1 /* SPDX-License-Identifier: LGPL-2.1-or-later */
3 Copyright © 2015-2017 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.
6 /* Make sure the net/if.h header is included before any linux/ one */
8 #include <linux/if_arp.h>
9 #include <linux/ipv6_route.h>
10 #include <netinet/in.h>
11 #include <sys/ioctl.h>
13 #include "sd-resolve.h"
15 #include "alloc-util.h"
16 #include "creds-util.h"
17 #include "dns-domain.h"
18 #include "event-util.h"
21 #include "hexdecoct.h"
22 #include "memory-util.h"
23 #include "netlink-util.h"
24 #include "networkd-manager.h"
25 #include "networkd-route-util.h"
26 #include "networkd-route.h"
27 #include "networkd-util.h"
28 #include "parse-helpers.h"
29 #include "parse-util.h"
30 #include "path-util.h"
31 #include "random-util.h"
32 #include "resolve-private.h"
33 #include "string-util.h"
35 #include "wireguard.h"
37 static void wireguard_resolve_endpoints(NetDev
*netdev
);
38 static int peer_resolve_endpoint(WireguardPeer
*peer
);
40 static void wireguard_peer_clear_ipmasks(WireguardPeer
*peer
) {
43 LIST_CLEAR(ipmasks
, peer
->ipmasks
, free
);
46 static WireguardPeer
* wireguard_peer_free(WireguardPeer
*peer
) {
50 if (peer
->wireguard
) {
51 LIST_REMOVE(peers
, peer
->wireguard
->peers
, peer
);
54 hashmap_remove(peer
->wireguard
->peers_by_section
, peer
->section
);
57 config_section_free(peer
->section
);
59 wireguard_peer_clear_ipmasks(peer
);
61 free(peer
->endpoint_host
);
62 free(peer
->endpoint_port
);
63 free(peer
->public_key_file
);
64 free(peer
->preshared_key_file
);
65 explicit_bzero_safe(peer
->preshared_key
, WG_KEY_LEN
);
67 sd_event_source_disable_unref(peer
->resolve_retry_event_source
);
68 sd_resolve_query_unref(peer
->resolve_query
);
73 DEFINE_SECTION_CLEANUP_FUNCTIONS(WireguardPeer
, wireguard_peer_free
);
75 static int wireguard_peer_new_static(Wireguard
*w
, const char *filename
, unsigned section_line
, WireguardPeer
**ret
) {
76 _cleanup_(config_section_freep
) ConfigSection
*n
= NULL
;
77 _cleanup_(wireguard_peer_freep
) WireguardPeer
*peer
= NULL
;
83 assert(section_line
> 0);
85 r
= config_section_new(filename
, section_line
, &n
);
89 peer
= hashmap_get(w
->peers_by_section
, n
);
91 *ret
= TAKE_PTR(peer
);
95 peer
= new(WireguardPeer
, 1);
99 *peer
= (WireguardPeer
) {
100 .flags
= WGPEER_F_REPLACE_ALLOWEDIPS
,
102 .section
= TAKE_PTR(n
),
105 LIST_PREPEND(peers
, w
->peers
, peer
);
107 r
= hashmap_ensure_put(&w
->peers_by_section
, &config_section_hash_ops
, peer
->section
, peer
);
111 *ret
= TAKE_PTR(peer
);
115 static int wireguard_set_ipmask_one(NetDev
*netdev
, sd_netlink_message
*message
, const WireguardIPmask
*mask
, uint16_t index
) {
122 /* This returns 1 on success, 0 on recoverable error, and negative errno on failure. */
124 r
= sd_netlink_message_open_array(message
, index
);
128 r
= sd_netlink_message_append_u16(message
, WGALLOWEDIP_A_FAMILY
, mask
->family
);
132 r
= netlink_message_append_in_addr_union(message
, WGALLOWEDIP_A_IPADDR
, mask
->family
, &mask
->ip
);
136 r
= sd_netlink_message_append_u8(message
, WGALLOWEDIP_A_CIDR_MASK
, mask
->cidr
);
140 r
= sd_netlink_message_close_container(message
);
142 return log_netdev_error_errno(netdev
, r
, "Could not add wireguard allowed ip: %m");
147 r
= sd_netlink_message_cancel_array(message
