wg: Add and improve WG_PKT_* macros to help clean up the code
- Add WG_PKT_IS_INITIATION, WG_PKT_IS_RESPONSE, WG_PKT_IS_COOKIE,
and WG_PKT_IS_DATA macros.
- Extend the original WG_PKT_DATA_MINLEN macro to be
WG_PKT_ENCRYPTED_LEN(n).
- Add WG_PKT_IS_INITIATION, WG_PKT_IS_RESPONSE, WG_PKT_IS_COOKIE,
and WG_PKT_IS_DATA macros.
- Extend the original WG_PKT_DATA_MINLEN macro to be
WG_PKT_ENCRYPTED_LEN(n).
wg: Clean up and improve wg_deliver_{in,out}() logic
- Refactor the code flow and avoid the 'goto' cases.
- Add 'oerrors' increment statement to wg_send(), pairing with the
existing 'opackets' and 'obytes' increments; this make the code more
clear.
- Assign 'mycpuid' to a local variable, avoiding repeated fetches within
the loop.
- Add comment about why to always trigger the keepalive timers.
- Refactor the code flow and avoid the 'goto' cases.
- Add 'oerrors' increment statement to wg_send(), pairing with the
existing 'opackets' and 'obytes' increments; this make the code more
clear.
- Assign 'mycpuid' to a local variable, avoiding repeated fetches within
the loop.
- Add comment about why to always trigger the keepalive timers.
wg: Optimize wg_peer_{get,set}_endpoint()
Similar to wg_peer_set_endpoint(), perform a comparion before really
coping the endpoint, saving unnecessary lockings.
In addition, add __predict_true() for the comparions.
Similar to wg_peer_set_endpoint(), perform a comparion before really
coping the endpoint, saving unnecessary lockings.
In addition, add __predict_true() for the comparions.
wg: Fix panic of "user address access from kernel mode"
Well, it never happened on my development VirtualBox VM, but always
happened on my desktop. Fix it. Actually, I made this mistake when
porting the code from OpenBSD.
Well, it never happened on my development VirtualBox VM, but always
happened on my desktop. Fix it. Actually, I made this mistake when
porting the code from OpenBSD.
Bump copyright year
ifconfig(8): Minor code and style cleanups
No functional changes.
No functional changes.
ifconfig(8): Change some 'int' variables to 'bool' whenever possible
I'd like to change 'doalias' as well, but it seems to require 3 states,
so leave it alone this moment.
I'd like to change 'doalias' as well, but it seems to require 3 states,
so leave it alone this moment.
ifconfig(8): Fix bug in interface address configuration
When the interface name had a length of >= 8, the address configuration
would fail with the ENXIO error, i.e., "no such interface".
This bug was made by me in commit c29ec76. It was caused by the
interface was truncated because the destination buffer size was wrongly
determined, as I was using sizeof() on a 'void *' pointer instead of the
actual interface name buffer.
Fix it by directly using IFNAMSIZ instead of sizeof().
When the interface name had a length of >= 8, the address configuration
would fail with the ENXIO error, i.e., "no such interface".
This bug was made by me in commit c29ec76. It was caused by the
interface was truncated because the destination buffer size was wrongly
determined, as I was using sizeof() on a 'void *' pointer instead of the
actual interface name buffer.
Fix it by directly using IFNAMSIZ instead of sizeof().
wg: Flush v4 routes for v6 randomized test to reduce the test time
The validation method uses a simple list to store all the routes in a
sorted way so that it can be looked up and verify the lookup results
of the radix tree. The list method can be really slow when there are
many routes, so the randomized test can take ~80 minutes on my test box.
Separate the v4 and v6 tests to significantly reduce the test time (e.g.,
from ~80 minutes to ~15 minutes).
The validation method uses a simple list to store all the routes in a
sorted way so that it can be looked up and verify the lookup results
of the radix tree. The list method can be really slow when there are
many routes, so the randomized test can take ~80 minutes on my test box.
Separate the v4 and v6 tests to significantly reduce the test time (e.g.,
from ~80 minutes to ~15 minutes).
wg: Update makefile with (commented) selftest defines
wg: Refactor selftest allowedips.c
- Refactor multiple functions and macros to make the implementation read
better.
- Fix some memory free issues upon errors; e.g., kfree() panics if the
given pointer is NULL.
- Add progress reports for the randomized test as it can take really
long time (e.g., ~80 minutes on my test box).
- Various improvements and style cleanups.
- Refactor multiple functions and macros to make the implementation read
better.
- Fix some memory free issues upon errors; e.g., kfree() panics if the
given pointer is NULL.
- Add progress reports for the randomized test as it can take really
long time (e.g., ~80 minutes on my test box).
- Various improvements and style cleanups.
wg: Port selftest allowedips.c
wg: Style cleanups and minor updates to selftest cookie.c and counter.c
- Style cleanups to make them consistent.
- Add '#undef' to cleanup defines.
- Add MIT license contents to file headers.
- Tweak 'for' loops in noise_counter_selftest() to make them more clear.
- Rename 'rl' to be 'rl_test'; rename 'MESSAGE_LEN' to be
'T_MESSAGE_LEN'.
- Remove unnecessary '[0 ... INITIATIONS_BURSTABLE - 1]' initialization
designator, and thus save one GNU extension.
- Style cleanups to make them consistent.
- Add '#undef' to cleanup defines.
- Add MIT license contents to file headers.
- Tweak 'for' loops in noise_counter_selftest() to make them more clear.
