src/plugins/wireguard/wireguard_timer.c

   1 /*
   2  * Copyright (c) 2020 Doc.ai and/or its affiliates.
   3  * Licensed under the Apache License, Version 2.0 (the "License");
   4  * you may not use this file except in compliance with the License.
   5  * You may obtain a copy of the License at:
   6  *
   7  *     http://www.apache.org/licenses/LICENSE-2.0
   8  *
   9  * Unless required by applicable law or agreed to in writing, software
  10  * distributed under the License is distributed on an "AS IS" BASIS,
  11  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  12  * See the License for the specific language governing permissions and
  13  * limitations under the License.
  14  */
  15
  16 #include <vlibmemory/api.h>
  17 #include <wireguard/wireguard.h>
  18 #include <wireguard/wireguard_send.h>
  19 #include <wireguard/wireguard_timer.h>
  20
  21 static u32
  22 get_random_u32_max (u32 max)
  23 {
  24   vlib_main_t *vm = vlib_get_main ();
  25   u32 seed = (u32) (vlib_time_now (vm) * 1e6);
  26   return random_u32 (&seed) % max;
  27 }
  28
  29 static void
  30 stop_timer (wg_peer_t * peer, u32 timer_id)
  31 {
  32   if (peer->timers[timer_id] != ~0)
  33     {
  34       tw_timer_stop_16t_2w_512sl (peer->timer_wheel, peer->timers[timer_id]);
  35       peer->timers[timer_id] = ~0;
  36     }
  37 }
  38
  39 static void
  40 start_timer (wg_peer_t * peer, u32 timer_id, u32 interval_ticks)
  41 {
  42   ASSERT (vlib_get_thread_index () == 0);
  43
  44   if (peer->timers[timer_id] == ~0)
  45     {
  46       peer->timers[timer_id] =
  47         tw_timer_start_16t_2w_512sl (peer->timer_wheel, peer - wg_peer_pool,
  48                                      timer_id, interval_ticks);
  49     }
  50 }
  51
  52 typedef struct
  53 {
  54   u32 peer_idx;
  55   u32 timer_id;
  56   u32 interval_ticks;
  57
  58 } wg_timers_args;
  59
  60 static void *
  61 start_timer_thread_fn (void *arg)
  62 {
  63   wg_timers_args *a = arg;
  64   wg_peer_t *peer = wg_peer_get (a->peer_idx);
  65
  66   start_timer (peer, a->timer_id, a->interval_ticks);
  67   return 0;
  68 }
  69
  70 static void
  71 start_timer_from_mt (u32 peer_idx, u32 timer_id, u32 interval_ticks)
  72 {
  73   wg_timers_args a = {
  74     .peer_idx = peer_idx,
  75     .timer_id = timer_id,
  76     .interval_ticks = interval_ticks,
  77   };
  78
  79   vl_api_rpc_call_main_thread (start_timer_thread_fn, (u8 *) & a, sizeof (a));
  80 }
  81
  82 static inline u32
  83 timer_ticks_left (vlib_main_t * vm, f64 init_time_sec, u32 interval_ticks)
  84 {
  85   static const int32_t rounding = (int32_t) (WHZ / 2);
  86   int32_t ticks_remain;
  87
  88   ticks_remain = (init_time_sec - vlib_time_now (vm)) * WHZ + interval_ticks;
  89   return (ticks_remain > rounding) ? (u32) ticks_remain : 0;
  90 }
  91
  92 static void
  93 wg_expired_retransmit_handshake (vlib_main_t * vm, wg_peer_t * peer)
  94 {
  95   if (peer->rehandshake_started == ~0)
  96     return;
  97
  98   u32 ticks = timer_ticks_left (vm, peer->rehandshake_started,
  99                                 peer->rehandshake_interval_tick);
 100   if (ticks)
 101     {
 102       start_timer (peer, WG_TIMER_RETRANSMIT_HANDSHAKE, ticks);
 103       return;
 104     }
 105
 106   if (peer->timer_handshake_attempts > MAX_TIMER_HANDSHAKES)
 107     {
 108       stop_timer (peer, WG_TIMER_SEND_KEEPALIVE);
 109
 110       /* We set a timer for destroying any residue that might be left
 111        * of a partial exchange.
