1 /* SPDX-License-Identifier: LGPL-2.1-or-later */
3 Copyright © 2015-2017 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.
8 #include <netinet/in.h>
9 #include <linux/if_arp.h>
11 #include "sd-resolve.h"
13 #include "alloc-util.h"
14 #include "event-util.h"
17 #include "hexdecoct.h"
18 #include "memory-util.h"
19 #include "netlink-util.h"
20 #include "networkd-manager.h"
21 #include "networkd-util.h"
22 #include "parse-util.h"
23 #include "path-util.h"
24 #include "resolve-private.h"
25 #include "string-util.h"
27 #include "wireguard.h"
29 static void resolve_endpoints(NetDev
*netdev
);
31 static WireguardPeer
* wireguard_peer_free(WireguardPeer
*peer
) {
32 WireguardIPmask
*mask
;
37 if (peer
->wireguard
) {
38 LIST_REMOVE(peers
, peer
->wireguard
->peers
, peer
);
40 set_remove(peer
->wireguard
->peers_with_unresolved_endpoint
, peer
);
41 set_remove(peer
->wireguard
->peers_with_failed_endpoint
, peer
);
44 hashmap_remove(peer
->wireguard
->peers_by_section
, peer
->section
);
47 network_config_section_free(peer
->section
);
49 while ((mask
= peer
->ipmasks
)) {
50 LIST_REMOVE(ipmasks
, peer
->ipmasks
, mask
);
54 free(peer
->endpoint_host
);
55 free(peer
->endpoint_port
);
56 free(peer
->preshared_key_file
);
57 explicit_bzero_safe(peer
->preshared_key
, WG_KEY_LEN
);
62 DEFINE_NETWORK_SECTION_FUNCTIONS(WireguardPeer
, wireguard_peer_free
);
64 static int wireguard_peer_new_static(Wireguard
*w
, const char *filename
, unsigned section_line
, WireguardPeer
**ret
) {
65 _cleanup_(network_config_section_freep
) NetworkConfigSection
*n
= NULL
;
66 _cleanup_(wireguard_peer_freep
) WireguardPeer
*peer
= NULL
;
72 assert(section_line
> 0);
74 r
= network_config_section_new(filename
, section_line
, &n
);
78 peer
= hashmap_get(w
->peers_by_section
, n
);
80 *ret
= TAKE_PTR(peer
);
84 peer
= new(WireguardPeer
, 1);
88 *peer
= (WireguardPeer
) {
89 .flags
= WGPEER_F_REPLACE_ALLOWEDIPS
,
91 .section
= TAKE_PTR(n
),
94 LIST_PREPEND(peers
, w
->peers
, peer
);
96 r
= hashmap_ensure_put(&w
->peers_by_section
, &network_config_hash_ops
, peer
->section
, peer
);
100 *ret
= TAKE_PTR(peer
);
104 static int wireguard_set_ipmask_one(NetDev
*netdev
, sd_netlink_message
*message
, const WireguardIPmask
*mask
, uint16_t index
) {
111 /* This returns 1 on success, 0 on recoverable error, and negative errno on failure. */
113 r
= sd_netlink_message_open_array(message
, index
);
117 r
= sd_netlink_message_append_u16(message
, WGALLOWEDIP_A_FAMILY
, mask
->family
);
121 r
= netlink_message_append_in_addr_union(message
, WGALLOWEDIP_A_IPADDR
, mask
->family
, &mask
->ip
);
125 r
= sd_netlink_message_append_u8(message
, WGALLOWEDIP_A_CIDR_MASK
, mask
->cidr
);
129 r
= sd_netlink_message_close_container(message
);
131 return log_netdev_error_errno(netdev
, r
, "Could not add wireguard allowed ip: %m");
136 r
= sd_netlink_message_cancel_array(message
);
138 return log_netdev_error_errno(netdev
, r
, "Could not cancel wireguard allowed ip message attribute: %m");
143 static int wireguard_set_peer_one(NetDev
