Added support for Realtek E2600 (Killer Ethernet Adapter E2600).
rc.d/wg: Simplify the quote() in the awk script
rc.d/wg: Fix issue in parsing a config file of no peers
A config file may have only the [interface] section but no [peer]
sections.
A config file may have only the [interface] section but no [peer]
sections.
rc.d/wg: Fix the mistake of the 'wg_config_dir' variable
Remove the local 'WG_CONFIG_DIR' variable that was used during the
development. Use the 'wg_config_dir' variable loaded from 'rc.conf'
instead.
Remove the local 'WG_CONFIG_DIR' variable that was used during the
development. Use the 'wg_config_dir' variable loaded from 'rc.conf'
instead.
crypto: Move blake2s_hmac() to its only user wg_noise.c
The blake2s_hmac() is simply an ad-hoc HMAC implementation using the
BLAKE2s hash algorithm. It's not generic; a proper solution is to
implement the HMAC construction that supports any hash algorithms.
Therefore, it's better to move blake2s_hmac() to wg_noise.c as
noise_hmac().
See also: https://git.zx2c4.com/wireguard-freebsd/commit/?id=5c5832279855722b939a381b9a291dc5ca2ee52e
The blake2s_hmac() is simply an ad-hoc HMAC implementation using the
BLAKE2s hash algorithm. It's not generic; a proper solution is to
implement the HMAC construction that supports any hash algorithms.
Therefore, it's better to move blake2s_hmac() to wg_noise.c as
noise_hmac().
See also: https://git.zx2c4.com/wireguard-freebsd/commit/?id=5c5832279855722b939a381b9a291dc5ca2ee52e
ifconfig(8): Minor cleanups to ifwg.c
Meanwhile, fix a minor typo in the error message of '-wgpka' command.
Meanwhile, fix a minor typo in the error message of '-wgpka' command.
wg: Write rc(8) script to easily manage wg(4) interfaces
This "wg" rc(8) script is somewhat similar to the "wg-quick" tool on
Linux/FreeBSD. It can be used to quickly start/stop the wg(4)
interfaces according to the wg.conf(5) configuration files in the
"/etc/wireguard" directory.
The syntax of wg.conf(5) configuration file is very similar to that
of "wg-quick" but with necessary changes and minor additions. See
wg.conf(5) for details.
On the one hand, the new "wg_enable" and "wg_interfaces" variables in
"/etc/rc.conf" can be used to auto-configure the wg(4) interfaces during
the system startup. See rc.conf(5) for more details.
On the other hand, this "wg" script can be manually called from the
command-line to start/stop the wg(4) interfaces.
Thanks to swildner for reviewing the man page.
This "wg" rc(8) script is somewhat similar to the "wg-quick" tool on
Linux/FreeBSD. It can be used to quickly start/stop the wg(4)
interfaces according to the wg.conf(5) configuration files in the
"/etc/wireguard" directory.
The syntax of wg.conf(5) configuration file is very similar to that
of "wg-quick" but with necessary changes and minor additions. See
wg.conf(5) for details.
On the one hand, the new "wg_enable" and "wg_interfaces" variables in
"/etc/rc.conf" can be used to auto-configure the wg(4) interfaces during
the system startup. See rc.conf(5) for more details.
On the other hand, this "wg" script can be manually called from the
command-line to start/stop the wg(4) interfaces.
Thanks to swildner for reviewing the man page.
rc.conf.5: Reorder "rc_conf_files" to group "rc_*" variables
wg: Change cpu_sfence() to release store + acquire load pair
Although DragonFly is currently x86-only and this is actually
unnecessary, update to use the store+load pairs for better
portability.
Although DragonFly is currently x86-only and this is actually
unnecessary, update to use the store+load pairs for better
portability.
wg: Convert BPF_MTAP_AF() macro to inline function wg_bpf_ptap()
wg: Add RXCSUM support to avoid unnecessary checksum validation
The packet that is about to be delivered in is authentic as ensured by
the AEAD tag, so we can tell the networking stack that this packet has
valid checksums and thus is unnecessary to check again.
Therefore, implement RXCSUM support for the wg interface, and update the
ioctl() to support to enable/disable this feature.
Meanwhile, move the mbuf flags clearance code just before the delivery,
i.e., netisr_queue() and wg_send().
The packet that is about to be delivered in is authentic as ensured by
the AEAD tag, so we can tell the networking stack that this packet has
valid checksums and thus is unnecessary to check again.
Therefore, implement RXCSUM support for the wg interface, and update the
ioctl() to support to enable/disable this feature.
Meanwhile, move the mbuf flags clearance code just before the delivery,
i.e., netisr_queue() and wg_send().
wg: Track noise_{local,remote,keypair} allocations to detect leaks
Use lists to track the allocations of noise_{local,remote,keypair}
structs, and then assert that all of them have been freed upon the
module deinitialization.
Enclose the code within 'INVARIANTS' macro, so that it can be just
ignored when performance is important.
Use lists to track the allocations of noise_{local,remote,keypair}
structs, and then assert that all of them have been freed upon the
module deinitialization.
Enclose the code within 'INVARIANTS' macro, so that it can be just
ignored when performance is important.
wg: Some code cleanups, minor improvements and comment updates
- Clean up some code logics to make the conditional flow and error
handling more smooth.
- Add and update various comments to make the code more understandable.
A large fraction of the comments are derived from the WireGuard code
in Linux/OpenBSD, and from commit messages.
- Clean up some code logics to make the conditional flow and error
handling more smooth.
- Add and update various comments to make the code more understandable.
A large fraction of the comments are derived from the WireGuard code
in Linux/OpenBSD, and from commit messages.
wg: Minor improvements to wg_ioctl_set()
- Skip allowed IPs removal for a new peer.
