diff options
Diffstat (limited to 'src')
49 files changed, 1383 insertions, 312 deletions
diff --git a/src/Makefile b/src/Makefile index 157153e..0533910 100644 --- a/src/Makefile +++ b/src/Makefile @@ -48,18 +48,29 @@ CFLAGS += -DRUNSTATEDIR="\"$(RUNSTATEDIR)\"" ifeq ($(DEBUG),yes) CFLAGS += -g endif -WIREGUARD_TOOLS_VERSION = $(patsubst v%,%,$(shell GIT_CEILING_DIRECTORIES="$(PWD)/../.." git describe --dirty 2>/dev/null)) +WIREGUARD_TOOLS_VERSION = $(patsubst v%,%,$(shell GIT_DIR="$(PWD)/../.git" git describe --dirty 2>/dev/null)) ifneq ($(WIREGUARD_TOOLS_VERSION),) CFLAGS += -D'WIREGUARD_TOOLS_VERSION="$(WIREGUARD_TOOLS_VERSION)"' endif +ifeq ($(PLATFORM),freebsd) +LDLIBS += -lnv +endif ifeq ($(PLATFORM),haiku) LDLIBS += -lnetwork -lbsd endif ifeq ($(PLATFORM),windows) -CC := x86_64-w64-mingw32-gcc -CFLAGS += -Iwincompat/include -include wincompat/compat.h -LDLIBS += -lws2_32 -wg: wincompat/libc.o wincompat/init.o +CC := x86_64-w64-mingw32-clang +WINDRES := $(shell $(CC) $(CFLAGS) -print-prog-name=windres 2>/dev/null) +CFLAGS += -Iwincompat/include -include wincompat/compat.h -DWINVER=0x0601 -D_WIN32_WINNT=0x0601 -flto +LDLIBS += -lws2_32 -lsetupapi -lole32 -ladvapi32 -lntdll -Lwincompat +LDFLAGS += -flto -Wl,--dynamicbase -Wl,--nxcompat -Wl,--tsaware -mconsole +LDFLAGS += -Wl,--major-os-version=6 -Wl,--minor-os-version=1 -Wl,--major-subsystem-version=6 -Wl,--minor-subsystem-version=1 +# The use of -Wl,/delayload: here implies we're using llvm-mingw +LDFLAGS += -Wl,/delayload:ws2_32.dll -Wl,/delayload:setupapi.dll -Wl,/delayload:ole32.dll -Wl,/delayload:advapi32.dll +VERSION := $(patsubst "%",%,$(filter "%",$(file < version.h))) +wg: wincompat/libc.o wincompat/init.o wincompat/loader.o wincompat/resources.o +wincompat/resources.o: wincompat/resources.rc wincompat/manifest.xml + $(WINDRES) -DVERSION_STR=$(VERSION) -O coff -c 65001 -i $< -o $@ endif ifneq ($(V),1) @@ -71,12 +82,13 @@ COMPILE.c = @echo " CC $@"; COMPILE.c += $(BUILT_IN_COMPILE.c) BUILT_IN_RM := $(RM) RM := @a() { echo " CLEAN $$@"; $(BUILT_IN_RM) "$$@"; }; a +WINDRES := @a() { echo " WINDRES $${@: -1}"; $(WINDRES) "$$@"; }; a endif wg: $(sort $(patsubst %.c,%.o,$(wildcard *.c))) clean: - $(RM) wg *.o *.d + $(RM) wg *.o *.d $(wildcard wincompat/*.o wincompat/*.lib wincompat/*.dll) install: wg @install -v -d "$(DESTDIR)$(BINDIR)" && install -v -m 0755 wg "$(DESTDIR)$(BINDIR)/wg" diff --git a/src/completion/wg.bash-completion b/src/completion/wg.bash-completion index 445f0e8..3c062b4 100644 --- a/src/completion/wg.bash-completion +++ b/src/completion/wg.bash-completion @@ -5,12 +5,12 @@ _wg_completion() { local a if [[ $COMP_CWORD -eq 1 ]]; then - COMPREPLY+=( $(compgen -W "show showconf set setconf addconf genkey genpsk pubkey" -- "${COMP_WORDS[1]}") ) + COMPREPLY+=( $(compgen -W "help show showconf set setconf addconf syncconf genkey genpsk pubkey" -- "${COMP_WORDS[1]}") ) return fi case "${COMP_WORDS[1]}" in genkey|genpsk|pubkey|help) return; ;; - show|showconf|set|setconf|addconf) ;; + show|showconf|set|setconf|addconf|syncconf) ;; *) return; esac @@ -26,7 +26,7 @@ _wg_completion() { return fi - if [[ $COMP_CWORD -eq 3 && ( ${COMP_WORDS[1]} == setconf || ${COMP_WORDS[1]} == addconf ) ]]; then + if [[ $COMP_CWORD -eq 3 && ( ${COMP_WORDS[1]} == setconf || ${COMP_WORDS[1]} == addconf || ${COMP_WORDS[1]} == syncconf) ]]; then compopt -o filenames mapfile -t a < <(compgen -f -- "${COMP_WORDS[3]}") COMPREPLY+=( "${a[@]}" ) diff --git a/src/config.c b/src/config.c index b8394a5..81ccb47 100644 --- a/src/config.c +++ b/src/config.c @@ -1,11 +1,10 @@ -// SPDX-License-Identifier: GPL-2.0 +// SPDX-License-Identifier: GPL-2.0 OR MIT /* * Copyright (C) 2015-2020 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved. */ #include <arpa/inet.h> #include <limits.h> -#include <ctype.h> #include <netdb.h> #include <stdio.h> #include <stdlib.h> @@ -19,6 +18,7 @@ #include "containers.h" #include "ipc.h" #include "encoding.h" +#include "ctype.h" #define COMMENT_CHAR '#' @@ -86,7 +86,7 @@ static inline bool parse_fwmark(uint32_t *fwmark, uint32_t *flags, const char *v return true; } - if (!isdigit(value[0])) + if (!char_is_digit(value[0])) goto err; if (strlen(value) > 2 && value[0] == '0' && value[1] == 'x') @@ -141,7 +141,7 @@ static bool parse_keyfile(uint8_t key[static WG_KEY_LEN], const char *path) dst[WG_KEY_LEN_BASE64 - 1] = '\0'; while ((c = getc(f)) != EOF) { - if (!isspace(c)) { + if (!char_is_space(c)) { fprintf(stderr, "Found trailing character in key file: `%c'\n", c); goto out; } @@ -290,7 +290,7 @@ static inline bool parse_persistent_keepalive(uint16_t *interval, uint32_t *flag return true; } - if (!isdigit(value[0])) + if (!char_is_digit(value[0])) goto err; ret = strtoul(value, &end, 10); @@ -375,7 +375,7 @@ static inline bool parse_allowedips(struct wgpeer *peer, struct wgallowedip **la } if (mask) { - if (!isdigit(mask[0])) + if (!char_is_digit(mask[0])) goto err; cidr = strtoul(mask, &end, 10); if (*end || (cidr > 32 && new_allowedip->family == AF_INET) || (cidr > 128 && new_allowedip->family == AF_INET6)) @@ -501,7 +501,7 @@ bool config_read_line(struct config_ctx *ctx, const char *input) } for (size_t i = 0; i < len; ++i) { - if (!isspace(input[i])) + if (!char_is_space(input[i])) line[cleaned_len++] = input[i]; } if (!cleaned_len) @@ -555,13 +555,13 @@ static char *strip_spaces(const char *in) return NULL; } for (i = 0, l = 0; i < t; ++i) { - if (!isspace(in[i])) + if (!char_is_space(in[i])) out[l++] = in[i]; } return out; } -struct wgdevice *config_read_cmd(char *argv[], int argc) +struct wgdevice *config_read_cmd(const char *argv[], int argc) { struct wgdevice *device = calloc(1, sizeof(*device)); struct wgpeer *peer = NULL; diff --git a/src/config.h b/src/config.h index 8bbe236..443cf21 100644 --- a/src/config.h +++ b/src/config.h @@ -1,4 +1,4 @@ -/* SPDX-License-Identifier: GPL-2.0 */ +/* SPDX-License-Identifier: GPL-2.0 OR MIT */ /* * Copyright (C) 2015-2020 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved. */ @@ -19,7 +19,7 @@ struct config_ctx { bool is_peer_section, is_device_section; }; -struct wgdevice *config_read_cmd(char *argv[], int argc); +struct wgdevice *config_read_cmd(const char *argv[], int argc); bool config_read_init(struct config_ctx *ctx, bool append); bool config_read_line(struct config_ctx *ctx, const char *line); struct wgdevice *config_read_finish(struct config_ctx *ctx); diff --git a/src/containers.h b/src/containers.h index fb5434f..a82e8dd 100644 --- a/src/containers.h +++ b/src/containers.h @@ -1,4 +1,4 @@ -/* SPDX-License-Identifier: GPL-2.0 */ +/* SPDX-License-Identifier: GPL-2.0 OR MIT */ /* * Copyright (C) 2015-2020 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved. */ diff --git a/src/ctype.h b/src/ctype.h new file mode 100644 index 0000000..7c9942c --- /dev/null +++ b/src/ctype.h @@ -0,0 +1,29 @@ +/* SPDX-License-Identifier: GPL-2.0 OR MIT */ +/* + * Copyright (C) 2015-2020 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved. + * + * Specialized constant-time ctype.h reimplementations that aren't locale-specific. + */ + +#ifndef CTYPE_H +#define CTYPE_H + +#include <stdbool.h> + +static inline bool char_is_space(int c) +{ + unsigned char d = c - 9; + return (0x80001FU >> (d & 31)) & (1U >> (d >> 5)); +} + +static inline bool char_is_digit(int c) +{ + return (unsigned int)(('0' - 1 - c) & (c - ('9' + 1))) >> (sizeof(c) * 8 - 1); +} + +static inline bool char_is_alpha(int c) +{ + return (unsigned int)(('a' - 1 - (c | 32)) & ((c | 32) - ('z' + 1))) >> (sizeof(c) * 8 - 1); +} + +#endif diff --git a/src/curve25519.c b/src/curve25519.c index 1739a9e..7121d1e 100644 --- a/src/curve25519.c +++ b/src/curve25519.c @@ -1,4 +1,4 @@ -// SPDX-License-Identifier: GPL-2.0 +// SPDX-License-Identifier: GPL-2.0 OR MIT /* * Copyright (C) 2018-2020 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved. */ diff --git a/src/curve25519.h b/src/curve25519.h index 1569824..b05432f 100644 --- a/src/curve25519.h +++ b/src/curve25519.h @@ -1,4 +1,4 @@ -/* SPDX-License-Identifier: GPL-2.0 */ +/* SPDX-License-Identifier: GPL-2.0 OR MIT */ /* * Copyright (C) 2015-2020 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved. */ diff --git a/src/encoding.c b/src/encoding.c index 2540e5b..9b2cda5 100644 --- a/src/encoding.c +++ b/src/encoding.c @@ -1,4 +1,4 @@ -// SPDX-License-Identifier: GPL-2.0 +// SPDX-License-Identifier: GPL-2.0 OR MIT /* * Copyright (C) 2015-2020 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved. * diff --git a/src/encoding.h b/src/encoding.h index 2d2c1e0..3cabe9c 100644 --- a/src/encoding.h +++ b/src/encoding.h @@ -1,4 +1,4 @@ -/* SPDX-License-Identifier: GPL-2.0 */ +/* SPDX-License-Identifier: GPL-2.0 OR MIT */ /* * Copyright (C) 2015-2020 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved. */ diff --git a/src/genkey.c b/src/genkey.c index d1bb643..0201b28 100644 --- a/src/genkey.c +++ b/src/genkey.c @@ -1,4 +1,4 @@ -// SPDX-License-Identifier: GPL-2.0 +// SPDX-License-Identifier: GPL-2.0 OR MIT /* * Copyright (C) 2015-2020 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved. */ @@ -28,7 +28,7 @@ #include "encoding.h" #include "subcommands.h" -#ifndef WINCOMPAT +#ifndef _WIN32 static inline bool __attribute__((__warn_unused_result__)) get_random_bytes(uint8_t *out, size_t len) { ssize_t ret = 0; @@ -65,10 +65,14 @@ static inline bool __attribute__((__warn_unused_result__)) get_random_bytes(uint return i == len; } #else -#include "wincompat/getrandom.c" +#include <ntsecapi.h> +static inline bool __attribute__((__warn_unused_result__)) get_random_bytes(uint8_t *out, size_t len) +{ + return RtlGenRandom(out, len); +} #endif -int genkey_main(int argc, char *argv[]) +int genkey_main(int argc, const char *argv[]) { uint8_t key[WG_KEY_LEN]; char base64[WG_KEY_LEN_BASE64]; diff --git a/src/ipc-freebsd.h b/src/ipc-freebsd.h new file mode 100644 index 0000000..fa74edd --- /dev/null +++ b/src/ipc-freebsd.h @@ -0,0 +1,360 @@ +// SPDX-License-Identifier: MIT +/* + * Copyright (C) 2015-2021 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved. + * + */ + +#include <assert.h> +#include <sys/nv.h> +#include <sys/sockio.h> +#include <dev/wg/if_wg.h> + +#define IPC_SUPPORTS_KERNEL_INTERFACE + +static int get_dgram_socket(void) +{ + static int sock = -1; + if (sock < 0) + sock = socket(AF_INET, SOCK_DGRAM, 0); + return sock; +} + +static int kernel_get_wireguard_interfaces(struct string_list *list) +{ + struct ifgroupreq ifgr = { .ifgr_name = "wg" }; + struct ifg_req *ifg; + int s = get_dgram_socket(), ret = 0; + + if (s < 0) + return -errno; + + if (ioctl(s, SIOCGIFGMEMB, (caddr_t)&ifgr) < 0) + return errno == ENOENT ? 