- Rename 'rl' to be 'rl_test'; rename 'MESSAGE_LEN' to be
'T_MESSAGE_LEN'.
- Remove unnecessary '[0 ... INITIATIONS_BURSTABLE - 1]' initialization
designator, and thus save one GNU extension.
wg: Port selftest cookie.c and counter.c
Note that 'int sleep_time' would overflow in calculating the tsleep()
timeout ticks, so change it to 'uint64_t' type.
Note that 'int sleep_time' would overflow in calculating the tsleep()
timeout ticks, so change it to 'uint64_t' type.
wg: Import selftest code from wireguard-freebsd
URL: https://git.zx2c4.com/wireguard-freebsd/
Files:
- src/selftest/allowedips.c
- src/selftest/cookie.c
- src/selftest/counter.c
URL: https://git.zx2c4.com/wireguard-freebsd/
Files:
- src/selftest/allowedips.c
- src/selftest/cookie.c
- src/selftest/counter.c
kernel: Add the 'wg' option and list it in LINT64
wg: Hook to the build system
wg: Adapt the man page to match our version
wg: Rewrite the module Makefile
wg: Prevent wg_{cookie,noise}.h from including by userland
Since our build system currently would install all headers (i.e., '*.h')
in 'sys/net/wg' directory, but actually only the 'if_wg.h' is required
by userland, i.e., ifconfig(8). So add the '_KERNEL' guard to prevent
the other two headers from including by userland.
Nonetheless, the build system should be improved in the future.
Since our build system currently would install all headers (i.e., '*.h')
in 'sys/net/wg' directory, but actually only the 'if_wg.h' is required
by userland, i.e., ifconfig(8). So add the '_KERNEL' guard to prevent
the other two headers from including by userland.
Nonetheless, the build system should be improved in the future.
wg: Reset the obsolete version number to 1
The version number meant the snapshot date of the wireguard-freebsd [0],
but it's obsolete now, because there is no more active development
there. In addition, this port has been diverged a lot from the FreeBSD
version. So just reset the version number to 1 for simplicity.
[0] wireguard-freebsd: https://git.zx2c4.com/wireguard-freebsd
The version number meant the snapshot date of the wireguard-freebsd [0],
but it's obsolete now, because there is no more active development
there. In addition, this port has been diverged a lot from the FreeBSD
version. So just reset the version number to 1 for simplicity.
[0] wireguard-freebsd: https://git.zx2c4.com/wireguard-freebsd
wg: Fix noise_remote_alloc() to acquire 'l_identity_lock' lock
The 'l_identity_lock' lock must be acquired to access 'l_has_identity'
and 'l_private' members; i.e., noise_precompute_ss() must be called with
the 'l_identity_lock' locked. So fix noise_remote_alloc() to acquire
the lock before calling noise_precompute_ss(). Meanwhile, add an
assertion to the latter to assert the required lock is held.
The 'l_identity_lock' lock must be acquired to access 'l_has_identity'
and 'l_private' members; i.e., noise_precompute_ss() must be called with
the 'l_identity_lock' locked. So fix noise_remote_alloc() to acquire
the lock before calling noise_precompute_ss(). Meanwhile, add an
assertion to the latter to assert the required lock is held.
wg: Fix bug in calculate_padding()
The calculation for 'pkt->p_mtu == 0' case was wrong, but it didn't
cause actual harm because currently only keepalive packets have
'p_mtu = 0' but also have a zero length.
Fix the calculation and add a comment about the keepalive packets.
The calculation for 'pkt->p_mtu == 0' case was wrong, but it didn't
cause actual harm because currently only keepalive packets have
'p_mtu = 0' but also have a zero length.
Fix the calculation and add a comment about the keepalive packets.
wg: Fix build without INET6 option
wg: Remove INET option and the 'opt_inet.h' header
DragonFly generally assumes INET always available, and doesn't actually
support an IPv6-only setup. So remove the INET option to clean up the
code a bit.
DragonFly generally assumes INET always available, and doesn't actually
support an IPv6-only setup. So remove the INET option to clean up the
code a bit.
wg: Remove unsupported endpoint.e_local and clean up related code
On DragonFly, the socket upcall and so_pru_soreceive() cannot provide
the local (i.e., destination) address of a received packet. Even if
there is the 'IP_RECVDSTADDR' control option to obtain the dst address,
but it's unsafe to use it with the socket, because the packet is queued
by the socket layer and the original packet may have been freed then.
As a result, just remove the unsupported 'e_local' part from
wg_endpoint. Meanwhile, clean up the code related to the 'e_local'
endpoint.
Moreover, DragonFly by default sends UDP packets asynchronously, so
so_pru_sosend() may just return 0 even if the packet fails to send.
Therefore, there is no much point to check its return code and retry
the sending. Remove the retry code from wg_send_buf() and the
'EADDRNOTAVAIL' check code from wg_deliver_out().
On DragonFly, the socket upcall and so_pru_soreceive() cannot provide
the local (i.e., destination) address of a received packet. Even if
there is the 'IP_RECVDSTADDR' control option to obtain the dst address,
but it's unsafe to use it with the socket, because the packet is queued
by the socket layer and the original packet may have been freed then.
As a result, just remove the unsupported 'e_local' part from
wg_endpoint. Meanwhile, clean up the code related to the 'e_local'
endpoint.
Moreover, DragonFly by default sends UDP packets asynchronously, so
so_pru_sosend() may just return 0 even if the packet fails to send.
