git: b65d2c31b1de - stable/13 - base: remove if_wg(4) and associated utilities, manpage
Scott Long
scottl at FreeBSD.org
Thu Mar 18 07:15:47 UTC 2021
The branch stable/13 has been updated by scottl:
URL: https://cgit.FreeBSD.org/src/commit/?id=b65d2c31b1de93e697e6429b962d9fa0b78e4f70
commit b65d2c31b1de93e697e6429b962d9fa0b78e4f70
Author: Scott Long <scottl at FreeBSD.org>
AuthorDate: 2021-03-18 07:07:56 +0000
Commit: Scott Long <scottl at FreeBSD.org>
CommitDate: 2021-03-18 07:07:56 +0000
base: remove if_wg(4) and associated utilities, manpage
After length decisions, we've decided that the if_wg(4) driver and
related work is not yet ready to live in the tree. This driver has
larger security implications than many, and thus will be held to
more scrutiny than other drivers.
Requested by: secteam
Approved by: re
---
sbin/ifconfig/Makefile | 1 -
sbin/ifconfig/ifwg.c | 618 --
share/man/man4/Makefile | 1 -
share/man/man4/wg.4 | 255 -
sys/dev/if_wg/include/crypto/blake2s.h | 56 -
sys/dev/if_wg/include/crypto/curve25519.h | 74 -
sys/dev/if_wg/include/crypto/zinc.h | 15 -
sys/dev/if_wg/include/sys/if_wg_session.h | 89 -
sys/dev/if_wg/include/sys/if_wg_session_vars.h | 319 -
sys/dev/if_wg/include/sys/simd-x86_64.h | 74 -
sys/dev/if_wg/include/sys/support.h | 342 -
sys/dev/if_wg/include/sys/wg_cookie.h | 174 -
sys/dev/if_wg/include/sys/wg_module.h | 121 -
sys/dev/if_wg/include/sys/wg_noise.h | 286 -
sys/dev/if_wg/include/zinc/blake2s.h | 50 -
sys/dev/if_wg/include/zinc/chacha20.h | 68 -
sys/dev/if_wg/include/zinc/chacha20poly1305.h | 48 -
sys/dev/if_wg/include/zinc/curve25519.h | 28 -
sys/dev/if_wg/include/zinc/poly1305.h | 29 -
sys/dev/if_wg/module/blake2s.c | 256 -
sys/dev/if_wg/module/blake2s.h | 58 -
sys/dev/if_wg/module/chacha20-x86_64.S | 2834 -------
.../crypto/zinc/chacha20/chacha20-arm-glue.c | 98 -
.../module/crypto/zinc/chacha20/chacha20-arm.pl | 1227 ---
.../module/crypto/zinc/chacha20/chacha20-arm64.pl | 1163 ---
.../crypto/zinc/chacha20/chacha20-mips-glue.c | 27 -
.../module/crypto/zinc/chacha20/chacha20-mips.S | 424 -
.../crypto/zinc/chacha20/chacha20-x86_64-glue.c | 132 -
.../module/crypto/zinc/chacha20/chacha20-x86_64.pl | 4106 ----------
.../if_wg/module/crypto/zinc/chacha20/chacha20.c | 238 -
.../if_wg/module/crypto/zinc/chacha20poly1305.c | 196 -
.../crypto/zinc/poly1305/poly1305-arm-glue.c | 140 -
.../module/crypto/zinc/poly1305/poly1305-arm.pl | 1276 ---
.../module/crypto/zinc/poly1305/poly1305-arm64.pl | 974 ---
.../module/crypto/zinc/poly1305/poly1305-donna32.c | 205 -
.../module/crypto/zinc/poly1305/poly1305-donna64.c | 182 -
.../crypto/zinc/poly1305/poly1305-mips-glue.c | 37 -
.../module/crypto/zinc/poly1305/poly1305-mips.S | 407 -
.../module/crypto/zinc/poly1305/poly1305-mips64.pl | 467 --
.../crypto/zinc/poly1305/poly1305-x86_64-glue.c | 171 -
.../module/crypto/zinc/poly1305/poly1305-x86_64.pl | 4266 ----------
