diff -r aeca55f561e5 -r 4d8a91b5a3c0 sys/kern/subr_thmap.c --- a/sys/kern/subr_thmap.c Fri Aug 28 01:45:43 2020 +0000 +++ b/sys/kern/subr_thmap.c Sun Aug 30 22:12:24 2020 +0000 @@ -96,6 +96,7 @@ #include #include #include +#include #define THMAP_RCSID(a) __KERNEL_RCSID(0, a) #else #include @@ -113,6 +114,8 @@ THMAP_RCSID("$NetBSD: subr_thmap.c,v 1.6 2020/05/23 19:52:12 rmind Exp $"); +#include + /* * NetBSD kernel wrappers */ @@ -135,6 +138,7 @@ THMAP_RCSID("$NetBSD: subr_thmap.c,v 1.6 * The hash function produces 32-bit values. */ +#define HASHVAL_SEEDLEN (16) #define HASHVAL_BITS (32) #define HASHVAL_MOD (HASHVAL_BITS - 1) #define HASHVAL_SHIFT (5) @@ -201,6 +205,7 @@ typedef struct { } thmap_leaf_t; typedef struct { + const uint8_t * seed; // secret seed unsigned rslot; // root-level slot index unsigned level; // current level in the tree unsigned hashidx; // current hash index (block of bits) @@ -221,6 +226,7 @@ struct thmap { unsigned flags; const thmap_ops_t * ops; thmap_gc_t * gc_list; // C11 _Atomic + uint8_t seed[HASHVAL_SEEDLEN]; }; static void stage_mem_gc(thmap_t *, uintptr_t, size_t); @@ -291,11 +297,41 @@ unlock_node(thmap_inode_t *node) * HASH VALUE AND KEY OPERATIONS. */ -static inline void -hashval_init(thmap_query_t *query, const void * restrict key, size_t len) +static inline uint32_t +hash(const uint8_t seed[static HASHVAL_SEEDLEN], const void *key, size_t len, + uint32_t level) { - const uint32_t hashval = murmurhash3(key, len, 0); + struct blake2s B; + uint32_t h; + + if (level == 0) + return murmurhash3(key, len, 0); + /* + * Byte order is not significant here because this is + * intentionally secret and independent for each thmap. + * + * XXX We get 32 bytes of output at a time; we could march + * through them sequentially rather than throwing away 28 bytes + * and recomputing BLAKE2 each time. But the number of + * iterations ought to be geometric in the collision + * probability at each level which should be very small anyway. + */ + blake2s_init(&B, sizeof h, seed, HASHVAL_SEEDLEN); + blake2s_update(&B, &level, sizeof level); + blake2s_update(&B, key, len); + blake2s_final(&B, &h); + + return h; +} + +static inline void +hashval_init(thmap_query_t *query, const uint8_t seed[static HASHVAL_SEEDLEN], + const void * restrict key, size_t len) +{ + const uint32_t hashval = hash(seed, key, len, 0); + + query->seed = seed; query->rslot = ((hashval >> ROOT_MSBITS) ^ len) & ROOT_MASK; query->level = 0; query->hashval = hashval; @@ -315,7 +351,7 @@ hashval_getslot(thmap_query_t *query, co if (query->hashidx != i) { /* Generate a hash value for a required range. */ - query->hashval = murmurhash3(key, len, i); + query->hashval = hash(query->seed, key, len, i); query->hashidx = i; } return (query->hashval >> shift) & LEVEL_MASK; @@ -330,7 +366,7 @@ hashval_getleafslot(const thmap_t *thmap const unsigned shift = offset & HASHVAL_MOD; const unsigned i = offset >> HASHVAL_SHIFT; - return (murmurhash3(key, leaf->len, i) >> shift) & LEVEL_MASK; + return (hash(thmap->seed, key, leaf->len, i) >> shift) & LEVEL_MASK; } static inline unsigned @@ -627,7 +663,7 @@ thmap_get(thmap_t *thmap, const void *ke thmap_leaf_t *leaf; unsigned slot; - hashval_init(&query, key, len); + hashval_init(&query, thmap->seed, key, len); parent = find_edge_node(thmap, &query, key, len, &slot); if (!parent) { return NULL; @@ -664,7 +700,7 @@ thmap_put(thmap_t *thmap, const void *ke if (__predict_false(!leaf)) { return NULL; } - hashval_init(&query, key, len); + hashval_init(&query, thmap->seed, key, len); retry: /* * Try to insert into the root first, if its slot is empty. @@ -780,7 +816,7 @@ thmap_del(thmap_t *thmap, const void *ke unsigned slot; void *val; - hashval_init(&query, key, len); + hashval_init(&query, thmap->seed, key, len); parent = find_edge_node_locked(thmap, &query, key, len, &slot); if (!parent) { /* Root slot empty: not found. */ @@ -954,6 +990,9 @@ thmap_create(uintptr_t baseptr, const th memset(thmap->root, 0, THMAP_ROOT_LEN); atomic_thread_fence(memory_order_release); /* XXX */ } + + cprng_strong(kern_cprng, thmap->seed, sizeof thmap->seed, 0); + return thmap; } diff -r aeca55f561e5 -r 4d8a91b5a3c0 sys/net/if_wg.c --- a/sys/net/if_wg.c Fri Aug 28 01:45:43 2020 +0000 +++ b/sys/net/if_wg.c Sun Aug 30 22:12:24 2020 +0000 @@ -77,6 +77,7 @@ #include #include #include +#include #include #include @@ -136,7 +137,7 @@ * - struct wg_session represents a session of a secure tunnel with a peer * - Two instances of sessions belong to a peer; a stable session and a * unstable session - * - A handshake process of a session always starts with a unstable instace + * - A handshake process of a session always starts with a unstable instance * - Once a session is established, its instance becomes stable and the * other becomes unstable instead * - Data messages are always sent via a stable session @@ -144,25 +145,22 @@ * Locking notes: * - wg interfaces (struct wg_softc, wg) is listed in wg_softcs.list and * protected by wg_softcs.lock - * - Each wg has a mutex(9) and a rwlock(9) - * - The mutex (wg_lock) protects its peer list (wg_peers) - * - A peer on the list is also protected by pserialize(9) or psref(9) + * - Each wg has a mutex(9) wg_lock, and a rwlock(9) wg_rwlock + * - Changes to the peer list are serialized by wg_lock + * - The peer list may be read with pserialize(9) and psref(9) * - The rwlock (wg_rwlock) protects the routing tables (wg_rtable_ipv[46]) - * - Each peer (struct wg_peer, wgp) has a mutex - * - The mutex (wgp_lock) protects wgp_session_unstable and wgp_state - * - Each session (struct wg_session, wgs) has a mutex - * - The mutex (wgs_lock) protects its state (wgs_state) and its handshake - * states - * - wgs_state of a unstable session can be changed while it never be - * changed on a stable session, so once get a session instace via - * wgp_session_stable we can safely access wgs_state without - * holding wgs_lock - * - A session is protected by pserialize or psref like wgp + * => XXX replace by pserialize when routing table is psz-safe + * - Each peer (struct wg_peer, wgp) has a mutex wgp_lock, which can be taken + * only in thread context and serializes: + * - the stable and unstable session pointers + * - all unstable session state + * - Packet processing may be done in softint context: + * - The stable session can be read under pserialize(9) or psref(9) + * - The stable session is always ESTABLISHED * - On a session swap, we must wait for all readers to release a * reference to a stable session before changing wgs_state and * session states - * - * Lock order: wg_lock -> wgp_lock -> wgs_lock + * - Lock order: wg_lock -> wgp_lock */ @@ -443,7 +441,6 @@ struct wg_session { struct wg_peer *wgs_peer; struct psref_target wgs_psref; - kmutex_t *wgs_lock; int wgs_state; #define WGS_STATE_UNKNOWN 0 @@ -456,8 +453,8 @@ struct wg_session { time_t wgs_time_last_data_sent; bool wgs_is_initiator; - uint32_t wgs_sender_index; - uint32_t wgs_receiver_index; + uint32_t wgs_local_index; + uint32_t wgs_remote_index; #ifdef __HAVE_ATOMIC64_LOADSTORE volatile uint64_t wgs_send_counter; @@ -490,10 +487,13 @@ struct wg_sockaddr { struct psref_target wgsa_psref; }; +#define wgsatoss(wgsa) (&(wgsa)->_ss) #define wgsatosa(wgsa) (&(wgsa)->_sa) #define wgsatosin(wgsa) (&(wgsa)->_sin) #define wgsatosin6(wgsa) (&(wgsa)->_sin6) +#define wgsa_family(wgsa) (wgsatosa(wgsa)->sa_family) + struct wg_peer; struct wg_allowedip { struct radix_node wga_nodes[2]; @@ -532,23 +532,13 @@ struct wg_peer { uint8_t wgp_pubkey[WG_STATIC_KEY_LEN]; struct wg_sockaddr *wgp_endpoint; -#define wgp_ss wgp_endpoint->_ss -#define wgp_sa wgp_endpoint->_sa -#define wgp_sin wgp_endpoint->_sin -#define wgp_sin6 wgp_endpoint->_sin6 struct wg_sockaddr *wgp_endpoint0; - bool wgp_endpoint_changing; + volatile unsigned wgp_endpoint_changing; bool wgp_endpoint_available; /* The preshared key (optional) */ uint8_t wgp_psk[WG_PRESHARED_KEY_LEN]; - int wgp_state; -#define WGP_STATE_INIT 0 -#define WGP_STATE_ESTABLISHED 1 -#define WGP_STATE_GIVEUP 2 -#define WGP_STATE_DESTROYING 3 - void *wgp_si; pcq_t *wgp_q; @@ -585,9 +575,11 @@ struct wg_peer { volatile unsigned int wgp_tasks; #define WGP_TASK_SEND_INIT_MESSAGE __BIT(0) -#define WGP_TASK_ENDPOINT_CHANGED __BIT(1) -#define WGP_TASK_SEND_KEEPALIVE_MESSAGE __BIT(2) -#define WGP_TASK_DESTROY_PREV_SESSION __BIT(3) +#define WGP_TASK_RETRY_HANDSHAKE __BIT(1) +#define WGP_TASK_ESTABLISH_SESSION __BIT(2) +#define WGP_TASK_ENDPOINT_CHANGED __BIT(3) +#define WGP_TASK_SEND_KEEPALIVE_MESSAGE __BIT(4) +#define WGP_TASK_DESTROY_PREV_SESSION __BIT(5) }; struct wg_ops; @@ -603,6 +595,9 @@ struct wg_softc { int wg_npeers; struct pslist_head wg_peers; + struct thmap *wg_peers_bypubkey; + struct thmap *wg_peers_byname; + struct thmap *wg_sessions_byindex; uint16_t wg_listen_port; struct wg_worker *wg_worker; @@ -649,8 +644,8 @@ static int wg_send_data_msg(struct wg_pe struct mbuf *); static int wg_send_cookie_msg(struct wg_softc *, struct wg_peer *, const uint32_t, const uint8_t [], const struct sockaddr *); -static int wg_send_handshake_msg_resp(struct wg_softc *, - struct wg_peer *, const struct wg_msg_init *); +static int wg_send_handshake_msg_resp(struct wg_softc *, struct wg_peer *, + struct wg_session *, const struct wg_msg_init *); static void wg_send_keepalive_msg(struct wg_peer *, struct wg_session *); static struct wg_peer * @@ -669,7 +664,6 @@ static void wg_update_endpoint_if_necess static void wg_schedule_rekey_timer(struct wg_peer *); static void wg_schedule_session_dtor_timer(struct wg_peer *); -static void wg_stop_session_dtor_timer(struct wg_peer *); static bool wg_is_underload(struct wg_softc *, struct wg_peer *, int); static void wg_calculate_keys(struct wg_session *, const bool); @@ -689,6 +683,8 @@ static int wg_bind_port(struct wg_softc static int wg_init(struct ifnet *); static void wg_stop(struct ifnet *, int); +static void wg_purge_pending_packets(struct wg_peer *); + static int wg_clone_create(struct if_clone *, int); static int wg_clone_destroy(struct ifnet *); @@ -1025,7 +1021,7 @@ wg_algo_aead_enc(uint8_t out[], size_t e long long unsigned int outsize; int error __diagused; - memcpy(&nonce[4], &counter, sizeof(counter)); + le64enc(&nonce[4], counter); error = crypto_aead_chacha20poly1305_ietf_encrypt(out, &outsize, plain, plainsize, auth, authlen, NULL, nonce, key); @@ -1042,7 +1038,7 @@ wg_algo_aead_dec(uint8_t out[], size_t e long long unsigned int outsize; int error; - memcpy(&nonce[4], &counter, sizeof(counter)); + le64enc(&nonce[4], counter); error = crypto_aead_chacha20poly1305_ietf_decrypt(out, &outsize, NULL, encrypted, encryptedsize, auth, authlen, nonce, key); @@ -1069,8 +1065,7 @@ wg_algo_xaead_enc(uint8_t out[], const s static int wg_algo_xaead_dec(uint8_t out[], const size_t expected_outsize, - const uint8_t key[], const uint64_t counter, - const uint8_t encrypted[], const size_t encryptedsize, + const uint8_t key[], const uint8_t encrypted[], const size_t encryptedsize, const uint8_t auth[], size_t authlen, const uint8_t nonce[WG_SALT_LEN]) { @@ -1099,19 +1094,17 @@ wg_algo_tai64n(wg_timestamp_t timestamp) be32enc(timestamp + 8, ts.tv_nsec); } -static struct wg_session * -wg_get_unstable_session(struct wg_peer *wgp, struct psref *psref) -{ - int s; - struct wg_session *wgs; - - s = pserialize_read_enter(); - wgs = wgp->wgp_session_unstable; - psref_acquire(psref, &wgs->wgs_psref, wg_psref_class); - pserialize_read_exit(s); - return wgs; -} - +/* + * wg_get_stable_session(wgp, psref) + * + * Get a passive reference to the current stable session, or + * return NULL if there is no current stable session. + * + * The pointer is always there but the session is not necessarily + * ESTABLISHED; if it is not ESTABLISHED, return NULL. However, + * the session may transition from ESTABLISHED to DESTROYING while + * holding the passive reference. + */ static struct wg_session * wg_get_stable_session(struct wg_peer *wgp, struct psref *psref) { @@ -1119,46 +1112,105 @@ wg_get_stable_session(struct wg_peer *wg struct wg_session *wgs; s = pserialize_read_enter(); - wgs = wgp->wgp_session_stable; - psref_acquire(psref, &wgs->wgs_psref, wg_psref_class); + wgs = atomic_load_consume(&wgp->wgp_session_stable); + if (__predict_false(wgs->wgs_state != WGS_STATE_ESTABLISHED)) + wgs = NULL; + else + psref_acquire(psref, &wgs->wgs_psref, wg_psref_class); pserialize_read_exit(s); + return wgs; } static void -wg_get_session(struct wg_session *wgs, struct psref *psref) -{ - - psref_acquire(psref, &wgs->wgs_psref, wg_psref_class); -} - -static void wg_put_session(struct wg_session *wgs, struct psref *psref) { psref_release(psref, &wgs->wgs_psref, wg_psref_class); } -static struct wg_session * -wg_lock_unstable_session(struct wg_peer *wgp) +static void +wg_destroy_session(struct wg_softc *wg, struct wg_session *wgs) +{ + struct wg_peer *wgp = wgs->wgs_peer; + struct wg_session *wgs0 __diagused; + void *garbage; + + KASSERT(mutex_owned(wgp->wgp_lock)); + KASSERT(wgs->wgs_state != WGS_STATE_UNKNOWN); + + /* Remove the session from the table. */ + wgs0 = thmap_del(wg->wg_sessions_byindex, + &wgs->wgs_local_index, sizeof(wgs->wgs_local_index)); + KASSERT(wgs0 == wgs); + garbage = thmap_stage_gc(wg->wg_sessions_byindex); + + /* Wait for passive references to drain. */ + pserialize_perform(wgp->wgp_psz); + psref_target_destroy(&wgs->wgs_psref, wg_psref_class); + + /* Free memory, zero state, and transition to UNKNOWN. */ + thmap_gc(wg->wg_sessions_byindex, garbage); + wg_clear_states(wgs); + wgs->wgs_state = WGS_STATE_UNKNOWN; +} + +/* + * wg_get_session_index(wg, wgs) + * + * Choose a session index for wgs->wgs_local_index, and store it + * in wg's table of sessions by index. + * + * wgs must be the unstable session of its peer, and must be + * transitioning out of the UNKNOWN state. + */ +static void +wg_get_session_index(struct wg_softc *wg, struct wg_session *wgs) { - struct wg_session *wgs; - - mutex_enter(wgp->wgp_lock); - wgs = wgp->wgp_session_unstable; - mutex_enter(wgs->wgs_lock); - mutex_exit(wgp->wgp_lock); - return wgs; + struct wg_peer *wgp __diagused = wgs->wgs_peer; + struct wg_session *wgs0; + uint32_t index; + + KASSERT(mutex_owned(wgp->wgp_lock)); + KASSERT(wgs == wgp->wgp_session_unstable); + KASSERT(wgs->wgs_state == WGS_STATE_UNKNOWN); + + do { + /* Pick a uniform random index. */ + index = cprng_strong32(); + + /* Try to take it. */ + wgs->wgs_local_index = index; + wgs0 = thmap_put(wg->wg_sessions_byindex, + &wgs->wgs_local_index, sizeof wgs->wgs_local_index, wgs); + + /* If someone else beat us, start over. */ + } while (__predict_false(wgs0 != wgs)); } -#if 0 +/* + * wg_put_session_index(wg, wgs) + * + * Remove wgs from the table of sessions by index, wait for any + * passive references to drain, and transition the session to the + * UNKNOWN state. + * + * wgs must be the unstable session of its peer, and must not be + * UNKNOWN or ESTABLISHED. + */ static void -wg_unlock_session(struct wg_peer *wgp, struct wg_session *wgs) +wg_put_session_index(struct wg_softc *wg, struct wg_session *wgs) { - - mutex_exit(wgs->wgs_lock); + struct wg_peer *wgp = wgs->wgs_peer; + + KASSERT(mutex_owned(wgp->wgp_lock)); + KASSERT(wgs == wgp->wgp_session_unstable); + KASSERT(wgs->wgs_state != WGS_STATE_UNKNOWN); + KASSERT(wgs->wgs_state != WGS_STATE_ESTABLISHED); + + wg_destroy_session(wg, wgs); + psref_target_init(&wgs->wgs_psref, wg_psref_class); } -#endif /* * Handshake patterns @@ -1192,8 +1244,12 @@ wg_fill_msg_init(struct wg_softc *wg, st uint8_t pubkey[WG_EPHEMERAL_KEY_LEN]; uint8_t privkey[WG_EPHEMERAL_KEY_LEN]; - wgmi->wgmi_type = WG_MSG_TYPE_INIT; - wgmi->wgmi_sender = cprng_strong32(); + KASSERT(mutex_owned(wgp->wgp_lock)); + KASSERT(wgs == wgp->wgp_session_unstable); + KASSERT(wgs->wgs_state == WGS_STATE_INIT_ACTIVE); + + wgmi->wgmi_type = htole32(WG_MSG_TYPE_INIT); + wgmi->wgmi_sender = wgs->wgs_local_index; /* [W] 5.4.2: First Message: Initiator to Responder */ @@ -1268,8 +1324,7 @@ wg_fill_msg_init(struct wg_softc *wg, st memcpy(wgs->wgs_ephemeral_key_priv, privkey, sizeof(privkey)); memcpy(wgs->wgs_handshake_hash, hash, sizeof(hash)); memcpy(wgs->wgs_chaining_key, ckey, sizeof(ckey)); - wgs->wgs_sender_index = wgmi->wgmi_sender; - WG_DLOG("%s: sender=%x\n", __func__, wgs->wgs_sender_index); + WG_DLOG("%s: sender=%x\n", __func__, wgs->wgs_local_index); } static void @@ -1282,14 +1337,26 @@ wg_handle_msg_init(struct wg_softc *wg, uint8_t peer_pubkey[WG_STATIC_KEY_LEN]; struct wg_peer *wgp; struct wg_session *wgs; - bool reset_state_on_error = false; int error, ret; struct psref psref_peer; - struct psref psref_session; uint8_t mac1[WG_MAC_LEN]; WG_TRACE("init msg received"); + wg_algo_mac_mac1(mac1, sizeof(mac1), + wg->wg_pubkey, sizeof(wg->wg_pubkey), + (const uint8_t *)wgmi, offsetof(struct wg_msg_init, wgmi_mac1)); + + /* + * [W] 5.3: Denial of Service Mitigation & Cookies + * "the responder, ..., must always reject messages with an invalid + * msg.mac1" + */ + if (!consttime_memequal(mac1, wgmi->wgmi_mac1, sizeof(mac1))) { + WG_DLOG("mac1 