- Try and send staged packets if the interface is UP.
Referred to the Linux version of WireGuard.
- Skip allowed IPs removal for a new peer.
- Try and send staged packets if the interface is UP.
Referred to the Linux version of WireGuard.
wg: Improve noise_keypair_received_with()
- Optimize the check flow by directly returning if the keypair is of an
initiator.
- Add a brief function description and another comment.
- Optimize the check flow by directly returning if the keypair is of an
initiator.
- Add a brief function description and another comment.
wg: Refactor noise_keep_key_fresh_{send,recv}() functions
These two functions were derived from the Linux version where called
keep_key_fresh() in {send,receive}.c. However, they behaved differently
from their Linux version; i.e., they only checked whether the keypair
needed a refresh but didn't actually perform the refreshing. So their
name was actually misleading.
Refactor these two functions and combine them into a single function
called noise_keypair_should_refresh(), with an extra parameter to
distinguish between the sending and receiving cases.
These two functions were derived from the Linux version where called
keep_key_fresh() in {send,receive}.c. However, they behaved differently
from their Linux version; i.e., they only checked whether the keypair
needed a refresh but didn't actually perform the refreshing. So their
name was actually misleading.
Refactor these two functions and combine them into a single function
called noise_keypair_should_refresh(), with an extra parameter to
distinguish between the sending and receiving cases.
wg: Refactor cookie functions to make cookie_{checker,maker} opaque
- Rename cookie_{checker,maker}_init() to cookie_{checker,maker}_alloc(),
in symmetry with cookie_{checker,maker}_free().
- Make cookie_{checker,maker} structs opaque, and move them from
wg_cookie.h to wg_cookie.c.
- Update if_wg.c and selftest code accordingly.
- Rename cookie_{checker,maker}_init() to cookie_{checker,maker}_alloc(),
in symmetry with cookie_{checker,maker}_free().
- Make cookie_{checker,maker} structs opaque, and move them from
wg_cookie.h to wg_cookie.c.
- Update if_wg.c and selftest code accordingly.
wg: Refactor and improve determine_af_and_pullup() and xmit_err()
Meanwhile, clean up and improve wg_output(); simplifying the error
handling a lot.
Meanwhile, clean up and improve wg_output(); simplifying the error
handling a lot.
wg: Cleanup static function prototypes in if_wg.c
- Group the static function prototypes.
- Remove unnecessary prototypes.
- Style cleanups.
- Group the static function prototypes.
- Remove unnecessary prototypes.
- Style cleanups.
wg: Improve wg_clone_destroy() and wg_down()
- Move the cancellation of tasks from wg_clone_destroy() to wg_down(),
which is actually more appropriate.
- Just call wg_down() in wg_clone_destroy() to reduce duplicate code.
- No need to call if_purgeaddrs_nolink(), as it will be called by
if_detach().
- Detach and free the interface before destroying the aip radix trees,
in order to avoid possible panics.
- Move the cancellation of tasks from wg_clone_destroy() to wg_down(),
which is actually more appropriate.
- Just call wg_down() in wg_clone_destroy() to reduce duplicate code.
- No need to call if_purgeaddrs_nolink(), as it will be called by
if_detach().
- Detach and free the interface before destroying the aip radix trees,
in order to avoid possible panics.
wg: Simplify socket so_lock scope and init/uninit
Move the init/uninit of the so_lock to wg_socket_init() and
wg_socket_uninit() respectively, making its scope more clear.
Move the init/uninit of the so_lock to wg_socket_init() and
wg_socket_uninit() respectively, making its scope more clear.
wg: Clean up noise_keypair_counter_check() a bit
Remove '++recv' together with the '+ 1' calculation, so the code nows
becomes more understandable, and the conditional of
'kp->kp_counter_recv >= REJECT_AFTER_MESSAGES' also becomes the same as
the one in noise_keypair_decrypt(); so it reduces the confusion between
them. The selftest is also passed. (Referred to OpenBSD)
In addition, add brief comments to describe the 'kp_counter_send' and
'kp_counter_recv'.
Remove '++recv' together with the '+ 1' calculation, so the code nows
becomes more understandable, and the conditional of
'kp->kp_counter_recv >= REJECT_AFTER_MESSAGES' also becomes the same as
the one in noise_keypair_decrypt(); so it reduces the confusion between
them. The selftest is also passed. (Referred to OpenBSD)
In addition, add brief comments to describe the 'kp_counter_send' and
'kp_counter_recv'.
wg: Improve noise_keypair_counter_check() to return different errnos
Use different errnos (i.e., EINVAL, ESTALE, EEXIST) for different
failure cases in noise_keypair_counter_check(). Meanwhile, update the
selftest code to test this function more vigorously.
In addition, add function description and comments to help understand
it.
Use different errnos (i.e., EINVAL, ESTALE, EEXIST) for different
failure cases in noise_keypair_counter_check(). Meanwhile, update the
selftest code to test this function more vigorously.
In addition, add function description and comments to help understand
it.
wg: Reorganize wg_packet and wg_queue functions
- Move the wg_packet and wg_queue functions to the beginning part, which
seems more appropriate.
- Remove the unnecessary function prototypes.
- Add a brief description about the various queues, especially about the
parallel and serial queues.
- Add several more comments to help understand the code.
No functional changes.
- Move the wg_packet and wg_queue functions to the beginning part, which
seems more appropriate.
- Remove the unnecessary function prototypes.
- Add a brief description about the various queues, especially about the
parallel and serial queues.
- Add several more comments to help understand the code.
No functional changes.
wg: Make peer ID start from 1 (instead of 0)
Use '++peer_counter' instead of 'peer_counter++' to generate the peer
ID, so make it start from 1.
