]>
Commit | Line | Data |
---|---|---|
d506b89c | 1 | /* SPDX-License-Identifier: LGPL-2.1+ */ |
e5719363 | 2 | /*** |
96b2fb93 | 3 | Copyright © 2015-2017 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved. |
e5719363 JT |
4 | ***/ |
5 | ||
6 | #include <sys/ioctl.h> | |
7 | #include <net/if.h> | |
8 | ||
8173d1d0 YW |
9 | #include "sd-resolve.h" |
10 | ||
e5719363 | 11 | #include "alloc-util.h" |
85c987a8 | 12 | #include "event-util.h" |
e5719363 | 13 | #include "fd-util.h" |
76df7779 | 14 | #include "fileio.h" |
e5719363 | 15 | #include "hexdecoct.h" |
0a970718 | 16 | #include "memory-util.h" |
43409486 | 17 | #include "netlink-util.h" |
e5719363 | 18 | #include "networkd-link.h" |
e5719363 | 19 | #include "networkd-manager.h" |
a4c9ae40 YW |
20 | #include "networkd-util.h" |
21 | #include "parse-util.h" | |
76df7779 | 22 | #include "path-util.h" |
1061dab1 | 23 | #include "resolve-private.h" |
a4c9ae40 YW |
24 | #include "string-util.h" |
25 | #include "strv.h" | |
e5719363 | 26 | #include "wireguard-netlink.h" |
0a970718 | 27 | #include "wireguard.h" |
e5719363 JT |
28 | |
29 | static void resolve_endpoints(NetDev *netdev); | |
30 | ||
f1368a33 YW |
31 | static void wireguard_peer_free(WireguardPeer *peer) { |
32 | WireguardIPmask *mask; | |
33 | ||
34 | if (!peer) | |
35 | return; | |
36 | ||
37 | if (peer->wireguard) { | |
38 | LIST_REMOVE(peers, peer->wireguard->peers, peer); | |
39 | ||
40 | set_remove(peer->wireguard->peers_with_unresolved_endpoint, peer); | |
41 | set_remove(peer->wireguard->peers_with_failed_endpoint, peer); | |
42 | ||
43 | if (peer->section) | |
44 | hashmap_remove(peer->wireguard->peers_by_section, peer->section); | |
45 | } | |
46 | ||
47 | network_config_section_free(peer->section); | |
48 | ||
49 | while ((mask = peer->ipmasks)) { | |
50 | LIST_REMOVE(ipmasks, peer->ipmasks, mask); | |
51 | free(mask); | |
52 | } | |
53 | ||
54 | free(peer->endpoint_host); | |
55 | free(peer->endpoint_port); | |
a3945c63 | 56 | free(peer->preshared_key_file); |
6ef5c881 | 57 | explicit_bzero_safe(peer->preshared_key, WG_KEY_LEN); |
f1368a33 YW |
58 | |
59 | free(peer); | |
60 | } | |
61 | ||
62 | DEFINE_NETWORK_SECTION_FUNCTIONS(WireguardPeer, wireguard_peer_free); | |
63 | ||
64 | static int wireguard_peer_new_static(Wireguard *w, const char *filename, unsigned section_line, WireguardPeer **ret) { | |
65 | _cleanup_(network_config_section_freep) NetworkConfigSection *n = NULL; | |
66 | _cleanup_(wireguard_peer_freep) WireguardPeer *peer = NULL; | |
67 | int r; | |
e5719363 JT |
68 | |
69 | assert(w); | |
f1368a33 YW |
70 | assert(ret); |
71 | assert(filename); | |
72 | assert(section_line > 0); | |
e5719363 | 73 | |
f1368a33 YW |
74 | r = network_config_section_new(filename, section_line, &n); |
75 | if (r < 0) | |
76 | return r; | |
77 | ||
78 | peer = hashmap_get(w->peers_by_section, n); | |
79 | if (peer) { | |
80 | *ret = TAKE_PTR(peer); | |
81 | return 0; | |
82 | } | |
e5719363 | 83 | |
fc721553 | 84 | peer = new(WireguardPeer, 1); |
e5719363 | 85 | if (!peer) |
f1368a33 | 86 | return -ENOMEM; |
fc721553 YW |
87 | |
88 | *peer = (WireguardPeer) { | |
89 | .flags = WGPEER_F_REPLACE_ALLOWEDIPS, | |
f1368a33 YW |
90 | .wireguard = w, |
91 | .section = TAKE_PTR(n), | |
fc721553 | 92 | }; |
e5719363 JT |
93 | |
94 | LIST_PREPEND(peers, w->peers, peer); | |
e5719363 | 95 | |
f1368a33 YW |
96 | r = hashmap_ensure_allocated(&w->peers_by_section, &network_config_hash_ops); |
97 | if (r < 0) | |
98 | return r; | |
99 | ||
100 | r = hashmap_put(w->peers_by_section, peer->section, peer); | |
101 | if (r < 0) | |
102 | return r; | |
103 | ||
104 | *ret = TAKE_PTR(peer); | |
105 | return 0; | |
e5719363 JT |
106 | } |
107 | ||
e1f717d4 | 108 | static int wireguard_set_ipmask_one(NetDev *netdev, sd_netlink_message *message, const WireguardIPmask *mask, uint16_t index) { |
e5719363 | 109 | int r; |
e1f717d4 YW |
110 | |
111 | assert(message); | |
112 | assert(mask); | |
113 | assert(index > 0); | |
114 | ||
115 | /* This returns 1 on success, 0 on recoverable error, and negative errno on failure. */ | |
116 | ||
117 | r = sd_netlink_message_open_array(message, index); | |
118 | if (r < 0) | |
119 | return 0; | |
120 | ||
121 | r = sd_netlink_message_append_u16(message, WGALLOWEDIP_A_FAMILY, mask->family); | |
