From owner-svn-src-head@freebsd.org Tue Dec 1 13:24:21 2020 Return-Path: Delivered-To: svn-src-head@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id 6E9BF4A9938; Tue, 1 Dec 2020 13:24:21 +0000 (UTC) (envelope-from o.hartmann@walstatt.org) Received: from mout.gmx.net (mout.gmx.net [212.227.15.18]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (2048 bits) client-digest SHA256) (Client CN "mout.gmx.net", Issuer "TeleSec ServerPass Class 2 CA" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4CljVr229Vz3nQr; Tue, 1 Dec 2020 13:24:19 +0000 (UTC) (envelope-from o.hartmann@walstatt.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=gmx.net; s=badeba3b8450; t=1606829058; bh=kTA+zHEhpWeY1x/0Yo+mxjg80GSA27GUtenfVG5jA9E=; h=X-UI-Sender-Class:Date:From:To:Cc:Subject:In-Reply-To:References; b=eAeazuF7vEVTfKvtIEqJT7tgrvOe1Hmw0lDzHLVkcGOhttDefs/VPchSjCH//lof5 jx3IM9Hclo11KBukWAZfHkdMjNTZekjUx7bOfKXveIqNjqThuQfq960sckpi576RUi MNvxHKwlF4AGCHwMTrPV7ZYTulv25mRiLevtVJBE= X-UI-Sender-Class: 01bb95c1-4bf8-414a-932a-4f6e2808ef9c Received: from freyja ([46.88.81.135]) by mail.gmx.com (mrgmx004 [212.227.17.190]) with ESMTPSA (Nemesis) id 1MvK4Z-1jtdg01QI5-00rJL3; Tue, 01 Dec 2020 14:24:17 +0100 Date: Tue, 1 Dec 2020 14:24:04 +0100 From: "O. Hartmann" To: Matt Macy Cc: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: Re: svn commit: r368163 - in head: sbin/ifconfig sys/dev/if_wg sys/dev/if_wg/include sys/dev/if_wg/include/crypto sys/dev/if_wg/include/sys sys/dev/if_wg/include/zinc sys/dev/if_wg/module sys/dev/if_wg... Message-ID: <20201201142358.57225902@freyja> In-Reply-To: <202011291938.0ATJc4Z3081193@repo.freebsd.org> References: <202011291938.0ATJc4Z3081193@repo.freebsd.org> MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: quoted-printable X-Provags-ID: V03:K1:JA+MlFen6J67gBDSDYTzJNHrUdphU1Cep+O+gTDt8EHg6ldZ/mc unL8ZYp1sKU2UvvNYkz6vbe6tFN+33bUAa1ugh5Ctw0nQgU+e658jjYW0Tyk53T1YH1qdCk TqdV6x6BdrTXVkkcmzExNLTlLPI6z7AzP0Po3NR0jq2hn8c5rLHx+sQJTNsHowJyt84g11H Aep+wmhYSAt/DE8pONTpw== X-Spam-Flag: NO X-UI-Out-Filterresults: notjunk:1;V03:K0:w0in/OfTLW8=:6WyBDZhjMM29B9HLg7R8XC ixLPmJJWPS8VKH6At8jsODXAQh4zNqFhqRmxhA35yqZbMW5/KX1UTxyz8foSrk5+FsHH6t1Tg y3nuRCifzRDk+giGDWWEexuYxWNW8115+zjIlpE3M/68BSf4ieBNOKPQT4rZ3iv+pF1D4x/uh j3aRuiZh2/fWnE4IJhl0MOhABV0aWhIuNX1LeLDtOYV4JRfb50TkgfJ7O3vM2qFSlgpJ7Gspz HpVD7X0JCp8umSf5P0XQwoRz4z0NEF6+d29j9omC5P28h0+h+hCeN7pP4LfCuf4IzM/g/Vazi bPbTz3lmmIQetRWjNrnwXKAWxrxyKtVzdD4ITxgBCDz9DE5H73oK0IhgaXKCWJYW+v/vKNEMW mywa5bT7EKYBSeo6CqDQwobIr9uDbsyHb3q/3r9e0WBcbmaAgIqPIZ6xTz9DLyEWZ5HhkhG0T OtXPs1oTI82r3+NA3k1hq/ET9IpVKI+MC9X4xK5e6ctZMzxHsVA+zM6zgjvFX28NG0xRq0XvU 1U1bdl19FWXSmScUDAAl6+qlcOFXYCS5tOW+REzGVKWSPfouljw0GWq8CN13Vy6Sr2SOvA4+4 9pvFualQJpJ9o7lKizUuKj8V9/XNY2hXI897/nEMBUUlXynhqbxtDBmcKsv7iWlVK1fYjgxJh oc1cdvDK00/oXvf2jmBe8NTTqRzWxEaFQ37XKeMsMeryIpdVKTZKNfwd5s3om6T37S9Q+eswn HU6edMf4H8b/Ngz+53AbxnMefrfF43uqK7jtridBfyf34vqVVP0onb2CesGkwU3/q+x9Lv/Hw 3IFEYioUaSCMtZ2zUG35VIW3wqu56DuVeSj1sguPcCthlOoVbZ72dM/uFup4h0sygJhNa4UHM D3JIrVe/b6MAstFmhQjw== X-Rspamd-Queue-Id: 4CljVr229Vz3nQr X-Spamd-Bar: -- Authentication-Results: mx1.freebsd.org; dkim=pass header.d=gmx.net header.s=badeba3b8450 header.b=eAeazuF7; dmarc=none; spf=none (mx1.freebsd.org: domain of o.hartmann@walstatt.org has no SPF policy when checking 212.227.15.18) smtp.mailfrom=o.hartmann@walstatt.org X-Spamd-Result: default: False [-2.90 / 15.00]; RCVD_VIA_SMTP_AUTH(0.00)[]; TO_DN_SOME(0.00)[]; DKIM_TRACE(0.00)[gmx.net:+]; NEURAL_HAM_SHORT(-1.00)[-1.000]; RCVD_IN_DNSWL_LOW(-0.10)[212.227.15.18:from]; FROM_EQ_ENVFROM(0.00)[]; RBL_DBL_DONT_QUERY_IPS(0.00)[212.227.15.18:from]; RECEIVED_SPAMHAUS_PBL(0.00)[46.88.81.135:received]; MIME_TRACE(0.00)[0:+]; ASN(0.00)[asn:8560, ipnet:212.227.0.0/16, country:DE]; ARC_NA(0.00)[]; NEURAL_HAM_MEDIUM(-1.00)[-1.000]; R_DKIM_ALLOW(-0.20)[gmx.net:s=badeba3b8450]; FROM_HAS_DN(0.00)[]; RCPT_COUNT_THREE(0.00)[4]; TO_MATCH_ENVRCPT_ALL(0.00)[]; NEURAL_HAM_LONG(-1.00)[-1.000]; MIME_GOOD(-0.10)[text/plain]; DMARC_NA(0.00)[walstatt.org]; SPAMHAUS_ZRD(0.00)[212.227.15.18:from:127.0.2.255]; R_SPF_NA(0.00)[no SPF record]; RWL_MAILSPIKE_POSSIBLE(0.00)[212.227.15.18:from]; MID_RHS_NOT_FQDN(0.50)[]; RCVD_COUNT_TWO(0.00)[2]; RCVD_TLS_ALL(0.00)[]; MAILMAN_DEST(0.00)[svn-src-all,svn-src-head] X-BeenThere: svn-src-head@freebsd.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: SVN commit messages for the src tree for head/-current List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 01 Dec 2020 13:24:21 -0000 On Sun, 29 Nov 2020 19:38:04 +0000 (UTC) Matt Macy wrote: > Author: mmacy > Date: Sun Nov 29 19:38:03 2020 > New Revision: 368163 > URL: https://svnweb.freebsd.org/changeset/base/368163 > > Log: > Import kernel WireGuard support > > Data path largely shared with the OpenBSD implementation by > Matt Dunwoodie > > Reviewed by: grehan@freebsd.org > MFC after: 1 month > Sponsored by: Rubicon LLC, (Netgate) > Differential Revision: https://reviews.freebsd.org/D26137 > > Added: > head/sbin/ifconfig/ifwg.c (contents, props changed) > head/sys/dev/if_wg/ > head/sys/dev/if_wg/include/ > head/sys/dev/if_wg/include/crypto/blake2s.h (contents, props changed= ) > head/sys/dev/if_wg/include/crypto/curve25519.h (contents, props chan= ged) > head/sys/dev/if_wg/include/crypto/zinc.h (contents, props changed) > head/sys/dev/if_wg/include/sys/ > head/sys/dev/if_wg/include/sys/if_wg_session.h (contents, props chan= ged) > head/sys/dev/if_wg/include/sys/if_wg_session_vars.h (contents, props > changed) head/sys/dev/if_wg/include/sys/simd-x86_64.h (contents, props > changed) head/sys/dev/if_wg/include/sys/support.h (contents, props cha= nged) > head/sys/dev/if_wg/include/sys/wg_cookie.h (contents, props changed) > head/sys/dev/if_wg/include/sys/wg_module.h (contents, props changed) > head/sys/dev/if_wg/include/sys/wg_noise.h (contents, props changed) > head/sys/dev/if_wg/include/zinc/blake2s.h (contents, props changed) > head/sys/dev/if_wg/include/zinc/chacha20.h (contents, props changed) > head/sys/dev/if_wg/include/zinc/chacha20poly1305.h (contents, props > changed) head/sys/dev/if_wg/include/zinc/curve25519.h (contents, props > changed) head/sys/dev/if_wg/include/zinc/poly1305.h (contents, props > changed) head/sys/dev/if_wg/module/ > head/sys/dev/if_wg/module/blake2s.c (contents, props changed) > head/sys/dev/if_wg/module/blake2s.h (contents, props changed) > head/sys/dev/if_wg/module/chacha20-x86_64.S (contents, props changed= ) > head/sys/dev/if_wg/module/crypto/zinc/chacha20/chacha20-arm-glue.c > (contents, props changed) > head/sys/dev/if_wg/module/crypto/zinc/chacha20/chacha20-arm.pl (conten= ts, > props changed) > head/sys/dev/if_wg/module/crypto/zinc/chacha20/chacha20-arm64.pl (cont= ents, > props changed) > head/sys/dev/if_wg/module/crypto/zinc/chacha20/chacha20-mips-glue.c > (contents, props changed) > head/sys/dev/if_wg/module/crypto/zinc/chacha20/chacha20-mips.S (conten= ts, > props changed) > head/sys/dev/if_wg/module/crypto/zinc/chacha20/chacha20-unrolled-arm.S > (contents, props changed) > head/sys/dev/if_wg/module/crypto/zinc/chacha20/chacha20-x86_64-glue.c > (contents, props changed) > head/sys/dev/if_wg/module/crypto/zinc/chacha20/chacha20-x86_64.pl > (contents, props changed) > head/sys/dev/if_wg/module/crypto/zinc/chacha20/chacha20.c (contents, p= rops > changed) head/sys/dev/if_wg/module/crypto/zinc/chacha20poly1305.c > (contents, props changed) > head/sys/dev/if_wg/module/crypto/zinc/poly1305/poly1305-arm-glue.c > (contents, props changed) > head/sys/dev/if_wg/module/crypto/zinc/poly1305/poly1305-arm.pl (conten= ts, > props changed) > head/sys/dev/if_wg/module/crypto/zinc/poly1305/poly1305-arm64.pl (cont= ents, > props changed) > head/sys/dev/if_wg/module/crypto/zinc/poly1305/poly1305-donna32.c > (contents, props changed) > head/sys/dev/if_wg/module/crypto/zinc/poly1305/poly1305-donna64.c > (contents, props changed) > head/sys/dev/if_wg/module/crypto/zinc/poly1305/poly1305-mips-glue.c > (contents, props changed) > head/sys/dev/if_wg/module/crypto/zinc/poly1305/poly1305-mips.S (conten= ts, > props changed) > head/sys/dev/if_wg/module/crypto/zinc/poly1305/poly1305-mips64.pl > (contents, props changed) > head/sys/dev/if_wg/module/crypto/zinc/poly1305/poly1305-x86_64-glue.c > (contents, props changed) > head/sys/dev/if_wg/module/crypto/zinc/poly1305/poly1305-x86_64.pl > (contents, props changed) > head/sys/dev/if_wg/module/crypto/zinc/poly1305/poly1305.c (contents, p= rops > changed) head/sys/dev/if_wg/module/crypto/zinc/selftest/blake2s.c > (contents, props changed) > head/sys/dev/if_wg/module/crypto/zinc/selftest/chacha20.c (contents, p= rops > changed) head/sys/dev/if_wg/module/crypto/zinc/selftest/chacha20poly1305= .c > (contents, props changed) > head/sys/dev/if_wg/module/crypto/zinc/selftest/curve25519.c (contents, > props changed) head/sys/dev/if_wg/module/crypto/zinc/selftest/poly1305.c > (contents, props changed) > head/sys/dev/if_wg/module/crypto/zinc/selftest/run.h (contents, props > changed) head/sys/dev/if_wg/module/curve25519.c (contents, props chang= ed) > head/sys/dev/if_wg/module/if_wg_session.c (contents, props changed) > head/sys/dev/if_wg/module/module.c (contents, props changed) > head/sys/dev/if_wg/module/poly1305-x86_64.S (contents, props changed) > head/sys/dev/if_wg/module/wg_cookie.c (contents, props changed) > head/sys/dev/if_wg/module/wg_noise.c (contents, props changed) > head/sys/modules/if_wg/ head/sys/modules/if_wg/Makefile (contents, pro= ps > changed) Directory Properties: head/sys/dev/if_wg/include/crypto/ (pro= ps > changed) head/sys/dev/if_wg/include/zinc/ (props changed) > head/sys/dev/if_wg/module/crypto/ (props changed) > head/sys/dev/if_wg/module/crypto/zinc/ (props changed) > head/sys/dev/if_wg/module/crypto/zinc/chacha20/ (props changed) > head/sys/dev/if_wg/module/crypto/zinc/poly1305/ (props changed) > head/sys/dev/if_wg/module/crypto/zinc/selftest/ (props changed) Modifi= ed: > head/sbin/ifconfig/Makefile head/sys/kern/subr_gtaskqueue.c > head/sys/modules/Makefile head/sys/net/iflib_clone.c head/sys/sys/gtaskq= ueue.h > > Modified: head/sbin/ifconfig/Makefile > =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D > --- head/sbin/ifconfig/Makefile Sun