[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
05/05: gnu: linux-libre: Apply wireguard patch fixing keep-alive bug.
|
From: |
guix-commits |
|
Subject: |
05/05: gnu: linux-libre: Apply wireguard patch fixing keep-alive bug. |
|
Date: |
Fri, 21 Jul 2023 12:12:31 -0400 (EDT) |
apteryx pushed a commit to branch master
in repository guix.
commit acbb9d2dadc7011bce7e022689633944e595e75b
Author: Maxim Cournoyer <maxim.cournoyer@gmail.com>
AuthorDate: Wed May 17 22:58:46 2023 -0400
gnu: linux-libre: Apply wireguard patch fixing keep-alive bug.
* gnu/packages/patches/linux-libre-wireguard-postup-privkey.patch: New
patch.
* gnu/local.mk (dist_patch_DATA): Register it.
* gnu/packages/linux.scm (linux-libre-6.4-source, linux-libre-6.3-source)
(linux-libre-6.2-source, linux-libre-6.1-source, linux-libre-5.15-source)
(linux-libre-5.10-source): Apply it.
---
gnu/local.mk | 1 +
gnu/packages/linux.scm | 27 +++--
.../linux-libre-wireguard-postup-privkey.patch | 119 +++++++++++++++++++++
3 files changed, 139 insertions(+), 8 deletions(-)
diff --git a/gnu/local.mk b/gnu/local.mk
index a56406ddd7..02a5b4721a 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1544,6 +1544,7 @@ dist_patch_DATA =
\
%D%/packages/patches/linphone-desktop-without-sdk.patch \
%D%/packages/patches/linux-libre-infodocs-target.patch \
%D%/packages/patches/linux-libre-support-for-Pinebook-Pro.patch \
+ %D%/packages/patches/linux-libre-wireguard-postup-privkey.patch \
%D%/packages/patches/linux-pam-no-setfsuid.patch \
%D%/packages/patches/linux-pam-unix_chkpwd.patch \
%D%/packages/patches/linuxdcpp-openssl-1.1.patch \
diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm
index 67128524ff..aabbc7fc17 100644
--- a/gnu/packages/linux.scm
+++ b/gnu/packages/linux.scm
@@ -34,7 +34,7 @@
;;; Copyright © 2018 Vasile Dumitrascu <va511e@yahoo.com>
;;; Copyright © 2019 Tim Gesthuizen <tim.gesthuizen@yahoo.de>
;;; Copyright © 2019 mikadoZero <mikadozero@yandex.com>
-;;; Copyright © 2019, 2020, 2021, 2022 Maxim Cournoyer
<maxim.cournoyer@gmail.com>
+;;; Copyright © 2019, 2020, 2021, 2022, 2023 Maxim Cournoyer
<maxim.cournoyer@gmail.com>
;;; Copyright © 2019 Stefan Stefanović <stefanx2ovic@gmail.com>
;;; Copyright © 2019-2022 Brice Waegeneire <brice@waegenei.re>
;;; Copyright © 2019 Kei Kebreau <kkebreau@posteo.net>
@@ -641,28 +641,39 @@ corresponding UPSTREAM-SOURCE (an origin), using the
given DEBLOB-SCRIPTS."