122 | if (r < 0) | |
123 | goto cancel; | |
124 | ||
43409486 | 125 | r = netlink_message_append_in_addr_union(message, WGALLOWEDIP_A_IPADDR, mask->family, &mask->ip); |
e1f717d4 YW |
126 | if (r < 0) |
127 | goto cancel; | |
128 | ||
129 | r = sd_netlink_message_append_u8(message, WGALLOWEDIP_A_CIDR_MASK, mask->cidr); | |
130 | if (r < 0) | |
131 | goto cancel; | |
132 | ||
133 | r = sd_netlink_message_close_container(message); | |
134 | if (r < 0) | |
135 | return log_netdev_error_errno(netdev, r, "Could not add wireguard allowed ip: %m"); | |
136 | ||
137 | return 1; | |
138 | ||
139 | cancel: | |
140 | r = sd_netlink_message_cancel_array(message); | |
141 | if (r < 0) | |
142 | return log_netdev_error_errno(netdev, r, "Could not cancel wireguard allowed ip message attribute: %m"); | |
143 | ||
144 | return 0; | |
145 | } | |
146 | ||
147 | static int wireguard_set_peer_one(NetDev *netdev, sd_netlink_message *message, const WireguardPeer *peer, uint16_t index, WireguardIPmask **mask_start) { | |
148 | WireguardIPmask *mask, *start; | |
149 | uint16_t j = 0; | |
150 | int r; | |
151 | ||
152 | assert(message); | |
153 | assert(peer); | |
154 | assert(index > 0); | |
155 | assert(mask_start); | |
156 | ||
157 | /* This returns 1 on success, 0 on recoverable error, and negative errno on failure. */ | |
158 | ||
159 | start = *mask_start ?: peer->ipmasks; | |
160 | ||
161 | r = sd_netlink_message_open_array(message, index); | |
162 | if (r < 0) | |
163 | return 0; | |
164 | ||
165 | r = sd_netlink_message_append_data(message, WGPEER_A_PUBLIC_KEY, &peer->public_key, sizeof(peer->public_key)); | |
166 | if (r < 0) | |
167 | goto cancel; | |
168 | ||
2301c54f | 169 | if (!*mask_start) { |
e1f717d4 YW |
170 | r = sd_netlink_message_append_data(message, WGPEER_A_PRESHARED_KEY, &peer->preshared_key, WG_KEY_LEN); |
171 | if (r < 0) | |
172 | goto cancel; | |
173 | ||
174 | r = sd_netlink_message_append_u32(message, WGPEER_A_FLAGS, peer->flags); | |
175 | if (r < 0) | |
176 | goto cancel; | |
177 | ||
178 | r = sd_netlink_message_append_u16(message, WGPEER_A_PERSISTENT_KEEPALIVE_INTERVAL, peer->persistent_keepalive_interval); | |
179 | if (r < 0) | |
180 | goto cancel; | |
181 | ||
43409486 YW |
182 | if (IN_SET(peer->endpoint.sa.sa_family, AF_INET, AF_INET6)) { |
183 | r = netlink_message_append_sockaddr_union(message, WGPEER_A_ENDPOINT, &peer->endpoint); | |
184 | if (r < 0) | |
185 | goto cancel; | |
186 | } | |
e1f717d4 YW |
187 | } |
188 | ||
189 | r = sd_netlink_message_open_container(message, WGPEER_A_ALLOWEDIPS); | |
190 | if (r < 0) | |
191 | goto cancel; | |
192 | ||
193 | LIST_FOREACH(ipmasks, mask, start) { | |
194 | r = wireguard_set_ipmask_one(netdev, message, mask, ++j); | |
195 | if (r < 0) | |
196 | return r; | |
197 | if (r == 0) | |
198 | break; | |
199 | } | |
200 | ||
201 | r = sd_netlink_message_close_container(message); | |
202 | if (r < 0) | |
203 | return log_netdev_error_errno(netdev, r, "Could not add wireguard allowed ip: %m"); | |
204 | ||
205 | r = sd_netlink_message_close_container(message); | |
206 | if (r < 0) | |
207 | return log_netdev_error_errno(netdev, r, "Could not add wireguard peer: %m"); | |
208 | ||
209 | *mask_start = mask; /* Start next cycle from this mask. */ | |
210 | return !mask; | |
211 | ||
212 | cancel: | |
213 | r = sd_netlink_message_cancel_array(message); | |
214 | if (r < 0) | |
215 | return log_netdev_error_errno(netdev, r, "Could not cancel wireguard peers: %m"); | |
216 | ||
217 | return 0; | |
218 | } | |
219 | ||
220 | static int wireguard_set_interface(NetDev *netdev) { | |
e5719363 | 221 | _cleanup_(sd_netlink_message_unrefp) sd_netlink_message *message = NULL; |
e1f717d4 YW |
222 | WireguardIPmask *mask_start = NULL; |
223 | WireguardPeer *peer, *peer_start; | |
e5719363 | 224 | uint32_t serial; |
e1f717d4 YW |
225 | Wireguard *w; |
226 | int r; | |
e5719363 JT |
227 | |
228 | assert(netdev); | |
229 | w = WIREGUARD(netdev); | |
230 | assert(w); | |
231 | ||
e1f717d4 YW |
232 | for (peer_start = w->peers; peer_start; ) { |
233 | uint16_t i = 0; | |
e5719363 | 234 | |
e5719363 JT |
235 | message = sd_netlink_message_unref(message); |
236 | ||
237 | r = sd_genl_message_new(netdev->manager->genl, SD_GENL_WIREGUARD, WG_CMD_SET_DEVICE, &message); | |
238 | if (r < 0) | |