 112        */
 113       start_timer (peer, WG_TIMER_KEY_ZEROING, REJECT_AFTER_TIME * 3 * WHZ);
 114
 115     }
 116   else
 117     {
 118       ++peer->timer_handshake_attempts;
 119       wg_send_handshake (vm, peer, true);
 120     }
 121 }
 122
 123 static void
 124 wg_expired_send_keepalive (vlib_main_t * vm, wg_peer_t * peer)
 125 {
 126   if (peer->last_sent_packet < peer->last_received_packet)
 127     {
 128       u32 ticks = timer_ticks_left (vm, peer->last_received_packet,
 129                                     KEEPALIVE_TIMEOUT * WHZ);
 130       if (ticks)
 131         {
 132           start_timer (peer, WG_TIMER_SEND_KEEPALIVE, ticks);
 133           return;
 134         }
 135
 136       wg_send_keepalive (vm, peer);
 137       if (peer->timer_need_another_keepalive)
 138         {
 139           peer->timer_need_another_keepalive = false;
 140           start_timer (peer, WG_TIMER_SEND_KEEPALIVE,
 141                        KEEPALIVE_TIMEOUT * WHZ);
 142         }
 143     }
 144 }
 145
 146 static void
 147 wg_expired_send_persistent_keepalive (vlib_main_t * vm, wg_peer_t * peer)
 148 {
 149   if (peer->persistent_keepalive_interval)
 150     {
 151       f64 latest_time = peer->last_sent_packet > peer->last_received_packet
 152         ? peer->last_sent_packet : peer->last_received_packet;
 153
 154       u32 ticks = timer_ticks_left (vm, latest_time,
 155                                     peer->persistent_keepalive_interval *
 156                                     WHZ);
 157       if (ticks)
 158         {
 159           start_timer (peer, WG_TIMER_PERSISTENT_KEEPALIVE, ticks);
 160           return;
 161         }
 162
 163       wg_send_keepalive (vm, peer);
 164     }
 165 }
 166
 167 static void
 168 wg_expired_new_handshake (vlib_main_t * vm, wg_peer_t * peer)
 169 {
 170   u32 ticks = timer_ticks_left (vm, peer->last_sent_packet,
 171                                 peer->new_handshake_interval_tick);
 172   if (ticks)
 173     {
 174       start_timer (peer, WG_TIMER_NEW_HANDSHAKE, ticks);
 175       return;
 176     }
 177
 178   wg_send_handshake (vm, peer, false);
 179 }
 180
 181 static void
 182 wg_expired_zero_key_material (vlib_main_t * vm, wg_peer_t * peer)
 183 {
 184   u32 ticks =
 185     timer_ticks_left (vm, peer->session_derived, REJECT_AFTER_TIME * 3 * WHZ);
 186   if (ticks)
 187     {
 188       start_timer (peer, WG_TIMER_KEY_ZEROING, ticks);
 189       return;
 190     }
 191
 192   if (!peer->is_dead)
 193     {
 194       noise_remote_clear (vm, &peer->remote);
 195     }
 196 }
 197
 198 void
 199 wg_timers_any_authenticated_packet_traversal (wg_peer_t * peer)
 200 {
 201   if (peer->persistent_keepalive_interval)
 202     {
 203       start_timer_from_mt (peer - wg_peer_pool,
 204                            WG_TIMER_PERSISTENT_KEEPALIVE,
 205                            peer->persistent_keepalive_interval * WHZ);
 206     }
 207 }
 208
 209 void
 210 wg_timers_any_authenticated_packet_sent (wg_peer_t * peer)
 211 {
 212   peer->last_sent_packet = vlib_time_now (vlib_get_main ());
 213 }
 214
 215 void
 216 wg_timers_handshake_initiated (wg_peer_t * peer)
 217 {
 218   peer->rehandshake_started = vlib_time_now (vlib_get_main ());
 219   peer->rehandshake_interval_tick =
 220     REKEY_TIMEOUT * WHZ + get_random_u32_max (REKEY_TIMEOUT_JITTER);
 221
 222   start_timer_from_mt (peer - wg_peer_pool, WG_TIMER_RETRANSMIT_HANDSHAKE,
 223                        peer->rehandshake_interval_tick);
 224 }
 225
 226 void
 227 wg_timers_session_derived (wg_peer_t * peer)
 228 {
 229   peer->session_derived = vlib_time_now (vlib_get_main ());
 230
 231   start_timer_from_mt (peer - wg_peer_pool, WG_TIMER_KEY_ZEROING,
 232                        REJECT_AFTER_TIME * 3 * WHZ);
 233 }
 234
 235 /* Should be called after an authenticated data packet is sent. */
 236 void
 237 wg_timers_data_sent (wg_peer_t * peer)
 238 {
 239   peer->new_handshake_interval_tick =
 240     (KEEPALIVE_TIMEOUT + REKEY_TIMEOUT) * WHZ +
 241     get_random_u32_max (REKEY_TIMEOUT_JITTER);
 242
 243   start_timer_from_mt (peer - wg_peer_pool, WG_TIMER_NEW_HANDSHAKE,
 244                        peer->new_handshake_interval_tick);
 245 }
 246
 247 /* Should be called after an authenticated data packet is received. */
 248 void
 249 wg_timers_data_received (wg_peer_t * peer)
 250 {
 251   if (peer->timers[WG_TIMER_SEND_KEEPALIVE] == ~0)
 252     {
 253       start_timer_from_mt (peer - wg_peer_pool, WG_TIMER_SEND_KEEPALIVE,
 254                            KEEPALIVE_TIMEOUT * WHZ);
 255     }
 256   else
 257     peer->timer_need_another_keepalive = true;
 258 }
 259
 260 /* Should be called after a handshake response message is received and processed
 261  * or when getting key confirmation via the first data message.
