Cr := KDF1(Cr, DH(Er^priv, Ei^pub)) */ 1768 wg_algo_dh_kdf(ckey, NULL, privkey, wgs->wgs_ephemeral_key_peer); 1769 1770 /* [N] 2.2: "se" */ 1771 /* Cr := KDF1(Cr, DH(Er^priv, Si^pub)) */ 1772 wg_algo_dh_kdf(ckey, NULL, privkey, wgp->wgp_pubkey); 1773 1774 /* [N] 9.2: "psk" */ 1775 { 1776 uint8_t kdfout[WG_KDF_OUTPUT_LEN]; 1777 /* Cr, r, k := KDF3(Cr, Q) */ 1778 wg_algo_kdf(ckey, kdfout, cipher_key, ckey, wgp->wgp_psk, 1779 sizeof(wgp->wgp_psk)); 1780 /* Hr := HASH(Hr || r) */ 1781 wg_algo_hash(hash, kdfout, sizeof(kdfout)); 1782 } 1783 1784 /* msg.empty := AEAD(k, 0, e, Hr) */ 1785 wg_algo_aead_enc(wgmr->wgmr_empty, sizeof(wgmr->wgmr_empty), 1786 cipher_key, 0, NULL, 0, hash, sizeof(hash)); 1787 /* Hr := HASH(Hr || msg.empty) */ 1788 
wg_algo_hash(hash, wgmr->wgmr_empty, sizeof(wgmr->wgmr_empty)); 1789 1790 WG_DUMP_HASH("wgmr_empty", wgmr->wgmr_empty); 1791 1792 /* [W] 5.4.4: Cookie MACs */ 1793 /* msg.mac1 := MAC(HASH(LABEL-MAC1 || Sm'^pub), msg_a) */ 1794 wg_algo_mac_mac1(wgmr->wgmr_mac1, sizeof(wgmi->wgmi_mac1), 1795 wgp->wgp_pubkey, sizeof(wgp->wgp_pubkey), 1796 (const uint8_t *)wgmr, offsetof(struct wg_msg_resp, wgmr_mac1)); 1797 /* Need mac1 to decrypt a cookie from a cookie message */ 1798 memcpy(wgp->wgp_last_sent_mac1, wgmr->wgmr_mac1, 1799 sizeof(wgp->wgp_last_sent_mac1)); 1800 wgp->wgp_last_sent_mac1_valid = true; 1801 1802 if (wgp->wgp_latest_cookie_time == 0 || 1803 (time_uptime - wgp->wgp_latest_cookie_time) >= WG_COOKIE_TIME) 1804 /* msg.mac2 := 0^16 */ 1805 memset(wgmr->wgmr_mac2, 0, sizeof(wgmr->wgmr_mac2)); 1806 else { 1807 /* msg.mac2 := MAC(Lm, msg_b) */ 1808 wg_algo_mac(wgmr->wgmr_mac2, sizeof(wgmi->wgmi_mac2), 1809 wgp->wgp_latest_cookie, WG_COOKIE_LEN, 1810 (const uint8_t *)wgmr, 1811 offsetof(struct wg_msg_resp, wgmr_mac2), 1812 NULL, 0); 1813 } 1814 1815 memcpy(wgs->wgs_handshake_hash, hash, sizeof(hash)); 1816 memcpy(wgs->wgs_chaining_key, ckey, sizeof(ckey)); 1817 memcpy(wgs->wgs_ephemeral_key_pub, pubkey, sizeof(pubkey)); 1818 memcpy(wgs->wgs_ephemeral_key_priv, privkey, sizeof(privkey)); 1819 wgs->wgs_remote_index = wgmi->wgmi_sender; 1820 WG_DLOG("sender=%x\n", wgs->wgs_local_index); 1821 WG_DLOG("receiver=%x\n", wgs->wgs_remote_index); 1822 } 1823 1824 static void 1825 wg_swap_sessions(struct wg_peer *wgp) 1826 { 1827 struct wg_session *wgs, *wgs_prev; 1828 1829 KASSERT(mutex_owned(wgp->wgp_lock)); 1830 1831 wgs = wgp->wgp_session_unstable; 1832 KASSERT(wgs->wgs_state == WGS_STATE_ESTABLISHED); 1833 1834 wgs_prev = wgp->wgp_session_stable; 1835 KASSERT(wgs_prev->wgs_state == WGS_STATE_ESTABLISHED || 1836 wgs_prev->wgs_state == WGS_STATE_UNKNOWN); 1837 atomic_store_release(&wgp->wgp_session_stable, wgs); 1838 wgp->wgp_session_unstable = wgs_prev; 1839 } 1840 1841 static void __noinline 1842 wg_handle_msg_resp(struct wg_softc *wg, const struct wg_msg_resp *wgmr, 1843 const struct sockaddr *src) 1844 { 1845 uint8_t ckey[WG_CHAINING_KEY_LEN]; /* [W] 5.4.3: Cr */ 1846 uint8_t hash[WG_HASH_LEN]; /* [W] 5.4.3: Kr */ 1847 uint8_t cipher_key[WG_KDF_OUTPUT_LEN]; 1848 struct wg_peer *wgp; 1849 struct wg_session *wgs; 1850 struct psref psref; 1851 int error; 1852 uint8_t mac1[WG_MAC_LEN]; 1853 struct wg_session *wgs_prev; 1854 struct mbuf *m; 1855 1856 wg_algo_mac_mac1(mac1, sizeof(mac1), 1857 wg->wg_pubkey, sizeof(wg->wg_pubkey), 1858 (const uint8_t *)wgmr, offsetof(struct wg_msg_resp, wgmr_mac1)); 1859 1860 /* 1861 * [W] 5.3: Denial of Service Mitigation & Cookies 1862 * "the responder, ..., must always reject messages with an invalid 1863 * msg.mac1" 1864 */ 1865 if (!consttime_memequal(mac1, wgmr->wgmr_mac1, sizeof(mac1))) { 1866 WG_DLOG("mac1 is invalid\n"); 1867 return; 1868 } 1869 1870 WG_TRACE("resp msg received"); 1871 wgs = wg_lookup_session_by_index(wg, wgmr->wgmr_receiver, &psref); 1872 if (wgs == NULL) { 1873 WG_TRACE("No session found"); 1874 return; 1875 } 1876 1877 wgp = wgs->wgs_peer; 1878 1879 mutex_enter(wgp->wgp_lock); 1880 1881 /* If we weren't waiting for a handshake response, drop it. 
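 * Only a session in INIT_ACTIVE is expecting a response; in any other
 * state the message is stale or spurious.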
*/ 1882 if (wgs->wgs_state != WGS_STATE_INIT_ACTIVE) { 1883 WG_TRACE("peer sent spurious handshake response, ignoring"); 1884 goto out; 1885 } 1886 1887 if (__predict_false(wg_is_underload(wg, wgp, WG_MSG_TYPE_RESP))) { 1888 WG_TRACE("under load"); 1889 /* 1890 * [W] 5.3: Denial of Service Mitigation & Cookies 1891 * "the responder, ..., and when under load may reject messages 1892 * with an invalid msg.mac2. If the responder receives a 1893 * message with a valid msg.mac1 yet with an invalid msg.mac2, 1894 * and is under load, it may respond with a cookie reply 1895 * message" 1896 */ 1897 uint8_t zero[WG_MAC_LEN] = {0}; 1898 if (consttime_memequal(wgmr->wgmr_mac2, zero, sizeof(zero))) { 1899 WG_TRACE("sending a cookie message: no cookie included"); 1900 (void)wg_send_cookie_msg(wg, wgp, wgmr->wgmr_sender, 1901 wgmr->wgmr_mac1, src); 1902 goto out; 1903 } 1904 if (!wgp->wgp_last_sent_cookie_valid) { 1905 WG_TRACE("sending a cookie message: no cookie sent ever"); 1906 (void)wg_send_cookie_msg(wg, wgp, wgmr->wgmr_sender, 1907 wgmr->wgmr_mac1, src); 1908 goto out; 1909 } 1910 uint8_t mac2[WG_MAC_LEN]; 1911 wg_algo_mac(mac2, sizeof(mac2), wgp->wgp_last_sent_cookie, 1912 WG_COOKIE_LEN, (const uint8_t *)wgmr, 1913 offsetof(struct wg_msg_resp, wgmr_mac2), NULL, 0); 1914 if (!consttime_memequal(mac2, wgmr->wgmr_mac2, sizeof(mac2))) { 1915 WG_DLOG("mac2 is invalid\n"); 1916 goto out; 1917 } 1918 WG_TRACE("under load, but continue to sending"); 1919 } 1920 1921 memcpy(hash, wgs->wgs_handshake_hash, sizeof(hash)); 1922 memcpy(ckey, wgs->wgs_chaining_key, sizeof(ckey)); 1923 1924 /* 1925 * [W] 5.4.3 Second Message: Responder to Initiator 1926 * "When the initiator receives this message, it does the same 1927 * operations so that its final state variables are identical, 1928 * replacing the operands of the DH function to produce equivalent 1929 * values." 1930 * Note that the following comments of operations are just copies of 1931 * the initiator's ones. 
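	 * (The two computations agree because the Diffie-Hellman
	 * function is symmetric: DH(Er^priv, Ei^pub) computed by the
	 * responder equals DH(Ei^priv, Er^pub) computed here, and
	 * DH(Er^priv, Si^pub) equals DH(Si^priv, Er^pub), so both ends
	 * derive the same Cr, Hr and, ultimately, the same transport
	 * keys.)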
1932 */ 1933 1934 /* [N] 2.2: "e" */ 1935 /* Cr := KDF1(Cr, Er^pub) */ 1936 wg_algo_kdf(ckey, NULL, NULL, ckey, wgmr->wgmr_ephemeral, 1937 sizeof(wgmr->wgmr_ephemeral)); 1938 /* Hr := HASH(Hr || msg.ephemeral) */ 1939 wg_algo_hash(hash, wgmr->wgmr_ephemeral, sizeof(wgmr->wgmr_ephemeral)); 1940 1941 WG_DUMP_HASH("ckey", ckey); 1942 WG_DUMP_HASH("hash", hash); 1943 1944 /* [N] 2.2: "ee" */ 1945 /* Cr := KDF1(Cr, DH(Er^priv, Ei^pub)) */ 1946 wg_algo_dh_kdf(ckey, NULL, wgs->wgs_ephemeral_key_priv, 1947 wgmr->wgmr_ephemeral); 1948 1949 /* [N] 2.2: "se" */ 1950 /* Cr := KDF1(Cr, DH(Er^priv, Si^pub)) */ 1951 wg_algo_dh_kdf(ckey, NULL, wg->wg_privkey, wgmr->wgmr_ephemeral); 1952 1953 /* [N] 9.2: "psk" */ 1954 { 1955 uint8_t kdfout[WG_KDF_OUTPUT_LEN]; 1956 /* Cr, r, k := KDF3(Cr, Q) */ 1957 wg_algo_kdf(ckey, kdfout, cipher_key, ckey, wgp->wgp_psk, 1958 sizeof(wgp->wgp_psk)); 1959 /* Hr := HASH(Hr || r) */ 1960 wg_algo_hash(hash, kdfout, sizeof(kdfout)); 1961 } 1962 1963 { 1964 uint8_t out[sizeof(wgmr->wgmr_empty)]; /* for safety */ 1965 /* msg.empty := AEAD(k, 0, e, Hr) */ 1966 error = wg_algo_aead_dec(out, 0, cipher_key, 0, wgmr->wgmr_empty, 1967 sizeof(wgmr->wgmr_empty), hash, sizeof(hash)); 1968 WG_DUMP_HASH("wgmr_empty", wgmr->wgmr_empty); 1969 if (error != 0) { 1970 WG_LOG_RATECHECK(&wgp->wgp_ppsratecheck, LOG_DEBUG, 1971 "wg_algo_aead_dec for empty message failed\n"); 1972 goto out; 1973 } 1974 /* Hr := HASH(Hr || msg.empty) */ 1975 wg_algo_hash(hash, wgmr->wgmr_empty, sizeof(wgmr->wgmr_empty)); 1976 } 1977 1978 memcpy(wgs->wgs_handshake_hash, hash, sizeof(wgs->wgs_handshake_hash)); 1979 memcpy(wgs->wgs_chaining_key, ckey, sizeof(wgs->wgs_chaining_key)); 1980 wgs->wgs_remote_index = wgmr->wgmr_sender; 1981 WG_DLOG("receiver=%x\n", wgs->wgs_remote_index); 1982 1983 KASSERT(wgs->wgs_state == WGS_STATE_INIT_ACTIVE); 1984 wgs->wgs_state = WGS_STATE_ESTABLISHED; 1985 wgs->wgs_time_established = time_uptime; 1986 wgs->wgs_time_last_data_sent = 0; 1987 wgs->wgs_is_initiator = true; 1988 wg_calculate_keys(wgs, true); 1989 wg_clear_states(wgs); 1990 WG_TRACE("WGS_STATE_ESTABLISHED"); 1991 1992 callout_stop(&wgp->wgp_handshake_timeout_timer); 1993 1994 wg_swap_sessions(wgp); 1995 KASSERT(wgs == wgp->wgp_session_stable); 1996 wgs_prev = wgp->wgp_session_unstable; 1997 getnanotime(&wgp->wgp_last_handshake_time); 1998 wgp->wgp_handshake_start_time = 0; 1999 wgp->wgp_last_sent_mac1_valid = false; 2000 wgp->wgp_last_sent_cookie_valid = false; 2001 2002 wg_schedule_rekey_timer(wgp); 2003 2004 wg_update_endpoint_if_necessary(wgp, src); 2005 2006 /* 2007 * If we had a data packet queued up, send it; otherwise send a 2008 * keepalive message -- either way we have to send something 2009 * immediately or else the responder will never answer. 2010 */ 2011 if ((m = atomic_swap_ptr(&wgp->wgp_pending, NULL)) != NULL) { 2012 kpreempt_disable(); 2013 const uint32_t h = curcpu()->ci_index; // pktq_rps_hash(m) 2014 M_SETCTX(m, wgp); 2015 if (__predict_false(!pktq_enqueue(wg_pktq, m, h))) { 2016 WGLOG(LOG_ERR, "pktq full, dropping\n"); 2017 m_freem(m); 2018 } 2019 kpreempt_enable(); 2020 } else { 2021 wg_send_keepalive_msg(wgp, wgs); 2022 } 2023 2024 if (wgs_prev->wgs_state == WGS_STATE_ESTABLISHED) { 2025 /* Wait for wg_get_stable_session to drain. */ 2026 pserialize_perform(wgp->wgp_psz); 2027 2028 /* Transition ESTABLISHED->DESTROYING. 
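	 * The old session is kept in DESTROYING rather than torn down
	 * at once so that data packets still in flight under the old
	 * keys can be received (wg_handle_msg_data accepts DESTROYING
	 * sessions); the dtor timer scheduled below reclaims it after a
	 * short grace period.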
*/ 2029 wgs_prev->wgs_state = WGS_STATE_DESTROYING; 2030 2031 /* We can't destroy the old session immediately */ 2032 wg_schedule_session_dtor_timer(wgp); 2033 } else { 2034 KASSERTMSG(wgs_prev->wgs_state == WGS_STATE_UNKNOWN, 2035 "state=%d", wgs_prev->wgs_state); 2036 } 2037 2038 out: 2039 mutex_exit(wgp->wgp_lock); 2040 wg_put_session(wgs, &psref); 2041 } 2042 2043 static int 2044 wg_send_handshake_msg_resp(struct wg_softc *wg, struct wg_peer *wgp, 2045 struct wg_session *wgs, const struct wg_msg_init *wgmi) 2046 { 2047 int error; 2048 struct mbuf *m; 2049 struct wg_msg_resp *wgmr; 2050 2051 KASSERT(mutex_owned(wgp->wgp_lock)); 2052 KASSERT(wgs == wgp->wgp_session_unstable); 2053 KASSERT(wgs->wgs_state == WGS_STATE_INIT_PASSIVE); 2054 2055 m = m_gethdr(M_WAIT, MT_DATA); 2056 m->m_pkthdr.len = m->m_len = sizeof(*wgmr); 2057 wgmr = mtod(m, struct wg_msg_resp *); 2058 wg_fill_msg_resp(wg, wgp, wgs, wgmr, wgmi); 2059 2060 error = wg->wg_ops->send_hs_msg(wgp, m); 2061 if (error == 0) 2062 WG_TRACE("resp msg sent"); 2063 return error; 2064 } 2065 2066 static struct wg_peer * 2067 wg_lookup_peer_by_pubkey(struct wg_softc *wg, 2068 const uint8_t pubkey[WG_STATIC_KEY_LEN], struct psref *psref) 2069 { 2070 struct wg_peer *wgp; 2071 2072 int s = pserialize_read_enter(); 2073 wgp = thmap_get(wg->wg_peers_bypubkey, pubkey, WG_STATIC_KEY_LEN); 2074 if (wgp != NULL) 2075 wg_get_peer(wgp, psref); 2076 pserialize_read_exit(s); 2077 2078 return wgp; 2079 } 2080 2081 static void 2082 wg_fill_msg_cookie(struct wg_softc *wg, struct wg_peer *wgp, 2083 struct wg_msg_cookie *wgmc, const uint32_t sender, 2084 const uint8_t mac1[WG_MAC_LEN], const struct sockaddr *src) 2085 { 2086 uint8_t cookie[WG_COOKIE_LEN]; 2087 uint8_t key[WG_HASH_LEN]; 2088 uint8_t addr[sizeof(struct in6_addr)]; 2089 size_t addrlen; 2090 uint16_t uh_sport; /* be */ 2091 2092 KASSERT(mutex_owned(wgp->wgp_lock)); 2093 2094 wgmc->wgmc_type = htole32(WG_MSG_TYPE_COOKIE); 2095 wgmc->wgmc_receiver = sender; 2096 cprng_fast(wgmc->wgmc_salt, sizeof(wgmc->wgmc_salt)); 2097 2098 /* 2099 * [W] 5.4.7: Under Load: Cookie Reply Message 2100 * "The secret variable, Rm, changes every two minutes to a 2101 * random value" 2102 */ 2103 if ((time_uptime - wgp->wgp_last_genrandval_time) > WG_RANDVAL_TIME) { 2104 wgp->wgp_randval = cprng_strong32(); 2105 wgp->wgp_last_genrandval_time = time_uptime; 2106 } 2107 2108 switch (src->sa_family) { 2109 case AF_INET: { 2110 const struct sockaddr_in *sin = satocsin(src); 2111 addrlen = sizeof(sin->sin_addr); 2112 memcpy(addr, &sin->sin_addr, addrlen); 2113 uh_sport = sin->sin_port; 2114 break; 2115 } 2116 #ifdef INET6 2117 case AF_INET6: { 2118 const struct sockaddr_in6 *sin6 = satocsin6(src); 2119 addrlen = sizeof(sin6->sin6_addr); 2120 memcpy(addr, &sin6->sin6_addr, addrlen); 2121 uh_sport = sin6->sin6_port; 2122 break; 2123 } 2124 #endif 2125 default: 2126 panic("invalid af=%d", src->sa_family); 2127 } 2128 2129 wg_algo_mac(cookie, sizeof(cookie), 2130 (const uint8_t *)&wgp->wgp_randval, sizeof(wgp->wgp_randval), 2131 addr, addrlen, (const uint8_t *)&uh_sport, sizeof(uh_sport)); 2132 wg_algo_mac_cookie(key, sizeof(key), wg->wg_pubkey, 2133 sizeof(wg->wg_pubkey)); 2134 wg_algo_xaead_enc(wgmc->wgmc_cookie, sizeof(wgmc->wgmc_cookie), key, 2135 cookie, sizeof(cookie), mac1, WG_MAC_LEN, wgmc->wgmc_salt); 2136 2137 /* Need to store to calculate mac2 */ 2138 memcpy(wgp->wgp_last_sent_cookie, cookie, sizeof(cookie)); 2139 wgp->wgp_last_sent_cookie_valid = true; 2140 } 2141 2142 static int 2143 wg_send_cookie_msg(struct 
wg_softc *wg, struct wg_peer *wgp, 2144 const uint32_t sender, const uint8_t mac1[WG_MAC_LEN], 2145 const struct sockaddr *src) 2146 { 2147 int error; 2148 struct mbuf *m; 2149 struct wg_msg_cookie *wgmc; 2150 2151 KASSERT(mutex_owned(wgp->wgp_lock)); 2152 2153 m = m_gethdr(M_WAIT, MT_DATA); 2154 m->m_pkthdr.len = m->m_len = sizeof(*wgmc); 2155 wgmc = mtod(m, struct wg_msg_cookie *); 2156 wg_fill_msg_cookie(wg, wgp, wgmc, sender, mac1, src); 2157 2158 error = wg->wg_ops->send_hs_msg(wgp, m); 2159 if (error == 0) 2160 WG_TRACE("cookie msg sent"); 2161 return error; 2162 } 2163 2164 static bool 2165 wg_is_underload(struct wg_softc *wg, struct wg_peer *wgp, int msgtype) 2166 { 2167 #ifdef WG_DEBUG_PARAMS 2168 if (wg_force_underload) 2169 return true; 2170 #endif 2171 2172 /* 2173 * XXX we don't have a means of a load estimation. The purpose of 2174 * the mechanism is a DoS mitigation, so we consider frequent handshake 2175 * messages as (a kind of) load; if a message of the same type comes 2176 * to a peer within 1 second, we consider we are under load. 2177 */ 2178 time_t last = wgp->wgp_last_msg_received_time[msgtype]; 2179 wgp->wgp_last_msg_received_time[msgtype] = time_uptime; 2180 return (time_uptime - last) == 0; 2181 } 2182 2183 static void 2184 wg_calculate_keys(struct wg_session *wgs, const bool initiator) 2185 { 2186 2187 KASSERT(mutex_owned(wgs->wgs_peer->wgp_lock)); 2188 2189 /* 2190 * [W] 5.4.5: Ti^send = Tr^recv, Ti^recv = Tr^send := KDF2(Ci = Cr, e) 2191 */ 2192 if (initiator) { 2193 wg_algo_kdf(wgs->wgs_tkey_send, wgs->wgs_tkey_recv, NULL, 2194 wgs->wgs_chaining_key, NULL, 0); 2195 } else { 2196 wg_algo_kdf(wgs->wgs_tkey_recv, wgs->wgs_tkey_send, NULL, 2197 wgs->wgs_chaining_key, NULL, 0); 2198 } 2199 WG_DUMP_HASH("wgs_tkey_send", wgs->wgs_tkey_send); 2200 WG_DUMP_HASH("wgs_tkey_recv", wgs->wgs_tkey_recv); 2201 } 2202 2203 static uint64_t 2204 wg_session_get_send_counter(struct wg_session *wgs) 2205 { 2206 #ifdef __HAVE_ATOMIC64_LOADSTORE 2207 return atomic_load_relaxed(&wgs->wgs_send_counter); 2208 #else 2209 uint64_t send_counter; 2210 2211 mutex_enter(&wgs->wgs_send_counter_lock); 2212 send_counter = wgs->wgs_send_counter; 2213 mutex_exit(&wgs->wgs_send_counter_lock); 2214 2215 return send_counter; 2216 #endif 2217 } 2218 2219 static uint64_t 2220 wg_session_inc_send_counter(struct wg_session *wgs) 2221 { 2222 #ifdef __HAVE_ATOMIC64_LOADSTORE 2223 return atomic_inc_64_nv(&wgs->wgs_send_counter) - 1; 2224 #else 2225 uint64_t send_counter; 2226 2227 mutex_enter(&wgs->wgs_send_counter_lock); 2228 send_counter = wgs->wgs_send_counter++; 2229 mutex_exit(&wgs->wgs_send_counter_lock); 2230 2231 return send_counter; 2232 #endif 2233 } 2234 2235 static void 2236 wg_clear_states(struct wg_session *wgs) 2237 { 2238 2239 KASSERT(mutex_owned(wgs->wgs_peer->wgp_lock)); 2240 2241 wgs->wgs_send_counter = 0; 2242 sliwin_reset(&wgs->wgs_recvwin->window); 2243 2244 #define wgs_clear(v) explicit_memset(wgs->wgs_##v, 0, sizeof(wgs->wgs_##v)) 2245 wgs_clear(handshake_hash); 2246 wgs_clear(chaining_key); 2247 wgs_clear(ephemeral_key_pub); 2248 wgs_clear(ephemeral_key_priv); 2249 wgs_clear(ephemeral_key_peer); 2250 #undef wgs_clear 2251 } 2252 2253 static struct wg_session * 2254 wg_lookup_session_by_index(struct wg_softc *wg, const uint32_t index, 2255 struct psref *psref) 2256 { 2257 struct wg_session *wgs; 2258 2259 int s = pserialize_read_enter(); 2260 wgs = thmap_get(wg->wg_sessions_byindex, &index, sizeof index); 2261 if (wgs != NULL) { 2262 KASSERT(atomic_load_relaxed(&wgs->wgs_state) != 
2263 WGS_STATE_UNKNOWN); 2264 psref_acquire(psref, &wgs->wgs_psref, wg_psref_class); 2265 } 2266 pserialize_read_exit(s); 2267 2268 return wgs; 2269 } 2270 2271 static void 2272 wg_schedule_rekey_timer(struct wg_peer *wgp) 2273 { 2274 int timeout = MIN(wg_rekey_after_time, (unsigned)(INT_MAX / hz)); 2275 2276 callout_schedule(&wgp->wgp_rekey_timer, timeout * hz); 2277 } 2278 2279 static void 2280 wg_send_keepalive_msg(struct wg_peer *wgp, struct wg_session *wgs) 2281 { 2282 struct mbuf *m; 2283 2284 /* 2285 * [W] 6.5 Passive Keepalive 2286 * "A keepalive message is simply a transport data message with 2287 * a zero-length encapsulated encrypted inner-packet." 2288 */ 2289 m = m_gethdr(M_WAIT, MT_DATA); 2290 wg_send_data_msg(wgp, wgs, m); 2291 } 2292 2293 static bool 2294 wg_need_to_send_init_message(struct wg_session *wgs) 2295 { 2296 /* 2297 * [W] 6.2 Transport Message Limits 2298 * "if a peer is the initiator of a current secure session, 2299 * WireGuard will send a handshake initiation message to begin 2300 * a new secure session ... if after receiving a transport data 2301 * message, the current secure session is (REJECT-AFTER-TIME − 2302 * KEEPALIVE-TIMEOUT − REKEY-TIMEOUT) seconds old and it has 2303 * not yet acted upon this event." 2304 */ 2305 return wgs->wgs_is_initiator && wgs->wgs_time_last_data_sent == 0 && 2306 (time_uptime - wgs->wgs_time_established) >= 2307 (wg_reject_after_time - wg_keepalive_timeout - wg_rekey_timeout); 2308 } 2309 2310 static void 2311 wg_schedule_peer_task(struct wg_peer *wgp, unsigned int task) 2312 { 2313 2314 mutex_enter(wgp->wgp_intr_lock); 2315 WG_DLOG("tasks=%d, task=%d\n", wgp->wgp_tasks, task); 2316 if (wgp->wgp_tasks == 0) 2317 /* 2318 * XXX If the current CPU is already loaded -- e.g., if 2319 * there's already a bunch of handshakes queued up -- 2320 * consider tossing this over to another CPU to 2321 * distribute the load. 
2322 */ 2323 workqueue_enqueue(wg_wq, &wgp->wgp_work, NULL); 2324 wgp->wgp_tasks |= task; 2325 mutex_exit(wgp->wgp_intr_lock); 2326 } 2327 2328 static void 2329 wg_change_endpoint(struct wg_peer *wgp, const struct sockaddr *new) 2330 { 2331 struct wg_sockaddr *wgsa_prev; 2332 2333 WG_TRACE("Changing endpoint"); 2334 2335 memcpy(wgp->wgp_endpoint0, new, new->sa_len); 2336 wgsa_prev = wgp->wgp_endpoint; 2337 atomic_store_release(&wgp->wgp_endpoint, wgp->wgp_endpoint0); 2338 wgp->wgp_endpoint0 = wgsa_prev; 2339 atomic_store_release(&wgp->wgp_endpoint_available, true); 2340 2341 wg_schedule_peer_task(wgp, WGP_TASK_ENDPOINT_CHANGED); 2342 } 2343 2344 static bool 2345 wg_validate_inner_packet(const char *packet, size_t decrypted_len, int *af) 2346 { 2347 uint16_t packet_len; 2348 const struct ip *ip; 2349 2350 if (__predict_false(decrypted_len < sizeof(struct ip))) 2351 return false; 2352 2353 ip = (const struct ip *)packet; 2354 if (ip->ip_v == 4) 2355 *af = AF_INET; 2356 else if (ip->ip_v == 6) 2357 *af = AF_INET6; 2358 else 2359 return false; 2360 2361 WG_DLOG("af=%d\n", *af); 2362 2363 switch (*af) { 2364 #ifdef INET 2365 case AF_INET: 2366 packet_len = ntohs(ip->ip_len); 2367 break; 2368 #endif 2369 #ifdef INET6 2370 case AF_INET6: { 2371 const struct ip6_hdr *ip6; 2372 2373 if (__predict_false(decrypted_len < sizeof(struct ip6_hdr))) 2374 return false; 2375 2376 ip6 = (const struct ip6_hdr *)packet; 2377 packet_len = sizeof(struct ip6_hdr) + ntohs(ip6->ip6_plen); 2378 break; 2379 } 2380 #endif 2381 default: 2382 return false; 2383 } 2384 2385 WG_DLOG("packet_len=%u\n", packet_len); 2386 if (packet_len > decrypted_len) 2387 return false; 2388 2389 return true; 2390 } 2391 2392 static bool 2393 wg_validate_route(struct wg_softc *wg, struct wg_peer *wgp_expected, 2394 int af, char *packet) 2395 { 2396 struct sockaddr_storage ss; 2397 struct sockaddr *sa; 2398 struct psref psref; 2399 struct wg_peer *wgp; 2400 bool ok; 2401 2402 /* 2403 * II CRYPTOKEY ROUTING 2404 * "it will only accept it if its source IP resolves in the 2405 * table to the public key used in the secure session for 2406 * decrypting it." 
2407 */ 2408 2409 if (af == AF_INET) { 2410 const struct ip *ip = (const struct ip *)packet; 2411 struct sockaddr_in *sin = (struct sockaddr_in *)&ss; 2412 sockaddr_in_init(sin, &ip->ip_src, 0); 2413 sa = sintosa(sin); 2414 #ifdef INET6 2415 } else { 2416 const struct ip6_hdr *ip6 = (const struct ip6_hdr *)packet; 2417 struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)&ss; 2418 sockaddr_in6_init(sin6, &ip6->ip6_src, 0, 0, 0); 2419 sa = sin6tosa(sin6); 2420 #endif 2421 } 2422 2423 wgp = wg_pick_peer_by_sa(wg, sa, &psref); 2424 ok = (wgp == wgp_expected); 2425 if (wgp != NULL) 2426 wg_put_peer(wgp, &psref); 2427 2428 return ok; 2429 } 2430 2431 static void 2432 wg_session_dtor_timer(void *arg) 2433 { 2434 struct wg_peer *wgp = arg; 2435 2436 WG_TRACE("enter"); 2437 2438 wg_schedule_peer_task(wgp, WGP_TASK_DESTROY_PREV_SESSION); 2439 } 2440 2441 static void 2442 wg_schedule_session_dtor_timer(struct wg_peer *wgp) 2443 { 2444 2445 /* 1 second grace period */ 2446 callout_schedule(&wgp->wgp_session_dtor_timer, hz); 2447 } 2448 2449 static bool 2450 sockaddr_port_match(const struct sockaddr *sa1, const struct sockaddr *sa2) 2451 { 2452 if (sa1->sa_family != sa2->sa_family) 2453 return false; 2454 2455 switch (sa1->sa_family) { 2456 #ifdef INET 2457 case AF_INET: 2458 return satocsin(sa1)->sin_port == satocsin(sa2)->sin_port; 2459 #endif 2460 #ifdef INET6 2461 case AF_INET6: 2462 return satocsin6(sa1)->sin6_port == satocsin6(sa2)->sin6_port; 2463 #endif 2464 default: 2465 return false; 2466 } 2467 } 2468 2469 static void 2470 wg_update_endpoint_if_necessary(struct wg_peer *wgp, 2471 const struct sockaddr *src) 2472 { 2473 struct wg_sockaddr *wgsa; 2474 struct psref psref; 2475 2476 wgsa = wg_get_endpoint_sa(wgp, &psref); 2477 2478 #ifdef WG_DEBUG_LOG 2479 char oldaddr[128], newaddr[128]; 2480 sockaddr_format(wgsatosa(wgsa), oldaddr, sizeof(oldaddr)); 2481 sockaddr_format(src, newaddr, sizeof(newaddr)); 2482 WG_DLOG("old=%s, new=%s\n", oldaddr, newaddr); 2483 #endif 2484 2485 /* 2486 * III: "Since the packet has authenticated correctly, the source IP of 2487 * the outer UDP/IP packet is used to update the endpoint for peer..." 2488 */ 2489 if (__predict_false(sockaddr_cmp(src, wgsatosa(wgsa)) != 0 || 2490 !sockaddr_port_match(src, wgsatosa(wgsa)))) { 2491 /* XXX We can't change the endpoint twice in a short period */ 2492 if (atomic_swap_uint(&wgp->wgp_endpoint_changing, 1) == 0) { 2493 wg_change_endpoint(wgp, src); 2494 } 2495 } 2496 2497 wg_put_sa(wgp, wgsa, &psref); 2498 } 2499 2500 static void __noinline 2501 wg_handle_msg_data(struct wg_softc *wg, struct mbuf *m, 2502 const struct sockaddr *src) 2503 { 2504 struct wg_msg_data *wgmd; 2505 char *encrypted_buf = NULL, *decrypted_buf; 2506 size_t encrypted_len, decrypted_len; 2507 struct wg_session *wgs; 2508 struct wg_peer *wgp; 2509 int state; 2510 size_t mlen; 2511 struct psref psref; 2512 int error, af; 2513 bool success, free_encrypted_buf = false, ok; 2514 struct mbuf *n; 2515 2516 KASSERT(m->m_len >= sizeof(struct wg_msg_data)); 2517 wgmd = mtod(m, struct wg_msg_data *); 2518 2519 KASSERT(wgmd->wgmd_type == htole32(WG_MSG_TYPE_DATA)); 2520 WG_TRACE("data"); 2521 2522 /* Find the putative session, or drop. */ 2523 wgs = wg_lookup_session_by_index(wg, wgmd->wgmd_receiver, &psref); 2524 if (wgs == NULL) { 2525 WG_TRACE("No session found"); 2526 m_freem(m); 2527 return; 2528 } 2529 2530 /* 2531 * We are only ready to handle data when in INIT_PASSIVE, 2532 * ESTABLISHED, or DESTROYING. 
All transitions out of that 2533 * state dissociate the session index and drain psrefs. 2534 */ 2535 state = atomic_load_relaxed(&wgs->wgs_state); 2536 switch (state) { 2537 case WGS_STATE_UNKNOWN: 2538 panic("wg session %p in unknown state has session index %u", 2539 wgs, wgmd->wgmd_receiver); 2540 case WGS_STATE_INIT_ACTIVE: 2541 WG_TRACE("not yet ready for data"); 2542 goto out; 2543 case WGS_STATE_INIT_PASSIVE: 2544 case WGS_STATE_ESTABLISHED: 2545 case WGS_STATE_DESTROYING: 2546 break; 2547 } 2548 2549 /* 2550 * Get the peer, for rate-limited logs (XXX MPSAFE, dtrace) and 2551 * to update the endpoint if authentication succeeds. 2552 */ 2553 wgp = wgs->wgs_peer; 2554 2555 /* 2556 * Reject outrageously wrong sequence numbers before doing any 2557 * crypto work or taking any locks. 2558 */ 2559 error = sliwin_check_fast(&wgs->wgs_recvwin->window, 2560 le64toh(wgmd->wgmd_counter)); 2561 if (error) { 2562 WG_LOG_RATECHECK(&wgp->wgp_ppsratecheck, LOG_DEBUG, 2563 "out-of-window packet: %"PRIu64"\n", 2564 le64toh(wgmd->wgmd_counter)); 2565 goto out; 2566 } 2567 2568 /* Ensure the payload and authenticator are contiguous. */ 2569 mlen = m_length(m); 2570 encrypted_len = mlen - sizeof(*wgmd); 2571 if (encrypted_len < WG_AUTHTAG_LEN) { 2572 WG_DLOG("Short encrypted_len: %lu\n", encrypted_len); 2573 goto out; 2574 } 2575 success = m_ensure_contig(&m, sizeof(*wgmd) + encrypted_len); 2576 if (success) { 2577 encrypted_buf = mtod(m, char *) + sizeof(*wgmd); 2578 } else { 2579 encrypted_buf = kmem_intr_alloc(encrypted_len, KM_NOSLEEP); 2580 if (encrypted_buf == NULL) { 2581 WG_DLOG("failed to allocate encrypted_buf\n"); 2582 goto out; 2583 } 2584 m_copydata(m, sizeof(*wgmd), encrypted_len, encrypted_buf); 2585 free_encrypted_buf = true; 2586 } 2587 /* m_ensure_contig may change m regardless of its result */ 2588 KASSERT(m->m_len >= sizeof(*wgmd)); 2589 wgmd = mtod(m, struct wg_msg_data *); 2590 2591 /* 2592 * Get a buffer for the plaintext. Add WG_AUTHTAG_LEN to avoid 2593 * a zero-length buffer (XXX). Drop if plaintext is longer 2594 * than MCLBYTES (XXX). 2595 */ 2596 decrypted_len = encrypted_len - WG_AUTHTAG_LEN; 2597 if (decrypted_len > MCLBYTES) { 2598 /* FIXME handle larger data than MCLBYTES */ 2599 WG_DLOG("couldn't handle larger data than MCLBYTES\n"); 2600 goto out; 2601 } 2602 n = wg_get_mbuf(0, decrypted_len + WG_AUTHTAG_LEN); 2603 if (n == NULL) { 2604 WG_DLOG("wg_get_mbuf failed\n"); 2605 goto out; 2606 } 2607 decrypted_buf = mtod(n, char *); 2608 2609 /* Decrypt and verify the packet. */ 2610 WG_DLOG("mlen=%lu, encrypted_len=%lu\n", mlen, encrypted_len); 2611 error = wg_algo_aead_dec(decrypted_buf, 2612 encrypted_len - WG_AUTHTAG_LEN /* can be 0 */, 2613 wgs->wgs_tkey_recv, le64toh(wgmd->wgmd_counter), encrypted_buf, 2614 encrypted_len, NULL, 0); 2615 if (error != 0) { 2616 WG_LOG_RATECHECK(&wgp->wgp_ppsratecheck, LOG_DEBUG, 2617 "failed to wg_algo_aead_dec\n"); 2618 m_freem(n); 2619 goto out; 2620 } 2621 WG_DLOG("outsize=%u\n", (u_int)decrypted_len); 2622 2623 /* Packet is genuine. Reject it if a replay or just too old. */ 2624 mutex_enter(&wgs->wgs_recvwin->lock); 2625 error = sliwin_update(&wgs->wgs_recvwin->window, 2626 le64toh(wgmd->wgmd_counter)); 2627 mutex_exit(&wgs->wgs_recvwin->lock); 2628 if (error) { 2629 WG_LOG_RATECHECK(&wgp->wgp_ppsratecheck, LOG_DEBUG, 2630 "replay or out-of-window packet: %"PRIu64"\n", 2631 le64toh(wgmd->wgmd_counter)); 2632 m_freem(n); 2633 goto out; 2634 } 2635 2636 /* We're done with m now; free it and chuck the pointers. 
*/ 2637 m_freem(m); 2638 m = NULL; 2639 wgmd = NULL; 2640 2641 /* 2642 * Validate the encapsulated packet header and get the address 2643 * family, or drop. 2644 */ 2645 ok = wg_validate_inner_packet(decrypted_buf, decrypted_len, &af); 2646 if (!ok) { 2647 m_freem(n); 2648 goto out; 2649 } 2650 2651 /* 2652 * The packet is genuine. Update the peer's endpoint if the 2653 * source address changed. 2654 * 2655 * XXX How to prevent DoS by replaying genuine packets from the 2656 * wrong source address? 2657 */ 2658 wg_update_endpoint_if_necessary(wgp, src); 2659 2660 /* Submit it into our network stack if routable. */ 2661 ok = wg_validate_route(wg, wgp, af, decrypted_buf); 2662 if (ok) { 2663 wg->wg_ops->input(&wg->wg_if, n, af); 2664 } else { 2665 WG_LOG_RATECHECK(&wgp->wgp_ppsratecheck, LOG_DEBUG, 2666 "invalid source address\n"); 2667 m_freem(n); 2668 /* 2669 * The inner address is invalid however the session is valid 2670 * so continue the session processing below. 2671 */ 2672 } 2673 n = NULL; 2674 2675 /* Update the state machine if necessary. */ 2676 if (__predict_false(state == WGS_STATE_INIT_PASSIVE)) { 2677 /* 2678 * We were waiting for the initiator to send their 2679 * first data transport message, and that has happened. 2680 * Schedule a task to establish this session. 2681 */ 2682 wg_schedule_peer_task(wgp, WGP_TASK_ESTABLISH_SESSION); 2683 } else { 2684 if (__predict_false(wg_need_to_send_init_message(wgs))) { 2685 wg_schedule_peer_task(wgp, WGP_TASK_SEND_INIT_MESSAGE); 2686 } 2687 /* 2688 * [W] 6.5 Passive Keepalive 2689 * "If a peer has received a validly-authenticated transport 2690 * data message (section 5.4.6), but does not have any packets 2691 * itself to send back for KEEPALIVE-TIMEOUT seconds, it sends 2692 * a keepalive message." 2693 */ 2694 WG_DLOG("time_uptime=%ju wgs_time_last_data_sent=%ju\n", 2695 (uintmax_t)time_uptime, 2696 (uintmax_t)wgs->wgs_time_last_data_sent); 2697 if ((time_uptime - wgs->wgs_time_last_data_sent) >= 2698 wg_keepalive_timeout) { 2699 WG_TRACE("Schedule sending keepalive message"); 2700 /* 2701 * We can't send a keepalive message here to avoid 2702 * a deadlock; we already hold the solock of a socket 2703 * that is used to send the message. 2704 */ 2705 wg_schedule_peer_task(wgp, 2706 WGP_TASK_SEND_KEEPALIVE_MESSAGE); 2707 } 2708 } 2709 out: 2710 wg_put_session(wgs, &psref); 2711 if (m != NULL) 2712 m_freem(m); 2713 if (free_encrypted_buf) 2714 kmem_intr_free(encrypted_buf, encrypted_len); 2715 } 2716 2717 static void __noinline 2718 wg_handle_msg_cookie(struct wg_softc *wg, const struct wg_msg_cookie *wgmc) 2719 { 2720 struct wg_session *wgs; 2721 struct wg_peer *wgp; 2722 struct psref psref; 2723 int error; 2724 uint8_t key[WG_HASH_LEN]; 2725 uint8_t cookie[WG_COOKIE_LEN]; 2726 2727 WG_TRACE("cookie msg received"); 2728 2729 /* Find the putative session. */ 2730 wgs = wg_lookup_session_by_index(wg, wgmc->wgmc_receiver, &psref); 2731 if (wgs == NULL) { 2732 WG_TRACE("No session found"); 2733 return; 2734 } 2735 2736 /* Lock the peer so we can update the cookie state. */ 2737 wgp = wgs->wgs_peer; 2738 mutex_enter(wgp->wgp_lock); 2739 2740 if (!wgp->wgp_last_sent_mac1_valid) { 2741 WG_TRACE("No valid mac1 sent (or expired)"); 2742 goto out; 2743 } 2744 2745 /* Decrypt the cookie and store it for later handshake retry. 
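	 * Per [W] 5.4.7 the cookie is sealed with XAEAD under a key
	 * derived from the peer's static public key, roughly
	 * HASH(LABEL-COOKIE || Sm'^pub) as computed by
	 * wg_algo_mac_cookie, with msg.salt (wgmc_salt) as the nonce
	 * and the mac1 we last sent as the associated data.  The
	 * recovered cookie then feeds msg.mac2 when the handshake
	 * message is retransmitted.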
*/ 2746 wg_algo_mac_cookie(key, sizeof(key), wgp->wgp_pubkey, 2747 sizeof(wgp->wgp_pubkey)); 2748 error = wg_algo_xaead_dec(cookie, sizeof(cookie), key, 2749 wgmc->wgmc_cookie, sizeof(wgmc->wgmc_cookie), 2750 wgp->wgp_last_sent_mac1, sizeof(wgp->wgp_last_sent_mac1), 2751 wgmc->wgmc_salt); 2752 if (error != 0) { 2753 WG_LOG_RATECHECK(&wgp->wgp_ppsratecheck, LOG_DEBUG, 2754 "wg_algo_aead_dec for cookie failed: error=%d\n", error); 2755 goto out; 2756 } 2757 /* 2758 * [W] 6.6: Interaction with Cookie Reply System 2759 * "it should simply store the decrypted cookie value from the cookie 2760 * reply message, and wait for the expiration of the REKEY-TIMEOUT 2761 * timer for retrying a handshake initiation message." 2762 */ 2763 wgp->wgp_latest_cookie_time = time_uptime; 2764 memcpy(wgp->wgp_latest_cookie, cookie, sizeof(wgp->wgp_latest_cookie)); 2765 out: 2766 mutex_exit(wgp->wgp_lock); 2767 wg_put_session(wgs, &psref); 2768 } 2769 2770 static struct mbuf * 2771 wg_validate_msg_header(struct wg_softc *wg, struct mbuf *m) 2772 { 2773 struct wg_msg wgm; 2774 size_t mbuflen; 2775 size_t msglen; 2776 2777 /* 2778 * Get the mbuf chain length. It is already guaranteed, by 2779 * wg_overudp_cb, to be large enough for a struct wg_msg. 2780 */ 2781 mbuflen = m_length(m); 2782 KASSERT(mbuflen >= sizeof(struct wg_msg)); 2783 2784 /* 2785 * Copy the message header (32-bit message type) out -- we'll 2786 * worry about contiguity and alignment later. 2787 */ 2788 m_copydata(m, 0, sizeof(wgm), &wgm); 2789 switch (le32toh(wgm.wgm_type)) { 2790 case WG_MSG_TYPE_INIT: 2791 msglen = sizeof(struct wg_msg_init); 2792 break; 2793 case WG_MSG_TYPE_RESP: 2794 msglen = sizeof(struct wg_msg_resp); 2795 break; 2796 case WG_MSG_TYPE_COOKIE: 2797 msglen = sizeof(struct wg_msg_cookie); 2798 break; 2799 case WG_MSG_TYPE_DATA: 2800 msglen = sizeof(struct wg_msg_data); 2801 break; 2802 default: 2803 WG_LOG_RATECHECK(&wg->wg_ppsratecheck, LOG_DEBUG, 2804 "Unexpected msg type: %u\n", le32toh(wgm.wgm_type)); 2805 goto error; 2806 } 2807 2808 /* Verify the mbuf chain is long enough for this type of message. */ 2809 if (__predict_false(mbuflen < msglen)) { 2810 WG_DLOG("Invalid msg size: mbuflen=%lu type=%u\n", mbuflen, 2811 le32toh(wgm.wgm_type)); 2812 goto error; 2813 } 2814 2815 /* Make the message header contiguous if necessary. 
*/ 2816 if (__predict_false(m->m_len < msglen)) { 2817 m = m_pullup(m, msglen); 2818 if (m == NULL) 2819 return NULL; 2820 } 2821 2822 return m; 2823 2824 error: 2825 m_freem(m); 2826 return NULL; 2827 } 2828 2829 static void 2830 wg_handle_packet(struct wg_softc *wg, struct mbuf *m, 2831 const struct sockaddr *src) 2832 { 2833 struct wg_msg *wgm; 2834 2835 m = wg_validate_msg_header(wg, m); 2836 if (__predict_false(m == NULL)) 2837 return; 2838 2839 KASSERT(m->m_len >= sizeof(struct wg_msg)); 2840 wgm = mtod(m, struct wg_msg *); 2841 switch (le32toh(wgm->wgm_type)) { 2842 case WG_MSG_TYPE_INIT: 2843 wg_handle_msg_init(wg, (struct wg_msg_init *)wgm, src); 2844 break; 2845 case WG_MSG_TYPE_RESP: 2846 wg_handle_msg_resp(wg, (struct wg_msg_resp *)wgm, src); 2847 break; 2848 case WG_MSG_TYPE_COOKIE: 2849 wg_handle_msg_cookie(wg, (struct wg_msg_cookie *)wgm); 2850 break; 2851 case WG_MSG_TYPE_DATA: 2852 wg_handle_msg_data(wg, m, src); 2853 /* wg_handle_msg_data frees m for us */ 2854 return; 2855 default: 2856 panic("invalid message type: %d", le32toh(wgm->wgm_type)); 2857 } 2858 2859 m_freem(m); 2860 } 2861 2862 static void 2863 wg_receive_packets(struct wg_softc *wg, const int af) 2864 { 2865 2866 for (;;) { 2867 int error, flags; 2868 struct socket *so; 2869 struct mbuf *m = NULL; 2870 struct uio dummy_uio; 2871 struct mbuf *paddr = NULL; 2872 struct sockaddr *src; 2873 2874 so = wg_get_so_by_af(wg, af); 2875 flags = MSG_DONTWAIT; 2876 dummy_uio.uio_resid = 1000000000; 2877 2878 error = so->so_receive(so, &paddr, &dummy_uio, &m, NULL, 2879 &flags); 2880 if (error || m == NULL) { 2881 //if (error == EWOULDBLOCK) 2882 return; 2883 } 2884 2885 KASSERT(paddr != NULL); 2886 KASSERT(paddr->m_len >= sizeof(struct sockaddr)); 2887 src = mtod(paddr, struct sockaddr *); 2888 2889 wg_handle_packet(wg, m, src); 2890 } 2891 } 2892 2893 static void 2894 wg_get_peer(struct wg_peer *wgp, struct psref *psref) 2895 { 2896 2897 psref_acquire(psref, &wgp->wgp_psref, wg_psref_class); 2898 } 2899 2900 static void 2901 wg_put_peer(struct wg_peer *wgp, struct psref *psref) 2902 { 2903 2904 psref_release(psref, &wgp->wgp_psref, wg_psref_class); 2905 } 2906 2907 static void 2908 wg_task_send_init_message(struct wg_softc *wg, struct wg_peer *wgp) 2909 { 2910 struct wg_session *wgs; 2911 2912 WG_TRACE("WGP_TASK_SEND_INIT_MESSAGE"); 2913 2914 KASSERT(mutex_owned(wgp->wgp_lock)); 2915 2916 if (!atomic_load_acquire(&wgp->wgp_endpoint_available)) { 2917 WGLOG(LOG_DEBUG, "No endpoint available\n"); 2918 /* XXX should do something? */ 2919 return; 2920 } 2921 2922 wgs = wgp->wgp_session_stable; 2923 if (wgs->wgs_state == WGS_STATE_UNKNOWN) { 2924 /* XXX What if the unstable session is already INIT_ACTIVE? 
*/ 2925 wg_send_handshake_msg_init(wg, wgp); 2926 } else { 2927 /* rekey */ 2928 wgs = wgp->wgp_session_unstable; 2929 if (wgs->wgs_state != WGS_STATE_INIT_ACTIVE) 2930 wg_send_handshake_msg_init(wg, wgp); 2931 } 2932 } 2933 2934 static void 2935 wg_task_retry_handshake(struct wg_softc *wg, struct wg_peer *wgp) 2936 { 2937 struct wg_session *wgs; 2938 2939 WG_TRACE("WGP_TASK_RETRY_HANDSHAKE"); 2940 2941 KASSERT(mutex_owned(wgp->wgp_lock)); 2942 KASSERT(wgp->wgp_handshake_start_time != 0); 2943 2944 wgs = wgp->wgp_session_unstable; 2945 if (wgs->wgs_state != WGS_STATE_INIT_ACTIVE) 2946 return; 2947 2948 /* 2949 * XXX no real need to assign a new index here, but we do need 2950 * to transition to UNKNOWN temporarily 2951 */ 2952 wg_put_session_index(wg, wgs); 2953 2954 /* [W] 6.4 Handshake Initiation Retransmission */ 2955 if ((time_uptime - wgp->wgp_handshake_start_time) > 2956 wg_rekey_attempt_time) { 2957 /* Give up handshaking */ 2958 wgp->wgp_handshake_start_time = 0; 2959 WG_TRACE("give up"); 2960 2961 /* 2962 * If a new data packet comes, handshaking will be retried 2963 * and a new session would be established at that time, 2964 * however we don't want to send pending packets then. 2965 */ 2966 wg_purge_pending_packets(wgp); 2967 return; 2968 } 2969 2970 wg_task_send_init_message(wg, wgp); 2971 } 2972 2973 static void 2974 wg_task_establish_session(struct wg_softc *wg, struct wg_peer *wgp) 2975 { 2976 struct wg_session *wgs, *wgs_prev; 2977 struct mbuf *m; 2978 2979 KASSERT(mutex_owned(wgp->wgp_lock)); 2980 2981 wgs = wgp->wgp_session_unstable; 2982 if (wgs->wgs_state != WGS_STATE_INIT_PASSIVE) 2983 /* XXX Can this happen? */ 2984 return; 2985 2986 wgs->wgs_state = WGS_STATE_ESTABLISHED; 2987 wgs->wgs_time_established = time_uptime; 2988 wgs->wgs_time_last_data_sent = 0; 2989 wgs->wgs_is_initiator = false; 2990 WG_TRACE("WGS_STATE_ESTABLISHED"); 2991 2992 wg_swap_sessions(wgp); 2993 KASSERT(wgs == wgp->wgp_session_stable); 2994 wgs_prev = wgp->wgp_session_unstable; 2995 getnanotime(&wgp->wgp_last_handshake_time); 2996 wgp->wgp_handshake_start_time = 0; 2997 wgp->wgp_last_sent_mac1_valid = false; 2998 wgp->wgp_last_sent_cookie_valid = false; 2999 3000 /* If we had a data packet queued up, send it. */ 3001 if ((m = atomic_swap_ptr(&wgp->wgp_pending, NULL)) != NULL) { 3002 kpreempt_disable(); 3003 const uint32_t h = curcpu()->ci_index; // pktq_rps_hash(m) 3004 M_SETCTX(m, wgp); 3005 if (__predict_false(!pktq_enqueue(wg_pktq, m, h))) { 3006 WGLOG(LOG_ERR, "pktq full, dropping\n"); 3007 m_freem(m); 3008 } 3009 kpreempt_enable(); 3010 } 3011 3012 if (wgs_prev->wgs_state == WGS_STATE_ESTABLISHED) { 3013 /* Wait for wg_get_stable_session to drain. */ 3014 pserialize_perform(wgp->wgp_psz); 3015 3016 /* Transition ESTABLISHED->DESTROYING. 
*/ 3017 wgs_prev->wgs_state = WGS_STATE_DESTROYING; 3018 3019 /* We can't destroy the old session immediately */ 3020 wg_schedule_session_dtor_timer(wgp); 3021 } else { 3022 KASSERTMSG(wgs_prev->wgs_state == WGS_STATE_UNKNOWN, 3023 "state=%d", wgs_prev->wgs_state); 3024 wg_clear_states(wgs_prev); 3025 wgs_prev->wgs_state = WGS_STATE_UNKNOWN; 3026 } 3027 } 3028 3029 static void 3030 wg_task_endpoint_changed(struct wg_softc *wg, struct wg_peer *wgp) 3031 { 3032 3033 WG_TRACE("WGP_TASK_ENDPOINT_CHANGED"); 3034 3035 KASSERT(mutex_owned(wgp->wgp_lock)); 3036 3037 if (atomic_load_relaxed(&wgp->wgp_endpoint_changing)) { 3038 pserialize_perform(wgp->wgp_psz); 3039 mutex_exit(wgp->wgp_lock); 3040 psref_target_destroy(&wgp->wgp_endpoint0->wgsa_psref, 3041 wg_psref_class); 3042 psref_target_init(&wgp->wgp_endpoint0->wgsa_psref, 3043 wg_psref_class); 3044 mutex_enter(wgp->wgp_lock); 3045 atomic_store_release(&wgp->wgp_endpoint_changing, 0); 3046 } 3047 } 3048 3049 static void 3050 wg_task_send_keepalive_message(struct wg_softc *wg, struct wg_peer *wgp) 3051 { 3052 struct wg_session *wgs; 3053 3054 WG_TRACE("WGP_TASK_SEND_KEEPALIVE_MESSAGE"); 3055 3056 KASSERT(mutex_owned(wgp->wgp_lock)); 3057 3058 wgs = wgp->wgp_session_stable; 3059 if (wgs->wgs_state != WGS_STATE_ESTABLISHED) 3060 return; 3061 3062 wg_send_keepalive_msg(wgp, wgs); 3063 } 3064 3065 static void 3066 wg_task_destroy_prev_session(struct wg_softc *wg, struct wg_peer *wgp) 3067 { 3068 struct wg_session *wgs; 3069 3070 WG_TRACE("WGP_TASK_DESTROY_PREV_SESSION"); 3071 3072 KASSERT(mutex_owned(wgp->wgp_lock)); 3073 3074 wgs = wgp->wgp_session_unstable; 3075 if (wgs->wgs_state == WGS_STATE_DESTROYING) { 3076 wg_put_session_index(wg, wgs); 3077 } 3078 } 3079 3080 static void 3081 wg_peer_work(struct work *wk, void *cookie) 3082 { 3083 struct wg_peer *wgp = container_of(wk, struct wg_peer, wgp_work); 3084 struct wg_softc *wg = wgp->wgp_sc; 3085 unsigned int tasks; 3086 3087 mutex_enter(wgp->wgp_intr_lock); 3088 while ((tasks = wgp->wgp_tasks) != 0) { 3089 wgp->wgp_tasks = 0; 3090 mutex_exit(wgp->wgp_intr_lock); 3091 3092 mutex_enter(wgp->wgp_lock); 3093 if (ISSET(tasks, WGP_TASK_SEND_INIT_MESSAGE)) 3094 wg_task_send_init_message(wg, wgp); 3095 if (ISSET(tasks, WGP_TASK_RETRY_HANDSHAKE)) 3096 wg_task_retry_handshake(wg, wgp); 3097 if (ISSET(tasks, WGP_TASK_ESTABLISH_SESSION)) 3098 wg_task_establish_session(wg, wgp); 3099 if (ISSET(tasks, WGP_TASK_ENDPOINT_CHANGED)) 3100 wg_task_endpoint_changed(wg, wgp); 3101 if (ISSET(tasks, WGP_TASK_SEND_KEEPALIVE_MESSAGE)) 3102 wg_task_send_keepalive_message(wg, wgp); 3103 if (ISSET(tasks, WGP_TASK_DESTROY_PREV_SESSION)) 3104 wg_task_destroy_prev_session(wg, wgp); 3105 mutex_exit(wgp->wgp_lock); 3106 3107 mutex_enter(wgp->wgp_intr_lock); 3108 } 3109 mutex_exit(wgp->wgp_intr_lock); 3110 } 3111 3112 static void 3113 wg_job(struct threadpool_job *job) 3114 { 3115 struct wg_softc *wg = container_of(job, struct wg_softc, wg_job); 3116 int bound, upcalls; 3117 3118 mutex_enter(wg->wg_intr_lock); 3119 while ((upcalls = wg->wg_upcalls) != 0) { 3120 wg->wg_upcalls = 0; 3121 mutex_exit(wg->wg_intr_lock); 3122 bound = curlwp_bind(); 3123 if (ISSET(upcalls, WG_UPCALL_INET)) 3124 wg_receive_packets(wg, AF_INET); 3125 if (ISSET(upcalls, WG_UPCALL_INET6)) 3126 wg_receive_packets(wg, AF_INET6); 3127 curlwp_bindx(bound); 3128 mutex_enter(wg->wg_intr_lock); 3129 } 3130 threadpool_job_done(job); 3131 mutex_exit(wg->wg_intr_lock); 3132 } 3133 3134 static int 3135 wg_bind_port(struct wg_softc *wg, const uint16_t port) 3136 { 3137 
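	/*
	 * (Re)bind both the IPv4 and, when INET6 is configured, the
	 * IPv6 socket to the requested port.  Rebinding to the nonzero
	 * port already in use is a no-op, and wg_listen_port is only
	 * updated once every bind has succeeded.
	 */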
int error; 3138 uint16_t old_port = wg->wg_listen_port; 3139 3140 if (port != 0 && old_port == port) 3141 return 0; 3142 3143 struct sockaddr_in _sin, *sin = &_sin; 3144 sin->sin_len = sizeof(*sin); 3145 sin->sin_family = AF_INET; 3146 sin->sin_addr.s_addr = INADDR_ANY; 3147 sin->sin_port = htons(port); 3148 3149 error = sobind(wg->wg_so4, sintosa(sin), curlwp); 3150 if (error != 0) 3151 return error; 3152 3153 #ifdef INET6 3154 struct sockaddr_in6 _sin6, *sin6 = &_sin6; 3155 sin6->sin6_len = sizeof(*sin6); 3156 sin6->sin6_family = AF_INET6; 3157 sin6->sin6_addr = in6addr_any; 3158 sin6->sin6_port = htons(port); 3159 3160 error = sobind(wg->wg_so6, sin6tosa(sin6), curlwp); 3161 if (error != 0) 3162 return error; 3163 #endif 3164 3165 wg->wg_listen_port = port; 3166 3167 return 0; 3168 } 3169 3170 static void 3171 wg_so_upcall(struct socket *so, void *cookie, int events, int waitflag) 3172 { 3173 struct wg_softc *wg = cookie; 3174 int reason; 3175 3176 reason = (so->so_proto->pr_domain->dom_family == AF_INET) ? 3177 WG_UPCALL_INET : 3178 WG_UPCALL_INET6; 3179 3180 mutex_enter(wg->wg_intr_lock); 3181 wg->wg_upcalls |= reason; 3182 threadpool_schedule_job(wg->wg_threadpool, &wg->wg_job); 3183 mutex_exit(wg->wg_intr_lock); 3184 } 3185 3186 static int 3187 wg_overudp_cb(struct mbuf **mp, int offset, struct socket *so, 3188 struct sockaddr *src, void *arg) 3189 { 3190 struct wg_softc *wg = arg; 3191 struct wg_msg wgm; 3192 struct mbuf *m = *mp; 3193 3194 WG_TRACE("enter"); 3195 3196 /* Verify the mbuf chain is long enough to have a wg msg header. */ 3197 KASSERT(offset <= m_length(m)); 3198 if (__predict_false(m_length(m) - offset < sizeof(struct wg_msg))) { 3199 /* drop on the floor */ 3200 m_freem(m); 3201 return -1; 3202 } 3203 3204 /* 3205 * Copy the message header (32-bit message type) out -- we'll 3206 * worry about contiguity and alignment later. 3207 */ 3208 m_copydata(m, offset, sizeof(struct wg_msg), &wgm); 3209 WG_DLOG("type=%d\n", le32toh(wgm.wgm_type)); 3210 3211 /* 3212 * Handle DATA packets promptly as they arrive. Other packets 3213 * may require expensive public-key crypto and are not as 3214 * sensitive to latency, so defer them to the worker thread. 
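	 * Roughly: for DATA we take the mbuf here (*mp = NULL, return
	 * 1) and decrypt it directly in the UDP input path; INIT, RESP
	 * and COOKIE return 0 so the packet is queued to the socket as
	 * usual, where wg_so_upcall schedules the threadpool job and
	 * wg_receive_packets hands it to wg_handle_packet; anything
	 * else is freed and rejected with -1.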
3215 */ 3216 switch (le32toh(wgm.wgm_type)) { 3217 case WG_MSG_TYPE_DATA: 3218 /* handle immediately */ 3219 m_adj(m, offset); 3220 if (__predict_false(m->m_len < sizeof(struct wg_msg_data))) { 3221 m = m_pullup(m, sizeof(struct wg_msg_data)); 3222 if (m == NULL) 3223 return -1; 3224 } 3225 wg_handle_msg_data(wg, m, src); 3226 *mp = NULL; 3227 return 1; 3228 case WG_MSG_TYPE_INIT: 3229 case WG_MSG_TYPE_RESP: 3230 case WG_MSG_TYPE_COOKIE: 3231 /* pass through to so_receive in wg_receive_packets */ 3232 return 0; 3233 default: 3234 /* drop on the floor */ 3235 m_freem(m); 3236 return -1; 3237 } 3238 } 3239 3240 static int 3241 wg_socreate(struct wg_softc *wg, int af, struct socket **sop) 3242 { 3243 int error; 3244 struct socket *so; 3245 3246 error = socreate(af, &so, SOCK_DGRAM, 0, curlwp, NULL); 3247 if (error != 0) 3248 return error; 3249 3250 solock(so); 3251 so->so_upcallarg = wg; 3252 so->so_upcall = wg_so_upcall; 3253 so->so_rcv.sb_flags |= SB_UPCALL; 3254 if (af == AF_INET) 3255 in_pcb_register_overudp_cb(sotoinpcb(so), wg_overudp_cb, wg); 3256 #if INET6 3257 else 3258 in6_pcb_register_overudp_cb(sotoin6pcb(so), wg_overudp_cb, wg); 3259 #endif 3260 sounlock(so); 3261 3262 *sop = so; 3263 3264 return 0; 3265 } 3266 3267 static bool 3268 wg_session_hit_limits(struct wg_session *wgs) 3269 { 3270 3271 /* 3272 * [W] 6.2: Transport Message Limits 3273 * "After REJECT-AFTER-MESSAGES transport data messages or after the 3274 * current secure session is REJECT-AFTER-TIME seconds old, whichever 3275 * comes first, WireGuard will refuse to send any more transport data 3276 * messages using the current secure session, ..." 3277 */ 3278 KASSERT(wgs->wgs_time_established != 0); 3279 if ((time_uptime - wgs->wgs_time_established) > wg_reject_after_time) { 3280 WG_DLOG("The session hits REJECT_AFTER_TIME\n"); 3281 return true; 3282 } else if (wg_session_get_send_counter(wgs) > 3283 wg_reject_after_messages) { 3284 WG_DLOG("The session hits REJECT_AFTER_MESSAGES\n"); 3285 return true; 3286 } 3287 3288 return false; 3289 } 3290 3291 static void 3292 wgintr(void *cookie) 3293 { 3294 struct wg_peer *wgp; 3295 struct wg_session *wgs; 3296 struct mbuf *m; 3297 struct psref psref; 3298 3299 while ((m = pktq_dequeue(wg_pktq)) != NULL) { 3300 wgp = M_GETCTX(m, struct wg_peer *); 3301 if ((wgs = wg_get_stable_session(wgp, &psref)) == NULL) { 3302 WG_TRACE("no stable session"); 3303 wg_schedule_peer_task(wgp, WGP_TASK_SEND_INIT_MESSAGE); 3304 goto next0; 3305 } 3306 if (__predict_false(wg_session_hit_limits(wgs))) { 3307 WG_TRACE("stable session hit limits"); 3308 wg_schedule_peer_task(wgp, WGP_TASK_SEND_INIT_MESSAGE); 3309 goto next1; 3310 } 3311 wg_send_data_msg(wgp, wgs, m); 3312 m = NULL; /* consumed */ 3313 next1: wg_put_session(wgs, &psref); 3314 next0: if (m) 3315 m_freem(m); 3316 /* XXX Yield to avoid userland starvation? 
*/ 3317 } 3318 } 3319 3320 static void 3321 wg_rekey_timer(void *arg) 3322 { 3323 struct wg_peer *wgp = arg; 3324 3325 wg_schedule_peer_task(wgp, WGP_TASK_SEND_INIT_MESSAGE); 3326 } 3327 3328 static void 3329 wg_purge_pending_packets(struct wg_peer *wgp) 3330 { 3331 struct mbuf *m; 3332 3333 if ((m = atomic_swap_ptr(&wgp->wgp_pending, NULL)) != NULL) 3334 m_freem(m); 3335 pktq_barrier(wg_pktq); 3336 } 3337 3338 static void 3339 wg_handshake_timeout_timer(void *arg) 3340 { 3341 struct wg_peer *wgp = arg; 3342 3343 WG_TRACE("enter"); 3344 3345 wg_schedule_peer_task(wgp, WGP_TASK_RETRY_HANDSHAKE); 3346 } 3347 3348 static struct wg_peer * 3349 wg_alloc_peer(struct wg_softc *wg) 3350 { 3351 struct wg_peer *wgp; 3352 3353 wgp = kmem_zalloc(sizeof(*wgp), KM_SLEEP); 3354 3355 wgp->wgp_sc = wg; 3356 callout_init(&wgp->wgp_rekey_timer, CALLOUT_MPSAFE); 3357 callout_setfunc(&wgp->wgp_rekey_timer, wg_rekey_timer, wgp); 3358 callout_init(&wgp->wgp_handshake_timeout_timer, CALLOUT_MPSAFE); 3359 callout_setfunc(&wgp->wgp_handshake_timeout_timer, 3360 wg_handshake_timeout_timer, wgp); 3361 callout_init(&wgp->wgp_session_dtor_timer, CALLOUT_MPSAFE); 3362 callout_setfunc(&wgp->wgp_session_dtor_timer, 3363 wg_session_dtor_timer, wgp); 3364 PSLIST_ENTRY_INIT(wgp, wgp_peerlist_entry); 3365 wgp->wgp_endpoint_changing = false; 3366 wgp->wgp_endpoint_available = false; 3367 wgp->wgp_lock = mutex_obj_alloc(MUTEX_DEFAULT, IPL_NONE); 3368 wgp->wgp_intr_lock = mutex_obj_alloc(MUTEX_DEFAULT, IPL_SOFTNET); 3369 wgp->wgp_psz = pserialize_create(); 3370 psref_target_init(&wgp->wgp_psref, wg_psref_class); 3371 3372 wgp->wgp_endpoint = kmem_zalloc(sizeof(*wgp->wgp_endpoint), KM_SLEEP); 3373 wgp->wgp_endpoint0 = kmem_zalloc(sizeof(*wgp->wgp_endpoint0), KM_SLEEP); 3374 psref_target_init(&wgp->wgp_endpoint->wgsa_psref, wg_psref_class); 3375 psref_target_init(&wgp->wgp_endpoint0->wgsa_psref, wg_psref_class); 3376 3377 struct wg_session *wgs; 3378 wgp->wgp_session_stable = 3379 kmem_zalloc(sizeof(*wgp->wgp_session_stable), KM_SLEEP); 3380 wgp->wgp_session_unstable = 3381 kmem_zalloc(sizeof(*wgp->wgp_session_unstable), KM_SLEEP); 3382 wgs = wgp->wgp_session_stable; 3383 wgs->wgs_peer = wgp; 3384 wgs->wgs_state = WGS_STATE_UNKNOWN; 3385 psref_target_init(&wgs->wgs_psref, wg_psref_class); 3386 #ifndef __HAVE_ATOMIC64_LOADSTORE 3387 mutex_init(&wgs->wgs_send_counter_lock, MUTEX_DEFAULT, IPL_SOFTNET); 3388 #endif 3389 wgs->wgs_recvwin = kmem_zalloc(sizeof(*wgs->wgs_recvwin), KM_SLEEP); 3390 mutex_init(&wgs->wgs_recvwin->lock, MUTEX_DEFAULT, IPL_SOFTNET); 3391 3392 wgs = wgp->wgp_session_unstable; 3393 wgs->wgs_peer = wgp; 3394 wgs->wgs_state = WGS_STATE_UNKNOWN; 3395 psref_target_init(&wgs->wgs_psref, wg_psref_class); 3396 #ifndef __HAVE_ATOMIC64_LOADSTORE 3397 mutex_init(&wgs->wgs_send_counter_lock, MUTEX_DEFAULT, IPL_SOFTNET); 3398 #endif 3399 wgs->wgs_recvwin = kmem_zalloc(sizeof(*wgs->wgs_recvwin), KM_SLEEP); 3400 mutex_init(&wgs->wgs_recvwin->lock, MUTEX_DEFAULT, IPL_SOFTNET); 3401 3402 return wgp; 3403 } 3404 3405 static void 3406 wg_destroy_peer(struct wg_peer *wgp) 3407 { 3408 struct wg_session *wgs; 3409 struct wg_softc *wg = wgp->wgp_sc; 3410 3411 /* Prevent new packets from this peer on any source address. 
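	 * Concretely, each of the peer's allowedips is deleted from the
	 * per-family radix tree while holding the writer lock, after
	 * which wg_pick_peer_by_sa (and hence wg_validate_route and
	 * wg_output) can no longer resolve an address to this peer.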
*/ 3412 rw_enter(wg->wg_rwlock, RW_WRITER); 3413 for (int i = 0; i < wgp->wgp_n_allowedips; i++) { 3414 struct wg_allowedip *wga = &wgp->wgp_allowedips[i]; 3415 struct radix_node_head *rnh = wg_rnh(wg, wga->wga_family); 3416 struct radix_node *rn; 3417 3418 KASSERT(rnh != NULL); 3419 rn = rnh->rnh_deladdr(&wga->wga_sa_addr, 3420 &wga->wga_sa_mask, rnh); 3421 if (rn == NULL) { 3422 char addrstr[128]; 3423 sockaddr_format(&wga->wga_sa_addr, addrstr, 3424 sizeof(addrstr)); 3425 WGLOG(LOG_WARNING, "Couldn't delete %s", addrstr); 3426 } 3427 } 3428 rw_exit(wg->wg_rwlock); 3429 3430 /* Purge pending packets. */ 3431 wg_purge_pending_packets(wgp); 3432 3433 /* Halt all packet processing and timeouts. */ 3434 callout_halt(&wgp->wgp_rekey_timer, NULL); 3435 callout_halt(&wgp->wgp_handshake_timeout_timer, NULL); 3436 callout_halt(&wgp->wgp_session_dtor_timer, NULL); 3437 3438 /* Wait for any queued work to complete. */ 3439 workqueue_wait(wg_wq, &wgp->wgp_work); 3440 3441 wgs = wgp->wgp_session_unstable; 3442 if (wgs->wgs_state != WGS_STATE_UNKNOWN) { 3443 mutex_enter(wgp->wgp_lock); 3444 wg_destroy_session(wg, wgs); 3445 mutex_exit(wgp->wgp_lock); 3446 } 3447 mutex_destroy(&wgs->wgs_recvwin->lock); 3448 kmem_free(wgs->wgs_recvwin, sizeof(*wgs->wgs_recvwin)); 3449 #ifndef __HAVE_ATOMIC64_LOADSTORE 3450 mutex_destroy(&wgs->wgs_send_counter_lock); 3451 #endif 3452 kmem_free(wgs, sizeof(*wgs)); 3453 3454 wgs = wgp->wgp_session_stable; 3455 if (wgs->wgs_state != WGS_STATE_UNKNOWN) { 3456 mutex_enter(wgp->wgp_lock); 3457 wg_destroy_session(wg, wgs); 3458 mutex_exit(wgp->wgp_lock); 3459 } 3460 mutex_destroy(&wgs->wgs_recvwin->lock); 3461 kmem_free(wgs->wgs_recvwin, sizeof(*wgs->wgs_recvwin)); 3462 #ifndef __HAVE_ATOMIC64_LOADSTORE 3463 mutex_destroy(&wgs->wgs_send_counter_lock); 3464 #endif 3465 kmem_free(wgs, sizeof(*wgs)); 3466 3467 psref_target_destroy(&wgp->wgp_endpoint->wgsa_psref, wg_psref_class); 3468 psref_target_destroy(&wgp->wgp_endpoint0->wgsa_psref, wg_psref_class); 3469 kmem_free(wgp->wgp_endpoint, sizeof(*wgp->wgp_endpoint)); 3470 kmem_free(wgp->wgp_endpoint0, sizeof(*wgp->wgp_endpoint0)); 3471 3472 pserialize_destroy(wgp->wgp_psz); 3473 mutex_obj_free(wgp->wgp_intr_lock); 3474 mutex_obj_free(wgp->wgp_lock); 3475 3476 kmem_free(wgp, sizeof(*wgp)); 3477 } 3478 3479 static void 3480 wg_destroy_all_peers(struct wg_softc *wg) 3481 { 3482 struct wg_peer *wgp, *wgp0 __diagused; 3483 void *garbage_byname, *garbage_bypubkey; 3484 3485 restart: 3486 garbage_byname = garbage_bypubkey = NULL; 3487 mutex_enter(wg->wg_lock); 3488 WG_PEER_WRITER_FOREACH(wgp, wg) { 3489 if (wgp->wgp_name[0]) { 3490 wgp0 = thmap_del(wg->wg_peers_byname, wgp->wgp_name, 3491 strlen(wgp->wgp_name)); 3492 KASSERT(wgp0 == wgp); 3493 garbage_byname = thmap_stage_gc(wg->wg_peers_byname); 3494 } 3495 wgp0 = thmap_del(wg->wg_peers_bypubkey, wgp->wgp_pubkey, 3496 sizeof(wgp->wgp_pubkey)); 3497 KASSERT(wgp0 == wgp); 3498 garbage_bypubkey = thmap_stage_gc(wg->wg_peers_bypubkey); 3499 WG_PEER_WRITER_REMOVE(wgp); 3500 wg->wg_npeers--; 3501 mutex_enter(wgp->wgp_lock); 3502 pserialize_perform(wgp->wgp_psz); 3503 mutex_exit(wgp->wgp_lock); 3504 PSLIST_ENTRY_DESTROY(wgp, wgp_peerlist_entry); 3505 break; 3506 } 3507 mutex_exit(wg->wg_lock); 3508 3509 if (wgp == NULL) 3510 return; 3511 3512 psref_target_destroy(&wgp->wgp_psref, wg_psref_class); 3513 3514 wg_destroy_peer(wgp); 3515 thmap_gc(wg->wg_peers_byname, garbage_byname); 3516 thmap_gc(wg->wg_peers_bypubkey, garbage_bypubkey); 3517 3518 goto restart; 3519 } 3520 3521 static int 3522 
wg_destroy_peer_name(struct wg_softc *wg, const char *name) 3523 { 3524 struct wg_peer *wgp, *wgp0 __diagused; 3525 void *garbage_byname, *garbage_bypubkey; 3526 3527 mutex_enter(wg->wg_lock); 3528 wgp = thmap_del(wg->wg_peers_byname, name, strlen(name)); 3529 if (wgp != NULL) { 3530 wgp0 = thmap_del(wg->wg_peers_bypubkey, wgp->wgp_pubkey, 3531 sizeof(wgp->wgp_pubkey)); 3532 KASSERT(wgp0 == wgp); 3533 garbage_byname = thmap_stage_gc(wg->wg_peers_byname); 3534 garbage_bypubkey = thmap_stage_gc(wg->wg_peers_bypubkey); 3535 WG_PEER_WRITER_REMOVE(wgp); 3536 wg->wg_npeers--; 3537 if (wg->wg_npeers == 0) 3538 if_link_state_change(&wg->wg_if, LINK_STATE_DOWN); 3539 mutex_enter(wgp->wgp_lock); 3540 pserialize_perform(wgp->wgp_psz); 3541 mutex_exit(wgp->wgp_lock); 3542 PSLIST_ENTRY_DESTROY(wgp, wgp_peerlist_entry); 3543 } 3544 mutex_exit(wg->wg_lock); 3545 3546 if (wgp == NULL) 3547 return ENOENT; 3548 3549 psref_target_destroy(&wgp->wgp_psref, wg_psref_class); 3550 3551 wg_destroy_peer(wgp); 3552 thmap_gc(wg->wg_peers_byname, garbage_byname); 3553 thmap_gc(wg->wg_peers_bypubkey, garbage_bypubkey); 3554 3555 return 0; 3556 } 3557 3558 static int 3559 wg_if_attach(struct wg_softc *wg) 3560 { 3561 3562 wg->wg_if.if_addrlen = 0; 3563 wg->wg_if.if_mtu = WG_MTU; 3564 wg->wg_if.if_flags = IFF_MULTICAST; 3565 wg->wg_if.if_extflags = IFEF_MPSAFE; 3566 wg->wg_if.if_ioctl = wg_ioctl; 3567 wg->wg_if.if_output = wg_output; 3568 wg->wg_if.if_init = wg_init; 3569 #ifdef ALTQ 3570 wg->wg_if.if_start = wg_start; 3571 #endif 3572 wg->wg_if.if_stop = wg_stop; 3573 wg->wg_if.if_type = IFT_OTHER; 3574 wg->wg_if.if_dlt = DLT_NULL; 3575 wg->wg_if.if_softc = wg; 3576 #ifdef ALTQ 3577 IFQ_SET_READY(&wg->wg_if.if_snd); 3578 #endif 3579 if_initialize(&wg->wg_if); 3580 3581 wg->wg_if.if_link_state = LINK_STATE_DOWN; 3582 if_alloc_sadl(&wg->wg_if); 3583 if_register(&wg->wg_if); 3584 3585 bpf_attach(&wg->wg_if, DLT_NULL, sizeof(uint32_t)); 3586 3587 return 0; 3588 } 3589 3590 static void 3591 wg_if_detach(struct wg_softc *wg) 3592 { 3593 struct ifnet *ifp = &wg->wg_if; 3594 3595 bpf_detach(ifp); 3596 if_detach(ifp); 3597 } 3598 3599 static int 3600 wg_clone_create(struct if_clone *ifc, int unit) 3601 { 3602 struct wg_softc *wg; 3603 int error; 3604 3605 wg_guarantee_initialized(); 3606 3607 error = wg_count_inc(); 3608 if (error) 3609 return error; 3610 3611 wg = kmem_zalloc(sizeof(*wg), KM_SLEEP); 3612 3613 if_initname(&wg->wg_if, ifc->ifc_name, unit); 3614 3615 PSLIST_INIT(&wg->wg_peers); 3616 wg->wg_peers_bypubkey = thmap_create(0, NULL, THMAP_NOCOPY); 3617 wg->wg_peers_byname = thmap_create(0, NULL, THMAP_NOCOPY); 3618 wg->wg_sessions_byindex = thmap_create(0, NULL, THMAP_NOCOPY); 3619 wg->wg_lock = mutex_obj_alloc(MUTEX_DEFAULT, IPL_NONE); 3620 wg->wg_intr_lock = mutex_obj_alloc(MUTEX_DEFAULT, IPL_SOFTNET); 3621 wg->wg_rwlock = rw_obj_alloc(); 3622 threadpool_job_init(&wg->wg_job, wg_job, wg->wg_intr_lock, 3623 "%s", if_name(&wg->wg_if)); 3624 wg->wg_ops = &wg_ops_rumpkernel; 3625 3626 error = threadpool_get(&wg->wg_threadpool, PRI_NONE); 3627 if (error) 3628 goto fail0; 3629 3630 #ifdef INET 3631 error = wg_socreate(wg, AF_INET, &wg->wg_so4); 3632 if (error) 3633 goto fail1; 3634 rn_inithead((void **)&wg->wg_rtable_ipv4, 3635 offsetof(struct sockaddr_in, sin_addr) * NBBY); 3636 #endif 3637 #ifdef INET6 3638 error = wg_socreate(wg, AF_INET6, &wg->wg_so6); 3639 if (error) 3640 goto fail2; 3641 rn_inithead((void **)&wg->wg_rtable_ipv6, 3642 offsetof(struct sockaddr_in6, sin6_addr) * NBBY); 3643 #endif 3644 3645 error = 
wg_if_attach(wg); 3646 if (error) 3647 goto fail3; 3648 3649 return 0; 3650 3651 fail4: __unused 3652 wg_if_detach(wg); 3653 fail3: wg_destroy_all_peers(wg); 3654 #ifdef INET6 3655 solock(wg->wg_so6); 3656 wg->wg_so6->so_rcv.sb_flags &= ~SB_UPCALL; 3657 sounlock(wg->wg_so6); 3658 #endif 3659 #ifdef INET 3660 solock(wg->wg_so4); 3661 wg->wg_so4->so_rcv.sb_flags &= ~SB_UPCALL; 3662 sounlock(wg->wg_so4); 3663 #endif 3664 mutex_enter(wg->wg_intr_lock); 3665 threadpool_cancel_job(wg->wg_threadpool, &wg->wg_job); 3666 mutex_exit(wg->wg_intr_lock); 3667 #ifdef INET6 3668 if (wg->wg_rtable_ipv6 != NULL) 3669 free(wg->wg_rtable_ipv6, M_RTABLE); 3670 soclose(wg->wg_so6); 3671 fail2: 3672 #endif 3673 #ifdef INET 3674 if (wg->wg_rtable_ipv4 != NULL) 3675 free(wg->wg_rtable_ipv4, M_RTABLE); 3676 soclose(wg->wg_so4); 3677 fail1: 3678 #endif 3679 threadpool_put(wg->wg_threadpool, PRI_NONE); 3680 fail0: threadpool_job_destroy(&wg->wg_job); 3681 rw_obj_free(wg->wg_rwlock); 3682 mutex_obj_free(wg->wg_intr_lock); 3683 mutex_obj_free(wg->wg_lock); 3684 thmap_destroy(wg->wg_sessions_byindex); 3685 thmap_destroy(wg->wg_peers_byname); 3686 thmap_destroy(wg->wg_peers_bypubkey); 3687 PSLIST_DESTROY(&wg->wg_peers); 3688 kmem_free(wg, sizeof(*wg)); 3689 wg_count_dec(); 3690 return error; 3691 } 3692 3693 static int 3694 wg_clone_destroy(struct ifnet *ifp) 3695 { 3696 struct wg_softc *wg = container_of(ifp, struct wg_softc, wg_if); 3697 3698 #ifdef WG_RUMPKERNEL 3699 if (wg_user_mode(wg)) { 3700 rumpuser_wg_destroy(wg->wg_user); 3701 wg->wg_user = NULL; 3702 } 3703 #endif 3704 3705 wg_if_detach(wg); 3706 wg_destroy_all_peers(wg); 3707 #ifdef INET6 3708 solock(wg->wg_so6); 3709 wg->wg_so6->so_rcv.sb_flags &= ~SB_UPCALL; 3710 sounlock(wg->wg_so6); 3711 #endif 3712 #ifdef INET 3713 solock(wg->wg_so4); 3714 wg->wg_so4->so_rcv.sb_flags &= ~SB_UPCALL; 3715 sounlock(wg->wg_so4); 3716 #endif 3717 mutex_enter(wg->wg_intr_lock); 3718 threadpool_cancel_job(wg->wg_threadpool, &wg->wg_job); 3719 mutex_exit(wg->wg_intr_lock); 3720 #ifdef INET6 3721 if (wg->wg_rtable_ipv6 != NULL) 3722 free(wg->wg_rtable_ipv6, M_RTABLE); 3723 soclose(wg->wg_so6); 3724 #endif 3725 #ifdef INET 3726 if (wg->wg_rtable_ipv4 != NULL) 3727 free(wg->wg_rtable_ipv4, M_RTABLE); 3728 soclose(wg->wg_so4); 3729 #endif 3730 threadpool_put(wg->wg_threadpool, PRI_NONE); 3731 threadpool_job_destroy(&wg->wg_job); 3732 rw_obj_free(wg->wg_rwlock); 3733 mutex_obj_free(wg->wg_intr_lock); 3734 mutex_obj_free(wg->wg_lock); 3735 thmap_destroy(wg->wg_sessions_byindex); 3736 thmap_destroy(wg->wg_peers_byname); 3737 thmap_destroy(wg->wg_peers_bypubkey); 3738 PSLIST_DESTROY(&wg->wg_peers); 3739 kmem_free(wg, sizeof(*wg)); 3740 wg_count_dec(); 3741 3742 return 0; 3743 } 3744 3745 static struct wg_peer * 3746 wg_pick_peer_by_sa(struct wg_softc *wg, const struct sockaddr *sa, 3747 struct psref *psref) 3748 { 3749 struct radix_node_head *rnh; 3750 struct radix_node *rn; 3751 struct wg_peer *wgp = NULL; 3752 struct wg_allowedip *wga; 3753 3754 #ifdef WG_DEBUG_LOG 3755 char addrstr[128]; 3756 sockaddr_format(sa, addrstr, sizeof(addrstr)); 3757 WG_DLOG("sa=%s\n", addrstr); 3758 #endif 3759 3760 rw_enter(wg->wg_rwlock, RW_READER); 3761 3762 rnh = wg_rnh(wg, sa->sa_family); 3763 if (rnh == NULL) 3764 goto out; 3765 3766 rn = rnh->rnh_matchaddr(sa, rnh); 3767 if (rn == NULL || (rn->rn_flags & RNF_ROOT) != 0) 3768 goto out; 3769 3770 WG_TRACE("success"); 3771 3772 wga = container_of(rn, struct wg_allowedip, wga_nodes[0]); 3773 wgp = wga->wga_peer; 3774 wg_get_peer(wgp, psref); 3775 3776 
static struct wg_peer *
wg_pick_peer_by_sa(struct wg_softc *wg, const struct sockaddr *sa,
    struct psref *psref)
{
	struct radix_node_head *rnh;
	struct radix_node *rn;
	struct wg_peer *wgp = NULL;
	struct wg_allowedip *wga;

#ifdef WG_DEBUG_LOG
	char addrstr[128];
	sockaddr_format(sa, addrstr, sizeof(addrstr));
	WG_DLOG("sa=%s\n", addrstr);
#endif

	rw_enter(wg->wg_rwlock, RW_READER);

	rnh = wg_rnh(wg, sa->sa_family);
	if (rnh == NULL)
		goto out;

	rn = rnh->rnh_matchaddr(sa, rnh);
	if (rn == NULL || (rn->rn_flags & RNF_ROOT) != 0)
		goto out;

	WG_TRACE("success");

	wga = container_of(rn, struct wg_allowedip, wga_nodes[0]);
	wgp = wga->wga_peer;
	wg_get_peer(wgp, psref);

out:
	rw_exit(wg->wg_rwlock);
	return wgp;
}

static void
wg_fill_msg_data(struct wg_softc *wg, struct wg_peer *wgp,
    struct wg_session *wgs, struct wg_msg_data *wgmd)
{

	memset(wgmd, 0, sizeof(*wgmd));
	wgmd->wgmd_type = htole32(WG_MSG_TYPE_DATA);
	wgmd->wgmd_receiver = wgs->wgs_remote_index;
	/* [W] 5.4.6: msg.counter := Nm^send */
	/* [W] 5.4.6: Nm^send := Nm^send + 1 */
	wgmd->wgmd_counter = htole64(wg_session_inc_send_counter(wgs));
	WG_DLOG("counter=%"PRIu64"\n", le64toh(wgmd->wgmd_counter));
}
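
/*
 * wg_output: if_output routine of wg(4).  The peer is chosen by an
 * allowedips lookup on the destination address.  If a stable session
 * exists, the packet is tagged with the peer (M_SETCTX) and enqueued
 * on wg_pktq to be encrypted and sent; otherwise at most one packet
 * is parked in wgp_pending and a handshake is scheduled.
 */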
static int
wg_output(struct ifnet *ifp, struct mbuf *m, const struct sockaddr *dst,
    const struct rtentry *rt)
{
	struct wg_softc *wg = ifp->if_softc;
	struct wg_peer *wgp = NULL;
	struct wg_session *wgs = NULL;
	struct psref wgp_psref, wgs_psref;
	int bound;
	int error;

	bound = curlwp_bind();

	/* TODO make the nest limit configurable via sysctl */
	error = if_tunnel_check_nesting(ifp, m, 1);
	if (error) {
		WGLOG(LOG_ERR, "tunneling loop detected and packet dropped\n");
		goto out0;
	}

#ifdef ALTQ
	bool altq = atomic_load_relaxed(&ifp->if_snd.altq_flags)
	    & ALTQF_ENABLED;
	if (altq)
		IFQ_CLASSIFY(&ifp->if_snd, m, dst->sa_family);
#endif

	bpf_mtap_af(ifp, dst->sa_family, m, BPF_D_OUT);

	m->m_flags &= ~(M_BCAST|M_MCAST);

	wgp = wg_pick_peer_by_sa(wg, dst, &wgp_psref);
	if (wgp == NULL) {
		WG_TRACE("peer not found");
		error = EHOSTUNREACH;
		goto out0;
	}

	/* Clear checksum-offload flags. */
	m->m_pkthdr.csum_flags = 0;
	m->m_pkthdr.csum_data = 0;

	/* Check whether there's an established session. */
	wgs = wg_get_stable_session(wgp, &wgs_psref);
	if (wgs == NULL) {
		/*
		 * No established session.  If we're the first to try
		 * sending data, schedule a handshake and queue the
		 * packet for when the handshake is done; otherwise
		 * just drop the packet and let the ongoing handshake
		 * attempt continue.  We could queue more data packets
		 * but it's not clear that's worthwhile.
		 */
		if (atomic_cas_ptr(&wgp->wgp_pending, NULL, m) == NULL) {
			m = NULL; /* consume */
			WG_TRACE("queued first packet; init handshake");
			wg_schedule_peer_task(wgp, WGP_TASK_SEND_INIT_MESSAGE);
		} else {
			WG_TRACE("first packet already queued, dropping");
		}
		goto out1;
	}

	/* There's an established session.  Toss it in the queue. */
#ifdef ALTQ
	if (altq) {
		mutex_enter(ifp->if_snd.ifq_lock);
		if (ALTQ_IS_ENABLED(&ifp->if_snd)) {
			M_SETCTX(m, wgp);
			ALTQ_ENQUEUE(&ifp->if_snd, m, error);
			m = NULL; /* consume */
		}
		mutex_exit(ifp->if_snd.ifq_lock);
		if (m == NULL) {
			wg_start(ifp);
			goto out2;
		}
	}
#endif
	kpreempt_disable();
	const uint32_t h = curcpu()->ci_index; // pktq_rps_hash(m)
	M_SETCTX(m, wgp);
	if (__predict_false(!pktq_enqueue(wg_pktq, m, h))) {
		WGLOG(LOG_ERR, "pktq full, dropping\n");
		error = ENOBUFS;
		goto out3;
	}
	m = NULL; /* consumed */
	error = 0;
out3:	kpreempt_enable();

#ifdef ALTQ
out2:
#endif
	wg_put_session(wgs, &wgs_psref);
out1:	wg_put_peer(wgp, &wgp_psref);
out0:	if (m)
		m_freem(m);
	curlwp_bindx(bound);
	return error;
}

static int
wg_send_udp(struct wg_peer *wgp, struct mbuf *m)
{
	struct psref psref;
	struct wg_sockaddr *wgsa;
	int error;
	struct socket *so;

	wgsa = wg_get_endpoint_sa(wgp, &psref);
	so = wg_get_so_by_peer(wgp, wgsa);
	solock(so);
	if (wgsatosa(wgsa)->sa_family == AF_INET) {
		error = udp_send(so, m, wgsatosa(wgsa), NULL, curlwp);
	} else {
#ifdef INET6
		error = udp6_output(sotoin6pcb(so), m, wgsatosin6(wgsa),
		    NULL, curlwp);
#else
		m_freem(m);
		error = EPFNOSUPPORT;
#endif
	}
	sounlock(so);
	wg_put_sa(wgp, wgsa, &psref);

	return error;
}

/* Inspired by pppoe_get_mbuf */
static struct mbuf *
wg_get_mbuf(size_t leading_len, size_t len)
{
	struct mbuf *m;

	KASSERT(leading_len <= MCLBYTES);
	KASSERT(len <= MCLBYTES - leading_len);

	m = m_gethdr(M_DONTWAIT, MT_DATA);
	if (m == NULL)
		return NULL;
	if (len + leading_len > MHLEN) {
		m_clget(m, M_DONTWAIT);
		if ((m->m_flags & M_EXT) == 0) {
			m_free(m);
			return NULL;
		}
	}
	m->m_data += leading_len;
	m->m_pkthdr.len = m->m_len = len;

	return m;
}
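
/*
 * wg_send_data_msg: encapsulate one inner packet in a WireGuard data
 * message.  The plaintext is zero-padded to a multiple of 16 bytes
 * and a 16-byte authentication tag (WG_AUTHTAG_LEN) is appended
 * ([W] 5.4.6).  For example, a 1420-byte inner packet yields
 * roundup(1420, 16) = 1424 bytes of padded plaintext and
 * 1424 + 16 = 1440 bytes of ciphertext following the struct
 * wg_msg_data header.
 */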
static int
wg_send_data_msg(struct wg_peer *wgp, struct wg_session *wgs,
    struct mbuf *m)
{
	struct wg_softc *wg = wgp->wgp_sc;
	int error;
	size_t inner_len, padded_len, encrypted_len;
	char *padded_buf = NULL;
	size_t mlen;
	struct wg_msg_data *wgmd;
	bool free_padded_buf = false;
	struct mbuf *n;
	size_t leading_len = max_hdr + sizeof(struct udphdr);

	mlen = m_length(m);
	inner_len = mlen;
	padded_len = roundup(mlen, 16);
	encrypted_len = padded_len + WG_AUTHTAG_LEN;
	WG_DLOG("inner=%lu, padded=%lu, encrypted_len=%lu\n",
	    inner_len, padded_len, encrypted_len);
	if (mlen != 0) {
		bool success;
		success = m_ensure_contig(&m, padded_len);
		if (success) {
			padded_buf = mtod(m, char *);
		} else {
			padded_buf = kmem_intr_alloc(padded_len, KM_NOSLEEP);
			if (padded_buf == NULL) {
				error = ENOBUFS;
				goto end;
			}
			free_padded_buf = true;
			m_copydata(m, 0, mlen, padded_buf);
		}
		memset(padded_buf + mlen, 0, padded_len - inner_len);
	}

	n = wg_get_mbuf(leading_len, sizeof(*wgmd) + encrypted_len);
	if (n == NULL) {
		error = ENOBUFS;
		goto end;
	}
	KASSERT(n->m_len >= sizeof(*wgmd));
	wgmd = mtod(n, struct wg_msg_data *);
	wg_fill_msg_data(wg, wgp, wgs, wgmd);
	/* [W] 5.4.6: AEAD(Tm^send, Nm^send, P, e) */
	wg_algo_aead_enc((char *)wgmd + sizeof(*wgmd), encrypted_len,
	    wgs->wgs_tkey_send, le64toh(wgmd->wgmd_counter),
	    padded_buf, padded_len,
	    NULL, 0);

	error = wg->wg_ops->send_data_msg(wgp, n);
	if (error == 0) {
		struct ifnet *ifp = &wg->wg_if;
		if_statadd(ifp, if_obytes, mlen);
		if_statinc(ifp, if_opackets);
		if (wgs->wgs_is_initiator &&
		    wgs->wgs_time_last_data_sent == 0) {
			/*
			 * [W] 6.2 Transport Message Limits
			 * "if a peer is the initiator of a current secure
			 * session, WireGuard will send a handshake initiation
			 * message to begin a new secure session if, after
			 * transmitting a transport data message, the current
			 * secure session is REKEY-AFTER-TIME seconds old,"
			 */
			wg_schedule_rekey_timer(wgp);
		}
		wgs->wgs_time_last_data_sent = time_uptime;
		if (wg_session_get_send_counter(wgs) >=
		    wg_rekey_after_messages) {
			/*
			 * [W] 6.2 Transport Message Limits
			 * "WireGuard will try to create a new session, by
			 * sending a handshake initiation message (section
			 * 5.4.2), after it has sent REKEY-AFTER-MESSAGES
			 * transport data messages..."
			 */
			wg_schedule_peer_task(wgp, WGP_TASK_SEND_INIT_MESSAGE);
		}
	}
end:
	m_freem(m);
	if (free_padded_buf)
		kmem_intr_free(padded_buf, padded_len);
	return error;
}
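
/*
 * wg_input: hand a decapsulated (already decrypted) inner packet to
 * the network stack.  The packet is tapped for BPF and enqueued on
 * ip_pktq or ip6_pktq for IP input processing; on success the
 * interface input statistics are updated, otherwise the packet is
 * dropped.
 */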
static void
wg_input(struct ifnet *ifp, struct mbuf *m, const int af)
{
	pktqueue_t *pktq;
	size_t pktlen;

	KASSERT(af == AF_INET || af == AF_INET6);

	WG_TRACE("");

	m_set_rcvif(m, ifp);
	pktlen = m->m_pkthdr.len;

	bpf_mtap_af(ifp, af, m, BPF_D_IN);

	switch (af) {
	case AF_INET:
		pktq = ip_pktq;
		break;
#ifdef INET6
	case AF_INET6:
		pktq = ip6_pktq;
		break;
#endif
	default:
		panic("invalid af=%d", af);
	}

	kpreempt_disable();
	const u_int h = curcpu()->ci_index;
	if (__predict_true(pktq_enqueue(pktq, m, h))) {
		if_statadd(ifp, if_ibytes, pktlen);
		if_statinc(ifp, if_ipackets);
	} else {
		m_freem(m);
	}
	kpreempt_enable();
}

static void
wg_calc_pubkey(uint8_t pubkey[WG_STATIC_KEY_LEN],
    const uint8_t privkey[WG_STATIC_KEY_LEN])
{

	crypto_scalarmult_base(pubkey, privkey);
}

static int
wg_rtable_add_route(struct wg_softc *wg, struct wg_allowedip *wga)
{
	struct radix_node_head *rnh;
	struct radix_node *rn;
	int error = 0;

	rw_enter(wg->wg_rwlock, RW_WRITER);
	rnh = wg_rnh(wg, wga->wga_family);
	KASSERT(rnh != NULL);
	rn = rnh->rnh_addaddr(&wga->wga_sa_addr, &wga->wga_sa_mask, rnh,
	    wga->wga_nodes);
	rw_exit(wg->wg_rwlock);

	if (rn == NULL)
		error = EEXIST;

	return error;
}
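
/*
 * wg_handle_prop_peer: build a struct wg_peer from the proplib
 * dictionary supplied with WG_IOCTL_ADD_PEER.  Recognized keys:
 *	"name"		optional peer name, up to WG_PEER_NAME_MAXLEN
 *	"public_key"	the peer's static Curve25519 public key
 *	"preshared_key"	optional preshared key
 *	"endpoint"	optional sockaddr of the peer's UDP endpoint
 *	"allowedips"	optional array of {"family", "ip", "cidr"}
 * Each allowedip is added to the per-address-family routing table so
 * that wg_pick_peer_by_sa() can find the peer on output.
 */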
static int
wg_handle_prop_peer(struct wg_softc *wg, prop_dictionary_t peer,
    struct wg_peer **wgpp)
{
	int error = 0;
	const void *pubkey;
	size_t pubkey_len;
	const void *psk;
	size_t psk_len;
	const char *name = NULL;

	if (prop_dictionary_get_string(peer, "name", &name)) {
		if (strlen(name) > WG_PEER_NAME_MAXLEN) {
			error = EINVAL;
			goto out;
		}
	}

	if (!prop_dictionary_get_data(peer, "public_key",
		&pubkey, &pubkey_len)) {
		error = EINVAL;
		goto out;
	}
#ifdef WG_DEBUG_DUMP
	{
		char *hex = gethexdump(pubkey, pubkey_len);
		log(LOG_DEBUG, "pubkey=%p, pubkey_len=%lu\n%s\n",
		    pubkey, pubkey_len, hex);
		puthexdump(hex, pubkey, pubkey_len);
	}
#endif

	struct wg_peer *wgp = wg_alloc_peer(wg);
	memcpy(wgp->wgp_pubkey, pubkey, sizeof(wgp->wgp_pubkey));
	if (name != NULL)
		strncpy(wgp->wgp_name, name, sizeof(wgp->wgp_name));

	if (prop_dictionary_get_data(peer, "preshared_key", &psk, &psk_len)) {
		if (psk_len != sizeof(wgp->wgp_psk)) {
			error = EINVAL;
			goto out;
		}
		memcpy(wgp->wgp_psk, psk, sizeof(wgp->wgp_psk));
	}

	const void *addr;
	size_t addr_len;
	struct wg_sockaddr *wgsa = wgp->wgp_endpoint;

	if (!prop_dictionary_get_data(peer, "endpoint", &addr, &addr_len))
		goto skip_endpoint;
	if (addr_len < sizeof(*wgsatosa(wgsa)) ||
	    addr_len > sizeof(*wgsatoss(wgsa))) {
		error = EINVAL;
		goto out;
	}
	memcpy(wgsatoss(wgsa), addr, addr_len);
	switch (wgsa_family(wgsa)) {
	case AF_INET:
#ifdef INET6
	case AF_INET6:
#endif
		break;
	default:
		error = EPFNOSUPPORT;
		goto out;
	}
	if (addr_len != sockaddr_getsize_by_family(wgsa_family(wgsa))) {
		error = EINVAL;
		goto out;
	}
	{
		char addrstr[128];
		sockaddr_format(wgsatosa(wgsa), addrstr, sizeof(addrstr));
		WG_DLOG("addr=%s\n", addrstr);
	}
	wgp->wgp_endpoint_available = true;

	prop_array_t allowedips;
skip_endpoint:
	allowedips = prop_dictionary_get(peer, "allowedips");
	if (allowedips == NULL)
		goto skip;

	prop_object_iterator_t _it = prop_array_iterator(allowedips);
	prop_dictionary_t prop_allowedip;
	int j = 0;
	while ((prop_allowedip = prop_object_iterator_next(_it)) != NULL) {
		struct wg_allowedip *wga = &wgp->wgp_allowedips[j];

		if (!prop_dictionary_get_int(prop_allowedip, "family",
			&wga->wga_family))
			continue;
		if (!prop_dictionary_get_data(prop_allowedip, "ip",
			&addr, &addr_len))
			continue;
		if (!prop_dictionary_get_uint8(prop_allowedip, "cidr",
			&wga->wga_cidr))
			continue;

		switch (wga->wga_family) {
		case AF_INET: {
			struct sockaddr_in sin;
			char addrstr[128];
			struct in_addr mask;
			struct sockaddr_in sin_mask;

			if (addr_len != sizeof(struct in_addr))
				return EINVAL;
			memcpy(&wga->wga_addr4, addr, addr_len);

			sockaddr_in_init(&sin, (const struct in_addr *)addr,
			    0);
			sockaddr_copy(&wga->wga_sa_addr,
			    sizeof(sin), sintosa(&sin));

			sockaddr_format(sintosa(&sin),
			    addrstr, sizeof(addrstr));
			WG_DLOG("addr=%s/%d\n", addrstr, wga->wga_cidr);

			in_len2mask(&mask, wga->wga_cidr);
			sockaddr_in_init(&sin_mask, &mask, 0);
			sockaddr_copy(&wga->wga_sa_mask,
			    sizeof(sin_mask), sintosa(&sin_mask));

			break;
		}
#ifdef INET6
		case AF_INET6: {
			struct sockaddr_in6 sin6;
			char addrstr[128];
			struct in6_addr mask;
			struct sockaddr_in6 sin6_mask;

			if (addr_len != sizeof(struct in6_addr))
				return EINVAL;
			memcpy(&wga->wga_addr6, addr, addr_len);

			sockaddr_in6_init(&sin6, (const struct in6_addr *)addr,
			    0, 0, 0);
			sockaddr_copy(&wga->wga_sa_addr,
			    sizeof(sin6), sin6tosa(&sin6));

			sockaddr_format(sin6tosa(&sin6),
			    addrstr, sizeof(addrstr));
			WG_DLOG("addr=%s/%d\n", addrstr, wga->wga_cidr);

			in6_prefixlen2mask(&mask, wga->wga_cidr);
			sockaddr_in6_init(&sin6_mask, &mask, 0, 0, 0);
			sockaddr_copy(&wga->wga_sa_mask,
			    sizeof(sin6_mask), sin6tosa(&sin6_mask));

			break;
		}
#endif
		default:
			error = EINVAL;
			goto out;
		}
		wga->wga_peer = wgp;

		error = wg_rtable_add_route(wg, wga);
		if (error != 0)
			goto out;

		j++;
	}
	wgp->wgp_n_allowedips = j;
skip:
	*wgpp = wgp;
out:
	return error;
}

static int
wg_alloc_prop_buf(char **_buf, struct ifdrv *ifd)
{
	int error;
	char *buf;

	WG_DLOG("buf=%p, len=%lu\n", ifd->ifd_data, ifd->ifd_len);
	buf = kmem_alloc(ifd->ifd_len + 1, KM_SLEEP);
	error = copyin(ifd->ifd_data, buf, ifd->ifd_len);
	if (error != 0)
		return error;
	buf[ifd->ifd_len] = '\0';
#ifdef WG_DEBUG_DUMP
	log(LOG_DEBUG, "%.*s\n",
	    (int)MIN(INT_MAX, ifd->ifd_len),
	    (const char *)buf);
#endif
	*_buf = buf;
	return 0;
}
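
/*
 * The handlers below take their arguments as an externalized proplib
 * dictionary carried in a struct ifdrv.  A rough sketch of the
 * userland side (error handling omitted; see wgconfig(8) for the
 * real thing):
 *
 *	prop_dictionary_t d = prop_dictionary_create();
 *	prop_dictionary_set_data(d, "private_key", key, WG_STATIC_KEY_LEN);
 *	char *buf = prop_dictionary_externalize(d);
 *	struct ifdrv ifd;
 *	strlcpy(ifd.ifd_name, "wg0", sizeof(ifd.ifd_name));
 *	ifd.ifd_cmd = WG_IOCTL_SET_PRIVATE_KEY;
 *	ifd.ifd_data = buf;
 *	ifd.ifd_len = strlen(buf);
 *	ioctl(s, SIOCSDRVSPEC, &ifd);
 */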
static int
wg_ioctl_set_private_key(struct wg_softc *wg, struct ifdrv *ifd)
{
	int error;
	prop_dictionary_t prop_dict;
	char *buf = NULL;
	const void *privkey;
	size_t privkey_len;

	error = wg_alloc_prop_buf(&buf, ifd);
	if (error != 0)
		return error;
	error = EINVAL;
	prop_dict = prop_dictionary_internalize(buf);
	if (prop_dict == NULL)
		goto out;
	if (!prop_dictionary_get_data(prop_dict, "private_key",
		&privkey, &privkey_len))
		goto out;
#ifdef WG_DEBUG_DUMP
	{
		char *hex = gethexdump(privkey, privkey_len);
		log(LOG_DEBUG, "privkey=%p, privkey_len=%lu\n%s\n",
		    privkey, privkey_len, hex);
		puthexdump(hex, privkey, privkey_len);
	}
#endif
	if (privkey_len != WG_STATIC_KEY_LEN)
		goto out;
	memcpy(wg->wg_privkey, privkey, WG_STATIC_KEY_LEN);
	wg_calc_pubkey(wg->wg_pubkey, wg->wg_privkey);
	error = 0;

out:
	kmem_free(buf, ifd->ifd_len + 1);
	return error;
}

static int
wg_ioctl_set_listen_port(struct wg_softc *wg, struct ifdrv *ifd)
{
	int error;
	prop_dictionary_t prop_dict;
	char *buf = NULL;
	uint16_t port;

	error = wg_alloc_prop_buf(&buf, ifd);
	if (error != 0)
		return error;
	error = EINVAL;
	prop_dict = prop_dictionary_internalize(buf);
	if (prop_dict == NULL)
		goto out;
	if (!prop_dictionary_get_uint16(prop_dict, "listen_port", &port))
		goto out;

	error = wg->wg_ops->bind_port(wg, (uint16_t)port);

out:
	kmem_free(buf, ifd->ifd_len + 1);
	return error;
}

static int
wg_ioctl_add_peer(struct wg_softc *wg, struct ifdrv *ifd)
{
	int error;
	prop_dictionary_t prop_dict;
	char *buf = NULL;
	struct wg_peer *wgp = NULL, *wgp0 __diagused;

	error = wg_alloc_prop_buf(&buf, ifd);
	if (error != 0)
		return error;
	error = EINVAL;
	prop_dict = prop_dictionary_internalize(buf);
	if (prop_dict == NULL)
		goto out;

	error = wg_handle_prop_peer(wg, prop_dict, &wgp);
	if (error != 0)
		goto out;

	mutex_enter(wg->wg_lock);
	if (thmap_get(wg->wg_peers_bypubkey, wgp->wgp_pubkey,
		sizeof(wgp->wgp_pubkey)) != NULL ||
	    (wgp->wgp_name[0] &&
		thmap_get(wg->wg_peers_byname, wgp->wgp_name,
		    strlen(wgp->wgp_name)) != NULL)) {
		mutex_exit(wg->wg_lock);
		wg_destroy_peer(wgp);
		error = EEXIST;
		goto out;
	}
	wgp0 = thmap_put(wg->wg_peers_bypubkey, wgp->wgp_pubkey,
	    sizeof(wgp->wgp_pubkey), wgp);
	KASSERT(wgp0 == wgp);
	if (wgp->wgp_name[0]) {
		wgp0 = thmap_put(wg->wg_peers_byname, wgp->wgp_name,
		    strlen(wgp->wgp_name), wgp);
		KASSERT(wgp0 == wgp);
	}
	WG_PEER_WRITER_INSERT_HEAD(wgp, wg);
	wg->wg_npeers++;
	mutex_exit(wg->wg_lock);

	if_link_state_change(&wg->wg_if, LINK_STATE_UP);

out:
	kmem_free(buf, ifd->ifd_len + 1);
	return error;
}

static int
wg_ioctl_delete_peer(struct wg_softc *wg, struct ifdrv *ifd)
{
	int error;
	prop_dictionary_t prop_dict;
	char *buf = NULL;
	const char *name;

	error = wg_alloc_prop_buf(&buf, ifd);
	if (error != 0)
		return error;
	error = EINVAL;
	prop_dict = prop_dictionary_internalize(buf);
	if (prop_dict == NULL)
		goto out;

	if (!prop_dictionary_get_string(prop_dict, "name", &name))
		goto out;
	if (strlen(name) > WG_PEER_NAME_MAXLEN)
		goto out;

	error = wg_destroy_peer_name(wg, name);
out:
	kmem_free(buf, ifd->ifd_len + 1);
	return error;
}

static int
wg_ioctl_get(struct wg_softc *wg, struct ifdrv *ifd)
{
	int error = ENOMEM;
	prop_dictionary_t prop_dict;
	prop_array_t peers = NULL;
	char *buf;
	struct wg_peer *wgp;
	int s, i;

	prop_dict = prop_dictionary_create();
	if (prop_dict == NULL)
		goto error;

	if (!prop_dictionary_set_data(prop_dict, "private_key", wg->wg_privkey,
		WG_STATIC_KEY_LEN))
		goto error;

	if (wg->wg_listen_port != 0) {
		if (!prop_dictionary_set_uint16(prop_dict, "listen_port",
			wg->wg_listen_port))
			goto error;
	}

	if (wg->wg_npeers == 0)
		goto skip_peers;

	peers = prop_array_create();
	if (peers == NULL)
		goto error;

	s = pserialize_read_enter();
	i = 0;
	WG_PEER_READER_FOREACH(wgp, wg) {
		struct wg_sockaddr *wgsa;
		struct psref wgp_psref, wgsa_psref;
		prop_dictionary_t prop_peer;

		wg_get_peer(wgp, &wgp_psref);
		pserialize_read_exit(s);

		prop_peer = prop_dictionary_create();
		if (prop_peer == NULL)
			goto next;

		if (strlen(wgp->wgp_name) > 0) {
			if (!prop_dictionary_set_string(prop_peer, "name",
				wgp->wgp_name))
				goto next;
		}

		if (!prop_dictionary_set_data(prop_peer, "public_key",
			wgp->wgp_pubkey, sizeof(wgp->wgp_pubkey)))
			goto next;

		uint8_t psk_zero[WG_PRESHARED_KEY_LEN] = {0};
		if (!consttime_memequal(wgp->wgp_psk, psk_zero,
			sizeof(wgp->wgp_psk))) {
			if (!prop_dictionary_set_data(prop_peer,
				"preshared_key",
				wgp->wgp_psk, sizeof(wgp->wgp_psk)))
				goto next;
		}

		wgsa = wg_get_endpoint_sa(wgp, &wgsa_psref);
		CTASSERT(AF_UNSPEC == 0);
		if (wgsa_family(wgsa) != 0 /*AF_UNSPEC*/ &&
		    !prop_dictionary_set_data(prop_peer, "endpoint",
			wgsatoss(wgsa),
			sockaddr_getsize_by_family(wgsa_family(wgsa)))) {
			wg_put_sa(wgp, wgsa, &wgsa_psref);
			goto next;
		}
		wg_put_sa(wgp, wgsa, &wgsa_psref);

		const struct timespec *t = &wgp->wgp_last_handshake_time;

		if (!prop_dictionary_set_uint64(prop_peer,
			"last_handshake_time_sec", (uint64_t)t->tv_sec))
			goto next;
		if (!prop_dictionary_set_uint32(prop_peer,
			"last_handshake_time_nsec", (uint32_t)t->tv_nsec))
			goto next;

		if (wgp->wgp_n_allowedips == 0)
			goto skip_allowedips;

		prop_array_t allowedips = prop_array_create();
		if (allowedips == NULL)
			goto next;
		for (int j = 0; j < wgp->wgp_n_allowedips; j++) {
			struct wg_allowedip *wga = &wgp->wgp_allowedips[j];
			prop_dictionary_t prop_allowedip;

			prop_allowedip = prop_dictionary_create();
			if (prop_allowedip == NULL)
				break;

			if (!prop_dictionary_set_int(prop_allowedip, "family",
				wga->wga_family))
				goto _next;
			if (!prop_dictionary_set_uint8(prop_allowedip, "cidr",
				wga->wga_cidr))
				goto _next;

			switch (wga->wga_family) {
			case AF_INET:
				if (!prop_dictionary_set_data(prop_allowedip,
					"ip", &wga->wga_addr4,
					sizeof(wga->wga_addr4)))
					goto _next;
				break;
#ifdef INET6
			case AF_INET6:
				if (!prop_dictionary_set_data(prop_allowedip,
					"ip", &wga->wga_addr6,
					sizeof(wga->wga_addr6)))
					goto _next;
				break;
#endif
			default:
				break;
			}
			prop_array_set(allowedips, j, prop_allowedip);
		_next:
			prop_object_release(prop_allowedip);
		}
		prop_dictionary_set(prop_peer, "allowedips", allowedips);
		prop_object_release(allowedips);

	skip_allowedips:

		prop_array_set(peers, i, prop_peer);
	next:
		if (prop_peer)
			prop_object_release(prop_peer);
		i++;

		s = pserialize_read_enter();
		wg_put_peer(wgp, &wgp_psref);
	}
	pserialize_read_exit(s);

	prop_dictionary_set(prop_dict, "peers", peers);
	prop_object_release(peers);
	peers = NULL;

skip_peers:
	buf = prop_dictionary_externalize(prop_dict);
	if (buf == NULL)
		goto error;
	if (ifd->ifd_len < (strlen(buf) + 1)) {
		error = EINVAL;
		goto error;
	}
	error = copyout(buf, ifd->ifd_data, strlen(buf) + 1);

	free(buf, 0);
error:
	if (peers != NULL)
		prop_object_release(peers);
	if (prop_dict != NULL)
		prop_object_release(prop_dict);

	return error;
}
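
/*
 * wg_ioctl: interface ioctl handler.  wg(4)-specific configuration is
 * multiplexed over SIOCSDRVSPEC (set) and SIOCGDRVSPEC (get) using
 * the WG_IOCTL_* subcommands handled above; everything else falls
 * through to ifioctl_common().
 */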
static int
wg_ioctl(struct ifnet *ifp, u_long cmd, void *data)
{
	struct wg_softc *wg = ifp->if_softc;
	struct ifreq *ifr = data;
	struct ifaddr *ifa = data;
	struct ifdrv *ifd = data;
	int error = 0;

	switch (cmd) {
	case SIOCINITIFADDR:
		if (ifa->ifa_addr->sa_family != AF_LINK &&
		    (ifp->if_flags & (IFF_UP | IFF_RUNNING)) !=
		    (IFF_UP | IFF_RUNNING)) {
			ifp->if_flags |= IFF_UP;
			error = ifp->if_init(ifp);
		}
		return error;
	case SIOCADDMULTI:
	case SIOCDELMULTI:
		switch (ifr->ifr_addr.sa_family) {
		case AF_INET:	/* IP supports Multicast */
			break;
#ifdef INET6
		case AF_INET6:	/* IP6 supports Multicast */
			break;
#endif
		default:	/* Other protocols don't support Multicast */
			error = EAFNOSUPPORT;
			break;
		}
		return error;
	case SIOCSDRVSPEC:
		switch (ifd->ifd_cmd) {
		case WG_IOCTL_SET_PRIVATE_KEY:
			error = wg_ioctl_set_private_key(wg, ifd);
			break;
		case WG_IOCTL_SET_LISTEN_PORT:
			error = wg_ioctl_set_listen_port(wg, ifd);
			break;
		case WG_IOCTL_ADD_PEER:
			error = wg_ioctl_add_peer(wg, ifd);
			break;
		case WG_IOCTL_DELETE_PEER:
			error = wg_ioctl_delete_peer(wg, ifd);
			break;
		default:
			error = EINVAL;
			break;
		}
		return error;
	case SIOCGDRVSPEC:
		return wg_ioctl_get(wg, ifd);
	case SIOCSIFFLAGS:
		if ((error = ifioctl_common(ifp, cmd, data)) != 0)
			break;
		switch (ifp->if_flags & (IFF_UP|IFF_RUNNING)) {
		case IFF_RUNNING:
			/*
			 * If interface is marked down and it is running,
			 * then stop and disable it.
			 */
			(*ifp->if_stop)(ifp, 1);
			break;
		case IFF_UP:
			/*
			 * If interface is marked up and it is stopped, then
			 * start it.
			 */
			error = (*ifp->if_init)(ifp);
			break;
		default:
			break;
		}
		return error;
#ifdef WG_RUMPKERNEL
	case SIOCSLINKSTR:
		error = wg_ioctl_linkstr(wg, ifd);
		if (error == 0)
			wg->wg_ops = &wg_ops_rumpuser;
		return error;
#endif
	default:
		break;
	}

	error = ifioctl_common(ifp, cmd, data);

#ifdef WG_RUMPKERNEL
	if (!wg_user_mode(wg))
		return error;

	/* Do the same to the corresponding tun device on the host */
	/*
	 * XXX Actually the command has not been handled yet.  It
	 * will be handled via pr_ioctl from doifioctl later.
	 */
	switch (cmd) {
	case SIOCAIFADDR:
	case SIOCDIFADDR: {
		struct in_aliasreq _ifra = *(const struct in_aliasreq *)data;
		struct in_aliasreq *ifra = &_ifra;
		KASSERT(error == ENOTTY);
		strncpy(ifra->ifra_name, rumpuser_wg_get_tunname(wg->wg_user),
		    IFNAMSIZ);
		error = rumpuser_wg_ioctl(wg->wg_user, cmd, ifra, AF_INET);
		if (error == 0)
			error = ENOTTY;
		break;
	}
#ifdef INET6
	case SIOCAIFADDR_IN6:
	case SIOCDIFADDR_IN6: {
		struct in6_aliasreq _ifra = *(const struct in6_aliasreq *)data;
		struct in6_aliasreq *ifra = &_ifra;
		KASSERT(error == ENOTTY);
		strncpy(ifra->ifra_name, rumpuser_wg_get_tunname(wg->wg_user),
		    IFNAMSIZ);
		error = rumpuser_wg_ioctl(wg->wg_user, cmd, ifra, AF_INET6);
		if (error == 0)
			error = ENOTTY;
		break;
	}
#endif
	}
#endif /* WG_RUMPKERNEL */

	return error;
}

static int
wg_init(struct ifnet *ifp)
{

	ifp->if_flags |= IFF_RUNNING;

	/* TODO flush pending packets. */
	return 0;
}

#ifdef ALTQ
static void
wg_start(struct ifnet *ifp)
{
	struct mbuf *m;

	for (;;) {
		IFQ_DEQUEUE(&ifp->if_snd, m);
		if (m == NULL)
			break;

		kpreempt_disable();
		const uint32_t h = curcpu()->ci_index; // pktq_rps_hash(m)
		if (__predict_false(!pktq_enqueue(wg_pktq, m, h))) {
			WGLOG(LOG_ERR, "pktq full, dropping\n");
			m_freem(m);
		}
		kpreempt_enable();
	}
}
#endif

static void
wg_stop(struct ifnet *ifp, int disable)
{

	KASSERT((ifp->if_flags & IFF_RUNNING) != 0);
	ifp->if_flags &= ~IFF_RUNNING;

	/* Need to do something? */
}
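
/*
 * With the WG_DEBUG_PARAMS kernel option, the protocol timers and
 * limits below are exposed as writable sysctl knobs under net.wg,
 * e.g. (illustrative):
 *
 *	sysctl -w net.wg.rekey_after_time=120
 *	sysctl -w net.wg.keepalive_timeout=10
 *
 * They exist for testing; the defaults follow the timer constants of
 * the WireGuard paper.
 */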
#ifdef WG_DEBUG_PARAMS
SYSCTL_SETUP(sysctl_net_wg_setup, "sysctl net.wg setup")
{
	const struct sysctlnode *node = NULL;

	sysctl_createv(clog, 0, NULL, &node,
	    CTLFLAG_PERMANENT,
	    CTLTYPE_NODE, "wg",
	    SYSCTL_DESCR("wg(4)"),
	    NULL, 0, NULL, 0,
	    CTL_NET, CTL_CREATE, CTL_EOL);
	sysctl_createv(clog, 0, &node, NULL,
	    CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
	    CTLTYPE_QUAD, "rekey_after_messages",
	    SYSCTL_DESCR("session lifetime in messages"),
	    NULL, 0, &wg_rekey_after_messages, 0, CTL_CREATE, CTL_EOL);
	sysctl_createv(clog, 0, &node, NULL,
	    CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
	    CTLTYPE_INT, "rekey_after_time",
	    SYSCTL_DESCR("session lifetime"),
	    NULL, 0, &wg_rekey_after_time, 0, CTL_CREATE, CTL_EOL);
	sysctl_createv(clog, 0, &node, NULL,
	    CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
	    CTLTYPE_INT, "rekey_timeout",
	    SYSCTL_DESCR("session handshake retry time"),
	    NULL, 0, &wg_rekey_timeout, 0, CTL_CREATE, CTL_EOL);
	sysctl_createv(clog, 0, &node, NULL,
	    CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
	    CTLTYPE_INT, "rekey_attempt_time",
	    SYSCTL_DESCR("session handshake timeout"),
	    NULL, 0, &wg_rekey_attempt_time, 0, CTL_CREATE, CTL_EOL);
	sysctl_createv(clog, 0, &node, NULL,
	    CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
	    CTLTYPE_INT, "keepalive_timeout",
	    SYSCTL_DESCR("keepalive timeout"),
	    NULL, 0, &wg_keepalive_timeout, 0, CTL_CREATE, CTL_EOL);
	sysctl_createv(clog, 0, &node, NULL,
	    CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
	    CTLTYPE_BOOL, "force_underload",
	    SYSCTL_DESCR("force the interface to behave as if under load"),
	    NULL, 0, &wg_force_underload, 0, CTL_CREATE, CTL_EOL);
}
#endif

#ifdef WG_RUMPKERNEL
static bool
wg_user_mode(struct wg_softc *wg)
{

	return wg->wg_user != NULL;
}

static int
wg_ioctl_linkstr(struct wg_softc *wg, struct ifdrv *ifd)
{
	struct ifnet *ifp = &wg->wg_if;
	int error;

	if (ifp->if_flags & IFF_UP)
		return EBUSY;

	if (ifd->ifd_cmd == IFLINKSTR_UNSET) {
		/* XXX do nothing */
		return 0;
	} else if (ifd->ifd_cmd != 0) {
		return EINVAL;
	} else if (wg->wg_user != NULL) {
		return EBUSY;
	}

	/* Assume \0 included */
	if (ifd->ifd_len > IFNAMSIZ) {
		return E2BIG;
	} else if (ifd->ifd_len < 1) {
		return EINVAL;
	}

	char tun_name[IFNAMSIZ];
	error = copyinstr(ifd->ifd_data, tun_name, ifd->ifd_len, NULL);
	if (error != 0)
		return error;

	if (strncmp(tun_name, "tun", 3) != 0)
		return EINVAL;

	error = rumpuser_wg_create(tun_name, wg, &wg->wg_user);

	return error;
}
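
/*
 * In rump user-mode operation (wg_user_mode()), packets do not go
 * through the kernel UDP sockets: encrypted messages for a peer are
 * written to a host-side socket and decrypted inner packets are
 * written to a host tun(4) device via rumpuser hypercalls; the
 * reverse directions arrive through rumpkern_wg_recv_peer() and
 * rumpkern_wg_recv_user() below.
 */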
static int
wg_send_user(struct wg_peer *wgp, struct mbuf *m)
{
	int error;
	struct psref psref;
	struct wg_sockaddr *wgsa;
	struct wg_softc *wg = wgp->wgp_sc;
	struct iovec iov[1];

	wgsa = wg_get_endpoint_sa(wgp, &psref);

	iov[0].iov_base = mtod(m, void *);
	iov[0].iov_len = m->m_len;

	/* Send messages to a peer via an ordinary socket. */
	error = rumpuser_wg_send_peer(wg->wg_user, wgsatosa(wgsa), iov, 1);

	wg_put_sa(wgp, wgsa, &psref);

	m_freem(m);

	return error;
}

static void
wg_input_user(struct ifnet *ifp, struct mbuf *m, const int af)
{
	struct wg_softc *wg = ifp->if_softc;
	struct iovec iov[2];
	struct sockaddr_storage ss;

	KASSERT(af == AF_INET || af == AF_INET6);

	WG_TRACE("");

	if (af == AF_INET) {
		struct sockaddr_in *sin = (struct sockaddr_in *)&ss;
		struct ip *ip;

		KASSERT(m->m_len >= sizeof(struct ip));
		ip = mtod(m, struct ip *);
		sockaddr_in_init(sin, &ip->ip_dst, 0);
	} else {
		struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)&ss;
		struct ip6_hdr *ip6;

		KASSERT(m->m_len >= sizeof(struct ip6_hdr));
		ip6 = mtod(m, struct ip6_hdr *);
		sockaddr_in6_init(sin6, &ip6->ip6_dst, 0, 0, 0);
	}

	iov[0].iov_base = &ss;
	iov[0].iov_len = ss.ss_len;
	iov[1].iov_base = mtod(m, void *);
	iov[1].iov_len = m->m_len;

	WG_DUMP_BUF(iov[1].iov_base, iov[1].iov_len);

	/* Send decrypted packets to users via a tun. */
	rumpuser_wg_send_user(wg->wg_user, iov, 2);

	m_freem(m);
}

static int
wg_bind_port_user(struct wg_softc *wg, const uint16_t port)
{
	int error;
	uint16_t old_port = wg->wg_listen_port;

	if (port != 0 && old_port == port)
		return 0;

	error = rumpuser_wg_sock_bind(wg->wg_user, port);
	if (error == 0)
		wg->wg_listen_port = port;
	return error;
}

/*
 * Receive user packets.
 */
void
rumpkern_wg_recv_user(struct wg_softc *wg, struct iovec *iov, size_t iovlen)
{
	struct ifnet *ifp = &wg->wg_if;
	struct mbuf *m;
	const struct sockaddr *dst;

	WG_TRACE("");

	dst = iov[0].iov_base;

	m = m_gethdr(M_DONTWAIT, MT_DATA);
	if (m == NULL)
		return;
	m->m_len = m->m_pkthdr.len = 0;
	m_copyback(m, 0, iov[1].iov_len, iov[1].iov_base);

	WG_DLOG("iov_len=%lu\n", iov[1].iov_len);
	WG_DUMP_BUF(iov[1].iov_base, iov[1].iov_len);

	(void)wg_output(ifp, m, dst, NULL);
}

/*
 * Receive packets from a peer.
 */
void
rumpkern_wg_recv_peer(struct wg_softc *wg, struct iovec *iov, size_t iovlen)
{
	struct mbuf *m;
	const struct sockaddr *src;

	WG_TRACE("");

	src = iov[0].iov_base;

	m = m_gethdr(M_DONTWAIT, MT_DATA);
	if (m == NULL)
		return;
	m->m_len = m->m_pkthdr.len = 0;
	m_copyback(m, 0, iov[1].iov_len, iov[1].iov_base);

	WG_DLOG("iov_len=%lu\n", iov[1].iov_len);
	WG_DUMP_BUF(iov[1].iov_base, iov[1].iov_len);

	wg_handle_packet(wg, m, src);
}
#endif /* WG_RUMPKERNEL */

/*
 * Module infrastructure
 */
#include "if_module.h"

IF_MODULE(MODULE_CLASS_DRIVER, wg, "sodium,blake2s")