2 * Copyright (c) 2020 Doc.ai and/or its affiliates.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at:
7 * http://www.apache.org/licenses/LICENSE-2.0
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
16 #include <vlib/vlib.h>
17 #include <vnet/vnet.h>
18 #include <vnet/pg/pg.h>
19 #include <vppinfra/error.h>
20 #include <wireguard/wireguard.h>
22 #include <wireguard/wireguard_send.h>
23 #include <wireguard/wireguard_if.h>
25 #define foreach_wg_input_error \
27 _(HANDSHAKE_MAC, "Invalid MAC handshake") \
28 _(PEER, "Peer error") \
29 _(INTERFACE, "Interface error") \
30 _(DECRYPTION, "Failed during decryption") \
31 _(KEEPALIVE_SEND, "Failed while sending Keepalive") \
32 _(HANDSHAKE_SEND, "Failed while sending Handshake") \
33 _(UNDEFINED, "Undefined error")
37 #define _(sym,str) WG_INPUT_ERROR_##sym,
38 foreach_wg_input_error
43 static char *wg_input_error_strings[] = {
44 #define _(sym,string) string,
45 foreach_wg_input_error
58 format_wg_message_type (u8 * s, va_list * args)
60 message_type_t type = va_arg (*args, message_type_t);
64 #define _(v,a) case MESSAGE_##v: return (format (s, "%s", a));
65 foreach_wg_message_type
68 return (format (s, "unknown"));
71 /* packet trace format function */
73 format_wg_input_trace (u8 * s, va_list * args)
75 CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *);
76 CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *);
78 wg_input_trace_t *t = va_arg (*args, wg_input_trace_t *);
80 s = format (s, "WG input: \n");
81 s = format (s, " Type: %U\n", format_wg_message_type, t->type);
82 s = format (s, " Length: %d\n", t->current_length);
83 s = format (s, " Keepalive: %s", t->is_keepalive ? "true" : "false");
90 WG_INPUT_NEXT_IP4_INPUT,
97 /* set_peer_address (wg_peer_t * peer, ip4_address_t ip4, u16 udp_port) */
101 /* ip46_address_set_ip4 (&peer->dst.addr, &ip4); */
102 /* peer->dst.port = udp_port; */
106 static wg_input_error_t
107 wg_handshake_process (vlib_main_t * vm, wg_main_t * wmp, vlib_buffer_t * b)
109 enum cookie_mac_state mac_state;
110 bool packet_needs_cookie;
113 wg_peer_t *peer = NULL;
115 void *current_b_data = vlib_buffer_get_current (b);
117 udp_header_t *uhd = current_b_data - sizeof (udp_header_t);
119 current_b_data - sizeof (udp_header_t) - sizeof (ip4_header_t);
120 ip4_address_t ip4_src = iph->src_address;
121 u16 udp_src_port = clib_host_to_net_u16 (uhd->src_port);;
122 u16 udp_dst_port = clib_host_to_net_u16 (uhd->dst_port);;
124 message_header_t *header = current_b_data;
127 wg_if = wg_if_get_by_port (udp_dst_port);
130 return WG_INPUT_ERROR_INTERFACE;
132 if (header->type == MESSAGE_HANDSHAKE_COOKIE)
134 message_handshake_cookie_t *packet =
135 (message_handshake_cookie_t *) current_b_data;
137 wg_index_table_lookup (&wmp->index_table, packet->receiver_index);
140 peer = pool_elt_at_index (wmp->peers, *entry);
143 return WG_INPUT_ERROR_PEER;
145 // TODO: Implement cookie_maker_consume_payload
147 return WG_INPUT_ERROR_NONE;
150 u32 len = (header->type == MESSAGE_HANDSHAKE_INITIATION ?
