wireguard_if.c

Go to the documentation of this file.

/*
 * Copyright (c) 2020 Cisco and/or its affiliates.
 * Copyright (c) 2020 Doc.ai and/or its affiliates.
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at:
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

#include <vnet/adj/adj_midchain.h>
#include <vnet/udp/udp.h>

#include <wireguard/wireguard_messages.h>
#include <wireguard/wireguard_if.h>
#include <wireguard/wireguard.h>
#include <wireguard/wireguard_peer.h>

/* pool of interfaces */
wg_if_t *wg_if_pool;

/* bitmap of Allocated WG_ITF instances */
static uword *wg_if_instances;

/* vector of interfaces key'd on their sw_if_index */
static index_t *wg_if_index_by_sw_if_index;

/* vector of interfaces key'd on their UDP port (in network order) */
index_t *wg_if_index_by_port;

static u8 *
format_wg_if_name (u8 * s, va_list * args)
{
  u32 dev_instance = va_arg (*args, u32);
  return format (s, "wg%d", dev_instance);
}

u8 *
format_wg_if (u8 * s, va_list * args)
{
  index_t wgii = va_arg (*args, u32);
  wg_if_t *wgi = wg_if_get (wgii);
  noise_local_t *local = noise_local_get (wgi->local_idx);
  u8 key[NOISE_KEY_LEN_BASE64];


  s = format (s, "[%d] %U src:%U port:%d",
              wgii,
              format_vnet_sw_if_index_name, vnet_get_main (),
              wgi->sw_if_index, format_ip_address, &wgi->src_ip, wgi->port);

  key_to_base64 (local->l_private, NOISE_PUBLIC_KEY_LEN, key);

  s = format (s, " private-key:%s", key);
  s =
    format (s, " %U", format_hex_bytes, local->l_private,
            NOISE_PUBLIC_KEY_LEN);

  key_to_base64 (local->l_public, NOISE_PUBLIC_KEY_LEN, key);

  s = format (s, " public-key:%s", key);

  s =
    format (s, " %U", format_hex_bytes, local->l_public,
            NOISE_PUBLIC_KEY_LEN);

  s = format (s, " mac-key: %U", format_hex_bytes,
              &wgi->cookie_checker.cc_mac1_key, NOISE_PUBLIC_KEY_LEN);

  return (s);
}

index_t
wg_if_find_by_sw_if_index (u32 sw_if_index)
{
  if (vec_len (wg_if_index_by_sw_if_index) <= sw_if_index)
    return INDEX_INVALID;
  u32 ti = wg_if_index_by_sw_if_index[sw_if_index];
  if (ti == ~0)
    return INDEX_INVALID;

  return (ti);
}

static walk_rc_t
wg_if_find_peer_by_public_key (index_t peeri, void *data)
{
  uint8_t *public = data;
  wg_peer_t *peer = wg_peer_get (peeri);

  if (!memcmp (peer->remote.r_public, public, NOISE_PUBLIC_KEY_LEN))
    return (WALK_STOP);
  return (WALK_CONTINUE);
}

static noise_remote_t *
wg_remote_get (const uint8_t public[NOISE_PUBLIC_KEY_LEN])
{
  index_t peeri;

  peeri = wg_peer_walk (wg_if_find_peer_by_public_key, (void *) public);

  if (INDEX_INVALID != peeri)
    return &wg_peer_get (peeri)->remote;

  return NULL;
}

static uint32_t
wg_index_set (noise_remote_t * remote)
{
  wg_main_t *wmp = &wg_main;
  u32 rnd_seed = (u32) (vlib_time_now (wmp->vlib_main) * 1e6);
  u32 ret =
    wg_index_table_add (&wmp->index_table, remote->r_peer_idx, rnd_seed);
  return ret;
}

static void
wg_index_drop (uint32_t key)
{
  wg_main_t *wmp = &wg_main;
  wg_index_table_del (&wmp->index_table, key);
}

static clib_error_t *
wg_if_admin_up_down (vnet_main_t * vnm, u32 hw_if_index, u32 flags)
{
  vnet_hw_interface_t *hi;
  index_t wgii;
  u32 hw_flags;

  hi = vnet_get_hw_interface (vnm, hw_if_index);
  hw_flags = (flags & VNET_SW_INTERFACE_FLAG_ADMIN_UP ?
              VNET_HW_INTERFACE_FLAG_LINK_UP : 0);
  vnet_hw_interface_set_flags (vnm, hw_if_index, hw_flags);

  wgii = wg_if_find_by_sw_if_index (hi->sw_if_index);

  wg_if_peer_walk (wg_if_get (wgii), wg_peer_if_admin_state_change, NULL);

  return (NULL);
}

void
wg_if_update_adj (vnet_main_t * vnm, u32 sw_if_index, adj_index_t ai)
{
  /* The peers manage the adjacencies */
}


