clean:
rm -f wireguard-go
-cloc:
- cloc $(filter-out xchacha20.go $(wildcard *_test.go), $(wildcard *.go))
-
.PHONY: clean cloc
import (
"errors"
"net"
+ "sync"
)
-/* Binary trie
- *
- * The net.IPs used here are not formatted the
- * same way as those created by the "net" functions.
- * Here the IPs are slices of either 4 or 16 byte (not always 16)
- *
- * Synchronization done separately
- * See: routing.go
- */
-
-type Trie struct {
+type trieEntry struct {
cidr uint
- child [2]*Trie
+ child [2]*trieEntry
bits []byte
peer *Peer
return i * 8
}
-func (node *Trie) RemovePeer(p *Peer) *Trie {
+func (node *trieEntry) removeByPeer(p *Peer) *trieEntry {
if node == nil {
return node
}
// walk recursively
- node.child[0] = node.child[0].RemovePeer(p)
- node.child[1] = node.child[1].RemovePeer(p)
+ node.child[0] = node.child[0].removeByPeer(p)
+ node.child[1] = node.child[1].removeByPeer(p)
if node.peer != p {
return node
return node.child[0]
}
-func (node *Trie) choose(ip net.IP) byte {
+func (node *trieEntry) choose(ip net.IP) byte {
return (ip[node.bit_at_byte] >> node.bit_at_shift) & 1
}
-func (node *Trie) Insert(ip net.IP, cidr uint, peer *Peer) *Trie {
+func (node *trieEntry) insert(ip net.IP, cidr uint, peer *Peer) *trieEntry {
// at leaf
if node == nil {
- return &Trie{
+ return &trieEntry{
bits: ip,
peer: peer,
cidr: cidr,
return node
}
bit := node.choose(ip)
- node.child[bit] = node.child[bit].Insert(ip, cidr, peer)
+ node.child[bit] = node.child[bit].insert(ip, cidr, peer)
return node
}
// split node
- newNode := &Trie{
+ newNode := &trieEntry{
bits: ip,
peer: peer,
cidr: cidr,
// create new parent for node & newNode
- parent := &Trie{
+ parent := &trieEntry{
bits: ip,
peer: nil,
cidr: cidr,
return parent
}
-func (node *Trie) Lookup(ip net.IP) *Peer {
+func (node *trieEntry) lookup(ip net.IP) *Peer {
var found *Peer
size := uint(len(ip))
for node != nil && commonBits(node.bits, ip) >= node.cidr {
return found
}
-func (node *Trie) Count() uint {
- if node == nil {
- return 0
- }
- l := node.child[0].Count()
- r := node.child[1].Count()
- return l + r
-}
-
-func (node *Trie) AllowedIPs(p *Peer, results []net.IPNet) []net.IPNet {
+func (node *trieEntry) entriesForPeer(p *Peer, results []net.IPNet) []net.IPNet {
if node == nil {
return results
}
} else if len(node.bits) == net.IPv6len {
mask.IP = node.bits
} else {
- panic(errors.New("bug: unexpected address length"))
+ panic(errors.New("unexpected address length"))
}
results = append(results, mask)
}
- results = node.child[0].AllowedIPs(p, results)
- results = node.child[1].AllowedIPs(p, results)
+ results = node.child[0].entriesForPeer(p, results)
+ results = node.child[1].entriesForPeer(p, results)
return results
}
+
+type AllowedIPs struct {
+ IPv4 *trieEntry
+ IPv6 *trieEntry
+ mutex sync.RWMutex
+}
+
+func (table *AllowedIPs) EntriesForPeer(peer *Peer) []net.IPNet {
+ table.mutex.RLock()
+ defer table.mutex.RUnlock()
+
+ allowed := make([]net.IPNet, 0, 10)
+ allowed = table.IPv4.entriesForPeer(peer, allowed)
+ allowed = table.IPv6.entriesForPeer(peer, allowed)
+ return allowed
+}
+
+func (table *AllowedIPs) Reset() {
+ table.mutex.Lock()
+ defer table.mutex.Unlock()
+
+ table.IPv4 = nil
+ table.IPv6 = nil
+}
+
+func (table *AllowedIPs) RemoveByPeer(peer *Peer) {
+ table.mutex.Lock()
+ defer table.mutex.Unlock()
+
+ table.IPv4 = table.IPv4.removeByPeer(peer)
+ table.IPv6 = table.IPv6.removeByPeer(peer)
+}
+
+func (table *AllowedIPs) Insert(ip net.IP, cidr uint, peer *Peer) {
+ table.mutex.Lock()
+ defer table.mutex.Unlock()
+
+ switch len(ip) {
+ case net.IPv6len:
