diff -r 339526e66e4a sys/modules/if_wg/Makefile --- a/sys/modules/if_wg/Makefile Fri Jul 26 18:54:49 2024 +0000 +++ b/sys/modules/if_wg/Makefile Sat Jul 27 23:33:43 2024 +0000 @@ -11,6 +11,7 @@ SRCS= if_wg.c CPPFLAGS+= -DINET CPPFLAGS+= -DINET6 #CPPFLAGS+= -DALTQ +CPPFLAGS+= -DDIAGNOSTIC WARNS= 3 diff -r 339526e66e4a sys/net/if_wg.c --- a/sys/net/if_wg.c Fri Jul 26 18:54:49 2024 +0000 +++ b/sys/net/if_wg.c Sat Jul 27 23:33:43 2024 +0000 @@ -121,6 +121,10 @@ #include "wg_user.h" #endif +#ifndef time_uptime32 +#define time_uptime32 ((uint32_t)time_uptime) +#endif + /* * Data structures * - struct wg_softc is an instance of wg interfaces @@ -343,7 +347,7 @@ wg_dump_hash(const uint8_t *func, const #define WG_COOKIE_LEN 16 #define WG_MAC_LEN 16 -#define WG_RANDVAL_LEN 24 +#define WG_COOKIESECRET_LEN 32 #define WG_EPHEMERAL_KEY_LEN CURVE25519_KEY_LEN /* [N] 5.2: "ck: A chaining key of HASHLEN bytes" */ @@ -502,8 +506,10 @@ struct wg_session { #define WGS_STATE_ESTABLISHED 3 #define WGS_STATE_DESTROYING 4 - time_t wgs_time_established; - time_t wgs_time_last_data_sent; + volatile uint32_t + wgs_time_established; + volatile uint32_t + wgs_time_last_data_sent; bool wgs_is_initiator; uint32_t wgs_local_index; @@ -597,19 +603,20 @@ struct wg_peer { struct wg_session *wgp_session_unstable; /* first outgoing packet awaiting session initiation */ - struct mbuf *wgp_pending; + struct mbuf *volatile wgp_pending; /* timestamp in big-endian */ wg_timestamp_t wgp_timestamp_latest_init; struct timespec wgp_last_handshake_time; - callout_t wgp_rekey_timer; callout_t wgp_handshake_timeout_timer; callout_t wgp_session_dtor_timer; time_t wgp_handshake_start_time; + volatile unsigned wgp_force_rekey; + int wgp_n_allowedips; struct wg_allowedip wgp_allowedips[WG_ALLOWEDIPS]; @@ -622,8 +629,8 @@ struct wg_peer { time_t wgp_last_msg_received_time[WG_MSG_TYPE_MAX]; - time_t wgp_last_genrandval_time; - uint32_t wgp_randval; + time_t wgp_last_cookiesecret_time; + uint8_t wgp_cookiesecret[WG_COOKIESECRET_LEN]; struct wg_ppsratecheck wgp_ppsratecheck; @@ -691,7 +698,7 @@ struct wg_softc { #define WG_KEEPALIVE_TIMEOUT 10 #define WG_COOKIE_TIME 120 -#define WG_RANDVAL_TIME (2 * 60) +#define WG_COOKIESECRET_TIME (2 * 60) static uint64_t wg_rekey_after_messages = WG_REKEY_AFTER_MESSAGES; static uint64_t wg_reject_after_messages = WG_REJECT_AFTER_MESSAGES; @@ -727,7 +734,6 @@ static struct wg_session * static void wg_update_endpoint_if_necessary(struct wg_peer *, const struct sockaddr *); -static void wg_schedule_rekey_timer(struct wg_peer *); static void wg_schedule_session_dtor_timer(struct wg_peer *); static bool wg_is_underload(struct wg_softc *, struct wg_peer *, int); @@ -1274,8 +1280,16 @@ wg_destroy_session(struct wg_softc *wg, pserialize_perform(wgp->wgp_psz); psref_target_destroy(&wgs->wgs_psref, wg_psref_class); - /* Free memory, zero state, and transition to UNKNOWN. */ + /* + * Free memory, zero state, and transition to UNKNOWN. We have + * exclusive access to the session now, so there is no need for + * an atomic store. + */ thmap_gc(wg->wg_sessions_byindex, garbage); + WG_DLOG("session[L=%"PRIx32" R=%"PRIx32"] -> WGS_STATE_UNKNOWN\n", + wgs->wgs_local_index, wgs->wgs_remote_index); + wgs->wgs_local_index = 0; + wgs->wgs_remote_index = 0; wg_clear_states(wgs); wgs->wgs_state = WGS_STATE_UNKNOWN; } @@ -1298,7 +1312,8 @@ wg_get_session_index(struct wg_softc *wg KASSERT(mutex_owned(wgp->wgp_lock)); KASSERT(wgs == wgp->wgp_session_unstable); - KASSERT(wgs->wgs_state == WGS_STATE_UNKNOWN); + KASSERTMSG(wgs->wgs_state == WGS_STATE_UNKNOWN, "state=%d", + wgs->wgs_state); do { /* Pick a uniform random index. */ @@ -1329,7 +1344,6 @@ wg_put_session_index(struct wg_softc *wg struct wg_peer *wgp __diagused = wgs->wgs_peer; KASSERT(mutex_owned(wgp->wgp_lock)); - KASSERT(wgs == wgp->wgp_session_unstable); KASSERT(wgs->wgs_state != WGS_STATE_UNKNOWN); KASSERT(wgs->wgs_state != WGS_STATE_ESTABLISHED); @@ -1371,7 +1385,8 @@ wg_fill_msg_init(struct wg_softc *wg, st KASSERT(mutex_owned(wgp->wgp_lock)); KASSERT(wgs == wgp->wgp_session_unstable); - KASSERT(wgs->wgs_state == WGS_STATE_INIT_ACTIVE); + KASSERTMSG(wgs->wgs_state == WGS_STATE_INIT_ACTIVE, "state=%d", + wgs->wgs_state); wgmi->wgmi_type = htole32(WG_MSG_TYPE_INIT); wgmi->wgmi_sender = wgs->wgs_local_index; @@ -1614,29 +1629,39 @@ wg_handle_msg_init(struct wg_softc *wg, wgs = wgp->wgp_session_unstable; switch (wgs->wgs_state) { case WGS_STATE_UNKNOWN: /* new session initiated by peer */ - wg_get_session_index(wg, wgs); break; case WGS_STATE_INIT_ACTIVE: /* we're already initiating, drop */ + /* XXX {TODO5} Who wins if both sides send INIT? */ WG_TRACE("Session already initializing, ignoring the message"); goto out; case WGS_STATE_INIT_PASSIVE: /* peer is retrying, start over */ WG_TRACE("Session already initializing, destroying old states"); - wg_clear_states(wgs); - /* keep session index */ + /* + * XXX Avoid this -- just resend our response -- if the + * INIT message is identical to the previous one. + */ + wg_put_session_index(wg, wgs); + KASSERTMSG(wgs->wgs_state == WGS_STATE_UNKNOWN, "state=%d", + wgs->wgs_state); break; case WGS_STATE_ESTABLISHED: /* can't happen */ panic("unstable session can't be established"); - break; case WGS_STATE_DESTROYING: /* rekey initiated by peer */ WG_TRACE("Session destroying, but force to clear"); - callout_stop(&wgp->wgp_session_dtor_timer); - wg_clear_states(wgs); - /* keep session index */ + wg_put_session_index(wg, wgs); + KASSERTMSG(wgs->wgs_state == WGS_STATE_UNKNOWN, "state=%d", + wgs->wgs_state); break; default: panic("invalid session state: %d", wgs->wgs_state); } - wgs->wgs_state = WGS_STATE_INIT_PASSIVE; + + /* + * Assign a fresh session index. + */ + KASSERTMSG(wgs->wgs_state == WGS_STATE_UNKNOWN, "state=%d", + wgs->wgs_state); + wg_get_session_index(wg, wgs); memcpy(wgs->wgs_handshake_hash, hash, sizeof(hash)); memcpy(wgs->wgs_chaining_key, ckey, sizeof(ckey)); @@ -1645,11 +1670,49 @@ wg_handle_msg_init(struct wg_softc *wg, wg_update_endpoint_if_necessary(wgp, src); + /* + * Count the time of the INIT message as the time of + * establishment -- this is used to decide when to erase keys, + * and we want to start counting as soon as we have generated + * keys. + * + * No need for atomic store because the session can't be used + * in the rx or tx paths yet -- not until we transition to + * INTI_PASSIVE. + */ + wgs->wgs_time_established = time_uptime32; + wg_schedule_session_dtor_timer(wgp); + + /* + * Respond to the initiator with our ephemeral public key. + */ (void)wg_send_handshake_msg_resp(wg, wgp, wgs, wgmi); + WG_DLOG("session[L=%"PRIx32" R=%"PRIx32"]:" + " calculate keys as responder\n", + wgs->wgs_local_index, wgs->wgs_remote_index); wg_calculate_keys(wgs, false); wg_clear_states(wgs); + /* + * Session is ready to receive data now that we have received + * the peer initiator's ephemeral key pair, generated our + * responder's ephemeral key pair, and derived a session key. + * + * Transition from UNKNOWN to INIT_PASSIVE to publish it to the + * data rx path, wg_handle_msg_data, where the + * atomic_load_acquire matching this atomic_store_release + * happens. + * + * (Session is not, however, ready to send data until the peer + * has acknowledged our response by sending its first data + * packet. So don't swap the sessions yet.) + */ + WG_DLOG("session[L=%"PRIx32" R=%"PRIx32"] -> WGS_STATE_INIT_PASSIVE\n", + wgs->wgs_local_index, wgs->wgs_remote_index); + atomic_store_release(&wgs->wgs_state, WGS_STATE_INIT_PASSIVE); + WG_TRACE("WGS_STATE_INIT_PASSIVE"); + out: mutex_exit(wgp->wgp_lock); wg_put_peer(wgp, &psref_peer); @@ -1731,25 +1794,50 @@ wg_send_handshake_msg_init(struct wg_sof /* XXX pull dispatch out into wg_task_send_init_message */ switch (wgs->wgs_state) { case WGS_STATE_UNKNOWN: /* new session initiated by us */ - wg_get_session_index(wg, wgs); break; case WGS_STATE_INIT_ACTIVE: /* we're already initiating, stop */ WG_TRACE("Session already initializing, skip starting new one"); return EBUSY; case WGS_STATE_INIT_PASSIVE: /* peer was trying -- XXX what now? */ + /* XXX {TODO5} Who wins if both sides send INIT? Coin toss? */ +#if 1 + WG_TRACE("Session already initializing, waiting for peer"); + return