2 * Copyright (c) 2020 Doc.ai and/or its affiliates.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at:
7 * http://www.apache.org/licenses/LICENSE-2.0
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
16 #include <vnet/vnet.h>
17 #include <vnet/fib/ip6_fib.h>
18 #include <vnet/fib/ip4_fib.h>
19 #include <vnet/fib/fib_entry.h>
20 #include <vnet/ip/ip6_link.h>
21 #include <vnet/pg/pg.h>
22 #include <vnet/udp/udp.h>
23 #include <vppinfra/error.h>
24 #include <wireguard/wireguard.h>
25 #include <wireguard/wireguard_send.h>
28 ip46_enqueue_packet (vlib_main_t * vm, u32 bi0, int is_ip6)
31 u32 lookup_node_index =
32 is_ip6 ? ip6_lookup_node.index : ip4_lookup_node.index;
34 f = vlib_get_frame_to_node (vm, lookup_node_index);
35 /* f can not be NULL here - frame allocation failure causes panic */
37 u32 *to_next = vlib_frame_vector_args (f);
41 vlib_put_frame_to_node (vm, lookup_node_index, f);
47 wg_buffer_prepend_rewrite (vlib_buffer_t * b0, const wg_peer_t * peer)
49 ip4_udp_header_t *hdr;
51 vlib_buffer_advance (b0, -sizeof (*hdr));
53 hdr = vlib_buffer_get_current (b0);
54 clib_memcpy (hdr, peer->rewrite, vec_len (peer->rewrite));
57 clib_host_to_net_u16 (b0->current_length - sizeof (ip4_header_t));
58 ip4_header_set_len_w_chksum (&hdr->ip4,
59 clib_host_to_net_u16 (b0->current_length));
63 wg_create_buffer (vlib_main_t * vm,
64 const wg_peer_t * peer,
65 const u8 * packet, u32 packet_len, u32 * bi)
70 n_buf0 = vlib_buffer_alloc (vm, bi, 1);
74 b0 = vlib_get_buffer (vm, *bi);
76 u8 *payload = vlib_buffer_get_current (b0);
77 clib_memcpy (payload, packet, packet_len);
79 b0->current_length = packet_len;
81 wg_buffer_prepend_rewrite (b0, peer);
87 wg_send_handshake (vlib_main_t * vm, wg_peer_t * peer, bool is_retry)
89 wg_main_t *wmp = &wg_main;
90 message_handshake_initiation_t packet;
93 peer->timer_handshake_attempts = 0;
95 if (!wg_birthdate_has_expired (peer->last_sent_handshake,
96 REKEY_TIMEOUT) || peer->is_dead)
100 if (noise_create_initiation (wmp->vlib_main,
102 &packet.sender_index,
103 packet.unencrypted_ephemeral,
104 packet.encrypted_static,
105 packet.encrypted_timestamp))
107 f64 now = vlib_time_now (vm);
108 packet.header.type = MESSAGE_HANDSHAKE_INITIATION;
109 cookie_maker_mac (&peer->cookie_maker, &packet.macs, &packet,
111 wg_timers_any_authenticated_packet_traversal (peer);
112 wg_timers_any_authenticated_packet_sent (peer);
113 peer->last_sent_handshake = now;
114 wg_timers_handshake_initiated (peer);
119 if (!wg_create_buffer (vm, peer, (u8 *) & packet, sizeof (packet), &bi0))
121 ip46_enqueue_packet (vm, bi0, false);
127 wg_send_keepalive (vlib_main_t * vm, wg_peer_t * peer)
129 wg_main_t *wmp = &wg_main;
130 u32 size_of_packet = message_data_len (0);
131 message_data_t *packet = clib_mem_alloc (size_of_packet);
134 enum noise_state_crypt state;
136 if (!peer->remote.r_current)
138 wg_send_handshake (vm, peer, false);
143 noise_remote_encrypt (wmp->vlib_main,
145 &packet->receiver_index,
146 &packet->counter, NULL, 0, packet->encrypted_data);
151 case SC_KEEP_KEY_FRESH:
152 wg_send_handshake (vm, peer, false);
160 packet->header.type = MESSAGE_DATA;
162 if (!wg_create_buffer (vm, peer, (u8 *) packet, size_of_packet, &bi0))
168 ip46_enqueue_packet (vm, bi0, false);
169 wg_timers_any_authenticated_packet_traversal (peer);
170 wg_timers_any_authenticated_packet_sent (peer);
173 clib_mem_free (packet);
178 wg_send_handshake_response (vlib_main_t * vm, wg_peer_t * peer)
180 wg_main_t *wmp = &wg_main;
181 message_handshake_response_t packet;
183 peer->last_sent_handshake = vlib_time_now (vm);
185 if (noise_create_response (vm,
187 &packet.sender_index,
188 &packet.receiver_index,
189 packet.unencrypted_ephemeral,
190 packet.encrypted_nothing))
192 f64 now = vlib_time_now (vm);
193 packet.header.type = MESSAGE_HANDSHAKE_RESPONSE;
194 cookie_maker_mac (&peer->cookie_maker, &packet.macs, &packet,
197 if (noise_remote_begin_session (wmp->vlib_main, &peer->remote))
199 wg_timers_session_derived (peer);
200 wg_timers_any_authenticated_packet_traversal (peer);
201 wg_timers_any_authenticated_packet_sent (peer);
202 peer->last_sent_handshake = now;
205 if (!wg_create_buffer (vm, peer, (u8 *) & packet,
206 sizeof (packet), &bi0))
209 ip46_enqueue_packet (vm, bi0, false);
220 * fd.io coding-style-patch-verification: ON
223 * eval: (c-set-style "gnu")