Therefore, there is no much point to check its return code and retry
the sending. Remove the retry code from wg_send_buf() and the
'EADDRNOTAVAIL' check code from wg_deliver_out().
wg: Port #37: reimplement wg_mbuf_reset()
We define the 'MBUF_CLEARFLAGS' based on 'M_COPYFLAGS' for the mbuf
flags to be cleared. Since we don't make use of mbuf tag for loop
detection, the wg_mbuf_reset() function becomes really simple, so I just
do mbuf resetting in wg_encrypt()/wg_decrypt() and remove this function.
Referred-to: OpenBSD
We define the 'MBUF_CLEARFLAGS' based on 'M_COPYFLAGS' for the mbuf
flags to be cleared. Since we don't make use of mbuf tag for loop
detection, the wg_mbuf_reset() function becomes really simple, so I just
do mbuf resetting in wg_encrypt()/wg_decrypt() and remove this function.
Referred-to: OpenBSD
wg: Port #36: reimplement loop detection feature
The mbuf m_pkthdr has been extended to provide the 'loop_cnt' member to
help detect loops. Adapt the code to make use of it.
Referred-to: OpenBSD
The mbuf m_pkthdr has been extended to provide the 'loop_cnt' member to
help detect loops. Adapt the code to make use of it.
Referred-to: OpenBSD
wg: Assert 'sc_lock' acquired before LK_EXCLUSIVE 'so_lock'
So it's not needed to acquire the 'so_lock' in order to access the
'sc_socket' members. Comment this in wg_ioctl_get().
So it's not needed to acquire the 'so_lock' in order to access the
'sc_socket' members. Comment this in wg_ioctl_get().
wg: Add wg_timers_get_persistent_keepalive() to get PKA
In sync with wg_timers_set_persistent_keepalive(), the atomic ops is
used to get the pka value.
Referred-to: OpenBSD
In sync with wg_timers_set_persistent_keepalive(), the atomic ops is
used to get the pka value.
Referred-to: OpenBSD
wg: Implement wg_peer_{set,get}_endpoint() to set the remote endpoint
Moving the setting and getting the peer remote endpoint to their own
separate functions. This cleans up the already lengthy
wg_ioctl_{set,get}() functions.
In addition, these two functions fix the following two issues:
- The 'p_endpoint_lock' wasn't acquired before setting/getting the
endpoint address.
- The local address 'e_local' wasn't cleared when setting the remote
endpoint address.
Referred-to: OpenBSD
Moving the setting and getting the peer remote endpoint to their own
separate functions. This cleans up the already lengthy
wg_ioctl_{set,get}() functions.
In addition, these two functions fix the following two issues:
- The 'p_endpoint_lock' wasn't acquired before setting/getting the
endpoint address.
- The local address 'e_local' wasn't cleared when setting the remote
endpoint address.
Referred-to: OpenBSD
wg: Clean up wg_input() a bit and make return type 'void'
wg: Fix saving of local endpoint in wg_input()
The so_pru_soreceive() can only obtain the remote address and port, so
there is no local address to save in wg_input(). Remove the wrong code
of saving the local endpoint from wg_input().
In addition, rename 'sa' to 'from' in wg_upcall() to make this more
clear.
The so_pru_soreceive() can only obtain the remote address and port, so
there is no local address to save in wg_input(). Remove the wrong code
of saving the local endpoint from wg_input().
In addition, rename 'sa' to 'from' in wg_upcall() to make this more
clear.
wg: Treat zero birthdate as expired in noise's timer_expired()
wg: Change several noise functions to return boolean for clarity
wg: Remove unnecessary wg_init()
The ifp->if_init() routine is required only for Ethernet drivers, so
it's unnecessary and actually unused here. Just remove it to avoid any
confusion.
The ifp->if_init() routine is required only for Ethernet drivers, so
it's unnecessary and actually unused here. Just remove it to avoid any
confusion.
wg: Allow to set persistent-keepalive regardless of peer status
It was unable to set persistent-keepalive when the peer was disabled,
which was inconvenient and unnecessary. For example, one can configure
the interface and peers before finally making the interface UP.
It was unable to set persistent-keepalive when the peer was disabled,
which was inconvenient and unnecessary. For example, one can configure
the interface and peers before finally making the interface UP.
wg: Improve the return types of noise handshake functions
- Change noise_create_initiation() and noise_create_response() to return
a boolean.
- Change noise_consume_initiation() and noise_consume_response() to
return the corresponding remote, with another reference acquired.
As a result, the 'struct noise_remote **' parameter is obsolete and
removed.
- Update the callers in if_wg.c accordingly.
Referred to Linux's version.
- Change noise_create_initiation() and noise_create_response() to return
a boolean.
- Change noise_consume_initiation() and noise_consume_response() to
return the corresponding remote, with another reference acquired.
As a result, the 'struct noise_remote **' parameter is obsolete and
removed.
- Update the callers in if_wg.c accordingly.
Referred to Linux's version.
wg: Improve noise_begin_session()
- Merge noise_add_new_keypair() into noise_begin_session(), as it's only
used there.
- Add extra comments to explain the operations to the keypairs,
especially the index replacement in the hashtable. This helps a lot
in understanding the code.
- Change the function to return a boolean, making the callers easier to
use it.
- Merge noise_add_new_keypair() into noise_begin_session(), as it's only
used there.
- Add extra comments to explain the operations to the keypairs,
especially the index replacement in the hashtable. This helps a lot
in understanding the code.
