
  1. // SPDX-License-Identifier: GPL-2.0
  2. /*
  3. * Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.
  4. */
  5. #include "netlink.h"
  6. #include "device.h"
  7. #include "peer.h"
  8. #include "socket.h"
  9. #include "queueing.h"
  10. #include "messages.h"
  11. #include "generated/netlink.h"
  12. #include <uapi/linux/wireguard.h>
  13. #include <linux/if.h>
  14. #include <net/genetlink.h>
  15. #include <net/sock.h>
  16. #include <crypto/utils.h>
/* Forward declaration: the family itself is defined at the bottom of this
 * file (after the ops it references), but wg_get_device_dumpit() needs its
 * address for genlmsg_put() before that point.
 */
static struct genl_family genl_family;
/* Resolve the WireGuard device addressed by a request.
 *
 * Exactly one of WGDEVICE_A_IFINDEX or WGDEVICE_A_IFNAME must be present.
 * On success the returned wg_device is backed by a net_device reference
 * (dev_get_by_*) that the caller must release with dev_put(wg->dev).
 *
 * Returns ERR_PTR(-EBADR) for zero or two selectors, ERR_PTR(-ENODEV) when no
 * such interface exists in the caller's netns, and ERR_PTR(-EOPNOTSUPP) when
 * the interface is not a WireGuard one.
 */
static struct wg_device *lookup_interface(struct nlattr **attrs,
					  struct sk_buff *skb)
{
	const bool by_index = !!attrs[WGDEVICE_A_IFINDEX];
	const bool by_name = !!attrs[WGDEVICE_A_IFNAME];
	struct net_device *dev;

	/* Both or neither selector present is a malformed request. */
	if (by_index == by_name)
		return ERR_PTR(-EBADR);

	/* NOTE(review): the IFNAME attribute is used as a C string here;
	 * this relies on the attribute policy guaranteeing NUL termination —
	 * not verified in this file.
	 */
	dev = by_index ?
		dev_get_by_index(sock_net(skb->sk),
				 nla_get_u32(attrs[WGDEVICE_A_IFINDEX])) :
		dev_get_by_name(sock_net(skb->sk),
				nla_data(attrs[WGDEVICE_A_IFNAME]));
	if (!dev)
		return ERR_PTR(-ENODEV);

	/* Only accept interfaces created by this module; otherwise
	 * netdev_priv() would not be a wg_device.
	 */
	if (!dev->rtnl_link_ops || !dev->rtnl_link_ops->kind ||
	    strcmp(dev->rtnl_link_ops->kind, KBUILD_MODNAME)) {
		dev_put(dev);
		return ERR_PTR(-EOPNOTSUPP);
	}

	return netdev_priv(dev);
}
/* Emit one allowedip as an anonymous nested attribute: CIDR mask, address
 * family, and the raw address bytes (sizeof(struct in6_addr) for AF_INET6,
 * sizeof(struct in_addr) otherwise).
 *
 * Returns 0 on success or -EMSGSIZE when the message is full, in which case
 * the partially written nest is cancelled so the caller's message stays
 * well-formed.
 */
static int get_allowedips(struct sk_buff *skb, const u8 *ip, u8 cidr,
			  int family)
{
	const int addr_len = family == AF_INET6 ? sizeof(struct in6_addr) :
						  sizeof(struct in_addr);
	struct nlattr *nest = nla_nest_start(skb, 0);

	if (!nest)
		return -EMSGSIZE;

	if (nla_put_u8(skb, WGALLOWEDIP_A_CIDR_MASK, cidr))
		goto cancel;
	if (nla_put_u16(skb, WGALLOWEDIP_A_FAMILY, family))
		goto cancel;
	if (nla_put(skb, WGALLOWEDIP_A_IPADDR, addr_len, ip))
		goto cancel;

	nla_nest_end(skb, nest);
	return 0;

cancel:
	nla_nest_cancel(skb, nest);
	return -EMSGSIZE;
}
/* Per-dump cursor, overlaid on netlink_callback::args via DUMP_CTX().
 * It carries the resume point between successive wg_get_device_dumpit()
 * calls of one WG_CMD_GET_DEVICE dump.
 */
struct dump_ctx {
	/* Device being dumped; backed by the net_device reference taken in
	 * lookup_interface() and released in wg_get_device_done().
	 */
	struct wg_device *wg;
	/* Last fully emitted peer (holds a peer reference), or NULL at the
	 * start and end of the dump.
	 */
	struct wg_peer *next_peer;
	/* Snapshot of wg->peer_allowedips.seq taken when a peer's allowedips
	 * walk began; 0 when no walk is in progress.
	 */
	u64 allowedips_seq;
	/* Allowedips node at which to resume the current peer, or NULL when
	 * the peer's scalar attributes still need to be emitted.
	 */
	struct allowedips_node *next_allowedip;
};

