Date: Wed, 17 Mar 2021 14:15:34 GMT From: Kyle Evans <kevans@FreeBSD.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org Subject: git: f187d6dfbf63 - main - base: remove if_wg(4) and associated utilities, manpage Message-ID: <202103171415.12HEFYAh099753@gitrepo.freebsd.org>
next in thread | raw e-mail | index | archive | help
The branch main has been updated by kevans: URL: https://cgit.FreeBSD.org/src/commit/?id=f187d6dfbf633665ba6740fe22742aec60ce02a2 commit f187d6dfbf633665ba6740fe22742aec60ce02a2 Author: Kyle Evans <kevans@FreeBSD.org> AuthorDate: 2021-03-16 02:38:23 +0000 Commit: Kyle Evans <kevans@FreeBSD.org> CommitDate: 2021-03-17 14:14:48 +0000 base: remove if_wg(4) and associated utilities, manpage After length decisions, we've decided that the if_wg(4) driver and related work is not yet ready to live in the tree. This driver has larger security implications than many, and thus will be held to more scrutiny than other drivers. Please also see the related message sent to the freebsd-hackers@ and freebsd-arch@ lists by Kyle Evans <kevans@FreeBSD.org> on 2021/03/16, with the subject line "Removing WireGuard Support From Base" for additional context. --- etc/mtree/BSD.include.dist | 2 - include/Makefile | 9 +- sbin/ifconfig/Makefile | 1 - sbin/ifconfig/ifwg.c | 731 --------- share/man/man4/Makefile | 2 - share/man/man4/wg.4 | 259 --- sys/dev/if_wg/crypto.c | 1705 ------------------- sys/dev/if_wg/crypto.h | 114 -- sys/dev/if_wg/if_wg.c | 3462 --------------------------------------- sys/dev/if_wg/if_wg.h | 36 - sys/dev/if_wg/support.h | 56 - sys/dev/if_wg/wg_cookie.c | 438 ----- sys/dev/if_wg/wg_cookie.h | 125 -- sys/dev/if_wg/wg_noise.c | 963 ----------- sys/dev/if_wg/wg_noise.h | 191 --- sys/kern/kern_jail.c | 1 - sys/kern/uipc_socket.c | 11 - sys/kern/uipc_syscalls.c | 4 +- sys/modules/Makefile | 1 - sys/modules/if_wg/Makefile | 12 - sys/net/if_types.h | 1 - sys/netinet6/nd6.c | 4 +- sys/sys/priv.h | 1 - sys/sys/socketvar.h | 1 - tests/sys/netinet/Makefile | 10 +- tests/sys/netinet/if_wg_test.sh | 188 --- 26 files changed, 8 insertions(+), 8320 deletions(-) diff --git a/etc/mtree/BSD.include.dist b/etc/mtree/BSD.include.dist index 0f85798815d5..e7784cbb0a47 100644 --- a/etc/mtree/BSD.include.dist +++ b/etc/mtree/BSD.include.dist @@ -64,8 +64,6 @@ .. iicbus .. - if_wg - .. io .. mfi diff --git a/include/Makefile b/include/Makefile index d47879e11c93..eebc7f0e121f 100644 --- a/include/Makefile +++ b/include/Makefile @@ -43,7 +43,7 @@ LDIRS= geom net net80211 netgraph netinet netinet6 \ LSUBDIRS= dev/acpica dev/agp dev/an dev/ciss dev/filemon dev/firewire \ dev/hwpmc dev/hyperv \ - dev/ic dev/iicbus dev/if_wg dev/io dev/mfi dev/mmc dev/nvme \ + dev/ic dev/iicbus dev/io dev/mfi dev/mmc dev/nvme \ dev/ofw dev/pbio dev/pci ${_dev_powermac_nvram} dev/ppbus dev/pwm \ dev/smbus dev/speaker dev/tcp_log dev/veriexec dev/vkbd \ fs/devfs fs/fdescfs fs/msdosfs fs/nfs fs/nullfs \ @@ -220,10 +220,6 @@ NVPAIRDIR= ${INCLUDEDIR}/sys MLX5= mlx5io.h MLX5DIR= ${INCLUDEDIR}/dev/mlx5 -.PATH: ${SRCTOP}/sys/dev/if_wg -WG= if_wg.h -WGDIR= ${INCLUDEDIR}/dev/if_wg - INCSGROUPS= INCS \ ACPICA \ AGP \ @@ -241,8 +237,7 @@ INCSGROUPS= INCS \ PCI \ RPC \ TEKEN \ - VERIEXEC \ - WG + VERIEXEC .if ${MK_AUDIT} != "no" INCSGROUPS+= BSM diff --git a/sbin/ifconfig/Makefile b/sbin/ifconfig/Makefile index 61cb8ab933fd..b178dc0c7e6a 100644 --- a/sbin/ifconfig/Makefile +++ b/sbin/ifconfig/Makefile @@ -35,7 +35,6 @@ SRCS+= ifvxlan.c # VXLAN support SRCS+= ifgre.c # GRE keys etc SRCS+= ifgif.c # GIF reversed header workaround SRCS+= ifipsec.c # IPsec VTI -SRCS+= ifwg.c # Wireguard SRCS+= sfp.c # SFP/SFP+ information LIBADD+= ifconfig m util diff --git a/sbin/ifconfig/ifwg.c b/sbin/ifconfig/ifwg.c deleted file mode 100644 index a102f392cf80..000000000000 --- a/sbin/ifconfig/ifwg.c +++ /dev/null @@ -1,731 +0,0 @@ -/*- - * SPDX-License-Identifier: BSD-2-Clause - * - * Copyright (c) 2020 Rubicon Communications, LLC (Netgate) - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -#include <sys/cdefs.h> -__FBSDID("$FreeBSD$"); - -#ifndef RESCUE -#include <sys/param.h> -#include <sys/ioctl.h> -#include <sys/socket.h> -#include <sys/sysctl.h> -#include <sys/time.h> -#include <sys/nv.h> - -#include <net/ethernet.h> -#include <net/if.h> -#include <net/if_dl.h> -#include <net/if_types.h> -#include <net/if_media.h> -#include <net/route.h> - -#include <netinet/in.h> -#include <arpa/inet.h> - -#include <dev/if_wg/if_wg.h> - -#include <assert.h> -#include <ctype.h> -#include <err.h> -#include <errno.h> -#include <fcntl.h> -#include <inttypes.h> -#include <stdio.h> -#include <stdlib.h> -#include <netdb.h> -#include <string.h> -#include <unistd.h> -#include <stdarg.h> -#include <stddef.h> /* NB: for offsetof */ -#include <locale.h> -#include <langinfo.h> -#include <resolv.h> - -#include "ifconfig.h" - -static void wgfinish(int s, void *arg); - -static bool wgfinish_registered; - -static int allowed_ips_count; -static int allowed_ips_max; -static nvlist_t **allowed_ips, *nvl_peer; - -#define ALLOWEDIPS_START 16 -#define WG_KEY_SIZE_BASE64 ((((WG_KEY_SIZE) + 2) / 3) * 4 + 1) -#define WG_KEY_SIZE_HEX (WG_KEY_SIZE * 2 + 1) -#define WG_MAX_STRLEN 64 - -struct allowedip { - union { - struct in_addr ip4; - struct in6_addr ip6; - }; -}; - -static void -register_wgfinish(void) -{ - - if (wgfinish_registered) - return; - callback_register(wgfinish, NULL); - wgfinish_registered = true; -} - -static nvlist_t * -nvl_device(void) -{ - static nvlist_t *_nvl_device; - - if (_nvl_device == NULL) - _nvl_device = nvlist_create(0); - register_wgfinish(); - return (_nvl_device); -} - -static bool -key_from_base64(uint8_t key[static WG_KEY_SIZE], const char *base64) -{ - - if (strlen(base64) != WG_KEY_SIZE_BASE64 - 1) { - warnx("bad key len - need %d got %zu\n", WG_KEY_SIZE_BASE64 - 1, strlen(base64)); - return false; - } - if (base64[WG_KEY_SIZE_BASE64 - 2] != '=') { - warnx("bad key terminator, expected '=' got '%c'", base64[WG_KEY_SIZE_BASE64 - 2]); - return false; - } - return (b64_pton(base64, key, WG_KEY_SIZE)); -} - -static void -parse_endpoint(const char *endpoint_) -{ - int err; - char *base, *endpoint, *port, *colon, *tmp; - struct addrinfo hints, *res; - - endpoint = base = strdup(endpoint_); - colon = rindex(endpoint, ':'); - if (colon == NULL) - errx(1, "bad endpoint format %s - no port delimiter found", endpoint); - *colon = '\0'; - port = colon + 1; - - /* [::]:<> */ - if (endpoint[0] == '[') { - endpoint++; - tmp = index(endpoint, ']'); - if (tmp == NULL) - errx(1, "bad endpoint format %s - '[' found with no matching ']'", endpoint); - *tmp = '\0'; - } - bzero(&hints, sizeof(hints)); - hints.ai_family = AF_UNSPEC; - err = getaddrinfo(endpoint, port, &hints, &res); - if (err) - errx(1, "%s", gai_strerror(err)); - nvlist_add_binary(nvl_peer, "endpoint", res->ai_addr, res->ai_addrlen); - freeaddrinfo(res); - free(base); -} - -static void -in_len2mask(struct in_addr *mask, u_int len) -{ - u_int i; - u_char *p; - - p = (u_char *)mask; - memset(mask, 0, sizeof(*mask)); - for (i = 0; i < len / NBBY; i++) - p[i] = 0xff; - if (len % NBBY) - p[i] = (0xff00 >> (len % NBBY)) & 0xff; -} - -static u_int -in_mask2len(struct in_addr *mask) -{ - u_int x, y; - u_char *p; - - p = (u_char *)mask; - for (x = 0; x < sizeof(*mask); x++) { - if (p[x] != 0xff) - break; - } - y = 0; - if (x < sizeof(*mask)) { - for (y = 0; y < NBBY; y++) { - if ((p[x] & (0x80 >> y)) == 0) - break; - } - } - return x * NBBY + y; -} - -static void -in6_prefixlen2mask(struct in6_addr *maskp, int len) -{ - static const u_char maskarray[NBBY] = {0x80, 0xc0, 0xe0, 0xf0, 0xf8, 0xfc, 0xfe, 0xff}; - int bytelen, bitlen, i; - - /* sanity check */ - if (len < 0 || len > 128) { - errx(1, "in6_prefixlen2mask: invalid prefix length(%d)\n", - len); - return; - } - - memset(maskp, 0, sizeof(*maskp)); - bytelen = len / NBBY; - bitlen = len % NBBY; - for (i = 0; i < bytelen; i++) - maskp->s6_addr[i] = 0xff; - if (bitlen) - maskp->s6_addr[bytelen] = maskarray[bitlen - 1]; -} - -static int -in6_mask2len(struct in6_addr *mask, u_char *lim0) -{ - int x = 0, y; - u_char *lim = lim0, *p; - - /* ignore the scope_id part */ - if (lim0 == NULL || lim0 - (u_char *)mask > sizeof(*mask)) - lim = (u_char *)mask + sizeof(*mask); - for (p = (u_char *)mask; p < lim; x++, p++) { - if (*p != 0xff) - break; - } - y = 0; - if (p < lim) { - for (y = 0; y < NBBY; y++) { - if ((*p & (0x80 >> y)) == 0) - break; - } - } - - /* - * when the limit pointer is given, do a stricter check on the - * remaining bits. - */ - if (p < lim) { - if (y != 0 && (*p & (0x00ff >> y)) != 0) - return -1; - for (p = p + 1; p < lim; p++) - if (*p != 0) - return -1; - } - - return x * NBBY + y; -} - -static bool -parse_ip(struct allowedip *aip, uint16_t *family, const char *value) -{ - struct addrinfo hints, *res; - int err; - bool ret; - - ret = true; - bzero(aip, sizeof(*aip)); - bzero(&hints, sizeof(hints)); - hints.ai_family = AF_UNSPEC; - hints.ai_flags = AI_NUMERICHOST; - err = getaddrinfo(value, NULL, &hints, &res); - if (err) - errx(1, "%s", gai_strerror(err)); - - *family = res->ai_family; - if (res->ai_family == AF_INET) { - struct sockaddr_in *sin = (struct sockaddr_in *)res->ai_addr; - - aip->ip4 = sin->sin_addr; - } else if (res->ai_family == AF_INET6) { - struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)res->ai_addr; - - aip->ip6 = sin6->sin6_addr; - } else { - ret = false; - } - - freeaddrinfo(res); - return (ret); -} - -static void -sa_ntop(const struct sockaddr *sa, char *buf, int *port) -{ - const struct sockaddr_in *sin; - const struct sockaddr_in6 *sin6; - int err; - - err = getnameinfo(sa, sa->sa_len, buf, INET6_ADDRSTRLEN, NULL, - 0, NI_NUMERICHOST); - - if (sa->sa_family == AF_INET) { - sin = (const struct sockaddr_in *)sa; - if (port) - *port = sin->sin_port; - } else if (sa->sa_family == AF_INET6) { - sin6 = (const struct sockaddr_in6 *)sa; - if (port) - *port = sin6->sin6_port; - } - - if (err) - errx(1, "%s", gai_strerror(err)); -} - -static void -dump_peer(const nvlist_t *nvl_peer_cfg) -{ - const void *key; - const struct sockaddr *endpoint; - char outbuf[WG_MAX_STRLEN]; - char addr_buf[INET6_ADDRSTRLEN]; - size_t aip_count, size; - int port; - uint16_t persistent_keepalive; - const nvlist_t * const *nvl_aips; - - printf("[Peer]\n"); - if (nvlist_exists_binary(nvl_peer_cfg, "public-key")) { - key = nvlist_get_binary(nvl_peer_cfg, "public-key", &size); - b64_ntop((const uint8_t *)key, size, outbuf, WG_MAX_STRLEN); - printf("PublicKey = %s\n", outbuf); - } - if (nvlist_exists_binary(nvl_peer_cfg, "preshared-key")) { - key = nvlist_get_binary(nvl_peer_cfg, "preshared-key", &size); - b64_ntop((const uint8_t *)key, size, outbuf, WG_MAX_STRLEN); - printf("PresharedKey = %s\n", outbuf); - } - if (nvlist_exists_binary(nvl_peer_cfg, "endpoint")) { - endpoint = nvlist_get_binary(nvl_peer_cfg, "endpoint", &size); - sa_ntop(endpoint, addr_buf, &port); - printf("Endpoint = %s:%d\n", addr_buf, ntohs(port)); - } - if (nvlist_exists_number(nvl_peer_cfg, - "persistent-keepalive-interval")) { - persistent_keepalive = nvlist_get_number(nvl_peer_cfg, - "persistent-keepalive-interval"); - printf("PersistentKeepalive = %d\n", persistent_keepalive); - } - if (!nvlist_exists_nvlist_array(nvl_peer_cfg, "allowed-ips")) - return; - - nvl_aips = nvlist_get_nvlist_array(nvl_peer_cfg, "allowed-ips", &aip_count); - if (nvl_aips == NULL || aip_count == 0) - return; - - printf("AllowedIPs = "); - for (size_t i = 0; i < aip_count; i++) { - uint8_t cidr; - struct sockaddr_storage ss; - sa_family_t family; - - if (!nvlist_exists_number(nvl_aips[i], "cidr")) - continue; - cidr = nvlist_get_number(nvl_aips[i], "cidr"); - if (nvlist_exists_binary(nvl_aips[i], "ipv4")) { - struct sockaddr_in *sin = (struct sockaddr_in *)&ss; - const struct in_addr *ip4; - - ip4 = nvlist_get_binary(nvl_aips[i], "ipv4", &size); - if (ip4 == NULL || cidr > 32) - continue; - sin->sin_len = sizeof(*sin); - sin->sin_family = AF_INET; - sin->sin_addr = *ip4; - } else if (nvlist_exists_binary(nvl_aips[i], "ipv6")) { - struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)&ss; - const struct in6_addr *ip6; - - ip6 = nvlist_get_binary(nvl_aips[i], "ipv6", &size); - if (ip6 == NULL || cidr > 128) - continue; - sin6->sin6_len = sizeof(*sin6); - sin6->sin6_family = AF_INET6; - sin6->sin6_addr = *ip6; - } else { - continue; - } - - family = ss.ss_family; - getnameinfo((struct