- Change the function to return a boolean, making the callers easier to
use it.
wg: Update noise_remote_index_insert() to return the new index
This index is required by the caller, i.e., noise_create_initiation().
So make this change to help simplify the code a bit.
This index is required by the caller, i.e., noise_create_initiation().
So make this change to help simplify the code a bit.
wg: Rename keypair fields in 'noise_remote' struct for clarity
Rename keypair fields 'r_next', 'r_current' and 'r_previous' to
'r_keypair_next', 'r_keypair_current' and 'r_keypair_previous'.
Rename keypair fields 'r_next', 'r_current' and 'r_previous' to
'r_keypair_next', 'r_keypair_current' and 'r_keypair_previous'.
wg: Rename 'wg_lock' to 'wg_mtx' since shared lock is unused
wg: Don't acquire 'wg_lock' in wg_ioctl()
The ioctl() operation is already locked by the caller (interface layer),
and the 'wg_lock' is only used to protect the 'wg_list' structure, so
don't acquire this lock in wg_ioctl().
The ioctl() operation is already locked by the caller (interface layer),
and the 'wg_lock' is only used to protect the 'wg_list' structure, so
don't acquire this lock in wg_ioctl().
wg: Add 'const' qualifier to several functions in if_wg.c
wg: More style cleanups and minor updates to if_wg.c
- Clean up header inclusions.
- Add 'WG_PKT_WITH_PADDING()' and 'WG_PKT_DATA_MINLEN' macros to help
simplify some code.
- Remove unnecessary assignments that are already ensured by
kmalloc(M_ZERO).
- Rename some variables for consistency.
- Use 'int' instead of 'u_int' for cpu, in consistent with 'ncpus'.
- Use 'memcmp()' instead of 'bmcp()' for consistent with other parts.
- Remove the KKASSERT() of lock assertion from 'wg_aip_remove()', as
it's quite obvious and thus unnecessary.
- Various style adjustments and cleanups.
- Clean up header inclusions.
- Add 'WG_PKT_WITH_PADDING()' and 'WG_PKT_DATA_MINLEN' macros to help
simplify some code.
- Remove unnecessary assignments that are already ensured by
kmalloc(M_ZERO).
- Rename some variables for consistency.
- Use 'int' instead of 'u_int' for cpu, in consistent with 'ncpus'.
- Use 'memcmp()' instead of 'bmcp()' for consistent with other parts.
- Remove the KKASSERT() of lock assertion from 'wg_aip_remove()', as
it's quite obvious and thus unnecessary.
- Various style adjustments and cleanups.
wg: Style cleanups and minor updates to wg_noise.[ch]
- Remove unnecessary assignments that are already ensured by
kmalloc(M_ZERO).
- Use sizeof() in bzero()/explicit_bzero() to simplify the code.
- Improve noise_kdf() by adding KKASSERT() to check the arguments,
by adding comments to blake2s_hmac() arguments.
- Swap the 'arg' and 'public' parameters to look more sensible.
- Move inline functions to the file top.
- Rename noise_timer_expired() to timer_expired(), similar to the same
function in 'wg_cookie.c'.
- Change 'ENOSPC' to 'ENOMEM' for consistency.
- Add 'static' qualifier to the MALLOC_DEFINE().
- Fix and adjust the comments a bit.
- Adjust code style to align with ours.
- Remove unnecessary assignments that are already ensured by
kmalloc(M_ZERO).
- Use sizeof() in bzero()/explicit_bzero() to simplify the code.
- Improve noise_kdf() by adding KKASSERT() to check the arguments,
by adding comments to blake2s_hmac() arguments.
- Swap the 'arg' and 'public' parameters to look more sensible.
- Move inline functions to the file top.
- Rename noise_timer_expired() to timer_expired(), similar to the same
function in 'wg_cookie.c'.
- Change 'ENOSPC' to 'ENOMEM' for consistency.
- Add 'static' qualifier to the MALLOC_DEFINE().
- Fix and adjust the comments a bit.
- Adjust code style to align with ours.
wg: Change some functions to return boolean for clarity
These functions are used in 'if' conditional, so only a boolean return
value if necessary. Change them to return a boolean to make the code
read more clearly.
These functions are used in 'if' conditional, so only a boolean return
value if necessary. Change them to return a boolean to make the code
read more clearly.
wg: Simplify various COUNTER_* macros in wg_noise.c
wg: Improve noise_remote_keys() to copy PSK only if set
wg: Port #35: refactor noise keypair functions to avoid epoch
- Refactor the functions to avoid using epoch or deferred operations.
So noise_keypair_put() is simplified and remove the obsolete
noise_keypair_smr_free() function.
- Remove 'refcount_acquire_if_not_zero()' and use plain refcount instead,
since there's no more deferred frees.
- Use shared locks instead of epoch sections; meanwhile, rename
'r_keypair_mtx' to 'r_keypair_lock' because it now supports both
shared and exclusive locks.
- Refactor the functions to avoid using epoch or deferred operations.
So noise_keypair_put() is simplified and remove the obsolete
noise_keypair_smr_free() function.
- Remove 'refcount_acquire_if_not_zero()' and use plain refcount instead,
since there's no more deferred frees.
