gitee.com/aurawing/surguard-go@v0.3.1-0.20240409071558-96509a61ecf3/device/peer.go (about) 1 /* SPDX-License-Identifier: MIT 2 * 3 * Copyright (C) 2017-2023 WireGuard LLC. All Rights Reserved. 4 */ 5 6 package device 7 8 import ( 9 "container/list" 10 "errors" 11 "sync" 12 "sync/atomic" 13 "time" 14 15 "gitee.com/aurawing/surguard-go/conn" 16 ) 17 18 type Peer struct { 19 isRunning atomic.Bool 20 keypairs Keypairs 21 handshake Handshake 22 device *Device 23 stopping sync.WaitGroup // routines pending stop 24 txBytes atomic.Uint64 // bytes send to peer (endpoint) 25 rxBytes atomic.Uint64 // bytes received from peer 26 lastHandshakeNano atomic.Int64 // nano seconds since epoch 27 28 endpoint struct { 29 sync.Mutex 30 val conn.Endpoint 31 clearSrcOnTx bool // signal to val.ClearSrc() prior to next packet transmission 32 disableRoaming bool 33 } 34 35 timers struct { 36 retransmitHandshake *Timer 37 sendKeepalive *Timer 38 newHandshake *Timer 39 zeroKeyMaterial *Timer 40 persistentKeepalive *Timer 41 handshakeAttempts atomic.Uint32 42 needAnotherKeepalive atomic.Bool 43 sentLastMinuteHandshake atomic.Bool 44 } 45 46 state struct { 47 sync.Mutex // protects against concurrent Start/Stop 48 } 49 50 queue struct { 51 staged chan *QueueOutboundElementsContainer // staged packets before a handshake is available 52 outbound *autodrainingOutboundQueue // sequential ordering of udp transmission 53 inbound *autodrainingInboundQueue // sequential ordering of tun writing 54 } 55 56 cookieGenerator CookieGenerator 57 trieEntries list.List 58 persistentKeepaliveInterval atomic.Uint32 59 } 60 61 func (device *Device) NewPeer(pk NoisePublicKey) (*Peer, error) { 62 if device.isClosed() { 63 return nil, errors.New("device closed") 64 } 65 66 // lock resources 67 device.staticIdentity.RLock() 68 defer device.staticIdentity.RUnlock() 69 70 device.peers.Lock() 71 defer device.peers.Unlock() 72 73 // check if over limit 74 if len(device.peers.keyMap) >= MaxPeers { 75 return nil, errors.New("too many peers") 76 } 77 78 // create peer 79 peer := new(Peer) 80 81 peer.cookieGenerator.Init(pk) 82 peer.device = device 83 peer.queue.outbound = newAutodrainingOutboundQueue(device) 84 peer.queue.inbound = newAutodrainingInboundQueue(device) 85 peer.queue.staged = make(chan *QueueOutboundElementsContainer, QueueStagedSize) 86 87 // map public key 88 _, ok := device.peers.keyMap[pk] 89 if ok { 90 return nil, errors.New("adding existing peer") 91 } 92 93 // pre-compute DH 94 handshake := &peer.handshake 95 handshake.mutex.Lock() 96 handshake.precomputedStaticStatic, _ = device.staticIdentity.privateKey.sharedSecret(pk) 97 handshake.remoteStatic = pk 98 handshake.mutex.Unlock() 99 100 // reset endpoint 101 peer.endpoint.Lock() 102 peer.endpoint.val = nil 103 peer.endpoint.disableRoaming = false 104 peer.endpoint.clearSrcOnTx = false 105 peer.endpoint.Unlock() 106 107 // init timers 108 peer.timersInit() 109 110 // add 111 device.peers.keyMap[pk] = peer 112 113 return peer, nil 114 } 115 116 func (peer *Peer) SendBuffers(buffers [][]byte) error { 117 peer.device.net.RLock() 118 defer peer.device.net.RUnlock() 119 120 if peer.device.isClosed() { 121 return nil 122 } 123 124 peer.endpoint.Lock() 125 endpoint := peer.endpoint.val 126 if endpoint == nil { 127 peer.endpoint.Unlock() 128 return errors.New("no known endpoint for peer") 129 } 130 if peer.endpoint.clearSrcOnTx { 131 endpoint.ClearSrc() 132 peer.endpoint.clearSrcOnTx = false 133 } 134 peer.endpoint.Unlock() 135 136 err := peer.device.net.bind.Send(buffers, endpoint) 137 if err == nil { 138 var totalLen uint64 139 for _, b := range buffers { 140 totalLen += uint64(len(b)) 141 } 142 peer.txBytes.Add(totalLen) 143 } 144 return err 145 } 146 147 func (peer *Peer) String() string { 148 // The awful goo that follows is identical to: 149 // 150 // base64Key := base64.StdEncoding.EncodeToString(peer.handshake.remoteStatic[:]) 151 // abbreviatedKey := base64Key[0:4] + "…" + base64Key[39:43] 152 // return fmt.Sprintf("peer(%s)", abbreviatedKey) 153 // 154 // except that it is considerably more efficient. 