sockaddr *)&ss, ss.ss_len, addr_buf, - INET6_ADDRSTRLEN, NULL, 0, NI_NUMERICHOST); - printf("%s/%d", addr_buf, cidr); - if (i < aip_count - 1) - printf(", "); - } - printf("\n"); -} - -static int -get_nvl_out_size(int sock, u_long op, size_t *size) -{ - struct wg_data_io wgd; - int err; - - memset(&wgd, 0, sizeof(wgd)); - - strlcpy(wgd.wgd_name, name, sizeof(wgd.wgd_name)); - wgd.wgd_size = 0; - wgd.wgd_data = NULL; - - err = ioctl(sock, op, &wgd); - if (err) - return (err); - *size = wgd.wgd_size; - return (0); -} - -static int -do_cmd(int sock, u_long op, void *arg, size_t argsize, int set) -{ - struct wg_data_io wgd; - - memset(&wgd, 0, sizeof(wgd)); - - strlcpy(wgd.wgd_name, name, sizeof(wgd.wgd_name)); - wgd.wgd_size = argsize; - wgd.wgd_data = arg; - - return (ioctl(sock, op, &wgd)); -} - -static -DECL_CMD_FUNC(peerlist, val, d) -{ - size_t size, peercount; - void *packed; - const nvlist_t *nvl; - const nvlist_t *const *nvl_peerlist; - - if (get_nvl_out_size(s, SIOCGWG, &size)) - errx(1, "can't get peer list size"); - if ((packed = malloc(size)) == NULL) - errx(1, "malloc failed for peer list"); - if (do_cmd(s, SIOCGWG, packed, size, 0)) - errx(1, "failed to obtain peer list"); - - nvl = nvlist_unpack(packed, size, 0); - if (!nvlist_exists_nvlist_array(nvl, "peers")) - return; - nvl_peerlist = nvlist_get_nvlist_array(nvl, "peers", &peercount); - - for (int i = 0; i < peercount; i++, nvl_peerlist++) { - dump_peer(*nvl_peerlist); - } -} - -static void -wgfinish(int s, void *arg) -{ - void *packed; - size_t size; - static nvlist_t *nvl_dev; - - nvl_dev = nvl_device(); - if (nvl_peer != NULL) { - if (!nvlist_exists_binary(nvl_peer, "public-key")) - errx(1, "must specify a public-key for adding peer"); - if (allowed_ips_count != 0) { - nvlist_add_nvlist_array(nvl_peer, "allowed-ips", - (const nvlist_t * const *)allowed_ips, - allowed_ips_count); - for (size_t i = 0; i < allowed_ips_count; i++) { - nvlist_destroy(allowed_ips[i]); - } - - free(allowed_ips); - } - - nvlist_add_nvlist_array(nvl_dev, "peers", - (const nvlist_t * const *)&nvl_peer, 1); - } - - packed = nvlist_pack(nvl_dev, &size); - - if (do_cmd(s, SIOCSWG, packed, size, true)) - errx(1, "failed to configure"); -} - -static -DECL_CMD_FUNC(peerstart, val, d) -{ - - if (nvl_peer != NULL) - errx(1, "cannot both add and remove a peer"); - register_wgfinish(); - nvl_peer = nvlist_create(0); - allowed_ips = calloc(ALLOWEDIPS_START, sizeof(*allowed_ips)); - allowed_ips_max = ALLOWEDIPS_START; - if (allowed_ips == NULL) - errx(1, "failed to allocate array for allowedips"); -} - -static -DECL_CMD_FUNC(peerdel, val, d) -{ - - if (nvl_peer != NULL) - errx(1, "cannot both add and remove a peer"); - register_wgfinish(); - nvl_peer = nvlist_create(0); - nvlist_add_bool(nvl_peer, "remove", true); -} - -static -DECL_CMD_FUNC(setwglistenport, val, d) -{ - struct addrinfo hints, *res; - const struct sockaddr_in *sin; - const struct sockaddr_in6 *sin6; - - u_long ul; - int err; - - bzero(&hints, sizeof(hints)); - hints.ai_family = AF_UNSPEC; - hints.ai_flags = AI_NUMERICHOST; - err = getaddrinfo(NULL, val, &hints, &res); - if (err) - errx(1, "%s", gai_strerror(err)); - - if (res->ai_family == AF_INET) { - sin = (struct sockaddr_in *)res->ai_addr; - ul = sin->sin_port; - } else if (res->ai_family == AF_INET6) { - sin6 = (struct sockaddr_in6 *)res->ai_addr; - ul = sin6->sin6_port; - } else { - errx(1, "unknown family"); - } - ul = ntohs((u_short)ul); - nvlist_add_number(nvl_device(), "listen-port", ul); -} - -static -DECL_CMD_FUNC(setwgprivkey, val, d) -{ - uint8_t key[WG_KEY_SIZE]; - - if (!key_from_base64(key, val)) - errx(1, "invalid key %s", val); - nvlist_add_binary(nvl_device(), "private-key", key, WG_KEY_SIZE); -} - -static -DECL_CMD_FUNC(setwgpubkey, val, d) -{ - uint8_t key[WG_KEY_SIZE]; - - if (nvl_peer == NULL) - errx(1, "setting public key only valid when adding peer"); - - if (!key_from_base64(key, val)) - errx(1, "invalid key %s", val); - nvlist_add_binary(nvl_peer, "public-key", key, WG_KEY_SIZE); -} - -static -DECL_CMD_FUNC(setwgpresharedkey, val, d) -{ - uint8_t key[WG_KEY_SIZE]; - - if (nvl_peer == NULL) - errx(1, "setting preshared-key only valid when adding peer"); - - if (!key_from_base64(key, val)) - errx(1, "invalid key %s", val); - nvlist_add_binary(nvl_peer, "preshared-key", key, WG_KEY_SIZE); -} - - -static -DECL_CMD_FUNC(setwgpersistentkeepalive, val, d) -{ - unsigned long persistent_keepalive; - char *endp; - - if (nvl_peer == NULL) - errx(1, "setting persistent keepalive only valid when adding peer"); - - errno = 0; - persistent_keepalive = strtoul(val, &endp, 0); - if (errno != 0 || *endp != '\0') - errx(1, "persistent-keepalive must be numeric (seconds)"); - if (persistent_keepalive > USHRT_MAX) - errx(1, "persistent-keepalive '%lu' too large", - persistent_keepalive); - nvlist_add_number(nvl_peer, "persistent-keepalive-interval", - persistent_keepalive); -} - -static -DECL_CMD_FUNC(setallowedips, val, d) -{ - char *base, *allowedip, *mask; - u_long ul; - char *endp; - struct allowedip aip; - nvlist_t *nvl_aip; - uint16_t family; - - if (nvl_peer == NULL) - errx(1, "setting allowed ip only valid when adding peer"); - if (allowed_ips_count == allowed_ips_max) { - allowed_ips_max *= 2; - allowed_ips = reallocarray(allowed_ips, allowed_ips_max, - sizeof(*allowed_ips)); - if (allowed_ips == NULL) - errx(1, "failed to grow allowed ip array"); - } - - allowed_ips[allowed_ips_count] = nvl_aip = nvlist_create(0); - if (nvl_aip == NULL) - errx(1, "failed to create new allowedip nvlist"); - - base = allowedip = strdup(val); - mask = index(allowedip, '/'); - if (mask == NULL) - errx(1, "mask separator not found in allowedip %s", val); - *mask = '\0'; - mask++; - - parse_ip(&aip, &family, allowedip); - ul = strtoul(mask, &endp, 0); - if (*endp != '\0') - errx(1, "invalid value for allowedip mask"); - - nvlist_add_number(nvl_aip, "cidr", ul); - if (family == AF_INET) { - nvlist_add_binary(nvl_aip, "ipv4", &aip.ip4, sizeof(aip.ip4)); - } else if (family == AF_INET6) { - nvlist_add_binary(nvl_aip, "ipv6", &aip.ip6, sizeof(aip.ip6)); - } else { - /* Shouldn't happen */ - nvlist_destroy(nvl_aip); - goto out; - } - - allowed_ips_count++; - -out: - free(base); -} - -static -DECL_CMD_FUNC(setendpoint, val, d) -{ - if (nvl_peer == NULL) - errx(1, "setting endpoint only valid when adding peer"); - parse_endpoint(val); -} - -static void -wireguard_status(int s) -{ - size_t size; - void *packed; - nvlist_t *nvl; - char buf[WG_KEY_SIZE_BASE64]; - const void *key; - uint16_t listen_port; - - if (get_nvl_out_size(s, SIOCGWG, &size)) - return; - if ((packed = malloc(size)) == NULL) - return; - if (do_cmd(s, SIOCGWG, packed, size, 0)) - return; - nvl = nvlist_unpack(packed, size, 0); - if (nvlist_exists_number(nvl, "listen-port")) { - listen_port = nvlist_get_number(nvl, "listen-port"); - printf("\tlisten-port: %d\n", listen_port); - } - if (nvlist_exists_binary(nvl, "private-key")) { - key = nvlist_get_binary(nvl, "private-key", &size); - b64_ntop((const uint8_t *)key, size, buf, WG_MAX_STRLEN); - printf("\tprivate-key: %s\n", buf); - } - if (nvlist_exists_binary(nvl, "public-key")) { - key = nvlist_get_binary(nvl, "public-key", &size); - b64_ntop((const uint8_t *)key, size, buf, WG_MAX_STRLEN); - printf("\tpublic-key: %s\n", buf); - } -} - -static struct cmd wireguard_cmds[] = { - DEF_CMD_ARG("listen-port", setwglistenport), - DEF_CMD_ARG("private-key", setwgprivkey), - /* XXX peer-list is deprecated. */ - DEF_CMD("peer-list", 0, peerlist), - DEF_CMD("peers", 0, peerlist), - DEF_CMD("peer", 0, peerstart), - DEF_CMD("-peer", 0, peerdel), - DEF_CMD_ARG("preshared-key", setwgpresharedkey), - DEF_CMD_ARG("public-key", setwgpubkey), - DEF_CMD_ARG("persistent-keepalive", setwgpersistentkeepalive), - DEF_CMD_ARG("allowed-ips", setallowedips), - DEF_CMD_ARG("endpoint", setendpoint), -}; - -static struct afswtch af_wireguard = { - .af_name = "af_wireguard", - .af_af = AF_UNSPEC, - .af_other_status = wireguard_status, -}; - -static void -wg_create(int s, struct ifreq *ifr) -{ - - setproctitle("ifconfig %s create ...\n", name); - - ifr->ifr_data = NULL; - if (ioctl(s, SIOCIFCREATE, ifr) < 0) - err(1, "SIOCIFCREATE"); -} - -static __constructor void -wireguard_ctor(void) -{ - int i; - - for (i = 0; i < nitems(wireguard_cmds); i++) - cmd_register(&wireguard_cmds[i]); - af_register(&af_wireguard); - clone_setdefcallback_prefix("wg", wg_create); -} - -#endif diff --git a/share/man/man4/Makefile b/share/man/man4/Makefile index 54fd89fe7590..c29bb80c7a58 100644 --- a/share/man/man4/Makefile +++ b/share/man/man4/Makefile @@ -585,7 +585,6 @@ MAN= aac.4 \ vtnet.4 \ watchdog.4 \ ${_wbwd.4} \ - wg.4 \ witness.4 \ wlan.4 \ wlan_acl.4 \ @@ -768,7 +767,6 @@ MLINKS+=vr.4 if_vr.4 MLINKS+=vte.4 if_vte.4 MLINKS+=vtnet.4 if_vtnet.4 MLINKS+=watchdog.4 SW_WATCHDOG.4 -MLINKS+=wg.4 if_wg.4 MLINKS+=${_wpi.4} ${_if_wpi.4} MLINKS+=xl.4 if_xl.4 diff --git a/share/man/man4/wg.4 b/share/man/man4/wg.4 deleted file mode 100644 index 29215bd438ff..000000000000 --- a/share/man/man4/wg.4 +++ /dev/null @@ -1,259 +0,0 @@ -.\" Copyright (c) 2020 Gordon Bergling <gbe@FreeBSD.org> -.\" -.\" Redistribution and use in source and binary forms, with or without -.\" modification, are permitted provided that the following conditions -.\" are met: -.