# HG changeset patch # User Taylor R Campbell # Date 1722119342 0 # Sat Jul 27 22:29:02 2024 +0000 # Branch trunk # Node ID e96cb0a52048e040411ba2021a8bdb1e82bcf6b3 # Parent 339526e66e4aea955f909bb1f1d564c86e26962f # EXP-Topic riastradh-pr58463-wgidle wg(4): Rework some details of internal session state machine. This way: - There is a clear transition between when a session is being set up, and when it is exposed to the data rx path (wg_handle_msg_data): atomic_store_release to set wgs->wgs_state to INIT_PASSIVE or ESTABLISHED. (The transition INIT_PASSIVE -> ESTABLISHED is immaterial to the data rx path, so that's just atomic_store_relaxed. Similarly the transition to DESTROYING.) - There is a clear transition between when a session is being set up, and when it is exposed to the data tx path (wg_output): atomic_store_release to set wgp->wgp_session_stable to it. - Every path that reinitializes a session must go through wg_destroy_session via wg_put_index_session first. This avoids races between session reuse and the data rx/tx paths. - Add a log message at the time of every state transition. PR kern/56252 PR kern/58463 diff -r 339526e66e4a -r e96cb0a52048 sys/net/if_wg.c --- a/sys/net/if_wg.c Fri Jul 26 18:54:49 2024 +0000 +++ b/sys/net/if_wg.c Sat Jul 27 22:29:02 2024 +0000 @@ -1274,8 +1274,16 @@ wg_destroy_session(struct wg_softc *wg, pserialize_perform(wgp->wgp_psz); psref_target_destroy(&wgs->wgs_psref, wg_psref_class); - /* Free memory, zero state, and transition to UNKNOWN. */ + /* + * Free memory, zero state, and transition to UNKNOWN. We have + * exclusive access to the session now, so there is no need for + * an atomic store. + */ thmap_gc(wg->wg_sessions_byindex, garbage); + WG_DLOG("session[L=%"PRIx32" R=%"PRIx32"] -> WGS_STATE_UNKNOWN\n", + wgs->wgs_local_index, wgs->wgs_remote_index); + wgs->wgs_local_index = 0; + wgs->wgs_remote_index = 0; wg_clear_states(wgs); wgs->wgs_state = WGS_STATE_UNKNOWN; } @@ -1298,7 +1306,8 @@ wg_get_session_index(struct wg_softc *wg KASSERT(mutex_owned(wgp->wgp_lock)); KASSERT(wgs == wgp->wgp_session_unstable); - KASSERT(wgs->wgs_state == WGS_STATE_UNKNOWN); + KASSERTMSG(wgs->wgs_state == WGS_STATE_UNKNOWN, "state=%d", + wgs->wgs_state); do { /* Pick a uniform random index. */ @@ -1371,7 +1380,8 @@ wg_fill_msg_init(struct wg_softc *wg, st KASSERT(mutex_owned(wgp->wgp_lock)); KASSERT(wgs == wgp->wgp_session_unstable); - KASSERT(wgs->wgs_state == WGS_STATE_INIT_ACTIVE); + KASSERTMSG(wgs->wgs_state == WGS_STATE_INIT_ACTIVE, "state=%d", + wgs->wgs_state); wgmi->wgmi_type = htole32(WG_MSG_TYPE_INIT); wgmi->wgmi_sender = wgs->wgs_local_index; @@ -1614,29 +1624,40 @@ wg_handle_msg_init(struct wg_softc *wg, wgs = wgp->wgp_session_unstable; switch (wgs->wgs_state) { case WGS_STATE_UNKNOWN: /* new session initiated by peer */ - wg_get_session_index(wg, wgs); break; case WGS_STATE_INIT_ACTIVE: /* we're already initiating, drop */ + /* XXX {TODO5} Who wins if both sides send INIT? */ WG_TRACE("Session already initializing, ignoring the message"); goto out; case WGS_STATE_INIT_PASSIVE: /* peer is retrying, start over */ WG_TRACE("Session already initializing, destroying old states"); - wg_clear_states(wgs); - /* keep session index */ + /* + * XXX Avoid this -- just resend our response -- if the + * INIT message is identical to the previous one. + */ + wg_put_session_index(wg, wgs); + KASSERTMSG(wgs->wgs_state == WGS_STATE_UNKNOWN, "state=%d", + wgs->wgs_state); break; case WGS_STATE_ESTABLISHED: /* can't happen */ panic("unstable session can't be established"); - break; case WGS_STATE_DESTROYING: /* rekey initiated by peer */ WG_TRACE("Session destroying, but force to clear"); callout_stop(&wgp->wgp_session_dtor_timer); - wg_clear_states(wgs); - /* keep session index */ + wg_put_session_index(wg, wgs); + KASSERTMSG(wgs->wgs_state == WGS_STATE_UNKNOWN, "state=%d", + wgs->wgs_state); break; default: panic("invalid session state: %d", wgs->wgs_state); } - wgs->wgs_state = WGS_STATE_INIT_PASSIVE; + + /* + * Assign a fresh session index. + */ + KASSERTMSG(wgs->wgs_state == WGS_STATE_UNKNOWN, "state=%d", + wgs->wgs_state); + wg_get_session_index(wg, wgs); memcpy(wgs->wgs_handshake_hash, hash, sizeof(hash)); memcpy(wgs->wgs_chaining_key, ckey, sizeof(ckey)); @@ -1645,11 +1666,36 @@ wg_handle_msg_init(struct wg_softc *wg, wg_update_endpoint_if_necessary(wgp, src); + /* + * Respond to the initiator with our ephemeral public key. + */ (void)wg_send_handshake_msg_resp(wg, wgp, wgs, wgmi); + WG_DLOG("session[L=%"PRIx32" R=%"PRIx32"]:" + " calculate keys as responder\n", + wgs->wgs_local_index, wgs->wgs_remote_index); wg_calculate_keys(wgs, false); wg_clear_states(wgs); + /* + * Session is ready to receive data now that we have received + * the peer initiator's ephemeral key pair, generated our + * responder's ephemeral key pair, and derived a session key. + * + * Transition from UNKNOWN to INIT_PASSIVE to publish it to the + * data rx path, wg_handle_msg_data, where the + * atomic_load_acquire matching this atomic_store_release + * happens. + * + * (Session is not, however, ready to send data until the peer + * has acknowledged our response by sending its first data + * packet. So don't swap the sessions yet.) + */ + WG_DLOG("session[L=%"PRIx32" R=%"PRIx32"] -> WGS_STATE_INIT_PASSIVE\n", + wgs->wgs_local_index, wgs->wgs_remote_index); + atomic_store_release(&wgs->wgs_state, WGS_STATE_INIT_PASSIVE); + WG_TRACE("WGS_STATE_INIT_PASSIVE"); + out: mutex_exit(wgp->wgp_lock); wg_put_peer(wgp, &psref_peer); @@ -1731,25 +1777,50 @@ wg_send_handshake_msg_init(struct wg_sof /* XXX pull dispatch out into wg_task_send_init_message */ switch (wgs->wgs_state) { case WGS_STATE_UNKNOWN: /* new session initiated by us */ - wg_get_session_index(wg, wgs); break; case WGS_STATE_INIT_ACTIVE: /* we're already initiating, stop */ WG_TRACE("Session already initializing, skip starting new one"); return EBUSY; case WGS_STATE_INIT_PASSIVE: /* peer was trying -- XXX what now? */ + /* XXX {TODO5} Who wins if both sides send INIT? Coin toss? */ +#if 1 + WG_TRACE("Session already initializing, waiting for peer"); + return EBUSY; +#else WG_TRACE("Session already initializing, destroying old states"); - wg_clear_states(wgs); - /* keep session index */ + wg_put_session_index(wg, wgs); + KASSERTMSG(wgs->wgs_state == WGS_STATE_UNKNOWN, "state=%d", + wgs->wgs_state); +#endif break; case WGS_STATE_ESTABLISHED: /* can't happen */ panic("unstable session can't be established"); - break; case WGS_STATE_DESTROYING: /* rekey initiated by us too early */ WG_TRACE("Session destroying"); - /* XXX should wait? */ - return EBUSY; + wg_put_session_index(wg, wgs); + KASSERTMSG(wgs->wgs_state == WGS_STATE_UNKNOWN, "state=%d", + wgs->wgs_state); + break; } - wgs->wgs_state = WGS_STATE_INIT_ACTIVE; + + /* + * Assign a fresh session index. + */ + KASSERTMSG(wgs->wgs_state == WGS_STATE_UNKNOWN, "state=%d", + wgs->wgs_state); + wg_get_session_index(wg, wgs); + + /* + * We