The NetBSD Project

CVS log for src/sys/net/if_wg.c




Keyword substitution: kv
Default branch: MAIN


Revision 1.133: download - view: text, markup, annotated - select for diffs
Thu Nov 28 15:35:27 2024 UTC (12 days, 9 hours ago) by riastradh
Branches: MAIN
CVS tags: HEAD
Diff to: previous 1.132: preferred, colored
Changes since revision 1.132: +4 -3 lines
wg(4): Avoid spurious kassert for harmless race in session retry.

If we have already transitioned away from INIT_ACTIVE by the time the
retry timer has fired, the handshake start time may have been zeroed,
but that's harmless.  So don't kassert about it until after we've
verified we're still in INIT_ACTIVE state.

PR kern/58859: KASSERT in wg_task_retry_handshake

Revision 1.71.2.4: download - view: text, markup, annotated - select for diffs
Wed Oct 9 11:15:39 2024 UTC (2 months ago) by martin
Branches: netbsd-10
Diff to: previous 1.71.2.3: preferred, colored; branchpoint 1.71: preferred, colored; next MAIN 1.72: preferred, colored
Changes since revision 1.71.2.3: +960 -422 lines
Pull up following revision(s) (requested by riastradh in ticket #934):

	sys/net/if_wg.c: revision 1.117
	sys/net/if_wg.c: revision 1.118
	sys/net/if_wg.c: revision 1.119
	sys/net/if_wg.c: revision 1.80
	sys/net/if_wg.c: revision 1.81
	tests/net/if_wg/t_misc.sh: revision 1.13
	sys/net/if_wg.c: revision 1.82
	sys/net/if_wg.c: revision 1.130
	tests/net/if_wg/t_misc.sh: revision 1.14
	sys/net/if_wg.c: revision 1.83
	sys/net/if_wg.c: revision 1.131
	tests/net/if_wg/t_misc.sh: revision 1.15
	sys/net/if_wg.c: revision 1.84
	sys/net/if_wg.c: revision 1.132
	tests/net/if_wg/t_misc.sh: revision 1.16
	sys/net/if_wg.c: revision 1.85
	sys/net/if_wg.c: revision 1.86
	tests/net/if_wg/t_basic.sh: revision 1.5
	sys/net/if_wg.c: revision 1.87
	tests/net/if_wg/t_basic.sh: revision 1.6
	sys/net/if_wg.c: revision 1.88
	sys/net/if_wg.c: revision 1.89
	sys/net/if_wg.c: revision 1.100
	sys/net/if_wg.c: revision 1.101
	sys/net/if_wg.c: revision 1.102
	sys/net/if_wg.c: revision 1.103
	sys/net/if_wg.c: revision 1.104
	sys/net/if_wg.c: revision 1.105
	sys/net/if_wg.c: revision 1.106
	sys/net/if_wg.c: revision 1.107
	sys/net/if_wg.c: revision 1.108
	sys/net/if_wg.c: revision 1.109
	sys/net/if_wg.c: revision 1.120
	sys/net/if_wg.c: revision 1.121
	sys/net/if_wg.c: revision 1.122
	sys/net/if_wg.c: revision 1.123
	sys/net/if_wg.c: revision 1.124
	sys/net/if_wg.c: revision 1.75
	sys/net/if_wg.c: revision 1.77
	sys/net/if_wg.c: revision 1.125
	sys/net/if_wg.c: revision 1.126
	sys/net/if_wg.c: revision 1.79
	sys/net/if_wg.c: revision 1.127
	sys/net/if_wg.c: revision 1.128
	sys/net/if_wg.c: revision 1.129
	sys/net/if_wg.c: revision 1.90
	sys/net/if_wg.c: revision 1.91
	sys/net/if_wg.c: revision 1.92
	sys/net/if_wg.c: revision 1.93
	sys/net/if_wg.c: revision 1.94
	sys/net/if_wg.c: revision 1.95
	sys/net/if_wg.c: revision 1.96
	sys/net/if_wg.c: revision 1.97
	sys/net/if_wg.c: revision 1.98
	sys/net/if_wg.c: revision 1.99
	sys/net/if_wg.c: revision 1.110
	sys/net/if_wg.c: revision 1.111
	sys/net/if_wg.c: revision 1.112
	sys/net/if_wg.c: revision 1.113
	sys/net/if_wg.c: revision 1.114
	sys/net/if_wg.c: revision 1.115
	sys/net/if_wg.c: revision 1.116

fix simple mis-matched function prototype and definitions.
most of these are like, eg
   void foo(int[2]);
with either of these
   void foo(int*) { ... }
   void foo(int[]) { ... }
in some cases (such as stat or utimes* calls found in our header files),
we now match standard definition from opengroup.
found by GCC 12.

sys: Drop redundant NULL check before m_freem(9)
m_freem(9) has safely accepted a NULL argument at least since 4.2BSD:
https://www.tuhs.org/cgi-bin/utree.pl?file=4.2BSD/usr/src/sys/sys/uipc_mbuf.c
Compile-tested on amd64/ALL.
Suggested by knakahara@

Add a wg_debug variable to split between debug/trace/dump messages

Add more debugging in packet validation

If any of the WG_DEBUG_XXX symbols happens to be defined (say, from a
stray rump Makefile...) then we now must have WG_DEBUG also defined, so
if it wasn't, make it so.

While the previous change fixed the broken build, it wasn't the best
way, as defining any of the WG_DEBUG_XXX symbols then effectively
defined all of them - making them as separate entities, pointless.

So, rearrange the way things are done a little to avoid doing that.

Add packet dump debugging
fix size limit calculation in dump and NULL checks
use hexdump...

Fix 32 bit (32 bit size_t) WG_DEBUG builds - use %zu rather than %lu
to print size_t values.

There's a new WG_DEBUG_XXX ( XXX==PACKET ) to deal with now.  That needs
WG_DEBUG defined as well, if set.

Make the debug (WG_DEBUG) func gethexdump() always return a valid
pointer, never NULL, so it doesn't need to be tested before being
printed, which was being done sometimes, but not always.

Add more debugging from Taylor

wg(4): Allow modunload before any interface creation.

The workqueue and pktq are both lazily created, for annoying module
initialization order reasons, so they may not have been created by
the time of modunload.
PR kern/58470

Limit the size of the packet, and print ... if it is bigger. (from kre@)

wg(4): Rework some details of internal session state machine.

This way:
- There is a clear transition between when a session is being set up,
  and when it is exposed to the data rx path (wg_handle_msg_data):
  atomic_store_release to set wgs->wgs_state to INIT_PASSIVE or
  ESTABLISHED.
  (The transition INIT_PASSIVE -> ESTABLISHED is immaterial to the
  data rx path, so that's just atomic_store_relaxed.  Similarly the
  transition to DESTROYING.)
- There is a clear transition between when a session is being set up,
  and when it is exposed to the data tx path (wg_output):
  atomic_store_release to set wgp->wgp_session_stable to it.
- Every path that reinitializes a session must go through
  wg_destroy_session via wg_put_index_session first.  This avoids
  races between session reuse and the data rx/tx paths.
- Add a log message at the time of every state transition.
Prompted by:
PR kern/55729: net/if_wg/t_misc:wg_rekey test case fails
PR kern/56252: wg(4) state machine has race conditions
PR kern/58463: if_wg does not work when idle.

wg(4): Fix logic to ensure session initiation is underway.

Previously, wg_task_send_init_message would call
wg_send_handshake_msg_init if either:
(a) the stable session is UNKNOWN, meaning a session has not yet been
    established, either by us or by the peer (but it could be in
    progress); or
(b) the stable session is not UNKNOWN but the unstable session is
    _not_ INIT_ACTIVE, meaning there is an established session and we
    are not currently initiating a new session.

If wg_output (or wgintr) found no established session while there was
already a session being initiated, we may only enter
wg_task_send_init_message after the session is already established,
and trigger spurious reinitiation.

Instead, create a separate flag to indicate whether it is mandatory
to rekey because limits have passed.  Then create a session only if:
(a) the stable session is not ESTABLISHED, or
(b) the mandatory rekey flag is not set,
and clear the mandatory rekey flag.

While here, arrange to do rekey-after-time on tx, not on callout.  If
there's no data to tx, we shouldn't reinitiate a session -- we should
stay quiet on the network.

PR kern/55729: net/if_wg/t_misc:wg_rekey test case fails

PR kern/56252: wg(4) state machine has race conditions

PR kern/58463: if_wg does not work when idle.

wg(4): Use callout_halt, not callout_stop.
It's possible that callout_stop might work here, but let's simplify
reasoning about it -- the timers in question only take the peer intr
lock, so it's safe to wait for them while holding the peer lock in
the handshake worker thread.

We may have to undo the task bit but that will take a bit more
analysis to determine.
Prompted by (but probably won't fix anything in):
PR kern/55729: net/if_wg/t_misc:wg_rekey test case fails
PR kern/56252: wg(4) state machine has race conditions
PR kern/58463: if_wg does not work when idle.

wg(4): Omit needless pserialize_perform on transition to DESTROYING.

A session can still be used when it is in the DESTROYING state, so
there's no need to wait for users to drain here -- that's the whole
point of a separate DESTROYING state.

It is only the transition from DESTROYING back to UNKNOWN, after the
session has been unpublished so no new users can begin, that requires
waiting for all users to drain, and we already do that in
wg_destroy_session.

Prompted by (but won't fix anything in, because this is just a
performance optimization):
PR kern/55729: net/if_wg/t_misc:wg_rekey test case fails
PR kern/56252: wg(4) state machine has race conditions
PR kern/58463: if_wg does not work when idle.

wg(4): Expand cookie secret to 32 bytes.
This is only relevant for denial of service mitigation, so it's not
that big a deal, and the spec doesn't say anything about the size,
but let's make it the standard key size.

PR kern/58479: experimental wg(4) uses 32-bit cookie secret, not
32-byte cookie secret

wg(4): Mark wgp_pending volatile to reflect its usage.
Prompted by (but won't fix any part of):
PR kern/55729: net/if_wg/t_misc:wg_rekey test case fails
PR kern/56252: wg(4) state machine has race conditions
PR kern/58463: if_wg does not work when idle.

wg(4): Fix session destruction.
Schedule destruction as soon as the session is created, to ensure key
erasure within 2*reject-after-time seconds.  Previously, we would
schedule destruction of the previous session 1 second after the next
one has been established.  Combined with a failure to update the
state machine on keepalive packets, this led to temporary deadlock
scenarios.

To keep it simple, there's just one callout which runs every
reject-after-time seconds and erases keys in sessions older than
reject-after-time, so if a session is established the moment after it
runs, the keys might not be erased until (2-eps)*reject-after-time
seconds.
PR kern/55729: net/if_wg/t_misc:wg_rekey test case fails
PR kern/56252: wg(4) state machine has race conditions
PR kern/58463: if_wg does not work when idle.

wg(4): Reject rx on sessions older than reject-after-time sec.
Prompted by (but won't fix anything in):
PR kern/55729: net/if_wg/t_misc:wg_rekey test case fails
PR kern/56252: wg(4) state machine has race conditions
PR kern/58463: if_wg does not work when idle.

wg(4): On rx of valid ciphertext, make sure to update state machine.

Previously, we also required the plaintext to be a plausible-looking
IP packet before updating the state machine.

But keepalive packets are empty -- and if the peer initiated the
session to rekey after last tx but had no more data to tx, it will
send a keepalive to finish session initiation.
If we didn't update the state machine in that case, we would stay in
INIT_PASSIVE state unable to tx on the session, which would make
things hang.

So make sure to always update the state machine once we have accepted
a packet as genuine, even if it's genuine garbage on the inside.
PR kern/55729: net/if_wg/t_misc:wg_rekey test case fails
PR kern/56252: wg(4) state machine has race conditions
PR kern/58463: if_wg does not work when idle.

wg(4): Make sure to update endpoint on keepalive packets too.
Prompted by:
PR kern/55729: net/if_wg/t_misc:wg_rekey test case fails
PR kern/56252: wg(4) state machine has race conditions
PR kern/58463: if_wg does not work when idle.

tests/net/if_wg/t_misc: Tweak timeouts in wg_handshake_timeout.

Most of the timers in wg(4) have only 1sec resolution, which might be
rounded in either direction, so make sure there's a 2sec buffer on
either side of the event we care about (the point at which wg(4)
decides to stop retrying handshake).

Won't fix any bugs, but might make the tests slightly less flaky.
PR kern/55729: net/if_wg/t_misc:wg_rekey test case fails
PR kern/56252: wg(4) state machine has race conditions

tests/net/if_wg/t_misc: Elaborate in wg_rekey debug messages.

Helpful for following the test log when things go wrong.
PR kern/55729: net/if_wg/t_misc:wg_rekey test case fails
PR kern/56252: wg(4) state machine has race conditions
PR kern/58463: if_wg does not work when idle.

wg(4): Tests should pass now.

PR kern/55729: net/if_wg/t_misc:wg_rekey test case fails
PR kern/56252: wg(4) state machine has race conditions
PR kern/58463: if_wg does not work when idle.

wg(4): Use 32-bit for times handled in rx/tx paths.

The rx and tx paths require unlocked access to wgs_time_established
(to decide whether it's time to rekey) and wgs_time_last_data_sent
(to decide whether we need to reply to incoming data with a keepalive
packet), so do it with atomic_load/store_*.

On 32-bit platforms, we may not be able to do that on time_t.

However, since sessions only last for a few minutes before
reject-after-time kicks in and they are erased, 32 bits is plenty to
record the durations that we need to record here, so this shouldn't
introduce any new bugs even on hosts that exceed 136 years of uptime.
Prompted by:
PR kern/55729: net/if_wg/t_misc:wg_rekey test case fails
PR kern/56252: wg(4) state machine has race conditions
PR kern/58463: if_wg does not work when idle.

wg(4): Make time_uptime32 work in netbsd<=10.

This is the low 32 bits of time_uptime.
Will simplify pullups to 10 for:
PR kern/55729: net/if_wg/t_misc:wg_rekey test case fails
PR kern/56252: wg(4) state machine has race conditions
PR kern/58463: if_wg does not work when idle.

wg(4): Fix quotation in comment.
Prompted by:
PR kern/55729: net/if_wg/t_misc:wg_rekey test case fails
PR kern/56252: wg(4) state machine has race conditions
PR kern/58463: if_wg does not work when idle.

wg(4): Process all altq'd packets when deleting peer.

Can't just drop them because we can only go through all packets on an
interface at a time, for all peers -- so we'd either have to drop all
peers' packets, or requeue the packets for other peers.  Probably not
worth the trouble, so let's just wait for all the packets currently
queued up to go through first.

This requires reordering teardown so that we wg_destroy_all_peers,
and thus wg_purge_pending_packets, _before_ we wg_if_detach, because
wg_if_detach -> if_detach destroys the lock that IFQ_DEQUEUE uses.

PR kern/58477: experimental wg(4) ALTQ support is probably buggy

wg(4): Tidy up error branches.
No functional change intended, except to add some log messages in
failure cases.
Cleanup after:
PR kern/55729: net/if_wg/t_misc:wg_rekey test case fails
PR kern/56252: wg(4) state machine has race conditions
PR kern/58463: if_wg does not work when idle.

wg(4): Be more consistent about #ifdef INET/INET6.
PR kern/58478: experimental wg(4) probably doesn't build with
INET6-only

wg(4): Parenthesize macro expansions properly.

PR kern/58480: experimental wg(4) sliding window logic has oopsie

wg(4): Delete temporary hacks to dump keys and packets.
No longer useful for:
PR kern/55729: net/if_wg/t_misc:wg_rekey test case fails
PR kern/56252: wg(4) state machine has race conditions
PR kern/58463: if_wg does not work when idle.

wg(4): Explain why gethexdump/puthexdump is there, and tidy.
This way I will not be tempted to replace it by in-line calls to
libkern hexdump.
PR kern/55729: net/if_wg/t_misc:wg_rekey test case fails
PR kern/56252: wg(4) state machine has race conditions
PR kern/58463: if_wg does not work when idle.

wg(4): Put force_rekey state in the session, not the peer.
That way, there is a time when one thread has exclusive access to the
state, in wg_destroy_session under the peer lock, when we can clear
the state without racing against the data tx path.
This will work more reliably than the atomic_swap_uint I used before.
Noted by kre@.
PR kern/55729: net/if_wg/t_misc:wg_rekey test case fails
PR kern/56252: wg(4) state machine has race conditions
PR kern/58463: if_wg does not work when idle.

wg(4): Sprinkle static on fixed-size array parameters.

Let's make the static size declarations useful.
No functional change intended.

wg(4): Queue pending packet in FIFO order, not LIFO order.

Sometimes the session takes seconds to establish, for whatever
reason.  It is better if the pending packet, which we queue up to
send as soon as we get the responder's handshake response, is the
most recent packet, rather than the first packet.

That way, we don't wind up with a weird multi-second-delayed ping,
followed by a bunch of dropped, followed by normal ping timings, or
wind up sending the first TCP SYN instead of the most recent, or what
have you.  Senders need to be prepared to retransmit anyway if
packets are dropped.

PR kern/58508: experimental wg(4) queues LIFO, not FIFO, pending
first handshake

wg(4): Sprinkle comments into wg_swap_sessions.
No functional change intended.
Prompted by:
PR kern/55729: net/if_wg/t_misc:wg_rekey test case fails
PR kern/56252: wg(4) state machine has race conditions
PR kern/58463: if_wg does not work when idle.

wg(4): No need for atomic access to wgs_time_established in tx/rx.

This is stable while the session is visible to the tx/rx paths -- it
is initialized before the session is exposed to tx/rx, and doesn't
change until the session is no longer used by any tx/rx path and has
been recycled.

When I sprinkled atomic access to wgs_time_established in if_wg.c
rev. 1.104, it was a vestige of an uncommitted draft that did the
transition from INIT_PASSIVE to ESTABLISHED in the tx path itself, in
an attempt to enable prompter tx on the new session as soon as it is
established.  This turned out to be unnecessary, so I reverted most
of it, but forgot that wgs_time_established no longer needed atomic
treatment.

We could go back to using time_t and time_uptime, now that there's no
need to do atomic loads and stores on these quantities. But there's
no point in 64-bit arithmetic when the time differences are all
guaranteed bounded by a few minutes, so keeping it 32-bit is probably
a slight performance improvement on 32-bit systems.
(In contrast, wgs_time_last_data_sent is both written and read in the
tx path, which may run in parallel on multiple CPUs, so it still
requires the atomic treatment.)
Tidying up for:
PR kern/55729: net/if_wg/t_misc:wg_rekey test case fails
PR kern/56252: wg(4) state machine has race conditions
PR kern/58463: if_wg does not work when idle.

wg(4): Fix memory ordering in detach.
PR kern/58510: experimental wg(4) lacks memory ordering between
wg_count_dec and module unload

wg(4): Fix typo in comment recently added.
Comment added in the service of:
PR kern/55729: net/if_wg/t_misc:wg_rekey test case fails
PR kern/56252: wg(4) state machine has race conditions
PR kern/58463: if_wg does not work when idle.

wg(4): Omit needless atomic_load.
wgs_local_index is only ever written to while only one thread has
access to it and it is not in the thmap -- before it is published in
wg_get_session_index, and after it is unpublished in
wg_destroy_session.  So no need for atomic_load -- it is stable if we
observe it in thmap_get result.
(Of course this is only for an assertion, which if tripped obviously
indicates a violation of our assumptions.  But if that happens, well,
in the worst case we'll see a weird assertion message claiming that
the index is not equal to itself, from which we can conclude
there must have been a concurrent update, which is good enough to
help diagnose that problem without any atomic_load.)

Tidying some of the changes for:
PR kern/55729: net/if_wg/t_misc:wg_rekey test case fails
PR kern/56252: wg(4) state machine has race conditions
PR kern/58463: if_wg does not work when idle.

wg(4): Sprinkle comments on internal sliding window API.
Post-fix tidying for:
PR kern/58480: experimental wg(4) sliding window logic has oopsie

wg(4): Deduplicate session establishment actions.
The actions to
(a) record the last handshake time,
(b) clear some handshake state,
(c) transmit first data if queued, or (if initiator) keepalive, and
(d) begin destroying the old session,
were formerly duplicated between wg_handle_msg_resp (for when we're
the initiator) and wg_task_establish_session (for when we're the
responder).

Instead, let's factor this out into wg_swap_session so there's only
one copy of the logic.
This requires moving wg_update_endpoint_if_necessary a little earlier
in wg_handle_msg_resp -- which should be done anyway so that the
endpoint is updated _before_ the session is published for the data tx
path to use.

Other than moving wg_update_endpoint_if_necessary a little earlier,
no functional change intended.
Post-fix tidying for:
PR kern/55729: net/if_wg/t_misc:wg_rekey test case fails
PR kern/56252: wg(4) state machine has race conditions
PR kern/58463: if_wg does not work when idle.

wg(4): Read wgs_state atomically in wg_get_stable_session.
As noted in the comment above, it may concurrently transition from
ESTABLISHED to DESTROYING.
Post-fix tidying for:
PR kern/55729: net/if_wg/t_misc:wg_rekey test case fails
PR kern/56252: wg(4) state machine has race conditions
PR kern/58463: if_wg does not work when idle.

wg(4): Force rekey on tx if session is older than reject-after-time.
One more corner case for:
PR kern/55729: net/if_wg/t_misc:wg_rekey test case fails
PR kern/56252: wg(4) state machine has race conditions
PR kern/58463: if_wg does not work when idle.

wg(4): Add missing barriers around wgp_pending access.
PR kern/58520: experimental wg(4) lacks barriers around access to
packet pending initiation

wg(4): Trigger session initiation in wgintr, not in wg_output.

We have to look up the session in wgintr anyway, for
wg_send_data_msg.  By triggering session initiation in wgintr instead
of wg_output, we can skip the stable session lookup and reference in
wg_output -- simpler that way.
Post-fix tidying for:
PR kern/55729: net/if_wg/t_misc:wg_rekey test case fails
PR kern/56252: wg(4) state machine has race conditions
PR kern/58463: if_wg does not work when idle.

wg(4): Queue packet for post-handshake retransmit if limits are hit.
PR kern/58521: experimental wg(4) may drop packet after minutes of quiet

wg(4): When a session is established, send first packet directly.

Like we would do with the keepalive packet, if we had to send that
instead -- no need to defer it to the pktq.  Keep it simple.
Post-fix tidying for:
PR kern/55729: net/if_wg/t_misc:wg_rekey test case fails
PR kern/56252: wg(4) state machine has race conditions
PR kern/58463: if_wg does not work when idle.

wg(4): Sprinkle volatile on variables requiring atomic access.
No functional change intended, since the relevant access is always
done with atomic_* when it might race with concurrent access -- and
really this should be _Atomic or something.  But for now our
atomic_ops(9) API is still spelled with volatile, so we'll use that.
Post-fix tidying for:
PR kern/55729: net/if_wg/t_misc:wg_rekey test case fails
PR kern/56252: wg(4) state machine has race conditions
PR kern/58463: if_wg does not work when idle.

wg(4): Make a rule for who wins when both peers send INIT at once.
The rule is that the peer with the numerically smaller public key
hash, in little-endian, takes priority iff the low order bit of
H(peer A pubkey) ^ H(peer B pubkey) ^ H(posix minutes as le64)
is 0, and the peer with the lexicographically larger public key takes
priority iff the low-order bit is 1.

Another case of:
PR kern/56252: wg(4) state machine has race conditions
PR kern/58463: if_wg does not work when idle.

This one is, as far as I can tell, simply a deadlock in the protocol
of the whitepaper -- until both sides give up on the handshake and
one of them (but not both) later decides to try sending data again.
(But not related to our t_misc:wg_rekey test, as far as I can tell,
and I haven't put enough thought into how to reliably trigger this
race to write a new automatic test for it.)

wg(4): Add Internet Archive links for the versions cited.
No functional change.

tests/net/if_wg/t_misc: Add some diagnostics.
PR kern/55729: net/if_wg/t_misc:wg_rekey test case fails

wg(4): Test truncated UDP input from the network.
This triggers double-free in the IPv6 udp6_input path -- but,
confusingly, not the IPv4 udp_input path, even though the overudp_cb
interface ought to be the same:
/* udp_input -- no further use of m if return is -1 */
        if ((n = udp4_realinput(&src, &dst, &m, iphlen)) == -1) {
                UDP_STATINC(UDP_STAT_HDROPS);
                return;
        }
/* udp6_input -- m_freem if return is not 0 */
        if (udp6_realinput(AF_INET6, &src, &dst, &m, off) == 0) {
...
        }
bad:
        m_freem(m);
        return IPPROTO_DONE;

The subroutines udp4_realinput and udp6_realinput pass through the
return value of overudp_cb in essentially the same way:
/* udp4_realinput */
                if (inp->inp_overudp_cb != NULL) {
                        int ret;
                        ret = inp->inp_overudp_cb(mp, off, inp->inp_socket,
                            sintosa(src), inp->inp_overudp_arg);
                        switch (ret) {
                        case -1: /* Error, m was freed */
                                rcvcnt = -1;
                                goto bad;
...
bad:
        return rcvcnt;
/* udp6_realinput */
                if (inp->inp_overudp_cb != NULL) {
                        int ret;
                        ret = inp->inp_overudp_cb(mp, off, inp->inp_socket,
                            sin6tosa(src), inp->inp_overudp_arg);
                        switch (ret) {
                        case -1: /* Error, m was freed */
                                rcvcnt = -1;
                                goto bad;
...
bad:
        return rcvcnt;

PR kern/58688: userland panic of kernel via wg(4)

wg(4): Fix wg_overudp_cb drop paths to null out *mp as caller needs.
PR kern/58688: userland panic of kernel via wg(4)
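
Added example, not code from if_wg.c: the 32-bit session-time arithmetic
described in the "Use 32-bit for times handled in rx/tx paths" and
"time_uptime32" messages above, together with the rx reject-after-time
and tx rekey checks. The function names are made up for this example;
the two timer values are the WireGuard whitepaper's 120 s and 180 s and
are not quoted on this page. The point the messages leave implicit is
why truncating to 32 bits is safe: unsigned subtraction is modulo 2^32,
so an age computed as now32 - established32 stays correct across a
counter wrap, whereas widening the two stamps to a signed type before
subtracting does not.

```c
#include <stdint.h>
#include <stdbool.h>

/*
 * Protocol timers from the WireGuard whitepaper, in seconds. They are
 * not quoted on this page and are given here as constants for the example.
 */
#define REKEY_AFTER_TIME	120u
#define REJECT_AFTER_TIME	180u

/* Low 32 bits of a 64-bit uptime counter, as the commit describes time_uptime32. */
static uint32_t
uptime32_from_uptime(uint64_t time_uptime)
{
	return (uint32_t)time_uptime;
}

/*
 * Age of a session in seconds. Unsigned subtraction is modulo 2^32, so the
 * result is right even after the 32-bit counter wraps, as long as the true
 * age is below 2^32 s; sessions live for minutes, so that always holds.
 */
static uint32_t
session_age(uint32_t now32, uint32_t established32)
{
	return now32 - established32;
}

/* rx path: reject data on a session older than reject-after-time. */
static bool
session_rx_allowed(uint32_t now32, uint32_t established32)
{
	return session_age(now32, established32) < REJECT_AFTER_TIME;
}

/* tx path: initiate a new session once rekey-after-time has elapsed. */
static bool
session_needs_rekey(uint32_t now32, uint32_t established32)
{
	return session_age(now32, established32) >= REKEY_AFTER_TIME;
}

/* tx path: past reject-after-time the old session must not be used at all. */
static bool
session_force_rekey(uint32_t now32, uint32_t established32)
{
	return session_age(now32, established32) >= REJECT_AFTER_TIME;
}

/*
 * The pitfall: widening the two 32-bit stamps to a signed 64-bit type before
 * subtracting yields a huge negative "age" across a wrap, so a session that
 * should be rekeyed looks brand new and the tx path keeps using stale keys.
 */
static int64_t
session_age_widened(uint32_t now32, uint32_t established32)
{
	return (int64_t)now32 - (int64_t)established32;
}

static bool
session_needs_rekey_widened(uint32_t now32, uint32_t established32)
{
	return session_age_widened(now32, established32) >= (int64_t)REKEY_AFTER_TIME;
}
```

With established32 = 0xFFFFFFF0 and now32 = 130 the counter has wrapped
and the true age is 146 s: session_age() returns 146 and reports a rekey
due, while session_age_widened() returns a negative number and misses it.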

Revision 1.132: download - view: text, markup, annotated - select for diffs
Tue Oct 8 02:29:40 2024 UTC (2 months ago) by riastradh
Branches: MAIN
Diff to: previous 1.131: preferred, colored
Changes since revision 1.131: +30 -8 lines
wg(4): Fix wg_overudp_cb drop paths to null out *mp as caller needs.

PR kern/58688: userland panic of kernel via wg(4)
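
Added example, not kernel code: a mock of the mbuf ownership contract
that this fix and the udp_input/udp6_input excerpts quoted in the pull-up
above are about. The struct, the callback names and the minimum message
length are constructed for the example; the mock m_freem records a second
free of the same buffer instead of corrupting memory, so the double free
can be counted rather than crashed on. The "before" callback frees the
truncated packet but leaves the caller's pointer dangling; the "after"
callback nulls out *mp, so the caller's unconditional m_freem(m) on its
error path is a no-op. A caller shaped like the udp4 excerpt, which makes
no further use of m on -1, is included to show why only the IPv6 path
double-freed.

```c
#include <stddef.h>

/* Constructed stand-in for struct mbuf; not the kernel's. */
struct mbuf {
	size_t len;
	int freed;
};

typedef int (*overudp_cb_t)(struct mbuf **);
typedef int (*input_fn_t)(struct mbuf *, overudp_cb_t);

static int frees, double_frees;

/* Like m_freem(9): NULL is a no-op. A repeat free is counted, not executed. */
static void
m_freem_mock(struct mbuf *m)
{
	if (m == NULL)
		return;
	if (m->freed)
		double_frees++;
	m->freed = 1;
	frees++;
}

#define MSG_MIN_LEN	32	/* hypothetical; real wg(4) sizes are not on this page */

/* Before the fix: the drop path frees *mp but leaves the pointer dangling. */
static int
overudp_cb_before(struct mbuf **mp)
{
	if ((*mp)->len < MSG_MIN_LEN) {
		m_freem_mock(*mp);
		return -1;	/* "m was freed", but *mp still points at it */
	}
	*mp = NULL;		/* accepted: the callback now owns the packet */
	return 0;
}

/* After the fix: the drop path nulls out *mp as the caller needs. */
static int
overudp_cb_after(struct mbuf **mp)
{
	if ((*mp)->len < MSG_MIN_LEN) {
		m_freem_mock(*mp);
		*mp = NULL;
		return -1;
	}
	*mp = NULL;
	return 0;
}

/* Shaped like the quoted udp6_input tail: any nonzero return ends in m_freem(m). */
static int
udp6_input_like(struct mbuf *m, overudp_cb_t cb)
{
	if (cb(&m) == 0)
		return 0;
	/* bad: */
	m_freem_mock(m);
	return -1;
}

/* Shaped like the quoted udp_input: no further use of m if return is -1. */
static int
udp4_input_like(struct mbuf *m, overudp_cb_t cb)
{
	if (cb(&m) == -1)
		return -1;
	return 0;
}

/* Feed one constructed, truncated datagram through the given caller and
 * callback; return the number of double frees observed. */
static int
truncated_input_double_frees(input_fn_t input, overudp_cb_t cb)
{
	struct mbuf m = { 8, 0 };	/* shorter than MSG_MIN_LEN */

	frees = double_frees = 0;
	(void)input(&m, cb);
	return double_frees;
}

static int
last_free_count(void)
{
	return frees;
}
```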

Revision 1.131: download - view: text, markup, annotated - select for diffs
Wed Jul 31 00:26:01 2024 UTC (4 months, 1 week ago) by riastradh
Branches: MAIN
Diff to: previous 1.130: preferred, colored
Changes since revision 1.130: +4 -2 lines
wg(4): Add Internet Archive links for the versions cited.

No functional change.

Revision 1.130: download - view: text, markup, annotated - select for diffs
Wed Jul 31 00:25:47 2024 UTC (4 months, 1 week ago) by riastradh
Branches: MAIN
Diff to: previous 1.129: preferred, colored
Changes since revision 1.129: +77 -6 lines
wg(4): Make a rule for who wins when both peers send INIT at once.

The rule is that the peer with the numerically smaller public key
hash, in little-endian, takes priority iff the low order bit of

H(peer A pubkey) ^ H(peer B pubkey) ^ H(posix minutes as le64)

is 0, and the peer with the lexicographically larger public key takes
priority iff the low-order bit is 1.

Another case of:

PR kern/56252: wg(4) state machine has race conditions
PR kern/58463: if_wg does not work when idle.

This one is, as far as I can tell, simply a deadlock in the protocol
of the whitepaper -- until both sides give up on the handshake and
one of them (but not both) later decides to try sending data again.

(But not related to our t_misc:wg_rekey test, as far as I can tell,
and I haven't put enough thought into how to reliably trigger this
race to write a new automatic test for it.)
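
Added example, not code from if_wg.c: the tie-break rule stated in this
commit message, written so that both peers can evaluate it and arrive at
the same winner, which is what breaks the simultaneous-INIT deadlock. The
hash function is not named on this page, so the three hashes are taken as
inputs rather than computed; the 32-byte length, the function names and
the handling of identical hashes are assumptions. The message describes
the bit-0 case numerically in little-endian and the bit-1 case as
lexicographic; this example uses the little-endian numerical comparison
for both, which is an assumption about the intended reading.

```c
#include <stdint.h>
#include <stddef.h>

#define HASH_LEN	32	/* assumed hash output size */

/* Encode the posix-minutes value as le64, the form the message says is hashed. */
static void
le64_encode(uint64_t v, uint8_t out[static 8])
{
	for (size_t i = 0; i < 8; i++)
		out[i] = (uint8_t)(v >> (8 * i));
}

static uint64_t
posix_minutes(uint64_t posix_seconds)
{
	return posix_seconds / 60;
}

/* Compare two hashes as little-endian integers: h[HASH_LEN-1] is most significant. */
static int
le_cmp(const uint8_t a[static HASH_LEN], const uint8_t b[static HASH_LEN])
{
	for (size_t i = HASH_LEN; i-- > 0;) {
		if (a[i] != b[i])
			return a[i] < b[i] ? -1 : 1;
	}
	return 0;
}

/*
 * Returns 0 if peer A's INIT takes priority, 1 if peer B's does.
 * hA = H(peer A pubkey), hB = H(peer B pubkey), hT = H(posix minutes as le64).
 * The low-order bit of hA ^ hB ^ hT is bit 0 of byte 0 in little-endian.
 */
static int
init_winner(const uint8_t hA[static HASH_LEN], const uint8_t hB[static HASH_LEN],
    const uint8_t hT[static HASH_LEN])
{
	int bit = (hA[0] ^ hB[0] ^ hT[0]) & 1;
	int c = le_cmp(hA, hB);
	int a_smaller;

	if (c == 0)
		return 0;	/* identical hashes: degenerate, pick A (assumption) */
	a_smaller = c < 0;
	/* bit 0: the smaller hash wins; bit 1: the larger hash wins. */
	return ((bit == 0) == a_smaller) ? 0 : 1;
}

/* Both peers evaluate the rule from their own side; exactly one must win. */
static int
both_sides_agree(const uint8_t hA[static HASH_LEN], const uint8_t hB[static HASH_LEN],
    const uint8_t hT[static HASH_LEN])
{
	return init_winner(hA, hB, hT) + init_winner(hB, hA, hT) == 1;
}

/* Constructed vectors: flipping the minute hash's low bit flips the winner. */
static int
tiebreak_selftest(void)
{
	uint8_t hA[HASH_LEN] = {0}, hB[HASH_LEN] = {0}, hT[HASH_LEN] = {0};

	hA[0] = 2;	/* A's hash is numerically larger than B's */
	hB[0] = 1;
	/* bit = (2 ^ 1 ^ 0) & 1 = 1: the larger hash wins, i.e. A. */
	if (init_winner(hA, hB, hT) != 0 || !both_sides_agree(hA, hB, hT))
		return 0;
	hT[0] = 1;
	/* bit = (2 ^ 1 ^ 1) & 1 = 0: the smaller hash wins, i.e. B. */
	if (init_winner(hA, hB, hT) != 1 || !both_sides_agree(hA, hB, hT))
		return 0;
	return 1;
}
```

Because the minute hash enters the XOR, which peer yields changes over
time, so neither side is permanently the one that backs off.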

Revision 1.129: download - view: text, markup, annotated - select for diffs
Mon Jul 29 19:47:13 2024 UTC (4 months, 1 week ago) by riastradh
Branches: MAIN
Diff to: previous 1.128: preferred, colored
Changes since revision 1.128: +6 -6 lines
wg(4): Sprinkle volatile on variables requiring atomic access.

No functional change intended, since the relevant access is always
done with atomic_* when it might race with concurrent access -- and
really this should be _Atomic or something.  But for now our
atomic_ops(9) API is still spelled with volatile, so we'll use that.

Post-fix tidying for:

PR kern/55729: net/if_wg/t_misc:wg_rekey test case fails
PR kern/56252: wg(4) state machine has race conditions
PR kern/58463: if_wg does not work when idle.

Revision 1.128: download - view: text, markup, annotated - select for diffs
Mon Jul 29 19:46:59 2024 UTC (4 months, 1 week ago) by riastradh
Branches: MAIN
Diff to: previous 1.127: preferred, colored
Changes since revision 1.127: +4 -11 lines
wg(4): When a session is established, send first packet directly.

Like we would do with the keepalive packet, if we had to send that
instead -- no need to defer it to the pktq.  Keep it simple.

Post-fix tidying for:

PR kern/55729: net/if_wg/t_misc:wg_rekey test case fails
PR kern/56252: wg(4) state machine has race conditions
PR kern/58463: if_wg does not work when idle.

Revision 1.127: download - view: text, markup, annotated - select for diffs
Mon Jul 29 19:46:25 2024 UTC (4 months, 1 week ago) by riastradh
Branches: MAIN
Diff to: previous 1.126: preferred, colored
Changes since revision 1.126: +16 -4 lines
wg(4): Queue packet for post-handshake retransmit if limits are hit.

PR kern/58521: experimental wg(4) may drop packet after minutes of quiet

Revision 1.126: download - view: text, markup, annotated - select for diffs
Mon Jul 29 19:45:56 2024 UTC (4 months, 1 week ago) by riastradh
Branches: MAIN
Diff to: previous 1.125: preferred, colored
Changes since revision 1.125: +33 -41 lines
wg(4): Trigger session initiation in wgintr, not in wg_output.

We have to look up the session in wgintr anyway, for
wg_send_data_msg.  By triggering session initiation in wgintr instead
of wg_output, we can skip the stable session lookup and reference in
wg_output -- simpler that way.

Post-fix tidying for:

PR kern/55729: net/if_wg/t_misc:wg_rekey test case fails
PR kern/56252: wg(4) state machine has race conditions
PR kern/58463: if_wg does not work when idle.

Revision 1.125: download - view: text, markup, annotated - select for diffs
Mon Jul 29 19:44:22 2024 UTC (4 months, 1 week ago) by riastradh
Branches: MAIN
Diff to: previous 1.124: preferred, colored
Changes since revision 1.124: +11 -2 lines
wg(4): Add missing barriers around wgp_pending access.

PR kern/58520: experimental wg(4) lacks barriers around access to
packet pending initiation

Revision 1.124: download - view: text, markup, annotated - select for diffs
Mon Jul 29 19:43:56 2024 UTC (4 months, 1 week ago) by riastradh
Branches: MAIN
Diff to: previous 1.123: preferred, colored
Changes since revision 1.123: +3 -2 lines
wg(4): Force rekey on tx if session is older than reject-after-time.

One more corner case for:

PR kern/55729: net/if_wg/t_misc:wg_rekey test case fails
PR kern/56252: wg(4) state machine has race conditions
PR kern/58463: if_wg does not work when idle.

Revision 1.123: download - view: text, markup, annotated - select for diffs
Mon Jul 29 18:43:11 2024 UTC (4 months, 1 week ago) by riastradh
Branches: MAIN
Diff to: previous 1.122: preferred, colored
Changes since revision 1.122: +4 -3 lines
wg(4): Read wgs_state atomically in wg_get_stable_session.

As noted in the comment above, it may concurrently transition from
ESTABLISHED to DESTROYING.

Post-fix tidying for:

PR kern/55729: net/if_wg/t_misc:wg_rekey test case fails
PR kern/56252: wg(4) state machine has race conditions
PR kern/58463: if_wg does not work when idle.

Revision 1.122: download - view: text, markup, annotated - select for diffs
Mon Jul 29 16:02:05 2024 UTC (4 months, 1 week ago) by riastradh
Branches: MAIN
Diff to: previous 1.121: preferred, colored
Changes since revision 1.121: +86 -100 lines
wg(4): Deduplicate session establishment actions.

The actions to

(a) record the last handshake time,
(b) clear some handshake state,
(c) transmit first data if queued, or (if initiator) keepalive, and
(d) begin destroying the old session,

were formerly duplicated between wg_handle_msg_resp (for when we're
the initiator) and wg_task_establish_session (for when we're the
responder).

Instead, let's factor this out into wg_swap_session so there's only
one copy of the logic.

This requires moving wg_update_endpoint_if_necessary a little earlier
in wg_handle_msg_resp -- which should be done anyway so that the
endpoint is updated _before_ the session is published for the data tx
path to use.

Other than moving wg_update_endpoint_if_necessary a little earlier,
no functional change intended.

Post-fix tidying for:

PR kern/55729: net/if_wg/t_misc:wg_rekey test case fails
PR kern/56252: wg(4) state machine has race conditions
PR kern/58463: if_wg does not work when idle.

Revision 1.121: download - view: text, markup, annotated - select for diffs
Mon Jul 29 16:01:32 2024 UTC (4 months, 1 week ago) by riastradh
Branches: MAIN
Diff to: previous 1.120: preferred, colored
Changes since revision 1.120: +31 -2 lines
wg(4): Sprinkle comments on internal sliding window API.

Post-fix tidying for:

PR kern/58480: experimental wg(4) sliding window logic has oopsie

Revision 1.120: download - view: text, markup, annotated - select for diffs
Mon Jul 29 16:01:13 2024 UTC (4 months, 1 week ago) by riastradh
Branches: MAIN
Diff to: previous 1.119: preferred, colored
Changes since revision 1.119: +4 -6 lines
wg(4): Omit needless atomic_load.

wgs_local_index is only ever written to while only one thread has
access to it and it is not in the thmap -- before it is published in
wg_get_session_index, and after it is unpublished in
wg_destroy_session.  So no need for atomic_load -- it is stable if we
observe it in thmap_get result.

(Of course this is only for an assertion, which if tripped obviously
indicates a violation of our assumptions.  But if that happens, well,
in the worst case we'll see a weird assertion message claiming that
the index is not equal to itself, from which we can conclude
there must have been a concurrent update, which is good enough to
help diagnose that problem without any atomic_load.)

Tidying some of the changes for:

PR kern/55729: net/if_wg/t_misc:wg_rekey test case fails
PR kern/56252: wg(4) state machine has race conditions
PR kern/58463: if_wg does not work when idle.

Revision 1.119: download - view: text, markup, annotated - select for diffs
Mon Jul 29 16:00:41 2024 UTC (4 months, 1 week ago) by riastradh
Branches: MAIN
Diff to: previous 1.118: preferred, colored
Changes since revision 1.118: +4 -4 lines
wg(4): Fix typo in comment recently added.

Comment added in the service of:

PR kern/55729: net/if_wg/t_misc:wg_rekey test case fails
PR kern/56252: wg(4) state machine has race conditions
PR kern/58463: if_wg does not work when idle.

Revision 1.118: download - view: text, markup, annotated - select for diffs
Mon Jul 29 02:34:27 2024 UTC (4 months, 1 week ago) by riastradh
Branches: MAIN
Diff to: previous 1.117: preferred, colored
Changes since revision 1.117: +8 -4 lines
wg(4): Fix memory ordering in detach.

PR kern/58510: experimental wg(4) lacks memory ordering between
wg_count_dec and module unload

Revision 1.117: download - view: text, markup, annotated - select for diffs
Mon Jul 29 02:33:58 2024 UTC (4 months, 1 week ago) by riastradh
Branches: MAIN
Diff to: previous 1.116: preferred, colored
Changes since revision 1.116: +14 -25 lines
wg(4): No need for atomic access to wgs_time_established in tx/rx.

This is stable while the session is visible to the tx/rx paths -- it
is initialized before the session is exposed to tx/rx, and doesn't
change until the session is no longer used by any tx/rx path and has
been recycled.

When I sprinkled atomic access to wgs_time_established in if_wg.c
rev. 1.104, it was a vestige of an uncommitted draft that did the
transition from INIT_PASSIVE to ESTABLISHED in the tx path itself, in
an attempt to enable prompter tx on the new session as soon as it is
established.  This turned out to be unnecessary, so I reverted most
of it, but forgot that wgs_time_established no longer needed atomic
treatment.

We could go back to using time_t and time_uptime, now that there's no
need to do atomic loads and stores on these quantities. But there's
no point in 64-bit arithmetic when the time differences are all
guaranteed bounded by a few minutes, so keeping it 32-bit is probably
a slight performance improvement on 32-bit systems.

(In contrast, wgs_time_last_data_sent is both written and read in the
tx path, which may run in parallel on multiple CPUs, so it still
requires the atomic treatment.)

Tidying up for:

PR kern/55729: net/if_wg/t_misc:wg_rekey test case fails
PR kern/56252: wg(4) state machine has race conditions
PR kern/58463: if_wg does not work when idle.

Revision 1.116: download - view: text, markup, annotated - select for diffs
Mon Jul 29 02:33:44 2024 UTC (4 months, 1 week ago) by riastradh
Branches: MAIN
Diff to: previous 1.115: preferred, colored
Changes since revision 1.115: +27 -2 lines
wg(4): Sprinkle comments into wg_swap_sessions.

No functional change intended.

Prompted by:

PR kern/55729: net/if_wg/t_misc:wg_rekey test case fails
PR kern/56252: wg(4) state machine has race conditions
PR kern/58463: if_wg does not work when idle.

Revision 1.115: download - view: text, markup, annotated - select for diffs
Mon Jul 29 02:33:27 2024 UTC (4 months, 1 week ago) by riastradh
Branches: MAIN
Diff to: previous 1.114: preferred, colored
Changes since revision 1.114: +3 -4 lines
wg(4): Queue pending packet in FIFO order, not LIFO order.

Sometimes the session takes a few seconds to establish, for whatever
reason.  It is better if the pending packet, which we queue up to
send as soon as we get the responder's handshake response, is the
most recent packet, rather than the first packet.

That way, we don't wind up with a weird multi-second-delayed ping,
followed by a bunch of dropped pings, followed by normal ping timings, or
wind up sending the first TCP SYN instead of the most recent, or what
have you.  Senders need to be prepared to retransmit anyway if
packets are dropped.

PR kern/58508: experimental wg(4) queues LIFO, not FIFO, pending
first handshake

Revision 1.114: download - view: text, markup, annotated - select for diffs
Mon Jul 29 02:29:11 2024 UTC (4 months, 1 week ago) by riastradh
Branches: MAIN
Diff to: previous 1.113: preferred, colored
Changes since revision 1.113: +40 -32 lines
wg(4): Sprinkle static on fixed-size array parameters.

Let's make the static size declarations useful.

No functional change intended.

Revision 1.113: download - view: text, markup, annotated - select for diffs
Mon Jul 29 02:28:58 2024 UTC (4 months, 1 week ago) by riastradh
Branches: MAIN
Diff to: previous 1.112: preferred, colored
Changes since revision 1.112: +7 -7 lines
wg(4): Put force_rekey state in the session, not the peer.

That way, there is a time when one thread has exclusive access to the
state, in wg_destroy_session under the peer lock, when we can clear
the state without racing against the data tx path.

This will work more reliably than the atomic_swap_uint I used before.

Noted by kre@.

PR kern/55729: net/if_wg/t_misc:wg_rekey test case fails
PR kern/56252: wg(4) state machine has race conditions
PR kern/58463: if_wg does not work when idle.

Revision 1.112: download - view: text, markup, annotated - select for diffs
Sun Jul 28 14:55:30 2024 UTC (4 months, 1 week ago) by riastradh
Branches: MAIN
Diff to: previous 1.111: preferred, colored
Changes since revision 1.111: +16 -8 lines
wg(4): Explain why gethexdump/puthexdump is there, and tidy.

This way I will not be tempted to replace it by in-line calls to
libkern hexdump.

PR kern/55729: net/if_wg/t_misc:wg_rekey test case fails
PR kern/56252: wg(4) state machine has race conditions
PR kern/58463: if_wg does not work when idle.

Revision 1.111: download - view: text, markup, annotated - select for diffs
Sun Jul 28 14:50:31 2024 UTC (4 months, 1 week ago) by riastradh
Branches: MAIN
Diff to: previous 1.110: preferred, colored
Changes since revision 1.110: +4 -61 lines
wg(4): Delete temporary hacks to dump keys and packets.

No longer useful for:

PR kern/55729: net/if_wg/t_misc:wg_rekey test case fails
PR kern/56252: wg(4) state machine has race conditions
PR kern/58463: if_wg does not work when idle.

Revision 1.110: download - view: text, markup, annotated - select for diffs
Sun Jul 28 14:50:05 2024 UTC (4 months, 1 week ago) by riastradh
Branches: MAIN
Diff to: previous 1.109: preferred, colored
Changes since revision 1.109: +4 -4 lines
wg(4): Parenthesize macro expansions properly.

PR kern/58480: experimental wg(4) sliding window logic has oopsie

Revision 1.109: download - view: text, markup, annotated - select for diffs
Sun Jul 28 14:49:49 2024 UTC (4 months, 1 week ago) by riastradh
Branches: MAIN
Diff to: previous 1.108: preferred, colored
Changes since revision 1.108: +78 -20 lines
wg(4): Be more consistent about #ifdef INET/INET6.

PR kern/58478: experimental wg(4) probably doesn't build with
INET6-only

Revision 1.108: download - view: text, markup, annotated - select for diffs
Sun Jul 28 14:49:31 2024 UTC (4 months, 1 week ago) by riastradh
Branches: MAIN
Diff to: previous 1.107: preferred, colored
Changes since revision 1.107: +131 -88 lines
wg(4): Tidy up error branches.

No functional change intended, except to add some log messages in
failure cases.

Cleanup after:

PR kern/55729: net/if_wg/t_misc:wg_rekey test case fails
PR kern/56252: wg(4) state machine has race conditions
PR kern/58463: if_wg does not work when idle.

Revision 1.107: download - view: text, markup, annotated - select for diffs
Sun Jul 28 14:48:47 2024 UTC (4 months, 1 week ago) by riastradh
Branches: MAIN
Diff to: previous 1.106: preferred, colored
Changes since revision 1.106: +8 -4 lines
wg(4): Process all altq'd packets when deleting peer.

Can't just drop them because we can only go through all packets on an
interface at a time, for all peers -- so we'd either have to drop all
peers' packets, or requeue the packets for other peers.  Probably not
worth the trouble, so let's just wait for all the packets currently
queued up to go through first.

This requires reordering teardown so that we wg_destroy_all_peers,
and thus wg_purge_pending_packets, _before_ we wg_if_detach, because
wg_if_detach -> if_detach destroys the lock that IFQ_DEQUEUE uses.

PR kern/58477: experimental wg(4) ALTQ support is probably buggy

Revision 1.106: download - view: text, markup, annotated - select for diffs
Sun Jul 28 14:48:13 2024 UTC (4 months, 1 week ago) by riastradh
Branches: MAIN
Diff to: previous 1.105: preferred, colored
Changes since revision 1.105: +4 -4 lines
wg(4): Fix quotation in comment.

Prompted by:

PR kern/55729: net/if_wg/t_misc:wg_rekey test case fails
PR kern/56252: wg(4) state machine has race conditions
PR kern/58463: if_wg does not work when idle.

Revision 1.105: download - view: text, markup, annotated - select for diffs
Sun Jul 28 14:47:58 2024 UTC (4 months, 1 week ago) by riastradh
Branches: MAIN
Diff to: previous 1.104: preferred, colored
Changes since revision 1.104: +6 -2 lines
wg(4): Make time_uptime32 work in netbsd<=10.

This is the low 32 bits of time_uptime.

Will simplify pullups to 10 for:

PR kern/55729: net/if_wg/t_misc:wg_rekey test case fails
PR kern/56252: wg(4) state machine has race conditions
PR kern/58463: if_wg does not work when idle.

Revision 1.104: download - view: text, markup, annotated - select for diffs
Sun Jul 28 14:47:37 2024 UTC (4 months, 1 week ago) by riastradh
Branches: MAIN
Diff to: previous 1.103: preferred, colored
Changes since revision 1.103: +46 -29 lines
wg(4): Use 32-bit for times handled in rx/tx paths.

The rx and tx paths require unlocked access to wgs_time_established
(to decide whether it's time to rekey) and wgs_time_last_data_sent
(to decide whether we need to reply to incoming data with a keepalive
packet), so do it with atomic_load/store_*.

On 32-bit platforms, we may not be able to do that on time_t.
However, since sessions only last for a few minutes before
reject-after-time kicks in and they are erased, 32 bits is plenty to
record the durations that we need to record here, so this shouldn't
introduce any new bugs even on hosts that exceed 136 years of uptime.

Prompted by:

PR kern/55729: net/if_wg/t_misc:wg_rekey test case fails
PR kern/56252: wg(4) state machine has race conditions
PR kern/58463: if_wg does not work when idle.

Revision 1.103: download - view: text, markup, annotated - select for diffs
Sun Jul 28 14:46:16 2024 UTC (4 months, 1 week ago) by riastradh
Branches: MAIN
Diff to: previous 1.102: preferred, colored
Changes since revision 1.102: +11 -11 lines
wg(4): Make sure to update endpoint on keepalive packets too.

Prompted by:

PR kern/55729: net/if_wg/t_misc:wg_rekey test case fails
PR kern/56252: wg(4) state machine has race conditions
PR kern/58463: if_wg does not work when idle.

Revision 1.102: download - view: text, markup, annotated - select for diffs
Sun Jul 28 14:45:51 2024 UTC (4 months, 1 week ago) by riastradh
Branches: MAIN
Diff to: previous 1.101: preferred, colored
Changes since revision 1.101: +4 -3 lines
wg(4): On rx of valid ciphertext, make sure to update state machine.

Previously, we also required the plaintext to be a plausible-looking
IP packet before updating the state machine.

But keepalive packets are empty -- and if the peer initiated the
session to rekey after last tx but had no more data to tx, it will
send a keepalive to finish session initiation.

If we didn't update the state machine in that case, we would stay in
INIT_PASSIVE state unable to tx on the session, which would make
things hang.

So make sure to always update the state machine once we have accepted
a packet as genuine, even if it's genuine garbage on the inside.

PR kern/55729: net/if_wg/t_misc:wg_rekey test case fails
PR kern/56252: wg(4) state machine has race conditions
PR kern/58463: if_wg does not work when idle.

Revision 1.101: download - view: text, markup, annotated - select for diffs
Sun Jul 28 14:45:33 2024 UTC (4 months, 1 week ago) by riastradh
Branches: MAIN
Diff to: previous 1.100: preferred, colored
Changes since revision 1.100: +13 -2 lines
wg(4): Reject rx on sessions older than reject-after-time sec.

Prompted by (but won't fix anything in):

PR kern/55729: net/if_wg/t_misc:wg_rekey test case fails
PR kern/56252: wg(4) state machine has race conditions
PR kern/58463: if_wg does not work when idle.

Revision 1.100: download - view: text, markup, annotated - select for diffs
Sun Jul 28 14:40:02 2024 UTC (4 months, 1 week ago) by riastradh
Branches: MAIN
Diff to: previous 1.99: preferred, colored
Changes since revision 1.99: +73 -14 lines
wg(4): Fix session destruction.

Schedule destruction as soon as the session is created, to ensure key
erasure within 2*reject-after-time seconds.  Previously, we would
schedule destruction of the previous session 1 second after the next
one has been established.  Combined with a failure to update the
state machine on keepalive packets, this led to temporary deadlock
scenarios.

To keep it simple, there's just one callout which runs every
reject-after-time seconds and erases keys in sessions older than
reject-after-time, so if a session is established the moment after it
runs, the keys might not be erased until (2-eps)*reject-after-time
seconds.

PR kern/55729: net/if_wg/t_misc:wg_rekey test case fails
PR kern/56252: wg(4) state machine has race conditions
PR kern/58463: if_wg does not work when idle.
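The 32-bit session times of revisions 1.104 and 1.105 and the reject-after-time checks and key-erasure callout of revisions 1.100 and 1.101 above, as an added example that is not code from if_wg.c. It assumes reject-after-time is the WireGuard protocol constant of 180 seconds and that "older than" in the callout is a strict comparison; the timestamps are constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Added example, not code from if_wg.c.  It models (1) keeping session
 * times as the low 32 bits of the uptime (rev. 1.104/1.105) and
 * comparing ages modulo 2^32, and (2) the single key-erasure callout of
 * rev. 1.100.  reject-after-time = 180 s is the WireGuard protocol
 * constant; "older than" is assumed to be a strict comparison.
 */

#define WG_REJECT_AFTER_TIME 180u

/* Low 32 bits of the 64-bit uptime, as rev. 1.105 describes time_uptime32. */
static inline uint32_t
wg_uptime32(uint64_t time_uptime)
{
	return (uint32_t)time_uptime;
}

/*
 * Age of a session in seconds.  Unsigned subtraction is taken modulo
 * 2^32, so the result is exact whenever the true difference is below
 * 2^32 s (about 136 years), which holds because sessions are erased
 * after minutes.  This is why the wrap of the 32-bit uptime is harmless.
 */
static inline uint32_t
wg_session_age(uint32_t now32, uint32_t established32)
{
	return now32 - established32;
}

/* The rx/tx check of revs. 1.101/1.124: reject rx, or force rekey on tx. */
static inline bool
wg_session_too_old(uint32_t now32, uint32_t established32)
{
	return wg_session_age(now32, established32) >= WG_REJECT_AFTER_TIME;
}

/*
 * Constructed counter-example: widening both timestamps to a signed
 * 64-bit difference looks harmless but is wrong across the 32-bit wrap.
 * The difference becomes hugely negative, the check never fires, and the
 * session would keep being used past reject-after-time.
 */
static inline bool
wg_session_too_old_broken(uint32_t now32, uint32_t established32)
{
	return (int64_t)now32 - (int64_t)established32 >=
	    (int64_t)WG_REJECT_AFTER_TIME;
}

/*
 * Model of the destruction callout of rev. 1.100: it fires every
 * reject-after-time seconds and erases the keys of every session whose
 * age exceeds reject-after-time.  Returns the uptime at which the keys of
 * a session established at `established` are erased.  The worst case is
 * a session created just after a tick: erased (2 - eps) periods later.
 */
static uint64_t
wg_key_erasure_time(uint64_t established)
{
	uint64_t tick = established - (established % WG_REJECT_AFTER_TIME);

	for (;;) {
		tick += WG_REJECT_AFTER_TIME;
		if (tick - established > WG_REJECT_AFTER_TIME)
			return tick;
	}
}

int
main(void)
{
	/* Constructed uptimes straddling the 2^32-second wrap. */
	uint64_t est = ((uint64_t)1 << 32) - 100;
	uint64_t now = ((uint64_t)1 << 32) + 10;

	printf("age across wrap: %u s; too old after +90 s: %d; "
	    "broken check says: %d\n",
	    wg_session_age(wg_uptime32(now), wg_uptime32(est)),
	    wg_session_too_old(wg_uptime32(now + 90), wg_uptime32(est)),
	    wg_session_too_old_broken(wg_uptime32(now + 90), wg_uptime32(est)));
	printf("keys of a session established at t=181 are erased at t=%llu\n",
	    (unsigned long long)wg_key_erasure_time(181));
	return 0;
}
```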

Revision 1.99: download - view: text, markup, annotated - select for diffs
Sun Jul 28 14:39:35 2024 UTC (4 months, 1 week ago) by riastradh
Branches: MAIN
Diff to: previous 1.98: preferred, colored
Changes since revision 1.98: +3 -3 lines
wg(4): Mark wgp_pending volatile to reflect its usage.

Prompted by (but won't fix any part of):

PR kern/55729: net/if_wg/t_misc:wg_rekey test case fails
PR kern/56252: wg(4) state machine has race conditions
PR kern/58463: if_wg does not work when idle.

Revision 1.98: download - view: text, markup, annotated - select for diffs
Sun Jul 28 14:39:19 2024 UTC (4 months, 1 week ago) by riastradh
Branches: MAIN
Diff to: previous 1.97: preferred, colored
Changes since revision 1.97: +12 -10 lines
wg(4): Expand cookie secret to 32 bytes.

This is only relevant for denial of service mitigation, so it's not
that big a deal, and the spec doesn't say anything about the size,
but let's make it the standard key size.

PR kern/58479: experimental wg(4) uses 32-bit cookie secret, not
32-byte cookie secret

Revision 1.97: download - view: text, markup, annotated - select for diffs
Sun Jul 28 14:39:00 2024 UTC (4 months, 1 week ago) by riastradh
Branches: MAIN
Diff to: previous 1.96: preferred, colored
Changes since revision 1.96: +2 -8 lines
wg(4): Omit needless pserialize_perform on transition to DESTROYING.

A session can still be used when it is in the DESTROYING state, so
there's no need to wait for users to drain here -- that's the whole
point of a separate DESTROYING state.

It is only the transition from DESTROYING back to UNKNOWN, after the
session has been unpublished so no new users can begin, that requires
waiting for all users to drain, and we already do that in
wg_destroy_session.

Prompted by (but won't fix anything in, because this is just a
performance optimization):

PR kern/55729: net/if_wg/t_misc:wg_rekey test case fails
PR kern/56252: wg(4) state machine has race conditions
PR kern/58463: if_wg does not work when idle.

Revision 1.96: download - view: text, markup, annotated - select for diffs
Sun Jul 28 14:38:42 2024 UTC (4 months, 1 week ago) by riastradh
Branches: MAIN
Diff to: previous 1.95: preferred, colored
Changes since revision 1.95: +4 -4 lines
wg(4): Use callout_halt, not callout_stop.

It's possible that callout_stop might work here, but let's simplify
reasoning about it -- the timers in question only take the peer intr
lock, so it's safe to wait for them while holding the peer lock in
the handshake worker thread.

We may have to undo the task bit but that will take a bit more
analysis to determine.

Prompted by (but probably won't fix anything in):

PR kern/55729: net/if_wg/t_misc:wg_rekey test case fails
PR kern/56252: wg(4) state machine has race conditions
PR kern/58463: if_wg does not work when idle.

Revision 1.95: download - view: text, markup, annotated - select for diffs
Sun Jul 28 14:38:19 2024 UTC (4 months, 1 week ago) by riastradh
Branches: MAIN
Diff to: previous 1.94: preferred, colored
Changes since revision 1.94: +26 -36 lines
wg(4): Fix logic to ensure session initiation is underway.

Previously, wg_task_send_init_message would call
wg_send_handshake_msg_init if either:

(a) the stable session is UNKNOWN, meaning a session has not yet been
    established, either by us or by the peer (but it could be in
    progress); or

(b) the stable session is not UNKNOWN but the unstable session is
    _not_ INIT_ACTIVE, meaning there is an established session and we
    are not currently initiating a new session.

If wg_output (or wgintr) found no established session while there was
already a session being initiated, we may only enter
wg_task_send_init_message after the session is already established,
and trigger spurious reinitiation.

Instead, create a separate flag to indicate whether it is mandatory
to rekey because limits have passed.  Then create a session only if:

(a) the stable session is not ESTABLISHED, or
(b) the mandatory rekey flag is not set,

and clear the mandatory rekey flag.

While here, arrange to do rekey-after-time on tx, not on callout.  If
there's no data to tx, we shouldn't reinitiate a session -- we should
stay quiet on the network.

PR kern/55729: net/if_wg/t_misc:wg_rekey test case fails
PR kern/56252: wg(4) state machine has race conditions
PR kern/58463: if_wg does not work when idle.

Revision 1.94: download - view: text, markup, annotated - select for diffs
Sun Jul 28 14:37:59 2024 UTC (4 months, 1 week ago) by riastradh
Branches: MAIN
Diff to: previous 1.93: preferred, colored
Changes since revision 1.93: +189 -42 lines
wg(4): Rework some details of internal session state machine.

This way:

- There is a clear transition between when a session is being set up,
  and when it is exposed to the data rx path (wg_handle_msg_data):
  atomic_store_release to set wgs->wgs_state to INIT_PASSIVE or
  ESTABLISHED.

  (The transition INIT_PASSIVE -> ESTABLISHED is immaterial to the
  data rx path, so that's just atomic_store_relaxed.  Similarly the
  transition to DESTROYING.)

- There is a clear transition between when a session is being set up,
  and when it is exposed to the data tx path (wg_output):
  atomic_store_release to set wgp->wgp_session_stable to it.

- Every path that reinitializes a session must go through
  wg_destroy_session via wg_put_index_session first.  This avoids
  races between session reuse and the data rx/tx paths.

- Add a log message at the time of every state transition.

Prompted by:

PR kern/55729: net/if_wg/t_misc:wg_rekey test case fails
PR kern/56252: wg(4) state machine has race conditions
PR kern/58463: if_wg does not work when idle.

Revision 1.93: download - view: text, markup, annotated - select for diffs
Sat Jul 27 15:45:20 2024 UTC (4 months, 2 weeks ago) by christos
Branches: MAIN
Diff to: previous 1.92: preferred, colored
Changes since revision 1.92: +16 -8 lines
Limit the size of the packet, and print ... if it is bigger. (from kre@)

Revision 1.92: download - view: text, markup, annotated - select for diffs
Fri Jul 26 18:34:35 2024 UTC (4 months, 2 weeks ago) by riastradh
Branches: MAIN
Diff to: previous 1.91: preferred, colored
Changes since revision 1.91: +6 -4 lines
wg(4): Allow modunload before any interface creation.

The workqueue and pktq are both lazily created, for annoying module
initialization order reasons, so they may not have been created by
the time of modunload.

PR kern/58470

Revision 1.91: download - view: text, markup, annotated - select for diffs
Thu Jul 25 16:45:36 2024 UTC (4 months, 2 weeks ago) by christos
Branches: MAIN
Diff to: previous 1.90: preferred, colored
Changes since revision 1.90: +11 -7 lines
consistently use printf instead of aprint_debug and print the tkeys with
the packet.

Revision 1.90: download - view: text, markup, annotated - select for diffs
Thu Jul 25 01:47:00 2024 UTC (4 months, 2 weeks ago) by christos
Branches: MAIN
Diff to: previous 1.89: preferred, colored
Changes since revision 1.89: +36 -2 lines
Add more debugging from Taylor

Revision 1.89: download - view: text, markup, annotated - select for diffs
Thu Jul 25 00:55:53 2024 UTC (4 months, 2 weeks ago) by kre
Branches: MAIN
Diff to: previous 1.88: preferred, colored
Changes since revision 1.88: +9 -7 lines

Make the debug (WG_DEBUG) func gethexdump() always return a valid
pointer, never NULL, so it doesn't need to be tested before being
printed, which was being done sometimes, but not always.

Revision 1.88: download - view: text, markup, annotated - select for diffs
Thu Jul 25 00:37:08 2024 UTC (4 months, 2 weeks ago) by kre
Branches: MAIN
Diff to: previous 1.87: preferred, colored
Changes since revision 1.87: +4 -3 lines

There's a new WG_DEBUG_XXX (XXX==PACKET) to deal with now.  That needs
WG_DEBUG defined as well, if set.

Revision 1.87: download - view: text, markup, annotated - select for diffs
Thu Jul 25 00:29:24 2024 UTC (4 months, 2 weeks ago) by kre
Branches: MAIN
Diff to: previous 1.86: preferred, colored
Changes since revision 1.86: +11 -11 lines

Fix 32 bit (32 bit size_t) WG_DEBUG builds - use %zu rather than %lu
to print size_t values.

Revision 1.86: download - view: text, markup, annotated - select for diffs
Thu Jul 25 00:24:02 2024 UTC (4 months, 2 weeks ago) by christos
Branches: MAIN
Diff to: previous 1.85: preferred, colored
Changes since revision 1.85: +10 -27 lines
use hexdump...

Revision 1.85: download - view: text, markup, annotated - select for diffs
Thu Jul 25 00:07:33 2024 UTC (4 months, 2 weeks ago) by christos
Branches: MAIN
Diff to: previous 1.84: preferred, colored
Changes since revision 1.84: +27 -18 lines
fix size limit calculation in dump and NULL checks

Revision 1.84: download - view: text, markup, annotated - select for diffs
Wed Jul 24 23:46:13 2024 UTC (4 months, 2 weeks ago) by christos
Branches: MAIN
Diff to: previous 1.83: preferred, colored
Changes since revision 1.83: +34 -4 lines
Add packet dump debugging

Revision 1.83: download - view: text, markup, annotated - select for diffs
Wed Jul 24 22:32:07 2024 UTC (4 months, 2 weeks ago) by kre
Branches: MAIN
Diff to: previous 1.82: preferred, colored
Changes since revision 1.82: +12 -9 lines

While the previous change fixed the broken build, it wasn't the best
way, as defining any of the WG_DEBUG_XXX symbols then effectively
defined all of them - making them as separate entities, pointless.

So, rearrange the way things are done a little to avoid doing that.

Revision 1.82: download - view: text, markup, annotated - select for diffs
Wed Jul 24 22:17:21 2024 UTC (4 months, 2 weeks ago) by kre
Branches: MAIN
Diff to: previous 1.81: preferred, colored
Changes since revision 1.81: +9 -2 lines

If any of the WG_DEBUG_XXX symbols happens to be defined (say, from a
stray rump Makefile...) then we now must have WG_DEBUG also defined, so
if it wasn't, make it so.

Revision 1.81: download - view: text, markup, annotated - select for diffs
Wed Jul 24 20:54:43 2024 UTC (4 months, 2 weeks ago) by christos
Branches: MAIN
Diff to: previous 1.80: preferred, colored
Changes since revision 1.80: +19 -10 lines
Add more debugging in packet validation

Revision 1.80: download - view: text, markup, annotated - select for diffs
Wed Jul 24 20:29:43 2024 UTC (4 months, 2 weeks ago) by christos
Branches: MAIN
Diff to: previous 1.79: preferred, colored
Changes since revision 1.79: +47 -21 lines
Add a wg_debug variable to split between debug/trace/dump messages

Revision 1.79: download - view: text, markup, annotated - select for diffs
Fri Jul 5 04:31:53 2024 UTC (5 months ago) by rin
Branches: MAIN
Diff to: previous 1.78: preferred, colored
Changes since revision 1.78: +9 -12 lines
sys: Drop redundant NULL check before m_freem(9)

m_freem(9) has safely accepted a NULL argument at least since 4.2BSD:
https://www.tuhs.org/cgi-bin/utree.pl?file=4.2BSD/usr/src/sys/sys/uipc_mbuf.c

Compile-tested on amd64/ALL.

Suggested by knakahara@

Revision 1.71.2.3: download - view: text, markup, annotated - select for diffs
Mon Mar 11 19:34:00 2024 UTC (9 months ago) by martin
Branches: netbsd-10
CVS tags: netbsd-10-0-RELEASE, netbsd-10-0-RC6
Diff to: previous 1.71.2.2: preferred, colored; branchpoint 1.71: preferred, colored
Changes since revision 1.71.2.2: +7 -2 lines
Pull up following revision(s) (requested by riastradh in ticket #628):

	sys/net/if_wg.c: revision 1.78

wg(4): Bind to CPU in wg_handle_packet.

Required by use of psref there.
Assert we're bound up front so we catch mistakes early, rather than
later on if we get unlucky in preemption and scheduling.

PR bin/58021

Revision 1.78: download - view: text, markup, annotated - select for diffs
Sun Mar 10 04:21:47 2024 UTC (9 months ago) by riastradh
Branches: MAIN
CVS tags: perseant-exfatfs-base-20240630, perseant-exfatfs-base, perseant-exfatfs
Diff to: previous 1.77: preferred, colored
Changes since revision 1.77: +7 -2 lines
wg(4): Bind to CPU in wg_handle_packet.

Required by use of psref there.

Assert we're bound up front so we catch mistakes early, rather than
later on if we get unlucky in preemption and scheduling.

PR bin/58021

Revision 1.77.2.1.2.1: download - view: text, markup, annotated - select for diffs
Wed Nov 15 12:39:46 2023 UTC (12 months, 3 weeks ago) by thorpej
Branches: thorpej-ifq
Diff to: previous 1.77.2.1: preferred, colored; next MAIN 1.78: preferred, colored
Changes since revision 1.77.2.1: +16 -15 lines
wg_output(): Use ifq_classify_packet(), and let that function check
for ALTQ-enabled.  Acquire KERNEL_LOCK before calling ALTQ_ENQUEUE().
XXX The ALTQ integration here is a mess.

Revision 1.77.2.1: download - view: text, markup, annotated - select for diffs
Tue Nov 14 02:29:11 2023 UTC (12 months, 3 weeks ago) by thorpej
Branches: thorpej-altq-separation
CVS tags: thorpej-ifq-base
Branch point for: thorpej-ifq
Diff to: previous 1.77: preferred, colored; next MAIN 1.78: preferred, colored
Changes since revision 1.77: +3 -3 lines
Update for the new location of altq_flags (not in if_snd directly).

Revision 1.77: download - view: text, markup, annotated - select for diffs
Tue Aug 1 07:04:16 2023 UTC (16 months, 1 week ago) by mrg
Branches: MAIN
CVS tags: thorpej-altq-separation-base
Branch point for: thorpej-altq-separation
Diff to: previous 1.76: preferred, colored
Changes since revision 1.76: +5 -4 lines
fix simple mis-matched function prototype and definitions.

most of these are like, eg

   void foo(int[2]);

with either of these

   void foo(int*) { ... }
   void foo(int[]) { ... }

in some cases (such as stat or utimes* calls found in our header files),
we now match standard definition from opengroup.

found by GCC 12.

Revision 1.71.2.2: download - view: text, markup, annotated - select for diffs
Fri Jul 7 19:02:22 2023 UTC (17 months ago) by martin
Branches: netbsd-10
CVS tags: netbsd-10-0-RC5, netbsd-10-0-RC4, netbsd-10-0-RC3, netbsd-10-0-RC2, netbsd-10-0-RC1
Diff to: previous 1.71.2.1: preferred, colored; branchpoint 1.71: preferred, colored
Changes since revision 1.71.2.1: +49 -19 lines
Pull up following revision(s) (requested by jakllsch in ticket #228):

	sys/net/if_wg.c: revision 1.76

Give scope and additional details to wg(4) diagnostic messages.

Revision 1.76: download - view: text, markup, annotated - select for diffs
Tue Apr 11 14:03:46 2023 UTC (20 months ago) by jakllsch
Branches: MAIN
Diff to: previous 1.75: preferred, colored
Changes since revision 1.75: +49 -19 lines
Give scope and additional details to wg(4) diagnostic messages.

Revision 1.75: download - view: text, markup, annotated - select for diffs
Wed Apr 5 19:56:27 2023 UTC (20 months ago) by andvar
Branches: MAIN
Diff to: previous 1.74: preferred, colored
Changes since revision 1.74: +3 -3 lines
s/termintaed/terminated/ in comment.

Revision 1.71.2.1: download - view: text, markup, annotated - select for diffs
Fri Jan 13 19:14:13 2023 UTC (22 months, 4 weeks ago) by martin
Branches: netbsd-10
Diff to: previous 1.71: preferred, colored
Changes since revision 1.71: +27 -9 lines
Pull up following revision(s) (requested by jakllsch in ticket #49):

	sys/secmodel/suser/secmodel_suser.c: revision 1.57
	sys/sys/kauth.h: revision 1.89
	sys/net/if_wg.c: revision 1.72
	sys/net/if_wg.c: revision 1.73
	sys/net/if_wg.c: revision 1.74

Check for authorization for SIOCSDRVSPEC and SIOCGDRVSPEC ioctls for wg(4).
Addresses PR 57161.

wg(4): Allow non-root to retrieve information other than the private
key and the peer preshared key.

Add kauth(9) enums for wg(4) and use them in suser secmodel.

Refines fix for PR 57161.

centralize the kauth ugliness.

Revision 1.74: download - view: text, markup, annotated - select for diffs
Thu Jan 5 20:32:18 2023 UTC (23 months ago) by christos
Branches: MAIN
Diff to: previous 1.73: preferred, colored
Changes since revision 1.73: +16 -14 lines
centralize the kauth ugliness.

Revision 1.73: download - view: text, markup, annotated - select for diffs
Thu Jan 5 18:29:46 2023 UTC (23 months ago) by jakllsch
Branches: MAIN
Diff to: previous 1.72: preferred, colored
Changes since revision 1.72: +21 -17 lines
wg(4): Allow non-root to retrieve information other than the private
key and the peer preshared key.

Add kauth(9) enums for wg(4) and use them in suser secmodel.

Refines fix for PR 57161.

Revision 1.72: download - view: text, markup, annotated - select for diffs
Thu Jan 5 02:38:51 2023 UTC (23 months ago) by jakllsch
Branches: MAIN
Diff to: previous 1.71: preferred, colored
Changes since revision 1.71: +14 -2 lines
Check for authorization for SIOCSDRVSPEC and SIOCGDRVSPEC ioctls for wg(4).

Addresses PR 57161.

Revision 1.71: download - view: text, markup, annotated - select for diffs
Fri Nov 4 09:00:58 2022 UTC (2 years, 1 month ago) by ozaki-r
Branches: MAIN
CVS tags: netbsd-10-base
Branch point for: netbsd-10
Diff to: previous 1.70: preferred, colored
Changes since revision 1.70: +3 -3 lines
inpcb: rename functions to inpcb_*

Inspired by rmind-smpnet patches.

Revision 1.70: download - view: text, markup, annotated - select for diffs
Fri Oct 28 05:20:08 2022 UTC (2 years, 1 month ago) by ozaki-r
Branches: MAIN
Diff to: previous 1.69: preferred, colored
Changes since revision 1.69: +4 -9 lines
Adjust pf, wg, dccp and sctp for struct inpcb integration

Revision 1.69: download - view: text, markup, annotated - select for diffs
Fri Mar 25 08:57:50 2022 UTC (2 years, 8 months ago) by hannken
Branches: MAIN
CVS tags: bouyer-sunxi-drm-base, bouyer-sunxi-drm
Diff to: previous 1.68: preferred, colored
Changes since revision 1.68: +14 -2 lines
Prevent memory corruption from wg_send_handshake_msg_init() on
LP64 machines with "MSIZE == 256", sparc64 for example.

wg_send_handshake_msg_init() tries to put 148 bytes into a buffer
of 144 bytes and overwrites 4 bytes following the mbuf.  Check
for "sizeof() > MHLEN" and use a cluster in this case.

With help from Taylor R Campbell <riastradh@>

Revision 1.68: download - view: text, markup, annotated - select for diffs
Sun Jan 16 20:43:20 2022 UTC (2 years, 10 months ago) by riastradh
Branches: MAIN
Diff to: previous 1.67: preferred, colored
Changes since revision 1.67: +7 -2 lines
wg(4): Limit the size of ifdrv requests.

Avoids potential integer overflow or kernel memory exhaustion.

Reported by Thomas Leroy a while back.

Revision 1.67: download - view: text, markup, annotated - select for diffs
Fri Dec 31 14:25:24 2021 UTC (2 years, 11 months ago) by riastradh
Branches: MAIN
Diff to: previous 1.66: preferred, colored
Changes since revision 1.66: +4 -4 lines
sys: Use if_init wrapper function.

Exception: Not in kern_pmf.c, for the kind of silly reason that it
avoids having kern_pmf.c refer to symbols defined only in net; this
avoids a pain in the rump.

Revision 1.66: download - view: text, markup, annotated - select for diffs
Fri Dec 31 14:24:38 2021 UTC (2 years, 11 months ago) by riastradh
Branches: MAIN
Diff to: previous 1.65: preferred, colored
Changes since revision 1.65: +3 -3 lines
sys: Use if_stop wrapper function.

Exception: Not in kern_pmf.c, for the kind of silly reason that it
avoids having kern_pmf.c refer to symbols defined only in net; this
avoids a pain in the rump.

Revision 1.65: download - view: text, markup, annotated - select for diffs
Tue Aug 17 17:31:13 2021 UTC (3 years, 3 months ago) by christos
Branches: MAIN
Diff to: previous 1.64: preferred, colored
Changes since revision 1.64: +14 -14 lines
Some signedness, casts, and constant sizes.
Add module dependencies.

Revision 1.62.4.2: download - view: text, markup, annotated - select for diffs
Thu Jun 17 04:46:35 2021 UTC (3 years, 5 months ago) by thorpej
Branches: thorpej-i2c-spi-conf
Diff to: previous 1.62.4.1: preferred, colored; branchpoint 1.62: preferred, colored; next MAIN 1.63: preferred, colored
Changes since revision 1.62.4.1: +3 -7 lines
Sync w/ HEAD.

Revision 1.64: download - view: text, markup, annotated - select for diffs
Wed Jun 16 00:21:19 2021 UTC (3 years, 5 months ago) by riastradh
Branches: MAIN
CVS tags: thorpej-i2c-spi-conf2-base, thorpej-i2c-spi-conf2, thorpej-i2c-spi-conf-base, thorpej-futex2-base, thorpej-futex2, thorpej-cfargs2-base, thorpej-cfargs2
Diff to: previous 1.63: preferred, colored
Changes since revision 1.63: +3 -7 lines
if_attach and if_initialize cannot fail, don't test return value

These were originally made failable back in 2017 when if_initialize
allocated a softint in every interface for link state changes, so
that it could fail gracefully instead of panicking:

https://mail-index.NetBSD.org/source-changes/2017/10/23/msg089053.html

However, this spawned many seldom- or never-tested error branches,
which are risky to have around.  And that softint in every interface
has since been replaced by a single global workqueue, because link
state changes require thread context but not low latency or high
throughput:

https://mail-index.NetBSD.org/source-changes/2020/02/06/msg113759.html

So there is no longer any reason for if_initialize to fail.  (The
subroutine if_stats_init can't fail because percpu_alloc can't fail
either.)

There is a snag: the softint_establish in if_percpuq_create could
fail, potentially leading to bad consequences later on trying to use
the softint.  This change doesn't introduce any new bugs because of
the snag -- if_percpuq_attach was already broken.  However, the snag
can be better addressed without spawning error branches, either by
using a single softint or making softints less scarce.

(Separate commit will change the signatures of if_attach and
if_initialize to return void, scheduled to ride whatever is the next
convenient kernel bump.)

Patch and testing on amd64 and evbmips64-eb by maya@; commit message
soliloquy, and compile-testing on evbppc/i386/earmv7hf, by me.

Revision 1.62.4.1: download - view: text, markup, annotated - select for diffs
Thu May 13 00:47:33 2021 UTC (3 years, 7 months ago) by thorpej
Branches: thorpej-i2c-spi-conf
Diff to: previous 1.62: preferred, colored
Changes since revision 1.62: +7 -7 lines
Sync with HEAD.

Revision 1.63: download - view: text, markup, annotated - select for diffs
Thu Apr 29 17:55:51 2021 UTC (3 years, 7 months ago) by riastradh
Branches: MAIN
CVS tags: cjep_sun2x-base1, cjep_sun2x-base, cjep_sun2x, cjep_staticlib_x-base1, cjep_staticlib_x-base, cjep_staticlib_x
Diff to: previous 1.62: preferred, colored
Changes since revision 1.62: +7 -7 lines
Sprinkle __noinline to reduce gigantic stack frames in ALL kernels.

In principle this might just push a real problem around, but this is
unlikely to be a real problem because:

1. The large stack frames are really only in the setup state machine
   message handlers, which run at the top loop of a thread with a
   shallow stack anyway.

2. If these are inlined, gcc might create multiple nonoverlapping
   stack buffers, whereas if not inlined, the stack frames from
   consecutive or alternative procedure calls would overlap anyway.

(I haven't investigated exactly what's going on leading to ~5 KB
stack frames, but this shuts gcc up, at least, and the hypotheses
sound plausible to me!)

Revision 1.61.2.1: download - view: text, markup, annotated - select for diffs
Mon Dec 14 14:38:15 2020 UTC (3 years, 11 months ago) by thorpej
Branches: thorpej-futex
Diff to: previous 1.61: preferred, colored; next MAIN 1.62: preferred, colored
Changes since revision 1.61: +32 -8 lines
Sync w/ HEAD.

Revision 1.62: download - view: text, markup, annotated - select for diffs
Wed Nov 11 18:08:34 2020 UTC (4 years ago) by riastradh
Branches: MAIN
CVS tags: thorpej-futex-base, thorpej-cfargs-base, thorpej-cfargs
Branch point for: thorpej-i2c-spi-conf
Diff to: previous 1.61: preferred, colored
Changes since revision 1.61: +32 -8 lines
wg: Sprinkle #ifdef INET6.  Avoid unconditional use of ip6 structs.

Fixes no-INET6 build.

Based on patch from Brad Spencer:

https://mail-index.NetBSD.org/current-users/2020/11/11/msg039883.html

Revision 1.61: download - view: text, markup, annotated - select for diffs
Thu Oct 15 10:09:49 2020 UTC (4 years, 1 month ago) by roy
Branches: MAIN
Branch point for: thorpej-futex
Diff to: previous 1.60: preferred, colored
Changes since revision 1.60: +8 -4 lines
wg: with no peers, the link status is DOWN, otherwise UP

This mirrors the recent changes to gif(4) where the link is UP when a
tunnel is set, otherwise DOWN.

Revision 1.60: download - view: text, markup, annotated - select for diffs
Mon Sep 14 04:57:20 2020 UTC (4 years, 2 months ago) by riastradh
Branches: MAIN
Diff to: previous 1.59: preferred, colored
Changes since revision 1.59: +59 -5 lines
wg: Add altq hooks.

While here, remove the IFQ_CLASSIFY bottleneck (takes the ifq lock,
so it would serialize all transmission to all peers on a single wg(4)
interface).

altq can be disabled at compile-time or at run-time; even if included
at compile-time the run-time impact should be negligible if disabled.

Revision 1.59: download - view: text, markup, annotated - select for diffs
Sun Sep 13 17:18:54 2020 UTC (4 years, 2 months ago) by riastradh
Branches: MAIN
Diff to: previous 1.58: preferred, colored
Changes since revision 1.58: +46 -33 lines
wg: Fix detach logic.

Not tested but this should be less of a rake to step on if anyone
made an unloadable wg module.

Revision 1.58: download - view: text, markup, annotated - select for diffs
Sun Sep 13 17:18:13 2020 UTC (4 years, 2 months ago) by riastradh
Branches: MAIN
Diff to: previous 1.57: preferred, colored
Changes since revision 1.57: +29 -4 lines
wg: Use RUN_ONCE to defer workqueue_create until after configure.

Should really fix workqueue(9) so workqueue_create can be done before
CPUs have been detected in configure, but this will serve as a stop-
gap measure.

Revision 1.57: download - view: text, markup, annotated - select for diffs
Sun Sep 13 17:17:31 2020 UTC (4 years, 2 months ago) by riastradh
Branches: MAIN
Diff to: previous 1.56: preferred, colored
Changes since revision 1.56: +8 -4 lines
wg: Add missing kpreempt_disable/enable around pktq_enqueue.

Revision 1.56: download - view: text, markup, annotated - select for diffs
Tue Sep 8 16:39:57 2020 UTC (4 years, 3 months ago) by riastradh
Branches: MAIN
Diff to: previous 1.55: preferred, colored
Changes since revision 1.55: +4 -2 lines
wg: Drop wgp_lock while waiting for endpoint psref to drain.

- This is safe because wgp_endpoint_changing locks out any attempts
  to change the endpoint until the draining is complete.

- This is necessary to avoid a deadlock where the handshake thread
  holds a psref and awaits mutex_enter(wgp->wgp_lock).

XXX The same deadlock may occur in wg_destroy_session.  Not clear
that it's safe to just release wgp_lock there; may need to create a
new session state, say WGS_STATE_DRAINING, while we wait for
psref_target_destroy.  But this needs a little more thought; a new
state may not be necessary, and would be nice to avoid if not
necessary.

Revision 1.55: download - view: text, markup, annotated - select for diffs
Mon Sep 7 01:15:25 2020 UTC (4 years, 3 months ago) by riastradh
Branches: MAIN
Diff to: previous 1.54: preferred, colored
Changes since revision 1.54: +163 -196 lines
wg: Use threadpool(9) and workqueue(9) for asynchronous tasks.

- Using threadpool(9) job per interface to receive incoming handshake
  messages gives the same concurrency for active interfaces but
  doesn't waste kthreads for inactive ones.

  => Can't really do this with a global workqueue(9) because there's
     no bound on the amount of time wg_receive_packets() might run
     for; we really need separate threads or threadpool jobs in order
     to avoid having one interface starve all the others.

- Using a global workqueue(9) for asynchronous peer tasks avoids
  creating unnecessary kthreads.

  => Each task does a more or less bounded amount of work, so it's OK
     to share a global workqueue -- there's no advantage to adding
     concurrency for what is almost certainly going to be CPU-bound
     asymmetric crypto.

  => This way we don't need a thread per peer or iteration over a
     list of all peers, so the task mechanism should no longer be a
     bottleneck to scaling to thousands of peers.

XXX This doesn't distribute the load across CPUs -- it keeps it on
the same CPU where the packet came in.  Should consider doing
something to balance the load -- maybe note if the current CPU is
loaded, and if so, sort CPUs by queue length or some other measure of
load and pick the least loaded one or something.

Revision 1.54: download - view: text, markup, annotated - select for diffs
Mon Sep 7 01:14:42 2020 UTC (4 years, 3 months ago) by riastradh
Branches: MAIN
Diff to: previous 1.53: preferred, colored
Changes since revision 1.53: +142 -100 lines
wg: Use a global pktqueue rather than a per-peer pcq.

- Improves scalability -- won't hit limit on softints no matter how
  many peers there are.
- Improves parallelism -- softint was kernel-locked to serialize
  access to the pcq.
- Requires per-peer queue on handshake init to avoid dropping first
  packet.
  . Per-peer queue is currently a single packet -- should serve well
    enough for pings, dns queries, tcp connections, &c.

Revision 1.53: download - view: text, markup, annotated - select for diffs
Mon Sep 7 00:33:08 2020 UTC (4 years, 3 months ago) by riastradh
Branches: MAIN
Diff to: previous 1.52: preferred, colored
Changes since revision 1.52: +48 -21 lines
wg: Fix debug output now that the priority is mixed into it.

Revision 1.52: download - view: text, markup, annotated - select for diffs
Mon Sep 7 00:32:20 2020 UTC (4 years, 3 months ago) by riastradh
Branches: MAIN
Diff to: previous 1.51: preferred, colored
Changes since revision 1.51: +3 -3 lines
wg: Fix non-DIAGNOSTIC build.

Revision 1.51: download - view: text, markup, annotated - select for diffs
Mon Aug 31 20:34:43 2020 UTC (4 years, 3 months ago) by riastradh
Branches: MAIN
Diff to: previous 1.50: preferred, colored
Changes since revision 1.50: +5 -3 lines
wg: Avoid memory leak if socreate fails.

Revision 1.50: download - view: text, markup, annotated - select for diffs
Mon Aug 31 20:34:18 2020 UTC (4 years, 3 months ago) by riastradh
Branches: MAIN
Diff to: previous 1.49: preferred, colored
Changes since revision 1.49: +5 -4 lines
wg: Make it build with WG_DEBUG on 32-bit platforms.

Revision 1.49: download - view: text, markup, annotated - select for diffs
Mon Aug 31 20:33:58 2020 UTC (4 years, 3 months ago) by riastradh
Branches: MAIN
Diff to: previous 1.48: preferred, colored
Changes since revision 1.48: +465 -385 lines
wg: Simplify locking.

Summary: Access to a stable established session is still allowed via
psref; all other access to peer and session state is now serialized
by struct wg_peer::wgp_lock, with no dancing around a per-session
lock.  This way, the handshake paths are locked, while the data
transmission paths are pserialized.

- Eliminate struct wg_session::wgs_lock.

- Eliminate wg_get_unstable_session -- access to the unstable session
  is allowed only with struct wgp_peer::wgp_lock held.

- Push INIT_PASSIVE->ESTABLISHED transition down into a thread task.

- Push rekey down into a thread task.

- Allocate session indices only on transition from UNKNOWN and free
  them only on transition back to UNKNOWN.

- Be a little more explicit about allowed state transitions, and
  reject some nonsensical ones.

- Sprinkle assertions and comments.

- Reduce atomic r/m/w swap operations that can just as well be
  store-release.

Revision 1.48: download - view: text, markup, annotated - select for diffs
Mon Aug 31 20:31:43 2020 UTC (4 years, 3 months ago) by riastradh
Branches: MAIN
Diff to: previous 1.47: preferred, colored
Changes since revision 1.47: +4 -4 lines
wg: M_NOWAIT -> M_DONTWAIT

These happen to be aliases, but M_NOWAIT is part of the legacy malloc
API whereas M_DONTWAIT is part of the mbuf API.

Revision 1.47: download - view: text, markup, annotated - select for diffs
Mon Aug 31 20:31:03 2020 UTC (4 years, 3 months ago) by riastradh
Branches: MAIN
Diff to: previous 1.46: preferred, colored
Changes since revision 1.46: +63 -62 lines
wg: wg_sockaddr audit.

- Ensure all access to struct wg_peer::wgp_endpoint happens while
  holding a psref.

- Simplify internalize/externalize logic and be more careful about
  verifying it before printing anything.

Revision 1.46: download - view: text, markup, annotated - select for diffs
Mon Aug 31 20:30:34 2020 UTC (4 years, 3 months ago) by riastradh
Branches: MAIN
Diff to: previous 1.45: preferred, colored
Changes since revision 1.45: +19 -19 lines
wg: On INIT, do DH and decrypt timestamp before locking session.

This narrows the window when the session is unlocked.  Really there
should be no such window, but we'll finish getting rid of it later.

Revision 1.45: download - view: text, markup, annotated - select for diffs
Mon Aug 31 20:29:14 2020 UTC (4 years, 3 months ago) by riastradh
Branches: MAIN
Diff to: previous 1.44: preferred, colored
Changes since revision 1.44: +31 -31 lines
wg: Verify or send cookie challenge before looking up session.

This step doesn't depend on the session, so let's avoid touching the
session state until we've passed it.

Revision 1.44: download - view: text, markup, annotated - select for diffs
Mon Aug 31 20:27:06 2020 UTC (4 years, 3 months ago) by riastradh
Branches: MAIN
Diff to: previous 1.43: preferred, colored
Changes since revision 1.43: +26 -26 lines
wg: Verify mac1 as the first step on INIT and RESP messages.

This avoids the expensive DH computation before the sender has proven
knowledge of our public key.

Revision 1.43: download - view: text, markup, annotated - select for diffs
Mon Aug 31 20:26:46 2020 UTC (4 years, 3 months ago) by riastradh
Branches: MAIN
Diff to: previous 1.42: preferred, colored
Changes since revision 1.42: +6 -10 lines
wg: Omit needless variable.

Revision 1.42: download - view: text, markup, annotated - select for diffs
Mon Aug 31 20:26:21 2020 UTC (4 years, 3 months ago) by riastradh
Branches: MAIN
Diff to: previous 1.41: preferred, colored
Changes since revision 1.41: +7 -5 lines
wg: Switch to callout_stop for session destructor timer.

Can't release the lock here, and can't sleep waiting for the callout
while we hold it without risking deadlock.  But not waiting is fine;
after we transition out of WGS_STATE_UNKNOWN the timer has no effect.

Revision 1.41: download - view: text, markup, annotated - select for diffs
Mon Aug 31 20:25:33 2020 UTC (4 years, 3 months ago) by riastradh
Branches: MAIN
Diff to: previous 1.40: preferred, colored
Changes since revision 1.40: +3 -3 lines
wg: Fix indentation.  No functional change.

Revision 1.40: download - view: text, markup, annotated - select for diffs
Mon Aug 31 20:25:11 2020 UTC (4 years, 3 months ago) by riastradh
Branches: MAIN
Diff to: previous 1.39: preferred, colored
Changes since revision 1.39: +4 -19 lines
wg: Just call callout_halt directly.

No functional change, just makes it easier to read where callout_halt
happens.

Revision 1.39: download - view: text, markup, annotated - select for diffs
Mon Aug 31 20:24:49 2020 UTC (4 years, 3 months ago) by riastradh
Branches: MAIN
Diff to: previous 1.38: preferred, colored
Changes since revision 1.38: +25 -24 lines
wg: Fix byte order on wire.

Give this a chance to work on big-endian systems.

Revision 1.38: download - view: text, markup, annotated - select for diffs
Mon Aug 31 20:24:19 2020 UTC (4 years, 3 months ago) by riastradh
Branches: MAIN
Diff to: previous 1.37: preferred, colored
Changes since revision 1.37: +15 -5 lines
wg: mbuf m_freem audit.

1. wg_handle_msg_data frees m but the other wg_handle_msg_* just take
   a pointer to the mbuf content and not m itself, so free m in those
   cases.

2. Can't trivially prove that the pcq is empty by the time
   wg_destroy_peer runs pcq_destroy, so let's explicitly purge it
   just in case.

3. If wg_send_udp isn't doing udp_send or udp6_output, it still has
   to free m in the !INET6 error branch for IPv6 packets.

4. After rumpuser_wg_send_peer or rumpuser_wg_send_user, we still
   need to free the mbuf.

Revision 1.37: download - view: text, markup, annotated - select for diffs
Mon Aug 31 20:23:56 2020 UTC (4 years, 3 months ago) by riastradh
Branches: MAIN
Diff to: previous 1.36: preferred, colored
Changes since revision 1.36: +131 -34 lines
wg: Use thmap(9) for peer and session lookup.

Make sure we also don't trip over our own shoelaces by choosing the
same session index twice.

Revision 1.36: download - view: text, markup, annotated - select for diffs
Mon Aug 31 20:21:30 2020 UTC (4 years, 3 months ago) by riastradh
Branches: MAIN
Diff to: previous 1.35: preferred, colored
Changes since revision 1.35: +4 -5 lines
wg: XAEAD doesn't use a counter, so don't pass one.

Revision 1.35: download - view: text, markup, annotated - select for diffs
Mon Aug 31 20:21:09 2020 UTC (4 years, 3 months ago) by riastradh
Branches: MAIN
Diff to: previous 1.34: preferred, colored
Changes since revision 1.34: +3 -2 lines
wg: Count down wg_npeers in wg_destroy_all_peers too.

Doesn't actually make a difference -- wg_destroy_all_peers is only
used when we're destroying the wg instance altogether -- but let's
not leave rakes to step on.

Revision 1.34: download - view: text, markup, annotated - select for diffs
Mon Aug 31 20:20:48 2020 UTC (4 years, 3 months ago) by riastradh
Branches: MAIN
Diff to: previous 1.33: preferred, colored
Changes since revision 1.33: +4 -2 lines
wg: Note lock order.

Revision 1.33: download - view: text, markup, annotated - select for diffs
Mon Aug 31 20:20:22 2020 UTC (4 years, 3 months ago) by riastradh
Branches: MAIN
Diff to: previous 1.32: preferred, colored
Changes since revision 1.32: +3 -3 lines
wg: Remove IFF_POINTOPOINT.

Unclear why this was set; setting it seems to have required a kludge
in netinet/in.c that broke ipsec tunnels.  Clearing it makes wg work
again after that kludge was reverted.

Revision 1.32: download - view: text, markup, annotated - select for diffs
Fri Aug 28 07:03:08 2020 UTC (4 years, 3 months ago) by riastradh
Branches: MAIN
Diff to: previous 1.31: preferred, colored
Changes since revision 1.31: +31 -30 lines
wg: Sort includes.

Revision 1.31: download - view: text, markup, annotated - select for diffs
Thu Aug 27 19:21:14 2020 UTC (4 years, 3 months ago) by tih
Branches: MAIN
Diff to: previous 1.30: preferred, colored
Changes since revision 1.30: +3 -3 lines
Summary: let wg interfaces carry multicast traffic

Once a wg interface is up and running, it is useful to be able to run
a routing protocol over it.  Marking the interface multicast capable
enables this.  (One must also use the wgconfig --allowed-ips option to
explicitly permit the group one needs, e.g. 224.0.0.5/32 for OSPF.)

Revision 1.30: download - view: text, markup, annotated - select for diffs
Thu Aug 27 13:44:41 2020 UTC (4 years, 3 months ago) by riastradh
Branches: MAIN
Diff to: previous 1.29: preferred, colored
Changes since revision 1.29: +5 -2 lines
wg: Assert MCLBYTES is enough for requested length in wg_get_mbuf.

Revision 1.29: download - view: text, markup, annotated - select for diffs
Thu Aug 27 03:05:34 2020 UTC (4 years, 3 months ago) by riastradh
Branches: MAIN
Diff to: previous 1.28: preferred, colored
Changes since revision 1.28: +7 -2 lines
wg: Make sure all paths into wg_handle_msg_data guarantee enough m_len.

Earlier commit moved the m_pullup into wg_validate_msg_header, but
wg_overudp_cb doesn't go through that.

Revision 1.28: download - view: text, markup, annotated - select for diffs
Thu Aug 27 02:55:04 2020 UTC (4 years, 3 months ago) by riastradh
Branches: MAIN
Diff to: previous 1.27: preferred, colored
Changes since revision 1.27: +12 -5 lines
wg: Drop invalid message types on the floor faster.

Don't even let them reach the thread -- drop them in softint.

Revision 1.27: download - view: text, markup, annotated - select for diffs
Thu Aug 27 02:54:31 2020 UTC (4 years, 3 months ago) by riastradh
Branches: MAIN
Diff to: previous 1.26: preferred, colored
Changes since revision 1.26: +9 -3 lines
wg: KASSERT m_len before mtod.

XXX We should really make mtod do this automagically, and use
something else for mtod(m, void *).

Revision 1.26: download - view: text, markup, annotated - select for diffs
Thu Aug 27 02:53:47 2020 UTC (4 years, 3 months ago) by riastradh
Branches: MAIN
Diff to: previous 1.25: preferred, colored
Changes since revision 1.25: +49 -34 lines
wg: Use m_pullup to make message header contiguous before processing.

Revision 1.25: download - view: text, markup, annotated - select for diffs
Thu Aug 27 02:52:33 2020 UTC (4 years, 3 months ago) by riastradh
Branches: MAIN
Diff to: previous 1.24: preferred, colored
Changes since revision 1.24: +18 -2 lines
wg: Check mbuf chain length before m_copydata.
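The three commits above (1.25, 1.26 and 1.28, plus the contiguous-header fix in 1.29) all enforce one rule: check that the datagram is long enough for the message type it claims before reading any field behind the type word, and drop anything else as early as possible. The following is an added example of that check written against a flat buffer; it is not if_wg.c's code. The message sizes are the fixed sizes from the WireGuard protocol description (the 148-byte initiation is the same figure revision 1.69 mentions); the function names and the constructed test datagrams are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/*
 * Added example, not the if_wg.c code: reject a WireGuard datagram
 * before any field behind the 4-byte type word is read.
 */
#define WG_MSG_TYPE_INIT	1	/* handshake initiation */
#define WG_MSG_TYPE_RESP	2	/* handshake response */
#define WG_MSG_TYPE_COOKIE	3	/* cookie reply */
#define WG_MSG_TYPE_DATA	4	/* transport data */

/* Fixed on-wire sizes from the protocol description. */
#define WG_MSG_INIT_LEN		148
#define WG_MSG_RESP_LEN		92
#define WG_MSG_COOKIE_LEN	64
#define WG_MSG_DATA_HDR_LEN	16	/* type + receiver index + 64-bit counter */
#define WG_AEAD_TAG_LEN		16	/* Poly1305 tag; an empty payload still carries one */
#define WG_MSG_DATA_MIN_LEN	(WG_MSG_DATA_HDR_LEN + WG_AEAD_TAG_LEN)

/* Portable little-endian decode; no possibly unaligned uint32_t cast. */
static uint32_t
rd_le32(const uint8_t *p)
{
	return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
	    ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/*
 * Returns the message type (1..4) if the `len` bytes at `buf` are a
 * plausible WireGuard message, or -1 to drop it: too short to hold the
 * type word, unknown type, non-zero reserved bytes, or wrong length for
 * the type.  Nothing beyond the type word is touched until the length
 * has been checked.
 */
static int
wg_validate_msg(const uint8_t *buf, size_t len)
{
	uint32_t type;

	if (len < 4)
		return -1;
	/* The three reserved bytes must be zero, so compare the whole word. */
	type = rd_le32(buf);

	switch (type) {
	case WG_MSG_TYPE_INIT:
		return len == WG_MSG_INIT_LEN ? WG_MSG_TYPE_INIT : -1;
	case WG_MSG_TYPE_RESP:
		return len == WG_MSG_RESP_LEN ? WG_MSG_TYPE_RESP : -1;
	case WG_MSG_TYPE_COOKIE:
		return len == WG_MSG_COOKIE_LEN ? WG_MSG_TYPE_COOKIE : -1;
	case WG_MSG_TYPE_DATA:
		return len >= WG_MSG_DATA_MIN_LEN ? WG_MSG_TYPE_DATA : -1;
	default:
		return -1;
	}
}

/*
 * Constructed input for trying the validator: a zero-filled datagram of
 * `len` bytes whose first word is `type_word` (little-endian).
 */
static int
wg_validate_constructed(uint32_t type_word, size_t len)
{
	uint8_t buf[256];

	if (len > sizeof(buf))
		return -1;
	memset(buf, 0, sizeof(buf));
	buf[0] = (uint8_t)type_word;
	buf[1] = (uint8_t)(type_word >> 8);
	buf[2] = (uint8_t)(type_word >> 16);
	buf[3] = (uint8_t)(type_word >> 24);
	return wg_validate_msg(buf, len);
}

int
main(void)
{
	/* A 147-byte "initiation" and a 31-byte "data" message must both be dropped. */
	return (wg_validate_constructed(WG_MSG_TYPE_INIT, 148) == WG_MSG_TYPE_INIT &&
	    wg_validate_constructed(WG_MSG_TYPE_INIT, 147) == -1 &&
	    wg_validate_constructed(WG_MSG_TYPE_DATA, 31) == -1) ? 0 : 1;
}
```

In the kernel the same check has to run before m_copydata or mtod, and on an mbuf chain the header must first be made contiguous (m_pullup), which is what 1.26 and 1.29 add; the type switch here corresponds to dropping unknown types in the softint rather than handing them to the thread (1.28).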

Revision 1.24: download - view: text, markup, annotated - select for diffs
Wed Aug 26 16:03:41 2020 UTC (4 years, 3 months ago) by riastradh
Branches: MAIN
Diff to: previous 1.23: preferred, colored
Changes since revision 1.23: +12 -14 lines
Clarify wg(4)'s relation to WireGuard, pending further discussion.

Still planning to replace wgconfig(8) and wg-keygen(8) by one wg(8)
tool compatible with wireguard-tools; update wg(4) for the minor
changes from the 2018-06-30 spec to the 2020-06-01 spec; &c.  This just
clarifies the current state of affairs as it exists in the development
tree for now.

Mark the man page EXPERIMENTAL for extra clarity.

Revision 1.23: download - view: text, markup, annotated - select for diffs
Sun Aug 23 18:52:53 2020 UTC (4 years, 3 months ago) by riastradh
Branches: MAIN
Diff to: previous 1.22: preferred, colored
Changes since revision 1.22: +3 -3 lines
Initialize peers early on for error branch.

Revision 1.22: download - view: text, markup, annotated - select for diffs
Fri Aug 21 20:21:36 2020 UTC (4 years, 3 months ago) by riastradh
Branches: MAIN
Diff to: previous 1.21: preferred, colored
Changes since revision 1.21: +56 -5 lines
Use lock rather than 64-bit atomics for platforms without the latter.

Revision 1.21: download - view: text, markup, annotated - select for diffs
Fri Aug 21 15:48:13 2020 UTC (4 years, 3 months ago) by riastradh
Branches: MAIN
Diff to: previous 1.20: preferred, colored
Changes since revision 1.20: +15 -15 lines
Fix sysctl types.

- CTLTYPE_QUAD, not CTLTYPE_LONG, for uint64_t
- use unsigned rather than time_t -- these are all short durations
- clamp timeouts to be safe for conversion to int ticks in callout

Should fix 32-bit builds.

Revision 1.20: download - view: text, markup, annotated - select for diffs
Fri Aug 21 07:05:25 2020 UTC (4 years, 3 months ago) by riastradh
Branches: MAIN
Diff to: previous 1.19: preferred, colored
Changes since revision 1.19: +8 -2 lines
Ifdef out fast path that relies on atomic 64-bit load/store.

(Really this sliding window business could probably be done with
32-bit sequence numbers and careful detection of wraparound, but
that's a little more effort to work out -- let's just unbreak the
builds for now.)

Revision 1.19: download - view: text, markup, annotated - select for diffs
Thu Aug 20 21:36:21 2020 UTC (4 years, 3 months ago) by riastradh
Branches: MAIN
Diff to: previous 1.18: preferred, colored
Changes since revision 1.18: +3 -3 lines
Mark KASSERT-only variable as __diagused.

Revision 1.18: download - view: text, markup, annotated - select for diffs
Thu Aug 20 21:35:44 2020 UTC (4 years, 3 months ago) by riastradh
Branches: MAIN
Diff to: previous 1.17: preferred, colored
Changes since revision 1.17: +4 -3 lines
Avoid callout_halt under lock.

- We could pass the lock in, except we hold another lock too.

- We could halt before taking the other lock, but it's not safe to
  sleep after getting the session pointer before taking its lock.

- We could halt before getting the session pointer, but then there's
  no point in doing it under the lock.

So just halt a little earlier instead.

Revision 1.17: download - view: text, markup, annotated - select for diffs
Thu Aug 20 21:35:33 2020 UTC (4 years, 3 months ago) by riastradh
Branches: MAIN
Diff to: previous 1.16: preferred, colored
Changes since revision 1.16: +23 -21 lines
Sprinkle const.

Revision 1.16: download - view: text, markup, annotated - select for diffs
Thu Aug 20 21:35:24 2020 UTC (4 years, 3 months ago) by riastradh
Branches: MAIN
Diff to: previous 1.15: preferred, colored
Changes since revision 1.15: +5 -5 lines
Use container_of rather than casts via void *.

Revision 1.15: download - view: text, markup, annotated - select for diffs
Thu Aug 20 21:35:13 2020 UTC (4 years, 3 months ago) by riastradh
Branches: MAIN
Diff to: previous 1.14: preferred, colored
Changes since revision 1.14: +6 -7 lines
Use be32enc, rather than possibly unaligned uint32_t cast and htonl.

Revision 1.14: download - view: text, markup, annotated - select for diffs
Thu Aug 20 21:35:01 2020 UTC (4 years, 3 months ago) by riastradh
Branches: MAIN
Diff to: previous 1.13: preferred, colored
Changes since revision 1.13: +94 -80 lines
KNF

Revision 1.13: download - view: text, markup, annotated - select for diffs
Thu Aug 20 21:34:42 2020 UTC (4 years, 3 months ago) by riastradh
Branches: MAIN
Diff to: previous 1.12: preferred, colored
Changes since revision 1.12: +12 -10 lines
Use consttime_memequal, not memcmp, to compare secrets for equality.
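memcmp(3) returns as soon as it finds the first differing byte, so the time it takes to reject a forged MAC or cookie reveals how many leading bytes the attacker got right. The block below is an added example of the constant-time alternative, written for this page rather than taken from NetBSD's libc or if_wg.c; it keeps the consttime_memequal(3) convention of returning 1 for equal and 0 for different. A deliberately naive comparison that counts how many bytes it examined is included so the leak is visible; `naive_steps` and `ct_memequal` are names made up for this example.

```c
#include <stddef.h>
#include <stdint.h>

/*
 * Added example, not NetBSD's consttime_memequal(3): compare n bytes
 * without an early exit, so the time taken does not depend on which byte
 * differs first.  Returns 1 if equal, 0 otherwise.
 */
static int
ct_memequal(const void *a, const void *b, size_t n)
{
	const volatile uint8_t *pa = a;	/* volatile: keep the compiler from shortcutting the loop */
	const volatile uint8_t *pb = b;
	uint8_t acc = 0;

	/* OR together every byte difference; never break out of the loop. */
	for (size_t i = 0; i < n; i++)
		acc |= pa[i] ^ pb[i];

	/*
	 * Fold the 8-bit accumulator to 0/1 without a data-dependent branch:
	 * for any non-zero acc, acc | -acc has its top bit set.
	 */
	return 1 ^ ((acc | (uint8_t)-acc) >> 7);
}

/*
 * Demonstration only, never use for secrets: a memcmp-style compare that
 * stops at the first mismatch.  Returns how many bytes it looked at, which
 * is exactly the quantity a timing side channel exposes.
 */
static size_t
naive_steps(const void *a, const void *b, size_t n)
{
	const uint8_t *pa = a;
	const uint8_t *pb = b;
	size_t i;

	for (i = 0; i < n; i++) {
		if (pa[i] != pb[i])
			return i + 1;	/* leaks the position of the first wrong byte */
	}
	return n;
}

int
main(void)
{
	/* Constructed 16-byte tags: equal, and differing in the first byte only. */
	static const uint8_t tag[16]   = "0123456789abcdef";
	static const uint8_t wrong[16] = "X123456789abcdef";

	return (ct_memequal(tag, tag, 16) == 1 &&
	    ct_memequal(tag, wrong, 16) == 0 &&
	    naive_steps(tag, wrong, 16) == 1) ? 0 : 1;
}
```

The same rule applies to every comparison of attacker-influenced data against a secret-derived value in the handshake: mac1, mac2, the cookie, and the preshared-key-derived fields. A compiler is still free to optimise a loop like this into something with an early exit, which is why production code (and consttime_memequal(3)) is careful about what the optimiser can see; the volatile qualifiers here are the usual portable hedge.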

Revision 1.12: download - view: text, markup, annotated - select for diffs
Thu Aug 20 21:34:32 2020 UTC (4 years, 3 months ago) by riastradh
Branches: MAIN
Diff to: previous 1.11: preferred, colored
Changes since revision 1.11: +69 -139 lines
Take advantage of prop_dictionary_util(3).

Revision 1.11: download - view: text, markup, annotated - select for diffs
Thu Aug 20 21:34:23 2020 UTC (4 years, 3 months ago) by riastradh
Branches: MAIN
Diff to: previous 1.10: preferred, colored
Changes since revision 1.10: +90 -65 lines
Split up wg_process_peer_tasks into bite-size functions.

Revision 1.10: download - view: text, markup, annotated - select for diffs
Thu Aug 20 21:34:13 2020 UTC (4 years, 3 months ago) by riastradh
Branches: MAIN
Diff to: previous 1.9: preferred, colored
Changes since revision 1.9: +11 -11 lines
Fix race in wg_worker kthread destruction.

Also allow the thread to migrate between CPUs -- just not while we're
in the middle of processing and holding onto things with psrefs.

Revision 1.9: download - view: text, markup, annotated - select for diffs
Thu Aug 20 21:34:03 2020 UTC (4 years, 3 months ago) by riastradh
Branches: MAIN
Diff to: previous 1.8: preferred, colored
Changes since revision 1.8: +45 -39 lines
Update for proplib API changes.

Revision 1.8: download - view: text, markup, annotated - select for diffs
Thu Aug 20 21:33:52 2020 UTC (4 years, 3 months ago) by riastradh
Branches: MAIN
Diff to: previous 1.7: preferred, colored
Changes since revision 1.7: +41 -56 lines
Use SYSCTL_SETUP for net.wireguard subtree.

Revision 1.7: download - view: text, markup, annotated - select for diffs
Thu Aug 20 21:31:47 2020 UTC (4 years, 3 months ago) by riastradh
Branches: MAIN
Diff to: previous 1.6: preferred, colored
Changes since revision 1.6: +5 -2 lines
Fix in-kernel debug build.

Revision 1.6: download - view: text, markup, annotated - select for diffs
Thu Aug 20 21:31:36 2020 UTC (4 years, 3 months ago) by riastradh
Branches: MAIN
Diff to: previous 1.5: preferred, colored
Changes since revision 1.5: +109 -12 lines
Implement sliding window for wireguard replay detection.
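Revision 1.6 above adds the anti-replay sliding window, and revision 1.20 (further up the page) notes that the fast path for it relies on atomic 64-bit loads and stores. As an added example, not the if_wg.c implementation, here is the standard bitmap sliding window (the RFC 6479 scheme) for 64-bit transport-data counters: the receiver keeps the highest counter seen and a ring of 64-bit words with one bit per counter, accepts anything newer than the highest counter, accepts older counters only if they lie inside the window and their bit is clear, and rejects everything else. The total bitmap size of 2048 bits is an assumption (the page does not state wg(4)'s value); the structure and function names are made up for this example; and it is single-threaded, so the locking or 64-bit atomics the commits discuss are out of scope here.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/*
 * Added example of a bitmap sliding window for replay detection of
 * WireGuard transport-data counters (RFC 6479 style).  Not NetBSD's
 * if_wg.c code; the names and the bitmap size are assumptions.
 */
#define WG_REPLAY_BITS		2048	/* assumed total bitmap size */
#define WG_REPLAY_NWORDS	(WG_REPLAY_BITS / 64)
/* The newest word is only partially used, so the usable window is one word smaller. */
#define WG_REPLAY_WINDOW	(WG_REPLAY_BITS - 64)
/* From the protocol description: stop accepting at 2^64 - 2^13 - 1. */
#define WG_REJECT_AFTER_MESSAGES (UINT64_MAX - (1ULL << 13) - 1)

struct wg_replay {
	uint64_t	wr_counter;			/* highest counter accepted so far */
	uint64_t	wr_bitmap[WG_REPLAY_NWORDS];	/* ring of words, one bit per counter */
};

static void
wg_replay_init(struct wg_replay *r)
{
	memset(r, 0, sizeof(*r));
}

/*
 * Returns true and records `seq` if it is fresh: never seen and not
 * older than the window.  Returns false for a replay, a counter that
 * fell out of the window, or an exhausted counter space.
 */
static bool
wg_replay_accept(struct wg_replay *r, uint64_t seq)
{
	uint64_t word = seq / 64;
	uint64_t bit = 1ULL << (seq % 64);

	if (seq >= WG_REJECT_AFTER_MESSAGES)
		return false;

	if (seq > r->wr_counter) {
		/* Window moves forward: zero every word we skip over, at most the whole ring. */
		uint64_t cur = r->wr_counter / 64;
		uint64_t diff = word - cur;

		if (diff > WG_REPLAY_NWORDS)
			diff = WG_REPLAY_NWORDS;
		for (uint64_t i = 1; i <= diff; i++)
			r->wr_bitmap[(cur + i) % WG_REPLAY_NWORDS] = 0;
		r->wr_counter = seq;
	} else if (r->wr_counter - seq >= WG_REPLAY_WINDOW) {
		/* Too old to be tracked by the bitmap: reject unconditionally. */
		return false;
	}

	if (r->wr_bitmap[word % WG_REPLAY_NWORDS] & bit)
		return false;	/* duplicate */
	r->wr_bitmap[word % WG_REPLAY_NWORDS] |= bit;
	return true;
}

/*
 * Scripted scenario with constructed counters; returns how many of the
 * expectations failed, so 0 means the window behaved as described.
 */
static int
wg_replay_selftest(void)
{
	struct wg_replay r;
	int failed = 0;

	wg_replay_init(&r);
	failed += !wg_replay_accept(&r, 0);		/* first packet */
	failed += !wg_replay_accept(&r, 1);
	failed += wg_replay_accept(&r, 1);		/* replay */
	failed += !wg_replay_accept(&r, 3);
	failed += !wg_replay_accept(&r, 2);		/* reordered, inside the window */
	failed += wg_replay_accept(&r, 2);		/* replay of the reordered packet */
	failed += !wg_replay_accept(&r, 100000);	/* large jump forward */
	failed += wg_replay_accept(&r, 0);		/* fell out of the window */
	failed += !wg_replay_accept(&r, 100000 - WG_REPLAY_WINDOW + 1);	/* oldest still tracked */
	failed += wg_replay_accept(&r, 100000 - WG_REPLAY_WINDOW);	/* one too old */
	failed += wg_replay_accept(&r, WG_REJECT_AFTER_MESSAGES);	/* counter exhausted */
	return failed;
}

int
main(void)
{
	return wg_replay_selftest() == 0 ? 0 : 1;
}
```

The window is what makes the 64-bit counter safe to use as the AEAD nonce: a counter is accepted at most once, and anything older than the window is dropped without consulting the bitmap, so an attacker replaying captured datagrams gets nothing decrypted twice. Why the shared state matters for revision 1.20 is visible in `wr_counter`: a receive path that reads it without a lock needs the read to be a single atomic 64-bit load, which is exactly what 32-bit platforms cannot promise.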

Revision 1.5: download - view: text, markup, annotated - select for diffs
Thu Aug 20 21:31:16 2020 UTC (4 years, 3 months ago) by riastradh
Branches: MAIN
Diff to: previous 1.4: preferred, colored
Changes since revision 1.4: +4 -3 lines
Don't falsely assert cpu_softintr_p().

Will fail in the following stack trace:

wg_worker (kthread)
wg_receive_packets
wg_handle_packet
wg_handle_msg_data
KASSERT(cpu_softintr_p())

Instead, use kpreempt_disable/enable around softint_schedule.

XXX Not clear that softint is the right place to do this!

Revision 1.4: download - view: text, markup, annotated - select for diffs
Thu Aug 20 21:31:06 2020 UTC (4 years, 3 months ago) by riastradh
Branches: MAIN
Diff to: previous 1.3: preferred, colored
Changes since revision 1.3: +6 -6 lines
Convert wg(4) to if_stat.

Revision 1.3: download - view: text, markup, annotated - select for diffs
Thu Aug 20 21:30:56 2020 UTC (4 years, 3 months ago) by riastradh
Branches: MAIN
Diff to: previous 1.2: preferred, colored
Changes since revision 1.2: +3 -3 lines
Use cprng_strong, not cprng_fast, for ephemeral key.

Revision 1.2: download - view: text, markup, annotated - select for diffs
Thu Aug 20 21:29:44 2020 UTC (4 years, 3 months ago) by riastradh
Branches: MAIN
Diff to: previous 1.1: preferred, colored
Changes since revision 1.1: +104 -39 lines
[ozaki-r] Fix bugs found by maxv's audits

Revision 1.1: download - view: text, markup, annotated - select for diffs
Thu Aug 20 21:28:01 2020 UTC (4 years, 3 months ago) by riastradh
Branches: MAIN
[ozaki-r] Add wg files

CVSweb <webmaster@jp.NetBSD.org>