- Use shared locks instead of epoch sections; meanwhile, rename
'r_keypair_mtx' to 'r_keypair_lock' because it now supports both
shared and exclusive locks.
wg: Port #34: adapt if_wg.c to not use epoch
The relevant code is already using atomic operations. I don't think the
epoch, especially the NET global epoch, is actually required here. So I
decided to remove the epoch operations; however, wg_timers_disable() has
been changed to use callout_drain() instead of callout_stop() to wait
the callout cancellation to complete.
Meanwhile, simplify wg_timers_set_persistent_keepalive() by referring to
OpenBSD's code.
The relevant code is already using atomic operations. I don't think the
epoch, especially the NET global epoch, is actually required here. So I
decided to remove the epoch operations; however, wg_timers_disable() has
been changed to use callout_drain() instead of callout_stop() to wait
the callout cancellation to complete.
Meanwhile, simplify wg_timers_set_persistent_keepalive() by referring to
OpenBSD's code.
wg: Port #33: refactor noise remote functions to avoid epoch
- Refactor the functions to avoid using epoch or deferred operations.
So noise_remote_free() is simplified and no longer requires an async
cleanup function.
- Remove 'refcount_acquire_if_not_zero()' and use plain refcount instead,
since there's no more deferred frees.
- Use shared locks instead of epoch sections; meanwhile, rename
'l_remote_mtx'/'l_index_mtx' to 'l_remote_lock'/'l_index_lock' because
they now supports both shared and exclusive locks.
- Simplify noise_remote_index_insert() and remove the unnecessary
pre-trial.
- Merge wg_peer_free_deferred() into wg_peer_destroy() and remove it.
- Refactor the functions to avoid using epoch or deferred operations.
So noise_remote_free() is simplified and no longer requires an async
cleanup function.
- Remove 'refcount_acquire_if_not_zero()' and use plain refcount instead,
since there's no more deferred frees.
- Use shared locks instead of epoch sections; meanwhile, rename
'l_remote_mtx'/'l_index_mtx' to 'l_remote_lock'/'l_index_lock' because
they now supports both shared and exclusive locks.
- Simplify noise_remote_index_insert() and remove the unnecessary
pre-trial.
- Merge wg_peer_free_deferred() into wg_peer_destroy() and remove it.
wg: Port #32: refactor interface code and avoid deferred free
- Refactor wg_clone_destroy() to not use async/deferred free, and thus
avoid the async call of wg_clone_deferred_free() via noise_local_free().
As a consequence, remove the 'l_arg' and 'l_cleanup' members from
'noise_local' struct; also remove the noise_local_arg() API.
- Fix wg_clone_destroy() to not clear 'if_softc' at the beginning of the
destruction, which fixes a panic of NULL dereference in wg_output()
via the if_purgeaddrs_nolink() call.
- Remove the 'WGF_DYING' flag and the associated obsolete code.
- Remove the 'clone_count' global as it's no longer required.
- Refactor wg_clone_destroy() to not use async/deferred free, and thus
avoid the async call of wg_clone_deferred_free() via noise_local_free().
As a consequence, remove the 'l_arg' and 'l_cleanup' members from
'noise_local' struct; also remove the noise_local_arg() API.
- Fix wg_clone_destroy() to not clear 'if_softc' at the beginning of the
destruction, which fixes a panic of NULL dereference in wg_output()
via the if_purgeaddrs_nolink() call.
- Remove the 'WGF_DYING' flag and the associated obsolete code.
- Remove the 'clone_count' global as it's no longer required.
wg: Rename enum 'wg_ring_state' to 'wg_packet_state' for consistency
wg: Make noise_local_{ref,put}() static
They're not used by external code.
They're not used by external code.
wg: Remove unused noise_remote_local() function
wg: Replace strlen() with 'sizeof' in wg_{cookie,noise}.c
Get rid of unnecessary strlen() calls.
Get rid of unnecessary strlen() calls.
wg: Export the internal peer ID to userland for diagnostics
The auto-generated internal peer ID is used in various debug messages,
so exporting it to the userland (i.e., ifconfig(8)) can help with the
diagnostics.
Update ifconfig(8) to print the added peer ID.
The auto-generated internal peer ID is used in various debug messages,
so exporting it to the userland (i.e., ifconfig(8)) can help with the
diagnostics.
Update ifconfig(8) to print the added peer ID.
wg: Rename noise_local_private() and make it return the key status
- Rename noise_local_private() to noise_local_set_private() to make it
clearer.
- Update it to return the key/identity status, so the caller don't need
to make another call of noise_local_keys().
- Simplify the caller code accordingly, and update the comments.
Referred to OpenBSD.
- Rename noise_local_private() to noise_local_set_private() to make it
clearer.
- Update it to return the key/identity status, so the caller don't need
to make another call of noise_local_keys().
- Simplify the caller code accordingly, and update the comments.
Referred to OpenBSD.
wg: Refactor socket create/bind/close operations
- Add the wg_socket_open() function to do socket creation and binding
for one AF, and then use it to simplify the wg_socket_init() function.
Meanwhil, wg_socket_bind() thus becomes obsolete and is removed.
- Clean up wg_socket_uninit(), wg_socket_set_cookie() and
wg_socket_set_sockopt().
- Add the 'so_lock' lock to protect the 'struct wg_socket' fields.
Update wg_send() accordingly.
- Add a comment about EADDRNOTAVAIL and single-stack support.
Referred to OpenBSD.
- Add the wg_socket_open() function to do socket creation and binding
for one AF, and then use it to simplify the wg_socket_init() function.
Meanwhil, wg_socket_bind() thus becomes obsolete and is removed.
