]>
Commit | Line | Data |
---|---|---|
d506b89c | 1 | /* SPDX-License-Identifier: LGPL-2.1+ */ |
e5719363 | 2 | /*** |
96b2fb93 | 3 | Copyright © 2015-2017 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved. |
e5719363 JT |
4 | ***/ |
5 | ||
6 | #include <sys/ioctl.h> | |
7 | #include <net/if.h> | |
8 | ||
8173d1d0 YW |
9 | #include "sd-resolve.h" |
10 | ||
e5719363 | 11 | #include "alloc-util.h" |
85c987a8 | 12 | #include "event-util.h" |
e5719363 | 13 | #include "fd-util.h" |
76df7779 | 14 | #include "fileio.h" |
e5719363 | 15 | #include "hexdecoct.h" |
0a970718 | 16 | #include "memory-util.h" |
43409486 | 17 | #include "netlink-util.h" |
e5719363 | 18 | #include "networkd-link.h" |
e5719363 | 19 | #include "networkd-manager.h" |
a4c9ae40 YW |
20 | #include "networkd-util.h" |
21 | #include "parse-util.h" | |
76df7779 | 22 | #include "path-util.h" |
1061dab1 | 23 | #include "resolve-private.h" |
a4c9ae40 YW |
24 | #include "string-util.h" |
25 | #include "strv.h" | |
0a970718 | 26 | #include "wireguard.h" |
e5719363 JT |
27 | |
28 | static void resolve_endpoints(NetDev *netdev); | |
29 | ||
f1368a33 YW |
30 | static void wireguard_peer_free(WireguardPeer *peer) { |
31 | WireguardIPmask *mask; | |
32 | ||
33 | if (!peer) | |
34 | return; | |
35 | ||
36 | if (peer->wireguard) { | |
37 | LIST_REMOVE(peers, peer->wireguard->peers, peer); | |
38 | ||
39 | set_remove(peer->wireguard->peers_with_unresolved_endpoint, peer); | |
40 | set_remove(peer->wireguard->peers_with_failed_endpoint, peer); | |
41 | ||
42 | if (peer->section) | |
43 | hashmap_remove(peer->wireguard->peers_by_section, peer->section); | |
44 | } | |
45 | ||
46 | network_config_section_free(peer->section); | |
47 | ||
48 | while ((mask = peer->ipmasks)) { | |
49 | LIST_REMOVE(ipmasks, peer->ipmasks, mask); | |
50 | free(mask); | |
51 | } | |
52 | ||
53 | free(peer->endpoint_host); | |
54 | free(peer->endpoint_port); | |
a3945c63 | 55 | free(peer->preshared_key_file); |
6ef5c881 | 56 | explicit_bzero_safe(peer->preshared_key, WG_KEY_LEN); |
f1368a33 YW |
57 | |
58 | free(peer); | |
59 | } | |
60 | ||
61 | DEFINE_NETWORK_SECTION_FUNCTIONS(WireguardPeer, wireguard_peer_free); | |
62 | ||
63 | static int wireguard_peer_new_static(Wireguard *w, const char *filename, unsigned section_line, WireguardPeer **ret) { | |
64 | _cleanup_(network_config_section_freep) NetworkConfigSection *n = NULL; | |
65 | _cleanup_(wireguard_peer_freep) WireguardPeer *peer = NULL; | |
66 | int r; | |
e5719363 JT |
67 | |
68 | assert(w); | |
f1368a33 YW |
69 | assert(ret); |
70 | assert(filename); | |
71 | assert(section_line > 0); | |
e5719363 | 72 | |
f1368a33 YW |
73 | r = network_config_section_new(filename, section_line, &n); |
74 | if (r < 0) | |
75 | return r; | |
76 | ||
77 | peer = hashmap_get(w->peers_by_section, n); | |
78 | if (peer) { | |
79 | *ret = TAKE_PTR(peer); | |
80 | return 0; | |
81 | } | |
e5719363 | 82 | |
fc721553 | 83 | peer = new(WireguardPeer, 1); |
e5719363 | 84 | if (!peer) |
f1368a33 | 85 | return -ENOMEM; |
fc721553 YW |
86 | |
87 | *peer = (WireguardPeer) { | |
88 | .flags = WGPEER_F_REPLACE_ALLOWEDIPS, | |
f1368a33 YW |
89 | .wireguard = w, |
90 | .section = TAKE_PTR(n), | |
fc721553 | 91 | }; |
e5719363 JT |
92 | |
93 | LIST_PREPEND(peers, w->peers, peer); | |
e5719363 | 94 | |
f1368a33 YW |
95 | r = hashmap_ensure_allocated(&w->peers_by_section, &network_config_hash_ops); |
96 | if (r < 0) | |
97 | return r; | |
98 | ||
99 | r = hashmap_put(w->peers_by_section, peer->section, peer); | |
100 | if (r < 0) | |
101 | return r; | |
102 | ||
103 | *ret = TAKE_PTR(peer); | |
104 | return 0; | |
e5719363 JT |
105 | } |
106 | ||
e1f717d4 | 107 | static int wireguard_set_ipmask_one(NetDev *netdev, sd_netlink_message *message, const WireguardIPmask *mask, uint16_t index) { |
e5719363 | 108 | int r; |
e1f717d4 YW |
109 | |
110 | assert(message); | |
111 | assert(mask); | |
112 | assert(index > 0); | |
113 | ||
114 | /* This returns 1 on success, 0 on recoverable error, and negative errno on failure. */ | |
115 | ||
116 | r = sd_netlink_message_open_array(message, index); | |
117 | if (r < 0) | |
118 | return 0; | |
119 | ||
120 | r = sd_netlink_message_append_u16(message, WGALLOWEDIP_A_FAMILY, mask->family); | |
121 | if (r < 0) | |
122 | goto cancel; | |
123 | ||