is invalid\n"); + return; + } + /* * [W] 5.4.2: First Message: Initiator to Responder * "When the responder receives this message, it does the same @@ -1339,44 +1406,13 @@ wg_handle_msg_init(struct wg_softc *wg, return; } - wgs = wg_lock_unstable_session(wgp); - if (wgs->wgs_state == WGS_STATE_DESTROYING) { - /* - * We can assume that the peer doesn't have an established - * session, so clear it now. - */ - WG_TRACE("Session destroying, but force to clear"); - wg_stop_session_dtor_timer(wgp); - wg_clear_states(wgs); - wgs->wgs_state = WGS_STATE_UNKNOWN; - } - if (wgs->wgs_state == WGS_STATE_INIT_ACTIVE) { - WG_TRACE("Sesssion already initializing, ignoring the message"); - mutex_exit(wgs->wgs_lock); - goto out_wgp; - } - if (wgs->wgs_state == WGS_STATE_INIT_PASSIVE) { - WG_TRACE("Sesssion already initializing, destroying old states"); - wg_clear_states(wgs); - } - wgs->wgs_state = WGS_STATE_INIT_PASSIVE; - reset_state_on_error = true; - wg_get_session(wgs, &psref_session); - mutex_exit(wgs->wgs_lock); - - wg_algo_mac_mac1(mac1, sizeof(mac1), - wg->wg_pubkey, sizeof(wg->wg_pubkey), - (const uint8_t *)wgmi, offsetof(struct wg_msg_init, wgmi_mac1)); - /* - * [W] 5.3: Denial of Service Mitigation & Cookies - * "the responder, ..., must always reject messages with an invalid - * msg.mac1" + * Lock the peer to serialize access to cookie state. + * + * XXX Can we safely avoid holding the lock across DH? Take it + * just to verify mac2 and then unlock/DH/lock? */ - if (!consttime_memequal(mac1, wgmi->wgmi_mac1, sizeof(mac1))) { - WG_DLOG("mac1 is invalid\n"); - goto out; - } + mutex_enter(wgp->wgp_lock); if (__predict_false(wg_is_underload(wg, wgp, WG_MSG_TYPE_INIT))) { WG_TRACE("under load"); @@ -1443,6 +1479,37 @@ wg_handle_msg_init(struct wg_softc *wg, } memcpy(wgp->wgp_timestamp_latest_init, timestamp, sizeof(timestamp)); + /* + * Message is good -- we're committing to handle it now, unless + * we were already initiating a session. + */ + wgs = wgp->wgp_session_unstable; + switch (wgs->wgs_state) { + case WGS_STATE_UNKNOWN: /* new session initiated by peer */ + wg_get_session_index(wg, wgs); + break; + case WGS_STATE_INIT_ACTIVE: /* we're already initiating, drop */ + WG_TRACE("Session already initializing, ignoring the message"); + goto out; + case WGS_STATE_INIT_PASSIVE: /* peer is retrying, start over */ + WG_TRACE("Session already initializing, destroying old states"); + wg_clear_states(wgs); + /* keep session index */ + break; + case WGS_STATE_ESTABLISHED: /* can't happen */ + panic("unstable session can't be established"); + break; + case WGS_STATE_DESTROYING: /* rekey initiated by peer */ + WG_TRACE("Session destroying, but force to clear"); + callout_stop(&wgp->wgp_session_dtor_timer); + wg_clear_states(wgs); + /* keep session index */ + break; + default: + panic("invalid session state: %d", wgs->wgs_state); + } + wgs->wgs_state = WGS_STATE_INIT_PASSIVE; + memcpy(wgs->wgs_handshake_hash, hash, sizeof(hash)); memcpy(wgs->wgs_chaining_key, ckey, sizeof(ckey)); memcpy(wgs->wgs_ephemeral_key_peer, wgmi->wgmi_ephemeral, @@ -1450,46 +1517,16 @@ wg_handle_msg_init(struct wg_softc *wg, wg_update_endpoint_if_necessary(wgp, src); - (void)wg_send_handshake_msg_resp(wg, wgp, wgmi); + (void)wg_send_handshake_msg_resp(wg, wgp, wgs, wgmi); wg_calculate_keys(wgs, false); wg_clear_states(wgs); - wg_put_session(wgs, &psref_session); - wg_put_peer(wgp, &psref_peer); - return; - out: - if (reset_state_on_error) { - mutex_enter(wgs->wgs_lock); - KASSERT(wgs->wgs_state == WGS_STATE_INIT_PASSIVE); - wgs->wgs_state = WGS_STATE_UNKNOWN; - mutex_exit(wgs->wgs_lock); - } - wg_put_session(wgs, &psref_session); -out_wgp: + mutex_exit(wgp->wgp_lock); wg_put_peer(wgp, &psref_peer); } -static void -wg_schedule_handshake_timeout_timer(struct wg_peer *wgp) -{ - - mutex_enter(wgp->wgp_lock); - if (__predict_true(wgp->wgp_state != WGP_STATE_DESTROYING)) { - callout_schedule(&wgp->wgp_handshake_timeout_timer, - MIN(wg_rekey_timeout, INT_MAX/hz) * hz); - } - mutex_exit(wgp->wgp_lock); -} - -static void -wg_stop_handshake_timeout_timer(struct wg_peer *wgp) -{ - - callout_halt(&wgp->wgp_handshake_timeout_timer, NULL); -} - static struct socket * wg_get_so_by_af(struct wg_worker *wgw, const int af) { @@ -1498,10 +1535,10 @@ wg_get_so_by_af(struct wg_worker *wgw, c } static struct socket * -wg_get_so_by_peer(struct wg_peer *wgp) +wg_get_so_by_peer(struct wg_peer *wgp, struct wg_sockaddr *wgsa) { - return wg_get_so_by_af(wgp->wgp_sc->wg_worker, wgp->wgp_sa.sa_family); + return wg_get_so_by_af(wgp->wgp_sc->wg_worker, wgsa_family(wgsa)); } static struct wg_sockaddr * @@ -1511,7 +1548,7 @@ wg_get_endpoint_sa(struct wg_peer *wgp, int s; s = pserialize_read_enter(); - wgsa = wgp->wgp_endpoint; + wgsa = atomic_load_consume(&wgp->wgp_endpoint); psref_acquire(psref, &wgsa->wgsa_psref, wg_psref_class); pserialize_read_exit(s); @@ -1533,8 +1570,8 @@ wg_send_so(struct wg_peer *wgp, struct m struct psref psref; struct wg_sockaddr *wgsa; - so = wg_get_so_by_peer(wgp); wgsa = wg_get_endpoint_sa(wgp, &psref); + so = wg_get_so_by_peer(wgp, wgsa); error = sosend(so, wgsatosa(wgsa), NULL, m, NULL, 0, curlwp); wg_put_sa(wgp, wgsa, &psref); @@ -1548,27 +1585,32 @@ wg_send_handshake_msg_init(struct wg_sof struct mbuf *m; struct wg_msg_init *wgmi; struct wg_session *wgs; - struct psref psref; - - wgs = wg_lock_unstable_session(wgp); - if (wgs->wgs_state == WGS_STATE_DESTROYING) { + + KASSERT(mutex_owned(wgp->wgp_lock)); + + wgs = wgp->wgp_session_unstable; + /* XXX pull dispatch out into wg_task_send_init_message */ + switch (wgs->wgs_state) { + case WGS_STATE_UNKNOWN: /* new session initiated by us */ + wg_get_session_index(wg, wgs); + break; + case WGS_STATE_INIT_ACTIVE: /* we're already initiating, stop */ + WG_TRACE("Session already initializing, skip starting new one"); + return EBUSY; + case WGS_STATE_INIT_PASSIVE: /* peer was trying -- XXX what now? */ + WG_TRACE("Session already initializing, destroying old states"); + wg_clear_states(wgs); + /* keep session index */ + break; + case WGS_STATE_ESTABLISHED: /* can't happen */ + panic("unstable session can't be established"); + break; + case WGS_STATE_DESTROYING: /* rekey initiated by us too early */ WG_TRACE("Session destroying"); - mutex_exit(wgs->wgs_lock); /* XXX should wait? */ return EBUSY; } - if (wgs->wgs_state == WGS_STATE_INIT_ACTIVE) { - WG_TRACE("Sesssion already initializing, skip starting a new one"); - mutex_exit(wgs->wgs_lock); - return EBUSY; - } - if (wgs->wgs_state == WGS_STATE_INIT_PASSIVE) { - WG_TRACE("Sesssion already initializing, destroying old states"); - wg_clear_states(wgs); - } wgs->wgs_state = WGS_STATE_INIT_ACTIVE; - wg_get_session(wgs, &psref); - mutex_exit(wgs->wgs_lock); m = m_gethdr(M_WAIT, MT_DATA); m->m_pkthdr.len = m->m_len = sizeof(*wgmi); @@ -1581,36 +1623,35 @@ wg_send_handshake_msg_init(struct wg_sof if (wgp->wgp_handshake_start_time == 0) wgp->wgp_handshake_start_time = time_uptime; - wg_schedule_handshake_timeout_timer(wgp); + callout_schedule(&wgp->wgp_handshake_timeout_timer, + MIN(wg_rekey_timeout, INT_MAX/hz) * hz); } else { - mutex_enter(wgs->wgs_lock); - KASSERT(wgs->wgs_state == WGS_STATE_INIT_ACTIVE); - wgs->wgs_state = WGS_STATE_UNKNOWN; - mutex_exit(wgs->wgs_lock); + wg_put_session_index(wg, wgs); } - wg_put_session(wgs, &psref); return error; } static void wg_fill_msg_resp(struct wg_softc *wg, struct wg_peer *wgp, - struct wg_msg_resp *wgmr, const struct wg_msg_init *wgmi) + struct wg_session *wgs, struct wg_msg_resp *wgmr, + const struct wg_msg_init *wgmi) { uint8_t ckey[WG_CHAINING_KEY_LEN]; /* [W] 5.4.3: Cr */ uint8_t hash[WG_HASH_LEN]; /* [W] 5.4.3: Hr */ uint8_t cipher_key[WG_KDF_OUTPUT_LEN]; uint8_t pubkey[WG_EPHEMERAL_KEY_LEN]; uint8_t privkey[WG_EPHEMERAL_KEY_LEN]; - struct wg_session *wgs; - struct psref psref; - - wgs = wg_get_unstable_session(wgp, &psref); + + KASSERT(mutex_owned(wgp->wgp_lock)); + KASSERT(wgs == wgp->wgp_session_unstable); + KASSERT(wgs->wgs_state == WGS_STATE_INIT_PASSIVE); + memcpy(hash, wgs->wgs_handshake_hash, sizeof(hash)); memcpy(ckey, wgs->wgs_chaining_key, sizeof(ckey)); - wgmr->wgmr_type = WG_MSG_TYPE_RESP; - wgmr->wgmr_sender = cprng_strong32(); + wgmr->wgmr_type = htole32(WG_MSG_TYPE_RESP); + wgmr->wgmr_sender = wgs->wgs_local_index; wgmr->wgmr_receiver = wgmi->wgmi_sender; /* [W] 5.4.3 Second Message: Responder to Initiator */ @@ -1681,22 +1722,26 @@ wg_fill_msg_resp(struct wg_softc *wg, st