.../if_wg/module/crypto/zinc/poly1305/poly1305.c | 163 -
.../if_wg/module/crypto/zinc/selftest/blake2s.c | 2090 -----
.../if_wg/module/crypto/zinc/selftest/chacha20.c | 2703 -------
.../module/crypto/zinc/selftest/chacha20poly1305.c | 8443 --------------------
.../if_wg/module/crypto/zinc/selftest/curve25519.c | 1315 ---
.../if_wg/module/crypto/zinc/selftest/poly1305.c | 1110 ---
sys/dev/if_wg/module/crypto/zinc/selftest/run.h | 43 -
sys/dev/if_wg/module/curve25519.c | 867 --
sys/dev/if_wg/module/if_wg_session.c | 1983 -----
sys/dev/if_wg/module/module.c | 863 --
sys/dev/if_wg/module/poly1305-x86_64.S | 3021 -------
sys/dev/if_wg/module/wg_cookie.c | 399 -
sys/dev/if_wg/module/wg_noise.c | 958 ---
sys/kern/subr_gtaskqueue.c | 13 -
sys/modules/Makefile | 1 -
sys/modules/if_wg/Makefile | 38 -
sys/sys/gtaskqueue.h | 1 -
58 files changed, 45543 deletions(-)
diff --git a/sbin/ifconfig/Makefile b/sbin/ifconfig/Makefile
index 61cb8ab933fd..b178dc0c7e6a 100644
--- a/sbin/ifconfig/Makefile
+++ b/sbin/ifconfig/Makefile
@@ -35,7 +35,6 @@ SRCS+= ifvxlan.c # VXLAN support
SRCS+= ifgre.c # GRE keys etc
SRCS+= ifgif.c # GIF reversed header workaround
SRCS+= ifipsec.c # IPsec VTI
-SRCS+= ifwg.c # Wireguard
SRCS+= sfp.c # SFP/SFP+ information
LIBADD+= ifconfig m util
diff --git a/sbin/ifconfig/ifwg.c b/sbin/ifconfig/ifwg.c
deleted file mode 100644
index a2b22d2dfbef..000000000000
--- a/sbin/ifconfig/ifwg.c
+++ /dev/null
@@ -1,618 +0,0 @@
-/*-
- * SPDX-License-Identifier: BSD-2-Clause
- *
- * Copyright (c) 2020 Rubicon Communications, LLC (Netgate)
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include <sys/cdefs.h>
-__FBSDID("$FreeBSD$");
-
-#ifndef RESCUE
-#include <sys/param.h>
-#include <sys/ioctl.h>
-#include <sys/socket.h>
-#include <sys/sysctl.h>
-#include <sys/time.h>
-#include <sys/nv.h>
-
-#include <net/ethernet.h>
-#include <net/if.h>
-#include <net/if_dl.h>
-#include <net/if_types.h>
-#include <net/if_media.h>
-#include <net/route.h>
-
-#include <netinet/in.h>
-#include <arpa/inet.h>
-
-#include <assert.h>
-#include <ctype.h>
-#include <err.h>
-#include <errno.h>
-#include <fcntl.h>
-#include <inttypes.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <netdb.h>
-#include <string.h>
-#include <unistd.h>
-#include <stdarg.h>
-#include <stddef.h> /* NB: for offsetof */
-#include <locale.h>
-#include <langinfo.h>
-#include <resolv.h>
-
-#include "ifconfig.h"
-
-typedef enum {
- WGC_GET = 0x5,
- WGC_SET = 0x6,
-} wg_cmd_t;
-
-static nvlist_t *nvl_params;
-static bool do_peer;
-static int allowed_ips_count;
-static int allowed_ips_max;
-struct allowedip {
- struct sockaddr_storage a_addr;
- struct sockaddr_storage a_mask;
-};
-struct allowedip *allowed_ips;
-
-#define ALLOWEDIPS_START 16
-#define WG_KEY_LEN 32
-#define WG_KEY_LEN_BASE64 ((((WG_KEY_LEN) + 2) / 3) * 4 + 1)
-#define WG_KEY_LEN_HEX (WG_KEY_LEN * 2 + 1)
-#define WG_MAX_STRLEN 64
-
-static bool