*netdev
, sd_netlink_message
*message
, const WireguardPeer
*peer
, uint16_t index
, WireguardIPmask
**mask_start
) {
144 WireguardIPmask
*mask
, *start
;
153 /* This returns 1 on success, 0 on recoverable error, and negative errno on failure. */
155 start
= *mask_start
?: peer
->ipmasks
;
157 r
= sd_netlink_message_open_array(message
, index
);
161 r
= sd_netlink_message_append_data(message
, WGPEER_A_PUBLIC_KEY
, &peer
->public_key
, sizeof(peer
->public_key
));
166 r
= sd_netlink_message_append_data(message
, WGPEER_A_PRESHARED_KEY
, &peer
->preshared_key
, WG_KEY_LEN
);
170 r
= sd_netlink_message_append_u32(message
, WGPEER_A_FLAGS
, peer
->flags
);
174 r
= sd_netlink_message_append_u16(message
, WGPEER_A_PERSISTENT_KEEPALIVE_INTERVAL
, peer
->persistent_keepalive_interval
);
178 if (IN_SET(peer
->endpoint
.sa
.sa_family
, AF_INET
, AF_INET6
)) {
179 r
= netlink_message_append_sockaddr_union(message
, WGPEER_A_ENDPOINT
, &peer
->endpoint
);
185 r
= sd_netlink_message_open_container(message
, WGPEER_A_ALLOWEDIPS
);
189 LIST_FOREACH(ipmasks
, mask
, start
) {
190 r
= wireguard_set_ipmask_one(netdev
, message
, mask
, ++j
);
197 r
= sd_netlink_message_close_container(message
);
199 return log_netdev_error_errno(netdev
, r
, "Could not add wireguard allowed ip: %m");
201 r
= sd_netlink_message_close_container(message
);
203 return log_netdev_error_errno(netdev
, r
, "Could not add wireguard peer: %m");
205 *mask_start
= mask
; /* Start next cycle from this mask. */
209 r
= sd_netlink_message_cancel_array(message
);
211 return log_netdev_error_errno(netdev
, r
, "Could not cancel wireguard peers: %m");
216 static int wireguard_set_interface(NetDev
*netdev
) {
217 _cleanup_(sd_netlink_message_unrefp
) sd_netlink_message
*message
= NULL
;
218 WireguardIPmask
*mask_start
= NULL
;
219 WireguardPeer
*peer
, *peer_start
;
220 bool sent_once
= false;
226 w
= WIREGUARD(netdev
);
229 for (peer_start
= w
->peers
; peer_start
|| !sent_once
; ) {
232 message
= sd_netlink_message_unref(message
);
234 r
= sd_genl_message_new(netdev
->manager
->genl
, WG_GENL_NAME
, WG_CMD_SET_DEVICE
, &message
);
236 return log_netdev_error_errno(netdev
, r
, "Failed to allocate generic netlink message: %m");
238 r
= sd_netlink_message_append_string(message
, WGDEVICE_A_IFNAME
, netdev
->ifname
);
240 return log_netdev_error_errno(netdev
, r
, "Could not append wireguard interface name: %m");
242 if (peer_start
== w
->peers
) {
243 r
= sd_netlink_message_append_data(message
, WGDEVICE_A_PRIVATE_KEY
, &w
->private_key
, WG_KEY_LEN
);
245 return log_netdev_error_errno(netdev
, r
, "Could not append wireguard private key: %m");
247 r
= sd_netlink_message_append_u16(message
, WGDEVICE_A_LISTEN_PORT
, w
->port
);
249 return log_netdev_error_errno(netdev
, r
, "Could not append wireguard port: %m");
251 r
= sd_netlink_message_append_u32(message
, WGDEVICE_A_FWMARK
, w
->fwmark
);
253 return log_netdev_error_errno(netdev
, r
, "Could not append wireguard fwmark: %m");
255 r
= sd_netlink_message_append_u32(message
, WGDEVICE_A_FLAGS