/* *INDENT-OFF* */
VNET_DEVICE_CLASS (wg_if_device_class) = {
  .name = "Wireguard Tunnel",
  .format_device_name = format_wg_if_name,
  .admin_up_down_function = wg_if_admin_up_down,
};

VNET_HW_INTERFACE_CLASS(wg_hw_interface_class) = {
  .name = "Wireguard",
  .update_adjacency = wg_if_update_adj,
  .flags = VNET_HW_INTERFACE_CLASS_FLAG_NBMA,
};
/* *INDENT-ON* */

/*
 * Maintain a bitmap of allocated wg_if instance numbers.
 */
#define WG_ITF_MAX_INSTANCE             (16 * 1024)

static u32
wg_if_instance_alloc (u32 want)
{
  /*
   * Check for dynamically allocated instance number.
   */
  if (~0 == want)
    {
      u32 bit;

      bit = clib_bitmap_first_clear (wg_if_instances);
      if (bit >= WG_ITF_MAX_INSTANCE)
        {
          return ~0;
        }
      wg_if_instances = clib_bitmap_set (wg_if_instances, bit, 1);
      return bit;
    }

  /*
   * In range?
   */
  if (want >= WG_ITF_MAX_INSTANCE)
    {
      return ~0;
    }

  /*
   * Already in use?
   */
  if (clib_bitmap_get (wg_if_instances, want))
    {
      return ~0;
    }

  /*
   * Grant allocation request.
   */
  wg_if_instances = clib_bitmap_set (wg_if_instances, want, 1);

  return want;
}

static int
wg_if_instance_free (u32 instance)
{
  if (instance >= WG_ITF_MAX_INSTANCE)
    {
      return -1;
    }

  if (clib_bitmap_get (wg_if_instances, instance) == 0)
    {
      return -1;
    }

  wg_if_instances = clib_bitmap_set (wg_if_instances, instance, 0);
  return 0;
}


int
wg_if_create (u32 user_instance,
              const u8 private_key[NOISE_PUBLIC_KEY_LEN],
              u16 port, const ip_address_t * src_ip, u32 * sw_if_indexp)
{
  vnet_main_t *vnm = vnet_get_main ();
  u32 instance, hw_if_index;
  vnet_hw_interface_t *hi;
  wg_if_t *wg_if;
  noise_local_t *local;

  ASSERT (sw_if_indexp);

  *sw_if_indexp = (u32) ~ 0;

  /*
   * Check if the required port is already in use
   */
  udp_dst_port_info_t *pi = udp_get_dst_port_info (&udp_main, port, UDP_IP4);
  if (pi)
    return VNET_API_ERROR_UDP_PORT_TAKEN;

  /*
   * Allocate a wg_if instance. Either select on dynamically
   * or try to use the desired user_instance number.
   */
  instance = wg_if_instance_alloc (user_instance);
  if (instance == ~0)
    return VNET_API_ERROR_INVALID_REGISTRATION;

  /* *INDENT-OFF* */
  struct noise_upcall upcall =  {
    .u_remote_get = wg_remote_get,
    .u_index_set = wg_index_set,
    .u_index_drop = wg_index_drop,
  };
  /* *INDENT-ON* */

  pool_get (noise_local_pool, local);

  noise_local_init (local, &upcall);
  if (!noise_local_set_private (local, private_key))
    {
      pool_put (noise_local_pool, local);
      wg_if_instance_free (instance);
      return VNET_API_ERROR_INVALID_REGISTRATION;
    }

  pool_get (wg_if_pool, wg_if);

  /* tunnel index (or instance) */
  u32 t_idx = wg_if - wg_if_pool;

  wg_if->user_instance = instance;
  if (~0 == wg_if->user_instance)
    wg_if->user_instance = t_idx;

  udp_register_dst_port (vlib_get_main (), port, wg_input_node.index, 1);

  vec_validate_init_empty (wg_if_index_by_port, port, INDEX_INVALID);
  wg_if_index_by_port[port] = wg_if - wg_if_pool;

  wg_if->port = port;
  wg_if->local_idx = local - noise_local_pool;
  cookie_checker_update (&wg_if->cookie_checker, local->l_public);

  hw_if_index = vnet_register_interface (vnm,
                                         wg_if_device_class.index,
                                         t_idx,
                                         wg_hw_interface_class.index, t_idx);

  hi = vnet_get_hw_interface (vnm, hw_if_index);

  vec_validate_init_empty (wg_if_index_by_sw_if_index, hi->sw_if_index,
                           INDEX_INVALID);
  wg_if_index_by_sw_if_index[hi->sw_if_index] = t_idx;

  ip_address_copy (&wg_if->src_ip, src_ip);
  wg_if->sw_if_index = *sw_if_indexp = hi->sw_if_index;