- Clean up wg_socket_uninit(), wg_socket_set_cookie() and
wg_socket_set_sockopt().
- Add the 'so_lock' lock to protect the 'struct wg_socket' fields.
Update wg_send() accordingly.
- Add a comment about EADDRNOTAVAIL and single-stack support.
Referred to OpenBSD.
wg: Change 'p_id' to use type 'unsigned long'
The 'peer_counter' that is used to generate the 'p_id' is also defined
as type 'unsigned long', so it's natural to use 'unsigned long' for
'p_id'. It also simplifies the printing by using '%ld' instead of
'% PRIu64'.
The 'peer_counter' that is used to generate the 'p_id' is also defined
as type 'unsigned long', so it's natural to use 'unsigned long' for
'p_id'. It also simplifies the printing by using '%ld' instead of
'% PRIu64'.
wg: Remove the unused 'sc_ucred' field and related code
This was used in FreeBSD to control the permissions of an WG interface
in an VNET, in order to achieve something similar to Linux's network
namespace.
However, DragonFly doesn't yet support this feature, so the 'sc_ucred'
field becomes unused and thus can be removed. It's easy to get it back
when we're ready to implement this feature in the future.
This was used in FreeBSD to control the permissions of an WG interface
in an VNET, in order to achieve something similar to Linux's network
namespace.
However, DragonFly doesn't yet support this feature, so the 'sc_ucred'
field becomes unused and thus can be removed. It's easy to get it back
when we're ready to implement this feature in the future.
wg: Use 'void *buf' instead of 'uint8_t *buf' to save some casting
wg: Port #31: adapt socket functions
- Use so_pru_sockaddr() function to obtain the bound address/port.
- Add flags=0 as the required second argument to soclose().
- Our sbcreatecontrol() function doesn't accept the 'how' mflags, so
remove the 'M_NOWAIT' argument.
- Use so_pru_sockaddr() function to obtain the bound address/port.
- Add flags=0 as the required second argument to soclose().
- Our sbcreatecontrol() function doesn't accept the 'how' mflags, so
remove the 'M_NOWAIT' argument.
wg: Style cleanups and minor updates to if_wg.c
- Add 'static' qualifier to MALLOC_DEFINE().
- Remove obsolete 'TODO' markers.
- Add '__func__' to several panic() messages.
- Compare the return value of noise_keypair_received_with() to 0 instead
of ECONNRESET, making it read clearer.
- Various style adjustments and cleanups.
- Add 'static' qualifier to MALLOC_DEFINE().
- Remove obsolete 'TODO' markers.
- Add '__func__' to several panic() messages.
- Compare the return value of noise_keypair_received_with() to 0 instead
of ECONNRESET, making it read clearer.
- Various style adjustments and cleanups.
wg: Further improve wg_send_buf()
- This function is only used to send handshake packets, which are of
known length and shorter than MHLEN, so we can just allocate an mbuf
of packet header type and use plain memcpy() to copy the data.
- Set 'M_PRIO' mbuf flag to give handshake packets high priority.
(referred to OpenBSD)
- Adjust the code a bit and remove the unnecessary 'retried' variable.
- This function is only used to send handshake packets, which are of
known length and shorter than MHLEN, so we can just allocate an mbuf
of packet header type and use plain memcpy() to copy the data.
- Set 'M_PRIO' mbuf flag to give handshake packets high priority.
(referred to OpenBSD)
- Adjust the code a bit and remove the unnecessary 'retried' variable.
wg: Port #30: replace m_get2() with m_getl()
Our m_getl() has the similar semantics to FreeBSD's m_get2(): it will
allocate an mbuf cluster if the requested size is big enough. However,
m_getl() wouldn't return NULL simply because the requested size exceeds
the cluster size (MCLBYTES), but FreeBSD's m_get2() would just return
NULL, which is OK because the wg_send_buf() only sends handshake packets
of known and limited lengths.
Our m_getl() has the similar semantics to FreeBSD's m_get2(): it will
allocate an mbuf cluster if the requested size is big enough. However,
m_getl() wouldn't return NULL simply because the requested size exceeds
the cluster size (MCLBYTES), but FreeBSD's m_get2() would just return
NULL, which is OK because the wg_send_buf() only sends handshake packets
of known and limited lengths.
wg: Use karc4random() to generate jitter
karc4random() should be enough; no need to use the more complex
karc4random_uniform().
karc4random() should be enough; no need to use the more complex
karc4random_uniform().
wg: Port #29: change 'ENOTCAPABLE' to 'ENOENT' for 'ENOKEY'
The 'ENOTCAPABLE' is FreeBSD-specific and means 'capabilities
insufficient'. We don't have that errno, so use ENOENT instead,
which I think is also reasonable.
The 'ENOTCAPABLE' is FreeBSD-specific and means 'capabilities
insufficient'. We don't have that errno, so use ENOENT instead,
which I think is also reasonable.
wg: Integrate version.h into if_wg.c
I think it's unnecessary to use the separate 'version.h' file to hold
the single 'WIREGUARD_VERSION' macro.
I think it's unnecessary to use the separate 'version.h' file to hold
the single 'WIREGUARD_VERSION' macro.
wg: Update copyright headers and inclusion guards
- Add the content of the ISC License to the copyright headers.
- Add a copyright of me to 'if_wg.c' and 'wg_noise.c', which have been
significantly updated by me.
- Rename the inclusion guards to match the style of our existing
headers.
- Add the content of the ISC License to the copyright headers.