-key_from_base64(uint8_t key[static WG_KEY_LEN], const char *base64)
-{
-
- if (strlen(base64) != WG_KEY_LEN_BASE64 - 1) {
- warnx("bad key len - need %d got %zu\n", WG_KEY_LEN_BASE64 - 1, strlen(base64));
- return false;
- }
- if (base64[WG_KEY_LEN_BASE64 - 2] != '=') {
- warnx("bad key terminator, expected '=' got '%c'", base64[WG_KEY_LEN_BASE64 - 2]);
- return false;
- }
- return (b64_pton(base64, key, WG_KEY_LEN));
-}
-
-static void
-parse_endpoint(const char *endpoint_)
-{
- int err;
- char *base, *endpoint, *port, *colon, *tmp;
- struct addrinfo hints, *res;
-
- endpoint = base = strdup(endpoint_);
- colon = rindex(endpoint, ':');
- if (colon == NULL)
- errx(1, "bad endpoint format %s - no port delimiter found", endpoint);
- *colon = '\0';
- port = colon + 1;
-
- /* [::]:<> */
- if (endpoint[0] == '[') {
- endpoint++;
- tmp = index(endpoint, ']');
- if (tmp == NULL)
- errx(1, "bad endpoint format %s - '[' found with no matching ']'", endpoint);
- *tmp = '\0';
- }
- bzero(&hints, sizeof(hints));
- hints.ai_family = AF_UNSPEC;
- err = getaddrinfo(endpoint, port, &hints, &res);
- if (err)
- errx(1, "%s", gai_strerror(err));
- nvlist_add_binary(nvl_params, "endpoint", res->ai_addr, res->ai_addrlen);
- freeaddrinfo(res);
- free(base);
-}
-
-static void
-in_len2mask(struct in_addr *mask, u_int len)
-{
- u_int i;
- u_char *p;
-
- p = (u_char *)mask;
- memset(mask, 0, sizeof(*mask));
- for (i = 0; i < len / NBBY; i++)
- p[i] = 0xff;
- if (len % NBBY)
- p[i] = (0xff00 >> (len % NBBY)) & 0xff;
-}
-
-static u_int
-in_mask2len(struct in_addr *mask)
-{
- u_int x, y;
- u_char *p;
-
- p = (u_char *)mask;
- for (x = 0; x < sizeof(*mask); x++) {
- if (p[x] != 0xff)
- break;
- }
- y = 0;
- if (x < sizeof(*mask)) {
- for (y = 0; y < NBBY; y++) {
- if ((p[x] & (0x80 >> y)) == 0)
- break;
- }
- }
- return x * NBBY + y;
-}
-
-static void
-in6_prefixlen2mask(struct in6_addr *maskp, int len)
-{
- static const u_char maskarray[NBBY] = {0x80, 0xc0, 0xe0, 0xf0, 0xf8, 0xfc, 0xfe, 0xff};
- int bytelen, bitlen, i;
-
- /* sanity check */
- if (len < 0 || len > 128) {
- errx(1, "in6_prefixlen2mask: invalid prefix length(%d)\n",
- len);
- return;
- }
-
- memset(maskp, 0, sizeof(*maskp));
- bytelen = len / NBBY;
- bitlen = len % NBBY;
- for (i = 0; i < bytelen; i++)
- maskp->s6_addr[i] = 0xff;
- if (bitlen)
- maskp->s6_addr[bytelen] = maskarray[bitlen - 1];
-}
-
-static int
-in6_mask2len(struct in6_addr *mask, u_char *lim0)
-{
- int x = 0, y;
- u_char *lim = lim0, *p;
-
- /* ignore the scope_id part */
- if (lim0 == NULL || lim0 - (u_char *)mask > sizeof(*mask))
- lim = (u_char *)mask + sizeof(*mask);
- for (p = (u_char *)mask; p < lim; x++, p++) {
- if (*p != 0xff)
- break;
- }
- y = 0;
- if (p < lim) {
- for (y = 0; y < NBBY; y++) {
- if ((*p & (0x80 >> y)) == 0)
- break;
- }
- }
-
- /*
- * when the limit pointer is given, do a stricter check on the
- * remaining bits.
