1 | // SPDX-License-Identifier: GPL-2.0 |
2 | /* |
3 | * Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved. |
4 | */ |
5 | |
6 | #include "netlink.h" |
7 | #include "device.h" |
8 | #include "peer.h" |
9 | #include "socket.h" |
10 | #include "queueing.h" |
11 | #include "messages.h" |
12 | |
13 | #include <uapi/linux/wireguard.h> |
14 | |
15 | #include <linux/if.h> |
16 | #include <net/genetlink.h> |
17 | #include <net/sock.h> |
18 | #include <crypto/utils.h> |
19 | |
20 | static struct genl_family genl_family; |
21 | |
22 | static const struct nla_policy device_policy[WGDEVICE_A_MAX + 1] = { |
23 | [WGDEVICE_A_IFINDEX] = { .type = NLA_U32 }, |
24 | [WGDEVICE_A_IFNAME] = { .type = NLA_NUL_STRING, .len = IFNAMSIZ - 1 }, |
25 | [WGDEVICE_A_PRIVATE_KEY] = NLA_POLICY_EXACT_LEN(NOISE_PUBLIC_KEY_LEN), |
26 | [WGDEVICE_A_PUBLIC_KEY] = NLA_POLICY_EXACT_LEN(NOISE_PUBLIC_KEY_LEN), |
27 | [WGDEVICE_A_FLAGS] = { .type = NLA_U32 }, |
28 | [WGDEVICE_A_LISTEN_PORT] = { .type = NLA_U16 }, |
29 | [WGDEVICE_A_FWMARK] = { .type = NLA_U32 }, |
30 | [WGDEVICE_A_PEERS] = { .type = NLA_NESTED } |
31 | }; |
32 | |
33 | static const struct nla_policy peer_policy[WGPEER_A_MAX + 1] = { |
34 | [WGPEER_A_PUBLIC_KEY] = NLA_POLICY_EXACT_LEN(NOISE_PUBLIC_KEY_LEN), |
35 | [WGPEER_A_PRESHARED_KEY] = NLA_POLICY_EXACT_LEN(NOISE_SYMMETRIC_KEY_LEN), |
36 | [WGPEER_A_FLAGS] = { .type = NLA_U32 }, |
37 | [WGPEER_A_ENDPOINT] = NLA_POLICY_MIN_LEN(sizeof(struct sockaddr)), |
38 | [WGPEER_A_PERSISTENT_KEEPALIVE_INTERVAL] = { .type = NLA_U16 }, |
39 | [WGPEER_A_LAST_HANDSHAKE_TIME] = NLA_POLICY_EXACT_LEN(sizeof(struct __kernel_timespec)), |
40 | [WGPEER_A_RX_BYTES] = { .type = NLA_U64 }, |
41 | [WGPEER_A_TX_BYTES] = { .type = NLA_U64 }, |
42 | [WGPEER_A_ALLOWEDIPS] = { .type = NLA_NESTED }, |
43 | [WGPEER_A_PROTOCOL_VERSION] = { .type = NLA_U32 } |
44 | }; |
45 | |
46 | static const struct nla_policy allowedip_policy[WGALLOWEDIP_A_MAX + 1] = { |
47 | [WGALLOWEDIP_A_FAMILY] = { .type = NLA_U16 }, |
48 | [WGALLOWEDIP_A_IPADDR] = NLA_POLICY_MIN_LEN(sizeof(struct in_addr)), |
49 | [WGALLOWEDIP_A_CIDR_MASK] = { .type = NLA_U8 } |
50 | }; |
51 | |
52 | static struct wg_device *lookup_interface(struct nlattr **attrs, |
53 | struct sk_buff *skb) |
54 | { |
55 | struct net_device *dev = NULL; |
56 | |
57 | if (!attrs[WGDEVICE_A_IFINDEX] == !attrs[WGDEVICE_A_IFNAME]) |
58 | return ERR_PTR(error: -EBADR); |
59 | if (attrs[WGDEVICE_A_IFINDEX]) |
60 | dev = dev_get_by_index(net: sock_net(sk: skb->sk), |
61 | ifindex: nla_get_u32(nla: attrs[WGDEVICE_A_IFINDEX])); |
62 | else if (attrs[WGDEVICE_A_IFNAME]) |
63 | dev = dev_get_by_name(net: sock_net(sk: skb->sk), |
64 | name: nla_data(nla: attrs[WGDEVICE_A_IFNAME])); |
65 | if (!dev) |
66 | return ERR_PTR(error: -ENODEV); |
67 | if (!dev->rtnl_link_ops || !dev->rtnl_link_ops->kind || |
68 | strcmp(dev->rtnl_link_ops->kind, KBUILD_MODNAME)) { |
69 | dev_put(dev); |