Since 'peer_counter' is only used in wg_peer_create(), so move it into
this function. In addition, drop the unnecessary 'volatile' qualifier,
because it's accessed with the 'sc_lock' exclusively hold.
Use '++peer_counter' instead of 'peer_counter++' to generate the peer
ID, so make it start from 1.
Since 'peer_counter' is only used in wg_peer_create(), so move it into
this function. In addition, drop the unnecessary 'volatile' qualifier,
because it's accessed with the 'sc_lock' exclusively hold.
wg: Rename wg_softc_*() functions to wg_*_worker()
This makes the code more understandable.
Referred-to: OpenBSD
This makes the code more understandable.
Referred-to: OpenBSD
wg: Add and improve WG_PKT_* macros to help clean up the code
- Add WG_PKT_IS_INITIATION, WG_PKT_IS_RESPONSE, WG_PKT_IS_COOKIE,
and WG_PKT_IS_DATA macros.
- Extend the original WG_PKT_DATA_MINLEN macro to be
WG_PKT_ENCRYPTED_LEN(n).
- Add WG_PKT_IS_INITIATION, WG_PKT_IS_RESPONSE, WG_PKT_IS_COOKIE,
and WG_PKT_IS_DATA macros.
- Extend the original WG_PKT_DATA_MINLEN macro to be
WG_PKT_ENCRYPTED_LEN(n).
wg: Clean up and improve wg_deliver_{in,out}() logic
- Refactor the code flow and avoid the 'goto' cases.
- Add 'oerrors' increment statement to wg_send(), pairing with the
existing 'opackets' and 'obytes' increments; this make the code more
clear.
- Assign 'mycpuid' to a local variable, avoiding repeated fetches within
the loop.
- Add comment about why to always trigger the keepalive timers.
- Refactor the code flow and avoid the 'goto' cases.
- Add 'oerrors' increment statement to wg_send(), pairing with the
existing 'opackets' and 'obytes' increments; this make the code more
clear.
- Assign 'mycpuid' to a local variable, avoiding repeated fetches within
the loop.
- Add comment about why to always trigger the keepalive timers.
wg: Optimize wg_peer_{get,set}_endpoint()
Similar to wg_peer_set_endpoint(), perform a comparion before really
coping the endpoint, saving unnecessary lockings.
In addition, add __predict_true() for the comparions.
Similar to wg_peer_set_endpoint(), perform a comparion before really
coping the endpoint, saving unnecessary lockings.
In addition, add __predict_true() for the comparions.
wg: Fix panic of "user address access from kernel mode"
Well, it never happened on my development VirtualBox VM, but always
happened on my desktop. Fix it. Actually, I made this mistake when
porting the code from OpenBSD.
Well, it never happened on my development VirtualBox VM, but always
happened on my desktop. Fix it. Actually, I made this mistake when
porting the code from OpenBSD.
Bump copyright year
ifconfig(8): Minor code and style cleanups
No functional changes.
No functional changes.
ifconfig(8): Change some 'int' variables to 'bool' whenever possible
I'd like to change 'doalias' as well, but it seems to require 3 states,
so leave it alone this moment.
I'd like to change 'doalias' as well, but it seems to require 3 states,
so leave it alone this moment.
ifconfig(8): Fix bug in interface address configuration
When the interface name had a length of >= 8, the address configuration
would fail with the ENXIO error, i.e., "no such interface".
This bug was made by me in commit c29ec76. It was caused by the
interface was truncated because the destination buffer size was wrongly
determined, as I was using sizeof() on a 'void *' pointer instead of the
actual interface name buffer.
Fix it by directly using IFNAMSIZ instead of sizeof().
When the interface name had a length of >= 8, the address configuration
would fail with the ENXIO error, i.e., "no such interface".
This bug was made by me in commit c29ec76. It was caused by the
interface was truncated because the destination buffer size was wrongly
determined, as I was using sizeof() on a 'void *' pointer instead of the
actual interface name buffer.
Fix it by directly using IFNAMSIZ instead of sizeof().
wg: Flush v4 routes for v6 randomized test to reduce the test time
The validation method uses a simple list to store all the routes in a
sorted way so that it can be looked up and verify the lookup results
of the radix tree. The list method can be really slow when there are
many routes, so the randomized test can take ~80 minutes on my test box.
Separate the v4 and v6 tests to significantly reduce the test time (e.g.,
from ~80 minutes to ~15 minutes).
The validation method uses a simple list to store all the routes in a
sorted way so that it can be looked up and verify the lookup results
of the radix tree. The list method can be really slow when there are
many routes, so the randomized test can take ~80 minutes on my test box.
Separate the v4 and v6 tests to significantly reduce the test time (e.g.,
from ~80 minutes to ~15 minutes).
wg: Update makefile with (commented) selftest defines
wg: Refactor selftest allowedips.c
- Refactor multiple functions and macros to make the implementation read
better.
- Fix some memory free issues upon errors; e.g., kfree() panics if the
given pointer is NULL.
- Add progress reports for the randomized test as it can take really
long time (e.g., ~80 minutes on my test box).
- Various improvements and style cleanups.
- Refactor multiple functions and macros to make the implementation read
better.
- Fix some memory free issues upon errors; e.g., kfree() panics if the
given pointer is NULL.
- Add progress reports for the randomized test as it can take really
long time (e.g., ~80 minutes on my test box).
- Various improvements and style cleanups.
wg: Port selftest allowedips.c
wg: Style cleanups and minor updates to selftest cookie.c and counter.c
- Style cleanups to make them consistent.
- Add '#undef' to cleanup defines.
- Add MIT license contents to file headers.
- Tweak 'for' loops in noise_counter_selftest() to make them more clear.