/* Sole accessor for the cursor; assumes struct dump_ctx fits in cb->args. */
#define DUMP_CTX(cb) ((struct dump_ctx *)(cb)->args)
/*
 * get_peer - Serialize one peer as an anonymous nest inside WGDEVICE_A_PEERS.
 * @peer: peer to serialize.
 * @skb: dump message being filled.
 * @ctx: dump cursor; a non-NULL ctx->next_allowedip means this peer's scalar
 *       attributes were already sent in an earlier message and only the
 *       remaining allowedips, starting at that node, are to be written.
 *
 * Returns 0 when everything for this peer fit, or -EMSGSIZE when the message
 * is full. If the allowedips list was only partially written, the open nests
 * are closed (not cancelled) so the partial peer is kept, and
 * ctx->next_allowedip records where to resume; on any other failure the whole
 * peer nest is cancelled.
 */
static int
get_peer(struct wg_peer *peer, struct sk_buff *skb, struct dump_ctx *ctx)
{
	struct nlattr *allowedips_nest, *peer_nest = nla_nest_start(skb, 0);
	struct allowedips_node *allowedips_node = ctx->next_allowedip;
	bool fail;

	if (!peer_nest)
		return -EMSGSIZE;

	/* The public key is written on every message for this peer, including
	 * resumed ones, since it precedes the next_allowedip check below.
	 */
	down_read(&peer->handshake.lock);
	fail = nla_put(skb, WGPEER_A_PUBLIC_KEY, NOISE_PUBLIC_KEY_LEN,
		       peer->handshake.remote_static);
	up_read(&peer->handshake.lock);
	if (fail)
		goto err;

	if (!allowedips_node) {
		/* First message for this peer: emit the scalar attributes. */
		const struct __kernel_timespec last_handshake = {
			.tv_sec = peer->walltime_last_handshake.tv_sec,
			.tv_nsec = peer->walltime_last_handshake.tv_nsec
		};

		down_read(&peer->handshake.lock);
		fail = nla_put(skb, WGPEER_A_PRESHARED_KEY,
			       NOISE_SYMMETRIC_KEY_LEN,
			       peer->handshake.preshared_key);
		up_read(&peer->handshake.lock);
		if (fail)
			goto err;

		if (nla_put(skb, WGPEER_A_LAST_HANDSHAKE_TIME,
			    sizeof(last_handshake), &last_handshake) ||
		    nla_put_u16(skb, WGPEER_A_PERSISTENT_KEEPALIVE_INTERVAL,
				peer->persistent_keepalive_interval) ||
		    nla_put_u64_64bit(skb, WGPEER_A_TX_BYTES, peer->tx_bytes,
				      WGPEER_A_UNSPEC) ||
		    nla_put_u64_64bit(skb, WGPEER_A_RX_BYTES, peer->rx_bytes,
				      WGPEER_A_UNSPEC) ||
		    nla_put_u32(skb, WGPEER_A_PROTOCOL_VERSION, 1))
			goto err;

		/* Snapshot the endpoint under its lock. A family that is
		 * neither AF_INET nor AF_INET6 emits no endpoint attribute and
		 * leaves fail at the false it holds after the preshared-key put.
		 */
		read_lock_bh(&peer->endpoint_lock);
		if (peer->endpoint.addr.sa_family == AF_INET)
			fail = nla_put(skb, WGPEER_A_ENDPOINT,
				       sizeof(peer->endpoint.addr4),
				       &peer->endpoint.addr4);
		else if (peer->endpoint.addr.sa_family == AF_INET6)
			fail = nla_put(skb, WGPEER_A_ENDPOINT,
				       sizeof(peer->endpoint.addr6),
				       &peer->endpoint.addr6);
		read_unlock_bh(&peer->endpoint_lock);
		if (fail)
			goto err;

		allowedips_node =
			list_first_entry_or_null(&peer->allowedips_list,
						 struct allowedips_node, peer_list);
	}
	if (!allowedips_node)
		goto no_allowedips;