- */
- if (p < lim) {
- if (y != 0 && (*p & (0x00ff >> y)) != 0)
- return -1;
- for (p = p + 1; p < lim; p++)
- if (*p != 0)
- return -1;
- }
-
- return x * NBBY + y;
-}
-
-static bool
-parse_ip(struct allowedip *aip, const char *value)
-{
- struct addrinfo hints, *res;
- int err;
-
- bzero(&aip->a_addr, sizeof(aip->a_addr));
- bzero(&hints, sizeof(hints));
- hints.ai_family = AF_UNSPEC;
- hints.ai_flags = AI_NUMERICHOST;
- err = getaddrinfo(value, NULL, &hints, &res);
- if (err)
- errx(1, "%s", gai_strerror(err));
-
- memcpy(&aip->a_addr, res->ai_addr, res->ai_addrlen);
-
- freeaddrinfo(res);
- return (true);
-}
-
-static void
-sa_ntop(const struct sockaddr *sa, char *buf, int *port)
-{
- const struct sockaddr_in *sin;
- const struct sockaddr_in6 *sin6;
- int err;
-
- err = getnameinfo(sa, sa->sa_len, buf, INET6_ADDRSTRLEN, NULL,
- 0, NI_NUMERICHOST);
-
- if (sa->sa_family == AF_INET) {
- sin = (const struct sockaddr_in *)sa;
- if (port)
- *port = sin->sin_port;
- } else if (sa->sa_family == AF_INET6) {
- sin6 = (const struct sockaddr_in6 *)sa;
- if (port)
- *port = sin6->sin6_port;
- }
-
- if (err)
- errx(1, "%s", gai_strerror(err));
-}
-
-static void
-dump_peer(const nvlist_t *nvl_peer)
-{
- const void *key;
- const struct allowedip *aips;
- const struct sockaddr *endpoint;
- char outbuf[WG_MAX_STRLEN];
- char addr_buf[INET6_ADDRSTRLEN];
- size_t size;
- int count, port;
-
- printf("[Peer]\n");
- if (nvlist_exists_binary(nvl_peer, "public-key")) {
- key = nvlist_get_binary(nvl_peer, "public-key", &size);
- b64_ntop((const uint8_t *)key, size, outbuf, WG_MAX_STRLEN);
- printf("PublicKey = %s\n", outbuf);
- }
- if (nvlist_exists_binary(nvl_peer, "endpoint")) {
- endpoint = nvlist_get_binary(nvl_peer, "endpoint", &size);
- sa_ntop(endpoint, addr_buf, &port);
- printf("Endpoint = %s:%d\n", addr_buf, ntohs(port));
- }
-
- if (!nvlist_exists_binary(nvl_peer, "allowed-ips"))
- return;
- aips = nvlist_get_binary(nvl_peer, "allowed-ips", &size);
- if (size == 0 || size % sizeof(struct allowedip) != 0) {
- errx(1, "size %zu not integer multiple of allowedip", size);
- }
- printf("AllowedIPs = ");
- count = size / sizeof(struct allowedip);
- for (int i = 0; i < count; i++) {
- int mask;
- sa_family_t family;
- void *bitmask;
- struct sockaddr *sa;
-
- sa = __DECONST(void *, &aips[i].a_addr);
- bitmask = __DECONST(void *,
- ((const struct sockaddr *)&(&aips[i])->a_mask)->sa_data);
- family = aips[i].a_addr.ss_family;
- getnameinfo(sa, sa->sa_len, addr_buf, INET6_ADDRSTRLEN, NULL,
- 0, NI_NUMERICHOST);
- if (family == AF_INET)
- mask = in_mask2len(bitmask);
- else if (family == AF_INET6)
- mask = in6_mask2len(bitmask, NULL);
- else
- errx(1, "bad family in peer %d\n", family);
- printf("%s/%d", addr_buf, mask);
- if (i < count -1)
- printf(", ");
- }
- printf("\n");
-}
-
-static int
-get_nvl_out_size(int sock, u_long op, size_t *size)
-{
- struct ifdrv ifd;
- int err;
-
- memset(&ifd, 0, sizeof(ifd));
-
- strlcpy(ifd.ifd_name, name, sizeof(ifd.ifd_name));
- ifd.ifd_cmd = op;
- ifd.ifd_len = 0;
- ifd.ifd_data = NULL;
-
- err = ioctl(sock, SIOCGDRVSPEC, &ifd);
- if (err)
- return (err);
- *size = ifd.ifd_len;
- return (0);
-}
-
-static int
-do_cmd(int sock, u_long op, void *arg, size_t argsize, int set)
-{
- struct ifdrv ifd;
-
- memset(&ifd, 0, sizeof(ifd));
-
- strlcpy(ifd.ifd_name, name, sizeof(ifd.ifd_name));
- ifd.ifd_cmd = op;
- ifd.ifd_len = argsize;
- ifd.ifd_data = arg;
-
- return (ioctl(sock, set ? SIOCSDRVSPEC : SIOCGDRVSPEC, &ifd));
-}
-
-static
-DECL_CMD_FUNC(peerlist, val, d)
-{
- size_t size, peercount;
- void *packed;
- const nvlist_t *nvl, *nvl_peer;
- const nvlist_t *const *nvl_peerlist;