- Rename 'rl' to be 'rl_test'; rename 'MESSAGE_LEN' to be
'T_MESSAGE_LEN'.
- Remove unnecessary '[0 ... INITIATIONS_BURSTABLE - 1]' initialization
designator, and thus save one GNU extension.
- Style cleanups to make them consistent.
- Add '#undef' to cleanup defines.
- Add MIT license contents to file headers.
- Tweak 'for' loops in noise_counter_selftest() to make them more clear.
- Rename 'rl' to be 'rl_test'; rename 'MESSAGE_LEN' to be
'T_MESSAGE_LEN'.
- Remove unnecessary '[0 ... INITIATIONS_BURSTABLE - 1]' initialization
designator, and thus save one GNU extension.
wg: Port selftest cookie.c and counter.c
Note that 'int sleep_time' would overflow in calculating the tsleep()
timeout ticks, so change it to 'uint64_t' type.
Note that 'int sleep_time' would overflow in calculating the tsleep()
timeout ticks, so change it to 'uint64_t' type.
wg: Import selftest code from wireguard-freebsd
URL: https://git.zx2c4.com/wireguard-freebsd/
Files:
- src/selftest/allowedips.c
- src/selftest/cookie.c
- src/selftest/counter.c
URL: https://git.zx2c4.com/wireguard-freebsd/
Files:
- src/selftest/allowedips.c
- src/selftest/cookie.c
- src/selftest/counter.c
kernel: Add the 'wg' option and list it in LINT64
wg: Hook to the build system
wg: Adapt the man page to match our version
wg: Rewrite the module Makefile
wg: Prevent wg_{cookie,noise}.h from including by userland
Since our build system currently would install all headers (i.e., '*.h')
in 'sys/net/wg' directory, but actually only the 'if_wg.h' is required
by userland, i.e., ifconfig(8). So add the '_KERNEL' guard to prevent
the other two headers from including by userland.
Nonetheless, the build system should be improved in the future.
Since our build system currently would install all headers (i.e., '*.h')
in 'sys/net/wg' directory, but actually only the 'if_wg.h' is required
by userland, i.e., ifconfig(8). So add the '_KERNEL' guard to prevent
the other two headers from including by userland.
Nonetheless, the build system should be improved in the future.
wg: Reset the obsolete version number to 1
The version number meant the snapshot date of the wireguard-freebsd [0],
but it's obsolete now, because there is no more active development
there. In addition, this port has been diverged a lot from the FreeBSD
version. So just reset the version number to 1 for simplicity.
[0] wireguard-freebsd: https://git.zx2c4.com/wireguard-freebsd
The version number meant the snapshot date of the wireguard-freebsd [0],
but it's obsolete now, because there is no more active development
there. In addition, this port has been diverged a lot from the FreeBSD
version. So just reset the version number to 1 for simplicity.
[0] wireguard-freebsd: https://git.zx2c4.com/wireguard-freebsd
wg: Fix noise_remote_alloc() to acquire 'l_identity_lock' lock
The 'l_identity_lock' lock must be acquired to access 'l_has_identity'
and 'l_private' members; i.e., noise_precompute_ss() must be called with
the 'l_identity_lock' locked. So fix noise_remote_alloc() to acquire
the lock before calling noise_precompute_ss(). Meanwhile, add an
assertion to the latter to assert the required lock is held.
The 'l_identity_lock' lock must be acquired to access 'l_has_identity'
and 'l_private' members; i.e., noise_precompute_ss() must be called with
the 'l_identity_lock' locked. So fix noise_remote_alloc() to acquire
the lock before calling noise_precompute_ss(). Meanwhile, add an
assertion to the latter to assert the required lock is held.
wg: Fix bug in calculate_padding()
The calculation for 'pkt->p_mtu == 0' case was wrong, but it didn't
cause actual harm because currently only keepalive packets have
'p_mtu = 0' but also have a zero length.
Fix the calculation and add a comment about the keepalive packets.
The calculation for 'pkt->p_mtu == 0' case was wrong, but it didn't
cause actual harm because currently only keepalive packets have
'p_mtu = 0' but also have a zero length.
Fix the calculation and add a comment about the keepalive packets.
wg: Fix build without INET6 option
wg: Remove INET option and the 'opt_inet.h' header
DragonFly generally assumes INET always available, and doesn't actually
support an IPv6-only setup. So remove the INET option to clean up the
code a bit.
DragonFly generally assumes INET always available, and doesn't actually
support an IPv6-only setup. So remove the INET option to clean up the
code a bit.
wg: Remove unsupported endpoint.e_local and clean up related code
On DragonFly, the socket upcall and so_pru_soreceive() cannot provide
the local (i.e., destination) address of a received packet. Even if
there is the 'IP_RECVDSTADDR' control option to obtain the dst address,
but it's unsafe to use it with the socket, because the packet is queued
by the socket layer and the original packet may have been freed then.
As a result, just remove the unsupported 'e_local' part from
wg_endpoint. Meanwhile, clean up the code related to the 'e_local'
endpoint.
Moreover, DragonFly by default sends UDP packets asynchronously, so
so_pru_sosend() may just return 0 even if the packet fails to send.
Therefore, there is no much point to check its return code and retry
the sending. Remove the retry code from wg_send_buf() and the
'EADDRNOTAVAIL' check code from wg_deliver_out().
On DragonFly, the socket upcall and so_pru_soreceive() cannot provide
the local (i.e., destination) address of a received packet. Even if
there is the 'IP_RECVDSTADDR' control option to obtain the dst address,
but it's unsafe to use it with the socket, because the packet is queued
by the socket layer and the original packet may have been freed then.
As a result, just remove the unsupported 'e_local' part from
wg_endpoint. Meanwhile, clean up the code related to the 'e_local'
endpoint.