239 | return log_netdev_error_errno(netdev, r, "Failed to allocate generic netlink message: %m"); | |
240 | ||
241 | r = sd_netlink_message_append_string(message, WGDEVICE_A_IFNAME, netdev->ifname); | |
242 | if (r < 0) | |
243 | return log_netdev_error_errno(netdev, r, "Could not append wireguard interface name: %m"); | |
244 | ||
245 | if (peer_start == w->peers) { | |
246 | r = sd_netlink_message_append_data(message, WGDEVICE_A_PRIVATE_KEY, &w->private_key, WG_KEY_LEN); | |
247 | if (r < 0) | |
248 | return log_netdev_error_errno(netdev, r, "Could not append wireguard private key: %m"); | |
249 | ||
250 | r = sd_netlink_message_append_u16(message, WGDEVICE_A_LISTEN_PORT, w->port); | |
251 | if (r < 0) | |
252 | return log_netdev_error_errno(netdev, r, "Could not append wireguard port: %m"); | |
253 | ||
254 | r = sd_netlink_message_append_u32(message, WGDEVICE_A_FWMARK, w->fwmark); | |
255 | if (r < 0) | |
256 | return log_netdev_error_errno(netdev, r, "Could not append wireguard fwmark: %m"); | |
257 | ||
258 | r = sd_netlink_message_append_u32(message, WGDEVICE_A_FLAGS, w->flags); | |
259 | if (r < 0) | |
260 | return log_netdev_error_errno(netdev, r, "Could not append wireguard flags: %m"); | |
261 | } | |
262 | ||
263 | r = sd_netlink_message_open_container(message, WGDEVICE_A_PEERS); | |
264 | if (r < 0) | |
265 | return log_netdev_error_errno(netdev, r, "Could not append wireguard peer attributes: %m"); | |
266 | ||
e5719363 | 267 | LIST_FOREACH(peers, peer, peer_start) { |
e1f717d4 | 268 | r = wireguard_set_peer_one(netdev, message, peer, ++i, &mask_start); |
e5719363 | 269 | if (r < 0) |
e1f717d4 YW |
270 | return r; |
271 | if (r == 0) | |
e5719363 | 272 | break; |
e5719363 | 273 | } |
e1f717d4 | 274 | peer_start = peer; /* Start next cycle from this peer. */ |
e5719363 JT |
275 | |
276 | r = sd_netlink_message_close_container(message); | |
277 | if (r < 0) | |
278 | return log_netdev_error_errno(netdev, r, "Could not close wireguard container: %m"); | |
279 | ||
280 | r = sd_netlink_send(netdev->manager->genl, message, &serial); | |
281 | if (r < 0) | |
282 | return log_netdev_error_errno(netdev, r, "Could not set wireguard device: %m"); | |
e1f717d4 | 283 | } |
e5719363 JT |
284 | |
285 | return 0; | |
286 | } | |
287 | ||
f1368a33 YW |
288 | static void wireguard_peer_destroy_callback(WireguardPeer *peer) { |
289 | NetDev *netdev; | |
e5719363 | 290 | |
f1368a33 YW |
291 | assert(peer); |
292 | assert(peer->wireguard); | |
8173d1d0 | 293 | |
f1368a33 | 294 | netdev = NETDEV(peer->wireguard); |
8173d1d0 | 295 | |
f1368a33 YW |
296 | if (section_is_invalid(peer->section)) |
297 | wireguard_peer_free(peer); | |
298 | ||
299 | netdev_unref(netdev); | |
300 | } | |
e5719363 JT |
301 | |
302 | static int on_resolve_retry(sd_event_source *s, usec_t usec, void *userdata) { | |
303 | NetDev *netdev = userdata; | |
304 | Wireguard *w; | |
305 | ||
306 | assert(netdev); | |
307 | w = WIREGUARD(netdev); | |
308 | assert(w); | |
309 | ||
9e2bbf99 | 310 | if (!netdev_is_managed(netdev)) |
56ba90c2 | 311 | return 0; |
e5719363 | 312 | |
f1368a33 YW |
313 | assert(set_isempty(w->peers_with_unresolved_endpoint)); |
314 | ||
315 | SWAP_TWO(w->peers_with_unresolved_endpoint, w->peers_with_failed_endpoint); | |
e5719363 JT |
316 | |
317 | resolve_endpoints(netdev); | |
318 | ||
319 | return 0; | |
320 | } | |
321 | ||
322 | /* | |
323 | * Given the number of retries this function will return will an exponential | |
324 | * increasing time in milliseconds to wait starting at 200ms and capped at 25 seconds. | |
325 | */ | |
326 | static int exponential_backoff_milliseconds(unsigned n_retries) { | |
7232c1f9 | 327 | return (2 << MIN(n_retries, 7U)) * 100 * USEC_PER_MSEC; |
e5719363 JT |
328 | } |
329 | ||
330 | static int wireguard_resolve_handler(sd_resolve_query *q, | |
331 | int ret, | |
332 | const struct addrinfo *ai, | |
f1368a33 | 333 | WireguardPeer *peer) { |
1061dab1 | 334 | NetDev *netdev; |
e5719363 | 335 | Wireguard *w; |
e5719363 JT |
336 | int r; |
337 | ||
f1368a33 YW |
338 | assert(peer); |
339 | assert(peer->wireguard); | |
e5719363 | 340 | |
f1368a33 YW |
341 | w = peer->wireguard; |
342 | netdev = NETDEV(w); | |
e5719363 | 343 | |
9e2bbf99 | 344 | if (!netdev_is_managed(netdev)) |
8173d1d0 | 345 | return 0; |
e5719363 JT |