, w
->flags
);
257 return log_netdev_error_errno(netdev
, r
, "Could not append wireguard flags: %m");
260 r
= sd_netlink_message_open_container(message
, WGDEVICE_A_PEERS
);
262 return log_netdev_error_errno(netdev
, r
, "Could not append wireguard peer attributes: %m");
264 LIST_FOREACH(peers
, peer
, peer_start
) {
265 r
= wireguard_set_peer_one(netdev
, message
, peer
, ++i
, &mask_start
);
271 peer_start
= peer
; /* Start next cycle from this peer. */
273 r
= sd_netlink_message_close_container(message
);
275 return log_netdev_error_errno(netdev
, r
, "Could not close wireguard container: %m");
277 r
= sd_netlink_send(netdev
->manager
->genl
, message
, &serial
);
279 return log_netdev_error_errno(netdev
, r
, "Could not set wireguard device: %m");
287 static void wireguard_peer_destroy_callback(WireguardPeer
*peer
) {
291 assert(peer
->wireguard
);
293 netdev
= NETDEV(peer
->wireguard
);
295 if (section_is_invalid(peer
->section
))
296 wireguard_peer_free(peer
);
298 netdev_unref(netdev
);
301 static int on_resolve_retry(sd_event_source
*s
, usec_t usec
, void *userdata
) {
302 NetDev
*netdev
= userdata
;
306 w
= WIREGUARD(netdev
);
309 if (!netdev_is_managed(netdev
))
312 assert(set_isempty(w
->peers_with_unresolved_endpoint
));
314 SWAP_TWO(w
->peers_with_unresolved_endpoint
, w
->peers_with_failed_endpoint
);
316 resolve_endpoints(netdev
);
322 * Given the number of retries this function will return will an exponential
323 * increasing time in milliseconds to wait starting at 200ms and capped at 25 seconds.
325 static int exponential_backoff_milliseconds(unsigned n_retries
) {
326 return (2 << MIN(n_retries
, 7U)) * 100 * USEC_PER_MSEC
;
329 static int wireguard_resolve_handler(sd_resolve_query
*q
,
331 const struct addrinfo
*ai
,
332 WireguardPeer
*peer
) {
338 assert(peer
->wireguard
);
343 if (!netdev_is_managed(netdev
))
347 log_netdev_error(netdev
, "Failed to resolve host '%s:%s': %s", peer
->endpoint_host
, peer
->endpoint_port
, gai_strerror(ret
));
349 r
= set_ensure_put(&w
->peers_with_failed_endpoint
, NULL
, peer
);
351 log_netdev_error(netdev
, "Failed to save a peer, dropping the peer: %m");
352 peer
->section
->invalid
= true;
356 } else if ((ai
->ai_family
== AF_INET
&& ai
->ai_addrlen
== sizeof(struct sockaddr_in
)) ||
357 (ai
->ai_family
== AF_INET6
&& ai
->ai_addrlen
== sizeof(struct sockaddr_in6
)))
358 memcpy(&peer
->endpoint
, ai
->ai_addr
, ai
->ai_addrlen
);
360 log_netdev_error(netdev
, "Neither IPv4 nor IPv6 address found for peer endpoint %s:%s, ignoring the address.",
361 peer
->endpoint_host
, peer
->endpoint_port
);
364 if (!set_isempty(w
->peers_with_unresolved_endpoint
)) {
365 resolve_endpoints(netdev
);
369 (void) wireguard_set_interface(netdev
);
371 if (!set_isempty(w
->peers_with_failed_endpoint
)) {
375 usec
= usec_add(now(CLOCK_MONOTONIC
), exponential_backoff_milliseconds(w
->n_retries
));
376 r
= event_reset_time(netdev
->manager
->event
, &w
->resolve_retry_event_source
,
377 CLOCK_MONOTONIC
, usec
, 0, on_resolve_retry
, netdev
,