70 | return ERR_PTR(error: -EOPNOTSUPP); |
71 | } |
72 | return netdev_priv(dev); |
73 | } |
74 | |
75 | static int get_allowedips(struct sk_buff *skb, const u8 *ip, u8 cidr, |
76 | int family) |
77 | { |
78 | struct nlattr *allowedip_nest; |
79 | |
80 | allowedip_nest = nla_nest_start(skb, attrtype: 0); |
81 | if (!allowedip_nest) |
82 | return -EMSGSIZE; |
83 | |
84 | if (nla_put_u8(skb, attrtype: WGALLOWEDIP_A_CIDR_MASK, value: cidr) || |
85 | nla_put_u16(skb, attrtype: WGALLOWEDIP_A_FAMILY, value: family) || |
86 | nla_put(skb, attrtype: WGALLOWEDIP_A_IPADDR, attrlen: family == AF_INET6 ? |
87 | sizeof(struct in6_addr) : sizeof(struct in_addr), data: ip)) { |
88 | nla_nest_cancel(skb, start: allowedip_nest); |
89 | return -EMSGSIZE; |
90 | } |
91 | |
92 | nla_nest_end(skb, start: allowedip_nest); |
93 | return 0; |
94 | } |
95 | |
96 | struct dump_ctx { |
97 | struct wg_device *wg; |
98 | struct wg_peer *next_peer; |
99 | u64 allowedips_seq; |
100 | struct allowedips_node *next_allowedip; |
101 | }; |
102 | |
103 | #define DUMP_CTX(cb) ((struct dump_ctx *)(cb)->args) |
104 | |
105 | static int |
106 | get_peer(struct wg_peer *peer, struct sk_buff *skb, struct dump_ctx *ctx) |
107 | { |
108 | |
109 | struct nlattr *allowedips_nest, *peer_nest = nla_nest_start(skb, attrtype: 0); |
110 | struct allowedips_node *allowedips_node = ctx->next_allowedip; |
111 | bool fail; |
112 | |
113 | if (!peer_nest) |
114 | return -EMSGSIZE; |
115 | |
116 | down_read(sem: &peer->handshake.lock); |
117 | fail = nla_put(skb, attrtype: WGPEER_A_PUBLIC_KEY, attrlen: NOISE_PUBLIC_KEY_LEN, |
118 | data: peer->handshake.remote_static); |
119 | up_read(sem: &peer->handshake.lock); |
120 | if (fail) |
121 | goto err; |
122 | |
123 | if (!allowedips_node) { |
124 | const struct __kernel_timespec last_handshake = { |
125 | .tv_sec = peer->walltime_last_handshake.tv_sec, |
126 | .tv_nsec = peer->walltime_last_handshake.tv_nsec |
127 | }; |
128 | |
129 | down_read(sem: &peer->handshake.lock); |
130 | fail = nla_put(skb, attrtype: WGPEER_A_PRESHARED_KEY, |
131 | attrlen: NOISE_SYMMETRIC_KEY_LEN, |
132 | data: peer->handshake.preshared_key); |
133 | up_read(sem: &peer->handshake.lock); |
134 | if (fail) |
135 | goto err; |
136 | |
137 | if (nla_put(skb, attrtype: WGPEER_A_LAST_HANDSHAKE_TIME, |
138 | attrlen: sizeof(last_handshake), data: &last_handshake) || |
139 | nla_put_u16(skb, attrtype: WGPEER_A_PERSISTENT_KEEPALIVE_INTERVAL, |
140 | value: peer->persistent_keepalive_interval) || |
141 | nla_put_u64_64bit(skb, attrtype: WGPEER_A_TX_BYTES, value: peer->tx_bytes, |
142 | padattr: WGPEER_A_UNSPEC) || |
143 | nla_put_u64_64bit(skb, attrtype: WGPEER_A_RX_BYTES, value: peer->rx_bytes, |
144 | padattr: WGPEER_A_UNSPEC) || |
145 | nla_put_u32(skb, attrtype: WGPEER_A_PROTOCOL_VERSION, value: 1)) |
146 | goto err; |
147 | |
148 | read_lock_bh(&peer->endpoint_lock); |