43409486 | 124 | r = netlink_message_append_in_addr_union(message, WGALLOWEDIP_A_IPADDR, mask->family, &mask->ip); |
e1f717d4 YW |
125 | if (r < 0) |
126 | goto cancel; | |
127 | ||
128 | r = sd_netlink_message_append_u8(message, WGALLOWEDIP_A_CIDR_MASK, mask->cidr); | |
129 | if (r < 0) | |
130 | goto cancel; | |
131 | ||
132 | r = sd_netlink_message_close_container(message); | |
133 | if (r < 0) | |
134 | return log_netdev_error_errno(netdev, r, "Could not add wireguard allowed ip: %m"); | |
135 | ||
136 | return 1; | |
137 | ||
138 | cancel: | |
139 | r = sd_netlink_message_cancel_array(message); | |
140 | if (r < 0) | |
141 | return log_netdev_error_errno(netdev, r, "Could not cancel wireguard allowed ip message attribute: %m"); | |
142 | ||
143 | return 0; | |
144 | } | |
145 | ||
146 | static int wireguard_set_peer_one(NetDev *netdev, sd_netlink_message *message, const WireguardPeer *peer, uint16_t index, WireguardIPmask **mask_start) { | |
147 | WireguardIPmask *mask, *start; | |
148 | uint16_t j = 0; | |
149 | int r; | |
150 | ||
151 | assert(message); | |
152 | assert(peer); | |
153 | assert(index > 0); | |
154 | assert(mask_start); | |
155 | ||
156 | /* This returns 1 on success, 0 on recoverable error, and negative errno on failure. */ | |
157 | ||
158 | start = *mask_start ?: peer->ipmasks; | |
159 | ||
160 | r = sd_netlink_message_open_array(message, index); | |
161 | if (r < 0) | |
162 | return 0; | |
163 | ||
164 | r = sd_netlink_message_append_data(message, WGPEER_A_PUBLIC_KEY, &peer->public_key, sizeof(peer->public_key)); | |
165 | if (r < 0) | |
166 | goto cancel; | |
167 | ||
2301c54f | 168 | if (!*mask_start) { |
e1f717d4 YW |
169 | r = sd_netlink_message_append_data(message, WGPEER_A_PRESHARED_KEY, &peer->preshared_key, WG_KEY_LEN); |
170 | if (r < 0) | |
171 | goto cancel; | |
172 | ||
173 | r = sd_netlink_message_append_u32(message, WGPEER_A_FLAGS, peer->flags); | |
174 | if (r < 0) | |
175 | goto cancel; | |
176 | ||
177 | r = sd_netlink_message_append_u16(message, WGPEER_A_PERSISTENT_KEEPALIVE_INTERVAL, peer->persistent_keepalive_interval); | |
178 | if (r < 0) | |
179 | goto cancel; | |
180 | ||
43409486 YW |
181 | if (IN_SET(peer->endpoint.sa.sa_family, AF_INET, AF_INET6)) { |
182 | r = netlink_message_append_sockaddr_union(message, WGPEER_A_ENDPOINT, &peer->endpoint); | |
183 | if (r < 0) | |
184 | goto cancel; | |
185 | } | |
e1f717d4 YW |
186 | } |
187 | ||
188 | r = sd_netlink_message_open_container(message, WGPEER_A_ALLOWEDIPS); | |
189 | if (r < 0) | |
190 | goto cancel; | |
191 | ||
192 | LIST_FOREACH(ipmasks, mask, start) { | |
193 | r = wireguard_set_ipmask_one(netdev, message, mask, ++j); | |
194 | if (r < 0) | |
195 | return r; | |
196 | if (r == 0) | |
197 | break; | |
198 | } | |
199 | ||
200 | r = sd_netlink_message_close_container(message); | |
201 | if (r < 0) | |
202 | return log_netdev_error_errno(netdev, r, "Could not add wireguard allowed ip: %m"); | |
203 | ||
204 | r = sd_netlink_message_close_container(message); | |
205 | if (r < 0) | |
206 | return log_netdev_error_errno(netdev, r, "Could not add wireguard peer: %m"); | |
207 | ||
208 | *mask_start = mask; /* Start next cycle from this mask. */ | |
209 | return !mask; | |
210 | ||
211 | cancel: | |
212 | r = sd_netlink_message_cancel_array(message); | |
213 | if (r < 0) | |
214 | return log_netdev_error_errno(netdev, r, "Could not cancel wireguard peers: %m"); | |
215 | ||
216 | return 0; | |
217 | } | |
218 | ||
219 | static int wireguard_set_interface(NetDev *netdev) { | |
e5719363 | 220 | _cleanup_(sd_netlink_message_unrefp) sd_netlink_message *message = NULL; |
e1f717d4 YW |
221 | WireguardIPmask *mask_start = NULL; |
222 | WireguardPeer *peer, *peer_start; | |
e5719363 | 223 | uint32_t serial; |
e1f717d4 YW |
224 | Wireguard *w; |
225 | int r; | |
e5719363 JT |
226 | |
227 | assert(netdev); | |
228 | w = WIREGUARD(netdev); | |
229 | assert(w); | |
230 | ||
e1f717d4 YW |
231 | for (peer_start = w->peers; peer_start; ) { |
232 | uint16_t i = 0; | |
e5719363 | 233 | |
e5719363 JT |
234 | message = sd_netlink_message_unref(message); |
235 | ||
236 | r = sd_genl_message_new(netdev->manager->genl, SD_GENL_WIREGUARD, WG_CMD_SET_DEVICE, &message); | |
237 | if (r < 0) | |
238 | return log_netdev_error_errno(netdev, r, "Failed to allocate generic netlink message: %m"); | |