346 | |
347 | if (ret != 0) { | |
f1368a33 YW |
348 | log_netdev_error(netdev, "Failed to resolve host '%s:%s': %s", peer->endpoint_host, peer->endpoint_port, gai_strerror(ret)); |
349 | ||
350 | r = set_ensure_allocated(&w->peers_with_failed_endpoint, NULL); | |
351 | if (r < 0) { | |
352 | log_oom(); | |
353 | peer->section->invalid = true; | |
354 | goto resolve_next; | |
355 | } | |
356 | ||
357 | r = set_put(w->peers_with_failed_endpoint, peer); | |
358 | if (r < 0) { | |
359 | log_netdev_error(netdev, "Failed to save a peer, dropping the peer: %m"); | |
360 | peer->section->invalid = true; | |
361 | goto resolve_next; | |
362 | } | |
363 | ||
e5719363 | 364 | } else if ((ai->ai_family == AF_INET && ai->ai_addrlen == sizeof(struct sockaddr_in)) || |
8173d1d0 | 365 | (ai->ai_family == AF_INET6 && ai->ai_addrlen == sizeof(struct sockaddr_in6))) |
f1368a33 | 366 | memcpy(&peer->endpoint, ai->ai_addr, ai->ai_addrlen); |
e5719363 | 367 | else |
f1368a33 YW |
368 | log_netdev_error(netdev, "Neither IPv4 nor IPv6 address found for peer endpoint %s:%s, ignoring the address.", |
369 | peer->endpoint_host, peer->endpoint_port); | |
e5719363 | 370 | |
f1368a33 YW |
371 | resolve_next: |
372 | if (!set_isempty(w->peers_with_unresolved_endpoint)) { | |
e5719363 JT |
373 | resolve_endpoints(netdev); |
374 | return 0; | |
375 | } | |
376 | ||
e1f717d4 | 377 | (void) wireguard_set_interface(netdev); |
f1368a33 YW |
378 | |
379 | if (!set_isempty(w->peers_with_failed_endpoint)) { | |
85c987a8 | 380 | usec_t usec; |
56ba90c2 | 381 | |
e5719363 | 382 | w->n_retries++; |
85c987a8 YW |
383 | usec = usec_add(now(CLOCK_MONOTONIC), exponential_backoff_milliseconds(w->n_retries)); |
384 | r = event_reset_time(netdev->manager->event, &w->resolve_retry_event_source, | |
385 | CLOCK_MONOTONIC, usec, 0, on_resolve_retry, netdev, | |
386 | 0, "wireguard-resolve-retry", true); | |
56ba90c2 | 387 | if (r < 0) { |
e5719363 | 388 | log_netdev_warning_errno(netdev, r, "Could not arm resolve retry handler: %m"); |
56ba90c2 YW |
389 | return 0; |
390 | } | |
e5719363 JT |
391 | } |
392 | ||
393 | return 0; | |
394 | } | |
395 | ||
396 | static void resolve_endpoints(NetDev *netdev) { | |
e5719363 JT |
397 | static const struct addrinfo hints = { |
398 | .ai_family = AF_UNSPEC, | |
399 | .ai_socktype = SOCK_DGRAM, | |
400 | .ai_protocol = IPPROTO_UDP | |
401 | }; | |
f1368a33 | 402 | WireguardPeer *peer; |
8173d1d0 | 403 | Wireguard *w; |
f1368a33 | 404 | Iterator i; |
8173d1d0 | 405 | int r = 0; |
e5719363 JT |
406 | |
407 | assert(netdev); | |
408 | w = WIREGUARD(netdev); | |
409 | assert(w); | |
410 | ||
f1368a33 | 411 | SET_FOREACH(peer, w->peers_with_unresolved_endpoint, i) { |
1061dab1 YW |
412 | r = resolve_getaddrinfo(netdev->manager->resolve, |
413 | NULL, | |
f1368a33 YW |
414 | peer->endpoint_host, |
415 | peer->endpoint_port, | |
1061dab1 YW |
416 | &hints, |
417 | wireguard_resolve_handler, | |
f1368a33 YW |
418 | wireguard_peer_destroy_callback, |
419 | peer); | |
e5719363 JT |
420 | if (r == -ENOBUFS) |
421 | break; | |
8173d1d0 YW |
422 | if (r < 0) { |
423 | log_netdev_error_errno(netdev, r, "Failed to create resolver: %m"); | |
424 | continue; | |
425 | } | |
e5719363 | 426 | |
8173d1d0 YW |
427 | /* Avoid freeing netdev. It will be unrefed by the destroy callback. */ |
428 | netdev_ref(netdev); | |
429 | ||
f1368a33 | 430 | (void) set_remove(w->peers_with_unresolved_endpoint, peer); |
e5719363 JT |
431 | } |
432 | } | |
433 | ||
e5719363 | 434 | static int netdev_wireguard_post_create(NetDev *netdev, Link *link, sd_netlink_message *m) { |
e5719363 | 435 | assert(netdev); |
10c353e1 | 436 | assert(WIREGUARD(netdev)); |
e5719363 | 437 | |
e1f717d4 | 438 | (void) wireguard_set_interface(netdev); |
e5719363 JT |
439 | resolve_endpoints(netdev); |
440 | return 0; | |
441 | } | |
442 | ||
03fec543 YW |
443 | int config_parse_wireguard_listen_port( |
444 | const char *unit, | |
445 | const char *filename, | |
446 | unsigned line, | |
447 | const char *section, | |
448 | unsigned section_line, | |
449 | const char *lvalue, | |
450 | int ltype, | |
451 | const char *rvalue, | |
452 | void *data, | |
453 | void *userdata) { | |
454 | ||
e5719363 JT |
455 | uint16_t *s = data; |
456 | uint16_t port = 0; | |
457 | int r; | |
458 | ||
459 | assert(rvalue); | |