0 : -errno; + + ifgr.ifgr_groups = calloc(1, ifgr.ifgr_len); + if (!ifgr.ifgr_groups) + return -errno; + if (ioctl(s, SIOCGIFGMEMB, (caddr_t)&ifgr) < 0) { + ret = -errno; + goto out; + } + + for (ifg = ifgr.ifgr_groups; ifg && ifgr.ifgr_len > 0; ++ifg) { + if ((ret = string_list_add(list, ifg->ifgrq_member)) < 0) + goto out; + ifgr.ifgr_len -= sizeof(struct ifg_req); + } + +out: + free(ifgr.ifgr_groups); + return ret; +} + +static int kernel_get_device(struct wgdevice **device, const char *ifname) +{ + struct wg_data_io wgd = { 0 }; + nvlist_t *nvl_device = NULL; + const nvlist_t *const *nvl_peers; + struct wgdevice *dev = NULL; + size_t size, peer_count, i; + uint64_t number; + const void *binary; + int ret = 0, s; + + *device = NULL; + s = get_dgram_socket(); + if (s < 0) + goto err; + + strlcpy(wgd.wgd_name, ifname, sizeof(wgd.wgd_name)); + if (ioctl(s, SIOCGWG, &wgd) < 0) + goto err; + + wgd.wgd_data = malloc(wgd.wgd_size); + if (!wgd.wgd_data) + goto err; + if (ioctl(s, SIOCGWG, &wgd) < 0) + goto err; + + dev = calloc(1, sizeof(*dev)); + if (!dev) + goto err; + strlcpy(dev->name, ifname, sizeof(dev->name)); + nvl_device = nvlist_unpack(wgd.wgd_data, wgd.wgd_size, 0); + if (!nvl_device) + goto err; + + if (nvlist_exists_number(nvl_device, "listen-port")) { + number = nvlist_get_number(nvl_device, "listen-port"); + if (number <= UINT16_MAX) { + dev->listen_port = number; + dev->flags |= WGDEVICE_HAS_LISTEN_PORT; + } + } + if (nvlist_exists_number(nvl_device, "user-cookie")) { + number = nvlist_get_number(nvl_device, "user-cookie"); + if (number <= UINT32_MAX) { + dev->fwmark = number; + dev->flags |= WGDEVICE_HAS_FWMARK; + } + } + if (nvlist_exists_binary(nvl_device, "public-key")) { + binary = nvlist_get_binary(nvl_device, "public-key", &size); + if (binary && size == sizeof(dev->public_key)) { + memcpy(dev->public_key, binary, sizeof(dev->public_key)); + dev->flags |= WGDEVICE_HAS_PUBLIC_KEY; + } + } + if (nvlist_exists_binary(nvl_device, "private-key")) { + binary = nvlist_get_binary(nvl_device, "private-key", &size); + if (binary && size == sizeof(dev->private_key)) { + memcpy(dev->private_key, binary, sizeof(dev->private_key)); + dev->flags |= WGDEVICE_HAS_PRIVATE_KEY; + } + } + if (!nvlist_exists_nvlist_array(nvl_device, "peers")) + goto skip_peers; + nvl_peers = nvlist_get_nvlist_array(nvl_device, "peers", &peer_count); + if (!nvl_peers) + goto skip_peers; + for (i = 0; i < peer_count; ++i) { + struct wgpeer *peer; + struct wgallowedip *aip = NULL; + const nvlist_t *const *nvl_aips; + size_t aip_count, j; + + peer = calloc(1, sizeof(*peer)); + if (!peer) + goto err_peer; + if (nvlist_exists_binary(nvl_peers[i], "public-key")) { + binary = nvlist_get_binary(nvl_peers[i], "public-key", &size); + if (binary && size == sizeof(peer->public_key)) { + memcpy(peer->public_key, binary, sizeof(peer->public_key)); + peer->flags |= WGPEER_HAS_PUBLIC_KEY; + } + } + if (nvlist_exists_binary(nvl_peers[i], "preshared-key")) { + binary = nvlist_get_binary(nvl_peers[i], "preshared-key", &size); + if (binary && size == sizeof(peer->preshared_key)) { + memcpy(peer->preshared_key, binary, sizeof(peer->preshared_key)); + if (!key_is_zero(peer->preshared_key)) + peer->flags |= WGPEER_HAS_PRESHARED_KEY; + } + } + if (nvlist_exists_number(nvl_peers[i], "persistent-keepalive-interval")) { + number = nvlist_get_number(nvl_peers[i], "persistent-keepalive-interval"); + if (number <= UINT16_MAX) { + peer->persistent_keepalive_interval = number; + peer->flags |= WGPEER_HAS_PERSISTENT_KEEPALIVE_INTERVAL; + } + } + if (nvlist_exists_binary(nvl_peers[i], "endpoint")) { + const struct sockaddr *endpoint = nvlist_get_binary(nvl_peers[i], "endpoint", &size); + if (endpoint && size <= sizeof(peer->endpoint) && size >= sizeof(peer->endpoint.addr) && + (endpoint->sa_family == AF_INET || endpoint->sa_family == AF_INET6)) + memcpy(&peer->endpoint.addr, endpoint, size); + } + if (nvlist_exists_number(nvl_peers[i], "rx-bytes")) + peer->rx_bytes = nvlist_get_number(nvl_peers[i], "rx-bytes"); + if (nvlist_exists_number(nvl_peers[i], "tx-bytes")) + peer->tx_bytes = nvlist_get_number(nvl_peers[i], "tx-bytes"); + if (nvlist_exists_binary(nvl_peers[i], "last-handshake-time")) { + binary = nvlist_get_binary(nvl_peers[i], "last-handshake-time", &size); + if (binary && size == sizeof(peer->last_handshake_time)) + memcpy(&peer->last_handshake_time, binary, sizeof(peer->last_handshake_time)); + } + + if (!nvlist_exists_nvlist_array(nvl_peers[i], "allowed-ips")) + goto skip_allowed_ips; + nvl_aips = nvlist_get_nvlist_array(nvl_peers[i], "allowed-ips", &aip_count); + if (!aip_count || !nvl_aips) + goto skip_allowed_ips; + for (j = 0; j < aip_count; ++j) { + if (!nvlist_exists_number(nvl_aips[j], "cidr")) + continue; + if (!nvlist_exists_binary(nvl_aips[j], "ipv4") && !nvlist_exists_binary(nvl_aips[j], "ipv6")) + continue; + aip = calloc(1, sizeof(*aip)); + if (!aip) + goto err_allowed_ips; + number = nvlist_get_number(nvl_aips[j], "cidr"); + if (nvlist_exists_binary(nvl_aips[j], "ipv4")) { + binary = nvlist_get_binary(nvl_aips[j], "ipv4", &size); + if (!binary || number > 32) { + ret = EINVAL; + goto err_allowed_ips; + } + aip->family = AF_INET; + aip->cidr = number; + memcpy(&aip->ip4, binary, sizeof(aip->ip4)); + } else { + assert(nvlist_exists_binary(nvl_aips[j], "ipv6")); + binary = nvlist_get_binary(nvl_aips[j], "ipv6", &size); + if (!binary || number > 128) { + ret = EINVAL; + goto err_allowed_ips; + } + aip->family = AF_INET6; + aip->cidr = number; + memcpy(&aip->ip6, binary, sizeof(aip->ip6)); + } + + if (!peer->first_allowedip) + peer->first_allowedip = aip; + else + peer->last_allowedip->next_allowedip = aip; + peer->last_allowedip = aip; + aip = NULL; + continue; + + err_allowed_ips: + if (!ret) + ret = -errno; + free(aip); + goto err_peer; + } + + /* Nothing leaked, hopefully -- ownership transferred or aip freed. */ + assert(aip == NULL); + skip_allowed_ips: + if (!dev->first_peer) + dev->first_peer = peer; + else + dev->last_peer->next_peer = peer; + dev->last_peer = peer; + continue; + + err_peer: + if (!ret) + ret = -errno; + free(peer); + goto err; + } + +skip_peers: + free(wgd.wgd_data); + nvlist_destroy(nvl_device); + *device = dev; + return 0; + +err: + if (!ret) + ret = -errno; + free(wgd.wgd_data); + nvlist_destroy(nvl_device); + free(dev); + return ret; +} + + +static int kernel_set_device(struct wgdevice *dev) +{ + struct wg_data_io wgd = { 0 }; + nvlist_t *nvl_device = NULL, **nvl_peers = NULL; + size_t peer_count = 0, i = 0; + struct wgpeer *peer; + int ret = 0, s; + + strlcpy(wgd.wgd_name, dev->name, sizeof(wgd.wgd_name)); + + nvl_device = nvlist_create(0); + if (!nvl_device) + goto err; + + for_each_wgpeer(dev, peer) + ++peer_count; + if (peer_count) { + nvl_peers = calloc(peer_count, sizeof(*nvl_peers)); + if (!nvl_peers) + goto err; + } + if (dev->flags & WGDEVICE_HAS_PRIVATE_KEY) + nvlist_add_binary(nvl_device, "private-key", dev->private_key, sizeof(dev->private_key)); + if (dev->flags & WGDEVICE_HAS_LISTEN_PORT) + nvlist_add_number(nvl_device, "listen-port", dev->listen_port); + if (dev->flags & WGDEVICE_HAS_FWMARK) + nvlist_add_number(nvl_device, "user-cookie", dev->fwmark); + if (dev->flags & WGDEVICE_REPLACE_PEERS) + nvlist_add_bool(nvl_device, "replace-peers", true); + + for_each_wgpeer(dev, peer) { + size_t aip_count = 0, j = 0; + nvlist_t **nvl_aips = NULL; + struct wgallowedip *aip; + + nvl_peers[i] = nvlist_create(0); + if (!nvl_peers[i]) + goto err_peer; + for_each_wgallowedip(peer, aip) + ++aip_count; + if (aip_count) { + nvl_aips = calloc(aip_count, sizeof(*nvl_aips)); + if (!nvl_aips) + goto err_peer; + } + nvlist_add_binary(nvl_peers[i], "public-key", peer->public_key, sizeof(peer->public_key)); + if (peer->flags & WGPEER_HAS_PRESHARED_KEY) + nvlist_add_binary(nvl_peers[i], "preshared-key", peer->preshared_key, sizeof(peer->preshared_key)); + if (peer->flags & WGPEER_HAS_PERSISTENT_KEEPALIVE_INTERVAL) + nvlist_add_number(nvl_peers[i], "persistent-keepalive-interval", peer->persistent_keepalive_interval); + if (peer->endpoint.addr.sa_family == AF_INET || peer->endpoint.addr.sa_family == AF_INET6) + nvlist_add_binary(nvl_peers[i], "endpoint", &peer->endpoint.addr, peer->endpoint.addr.sa_len); + if (peer->flags & WGPEER_REPLACE_ALLOWEDIPS) + nvlist_add_bool(nvl_peers[i], "replace-allowedips", true); + if (peer->flags & WGPEER_REMOVE_ME) + nvlist_add_bool(nvl_peers[i], "remove", true); + for_each_wgallowedip(peer, aip) { + nvl_aips[j] = nvlist_create(0); + if (!nvl_aips[j]) + goto err_peer; + nvlist_add_number(nvl_aips[j], "cidr", aip->cidr); + if (aip->family == AF_INET) + nvlist_add_binary(nvl_aips[j], "ipv4", &aip->ip4, sizeof(aip->ip4)); + else if (aip->family == AF_INET6) + nvlist_add_binary(nvl_aips[j], "ipv6", &aip->ip6, sizeof(aip->ip6)); + ++j; + } + if (j) { + nvlist_add_nvlist_array(nvl_peers[i], "allowed-ips", (const nvlist_t *const *)nvl_aips, j); + for (j = 0; j < aip_count; ++j) + nvlist_destroy(nvl_aips[j]); + free(nvl_aips); + } + ++i; + continue; + + err_peer: + ret = -errno; + for (j = 0; j < aip_count && nvl_aips; ++j) + nvlist_destroy(nvl_aips[j]); + free(nvl_aips); + nvlist_destroy(nvl_peers[i]); + nvl_peers[i] = NULL; + goto err; + } + if (i) { + nvlist_add_nvlist_array(nvl_device, "peers", (const nvlist_t *const *)nvl_peers, i); + for (i = 0; i < peer_count; ++i) + nvlist_destroy(nvl_peers[i]); + free(nvl_peers); + nvl_peers = NULL; + } + wgd.wgd_data = nvlist_pack(nvl_device, &wgd.wgd_size); + nvlist_destroy(nvl_device); + nvl_device = NULL; + if (!wgd.wgd_data) + goto err; + s = get_dgram_socket(); + if (s < 0) + return -errno; + return ioctl(s, SIOCSWG, &wgd); + +err: + if (!ret) + ret = -errno; + for (i = 0; i < peer_count && nvl_peers; ++i) + nvlist_destroy(nvl_peers[i]); + free(nvl_peers); + nvlist_destroy(nvl_device); + return ret; +} diff --git a/src/ipc-linux.h b/src/ipc-linux.h index 5883ffe..d29c0c5 100644 --- a/src/ipc-linux.h +++ b/src/ipc-linux.h @@ -479,6 +479,12 @@ static int kernel_get_device(struct wgdevice **device, const char *iface) struct nlmsghdr *nlh; struct mnlg_socket *nlg; + /* libmnl doesn't check the buffer size, so enforce that before using. */ + if (strlen(iface) >= IFNAMSIZ) { + errno = ENAMETOOLONG; + return -ENAMETOOLONG; + } + try_again: ret = 0; *device = calloc(1, sizeof(**device)); diff --git a/src/ipc-openbsd.h b/src/ipc-openbsd.h index 30554b1..03fbdb5 100644 --- a/src/ipc-openbsd.h +++ b/src/ipc-openbsd.h @@ -129,7 +129,8 @@ static int kernel_get_device(struct wgdevice **device, const char *iface) if (wg_peer->p_flags & WG_PEER_HAS_PSK) { memcpy(peer->preshared_key, wg_peer->p_psk, sizeof(peer->preshared_key)); - peer->flags |= WGPEER_HAS_PRESHARED_KEY; + if (!key_is_zero(peer->preshared_key)) + peer->flags |= WGPEER_HAS_PRESHARED_KEY; } if (wg_peer->p_flags & WG_PEER_HAS_PKA) { @@ -254,13 +255,12 @@ static int kernel_set_device(struct wgdevice *dev) wg_aip->a_af = aip->family; wg_aip->a_cidr = aip->cidr; - if (aip->family == AF_INET) { + if (aip->family == AF_INET) memcpy(&wg_aip->a_ipv4, &aip->ip4, sizeof(wg_aip->a_ipv4)); - } else if (aip->family == AF_INET6) { + else if (aip->family == AF_INET6) memcpy(&wg_aip->a_ipv6, &aip->ip6, sizeof(wg_aip->a_ipv6)); - } else { + else continue; - } ++aip_count; ++wg_aip; } diff --git a/src/ipc-uapi-windows.h b/src/ipc-uapi-windows.h index 86fab07..8ea4f75 100644 --- a/src/ipc-uapi-windows.h +++ b/src/ipc-uapi-windows.h @@ -10,126 +10,96 @@ #include <stdio.h> #include <stdbool.h> #include <fcntl.h> +#include <hashtable.h> static FILE *userspace_interface_file(const char *iface) { - char fname[MAX_PATH], error_message[1024 * 128] = { 0 }; - HANDLE thread_token, process_snapshot, winlogon_process, winlogon_token, duplicated_token, pipe_handle = INVALID_HANDLE_VALUE; - PROCESSENTRY32 entry = { .dwSize = sizeof(PROCESSENTRY32) }; - PSECURITY_DESCRIPTOR pipe_sd; - PSID pipe_sid; + char fname[MAX_PATH]; + HANDLE pipe_handle; SID expected_sid; - BOOL ret; + DWORD bytes = sizeof(expected_sid); + PSID pipe_sid; + PSECURITY_DESCRIPTOR pipe_sd; + bool equal; int fd; - DWORD last_error = ERROR_SUCCESS, bytes = sizeof(expected_sid); - TOKEN_PRIVILEGES privileges = { - .PrivilegeCount = 1, - .Privileges = {{ .Attributes = SE_PRIVILEGE_ENABLED }} - }; - if (!LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &privileges.Privileges[0].Luid)) - goto err; if (!CreateWellKnownSid(WinLocalSystemSid, NULL, &expected_sid, &bytes)) goto err; - process_snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); - if (process_snapshot == INVALID_HANDLE_VALUE) - goto err; - for (ret = Process32First(process_snapshot, &entry); ret; last_error = GetLastError(), ret = Process32Next(process_snapshot, &entry)) { - if (strcasecmp(entry.szExeFile, "winlogon.exe")) - continue; - - RevertToSelf(); - if (!ImpersonateSelf(SecurityImpersonation)) - continue; - if (!OpenThreadToken(GetCurrentThread(), TOKEN_ADJUST_PRIVILEGES, FALSE, &thread_token)) - continue; - if (!AdjustTokenPrivileges(thread_token, FALSE, &privileges, sizeof(privileges), NULL, NULL)) { - last_error = GetLastError(); - CloseHandle(thread_token); - continue; - } - CloseHandle(thread_token); - - winlogon_process = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, entry.th32ProcessID); - if (!winlogon_process) - continue; - if (!OpenProcessToken(winlogon_process, TOKEN_IMPERSONATE | TOKEN_DUPLICATE, &winlogon_token)) - continue; - CloseHandle(winlogon_process); - if (!DuplicateToken(winlogon_token, SecurityImpersonation, &duplicated_token)) { - last_error = GetLastError(); - RevertToSelf(); - continue; - } - CloseHandle(winlogon_token); - if (!SetThreadToken(NULL, duplicated_token)) { - last_error = GetLastError(); - CloseHandle(duplicated_token); - continue; - } - CloseHandle(duplicated_token); - - snprintf(fname, sizeof(fname), "\\\\.\\pipe\\ProtectedPrefix\\Administrators\\WireGuard\\%s", iface); - pipe_handle = CreateFile(fname, GENERIC_READ | GENERIC_WRITE, 0, NULL, OPEN_EXISTING, 0, NULL); - last_error = GetLastError(); - if (pipe_handle == INVALID_HANDLE_VALUE) - continue; - last_error = GetSecurityInfo(pipe_handle, SE_FILE_OBJECT, OWNER_SECURITY_INFORMATION, &pipe_sid, NULL, NULL, NULL, &pipe_sd); - if (last_error != ERROR_SUCCESS) { - CloseHandle(pipe_handle); - continue; - } - last_error = EqualSid(&expected_sid, pipe_sid) ? ERROR_SUCCESS : ERROR_ACCESS_DENIED; - LocalFree(pipe_sd); - if (last_error != ERROR_SUCCESS) { - CloseHandle(pipe_handle); - continue; - } - last_error = ERROR_SUCCESS; - break; - } - RevertToSelf(); - CloseHandle(process_snapshot); - - if (last_error != ERROR_SUCCESS || pipe_handle == INVALID_HANDLE_VALUE) + snprintf(fname, sizeof(fname), "\\\\.\\pipe\\ProtectedPrefix\\Administrators\\WireGuard\\%s", iface); + pipe_handle = CreateFileA(fname, GENERIC_READ | GENERIC_WRITE, 0, NULL, OPEN_EXISTING, 0, NULL); + if (pipe_handle == INVALID_HANDLE_VALUE) goto err; + if (GetSecurityInfo(pipe_handle, SE_FILE_OBJECT, OWNER_SECURITY_INFORMATION, &pipe_sid, NULL, NULL, NULL, &pipe_sd) != ERROR_SUCCESS) + goto err_close; + equal = EqualSid(&expected_sid, pipe_sid); + LocalFree(pipe_sd); + if (!equal) + goto err_close; fd = _open_osfhandle((intptr_t)pipe_handle, _O_RDWR); if (fd == -1) { - last_error = GetLastError(); CloseHandle(pipe_handle); - goto err; + return NULL; } return _fdopen(fd, "r+"); - +err_close: + CloseHandle(pipe_handle); err: - if (last_error == ERROR_SUCCESS) - last_error = GetLastError(); - if (last_error == ERROR_SUCCESS) - last_error = ERROR_ACCESS_DENIED; - FormatMessage(FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_IGNORE_INSERTS, NULL, last_error, MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT), error_message, sizeof(error_message) - 1, NULL); - fprintf(stderr, "Error: Unable to open IPC handle via SYSTEM impersonation: %ld: %s\n", last_error, error_message); errno = EACCES; return NULL; } +static bool have_cached_interfaces; +static struct hashtable cached_interfaces; + +static bool userspace_has_wireguard_interface(const char *iface) +{ + char fname[MAX_PATH]; + WIN32_FIND_DATA find_data; + HANDLE find_handle; + bool ret = false; + + if (have_cached_interfaces) + return hashtable_find_entry(&cached_interfaces, iface) != NULL; + + snprintf(fname, sizeof(fname), "ProtectedPrefix\\Administrators\\WireGuard\\%s", iface); + find_handle = FindFirstFile("\\\\.\\pipe\\*", &find_data); + if (find_handle == INVALID_HANDLE_VALUE) + return -EIO; + do { + if (!strcmp(fname, find_data.cFileName)) { + ret = true; + break; + } + } while (FindNextFile(find_handle, &find_data)); + FindClose(find_handle); + return ret; +} + static int userspace_get_wireguard_interfaces(struct string_list *list) { static const char prefix[] = "ProtectedPrefix\\Administrators\\WireGuard\\"; WIN32_FIND_DATA find_data; HANDLE find_handle; + char *iface; int ret = 0; find_handle = FindFirstFile("\\\\.\\pipe\\*", &find_data); if (find_handle == INVALID_HANDLE_VALUE) - return -GetLastError(); + return -EIO; do { if (strncmp(prefix, find_data.cFileName, strlen(prefix))) continue; - ret = string_list_add(list, find_data.cFileName + strlen(prefix)); + iface = find_data.cFileName + strlen(prefix); + ret = string_list_add(list, iface); if (ret < 0) goto out; + if (!hashtable_find_or_insert_entry(&cached_interfaces, iface)) { + ret = -errno; + goto out; + } } while (FindNextFile(find_handle, &find_data)); + have_cached_interfaces = true; out: FindClose(find_handle); diff --git a/src/ipc-uapi.h b/src/ipc-uapi.h index 3b1fff3..f582916 100644 --- a/src/ipc-uapi.h +++ b/src/ipc-uapi.h @@ -4,8 +4,8 @@ */ #include <arpa/inet.h> -#include <ctype.h> #include <errno.h> +#include <limits.h> #include <net/if.h> #include <netdb.h> #include <netinet/in.h> @@ -17,6 +17,7 @@ #include "containers.h" #include "curve25519.h" #include "encoding.h" +#include "ctype.h" #ifdef _WIN32 #include "ipc-uapi-windows.h" @@ -30,8 +31,10 @@ static int userspace_set_device(struct wgdevice *dev) struct wgpeer *peer; struct wgallowedip *allowedip; FILE *f; - int ret; + int ret, set_errno = -EPROTO; socklen_t addr_len; + size_t line_buffer_len = 0, line_len; + char *key = NULL, *value; f = userspace_interface_file(dev->name); if (!f) @@ -92,8 +95,30 @@ static int userspace_set_device(struct wgdevice *dev) fprintf(f, "\n"); fflush(f); - if (fscanf(f, "errno=%d\n\n", &ret) != 1) - ret = errno ? -errno : -EPROTO; + while (getline(&key, &line_buffer_len, f) > 0) { + line_len = strlen(key); + ret = set_errno; + if (line_len == 1 && key[0] == '\n') + goto out; + value = strchr(key, '='); + if (!value || line_len == 0 || key[line_len - 1] != '\n') + break; + *value++ = key[--line_len] = '\0'; + + if (!strcmp(key, "errno")) { + long long num; + char *end; + if (value[0] != '-' && !char_is_digit(value[0])) + break; + num = strtoll(value, &end, 10); + if (*end || num > INT_MAX || num < INT_MIN) + break; + set_errno = num; + } + } + ret = errno ? -errno : -EPROTO; +out: + free(key); fclose(f); errno = -ret; return ret; @@ -102,7 +127,7 @@ static int userspace_set_device(struct wgdevice *dev) #define NUM(max) ({ \ unsigned long long num; \ char *end; \ - if (!isdigit(value[0])) \ + if (!char_is_digit(value[0])) \ break; \ num = strtoull(value, &end, 10); \ if (*end || num > max) \ @@ -223,7 +248,7 @@ static int userspace_get_device(struct wgdevice **out, const char *iface) struct wgallowedip *new_allowedip; char *end, *mask = value, *ip = strsep(&mask, "/"); - if (!mask || !isdigit(mask[0])) + if (!mask || !char_is_digit(mask[0])) break; new_allowedip = calloc(1, sizeof(*new_allowedip)); if (!new_allowedip) { diff --git a/src/ipc-windows.h b/src/ipc-windows.h new file mode 100644 