239 | ||
240 | r = sd_netlink_message_append_string(message, WGDEVICE_A_IFNAME, netdev->ifname); | |
241 | if (r < 0) | |
242 | return log_netdev_error_errno(netdev, r, "Could not append wireguard interface name: %m"); | |
243 | ||
244 | if (peer_start == w->peers) { | |
245 | r = sd_netlink_message_append_data(message, WGDEVICE_A_PRIVATE_KEY, &w->private_key, WG_KEY_LEN); | |
246 | if (r < 0) | |
247 | return log_netdev_error_errno(netdev, r, "Could not append wireguard private key: %m"); | |
248 | ||
249 | r = sd_netlink_message_append_u16(message, WGDEVICE_A_LISTEN_PORT, w->port); | |
250 | if (r < 0) | |
251 | return log_netdev_error_errno(netdev, r, "Could not append wireguard port: %m"); | |
252 | ||
253 | r = sd_netlink_message_append_u32(message, WGDEVICE_A_FWMARK, w->fwmark); | |
254 | if (r < 0) | |
255 | return log_netdev_error_errno(netdev, r, "Could not append wireguard fwmark: %m"); | |
256 | ||
257 | r = sd_netlink_message_append_u32(message, WGDEVICE_A_FLAGS, w->flags); | |
258 | if (r < 0) | |
259 | return log_netdev_error_errno(netdev, r, "Could not append wireguard flags: %m"); | |
260 | } | |
261 | ||
262 | r = sd_netlink_message_open_container(message, WGDEVICE_A_PEERS); | |
263 | if (r < 0) | |
264 | return log_netdev_error_errno(netdev, r, "Could not append wireguard peer attributes: %m"); | |
265 | ||
e5719363 | 266 | LIST_FOREACH(peers, peer, peer_start) { |
e1f717d4 | 267 | r = wireguard_set_peer_one(netdev, message, peer, ++i, &mask_start); |
e5719363 | 268 | if (r < 0) |
e1f717d4 YW |
269 | return r; |
270 | if (r == 0) | |
e5719363 | 271 | break; |
e5719363 | 272 | } |
e1f717d4 | 273 | peer_start = peer; /* Start next cycle from this peer. */ |
e5719363 JT |
274 | |
275 | r = sd_netlink_message_close_container(message); | |
276 | if (r < 0) | |
277 | return log_netdev_error_errno(netdev, r, "Could not close wireguard container: %m"); | |
278 | ||
279 | r = sd_netlink_send(netdev->manager->genl, message, &serial); | |
280 | if (r < 0) | |
281 | return log_netdev_error_errno(netdev, r, "Could not set wireguard device: %m"); | |
e1f717d4 | 282 | } |
e5719363 JT |
283 | |
284 | return 0; | |
285 | } | |
286 | ||
f1368a33 YW |
287 | static void wireguard_peer_destroy_callback(WireguardPeer *peer) { |
288 | NetDev *netdev; | |
e5719363 | 289 | |
f1368a33 YW |
290 | assert(peer); |
291 | assert(peer->wireguard); | |
8173d1d0 | 292 | |
f1368a33 | 293 | netdev = NETDEV(peer->wireguard); |
8173d1d0 | 294 | |
f1368a33 YW |
295 | if (section_is_invalid(peer->section)) |
296 | wireguard_peer_free(peer); | |
297 | ||
298 | netdev_unref(netdev); | |
299 | } | |
e5719363 JT |
300 | |
301 | static int on_resolve_retry(sd_event_source *s, usec_t usec, void *userdata) { | |
302 | NetDev *netdev = userdata; | |
303 | Wireguard *w; | |
304 | ||
305 | assert(netdev); | |
306 | w = WIREGUARD(netdev); | |
307 | assert(w); | |
308 | ||
9e2bbf99 | 309 | if (!netdev_is_managed(netdev)) |
56ba90c2 | 310 | return 0; |
e5719363 | 311 | |
f1368a33 YW |
312 | assert(set_isempty(w->peers_with_unresolved_endpoint)); |
313 | ||
314 | SWAP_TWO(w->peers_with_unresolved_endpoint, w->peers_with_failed_endpoint); | |
e5719363 JT |
315 | |
316 | resolve_endpoints(netdev); | |
317 | ||
318 | return 0; | |
319 | } | |
320 | ||
321 | /* | |
322 | * Given the number of retries this function will return will an exponential | |
323 | * increasing time in milliseconds to wait starting at 200ms and capped at 25 seconds. | |
324 | */ | |
325 | static int exponential_backoff_milliseconds(unsigned n_retries) { | |
7232c1f9 | 326 | return (2 << MIN(n_retries, 7U)) * 100 * USEC_PER_MSEC; |
e5719363 JT |
327 | } |
328 | ||
329 | static int wireguard_resolve_handler(sd_resolve_query *q, | |
330 | int ret, | |
331 | const struct addrinfo *ai, | |
f1368a33 | 332 | WireguardPeer *peer) { |
1061dab1 | 333 | NetDev *netdev; |
e5719363 | 334 | Wireguard *w; |
e5719363 JT |
335 | int r; |
336 | ||
f1368a33 YW |
337 | assert(peer); |
338 | assert(peer->wireguard); | |
e5719363 | 339 | |
f1368a33 YW |
340 | w = peer->wireguard; |
341 | netdev = NETDEV(w); | |
e5719363 | 342 | |
9e2bbf99 | 343 | if (!netdev_is_managed(netdev)) |
8173d1d0 | 344 | return 0; |
e5719363 JT |
345 | |
346 | if (ret != 0) { | |
f1368a33 YW |