Moreover, DragonFly by default sends UDP packets asynchronously, so
so_pru_sosend() may just return 0 even if the packet fails to send.
Therefore, there is no much point to check its return code and retry
the sending. Remove the retry code from wg_send_buf() and the
'EADDRNOTAVAIL' check code from wg_deliver_out().
wg: Port #37: reimplement wg_mbuf_reset()
We define the 'MBUF_CLEARFLAGS' based on 'M_COPYFLAGS' for the mbuf
flags to be cleared. Since we don't make use of mbuf tag for loop
detection, the wg_mbuf_reset() function becomes really simple, so I just
do mbuf resetting in wg_encrypt()/wg_decrypt() and remove this function.
Referred-to: OpenBSD
We define the 'MBUF_CLEARFLAGS' based on 'M_COPYFLAGS' for the mbuf
flags to be cleared. Since we don't make use of mbuf tag for loop
detection, the wg_mbuf_reset() function becomes really simple, so I just
do mbuf resetting in wg_encrypt()/wg_decrypt() and remove this function.
Referred-to: OpenBSD
wg: Port #36: reimplement loop detection feature
The mbuf m_pkthdr has been extended to provide the 'loop_cnt' member to
help detect loops. Adapt the code to make use of it.
Referred-to: OpenBSD
The mbuf m_pkthdr has been extended to provide the 'loop_cnt' member to
help detect loops. Adapt the code to make use of it.
Referred-to: OpenBSD
wg: Assert 'sc_lock' acquired before LK_EXCLUSIVE 'so_lock'
So it's not needed to acquire the 'so_lock' in order to access the
'sc_socket' members. Comment this in wg_ioctl_get().
So it's not needed to acquire the 'so_lock' in order to access the
'sc_socket' members. Comment this in wg_ioctl_get().
wg: Add wg_timers_get_persistent_keepalive() to get PKA
In sync with wg_timers_set_persistent_keepalive(), the atomic ops is
used to get the pka value.
Referred-to: OpenBSD
In sync with wg_timers_set_persistent_keepalive(), the atomic ops is
used to get the pka value.
Referred-to: OpenBSD
wg: Implement wg_peer_{set,get}_endpoint() to set the remote endpoint
Moving the setting and getting the peer remote endpoint to their own
separate functions. This cleans up the already lengthy
wg_ioctl_{set,get}() functions.
In addition, these two functions fix the following two issues:
- The 'p_endpoint_lock' wasn't acquired before setting/getting the
endpoint address.
- The local address 'e_local' wasn't cleared when setting the remote
endpoint address.
Referred-to: OpenBSD
Moving the setting and getting the peer remote endpoint to their own
separate functions. This cleans up the already lengthy
wg_ioctl_{set,get}() functions.
In addition, these two functions fix the following two issues:
- The 'p_endpoint_lock' wasn't acquired before setting/getting the
endpoint address.
- The local address 'e_local' wasn't cleared when setting the remote
endpoint address.
Referred-to: OpenBSD
wg: Clean up wg_input() a bit and make return type 'void'
wg: Fix saving of local endpoint in wg_input()
The so_pru_soreceive() can only obtain the remote address and port, so
there is no local address to save in wg_input(). Remove the wrong code
of saving the local endpoint from wg_input().
In addition, rename 'sa' to 'from' in wg_upcall() to make this more
clear.
The so_pru_soreceive() can only obtain the remote address and port, so
there is no local address to save in wg_input(). Remove the wrong code
of saving the local endpoint from wg_input().
In addition, rename 'sa' to 'from' in wg_upcall() to make this more
clear.
wg: Treat zero birthdate as expired in noise's timer_expired()
wg: Change several noise functions to return boolean for clarity
wg: Remove unnecessary wg_init()
The ifp->if_init() routine is required only for Ethernet drivers, so
it's unnecessary and actually unused here. Just remove it to avoid any
confusion.
The ifp->if_init() routine is required only for Ethernet drivers, so
it's unnecessary and actually unused here. Just remove it to avoid any
confusion.
wg: Allow to set persistent-keepalive regardless of peer status
It was unable to set persistent-keepalive when the peer was disabled,
which was inconvenient and unnecessary. For example, one can configure
the interface and peers before finally making the interface UP.
It was unable to set persistent-keepalive when the peer was disabled,
which was inconvenient and unnecessary. For example, one can configure
the interface and peers before finally making the interface UP.
wg: Improve the return types of noise handshake functions
- Change noise_create_initiation() and noise_create_response() to return
a boolean.
- Change noise_consume_initiation() and noise_consume_response() to
return the corresponding remote, with another reference acquired.
As a result, the 'struct noise_remote **' parameter is obsolete and
removed.
- Update the callers in if_wg.c accordingly.
Referred to Linux's version.
- Change noise_create_initiation() and noise_create_response() to return
a boolean.
- Change noise_consume_initiation() and noise_consume_response() to
return the corresponding remote, with another reference acquired.
As a result, the 'struct noise_remote **' parameter is obsolete and
removed.
- Update the callers in if_wg.c accordingly.
Referred to Linux's version.
wg: Improve noise_begin_session()
- Merge noise_add_new_keypair() into noise_begin_session(), as it's only
used there.
- Add extra comments to explain the operations to the keypairs,
especially the index replacement in the hashtable. This helps a lot
in understanding the code.
- Change the function to return a boolean, making the callers easier to
use it.
- Merge noise_add_new_keypair() into noise_begin_session(), as it's only
used there.
- Add extra comments to explain the operations to the keypairs,
especially the index replacement in the hashtable. This helps a lot
in understanding the code.
- Change the function to return a boolean, making the callers easier to
use it.
wg: Update noise_remote_index_insert() to return the new index
This index is required by the caller, i.e., noise_create_initiation().
