diff --git a/contrib/embeddable-wg-library/wireguard.c b/contrib/embeddable-wg-library/wireguard.c
index 26de0e9..802989d 100644
--- a/contrib/embeddable-wg-library/wireguard.c
+++ b/contrib/embeddable-wg-library/wireguard.c
@@ -74,8 +74,7 @@ enum wgdevice_attribute {
 enum wgpeer_flag {
 WGPEER_F_REMOVE_ME = 1U << 0,
 WGPEER_F_REPLACE_ALLOWEDIPS = 1U << 1,
- WGPEER_F_HAS_ADVANCED_SECURITY = 1U << 3,
- WGPEER_F_HAS_SPECIAL_HANDSHAKE = 1U << 4
+ WGPEER_F_HAS_AWG = 1U << 3
 };
 enum wgpeer_attribute {
 WGPEER_A_UNSPEC,
@@ -89,8 +88,7 @@ enum wgpeer_attribute {
 WGPEER_A_TX_BYTES,
 WGPEER_A_ALLOWEDIPS,
 WGPEER_A_PROTOCOL_VERSION,
- WGPEER_A_ADVANCED_SECURITY,
- WGPEER_A_SPECIAL_HANDSHAKE,
+ WGPEER_A_AWG,
 __WGPEER_A_LAST
 };
diff --git a/contrib/peer-approver/approve.sh b/contrib/peer-approver/approve.sh
index e711a6c..e160856 100755
--- a/contrib/peer-approver/approve.sh
+++ b/contrib/peer-approver/approve.sh
@@ -4,8 +4,7 @@ ACCOUNTS_FILE=$1
 INTERFACE_NAME=$2
 PUBLIC_KEY=$3
 ENDPOINT=$4
-ADVANCED_SECURITY=$5
-SPECIAL_HANDSHAKE=$6
+AWG=$5
 ACCOUNT_STR=`grep "${PUBLIC_KEY}" "${ACCOUNTS_FILE}"`
@@ -20,7 +19,7 @@ PSK=$(echo ${ACCOUNT[2]}|tr -d '"')
 PSK_FILE=$(tempfile)
 echo "${PSK}" > "${PSK_FILE}"
-awg set "${INTERFACE_NAME}" peer "${PUBLIC_KEY}" allowed-ips "${ALLOWED_IPS}" endpoint "${ENDPOINT}" allowed-ips "${ALLOWED_IPS}" preshared-key "${PSK_FILE}" advanced-security "${ADVANCED_SECURITY}" special-handshake "${SPECIAL_HANDSHAKE}"
+awg set "${INTERFACE_NAME}" peer "${PUBLIC_KEY}" allowed-ips "${ALLOWED_IPS}" endpoint "${ENDPOINT}" allowed-ips "${ALLOWED_IPS}" preshared-key "${PSK_FILE}" awg "${AWG}"
 EXIT_CODE=$?
 rm -f "{$PSK_FILE}"
diff --git a/contrib/peer-approver/notification-listener.c b/contrib/peer-approver/notification-listener.c
index 0057e71..5076975 100644
--- a/contrib/peer-approver/notification-listener.c
+++ b/contrib/peer-approver/notification-listener.c
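Review bot: `rm -f "{$PSK_FILE}"` on the last context line of the hunk has the brace outside the `$`, so it expands to a literal `{`-prefixed path that does not exist and the temp file holding the peer's preshared key is never deleted; it should read `rm -f "${PSK_FILE}"`. The file is also created by `tempfile` under the default umask before the key is echoed into it, so a `umask 077` (or `mktemp`) before `echo "${PSK}" >` would keep the key unreadable by other local users for the moment it does exist. Separately, the new command passes the peer keyword `awg "${AWG}"`, while the only peer keyword this patch leaves in config_read_cmd (src/config.c hunk at line 1013) is `advanced-security`; unless `awg` is accepted somewhere outside this diff, the call fails on every approval and `EXIT_CODE` is always non-zero, so it should probably be `advanced-security "${AWG}"`. The duplicated `allowed-ips "${ALLOWED_IPS}"` on the same line can be dropped.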
@@ -116,19 +116,18 @@ static int get_endpoint(struct nlattr *peer[], char **endpoint_ip)
 return 0;
 }
-static int run_callback(char *ifname, char *pubkey, char *endpoint_ip, bool advanced_security, bool special_handshake)
+static int run_callback(char *ifname, char *pubkey, char *endpoint_ip, bool is_awg)
 {
 char** new_argv = malloc((cb_argc + 2) * sizeof *new_argv);
 new_argv[0] = cb_argv[1];
- for (int i = 2; i < cb_argc - 4; i++) {
+ for (int i = 2; i < cb_argc - 3; i++) {
 new_argv[i - 1] = cb_argv[i];
 }
- new_argv[cb_argc - 5] = ifname;
- new_argv[cb_argc - 4] = pubkey;
- new_argv[cb_argc - 3] = endpoint_ip;
- new_argv[cb_argc - 2] = (advanced_security ? "on\0" : "off\0");
- new_argv[cb_argc - 1] = (special_handshake ? "on\0" : "off\0");
+ new_argv[cb_argc - 4] = ifname;
+ new_argv[cb_argc - 3] = pubkey;
+ new_argv[cb_argc - 2] = endpoint_ip;
+ new_argv[cb_argc - 1] = (is_awg ? "on\0" : "off\0");
 new_argv[cb_argc] = NULL;
 int child_pid = fork(), ret;
@@ -156,8 +155,7 @@ static int netlink_callback(struct nl_msg *msg, void *arg)
 nla_parse(tb, WGDEVICE_A_MAX, genlmsg_attrdata(gnlh, 0), genlmsg_attrlen(gnlh, 0), NULL);
 char *ifname, *pubkey, *endpoint_ip;
- bool advanced_security = false;
- bool special_handshake = false;
+ bool is_awg = false;
 int cb_ret;
 switch (gnlh->cmd) {
@@ -178,13 +176,10 @@ static int netlink_callback(struct nl_msg *msg, void *arg)
 prerr("invalid endpoint!\n");
 return NL_SKIP;
 }
- if (nla_get_flag(peer[WGPEER_A_ADVANCED_SECURITY])) {
- advanced_security = true;
+ if (nla_get_flag(peer[WGPEER_A_AWG])) {
+ is_awg = true;
 }
- if (nla_get_flag(peer[WGPEER_A_SPECIAL_HANDSHAKE])) {
- special_handshake = true;
- }
- if (cb_ret = run_callback(ifname, pubkey, endpoint_ip, advanced_security, special_handshake)) {
+ if (cb_ret = run_callback(ifname, pubkey, endpoint_ip, is_awg)) {
 prerr("failed to execute callback script: %d!\n", cb_ret);
 return NL_SKIP;
 }
diff --git a/src/config.c b/src/config.c
index 6aa31b0..80d098d 100644
--- a/src/config.c
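Review bot: The `malloc` on the first line of run_callback's body is never checked, and the re-based slot arithmetic (`new_argv[cb_argc - 4] = ifname` down to `cb_argc - 1`) indexes before the allocation whenever fewer than four arguments reached the listener; nothing in the hunk enforces a minimum, so unless main() does so before filling cb_argc/cb_argv, a short command line is an out-of-bounds write. I would add `if (cb_argc < 4) return -1;` before the malloc and `if (!new_argv) return -1;` after it (the function returns an int that netlink_callback only prints, so any non-zero value works). A one-line comment stating the expected command-line layout — which trailing cb_argv entries are placeholders that get overwritten by ifname/pubkey/endpoint/awg — would make the `- 3`/`- 4` offsets reviewable; as a nit, `"on\0"` is just `"on"` with a redundant embedded NUL. run_callback continues past the hunk, so the exec path and the free of new_argv are not visible here.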
+++ b/src/config.c
@@ -425,8 +425,8 @@ static inline bool parse_awg_string(char **device_value, const char *name, const
 return true;
 }
- if (len >= MAX_AWG_JUNK_LEN) {
- fprintf(stderr, "Unable to process string for: %s; longer than: %d\n", name, MAX_AWG_JUNK_LEN);
+ if (len >= MAX_AWG_STRING_LEN) {
+ fprintf(stderr, "Unable to process string for: %s; longer than: %d\n", name, MAX_AWG_STRING_LEN);
 return false;
 }
 *device_value = strdup(value);
@@ -645,13 +645,9 @@ static bool process_line(struct config_ctx *ctx, const char *line)
 if (ret)
 ctx->last_peer->flags |= WGPEER_HAS_PRESHARED_KEY;
 } else if (key_match("AdvancedSecurity")) {
- ret = parse_bool(&ctx->last_peer->advanced_security, "AdvancedSecurity", value);
+ ret = parse_bool(&ctx->last_peer->awg, "AdvancedSecurity", value);
 if (ret)
- ctx->last_peer->flags |= WGPEER_HAS_ADVANCED_SECURITY;
- } else if (key_match("SpecialHandshake")) {
- ret = parse_bool(&ctx->last_peer->special_handshake, "SpecialHandshake", value);
- if (ret)
- ctx->last_peer->flags |= WGPEER_HAS_SPECIAL_HANDSHAKE;
+ ctx->last_peer->flags |= WGPEER_HAS_AWG;
 } else
 goto error;
 } else
@@ -1017,15 +1013,9 @@ struct wgdevice *config_read_cmd(const char *argv[], int argc)
 argv += 2;
 argc -= 2;
 } else if (!strcmp(argv[0], "advanced-security") && argc >= 2 && peer) {
- if (!parse_bool(&peer->advanced_security, "AdvancedSecurity", argv[1]))
+ if (!parse_bool(&peer->awg, "AdvancedSecurity", argv[1]))
 goto error;
- peer->flags |= WGPEER_HAS_ADVANCED_SECURITY;
- argv += 2;
- argc -= 2;
- } else if (!strcmp(argv[0], "special-handshake") && argc >= 2 && peer) {
- if (!parse_bool(&peer->special_handshake, "SpecialHandshake", argv[1]))
- goto error;
- peer->flags |= WGPEER_HAS_SPECIAL_HANDSHAKE;
+ peer->flags |= WGPEER_HAS_AWG;
 argv += 2;
 argc -= 2;
 } else {
diff --git a/src/containers.h b/src/containers.h
index 21f22a0..fa722bc 100644
--- a/src/containers.h
+++ b/src/containers.h
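Review bot: `*device_value = strdup(value);` on the last line of the parse_awg_string hunk is unchecked; if the function returns true right after it (the hunk ends there, so the tail is not visible), an allocation failure stores NULL while reporting success and any later use of the value dereferences it — `if (!*device_value) return false;` after the strdup would close that. In the process_line hunk the `SpecialHandshake` key is removed outright, so an existing configuration that still carries it now hits `goto error` with the generic unknown-key failure; since both former flags collapse into `awg`, accepting it as an alias — `} else if (key_match("SpecialHandshake")) { ret = parse_bool(&ctx->last_peer->awg, "SpecialHandshake", value); if (ret) ctx->last_peer->flags |= WGPEER_HAS_AWG;` — or at least printing a specific "SpecialHandshake was merged into AdvancedSecurity" error would avoid breaking deployed configs. The same consideration applies to the dropped `special-handshake` keyword in the config_read_cmd hunk.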
@@ -23,8 +23,8 @@
 #define WG_KEY_LEN 32
 #endif
-#ifndef MAX_AWG_JUNK_LEN
-#define MAX_AWG_JUNK_LEN 5 * 1024
+#ifndef MAX_AWG_STRING_LEN
+#define MAX_AWG_STRING_LEN 5 * 1024
 #endif
 /* Cross platform __kernel_timespec */
@@ -49,8 +49,7 @@ enum {
 WGPEER_HAS_PUBLIC_KEY = 1U << 2,
 WGPEER_HAS_PRESHARED_KEY = 1U << 3,
 WGPEER_HAS_PERSISTENT_KEEPALIVE_INTERVAL = 1U << 4,
- WGPEER_HAS_ADVANCED_SECURITY = 1U << 5,
- WGPEER_HAS_SPECIAL_HANDSHAKE = 1U << 6
+ WGPEER_HAS_AWG = 1U << 5
 };
 struct wgpeer {
@@ -69,8 +68,7 @@ struct wgpeer {
 uint64_t rx_bytes, tx_bytes;
 uint16_t persistent_keepalive_interval;
- bool advanced_security;
- bool special_handshake;
+ bool awg;
 struct wgallowedip *first_allowedip, *last_allowedip;
 struct wgpeer *next_peer;
diff --git a/src/ipc-freebsd.h b/src/ipc-freebsd.h
index 5773937..170d74c 100644
--- a/src/ipc-freebsd.h
+++ b/src/ipc-freebsd.h
@@ -142,7 +142,7 @@ static int kernel_get_device(struct wgdevice **device, const char *ifname)
 }
 if (nvlist_exists_number(nvl_device, "h1")) {
 binary = nvlist_get_binary(nvl_device, "h1", &size);
- if (binary && size < MAX_AWG_JUNK_LEN)
+ if (binary && size < MAX_AWG_STRING_LEN)
 {
 dev->init_packet_magic_header = strdup((const char*)binary);
 dev->flags |= WGDEVICE_HAS_H1;
@@ -150,7 +150,7 @@ static int kernel_get_device(struct wgdevice **device, const char *ifname)
 }
 if (nvlist_exists_number(nvl_device, "h2")) {
 binary = nvlist_get_binary(nvl_device, "h2", &size);
- if (binary && size < MAX_AWG_JUNK_LEN)
+ if (binary && size < MAX_AWG_STRING_LEN)
 {
 dev->response_packet_magic_header = strdup((const char*)binary);
 dev->flags |= WGDEVICE_HAS_H2;
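Review bot: `#define MAX_AWG_STRING_LEN 5 * 1024` in the containers.h hunk is an unparenthesized expression macro; today's uses (`len >= MAX_AWG_STRING_LEN`, `size < MAX_AWG_STRING_LEN`) happen to expand correctly, but any future `x % MAX_AWG_STRING_LEN` or `MAX_AWG_STRING_LEN * n` silently mis-associates. Write it as `#define MAX_AWG_STRING_LEN (5 * 1024)`. Since the rename dropped the "JUNK" hint, a one-line comment above it saying what the limit bounds — judging by its callers, the length of the AmneziaWG junk/header strings read from config and from the kernel — would also help the next reader.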
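Review bot: In the h1 hunk the existence test is `nvlist_exists_number(nvl_device, "h1")` but the value is then fetched with `nvlist_get_binary(nvl_device, "h1", &size)`; libnv looks pairs up by (name, type), so if h1 really is stored as a number the binary lookup does not find it — and as far as I recall from nv(9) a missing pair in an `nvlist_get_*` call aborts the process rather than returning NULL, so the `binary &&` guard never gets a chance. The same number/binary mismatch is repeated for h2 here and h3/h4 in the next hunks, while the i*/j* keys below consistently use `nvlist_exists_binary`. Either h1..h4 are numbers and should be read with `nvlist_get_number` into a numeric field, or the check should be `if (nvlist_exists_binary(nvl_device, "h1")) {` like the others; which one is right depends on what the FreeBSD module stores, which is outside this diff. kernel_get_device starts and ends outside these hunks.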
@@ -158,7 +158,7 @@ static int kernel_get_device(struct wgdevice **device, const char *ifname)
 }
 if (nvlist_exists_number(nvl_device, "h3")) {
 binary = nvlist_get_binary(nvl_device, "h3", &size);
- if (binary && size < MAX_AWG_JUNK_LEN)
+ if (binary && size < MAX_AWG_STRING_LEN)
 {
 dev->underload_packet_magic_header = strdup((const char*)binary);
 dev->flags |= WGDEVICE_HAS_H3;
@@ -166,7 +166,7 @@ static int kernel_get_device(struct wgdevice **device, const char *ifname)
 }
 if (nvlist_exists_number(nvl_device, "h4")) {
 binary = nvlist_get_binary(nvl_device, "h4", &size);
- if (binary && size < MAX_AWG_JUNK_LEN)
+ if (binary && size < MAX_AWG_STRING_LEN)
 {
 dev->transport_packet_magic_header = strdup((const char*)binary);
 dev->flags |= WGDEVICE_HAS_H4;
@@ -175,7 +175,7 @@ static int kernel_get_device(struct wgdevice **device, const char *ifname)
 if (nvlist_exists_binary(nvl_device, "i1")) {
 binary = nvlist_get_binary(nvl_device, "i1", &size);
- if (binary && size < MAX_AWG_JUNK_LEN)
+ if (binary && size < MAX_AWG_STRING_LEN)
 {
 dev->i1 = strdup((const char*)binary);
 dev->flags |= WGDEVICE_HAS_I1;
@@ -184,7 +184,7 @@ static int kernel_get_device(struct wgdevice **device, const char *ifname)
 if (nvlist_exists_binary(nvl_device, "i2")) {
 binary = nvlist_get_binary(nvl_device, "i2", &size);
- if (binary && size < MAX_AWG_JUNK_LEN)
+ if (binary && size < MAX_AWG_STRING_LEN)
 {
 dev->i2 = strdup((const char*)binary);
 dev->flags |= WGDEVICE_HAS_I2;
@@ -193,7 +193,7 @@ static int kernel_get_device(struct wgdevice **device, const char *ifname)
 if (nvlist_exists_binary(nvl_device, "i3")) {
 binary = nvlist_get_binary(nvl_device, "i3", &size);
- if (binary && size < MAX_AWG_JUNK_LEN)
+ if (binary && size < MAX_AWG_STRING_LEN)
 {
 dev->i3 = strdup((const char*)binary);
 dev->flags |= WGDEVICE_HAS_I3;
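Review bot: `dev->i1 = strdup((const char*)binary);` in the i1 hunk (and the same line in the h3, h4, i2 and i3 hunks) treats a binary nvlist blob as a NUL-terminated C string; `size < MAX_AWG_STRING_LEN` bounds the blob but not how far strdup reads, so unless the FreeBSD module guarantees a terminating NUL inside the blob this over-reads whatever follows it. `dev->i1 = strndup((const char *)binary, size);` gives the same result for a terminated blob and stops at `size` otherwise. The strdup result is also not checked before `dev->flags |= WGDEVICE_HAS_I1` marks the field as present, so an allocation failure yields a "present" NULL string; `if (dev->i1) dev->flags |= WGDEVICE_HAS_I1;` would keep the flag honest. kernel_get_device starts and ends outside these hunks.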
@@ -202,7 +202,7 @@ static int kernel_get_device(struct wgdevice **device, const char *ifname)
 if (nvlist_exists_binary(nvl_device, "i4")) {
 binary = nvlist_get_binary(nvl_device, "i4", &size);
- if (binary && size < MAX_AWG_JUNK_LEN)
+ if (binary && size < MAX_AWG_STRING_LEN)
 {
 dev->i4 = strdup((const char*)binary);
 dev->flags |= WGDEVICE_HAS_I4;
@@ -211,7 +211,7 @@ static int kernel_get_device(struct wgdevice **device, const char *ifname)
 if (nvlist_exists_binary(nvl_device, "i5")) {
 binary = nvlist_get_binary(nvl_device, "i5", &size);
- if (binary && size < MAX_AWG_JUNK_LEN)
+ if (binary && size < MAX_AWG_STRING_LEN)
 {
 dev->i5 = strdup((const char*)binary);
 dev->flags |= WGDEVICE_HAS_I5;
@@ -220,7 +220,7 @@ static int kernel_get_device(struct wgdevice **device, const char *ifname)
 if (nvlist_exists_binary(nvl_device, "j1")) {
 binary = nvlist_get_binary(nvl_device, "j1", &size);
- if (binary && size < MAX_AWG_JUNK_LEN)
+ if (binary && size < MAX_AWG_STRING_LEN)
 {
 dev->j1 = strdup((const char*)binary);
 dev->flags |= WGDEVICE_HAS_J1;
@@ -229,7 +229,7 @@ static int kernel_get_device(struct wgdevice **device, const char *ifname)
 if (nvlist_exists_binary(nvl_device, "j2")) {
 binary = nvlist_get_binary(nvl_device, "j2", &size);
- if (binary && size < MAX_AWG_JUNK_LEN)
+ if (binary && size < MAX_AWG_STRING_LEN)
 {
 dev->j2 = strdup((const char*)binary);
 dev->flags |= WGDEVICE_HAS_J2;
@@ -238,7 +238,7 @@ static int kernel_get_device(struct wgdevice **device, const char *ifname)
 if (nvlist_exists_binary(nvl_device, "j3")) {
 binary = nvlist_get_binary(nvl_device, "j3", &size);
- if (binary && size < MAX_AWG_JUNK_LEN)
+ if (binary && size < MAX_AWG_STRING_LEN)
 {
 dev->j3 = strdup((const char*)binary);
 dev->flags |= WGDEVICE_HAS_J3;
diff --git a/src/ipc-linux.h b/src/ipc-linux.h
index 09bf48a..77542c1 100644
--- a/src/ipc-linux.h
+++ b/src/ipc-linux.h
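Review bot: The i4, i5, j1, j2 and j3 hunks are the eighth to twelfth copy of the same exists/get/bounds-check/strdup/set-flag block, differing only in key, destination field and flag bit; with the bounds check now having been edited in every copy, a small helper would make the length limit, the NUL-termination handling and the (currently absent) strdup NULL check live in one place. A sketch follows; it assumes the unseen tail of each block does nothing beyond closing the braces and that `dev->flags` is a `uint32_t` as in upstream containers.h, both of which are outside this hunk. kernel_get_device starts and ends outside these hunks.
```c
/* Copy the string-valued nvlist entry `key` into *dst and set `flag` in *flags.
 * Leaves *dst and *flags untouched and returns false if the key is absent,
 * the blob is not shorter than MAX_AWG_STRING_LEN, or strndup fails. */
static bool awg_get_nvstring(const nvlist_t *nvl, const char *key, char **dst, uint32_t *flags, uint32_t flag)
{
	const void *binary;
	size_t size;

	if (!nvlist_exists_binary(nvl, key))
		return false;
	binary = nvlist_get_binary(nvl, key, &size);
	if (!binary || size >= MAX_AWG_STRING_LEN)
		return false;
	*dst = strndup((const char *)binary, size);
	if (!*dst)
		return false;
	*flags |= flag;
	return true;
}

/* … unchanged: h1..h4 and i1..i3 handling above … */
	awg_get_nvstring(nvl_device, "i4", &dev->i4, &dev->flags, WGDEVICE_HAS_I4);
	awg_get_nvstring(nvl_device, "i5", &dev->i5, &dev->flags, WGDEVICE_HAS_I5);
	/* … same one-liner for j1, j2, j3 … */
```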
@@ -243,17 +243,10 @@ again:
 goto toobig_peers;
 }
 }
- if (peer->flags & WGPEER_HAS_ADVANCED_SECURITY) {
- if (peer->advanced_security)
- mnl_attr_put_check(nlh, SOCKET_BUFFER_SIZE, WGPEER_A_ADVANCED_SECURITY, 0, NULL);
- flags |= WGPEER_F_HAS_ADVANCED_SECURITY;
- }
- if (peer->flags & WGPEER_HAS_SPECIAL_HANDSHAKE)
- {
- if (peer->special_handshake)
- mnl_attr_put_check(
- nlh, SOCKET_BUFFER_SIZE, WGPEER_A_SPECIAL_HANDSHAKE, 0, NULL);
- flags |= WGPEER_F_HAS_SPECIAL_HANDSHAKE;
+ if (peer->flags & WGPEER_HAS_AWG) {
+ if (peer->awg)
+ mnl_attr_put_check(nlh, SOCKET_BUFFER_SIZE, WGPEER_A_AWG, 0, NULL);
+ flags |= WGPEER_F_HAS_AWG;
 }
 if (flags) {
 if (!mnl_attr_put_u32_check(nlh, SOCKET_BUFFER_SIZE, WGPEER_A_FLAGS, flags))
@@ -427,36 +420,18 @@ static int parse_peer(const struct nlattr *attr, void *data)
 if (!mnl_attr_validate(attr, MNL_TYPE_U32)) {
 uint32_t flags = mnl_attr_get_u32(attr);
- if (flags & WGPEER_F_HAS_ADVANCED_SECURITY && !(peer->flags & WGPEER_HAS_ADVANCED_SECURITY)) {
- peer->flags |= WGPEER_HAS_ADVANCED_SECURITY;
- peer->advanced_security = false;
- }
- if (
- flags & WGPEER_F_HAS_SPECIAL_HANDSHAKE &&
- !(peer->flags & WGPEER_HAS_SPECIAL_HANDSHAKE))
- {
- peer->flags |= WGPEER_HAS_SPECIAL_HANDSHAKE;
- peer->special_handshake = false;
+ if (flags & WGPEER_F_HAS_AWG && !(peer->flags & WGPEER_HAS_AWG)) {
+ peer->flags |= WGPEER_HAS_AWG;
+ peer->awg = false;
 }
 }
 break;
- case WGPEER_A_ADVANCED_SECURITY:
+ case WGPEER_A_AWG:
 if (!mnl_attr_validate(attr, MNL_TYPE_FLAG)) {
- peer->advanced_security = true;
+ peer->awg = true;
- if (!(peer->flags & WGPEER_HAS_ADVANCED_SECURITY)) {
- peer->flags |= WGPEER_HAS_ADVANCED_SECURITY;
- }
- }
- break;
- case WGPEER_A_SPECIAL_HANDSHAKE:
- if (!mnl_attr_validate(attr, MNL_TYPE_FLAG))
- {
- peer->special_handshake = true;
-
- if (!(peer->flags & WGPEER_HAS_SPECIAL_HANDSHAKE))
- {
- peer->flags |= WGPEER_HAS_SPECIAL_HANDSHAKE;
+ if (!(peer->flags & WGPEER_HAS_AWG)) {
+ peer->flags |= WGPEER_HAS_AWG;
 }
 }
 break;
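Review bot: The return value of `mnl_attr_put_check(nlh, SOCKET_BUFFER_SIZE, WGPEER_A_AWG, 0, NULL)` is ignored while `flags |= WGPEER_F_HAS_AWG` is set unconditionally, yet two lines below the `WGPEER_A_FLAGS` put is checked and the surrounding context retries via `toobig_peers`. If the message buffer is full at that point the flag attribute is silently dropped but the "has awg" bit still goes out, which — mirroring the parse_peer logic in the second hunk, where HAS_AWG without the attribute means awg=false — the receiver presumably reads as an explicit awg=off for the peer: a silent downgrade of the obfuscation rather than a retry. Change it to `if (!mnl_attr_put_check(nlh, SOCKET_BUFFER_SIZE, WGPEER_A_AWG, 0, NULL)) goto toobig_peers;`. The enclosing function (the one carrying the `again:` label) starts and ends outside the hunk.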
diff --git a/src/ipc-uapi.h b/src/ipc-uapi.h
index 74640a6..b6cfafb 100644
--- a/src/ipc-uapi.h
+++ b/src/ipc-uapi.h
@@ -96,12 +96,7 @@ static int userspace_set_device(struct wgdevice *dev)
 for_each_wgpeer(dev, peer) {
 key_to_hex(hex, peer->public_key);
 fprintf(f, "public_key=%s\n", hex);
- if (peer->flags & WGPEER_HAS_ADVANCED_SECURITY) {
- ret = -EINVAL;
- goto out;
- }
- if (peer->flags & WGPEER_HAS_SPECIAL_HANDSHAKE)
- {
+ if (peer->flags & WGPEER_HAS_AWG) {
 ret = -EINVAL;
 goto out;
 }
diff --git a/src/showconf.c b/src/showconf.c
index 11952cb..81d5354 100644
--- a/src/showconf.c
+++ b/src/showconf.c
@@ -95,11 +95,8 @@ int showconf_main(int argc, const char *argv[])
 key_to_base64(base64, peer->preshared_key);
 printf("PresharedKey = %s\n", base64);
 }
- if (peer->flags & WGPEER_HAS_ADVANCED_SECURITY) {
- printf("AdvancedSecurity = %s\n", peer->advanced_security ? "on" : "off");
- }
- if (peer->flags & WGPEER_HAS_SPECIAL_HANDSHAKE) {
- printf("SpecialHandshake = %s\n", peer->special_handshake ? "on" : "off");
+ if (peer->flags & WGPEER_HAS_AWG) {
+ printf("AdvancedSecurity = %s\n", peer->awg ? "on" : "off");
 }
 if (peer->first_allowedip)
 printf("AllowedIPs = ");
diff --git a/src/uapi/linux/linux/wireguard.h b/src/uapi/linux/linux/wireguard.h
index 4438e83..927a1ea 100644
--- a/src/uapi/linux/linux/wireguard.h
+++ b/src/uapi/linux/linux/wireguard.h
@@ -111,10 +111,7 @@
 * most recent protocol will be used when
 * this is unset. Otherwise, must be set
 * to 1.
- * WGPEER_A_ADVANCED_SECURITY: flag indicating that advanced security
- * techniques provided by AmneziaWG should
- * be used.
- * WGPEER_A_SPECIAL_HANDSHAKE: flag indicating that special handshake
+ * WGPEER_A_AWG: flag indicating that advanced security
 * techniques provided by AmneziaWG should
 * be used.
 * 0: NLA_NESTED
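Review bot: In the userspace_set_device hunk the rejection keys on `peer->flags & WGPEER_HAS_AWG`, which the config parser in this same patch sets whenever the `AdvancedSecurity` key is present, including `AdvancedSecurity = off`; showconf (next hunk) emits exactly that line for every peer with the flag recorded, so a config dumped from a kernel interface with the feature disabled cannot be loaded by a userspace implementation, and the only diagnostic is a bare EINVAL. If rejecting an explicit "off" is not intended, `if ((peer->flags & WGPEER_HAS_AWG) && peer->awg) {` limits the refusal to what the backend genuinely cannot honour; either way a comment such as `/* AmneziaWG obfuscation is implemented in the kernel module only; userspace backends cannot honour it */` would explain the EINVAL to the next reader. userspace_set_device starts and ends outside the hunk.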
@@ -147,10 +144,7 @@
 * WGDEVICE_A_PEER: NLA_NESTED
 * WGPEER_A_PUBLIC_KEY: NLA_EXACT_LEN, len WG_KEY_LEN
 * WGPEER_A_ENDPOINT: NLA_MIN_LEN(struct sockaddr), struct sockaddr_in or struct sockaddr_in6
- * WGPEER_A_ADVANCED_SECURITY: flag indicating that advanced security
- * techniques provided by AmneziaWG should
- * be used.
- * WGPEER_A_SPECIAL_HANDSHAKE: flag indicating that special handshake
+ * WGPEER_A_AWG: flag indicating that advanced security
 * techniques provided by AmneziaWG should
 * be used.
 *
@@ -217,8 +211,7 @@ enum wgpeer_flag {
 WGPEER_F_REMOVE_ME = 1U << 0,
 WGPEER_F_REPLACE_ALLOWEDIPS = 1U << 1,
 WGPEER_F_UPDATE_ONLY = 1U << 2,
- WGPEER_F_HAS_ADVANCED_SECURITY = 1U << 3,
- WGPEER_F_HAS_SPECIAL_HANDSHAKE = 1U << 4,
+ WGPEER_F_HAS_AWG = 1U << 3,
 __WGPEER_F_ALL = WGPEER_F_REMOVE_ME | WGPEER_F_REPLACE_ALLOWEDIPS | WGPEER_F_UPDATE_ONLY
 };
@@ -234,8 +227,7 @@ enum wgpeer_attribute {
 WGPEER_A_TX_BYTES,
 WGPEER_A_ALLOWEDIPS,
 WGPEER_A_PROTOCOL_VERSION,
- WGPEER_A_ADVANCED_SECURITY,
- WGPEER_A_SPECIAL_HANDSHAKE,
+ WGPEER_A_AWG,
 __WGPEER_A_LAST
 };
 #define WGPEER_A_MAX (__WGPEER_A_LAST - 1)
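Review bot: `__WGPEER_F_ALL` in the enum wgpeer_flag hunk still lists only REMOVE_ME, REPLACE_ALLOWEDIPS and UPDATE_ONLY, so `WGPEER_F_HAS_AWG` sits outside the "all known flags" mask; upstream WireGuard's set_peer rejects `flags & ~__WGPEER_F_ALL` with -EOPNOTSUPP, so if the AmneziaWG module consumes this header verbatim every set carrying the new flag would be refused — presumably the module keeps its own mask, but the uapi header should not disagree with it: `__WGPEER_F_ALL = WGPEER_F_REMOVE_ME | WGPEER_F_REPLACE_ALLOWEDIPS | WGPEER_F_UPDATE_ONLY | WGPEER_F_HAS_AWG`. Separately, deleting `WGPEER_A_SPECIAL_HANDSHAKE` shifts `__WGPEER_A_LAST` and therefore `WGPEER_A_MAX` down by one in what is a kernel ABI header: a tool built from this header talking to an older module that still emits the special-handshake attribute will, as far as I know nla_parse's handling of types above maxtype, have it silently dropped, and an older tool talking to a new module will mis-number nothing but lose the attribute the other way. A comment above the enum recording the minimum compatible module version, or keeping a reserved `WGPEER_A_SPECIAL_HANDSHAKE` slot so numbering stays stable, would make that version skew explicit.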