| @@ -1,2516 +1,2512 @@ | | | @@ -1,2516 +1,2512 @@ |
1 | /* $NetBSD: if_wg.c,v 1.42 2020/08/31 20:26:21 riastradh Exp $ */ | | 1 | /* $NetBSD: if_wg.c,v 1.43 2020/08/31 20:26:46 riastradh Exp $ */ |
2 | | | 2 | |
3 | /* | | 3 | /* |
4 | * Copyright (C) Ryota Ozaki <ozaki.ryota@gmail.com> | | 4 | * Copyright (C) Ryota Ozaki <ozaki.ryota@gmail.com> |
5 | * All rights reserved. | | 5 | * All rights reserved. |
6 | * | | 6 | * |
7 | * Redistribution and use in source and binary forms, with or without | | 7 | * Redistribution and use in source and binary forms, with or without |
8 | * modification, are permitted provided that the following conditions | | 8 | * modification, are permitted provided that the following conditions |
9 | * are met: | | 9 | * are met: |
10 | * 1. Redistributions of source code must retain the above copyright | | 10 | * 1. Redistributions of source code must retain the above copyright |
11 | * notice, this list of conditions and the following disclaimer. | | 11 | * notice, this list of conditions and the following disclaimer. |
12 | * 2. Redistributions in binary form must reproduce the above copyright | | 12 | * 2. Redistributions in binary form must reproduce the above copyright |
13 | * notice, this list of conditions and the following disclaimer in the | | 13 | * notice, this list of conditions and the following disclaimer in the |
14 | * documentation and/or other materials provided with the distribution. | | 14 | * documentation and/or other materials provided with the distribution. |
15 | * 3. Neither the name of the project nor the names of its contributors | | 15 | * 3. Neither the name of the project nor the names of its contributors |
16 | * may be used to endorse or promote products derived from this software | | 16 | * may be used to endorse or promote products derived from this software |
17 | * without specific prior written permission. | | 17 | * without specific prior written permission. |
18 | * | | 18 | * |
19 | * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND | | 19 | * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND |
20 | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE | | 20 | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE |
21 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE | | 21 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE |
22 | * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE | | 22 | * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE |
23 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL | | 23 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL |
24 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS | | 24 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS |
25 | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) | | 25 | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) |
26 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT | | 26 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT |
27 | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY | | 27 | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY |
28 | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF | | 28 | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF |
29 | * SUCH DAMAGE. | | 29 | * SUCH DAMAGE. |
30 | */ | | 30 | */ |
31 | | | 31 | |
32 | /* | | 32 | /* |
33 | * This network interface aims to implement the WireGuard protocol. | | 33 | * This network interface aims to implement the WireGuard protocol. |
34 | * The implementation is based on the paper of WireGuard as of | | 34 | * The implementation is based on the paper of WireGuard as of |
35 | * 2018-06-30 [1]. The paper is referred in the source code with label | | 35 | * 2018-06-30 [1]. The paper is referred in the source code with label |
36 | * [W]. Also the specification of the Noise protocol framework as of | | 36 | * [W]. Also the specification of the Noise protocol framework as of |
37 | * 2018-07-11 [2] is referred with label [N]. | | 37 | * 2018-07-11 [2] is referred with label [N]. |
38 | * | | 38 | * |
39 | * [1] https://www.wireguard.com/papers/wireguard.pdf | | 39 | * [1] https://www.wireguard.com/papers/wireguard.pdf |
40 | * [2] http://noiseprotocol.org/noise.pdf | | 40 | * [2] http://noiseprotocol.org/noise.pdf |
41 | */ | | 41 | */ |
42 | | | 42 | |
43 | #include <sys/cdefs.h> | | 43 | #include <sys/cdefs.h> |
44 | __KERNEL_RCSID(0, "$NetBSD: if_wg.c,v 1.42 2020/08/31 20:26:21 riastradh Exp $"); | | 44 | __KERNEL_RCSID(0, "$NetBSD: if_wg.c,v 1.43 2020/08/31 20:26:46 riastradh Exp $"); |
45 | | | 45 | |
46 | #ifdef _KERNEL_OPT | | 46 | #ifdef _KERNEL_OPT |
47 | #include "opt_inet.h" | | 47 | #include "opt_inet.h" |
48 | #endif | | 48 | #endif |
49 | | | 49 | |
50 | #include <sys/param.h> | | 50 | #include <sys/param.h> |
51 | #include <sys/types.h> | | 51 | #include <sys/types.h> |
52 | | | 52 | |
53 | #include <sys/atomic.h> | | 53 | #include <sys/atomic.h> |
54 | #include <sys/callout.h> | | 54 | #include <sys/callout.h> |
55 | #include <sys/cprng.h> | | 55 | #include <sys/cprng.h> |
56 | #include <sys/cpu.h> | | 56 | #include <sys/cpu.h> |
57 | #include <sys/device.h> | | 57 | #include <sys/device.h> |
58 | #include <sys/domain.h> | | 58 | #include <sys/domain.h> |
59 | #include <sys/errno.h> | | 59 | #include <sys/errno.h> |
60 | #include <sys/intr.h> | | 60 | #include <sys/intr.h> |
61 | #include <sys/ioctl.h> | | 61 | #include <sys/ioctl.h> |
62 | #include <sys/kernel.h> | | 62 | #include <sys/kernel.h> |
63 | #include <sys/kmem.h> | | 63 | #include <sys/kmem.h> |
64 | #include <sys/kthread.h> | | 64 | #include <sys/kthread.h> |
65 | #include <sys/mbuf.h> | | 65 | #include <sys/mbuf.h> |
66 | #include <sys/module.h> | | 66 | #include <sys/module.h> |
67 | #include <sys/mutex.h> | | 67 | #include <sys/mutex.h> |
68 | #include <sys/pcq.h> | | 68 | #include <sys/pcq.h> |
69 | #include <sys/percpu.h> | | 69 | #include <sys/percpu.h> |
70 | #include <sys/pserialize.h> | | 70 | #include <sys/pserialize.h> |
71 | #include <sys/psref.h> | | 71 | #include <sys/psref.h> |
72 | #include <sys/queue.h> | | 72 | #include <sys/queue.h> |
73 | #include <sys/rwlock.h> | | 73 | #include <sys/rwlock.h> |
74 | #include <sys/socket.h> | | 74 | #include <sys/socket.h> |
75 | #include <sys/socketvar.h> | | 75 | #include <sys/socketvar.h> |
76 | #include <sys/sockio.h> | | 76 | #include <sys/sockio.h> |
77 | #include <sys/sysctl.h> | | 77 | #include <sys/sysctl.h> |
78 | #include <sys/syslog.h> | | 78 | #include <sys/syslog.h> |
79 | #include <sys/systm.h> | | 79 | #include <sys/systm.h> |
80 | #include <sys/thmap.h> | | 80 | #include <sys/thmap.h> |
81 | #include <sys/time.h> | | 81 | #include <sys/time.h> |
82 | #include <sys/timespec.h> | | 82 | #include <sys/timespec.h> |
83 | | | 83 | |
84 | #include <net/bpf.h> | | 84 | #include <net/bpf.h> |
85 | #include <net/if.h> | | 85 | #include <net/if.h> |
86 | #include <net/if_types.h> | | 86 | #include <net/if_types.h> |
87 | #include <net/if_wg.h> | | 87 | #include <net/if_wg.h> |
88 | #include <net/route.h> | | 88 | #include <net/route.h> |
89 | | | 89 | |
90 | #include <netinet/in.h> | | 90 | #include <netinet/in.h> |
91 | #include <netinet/in_pcb.h> | | 91 | #include <netinet/in_pcb.h> |
92 | #include <netinet/in_var.h> | | 92 | #include <netinet/in_var.h> |
93 | #include <netinet/ip.h> | | 93 | #include <netinet/ip.h> |
94 | #include <netinet/ip_var.h> | | 94 | #include <netinet/ip_var.h> |
95 | #include <netinet/udp.h> | | 95 | #include <netinet/udp.h> |
96 | #include <netinet/udp_var.h> | | 96 | #include <netinet/udp_var.h> |
97 | | | 97 | |
98 | #ifdef INET6 | | 98 | #ifdef INET6 |
99 | #include <netinet/ip6.h> | | 99 | #include <netinet/ip6.h> |
100 | #include <netinet6/in6_pcb.h> | | 100 | #include <netinet6/in6_pcb.h> |
101 | #include <netinet6/in6_var.h> | | 101 | #include <netinet6/in6_var.h> |
102 | #include <netinet6/ip6_var.h> | | 102 | #include <netinet6/ip6_var.h> |
103 | #include <netinet6/udp6_var.h> | | 103 | #include <netinet6/udp6_var.h> |
104 | #endif /* INET6 */ | | 104 | #endif /* INET6 */ |
105 | | | 105 | |
106 | #include <prop/proplib.h> | | 106 | #include <prop/proplib.h> |
107 | | | 107 | |
108 | #include <crypto/blake2/blake2s.h> | | 108 | #include <crypto/blake2/blake2s.h> |
109 | #include <crypto/sodium/crypto_aead_chacha20poly1305.h> | | 109 | #include <crypto/sodium/crypto_aead_chacha20poly1305.h> |
110 | #include <crypto/sodium/crypto_aead_xchacha20poly1305.h> | | 110 | #include <crypto/sodium/crypto_aead_xchacha20poly1305.h> |
111 | #include <crypto/sodium/crypto_scalarmult.h> | | 111 | #include <crypto/sodium/crypto_scalarmult.h> |
112 | | | 112 | |
113 | #include "ioconf.h" | | 113 | #include "ioconf.h" |
114 | | | 114 | |
115 | #ifdef WG_RUMPKERNEL | | 115 | #ifdef WG_RUMPKERNEL |
116 | #include "wg_user.h" | | 116 | #include "wg_user.h" |
117 | #endif | | 117 | #endif |
118 | | | 118 | |
119 | /* | | 119 | /* |
120 | * Data structures | | 120 | * Data structures |
121 | * - struct wg_softc is an instance of wg interfaces | | 121 | * - struct wg_softc is an instance of wg interfaces |
122 | * - It has a list of peers (struct wg_peer) | | 122 | * - It has a list of peers (struct wg_peer) |
123 | * - It has a kthread that sends/receives handshake messages and | | 123 | * - It has a kthread that sends/receives handshake messages and |
124 | * runs event handlers | | 124 | * runs event handlers |
125 | * - It has its own two routing tables: one is for IPv4 and the other IPv6 | | 125 | * - It has its own two routing tables: one is for IPv4 and the other IPv6 |
126 | * - struct wg_peer is a representative of a peer | | 126 | * - struct wg_peer is a representative of a peer |
127 | * - It has a softint that is used to send packets over an wg interface | | 127 | * - It has a softint that is used to send packets over an wg interface |
128 | * to a peer | | 128 | * to a peer |
129 | * - It has a pair of session instances (struct wg_session) | | 129 | * - It has a pair of session instances (struct wg_session) |
130 | * - It has a pair of endpoint instances (struct wg_sockaddr) | | 130 | * - It has a pair of endpoint instances (struct wg_sockaddr) |
131 | * - Normally one endpoint is used and the second one is used only on | | 131 | * - Normally one endpoint is used and the second one is used only on |
132 | * a peer migration (a change of peer's IP address) | | 132 | * a peer migration (a change of peer's IP address) |
133 | * - It has a list of IP addresses and sub networks called allowedips | | 133 | * - It has a list of IP addresses and sub networks called allowedips |
134 | * (struct wg_allowedip) | | 134 | * (struct wg_allowedip) |
135 | * - A packets sent over a session is allowed if its destination matches | | 135 | * - A packets sent over a session is allowed if its destination matches |
136 | * any IP addresses or sub networks of the list | | 136 | * any IP addresses or sub networks of the list |
137 | * - struct wg_session represents a session of a secure tunnel with a peer | | 137 | * - struct wg_session represents a session of a secure tunnel with a peer |
138 | * - Two instances of sessions belong to a peer; a stable session and a | | 138 | * - Two instances of sessions belong to a peer; a stable session and a |
139 | * unstable session | | 139 | * unstable session |
140 | * - A handshake process of a session always starts with a unstable instace | | 140 | * - A handshake process of a session always starts with a unstable instace |
141 | * - Once a session is established, its instance becomes stable and the | | 141 | * - Once a session is established, its instance becomes stable and the |
142 | * other becomes unstable instead | | 142 | * other becomes unstable instead |
143 | * - Data messages are always sent via a stable session | | 143 | * - Data messages are always sent via a stable session |
144 | * | | 144 | * |
145 | * Locking notes: | | 145 | * Locking notes: |
146 | * - wg interfaces (struct wg_softc, wg) is listed in wg_softcs.list and | | 146 | * - wg interfaces (struct wg_softc, wg) is listed in wg_softcs.list and |
147 | * protected by wg_softcs.lock | | 147 | * protected by wg_softcs.lock |
148 | * - Each wg has a mutex(9) and a rwlock(9) | | 148 | * - Each wg has a mutex(9) and a rwlock(9) |
149 | * - The mutex (wg_lock) protects its peer list (wg_peers) | | 149 | * - The mutex (wg_lock) protects its peer list (wg_peers) |
150 | * - A peer on the list is also protected by pserialize(9) or psref(9) | | 150 | * - A peer on the list is also protected by pserialize(9) or psref(9) |
151 | * - The rwlock (wg_rwlock) protects the routing tables (wg_rtable_ipv[46]) | | 151 | * - The rwlock (wg_rwlock) protects the routing tables (wg_rtable_ipv[46]) |
152 | * - Each peer (struct wg_peer, wgp) has a mutex | | 152 | * - Each peer (struct wg_peer, wgp) has a mutex |
153 | * - The mutex (wgp_lock) protects wgp_session_unstable and wgp_state | | 153 | * - The mutex (wgp_lock) protects wgp_session_unstable and wgp_state |
154 | * - Each session (struct wg_session, wgs) has a mutex | | 154 | * - Each session (struct wg_session, wgs) has a mutex |
155 | * - The mutex (wgs_lock) protects its state (wgs_state) and its handshake | | 155 | * - The mutex (wgs_lock) protects its state (wgs_state) and its handshake |
156 | * states | | 156 | * states |
157 | * - wgs_state of a unstable session can be changed while it never be | | 157 | * - wgs_state of a unstable session can be changed while it never be |
158 | * changed on a stable session, so once get a session instace via | | 158 | * changed on a stable session, so once get a session instace via |
159 | * wgp_session_stable we can safely access wgs_state without | | 159 | * wgp_session_stable we can safely access wgs_state without |
160 | * holding wgs_lock | | 160 | * holding wgs_lock |
161 | * - A session is protected by pserialize or psref like wgp | | 161 | * - A session is protected by pserialize or psref like wgp |
162 | * - On a session swap, we must wait for all readers to release a | | 162 | * - On a session swap, we must wait for all readers to release a |
163 | * reference to a stable session before changing wgs_state and | | 163 | * reference to a stable session before changing wgs_state and |
164 | * session states | | 164 | * session states |
165 | * | | 165 | * |
166 | * Lock order: wg_lock -> wgp_lock -> wgs_lock | | 166 | * Lock order: wg_lock -> wgp_lock -> wgs_lock |
167 | */ | | 167 | */ |
168 | | | 168 | |
169 | | | 169 | |
170 | #define WGLOG(level, fmt, args...) \ | | 170 | #define WGLOG(level, fmt, args...) \ |
171 | log(level, "%s: " fmt, __func__, ##args) | | 171 | log(level, "%s: " fmt, __func__, ##args) |
172 | | | 172 | |
173 | /* Debug options */ | | 173 | /* Debug options */ |
174 | #ifdef WG_DEBUG | | 174 | #ifdef WG_DEBUG |
175 | /* Output debug logs */ | | 175 | /* Output debug logs */ |
176 | #ifndef WG_DEBUG_LOG | | 176 | #ifndef WG_DEBUG_LOG |
177 | #define WG_DEBUG_LOG | | 177 | #define WG_DEBUG_LOG |
178 | #endif | | 178 | #endif |
179 | /* Output trace logs */ | | 179 | /* Output trace logs */ |
180 | #ifndef WG_DEBUG_TRACE | | 180 | #ifndef WG_DEBUG_TRACE |
181 | #define WG_DEBUG_TRACE | | 181 | #define WG_DEBUG_TRACE |
182 | #endif | | 182 | #endif |
183 | /* Output hash values, etc. */ | | 183 | /* Output hash values, etc. */ |
184 | #ifndef WG_DEBUG_DUMP | | 184 | #ifndef WG_DEBUG_DUMP |
185 | #define WG_DEBUG_DUMP | | 185 | #define WG_DEBUG_DUMP |
186 | #endif | | 186 | #endif |
187 | /* Make some internal parameters configurable for testing and debugging */ | | 187 | /* Make some internal parameters configurable for testing and debugging */ |
188 | #ifndef WG_DEBUG_PARAMS | | 188 | #ifndef WG_DEBUG_PARAMS |
189 | #define WG_DEBUG_PARAMS | | 189 | #define WG_DEBUG_PARAMS |
190 | #endif | | 190 | #endif |
191 | #endif | | 191 | #endif |
192 | | | 192 | |
193 | #ifdef WG_DEBUG_TRACE | | 193 | #ifdef WG_DEBUG_TRACE |
194 | #define WG_TRACE(msg) \ | | 194 | #define WG_TRACE(msg) \ |
195 | log(LOG_DEBUG, "%s:%d: %s\n", __func__, __LINE__, (msg)) | | 195 | log(LOG_DEBUG, "%s:%d: %s\n", __func__, __LINE__, (msg)) |
196 | #else | | 196 | #else |
197 | #define WG_TRACE(msg) __nothing | | 197 | #define WG_TRACE(msg) __nothing |
198 | #endif | | 198 | #endif |
199 | | | 199 | |
200 | #ifdef WG_DEBUG_LOG | | 200 | #ifdef WG_DEBUG_LOG |
201 | #define WG_DLOG(fmt, args...) log(LOG_DEBUG, "%s: " fmt, __func__, ##args) | | 201 | #define WG_DLOG(fmt, args...) log(LOG_DEBUG, "%s: " fmt, __func__, ##args) |
202 | #else | | 202 | #else |
203 | #define WG_DLOG(fmt, args...) __nothing | | 203 | #define WG_DLOG(fmt, args...) __nothing |
204 | #endif | | 204 | #endif |
205 | | | 205 | |
206 | #define WG_LOG_RATECHECK(wgprc, level, fmt, args...) do { \ | | 206 | #define WG_LOG_RATECHECK(wgprc, level, fmt, args...) do { \ |
207 | if (ppsratecheck(&(wgprc)->wgprc_lasttime, \ | | 207 | if (ppsratecheck(&(wgprc)->wgprc_lasttime, \ |
208 | &(wgprc)->wgprc_curpps, 1)) { \ | | 208 | &(wgprc)->wgprc_curpps, 1)) { \ |
209 | log(level, fmt, ##args); \ | | 209 | log(level, fmt, ##args); \ |
210 | } \ | | 210 | } \ |
211 | } while (0) | | 211 | } while (0) |
212 | | | 212 | |
213 | #ifdef WG_DEBUG_PARAMS | | 213 | #ifdef WG_DEBUG_PARAMS |
214 | static bool wg_force_underload = false; | | 214 | static bool wg_force_underload = false; |
215 | #endif | | 215 | #endif |
216 | | | 216 | |
217 | #ifdef WG_DEBUG_DUMP | | 217 | #ifdef WG_DEBUG_DUMP |
218 | | | 218 | |
219 | #ifdef WG_RUMPKERNEL | | 219 | #ifdef WG_RUMPKERNEL |
220 | static void | | 220 | static void |
221 | wg_dump_buf(const char *func, const char *buf, const size_t size) | | 221 | wg_dump_buf(const char *func, const char *buf, const size_t size) |
222 | { | | 222 | { |
223 | | | 223 | |
224 | log(LOG_DEBUG, "%s: ", func); | | 224 | log(LOG_DEBUG, "%s: ", func); |
225 | for (int i = 0; i < size; i++) | | 225 | for (int i = 0; i < size; i++) |
226 | log(LOG_DEBUG, "%02x ", (int)(0xff & buf[i])); | | 226 | log(LOG_DEBUG, "%02x ", (int)(0xff & buf[i])); |
227 | log(LOG_DEBUG, "\n"); | | 227 | log(LOG_DEBUG, "\n"); |
228 | } | | 228 | } |
229 | #endif | | 229 | #endif |
230 | | | 230 | |
231 | static void | | 231 | static void |
232 | wg_dump_hash(const uint8_t *func, const uint8_t *name, const uint8_t *hash, | | 232 | wg_dump_hash(const uint8_t *func, const uint8_t *name, const uint8_t *hash, |
233 | const size_t size) | | 233 | const size_t size) |
234 | { | | 234 | { |
235 | | | 235 | |
236 | log(LOG_DEBUG, "%s: %s: ", func, name); | | 236 | log(LOG_DEBUG, "%s: %s: ", func, name); |
237 | for (int i = 0; i < size; i++) | | 237 | for (int i = 0; i < size; i++) |
238 | log(LOG_DEBUG, "%02x ", (int)(0xff & hash[i])); | | 238 | log(LOG_DEBUG, "%02x ", (int)(0xff & hash[i])); |
239 | log(LOG_DEBUG, "\n"); | | 239 | log(LOG_DEBUG, "\n"); |
240 | } | | 240 | } |
241 | | | 241 | |
242 | #define WG_DUMP_HASH(name, hash) \ | | 242 | #define WG_DUMP_HASH(name, hash) \ |
243 | wg_dump_hash(__func__, name, hash, WG_HASH_LEN) | | 243 | wg_dump_hash(__func__, name, hash, WG_HASH_LEN) |
244 | #define WG_DUMP_HASH48(name, hash) \ | | 244 | #define WG_DUMP_HASH48(name, hash) \ |
245 | wg_dump_hash(__func__, name, hash, 48) | | 245 | wg_dump_hash(__func__, name, hash, 48) |
246 | #define WG_DUMP_BUF(buf, size) \ | | 246 | #define WG_DUMP_BUF(buf, size) \ |
247 | wg_dump_buf(__func__, buf, size) | | 247 | wg_dump_buf(__func__, buf, size) |
248 | #else | | 248 | #else |
249 | #define WG_DUMP_HASH(name, hash) __nothing | | 249 | #define WG_DUMP_HASH(name, hash) __nothing |
250 | #define WG_DUMP_HASH48(name, hash) __nothing | | 250 | #define WG_DUMP_HASH48(name, hash) __nothing |
251 | #define WG_DUMP_BUF(buf, size) __nothing | | 251 | #define WG_DUMP_BUF(buf, size) __nothing |
252 | #endif /* WG_DEBUG_DUMP */ | | 252 | #endif /* WG_DEBUG_DUMP */ |
253 | | | 253 | |
254 | #define WG_MTU 1420 | | 254 | #define WG_MTU 1420 |
255 | #define WG_ALLOWEDIPS 16 | | 255 | #define WG_ALLOWEDIPS 16 |
256 | | | 256 | |
257 | #define CURVE25519_KEY_LEN 32 | | 257 | #define CURVE25519_KEY_LEN 32 |
258 | #define TAI64N_LEN sizeof(uint32_t) * 3 | | 258 | #define TAI64N_LEN sizeof(uint32_t) * 3 |
259 | #define POLY1305_AUTHTAG_LEN 16 | | 259 | #define POLY1305_AUTHTAG_LEN 16 |
260 | #define HMAC_BLOCK_LEN 64 | | 260 | #define HMAC_BLOCK_LEN 64 |
261 | | | 261 | |
262 | /* [N] 4.1: "DHLEN must be 32 or greater." WireGuard chooses 32. */ | | 262 | /* [N] 4.1: "DHLEN must be 32 or greater." WireGuard chooses 32. */ |
263 | /* [N] 4.3: Hash functions */ | | 263 | /* [N] 4.3: Hash functions */ |
264 | #define NOISE_DHLEN 32 | | 264 | #define NOISE_DHLEN 32 |
265 | /* [N] 4.3: "Must be 32 or 64." WireGuard chooses 32. */ | | 265 | /* [N] 4.3: "Must be 32 or 64." WireGuard chooses 32. */ |
266 | #define NOISE_HASHLEN 32 | | 266 | #define NOISE_HASHLEN 32 |
267 | #define NOISE_BLOCKLEN 64 | | 267 | #define NOISE_BLOCKLEN 64 |
268 | #define NOISE_HKDF_OUTPUT_LEN NOISE_HASHLEN | | 268 | #define NOISE_HKDF_OUTPUT_LEN NOISE_HASHLEN |
269 | /* [N] 5.1: "k" */ | | 269 | /* [N] 5.1: "k" */ |
270 | #define NOISE_CIPHER_KEY_LEN 32 | | 270 | #define NOISE_CIPHER_KEY_LEN 32 |
271 | /* | | 271 | /* |
272 | * [N] 9.2: "psk" | | 272 | * [N] 9.2: "psk" |
273 | * "... psk is a 32-byte secret value provided by the application." | | 273 | * "... psk is a 32-byte secret value provided by the application." |
274 | */ | | 274 | */ |
275 | #define NOISE_PRESHARED_KEY_LEN 32 | | 275 | #define NOISE_PRESHARED_KEY_LEN 32 |
276 | | | 276 | |
277 | #define WG_STATIC_KEY_LEN CURVE25519_KEY_LEN | | 277 | #define WG_STATIC_KEY_LEN CURVE25519_KEY_LEN |
278 | #define WG_TIMESTAMP_LEN TAI64N_LEN | | 278 | #define WG_TIMESTAMP_LEN TAI64N_LEN |
279 | | | 279 | |
280 | #define WG_PRESHARED_KEY_LEN NOISE_PRESHARED_KEY_LEN | | 280 | #define WG_PRESHARED_KEY_LEN NOISE_PRESHARED_KEY_LEN |
281 | | | 281 | |
282 | #define WG_COOKIE_LEN 16 | | 282 | #define WG_COOKIE_LEN 16 |
283 | #define WG_MAC_LEN 16 | | 283 | #define WG_MAC_LEN 16 |
284 | #define WG_RANDVAL_LEN 24 | | 284 | #define WG_RANDVAL_LEN 24 |
285 | | | 285 | |
286 | #define WG_EPHEMERAL_KEY_LEN CURVE25519_KEY_LEN | | 286 | #define WG_EPHEMERAL_KEY_LEN CURVE25519_KEY_LEN |
287 | /* [N] 5.2: "ck: A chaining key of HASHLEN bytes" */ | | 287 | /* [N] 5.2: "ck: A chaining key of HASHLEN bytes" */ |
288 | #define WG_CHAINING_KEY_LEN NOISE_HASHLEN | | 288 | #define WG_CHAINING_KEY_LEN NOISE_HASHLEN |
289 | /* [N] 5.2: "h: A hash output of HASHLEN bytes" */ | | 289 | /* [N] 5.2: "h: A hash output of HASHLEN bytes" */ |
290 | #define WG_HASH_LEN NOISE_HASHLEN | | 290 | #define WG_HASH_LEN NOISE_HASHLEN |
291 | #define WG_CIPHER_KEY_LEN NOISE_CIPHER_KEY_LEN | | 291 | #define WG_CIPHER_KEY_LEN NOISE_CIPHER_KEY_LEN |
292 | #define WG_DH_OUTPUT_LEN NOISE_DHLEN | | 292 | #define WG_DH_OUTPUT_LEN NOISE_DHLEN |
