/*
 * Copyright (c) 2020 Doc.ai and/or its affiliates.
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at:
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

#include <vnet/vnet.h>
#include <vnet/fib/ip6_fib.h>
#include <vnet/fib/ip4_fib.h>
#include <vnet/fib/fib_entry.h>
#include <vnet/ip/ip6_link.h>
#include <vnet/pg/pg.h>
#include <vnet/udp/udp.h>
#include <vppinfra/error.h>
#include <wireguard/wireguard.h>
#include <wireguard/wireguard_send.h>

static int
ip46_enqueue_packet (vlib_main_t * vm, u32 bi0, int is_ip6)
{
  vlib_frame_t *f = 0;
  u32 lookup_node_index =
    is_ip6 ? ip6_lookup_node.index : ip4_lookup_node.index;

  f = vlib_get_frame_to_node (vm, lookup_node_index);
  /* f can not be NULL here - frame allocation failure causes panic */

  u32 *to_next = vlib_frame_vector_args (f);
  f->n_vectors = 1;
  to_next[0] = bi0;

  vlib_put_frame_to_node (vm, lookup_node_index, f);

  return f->n_vectors;
}

static void
wg_buffer_prepend_rewrite (vlib_buffer_t * b0, const wg_peer_t * peer)
{
  ip4_udp_header_t *hdr;

  vlib_buffer_advance (b0, -sizeof (*hdr));

  hdr = vlib_buffer_get_current (b0);
  clib_memcpy (hdr, peer->rewrite, vec_len (peer->rewrite));

  hdr->udp.length =
    clib_host_to_net_u16 (b0->current_length - sizeof (ip4_header_t));
  ip4_header_set_len_w_chksum (&hdr->ip4,
			       clib_host_to_net_u16 (b0->current_length));
}

static bool
wg_create_buffer (vlib_main_t * vm,
		  const wg_peer_t * peer,
		  const u8 * packet, u32 packet_len, u32 * bi)
{
  u32 n_buf0 = 0;
  vlib_buffer_t *b0;

  n_buf0 = vlib_buffer_alloc (vm, bi, 1);
  if (!n_buf0)
    return false;

  b0 = vlib_get_buffer (vm, *bi);

  u8 *payload = vlib_buffer_get_current (b0);
  clib_memcpy (payload, packet, packet_len);

  b0->current_length = packet_len;

  wg_buffer_prepend_rewrite (b0, peer);

  return true;
}

bool
wg_send_handshake (vlib_main_t * vm, wg_peer_t * peer, bool is_retry)
{
  wg_main_t *wmp = &wg_main;
  message_handshake_initiation_t packet;

  if (!is_retry)
    peer->timer_handshake_attempts = 0;

  if (!wg_birthdate_has_expired (peer->last_sent_handshake,
				 REKEY_TIMEOUT) || peer->is_dead)
    {
      return true;
    }
  if (noise_create_initiation (wmp->vlib_main,
			       &peer->remote,
			       &packet.sender_index,
			       packet.unencrypted_ephemeral,
			       packet.encrypted_static,
			       packet.encrypted_timestamp))
    {
      f64 now = vlib_time_now (vm);
      packet.header.type = MESSAGE_HANDSHAKE_INITIATION;
      cookie_maker_mac (&peer->cookie_maker, &packet.macs, &packet,
			sizeof (packet));
      wg_timers_any_authenticated_packet_traversal (peer);
      wg_timers_any_authenticated_packet_sent (peer);
      peer->last_sent_handshake = now;
      wg_timers_handshake_initiated (peer);
    }
  else
    return false;
  u32 bi0 = 0;
  if (!wg_create_buffer (vm, peer, (u8 *) & packet, sizeof (packet), &bi0))
    return false;
  ip46_enqueue_packet (vm, bi0, false);

  return true;
}

bool
wg_send_keepalive (vlib_main_t * vm, wg_peer_t * peer)
{
  wg_main_t *wmp = &wg_main;
  u32 size_of_packet = message_data_len (0);
  message_data_t *packet = clib_mem_alloc (size_of_packet);
  u32 bi0 = 0;
  bool ret = true;
  enum noise_state_crypt state;

  if (!peer->remote.r_current)
    {
      wg_send_handshake (vm, peer, false);
      goto out;
    }

  state =
    noise_remote_encrypt (wmp->vlib_main,
			  &peer->remote,
			  &packet->receiver_index,
			  &packet->counter, NULL, 0, packet->encrypted_data);
  switch (state)
    {
    case SC_OK:
      break;
    case SC_KEEP_KEY_FRESH:
      wg_send_handshake (vm, peer, false);
      break;
    case SC_FAILED:
      ret = false;
      goto out;
    default:
      break;
    }
  packet->header.type = MESSAGE_DATA;

  if (!wg_create_buffer (vm, peer, (u8 *) packet, size_of_packet, &bi0))
    {
      ret = false;
      goto out;
    }

  ip46_enqueue_packet (vm, bi0, false);
  wg_timers_any_authenticated_packet_traversal (peer);
  wg_timers_any_authenticated_packet_sent (peer);

out:
  clib_mem_free (packet);
  return ret;
}

bool
wg_send_handshake_response (vlib_main_t * vm, wg_peer_t * peer)
{
  wg_main_t *wmp = &wg_main;
  message_handshake_response_t packet;

  peer->last_sent_handshake = vlib_time_now (vm);

  if (noise_create_response (vm,
			     &peer->remote,
			     &packet.sender_index,
			     &packet.receiver_index,
			     packet.unencrypted_ephemeral,
			     packet.encrypted_nothing))
    {
      f64 now = vlib_time_now (vm);
      packet.header.type = MESSAGE_HANDSHAKE_RESPONSE;
      cookie_maker_mac (&peer->cookie_maker, &packet.macs, &packet,
			sizeof (packet));

      if (noise_remote_begin_session (wmp->vlib_main, &peer->remote))
	{
	  wg_timers_session_derived (peer);
	  wg_timers_any_authenticated_packet_traversal (peer);
	  wg_timers_any_authenticated_packet_sent (peer);
	  peer->last_sent_handshake = now;

	  u32 bi0 = 0;
	  if (!wg_create_buffer (vm, peer, (u8 *) & packet,
				 sizeof (packet), &bi0))
	    return false;

	  ip46_enqueue_packet (vm, bi0, false);
	}
      else
	return false;
    }
  else
    return false;
  return true;
}

/*
 * fd.io coding-style-patch-verification: ON
 *
 * Local Variables:
 * eval: (c-set-style "gnu")
 * End:
 */