149 | if (peer->endpoint.addr.sa_family == AF_INET) |
150 | fail = nla_put(skb, attrtype: WGPEER_A_ENDPOINT, |
151 | attrlen: sizeof(peer->endpoint.addr4), |
152 | data: &peer->endpoint.addr4); |
153 | else if (peer->endpoint.addr.sa_family == AF_INET6) |
154 | fail = nla_put(skb, attrtype: WGPEER_A_ENDPOINT, |
155 | attrlen: sizeof(peer->endpoint.addr6), |
156 | data: &peer->endpoint.addr6); |
157 | read_unlock_bh(&peer->endpoint_lock); |
158 | if (fail) |
159 | goto err; |
160 | allowedips_node = |
161 | list_first_entry_or_null(&peer->allowedips_list, |
162 | struct allowedips_node, peer_list); |
163 | } |
164 | if (!allowedips_node) |
165 | goto no_allowedips; |
166 | if (!ctx->allowedips_seq) |
167 | ctx->allowedips_seq = ctx->wg->peer_allowedips.seq; |
168 | else if (ctx->allowedips_seq != ctx->wg->peer_allowedips.seq) |
169 | goto no_allowedips; |
170 | |
171 | allowedips_nest = nla_nest_start(skb, attrtype: WGPEER_A_ALLOWEDIPS); |
172 | if (!allowedips_nest) |
173 | goto err; |
174 | |
175 | list_for_each_entry_from(allowedips_node, &peer->allowedips_list, |
176 | peer_list) { |
177 | u8 cidr, ip[16] __aligned(__alignof(u64)); |
178 | int family; |
179 | |
180 | family = wg_allowedips_read_node(node: allowedips_node, ip, cidr: &cidr); |
181 | if (get_allowedips(skb, ip, cidr, family)) { |
182 | nla_nest_end(skb, start: allowedips_nest); |
183 | nla_nest_end(skb, start: peer_nest); |
184 | ctx->next_allowedip = allowedips_node; |
185 | return -EMSGSIZE; |
186 | } |
187 | } |
188 | nla_nest_end(skb, start: allowedips_nest); |
189 | no_allowedips: |
190 | nla_nest_end(skb, start: peer_nest); |
191 | ctx->next_allowedip = NULL; |
192 | ctx->allowedips_seq = 0; |
193 | return 0; |
194 | err: |
195 | nla_nest_cancel(skb, start: peer_nest); |
196 | return -EMSGSIZE; |
197 | } |
198 | |
199 | static int wg_get_device_start(struct netlink_callback *cb) |
200 | { |
201 | struct wg_device *wg; |
202 | |
203 | wg = lookup_interface(attrs: genl_info_dump(cb)->attrs, skb: cb->skb); |
204 | if (IS_ERR(ptr: wg)) |
205 | return PTR_ERR(ptr: wg); |
206 | DUMP_CTX(cb)->wg = wg; |
207 | return 0; |
208 | } |
209 | |
210 | static int wg_get_device_dump(struct sk_buff *skb, struct netlink_callback *cb) |
211 | { |
212 | struct wg_peer *peer, *next_peer_cursor; |
213 | struct dump_ctx *ctx = DUMP_CTX(cb); |
214 | struct wg_device *wg = ctx->wg; |
215 | struct nlattr *peers_nest; |
216 | int ret = -EMSGSIZE; |
217 | bool done = true; |
218 | void *hdr; |
219 | |
220 | rtnl_lock(); |
221 | mutex_lock(&wg->device_update_lock); |
222 | cb->seq = wg->device_update_gen; |
223 | next_peer_cursor = ctx->next_peer; |
224 | |
225 | hdr = genlmsg_put(skb, NETLINK_CB(cb->skb).portid, seq: cb->nlh->nlmsg_seq, |
226 | family: &genl_family, NLM_F_MULTI, cmd: WG_CMD_GET_DEVICE); |
227 | if (!hdr) |
228 | goto out; |
229 | genl_dump_check_consistent(cb, user_hdr: hdr); |
230 | |
231 | if (!ctx->next_peer) { |