EBUSY; +#else WG_TRACE("Session already initializing, destroying old states"); - wg_clear_states(wgs); - /* keep session index */ + wg_put_session_index(wg, wgs); + KASSERTMSG(wgs->wgs_state == WGS_STATE_UNKNOWN, "state=%d", + wgs->wgs_state); +#endif break; case WGS_STATE_ESTABLISHED: /* can't happen */ panic("unstable session can't be established"); - break; case WGS_STATE_DESTROYING: /* rekey initiated by us too early */ WG_TRACE("Session destroying"); - /* XXX should wait? */ - return EBUSY; + wg_put_session_index(wg, wgs); + KASSERTMSG(wgs->wgs_state == WGS_STATE_UNKNOWN, "state=%d", + wgs->wgs_state); + break; } - wgs->wgs_state = WGS_STATE_INIT_ACTIVE; + + /* + * Assign a fresh session index. + */ + KASSERTMSG(wgs->wgs_state == WGS_STATE_UNKNOWN, "state=%d", + wgs->wgs_state); + wg_get_session_index(wg, wgs); + + /* + * We have initiated a session. Transition to INIT_ACTIVE. + * This doesn't publish it for use in the data rx path, + * wg_handle_msg_data, or in the data tx path, wg_output -- we + * have to wait for the peer to respond with their ephemeral + * public key before we can derive a session key for tx/rx. + * Hence only atomic_store_relaxed. + */ + WG_DLOG("session[L=%"PRIx32" R=(unknown)] -> WGS_STATE_INIT_ACTIVE\n", + wgs->wgs_local_index); + atomic_store_relaxed(&wgs->wgs_state, WGS_STATE_INIT_ACTIVE); m = m_gethdr(M_WAIT, MT_DATA); if (sizeof(*wgmi) > MHLEN) { @@ -1791,7 +1879,8 @@ wg_fill_msg_resp(struct wg_softc *wg, st KASSERT(mutex_owned(wgp->wgp_lock)); KASSERT(wgs == wgp->wgp_session_unstable); - KASSERT(wgs->wgs_state == WGS_STATE_INIT_PASSIVE); + KASSERTMSG(wgs->wgs_state == WGS_STATE_UNKNOWN, "state=%d", + wgs->wgs_state); memcpy(hash, wgs->wgs_handshake_hash, sizeof(hash)); memcpy(ckey, wgs->wgs_chaining_key, sizeof(ckey)); @@ -1881,11 +1970,13 @@ wg_swap_sessions(struct wg_peer *wgp) KASSERT(mutex_owned(wgp->wgp_lock)); wgs = wgp->wgp_session_unstable; - KASSERT(wgs->wgs_state == WGS_STATE_ESTABLISHED); + KASSERTMSG(wgs->wgs_state == WGS_STATE_ESTABLISHED, "state=%d", + wgs->wgs_state); wgs_prev = wgp->wgp_session_stable; - KASSERT(wgs_prev->wgs_state == WGS_STATE_ESTABLISHED || - wgs_prev->wgs_state == WGS_STATE_UNKNOWN); + KASSERTMSG((wgs_prev->wgs_state == WGS_STATE_ESTABLISHED || + wgs_prev->wgs_state == WGS_STATE_UNKNOWN), + "state=%d", wgs_prev->wgs_state); atomic_store_release(&wgp->wgp_session_stable, wgs); wgp->wgp_session_unstable = wgs_prev; } @@ -2033,17 +2124,39 @@ wg_handle_msg_resp(struct wg_softc *wg, wgs->wgs_remote_index = wgmr->wgmr_sender; WG_DLOG("receiver=%x\n", wgs->wgs_remote_index); - KASSERT(wgs->wgs_state == WGS_STATE_INIT_ACTIVE); - wgs->wgs_state = WGS_STATE_ESTABLISHED; - wgs->wgs_time_established = time_uptime; + KASSERTMSG(wgs->wgs_state == WGS_STATE_INIT_ACTIVE, "state=%d", + wgs->wgs_state); + wgs->wgs_time_established = time_uptime32; + wg_schedule_session_dtor_timer(wgp); wgs->wgs_time_last_data_sent = 0; wgs->wgs_is_initiator = true; + WG_DLOG("session[L=%"PRIx32" R=%"PRIx32"]:" + " calculate keys as initiator\n", + wgs->wgs_local_index, wgs->wgs_remote_index); wg_calculate_keys(wgs, true); wg_clear_states(wgs); + + /* + * Session is ready to receive data now that we have received + * the responder's response. + * + * Transition from INIT_ACTIVE to ESTABLISHED to publish it to + * the data rx path, wg_handle_msg_data. + */ + WG_DLOG("session[L=%"PRIx32" R=%"PRIx32" -> WGS_STATE_ESTABLISHED\n", + wgs->wgs_local_index, wgs->wgs_remote_index); + atomic_store_release(&wgs->wgs_state, WGS_STATE_ESTABLISHED); WG_TRACE("WGS_STATE_ESTABLISHED"); - callout_stop(&wgp->wgp_handshake_timeout_timer); - + callout_halt(&wgp->wgp_handshake_timeout_timer, NULL); + + /* + * Session is ready to send data now that we have received the + * responder's response. + * + * Swap the sessions to publish the new one as the stable + * session for the data tx path, wg_output. + */ wg_swap_sessions(wgp); KASSERT(wgs == wgp->wgp_session_stable); wgs_prev = wgp->wgp_session_unstable; @@ -2052,8 +2165,6 @@ wg_handle_msg_resp(struct wg_softc *wg, wgp->wgp_last_sent_mac1_valid = false; wgp->wgp_last_sent_cookie_valid = false; - wg_schedule_rekey_timer(wgp); - wg_update_endpoint_if_necessary(wgp, src); /* @@ -2076,14 +2187,17 @@ wg_handle_msg_resp(struct wg_softc *wg, } if (wgs_prev->wgs_state == WGS_STATE_ESTABLISHED) { - /* Wait for wg_get_stable_session to drain. */ - pserialize_perform(wgp->wgp_psz); - - /* Transition ESTABLISHED->DESTROYING. */ - wgs_prev->wgs_state = WGS_STATE_DESTROYING; - - /* We can't destroy the old session immediately */ - wg_schedule_session_dtor_timer(wgp); + /* + * Transition ESTABLISHED->DESTROYING. The session + * will remain usable for the data rx path to process + * packets still in flight to us, but we won't use it + * for data tx. + */ + WG_DLOG("session[L=%"PRIx32" R=%"PRIx32"]" + " -> WGS_STATE_DESTROYING\n", + wgs_prev->wgs_local_index, wgs_prev->wgs_remote_index); + atomic_store_relaxed(&wgs_prev->wgs_state, + WGS_STATE_DESTROYING); } else { KASSERTMSG(wgs_prev->wgs_state == WGS_STATE_UNKNOWN, "state=%d", wgs_prev->wgs_state); @@ -2104,7 +2218,8 @@ wg_send_handshake_msg_resp(struct wg_sof KASSERT(mutex_owned(wgp->wgp_lock)); KASSERT(wgs == wgp->wgp_session_unstable); - KASSERT(wgs->wgs_state == WGS_STATE_INIT_PASSIVE); + KASSERTMSG(wgs->wgs_state == WGS_STATE_UNKNOWN, "state=%d", + wgs->wgs_state); m = m_gethdr(M_WAIT, MT_DATA); if (sizeof(*wgmr) > MHLEN) { @@ -2158,9 +2273,11 @@ wg_fill_msg_cookie(struct wg_softc *wg, * "The secret variable, Rm, changes every two minutes to a * random value" */ - if ((time_uptime - wgp->wgp_last_genrandval_time) > WG_RANDVAL_TIME) { - wgp->wgp_randval = cprng_strong32(); - wgp->wgp_last_genrandval_time = time_uptime; + if ((time_uptime - wgp->wgp_last_cookiesecret_time) > + WG_COOKIESECRET_TIME) { + cprng_strong(kern_cprng, wgp->wgp_cookiesecret, + sizeof(wgp->wgp_cookiesecret), 0); + wgp->wgp_last_cookiesecret_time = time_uptime; } switch (src->sa_family) { @@ -2185,7 +2302,7 @@ wg_fill_msg_cookie(struct wg_softc *wg, } wg_algo_mac(cookie, sizeof(cookie), - (const uint8_t *)&wgp->wgp_randval, sizeof(wgp->wgp_randval), + wgp->wgp_cookiesecret, sizeof(wgp->wgp_cookiesecret), addr, addrlen, (const uint8_t *)&uh_sport, sizeof(uh_sport)); wg_algo_mac_cookie(key, sizeof(key), wg->wg_pubkey, sizeof(wg->wg_pubkey)); @@ -2321,8 +2438,11 @@ wg_lookup_session_by_index(struct wg_sof int s = pserialize_read_enter(); wgs = thmap_get(wg->wg_sessions_byindex, &index, sizeof index); if (wgs != NULL) { - KASSERT(atomic_load_relaxed(&wgs->wgs_state) != - WGS_STATE_UNKNOWN); + uint32_t oindex __diagused = + atomic_load_relaxed(&wgs->wgs_local_index); + KASSERTMSG(index == oindex, + "index=%"PRIx32" wgs->wgs_local_index=%"PRIx32, + index, oindex); psref_acquire(psref, &wgs->wgs_psref, wg_psref_class); } pserialize_read_exit(s); @@ -2331,14 +2451,6 @@ wg_lookup_session_by_index(struct wg_sof } static void -wg_schedule_rekey_timer(struct wg_peer *wgp) -{ - int timeout = MIN(wg_rekey_after_time, (unsigned)(INT_MAX / hz)); - - callout_schedule(&wgp->wgp_rekey_timer, timeout * hz); -} - -static void wg_send_keepalive_msg(struct wg_peer *wgp, struct wg_session *wgs) { struct mbuf *m; @@ -2365,9 +2477,12 @@ wg_need_to_send_init_message(struct wg_s * KEEPALIVE-TIMEOUT − REKEY-TIMEOUT) seconds old and it has * not yet acted upon this event." */ - return wgs->wgs_is_initiator && wgs->wgs_time_last_data_sent == 0 && - (time_uptime - wgs->wgs_time_established) >= - (wg_reject_after_time - wg_keepalive_timeout - wg_rekey_timeout); + return wgs->wgs_is_initiator && + atomic_load_relaxed(&wgs->wgs_time_last_data_sent) == 0 && + ((time_uptime32 - + atomic_load_relaxed(&wgs->wgs_time_established)) >= + (wg_reject_after_time - wg_keepalive_timeout - + wg_rekey_timeout)); } static void @@ -2508,6 +2623,7 @@ wg_session_dtor_timer(void *arg) WG_TRACE("enter"); + wg_schedule_session_dtor_timer(wgp); wg_schedule_peer_task(wgp, WGP_TASK_DESTROY_PREV_SESSION); } @@ -2515,8 +2631,19 @@ static void wg_schedule_session_dtor_timer(struct wg_peer *wgp) { - /* 1 second grace period */ - callout_schedule(&wgp->wgp_session_dtor_timer, hz); + /* + * If the periodic session destructor is already pending to + * handle the previous