have initiated a session. Transition to INIT_ACTIVE. + * This doesn't publish it for use in the data rx path, + * wg_handle_msg_data, or in the data tx path, wg_output -- we + * have to wait for the peer to respond with their ephemeral + * public key before we can derive a session key for tx/rx. + * Hence only atomic_store_relaxed. + */ + WG_DLOG("session[L=%"PRIx32" R=(unknown)] -> WGS_STATE_INIT_ACTIVE\n", + wgs->wgs_local_index); + atomic_store_relaxed(&wgs->wgs_state, WGS_STATE_INIT_ACTIVE); m = m_gethdr(M_WAIT, MT_DATA); if (sizeof(*wgmi) > MHLEN) { @@ -1791,7 +1862,8 @@ wg_fill_msg_resp(struct wg_softc *wg, st KASSERT(mutex_owned(wgp->wgp_lock)); KASSERT(wgs == wgp->wgp_session_unstable); - KASSERT(wgs->wgs_state == WGS_STATE_INIT_PASSIVE); + KASSERTMSG(wgs->wgs_state == WGS_STATE_UNKNOWN, "state=%d", + wgs->wgs_state); memcpy(hash, wgs->wgs_handshake_hash, sizeof(hash)); memcpy(ckey, wgs->wgs_chaining_key, sizeof(ckey)); @@ -1881,11 +1953,13 @@ wg_swap_sessions(struct wg_peer *wgp) KASSERT(mutex_owned(wgp->wgp_lock)); wgs = wgp->wgp_session_unstable; - KASSERT(wgs->wgs_state == WGS_STATE_ESTABLISHED); + KASSERTMSG(wgs->wgs_state == WGS_STATE_ESTABLISHED, "state=%d", + wgs->wgs_state); wgs_prev = wgp->wgp_session_stable; - KASSERT(wgs_prev->wgs_state == WGS_STATE_ESTABLISHED || - wgs_prev->wgs_state == WGS_STATE_UNKNOWN); + KASSERTMSG((wgs_prev->wgs_state == WGS_STATE_ESTABLISHED || + wgs_prev->wgs_state == WGS_STATE_UNKNOWN), + "state=%d", wgs_prev->wgs_state); atomic_store_release(&wgp->wgp_session_stable, wgs); wgp->wgp_session_unstable = wgs_prev; } @@ -2033,17 +2107,38 @@ wg_handle_msg_resp(struct wg_softc *wg, wgs->wgs_remote_index = wgmr->wgmr_sender; WG_DLOG("receiver=%x\n", wgs->wgs_remote_index); - KASSERT(wgs->wgs_state == WGS_STATE_INIT_ACTIVE); - wgs->wgs_state = WGS_STATE_ESTABLISHED; + KASSERTMSG(wgs->wgs_state == WGS_STATE_INIT_ACTIVE, "state=%d", + wgs->wgs_state); wgs->wgs_time_established = time_uptime; wgs->wgs_time_last_data_sent = 0; wgs->wgs_is_initiator = true; + WG_DLOG("session[L=%"PRIx32" R=%"PRIx32"]:" + " calculate keys as initiator\n", + wgs->wgs_local_index, wgs->wgs_remote_index); wg_calculate_keys(wgs, true); wg_clear_states(wgs); + + /* + * Session is ready to receive data now that we have received + * the responder's response. + * + * Transition from INIT_ACTIVE to ESTABLISHED to publish it to + * the data rx path, wg_handle_msg_data. + */ + WG_DLOG("session[L=%"PRIx32" R=%"PRIx32" -> WGS_STATE_ESTABLISHED\n", + wgs->wgs_local_index, wgs->wgs_remote_index); + atomic_store_release(&wgs->wgs_state, WGS_STATE_ESTABLISHED); WG_TRACE("WGS_STATE_ESTABLISHED"); callout_stop(&wgp->wgp_handshake_timeout_timer); + /* + * Session is ready to send data now that we have received the + * responder's response. + * + * Swap the sessions to publish the new one as the stable + * session for the data tx path, wg_output. + */ wg_swap_sessions(wgp); KASSERT(wgs == wgp->wgp_session_stable); wgs_prev = wgp->wgp_session_unstable; @@ -2077,10 +2172,20 @@ wg_handle_msg_resp(struct wg_softc *wg, if (wgs_prev->wgs_state == WGS_STATE_ESTABLISHED) { /* Wait for wg_get_stable_session to drain. */ + /* XXX {TODO6} pserialize_perform only in wg_destroy_session */ pserialize_perform(wgp->wgp_psz); - /* Transition ESTABLISHED->DESTROYING. */ - wgs_prev->wgs_state = WGS_STATE_DESTROYING; + /* + * Transition ESTABLISHED->DESTROYING. The session + * will remain usable for the data rx path to process + * packets still in flight to us, but we won't use it + * for data tx. + */ + WG_DLOG("session[L=%"PRIx32" R=%"PRIx32"]" + " -> WGS_STATE_DESTROYING\n", + wgs_prev->wgs_local_index, wgs_prev->wgs_remote_index); + atomic_store_relaxed(&wgs_prev->wgs_state, + WGS_STATE_DESTROYING); /* We can't destroy the old session immediately */ wg_schedule_session_dtor_timer(wgp); @@ -2104,7 +2209,8 @@ wg_send_handshake_msg_resp(struct wg_sof KASSERT(mutex_owned(wgp->wgp_lock)); KASSERT(wgs == wgp->wgp_session_unstable); - KASSERT(wgs->wgs_state == WGS_STATE_INIT_PASSIVE); + KASSERTMSG(wgs->wgs_state == WGS_STATE_UNKNOWN, "state=%d", + wgs->wgs_state); m = m_gethdr(M_WAIT, MT_DATA); if (sizeof(*wgmr) > MHLEN) { @@ -2321,8 +2427,11 @@ wg_lookup_session_by_index(struct wg_sof int s = pserialize_read_enter(); wgs = thmap_get(wg->wg_sessions_byindex, &index, sizeof index); if (wgs != NULL) { - KASSERT(atomic_load_relaxed(&wgs->wgs_state) != - WGS_STATE_UNKNOWN); + uint32_t oindex __diagused = + atomic_load_relaxed(&wgs->wgs_local_index); + KASSERTMSG(index == oindex, + "index=%"PRIx32" wgs->wgs_local_index=%"PRIx32, + index, oindex); psref_acquire(psref, &wgs->wgs_psref, wg_psref_class); } pserialize_read_exit(s); @@ -2604,12 +2713,15 @@ wg_handle_msg_data(struct wg_softc *wg, * We are only ready to handle data when in INIT_PASSIVE, * ESTABLISHED, or DESTROYING. All transitions out of that * state dissociate the session index and drain psrefs. + * + * atomic_load_acquire matches atomic_store_release in either + * wg_handle_msg_init or wg_handle_msg_resp. (The transition + * INIT_PASSIVE to ESTABLISHED in wg_task_establish_session + * doesn't make a difference for this rx path.) */ - state = atomic_load_relaxed(&wgs->wgs_state); + state = atomic_load_acquire(&wgs->wgs_state); switch (state) { case WGS_STATE_UNKNOWN: - panic("wg session %p in unknown state has session index %u", - wgs, wgmd->wgmd_receiver); case WGS_STATE_INIT_ACTIVE: WG_TRACE("not yet ready for data"); goto out; @@ -2783,6 +2895,7 @@ wg_handle_msg_data(struct wg_softc *wg, * first data transport message, and that has happened. * Schedule a task to establish this session. */ + /* XXX {TODO4} Do most of this synchronously. */ wg_schedule_peer_task(wgp, WGP_TASK_ESTABLISH_SESSION); } else { if (__predict_false(wg_need_to_send_init_message(wgs))) { @@ -2845,6 +2958,15 @@ wg_handle_msg_cookie(struct wg_softc *wg goto out; } + /* + * wgp_last_sent_mac1_valid is only set to true when we are + * transitioning to INIT_ACTIVE or INIT_PASSIVE, and always + * cleared on transition out of them. + */ + KASSERTMSG((wgs->wgs_state == WGS_STATE_INIT_ACTIVE || + wgs->wgs_state == WGS_STATE_INIT_PASSIVE), + "state=%d", wgs->wgs_state); + /* Decrypt the cookie and store it for later handshake retry. */ wg_algo_mac_cookie(key, sizeof(key), wgp->wgp_pubkey, sizeof(wgp->wgp_pubkey)); @@ -3027,6 +3149,7 @@ wg_task_send_init_message(struct wg_soft return; } + /* XXX {TODO4} */ wgs = wgp->wgp_session_stable; if (wgs->wgs_state == WGS_STATE_UNKNOWN) { /* XXX What if the unstable session is already INIT_ACTIVE? */ @@ -3091,12 +3214,33 @@ wg_task_establish_session(struct wg_soft /* XXX Can this happen? */ return; - wgs->wgs_state = WGS_STATE_ESTABLISHED; wgs->wgs_time_established = time_uptime; wgs->wgs_time_last_data_sent = 0; wgs->wgs_is_initiator = false; + + /* + * Session was already ready to receive data. Transition from + * INIT_PASSIVE to ESTABLISHED just so we can swap the + * sessions. + * + * atomic_store_relaxed because this doesn't affect the data rx + * path, wg_handle_msg_data -- changing from INIT_PASSIVE to + * ESTABLISHED makes no difference to the data rx path, and the + * transition to INIT_PASSIVE with store-release already + * published the state needed by the data rx path. + */ + WG_DLOG("session[L=%"PRIx32" R=%"PRIx32"] -> WGS_STATE_ESTABLISHED\n", + wgs->wgs_local_index, wgs->wgs_remote_index); + atomic_store_relaxed(&wgs->wgs_state, WGS_STATE_ESTABLISHED); WG_TRACE("WGS_STATE_ESTABLISHED"); + /* + * Session is ready to send data too now that we have received + * the peer initiator's first data packet. + * + * Swap the sessions to publish the new one as the stable + * session for the data tx path, wg_output. + */ wg_swap_sessions(wgp); KASSERT(wgs == wgp->wgp_session_stable); wgs_prev = wgp->wgp_session_unstable; @@ -3120,17 +3264,32 @@ wg_task_establish_session(struct wg_soft if (wgs_prev->wgs_state == WGS_STATE_ESTABLISHED) { /* Wait for wg_get_stable_session to drain. */ + /* XXX {TODO6} pserialize_perform only in wg_destroy_session */ pserialize_perform(wgp->wgp_psz); - /* Transition ESTABLISHED->DESTROYING. */ - wgs_prev->wgs_state = WGS_STATE_DESTROYING; + /* + * Transition ESTABLISHED->DESTROYING. The session + * will remain usable for the data rx path to process + * packets still in flight to us, but we won't use it + * for data tx. + */ + WG_DLOG("session[L=%"PRIx32" R=%"PRIx32"]" + " -> WGS_STATE_DESTROYING\n", + wgs_prev->wgs_local_index, wgs_prev->wgs_remote_index); + atomic_store_relaxed(&wgs_prev->wgs_state, + WGS_STATE_DESTROYING); /* We can't destroy the old session immediately */ wg_schedule_session_dtor_timer(wgp); } else { KASSERTMSG(wgs_prev->wgs_state == WGS_STATE_UNKNOWN, "state=%d", wgs_prev->wgs_state); - wg_clear_states(wgs_prev); + WG_DLOG("session[L=%"PRIx32" R=%"PRIx32"]" + " -> WGS_STATE_UNKNOWN\n", + wgs_prev->wgs_local_index, wgs_prev->wgs_remote_index); + wgs->wgs_local_index = 0; /* paranoia */ + wgs->wgs_remote_index = 0; /* paranoia */ + wg_clear_states(wgs_prev); /* paranoia */ wgs_prev->wgs_state = WGS_STATE_UNKNOWN; } } @@ -3318,9 +3477,10 @@ wg_overudp_cb(struct mbuf **mp, int offs WG_DLOG("type=%d\n", le32toh(wgm.wgm_type)); /* - * Handle DATA packets promptly as they arrive. Other packets - * may require expensive public-key crypto and are not as - * sensitive to latency, so defer them to the worker thread. + * Handle DATA packets promptly as they arrive, if they are in + * an active session. Other packets may require expensive + * public-key crypto and are not as sensitive to latency, so + * defer them to the worker thread. */ switch (le32toh(wgm.wgm_type)) { case WG_MSG_TYPE_DATA: # HG changeset patch # User Taylor R Campbell # Date 1722100781 0 # Sat Jul 27 17:19:41 2024 +0000 # Branch trunk # Node ID e74f6d3a25bdfb5d4632cc93a0c74802794a2116 # Parent e96cb0a52048e040411ba2021a8bdb1e82bcf6b3 # EXP-Topic riastradh-pr58463-wgidle wg(4): Simplify logic to ensure session initiation is underway. Related to: PR kern/56252 PR kern/58463 diff -r e96cb0a52048 -r e74f6d3a25bd sys/net/if_wg.c --- a/sys/net/if_wg.c Sat Jul 27 22:29:02 2024 +0000 +++ b/sys/net/if_wg.c Sat Jul 27 17:19:41 2024 +0000 @@ -610,6 +610,8 @@ struct wg_peer { time_t wgp_handshake_start_time; + volatile bool wgp_rekey_after_time; + int wgp_n_allowedips; struct wg_allowedip wgp_allowedips[WG_ALLOWEDIPS]; @@ -3149,17 +3151,22 @@ wg_task_send_init_message(struct wg_soft return; } - /* XXX {TODO4} */ + /* + * If we already have an established session for data tx, + * there's no need to initiate a new one -- unless the + * rekey-after-time has passed. + */ wgs = wgp->wgp_session_stable; - if (wgs->wgs_state == WGS_STATE_UNKNOWN) { - /* XXX What if the unstable session is already INIT_ACTIVE? */ - wg_send_handshake_msg_init(wg, wgp); - } else { - /* rekey */ - wgs = wgp->wgp_session_unstable; - if (wgs->wgs_state != WGS_STATE_INIT_ACTIVE) - wg_send_handshake_msg_init(wg, wgp); - } + if (wgs->wgs_state == WGS_STATE_ESTABLISHED && + !atomic_load_relaxed(&wgp->wgp_rekey_after_time)) + return; + + /* + * Ensure we're initiating a new session. If the unstable + * session is already INIT_ACTIVE or INIT_PASSIVE, this does + * nothing. + */ + wg_send_handshake_msg_init(wg, wgp); } static void @@ -3585,6 +3592,7 @@ wg_rekey_timer(void *arg) { struct wg_peer *wgp = arg; + atomic_store_relaxed(&wgp->wgp_rekey_after_time, true); wg_schedule_peer_task(wgp, WGP_TASK_SEND_INIT_MESSAGE); } # HG changeset patch # User Taylor R Campbell # Date 1721996896 0 # Fri Jul 26 12:28:16 2024 +0000 # Branch trunk # Node ID 1c49af7c338cf08fd3d229077e35cd801ae275d7 # Parent e74f6d3a25bdfb5d4632cc93a0c74802794a2116 # EXP-Topic riastradh-pr58463-wgidle wg(4): Use callout_halt, not callout_stop. It's possible that callout_stop might work here, but let's simplify reasoning about it -- the timers in question only take the peer intr lock, so it's safe to wait for them while holding the peer lock in the handshake worker thread. We may have to undo the task bit but that will take a bit more analysis to determine. Prompted by: PR kern/56252 PR kern/58463 diff -r e74f6d3a25bd -r 1c49af7c338c sys/net/if_wg.c --- a/sys/net/if_wg.c Sat Jul 27 17:19:41 2024 +0000 +++ b/sys/net/if_wg.c Fri Jul 26 12:28:16 2024 +0000 @@ -1645,7 +1645,7 @@ wg_handle_msg_init(struct wg_softc *wg, panic("unstable session can't be established"); case WGS_STATE_DESTROYING: /* rekey initiated by peer */ WG_TRACE("Session destroying, but force to clear"); - callout_stop(&wgp->wgp_session_dtor_timer); + callout_halt(&wgp->wgp_session_dtor_timer, NULL); wg_put_session_index(wg, wgs); KASSERTMSG(wgs->wgs_state == WGS_STATE_UNKNOWN, "state=%d", wgs->wgs_state); @@ -2132,7 +2132,7 @@ wg_handle_msg_resp(struct wg_softc *wg, atomic_store_release(&wgs->wgs_state, WGS_STATE_ESTABLISHED); WG_TRACE("WGS_STATE_ESTABLISHED"); - callout_stop(&wgp->wgp_handshake_timeout_timer); + callout_halt(&wgp->wgp_handshake_timeout_timer, NULL); /* * Session is ready to send data now that we have received the # HG changeset patch # User Taylor R Campbell # Date 1721997005 0 # Fri Jul 26 12:30:05 2024 +0000 # Branch trunk # Node ID 2825d780d3ccdb5fee4716ef819dc5bdcd46522e # Parent 1c49af7c338cf08fd3d229077e35cd801ae275d7 # EXP-Topic riastradh-pr58463-wgidle wg(4): Omit needless pserialize_perform on transition to DESTROYING. A session can still be used when it is in the DESTROYING state, so there's no need to wait for users to drain here -- that's the whole point of a separate DESTROYING state. It is only the transition from DESTROYING back to UNKNOWN, after the session has been unpublished so no new users can begin, that requires waiting for all users to drain, and we already do that in wg_destroy_session. Prompted by: PR kern/56252 PR kern/58463 diff -r 1c49af7c338c -r 2825d780d3cc sys/net/if_wg.c --- a/sys/net/if_wg.c Fri Jul 26 12:28:16 2024 +0000 +++ b/sys/net/if_wg.c