1 /* SPDX-License-Identifier: LGPL-2.1+ */
3 Copyright © 2015-2017 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.
9 #include "sd-resolve.h"
11 #include "alloc-util.h"
12 #include "event-util.h"
15 #include "hexdecoct.h"
16 #include "memory-util.h"
17 #include "netlink-util.h"
18 #include "networkd-link.h"
19 #include "networkd-manager.h"
20 #include "networkd-util.h"
21 #include "parse-util.h"
22 #include "path-util.h"
23 #include "resolve-private.h"
24 #include "string-util.h"
26 #include "wireguard-netlink.h"
27 #include "wireguard.h"
29 static void resolve_endpoints(NetDev
*netdev
);
31 static void wireguard_peer_free(WireguardPeer
*peer
) {
32 WireguardIPmask
*mask
;
37 if (peer
->wireguard
) {
38 LIST_REMOVE(peers
, peer
->wireguard
->peers
, peer
);
40 set_remove(peer
->wireguard
->peers_with_unresolved_endpoint
, peer
);
41 set_remove(peer
->wireguard
->peers_with_failed_endpoint
, peer
);
44 hashmap_remove(peer
->wireguard
->peers_by_section
, peer
->section
);
47 network_config_section_free(peer
->section
);
49 while ((mask
= peer
->ipmasks
)) {
50 LIST_REMOVE(ipmasks
, peer
->ipmasks
, mask
);
54 free(peer
->endpoint_host
);
55 free(peer
->endpoint_port
);
60 DEFINE_NETWORK_SECTION_FUNCTIONS(WireguardPeer
, wireguard_peer_free
);
62 static int wireguard_peer_new_static(Wireguard
*w
, const char *filename
, unsigned section_line
, WireguardPeer
**ret
) {
63 _cleanup_(network_config_section_freep
) NetworkConfigSection
*n
= NULL
;
64 _cleanup_(wireguard_peer_freep
) WireguardPeer
*peer
= NULL
;
70 assert(section_line
> 0);
72 r
= network_config_section_new(filename
, section_line
, &n
);
76 peer
= hashmap_get(w
->peers_by_section
, n
);
78 *ret
= TAKE_PTR(peer
);
82 peer
= new(WireguardPeer
, 1);
86 *peer
= (WireguardPeer
) {
87 .flags
= WGPEER_F_REPLACE_ALLOWEDIPS
,
89 .section
= TAKE_PTR(n
),
92 LIST_PREPEND(peers
, w
->peers
, peer
);
94 r
= hashmap_ensure_allocated(&w
->peers_by_section
, &network_config_hash_ops
);
98 r
= hashmap_put(w
->peers_by_section
, peer
->section
, peer
);
102 *ret
= TAKE_PTR(peer
);
106 static int wireguard_set_ipmask_one(NetDev
*netdev
, sd_netlink_message
*message
, const WireguardIPmask
*mask
, uint16_t index
) {
113 /* This returns 1 on success, 0 on recoverable error, and negative errno on failure. */
115 r
= sd_netlink_message_open_array(message
, index
);
119 r
= sd_netlink_message_append_u16(message
, WGALLOWEDIP_A_FAMILY
, mask
->family
);
123 r
= netlink_message_append_in_addr_union(message
, WGALLOWEDIP_A_IPADDR
, mask
->family
, &mask
->ip
);
127 r
= sd_netlink_message_append_u8(message
, WGALLOWEDIP_A_CIDR_MASK
, mask
->cidr
);
131 r
= sd_netlink_message_close_container(message
);
133 return log_netdev_error_errno(netdev
, r
, "Could not add wireguard allowed ip: %m");
138 r
= sd_netlink_message_cancel_array(message
);
140 return log_netdev_error_errno(netdev
, r
, "Could not cancel wireguard allowed ip message attribute: %m");
145 static int wireguard_set_peer_one(NetDev
*netdev
, sd_netlink_message
*message
, const WireguardPeer
*peer
, uint16_t index
, WireguardIPmask
**mask_start
) {
146 WireguardIPmask
*mask
, *start
;
155 /* This returns 1 on success, 0 on recoverable error, and negative errno on failure. */
157 start
= *mask_start
?: peer
->ipmasks
;
159 r
= sd_netlink_message_open_array(message
, index
);
163 r
= sd_netlink_message_append_data(message
, WGPEER_A_PUBLIC_KEY
, &peer
->public_key
, sizeof(peer
->public_key
));
168 r
= sd_netlink_message_append_data(message
, WGPEER_A_PRESHARED_KEY
, &peer
->preshared_key
, WG_KEY_LEN
);
172 r
= sd_netlink_message_append_u32(message
, WGPEER_A_FLAGS
, peer
->flags
);
176 r
= sd_netlink_message_append_u16(message
, WGPEER_A_PERSISTENT_KEEPALIVE_INTERVAL
, peer
->persistent_keepalive_interval