\" 1. Redistributions of source code must retain the above copyright -.\" notice, this list of conditions and the following disclaimer. -.\" 2. Redistributions in binary form must reproduce the above copyright -.\" notice, this list of conditions and the following disclaimer in the -.\" documentation and/or other materials provided with the distribution. -.\" -.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND -.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE -.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -.\" SUCH DAMAGE. -.\" -.\" $FreeBSD$ -.\" -.Dd March 12, 2021 -.Dt WG 4 -.Os -.Sh NAME -.Nm wg -.Nd "WireGuard - pseudo-device" -.Sh SYNOPSIS -To load the driver as a module at boot time, place the following line in -.Xr loader.conf 5 : -.Bd -literal -offset indent -if_wg_load="YES" -.Ed -.Sh DESCRIPTION -The -.Nm -driver provides Virtual Private Network (VPN) interfaces for the secure -exchange of layer 3 traffic with other WireGuard peers using the WireGuard -protocol. -.Pp -A -.Nm -interface recognises one or more peers, establishes a secure tunnel with -each on demand, and tracks each peer's UDP endpoint for exchanging encrypted -traffic with. -.Pp -The interfaces can be created at runtime using the -.Ic ifconfig Cm wg Ns Ar N Cm create -command. -The interface itself can be configured with -.Xr ifconfig 8 . -.Pp -The following parameters are available: -.Bl -tag -width indent -.It Cm listen-port -The listing port of the -.Nm -interface. -.It Cm public-key -The public key of the -.Nm -interface. -.It Cm private-key -The private key of the -.Nm -interface. -.It Cm preshared-key -Defines a pre-shared key for the -.Nm -interface. -.It Cm allowed-ips -A list of allowed IP addresses. -.It Cm endpoint -The IP address of the WiredGuard to connect to. -.It Cm peers -A list of peering IP addresses to connect to. -.It Cm persistent-keepalive-interval -Interval, in seconds, at which to send persistent keepalive packets. -.El -.Pp -The -.Nm -interfaces support the following -.Xr ioctl 2 Ns s : -.Bl -tag -width Ds -offset indent -.It Dv SIOCSWG Fa "struct wg_device_io *" -Set the device configuration. -.It Dv SIOCGWG Fa "struct wg_device_io *" -Get the device configuration. -.El -.Pp -The following glossary provides a brief overview of WireGuard -terminology: -.Bl -tag -width indent -offset 3n -.It Peer -Peers exchange IPv4 or IPv6 traffic over secure tunnels. -Each -.Nm -interface may be configured to recognise one or more peers. -.It Key -Each peer uses its private key and corresponding public key to -identify itself to others. -A peer configures a -.Nm -interface with its own private key and with the public keys of its peers. -.It Pre-shared key -In addition to the public keys, each peer pair may be configured with a -unique pre-shared symmetric key. -This is used in their handshake to guard against future compromise of the -peers' encrypted tunnel if a quantum-computational attack on their -Diffie-Hellman exchange becomes feasible. *** 7633 LINES SKIPPED ***
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202103171415.12HEFYAh099753>