Fri Jul 26 12:30:05 2024 +0000 @@ -2173,10 +2173,6 @@ wg_handle_msg_resp(struct wg_softc *wg, } if (wgs_prev->wgs_state == WGS_STATE_ESTABLISHED) { - /* Wait for wg_get_stable_session to drain. */ - /* XXX {TODO6} pserialize_perform only in wg_destroy_session */ - pserialize_perform(wgp->wgp_psz); - /* * Transition ESTABLISHED->DESTROYING. The session * will remain usable for the data rx path to process @@ -3270,10 +3266,6 @@ wg_task_establish_session(struct wg_soft } if (wgs_prev->wgs_state == WGS_STATE_ESTABLISHED) { - /* Wait for wg_get_stable_session to drain. */ - /* XXX {TODO6} pserialize_perform only in wg_destroy_session */ - pserialize_perform(wgp->wgp_psz); - /* * Transition ESTABLISHED->DESTROYING. The session * will remain usable for the data rx path to process # HG changeset patch # User Taylor R Campbell # Date 1722001306 0 # Fri Jul 26 13:41:46 2024 +0000 # Branch trunk # Node ID 46f22ae9f0563ec7c2797d45453efa46a086dadd # Parent 2825d780d3ccdb5fee4716ef819dc5bdcd46522e # EXP-Topic riastradh-pr58463-wgidle wg(4): Trace rekey decisions. Prompted by: PR kern/56252 PR kern/58463 diff -r 2825d780d3cc -r 46f22ae9f056 sys/net/if_wg.c --- a/sys/net/if_wg.c Fri Jul 26 12:30:05 2024 +0000 +++ b/sys/net/if_wg.c Fri Jul 26 13:41:46 2024 +0000 @@ -3584,6 +3584,7 @@ wg_rekey_timer(void *arg) { struct wg_peer *wgp = arg; + WG_TRACE("rekey after time"); atomic_store_relaxed(&wgp->wgp_rekey_after_time, true); wg_schedule_peer_task(wgp, WGP_TASK_SEND_INIT_MESSAGE); } @@ -4328,6 +4329,7 @@ wg_send_data_msg(struct wg_peer *wgp, st * 5.4.2), after it has sent REKEY-AFTER-MESSAGES * transport data messages..." */ + WG_TRACE("rekey after messages"); wg_schedule_peer_task(wgp, WGP_TASK_SEND_INIT_MESSAGE); } } # HG changeset patch # User Taylor R Campbell # Date 1722023661 0 # Fri Jul 26 19:54:21 2024 +0000 # Branch trunk # Node ID 388362ef717bd437df2afdf41730eca4aa11a3ab # Parent 46f22ae9f0563ec7c2797d45453efa46a086dadd # EXP-Topic riastradh-pr58463-wgidle wg(4): Expand cookie secret to 32 bytes. This is only relevant for denial of service mitigation, so it's not that big a deal, and the spec doesn't say anything about the size, but let's make it the standard key size. diff -r 46f22ae9f056 -r 388362ef717b sys/net/if_wg.c --- a/sys/net/if_wg.c Fri Jul 26 13:41:46 2024 +0000 +++ b/sys/net/if_wg.c Fri Jul 26 19:54:21 2024 +0000 @@ -343,7 +343,7 @@ wg_dump_hash(const uint8_t *func, const #define WG_COOKIE_LEN 16 #define WG_MAC_LEN 16 -#define WG_RANDVAL_LEN 24 +#define WG_COOKIESECRET_LEN 32 #define WG_EPHEMERAL_KEY_LEN CURVE25519_KEY_LEN /* [N] 5.2: "ck: A chaining key of HASHLEN bytes" */ @@ -624,8 +624,8 @@ struct wg_peer { time_t wgp_last_msg_received_time[WG_MSG_TYPE_MAX]; - time_t wgp_last_genrandval_time; - uint32_t wgp_randval; + time_t wgp_last_cookiesecret_time; + uint8_t wgp_cookiesecret[WG_COOKIESECRET_LEN]; struct wg_ppsratecheck wgp_ppsratecheck; @@ -693,7 +693,7 @@ struct wg_softc { #define WG_KEEPALIVE_TIMEOUT 10 #define WG_COOKIE_TIME 120 -#define WG_RANDVAL_TIME (2 * 60) +#define WG_COOKIESECRET_TIME (2 * 60) static uint64_t wg_rekey_after_messages = WG_REKEY_AFTER_MESSAGES; static uint64_t wg_reject_after_messages = WG_REJECT_AFTER_MESSAGES; @@ -2262,9 +2262,11 @@ wg_fill_msg_cookie(struct wg_softc *wg, * "The secret variable, Rm, changes every two minutes to a * random value" */ - if ((time_uptime - wgp->wgp_last_genrandval_time) > WG_RANDVAL_TIME) { - wgp->wgp_randval = cprng_strong32(); - wgp->wgp_last_genrandval_time = time_uptime; + if ((time_uptime - wgp->wgp_last_cookiesecret_time) > + WG_COOKIESECRET_TIME) { + cprng_strong(kern_cprng, wgp->wgp_cookiesecret, + sizeof(wgp->wgp_cookiesecret), 0); + wgp->wgp_last_cookiesecret_time = time_uptime; } switch (src->sa_family) { @@ -2289,7 +2291,7 @@ wg_fill_msg_cookie(struct wg_softc *wg, } wg_algo_mac(cookie, sizeof(cookie), - (const uint8_t *)&wgp->wgp_randval, sizeof(wgp->wgp_randval), + wgp->wgp_cookiesecret, sizeof(wgp->wgp_cookiesecret), addr, addrlen, (const uint8_t *)&uh_sport, sizeof(uh_sport)); wg_algo_mac_cookie(key, sizeof(key), wg->wg_pubkey, sizeof(wg->wg_pubkey)); # HG changeset patch # User Taylor R Campbell # Date 1722087961 0 # Sat Jul 27 13:46:01 2024 +0000 # Branch trunk # Node ID d40c3cc3b8236d583c33ad84a4ca5b234f753f33 # Parent 388362ef717bd437df2afdf41730eca4aa11a3ab # EXP-Topic riastradh-pr58463-wgidle wg(4): Mark wgp_pending volatile to reflect its usage. diff -r 388362ef717b -r d40c3cc3b823 sys/net/if_wg.c --- a/sys/net/if_wg.c Fri Jul 26 19:54:21 2024 +0000 +++ b/sys/net/if_wg.c Sat Jul 27 13:46:01 2024 +0000 @@ -597,7 +597,7 @@ struct wg_peer { struct wg_session *wgp_session_unstable; /* first outgoing packet awaiting session initiation */ - struct mbuf *wgp_pending; + struct mbuf *volatile wgp_pending; /* timestamp in big-endian */ wg_timestamp_t wgp_timestamp_latest_init; # HG changeset patch # User Taylor R Campbell # Date 1722103706 0 # Sat Jul 27 18:08:26 2024 +0000 # Branch trunk # Node ID 09088f30869be5590f7723b9ab9f047a14a3a4dd # Parent d40c3cc3b8236d583c33ad84a4ca5b234f753f33 # EXP-Topic riastradh-pr58463-wgidle wg(4): Fix session destruction. Schedule destruction as soon as the session is created, to ensure key erasure within 2*reject-after-time seconds. Previously, we would schedule destruction of the previous session 1 second after the next one has been established -- which may be too short to receive queued packets from the network. (XXX Is this true?) To keep it simple, there's just one callout which runs every reject-after-time seconds and erases keys in sessions older than reject-after-time, so if a session is established the moment after it runs, the keys might not be erased until (2-eps)*reject-after-time seconds. PR kern/56252 PR kern/58463 diff -r d40c3cc3b823 -r 09088f30869b sys/net/if_wg.c --- a/sys/net/if_wg.c Sat Jul 27 13:46:01 2024 +0000 +++ b/sys/net/if_wg.c Sat Jul 27 18:08:26 2024 +0000 @@ -1340,7 +1340,6 @@ wg_put_session_index(struct wg_softc *wg struct wg_peer *wgp __diagused = wgs->wgs_peer; KASSERT(mutex_owned(wgp->wgp_lock)); - KASSERT(wgs == wgp->wgp_session_unstable); KASSERT(wgs->wgs_state != WGS_STATE_UNKNOWN); KASSERT(wgs->wgs_state != WGS_STATE_ESTABLISHED); @@ -1645,7 +1644,6 @@ wg_handle_msg_init(struct wg_softc *wg, panic("unstable session can't be established"); case WGS_STATE_DESTROYING: /* rekey initiated by peer */ WG_TRACE("Session destroying, but force to clear"); - callout_halt(&wgp->wgp_session_dtor_timer, NULL); wg_put_session_index(wg, wgs); KASSERTMSG(wgs->wgs_state == WGS_STATE_UNKNOWN, "state=%d", wgs->wgs_state); @@ -1669,6 +1667,15 @@ wg_handle_msg_init(struct wg_softc *wg, wg_update_endpoint_if_necessary(wgp, src); /* + * Count the time of the INIT message as the time of + * establishment -- this is used to decide when to erase keys, + * and we want to start counting as soon as we have generated + * keys. + */ + wgs->wgs_time_established = time_uptime; + wg_schedule_session_dtor_timer(wgp); + + /* * Respond