Manage advanced sec via uapi

This commit is contained in:
Mazay B 2023-10-09 13:22:49 +01:00
parent 8f1a6a10b2
commit f30419e0d1
3 changed files with 52 additions and 43 deletions


@ -98,6 +98,7 @@ type Device struct {
} }
type aSecCfgType struct { type aSecCfgType struct {
isSet bool
junkPacketCount int junkPacketCount int
junkPacketMinSize int junkPacketMinSize int
junkPacketMaxSize int junkPacketMaxSize int
@ -545,7 +546,7 @@ func (device *Device) BindUpdate() error {
// start receiving routines // start receiving routines
device.net.stopping.Add(len(recvFns)) device.net.stopping.Add(len(recvFns))
device.queue.decryption.wg.Add(len(recvFns)) // each RoutineReceiveIncoming goroutine writes to device.queue.decryption device.queue.decryption.wg.Add(len(recvFns)) // each RoutineReceiveIncoming goroutine writes to device.queue.decryption
device.queue.handshake.wg.Add(len(recvFns)) // each RoutineReceiveIncoming goroutine writes to device.queue.handshake device.queue.handshake.wg.Add(len(recvFns)) // each RoutineReceiveIncoming goroutine writes to device.queue.handshake
batchSize := netc.bind.BatchSize() batchSize := netc.bind.BatchSize()
for _, fn := range recvFns { for _, fn := range recvFns {
go device.RoutineReceiveIncoming(batchSize, fn) go device.RoutineReceiveIncoming(batchSize, fn)
@ -565,25 +566,17 @@ func (device *Device) isAdvancedSecurityOn() bool {
return device.isASecOn.IsSet() return device.isASecOn.IsSet()
} }
func (device *Device) handlePostConfig(tempASecCfg *aSecCfgType) (err error) { func (device *Device) handlePostConfig(tempASecCfg *aSecCfgType) (err error) {
if tempASecCfg.junkPacketCount == 0 && if !tempASecCfg.isSet {
tempASecCfg.junkPacketMaxSize == 0 &&
tempASecCfg.junkPacketMinSize == 0 &&
tempASecCfg.initPacketJunkSize == 0 &&
tempASecCfg.responsePacketJunkSize == 0 &&
tempASecCfg.initPacketMagicHeader == 0 &&
tempASecCfg.responsePacketMagicHeader == 0 &&
tempASecCfg.underloadPacketMagicHeader == 0 &&
tempASecCfg.transportPacketMagicHeader == 0 {
return err return err
} }
isASecOn := false isASecOn := false
device.aSecMux.Lock() device.aSecMux.Lock()
if tempASecCfg.junkPacketCount < 0 { if tempASecCfg.junkPacketCount < 0 {
err = ipcErrorf( err = ipcErrorf(
ipc.IpcErrorInvalid, ipc.IpcErrorInvalid,
"JunkPacketCount should be non negative", "JunkPacketCount should be non negative",
) )
} }
@ -591,24 +584,24 @@ func (device *Device) handlePostConfig(tempASecCfg *aSecCfgType) (err error) {
if tempASecCfg.junkPacketCount != 0 { if tempASecCfg.junkPacketCount != 0 {
isASecOn = true isASecOn = true
} }
device.aSecCfg.junkPacketMinSize = tempASecCfg.junkPacketMinSize device.aSecCfg.junkPacketMinSize = tempASecCfg.junkPacketMinSize
if tempASecCfg.junkPacketMinSize != 0 { if tempASecCfg.junkPacketMinSize != 0 {
isASecOn = true isASecOn = true
} }
if device.aSecCfg.junkPacketCount > 0 && if device.aSecCfg.junkPacketCount > 0 &&
tempASecCfg.junkPacketMaxSize == tempASecCfg.junkPacketMinSize { tempASecCfg.junkPacketMaxSize == tempASecCfg.junkPacketMinSize {
tempASecCfg.junkPacketMaxSize++ // to make rand gen work tempASecCfg.junkPacketMaxSize++ // to make rand gen work
} }
if tempASecCfg.junkPacketMaxSize >= MaxSegmentSize{ if tempASecCfg.junkPacketMaxSize >= MaxSegmentSize {
device.aSecCfg.junkPacketMinSize = 0 device.aSecCfg.junkPacketMinSize = 0
device.aSecCfg.junkPacketMaxSize = 1 device.aSecCfg.junkPacketMaxSize = 1
if err != nil { if err != nil {
err = ipcErrorf( err = ipcErrorf(
ipc.IpcErrorInvalid, ipc.IpcErrorInvalid,
"JunkPacketMaxSize: %d; should be smaller than maxSegmentSize: %d; %w", "JunkPacketMaxSize: %d; should be smaller than maxSegmentSize: %d; %w",
tempASecCfg.junkPacketMaxSize, tempASecCfg.junkPacketMaxSize,
MaxSegmentSize, MaxSegmentSize,
@ -616,7 +609,7 @@ func (device *Device) handlePostConfig(tempASecCfg *aSecCfgType) (err error) {
) )
} else { } else {
err = ipcErrorf( err = ipcErrorf(
ipc.IpcErrorInvalid, ipc.IpcErrorInvalid,
"JunkPacketMaxSize: %d; should be smaller than maxSegmentSize: %d", "JunkPacketMaxSize: %d; should be smaller than maxSegmentSize: %d",
tempASecCfg.junkPacketMaxSize, tempASecCfg.junkPacketMaxSize,
MaxSegmentSize, MaxSegmentSize,
@ -625,18 +618,18 @@ func (device *Device) handlePostConfig(tempASecCfg *aSecCfgType) (err error) {
} else if tempASecCfg.junkPacketMaxSize < tempASecCfg.junkPacketMinSize { } else if tempASecCfg.junkPacketMaxSize < tempASecCfg.junkPacketMinSize {
if err != nil { if err != nil {
err = ipcErrorf( err = ipcErrorf(
ipc.IpcErrorInvalid, ipc.IpcErrorInvalid,
"maxSize: %d; should be greater than minSize: %d; %w", "maxSize: %d; should be greater than minSize: %d; %w",
tempASecCfg.junkPacketMaxSize, tempASecCfg.junkPacketMaxSize,
tempASecCfg.junkPacketMinSize, tempASecCfg.junkPacketMinSize,
err, err,
) )
} else { } else {
err = ipcErrorf( err = ipcErrorf(
ipc.IpcErrorInvalid, ipc.IpcErrorInvalid,
"maxSize: %d; should be greater than minSize: %d", "maxSize: %d; should be greater than minSize: %d",
tempASecCfg.junkPacketMaxSize, tempASecCfg.junkPacketMaxSize,
tempASecCfg.junkPacketMinSize, tempASecCfg.junkPacketMinSize,
) )
} }
} else { } else {
@ -664,10 +657,10 @@ func (device *Device) handlePostConfig(tempASecCfg *aSecCfgType) (err error) {
MaxSegmentSize, MaxSegmentSize,
) )
} }
} else { } else {
device.aSecCfg.initPacketJunkSize = tempASecCfg.initPacketJunkSize device.aSecCfg.initPacketJunkSize = tempASecCfg.initPacketJunkSize
} }
if tempASecCfg.initPacketJunkSize != 0 { if tempASecCfg.initPacketJunkSize != 0 {
isASecOn = true isASecOn = true
} }
@ -689,7 +682,7 @@ func (device *Device) handlePostConfig(tempASecCfg *aSecCfgType) (err error) {
MaxSegmentSize, MaxSegmentSize,
) )
} }
} else { } else {
device.aSecCfg.responsePacketJunkSize = tempASecCfg.responsePacketJunkSize device.aSecCfg.responsePacketJunkSize = tempASecCfg.responsePacketJunkSize
} }
@ -706,7 +699,7 @@ func (device *Device) handlePostConfig(tempASecCfg *aSecCfgType) (err error) {
device.log.Verbosef("UAPI: Using default init type") device.log.Verbosef("UAPI: Using default init type")
MessageInitiationType = 1 MessageInitiationType = 1
} }
if tempASecCfg.responsePacketMagicHeader > 4 { if tempASecCfg.responsePacketMagicHeader > 4 {
isASecOn = true isASecOn = true
device.log.Verbosef("UAPI: Updating response_packet_magic_header") device.log.Verbosef("UAPI: Updating response_packet_magic_header")
@ -716,7 +709,7 @@ func (device *Device) handlePostConfig(tempASecCfg *aSecCfgType) (err error) {
device.log.Verbosef("UAPI: Using default response type") device.log.Verbosef("UAPI: Using default response type")
MessageResponseType = 2 MessageResponseType = 2
} }
if tempASecCfg.underloadPacketMagicHeader > 4 { if tempASecCfg.underloadPacketMagicHeader > 4 {
isASecOn = true isASecOn = true
device.log.Verbosef("UAPI: Updating underload_packet_magic_header") device.log.Verbosef("UAPI: Updating underload_packet_magic_header")
@ -787,14 +780,14 @@ func (device *Device) handlePostConfig(tempASecCfg *aSecCfgType) (err error) {
newResponseSize, newResponseSize,
) )
} }
} else { } else {
packetSizeToMsgType = map[int]uint32{ packetSizeToMsgType = map[int]uint32{
newInitSize: MessageInitiationType, newInitSize: MessageInitiationType,
newResponseSize: MessageResponseType, newResponseSize: MessageResponseType,
MessageCookieReplySize: MessageCookieReplyType, MessageCookieReplySize: MessageCookieReplyType,
MessageTransportSize: MessageTransportType, MessageTransportSize: MessageTransportType,
} }
msgTypeToJunkSize = map[uint32]int{ msgTypeToJunkSize = map[uint32]int{
MessageInitiationType: device.aSecCfg.initPacketJunkSize, MessageInitiationType: device.aSecCfg.initPacketJunkSize,
MessageResponseType: device.aSecCfg.responsePacketJunkSize, MessageResponseType: device.aSecCfg.responsePacketJunkSize,
@ -805,6 +798,6 @@ func (device *Device) handlePostConfig(tempASecCfg *aSecCfgType) (err error) {
device.isASecOn.SetTo(isASecOn) device.isASecOn.SetTo(isASecOn)
device.aSecMux.Unlock() device.aSecMux.Unlock()
return err return err
} }
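Review bot: The new `isSet` field in `aSecCfgType` has no comment, yet it is now the only thing deciding whether handlePostConfig touches device.aSecCfg at all; I would document it as `// isSet is true once any advanced-security key (junk packet count, jmin, jmax, s1, s2, h1-h4) appeared in the UAPI transaction; handlePostConfig leaves the device untouched when it is false.` Note that with this guard a transaction naming only some of those keys falls through to the unconditional copies such as `device.aSecCfg.junkPacketMinSize = tempASecCfg.junkPacketMinSize`, so the keys not named are reset to zero rather than kept — if that is the intended "set replaces the whole group" semantics the comment should say so, otherwise those copies need a per-field presence check. The early `return err` returns the nil named result; `return nil` would make that explicit. The `aSecCfgType` declaration starts inside the hunk but its enclosing `Device` struct context is outside it.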


@ -126,25 +126,31 @@ func (peer *Peer) SendHandshakeInitiation(isRetry bool) error {
if peer.device.isAdvancedSecurityOn() { if peer.device.isAdvancedSecurityOn() {
peer.device.aSecMux.RLock() peer.device.aSecMux.RLock()
junks, err := peer.createJunkPackets() junks, err := peer.createJunkPackets()
peer.device.aSecMux.RUnlock()
if err != nil { if err != nil {
peer.device.aSecMux.RUnlock()
peer.device.log.Errorf("%v - %v", peer, err) peer.device.log.Errorf("%v - %v", peer, err)
return err return err
} }
sendBuffer = append(sendBuffer, junks...)
err = peer.SendBuffers(junks)
if err != nil {
peer.device.log.Errorf("%v - Failed to send junk packets: %v", peer, err)
return err
}
if peer.device.aSecCfg.initPacketJunkSize != 0 { if peer.device.aSecCfg.initPacketJunkSize != 0 {
buf := make([]byte, 0, peer.device.aSecCfg.initPacketJunkSize) buf := make([]byte, 0, peer.device.aSecCfg.initPacketJunkSize)
writer := bytes.NewBuffer(buf[:0]) writer := bytes.NewBuffer(buf[:0])
err = appendJunk(writer, peer.device.aSecCfg.initPacketJunkSize) err = appendJunk(writer, peer.device.aSecCfg.initPacketJunkSize)
if err != nil { if err != nil {
peer.device.aSecMux.RUnlock()
peer.device.log.Errorf("%v - %v", peer, err) peer.device.log.Errorf("%v - %v", peer, err)
return err return err
} }
junkedHeader = writer.Bytes() junkedHeader = writer.Bytes()
} }
peer.device.aSecMux.RUnlock()
} }
var buf [MessageInitiationSize]byte var buf [MessageInitiationSize]byte
writer := bytes.NewBuffer(buf[:0]) writer := bytes.NewBuffer(buf[:0])
binary.Write(writer, binary.LittleEndian, msg) binary.Write(writer, binary.LittleEndian, msg)
@ -154,9 +160,9 @@ func (peer *Peer) SendHandshakeInitiation(isRetry bool) error {
peer.timersAnyAuthenticatedPacketTraversal() peer.timersAnyAuthenticatedPacketTraversal()
peer.timersAnyAuthenticatedPacketSent() peer.timersAnyAuthenticatedPacketSent()
sendBuffer = append(sendBuffer, junkedHeader) sendBuffer = append(sendBuffer, junkedHeader)
err = peer.SendBuffers(sendBuffer) err = peer.SendBuffers(sendBuffer)
if err != nil { if err != nil {
peer.device.log.Errorf("%v - Failed to send handshake initiation: %v", peer, err) peer.device.log.Errorf("%v - Failed to send handshake initiation: %v", peer, err)
@ -191,7 +197,7 @@ func (peer *Peer) SendHandshakeResponse() error {
return err return err
} }
junkedHeader = writer.Bytes() junkedHeader = writer.Bytes()
} }
peer.device.aSecMux.RUnlock() peer.device.aSecMux.RUnlock()
} }
var buf [MessageResponseSize]byte var buf [MessageResponseSize]byte
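Review bot: Moving `peer.device.aSecMux.RUnlock()` up to directly after createJunkPackets leaves the three reads of `peer.device.aSecCfg.initPacketJunkSize` in the junkedHeader block outside the read lock, while handlePostConfig writes that field under `device.aSecMux.Lock()` in this same commit — `go test -race` should report it whenever a UAPI set coincides with a handshake initiation. SendHandshakeResponse, visible in the last hunk of this file, still holds the RLock until after its junkedHeader block, so the two handshake paths are now inconsistent. Snapshotting the size while the lock is held and using the local afterwards fixes the race and still keeps the new `peer.SendBuffers(junks)` call out of the critical section. SendHandshakeInitiation's signature and the rest of its body are outside the hunk.
```go
		peer.device.aSecMux.RLock()
		junks, err := peer.createJunkPackets()
		initJunkSize := peer.device.aSecCfg.initPacketJunkSize
		peer.device.aSecMux.RUnlock()
		// … unchanged: error handling and SendBuffers(junks) …
		if initJunkSize != 0 {
			buf := make([]byte, 0, initJunkSize)
			writer := bytes.NewBuffer(buf[:0])
			err = appendJunk(writer, initJunkSize)
			// … unchanged: error handling, junkedHeader = writer.Bytes() …
		}
```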


@ -295,6 +295,7 @@ func (device *Device) handleDeviceLine(key, value string, tempASecCfg *aSecCfgTy
} }
device.log.Verbosef("UAPI: Updating junk_packet_count") device.log.Verbosef("UAPI: Updating junk_packet_count")
tempASecCfg.junkPacketCount = junkPacketCount tempASecCfg.junkPacketCount = junkPacketCount
tempASecCfg.isSet = true
case "jmin": case "jmin":
junkPacketMinSize, err := strconv.Atoi(value) junkPacketMinSize, err := strconv.Atoi(value)
@ -303,6 +304,7 @@ func (device *Device) handleDeviceLine(key, value string, tempASecCfg *aSecCfgTy
} }
device.log.Verbosef("UAPI: Updating junk_packet_min_size") device.log.Verbosef("UAPI: Updating junk_packet_min_size")
tempASecCfg.junkPacketMinSize = junkPacketMinSize tempASecCfg.junkPacketMinSize = junkPacketMinSize
tempASecCfg.isSet = true
case "jmax": case "jmax":
junkPacketMaxSize, err := strconv.Atoi(value) junkPacketMaxSize, err := strconv.Atoi(value)
@ -311,6 +313,7 @@ func (device *Device) handleDeviceLine(key, value string, tempASecCfg *aSecCfgTy
} }
device.log.Verbosef("UAPI: Updating junk_packet_max_size") device.log.Verbosef("UAPI: Updating junk_packet_max_size")
tempASecCfg.junkPacketMaxSize = junkPacketMaxSize tempASecCfg.junkPacketMaxSize = junkPacketMaxSize
tempASecCfg.isSet = true
case "s1": case "s1":
initPacketJunkSize, err := strconv.Atoi(value) initPacketJunkSize, err := strconv.Atoi(value)
@ -319,6 +322,7 @@ func (device *Device) handleDeviceLine(key, value string, tempASecCfg *aSecCfgTy
} }
device.log.Verbosef("UAPI: Updating init_packet_junk_size") device.log.Verbosef("UAPI: Updating init_packet_junk_size")
tempASecCfg.initPacketJunkSize = initPacketJunkSize tempASecCfg.initPacketJunkSize = initPacketJunkSize
tempASecCfg.isSet = true
case "s2": case "s2":
responsePacketJunkSize, err := strconv.Atoi(value) responsePacketJunkSize, err := strconv.Atoi(value)
@ -327,6 +331,7 @@ func (device *Device) handleDeviceLine(key, value string, tempASecCfg *aSecCfgTy
} }
device.log.Verbosef("UAPI: Updating response_packet_junk_size") device.log.Verbosef("UAPI: Updating response_packet_junk_size")
tempASecCfg.responsePacketJunkSize = responsePacketJunkSize tempASecCfg.responsePacketJunkSize = responsePacketJunkSize
tempASecCfg.isSet = true
case "h1": case "h1":
initPacketMagicHeader, err := strconv.ParseUint(value, 10, 32) initPacketMagicHeader, err := strconv.ParseUint(value, 10, 32)
@ -334,6 +339,7 @@ func (device *Device) handleDeviceLine(key, value string, tempASecCfg *aSecCfgTy
return ipcErrorf(ipc.IpcErrorInvalid, "faield to parse init_packet_magic_header %w", err) return ipcErrorf(ipc.IpcErrorInvalid, "faield to parse init_packet_magic_header %w", err)
} }
tempASecCfg.initPacketMagicHeader = uint32(initPacketMagicHeader) tempASecCfg.initPacketMagicHeader = uint32(initPacketMagicHeader)
tempASecCfg.isSet = true
case "h2": case "h2":
responsePacketMagicHeader, err := strconv.ParseUint(value, 10, 32) responsePacketMagicHeader, err := strconv.ParseUint(value, 10, 32)
@ -341,6 +347,7 @@ func (device *Device) handleDeviceLine(key, value string, tempASecCfg *aSecCfgTy
return ipcErrorf(ipc.IpcErrorInvalid, "faield to parse response_packet_magic_header %w", err) return ipcErrorf(ipc.IpcErrorInvalid, "faield to parse response_packet_magic_header %w", err)
} }
tempASecCfg.responsePacketMagicHeader = uint32(responsePacketMagicHeader) tempASecCfg.responsePacketMagicHeader = uint32(responsePacketMagicHeader)
tempASecCfg.isSet = true
case "h3": case "h3":
underloadPacketMagicHeader, err := strconv.ParseUint(value, 10, 32) underloadPacketMagicHeader, err := strconv.ParseUint(value, 10, 32)
@ -348,6 +355,7 @@ func (device *Device) handleDeviceLine(key, value string, tempASecCfg *aSecCfgTy
return ipcErrorf(ipc.IpcErrorInvalid, "faield to parse underload_packet_magic_header %w", err) return ipcErrorf(ipc.IpcErrorInvalid, "faield to parse underload_packet_magic_header %w", err)
} }
tempASecCfg.underloadPacketMagicHeader = uint32(underloadPacketMagicHeader) tempASecCfg.underloadPacketMagicHeader = uint32(underloadPacketMagicHeader)
tempASecCfg.isSet = true
case "h4": case "h4":
transportPacketMagicHeader, err := strconv.ParseUint(value, 10, 32) transportPacketMagicHeader, err := strconv.ParseUint(value, 10, 32)
@ -355,8 +363,10 @@ func (device *Device) handleDeviceLine(key, value string, tempASecCfg *aSecCfgTy
return ipcErrorf(ipc.IpcErrorInvalid, "faield to parse transport_packet_magic_header %w", err) return ipcErrorf(ipc.IpcErrorInvalid, "faield to parse transport_packet_magic_header %w", err)
} }
tempASecCfg.transportPacketMagicHeader = uint32(transportPacketMagicHeader) tempASecCfg.transportPacketMagicHeader = uint32(transportPacketMagicHeader)
tempASecCfg.isSet = true
default: default:
return ipcErrorf(ipc.IpcErrorInvalid, "invalid UAPI device key: %v",key) return ipcErrorf(ipc.IpcErrorInvalid, "invalid UAPI device key: %v", key)
} }
return nil return nil
@ -463,7 +473,7 @@ func (device *Device) handlePeerLine(
device.log.Verbosef("%v - UAPI: Updating endpoint", peer.Peer) device.log.Verbosef("%v - UAPI: Updating endpoint", peer.Peer)
endpoint, err := device.net.bind.ParseEndpoint(value) endpoint, err := device.net.bind.ParseEndpoint(value)
if err != nil { if err != nil {
return ipcErrorf(ipc.IpcErrorInvalid, "failed to set endpoint %v: %w", value, err) return ipcErrorf(ipc.IpcErrorInvalid, "failed to set endpoint %v: %w", value, err)
} }
peer.Lock() peer.Lock()
defer peer.Unlock() defer peer.Unlock()