-
- if (get_nvl_out_size(s, WGC_GET, &size))
- errx(1, "can't get peer list size");
- if ((packed = malloc(size)) == NULL)
- errx(1, "malloc failed for peer list");
- if (do_cmd(s, WGC_GET, packed, size, 0))
- errx(1, "failed to obtain peer list");
-
- nvl = nvlist_unpack(packed, size, 0);
- if (!nvlist_exists_nvlist_array(nvl, "peer-list"))
- return;
- nvl_peerlist = nvlist_get_nvlist_array(nvl, "peer-list", &peercount);
-
- for (int i = 0; i < peercount; i++, nvl_peerlist++) {
- nvl_peer = *nvl_peerlist;
- dump_peer(nvl_peer);
- }
-}
-
-static void
-peerfinish(int s, void *arg)
-{
- nvlist_t *nvl, **nvl_array;
- void *packed;
- size_t size;
-
- if ((nvl = nvlist_create(0)) == NULL)
- errx(1, "failed to allocate nvlist");
- if ((nvl_array = calloc(sizeof(void *), 1)) == NULL)
- errx(1, "failed to allocate nvl_array");
- if (!nvlist_exists_binary(nvl_params, "public-key"))
- errx(1, "must specify a public-key for adding peer");
- if (!nvlist_exists_binary(nvl_params, "endpoint"))
- errx(1, "must specify an endpoint for adding peer");
- if (allowed_ips_count == 0)
- errx(1, "must specify at least one range of allowed-ips to add a peer");
-
- nvl_array[0] = nvl_params;
- nvlist_add_nvlist_array(nvl, "peer-list", (const nvlist_t * const *)nvl_array, 1);
- packed = nvlist_pack(nvl, &size);
-
- if (do_cmd(s, WGC_SET, packed, size, true))
- errx(1, "failed to install peer");
-}
-
-static
-DECL_CMD_FUNC(peerstart, val, d)
-{
- do_peer = true;
- callback_register(peerfinish, NULL);
- allowed_ips = malloc(ALLOWEDIPS_START * sizeof(struct allowedip));
- allowed_ips_max = ALLOWEDIPS_START;
- if (allowed_ips == NULL)
- errx(1, "failed to allocate array for allowedips");
-}
-
-static
-DECL_CMD_FUNC(setwglistenport, val, d)
-{
- struct addrinfo hints, *res;
- const struct sockaddr_in *sin;
- const struct sockaddr_in6 *sin6;
-
- u_long ul;
- int err;
-
- bzero(&hints, sizeof(hints));
- hints.ai_family = AF_UNSPEC;
- hints.ai_flags = AI_NUMERICHOST;
- err = getaddrinfo(NULL, val, &hints, &res);
- if (err)
- errx(1, "%s", gai_strerror(err));
-
- if (res->ai_family == AF_INET) {
- sin = (struct sockaddr_in *)res->ai_addr;
- ul = sin->sin_port;
- } else if (res->ai_family == AF_INET6) {
- sin6 = (struct sockaddr_in6 *)res->ai_addr;
- ul = sin6->sin6_port;
- } else {
- errx(1, "unknown family");
- }
- ul = ntohs((u_short)ul);
- nvlist_add_number(nvl_params, "listen-port", ul);
-}
-
-static
-DECL_CMD_FUNC(setwgprivkey, val, d)
-{
- uint8_t key[WG_KEY_LEN];
-
- if (!key_from_base64(key, val))
- errx(1, "invalid key %s", val);
- nvlist_add_binary(nvl_params, "private-key", key, WG_KEY_LEN);
-}
-
-static
-DECL_CMD_FUNC(setwgpubkey, val, d)
-{
- uint8_t key[WG_KEY_LEN];
-
- if (!do_peer)
- errx(1, "setting public key only valid when adding peer");
-
- if (!key_from_base64(key, val))
- errx(1, "invalid key %s", val);
- nvlist_add_binary(nvl_params, "public-key", key, WG_KEY_LEN);
-}
-
-static
-DECL_CMD_FUNC(setallowedips, val, d)
-{
- char *base, *allowedip, *mask;
- u_long ul;
- char *endp;
- struct allowedip *aip;
-
- if (!do_peer)
- errx(1, "setting allowed ip only valid when adding peer");
- if (allowed_ips_count == allowed_ips_max) {
- /* XXX grow array */
- }
- aip = &allowed_ips[allowed_ips_count];
- base = allowedip = strdup(val);
- mask = index(allowedip, '/');
- if (mask == NULL)
- errx(1, "mask separator not found in allowedip %s", val);
- *mask = '\0';
- mask++;
- parse_ip(aip, allowedip);
- ul = strtoul(mask, &endp, 0);
- if (*endp != '\0')
- errx(1, "invalid value for allowedip mask");
- bzero(&aip->a_mask, sizeof(aip->a_mask));
- if (aip->a_addr.ss_family == AF_INET)
