wireguard: Fix for tunnel encap
Type: fix — add UT for sending handshake init and transport packets Signed-off-by: Neale Ranns <nranns@cisco.com> Change-Id: Iab1ed8864c666d5a0ae0b2364a9ca4de3c8770dc (cherry picked from commit d75a2d12c431fcffba2a2b4d59f18c9cec483ed9)
Neale Ranns
committed by
Andrew Yourtchenko
parent
21cbdc75f2
commit
6efd393965
@ -86,7 +86,7 @@ cookie_checker_validate_macs (vlib_main_t * vm, cookie_checker_t * cc,
|
||||
len = len - sizeof (message_macs_t);
|
||||
cookie_macs_mac1 (&our_cm, buf, len, cc->cc_mac1_key);
|
||||
|
||||
/* If mac1 is invald, we want to drop the packet */
|
||||
/* If mac1 is invalid, we want to drop the packet */
|
||||
if (clib_memcmp (our_cm.mac1, cm->mac1, COOKIE_MAC_SIZE) != 0)
|
||||
return INVALID_MAC;
|
||||
|
||||
|
@ -42,11 +42,21 @@ format_wg_if (u8 * s, va_list * args)
|
||||
key_to_base64 (wgi->local.l_private, NOISE_PUBLIC_KEY_LEN, key);
|
||||
|
||||
s = format (s, " private-key:%s", key);
|
||||
s =
|
||||
format (s, " %U", format_hex_bytes, wgi->local.l_private,
|
||||
NOISE_PUBLIC_KEY_LEN);
|
||||
|
||||
key_to_base64 (wgi->local.l_public, NOISE_PUBLIC_KEY_LEN, key);
|
||||
|
||||
s = format (s, " public-key:%s", key);
|
||||
|
||||
s =
|
||||
format (s, " %U", format_hex_bytes, wgi->local.l_public,
|
||||
NOISE_PUBLIC_KEY_LEN);
|
||||
|
||||
s = format (s, " mac-key: %U", format_hex_bytes,
|
||||
&wgi->cookie_checker.cc_mac1_key, NOISE_PUBLIC_KEY_LEN);
|
||||
|
||||
return (s);
|
||||
}
|
||||
|
||||
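Review bot: The new mac-key line hands format_hex_bytes NOISE_PUBLIC_KEY_LEN as the byte count for `&wgi->cookie_checker.cc_mac1_key`, a constant that describes a different object; if the mac1 key field is not exactly that size the dump over-reads or truncates it. Use the field's own size, `&wgi->cookie_checker.cc_mac1_key, sizeof (wgi->cookie_checker.cc_mac1_key)`, so the two cannot drift apart. Separately, the function now emits the interface's long-term private key a second time (hex, after the pre-existing base64 line); dumping secret material from a format routine that feeds CLI/log output deserves at least a comment such as `/* NOTE: prints the local private key; keep this out of non-debug output */`, or a verbose gate, since anyone who can read `show` output or a captured log gets the key. format_wg_if starts outside this hunk.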
@ -235,9 +245,6 @@ wg_if_create (u32 user_instance,
|
||||
if (~0 == wg_if->user_instance)
|
||||
wg_if->user_instance = t_idx;
|
||||
|
||||
udp_dst_port_info_t *pi = udp_get_dst_port_info (&udp_main, port, UDP_IP4);
|
||||
if (pi)
|
||||
return (VNET_API_ERROR_VALUE_EXIST);
|
||||
udp_register_dst_port (vlib_get_main (), port, wg_input_node.index, 1);
|
||||
|
||||
vec_validate_init_empty (wg_if_index_by_port, port, INDEX_INVALID);
|
||||
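Review bot: With the udp_get_dst_port_info() check removed, creating a second wg interface on a port that is already in use no longer fails with VALUE_EXIST; udp_register_dst_port now runs unconditionally and the later write to wg_if_index_by_port replaces the earlier interface's entry, so the first interface silently loses its port (as far as is visible here). If the check was dropped because the UDP registration outlives wg_if_delete, the plugin's own table is the right thing to consult: move the `vec_validate_init_empty (wg_if_index_by_port, port, INDEX_INVALID);` line above the registration and add `if (INDEX_INVALID != wg_if_index_by_port[port]) return (VNET_API_ERROR_VALUE_EXIST);` before `udp_register_dst_port (...)`. wg_if_create starts and ends outside this hunk.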
@ -284,16 +291,17 @@ wg_if_delete (u32 sw_if_index)
|
||||
|
||||
vnet_hw_interface_t *hw = vnet_get_sup_hw_interface (vnm, sw_if_index);
|
||||
if (hw == 0 || hw->dev_class_index != wg_if_device_class.index)
|
||||
return VNET_API_ERROR_INVALID_SW_IF_INDEX;
|
||||
return VNET_API_ERROR_INVALID_VALUE;
|
||||
|
||||
wg_if_t *wg_if;
|
||||
wg_if = wg_if_get (wg_if_find_by_sw_if_index (sw_if_index));
|
||||
if (NULL == wg_if)
|
||||
return VNET_API_ERROR_INVALID_SW_IF_INDEX;
|
||||
return VNET_API_ERROR_INVALID_SW_IF_INDEX_2;
|
||||
|
||||
if (wg_if_instance_free (hw->dev_instance) < 0)
|
||||
return VNET_API_ERROR_INVALID_SW_IF_INDEX;
|
||||
if (wg_if_instance_free (wg_if->user_instance) < 0)
|
||||
return VNET_API_ERROR_INVALID_VALUE_2;
|
||||
|
||||
udp_unregister_dst_port (vlib_get_main (), wg_if->port, 1);
|
||||
wg_if_index_by_port[wg_if->port] = INDEX_INVALID;
|
||||
vnet_delete_hw_interface (vnm, hw->hw_if_index);
|
||||
pool_put (wg_if_pool, wg_if);
|
||||
|
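Review bot: `pool_put (wg_if_pool, wg_if);` returns the interface record to the pool with its contents intact, and — if `wgi` in format_wg_if is this same wg_if_t — that record carries the local private key in `local.l_private`, which then lingers in freed pool memory until the slot is reused. Unless a destructor outside this hunk already wipes it, zero the key material first: `clib_memset (&wg_if->local, 0, sizeof (wg_if->local));` immediately before the pool_put. The distinct error codes introduced here are an improvement; note that a failed `wg_if_instance_free` now returns INVALID_VALUE_2 after the hw lookup succeeded but before the UDP port is unregistered, leaving the interface half-torn-down, which callers should be told about in a comment on that return. wg_if_delete continues outside this hunk.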
@ -313,12 +313,12 @@ VLIB_NODE_FN (wg_input_node) (vlib_main_t * vm,
|
||||
if (entry)
|
||||
{
|
||||
peer = pool_elt_at_index (wmp->peers, *entry);
|
||||
if (!peer)
|
||||
{
|
||||
next[0] = WG_INPUT_NEXT_ERROR;
|
||||
b[0]->error = node->errors[WG_INPUT_ERROR_PEER];
|
||||
goto out;
|
||||
}
|
||||
}
|
||||
else
|
||||
{
|
||||
next[0] = WG_INPUT_NEXT_ERROR;
|
||||
b[0]->error = node->errors[WG_INPUT_ERROR_PEER];
|
||||
goto out;
|
||||
}
|
||||
|
||||
u16 encr_len = b[0]->current_length - sizeof (message_data_t);
|
||||
|
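Review bot: `u16 encr_len = b[0]->current_length - sizeof (message_data_t);` wraps to a large value when the received datagram is shorter than message_data_t, so unless a minimum-length check precedes this hunk (not visible here) a truncated transport packet reaches the decrypt path with an inflated length. A guard belongs right before that line: `if (PREDICT_FALSE (b[0]->current_length < sizeof (message_data_t))) { next[0] = WG_INPUT_NEXT_ERROR; b[0]->error = node->errors[WG_INPUT_ERROR_PEER]; goto out; }`, ideally with a dedicated too-short error counter rather than reusing the peer one. The `if (!peer)` test after `pool_elt_at_index` also looks unreachable if that macro behaves as VPP's pool.h does (it asserts on a free slot rather than returning NULL) — worth a comment or removal so readers do not mistake it for input validation. This hunk appears to change only layout; the node body starts and ends outside it.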
@ -536,7 +536,7 @@ noise_remote_ready (noise_remote_t * r)
|
||||
return ret;
|
||||
}
|
||||
|
||||
static void
|
||||
static bool
|
||||
chacha20poly1305_calc (vlib_main_t * vm,
|
||||
u8 * src,
|
||||
u32 src_len,
|
||||
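Review bot: Now that chacha20poly1305_calc reports AEAD success through its return value, any caller that ignores it silently accepts unauthenticated plaintext, and the compiler will not say a word; the signature should carry `static bool __attribute__ ((warn_unused_result))` (or the project's wrapper macro for it, if one exists) so a future call site that drops the result fails to build cleanly. The new contract also deserves a header comment, e.g. `/* Returns true when the crypto op completed; on false the contents of dst are unspecified and must not be used. */`. The function's parameter list and body continue in the following hunk.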
@ -580,6 +580,8 @@ chacha20poly1305_calc (vlib_main_t * vm,
|
||||
{
|
||||
clib_memcpy (dst + src_len, op->tag, NOISE_AUTHTAG_LEN);
|
||||
}
|
||||
|
||||
return (op->status == VNET_CRYPTO_OP_STATUS_COMPLETED);
|
||||
}
|
||||
|
||||
enum noise_state_crypt
|
||||
@ -668,9 +670,10 @@ noise_remote_decrypt (vlib_main_t * vm, noise_remote_t * r, uint32_t r_idx,
|
||||
/* Decrypt, then validate the counter. We don't want to validate the
|
||||
* counter before decrypting as we do not know the message is authentic
|
||||
* prior to decryption. */
|
||||
chacha20poly1305_calc (vm, src, srclen, dst, NULL, 0, nonce,
|
||||
VNET_CRYPTO_OP_CHACHA20_POLY1305_DEC,
|
||||
kp->kp_recv_index);
|
||||
if (!chacha20poly1305_calc (vm, src, srclen, dst, NULL, 0, nonce,
|
||||
VNET_CRYPTO_OP_CHACHA20_POLY1305_DEC,
|
||||
kp->kp_recv_index))
|
||||
goto error;
|
||||
|
||||
if (!noise_counter_recv (&kp->kp_ctr, nonce))
|
||||
goto error;
|
||||
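Review bot: On both `goto error` paths the bytes already written to dst remain in the buffer: after a failed AEAD check the engine may have emitted unauthenticated output, and after a counter rejection dst holds the genuine plaintext of a replayed packet. That is only safe if the error label (outside this hunk) drops the buffer rather than letting it continue down the pipeline — confirm that, and consider stating it in the comment above the call, e.g. `/* on failure dst holds unauthenticated or replayed data; caller must discard the buffer */`. The ordering comment itself is correct and worth keeping. noise_remote_decrypt starts and ends outside this hunk.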
@ -936,8 +939,9 @@ noise_msg_decrypt (vlib_main_t * vm, uint8_t * dst, uint8_t * src,
|
||||
uint8_t hash[NOISE_HASH_LEN])
|
||||
{
|
||||
/* Nonce always zero for Noise_IK */
|
||||
chacha20poly1305_calc (vm, src, src_len, dst, hash, NOISE_HASH_LEN, 0,
|
||||
VNET_CRYPTO_OP_CHACHA20_POLY1305_DEC, key_idx);
|
||||
if (!chacha20poly1305_calc (vm, src, src_len, dst, hash, NOISE_HASH_LEN, 0,
|
||||
VNET_CRYPTO_OP_CHACHA20_POLY1305_DEC, key_idx))
|
||||
return false;
|
||||
noise_mix_hash (hash, src, src_len);
|
||||
return true;
|
||||
}
|
||||
|
@ -115,7 +115,8 @@ VLIB_NODE_FN (wg_output_tun_node) (vlib_main_t * vm,
|
||||
while (n_left_from > 0)
|
||||
{
|
||||
ip4_udp_header_t *hdr = vlib_buffer_get_current (b[0]);
|
||||
u8 *plain_data = vlib_buffer_get_current (b[0]) + sizeof (ip4_header_t);
|
||||
u8 *plain_data = (vlib_buffer_get_current (b[0]) +
|
||||
sizeof (ip4_udp_header_t));
|
||||
u16 plain_data_len =
|
||||
clib_net_to_host_u16 (((ip4_header_t *) plain_data)->length);
|
||||
|
||||
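Review bot: `plain_data_len` is taken from the inner IPv4 header's total-length field rather than from what the buffer actually holds, so a payload whose length field exceeds the bytes after the ip4_udp_header_t (or a non-IPv4 inner packet, which the cast silently assumes away) makes the encryption read past the end of the data in the buffer. Bound it against the buffer before use: `u16 avail = b[0]->current_length - sizeof (ip4_udp_header_t);` followed by `if (PREDICT_FALSE (plain_data_len > avail)) { /* count as too-big and drop */ }`, or simply use `avail` as the plaintext length if the buffer is trusted to be tight. The encap offset fix itself (skipping the UDP header as well as the IP header) looks right. The node's main loop starts and ends outside this hunk.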
@ -144,8 +145,8 @@ VLIB_NODE_FN (wg_output_tun_node) (vlib_main_t * vm,
|
||||
* Ensure there is enough space to write the encrypted data
|
||||
* into the packet
|
||||
*/
|
||||
if (PREDICT_FALSE (encrypted_packet_len > WG_OUTPUT_SCRATCH_SIZE) ||
|
||||
PREDICT_FALSE ((b[0]->current_data + encrypted_packet_len) <
|
||||
if (PREDICT_FALSE (encrypted_packet_len >= WG_OUTPUT_SCRATCH_SIZE) ||
|
||||
PREDICT_FALSE ((b[0]->current_data + encrypted_packet_len) >=
|
||||
vlib_buffer_get_default_data_size (vm)))
|
||||
{
|
||||
b[0]->error = node->errors[WG_OUTPUT_ERROR_TOO_BIG];
|
||||
|
@ -380,15 +380,16 @@ format_wg_peer (u8 * s, va_list * va)
|
||||
peer = wg_peer_get (peeri);
|
||||
key_to_base64 (peer->remote.r_public, NOISE_PUBLIC_KEY_LEN, key);
|
||||
|
||||
s = format (s, "[%d] key:%=45s endpoint:[%U->%U] %U keep-alive:%d adj:%d",
|
||||
s = format (s, "[%d] endpoint:[%U->%U] %U keep-alive:%d adj:%d",
|
||||
peeri,
|
||||
key,
|
||||
format_wg_peer_endpoint, &peer->src,
|
||||
format_wg_peer_endpoint, &peer->dst,
|
||||
format_vnet_sw_if_index_name, vnet_get_main (),
|
||||
peer->wg_sw_if_index,
|
||||
peer->persistent_keepalive_interval, peer->adj_index);
|
||||
|
||||
s = format (s, "\n key:%=s %U",
|
||||
key, format_hex_bytes, peer->remote.r_public,
|
||||
NOISE_PUBLIC_KEY_LEN);
|
||||
s = format (s, "\n allowed-ips:");
|
||||
vec_foreach (allowed_ip, peer->allowed_ips)
|
||||
{
|
||||
|
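Review bot: The new key line uses `%=s`, an alignment flag with no field width, where the removed line had `%=45s`; without a width the centring flag has nothing to centre in, so either restore the width (`"\n key:%=45s %U"`) or drop the flag and write `%s` if the intent is now plain left-aligned output. A one-line comment above the format call saying why the key moved to its own line (hex dump alongside base64) would help the next reader. format_wg_peer continues outside this hunk.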