460 | assert(data); | |
461 | ||
462 | if (!streq(rvalue, "auto")) { | |
f1368a33 YW |
463 | r = parse_ip_port(rvalue, s); |
464 | if (r < 0) { | |
465 | log_syntax(unit, LOG_ERR, filename, line, r, | |
466 | "Invalid port specification, ignoring assignment: %s", rvalue); | |
467 | return 0; | |
468 | } | |
e5719363 JT |
469 | } |
470 | ||
471 | *s = port; | |
e5719363 JT |
472 | return 0; |
473 | } | |
474 | ||
fedcb4c3 YW |
475 | static int wireguard_decode_key_and_warn( |
476 | const char *rvalue, | |
477 | uint8_t *ret, | |
478 | const char *unit, | |
479 | const char *filename, | |
480 | unsigned line, | |
481 | const char *lvalue) { | |
03fec543 | 482 | |
e5719363 JT |
483 | _cleanup_free_ void *key = NULL; |
484 | size_t len; | |
485 | int r; | |
486 | ||
e5719363 | 487 | assert(rvalue); |
fedcb4c3 YW |
488 | assert(ret); |
489 | assert(filename); | |
490 | assert(lvalue); | |
491 | ||
492 | if (isempty(rvalue)) { | |
493 | memzero(ret, WG_KEY_LEN); | |
494 | return 0; | |
495 | } | |
e5719363 | 496 | |
6ef5c881 | 497 | r = unbase64mem_full(rvalue, strlen(rvalue), true, &key, &len); |
e5719363 | 498 | if (r < 0) { |
f1368a33 | 499 | log_syntax(unit, LOG_ERR, filename, line, r, |
583eb170 | 500 | "Failed to decode wireguard key provided by %s=, ignoring assignment: %m", lvalue); |
6ef5c881 | 501 | goto finalize; |
e5719363 JT |
502 | } |
503 | if (len != WG_KEY_LEN) { | |
583eb170 YW |
504 | log_syntax(unit, LOG_ERR, filename, line, 0, |
505 | "Wireguard key provided by %s= has invalid length (%zu bytes), ignoring assignment.", | |
506 | lvalue, len); | |
6ef5c881 | 507 | goto finalize; |
e5719363 JT |
508 | } |
509 | ||
fedcb4c3 | 510 | memcpy(ret, key, WG_KEY_LEN); |
6ef5c881 YW |
511 | r = 0; |
512 | ||
513 | finalize: | |
514 | explicit_bzero_safe(key, len); | |
515 | return r; | |
e5719363 JT |
516 | } |
517 | ||
03fec543 YW |
518 | int config_parse_wireguard_private_key( |
519 | const char *unit, | |
520 | const char *filename, | |
521 | unsigned line, | |
522 | const char *section, | |
523 | unsigned section_line, | |
524 | const char *lvalue, | |
525 | int ltype, | |
526 | const char *rvalue, | |
527 | void *data, | |
528 | void *userdata) { | |
529 | ||
e5719363 JT |
530 | Wireguard *w; |
531 | ||
532 | assert(data); | |
e5719363 | 533 | w = WIREGUARD(data); |
e5719363 JT |
534 | assert(w); |
535 | ||
6ef5c881 YW |
536 | (void) wireguard_decode_key_and_warn(rvalue, w->private_key, unit, filename, line, lvalue); |
537 | return 0; | |
e5719363 JT |
538 | } |
539 | ||
76df7779 YW |
540 | int config_parse_wireguard_private_key_file( |
541 | const char *unit, | |
542 | const char *filename, | |
543 | unsigned line, | |
544 | const char *section, | |
545 | unsigned section_line, | |
546 | const char *lvalue, | |
547 | int ltype, | |
548 | const char *rvalue, | |
549 | void *data, | |
550 | void *userdata) { | |
551 | ||
552 | _cleanup_free_ char *path = NULL; | |
553 | Wireguard *w; | |
554 | ||
555 | assert(data); | |
556 | w = WIREGUARD(data); | |
557 | assert(w); | |
558 | ||
559 | if (isempty(rvalue)) { | |
560 | w->private_key_file = mfree(w->private_key_file); | |
561 | return 0; | |
562 | } | |
563 | ||
564 | path = strdup(rvalue); | |
565 | if (!path) | |
566 | return log_oom(); | |
567 | ||
568 | if (path_simplify_and_warn(path, PATH_CHECK_ABSOLUTE, unit, filename, line, lvalue) < 0) | |
569 | return 0; | |
570 | ||
571 | return free_and_replace(w->private_key_file, path); | |
572 | } | |
573 | ||
03fec543 YW |
574 | int config_parse_wireguard_preshared_key( |
575 | const char *unit, | |
576 | const char *filename, | |
577 | unsigned line, | |
578 | const char *section, | |
579 | unsigned section_line, | |
580 | const char *lvalue, | |
581 | int ltype, | |
582 | const char *rvalue, | |
583 | void *data, | |
584 | void *userdata) { | |
f1368a33 YW |
585 | |
586 | _cleanup_(wireguard_peer_free_or_set_invalidp) WireguardPeer *peer = NULL; | |
e5719363 | 587 | Wireguard *w; |
f1368a33 | 588 | int r; |
e5719363 JT |
589 | |
590 | assert(data); | |
e5719363 | 591 | w = WIREGUARD(data); |
e5719363 JT |
592 | assert(w); |
593 | ||
f1368a33 YW |
594 | r = wireguard_peer_new_static(w, filename, section_line, &peer); |
595 | if (r < 0) | |
596 | return r; | |
e5719363 | 597 | |