293 | #define WG_KDF_OUTPUT_LEN NOISE_HKDF_OUTPUT_LEN | | 293 | #define WG_KDF_OUTPUT_LEN NOISE_HKDF_OUTPUT_LEN |
294 | #define WG_AUTHTAG_LEN POLY1305_AUTHTAG_LEN | | 294 | #define WG_AUTHTAG_LEN POLY1305_AUTHTAG_LEN |
295 | #define WG_DATA_KEY_LEN 32 | | 295 | #define WG_DATA_KEY_LEN 32 |
296 | #define WG_SALT_LEN 24 | | 296 | #define WG_SALT_LEN 24 |
297 | | | 297 | |
298 | /* | | 298 | /* |
299 | * The protocol messages | | 299 | * The protocol messages |
300 | */ | | 300 | */ |
301 | struct wg_msg { | | 301 | struct wg_msg { |
302 | uint32_t wgm_type; | | 302 | uint32_t wgm_type; |
303 | } __packed; | | 303 | } __packed; |
304 | | | 304 | |
305 | /* [W] 5.4.2 First Message: Initiator to Responder */ | | 305 | /* [W] 5.4.2 First Message: Initiator to Responder */ |
306 | struct wg_msg_init { | | 306 | struct wg_msg_init { |
307 | uint32_t wgmi_type; | | 307 | uint32_t wgmi_type; |
308 | uint32_t wgmi_sender; | | 308 | uint32_t wgmi_sender; |
309 | uint8_t wgmi_ephemeral[WG_EPHEMERAL_KEY_LEN]; | | 309 | uint8_t wgmi_ephemeral[WG_EPHEMERAL_KEY_LEN]; |
310 | uint8_t wgmi_static[WG_STATIC_KEY_LEN + WG_AUTHTAG_LEN]; | | 310 | uint8_t wgmi_static[WG_STATIC_KEY_LEN + WG_AUTHTAG_LEN]; |
311 | uint8_t wgmi_timestamp[WG_TIMESTAMP_LEN + WG_AUTHTAG_LEN]; | | 311 | uint8_t wgmi_timestamp[WG_TIMESTAMP_LEN + WG_AUTHTAG_LEN]; |
312 | uint8_t wgmi_mac1[WG_MAC_LEN]; | | 312 | uint8_t wgmi_mac1[WG_MAC_LEN]; |
313 | uint8_t wgmi_mac2[WG_MAC_LEN]; | | 313 | uint8_t wgmi_mac2[WG_MAC_LEN]; |
314 | } __packed; | | 314 | } __packed; |
315 | | | 315 | |
316 | /* [W] 5.4.3 Second Message: Responder to Initiator */ | | 316 | /* [W] 5.4.3 Second Message: Responder to Initiator */ |
317 | struct wg_msg_resp { | | 317 | struct wg_msg_resp { |
318 | uint32_t wgmr_type; | | 318 | uint32_t wgmr_type; |
319 | uint32_t wgmr_sender; | | 319 | uint32_t wgmr_sender; |
320 | uint32_t wgmr_receiver; | | 320 | uint32_t wgmr_receiver; |
321 | uint8_t wgmr_ephemeral[WG_EPHEMERAL_KEY_LEN]; | | 321 | uint8_t wgmr_ephemeral[WG_EPHEMERAL_KEY_LEN]; |
322 | uint8_t wgmr_empty[0 + WG_AUTHTAG_LEN]; | | 322 | uint8_t wgmr_empty[0 + WG_AUTHTAG_LEN]; |
323 | uint8_t wgmr_mac1[WG_MAC_LEN]; | | 323 | uint8_t wgmr_mac1[WG_MAC_LEN]; |
324 | uint8_t wgmr_mac2[WG_MAC_LEN]; | | 324 | uint8_t wgmr_mac2[WG_MAC_LEN]; |
325 | } __packed; | | 325 | } __packed; |
326 | | | 326 | |
327 | /* [W] 5.4.6 Subsequent Messages: Transport Data Messages */ | | 327 | /* [W] 5.4.6 Subsequent Messages: Transport Data Messages */ |
328 | struct wg_msg_data { | | 328 | struct wg_msg_data { |
329 | uint32_t wgmd_type; | | 329 | uint32_t wgmd_type; |
330 | uint32_t wgmd_receiver; | | 330 | uint32_t wgmd_receiver; |
331 | uint64_t wgmd_counter; | | 331 | uint64_t wgmd_counter; |
332 | uint32_t wgmd_packet[0]; | | 332 | uint32_t wgmd_packet[0]; |
333 | } __packed; | | 333 | } __packed; |
334 | | | 334 | |
335 | /* [W] 5.4.7 Under Load: Cookie Reply Message */ | | 335 | /* [W] 5.4.7 Under Load: Cookie Reply Message */ |
336 | struct wg_msg_cookie { | | 336 | struct wg_msg_cookie { |
337 | uint32_t wgmc_type; | | 337 | uint32_t wgmc_type; |
338 | uint32_t wgmc_receiver; | | 338 | uint32_t wgmc_receiver; |
339 | uint8_t wgmc_salt[WG_SALT_LEN]; | | 339 | uint8_t wgmc_salt[WG_SALT_LEN]; |
340 | uint8_t wgmc_cookie[WG_COOKIE_LEN + WG_AUTHTAG_LEN]; | | 340 | uint8_t wgmc_cookie[WG_COOKIE_LEN + WG_AUTHTAG_LEN]; |
341 | } __packed; | | 341 | } __packed; |
342 | | | 342 | |
343 | #define WG_MSG_TYPE_INIT 1 | | 343 | #define WG_MSG_TYPE_INIT 1 |
344 | #define WG_MSG_TYPE_RESP 2 | | 344 | #define WG_MSG_TYPE_RESP 2 |
345 | #define WG_MSG_TYPE_COOKIE 3 | | 345 | #define WG_MSG_TYPE_COOKIE 3 |
346 | #define WG_MSG_TYPE_DATA 4 | | 346 | #define WG_MSG_TYPE_DATA 4 |
347 | #define WG_MSG_TYPE_MAX WG_MSG_TYPE_DATA | | 347 | #define WG_MSG_TYPE_MAX WG_MSG_TYPE_DATA |
348 | | | 348 | |
349 | /* Sliding windows */ | | 349 | /* Sliding windows */ |
350 | | | 350 | |
351 | #define SLIWIN_BITS 2048u | | 351 | #define SLIWIN_BITS 2048u |
352 | #define SLIWIN_TYPE uint32_t | | 352 | #define SLIWIN_TYPE uint32_t |
353 | #define SLIWIN_BPW NBBY*sizeof(SLIWIN_TYPE) | | 353 | #define SLIWIN_BPW NBBY*sizeof(SLIWIN_TYPE) |
354 | #define SLIWIN_WORDS howmany(SLIWIN_BITS, SLIWIN_BPW) | | 354 | #define SLIWIN_WORDS howmany(SLIWIN_BITS, SLIWIN_BPW) |
355 | #define SLIWIN_NPKT (SLIWIN_BITS - NBBY*sizeof(SLIWIN_TYPE)) | | 355 | #define SLIWIN_NPKT (SLIWIN_BITS - NBBY*sizeof(SLIWIN_TYPE)) |
356 | | | 356 | |
357 | struct sliwin { | | 357 | struct sliwin { |
358 | SLIWIN_TYPE B[SLIWIN_WORDS]; | | 358 | SLIWIN_TYPE B[SLIWIN_WORDS]; |
359 | uint64_t T; | | 359 | uint64_t T; |
360 | }; | | 360 | }; |
361 | | | 361 | |
362 | static void | | 362 | static void |
363 | sliwin_reset(struct sliwin *W) | | 363 | sliwin_reset(struct sliwin *W) |
364 | { | | 364 | { |
365 | | | 365 | |
366 | memset(W, 0, sizeof(*W)); | | 366 | memset(W, 0, sizeof(*W)); |
367 | } | | 367 | } |
368 | | | 368 | |
369 | static int | | 369 | static int |
370 | sliwin_check_fast(const volatile struct sliwin *W, uint64_t S) | | 370 | sliwin_check_fast(const volatile struct sliwin *W, uint64_t S) |
371 | { | | 371 | { |
372 | | | 372 | |
373 | /* | | 373 | /* |
374 | * If it's more than one window older than the highest sequence | | 374 | * If it's more than one window older than the highest sequence |
375 | * number we've seen, reject. | | 375 | * number we've seen, reject. |
376 | */ | | 376 | */ |
377 | #ifdef __HAVE_ATOMIC64_LOADSTORE | | 377 | #ifdef __HAVE_ATOMIC64_LOADSTORE |
378 | if (S + SLIWIN_NPKT < atomic_load_relaxed(&W->T)) | | 378 | if (S + SLIWIN_NPKT < atomic_load_relaxed(&W->T)) |
379 | return EAUTH; | | 379 | return EAUTH; |
380 | #endif | | 380 | #endif |
381 | | | 381 | |
382 | /* | | 382 | /* |
383 | * Otherwise, we need to take the lock to decide, so don't | | 383 | * Otherwise, we need to take the lock to decide, so don't |
384 | * reject just yet. Caller must serialize a call to | | 384 | * reject just yet. Caller must serialize a call to |
385 | * sliwin_update in this case. | | 385 | * sliwin_update in this case. |
386 | */ | | 386 | */ |
387 | return 0; | | 387 | return 0; |
388 | } | | 388 | } |
389 | | | 389 | |
390 | static int | | 390 | static int |
391 | sliwin_update(struct sliwin *W, uint64_t S) | | 391 | sliwin_update(struct sliwin *W, uint64_t S) |
392 | { | | 392 | { |
393 | unsigned word, bit; | | 393 | unsigned word, bit; |
394 | | | 394 | |
395 | /* | | 395 | /* |
396 | * If it's more than one window older than the highest sequence | | 396 | * If it's more than one window older than the highest sequence |
397 | * number we've seen, reject. | | 397 | * number we've seen, reject. |
398 | */ | | 398 | */ |
399 | if (S + SLIWIN_NPKT < W->T) | | 399 | if (S + SLIWIN_NPKT < W->T) |
400 | return EAUTH; | | 400 | return EAUTH; |
401 | | | 401 | |
402 | /* | | 402 | /* |
403 | * If it's higher than the highest sequence number we've seen, | | 403 | * If it's higher than the highest sequence number we've seen, |
404 | * advance the window. | | 404 | * advance the window. |
405 | */ | | 405 | */ |
406 | if (S > W->T) { | | 406 | if (S > W->T) { |
407 | uint64_t i = W->T / SLIWIN_BPW; | | 407 | uint64_t i = W->T / SLIWIN_BPW; |
408 | uint64_t j = S / SLIWIN_BPW; | | 408 | uint64_t j = S / SLIWIN_BPW; |
409 | unsigned k; | | 409 | unsigned k; |
410 | | | 410 | |
411 | for (k = 0; k < MIN(j - i, SLIWIN_WORDS); k++) | | 411 | for (k = 0; k < MIN(j - i, SLIWIN_WORDS); k++) |
412 | W->B[(i + k + 1) % SLIWIN_WORDS] = 0; | | 412 | W->B[(i + k + 1) % SLIWIN_WORDS] = 0; |
413 | #ifdef __HAVE_ATOMIC64_LOADSTORE | | 413 | #ifdef __HAVE_ATOMIC64_LOADSTORE |
414 | atomic_store_relaxed(&W->T, S); | | 414 | atomic_store_relaxed(&W->T, S); |
415 | #else | | 415 | #else |
416 | W->T = S; | | 416 | W->T = S; |
417 | #endif | | 417 | #endif |
418 | } | | 418 | } |
419 | | | 419 | |
420 | /* Test and set the bit -- if already set, reject. */ | | 420 | /* Test and set the bit -- if already set, reject. */ |
421 | word = (S / SLIWIN_BPW) % SLIWIN_WORDS; | | 421 | word = (S / SLIWIN_BPW) % SLIWIN_WORDS; |
422 | bit = S % SLIWIN_BPW; | | 422 | bit = S % SLIWIN_BPW; |
423 | if (W->B[word] & (1UL << bit)) | | 423 | if (W->B[word] & (1UL << bit)) |
424 | return EAUTH; | | 424 | return EAUTH; |
425 | W->B[word] |= 1UL << bit; | | 425 | W->B[word] |= 1UL << bit; |
426 | | | 426 | |
427 | /* Accept! */ | | 427 | /* Accept! */ |
428 | return 0; | | 428 | return 0; |
429 | } | | 429 | } |
430 | | | 430 | |
431 | struct wg_worker { | | 431 | struct wg_worker { |
432 | kmutex_t wgw_lock; | | 432 | kmutex_t wgw_lock; |
433 | kcondvar_t wgw_cv; | | 433 | kcondvar_t wgw_cv; |
434 | bool wgw_todie; | | 434 | bool wgw_todie; |
435 | struct socket *wgw_so4; | | 435 | struct socket *wgw_so4; |
436 | struct socket *wgw_so6; | | 436 | struct socket *wgw_so6; |
437 | int wgw_wakeup_reasons; | | 437 | int wgw_wakeup_reasons; |
438 | #define WG_WAKEUP_REASON_RECEIVE_PACKETS_IPV4 __BIT(0) | | 438 | #define WG_WAKEUP_REASON_RECEIVE_PACKETS_IPV4 __BIT(0) |
439 | #define WG_WAKEUP_REASON_RECEIVE_PACKETS_IPV6 __BIT(1) | | 439 | #define WG_WAKEUP_REASON_RECEIVE_PACKETS_IPV6 __BIT(1) |
440 | #define WG_WAKEUP_REASON_PEER __BIT(2) | | 440 | #define WG_WAKEUP_REASON_PEER __BIT(2) |
441 | }; | | 441 | }; |
442 | | | 442 | |
443 | struct wg_session { | | 443 | struct wg_session { |
444 | struct wg_peer *wgs_peer; | | 444 | struct wg_peer *wgs_peer; |
445 | struct psref_target | | 445 | struct psref_target |
446 | wgs_psref; | | 446 | wgs_psref; |
447 | kmutex_t *wgs_lock; | | 447 | kmutex_t *wgs_lock; |
448 | | | 448 | |
449 | int wgs_state; | | 449 | int wgs_state; |
450 | #define WGS_STATE_UNKNOWN 0 | | 450 | #define WGS_STATE_UNKNOWN 0 |
451 | #define WGS_STATE_INIT_ACTIVE 1 | | 451 | #define WGS_STATE_INIT_ACTIVE 1 |
452 | #define WGS_STATE_INIT_PASSIVE 2 | | 452 | #define WGS_STATE_INIT_PASSIVE 2 |
453 | #define WGS_STATE_ESTABLISHED 3 | | 453 | #define WGS_STATE_ESTABLISHED 3 |
454 | #define WGS_STATE_DESTROYING 4 | | 454 | #define WGS_STATE_DESTROYING 4 |
455 | | | 455 | |
456 | time_t wgs_time_established; | | 456 | time_t wgs_time_established; |
457 | time_t wgs_time_last_data_sent; | | 457 | time_t wgs_time_last_data_sent; |
458 | bool wgs_is_initiator; | | 458 | bool wgs_is_initiator; |
459 | | | 459 | |
460 | uint32_t wgs_sender_index; | | 460 | uint32_t wgs_sender_index; |
461 | uint32_t wgs_receiver_index; | | 461 | uint32_t wgs_receiver_index; |
462 | #ifdef __HAVE_ATOMIC64_LOADSTORE | | 462 | #ifdef __HAVE_ATOMIC64_LOADSTORE |
463 | volatile uint64_t | | 463 | volatile uint64_t |
464 | wgs_send_counter; | | 464 | wgs_send_counter; |
465 | #else | | 465 | #else |
466 | kmutex_t wgs_send_counter_lock; | | 466 | kmutex_t wgs_send_counter_lock; |
467 | uint64_t wgs_send_counter; | | 467 | uint64_t wgs_send_counter; |
468 | #endif | | 468 | #endif |
469 | | | 469 | |
470 | struct { | | 470 | struct { |
471 | kmutex_t lock; | | 471 | kmutex_t lock; |
472 | struct sliwin window; | | 472 | struct sliwin window; |
473 | } *wgs_recvwin; | | 473 | } *wgs_recvwin; |
474 | | | 474 | |
475 | uint8_t wgs_handshake_hash[WG_HASH_LEN]; | | 475 | uint8_t wgs_handshake_hash[WG_HASH_LEN]; |
476 | uint8_t wgs_chaining_key[WG_CHAINING_KEY_LEN]; | | 476 | uint8_t wgs_chaining_key[WG_CHAINING_KEY_LEN]; |
477 | uint8_t wgs_ephemeral_key_pub[WG_EPHEMERAL_KEY_LEN]; | | 477 | uint8_t wgs_ephemeral_key_pub[WG_EPHEMERAL_KEY_LEN]; |
478 | uint8_t wgs_ephemeral_key_priv[WG_EPHEMERAL_KEY_LEN]; | | 478 | uint8_t wgs_ephemeral_key_priv[WG_EPHEMERAL_KEY_LEN]; |
479 | uint8_t wgs_ephemeral_key_peer[WG_EPHEMERAL_KEY_LEN]; | | 479 | uint8_t wgs_ephemeral_key_peer[WG_EPHEMERAL_KEY_LEN]; |
480 | uint8_t wgs_tkey_send[WG_DATA_KEY_LEN]; | | 480 | uint8_t wgs_tkey_send[WG_DATA_KEY_LEN]; |
481 | uint8_t wgs_tkey_recv[WG_DATA_KEY_LEN]; | | 481 | uint8_t wgs_tkey_recv[WG_DATA_KEY_LEN]; |
482 | }; | | 482 | }; |
483 | | | 483 | |
484 | struct wg_sockaddr { | | 484 | struct wg_sockaddr { |
485 | union { | | 485 | union { |
486 | struct sockaddr_storage _ss; | | 486 | struct sockaddr_storage _ss; |
487 | struct sockaddr _sa; | | 487 | struct sockaddr _sa; |
488 | struct sockaddr_in _sin; | | 488 | struct sockaddr_in _sin; |
489 | struct sockaddr_in6 _sin6; | | 489 | struct sockaddr_in6 _sin6; |
490 | }; | | 490 | }; |
491 | struct psref_target wgsa_psref; | | 491 | struct psref_target wgsa_psref; |
492 | }; | | 492 | }; |
493 | | | 493 | |
494 | #define wgsatosa(wgsa) (&(wgsa)->_sa) | | 494 | #define wgsatosa(wgsa) (&(wgsa)->_sa) |
495 | #define wgsatosin(wgsa) (&(wgsa)->_sin) | | 495 | #define wgsatosin(wgsa) (&(wgsa)->_sin) |
496 | #define wgsatosin6(wgsa) (&(wgsa)->_sin6) | | 496 | #define wgsatosin6(wgsa) (&(wgsa)->_sin6) |
497 | | | 497 | |
498 | struct wg_peer; | | 498 | struct wg_peer; |
499 | struct wg_allowedip { | | 499 | struct wg_allowedip { |
500 | struct radix_node wga_nodes[2]; | | 500 | struct radix_node wga_nodes[2]; |
501 | struct wg_sockaddr _wga_sa_addr; | | 501 | struct wg_sockaddr _wga_sa_addr; |
502 | struct wg_sockaddr _wga_sa_mask; | | 502 | struct wg_sockaddr _wga_sa_mask; |
503 | #define wga_sa_addr _wga_sa_addr._sa | | 503 | #define wga_sa_addr _wga_sa_addr._sa |
504 | #define wga_sa_mask _wga_sa_mask._sa | | 504 | #define wga_sa_mask _wga_sa_mask._sa |
505 | | | 505 | |
506 | int wga_family; | | 506 | int wga_family; |
507 | uint8_t wga_cidr; | | 507 | uint8_t wga_cidr; |
508 | union { | | 508 | union { |
509 | struct in_addr _ip4; | | 509 | struct in_addr _ip4; |
510 | struct in6_addr _ip6; | | 510 | struct in6_addr _ip6; |
511 | } wga_addr; | | 511 | } wga_addr; |
512 | #define wga_addr4 wga_addr._ip4 | | 512 | #define wga_addr4 wga_addr._ip4 |
513 | #define wga_addr6 wga_addr._ip6 | | 513 | #define wga_addr6 wga_addr._ip6 |
514 | | | 514 | |
515 | struct wg_peer *wga_peer; | | 515 | struct wg_peer *wga_peer; |
516 | }; | | 516 | }; |
517 | | | 517 | |
518 | typedef uint8_t wg_timestamp_t[WG_TIMESTAMP_LEN]; | | 518 | typedef uint8_t wg_timestamp_t[WG_TIMESTAMP_LEN]; |
519 | | | 519 | |
520 | struct wg_ppsratecheck { | | 520 | struct wg_ppsratecheck { |
521 | struct timeval wgprc_lasttime; | | 521 | struct timeval wgprc_lasttime; |
522 | int wgprc_curpps; | | 522 | int wgprc_curpps; |
523 | }; | | 523 | }; |
524 | | | 524 | |
525 | struct wg_softc; | | 525 | struct wg_softc; |
526 | struct wg_peer { | | 526 | struct wg_peer { |
527 | struct wg_softc *wgp_sc; | | 527 | struct wg_softc *wgp_sc; |
528 | char wgp_name[WG_PEER_NAME_MAXLEN + 1]; | | 528 | char wgp_name[WG_PEER_NAME_MAXLEN + 1]; |
529 | struct pslist_entry wgp_peerlist_entry; | | 529 | struct pslist_entry wgp_peerlist_entry; |
530 | pserialize_t wgp_psz; | | 530 | pserialize_t wgp_psz; |
531 | struct psref_target wgp_psref; | | 531 | struct psref_target wgp_psref; |
532 | kmutex_t *wgp_lock; | | 532 | kmutex_t *wgp_lock; |
533 | | | 533 | |
534 | uint8_t wgp_pubkey[WG_STATIC_KEY_LEN]; | | 534 | uint8_t wgp_pubkey[WG_STATIC_KEY_LEN]; |
535 | struct wg_sockaddr *wgp_endpoint; | | 535 | struct wg_sockaddr *wgp_endpoint; |
536 | #define wgp_ss wgp_endpoint->_ss | | 536 | #define wgp_ss wgp_endpoint->_ss |
537 | #define wgp_sa wgp_endpoint->_sa | | 537 | #define wgp_sa wgp_endpoint->_sa |
538 | #define wgp_sin wgp_endpoint->_sin | | 538 | #define wgp_sin wgp_endpoint->_sin |
539 | #define wgp_sin6 wgp_endpoint->_sin6 | | 539 | #define wgp_sin6 wgp_endpoint->_sin6 |
540 | struct wg_sockaddr *wgp_endpoint0; | | 540 | struct wg_sockaddr *wgp_endpoint0; |
541 | bool wgp_endpoint_changing; | | 541 | bool wgp_endpoint_changing; |
542 | bool wgp_endpoint_available; | | 542 | bool wgp_endpoint_available; |
543 | | | 543 | |
544 | /* The preshared key (optional) */ | | 544 | /* The preshared key (optional) */ |
545 | uint8_t wgp_psk[WG_PRESHARED_KEY_LEN]; | | 545 | uint8_t wgp_psk[WG_PRESHARED_KEY_LEN]; |
546 | | | 546 | |
547 | int wgp_state; | | 547 | int wgp_state; |
548 | #define WGP_STATE_INIT 0 | | 548 | #define WGP_STATE_INIT 0 |
549 | #define WGP_STATE_ESTABLISHED 1 | | 549 | #define WGP_STATE_ESTABLISHED 1 |
550 | #define WGP_STATE_GIVEUP 2 | | 550 | #define WGP_STATE_GIVEUP 2 |
551 | #define WGP_STATE_DESTROYING 3 | | 551 | #define WGP_STATE_DESTROYING 3 |
552 | | | 552 | |
553 | void *wgp_si; | | 553 | void *wgp_si; |
554 | pcq_t *wgp_q; | | 554 | pcq_t *wgp_q; |
555 | | | 555 | |
556 | struct wg_session *wgp_session_stable; | | 556 | struct wg_session *wgp_session_stable; |
557 | struct wg_session *wgp_session_unstable; | | 557 | struct wg_session *wgp_session_unstable; |
558 | | | 558 | |
559 | /* timestamp in big-endian */ | | 559 | /* timestamp in big-endian */ |
560 | wg_timestamp_t wgp_timestamp_latest_init; | | 560 | wg_timestamp_t wgp_timestamp_latest_init; |
561 | | | 561 | |
562 | struct timespec wgp_last_handshake_time; | | 562 | struct timespec wgp_last_handshake_time; |
563 | | | 563 | |
564 | callout_t wgp_rekey_timer; | | 564 | callout_t wgp_rekey_timer; |
565 | callout_t wgp_handshake_timeout_timer; | | 565 | callout_t wgp_handshake_timeout_timer; |
566 | callout_t wgp_session_dtor_timer; | | 566 | callout_t wgp_session_dtor_timer; |
567 | | | 567 | |
568 | time_t wgp_handshake_start_time; | | 568 | time_t wgp_handshake_start_time; |
569 | | | 569 | |
570 | int wgp_n_allowedips; | | 570 | int wgp_n_allowedips; |
571 | struct wg_allowedip wgp_allowedips[WG_ALLOWEDIPS]; | | 571 | struct wg_allowedip wgp_allowedips[WG_ALLOWEDIPS]; |
572 | | | 572 | |
573 | time_t wgp_latest_cookie_time; | | 573 | time_t wgp_latest_cookie_time; |
574 | uint8_t wgp_latest_cookie[WG_COOKIE_LEN]; | | 574 | uint8_t wgp_latest_cookie[WG_COOKIE_LEN]; |
575 | uint8_t wgp_last_sent_mac1[WG_MAC_LEN]; | | 575 | uint8_t wgp_last_sent_mac1[WG_MAC_LEN]; |
576 | bool wgp_last_sent_mac1_valid; | | 576 | bool wgp_last_sent_mac1_valid; |
577 | uint8_t wgp_last_sent_cookie[WG_COOKIE_LEN]; | | 577 | uint8_t wgp_last_sent_cookie[WG_COOKIE_LEN]; |
578 | bool wgp_last_sent_cookie_valid; | | 578 | bool wgp_last_sent_cookie_valid; |
579 | | | 579 | |
580 | time_t wgp_last_msg_received_time[WG_MSG_TYPE_MAX]; | | 580 | time_t wgp_last_msg_received_time[WG_MSG_TYPE_MAX]; |
581 | | | 581 | |
582 | time_t wgp_last_genrandval_time; | | 582 | time_t wgp_last_genrandval_time; |
583 | uint32_t wgp_randval; | | 583 | uint32_t wgp_randval; |
584 | | | 584 | |
585 | struct wg_ppsratecheck wgp_ppsratecheck; | | 585 | struct wg_ppsratecheck wgp_ppsratecheck; |
586 | | | 586 | |
587 | volatile unsigned int wgp_tasks; | | 587 | volatile unsigned int wgp_tasks; |
588 | #define WGP_TASK_SEND_INIT_MESSAGE __BIT(0) | | 588 | #define WGP_TASK_SEND_INIT_MESSAGE __BIT(0) |
589 | #define WGP_TASK_ENDPOINT_CHANGED __BIT(1) | | 589 | #define WGP_TASK_ENDPOINT_CHANGED __BIT(1) |
590 | #define WGP_TASK_SEND_KEEPALIVE_MESSAGE __BIT(2) | | 590 | #define WGP_TASK_SEND_KEEPALIVE_MESSAGE __BIT(2) |
591 | #define WGP_TASK_DESTROY_PREV_SESSION __BIT(3) | | 591 | #define WGP_TASK_DESTROY_PREV_SESSION __BIT(3) |
592 | }; | | 592 | }; |
593 | | | 593 | |
594 | struct wg_ops; | | 594 | struct wg_ops; |
595 | | | 595 | |
596 | struct wg_softc { | | 596 | struct wg_softc { |
597 | struct ifnet wg_if; | | 597 | struct ifnet wg_if; |
598 | LIST_ENTRY(wg_softc) wg_list; | | 598 | LIST_ENTRY(wg_softc) wg_list; |
599 | kmutex_t *wg_lock; | | 599 | kmutex_t *wg_lock; |
600 | krwlock_t *wg_rwlock; | | 600 | krwlock_t *wg_rwlock; |
601 | | | 601 | |
602 | uint8_t wg_privkey[WG_STATIC_KEY_LEN]; | | 602 | uint8_t wg_privkey[WG_STATIC_KEY_LEN]; |
603 | uint8_t wg_pubkey[WG_STATIC_KEY_LEN]; | | 603 | uint8_t wg_pubkey[WG_STATIC_KEY_LEN]; |
604 | | | 604 | |
605 | int wg_npeers; | | 605 | int wg_npeers; |
606 | struct pslist_head wg_peers; | | 606 | struct pslist_head wg_peers; |
607 | struct thmap *wg_peers_bypubkey; | | 607 | struct thmap *wg_peers_bypubkey; |
608 | struct thmap *wg_peers_byname; | | 608 | struct thmap *wg_peers_byname; |
609 | struct thmap *wg_sessions_byindex; | | 609 | struct thmap *wg_sessions_byindex; |
610 | uint16_t wg_listen_port; | | 610 | uint16_t wg_listen_port; |
611 | | | 611 | |
612 | struct wg_worker *wg_worker; | | 612 | struct wg_worker *wg_worker; |
613 | lwp_t *wg_worker_lwp; | | 613 | lwp_t *wg_worker_lwp; |
614 | | | 614 | |
615 | struct radix_node_head *wg_rtable_ipv4; | | 615 | struct radix_node_head *wg_rtable_ipv4; |
616 | struct radix_node_head *wg_rtable_ipv6; | | 616 | struct radix_node_head *wg_rtable_ipv6; |
617 | | | 617 | |
618 | struct wg_ppsratecheck wg_ppsratecheck; | | 618 | struct wg_ppsratecheck wg_ppsratecheck; |
619 | | | 619 | |
620 | struct wg_ops *wg_ops; | | 620 | struct wg_ops *wg_ops; |
621 | | | 621 | |
622 | #ifdef WG_RUMPKERNEL | | 622 | #ifdef WG_RUMPKERNEL |
623 | struct wg_user *wg_user; | | 623 | struct wg_user *wg_user; |
624 | #endif | | 624 | #endif |
625 | }; | | 625 | }; |
626 | | | 626 | |
627 | /* [W] 6.1 Preliminaries */ | | 627 | /* [W] 6.1 Preliminaries */ |
628 | #define WG_REKEY_AFTER_MESSAGES (1ULL << 60) | | 628 | #define WG_REKEY_AFTER_MESSAGES (1ULL << 60) |
629 | #define WG_REJECT_AFTER_MESSAGES (UINT64_MAX - (1 << 13)) | | 629 | #define WG_REJECT_AFTER_MESSAGES (UINT64_MAX - (1 << 13)) |
630 | #define WG_REKEY_AFTER_TIME 120 | | 630 | #define WG_REKEY_AFTER_TIME 120 |
631 | #define WG_REJECT_AFTER_TIME 180 | | 631 | #define WG_REJECT_AFTER_TIME 180 |
632 | #define WG_REKEY_ATTEMPT_TIME 90 | | 632 | #define WG_REKEY_ATTEMPT_TIME 90 |
633 | #define WG_REKEY_TIMEOUT 5 | | 633 | #define WG_REKEY_TIMEOUT 5 |
634 | #define WG_KEEPALIVE_TIMEOUT 10 | | 634 | #define WG_KEEPALIVE_TIMEOUT 10 |
635 | | | 635 | |
636 | #define WG_COOKIE_TIME 120 | | 636 | #define WG_COOKIE_TIME 120 |
637 | #define WG_RANDVAL_TIME (2 * 60) | | 637 | #define WG_RANDVAL_TIME (2 * 60) |
638 | | | 638 | |
639 | static uint64_t wg_rekey_after_messages = WG_REKEY_AFTER_MESSAGES; | | 639 | static uint64_t wg_rekey_after_messages = WG_REKEY_AFTER_MESSAGES; |
640 | static uint64_t wg_reject_after_messages = WG_REJECT_AFTER_MESSAGES; | | 640 | static uint64_t wg_reject_after_messages = WG_REJECT_AFTER_MESSAGES; |
641 | static unsigned wg_rekey_after_time = WG_REKEY_AFTER_TIME; | | 641 | static unsigned wg_rekey_after_time = WG_REKEY_AFTER_TIME; |
642 | static unsigned wg_reject_after_time = WG_REJECT_AFTER_TIME; | | 642 | static unsigned wg_reject_after_time = WG_REJECT_AFTER_TIME; |
643 | static unsigned wg_rekey_attempt_time = WG_REKEY_ATTEMPT_TIME; | | 643 | static unsigned wg_rekey_attempt_time = WG_REKEY_ATTEMPT_TIME; |
644 | static unsigned wg_rekey_timeout = WG_REKEY_TIMEOUT; | | 644 | static unsigned wg_rekey_timeout = WG_REKEY_TIMEOUT; |
645 | static unsigned wg_keepalive_timeout = WG_KEEPALIVE_TIMEOUT; | | 645 | static unsigned wg_keepalive_timeout = WG_KEEPALIVE_TIMEOUT; |
646 | | | 646 | |
647 | static struct mbuf * | | 647 | static struct mbuf * |