232 | if (nla_put_u16(skb, attrtype: WGDEVICE_A_LISTEN_PORT, |
233 | value: wg->incoming_port) || |
234 | nla_put_u32(skb, attrtype: WGDEVICE_A_FWMARK, value: wg->fwmark) || |
235 | nla_put_u32(skb, attrtype: WGDEVICE_A_IFINDEX, value: wg->dev->ifindex) || |
236 | nla_put_string(skb, attrtype: WGDEVICE_A_IFNAME, str: wg->dev->name)) |
237 | goto out; |
238 | |
239 | down_read(sem: &wg->static_identity.lock); |
240 | if (wg->static_identity.has_identity) { |
241 | if (nla_put(skb, attrtype: WGDEVICE_A_PRIVATE_KEY, |
242 | attrlen: NOISE_PUBLIC_KEY_LEN, |
243 | data: wg->static_identity.static_private) || |
244 | nla_put(skb, attrtype: WGDEVICE_A_PUBLIC_KEY, |
245 | attrlen: NOISE_PUBLIC_KEY_LEN, |
246 | data: wg->static_identity.static_public)) { |
247 | up_read(sem: &wg->static_identity.lock); |
248 | goto out; |
249 | } |
250 | } |
251 | up_read(sem: &wg->static_identity.lock); |
252 | } |
253 | |
254 | peers_nest = nla_nest_start(skb, attrtype: WGDEVICE_A_PEERS); |
255 | if (!peers_nest) |
256 | goto out; |
257 | ret = 0; |
258 | lockdep_assert_held(&wg->device_update_lock); |
259 | /* If the last cursor was removed in peer_remove or peer_remove_all, then |
260 | * we just treat this the same as there being no more peers left. The |
261 | * reason is that seq_nr should indicate to userspace that this isn't a |
262 | * coherent dump anyway, so they'll try again. |
263 | */ |
264 | if (list_empty(head: &wg->peer_list) || |
265 | (ctx->next_peer && ctx->next_peer->is_dead)) { |
266 | nla_nest_cancel(skb, start: peers_nest); |
267 | goto out; |
268 | } |
269 | peer = list_prepare_entry(ctx->next_peer, &wg->peer_list, peer_list); |
270 | list_for_each_entry_continue(peer, &wg->peer_list, peer_list) { |
271 | if (get_peer(peer, skb, ctx)) { |
272 | done = false; |
273 | break; |
274 | } |
275 | next_peer_cursor = peer; |
276 | } |
277 | nla_nest_end(skb, start: peers_nest); |
278 | |
279 | out: |
280 | if (!ret && !done && next_peer_cursor) |
281 | wg_peer_get(peer: next_peer_cursor); |
282 | wg_peer_put(peer: ctx->next_peer); |
283 | mutex_unlock(lock: &wg->device_update_lock); |
284 | rtnl_unlock(); |
285 | |
286 | if (ret) { |
287 | genlmsg_cancel(skb, hdr); |
288 | return ret; |
289 | } |
290 | genlmsg_end(skb, hdr); |
291 | if (done) { |
292 | ctx->next_peer = NULL; |
293 | return 0; |
294 | } |
295 | ctx->next_peer = next_peer_cursor; |
296 | return skb->len; |
297 | |
298 | /* At this point, we can't really deal ourselves with safely zeroing out |
299 | * the private key material after usage. This will need an additional API |
300 | * in the kernel for marking skbs as zero_on_free. |
301 | */ |
302 | } |
303 | |
304 | static int wg_get_device_done(struct netlink_callback *cb) |
305 | { |
306 | struct dump_ctx *ctx = DUMP_CTX(cb); |
307 | |
308 | if (ctx->wg) |
309 | dev_put(dev: ctx->wg->dev); |
310 | wg_peer_put(peer: ctx->next_peer); |
311 | return 0; |