session, that's fine -- leave it in + * place; it will be scheduled again. + */ + if (callout_pending(&wgp->wgp_session_dtor_timer)) { + WG_DLOG("session dtor already pending\n"); + return; + } + + WG_DLOG("scheduling session dtor in %u secs\n", wg_reject_after_time); + callout_schedule(&wgp->wgp_session_dtor_timer, + wg_reject_after_time*hz); } static bool @@ -2580,6 +2707,7 @@ wg_handle_msg_data(struct wg_softc *wg, struct wg_session *wgs; struct wg_peer *wgp; int state; + uint32_t age; size_t mlen; struct psref psref; int error, af; @@ -2604,12 +2732,15 @@ wg_handle_msg_data(struct wg_softc *wg, * We are only ready to handle data when in INIT_PASSIVE, * ESTABLISHED, or DESTROYING. All transitions out of that * state dissociate the session index and drain psrefs. + * + * atomic_load_acquire matches atomic_store_release in either + * wg_handle_msg_init or wg_handle_msg_resp. (The transition + * INIT_PASSIVE to ESTABLISHED in wg_task_establish_session + * doesn't make a difference for this rx path.) */ - state = atomic_load_relaxed(&wgs->wgs_state); + state = atomic_load_acquire(&wgs->wgs_state); switch (state) { case WGS_STATE_UNKNOWN: - panic("wg session %p in unknown state has session index %u", - wgs, wgmd->wgmd_receiver); case WGS_STATE_INIT_ACTIVE: WG_TRACE("not yet ready for data"); goto out; @@ -2620,6 +2751,16 @@ wg_handle_msg_data(struct wg_softc *wg, } /* + * Reject if the session is too old. + */ + age = time_uptime32 - atomic_load_relaxed(&wgs->wgs_time_established); + if (__predict_false(age >= wg_reject_after_time)) { + WG_DLOG("session %"PRIx32" too old, %"PRIu32" sec\n", + wgmd->wgmd_receiver, age); + goto out; + } + + /* * Get the peer, for rate-limited logs (XXX MPSAFE, dtrace) and * to update the endpoint if authentication succeeds. */ @@ -2730,16 +2871,6 @@ wg_handle_msg_data(struct wg_softc *wg, wgmd = NULL; /* - * Validate the encapsulated packet header and get the address - * family, or drop. - */ - ok = wg_validate_inner_packet(decrypted_buf, decrypted_len, &af); - if (!ok) { - m_freem(n); - goto out; - } - - /* * The packet is genuine. Update the peer's endpoint if the * source address changed. * @@ -2748,6 +2879,16 @@ wg_handle_msg_data(struct wg_softc *wg, */ wg_update_endpoint_if_necessary(wgp, src); + /* + * Validate the encapsulated packet header and get the address + * family, or drop. + */ + ok = wg_validate_inner_packet(decrypted_buf, decrypted_len, &af); + if (!ok) { + m_freem(n); + goto update_state; + } + /* Submit it into our network stack if routable. */ ok = wg_validate_route(wg, wgp, af, decrypted_buf); if (ok) { @@ -2776,6 +2917,7 @@ wg_handle_msg_data(struct wg_softc *wg, } n = NULL; +update_state: /* Update the state machine if necessary. */ if (__predict_false(state == WGS_STATE_INIT_PASSIVE)) { /* @@ -2783,6 +2925,7 @@ wg_handle_msg_data(struct wg_softc *wg, * first data transport message, and that has happened. * Schedule a task to establish this session. */ + /* XXX {TODO4} Do most of this synchronously. */ wg_schedule_peer_task(wgp, WGP_TASK_ESTABLISH_SESSION); } else { if (__predict_false(wg_need_to_send_init_message(wgs))) { @@ -2795,11 +2938,13 @@ wg_handle_msg_data(struct wg_softc *wg, * itself to send back for KEEPALIVE-TIMEOUT seconds, it sends * a keepalive message." */ - WG_DLOG("time_uptime=%ju wgs_time_last_data_sent=%ju\n", - (uintmax_t)time_uptime, - (uintmax_t)wgs->wgs_time_last_data_sent); - if ((time_uptime - wgs->wgs_time_last_data_sent) >= - wg_keepalive_timeout) { + const uint32_t now = time_uptime32; + const uint32_t time_last_data_sent = + atomic_load_relaxed(&wgs->wgs_time_last_data_sent); + WG_DLOG("time_uptime32=%"PRIu32 + " wgs_time_last_data_sent=%"PRIu32"\n", + now, time_last_data_sent); + if ((now - time_last_data_sent) >= wg_keepalive_timeout) { WG_TRACE("Schedule sending keepalive message"); /* * We can't send a keepalive message here to avoid @@ -2845,6 +2990,15 @@ wg_handle_msg_cookie(struct wg_softc *wg goto out; } + /* + * wgp_last_sent_mac1_valid is only set to true when we are + * transitioning to INIT_ACTIVE or INIT_PASSIVE, and always + * cleared on transition