648 | wg_get_mbuf(size_t, size_t); | | 648 | wg_get_mbuf(size_t, size_t); |
649 | | | 649 | |
650 | static void wg_wakeup_worker(struct wg_worker *, int); | | 650 | static void wg_wakeup_worker(struct wg_worker *, int); |
651 | | | 651 | |
652 | static int wg_send_data_msg(struct wg_peer *, struct wg_session *, | | 652 | static int wg_send_data_msg(struct wg_peer *, struct wg_session *, |
653 | struct mbuf *); | | 653 | struct mbuf *); |
654 | static int wg_send_cookie_msg(struct wg_softc *, struct wg_peer *, | | 654 | static int wg_send_cookie_msg(struct wg_softc *, struct wg_peer *, |
655 | const uint32_t, const uint8_t [], const struct sockaddr *); | | 655 | const uint32_t, const uint8_t [], const struct sockaddr *); |
656 | static int wg_send_handshake_msg_resp(struct wg_softc *, | | 656 | static int wg_send_handshake_msg_resp(struct wg_softc *, |
657 | struct wg_peer *, const struct wg_msg_init *); | | 657 | struct wg_peer *, const struct wg_msg_init *); |
658 | static void wg_send_keepalive_msg(struct wg_peer *, struct wg_session *); | | 658 | static void wg_send_keepalive_msg(struct wg_peer *, struct wg_session *); |
659 | | | 659 | |
660 | static struct wg_peer * | | 660 | static struct wg_peer * |
661 | wg_pick_peer_by_sa(struct wg_softc *, const struct sockaddr *, | | 661 | wg_pick_peer_by_sa(struct wg_softc *, const struct sockaddr *, |
662 | struct psref *); | | 662 | struct psref *); |
663 | static struct wg_peer * | | 663 | static struct wg_peer * |
664 | wg_lookup_peer_by_pubkey(struct wg_softc *, | | 664 | wg_lookup_peer_by_pubkey(struct wg_softc *, |
665 | const uint8_t [], struct psref *); | | 665 | const uint8_t [], struct psref *); |
666 | | | 666 | |
667 | static struct wg_session * | | 667 | static struct wg_session * |
668 | wg_lookup_session_by_index(struct wg_softc *, | | 668 | wg_lookup_session_by_index(struct wg_softc *, |
669 | const uint32_t, struct psref *); | | 669 | const uint32_t, struct psref *); |
670 | | | 670 | |
671 | static void wg_update_endpoint_if_necessary(struct wg_peer *, | | 671 | static void wg_update_endpoint_if_necessary(struct wg_peer *, |
672 | const struct sockaddr *); | | 672 | const struct sockaddr *); |
673 | | | 673 | |
674 | static void wg_schedule_rekey_timer(struct wg_peer *); | | 674 | static void wg_schedule_rekey_timer(struct wg_peer *); |
675 | static void wg_schedule_session_dtor_timer(struct wg_peer *); | | 675 | static void wg_schedule_session_dtor_timer(struct wg_peer *); |
676 | | | 676 | |
677 | static bool wg_is_underload(struct wg_softc *, struct wg_peer *, int); | | 677 | static bool wg_is_underload(struct wg_softc *, struct wg_peer *, int); |
678 | static void wg_calculate_keys(struct wg_session *, const bool); | | 678 | static void wg_calculate_keys(struct wg_session *, const bool); |
679 | | | 679 | |
680 | static void wg_clear_states(struct wg_session *); | | 680 | static void wg_clear_states(struct wg_session *); |
681 | | | 681 | |
682 | static void wg_get_peer(struct wg_peer *, struct psref *); | | 682 | static void wg_get_peer(struct wg_peer *, struct psref *); |
683 | static void wg_put_peer(struct wg_peer *, struct psref *); | | 683 | static void wg_put_peer(struct wg_peer *, struct psref *); |
684 | | | 684 | |
685 | static int wg_send_so(struct wg_peer *, struct mbuf *); | | 685 | static int wg_send_so(struct wg_peer *, struct mbuf *); |
686 | static int wg_send_udp(struct wg_peer *, struct mbuf *); | | 686 | static int wg_send_udp(struct wg_peer *, struct mbuf *); |
687 | static int wg_output(struct ifnet *, struct mbuf *, | | 687 | static int wg_output(struct ifnet *, struct mbuf *, |
688 | const struct sockaddr *, const struct rtentry *); | | 688 | const struct sockaddr *, const struct rtentry *); |
689 | static void wg_input(struct ifnet *, struct mbuf *, const int); | | 689 | static void wg_input(struct ifnet *, struct mbuf *, const int); |
690 | static int wg_ioctl(struct ifnet *, u_long, void *); | | 690 | static int wg_ioctl(struct ifnet *, u_long, void *); |
691 | static int wg_bind_port(struct wg_softc *, const uint16_t); | | 691 | static int wg_bind_port(struct wg_softc *, const uint16_t); |
692 | static int wg_init(struct ifnet *); | | 692 | static int wg_init(struct ifnet *); |
693 | static void wg_stop(struct ifnet *, int); | | 693 | static void wg_stop(struct ifnet *, int); |
694 | | | 694 | |
695 | static int wg_clone_create(struct if_clone *, int); | | 695 | static int wg_clone_create(struct if_clone *, int); |
696 | static int wg_clone_destroy(struct ifnet *); | | 696 | static int wg_clone_destroy(struct ifnet *); |
697 | | | 697 | |
698 | struct wg_ops { | | 698 | struct wg_ops { |
699 | int (*send_hs_msg)(struct wg_peer *, struct mbuf *); | | 699 | int (*send_hs_msg)(struct wg_peer *, struct mbuf *); |
700 | int (*send_data_msg)(struct wg_peer *, struct mbuf *); | | 700 | int (*send_data_msg)(struct wg_peer *, struct mbuf *); |
701 | void (*input)(struct ifnet *, struct mbuf *, const int); | | 701 | void (*input)(struct ifnet *, struct mbuf *, const int); |
702 | int (*bind_port)(struct wg_softc *, const uint16_t); | | 702 | int (*bind_port)(struct wg_softc *, const uint16_t); |
703 | }; | | 703 | }; |
704 | | | 704 | |
705 | struct wg_ops wg_ops_rumpkernel = { | | 705 | struct wg_ops wg_ops_rumpkernel = { |
706 | .send_hs_msg = wg_send_so, | | 706 | .send_hs_msg = wg_send_so, |
707 | .send_data_msg = wg_send_udp, | | 707 | .send_data_msg = wg_send_udp, |
708 | .input = wg_input, | | 708 | .input = wg_input, |
709 | .bind_port = wg_bind_port, | | 709 | .bind_port = wg_bind_port, |
710 | }; | | 710 | }; |
711 | | | 711 | |
712 | #ifdef WG_RUMPKERNEL | | 712 | #ifdef WG_RUMPKERNEL |
713 | static bool wg_user_mode(struct wg_softc *); | | 713 | static bool wg_user_mode(struct wg_softc *); |
714 | static int wg_ioctl_linkstr(struct wg_softc *, struct ifdrv *); | | 714 | static int wg_ioctl_linkstr(struct wg_softc *, struct ifdrv *); |
715 | | | 715 | |
716 | static int wg_send_user(struct wg_peer *, struct mbuf *); | | 716 | static int wg_send_user(struct wg_peer *, struct mbuf *); |
717 | static void wg_input_user(struct ifnet *, struct mbuf *, const int); | | 717 | static void wg_input_user(struct ifnet *, struct mbuf *, const int); |
718 | static int wg_bind_port_user(struct wg_softc *, const uint16_t); | | 718 | static int wg_bind_port_user(struct wg_softc *, const uint16_t); |
719 | | | 719 | |
720 | struct wg_ops wg_ops_rumpuser = { | | 720 | struct wg_ops wg_ops_rumpuser = { |
721 | .send_hs_msg = wg_send_user, | | 721 | .send_hs_msg = wg_send_user, |
722 | .send_data_msg = wg_send_user, | | 722 | .send_data_msg = wg_send_user, |
723 | .input = wg_input_user, | | 723 | .input = wg_input_user, |
724 | .bind_port = wg_bind_port_user, | | 724 | .bind_port = wg_bind_port_user, |
725 | }; | | 725 | }; |
726 | #endif | | 726 | #endif |
727 | | | 727 | |
728 | #define WG_PEER_READER_FOREACH(wgp, wg) \ | | 728 | #define WG_PEER_READER_FOREACH(wgp, wg) \ |
729 | PSLIST_READER_FOREACH((wgp), &(wg)->wg_peers, struct wg_peer, \ | | 729 | PSLIST_READER_FOREACH((wgp), &(wg)->wg_peers, struct wg_peer, \ |
730 | wgp_peerlist_entry) | | 730 | wgp_peerlist_entry) |
731 | #define WG_PEER_WRITER_FOREACH(wgp, wg) \ | | 731 | #define WG_PEER_WRITER_FOREACH(wgp, wg) \ |
732 | PSLIST_WRITER_FOREACH((wgp), &(wg)->wg_peers, struct wg_peer, \ | | 732 | PSLIST_WRITER_FOREACH((wgp), &(wg)->wg_peers, struct wg_peer, \ |
733 | wgp_peerlist_entry) | | 733 | wgp_peerlist_entry) |
734 | #define WG_PEER_WRITER_INSERT_HEAD(wgp, wg) \ | | 734 | #define WG_PEER_WRITER_INSERT_HEAD(wgp, wg) \ |
735 | PSLIST_WRITER_INSERT_HEAD(&(wg)->wg_peers, (wgp), wgp_peerlist_entry) | | 735 | PSLIST_WRITER_INSERT_HEAD(&(wg)->wg_peers, (wgp), wgp_peerlist_entry) |
736 | #define WG_PEER_WRITER_REMOVE(wgp) \ | | 736 | #define WG_PEER_WRITER_REMOVE(wgp) \ |
737 | PSLIST_WRITER_REMOVE((wgp), wgp_peerlist_entry) | | 737 | PSLIST_WRITER_REMOVE((wgp), wgp_peerlist_entry) |
738 | | | 738 | |
739 | struct wg_route { | | 739 | struct wg_route { |
740 | struct radix_node wgr_nodes[2]; | | 740 | struct radix_node wgr_nodes[2]; |
741 | struct wg_peer *wgr_peer; | | 741 | struct wg_peer *wgr_peer; |
742 | }; | | 742 | }; |
743 | | | 743 | |
744 | static struct radix_node_head * | | 744 | static struct radix_node_head * |
745 | wg_rnh(struct wg_softc *wg, const int family) | | 745 | wg_rnh(struct wg_softc *wg, const int family) |
746 | { | | 746 | { |
747 | | | 747 | |
748 | switch (family) { | | 748 | switch (family) { |
749 | case AF_INET: | | 749 | case AF_INET: |
750 | return wg->wg_rtable_ipv4; | | 750 | return wg->wg_rtable_ipv4; |
751 | #ifdef INET6 | | 751 | #ifdef INET6 |
752 | case AF_INET6: | | 752 | case AF_INET6: |
753 | return wg->wg_rtable_ipv6; | | 753 | return wg->wg_rtable_ipv6; |
754 | #endif | | 754 | #endif |
755 | default: | | 755 | default: |
756 | return NULL; | | 756 | return NULL; |
757 | } | | 757 | } |
758 | } | | 758 | } |
759 | | | 759 | |
760 | | | 760 | |
761 | /* | | 761 | /* |
762 | * Global variables | | 762 | * Global variables |
763 | */ | | 763 | */ |
764 | LIST_HEAD(wg_sclist, wg_softc); | | 764 | LIST_HEAD(wg_sclist, wg_softc); |
765 | static struct { | | 765 | static struct { |
766 | struct wg_sclist list; | | 766 | struct wg_sclist list; |
767 | kmutex_t lock; | | 767 | kmutex_t lock; |
768 | } wg_softcs __cacheline_aligned; | | 768 | } wg_softcs __cacheline_aligned; |
769 | | | 769 | |
770 | struct psref_class *wg_psref_class __read_mostly; | | 770 | struct psref_class *wg_psref_class __read_mostly; |
771 | | | 771 | |
772 | static struct if_clone wg_cloner = | | 772 | static struct if_clone wg_cloner = |
773 | IF_CLONE_INITIALIZER("wg", wg_clone_create, wg_clone_destroy); | | 773 | IF_CLONE_INITIALIZER("wg", wg_clone_create, wg_clone_destroy); |
774 | | | 774 | |
775 | | | 775 | |
776 | void wgattach(int); | | 776 | void wgattach(int); |
777 | /* ARGSUSED */ | | 777 | /* ARGSUSED */ |
778 | void | | 778 | void |
779 | wgattach(int count) | | 779 | wgattach(int count) |
780 | { | | 780 | { |
781 | /* | | 781 | /* |
782 | * Nothing to do here, initialization is handled by the | | 782 | * Nothing to do here, initialization is handled by the |
783 | * module initialization code in wginit() below). | | 783 | * module initialization code in wginit() below). |
784 | */ | | 784 | */ |
785 | } | | 785 | } |
786 | | | 786 | |
787 | static void | | 787 | static void |
788 | wginit(void) | | 788 | wginit(void) |
789 | { | | 789 | { |
790 | | | 790 | |
791 | wg_psref_class = psref_class_create("wg", IPL_SOFTNET); | | 791 | wg_psref_class = psref_class_create("wg", IPL_SOFTNET); |
792 | | | 792 | |
793 | mutex_init(&wg_softcs.lock, MUTEX_DEFAULT, IPL_NONE); | | 793 | mutex_init(&wg_softcs.lock, MUTEX_DEFAULT, IPL_NONE); |
794 | LIST_INIT(&wg_softcs.list); | | 794 | LIST_INIT(&wg_softcs.list); |
795 | if_clone_attach(&wg_cloner); | | 795 | if_clone_attach(&wg_cloner); |
796 | } | | 796 | } |
797 | | | 797 | |
798 | static int | | 798 | static int |
799 | wgdetach(void) | | 799 | wgdetach(void) |
800 | { | | 800 | { |
801 | int error = 0; | | 801 | int error = 0; |
802 | | | 802 | |
803 | mutex_enter(&wg_softcs.lock); | | 803 | mutex_enter(&wg_softcs.lock); |
804 | if (!LIST_EMPTY(&wg_softcs.list)) { | | 804 | if (!LIST_EMPTY(&wg_softcs.list)) { |
805 | mutex_exit(&wg_softcs.lock); | | 805 | mutex_exit(&wg_softcs.lock); |
806 | error = EBUSY; | | 806 | error = EBUSY; |
807 | } | | 807 | } |
808 | | | 808 | |
809 | if (error == 0) { | | 809 | if (error == 0) { |
810 | psref_class_destroy(wg_psref_class); | | 810 | psref_class_destroy(wg_psref_class); |
811 | | | 811 | |
812 | if_clone_detach(&wg_cloner); | | 812 | if_clone_detach(&wg_cloner); |
813 | } | | 813 | } |
814 | | | 814 | |
815 | return error; | | 815 | return error; |
816 | } | | 816 | } |
817 | | | 817 | |
818 | static void | | 818 | static void |
819 | wg_init_key_and_hash(uint8_t ckey[WG_CHAINING_KEY_LEN], | | 819 | wg_init_key_and_hash(uint8_t ckey[WG_CHAINING_KEY_LEN], |
820 | uint8_t hash[WG_HASH_LEN]) | | 820 | uint8_t hash[WG_HASH_LEN]) |
821 | { | | 821 | { |
822 | /* [W] 5.4: CONSTRUCTION */ | | 822 | /* [W] 5.4: CONSTRUCTION */ |
823 | const char *signature = "Noise_IKpsk2_25519_ChaChaPoly_BLAKE2s"; | | 823 | const char *signature = "Noise_IKpsk2_25519_ChaChaPoly_BLAKE2s"; |
824 | /* [W] 5.4: IDENTIFIER */ | | 824 | /* [W] 5.4: IDENTIFIER */ |
825 | const char *id = "WireGuard v1 zx2c4 Jason@zx2c4.com"; | | 825 | const char *id = "WireGuard v1 zx2c4 Jason@zx2c4.com"; |
826 | struct blake2s state; | | 826 | struct blake2s state; |
827 | | | 827 | |
828 | blake2s(ckey, WG_CHAINING_KEY_LEN, NULL, 0, | | 828 | blake2s(ckey, WG_CHAINING_KEY_LEN, NULL, 0, |
829 | signature, strlen(signature)); | | 829 | signature, strlen(signature)); |
830 | | | 830 | |
831 | CTASSERT(WG_HASH_LEN == WG_CHAINING_KEY_LEN); | | 831 | CTASSERT(WG_HASH_LEN == WG_CHAINING_KEY_LEN); |
832 | memcpy(hash, ckey, WG_CHAINING_KEY_LEN); | | 832 | memcpy(hash, ckey, WG_CHAINING_KEY_LEN); |
833 | | | 833 | |
834 | blake2s_init(&state, WG_HASH_LEN, NULL, 0); | | 834 | blake2s_init(&state, WG_HASH_LEN, NULL, 0); |
835 | blake2s_update(&state, ckey, WG_CHAINING_KEY_LEN); | | 835 | blake2s_update(&state, ckey, WG_CHAINING_KEY_LEN); |
836 | blake2s_update(&state, id, strlen(id)); | | 836 | blake2s_update(&state, id, strlen(id)); |
837 | blake2s_final(&state, hash); | | 837 | blake2s_final(&state, hash); |
838 | | | 838 | |
839 | WG_DUMP_HASH("ckey", ckey); | | 839 | WG_DUMP_HASH("ckey", ckey); |
840 | WG_DUMP_HASH("hash", hash); | | 840 | WG_DUMP_HASH("hash", hash); |
841 | } | | 841 | } |
842 | | | 842 | |
843 | static void | | 843 | static void |
844 | wg_algo_hash(uint8_t hash[WG_HASH_LEN], const uint8_t input[], | | 844 | wg_algo_hash(uint8_t hash[WG_HASH_LEN], const uint8_t input[], |
845 | const size_t inputsize) | | 845 | const size_t inputsize) |
846 | { | | 846 | { |
847 | struct blake2s state; | | 847 | struct blake2s state; |
848 | | | 848 | |
849 | blake2s_init(&state, WG_HASH_LEN, NULL, 0); | | 849 | blake2s_init(&state, WG_HASH_LEN, NULL, 0); |
850 | blake2s_update(&state, hash, WG_HASH_LEN); | | 850 | blake2s_update(&state, hash, WG_HASH_LEN); |
851 | blake2s_update(&state, input, inputsize); | | 851 | blake2s_update(&state, input, inputsize); |
852 | blake2s_final(&state, hash); | | 852 | blake2s_final(&state, hash); |
853 | } | | 853 | } |
854 | | | 854 | |
855 | static void | | 855 | static void |
856 | wg_algo_mac(uint8_t out[], const size_t outsize, | | 856 | wg_algo_mac(uint8_t out[], const size_t outsize, |
857 | const uint8_t key[], const size_t keylen, | | 857 | const uint8_t key[], const size_t keylen, |
858 | const uint8_t input1[], const size_t input1len, | | 858 | const uint8_t input1[], const size_t input1len, |
859 | const uint8_t input2[], const size_t input2len) | | 859 | const uint8_t input2[], const size_t input2len) |
860 | { | | 860 | { |
861 | struct blake2s state; | | 861 | struct blake2s state; |
862 | | | 862 | |
863 | blake2s_init(&state, outsize, key, keylen); | | 863 | blake2s_init(&state, outsize, key, keylen); |
864 | | | 864 | |
865 | blake2s_update(&state, input1, input1len); | | 865 | blake2s_update(&state, input1, input1len); |
866 | if (input2 != NULL) | | 866 | if (input2 != NULL) |
867 | blake2s_update(&state, input2, input2len); | | 867 | blake2s_update(&state, input2, input2len); |
868 | blake2s_final(&state, out); | | 868 | blake2s_final(&state, out); |
869 | } | | 869 | } |
870 | | | 870 | |
871 | static void | | 871 | static void |
872 | wg_algo_mac_mac1(uint8_t out[], const size_t outsize, | | 872 | wg_algo_mac_mac1(uint8_t out[], const size_t outsize, |
873 | const uint8_t input1[], const size_t input1len, | | 873 | const uint8_t input1[], const size_t input1len, |
874 | const uint8_t input2[], const size_t input2len) | | 874 | const uint8_t input2[], const size_t input2len) |
875 | { | | 875 | { |
876 | struct blake2s state; | | 876 | struct blake2s state; |
877 | /* [W] 5.4: LABEL-MAC1 */ | | 877 | /* [W] 5.4: LABEL-MAC1 */ |
878 | const char *label = "mac1----"; | | 878 | const char *label = "mac1----"; |
879 | uint8_t key[WG_HASH_LEN]; | | 879 | uint8_t key[WG_HASH_LEN]; |
880 | | | 880 | |
881 | blake2s_init(&state, sizeof(key), NULL, 0); | | 881 | blake2s_init(&state, sizeof(key), NULL, 0); |
882 | blake2s_update(&state, label, strlen(label)); | | 882 | blake2s_update(&state, label, strlen(label)); |
883 | blake2s_update(&state, input1, input1len); | | 883 | blake2s_update(&state, input1, input1len); |
884 | blake2s_final(&state, key); | | 884 | blake2s_final(&state, key); |
885 | | | 885 | |
886 | blake2s_init(&state, outsize, key, sizeof(key)); | | 886 | blake2s_init(&state, outsize, key, sizeof(key)); |
887 | if (input2 != NULL) | | 887 | if (input2 != NULL) |
888 | blake2s_update(&state, input2, input2len); | | 888 | blake2s_update(&state, input2, input2len); |
889 | blake2s_final(&state, out); | | 889 | blake2s_final(&state, out); |
890 | } | | 890 | } |
891 | | | 891 | |
892 | static void | | 892 | static void |
893 | wg_algo_mac_cookie(uint8_t out[], const size_t outsize, | | 893 | wg_algo_mac_cookie(uint8_t out[], const size_t outsize, |
894 | const uint8_t input1[], const size_t input1len) | | 894 | const uint8_t input1[], const size_t input1len) |
895 | { | | 895 | { |
896 | struct blake2s state; | | 896 | struct blake2s state; |
897 | /* [W] 5.4: LABEL-COOKIE */ | | 897 | /* [W] 5.4: LABEL-COOKIE */ |
898 | const char *label = "cookie--"; | | 898 | const char *label = "cookie--"; |
899 | | | 899 | |
900 | blake2s_init(&state, outsize, NULL, 0); | | 900 | blake2s_init(&state, outsize, NULL, 0); |
901 | blake2s_update(&state, label, strlen(label)); | | 901 | blake2s_update(&state, label, strlen(label)); |
902 | blake2s_update(&state, input1, input1len); | | 902 | blake2s_update(&state, input1, input1len); |
903 | blake2s_final(&state, out); | | 903 | blake2s_final(&state, out); |
904 | } | | 904 | } |
905 | | | 905 | |
906 | static void | | 906 | static void |
907 | wg_algo_generate_keypair(uint8_t pubkey[WG_EPHEMERAL_KEY_LEN], | | 907 | wg_algo_generate_keypair(uint8_t pubkey[WG_EPHEMERAL_KEY_LEN], |
908 | uint8_t privkey[WG_EPHEMERAL_KEY_LEN]) | | 908 | uint8_t privkey[WG_EPHEMERAL_KEY_LEN]) |
909 | { | | 909 | { |
910 | | | 910 | |
911 | CTASSERT(WG_EPHEMERAL_KEY_LEN == crypto_scalarmult_curve25519_BYTES); | | 911 | CTASSERT(WG_EPHEMERAL_KEY_LEN == crypto_scalarmult_curve25519_BYTES); |
912 | | | 912 | |
913 | cprng_strong(kern_cprng, privkey, WG_EPHEMERAL_KEY_LEN, 0); | | 913 | cprng_strong(kern_cprng, privkey, WG_EPHEMERAL_KEY_LEN, 0); |
914 | crypto_scalarmult_base(pubkey, privkey); | | 914 | crypto_scalarmult_base(pubkey, privkey); |
915 | } | | 915 | } |
916 | | | 916 | |
917 | static void | | 917 | static void |
918 | wg_algo_dh(uint8_t out[WG_DH_OUTPUT_LEN], | | 918 | wg_algo_dh(uint8_t out[WG_DH_OUTPUT_LEN], |
919 | const uint8_t privkey[WG_STATIC_KEY_LEN], | | 919 | const uint8_t privkey[WG_STATIC_KEY_LEN], |
920 | const uint8_t pubkey[WG_STATIC_KEY_LEN]) | | 920 | const uint8_t pubkey[WG_STATIC_KEY_LEN]) |
921 | { | | 921 | { |
922 | | | 922 | |
923 | CTASSERT(WG_STATIC_KEY_LEN == crypto_scalarmult_curve25519_BYTES); | | 923 | CTASSERT(WG_STATIC_KEY_LEN == crypto_scalarmult_curve25519_BYTES); |
924 | | | 924 | |
925 | int ret __diagused = crypto_scalarmult(out, privkey, pubkey); | | 925 | int ret __diagused = crypto_scalarmult(out, privkey, pubkey); |
926 | KASSERT(ret == 0); | | 926 | KASSERT(ret == 0); |
927 | } | | 927 | } |
928 | | | 928 | |
929 | static void | | 929 | static void |
930 | wg_algo_hmac(uint8_t out[], const size_t outlen, | | 930 | wg_algo_hmac(uint8_t out[], const size_t outlen, |
931 | const uint8_t key[], const size_t keylen, | | 931 | const uint8_t key[], const size_t keylen, |
932 | const uint8_t in[], const size_t inlen) | | 932 | const uint8_t in[], const size_t inlen) |
933 | { | | 933 | { |
934 | #define IPAD 0x36 | | 934 | #define IPAD 0x36 |
935 | #define OPAD 0x5c | | 935 | #define OPAD 0x5c |
936 | uint8_t hmackey[HMAC_BLOCK_LEN] = {0}; | | 936 | uint8_t hmackey[HMAC_BLOCK_LEN] = {0}; |
937 | uint8_t ipad[HMAC_BLOCK_LEN]; | | 937 | uint8_t ipad[HMAC_BLOCK_LEN]; |
938 | uint8_t opad[HMAC_BLOCK_LEN]; | | 938 | uint8_t opad[HMAC_BLOCK_LEN]; |
939 | int i; | | 939 | int i; |
940 | struct blake2s state; | | 940 | struct blake2s state; |
941 | | | 941 | |
942 | KASSERT(outlen == WG_HASH_LEN); | | 942 | KASSERT(outlen == WG_HASH_LEN); |
943 | KASSERT(keylen <= HMAC_BLOCK_LEN); | | 943 | KASSERT(keylen <= HMAC_BLOCK_LEN); |
944 | | | 944 | |
945 | memcpy(hmackey, key, keylen); | | 945 | memcpy(hmackey, key, keylen); |
946 | | | 946 | |
947 | for (i = 0; i < sizeof(hmackey); i++) { | | 947 | for (i = 0; i < sizeof(hmackey); i++) { |
948 | ipad[i] = hmackey[i] ^ IPAD; | | 948 | ipad[i] = hmackey[i] ^ IPAD; |
949 | opad[i] = hmackey[i] ^ OPAD; | | 949 | opad[i] = hmackey[i] ^ OPAD; |
950 | } | | 950 | } |
951 | | | 951 | |
952 | blake2s_init(&state, WG_HASH_LEN, NULL, 0); | | 952 | blake2s_init(&state, WG_HASH_LEN, NULL, 0); |
953 | blake2s_update(&state, ipad, sizeof(ipad)); | | 953 | blake2s_update(&state, ipad, sizeof(ipad)); |
954 | blake2s_update(&state, in, inlen); | | 954 | blake2s_update(&state, in, inlen); |
955 | blake2s_final(&state, out); | | 955 | blake2s_final(&state, out); |
956 | | | 956 | |
957 | blake2s_init(&state, WG_HASH_LEN, NULL, 0); | | 957 | blake2s_init(&state, WG_HASH_LEN, NULL, 0); |
958 | blake2s_update(&state, opad, sizeof(opad)); | | 958 | blake2s_update(&state, opad, sizeof(opad)); |
959 | blake2s_update(&state, out, WG_HASH_LEN); | | 959 | blake2s_update(&state, out, WG_HASH_LEN); |
960 | blake2s_final(&state, out); | | 960 | blake2s_final(&state, out); |
961 | #undef IPAD | | 961 | #undef IPAD |
962 | #undef OPAD | | 962 | #undef OPAD |
963 | } | | 963 | } |
964 | | | 964 | |
965 | static void | | 965 | static void |
966 | wg_algo_kdf(uint8_t out1[WG_KDF_OUTPUT_LEN], uint8_t out2[WG_KDF_OUTPUT_LEN], | | 966 | wg_algo_kdf(uint8_t out1[WG_KDF_OUTPUT_LEN], uint8_t out2[WG_KDF_OUTPUT_LEN], |
967 | uint8_t out3[WG_KDF_OUTPUT_LEN], const uint8_t ckey[WG_CHAINING_KEY_LEN], | | 967 | uint8_t out3[WG_KDF_OUTPUT_LEN], const uint8_t ckey[WG_CHAINING_KEY_LEN], |
968 | const uint8_t input[], const size_t inputlen) | | 968 | const uint8_t input[], const size_t inputlen) |
969 | { | | 969 | { |
970 | uint8_t tmp1[WG_KDF_OUTPUT_LEN], tmp2[WG_KDF_OUTPUT_LEN + 1]; | | 970 | uint8_t tmp1[WG_KDF_OUTPUT_LEN], tmp2[WG_KDF_OUTPUT_LEN + 1]; |
971 | uint8_t one[1]; | | 971 | uint8_t one[1]; |
972 | | | 972 | |
973 | /* | | 973 | /* |
974 | * [N] 4.3: "an input_key_material byte sequence with length | | 974 | * [N] 4.3: "an input_key_material byte sequence with length |
975 | * either zero bytes, 32 bytes, or DHLEN bytes." | | 975 | * either zero bytes, 32 bytes, or DHLEN bytes." |