312 | } |
313 | |
314 | static int set_port(struct wg_device *wg, u16 port) |
315 | { |
316 | struct wg_peer *peer; |
317 | |
318 | if (wg->incoming_port == port) |
319 | return 0; |
320 | list_for_each_entry(peer, &wg->peer_list, peer_list) |
321 | wg_socket_clear_peer_endpoint_src(peer); |
322 | if (!netif_running(dev: wg->dev)) { |
323 | wg->incoming_port = port; |
324 | return 0; |
325 | } |
326 | return wg_socket_init(wg, port); |
327 | } |
328 | |
329 | static int set_allowedip(struct wg_peer *peer, struct nlattr **attrs) |
330 | { |
331 | int ret = -EINVAL; |
332 | u16 family; |
333 | u8 cidr; |
334 | |
335 | if (!attrs[WGALLOWEDIP_A_FAMILY] || !attrs[WGALLOWEDIP_A_IPADDR] || |
336 | !attrs[WGALLOWEDIP_A_CIDR_MASK]) |
337 | return ret; |
338 | family = nla_get_u16(nla: attrs[WGALLOWEDIP_A_FAMILY]); |
339 | cidr = nla_get_u8(nla: attrs[WGALLOWEDIP_A_CIDR_MASK]); |
340 | |
341 | if (family == AF_INET && cidr <= 32 && |
342 | nla_len(nla: attrs[WGALLOWEDIP_A_IPADDR]) == sizeof(struct in_addr)) |
343 | ret = wg_allowedips_insert_v4( |
344 | table: &peer->device->peer_allowedips, |
345 | ip: nla_data(nla: attrs[WGALLOWEDIP_A_IPADDR]), cidr, peer, |
346 | lock: &peer->device->device_update_lock); |
347 | else if (family == AF_INET6 && cidr <= 128 && |
348 | nla_len(nla: attrs[WGALLOWEDIP_A_IPADDR]) == sizeof(struct in6_addr)) |
349 | ret = wg_allowedips_insert_v6( |
350 | table: &peer->device->peer_allowedips, |
351 | ip: nla_data(nla: attrs[WGALLOWEDIP_A_IPADDR]), cidr, peer, |
352 | lock: &peer->device->device_update_lock); |
353 | |
354 | return ret; |
355 | } |
356 | |
357 | static int set_peer(struct wg_device *wg, struct nlattr **attrs) |
358 | { |
359 | u8 *public_key = NULL, *preshared_key = NULL; |
360 | struct wg_peer *peer = NULL; |
361 | u32 flags = 0; |
362 | int ret; |
363 | |
364 | ret = -EINVAL; |
365 | if (attrs[WGPEER_A_PUBLIC_KEY] && |
366 | nla_len(nla: attrs[WGPEER_A_PUBLIC_KEY]) == NOISE_PUBLIC_KEY_LEN) |
367 | public_key = nla_data(nla: attrs[WGPEER_A_PUBLIC_KEY]); |
368 | else |
369 | goto out; |
370 | if (attrs[WGPEER_A_PRESHARED_KEY] && |
371 | nla_len(nla: attrs[WGPEER_A_PRESHARED_KEY]) == NOISE_SYMMETRIC_KEY_LEN) |
372 | preshared_key = nla_data(nla: attrs[WGPEER_A_PRESHARED_KEY]); |
373 | |
374 | if (attrs[WGPEER_A_FLAGS]) |
375 | flags = nla_get_u32(nla: attrs[WGPEER_A_FLAGS]); |
376 | ret = -EOPNOTSUPP; |
377 | if (flags & ~__WGPEER_F_ALL) |
378 | goto out; |
379 | |
380 | ret = -EPFNOSUPPORT; |
381 | if (attrs[WGPEER_A_PROTOCOL_VERSION]) { |
382 | if (nla_get_u32(nla: attrs[WGPEER_A_PROTOCOL_VERSION]) != 1) |
383 | goto out; |
384 | } |
385 | |
386 | peer = wg_pubkey_hashtable_lookup(table: wg->peer_hashtable, |
387 | pubkey: nla_data(nla: attrs[WGPEER_A_PUBLIC_KEY])); |
388 | ret = 0; |
389 | if (!peer) { /* Peer doesn't exist yet. Add a new one. */ |
390 | if (flags & (WGPEER_F_REMOVE_ME | WGPEER_F_UPDATE_ONLY)) |