347 | log_netdev_error(netdev, "Failed to resolve host '%s:%s': %s", peer->endpoint_host, peer->endpoint_port, gai_strerror(ret)); |
348 | ||
349 | r = set_ensure_allocated(&w->peers_with_failed_endpoint, NULL); | |
350 | if (r < 0) { | |
351 | log_oom(); | |
352 | peer->section->invalid = true; | |
353 | goto resolve_next; | |
354 | } | |
355 | ||
356 | r = set_put(w->peers_with_failed_endpoint, peer); | |
357 | if (r < 0) { | |
358 | log_netdev_error(netdev, "Failed to save a peer, dropping the peer: %m"); | |
359 | peer->section->invalid = true; | |
360 | goto resolve_next; | |
361 | } | |
362 | ||
e5719363 | 363 | } else if ((ai->ai_family == AF_INET && ai->ai_addrlen == sizeof(struct sockaddr_in)) || |
8173d1d0 | 364 | (ai->ai_family == AF_INET6 && ai->ai_addrlen == sizeof(struct sockaddr_in6))) |
f1368a33 | 365 | memcpy(&peer->endpoint, ai->ai_addr, ai->ai_addrlen); |
e5719363 | 366 | else |
f1368a33 YW |
367 | log_netdev_error(netdev, "Neither IPv4 nor IPv6 address found for peer endpoint %s:%s, ignoring the address.", |
368 | peer->endpoint_host, peer->endpoint_port); | |
e5719363 | 369 | |
f1368a33 YW |
370 | resolve_next: |
371 | if (!set_isempty(w->peers_with_unresolved_endpoint)) { | |
e5719363 JT |
372 | resolve_endpoints(netdev); |
373 | return 0; | |
374 | } | |
375 | ||
e1f717d4 | 376 | (void) wireguard_set_interface(netdev); |
f1368a33 YW |
377 | |
378 | if (!set_isempty(w->peers_with_failed_endpoint)) { | |
85c987a8 | 379 | usec_t usec; |
56ba90c2 | 380 | |
e5719363 | 381 | w->n_retries++; |
85c987a8 YW |
382 | usec = usec_add(now(CLOCK_MONOTONIC), exponential_backoff_milliseconds(w->n_retries)); |
383 | r = event_reset_time(netdev->manager->event, &w->resolve_retry_event_source, | |
384 | CLOCK_MONOTONIC, usec, 0, on_resolve_retry, netdev, | |
385 | 0, "wireguard-resolve-retry", true); | |
56ba90c2 | 386 | if (r < 0) { |
e5719363 | 387 | log_netdev_warning_errno(netdev, r, "Could not arm resolve retry handler: %m"); |
56ba90c2 YW |
388 | return 0; |
389 | } | |
e5719363 JT |
390 | } |
391 | ||
392 | return 0; | |
393 | } | |
394 | ||
395 | static void resolve_endpoints(NetDev *netdev) { | |
e5719363 JT |
396 | static const struct addrinfo hints = { |
397 | .ai_family = AF_UNSPEC, | |
398 | .ai_socktype = SOCK_DGRAM, | |
399 | .ai_protocol = IPPROTO_UDP | |
400 | }; | |
f1368a33 | 401 | WireguardPeer *peer; |
8173d1d0 | 402 | Wireguard *w; |
f1368a33 | 403 | Iterator i; |
86e2be7b | 404 | int r; |
e5719363 JT |
405 | |
406 | assert(netdev); | |
407 | w = WIREGUARD(netdev); | |
408 | assert(w); | |
409 | ||
f1368a33 | 410 | SET_FOREACH(peer, w->peers_with_unresolved_endpoint, i) { |
1061dab1 YW |
411 | r = resolve_getaddrinfo(netdev->manager->resolve, |
412 | NULL, | |
f1368a33 YW |
413 | peer->endpoint_host, |
414 | peer->endpoint_port, | |
1061dab1 YW |
415 | &hints, |
416 | wireguard_resolve_handler, | |
f1368a33 YW |
417 | wireguard_peer_destroy_callback, |
418 | peer); | |
e5719363 JT |
419 | if (r == -ENOBUFS) |
420 | break; | |
8173d1d0 YW |
421 | if (r < 0) { |
422 | log_netdev_error_errno(netdev, r, "Failed to create resolver: %m"); | |
423 | continue; | |
424 | } | |
e5719363 | 425 | |
8173d1d0 YW |
426 | /* Avoid freeing netdev. It will be unrefed by the destroy callback. */ |
427 | netdev_ref(netdev); | |
428 | ||
f1368a33 | 429 | (void) set_remove(w->peers_with_unresolved_endpoint, peer); |
e5719363 JT |
430 | } |
431 | } | |
432 | ||
e5719363 | 433 | static int netdev_wireguard_post_create(NetDev *netdev, Link *link, sd_netlink_message *m) { |
e5719363 | 434 | assert(netdev); |
10c353e1 | 435 | assert(WIREGUARD(netdev)); |
e5719363 | 436 | |
e1f717d4 | 437 | (void) wireguard_set_interface(netdev); |
e5719363 JT |
438 | resolve_endpoints(netdev); |
439 | return 0; | |
440 | } | |
441 | ||
03fec543 YW |
442 | int config_parse_wireguard_listen_port( |
443 | const char *unit, | |
444 | const char *filename, | |
445 | unsigned line, | |
446 | const char *section, | |
447 | unsigned section_line, | |
448 | const char *lvalue, | |
449 | int ltype, | |
450 | const char *rvalue, | |
451 | void *data, | |
452 | void *userdata) { | |
453 | ||
e5719363 | 454 | uint16_t *s = data; |
e5719363 JT |
455 | int r; |
456 | ||
457 | assert(rvalue); | |
458 | assert(data); | |
459 | ||
a62b7bb7 YW |
460 | if (isempty(rvalue) || streq(rvalue, "auto")) { |