976 | */ | | 976 | */ |
977 | KASSERT(inputlen == 0 || inputlen == 32 || inputlen == NOISE_DHLEN); | | 977 | KASSERT(inputlen == 0 || inputlen == 32 || inputlen == NOISE_DHLEN); |
978 | | | 978 | |
979 | WG_DUMP_HASH("ckey", ckey); | | 979 | WG_DUMP_HASH("ckey", ckey); |
980 | if (input != NULL) | | 980 | if (input != NULL) |
981 | WG_DUMP_HASH("input", input); | | 981 | WG_DUMP_HASH("input", input); |
982 | wg_algo_hmac(tmp1, sizeof(tmp1), ckey, WG_CHAINING_KEY_LEN, | | 982 | wg_algo_hmac(tmp1, sizeof(tmp1), ckey, WG_CHAINING_KEY_LEN, |
983 | input, inputlen); | | 983 | input, inputlen); |
984 | WG_DUMP_HASH("tmp1", tmp1); | | 984 | WG_DUMP_HASH("tmp1", tmp1); |
985 | one[0] = 1; | | 985 | one[0] = 1; |
986 | wg_algo_hmac(out1, WG_KDF_OUTPUT_LEN, tmp1, sizeof(tmp1), | | 986 | wg_algo_hmac(out1, WG_KDF_OUTPUT_LEN, tmp1, sizeof(tmp1), |
987 | one, sizeof(one)); | | 987 | one, sizeof(one)); |
988 | WG_DUMP_HASH("out1", out1); | | 988 | WG_DUMP_HASH("out1", out1); |
989 | if (out2 == NULL) | | 989 | if (out2 == NULL) |
990 | return; | | 990 | return; |
991 | memcpy(tmp2, out1, WG_KDF_OUTPUT_LEN); | | 991 | memcpy(tmp2, out1, WG_KDF_OUTPUT_LEN); |
992 | tmp2[WG_KDF_OUTPUT_LEN] = 2; | | 992 | tmp2[WG_KDF_OUTPUT_LEN] = 2; |
993 | wg_algo_hmac(out2, WG_KDF_OUTPUT_LEN, tmp1, sizeof(tmp1), | | 993 | wg_algo_hmac(out2, WG_KDF_OUTPUT_LEN, tmp1, sizeof(tmp1), |
994 | tmp2, sizeof(tmp2)); | | 994 | tmp2, sizeof(tmp2)); |
995 | WG_DUMP_HASH("out2", out2); | | 995 | WG_DUMP_HASH("out2", out2); |
996 | if (out3 == NULL) | | 996 | if (out3 == NULL) |
997 | return; | | 997 | return; |
998 | memcpy(tmp2, out2, WG_KDF_OUTPUT_LEN); | | 998 | memcpy(tmp2, out2, WG_KDF_OUTPUT_LEN); |
999 | tmp2[WG_KDF_OUTPUT_LEN] = 3; | | 999 | tmp2[WG_KDF_OUTPUT_LEN] = 3; |
1000 | wg_algo_hmac(out3, WG_KDF_OUTPUT_LEN, tmp1, sizeof(tmp1), | | 1000 | wg_algo_hmac(out3, WG_KDF_OUTPUT_LEN, tmp1, sizeof(tmp1), |
1001 | tmp2, sizeof(tmp2)); | | 1001 | tmp2, sizeof(tmp2)); |
1002 | WG_DUMP_HASH("out3", out3); | | 1002 | WG_DUMP_HASH("out3", out3); |
1003 | } | | 1003 | } |
1004 | | | 1004 | |
1005 | static void | | 1005 | static void |
1006 | wg_algo_dh_kdf(uint8_t ckey[WG_CHAINING_KEY_LEN], | | 1006 | wg_algo_dh_kdf(uint8_t ckey[WG_CHAINING_KEY_LEN], |
1007 | uint8_t cipher_key[WG_CIPHER_KEY_LEN], | | 1007 | uint8_t cipher_key[WG_CIPHER_KEY_LEN], |
1008 | const uint8_t local_key[WG_STATIC_KEY_LEN], | | 1008 | const uint8_t local_key[WG_STATIC_KEY_LEN], |
1009 | const uint8_t remote_key[WG_STATIC_KEY_LEN]) | | 1009 | const uint8_t remote_key[WG_STATIC_KEY_LEN]) |
1010 | { | | 1010 | { |
1011 | uint8_t dhout[WG_DH_OUTPUT_LEN]; | | 1011 | uint8_t dhout[WG_DH_OUTPUT_LEN]; |
1012 | | | 1012 | |
1013 | wg_algo_dh(dhout, local_key, remote_key); | | 1013 | wg_algo_dh(dhout, local_key, remote_key); |
1014 | wg_algo_kdf(ckey, cipher_key, NULL, ckey, dhout, sizeof(dhout)); | | 1014 | wg_algo_kdf(ckey, cipher_key, NULL, ckey, dhout, sizeof(dhout)); |
1015 | | | 1015 | |
1016 | WG_DUMP_HASH("dhout", dhout); | | 1016 | WG_DUMP_HASH("dhout", dhout); |
1017 | WG_DUMP_HASH("ckey", ckey); | | 1017 | WG_DUMP_HASH("ckey", ckey); |
1018 | if (cipher_key != NULL) | | 1018 | if (cipher_key != NULL) |
1019 | WG_DUMP_HASH("cipher_key", cipher_key); | | 1019 | WG_DUMP_HASH("cipher_key", cipher_key); |
1020 | } | | 1020 | } |
1021 | | | 1021 | |
1022 | static void | | 1022 | static void |
1023 | wg_algo_aead_enc(uint8_t out[], size_t expected_outsize, const uint8_t key[], | | 1023 | wg_algo_aead_enc(uint8_t out[], size_t expected_outsize, const uint8_t key[], |
1024 | const uint64_t counter, const uint8_t plain[], const size_t plainsize, | | 1024 | const uint64_t counter, const uint8_t plain[], const size_t plainsize, |
1025 | const uint8_t auth[], size_t authlen) | | 1025 | const uint8_t auth[], size_t authlen) |
1026 | { | | 1026 | { |
1027 | uint8_t nonce[(32 + 64) / 8] = {0}; | | 1027 | uint8_t nonce[(32 + 64) / 8] = {0}; |
1028 | long long unsigned int outsize; | | 1028 | long long unsigned int outsize; |
1029 | int error __diagused; | | 1029 | int error __diagused; |
1030 | | | 1030 | |
1031 | le64enc(&nonce[4], counter); | | 1031 | le64enc(&nonce[4], counter); |
1032 | | | 1032 | |
1033 | error = crypto_aead_chacha20poly1305_ietf_encrypt(out, &outsize, plain, | | 1033 | error = crypto_aead_chacha20poly1305_ietf_encrypt(out, &outsize, plain, |
1034 | plainsize, auth, authlen, NULL, nonce, key); | | 1034 | plainsize, auth, authlen, NULL, nonce, key); |
1035 | KASSERT(error == 0); | | 1035 | KASSERT(error == 0); |
1036 | KASSERT(outsize == expected_outsize); | | 1036 | KASSERT(outsize == expected_outsize); |
1037 | } | | 1037 | } |
1038 | | | 1038 | |
1039 | static int | | 1039 | static int |
1040 | wg_algo_aead_dec(uint8_t out[], size_t expected_outsize, const uint8_t key[], | | 1040 | wg_algo_aead_dec(uint8_t out[], size_t expected_outsize, const uint8_t key[], |
1041 | const uint64_t counter, const uint8_t encrypted[], | | 1041 | const uint64_t counter, const uint8_t encrypted[], |
1042 | const size_t encryptedsize, const uint8_t auth[], size_t authlen) | | 1042 | const size_t encryptedsize, const uint8_t auth[], size_t authlen) |
1043 | { | | 1043 | { |
1044 | uint8_t nonce[(32 + 64) / 8] = {0}; | | 1044 | uint8_t nonce[(32 + 64) / 8] = {0}; |
1045 | long long unsigned int outsize; | | 1045 | long long unsigned int outsize; |
1046 | int error; | | 1046 | int error; |
1047 | | | 1047 | |
1048 | le64enc(&nonce[4], counter); | | 1048 | le64enc(&nonce[4], counter); |
1049 | | | 1049 | |
1050 | error = crypto_aead_chacha20poly1305_ietf_decrypt(out, &outsize, NULL, | | 1050 | error = crypto_aead_chacha20poly1305_ietf_decrypt(out, &outsize, NULL, |
1051 | encrypted, encryptedsize, auth, authlen, nonce, key); | | 1051 | encrypted, encryptedsize, auth, authlen, nonce, key); |
1052 | if (error == 0) | | 1052 | if (error == 0) |
1053 | KASSERT(outsize == expected_outsize); | | 1053 | KASSERT(outsize == expected_outsize); |
1054 | return error; | | 1054 | return error; |
1055 | } | | 1055 | } |
1056 | | | 1056 | |
1057 | static void | | 1057 | static void |
1058 | wg_algo_xaead_enc(uint8_t out[], const size_t expected_outsize, | | 1058 | wg_algo_xaead_enc(uint8_t out[], const size_t expected_outsize, |
1059 | const uint8_t key[], const uint8_t plain[], const size_t plainsize, | | 1059 | const uint8_t key[], const uint8_t plain[], const size_t plainsize, |
1060 | const uint8_t auth[], size_t authlen, | | 1060 | const uint8_t auth[], size_t authlen, |
1061 | const uint8_t nonce[WG_SALT_LEN]) | | 1061 | const uint8_t nonce[WG_SALT_LEN]) |
1062 | { | | 1062 | { |
1063 | long long unsigned int outsize; | | 1063 | long long unsigned int outsize; |
1064 | int error __diagused; | | 1064 | int error __diagused; |
1065 | | | 1065 | |
1066 | CTASSERT(WG_SALT_LEN == crypto_aead_xchacha20poly1305_ietf_NPUBBYTES); | | 1066 | CTASSERT(WG_SALT_LEN == crypto_aead_xchacha20poly1305_ietf_NPUBBYTES); |
1067 | error = crypto_aead_xchacha20poly1305_ietf_encrypt(out, &outsize, | | 1067 | error = crypto_aead_xchacha20poly1305_ietf_encrypt(out, &outsize, |
1068 | plain, plainsize, auth, authlen, NULL, nonce, key); | | 1068 | plain, plainsize, auth, authlen, NULL, nonce, key); |
1069 | KASSERT(error == 0); | | 1069 | KASSERT(error == 0); |
1070 | KASSERT(outsize == expected_outsize); | | 1070 | KASSERT(outsize == expected_outsize); |
1071 | } | | 1071 | } |
1072 | | | 1072 | |
1073 | static int | | 1073 | static int |
1074 | wg_algo_xaead_dec(uint8_t out[], const size_t expected_outsize, | | 1074 | wg_algo_xaead_dec(uint8_t out[], const size_t expected_outsize, |
1075 | const uint8_t key[], const uint8_t encrypted[], const size_t encryptedsize, | | 1075 | const uint8_t key[], const uint8_t encrypted[], const size_t encryptedsize, |
1076 | const uint8_t auth[], size_t authlen, | | 1076 | const uint8_t auth[], size_t authlen, |
1077 | const uint8_t nonce[WG_SALT_LEN]) | | 1077 | const uint8_t nonce[WG_SALT_LEN]) |
1078 | { | | 1078 | { |
1079 | long long unsigned int outsize; | | 1079 | long long unsigned int outsize; |
1080 | int error; | | 1080 | int error; |
1081 | | | 1081 | |
1082 | error = crypto_aead_xchacha20poly1305_ietf_decrypt(out, &outsize, NULL, | | 1082 | error = crypto_aead_xchacha20poly1305_ietf_decrypt(out, &outsize, NULL, |
1083 | encrypted, encryptedsize, auth, authlen, nonce, key); | | 1083 | encrypted, encryptedsize, auth, authlen, nonce, key); |
1084 | if (error == 0) | | 1084 | if (error == 0) |
1085 | KASSERT(outsize == expected_outsize); | | 1085 | KASSERT(outsize == expected_outsize); |
1086 | return error; | | 1086 | return error; |
1087 | } | | 1087 | } |
1088 | | | 1088 | |
1089 | static void | | 1089 | static void |
1090 | wg_algo_tai64n(wg_timestamp_t timestamp) | | 1090 | wg_algo_tai64n(wg_timestamp_t timestamp) |
1091 | { | | 1091 | { |
1092 | struct timespec ts; | | 1092 | struct timespec ts; |
1093 | | | 1093 | |
1094 | /* FIXME strict TAI64N (https://cr.yp.to/libtai/tai64.html) */ | | 1094 | /* FIXME strict TAI64N (https://cr.yp.to/libtai/tai64.html) */ |
1095 | getnanotime(&ts); | | 1095 | getnanotime(&ts); |
1096 | /* TAI64 label in external TAI64 format */ | | 1096 | /* TAI64 label in external TAI64 format */ |
1097 | be32enc(timestamp, 0x40000000UL + (ts.tv_sec >> 32)); | | 1097 | be32enc(timestamp, 0x40000000UL + (ts.tv_sec >> 32)); |
1098 | /* second beginning from 1970 TAI */ | | 1098 | /* second beginning from 1970 TAI */ |
1099 | be32enc(timestamp + 4, ts.tv_sec & 0xffffffffU); | | 1099 | be32enc(timestamp + 4, ts.tv_sec & 0xffffffffU); |
1100 | /* nanosecond in big-endian format */ | | 1100 | /* nanosecond in big-endian format */ |
1101 | be32enc(timestamp + 8, ts.tv_nsec); | | 1101 | be32enc(timestamp + 8, ts.tv_nsec); |
1102 | } | | 1102 | } |
1103 | | | 1103 | |
1104 | static struct wg_session * | | 1104 | static struct wg_session * |
1105 | wg_get_unstable_session(struct wg_peer *wgp, struct psref *psref) | | 1105 | wg_get_unstable_session(struct wg_peer *wgp, struct psref *psref) |
1106 | { | | 1106 | { |
1107 | int s; | | 1107 | int s; |
1108 | struct wg_session *wgs; | | 1108 | struct wg_session *wgs; |
1109 | | | 1109 | |
1110 | s = pserialize_read_enter(); | | 1110 | s = pserialize_read_enter(); |
1111 | wgs = wgp->wgp_session_unstable; | | 1111 | wgs = wgp->wgp_session_unstable; |
1112 | psref_acquire(psref, &wgs->wgs_psref, wg_psref_class); | | 1112 | psref_acquire(psref, &wgs->wgs_psref, wg_psref_class); |
1113 | pserialize_read_exit(s); | | 1113 | pserialize_read_exit(s); |
1114 | return wgs; | | 1114 | return wgs; |
1115 | } | | 1115 | } |
1116 | | | 1116 | |
1117 | static struct wg_session * | | 1117 | static struct wg_session * |
1118 | wg_get_stable_session(struct wg_peer *wgp, struct psref *psref) | | 1118 | wg_get_stable_session(struct wg_peer *wgp, struct psref *psref) |
1119 | { | | 1119 | { |
1120 | int s; | | 1120 | int s; |
1121 | struct wg_session *wgs; | | 1121 | struct wg_session *wgs; |
1122 | | | 1122 | |
1123 | s = pserialize_read_enter(); | | 1123 | s = pserialize_read_enter(); |
1124 | wgs = wgp->wgp_session_stable; | | 1124 | wgs = wgp->wgp_session_stable; |
1125 | psref_acquire(psref, &wgs->wgs_psref, wg_psref_class); | | 1125 | psref_acquire(psref, &wgs->wgs_psref, wg_psref_class); |
1126 | pserialize_read_exit(s); | | 1126 | pserialize_read_exit(s); |
1127 | return wgs; | | 1127 | return wgs; |
1128 | } | | 1128 | } |
1129 | | | 1129 | |
1130 | static void | | 1130 | static void |
1131 | wg_get_session(struct wg_session *wgs, struct psref *psref) | | 1131 | wg_get_session(struct wg_session *wgs, struct psref *psref) |
1132 | { | | 1132 | { |
1133 | | | 1133 | |
1134 | psref_acquire(psref, &wgs->wgs_psref, wg_psref_class); | | 1134 | psref_acquire(psref, &wgs->wgs_psref, wg_psref_class); |
1135 | } | | 1135 | } |
1136 | | | 1136 | |
1137 | static void | | 1137 | static void |
1138 | wg_put_session(struct wg_session *wgs, struct psref *psref) | | 1138 | wg_put_session(struct wg_session *wgs, struct psref *psref) |
1139 | { | | 1139 | { |
1140 | | | 1140 | |
1141 | psref_release(psref, &wgs->wgs_psref, wg_psref_class); | | 1141 | psref_release(psref, &wgs->wgs_psref, wg_psref_class); |
1142 | } | | 1142 | } |
1143 | | | 1143 | |
1144 | static struct wg_session * | | 1144 | static struct wg_session * |
1145 | wg_lock_unstable_session(struct wg_peer *wgp) | | 1145 | wg_lock_unstable_session(struct wg_peer *wgp) |
1146 | { | | 1146 | { |
1147 | struct wg_session *wgs; | | 1147 | struct wg_session *wgs; |
1148 | | | 1148 | |
1149 | mutex_enter(wgp->wgp_lock); | | 1149 | mutex_enter(wgp->wgp_lock); |
1150 | wgs = wgp->wgp_session_unstable; | | 1150 | wgs = wgp->wgp_session_unstable; |
1151 | mutex_enter(wgs->wgs_lock); | | 1151 | mutex_enter(wgs->wgs_lock); |
1152 | mutex_exit(wgp->wgp_lock); | | 1152 | mutex_exit(wgp->wgp_lock); |
1153 | return wgs; | | 1153 | return wgs; |
1154 | } | | 1154 | } |
1155 | | | 1155 | |
1156 | #if 0 | | 1156 | #if 0 |
1157 | static void | | 1157 | static void |
1158 | wg_unlock_session(struct wg_peer *wgp, struct wg_session *wgs) | | 1158 | wg_unlock_session(struct wg_peer *wgp, struct wg_session *wgs) |
1159 | { | | 1159 | { |
1160 | | | 1160 | |
1161 | mutex_exit(wgs->wgs_lock); | | 1161 | mutex_exit(wgs->wgs_lock); |
1162 | } | | 1162 | } |
1163 | #endif | | 1163 | #endif |
1164 | | | 1164 | |
1165 | static uint32_t | | 1165 | static uint32_t |
1166 | wg_assign_sender_index(struct wg_softc *wg, struct wg_session *wgs) | | 1166 | wg_assign_sender_index(struct wg_softc *wg, struct wg_session *wgs) |
1167 | { | | 1167 | { |
1168 | struct wg_peer *wgp = wgs->wgs_peer; | | 1168 | struct wg_peer *wgp = wgs->wgs_peer; |
1169 | struct wg_session *wgs0; | | 1169 | struct wg_session *wgs0; |
1170 | uint32_t index; | | 1170 | uint32_t index; |
1171 | void *garbage; | | 1171 | void *garbage; |
1172 | | | 1172 | |
1173 | mutex_enter(wgs->wgs_lock); | | 1173 | mutex_enter(wgs->wgs_lock); |
1174 | | | 1174 | |
1175 | /* Release the current index, if there is one. */ | | 1175 | /* Release the current index, if there is one. */ |
1176 | while ((index = wgs->wgs_sender_index) != 0) { | | 1176 | while ((index = wgs->wgs_sender_index) != 0) { |
1177 | /* Remove the session by index. */ | | 1177 | /* Remove the session by index. */ |
1178 | thmap_del(wg->wg_sessions_byindex, &index, sizeof index); | | 1178 | thmap_del(wg->wg_sessions_byindex, &index, sizeof index); |
1179 | wgs->wgs_sender_index = 0; | | 1179 | wgs->wgs_sender_index = 0; |
1180 | mutex_exit(wgs->wgs_lock); | | 1180 | mutex_exit(wgs->wgs_lock); |
1181 | | | 1181 | |
1182 | /* Wait for all thmap_gets to complete, and GC. */ | | 1182 | /* Wait for all thmap_gets to complete, and GC. */ |
1183 | garbage = thmap_stage_gc(wg->wg_sessions_byindex); | | 1183 | garbage = thmap_stage_gc(wg->wg_sessions_byindex); |
1184 | mutex_enter(wgs->wgs_peer->wgp_lock); | | 1184 | mutex_enter(wgs->wgs_peer->wgp_lock); |
1185 | pserialize_perform(wgp->wgp_psz); | | 1185 | pserialize_perform(wgp->wgp_psz); |
1186 | mutex_exit(wgs->wgs_peer->wgp_lock); | | 1186 | mutex_exit(wgs->wgs_peer->wgp_lock); |
1187 | thmap_gc(wg->wg_sessions_byindex, garbage); | | 1187 | thmap_gc(wg->wg_sessions_byindex, garbage); |
1188 | | | 1188 | |
1189 | mutex_enter(wgs->wgs_lock); | | 1189 | mutex_enter(wgs->wgs_lock); |
1190 | } | | 1190 | } |
1191 | | | 1191 | |
1192 | restart: | | 1192 | restart: |
1193 | /* Pick a uniform random nonzero index. */ | | 1193 | /* Pick a uniform random nonzero index. */ |
1194 | while (__predict_false((index = cprng_strong32()) == 0)) | | 1194 | while (__predict_false((index = cprng_strong32()) == 0)) |
1195 | continue; | | 1195 | continue; |
1196 | | | 1196 | |
1197 | /* Try to take it. */ | | 1197 | /* Try to take it. */ |
1198 | wgs->wgs_sender_index = index; | | 1198 | wgs->wgs_sender_index = index; |
1199 | wgs0 = thmap_put(wg->wg_sessions_byindex, | | 1199 | wgs0 = thmap_put(wg->wg_sessions_byindex, |
1200 | &wgs->wgs_sender_index, sizeof wgs->wgs_sender_index, wgs); | | 1200 | &wgs->wgs_sender_index, sizeof wgs->wgs_sender_index, wgs); |
1201 | | | 1201 | |
1202 | /* If someone else beat us, start over. */ | | 1202 | /* If someone else beat us, start over. */ |
1203 | if (__predict_false(wgs0 != wgs)) | | 1203 | if (__predict_false(wgs0 != wgs)) |
1204 | goto restart; | | 1204 | goto restart; |
1205 | | | 1205 | |
1206 | mutex_exit(wgs->wgs_lock); | | 1206 | mutex_exit(wgs->wgs_lock); |
1207 | | | 1207 | |
1208 | return index; | | 1208 | return index; |
1209 | } | | 1209 | } |
1210 | | | 1210 | |
1211 | /* | | 1211 | /* |
1212 | * Handshake patterns | | 1212 | * Handshake patterns |
1213 | * | | 1213 | * |
1214 | * [W] 5: "These messages use the "IK" pattern from Noise" | | 1214 | * [W] 5: "These messages use the "IK" pattern from Noise" |
1215 | * [N] 7.5. Interactive handshake patterns (fundamental) | | 1215 | * [N] 7.5. Interactive handshake patterns (fundamental) |
1216 | * "The first character refers to the initiator’s static key:" | | 1216 | * "The first character refers to the initiator’s static key:" |
1217 | * "I = Static key for initiator Immediately transmitted to responder, | | 1217 | * "I = Static key for initiator Immediately transmitted to responder, |
1218 | * despite reduced or absent identity hiding" | | 1218 | * despite reduced or absent identity hiding" |
1219 | * "The second character refers to the responder’s static key:" | | 1219 | * "The second character refers to the responder’s static key:" |
1220 | * "K = Static key for responder Known to initiator" | | 1220 | * "K = Static key for responder Known to initiator" |
1221 | * "IK: | | 1221 | * "IK: |
1222 | * <- s | | 1222 | * <- s |
1223 | * ... | | 1223 | * ... |
1224 | * -> e, es, s, ss | | 1224 | * -> e, es, s, ss |
1225 | * <- e, ee, se" | | 1225 | * <- e, ee, se" |
1226 | * [N] 9.4. Pattern modifiers | | 1226 | * [N] 9.4. Pattern modifiers |
1227 | * "IKpsk2: | | 1227 | * "IKpsk2: |
1228 | * <- s | | 1228 | * <- s |
1229 | * ... | | 1229 | * ... |
1230 | * -> e, es, s, ss | | 1230 | * -> e, es, s, ss |
1231 | * <- e, ee, se, psk" | | 1231 | * <- e, ee, se, psk" |
1232 | */ | | 1232 | */ |
1233 | static void | | 1233 | static void |
1234 | wg_fill_msg_init(struct wg_softc *wg, struct wg_peer *wgp, | | 1234 | wg_fill_msg_init(struct wg_softc *wg, struct wg_peer *wgp, |
1235 | struct wg_session *wgs, struct wg_msg_init *wgmi) | | 1235 | struct wg_session *wgs, struct wg_msg_init *wgmi) |
1236 | { | | 1236 | { |
1237 | uint8_t ckey[WG_CHAINING_KEY_LEN]; /* [W] 5.4.2: Ci */ | | 1237 | uint8_t ckey[WG_CHAINING_KEY_LEN]; /* [W] 5.4.2: Ci */ |
1238 | uint8_t hash[WG_HASH_LEN]; /* [W] 5.4.2: Hi */ | | 1238 | uint8_t hash[WG_HASH_LEN]; /* [W] 5.4.2: Hi */ |
1239 | uint8_t cipher_key[WG_CIPHER_KEY_LEN]; | | 1239 | uint8_t cipher_key[WG_CIPHER_KEY_LEN]; |
1240 | uint8_t pubkey[WG_EPHEMERAL_KEY_LEN]; | | 1240 | uint8_t pubkey[WG_EPHEMERAL_KEY_LEN]; |
1241 | uint8_t privkey[WG_EPHEMERAL_KEY_LEN]; | | 1241 | uint8_t privkey[WG_EPHEMERAL_KEY_LEN]; |
1242 | | | 1242 | |
1243 | wgmi->wgmi_type = htole32(WG_MSG_TYPE_INIT); | | 1243 | wgmi->wgmi_type = htole32(WG_MSG_TYPE_INIT); |
1244 | wgmi->wgmi_sender = wg_assign_sender_index(wg, wgs); | | 1244 | wgmi->wgmi_sender = wg_assign_sender_index(wg, wgs); |
1245 | | | 1245 | |
1246 | /* [W] 5.4.2: First Message: Initiator to Responder */ | | 1246 | /* [W] 5.4.2: First Message: Initiator to Responder */ |
1247 | | | 1247 | |
1248 | /* Ci := HASH(CONSTRUCTION) */ | | 1248 | /* Ci := HASH(CONSTRUCTION) */ |
1249 | /* Hi := HASH(Ci || IDENTIFIER) */ | | 1249 | /* Hi := HASH(Ci || IDENTIFIER) */ |
1250 | wg_init_key_and_hash(ckey, hash); | | 1250 | wg_init_key_and_hash(ckey, hash); |
1251 | /* Hi := HASH(Hi || Sr^pub) */ | | 1251 | /* Hi := HASH(Hi || Sr^pub) */ |
1252 | wg_algo_hash(hash, wgp->wgp_pubkey, sizeof(wgp->wgp_pubkey)); | | 1252 | wg_algo_hash(hash, wgp->wgp_pubkey, sizeof(wgp->wgp_pubkey)); |
1253 | | | 1253 | |
1254 | WG_DUMP_HASH("hash", hash); | | 1254 | WG_DUMP_HASH("hash", hash); |
1255 | | | 1255 | |
1256 | /* [N] 2.2: "e" */ | | 1256 | /* [N] 2.2: "e" */ |
1257 | /* Ei^priv, Ei^pub := DH-GENERATE() */ | | 1257 | /* Ei^priv, Ei^pub := DH-GENERATE() */ |
1258 | wg_algo_generate_keypair(pubkey, privkey); | | 1258 | wg_algo_generate_keypair(pubkey, privkey); |
1259 | /* Ci := KDF1(Ci, Ei^pub) */ | | 1259 | /* Ci := KDF1(Ci, Ei^pub) */ |
1260 | wg_algo_kdf(ckey, NULL, NULL, ckey, pubkey, sizeof(pubkey)); | | 1260 | wg_algo_kdf(ckey, NULL, NULL, ckey, pubkey, sizeof(pubkey)); |
1261 | /* msg.ephemeral := Ei^pub */ | | 1261 | /* msg.ephemeral := Ei^pub */ |
1262 | memcpy(wgmi->wgmi_ephemeral, pubkey, sizeof(wgmi->wgmi_ephemeral)); | | 1262 | memcpy(wgmi->wgmi_ephemeral, pubkey, sizeof(wgmi->wgmi_ephemeral)); |
1263 | /* Hi := HASH(Hi || msg.ephemeral) */ | | 1263 | /* Hi := HASH(Hi || msg.ephemeral) */ |
1264 | wg_algo_hash(hash, pubkey, sizeof(pubkey)); | | 1264 | wg_algo_hash(hash, pubkey, sizeof(pubkey)); |
1265 | | | 1265 | |
1266 | WG_DUMP_HASH("ckey", ckey); | | 1266 | WG_DUMP_HASH("ckey", ckey); |
1267 | WG_DUMP_HASH("hash", hash); | | 1267 | WG_DUMP_HASH("hash", hash); |
1268 | | | 1268 | |
1269 | /* [N] 2.2: "es" */ | | 1269 | /* [N] 2.2: "es" */ |
1270 | /* Ci, k := KDF2(Ci, DH(Ei^priv, Sr^pub)) */ | | 1270 | /* Ci, k := KDF2(Ci, DH(Ei^priv, Sr^pub)) */ |
1271 | wg_algo_dh_kdf(ckey, cipher_key, privkey, wgp->wgp_pubkey); | | 1271 | wg_algo_dh_kdf(ckey, cipher_key, privkey, wgp->wgp_pubkey); |
1272 | | | 1272 | |
1273 | /* [N] 2.2: "s" */ | | 1273 | /* [N] 2.2: "s" */ |
1274 | /* msg.static := AEAD(k, 0, Si^pub, Hi) */ | | 1274 | /* msg.static := AEAD(k, 0, Si^pub, Hi) */ |
1275 | wg_algo_aead_enc(wgmi->wgmi_static, sizeof(wgmi->wgmi_static), | | 1275 | wg_algo_aead_enc(wgmi->wgmi_static, sizeof(wgmi->wgmi_static), |
1276 | cipher_key, 0, wg->wg_pubkey, sizeof(wg->wg_pubkey), | | 1276 | cipher_key, 0, wg->wg_pubkey, sizeof(wg->wg_pubkey), |
1277 | hash, sizeof(hash)); | | 1277 | hash, sizeof(hash)); |
1278 | /* Hi := HASH(Hi || msg.static) */ | | 1278 | /* Hi := HASH(Hi || msg.static) */ |
1279 | wg_algo_hash(hash, wgmi->wgmi_static, sizeof(wgmi->wgmi_static)); | | 1279 | wg_algo_hash(hash, wgmi->wgmi_static, sizeof(wgmi->wgmi_static)); |
1280 | | | 1280 | |
1281 | WG_DUMP_HASH48("wgmi_static", wgmi->wgmi_static); | | 1281 | WG_DUMP_HASH48("wgmi_static", wgmi->wgmi_static); |
1282 | | | 1282 | |
1283 | /* [N] 2.2: "ss" */ | | 1283 | /* [N] 2.2: "ss" */ |
1284 | /* Ci, k := KDF2(Ci, DH(Si^priv, Sr^pub)) */ | | 1284 | /* Ci, k := KDF2(Ci, DH(Si^priv, Sr^pub)) */ |
1285 | wg_algo_dh_kdf(ckey, cipher_key, wg->wg_privkey, wgp->wgp_pubkey); | | 1285 | wg_algo_dh_kdf(ckey, cipher_key, wg->wg_privkey, wgp->wgp_pubkey); |
1286 | | | 1286 | |
1287 | /* msg.timestamp := AEAD(k, TIMESTAMP(), Hi) */ | | 1287 | /* msg.timestamp := AEAD(k, TIMESTAMP(), Hi) */ |
