Hello community,

here is the log from the commit of package wireguard for openSUSE:Factory 
checked in at 2020-02-15 22:25:49
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/wireguard (Old)
 and      /work/SRC/openSUSE:Factory/.wireguard.new.26092 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "wireguard"

Sat Feb 15 22:25:49 2020 rev:10 rq:774408 version:0.0.20200214

Changes:
--------
--- /work/SRC/openSUSE:Factory/wireguard/wireguard.changes      2020-02-06 
13:08:59.176360989 +0100
+++ /work/SRC/openSUSE:Factory/.wireguard.new.26092/wireguard.changes   
2020-02-15 22:25:58.687327821 +0100
@@ -1,0 +2,9 @@
+Fri Feb 14 16:08:24 UTC 2020 - Martin Hauke <mar...@gmx.de>
+
+- Update to version 0.0.20200214
+  * chacha20poly1305: defensively protect against large inputs
+  * netns: ensure that icmp src address is correct with nat
+  * receive: reset last_under_load to zero
+  * send: account for mtu=0 devices
+
+-------------------------------------------------------------------

Old:
----
  wireguard-linux-compat-0.0.20200205.tar.asc
  wireguard-linux-compat-0.0.20200205.tar.xz

New:
----
  wireguard-linux-compat-0.0.20200214.tar.asc
  wireguard-linux-compat-0.0.20200214.tar.xz

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ wireguard.spec ++++++
--- /var/tmp/diff_new_pack.qbNheu/_old  2020-02-15 22:25:59.227328113 +0100
+++ /var/tmp/diff_new_pack.qbNheu/_new  2020-02-15 22:25:59.227328113 +0100
@@ -18,7 +18,7 @@
 
 
 Name:           wireguard
-Version:        0.0.20200205
+Version:        0.0.20200214
 Release:        0
 Summary:        Fast, modern, secure kernel VPN tunnel
 License:        GPL-2.0-only


++++++ wireguard-linux-compat-0.0.20200205.tar.xz -> 
wireguard-linux-compat-0.0.20200214.tar.xz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/wireguard-linux-compat-0.0.20200205/src/compat/compat.h 
new/wireguard-linux-compat-0.0.20200214/src/compat/compat.h
--- old/wireguard-linux-compat-0.0.20200205/src/compat/compat.h 2020-02-05 
14:37:40.000000000 +0100
+++ new/wireguard-linux-compat-0.0.20200214/src/compat/compat.h 2020-02-14 
14:33:05.000000000 +0100
@@ -932,6 +932,98 @@
 #define chacha20_neon zinc_chacha20_neon
 #endif
 
+#if LINUX_VERSION_CODE < KERNEL_VERSION(3, 19, 0)
+#include <linux/skbuff.h>
+static inline int skb_ensure_writable(struct sk_buff *skb, int write_len)
+{
+       if (!pskb_may_pull(skb, write_len))
+               return -ENOMEM;
+
+       if (!skb_cloned(skb) || skb_clone_writable(skb, write_len))
+               return 0;
+
+       return pskb_expand_head(skb, 0, 0, GFP_ATOMIC);
+}
+#endif
+
+#if LINUX_VERSION_CODE < KERNEL_VERSION(5, 6, 0)
+#if IS_ENABLED(CONFIG_NF_NAT)
+#include <linux/ip.h>
+#include <linux/icmpv6.h>
+#include <net/ipv6.h>
+#include <net/icmp.h>
+#include <net/netfilter/nf_conntrack.h>
+#if LINUX_VERSION_CODE < KERNEL_VERSION(5, 1, 0)
+#include <net/netfilter/nf_nat_core.h>
+#endif
+static inline void icmp_ndo_send(struct sk_buff *skb_in, int type, int code, 
__be32 info)
+{
+       struct sk_buff *cloned_skb = NULL;
+       enum ip_conntrack_info ctinfo;
+       struct nf_conn *ct;
+       __be32 orig_ip;
+
+       ct = nf_ct_get(skb_in, &ctinfo);
+       if (!ct || !(ct->status & IPS_SRC_NAT)) {
+               icmp_send(skb_in, type, code, info);
+               return;
+       }
+
+       if (skb_shared(skb_in))
+               skb_in = cloned_skb = skb_clone(skb_in, GFP_ATOMIC);
+
+       if (unlikely(!skb_in || skb_network_header(skb_in) < skb_in->head ||
+           (skb_network_header(skb_in) + sizeof(struct iphdr)) >
+           skb_tail_pointer(skb_in) || skb_ensure_writable(skb_in,
+           skb_network_offset(skb_in) + sizeof(struct iphdr))))
+               goto out;
+
+       orig_ip = ip_hdr(skb_in)->saddr;
+       ip_hdr(skb_in)->saddr = ct->tuplehash[0].tuple.src.u3.ip;
+       icmp_send(skb_in, type, code, info);
+       ip_hdr(skb_in)->saddr = orig_ip;
+out:
+       consume_skb(cloned_skb);
+}
+static inline void icmpv6_ndo_send(struct sk_buff *skb_in, u8 type, u8 code, 
__u32 info)
+{
+       struct sk_buff *cloned_skb = NULL;
+       enum ip_conntrack_info ctinfo;
+       struct in6_addr orig_ip;
+       struct nf_conn *ct;
+
+       ct = nf_ct_get(skb_in, &ctinfo);
+       if (!ct || !(ct->status & IPS_SRC_NAT)) {
+               icmpv6_send(skb_in, type, code, info);
+               return;
+       }
+
+       if (skb_shared(skb_in))
+               skb_in = cloned_skb = skb_clone(skb_in, GFP_ATOMIC);
+
+       if (unlikely(!skb_in || skb_network_header(skb_in) < skb_in->head ||
+           (skb_network_header(skb_in) + sizeof(struct ipv6hdr)) >
+           skb_tail_pointer(skb_in) || skb_ensure_writable(skb_in,
+           skb_network_offset(skb_in) + sizeof(struct ipv6hdr))))
+               goto out;
+
+       orig_ip = ipv6_hdr(skb_in)->saddr;
+       ipv6_hdr(skb_in)->saddr = ct->tuplehash[0].tuple.src.u3.in6;
+       icmpv6_send(skb_in, type, code, info);
+       ipv6_hdr(skb_in)->saddr = orig_ip;
+out:
+       consume_skb(cloned_skb);
+}
+#else
+#define icmp_ndo_send icmp_send
+#define icmpv6_ndo_send icmpv6_send
+#endif
+#endif
+
+#if LINUX_VERSION_CODE < KERNEL_VERSION(4, 10, 0)
+#define COMPAT_CANNOT_USE_MAX_MTU
+#endif
+
 #if defined(ISUBUNTU1604)
 #include <linux/siphash.h>
 #ifndef _WG_LINUX_SIPHASH_H
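Review bot: The reason icmp_ndo_send() and icmpv6_ndo_send() temporarily rewrite the packet's source address (lines 120-123 and 150-153) is not documented in the helpers themselves, and `tuplehash[0]` is a bare index where the conntrack code spells it `IP_CT_DIR_ORIGINAL`. From the changelog entry and the netns test in this release the intent appears to be that the skb on the transmit error path may already have been SNATed, so the ICMP error must be built against the pre-NAT source for it to route back to the real sender; I would put that above icmp_ndo_send, e.g. `/* The skb may already have been SNATed; build the ICMP error against the original (pre-NAT) source so it is routed back to the sender, then restore saddr. */`, and use `ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.u3.ip` / `.in6` in both helpers. The restore at lines 123/153 also deserves a one-liner noting that the write is safe because skb_ensure_writable() (lines 80-83) has made the header private when the skb was a non-writable clone, and that a shared skb is cloned first (lines 111-112) so no other holder sees the temporary saddr. These helpers mirror what is presumably the in-tree implementation for 5.6+ (the `< KERNEL_VERSION(5, 6, 0)` guard at line 87); confirm the comment wording against that.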
@@ -956,40 +1048,6 @@
 #define BUILD_BUG_ON(x)
 #endif
 
-/* https://lkml.kernel.org/r/20170624021727.17835-1-ja...@zx2c4.com */
-#if IS_ENABLED(CONFIG_NF_CONNTRACK)
-#include <linux/ip.h>
-#include <linux/icmpv6.h>
-#include <net/ipv6.h>
-#include <net/icmp.h>
-#include <net/netfilter/nf_conntrack.h>
-#if LINUX_VERSION_CODE < KERNEL_VERSION(5, 1, 0)
-#include <net/netfilter/nf_nat_core.h>
-#endif
-static inline void new_icmp_send(struct sk_buff *skb_in, int type, int code, 
__be32 info)
-{
-       enum ip_conntrack_info ctinfo;
-       struct nf_conn *ct = nf_ct_get(skb_in, &ctinfo);
-       if (skb_network_header(skb_in) < skb_in->head || 
(skb_network_header(skb_in) + sizeof(struct iphdr)) > skb_tail_pointer(skb_in))
-               return;
-       if (ct)
-               ip_hdr(skb_in)->saddr = ct->tuplehash[0].tuple.src.u3.ip;
-       icmp_send(skb_in, type, code, info);
-}
-static inline void new_icmpv6_send(struct sk_buff *skb, u8 type, u8 code, 
__u32 info)
-{
-       enum ip_conntrack_info ctinfo;
-       struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
-       if (skb_network_header(skb) < skb->head || (skb_network_header(skb) + 
sizeof(struct ipv6hdr)) > skb_tail_pointer(skb))
-               return;
-       if (ct)
-               ipv6_hdr(skb)->saddr = ct->tuplehash[0].tuple.src.u3.in6;
-       icmpv6_send(skb, type, code, info);
-}
-#define icmp_send(a,b,c,d) new_icmp_send(a,b,c,d)
-#define icmpv6_send(a,b,c,d) new_icmpv6_send(a,b,c,d)
-#endif
-
 /* PaX compatibility */
 #ifdef CONSTIFY_PLUGIN
 #include <linux/cache.h>
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/wireguard-linux-compat-0.0.20200205/src/crypto/zinc/chacha20poly1305.c 
new/wireguard-linux-compat-0.0.20200214/src/crypto/zinc/chacha20poly1305.c
--- old/wireguard-linux-compat-0.0.20200205/src/crypto/zinc/chacha20poly1305.c  
2020-02-05 14:37:40.000000000 +0100
+++ new/wireguard-linux-compat-0.0.20200214/src/crypto/zinc/chacha20poly1305.c  
2020-02-14 14:33:05.000000000 +0100
@@ -92,6 +92,8 @@
                __le64 lens[2];
        } b __aligned(16) = { { 0 } };
 
+       if (WARN_ON(src_len > INT_MAX))
+               return false;
 
        chacha20_init(&chacha20_state, key, nonce);
        chacha20(&chacha20_state, b.block0, b.block0, sizeof(b.block0),
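Review bot: The new `WARN_ON(src_len > INT_MAX)` guard at line 227 carries no comment saying what breaks above INT_MAX, so a reader cannot tell whether the bound is an algorithmic limit or a narrowing of src_len to int further down; the enclosing function starts before this hunk and the narrowing, if that is what it is, is not visible here. Once confirmed I would add `/* src_len is narrowed to int below; refuse sizes that would go negative. */` above the check, otherwise state the real reason. WARN_ON also becomes a panic under panic_on_warn, so it is only appropriate if src_len cannot be chosen by a peer; the device.c hunk in this release caps max_mtu below INT_MAX on the transmit side and a received datagram is bounded by its UDP length, so the bound looks unreachable from the network, but that reasoning belongs in the comment too.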
@@ -253,7 +255,7 @@
        } b __aligned(16) = { { 0 } };
        bool ret = false;
 
-       if (unlikely(src_len < POLY1305_MAC_SIZE))
+       if (unlikely(src_len < POLY1305_MAC_SIZE || WARN_ON(src_len > INT_MAX)))
                return ret;
        src_len -= POLY1305_MAC_SIZE;
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/wireguard-linux-compat-0.0.20200205/src/device.c 
new/wireguard-linux-compat-0.0.20200214/src/device.c
--- old/wireguard-linux-compat-0.0.20200205/src/device.c        2020-02-05 
14:37:40.000000000 +0100
+++ new/wireguard-linux-compat-0.0.20200214/src/device.c        2020-02-14 
14:33:05.000000000 +0100
@@ -211,9 +211,9 @@
 err:
        ++dev->stats.tx_errors;
        if (skb->protocol == htons(ETH_P_IP))
-               icmp_send(skb, ICMP_DEST_UNREACH, ICMP_HOST_UNREACH, 0);
+               icmp_ndo_send(skb, ICMP_DEST_UNREACH, ICMP_HOST_UNREACH, 0);
        else if (skb->protocol == htons(ETH_P_IPV6))
-               icmpv6_send(skb, ICMPV6_DEST_UNREACH, ICMPV6_ADDR_UNREACH, 0);
+               icmpv6_ndo_send(skb, ICMPV6_DEST_UNREACH, ICMPV6_ADDR_UNREACH, 
0);
        kfree_skb(skb);
        return ret;
 }
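Review bot: The switch from icmp_send() to icmp_ndo_send() at lines 253 and 256 deserves a comment at the `err:` label, because the two names differ by one token and the reason lives only in compat.h and the changelog: this path runs on the transmit side where the skb may already have been SNATed, and the _ndo_ variant builds the error against the original source address. I would add above the `if`: `/* Use the ndo_ variants: the skb may have been SNATed on its way here, so the ICMP error must be sourced from the pre-NAT address to be routed back. */`. The function containing this `err:` label starts before the hunk.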
@@ -266,6 +266,8 @@
        enum { WG_NETDEV_FEATURES = NETIF_F_HW_CSUM | NETIF_F_RXCSUM |
                                    NETIF_F_SG | NETIF_F_GSO |
                                    NETIF_F_GSO_SOFTWARE | NETIF_F_HIGHDMA };
+       const int overhead = MESSAGE_MINIMUM_LENGTH + sizeof(struct udphdr) +
+                            max(sizeof(struct ipv6hdr), sizeof(struct iphdr));
 
        dev->netdev_ops = &netdev_ops;
        dev->hard_header_len = 0;
@@ -283,9 +285,10 @@
        dev->features |= WG_NETDEV_FEATURES;
        dev->hw_features |= WG_NETDEV_FEATURES;
        dev->hw_enc_features |= WG_NETDEV_FEATURES;
-       dev->mtu = ETH_DATA_LEN - MESSAGE_MINIMUM_LENGTH -
-                  sizeof(struct udphdr) -
-                  max(sizeof(struct ipv6hdr), sizeof(struct iphdr));
+       dev->mtu = ETH_DATA_LEN - overhead;
+#ifndef COMPAT_CANNOT_USE_MAX_MTU
+       dev->max_mtu = round_down(INT_MAX, MESSAGE_PADDING_MULTIPLE) - overhead;
+#endif
 
        SET_NETDEV_DEVTYPE(dev, &device_type);
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/wireguard-linux-compat-0.0.20200205/src/dkms.conf 
new/wireguard-linux-compat-0.0.20200214/src/dkms.conf
--- old/wireguard-linux-compat-0.0.20200205/src/dkms.conf       2020-02-05 
14:37:40.000000000 +0100
+++ new/wireguard-linux-compat-0.0.20200214/src/dkms.conf       2020-02-14 
14:33:05.000000000 +0100
@@ -1,5 +1,5 @@
 PACKAGE_NAME="wireguard"
-PACKAGE_VERSION="0.0.20200205"
+PACKAGE_VERSION="0.0.20200214"
 AUTOINSTALL=yes
 
 BUILT_MODULE_NAME="wireguard"
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/wireguard-linux-compat-0.0.20200205/src/receive.c 
new/wireguard-linux-compat-0.0.20200214/src/receive.c
--- old/wireguard-linux-compat-0.0.20200205/src/receive.c       2020-02-05 
14:37:40.000000000 +0100
+++ new/wireguard-linux-compat-0.0.20200214/src/receive.c       2020-02-14 
14:33:05.000000000 +0100
@@ -119,10 +119,13 @@
 
        under_load = skb_queue_len(&wg->incoming_handshakes) >=
                     MAX_QUEUED_INCOMING_HANDSHAKES / 8;
-       if (under_load)
+       if (under_load) {
                last_under_load = ktime_get_coarse_boottime_ns();
-       else if (last_under_load)
+       } else if (last_under_load) {
                under_load = !wg_birthdate_has_expired(last_under_load, 1);
+               if (!under_load)
+                       last_under_load = 0;
+       }
        mac_state = wg_cookie_validate_packet(&wg->cookie_checker, skb,
                                              under_load);
        if ((under_load && mac_state == VALID_MAC_WITH_COOKIE) ||
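Review bot: The new reset at lines 315-316 is an optimisation with no comment: once wg_birthdate_has_expired() reports the grace period (the `1` at line 314, presumably seconds) is over, clearing last_under_load makes every following packet skip the `else if (last_under_load)` branch entirely until load is seen again, but as written it reads like a correctness change. I would add `/* Grace period over: clear so subsequent packets skip the expiry check. */` above the assignment. Also, if last_under_load is a function-static shared across devices and CPUs (its declaration is outside this hunk), this clear races with a concurrent store on another CPU; the consequence looks benign (one packet judged with a stale load state), but that deserves a sentence in the comment, or a READ_ONCE/WRITE_ONCE pair to make the intent explicit.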
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/wireguard-linux-compat-0.0.20200205/src/send.c 
new/wireguard-linux-compat-0.0.20200214/src/send.c
--- old/wireguard-linux-compat-0.0.20200205/src/send.c  2020-02-05 
14:37:40.000000000 +0100
+++ new/wireguard-linux-compat-0.0.20200214/src/send.c  2020-02-14 
14:33:05.000000000 +0100
@@ -149,7 +149,8 @@
         * wouldn't want the final subtraction to overflow in the case of the
         * padded_size being clamped.
         */
-       unsigned int last_unit = skb->len % PACKET_CB(skb)->mtu;
+       unsigned int last_unit = PACKET_CB(skb)->mtu ?
+                                skb->len % PACKET_CB(skb)->mtu : skb->len;
        unsigned int padded_size = ALIGN(last_unit, MESSAGE_PADDING_MULTIPLE);
 
        if (padded_size > PACKET_CB(skb)->mtu)
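Review bot: The ternary at lines 333-334 removes the division by zero, but for an MTU of 0 with a non-empty skb the clamp that follows (the `if` at line 337, whose body is outside the hunk; the comment at lines 329-330 says padded_size is clamped to the MTU) would reduce padded_size to 0 while last_unit stays at skb->len, so the final `padded_size - last_unit` the comment warns about wraps to a huge unsigned value. An empty skb is unaffected since both terms are 0, which may be why this was not noticed, but the 0-MTU case should bypass the clamp entirely: `if (unlikely(!PACKET_CB(skb)->mtu)) return ALIGN(skb->len, MESSAGE_PADDING_MULTIPLE) - skb->len;` at the top of the function, keeping the modulo only for a real MTU. The enclosing function starts before this hunk and its return statement is after it, so I cannot see the subtraction to confirm.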
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/wireguard-linux-compat-0.0.20200205/src/tests/netns.sh 
new/wireguard-linux-compat-0.0.20200214/src/tests/netns.sh
--- old/wireguard-linux-compat-0.0.20200205/src/tests/netns.sh  2020-02-05 
14:37:40.000000000 +0100
+++ new/wireguard-linux-compat-0.0.20200214/src/tests/netns.sh  2020-02-14 
14:33:05.000000000 +0100
@@ -24,6 +24,7 @@
 set -e
 
 exec 3>&1
+export LANG=C
 export WG_HIDE_KEYS=never
 netns0="wg-test-$$-0"
 netns1="wg-test-$$-1"
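Review bot: `export LANG=C` at line 350 does not guarantee C-locale output if the caller's environment sets LC_ALL or LC_MESSAGES, which take precedence over LANG; since the new assertion later in this file matches ping's English `Destination Host Unreachable` text, the pin should be `export LC_ALL=C` (LANG=C may stay alongside it), with a comment such as `# ping output is matched textually below; force the C locale.`.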
@@ -300,7 +301,17 @@
        n1 ping -W 1 -c 100 -f abab::1111
 fi
 
+# Have ns2 NAT into wg0 packets from ns0, but return an icmp error along the 
right route.
+n2 iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -d 192.168.241.0/24 -j SNAT 
--to 192.168.241.2
+n0 iptables -t filter -A INPUT \! -s 10.0.0.0/24 -i vethrs -j DROP # Manual 
rpfilter just to be explicit.
+n2 bash -c 'printf 1 > /proc/sys/net/ipv4/ip_forward'
+ip0 -4 route add 192.168.241.1 via 10.0.0.100
+n2 wg set wg0 peer "$pub1" remove
+[[ $(! n0 ping -W 1 -c 1 192.168.241.1 || false) == *"From 10.0.0.100 
icmp_seq=1 Destination Host Unreachable"* ]]
+
 n0 iptables -t nat -F
+n0 iptables -t filter -F
+n2 iptables -t nat -F
 ip0 link del vethrc
 ip0 link del vethrs
 ip1 link del wg0
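Review bot: The new NAT case at lines 358-368 exercises only the IPv4 SNAT path, yet this release also adds icmpv6_ndo_send() to compat.h, which is left untested; a mirrored case with ip6tables SNAT on the IPv6 addresses the test already uses (e.g. abab::1111 at line 355) and an assertion on the IPv6 unreachable message would cover it. Two smaller points: the match at lines 367-368 depends on ping's English output, so it only holds if the locale is really pinned (LC_ALL overrides the LANG export at the top of the file), and the `ip_forward` sysctl in n2 and the added route are not undone in the cleanup at lines 370-372 — harmless if the namespaces are torn down afterwards, but worth a comment saying so, since the nat/filter tables are explicitly flushed.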
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/wireguard-linux-compat-0.0.20200205/src/version.h 
new/wireguard-linux-compat-0.0.20200214/src/version.h
--- old/wireguard-linux-compat-0.0.20200205/src/version.h       2020-02-05 
14:37:40.000000000 +0100
+++ new/wireguard-linux-compat-0.0.20200214/src/version.h       2020-02-14 
14:33:05.000000000 +0100
@@ -1,3 +1,3 @@
 #ifndef WIREGUARD_VERSION
-#define WIREGUARD_VERSION "0.0.20200205"
+#define WIREGUARD_VERSION "0.0.20200214"
 #endif