391 | goto out; |
392 | |
393 | /* The peer is new, so there aren't allowed IPs to remove. */ |
394 | flags &= ~WGPEER_F_REPLACE_ALLOWEDIPS; |
395 | |
396 | down_read(sem: &wg->static_identity.lock); |
397 | if (wg->static_identity.has_identity && |
398 | !memcmp(p: nla_data(nla: attrs[WGPEER_A_PUBLIC_KEY]), |
399 | q: wg->static_identity.static_public, |
400 | size: NOISE_PUBLIC_KEY_LEN)) { |
401 | /* We silently ignore peers that have the same public |
402 | * key as the device. The reason we do it silently is |
403 | * that we'd like for people to be able to reuse the |
404 | * same set of API calls across peers. |
405 | */ |
406 | up_read(sem: &wg->static_identity.lock); |
407 | ret = 0; |
408 | goto out; |
409 | } |
410 | up_read(sem: &wg->static_identity.lock); |
411 | |
412 | peer = wg_peer_create(wg, public_key, preshared_key); |
413 | if (IS_ERR(ptr: peer)) { |
414 | ret = PTR_ERR(ptr: peer); |
415 | peer = NULL; |
416 | goto out; |
417 | } |
418 | /* Take additional reference, as though we've just been |
419 | * looked up. |
420 | */ |
421 | wg_peer_get(peer); |
422 | } |
423 | |
424 | if (flags & WGPEER_F_REMOVE_ME) { |
425 | wg_peer_remove(peer); |
426 | goto out; |
427 | } |
428 | |
429 | if (preshared_key) { |
430 | down_write(sem: &peer->handshake.lock); |
431 | memcpy(&peer->handshake.preshared_key, preshared_key, |
432 | NOISE_SYMMETRIC_KEY_LEN); |
433 | up_write(sem: &peer->handshake.lock); |
434 | } |
435 | |
436 | if (attrs[WGPEER_A_ENDPOINT]) { |
437 | struct sockaddr *addr = nla_data(nla: attrs[WGPEER_A_ENDPOINT]); |
438 | size_t len = nla_len(nla: attrs[WGPEER_A_ENDPOINT]); |
439 | struct endpoint endpoint = { { { 0 } } }; |
440 | |
441 | if (len == sizeof(struct sockaddr_in) && addr->sa_family == AF_INET) { |
442 | endpoint.addr4 = *(struct sockaddr_in *)addr; |
443 | wg_socket_set_peer_endpoint(peer, endpoint: &endpoint); |
444 | } else if (len == sizeof(struct sockaddr_in6) && addr->sa_family == AF_INET6) { |
445 | endpoint.addr6 = *(struct sockaddr_in6 *)addr; |
446 | wg_socket_set_peer_endpoint(peer, endpoint: &endpoint); |
447 | } |
448 | } |
449 | |
450 | if (flags & WGPEER_F_REPLACE_ALLOWEDIPS) |
451 | wg_allowedips_remove_by_peer(table: &wg->peer_allowedips, peer, |
452 | lock: &wg->device_update_lock); |
453 | |
454 | if (attrs[WGPEER_A_ALLOWEDIPS]) { |
455 | struct nlattr *attr, *allowedip[WGALLOWEDIP_A_MAX + 1]; |
456 | int rem; |
457 | |
458 | nla_for_each_nested(attr, attrs[WGPEER_A_ALLOWEDIPS], rem) { |
459 | ret = nla_parse_nested(tb: allowedip, WGALLOWEDIP_A_MAX, |
460 | nla: attr, policy: allowedip_policy, NULL); |
461 | if (ret < 0) |
462 | goto out; |
463 | ret = set_allowedip(peer, attrs: allowedip); |
464 | if (ret < 0) |
465 | goto out; |
466 | } |
467 | } |
468 | |
469 | if (attrs[WGPEER_A_PERSISTENT_KEEPALIVE_INTERVAL]) { |
470 | const u16 persistent_keepalive_interval = nla_get_u16( |