	/* Start an allowedips walk by recording the table generation, or, if
	 * resuming, bail out of the walk when the generation has changed so
	 * that a list modified mid-dump is not partially reported.
	 */
	if (!ctx->allowedips_seq)
		ctx->allowedips_seq = ctx->wg->peer_allowedips.seq;
	else if (ctx->allowedips_seq != ctx->wg->peer_allowedips.seq)
		goto no_allowedips;

	allowedips_nest = nla_nest_start(skb, WGPEER_A_ALLOWEDIPS);
	if (!allowedips_nest)
		goto err;
	list_for_each_entry_from(allowedips_node, &peer->allowedips_list,
				 peer_list) {
		u8 cidr, ip[16] __aligned(__alignof(u64));
		int family;

		family = wg_allowedips_read_node(allowedips_node, ip, &cidr);
		if (get_allowedips(skb, ip, cidr, family)) {
			/* Out of room: keep what was written and remember
			 * this node so the next message continues here.
			 */
			nla_nest_end(skb, allowedips_nest);
			nla_nest_end(skb, peer_nest);
			ctx->next_allowedip = allowedips_node;
			return -EMSGSIZE;
		}
	}
	nla_nest_end(skb, allowedips_nest);
no_allowedips:
	nla_nest_end(skb, peer_nest);
	/* Peer complete: clear the per-peer resume state. */
	ctx->next_allowedip = NULL;
	ctx->allowedips_seq = 0;
	return 0;
err:
	nla_nest_cancel(skb, peer_nest);
	return -EMSGSIZE;
}
/* Dump start callback: resolve the requested interface and store it in the
 * dump cursor. The net_device reference taken by lookup_interface() is kept
 * for the lifetime of the dump and dropped in wg_get_device_done().
 *
 * Returns 0, or the negative errno from lookup_interface().
 */
int wg_get_device_start(struct netlink_callback *cb)
{
	struct wg_device *wg = lookup_interface(genl_info_dump(cb)->attrs,
						cb->skb);

	if (IS_ERR(wg))
		return PTR_ERR(wg);

	DUMP_CTX(cb)->wg = wg;
	return 0;
}
/*
 * wg_get_device_dumpit - Fill one message of a WG_CMD_GET_DEVICE dump.
 * @skb: message buffer to fill.
 * @cb: netlink dump state whose args hold the struct dump_ctx cursor.
 *
 * The first message (ctx->next_peer == NULL) carries the device attributes —
 * listen port, fwmark, ifindex, name and, when an identity is set, the
 * private and public keys — followed by as many peers as fit. Later messages
 * resume after ctx->next_peer, which holds a peer reference across calls.
 *
 * Returns skb->len when more peers remain, 0 when the dump is complete, or a
 * negative errno (-EMSGSIZE) when the header or device attributes did not fit.
 */
int wg_get_device_dumpit(struct sk_buff *skb, struct netlink_callback *cb)
{
	struct wg_peer *peer, *next_peer_cursor;
	struct dump_ctx *ctx = DUMP_CTX(cb);
	struct wg_device *wg = ctx->wg;
	struct nlattr *peers_nest;
	int ret = -EMSGSIZE;
	bool done = true;
	void *hdr;

	/* Hold both locks so neither the device configuration nor the peer
	 * list can change while this message is built.
	 */
	rtnl_lock();
	mutex_lock(&wg->device_update_lock);
	/* device_update_gen is incremented by wg_set_device_doit(); exposing
	 * it as cb->seq lets genl_dump_check_consistent() tell userspace when
	 * a dump straddled a configuration change.
	 */
	cb->seq = wg->device_update_gen;
	next_peer_cursor = ctx->next_peer;

	hdr = genlmsg_put(skb, NETLINK_CB(cb->skb).portid, cb->nlh->nlmsg_seq,
			  &genl_family, NLM_F_MULTI, WG_CMD_GET_DEVICE);
	if (!hdr)
		goto out;
	genl_dump_check_consistent(cb, hdr);

	if (!ctx->next_peer) {
		/* First message of the dump: emit the device attributes. */
		if (nla_put_u16(skb, WGDEVICE_A_LISTEN_PORT,
				wg->incoming_port) ||
		    nla_put_u32(skb, WGDEVICE_A_FWMARK, wg->fwmark) ||
		    nla_put_u32(skb, WGDEVICE_A_IFINDEX, wg->dev->ifindex) ||
		    nla_put_string(skb, WGDEVICE_A_IFNAME, wg->dev->name))
			goto out;