461 | *s = 0; | |
462 | return 0; | |
463 | } | |
464 | ||
465 | r = parse_ip_port(rvalue, s); | |
466 | if (r < 0) { | |
467 | log_syntax(unit, LOG_ERR, filename, line, r, | |
468 | "Invalid port specification, ignoring assignment: %s", rvalue); | |
469 | return 0; | |
e5719363 JT |
470 | } |
471 | ||
e5719363 JT |
472 | return 0; |
473 | } | |
474 | ||
fedcb4c3 YW |
475 | static int wireguard_decode_key_and_warn( |
476 | const char *rvalue, | |
2b942a92 | 477 | uint8_t ret[static WG_KEY_LEN], |
fedcb4c3 YW |
478 | const char *unit, |
479 | const char *filename, | |
480 | unsigned line, | |
481 | const char *lvalue) { | |
03fec543 | 482 | |
e5719363 JT |
483 | _cleanup_free_ void *key = NULL; |
484 | size_t len; | |
485 | int r; | |
486 | ||
e5719363 | 487 | assert(rvalue); |
fedcb4c3 YW |
488 | assert(ret); |
489 | assert(filename); | |
490 | assert(lvalue); | |
491 | ||
492 | if (isempty(rvalue)) { | |
493 | memzero(ret, WG_KEY_LEN); | |
494 | return 0; | |
495 | } | |
e5719363 | 496 | |
26f86d50 YW |
497 | if (!streq(lvalue, "PublicKey")) |
498 | (void) warn_file_is_world_accessible(filename, NULL, unit, line); | |
499 | ||
6ef5c881 | 500 | r = unbase64mem_full(rvalue, strlen(rvalue), true, &key, &len); |
86a3d44d YW |
501 | if (r < 0) |
502 | return log_syntax(unit, LOG_ERR, filename, line, r, | |
583eb170 | 503 | "Failed to decode wireguard key provided by %s=, ignoring assignment: %m", lvalue); |
e5719363 | 504 | if (len != WG_KEY_LEN) { |
86a3d44d YW |
505 | explicit_bzero_safe(key, len); |
506 | return log_syntax(unit, LOG_ERR, filename, line, 0, | |
583eb170 YW |
507 | "Wireguard key provided by %s= has invalid length (%zu bytes), ignoring assignment.", |
508 | lvalue, len); | |
e5719363 JT |
509 | } |
510 | ||
fedcb4c3 | 511 | memcpy(ret, key, WG_KEY_LEN); |
86a3d44d | 512 | return 0; |
e5719363 JT |
513 | } |
514 | ||
03fec543 YW |
515 | int config_parse_wireguard_private_key( |
516 | const char *unit, | |
517 | const char *filename, | |
518 | unsigned line, | |
519 | const char *section, | |
520 | unsigned section_line, | |
521 | const char *lvalue, | |
522 | int ltype, | |
523 | const char *rvalue, | |
524 | void *data, | |
525 | void *userdata) { | |
526 | ||
e5719363 JT |
527 | Wireguard *w; |
528 | ||
529 | assert(data); | |
e5719363 | 530 | w = WIREGUARD(data); |
e5719363 JT |
531 | assert(w); |
532 | ||
6ef5c881 YW |
533 | (void) wireguard_decode_key_and_warn(rvalue, w->private_key, unit, filename, line, lvalue); |
534 | return 0; | |
e5719363 JT |
535 | } |
536 | ||
76df7779 YW |
537 | int config_parse_wireguard_private_key_file( |
538 | const char *unit, | |
539 | const char *filename, | |
540 | unsigned line, | |
541 | const char *section, | |
542 | unsigned section_line, | |
543 | const char *lvalue, | |
544 | int ltype, | |
545 | const char *rvalue, | |
546 | void *data, | |
547 | void *userdata) { | |
548 | ||
549 | _cleanup_free_ char *path = NULL; | |
550 | Wireguard *w; | |
551 | ||
552 | assert(data); | |
553 | w = WIREGUARD(data); | |
554 | assert(w); | |
555 | ||
556 | if (isempty(rvalue)) { | |
557 | w->private_key_file = mfree(w->private_key_file); | |
558 | return 0; | |
559 | } | |
560 | ||
561 | path = strdup(rvalue); | |
562 | if (!path) | |
563 | return log_oom(); | |
564 | ||
565 | if (path_simplify_and_warn(path, PATH_CHECK_ABSOLUTE, unit, filename, line, lvalue) < 0) | |
566 | return 0; | |
567 | ||
568 | return free_and_replace(w->private_key_file, path); | |
569 | } | |
570 | ||
03fec543 YW |
571 | int config_parse_wireguard_preshared_key( |
572 | const char *unit, | |
573 | const char *filename, | |
574 | unsigned line, | |
575 | const char *section, | |
576 | unsigned section_line, | |
577 | const char *lvalue, | |
578 | int ltype, | |
579 | const char *rvalue, | |
580 | void *data, | |
581 | void *userdata) { | |
f1368a33 YW |
582 | |
583 | _cleanup_(wireguard_peer_free_or_set_invalidp) WireguardPeer *peer = NULL; | |
e5719363 | 584 | Wireguard *w; |
f1368a33 | 585 | int r; |
e5719363 JT |
586 | |
587 | assert(data); | |
e5719363 | 588 | w = WIREGUARD(data); |
e5719363 JT |
589 | assert(w); |
590 | ||
f1368a33 YW |
591 | r = wireguard_peer_new_static(w, filename, section_line, &peer); |
592 | if (r < 0) | |
593 | return r; | |
e5719363 | 594 | |