fedcb4c3 | 598 | r = wireguard_decode_key_and_warn(rvalue, peer->preshared_key, unit, filename, line, lvalue); |
f1368a33 YW |
599 | if (r < 0) |
600 | return r; | |
601 | ||
602 | TAKE_PTR(peer); | |
603 | return 0; | |
e5719363 JT |
604 | } |
605 | ||
a3945c63 YW |
606 | int config_parse_wireguard_preshared_key_file( |
607 | const char *unit, | |
608 | const char *filename, | |
609 | unsigned line, | |
610 | const char *section, | |
611 | unsigned section_line, | |
612 | const char *lvalue, | |
613 | int ltype, | |
614 | const char *rvalue, | |
615 | void *data, | |
616 | void *userdata) { | |
617 | ||
618 | _cleanup_(wireguard_peer_free_or_set_invalidp) WireguardPeer *peer = NULL; | |
619 | _cleanup_free_ char *path = NULL; | |
620 | Wireguard *w; | |
621 | int r; | |
622 | ||
623 | assert(data); | |
624 | w = WIREGUARD(data); | |
625 | assert(w); | |
626 | ||
627 | r = wireguard_peer_new_static(w, filename, section_line, &peer); | |
628 | if (r < 0) | |
629 | return r; | |
630 | ||
631 | if (isempty(rvalue)) { | |
632 | peer->preshared_key_file = mfree(peer->preshared_key_file); | |
633 | TAKE_PTR(peer); | |
634 | return 0; | |
635 | } | |
636 | ||
637 | path = strdup(rvalue); | |
638 | if (!path) | |
639 | return log_oom(); | |
640 | ||
641 | if (path_simplify_and_warn(path, PATH_CHECK_ABSOLUTE, unit, filename, line, lvalue) < 0) | |
642 | return 0; | |
643 | ||
644 | free_and_replace(peer->preshared_key_file, path); | |
645 | TAKE_PTR(peer); | |
646 | return 0; | |
647 | } | |
648 | ||
03fec543 YW |
649 | int config_parse_wireguard_public_key( |
650 | const char *unit, | |
651 | const char *filename, | |
652 | unsigned line, | |
653 | const char *section, | |
654 | unsigned section_line, | |
655 | const char *lvalue, | |
656 | int ltype, | |
657 | const char *rvalue, | |
658 | void *data, | |
659 | void *userdata) { | |
f1368a33 YW |
660 | |
661 | _cleanup_(wireguard_peer_free_or_set_invalidp) WireguardPeer *peer = NULL; | |
e5719363 | 662 | Wireguard *w; |
f1368a33 | 663 | int r; |
e5719363 JT |
664 | |
665 | assert(data); | |
e5719363 | 666 | w = WIREGUARD(data); |
e5719363 JT |
667 | assert(w); |
668 | ||
f1368a33 YW |
669 | r = wireguard_peer_new_static(w, filename, section_line, &peer); |
670 | if (r < 0) | |
671 | return r; | |
672 | ||
fedcb4c3 | 673 | r = wireguard_decode_key_and_warn(rvalue, peer->public_key, unit, filename, line, lvalue); |
f1368a33 YW |
674 | if (r < 0) |
675 | return r; | |
e5719363 | 676 | |
f1368a33 YW |
677 | TAKE_PTR(peer); |
678 | return 0; | |
e5719363 JT |
679 | } |
680 | ||
03fec543 YW |
681 | int config_parse_wireguard_allowed_ips( |
682 | const char *unit, | |
683 | const char *filename, | |
684 | unsigned line, | |
685 | const char *section, | |
686 | unsigned section_line, | |
687 | const char *lvalue, | |
688 | int ltype, | |
689 | const char *rvalue, | |
690 | void *data, | |
691 | void *userdata) { | |
f1368a33 YW |
692 | |
693 | _cleanup_(wireguard_peer_free_or_set_invalidp) WireguardPeer *peer = NULL; | |
e5719363 JT |
694 | union in_addr_union addr; |
695 | unsigned char prefixlen; | |
696 | int r, family; | |
697 | Wireguard *w; | |
e5719363 JT |
698 | WireguardIPmask *ipmask; |
699 | ||
700 | assert(rvalue); | |
701 | assert(data); | |
702 | ||
703 | w = WIREGUARD(data); | |
f1368a33 YW |
704 | assert(w); |
705 | ||
706 | r = wireguard_peer_new_static(w, filename, section_line, &peer); | |
707 | if (r < 0) | |
708 | return r; | |
e5719363 JT |
709 | |
710 | for (;;) { | |
711 | _cleanup_free_ char *word = NULL; | |
712 | ||
713 | r = extract_first_word(&rvalue, &word, "," WHITESPACE, 0); | |
714 | if (r == 0) | |
715 | break; | |
716 | if (r == -ENOMEM) | |
717 | return log_oom(); | |
718 | if (r < 0) { | |
f1368a33 YW |
719 | log_syntax(unit, LOG_ERR, filename, line, r, |
720 | "Failed to split allowed ips \"%s\" option: %m", rvalue); | |
e5719363 JT |
721 | break; |
722 | } | |
723 | ||
724 | r = in_addr_prefix_from_string_auto(word, &family, &addr, &prefixlen); | |
725 | if (r < 0) { | |
f1368a33 YW |
726 | log_syntax(unit, LOG_ERR, filename, line, r, |
727 | "Network address is invalid, ignoring assignment: %s", word); | |
728 | continue; | |
e5719363 JT |
729 | } |
730 | ||
fc721553 | 731 | ipmask = new(WireguardIPmask, 1); |
e5719363 JT |
732 | if (!ipmask) |
733 | return log_oom(); | |
fc721553 YW |
