summaryrefslogtreecommitdiffstats
path: root/src/plugins/wireguard/wireguard_input.c
AgeCommit message (Collapse)AuthorFilesLines
2023-06-08crypto: use fixed crypto frame poolgaoginskx1-0/+2
The async frames pool may be resized once drained. This will cause 2 problems: original pool pointer is invalidated and pool size changed, both problems will confuse the crypto infra user graph nodes (like IPsec and Wireguard) and crypto engines if they expect the pool pointers always valid and the pool size never changed (for performance reason). This patch introduces fixed size of the async frames pool. This helps zeroing surprise to the components shown above and avoiding segmentation fault when pool resizing happened. In addition, the crypto engine may take advantage of the feature to sync its own pool/vector with crypto infra. Type: improvement Signed-off-by: Gabriel Oginski <gabrielx.oginski@intel.com> Signed-off-by: Piotr Bronowski <piotrx.bronowski@intel.com> Change-Id: I2a71783b90149fa376848b9c4f84ce8c6c034bef
2023-06-02wireguard: add support for chained buffersAlexander Chernavin1-28/+166
Type: feature With this change, packets that are larger than a single buffer can fit will be able to be sent and received over a Wireguard tunnel. Also, cover this with tests. Signed-off-by: Alexander Chernavin <achernavin@netgate.com> Change-Id: Ifaf7325676d728580097bc389b51a9be39e44d88
2023-02-01wireguard: update ESTABLISHED flagArtem Glazychev1-5/+3
We cannot confidently say that if we have received and processed the handshake_initiation message, then the connection has been established. Because we also send a response. The fact that the connection is established can only be considered if a keepalive packet was received. Type: fix Signed-off-by: Artem Glazychev <artem.glazychev@xored.com> Change-Id: I61731916071990f28cdebcd1d0e4d302fa1dee15
2023-01-16wireguard: add local variableGabriel Oginski1-17/+53
The current implementation of wireguard use dereference value from pointer, but between get and dereference the value from pointer can be occur change in pool memory, which means that this pointer can be invalid. Since current implementation doesn't handle with invalid pointers, segfault can occur. The fix add a local variable to keep index of peer from pool and also handle with null pointers from get pointer from pool. Type: fix Signed-off-by: Gabriel Oginski <gabrielx.oginski@intel.com> Change-Id: Ic161ab08266e584493338c682d827ea1fd754b98
2022-09-08wireguard: eliminate some calls to main threadMatthew Smith1-4/+10
Type: improvement Roaming functionality allows the peer address to change. The main thread was being called to update a peer's address if necessary after processing a received packet. Check in the worker whether this is necessary before incurring the overhead of the RPC to the main thread. Signed-off-by: Matthew Smith <mgsmith@netgate.com> Change-Id: I02184b92dc658e0f57dd39993a3b2f9944187b45
2022-08-09wireguard: add peers roaming supportAlexander Chernavin1-19/+42
Type: feature With this change, peers are able to roam between different external endpoints. Successfully authenticated handshake or data packet that is received from a new endpoint will cause the peer's endpoint to be updated accordingly. Signed-off-by: Alexander Chernavin <achernavin@netgate.com> Change-Id: Ib4eb7dfa3403f3fb9e8bbe19ba6237c4960c764c
2022-08-09wireguard: add handshake rate limiting supportAlexander Chernavin1-0/+3
Type: feature With this change, if being under load a handshake message with both valid mac1 and mac2 is received, the peer will be rate limited. Cover this with tests. Signed-off-by: Alexander Chernavin <achernavin@netgate.com> Change-Id: Id8d58bb293a7975c3d922c48b4948fd25e20af4b
2022-08-08wireguard: add dos mitigation supportAlexander Chernavin1-6/+24