378 0, "wireguard-resolve-retry", true);
380 log_netdev_warning_errno(netdev
, r
, "Could not arm resolve retry handler: %m");
388 static void resolve_endpoints(NetDev
*netdev
) {
389 static const struct addrinfo hints
= {
390 .ai_family
= AF_UNSPEC
,
391 .ai_socktype
= SOCK_DGRAM
,
392 .ai_protocol
= IPPROTO_UDP
399 w
= WIREGUARD(netdev
);
402 SET_FOREACH(peer
, w
->peers_with_unresolved_endpoint
) {
403 r
= resolve_getaddrinfo(netdev
->manager
->resolve
,
408 wireguard_resolve_handler
,
409 wireguard_peer_destroy_callback
,
414 log_netdev_error_errno(netdev
, r
, "Failed to create resolver: %m");
418 /* Avoid freeing netdev. It will be unrefed by the destroy callback. */
421 (void) set_remove(w
->peers_with_unresolved_endpoint
, peer
);
425 static int netdev_wireguard_post_create(NetDev
*netdev
, Link
*link
, sd_netlink_message
*m
) {
427 assert(WIREGUARD(netdev
));
429 (void) wireguard_set_interface(netdev
);
430 resolve_endpoints(netdev
);
434 int config_parse_wireguard_listen_port(
436 const char *filename
,
439 unsigned section_line
,
452 if (isempty(rvalue
) || streq(rvalue
, "auto")) {
457 r
= parse_ip_port(rvalue
, s
);
459 log_syntax(unit
, LOG_WARNING
, filename
, line
, r
,
460 "Invalid port specification, ignoring assignment: %s", rvalue
);
467 static int wireguard_decode_key_and_warn(
469 uint8_t ret
[static WG_KEY_LEN
],
471 const char *filename
,
473 const char *lvalue
) {
475 _cleanup_(erase_and_freep
) void *key
= NULL
;
484 if (isempty(rvalue
)) {
485 memzero(ret
, WG_KEY_LEN
);
489 if (!streq(lvalue
, "PublicKey"))
490 (void) warn_file_is_world_accessible(filename
, NULL
, unit
, line
);
492 r
= unbase64mem_full(rvalue
, strlen(rvalue
), true, &key
, &len
);
496 log_syntax(unit
, LOG_WARNING
, filename
, line
, r
,
497 "Failed to decode wireguard key provided by %s=, ignoring assignment: %m", lvalue
);
500 if (len
!= WG_KEY_LEN
) {
501 log_syntax(unit
, LOG_WARNING
, filename
, line
, 0,
502 "Wireguard key provided by %s= has invalid length (%zu bytes), ignoring assignment.",
507 memcpy(ret
, key
, WG_KEY_LEN
);
511 int config_parse_wireguard_private_key(
513 const char *filename
,
516 unsigned section_line
,
529 return wireguard_decode_key_and_warn(rvalue
, w
->private_key
, unit
, filename
, line
, lvalue
);
532 int config_parse_wireguard_private_key_file(
534 const char *filename
,
537 unsigned section_line
,
544 _cleanup_free_
char *path
= NULL
;
551 if (isempty(rvalue
)) {
552 w
->private_key_file
= mfree(w
->private_key_file
);
556 path
= strdup(rvalue
);
560 if (path_simplify_and_warn(path
, PATH_CHECK_ABSOLUTE
, unit
, filename
, line
, lvalue
) < 0)
563 return free_and_replace(w
->private_key_file
, path
);
566 int config_parse_wireguard_peer_key(
568 const char *filename
,
571 unsigned section_line
,
578 _cleanup_(wireguard_peer_free_or_set_invalidp
) WireguardPeer
*peer
= NULL
;
586 r
= wireguard_peer_new_static(w
, filename
, section_line
, &peer
);
590 r
= wireguard_decode_key_and_warn(rvalue
,
591 streq(lvalue
, "PublicKey") ? peer
->public_key
: peer
->preshared_key