- Add a copyright of me to 'if_wg.c' and 'wg_noise.c', which have been
significantly updated by me.
- Rename the inclusion guards to match the style of our existing
headers.
wg: Rename macro 'SELFTESTS' to 'WG_SELFTESTS'
To make it more clear and avoid possible conflicts with others.
To make it more clear and avoid possible conflicts with others.
wg: Fix and clean up header inclusions
wg: Style cleanups and minor updates to wg_cookie.[ch]
- Adjust code style to align with ours.
- Move inline functions to the file top.
- Add the 'const' qualifier to function parameters as much as possible.
- Move 'cookie_checker_validate_macs()' function to group the functions
better.
- Zero the input ratelimit struct in ratelimit_init().
- Fix and adjust the comments a bit.
- Adjust code style to align with ours.
- Move inline functions to the file top.
- Add the 'const' qualifier to function parameters as much as possible.
- Move 'cookie_checker_validate_macs()' function to group the functions
better.
- Zero the input ratelimit struct in ratelimit_init().
- Fix and adjust the comments a bit.
ifconfig.8: Add description for wg(4)
Note that the 'wgcookie' and '-wgcookie' parameters are commented out
for the moment, because they're ineffective yet.
Note that the 'wgcookie' and '-wgcookie' parameters are commented out
for the moment, because they're ineffective yet.
ifconfig(8): Show wg(4) private key and PSK if '-k' specified
ifconfig(8): Add WireGuard wg(4) support
Obtained from OpenBSD with significant modifications.
Obtained from OpenBSD with significant modifications.
wg: Port #28: adapt crypto code (chacha20poly1305)
Update to use the chacha20poly1305 implemention from
'crypto/chachapoly.[ch]'. Remove the obsolete code 'wg_crypto.c'.
Meanwhile, rename the original 'uint64_t nonce' to 'counter' to avoid
confusing with the 96-bit nonce (byte string) of ChaCha20-Poly1305.
Update to use the chacha20poly1305 implemention from
'crypto/chachapoly.[ch]'. Remove the obsolete code 'wg_crypto.c'.
Meanwhile, rename the original 'uint64_t nonce' to 'counter' to avoid
confusing with the 96-bit nonce (byte string) of ChaCha20-Poly1305.
wg: Port #27: adapt crypto code (curve25519, blake2s, siphash)
I've imported OpenBSD's blake2s implementation to 'crypto/blake2s', so
don't need the 'COMPAT_NEED_BLAKE2S' code in 'wg_crypto.c'.
I've imported OpenBSD's blake2s implementation to 'crypto/blake2s', so
don't need the 'COMPAT_NEED_BLAKE2S' code in 'wg_crypto.c'.
wg: Port #26: adapt the radix code for peer allowed IPs
- Create a global mask tree and share it with all peers' AIP trees.
- Add the 'sc_aip_lock' lock to protect both the IPv4 and IPv6 trees.
- Refactor the handling of various cases in wg_aip_add() to make the
logic more clear.
- Refactor wg_aip_remove_all() to simplify the code.
- Create a global mask tree and share it with all peers' AIP trees.
- Add the 'sc_aip_lock' lock to protect both the IPv4 and IPv6 trees.
- Refactor the handling of various cases in wg_aip_add() to make the
logic more clear.
- Refactor wg_aip_remove_all() to simplify the code.
wg: Port #25: replace wmb() with cpu_sfence()
Meanwhile, comment briefly about the memory fence usage.
Meanwhile, comment briefly about the memory fence usage.
wg: Port #24: replace netisr_dispatch() with netisr_queue()
While there, tweak a bit the assertion and conditional on 'pkt->p_af'.
While there, tweak a bit the assertion and conditional on 'pkt->p_af'.
wg: Port #23: replace gtaskqueue with taskqueue(9) API
While DragonFly has already imported FreeBSD gtaskqueue API, I
personally think its implementation is unnecessarily complex, so I
decided to replace it with the simpler taskqueue(9) API.
I emulate the gtaskqueue_drain() API by randomly choosing one taskqueue
among all CPUs for the task to distribute the work load. The randomly
chosen taskqueues are kept in the struct along with the task, so new
struct fields are added accordingly.
While DragonFly has already imported FreeBSD gtaskqueue API, I
personally think its implementation is unnecessarily complex, so I
decided to replace it with the simpler taskqueue(9) API.
I emulate the gtaskqueue_drain() API by randomly choosing one taskqueue
among all CPUs for the task to distribute the work load. The randomly
chosen taskqueues are kept in the struct along with the task, so new
struct fields are added accordingly.
wg: Port #22: replace udp_set_kernel_tunneling() with socket upcall
Implement the wg_upcall() function as the socket's so_upcall() method to
receive data from the kernel socket. Adjust the original wg_input()
function to process the received data from wg_upcall(). Since we
already read the UDP data from the socket, so there is no more UDP
header in the given mbuf packet.
Adjust the socreate() invocation; however, we still need to perform
extra ucred check to achieve the wanted permission controls.
Also replace sosend() with so_pru_sosend(), as suggested by its
description in <sys/socketops.h>.
Implement the wg_upcall() function as the socket's so_upcall() method to
receive data from the kernel socket. Adjust the original wg_input()
function to process the received data from wg_upcall(). Since we
already read the UDP data from the socket, so there is no more UDP
header in the given mbuf packet.
Adjust the socreate() invocation; however, we still need to perform
extra ucred check to achieve the wanted permission controls.
