2 * Copyright (c) 2020 Doc.ai and/or its affiliates.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at:
7 * http://www.apache.org/licenses/LICENSE-2.0
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
16 #include <vlibmemory/api.h>
17 #include <wireguard/wireguard.h>
18 #include <wireguard/wireguard_send.h>
19 #include <wireguard/wireguard_timer.h>
22 get_random_u32_max (u32 max)
24 vlib_main_t *vm = vlib_get_main ();
25 u32 seed = (u32) (vlib_time_now (vm) * 1e6);
26 return random_u32 (&seed) % max;
30 get_random_u32_max_opt (u32 max, f64 time)
32 u32 seed = (u32) (time * 1e6);
33 return random_u32 (&seed) % max;
37 stop_timer (wg_peer_t * peer, u32 timer_id)
39 if (peer->timers[timer_id] != ~0)
41 tw_timer_stop_16t_2w_512sl (peer->timer_wheel, peer->timers[timer_id]);
42 peer->timers[timer_id] = ~0;
47 start_timer (wg_peer_t * peer, u32 timer_id, u32 interval_ticks)
49 ASSERT (vlib_get_thread_index () == 0);
51 if (peer->timers[timer_id] == ~0)
53 peer->timers[timer_id] =
54 tw_timer_start_16t_2w_512sl (peer->timer_wheel, peer - wg_peer_pool,
55 timer_id, interval_ticks);
68 start_timer_thread_fn (void *arg)
70 wg_timers_args *a = arg;
71 wg_peer_t *peer = wg_peer_get (a->peer_idx);
72 start_timer (peer, a->timer_id, a->interval_ticks);
76 static_always_inline void
77 start_timer_from_mt (u32 peer_idx, u32 timer_id, u32 interval_ticks)
82 .interval_ticks = interval_ticks,
84 wg_peer_t *peer = wg_peer_get (peer_idx);
85 if (PREDICT_FALSE (!peer->timers_dispatched[timer_id]))
86 if (!clib_atomic_cmp_and_swap (&peer->timers_dispatched[timer_id], 0, 1))
87 vl_api_rpc_call_main_thread (start_timer_thread_fn, (u8 *) &a,
92 timer_ticks_left (vlib_main_t * vm, f64 init_time_sec, u32 interval_ticks)
94 static const int32_t rounding = (int32_t) (WHZ / 2);
97 ticks_remain = (init_time_sec - vlib_time_now (vm)) * WHZ + interval_ticks;
98 return (ticks_remain > rounding) ? (u32) ticks_remain : 0;
102 wg_expired_retransmit_handshake (vlib_main_t * vm, wg_peer_t * peer)
104 if (peer->rehandshake_started == ~0)
107 u32 ticks = timer_ticks_left (vm, peer->rehandshake_started,
108 peer->rehandshake_interval_tick);
111 start_timer (peer, WG_TIMER_RETRANSMIT_HANDSHAKE, ticks);
115 if (peer->timer_handshake_attempts > MAX_TIMER_HANDSHAKES)
117 stop_timer (peer, WG_TIMER_SEND_KEEPALIVE);
119 /* We set a timer for destroying any residue that might be left
120 * of a partial exchange.