So make this change to help simplify the code a bit.
This index is required by the caller, i.e., noise_create_initiation().
So make this change to help simplify the code a bit.
wg: Rename keypair fields in 'noise_remote' struct for clarity
Rename keypair fields 'r_next', 'r_current' and 'r_previous' to
'r_keypair_next', 'r_keypair_current' and 'r_keypair_previous'.
Rename keypair fields 'r_next', 'r_current' and 'r_previous' to
'r_keypair_next', 'r_keypair_current' and 'r_keypair_previous'.
wg: Rename 'wg_lock' to 'wg_mtx' since shared lock is unused
wg: Don't acquire 'wg_lock' in wg_ioctl()
The ioctl() operation is already locked by the caller (interface layer),
and the 'wg_lock' is only used to protect the 'wg_list' structure, so
don't acquire this lock in wg_ioctl().
The ioctl() operation is already locked by the caller (interface layer),
and the 'wg_lock' is only used to protect the 'wg_list' structure, so
don't acquire this lock in wg_ioctl().
wg: Add 'const' qualifier to several functions in if_wg.c
wg: More style cleanups and minor updates to if_wg.c
- Clean up header inclusions.
- Add 'WG_PKT_WITH_PADDING()' and 'WG_PKT_DATA_MINLEN' macros to help
simplify some code.
- Remove unnecessary assignments that are already ensured by
kmalloc(M_ZERO).
- Rename some variables for consistency.
- Use 'int' instead of 'u_int' for cpu, in consistent with 'ncpus'.
- Use 'memcmp()' instead of 'bmcp()' for consistent with other parts.
- Remove the KKASSERT() of lock assertion from 'wg_aip_remove()', as
it's quite obvious and thus unnecessary.
- Various style adjustments and cleanups.
- Clean up header inclusions.
- Add 'WG_PKT_WITH_PADDING()' and 'WG_PKT_DATA_MINLEN' macros to help
simplify some code.
- Remove unnecessary assignments that are already ensured by
kmalloc(M_ZERO).
- Rename some variables for consistency.
- Use 'int' instead of 'u_int' for cpu, in consistent with 'ncpus'.
- Use 'memcmp()' instead of 'bmcp()' for consistent with other parts.
- Remove the KKASSERT() of lock assertion from 'wg_aip_remove()', as
it's quite obvious and thus unnecessary.
- Various style adjustments and cleanups.
wg: Style cleanups and minor updates to wg_noise.[ch]
- Remove unnecessary assignments that are already ensured by
kmalloc(M_ZERO).
- Use sizeof() in bzero()/explicit_bzero() to simplify the code.
- Improve noise_kdf() by adding KKASSERT() to check the arguments,
by adding comments to blake2s_hmac() arguments.
- Swap the 'arg' and 'public' parameters to look more sensible.
- Move inline functions to the file top.
- Rename noise_timer_expired() to timer_expired(), similar to the same
function in 'wg_cookie.c'.
- Change 'ENOSPC' to 'ENOMEM' for consistency.
- Add 'static' qualifier to the MALLOC_DEFINE().
- Fix and adjust the comments a bit.
- Adjust code style to align with ours.
- Remove unnecessary assignments that are already ensured by
kmalloc(M_ZERO).
- Use sizeof() in bzero()/explicit_bzero() to simplify the code.
- Improve noise_kdf() by adding KKASSERT() to check the arguments,
by adding comments to blake2s_hmac() arguments.
- Swap the 'arg' and 'public' parameters to look more sensible.
- Move inline functions to the file top.
- Rename noise_timer_expired() to timer_expired(), similar to the same
function in 'wg_cookie.c'.
- Change 'ENOSPC' to 'ENOMEM' for consistency.
- Add 'static' qualifier to the MALLOC_DEFINE().
- Fix and adjust the comments a bit.
- Adjust code style to align with ours.
wg: Change some functions to return boolean for clarity
These functions are used in 'if' conditional, so only a boolean return
value if necessary. Change them to return a boolean to make the code
read more clearly.
These functions are used in 'if' conditional, so only a boolean return
value if necessary. Change them to return a boolean to make the code
read more clearly.
wg: Simplify various COUNTER_* macros in wg_noise.c
wg: Improve noise_remote_keys() to copy PSK only if set
wg: Port #35: refactor noise keypair functions to avoid epoch
- Refactor the functions to avoid using epoch or deferred operations.
So noise_keypair_put() is simplified and remove the obsolete
noise_keypair_smr_free() function.
- Remove 'refcount_acquire_if_not_zero()' and use plain refcount instead,
since there's no more deferred frees.
- Use shared locks instead of epoch sections; meanwhile, rename
'r_keypair_mtx' to 'r_keypair_lock' because it now supports both
shared and exclusive locks.
- Refactor the functions to avoid using epoch or deferred operations.
So noise_keypair_put() is simplified and remove the obsolete
noise_keypair_smr_free() function.
- Remove 'refcount_acquire_if_not_zero()' and use plain refcount instead,
since there's no more deferred frees.
- Use shared locks instead of epoch sections; meanwhile, rename
'r_keypair_mtx' to 'r_keypair_lock' because it now supports both
shared and exclusive locks.
wg: Port #34: adapt if_wg.c to not use epoch
The relevant code is already using atomic operations. I don't think the
epoch, especially the NET global epoch, is actually required here. So I
decided to remove the epoch operations; however, wg_timers_disable() has
been changed to use callout_drain() instead of callout_stop() to wait
the callout cancellation to complete.
Meanwhile, simplify wg_timers_set_persistent_keepalive() by referring to
OpenBSD's code.