Nov 29 19:06:32 2020 > (r368162) +++ head/sbin/ifconfig/Makefile Sun Nov 29 19:38:03 > 2020 (r368163) @@ -35,6 +35,7 @@ SRCS+=3D ifvxlan.c > # VXLAN support SRCS+=3D ifgre.c # GRE > keys etc SRCS+=3D ifgif.c # GIF reversed header > workaround SRCS+=3D ifipsec.c # IPsec VTI > +SRCS+=3D ifwg.c # Wireguard > > SRCS+=3D sfp.c # SFP/SFP+ information > LIBADD+=3D ifconfig m util > @@ -68,6 +69,7 @@ CFLAGS+=3D -DINET > CFLAGS+=3D -DJAIL > LIBADD+=3D jail > .endif > +LIBADD+=3D nv > > MAN=3D ifconfig.8 > > > Added: head/sbin/ifconfig/ifwg.c > =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D > --- /dev/null 00:00:00 1970 (empty, because file is newly added) > +++ head/sbin/ifconfig/ifwg.c Sun Nov 29 19:38:03 2020 (r368163) > @@ -0,0 +1,618 @@ > +/*- > + * SPDX-License-Identifier: BSD-2-Clause > + * > + * Copyright (c) 2020 Rubicon Communications, LLC (Netgate) > + * > + * Redistribution and use in source and binary forms, with or without > + * modification, are permitted provided that the following conditions > + * are met: > + * 1. Redistributions of source code must retain the above copyright > + * notice, this list of conditions and the following disclaimer. > + * 2. Redistributions in binary form must reproduce the above copyrig= ht > + * notice, this list of conditions and the following disclaimer in= the > + * documentation and/or other materials provided with the distribu= tion. > + * > + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' A= ND > + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, TH= E > + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR P= URPOSE > + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIA= BLE > + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQU= ENTIAL > + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GO= ODS > + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION= ) > + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, = STRICT > + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN AN= Y WAY > + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY = OF > + * SUCH DAMAGE. > + */ > + > +#include > +__FBSDID("$FreeBSD$"); > + > +#ifndef RESCUE > +#include > +#include > +#include > +#include > +#include > +#include > + > +#include > +#include > +#include > +#include > +#include > +#include > + > +#include > +#include > + > +#include > +#include > +#include > +#include > +#include > +#include > +#include > +#include > +#include > +#include > +#include > +#include > +#include /* NB: for offsetof */ > +#include > +#include > +#include > + > +#include "ifconfig.h" > + > +typedef enum { > + WGC_GET =3D 0x5, > + WGC_SET =3D 0x6, > +} wg_cmd_t; > + > +static nvlist_t *nvl_params; > +static bool do_peer; > +static int allowed_ips_count; > +static int allowed_ips_max; > +struct allowedip { > + struct sockaddr_storage a_addr; > + struct sockaddr_storage a_mask; > +}; > +struct allowedip *allowed_ips; > + > +#define ALLOWEDIPS_START 16 > +#define WG_KEY_LEN 32 > +#define WG_KEY_LEN_BASE64 ((((WG_KEY_LEN) + 2) / 3) * 4 + 1) > +#define WG_KEY_LEN_HEX (WG_KEY_LEN * 2 + 1) > +#define WG_MAX_STRLEN 64 > + > +static bool > +key_from_base64(uint8_t key[static WG_KEY_LEN], const char *base64) > +{ > + > + if (strlen(base64) !=3D WG_KEY_LEN_BASE64 - 1) { > + warnx("bad key len - need %d got %zu\n", WG_KEY_LEN_BASE64 - > 1, strlen(base64)); > + return false; > + } > + if (base64[WG_KEY_LEN_BASE64 - 2] !=3D '=3D') { > + warnx("bad key terminator, expected '=3D' got '%c'", > base64[WG_KEY_LEN_BASE64 - 2]); > + return false; > + } > + return (b64_pton(base64, key, WG_KEY_LEN)); > +} > + > +static void > +parse_endpoint(const char *endpoint_) > +{ > + int err; > + char *base, *endpoint, *port, *colon, *tmp; > + struct addrinfo hints, *res; > + > + endpoint =3D base =3D strdup(endpoint_); > + colon =3D rindex(endpoint, ':'); > + if (colon =3D=3D NULL) > + errx(1, "bad endpoint format %s - no port delimiter found", > endpoint); > + *colon =3D '\0'; > + port =3D colon + 1; > + > + /* [::]:<> */ > + if (endpoint[0] =3D=3D '[') { > + endpoint++; > + tmp =3D index(endpoint, ']'); > + if (tmp =3D=3D NULL) > + errx(1, "bad endpoint format %s - '[' found with no > matching ']'", endpoint); > + *tmp =3D '\0'; > + } > + bzero(&hints, sizeof(hints)); > + hints.ai_family =3D AF_UNSPEC; > + err =3D getaddrinfo(endpoint, port, &hints, &res); > + if (err) > + errx(1, "%s", gai_strerror(err)); > + nvlist_add_binary(nvl_params, "endpoint", res->ai_addr, > res->ai_addrlen); > + freeaddrinfo(res); > + free(base); > +} > + > +static void > +in_len2mask(struct in_addr *mask, u_int len) > +{ > + u_int i; > + u_char *p; > + > + p =3D (u_char *)mask; > + memset(mask, 0, sizeof(*mask)); > + for (i =3D 0; i < len / NBBY; i++) > + p[i] =3D 0xff; > + if (len % NBBY) > + p[i] =3D (0xff00 >> (len % NBBY)) & 0xff; > +} > + > +static u_int > +in_mask2len(struct in_addr *mask) > +{ > + u_int x, y; > + u_char *p; > + > + p =3D (u_char *)mask; > + for (x =3D 0; x < sizeof(*mask); x++) { > + if (p[x] !