Also replace sosend() with so_pru_sosend(), as suggested by its
description in <sys/socketops.h>.
wg: Port #21: replace sbintime_t with timespec/getnanouptime()
Partially based on OpenBSD's wg code.
Partially based on OpenBSD's wg code.
wg: Improve wg_peer_alloc() to simplify the calling
Move the necessary extra logics (i.e., noise_remote_enable() and
TAILQ_INSERT_TAIL()) from wg_ioctl_set() to wg_peer_alloc(), and thus
make it easier to be called. Actually, the updated version is more
asymmetric to wg_peer_destroy() and thus less likely to be misused.
Meanwhile, rename it to wg_peer_create() to look more consistent with
wg_peer_destroy().
Referred-to: OpenBSD
Move the necessary extra logics (i.e., noise_remote_enable() and
TAILQ_INSERT_TAIL()) from wg_ioctl_set() to wg_peer_alloc(), and thus
make it easier to be called. Actually, the updated version is more
asymmetric to wg_peer_destroy() and thus less likely to be misused.
Meanwhile, rename it to wg_peer_create() to look more consistent with
wg_peer_destroy().
Referred-to: OpenBSD
wg: Port #20: rewrite ioctl API based on OpenBSD's version
DragonFly doesn't support the nv(9) API and I don't want to port it from
FreeBSD. So rewrite the ioctl API based on OpenBSD's version, which
uses the wg_interface_io/wg_peer_io/wg_aip_io structs and is more
straightforward.
- Replace if_wg.h with OpenBSD's version, with minor style adjustments.
- Replace 'WG_INTERFACE_HAS_RTABLE' with 'WG_INTERFACE_HAS_COOKIE', as
the FreeBSD WG supports the latter.
- Add compile-time assertions to make sure WG_KEY_SIZE is big enough.
- Replace 'wg_timespec64' struct with the standard 'timespec' struct
since the former is no longer needed.
- Bring in custom peer description support from OpenBSD.
I'll later port the WG support to ifconfig(8) from OpenBSD as well.
DragonFly doesn't support the nv(9) API and I don't want to port it from
FreeBSD. So rewrite the ioctl API based on OpenBSD's version, which
uses the wg_interface_io/wg_peer_io/wg_aip_io structs and is more
straightforward.
- Replace if_wg.h with OpenBSD's version, with minor style adjustments.
- Replace 'WG_INTERFACE_HAS_RTABLE' with 'WG_INTERFACE_HAS_COOKIE', as
the FreeBSD WG supports the latter.
- Add compile-time assertions to make sure WG_KEY_SIZE is big enough.
- Replace 'wg_timespec64' struct with the standard 'timespec' struct
since the former is no longer needed.
- Bring in custom peer description support from OpenBSD.
I'll later port the WG support to ifconfig(8) from OpenBSD as well.
wg: Port #19: adjust callout(9) API and replace MSEC_2_TICKS() macro
wg: Port #18: adjust arc4random* functions
wg: Port #17: adapt ifp->if_output() routine
Remove the original unsupported/unnecessary wg_transmit() routine, and
combine the wg_xmit() routine into wg_output() routine, and then adapt
it to our if_output() API.
WireGuard already implements the wg_queue API to queue the output
packets for encryption before sending, so we don't have to use any
if_snd/ifq/ifaltq_subque, thus ifp->if_start() can also be ignored.
However, we still need to call ifq_set_maxlen() and ifq_set_ready()
to suppress the warning "driver didn't set altq_maxlen".
Remove the original unsupported/unnecessary wg_transmit() routine, and
combine the wg_xmit() routine into wg_output() routine, and then adapt
it to our if_output() API.
WireGuard already implements the wg_queue API to queue the output
packets for encryption before sending, so we don't have to use any
if_snd/ifq/ifaltq_subque, thus ifp->if_start() can also be ignored.
However, we still need to call ifq_set_maxlen() and ifq_set_ready()
to suppress the warning "driver didn't set altq_maxlen".
wg: Port #16: remove unsupported IFCAP_LINKSTATE
wg: Port #15: adapt 'struct ifnet' related code and routines
Remove unsupported routines, like wg_qflush() and wg_reassign().
Also remove the unsupported 'IFF_DYING' workaround for IPv6. If we also
have such an issue, should fix the IPv6 code.
TODO: rework the if_output() and if_start() routines.
Remove unsupported routines, like wg_qflush() and wg_reassign().
Also remove the unsupported 'IFF_DYING' workaround for IPv6. If we also
have such an issue, should fix the IPv6 code.
TODO: rework the if_output() and if_start() routines.
wg: Port #14: replace MPASS() macro with KKASSERT()
wg: Add a missing bpfdetach() in wg_clone_destroy()
wg: Port #13: adjust the BPF tap macro
wg: Port #12: remove unsupported vnet code and use if_clone only
In addition, change the module unloading logic a bit: prevent from
unloading and return the EBUSY error if the module is still in use.
In addition, change the module unloading logic a bit: prevent from
unloading and return the EBUSY error if the module is still in use.
wg: Port #11: remove unsupported FIB code
We don't support multiple FIBs (forwarding information base), i.e.,
routing tables.
We don't support multiple FIBs (forwarding information base), i.e.,
routing tables.
wg: Port #10: replace if_inc_counter() with IFNET_STAT_INC()
wg: Port #9: replace 'mp_ncpus' with 'ncpus'
wg: Port #8: remove unsupported jail code