 262  */
 263 void
 264 wg_timers_handshake_complete (wg_peer_t * peer)
 265 {
 266   peer->rehandshake_started = ~0;
 267   peer->timer_handshake_attempts = 0;
 268 }
 269
 270 void
 271 wg_timers_any_authenticated_packet_received (wg_peer_t * peer)
 272 {
 273   peer->last_received_packet = vlib_time_now (vlib_get_main ());
 274 }
 275
 276 static vlib_node_registration_t wg_timer_mngr_node;
 277
 278 static void
 279 expired_timer_callback (u32 * expired_timers)
 280 {
 281   int i;
 282   u32 timer_id;
 283   u32 pool_index;
 284
 285   wg_main_t *wmp = &wg_main;
 286   vlib_main_t *vm = wmp->vlib_main;
 287
 288   wg_peer_t *peer;
 289
 290   /* Need to invalidate all of them because one can restart other */
 291   for (i = 0; i < vec_len (expired_timers); i++)
 292     {
 293       pool_index = expired_timers[i] & 0x0FFFFFFF;
 294       timer_id = expired_timers[i] >> 28;
 295
 296       peer = wg_peer_get (pool_index);
 297       peer->timers[timer_id] = ~0;
 298     }
 299
 300   for (i = 0; i < vec_len (expired_timers); i++)
 301     {
 302       pool_index = expired_timers[i] & 0x0FFFFFFF;
 303       timer_id = expired_timers[i] >> 28;
 304
 305       peer = wg_peer_get (pool_index);
 306       switch (timer_id)
 307         {
 308         case WG_TIMER_RETRANSMIT_HANDSHAKE:
 309           wg_expired_retransmit_handshake (vm, peer);
 310           break;
 311         case WG_TIMER_PERSISTENT_KEEPALIVE:
 312           wg_expired_send_persistent_keepalive (vm, peer);
 313           break;
 314         case WG_TIMER_SEND_KEEPALIVE:
 315           wg_expired_send_keepalive (vm, peer);
 316           break;
 317         case WG_TIMER_NEW_HANDSHAKE:
 318           wg_expired_new_handshake (vm, peer);
 319           break;
 320         case WG_TIMER_KEY_ZEROING:
 321           wg_expired_zero_key_material (vm, peer);
 322           break;
 323         default:
 324           break;
 325         }
 326     }
 327 }
 328
 329 void
 330 wg_timer_wheel_init ()
 331 {
 332   wg_main_t *wmp = &wg_main;
 333   tw_timer_wheel_16t_2w_512sl_t *tw = &wmp->timer_wheel;
 334   tw_timer_wheel_init_16t_2w_512sl (tw,
 335                                     expired_timer_callback,
 336                                     WG_TICK /* timer period in s */ , ~0);
 337   tw->last_run_time = vlib_time_now (wmp->vlib_main);
 338 }
 339
 340 static uword
 341 wg_timer_mngr_fn (vlib_main_t * vm, vlib_node_runtime_t * rt,
 342                   vlib_frame_t * f)
 343 {
 344   wg_main_t *wmp = &wg_main;
 345   while (1)
 346     {
 347       vlib_process_wait_for_event_or_clock (vm, WG_TICK);
 348       vlib_process_get_events (vm, NULL);
 349
 350       tw_timer_expire_timers_16t_2w_512sl (&wmp->timer_wheel,
 351                                            vlib_time_now (vm));
 352     }
 353
 354   return 0;
 355 }
 356
 357 void
 358 wg_timers_stop (wg_peer_t * peer)
 359 {
 360   ASSERT (vlib_get_thread_index () == 0);
 361   if (peer->timer_wheel)
 362     {
 363       stop_timer (peer, WG_TIMER_RETRANSMIT_HANDSHAKE);
 364       stop_timer (peer, WG_TIMER_PERSISTENT_KEEPALIVE);
 365       stop_timer (peer, WG_TIMER_SEND_KEEPALIVE);
 366       stop_timer (peer, WG_TIMER_NEW_HANDSHAKE);
 367       stop_timer (peer, WG_TIMER_KEY_ZEROING);
 368     }
 369 }
 370
 371 /* *INDENT-OFF* */
 372 VLIB_REGISTER_NODE (wg_timer_mngr_node, static) = {
 373     .function = wg_timer_mngr_fn,
 374     .type = VLIB_NODE_TYPE_PROCESS,
 375     .name =
 376     "wg-timer-manager",
 377 };
 378 /* *INDENT-ON* */
 379
 380 /*
 381  * fd.io coding-style-patch-verification: ON
 382  *
 383  * Local Variables:
 384  * eval: (c-set-style "gnu")
 385  * End:
 386  */