- in_len2mask((struct in_addr *)&((struct sockaddr *)&aip->a_mask)->sa_data, ul);
- else if (aip->a_addr.ss_family == AF_INET6)
- in6_prefixlen2mask((struct in6_addr *)&((struct sockaddr *)&aip->a_mask)->sa_data, ul);
- else
- errx(1, "invalid address family %d\n", aip->a_addr.ss_family);
- allowed_ips_count++;
- if (allowed_ips_count > 1)
- nvlist_free_binary(nvl_params, "allowed-ips");
- nvlist_add_binary(nvl_params, "allowed-ips", allowed_ips,
- allowed_ips_count*sizeof(*aip));
-
- dump_peer(nvl_params);
- free(base);
-}
-
-static
-DECL_CMD_FUNC(setendpoint, val, d)
-{
- if (!do_peer)
- errx(1, "setting endpoint only valid when adding peer");
- parse_endpoint(val);
-}
-
-static void
-wireguard_status(int s)
-{
- size_t size;
- void *packed;
- nvlist_t *nvl;
- char buf[WG_KEY_LEN_BASE64];
- const void *key;
- uint16_t listen_port;
-
- if (get_nvl_out_size(s, WGC_GET, &size))
- return;
- if ((packed = malloc(size)) == NULL)
- return;
- if (do_cmd(s, WGC_GET, packed, size, 0))
- return;
- nvl = nvlist_unpack(packed, size, 0);
- if (nvlist_exists_number(nvl, "listen-port")) {
- listen_port = nvlist_get_number(nvl, "listen-port");
- printf("\tlisten-port: %d\n", listen_port);
- }
- if (nvlist_exists_binary(nvl, "private-key")) {
- key = nvlist_get_binary(nvl, "private-key", &size);
- b64_ntop((const uint8_t *)key, size, buf, WG_MAX_STRLEN);
- printf("\tprivate-key: %s\n", buf);
- }
- if (nvlist_exists_binary(nvl, "public-key")) {
- key = nvlist_get_binary(nvl, "public-key", &size);
- b64_ntop((const uint8_t *)key, size, buf, WG_MAX_STRLEN);
- printf("\tpublic-key: %s\n", buf);
- }
-}
-
-static struct cmd wireguard_cmds[] = {
- DEF_CLONE_CMD_ARG("listen-port", setwglistenport),
- DEF_CLONE_CMD_ARG("private-key", setwgprivkey),
- DEF_CMD("peer-list", 0, peerlist),
- DEF_CMD("peer", 0, peerstart),
- DEF_CMD_ARG("public-key", setwgpubkey),
- DEF_CMD_ARG("allowed-ips", setallowedips),
- DEF_CMD_ARG("endpoint", setendpoint),
-};
-
-static struct afswtch af_wireguard = {
- .af_name = "af_wireguard",
- .af_af = AF_UNSPEC,
- .af_other_status = wireguard_status,
-};
-
-static void
-wg_create(int s, struct ifreq *ifr)
-{
- struct iovec iov;
- void *packed;
- size_t size;
-
- setproctitle("ifconfig %s create ...\n", name);
- if (!nvlist_exists_number(nvl_params, "listen-port"))
- goto legacy;
- if (!nvlist_exists_binary(nvl_params, "private-key"))
- goto legacy;
-
- packed = nvlist_pack(nvl_params, &size);
- if (packed == NULL)
- errx(1, "failed to setup create request");
- iov.iov_len = size;
- iov.iov_base = packed;
- ifr->ifr_data = (caddr_t)&iov;
- if (ioctl(s, SIOCIFCREATE2, ifr) < 0)
- err(1, "SIOCIFCREATE2");
- return;
-legacy:
- ifr->ifr_data == NULL;
- if (ioctl(s, SIOCIFCREATE, ifr) < 0)
- err(1, "SIOCIFCREATE");
-}
-
-static __constructor void
-wireguard_ctor(void)
-{
- int i;
-
- nvl_params = nvlist_create(0);
- for (i = 0; i < nitems(wireguard_cmds); i++)
- cmd_register(&wireguard_cmds[i]);
- af_register(&af_wireguard);
- clone_setdefcallback_prefix("wg", wg_create);
-}
-
-#endif
diff --git a/share/man/man4/Makefile b/share/man/man4/Makefile
index 5ccb42181482..f3896d6516be 100644
--- a/share/man/man4/Makefile
+++ b/share/man/man4/Makefile
@@ -584,7 +584,6 @@ MAN= aac.4 \
vtnet.4 \
watchdog.4 \
${_wbwd.4} \
- wg.4 \
witness.4 \
wlan.4 \
wlan_acl.4 \
diff --git a/share/man/man4/wg.4 b/share/man/man4/wg.4
deleted file mode 100644
index 760584e3a386..000000000000
--- a/share/man/man4/wg.4
+++ /dev/null
@@ -1,255 +0,0 @@
-.\" Copyright (c) 2020 Gordon Bergling <gbe at FreeBSD.org>
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in the
-.\" documentation and/or other materials provided with the distribution.