		/* The private key is copied into the message buffer here; see
		 * the note at the end of this function about not being able
		 * to scrub it afterwards.
		 */
		down_read(&wg->static_identity.lock);
		if (wg->static_identity.has_identity) {
			if (nla_put(skb, WGDEVICE_A_PRIVATE_KEY,
				    NOISE_PUBLIC_KEY_LEN,
				    wg->static_identity.static_private) ||
			    nla_put(skb, WGDEVICE_A_PUBLIC_KEY,
				    NOISE_PUBLIC_KEY_LEN,
				    wg->static_identity.static_public)) {
				up_read(&wg->static_identity.lock);
				goto out;
			}
		}
		up_read(&wg->static_identity.lock);
	}

	peers_nest = nla_nest_start(skb, WGDEVICE_A_PEERS);
	if (!peers_nest)
		goto out;
	/* From here on, running out of room yields a partial but valid
	 * message to be continued, rather than an error.
	 */
	ret = 0;
	lockdep_assert_held(&wg->device_update_lock);
	/* If the last cursor was removed in peer_remove or peer_remove_all, then
	 * we just treat this the same as there being no more peers left. The
	 * reason is that seq_nr should indicate to userspace that this isn't a
	 * coherent dump anyway, so they'll try again.
	 */
	if (list_empty(&wg->peer_list) ||
	    (ctx->next_peer && ctx->next_peer->is_dead)) {
		nla_nest_cancel(skb, peers_nest);
		goto out;
	}
	/* Continue after the cursor, or from the head when there is none. */
	peer = list_prepare_entry(ctx->next_peer, &wg->peer_list, peer_list);
	list_for_each_entry_continue(peer, &wg->peer_list, peer_list) {
		if (get_peer(peer, skb, ctx)) {
			/* Message full. The cursor stays at the last fully
			 * emitted peer, so the next message retries this one
			 * (get_peer() tracks any partial allowedips progress
			 * in ctx).
			 */
			done = false;
			break;
		}
		next_peer_cursor = peer;
	}
	nla_nest_end(skb, peers_nest);

out:
	/* Swap the cursor reference: take one on the peer to resume after and
	 * drop the one held for the previous cursor (NULL on the first call).
	 */
	if (!ret && !done && next_peer_cursor)
		wg_peer_get(next_peer_cursor);
	wg_peer_put(ctx->next_peer);
	mutex_unlock(&wg->device_update_lock);
	rtnl_unlock();

	if (ret) {
		genlmsg_cancel(skb, hdr);
		return ret;
	}
	genlmsg_end(skb, hdr);
	if (done) {
		ctx->next_peer = NULL;
		return 0;
	}
	ctx->next_peer = next_peer_cursor;
	return skb->len;

	/* At this point, we can't really deal ourselves with safely zeroing out
	 * the private key material after usage. This will need an additional API
	 * in the kernel for marking skbs as zero_on_free.
	 */
}
/* Dump done callback: release the device reference taken at dump start and
 * any peer reference still held by the cursor. Always returns 0.
 */
int wg_get_device_done(struct netlink_callback *cb)
{
	struct dump_ctx *cursor = DUMP_CTX(cb);
	struct wg_device *wg = cursor->wg;

	/* wg may still be unset if wg_get_device_start() failed. */
	if (wg)
		dev_put(wg->dev);
	wg_peer_put(cursor->next_peer);
	return 0;
}
/* Change the device's listening port.
 *
 * Every peer's cached source endpoint is cleared first so outgoing packets
 * are re-routed through the new socket. When the interface is down the port
 * is only recorded; when it is up the sockets are rebuilt via wg_socket_init().
 *
 * Returns 0, or the error from wg_socket_init().
 */
static int set_port(struct wg_device *wg, u16 port)
{
	struct wg_peer *cursor;