fedcb4c3 | 595 | r = wireguard_decode_key_and_warn(rvalue, peer->preshared_key, unit, filename, line, lvalue); |
f1368a33 YW |
596 | if (r < 0) |
597 | return r; | |
598 | ||
599 | TAKE_PTR(peer); | |
600 | return 0; | |
e5719363 JT |
601 | } |
602 | ||
a3945c63 YW |
603 | int config_parse_wireguard_preshared_key_file( |
604 | const char *unit, | |
605 | const char *filename, | |
606 | unsigned line, | |
607 | const char *section, | |
608 | unsigned section_line, | |
609 | const char *lvalue, | |
610 | int ltype, | |
611 | const char *rvalue, | |
612 | void *data, | |
613 | void *userdata) { | |
614 | ||
615 | _cleanup_(wireguard_peer_free_or_set_invalidp) WireguardPeer *peer = NULL; | |
616 | _cleanup_free_ char *path = NULL; | |
617 | Wireguard *w; | |
618 | int r; | |
619 | ||
620 | assert(data); | |
621 | w = WIREGUARD(data); | |
622 | assert(w); | |
623 | ||
624 | r = wireguard_peer_new_static(w, filename, section_line, &peer); | |
625 | if (r < 0) | |
626 | return r; | |
627 | ||
628 | if (isempty(rvalue)) { | |
629 | peer->preshared_key_file = mfree(peer->preshared_key_file); | |
630 | TAKE_PTR(peer); | |
631 | return 0; | |
632 | } | |
633 | ||
634 | path = strdup(rvalue); | |
635 | if (!path) | |
636 | return log_oom(); | |
637 | ||
638 | if (path_simplify_and_warn(path, PATH_CHECK_ABSOLUTE, unit, filename, line, lvalue) < 0) | |
639 | return 0; | |
640 | ||
641 | free_and_replace(peer->preshared_key_file, path); | |
642 | TAKE_PTR(peer); | |
643 | return 0; | |
644 | } | |
645 | ||
03fec543 YW |
646 | int config_parse_wireguard_public_key( |
647 | const char *unit, | |
648 | const char *filename, | |
649 | unsigned line, | |
650 | const char *section, | |
651 | unsigned section_line, | |
652 | const char *lvalue, | |
653 | int ltype, | |
654 | const char *rvalue, | |
655 | void *data, | |
656 | void *userdata) { | |
f1368a33 YW |
657 | |
658 | _cleanup_(wireguard_peer_free_or_set_invalidp) WireguardPeer *peer = NULL; | |
e5719363 | 659 | Wireguard *w; |
f1368a33 | 660 | int r; |
e5719363 JT |
661 | |
662 | assert(data); | |
e5719363 | 663 | w = WIREGUARD(data); |
e5719363 JT |
664 | assert(w); |
665 | ||
f1368a33 YW |
666 | r = wireguard_peer_new_static(w, filename, section_line, &peer); |
667 | if (r < 0) | |
668 | return r; | |
669 | ||
fedcb4c3 | 670 | r = wireguard_decode_key_and_warn(rvalue, peer->public_key, unit, filename, line, lvalue); |
f1368a33 YW |
671 | if (r < 0) |
672 | return r; | |
e5719363 | 673 | |
f1368a33 YW |
674 | TAKE_PTR(peer); |
675 | return 0; | |
e5719363 JT |
676 | } |
677 | ||
03fec543 YW |
678 | int config_parse_wireguard_allowed_ips( |
679 | const char *unit, | |
680 | const char *filename, | |
681 | unsigned line, | |
682 | const char *section, | |
683 | unsigned section_line, | |
684 | const char *lvalue, | |
685 | int ltype, | |
686 | const char *rvalue, | |
687 | void *data, | |
688 | void *userdata) { | |
f1368a33 YW |
689 | |
690 | _cleanup_(wireguard_peer_free_or_set_invalidp) WireguardPeer *peer = NULL; | |
e5719363 JT |
691 | union in_addr_union addr; |
692 | unsigned char prefixlen; | |
693 | int r, family; | |
694 | Wireguard *w; | |
e5719363 JT |
695 | WireguardIPmask *ipmask; |
696 | ||
697 | assert(rvalue); | |
698 | assert(data); | |
699 | ||
700 | w = WIREGUARD(data); | |
f1368a33 YW |
701 | assert(w); |
702 | ||
703 | r = wireguard_peer_new_static(w, filename, section_line, &peer); | |
704 | if (r < 0) | |
705 | return r; | |
e5719363 JT |
706 | |
707 | for (;;) { | |
708 | _cleanup_free_ char *word = NULL; | |
709 | ||
710 | r = extract_first_word(&rvalue, &word, "," WHITESPACE, 0); | |
711 | if (r == 0) | |
712 | break; | |
713 | if (r == -ENOMEM) | |
714 | return log_oom(); | |
715 | if (r < 0) { | |
f1368a33 YW |
716 | log_syntax(unit, LOG_ERR, filename, line, r, |
717 | "Failed to split allowed ips \"%s\" option: %m", rvalue); | |
e5719363 JT |
718 | break; |
719 | } | |
720 | ||
721 | r = in_addr_prefix_from_string_auto(word, &family, &addr, &prefixlen); | |
722 | if (r < 0) { | |
f1368a33 YW |
723 | log_syntax(unit, LOG_ERR, filename, line, r, |
724 | "Network address is invalid, ignoring assignment: %s", word); | |
725 | continue; | |
e5719363 JT |
726 | } |
727 | ||
fc721553 | 728 | ipmask = new(WireguardIPmask, 1); |
e5719363 JT |
729 | if (!ipmask) |
730 | return log_oom(); | |