The relevant code is already using atomic operations. I don't think the
epoch, especially the NET global epoch, is actually required here. So I
decided to remove the epoch operations; however, wg_timers_disable() has
been changed to use callout_drain() instead of callout_stop() to wait
the callout cancellation to complete.
Meanwhile, simplify wg_timers_set_persistent_keepalive() by referring to
OpenBSD's code.
wg: Port #33: refactor noise remote functions to avoid epoch
- Refactor the functions to avoid using epoch or deferred operations.
So noise_remote_free() is simplified and no longer requires an async
cleanup function.
- Remove 'refcount_acquire_if_not_zero()' and use plain refcount instead,
since there's no more deferred frees.
- Use shared locks instead of epoch sections; meanwhile, rename
'l_remote_mtx'/'l_index_mtx' to 'l_remote_lock'/'l_index_lock' because
they now supports both shared and exclusive locks.
- Simplify noise_remote_index_insert() and remove the unnecessary
pre-trial.
- Merge wg_peer_free_deferred() into wg_peer_destroy() and remove it.
- Refactor the functions to avoid using epoch or deferred operations.
So noise_remote_free() is simplified and no longer requires an async
cleanup function.
- Remove 'refcount_acquire_if_not_zero()' and use plain refcount instead,
since there's no more deferred frees.
- Use shared locks instead of epoch sections; meanwhile, rename
'l_remote_mtx'/'l_index_mtx' to 'l_remote_lock'/'l_index_lock' because
they now supports both shared and exclusive locks.
- Simplify noise_remote_index_insert() and remove the unnecessary
pre-trial.
- Merge wg_peer_free_deferred() into wg_peer_destroy() and remove it.
wg: Port #32: refactor interface code and avoid deferred free
- Refactor wg_clone_destroy() to not use async/deferred free, and thus
avoid the async call of wg_clone_deferred_free() via noise_local_free().
As a consequence, remove the 'l_arg' and 'l_cleanup' members from
'noise_local' struct; also remove the noise_local_arg() API.
- Fix wg_clone_destroy() to not clear 'if_softc' at the beginning of the
destruction, which fixes a panic of NULL dereference in wg_output()
via the if_purgeaddrs_nolink() call.
- Remove the 'WGF_DYING' flag and the associated obsolete code.
- Remove the 'clone_count' global as it's no longer required.
- Refactor wg_clone_destroy() to not use async/deferred free, and thus
avoid the async call of wg_clone_deferred_free() via noise_local_free().
As a consequence, remove the 'l_arg' and 'l_cleanup' members from
'noise_local' struct; also remove the noise_local_arg() API.
- Fix wg_clone_destroy() to not clear 'if_softc' at the beginning of the
destruction, which fixes a panic of NULL dereference in wg_output()
via the if_purgeaddrs_nolink() call.
- Remove the 'WGF_DYING' flag and the associated obsolete code.
- Remove the 'clone_count' global as it's no longer required.
wg: Rename enum 'wg_ring_state' to 'wg_packet_state' for consistency
wg: Make noise_local_{ref,put}() static
They're not used by external code.
They're not used by external code.
wg: Remove unused noise_remote_local() function
wg: Replace strlen() with 'sizeof' in wg_{cookie,noise}.c
Get rid of unnecessary strlen() calls.
Get rid of unnecessary strlen() calls.
wg: Export the internal peer ID to userland for diagnostics
The auto-generated internal peer ID is used in various debug messages,
so exporting it to the userland (i.e., ifconfig(8)) can help with the
diagnostics.
Update ifconfig(8) to print the added peer ID.
The auto-generated internal peer ID is used in various debug messages,
so exporting it to the userland (i.e., ifconfig(8)) can help with the
diagnostics.
Update ifconfig(8) to print the added peer ID.
wg: Rename noise_local_private() and make it return the key status
- Rename noise_local_private() to noise_local_set_private() to make it
clearer.
- Update it to return the key/identity status, so the caller don't need
to make another call of noise_local_keys().
- Simplify the caller code accordingly, and update the comments.
Referred to OpenBSD.
- Rename noise_local_private() to noise_local_set_private() to make it
clearer.
- Update it to return the key/identity status, so the caller don't need
to make another call of noise_local_keys().
- Simplify the caller code accordingly, and update the comments.
Referred to OpenBSD.
wg: Refactor socket create/bind/close operations
- Add the wg_socket_open() function to do socket creation and binding
for one AF, and then use it to simplify the wg_socket_init() function.
Meanwhil, wg_socket_bind() thus becomes obsolete and is removed.
- Clean up wg_socket_uninit(), wg_socket_set_cookie() and
wg_socket_set_sockopt().
- Add the 'so_lock' lock to protect the 'struct wg_socket' fields.
Update wg_send() accordingly.
- Add a comment about EADDRNOTAVAIL and single-stack support.
Referred to OpenBSD.
- Add the wg_socket_open() function to do socket creation and binding
for one AF, and then use it to simplify the wg_socket_init() function.
Meanwhil, wg_socket_bind() thus becomes obsolete and is removed.
- Clean up wg_socket_uninit(), wg_socket_set_cookie() and
wg_socket_set_sockopt().
- Add the 'so_lock' lock to protect the 'struct wg_socket' fields.
Update wg_send() accordingly.
- Add a comment about EADDRNOTAVAIL and single-stack support.
Referred to OpenBSD.
wg: Change 'p_id' to use type 'unsigned long'
The 'peer_counter' that is used to generate the 'p_id' is also defined
as type 'unsigned long', so it's natural to use 'unsigned long' for
'p_id'. It also simplifies the printing by using '%ld' instead of
'% PRIu64'.