);
180 if (IN_SET(peer
->endpoint
.sa
.sa_family
, AF_INET
, AF_INET6
)) {
181 r
= netlink_message_append_sockaddr_union(message
, WGPEER_A_ENDPOINT
, &peer
->endpoint
);
187 r
= sd_netlink_message_open_container(message
, WGPEER_A_ALLOWEDIPS
);
191 LIST_FOREACH(ipmasks
, mask
, start
) {
192 r
= wireguard_set_ipmask_one(netdev
, message
, mask
, ++j
);
199 r
= sd_netlink_message_close_container(message
);
201 return log_netdev_error_errno(netdev
, r
, "Could not add wireguard allowed ip: %m");
203 r
= sd_netlink_message_close_container(message
);
205 return log_netdev_error_errno(netdev
, r
, "Could not add wireguard peer: %m");
207 *mask_start
= mask
; /* Start next cycle from this mask. */
211 r
= sd_netlink_message_cancel_array(message
);
213 return log_netdev_error_errno(netdev
, r
, "Could not cancel wireguard peers: %m");
218 static int wireguard_set_interface(NetDev
*netdev
) {
219 _cleanup_(sd_netlink_message_unrefp
) sd_netlink_message
*message
= NULL
;
220 WireguardIPmask
*mask_start
= NULL
;
221 WireguardPeer
*peer
, *peer_start
;
227 w
= WIREGUARD(netdev
);
230 for (peer_start
= w
->peers
; peer_start
; ) {
233 message
= sd_netlink_message_unref(message
);
235 r
= sd_genl_message_new(netdev
->manager
->genl
, SD_GENL_WIREGUARD
, WG_CMD_SET_DEVICE
, &message
);
237 return log_netdev_error_errno(netdev
, r
, "Failed to allocate generic netlink message: %m");
239 r
= sd_netlink_message_append_string(message
, WGDEVICE_A_IFNAME
, netdev
->ifname
);
241 return log_netdev_error_errno(netdev
, r
, "Could not append wireguard interface name: %m");
243 if (peer_start
== w
->peers
) {
244 r
= sd_netlink_message_append_data(message
, WGDEVICE_A_PRIVATE_KEY
, &w
->private_key
, WG_KEY_LEN
);
246 return log_netdev_error_errno(netdev
, r
, "Could not append wireguard private key: %m");
248 r
= sd_netlink_message_append_u16(message
, WGDEVICE_A_LISTEN_PORT
, w
->port
);
250 return log_netdev_error_errno(netdev
, r
, "Could not append wireguard port: %m");
252 r
= sd_netlink_message_append_u32(message
, WGDEVICE_A_FWMARK
, w
->fwmark
);
254 return log_netdev_error_errno(netdev
, r
, "Could not append wireguard fwmark: %m");
256 r
= sd_netlink_message_append_u32(message
, WGDEVICE_A_FLAGS
, w
->flags
);
258 return log_netdev_error_errno(netdev
, r
, "Could not append wireguard flags: %m");
261 r
= sd_netlink_message_open_container(message
, WGDEVICE_A_PEERS
);
263 return log_netdev_error_errno(netdev
, r
, "Could not append wireguard peer attributes: %m");
265 LIST_FOREACH(peers
, peer
, peer_start
) {
266 r
= wireguard_set_peer_one(netdev
, message
, peer
, ++i
, &mask_start
);
272 peer_start
= peer
; /* Start next cycle from this peer. */
274 r
= sd_netlink_message_close_container(message
);
276 return log_netdev_error_errno(netdev
, r
, "Could not close wireguard container: %m");
278 r
= sd_netlink_send(netdev
->manager
->genl
, message
, &serial
);
280 return log_netdev_error_errno(netdev
, r
, "Could not set wireguard device: %m");
286 static void wireguard_peer_destroy_callback(WireguardPeer
*peer
) {
290 assert(peer
->wireguard
);
292 netdev
= NETDEV(peer
->wireguard
);
294 if (section_is_invalid(peer
->section
))
295 wireguard_peer_free(peer
);
297 netdev_unref(netdev
);
300 static int on_resolve_retry(sd_event_source
*s
, usec_t usec
, void *userdata
) {
301 NetDev
*netdev
= userdata
;
305 w
= WIREGUARD(netdev
);
308 if (!netdev_is_managed(netdev
))
311 assert(set_isempty(w
->peers_with_unresolved_endpoint
));
313 SWAP_TWO(w
->peers_with_unresolved_endpoint
, w
->peers_with_failed_endpoint
);
315 resolve_endpoints(netdev
);
321 * Given the number of retries this function will return will an exponential
322 * increasing time in milliseconds to wait starting at 200ms and capped at 25 seconds.