fc721553 YW |
731 | |
732 | *ipmask = (WireguardIPmask) { | |
733 | .family = family, | |
734 | .ip.in6 = addr.in6, | |
735 | .cidr = prefixlen, | |
736 | }; | |
e5719363 JT |
737 | |
738 | LIST_PREPEND(ipmasks, peer->ipmasks, ipmask); | |
739 | } | |
740 | ||
f1368a33 | 741 | TAKE_PTR(peer); |
e5719363 JT |
742 | return 0; |
743 | } | |
744 | ||
03fec543 YW |
745 | int config_parse_wireguard_endpoint( |
746 | const char *unit, | |
747 | const char *filename, | |
748 | unsigned line, | |
749 | const char *section, | |
750 | unsigned section_line, | |
751 | const char *lvalue, | |
752 | int ltype, | |
753 | const char *rvalue, | |
754 | void *data, | |
755 | void *userdata) { | |
f1368a33 YW |
756 | |
757 | _cleanup_(wireguard_peer_free_or_set_invalidp) WireguardPeer *peer = NULL; | |
758 | const char *begin, *end; | |
e5719363 | 759 | Wireguard *w; |
e5719363 | 760 | size_t len; |
f1368a33 | 761 | int r; |
e5719363 JT |
762 | |
763 | assert(data); | |
764 | assert(rvalue); | |
765 | ||
766 | w = WIREGUARD(data); | |
e5719363 JT |
767 | assert(w); |
768 | ||
f1368a33 YW |
769 | r = wireguard_peer_new_static(w, filename, section_line, &peer); |
770 | if (r < 0) | |
771 | return r; | |
e5719363 | 772 | |
e5719363 JT |
773 | if (rvalue[0] == '[') { |
774 | begin = &rvalue[1]; | |
775 | end = strchr(rvalue, ']'); | |
776 | if (!end) { | |
f1368a33 YW |
777 | log_syntax(unit, LOG_ERR, filename, line, 0, |
778 | "Unable to find matching brace of endpoint, ignoring assignment: %s", | |
779 | rvalue); | |
e5719363 JT |
780 | return 0; |
781 | } | |
782 | len = end - begin; | |
783 | ++end; | |
784 | if (*end != ':' || !*(end + 1)) { | |
f1368a33 YW |
785 | log_syntax(unit, LOG_ERR, filename, line, 0, |
786 | "Unable to find port of endpoint, ignoring assignment: %s", | |
787 | rvalue); | |
e5719363 JT |
788 | return 0; |
789 | } | |
790 | ++end; | |
791 | } else { | |
792 | begin = rvalue; | |
793 | end = strrchr(rvalue, ':'); | |
794 | if (!end || !*(end + 1)) { | |
f1368a33 YW |
795 | log_syntax(unit, LOG_ERR, filename, line, 0, |
796 | "Unable to find port of endpoint, ignoring assignment: %s", | |
797 | rvalue); | |
e5719363 JT |
798 | return 0; |
799 | } | |
800 | len = end - begin; | |
801 | ++end; | |
802 | } | |
803 | ||
5f07d640 YW |
804 | r = free_and_strndup(&peer->endpoint_host, begin, len); |
805 | if (r < 0) | |
e5719363 JT |
806 | return log_oom(); |
807 | ||
5f07d640 YW |
808 | r = free_and_strdup(&peer->endpoint_port, end); |
809 | if (r < 0) | |
e5719363 JT |
810 | return log_oom(); |
811 | ||
f1368a33 YW |
812 | r = set_ensure_allocated(&w->peers_with_unresolved_endpoint, NULL); |
813 | if (r < 0) | |
fc721553 YW |
814 | return log_oom(); |
815 | ||
f1368a33 YW |
816 | r = set_put(w->peers_with_unresolved_endpoint, peer); |
817 | if (r < 0) | |
818 | return r; | |
e5719363 | 819 | |
f1368a33 | 820 | TAKE_PTR(peer); |
e5719363 JT |
821 | return 0; |
822 | } | |
823 | ||
03fec543 YW |
824 | int config_parse_wireguard_keepalive( |
825 | const char *unit, | |
826 | const char *filename, | |
827 | unsigned line, | |
828 | const char *section, | |
829 | unsigned section_line, | |
830 | const char *lvalue, | |
831 | int ltype, | |
832 | const char *rvalue, | |
833 | void *data, | |
834 | void *userdata) { | |
f1368a33 YW |
835 | |
836 | _cleanup_(wireguard_peer_free_or_set_invalidp) WireguardPeer *peer = NULL; | |
e5719363 JT |
837 | uint16_t keepalive = 0; |
838 | Wireguard *w; | |
f1368a33 | 839 | int r; |
e5719363 JT |
840 | |
841 | assert(rvalue); | |
842 | assert(data); | |
843 | ||
844 | w = WIREGUARD(data); | |
e5719363 JT |
845 | assert(w); |
846 | ||
f1368a33 YW |
847 | r = wireguard_peer_new_static(w, filename, section_line, &peer); |
848 | if (r < 0) | |
849 | return r; | |
e5719363 JT |
850 | |
851 | if (streq(rvalue, "off")) | |
852 | keepalive = 0; | |
853 | else { | |
854 | r = safe_atou16(rvalue, &keepalive); | |
f1368a33 YW |
855 | if (r < 0) { |
856 | log_syntax(unit, LOG_ERR, filename, line, r, | |
857 | "The persistent keepalive interval must be 0-65535. Ignore assignment: %s", | |
858 | rvalue); | |
859 | return 0; | |
860 | } | |
e5719363 JT |
861 | } |
862 | ||
863 | peer->persistent_keepalive_interval = keepalive; | |
f1368a33 YW |
864 | |
865 | TAKE_PTR(peer); | |
e5719363 JT |
866 | return 0; |
867 | } | |