index 0000000..d237fc9 --- /dev/null +++ b/src/ipc-windows.h @@ -0,0 +1,450 @@ +// SPDX-License-Identifier: GPL-2.0 +/* + * Copyright (C) 2015-2021 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved. + */ + +#include "containers.h" +#include <windows.h> +#include <setupapi.h> +#include <cfgmgr32.h> +#include <iphlpapi.h> +#include <initguid.h> +#include <devguid.h> +#include <ddk/ndisguid.h> +#include <wireguard.h> +#include <hashtable.h> + +#define IPC_SUPPORTS_KERNEL_INTERFACE + +static bool have_cached_kernel_interfaces; +static struct hashtable cached_kernel_interfaces; +static const DEVPROPKEY devpkey_name = DEVPKEY_WG_NAME; +extern bool is_win7; + +static int kernel_get_wireguard_interfaces(struct string_list *list) +{ + HDEVINFO dev_info = SetupDiGetClassDevsExW(&GUID_DEVCLASS_NET, is_win7 ? L"ROOT\\WIREGUARD" : L"SWD\\WireGuard", NULL, DIGCF_PRESENT, NULL, NULL, NULL); + bool will_have_cached_kernel_interfaces = true; + + if (dev_info == INVALID_HANDLE_VALUE) { + errno = EACCES; + return -errno; + } + + for (DWORD i = 0;; ++i) { + DWORD buf_len; + WCHAR adapter_name[MAX_ADAPTER_NAME]; + SP_DEVINFO_DATA dev_info_data = { .cbSize = sizeof(SP_DEVINFO_DATA) }; + DEVPROPTYPE prop_type; + ULONG status, problem_code; + char *interface_name; + struct hashtable_entry *entry; + + if (!SetupDiEnumDeviceInfo(dev_info, i, &dev_info_data)) { + if (GetLastError() == ERROR_NO_MORE_ITEMS) + break; + continue; + } + + if (!SetupDiGetDevicePropertyW(dev_info, &dev_info_data, &devpkey_name, + &prop_type, (PBYTE)adapter_name, + sizeof(adapter_name), NULL, 0) || + prop_type != DEVPROP_TYPE_STRING) + continue; + adapter_name[_countof(adapter_name) - 1] = L'0'; + if (!adapter_name[0]) + continue; + buf_len = WideCharToMultiByte(CP_UTF8, 0, adapter_name, -1, NULL, 0, NULL, NULL); + if (!buf_len) + continue; + interface_name = malloc(buf_len); + if (!interface_name) + continue; + buf_len = WideCharToMultiByte(CP_UTF8, 0, adapter_name, -1, interface_name, buf_len, NULL, NULL); + if (!buf_len) { + free(interface_name); + continue; + } + + if (CM_Get_DevNode_Status(&status, &problem_code, dev_info_data.DevInst, 0) == CR_SUCCESS && + (status & (DN_DRIVER_LOADED | DN_STARTED)) == (DN_DRIVER_LOADED | DN_STARTED)) + string_list_add(list, interface_name); + + entry = hashtable_find_or_insert_entry(&cached_kernel_interfaces, interface_name); + free(interface_name); + if (!entry) + continue; + + if (SetupDiGetDeviceInstanceIdW(dev_info, &dev_info_data, NULL, 0, &buf_len) || GetLastError() != ERROR_INSUFFICIENT_BUFFER) + continue; + entry->value = calloc(sizeof(WCHAR), buf_len); + if (!entry->value) + continue; + if (!SetupDiGetDeviceInstanceIdW(dev_info, &dev_info_data, entry->value, buf_len, &buf_len)) { + free(entry->value); + entry->value = NULL; + continue; + } + + will_have_cached_kernel_interfaces = true; + } + SetupDiDestroyDeviceInfoList(dev_info); + have_cached_kernel_interfaces = will_have_cached_kernel_interfaces; + return 0; +} + +static HANDLE kernel_interface_handle(const char *iface) +{ + HDEVINFO dev_info; + WCHAR *interfaces = NULL; + HANDLE handle; + + if (have_cached_kernel_interfaces) { + struct hashtable_entry *entry = hashtable_find_entry(&cached_kernel_interfaces, iface); + if (entry) { + DWORD buf_len; + if (CM_Get_Device_Interface_List_SizeW( + &buf_len, (GUID *)&GUID_DEVINTERFACE_NET, (DEVINSTID_W)entry->value, + CM_GET_DEVICE_INTERFACE_LIST_PRESENT) != CR_SUCCESS) + goto err_hash; + interfaces = calloc(buf_len, sizeof(*interfaces)); + if (!interfaces) + goto err_hash; + if (CM_Get_Device_Interface_ListW( + (GUID *)&GUID_DEVINTERFACE_NET, (DEVINSTID_W)entry->value, interfaces, buf_len, + CM_GET_DEVICE_INTERFACE_LIST_PRESENT) != CR_SUCCESS || !interfaces[0]) { + free(interfaces); + interfaces = NULL; + goto err_hash; + } + handle = CreateFileW(interfaces, GENERIC_READ | GENERIC_WRITE, + FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE, NULL, + OPEN_EXISTING, 0, NULL); + free(interfaces); + if (handle == INVALID_HANDLE_VALUE) + goto err_hash; + return handle; +err_hash: + errno = EACCES; + return NULL; + } + } + + dev_info = SetupDiGetClassDevsExW(&GUID_DEVCLASS_NET, is_win7 ? L"ROOT\\WIREGUARD" : L"SWD\\WireGuard", NULL, DIGCF_PRESENT, NULL, NULL, NULL); + if (dev_info == INVALID_HANDLE_VALUE) + return NULL; + + for (DWORD i = 0; !interfaces; ++i) { + bool found; + DWORD buf_len; + WCHAR *buf, adapter_name[MAX_ADAPTER_NAME]; + SP_DEVINFO_DATA dev_info_data = { .cbSize = sizeof(SP_DEVINFO_DATA) }; + DEVPROPTYPE prop_type; + char *interface_name; + + if (!SetupDiEnumDeviceInfo(dev_info, i, &dev_info_data)) { + if (GetLastError() == ERROR_NO_MORE_ITEMS) + break; + continue; + } + + if (!SetupDiGetDevicePropertyW(dev_info, &dev_info_data, &devpkey_name, + &prop_type, (PBYTE)adapter_name, + sizeof(adapter_name), NULL, 0) || + prop_type != DEVPROP_TYPE_STRING) + continue; + adapter_name[_countof(adapter_name) - 1] = L'0'; + if (!adapter_name[0]) + continue; + buf_len = WideCharToMultiByte(CP_UTF8, 0, adapter_name, -1, NULL, 0, NULL, NULL); + if (!buf_len) + continue; + interface_name = malloc(buf_len); + if (!interface_name) + continue; + buf_len = WideCharToMultiByte(CP_UTF8, 0, adapter_name, -1, interface_name, buf_len, NULL, NULL); + if (!buf_len) { + free(interface_name); + continue; + } + found = !strcmp(interface_name, iface); + free(interface_name); + if (!found) + continue; + + if (SetupDiGetDeviceInstanceIdW(dev_info, &dev_info_data, NULL, 0, &buf_len) || GetLastError() != ERROR_INSUFFICIENT_BUFFER) + continue; + buf = calloc(sizeof(*buf), buf_len); + if (!buf) + continue; + if (!SetupDiGetDeviceInstanceIdW(dev_info, &dev_info_data, buf, buf_len, &buf_len)) + goto cleanup_instance_id; + if (CM_Get_Device_Interface_List_SizeW( + &buf_len, (GUID *)&GUID_DEVINTERFACE_NET, (DEVINSTID_W)buf, + CM_GET_DEVICE_INTERFACE_LIST_PRESENT) != CR_SUCCESS) + goto cleanup_instance_id; + interfaces = calloc(buf_len, sizeof(*interfaces)); + if (!interfaces) + goto cleanup_instance_id; + if (CM_Get_Device_Interface_ListW( + (GUID *)&GUID_DEVINTERFACE_NET, (DEVINSTID_W)buf, interfaces, buf_len, + CM_GET_DEVICE_INTERFACE_LIST_PRESENT) != CR_SUCCESS || !interfaces[0]) { + free(interfaces); + interfaces = NULL; + goto cleanup_instance_id; + } +cleanup_instance_id: + free(buf); + } + SetupDiDestroyDeviceInfoList(dev_info); + if (!interfaces) { + errno = ENOENT; + return NULL; + } + handle = CreateFileW(interfaces, GENERIC_READ | GENERIC_WRITE, + FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE, NULL, + OPEN_EXISTING, 0, NULL); + free(interfaces); + if (handle == INVALID_HANDLE_VALUE) { + errno = EACCES; + return NULL; + } + return handle; +} + +static int kernel_get_device(struct wgdevice **device, const char *iface) +{ + WG_IOCTL_INTERFACE *wg_iface; + WG_IOCTL_PEER *wg_peer; + WG_IOCTL_ALLOWED_IP *wg_aip; + void *buf = NULL; + DWORD buf_len = 0; + HANDLE handle = kernel_interface_handle(iface); + struct wgdevice *dev; + struct wgpeer *peer; + struct wgallowedip *aip; + int ret; + + *device = NULL; + + if (!handle) + return -errno; + + while (!DeviceIoControl(handle, WG_IOCTL_GET, NULL, 0, buf, buf_len, &buf_len, NULL)) { + free(buf); + if (GetLastError() != ERROR_MORE_DATA) { + errno = EACCES; + return -errno; + } + buf = malloc(buf_len); + if (!buf) + return -errno; + } + + wg_iface = (WG_IOCTL_INTERFACE *)buf; + dev = calloc(1, sizeof(*dev)); + if (!dev) + goto out; + strncpy(dev->name, iface, sizeof(dev->name)); + dev->name[sizeof(dev->name) - 1] = '\0'; + + if (wg_iface->Flags & WG_IOCTL_INTERFACE_HAS_LISTEN_PORT) { + dev->listen_port = wg_iface->ListenPort; + dev->flags |= WGDEVICE_HAS_LISTEN_PORT; + } + + if (wg_iface->Flags & WG_IOCTL_INTERFACE_HAS_PUBLIC_KEY) { + memcpy(dev->public_key, wg_iface->PublicKey, sizeof(dev->public_key)); + dev->flags |= WGDEVICE_HAS_PUBLIC_KEY; + } + + if (wg_iface->Flags & WG_IOCTL_INTERFACE_HAS_PRIVATE_KEY) { + memcpy(dev->private_key, wg_iface->PrivateKey, sizeof(dev->private_key)); + dev->flags |= WGDEVICE_HAS_PRIVATE_KEY; + } + + wg_peer = buf + sizeof(WG_IOCTL_INTERFACE); + for (ULONG i = 0; i < wg_iface->PeersCount; ++i) { + peer = calloc(1, sizeof(*peer)); + if (!peer) + goto out; + + if (dev->first_peer == NULL) + dev->first_peer = peer; + else + dev->last_peer->next_peer = peer; + dev->last_peer = peer; + + if (wg_peer->Flags & WG_IOCTL_PEER_HAS_PUBLIC_KEY) { + memcpy(peer->public_key, wg_peer->PublicKey, sizeof(peer->public_key)); + peer->flags |= WGPEER_HAS_PUBLIC_KEY; + } + + if (wg_peer->Flags & WG_IOCTL_PEER_HAS_PRESHARED_KEY) { + memcpy(peer->preshared_key, wg_peer->PresharedKey, sizeof(peer->preshared_key)); + if (!key_is_zero(peer->preshared_key)) + peer->flags |= WGPEER_HAS_PRESHARED_KEY; + } + + if (wg_peer->Flags & WG_IOCTL_PEER_HAS_PERSISTENT_KEEPALIVE) { + peer->persistent_keepalive_interval = wg_peer->PersistentKeepalive; + peer->flags |= WGPEER_HAS_PERSISTENT_KEEPALIVE_INTERVAL; + } + + if (wg_peer->Flags & WG_IOCTL_PEER_HAS_ENDPOINT) { + if (wg_peer->Endpoint.si_family == AF_INET) + peer->endpoint.addr4 = wg_peer->Endpoint.Ipv4; + else if (wg_peer->Endpoint.si_family == AF_INET6) + peer->endpoint.addr6 = wg_peer->Endpoint.Ipv6; + } + + peer->rx_bytes = wg_peer->RxBytes; + peer->tx_bytes = wg_peer->TxBytes; + + if (wg_peer->LastHandshake) { + peer->last_handshake_time.tv_sec = wg_peer->LastHandshake / 10000000 - 11644473600LL; + peer->last_handshake_time.tv_nsec = wg_peer->LastHandshake % 10000000 * 100; + } + + wg_aip = (void *)wg_peer + sizeof(WG_IOCTL_PEER); + for (ULONG j = 0; j < wg_peer->AllowedIPsCount; ++j) { + aip = calloc(1, sizeof(*aip)); + if (!aip) + goto out; + + if (peer->first_allowedip == NULL) + peer->first_allowedip = aip; + else + peer->last_allowedip->next_allowedip = aip; + peer->last_allowedip = aip; + + aip->family = wg_aip->AddressFamily; + if (wg_aip->AddressFamily == AF_INET) { + memcpy(&aip->ip4, &wg_aip->Address.V4, sizeof(aip->ip4)); + aip->cidr = wg_aip->Cidr; + } else if (wg_aip->AddressFamily == AF_INET6) { + memcpy(&aip->ip6, &wg_aip->Address.V6, sizeof(aip->ip6)); + aip->cidr = wg_aip->Cidr; + } + ++wg_aip; + } + wg_peer = (WG_IOCTL_PEER *)wg_aip; + } + *device = dev; + errno = 0; +out: + ret = -errno; + free(buf); + CloseHandle(handle); + return ret; +} + +static int kernel_set_device(struct wgdevice *dev) +{ + WG_IOCTL_INTERFACE *wg_iface = NULL; + WG_IOCTL_PEER *wg_peer; + WG_IOCTL_ALLOWED_IP *wg_aip; + DWORD buf_len = sizeof(WG_IOCTL_INTERFACE); + HANDLE handle = kernel_interface_handle(dev->name); + struct wgpeer *peer; + struct wgallowedip *aip; + size_t peer_count, aip_count; + int ret = 0; + + if (!handle) + return -errno; + + for_each_wgpeer(dev, peer) { + if (DWORD_MAX - buf_len < sizeof(WG_IOCTL_PEER)) { + errno = EOVERFLOW; + goto out; + } + buf_len += sizeof(WG_IOCTL_PEER); + for_each_wgallowedip(peer, aip) { + if (DWORD_MAX - buf_len < sizeof(WG_IOCTL_ALLOWED_IP)) { + errno = EOVERFLOW; + goto out; + } + buf_len += sizeof(WG_IOCTL_ALLOWED_IP); + } + } + wg_iface = calloc(1, buf_len); + if (!wg_iface) + goto out; + + if (dev->flags & WGDEVICE_HAS_PRIVATE_KEY) { + memcpy(wg_iface->PrivateKey, dev->private_key, sizeof(wg_iface->PrivateKey)); + wg_iface->Flags |= WG_IOCTL_INTERFACE_HAS_PRIVATE_KEY; + } + + if (dev->flags & WGDEVICE_HAS_LISTEN_PORT) { + wg_iface->ListenPort = dev->listen_port; + wg_iface->Flags |= WG_IOCTL_INTERFACE_HAS_LISTEN_PORT; + } + + if (dev->flags & WGDEVICE_REPLACE_PEERS) + wg_iface->Flags |= WG_IOCTL_INTERFACE_REPLACE_PEERS; + + peer_count = 0; + wg_peer = (void *)wg_iface + sizeof(WG_IOCTL_INTERFACE); + for_each_wgpeer(dev, peer) { + wg_peer->Flags = WG_IOCTL_PEER_HAS_PUBLIC_KEY; + memcpy(wg_peer->PublicKey, peer->public_key, sizeof(wg_peer->PublicKey)); + + if (peer->flags & WGPEER_HAS_PRESHARED_KEY) { + memcpy(wg_peer->PresharedKey, peer->preshared_key, sizeof(wg_peer->PresharedKey)); + wg_peer->Flags |= WG_IOCTL_PEER_HAS_PRESHARED_KEY; + } + + if (peer->flags & WGPEER_HAS_PERSISTENT_KEEPALIVE_INTERVAL) { + wg_peer->PersistentKeepalive = peer->persistent_keepalive_interval; + wg_peer->Flags |= WG_IOCTL_PEER_HAS_PERSISTENT_KEEPALIVE; + } + + if (peer->endpoint.addr.sa_family == AF_INET) { + wg_peer->Endpoint.Ipv4 = peer->endpoint.addr4; + wg_peer->Flags |= WG_IOCTL_PEER_HAS_ENDPOINT; + } else if (peer->endpoint.addr.sa_family == AF_INET6) { + wg_peer->Endpoint.Ipv6 = peer->endpoint.addr6; + wg_peer->Flags |= WG_IOCTL_PEER_HAS_ENDPOINT; + } + + if (peer->flags & WGPEER_REPLACE_ALLOWEDIPS) + wg_peer->Flags |= WG_IOCTL_PEER_REPLACE_ALLOWED_IPS; + + if (peer->flags & WGPEER_REMOVE_ME) + wg_peer->Flags |= WG_IOCTL_PEER_REMOVE; + + aip_count = 0; + wg_aip = (void *)wg_peer + sizeof(WG_IOCTL_PEER); + for_each_wgallowedip(peer, aip) { + wg_aip->AddressFamily = aip->family; + wg_aip->Cidr = aip->cidr; + + if (aip->family == AF_INET) + wg_aip->Address.V4 = aip->ip4; + else if (aip->family == AF_INET6) + wg_aip->Address.V6 = aip->ip6; + else + continue; + ++aip_count; + ++wg_aip; + } + wg_peer->AllowedIPsCount = aip_count; + ++peer_count; + wg_peer = (WG_IOCTL_PEER *)wg_aip; + } + wg_iface->PeersCount = peer_count; + + if (!DeviceIoControl(handle, WG_IOCTL_SET, NULL, 0, wg_iface, buf_len, &buf_len, NULL)) { + errno = EACCES; + goto out; + } + errno = 0; + +out: + ret = -errno; + free(wg_iface); + CloseHandle(handle); + return ret; +} @@ -1,4 +1,4 @@ -// SPDX-License-Identifier: GPL-2.0 +// SPDX-License-Identifier: GPL-2.0 OR MIT /* * Copyright (C) 2015-2020 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved. */ @@ -7,6 +7,7 @@ #include <stdlib.h> #include <errno.h> #include "containers.h" +#include "ipc.h" struct string_list { char *buffer; @@ -44,6 +45,10 @@ static int string_list_add(struct string_list *list, const char *str) #include "ipc-linux.h" #elif defined(__OpenBSD__) #include "ipc-openbsd.h" +#elif defined(__FreeBSD__) +#include "ipc-freebsd.h" +#elif defined(_WIN32) +#include "ipc-windows.h" #endif /* first\0second\0third\0forth\0last\0\0 */ @@ -1,4 +1,4 @@ -/* SPDX-License-Identifier: GPL-2.0 */ +/* SPDX-License-Identifier: GPL-2.0 OR MIT */ /* * Copyright (C) 2015-2020 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved. */ diff --git a/src/man/wg-quick.8 b/src/man/wg-quick.8 index c693a89..bc9e145 100644 --- a/src/man/wg-quick.8 +++ b/src/man/wg-quick.8 @@ -168,7 +168,7 @@ sockets, which bypass Netfilter.) When IPv6 is in use, additional similar lines Or, perhaps it is desirable to store private keys in encrypted form, such as through use of .BR pass (1): - \fBPostUp = wg set %i private-key <(pass WireGuard/private-keys/%i)\fP + \fBPreUp = wg set %i private-key <(pass WireGuard/private-keys/%i)\fP .br For use on a server, the following is a more complicated example involving multiple peers: @@ -254,9 +254,7 @@ This will load the configuration file `/etc/wireguard/wgnet0.conf'. The \fIstrip\fP command is useful for reloading configuration files without disrupting active sessions: -\fB # wg addconf wgnet0 <(wg-quick strip wgnet0)\fP - -(Note that the above command will add and update peers but will not remove peers.) +\fB # wg syncconf wgnet0 <(wg-quick strip wgnet0)\fP .SH SEE ALSO .BR wg (8), diff --git a/src/man/wg.8 b/src/man/wg.8 index 2786623..7984539 100644 --- a/src/man/wg.8 +++ b/src/man/wg.8 @@ -219,7 +219,14 @@ by running as root: \fB # modprobe wireguard && echo module wireguard +p > /sys/kernel/debug/dynamic_debug/control\fP -On userspace implementations, it is customary to set the \fILOG_LEVEL\fP environment variable to \fIdebug\fP. +On OpenBSD and FreeBSD, debugging information can be written into +.BR dmesg (1) +on a per-interface basis by using +.BR ifconfig (1): + +\fB # ifconfig wg0 debug + +On userspace implementations, it is customary to set the \fILOG_LEVEL\fP environment variable to \fIverbose\fP. .SH ENVIRONMENT VARIABLES .TP diff --git a/src/pubkey.c b/src/pubkey.c index 19235fc..f191592 100644 --- a/src/pubkey.c +++ b/src/pubkey.c @@ -1,17 +1,17 @@ -// SPDX-License-Identifier: GPL-2.0 +// SPDX-License-Identifier: GPL-2.0 OR MIT /* * Copyright (C) 2015-2020 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved. */ #include <errno.h> #include <stdio.h> -#include <ctype.h> #include "curve25519.h" #include "encoding.h" #include "subcommands.h" +#include "ctype.h" -int pubkey_main(int argc, char *argv[]) +int pubkey_main(int argc, const char *argv[]) { uint8_t key[WG_KEY_LEN] __attribute__((aligned(sizeof(uintptr_t)))); char base64[WG_KEY_LEN_BASE64]; @@ -31,7 +31,7 @@ int pubkey_main(int argc, char *argv[]) for (;;) { trailing_char = getc(stdin); - if (!trailing_char || isspace(trailing_char) || isblank(trailing_char)) + if (!trailing_char || char_is_space(trailing_char)) continue; if (trailing_char == EOF) break; @@ -1,4 +1,4 @@ -// SPDX-License-Identifier: GPL-2.0 +// SPDX-License-Identifier: GPL-2.0 OR MIT /* * Copyright (C) 2015-2020 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved. */ @@ -12,7 +12,7 @@ #include "ipc.h" #include "subcommands.h" -int set_main(int argc, char *argv[]) +int set_main(int argc, const char *argv[]) { struct wgdevice *device = NULL; int ret = 1; diff --git a/src/setconf.c b/src/setconf.c index 89b3023..1c5b138 100644 --- a/src/setconf.c +++ b/src/setconf.c @@ -1,4 +1,4 @@ -// SPDX-License-Identifier: GPL-2.0 +// SPDX-License-Identifier: GPL-2.0 OR MIT /* * Copyright (C) 2015-2020 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved. */ @@ -98,7 +98,7 @@ static bool sync_conf(struct wgdevice *file) return true; } -int setconf_main(int argc, char *argv[]) +int setconf_main(int argc, const char *argv[]) { struct wgdevice *device = NULL; struct config_ctx ctx; @@ -1,4 +1,4 @@ -// SPDX-License-Identifier: GPL-2.0 +// SPDX-License-Identifier: GPL-2.0 OR MIT /* * Copyright (C) 2015-2020 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved. */ @@ -27,7 +27,7 @@ static int peer_cmp(const void *first, const void *second) { time_t diff; - const struct wgpeer *a = *(const void **)first, *b = *(const void **)second; + const struct wgpeer *a = *(void *const *)first, *b = *(void *const *)second; if (!a->last_handshake_time.tv_sec && !a->last_handshake_time.tv_nsec && (b->last_handshake_time.tv_sec || b->last_handshake_time.tv_nsec)) return 1; @@ -75,14 +75,14 @@ static char *key(const uint8_t key[static WG_KEY_LEN]) return base64; } -static char *maybe_key(const uint8_t maybe_key[static WG_KEY_LEN], bool have_it) +static const char *maybe_key(const uint8_t maybe_key[static WG_KEY_LEN], bool have_it) { if (!have_it) return "(none)"; return key(maybe_key); } -static char *masked_key(const uint8_t masked_key[static WG_KEY_LEN]) +static const char *masked_key(const uint8_t masked_key[static WG_KEY_LEN]) { const char *var = getenv("WG_HIDE_KEYS"); @@ -312,9 +312,9 @@ static bool ugly_print(struct wgdevice *device, const char *param, bool with_int else printf("off\n"); } else if (!strcmp(param, "endpoints")) { - if (with_interface) - printf("%s\t", device->name); for_each_wgpeer(device, peer) { + if (with_interface) + printf("%s\t", device->name); printf("%s\t", key(peer->public_key)); if (peer->endpoint.addr.sa_family == AF_INET || peer->endpoint.addr.sa_family == AF_INET6) printf("%s\n", endpoint(&peer->endpoint.addr)); @@ -376,7 +376,7 @@ static bool ugly_print(struct wgdevice *device, const char *param, bool with_int return true; } -int show_main(int argc, char *argv[]) +int show_main(int argc, const char *argv[]) { int ret = 0; diff --git a/src/showconf.c b/src/showconf.c index 6e6a4a5..62070dc 100644 --- a/src/showconf.c +++ b/src/showconf.c @@ -1,4 +1,4 @@ -// SPDX-License-Identifier: GPL-2.0 +// SPDX-License-Identifier: GPL-2.0 OR MIT /* * Copyright (C) 2015-2020 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved. */ @@ -18,7 +18,7 @@ #include "ipc.h" #include "subcommands.h" -int showconf_main(int argc, char *argv[]) +int showconf_main(int argc, const char *argv[]) { char base64[WG_KEY_LEN_BASE64]; char ip[INET6_ADDRSTRLEN]; diff --git a/src/subcommands.h b/src/subcommands.h index 68e9334..4308b5b 100644 --- a/src/subcommands.h +++ b/src/subcommands.h @@ -1,4 +1,4 @@ -/* SPDX-License-Identifier: GPL-2.0 */ +/* SPDX-License-Identifier: GPL-2.0 OR MIT */ /* * Copyright (C) 2015-2020 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved. */ @@ -7,11 +7,11 @@ #define SUBCOMMANDS_H extern const char *PROG_NAME; -int show_main(int argc, char *argv[]); -int showconf_main(int argc, char *argv[]); -int set_main(int argc, char *argv[]); -int setconf_main(int argc, char *argv[]); -int genkey_main(int argc, char *argv[]); -int pubkey_main(int argc, char *argv[]); +int show_main(int argc, const char *argv[]); +int showconf_main(int argc, const char *argv[]); +int set_main(int argc, const char *argv[]); +int setconf_main(int argc, const char *argv[]); +int genkey_main(int argc, const char *argv[]); +int pubkey_main(int argc, const char *argv[]); #endif diff --git a/src/systemd/wg-quick@.service b/src/systemd/wg-quick@.service index a9cbb58..dbdab44 100644 --- a/src/systemd/wg-quick@.service +++ b/src/systemd/wg-quick@.service @@ -15,6 +15,7 @@ Type=oneshot RemainAfterExit=yes ExecStart=/usr/bin/wg-quick up %i ExecStop=/usr/bin/wg-quick down %i +ExecReload=/bin/bash -c 'exec /usr/bin/wg syncconf %i <(exec /usr/bin/wg-quick strip %i)' Environment=WG_ENDPOINT_RESOLUTION_RETRIES=infinity [Install] diff --git a/src/terminal.c b/src/terminal.c index bea27ba..d3e6611 100644 --- a/src/terminal.c +++ b/src/terminal.c @@ -1,9 +1,8 @@ -// SPDX-License-Identifier: GPL-2.0 +// SPDX-License-Identifier: GPL-2.0 OR MIT /* * Copyright (C) 2015-2020 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved. */ -#include <ctype.h> #include <stdarg.h> #include <stddef.h> #include <stdio.h> @@ -11,6 +10,8 @@ #include <string.h> #include <stdbool.h> #include <unistd.h> +#include "ctype.h" +#include "terminal.h" static bool color_mode(void) { @@ -46,7 +47,7 @@ static void filter_ansi(const char *fmt, va_list args) if (str[i] == '\x1b' && str[i + 1] == '[') { str[i] = str[i + 1] = '\0'; for (j = i + 2; j < len; ++j) { - if (isalpha(str[j])) + if (char_is_alpha(str[j])) break; str[j] = '\0'; } diff --git a/src/terminal.h b/src/terminal.h index 58697fa..50b1686 100644 --- a/src/terminal.h +++ b/src/terminal.h @@ -1,4 +1,4 @@ -/* SPDX-License-Identifier: GPL-2.0 */ +/* SPDX-License-Identifier: GPL-2.0 OR MIT */ /* * Copyright (C) 2015-2020 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved. */ diff --git a/src/uapi/freebsd/dev/wg/if_wg.h b/src/uapi/freebsd/dev/wg/if_wg.h new file mode 100644 index 0000000..a4b3b13 --- /dev/null +++ b/src/uapi/freebsd/dev/wg/if_wg.h @@ -0,0 +1,16 @@ +#ifndef __IF_WG_H__ +#define __IF_WG_H__ + +#include <net/if.h> +#include <netinet/in.h> + +struct wg_data_io { + char wgd_name[IFNAMSIZ]; + void *wgd_data; + size_t wgd_size; +}; + +#define SIOCSWG _IOWR('i', 210, struct wg_data_io) +#define SIOCGWG _IOWR('i', 211, struct wg_data_io) + +#endif diff --git a/src/uapi/windows/wireguard.h b/src/uapi/windows/wireguard.h new file mode 100644 index 0000000..5c5938e --- /dev/null +++ b/src/uapi/windows/wireguard.h @@ -0,0 +1,80 @@ +/* SPDX-License-Identifier: GPL-2.0 + * + * Copyright (C) 2021 WireGuard LLC. All Rights Reserved. + */ + +#ifndef _WIREGUARD_NT_H +#define _WIREGUARD_NT_H + +#include <ntdef.h> +#include <ws2def.h> +#include <ws2ipdef.h> +#include <inaddr.h> +#include <in6addr.h> + +#define WG_KEY_LEN 32 + +typedef struct _WG_IOCTL_ALLOWED_IP +{ + union + { + IN_ADDR V4; + IN6_ADDR V6; + } Address; + ADDRESS_FAMILY AddressFamily; + UCHAR Cidr; +} __attribute__((aligned(8))) WG_IOCTL_ALLOWED_IP; + +typedef enum +{ + WG_IOCTL_PEER_HAS_PUBLIC_KEY = 1 << 0, + WG_IOCTL_PEER_HAS_PRESHARED_KEY = 1 << 1, + WG_IOCTL_PEER_HAS_PERSISTENT_KEEPALIVE = 1 << 2, + WG_IOCTL_PEER_HAS_ENDPOINT = 1 << 3, + WG_IOCTL_PEER_HAS_PROTOCOL_VERSION = 1 << 4, + WG_IOCTL_PEER_REPLACE_ALLOWED_IPS = 1 << 5, + WG_IOCTL_PEER_REMOVE = 1 << 6, + WG_IOCTL_PEER_UPDATE = 1 << 7 +} WG_IOCTL_PEER_FLAG; + +typedef struct _WG_IOCTL_PEER +{ + WG_IOCTL_PEER_FLAG Flags; + ULONG ProtocolVersion; /* 0 = latest protocol, 1 = this protocol. */ + UCHAR PublicKey[WG_KEY_LEN]; + UCHAR PresharedKey[WG_KEY_LEN]; + USHORT PersistentKeepalive; + SOCKADDR_INET Endpoint; + ULONG64 TxBytes; + ULONG64 RxBytes; + ULONG64 LastHandshake; + ULONG AllowedIPsCount; +} __attribute__((aligned(8))) WG_IOCTL_PEER; + +typedef enum +{ + WG_IOCTL_INTERFACE_HAS_PUBLIC_KEY = 1 << 0, + WG_IOCTL_INTERFACE_HAS_PRIVATE_KEY = 1 << 1, + WG_IOCTL_INTERFACE_HAS_LISTEN_PORT = 1 << 2, + WG_IOCTL_INTERFACE_REPLACE_PEERS = 1 << 3 +} WG_IOCTL_INTERFACE_FLAG; + +typedef struct _WG_IOCTL_INTERFACE +{ + WG_IOCTL_INTERFACE_FLAG Flags; + USHORT ListenPort; + UCHAR PrivateKey[WG_KEY_LEN]; + UCHAR PublicKey[WG_KEY_LEN]; + ULONG PeersCount; +} __attribute__((aligned(8))) WG_IOCTL_INTERFACE; + +#define WG_IOCTL_GET CTL_CODE(45208U, 321, METHOD_OUT_DIRECT, FILE_READ_DATA | FILE_WRITE_DATA) +#define WG_IOCTL_SET CTL_CODE(45208U, 322, METHOD_IN_DIRECT, FILE_READ_DATA | FILE_WRITE_DATA) + +#define DEVPKEY_WG_NAME (DEVPROPKEY) { \ + { 0x65726957, 0x7547, 0x7261, { 0x64, 0x4e, 0x61, 0x6d, 0x65, 0x4b, 0x65, 0x79 } }, \ + DEVPROPID_FIRST_USABLE + 1 \ + } + + +#endif diff --git a/src/version.h b/src/version.h index 31cfae2..c3ca131 100644 --- a/src/version.h +++ b/src/version.h @@ -1,3 +1,3 @@ #ifndef WIREGUARD_TOOLS_VERSION -#define WIREGUARD_TOOLS_VERSION "1.0.20200513" +#define WIREGUARD_TOOLS_VERSION "1.0.20210914" #endif diff --git a/src/wg-quick/android.c b/src/wg-quick/android.c index 49ae1e3..1263ee4 100644 --- a/src/wg-quick/android.c +++ b/src/wg-quick/android.c @@ -1,6 +1,6 @@ // SPDX-License-Identifier: GPL-2.0 /* - * Copyright (C) 2015-2020 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved. + * Copyright (C) 2015-2021 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved. * * This is a shell script written in C. It very intentionally still functions like * a shell script, calling out to external executables such as ip(8). @@ -25,6 +25,7 @@ #include <sys/stat.h> #include <sys/wait.h> #include <sys/param.h> +#include <sys/system_properties.h> #ifndef WG_PACKAGE_NAME #define WG_PACKAGE_NAME "com.wireguard.android" @@ -39,6 +40,7 @@ static bool is_exiting = false; static bool binder_available = false; +static unsigned int sdk_version; static void *xmalloc(size_t size) { @@ -726,8 +728,8 @@ static void up_if(unsigned int *netid, const char *iface, uint16_t listen_port) cmd("iptables -I INPUT 1 -p udp --dport %u -j ACCEPT -m comment --comment \"wireguard rule %s\"", listen_port, iface); cmd("ip6tables -I INPUT 1 -p udp --dport %u -j %s -m comment --comment \"wireguard rule %s\"", listen_port, should_block_ipv6(iface) ? "DROP" : "ACCEPT", iface); } - cndc("interface setcfg %s up", iface); - cndc("network create %u vpn 1 1", *netid); + cmd("ip link set up dev %s", iface); + cndc(sdk_version < 31 ? "network create %u vpn 1 1" : "network create %u vpn 1", *netid); cndc("network interface add %u %s", *netid, iface); } @@ -785,6 +787,7 @@ static uid_t *get_uid_list(const char *selected_applications) static void set_users(unsigned int netid, const char *excluded_applications, const char *included_applications) { _cleanup_free_ uid_t *uids = NULL; + uid_t *uid; unsigned int args_per_command = 0; _cleanup_free_ char *ranges = NULL; char range[22]; @@ -796,14 +799,14 @@ static void set_users(unsigned int netid, const char *excluded_applications, con } if (excluded_applications || !included_applications) { - uids = get_uid_list(excluded_applications); - for (start = 0; *uids; start = *uids + 1, ++uids) { - if (start > *uids - 1) + uid = uids = get_uid_list(excluded_applications); + for (start = 0; *uid; start = *uid + 1, ++uid) { + if (start > *uid - 1) continue; - else if (start == *uids - 1) + else if (start == *uid - 1) snprintf(range, sizeof(range), "%u", start); else - snprintf(range, sizeof(range), "%u-%u", start, *uids - 1); + snprintf(range, sizeof(range), "%u-%u", start, *uid - 1); ranges = concat_and_free(ranges, " ", range); if (++args_per_command % 18 == 0) { cndc("network users add %u %s", netid, ranges); @@ -816,8 +819,8 @@ static void set_users(unsigned int netid, const char *excluded_applications, con ranges = concat_and_free(ranges, " ", range); } } else { - for (uids = get_uid_list(included_applications); *uids; ++uids) { - snprintf(range, sizeof(range), "%u", *uids); + for (uid = uids = get_uid_list(included_applications); *uid; ++uid) { + snprintf(range, sizeof(range), "%u", *uid); ranges = concat_and_free(ranges, " ", range); if (++args_per_command % 18 == 0) { cndc("network users add %u %s", netid, ranges); @@ -852,7 +855,7 @@ static void set_dnses(unsigned int netid, const char *dnses) if (!len) return; - xregcomp(®ex_ipnothost, "^[a-zA-Z0-9_=+.-]{1,15}$", REG_EXTENDED | REG_NOSUB); + xregcomp(®ex_ipnothost, "(^[0-9.]+$)|(^.*:.