1288 | wg_timestamp_t timestamp; | | 1288 | wg_timestamp_t timestamp; |
1289 | wg_algo_tai64n(timestamp); | | 1289 | wg_algo_tai64n(timestamp); |
1290 | wg_algo_aead_enc(wgmi->wgmi_timestamp, sizeof(wgmi->wgmi_timestamp), | | 1290 | wg_algo_aead_enc(wgmi->wgmi_timestamp, sizeof(wgmi->wgmi_timestamp), |
1291 | cipher_key, 0, timestamp, sizeof(timestamp), hash, sizeof(hash)); | | 1291 | cipher_key, 0, timestamp, sizeof(timestamp), hash, sizeof(hash)); |
1292 | /* Hi := HASH(Hi || msg.timestamp) */ | | 1292 | /* Hi := HASH(Hi || msg.timestamp) */ |
1293 | wg_algo_hash(hash, wgmi->wgmi_timestamp, sizeof(wgmi->wgmi_timestamp)); | | 1293 | wg_algo_hash(hash, wgmi->wgmi_timestamp, sizeof(wgmi->wgmi_timestamp)); |
1294 | | | 1294 | |
1295 | /* [W] 5.4.4 Cookie MACs */ | | 1295 | /* [W] 5.4.4 Cookie MACs */ |
1296 | wg_algo_mac_mac1(wgmi->wgmi_mac1, sizeof(wgmi->wgmi_mac1), | | 1296 | wg_algo_mac_mac1(wgmi->wgmi_mac1, sizeof(wgmi->wgmi_mac1), |
1297 | wgp->wgp_pubkey, sizeof(wgp->wgp_pubkey), | | 1297 | wgp->wgp_pubkey, sizeof(wgp->wgp_pubkey), |
1298 | (const uint8_t *)wgmi, offsetof(struct wg_msg_init, wgmi_mac1)); | | 1298 | (const uint8_t *)wgmi, offsetof(struct wg_msg_init, wgmi_mac1)); |
1299 | /* Need mac1 to decrypt a cookie from a cookie message */ | | 1299 | /* Need mac1 to decrypt a cookie from a cookie message */ |
1300 | memcpy(wgp->wgp_last_sent_mac1, wgmi->wgmi_mac1, | | 1300 | memcpy(wgp->wgp_last_sent_mac1, wgmi->wgmi_mac1, |
1301 | sizeof(wgp->wgp_last_sent_mac1)); | | 1301 | sizeof(wgp->wgp_last_sent_mac1)); |
1302 | wgp->wgp_last_sent_mac1_valid = true; | | 1302 | wgp->wgp_last_sent_mac1_valid = true; |
1303 | | | 1303 | |
1304 | if (wgp->wgp_latest_cookie_time == 0 || | | 1304 | if (wgp->wgp_latest_cookie_time == 0 || |
1305 | (time_uptime - wgp->wgp_latest_cookie_time) >= WG_COOKIE_TIME) | | 1305 | (time_uptime - wgp->wgp_latest_cookie_time) >= WG_COOKIE_TIME) |
1306 | memset(wgmi->wgmi_mac2, 0, sizeof(wgmi->wgmi_mac2)); | | 1306 | memset(wgmi->wgmi_mac2, 0, sizeof(wgmi->wgmi_mac2)); |
1307 | else { | | 1307 | else { |
1308 | wg_algo_mac(wgmi->wgmi_mac2, sizeof(wgmi->wgmi_mac2), | | 1308 | wg_algo_mac(wgmi->wgmi_mac2, sizeof(wgmi->wgmi_mac2), |
1309 | wgp->wgp_latest_cookie, WG_COOKIE_LEN, | | 1309 | wgp->wgp_latest_cookie, WG_COOKIE_LEN, |
1310 | (const uint8_t *)wgmi, | | 1310 | (const uint8_t *)wgmi, |
1311 | offsetof(struct wg_msg_init, wgmi_mac2), | | 1311 | offsetof(struct wg_msg_init, wgmi_mac2), |
1312 | NULL, 0); | | 1312 | NULL, 0); |
1313 | } | | 1313 | } |
1314 | | | 1314 | |
1315 | memcpy(wgs->wgs_ephemeral_key_pub, pubkey, sizeof(pubkey)); | | 1315 | memcpy(wgs->wgs_ephemeral_key_pub, pubkey, sizeof(pubkey)); |
1316 | memcpy(wgs->wgs_ephemeral_key_priv, privkey, sizeof(privkey)); | | 1316 | memcpy(wgs->wgs_ephemeral_key_priv, privkey, sizeof(privkey)); |
1317 | memcpy(wgs->wgs_handshake_hash, hash, sizeof(hash)); | | 1317 | memcpy(wgs->wgs_handshake_hash, hash, sizeof(hash)); |
1318 | memcpy(wgs->wgs_chaining_key, ckey, sizeof(ckey)); | | 1318 | memcpy(wgs->wgs_chaining_key, ckey, sizeof(ckey)); |
1319 | WG_DLOG("%s: sender=%x\n", __func__, wgs->wgs_sender_index); | | 1319 | WG_DLOG("%s: sender=%x\n", __func__, wgs->wgs_sender_index); |
1320 | } | | 1320 | } |
1321 | | | 1321 | |
1322 | static void | | 1322 | static void |
1323 | wg_handle_msg_init(struct wg_softc *wg, const struct wg_msg_init *wgmi, | | 1323 | wg_handle_msg_init(struct wg_softc *wg, const struct wg_msg_init *wgmi, |
1324 | const struct sockaddr *src) | | 1324 | const struct sockaddr *src) |
1325 | { | | 1325 | { |
1326 | uint8_t ckey[WG_CHAINING_KEY_LEN]; /* [W] 5.4.2: Ci */ | | 1326 | uint8_t ckey[WG_CHAINING_KEY_LEN]; /* [W] 5.4.2: Ci */ |
1327 | uint8_t hash[WG_HASH_LEN]; /* [W] 5.4.2: Hi */ | | 1327 | uint8_t hash[WG_HASH_LEN]; /* [W] 5.4.2: Hi */ |
1328 | uint8_t cipher_key[WG_CIPHER_KEY_LEN]; | | 1328 | uint8_t cipher_key[WG_CIPHER_KEY_LEN]; |
1329 | uint8_t peer_pubkey[WG_STATIC_KEY_LEN]; | | 1329 | uint8_t peer_pubkey[WG_STATIC_KEY_LEN]; |
1330 | struct wg_peer *wgp; | | 1330 | struct wg_peer *wgp; |
1331 | struct wg_session *wgs; | | 1331 | struct wg_session *wgs; |
1332 | bool reset_state_on_error = false; | | | |
1333 | int error, ret; | | 1332 | int error, ret; |
1334 | struct psref psref_peer; | | 1333 | struct psref psref_peer; |
1335 | struct psref psref_session; | | 1334 | struct psref psref_session; |
1336 | uint8_t mac1[WG_MAC_LEN]; | | 1335 | uint8_t mac1[WG_MAC_LEN]; |
1337 | | | 1336 | |
1338 | WG_TRACE("init msg received"); | | 1337 | WG_TRACE("init msg received"); |
1339 | | | 1338 | |
1340 | /* | | 1339 | /* |
1341 | * [W] 5.4.2: First Message: Initiator to Responder | | 1340 | * [W] 5.4.2: First Message: Initiator to Responder |
1342 | * "When the responder receives this message, it does the same | | 1341 | * "When the responder receives this message, it does the same |
1343 | * operations so that its final state variables are identical, | | 1342 | * operations so that its final state variables are identical, |
1344 | * replacing the operands of the DH function to produce equivalent | | 1343 | * replacing the operands of the DH function to produce equivalent |
1345 | * values." | | 1344 | * values." |
1346 | * Note that the following comments of operations are just copies of | | 1345 | * Note that the following comments of operations are just copies of |
1347 | * the initiator's ones. | | 1346 | * the initiator's ones. |
1348 | */ | | 1347 | */ |
1349 | | | 1348 | |
1350 | /* Ci := HASH(CONSTRUCTION) */ | | 1349 | /* Ci := HASH(CONSTRUCTION) */ |
1351 | /* Hi := HASH(Ci || IDENTIFIER) */ | | 1350 | /* Hi := HASH(Ci || IDENTIFIER) */ |
1352 | wg_init_key_and_hash(ckey, hash); | | 1351 | wg_init_key_and_hash(ckey, hash); |
1353 | /* Hi := HASH(Hi || Sr^pub) */ | | 1352 | /* Hi := HASH(Hi || Sr^pub) */ |
1354 | wg_algo_hash(hash, wg->wg_pubkey, sizeof(wg->wg_pubkey)); | | 1353 | wg_algo_hash(hash, wg->wg_pubkey, sizeof(wg->wg_pubkey)); |
1355 | | | 1354 | |
1356 | /* [N] 2.2: "e" */ | | 1355 | /* [N] 2.2: "e" */ |
1357 | /* Ci := KDF1(Ci, Ei^pub) */ | | 1356 | /* Ci := KDF1(Ci, Ei^pub) */ |
1358 | wg_algo_kdf(ckey, NULL, NULL, ckey, wgmi->wgmi_ephemeral, | | 1357 | wg_algo_kdf(ckey, NULL, NULL, ckey, wgmi->wgmi_ephemeral, |
1359 | sizeof(wgmi->wgmi_ephemeral)); | | 1358 | sizeof(wgmi->wgmi_ephemeral)); |
1360 | /* Hi := HASH(Hi || msg.ephemeral) */ | | 1359 | /* Hi := HASH(Hi || msg.ephemeral) */ |
1361 | wg_algo_hash(hash, wgmi->wgmi_ephemeral, sizeof(wgmi->wgmi_ephemeral)); | | 1360 | wg_algo_hash(hash, wgmi->wgmi_ephemeral, sizeof(wgmi->wgmi_ephemeral)); |
1362 | | | 1361 | |
1363 | WG_DUMP_HASH("ckey", ckey); | | 1362 | WG_DUMP_HASH("ckey", ckey); |
1364 | | | 1363 | |
1365 | /* [N] 2.2: "es" */ | | 1364 | /* [N] 2.2: "es" */ |
1366 | /* Ci, k := KDF2(Ci, DH(Ei^priv, Sr^pub)) */ | | 1365 | /* Ci, k := KDF2(Ci, DH(Ei^priv, Sr^pub)) */ |
1367 | wg_algo_dh_kdf(ckey, cipher_key, wg->wg_privkey, wgmi->wgmi_ephemeral); | | 1366 | wg_algo_dh_kdf(ckey, cipher_key, wg->wg_privkey, wgmi->wgmi_ephemeral); |
1368 | | | 1367 | |
1369 | WG_DUMP_HASH48("wgmi_static", wgmi->wgmi_static); | | 1368 | WG_DUMP_HASH48("wgmi_static", wgmi->wgmi_static); |
1370 | | | 1369 | |
1371 | /* [N] 2.2: "s" */ | | 1370 | /* [N] 2.2: "s" */ |
1372 | /* msg.static := AEAD(k, 0, Si^pub, Hi) */ | | 1371 | /* msg.static := AEAD(k, 0, Si^pub, Hi) */ |
1373 | error = wg_algo_aead_dec(peer_pubkey, WG_STATIC_KEY_LEN, cipher_key, 0, | | 1372 | error = wg_algo_aead_dec(peer_pubkey, WG_STATIC_KEY_LEN, cipher_key, 0, |
1374 | wgmi->wgmi_static, sizeof(wgmi->wgmi_static), hash, sizeof(hash)); | | 1373 | wgmi->wgmi_static, sizeof(wgmi->wgmi_static), hash, sizeof(hash)); |
1375 | if (error != 0) { | | 1374 | if (error != 0) { |
1376 | WG_LOG_RATECHECK(&wg->wg_ppsratecheck, LOG_DEBUG, | | 1375 | WG_LOG_RATECHECK(&wg->wg_ppsratecheck, LOG_DEBUG, |
1377 | "wg_algo_aead_dec for secret key failed\n"); | | 1376 | "wg_algo_aead_dec for secret key failed\n"); |
1378 | return; | | 1377 | return; |
1379 | } | | 1378 | } |
1380 | /* Hi := HASH(Hi || msg.static) */ | | 1379 | /* Hi := HASH(Hi || msg.static) */ |
1381 | wg_algo_hash(hash, wgmi->wgmi_static, sizeof(wgmi->wgmi_static)); | | 1380 | wg_algo_hash(hash, wgmi->wgmi_static, sizeof(wgmi->wgmi_static)); |
1382 | | | 1381 | |
1383 | wgp = wg_lookup_peer_by_pubkey(wg, peer_pubkey, &psref_peer); | | 1382 | wgp = wg_lookup_peer_by_pubkey(wg, peer_pubkey, &psref_peer); |
1384 | if (wgp == NULL) { | | 1383 | if (wgp == NULL) { |
1385 | WG_DLOG("peer not found\n"); | | 1384 | WG_DLOG("peer not found\n"); |
1386 | return; | | 1385 | return; |
1387 | } | | 1386 | } |
1388 | | | 1387 | |
1389 | wgs = wg_lock_unstable_session(wgp); | | 1388 | wgs = wg_lock_unstable_session(wgp); |
1390 | if (wgs->wgs_state == WGS_STATE_DESTROYING) { | | 1389 | if (wgs->wgs_state == WGS_STATE_DESTROYING) { |
1391 | /* | | 1390 | /* |
1392 | * We can assume that the peer doesn't have an | | 1391 | * We can assume that the peer doesn't have an |
1393 | * established session, so clear it now. If the timer | | 1392 | * established session, so clear it now. If the timer |
1394 | * fired, tough -- it won't have any effect unless we | | 1393 | * fired, tough -- it won't have any effect unless we |
1395 | * manage to transition back to WGS_STATE_DESTROYING. | | 1394 | * manage to transition back to WGS_STATE_DESTROYING. |
1396 | */ | | 1395 | */ |
1397 | WG_TRACE("Session destroying, but force to clear"); | | 1396 | WG_TRACE("Session destroying, but force to clear"); |
1398 | callout_stop(&wgp->wgp_session_dtor_timer); | | 1397 | callout_stop(&wgp->wgp_session_dtor_timer); |
1399 | wg_clear_states(wgs); | | 1398 | wg_clear_states(wgs); |
1400 | wgs->wgs_state = WGS_STATE_UNKNOWN; | | 1399 | wgs->wgs_state = WGS_STATE_UNKNOWN; |
1401 | } | | 1400 | } |
1402 | if (wgs->wgs_state == WGS_STATE_INIT_ACTIVE) { | | 1401 | if (wgs->wgs_state == WGS_STATE_INIT_ACTIVE) { |
1403 | WG_TRACE("Sesssion already initializing, ignoring the message"); | | 1402 | WG_TRACE("Sesssion already initializing, ignoring the message"); |
1404 | mutex_exit(wgs->wgs_lock); | | 1403 | mutex_exit(wgs->wgs_lock); |
1405 | goto out_wgp; | | 1404 | goto out_wgp; |
1406 | } | | 1405 | } |
1407 | if (wgs->wgs_state == WGS_STATE_INIT_PASSIVE) { | | 1406 | if (wgs->wgs_state == WGS_STATE_INIT_PASSIVE) { |
1408 | WG_TRACE("Sesssion already initializing, destroying old states"); | | 1407 | WG_TRACE("Sesssion already initializing, destroying old states"); |
1409 | wg_clear_states(wgs); | | 1408 | wg_clear_states(wgs); |
1410 | } | | 1409 | } |
1411 | wgs->wgs_state = WGS_STATE_INIT_PASSIVE; | | 1410 | wgs->wgs_state = WGS_STATE_INIT_PASSIVE; |
1412 | reset_state_on_error = true; | | | |
1413 | wg_get_session(wgs, &psref_session); | | 1411 | wg_get_session(wgs, &psref_session); |
1414 | mutex_exit(wgs->wgs_lock); | | 1412 | mutex_exit(wgs->wgs_lock); |
1415 | | | 1413 | |
1416 | wg_algo_mac_mac1(mac1, sizeof(mac1), | | 1414 | wg_algo_mac_mac1(mac1, sizeof(mac1), |
1417 | wg->wg_pubkey, sizeof(wg->wg_pubkey), | | 1415 | wg->wg_pubkey, sizeof(wg->wg_pubkey), |
1418 | (const uint8_t *)wgmi, offsetof(struct wg_msg_init, wgmi_mac1)); | | 1416 | (const uint8_t *)wgmi, offsetof(struct wg_msg_init, wgmi_mac1)); |
1419 | | | 1417 | |
1420 | /* | | 1418 | /* |
1421 | * [W] 5.3: Denial of Service Mitigation & Cookies | | 1419 | * [W] 5.3: Denial of Service Mitigation & Cookies |
1422 | * "the responder, ..., must always reject messages with an invalid | | 1420 | * "the responder, ..., must always reject messages with an invalid |
1423 | * msg.mac1" | | 1421 | * msg.mac1" |
1424 | */ | | 1422 | */ |
1425 | if (!consttime_memequal(mac1, wgmi->wgmi_mac1, sizeof(mac1))) { | | 1423 | if (!consttime_memequal(mac1, wgmi->wgmi_mac1, sizeof(mac1))) { |
1426 | WG_DLOG("mac1 is invalid\n"); | | 1424 | WG_DLOG("mac1 is invalid\n"); |
1427 | goto out; | | 1425 | goto out; |
1428 | } | | 1426 | } |
1429 | | | 1427 | |
1430 | if (__predict_false(wg_is_underload(wg, wgp, WG_MSG_TYPE_INIT))) { | | 1428 | if (__predict_false(wg_is_underload(wg, wgp, WG_MSG_TYPE_INIT))) { |
1431 | WG_TRACE("under load"); | | 1429 | WG_TRACE("under load"); |
1432 | /* | | 1430 | /* |
1433 | * [W] 5.3: Denial of Service Mitigation & Cookies | | 1431 | * [W] 5.3: Denial of Service Mitigation & Cookies |
1434 | * "the responder, ..., and when under load may reject messages | | 1432 | * "the responder, ..., and when under load may reject messages |
1435 | * with an invalid msg.mac2. If the responder receives a | | 1433 | * with an invalid msg.mac2. If the responder receives a |
1436 | * message with a valid msg.mac1 yet with an invalid msg.mac2, | | 1434 | * message with a valid msg.mac1 yet with an invalid msg.mac2, |
1437 | * and is under load, it may respond with a cookie reply | | 1435 | * and is under load, it may respond with a cookie reply |
1438 | * message" | | 1436 | * message" |
1439 | */ | | 1437 | */ |
1440 | uint8_t zero[WG_MAC_LEN] = {0}; | | 1438 | uint8_t zero[WG_MAC_LEN] = {0}; |
1441 | if (consttime_memequal(wgmi->wgmi_mac2, zero, sizeof(zero))) { | | 1439 | if (consttime_memequal(wgmi->wgmi_mac2, zero, sizeof(zero))) { |
1442 | WG_TRACE("sending a cookie message: no cookie included"); | | 1440 | WG_TRACE("sending a cookie message: no cookie included"); |
1443 | (void)wg_send_cookie_msg(wg, wgp, wgmi->wgmi_sender, | | 1441 | (void)wg_send_cookie_msg(wg, wgp, wgmi->wgmi_sender, |
1444 | wgmi->wgmi_mac1, src); | | 1442 | wgmi->wgmi_mac1, src); |
1445 | goto out; | | 1443 | goto out; |
1446 | } | | 1444 | } |
1447 | if (!wgp->wgp_last_sent_cookie_valid) { | | 1445 | if (!wgp->wgp_last_sent_cookie_valid) { |
1448 | WG_TRACE("sending a cookie message: no cookie sent ever"); | | 1446 | WG_TRACE("sending a cookie message: no cookie sent ever"); |
1449 | (void)wg_send_cookie_msg(wg, wgp, wgmi->wgmi_sender, | | 1447 | (void)wg_send_cookie_msg(wg, wgp, wgmi->wgmi_sender, |
1450 | wgmi->wgmi_mac1, src); | | 1448 | wgmi->wgmi_mac1, src); |
1451 | goto out; | | 1449 | goto out; |
1452 | } | | 1450 | } |
1453 | uint8_t mac2[WG_MAC_LEN]; | | 1451 | uint8_t mac2[WG_MAC_LEN]; |
1454 | wg_algo_mac(mac2, sizeof(mac2), wgp->wgp_last_sent_cookie, | | 1452 | wg_algo_mac(mac2, sizeof(mac2), wgp->wgp_last_sent_cookie, |
1455 | WG_COOKIE_LEN, (const uint8_t *)wgmi, | | 1453 | WG_COOKIE_LEN, (const uint8_t *)wgmi, |
1456 | offsetof(struct wg_msg_init, wgmi_mac2), NULL, 0); | | 1454 | offsetof(struct wg_msg_init, wgmi_mac2), NULL, 0); |
1457 | if (!consttime_memequal(mac2, wgmi->wgmi_mac2, sizeof(mac2))) { | | 1455 | if (!consttime_memequal(mac2, wgmi->wgmi_mac2, sizeof(mac2))) { |
1458 | WG_DLOG("mac2 is invalid\n"); | | 1456 | WG_DLOG("mac2 is invalid\n"); |
1459 | goto out; | | 1457 | goto out; |
1460 | } | | 1458 | } |
1461 | WG_TRACE("under load, but continue to sending"); | | 1459 | WG_TRACE("under load, but continue to sending"); |
1462 | } | | 1460 | } |
1463 | | | 1461 | |
1464 | /* [N] 2.2: "ss" */ | | 1462 | /* [N] 2.2: "ss" */ |
1465 | /* Ci, k := KDF2(Ci, DH(Si^priv, Sr^pub)) */ | | 1463 | /* Ci, k := KDF2(Ci, DH(Si^priv, Sr^pub)) */ |
1466 | wg_algo_dh_kdf(ckey, cipher_key, wg->wg_privkey, wgp->wgp_pubkey); | | 1464 | wg_algo_dh_kdf(ckey, cipher_key, wg->wg_privkey, wgp->wgp_pubkey); |
1467 | | | 1465 | |
1468 | /* msg.timestamp := AEAD(k, TIMESTAMP(), Hi) */ | | 1466 | /* msg.timestamp := AEAD(k, TIMESTAMP(), Hi) */ |
1469 | wg_timestamp_t timestamp; | | 1467 | wg_timestamp_t timestamp; |
1470 | error = wg_algo_aead_dec(timestamp, sizeof(timestamp), cipher_key, 0, | | 1468 | error = wg_algo_aead_dec(timestamp, sizeof(timestamp), cipher_key, 0, |
1471 | wgmi->wgmi_timestamp, sizeof(wgmi->wgmi_timestamp), | | 1469 | wgmi->wgmi_timestamp, sizeof(wgmi->wgmi_timestamp), |
1472 | hash, sizeof(hash)); | | 1470 | hash, sizeof(hash)); |
1473 | if (error != 0) { | | 1471 | if (error != 0) { |
1474 | WG_LOG_RATECHECK(&wgp->wgp_ppsratecheck, LOG_DEBUG, | | 1472 | WG_LOG_RATECHECK(&wgp->wgp_ppsratecheck, LOG_DEBUG, |
1475 | "wg_algo_aead_dec for timestamp failed\n"); | | 1473 | "wg_algo_aead_dec for timestamp failed\n"); |
1476 | goto out; | | 1474 | goto out; |
1477 | } | | 1475 | } |
1478 | /* Hi := HASH(Hi || msg.timestamp) */ | | 1476 | /* Hi := HASH(Hi || msg.timestamp) */ |
1479 | wg_algo_hash(hash, wgmi->wgmi_timestamp, sizeof(wgmi->wgmi_timestamp)); | | 1477 | wg_algo_hash(hash, wgmi->wgmi_timestamp, sizeof(wgmi->wgmi_timestamp)); |
1480 | | | 1478 | |
1481 | /* | | 1479 | /* |
1482 | * [W] 5.1 "The responder keeps track of the greatest timestamp | | 1480 | * [W] 5.1 "The responder keeps track of the greatest timestamp |
1483 | * received per peer and discards packets containing | | 1481 | * received per peer and discards packets containing |
1484 | * timestamps less than or equal to it." | | 1482 | * timestamps less than or equal to it." |
1485 | */ | | 1483 | */ |
1486 | ret = memcmp(timestamp, wgp->wgp_timestamp_latest_init, | | 1484 | ret = memcmp(timestamp, wgp->wgp_timestamp_latest_init, |
1487 | sizeof(timestamp)); | | 1485 | sizeof(timestamp)); |
1488 | if (ret <= 0) { | | 1486 | if (ret <= 0) { |
1489 | WG_LOG_RATECHECK(&wgp->wgp_ppsratecheck, LOG_DEBUG, | | 1487 | WG_LOG_RATECHECK(&wgp->wgp_ppsratecheck, LOG_DEBUG, |
1490 | "invalid init msg: timestamp is old\n"); | | 1488 | "invalid init msg: timestamp is old\n"); |
1491 | goto out; | | 1489 | goto out; |
1492 | } | | 1490 | } |
1493 | memcpy(wgp->wgp_timestamp_latest_init, timestamp, sizeof(timestamp)); | | 1491 | memcpy(wgp->wgp_timestamp_latest_init, timestamp, sizeof(timestamp)); |
1494 | | | 1492 | |
1495 | memcpy(wgs->wgs_handshake_hash, hash, sizeof(hash)); | | 1493 | memcpy(wgs->wgs_handshake_hash, hash, sizeof(hash)); |
1496 | memcpy(wgs->wgs_chaining_key, ckey, sizeof(ckey)); | | 1494 | memcpy(wgs->wgs_chaining_key, ckey, sizeof(ckey)); |
1497 | memcpy(wgs->wgs_ephemeral_key_peer, wgmi->wgmi_ephemeral, | | 1495 | memcpy(wgs->wgs_ephemeral_key_peer, wgmi->wgmi_ephemeral, |
1498 | sizeof(wgmi->wgmi_ephemeral)); | | 1496 | sizeof(wgmi->wgmi_ephemeral)); |
1499 | | | 1497 | |
1500 | wg_update_endpoint_if_necessary(wgp, src); | | 1498 | wg_update_endpoint_if_necessary(wgp, src); |
1501 | | | 1499 | |
1502 | (void)wg_send_handshake_msg_resp(wg, wgp, wgmi); | | 1500 | (void)wg_send_handshake_msg_resp(wg, wgp, wgmi); |
1503 | | | 1501 | |
1504 | wg_calculate_keys(wgs, false); | | 1502 | wg_calculate_keys(wgs, false); |
1505 | wg_clear_states(wgs); | | 1503 | wg_clear_states(wgs); |
1506 | | | 1504 | |
1507 | wg_put_session(wgs, &psref_session); | | 1505 | wg_put_session(wgs, &psref_session); |
1508 | wg_put_peer(wgp, &psref_peer); | | 1506 | wg_put_peer(wgp, &psref_peer); |
1509 | return; | | 1507 | return; |
1510 | | | 1508 | |
1511 | out: | | 1509 | out: |
1512 | if (reset_state_on_error) { | | 1510 | mutex_enter(wgs->wgs_lock); |
1513 | mutex_enter(wgs->wgs_lock); | | 1511 | KASSERT(wgs->wgs_state == WGS_STATE_INIT_PASSIVE); |
1514 | KASSERT(wgs->wgs_state == WGS_STATE_INIT_PASSIVE); | | 1512 | wgs->wgs_state = WGS_STATE_UNKNOWN; |
1515 | wgs->wgs_state = WGS_STATE_UNKNOWN; | | 1513 | mutex_exit(wgs->wgs_lock); |
1516 | mutex_exit(wgs->wgs_lock); | | | |
1517 | } | | | |
1518 | wg_put_session(wgs, &psref_session); | | 1514 | wg_put_session(wgs, &psref_session); |
1519 | out_wgp: | | 1515 | out_wgp: |
1520 | wg_put_peer(wgp, &psref_peer); | | 1516 | wg_put_peer(wgp, &psref_peer); |
1521 | } | | 1517 | } |
1522 | | | 1518 | |
1523 | static void | | 1519 | static void |
1524 | wg_schedule_handshake_timeout_timer(struct wg_peer *wgp) | | 1520 | wg_schedule_handshake_timeout_timer(struct wg_peer *wgp) |
1525 | { | | 1521 | { |
1526 | | | 1522 | |
1527 | mutex_enter(wgp->wgp_lock); | | 1523 | mutex_enter(wgp->wgp_lock); |
1528 | if (__predict_true(wgp->wgp_state != WGP_STATE_DESTROYING)) { | | 1524 | if (__predict_true(wgp->wgp_state != WGP_STATE_DESTROYING)) { |
1529 | callout_schedule(&wgp->wgp_handshake_timeout_timer, | | 1525 | callout_schedule(&wgp->wgp_handshake_timeout_timer, |
1530 | MIN(wg_rekey_timeout, INT_MAX/hz) * hz); | | 1526 | MIN(wg_rekey_timeout, INT_MAX/hz) * hz); |
1531 | } | | 1527 | } |
1532 | mutex_exit(wgp->wgp_lock); | | 1528 | mutex_exit(wgp->wgp_lock); |
1533 | } | | 1529 | } |
1534 | | | 1530 | |
1535 | static struct socket * | | 1531 | static struct socket * |
1536 | wg_get_so_by_af(struct wg_worker *wgw, const int af) | | 1532 | wg_get_so_by_af(struct wg_worker *wgw, const int af) |
1537 | { | | 1533 | { |
1538 | | | 1534 | |
1539 | return (af == AF_INET) ? wgw->wgw_so4 : wgw->wgw_so6; | | 1535 | return (af == AF_INET) ? wgw->wgw_so4 : wgw->wgw_so6; |
1540 | } | | 1536 | } |
1541 | | | 1537 | |
1542 | static struct socket * | | 1538 | static struct socket * |
1543 | wg_get_so_by_peer(struct wg_peer *wgp) | | 1539 | wg_get_so_by_peer(struct wg_peer *wgp) |
1544 | { | | 1540 | { |
1545 | | | 1541 | |
1546 | return wg_get_so_by_af(wgp->wgp_sc->wg_worker, wgp->wgp_sa.sa_family); | | 1542 | return wg_get_so_by_af(wgp->wgp_sc->wg_worker, wgp->wgp_sa.sa_family); |
1547 | } | | 1543 | } |
1548 | | | 1544 | |
1549 | static struct wg_sockaddr * | | 1545 | static struct wg_sockaddr * |
1550 | wg_get_endpoint_sa(struct wg_peer *wgp, struct psref *psref) | | 1546 | wg_get_endpoint_sa(struct wg_peer *wgp, struct psref *psref) |
1551 | { | | 1547 | { |
1552 | struct wg_sockaddr *wgsa; | | 1548 | struct wg_sockaddr *wgsa; |
1553 | int s; | | 1549 | int s; |
1554 | | | 1550 | |
1555 | s = pserialize_read_enter(); | | 1551 | s = pserialize_read_enter(); |
1556 | wgsa = wgp->wgp_endpoint; | | 1552 | wgsa = wgp->wgp_endpoint; |
1557 | psref_acquire(psref, &wgsa->wgsa_psref, wg_psref_class); | | 1553 | psref_acquire(psref, &wgsa->wgsa_psref, wg_psref_class); |
1558 | pserialize_read_exit(s); | | 1554 | pserialize_read_exit(s); |
1559 | | | 1555 | |
1560 | return wgsa; | | 1556 | return wgsa; |
1561 | } | | 1557 | } |
1562 | | | 1558 | |
1563 | static void | | 1559 | static void |
1564 | wg_put_sa(struct wg_peer *wgp, struct wg_sockaddr *wgsa, struct psref *psref) | | 1560 | wg_put_sa(struct wg_peer *wgp, struct wg_sockaddr *wgsa, struct psref *psref) |
1565 | { | | 1561 | { |
1566 | | | 1562 | |
1567 | psref_release(psref, &wgsa->wgsa_psref, wg_psref_class); | | 1563 | psref_release(psref, &wgsa->wgsa_psref, wg_psref_class); |
1568 | } | | 1564 | } |
1569 | | | 1565 | |
1570 | static int | | 1566 | static int |
1571 | wg_send_so(struct wg_peer *wgp, struct mbuf *m) | | 1567 | wg_send_so(struct wg_peer *wgp, struct mbuf *m) |
1572 | { | | 1568 | { |
1573 | int error; | | 1569 | int error; |
1574 | struct socket *so; | | 1570 | struct socket *so; |
1575 | struct psref psref; | | 1571 | struct psref psref; |
1576 | struct wg_sockaddr *wgsa; | | 1572 | struct wg_sockaddr *wgsa; |
1577 | | | 1573 | |
1578 | so = wg_get_so_by_peer(wgp); | | 1574 | so = wg_get_so_by_peer(wgp); |