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
-.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
-.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-.\" SUCH DAMAGE.
-.\"
-.\" $FreeBSD$
-.\"
-.Dd March 7, 2021
-.Dt WG 4
-.Os
-.Sh NAME
-.Nm wg
-.Nd "WireGuard - pseudo-device"
-.Sh SYNOPSIS
-To load the driver as a module at boot time, place the following line in
-.Xr loader.conf 5 :
-.Bd -literal -offset indent
-if_wg_load="YES"
-.Ed
-.Sh DESCRIPTION
-The
-.Nm
-driver provides Virtual Private Network (VPN) interfaces for the secure
-exchange of layer 3 traffic with other WireGuard peers using the WireGuard
-protocol.
-.Pp
-A
-.Nm
-interface recognises one or more peers, establishes a secure tunnel with
-each on demand, and tracks each peer's UDP endpoint for exchanging encrypted
-traffic with.
-.Pp
-The interfaces can be created at runtime using the
-.Ic ifconfig Cm wg Ns Ar N Cm create
-command.
-The interface itself can be configured with
-.Xr ifconfig 8 .
-.Pp
-The following parameters are available:
-.Bl -tag -width indent
-.It Cm listen-port
-The listing port of the
-.Nm
-interface.
-.It Cm public-key
-The public key of the
-.Nm
-interface.
-.It Cm private-key
-The private key of the
-.Nm
-interface.
-.It Cm pre-shared-key
-Defines a pre-shared key for the
-.Nm
-interface.
-.It Cm allowed-ips
-A list of allowed IP addresses.
-.It Cm endpoint
-The IP address of the WiredGuard to connect to.
-.It Cm peer-list
-A list of peering IP addresses to connect to.
-.El
-.Pp
-The
-.Nm
-interfaces support the following
-.Xr ioctl 2 Ns s :
-.Bl -tag -width Ds -offset indent
-.It Dv SIOCSWG Fa "struct wg_device_io *"
-Set the device configuration.
-.It Dv SIOCGWG Fa "struct wg_device_io *"
-Get the device configuration.
-.El
-.Pp
-The following glossary provides a brief overview of WireGuard
-terminology:
-.Bl -tag -width indent -offset 3n
-.It Peer
-Peers exchange IPv4 or IPv6 traffic over secure tunnels.
-Each
-.Nm
-interface may be configured to recognise one or more peers.
-.It Key
-Each peer uses its private key and corresponding public key to
-identify itself to others.
-A peer configures a
-.Nm
-interface with its own private key and with the public keys of its peers.
-.It Pre-shared key
-In addition to the public keys, each peer pair may be configured with a
-unique pre-shared symmetric key.
-This is used in their handshake to guard against future compromise of the
-peers' encrypted tunnel if a quantum-computational attack on their
-Diffie-Hellman exchange becomes feasible.
-It is optional, but recommended.
-.It Allowed IPs
-A single
-.Nm
-interface may maintain concurrent tunnels connecting diverse networks.
-The interface therefore implements rudimentary routing and reverse-path
-filtering functions for its tunneled traffic.
-These functions reference a set of allowed IP ranges configured against
-each peer.
-.Pp
-The interface will route outbound tunneled traffic to the peer configured
-with the most specific matching allowed IP address range, or drop it
-if no such match exists.
-.Pp
-The interface will accept tunneled traffic only from the peer
-configured with the most specific matching allowed IP address range
-for the incoming traffic, or drop it if no such match exists.