	/* Nothing to do when the port is unchanged. */
	if (port == wg->incoming_port)
		return 0;

	list_for_each_entry(cursor, &wg->peer_list, peer_list)
		wg_socket_clear_peer_endpoint_src(cursor);

	if (netif_running(wg->dev))
		return wg_socket_init(wg, port);

	wg->incoming_port = port;
	return 0;
}
/* Apply one WGALLOWEDIP nested attribute set to a peer.
 *
 * Family, address and CIDR mask are mandatory. The address length must match
 * the family exactly (struct in_addr / struct in6_addr) and the mask must be
 * at most 32 / 128 respectively; anything else is rejected with -EINVAL.
 * WGALLOWEDIP_F_REMOVE_ME in the optional flags selects removal instead of
 * insertion.
 *
 * Returns 0, -EINVAL, or the error from the allowedips insert/remove call.
 */
static int set_allowedip(struct wg_peer *peer, struct nlattr **attrs)
{
	const struct nlattr *ipaddr = attrs[WGALLOWEDIP_A_IPADDR];
	struct wg_device *wg;
	bool remove = false;
	const void *ip;
	u16 family;
	u8 cidr;

	if (!attrs[WGALLOWEDIP_A_FAMILY] || !ipaddr ||
	    !attrs[WGALLOWEDIP_A_CIDR_MASK])
		return -EINVAL;

	family = nla_get_u16(attrs[WGALLOWEDIP_A_FAMILY]);
	cidr = nla_get_u8(attrs[WGALLOWEDIP_A_CIDR_MASK]);
	if (attrs[WGALLOWEDIP_A_FLAGS])
		remove = nla_get_u32(attrs[WGALLOWEDIP_A_FLAGS]) &
			 WGALLOWEDIP_F_REMOVE_ME;

	wg = peer->device;
	ip = nla_data(ipaddr);

	if (family == AF_INET && cidr <= 32 &&
	    nla_len(ipaddr) == sizeof(struct in_addr)) {
		if (remove)
			return wg_allowedips_remove_v4(&wg->peer_allowedips, ip,
						       cidr, peer,
						       &wg->device_update_lock);
		return wg_allowedips_insert_v4(&wg->peer_allowedips, ip, cidr,
					       peer, &wg->device_update_lock);
	}

	if (family == AF_INET6 && cidr <= 128 &&
	    nla_len(ipaddr) == sizeof(struct in6_addr)) {
		if (remove)
			return wg_allowedips_remove_v6(&wg->peer_allowedips, ip,
						       cidr, peer,
						       &wg->device_update_lock);
		return wg_allowedips_insert_v6(&wg->peer_allowedips, ip, cidr,
					       peer, &wg->device_update_lock);
	}

	return -EINVAL;
}
/*
 * set_peer - Apply one WGPEER nested attribute set from WG_CMD_SET_DEVICE.
 * @wg: device the peer belongs to; the caller holds wg->device_update_lock.
 * @attrs: parsed WGPEER_A_* attributes.
 *
 * Looks the peer up by public key, creating it unless WGPEER_F_REMOVE_ME or
 * WGPEER_F_UPDATE_ONLY is set, then applies the preshared key, endpoint,
 * allowedips and persistent keepalive settings in that order.
 *
 * Returns 0 on success (which includes the silently ignored cases noted
 * below), -EINVAL for a missing or wrongly sized public key, -EPFNOSUPPORT
 * for a protocol version other than 1, or the error from peer creation or
 * allowedips parsing. The preshared key bytes in @attrs are scrubbed before
 * returning on every path.
 */
static int set_peer(struct wg_device *wg, struct nlattr **attrs)
{
	u8 *public_key = NULL, *preshared_key = NULL;
	struct wg_peer *peer = NULL;
	u32 flags = 0;
	int ret;

	/* The public key is mandatory and must be exactly NOISE_PUBLIC_KEY_LEN. */
	ret = -EINVAL;
	if (attrs[WGPEER_A_PUBLIC_KEY] &&
	    nla_len(attrs[WGPEER_A_PUBLIC_KEY]) == NOISE_PUBLIC_KEY_LEN)
		public_key = nla_data(attrs[WGPEER_A_PUBLIC_KEY]);
	else
		goto out;
	/* A preshared key of the wrong length is ignored rather than rejected. */
	if (attrs[WGPEER_A_PRESHARED_KEY] &&
	    nla_len(attrs[WGPEER_A_PRESHARED_KEY]) == NOISE_SYMMETRIC_KEY_LEN)
		preshared_key = nla_data(attrs[WGPEER_A_PRESHARED_KEY]);

	if (attrs[WGPEER_A_FLAGS])
		flags = nla_get_u32(attrs[WGPEER_A_FLAGS]);

	ret = -EPFNOSUPPORT;
	if (attrs[WGPEER_A_PROTOCOL_VERSION]) {
		if (nla_get_u32(attrs[WGPEER_A_PROTOCOL_VERSION]) != 1)
			goto out;
	}