*$)", REG_EXTENDED | REG_NOSUB); for (char *dns = strtok(mutable, ", \t\n"); dns; dns = strtok(NULL, ", \t\n")) { if (strchr(dns, '\'') || strchr(dns, '\\')) continue; @@ -1277,6 +1280,10 @@ int main(int argc, char *argv[]) _cleanup_free_ char *excluded_applications = NULL; _cleanup_free_ char *included_applications = NULL; unsigned int mtu; + char prop[PROP_VALUE_MAX + 1]; + + if (__system_property_get("ro.build.version.sdk", prop)) + sdk_version = atoi(prop); if (argc == 2 && (!strcmp(argv[1], "help") || !strcmp(argv[1], "--help") || !strcmp(argv[1], "-h"))) cmd_usage(argv[0]); diff --git a/src/wg-quick/darwin.bash b/src/wg-quick/darwin.bash index cde1b54..c938112 100755 --- a/src/wg-quick/darwin.bash +++ b/src/wg-quick/darwin.bash @@ -194,14 +194,14 @@ collect_gateways() { GATEWAY4="" while read -r destination gateway _; do - [[ $destination == default ]] || continue + [[ $destination == default && $gateway != "link#"* ]] || continue GATEWAY4="$gateway" break done < <(netstat -nr -f inet) GATEWAY6="" while read -r destination gateway _; do - [[ $destination == default ]] || continue + [[ $destination == default && $gateway != "link#"* ]] || continue GATEWAY6="$gateway" break done < <(netstat -nr -f inet6) @@ -324,22 +324,24 @@ monitor_daemon() { echo "[+] Backgrounding route monitor" >&2 (trap 'del_routes; del_dns; exit 0' INT TERM EXIT exec >/dev/null 2>&1 - local event pid=$BASHPID + exec 19< <(exec route -n monitor) + local event bpid=$BASHPID mpid=$! [[ ${#DNS[@]} -gt 0 ]] && trap set_dns ALRM # TODO: this should also check to see if the endpoint actually changes # in response to incoming packets, and then call set_endpoint_direct_route # then too. That function should be able to gracefully cleanup if the # endpoints change. - while read -r event; do + while read -u 19 -r event; do [[ $event == RTM_* ]] || continue ifconfig "$REAL_INTERFACE" >/dev/null 2>&1 || break [[ $AUTO_ROUTE4 -eq 1 || $AUTO_ROUTE6 -eq 1 ]] && set_endpoint_direct_route [[ -z $MTU ]] && set_mtu if [[ ${#DNS[@]} -gt 0 ]]; then set_dns - sleep 2 && kill -ALRM $pid 2>/dev/null & + sleep 2 && kill -ALRM $bpid 2>/dev/null & fi - done < <(route -n monitor)) & + done + kill $mpid) & [[ -n $LAUNCHED_BY_LAUNCHD ]] || disown } @@ -450,8 +452,8 @@ cmd_up() { local i get_real_interface && die "\`$INTERFACE' already exists as \`$REAL_INTERFACE'" trap 'del_if; del_routes; exit' INT TERM EXIT - execute_hooks "${PRE_UP[@]}" add_if + execute_hooks "${PRE_UP[@]}" set_config for i in "${ADDRESSES[@]}"; do add_addr "$i" diff --git a/src/wg-quick/freebsd.bash b/src/wg-quick/freebsd.bash index e1ee67f..f72daf6 100755 --- a/src/wg-quick/freebsd.bash +++ b/src/wg-quick/freebsd.bash @@ -8,6 +8,7 @@ set -e -o pipefail shopt -s extglob export LC_ALL=C +exec 3>&2 SELF="$(readlink -f "${BASH_SOURCE[0]}")" export PATH="${SELF%/*}:$PATH" @@ -28,7 +29,7 @@ PROGRAM="${0##*/}" ARGS=( "$@" ) cmd() { - echo "[#] $*" >&2 + echo "[#] $*" >&3 "$@" } @@ -114,6 +115,16 @@ auto_su() { } add_if() { + local ret rc + if ret="$(cmd ifconfig wg create name "$INTERFACE" 2>&1 >/dev/null)"; then + return 0 + fi + rc=$? + if [[ $ret == *"ifconfig: ioctl SIOCSIFNAME (set name): File exists"* ]]; then + echo "$ret" >&3 + return $rc + fi + echo "[!] Missing WireGuard kernel support ($ret). Falling back to slow userspace implementation." >&3 cmd "${WG_QUICK_USERSPACE_IMPLEMENTATION:-wireguard-go}" "$INTERFACE" } @@ -141,24 +152,14 @@ del_routes() { done } -if_exists() { - # HACK: The goal is simply to determine whether or not the interface exists. The - # straight-forward way of doing this would be `ifconfig $INTERFACE`, but this - # invokes the SIOCGIFSTATUS ioctl, which races with interface shutdown inside - # the tun driver, resulting in a kernel panic. So we work around it the stupid - # way by using the one utility that appears to call if_nametoindex fairly early - # and fails if it doesn't exist: `arp`. - if arp -i "$INTERFACE" -a -n >/dev/null 2>&1; then - return 0 - else - return 1 - fi -} - del_if() { [[ $HAVE_SET_DNS -eq 0 ]] || unset_dns - cmd rm -f "/var/run/wireguard/$INTERFACE.sock" - while if_exists; do + if [[ -S /var/run/wireguard/$INTERFACE.sock ]]; then + cmd rm -f "/var/run/wireguard/$INTERFACE.sock" + else + cmd ifconfig "$INTERFACE" destroy + fi + while ifconfig "$INTERFACE" >/dev/null 2>&1; do # HACK: it would be nice to `route monitor` here and wait for RTM_IFANNOUNCE # but it turns out that the announcement is made before the interface # disappears so we sometimes get a hang. So, we're instead left with polling @@ -175,7 +176,7 @@ add_addr() { if [[ $1 == *:* ]]; then cmd ifconfig "$INTERFACE" inet6 "$1" alias else - cmd ifconfig "$INTERFACE" inet "$1" "${1%%/*}" alias + cmd ifconfig "$INTERFACE" inet "$1" alias fi } @@ -283,18 +284,19 @@ monitor_daemon() { (make_temp trap 'del_routes; clean_temp; exit 0' INT TERM EXIT exec >/dev/null 2>&1 - local event + exec 19< <(exec route -n monitor) + local event pid=$! # TODO: this should also check to see if the endpoint actually changes # in response to incoming packets, and then call set_endpoint_direct_route # then too. That function should be able to gracefully cleanup if the # endpoints change. - while read -r event; do + while read -u 19 -r event; do [[ $event == RTM_* ]] || continue - [[ -e /var/run/wireguard/$INTERFACE.sock ]] || break - if_exists || break + ifconfig "$INTERFACE" >/dev/null 2>&1 || break [[ $AUTO_ROUTE4 -eq 1 || $AUTO_ROUTE6 -eq 1 ]] && set_endpoint_direct_route # TODO: set the mtu as well, but only if up - done < <(route -n monitor)) & disown + done + kill $pid) & disown } HAVE_SET_DNS=0 @@ -335,7 +337,7 @@ add_route() { } set_config() { - cmd wg setconf "$INTERFACE" <(echo "$WG_CONFIG") + echo "$WG_CONFIG" | cmd wg setconf "$INTERFACE" /dev/stdin } save_config() { @@ -418,8 +420,8 @@ cmd_up() { local i [[ -z $(ifconfig "$INTERFACE" 2>/dev/null) ]] || die "\`$INTERFACE' already exists" trap 'del_if; del_routes; clean_temp; exit' INT TERM EXIT - execute_hooks "${PRE_UP[@]}" add_if + execute_hooks "${PRE_UP[@]}" set_config for i in "${ADDRESSES[@]}"; do add_addr "$i" diff --git a/src/wg-quick/linux.bash b/src/wg-quick/linux.bash index e4d4c4f..4193ce5 100755 --- a/src/wg-quick/linux.bash +++ b/src/wg-quick/linux.bash @@ -220,9 +220,9 @@ add_default() { fi local proto=-4 iptables=iptables pf=ip [[ $1 == *:* ]] && proto=-6 iptables=ip6tables pf=ip6 - cmd ip $proto route add "$1" dev "$INTERFACE" table $table cmd ip $proto rule add not fwmark $table table $table cmd ip $proto rule add table main suppress_prefixlength 0 + cmd ip $proto route add "$1" dev "$INTERFACE" table $table local marker="-m comment --comment \"wg-quick(8) rule for $INTERFACE\"" restore=$'*raw\n' nftable="wg-quick-$INTERFACE" nftcmd printf -v nftcmd '%sadd table %s %s\n' "$nftcmd" "$pf" "$nftable" @@ -327,8 +327,8 @@ cmd_up() { local i [[ -z $(ip link show dev "$INTERFACE" 2>/dev/null) ]] || die "\`$INTERFACE' already exists" trap 'del_if; exit' INT TERM EXIT - execute_hooks "${PRE_UP[@]}" add_if + execute_hooks "${PRE_UP[@]}" set_config for i in "${ADDRESSES[@]}"; do add_addr "$i" diff --git a/src/wg-quick/openbsd.bash b/src/wg-quick/openbsd.bash index ffd1834..b58ecf5 100755 --- a/src/wg-quick/openbsd.bash +++ b/src/wg-quick/openbsd.bash @@ -88,42 +88,33 @@ auto_su() { get_real_interface() { - local interface diff - wg show interfaces >/dev/null - [[ -f "/var/run/wireguard/$INTERFACE.name" ]] || return 1 - interface="$(< "/var/run/wireguard/$INTERFACE.name")" - if [[ $interface != wg* ]]; then - [[ -n $interface && -S "/var/run/wireguard/$interface.sock" ]] || return 1 - diff=$(( $(stat -f %m "/var/run/wireguard/$interface.sock" 2>/dev/null || echo 200) - $(stat -f %m "/var/run/wireguard/$INTERFACE.name" 2>/dev/null || echo 100) )) - [[ $diff -ge 2 || $diff -le -2 ]] && return 1 - echo "[+] Tun interface for $INTERFACE is $interface" >&2 - else - [[ " $(wg show interfaces) " == *" $interface "* ]] || return 1 - fi - REAL_INTERFACE="$interface" - return 0 + local interface line + while IFS= read -r line; do + if [[ $line =~ ^([a-z]+[0-9]+):\ .+ ]]; then + interface="${BASH_REMATCH[1]}" + continue + fi + if [[ $interface == wg* && $line =~ ^\ description:\ wg-quick:\ (.+) && ${BASH_REMATCH[1]} == "$INTERFACE" ]]; then + REAL_INTERFACE="$interface" + return 0 + fi + done < <(ifconfig) + return 1 } add_if() { - local index=0 ret while true; do - if ret="$(cmd ifconfig wg$index create 2>&1)"; then - mkdir -p "/var/run/wireguard/" - echo wg$index > /var/run/wireguard/$INTERFACE.name - get_real_interface + local -A existing_ifs="( $(wg show interfaces | sed 's/\([^ ]*\)/[\1]=1/g') )" + local index ret + for ((index=0; index <= 2147483647; ++index)); do [[ -v existing_ifs[wg$index] ]] || break; done + if ret="$(cmd ifconfig wg$index create description "wg-quick: $INTERFACE" 2>&1)"; then + REAL_INTERFACE="wg$index" return 0 fi - if [[ $ret != *"ifconfig: SIOCIFCREATE: File exists"* ]]; then - echo "[!] Missing WireGuard kernel support ($ret). Falling back to slow userspace implementation." >&3 - break - fi - echo "[+] wg$index in use, trying next" - ((++index)) + [[ $ret == *"ifconfig: SIOCIFCREATE: File exists"* ]] && continue + echo "$ret" >&3 + return 1 done - export WG_TUN_NAME_FILE="/var/run/wireguard/$INTERFACE.name" - mkdir -p "/var/run/wireguard/" - cmd "${WG_QUICK_USERSPACE_IMPLEMENTATION:-wireguard-go}" tun - get_real_interface } del_routes() { @@ -153,12 +144,7 @@ del_routes() { del_if() { unset_dns - if [[ -n $REAL_INTERFACE && $REAL_INTERFACE != wg* ]]; then - cmd rm -f "/var/run/wireguard/$REAL_INTERFACE.sock" - else - cmd ifconfig $REAL_INTERFACE destroy - fi - cmd rm -f "/var/run/wireguard/$INTERFACE.name" + [[ -n $REAL_INTERFACE ]] && cmd ifconfig $REAL_INTERFACE destroy } up_if() { @@ -280,30 +266,42 @@ monitor_daemon() { echo "[+] Backgrounding route monitor" >&2 (trap 'del_routes; exit 0' INT TERM EXIT exec >/dev/null 2>&1 - local event + exec 19< <(exec route -n monitor) + local event pid=$! # TODO: this should also check to see if the endpoint actually changes # in response to incoming packets, and then call set_endpoint_direct_route # then too. That function should be able to gracefully cleanup if the # endpoints change. - while read -r event; do + while read -u 19 -r event; do [[ $event == RTM_* ]] || continue ifconfig "$REAL_INTERFACE" >/dev/null 2>&1 || break [[ $AUTO_ROUTE4 -eq 1 || $AUTO_ROUTE6 -eq 1 ]] && set_endpoint_direct_route # TODO: set the mtu as well, but only if up - done < <(route -n monitor)) & disown + done + kill $pid) & disown } set_dns() { [[ ${#DNS[@]} -gt 0 ]] || return 0 - # TODO: this is a horrible way of doing it. Has OpenBSD no resolvconf? + + # TODO: add exclusive support for nameservers + if pgrep -qx unwind; then + echo "[!] WARNING: unwind will leak DNS queries" >&2 + elif pgrep -qx resolvd; then + echo "[!] WARNING: resolvd may leak DNS queries" >&2 + else + echo "[+] resolvd is not running, DNS will not be configured" >&2 + return 0 + fi + cmd cp /etc/resolv.conf "/etc/resolv.conf.wg-quick-backup.$INTERFACE" - { cmd printf 'nameserver %s\n' "${DNS[@]}" - [[ ${#DNS_SEARCH[@]} -eq 0 ]] || cmd printf 'search %s\n' "${DNS_SEARCH[*]}" - } > /etc/resolv.conf + [[ ${#DNS_SEARCH[@]} -eq 0 ]] || cmd printf 'search %s\n' "${DNS_SEARCH[*]}" > /etc/resolv.conf + route nameserver ${REAL_INTERFACE} ${DNS[@]} } unset_dns() { [[ -f "/etc/resolv.conf.wg-quick-backup.$INTERFACE" ]] || return 0 + route nameserver ${REAL_INTERFACE} cmd mv "/etc/resolv.conf.wg-quick-backup.