From patchwork Thu May 18 17:48:42 2023
X-Patchwork-Submitter: Maxim Cournoyer
X-Patchwork-Id: 50133
Subject: [bug#63402] [PATCH v4 4/4] gnu: linux-libre: Apply wireguard patch fixing keep-alive bug.
Resent-From: Maxim Cournoyer
Resent-Date: Thu, 18 May 2023 17:50:03 +0000
To: 63402@debbugs.gnu.org
Cc: Maxim Cournoyer, Leo Famulari (leo@famulari.name), Tobias Geerinckx-Rice (me@tobias.gr), guix-patches@gnu.org
From: Maxim Cournoyer
Date: Thu, 18 May 2023 13:48:42 -0400
Message-Id: <4f49bf6c8952680bd5e017f90b3e7478fe338111.1684431342.git.maxim.cournoyer@gmail.com>
X-Mailer: git-send-email 2.39.2

* gnu/packages/patches/linux-libre-wireguard-postup-privkey.patch: New patch.
* gnu/local.mk (dist_patch_DATA): Register it.
* gnu/packages/linux.scm (linux-libre-6.3-source, linux-libre-6.2-source)
(linux-libre-6.1-source, linux-libre-5.15-source)
(linux-libre-5.10-source): Apply it.
---
 gnu/local.mk                                  |   1 +
 gnu/packages/linux.scm                        |  27 ++--
 ...linux-libre-wireguard-postup-privkey.patch | 119 ++++++++++++++++++
 3 files changed, 139 insertions(+), 8 deletions(-)
 create mode 100644 gnu/packages/patches/linux-libre-wireguard-postup-privkey.patch

diff --git a/gnu/local.mk b/gnu/local.mk index 42514ded8e..0b0aafa016 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -1515,6 +1515,7 @@ dist_patch_DATA = \ %D%/packages/patches/linphone-desktop-without-sdk.patch \ %D%/packages/patches/linux-libre-infodocs-target.patch \ %D%/packages/patches/linux-libre-support-for-Pinebook-Pro.patch \ + %D%/packages/patches/linux-libre-wireguard-postup-privkey.patch \ %D%/packages/patches/linux-pam-no-setfsuid.patch \ %D%/packages/patches/linux-pam-unix_chkpwd.patch \ %D%/packages/patches/linuxdcpp-openssl-1.1.patch \ diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm index c38287e16b..6440e358c0 100644 --- a/gnu/packages/linux.scm +++ b/gnu/packages/linux.scm 
@@ -34,7 +34,7 @@ ;;; Copyright © 2018 Vasile Dumitrascu ;;; Copyright © 2019 Tim Gesthuizen ;;; Copyright © 2019 mikadoZero -;;; Copyright © 2019, 2020, 2021, 2022 Maxim Cournoyer +;;; Copyright © 2019, 2020, 2021, 2022, 2023 Maxim Cournoyer ;;; Copyright © 2019 Stefan Stefanović ;;; Copyright © 2019-2022 Brice Waegeneire ;;; Copyright © 2019 Kei Kebreau 
@@ -639,28 +639,39 @@ (define (source-with-patches source patches) (define-public linux-libre-6.3-source (source-with-patches linux-libre-6.3-pristine-source (list %boot-logo-patch - %linux-libre-arm-export-__sync_icache_dcache-patch))) + %linux-libre-arm-export-__sync_icache_dcache-patch + (search-patch + "linux-libre-wireguard-postup-privkey.patch")))) (define-public linux-libre-6.2-source (source-with-patches linux-libre-6.2-pristine-source (list %boot-logo-patch - %linux-libre-arm-export-__sync_icache_dcache-patch))) + %linux-libre-arm-export-__sync_icache_dcache-patch + (search-patch + "linux-libre-wireguard-postup-privkey.patch")))) (define-public linux-libre-6.1-source (source-with-patches linux-libre-6.1-pristine-source - (list %boot-logo-patch - %linux-libre-arm-export-__sync_icache_dcache-patch - (search-patch "linux-libre-infodocs-target.patch")))) + (append + (list %boot-logo-patch + %linux-libre-arm-export-__sync_icache_dcache-patch) + (search-patches + "linux-libre-infodocs-target.patch" + "linux-libre-wireguard-postup-privkey.patch")))) (define-public linux-libre-5.15-source (source-with-patches linux-libre-5.15-pristine-source (list %boot-logo-patch - %linux-libre-arm-export-__sync_icache_dcache-patch))) + %linux-libre-arm-export-__sync_icache_dcache-patch + (search-patch + "linux-libre-wireguard-postup-privkey.patch")))) (define-public linux-libre-5.10-source (source-with-patches linux-libre-5.10-pristine-source (list %boot-logo-patch - %linux-libre-arm-export-__sync_icache_dcache-patch))) + %linux-libre-arm-export-__sync_icache_dcache-patch + (search-patch + "linux-libre-wireguard-postup-privkey.patch")))) (define-public linux-libre-5.4-source (source-with-patches linux-libre-5.4-pristine-source diff --git a/gnu/packages/patches/linux-libre-wireguard-postup-privkey.patch b/gnu/packages/patches/linux-libre-wireguard-postup-privkey.patch new file mode 100644 index 0000000000..a6050499e1 --- /dev/null 
+++ b/gnu/packages/patches/linux-libre-wireguard-postup-privkey.patch 
@@ -0,0 +1,119 @@ +From 3ac1bf099766f1e9735883d5127148054cd5b30a Mon Sep 17 00:00:00 2001 +From: "Jason A. Donenfeld" +Date: Thu, 18 May 2023 03:08:44 +0200 +Subject: wireguard: netlink: send staged packets when setting initial private + key + +Packets bound for peers can queue up prior to the device private key +being set. For example, if persistent keepalive is set, a packet is +queued up to be sent as soon as the device comes up. However, if the +private key hasn't been set yet, the handshake message never sends, and +no timer is armed to retry, since that would be pointless. + +But, if a user later sets a private key, the expectation is that those +queued packets, such as a persistent keepalive, are actually sent. So +adjust the configuration logic to account for this edge case, and add a +test case to make sure this works. + +Maxim noticed this with a wg-quick(8) config to the tune of: + + [Interface] + PostUp = wg set %i private-key somefile + + [Peer] + PublicKey = ... + Endpoint = ... + PersistentKeepalive = 25 + +Here, the private key gets set after the device comes up using a PostUp +script, triggering the bug. + +Fixes: e7096c131e51 ("net: WireGuard secure network tunnel") +Cc: stable@vger.kernel.org +Reported-by: Maxim Cournoyer +Link: https://lore.kernel.org/wireguard/87fs7xtqrv.fsf@gmail.com/ +Signed-off-by: Jason A. 
Donenfeld +--- + drivers/net/wireguard/netlink.c | 14 +++++++++----- + tools/testing/selftests/wireguard/netns.sh | 30 ++++++++++++++++++++++++++---- + 2 files changed, 35 insertions(+), 9 deletions(-) + +diff --git a/drivers/net/wireguard/netlink.c b/drivers/net/wireguard/netlink.c +index 43c8c84e7ea8..6d1bd9f52d02 100644 +--- a/drivers/net/wireguard/netlink.c ++++ b/drivers/net/wireguard/netlink.c +@@ -546,6 +546,7 @@ static int wg_set_device(struct sk_buff *skb, struct genl_info *info) + u8 *private_key = nla_data(info->attrs[WGDEVICE_A_PRIVATE_KEY]); + u8 public_key[NOISE_PUBLIC_KEY_LEN]; + struct wg_peer *peer, *temp; ++ bool send_staged_packets; + + if (!crypto_memneq(wg->static_identity.static_private, + private_key, NOISE_PUBLIC_KEY_LEN)) +@@ -564,14 +565,17 @@ static int wg_set_device(struct sk_buff *skb, struct genl_info *info) + } + + down_write(&wg->static_identity.lock); +- wg_noise_set_static_identity_private_key(&wg->static_identity, +- private_key); +- list_for_each_entry_safe(peer, temp, &wg->peer_list, +- peer_list) { ++ send_staged_packets = !wg->static_identity.has_identity && netif_running(wg->dev); ++ wg_noise_set_static_identity_private_key(&wg->static_identity, private_key); ++ send_staged_packets = send_staged_packets && wg->static_identity.has_identity; ++ ++ wg_cookie_checker_precompute_device_keys(&wg->cookie_checker); ++ list_for_each_entry_safe(peer, temp, &wg->peer_list, peer_list) { + wg_noise_precompute_static_static(peer); + wg_noise_expire_current_peer_keypairs(peer); ++ if (send_staged_packets) ++ wg_packet_send_staged_packets(peer); + } +- wg_cookie_checker_precompute_device_keys(&wg->cookie_checker); + up_write(&wg->static_identity.lock); + } + skip_set_private_key: +diff --git a/tools/testing/selftests/wireguard/netns.sh b/tools/testing/selftests/wireguard/netns.sh +index 69c7796c7ca9..405ff262ca93 100755 +--- a/tools/testing/selftests/wireguard/netns.sh ++++ b/tools/testing/selftests/wireguard/netns.sh +@@ -514,10 +514,32 @@ 
n2 bash -c 'printf 0 > /proc/sys/net/ipv4/conf/all/rp_filter' + n1 ping -W 1 -c 1 192.168.241.2 + [[ $(n2 wg show wg0 endpoints) == "$pub1 10.0.0.3:1" ]] + +-ip1 link del veth1 +-ip1 link del veth3 +-ip1 link del wg0 +-ip2 link del wg0 ++ip1 link del dev veth3 ++ip1 link del dev wg0 ++ip2 link del dev wg0 ++ ++# Make sure persistent keep alives are sent when an adapter comes up ++ip1 link add dev wg0 type wireguard ++n1 wg set wg0 private-key <(echo "$key1") peer "$pub2" endpoint 10.0.0.1:1 persistent-keepalive 1 ++read _ _ tx_bytes < <(n1 wg show wg0 transfer) ++[[ $tx_bytes -eq 0 ]] ++ip1 link set dev wg0 up ++read _ _ tx_bytes < <(n1 wg show wg0 transfer) ++[[ $tx_bytes -gt 0 ]] ++ip1 link del dev wg0 ++# This should also happen even if the private key is set later ++ip1 link add dev wg0 type wireguard ++n1 wg set wg0 peer "$pub2" endpoint 10.0.0.1:1 persistent-keepalive 1 ++read _ _ tx_bytes < <(n1 wg show wg0 transfer) ++[[ $tx_bytes -eq 0 ]] ++ip1 link set dev wg0 up ++read _ _ tx_bytes < <(n1 wg show wg0 transfer) ++[[ $tx_bytes -eq 0 ]] ++n1 wg set wg0 private-key <(echo "$key1") ++read _ _ tx_bytes < <(n1 wg show wg0 transfer) ++[[ $tx_bytes -gt 0 ]] ++ip1 link del dev veth1 ++ip1 link del dev wg0 + + # We test that Netlink/IPC is working properly by doing things that usually cause split responses + ip0 link add dev wg0 type wireguard +-- +cgit v1.2.3-59-g8ed1b +
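Review bot: in the gnu/packages/linux.scm hunk, the same `(search-patch "linux-libre-wireguard-postup-privkey.patch")` form is repeated for the 6.3, 6.2, 6.1, 5.15 and 5.10 sources, and the 6.1 definition alone switches to `(append (list ...) (search-patches ...))` while the other four stay `(list ... (search-patch ...))`. Binding the patch once, the way the file already does for `%boot-logo-patch` and `%linux-libre-arm-export-__sync_icache_dcache-patch`, and using one shape in all five definitions would keep them uniform and make dropping the patch a one-line change once it lands in stable. The commit message should also say why `linux-libre-5.4-source`, visible unchanged at the end of the hunk, is left out, presumably because 5.4 predates the driver introduced by the commit the embedded patch's `Fixes: e7096c131e51 ("net: WireGuard secure network tunnel")` tag names; a short note would save the next reader from checking.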
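Review bot: in the drivers/net/wireguard/netlink.c hunk, `wg_packet_send_staged_packets(peer)` is now called inside the `down_write(&wg->static_identity.lock)` / `up_write(...)` region, and neither the diff nor the commit message says whether the handshake path it kicks off re-takes that lock or defers the send to a workqueue; a sentence in the message (or a comment above the call) would make the locking reviewable from the patch alone. The relocation of `wg_cookie_checker_precompute_device_keys(&wg->cookie_checker);` from after the peer loop to before it is likewise unexplained; since it now runs before any staged packet can go out, say that this is the intent. Minor: the new `send_staged_packets = !wg->static_identity.has_identity && netif_running(wg->dev);` line and the rejoined `wg_noise_set_static_identity_private_key(&wg->static_identity, private_key);` are noticeably longer than the 80-column wrapping the two replaced lines used; keep the wrapped form if the file follows it elsewhere.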
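Review bot: in the tools/testing/selftests/wireguard/netns.sh hunk, both `[[ $tx_bytes -gt 0 ]]` checks read `wg show wg0 transfer` immediately after `ip1 link set dev wg0 up` and after `n1 wg set wg0 private-key <(echo "$key1")`, with no retry; if the handshake initiation that increments `tx_bytes` is emitted asynchronously rather than inline in the open/netlink path, these assertions are timing-dependent and would flake on a loaded runner. A short poll such as `for i in {1..20}; do read _ _ tx_bytes < <(n1 wg show wg0 transfer); [[ $tx_bytes -gt 0 ]] && break; sleep 0.1; done` before the check would keep the test deterministic either way. Separately, `ip1 link del veth1` is moved from the cleanup block to `ip1 link del dev veth1` after the new test, which is needed because the new peer's `endpoint 10.0.0.1:1` is reached over veth1, but nothing in the hunk says so; a one-line comment next to the deferred deletion would stop a later cleanup from putting it back.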