to the initiator with our ephemeral public key. */ (void)wg_send_handshake_msg_resp(wg, wgp, wgs, wgmi); @@ -2112,6 +2119,7 @@ wg_handle_msg_resp(struct wg_softc *wg, KASSERTMSG(wgs->wgs_state == WGS_STATE_INIT_ACTIVE, "state=%d", wgs->wgs_state); wgs->wgs_time_established = time_uptime; + wg_schedule_session_dtor_timer(wgp); wgs->wgs_time_last_data_sent = 0; wgs->wgs_is_initiator = true; WG_DLOG("session[L=%"PRIx32" R=%"PRIx32"]:" @@ -2184,9 +2192,6 @@ wg_handle_msg_resp(struct wg_softc *wg, wgs_prev->wgs_local_index, wgs_prev->wgs_remote_index); atomic_store_relaxed(&wgs_prev->wgs_state, WGS_STATE_DESTROYING); - - /* We can't destroy the old session immediately */ - wg_schedule_session_dtor_timer(wgp); } else { KASSERTMSG(wgs_prev->wgs_state == WGS_STATE_UNKNOWN, "state=%d", wgs_prev->wgs_state); @@ -2617,6 +2622,7 @@ wg_session_dtor_timer(void *arg) WG_TRACE("enter"); + wg_schedule_session_dtor_timer(wgp); wg_schedule_peer_task(wgp, WGP_TASK_DESTROY_PREV_SESSION); } @@ -2624,8 +2630,19 @@ static void wg_schedule_session_dtor_timer(struct wg_peer *wgp) { - /* 1 second grace period */ - callout_schedule(&wgp->wgp_session_dtor_timer, hz); + /* + * If the periodic session destructor is already pending to + * handle the previous session, that's fine -- leave it in + * place; it will be scheduled again. + */ + if (callout_pending(&wgp->wgp_session_dtor_timer)) { + WG_DLOG("session dtor already pending\n"); + return; + } + + WG_DLOG("scheduling session dtor in %u secs\n", wg_reject_after_time); + callout_schedule(&wgp->wgp_session_dtor_timer, + wg_reject_after_time*hz); } static bool @@ -3219,7 +3236,6 @@ wg_task_establish_session(struct wg_soft /* XXX Can this happen? */ return; - wgs->wgs_time_established = time_uptime; wgs->wgs_time_last_data_sent = 0; wgs->wgs_is_initiator = false; @@ -3279,9 +3295,6 @@ wg_task_establish_session(struct wg_soft wgs_prev->wgs_local_index, wgs_prev->wgs_remote_index); atomic_store_relaxed(&wgs_prev->wgs_state, WGS_STATE_DESTROYING); - - /* We can't destroy the old session immediately */ - wg_schedule_session_dtor_timer(wgp); } else { KASSERTMSG(wgs_prev->wgs_state == WGS_STATE_UNKNOWN, "state=%d", wgs_prev->wgs_state); @@ -3335,15 +3348,61 @@ static void wg_task_destroy_prev_session(struct wg_softc *wg, struct wg_peer *wgp) { struct wg_session *wgs; + time_t age; WG_TRACE("WGP_TASK_DESTROY_PREV_SESSION"); KASSERT(mutex_owned(wgp->wgp_lock)); + /* + * If theres's any previous unstable session, i.e., one that + * was ESTABLISHED and is now DESTROYING, older than + * reject-after-time, destroy it. Upcoming sessions are still + * in INIT_ACTIVE or INIT_PASSIVE -- we don't touch those here. + */ wgs = wgp->wgp_session_unstable; - if (wgs->wgs_state == WGS_STATE_DESTROYING) { + KASSERT(wgs->wgs_state != WGS_STATE_ESTABLISHED); + if (wgs->wgs_state == WGS_STATE_DESTROYING && + ((age = (time_uptime - wgs->wgs_time_established)) >= + wg_reject_after_time)) { + WG_DLOG("destroying past session %"PRIuMAX" sec old\n", + (uintmax_t)age); wg_put_session_index(wg, wgs); + KASSERTMSG(wgs->wgs_state == WGS_STATE_UNKNOWN, "state=%d", + wgs->wgs_state); } + + /* + * If theres's any ESTABLISHED stable session older than + * reject-after-time, destroy it. (The stable session can also + * be in UNKNOWN state -- nothing to do in that case) + */ + wgs = wgp->wgp_session_stable; + KASSERT(wgs->wgs_state != WGS_STATE_INIT_ACTIVE); + KASSERT(wgs->wgs_state != WGS_STATE_INIT_PASSIVE); + KASSERT(wgs->wgs_state != WGS_STATE_DESTROYING); + if (wgs->wgs_state == WGS_STATE_ESTABLISHED && + ((age = (time_uptime - wgs->wgs_time_established)) >= + wg_reject_after_time)) { + WG_DLOG("destroying current session %"PRIuMAX" sec old\n", + (uintmax_t)age); + atomic_store_relaxed(&wgs->wgs_state, WGS_STATE_DESTROYING); + wg_put_session_index(wg, wgs); + KASSERTMSG(wgs->wgs_state == WGS_STATE_UNKNOWN, "state=%d", + wgs->wgs_state); + } + + /* + * If there's no sessions left, no need to have the timer run + * until the next time around -- halt it. + * + * It is only ever scheduled with wgp_lock held or in the + * callout itself, and callout_halt prevents rescheudling + * itself, so this never races with rescheduling. + */ + if (wgp->wgp_session_unstable->wgs_state == WGS_STATE_UNKNOWN && + wgp->wgp_session_stable->wgs_state == WGS_STATE_UNKNOWN) + callout_halt(&wgp->wgp_session_dtor_timer, NULL); } static void # HG changeset patch # User Taylor R Campbell # Date 1722103810 0 # Sat Jul 27 18:10:10 2024 +0000 # Branch trunk # Node ID e5b62813a28908b8be33de135ba246ff7794b41d # Parent 09088f30869be5590f7723b9ab9f047a14a3a4dd # EXP-Topic riastradh-pr58463-wgidle wg(4): Reject rx on sessions older than reject-after-time sec. Prompted by: PR kern/56252 PR kern/58463 diff -r 09088f30869b -r e5b62813a289 sys/net/if_wg.c --- a/sys/net/if_wg.c Sat Jul 27 18:08:26 2024 +0000 +++ b/sys/net/if_wg.c Sat Jul 27 18:10:10 2024 +0000 @@ -2706,6 +2706,7 @@ wg_handle_msg_data(struct wg_softc *wg, struct wg_session *wgs; struct wg_peer *wgp; int state; + time_t age; size_t mlen; struct psref psref; int error, af; @@ -2749,6 +2750,16 @@ wg_handle_msg_data(struct wg_softc *wg, } /* + * Reject if the session is too old. + */ + age = time_uptime - wgs->wgs_time_established; + if (__predict_false(age >= wg_reject_after_time)) { + WG_DLOG("session %"PRIx32" too old, %"PRIuMAX" sec\n", + wgmd->wgmd_receiver, (uintmax_t)age); + goto out; + } + + /* * Get the peer, for rate-limited logs (XXX MPSAFE, dtrace) and * to update the endpoint if authentication succeeds. */ # HG changeset patch # User Taylor R Campbell # Date 1722106611 0 # Sat Jul 27 18:56:51 2024 +0000 # Branch trunk # Node ID d671b939096e6b8bf986e9c3bd499a7eec508620 # Parent e5b62813a28908b8be33de135ba246ff7794b41d # EXP-Topic riastradh-pr58463-wgidle wg(4): Do rekey-after-time on tx, not on callout. If there's no data to tx, we shouldn't reinitiate a session -- we should stay quiet on the network. Prompted by: PR kern/56252 PR kern/58463 diff -r e5b62813a289 -r d671b939096e sys/net/if_wg.c --- a/sys/net/if_wg.c Sat Jul 27 18:10:10 2024 +0000 +++ b/sys/net/if_wg.c Sat Jul 27 18:56:51 2024 +0000 @@ -604,13 +604,12 @@ struct wg_peer { struct timespec wgp_last_handshake_time; - callout_t wgp_rekey_timer; callout_t wgp_handshake_timeout_timer; callout_t wgp_session_dtor_timer; time_t wgp_handshake_start_time; - volatile bool wgp_rekey_after_time; + volatile unsigned wgp_force_rekey; int wgp_n_allowedips; struct wg_allowedip wgp_allowedips[WG_ALLOWEDIPS]; @@ -729,7 +728,6 @@ static struct wg_session * static void wg_update_endpoint_if_necessary(struct wg_peer *, const struct sockaddr *); -static void wg_schedule_rekey_timer(struct wg_peer *); static void wg_schedule_session_dtor_timer(struct wg_peer *); static bool wg_is_underload(struct wg_softc *, struct wg_peer *, int); @@ -2157,8 +2155,6 @@ wg_handle_msg_resp(struct wg_softc *wg, wgp->wgp_last_sent_mac1_valid = false; wgp->wgp_last_sent_cookie_valid = false; - wg_schedule_rekey_timer(wgp); - wg_update_endpoint_if_necessary(wgp, src); /* @@ -2445,14 +2441,6 @@ wg_lookup_session_by_index(struct wg_sof } static void -wg_schedule_rekey_timer(struct wg_peer *wgp) -{ - int timeout = MIN(wg_rekey_after_time, (unsigned)(INT_MAX / hz)); - - callout_schedule(&wgp->wgp_rekey_timer, timeout * hz); -} - -static void wg_send_keepalive_msg(struct wg_peer *wgp, struct wg_session *wgs) { struct mbuf *m; @@ -3180,11 +3168,11 @@ wg_task_send_init_message(struct wg_soft /* * If we already have an established session for data tx, * there's no need to initiate a new one -- unless the - * rekey-after-time has passed. + * rekey-after-time or rekey-after-messages limits have passed. */ wgs = wgp->wgp_session_stable; if (wgs->wgs_state == WGS_STATE_ESTABLISHED && - !atomic_load_relaxed(&wgp->wgp_rekey_after_time)) + !atomic_swap_uint(&wgp->wgp_force_rekey, 0)) return; /* @@ -3652,16 +3640,6 @@ next0: m_freem(m); } static void -wg_rekey_timer(void *arg) -{ - struct wg_peer *wgp = arg; - - WG_TRACE("rekey after time"); - atomic_store_relaxed(&wgp->wgp_rekey_after_time, true); - wg_schedule_peer_task(wgp, WGP_TASK_SEND_INIT_MESSAGE); -} - -static void wg_purge_pending_packets(struct wg_peer *wgp) { struct mbuf *m; @@ -3689,8 +3667,6 @@ wg_alloc_peer(struct wg_softc *wg) wgp = kmem_zalloc(sizeof(*wgp), KM_SLEEP); wgp->wgp_sc = wg; - callout_init(&wgp->wgp_rekey_timer, CALLOUT_MPSAFE); - callout_setfunc(&wgp->wgp_rekey_timer, wg_rekey_timer, wgp); callout_init(&wgp->wgp_handshake_timeout_timer, CALLOUT_MPSAFE); callout_setfunc(&wgp->wgp_handshake_timeout_timer, wg_handshake_timeout_timer, wgp); @@ -3768,7 +3744,6 @@ wg_destroy_peer(struct wg_peer *wgp) wg_purge_pending_packets(wgp); /* Halt all packet processing and timeouts. */ - callout_halt(&wgp->wgp_rekey_timer, NULL); callout_halt(&wgp->wgp_handshake_timeout_timer, NULL); callout_halt(&wgp->wgp_session_dtor_timer, NULL); @@ -4380,7 +4355,8 @@ wg_send_data_msg(struct wg_peer *wgp, st if_statadd(ifp, if_obytes, mlen); if_statinc(ifp, if_opackets); if (wgs->wgs_is_initiator && - wgs->wgs_time_last_data_sent == 0) { + ((time_uptime - wgs->wgs_time_established) >= + wg_rekey_after_time)) { /* * [W] 6.2 Transport Message Limits * "if a peer is the initiator of a current secure @@ -4389,7 +4365,9 @@ wg_send_data_msg(struct wg_peer *wgp, st * transmitting a transport data message, the current * secure session is REKEY-AFTER-TIME seconds old," */ - wg_schedule_rekey_timer(wgp); + WG_TRACE("rekey after time"); + atomic_store_relaxed(&wgp->wgp_force_rekey, 1); + wg_schedule_peer_task(wgp, WGP_TASK_SEND_INIT_MESSAGE); } wgs->wgs_time_last_data_sent = time_uptime; if (wg_session_get_send_counter(wgs) >= @@ -4402,6 +4380,7 @@ wg_send_data_msg(struct wg_peer *wgp, st * transport data messages..." */ WG_TRACE("rekey after messages"); + atomic_store_relaxed(&wgp->wgp_force_rekey, 1); wg_schedule_peer_task(wgp, WGP_TASK_SEND_INIT_MESSAGE); } } # HG changeset patch # User Taylor R Campbell # Date 1722111038 0 # Sat Jul 27 20:10:38 2024 +0000 # Branch trunk # Node ID be6416af8eaf1ad3f4148c56fb24b5cd0d262637 # Parent d671b939096e6b8bf986e9c3bd499a7eec508620 # EXP-Topic riastradh-pr58463-wgidle wg(4): On rx of valid ciphertext, make sure to update state machine. Previously, we also required the plaintext to be a plausible-looking IP packet before updating the state machine. But keepalive packets are empty -- and if the peer initiated the session to rekey after last tx but had no more data to tx, it will send a keepalive to finish session initiation. If we didn't update the state machine in that case, we would stay in INIT_PASSIVE state unable to tx on the session, which would make things hang. So make sure to always update the state machine once we have accepted a packet as genuine, even if it's genuine garbage on the inside. PR kern/56252 PR kern/58463 diff -r d671b939096e -r be6416af8eaf sys/net/if_wg.c --- a/sys/net/if_wg.c Sat Jul 27 18:56:51 2024 +0000 +++ b/sys/net/if_wg.c Sat Jul 27 20:10:38 2024 +0000 @@ -2864,7 +2864,7 @@ wg_handle_msg_data(struct wg_softc *wg, ok = wg_validate_inner_packet(decrypted_buf, decrypted_len, &af); if (!ok) { m_freem(n); - goto out; + goto update_state; } /* @@ -2904,6 +2904,7 @@ wg_handle_msg_data(struct wg_softc *wg, } n = NULL; +update_state: /* Update the state machine if necessary. */ if (__predict_false(state == WGS_STATE_INIT_PASSIVE)) { /* # HG changeset patch # User Taylor R Campbell # Date 1722111162 0 # Sat Jul 27 20:12:42 2024 +0000 # Branch trunk # Node ID ef71d9714ee43e90fd808eafde36f14a442b6698 # Parent be6416af8eaf1ad3f4148c56fb24b5cd0d262637 # EXP-Topic riastradh-pr58463-wgidle wg(4): Make sure to update endpoint on keepalive packets too. Prompted by: PR kern/56252 PR kern/58463 diff -r be6416af8eaf -r ef71d9714ee4 sys/net/if_wg.c --- a/sys/net/if_wg.c Sat Jul 27 20:10:38 2024 +0000 +++ b/sys/net/if_wg.c Sat Jul 27 20:12:42 2024 +0000 @@ -2858,6 +2858,15 @@ wg_handle_msg_data(struct wg_softc *wg, wgmd = NULL; /* + * The packet is genuine. Update the peer's endpoint if the + * source address changed. + * + * XXX How to prevent DoS by replaying genuine packets from the + * wrong source address? + */ + wg_update_endpoint_if_necessary(wgp, src); + + /* * Validate the encapsulated packet header and get the address * family, or drop. */ @@ -2867,15 +2876,6 @@ wg_handle_msg_data(struct wg_softc *wg, goto update_state; } - /* - * The packet is genuine. Update the peer's endpoint if the - * source address changed. - * - * XXX How to prevent DoS by replaying genuine packets from the - * wrong source address? - */ - wg_update_endpoint_if_necessary(wgp, src); - /* Submit it into our network stack if routable. */ ok = wg_validate_route(wg, wgp, af, decrypted_buf); if (ok) { # HG changeset patch # User Taylor R Campbell # Date 1722099922 0 # Sat Jul 27 17:05:22 2024 +0000 # Branch trunk # Node ID 010c79c5ef37d87eeb2f1dce30967a49468bd4c6 # Parent ef71d9714ee43e90fd808eafde36f14a442b6698 # EXP-Topic riastradh-pr58463-wgidle tests/net/if_wg/t_misc: Tweak timeouts in wg_handshake_timeout. Most of the timers in wg(4) have only 1sec resolution, which might be rounded in either direction, so make sure there's a 2sec buffer on either side of the event we care about (the point at which wg(4) decides to stop retrying handshake). PR kern/56252 diff -r ef71d9714ee4 -r 010c79c5ef37 tests/net/if_wg/t_misc.sh --- a/tests/net/if_wg/t_misc.sh Sat Jul 27 20:12:42 2024 +0000 +++ b/tests/net/if_wg/t_misc.sh Sat Jul 27 17:05:22 2024 +0000 @@ -143,10 +143,9 @@ wg_handshake_timeout_body() local ip_wg_local=10.0.0.1 local ip_wg_peer=10.0.0.2 local port=51820 - local rekey_after_time=3 local outfile=./out - local rekey_timeout=3 - local rekey_attempt_time=8 + local rekey_timeout=4 + local rekey_attempt_time=10 local n= setup_servers # HG changeset patch # User Taylor R Campbell # Date 1722100843 0 # Sat Jul 27 