	/* Lookup returns a referenced peer, released by wg_peer_put() at out. */
	peer = wg_pubkey_hashtable_lookup(wg->peer_hashtable,
					  nla_data(attrs[WGPEER_A_PUBLIC_KEY]));
	ret = 0;
	if (!peer) { /* Peer doesn't exist yet. Add a new one. */
		/* Removing or update-only on an unknown peer is not an error;
		 * ret is already 0 here.
		 */
		if (flags & (WGPEER_F_REMOVE_ME | WGPEER_F_UPDATE_ONLY))
			goto out;

		/* The peer is new, so there aren't allowed IPs to remove. */
		flags &= ~WGPEER_F_REPLACE_ALLOWEDIPS;

		down_read(&wg->static_identity.lock);
		if (wg->static_identity.has_identity &&
		    !memcmp(nla_data(attrs[WGPEER_A_PUBLIC_KEY]),
			    wg->static_identity.static_public,
			    NOISE_PUBLIC_KEY_LEN)) {
			/* We silently ignore peers that have the same public
			 * key as the device. The reason we do it silently is
			 * that we'd like for people to be able to reuse the
			 * same set of API calls across peers.
			 */
			up_read(&wg->static_identity.lock);
			ret = 0;
			goto out;
		}
		up_read(&wg->static_identity.lock);

		peer = wg_peer_create(wg, public_key, preshared_key);
		if (IS_ERR(peer)) {
			ret = PTR_ERR(peer);
			/* Clear so the wg_peer_put() at out sees NULL. */
			peer = NULL;
			goto out;
		}
		/* Take additional reference, as though we've just been
		 * looked up.
		 */
		wg_peer_get(peer);
	}

	if (flags & WGPEER_F_REMOVE_ME) {
		wg_peer_remove(peer);
		goto out;
	}

	if (preshared_key) {
		down_write(&peer->handshake.lock);
		memcpy(&peer->handshake.preshared_key, preshared_key,
		       NOISE_SYMMETRIC_KEY_LEN);
		up_write(&peer->handshake.lock);
	}

	if (attrs[WGPEER_A_ENDPOINT]) {
		struct sockaddr *addr = nla_data(attrs[WGPEER_A_ENDPOINT]);
		size_t len = nla_len(attrs[WGPEER_A_ENDPOINT]);
		struct endpoint endpoint = { { { 0 } } };

		/* The length is checked before sa_family is read, and the
		 * (length, family) pair must match a sockaddr_in or
		 * sockaddr_in6 exactly; anything else is silently ignored.
		 */
		if (len == sizeof(struct sockaddr_in) && addr->sa_family == AF_INET) {
			endpoint.addr4 = *(struct sockaddr_in *)addr;
			wg_socket_set_peer_endpoint(peer, &endpoint);
		} else if (len == sizeof(struct sockaddr_in6) && addr->sa_family == AF_INET6) {
			endpoint.addr6 = *(struct sockaddr_in6 *)addr;
			wg_socket_set_peer_endpoint(peer, &endpoint);
		}
	}

	/* Replacement clears the old set before the new one is parsed. */
	if (flags & WGPEER_F_REPLACE_ALLOWEDIPS)
		wg_allowedips_remove_by_peer(&wg->peer_allowedips, peer,
					     &wg->device_update_lock);

	if (attrs[WGPEER_A_ALLOWEDIPS]) {
		struct nlattr *attr, *allowedip[WGALLOWEDIP_A_MAX + 1];
		int rem;

		nla_for_each_nested(attr, attrs[WGPEER_A_ALLOWEDIPS], rem) {
			/* NOTE(review): no policy is passed here, so nested
			 * attribute types/lengths are presumably validated by
			 * the family's generated policy before this runs;
			 * set_allowedip() re-checks the address length itself.
			 * Confirm against generated/netlink.h.
			 */
			ret = nla_parse_nested(allowedip, WGALLOWEDIP_A_MAX,
					       attr, NULL, NULL);
			if (ret < 0)
				goto out;
			ret = set_allowedip(peer, allowedip);
			if (ret < 0)
				goto out;
		}
	}

	if (attrs[WGPEER_A_PERSISTENT_KEEPALIVE_INTERVAL]) {
		const u16 persistent_keepalive_interval = nla_get_u16(
				attrs[WGPEER_A_PERSISTENT_KEEPALIVE_INTERVAL]);
		/* Kick off a keepalive only when the interval goes from unset
		 * to set on a running interface.
		 */
		const bool send_keepalive =
			!peer->persistent_keepalive_interval &&
			persistent_keepalive_interval &&
			netif_running(wg->dev);

