keksvpn/vendor/golang.zx2c4.com/wireguard/wgctrl/internal/wgopenbsd/client_openbsd.go

372 lines
10 KiB
Go
Raw Normal View History

2022-02-27 03:22:11 +00:00
//go:build openbsd
// +build openbsd
package wgopenbsd
import (
"bytes"
"encoding/binary"
"fmt"
"net"
"os"
"runtime"
"time"
"unsafe"
"golang.org/x/sys/unix"
"golang.zx2c4.com/wireguard/wgctrl/internal/wginternal"
"golang.zx2c4.com/wireguard/wgctrl/internal/wgopenbsd/internal/wgh"
"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
)
// ifGroupWG is the WireGuard interface group name passed to the kernel.
var ifGroupWG = [16]byte{0: 'w', 1: 'g'}
var _ wginternal.Client = &Client{}
// A Client provides access to OpenBSD WireGuard ioctl information.
type Client struct {
// Hooks which use system calls by default, but can also be swapped out
// during tests.
close func() error
ioctlIfgroupreq func(ifg *wgh.Ifgroupreq) error
ioctlWGDataIO func(data *wgh.WGDataIO) error
}
// New creates a new Client and returns whether or not the ioctl interface
// is available.
func New() (*Client, bool, error) {
// The OpenBSD ioctl interface operates on a generic AF_INET socket.
fd, err := unix.Socket(unix.AF_INET, unix.SOCK_DGRAM, 0)
if err != nil {
return nil, false, err
}
// TODO(mdlayher): find a call to invoke here to probe for availability.
// c.Devices won't work because it returns a "not found" error when the
// kernel WireGuard implementation is available but the interface group
// has no members.
// By default, use system call implementations for all hook functions.
return &Client{
close: func() error { return unix.Close(fd) },
ioctlIfgroupreq: ioctlIfgroupreq(fd),
ioctlWGDataIO: ioctlWGDataIO(fd),
}, true, nil
}
// Close implements wginternal.Client.
func (c *Client) Close() error {
return c.close()
}
// Devices implements wginternal.Client.
func (c *Client) Devices() ([]*wgtypes.Device, error) {
ifg := wgh.Ifgroupreq{
// Query for devices in the "wg" group.
Name: ifGroupWG,
}
// Determine how many device names we must allocate memory for.
if err := c.ioctlIfgroupreq(&ifg); err != nil {
return nil, err
}
// ifg.Len is size in bytes; allocate enough memory for the correct number
// of wgh.Ifgreq and then store a pointer to the memory where the data
// should be written (ifgrs) in ifg.Groups.
//
// From a thread in golang-nuts, this pattern is valid:
// "It would be OK to pass a pointer to a struct to ioctl if the struct
// contains a pointer to other Go memory, but the struct field must have
// pointer type."
// See: https://groups.google.com/forum/#!topic/golang-nuts/FfasFTZvU_o.
ifgrs := make([]wgh.Ifgreq, ifg.Len/wgh.SizeofIfgreq)
ifg.Groups = &ifgrs[0]
// Now actually fetch the device names.
if err := c.ioctlIfgroupreq(&ifg); err != nil {
return nil, err
}
// Keep this alive until we're done doing the ioctl dance.
runtime.KeepAlive(&ifg)
devices := make([]*wgtypes.Device, 0, len(ifgrs))
for _, ifgr := range ifgrs {
// Remove any trailing NULL bytes from the interface names.
d, err := c.Device(string(bytes.TrimRight(ifgr.Ifgrqu[:], "\x00")))
if err != nil {
return nil, err
}
devices = append(devices, d)
}
return devices, nil
}
// Device implements wginternal.Client.
func (c *Client) Device(name string) (*wgtypes.Device, error) {
dname, err := deviceName(name)
if err != nil {
return nil, err
}
// First, specify the name of the device and determine how much memory
// must be allocated in order to store the WGInterfaceIO structure and
// any trailing WGPeerIO/WGAIPIOs.
data := wgh.WGDataIO{Name: dname}
// TODO: consider preallocating some memory to avoid a second system call
// if it proves to be a concern.
var mem []byte
for {
if err := c.ioctlWGDataIO(&data); err != nil {
// ioctl functions always return a wrapped unix.Errno value.