,
592 unit
, filename
, line
, lvalue
);
600 int config_parse_wireguard_preshared_key_file(
602 const char *filename
,
605 unsigned section_line
,
612 _cleanup_(wireguard_peer_free_or_set_invalidp
) WireguardPeer
*peer
= NULL
;
613 _cleanup_free_
char *path
= NULL
;
621 r
= wireguard_peer_new_static(w
, filename
, section_line
, &peer
);
625 if (isempty(rvalue
)) {
626 peer
->preshared_key_file
= mfree(peer
->preshared_key_file
);
631 path
= strdup(rvalue
);
635 if (path_simplify_and_warn(path
, PATH_CHECK_ABSOLUTE
, unit
, filename
, line
, lvalue
) < 0)
638 free_and_replace(peer
->preshared_key_file
, path
);
643 int config_parse_wireguard_allowed_ips(
645 const char *filename
,
648 unsigned section_line
,
655 _cleanup_(wireguard_peer_free_or_set_invalidp
) WireguardPeer
*peer
= NULL
;
656 union in_addr_union addr
;
657 unsigned char prefixlen
;
660 WireguardIPmask
*ipmask
;
668 r
= wireguard_peer_new_static(w
, filename
, section_line
, &peer
);
672 for (const char *p
= rvalue
;;) {
673 _cleanup_free_
char *word
= NULL
;
675 r
= extract_first_word(&p
, &word
, "," WHITESPACE
, 0);
681 log_syntax(unit
, LOG_WARNING
, filename
, line
, r
,
682 "Failed to split allowed ips \"%s\" option: %m", rvalue
);
686 r
= in_addr_prefix_from_string_auto(word
, &family
, &addr
, &prefixlen
);
688 log_syntax(unit
, LOG_WARNING
, filename
, line
, r
,
689 "Network address is invalid, ignoring assignment: %s", word
);
693 ipmask
= new(WireguardIPmask
, 1);
697 *ipmask
= (WireguardIPmask
) {
703 LIST_PREPEND(ipmasks
, peer
->ipmasks
, ipmask
);
710 int config_parse_wireguard_endpoint(
712 const char *filename
,
715 unsigned section_line
,
722 _cleanup_(wireguard_peer_free_or_set_invalidp
) WireguardPeer
*peer
= NULL
;
723 const char *begin
, *end
;
734 if (rvalue
[0] == '[') {
736 end
= strchr(rvalue
, ']');
738 log_syntax(unit
, LOG_WARNING
, filename
, line
, 0,
739 "Unable to find matching brace of endpoint, ignoring assignment: %s",
745 if (*end
!= ':' || !*(end
+ 1)) {
746 log_syntax(unit
, LOG_WARNING
, filename
, line
, 0,
747 "Unable to find port of endpoint, ignoring assignment: %s",
754 end
= strrchr(rvalue
, ':');
755 if (!end
|| !*(end
+ 1)) {
756 log_syntax(unit
, LOG_WARNING
, filename
, line
, 0,
757 "Unable to find port of endpoint, ignoring assignment: %s",
765 r
= wireguard_peer_new_static(w
, filename
, section_line
, &peer
);
769 r
= free_and_strndup(&peer
->endpoint_host
, begin
, len
);
773 r
= free_and_strdup(&peer
->endpoint_port
, end
);
777 r
= set_ensure_put(&w
->peers_with_unresolved_endpoint
, NULL
, peer
);
780 TAKE_PTR(peer
); /* The peer may already have been in the hash map, that is fine too. */
785 int config_parse_wireguard_keepalive(
787 const char *filename
,
790 unsigned section_line
,
797 _cleanup_(wireguard_peer_free_or_set_invalidp
) WireguardPeer
*peer
= NULL
;
798 uint16_t keepalive
= 0;
808 r
= wireguard_peer_new_static(w
, filename
, section_line
, &peer
);
812 if (streq(rvalue
, "off"))
815 r
= safe_atou16(rvalue
, &keepalive
);
817 log_syntax(unit
, LOG_WARNING