		peer->persistent_keepalive_interval = persistent_keepalive_interval;
		if (send_keepalive)
			wg_packet_send_keepalive(peer);
	}

	if (netif_running(wg->dev))
		wg_packet_send_staged_packets(peer);

out:
	/* peer is NULL on the early-exit paths, so wg_peer_put() must accept NULL. */
	wg_peer_put(peer);
	/* Scrub the caller-supplied preshared key from the request buffer so
	 * the secret does not linger in the skb after the command completes.
	 */
	if (attrs[WGPEER_A_PRESHARED_KEY])
		memzero_explicit(nla_data(attrs[WGPEER_A_PRESHARED_KEY]),
				 nla_len(attrs[WGPEER_A_PRESHARED_KEY]));
	return ret;
}
/*
 * wg_set_device_doit - Handle WG_CMD_SET_DEVICE.
 * @skb: request message.
 * @info: parsed request; info->attrs holds the WGDEVICE_A_* attributes.
 *
 * Under rtnl and the device update lock, applies in order: fwmark, listen
 * port, WGDEVICE_F_REPLACE_PEERS, the private key, and the nested peers.
 * Changing the listen port or fwmark additionally requires CAP_NET_ADMIN in
 * the user namespace of the netns the device was created in.
 *
 * Returns 0 on success, the error from lookup_interface(), -EPERM when the
 * capability check fails, or the first error from set_port(), peer parsing
 * or set_peer(). The private key bytes in the request are scrubbed before
 * returning on every path.
 */
int wg_set_device_doit(struct sk_buff *skb, struct genl_info *info)
{
	struct wg_device *wg = lookup_interface(info->attrs, skb);
	u32 flags = 0;
	int ret;

	if (IS_ERR(wg)) {
		ret = PTR_ERR(wg);
		goto out_nodev;
	}

	rtnl_lock();
	mutex_lock(&wg->device_update_lock);

	if (info->attrs[WGDEVICE_A_FLAGS])
		flags = nla_get_u32(info->attrs[WGDEVICE_A_FLAGS]);

	/* Port and fwmark changes are gated on CAP_NET_ADMIN relative to the
	 * creating netns, not the caller's current one; a device whose
	 * creating netns is gone is refused.
	 */
	if (info->attrs[WGDEVICE_A_LISTEN_PORT] || info->attrs[WGDEVICE_A_FWMARK]) {
		struct net *net;
		rcu_read_lock();
		net = rcu_dereference(wg->creating_net);
		ret = !net || !ns_capable(net->user_ns, CAP_NET_ADMIN) ? -EPERM : 0;
		rcu_read_unlock();
		if (ret)
			goto out;
	}

	/* Bumping the generation makes any in-flight GET_DEVICE dump report
	 * itself as inconsistent (see cb->seq in wg_get_device_dumpit()).
	 */
	++wg->device_update_gen;

	if (info->attrs[WGDEVICE_A_FWMARK]) {
		struct wg_peer *peer;

		wg->fwmark = nla_get_u32(info->attrs[WGDEVICE_A_FWMARK]);
		/* Cached source endpoints were chosen under the old mark. */
		list_for_each_entry(peer, &wg->peer_list, peer_list)
			wg_socket_clear_peer_endpoint_src(peer);
	}

	if (info->attrs[WGDEVICE_A_LISTEN_PORT]) {
		ret = set_port(wg,
			nla_get_u16(info->attrs[WGDEVICE_A_LISTEN_PORT]));
		if (ret)
			goto out;
	}

	if (flags & WGDEVICE_F_REPLACE_PEERS)
		wg_peer_remove_all(wg);

	/* A private key of the wrong length is silently ignored. */
	if (info->attrs[WGDEVICE_A_PRIVATE_KEY] &&
	    nla_len(info->attrs[WGDEVICE_A_PRIVATE_KEY]) ==
		    NOISE_PUBLIC_KEY_LEN) {
		u8 *private_key = nla_data(info->attrs[WGDEVICE_A_PRIVATE_KEY]);
		u8 public_key[NOISE_PUBLIC_KEY_LEN];
		struct wg_peer *peer, *temp;
		bool send_staged_packets;