471 | nla: attrs[WGPEER_A_PERSISTENT_KEEPALIVE_INTERVAL]); |
472 | const bool send_keepalive = |
473 | !peer->persistent_keepalive_interval && |
474 | persistent_keepalive_interval && |
475 | netif_running(dev: wg->dev); |
476 | |
477 | peer->persistent_keepalive_interval = persistent_keepalive_interval; |
478 | if (send_keepalive) |
479 | wg_packet_send_keepalive(peer); |
480 | } |
481 | |
482 | if (netif_running(dev: wg->dev)) |
483 | wg_packet_send_staged_packets(peer); |
484 | |
485 | out: |
486 | wg_peer_put(peer); |
487 | if (attrs[WGPEER_A_PRESHARED_KEY]) |
488 | memzero_explicit(s: nla_data(nla: attrs[WGPEER_A_PRESHARED_KEY]), |
489 | count: nla_len(nla: attrs[WGPEER_A_PRESHARED_KEY])); |
490 | return ret; |
491 | } |
492 | |
493 | static int wg_set_device(struct sk_buff *skb, struct genl_info *info) |
494 | { |
495 | struct wg_device *wg = lookup_interface(attrs: info->attrs, skb); |
496 | u32 flags = 0; |
497 | int ret; |
498 | |
499 | if (IS_ERR(ptr: wg)) { |
500 | ret = PTR_ERR(ptr: wg); |
501 | goto out_nodev; |
502 | } |
503 | |
504 | rtnl_lock(); |
505 | mutex_lock(&wg->device_update_lock); |
506 | |
507 | if (info->attrs[WGDEVICE_A_FLAGS]) |
508 | flags = nla_get_u32(nla: info->attrs[WGDEVICE_A_FLAGS]); |
509 | ret = -EOPNOTSUPP; |
510 | if (flags & ~__WGDEVICE_F_ALL) |
511 | goto out; |
512 | |
513 | if (info->attrs[WGDEVICE_A_LISTEN_PORT] || info->attrs[WGDEVICE_A_FWMARK]) { |
514 | struct net *net; |
515 | rcu_read_lock(); |
516 | net = rcu_dereference(wg->creating_net); |
517 | ret = !net || !ns_capable(ns: net->user_ns, CAP_NET_ADMIN) ? -EPERM : 0; |
518 | rcu_read_unlock(); |
519 | if (ret) |
520 | goto out; |
521 | } |
522 | |
523 | ++wg->device_update_gen; |
524 | |
525 | if (info->attrs[WGDEVICE_A_FWMARK]) { |
526 | struct wg_peer *peer; |
527 | |
528 | wg->fwmark = nla_get_u32(nla: info->attrs[WGDEVICE_A_FWMARK]); |
529 | list_for_each_entry(peer, &wg->peer_list, peer_list) |
530 | wg_socket_clear_peer_endpoint_src(peer); |
531 | } |
532 | |
533 | if (info->attrs[WGDEVICE_A_LISTEN_PORT]) { |
534 | ret = set_port(wg, |
535 | port: nla_get_u16(nla: info->attrs[WGDEVICE_A_LISTEN_PORT])); |
536 | if (ret) |
537 | goto out; |
538 | } |
539 | |
540 | if (flags & WGDEVICE_F_REPLACE_PEERS) |
541 | wg_peer_remove_all(wg); |
542 | |
543 | if (info->attrs[WGDEVICE_A_PRIVATE_KEY] && |
544 | nla_len(nla: info->attrs[WGDEVICE_A_PRIVATE_KEY]) == |
545 | NOISE_PUBLIC_KEY_LEN) { |
546 | u8 *private_key = nla_data(nla: info->attrs[WGDEVICE_A_PRIVATE_KEY]); |
547 | u8 public_key[NOISE_PUBLIC_KEY_LEN]; |
548 | struct wg_peer *peer, *temp; |
549 | bool send_staged_packets; |
550 | |
551 | if (!crypto_memneq(a: wg->static_identity.static_private, |
552 | b: private_key, size: NOISE_PUBLIC_KEY_LEN)) |
553 | goto skip_set_private_key; |
554 | |
555 | /* We remove before setting, to prevent race, which means doing |
556 | * two 25519-genpub ops. |
557 | */ |