memcpy(wgs->wgs_chaining_key, ckey, sizeof(ckey)); memcpy(wgs->wgs_ephemeral_key_pub, pubkey, sizeof(pubkey)); memcpy(wgs->wgs_ephemeral_key_priv, privkey, sizeof(privkey)); - wgs->wgs_sender_index = wgmr->wgmr_sender; - wgs->wgs_receiver_index = wgmi->wgmi_sender; - WG_DLOG("sender=%x\n", wgs->wgs_sender_index); - WG_DLOG("receiver=%x\n", wgs->wgs_receiver_index); - wg_put_session(wgs, &psref); + wgs->wgs_remote_index = wgmi->wgmi_sender; + WG_DLOG("sender=%x\n", wgs->wgs_local_index); + WG_DLOG("receiver=%x\n", wgs->wgs_remote_index); } static void wg_swap_sessions(struct wg_peer *wgp) { + struct wg_session *wgs, *wgs_prev; KASSERT(mutex_owned(wgp->wgp_lock)); - wgp->wgp_session_unstable = atomic_swap_ptr(&wgp->wgp_session_stable, - wgp->wgp_session_unstable); - KASSERT(wgp->wgp_session_stable->wgs_state == WGS_STATE_ESTABLISHED); + wgs = wgp->wgp_session_unstable; + KASSERT(wgs->wgs_state == WGS_STATE_ESTABLISHED); + + wgs_prev = wgp->wgp_session_stable; + KASSERT(wgs_prev->wgs_state == WGS_STATE_ESTABLISHED || + wgs_prev->wgs_state == WGS_STATE_UNKNOWN); + atomic_store_release(&wgp->wgp_session_stable, wgs); + wgp->wgp_session_unstable = wgs_prev; } static void @@ -1713,15 +1758,6 @@ wg_handle_msg_resp(struct wg_softc *wg, uint8_t mac1[WG_MAC_LEN]; struct wg_session *wgs_prev; - WG_TRACE("resp msg received"); - wgs = wg_lookup_session_by_index(wg, wgmr->wgmr_receiver, &psref); - if (wgs == NULL) { - WG_TRACE("No session found"); - return; - } - - wgp = wgs->wgs_peer; - wg_algo_mac_mac1(mac1, sizeof(mac1), wg->wg_pubkey, sizeof(wg->wg_pubkey), (const uint8_t *)wgmr, offsetof(struct wg_msg_resp, wgmr_mac1)); @@ -1733,6 +1769,23 @@ wg_handle_msg_resp(struct wg_softc *wg, */ if (!consttime_memequal(mac1, wgmr->wgmr_mac1, sizeof(mac1))) { WG_DLOG("mac1 is invalid\n"); + return; + } + + WG_TRACE("resp msg received"); + wgs = wg_lookup_session_by_index(wg, wgmr->wgmr_receiver, &psref); + if (wgs == NULL) { + WG_TRACE("No session found"); + return; + } + + wgp = wgs->wgs_peer; + + mutex_enter(wgp->wgp_lock); + + /* If we weren't waiting for a handshake response, drop it. */ + if (wgs->wgs_state != WGS_STATE_INIT_ACTIVE) { + WG_TRACE("peer sent spurious handshake response, ignoring"); goto out; } @@ -1829,9 +1882,10 @@ wg_handle_msg_resp(struct wg_softc *wg, memcpy(wgs->wgs_handshake_hash, hash, sizeof(wgs->wgs_handshake_hash)); memcpy(wgs->wgs_chaining_key, ckey, sizeof(wgs->wgs_chaining_key)); - wgs->wgs_receiver_index = wgmr->wgmr_sender; - WG_DLOG("receiver=%x\n", wgs->wgs_receiver_index); - + wgs->wgs_remote_index = wgmr->wgmr_sender; + WG_DLOG("receiver=%x\n", wgs->wgs_remote_index); + + KASSERT(wgs->wgs_state == WGS_STATE_INIT_ACTIVE); wgs->wgs_state = WGS_STATE_ESTABLISHED; wgs->wgs_time_established = time_uptime; wgs->wgs_time_last_data_sent = 0; @@ -1840,18 +1894,15 @@ wg_handle_msg_resp(struct wg_softc *wg, wg_clear_states(wgs); WG_TRACE("WGS_STATE_ESTABLISHED"); - wg_stop_handshake_timeout_timer(wgp); - - mutex_enter(wgp->wgp_lock); + callout_stop(&wgp->wgp_handshake_timeout_timer); + wg_swap_sessions(wgp); + KASSERT(wgs == wgp->wgp_session_stable); wgs_prev = wgp->wgp_session_unstable; - mutex_enter(wgs_prev->wgs_lock); - getnanotime(&wgp->wgp_last_handshake_time); wgp->wgp_handshake_start_time = 0; wgp->wgp_last_sent_mac1_valid = false; wgp->wgp_last_sent_cookie_valid = false; - mutex_exit(wgp->wgp_lock); wg_schedule_rekey_timer(wgp); @@ -1871,28 +1922,40 @@ wg_handle_msg_resp(struct wg_softc *wg, WG_TRACE("softint scheduled"); if (wgs_prev->wgs_state == WGS_STATE_ESTABLISHED) { + /* Wait for wg_get_stable_session to drain. */ + pserialize_perform(wgp->wgp_psz); + + /* Transition ESTABLISHED->DESTROYING. */ wgs_prev->wgs_state = WGS_STATE_DESTROYING; + /* We can't destroy the old session immediately */ wg_schedule_session_dtor_timer(wgp); + } else { + KASSERTMSG(wgs_prev->wgs_state == WGS_STATE_UNKNOWN, + "state=%d", wgs_prev->wgs_state); } - mutex_exit(wgs_prev->wgs_lock); out: + mutex_exit(wgp->wgp_lock); wg_put_session(wgs, &psref); } static int wg_send_handshake_msg_resp(struct wg_softc *wg, struct wg_peer *wgp, - const struct wg_msg_init *wgmi) + struct wg_session *wgs, const struct wg_msg_init *wgmi) { int error; struct mbuf *m; struct wg_msg_resp *wgmr; + KASSERT(mutex_owned(wgp->wgp_lock)); + KASSERT(wgs == wgp->wgp_session_unstable); + KASSERT(wgs->wgs_state == WGS_STATE_INIT_PASSIVE); + m = m_gethdr(M_WAIT, MT_DATA); m->m_pkthdr.len = m->m_len = sizeof(*wgmr); wgmr = mtod(m, struct wg_msg_resp *); - wg_fill_msg_resp(wg, wgp, wgmr, wgmi); + wg_fill_msg_resp(wg, wgp, wgs, wgmr, wgmi); error = wg->wg_ops->send_hs_msg(wgp, m); if (error == 0) @@ -1907,12 +1970,7 @@ wg_lookup_peer_by_pubkey(struct wg_softc struct wg_peer *wgp; int s = pserialize_read_enter(); - /* XXX O(n) */ - WG_PEER_READER_FOREACH(wgp, wg) { - if (consttime_memequal(wgp->wgp_pubkey, pubkey, - sizeof(wgp->wgp_pubkey))) - break; - } + wgp = thmap_get(wg->wg_peers_bypubkey, pubkey, WG_STATIC_KEY_LEN); if (wgp != NULL) wg_get_peer(wgp, psref); pserialize_read_exit(s); @@ -1931,7 +1989,9 @@ wg_fill_msg_cookie(struct wg_softc *wg, size_t addrlen; uint16_t uh_sport; /* be */ - wgmc->wgmc_type = WG_MSG_TYPE_COOKIE; + KASSERT(mutex_owned(wgp->wgp_lock)); + + wgmc->wgmc_type = htole32(WG_MSG_TYPE_COOKIE); wgmc->wgmc_receiver = sender; cprng_fast(wgmc->wgmc_salt, sizeof(wgmc->wgmc_salt)); @@ -1963,7 +2023,7 @@ wg_fill_msg_cookie(struct wg_softc *wg, } #endif default: - panic("invalid af=%d", wgp->wgp_sa.sa_family); + panic("invalid af=%d", src->sa_family); } wg_algo_mac(cookie, sizeof(cookie), @@ -1988,6 +2048,8 @@ wg_send_cookie_msg(struct wg_softc *wg, struct mbuf *m; struct wg_msg_cookie *wgmc; + KASSERT(mutex_owned(wgp->wgp_lock)); + m = m_gethdr(M_WAIT, MT_DATA); m->m_pkthdr.len = m->m_len = sizeof(*wgmc); wgmc = mtod(m, struct wg_msg_cookie *); @@ -2022,6 +2084,8 @@ static void wg_calculate_keys(struct wg_session *wgs, const bool initiator) { + KASSERT(mutex_owned(wgs->wgs_peer->wgp_lock)); + /* * [W] 5.4.5: Ti^send = Tr^recv, Ti^recv = Tr^send := KDF2(Ci = Cr, e) */ @@ -2072,6 +2136,8 @@ static void wg_clear_states(struct wg_session *wgs) { + KASSERT(mutex_owned(wgs->wgs_peer->wgp_lock)); + wgs->wgs_send_counter = 0; sliwin_reset(&wgs->wgs_recvwin->window); @@ -2088,26 +2154,15 @@ static struct wg_session * wg_lookup_session_by_index(struct wg_softc *wg, const uint32_t index, struct psref *psref) { - struct wg_peer *wgp; struct wg_session *wgs; int s = pserialize_read_enter(); - /* XXX O(n) */ - WG_PEER_READER_FOREACH(wgp, wg) { - wgs = wgp->wgp_session_stable; - WG_DLOG("index=%x wgs_sender_index=%x\n", - index, wgs->wgs_sender_index); - if (wgs->wgs_sender_index == index) - break; - wgs = wgp->wgp_session_unstable; - WG_DLOG("index=%x wgs_sender_index=%x\n", - index, wgs->wgs_sender_index); - if (wgs->wgs_sender_index == index) - break; - wgs = NULL; + wgs = thmap_get(wg->wg_sessions_byindex, &index, sizeof index); + if (wgs != NULL) { + KASSERT(atomic_load_relaxed(&wgs->wgs_state) != + WGS_STATE_UNKNOWN); + psref_acquire(psref, &wgs->wgs_psref, wg_psref_class); } - if (wgs != NULL) - psref_acquire(psref, &wgs->wgs_psref, wg_psref_class); pserialize_read_exit(s); return wgs; @@ -2164,17 +2219,16 @@ wg_schedule_peer_task(struct wg_peer *wg static void wg_change_endpoint(struct wg_peer *wgp, const struct sockaddr *new) { - - KASSERT(mutex_owned(wgp->wgp_lock)); + struct wg_sockaddr *wgsa_prev; WG_TRACE("Changing endpoint"); memcpy(wgp->wgp_endpoint0, new, new->sa_len); - wgp->wgp_endpoint0 = atomic_swap_ptr(&wgp->wgp_endpoint, - wgp->wgp_endpoint0); - if (!wgp->wgp_endpoint_available) - wgp->wgp_endpoint_available = true; - wgp->wgp_endpoint_changing = true; + wgsa_prev = wgp->wgp_endpoint; + atomic_store_release(&wgp->wgp_endpoint, wgp->wgp_endpoint0); + wgp->wgp_endpoint0 = wgsa_prev; + atomic_store_release(&wgp->wgp_endpoint_available, true); + wg_schedule_peer_task(wgp, WGP_TASK_ENDPOINT_CHANGED); } @@ -2262,13 +2316,6 @@ wg_session_dtor_timer(void *arg) WG_TRACE("enter"); - mutex_enter(wgp->wgp_lock); - if (__predict_false(wgp->wgp_state == WGP_STATE_DESTROYING)) { - mutex_exit(wgp->wgp_lock); - return; - } - mutex_exit(wgp->wgp_lock); - wg_schedule_peer_task(wgp, WGP_TASK_DESTROY_PREV_SESSION); } @@ -2280,13 +2327,6 @@ wg_schedule_session_dtor_timer(struct wg callout_schedule(&wgp->wgp_session_dtor_timer, hz); } -static void -wg_stop_session_dtor_timer(struct wg_peer *wgp) -{ - - callout_halt(&wgp->wgp_session_dtor_timer, NULL); -} - static bool sockaddr_port_match(const struct sockaddr *sa1, const struct sockaddr *sa2) { @@ -2307,10 +2347,14 @@ static void