-That is, tunneled traffic routed to a given peer cannot return through
-another peer of the same
-.Nm
-interface.
-This ensures that peers cannot spoof another's traffic.
-.It Handshake
-Two peers handshake to mutually authenticate each other and to
-establish a shared series of secret ephemeral encryption keys.
-Any peer may initiate a handshake.
-Handshakes occur only when there is traffic to send, and recur every
-two minutes during transfers.
-.It Connectionless
-Due to the handshake behavior, there is no connected or disconnected
-state.
-.El
-.Ss Keys
-Private keys for WireGuard can be generated from any sufficiently
-secure random source.
-The Curve25519 keys and the pre-shared keys are both 32 bytes
-long and are commonly encoded in base64 for ease of use.
-.Pp
-Keys can be generated with
-.Xr openssl 1
-as follows:
-.Pp
-.Dl $ openssl rand -base64 32
-.Pp
-Although a valid Curve25519 key must have 5 bits set to
-specific values, this is done by the interface and so it
-will accept any random 32-byte base64 string.
-.Pp
-When an interface has a private key set with
-.Nm public-key ,
-the corresponding
-public key is shown in the status output of the interface:
-.Bd -literal -offset indent
-# ifconfig wg0 | grep public-key
- public-key: 7lWtsDdqaGB3EY9WNxRN3hVaHMtu1zXw71+bOjNOVUw=
-.Ed
-.Sh EXAMPLES
-Create a
-.Nm
-interface and set random private key.
-.Bd -literal -offset indent
-# ifconfig wg0 create listen-port 54321 private-key `openssl rand -base64 32`
-.Ed
-.Pp
-Retrieve the associated public key from a
-.Nm
-interface.
-.Bd -literal -offset indent
-$ ifconfig wg0 | awk '/public-key/ { print $2 }'`
-.Ed
-.Pp
-Connect to a specific endpoint using its public-key and set the allowed IP address
-.Bd -literal -offset indent
-# ifconfig wg0 peer public-key '7lWtsDdqaGB3EY9WNxRN3hVaHMtu1zXw71+bOjNOVUw=' endpoint 10.0.1.100:54321 allowed-ips 192.168.2.100/32
-.Ed
-.Sh DIAGNOSTICS
-The
-.Nm
-interface supports runtime debugging, which can be enabled with:
-.Pp
-.D1 Ic ifconfig Cm wg Ns Ar N Cm debug
-.Pp
-Some common error messages include:
-.Bl -diag
-.It "Handshake for peer X did not complete after 5 seconds, retrying"
-Peer X did not reply to our initiation packet, for example because:
-.Bl -bullet
-.It
-The peer does not have the local interface configured as a peer.
-Peers must be able to mutually authenticate each other.
-.It
-The peer endpoint IP address is incorrectly configured.
-.It
-There are firewall rules preventing communication between hosts.
-.El
-.It "Invalid handshake initiation"
-The incoming handshake packet could not be processed.
-This is likely due to the local interface not containing
-the correct public key for the peer.
-.It "Invalid initiation MAC"
-The incoming handshake initiation packet had an invalid MAC.
-This is likely because the initiation sender has the wrong public key
-for the handshake receiver.
-.It "Packet has unallowed src IP from peer X"
-After decryption, an incoming data packet has a source IP address that
-is not assigned to the allowed IPs of Peer X.
-.El
-.Sh SEE ALSO
-.Xr inet 4 ,
-.Xr ip 4 ,
-.Xr netintro 4 ,
-.Xr ipf 5 ,
-.Xr pf.conf 5 ,
-.Xr ifconfig 8 ,
-.Xr ipfw 8
-.Rs
-.%T WireGuard whitepaper
-.%U https://www.wireguard.com/papers/wireguard.pdf
-.Re
-.Sh HISTORY
-The
-.Nm
-device driver first appeared in
-.Fx 13.0 .
-.Sh AUTHORS
-The
-.Nm
-device driver was originally written for
-.Ox
-by
-.An Matt Dunwoodie Aq Mt ncon at nconroy.net
-and ported to
-.Fx
-by
-.An Matt Macy Aq Mt mmacy at FreeBSD.org .
-.Pp
-This manual page was written by
-.An Gordon Bergling Aq Mt gbe at FreeBSD.org
-and is based on the
-.Ox
*** 45006 LINES SKIPPED ***
More information about the dev-commits-src-all
mailing list