diff options
Diffstat (limited to 'gnu/packages/patches/linux-libre-wireguard-postup-privkey.patch')
-rw-r--r-- | gnu/packages/patches/linux-libre-wireguard-postup-privkey.patch | 119 |
1 files changed, 0 insertions, 119 deletions
diff --git a/gnu/packages/patches/linux-libre-wireguard-postup-privkey.patch b/gnu/packages/patches/linux-libre-wireguard-postup-privkey.patch deleted file mode 100644 index a6050499e1..0000000000 --- a/gnu/packages/patches/linux-libre-wireguard-postup-privkey.patch +++ /dev/null @@ -1,119 +0,0 @@ -From 3ac1bf099766f1e9735883d5127148054cd5b30a Mon Sep 17 00:00:00 2001 -From: "Jason A. Donenfeld" <Jason@zx2c4.com> -Date: Thu, 18 May 2023 03:08:44 +0200 -Subject: wireguard: netlink: send staged packets when setting initial private - key - -Packets bound for peers can queue up prior to the device private key -being set. For example, if persistent keepalive is set, a packet is -queued up to be sent as soon as the device comes up. However, if the -private key hasn't been set yet, the handshake message never sends, and -no timer is armed to retry, since that would be pointless. - -But, if a user later sets a private key, the expectation is that those -queued packets, such as a persistent keepalive, are actually sent. So -adjust the configuration logic to account for this edge case, and add a -test case to make sure this works. - -Maxim noticed this with a wg-quick(8) config to the tune of: - - [Interface] - PostUp = wg set %i private-key somefile - - [Peer] - PublicKey = ... - Endpoint = ... - PersistentKeepalive = 25 - -Here, the private key gets set after the device comes up using a PostUp -script, triggering the bug. - -Fixes: e7096c131e51 ("net: WireGuard secure network tunnel") -Cc: stable@vger.kernel.org -Reported-by: Maxim Cournoyer <maxim.cournoyer@gmail.com> -Link: https://lore.kernel.org/wireguard/87fs7xtqrv.fsf@gmail.com/ -Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com> ---- - drivers/net/wireguard/netlink.c | 14 +++++++++----- - tools/testing/selftests/wireguard/netns.sh | 30 ++++++++++++++++++++++++++---- - 2 files changed, 35 insertions(+), 9 deletions(-) - -diff --git a/drivers/net/wireguard/netlink.c b/drivers/net/wireguard/netlink.c -index 43c8c84e7ea8..6d1bd9f52d02 100644 ---- a/drivers/net/wireguard/netlink.c -+++ b/drivers/net/wireguard/netlink.c -@@ -546,6 +546,7 @@ static int wg_set_device(struct sk_buff *skb, struct genl_info *info) - u8 *private_key = nla_data(info->attrs[WGDEVICE_A_PRIVATE_KEY]); - u8 public_key[NOISE_PUBLIC_KEY_LEN]; - struct wg_peer *peer, *temp; -+ bool send_staged_packets; - - if (!crypto_memneq(wg->static_identity.static_private, - private_key, NOISE_PUBLIC_KEY_LEN)) -@@ -564,14 +565,17 @@ static int wg_set_device(struct sk_buff *skb, struct genl_info *info) - } - - down_write(&wg->static_identity.lock); -- wg_noise_set_static_identity_private_key(&wg->static_identity, -- private_key); -- list_for_each_entry_safe(peer, temp, &wg->peer_list, -- peer_list) { -+ send_staged_packets = !wg->static_identity.has_identity && netif_running(wg->dev); -+ wg_noise_set_static_identity_private_key(&wg->static_identity, private_key); -+ send_staged_packets = send_staged_packets && wg->static_identity.has_identity; -+ -+ wg_cookie_checker_precompute_device_keys(&wg->cookie_checker); -+ list_for_each_entry_safe(peer, temp, &wg->peer_list, peer_list) { - wg_noise_precompute_static_static(peer); - wg_noise_expire_current_peer_keypairs(peer); -+ if (send_staged_packets) -+ wg_packet_send_staged_packets(peer); - } -- wg_cookie_checker_precompute_device_keys(&wg->cookie_checker); - up_write(&wg->static_identity.lock); - } - skip_set_private_key: -diff --git a/tools/testing/selftests/wireguard/netns.sh b/tools/testing/selftests/wireguard/netns.sh -index 69c7796c7ca9..405ff262ca93 100755 ---- a/tools/testing/selftests/wireguard/netns.sh -+++ b/tools/testing/selftests/wireguard/netns.sh -@@ -514,10 +514,32 @@ n2 bash -c 'printf 0 > /proc/sys/net/ipv4/conf/all/rp_filter' - n1 ping -W 1 -c 1 192.168.241.2 - [[ $(n2 wg show wg0 endpoints) == "$pub1 10.0.0.3:1" ]] - --ip1 link del veth1 --ip1 link del veth3 --ip1 link del wg0 --ip2 link del wg0 -+ip1 link del dev veth3 -+ip1 link del dev wg0 -+ip2 link del dev wg0 -+ -+# Make sure persistent keep alives are sent when an adapter comes up -+ip1 link add dev wg0 type wireguard -+n1 wg set wg0 private-key <(echo "$key1") peer "$pub2" endpoint 10.0.0.1:1 persistent-keepalive 1 -+read _ _ tx_bytes < <(n1 wg show wg0 transfer) -+[[ $tx_bytes -eq 0 ]] -+ip1 link set dev wg0 up -+read _ _ tx_bytes < <(n1 wg show wg0 transfer) -+[[ $tx_bytes -gt 0 ]] -+ip1 link del dev wg0 -+# This should also happen even if the private key is set later -+ip1 link add dev wg0 type wireguard -+n1 wg set wg0 peer "$pub2" endpoint 10.0.0.1:1 persistent-keepalive 1 -+read _ _ tx_bytes < <(n1 wg show wg0 transfer) -+[[ $tx_bytes -eq 0 ]] -+ip1 link set dev wg0 up -+read _ _ tx_bytes < <(n1 wg show wg0 transfer) -+[[ $tx_bytes -eq 0 ]] -+n1 wg set wg0 private-key <(echo "$key1") -+read _ _ tx_bytes < <(n1 wg show wg0 transfer) -+[[ $tx_bytes -gt 0 ]] -+ip1 link del dev veth1 -+ip1 link del dev wg0 - - # We test that Netlink/IPC is working properly by doing things that usually cause split responses - ip0 link add dev wg0 type wireguard --- -cgit v1.2.3-59-g8ed1b - |