1579 | wgsa = wg_get_endpoint_sa(wgp, &psref); | | 1575 | wgsa = wg_get_endpoint_sa(wgp, &psref); |
1580 | error = sosend(so, wgsatosa(wgsa), NULL, m, NULL, 0, curlwp); | | 1576 | error = sosend(so, wgsatosa(wgsa), NULL, m, NULL, 0, curlwp); |
1581 | wg_put_sa(wgp, wgsa, &psref); | | 1577 | wg_put_sa(wgp, wgsa, &psref); |
1582 | | | 1578 | |
1583 | return error; | | 1579 | return error; |
1584 | } | | 1580 | } |
1585 | | | 1581 | |
1586 | static int | | 1582 | static int |
1587 | wg_send_handshake_msg_init(struct wg_softc *wg, struct wg_peer *wgp) | | 1583 | wg_send_handshake_msg_init(struct wg_softc *wg, struct wg_peer *wgp) |
1588 | { | | 1584 | { |
1589 | int error; | | 1585 | int error; |
1590 | struct mbuf *m; | | 1586 | struct mbuf *m; |
1591 | struct wg_msg_init *wgmi; | | 1587 | struct wg_msg_init *wgmi; |
1592 | struct wg_session *wgs; | | 1588 | struct wg_session *wgs; |
1593 | struct psref psref; | | 1589 | struct psref psref; |
1594 | | | 1590 | |
1595 | wgs = wg_lock_unstable_session(wgp); | | 1591 | wgs = wg_lock_unstable_session(wgp); |
1596 | if (wgs->wgs_state == WGS_STATE_DESTROYING) { | | 1592 | if (wgs->wgs_state == WGS_STATE_DESTROYING) { |
1597 | WG_TRACE("Session destroying"); | | 1593 | WG_TRACE("Session destroying"); |
1598 | mutex_exit(wgs->wgs_lock); | | 1594 | mutex_exit(wgs->wgs_lock); |
1599 | /* XXX should wait? */ | | 1595 | /* XXX should wait? */ |
1600 | return EBUSY; | | 1596 | return EBUSY; |
1601 | } | | 1597 | } |
1602 | if (wgs->wgs_state == WGS_STATE_INIT_ACTIVE) { | | 1598 | if (wgs->wgs_state == WGS_STATE_INIT_ACTIVE) { |
1603 | WG_TRACE("Sesssion already initializing, skip starting a new one"); | | 1599 | WG_TRACE("Sesssion already initializing, skip starting a new one"); |
1604 | mutex_exit(wgs->wgs_lock); | | 1600 | mutex_exit(wgs->wgs_lock); |
1605 | return EBUSY; | | 1601 | return EBUSY; |
1606 | } | | 1602 | } |
1607 | if (wgs->wgs_state == WGS_STATE_INIT_PASSIVE) { | | 1603 | if (wgs->wgs_state == WGS_STATE_INIT_PASSIVE) { |
1608 | WG_TRACE("Sesssion already initializing, destroying old states"); | | 1604 | WG_TRACE("Sesssion already initializing, destroying old states"); |
1609 | wg_clear_states(wgs); | | 1605 | wg_clear_states(wgs); |
1610 | } | | 1606 | } |
1611 | wgs->wgs_state = WGS_STATE_INIT_ACTIVE; | | 1607 | wgs->wgs_state = WGS_STATE_INIT_ACTIVE; |
1612 | wg_get_session(wgs, &psref); | | 1608 | wg_get_session(wgs, &psref); |
1613 | mutex_exit(wgs->wgs_lock); | | 1609 | mutex_exit(wgs->wgs_lock); |
1614 | | | 1610 | |
1615 | m = m_gethdr(M_WAIT, MT_DATA); | | 1611 | m = m_gethdr(M_WAIT, MT_DATA); |
1616 | m->m_pkthdr.len = m->m_len = sizeof(*wgmi); | | 1612 | m->m_pkthdr.len = m->m_len = sizeof(*wgmi); |
1617 | wgmi = mtod(m, struct wg_msg_init *); | | 1613 | wgmi = mtod(m, struct wg_msg_init *); |
1618 | wg_fill_msg_init(wg, wgp, wgs, wgmi); | | 1614 | wg_fill_msg_init(wg, wgp, wgs, wgmi); |
1619 | | | 1615 | |
1620 | error = wg->wg_ops->send_hs_msg(wgp, m); | | 1616 | error = wg->wg_ops->send_hs_msg(wgp, m); |
1621 | if (error == 0) { | | 1617 | if (error == 0) { |
1622 | WG_TRACE("init msg sent"); | | 1618 | WG_TRACE("init msg sent"); |
1623 | | | 1619 | |
1624 | if (wgp->wgp_handshake_start_time == 0) | | 1620 | if (wgp->wgp_handshake_start_time == 0) |
1625 | wgp->wgp_handshake_start_time = time_uptime; | | 1621 | wgp->wgp_handshake_start_time = time_uptime; |
1626 | wg_schedule_handshake_timeout_timer(wgp); | | 1622 | wg_schedule_handshake_timeout_timer(wgp); |
1627 | } else { | | 1623 | } else { |
1628 | mutex_enter(wgs->wgs_lock); | | 1624 | mutex_enter(wgs->wgs_lock); |
1629 | KASSERT(wgs->wgs_state == WGS_STATE_INIT_ACTIVE); | | 1625 | KASSERT(wgs->wgs_state == WGS_STATE_INIT_ACTIVE); |
1630 | wgs->wgs_state = WGS_STATE_UNKNOWN; | | 1626 | wgs->wgs_state = WGS_STATE_UNKNOWN; |
1631 | mutex_exit(wgs->wgs_lock); | | 1627 | mutex_exit(wgs->wgs_lock); |
1632 | } | | 1628 | } |
1633 | wg_put_session(wgs, &psref); | | 1629 | wg_put_session(wgs, &psref); |
1634 | | | 1630 | |
1635 | return error; | | 1631 | return error; |
1636 | } | | 1632 | } |
1637 | | | 1633 | |
1638 | static void | | 1634 | static void |
1639 | wg_fill_msg_resp(struct wg_softc *wg, struct wg_peer *wgp, | | 1635 | wg_fill_msg_resp(struct wg_softc *wg, struct wg_peer *wgp, |
1640 | struct wg_msg_resp *wgmr, const struct wg_msg_init *wgmi) | | 1636 | struct wg_msg_resp *wgmr, const struct wg_msg_init *wgmi) |
1641 | { | | 1637 | { |
1642 | uint8_t ckey[WG_CHAINING_KEY_LEN]; /* [W] 5.4.3: Cr */ | | 1638 | uint8_t ckey[WG_CHAINING_KEY_LEN]; /* [W] 5.4.3: Cr */ |
1643 | uint8_t hash[WG_HASH_LEN]; /* [W] 5.4.3: Hr */ | | 1639 | uint8_t hash[WG_HASH_LEN]; /* [W] 5.4.3: Hr */ |
1644 | uint8_t cipher_key[WG_KDF_OUTPUT_LEN]; | | 1640 | uint8_t cipher_key[WG_KDF_OUTPUT_LEN]; |
1645 | uint8_t pubkey[WG_EPHEMERAL_KEY_LEN]; | | 1641 | uint8_t pubkey[WG_EPHEMERAL_KEY_LEN]; |
1646 | uint8_t privkey[WG_EPHEMERAL_KEY_LEN]; | | 1642 | uint8_t privkey[WG_EPHEMERAL_KEY_LEN]; |
1647 | struct wg_session *wgs; | | 1643 | struct wg_session *wgs; |
1648 | struct psref psref; | | 1644 | struct psref psref; |
1649 | | | 1645 | |
1650 | wgs = wg_get_unstable_session(wgp, &psref); | | 1646 | wgs = wg_get_unstable_session(wgp, &psref); |
1651 | memcpy(hash, wgs->wgs_handshake_hash, sizeof(hash)); | | 1647 | memcpy(hash, wgs->wgs_handshake_hash, sizeof(hash)); |
1652 | memcpy(ckey, wgs->wgs_chaining_key, sizeof(ckey)); | | 1648 | memcpy(ckey, wgs->wgs_chaining_key, sizeof(ckey)); |
1653 | | | 1649 | |
1654 | wgmr->wgmr_type = htole32(WG_MSG_TYPE_RESP); | | 1650 | wgmr->wgmr_type = htole32(WG_MSG_TYPE_RESP); |
1655 | wgmr->wgmr_sender = wg_assign_sender_index(wg, wgs); | | 1651 | wgmr->wgmr_sender = wg_assign_sender_index(wg, wgs); |
1656 | wgmr->wgmr_receiver = wgmi->wgmi_sender; | | 1652 | wgmr->wgmr_receiver = wgmi->wgmi_sender; |
1657 | | | 1653 | |
1658 | /* [W] 5.4.3 Second Message: Responder to Initiator */ | | 1654 | /* [W] 5.4.3 Second Message: Responder to Initiator */ |
1659 | | | 1655 | |
1660 | /* [N] 2.2: "e" */ | | 1656 | /* [N] 2.2: "e" */ |
1661 | /* Er^priv, Er^pub := DH-GENERATE() */ | | 1657 | /* Er^priv, Er^pub := DH-GENERATE() */ |
1662 | wg_algo_generate_keypair(pubkey, privkey); | | 1658 | wg_algo_generate_keypair(pubkey, privkey); |
1663 | /* Cr := KDF1(Cr, Er^pub) */ | | 1659 | /* Cr := KDF1(Cr, Er^pub) */ |
1664 | wg_algo_kdf(ckey, NULL, NULL, ckey, pubkey, sizeof(pubkey)); | | 1660 | wg_algo_kdf(ckey, NULL, NULL, ckey, pubkey, sizeof(pubkey)); |
1665 | /* msg.ephemeral := Er^pub */ | | 1661 | /* msg.ephemeral := Er^pub */ |
1666 | memcpy(wgmr->wgmr_ephemeral, pubkey, sizeof(wgmr->wgmr_ephemeral)); | | 1662 | memcpy(wgmr->wgmr_ephemeral, pubkey, sizeof(wgmr->wgmr_ephemeral)); |
1667 | /* Hr := HASH(Hr || msg.ephemeral) */ | | 1663 | /* Hr := HASH(Hr || msg.ephemeral) */ |
1668 | wg_algo_hash(hash, pubkey, sizeof(pubkey)); | | 1664 | wg_algo_hash(hash, pubkey, sizeof(pubkey)); |
1669 | | | 1665 | |
1670 | WG_DUMP_HASH("ckey", ckey); | | 1666 | WG_DUMP_HASH("ckey", ckey); |
1671 | WG_DUMP_HASH("hash", hash); | | 1667 | WG_DUMP_HASH("hash", hash); |
1672 | | | 1668 | |
1673 | /* [N] 2.2: "ee" */ | | 1669 | /* [N] 2.2: "ee" */ |
1674 | /* Cr := KDF1(Cr, DH(Er^priv, Ei^pub)) */ | | 1670 | /* Cr := KDF1(Cr, DH(Er^priv, Ei^pub)) */ |
1675 | wg_algo_dh_kdf(ckey, NULL, privkey, wgs->wgs_ephemeral_key_peer); | | 1671 | wg_algo_dh_kdf(ckey, NULL, privkey, wgs->wgs_ephemeral_key_peer); |
1676 | | | 1672 | |
1677 | /* [N] 2.2: "se" */ | | 1673 | /* [N] 2.2: "se" */ |
1678 | /* Cr := KDF1(Cr, DH(Er^priv, Si^pub)) */ | | 1674 | /* Cr := KDF1(Cr, DH(Er^priv, Si^pub)) */ |
1679 | wg_algo_dh_kdf(ckey, NULL, privkey, wgp->wgp_pubkey); | | 1675 | wg_algo_dh_kdf(ckey, NULL, privkey, wgp->wgp_pubkey); |
1680 | | | 1676 | |
1681 | /* [N] 9.2: "psk" */ | | 1677 | /* [N] 9.2: "psk" */ |
1682 | { | | 1678 | { |
1683 | uint8_t kdfout[WG_KDF_OUTPUT_LEN]; | | 1679 | uint8_t kdfout[WG_KDF_OUTPUT_LEN]; |
1684 | /* Cr, r, k := KDF3(Cr, Q) */ | | 1680 | /* Cr, r, k := KDF3(Cr, Q) */ |
1685 | wg_algo_kdf(ckey, kdfout, cipher_key, ckey, wgp->wgp_psk, | | 1681 | wg_algo_kdf(ckey, kdfout, cipher_key, ckey, wgp->wgp_psk, |
1686 | sizeof(wgp->wgp_psk)); | | 1682 | sizeof(wgp->wgp_psk)); |
1687 | /* Hr := HASH(Hr || r) */ | | 1683 | /* Hr := HASH(Hr || r) */ |
1688 | wg_algo_hash(hash, kdfout, sizeof(kdfout)); | | 1684 | wg_algo_hash(hash, kdfout, sizeof(kdfout)); |
1689 | } | | 1685 | } |
1690 | | | 1686 | |
1691 | /* msg.empty := AEAD(k, 0, e, Hr) */ | | 1687 | /* msg.empty := AEAD(k, 0, e, Hr) */ |
1692 | wg_algo_aead_enc(wgmr->wgmr_empty, sizeof(wgmr->wgmr_empty), | | 1688 | wg_algo_aead_enc(wgmr->wgmr_empty, sizeof(wgmr->wgmr_empty), |
1693 | cipher_key, 0, NULL, 0, hash, sizeof(hash)); | | 1689 | cipher_key, 0, NULL, 0, hash, sizeof(hash)); |
1694 | /* Hr := HASH(Hr || msg.empty) */ | | 1690 | /* Hr := HASH(Hr || msg.empty) */ |
1695 | wg_algo_hash(hash, wgmr->wgmr_empty, sizeof(wgmr->wgmr_empty)); | | 1691 | wg_algo_hash(hash, wgmr->wgmr_empty, sizeof(wgmr->wgmr_empty)); |
1696 | | | 1692 | |
1697 | WG_DUMP_HASH("wgmr_empty", wgmr->wgmr_empty); | | 1693 | WG_DUMP_HASH("wgmr_empty", wgmr->wgmr_empty); |
1698 | | | 1694 | |
1699 | /* [W] 5.4.4: Cookie MACs */ | | 1695 | /* [W] 5.4.4: Cookie MACs */ |
1700 | /* msg.mac1 := MAC(HASH(LABEL-MAC1 || Sm'^pub), msg_a) */ | | 1696 | /* msg.mac1 := MAC(HASH(LABEL-MAC1 || Sm'^pub), msg_a) */ |
1701 | wg_algo_mac_mac1(wgmr->wgmr_mac1, sizeof(wgmi->wgmi_mac1), | | 1697 | wg_algo_mac_mac1(wgmr->wgmr_mac1, sizeof(wgmi->wgmi_mac1), |
1702 | wgp->wgp_pubkey, sizeof(wgp->wgp_pubkey), | | 1698 | wgp->wgp_pubkey, sizeof(wgp->wgp_pubkey), |
1703 | (const uint8_t *)wgmr, offsetof(struct wg_msg_resp, wgmr_mac1)); | | 1699 | (const uint8_t *)wgmr, offsetof(struct wg_msg_resp, wgmr_mac1)); |
1704 | /* Need mac1 to decrypt a cookie from a cookie message */ | | 1700 | /* Need mac1 to decrypt a cookie from a cookie message */ |
1705 | memcpy(wgp->wgp_last_sent_mac1, wgmr->wgmr_mac1, | | 1701 | memcpy(wgp->wgp_last_sent_mac1, wgmr->wgmr_mac1, |
1706 | sizeof(wgp->wgp_last_sent_mac1)); | | 1702 | sizeof(wgp->wgp_last_sent_mac1)); |
1707 | wgp->wgp_last_sent_mac1_valid = true; | | 1703 | wgp->wgp_last_sent_mac1_valid = true; |
1708 | | | 1704 | |
1709 | if (wgp->wgp_latest_cookie_time == 0 || | | 1705 | if (wgp->wgp_latest_cookie_time == 0 || |
1710 | (time_uptime - wgp->wgp_latest_cookie_time) >= WG_COOKIE_TIME) | | 1706 | (time_uptime - wgp->wgp_latest_cookie_time) >= WG_COOKIE_TIME) |
1711 | /* msg.mac2 := 0^16 */ | | 1707 | /* msg.mac2 := 0^16 */ |
1712 | memset(wgmr->wgmr_mac2, 0, sizeof(wgmr->wgmr_mac2)); | | 1708 | memset(wgmr->wgmr_mac2, 0, sizeof(wgmr->wgmr_mac2)); |
1713 | else { | | 1709 | else { |
1714 | /* msg.mac2 := MAC(Lm, msg_b) */ | | 1710 | /* msg.mac2 := MAC(Lm, msg_b) */ |
1715 | wg_algo_mac(wgmr->wgmr_mac2, sizeof(wgmi->wgmi_mac2), | | 1711 | wg_algo_mac(wgmr->wgmr_mac2, sizeof(wgmi->wgmi_mac2), |
1716 | wgp->wgp_latest_cookie, WG_COOKIE_LEN, | | 1712 | wgp->wgp_latest_cookie, WG_COOKIE_LEN, |
1717 | (const uint8_t *)wgmr, | | 1713 | (const uint8_t *)wgmr, |
1718 | offsetof(struct wg_msg_resp, wgmr_mac2), | | 1714 | offsetof(struct wg_msg_resp, wgmr_mac2), |
1719 | NULL, 0); | | 1715 | NULL, 0); |
1720 | } | | 1716 | } |
1721 | | | 1717 | |
1722 | memcpy(wgs->wgs_handshake_hash, hash, sizeof(hash)); | | 1718 | memcpy(wgs->wgs_handshake_hash, hash, sizeof(hash)); |
1723 | memcpy(wgs->wgs_chaining_key, ckey, sizeof(ckey)); | | 1719 | memcpy(wgs->wgs_chaining_key, ckey, sizeof(ckey)); |
1724 | memcpy(wgs->wgs_ephemeral_key_pub, pubkey, sizeof(pubkey)); | | 1720 | memcpy(wgs->wgs_ephemeral_key_pub, pubkey, sizeof(pubkey)); |
1725 | memcpy(wgs->wgs_ephemeral_key_priv, privkey, sizeof(privkey)); | | 1721 | memcpy(wgs->wgs_ephemeral_key_priv, privkey, sizeof(privkey)); |
1726 | wgs->wgs_receiver_index = wgmi->wgmi_sender; | | 1722 | wgs->wgs_receiver_index = wgmi->wgmi_sender; |
1727 | WG_DLOG("sender=%x\n", wgs->wgs_sender_index); | | 1723 | WG_DLOG("sender=%x\n", wgs->wgs_sender_index); |
1728 | WG_DLOG("receiver=%x\n", wgs->wgs_receiver_index); | | 1724 | WG_DLOG("receiver=%x\n", wgs->wgs_receiver_index); |
1729 | wg_put_session(wgs, &psref); | | 1725 | wg_put_session(wgs, &psref); |
1730 | } | | 1726 | } |
1731 | | | 1727 | |
1732 | static void | | 1728 | static void |
1733 | wg_swap_sessions(struct wg_peer *wgp) | | 1729 | wg_swap_sessions(struct wg_peer *wgp) |
1734 | { | | 1730 | { |
1735 | | | 1731 | |
1736 | KASSERT(mutex_owned(wgp->wgp_lock)); | | 1732 | KASSERT(mutex_owned(wgp->wgp_lock)); |
1737 | | | 1733 | |
1738 | wgp->wgp_session_unstable = atomic_swap_ptr(&wgp->wgp_session_stable, | | 1734 | wgp->wgp_session_unstable = atomic_swap_ptr(&wgp->wgp_session_stable, |
1739 | wgp->wgp_session_unstable); | | 1735 | wgp->wgp_session_unstable); |
1740 | KASSERT(wgp->wgp_session_stable->wgs_state == WGS_STATE_ESTABLISHED); | | 1736 | KASSERT(wgp->wgp_session_stable->wgs_state == WGS_STATE_ESTABLISHED); |
1741 | } | | 1737 | } |
1742 | | | 1738 | |
1743 | static void | | 1739 | static void |
1744 | wg_handle_msg_resp(struct wg_softc *wg, const struct wg_msg_resp *wgmr, | | 1740 | wg_handle_msg_resp(struct wg_softc *wg, const struct wg_msg_resp *wgmr, |
1745 | const struct sockaddr *src) | | 1741 | const struct sockaddr *src) |
1746 | { | | 1742 | { |
1747 | uint8_t ckey[WG_CHAINING_KEY_LEN]; /* [W] 5.4.3: Cr */ | | 1743 | uint8_t ckey[WG_CHAINING_KEY_LEN]; /* [W] 5.4.3: Cr */ |
1748 | uint8_t hash[WG_HASH_LEN]; /* [W] 5.4.3: Kr */ | | 1744 | uint8_t hash[WG_HASH_LEN]; /* [W] 5.4.3: Kr */ |
1749 | uint8_t cipher_key[WG_KDF_OUTPUT_LEN]; | | 1745 | uint8_t cipher_key[WG_KDF_OUTPUT_LEN]; |
1750 | struct wg_peer *wgp; | | 1746 | struct wg_peer *wgp; |
1751 | struct wg_session *wgs; | | 1747 | struct wg_session *wgs; |
1752 | struct psref psref; | | 1748 | struct psref psref; |
1753 | int error; | | 1749 | int error; |
1754 | uint8_t mac1[WG_MAC_LEN]; | | 1750 | uint8_t mac1[WG_MAC_LEN]; |
1755 | struct wg_session *wgs_prev; | | 1751 | struct wg_session *wgs_prev; |
1756 | | | 1752 | |
1757 | WG_TRACE("resp msg received"); | | 1753 | WG_TRACE("resp msg received"); |
1758 | wgs = wg_lookup_session_by_index(wg, wgmr->wgmr_receiver, &psref); | | 1754 | wgs = wg_lookup_session_by_index(wg, wgmr->wgmr_receiver, &psref); |
1759 | if (wgs == NULL) { | | 1755 | if (wgs == NULL) { |
1760 | WG_TRACE("No session found"); | | 1756 | WG_TRACE("No session found"); |
1761 | return; | | 1757 | return; |
1762 | } | | 1758 | } |
1763 | | | 1759 | |
1764 | wgp = wgs->wgs_peer; | | 1760 | wgp = wgs->wgs_peer; |
1765 | | | 1761 | |
1766 | wg_algo_mac_mac1(mac1, sizeof(mac1), | | 1762 | wg_algo_mac_mac1(mac1, sizeof(mac1), |
1767 | wg->wg_pubkey, sizeof(wg->wg_pubkey), | | 1763 | wg->wg_pubkey, sizeof(wg->wg_pubkey), |
1768 | (const uint8_t *)wgmr, offsetof(struct wg_msg_resp, wgmr_mac1)); | | 1764 | (const uint8_t *)wgmr, offsetof(struct wg_msg_resp, wgmr_mac1)); |
1769 | | | 1765 | |
1770 | /* | | 1766 | /* |
1771 | * [W] 5.3: Denial of Service Mitigation & Cookies | | 1767 | * [W] 5.3: Denial of Service Mitigation & Cookies |
1772 | * "the responder, ..., must always reject messages with an invalid | | 1768 | * "the responder, ..., must always reject messages with an invalid |
1773 | * msg.mac1" | | 1769 | * msg.mac1" |
1774 | */ | | 1770 | */ |
1775 | if (!consttime_memequal(mac1, wgmr->wgmr_mac1, sizeof(mac1))) { | | 1771 | if (!consttime_memequal(mac1, wgmr->wgmr_mac1, sizeof(mac1))) { |
1776 | WG_DLOG("mac1 is invalid\n"); | | 1772 | WG_DLOG("mac1 is invalid\n"); |
1777 | goto out; | | 1773 | goto out; |
1778 | } | | 1774 | } |
1779 | | | 1775 | |
1780 | if (__predict_false(wg_is_underload(wg, wgp, WG_MSG_TYPE_RESP))) { | | 1776 | if (__predict_false(wg_is_underload(wg, wgp, WG_MSG_TYPE_RESP))) { |
1781 | WG_TRACE("under load"); | | 1777 | WG_TRACE("under load"); |
1782 | /* | | 1778 | /* |
1783 | * [W] 5.3: Denial of Service Mitigation & Cookies | | 1779 | * [W] 5.3: Denial of Service Mitigation & Cookies |
1784 | * "the responder, ..., and when under load may reject messages | | 1780 | * "the responder, ..., and when under load may reject messages |
1785 | * with an invalid msg.mac2. If the responder receives a | | 1781 | * with an invalid msg.mac2. If the responder receives a |
1786 | * message with a valid msg.mac1 yet with an invalid msg.mac2, | | 1782 | * message with a valid msg.mac1 yet with an invalid msg.mac2, |
1787 | * and is under load, it may respond with a cookie reply | | 1783 | * and is under load, it may respond with a cookie reply |
1788 | * message" | | 1784 | * message" |
1789 | */ | | 1785 | */ |
1790 | uint8_t zero[WG_MAC_LEN] = {0}; | | 1786 | uint8_t zero[WG_MAC_LEN] = {0}; |
1791 | if (consttime_memequal(wgmr->wgmr_mac2, zero, sizeof(zero))) { | | 1787 | if (consttime_memequal(wgmr->wgmr_mac2, zero, sizeof(zero))) { |
1792 | WG_TRACE("sending a cookie message: no cookie included"); | | 1788 | WG_TRACE("sending a cookie message: no cookie included"); |
1793 | (void)wg_send_cookie_msg(wg, wgp, wgmr->wgmr_sender, | | 1789 | (void)wg_send_cookie_msg(wg, wgp, wgmr->wgmr_sender, |
1794 | wgmr->wgmr_mac1, src); | | 1790 | wgmr->wgmr_mac1, src); |
1795 | goto out; | | 1791 | goto out; |
1796 | } | | 1792 | } |
1797 | if (!wgp->wgp_last_sent_cookie_valid) { | | 1793 | if (!wgp->wgp_last_sent_cookie_valid) { |
1798 | WG_TRACE("sending a cookie message: no cookie sent ever"); | | 1794 | WG_TRACE("sending a cookie message: no cookie sent ever"); |
1799 | (void)wg_send_cookie_msg(wg, wgp, wgmr->wgmr_sender, | | 1795 | (void)wg_send_cookie_msg(wg, wgp, wgmr->wgmr_sender, |
1800 | wgmr->wgmr_mac1, src); | | 1796 | wgmr->wgmr_mac1, src); |
1801 | goto out; | | 1797 | goto out; |
1802 | } | | 1798 | } |
1803 | uint8_t mac2[WG_MAC_LEN]; | | 1799 | uint8_t mac2[WG_MAC_LEN]; |
1804 | wg_algo_mac(mac2, sizeof(mac2), wgp->wgp_last_sent_cookie, | | 1800 | wg_algo_mac(mac2, sizeof(mac2), wgp->wgp_last_sent_cookie, |
1805 | WG_COOKIE_LEN, (const uint8_t *)wgmr, | | 1801 | WG_COOKIE_LEN, (const uint8_t *)wgmr, |
1806 | offsetof(struct wg_msg_resp, wgmr_mac2), NULL, 0); | | 1802 | offsetof(struct wg_msg_resp, wgmr_mac2), NULL, 0); |
1807 | if (!consttime_memequal(mac2, wgmr->wgmr_mac2, sizeof(mac2))) { | | 1803 | if (!consttime_memequal(mac2, wgmr->wgmr_mac2, sizeof(mac2))) { |
1808 | WG_DLOG("mac2 is invalid\n"); | | 1804 | WG_DLOG("mac2 is invalid\n"); |
1809 | goto out; | | 1805 | goto out; |
1810 | } | | 1806 | } |
1811 | WG_TRACE("under load, but continue to sending"); | | 1807 | WG_TRACE("under load, but continue to sending"); |
1812 | } | | 1808 | } |
1813 | | | 1809 | |
1814 | memcpy(hash, wgs->wgs_handshake_hash, sizeof(hash)); | | 1810 | memcpy(hash, wgs->wgs_handshake_hash, sizeof(hash)); |
1815 | memcpy(ckey, wgs->wgs_chaining_key, sizeof(ckey)); | | 1811 | memcpy(ckey, wgs->wgs_chaining_key, sizeof(ckey)); |
1816 | | | 1812 | |
1817 | /* | | 1813 | /* |
1818 | * [W] 5.4.3 Second Message: Responder to Initiator | | 1814 | * [W] 5.4.3 Second Message: Responder to Initiator |
1819 | * "When the initiator receives this message, it does the same | | 1815 | * "When the initiator receives this message, it does the same |
1820 | * operations so that its final state variables are identical, | | 1816 | * operations so that its final state variables are identical, |
1821 | * replacing the operands of the DH function to produce equivalent | | 1817 | * replacing the operands of the DH function to produce equivalent |
1822 | * values." | | 1818 | * values." |
1823 | * Note that the following comments of operations are just copies of | | 1819 | * Note that the following comments of operations are just copies of |
1824 | * the initiator's ones. | | 1820 | * the initiator's ones. |
1825 | */ | | 1821 | */ |
1826 | | | 1822 | |
1827 | /* [N] 2.2: "e" */ | | 1823 | /* [N] 2.2: "e" */ |
1828 | /* Cr := KDF1(Cr, Er^pub) */ | | 1824 | /* Cr := KDF1(Cr, Er^pub) */ |
1829 | wg_algo_kdf(ckey, NULL, NULL, ckey, wgmr->wgmr_ephemeral, | | 1825 | wg_algo_kdf(ckey, NULL, NULL, ckey, wgmr->wgmr_ephemeral, |
1830 | sizeof(wgmr->wgmr_ephemeral)); | | 1826 | sizeof(wgmr->wgmr_ephemeral)); |
1831 | /* Hr := HASH(Hr || msg.ephemeral) */ | | 1827 | /* Hr := HASH(Hr || msg.ephemeral) */ |
1832 | wg_algo_hash(hash, wgmr->wgmr_ephemeral, sizeof(wgmr->wgmr_ephemeral)); | | 1828 | wg_algo_hash(hash, wgmr->wgmr_ephemeral, sizeof(wgmr->wgmr_ephemeral)); |
1833 | | | 1829 | |
1834 | WG_DUMP_HASH("ckey", ckey); | | 1830 | WG_DUMP_HASH("ckey", ckey); |
1835 | WG_DUMP_HASH("hash", hash); | | 1831 | WG_DUMP_HASH("hash", hash); |
1836 | | | 1832 | |
1837 | /* [N] 2.2: "ee" */ | | 1833 | /* [N] 2.2: "ee" */ |
1838 | /* Cr := KDF1(Cr, DH(Er^priv, Ei^pub)) */ | | 1834 | /* Cr := KDF1(Cr, DH(Er^priv, Ei^pub)) */ |
1839 | wg_algo_dh_kdf(ckey, NULL, wgs->wgs_ephemeral_key_priv, | | 1835 | wg_algo_dh_kdf(ckey, NULL, wgs->wgs_ephemeral_key_priv, |
1840 | wgmr->wgmr_ephemeral); | | 1836 | wgmr->wgmr_ephemeral); |
1841 | | | 1837 | |
1842 | /* [N] 2.2: "se" */ | | 1838 | /* [N] 2.2: "se" */ |
1843 | /* Cr := KDF1(Cr, DH(Er^priv, Si^pub)) */ | | 1839 | /* Cr := KDF1(Cr, DH(Er^priv, Si^pub)) */ |
1844 | wg_algo_dh_kdf(ckey, NULL, wg->wg_privkey, wgmr->wgmr_ephemeral); | | 1840 | wg_algo_dh_kdf(ckey, NULL, wg->wg_privkey, wgmr->wgmr_ephemeral); |
1845 | | | 1841 | |
1846 | /* [N] 9.2: "psk" */ | | 1842 | /* [N] 9.2: "psk" */ |
1847 | { | | 1843 | { |
1848 | uint8_t kdfout[WG_KDF_OUTPUT_LEN]; | | 1844 | uint8_t kdfout[WG_KDF_OUTPUT_LEN]; |
1849 | /* Cr, r, k := KDF3(Cr, Q) */ | | 1845 | /* Cr, r, k := KDF3(Cr, Q) */ |
1850 | wg_algo_kdf(ckey, kdfout, cipher_key, ckey, wgp->wgp_psk, | | 1846 | wg_algo_kdf(ckey, kdfout, cipher_key, ckey, wgp->wgp_psk, |
1851 | sizeof(wgp->wgp_psk)); | | 1847 | sizeof(wgp->wgp_psk)); |
1852 | /* Hr := HASH(Hr || r) */ | | 1848 | /* Hr := HASH(Hr || r) */ |
1853 | wg_algo_hash(hash, kdfout, sizeof(kdfout)); | | 1849 | wg_algo_hash(hash, kdfout, sizeof(kdfout)); |
1854 | } | | 1850 | } |
1855 | | | 1851 | |
1856 | { | | 1852 | { |
1857 | uint8_t out[sizeof(wgmr->wgmr_empty)]; /* for safety */ | | 1853 | uint8_t out[sizeof(wgmr->wgmr_empty)]; /* for safety */ |
1858 | /* msg.empty := AEAD(k, 0, e, Hr) */ | | 1854 | /* msg.empty := AEAD(k, 0, e, Hr) */ |
1859 | error = wg_algo_aead_dec(out, 0, cipher_key, 0, wgmr->wgmr_empty, | | 1855 | error = wg_algo_aead_dec(out, 0, cipher_key, 0, wgmr->wgmr_empty, |
1860 | sizeof(wgmr->wgmr_empty), hash, sizeof(hash)); | | 1856 | sizeof(wgmr->wgmr_empty), hash, sizeof(hash)); |
1861 | WG_DUMP_HASH("wgmr_empty", wgmr->wgmr_empty); | | 1857 | WG_DUMP_HASH("wgmr_empty", wgmr->wgmr_empty); |
1862 | if (error != 0) { | | 1858 | if (error != 0) { |
1863 | WG_LOG_RATECHECK(&wgp->wgp_ppsratecheck, LOG_DEBUG, | | 1859 | WG_LOG_RATECHECK(&wgp->wgp_ppsratecheck, LOG_DEBUG, |