);
149 return log_netdev_error_errno(netdev
, r
, "Could not cancel wireguard allowed ip message attribute: %m");
154 static int wireguard_set_peer_one(NetDev
*netdev
, sd_netlink_message
*message
, const WireguardPeer
*peer
, uint16_t index
, WireguardIPmask
**mask_start
) {
155 WireguardIPmask
*start
, *last
= NULL
;
164 /* This returns 1 on success, 0 on recoverable error, and negative errno on failure. */
166 start
= *mask_start
?: peer
->ipmasks
;
168 r
= sd_netlink_message_open_array(message
, index
);
172 r
= sd_netlink_message_append_data(message
, WGPEER_A_PUBLIC_KEY
, &peer
->public_key
, sizeof(peer
->public_key
));
177 r
= sd_netlink_message_append_data(message
, WGPEER_A_PRESHARED_KEY
, &peer
->preshared_key
, WG_KEY_LEN
);
181 r
= sd_netlink_message_append_u32(message
, WGPEER_A_FLAGS
, peer
->flags
);
185 r
= sd_netlink_message_append_u16(message
, WGPEER_A_PERSISTENT_KEEPALIVE_INTERVAL
, peer
->persistent_keepalive_interval
);
189 if (IN_SET(peer
->endpoint
.sa
.sa_family
, AF_INET
, AF_INET6
)) {
190 r
= netlink_message_append_sockaddr_union(message
, WGPEER_A_ENDPOINT
, &peer
->endpoint
);
196 r
= sd_netlink_message_open_container(message
, WGPEER_A_ALLOWEDIPS
);
200 LIST_FOREACH(ipmasks
, mask
, start
) {
201 r
= wireguard_set_ipmask_one(netdev
, message
, mask
, ++j
);
210 r
= sd_netlink_message_close_container(message
);
212 return log_netdev_error_errno(netdev
, r
, "Could not add wireguard allowed ip: %m");
214 r
= sd_netlink_message_close_container(message
);
216 return log_netdev_error_errno(netdev
, r
, "Could not add wireguard peer: %m");
218 *mask_start
= last
; /* Start next cycle from this mask. */
222 r
= sd_netlink_message_cancel_array(message
);
224 return log_netdev_error_errno(netdev
, r
, "Could not cancel wireguard peers: %m");
229 static int wireguard_set_interface(NetDev
*netdev
) {
230 _cleanup_(sd_netlink_message_unrefp
) sd_netlink_message
*message
= NULL
;
231 WireguardIPmask
*mask_start
= NULL
;
232 bool sent_once
= false;
234 Wireguard
*w
= WIREGUARD(netdev
);
237 for (WireguardPeer
*peer_start
= w
->peers
; peer_start
|| !sent_once
; ) {
240 message
= sd_netlink_message_unref(message
);
242 r
= sd_genl_message_new(netdev
->manager
->genl
, WG_GENL_NAME
, WG_CMD_SET_DEVICE
, &message
);
244 return log_netdev_error_errno(netdev
, r
, "Failed to allocate generic netlink message: %m");
246 r
= sd_netlink_message_append_string(message
, WGDEVICE_A_IFNAME
, netdev
->ifname
);
248 return log_netdev_error_errno(netdev
, r
, "Could not append wireguard interface name: %m");
250 if (peer_start
== w
->peers
) {
251 r
= sd_netlink_message_append_data(message
, WGDEVICE_A_PRIVATE_KEY
, &w
->private_key
, WG_KEY_LEN
);
253 return log_netdev_error_errno(netdev
, r
, "Could not append wireguard private key: %m");
255 r
= sd_netlink_message_append_u16(message
, WGDEVICE_A_LISTEN_PORT
, w
->port
);
257 return log_netdev_error_errno(netdev
, r
, "Could not append wireguard port: %m");
259 r
= sd_netlink_message_append_u32(message
, WGDEVICE_A_FWMARK
, w
->fwmark
);
261 return log_netdev_error_errno(netdev
, r
, "Could not append wireguard fwmark: %m");
263 r
= sd_netlink_message_append_u32(message
, WGDEVICE_A_FLAGS
, w
->flags
);
265 return log_netdev_error_errno(netdev