155 src := peer.handshake.remoteStatic 156 b64 := func(input byte) byte { 157 return input + 'A' + byte(((25-int(input))>>8)&6) - byte(((51-int(input))>>8)&75) - byte(((61-int(input))>>8)&15) + byte(((62-int(input))>>8)&3) 158 } 159 b := []byte("peer(____…____)") 160 const first = len("peer(") 161 const second = len("peer(____…") 162 b[first+0] = b64((src[0] >> 2) & 63) 163 b[first+1] = b64(((src[0] << 4) | (src[1] >> 4)) & 63) 164 b[first+2] = b64(((src[1] << 2) | (src[2] >> 6)) & 63) 165 b[first+3] = b64(src[2] & 63) 166 b[second+0] = b64(src[29] & 63) 167 b[second+1] = b64((src[30] >> 2) & 63) 168 b[second+2] = b64(((src[30] << 4) | (src[31] >> 4)) & 63) 169 b[second+3] = b64((src[31] << 2) & 63) 170 return string(b) 171 } 172 173 func (peer *Peer) Start() { 174 // should never start a peer on a closed device 175 if peer.device.isClosed() { 176 return 177 } 178 179 // prevent simultaneous start/stop operations 180 peer.state.Lock() 181 defer peer.state.Unlock() 182 183 if peer.isRunning.Load() { 184 return 185 } 186 187 device := peer.device 188 device.log.Verbosef("%v - Starting", peer) 189 190 // reset routine state 191 peer.stopping.Wait() 192 peer.stopping.Add(2) 193 194 peer.handshake.mutex.Lock() 195 peer.handshake.lastSentHandshake = time.Now().Add(-(RekeyTimeout + time.Second)) 196 peer.handshake.mutex.Unlock() 197 198 peer.device.queue.encryption.wg.Add(1) // keep encryption queue open for our writes 199 200 peer.timersStart() 201 202 device.flushInboundQueue(peer.queue.inbound) 203 device.flushOutboundQueue(peer.queue.outbound) 204 205 // Use the device batch size, not the bind batch size, as the device size is 206 // the size of the batch pools. 207 batchSize := peer.device.BatchSize() 208 go peer.RoutineSequentialSender(batchSize) 209 go peer.RoutineSequentialReceiver(batchSize) 210 211 peer.isRunning.Store(true) 212 } 213 214 func (peer *Peer) ZeroAndFlushAll() { 215 device := peer.device 216 217 // clear key pairs 218 219 keypairs := &peer.keypairs 220 keypairs.Lock() 221 device.DeleteKeypair(keypairs.previous) 222 device.DeleteKeypair(keypairs.current) 223 device.DeleteKeypair(keypairs.next.Load()) 224 keypairs.previous = nil 225 keypairs.current = nil 226 keypairs.next.Store(nil) 227 keypairs.Unlock() 228 229 // clear handshake state 230 231 handshake := &peer.handshake 232 handshake.mutex.Lock() 233 device.indexTable.Delete(handshake.localIndex) 234 handshake.Clear() 235 handshake.mutex.Unlock() 236 237 peer.FlushStagedPackets() 238 } 239 240 func (peer *Peer) ExpireCurrentKeypairs() { 241 handshake := &peer.handshake 242 handshake.mutex.Lock() 243 peer.device.indexTable.Delete(handshake.localIndex) 244 handshake.Clear() 245 peer.handshake.lastSentHandshake = time.Now().Add(-(RekeyTimeout + time.Second)) 246 handshake.mutex.Unlock() 247 248 keypairs := &peer.keypairs 249 keypairs.Lock() 250 if keypairs.current != nil { 251 keypairs.current.sendNonce.Store(RejectAfterMessages) 252 } 253 if next := keypairs.next.Load(); next != nil { 254 next.sendNonce.Store(RejectAfterMessages) 255 } 256 keypairs.Unlock() 257 } 258 259 func (peer *Peer) Stop() { 260 peer.state.Lock() 261 defer peer.state.Unlock() 262 263 if !peer.isRunning.Swap(false) { 264 return 265 } 266 267 peer.device.log.Verbosef("%v - Stopping", peer) 268 269 peer.timersStop() 270 // Signal that RoutineSequentialSender and RoutineSequentialReceiver should exit. 271 peer.queue.inbound.c <- nil 272 peer.queue.outbound.c <- nil 273 peer.stopping.Wait() 274 peer.device.queue.encryption.wg.Done() // no more writes to encryption queue from us 275 276 peer.ZeroAndFlushAll() 277 } 278 279 func (peer *Peer) SetEndpointFromPacket(endpoint conn.Endpoint) { 280 peer.endpoint.Lock() 281 defer peer.endpoint.Unlock() 282 if peer.endpoint.disableRoaming { 283 return 284 } 285 peer.endpoint.clearSrcOnTx = false 286 peer.endpoint.val = endpoint 287 } 288 289 func (peer *Peer) markEndpointSrcForClearing() { 290 peer.endpoint.Lock() 291 defer peer.endpoint.Unlock() 292 if peer.endpoint.val == nil { 293 return 294 } 295 peer.endpoint.clearSrcOnTx = true 296 }