1864 | "wg_algo_aead_dec for empty message failed\n"); | | 1860 | "wg_algo_aead_dec for empty message failed\n"); |
1865 | goto out; | | 1861 | goto out; |
1866 | } | | 1862 | } |
1867 | /* Hr := HASH(Hr || msg.empty) */ | | 1863 | /* Hr := HASH(Hr || msg.empty) */ |
1868 | wg_algo_hash(hash, wgmr->wgmr_empty, sizeof(wgmr->wgmr_empty)); | | 1864 | wg_algo_hash(hash, wgmr->wgmr_empty, sizeof(wgmr->wgmr_empty)); |
1869 | } | | 1865 | } |
1870 | | | 1866 | |
1871 | memcpy(wgs->wgs_handshake_hash, hash, sizeof(wgs->wgs_handshake_hash)); | | 1867 | memcpy(wgs->wgs_handshake_hash, hash, sizeof(wgs->wgs_handshake_hash)); |
1872 | memcpy(wgs->wgs_chaining_key, ckey, sizeof(wgs->wgs_chaining_key)); | | 1868 | memcpy(wgs->wgs_chaining_key, ckey, sizeof(wgs->wgs_chaining_key)); |
1873 | wgs->wgs_receiver_index = wgmr->wgmr_sender; | | 1869 | wgs->wgs_receiver_index = wgmr->wgmr_sender; |
1874 | WG_DLOG("receiver=%x\n", wgs->wgs_receiver_index); | | 1870 | WG_DLOG("receiver=%x\n", wgs->wgs_receiver_index); |
1875 | | | 1871 | |
1876 | wgs->wgs_state = WGS_STATE_ESTABLISHED; | | 1872 | wgs->wgs_state = WGS_STATE_ESTABLISHED; |
1877 | wgs->wgs_time_established = time_uptime; | | 1873 | wgs->wgs_time_established = time_uptime; |
1878 | wgs->wgs_time_last_data_sent = 0; | | 1874 | wgs->wgs_time_last_data_sent = 0; |
1879 | wgs->wgs_is_initiator = true; | | 1875 | wgs->wgs_is_initiator = true; |
1880 | wg_calculate_keys(wgs, true); | | 1876 | wg_calculate_keys(wgs, true); |
1881 | wg_clear_states(wgs); | | 1877 | wg_clear_states(wgs); |
1882 | WG_TRACE("WGS_STATE_ESTABLISHED"); | | 1878 | WG_TRACE("WGS_STATE_ESTABLISHED"); |
1883 | | | 1879 | |
1884 | callout_halt(&wgp->wgp_handshake_timeout_timer, NULL); | | 1880 | callout_halt(&wgp->wgp_handshake_timeout_timer, NULL); |
1885 | | | 1881 | |
1886 | mutex_enter(wgp->wgp_lock); | | 1882 | mutex_enter(wgp->wgp_lock); |
1887 | wg_swap_sessions(wgp); | | 1883 | wg_swap_sessions(wgp); |
1888 | wgs_prev = wgp->wgp_session_unstable; | | 1884 | wgs_prev = wgp->wgp_session_unstable; |
1889 | mutex_enter(wgs_prev->wgs_lock); | | 1885 | mutex_enter(wgs_prev->wgs_lock); |
1890 | | | 1886 | |
1891 | getnanotime(&wgp->wgp_last_handshake_time); | | 1887 | getnanotime(&wgp->wgp_last_handshake_time); |
1892 | wgp->wgp_handshake_start_time = 0; | | 1888 | wgp->wgp_handshake_start_time = 0; |
1893 | wgp->wgp_last_sent_mac1_valid = false; | | 1889 | wgp->wgp_last_sent_mac1_valid = false; |
1894 | wgp->wgp_last_sent_cookie_valid = false; | | 1890 | wgp->wgp_last_sent_cookie_valid = false; |
1895 | mutex_exit(wgp->wgp_lock); | | 1891 | mutex_exit(wgp->wgp_lock); |
1896 | | | 1892 | |
1897 | wg_schedule_rekey_timer(wgp); | | 1893 | wg_schedule_rekey_timer(wgp); |
1898 | | | 1894 | |
1899 | wg_update_endpoint_if_necessary(wgp, src); | | 1895 | wg_update_endpoint_if_necessary(wgp, src); |
1900 | | | 1896 | |
1901 | /* | | 1897 | /* |
1902 | * Send something immediately (same as the official implementation) | | 1898 | * Send something immediately (same as the official implementation) |
1903 | * XXX if there are pending data packets, we don't need to send | | 1899 | * XXX if there are pending data packets, we don't need to send |
1904 | * a keepalive message. | | 1900 | * a keepalive message. |
1905 | */ | | 1901 | */ |
1906 | wg_send_keepalive_msg(wgp, wgs); | | 1902 | wg_send_keepalive_msg(wgp, wgs); |
1907 | | | 1903 | |
1908 | /* Anyway run a softint to flush pending packets */ | | 1904 | /* Anyway run a softint to flush pending packets */ |
1909 | kpreempt_disable(); | | 1905 | kpreempt_disable(); |
1910 | softint_schedule(wgp->wgp_si); | | 1906 | softint_schedule(wgp->wgp_si); |
1911 | kpreempt_enable(); | | 1907 | kpreempt_enable(); |
1912 | WG_TRACE("softint scheduled"); | | 1908 | WG_TRACE("softint scheduled"); |
1913 | | | 1909 | |
1914 | if (wgs_prev->wgs_state == WGS_STATE_ESTABLISHED) { | | 1910 | if (wgs_prev->wgs_state == WGS_STATE_ESTABLISHED) { |
1915 | wgs_prev->wgs_state = WGS_STATE_DESTROYING; | | 1911 | wgs_prev->wgs_state = WGS_STATE_DESTROYING; |
1916 | /* We can't destroy the old session immediately */ | | 1912 | /* We can't destroy the old session immediately */ |
1917 | wg_schedule_session_dtor_timer(wgp); | | 1913 | wg_schedule_session_dtor_timer(wgp); |
1918 | } | | 1914 | } |
1919 | mutex_exit(wgs_prev->wgs_lock); | | 1915 | mutex_exit(wgs_prev->wgs_lock); |
1920 | | | 1916 | |
1921 | out: | | 1917 | out: |
1922 | wg_put_session(wgs, &psref); | | 1918 | wg_put_session(wgs, &psref); |
1923 | } | | 1919 | } |
1924 | | | 1920 | |
1925 | static int | | 1921 | static int |
1926 | wg_send_handshake_msg_resp(struct wg_softc *wg, struct wg_peer *wgp, | | 1922 | wg_send_handshake_msg_resp(struct wg_softc *wg, struct wg_peer *wgp, |
1927 | const struct wg_msg_init *wgmi) | | 1923 | const struct wg_msg_init *wgmi) |
1928 | { | | 1924 | { |
1929 | int error; | | 1925 | int error; |
1930 | struct mbuf *m; | | 1926 | struct mbuf *m; |
1931 | struct wg_msg_resp *wgmr; | | 1927 | struct wg_msg_resp *wgmr; |
1932 | | | 1928 | |
1933 | m = m_gethdr(M_WAIT, MT_DATA); | | 1929 | m = m_gethdr(M_WAIT, MT_DATA); |
1934 | m->m_pkthdr.len = m->m_len = sizeof(*wgmr); | | 1930 | m->m_pkthdr.len = m->m_len = sizeof(*wgmr); |
1935 | wgmr = mtod(m, struct wg_msg_resp *); | | 1931 | wgmr = mtod(m, struct wg_msg_resp *); |
1936 | wg_fill_msg_resp(wg, wgp, wgmr, wgmi); | | 1932 | wg_fill_msg_resp(wg, wgp, wgmr, wgmi); |
1937 | | | 1933 | |
1938 | error = wg->wg_ops->send_hs_msg(wgp, m); | | 1934 | error = wg->wg_ops->send_hs_msg(wgp, m); |
1939 | if (error == 0) | | 1935 | if (error == 0) |
1940 | WG_TRACE("resp msg sent"); | | 1936 | WG_TRACE("resp msg sent"); |
1941 | return error; | | 1937 | return error; |
1942 | } | | 1938 | } |
1943 | | | 1939 | |
1944 | static struct wg_peer * | | 1940 | static struct wg_peer * |
1945 | wg_lookup_peer_by_pubkey(struct wg_softc *wg, | | 1941 | wg_lookup_peer_by_pubkey(struct wg_softc *wg, |
1946 | const uint8_t pubkey[WG_STATIC_KEY_LEN], struct psref *psref) | | 1942 | const uint8_t pubkey[WG_STATIC_KEY_LEN], struct psref *psref) |
1947 | { | | 1943 | { |
1948 | struct wg_peer *wgp; | | 1944 | struct wg_peer *wgp; |
1949 | | | 1945 | |
1950 | int s = pserialize_read_enter(); | | 1946 | int s = pserialize_read_enter(); |
1951 | wgp = thmap_get(wg->wg_peers_bypubkey, pubkey, WG_STATIC_KEY_LEN); | | 1947 | wgp = thmap_get(wg->wg_peers_bypubkey, pubkey, WG_STATIC_KEY_LEN); |
1952 | if (wgp != NULL) | | 1948 | if (wgp != NULL) |
1953 | wg_get_peer(wgp, psref); | | 1949 | wg_get_peer(wgp, psref); |
1954 | pserialize_read_exit(s); | | 1950 | pserialize_read_exit(s); |
1955 | | | 1951 | |
1956 | return wgp; | | 1952 | return wgp; |
1957 | } | | 1953 | } |
1958 | | | 1954 | |
1959 | static void | | 1955 | static void |
1960 | wg_fill_msg_cookie(struct wg_softc *wg, struct wg_peer *wgp, | | 1956 | wg_fill_msg_cookie(struct wg_softc *wg, struct wg_peer *wgp, |
1961 | struct wg_msg_cookie *wgmc, const uint32_t sender, | | 1957 | struct wg_msg_cookie *wgmc, const uint32_t sender, |
1962 | const uint8_t mac1[WG_MAC_LEN], const struct sockaddr *src) | | 1958 | const uint8_t mac1[WG_MAC_LEN], const struct sockaddr *src) |
1963 | { | | 1959 | { |
1964 | uint8_t cookie[WG_COOKIE_LEN]; | | 1960 | uint8_t cookie[WG_COOKIE_LEN]; |
1965 | uint8_t key[WG_HASH_LEN]; | | 1961 | uint8_t key[WG_HASH_LEN]; |
1966 | uint8_t addr[sizeof(struct in6_addr)]; | | 1962 | uint8_t addr[sizeof(struct in6_addr)]; |
1967 | size_t addrlen; | | 1963 | size_t addrlen; |
1968 | uint16_t uh_sport; /* be */ | | 1964 | uint16_t uh_sport; /* be */ |
1969 | | | 1965 | |
1970 | wgmc->wgmc_type = htole32(WG_MSG_TYPE_COOKIE); | | 1966 | wgmc->wgmc_type = htole32(WG_MSG_TYPE_COOKIE); |
1971 | wgmc->wgmc_receiver = sender; | | 1967 | wgmc->wgmc_receiver = sender; |
1972 | cprng_fast(wgmc->wgmc_salt, sizeof(wgmc->wgmc_salt)); | | 1968 | cprng_fast(wgmc->wgmc_salt, sizeof(wgmc->wgmc_salt)); |
1973 | | | 1969 | |
1974 | /* | | 1970 | /* |
1975 | * [W] 5.4.7: Under Load: Cookie Reply Message | | 1971 | * [W] 5.4.7: Under Load: Cookie Reply Message |
1976 | * "The secret variable, Rm, changes every two minutes to a | | 1972 | * "The secret variable, Rm, changes every two minutes to a |
1977 | * random value" | | 1973 | * random value" |
1978 | */ | | 1974 | */ |
1979 | if ((time_uptime - wgp->wgp_last_genrandval_time) > WG_RANDVAL_TIME) { | | 1975 | if ((time_uptime - wgp->wgp_last_genrandval_time) > WG_RANDVAL_TIME) { |
1980 | wgp->wgp_randval = cprng_strong32(); | | 1976 | wgp->wgp_randval = cprng_strong32(); |
1981 | wgp->wgp_last_genrandval_time = time_uptime; | | 1977 | wgp->wgp_last_genrandval_time = time_uptime; |
1982 | } | | 1978 | } |
1983 | | | 1979 | |
1984 | switch (src->sa_family) { | | 1980 | switch (src->sa_family) { |
1985 | case AF_INET: { | | 1981 | case AF_INET: { |
1986 | const struct sockaddr_in *sin = satocsin(src); | | 1982 | const struct sockaddr_in *sin = satocsin(src); |
1987 | addrlen = sizeof(sin->sin_addr); | | 1983 | addrlen = sizeof(sin->sin_addr); |
1988 | memcpy(addr, &sin->sin_addr, addrlen); | | 1984 | memcpy(addr, &sin->sin_addr, addrlen); |
1989 | uh_sport = sin->sin_port; | | 1985 | uh_sport = sin->sin_port; |
1990 | break; | | 1986 | break; |
1991 | } | | 1987 | } |
1992 | #ifdef INET6 | | 1988 | #ifdef INET6 |
1993 | case AF_INET6: { | | 1989 | case AF_INET6: { |
1994 | const struct sockaddr_in6 *sin6 = satocsin6(src); | | 1990 | const struct sockaddr_in6 *sin6 = satocsin6(src); |
1995 | addrlen = sizeof(sin6->sin6_addr); | | 1991 | addrlen = sizeof(sin6->sin6_addr); |
1996 | memcpy(addr, &sin6->sin6_addr, addrlen); | | 1992 | memcpy(addr, &sin6->sin6_addr, addrlen); |
1997 | uh_sport = sin6->sin6_port; | | 1993 | uh_sport = sin6->sin6_port; |
1998 | break; | | 1994 | break; |
1999 | } | | 1995 | } |
2000 | #endif | | 1996 | #endif |
2001 | default: | | 1997 | default: |
2002 | panic("invalid af=%d", wgp->wgp_sa.sa_family); | | 1998 | panic("invalid af=%d", wgp->wgp_sa.sa_family); |
2003 | } | | 1999 | } |
2004 | | | 2000 | |
2005 | wg_algo_mac(cookie, sizeof(cookie), | | 2001 | wg_algo_mac(cookie, sizeof(cookie), |
2006 | (const uint8_t *)&wgp->wgp_randval, sizeof(wgp->wgp_randval), | | 2002 | (const uint8_t *)&wgp->wgp_randval, sizeof(wgp->wgp_randval), |
2007 | addr, addrlen, (const uint8_t *)&uh_sport, sizeof(uh_sport)); | | 2003 | addr, addrlen, (const uint8_t *)&uh_sport, sizeof(uh_sport)); |
2008 | wg_algo_mac_cookie(key, sizeof(key), wg->wg_pubkey, | | 2004 | wg_algo_mac_cookie(key, sizeof(key), wg->wg_pubkey, |
2009 | sizeof(wg->wg_pubkey)); | | 2005 | sizeof(wg->wg_pubkey)); |
2010 | wg_algo_xaead_enc(wgmc->wgmc_cookie, sizeof(wgmc->wgmc_cookie), key, | | 2006 | wg_algo_xaead_enc(wgmc->wgmc_cookie, sizeof(wgmc->wgmc_cookie), key, |
2011 | cookie, sizeof(cookie), mac1, WG_MAC_LEN, wgmc->wgmc_salt); | | 2007 | cookie, sizeof(cookie), mac1, WG_MAC_LEN, wgmc->wgmc_salt); |
2012 | | | 2008 | |
2013 | /* Need to store to calculate mac2 */ | | 2009 | /* Need to store to calculate mac2 */ |
2014 | memcpy(wgp->wgp_last_sent_cookie, cookie, sizeof(cookie)); | | 2010 | memcpy(wgp->wgp_last_sent_cookie, cookie, sizeof(cookie)); |
2015 | wgp->wgp_last_sent_cookie_valid = true; | | 2011 | wgp->wgp_last_sent_cookie_valid = true; |
2016 | } | | 2012 | } |
2017 | | | 2013 | |
2018 | static int | | 2014 | static int |
2019 | wg_send_cookie_msg(struct wg_softc *wg, struct wg_peer *wgp, | | 2015 | wg_send_cookie_msg(struct wg_softc *wg, struct wg_peer *wgp, |
2020 | const uint32_t sender, const uint8_t mac1[WG_MAC_LEN], | | 2016 | const uint32_t sender, const uint8_t mac1[WG_MAC_LEN], |
2021 | const struct sockaddr *src) | | 2017 | const struct sockaddr *src) |
2022 | { | | 2018 | { |
2023 | int error; | | 2019 | int error; |
2024 | struct mbuf *m; | | 2020 | struct mbuf *m; |
2025 | struct wg_msg_cookie *wgmc; | | 2021 | struct wg_msg_cookie *wgmc; |
2026 | | | 2022 | |
2027 | m = m_gethdr(M_WAIT, MT_DATA); | | 2023 | m = m_gethdr(M_WAIT, MT_DATA); |
2028 | m->m_pkthdr.len = m->m_len = sizeof(*wgmc); | | 2024 | m->m_pkthdr.len = m->m_len = sizeof(*wgmc); |
2029 | wgmc = mtod(m, struct wg_msg_cookie *); | | 2025 | wgmc = mtod(m, struct wg_msg_cookie *); |
2030 | wg_fill_msg_cookie(wg, wgp, wgmc, sender, mac1, src); | | 2026 | wg_fill_msg_cookie(wg, wgp, wgmc, sender, mac1, src); |
2031 | | | 2027 | |
2032 | error = wg->wg_ops->send_hs_msg(wgp, m); | | 2028 | error = wg->wg_ops->send_hs_msg(wgp, m); |
2033 | if (error == 0) | | 2029 | if (error == 0) |
2034 | WG_TRACE("cookie msg sent"); | | 2030 | WG_TRACE("cookie msg sent"); |
2035 | return error; | | 2031 | return error; |
2036 | } | | 2032 | } |
2037 | | | 2033 | |
2038 | static bool | | 2034 | static bool |
2039 | wg_is_underload(struct wg_softc *wg, struct wg_peer *wgp, int msgtype) | | 2035 | wg_is_underload(struct wg_softc *wg, struct wg_peer *wgp, int msgtype) |
2040 | { | | 2036 | { |
2041 | #ifdef WG_DEBUG_PARAMS | | 2037 | #ifdef WG_DEBUG_PARAMS |
2042 | if (wg_force_underload) | | 2038 | if (wg_force_underload) |
2043 | return true; | | 2039 | return true; |
2044 | #endif | | 2040 | #endif |
2045 | | | 2041 | |
2046 | /* | | 2042 | /* |
2047 | * XXX we don't have a means of a load estimation. The purpose of | | 2043 | * XXX we don't have a means of a load estimation. The purpose of |
2048 | * the mechanism is a DoS mitigation, so we consider frequent handshake | | 2044 | * the mechanism is a DoS mitigation, so we consider frequent handshake |
2049 | * messages as (a kind of) load; if a message of the same type comes | | 2045 | * messages as (a kind of) load; if a message of the same type comes |
2050 | * to a peer within 1 second, we consider we are under load. | | 2046 | * to a peer within 1 second, we consider we are under load. |
2051 | */ | | 2047 | */ |
2052 | time_t last = wgp->wgp_last_msg_received_time[msgtype]; | | 2048 | time_t last = wgp->wgp_last_msg_received_time[msgtype]; |
2053 | wgp->wgp_last_msg_received_time[msgtype] = time_uptime; | | 2049 | wgp->wgp_last_msg_received_time[msgtype] = time_uptime; |
2054 | return (time_uptime - last) == 0; | | 2050 | return (time_uptime - last) == 0; |
2055 | } | | 2051 | } |
2056 | | | 2052 | |
2057 | static void | | 2053 | static void |
2058 | wg_calculate_keys(struct wg_session *wgs, const bool initiator) | | 2054 | wg_calculate_keys(struct wg_session *wgs, const bool initiator) |
2059 | { | | 2055 | { |
2060 | | | 2056 | |
2061 | /* | | 2057 | /* |
2062 | * [W] 5.4.5: Ti^send = Tr^recv, Ti^recv = Tr^send := KDF2(Ci = Cr, e) | | 2058 | * [W] 5.4.5: Ti^send = Tr^recv, Ti^recv = Tr^send := KDF2(Ci = Cr, e) |
2063 | */ | | 2059 | */ |
2064 | if (initiator) { | | 2060 | if (initiator) { |
2065 | wg_algo_kdf(wgs->wgs_tkey_send, wgs->wgs_tkey_recv, NULL, | | 2061 | wg_algo_kdf(wgs->wgs_tkey_send, wgs->wgs_tkey_recv, NULL, |
2066 | wgs->wgs_chaining_key, NULL, 0); | | 2062 | wgs->wgs_chaining_key, NULL, 0); |
2067 | } else { | | 2063 | } else { |
2068 | wg_algo_kdf(wgs->wgs_tkey_recv, wgs->wgs_tkey_send, NULL, | | 2064 | wg_algo_kdf(wgs->wgs_tkey_recv, wgs->wgs_tkey_send, NULL, |
2069 | wgs->wgs_chaining_key, NULL, 0); | | 2065 | wgs->wgs_chaining_key, NULL, 0); |
2070 | } | | 2066 | } |
2071 | WG_DUMP_HASH("wgs_tkey_send", wgs->wgs_tkey_send); | | 2067 | WG_DUMP_HASH("wgs_tkey_send", wgs->wgs_tkey_send); |
2072 | WG_DUMP_HASH("wgs_tkey_recv", wgs->wgs_tkey_recv); | | 2068 | WG_DUMP_HASH("wgs_tkey_recv", wgs->wgs_tkey_recv); |
2073 | } | | 2069 | } |
2074 | | | 2070 | |
2075 | static uint64_t | | 2071 | static uint64_t |
2076 | wg_session_get_send_counter(struct wg_session *wgs) | | 2072 | wg_session_get_send_counter(struct wg_session *wgs) |
2077 | { | | 2073 | { |
2078 | #ifdef __HAVE_ATOMIC64_LOADSTORE | | 2074 | #ifdef __HAVE_ATOMIC64_LOADSTORE |
2079 | return atomic_load_relaxed(&wgs->wgs_send_counter); | | 2075 | return atomic_load_relaxed(&wgs->wgs_send_counter); |
2080 | #else | | 2076 | #else |
2081 | uint64_t send_counter; | | 2077 | uint64_t send_counter; |
2082 | | | 2078 | |
2083 | mutex_enter(&wgs->wgs_send_counter_lock); | | 2079 | mutex_enter(&wgs->wgs_send_counter_lock); |
2084 | send_counter = wgs->wgs_send_counter; | | 2080 | send_counter = wgs->wgs_send_counter; |
2085 | mutex_exit(&wgs->wgs_send_counter_lock); | | 2081 | mutex_exit(&wgs->wgs_send_counter_lock); |
2086 | | | 2082 | |
2087 | return send_counter; | | 2083 | return send_counter; |
2088 | #endif | | 2084 | #endif |
2089 | } | | 2085 | } |
2090 | | | 2086 | |
2091 | static uint64_t | | 2087 | static uint64_t |
2092 | wg_session_inc_send_counter(struct wg_session *wgs) | | 2088 | wg_session_inc_send_counter(struct wg_session *wgs) |
2093 | { | | 2089 | { |
2094 | #ifdef __HAVE_ATOMIC64_LOADSTORE | | 2090 | #ifdef __HAVE_ATOMIC64_LOADSTORE |
2095 | return atomic_inc_64_nv(&wgs->wgs_send_counter) - 1; | | 2091 | return atomic_inc_64_nv(&wgs->wgs_send_counter) - 1; |
2096 | #else | | 2092 | #else |
2097 | uint64_t send_counter; | | 2093 | uint64_t send_counter; |
2098 | | | 2094 | |
2099 | mutex_enter(&wgs->wgs_send_counter_lock); | | 2095 | mutex_enter(&wgs->wgs_send_counter_lock); |
2100 | send_counter = wgs->wgs_send_counter++; | | 2096 | send_counter = wgs->wgs_send_counter++; |
2101 | mutex_exit(&wgs->wgs_send_counter_lock); | | 2097 | mutex_exit(&wgs->wgs_send_counter_lock); |
2102 | | | 2098 | |
2103 | return send_counter; | | 2099 | return send_counter; |
2104 | #endif | | 2100 | #endif |
2105 | } | | 2101 | } |
2106 | | | 2102 | |
2107 | static void | | 2103 | static void |
2108 | wg_clear_states(struct wg_session *wgs) | | 2104 | wg_clear_states(struct wg_session *wgs) |
2109 | { | | 2105 | { |
2110 | | | 2106 | |
2111 | wgs->wgs_send_counter = 0; | | 2107 | wgs->wgs_send_counter = 0; |
2112 | sliwin_reset(&wgs->wgs_recvwin->window); | | 2108 | sliwin_reset(&wgs->wgs_recvwin->window); |
2113 | | | 2109 | |
2114 | #define wgs_clear(v) explicit_memset(wgs->wgs_##v, 0, sizeof(wgs->wgs_##v)) | | 2110 | #define wgs_clear(v) explicit_memset(wgs->wgs_##v, 0, sizeof(wgs->wgs_##v)) |
2115 | wgs_clear(handshake_hash); | | 2111 | wgs_clear(handshake_hash); |
2116 | wgs_clear(chaining_key); | | 2112 | wgs_clear(chaining_key); |
2117 | wgs_clear(ephemeral_key_pub); | | 2113 | wgs_clear(ephemeral_key_pub); |
2118 | wgs_clear(ephemeral_key_priv); | | 2114 | wgs_clear(ephemeral_key_priv); |
2119 | wgs_clear(ephemeral_key_peer); | | 2115 | wgs_clear(ephemeral_key_peer); |
2120 | #undef wgs_clear | | 2116 | #undef wgs_clear |
2121 | } | | 2117 | } |
2122 | | | 2118 | |
2123 | static struct wg_session * | | 2119 | static struct wg_session * |
2124 | wg_lookup_session_by_index(struct wg_softc *wg, const uint32_t index, | | 2120 | wg_lookup_session_by_index(struct wg_softc *wg, const uint32_t index, |
2125 | struct psref *psref) | | 2121 | struct psref *psref) |
2126 | { | | 2122 | { |
2127 | struct wg_session *wgs; | | 2123 | struct wg_session *wgs; |
2128 | | | 2124 | |
2129 | int s = pserialize_read_enter(); | | 2125 | int s = pserialize_read_enter(); |
2130 | wgs = thmap_get(wg->wg_sessions_byindex, &index, sizeof index); | | 2126 | wgs = thmap_get(wg->wg_sessions_byindex, &index, sizeof index); |
2131 | if (wgs != NULL) | | 2127 | if (wgs != NULL) |
2132 | psref_acquire(psref, &wgs->wgs_psref, wg_psref_class); | | 2128 | psref_acquire(psref, &wgs->wgs_psref, wg_psref_class); |
2133 | pserialize_read_exit(s); | | 2129 | pserialize_read_exit(s); |
2134 | | | 2130 | |
2135 | return wgs; | | 2131 | return wgs; |
2136 | } | | 2132 | } |
2137 | | | 2133 | |
2138 | static void | | 2134 | static void |
2139 | wg_schedule_rekey_timer(struct wg_peer *wgp) | | 2135 | wg_schedule_rekey_timer(struct wg_peer *wgp) |
2140 | { | | 2136 | { |
2141 | int timeout = MIN(wg_rekey_after_time, INT_MAX/hz); | | 2137 | int timeout = MIN(wg_rekey_after_time, INT_MAX/hz); |
2142 | | | 2138 | |
2143 | callout_schedule(&wgp->wgp_rekey_timer, timeout * hz); | | 2139 | callout_schedule(&wgp->wgp_rekey_timer, timeout * hz); |
2144 | } | | 2140 | } |
2145 | | | 2141 | |
2146 | static void | | 2142 | static void |
2147 | wg_send_keepalive_msg(struct wg_peer *wgp, struct wg_session *wgs) | | 2143 | wg_send_keepalive_msg(struct wg_peer *wgp, struct wg_session *wgs) |
2148 | { | | 2144 | { |
2149 | struct mbuf *m; | | 2145 | struct mbuf *m; |
2150 | | | 2146 | |
2151 | /* | | 2147 | /* |
2152 | * [W] 6.5 Passive Keepalive | | 2148 | * [W] 6.5 Passive Keepalive |
2153 | * "A keepalive message is simply a transport data message with | | 2149 | * "A keepalive message is simply a transport data message with |
2154 | * a zero-length encapsulated encrypted inner-packet." | | 2150 | * a zero-length encapsulated encrypted inner-packet." |
2155 | */ | | 2151 | */ |
2156 | m = m_gethdr(M_WAIT, MT_DATA); | | 2152 | m = m_gethdr(M_WAIT, MT_DATA); |
2157 | wg_send_data_msg(wgp, wgs, m); | | 2153 | wg_send_data_msg(wgp, wgs, m); |
2158 | } | | 2154 | } |
2159 | | | 2155 | |
2160 | static bool | | 2156 | static bool |
2161 | wg_need_to_send_init_message(struct wg_session *wgs) | | 2157 | wg_need_to_send_init_message(struct wg_session *wgs) |
2162 | { | | 2158 | { |
2163 | /* | | 2159 | /* |
2164 | * [W] 6.2 Transport Message Limits | | 2160 | * [W] 6.2 Transport Message Limits |
2165 | * "if a peer is the initiator of a current secure session, | | 2161 | * "if a peer is the initiator of a current secure session, |
2166 | * WireGuard will send a handshake initiation message to begin | | 2162 | * WireGuard will send a handshake initiation message to begin |
2167 | * a new secure session ... if after receiving a transport data | | 2163 | * a new secure session ... if after receiving a transport data |
2168 | * message, the current secure session is (REJECT-AFTER-TIME − | | 2164 | * message, the current secure session is (REJECT-AFTER-TIME − |
2169 | * KEEPALIVE-TIMEOUT − REKEY-TIMEOUT) seconds old and it has | | 2165 | * KEEPALIVE-TIMEOUT − REKEY-TIMEOUT) seconds old and it has |
2170 | * not yet acted upon this event." | | 2166 | * not yet acted upon this event." |
2171 | */ | | 2167 | */ |
2172 | return wgs->wgs_is_initiator && wgs->wgs_time_last_data_sent == 0 && | | 2168 | return wgs->wgs_is_initiator && wgs->wgs_time_last_data_sent == 0 && |
2173 | (time_uptime - wgs->wgs_time_established) >= | | 2169 | (time_uptime - wgs->wgs_time_established) >= |
2174 | (wg_reject_after_time - wg_keepalive_timeout - wg_rekey_timeout); | | 2170 | (wg_reject_after_time - wg_keepalive_timeout - wg_rekey_timeout); |
2175 | } | | 2171 | } |
2176 | | | 2172 | |
2177 | static void | | 2173 | static void |
2178 | wg_schedule_peer_task(struct wg_peer *wgp, int task) | | 2174 | wg_schedule_peer_task(struct wg_peer *wgp, int task) |
2179 | { | | 2175 | { |
2180 | | | 2176 | |
2181 | atomic_or_uint(&wgp->wgp_tasks, task); | | 2177 | atomic_or_uint(&wgp->wgp_tasks, task); |