, r
, "Could not append wireguard flags: %m");
268 r
= sd_netlink_message_open_container(message
, WGDEVICE_A_PEERS
);
270 return log_netdev_error_errno(netdev
, r
, "Could not append wireguard peer attributes: %m");
272 WireguardPeer
*peer_last
= NULL
;
273 LIST_FOREACH(peers
, peer
, peer_start
) {
274 r
= wireguard_set_peer_one(netdev
, message
, peer
, ++i
, &mask_start
);
282 peer_start
= peer_last
; /* Start next cycle from this peer. */
284 r
= sd_netlink_message_close_container(message
);
286 return log_netdev_error_errno(netdev
, r
, "Could not close wireguard container: %m");
288 r
= sd_netlink_send(netdev
->manager
->genl
, message
, &serial
);
290 return log_netdev_error_errno(netdev
, r
, "Could not set wireguard device: %m");
298 static int on_resolve_retry(sd_event_source
*s
, usec_t usec
, void *userdata
) {
299 WireguardPeer
*peer
= ASSERT_PTR(userdata
);
302 assert(peer
->wireguard
);
304 netdev
= NETDEV(peer
->wireguard
);
306 if (!netdev_is_managed(netdev
))
309 peer
->resolve_query
= sd_resolve_query_unref(peer
->resolve_query
);
311 (void) peer_resolve_endpoint(peer
);
315 static usec_t
peer_next_resolve_usec(WireguardPeer
*peer
) {
318 /* Given the number of retries this function will return an exponential increasing amount of
319 * milliseconds to wait starting at 200ms and capped at 25 seconds. */
323 usec
= (2 << MIN(peer
->n_retries
, 7U)) * 100 * USEC_PER_MSEC
;
325 return random_u64_range(usec
/ 10) + usec
* 9 / 10;
328 static int wireguard_peer_resolve_handler(
331 const struct addrinfo
*ai
,
334 WireguardPeer
*peer
= ASSERT_PTR(userdata
);
338 assert(peer
->wireguard
);
340 netdev
= NETDEV(peer
->wireguard
);
342 if (!netdev_is_managed(netdev
))
346 log_netdev_warning(netdev
, "Failed to resolve host '%s:%s', ignoring: %s",
347 peer
->endpoint_host
, peer
->endpoint_port
, gai_strerror(ret
));
352 for (; ai
; ai
= ai
->ai_next
) {
353 if (!IN_SET(ai
->ai_family
, AF_INET
, AF_INET6
))
356 if (ai
->ai_addrlen
!= (ai
->ai_family
== AF_INET
? sizeof(struct sockaddr_in
) : sizeof(struct sockaddr_in6
)))
359 memcpy(&peer
->endpoint
, ai
->ai_addr
, ai
->ai_addrlen
);
360 (void) wireguard_set_interface(netdev
);
367 log_netdev_warning(netdev
, "Neither IPv4 nor IPv6 address found for peer endpoint %s:%s, ignoring the endpoint.",
368 peer
->endpoint_host
, peer
->endpoint_port
);
373 if (peer
->n_retries
> 0) {
374 r
= event_reset_time_relative(netdev
->manager
->event
,
375 &peer
->resolve_retry_event_source
,
377 peer_next_resolve_usec(peer
), 0,
378 on_resolve_retry
, peer
, 0, "wireguard-resolve-retry", true);
380 log_netdev_warning_errno(netdev
, r
, "Could not arm resolve retry handler for endpoint %s:%s, ignoring: %m",
381 peer
->endpoint_host
, peer
->endpoint_port
);
384 wireguard_resolve_endpoints(netdev
);
388 static int peer_resolve_endpoint(WireguardPeer
*peer
) {
389 static const struct addrinfo hints
= {
390 .ai_family
= AF_UNSPEC
,
391 .ai_socktype
= SOCK_DGRAM
,
392 .ai_protocol
= IPPROTO_UDP
398 assert(peer
->wireguard
);
400 netdev
= NETDEV(peer
->wireguard
);
402 if (!peer
->endpoint_host
|| !peer
->endpoint_port
)
403 /* Not necessary to resolve the endpoint. */
406 if (sd_event_source_get_enabled(peer
->resolve_retry_event_source
, NULL
) > 0)