122 start_timer (peer, WG_TIMER_KEY_ZEROING, REJECT_AFTER_TIME * 3 * WHZ);
127 ++peer->timer_handshake_attempts;
128 wg_send_handshake (vm, peer, true);
133 wg_expired_send_keepalive (vlib_main_t * vm, wg_peer_t * peer)
135 if (peer->last_sent_packet < peer->last_received_packet)
137 u32 ticks = timer_ticks_left (vm, peer->last_received_packet,
138 KEEPALIVE_TIMEOUT * WHZ);
141 start_timer (peer, WG_TIMER_SEND_KEEPALIVE, ticks);
145 wg_send_keepalive (vm, peer);
146 if (peer->timer_need_another_keepalive)
148 peer->timer_need_another_keepalive = false;
149 start_timer (peer, WG_TIMER_SEND_KEEPALIVE,
150 KEEPALIVE_TIMEOUT * WHZ);
156 wg_expired_send_persistent_keepalive (vlib_main_t * vm, wg_peer_t * peer)
158 if (peer->persistent_keepalive_interval)
160 f64 latest_time = peer->last_sent_packet > peer->last_received_packet
161 ? peer->last_sent_packet : peer->last_received_packet;
163 u32 ticks = timer_ticks_left (vm, latest_time,
164 peer->persistent_keepalive_interval *
168 start_timer (peer, WG_TIMER_PERSISTENT_KEEPALIVE, ticks);
172 wg_send_keepalive (vm, peer);
177 wg_expired_new_handshake (vlib_main_t * vm, wg_peer_t * peer)
179 u32 ticks = timer_ticks_left (vm, peer->last_sent_packet,
180 peer->new_handshake_interval_tick);
183 start_timer (peer, WG_TIMER_NEW_HANDSHAKE, ticks);
187 wg_send_handshake (vm, peer, false);
191 wg_expired_zero_key_material (vlib_main_t * vm, wg_peer_t * peer)
194 timer_ticks_left (vm, peer->session_derived, REJECT_AFTER_TIME * 3 * WHZ);
197 start_timer (peer, WG_TIMER_KEY_ZEROING, ticks);
201 if (!wg_peer_is_dead (peer))
203 noise_remote_clear (vm, &peer->remote);
208 wg_timers_any_authenticated_packet_traversal (wg_peer_t *peer)
210 if (peer->persistent_keepalive_interval)
212 start_timer_from_mt (peer - wg_peer_pool,
213 WG_TIMER_PERSISTENT_KEEPALIVE,
214 peer->persistent_keepalive_interval * WHZ);
219 wg_timers_any_authenticated_packet_sent (wg_peer_t * peer)
221 peer->last_sent_packet = vlib_time_now (vlib_get_main ());
225 wg_timers_any_authenticated_packet_sent_opt (wg_peer_t *peer, f64 time)
227 peer->last_sent_packet = time;
231 wg_timers_handshake_initiated (wg_peer_t * peer)
233 peer->rehandshake_started = vlib_time_now (vlib_get_main ());
234 peer->rehandshake_interval_tick =
235 REKEY_TIMEOUT * WHZ + get_random_u32_max (REKEY_TIMEOUT_JITTER);
237 start_timer_from_mt (peer - wg_peer_pool, WG_TIMER_RETRANSMIT_HANDSHAKE,
238 peer->rehandshake_interval_tick);
242 wg_timers_send_first_handshake (wg_peer_t *peer)
244 // zero value is not allowed
245 peer->new_handshake_interval_tick =
246 get_random_u32_max (REKEY_TIMEOUT_JITTER) + 1;
247 start_timer_from_mt (peer - wg_peer_pool, WG_TIMER_NEW_HANDSHAKE,
248 peer->new_handshake_interval_tick);
252 wg_timers_session_derived (wg_peer_t * peer)
254 peer->session_derived = vlib_time_now (vlib_get_main ());
256 start_timer_from_mt (peer - wg_peer_pool, WG_TIMER_KEY_ZEROING,
257 REJECT_AFTER_TIME * 3 * WHZ);
260 /* Should be called after an authenticated data packet is sent. */
262 wg_timers_data_sent (wg_peer_t * peer)
264 peer->new_handshake_interval_tick =
265 (KEEPALIVE_TIMEOUT + REKEY_TIMEOUT) * WHZ +
266 get_random_u32_max (REKEY_TIMEOUT_JITTER);
268 start_timer_from_mt (peer - wg_peer_pool, WG_TIMER_NEW_HANDSHAKE,
269 peer->new_handshake_interval_tick);
273 wg_timers_data_sent_opt (wg_peer_t *peer, f64 time)
275 peer->new_handshake_interval_tick =
276 (KEEPALIVE_TIMEOUT + REKEY_TIMEOUT) * WHZ +
277 get_random_u32_max_opt (REKEY_TIMEOUT_JITTER, time);
279 start_timer_from_mt (peer - wg_peer_pool, WG_TIMER_NEW_HANDSHAKE,
280 peer->new_handshake_interval_tick);
283 /* Should be called after an authenticated data packet is received. */
285 wg_timers_data_received (wg_peer_t * peer)
287 if (peer->timers[WG_TIMER_SEND_KEEPALIVE] == ~0)
289 start_timer_from_mt (peer - wg_peer_pool, WG_TIMER_SEND_KEEPALIVE,
290 KEEPALIVE_TIMEOUT * WHZ);
293 peer->timer_need_another_keepalive = true;
296 /* Should be called after a handshake response message is received and processed
297 * or when getting key confirmation via the first data message.