wg_update_endpoint_if_necessary(struct wg_peer *wgp, const struct sockaddr *src) { + struct wg_sockaddr *wgsa; + struct psref psref; + + wgsa = wg_get_endpoint_sa(wgp, &psref); #ifdef WG_DEBUG_LOG char oldaddr[128], newaddr[128]; - sockaddr_format(&wgp->wgp_sa, oldaddr, sizeof(oldaddr)); + sockaddr_format(wgsatosa(wgsa), oldaddr, sizeof(oldaddr)); sockaddr_format(src, newaddr, sizeof(newaddr)); WG_DLOG("old=%s, new=%s\n", oldaddr, newaddr); #endif @@ -2319,15 +2363,15 @@ wg_update_endpoint_if_necessary(struct w * III: "Since the packet has authenticated correctly, the source IP of * the outer UDP/IP packet is used to update the endpoint for peer..." */ - if (__predict_false(sockaddr_cmp(src, &wgp->wgp_sa) != 0 || - !sockaddr_port_match(src, &wgp->wgp_sa))) { - mutex_enter(wgp->wgp_lock); + if (__predict_false(sockaddr_cmp(src, wgsatosa(wgsa)) != 0 || + !sockaddr_port_match(src, wgsatosa(wgsa)))) { /* XXX We can't change the endpoint twice in a short period */ - if (!wgp->wgp_endpoint_changing) { + if (atomic_swap_uint(&wgp->wgp_endpoint_changing, 1) == 0) { wg_change_endpoint(wgp, src); } - mutex_exit(wgp->wgp_lock); } + + wg_put_sa(wgp, wgsa, &psref); } static void @@ -2339,6 +2383,7 @@ wg_handle_msg_data(struct wg_softc *wg, size_t encrypted_len, decrypted_len; struct wg_session *wgs; struct wg_peer *wgp; + int state; size_t mlen; struct psref psref; int error, af; @@ -2348,34 +2393,62 @@ wg_handle_msg_data(struct wg_softc *wg, KASSERT(m->m_len >= sizeof(struct wg_msg_data)); wgmd = mtod(m, struct wg_msg_data *); - KASSERT(wgmd->wgmd_type == WG_MSG_TYPE_DATA); + KASSERT(wgmd->wgmd_type == htole32(WG_MSG_TYPE_DATA)); WG_TRACE("data"); + /* Find the putative session, or drop. */ wgs = wg_lookup_session_by_index(wg, wgmd->wgmd_receiver, &psref); if (wgs == NULL) { WG_TRACE("No session found"); m_freem(m); return; } + + /* + * We are only ready to handle data when in INIT_PASSIVE, + * ESTABLISHED, or DESTROYING. All transitions out of that + * state dissociate the session index and drain psrefs. + */ + state = atomic_load_relaxed(&wgs->wgs_state); + switch (state) { + case WGS_STATE_UNKNOWN: + panic("wg session %p in unknown state has session index %u", + wgs, wgmd->wgmd_receiver); + case WGS_STATE_INIT_ACTIVE: + WG_TRACE("not yet ready for data"); + goto out; + case WGS_STATE_INIT_PASSIVE: + case WGS_STATE_ESTABLISHED: + case WGS_STATE_DESTROYING: + break; + } + + /* + * Get the peer, for rate-limited logs (XXX MPSAFE, dtrace) and + * to update the endpoint if authentication succeeds. + */ wgp = wgs->wgs_peer; + /* + * Reject outrageously wrong sequence numbers before doing any + * crypto work or taking any locks. + */ error = sliwin_check_fast(&wgs->wgs_recvwin->window, - wgmd->wgmd_counter); + le64toh(wgmd->wgmd_counter)); if (error) { WG_LOG_RATECHECK(&wgp->wgp_ppsratecheck, LOG_DEBUG, "out-of-window packet: %"PRIu64"\n", - wgmd->wgmd_counter); + le64toh(wgmd->wgmd_counter)); goto out; } + /* Ensure the payload and authenticator are contiguous. */ mlen = m_length(m); encrypted_len = mlen - sizeof(*wgmd); - if (encrypted_len < WG_AUTHTAG_LEN) { WG_DLOG("Short encrypted_len: %lu\n", encrypted_len); goto out; } - success = m_ensure_contig(&m, sizeof(*wgmd) + encrypted_len); if (success) { encrypted_buf = mtod(m, char *) + sizeof(*wgmd); @@ -2392,14 +2465,17 @@ wg_handle_msg_data(struct wg_softc *wg, KASSERT(m->m_len >= sizeof(*wgmd)); wgmd = mtod(m, struct wg_msg_data *); + /* + * Get a buffer for the plaintext. Add WG_AUTHTAG_LEN to avoid + * a zero-length buffer (XXX). Drop if plaintext is longer + * than MCLBYTES (XXX). + */ decrypted_len = encrypted_len - WG_AUTHTAG_LEN; if (decrypted_len > MCLBYTES) { /* FIXME handle larger data than MCLBYTES */ WG_DLOG("couldn't handle larger data than MCLBYTES\n"); goto out; } - - /* To avoid zero length */ n = wg_get_mbuf(0, decrypted_len + WG_AUTHTAG_LEN); if (n == NULL) { WG_DLOG("wg_get_mbuf failed\n"); @@ -2407,10 +2483,11 @@ wg_handle_msg_data(struct wg_softc *wg, } decrypted_buf = mtod(n, char *); + /* Decrypt and verify the packet. */ WG_DLOG("mlen=%lu, encrypted_len=%lu\n", mlen, encrypted_len); error = wg_algo_aead_dec(decrypted_buf, encrypted_len - WG_AUTHTAG_LEN /* can be 0 */, - wgs->wgs_tkey_recv, wgmd->wgmd_counter, encrypted_buf, + wgs->wgs_tkey_recv, le64toh(wgmd->wgmd_counter), encrypted_buf, encrypted_len, NULL, 0); if (error != 0) { WG_LOG_RATECHECK(&wgp->wgp_ppsratecheck, LOG_DEBUG, @@ -2420,31 +2497,44 @@ wg_handle_msg_data(struct wg_softc *wg, } WG_DLOG("outsize=%u\n", (u_int)decrypted_len); + /* Packet is genuine. Reject it if a replay or just too old. */ mutex_enter(&wgs->wgs_recvwin->lock); error = sliwin_update(&wgs->wgs_recvwin->window, - wgmd->wgmd_counter); + le64toh(wgmd->wgmd_counter)); mutex_exit(&wgs->wgs_recvwin->lock); if (error) { WG_LOG_RATECHECK(&wgp->wgp_ppsratecheck, LOG_DEBUG, "replay or out-of-window packet: %"PRIu64"\n", - wgmd->wgmd_counter); + le64toh(wgmd->wgmd_counter)); m_freem(n); goto out; } + /* We're done with m now; free it and chuck the pointers. */ m_freem(m); m = NULL; wgmd = NULL; + /* + * Validate the encapsulated packet header and get the address + * family, or drop. + */ ok = wg_validate_inner_packet(decrypted_buf, decrypted_len, &af); if (!ok) { - /* something wrong... */ m_freem(n); goto out; } + /* + * The packet is genuine. Update the peer's endpoint if the + * source address changed. + * + * XXX How to prevent DoS by replaying genuine packets from the + * wrong source address? + */ wg_update_endpoint_if_necessary(wgp, src); + /* Submit it into our network stack if routable. */ ok = wg_validate_route(wg, wgp, af, decrypted_buf); if (ok) { wg->wg_ops->input(&wg->wg_if, n, af); @@ -2459,40 +2549,14 @@ wg_handle_msg_data(struct wg_softc *wg, } n = NULL; - if (wgs->wgs_state == WGS_STATE_INIT_PASSIVE) { - struct wg_session *wgs_prev; - - KASSERT(wgs == wgp->wgp_session_unstable); - wgs->wgs_state = WGS_STATE_ESTABLISHED; - wgs->wgs_time_established = time_uptime; - wgs->wgs_time_last_data_sent = 0; - wgs->wgs_is_initiator = false; - WG_TRACE("WGS_STATE_ESTABLISHED"); - - mutex_enter(wgp->wgp_lock); - wg_swap_sessions(wgp); - wgs_prev = wgp->wgp_session_unstable; - mutex_enter(wgs_prev->wgs_lock); - getnanotime(&wgp->wgp_last_handshake_time); - wgp->wgp_handshake_start_time = 0; - wgp->wgp_last_sent_mac1_valid = false; - wgp->wgp_last_sent_cookie_valid = false; - mutex_exit(wgp->wgp_lock); - - if (wgs_prev->wgs_state == WGS_STATE_ESTABLISHED) { - wgs_prev->wgs_state = WGS_STATE_DESTROYING; - /* We can't destroy the old session immediately */ - wg_schedule_session_dtor_timer(wgp); - } else { - wg_clear_states(wgs_prev); - wgs_prev->wgs_state = WGS_STATE_UNKNOWN; - } - mutex_exit(wgs_prev->wgs_lock); - - /* Anyway run a softint to flush pending packets */ - kpreempt_disable(); - softint_schedule(wgp->wgp_si); - kpreempt_enable(); + /* Update the state machine if necessary. */ + if (__predict_false(state == WGS_STATE_INIT_PASSIVE)) { + /* + * We were waiting for the initiator to send their + * first data transport message, and that has happened. + * Schedule a task to establish this session. + */ + wg_schedule_peer_task(wgp, WGP_TASK_ESTABLISH_SESSION); } else { if (__predict_false(wg_need_to_send_init_message(wgs))) { wg_schedule_peer_task(wgp, WGP_TASK_SEND_INIT_MESSAGE); @@ -2504,8 +2568,9 @@ wg_handle_msg_data(struct wg_softc *wg, * itself to send back for KEEPALIVE-TIMEOUT seconds, it sends * a keepalive message." */ - WG_DLOG("time_uptime=%lu wgs_time_last_data_sent=%lu\n", - time_uptime, wgs->wgs_time_last_data_sent); + WG_DLOG("time_uptime=%ju wgs_time_last_data_sent=%ju\n", + (uintmax_t)time_uptime, + (uintmax_t)wgs->wgs_time_last_data_sent); if ((time_uptime - wgs->wgs_time_last_data_sent) >= wg_keepalive_timeout) { WG_TRACE("Schedule sending keepalive message"); @@ -2537,21 +2602,27 @@ wg_handle_msg_cookie(struct wg_softc *wg uint8_t cookie[WG_COOKIE_LEN]; WG_TRACE("cookie msg received"); + + /* Find the putative session. */ wgs = wg_lookup_session_by_index(wg, wgmc->wgmc_receiver, &psref); if (wgs == NULL) { WG_TRACE("No session found"); return; } + + /* Lock the peer so we can update the cookie state. */ wgp = wgs->wgs_peer; + mutex_enter(wgp->wgp_lock); if (!wgp->wgp_last_sent_mac1_valid) { WG_TRACE("No valid mac1 sent (or expired)"); goto out; } + /* Decrypt the cookie and store it for later handshake retry. */ wg_algo_mac_cookie(key, sizeof(key), wgp->wgp_pubkey, sizeof(wgp->wgp_pubkey)); - error = wg_algo_xaead_dec(cookie, sizeof(cookie), key, 0, + error = wg_algo_xaead_dec(cookie, sizeof(cookie), key, wgmc->wgmc_cookie, sizeof(wgmc->wgmc_cookie), wgp->wgp_last_sent_mac1, sizeof(wgp->wgp_last_sent_mac1), wgmc->wgmc_salt); @@ -2569,6 +2640,7 @@ wg_handle_msg_cookie(struct wg_softc *wg wgp->wgp_latest_cookie_time = time_uptime; memcpy(wgp->wgp_latest_cookie, cookie, sizeof(wgp->wgp_latest_cookie)); out: + mutex_exit(wgp->wgp_lock); wg_put_session(wgs, &psref); } @@ -2591,7 +2663,7 @@ wg_validate_msg_header(struct wg_softc * * worry about contiguity and alignment later. */ m_copydata(m, 0, sizeof(wgm), &wgm); - switch (wgm.wgm_type) { + switch (le32toh(wgm.wgm_type)) { case WG_MSG_TYPE_INIT: msglen = sizeof(struct wg_msg_init); break; @@ -2606,14 +2678,14 @@ wg_validate_msg_header(struct wg_softc * break; default: WG_LOG_RATECHECK(&wg->wg_ppsratecheck, LOG_DEBUG, - "Unexpected msg type: %u\n", wgm.wgm_type); + "Unexpected msg type: %u\n", le32toh(wgm.wgm_type)); goto error; } /* Verify the mbuf chain is long enough for this type of message. */ if (__predict_false(mbuflen < msglen)) { WG_DLOG("Invalid msg size: mbuflen=%lu type=%u\n", mbuflen, - wgm.wgm_type); + le32toh(wgm.wgm_type)); goto error; } @@ -2643,7 +2715,7 @@ wg_handle_packet(struct wg_softc *wg, st KASSERT(m->m_len >= sizeof(struct wg_msg)); wgm = mtod(m, struct wg_msg *); - switch (wgm->wgm_type) { + switch (le32toh(wgm->wgm_type)) { case WG_MSG_TYPE_INIT: wg_handle_msg_init(wg, (struct wg_msg_init *)wgm, src); break; @@ -2655,11 +2727,13 @@ wg_handle_packet(struct wg_softc *wg, st break; case WG_MSG_TYPE_DATA: wg_handle_msg_data(wg, m, src); - break; + /* wg_handle_msg_data frees m for us */ + return; default: - /* wg_validate_msg_header should already reject this case */ - break; + panic("invalid message type: %d", le32toh(wgm->wgm_type)); } + + m_freem(m); } static void @@ -2710,29 +2784,115 @@ wg_put_peer(struct wg_peer *wgp, struct static void wg_task_send_init_message(struct wg_softc *wg, struct wg_peer *wgp) { - struct psref psref; struct wg_session *wgs; WG_TRACE("WGP_TASK_SEND_INIT_MESSAGE"); - if (!wgp->wgp_endpoint_available) { + KASSERT(mutex_owned(wgp->wgp_lock)); + + if (!atomic_load_relaxed(&wgp->wgp_endpoint_available)) { WGLOG(LOG_DEBUG, "No endpoint available\n"); /* XXX should do something? */ return; } - wgs = wg_get_stable_session(wgp, &psref); + wgs = wgp->wgp_session_stable; if (wgs->wgs_state == WGS_STATE_UNKNOWN) { - wg_put_session(wgs, &psref); + /* XXX What if the unstable session is already INIT_ACTIVE? */ wg_send_handshake_msg_init(wg, wgp); } else { - wg_put_session(wgs, &psref); /* rekey */ - wgs = wg_get_unstable_session(wgp, &psref); + wgs = wgp->wgp_session_unstable; if (wgs->wgs_state != WGS_STATE_INIT_ACTIVE) wg_send_handshake_msg_init(wg, wgp); - wg_put_session(wgs, &psref); + } +} + +static void +wg_task_retry_handshake(struct wg_softc *wg, struct wg_peer *wgp) +{ + struct wg_session *wgs; + + WG_TRACE("WGP_TASK_RETRY_HANDSHAKE"); + + KASSERT(mutex_owned(wgp->wgp_lock)); + KASSERT(wgp->wgp_handshake_start_time != 0); + + wgs = wgp->wgp_session_unstable; + if (wgs->wgs_state != WGS_STATE_INIT_ACTIVE) + return; + + /* + * XXX no real need to assign a new index here, but we do need + * to transition to UNKNOWN temporarily + */ + wg_put_session_index(wg, wgs); + + /* [W] 6.4 Handshake Initiation Retransmission */ + if ((time_uptime - wgp->wgp_handshake_start_time) > + wg_rekey_attempt_time) { + /* Give up handshaking */ + wgp->wgp_handshake_start_time = 0; + WG_TRACE("give up"); + + /* + * If a new data packet comes, handshaking will be retried + * and a new session would be established at that time, + * however we don't want to send pending packets then. + */ + wg_purge_pending_packets(wgp); + return; } + + wg_task_send_init_message(wg, wgp); +} + +static void +wg_task_establish_session(struct wg_softc *wg, struct wg_peer *wgp) +{ + struct wg_session *wgs, *wgs_prev; + + KASSERT(mutex_owned(wgp->wgp_lock)); + + wgs = wgp->wgp_session_unstable; + if (wgs->wgs_state != WGS_STATE_INIT_PASSIVE) + /* XXX Can this happen? */ + return; + + wgs->wgs_state = WGS_STATE_ESTABLISHED; + wgs->wgs_time_established = time_uptime; + wgs->wgs_time_last_data_sent = 0; + wgs->wgs_is_initiator = false; + WG_TRACE("WGS_STATE_ESTABLISHED"); + + wg_swap_sessions(wgp); + KASSERT(wgs == wgp->wgp_session_stable); + wgs_prev = wgp->wgp_session_unstable; + getnanotime(&wgp->wgp_last_handshake_time); + wgp->wgp_handshake_start_time = 0; + wgp->wgp_last_sent_mac1_valid = false; + wgp->wgp_last_sent_cookie_valid = false; + + if (wgs_prev->wgs_state == WGS_STATE_ESTABLISHED) { + /* Wait for wg_get_stable_session to drain. */ + pserialize_perform(wgp->wgp_psz); + + /* Transition ESTABLISHED->DESTROYING. */ + wgs_prev->wgs_state = WGS_STATE_DESTROYING; + + /* We can't destroy the old session immediately */ + wg_schedule_session_dtor_timer(wgp); + } else { + KASSERTMSG(wgs_prev->wgs_state == WGS_STATE_UNKNOWN, + "state=%d", wgs_prev->wgs_state); + wg_clear_states(wgs_prev); + wgs_prev->wgs_state = WGS_STATE_UNKNOWN; + } + + /* Anyway run a softint to flush pending packets */ + kpreempt_disable(); + softint_schedule(wgp->wgp_si); + kpreempt_enable(); } static void @@ -2741,29 +2901,32 @@ wg_task_endpoint_changed(struct wg_softc WG_TRACE("WGP_TASK_ENDPOINT_CHANGED"); - mutex_enter(wgp->wgp_lock); - if (wgp->wgp_endpoint_changing) { + KASSERT(mutex_owned(wgp->wgp_lock)); + + if (atomic_load_relaxed(&wgp->wgp_endpoint_changing)) { pserialize_perform(wgp->wgp_psz); psref_target_destroy(&wgp->wgp_endpoint0->wgsa_psref, wg_psref_class); psref_target_init(&wgp->wgp_endpoint0->wgsa_psref, wg_psref_class); - wgp->wgp_endpoint_changing = false; + atomic_store_release(&wgp->wgp_endpoint_changing, 0); } - mutex_exit(wgp->wgp_lock); } static void wg_task_send_keepalive_message(struct wg_softc *wg, struct wg_peer *wgp) { - struct psref psref; struct wg_session *wgs; WG_TRACE("WGP_TASK_SEND_KEEPALIVE_MESSAGE"); - wgs = wg_get_stable_session(wgp, &psref); + KASSERT(mutex_owned(wgp->wgp_lock)); + + wgs = wgp->wgp_session_stable; + if (wgs->wgs_state != WGS_STATE_ESTABLISHED) + return; + wg_send_keepalive_msg(wgp, wgs); - wg_put_session(wgs, &psref); } static void @@ -2773,18 +2936,12 @@ wg_task_destroy_prev_session(struct wg_s WG_TRACE("WGP_TASK_DESTROY_PREV_SESSION"); - mutex_enter(wgp->wgp_lock); + KASSERT(mutex_owned(wgp->wgp_lock)); + wgs = wgp->wgp_session_unstable; - mutex_enter(wgs->wgs_lock); if (wgs->wgs_state == WGS_STATE_DESTROYING) { - pserialize_perform(wgp->wgp_psz); - psref_target_destroy(&wgs->wgs_psref, wg_psref_class); - psref_target_init(&wgs->wgs_psref, wg_psref_class); - wg_clear_states(wgs); - wgs->wgs_state = WGS_STATE_UNKNOWN; + wg_put_session_index(wg, wgs); } - mutex_exit(wgs->wgs_lock); - mutex_exit(wgp->wgp_lock); } static void @@ -2811,14 +2968,20 @@ wg_process_peer_tasks(struct wg_softc *w WG_DLOG("tasks=%x\n", tasks); + mutex_enter(wgp->wgp_lock); if (ISSET(tasks, WGP_TASK_SEND_INIT_MESSAGE)) wg_task_send_init_message(wg, wgp); + if (ISSET(tasks, WGP_TASK_RETRY_HANDSHAKE)) + wg_task_retry_handshake(wg, wgp); + if (ISSET(tasks, WGP_TASK_ESTABLISH_SESSION)) + wg_task_establish_session(wg, wgp); if (ISSET(tasks, WGP_TASK_ENDPOINT_CHANGED)) wg_task_endpoint_changed(wg, wgp); if (ISSET(tasks, WGP_TASK_SEND_KEEPALIVE_MESSAGE)) wg_task_send_keepalive_message(wg, wgp); if (ISSET(tasks, WGP_TASK_DESTROY_PREV_SESSION)) wg_task_destroy_prev_session(wg, wgp); + mutex_exit(wgp->wgp_lock); /* New tasks may be scheduled during processing tasks */ WG_DLOG("wgp_tasks=%d\n", wgp->wgp_tasks); @@ -2947,14 +3110,14 @@ wg_overudp_cb(struct mbuf **mp, int offs * worry about contiguity and alignment later. */ m_copydata(m, offset, sizeof(struct wg_msg), &wgm); - WG_DLOG("type=%d\n", wgm.wgm_type); + WG_DLOG("type=%d\n", le32toh(wgm.wgm_type)); /* * Handle DATA packets promptly as they arrive. Other packets * may require expensive public-key crypto and are not as * sensitive to latency, so defer them to the worker thread. */ - switch (wgm.wgm_type) { + switch (le32toh(wgm.wgm_type)) { case WG_MSG_TYPE_DATA: /* handle immediately */ m_adj(m, offset); @@ -3016,7 +3179,7 @@ wg_worker_init(struct wg_softc *wg) wgw = kmem_zalloc(sizeof(struct wg_worker), KM_SLEEP); - mutex_init(&wgw->wgw_lock, MUTEX_DEFAULT, IPL_NONE); + mutex_init(&wgw->wgw_lock, MUTEX_DEFAULT, IPL_SOFTNET); cv_init(&wgw->wgw_cv, ifname); wgw->wgw_todie = false; wgw->wgw_wakeup_reasons = 0; @@ -3109,11 +3272,10 @@ wg_peer_softint(void *arg) struct mbuf *m; struct psref psref; - wgs = wg_get_stable_session(wgp, &psref); - if (wgs->wgs_state != WGS_STATE_ESTABLISHED) { + if ((wgs = wg_get_stable_session(wgp, &psref)) == NULL) { /* XXX how to treat? */ WG_TRACE("skipped"); - goto out; + return; } if (wg_session_hit_limits(wgs)) { wg_schedule_peer_task(wgp, WGP_TASK_SEND_INIT_MESSAGE); @@ -3133,11 +3295,7 @@ wg_rekey_timer(void *arg) { struct wg_peer *wgp = arg; - mutex_enter(wgp->wgp_lock); - if (__predict_true(wgp->wgp_state != WGP_STATE_DESTROYING)) { - wg_schedule_peer_task(wgp, WGP_TASK_SEND_INIT_MESSAGE); - } - mutex_exit(wgp->wgp_lock); + wg_schedule_peer_task(wgp, WGP_TASK_SEND_INIT_MESSAGE); } static void @@ -3154,47 +3312,10 @@ static void wg_handshake_timeout_timer(void *arg) { struct wg_peer *wgp = arg; - struct wg_session *wgs; - struct psref psref; WG_TRACE("enter"); - mutex_enter(wgp->wgp_lock); - if (__predict_false(wgp->wgp_state == WGP_STATE_DESTROYING)) { - mutex_exit(wgp->wgp_lock); - return; - } - mutex_exit(wgp->wgp_lock); - - KASSERT(wgp->wgp_handshake_start_time != 0); - wgs = wg_get_unstable_session(wgp, &psref); - KASSERT(wgs->wgs_state == WGS_STATE_INIT_ACTIVE); - - /* [W] 6.4 Handshake Initiation Retransmission */ - if ((time_uptime - wgp->wgp_handshake_start_time) > - wg_rekey_attempt_time) { - /* Give up handshaking */ - wgs->wgs_state = WGS_STATE_UNKNOWN; - wg_clear_states(wgs); - wgp->wgp_state = WGP_STATE_GIVEUP; - wgp->wgp_handshake_start_time = 0; - wg_put_session(wgs, &psref); - WG_TRACE("give up"); - /* - * If a new data packet comes, handshaking will be retried - * and a new session would be established at that time, - * however we don't want to send pending packets then. - */ - wg_purge_pending_packets(wgp); - return; - } - - /* No response for an initiation message sent, retry handshaking */ - wgs->wgs_state = WGS_STATE_UNKNOWN; - wg_clear_states(wgs); - wg_put_session(wgs, &psref); - - wg_schedule_peer_task(wgp, WGP_TASK_SEND_INIT_MESSAGE); + wg_schedule_peer_task(wgp, WGP_TASK_RETRY_HANDSHAKE); } static struct wg_peer * @@ -3205,7 +3326,6 @@ wg_alloc_peer(struct wg_softc *wg) wgp = kmem_zalloc(sizeof(*wgp), KM_SLEEP); wgp->wgp_sc = wg; - wgp->wgp_state = WGP_STATE_INIT; wgp->wgp_q = pcq_create(1024, KM_SLEEP); wgp->wgp_si = softint_establish(SOFTINT_NET, wg_peer_softint, wgp); callout_init(&wgp->wgp_rekey_timer, CALLOUT_MPSAFE); @@ -3237,23 +3357,21 @@ wg_alloc_peer(struct wg_softc *wg) wgs->wgs_peer = wgp; wgs->wgs_state = WGS_STATE_UNKNOWN; psref_target_init(&wgs->wgs_psref, wg_psref_class); - wgs->wgs_lock = mutex_obj_alloc(MUTEX_DEFAULT, IPL_NONE); #ifndef __HAVE_ATOMIC64_LOADSTORE mutex_init(&wgs->wgs_send_counter_lock, MUTEX_DEFAULT, IPL_SOFTNET); #endif wgs->wgs_recvwin = kmem_zalloc(sizeof(*wgs->wgs_recvwin), KM_SLEEP); - mutex_init(&wgs->wgs_recvwin->lock, MUTEX_DEFAULT, IPL_NONE); + mutex_init(&wgs->wgs_recvwin->lock, MUTEX_DEFAULT, IPL_SOFTNET); wgs = wgp->wgp_session_unstable; wgs->wgs_peer = wgp; wgs->wgs_state = WGS_STATE_UNKNOWN; psref_target_init(&wgs->wgs_psref, wg_psref_class); - wgs->wgs_lock = mutex_obj_alloc(MUTEX_DEFAULT, IPL_NONE); #ifndef __HAVE_ATOMIC64_LOADSTORE mutex_init(&wgs->wgs_send_counter_lock, MUTEX_DEFAULT, IPL_SOFTNET); #endif wgs->wgs_recvwin = kmem_zalloc(sizeof(*wgs->wgs_recvwin), KM_SLEEP); - mutex_init(&wgs->wgs_recvwin->lock, MUTEX_DEFAULT, IPL_NONE); + mutex_init(&wgs->wgs_recvwin->lock, MUTEX_DEFAULT, IPL_SOFTNET); return wgp; } @@ -3264,6 +3382,7 @@ wg_destroy_peer(struct wg_peer *wgp) struct wg_session *wgs; struct wg_softc *wg = wgp->wgp_sc; + /* Prevent new packets from this peer on any source address. */ rw_enter(wg->wg_rwlock, RW_WRITER); for (int i = 0; i < wgp->wgp_n_allowedips; i++) { struct wg_allowedip *wga = &wgp->wgp_allowedips[i]; @@ -3282,23 +3401,34 @@ wg_destroy_peer(struct wg_peer *wgp) } rw_exit(wg->wg_rwlock); + /* Purge pending packets. */ + wg_purge_pending_packets(wgp); + + /* Halt all packet processing and timeouts. */ softint_disestablish(wgp->wgp_si); callout_halt(&wgp->wgp_rekey_timer, NULL); callout_halt(&wgp->wgp_handshake_timeout_timer, NULL); callout_halt(&wgp->wgp_session_dtor_timer, NULL); wgs = wgp->wgp_session_unstable; - psref_target_destroy(&wgs->wgs_psref, wg_psref_class); - mutex_obj_free(wgs->wgs_lock); + if (wgs->wgs_state != WGS_STATE_UNKNOWN) { + mutex_enter(wgp->wgp_lock); + wg_destroy_session(wg, wgs); + mutex_exit(wgp->wgp_lock); + } mutex_destroy(&wgs->wgs_recvwin->lock); kmem_free(wgs->wgs_recvwin, sizeof(*wgs->wgs_recvwin)); #ifndef __HAVE_ATOMIC64_LOADSTORE mutex_destroy(&wgs->wgs_send_counter_lock); #endif kmem_free(wgs, sizeof(*wgs)); + wgs = wgp->wgp_session_stable; - psref_target_destroy(&wgs->wgs_psref, wg_psref_class); - mutex_obj_free(wgs->wgs_lock); + if (wgs->wgs_state != WGS_STATE_UNKNOWN) { + mutex_enter(wgp->wgp_lock); + wg_destroy_session(wg, wgs); + mutex_exit(wgp->wgp_lock); + } mutex_destroy(&wgs->wgs_recvwin->lock); kmem_free(wgs->wgs_recvwin, sizeof(*wgs->wgs_recvwin)); #ifndef __HAVE_ATOMIC64_LOADSTORE @@ -3321,14 +3451,26 @@ wg_destroy_peer(struct wg_peer *wgp) static void wg_destroy_all_peers(struct wg_softc *wg) { - struct wg_peer *wgp; + struct wg_peer *wgp, *wgp0 __diagused; + void *garbage_byname, *garbage_bypubkey; restart: + garbage_byname = garbage_bypubkey = NULL; mutex_enter(wg->wg_lock); WG_PEER_WRITER_FOREACH(wgp, wg) { + if (wgp->wgp_name[0]) { + wgp0 = thmap_del(wg->wg_peers_byname, wgp->wgp_name, + strlen(wgp->wgp_name)); + KASSERT(wgp0 == wgp); + garbage_byname = thmap_stage_gc(wg->wg_peers_byname); + } + wgp0 = thmap_del(wg->wg_peers_bypubkey, wgp->wgp_pubkey, + sizeof(wgp->wgp_pubkey)); + KASSERT(wgp0 == wgp); + garbage_bypubkey = thmap_stage_gc(wg->wg_peers_bypubkey); WG_PEER_WRITER_REMOVE(wgp); + wg->wg_npeers--; mutex_enter(wgp->wgp_lock); - wgp->wgp_state = WGP_STATE_DESTROYING; pserialize_perform(wgp->wgp_psz); mutex_exit(wgp->wgp_lock); PSLIST_ENTRY_DESTROY(wgp, wgp_peerlist_entry); @@ -3342,6 +3484,8 @@ restart: psref_target_destroy(&wgp->wgp_psref, wg_psref_class); wg_destroy_peer(wgp); + thmap_gc(wg->wg_peers_byname, garbage_byname); + thmap_gc(wg->wg_peers_bypubkey, garbage_bypubkey); goto restart; } @@ -3349,18 +3493,20 @@ restart: static int wg_destroy_peer_name(struct wg_softc *wg, const char *name) { - struct wg_peer *wgp; + struct wg_peer *wgp, *wgp0 __diagused; + void *garbage_byname, *garbage_bypubkey; mutex_enter(wg->wg_lock); - WG_PEER_WRITER_FOREACH(wgp, wg) { - if (strcmp(wgp->wgp_name, name) == 0) - break; - } + wgp = thmap_del(wg->wg_peers_byname, name, strlen(name)); if (wgp != NULL) { + wgp0 = thmap_del(wg->wg_peers_bypubkey, wgp->wgp_pubkey, + sizeof(wgp->wgp_pubkey)); + KASSERT(wgp0 == wgp); + garbage_byname = thmap_stage_gc(wg->wg_peers_byname); + garbage_bypubkey = thmap_stage_gc(wg->wg_peers_bypubkey); WG_PEER_WRITER_REMOVE(wgp); wg->wg_npeers--; mutex_enter(wgp->wgp_lock); - wgp->wgp_state = WGP_STATE_DESTROYING; pserialize_perform(wgp->wgp_psz); mutex_exit(wgp->wgp_lock); PSLIST_ENTRY_DESTROY(wgp, wgp_peerlist_entry); @@ -3373,6 +3519,8 @@ wg_destroy_peer_name(struct wg_softc *wg psref_target_destroy(&wgp->wgp_psref, wg_psref_class); wg_destroy_peer(wgp); + thmap_gc(wg->wg_peers_byname, garbage_byname); + thmap_gc(wg->wg_peers_bypubkey, garbage_bypubkey); return 0; } @@ -3432,6 +3580,9 @@ wg_clone_create(struct if_clone *ifc, in #endif PSLIST_INIT(&wg->wg_peers); + wg->wg_peers_bypubkey = thmap_create(0, NULL, THMAP_NOCOPY); + wg->wg_peers_byname = thmap_create(0, NULL, THMAP_NOCOPY); + wg->wg_sessions_byindex = thmap_create(0, NULL, THMAP_NOCOPY); wg->wg_lock = mutex_obj_alloc(MUTEX_DEFAULT, IPL_NONE); wg->wg_rwlock = rw_obj_alloc(); wg->wg_ops = &wg_ops_rumpkernel; @@ -3445,6 +3596,9 @@ wg_clone_create(struct if_clone *ifc, in free(wg->wg_rtable_ipv6, M_RTABLE); PSLIST_DESTROY(&wg->wg_peers); mutex_obj_free(wg->wg_lock); + thmap_destroy(wg->wg_sessions_byindex); + thmap_destroy(wg->wg_peers_byname); + thmap_destroy(wg->wg_peers_bypubkey); kmem_free(wg, sizeof(struct wg_softc)); return error; } @@ -3482,6 +3636,9 @@ wg_clone_destroy(struct ifnet *ifp) free(wg->wg_rtable_ipv6, M_RTABLE); PSLIST_DESTROY(&wg->wg_peers); + thmap_destroy(wg->wg_sessions_byindex); + thmap_destroy(wg->wg_peers_byname); + thmap_destroy(wg->wg_peers_bypubkey); mutex_obj_free(wg->wg_lock); rw_obj_free(wg->wg_rwlock); @@ -3532,12 +3689,12 @@ wg_fill_msg_data(struct wg_softc *wg, st { memset(wgmd, 0, sizeof(*wgmd)); - wgmd->wgmd_type = WG_MSG_TYPE_DATA; - wgmd->wgmd_receiver = wgs->wgs_receiver_index; + wgmd->wgmd_type = htole32(WG_MSG_TYPE_DATA); + wgmd->wgmd_receiver = wgs->wgs_remote_index; /* [W] 