868 | ||
869 | static void wireguard_init(NetDev *netdev) { | |
870 | Wireguard *w; | |
871 | ||
872 | assert(netdev); | |
e5719363 | 873 | w = WIREGUARD(netdev); |
e5719363 JT |
874 | assert(w); |
875 | ||
876 | w->flags = WGDEVICE_F_REPLACE_PEERS; | |
877 | } | |
878 | ||
879 | static void wireguard_done(NetDev *netdev) { | |
880 | Wireguard *w; | |
e5719363 JT |
881 | |
882 | assert(netdev); | |
883 | w = WIREGUARD(netdev); | |
c195364d | 884 | assert(w); |
e5719363 | 885 | |
85c987a8 YW |
886 | sd_event_source_unref(w->resolve_retry_event_source); |
887 | ||
6ef5c881 | 888 | explicit_bzero_safe(w->private_key, WG_KEY_LEN); |
76df7779 YW |
889 | free(w->private_key_file); |
890 | ||
f1368a33 YW |
891 | hashmap_free_with_destructor(w->peers_by_section, wireguard_peer_free); |
892 | set_free(w->peers_with_unresolved_endpoint); | |
893 | set_free(w->peers_with_failed_endpoint); | |
894 | } | |
c195364d | 895 | |
cb31e7c8 YW |
896 | static int wireguard_read_key_file(const char *filename, uint8_t dest[static WG_KEY_LEN]) { |
897 | _cleanup_free_ char *key = NULL; | |
898 | size_t key_len; | |
899 | int r; | |
76df7779 | 900 | |
cb31e7c8 | 901 | if (!filename) |
76df7779 YW |
902 | return 0; |
903 | ||
cb31e7c8 | 904 | r = read_full_file_full(filename, READ_FULL_FILE_SECURE | READ_FULL_FILE_UNBASE64, &key, &key_len); |
76df7779 | 905 | if (r < 0) |
cb31e7c8 | 906 | return r; |
76df7779 | 907 | |
cb31e7c8 YW |
908 | if (key_len != WG_KEY_LEN) { |
909 | r = -EINVAL; | |
910 | goto finalize; | |
911 | } | |
76df7779 | 912 | |
cb31e7c8 YW |
913 | memcpy(dest, key, WG_KEY_LEN); |
914 | r = 0; | |
76df7779 | 915 | |
cb31e7c8 YW |
916 | finalize: |
917 | explicit_bzero_safe(key, key_len); | |
918 | return r; | |
76df7779 YW |
919 | } |
920 | ||
9cc9021a YW |
921 | static int wireguard_peer_verify(WireguardPeer *peer) { |
922 | NetDev *netdev = NETDEV(peer->wireguard); | |
a3945c63 | 923 | int r; |
9cc9021a YW |
924 | |
925 | if (section_is_invalid(peer->section)) | |
926 | return -EINVAL; | |
927 | ||
928 | if (eqzero(peer->public_key)) | |
929 | return log_netdev_error_errno(netdev, SYNTHETIC_ERRNO(EINVAL), | |
930 | "%s: WireGuardPeer section without PublicKey= configured. " | |
931 | "Ignoring [WireGuardPeer] section from line %u.", | |
932 | peer->section->filename, peer->section->line); | |
933 | ||
a3945c63 YW |
934 | r = wireguard_read_key_file(peer->preshared_key_file, peer->preshared_key); |
935 | if (r < 0) | |
936 | return log_netdev_error_errno(netdev, r, | |
937 | "%s: Failed to read preshared key from '%s'. " | |
938 | "Ignoring [WireGuardPeer] section from line %u.", | |
939 | peer->section->filename, peer->preshared_key_file, | |
940 | peer->section->line); | |
941 | ||
9cc9021a YW |
942 | return 0; |
943 | } | |
944 | ||
f1368a33 YW |
945 | static int wireguard_verify(NetDev *netdev, const char *filename) { |
946 | WireguardPeer *peer, *peer_next; | |
947 | Wireguard *w; | |
76df7779 | 948 | int r; |
c195364d | 949 | |
f1368a33 YW |
950 | assert(netdev); |
951 | w = WIREGUARD(netdev); | |
952 | assert(w); | |
953 | ||
cb31e7c8 YW |
954 | r = wireguard_read_key_file(w->private_key_file, w->private_key); |
955 | if (r < 0) | |
956 | return log_netdev_error_errno(netdev, r, | |
957 | "Failed to read private key from %s. Dropping network device %s.", | |
958 | w->private_key_file, netdev->ifname); | |
9cc9021a | 959 | |
cb31e7c8 YW |
960 | if (eqzero(w->private_key)) |
961 | return log_netdev_error_errno(netdev, SYNTHETIC_ERRNO(EINVAL), | |
962 | "%s: Missing PrivateKey= or PrivateKeyFile=, " | |
963 | "Dropping network device %s.", | |
964 | filename, netdev->ifname); | |
76df7779 | 965 | |
f1368a33 | 966 | LIST_FOREACH_SAFE(peers, peer, peer_next, w->peers) |
9cc9021a | 967 | if (wireguard_peer_verify(peer) < 0) |
f1368a33 YW |
968 | wireguard_peer_free(peer); |
969 | ||
970 | return 0; | |
e5719363 JT |
971 | } |
972 | ||
973 | const NetDevVTable wireguard_vtable = { | |
974 | .object_size = sizeof(Wireguard), | |
975 | .sections = "Match\0NetDev\0WireGuard\0WireGuardPeer\0", | |
976 | .post_create = netdev_wireguard_post_create, | |
977 | .init = wireguard_init, | |
978 | .done = wireguard_done, | |
979 | .create_type = NETDEV_CREATE_INDEPENDENT, | |
f1368a33 | 980 | .config_verify = wireguard_verify, |
e5719363 | 981 | }; |