300 wg_timers_handshake_complete (wg_peer_t * peer)
302 peer->rehandshake_started = ~0;
303 peer->timer_handshake_attempts = 0;
307 wg_timers_any_authenticated_packet_received (wg_peer_t * peer)
309 peer->last_received_packet = vlib_time_now (vlib_get_main ());
313 wg_timers_any_authenticated_packet_received_opt (wg_peer_t *peer, f64 time)
315 peer->last_received_packet = time;
318 static vlib_node_registration_t wg_timer_mngr_node;
321 expired_timer_callback (u32 * expired_timers)
327 wg_main_t *wmp = &wg_main;
328 vlib_main_t *vm = wmp->vlib_main;
332 /* Need to invalidate all of them because one can restart other */
333 for (i = 0; i < vec_len (expired_timers); i++)
335 pool_index = expired_timers[i] & 0x0FFFFFFF;
336 timer_id = expired_timers[i] >> 28;
338 peer = wg_peer_get (pool_index);
339 peer->timers[timer_id] = ~0;
341 /* Under barrier, no sync needed */
342 peer->timers_dispatched[timer_id] = 0;
345 for (i = 0; i < vec_len (expired_timers); i++)
347 pool_index = expired_timers[i] & 0x0FFFFFFF;
348 timer_id = expired_timers[i] >> 28;
350 peer = wg_peer_get (pool_index);
353 case WG_TIMER_RETRANSMIT_HANDSHAKE:
354 wg_expired_retransmit_handshake (vm, peer);
356 case WG_TIMER_PERSISTENT_KEEPALIVE:
357 wg_expired_send_persistent_keepalive (vm, peer);
359 case WG_TIMER_SEND_KEEPALIVE:
360 wg_expired_send_keepalive (vm, peer);
362 case WG_TIMER_NEW_HANDSHAKE:
363 wg_expired_new_handshake (vm, peer);
365 case WG_TIMER_KEY_ZEROING:
366 wg_expired_zero_key_material (vm, peer);
375 wg_timer_wheel_init ()
377 wg_main_t *wmp = &wg_main;
378 tw_timer_wheel_16t_2w_512sl_t *tw = &wmp->timer_wheel;
379 tw_timer_wheel_init_16t_2w_512sl (tw,
380 expired_timer_callback,
381 WG_TICK /* timer period in s */ , ~0);
385 wg_timer_mngr_fn (vlib_main_t * vm, vlib_node_runtime_t * rt,
388 wg_main_t *wmp = &wg_main;
389 uword event_type = 0;
391 /* Park the process until the feature is configured */
394 vlib_process_wait_for_event (vm);
395 event_type = vlib_process_get_events (vm, 0);
396 if (event_type == WG_START_EVENT)
402 clib_warning ("Unknown event type %d", event_type);
406 * Reset the timer wheel time so it won't try to
407 * expire Avogadro's number of time slots.
409 wmp->timer_wheel.last_run_time = vlib_time_now (vm);
413 vlib_process_wait_for_event_or_clock (vm, WG_TICK);
414 vlib_process_get_events (vm, NULL);
416 tw_timer_expire_timers_16t_2w_512sl (&wmp->timer_wheel,
424 wg_timers_stop (wg_peer_t * peer)
426 ASSERT (vlib_get_thread_index () == 0);
427 if (peer->timer_wheel)
429 stop_timer (peer, WG_TIMER_RETRANSMIT_HANDSHAKE);
430 stop_timer (peer, WG_TIMER_PERSISTENT_KEEPALIVE);
431 stop_timer (peer, WG_TIMER_SEND_KEEPALIVE);
432 stop_timer (peer, WG_TIMER_NEW_HANDSHAKE);
433 stop_timer (peer, WG_TIMER_KEY_ZEROING);
437 VLIB_REGISTER_NODE (wg_timer_mngr_node, static) = {
438 .function = wg_timer_mngr_fn,
439 .type = VLIB_NODE_TYPE_PROCESS,
445 wg_feature_init (wg_main_t * wmp)
447 if (wmp->feature_init)
449 vlib_process_signal_event (wmp->vlib_main, wg_timer_mngr_node.index,
451 wmp->feature_init = 1;
457 * fd.io coding-style-patch-verification: ON
460 * eval: (c-set-style "gnu")