151 sizeof (message_handshake_initiation_t) :
152 sizeof (message_handshake_response_t));
154 message_macs_t *macs = (message_macs_t *)
155 ((u8 *) current_b_data + len - sizeof (*macs));
158 cookie_checker_validate_macs (vm, &wg_if->cookie_checker, macs,
159 current_b_data, len, under_load, ip4_src,
162 if ((under_load && mac_state == VALID_MAC_WITH_COOKIE)
163 || (!under_load && mac_state == VALID_MAC_BUT_NO_COOKIE))
164 packet_needs_cookie = false;
165 else if (under_load && mac_state == VALID_MAC_BUT_NO_COOKIE)
166 packet_needs_cookie = true;
168 return WG_INPUT_ERROR_HANDSHAKE_MAC;
170 switch (header->type)
172 case MESSAGE_HANDSHAKE_INITIATION:
174 message_handshake_initiation_t *message = current_b_data;
176 if (packet_needs_cookie)
178 // TODO: Add processing
182 if (noise_consume_initiation
183 (wmp->vlib_main, &wg_if->local, &rp, message->sender_index,
184 message->unencrypted_ephemeral, message->encrypted_static,
185 message->encrypted_timestamp))
187 peer = pool_elt_at_index (wmp->peers, rp->r_peer_idx);
191 return WG_INPUT_ERROR_PEER;
193 // set_peer_address (peer, ip4_src, udp_src_port);
194 if (PREDICT_FALSE (!wg_send_handshake_response (vm, peer)))
196 vlib_node_increment_counter (vm, wg_input_node.index,
197 WG_INPUT_ERROR_HANDSHAKE_SEND, 1);
201 case MESSAGE_HANDSHAKE_RESPONSE:
203 message_handshake_response_t *resp = current_b_data;
205 wg_index_table_lookup (&wmp->index_table, resp->receiver_index);
208 peer = pool_elt_at_index (wmp->peers, *entry);
209 if (!peer || peer->is_dead)
210 return WG_INPUT_ERROR_PEER;
213 if (!noise_consume_response
214 (wmp->vlib_main, &peer->remote, resp->sender_index,
215 resp->receiver_index, resp->unencrypted_ephemeral,
216 resp->encrypted_nothing))
218 return WG_INPUT_ERROR_PEER;
220 if (packet_needs_cookie)
222 // TODO: Add processing
225 // set_peer_address (peer, ip4_src, udp_src_port);
226 if (noise_remote_begin_session (wmp->vlib_main, &peer->remote))
228 wg_timers_session_derived (peer);
229 wg_timers_handshake_complete (peer);
230 if (PREDICT_FALSE (!wg_send_keepalive (vm, peer)))
232 vlib_node_increment_counter (vm, wg_input_node.index,
233 WG_INPUT_ERROR_KEEPALIVE_SEND,
243 wg_timers_any_authenticated_packet_received (peer);
244 wg_timers_any_authenticated_packet_traversal (peer);
245 return WG_INPUT_ERROR_NONE;
248 static_always_inline bool
249 fib_prefix_is_cover_addr_4 (const fib_prefix_t * p1,
250 const ip4_address_t * ip4)
252 switch (p1->fp_proto)
254 case FIB_PROTOCOL_IP4:
255 return (ip4_destination_matches_route (&ip4_main,
257 ip4, p1->fp_len) != 0);
258 case FIB_PROTOCOL_IP6:
260 case FIB_PROTOCOL_MPLS:
266 VLIB_NODE_FN (wg_input_node) (vlib_main_t * vm,
267 vlib_node_runtime_t * node,
268 vlib_frame_t * frame)
270 message_type_t header_type;
273 vlib_buffer_t *bufs[VLIB_FRAME_SIZE], **b;
274 u16 nexts[VLIB_FRAME_SIZE], *next;
276 from = vlib_frame_vector_args (frame);
277 n_left_from = frame->n_vectors;
281 vlib_get_buffers (vm, from, bufs, n_left_from);
283 wg_main_t *wmp = &wg_main;
284 wg_peer_t *peer = NULL;
286 while (n_left_from > 0)