734 | |
735 | *ipmask = (WireguardIPmask) { | |
736 | .family = family, | |
737 | .ip.in6 = addr.in6, | |
738 | .cidr = prefixlen, | |
739 | }; | |
e5719363 JT |
740 | |
741 | LIST_PREPEND(ipmasks, peer->ipmasks, ipmask); | |
742 | } | |
743 | ||
f1368a33 | 744 | TAKE_PTR(peer); |
e5719363 JT |
745 | return 0; |
746 | } | |
747 | ||
03fec543 YW |
748 | int config_parse_wireguard_endpoint( |
749 | const char *unit, | |
750 | const char *filename, | |
751 | unsigned line, | |
752 | const char *section, | |
753 | unsigned section_line, | |
754 | const char *lvalue, | |
755 | int ltype, | |
756 | const char *rvalue, | |
757 | void *data, | |
758 | void *userdata) { | |
f1368a33 YW |
759 | |
760 | _cleanup_(wireguard_peer_free_or_set_invalidp) WireguardPeer *peer = NULL; | |
761 | const char *begin, *end; | |
e5719363 | 762 | Wireguard *w; |
e5719363 | 763 | size_t len; |
f1368a33 | 764 | int r; |
e5719363 JT |
765 | |
766 | assert(data); | |
767 | assert(rvalue); | |
768 | ||
769 | w = WIREGUARD(data); | |
e5719363 JT |
770 | assert(w); |
771 | ||
f1368a33 YW |
772 | r = wireguard_peer_new_static(w, filename, section_line, &peer); |
773 | if (r < 0) | |
774 | return r; | |
e5719363 | 775 | |
e5719363 JT |
776 | if (rvalue[0] == '[') { |
777 | begin = &rvalue[1]; | |
778 | end = strchr(rvalue, ']'); | |
779 | if (!end) { | |
f1368a33 YW |
780 | log_syntax(unit, LOG_ERR, filename, line, 0, |
781 | "Unable to find matching brace of endpoint, ignoring assignment: %s", | |
782 | rvalue); | |
e5719363 JT |
783 | return 0; |
784 | } | |
785 | len = end - begin; | |
786 | ++end; | |
787 | if (*end != ':' || !*(end + 1)) { | |
f1368a33 YW |
788 | log_syntax(unit, LOG_ERR, filename, line, 0, |
789 | "Unable to find port of endpoint, ignoring assignment: %s", | |
790 | rvalue); | |
e5719363 JT |
791 | return 0; |
792 | } | |
793 | ++end; | |
794 | } else { | |
795 | begin = rvalue; | |
796 | end = strrchr(rvalue, ':'); | |
797 | if (!end || !*(end + 1)) { | |
f1368a33 YW |
798 | log_syntax(unit, LOG_ERR, filename, line, 0, |
799 | "Unable to find port of endpoint, ignoring assignment: %s", | |
800 | rvalue); | |
e5719363 JT |
801 | return 0; |
802 | } | |
803 | len = end - begin; | |
804 | ++end; | |
805 | } | |
806 | ||
5f07d640 YW |
807 | r = free_and_strndup(&peer->endpoint_host, begin, len); |
808 | if (r < 0) | |
e5719363 JT |
809 | return log_oom(); |
810 | ||
5f07d640 YW |
811 | r = free_and_strdup(&peer->endpoint_port, end); |
812 | if (r < 0) | |
e5719363 JT |
813 | return log_oom(); |
814 | ||
f1368a33 YW |
815 | r = set_ensure_allocated(&w->peers_with_unresolved_endpoint, NULL); |
816 | if (r < 0) | |
fc721553 YW |
817 | return log_oom(); |
818 | ||
f1368a33 YW |
819 | r = set_put(w->peers_with_unresolved_endpoint, peer); |
820 | if (r < 0) | |
821 | return r; | |
e5719363 | 822 | |
f1368a33 | 823 | TAKE_PTR(peer); |
e5719363 JT |
824 | return 0; |
825 | } | |
826 | ||
03fec543 YW |
827 | int config_parse_wireguard_keepalive( |
828 | const char *unit, | |
829 | const char *filename, | |
830 | unsigned line, | |
831 | const char *section, | |
832 | unsigned section_line, | |
833 | const char *lvalue, | |
834 | int ltype, | |
835 | const char *rvalue, | |
836 | void *data, | |
837 | void *userdata) { | |
f1368a33 YW |
838 | |
839 | _cleanup_(wireguard_peer_free_or_set_invalidp) WireguardPeer *peer = NULL; | |
e5719363 JT |
840 | uint16_t keepalive = 0; |
841 | Wireguard *w; | |
f1368a33 | 842 | int r; |
e5719363 JT |
843 | |
844 | assert(rvalue); | |
845 | assert(data); | |
846 | ||
847 | w = WIREGUARD(data); | |
e5719363 JT |
848 | assert(w); |
849 | ||
f1368a33 YW |
850 | r = wireguard_peer_new_static(w, filename, section_line, &peer); |
851 | if (r < 0) | |
852 | return r; | |
e5719363 JT |
853 | |
854 | if (streq(rvalue, "off")) | |
855 | keepalive = 0; | |
856 | else { | |
857 | r = safe_atou16(rvalue, &keepalive); | |
f1368a33 YW |
858 | if (r < 0) { |
859 | log_syntax(unit, LOG_ERR, filename, line, r, | |
860 | "The persistent keepalive interval must be 0-65535. Ignore assignment: %s", | |
861 | rvalue); | |
862 | return 0; | |
863 | } | |
e5719363 JT |
864 | } |
865 | ||
866 | peer->persistent_keepalive_interval = keepalive; | |
f1368a33 YW |
867 | |
868 | TAKE_PTR(peer); | |
e5719363 JT |
869 | return 0; |
870 | } | |
871 | ||
