Lines Matching defs:peer

139 * - struct wg_peer is a representative of a peer
144 * a peer migration (a change of peer's IP address)
149 * - struct wg_session represents a session of a secure tunnel with a peer
150 * - Two instances of sessions belong to a peer; a stable session and a
159 * - Changes to the peer list are serialized by wg_lock
160 * - The peer list may be read with pserialize(9) and psref(9)
163 * - Each peer (struct wg_peer, wgp) has a mutex wgp_lock, which can be taken
1361 * wgs must be the unstable session of its peer, and must be
1396 * wgs must be the unstable session of its peer, and must not be
1531 * Return true if we claim priority over peer wgp as initiator at
1532 * the moment, false if not. That is, if we and our peer are
1533 * trying to initiate a session, do we ignore the peer's attempt
1535 * the peer's?
1542 * 256-bit integer in little-endian, is less than the peer's
1668 WG_DLOG("peer not found\n");
1673 * Lock the peer to serialize access to cookie state.
1725 "%s: peer %s: wg_algo_aead_dec for timestamp failed\n",
1734 * received per peer and discards packets containing
1741 "%s: peer %s: invalid init msg: timestamp is old\n",
1753 case WGS_STATE_UNKNOWN: /* new session initiated by peer */
1761 WG_TRACE("Yielding session initiation to peer");
1766 case WGS_STATE_INIT_PASSIVE: /* peer is retrying, start over */
1778 case WGS_STATE_DESTROYING: /* rekey initiated by peer */
1801 * The packet is genuine. Update the peer's endpoint if the
1833 * the peer initiator's ephemeral key pair, generated our
1841 * (Session is not, however, ready to send data until the peer
1940 case WGS_STATE_INIT_PASSIVE: /* peer was trying -- XXX what now? */
1941 WG_TRACE("Session already initializing, waiting for peer");
1964 * have to wait for the peer to respond with their ephemeral
2105 * wg for peer wgp. Publish it as the stable session, send queued
2237 WG_TRACE("peer sent spurious handshake response, ignoring");
2325 "%s: peer %s: wg_algo_aead_dec for empty message failed\n",
2339 * The packet is genuine. Update the peer's endpoint if the
2540 * to a peer within 1 second, we consider we are under load.
2656 * "if a peer is the initiator of a current secure session,
2879 * the outer UDP/IP packet is used to update the endpoint for peer..."
2956 * Get the peer, for rate-limited logs (XXX MPSAFE, dtrace) and
2969 "%s: peer %s: out-of-window packet: %"PRIu64"\n",
3024 "%s: peer %s: failed to wg_algo_aead_dec\n",
3038 "%s: peer %s: replay or out-of-window packet: %"PRIu64"\n",
3051 * The packet is genuine. Update the peer's endpoint if the
3096 "%s: peer %s: invalid source address (%s)\n",
3121 * "If a peer has received a validly-authenticated transport
3169 /* Lock the peer so we can update the cookie state. */
3196 "%s: peer %s: wg_algo_aead_dec for cookie failed: "
3460 * the peer initiator's first data packet.
3941 /* Prevent new packets from this peer on any source address. */
4360 WG_TRACE("peer not found");
4554 * "if a peer is the initiator of a current secure
4656 wg_handle_prop_peer(struct wg_softc *wg, prop_dictionary_t peer,
4666 if (prop_dictionary_get_string(peer, "name", &name)) {
4673 if (!prop_dictionary_get_data(peer, "public_key",
4692 if (prop_dictionary_get_data(peer, "preshared_key", &psk, &psk_len)) {
4704 if (!prop_dictionary_get_data(peer, "endpoint", &addr, &addr_len))
4738 allowedips = prop_dictionary_get(peer, "allowedips");
5482 /* Send messages to a peer via an ordinary socket. */
5604 * Receive packets from a peer.