// Conform to the wgctrl contract by unwrapping some values:
// ENXIO: "no such device": (no such WireGuard device)
// ENOTTY: "inappropriate ioctl for device" (device is not a
// WireGuard device)
switch err.(*os.SyscallError).Err {
case unix.ENXIO, unix.ENOTTY:
return nil, os.ErrNotExist
default:
return nil, err
}
}
if len(mem) >= int(data.Size) {
// Allocated enough memory!
break
}
// Ensure we don't unsafe cast into uninitialized memory. We need at very
// least a single WGInterfaceIO with no peers.
if data.Size < wgh.SizeofWGInterfaceIO {
return nil, fmt.Errorf("wgopenbsd: kernel returned unexpected number of bytes for WGInterfaceIO: %d", data.Size)
}
// Allocate the appropriate amount of memory and point the kernel at
// the first byte of our slice's backing array. When the loop continues,
// we will check if we've allocated enough memory.
mem = make([]byte, data.Size)
data.Interface = (*wgh.WGInterfaceIO)(unsafe.Pointer(&mem[0]))
}
return parseDevice(name, data.Interface)
}
// parseDevice unpacks a Device from ifio, along with its associated peers
// and their allowed IPs.
func parseDevice(name string, ifio *wgh.WGInterfaceIO) (*wgtypes.Device, error) {
d := &wgtypes.Device{
Name: name,
Type: wgtypes.OpenBSDKernel,
}
// The kernel populates ifio.Flags to indicate which fields are present.
if ifio.Flags&wgh.WG_INTERFACE_HAS_PRIVATE != 0 {
d.PrivateKey = wgtypes.Key(ifio.Private)
}
if ifio.Flags&wgh.WG_INTERFACE_HAS_PUBLIC != 0 {
d.PublicKey = wgtypes.Key(ifio.Public)
}
if ifio.Flags&wgh.WG_INTERFACE_HAS_PORT != 0 {
d.ListenPort = int(ifio.Port)
}
if ifio.Flags&wgh.WG_INTERFACE_HAS_RTABLE != 0 {
d.FirewallMark = int(ifio.Rtable)
}
d.Peers = make([]wgtypes.Peer, 0, ifio.Peers_count)
// If there were no peers, exit early so we do not advance the pointer
// beyond the end of the WGInterfaceIO structure.
if ifio.Peers_count == 0 {
return d, nil
}
// Set our pointer to the beginning of the first peer's location in memory.
peer := (*wgh.WGPeerIO)(unsafe.Pointer(
uintptr(unsafe.Pointer(ifio)) + wgh.SizeofWGInterfaceIO,
))
for i := 0; i < int(ifio.Peers_count); i++ {
p := parsePeer(peer)
// Same idea, we know how many allowed IPs we need to account for, so
// reserve the space and advance the pointer through each WGAIP structure.
p.AllowedIPs = make([]net.IPNet, 0, peer.Aips_count)
for j := uintptr(0); j < uintptr(peer.Aips_count); j++ {
aip := (*wgh.WGAIPIO)(unsafe.Pointer(
uintptr(unsafe.Pointer(peer)) + wgh.SizeofWGPeerIO + j*wgh.SizeofWGAIPIO,
))
p.AllowedIPs = append(p.AllowedIPs, parseAllowedIP(aip))
}
// Prepare for the next iteration.
d.Peers = append(d.Peers, p)
peer = (*wgh.WGPeerIO)(unsafe.Pointer(
uintptr(unsafe.Pointer(peer)) + wgh.SizeofWGPeerIO +
uintptr(peer.Aips_count)*wgh.SizeofWGAIPIO,
))
}
return d, nil
}
// ConfigureDevice implements wginternal.Client.
func (c *Client) ConfigureDevice(name string, cfg wgtypes.Config) error {
// Currently read-only: we must determine if a device belongs to this driver,
// and if it does, return a sentinel so integration tests that configure a
// device can be skipped.
if _, err := c.Device(name); err != nil {
return err
}
return wginternal.ErrReadOnly
}
// deviceName converts an interface name string to the format required to pass
// with wgh.WGGetServ.
func deviceName(name string) ([16]byte, error) {
var out [unix.IFNAMSIZ]byte
if len(name) > unix.IFNAMSIZ {
return out, fmt.Errorf("wgopenbsd: interface name %q too long", name)
}
copy(out[:], name)
return out, nil
}
// parsePeer unpacks a wgtypes.Peer from a WGPeerIO structure.