Type: feature With this change: - if the number of received handshake messages exceeds the limit calculated based on the peers number, under load state will activate; - if being under load a handshake message with a valid mac1 is received, but mac2 is invalid, a cookie reply will be sent. Also, cover these with tests. Signed-off-by: Alexander Chernavin <achernavin@netgate.com> Change-Id: I3003570a9cf807cfb0b5145b89a085455c30e717
2022-08-03wireguard: add processing of received cookie messagesAlexander Chernavin1-1/+4
Type: feature Currently, if a handshake message is sent and a cookie message is received in reply, the cookie message will be ignored. Thus, further handshake messages will not have valid mac2 and handshake will not be able to be completed. With this change, process received cookie messages to be able to calculate mac2 for further handshake messages sent. Cover this with tests. Signed-off-by: Alexander Chernavin <achernavin@netgate.com> Change-Id: I6d51459778b7145be7077badec479b2aa85960b9
2022-06-08wireguard: increment interface RX countersMatthew Smith1-0/+15
Type: improvement When packets were received and processed successfully, increment the byte/packet counters for the tunnel interface. Change-Id: I42855607ac6916de641be42aac86c9942cc97140 Signed-off-by: Matthew Smith <mgsmith@netgate.com>
2022-02-23wireguard: fix dereferences null pointerGabriel Oginski1-4/+11
Type: fix Fixed coverity-issue CID 248517. Originally possible passing null pointer to one function and directly dereferences it. This patch fixes the issue by add a new condition to check this pointer. Change-Id: If506abaf08c9f003860b641971af291f68613c18 Signed-off-by: Gabriel Oginski <gabrielx.oginski@intel.com>
2022-02-18wireguard: fix passing null pointerGabriel Oginski1-0/+1
Type: fix Fixed coverity-issue CID 248517. Originally possibly passing null pointer to one function and directly dereferences it. This patch fixes the problem by add a new condition. Signed-off-by: Gabriel Oginski <gabrielx.oginski@intel.com> Change-Id: I02fc6fb5d1cfd6138ea4ba2b1946fd8a7ef34d3b
2022-01-21wireguard: add async mode for decryption packetsGabriel Oginski1-94/+420
Originally wireguard doesn't support async mode for decryption packets. This patch add async mode for decryption in wireguard. In addition, it contains some performance improvement such as prefetching packet header and reducing the number of current time function calls. Type: improvement Signed-off-by: Gabriel Oginski <gabrielx.oginski@intel.com> Change-Id: Ieba6ae0078f3ff140c05b517891afb57232b3b7d
2022-01-20wireguard: add burst modeGabriel Oginski1-84/+242
Originally wireguard does packet by packet encryption and decryption. This patch adds burst mode for encryption and decryption packets. In addition, it contains some performance improvement such as prefetching packet header and reducing the number of current time function calls. Type: improvement Signed-off-by: Gabriel Oginski <gabrielx.oginski@intel.com> Change-Id: I04c7daa9b6dc56cd15c789661a64ec642b35aa3f
2021-11-22wireguard: add local variable in handshake processGabriel Oginski1-2/+4
Originally handshake process gets pointer to value of index peer. In the meantime this pointer can be invalid due to resize hash table for wireguard and passed poison value to another function. The fixes add local variable to keep index of peer instead of value from pointer. Type: fix Signed-off-by: Gabriel Oginski <gabrielx.oginski@intel.com> Change-Id: I1b2535c44b4f987d19077c75c778aaa5ed71a457
2021-11-03wireguard: reduce memcopy and prefetch headerGabriel Oginski1-10/+4