(define-public linux-libre-6.4-source
(source-with-patches linux-libre-6.4-pristine-source
(list %boot-logo-patch
-
%linux-libre-arm-export-__sync_icache_dcache-patch)))
+ %linux-libre-arm-export-__sync_icache_dcache-patch
+ (search-patch
+ "linux-libre-wireguard-postup-privkey.patch"))))
(define-public linux-libre-6.3-source
(source-with-patches linux-libre-6.3-pristine-source
(list %boot-logo-patch
-
%linux-libre-arm-export-__sync_icache_dcache-patch)))
+ %linux-libre-arm-export-__sync_icache_dcache-patch
+ (search-patch
+ "linux-libre-wireguard-postup-privkey.patch"))))
(define-public linux-libre-6.1-source
(source-with-patches linux-libre-6.1-pristine-source
- (list %boot-logo-patch
- %linux-libre-arm-export-__sync_icache_dcache-patch
- (search-patch
"linux-libre-infodocs-target.patch"))))
+ (append
+ (list %boot-logo-patch
+
%linux-libre-arm-export-__sync_icache_dcache-patch)
+ (search-patches
+ "linux-libre-infodocs-target.patch"
+ "linux-libre-wireguard-postup-privkey.patch"))))
(define-public linux-libre-5.15-source
(source-with-patches linux-libre-5.15-pristine-source
(list %boot-logo-patch
-
%linux-libre-arm-export-__sync_icache_dcache-patch)))
+ %linux-libre-arm-export-__sync_icache_dcache-patch
+ (search-patch
+ "linux-libre-wireguard-postup-privkey.patch"))))
(define-public linux-libre-5.10-source
(source-with-patches linux-libre-5.10-pristine-source
(list %boot-logo-patch
-
%linux-libre-arm-export-__sync_icache_dcache-patch)))
+ %linux-libre-arm-export-__sync_icache_dcache-patch
+ (search-patch
+ "linux-libre-wireguard-postup-privkey.patch"))))
(define-public linux-libre-5.4-source
(source-with-patches linux-libre-5.4-pristine-source
diff --git a/gnu/packages/patches/linux-libre-wireguard-postup-privkey.patch
b/gnu/packages/patches/linux-libre-wireguard-postup-privkey.patch
new file mode 100644
index 0000000000..a6050499e1
--- /dev/null
+++ b/gnu/packages/patches/linux-libre-wireguard-postup-privkey.patch
@@ -0,0 +1,119 @@
+From 3ac1bf099766f1e9735883d5127148054cd5b30a Mon Sep 17 00:00:00 2001
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+Date: Thu, 18 May 2023 03:08:44 +0200
+Subject: wireguard: netlink: send staged packets when setting initial private
+ key
+
+Packets bound for peers can queue up prior to the device private key
+being set. For example, if persistent keepalive is set, a packet is
+queued up to be sent as soon as the device comes up. However, if the
+private key hasn't been set yet, the handshake message never sends, and
+no timer is armed to retry, since that would be pointless.
+
+But, if a user later sets a private key, the expectation is that those
+queued packets, such as a persistent keepalive, are actually sent. So
+adjust the configuration logic to account for this edge case, and add a
+test case to make sure this works.
+
+Maxim noticed this with a wg-quick(8) config to the tune of:
+
+ [Interface]
+ PostUp = wg set %i private-key somefile
+
+ [Peer]
+ PublicKey = ...
+ Endpoint = ...
+ PersistentKeepalive = 25
+
+Here, the private key gets set after the device comes up using a PostUp
+script, triggering the bug.