324 static int exponential_backoff_milliseconds(unsigned n_retries
) {
325 return (2 << MIN(n_retries
, 7U)) * 100 * USEC_PER_MSEC
;
328 static int wireguard_resolve_handler(sd_resolve_query
*q
,
330 const struct addrinfo
*ai
,
331 WireguardPeer
*peer
) {
337 assert(peer
->wireguard
);
342 if (!netdev_is_managed(netdev
))
346 log_netdev_error(netdev
, "Failed to resolve host '%s:%s': %s", peer
->endpoint_host
, peer
->endpoint_port
, gai_strerror(ret
));
348 r
= set_ensure_allocated(&w
->peers_with_failed_endpoint
, NULL
);
351 peer
->section
->invalid
= true;
355 r
= set_put(w
->peers_with_failed_endpoint
, peer
);
357 log_netdev_error(netdev
, "Failed to save a peer, dropping the peer: %m");
358 peer
->section
->invalid
= true;
362 } else if ((ai
->ai_family
== AF_INET
&& ai
->ai_addrlen
== sizeof(struct sockaddr_in
)) ||
363 (ai
->ai_family
== AF_INET6
&& ai
->ai_addrlen
== sizeof(struct sockaddr_in6
)))
364 memcpy(&peer
->endpoint
, ai
->ai_addr
, ai
->ai_addrlen
);
366 log_netdev_error(netdev
, "Neither IPv4 nor IPv6 address found for peer endpoint %s:%s, ignoring the address.",
367 peer
->endpoint_host
, peer
->endpoint_port
);
370 if (!set_isempty(w
->peers_with_unresolved_endpoint
)) {
371 resolve_endpoints(netdev
);
375 (void) wireguard_set_interface(netdev
);
377 if (!set_isempty(w
->peers_with_failed_endpoint
)) {
381 usec
= usec_add(now(CLOCK_MONOTONIC
), exponential_backoff_milliseconds(w
->n_retries
));
382 r
= event_reset_time(netdev
->manager
->event
, &w
->resolve_retry_event_source
,
383 CLOCK_MONOTONIC
, usec
, 0, on_resolve_retry
, netdev
,
384 0, "wireguard-resolve-retry", true);
386 log_netdev_warning_errno(netdev
, r
, "Could not arm resolve retry handler: %m");
394 static void resolve_endpoints(NetDev
*netdev
) {
395 static const struct addrinfo hints
= {
396 .ai_family
= AF_UNSPEC
,
397 .ai_socktype
= SOCK_DGRAM
,
398 .ai_protocol
= IPPROTO_UDP
406 w
= WIREGUARD(netdev
);
409 SET_FOREACH(peer
, w
->peers_with_unresolved_endpoint
, i
) {
410 r
= resolve_getaddrinfo(netdev
->manager
->resolve
,
415 wireguard_resolve_handler
,
416 wireguard_peer_destroy_callback
,
421 log_netdev_error_errno(netdev
, r
, "Failed to create resolver: %m");
425 /* Avoid freeing netdev. It will be unrefed by the destroy callback. */
428 (void) set_remove(w
->peers_with_unresolved_endpoint
, peer
);
432 static int netdev_wireguard_post_create(NetDev
*netdev
, Link
*link
, sd_netlink_message
*m
) {
434 assert(WIREGUARD(netdev
));
436 (void) wireguard_set_interface(netdev
);
437 resolve_endpoints(netdev
);
441 int config_parse_wireguard_listen_port(
443 const char *filename
,
446 unsigned section_line
,
460 if (!streq(rvalue
, "auto")) {
461 r
= parse_ip_port(rvalue
, s
);
463 log_syntax(unit
, LOG_ERR
, filename
, line
, r
,
464 "Invalid port specification, ignoring assignment: %s", rvalue
);
473 static int wireguard_decode_key_and_warn(
477 const char *filename
,
479 const char *lvalue
) {
481 _cleanup_free_
void *key
= NULL
;
490 if (isempty(rvalue
)) {
491 memzero(ret
, WG_KEY_LEN
);
495 r
= unbase64mem(rvalue
, strlen(rvalue
), &key
, &len
);
497 log_syntax(unit
, LOG_ERR
, filename
, line
, r
,
498 "Failed to decode wireguard key provided by %s=, ignoring assignment: %m", lvalue