Originally wireguard implementation does memory copy of the whole packet in encryption and decryption. This patch removes unnecessary packet copy in wireguard. In addition, it contains some performance improvement such as prefetching header and deleting unnecessary lock and unlock for decryption. Type: improvement Signed-off-by: Gabriel Oginski <gabrielx.oginski@intel.com> Change-Id: I1fe8e54d749e6922465341083b448c842e2b670f
2021-10-06wireguard: add events for peerArtem Glazychev1-1/+10
we can receive events from peer about its state: -WIREGUARD_PEER_STATUS_DEAD -WIREGUARD_PEER_ESTABLISHED Type: improvement Change-Id: Ide83fbe2cfafa79ded5bcf3f6a884c26a7583db0 Signed-off-by: Artem Glazychev <artem.glazychev@xored.com>
2021-10-06wireguard: add ipv6 supportArtem Glazychev1-25/+92
Type: improvement Signed-off-by: Artem Glazychev <artem.glazychev@xored.com> Change-Id: If1a7e82ce163c4c4acaa5acf45ad2b88371396f6
2021-10-04wireguard: use the same udp-port for multi-tunnelArtem Glazychev1-9/+25
now we can reuse udp-port for many wireguard interfaces Type: improvement Change-Id: I14b5a9dbe917d83300ccb4d6907743d88355e5c5 Signed-off-by: Artem Glazychev <artem.glazychev@xored.com>
2021-09-30wireguard: move adjacency processing from wireguard_peer to wireguard_interfaceArtem Glazychev1-21/+2
now we should add routes manually Type: improvement Change-Id: I877511a18854efdfad02939267d38a216b2ccec3 Signed-off-by: Artem Glazychev <artem.glazychev@xored.com>
2021-02-24wireguard: coverity fixArtem Glazychev1-11/+12
explicit null dereferenced Type: fix Signed-off-by: Artem Glazychev <artem.glazychev@xored.com> Change-Id: Id1e4b0e048dbd0a68063c63374172ab6d3653aff
2021-02-15vlib: refactor checksum offload supportMohsin Kazmi1-1/+2
Type: refactor This patch refactors the offload flags in vlib_buffer_t. There are two main reasons behind this refactoring. First, offload flags are insufficient to represent outer and inner headers offloads. Second, room for these flags in first cacheline of vlib_buffer_t is also limited. This patch introduces a generic offload flag in first cacheline. And detailed offload flags in 2nd cacheline of the structure for performance optimization. Change-Id: Icc363a142fb9208ec7113ab5bbfc8230181f6004 Signed-off-by: Mohsin Kazmi <sykazmi@cisco.com>
2020-10-07misc: Purge unused pg includesNeale Ranns1-1/+0
Type: style Signed-off-by: Neale Ranns <nranns@cisco.com> Change-Id: I26a19e42076e031ec5399d5ca05cb49fd6fbe1cd
2020-09-29wireguard: fix license headersArtem Glazychev1-0/+1
Type: fix Signed-off-by: Artem Glazychev <artem.glazychev@xored.com> Change-Id: If5cc8894e0d1785dd04ab1e460e017580c9b41ce
2020-09-23wireguard: add handoff nodeArtem Glazychev1-115/+140
All timer and control plane functions happen from main thread Type: fix Change-Id: I4fc333c644485cd17e6f426493feef91688d9b24 Signed-off-by: Artem Glazychev <artem.glazychev@xored.com>
2020-09-12wireguard: Fix for tunnel encapNeale Ranns1-6/+6
Type: fix add UT for sneding handshale init and transport packets Signed-off-by: Neale Ranns <nranns@cisco.com> Change-Id: Iab1ed8864c666d5a0ae0b2364a9ca4de3c8770dc
2020-09-09wireguard: initial implementation of wireguard protocolArtem Glazychev1-0/+451
Type: feature The main information about plugin you can see in README.md vpp# wireguard ? wireguard create wireguard create listen-port <port> private-key <key> src <IP> [generate-key] wireguard delete wireguard delete <interface> wireguard peer add wireguard peer add <wg_int> public-key <pub_key_other>endpoint <ip4_dst> allowed-ip <prefix>dst-port [port_dst] persistent-keepalive [keepalive_interval] wireguard peer remove wireguard peer remove <index> Change-Id: I85eb0bfc033ccfb2045696398d8a108b1c64b8d9 Signed-off-by: Artem Glazychev <artem.glazychev@xored.com> Signed-off-by: Damjan Marion <damarion@cisco.com> Signed-off-by: Jim Thompson <jim@netgate.com> Signed-off-by: Neale Ranns <nranns@cisco.com> Signed-off-by: Damjan Marion <damarion@cisco.com>