unofficial mirror of guix-patches@gnu.org 
From: Maxim Cournoyer <maxim.cournoyer@gmail.com>
To: 63402@debbugs.gnu.org
Cc: Maxim Cournoyer <maxim.cournoyer@gmail.com>,
	Leo Famulari <leo@famulari.name>,
	Tobias Geerinckx-Rice <me@tobias.gr>
Subject: [bug#63402] [PATCH v5 5/5] gnu: linux-libre: Apply wireguard patch fixing keep-alive bug.
Date: Thu, 18 May 2023 21:59:17 -0400
Message-ID: <7ad316feb164d04c47c9f61257f771a1a33209ba.1684461197.git.maxim.cournoyer@gmail.com>
In-Reply-To: <cover.1684461197.git.maxim.cournoyer@gmail.com>

* gnu/packages/patches/linux-libre-wireguard-postup-privkey.patch: New patch.
* gnu/local.mk (dist_patch_DATA): Register it.
* gnu/packages/linux.scm (linux-libre-6.3-source, linux-libre-6.2-source)
(linux-libre-6.1-source, linux-libre-5.15-source)
(linux-libre-5.10-source): Apply it.
---
 gnu/local.mk                                  |   1 +
 gnu/packages/linux.scm                        |  27 ++--
 ...linux-libre-wireguard-postup-privkey.patch | 119 ++++++++++++++++++
 3 files changed, 139 insertions(+), 8 deletions(-)
 create mode 100644 gnu/packages/patches/linux-libre-wireguard-postup-privkey.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index 42514ded8e..0b0aafa016 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1515,6 +1515,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/linphone-desktop-without-sdk.patch	\
   %D%/packages/patches/linux-libre-infodocs-target.patch	\
   %D%/packages/patches/linux-libre-support-for-Pinebook-Pro.patch \
+  %D%/packages/patches/linux-libre-wireguard-postup-privkey.patch \
   %D%/packages/patches/linux-pam-no-setfsuid.patch		\
   %D%/packages/patches/linux-pam-unix_chkpwd.patch		\
   %D%/packages/patches/linuxdcpp-openssl-1.1.patch		\
diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm
index 1aa87d3965..2780aa47dc 100644
--- a/gnu/packages/linux.scm
+++ b/gnu/packages/linux.scm
@@ -34,7 +34,7 @@
 ;;; Copyright © 2018 Vasile Dumitrascu <va511e@yahoo.com>
 ;;; Copyright © 2019 Tim Gesthuizen <tim.gesthuizen@yahoo.de>
 ;;; Copyright © 2019 mikadoZero <mikadozero@yandex.com>
-;;; Copyright © 2019, 2020, 2021, 2022 Maxim Cournoyer <maxim.cournoyer@gmail.com>
+;;; Copyright © 2019, 2020, 2021, 2022, 2023 Maxim Cournoyer <maxim.cournoyer@gmail.com>
 ;;; Copyright © 2019 Stefan Stefanović <stefanx2ovic@gmail.com>
 ;;; Copyright © 2019-2022 Brice Waegeneire <brice@waegenei.re>
 ;;; Copyright © 2019 Kei Kebreau <kkebreau@posteo.net>
@@ -639,28 +639,39 @@ (define (source-with-patches source patches)
 (define-public linux-libre-6.3-source
   (source-with-patches linux-libre-6.3-pristine-source
                        (list %boot-logo-patch
-                             %linux-libre-arm-export-__sync_icache_dcache-patch)))
+                             %linux-libre-arm-export-__sync_icache_dcache-patch
+                             (search-patch
+                              "linux-libre-wireguard-postup-privkey.patch"))))
 
 (define-public linux-libre-6.2-source
   (source-with-patches linux-libre-6.2-pristine-source
                        (list %boot-logo-patch
-                             %linux-libre-arm-export-__sync_icache_dcache-patch)))
+                             %linux-libre-arm-export-__sync_icache_dcache-patch
+                             (search-patch
+                              "linux-libre-wireguard-postup-privkey.patch"))))
 
 (define-public linux-libre-6.1-source
   (source-with-patches linux-libre-6.1-pristine-source
-                       (list %boot-logo-patch
-                             %linux-libre-arm-export-__sync_icache_dcache-patch
-                             (search-patch "linux-libre-infodocs-target.patch"))))
+                       (append
+                        (list %boot-logo-patch
+                              %linux-libre-arm-export-__sync_icache_dcache-patch)
+                        (search-patches
+                         "linux-libre-infodocs-target.patch"
+                         "linux-libre-wireguard-postup-privkey.patch"))))
 
 (define-public linux-libre-5.15-source
   (source-with-patches linux-libre-5.15-pristine-source
                        (list %boot-logo-patch
-                             %linux-libre-arm-export-__sync_icache_dcache-patch)))
+                             %linux-libre-arm-export-__sync_icache_dcache-patch
+                             (search-patch
+                              "linux-libre-wireguard-postup-privkey.patch"))))
 
 (define-public linux-libre-5.10-source
   (source-with-patches linux-libre-5.10-pristine-source
                        (list %boot-logo-patch
-                             %linux-libre-arm-export-__sync_icache_dcache-patch)))
+                             %linux-libre-arm-export-__sync_icache_dcache-patch
+                             (search-patch
+                              "linux-libre-wireguard-postup-privkey.patch"))))
 
 (define-public linux-libre-5.4-source
   (source-with-patches linux-libre-5.4-pristine-source
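Review bot: the new patch is applied verbatim to 5.10, 5.15, 6.1, 6.2 and 6.3, but it was generated against the current upstream tree (see the `From 3ac1bf09…` header and the `cgit` footer of the file added below), so each of the five branches should be built once to confirm that both hunks of the embedded patch still apply. The `tools/testing/selftests/wireguard/netns.sh` hunk in particular touches a file Guix never builds; dropping it from the distro copy would remove a hunk that serves no purpose here and can only fail to apply on an older tree. Leaving `linux-libre-5.4-source` untouched is correct: the fix's `Fixes:` target, e7096c131e51 ("net: WireGuard secure network tunnel"), is the commit that introduced the in-tree driver, and 5.4 predates it. Style: the 6.1 entry switches to `(append (list …) (search-patches …))` while the other four keep an inline `(search-patch …)`; using one form for all five would keep the block uniform.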
diff --git a/gnu/packages/patches/linux-libre-wireguard-postup-privkey.patch b/gnu/packages/patches/linux-libre-wireguard-postup-privkey.patch
new file mode 100644
index 0000000000..a6050499e1
--- /dev/null
+++ b/gnu/packages/patches/linux-libre-wireguard-postup-privkey.patch
@@ -0,0 +1,119 @@
+From 3ac1bf099766f1e9735883d5127148054cd5b30a Mon Sep 17 00:00:00 2001
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+Date: Thu, 18 May 2023 03:08:44 +0200
+Subject: wireguard: netlink: send staged packets when setting initial private
+ key
+
+Packets bound for peers can queue up prior to the device private key
+being set. For example, if persistent keepalive is set, a packet is
+queued up to be sent as soon as the device comes up. However, if the
+private key hasn't been set yet, the handshake message never sends, and
+no timer is armed to retry, since that would be pointless.
+
+But, if a user later sets a private key, the expectation is that those
+queued packets, such as a persistent keepalive, are actually sent. So
+adjust the configuration logic to account for this edge case, and add a
+test case to make sure this works.
+
+Maxim noticed this with a wg-quick(8) config to the tune of:
+
+    [Interface]
+    PostUp = wg set %i private-key somefile
+
+    [Peer]
+    PublicKey = ...
+    Endpoint = ...
+    PersistentKeepalive = 25
+
+Here, the private key gets set after the device comes up using a PostUp
+script, triggering the bug.
+
+Fixes: e7096c131e51 ("net: WireGuard secure network tunnel")
+Cc: stable@vger.kernel.org
+Reported-by: Maxim Cournoyer <maxim.cournoyer@gmail.com>
+Link: https://lore.kernel.org/wireguard/87fs7xtqrv.fsf@gmail.com/
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+---
+ drivers/net/wireguard/netlink.c            | 14 +++++++++-----
+ tools/testing/selftests/wireguard/netns.sh | 30 ++++++++++++++++++++++++++----
+ 2 files changed, 35 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/net/wireguard/netlink.c b/drivers/net/wireguard/netlink.c
+index 43c8c84e7ea8..6d1bd9f52d02 100644
+--- a/drivers/net/wireguard/netlink.c
++++ b/drivers/net/wireguard/netlink.c
+@@ -546,6 +546,7 @@ static int wg_set_device(struct sk_buff *skb, struct genl_info *info)
+ 		u8 *private_key = nla_data(info->attrs[WGDEVICE_A_PRIVATE_KEY]);
+ 		u8 public_key[NOISE_PUBLIC_KEY_LEN];
+ 		struct wg_peer *peer, *temp;
++		bool send_staged_packets;
+ 
+ 		if (!crypto_memneq(wg->static_identity.static_private,
+ 				   private_key, NOISE_PUBLIC_KEY_LEN))
+@@ -564,14 +565,17 @@ static int wg_set_device(struct sk_buff *skb, struct genl_info *info)
+ 		}
+ 
+ 		down_write(&wg->static_identity.lock);
+-		wg_noise_set_static_identity_private_key(&wg->static_identity,
+-							 private_key);
+-		list_for_each_entry_safe(peer, temp, &wg->peer_list,
+-					 peer_list) {
++		send_staged_packets = !wg->static_identity.has_identity && netif_running(wg->dev);
++		wg_noise_set_static_identity_private_key(&wg->static_identity, private_key);
++		send_staged_packets = send_staged_packets && wg->static_identity.has_identity;
++
++		wg_cookie_checker_precompute_device_keys(&wg->cookie_checker);
++		list_for_each_entry_safe(peer, temp, &wg->peer_list, peer_list) {
+ 			wg_noise_precompute_static_static(peer);
+ 			wg_noise_expire_current_peer_keypairs(peer);
++			if (send_staged_packets)
++				wg_packet_send_staged_packets(peer);
+ 		}
+-		wg_cookie_checker_precompute_device_keys(&wg->cookie_checker);
+ 		up_write(&wg->static_identity.lock);
+ 	}
+ skip_set_private_key:
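Review bot: the split computation of `send_staged_packets` (`!has_identity && netif_running()` before the key is installed, then `&& has_identity` after) is correct but reads as a redundant reassignment; a one-line comment stating that the second check covers the case where `wg_noise_set_static_identity_private_key()` rejects the key and leaves the device without an identity would save the next reader a trip into noise.c. The move of `wg_cookie_checker_precompute_device_keys()` from after the peer loop to before it is also a silent ordering change, presumably so that the device cookie keys exist before `wg_packet_send_staged_packets()` can trigger the first handshake from inside the loop; the commit message should say so, since it is the only behavioural change in this hunk that is not explained by the bug report.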
+diff --git a/tools/testing/selftests/wireguard/netns.sh b/tools/testing/selftests/wireguard/netns.sh
+index 69c7796c7ca9..405ff262ca93 100755
+--- a/tools/testing/selftests/wireguard/netns.sh
++++ b/tools/testing/selftests/wireguard/netns.sh
+@@ -514,10 +514,32 @@ n2 bash -c 'printf 0 > /proc/sys/net/ipv4/conf/all/rp_filter'
+ n1 ping -W 1 -c 1 192.168.241.2
+ [[ $(n2 wg show wg0 endpoints) == "$pub1	10.0.0.3:1" ]]
+ 
+-ip1 link del veth1
+-ip1 link del veth3
+-ip1 link del wg0
+-ip2 link del wg0
++ip1 link del dev veth3
++ip1 link del dev wg0
++ip2 link del dev wg0
++
++# Make sure persistent keep alives are sent when an adapter comes up
++ip1 link add dev wg0 type wireguard
++n1 wg set wg0 private-key <(echo "$key1") peer "$pub2" endpoint 10.0.0.1:1 persistent-keepalive 1
++read _ _ tx_bytes < <(n1 wg show wg0 transfer)
++[[ $tx_bytes -eq 0 ]]
++ip1 link set dev wg0 up
++read _ _ tx_bytes < <(n1 wg show wg0 transfer)
++[[ $tx_bytes -gt 0 ]]
++ip1 link del dev wg0
++# This should also happen even if the private key is set later
++ip1 link add dev wg0 type wireguard
++n1 wg set wg0 peer "$pub2" endpoint 10.0.0.1:1 persistent-keepalive 1
++read _ _ tx_bytes < <(n1 wg show wg0 transfer)
++[[ $tx_bytes -eq 0 ]]
++ip1 link set dev wg0 up
++read _ _ tx_bytes < <(n1 wg show wg0 transfer)
++[[ $tx_bytes -eq 0 ]]
++n1 wg set wg0 private-key <(echo "$key1")
++read _ _ tx_bytes < <(n1 wg show wg0 transfer)
++[[ $tx_bytes -gt 0 ]]
++ip1 link del dev veth1
++ip1 link del dev wg0
+ 
+ # We test that Netlink/IPC is working properly by doing things that usually cause split responses
+ ip0 link add dev wg0 type wireguard
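Review bot: the two `[[ $tx_bytes -gt 0 ]]` assertions, one right after `ip1 link set dev wg0 up` and one right after `n1 wg set wg0 private-key …`, read the counter exactly once and immediately, so they assume the keepalive's handshake initiation has already left the device by the time `wg show wg0 transfer` runs. If that send is deferred to a worker, the check can be flaky on a loaded test box; re-reading the counter a handful of times with a short sleep would make the test robust without weakening it. Moving `ip1 link del dev veth1` to after the new block is required because the new peer's endpoint 10.0.0.1:1 is reached over veth1, and a comment saying so would stop someone from "restoring" the old deletion order. Minor: "keep alives" in the new comment is normally spelled "keepalives".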
+-- 
+cgit v1.2.3-59-g8ed1b
+
-- 
2.40.1
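Added example, my own script rather than anything from the Guix patch or the kernel selftest: a host-level check of whether the running kernel carries this fix. It reproduces the ordering from the bug report (peer and keepalive configured, link brought up, private key installed only afterwards) inside a throwaway network namespace, and polls the peer's tx counter instead of reading it once. It assumes root, the `wireguard` module, `wg(8)` and `ip(8)`; the namespace name, the 127.0.0.1:51820 endpoint and the freshly generated keys are arbitrary.

```bash
#!/usr/bin/env bash
# Added example, not from the Guix patch or the kernel tree.
# Usage: sudo bash wg-late-key-check.sh run
set -euo pipefail

# Sum the tx_bytes column of `wg show <if> transfer`, whose lines are
# "<peer-pubkey>\t<rx_bytes>\t<tx_bytes>", one per peer.
wg_tx_bytes() {
    local total=0 _peer _rx tx
    while read -r _peer _rx tx; do
        [ -n "${tx:-}" ] && total=$((total + tx))
    done
    printf '%s\n' "$total"
}

# Run "$@" (a command printing `wg show ... transfer` output) up to $1 times,
# 100 ms apart, until tx bytes are > 0. The initiation a keepalive triggers
# is sent asynchronously, so a single read right after the trigger can race it.
wait_for_tx() {
    local tries=$1
    shift
    while [ "$tries" -gt 0 ]; do
        if [ "$("$@" | wg_tx_bytes)" -gt 0 ]; then
            return 0
        fi
        tries=$((tries - 1))
        sleep 0.1
    done
    return 1
}

# Reproduce the report's ordering: peer + keepalive set, link up, and only
# then the private key (the wg-quick PostUp case).
repro() {
    local ns=wg-late-key ifname=wg0 key1 pub2
    key1=$(wg genkey)                 # throwaway keys, generated per run
    pub2=$(wg genkey | wg pubkey)
    ip netns add "$ns"
    trap 'ip netns del "$ns"' EXIT
    ip -n "$ns" link set lo up
    ip -n "$ns" link add "$ifname" type wireguard
    # Nothing listens on the endpoint; the initiation only has to be *sent*
    # for tx_bytes to move, and loopback inside the namespace is enough.
    ip netns exec "$ns" wg set "$ifname" peer "$pub2" \
        endpoint 127.0.0.1:51820 persistent-keepalive 1
    ip -n "$ns" link set "$ifname" up
    sleep 0.5
    # Without an identity nothing can be sent, on any kernel.
    [ "$(ip netns exec "$ns" wg show "$ifname" transfer | wg_tx_bytes)" -eq 0 ]
    ip netns exec "$ns" wg set "$ifname" private-key <(printf '%s\n' "$key1")
    if wait_for_tx 20 ip netns exec "$ns" wg show "$ifname" transfer; then
        echo "OK: keepalive went out after the late private-key set (fixed kernel)"
    else
        echo "BUG: nothing sent after the late private-key set (unpatched kernel)"
        return 1
    fi
}

if [ "${1:-}" = "run" ]; then
    repro
fi
```

The `PostUp = wg set %i private-key …` form quoted in the commit message is exactly the ordering this script exercises. Putting `PrivateKey` under `[Interface]` instead makes wg-quick install the key before it brings the link up, which is the path that already worked and so sidesteps the bug on kernels without this fix, at the cost of keeping the key in the config file rather than in a separate file.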






Thread overview: 32+ messages
2023-05-10  1:08 [bug#63402] [PATCH 0/1] Add a dynamic IP monitoring option to Wireguard service Maxim Cournoyer
2023-05-10  1:09 ` [bug#63403] [PATCH 1/1] services: wireguard: Implement a dynamic IP monitoring feature Maxim Cournoyer
2023-05-15 15:57   ` Maxim Cournoyer
2023-05-15 16:13 ` [bug#63402] [PATCH v2] " Maxim Cournoyer
2023-05-16  4:09 ` [bug#63402] [PATCH v3 1/3] " Maxim Cournoyer
2023-05-16  4:09   ` [bug#63402] [PATCH v3 2/3] services: wireguard: Clean-up configuration file serializer Maxim Cournoyer
2023-05-16  4:09   ` [bug#63402] [PATCH v3 3/3] services: wireguard: Workaround keep-alives bug Maxim Cournoyer
2023-05-18 17:48 ` [bug#63402] [PATCH v4 0/4] Implement a dynamic IP monitoring feature Maxim Cournoyer
2023-05-18 17:48   ` [bug#63402] [PATCH v4 1/4] services: wireguard: " Maxim Cournoyer
2023-05-18 17:48   ` [bug#63402] [PATCH v4 2/4] services: wireguard: Clean-up configuration file serializer Maxim Cournoyer
2023-05-18 17:48   ` [bug#63402] [PATCH v4 3/4] services: wireguard: Add a 'configuration' action Maxim Cournoyer
2023-05-18 17:48   ` [bug#63402] [PATCH v4 4/4] gnu: linux-libre: Apply wireguard patch fixing keep-alive bug Maxim Cournoyer
2023-05-19  1:59 ` [bug#63402] [PATCH v5 0/5] Implement a dynamic IP monitoring feature Maxim Cournoyer
2023-05-19  1:59   ` [bug#63402] [PATCH v5 1/5] services: herd: Add a new 'current-service' procedure Maxim Cournoyer
2023-05-22 15:00     ` [bug#63403] [PATCH 1/1] services: wireguard: Implement a dynamic IP monitoring feature Ludovic Courtès
2023-05-22 23:22       ` [bug#63402] bug#63403: " Maxim Cournoyer
2023-05-24 14:44         ` [bug#63403] " Ludovic Courtès
2023-07-21  2:15           ` Maxim Cournoyer
2023-05-19  1:59   ` [bug#63402] [PATCH v5 2/5] " Maxim Cournoyer
2023-05-22 15:03     ` [bug#63402] bug#63403: [PATCH 1/1] " Ludovic Courtès
2023-05-22 23:32       ` Maxim Cournoyer
2023-05-24 14:53         ` [bug#63403] " Ludovic Courtès
2023-05-24 22:12           ` Bruno Victal
2023-05-25 15:13           ` Maxim Cournoyer
2023-05-24 17:25     ` [bug#63402] [PATCH v5 2/5] " Bruno Victal
2023-07-21  3:55       ` Maxim Cournoyer
2023-07-21 13:23         ` Bruno Victal
2023-07-21 15:56           ` Maxim Cournoyer
2023-07-21 16:18           ` bug#63402: " Maxim Cournoyer
2023-05-19  1:59   ` [bug#63402] [PATCH v5 3/5] services: wireguard: Clean-up configuration file serializer Maxim Cournoyer
2023-05-19  1:59   ` [bug#63402] [PATCH v5 4/5] services: wireguard: Add a 'configuration' action Maxim Cournoyer
2023-05-19  1:59   ` Maxim Cournoyer [this message]

Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/guix.git