407 /* Timer event source is enabled. The endpoint will be resolved later. */
410 if (peer
->resolve_query
)
411 /* Being resolved, or already resolved. */
414 r
= sd_resolve_getaddrinfo(netdev
->manager
->resolve
,
415 &peer
->resolve_query
,
419 wireguard_peer_resolve_handler
,
422 return log_netdev_full_errno(netdev
, r
== -ENOBUFS
? LOG_DEBUG
: LOG_WARNING
, r
,
423 "Failed to create endpoint resolver for %s:%s, ignoring: %m",
424 peer
->endpoint_host
, peer
->endpoint_port
);
429 static void wireguard_resolve_endpoints(NetDev
*netdev
) {
430 Wireguard
*w
= WIREGUARD(netdev
);
432 LIST_FOREACH(peers
, peer
, w
->peers
)
433 if (peer_resolve_endpoint(peer
) == -ENOBUFS
)
434 /* Too many requests. Let's resolve remaining endpoints later. */
438 static int netdev_wireguard_post_create(NetDev
*netdev
, Link
*link
) {
439 assert(WIREGUARD(netdev
));
441 (void) wireguard_set_interface(netdev
);
442 wireguard_resolve_endpoints(netdev
);
446 int config_parse_wireguard_listen_port(
448 const char *filename
,
451 unsigned section_line
,
458 uint16_t *s
= ASSERT_PTR(data
);
463 if (isempty(rvalue
) || streq(rvalue
, "auto")) {
468 r
= parse_ip_port(rvalue
, s
);
470 log_syntax(unit
, LOG_WARNING
, filename
, line
, r
,
471 "Invalid port specification, ignoring assignment: %s", rvalue
);
478 static int wireguard_decode_key_and_warn(
480 uint8_t ret
[static WG_KEY_LEN
],
482 const char *filename
,
484 const char *lvalue
) {
486 _cleanup_(erase_and_freep
) void *key
= NULL
;
487 _cleanup_(erase_and_freep
) char *cred
= NULL
;
488 const char *cred_name
;
497 if (isempty(rvalue
)) {
498 memzero(ret
, WG_KEY_LEN
);
502 cred_name
= startswith(rvalue
, "@");
504 r
= read_credential(cred_name
, (void**) &cred
, /* ret_size = */ NULL
);
508 log_syntax(unit
, LOG_WARNING
, filename
, line
, r
,
509 "Failed to read credential for wireguard key (%s=), ignoring assignment: %m",
514 } else if (!streq(lvalue
, "PublicKey"))
515 (void) warn_file_is_world_accessible(filename
, NULL
, unit
, line
);
517 r
= unbase64mem_full(cred
?: rvalue
, SIZE_MAX
, /* secure = */ true, &key
, &len
);
521 log_syntax(unit
, LOG_WARNING
, filename
, line
, r
,
522 "Failed to decode wireguard key provided by %s=, ignoring assignment: %m", lvalue
);
525 if (len
!= WG_KEY_LEN
) {
526 log_syntax(unit
, LOG_WARNING
, filename
, line
, 0,
527 "Wireguard key provided by %s= has invalid length (%zu bytes), ignoring assignment.",
532 memcpy(ret
, key
, WG_KEY_LEN
);
536 int config_parse_wireguard_private_key(
538 const char *filename
,
541 unsigned section_line
,
548 Wireguard
*w
= WIREGUARD(data
);
550 return wireguard_decode_key_and_warn(rvalue
, w
->private_key
, unit
, filename
, line
, lvalue
);
553 int config_parse_wireguard_private_key_file(
555 const char *filename
,
558 unsigned section_line
,
565 Wireguard
*w
= WIREGUARD(data
);
566 _cleanup_free_
char *path
= NULL
;
568 if (isempty(rvalue
)) {
569 w
->private_key_file
= mfree(w
->private_key_file
);
573 path
= strdup(rvalue
);
577 if (path_simplify_and_warn(path
, PATH_CHECK_ABSOLUTE
|PATH_CHECK_NON_API_VFS
, unit
, filename
, line
, lvalue
) < 0)
580 return free_and_replace(w
->private_key_file
, path
);
583 int config_parse_wireguard_peer_key(
585 const char *filename
,
588 unsigned section_line
,
595 Wireguard
*w
= WIREGUARD(data