);
501 if (len
!= WG_KEY_LEN
) {
502 log_syntax(unit
, LOG_ERR
, filename
, line
, 0,
503 "Wireguard key provided by %s= has invalid length (%zu bytes), ignoring assignment.",
508 memcpy(ret
, key
, WG_KEY_LEN
);
512 int config_parse_wireguard_private_key(
514 const char *filename
,
517 unsigned section_line
,
530 return wireguard_decode_key_and_warn(rvalue
, w
->private_key
, unit
, filename
, line
, lvalue
);
534 int config_parse_wireguard_private_key_file(
536 const char *filename
,
539 unsigned section_line
,
546 _cleanup_free_
char *path
= NULL
;
553 if (isempty(rvalue
)) {
554 w
->private_key_file
= mfree(w
->private_key_file
);
558 path
= strdup(rvalue
);
562 if (path_simplify_and_warn(path
, PATH_CHECK_ABSOLUTE
, unit
, filename
, line
, lvalue
) < 0)
565 return free_and_replace(w
->private_key_file
, path
);
568 int config_parse_wireguard_preshared_key(
570 const char *filename
,
573 unsigned section_line
,
580 _cleanup_(wireguard_peer_free_or_set_invalidp
) WireguardPeer
*peer
= NULL
;
588 r
= wireguard_peer_new_static(w
, filename
, section_line
, &peer
);
592 r
= wireguard_decode_key_and_warn(rvalue
, peer
->preshared_key
, unit
, filename
, line
, lvalue
);
600 int config_parse_wireguard_public_key(
602 const char *filename
,
605 unsigned section_line
,
612 _cleanup_(wireguard_peer_free_or_set_invalidp
) WireguardPeer
*peer
= NULL
;
620 r
= wireguard_peer_new_static(w
, filename
, section_line
, &peer
);
624 r
= wireguard_decode_key_and_warn(rvalue
, peer
->public_key
, unit
, filename
, line
, lvalue
);
632 int config_parse_wireguard_allowed_ips(
634 const char *filename
,
637 unsigned section_line
,
644 _cleanup_(wireguard_peer_free_or_set_invalidp
) WireguardPeer
*peer
= NULL
;
645 union in_addr_union addr
;
646 unsigned char prefixlen
;
649 WireguardIPmask
*ipmask
;
657 r
= wireguard_peer_new_static(w
, filename
, section_line
, &peer
);
662 _cleanup_free_
char *word
= NULL
;
664 r
= extract_first_word(&rvalue
, &word
, "," WHITESPACE
, 0);
670 log_syntax(unit
, LOG_ERR
, filename
, line
, r
,
671 "Failed to split allowed ips \"%s\" option: %m", rvalue
);
675 r
= in_addr_prefix_from_string_auto(word
, &family
, &addr
, &prefixlen
);
677 log_syntax(unit
, LOG_ERR
, filename
, line
, r
,
678 "Network address is invalid, ignoring assignment: %s", word
);
682 ipmask
= new(WireguardIPmask
, 1);
686 *ipmask
= (WireguardIPmask
) {
692 LIST_PREPEND(ipmasks
, peer
->ipmasks
, ipmask
);
699 int config_parse_wireguard_endpoint(
701 const char *filename
,
704 unsigned section_line
,
711 _cleanup_(wireguard_peer_free_or_set_invalidp
) WireguardPeer
*peer
= NULL
;
712 const char *begin
, *end
;
723 r
= wireguard_peer_new_static(w
, filename
, section_line
, &peer
);
727 if (rvalue
[0] == '[') {
729 end
= strchr(rvalue
, ']');
731 log_syntax(unit
, LOG_ERR
, filename
, line
, 0,
732 "Unable to find matching brace of endpoint, ignoring assignment: %s",
738 if (*end
!= ':' || !*(end
+ 1)) {
739 log_syntax(unit
, LOG_ERR
, filename
, line
, 0,
740 "Unable to find port of endpoint, ignoring assignment: %s",
747 end
= strrchr(rvalue
, ':');
748 if (!end
|| !*(end
+ 1)) {
749 log_syntax(unit
, LOG_ERR
, filename
, line