+
+Fixes: e7096c131e51 ("net: WireGuard secure network tunnel")
+Cc: stable@vger.kernel.org
+Reported-by: Maxim Cournoyer <maxim.cournoyer@gmail.com>
+Link: https://lore.kernel.org/wireguard/87fs7xtqrv.fsf@gmail.com/
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+---
+ drivers/net/wireguard/netlink.c | 14 +++++++++-----
+ tools/testing/selftests/wireguard/netns.sh | 30 ++++++++++++++++++++++++++----
+ 2 files changed, 35 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/net/wireguard/netlink.c b/drivers/net/wireguard/netlink.c
+index 43c8c84e7ea8..6d1bd9f52d02 100644
+--- a/drivers/net/wireguard/netlink.c
++++ b/drivers/net/wireguard/netlink.c
+@@ -546,6 +546,7 @@ static int wg_set_device(struct sk_buff *skb, struct
genl_info *info)
+ u8 *private_key = nla_data(info->attrs[WGDEVICE_A_PRIVATE_KEY]);
+ u8 public_key[NOISE_PUBLIC_KEY_LEN];
+ struct wg_peer *peer, *temp;
++ bool send_staged_packets;
+
+ if (!crypto_memneq(wg->static_identity.static_private,
+ private_key, NOISE_PUBLIC_KEY_LEN))
+@@ -564,14 +565,17 @@ static int wg_set_device(struct sk_buff *skb, struct
genl_info *info)
+ }
+
+ down_write(&wg->static_identity.lock);
+- wg_noise_set_static_identity_private_key(&wg->static_identity,
+- private_key);
+- list_for_each_entry_safe(peer, temp, &wg->peer_list,
+- peer_list) {
++ send_staged_packets = !wg->static_identity.has_identity &&
netif_running(wg->dev);
++ wg_noise_set_static_identity_private_key(&wg->static_identity,
private_key);
++ send_staged_packets = send_staged_packets &&
wg->static_identity.has_identity;
++
++ wg_cookie_checker_precompute_device_keys(&wg->cookie_checker);
++ list_for_each_entry_safe(peer, temp, &wg->peer_list, peer_list)
{
+ wg_noise_precompute_static_static(peer);
+ wg_noise_expire_current_peer_keypairs(peer);
++ if (send_staged_packets)
++ wg_packet_send_staged_packets(peer);
+ }
+- wg_cookie_checker_precompute_device_keys(&wg->cookie_checker);
+ up_write(&wg->static_identity.lock);
+ }
+ skip_set_private_key:
+diff --git a/tools/testing/selftests/wireguard/netns.sh
b/tools/testing/selftests/wireguard/netns.sh
+index 69c7796c7ca9..405ff262ca93 100755
+--- a/tools/testing/selftests/wireguard/netns.sh
++++ b/tools/testing/selftests/wireguard/netns.sh
+@@ -514,10 +514,32 @@ n2 bash -c 'printf 0 >
/proc/sys/net/ipv4/conf/all/rp_filter'
+ n1 ping -W 1 -c 1 192.168.241.2
+ [[ $(n2 wg show wg0 endpoints) == "$pub1 10.0.0.3:1" ]]
+
+-ip1 link del veth1
+-ip1 link del veth3
+-ip1 link del wg0
+-ip2 link del wg0
++ip1 link del dev veth3
++ip1 link del dev wg0
++ip2 link del dev wg0
++
++# Make sure persistent keep alives are sent when an adapter comes up
++ip1 link add dev wg0 type wireguard
++n1 wg set wg0 private-key <(echo "$key1") peer "$pub2" endpoint 10.0.0.1:1
persistent-keepalive 1
++read _ _ tx_bytes < <(n1 wg show wg0 transfer)
++[[ $tx_bytes -eq 0 ]]
++ip1 link set dev wg0 up
++read _ _ tx_bytes < <(n1 wg show wg0 transfer)
++[[ $tx_bytes -gt 0 ]]
++ip1 link del dev wg0
++# This should also happen even if the private key is set later
++ip1 link add dev wg0 type wireguard
++n1 wg set wg0 peer "$pub2" endpoint 10.0.0.1:1 persistent-keepalive 1
++read _ _ tx_bytes < <(n1 wg show wg0 transfer)
++[[ $tx_bytes -eq 0 ]]
++ip1 link set dev wg0 up
++read _ _ tx_bytes < <(n1 wg show wg0 transfer)
++[[ $tx_bytes -eq 0 ]]
++n1 wg set wg0 private-key <(echo "$key1")
++read _ _ tx_bytes < <(n1 wg show wg0 transfer)
++[[ $tx_bytes -gt 0 ]]
++ip1 link del dev veth1
++ip1 link del dev wg0
+
+ # We test that Netlink/IPC is working properly by doing things that usually
cause split responses
+ ip0 link add dev wg0 type wireguard
+--
+cgit v1.2.3-59-g8ed1b
+