+ table.IPv6 = table.IPv6.insert(ip, cidr, peer)
+ case net.IPv4len:
+ table.IPv4 = table.IPv4.insert(ip, cidr, peer)
+ default:
+ panic(errors.New("inserting unknown address type"))
+ }
+}
+
+func (table *AllowedIPs) LookupIPv4(address []byte) *Peer {
+ table.mutex.RLock()
+ defer table.mutex.RUnlock()
+ return table.IPv4.lookup(address)
+}
+
+func (table *AllowedIPs) LookupIPv6(address []byte) *Peer {
+ table.mutex.RLock()
+ defer table.mutex.RUnlock()
+ return table.IPv6.lookup(address)
+}
}
func TestTrieRandomIPv4(t *testing.T) {
- var trie *Trie
+ var trie *trieEntry
var slow SlowRouter
var peers []*Peer
rand.Read(addr[:])
cidr := uint(rand.Uint32() % (AddressLength * 8))
index := rand.Int() % NumberOfPeers
- trie = trie.Insert(addr[:], cidr, peers[index])
+ trie = trie.insert(addr[:], cidr, peers[index])
slow = slow.Insert(addr[:], cidr, peers[index])
}
var addr [AddressLength]byte
rand.Read(addr[:])
peer1 := slow.Lookup(addr[:])
- peer2 := trie.Lookup(addr[:])
+ peer2 := trie.lookup(addr[:])
if peer1 != peer2 {
- t.Error("Trie did not match naive implementation, for:", addr)
+ t.Error("trieEntry did not match naive implementation, for:", addr)
}
}
}
func TestTrieRandomIPv6(t *testing.T) {
- var trie *Trie
+ var trie *trieEntry
var slow SlowRouter
var peers []*Peer
rand.Read(addr[:])
cidr := uint(rand.Uint32() % (AddressLength * 8))
index := rand.Int() % NumberOfPeers
- trie = trie.Insert(addr[:], cidr, peers[index])
+ trie = trie.insert(addr[:], cidr, peers[index])
slow = slow.Insert(addr[:], cidr, peers[index])
}
var addr [AddressLength]byte
rand.Read(addr[:])
peer1 := slow.Lookup(addr[:])
- peer2 := trie.Lookup(addr[:])
+ peer2 := trie.lookup(addr[:])
if peer1 != peer2 {
- t.Error("Trie did not match naive implementation, for:", addr)
+ t.Error("trieEntry did not match naive implementation, for:", addr)
}
}
}
peer *Peer
}
-func printTrie(t *testing.T, p *Trie) {
+func printTrie(t *testing.T, p *trieEntry) {
if p == nil {
return
}
}
func benchmarkTrie(peerNumber int, addressNumber int, addressLength int, b *testing.B) {
- var trie *Trie
+ var trie *trieEntry
var peers []*Peer
rand.Seed(1)
rand.Read(addr[:])
cidr := uint(rand.Uint32() % (AddressLength * 8))
index := rand.Int() % peerNumber
- trie = trie.Insert(addr[:], cidr, peers[index])
+ trie = trie.insert(addr[:], cidr, peers[index])
}
for n := 0; n < b.N; n += 1 {
var addr [AddressLength]byte
rand.Read(addr[:])
- trie.Lookup(addr[:])
+ trie.lookup(addr[:])
}
}
g := &Peer{}
h := &Peer{}
- var trie *Trie
+ var trie *trieEntry
insert := func(peer *Peer, a, b, c, d byte, cidr uint) {
- trie = trie.Insert([]byte{a, b, c, d}, cidr, peer)
+ trie = trie.insert([]byte{a, b, c, d}, cidr, peer)
}
assertEQ := func(peer *Peer, a, b, c, d byte) {
- p := trie.Lookup([]byte{a, b, c, d})
+ p := trie.lookup([]byte{a, b, c, d})
if p != peer {
t.Error("Assert EQ failed")
}
}
assertNEQ := func(peer *Peer, a, b, c, d byte) {
- p := trie.Lookup([]byte{a, b, c, d})
+ p := trie.lookup([]byte{a, b, c, d})
if p == peer {
t.Error("Assert NEQ failed")
}
assertEQ(a, 192, 0, 0, 0)
assertEQ(a, 255, 0, 0, 0)
- trie = trie.RemovePeer(a)
+ trie = trie.removeByPeer(a)
assertNEQ(a, 1, 0, 0, 0)
assertNEQ(a, 64, 0, 0, 0)
insert(a, 192, 168, 0, 0, 16)
insert(a, 192, 168, 0, 0, 24)
- trie = trie.RemovePeer(a)
+ trie = trie.removeByPeer(a)
assertNEQ(a, 192, 168, 0, 1)
}
g := &Peer{}
h := &Peer{}
- var trie *Trie
+ var trie *trieEntry
expand := func(a uint32) []byte {
var out [4]byte
addr = append(addr, expand(b)...)
addr = append(addr, expand(c)...)
addr = append(addr, expand(d)...)