872 | static void wireguard_init(NetDev *netdev) { | |
873 | Wireguard *w; | |
874 | ||
875 | assert(netdev); | |
e5719363 | 876 | w = WIREGUARD(netdev); |
e5719363 JT |
877 | assert(w); |
878 | ||
879 | w->flags = WGDEVICE_F_REPLACE_PEERS; | |
880 | } | |
881 | ||
882 | static void wireguard_done(NetDev *netdev) { | |
883 | Wireguard *w; | |
e5719363 JT |
884 | |
885 | assert(netdev); | |
886 | w = WIREGUARD(netdev); | |
c195364d | 887 | assert(w); |
e5719363 | 888 | |
85c987a8 YW |
889 | sd_event_source_unref(w->resolve_retry_event_source); |
890 | ||
6ef5c881 | 891 | explicit_bzero_safe(w->private_key, WG_KEY_LEN); |
76df7779 YW |
892 | free(w->private_key_file); |
893 | ||
f1368a33 YW |
894 | hashmap_free_with_destructor(w->peers_by_section, wireguard_peer_free); |
895 | set_free(w->peers_with_unresolved_endpoint); | |
896 | set_free(w->peers_with_failed_endpoint); | |
897 | } | |
c195364d | 898 | |
cb31e7c8 YW |
899 | static int wireguard_read_key_file(const char *filename, uint8_t dest[static WG_KEY_LEN]) { |
900 | _cleanup_free_ char *key = NULL; | |
901 | size_t key_len; | |
902 | int r; | |
76df7779 | 903 | |
cb31e7c8 | 904 | if (!filename) |
76df7779 YW |
905 | return 0; |
906 | ||
cb31e7c8 | 907 | r = read_full_file_full(filename, READ_FULL_FILE_SECURE | READ_FULL_FILE_UNBASE64, &key, &key_len); |
76df7779 | 908 | if (r < 0) |
cb31e7c8 | 909 | return r; |
76df7779 | 910 | |
cb31e7c8 YW |
911 | if (key_len != WG_KEY_LEN) { |
912 | r = -EINVAL; | |
913 | goto finalize; | |
914 | } | |
76df7779 | 915 | |
cb31e7c8 YW |
916 | memcpy(dest, key, WG_KEY_LEN); |
917 | r = 0; | |
76df7779 | 918 | |
cb31e7c8 YW |
919 | finalize: |
920 | explicit_bzero_safe(key, key_len); | |
921 | return r; | |
76df7779 YW |
922 | } |
923 | ||
9cc9021a YW |
924 | static int wireguard_peer_verify(WireguardPeer *peer) { |
925 | NetDev *netdev = NETDEV(peer->wireguard); | |
a3945c63 | 926 | int r; |
9cc9021a YW |
927 | |
928 | if (section_is_invalid(peer->section)) | |
929 | return -EINVAL; | |
930 | ||
931 | if (eqzero(peer->public_key)) | |
932 | return log_netdev_error_errno(netdev, SYNTHETIC_ERRNO(EINVAL), | |
933 | "%s: WireGuardPeer section without PublicKey= configured. " | |
934 | "Ignoring [WireGuardPeer] section from line %u.", | |
935 | peer->section->filename, peer->section->line); | |
936 | ||
a3945c63 YW |
937 | r = wireguard_read_key_file(peer->preshared_key_file, peer->preshared_key); |
938 | if (r < 0) | |
939 | return log_netdev_error_errno(netdev, r, | |
940 | "%s: Failed to read preshared key from '%s'. " | |
941 | "Ignoring [WireGuardPeer] section from line %u.", | |
942 | peer->section->filename, peer->preshared_key_file, | |
943 | peer->section->line); | |
944 | ||
9cc9021a YW |
945 | return 0; |
946 | } | |
947 | ||
f1368a33 YW |
948 | static int wireguard_verify(NetDev *netdev, const char *filename) { |
949 | WireguardPeer *peer, *peer_next; | |
950 | Wireguard *w; | |
76df7779 | 951 | int r; |
c195364d | 952 | |
f1368a33 YW |
953 | assert(netdev); |
954 | w = WIREGUARD(netdev); | |
955 | assert(w); | |
956 | ||
cb31e7c8 YW |
957 | r = wireguard_read_key_file(w->private_key_file, w->private_key); |
958 | if (r < 0) | |
959 | return log_netdev_error_errno(netdev, r, | |
960 | "Failed to read private key from %s. Dropping network device %s.", | |
961 | w->private_key_file, netdev->ifname); | |
9cc9021a | 962 | |
cb31e7c8 YW |
963 | if (eqzero(w->private_key)) |
964 | return log_netdev_error_errno(netdev, SYNTHETIC_ERRNO(EINVAL), | |
965 | "%s: Missing PrivateKey= or PrivateKeyFile=, " | |
966 | "Dropping network device %s.", | |
967 | filename, netdev->ifname); | |
76df7779 | 968 | |
f1368a33 | 969 | LIST_FOREACH_SAFE(peers, peer, peer_next, w->peers) |
9cc9021a | 970 | if (wireguard_peer_verify(peer) < 0) |
f1368a33 YW |
971 | wireguard_peer_free(peer); |
972 | ||
973 | return 0; | |
e5719363 JT |
974 | } |
975 | ||
976 | const NetDevVTable wireguard_vtable = { | |
977 | .object_size = sizeof(Wireguard), | |
978 | .sections = "Match\0NetDev\0WireGuard\0WireGuardPeer\0", | |
979 | .post_create = netdev_wireguard_post_create, | |
980 | .init = wireguard_init, | |
981 | .done = wireguard_done, | |
982 | .create_type = NETDEV_CREATE_INDEPENDENT, | |
f1368a33 | 983 | .config_verify = wireguard_verify, |
e5719363 | 984 | }; |