288 bool is_keepalive = false;
289 next[0] = WG_INPUT_NEXT_PUNT;
291 ((message_header_t *) vlib_buffer_get_current (b[0]))->type;
295 case MESSAGE_HANDSHAKE_INITIATION:
296 case MESSAGE_HANDSHAKE_RESPONSE:
297 case MESSAGE_HANDSHAKE_COOKIE:
299 wg_input_error_t ret = wg_handshake_process (vm, wmp, b[0]);
300 if (ret != WG_INPUT_ERROR_NONE)
302 next[0] = WG_INPUT_NEXT_ERROR;
303 b[0]->error = node->errors[ret];
309 message_data_t *data = vlib_buffer_get_current (b[0]);
311 wg_index_table_lookup (&wmp->index_table, data->receiver_index);
315 peer = pool_elt_at_index (wmp->peers, *entry);
318 next[0] = WG_INPUT_NEXT_ERROR;
319 b[0]->error = node->errors[WG_INPUT_ERROR_PEER];
324 u16 encr_len = b[0]->current_length - sizeof (message_data_t);
325 u16 decr_len = encr_len - NOISE_AUTHTAG_LEN;
326 u8 *decr_data = clib_mem_alloc (decr_len);
328 enum noise_state_crypt state_cr =
329 noise_remote_decrypt (wmp->vlib_main,
331 data->receiver_index,
333 data->encrypted_data,
342 wg_timers_handshake_complete (peer);
344 case SC_KEEP_KEY_FRESH:
345 if (PREDICT_FALSE (!wg_send_handshake (vm, peer, false)))
347 vlib_node_increment_counter (vm, wg_input_node.index,
348 WG_INPUT_ERROR_HANDSHAKE_SEND,
353 next[0] = WG_INPUT_NEXT_ERROR;
354 b[0]->error = node->errors[WG_INPUT_ERROR_DECRYPTION];
360 clib_memcpy (vlib_buffer_get_current (b[0]), decr_data, decr_len);
361 b[0]->current_length = decr_len;
362 b[0]->flags &= ~VNET_BUFFER_F_OFFLOAD_UDP_CKSUM;
364 clib_mem_free (decr_data);
366 wg_timers_any_authenticated_packet_received (peer);
367 wg_timers_any_authenticated_packet_traversal (peer);
375 wg_timers_data_received (peer);
377 ip4_header_t *iph = vlib_buffer_get_current (b[0]);
379 const wg_peer_allowed_ip_t *allowed_ip;
380 bool allowed = false;
383 * we could make this into an ACL, but the expectation
384 * is that there aren't many allowed IPs and thus a linear
385 * walk is fater than an ACL
387 vec_foreach (allowed_ip, peer->allowed_ips)
389 if (fib_prefix_is_cover_addr_4 (&allowed_ip->prefix,
398 vnet_buffer (b[0])->sw_if_index[VLIB_RX] =
399 peer->wg_sw_if_index;
400 next[0] = WG_INPUT_NEXT_IP4_INPUT;
409 if (PREDICT_FALSE ((node->flags & VLIB_NODE_FLAG_TRACE)
410 && (b[0]->flags & VLIB_BUFFER_IS_TRACED)))
412 wg_input_trace_t *t = vlib_add_trace (vm, node, b[0], sizeof (*t));
413 t->type = header_type;
414 t->current_length = b[0]->current_length;
415 t->is_keepalive = is_keepalive;
421 vlib_buffer_enqueue_to_next (vm, node, from, nexts, frame->n_vectors);
423 return frame->n_vectors;
427 VLIB_REGISTER_NODE (wg_input_node) =
430 .vector_size = sizeof (u32),
431 .format_trace = format_wg_input_trace,
432 .type = VLIB_NODE_TYPE_INTERNAL,
433 .n_errors = ARRAY_LEN (wg_input_error_strings),
434 .error_strings = wg_input_error_strings,
435 .n_next_nodes = WG_INPUT_N_NEXT,
436 /* edit / add dispositions here */
438 [WG_INPUT_NEXT_IP4_INPUT] = "ip4-input-no-checksum",
439 [WG_INPUT_NEXT_PUNT] = "error-punt",
440 [WG_INPUT_NEXT_ERROR] = "error-drop",
446 * fd.io coding-style-patch-verification: ON
449 * eval: (c-set-style "gnu")