2182 | WG_DLOG("tasks=%d, task=%d\n", wgp->wgp_tasks, task); | | 2178 | WG_DLOG("tasks=%d, task=%d\n", wgp->wgp_tasks, task); |
2183 | wg_wakeup_worker(wgp->wgp_sc->wg_worker, WG_WAKEUP_REASON_PEER); | | 2179 | wg_wakeup_worker(wgp->wgp_sc->wg_worker, WG_WAKEUP_REASON_PEER); |
2184 | } | | 2180 | } |
2185 | | | 2181 | |
2186 | static void | | 2182 | static void |
2187 | wg_change_endpoint(struct wg_peer *wgp, const struct sockaddr *new) | | 2183 | wg_change_endpoint(struct wg_peer *wgp, const struct sockaddr *new) |
2188 | { | | 2184 | { |
2189 | | | 2185 | |
2190 | KASSERT(mutex_owned(wgp->wgp_lock)); | | 2186 | KASSERT(mutex_owned(wgp->wgp_lock)); |
2191 | | | 2187 | |
2192 | WG_TRACE("Changing endpoint"); | | 2188 | WG_TRACE("Changing endpoint"); |
2193 | | | 2189 | |
2194 | memcpy(wgp->wgp_endpoint0, new, new->sa_len); | | 2190 | memcpy(wgp->wgp_endpoint0, new, new->sa_len); |
2195 | wgp->wgp_endpoint0 = atomic_swap_ptr(&wgp->wgp_endpoint, | | 2191 | wgp->wgp_endpoint0 = atomic_swap_ptr(&wgp->wgp_endpoint, |
2196 | wgp->wgp_endpoint0); | | 2192 | wgp->wgp_endpoint0); |
2197 | if (!wgp->wgp_endpoint_available) | | 2193 | if (!wgp->wgp_endpoint_available) |
2198 | wgp->wgp_endpoint_available = true; | | 2194 | wgp->wgp_endpoint_available = true; |
2199 | wgp->wgp_endpoint_changing = true; | | 2195 | wgp->wgp_endpoint_changing = true; |
2200 | wg_schedule_peer_task(wgp, WGP_TASK_ENDPOINT_CHANGED); | | 2196 | wg_schedule_peer_task(wgp, WGP_TASK_ENDPOINT_CHANGED); |
2201 | } | | 2197 | } |
2202 | | | 2198 | |
2203 | static bool | | 2199 | static bool |
2204 | wg_validate_inner_packet(const char *packet, size_t decrypted_len, int *af) | | 2200 | wg_validate_inner_packet(const char *packet, size_t decrypted_len, int *af) |
2205 | { | | 2201 | { |
2206 | uint16_t packet_len; | | 2202 | uint16_t packet_len; |
2207 | const struct ip *ip; | | 2203 | const struct ip *ip; |
2208 | | | 2204 | |
2209 | if (__predict_false(decrypted_len < sizeof(struct ip))) | | 2205 | if (__predict_false(decrypted_len < sizeof(struct ip))) |
2210 | return false; | | 2206 | return false; |
2211 | | | 2207 | |
2212 | ip = (const struct ip *)packet; | | 2208 | ip = (const struct ip *)packet; |
2213 | if (ip->ip_v == 4) | | 2209 | if (ip->ip_v == 4) |
2214 | *af = AF_INET; | | 2210 | *af = AF_INET; |
2215 | else if (ip->ip_v == 6) | | 2211 | else if (ip->ip_v == 6) |
2216 | *af = AF_INET6; | | 2212 | *af = AF_INET6; |
2217 | else | | 2213 | else |
2218 | return false; | | 2214 | return false; |
2219 | | | 2215 | |
2220 | WG_DLOG("af=%d\n", *af); | | 2216 | WG_DLOG("af=%d\n", *af); |
2221 | | | 2217 | |
2222 | if (*af == AF_INET) { | | 2218 | if (*af == AF_INET) { |
2223 | packet_len = ntohs(ip->ip_len); | | 2219 | packet_len = ntohs(ip->ip_len); |
2224 | } else { | | 2220 | } else { |
2225 | const struct ip6_hdr *ip6; | | 2221 | const struct ip6_hdr *ip6; |
2226 | | | 2222 | |
2227 | if (__predict_false(decrypted_len < sizeof(struct ip6_hdr))) | | 2223 | if (__predict_false(decrypted_len < sizeof(struct ip6_hdr))) |
2228 | return false; | | 2224 | return false; |
2229 | | | 2225 | |
2230 | ip6 = (const struct ip6_hdr *)packet; | | 2226 | ip6 = (const struct ip6_hdr *)packet; |
2231 | packet_len = sizeof(struct ip6_hdr) + ntohs(ip6->ip6_plen); | | 2227 | packet_len = sizeof(struct ip6_hdr) + ntohs(ip6->ip6_plen); |
2232 | } | | 2228 | } |
2233 | | | 2229 | |
2234 | WG_DLOG("packet_len=%u\n", packet_len); | | 2230 | WG_DLOG("packet_len=%u\n", packet_len); |
2235 | if (packet_len > decrypted_len) | | 2231 | if (packet_len > decrypted_len) |
2236 | return false; | | 2232 | return false; |
2237 | | | 2233 | |
2238 | return true; | | 2234 | return true; |
2239 | } | | 2235 | } |
2240 | | | 2236 | |
2241 | static bool | | 2237 | static bool |
2242 | wg_validate_route(struct wg_softc *wg, struct wg_peer *wgp_expected, | | 2238 | wg_validate_route(struct wg_softc *wg, struct wg_peer *wgp_expected, |
2243 | int af, char *packet) | | 2239 | int af, char *packet) |
2244 | { | | 2240 | { |
2245 | struct sockaddr_storage ss; | | 2241 | struct sockaddr_storage ss; |
2246 | struct sockaddr *sa; | | 2242 | struct sockaddr *sa; |
2247 | struct psref psref; | | 2243 | struct psref psref; |
2248 | struct wg_peer *wgp; | | 2244 | struct wg_peer *wgp; |
2249 | bool ok; | | 2245 | bool ok; |
2250 | | | 2246 | |
2251 | /* | | 2247 | /* |
2252 | * II CRYPTOKEY ROUTING | | 2248 | * II CRYPTOKEY ROUTING |
2253 | * "it will only accept it if its source IP resolves in the | | 2249 | * "it will only accept it if its source IP resolves in the |
2254 | * table to the public key used in the secure session for | | 2250 | * table to the public key used in the secure session for |
2255 | * decrypting it." | | 2251 | * decrypting it." |
2256 | */ | | 2252 | */ |
2257 | | | 2253 | |
2258 | if (af == AF_INET) { | | 2254 | if (af == AF_INET) { |
2259 | const struct ip *ip = (const struct ip *)packet; | | 2255 | const struct ip *ip = (const struct ip *)packet; |
2260 | struct sockaddr_in *sin = (struct sockaddr_in *)&ss; | | 2256 | struct sockaddr_in *sin = (struct sockaddr_in *)&ss; |
2261 | sockaddr_in_init(sin, &ip->ip_src, 0); | | 2257 | sockaddr_in_init(sin, &ip->ip_src, 0); |
2262 | sa = sintosa(sin); | | 2258 | sa = sintosa(sin); |
2263 | #ifdef INET6 | | 2259 | #ifdef INET6 |
2264 | } else { | | 2260 | } else { |
2265 | const struct ip6_hdr *ip6 = (const struct ip6_hdr *)packet; | | 2261 | const struct ip6_hdr *ip6 = (const struct ip6_hdr *)packet; |
2266 | struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)&ss; | | 2262 | struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)&ss; |
2267 | sockaddr_in6_init(sin6, &ip6->ip6_src, 0, 0, 0); | | 2263 | sockaddr_in6_init(sin6, &ip6->ip6_src, 0, 0, 0); |
2268 | sa = sin6tosa(sin6); | | 2264 | sa = sin6tosa(sin6); |
2269 | #endif | | 2265 | #endif |
2270 | } | | 2266 | } |
2271 | | | 2267 | |
2272 | wgp = wg_pick_peer_by_sa(wg, sa, &psref); | | 2268 | wgp = wg_pick_peer_by_sa(wg, sa, &psref); |
2273 | ok = (wgp == wgp_expected); | | 2269 | ok = (wgp == wgp_expected); |
2274 | if (wgp != NULL) | | 2270 | if (wgp != NULL) |
2275 | wg_put_peer(wgp, &psref); | | 2271 | wg_put_peer(wgp, &psref); |
2276 | | | 2272 | |
2277 | return ok; | | 2273 | return ok; |
2278 | } | | 2274 | } |
2279 | | | 2275 | |
2280 | static void | | 2276 | static void |
2281 | wg_session_dtor_timer(void *arg) | | 2277 | wg_session_dtor_timer(void *arg) |
2282 | { | | 2278 | { |
2283 | struct wg_peer *wgp = arg; | | 2279 | struct wg_peer *wgp = arg; |
2284 | | | 2280 | |
2285 | WG_TRACE("enter"); | | 2281 | WG_TRACE("enter"); |
2286 | | | 2282 | |
2287 | mutex_enter(wgp->wgp_lock); | | 2283 | mutex_enter(wgp->wgp_lock); |
2288 | if (__predict_false(wgp->wgp_state == WGP_STATE_DESTROYING)) { | | 2284 | if (__predict_false(wgp->wgp_state == WGP_STATE_DESTROYING)) { |
2289 | mutex_exit(wgp->wgp_lock); | | 2285 | mutex_exit(wgp->wgp_lock); |
2290 | return; | | 2286 | return; |
2291 | } | | 2287 | } |
2292 | mutex_exit(wgp->wgp_lock); | | 2288 | mutex_exit(wgp->wgp_lock); |
2293 | | | 2289 | |
2294 | wg_schedule_peer_task(wgp, WGP_TASK_DESTROY_PREV_SESSION); | | 2290 | wg_schedule_peer_task(wgp, WGP_TASK_DESTROY_PREV_SESSION); |
2295 | } | | 2291 | } |
2296 | | | 2292 | |
2297 | static void | | 2293 | static void |
2298 | wg_schedule_session_dtor_timer(struct wg_peer *wgp) | | 2294 | wg_schedule_session_dtor_timer(struct wg_peer *wgp) |
2299 | { | | 2295 | { |
2300 | | | 2296 | |
2301 | /* 1 second grace period */ | | 2297 | /* 1 second grace period */ |
2302 | callout_schedule(&wgp->wgp_session_dtor_timer, hz); | | 2298 | callout_schedule(&wgp->wgp_session_dtor_timer, hz); |
2303 | } | | 2299 | } |
2304 | | | 2300 | |
2305 | static bool | | 2301 | static bool |
2306 | sockaddr_port_match(const struct sockaddr *sa1, const struct sockaddr *sa2) | | 2302 | sockaddr_port_match(const struct sockaddr *sa1, const struct sockaddr *sa2) |
2307 | { | | 2303 | { |
2308 | if (sa1->sa_family != sa2->sa_family) | | 2304 | if (sa1->sa_family != sa2->sa_family) |
2309 | return false; | | 2305 | return false; |
2310 | | | 2306 | |
2311 | switch (sa1->sa_family) { | | 2307 | switch (sa1->sa_family) { |
2312 | case AF_INET: | | 2308 | case AF_INET: |
2313 | return satocsin(sa1)->sin_port == satocsin(sa2)->sin_port; | | 2309 | return satocsin(sa1)->sin_port == satocsin(sa2)->sin_port; |
2314 | case AF_INET6: | | 2310 | case AF_INET6: |
2315 | return satocsin6(sa1)->sin6_port == satocsin6(sa2)->sin6_port; | | 2311 | return satocsin6(sa1)->sin6_port == satocsin6(sa2)->sin6_port; |
2316 | default: | | 2312 | default: |
2317 | return true; | | 2313 | return true; |
2318 | } | | 2314 | } |
2319 | } | | 2315 | } |
2320 | | | 2316 | |
2321 | static void | | 2317 | static void |
2322 | wg_update_endpoint_if_necessary(struct wg_peer *wgp, | | 2318 | wg_update_endpoint_if_necessary(struct wg_peer *wgp, |
2323 | const struct sockaddr *src) | | 2319 | const struct sockaddr *src) |
2324 | { | | 2320 | { |
2325 | | | 2321 | |
2326 | #ifdef WG_DEBUG_LOG | | 2322 | #ifdef WG_DEBUG_LOG |
2327 | char oldaddr[128], newaddr[128]; | | 2323 | char oldaddr[128], newaddr[128]; |
2328 | sockaddr_format(&wgp->wgp_sa, oldaddr, sizeof(oldaddr)); | | 2324 | sockaddr_format(&wgp->wgp_sa, oldaddr, sizeof(oldaddr)); |
2329 | sockaddr_format(src, newaddr, sizeof(newaddr)); | | 2325 | sockaddr_format(src, newaddr, sizeof(newaddr)); |
2330 | WG_DLOG("old=%s, new=%s\n", oldaddr, newaddr); | | 2326 | WG_DLOG("old=%s, new=%s\n", oldaddr, newaddr); |
2331 | #endif | | 2327 | #endif |
2332 | | | 2328 | |
2333 | /* | | 2329 | /* |
2334 | * III: "Since the packet has authenticated correctly, the source IP of | | 2330 | * III: "Since the packet has authenticated correctly, the source IP of |
2335 | * the outer UDP/IP packet is used to update the endpoint for peer..." | | 2331 | * the outer UDP/IP packet is used to update the endpoint for peer..." |
2336 | */ | | 2332 | */ |
2337 | if (__predict_false(sockaddr_cmp(src, &wgp->wgp_sa) != 0 || | | 2333 | if (__predict_false(sockaddr_cmp(src, &wgp->wgp_sa) != 0 || |
2338 | !sockaddr_port_match(src, &wgp->wgp_sa))) { | | 2334 | !sockaddr_port_match(src, &wgp->wgp_sa))) { |
2339 | mutex_enter(wgp->wgp_lock); | | 2335 | mutex_enter(wgp->wgp_lock); |
2340 | /* XXX We can't change the endpoint twice in a short period */ | | 2336 | /* XXX We can't change the endpoint twice in a short period */ |
2341 | if (!wgp->wgp_endpoint_changing) { | | 2337 | if (!wgp->wgp_endpoint_changing) { |
2342 | wg_change_endpoint(wgp, src); | | 2338 | wg_change_endpoint(wgp, src); |
2343 | } | | 2339 | } |
2344 | mutex_exit(wgp->wgp_lock); | | 2340 | mutex_exit(wgp->wgp_lock); |
2345 | } | | 2341 | } |
2346 | } | | 2342 | } |
2347 | | | 2343 | |
2348 | static void | | 2344 | static void |
2349 | wg_handle_msg_data(struct wg_softc *wg, struct mbuf *m, | | 2345 | wg_handle_msg_data(struct wg_softc *wg, struct mbuf *m, |
2350 | const struct sockaddr *src) | | 2346 | const struct sockaddr *src) |
2351 | { | | 2347 | { |
2352 | struct wg_msg_data *wgmd; | | 2348 | struct wg_msg_data *wgmd; |
2353 | char *encrypted_buf = NULL, *decrypted_buf; | | 2349 | char *encrypted_buf = NULL, *decrypted_buf; |
2354 | size_t encrypted_len, decrypted_len; | | 2350 | size_t encrypted_len, decrypted_len; |
2355 | struct wg_session *wgs; | | 2351 | struct wg_session *wgs; |
2356 | struct wg_peer *wgp; | | 2352 | struct wg_peer *wgp; |
2357 | size_t mlen; | | 2353 | size_t mlen; |
2358 | struct psref psref; | | 2354 | struct psref psref; |
2359 | int error, af; | | 2355 | int error, af; |
2360 | bool success, free_encrypted_buf = false, ok; | | 2356 | bool success, free_encrypted_buf = false, ok; |
2361 | struct mbuf *n; | | 2357 | struct mbuf *n; |
2362 | | | 2358 | |
2363 | KASSERT(m->m_len >= sizeof(struct wg_msg_data)); | | 2359 | KASSERT(m->m_len >= sizeof(struct wg_msg_data)); |
2364 | wgmd = mtod(m, struct wg_msg_data *); | | 2360 | wgmd = mtod(m, struct wg_msg_data *); |
2365 | | | 2361 | |
2366 | KASSERT(wgmd->wgmd_type == htole32(WG_MSG_TYPE_DATA)); | | 2362 | KASSERT(wgmd->wgmd_type == htole32(WG_MSG_TYPE_DATA)); |
2367 | WG_TRACE("data"); | | 2363 | WG_TRACE("data"); |
2368 | | | 2364 | |
2369 | wgs = wg_lookup_session_by_index(wg, wgmd->wgmd_receiver, &psref); | | 2365 | wgs = wg_lookup_session_by_index(wg, wgmd->wgmd_receiver, &psref); |
2370 | if (wgs == NULL) { | | 2366 | if (wgs == NULL) { |
2371 | WG_TRACE("No session found"); | | 2367 | WG_TRACE("No session found"); |
2372 | m_freem(m); | | 2368 | m_freem(m); |
2373 | return; | | 2369 | return; |
2374 | } | | 2370 | } |
2375 | wgp = wgs->wgs_peer; | | 2371 | wgp = wgs->wgs_peer; |
2376 | | | 2372 | |
2377 | error = sliwin_check_fast(&wgs->wgs_recvwin->window, | | 2373 | error = sliwin_check_fast(&wgs->wgs_recvwin->window, |
2378 | le64toh(wgmd->wgmd_counter)); | | 2374 | le64toh(wgmd->wgmd_counter)); |
2379 | if (error) { | | 2375 | if (error) { |
2380 | WG_LOG_RATECHECK(&wgp->wgp_ppsratecheck, LOG_DEBUG, | | 2376 | WG_LOG_RATECHECK(&wgp->wgp_ppsratecheck, LOG_DEBUG, |
2381 | "out-of-window packet: %"PRIu64"\n", | | 2377 | "out-of-window packet: %"PRIu64"\n", |
2382 | le64toh(wgmd->wgmd_counter)); | | 2378 | le64toh(wgmd->wgmd_counter)); |
2383 | goto out; | | 2379 | goto out; |
2384 | } | | 2380 | } |
2385 | | | 2381 | |
2386 | mlen = m_length(m); | | 2382 | mlen = m_length(m); |
2387 | encrypted_len = mlen - sizeof(*wgmd); | | 2383 | encrypted_len = mlen - sizeof(*wgmd); |
2388 | | | 2384 | |
2389 | if (encrypted_len < WG_AUTHTAG_LEN) { | | 2385 | if (encrypted_len < WG_AUTHTAG_LEN) { |
2390 | WG_DLOG("Short encrypted_len: %lu\n", encrypted_len); | | 2386 | WG_DLOG("Short encrypted_len: %lu\n", encrypted_len); |
2391 | goto out; | | 2387 | goto out; |
2392 | } | | 2388 | } |
2393 | | | 2389 | |
2394 | success = m_ensure_contig(&m, sizeof(*wgmd) + encrypted_len); | | 2390 | success = m_ensure_contig(&m, sizeof(*wgmd) + encrypted_len); |
2395 | if (success) { | | 2391 | if (success) { |
2396 | encrypted_buf = mtod(m, char *) + sizeof(*wgmd); | | 2392 | encrypted_buf = mtod(m, char *) + sizeof(*wgmd); |
2397 | } else { | | 2393 | } else { |
2398 | encrypted_buf = kmem_intr_alloc(encrypted_len, KM_NOSLEEP); | | 2394 | encrypted_buf = kmem_intr_alloc(encrypted_len, KM_NOSLEEP); |
2399 | if (encrypted_buf == NULL) { | | 2395 | if (encrypted_buf == NULL) { |
2400 | WG_DLOG("failed to allocate encrypted_buf\n"); | | 2396 | WG_DLOG("failed to allocate encrypted_buf\n"); |
2401 | goto out; | | 2397 | goto out; |
2402 | } | | 2398 | } |
2403 | m_copydata(m, sizeof(*wgmd), encrypted_len, encrypted_buf); | | 2399 | m_copydata(m, sizeof(*wgmd), encrypted_len, encrypted_buf); |
2404 | free_encrypted_buf = true; | | 2400 | free_encrypted_buf = true; |
2405 | } | | 2401 | } |
2406 | /* m_ensure_contig may change m regardless of its result */ | | 2402 | /* m_ensure_contig may change m regardless of its result */ |
2407 | KASSERT(m->m_len >= sizeof(*wgmd)); | | 2403 | KASSERT(m->m_len >= sizeof(*wgmd)); |
2408 | wgmd = mtod(m, struct wg_msg_data *); | | 2404 | wgmd = mtod(m, struct wg_msg_data *); |
2409 | | | 2405 | |
2410 | decrypted_len = encrypted_len - WG_AUTHTAG_LEN; | | 2406 | decrypted_len = encrypted_len - WG_AUTHTAG_LEN; |
2411 | if (decrypted_len > MCLBYTES) { | | 2407 | if (decrypted_len > MCLBYTES) { |
2412 | /* FIXME handle larger data than MCLBYTES */ | | 2408 | /* FIXME handle larger data than MCLBYTES */ |
2413 | WG_DLOG("couldn't handle larger data than MCLBYTES\n"); | | 2409 | WG_DLOG("couldn't handle larger data than MCLBYTES\n"); |
2414 | goto out; | | 2410 | goto out; |
2415 | } | | 2411 | } |
2416 | | | 2412 | |
2417 | /* To avoid zero length */ | | 2413 | /* To avoid zero length */ |
2418 | n = wg_get_mbuf(0, decrypted_len + WG_AUTHTAG_LEN); | | 2414 | n = wg_get_mbuf(0, decrypted_len + WG_AUTHTAG_LEN); |
2419 | if (n == NULL) { | | 2415 | if (n == NULL) { |
2420 | WG_DLOG("wg_get_mbuf failed\n"); | | 2416 | WG_DLOG("wg_get_mbuf failed\n"); |
2421 | goto out; | | 2417 | goto out; |
2422 | } | | 2418 | } |
2423 | decrypted_buf = mtod(n, char *); | | 2419 | decrypted_buf = mtod(n, char *); |
2424 | | | 2420 | |
2425 | WG_DLOG("mlen=%lu, encrypted_len=%lu\n", mlen, encrypted_len); | | 2421 | WG_DLOG("mlen=%lu, encrypted_len=%lu\n", mlen, encrypted_len); |
2426 | error = wg_algo_aead_dec(decrypted_buf, | | 2422 | error = wg_algo_aead_dec(decrypted_buf, |
2427 | encrypted_len - WG_AUTHTAG_LEN /* can be 0 */, | | 2423 | encrypted_len - WG_AUTHTAG_LEN /* can be 0 */, |
2428 | wgs->wgs_tkey_recv, le64toh(wgmd->wgmd_counter), encrypted_buf, | | 2424 | wgs->wgs_tkey_recv, le64toh(wgmd->wgmd_counter), encrypted_buf, |
2429 | encrypted_len, NULL, 0); | | 2425 | encrypted_len, NULL, 0); |
2430 | if (error != 0) { | | 2426 | if (error != 0) { |
2431 | WG_LOG_RATECHECK(&wgp->wgp_ppsratecheck, LOG_DEBUG, | | 2427 | WG_LOG_RATECHECK(&wgp->wgp_ppsratecheck, LOG_DEBUG, |
2432 | "failed to wg_algo_aead_dec\n"); | | 2428 | "failed to wg_algo_aead_dec\n"); |
2433 | m_freem(n); | | 2429 | m_freem(n); |
2434 | goto out; | | 2430 | goto out; |
2435 | } | | 2431 | } |
2436 | WG_DLOG("outsize=%u\n", (u_int)decrypted_len); | | 2432 | WG_DLOG("outsize=%u\n", (u_int)decrypted_len); |
2437 | | | 2433 | |
2438 | mutex_enter(&wgs->wgs_recvwin->lock); | | 2434 | mutex_enter(&wgs->wgs_recvwin->lock); |
2439 | error = sliwin_update(&wgs->wgs_recvwin->window, | | 2435 | error = sliwin_update(&wgs->wgs_recvwin->window, |
2440 | le64toh(wgmd->wgmd_counter)); | | 2436 | le64toh(wgmd->wgmd_counter)); |
2441 | mutex_exit(&wgs->wgs_recvwin->lock); | | 2437 | mutex_exit(&wgs->wgs_recvwin->lock); |
2442 | if (error) { | | 2438 | if (error) { |
2443 | WG_LOG_RATECHECK(&wgp->wgp_ppsratecheck, LOG_DEBUG, | | 2439 | WG_LOG_RATECHECK(&wgp->wgp_ppsratecheck, LOG_DEBUG, |
2444 | "replay or out-of-window packet: %"PRIu64"\n", | | 2440 | "replay or out-of-window packet: %"PRIu64"\n", |
2445 | le64toh(wgmd->wgmd_counter)); | | 2441 | le64toh(wgmd->wgmd_counter)); |
2446 | m_freem(n); | | 2442 | m_freem(n); |
2447 | goto out; | | 2443 | goto out; |
2448 | } | | 2444 | } |
2449 | | | 2445 | |
2450 | m_freem(m); | | 2446 | m_freem(m); |
2451 | m = NULL; | | 2447 | m = NULL; |
2452 | wgmd = NULL; | | 2448 | wgmd = NULL; |
2453 | | | 2449 | |
2454 | ok = wg_validate_inner_packet(decrypted_buf, decrypted_len, &af); | | 2450 | ok = wg_validate_inner_packet(decrypted_buf, decrypted_len, &af); |
2455 | if (!ok) { | | 2451 | if (!ok) { |
2456 | /* something wrong... */ | | 2452 | /* something wrong... */ |
2457 | m_freem(n); | | 2453 | m_freem(n); |
2458 | goto out; | | 2454 | goto out; |
2459 | } | | 2455 | } |
2460 | | | 2456 | |
2461 | wg_update_endpoint_if_necessary(wgp, src); | | 2457 | wg_update_endpoint_if_necessary(wgp, src); |
2462 | | | 2458 | |
2463 | ok = wg_validate_route(wg, wgp, af, decrypted_buf); | | 2459 | ok = wg_validate_route(wg, wgp, af, decrypted_buf); |
2464 | if (ok) { | | 2460 | if (ok) { |
2465 | wg->wg_ops->input(&wg->wg_if, n, af); | | 2461 | wg->wg_ops->input(&wg->wg_if, n, af); |
2466 | } else { | | 2462 | } else { |
2467 | WG_LOG_RATECHECK(&wgp->wgp_ppsratecheck, LOG_DEBUG, | | 2463 | WG_LOG_RATECHECK(&wgp->wgp_ppsratecheck, LOG_DEBUG, |
2468 | "invalid source address\n"); | | 2464 | "invalid source address\n"); |
2469 | m_freem(n); | | 2465 | m_freem(n); |
2470 | /* | | 2466 | /* |
2471 | * The inner address is invalid however the session is valid | | 2467 | * The inner address is invalid however the session is valid |
2472 | * so continue the session processing below. | | 2468 | * so continue the session processing below. |
2473 | */ | | 2469 | */ |
2474 | } | | 2470 | } |
2475 | n = NULL; | | 2471 | n = NULL; |
2476 | | | 2472 | |
2477 | if (wgs->wgs_state == WGS_STATE_INIT_PASSIVE) { | | 2473 | if (wgs->wgs_state == WGS_STATE_INIT_PASSIVE) { |
2478 | struct wg_session *wgs_prev; | | 2474 | struct wg_session *wgs_prev; |
2479 | | | 2475 | |
2480 | KASSERT(wgs == wgp->wgp_session_unstable); | | 2476 | KASSERT(wgs == wgp->wgp_session_unstable); |
2481 | wgs->wgs_state = WGS_STATE_ESTABLISHED; | | 2477 | wgs->wgs_state = WGS_STATE_ESTABLISHED; |
2482 | wgs->wgs_time_established = time_uptime; | | 2478 | wgs->wgs_time_established = time_uptime; |
2483 | wgs->wgs_time_last_data_sent = 0; | | 2479 | wgs->wgs_time_last_data_sent = 0; |
2484 | wgs->wgs_is_initiator = false; | | 2480 | wgs->wgs_is_initiator = false; |
2485 | WG_TRACE("WGS_STATE_ESTABLISHED"); | | 2481 | WG_TRACE("WGS_STATE_ESTABLISHED"); |
2486 | | | 2482 | |
2487 | mutex_enter(wgp->wgp_lock); | | 2483 | mutex_enter(wgp->wgp_lock); |
2488 | wg_swap_sessions(wgp); | | 2484 | wg_swap_sessions(wgp); |
2489 | wgs_prev = wgp->wgp_session_unstable; | | 2485 | wgs_prev = wgp->wgp_session_unstable; |
2490 | mutex_enter(wgs_prev->wgs_lock); | | 2486 | mutex_enter(wgs_prev->wgs_lock); |
2491 | getnanotime(&wgp->wgp_last_handshake_time); | | 2487 | getnanotime(&wgp->wgp_last_handshake_time); |
2492 | wgp->wgp_handshake_start_time = 0; | | 2488 | wgp->wgp_handshake_start_time = 0; |
2493 | wgp->wgp_last_sent_mac1_valid = false; | | 2489 | wgp->wgp_last_sent_mac1_valid = false; |
2494 | wgp->wgp_last_sent_cookie_valid = false; | | 2490 | wgp->wgp_last_sent_cookie_valid = false; |
2495 | mutex_exit(wgp->wgp_lock); | | 2491 | mutex_exit(wgp->wgp_lock); |
2496 | | | 2492 | |
2497 | if (wgs_prev->wgs_state == WGS_STATE_ESTABLISHED) { | | 2493 | if (wgs_prev->wgs_state == WGS_STATE_ESTABLISHED) { |
2498 | wgs_prev->wgs_state = WGS_STATE_DESTROYING; | | 2494 | wgs_prev->wgs_state = WGS_STATE_DESTROYING; |
2499 | /* We can't destroy the old session immediately */ | | 2495 | /* We can't destroy the old session immediately */ |
2500 | wg_schedule_session_dtor_timer(wgp); | | 2496 | wg_schedule_session_dtor_timer(wgp); |
2501 | } else { | | 2497 | } else { |
2502 | wg_clear_states(wgs_prev); | | 2498 | wg_clear_states(wgs_prev); |
2503 | wgs_prev->wgs_state = WGS_STATE_UNKNOWN; | | 2499 | wgs_prev->wgs_state = WGS_STATE_UNKNOWN; |
2504 | } | | 2500 | } |
2505 | mutex_exit(wgs_prev->wgs_lock); | | 2501 | mutex_exit(wgs_prev->wgs_lock); |
2506 | | | 2502 | |
2507 | /* Anyway run a softint to flush pending packets */ | | 2503 | /* Anyway run a softint to flush pending packets */ |
2508 | kpreempt_disable(); | | 2504 | kpreempt_disable(); |
2509 | softint_schedule(wgp->wgp_si); | | 2505 | softint_schedule(wgp->wgp_si); |
2510 | kpreempt_enable(); | | 2506 | kpreempt_enable(); |
2511 | } else { | | 2507 | } else { |
2512 | if (__predict_false(wg_need_to_send_init_message(wgs))) { | | 2508 | if (__predict_false(wg_need_to_send_init_message(wgs))) { |
2513 | wg_schedule_peer_task(wgp, WGP_TASK_SEND_INIT_MESSAGE); | | 2509 | wg_schedule_peer_task(wgp, WGP_TASK_SEND_INIT_MESSAGE); |
2514 | } | | 2510 | } |
2515 | /* | | 2511 | /* |
2516 | * [W] 6.5 Passive Keepalive | | 2512 | * [W] 6.5 Passive Keepalive |