, filename
, line
, r
,
818 "Failed to parse \"%s\" as keepalive interval (range 0–65535), ignoring assignment: %m",
824 peer
->persistent_keepalive_interval
= keepalive
;
830 static void wireguard_init(NetDev
*netdev
) {
834 w
= WIREGUARD(netdev
);
837 w
->flags
= WGDEVICE_F_REPLACE_PEERS
;
840 static void wireguard_done(NetDev
*netdev
) {
844 w
= WIREGUARD(netdev
);
847 sd_event_source_unref(w
->resolve_retry_event_source
);
849 explicit_bzero_safe(w
->private_key
, WG_KEY_LEN
);
850 free(w
->private_key_file
);
852 hashmap_free_with_destructor(w
->peers_by_section
, wireguard_peer_free
);
853 set_free(w
->peers_with_unresolved_endpoint
);
854 set_free(w
->peers_with_failed_endpoint
);
857 static int wireguard_read_key_file(const char *filename
, uint8_t dest
[static WG_KEY_LEN
]) {
858 _cleanup_(erase_and_freep
) char *key
= NULL
;
867 (void) warn_file_is_world_accessible(filename
, NULL
, NULL
, 0);
869 r
= read_full_file_full(
870 AT_FDCWD
, filename
, UINT64_MAX
, SIZE_MAX
,
871 READ_FULL_FILE_SECURE
| READ_FULL_FILE_UNBASE64
| READ_FULL_FILE_WARN_WORLD_READABLE
| READ_FULL_FILE_CONNECT_SOCKET
,
872 NULL
, &key
, &key_len
);
876 if (key_len
!= WG_KEY_LEN
)
879 memcpy(dest
, key
, WG_KEY_LEN
);
883 static int wireguard_peer_verify(WireguardPeer
*peer
) {
884 NetDev
*netdev
= NETDEV(peer
->wireguard
);
887 if (section_is_invalid(peer
->section
))
890 if (eqzero(peer
->public_key
))
891 return log_netdev_error_errno(netdev
, SYNTHETIC_ERRNO(EINVAL
),
892 "%s: WireGuardPeer section without PublicKey= configured. "
893 "Ignoring [WireGuardPeer] section from line %u.",
894 peer
->section
->filename
, peer
->section
->line
);
896 r
= wireguard_read_key_file(peer
->preshared_key_file
, peer
->preshared_key
);
898 return log_netdev_error_errno(netdev
, r
,
899 "%s: Failed to read preshared key from '%s'. "
900 "Ignoring [WireGuardPeer] section from line %u.",
901 peer
->section
->filename
, peer
->preshared_key_file
,
902 peer
->section
->line
);
907 static int wireguard_verify(NetDev
*netdev
, const char *filename
) {
908 WireguardPeer
*peer
, *peer_next
;
913 w
= WIREGUARD(netdev
);
916 r
= wireguard_read_key_file(w
->private_key_file
, w
->private_key
);
918 return log_netdev_error_errno(netdev
, r
,
919 "Failed to read private key from %s. Ignoring network device.",
920 w
->private_key_file
);
922 if (eqzero(w
->private_key
))
923 return log_netdev_error_errno(netdev
, SYNTHETIC_ERRNO(EINVAL
),
924 "%s: Missing PrivateKey= or PrivateKeyFile=, "
925 "Ignoring network device.", filename
);
927 LIST_FOREACH_SAFE(peers
, peer
, peer_next
, w
->peers
)
928 if (wireguard_peer_verify(peer
) < 0)
929 wireguard_peer_free(peer
);
934 const NetDevVTable wireguard_vtable
= {
935 .object_size
= sizeof(Wireguard
),
936 .sections
= NETDEV_COMMON_SECTIONS
"WireGuard\0WireGuardPeer\0",
937 .post_create
= netdev_wireguard_post_create
,
938 .init
= wireguard_init
,
939 .done
= wireguard_done
,
940 .create_type
= NETDEV_CREATE_INDEPENDENT
,
941 .config_verify
= wireguard_verify
,
942 .iftype
= ARPHRD_NONE
,