func parsePeer(pio *wgh.WGPeerIO) wgtypes.Peer {
p := wgtypes.Peer{
ReceiveBytes: int64(pio.Rxbytes),
TransmitBytes: int64(pio.Txbytes),
ProtocolVersion: int(pio.Protocol_version),
}
// Only set last handshake if a non-zero timespec was provided, matching
// the time.Time.IsZero() behavior of internal/wglinux.
if pio.Last_handshake.Sec > 0 && pio.Last_handshake.Nsec > 0 {
p.LastHandshakeTime = time.Unix(
pio.Last_handshake.Sec,
// Conversion required for GOARCH=386.
int64(pio.Last_handshake.Nsec),
)
}
if pio.Flags&wgh.WG_PEER_HAS_PUBLIC != 0 {
p.PublicKey = wgtypes.Key(pio.Public)
}
if pio.Flags&wgh.WG_PEER_HAS_PSK != 0 {
p.PresharedKey = wgtypes.Key(pio.Psk)
}
if pio.Flags&wgh.WG_PEER_HAS_PKA != 0 {
p.PersistentKeepaliveInterval = time.Duration(pio.Pka) * time.Second
}
if pio.Flags&wgh.WG_PEER_HAS_ENDPOINT != 0 {
p.Endpoint = parseEndpoint(pio.Endpoint)
}
return p
}
// parseAllowedIP unpacks a net.IPNet from a WGAIP structure.
func parseAllowedIP(aip *wgh.WGAIPIO) net.IPNet {
switch aip.Af {
case unix.AF_INET:
return net.IPNet{
IP: net.IP(aip.Addr[:net.IPv4len]),
Mask: net.CIDRMask(int(aip.Cidr), 32),
}
case unix.AF_INET6:
return net.IPNet{
IP: net.IP(aip.Addr[:]),
Mask: net.CIDRMask(int(aip.Cidr), 128),
}
default:
panicf("wgopenbsd: invalid address family for allowed IP: %+v", aip)
return net.IPNet{}
}
}
// parseEndpoint parses a peer endpoint from a wgh.WGIP structure.
func parseEndpoint(ep [28]byte) *net.UDPAddr {
// sockaddr* structures have family at index 1.
switch ep[1] {
case unix.AF_INET:
sa := *(*unix.RawSockaddrInet4)(unsafe.Pointer(&ep[0]))
ep := &net.UDPAddr{
IP: make(net.IP, net.IPv4len),
Port: bePort(sa.Port),
}
copy(ep.IP, sa.Addr[:])
return ep
case unix.AF_INET6:
sa := *(*unix.RawSockaddrInet6)(unsafe.Pointer(&ep[0]))
// TODO(mdlayher): IPv6 zone?
ep := &net.UDPAddr{
IP: make(net.IP, net.IPv6len),
Port: bePort(sa.Port),
}
copy(ep.IP, sa.Addr[:])
return ep
default:
// No endpoint configured.
return nil
}
}
// bePort interprets a port integer stored in native endianness as a big
// endian value. This is necessary for proper endpoint port handling on
// little endian machines.
func bePort(port uint16) int {
b := *(*[2]byte)(unsafe.Pointer(&port))
return int(binary.BigEndian.Uint16(b[:]))
}
// ioctlIfgroupreq returns a function which performs the appropriate ioctl on
// fd to retrieve members of an interface group.
func ioctlIfgroupreq(fd int) func(*wgh.Ifgroupreq) error {
return func(ifg *wgh.Ifgroupreq) error {
return ioctl(fd, wgh.SIOCGIFGMEMB, unsafe.Pointer(ifg))
}
}
// ioctlWGDataIO returns a function which performs the appropriate ioctl on
// fd to issue a WireGuard data I/O.
func ioctlWGDataIO(fd int) func(*wgh.WGDataIO) error {
return func(data *wgh.WGDataIO) error {
return ioctl(fd, wgh.SIOCGWG, unsafe.Pointer(data))
}
}
// ioctl is a raw wrapper for the ioctl system call.
func ioctl(fd int, req uint, arg unsafe.Pointer) error {
_, _, errno := unix.Syscall(unix.SYS_IOCTL, uintptr(fd), uintptr(req), uintptr(arg))
if errno != 0 {
return os.NewSyscallError("ioctl", errno)
}
return nil
}
func panicf(format string, a ...interface{}) {
panic(fmt.Sprintf(format, a...))
}