		/* Constant-time compare: an unchanged key is a no-op and does
		 * not expire existing keypairs.
		 */
		if (!crypto_memneq(wg->static_identity.static_private,
				   private_key, NOISE_PUBLIC_KEY_LEN))
			goto skip_set_private_key;

		/* We remove before setting, to prevent race, which means doing
		 * two 25519-genpub ops.
		 */
		if (curve25519_generate_public(public_key, private_key)) {
			/* A peer configured with our own new public key is
			 * dropped, matching the same-key rejection in set_peer().
			 */
			peer = wg_pubkey_hashtable_lookup(wg->peer_hashtable,
							  public_key);
			if (peer) {
				wg_peer_put(peer);
				wg_peer_remove(peer);
			}
		}

		down_write(&wg->static_identity.lock);
		/* Staged packets are flushed only if this call gives a running
		 * device an identity it did not have before; the second
		 * assignment confirms the new key was actually accepted.
		 */
		send_staged_packets = !wg->static_identity.has_identity && netif_running(wg->dev);
		wg_noise_set_static_identity_private_key(&wg->static_identity, private_key);
		send_staged_packets = send_staged_packets && wg->static_identity.has_identity;

		wg_cookie_checker_precompute_device_keys(&wg->cookie_checker);
		/* Every peer's static-static DH depends on our key, and any
		 * session derived from the old key is no longer valid.
		 */
		list_for_each_entry_safe(peer, temp, &wg->peer_list, peer_list) {
			wg_noise_precompute_static_static(peer);
			wg_noise_expire_current_peer_keypairs(peer);
			if (send_staged_packets)
				wg_packet_send_staged_packets(peer);
		}
		up_write(&wg->static_identity.lock);
	}
skip_set_private_key:

	if (info->attrs[WGDEVICE_A_PEERS]) {
		struct nlattr *attr, *peer[WGPEER_A_MAX + 1];
		int rem;

		nla_for_each_nested(attr, info->attrs[WGDEVICE_A_PEERS], rem) {
			/* NOTE(review): no policy is passed here; the nested
			 * WGPEER_A_* attributes are presumably validated by the
			 * family's generated policy — confirm against
			 * generated/netlink.h.
			 */
			ret = nla_parse_nested(peer, WGPEER_A_MAX, attr,
					       NULL, NULL);
			if (ret < 0)
				goto out;
			ret = set_peer(wg, peer);
			if (ret < 0)
				goto out;
		}
	}
	ret = 0;

out:
	mutex_unlock(&wg->device_update_lock);
	rtnl_unlock();
	/* Balances the dev_get_by_* reference taken in lookup_interface(). */
	dev_put(wg->dev);
out_nodev:
	/* Scrub the caller-supplied private key from the request buffer, on
	 * error paths too, so the secret does not linger in the skb.
	 */
	if (info->attrs[WGDEVICE_A_PRIVATE_KEY])
		memzero_explicit(nla_data(info->attrs[WGDEVICE_A_PRIVATE_KEY]),
				 nla_len(info->attrs[WGDEVICE_A_PRIVATE_KEY]));
	return ret;
}
/* The generic netlink family registered by wg_genetlink_init(). The split
 * ops table is presumably provided by the generated header included above
 * (generated/netlink.h) — not verified here. netnsok allows the family to be
 * used from any network namespace; lookup_interface() resolves interfaces
 * against the requesting socket's netns.
 */
static struct genl_family genl_family __ro_after_init = {
	.split_ops = wireguard_nl_ops,
	.n_split_ops = ARRAY_SIZE(wireguard_nl_ops),
	.name = WG_GENL_NAME,
	.version = WG_GENL_VERSION,
	.module = THIS_MODULE,
	.netnsok = true
};
/* Register the WireGuard generic netlink family.
 *
 * The uapi key length must agree with both Noise key sizes, because the
 * attribute length checks in set_peer() and wg_set_device_doit() compare
 * incoming keys against the NOISE_* constants.
 *
 * Returns 0, or the error from genl_register_family().
 */
int __init wg_genetlink_init(void)
{
	BUILD_BUG_ON(WG_KEY_LEN != NOISE_PUBLIC_KEY_LEN ||
		     WG_KEY_LEN != NOISE_SYMMETRIC_KEY_LEN);

	return genl_register_family(&genl_family);
}
/* Unregister the family registered by wg_genetlink_init(). */
void __exit wg_genetlink_uninit(void)
{
	genl_unregister_family(&genl_family);
}