);
596 _cleanup_(wireguard_peer_free_or_set_invalidp
) WireguardPeer
*peer
= NULL
;
599 r
= wireguard_peer_new_static(w
, filename
, section_line
, &peer
);
603 r
= wireguard_decode_key_and_warn(rvalue
,
604 streq(lvalue
, "PublicKey") ? peer
->public_key
: peer
->preshared_key
,
605 unit
, filename
, line
, lvalue
);
613 int config_parse_wireguard_peer_key_file(
615 const char *filename
,
618 unsigned section_line
,
625 Wireguard
*w
= WIREGUARD(data
);
626 _cleanup_(wireguard_peer_free_or_set_invalidp
) WireguardPeer
*peer
= NULL
;
627 _cleanup_free_
char *path
= NULL
;
634 r
= wireguard_peer_new_static(w
, filename
, section_line
, &peer
);
638 if (streq(lvalue
, "PublicKeyFile"))
639 key_file
= &peer
->public_key_file
;
640 else if (streq(lvalue
, "PresharedKeyFile"))
641 key_file
= &peer
->preshared_key_file
;
643 assert_not_reached();
645 if (isempty(rvalue
)) {
646 *key_file
= mfree(*key_file
);
651 path
= strdup(rvalue
);
655 if (path_simplify_and_warn(path
, PATH_CHECK_ABSOLUTE
|PATH_CHECK_NON_API_VFS
, unit
, filename
, line
, lvalue
) < 0)
658 free_and_replace(*key_file
, path
);
663 int config_parse_wireguard_allowed_ips(
665 const char *filename
,
668 unsigned section_line
,
677 Wireguard
*w
= WIREGUARD(data
);
678 _cleanup_(wireguard_peer_free_or_set_invalidp
) WireguardPeer
*peer
= NULL
;
679 union in_addr_union addr
;
680 unsigned char prefixlen
;
682 WireguardIPmask
*ipmask
;
684 r
= wireguard_peer_new_static(w
, filename
, section_line
, &peer
);
688 if (isempty(rvalue
)) {
689 wireguard_peer_clear_ipmasks(peer
);
694 for (const char *p
= rvalue
;;) {
695 _cleanup_free_
char *word
= NULL
;
696 union in_addr_union masked
;
698 r
= extract_first_word(&p
, &word
, "," WHITESPACE
, 0);
704 log_syntax(unit
, LOG_WARNING
, filename
, line
, r
,
705 "Failed to split allowed ips \"%s\" option: %m", rvalue
);
709 r
= in_addr_prefix_from_string_auto(word
, &family
, &addr
, &prefixlen
);
711 log_syntax(unit
, LOG_WARNING
, filename
, line
, r
,
712 "Network address is invalid, ignoring assignment: %s", word
);
717 assert_se(in_addr_mask(family
, &masked
, prefixlen
) >= 0);
718 if (!in_addr_equal(family
, &masked
, &addr
))
719 log_syntax(unit
, LOG_WARNING
, filename
, line
, 0,
720 "Specified address '%s' is not properly masked, assuming '%s'.",
722 IN_ADDR_PREFIX_TO_STRING(family
, &masked
, prefixlen
));
724 ipmask
= new(WireguardIPmask
, 1);
728 *ipmask
= (WireguardIPmask
) {
734 LIST_PREPEND(ipmasks
, peer
->ipmasks
, ipmask
);
741 int config_parse_wireguard_endpoint(
743 const char *filename
,
746 unsigned section_line
,
753 Wireguard
*w
= WIREGUARD(userdata
);
754 _cleanup_(wireguard_peer_free_or_set_invalidp
) WireguardPeer
*peer
= NULL
;
755 _cleanup_free_
char *cred
= NULL
;
756 const char *cred_name
, *endpoint
;
763 r
= wireguard_peer_new_static(w
, filename
, section_line
, &peer
);
767 cred_name
= startswith(rvalue
, "@");
769 r
= read_credential(cred_name
, (void**) &cred
, /* ret_size = */ NULL
);
773 log_syntax(unit
, LOG_WARNING
, filename
, line
, r
,
774 "Failed to read credential for wireguard endpoint, ignoring assignment: %m");
778 endpoint
= strstrip(cred
);
782 union in_addr_union addr
;
785 r
= in_addr_port_ifindex_name_from_string_auto(endpoint
, &family
, &addr
, &port
, NULL