, 0,
750 "Unable to find port of endpoint, ignoring assignment: %s",
758 r
= free_and_strndup(&peer
->endpoint_host
, begin
, len
);
762 r
= free_and_strdup(&peer
->endpoint_port
, end
);
766 r
= set_ensure_allocated(&w
->peers_with_unresolved_endpoint
, NULL
);
770 r
= set_put(w
->peers_with_unresolved_endpoint
, peer
);
778 int config_parse_wireguard_keepalive(
780 const char *filename
,
783 unsigned section_line
,
790 _cleanup_(wireguard_peer_free_or_set_invalidp
) WireguardPeer
*peer
= NULL
;
791 uint16_t keepalive
= 0;
801 r
= wireguard_peer_new_static(w
, filename
, section_line
, &peer
);
805 if (streq(rvalue
, "off"))
808 r
= safe_atou16(rvalue
, &keepalive
);
810 log_syntax(unit
, LOG_ERR
, filename
, line
, r
,
811 "The persistent keepalive interval must be 0-65535. Ignore assignment: %s",
817 peer
->persistent_keepalive_interval
= keepalive
;
823 static void wireguard_init(NetDev
*netdev
) {
827 w
= WIREGUARD(netdev
);
830 w
->flags
= WGDEVICE_F_REPLACE_PEERS
;
833 static void wireguard_done(NetDev
*netdev
) {
837 w
= WIREGUARD(netdev
);
840 sd_event_source_unref(w
->resolve_retry_event_source
);
842 free(w
->private_key_file
);
844 hashmap_free_with_destructor(w
->peers_by_section
, wireguard_peer_free
);
845 set_free(w
->peers_with_unresolved_endpoint
);
846 set_free(w
->peers_with_failed_endpoint
);
849 static int wireguard_read_key_file(const char *filename
, uint8_t dest
[static WG_KEY_LEN
]) {
850 _cleanup_free_
char *key
= NULL
;
857 r
= read_full_file_full(filename
, READ_FULL_FILE_SECURE
| READ_FULL_FILE_UNBASE64
, &key
, &key_len
);
861 if (key_len
!= WG_KEY_LEN
) {
866 memcpy(dest
, key
, WG_KEY_LEN
);
870 explicit_bzero_safe(key
, key_len
);
874 static int wireguard_peer_verify(WireguardPeer
*peer
) {
875 NetDev
*netdev
= NETDEV(peer
->wireguard
);
877 if (section_is_invalid(peer
->section
))
880 if (eqzero(peer
->public_key
))
881 return log_netdev_error_errno(netdev
, SYNTHETIC_ERRNO(EINVAL
),
882 "%s: WireGuardPeer section without PublicKey= configured. "
883 "Ignoring [WireGuardPeer] section from line %u.",
884 peer
->section
->filename
, peer
->section
->line
);
889 static int wireguard_verify(NetDev
*netdev
, const char *filename
) {
890 WireguardPeer
*peer
, *peer_next
;
895 w
= WIREGUARD(netdev
);
898 r
= wireguard_read_key_file(w
->private_key_file
, w
->private_key
);
900 return log_netdev_error_errno(netdev
, r
,
901 "Failed to read private key from %s. Dropping network device %s.",
902 w
->private_key_file
, netdev
->ifname
);
904 if (eqzero(w
->private_key
))
905 return log_netdev_error_errno(netdev
, SYNTHETIC_ERRNO(EINVAL
),
906 "%s: Missing PrivateKey= or PrivateKeyFile=, "
907 "Dropping network device %s.",
908 filename
, netdev
->ifname
);
910 LIST_FOREACH_SAFE(peers
, peer
, peer_next
, w
->peers
)
911 if (wireguard_peer_verify(peer
) < 0)
912 wireguard_peer_free(peer
);
917 const NetDevVTable wireguard_vtable
= {
918 .object_size
= sizeof(Wireguard
),
919 .sections
= "Match\0NetDev\0WireGuard\0WireGuardPeer\0",
920 .post_create
= netdev_wireguard_post_create
,
921 .init
= wireguard_init
,
922 .done
= wireguard_done
,
923 .create_type
= NETDEV_CREATE_INDEPENDENT
,
924 .config_verify
= wireguard_verify
,