From b9e391e7b08ed8f6f32401eae5d6525aab904737 Mon Sep 17 00:00:00 2001 From: Artem Glazychev Date: Tue, 25 Oct 2022 18:48:40 +0700 Subject: wireguard: compute checksum for outer ipv6 header Type: fix Signed-off-by: Artem Glazychev Change-Id: I477e92712e441c91789afdf9be389d967acfa799 --- src/plugins/wireguard/wireguard_output_tun.c | 31 ++++++++++++++++++++++++++++ src/plugins/wireguard/wireguard_send.c | 12 +++++++++-- 2 files changed, 41 insertions(+), 2 deletions(-) (limited to 'src/plugins') diff --git a/src/plugins/wireguard/wireguard_output_tun.c b/src/plugins/wireguard/wireguard_output_tun.c index d1b1d6bb8f0..f613d6c0c16 100644 --- a/src/plugins/wireguard/wireguard_output_tun.c +++ b/src/plugins/wireguard/wireguard_output_tun.c @@ -307,6 +307,22 @@ error: return ret; } +static_always_inline void +wg_calc_checksum (vlib_main_t *vm, vlib_buffer_t *b) +{ + int bogus = 0; + u8 ip_ver_out = (*((u8 *) vlib_buffer_get_current (b)) >> 4); + + /* IPv6 UDP checksum is mandatory */ + if (ip_ver_out == 6) + { + ip6_header_t *ip6 = + (ip6_header_t *) ((u8 *) vlib_buffer_get_current (b)); + udp_header_t *udp = ip6_next_header (ip6); + udp->checksum = ip6_tcp_udp_icmp_compute_checksum (vm, b, ip6, &bogus); + } +} + /* is_ip4 - inner header flag */ always_inline uword wg_output_tun_inline (vlib_main_t *vm, vlib_node_runtime_t *node, @@ -555,6 +571,14 @@ wg_output_tun_inline (vlib_main_t *vm, vlib_node_runtime_t *node, /* wg-output-process-ops */ wg_output_process_ops (vm, node, ptd->crypto_ops, sync_bufs, nexts, drop_next); + + int n_left_from_sync_bufs = n_sync; + while (n_left_from_sync_bufs > 0) + { + n_left_from_sync_bufs--; + wg_calc_checksum (vm, sync_bufs[n_left_from_sync_bufs]); + } + vlib_buffer_enqueue_to_next (vm, node, sync_bi, nexts, n_sync); } if (n_async) @@ -627,6 +651,11 @@ wg_output_tun_post (vlib_main_t *vm, vlib_node_runtime_t *node, next[2] = (wg_post_data (b[2]))->next_index; next[3] = (wg_post_data (b[3]))->next_index; + wg_calc_checksum (vm, b[0]); + wg_calc_checksum (vm, b[1]); + wg_calc_checksum (vm, b[2]); + wg_calc_checksum (vm, b[3]); + if (PREDICT_FALSE (node->flags & VLIB_NODE_FLAG_TRACE)) { if (b[0]->flags & VLIB_BUFFER_IS_TRACED) @@ -671,6 +700,8 @@ wg_output_tun_post (vlib_main_t *vm, vlib_node_runtime_t *node, while (n_left > 0) { + wg_calc_checksum (vm, b[0]); + next[0] = (wg_post_data (b[0]))->next_index; if (PREDICT_FALSE ((node->flags & VLIB_NODE_FLAG_TRACE) && (b[0]->flags & VLIB_BUFFER_IS_TRACED))) diff --git a/src/plugins/wireguard/wireguard_send.c b/src/plugins/wireguard/wireguard_send.c index adfa5cac3de..72fa11034bf 100644 --- a/src/plugins/wireguard/wireguard_send.c +++ b/src/plugins/wireguard/wireguard_send.c @@ -41,7 +41,8 @@ ip46_enqueue_packet (vlib_main_t *vm, u32 bi0, int is_ip4) } static void -wg_buffer_prepend_rewrite (vlib_buffer_t *b0, const u8 *rewrite, u8 is_ip4) +wg_buffer_prepend_rewrite (vlib_main_t *vm, vlib_buffer_t *b0, + const u8 *rewrite, u8 is_ip4) { if (is_ip4) { @@ -72,6 +73,13 @@ wg_buffer_prepend_rewrite (vlib_buffer_t *b0, const u8 *rewrite, u8 is_ip4) hdr6->ip6.payload_length = hdr6->udp.length = clib_host_to_net_u16 (b0->current_length - sizeof (ip6_header_t)); + + /* IPv6 UDP checksum is mandatory */ + int bogus = 0; + ip6_header_t *ip6_0 = &(hdr6->ip6); + hdr6->udp.checksum = + ip6_tcp_udp_icmp_compute_checksum (vm, b0, ip6_0, &bogus); + ASSERT (bogus == 0); } } @@ -93,7 +101,7 @@ wg_create_buffer (vlib_main_t *vm, const u8 *rewrite, const u8 *packet, b0->current_length = packet_len; - wg_buffer_prepend_rewrite (b0, rewrite, is_ip4); + wg_buffer_prepend_rewrite (vm, b0, rewrite, is_ip4); return true; } -- cgit 1.2.3-korg