, NULL
);
787 if (family
== AF_INET
)
788 peer
->endpoint
.in
= (struct sockaddr_in
) {
789 .sin_family
= AF_INET
,
791 .sin_port
= htobe16(port
),
793 else if (family
== AF_INET6
)
794 peer
->endpoint
.in6
= (struct sockaddr_in6
) {
795 .sin6_family
= AF_INET6
,
796 .sin6_addr
= addr
.in6
,
797 .sin6_port
= htobe16(port
),
800 assert_not_reached();
802 peer
->endpoint_host
= mfree(peer
->endpoint_host
);
803 peer
->endpoint_port
= mfree(peer
->endpoint_port
);
809 _cleanup_free_
char *host
= NULL
;
812 p
= strrchr(endpoint
, ':');
814 log_syntax(unit
, LOG_WARNING
, filename
, line
, 0,
815 "Unable to find port of endpoint, ignoring assignment: %s",
816 rvalue
); /* We log the original assignment instead of resolved credential here,
817 as the latter might be previously encrypted and we'd expose them in
818 unprotected logs otherwise. */
822 host
= strndup(endpoint
, p
- endpoint
);
827 if (!dns_name_is_valid(host
)) {
828 log_syntax(unit
, LOG_WARNING
, filename
, line
, 0,
829 "Invalid domain name of endpoint, ignoring assignment: %s",
834 r
= parse_ip_port(p
, &port
);
836 log_syntax(unit
, LOG_WARNING
, filename
, line
, r
,
837 "Invalid port of endpoint, ignoring assignment: %s",
842 peer
->endpoint
= (union sockaddr_union
) {};
844 free_and_replace(peer
->endpoint_host
, host
);
846 r
= free_and_strdup(&peer
->endpoint_port
, p
);
850 TAKE_PTR(peer
); /* The peer may already have been in the hash map, that is fine too. */
854 int config_parse_wireguard_keepalive(
856 const char *filename
,
859 unsigned section_line
,
868 Wireguard
*w
= WIREGUARD(data
);
869 _cleanup_(wireguard_peer_free_or_set_invalidp
) WireguardPeer
*peer
= NULL
;
870 uint16_t keepalive
= 0;
873 r
= wireguard_peer_new_static(w
, filename
, section_line
, &peer
);
877 if (streq(rvalue
, "off"))
880 r
= safe_atou16(rvalue
, &keepalive
);
882 log_syntax(unit
, LOG_WARNING
, filename
, line
, r
,
883 "Failed to parse \"%s\" as keepalive interval (range 0–65535), ignoring assignment: %m",
889 peer
->persistent_keepalive_interval
= keepalive
;
895 int config_parse_wireguard_route_table(
897 const char *filename
,
900 unsigned section_line
,
907 NetDev
*netdev
= ASSERT_PTR(userdata
);
908 uint32_t *table
= ASSERT_PTR(data
);
915 if (isempty(rvalue
) || parse_boolean(rvalue
) == 0) {
916 *table
= 0; /* Disabled. */
920 r
= manager_get_route_table_from_string(netdev
->manager
, rvalue
, table
);
922 log_syntax(unit
, LOG_WARNING
, filename
, line
, r
,
923 "Failed to parse %s=, ignoring assignment: %s",
931 int config_parse_wireguard_peer_route_table(
933 const char *filename
,
936 unsigned section_line
,
943 Wireguard
*w
= WIREGUARD(userdata
);
944 _cleanup_(wireguard_peer_free_or_set_invalidp
) WireguardPeer
*peer
= NULL
;
950 assert(NETDEV(w
)->manager
);
952 r
= wireguard_peer_new_static(w
, filename
, section_line
, &peer
);
956 if (isempty(rvalue
)) {
957 peer
->route_table_set
= false; /* Use the table specified in [WireGuard] section. */
962 if (parse_boolean(rvalue
) == 0) {
963 peer
->route_table
= 0; /* Disabled. */
964 peer
->route_table_set
= true;
969 r
= manager_get_route_table_from_string(NETDEV(w
)->manager
, rvalue
, &peer
->route_table
);
971 log_syntax(unit
, LOG_WARNING
, filename
, line
, r
,
972 "Failed to parse %s=, ignoring assignment: %s",