17:20:43 2024 +0000 # Branch trunk # Node ID 1cb80209e487d1a2bc79db423c6774207fea23b1 # Parent 010c79c5ef37d87eeb2f1dce30967a49468bd4c6 # EXP-Topic riastradh-pr58463-wgidle tests/net/if_wg/t_misc: Elaborate in wg_rekey debug messages. Helpful for following the test log when things go wrong. PR kern/56252 diff -r 010c79c5ef37 -r 1cb80209e487 tests/net/if_wg/t_misc.sh --- a/tests/net/if_wg/t_misc.sh Sat Jul 27 17:05:22 2024 +0000 +++ b/tests/net/if_wg/t_misc.sh Sat Jul 27 17:20:43 2024 +0000 @@ -80,7 +80,7 @@ wg_rekey_body() latest_handshake=$($HIJACKING wgconfig wg0 show peer peer0 \ | awk -F ': ' '/latest-handshake/ {print $2;}') - $DEBUG && echo $latest_handshake + $DEBUG && echo handshake1=$latest_handshake sleep 1 @@ -103,7 +103,7 @@ wg_rekey_body() latest_handshake=$($HIJACKING wgconfig wg0 show peer peer0 \ | awk -F ': ' '/latest-handshake/ {print $2;}') - $DEBUG && echo $latest_handshake + $DEBUG && echo handshake2=$latest_handshake # Wait for a reinitiation to be performed again sleep $((rekey_after_time+1)) # HG changeset patch # User Taylor R Campbell # Date 1722001514 0 # Fri Jul 26 13:45:14 2024 +0000 # Branch trunk # Node ID 7ffb6d88376f080d67146ddaf6b811b86425e957 # Parent 1cb80209e487d1a2bc79db423c6774207fea23b1 # EXP-Topic riastradh-pr58463-wgidle wg(4): Tests should pass now. PR kern/56252 PR kern/58463 diff -r 1cb80209e487 -r 7ffb6d88376f tests/net/if_wg/t_misc.sh --- a/tests/net/if_wg/t_misc.sh Sat Jul 27 17:20:43 2024 +0000 +++ b/tests/net/if_wg/t_misc.sh Fri Jul 26 13:45:14 2024 +0000 @@ -86,8 +86,6 @@ wg_rekey_body() $ping $ip_wg_peer - atf_expect_fail "PR kern/56252" - # No reinitiation is performed atf_check -s exit:0 -o match:"$latest_handshake" \ $HIJACKING wgconfig wg0 show peer peer0 @@ -115,8 +113,6 @@ wg_rekey_body() $HIJACKING wgconfig wg0 show peer peer0 destroy_wg_interfaces - - atf_fail "failed to trigger PR kern/56252" } wg_rekey_cleanup() @@ -197,8 +193,6 @@ wg_handshake_timeout_body() n=$(grep "$ip_local.$port > $ip_peer.$port" $outfile |wc -l) - atf_expect_fail "PR kern/56252" - # Give up handshaking after three attempts atf_check_equal $n 3 @@ -207,8 +201,6 @@ wg_handshake_timeout_body() export RUMP_SERVER=$SOCK_LOCAL destroy_wg_interfaces - - atf_fail "failed to trigger PR kern/56252" } wg_handshake_timeout_cleanup() @@ -270,8 +262,6 @@ wg_cookie_body() # and a session doesn't start $ping_fail $ip_wg_peer - atf_expect_fail "PR kern/56252" - extract_new_packets $BUS > $outfile $DEBUG && cat $outfile # XXX length 64 indicates the message is a cookie message @@ -295,8 +285,6 @@ wg_cookie_body() $HIJACKING wgconfig wg0 destroy_wg_interfaces - - atf_fail "failed to trigger PR kern/56252" } wg_cookie_cleanup() @@ -353,8 +341,6 @@ wg_mobility_body() export RUMP_SERVER=$SOCK_LOCAL $ping_fail $ip_wg_peer - atf_expect_fail "PR kern/56252" - extract_new_packets $BUS > $outfile $DEBUG && cat $outfile @@ -393,8 +379,6 @@ wg_mobility_body() atf_check -s exit:0 -o not-match:"$ip_local.$port > $ip_peer.$port" cat $outfile destroy_wg_interfaces - - atf_fail "failed to trigger PR kern/56252" } wg_mobility_cleanup() # HG changeset patch # User Taylor R Campbell # Date 1722118644 0 # Sat Jul 27 22:17:24 2024 +0000 # Branch trunk # Node ID 1c415112f2fea0c2b812f3c7f6ad8aba999e7bec # Parent 7ffb6d88376f080d67146ddaf6b811b86425e957 # EXP-Topic riastradh-pr58463-wgidle wg(4): Use 32-bit for times handled in rx/tx paths. The rx and tx paths require unlocked access to wgs_time_established (to decide whether it's time to rekey) and wgs_time_last_data_sent (to decide whether we need to reply to incoming data with a keepalive packet), so do it with atomic_load/store_*. On 32-bit platforms, we may not be able to do that on time_t. However, since sessions only last for a few minutes before reject-after-time kicks in and they are erased, 32 bits is plenty to record the durations that we need to record here, so this shouldn't introduce any new bugs even on hosts that exceed 136 years of uptime. Prompted by: PR kern/56252 PR kern/58463 diff -r 7ffb6d88376f -r 1c415112f2fe sys/net/if_wg.c --- a/sys/net/if_wg.c Fri Jul 26 13:45:14 2024 +0000 +++ b/sys/net/if_wg.c Sat Jul 27 22:17:24 2024 +0000 @@ -502,8 +502,10 @@ struct wg_session { #define WGS_STATE_ESTABLISHED 3 #define WGS_STATE_DESTROYING 4 - time_t wgs_time_established; - time_t wgs_time_last_data_sent; + volatile uint32_t + wgs_time_established; + volatile uint32_t + wgs_time_last_data_sent; bool wgs_is_initiator; uint32_t wgs_local_index; @@ -1669,8 +1671,12 @@ wg_handle_msg_init(struct wg_softc *wg, * establishment -- this is used to decide when to erase keys, * and we want to start counting as soon as we have generated * keys. + * + * No need for atomic store because the session can't be used + * in the rx or tx paths yet -- not until we transition to + * INTI_PASSIVE. */ - wgs->wgs_time_established = time_uptime; + wgs->wgs_time_established = time_uptime32; wg_schedule_session_dtor_timer(wgp); /* @@ -2116,7 +2122,7 @@ wg_handle_msg_resp(struct wg_softc *wg, KASSERTMSG(wgs->wgs_state == WGS_STATE_INIT_ACTIVE, "state=%d", wgs->wgs_state); - wgs->wgs_time_established = time_uptime; + wgs->wgs_time_established = time_uptime32; wg_schedule_session_dtor_timer(wgp); wgs->wgs_time_last_data_sent = 0; wgs->wgs_is_initiator = true; @@ -2467,9 +2473,12 @@ wg_need_to_send_init_message(struct wg_s * KEEPALIVE-TIMEOUT − REKEY-TIMEOUT) seconds old and it has * not yet acted upon this event." */ - return wgs->wgs_is_initiator && wgs->wgs_time_last_data_sent == 0 && - (time_uptime - wgs->wgs_time_established) >= - (wg_reject_after_time - wg_keepalive_timeout - wg_rekey_timeout); + return wgs->wgs_is_initiator && + atomic_load_relaxed(&wgs->wgs_time_last_data_sent) == 0 && + ((time_uptime32 - + atomic_load_relaxed(&wgs->wgs_time_established)) >= + (wg_reject_after_time - wg_keepalive_timeout - + wg_rekey_timeout)); } static void @@ -2694,7 +2703,7 @@ wg_handle_msg_data(struct wg_softc *wg, struct wg_session *wgs; struct wg_peer *wgp; int state; - time_t age; + uint32_t age; size_t mlen; struct psref psref; int error, af; @@ -2740,10 +2749,10 @@ wg_handle_msg_data(struct wg_softc *wg, /* * Reject if the session is too old. */ - age = time_uptime - wgs->wgs_time_established; + age = time_uptime32 - atomic_load_relaxed(&wgs->wgs_time_established); if (__predict_false(age >= wg_reject_after_time)) { - WG_DLOG("session %"PRIx32" too old, %"PRIuMAX" sec\n", - wgmd->wgmd_receiver, (uintmax_t)age); + WG_DLOG("session %"PRIx32" too old, %"PRIu32" sec\n", + wgmd->wgmd_receiver, age); goto out; } @@ -2925,11 +2934,13 @@ update_state: * itself to send back for KEEPALIVE-TIMEOUT seconds, it sends * a keepalive message." */ - WG_DLOG("time_uptime=%ju wgs_time_last_data_sent=%ju\n", - (uintmax_t)time_uptime, - (uintmax_t)wgs->wgs_time_last_data_sent); - if ((time_uptime - wgs->wgs_time_last_data_sent) >= - wg_keepalive_timeout) { + const uint32_t now = time_uptime32; + const uint32_t