The 'peer_counter' that is used to generate the 'p_id' is also defined
as type 'unsigned long', so it's natural to use 'unsigned long' for
'p_id'. It also simplifies the printing by using '%ld' instead of
'% PRIu64'.
wg: Remove the unused 'sc_ucred' field and related code
This was used in FreeBSD to control the permissions of an WG interface
in an VNET, in order to achieve something similar to Linux's network
namespace.
However, DragonFly doesn't yet support this feature, so the 'sc_ucred'
field becomes unused and thus can be removed. It's easy to get it back
when we're ready to implement this feature in the future.
This was used in FreeBSD to control the permissions of an WG interface
in an VNET, in order to achieve something similar to Linux's network
namespace.
However, DragonFly doesn't yet support this feature, so the 'sc_ucred'
field becomes unused and thus can be removed. It's easy to get it back
when we're ready to implement this feature in the future.
wg: Use 'void *buf' instead of 'uint8_t *buf' to save some casting
wg: Port #31: adapt socket functions
- Use so_pru_sockaddr() function to obtain the bound address/port.
- Add flags=0 as the required second argument to soclose().
- Our sbcreatecontrol() function doesn't accept the 'how' mflags, so
remove the 'M_NOWAIT' argument.
- Use so_pru_sockaddr() function to obtain the bound address/port.
- Add flags=0 as the required second argument to soclose().
- Our sbcreatecontrol() function doesn't accept the 'how' mflags, so
remove the 'M_NOWAIT' argument.
wg: Style cleanups and minor updates to if_wg.c
- Add 'static' qualifier to MALLOC_DEFINE().
- Remove obsolete 'TODO' markers.
- Add '__func__' to several panic() messages.
- Compare the return value of noise_keypair_received_with() to 0 instead
of ECONNRESET, making it read clearer.
- Various style adjustments and cleanups.
- Add 'static' qualifier to MALLOC_DEFINE().
- Remove obsolete 'TODO' markers.
- Add '__func__' to several panic() messages.
- Compare the return value of noise_keypair_received_with() to 0 instead
of ECONNRESET, making it read clearer.
- Various style adjustments and cleanups.
wg: Further improve wg_send_buf()
- This function is only used to send handshake packets, which are of
known length and shorter than MHLEN, so we can just allocate an mbuf
of packet header type and use plain memcpy() to copy the data.
- Set 'M_PRIO' mbuf flag to give handshake packets high priority.
(referred to OpenBSD)
- Adjust the code a bit and remove the unnecessary 'retried' variable.
- This function is only used to send handshake packets, which are of
known length and shorter than MHLEN, so we can just allocate an mbuf
of packet header type and use plain memcpy() to copy the data.
- Set 'M_PRIO' mbuf flag to give handshake packets high priority.
(referred to OpenBSD)
- Adjust the code a bit and remove the unnecessary 'retried' variable.
wg: Port #30: replace m_get2() with m_getl()
Our m_getl() has the similar semantics to FreeBSD's m_get2(): it will
allocate an mbuf cluster if the requested size is big enough. However,
m_getl() wouldn't return NULL simply because the requested size exceeds
the cluster size (MCLBYTES), but FreeBSD's m_get2() would just return
NULL, which is OK because the wg_send_buf() only sends handshake packets
of known and limited lengths.
Our m_getl() has the similar semantics to FreeBSD's m_get2(): it will
allocate an mbuf cluster if the requested size is big enough. However,
m_getl() wouldn't return NULL simply because the requested size exceeds
the cluster size (MCLBYTES), but FreeBSD's m_get2() would just return
NULL, which is OK because the wg_send_buf() only sends handshake packets
of known and limited lengths.
wg: Use karc4random() to generate jitter
karc4random() should be enough; no need to use the more complex
karc4random_uniform().
karc4random() should be enough; no need to use the more complex
karc4random_uniform().
wg: Port #29: change 'ENOTCAPABLE' to 'ENOENT' for 'ENOKEY'
The 'ENOTCAPABLE' is FreeBSD-specific and means 'capabilities
insufficient'. We don't have that errno, so use ENOENT instead,
which I think is also reasonable.
The 'ENOTCAPABLE' is FreeBSD-specific and means 'capabilities
insufficient'. We don't have that errno, so use ENOENT instead,
which I think is also reasonable.
wg: Integrate version.h into if_wg.c
I think it's unnecessary to use the separate 'version.h' file to hold
the single 'WIREGUARD_VERSION' macro.
I think it's unnecessary to use the separate 'version.h' file to hold
the single 'WIREGUARD_VERSION' macro.
wg: Update copyright headers and inclusion guards
- Add the content of the ISC License to the copyright headers.
- Add a copyright of me to 'if_wg.c' and 'wg_noise.c', which have been
significantly updated by me.
- Rename the inclusion guards to match the style of our existing
headers.
- Add the content of the ISC License to the copyright headers.
- Add a copyright of me to 'if_wg.c' and 'wg_noise.c', which have been
significantly updated by me.
- Rename the inclusion guards to match the style of our existing
headers.
wg: Rename macro 'SELFTESTS' to 'WG_SELFTESTS'
To make it more clear and avoid possible conflicts with others.
To make it more clear and avoid possible conflicts with others.
wg: Fix and clean up header inclusions
wg: Style cleanups and minor updates to wg_cookie.[ch]
- Adjust code style to align with ours.
- Move inline functions to the file top.
- Add the 'const' qualifier to function parameters as much as possible.
- Move 'cookie_checker_validate_macs()' function to group the functions
better.
- Zero the input ratelimit struct in ratelimit_init().
- Fix and adjust the comments a bit.
- Adjust code style to align with ours.
- Move inline functions to the file top.
- Add the 'const' qualifier to function parameters as much as possible.
- Move 'cookie_checker_validate_macs()' function to group the functions
better.
- Zero the input ratelimit struct in ratelimit_init().
- Fix and adjust the comments a bit.