out of them. + */ + KASSERTMSG((wgs->wgs_state == WGS_STATE_INIT_ACTIVE || + wgs->wgs_state == WGS_STATE_INIT_PASSIVE), + "state=%d", wgs->wgs_state); + /* Decrypt the cookie and store it for later handshake retry. */ wg_algo_mac_cookie(key, sizeof(key), wgp->wgp_pubkey, sizeof(wgp->wgp_pubkey)); @@ -3027,16 +3181,22 @@ wg_task_send_init_message(struct wg_soft return; } + /* + * If we already have an established session for data tx, + * there's no need to initiate a new one -- unless the + * rekey-after-time or rekey-after-messages limits have passed. + */ wgs = wgp->wgp_session_stable; - if (wgs->wgs_state == WGS_STATE_UNKNOWN) { - /* XXX What if the unstable session is already INIT_ACTIVE? */ - wg_send_handshake_msg_init(wg, wgp); - } else { - /* rekey */ - wgs = wgp->wgp_session_unstable; - if (wgs->wgs_state != WGS_STATE_INIT_ACTIVE) - wg_send_handshake_msg_init(wg, wgp); - } + if (wgs->wgs_state == WGS_STATE_ESTABLISHED && + !atomic_swap_uint(&wgp->wgp_force_rekey, 0)) + return; + + /* + * Ensure we're initiating a new session. If the unstable + * session is already INIT_ACTIVE or INIT_PASSIVE, this does + * nothing. + */ + wg_send_handshake_msg_init(wg, wgp); } static void @@ -3091,12 +3251,32 @@ wg_task_establish_session(struct wg_soft /* XXX Can this happen? */ return; - wgs->wgs_state = WGS_STATE_ESTABLISHED; - wgs->wgs_time_established = time_uptime; wgs->wgs_time_last_data_sent = 0; wgs->wgs_is_initiator = false; + + /* + * Session was already ready to receive data. Transition from + * INIT_PASSIVE to ESTABLISHED just so we can swap the + * sessions. + * + * atomic_store_relaxed because this doesn't affect the data rx + * path, wg_handle_msg_data -- changing from INIT_PASSIVE to + * ESTABLISHED makes no difference to the data rx path, and the + * transition to INIT_PASSIVE with store-release already + * published the state needed by the data rx path. + */ + WG_DLOG("session[L=%"PRIx32" R=%"PRIx32"] -> WGS_STATE_ESTABLISHED\n", + wgs->wgs_local_index, wgs->wgs_remote_index); + atomic_store_relaxed(&wgs->wgs_state, WGS_STATE_ESTABLISHED); WG_TRACE("WGS_STATE_ESTABLISHED"); + /* + * Session is ready to send data too now that we have received + * the peer initiator's first data packet. + * + * Swap the sessions to publish the new one as the stable + * session for the data tx path, wg_output. + */ wg_swap_sessions(wgp); KASSERT(wgs == wgp->wgp_session_stable); wgs_prev = wgp->wgp_session_unstable; @@ -3119,18 +3299,26 @@ wg_task_establish_session(struct wg_soft } if (wgs_prev->wgs_state == WGS_STATE_ESTABLISHED) { - /* Wait for wg_get_stable_session to drain. */ - pserialize_perform(wgp->wgp_psz); - - /* Transition ESTABLISHED->DESTROYING. */ - wgs_prev->wgs_state = WGS_STATE_DESTROYING; - - /* We can't destroy the old session immediately */ - wg_schedule_session_dtor_timer(wgp); + /* + * Transition ESTABLISHED->DESTROYING. The session + * will remain usable for the data rx path to process + * packets still in flight to us, but we won't use it + * for data tx. + */ + WG_DLOG("session[L=%"PRIx32" R=%"PRIx32"]" + " -> WGS_STATE_DESTROYING\n", + wgs_prev->wgs_local_index, wgs_prev->wgs_remote_index); + atomic_store_relaxed(&wgs_prev->wgs_state, + WGS_STATE_DESTROYING); } else { KASSERTMSG(wgs_prev->wgs_state == WGS_STATE_UNKNOWN, "state=%d", wgs_prev->wgs_state); - wg_clear_states(wgs_prev); + WG_DLOG("session[L=%"PRIx32" R=%"PRIx32"]" + " -> WGS_STATE_UNKNOWN\n", + wgs_prev->wgs_local_index, wgs_prev->wgs_remote_index); + wgs->wgs_local_index = 0; /* paranoia */ + wgs->wgs_remote_index = 0; /* paranoia */ + wg_clear_states(wgs_prev); /* paranoia */ wgs_prev->wgs_state = WGS_STATE_UNKNOWN; } } @@ -3175,15 +3363,62 @@ static void wg_task_destroy_prev_session(struct wg_softc *wg, struct wg_peer *wgp) { struct wg_session *wgs; + uint32_t age; WG_TRACE("WGP_TASK_DESTROY_PREV_SESSION"); KASSERT(mutex_owned(wgp->wgp_lock)); + /* + * If theres's any previous unstable session, i.e., one that + * was ESTABLISHED and is now DESTROYING, older than + * reject-after-time, destroy it. Upcoming sessions are still + * in INIT_ACTIVE or INIT_PASSIVE -- we don't touch those here. + * + * No atomic for access to wgs_time_established because it is + * only updated under wgp_lock. + */ wgs = wgp->wgp_session_unstable; - if (wgs->wgs_state == WGS_STATE_DESTROYING) { + KASSERT(wgs->wgs_state != WGS_STATE_ESTABLISHED); + if (wgs->wgs_state == WGS_STATE_DESTROYING && + ((age = (time_uptime32 - wgs->wgs_time_established)) >= + wg_reject_after_time)) { + WG_DLOG("destroying past session %"PRIu32" sec old\n", age); wg_put_session_index(wg, wgs); + KASSERTMSG(wgs->wgs_state == WGS_STATE_UNKNOWN, "state=%d", + wgs->wgs_state); } + + /* + * If theres's any ESTABLISHED stable session older than + * reject-after-time, destroy it. (The stable session can also + * be in UNKNOWN state -- nothing to do in that case) + */ + wgs = wgp->wgp_session_stable; + KASSERT(wgs->wgs_state != WGS_STATE_INIT_ACTIVE); + KASSERT(wgs->wgs_state != WGS_STATE_INIT_PASSIVE); + KASSERT(wgs->wgs_state != WGS_STATE_DESTROYING); + if (wgs->wgs_state == WGS_STATE_ESTABLISHED && + ((age = (time_uptime32 - wgs->wgs_time_established)) >= + wg_reject_after_time)) { + WG_DLOG("destroying current session %"PRIu32" sec old\n", age); + atomic_store_relaxed(&wgs->wgs_state, WGS_STATE_DESTROYING); + wg_put_session_index(wg, wgs); + KASSERTMSG(wgs->wgs_state == WGS_STATE_UNKNOWN, "state=%d", + wgs->wgs_state); + } + + /* + * If there's no sessions left, no need to have the timer run + * until the next time around -- halt it. + * + * It is only ever scheduled with wgp_lock held or in the + * callout itself, and callout_halt prevents rescheudling + * itself, so this never races with rescheduling. + */ + if (wgp->wgp_session_unstable->wgs_state == WGS_STATE_UNKNOWN && + wgp->wgp_session_stable->wgs_state == WGS_STATE_UNKNOWN) + callout_halt(&wgp->wgp_session_dtor_timer, NULL); } static void @@ -3318,9 +3553,10 @@ wg_overudp_cb(struct mbuf **mp, int offs WG_DLOG("type=%d\n", le32toh(wgm.wgm_type)); /* - * Handle DATA packets promptly as they arrive. Other packets - * may require expensive public-key crypto and are not as - * sensitive to latency, so defer them to the worker thread. + * Handle DATA packets promptly as they arrive, if they are in + * an active session. Other packets may require expensive + * public-key crypto and are not as sensitive to latency, so + * defer them to the worker thread. */ switch (le32toh(wgm.wgm_type)) { case WG_MSG_TYPE_DATA: @@ -3371,16 +3607,18 @@ wg_socreate(struct wg_softc *wg, int af, static bool wg_session_hit_limits(struct wg_session *wgs) { + uint32_t time_established = + atomic_load_relaxed(&wgs->wgs_time_established); /* * [W] 6.2: Transport Message Limits * "After REJECT-AFTER-MESSAGES transport data messages or after the * current secure session is REJECT-AFTER-TIME seconds old, whichever - * comes first, WireGuard will refuse to send any more transport data - * messages using the current secure session, ..." + * comes first, WireGuard will refuse to send or receive any more + * transport data messages using the current secure session, ..." */ - KASSERT(wgs->wgs_time_established != 0); - if ((time_uptime - wgs->wgs_time_established) > wg_reject_after_time) { + KASSERT(time_established != 0 || time_uptime > UINT32_MAX); + if ((time_uptime32 - time_established) > wg_reject_after_time) { WG_DLOG("The session hits REJECT_AFTER_TIME\n"); return true; } else if (wg_session_get_send_counter(wgs) > @@ -3421,20 +3659,15 @@ next0: m_freem(m); } static void -wg_rekey_timer(void *arg) -{ - struct wg_peer *wgp = arg; - - wg_schedule_peer_task(wgp, WGP_TASK_SEND_INIT_MESSAGE); -} - -static void wg_purge_pending_packets(struct wg_peer *wgp) { struct mbuf *m; m = atomic_swap_ptr(&wgp->wgp_pending, NULL); m_freem(m); +#ifdef ALTQ + wg_start(&wgp->wgp_sc->wg_if); +#endif pktq_barrier(wg_pktq); } @@ -3456,8 +3689,6 @@ wg_alloc_peer(struct wg_softc *wg) wgp = kmem_zalloc(sizeof(*wgp), KM_SLEEP); wgp->wgp_sc = wg; - callout_init(&wgp->wgp_rekey_timer, CALLOUT_MPSAFE); - callout_setfunc(&wgp->wgp_rekey_timer, wg_rekey_timer, wgp); callout_init(&wgp->wgp_handshake_timeout_timer, CALLOUT_MPSAFE); callout_setfunc(&wgp->wgp_handshake_timeout_timer, wg_handshake_timeout_timer, wgp); @@ -3535,7 +3766,6 @@ wg_destroy_peer(struct wg_peer *wgp) wg_purge_pending_packets(wgp); /* Halt all packet processing and timeouts. */ - callout_halt(&wgp->wgp_rekey_timer, NULL); callout_halt(&wgp->wgp_handshake_timeout_timer, NULL); callout_halt(&wgp->wgp_session_dtor_timer, NULL); @@ -4147,7 +4377,9 @@ wg_send_data_msg(struct wg_peer *wgp, st if_statadd(ifp, if_obytes, mlen); if_statinc(ifp, if_opackets); if (wgs->wgs_is_initiator && - wgs->wgs_time_last_data_sent == 0) { + ((time_uptime32 - + atomic_load_relaxed(&wgs->wgs_time_established)) >= + wg_rekey_after_time)) { /* * [W] 6.2 Transport Message Limits * "if a peer is the initiator of a current secure @@ -4156,9 +4388,13 @@ wg_send_data_msg(struct wg_peer *wgp, st * transmitting a transport data message, the current * secure session is REKEY-AFTER-TIME seconds old," */ - wg_schedule_rekey_timer(wgp); + WG_TRACE("rekey after time"); + atomic_store_relaxed(&wgp->wgp_force_rekey, 1); + wg_schedule_peer_task(wgp, WGP_TASK_SEND_INIT_MESSAGE); } - wgs->wgs_time_last_data_sent = time_uptime; + const uint32_t now = time_uptime32; + atomic_store_relaxed(&wgs->wgs_time_last_data_sent, + MAX(now, 1)); if (wg_session_get_send_counter(wgs) >= wg_rekey_after_messages) { /* @@ -4168,6 +4404,8 @@ wg_send_data_msg(struct wg_peer *wgp, st * 5.4.2), after it has sent REKEY-AFTER-MESSAGES * transport data messages..." */ + WG_TRACE("rekey after messages"); + atomic_store_relaxed(&wgp->wgp_force_rekey, 1); wg_schedule_peer_task(wgp, WGP_TASK_SEND_INIT_MESSAGE); } } diff -r 339526e66e4a tests/net/if_wg/t_misc.sh --- a/tests/net/if_wg/t_misc.sh Fri Jul 26 18:54:49 2024 +0000 +++ b/tests/net/if_wg/t_misc.sh Sat Jul 27 23:33:43 2024 +0000 @@ -80,14 +80,12 @@ wg_rekey_body() latest_handshake=$($HIJACKING wgconfig wg0 show peer peer0 \ | awk -F ': ' '/latest-handshake/ {print $2;}') - $DEBUG && echo $latest_handshake + $DEBUG && echo handshake1=$latest_handshake sleep 1 $ping $ip_wg_peer - atf_expect_fail "PR kern/56252" - # No reinitiation is performed atf_check -s exit:0 -o match:"$latest_handshake" \ $HIJACKING wgconfig wg0 show peer peer0 @@ -103,7 +101,7 @@ wg_rekey_body() latest_handshake=$($HIJACKING wgconfig wg0 show peer peer0 \ | awk -F ': ' '/latest-handshake/ {print $2;}') - $DEBUG && echo $latest_handshake + $DEBUG && echo handshake2=$latest_handshake # Wait for a reinitiation to be performed again sleep $((rekey_after_time+1)) @@ -115,8 +113,6 @@ wg_rekey_body() $HIJACKING wgconfig wg0 show peer peer0 destroy_wg_interfaces - - atf_fail "failed to trigger PR kern/56252" } wg_rekey_cleanup() @@ -143,10 +139,9 @@ wg_handshake_timeout_body() local ip_wg_local=10.0.0.1 local ip_wg_peer=10.0.0.2 local port=51820 - local rekey_after_time=3 local outfile=./out - local rekey_timeout=3 - local rekey_attempt_time=8 + local rekey_timeout=4 + local rekey_attempt_time=10 local n= setup_servers @@ -198,8 +193,6 @@ wg_handshake_timeout_body() n=$(grep "$ip_local.$port > $ip_peer.$port" $outfile |wc -l) - atf_expect_fail "PR kern/56252" - # Give up handshaking after three attempts atf_check_equal $n 3 @@ -208,8 +201,6 @@ wg_handshake_timeout_body() export RUMP_SERVER=$SOCK_LOCAL destroy_wg_interfaces - - atf_fail "failed to trigger PR kern/56252" } wg_handshake_timeout_cleanup() @@ -271,8 +262,6 @@ wg_cookie_body() # and a session doesn't start $ping_fail $ip_wg_peer - atf_expect_fail "PR kern/56252" - extract_new_packets $BUS > $outfile $DEBUG && cat $outfile # XXX length 64 indicates the message is a cookie message @@ -296,8 +285,6 @@ wg_cookie_body() $HIJACKING wgconfig wg0 destroy_wg_interfaces - - atf_fail "failed to trigger PR kern/56252" } wg_cookie_cleanup() @@ -354,8 +341,6 @@ wg_mobility_body() export RUMP_SERVER=$SOCK_LOCAL $ping_fail $ip_wg_peer - atf_expect_fail "PR kern/56252" - extract_new_packets $BUS > $outfile $DEBUG && cat $outfile @@ -394,8 +379,6 @@ wg_mobility_body() atf_check -s exit:0 -o not-match:"$ip_local.$port > $ip_peer.$port" cat $outfile destroy_wg_interfaces - - atf_fail "failed to trigger PR kern/56252" } wg_mobility_cleanup()