- trie = trie.Insert(addr, cidr, peer)
+ trie = trie.insert(addr, cidr, peer)
}
assertEQ := func(peer *Peer, a, b, c, d uint32) {
addr = append(addr, expand(b)...)
addr = append(addr, expand(c)...)
addr = append(addr, expand(d)...)
- p := trie.Lookup(addr)
+ p := trie.lookup(addr)
if p != peer {
t.Error("Assert EQ failed")
}
routing struct {
mutex sync.RWMutex
- table RoutingTable
+ table AllowedIPs
}
peers struct {
// stop routing and processing of packets
- device.routing.table.RemovePeer(peer)
+ device.routing.table.RemoveByPeer(peer)
peer.Stop()
// remove from peer map
mutex sync.RWMutex
current *Keypair
previous *Keypair
- next *Keypair // not yet "confirmed by transport"
+ next *Keypair
}
func (kp *Keypairs) Current() *Keypair {
logger.Debug = log.New(logDebug,
"DEBUG: "+prepend,
- log.Ldate|log.Ltime|log.Lshortfile,
+ log.Ldate|log.Ltime,
)
logger.Info = log.New(logInfo,
return acc == 1
}
+/* This function is not used as pervasively as it should because this is mostly impossible in Go at the moment */
func setZero(arr []byte) {
for i := range arr {
arr[i] = 0
}
}
-/* curve25519 wrappers */
-
func newPrivateKey() (sk NoisePrivateKey, err error) {
// clamping: https://cr.yp.to/ecdh.html
_, err = rand.Read(sk[:])
return err
}
if len(slice) != len(dst) {
- return errors.New("Hex string does not fit the slice")
+ return errors.New("hex string does not fit the slice")
}
copy(dst, slice)
return nil
mutex sync.Mutex // held when stopping / starting routines
starting sync.WaitGroup // routines pending start
stopping sync.WaitGroup // routines pending stop
- stop chan struct{} // size 0, stop all go-routines in peer
+ stop chan struct{} // size 0, stop all go routines in peer
}
mac CookieGenerator
func (device *Device) NewPeer(pk NoisePublicKey) (*Peer, error) {
if device.isClosed.Get() {
- return nil, errors.New("Device closed")
+ return nil, errors.New("device closed")
}
// lock resources
// check if over limit
if len(device.peers.keyMap) >= MaxPeers {
- return nil, errors.New("Too many peers")
+ return nil, errors.New("too many peers")
}
// create peer
_, ok := device.peers.keyMap[pk]
if ok {
- return nil, errors.New("Adding existing peer")
+ return nil, errors.New("adding existing peer")
}
device.peers.keyMap[pk] = peer
defer peer.device.net.mutex.RUnlock()
if peer.device.net.bind == nil {
- return errors.New("No bind")
+ return errors.New("no bind")
}
peer.mutex.RLock()
defer peer.mutex.RUnlock()
if peer.endpoint == nil {
- return errors.New("No known endpoint for peer")
+ return errors.New("no known endpoint for peer")
}
return peer.device.net.bind.Send(buffer, peer.endpoint)
}
-/* Returns a short string identifier for logging
- */
func (peer *Peer) String() string {
- return fmt.Sprintf(
- "peer(%s)",
- base64.StdEncoding.EncodeToString(peer.handshake.remoteStatic[:]),
- )
+ base64Key := base64.StdEncoding.EncodeToString(peer.handshake.remoteStatic[:])
+ abbreviatedKey := "invalid"
+ if len(base64Key) == 44 {
+ abbreviatedKey = base64Key[0:4] + "..." + base64Key[40:44]
+ }
+ return fmt.Sprintf("peer(%s)", abbreviatedKey)
}
func (peer *Peer) Start() {
// check if using new key-pair
kp := &peer.keypairs
- kp.mutex.Lock() //TODO: make this into an RW lock to reduce contention here for the equality check which is rarely true
if kp.next == elem.keypair {
- old := kp.previous
- kp.previous = kp.current
- device.DeleteKeypair(old)
- kp.current = kp.next
- kp.next = nil
- peer.timersHandshakeComplete()
- select {
- case peer.signals.newKeypairArrived <- struct{}{}:
- default:
+ kp.mutex.Lock()
+ if kp.next != elem.keypair {
+ kp.mutex.Unlock()
+ } else {
+ old := kp.previous
+ kp.previous = kp.current
+ device.DeleteKeypair(old)
+ kp.current = kp.next
+ kp.next = nil
+ kp.mutex.Unlock()
+ peer.timersHandshakeComplete()
+ select {
+ case peer.signals.newKeypairArrived <- struct{}{}:
+ default:
+ }
}
}
- kp.mutex.Unlock()
peer.keepKeyFreshReceiving()
peer.timersAnyAuthenticatedPacketTraversal()
+++ /dev/null
-/* SPDX-License-Identifier: GPL-2.0
- *
- * Copyright (C) 2017-2018 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.