=3D 0xff) > + break; > + } > + y =3D 0; > + if (x < sizeof(*mask)) { > + for (y =3D 0; y < NBBY; y++) { > + if ((p[x] & (0x80 >> y)) =3D=3D 0) > + break; > + } > + } > + return x * NBBY + y; > +} > + > +static void > +in6_prefixlen2mask(struct in6_addr *maskp, int len) > +{ > + static const u_char maskarray[NBBY] =3D {0x80, 0xc0, 0xe0, 0xf0, 0xf8, > 0xfc, 0xfe, 0xff}; > + int bytelen, bitlen, i; > + > + /* sanity check */ > + if (len < 0 || len > 128) { > + errx(1, "in6_prefixlen2mask: invalid prefix length(%d)\n", > + len); > + return; > + } > + > + memset(maskp, 0, sizeof(*maskp)); > + bytelen =3D len / NBBY; > + bitlen =3D len % NBBY; > + for (i =3D 0; i < bytelen; i++) > + maskp->s6_addr[i] =3D 0xff; > + if (bitlen) > + maskp->s6_addr[bytelen] =3D maskarray[bitlen - 1]; > +} > + > +static int > +in6_mask2len(struct in6_addr *mask, u_char *lim0) > +{ > + int x =3D 0, y; > + u_char *lim =3D lim0, *p; > + > + /* ignore the scope_id part */ > + if (lim0 =3D=3D NULL || lim0 - (u_char *)mask > sizeof(*mask)) > + lim =3D (u_char *)mask + sizeof(*mask); > + for (p =3D (u_char *)mask; p < lim; x++, p++) { > + if (*p !=3D 0xff) > + break; > + } > + y =3D 0; > + if (p < lim) { > + for (y =3D 0; y < NBBY; y++) { > + if ((*p & (0x80 >> y)) =3D=3D 0) > + break; > + } > + } > + > + /* > + * when the limit pointer is given, do a stricter check on the > + * remaining bits. > + */ > + if (p < lim) { > + if (y !=3D 0 && (*p & (0x00ff >> y)) !=3D 0) > + return -1; > + for (p =3D p + 1; p < lim; p++) > + if (*p !=3D 0) > + return -1; > + } > + > + return x * NBBY + y; > +} > + > +static bool > +parse_ip(struct allowedip *aip, const char *value) > +{ > + struct addrinfo hints, *res; > + int err; > + > + bzero(&aip->a_addr, sizeof(aip->a_addr)); > + bzero(&hints, sizeof(hints)); > + hints.ai_family =3D AF_UNSPEC; > + hints.ai_flags =3D AI_NUMERICHOST; > + err =3D getaddrinfo(value, NULL, &hints, &res); > + if (err) > + errx(1, "%s", gai_strerror(err)); > + > + memcpy(&aip->a_addr, res->ai_addr, res->ai_addrlen); > + > + freeaddrinfo(res); > + return (true); > +} > + > +static void > +sa_ntop(const struct sockaddr *sa, char *buf, int *port) > +{ > + const struct sockaddr_in *sin; > + const struct sockaddr_in6 *sin6; > + int err; > + > + err =3D getnameinfo(sa, sa->sa_len, buf, INET6_ADDRSTRLEN, NULL, > + 0, NI_NUMERICHOST); > + > + if (sa->sa_family =3D=3D AF_INET) { > + sin =3D (const struct sockaddr_in *)sa; > + if (port) > + *port =3D sin->sin_port; > + } else if (sa->sa_family =3D=3D AF_INET6) { > + sin6 =3D (const struct sockaddr_in6 *)sa; > + if (port) > + *port =3D sin6->sin6_port; > + } > + > + if (err) > + errx(1, "%s", gai_strerror(err)); > +} > + > +static void > +dump_peer(const nvlist_t *nvl_peer) > +{ > + const void *key; > + const struct allowedip *aips; > + const struct sockaddr *endpoint; > + char outbuf[WG_MAX_STRLEN]; > + char addr_buf[INET6_ADDRSTRLEN]; > + size_t size; > + int count, port; > + > + printf("[Peer]\n"); > + if (nvlist_exists_binary(nvl_peer, "public-key")) { > + key =3D nvlist_get_binary(nvl_peer, "public-key", &size); > + b64_ntop((const uint8_t *)key, size, outbuf, WG_MAX_STRLEN); > + printf("PublicKey =3D %s\n", outbuf); > + } > + if (nvlist_exists_binary(nvl_peer, "endpoint")) { > + endpoint =3D nvlist_get_binary(nvl_peer, "endpoint", &size); > + sa_ntop(endpoint, addr_buf, &port); > + printf("Endpoint =3D %s:%d\n", addr_buf, ntohs(port)); > + } > + > + if (!nvlist_exists_binary(nvl_peer, "allowed-ips")) > + return; > + aips =3D nvlist_get_binary(nvl_peer, "allowed-ips", &size); > + if (size =3D=3D 0 || size % sizeof(struct allowedip) !=3D 0) { > + errx(1, "size %zu not integer multiple of allowedip", size); > + } > + printf("AllowedIPs =3D "); > + count =3D size / sizeof(struct allowedip); > + for (int i =3D 0; i < count; i++) { > + int mask; > + sa_family_t family; > + void *bitmask; > + struct sockaddr *sa; > + > + sa =3D __DECONST(void *, &aips[i].a_addr); > + bitmask =3D __DECONST(void *, > + ((const struct sockaddr *)&aips->a_mask)->sa_data); > + family =3D aips[i].a_addr.ss_family; > + getnameinfo(sa, sa->sa_len, addr_buf, INET6_ADDRSTRLEN, NULL, > + 0, NI_NUMERICHOST); > + if (family =3D=3D AF_INET) > + mask =3D in_mask2len(bitmask); > + else if (family =3D=3D AF_INET6) > + mask =3D in6_mask2len(bitmask, NULL); > + else > + errx(1, "bad family in peer %d\n", family); > + printf("%s/%d", addr_buf, mask); > + if (i < count -1) > + printf(", "); > + } > + printf("\n"); > +} > + > +static int > +get_nvl_out_size(int sock, u_long op, size_t *size) > +{ > + struct ifdrv ifd; > + int err; > + > + memset(&ifd, 0, sizeof(ifd)); > + > + strlcpy(ifd.ifd_name, name, sizeof(ifd.ifd_name)); > + ifd.ifd_cmd =3D op; > + ifd.ifd_len =3D 0; > + ifd.ifd_data =3D NULL; > + > + err =3D ioctl(sock, SIOCGDRVSPEC, &ifd); > + if (err) > + return (err); > + *size =3D ifd.ifd_len; > + return (0); > +} > + > +static int > +do_cmd(int sock, u_long op, void *arg, size_t argsize, int set) > +{ > + struct ifdrv ifd; > + > + memset(&ifd, 0, sizeof(ifd)); > + > + strlcpy(ifd.ifd_name, name, sizeof(ifd.ifd_name)); > + ifd.ifd_cmd =3D op; > + ifd.ifd_len =3D argsize; > + ifd.ifd_data =3D arg; > + > + return (ioctl(sock, set ? SIOCSDRVSPEC : SIOCGDRVSPEC, &ifd)); > +} > + > +static > +DECL_CMD_FUNC(peerlist, val, d) > +{ > + size_t size, peercount; > + void *packed; > + const nvlist_t *nvl, *nvl_peer; > + const nvlist_t *const *nvl_peerlist; > + > + if (get_nvl_out_size(s, WGC_GET, &size)) > + errx(1, "can't get peer list size"); > + if ((packed =3D malloc(size)) =3D=3D NULL) > + errx(1, "malloc failed for peer list"); > + if (do_cmd(s, WGC_GET, packed, size, 0)) > + errx(1, "failed to obtain peer list"); > + > + nvl =3D nvlist_unpack(packed, size, 0); > + if (!nvlist_exists_nvlist_array(nvl, "peer-list")) > + return; > + nvl_peerlist =3D nvlist_get_nvlist_array(nvl, "peer-list", &peercount)= ; > + > + for (int i =3D 0; i < peercount; i++, nvl_peerlist++) { > + nvl_peer =3D *nvl_peerlist; > + dump_peer(nvl_peer); > + } > +} > + > +static void > +peerfinish(int s, void *arg) > +{ > + nvlist_t *nvl, **nvl_array; > + void *packed; > + size_t size; > + > + if ((nvl =3D nvlist_create(0)) =3D=3D NULL) > + errx(1, "failed to allocate nvlist"); > + if ((nvl_array =3D calloc(sizeof(void *), 1)) =3D=3D NULL) > + errx(1, "failed to allocate nvl_array"); > + if (!nvlist_exists_binary(nvl_params, "public-key")) > + errx(1, "must specify a public-key for adding peer"); > + if (!nvlist_exists_binary(nvl_params, "endpoint")) > + errx(1, "must specify an endpoint for adding peer"); > + if (allowed_ips_count =3D=3D 0) > + errx(1, "must specify at least one range of allowed-ips to > add a peer"); + > + nvl_array[0] =3D nvl_params; > + nvlist_add_nvlist_array(nvl, "peer-list", (const nvlist_t * const > *)nvl_array, 1); > + packed =3D nvlist_pack(nvl, &size); > + > + if (do_cmd(s, WGC_SET, packed, size, true)) > + errx(1, "failed to install peer"); > +} > + > +static > +DECL_CMD_FUNC(peerstart, val, d) > +{ > + do_peer =3D true; > + callback_register(peerfinish, NULL); > + allowed_ips =3D malloc(ALLOWEDIPS_START * sizeof(struct allowedip)); > + allowed_ips_max =3D ALLOWEDIPS_START; > + if (allowed_ips =3D=3D NULL) > + errx(1, "failed to allocate array for allowedips"); > +} > + > +static > +DECL_CMD_FUNC(setwglistenport, val, d) > +{ > + struct addrinfo hints, *res; > + const struct sockaddr_in *sin; > + const struct sockaddr_in6 *sin6; > + > + u_long ul; > + int err; > + > + bzero(&hints, sizeof(hints)); > + hints.ai_family =3D AF_UNSPEC; > + hints.ai_flags =3D AI_NUMERICHOST; > + err =3D getaddrinfo(NULL, val, &hints, &res); > + if (err) > + errx(1, "%s", gai_strerror(err)); > + > + if (res->ai_family =3D=3D AF_INET) { > + sin =3D (struct sockaddr_in *)res->ai_addr; > + ul =3D sin->sin_port; > + } else if (res->ai_family =3D=3D AF_INET6) { > + sin6 =3D (struct sockaddr_in6 *)res->ai_addr; > + ul =3D sin6->sin6_port; > + } else { > + errx(1, "unknown family"); > + } > + ul =3D ntohs((u_short)ul); > + nvlist_add_number(nvl_params, "listen-port", ul); > +} > + > +static > +DECL_CMD_FUNC(setwgprivkey, val, d) > +{ > + uint8_t key[WG_KEY_LEN]; > + > + if (!key_from_base64(key, val)) > + errx(1, "invalid key %s", val); > + nvlist_add_binary(nvl_params, "private-key", key, WG_KEY_LEN); > +} > + > +static > +DECL_CMD_FUNC(setwgpubkey, val, d) > +{ > + uint8_t key[WG_KEY_LEN]; > + > + if (!do_peer) > + errx(1, "setting public key only valid when adding peer"); > + > + if (!key_from_base64(key, val)) > + errx(1, "invalid key %s", val); > + nvlist_add_binary(nvl_params, "public-key", key, WG_KEY_LEN); > +} > + > +static > +DECL_CMD_FUNC(setallowedips, val, d) > +{ > + char *base, *allowedip, *mask; > + u_long ul; > + char *endp; > + struct allowedip *aip; > + > + if (!do_peer) > + errx(1, "setting allowed ip only valid when adding peer"); > + if (allowed_ips_count =3D=3D allowed_ips_max) { > + /* XXX grow array */ > + } > + aip =3D &allowed_ips[allowed_ips_count]; > + base =3D allowedip =3D strdup(val); > + mask =3D index(allowedip, '/'); > + if (mask =3D=3D NULL) > + errx(1, "mask separator not found in allowedip %s", val); > + *mask =3D '\0'; > + mask++; > + parse_ip(aip, allowedip); > + ul =3D strtoul(mask, &endp, 0); > + if (*endp !=3D '\0') > + errx(1, "invalid value for allowedip mask"); > + bzero(&aip->a_mask, sizeof(aip->a_mask)); > + if (aip->a_addr.ss_family =3D=3D AF_INET) > + in_len2mask((struct in_addr *)&((struct sockaddr > *)&aip->a_mask)->sa_data, ul); > + else if (aip->a_addr.ss_family =3D=3D AF_INET6) > + in6_prefixlen2mask((struct in6_addr *)&((struct sockaddr > *)&aip->a_mask)->sa_data, ul); > + else > + errx(1, "invalid address family %d\n", > aip->a_addr.ss_family); > + allowed_ips_count++; > + if (allowed_ips_count > 1) > + nvlist_free_binary(nvl_params, "allowed-ips"); > + nvlist_add_binary(nvl_params, "allowed-ips", allowed_ips, > + allowed_ips_count*sizeof(*aip)); > + > + dump_peer(nvl_params); > + free(base); > +} > + > +static > +DECL_CMD_FUNC(setendpoint, val, d) > +{ > + if (!do_peer) > + errx(1, "setting endpoint only valid when adding peer"); > + parse_endpoint(val); > +} > + > +static void > +wireguard_status(int s) > +{ > + size_t size; > + void *packed; > + nvlist_t *nvl; > + char buf[WG_KEY_LEN_BASE64]; > + const