time_last_data_sent = + atomic_load_relaxed(&wgs->wgs_time_last_data_sent); + WG_DLOG("time_uptime32=%"PRIu32 + " wgs_time_last_data_sent=%"PRIu32"\n", + now, time_last_data_sent); + if ((now - time_last_data_sent) >= wg_keepalive_timeout) { WG_TRACE("Schedule sending keepalive message"); /* * We can't send a keepalive message here to avoid @@ -3348,7 +3359,7 @@ static void wg_task_destroy_prev_session(struct wg_softc *wg, struct wg_peer *wgp) { struct wg_session *wgs; - time_t age; + uint32_t age; WG_TRACE("WGP_TASK_DESTROY_PREV_SESSION"); @@ -3359,14 +3370,16 @@ wg_task_destroy_prev_session(struct wg_s * was ESTABLISHED and is now DESTROYING, older than * reject-after-time, destroy it. Upcoming sessions are still * in INIT_ACTIVE or INIT_PASSIVE -- we don't touch those here. + * + * No atomic for access to wgs_time_established because it is + * only updated under wgp_lock. */ wgs = wgp->wgp_session_unstable; KASSERT(wgs->wgs_state != WGS_STATE_ESTABLISHED); if (wgs->wgs_state == WGS_STATE_DESTROYING && - ((age = (time_uptime - wgs->wgs_time_established)) >= + ((age = (time_uptime32 - wgs->wgs_time_established)) >= wg_reject_after_time)) { - WG_DLOG("destroying past session %"PRIuMAX" sec old\n", - (uintmax_t)age); + WG_DLOG("destroying past session %"PRIu32" sec old\n", age); wg_put_session_index(wg, wgs); KASSERTMSG(wgs->wgs_state == WGS_STATE_UNKNOWN, "state=%d", wgs->wgs_state); @@ -3382,10 +3395,9 @@ wg_task_destroy_prev_session(struct wg_s KASSERT(wgs->wgs_state != WGS_STATE_INIT_PASSIVE); KASSERT(wgs->wgs_state != WGS_STATE_DESTROYING); if (wgs->wgs_state == WGS_STATE_ESTABLISHED && - ((age = (time_uptime - wgs->wgs_time_established)) >= + ((age = (time_uptime32 - wgs->wgs_time_established)) >= wg_reject_after_time)) { - WG_DLOG("destroying current session %"PRIuMAX" sec old\n", - (uintmax_t)age); + WG_DLOG("destroying current session %"PRIu32" sec old\n", age); atomic_store_relaxed(&wgs->wgs_state, WGS_STATE_DESTROYING); wg_put_session_index(wg, wgs); KASSERTMSG(wgs->wgs_state == WGS_STATE_UNKNOWN, "state=%d", @@ -3591,6 +3603,8 @@ wg_socreate(struct wg_softc *wg, int af, static bool wg_session_hit_limits(struct wg_session *wgs) { + uint32_t time_established = + atomic_load_relaxed(&wgs->wgs_time_established); /* * [W] 6.2: Transport Message Limits @@ -3599,8 +3613,8 @@ wg_session_hit_limits(struct wg_session * comes first, WireGuard will refuse to send any more transport data * messages using the current secure session, ..." */ - KASSERT(wgs->wgs_time_established != 0); - if ((time_uptime - wgs->wgs_time_established) > wg_reject_after_time) { + KASSERT(time_established != 0 || time_uptime > UINT32_MAX); + if ((time_uptime32 - time_established) > wg_reject_after_time) { WG_DLOG("The session hits REJECT_AFTER_TIME\n"); return true; } else if (wg_session_get_send_counter(wgs) > @@ -4356,7 +4370,8 @@ wg_send_data_msg(struct wg_peer *wgp, st if_statadd(ifp, if_obytes, mlen); if_statinc(ifp, if_opackets); if (wgs->wgs_is_initiator && - ((time_uptime - wgs->wgs_time_established) >= + ((time_uptime32 - + atomic_load_relaxed(&wgs->wgs_time_established)) >= wg_rekey_after_time)) { /* * [W] 6.2 Transport Message Limits @@ -4370,7 +4385,9 @@ wg_send_data_msg(struct wg_peer *wgp, st atomic_store_relaxed(&wgp->wgp_force_rekey, 1); wg_schedule_peer_task(wgp, WGP_TASK_SEND_INIT_MESSAGE); } - wgs->wgs_time_last_data_sent = time_uptime; + const uint32_t now = time_uptime32; + atomic_store_relaxed(&wgs->wgs_time_last_data_sent, + MAX(now, 1)); if (wg_session_get_send_counter(wgs) >= wg_rekey_after_messages) { /* # HG changeset patch # User Taylor R Campbell # Date 1722025102 0 # Fri Jul 26 20:18:22 2024 +0000 # Branch trunk # Node ID 39b21530e35127194845a6c0ecf195299ad9adb3 # Parent 1c415112f2fea0c2b812f3c7f6ad8aba999e7bec # EXP-Topic riastradh-pr58463-wgidle wg(4): Make time_uptime32 work in netbsd<=10. This is the low 32 bits of time_uptime. diff -r 1c415112f2fe -r 39b21530e351 sys/net/if_wg.c --- a/sys/net/if_wg.c Sat Jul 27 22:17:24 2024 +0000 +++ b/sys/net/if_wg.c Fri Jul 26 20:18:22 2024 +0000 @@ -121,6 +121,10 @@ #include "wg_user.h" #endif +#ifndef time_uptime32 +#define time_uptime32 ((uint32_t)time_uptime) +#endif + /* * Data structures * - struct wg_softc is an instance of wg interfaces # HG changeset patch # User Taylor R Campbell # Date 1722119540 0 # Sat Jul 27 22:32:20 2024 +0000 # Branch trunk # Node ID 4cb6c61d5e29bc63fb760fadcad4615f5f0cbb47 # Parent 39b21530e35127194845a6c0ecf195299ad9adb3 # EXP-Topic riastradh-pr58463-wgidle wg(4): Fix quotation in comment. Prompted by: PR kern/56252 PR kern/58463 diff -r 39b21530e351 -r 4cb6c61d5e29 sys/net/if_wg.c --- a/sys/net/if_wg.c Fri Jul 26 20:18:22 2024 +0000 +++ b/sys/net/if_wg.c Sat Jul 27 22:32:20 2024 +0000 @@ -3614,8 +3614,8 @@ wg_session_hit_limits(struct wg_session * [W] 6.2: Transport Message Limits * "After REJECT-AFTER-MESSAGES transport data messages or after the * current secure session is REJECT-AFTER-TIME seconds old, whichever - * comes first, WireGuard will refuse to send any more transport data - * messages using the current secure session, ..." + * comes first, WireGuard will refuse to send or receive any more + * transport data messages using the current secure session, ..." */ KASSERT(time_established != 0 || time_uptime > UINT32_MAX); if ((time_uptime32 - time_established) > wg_reject_after_time) { # HG changeset patch # User Taylor R Campbell # Date 1722119696 0 # Sat Jul 27 22:34:56 2024 +0000 # Branch trunk # Node ID 4c4eb6c5f50a24e25f8281f88ae0316241617cdd # Parent 4cb6c61d5e29bc63fb760fadcad4615f5f0cbb47 # EXP-Topic riastradh-pr58463-wgidle wg(4): Process all altq'd packets when deleting peer. Can't just drop them because we can only go through all packets on an interface at a time, for all peers -- so we'd either have to drop all peers' packets, or requeue the packets for other peers. Probably not worth the trouble, so let's just wait for all the packets currently queued up to go through first. diff -r 4cb6c61d5e29 -r 4c4eb6c5f50a sys/net/if_wg.c --- a/sys/net/if_wg.c Sat Jul 27 22:32:20 2024 +0000 +++ b/sys/net/if_wg.c Sat Jul 27 22:34:56 2024 +0000 @@ -3665,6 +3665,9 @@ wg_purge_pending_packets(struct wg_peer m = atomic_swap_ptr(&wgp->wgp_pending, NULL); m_freem(m); +#ifdef ALTQ + wg_start(&wgp->wgp_sc->wg_if); +#endif pktq_barrier(wg_pktq); } # HG changeset patch # User Taylor R Campbell # Date 1721995635 0 # Fri Jul 26 12:07:15 2024 +0000 # Branch trunk # Node ID 1c4cfffffde6cbd6f16e312aefe4156a440bc731 # Parent 4c4eb6c5f50a24e25f8281f88ae0316241617cdd # EXP-Topic riastradh-pr58463-wgidle WIP: wg(4): Enable DIAGNOSTIC in module build. diff -r 4c4eb6c5f50a -r 1c4cfffffde6 sys/modules/if_wg/Makefile --- a/sys/modules/if_wg/Makefile Sat Jul 27 22:34:56 2024 +0000 +++ b/sys/modules/if_wg/Makefile Fri Jul 26 12:07:15 2024 +0000 @@ -11,6 +11,7 @@ SRCS= if_wg.c CPPFLAGS+= -DINET CPPFLAGS+= -DINET6 #CPPFLAGS+= -DALTQ +CPPFLAGS+= -DDIAGNOSTIC WARNS= 3