- */
-
-package main
-
-import (
- "errors"
- "net"
- "sync"
-)
-
-type RoutingTable struct {
- IPv4 *Trie
- IPv6 *Trie
- mutex sync.RWMutex
-}
-
-func (table *RoutingTable) AllowedIPs(peer *Peer) []net.IPNet {
- table.mutex.RLock()
- defer table.mutex.RUnlock()
-
- allowed := make([]net.IPNet, 0, 10)
- allowed = table.IPv4.AllowedIPs(peer, allowed)
- allowed = table.IPv6.AllowedIPs(peer, allowed)
- return allowed
-}
-
-func (table *RoutingTable) Reset() {
- table.mutex.Lock()
- defer table.mutex.Unlock()
-
- table.IPv4 = nil
- table.IPv6 = nil
-}
-
-func (table *RoutingTable) RemovePeer(peer *Peer) {
- table.mutex.Lock()
- defer table.mutex.Unlock()
-
- table.IPv4 = table.IPv4.RemovePeer(peer)
- table.IPv6 = table.IPv6.RemovePeer(peer)
-}
-
-func (table *RoutingTable) Insert(ip net.IP, cidr uint, peer *Peer) {
- table.mutex.Lock()
- defer table.mutex.Unlock()
-
- switch len(ip) {
- case net.IPv6len:
- table.IPv6 = table.IPv6.Insert(ip, cidr, peer)
- case net.IPv4len:
- table.IPv4 = table.IPv4.Insert(ip, cidr, peer)
- default:
- panic(errors.New("Inserting unknown address type"))
- }
-}
-
-func (table *RoutingTable) LookupIPv4(address []byte) *Peer {
- table.mutex.RLock()
- defer table.mutex.RUnlock()
- return table.IPv4.Lookup(address)
-}
-
-func (table *RoutingTable) LookupIPv6(address []byte) *Peer {
- table.mutex.RLock()
- defer table.mutex.RUnlock()
- return table.IPv6.Lookup(address)
-}
}
func (tun *NativeTun) Close() error {
- return tun.fd.Close()
+ err := tun.fd.Close()
+ close(tun.events)
+ return err
}
func (tun *NativeTun) setMTU(n int) error {
return err
}
tun.closingWriter.Write([]byte{0})
+ close(tun.events)
return nil
}
}
func (f *NativeTUN) Close() error {
- return windows.Close(f.fd)
+ close(f.events)
+ err := windows.Close(f.fd)
+ return err
}
func (f *NativeTUN) Write(b []byte) (int, error) {
send(fmt.Sprintf("rx_bytes=%d", peer.stats.rxBytes))
send(fmt.Sprintf("persistent_keepalive_interval=%d", peer.persistentKeepaliveInterval))
- for _, ip := range device.routing.table.AllowedIPs(peer) {
+ for _, ip := range device.routing.table.EntriesForPeer(peer) {
send("allowed_ip=" + ip.String())
}
case "replace_allowed_ips":
- logDebug.Println("UAPI: Removing all allowed IPs for peer:", peer)
+ logDebug.Println("UAPI: Removing all allowed EntriesForPeer for peer:", peer)
if value != "true" {
logError.Println("Failed to set replace_allowed_ips, invalid value:", value)
}
device.routing.mutex.Lock()
- device.routing.table.RemovePeer(peer)
+ device.routing.table.RemoveByPeer(peer)
device.routing.mutex.Unlock()
case "allowed_ip":
projects / thirdparty / wireguard-go.git / commitdiff