977 peer
->route_table_set
= true;
982 int config_parse_wireguard_route_priority(
984 const char *filename
,
987 unsigned section_line
,
994 uint32_t *priority
= ASSERT_PTR(data
);
1001 if (isempty(rvalue
)) {
1006 r
= safe_atou32(rvalue
, priority
);
1008 log_syntax(unit
, LOG_WARNING
, filename
, line
, r
,
1009 "Could not parse route priority \"%s\", ignoring assignment: %m", rvalue
);
1016 int config_parse_wireguard_peer_route_priority(
1018 const char *filename
,
1020 const char *section
,
1021 unsigned section_line
,
1028 _cleanup_(wireguard_peer_free_or_set_invalidp
) WireguardPeer
*peer
= NULL
;
1037 w
= WIREGUARD(userdata
);
1040 r
= wireguard_peer_new_static(w
, filename
, section_line
, &peer
);
1044 if (isempty(rvalue
)) {
1045 peer
->route_priority_set
= false; /* Use the priority specified in [WireGuard] section. */
1050 r
= safe_atou32(rvalue
, &peer
->route_priority
);
1052 log_syntax(unit
, LOG_WARNING
, filename
, line
, r
,
1053 "Could not parse route priority \"%s\", ignoring assignment: %m", rvalue
);
1057 peer
->route_priority_set
= true;
1062 static void wireguard_init(NetDev
*netdev
) {
1063 Wireguard
*w
= WIREGUARD(netdev
);
1065 w
->flags
= WGDEVICE_F_REPLACE_PEERS
;
1068 static void wireguard_done(NetDev
*netdev
) {
1069 Wireguard
*w
= WIREGUARD(netdev
);
1071 explicit_bzero_safe(w
->private_key
, WG_KEY_LEN
);
1072 free(w
->private_key_file
);
1074 hashmap_free_with_destructor(w
->peers_by_section
, wireguard_peer_free
);
1076 set_free(w
->routes
);
1079 static int wireguard_read_key_file(const char *filename
, uint8_t dest
[static WG_KEY_LEN
]) {
1080 _cleanup_(erase_and_freep
) char *key
= NULL
;
1089 r
= read_full_file_full(
1090 AT_FDCWD
, filename
, UINT64_MAX
, WG_KEY_LEN
,
1091 READ_FULL_FILE_SECURE
|
1092 READ_FULL_FILE_UNBASE64
|
1093 READ_FULL_FILE_WARN_WORLD_READABLE
|
1094 READ_FULL_FILE_CONNECT_SOCKET
|
1095 READ_FULL_FILE_FAIL_WHEN_LARGER
,
1096 NULL
, &key
, &key_len
);
1100 if (key_len
!= WG_KEY_LEN
)
1103 memcpy(dest
, key
, WG_KEY_LEN
);
1107 static int wireguard_peer_verify(WireguardPeer
*peer
) {
1108 NetDev
*netdev
= NETDEV(peer
->wireguard
);
1111 if (section_is_invalid(peer
->section
))
1114 r
= wireguard_read_key_file(peer
->public_key_file
, peer
->public_key
);
1116 return log_netdev_error_errno(netdev
, r
,
1117 "%s: Failed to read public key from '%s'. "
1118 "Ignoring [WireGuardPeer] section from line %u.",
1119 peer
->section
->filename
, peer
->public_key_file
,
1120 peer
->section
->line
);
1122 if (eqzero(peer
->public_key
))
1123 return log_netdev_error_errno(netdev
, SYNTHETIC_ERRNO(EINVAL
),
1124 "%s: WireGuardPeer section without PublicKey= configured. "
1125 "Ignoring [WireGuardPeer] section from line %u.",
1126 peer
->section
->filename
, peer
->section
->line
);
1128 r
= wireguard_read_key_file(peer
->preshared_key_file
, peer
->preshared_key
);
1130 return log_netdev_error_errno(netdev
, r
,
1131 "%s: Failed to read preshared key from '%s'. "
1132 "Ignoring [WireGuardPeer] section from line %u.",
1133 peer
->section
->filename
, peer
->preshared_key_file
,
1134 peer
->section
->line
);
1139 static int wireguard_read_default_key_cred(NetDev
*netdev
, const char *filename
) {
1140 Wireguard
*w
= WIREGUARD(netdev
);
1141 _cleanup_free_