void *key; > + uint16_t listen_port; > + > + if (get_nvl_out_size(s, WGC_GET, &size)) > + return; > + if ((packed =3D malloc(size)) =3D=3D NULL) > + return; > + if (do_cmd(s, WGC_GET, packed, size, 0)) > + return; > + nvl =3D nvlist_unpack(packed, size, 0); > + if (nvlist_exists_number(nvl, "listen-port")) { > + listen_port =3D nvlist_get_number(nvl, "listen-port"); > + printf("\tlisten-port: %d\n", listen_port); > + } > + if (nvlist_exists_binary(nvl, "private-key")) { > + key =3D nvlist_get_binary(nvl, "private-key", &size); > + b64_ntop((const uint8_t *)key, size, buf, WG_MAX_STRLEN); > + printf("\tprivate-key: %s\n", buf); > + } > + if (nvlist_exists_binary(nvl, "public-key")) { > + key =3D nvlist_get_binary(nvl, "public-key", &size); > + b64_ntop((const uint8_t *)key, size, buf, WG_MAX_STRLEN); > + printf("\tpublic-key: %s\n", buf); > + } > +} > + > +static struct cmd wireguard_cmds[] =3D { > + DEF_CLONE_CMD_ARG("listen-port", setwglistenport), > + DEF_CLONE_CMD_ARG("private-key", setwgprivkey), > + DEF_CMD("peer-list", 0, peerlist), > + DEF_CMD("peer", 0, peerstart), > + DEF_CMD_ARG("public-key", setwgpubkey), > + DEF_CMD_ARG("allowed-ips", setallowedips), > + DEF_CMD_ARG("endpoint", setendpoint), > +}; > + > +static struct afswtch af_wireguard =3D { > + .af_name =3D "af_wireguard", > + .af_af =3D AF_UNSPEC, > + .af_other_status =3D wireguard_status, > +}; > + > +static void > +wg_create(int s, struct ifreq *ifr) > +{ > + struct iovec iov; > + void *packed; > + size_t size; > + > + setproctitle("ifconfig %s create ...\n", name); > + if (!nvlist_exists_number(nvl_params, "listen-port")) > + goto legacy; > + if (!nvlist_exists_binary(nvl_params, "private-key")) > + goto legacy; > + > + packed =3D nvlist_pack(nvl_params, &size); > + if (packed =3D=3D NULL) > + errx(1, "failed to setup create request"); > + iov.iov_len =3D size; > + iov.iov_base =3D packed; > + ifr->ifr_data =3D (caddr_t)&iov; > + if (ioctl(s, SIOCIFCREATE2, ifr) < 0) > + err(1, "SIOCIFCREATE2"); > + return; > +legacy: > + ifr->ifr_data =3D=3D NULL; > + if (ioctl(s, SIOCIFCREATE, ifr) < 0) > + err(1, "SIOCIFCREATE"); > +} > + > +static __constructor void > +wireguard_ctor(void) > +{ > + int i; > + > + nvl_params =3D nvlist_create(0); > + for (i =3D 0; i < nitems(wireguard_cmds); i++) > + cmd_register(&wireguard_cmds[i]); > + af_register(&af_wireguard); > + clone_setdefcallback_prefix("wg", wg_create); > +} > + > +#endif > > Added: head/sys/dev/if_wg/include/crypto/blake2s.h > =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D > --- /dev/null 00:00:00 1970 (empty, because file is newly added) > +++ head/sys/dev/if_wg/include/crypto/blake2s.h Sun Nov 29 19:38:03 > 2020 (r368163) @@ -0,0 +1,56 @@ > +/* SPDX-License-Identifier: GPL-2.0 OR MIT */ > +/* > + * Copyright (C) 2015-2019 Jason A. Donenfeld . All Ri= ghts > Reserved. > + */ > + > +#include > + > +#ifndef _BLAKE2S_H_ > +#define _BLAKE2S_H_ > + > + > +enum blake2s_lengths { > + BLAKE2S_BLOCK_SIZE =3D 64, > + BLAKE2S_HASH_SIZE =3D 32, > + BLAKE2S_KEY_SIZE =3D 32 > +}; > + > +struct blake2s_state { > + uint32_t h[8]; > + uint32_t t[2]; > + uint32_t f[2]; > + uint8_t buf[BLAKE2S_BLOCK_SIZE]; > + size_t buflen; > + uint8_t last_node; > +}; > + > +void blake2s_init(struct blake2s_state *state, const size_t outlen); > +void blake2s_init_key(struct blake2s_state *state, const size_t outlen, > + const void *key, const size_t keylen); > +void blake2s_update(struct blake2s_state *state, const uint8_t *in, siz= e_t > inlen); +void blake2s_final(struct blake2s_state *state, uint8_t *out, c= onst > size_t outlen); + > +static inline void blake2s(uint8_t *out, const uint8_t *in, const uint8= _t > *key, > + const size_t outlen, const size_t inlen, > + const size_t keylen) > +{ > + struct blake2s_state state; > +#ifdef __linux___ > + WARN_ON(IS_ENABLED(DEBUG) && ((!in && inlen > 0) || !out || !outlen > || > + outlen > BLAKE2S_HASH_SIZE || keylen > BLAKE2S_KEY_SIZE || > + (!key && keylen))); > +#endif > + > + if (keylen) > + blake2s_init_key(&state, outlen, key, keylen); > + else > + blake2s_init(&state, outlen); > + > + blake2s_update(&state, in, inlen); > + blake2s_final(&state, out, outlen); > +} > + > +void blake2s_hmac(uint8_t *out, const uint8_t *in, const uint8_t *key, > + const size_t outlen, const size_t inlen, const size_t > keylen); + > +#endif /* _BLAKE2S_H_ */ > > Added: head/sys/dev/if_wg/include/crypto/curve25519.h > =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D > --- /dev/null 00:00:00 1970 (empty, because file is newly added) > +++ head/sys/dev/if_wg/include/crypto/curve25519.h Sun Nov 29 19:38:03 > 2020 (r368163) @@ -0,0 +1,74 @@ > +/*- > + * SPDX-License-Identifier: BSD-2-Clause-FreeBSD > + * > + * Copyright (c) 2019-2020 Rubicon Communications, LLC (Netgate) > + * > + * Redistribution and use in source and binary forms, with or without > + * modification, are permitted provided that the following conditions > + * are met: > + * 1. Redistributions of source code must retain the above copyright > + * notice, this list of conditions and the following