5.4.6: msg.counter := Nm^send */ /* [W] 5.4.6: Nm^send := Nm^send + 1 */ - wgmd->wgmd_counter = wg_session_inc_send_counter(wgs); - WG_DLOG("counter=%"PRIu64"\n", wgmd->wgmd_counter); + wgmd->wgmd_counter = htole64(wg_session_inc_send_counter(wgs)); + WG_DLOG("counter=%"PRIu64"\n", le64toh(wgmd->wgmd_counter)); } static int @@ -3545,31 +3702,32 @@ wg_output(struct ifnet *ifp, struct mbuf const struct rtentry *rt) { struct wg_softc *wg = ifp->if_softc; - int error = 0; + struct wg_peer *wgp = NULL; + struct wg_session *wgs = NULL; + struct psref wgp_psref, wgs_psref; int bound; - struct psref psref; + int error; + + bound = curlwp_bind(); /* TODO make the nest limit configurable via sysctl */ error = if_tunnel_check_nesting(ifp, m, 1); - if (error != 0) { - m_freem(m); + if (error) { WGLOG(LOG_ERR, "tunneling loop detected and packet dropped\n"); - return error; + goto out; } - bound = curlwp_bind(); - IFQ_CLASSIFY(&ifp->if_snd, m, dst->sa_family); bpf_mtap_af(ifp, dst->sa_family, m, BPF_D_OUT); m->m_flags &= ~(M_BCAST|M_MCAST); - struct wg_peer *wgp = wg_pick_peer_by_sa(wg, dst, &psref); + wgp = wg_pick_peer_by_sa(wg, dst, &wgp_psref); if (wgp == NULL) { WG_TRACE("peer not found"); error = EHOSTUNREACH; - goto error; + goto out; } /* Clear checksum-offload flags. */ @@ -3578,14 +3736,12 @@ wg_output(struct ifnet *ifp, struct mbuf if (!pcq_put(wgp->wgp_q, m)) { error = ENOBUFS; - goto error; + goto out; } - - struct psref psref_wgs; - struct wg_session *wgs; - wgs = wg_get_stable_session(wgp, &psref_wgs); - if (wgs->wgs_state == WGS_STATE_ESTABLISHED && - !wg_session_hit_limits(wgs)) { + m = NULL; /* consumed */ + + wgs = wg_get_stable_session(wgp, &wgs_psref); + if (wgs != NULL && !wg_session_hit_limits(wgs)) { kpreempt_disable(); softint_schedule(wgp->wgp_si); kpreempt_enable(); @@ -3594,14 +3750,13 @@ wg_output(struct ifnet *ifp, struct mbuf wg_schedule_peer_task(wgp, WGP_TASK_SEND_INIT_MESSAGE); WG_TRACE("softint NOT scheduled"); } - wg_put_session(wgs, &psref_wgs); - wg_put_peer(wgp, &psref); - - return 0; - -error: + error = 0; + +out: + if (wgs != NULL) + wg_put_session(wgs, &wgs_psref); if (wgp != NULL) - wg_put_peer(wgp, &psref); + wg_put_peer(wgp, &wgp_psref); if (m != NULL) m_freem(m); curlwp_bindx(bound); @@ -3614,10 +3769,11 @@ wg_send_udp(struct wg_peer *wgp, struct struct psref psref; struct wg_sockaddr *wgsa; int error; - struct socket *so = wg_get_so_by_peer(wgp); - + struct socket *so; + + wgsa = wg_get_endpoint_sa(wgp, &psref); + so = wg_get_so_by_peer(wgp, wgsa); solock(so); - wgsa = wg_get_endpoint_sa(wgp, &psref); if (wgsatosa(wgsa)->sa_family == AF_INET) { error = udp_send(so, m, wgsatosa(wgsa), NULL, curlwp); } else { @@ -3625,11 +3781,12 @@ wg_send_udp(struct wg_peer *wgp, struct error = udp6_output(sotoin6pcb(so), m, wgsatosin6(wgsa), NULL, curlwp); #else - error = EPROTONOSUPPORT; + m_freem(m); + error = EPFNOSUPPORT; #endif } + sounlock(so); wg_put_sa(wgp, wgsa, &psref); - sounlock(so); return error; } @@ -3707,7 +3864,8 @@ wg_send_data_msg(struct wg_peer *wgp, st wg_fill_msg_data(wg, wgp, wgs, wgmd); /* [W] 5.4.6: AEAD(Tm^send, Nm^send, P, e) */ wg_algo_aead_enc((char *)wgmd + sizeof(*wgmd), encrypted_len, - wgs->wgs_tkey_send, wgmd->wgmd_counter, padded_buf, padded_len, + wgs->wgs_tkey_send, le64toh(wgmd->wgmd_counter), + padded_buf, padded_len, NULL, 0); error = wg->wg_ops->send_data_msg(wgp, n); @@ -3855,41 +4013,37 @@ wg_handle_prop_peer(struct wg_softc *wg, memcpy(wgp->wgp_psk, psk, sizeof(wgp->wgp_psk)); } - struct sockaddr_storage sockaddr; const void *addr; size_t addr_len; + struct wg_sockaddr *wgsa = wgp->wgp_endpoint; if (!prop_dictionary_get_data(peer, "endpoint", &addr, &addr_len)) goto skip_endpoint; - memcpy(&sockaddr, addr, addr_len); - switch (sockaddr.ss_family) { - case AF_INET: { - struct sockaddr_in sin; - sockaddr_copy(sintosa(&sin), sizeof(sin), - (const struct sockaddr *)&sockaddr); - sockaddr_copy(sintosa(&wgp->wgp_sin), - sizeof(wgp->wgp_sin), (const struct sockaddr *)&sockaddr); - char addrstr[128]; - sockaddr_format(sintosa(&sin), addrstr, sizeof(addrstr)); - WG_DLOG("addr=%s\n", addrstr); - break; - } + if (addr_len < sizeof(*wgsatosa(wgsa)) || + addr_len > sizeof(*wgsatoss(wgsa))) { + error = EINVAL; + goto out; + } + memcpy(wgsatoss(wgsa), addr, addr_len); + switch (wgsa_family(wgsa)) { + case AF_INET: #ifdef INET6 - case AF_INET6: { - struct sockaddr_in6 sin6; - char addrstr[128]; - sockaddr_copy(sintosa(&sin6), sizeof(sin6), - (const struct sockaddr *)&sockaddr); - sockaddr_format(sintosa(&sin6), addrstr, sizeof(addrstr)); - WG_DLOG("addr=%s\n", addrstr); - sockaddr_copy(sin6tosa(&wgp->wgp_sin6), - sizeof(wgp->wgp_sin6), (const struct sockaddr *)&sockaddr); + case AF_INET6: +#endif break; - } -#endif default: - break; + error = EPFNOSUPPORT; + goto out; } + if (addr_len != sockaddr_getsize_by_family(wgsa_family(wgsa))) { + error = EINVAL; + goto out; + } + { + char addrstr[128]; + sockaddr_format(wgsatosa(wgsa), addrstr, sizeof(addrstr)); + WG_DLOG("addr=%s\n", addrstr); + } wgp->wgp_endpoint_available = true; prop_array_t allowedips; @@ -4076,7 +4230,7 @@ wg_ioctl_add_peer(struct wg_softc *wg, s int error; prop_dictionary_t prop_dict; char *buf = NULL; - struct wg_peer *wgp = NULL; + struct wg_peer *wgp = NULL, *wgp0 __diagused; error = wg_alloc_prop_buf(&buf, ifd); if (error != 0) @@ -4091,6 +4245,24 @@ wg_ioctl_add_peer(struct wg_softc *wg, s goto out; mutex_enter(wg->wg_lock); + if (thmap_get(wg->wg_peers_bypubkey, wgp->wgp_pubkey, + sizeof(wgp->wgp_pubkey)) != NULL || + (wgp->wgp_name[0] && + thmap_get(wg->wg_peers_byname, wgp->wgp_name, + strlen(wgp->wgp_name)) != NULL)) { + mutex_exit(wg->wg_lock); + wg_destroy_peer(wgp); + error = EEXIST; + goto out; + } + wgp0 = thmap_put(wg->wg_peers_bypubkey, wgp->wgp_pubkey, + sizeof(wgp->wgp_pubkey), wgp); + KASSERT(wgp0 == wgp); + if (wgp->wgp_name[0]) { + wgp0 = thmap_put(wg->wg_peers_byname, wgp->wgp_name, + strlen(wgp->wgp_name), wgp); + KASSERT(wgp0 == wgp); + } WG_PEER_WRITER_INSERT_HEAD(wgp, wg); wg->wg_npeers++; mutex_exit(wg->wg_lock); @@ -4161,10 +4333,11 @@ wg_ioctl_get(struct wg_softc *wg, struct s = pserialize_read_enter(); i = 0; WG_PEER_READER_FOREACH(wgp, wg) { - struct psref psref; + struct wg_sockaddr *wgsa; + struct psref wgp_psref, wgsa_psref; prop_dictionary_t prop_peer; - wg_get_peer(wgp, &psref); + wg_get_peer(wgp, &wgp_psref); pserialize_read_exit(s); prop_peer = prop_dictionary_create(); @@ -4190,20 +4363,16 @@ wg_ioctl_get(struct wg_softc *wg, struct goto next; } - switch (wgp->wgp_sa.sa_family) { - case AF_INET: - if (!prop_dictionary_set_data(prop_peer, "endpoint", - &wgp->wgp_sin, sizeof(wgp->wgp_sin))) - goto next; - break; -#ifdef INET6 - case AF_INET6: - if (!prop_dictionary_set_data(prop_peer, "endpoint", - &wgp->wgp_sin6, sizeof(wgp->wgp_sin6))) - goto next; - break; -#endif + wgsa = wg_get_endpoint_sa(wgp, &wgsa_psref); + CTASSERT(AF_UNSPEC == 0); + if (wgsa_family(wgsa) != 0 /*AF_UNSPEC*/ && + !prop_dictionary_set_data(prop_peer, "endpoint", + wgsatoss(wgsa), + sockaddr_getsize_by_family(wgsa_family(wgsa)))) { + wg_put_sa(wgp, wgsa, &wgsa_psref); + goto next; } + wg_put_sa(wgp, wgsa, &wgsa_psref); const struct timespec *t = &wgp->wgp_last_handshake_time; @@ -4269,7 +4438,7 @@ wg_ioctl_get(struct wg_softc *wg, struct i++; s = pserialize_read_enter(); - wg_put_peer(wgp, &psref); + wg_put_peer(wgp, &wgp_psref); } pserialize_read_exit(s); @@ -4556,6 +4725,8 @@ wg_send_user(struct wg_peer *wgp, struct wg_put_sa(wgp, wgsa, &psref); + m_freem(m); + return error; } @@ -4595,6 +4766,8 @@ wg_input_user(struct ifnet *ifp, struct /* Send decrypted packets to users via a tun. */ rumpuser_wg_send_user(wg->wg_user, iov, 2); + + m_freem(m); } static int @@ -4626,7 +4799,7 @@ rumpkern_wg_recv_user(struct wg_softc *w dst = iov[0].iov_base; - m = m_gethdr(M_NOWAIT, MT_DATA); + m = m_gethdr(M_DONTWAIT, MT_DATA); if (m == NULL) return; m->m_len = m->m_pkthdr.len = 0; @@ -4651,7 +4824,7 @@ rumpkern_wg_recv_peer(struct wg_softc *w src = iov[0].iov_base; - m = m_gethdr(M_NOWAIT, MT_DATA); + m = m_gethdr(M_DONTWAIT, MT_DATA); if (m == NULL) return; m->m_len = m->m_pkthdr.len = 0; diff -r aeca55f561e5 -r 4d8a91b5a3c0 tests/net/if_wg/t_misc.sh --- a/tests/net/if_wg/t_misc.sh Fri Aug 28 01:45:43 2020 +0000 +++ b/tests/net/if_wg/t_misc.sh Sun Aug 30 22:12:24 2020 +0000 @@ -106,7 +106,7 @@ wg_rekey_body() $DEBUG && echo $latest_handshake # Wait for a reinitiation to be performed again - sleep $rekey_after_time + sleep $((rekey_after_time+1)) $ping $ip_wg_peer