char *config_name
= NULL
;
1146 r
= path_extract_filename(filename
, &config_name
);
1148 return log_netdev_error_errno(netdev
, r
,
1149 "%s: Failed to extract config name, ignoring network device: %m",
1152 char *p
= endswith(config_name
, ".netdev");
1154 /* Fuzzer run? Then we just ignore this device. */
1155 return log_netdev_error_errno(netdev
, SYNTHETIC_ERRNO(EINVAL
),
1156 "%s: Invalid netdev config name, refusing default key lookup.",
1160 _cleanup_(erase_and_freep
) char *cred
= NULL
;
1162 r
= read_credential(strjoina("network.wireguard.private.", config_name
), (void**) &cred
, /* ret_size = */ NULL
);
1164 return log_netdev_error_errno(netdev
, r
,
1165 "%s: No private key specified and default key isn't available, "
1166 "ignoring network device: %m",
1169 _cleanup_(erase_and_freep
) void *key
= NULL
;
1172 r
= unbase64mem_full(cred
, SIZE_MAX
, /* secure = */ true, &key
, &len
);
1174 return log_netdev_error_errno(netdev
, r
,
1175 "%s: No private key specified and default key cannot be parsed, "
1176 "ignoring network device: %m",
1178 if (len
!= WG_KEY_LEN
|| memeqzero(key
, len
))
1179 return log_netdev_error_errno(netdev
, SYNTHETIC_ERRNO(EINVAL
),
1180 "%s: No private key specified and default key is invalid. "
1181 "Ignoring network device.",
1184 memcpy(w
->private_key
, key
, WG_KEY_LEN
);
1188 static int wireguard_verify(NetDev
*netdev
, const char *filename
) {
1189 Wireguard
*w
= WIREGUARD(netdev
);
1192 r
= wireguard_read_key_file(w
->private_key_file
, w
->private_key
);
1194 return log_netdev_error_errno(netdev
, r
,
1195 "Failed to read private key from %s. Ignoring network device.",
1196 w
->private_key_file
);
1198 if (eqzero(w
->private_key
)) {
1199 r
= wireguard_read_default_key_cred(netdev
, filename
);
1204 LIST_FOREACH(peers
, peer
, w
->peers
) {
1205 if (wireguard_peer_verify(peer
) < 0) {
1206 wireguard_peer_free(peer
);
1210 if ((peer
->route_table_set
? peer
->route_table
: w
->route_table
) == 0)
1213 LIST_FOREACH(ipmasks
, ipmask
, peer
->ipmasks
) {
1214 _cleanup_(route_unrefp
) Route
*route
= NULL
;
1216 r
= route_new(&route
);
1220 /* For route_section_verify() below. */
1221 r
= config_section_new(peer
->section
->filename
, peer
->section
->line
, &route
->section
);
1225 route
->source
= NETWORK_CONFIG_SOURCE_STATIC
;
1226 route
->family
= ipmask
->family
;
1227 route
->dst
= ipmask
->ip
;
1228 route
->dst_prefixlen
= ipmask
->cidr
;
1229 route
->protocol
= RTPROT_STATIC
;
1230 route
->protocol_set
= true;
1231 route
->table
= peer
->route_table_set
? peer
->route_table
: w
->route_table
;
1232 route
->table_set
= true;
1233 route
->priority
= peer
->route_priority_set
? peer
->route_priority
: w
->route_priority
;
1234 route
->priority_set
= true;
1236 if (route_section_verify(route
) < 0)
1239 r
= set_ensure_put(&w
->routes
, &route_hash_ops
, route
);
1245 route
->wireguard
= w
;
1253 const NetDevVTable wireguard_vtable
= {
1254 .object_size
= sizeof(Wireguard
),
1255 .sections
= NETDEV_COMMON_SECTIONS
"WireGuard\0WireGuardPeer\0",
1256 .post_create
= netdev_wireguard_post_create
,
1257 .init
= wireguard_init
,
1258 .done
= wireguard_done
,
1259 .create_type
= NETDEV_CREATE_INDEPENDENT
,
1260 .config_verify
= wireguard_verify
,
1261 .iftype
= ARPHRD_NONE
,