disclaimer. > + * 2. Redistributions in binary form must reproduce the above copyrig= ht > + * notice, this list of conditions and the following disclaimer in= the > + * documentation and/or other materials provided with the distribu= tion. > + * > + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' A= ND > + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, TH= E > + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR P= URPOSE > + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIA= BLE > + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQU= ENTIAL > + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GO= ODS > + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION= ) > + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, = STRICT > + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN AN= Y WAY > + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY = OF > + * SUCH DAMAGE. > + * > + * $FreeBSD$ > + */ > + > +#ifndef _CURVE25519_H_ > +#define _CURVE25519_H_ > + > +#include > + > +#define CURVE25519_KEY_SIZE 32 > + > +void curve25519_generic(u8 [CURVE25519_KEY_SIZE], > + const u8 [CURVE25519_KEY_SIZE], > + const u8 [CURVE25519_KEY_SIZE]); > + > +static inline void curve25519_clamp_secret(u8 secret[CURVE25519_KEY_SIZ= E]) > +{ > + secret[0] &=3D 248; > + secret[31] =3D (secret[31] & 127) | 64; > +} > + > +static const u8 null_point[CURVE25519_KEY_SIZE] =3D { 0 }; > + > +static inline int curve25519(u8 mypublic[CURVE25519_KEY_SIZE], > + const u8 secret[CURVE25519_KEY_SIZE], > + const u8 basepoint[CURVE25519_KEY_SIZE]) > +{ > + curve25519_generic(mypublic, secret, basepoint); > + return timingsafe_bcmp(mypublic, null_point, CURVE25519_KEY_SIZE); > +} > + > +static inline int curve25519_generate_public(u8 pub[CURVE25519_KEY_SIZE= ], > + const u8 secret[CURVE25519_KEY_SIZE]) > +{ > + static const u8 basepoint[CURVE25519_KEY_SIZE] __aligned(32) =3D { 9 }= ; > + > + if (timingsafe_bcmp(secret, null_point, CURVE25519_KEY_SIZE) =3D=3D 0) > + return 0; > + > + return curve25519(pub, secret, basepoint); > +} > + > +static inline void curve25519_generate_secret(u8 secret[CURVE25519_KEY_= SIZE]) > +{ > + arc4random_buf(secret, CURVE25519_KEY_SIZE); > + curve25519_clamp_secret(secret); > +} > + > +#endif /* _CURVE25519_H_ */ > > Added: head/sys/dev/if_wg/include/crypto/zinc.h > =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D > --- /dev/null 00:00:00 1970 (empty, because file is newly added) > +++ head/sys/dev/if_wg/include/crypto/zinc.h Sun Nov 29 19:38:03 > 2020 (r368163) @@ -0,0 +1,15 @@ > +/* SPDX-License-Identifier: GPL-2.0 OR MIT */ > +/* > + * Copyright (C) 2015-2019 Jason A. Donenfeld . All Ri= ghts > Reserved. > + */ > + > +#ifndef _WG_ZINC_H > +#define _WG_ZINC_H > + > +int chacha20_mod_init(void); > +int poly1305_mod_init(void); > +int chacha20poly1305_mod_init(void); > +int blake2s_mod_init(void); > +int curve25519_mod_init(void); > + > +#endif > > Added: head/sys/dev/if_wg/include/sys/if_wg_session.h > =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D > --- /dev/null 00:00:00 1970 (empty, because file is newly added) > +++ head/sys/dev/if_wg/include/sys/if_wg_session.h Sun Nov 29 19:38:03 > 2020 (r368163) @@ -0,0 +1,89 @@ > +/* > + * Copyright (c) 2019 Matt Dunwoodie > + * > + * Permission to use, copy, modify, and distribute this software for an= y > + * purpose with or without fee is hereby granted, provided that the abo= ve > + * copyright notice and this permission notice appear in all copies. > + * > + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRAN= TIES > + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF > + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE = FOR > + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAG= ES > + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN A= N > + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT= OF > + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. > + * > + * $FreeBSD$ > + */ > + > +#ifndef __IF_WG_H__ > +#define __IF_WG_H__ > + > +#include > +#include > + > +/* > + * This is the public interface to the WireGuard network interface. > + * > + * It is designed to be used by tools such as ifconfig(8) and wg(4). > + */ > + > +#define WG_KEY_SIZE 32 > + > +#define WG_DEVICE_HAS_PUBKEY (1 << 0) > +#define WG_DEVICE_HAS_PRIVKEY (1 << 1) > +#define WG_DEVICE_HAS_MASKED_PRIVKEY (1 << 2) > +#define WG_DEVICE_HAS_PORT (1 << 3) > +#define WG_DEVICE_HAS_RDOMAIN (1 << 4) > +#define WG_DEVICE_REPLACE_PEERS (1 << 5) > + > +#define WG_PEER_HAS_PUBKEY (1 << 0) > +#define WG_PEER_HAS_SHAREDKEY (1 << 1) > +#define WG_PEER_HAS_MASKED_SHAREDKEY (1 << 2) > +#define WG_PEER_HAS_ENDPOINT (1 << 3) > +#define WG_PEER_HAS_PERSISTENTKEEPALIVE (1 << 4) > +#define WG_PEER_REPLACE_CIDRS (1 << 5) > +#define WG_PEER_REMOVE (1 << 6) > + > +#define SIOCSWG _IOWR('i', 200, struct wg_device_io) > +#define SIOCGWG _IOWR('i', 201, struct wg_device_io) > + > +#define WG_PEERS_FOREACH(p, d) \ > + for (p =3D (d)->d_peers; p < (d)->d_peers + (d)->d_num_peers; p++) > +#define WG_CIDRS_FOREACH(c, p) \ > + for (c =3D (p)->p_cidrs; c < (p)->p_cidrs + (p)->p_num_cidrs; c++) > + > +struct wg_allowedip { > + struct sockaddr_storage a_addr; > + struct sockaddr_storage a_mask; > +}; > + > +enum { > + WG_PEER_CTR_TX_BYTES, > + WG_PEER_CTR_RX_BYTES, > + WG_PEER_CTR_NUM, > +}; > + > +struct wg_device_io { > + char d_name[IFNAMSIZ]; > + uint8_t d_flags; > + in_port_t d_port; > + int d_rdomain; > + uint8_t d_pubkey[WG_KEY_SIZE]; > + uint8_t d_privkey[WG_KEY_SIZE]; > + size_t d_num_peers; > + size_t d_num_cidrs; > + struct wg_peer_io *d_peers; > +}; > + > + > +#ifndef ENOKEY > +#define ENOKEY ENOTCAPABLE > +#endif > + > +typedef enum { > + WGC_GET =3D 0x5, > + WGC_SET =3D 0x6, > +} wg_cmd_t; > + > +#endif /* __IF_WG_H__ */ > > Added: head/sys/dev/if_wg/include/sys/if_wg_session_vars.h > =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D > --- /dev/null 00:00:00 1970 (empty, because file is newly added) > +++ head/sys/dev/if_wg/include/sys/if_wg_session_vars.h Sun Nov 29 > 19:38:03 2020 (r368163) @@ -0,0 +1,322 @@ > +/* > + * Copyright (c) 2019 Matt Dunwoodie > + * Copyright (c) 2019-2020 Rubicon Communications, LLC (Netgate) > + * > + * Permission to use, copy, modify, and distribute this software for an= y > + * purpose with or without fee is hereby granted, provided that the abo= ve > + * copyright notice and this permission notice appear in all copies. > + * > + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRAN= TIES > + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF > + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE = FOR > + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAG= ES > + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN A= N > + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT= OF > + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. > + * > + * $FreeBSD$ > + */ > + > +#ifndef _IF_WG_VARS_H_ > +#define _IF_WG_VARS_H_ > + > +#include > +#include > +#include > + > +#include > +#include > +#include > + > + > +#include > +#include > +#include > +#include > +#include > +#include > + > +#include > +#include > +/* This is only needed for wg_keypair. */ > +#include > + > +#define UNIMPLEMENTED() panic("%s not implemented\n", __func__) > + > +#define WG_KEY_SIZE 32 > +#define WG_MSG_PADDING_SIZE 16 > + > + > +/* Constant for session */ > +#define REKEY_TIMEOUT 5 > +#define REKEY_TIMEOUT_JITTER 500 /* TODO ok? jason */ > +#define REJECT_AFTER_TIME 180 > +#define KEEPALIVE_TIMEOUT 10 > +#define MAX_TIMER_HANDSHAKES (90 / REKEY_TIMEOUT) > +#define NEW_HANDSHAKE_TIMEOUT (REKEY_TIMEOUT + > KEEPALIVE_TIMEOUT) + > +#define MAX_QUEUED_INCOMING_HANDSHAKES 4096 /* TODO: replace this > with DQL */ +#define MAX_QUEUED_PACKETS 1024 /* TODO: replace > this with DQL */ + > +#define HASHTABLE_PEER_SIZE (1 << 6) > //1 << 11 +#define HASHTABLE_INDEX_SIZE (HASHTABLE_PEER_SIZE * > 3) //1 << 13 + > +#define PEER_MAGIC1 0xCAFEBABEB00FDADDULL > +#define PEER_MAGIC2 0xCAAFD0D0D00DBABEULL > +#define PEER_MAGIC3 0xD00DBABEF00DFADEULL > + > + > +enum message_type { > + MESSAGE_INVALID =3D 0, > + MESSAGE_HANDSHAKE_INITIATION =3D 1, > + MESSAGE_HANDSHAKE_RESPONSE =3D 2, > + MESSAGE_HANDSHAKE_COOKIE =3D 3, > + MESSAGE_DATA =3D 4 > +}; > + > +struct wg_softc; > + > +#if __FreeBSD_version > 1300000 > +typedef void timeout_t (void *); > +#endif > + > +/* Socket */ > +struct wg_endpoint { > + union wg_remote { > + struct sockaddr r_sa; > + struct sockaddr_in r_sin; > + struct sockaddr_in6 r_sin6; > + } e_remote; > + union wg_source { > + struct in_addr l_in; > + struct in6_pktinfo l_pktinfo6; > +#define l_in6 l_pktinfo6.ipi6_addr > + } e_local; > +}; > + > +struct wg_socket { > + struct mtx so_mtx; > + in_port_t so_port; > + struct socket *so_so4; > + struct socket *so_so6; > +}; > + > +struct wg_queue { > + struct mtx q_mtx; > + struct mbufq q; > +}; > + > +struct wg_index { > + LIST_ENTRY(wg_index) i_entry; > + SLIST_ENTRY(wg_index) i_unused_entry; > + uint32_t i_key; > > *** DIFF OUTPUT TRUNCATED AT 1000 LINES *** > _______________________________________________ > svn-src-head@freebsd.org mailing list > https://lists.freebsd.org/mailman/listinfo/svn-src-head > To unsubscribe, send any mail to "svn-src-head-unsubscribe@freebsd.org" "make installkernel" fails for me in a non-DEBUG environment with the erro= r shown below. Recent CURRENT source tree is r368226, failing systems are ru= nning at r368055 or r368226. [...] =3D=3D=3D> i2c/cyapa (install) =2D-- realinstall_subdir_if_wg --- install -T dbg -o root -g wheel -m 555 if_wg.ko.debug /usr/lib/debug/boot/kernel/ install: /usr/lib/debug/boot/kernel/: No such = file or directory --- realinstall_subdir_iflib --- =2D-- _kmodinstall --- =2D-- realinstall_subdir_if_wg --- *** [_kmodinstall] Error code 71 make[4]: stopped in /usr/src/sys/modules/if_wg 1 error make[4]: stopped in /usr/src/sys/modules/if_wg =2D-- realinstall_subdir_iflib --- install -T release -o root -g wheel -m 555 iflib.ko /boot/kernel/ =2D-- realinstall_subdir_if_wg --- =2D-- realinstall_subdir_geom --- =2D-- realinstall_subdir_iflib --- =2D-- realinstall_subdir_i2c --- *** [modules-install] Error code 2 [...]