  return 0;
}

int
wg_if_delete (u32 sw_if_index)
{
  vnet_main_t *vnm = vnet_get_main ();

  if (pool_is_free_index (vnm->interface_main.sw_interfaces, sw_if_index))
    return VNET_API_ERROR_INVALID_SW_IF_INDEX;

  vnet_hw_interface_t *hw = vnet_get_sup_hw_interface (vnm, sw_if_index);
  if (hw == 0 || hw->dev_class_index != wg_if_device_class.index)
    return VNET_API_ERROR_INVALID_VALUE;

  wg_if_t *wg_if;
  wg_if = wg_if_get (wg_if_find_by_sw_if_index (sw_if_index));
  if (NULL == wg_if)
    return VNET_API_ERROR_INVALID_SW_IF_INDEX_2;

  if (wg_if_instance_free (wg_if->user_instance) < 0)
    return VNET_API_ERROR_INVALID_VALUE_2;

  udp_unregister_dst_port (vlib_get_main (), wg_if->port, 1);
  wg_if_index_by_port[wg_if->port] = INDEX_INVALID;
  vnet_delete_hw_interface (vnm, hw->hw_if_index);
  pool_put_index (noise_local_pool, wg_if->local_idx);
  pool_put (wg_if_pool, wg_if);

  return 0;
}

void
wg_if_peer_add (wg_if_t * wgi, index_t peeri)
{
  hash_set (wgi->peers, peeri, peeri);

  if (1 == hash_elts (wgi->peers))
    vnet_feature_enable_disable ("ip4-output", "wg-output-tun",
                                 wgi->sw_if_index, 1, 0, 0);
}

void
wg_if_peer_remove (wg_if_t * wgi, index_t peeri)
{
  hash_unset (wgi->peers, peeri);

  if (0 == hash_elts (wgi->peers))
    vnet_feature_enable_disable ("ip4-output", "wg-output-tun",
                                 wgi->sw_if_index, 0, 0, 0);
}

void
wg_if_walk (wg_if_walk_cb_t fn, void *data)
{
  index_t wgii;

  /* *INDENT-OFF* */
  pool_foreach_index (wgii, wg_if_pool)
  {
    if (WALK_STOP == fn(wgii, data))
      break;
  }
  /* *INDENT-ON* */
}

index_t
wg_if_peer_walk (wg_if_t * wgi, wg_if_peer_walk_cb_t fn, void *data)
{
  index_t peeri, val;

  /* *INDENT-OFF* */
  hash_foreach (peeri, val, wgi->peers,
  {
    if (WALK_STOP == fn(wgi, peeri, data))
      return peeri;
  });
  /* *INDENT-ON* */

  return INDEX_INVALID;
}


static void
wg_if_table_bind_v4 (ip4_main_t * im,
                     uword opaque,
                     u32 sw_if_index, u32 new_fib_index, u32 old_fib_index)
{
  wg_if_t *wg_if;

  wg_if = wg_if_get (wg_if_find_by_sw_if_index (sw_if_index));
  if (NULL == wg_if)
    return;

  wg_peer_table_bind_ctx_t ctx = {
    .af = AF_IP4,
    .old_fib_index = old_fib_index,
    .new_fib_index = new_fib_index,
  };

  wg_if_peer_walk (wg_if, wg_peer_if_table_change, &ctx);
}

static void
wg_if_table_bind_v6 (ip6_main_t * im,
                     uword opaque,
                     u32 sw_if_index, u32 new_fib_index, u32 old_fib_index)
{
  wg_if_t *wg_if;

  wg_if = wg_if_get (wg_if_find_by_sw_if_index (sw_if_index));
  if (NULL == wg_if)
    return;

  wg_peer_table_bind_ctx_t ctx = {
    .af = AF_IP6,
    .old_fib_index = old_fib_index,
    .new_fib_index = new_fib_index,
  };

  wg_if_peer_walk (wg_if, wg_peer_if_table_change, &ctx);
}

static clib_error_t *
wg_if_module_init (vlib_main_t * vm)
{
  {
    ip4_table_bind_callback_t cb = {
      .function = wg_if_table_bind_v4,
    };
    vec_add1 (ip4_main.table_bind_callbacks, cb);
  }
  {
    ip6_table_bind_callback_t cb = {
      .function = wg_if_table_bind_v6,
    };
    vec_add1 (ip6_main.table_bind_callbacks, cb);
  }

  return (NULL);
}

/* *INDENT-OFF* */
VLIB_INIT_FUNCTION (wg_if_module_init) =
{
  .runs_after = VLIB_INITS("ip_main_init"),
};
/* *INDENT-ON* */


/*
 * fd.io coding-style-patch-verification: ON
 *
 * Local Variables:
 * eval: (c-set-style "gnu")
 * End:
 */