$INTERFACE" /etc/resolv.conf } @@ -419,8 +417,8 @@ cmd_up() { local i get_real_interface && die "\`$INTERFACE' already exists as \`$REAL_INTERFACE'" trap 'del_if; del_routes; exit' INT TERM EXIT - execute_hooks "${PRE_UP[@]}" add_if + execute_hooks "${PRE_UP[@]}" set_config for i in "${ADDRESSES[@]}"; do add_addr "$i" @@ -438,9 +436,7 @@ cmd_up() { } cmd_down() { - if ! get_real_interface || [[ " $(wg show interfaces) " != *" $REAL_INTERFACE "* ]]; then - die "\`$INTERFACE' is not a WireGuard interface" - fi + get_real_interface || die "\`$INTERFACE' is not a WireGuard interface" execute_hooks "${PRE_DOWN[@]}" [[ $SAVE_CONFIG -eq 0 ]] || save_config del_if @@ -449,9 +445,7 @@ cmd_down() { } cmd_save() { - if ! get_real_interface || [[ " $(wg show interfaces) " != *" $REAL_INTERFACE "* ]]; then - die "\`$INTERFACE' is not a WireGuard interface" - fi + get_real_interface || die "\`$INTERFACE' is not a WireGuard interface" save_config } @@ -1,4 +1,4 @@ -// SPDX-License-Identifier: GPL-2.0 +// SPDX-License-Identifier: GPL-2.0 OR MIT /* * Copyright (C) 2015-2020 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved. */ @@ -14,7 +14,7 @@ const char *PROG_NAME; static const struct { const char *subcommand; - int (*function)(int, char**); + int (*function)(int, const char**); const char *description; } subcommands[] = { { "show", show_main, "Shows the current configuration and device information" }, @@ -37,7 +37,7 @@ static void show_usage(FILE *file) fprintf(file, "You may pass `--help' to any of these subcommands to view usage.\n"); } -int main(int argc, char *argv[]) +int main(int argc, const char *argv[]) { PROG_NAME = argv[0]; @@ -51,7 +51,7 @@ int main(int argc, char *argv[]) } if (argc == 1) { - static char *new_argv[] = { "show", NULL }; + static const char *new_argv[] = { "show", NULL }; return show_main(1, new_argv); } diff --git a/src/wincompat/compat.h b/src/wincompat/compat.h index 5decc66..4c5b368 100644 --- a/src/wincompat/compat.h +++ b/src/wincompat/compat.h @@ -18,8 +18,6 @@ #undef min #undef max -#define WINCOMPAT - #define IFNAMSIZ 64 #define EAI_SYSTEM -99 @@ -27,5 +25,3 @@ char *strsep(char **str, const char *sep); ssize_t getdelim(char **buf, size_t *bufsiz, int delimiter, FILE *fp); ssize_t getline(char **buf, size_t *bufsiz, FILE *fp); -int inet_pton(int af, const char *src, void *dst); -const char *inet_ntop(int af, const void *src, char *dst, socklen_t size); diff --git a/src/wincompat/getrandom.c b/src/wincompat/getrandom.c deleted file mode 100644 index b064b04..0000000 --- a/src/wincompat/getrandom.c +++ /dev/null @@ -1,12 +0,0 @@ -// SPDX-License-Identifier: GPL-2.0 -/* - * Copyright (C) 2015-2020 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved. - */ - -#include <stdbool.h> -#include <ntsecapi.h> - -static inline bool __attribute__((__warn_unused_result__)) get_random_bytes(uint8_t *out, size_t len) -{ - return RtlGenRandom(out, len); -} diff --git a/src/wincompat/include/hashtable.h b/src/wincompat/include/hashtable.h new file mode 100644 index 0000000..bd83bbb --- /dev/null +++ b/src/wincompat/include/hashtable.h @@ -0,0 +1,61 @@ +/* SPDX-License-Identifier: GPL-2.0 + * + * Copyright (C) 2018-2021 WireGuard LLC. All Rights Reserved. + */ + +#ifndef _HASHTABLE_H +#define _HASHTABLE_H + +#include <string.h> + +enum { HASHTABLE_ENTRY_BUCKETS_POW2 = 1 << 10 }; + +struct hashtable_entry { + char *key; + void *value; + struct hashtable_entry *next; +}; + +struct hashtable { + struct hashtable_entry *entry_buckets[HASHTABLE_ENTRY_BUCKETS_POW2]; +}; + +static unsigned int hashtable_bucket(const char *str) +{ + unsigned long hash = 5381; + char c; + while ((c = *str++)) + hash = ((hash << 5) + hash) ^ c; + return hash & (HASHTABLE_ENTRY_BUCKETS_POW2 - 1); +} + +static struct hashtable_entry *hashtable_find_entry(struct hashtable *hashtable, const char *key) +{ + struct hashtable_entry *entry; + for (entry = hashtable->entry_buckets[hashtable_bucket(key)]; entry; entry = entry->next) { + if (!strcmp(entry->key, key)) + return entry; + } + return NULL; +} + +static struct hashtable_entry *hashtable_find_or_insert_entry(struct hashtable *hashtable, const char *key) +{ + struct hashtable_entry **entry; + for (entry = &hashtable->entry_buckets[hashtable_bucket(key)]; *entry; entry = &(*entry)->next) { + if (!strcmp((*entry)->key, key)) + return *entry; + } + *entry = calloc(1, sizeof(**entry)); + if (!*entry) + return NULL; + (*entry)->key = strdup(key); + if (!(*entry)->key) { + free(*entry); + *entry = NULL; + return NULL; + } + return *entry; +} + +#endif diff --git a/src/wincompat/include/sys/ioctl.h b/src/wincompat/include/sys/ioctl.h deleted file mode 100644 index e69de29..0000000 --- a/src/wincompat/include/sys/ioctl.h +++ /dev/null diff --git a/src/wincompat/include/sys/un.h b/src/wincompat/include/sys/un.h deleted file mode 100644 index e69de29..0000000 --- a/src/wincompat/include/sys/un.h +++ /dev/null diff --git a/src/wincompat/init.c b/src/wincompat/init.c index 8943fff..f92c0a9 100644 --- a/src/wincompat/init.c +++ b/src/wincompat/init.c @@ -10,12 +10,22 @@ #define ENABLE_VIRTUAL_TERMINAL_PROCESSING 0x4 #endif +extern void NTAPI RtlGetNtVersionNumbers(DWORD *major, DWORD *minor, DWORD *build); +bool is_win7 = false; + __attribute__((constructor)) static void init(void) { char *colormode; - DWORD console_mode; + DWORD console_mode, major, minor; HANDLE stdout_handle; WSADATA wsaData; + + if (!SetDllDirectoryA("") || !SetDefaultDllDirectories(LOAD_LIBRARY_SEARCH_SYSTEM32)) + abort(); + + RtlGetNtVersionNumbers(&major, &minor, NULL); + is_win7 = (major == 6 && minor <= 1) || major < 6; + WSAStartup(MAKEWORD(2, 2), &wsaData); stdout_handle = GetStdHandle(STD_OUTPUT_HANDLE); // We don't close this. diff --git a/src/wincompat/libc.c b/src/wincompat/libc.c index 870d913..3138370 100644 --- a/src/wincompat/libc.c +++ b/src/wincompat/libc.c @@ -6,8 +6,6 @@ #include <stdio.h> #include <stdbool.h> #include <stdint.h> -#include <winsock2.h> -#include <ws2tcpip.h> #include <windows.h> char *strsep(char **str, const char *sep) @@ -69,37 +67,3 @@ ssize_t getline(char **buf, size_t *bufsiz, FILE *fp) { return getdelim(buf, bufsiz, '\n', fp); } - -int inet_pton(int af, const char *src, void *dst) -{ - struct sockaddr_storage ss = { 0 }; - int size = sizeof(ss); - char s[INET6_ADDRSTRLEN + 1]; - - strncpy(s, src, INET6_ADDRSTRLEN + 1); - s[INET6_ADDRSTRLEN] = '\0'; - - if (WSAStringToAddress(s, af, NULL, (struct sockaddr *)&ss, &size)) - return 0; - if (af == AF_INET) - *(struct in_addr *)dst = ((struct sockaddr_in *)&ss)->sin_addr; - else if (af == AF_INET6) - *(struct in6_addr *)dst = ((struct sockaddr_in6 *)&ss)->sin6_addr; - else - return 0; - return 1; -} - -const char *inet_ntop(int af, const void *src, char *dst, socklen_t size) -{ - struct sockaddr_storage ss = { .ss_family = af }; - unsigned long s = size; - - if (af == AF_INET) - ((struct sockaddr_in *)&ss)->sin_addr = *(struct in_addr *)src; - else if (af == AF_INET6) - ((struct sockaddr_in6 *)&ss)->sin6_addr = *(struct in6_addr *)src; - else - return NULL; - return WSAAddressToString((struct sockaddr *)&ss, sizeof(ss), NULL, dst, &s) ? NULL : dst; -} diff --git a/src/wincompat/loader.c b/src/wincompat/loader.c new file mode 100644 index 0000000..72367b4 --- /dev/null +++ b/src/wincompat/loader.c @@ -0,0 +1,20 @@ +// SPDX-License-Identifier: GPL-2.0 +/* + * Copyright (C) 2015-2021 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved. + */ + +#include <windows.h> +#include <delayimp.h> + +static FARPROC WINAPI delayed_load_library_hook(unsigned dliNotify, PDelayLoadInfo pdli) +{ + HMODULE library; + if (dliNotify != dliNotePreLoadLibrary) + return NULL; + library = LoadLibraryExA(pdli->szDll, NULL, LOAD_LIBRARY_SEARCH_SYSTEM32); + if (!library) + abort(); + return (FARPROC)library; +} + +PfnDliHook __pfnDliNotifyHook2 = delayed_load_library_hook; diff --git a/src/wincompat/manifest.xml b/src/wincompat/manifest.xml new file mode 100644 index 0000000..fb9a1b4 --- /dev/null +++ b/src/wincompat/manifest.xml @@ -0,0 +1,23 @@ +<?xml version="1.0" encoding="UTF-8" standalone="yes"?> +<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> + <assemblyIdentity version="1.0.0.0" processorArchitecture="*" name="wg" type="win32" /> + <compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"> + <application> + <!-- Windows 10 --> + <supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}" /> + <!-- Windows 8.1 --> + <supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}" /> + <!-- Windows 8 --> + <supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}" /> + <!-- Windows 7 --> + <supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}" /> + </application> + </compatibility> + <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> + <security> + <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> + <requestedExecutionLevel level="asInvoker" /> + </requestedPrivileges> + </security> + </trustInfo> +</assembly> diff --git a/src/wincompat/resources.rc b/src/wincompat/resources.rc new file mode 100644 index 0000000..2a0330c --- /dev/null +++ b/src/wincompat/resources.rc @@ -0,0 +1,40 @@ +/* SPDX-License-Identifier: GPL-2.0 + * + * Copyright (C) 2020 Jason A. Donenfeld. All Rights Reserved. + */ + +#include <windows.h> + +#pragma code_page(65001) // UTF-8 + +LANGUAGE LANG_NEUTRAL, SUBLANG_NEUTRAL +CREATEPROCESS_MANIFEST_RESOURCE_ID RT_MANIFEST manifest.xml + +#define STRINGIZE(x) #x +#define EXPAND(x) STRINGIZE(x) + +VS_VERSION_INFO VERSIONINFO +FILEOS VOS_NT_WINDOWS32 +FILETYPE VFT_APP +FILESUBTYPE VFT2_UNKNOWN +BEGIN + BLOCK "StringFileInfo" + BEGIN + BLOCK "040904b0" + BEGIN + VALUE "CompanyName", "WireGuard LLC" + VALUE "FileDescription", "WireGuard wg(8) CLI: Fast, Modern, Secure VPN Tunnel" + VALUE "FileVersion", EXPAND(VERSION_STR) + VALUE "InternalName", "wg" + VALUE "LegalCopyright", "Copyright © 2015-2020 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved." + VALUE "OriginalFilename", "wg.exe" + VALUE "ProductName", "WireGuard" + VALUE "ProductVersion", EXPAND(VERSION_STR) + VALUE "Comments", "https://www.wireguard.com/" + END + END + BLOCK "VarFileInfo" + BEGIN + VALUE "Translation", 0x409, 0x4b0 + END +END |