558 | if (curve25519_generate_public(pub: public_key, secret: private_key)) { |
559 | peer = wg_pubkey_hashtable_lookup(table: wg->peer_hashtable, |
560 | pubkey: public_key); |
561 | if (peer) { |
562 | wg_peer_put(peer); |
563 | wg_peer_remove(peer); |
564 | } |
565 | } |
566 | |
567 | down_write(sem: &wg->static_identity.lock); |
568 | send_staged_packets = !wg->static_identity.has_identity && netif_running(dev: wg->dev); |
569 | wg_noise_set_static_identity_private_key(static_identity: &wg->static_identity, private_key); |
570 | send_staged_packets = send_staged_packets && wg->static_identity.has_identity; |
571 | |
572 | wg_cookie_checker_precompute_device_keys(checker: &wg->cookie_checker); |
573 | list_for_each_entry_safe(peer, temp, &wg->peer_list, peer_list) { |
574 | wg_noise_precompute_static_static(peer); |
575 | wg_noise_expire_current_peer_keypairs(peer); |
576 | if (send_staged_packets) |
577 | wg_packet_send_staged_packets(peer); |
578 | } |
579 | up_write(sem: &wg->static_identity.lock); |
580 | } |
581 | skip_set_private_key: |
582 | |
583 | if (info->attrs[WGDEVICE_A_PEERS]) { |
584 | struct nlattr *attr, *peer[WGPEER_A_MAX + 1]; |
585 | int rem; |
586 | |
587 | nla_for_each_nested(attr, info->attrs[WGDEVICE_A_PEERS], rem) { |
588 | ret = nla_parse_nested(tb: peer, WGPEER_A_MAX, nla: attr, |
589 | policy: peer_policy, NULL); |
590 | if (ret < 0) |
591 | goto out; |
592 | ret = set_peer(wg, attrs: peer); |
593 | if (ret < 0) |
594 | goto out; |
595 | } |
596 | } |
597 | ret = 0; |
598 | |
599 | out: |
600 | mutex_unlock(lock: &wg->device_update_lock); |
601 | rtnl_unlock(); |
602 | dev_put(dev: wg->dev); |
603 | out_nodev: |
604 | if (info->attrs[WGDEVICE_A_PRIVATE_KEY]) |
605 | memzero_explicit(s: nla_data(nla: info->attrs[WGDEVICE_A_PRIVATE_KEY]), |
606 | count: nla_len(nla: info->attrs[WGDEVICE_A_PRIVATE_KEY])); |
607 | return ret; |
608 | } |
609 | |
610 | static const struct genl_ops genl_ops[] = { |
611 | { |
612 | .cmd = WG_CMD_GET_DEVICE, |
613 | .start = wg_get_device_start, |
614 | .dumpit = wg_get_device_dump, |
615 | .done = wg_get_device_done, |
616 | .flags = GENL_UNS_ADMIN_PERM |
617 | }, { |
618 | .cmd = WG_CMD_SET_DEVICE, |
619 | .doit = wg_set_device, |
620 | .flags = GENL_UNS_ADMIN_PERM |
621 | } |
622 | }; |
623 | |
624 | static struct genl_family genl_family __ro_after_init = { |
625 | .ops = genl_ops, |
626 | .n_ops = ARRAY_SIZE(genl_ops), |
627 | .resv_start_op = WG_CMD_SET_DEVICE + 1, |
628 | .name = WG_GENL_NAME, |
629 | .version = WG_GENL_VERSION, |
630 | .maxattr = WGDEVICE_A_MAX, |
631 | .module = THIS_MODULE, |
632 | .policy = device_policy, |
633 | .netnsok = true |
634 | }; |
635 | |
636 | int __init wg_genetlink_init(void) |
637 | { |
638 | return genl_register_family(family: &genl_family); |
639 | } |
640 | |
641 | void __exit wg_genetlink_uninit(void) |
642 | { |
643 | genl_unregister_family(family: &genl_family); |
644 | } |
645 | |