[PATCH] urandom-seed: go back to seeding with shell script temporarily
This reverts commit 2edc017a6e0cb92b72b768aaa46c6d336ad84eff. We shouldn't be using a shell script here, but the SeedRNG integration into OpenWRT requires a bit more thought. Etienne raised some important points immediately after this was merged and planned to send some follow up commits, but became busy with other things. The points he raised are important enough that we should actually back this out until it's ready to go, and then merge it as a cohesive unit. So let's revert this for now, and come back to it later on. Cc: Etienne Champetier Cc: Petr Štetiar Signed-off-by: Jason A. Donenfeld
---
package/system/urandom-seed/Makefile | 5 +- .../files/etc/init.d/urandom_seed | 2 +- .../files/lib/preinit/81_urandom_seed | 16 +- .../urandom-seed/files/sbin/urandom_seed | 20 + package/system/urandom-seed/seedrng.c | 434 -- 5 files changed, 35 insertions(+), 442 deletions(-)
create mode 100755 package/system/urandom-seed/files/sbin/urandom_seed
delete mode 100644 package/system/urandom-seed/seedrng.c
diff --git a/package/system/urandom-seed/Makefile b/package/system/urandom-seed/Makefile
index 0c8d77f445..7c5524a9db 100644
--- a/package/system/urandom-seed/Makefile
+++ b/package/system/urandom-seed/Makefile
@@ -9,6 +9,7 @@ include $(INCLUDE_DIR)/package.mk
 define Package/urandom-seed
 SECTION:=base
 CATEGORY:=Base system
+ DEPENDS:=+getrandom
 TITLE:=/etc/urandom.seed handling for OpenWrt
 URL:=https://openwrt.org/
 endef
@@ -18,15 +19,11 @@ define Build/Prepare endef define Build/Compile/Default - $(TARGET_CC) $(TARGET_CFLAGS) $(TARGET_CPPFLAGS) $(TARGET_LDFLAGS) \ - -std=gnu99 -o $(PKG_BUILD_DIR)/seedrng seedrng.c endef Build/Compile = $(Build/Compile/Default) define Package/urandom-seed/install $(CP) ./files/* $(1)/ - $(INSTALL_DIR) $(1)/sbin - $(CP) $(PKG_BUILD_DIR)/seedrng $(1)/sbin/ endef $(eval $(call BuildPackage,urandom-seed))
diff --git a/package/system/urandom-seed/files/etc/init.d/urandom_seed b/package/system/urandom-seed/files/etc/init.d/urandom_seed
index d6e81c6079..17d9c13400 100755
--- a/package/system/urandom-seed/files/etc/init.d/urandom_seed
+++ b/package/system/urandom-seed/files/etc/init.d/urandom_seed
@@ -5,7 +5,7 @@ USE_PROCD=1 start_service() { procd_open_instance "urandom_seed" -procd_set_param command "/sbin/seedrng" +procd_set_param command "/sbin/urandom_seed" procd_set_param stdout 1 procd_set_param stderr 1 procd_close_instance
diff --git a/package/system/urandom-seed/files/lib/preinit/81_urandom_seed b/package/system/urandom-seed/files/lib/preinit/81_urandom_seed
index b3014daeaf..2adc6c47f0 100644
--- a/package/system/urandom-seed/files/lib/preinit/81_urandom_seed
+++ b/package/system/urandom-seed/files/lib/preinit/81_urandom_seed
@@ -2,11 +2,21 @@ log_urandom_seed() { echo "urandom-seed: $1" > /dev/kmsg } +_do_urandom_seed() { +[ -f "$1" ] || { log_urandom_seed "Seed file not found ($1)"; return; } +[ -O "$1" -a -G "$1" -a ! -x "$1" ] || { log_urandom_seed "Wrong owner / permissions for $1"; return; } + +log_urandom_seed "Seeding with $1" +cat "$1" > /dev/urandom +} + do_urandom_seed() { [ -c /dev/urandom ] || { log_urandom_seed "Something is wrong with /dev/urandom"; return; } -seedrng 2>&1 | while read -r line; do -log_urandom_seed "$line" -done + +_do_urandom_seed "/etc/urandom.seed" + +SEED="$(uci -q get system.@system[0].urandom_seed)" +[ "${SEED:0:1}" = "/" -a "$SEED" != "/etc/urandom.seed" ] && _do_urandom_seed "$SEED" } boot_hook_add preinit_main do_urandom_seed
diff --git a/package/system/urandom-seed/files/sbin/urandom_seed b/package/system/urandom-seed/files/sbin/urandom_seed
new file mode 100755
index 00..7043e8af4e
--- /dev/null
+++ b/package/system/urandom-seed/files/sbin/urandom_seed
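Review bot: The ownership test in the added `_do_urandom_seed` (`[ -O "$1" -a -G "$1" -a ! -x "$1" ]`) accepts a seed file that is group- or world-readable or -writable, since only owner, group and the execute bit are examined; the sibling `sbin/urandom_seed` creates seeds as root:root 0600, so anything looser is worth refusing before the `cat "$1" > /dev/urandom`. A mode check can sit next to the existing one, e.g. `[ "$(stat -c %a "$1" 2>/dev/null)" = "600" ] || { log_urandom_seed "Wrong owner / permissions for $1"; return; }`, assuming busybox `stat` with `-c` is available in preinit, which the hunk does not show. The write is not credited, so a weak or tampered seed cannot lower the pool's accounting, but the default `/etc/urandom.seed` is only ever written by `sbin/urandom_seed` when it does not yet exist, so the same bytes are replayed on every boot and a comment stating that this is the intended (uncredited, reused) scheme would help the next reader. `-a` inside `[ ]` is also marked obsolescent by POSIX; two tests joined with `&&` are the portable spelling.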
@@ -0,0 +1,20 @@
+#!/bin/sh
+set -e
+
+trap '[ "$?" -eq 0 ] || echo "An error occured" >&2' EXIT
+
+save() {
+touch "$1.tmp"
+chown root:root "$1.tmp"
+chmod 600 "$1.tmp"
+getrandom 512 > "$1.tmp"
+mv "$1.tmp" "$1"
+echo "Seed saved ($1)"
+}
+
+SEED="$(uci -q get system.@system[0].urandom_seed || true)"
+[ "${SEED:0:1}" = "/" ] && save "$SEED"
+
+SEED=/etc/urandom.seed
+[ ! -f $SEED ] && save "$SEED"
+true
diff --git a/package/system/urandom-seed/seedrng.c b/package/system/urandom-seed/seedrng.c
deleted file mode 100644
index 9a2cb10f55..00
--- a/package/system/urandom-seed/seedrng.c
+++ /dev/null
@@ -1,434 +0,
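Review bot: In `save()` a failing `getrandom 512 > "$1.tmp"` (or the `chown`/`chmod` before it) aborts the script through `set -e` after `touch` has already created `$1.tmp`, so a stale temporary file is left beside the seed and the `EXIT` trap only prints "An error occured" without cleaning up. Removing the temporary on the failing step keeps the seed directory tidy, e.g. `getrandom 512 > "$1.tmp" || { rm -f "$1.tmp"; return 1; }`. Because the file is chmod'ed to 600 before any random bytes are written into it, the touch-then-chmod ordering does not expose seed material, which is worth a one-line comment above `touch` so nobody "fixes" the order later. Note also that `${SEED:0:1}` substring expansion is not POSIX sh; it works under busybox ash, which is presumably the interpreter here, while `case "$SEED" in /*) save "$SEED";; esac` would be portable.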
Re: [PATCH] urandom-seed: use seedrng for seeding the random number generator
Hey Etienne, On Tue, Mar 29, 2022 at 7:21 AM Jason A. Donenfeld wrote: > > Hi Etienne, > > On Tue, Mar 29, 2022 at 1:06 AM Etienne Champetier > wrote: > > > Oh that's an interesting set of considerations and it's possible I > > > didn't understand some aspect of this. Most OSes should call seedrng > > > once at boot and once at shutdown. > > > > As routers are always on devices, it's rare to have clean shutdown. > > Personally, my routers boot after an upgrade or after a power loss, > > so they almost never shutdown properly. > > That's a good point indeed. > > > > 1) read seed into memory, delete seed from disk, write into rng & > > > credit if good seed, write new seed to disk; repeat at shutdown/some > > > other time > > > 2) read seed into memory, write into rng w/o crediting, re-use the > > > same seed next boot > > > > Before this patch we had 2 and users could opt-in to renew seed on > > each boot, so closer to 1. > > I guess the issue is that the implementation of (1) was somewhat > non-optimal, but not exactly catastrophic either. > > > Looking at random.c, I would love add_device_randomness() behavior. > > Maybe it was already answered on LKML, > > but why can't writes to /dev/urandom from a process with CAP_SYS_ADMIN > > be mixed in right away a la add_device_randomness() without being credited ? > > This would not init the RNG faster, but this would make early > > /dev/urandom reads "safer". > > add_device_randomness() does not mix in immediately. It goes into the > entropy pool, but that doesn't get extracted into a new key until the > next reseeding. It does get mixed in directly for crng_init=0, but not > for crng_init=1 or crng_init=2, which is a big gap. Making > /dev/urandom writes behave like that for crng_init=0 doesn't address > the crng_init=1 and crng_init=2 cases, unfortunately. The bigger > problem, though, is that some users of /dev/urandom credit the entropy > via the RNDADDTOENTCNT ioctl _afterwards_. 
If we mixed it directly in, > then programs with the pattern of write 4 bytes, credit 32 bits, > writes 4 bytes, credit 32 bits, etc could have those 4 written bytes > brute forced each time in what's called a "premature next". For that > reason the key is only modified when 256 bits have accumulated first. > > > I'm fine with writing on each boot, but as we can't rely on shutdown, > > what we could do with the seeds: > > 1) load seed.no-credit, leave it on disk > > 2) mv seed.credit seed.no-credit && load seed.no-credit (and credit it) > > 3) read from getrandom a new seed.credit > > > > This would allow to always keep a seed on disk, only use seed.credit once, > > and actually write seed.credit. > > I would get rid of the whole hashing part as all our seeds would come > > from getrandom(). > > If possible, it's better to not leave a seed on disk after using it, > even if not credited. If that's the only entropy, it's better to > "forget" it after use, so that you can't compromise past secrets. At > the very least, if you have poor entropy, you can replace the seed > with HASH(seed), so at least it ratchets forward. Another thing to > consider is that if you _do_ credit it, that'll initialize the RNG, so > getrandom() automatically works without blocking. These two > observations have lead to seedrng's current scheme, where the sequence > is: > > - load > - delete > - seed & credit, or seed & don't credit, depending > - save new seed, which may be creditable or not, depending on whether > previous things made the rng init > > It sounds like maybe a modification of your suggestion might be to make this: > > - load > - delete > - seed & credit, or seed & don't credit, depending > - save new seed using getrandom(0), so that it's always creditable > > Would that satisfy your concerns? Or are you also trying to preserve a > mode where the filesystem doesn't need to be written to on each boot? 
> > > > > /var is a symlink to /tmp > > Oh, then in these cleanups, we should change that /tmp/run to /var/run > just to be more "correct". > > > > > > Is there a different place for it that would be good? > > > > Maybe we can leave it in etc and just make sure to exclude it from backups > > That seems like a good course of action. > > If you have a firm idea of what you want this to look like, would you > like to send a series and I'll take a look? I never heard back from you, but all the concerns you raised strike me as kind of important. Did you intend to move forward with those? Or should I just send a revert for this whole thing, so that you can address it some other time? Jason ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
Re: [PATCH] urandom-seed: use seedrng for seeding the random number generator
Hi Etienne, On Tue, Mar 29, 2022 at 1:06 AM Etienne Champetier wrote: > > Oh that's an interesting set of considerations and it's possible I > > didn't understand some aspect of this. Most OSes should call seedrng > > once at boot and once at shutdown. > > As routers are always on devices, it's rare to have clean shutdown. > Personally, my routers boot after an upgrade or after a power loss, > so they almost never shutdown properly. That's a good point indeed. > > 1) read seed into memory, delete seed from disk, write into rng & > > credit if good seed, write new seed to disk; repeat at shutdown/some > > other time > > 2) read seed into memory, write into rng w/o crediting, re-use the > > same seed next boot > > Before this patch we had 2 and users could opt-in to renew seed on > each boot, so closer to 1. I guess the issue is that the implementation of (1) was somewhat non-optimal, but not exactly catastrophic either. > Looking at random.c, I would love add_device_randomness() behavior. > Maybe it was already answered on LKML, > but why can't writes to /dev/urandom from a process with CAP_SYS_ADMIN > be mixed in right away a la add_device_randomness() without being credited ? > This would not init the RNG faster, but this would make early > /dev/urandom reads "safer". add_device_randomness() does not mix in immediately. It goes into the entropy pool, but that doesn't get extracted into a new key until the next reseeding. It does get mixed in directly for crng_init=0, but not for crng_init=1 or crng_init=2, which is a big gap. Making /dev/urandom writes behave like that for crng_init=0 doesn't address the crng_init=1 and crng_init=2 cases, unfortunately. The bigger problem, though, is that some users of /dev/urandom credit the entropy via the RNDADDTOENTCNT ioctl _afterwards_. 
If we mixed it directly in, then programs with the pattern of write 4 bytes, credit 32 bits, writes 4 bytes, credit 32 bits, etc could have those 4 written bytes brute forced each time in what's called a "premature next". For that reason the key is only modified when 256 bits have accumulated first. > I'm fine with writing on each boot, but as we can't rely on shutdown, > what we could do with the seeds: > 1) load seed.no-credit, leave it on disk > 2) mv seed.credit seed.no-credit && load seed.no-credit (and credit it) > 3) read from getrandom a new seed.credit > > This would allow to always keep a seed on disk, only use seed.credit once, > and actually write seed.credit. > I would get rid of the whole hashing part as all our seeds would come > from getrandom(). If possible, it's better to not leave a seed on disk after using it, even if not credited. If that's the only entropy, it's better to "forget" it after use, so that you can't compromise past secrets. At the very least, if you have poor entropy, you can replace the seed with HASH(seed), so at least it ratchets forward. Another thing to consider is that if you _do_ credit it, that'll initialize the RNG, so getrandom() automatically works without blocking. These two observations have lead to seedrng's current scheme, where the sequence is: - load - delete - seed & credit, or seed & don't credit, depending - save new seed, which may be creditable or not, depending on whether previous things made the rng init It sounds like maybe a modification of your suggestion might be to make this: - load - delete - seed & credit, or seed & don't credit, depending - save new seed using getrandom(0), so that it's always creditable Would that satisfy your concerns? Or are you also trying to preserve a mode where the filesystem doesn't need to be written to on each boot? > /var is a symlink to /tmp Oh, then in these cleanups, we should change that /tmp/run to /var/run just to be more "correct". 
> > > Is there a different place for it that would be good? > > Maybe we can leave it in etc and just make sure to exclude it from backups That seems like a good course of action. If you have a firm idea of what you want this to look like, would you like to send a series and I'll take a look? Jason ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
Re: [PATCH] urandom-seed: use seedrng for seeding the random number generator
Hey Etienne, On Mon, Mar 28, 2022 at 10:19 AM Etienne Champetier wrote: > > Hi All, Jason, > > @Petr Štetiar this merge was a bit too fast to get reviews ... > Some comments inline We can apply fixups on top, no big deal. > When urandom-seed was introduced in 2016 it was decided during review > that writing on each boot might cause too much wear to the flash. > Maybe we can say that 6 years later this is not a problem anymore, but > would love to have more devs comment > Old thread: > https://www.mail-archive.com/lede-dev@lists.infradead.org/msg01225.html > > Now if I understand correctly, with this patch we are writing a seed > to flash twice per boot, in preinit/81_urandom_seed and in > init.d/urandom_seed. > Also there are good chances we will never have a seed.credit at all on > many devices, > would be great if seedrng had an option "writeseed" that blocks on > getrandom(). Oh that's an interesting set of considerations and it's possible I didn't understand some aspect of this. Most OSes should call seedrng once at boot and once at shutdown. It's also fine to call seedrng at any other specific time during runtime too. Because it's involved with crediting, it always always removes the seed file after reading but before using, and after it's used, it immediately writes a new seed file. It sounds like what you might want here is, perhaps, the original behavior? Namely, the seed is never credited, but it never changes either? That won't help you initialize the RNG, but since you're not crediting it, you can argue that all new rng inputs are good inputs, even if they've been used before. 
So these are the two schemes to choose from: 1) read seed into memory, delete seed from disk, write into rng & credit if good seed, write new seed to disk; repeat at shutdown/some other time 2) read seed into memory, write into rng w/o crediting, re-use the same seed next boot If the second scheme is what you prefer, then your original bug report suggesting this was an issue for OpenWRT might not really be so, and we can just go back to what we were doing before. OTOH, if you want to have a good mechanism that actually initializes the RNG, perhaps we can move forward with some tweaks to seedrng. > > > + > > +#define SEED_DIR "/etc/seedrng" > > If we worry about seed reuse, we should not use /etc as it can be > restored from a backup Indeed you're right. Most other distros use /var/lib/seedrng; is /var/lib available on OpenWRT? Is there a different place for it that would be good? Jason ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
[PATCH] urandom-seed: use seedrng for seeding the random number generator
The RNG can't actually be seeded from a shell script, due to the reliance on ioctls. For this reason, the seedrng project provides a basic script meant to be copy and pasted into projects like OpenWRT and tweaked as needed: <https://git.zx2c4.com/seedrng/about/>. This commit imports it into the urandom-seed package and wires up the init scripts to call it. This also is a significant improvement over the current init script, which does not robustly handle cleaning up of seeds and syncing to prevent reuse. Additionally, the existing script creates a new seed immediately after writing an old one, which means that the amount of entropy might actually regress, due to failing to credit the old seed. Closes: https://github.com/openwrt/openwrt/issues/9570 Signed-off-by: Jason A. Donenfeld
---
package/system/urandom-seed/Makefile | 4 +- .../files/etc/init.d/urandom_seed | 2 +- .../files/lib/preinit/81_urandom_seed | 16 +- .../urandom-seed/files/sbin/urandom_seed | 20 - package/system/urandom-seed/seedrng.c | 434 ++ 5 files changed, 441 insertions(+), 35 deletions(-)
delete mode 100755 package/system/urandom-seed/files/sbin/urandom_seed
create mode 100644 package/system/urandom-seed/seedrng.c
diff --git a/package/system/urandom-seed/Makefile b/package/system/urandom-seed/Makefile
index 7c5524a9db..f890c0b10a 100644
--- a/package/system/urandom-seed/Makefile
+++ b/package/system/urandom-seed/Makefile
@@ -9,7 +9,6 @@ include $(INCLUDE_DIR)/package.mk
 define Package/urandom-seed
 SECTION:=base
 CATEGORY:=Base system
- DEPENDS:=+getrandom
 TITLE:=/etc/urandom.seed handling for OpenWrt
 URL:=https://openwrt.org/
 endef
@@ -19,11 +18,14 @@ define Build/Prepare endef define Build/Compile/Default + $(TARGET_CC) $(TARGET_CFLAGS) $(TARGET_CPPFLAGS) $(TARGET_LDFLAGS) \ + -std=gnu99 -o $(PKG_BUILD_DIR)/seedrng seedrng.c endef Build/Compile = $(Build/Compile/Default) define Package/urandom-seed/install $(CP) ./files/* $(1)/ + $(CP) $(PKG_BUILD_DIR)/seedrng $(1)/sbin/ endef $(eval $(call BuildPackage,urandom-seed))
diff --git a/package/system/urandom-seed/files/etc/init.d/urandom_seed b/package/system/urandom-seed/files/etc/init.d/urandom_seed
index 17d9c13400..d6e81c6079 100755
--- a/package/system/urandom-seed/files/etc/init.d/urandom_seed
+++ b/package/system/urandom-seed/files/etc/init.d/urandom_seed
@@ -5,7 +5,7 @@ USE_PROCD=1 start_service() { procd_open_instance "urandom_seed" -procd_set_param command "/sbin/urandom_seed" +procd_set_param command "/sbin/seedrng" procd_set_param stdout 1 procd_set_param stderr 1 procd_close_instance
diff --git a/package/system/urandom-seed/files/lib/preinit/81_urandom_seed b/package/system/urandom-seed/files/lib/preinit/81_urandom_seed
index 2adc6c47f0..b3014daeaf 100644
--- a/package/system/urandom-seed/files/lib/preinit/81_urandom_seed
+++ b/package/system/urandom-seed/files/lib/preinit/81_urandom_seed
@@ -2,21 +2,11 @@ log_urandom_seed() { echo "urandom-seed: $1" > /dev/kmsg } -_do_urandom_seed() { -[ -f "$1" ] || { log_urandom_seed "Seed file not found ($1)"; return; } -[ -O "$1" -a -G "$1" -a ! -x "$1" ] || { log_urandom_seed "Wrong owner / permissions for $1"; return; } - -log_urandom_seed "Seeding with $1" -cat "$1" > /dev/urandom -} - do_urandom_seed() { [ -c /dev/urandom ] || { log_urandom_seed "Something is wrong with /dev/urandom"; return; } - -_do_urandom_seed "/etc/urandom.seed" - -SEED="$(uci -q get system.@system[0].urandom_seed)" -[ "${SEED:0:1}" = "/" -a "$SEED" != "/etc/urandom.seed" ] && _do_urandom_seed "$SEED" +seedrng 2>&1 | while read -r line; do +log_urandom_seed "$line" +done } boot_hook_add preinit_main do_urandom_seed
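Review bot: In the `Package/urandom-seed/install` hunk the added `$(CP) $(PKG_BUILD_DIR)/seedrng $(1)/sbin/` relies on `$(1)/sbin` already existing, but this same commit deletes `files/sbin/urandom_seed`, so `$(CP) ./files/* $(1)/` no longer creates that directory and the copy can fail or leave a plain file named `sbin` in the staging root. Insert `$(INSTALL_DIR) $(1)/sbin` before the `$(CP)` line; the revert shown earlier on this page removes exactly such a line, which suggests a follow-up fix became necessary. On the preinit hunk sharing this line, `seedrng 2>&1 | while read -r line; do ... done` discards seedrng's exit status, which is acceptable for a log-only boot hook but deserves a short comment saying so.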
diff --git a/package/system/urandom-seed/files/sbin/urandom_seed b/package/system/urandom-seed/files/sbin/urandom_seed
deleted file mode 100755
index 7043e8af4e..00
--- a/package/system/urandom-seed/files/sbin/urandom_seed
+++ /dev/null
@@ -1,20 +0,0 @@
-#!/bin/sh
-set -e
-
-trap '[ "$?" -eq 0 ] || echo "An error occured" >&2' EXIT
-
-save() {
-touch "$1.tmp"
-chown root:root "$1.tmp"
-chmod 600 "$1.tmp"
-getrandom 512 > "$1.tmp"
-mv "$1.tmp" "$1"
-echo "Seed saved ($1)"
-}
-
-SEED="$(uci -q get system.@system[0].urandom_seed || true)"
-[ "${SEED:0:1}" = "/" ] && save "$SEED"
-
-SEED=/etc/urandom.seed
-[ ! -f $SEED ] && save "$SEED"
-true
diff --git a/package/system/urandom-seed/seedrng.
Re: [PATCH] kernel-5.4: backport latest patches for wireguard
Could somebody apply this please? ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
Re: [PATCH] kernel-5.4: backport latest patches for wireguard
Hi Ilya, > diff --git > a/target/linux/generic/backport-5.4/080-wireguard-0124-crypto-mips-poly1305-enable-for-all-MIPS-processors.patch > > b/target/linux/generic/backport-5.4/080-wireguard-0124-crypto-mips-poly1305-enable-for-all-MIPS-processors.patch > new file mode 100644 > index 00..c0ee841b02 > --- /dev/null > +++ > b/target/linux/generic/backport-5.4/080-wireguard-0124-crypto-mips-poly1305-enable-for-all-MIPS-processors.patch > @@ -0,0 +1,60 @@ > +From Mon Sep 17 00:00:00 2001 > +From: "Maciej W. Rozycki" > +Date: Thu, 11 Mar 2021 21:50:47 -0700 > +Subject: [PATCH] crypto: mips/poly1305 - enable for all MIPS processors > + > +commit 6c810cf20feef0d4338e9b424ab7f2644a8b353e upstream. > + > +The MIPS Poly1305 implementation is generic MIPS code written such as to > +support down to the original MIPS I and MIPS III ISA for the 32-bit and > +64-bit variant respectively. Lift the current limitation then to enable > +code for MIPSr1 ISA or newer processors only and have it available for > +all MIPS processors. I don't remember where we wound up with the MIPS dependency maze, but this patch here _might_ imply something can be simplified or needs changes. Jason ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
[PATCH] kernel-5.4: backport latest patches for wireguard
These are the latest patches that just landed upstream for 5.13, will be backported by Greg into 5.10 (because of stable@), and are now in the 5.4 backport branch of wireguard: https://git.zx2c4.com/wireguard-linux/log/?h=backport-5.4.y Cc: Ilya Lipnitskiy 
Signed-off-by: Jason A. Donenfeld --- ...y1305-enable-for-all-MIPS-processors.patch | 60 ++ ...ps-add-poly1305-core.S-to-.gitignore.patch | 24 + ...fix-poly1305_core_setkey-declaration.patch | 172 ++ ...sts-remove-old-conntrack-kconfig-val.patch | 29 + ...sts-make-sure-rp_filter-is-disabled-.patch | 31 ++ ...reguard-0129-wireguard-do-not-use-O3.patch | 33 ++ ...nchronize_net-rather-than-synchroniz.patch | 66 +++ ...ireguard-peer-allocate-in-kmem_cache.patch | 125 + ...dips-initialize-list-head-in-selftes.patch | 43 ++ ...guard-allowedips-remove-nodes-in-O-1.patch | 237 ...owedips-allocate-nodes-in-kmem_cache.patch | 173 ++ ...dips-free-empty-intermediate-nodes-w.patch | 521 ++ 12 files changed, 1514 insertions(+) create mode 100644 target/linux/generic/backport-5.4/080-wireguard-0124-crypto-mips-poly1305-enable-for-all-MIPS-processors.patch create mode 100644 target/linux/generic/backport-5.4/080-wireguard-0125-crypto-mips-add-poly1305-core.S-to-.gitignore.patch create mode 100644 target/linux/generic/backport-5.4/080-wireguard-0126-crypto-poly1305-fix-poly1305_core_setkey-declaration.patch create mode 100644 target/linux/generic/backport-5.4/080-wireguard-0127-wireguard-selftests-remove-old-conntrack-kconfig-val.patch create mode 100644 target/linux/generic/backport-5.4/080-wireguard-0128-wireguard-selftests-make-sure-rp_filter-is-disabled-.patch create mode 100644 target/linux/generic/backport-5.4/080-wireguard-0129-wireguard-do-not-use-O3.patch create mode 100644 target/linux/generic/backport-5.4/080-wireguard-0130-wireguard-use-synchronize_net-rather-than-synchroniz.patch create mode 100644 target/linux/generic/backport-5.4/080-wireguard-0131-wireguard-peer-allocate-in-kmem_cache.patch create mode 100644 target/linux/generic/backport-5.4/080-wireguard-0132-wireguard-allowedips-initialize-list-head-in-selftes.patch create mode 100644 target/linux/generic/backport-5.4/080-wireguard-0133-wireguard-allowedips-remove-nodes-in-O-1.patch create mode 100644 
target/linux/generic/backport-5.4/080-wireguard-0134-wireguard-allowedips-allocate-nodes-in-kmem_cache.patch
create mode 100644 target/linux/generic/backport-5.4/080-wireguard-0135-wireguard-allowedips-free-empty-intermediate-nodes-w.patch
diff --git a/target/linux/generic/backport-5.4/080-wireguard-0124-crypto-mips-poly1305-enable-for-all-MIPS-processors.patch b/target/linux/generic/backport-5.4/080-wireguard-0124-crypto-mips-poly1305-enable-for-all-MIPS-processors.patch
new file mode 100644
index 00..c0ee841b02
--- /dev/null
+++ b/target/linux/generic/backport-5.4/080-wireguard-0124-crypto-mips-poly1305-enable-for-all-MIPS-processors.patch
@@ -0,0 +1,60 @@ +From Mon Sep 17 00:00:00 2001 +From: "Maciej W. Rozycki" +Date: Thu, 11 Mar 2021 21:50:47 -0700 +Subject: [PATCH] crypto: mips/poly1305 - enable for all MIPS processors + +commit 6c810cf20feef0d4338e9b424ab7f2644a8b353e upstream. + +The MIPS Poly1305 implementation is generic MIPS code written such as to +support down to the original MIPS I and MIPS III ISA for the 32-bit and +64-bit variant respectively. Lift the current limitation then to enable +code for MIPSr1 ISA or newer processors only and have it available for +all MIPS processors. + +Signed-off-by: Maciej W. Rozycki +Fixes: a11d055e7a64 ("crypto: mips/poly1305 - incorporate OpenSSL/CRYPTOGAMS optimized implementation") +Cc: sta...@vger.kernel.org # v5.5+ +Acked-by: Jason A. Donenfeld +Signed-off-by: Thomas Bogendoerfer +Signed-off-by: Jason A. Donenfeld +--- + arch/mips/crypto/Makefile | 4 ++-- + crypto/Kconfig| 2 +- + drivers/net/Kconfig | 2 +- + 3 files changed, 4 insertions(+), 4 deletions(-) + +--- a/arch/mips/crypto/Makefile b/arch/mips/crypto/Makefile +@@ -12,8 +12,8 @@ AFLAGS_chacha-core.o += -O2 # needed to + obj-$(CONFIG_CRYPTO_POLY1305_MIPS) += poly1305-mips.o + poly1305-mips-y := poly1305-core.o poly1305-glue.o + +-perlasm-flavour-$(CONFIG_CPU_MIPS32) := o32 +-perlasm-flavour-$(CONFIG_CPU_MIPS64) := 64 ++perlasm-flavour-$(CONFIG_32BIT) := o32 ++perlasm-flavour-$(CONFIG_64BIT) := 64 + + quiet_cmd_perlasm = PERLASM $@ + cmd_perlasm = $(PERL) $(<) $(perlasm-flavour-y) $(@) +--- a/crypto/Kconfig b/crypto/Kconfig +@@ -740,7 +740,7 @@ config CRYPTO_POLY1305_X86_64 + + config CRYPTO_POLY1305_MIPS + tristate "Poly1305 authenticator algorithm (MIPS optimized)" +- depends on CPU_MIPS32 || (CPU_MIPS64 && 64BIT) ++ depends on MIPS + select CRYPTO_ARCH_HAVE_LIB_POLY1305 + + config CRYPTO_MD4 +--- a/drivers/net/Kconfig b/drivers/net/Kc
Re: [PATCH v2] netfilter: remove no-op kconfig symbols
https://git.zx2c4.com/wireguard-linux/commit/?h=backport-5.4.y=ac8265d3b26e7c2674e066af6451c5a61d3f2e7a This will be included in the patchset next time I push a refresh of those. ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
Re: OpenWrt 21.02-rc1 (backport request, WireGuard, DSA roaming, iproute2 5.11)
Re: WireGuard - fine by me. Thanks for doing that. ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
Re: OpenWrt 21.02-rc1
On Tue, Apr 6, 2021 at 5:33 PM Ilya Lipnitskiy wrote: > > Hi Hauke, > > On Tue, Apr 6, 2021 at 3:43 PM Hauke Mehrtens wrote: > > > > Hi, > > > > How do we want to go forward with OpenWrt 21.02-rc1? > > > > * I think the base system is ok. > > * The http (original wolfssl) problem reported by jow is fixed > > * LuCI in the 21.02 branch still misses DSA support, this was merged > > into master some time ago as far as I understood. > > > > Jow reported this end of March: > > > I found some serious regressions in the luci device config support. > > > not sure yet how long it'll take to sort out. The netifd uci config > > > grew so complex that it'll take a while to try all cases > > > * changing interface settings after previously enabling certain > > > options results in a brick > > > * wireless networks with custom ifnames are improperly bridged > > > * option ipv6 for ppp based protocols is broken because it clashes > > > with option ipv6 in device sections > > > > I would like to merge this update of iproute2 if Russel is fine with it, > > but I do not see this blocking 21.02-rc1: > > https://github.com/openwrt/openwrt/pull/4025 > > > > If there are some other bugs in the 21.02 branch which are fixed in > > master, we can backport the fixed as long as they are not so big. If > > there is something missing, just ask on the mainling list. > Can we get a decision on the in-tree WireGuard migration PR? > https://github.com/openwrt/openwrt/pull/3960 Indeed this should happen for 21.02. I won't be supporting the prior compat module in OpenWRT any longer. ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
[PATCH] kernel-5.10: backport chacha non block size optimizations
These make a big difference when doing WireGuard with small armv7 routers, and the 5.4 backport already has it. Suggested-by: Ilya Lipnitskiy Cc: David Bauer Cc: Petr Štetiar Signed-off-by: Jason A. Donenfeld
---
...a-neon-optimize-for-non-block-size-m.patch | 272 ++ ...a-neon-add-missing-counter-increment.patch | 38 +++ 2 files changed, 310 insertions(+)
create mode 100644 target/linux/generic/backport-5.10/071-crypto-arm-chacha-neon-optimize-for-non-block-size-m.patch
create mode 100644 target/linux/generic/backport-5.10/072-crypto-arm-chacha-neon-add-missing-counter-increment.patch
diff --git a/target/linux/generic/backport-5.10/071-crypto-arm-chacha-neon-optimize-for-non-block-size-m.patch b/target/linux/generic/backport-5.10/071-crypto-arm-chacha-neon-optimize-for-non-block-size-m.patch
new file mode 100644
index 00..b1f46e9af8
--- /dev/null
+++ b/target/linux/generic/backport-5.10/071-crypto-arm-chacha-neon-optimize-for-non-block-size-m.patch
@@ -0,0 +1,272 @@ +From 03662fcd41f4b764857f17b95f9a2a63c24bddd4 Mon Sep 17 00:00:00 2001 +From: Ard Biesheuvel +Date: Tue, 3 Nov 2020 17:28:09 +0100 +Subject: [PATCH 1/2] crypto: arm/chacha-neon - optimize for non-block size + multiples + +commit 86cd97ec4b943af35562a74688bc4e909b32c3d1 upstream. + +The current NEON based ChaCha implementation for ARM is optimized for +multiples of 4x the ChaCha block size (64 bytes). This makes sense for +block encryption, but given that ChaCha is also often used in the +context of networking, it makes sense to consider arbitrary length +inputs as well. + +For example, WireGuard typically uses 1420 byte packets, and performing +ChaCha encryption involves 5 invocations of chacha_4block_xor_neon() +and 3 invocations of chacha_block_xor_neon(), where the last one also +involves a memcpy() using a buffer on the stack to process the final +chunk of 1420 % 64 == 12 bytes. + +Let's optimize for this case as well, by letting chacha_4block_xor_neon() +deal with any input size between 64 and 256 bytes, using NEON permutation +instructions and overlapping loads and stores. This way, the 140 byte +tail of a 1420 byte input buffer can simply be processed in one go. + +This results in the following performance improvements for 1420 byte +blocks, without significant impact on power-of-2 input sizes. (Note +that Raspberry Pi is widely used in combination with a 32-bit kernel, +even though the core is 64-bit capable) + + Cortex-A8 (BeagleBone) : 7% + Cortex-A15 (Calxeda Midway) : 21% + Cortex-A53 (Raspberry Pi 3) : 3% + Cortex-A72 (Raspberry Pi 4) : 19% + +Cc: Eric Biggers +Cc: "Jason A . Donenfeld" +Signed-off-by: Ard Biesheuvel +Signed-off-by: Herbert Xu +Signed-off-by: Jason A. 
Donenfeld +--- + arch/arm/crypto/chacha-glue.c | 34 +-- + arch/arm/crypto/chacha-neon-core.S | 97 +++--- + 2 files changed, 107 insertions(+), 24 deletions(-) + +--- a/arch/arm/crypto/chacha-glue.c b/arch/arm/crypto/chacha-glue.c +@@ -23,7 +23,7 @@ + asmlinkage void chacha_block_xor_neon(const u32 *state, u8 *dst, const u8 *src, + int nrounds); + asmlinkage void chacha_4block_xor_neon(const u32 *state, u8 *dst, const u8 *src, +- int nrounds); ++ int nrounds, unsigned int nbytes); + asmlinkage void hchacha_block_arm(const u32 *state, u32 *out, int nrounds); + asmlinkage void hchacha_block_neon(const u32 *state, u32 *out, int nrounds); + +@@ -42,24 +42,24 @@ static void chacha_doneon(u32 *state, u8 + { + u8 buf[CHACHA_BLOCK_SIZE]; + +- while (bytes >= CHACHA_BLOCK_SIZE * 4) { +- chacha_4block_xor_neon(state, dst, src, nrounds); +- bytes -= CHACHA_BLOCK_SIZE * 4; +- src += CHACHA_BLOCK_SIZE * 4; +- dst += CHACHA_BLOCK_SIZE * 4; +- state[12] += 4; +- } +- while (bytes >= CHACHA_BLOCK_SIZE) { +- chacha_block_xor_neon(state, dst, src, nrounds); +- bytes -= CHACHA_BLOCK_SIZE; +- src += CHACHA_BLOCK_SIZE; +- dst += CHACHA_BLOCK_SIZE; +- state[12]++; ++ while (bytes > CHACHA_BLOCK_SIZE) { ++ unsigned int l = min(bytes, CHACHA_BLOCK_SIZE * 4U); ++ ++ chacha_4block_xor_neon(state, dst, src, nrounds, l); ++ bytes -= l; ++ src += l; ++ dst += l; ++ state[12] += DIV_ROUND_UP(l, CHACHA_BLOCK_SIZE); + } + if (bytes) { +- memcpy(buf, src, bytes); +- chacha_block_xor_neon(state, buf, buf, nrounds); +- memcpy(dst, buf, bytes); ++ const u8 *s = src; ++ u8 *d = dst; ++ ++ if (bytes != CHACHA_BLOCK_SIZE) ++ s = d = memcpy(buf, src, bytes); ++ chacha_block_xor_neon(state, d, s, nrounds); ++
Re: [PATCH] kernel-5.4: backport fd16931a2f51 for chacha neon
On Tue, Mar 2, 2021 at 9:09 AM Petr Štetiar wrote: > > Jason A. Donenfeld [2021-03-02 00:08:56]: > > Hi, > > > 126 files changed, 288 insertions(+), 249 deletions(-) > > this is quite huge diff for such simple update, what about using `git > format-patch --no-numbered --zero-commit` for the series? > Good idea. I'll send a v2. ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
[PATCH] kernel: backport pending fix to select CPU_MIPS64
The CPU_MIPS64 and CPU_MIPS32 variables are supposed to be able to distinguish broadly between 64-bit and 32-bit MIPS CPUs. However, they weren't selected by the specialty CPUs, Octeon and Loongson, which meant it was possible to hit a weird state of: MIPS=y, CONFIG_64BIT=y, CPU_MIPS64=n This commit rectifies the issue by having CPU_MIPS64 be selected when the missing Octeon or Loongson models are selected. In particular, this affects our octeonplus target. It has been posted to LKML here: https://lore.kernel.org/linux-mips/20210227122605.2680138-1-ja...@zx2c4.com/ Cc: Ilya Lipnitskiy Cc: David Bauer Signed-off-by: Jason A. Donenfeld --- ...CPU_MIPS64-for-remaining-MIPS64-CPUs.patch | 36 ++ ...CPU_MIPS64-for-remaining-MIPS64-CPUs.patch | 37 +++ 2 files changed, 73 insertions(+) create mode 100644 target/linux/generic/pending-5.10/103-MIPS-select-CPU_MIPS64-for-remaining-MIPS64-CPUs.patch create mode 100644 target/linux/generic/pending-5.4/103-MIPS-select-CPU_MIPS64-for-remaining-MIPS64-CPUs.patch diff --git a/target/linux/generic/pending-5.10/103-MIPS-select-CPU_MIPS64-for-remaining-MIPS64-CPUs.patch b/target/linux/generic/pending-5.10/103-MIPS-select-CPU_MIPS64-for-remaining-MIPS64-CPUs.patch new file mode 100644 index 00..cf79e9a449 --- /dev/null +++ b/target/linux/generic/pending-5.10/103-MIPS-select-CPU_MIPS64-for-remaining-MIPS64-CPUs.patch 
@@ -0,0 +1,36 @@
+From 6523061868212473f63812a0c477a161742bed42 Mon Sep 17 00:00:00 2001
+From: "Jason A. Donenfeld"
+Date: Sat, 27 Feb 2021 13:20:24 +0100
+Subject: [PATCH] MIPS: select CPU_MIPS64 for remaining MIPS64 CPUs
+
+The CPU_MIPS64 and CPU_MIPS32 variables are supposed to be able to
+distinguish broadly between 64-bit and 32-bit MIPS CPUs. However, they
+weren't selected by the specialty CPUs, Octeon and Loongson, which meant
+it was possible to hit a weird state of:
+
+MIPS=y, CONFIG_64BIT=y, CPU_MIPS64=n
+
+This commit rectifies the issue by having CPU_MIPS64 be selected when
+the missing Octeon or Loongson models are selected.
+
+Cc: Thomas Bogendoerfer
+Cc: Ralf Baechle
+Cc: George Cherian
+Cc: Huacai Chen
+Cc: Jiaxun Yang
+Signed-off-by: Jason A. Donenfeld
+---
+ arch/mips/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/mips/Kconfig b/arch/mips/Kconfig
+@@ -2075,7 +2075,7 @@ config CPU_MIPS32
+ config CPU_MIPS64
+ bool
+ default y if CPU_MIPS64_R1 || CPU_MIPS64_R2 || CPU_MIPS64_R5 || \
+- CPU_MIPS64_R6
++ CPU_MIPS64_R6 || CPU_LOONGSON64 || CPU_CAVIUM_OCTEON
+
+ #
+ # These indicate the revision of the architecture
diff --git a/target/linux/generic/pending-5.4/103-MIPS-select-CPU_MIPS64-for-remaining-MIPS64-CPUs.patch b/target/linux/generic/pending-5.4/103-MIPS-select-CPU_MIPS64-for-remaining-MIPS64-CPUs.patch
new file mode 100644
index 00..3b04316692
--- /dev/null
+++ b/target/linux/generic/pending-5.4/103-MIPS-select-CPU_MIPS64-for-remaining-MIPS64-CPUs.patch
@@ -0,0 +1,37 @@
+From 31ca877744d95713e4925de542e1c686ab08a542 Mon Sep 17 00:00:00 2001
+From: "Jason A. Donenfeld"
+Date: Sat, 27 Feb 2021 13:20:24 +0100
+Subject: [PATCH] MIPS: select CPU_MIPS64 for remaining MIPS64 CPUs
+
+The CPU_MIPS64 and CPU_MIPS32 variables are supposed to be able to
+distinguish broadly between 64-bit and 32-bit MIPS CPUs. However, they
+weren't selected by the specialty CPUs, Octeon and Loongson, which meant
+it was possible to hit a weird state of:
+
+MIPS=y, CONFIG_64BIT=y, CPU_MIPS64=n
+
+This commit rectifies the issue by having CPU_MIPS64 be selected when
+the missing Octeon or Loongson models are selected.
+
+Cc: Thomas Bogendoerfer
+Cc: Ralf Baechle
+Cc: George Cherian
+Cc: Huacai Chen
+Cc: Jiaxun Yang
+Signed-off-by: Jason A. Donenfeld
+---
+ arch/mips/Kconfig | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/arch/mips/Kconfig b/arch/mips/Kconfig
+@@ -2036,7 +2036,8 @@ config CPU_MIPS32
+
+ config CPU_MIPS64
+ bool
+- default y if CPU_MIPS64_R1 || CPU_MIPS64_R2 || CPU_MIPS64_R6
++ default y if CPU_MIPS64_R1 || CPU_MIPS64_R2 || CPU_MIPS64_R6 || \
++ CPU_LOONGSON64 || CPU_CAVIUM_OCTEON
+
+ #
+ # These indicate the revision of the architecture
-- 2.30.1 ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
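Review bot: The pending-5.4 copy at the end of this hunk reuses `CPU_LOONGSON64` from the 5.10 patch above, but as far as I recall a 5.4 arch/mips/Kconfig still names that CPU type CPU_LOONGSON3, the rename to CPU_LOONGSON64 having landed in a later release. Kconfig does not reject an unknown name in a `default ... if` expression — it is treated as an undefined symbol and evaluates false — so the 5.4 patch would apply cleanly yet leave CPU_MIPS64 unset on Loongson builds, which is exactly the inconsistent state the commit message describes. Worth checking against the 5.4 tree; if confirmed, the 5.4 variant should carry the older symbol, `CPU_LOONGSON3 || CPU_CAVIUM_OCTEON`, in place of `CPU_LOONGSON64 || CPU_CAVIUM_OCTEON`. The Octeon half, and therefore the octeonplus target the cover letter cares about, is unaffected either way, as is the pending-5.10 patch.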
Re: [PATCH] kernel: no chacha-mips.ko on mips32 r1 targets
On Fri, Feb 26, 2021 at 11:35 PM Ilya Lipnitskiy wrote: > > CHACHA_MIPS depends on CPU_MIPS32_R2. Therefore, > kmod-crypto-lib-chacha20 should not contain chacha-mips.ko on MIPS32 R1 > targets. Enforce that in the target-specific definition. > > Fixes bcm47xx, bcm63xx, lantiq/ase, ath25 builds. > > Fixes: 06351f1 ("kernel: migrate wireguard into the kernel tree") > Cc: Jason A. Donenfeld > Signed-off-by: Ilya Lipnitskiy > --- > package/kernel/linux/modules/crypto.mk | 7 +-- > 1 file changed, 5 insertions(+), 2 deletions(-) > > diff --git a/package/kernel/linux/modules/crypto.mk > b/package/kernel/linux/modules/crypto.mk > index a64b91a8fe..cbaa8d3ce5 100644 > --- a/package/kernel/linux/modules/crypto.mk > +++ b/package/kernel/linux/modules/crypto.mk > @@ -485,12 +485,15 @@ define KernelPackage/crypto-lib-chacha20/aarch64 >FILES+=$(LINUX_DIR)/arch/arm64/crypto/chacha-neon.ko > endef > > -define KernelPackage/crypto-lib-chacha20/mips > +define KernelPackage/crypto-lib-chacha20/mips32r2 >KCONFIG+=CONFIG_CRYPTO_CHACHA_MIPS >FILES:=$(LINUX_DIR)/arch/mips/crypto/chacha-mips.ko > endef > > -KernelPackage/crypto-lib-chacha20/mipsel=$(KernelPackage/crypto-lib-chacha20/mips) > +ifeq ($(CONFIG_CPU_MIPS32_R2),y) > + KernelPackage/crypto-lib-chacha20/$(ARCH)=\ > + $(KernelPackage/crypto-lib-chacha20/mips32r2) > +endif > > ifdef KernelPackage/crypto-lib-chacha20/$(ARCH) >KernelPackage/crypto-lib-chacha20/$(CRYPTO_TARGET)=\ > -- > 2.30.1 > Reviewed-by: Jason A. Donenfeld Nice catch. Rene and I did this implementation for a little tplink mips32r2 router I found on amazon. ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
Re: [PATCH] wireguard-tools: Add dependency on kmod-wireguard
https://github.com/openwrt/openwrt/pull/3890 Voila -- here's a potentially much, much nicer approach in the long term. ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
Re: [PATCH] wireguard-tools: Add dependency on kmod-wireguard
On Fri, Feb 19, 2021 at 5:48 AM Rosen Penev wrote: > > On Thu, Feb 18, 2021 at 8:31 PM Ilya Lipnitskiy > wrote: > > > > Hi, > > On Thu, Feb 18, 2021 at 5:57 PM Jason A. Donenfeld wrote: > > > > > > I've backported WireGuard patch-by patch to 5.4, in a series that you > > > can simply apply to your existing 5.4 kernels. I can prepare that for > > > you guys tomorrow. That way, you'll have the kernel module in both 5.4 > > > and 5.10 through the same mechanisms with the same code. That might > > > save a lot of the complexity that this discussion is veering toward. > > > > > > How's that sound? > > I've implemented the virtual package way I proposed in an earlier > > email. The changes are part of this pull request: > > https://github.com/openwrt/openwrt/pull/3885 > > > > If the reviewers are happy with my changes I think we are done. > > Otherwise, please chime in if we'd rather go the backport way with > > Jason's help. > The backport route is annoying as it means it would need to be > maintained separately from the module. > > It's a moot point anyway. The release will be using the module. This > only concerns snapshot which will migrate to 5.10 eventually. I'm not sure I understand your logic. The suggestion here is to use the backported patches _instead of_ the module. Then, they'd be maintained alongside the kernel, and the wireguard package itself would be the same thing for both 5.4 and 5.10. There'd be one thing to maintain rather than two. This sounds like less work. Jason ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
Re: [PATCH] wireguard-tools: Add dependency on kmod-wireguard
I've backported WireGuard patch-by-patch to 5.4, in a series that you can simply apply to your existing 5.4 kernels. I can prepare that for you guys tomorrow. That way, you'll have the kernel module in both 5.4 and 5.10 through the same mechanisms with the same code. That might save a lot of the complexity that this discussion is veering toward. How's that sound? Jason ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
[PATCH] wireguard: bump to 1.0.20201112
* noise: take lock when removing handshake entry from table This is a defense in depth patch backported from upstream to account for any future issues with list node lifecycles. * netns: check that route_me_harder packets use the right sk A test for an issue that goes back to before Linux's git history began. I've fixed this upstream, but it doesn't look possible to put it into the compat layer, as it's a core networking problem. But we still test for it in the netns test and warn on broken kernels. * qemu: drop build support for rhel 8.2 We now test 8.3+. * compat: SYM_FUNC_{START,END} were backported to 5.4 * qemu: bump default testing version The real motivation for this version bump: 5.4.76 made a change that broke our compat layer. Signed-off-by: Jason A. Donenfeld --- package/network/services/wireguard/Makefile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/package/network/services/wireguard/Makefile b/package/network/services/wireguard/Makefile index 7df219f..91bdb0d 100644 --- a/package/network/services/wireguard/Makefile +++ b/package/network/services/wireguard/Makefile @@ -11,12 +11,12 @@ include $(INCLUDE_DIR)/kernel.mk PKG_NAME:=wireguard -PKG_VERSION:=1.0.20200908 +PKG_VERSION:=1.0.20201112 PKG_RELEASE:=1 PKG_SOURCE:=wireguard-linux-compat-$(PKG_VERSION).tar.xz PKG_SOURCE_URL:=https://git.zx2c4.com/wireguard-linux-compat/snapshot/ -PKG_HASH:=ad33b2d2267a37e0f65c97e65e7d4d926d5aef7d530c251b63fbf919048eead9 +PKG_HASH:=89eae7f0c0bd6c8df3ba2e090984974ff68741a9f26aa0922890f8ca727897e1 PKG_LICENSE:=GPL-2.0 PKG_LICENSE_FILES:=COPYING -- 2.29.1 ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
Re: [PATCH] wireguard-tools: bump to 1.0.20200827
On Tue, Sep 8, 2020 at 6:30 PM Jason A. Donenfeld wrote: > > * ipc: split into separate files per-platform > > This is in preparation for FreeBSD support, which I had hoped to have this > release, but we're still waiting on some tooling fixes, so hopefully next > wg(8) will support that. Either way, the code base is now a lot more amenable > to adding more kernel platform support. > > * man: wg-quick: use syncconf instead of addconf for strip example > > Simple documentation fix. > > * pubkey: isblank is a subset of isspace > * ctype: use non-locale-specific ctype.h > > In addition to ensuring that isalpha() and such isn't locale-specific, we also > make these constant time, even though we're never distinguishing between bits > of a secret using them. From that perspective, though, this is markedly better > than the locale-specific table lookups in glibc, even though base64 characters > span two cache lines and valid private keys must hit both. This may be useful > for other projects too: https://git.zx2c4.com/wireguard-tools/tree/src/ctype.h > --- > package/network/utils/wireguard-tools/Makefile | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > diff --git a/package/network/utils/wireguard-tools/Makefile > b/package/network/utils/wireguard-tools/Makefile > index fb7c0b6..a5264a5 100644 > --- a/package/network/utils/wireguard-tools/Makefile > +++ b/package/network/utils/wireguard-tools/Makefile > @@ -11,12 +11,12 @@ include $(INCLUDE_DIR)/kernel.mk > > PKG_NAME:=wireguard-tools > > -PKG_VERSION:=1.0.20200513 > +PKG_VERSION:=1.0.20200827 > PKG_RELEASE:=2 > > PKG_SOURCE:=wireguard-tools-$(PKG_VERSION).tar.xz > PKG_SOURCE_URL:=https://git.zx2c4.com/wireguard-tools/snapshot/ > -PKG_HASH:=e73409a9fb8c90506db241d1e1a4e7372a60dbfa400e37f4ab2fd70a92ba495f > +PKG_HASH:=51bc85e33a5b3cf353786ae64b0f1216d7a871447f058b6137f793eb0f53b7fd > > PKG_LICENSE:=GPL-2.0 > PKG_LICENSE_FILES:=COPYING > -- > 2.28.0 
Signed-off-by: Jason A. Donenfeld ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
[PATCH] wireguard-tools: bump to 1.0.20200827
* ipc: split into separate files per-platform This is in preparation for FreeBSD support, which I had hoped to have this release, but we're still waiting on some tooling fixes, so hopefully next wg(8) will support that. Either way, the code base is now a lot more amenable to adding more kernel platform support. * man: wg-quick: use syncconf instead of addconf for strip example Simple documentation fix. * pubkey: isblank is a subset of isspace * ctype: use non-locale-specific ctype.h In addition to ensuring that isalpha() and such isn't locale-specific, we also make these constant time, even though we're never distinguishing between bits of a secret using them. From that perspective, though, this is markedly better than the locale-specific table lookups in glibc, even though base64 characters span two cache lines and valid private keys must hit both. This may be useful for other projects too: https://git.zx2c4.com/wireguard-tools/tree/src/ctype.h --- package/network/utils/wireguard-tools/Makefile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/package/network/utils/wireguard-tools/Makefile b/package/network/utils/wireguard-tools/Makefile index fb7c0b6..a5264a5 100644 --- a/package/network/utils/wireguard-tools/Makefile +++ b/package/network/utils/wireguard-tools/Makefile @@ -11,12 +11,12 @@ include $(INCLUDE_DIR)/kernel.mk PKG_NAME:=wireguard-tools -PKG_VERSION:=1.0.20200513 +PKG_VERSION:=1.0.20200827 PKG_RELEASE:=2 PKG_SOURCE:=wireguard-tools-$(PKG_VERSION).tar.xz PKG_SOURCE_URL:=https://git.zx2c4.com/wireguard-tools/snapshot/ -PKG_HASH:=e73409a9fb8c90506db241d1e1a4e7372a60dbfa400e37f4ab2fd70a92ba495f +PKG_HASH:=51bc85e33a5b3cf353786ae64b0f1216d7a871447f058b6137f793eb0f53b7fd PKG_LICENSE:=GPL-2.0 PKG_LICENSE_FILES:=COPYING -- 2.28.0 ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
[PATCH] wireguard: bump to 1.0.20200908
* compat: backport kfree_sensitive and switch to it * netlink: consistently use NLA_POLICY_EXACT_LEN() * netlink: consistently use NLA_POLICY_MIN_LEN() * compat: backport NLA policy macros Backports from upstream changes. * peerlookup: take lock before checking hash in replace operation A fix for a race condition caught by syzkaller. Signed-off-by: Jason A. Donenfeld --- package/network/services/wireguard/Makefile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/package/network/services/wireguard/Makefile b/package/network/services/wireguard/Makefile index 8c408d0..7df219f 100644 --- a/package/network/services/wireguard/Makefile +++ b/package/network/services/wireguard/Makefile @@ -11,12 +11,12 @@ include $(INCLUDE_DIR)/kernel.mk PKG_NAME:=wireguard -PKG_VERSION:=1.0.20200729 +PKG_VERSION:=1.0.20200908 PKG_RELEASE:=1 PKG_SOURCE:=wireguard-linux-compat-$(PKG_VERSION).tar.xz PKG_SOURCE_URL:=https://git.zx2c4.com/wireguard-linux-compat/snapshot/ -PKG_HASH:=690c7d9e115e2ff27386811cb495c9784678f717c8d6fc4cc7469dce373f252e +PKG_HASH:=ad33b2d2267a37e0f65c97e65e7d4d926d5aef7d530c251b63fbf919048eead9 PKG_LICENSE:=GPL-2.0 PKG_LICENSE_FILES:=COPYING -- 2.28.0 ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
[PATCH] wireguard: bump to 1.0.20200729
* compat: rhel 8.3 beta removed nf_nat_core.h * compat: ipv6_dst_lookup_flow was ported to rhel 7.9 beta This compat tag adds support for RHEL 8.3 beta and RHEL 7.9 beta, in addition to RHEL 8.2 and RHEL 7.8. It also marks the first time that <https://www.wireguard.com/build-status/> is all green for all RHEL kernels. After quite a bit of trickery, we've finally got the RHEL kernels building automatically. * compat: allow override of depmod basedir When building in an environment with a different modules install path, it's not possible to override the depmod basedir flag by setting the DEPMODBASEDIR environment variable. * compat: add missing headers for ip_tunnel_parse_protocol This fixes compilation with some unusual configurations. Signed-off-by: Jason A. Donenfeld --- package/network/services/wireguard/Makefile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/package/network/services/wireguard/Makefile b/package/network/services/wireguard/Makefile index 19aea4b..8c408d0 100644 --- a/package/network/services/wireguard/Makefile +++ b/package/network/services/wireguard/Makefile @@ -11,12 +11,12 @@ include $(INCLUDE_DIR)/kernel.mk PKG_NAME:=wireguard -PKG_VERSION:=1.0.20200712 +PKG_VERSION:=1.0.20200729 PKG_RELEASE:=1 PKG_SOURCE:=wireguard-linux-compat-$(PKG_VERSION).tar.xz PKG_SOURCE_URL:=https://git.zx2c4.com/wireguard-linux-compat/snapshot/ -PKG_HASH:=e15b3d4eb2cf186920a6ed13685187d6b846e59eb383c291913628682965ac95 +PKG_HASH:=690c7d9e115e2ff27386811cb495c9784678f717c8d6fc4cc7469dce373f252e PKG_LICENSE:=GPL-2.0 PKG_LICENSE_FILES:=COPYING -- 2.28.0 ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
Re: [PATCH] wireguard-tools: allow compiling with MIPS16 instructions
On Fri, Jul 24, 2020 at 11:05 AM Rui Salvaterra wrote: > > On Fri, 24 Jul 2020 at 09:53, Jason A. Donenfeld wrote: > > > > Testing the process once like that isn't a good testing methodology > > representative of anything at all. > > I completely agree, this wasn't an objective test at all. I was merely > illustrating what a normal user will do, generate a key pair to > configure a VPN. If it took more than two seconds, I'd be worried, but > it "feels" instantaneous. I could, of course, time 1000 key > generations in a loop, on a completely idle system, but that wouldn't > represent the typical use case. :) This might be a typical use case for you, but some people are running scripts that generate lots of keys. There may be a good argument that if you're doing that kind of thing, a tiny MIPS router isn't the right hardware for your use case. But, before going down that route, I'd still be interested in knowing if it _actually_ makes any difference at all. Maybe it's negligible, for example. ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
Re: [PATCH] wireguard-tools: allow compiling with MIPS16 instructions
On Fri, Jul 24, 2020 at 10:39 AM Rui Salvaterra wrote: > > Well… > > On Fri, 24 Jul 2020 at 09:32, Rosen Penev wrote: > > > > > On Jul 24, 2020, at 1:14 AM, Jason A. Donenfeld wrote: > > > > > > Seems probably fine to me, but would you let me know if the > > > performance of `wg pubkey` suffers as a result? > > Of course. I imagine it’s very tiny. Logging in to the router with ssh is > > much slower. > > root@heimdal:/tmp# time wg genkey | tee privatekey | wg pubkey > publickey > real0m 0.00s > user0m 0.00s > sys0m 0.00s > root@heimdal:/tmp# > > … yeah, I don't think performance will be an issue. :) > (This is a 775 MHz 74Kc router, mind you.) > > Thanks, > Rui Testing the process once like that isn't a good testing methodology representative of anything at all. ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
Re: [PATCH] wireguard-tools: allow compiling with MIPS16 instructions
On Fri, Jul 24, 2020 at 10:03 AM Rui Salvaterra wrote: > > The wg utility compiles and runs without issues in MIPS16 mode, despite > setting > PKG_USE_MIPS16:=0 in the makefile. Let's remove this, allowing for a > substantial > size reduction of the wg executable. Since wg is a just a configuration > utility, > it shouldn't be performance-critical, as the crypto heavy-lifting is done on > the > kernel side. > > wg sizes for both modes: > > MIPS32: 64309 bytes > MIPS16: 42501 bytes Seems probably fine to me, but would you let me know if the performance of `wg pubkey` suffers as a result? I'm far from home at the moment without any access to MIPS hardware to test myself. Jason ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
[PATCH] wireguard: bump to 1.0.20200712
This release brings parity with the commits Linus released a few hours ago into 5.8-rc5. * receive: account for napi_gro_receive never returning GRO_DROP The napi_gro_receive function no longer returns GRO_DROP ever, making handling GRO_DROP dead code. This commit removes that dead code. Further, it's not even clear that device drivers have any business in taking action after passing off received packets; that's arguably out of their hands. * device: implement header_ops->parse_protocol for AF_PACKET WireGuard uses skb->protocol to determine packet type, and bails out if it's not set or set to something it's not expecting. For AF_PACKET injection, we need to support its call chain of: packet_sendmsg -> packet_snd -> packet_parse_headers -> dev_parse_header_protocol -> parse_protocol Without a valid parse_protocol, this returns zero, and wireguard then rejects the skb. So, this wires up the ip_tunnel handler for layer 3 packets for that case. * queueing: make use of ip_tunnel_parse_protocol Now that wg_examine_packet_protocol has been added for general consumption as ip_tunnel_parse_protocol, it's possible to remove wg_examine_packet_protocol and simply use the new ip_tunnel_parse_protocol function directly. * compat: backport ip_tunnel_parse_protocol and ip_tunnel_header_ops These are required for moving wg_examine_packet_protocol out of wireguard and into upstream. Signed-off-by: Jason A. Donenfeld --- package/network/services/wireguard/Makefile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/package/network/services/wireguard/Makefile b/package/network/services/wireguard/Makefile index b7adf27..19aea4b 100644 --- a/package/network/services/wireguard/Makefile +++ b/package/network/services/wireguard/Makefile 
@@ -11,12 +11,12 @@ include $(INCLUDE_DIR)/kernel.mk
PKG_NAME:=wireguard
-PKG_VERSION:=1.0.20200623
+PKG_VERSION:=1.0.20200712
PKG_RELEASE:=1
PKG_SOURCE:=wireguard-linux-compat-$(PKG_VERSION).tar.xz
PKG_SOURCE_URL:=https://git.zx2c4.com/wireguard-linux-compat/snapshot/
-PKG_HASH:=130937724515799edf05ff8216bc837df8acda879428f3a7f96a3287758f9445
+PKG_HASH:=e15b3d4eb2cf186920a6ed13685187d6b846e59eb383c291913628682965ac95
PKG_LICENSE:=GPL-2.0
PKG_LICENSE_FILES:=COPYING
-- 2.27.0 ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
[PATCH] wireguard: bump to 1.0.20200623
* compat: drop centos 8.1 support as 8.2 is now out Of note, as well, is that we now have both RHEL7 and RHEL8 in our CI at <https://www.wireguard.com/build-status/>. * Kbuild: remove -fvisibility=hidden from cflags This fixes an issue when compiling wireguard as a module for ARM kernels in THUMB2 mode without the JUMP11 workaround. * noise: do not assign initiation time in if condition Style fix. * device: avoid circular netns references Fixes a circular reference issue with network namespaces. * netns: workaround bad 5.2.y backport This works around a back backport in the 5.2.y series. Signed-off-by: Jason A. Donenfeld --- package/network/services/wireguard/Makefile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/package/network/services/wireguard/Makefile b/package/network/services/wireguard/Makefile index ce91fbe..b7adf27 100644 --- a/package/network/services/wireguard/Makefile +++ b/package/network/services/wireguard/Makefile @@ -11,12 +11,12 @@ include $(INCLUDE_DIR)/kernel.mk PKG_NAME:=wireguard -PKG_VERSION:=1.0.20200520 +PKG_VERSION:=1.0.20200623 PKG_RELEASE:=1 PKG_SOURCE:=wireguard-linux-compat-$(PKG_VERSION).tar.xz PKG_SOURCE_URL:=https://git.zx2c4.com/wireguard-linux-compat/snapshot/ -PKG_HASH:=16e7ae4bef734b243428eea07f3b3c3d4721880c3ea8eb8f98628fd6ae5b77c3 +PKG_HASH:=130937724515799edf05ff8216bc837df8acda879428f3a7f96a3287758f9445 PKG_LICENSE:=GPL-2.0 PKG_LICENSE_FILES:=COPYING -- 2.27.0 ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org http://lists.infradead.org/mailman/listinfo/openwrt-devel
Re: [OpenWrt-Devel] Any progress on R_ARM_THM_JUMP11 issues?
Looks as though in the end this is a binutils bug with -fvisibility=hidden. Details on https://sourceware.org/bugzilla/show_bug.cgi?id=12532#c9 ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
Re: [OpenWrt-Devel] wireguard: unknown relocation: 102 [ARMv7 Thumb-2]
Hey Rui, I fixed it! It turned out to be caused by -fvisibility=hidden undoing the effect of the binutils fix from a while back. Here's the patch that makes the problem go away: https://git.zx2c4.com/wireguard-linux-compat/commit/?id=178cdfffb99f2fd6fb4a5bfd2f9319461d93f53b This will be in the next compat release. Jason ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
[OpenWrt-Devel] Any progress on R_ARM_THM_JUMP11 issues?
Hi ARM folks, Rui emailed the OpenWRT list and me about an issue he found when compiling WireGuard. He was compiling kernels with CONFIG_THUMB2_AVOID_R_ARM_THM_JUMP11=n -- which I'm well aware the Kconfig advices people not to do -- and got the dreaded "unknown relocation 102" error when trying to load the module. I figured out that I could "fix" it in the WireGuard code by either doing some extra stuff after the tail call, so that the B becomes a BL, or by moving the destination of the tail call a bit closer to the callsite, so that THUMB2's jump distance is shorter and fits within the B's limitations, thereby not needing the "JUMP11" relocation. Obviously reordering code for this reason isn't going to fly with upstream patches, nor would adding dummy code to avoid a tail call. And there's already CONFIG_THUMB2_AVOID_R_ARM_THM_JUMP11=y which seems like the right global solution for this. But I am wondering: has anybody heard about toolchain progress toward fixing this? Couldn't the compiler reorder functions itself more intelligently? Or avoid emitting the B in the case that the jump will be too far? Or does nobody care much about 32-bit ARM these days so it's just fallen by the wayside and CONFIG_THUMB2_AVOID_R_ARM_THM_JUMP11=y is the best we've got? Or something else? Jason On Wed, Jun 17, 2020 at 2:54 PM Jason A. Donenfeld wrote: > > On Wed, Jun 17, 2020 at 02:45:12PM -0600, Jason A. Donenfeld wrote: > > Looks like my explanation there wasn't 100% accurate, but it does seem > > like the issue occurs when gcc sees a clear tail call that it can > > optimize into a B instruction instead of a BL instruction. > > > > The below patch avoids that, and thus fixes your issue, using a pretty > > bad trick that's not really suitable for being committed anywhere, but > > it is perhaps leading us in the right direction: > > > > diff --git a/src/send.c b/src/send.c > > index 828b086a..4bb6911f 100644 > > --- a/src/send.c > > +++ b/src/send.c 
> > @@ -221,6 +221,8 @@ static bool encrypt_packet(struct sk_buff *skb, struct > > noise_keypair *keypair, > > simd_context); > > } > > > > +volatile char dummy; > > + > > void wg_packet_send_keepalive(struct wg_peer *peer) > > { > > struct sk_buff *skb; > > @@ -240,6 +242,7 @@ void wg_packet_send_keepalive(struct wg_peer *peer) > > } > > > > wg_packet_send_staged_packets(peer); > > + dummy = -1; > > } > > > > static void wg_packet_create_data_done(struct sk_buff *first, > > A better fix with more explanation: it looks like the issue doesn't have > to do with the multifile thing I pointed out before, but just that gcc > sees it can optimize the tail call into a B instruction, which seems to > have a ±2KB range, whereas BL has a ±4MB range. The solution is to just > move the location of the function in that file to be closer to the > destination of the tail call. I'm not a big fan of that and I'm slightly > worried davem will nack it because it makes backporting harder for a > fairly speculative gain (at least, I haven't yet taken measurements, > though I suppose I could). There's also the question of - why are we > doing goofy reordering things to the code to work around a toolchain > bug? Shouldn't we fix the toolchain? So, I'll keep thinking... > > diff --git a/src/send.c b/src/send.c > index 828b086a..f44aff8d 100644 > --- a/src/send.c > +++ b/src/send.c 
> @@ -221,27 +221,6 @@ static bool encrypt_packet(struct sk_buff *skb, struct > noise_keypair *keypair, >simd_context); > } > > -void wg_packet_send_keepalive(struct wg_peer *peer) > -{ > - struct sk_buff *skb; > - > - if (skb_queue_empty(>staged_packet_queue)) { > - skb = alloc_skb(DATA_PACKET_HEAD_ROOM + > MESSAGE_MINIMUM_LENGTH, > - GFP_ATOMIC); > - if (unlikely(!skb)) > - return; > - skb_reserve(skb, DATA_PACKET_HEAD_ROOM); > - skb->dev = peer->device->dev; > - PACKET_CB(skb)->mtu = skb->dev->mtu; > - skb_queue_tail(>staged_packet_queue, skb); > - net_dbg_ratelimited("%s: Sending keepalive packet to peer > %llu (%pISpfsc)\n", > - peer->device->dev->name, > peer->internal_id, > - >endpoint.addr); > - } > - > - wg_packet_send_staged_packets(peer); > -} > - > static void wg_packet_create_data_done(struct sk_buff *first, >struct wg_peer *peer) > { > @@
Re: [OpenWrt-Devel] wireguard: unknown relocation: 102 [ARMv7 Thumb-2]
On Wed, Jun 17, 2020 at 02:45:12PM -0600, Jason A. Donenfeld wrote: > Looks like my explanation there wasn't 100% accurate, but it does seem > like the issue occurs when gcc sees a clear tail call that it can > optimize into a B instruction instead of a BL instruction. > > The below patch avoids that, and thus fixes your issue, using a pretty > bad trick that's not really suitable for being committed anywhere, but > it is perhaps leading us in the right direction: > > diff --git a/src/send.c b/src/send.c > index 828b086a..4bb6911f 100644 > --- a/src/send.c > +++ b/src/send.c > @@ -221,6 +221,8 @@ static bool encrypt_packet(struct sk_buff *skb, struct > noise_keypair *keypair, > simd_context); > } > > +volatile char dummy; > + > void wg_packet_send_keepalive(struct wg_peer *peer) > { > struct sk_buff *skb; > @@ -240,6 +242,7 @@ void wg_packet_send_keepalive(struct wg_peer *peer) > } > > wg_packet_send_staged_packets(peer); > + dummy = -1; > } > > static void wg_packet_create_data_done(struct sk_buff *first, A better fix with more explanation: it looks like the issue doesn't have to do with the multifile thing I pointed out before, but just that gcc sees it can optimize the tail call into a B instruction, which seems to have a ±2KB range, whereas BL has a ±4MB range. The solution is to just move the location of the function in that file to be closer to the destination of the tail call. I'm not a big fan of that and I'm slightly worried davem will nack it because it makes backporting harder for a fairly speculative gain (at least, I haven't yet taken measurements, though I suppose I could). There's also the question of - why are we doing goofy reordering things to the code to work around a toolchain bug? Shouldn't we fix the toolchain? So, I'll keep thinking... diff --git a/src/send.c b/src/send.c index 828b086a..f44aff8d 100644 --- a/src/send.c +++ b/src/send.c 
@@ -221,27 +221,6 @@ static bool encrypt_packet(struct sk_buff *skb, struct noise_keypair *keypair,
 simd_context);
 }
-void wg_packet_send_keepalive(struct wg_peer *peer)
-{
- struct sk_buff *skb;
-
- if (skb_queue_empty(>staged_packet_queue)) {
- skb = alloc_skb(DATA_PACKET_HEAD_ROOM + MESSAGE_MINIMUM_LENGTH,
- GFP_ATOMIC);
- if (unlikely(!skb))
- return;
- skb_reserve(skb, DATA_PACKET_HEAD_ROOM);
- skb->dev = peer->device->dev;
- PACKET_CB(skb)->mtu = skb->dev->mtu;
- skb_queue_tail(>staged_packet_queue, skb);
- net_dbg_ratelimited("%s: Sending keepalive packet to peer %llu (%pISpfsc)\n",
- peer->device->dev->name, peer->internal_id,
- >endpoint.addr);
- }
-
- wg_packet_send_staged_packets(peer);
-}
-
 static void wg_packet_create_data_done(struct sk_buff *first,
 struct wg_peer *peer)
 {
@@ -346,6 +325,27 @@ err:
 kfree_skb_list(first);
 }
+void wg_packet_send_keepalive(struct wg_peer *peer)
+{
+ struct sk_buff *skb;
+
+ if (skb_queue_empty(>staged_packet_queue)) {
+ skb = alloc_skb(DATA_PACKET_HEAD_ROOM + MESSAGE_MINIMUM_LENGTH,
+ GFP_ATOMIC);
+ if (unlikely(!skb))
+ return;
+ skb_reserve(skb, DATA_PACKET_HEAD_ROOM);
+ skb->dev = peer->device->dev;
+ PACKET_CB(skb)->mtu = skb->dev->mtu;
+ skb_queue_tail(>staged_packet_queue, skb);
+ net_dbg_ratelimited("%s: Sending keepalive packet to peer %llu (%pISpfsc)\n",
+ peer->device->dev->name, peer->internal_id,
+ >endpoint.addr);
+ }
+
+ wg_packet_send_staged_packets(peer);
+}
+
 void wg_packet_purge_staged_packets(struct wg_peer *peer)
 {
 spin_lock_bh(>staged_packet_queue.lock);
___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
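Review bot: The relocated wg_packet_send_keepalive in the second hunk (@@ -346,6 +325,27 @@) carries no comment recording that its position in send.c is load-bearing, so a later reordering of the file would silently bring back the R_ARM_THM_JUMP11 relocation that the module loader rejects. A comment above the definition along the lines of `/* Placed near wg_packet_send_staged_packets on purpose: on Thumb-2 gcc emits the tail call as a short-range B, and the module loader cannot fix up the resulting R_ARM_THM_JUMP11 (102) relocation. */` would make the constraint visible to the next maintainer. As noted elsewhere in this thread, CONFIG_THUMB2_AVOID_R_ARM_THM_JUMP11 (effectively -fno-optimize-sibling-calls) removes the dependency on function order altogether, so this reorder reads as an interim measure rather than a fix and is worth labelling as such.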
Re: [OpenWrt-Devel] wireguard: unknown relocation: 102 [ARMv7 Thumb-2]
On Wed, Jun 17, 2020 at 02:33:49PM -0600, Jason A. Donenfeld wrote: > So, some more research: it looks like the R_ARM_THM_JUMP11 symbol is > actually wg_packet_send_staged_packets, a boring C function with > nothing fancy about it. That github issue you pointed to suggested > that it might have something to do with complex crypto functions, but > it looks like that's not the case. wg_packet_send_staged_packets is > plain old boring C. > > But there is one interesting thing about > wg_packet_send_staged_packets: it's defined in send.c, and called from > send.c, receive.c, device.c, and netlink.c -- four places. What I > suspect is happening is that the linker can't quite figure out how to > order the functions in the final executable so that the > wg_packet_send_staged_packets definition is sufficiently close to all > of its call sites, so it then needs to add that extra trampoline > midway to get to it. Stupid linker. I'm playing now if there's some > manual reordering I can do in the build system so that this isn't a > problem, but I'm not very optimistic that I'll succeed. Looks like my explanation there wasn't 100% accurate, but it does seem like the issue occurs when gcc sees a clear tail call that it can optimize into a B instruction instead of a BL instruction. The below patch avoids that, and thus fixes your issue, using a pretty bad trick that's not really suitable for being committed anywhere, but it is perhaps leading us in the right direction:
diff --git a/src/send.c b/src/send.c
index 828b086a..4bb6911f 100644
--- a/src/send.c
+++ b/src/send.c
@@ -221,6 +221,8 @@ static bool encrypt_packet(struct sk_buff *skb, struct noise_keypair *keypair,
 simd_context);
 }
+volatile char dummy;
+
 void wg_packet_send_keepalive(struct wg_peer *peer)
 {
 struct sk_buff *skb;
@@ -240,6 +242,7 @@ void wg_packet_send_keepalive(struct wg_peer *peer)
 }
 wg_packet_send_staged_packets(peer);
+ dummy = -1;
 }
 static void wg_packet_create_data_done(struct sk_buff *first,
___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
Re: [OpenWrt-Devel] wireguard: unknown relocation: 102 [ARMv7 Thumb-2]
So, some more research: it looks like the R_ARM_THM_JUMP11 symbol is actually wg_packet_send_staged_packets, a boring C function with nothing fancy about it. That github issue you pointed to suggested that it might have something to do with complex crypto functions, but it looks like that's not the case. wg_packet_send_staged_packets is plain old boring C. But there is one interesting thing about wg_packet_send_staged_packets: it's defined in send.c, and called from send.c, receive.c, device.c, and netlink.c -- four places. What I suspect is happening is that the linker can't quite figure out how to order the functions in the final executable so that the wg_packet_send_staged_packets definition is sufficiently close to all of its call sites, so it then needs to add that extra trampoline midway to get to it. Stupid linker. I'm now experimenting to see whether there's some manual reordering I can do in the build system so that this isn't a problem, but I'm not very optimistic that I'll succeed. ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
Re: [OpenWrt-Devel] wireguard: unknown relocation: 102 [ARMv7 Thumb-2]
Hi Rui, On Wed, Jun 17, 2020 at 7:19 AM Rui Salvaterra wrote: > After a bit more digging [1], I believe I've narrowed it down. > CONFIG_THUMB2_AVOID_R_ARM_THM_JUMP11=y is required in order to avoid > the emission of R_ARM_THM_JUMP11 relocations in the WireGuard module. > I'm now wondering why the compat modules haven't exhibited the same > problem (maybe it was just a fluke), but since this kconfig option > effectively implies -fno-optimize-sibling-calls [2], it's quite a > hefty hammer. Is this something that can be solved in the WireGuard > build itself? > > Thanks in advance, > Rui > > [1] https://github.com/openwrt/openwrt/pull/3079#issuecomment-645297337 > [2] > https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tree/arch/arm/Makefile?h=linux-5.4.y#n125 Ahh hah, nice detective work. Reading the Kconfig description, it looks like this is actually a toolchain bug with modules in general: config THUMB2_AVOID_R_ARM_THM_JUMP11 bool "Work around buggy Thumb-2 short branch relocations in gas" depends on THUMB2_KERNEL && MODULES default y help Various binutils versions can resolve Thumb-2 branches to locally-defined, preemptible global symbols as short-range "b.n" branch instructions. This is a problem, because there's no guarantee the final destination of the symbol, or any candidate locations for a trampoline, are within range of the branch. For this reason, the kernel does not support fixing up the R_ARM_THM_JUMP11 (102) relocation in modules at all, and it makes little sense to add support. The symptom is that the kernel fails with an "unsupported relocation" error when loading some modules. Until fixed tools are available, passing -fno-optimize-sibling-calls to gcc should prevent gcc generating code which hits this problem, at the cost of a bit of extra runtime stack usage in some cases. The problem is described in more detail at: https://bugs.launchpad.net/binutils-linaro/+bug/725126 Only Thumb-2 kernels are affected. 
Unless you are sure your tools don't have this problem, say Y. ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
Re: [OpenWrt-Devel] wireguard: unknown relocation: 102 [ARMv7 Thumb-2]
On Wed, Jun 10, 2020 at 4:05 AM Rui Salvaterra wrote: > > Hi, Jason, > > On Wed, 10 Jun 2020 at 10:31, Rui Salvaterra wrote: > > > > Good question. :) You're testing in QEMU (which I personally never > > used), right? I don't know how familiar you are with OpenWrt, but I > > can surely send you my configuration (it's spread across multiple > > files, though). > > Ok, so this is what I do (on a pristine tree, after cloning the > buildroot and the packages feed): > > First, I change the CPU subtype to neon (sadly, the Armada 385 is > castrated upstream since the 370 only supports VFPv3-D16 :/). > > diff --git a/target/linux/mvebu/cortexa9/target.mk > b/target/linux/mvebu/cortexa9/target.mk > index cdd4d86e49..9af3c95d7b 100644 > --- a/target/linux/mvebu/cortexa9/target.mk > +++ b/target/linux/mvebu/cortexa9/target.mk > @@ -10,5 +10,5 @@ include $(TOPDIR)/rules.mk > ARCH:=arm > BOARDNAME:=Marvell Armada 37x/38x/XP > CPU_TYPE:=cortex-a9 > -CPU_SUBTYPE:=vfpv3-d16 > +CPU_SUBTYPE:=neon > KERNELNAME:=zImage dtbs > > Then, I use the attached configuration files. The .config (for > OpenWrt) in the buildroot, and config-default (for the kernel itself) > in target/linux/mvebu/cortexa9/. > > Let me know if you need anything else! Eventually I can probably get this building and testing and find some hardware for this and such. But if you'd like things to move faster, trying to reproduce the issue in the qemu test suite will result in a quicker fix. Jason ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
Re: [OpenWrt-Devel] wireguard: unknown relocation: 102 [ARMv7 Thumb-2]
Hi Rui, I'm unable to reproduce this: $ git clone https://git.zx2c4.com/wireguard-linux-compat $ ARCH=arm make -C wireguard-linux-compat/src test-qemu -j$(nproc) [... big test suite ...] $ vim wireguard-linux-compat/qemu-build/arm/linux-5.5.14/.config [... enable CONFIG_THUMB2_KERNEL=y ...] $ ARCH=arm make -C wireguard-linux-compat/src test-qemu -j$(nproc) [... big test suite ...] Is there some config combination you can stick into the test harness to repro what you're seeing? Jason ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
[OpenWrt-Devel] [PATCH] wireguard: bump to 1.0.20200520
This version has the various slew of bug fixes and compat fixes and such, but the most interesting thing from an OpenWRT perspective is that WireGuard now plays nicely with cake and fq_codel. I'll be very interested to hear from OpenWRT users whether this makes a measurable difference. Usual set of full changes follows. This release aligns with the changes I sent to DaveM for 5.7-rc7 and were pushed to net.git about 45 minutes ago. * qemu: use newer iproute2 for gcc-10 * qemu: add -fcommon for compiling ping with gcc-10 These enable the test suite to compile with gcc-10. * noise: read preshared key while taking lock Matt noticed a benign data race when porting the Linux code to OpenBSD. * queueing: preserve flow hash across packet scrubbing * noise: separate receive counter from send counter WireGuard now works with fq_codel, cake, and other qdiscs that make use of skb->hash. This should significantly improve latency spikes related to buffer bloat. Here's a before and after graph from some data Toke measured: https://data.zx2c4.com/removal-of-buffer-bloat-in-wireguard.png * compat: support RHEL 8 as 8.2, drop 8.1 support * compat: support CentOS 8 explicitly * compat: RHEL7 backported the skb hash renamings The usual RHEL churn. * compat: backport renamed/missing skb hash members The new support for fq_codel and friends meant more backporting work. * compat: ip6_dst_lookup_flow was backported to 4.14, 4.9, and 4.4 The main motivation for releasing this now: three stable kernels were released at the same time, with a patch that necessitated updating in our compat layer. Signed-off-by: Jason A. Donenfeld --- package/network/services/wireguard/Makefile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/package/network/services/wireguard/Makefile b/package/network/services/wireguard/Makefile index b856d82..ce91fbe 100644 --- a/package/network/services/wireguard/Makefile +++ b/package/network/services/wireguard/Makefile 
@@ -11,12 +11,12 @@ include $(INCLUDE_DIR)/kernel.mk
 PKG_NAME:=wireguard
-PKG_VERSION:=1.0.20200506
+PKG_VERSION:=1.0.20200520
 PKG_RELEASE:=1
 PKG_SOURCE:=wireguard-linux-compat-$(PKG_VERSION).tar.xz
 PKG_SOURCE_URL:=https://git.zx2c4.com/wireguard-linux-compat/snapshot/
-PKG_HASH:=98a99f2b825a82d57a7213e666f1ee4f7cc02bddb09bf4908b4b09447a8f121e
+PKG_HASH:=16e7ae4bef734b243428eea07f3b3c3d4721880c3ea8eb8f98628fd6ae5b77c3
 PKG_LICENSE:=GPL-2.0
 PKG_LICENSE_FILES:=COPYING
-- 
2.26.2
___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
[OpenWrt-Devel] [PATCH] wireguard-tools: bump to 1.0.20200513
* ipc: add support for openbsd kernel implementation * ipc: cleanup openbsd support * wg-quick: add support for openbsd kernel implementation * wg-quick: cleanup openbsd support Very exciting! wg(8) and wg-quick(8) now support the kernel implementation for OpenBSD. OpenBSD is the second kernel, after Linux, to receive full fledged and supported WireGuard kernel support. We'll probably send our patch set up to the list during this next week. `ifconfig wg0 create` to make an interface, and `wg ...` like usual to configure WireGuard aspects of it, like usual. * wg-quick: support dns search domains If DNS= has a non-IP in it, it is now treated as a search domain in resolv.conf. This new feature will be rolling out across our various GUI clients in the next week or so. * Makefile: simplify silent cleaning * ipc: remove extra space * git: add gitattributes so tarball doesn't have gitignore files * terminal: specialize color_mode to stdout only Small cleanups. * highlighter: insist on 256-bit keys, not 257-bit or 258-bit The highlighter's key checker is now stricter with base64 validation. * wg-quick: android: support application whitelist Android users can now have an application whitelist instead of application blacklist. * systemd: add wg-quick.target This enables all wg-quick at .services to be restarted or managed as a unit via wg-quick.target. * Makefile: remember to install all systemd units Signed-off-by: Jason A. Donenfeld --- package/network/utils/wireguard-tools/Makefile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/package/network/utils/wireguard-tools/Makefile b/package/network/utils/wireguard-tools/Makefile index 5493295..3232060 100644 --- a/package/network/utils/wireguard-tools/Makefile +++ b/package/network/utils/wireguard-tools/Makefile 
@@ -11,12 +11,12 @@ include $(INCLUDE_DIR)/kernel.mk
 PKG_NAME:=wireguard-tools
-PKG_VERSION:=1.0.20200319
+PKG_VERSION:=1.0.20200513
 PKG_RELEASE:=1
 PKG_SOURCE:=wireguard-tools-$(PKG_VERSION).tar.xz
 PKG_SOURCE_URL:=https://git.zx2c4.com/wireguard-tools/snapshot/
-PKG_HASH:=757ed31d4d48d5fd7853bfd9bfa6a3a1b53c24a94fe617439948784a2c0ed987
+PKG_HASH:=e73409a9fb8c90506db241d1e1a4e7372a60dbfa400e37f4ab2fd70a92ba495f
 PKG_LICENSE:=GPL-2.0
 PKG_LICENSE_FILES:=COPYING
-- 
2.26.2
___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
Re: [OpenWrt-Devel] [PATCH v3] wireguard-tools: fix version indicator
Is this a patch you'd like to send upstream to wiregu...@lists.zx2c4.com? ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
[OpenWrt-Devel] [PATCH] wireguard: bump to 1.0.20200506
* compat: timeconst.h is a generated artifact Before we were trying to check for timeconst.h by looking in the kernel source directory. This isn't quite correct on configurations in which the object directory is separate from the kernel source directory, for example when using O="elsewhere" as a make option when building the kernel. The correct fix is to use $(CURDIR), which should point to where we want. * compat: use bash instead of bc for HZ-->USEC calculation This should make packaging somewhat easier, as bash is generally already available (at least for dkms), whereas bc isn't provided by distros by default in their build meta packages. * socket: remove errant restriction on looping to self It's already possible to create two different interfaces and loop packets between them. This has always been possible with tunnels in the kernel, and isn't specific to wireguard. Therefore, the networking stack already needs to deal with that. At the very least, the packet winds up exceeding the MTU and is discarded at that point. So, since this is already something that happens, there's no need to forbid the not very exceptional case of routing a packet back to the same interface; this loop is no different than others, and we shouldn't special case it, but rather rely on generic handling of loops in general. This also makes it easier to do interesting things with wireguard such as onion routing. At the same time, we add a selftest for this, ensuring that both onion routing works and infinite routing loops do not crash the kernel. We also add a test case for wireguard interfaces nesting packets and sending traffic between each other, as well as the loop in this case too. We make sure to send some throughput-heavy traffic for this use case, to stress out any possible recursion issues with the locks around workqueues. 
* send: cond_resched() when processing tx ringbuffers Users with pathological hardware reported CPU stalls on CONFIG_ PREEMPT_VOLUNTARY=y, because the ringbuffers would stay full, meaning these workers would never terminate. That turned out not to be okay on systems without forced preemption. This commit adds a cond_resched() to the bottom of each loop iteration, so that these workers don't hog the core. We don't do this on encryption/decryption because the compat module here uses simd_relax, which already includes a call to schedule in preempt_enable. * selftests: initalize ipv6 members to NULL to squelch clang warning This fixes a worthless warning from clang. * send/receive: use explicit unlikely branch instead of implicit coalescing Some code readibility cleanups. Signed-off-by: Jason A. Donenfeld
---
 package/network/services/wireguard/Makefile | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/package/network/services/wireguard/Makefile b/package/network/services/wireguard/Makefile
index f57cb9f..b856d82 100644
--- a/package/network/services/wireguard/Makefile
+++ b/package/network/services/wireguard/Makefile
@@ -11,12 +11,12 @@ include $(INCLUDE_DIR)/kernel.mk
 PKG_NAME:=wireguard
-PKG_VERSION:=1.0.20200429
+PKG_VERSION:=1.0.20200506
 PKG_RELEASE:=1
 PKG_SOURCE:=wireguard-linux-compat-$(PKG_VERSION).tar.xz
 PKG_SOURCE_URL:=https://git.zx2c4.com/wireguard-linux-compat/snapshot/
-PKG_HASH:=c0050a94c33c195d4129a75ab4dca05ba021c5265e40fce8b2dfda7d7055cda2
+PKG_HASH:=98a99f2b825a82d57a7213e666f1ee4f7cc02bddb09bf4908b4b09447a8f121e
 PKG_LICENSE:=GPL-2.0
 PKG_LICENSE_FILES:=COPYING
-- 
2.26.2
___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
[OpenWrt-Devel] [PATCH] wireguard: bump to 1.0.20200429
* compat: support latest suse 15.1 and 15.2 * compat: support RHEL 7.8's faulty siphash backport * compat: error out if bc is missing * compat: backport hsiphash_1u32 for tests We now have improved support for RHEL 7.8, SUSE 15.[12], and Ubuntu 16.04. * compat: include sch_generic.h header for skb_reset_tc A fix for a compiler error on kernels with weird configs. * compat: import latest fixes for ptr_ring * compat: don't assume READ_ONCE barriers on old kernels * compat: kvmalloc_array is not required anyway ptr_ring.h from upstream was imported, with compat modifications, to our compat layer, to receive the latest fixes. * compat: prefix icmp[v6]_ndo_send with __compat Some distros that backported icmp[v6]_ndo_send still try to build the compat module in some corner case circumstances, resulting in errors. Work around this with the usual __compat games. * compat: ip6_dst_lookup_flow was backported to 3.16.83 * compat: ip6_dst_lookup_flow was backported to 4.19.119 Greg and Ben backported the ip6_dst_lookup_flow patches to stable kernels, causing breaking in our compat module, which these changes fix. * git: add gitattributes so tarball doesn't have gitignore files Distros won't need to clean this up manually now. * crypto: do not export symbols These don't do anything and only increased file size. * queueing: cleanup ptr_ring in error path of packet_queue_init Sultan Alsawaf reported a memory leak on an error path. * main: mark as in-tree Now that we're upstream, there's no need to set the taint flag. * receive: use tunnel helpers for decapsulating ECN markings ECN markings are now decapsulated using RFC6040 instead of the old RFC3168. Signed-off-by: Jason A. Donenfeld --- package/network/services/wireguard/Makefile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/package/network/services/wireguard/Makefile b/package/network/services/wireguard/Makefile index 2d8a766..f57cb9f 100644 --- a/package/network/services/wireguard/Makefile 
+++ b/package/network/services/wireguard/Makefile
@@ -11,12 +11,12 @@ include $(INCLUDE_DIR)/kernel.mk
 PKG_NAME:=wireguard
-PKG_VERSION:=1.0.20200401
+PKG_VERSION:=1.0.20200429
 PKG_RELEASE:=1
 PKG_SOURCE:=wireguard-linux-compat-$(PKG_VERSION).tar.xz
 PKG_SOURCE_URL:=https://git.zx2c4.com/wireguard-linux-compat/snapshot/
-PKG_HASH:=7dfb4a8315e1d6ae406ff32d01c496175df558dd65968a19e5222d02c7cfb77a
+PKG_HASH:=c0050a94c33c195d4129a75ab4dca05ba021c5265e40fce8b2dfda7d7055cda2
 PKG_LICENSE:=GPL-2.0
 PKG_LICENSE_FILES:=COPYING
-- 
2.26.2
___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
[OpenWrt-Devel] [PATCH] wireguard: bump to 1.0.20200401
Recent backports to 5.5 and 5.4 broke our compat layer. This release is to keep things running with the latest upstream stable kernels. Signed-off-by: Jason A. Donenfeld
---
 package/network/services/wireguard/Makefile | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/package/network/services/wireguard/Makefile b/package/network/services/wireguard/Makefile
index 7e98f0b..2d8a766 100644
--- a/package/network/services/wireguard/Makefile
+++ b/package/network/services/wireguard/Makefile
@@ -11,12 +11,12 @@ include $(INCLUDE_DIR)/kernel.mk
 PKG_NAME:=wireguard
-PKG_VERSION:=1.0.20200330
+PKG_VERSION:=1.0.20200401
 PKG_RELEASE:=1
 PKG_SOURCE:=wireguard-linux-compat-$(PKG_VERSION).tar.xz
 PKG_SOURCE_URL:=https://git.zx2c4.com/wireguard-linux-compat/snapshot/
-PKG_HASH:=2d57b239605be2ee0e4c2da935ff1a23e9ed8bb3ee692e10ae032ae50f280bef
+PKG_HASH:=7dfb4a8315e1d6ae406ff32d01c496175df558dd65968a19e5222d02c7cfb77a
 PKG_LICENSE:=GPL-2.0
 PKG_LICENSE_FILES:=COPYING
-- 
2.26.0
___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
[OpenWrt-Devel] [PATCH] wireguard: bump to 1.0.20200330
* queueing: backport skb_reset_redirect change from 5.6 * version: bump This release has only one slight change, to put it closer to the 5.6 codebase, but its main purpose is to bump us to a 1.0.y version number. Now that WireGuard 1.0.0 has been released for Linux 5.6 [1], we can put the same number on the backport compat codebase. When OpenWRT bumps to Linux 5.6, we'll be able to drop this package entirely, which I look forward to seeing. [1] https://lists.zx2c4.com/pipermail/wireguard/2020-March/005206.html Signed-off-by: Jason A. Donenfeld
---
 package/network/services/wireguard/Makefile | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/package/network/services/wireguard/Makefile b/package/network/services/wireguard/Makefile
index 4007fa5..7e98f0b 100644
--- a/package/network/services/wireguard/Makefile
+++ b/package/network/services/wireguard/Makefile
@@ -11,12 +11,12 @@ include $(INCLUDE_DIR)/kernel.mk
 PKG_NAME:=wireguard
-PKG_VERSION:=0.0.20200318
+PKG_VERSION:=1.0.20200330
 PKG_RELEASE:=1
 PKG_SOURCE:=wireguard-linux-compat-$(PKG_VERSION).tar.xz
 PKG_SOURCE_URL:=https://git.zx2c4.com/wireguard-linux-compat/snapshot/
-PKG_HASH:=fa74a8627f731754fbf4ea7d6ae8f571a2cfe8cd4b744a5f165065619cb836a1
+PKG_HASH:=2d57b239605be2ee0e4c2da935ff1a23e9ed8bb3ee692e10ae032ae50f280bef
 PKG_LICENSE:=GPL-2.0
 PKG_LICENSE_FILES:=COPYING
-- 
2.26.0
___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
[OpenWrt-Devel] [PATCH] wireguard-tools: bump to 1.0.20200319
* netlink: initialize mostly unused field * curve25519: squelch warnings on clang Code quality improvements. * man: fix grammar in wg(8) and wg-quick(8) * man: backlink wg-quick(8) in wg(8) * man: add a warning to the SaveConfig description Man page improvements. We hope to rewrite our man pages in mdocml at some point soon. Signed-off-by: Jason A. Donenfeld
---
 package/network/utils/wireguard-tools/Makefile | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/package/network/utils/wireguard-tools/Makefile b/package/network/utils/wireguard-tools/Makefile
index b2b71ce..5493295 100644
--- a/package/network/utils/wireguard-tools/Makefile
+++ b/package/network/utils/wireguard-tools/Makefile
@@ -11,12 +11,12 @@ include $(INCLUDE_DIR)/kernel.mk
 PKG_NAME:=wireguard-tools
-PKG_VERSION:=1.0.20200206
+PKG_VERSION:=1.0.20200319
 PKG_RELEASE:=1
 PKG_SOURCE:=wireguard-tools-$(PKG_VERSION).tar.xz
 PKG_SOURCE_URL:=https://git.zx2c4.com/wireguard-tools/snapshot/
-PKG_HASH:=f5207248c6a3c3e3bfc9ab30b91c1897b00802ed861e1f9faaed873366078c64
+PKG_HASH:=757ed31d4d48d5fd7853bfd9bfa6a3a1b53c24a94fe617439948784a2c0ed987
 PKG_LICENSE:=GPL-2.0
 PKG_LICENSE_FILES:=COPYING
-- 
2.25.1
___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
[OpenWrt-Devel] [PATCH] wireguard: bump to 0.0.20200318
WireGuard had a brief professional security audit. The auditors didn't find any vulnerabilities, but they did suggest one defense-in-depth suggestion to protect against potential API misuse down the road, mentioned below. This compat snapshot corresponds with the patches I just pushed to Dave for 5.6-rc7. * curve25519-x86_64: avoid use of r12 This buys us 100 extra cycles, which isn't much, but it winds up being even faster on PaX kernels, which use r12 as a RAP register. * wireguard: queueing: account for skb->protocol==0 This is the defense-in-depth change. We deal with skb->protocol==0 just fine, but the advice to deal explicitly with it seems like a good idea. * receive: remove dead code from default packet type case A default case of a particular switch statement should never be hit, so instead of printing a pretty debug message there, we full-on WARN(), so that we get bug reports. * noise: error out precomputed DH during handshake rather than config All peer keys will now be addable, even if they're low order. However, no handshake messages will be produced successfully. This is a more consistent behavior with other low order keys, where the handshake just won't complete if they're being used anywhere. * send: use normaler alignment formula from upstream We're trying to keep a minimal delta with upstream for the compat backport. Signed-off-by: Jason A. Donenfeld --- package/network/services/wireguard/Makefile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/package/network/services/wireguard/Makefile b/package/network/services/wireguard/Makefile index 231f1f4..4007fa5 100644 --- a/package/network/services/wireguard/Makefile +++ b/package/network/services/wireguard/Makefile 
@@ -11,12 +11,12 @@ include $(INCLUDE_DIR)/kernel.mk
 PKG_NAME:=wireguard
-PKG_VERSION:=0.0.20200215
+PKG_VERSION:=0.0.20200318
 PKG_RELEASE:=1
 PKG_SOURCE:=wireguard-linux-compat-$(PKG_VERSION).tar.xz
 PKG_SOURCE_URL:=https://git.zx2c4.com/wireguard-linux-compat/snapshot/
-PKG_HASH:=0def6f3608ec06f6dfc454aa5281a7c38b06ff27096cb341448d20602da4e923
+PKG_HASH:=fa74a8627f731754fbf4ea7d6ae8f571a2cfe8cd4b744a5f165065619cb836a1
 PKG_LICENSE:=GPL-2.0
 PKG_LICENSE_FILES:=COPYING
-- 
2.25.1
___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
[OpenWrt-Devel] [PATCH] wireguard: bump to 0.0.20200215
* send: cleanup skb padding calculation * socket: remove useless synchronize_net Sorry for the back-to-back releases. This fixes a regression spotted by Eric Dumazet. Signed-off-by: Jason A. Donenfeld
---
 package/network/services/wireguard/Makefile | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/package/network/services/wireguard/Makefile b/package/network/services/wireguard/Makefile
index 6f9ae77..231f1f4 100644
--- a/package/network/services/wireguard/Makefile
+++ b/package/network/services/wireguard/Makefile
@@ -11,12 +11,12 @@ include $(INCLUDE_DIR)/kernel.mk
 PKG_NAME:=wireguard
-PKG_VERSION:=0.0.20200205
+PKG_VERSION:=0.0.20200215
 PKG_RELEASE:=1
 PKG_SOURCE:=wireguard-linux-compat-$(PKG_VERSION).tar.xz
 PKG_SOURCE_URL:=https://git.zx2c4.com/wireguard-linux-compat/snapshot/
-PKG_HASH:=9669e165fc7252cab7f908ba57f160f6d57539b7cc81180f260cb675d2fd362b
+PKG_HASH:=0def6f3608ec06f6dfc454aa5281a7c38b06ff27096cb341448d20602da4e923
 PKG_LICENSE:=GPL-2.0
 PKG_LICENSE_FILES:=COPYING
-- 
2.25.0
___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
[OpenWrt-Devel] [PATCH] wireguard: bump to 0.0.20200214
* chacha20poly1305: defensively protect against large inputs Defense-in-depth sort of check. * netns: ensure that icmp src address is correct with nat We finally upstreamed the last remaining compat.h hack in this patch series: https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git/commit/?id=803381f9f117493d6204d82445a530c834040fe6 That means we can port compat.h to use the new proper API. * receive: reset last_under_load to zero Matt found a small optimization while porting the Linux kernel module to OpenBSD's kernel. * send: account for mtu=0 devices This fixes issues related to setting the MTU of a device to zero. Signed-off-by: Jason A. Donenfeld
---
 package/network/services/wireguard/Makefile | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/package/network/services/wireguard/Makefile b/package/network/services/wireguard/Makefile
index 6f9ae77..776f375 100644
--- a/package/network/services/wireguard/Makefile
+++ b/package/network/services/wireguard/Makefile
@@ -11,12 +11,12 @@ include $(INCLUDE_DIR)/kernel.mk
 PKG_NAME:=wireguard
-PKG_VERSION:=0.0.20200205
+PKG_VERSION:=0.0.20200214
 PKG_RELEASE:=1
 PKG_SOURCE:=wireguard-linux-compat-$(PKG_VERSION).tar.xz
 PKG_SOURCE_URL:=https://git.zx2c4.com/wireguard-linux-compat/snapshot/
-PKG_HASH:=9669e165fc7252cab7f908ba57f160f6d57539b7cc81180f260cb675d2fd362b
+PKG_HASH:=6aaed62beb23803a456b7875a56e9462125a589c9dfb6d0b672c1a8f9f3f45ab
 PKG_LICENSE:=GPL-2.0
 PKG_LICENSE_FILES:=COPYING
-- 
2.25.0
___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
[OpenWrt-Devel] [PATCH] wireguard-tools: bump to 1.0.20200206
* wg-quick: android: split uids into multiple commands Newer android's ndc implementations have limits on uid size, so we have to break these into several lists. * man: document dynamic debug trick for Linux This comes up occasionally, so it may be useful to mention its possibility in the man page. At least the Arch Linux and Ubuntu kernels support dynamic debugging, so this advice will at least help somebody. So that you don't have to go digging into the commit, this adds this helpful tidbit to the man page for getting debug logs on Linux: # modprobe wireguard && echo module wireguard +p > /sys/kernel/debug/dynamic_debug/control * extract-{handshakes,keys}: rework for upstream kernel These tools will now use the source code from the running kernel instead of from the old monolithic repo. Essential for the functioning of Wireshark. * netlink: remove libmnl requirement We no longer require libmnl. It turns out that inlining the small subset of libmnl that we actually use results in a smaller binary than the overhead of linking to the external library. And we intend to gradually morph this code into something domain specific as a libwg emerges. Performance has also increased, thanks to the inliner. On all platforms, wg(8) only needs a normal libc. Compile time on my system is still less than one second. So all in all we have: smaller binary, zero dependencies, faster performance. Packagers should no longer have their wireguard-tools package depend on libmnl. * embeddable-wg-library: use newer string_list * netlink: don't pretend that sysconf isn't a function Small cleanups. Signed-off-by: Jason A. Donenfeld --- package/network/utils/wireguard-tools/Makefile | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/package/network/utils/wireguard-tools/Makefile b/package/network/utils/wireguard-tools/Makefile index 4203045..b2b71ce 100644 --- a/package/network/utils/wireguard-tools/Makefile +++ b/package/network/utils/wireguard-tools/Makefile 
@@ -11,12 +11,12 @@ include $(INCLUDE_DIR)/kernel.mk
 PKG_NAME:=wireguard-tools
-PKG_VERSION:=1.0.20200121
+PKG_VERSION:=1.0.20200206
 PKG_RELEASE:=1
 PKG_SOURCE:=wireguard-tools-$(PKG_VERSION).tar.xz
 PKG_SOURCE_URL:=https://git.zx2c4.com/wireguard-tools/snapshot/
-PKG_HASH:=15bfdbdbecbd3870ced9a7e68286c871bfcb2071d165f113808081f2e428faa3
+PKG_HASH:=f5207248c6a3c3e3bfc9ab30b91c1897b00802ed861e1f9faaed873366078c64
 PKG_LICENSE:=GPL-2.0
 PKG_LICENSE_FILES:=COPYING
@@ -33,7 +33,7 @@ MAKE_VARS += PLATFORM=linux
 define Package/wireguard-tools
 $(call Package/wireguard/Default)
 TITLE:=WireGuard userspace control program (wg)
- DEPENDS:=+libmnl +ip
+ DEPENDS:=+ip
 endef
 define Package/wireguard-tools/description
-- 2.25.0 ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
[OpenWrt-Devel] [PATCH] wireguard: bump to 0.0.20200205
* compat: support building for RHEL-8.2 * compat: remove RHEL-7.6 workaround Bleeding edge RHEL users should be content now (which includes the actual RedHat employees I've been talking to about getting this into the RHEL kernel itself). Also, we remove old hacks for versions we no longer support anyway. * allowedips: remove previously added list item when OOM fail * noise: reject peers with low order public keys With this now being upstream, we benefit from increased fuzzing coverage of the code, uncovering these two bugs. * netns: ensure non-addition of peers with failed precomputation * netns: tie socket waiting to target pid An added test to our test suite for the above and a small fix for high-load CI scenarios. Signed-off-by: Jason A. Donenfeld
---
 package/network/services/wireguard/Makefile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/package/network/services/wireguard/Makefile b/package/network/services/wireguard/Makefile
index 435c50e..6f9ae77 100644
--- a/package/network/services/wireguard/Makefile
+++ b/package/network/services/wireguard/Makefile
@@ -11,12 +11,12 @@ include $(INCLUDE_DIR)/kernel.mk
 PKG_NAME:=wireguard
-PKG_VERSION:=0.0.20200128
+PKG_VERSION:=0.0.20200205
 PKG_RELEASE:=1
 PKG_SOURCE:=wireguard-linux-compat-$(PKG_VERSION).tar.xz
 PKG_SOURCE_URL:=https://git.zx2c4.com/wireguard-linux-compat/snapshot/
-PKG_HASH:=8610c6d8712cfd885f50b1a8c572518edf318c094d68491ea218bb50566a9a8a
+PKG_HASH:=9669e165fc7252cab7f908ba57f160f6d57539b7cc81180f260cb675d2fd362b
 PKG_LICENSE:=GPL-2.0
 PKG_LICENSE_FILES:=COPYING
-- 2.25.0 ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
[OpenWrt-Devel] [PATCH] wireguard: bump to 0.0.20200128
This fixes a few small oversights for the 5.5 compat layer. Signed-off-by: Jason A. Donenfeld
---
 package/network/services/wireguard/Makefile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/package/network/services/wireguard/Makefile b/package/network/services/wireguard/Makefile
index 7f0827a..435c50e 100644
--- a/package/network/services/wireguard/Makefile
+++ b/package/network/services/wireguard/Makefile
@@ -11,12 +11,12 @@ include $(INCLUDE_DIR)/kernel.mk
 PKG_NAME:=wireguard
-PKG_VERSION:=0.0.20200121
+PKG_VERSION:=0.0.20200128
 PKG_RELEASE:=1
 PKG_SOURCE:=wireguard-linux-compat-$(PKG_VERSION).tar.xz
 PKG_SOURCE_URL:=https://git.zx2c4.com/wireguard-linux-compat/snapshot/
-PKG_HASH:=7726c2994d11913c4543fd3dc83636f7ce573ca689b15e11b83e980acc04422b
+PKG_HASH:=8610c6d8712cfd885f50b1a8c572518edf318c094d68491ea218bb50566a9a8a
 PKG_LICENSE:=GPL-2.0
 PKG_LICENSE_FILES:=COPYING
-- 2.24.1 ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
[OpenWrt-Devel] [PATCH 1/2] wireguard: bump to 0.0.20200121
* Makefile: strip prefixed v from version.h This fixes a mistake in dmesg output and when parsing the sysfs entry in the filesystem. * device: skb_list_walk_safe moved upstream This is a 5.6 change, which we won't support here, but it does make the code cleaner, so we make this change to keep things in sync. * curve25519: x86_64: replace with formally verified implementation This comes from INRIA's HACL*/Vale. It implements the same algorithm and implementation strategy as the code it replaces, only this code has been formally verified, sans the base point multiplication, which uses code similar to prior, only it uses the formally verified field arithmetic alongside reproducible ladder generation steps. This doesn't have a pure-bmi2 version, which means haswell no longer benefits, but the increased (doubled) code complexity is not worth it for a single generation of chips that's already old. Performance-wise, this is around 1% slower on older microarchitectures, and slightly faster on newer microarchitectures, mainly 10nm ones or backports of 10nm to 14nm. 
This implementation is "everest" below: Xeon E5-2680 v4 (Broadwell) armfazh: 133340 cycles per call everest: 133436 cycles per call Xeon Gold 5120 (Sky Lake Server) armfazh: 112636 cycles per call everest: 113906 cycles per call Core i5-6300U (Sky Lake Client) armfazh: 116810 cycles per call everest: 117916 cycles per call Core i7-7600U (Kaby Lake) armfazh: 119523 cycles per call everest: 119040 cycles per call Core i7-8750H (Coffee Lake) armfazh: 113914 cycles per call everest: 113650 cycles per call Core i9-9880H (Coffee Lake Refresh) armfazh: 112616 cycles per call everest: 114082 cycles per call Core i3-8121U (Cannon Lake) armfazh: 113202 cycles per call everest: 111382 cycles per call Core i7-8265U (Whiskey Lake) armfazh: 127307 cycles per call everest: 127697 cycles per call Core i7-8550U (Kaby Lake Refresh) armfazh: 127522 cycles per call everest: 127083 cycles per call Xeon Platinum 8275CL (Cascade Lake) armfazh: 114380 cycles per call everest: 114656 cycles per call Achieving these kind of results with formally verified code is quite remarkable, especialy considering that performance is favorable for newer chips. Signed-off-by: Jason A. Donenfeld --- package/network/services/wireguard/Makefile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/package/network/services/wireguard/Makefile b/package/network/services/wireguard/Makefile index 9593c1d..7f0827a 100644 --- a/package/network/services/wireguard/Makefile +++ b/package/network/services/wireguard/Makefile 
@@ -11,12 +11,12 @@ include $(INCLUDE_DIR)/kernel.mk
 PKG_NAME:=wireguard
-PKG_VERSION:=0.0.20200105
+PKG_VERSION:=0.0.20200121
 PKG_RELEASE:=1
 PKG_SOURCE:=wireguard-linux-compat-$(PKG_VERSION).tar.xz
 PKG_SOURCE_URL:=https://git.zx2c4.com/wireguard-linux-compat/snapshot/
-PKG_HASH:=9f12f68e96f6865325995c38213e09b05751cd1ef03e0bbc9f1bdc3e5680b337
+PKG_HASH:=7726c2994d11913c4543fd3dc83636f7ce573ca689b15e11b83e980acc04422b
 PKG_LICENSE:=GPL-2.0
 PKG_LICENSE_FILES:=COPYING
-- 2.24.1 ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
[OpenWrt-Devel] [PATCH 2/2] wireguard-tools: bump to 1.0.20200121
* Makefile: remove pwd from compile output * Makefile: add standard 'all' target * Makefile: evaluate git version lazily Quality of life improvements for packagers. * ipc: simplify inflatable buffer and add fuzzer * fuzz: add generic command argument fuzzer * fuzz: add set and setconf fuzzers More fuzzers and a slicker string list implementation. These fuzzers now find themselves configuring wireguard interfaces from scratch after several million mutations, which is fun to watch. * netlink: make sure to clear return value when trying again Prior, if a dump was interrupted by a concurrent set operation, we'd try again, but forget to reset an error flag, so we'd keep trying again forever. Now we do the right thing and succeed when we succeed. * Makefile: sort inputs to linker so that build is reproducible Earlier versions of make(1) passed GLOB_NOSORT to glob(3), resulting in the linker receiving its inputs in a filesystem-dependent order. This screwed up reproducible builds. Signed-off-by: Jason A. Donenfeld --- package/network/utils/wireguard-tools/Makefile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/package/network/utils/wireguard-tools/Makefile b/package/network/utils/wireguard-tools/Makefile index afde98a..4203045 100644 --- a/package/network/utils/wireguard-tools/Makefile +++ b/package/network/utils/wireguard-tools/Makefile @@ -11,12 +11,12 @@ include $(INCLUDE_DIR)/kernel.mk PKG_NAME:=wireguard-tools -PKG_VERSION:=1.0.20200102 +PKG_VERSION:=1.0.20200121 PKG_RELEASE:=1 PKG_SOURCE:=wireguard-tools-$(PKG_VERSION).tar.xz PKG_SOURCE_URL:=https://git.zx2c4.com/wireguard-tools/snapshot/ -PKG_HASH:=547cd1c2f8dca904faac9e8d3964f1ef956c24bb12e3498da88dde95243c7f08 +PKG_HASH:=15bfdbdbecbd3870ced9a7e68286c871bfcb2071d165f113808081f2e428faa3 PKG_LICENSE:=GPL-2.0 PKG_LICENSE_FILES:=COPYING -- 2.24.1 ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
[OpenWrt-Devel] [PATCH 2/2] wireguard-tools: bump to 1.0.20200102
* systemd: update documentation URL * global: bump copyright Usual house keeping. * Makefile: DEBUG_TOOLS -> DEBUG and document * Makefile: port static analysis check * dns-hatchet: adjust path for new repo layout * Makefile: rework automatic version.h mangling These are some important-ish cleanups for downstream package maintainers that should make packaging this a lot smoother. * man: add documentation about removing explicit listen-port Documentation improvement. * wg-quick: linux: quote ifname for nft This should fix issues with weirdly named ifnames and odd versions of nft(8). * fuzz: find bugs in the config syntax parser * fuzz: find bugs when parsing uapi input These are two fuzzers that have been laying around without a repo for a while. Perhaps somebody with enough compute power will find bugs with them. Signed-off-by: Jason A. Donenfeld --- package/network/utils/wireguard-tools/Makefile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/package/network/utils/wireguard-tools/Makefile b/package/network/utils/wireguard-tools/Makefile index 2f6d307..afde98a 100644 --- a/package/network/utils/wireguard-tools/Makefile +++ b/package/network/utils/wireguard-tools/Makefile @@ -11,12 +11,12 @@ include $(INCLUDE_DIR)/kernel.mk PKG_NAME:=wireguard-tools -PKG_VERSION:=1.0.20191226 +PKG_VERSION:=1.0.20200102 PKG_RELEASE:=1 PKG_SOURCE:=wireguard-tools-$(PKG_VERSION).tar.xz PKG_SOURCE_URL:=https://git.zx2c4.com/wireguard-tools/snapshot/ -PKG_HASH:=aa8af0fdc9872d369d8c890a84dbc2a2466b55795dccd5b47721b2d97644b04f +PKG_HASH:=547cd1c2f8dca904faac9e8d3964f1ef956c24bb12e3498da88dde95243c7f08 PKG_LICENSE:=GPL-2.0 PKG_LICENSE_FILES:=COPYING -- 2.24.1 ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
[OpenWrt-Devel] [PATCH 1/2] wireguard: bump to 0.0.20200105
* socket: mark skbs as not on list when receiving via gro Certain drivers will pass gro skbs to udp, at which point the udp driver simply iterates through them and passes them off to encap_rcv, which is where we pick up. At the moment, we're not attempting to coalesce these into bundles, but we also don't want to wind up having cascaded lists of skbs treated separately. The right behavior here, then, is to just mark each incoming one as not on a list. This can be seen in practice, for example, with Qualcomm's rmnet_perf driver. This lead to crashes on OnePlus devices and possibly other Qualcomm 4.14 devices. But I fear that it could lead to issues on other drivers on weird OpenWRT routers. This commit is upstream in net-next as: https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next.git/commit/?id=736775d06bac60d7a353e405398b48b2bd8b1e54 Signed-off-by: Jason A. Donenfeld --- package/network/services/wireguard/Makefile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/package/network/services/wireguard/Makefile b/package/network/services/wireguard/Makefile index c379b71..9593c1d 100644 --- a/package/network/services/wireguard/Makefile +++ b/package/network/services/wireguard/Makefile @@ -11,12 +11,12 @@ include $(INCLUDE_DIR)/kernel.mk PKG_NAME:=wireguard -PKG_VERSION:=0.0.20191226 +PKG_VERSION:=0.0.20200105 PKG_RELEASE:=1 PKG_SOURCE:=wireguard-linux-compat-$(PKG_VERSION).tar.xz PKG_SOURCE_URL:=https://git.zx2c4.com/wireguard-linux-compat/snapshot/ -PKG_HASH:=7c0e576459c6337bcdea692bdbec561719a15da207dc739e0e3e60ff821a5491 +PKG_HASH:=9f12f68e96f6865325995c38213e09b05751cd1ef03e0bbc9f1bdc3e5680b337 PKG_LICENSE:=GPL-2.0 PKG_LICENSE_FILES:=COPYING -- 2.24.1 ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
[OpenWrt-Devel] [PATCH] wireguard: bump to 20191226
As announced on the mailing list, WireGuard will be in Linux 5.6. As a result, the wg(8) tool, used by OpenWRT in the same manner as ip(8), is moving to its own wireguard-tools repo. Meanwhile, the out-of-tree kernel module for kernels 3.10 - 5.5 moved to its own wireguard-linux- compat repo. Yesterday, releases were cut out of these repos, so this commit bumps packages to match. Since wg(8) and the compat kernel module are versioned and released separately, we create a wireguard-tools Makefile to contain the source for the new tools repo. Later, when OpenWRT moves permanently to Linux 5.6, we'll drop the original module package, leaving only the tools. So this commit shuffles the build definition around a bit but is basically the same idea as before. Signed-off-by: Jason A. Donenfeld --- package/network/services/wireguard/Makefile | 41 +++--- .../network/utils/wireguard-tools/Makefile| 54 +++ .../wireguard-tools}/files/wireguard.sh | 0 .../wireguard-tools}/files/wireguard_watchdog | 0 4 files changed, 61 insertions(+), 34 deletions(-) create mode 100644 package/network/utils/wireguard-tools/Makefile rename package/network/{services/wireguard => utils/wireguard-tools}/files/wireguard.sh (100%) rename package/network/{services/wireguard => utils/wireguard-tools}/files/wireguard_watchdog (100%) diff --git a/package/network/services/wireguard/Makefile b/package/network/services/wireguard/Makefile index 2849361733..c379b712dd 100644 --- a/package/network/services/wireguard/Makefile +++ b/package/network/services/wireguard/Makefile @@ -1,5 +1,5 @@ # -# Copyright (C) 2016-2018 Jason A. Donenfeld +# Copyright (C) 2016-2019 Jason A. Donenfeld # Copyright (C) 2016 Baptiste Jonglez # Copyright (C) 2016-2017 Dan Luedtke # 
@@ -11,17 +11,17 @@ include $(INCLUDE_DIR)/kernel.mk
 PKG_NAME:=wireguard
-PKG_VERSION:=0.0.20191219
+PKG_VERSION:=0.0.20191226
 PKG_RELEASE:=1
-PKG_SOURCE:=WireGuard-$(PKG_VERSION).tar.xz
-PKG_SOURCE_URL:=https://git.zx2c4.com/WireGuard/snapshot/
-PKG_HASH:=5aba6f0c38e97faa0b155623ba594bb0e4bd5e29deacd8d5ed8bda8d8283b0e7
+PKG_SOURCE:=wireguard-linux-compat-$(PKG_VERSION).tar.xz
+PKG_SOURCE_URL:=https://git.zx2c4.com/wireguard-linux-compat/snapshot/
+PKG_HASH:=7c0e576459c6337bcdea692bdbec561719a15da207dc739e0e3e60ff821a5491
-PKG_LICENSE:=GPL-2.0 Apache-2.0
+PKG_LICENSE:=GPL-2.0
 PKG_LICENSE_FILES:=COPYING
-PKG_BUILD_DIR:=$(KERNEL_BUILD_DIR)/WireGuard-$(PKG_VERSION)
+PKG_BUILD_DIR:=$(KERNEL_BUILD_DIR)/wireguard-linux-compat-$(PKG_VERSION)
 PKG_BUILD_PARALLEL:=1
 PKG_USE_MIPS16:=0
@@ -56,13 +56,8 @@ endef
 include $(INCLUDE_DIR)/kernel-defaults.mk
 include $(INCLUDE_DIR)/package-defaults.mk
-# Used by Build/Compile/Default
-MAKE_PATH:=src/tools
-MAKE_VARS += PLATFORM=linux
-
 define Build/Compile
 $(MAKE) $(KERNEL_MAKEOPTS) M="$(PKG_BUILD_DIR)/src" modules
- $(call Build/Compile/Default)
 endef
 define Package/wireguard/install
@@ -73,27 +68,6 @@ define Package/wireguard/description
 $(call Package/wireguard/Default/description)
 endef
-define Package/wireguard-tools
- $(call Package/wireguard/Default)
- TITLE:=WireGuard userspace control program (wg)
- DEPENDS:=+libmnl +ip
-endef
-
-define Package/wireguard-tools/description
- $(call Package/wireguard/Default/description)
-
- This package provides the userspace control program for WireGuard,
- `wg(8)`, a netifd protocol helper, and a re-resolve watchdog script.
-endef
-
-define Package/wireguard-tools/install
- $(INSTALL_DIR) $(1)/usr/bin/
- $(INSTALL_BIN) $(PKG_BUILD_DIR)/src/tools/wg $(1)/usr/bin/
- $(INSTALL_BIN) ./files/wireguard_watchdog $(1)/usr/bin/
- $(INSTALL_DIR) $(1)/lib/netifd/proto/
- $(INSTALL_BIN) ./files/wireguard.sh $(1)/lib/netifd/proto/
-endef
-
 define KernelPackage/wireguard
 SECTION:=kernel
 CATEGORY:=Kernel modules
@@ -111,5 +85,4 @@ define KernelPackage/wireguard/description
 endef
 $(eval $(call BuildPackage,wireguard))
-$(eval $(call BuildPackage,wireguard-tools))
 $(eval $(call KernelPackage,wireguard))
diff --git a/package/network/utils/wireguard-tools/Makefile b/package/network/utils/wireguard-tools/Makefile
new file mode 100644
index 00..2f6d307094
--- /dev/null
+++ b/package/network/utils/wireguard-tools/Makefile
@@ -0,0 +1,54 @@
+#
+# Copyright (C) 2016-2019 Jason A. Donenfeld
+# Copyright (C) 2016 Baptiste Jonglez
+# Copyright (C) 2016-2017 Dan Luedtke
+#
+# This is free software, licensed under the GNU General Public License v2.
+# See /LICENSE for more information.
+
+include $(TOPDIR)/rules.mk
+include $(INCLUDE_DIR)/kernel.mk
+
+PKG_NAME:=wireguard-tools
+
+PKG_VERSION:=1.0.20191226
+PKG_RELEASE:=1
+
+PKG_SOURCE:=wireguard-tools-$(PKG_VERSION).tar.xz
+PKG_SOURCE_URL:=https://git.zx2c4.com/wireguard-tools/snapshot/
+PKG_HASH:=aa8af0fdc9872d369d8c890a84dbc2a2466b55795dccd5b47721b2d97644b04f
+
+PKG_LICENSE:=GPL-2.0
+PKG_LICENSE_FILES:=COPYING
+
+PKG_B
[OpenWrt-Devel] [PATCH] wireguard: bump to 0.0.20191205
* wg-quick: linux: suppress error when finding unused table This fixes a spurious warning messages seen with recent versions of iproute2 and kernels. * wg-quick: linux: ensure postdown hooks execute * wg-quick: linux: have remove_iptables return true * wg-quick: linux: iptables-* -w is not widely supported Adding in iptables had some hiccups. For the record, I'm very unhappy about having to put any firewalling code into wg-quick(8). We'll of course need to support nftables too at some point if this continues. I'm investigating with upstream the possibility of adding a sysctl to patch the issue that iptables is handling now, so hopefully at somepoint down the line we'll be able to shed this dependency once again. * send: use kfree_skb_list * device: prepare skb_list_walk_safe for upstreaming * send: avoid touching skb->{next,prev} directly Suggestions from LKML. * ipc: make sure userspace communication frees wgdevice Free things properly on error paths. Signed-off-by: Jason A. Donenfeld --- package/network/services/wireguard/Makefile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/package/network/services/wireguard/Makefile b/package/network/services/wireguard/Makefile index ea34b75..7aac556 100644 --- a/package/network/services/wireguard/Makefile +++ b/package/network/services/wireguard/Makefile @@ -11,12 +11,12 @@ include $(INCLUDE_DIR)/kernel.mk PKG_NAME:=wireguard -PKG_VERSION:=0.0.20191127 +PKG_VERSION:=0.0.20191205 PKG_RELEASE:=1 PKG_SOURCE:=WireGuard-$(PKG_VERSION).tar.xz PKG_SOURCE_URL:=https://git.zx2c4.com/WireGuard/snapshot/ -PKG_HASH:=7d4e80a6f84564d4826dd05da2b59e8d17645072c0345d0fc0d197be176c3d06 +PKG_HASH:=4de4c0efa35f8eb170c27a0bc8977e5c0634b8e19c03915d03218cc88bb0adbe PKG_LICENSE:=GPL-2.0 Apache-2.0 PKG_LICENSE_FILES:=COPYING -- 2.24.0 ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
[OpenWrt-Devel] [PATCH] wireguard: bump to 0.0.20191127
* messages: recalculate rekey max based on a one minute flood * allowedips: safely dereference rcu roots * socket: remove redundant check of new4 * allowedips: avoid double lock in selftest error case * tools: add syncconf command Signed-off-by: Jason A. Donenfeld
---
 package/network/services/wireguard/Makefile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/package/network/services/wireguard/Makefile b/package/network/services/wireguard/Makefile
index 87aad9d..ea34b75 100644
--- a/package/network/services/wireguard/Makefile
+++ b/package/network/services/wireguard/Makefile
@@ -11,12 +11,12 @@ include $(INCLUDE_DIR)/kernel.mk
 PKG_NAME:=wireguard
-PKG_VERSION:=0.0.20191012
+PKG_VERSION:=0.0.20191127
 PKG_RELEASE:=1
 PKG_SOURCE:=WireGuard-$(PKG_VERSION).tar.xz
 PKG_SOURCE_URL:=https://git.zx2c4.com/WireGuard/snapshot/
-PKG_HASH:=93573193c9c1c22fde31eb1729ad428ca39da77a603a3d81561a9816ccecfa8e
+PKG_HASH:=7d4e80a6f84564d4826dd05da2b59e8d17645072c0345d0fc0d197be176c3d06
 PKG_LICENSE:=GPL-2.0 Apache-2.0
 PKG_LICENSE_FILES:=COPYING
-- 2.24.0 ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
[OpenWrt-Devel] [PATCH] wireguard: bump to 0.0.20190702
* curve25519: not all linkers support bmi2 and adx This should allow WireGuard to build on older toolchains. * global: switch to coarse ktime Our prior use of fast ktime before meant that sometimes, depending on how broken the motherboard was, we'd wind up calling into the HPET slow path. Here we move to coarse ktime which is always super speedy. In the process we had to fix the resolution of the clock, as well as introduce a new interface for it, landing in 5.3. Older kernels fall back to a fast-enough mechanism based on jiffies. https://lore.kernel.org/lkml/tip-e3ff9c3678b4d80e22d2557b68726174578ea...@git.kernel.org/ https://lore.kernel.org/lkml/20190621203249.3909-3-ja...@zx2c4.com/ * netlink: cast struct over cb->args for type safety This follow recent upstream changes such as: https://lore.kernel.org/lkml/20190628144022.31376-1-ja...@zx2c4.com/ * peer: use LIST_HEAD macro Style nit. * receive: queue dead packets to napi queue instead of empty rx_queue This mitigates a WARN_ON being triggered by the workqueue code. It was quite hard to trigger, except sporadically, or reliably with a PC Engines ALIX, an extremely slow board with an AMD LX800 that Ryan Whelan of Axatrax was kind enough to mail me. Signed-off-by: Jason A. Donenfeld --- package/network/services/wireguard/Makefile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/package/network/services/wireguard/Makefile b/package/network/services/wireguard/Makefile index 310d559..0516769 100644 --- a/package/network/services/wireguard/Makefile +++ b/package/network/services/wireguard/Makefile 
@@ -11,12 +11,12 @@ include $(INCLUDE_DIR)/kernel.mk
 PKG_NAME:=wireguard
-PKG_VERSION:=0.0.20190601
+PKG_VERSION:=0.0.20190702
 PKG_RELEASE:=1
 PKG_SOURCE:=WireGuard-$(PKG_VERSION).tar.xz
 PKG_SOURCE_URL:=https://git.zx2c4.com/WireGuard/snapshot/
-PKG_HASH:=7528461824a0174bd7d4f15e68d8f0ce9a8ea318411502b80759438e8ef65568
+PKG_HASH:=1a1311bc71abd47a72c47d918be3bacc486b3de90734661858af75cc990dbaac
 PKG_LICENSE:=GPL-2.0 Apache-2.0
 PKG_LICENSE_FILES:=COPYING
-- 2.21.0 ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
[OpenWrt-Devel] [PATCH] wireguard: bump to 0.0.20190601
There was an issue with the backport compat layer in yesterday's snapshot, causing issues on certain (mostly Atom) Intel chips on kernels older than 4.2, due to the use of xgetbv without checking cpu flags for xsave support. This manifested itself simply at module load time. Indeed it's somewhat tricky to support 33 different kernel versions (3.10+), plus weird distro frankenkernels. If OpenWRT doesn't support < 4.2, you probably don't need to apply this. But it also can't hurt, and probably best to stay updated. Signed-off-by: Jason A. Donenfeld
---
 package/network/services/wireguard/Makefile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/package/network/services/wireguard/Makefile b/package/network/services/wireguard/Makefile
index e3471d0..310d559 100644
--- a/package/network/services/wireguard/Makefile
+++ b/package/network/services/wireguard/Makefile
@@ -11,12 +11,12 @@ include $(INCLUDE_DIR)/kernel.mk
 PKG_NAME:=wireguard
-PKG_VERSION:=0.0.20190531
+PKG_VERSION:=0.0.20190601
 PKG_RELEASE:=1
 PKG_SOURCE:=WireGuard-$(PKG_VERSION).tar.xz
 PKG_SOURCE_URL:=https://git.zx2c4.com/WireGuard/snapshot/
-PKG_HASH:=8b0280322ec4c46fd1a786af4db0c4d0c600053542c4563582baac478e4127b1
+PKG_HASH:=7528461824a0174bd7d4f15e68d8f0ce9a8ea318411502b80759438e8ef65568
 PKG_LICENSE:=GPL-2.0 Apache-2.0
 PKG_LICENSE_FILES:=COPYING
-- 2.21.0 ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
[OpenWrt-Devel] [PATCH] wireguard: bump to 0.0.20190531
* tools: add wincompat layer to wg(8) Consistent with a lot of the Windows work we've been doing this last cycle, wg(8) now supports the WireGuard for Windows app by talking through a named pipe. You can compile this as `PLATFORM=windows make -C src/tools` with mingw. Because programming things for Windows is pretty ugly, we've done this via a separate standalone wincompat layer, so that we don't pollute our pretty *nix utility. * compat: udp_tunnel: force cast sk_data_ready This is a hack to work around broken Android kernel wrapper scripts. * wg-quick: freebsd: workaround SIOCGIFSTATUS race in FreeBSD kernel FreeBSD had a number of kernel race conditions, some of which we can vaguely work around. These are in the process of being fixed upstream, but probably people won't update for a while. * wg-quick: make darwin and freebsd path search strict like linux Correctness. * socket: set ignore_df=1 on xmit This was intended from early on but didn't work on IPv6 without the ignore_df flag. It allows sending fragments over IPv6. * qemu: use newer iproute2 and kernel * qemu: build iproute2 with libmnl support * qemu: do not check for alignment with ubsan The QEMU build system has been improved to compile newer versions. Linking against libmnl gives us better error messages. As well, enabling the alignment check on x86 UBSAN isn't realistic. * wg-quick: look up existing routes properly * wg-quick: specify protocol to ip(8), because of inconsistencies The route inclusion check was wrong prior, and Linux 5.1 made it break entirely. This makes a better invocation of `ip route show match`. * netlink: use new strict length types in policy for 5.2 * kbuild: account for recent upstream changes * zinc: arm64: use cpu_get_elf_hwcap accessor for 5.2 The usual churn of changes required for the upcoming 5.2. * timers: add jitter on ack failure reinitiation Correctness tweak in the timer system. 
* blake2s,chacha: latency tweak * blake2s: shorten ssse3 loop In every odd-numbered round, instead of operating over the state x00 x01 x02 x03 x05 x06 x07 x04 x10 x11 x08 x09 x15 x12 x13 x14 we operate over the rotated state x03 x00 x01 x02 x04 x05 x06 x07 x09 x10 x11 x08 x14 x15 x12 x13 The advantage here is that this requires no changes to the 'x04 x05 x06 x07' row, which is in the critical path. This results in a noticeable latency improvement of roughly R cycles, for R diagonal rounds in the primitive. As well, the blake2s AVX implementation is now SSSE3 and considerably shorter. * tools: allow setting WG_ENDPOINT_RESOLUTION_RETRIES System integrators can now specify things like WG_ENDPOINT_RESOLUTION_RETRIES=infinity when building wg(8)-based init scripts and services, or 0, or any other integer. Signed-off-by: Jason A. Donenfeld --- package/network/services/wireguard/Makefile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/package/network/services/wireguard/Makefile b/package/network/services/wireguard/Makefile index c04762b..e3471d0 100644 --- a/package/network/services/wireguard/Makefile +++ b/package/network/services/wireguard/Makefile @@ -11,12 +11,12 @@ include $(INCLUDE_DIR)/kernel.mk PKG_NAME:=wireguard -PKG_VERSION:=0.0.20190406 +PKG_VERSION:=0.0.20190531 PKG_RELEASE:=1 PKG_SOURCE:=WireGuard-$(PKG_VERSION).tar.xz PKG_SOURCE_URL:=https://git.zx2c4.com/WireGuard/snapshot/ -PKG_HASH:=2f06f3adf70b95e74a7736a22dcf6e9ef623b311a15b7d55b5474e57c3d0415b +PKG_HASH:=8b0280322ec4c46fd1a786af4db0c4d0c600053542c4563582baac478e4127b1 PKG_LICENSE:=GPL-2.0 Apache-2.0 PKG_LICENSE_FILES:=COPYING -- 2.21.0 ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
[OpenWrt-Devel] [PATCH] wireguard: bump to 0.0.20190406
* allowedips: initialize list head when removing intermediate nodes Fix for an important regression in removing allowed IPs from the last snapshot. We have new test cases to catch these in the future as well. * tools: warn if an AllowedIP has a nonzero host part If you try to run `wg set wg0 peer ... allowed-ips 192.168.1.82/24`, wg(8) will now print a warning. Even though we mask this automatically down to 192.168.1.0/24, usually when people specify it like this, it's a mistake. * wg-quick: add 'strip' subcommand The new strip subcommand prints the config file to stdout after stripping it of all wg-quick-specific options. This enables tricks such as: `wg addconf $DEV <(wg-quick strip $DEV)`. * tools: avoid unneccessary next_peer assignments in sort_peers() Small C optimization the compiler was probably already doing. * peerlookup: rename from hashtables * allowedips: do not use __always_inline * device: use skb accessor functions where possible Suggested tweaks from Dave Miller. * blake2s: simplify * blake2s: remove outlen parameter from final The blake2s implementation has been simplified, since we don't use any of the fancy tree hashing parameters or the like. We also no longer separate the output length at initialization time from the output length at finalization time. * global: the _bh variety of rcu helpers have been unified * compat: nf_nat_core.h was removed upstream * compat: backport skb_mark_not_on_list The usual assortment of compat fixes for Linux 5.1. Signed-off-by: Jason A. Donenfeld --- package/network/services/wireguard/Makefile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/package/network/services/wireguard/Makefile b/package/network/services/wireguard/Makefile index aab3e59..c04762b 100644 --- a/package/network/services/wireguard/Makefile +++ b/package/network/services/wireguard/Makefile 
@@ -11,12 +11,12 @@ include $(INCLUDE_DIR)/kernel.mk
 PKG_NAME:=wireguard
-PKG_VERSION:=0.0.20190227
+PKG_VERSION:=0.0.20190406
 PKG_RELEASE:=1
 PKG_SOURCE:=WireGuard-$(PKG_VERSION).tar.xz
 PKG_SOURCE_URL:=https://git.zx2c4.com/WireGuard/snapshot/
-PKG_HASH:=fcdb26fd2692d9e1dee54d14418603c38fbb973a06ce89d08fbe45292ff37f79
+PKG_HASH:=2f06f3adf70b95e74a7736a22dcf6e9ef623b311a15b7d55b5474e57c3d0415b
 PKG_LICENSE:=GPL-2.0 Apache-2.0
 PKG_LICENSE_FILES:=COPYING
-- 2.21.0 ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
[OpenWrt-Devel] [PATCH] wireguard: bump to 0.0.20190227
* wg-quick: freebsd: allow loopback to work FreeBSD adds a route for point-to-point destination addresses. We don't really want to specify any destination address, but unfortunately we have to. Before we tried to cheat by giving our own address as the destination, but this had the unfortunate effect of preventing loopback from working on our local ip address. We work around this with yet another kludge: we set the destination address to 127.0.0.1. Since 127.0.0.1 is already assigned to an interface, this has the same effect of not specifying a destination address, and therefore we accomplish the intended behavior. Note that the bad behavior is still present in Darwin, where such workaround does not exist. * tools: remove unused check phony declaration * highlighter: when subtracting char, cast to unsigned * chacha20: name enums * tools: fight compiler slightly harder * tools: c_acc doesn't need to be initialized * queueing: more reasonable allocator function convention Usual nits. * systemd: wg-quick should depend on nss-lookup.target Since wg-quick(8) calls wg(8) which does hostname lookups, we should probably only run this after we're allowed to look up hostnames. * compat: backport ALIGN_DOWN * noise: whiten the nanoseconds portion of the timestamp This mitigates unrelated sidechannel attacks that think they can turn WireGuard into a useful time oracle. * hashtables: decouple hashtable allocations from the main device allocation The hashtable allocations are quite large, and cause the device allocation in the net framework to stall sometimes while it tries to find a contiguous region that can fit the device struct. To fix the allocation stalls, decouple the hashtable allocations from the device allocation and allocate the hashtables with kvmalloc's implicit __GFP_NORETRY so that the allocations fall back to vmalloc with little resistance. 
* chacha20poly1305: permit unaligned strides on certain platforms The map allocations required to fix this are mostly slower than unaligned paths. * noise: store clamped key instead of raw key This causes `wg show` to now show the right thing. Useful for doing comparisons. * compat: ipv6_stub is sometimes null On ancient kernels, ipv6_stub is sometimes null in cases where IPv6 has been disabled with a command line flag or other failures. * Makefile: don't duplicate code in install and modules-install * Makefile: make the depmod path configurable * queueing: net-next has changed signature of skb_probe_transport_header A 5.1 change. This could change again, but for now it allows us to keep this snapshot aligned with our upstream submissions. * netlink: don't remove allowed ips for new peers * peer: only synchronize_rcu_bh and traverse trie once when removing all peers * allowedips: maintain per-peer list of allowedips This is a rather big and important change that makes it much much faster to do operations involving thousands of peers. Batch peer/allowedip addition and clearing is several orders of magnitude faster now. Signed-off-by: Jason A. Donenfeld --- package/network/services/wireguard/Makefile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/package/network/services/wireguard/Makefile b/package/network/services/wireguard/Makefile index 2e9f17e..aab3e59 100644 --- a/package/network/services/wireguard/Makefile +++ b/package/network/services/wireguard/Makefile 
@@ -11,12 +11,12 @@ include $(INCLUDE_DIR)/kernel.mk
 PKG_NAME:=wireguard
-PKG_VERSION:=0.0.20190123
+PKG_VERSION:=0.0.20190227
 PKG_RELEASE:=1
 PKG_SOURCE:=WireGuard-$(PKG_VERSION).tar.xz
 PKG_SOURCE_URL:=https://git.zx2c4.com/WireGuard/snapshot/
-PKG_HASH:=edd13c7631af169e3838621b1a1bff3ef73cf7bc778eec2bd55f7c1089ffdf9b
+PKG_HASH:=fcdb26fd2692d9e1dee54d14418603c38fbb973a06ce89d08fbe45292ff37f79
 PKG_LICENSE:=GPL-2.0 Apache-2.0
 PKG_LICENSE_FILES:=COPYING
-- 2.20.1
___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
[OpenWrt-Devel] [PATCH] wireguard: bump to 0.0.20190123
* tools: curve25519: handle unaligned loads/stores safely This should fix sporadic crashes with `wg pubkey` on certain architectures. * netlink: auth socket changes against namespace of socket In WireGuard, the underlying UDP socket lives in the namespace where the interface was created and doesn't move if the interface is moved. This allows one to create the interface in some privileged place that has Internet access, and then move it into a container namespace that only has the WireGuard interface for egress. Consider the following situation: 1. Interface created in namespace A. Socket therefore lives in namespace A. 2. Interface moved to namespace B. Socket remains in namespace A. 3. Namespace B now has access to the interface and changes the listen port and/or fwmark of socket. Change is reflected in namespace A. This behavior is arguably _fine_ and perhaps even expected or acceptable. But there's also an argument to be made that B should have A's cred to do so. So, this patch adds a simple ns_capable check. * ratelimiter: build tests with !IPV6 Should reenable building in debug mode for systems without IPv6. * noise: replace getnstimeofday64 with ktime_get_real_ts64 * ratelimiter: totalram_pages is now a function * qemu: enable FP on MIPS Linux 5.0 support. * keygen-html: bring back pure javascript implementation Benoît Viguier has proofs that values will stay well within 2^53. We also have an improved carry function that's much simpler. Probably more constant time than emscripten's 64-bit integers. * contrib: introduce simple highlighter library This is the highlighter library being used in: - https://twitter.com/EdgeSecurity/status/1085294681003454465 - https://twitter.com/EdgeSecurity/status/1081953278248796165 It's included here as a contrib example, so that others can paste it into their own GUI clients for having the same strictly validating highlighting. * netlink: use __kernel_timespec for handshake time This readies us for Y2038. 
See https://lwn.net/Articles/776435/ for more info.
Signed-off-by: Jason A. Donenfeld
---
package/network/services/wireguard/Makefile | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/package/network/services/wireguard/Makefile b/package/network/services/wireguard/Makefile
index f752d3b..2e9f17e 100644
--- a/package/network/services/wireguard/Makefile
+++ b/package/network/services/wireguard/Makefile
@@ -11,12 +11,12 @@ include $(INCLUDE_DIR)/kernel.mk
 PKG_NAME:=wireguard
-PKG_VERSION:=0.0.20181218
+PKG_VERSION:=0.0.20190123
 PKG_RELEASE:=1
 PKG_SOURCE:=WireGuard-$(PKG_VERSION).tar.xz
 PKG_SOURCE_URL:=https://git.zx2c4.com/WireGuard/snapshot/
-PKG_HASH:=2e9f86acefa49dbfb7fa6f5e10d543f1885a2d5460cd5e102696901107675735
+PKG_HASH:=edd13c7631af169e3838621b1a1bff3ef73cf7bc778eec2bd55f7c1089ffdf9b
 PKG_LICENSE:=GPL-2.0 Apache-2.0
 PKG_LICENSE_FILES:=COPYING
-- 2.20.1
___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
[OpenWrt-Devel] [PATCH] wireguard: bump to 0.0.20181119
* chacha20,poly1305: fix up for win64 * poly1305: only export neon symbols when in use * poly1305: cleanup leftover debugging changes * crypto: resolve target prefix on buggy kernels * chacha20,poly1305: don't do compiler testing in generator and remove xor helper * crypto: better path resolution and more specific generated .S * poly1305: make frame pointers for auxiliary calls * chacha20,poly1305: do not use xlate This should fix up the various build errors, warnings, and insertion errors introduced by the previous snapshot, where we added some significant refactoring. In short, we're trying to port to using Andy Polyakov's original perlasm files, and this means quite a lot of work to re-do that had stableized in our old .S.
Signed-off-by: Jason A. Donenfeld
---
package/network/services/wireguard/Makefile | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/package/network/services/wireguard/Makefile b/package/network/services/wireguard/Makefile
index 442938c..a193074 100644
--- a/package/network/services/wireguard/Makefile
+++ b/package/network/services/wireguard/Makefile
@@ -11,12 +11,12 @@ include $(INCLUDE_DIR)/kernel.mk
 PKG_NAME:=wireguard
-PKG_VERSION:=0.0.20181115
+PKG_VERSION:=0.0.20181119
 PKG_RELEASE:=1
 PKG_SOURCE:=WireGuard-$(PKG_VERSION).tar.xz
 PKG_SOURCE_URL:=https://git.zx2c4.com/WireGuard/snapshot/
-PKG_HASH:=11292c7e86fce6fb0d9fd170389d2afc609bda963a7faf1fd713e11c2af53085
+PKG_HASH:=7d47f7996dd291069de4efb3097c42f769f60dc3ac6f850a4d5705f321e4406b
 PKG_LICENSE:=GPL-2.0 Apache-2.0
 PKG_LICENSE_FILES:=COPYING
-- 2.19.1
___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
[OpenWrt-Devel] [PATCH] wireguard: bump to 0.0.20181115
* Zinc no longer ships generated assembly code. Rather, we now bundle in the original perlasm generator for it. The primary purpose of this snapshot is to get testing of this. * Clarify the peer removal logic and make lifetimes more precise. * Use READ_ONCE for is_valid and is_dead. * No need to use atomic when the recounter is mutex protected. * Fix up macros and annotations in allowedips. * Increment drop counter when staged packets are dropped. * Use static constants instead of enums for 64-bit values in selftest. * Mark large constants as ULL in poly1305-donna64. * Fix sparse warnings in allowedips debugging code. * Do not use wg_peer_get_maybe_zero in timer callbacks, since we now can carefully control the lifetime of these functions and ensure they never execute after dropping the last reference. * Cleanup hashing in ratelimiter. * Do not guard timer removals, since del_timer is always okay. * We now check for PM_AUTOSLEEP, which makes the clear*on-suspend decision a bit more general. * Set csum_level to ~0, since the poly1305 authenticator certainly means that no data was modified in transit. * Use CHECKSUM_PARTIAL check for skb_checksum_help instead of skb_checksum_setup check. * wg.8: specify that wg(8) shows runtime info too * wg.8: AllowedIPs isn't actually required * keygen-html: add missing glue macro * wg-quick: android: do not choke on empty allowed-ips Signed-off-by: Jason A. Donenfeld --- package/network/services/wireguard/Makefile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/package/network/services/wireguard/Makefile b/package/network/services/wireguard/Makefile index 8a71ce2..442938c 100644 --- a/package/network/services/wireguard/Makefile +++ b/package/network/services/wireguard/Makefile 
@@ -11,12 +11,12 @@ include $(INCLUDE_DIR)/kernel.mk
 PKG_NAME:=wireguard
-PKG_VERSION:=0.0.20181018
+PKG_VERSION:=0.0.20181115
 PKG_RELEASE:=1
 PKG_SOURCE:=WireGuard-$(PKG_VERSION).tar.xz
 PKG_SOURCE_URL:=https://git.zx2c4.com/WireGuard/snapshot/
-PKG_HASH:=af05824211b27cbeeea2b8d6b76be29552c0d80bfe716471215e4e43d259e327
+PKG_HASH:=11292c7e86fce6fb0d9fd170389d2afc609bda963a7faf1fd713e11c2af53085
 PKG_LICENSE:=GPL-2.0 Apache-2.0
 PKG_LICENSE_FILES:=COPYING
-- 2.19.1
___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
[OpenWrt-Devel] [PATCH] wireguard: bump to 0.0.20181018
Signed-off-by: Jason A. Donenfeld
---
package/network/services/wireguard/Makefile | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/package/network/services/wireguard/Makefile b/package/network/services/wireguard/Makefile
index dad430b..8a71ce2 100644
--- a/package/network/services/wireguard/Makefile
+++ b/package/network/services/wireguard/Makefile
@@ -11,12 +11,12 @@ include $(INCLUDE_DIR)/kernel.mk
 PKG_NAME:=wireguard
-PKG_VERSION:=0.0.20181007
+PKG_VERSION:=0.0.20181018
 PKG_RELEASE:=1
 PKG_SOURCE:=WireGuard-$(PKG_VERSION).tar.xz
 PKG_SOURCE_URL:=https://git.zx2c4.com/WireGuard/snapshot/
-PKG_HASH:=d26e0d1216594871b5947e76d64c2fa50e9b34b68cdcfa3fdad588cbb314af89
+PKG_HASH:=af05824211b27cbeeea2b8d6b76be29552c0d80bfe716471215e4e43d259e327
 PKG_LICENSE:=GPL-2.0 Apache-2.0
 PKG_LICENSE_FILES:=COPYING
-- 2.19.1
___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
[OpenWrt-Devel] [PATCH] wireguard: bump to 0.0.20181006
* Account for big-endian 2^26 conversion in Poly1305. * Account for big-endian NEON in Curve25519. * Fix macros in big-endian AArch64 code so that this will actually run there at all. * Prefer if (IS_ENABLED(...)) over ifdef mazes when possible. * Call simd_relax() within any preempt-disabling glue code every once in a while so as not to increase latency if folks pass in super long buffers. * Prefer compiler-defined architecture macros in assembly code, which puts us in closer alignment with upstream CRYPTOGAMS code, and is cleaner. * Non-static symbols are prefixed with wg_ to avoid polluting the global namespace. * Return a bool from simd_relax() indicating whether or not we were rescheduled. * Reflect the proper simd conditions on arm. * Do not reorder lines in Kbuild files for the simd asm-generic addition, since we don't want to cause merge conflicts. * WARN() if the selftests fail in Zinc, since if this is an initcall, it won't block module loading, so we want to be loud. * Document some interdependencies beside include statements. * Add missing static statement to fpu init functions. * Use union in chacha to access state words as a flat matrix, instead of casting a struct to a u8 and hoping all goes well. Then, by passing around that array as a struct for as long as possible, we can update counter[0] instead of state[12] in the generic blocks, which makes it clearer what's happening. * Remove __aligned(32) for chacha20_ctx since we no longer use vmovdqa on x86, and the other implementations do not require that kind of alignment either. * Submit patch to ARM tree for adjusting RiscPC's cflags to be -march=armv3 so that we can build code that uses umull. * Allow CONFIG_ARM[64] to imply [!]CONFIG_64BIT, and use zinc arch config variables consistently throughout. * Document rationale for the 2^26->2^64/32 conversion in code comments. * Convert all of remaining BUG_ON to WARN_ON. 
* Replace `bxeq lr` with `reteq lr` in ARM assembler to be compatible with old ISAs via the macro in . * Do not allow WireGuard to be a built-in if IPv6 is a module. * Writeback the base register and reorder multiplications in the NEON x25519 implementation. * Try all combinations of different implementations in selftests, so that potential bugs are more immediately unearthed. * Self tests and SIMD glue code work with #include, which lets the compiler optimize these. Previously these files were .h, because they were included, but a simple grep of the kernel tree shows 259 other files that carry out this same pattern. Only they prefer to instead name the files with a .c instead of a .h, so we now follow the convention. * Support many more platforms in QEMU, especially big endian ones. * Kernels < 3.17 don't have read_cpuid_part, so fix building there.
Signed-off-by: Jason A. Donenfeld
---
package/network/services/wireguard/Makefile | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/package/network/services/wireguard/Makefile b/package/network/services/wireguard/Makefile
index 29c7447..3544e34 100644
--- a/package/network/services/wireguard/Makefile
+++ b/package/network/services/wireguard/Makefile
@@ -11,12 +11,12 @@ include $(INCLUDE_DIR)/kernel.mk
 PKG_NAME:=wireguard
-PKG_VERSION:=0.0.20180925
+PKG_VERSION:=0.0.20181006
 PKG_RELEASE:=1
 PKG_SOURCE:=WireGuard-$(PKG_VERSION).tar.xz
 PKG_SOURCE_URL:=https://git.zx2c4.com/WireGuard/snapshot/
-PKG_HASH:=4a0488a07e40ec17e798f3e40a85cedf55f0560b1c3a8fd95806c7d4266cb0e8
+PKG_HASH:=9fe7cd5767eda65647463ec29ed707f917f4a77babaaf247adc4be7acaab4665
 PKG_LICENSE:=GPL-2.0 Apache-2.0
 PKG_LICENSE_FILES:=COPYING
-- 2.19.0
___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
[OpenWrt-Devel] [PATCH] wireguard: bump to 0.0.20180918
* blake2s-x86_64: fix whitespace errors * crypto: do not use compound literals in selftests * crypto: make sure UML is properly disabled * kconfig: make NEON depend on CPU_V7 * poly1305: rename finish to final * chacha20: add constant for words in block * curve25519-x86_64: remove useless define * poly1305: precompute 5*r in init instead of blocks * chacha20-arm: swap scalar and neon functions * simd: add __must_check annotation * poly1305: do not require simd context for arch * chacha20-x86_64: cascade down implementations * crypto: pass simd by reference * chacha20-x86_64: don't activate simd for small blocks * poly1305-x86_64: don't activate simd for small blocks * crypto: do not use -include trick * crypto: turn Zinc into individual modules * chacha20poly1305: relax simd between sg chunks * chacha20-x86_64: more limited cascade * crypto: allow for disabling simd in zinc modules * poly1305-x86_64: show full struct for state * chacha20-x86_64: use correct cut off for avx512-vl * curve25519-arm: only compile if symbols will be used * chacha20poly1305: add __init to selftest helper functions * chacha20: add independent self test Tons of improvements all around the board to our cryptography library, including some performance boosts with how we handle SIMD for small packets. * send/receive: reduce number of sg entries This quells a powerpc stack usage warning. * global: remove non-essential inline annotations We now allow the compiler to determine whether or not to inline certain functions, while still manually choosing so for a few performance-critical sections. Signed-off-by: Jason A. Donenfeld --- package/network/services/wireguard/Makefile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/package/network/services/wireguard/Makefile b/package/network/services/wireguard/Makefile index ef00f80..a04004b 100644 --- a/package/network/services/wireguard/Makefile +++ b/package/network/services/wireguard/Makefile 
@@ -11,12 +11,12 @@ include $(INCLUDE_DIR)/kernel.mk
 PKG_NAME:=wireguard
-PKG_VERSION:=0.0.20180910
+PKG_VERSION:=0.0.20180918
 PKG_RELEASE:=1
 PKG_SOURCE:=WireGuard-$(PKG_VERSION).tar.xz
 PKG_SOURCE_URL:=https://git.zx2c4.com/WireGuard/snapshot/
-PKG_HASH:=43481ac82d4889491e1ae761d4ef10688410975cc861db5d2ac1845ac62eae39
+PKG_HASH:=c0d931bdfce139a3678592ada463042c24f12dd01ba75badd3eeb0aee2211302
 PKG_LICENSE:=GPL-2.0 Apache-2.0
 PKG_LICENSE_FILES:=COPYING
-- 2.19.0
___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
[OpenWrt-Devel] [PATCH] wireguard: bump to 0.0.20180910
* curve25519: arm: do not modify sp directly * compat: support neon.h on old kernels * compat: arch-namespace certain includes * compat: move simd.h from crypto to compat since it's going upstream This fixes a decent amount of compat breakage and thumb2-mode breakage introduced by our move to Zinc. * crypto: use CRYPTOGAMS license Rather than using code from OpenSSL, use code directly from AndyP. * poly1305: rewrite self tests from scratch * poly1305: switch to donna This makes our C Poly1305 implementation a bit more intensely tested and also faster, especially on 64-bit systems. It also sets the stage for moving to a HACL* implementation when that's ready.
Signed-off-by: Jason A. Donenfeld
---
package/network/services/wireguard/Makefile | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/package/network/services/wireguard/Makefile b/package/network/services/wireguard/Makefile
index c9608ec..ef00f80 100644
--- a/package/network/services/wireguard/Makefile
+++ b/package/network/services/wireguard/Makefile
@@ -11,12 +11,12 @@ include $(INCLUDE_DIR)/kernel.mk
 PKG_NAME:=wireguard
-PKG_VERSION:=0.0.20180904
+PKG_VERSION:=0.0.20180910
 PKG_RELEASE:=1
 PKG_SOURCE:=WireGuard-$(PKG_VERSION).tar.xz
 PKG_SOURCE_URL:=https://git.zx2c4.com/WireGuard/snapshot/
-PKG_HASH:=a38ead72994a7db7cda2d0085f410dfb4728db050a519883eda8f3fe38f1
+PKG_HASH:=43481ac82d4889491e1ae761d4ef10688410975cc861db5d2ac1845ac62eae39
 PKG_LICENSE:=GPL-2.0 Apache-2.0
 PKG_LICENSE_FILES:=COPYING
-- 2.18.0
___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
[OpenWrt-Devel] [PATCH] wireguard: bump to 0.0.20180904
* Kconfig: use new-style help marker * global: run through clang-format * uapi: reformat * global: satisfy check_patch.pl errors * global: prefer sizeof(*pointer) when possible * global: always find OOM unlikely Tons of style cleanups. * crypto: use unaligned helpers We now avoid unaligned accesses for generic users of the crypto API. * crypto: import zinc More style cleanups and a rearrangement of the crypto routines to fit how this is going to work upstream. This required some fairly big changes to our build system, so there may be some build errors we'll have to address in subsequent snapshots. * compat: rng_is_initialized made it into 4.19 We therefore don't need it in the compat layer anymore. * curve25519-hacl64: use formally verified C for comparisons The previous code had been proved in Z3, but this new code from upstream KreMLin is directly generated from the F*, which is preferable. The assembly generated is identical. * curve25519-x86_64: let the compiler decide when/how to load constants Small performance boost. * curve25519-arm: reformat * curve25519-arm: cleanups from lkml * curve25519-arm: add spaces after commas * curve25519-arm: use ordinary prolog and epilogue * curve25519-arm: do not waste 32 bytes of stack * curve25519-arm: prefix immediates with # This incorporates ASM nits from upstream review. Signed-off-by: Jason A. Donenfeld --- package/network/services/wireguard/Makefile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/package/network/services/wireguard/Makefile b/package/network/services/wireguard/Makefile index 0f6fa1a..c9608ec 100644 --- a/package/network/services/wireguard/Makefile +++ b/package/network/services/wireguard/Makefile 
@@ -11,12 +11,12 @@ include $(INCLUDE_DIR)/kernel.mk
 PKG_NAME:=wireguard
-PKG_VERSION:=0.0.20180809
+PKG_VERSION:=0.0.20180904
 PKG_RELEASE:=1
 PKG_SOURCE:=WireGuard-$(PKG_VERSION).tar.xz
 PKG_SOURCE_URL:=https://git.zx2c4.com/WireGuard/snapshot/
-PKG_HASH:=3e351c42d22de427713f1da06d21189c5896a694a66cf19233a7c33295676f19
+PKG_HASH:=a38ead72994a7db7cda2d0085f410dfb4728db050a519883eda8f3fe38f1
 PKG_LICENSE:=GPL-2.0 Apache-2.0
 PKG_LICENSE_FILES:=COPYING
-- 2.18.0
___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
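Review bot: The value on the `+PKG_HASH:=a38ead72…38f1` line of this hunk is 60 hex characters, while a SHA-256 digest is 64, so it cannot be the checksum of WireGuard-0.0.20180904.tar.xz; as far as I recall OpenWrt's scripts/download.pl only recognises 32- or 64-character hashes and aborts otherwise, so this bump would fail at fetch time rather than verify anything. It could be list-archive damage, but the later bump to 0.0.20180910 on this page removes exactly the same 60-character value, which suggests it was committed as is. Since PKG_HASH is the only integrity pin on a package that ships a kernel module, the line should be regenerated from the downloaded tarball (`sha256sum WireGuard-0.0.20180904.tar.xz`) and checked for 64 digits before merging.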
[OpenWrt-Devel] [PATCH] wireguard: bump to 0.0.20180809
* send: switch handshake stamp to an atomic Rather than abusing the handshake lock, we're much better off just using a boring atomic64 for this. It's simpler and performs better. Also, while we're at it, we set the handshake stamp both before and after the calculations, in case the calculations block for a really long time waiting for the RNG to initialize. * compat: better atomic acquire/release backport This should fix compilation and correctness on several platforms. * crypto: move simd context to specific type This was a suggestion from Andy Lutomirski on LKML. * chacha20poly1305: selftest: use arrays for test vectors We no longer have lines so long that they're rejected by SMTP servers. * qemu: add easy git harness This makes it a bit easier to use our qemu harness for testing our mainline integration tree. * curve25519-x86_64: avoid use of r12 This causes problems with RAP and KERNEXEC for PaX, as r12 is a reserved register. * chacha20: use memmove in case buffers overlap A small correctness fix that we never actually hit in WireGuard but is important especially for moving this into a general purpose library. * curve25519-hacl64: simplify u64_eq_mask * curve25519-hacl64: correct u64_gte_mask Two bitmath fixes from Samuel, which come complete with a z3 script proving their correctness. * timers: include header in right file This fixes compilation in some environments. * netlink: don't start over iteration on multipart non-first allowedips Matt Layher found a bug where a netlink dump of peers would never terminate in some circumstances, causing wg(8) to keep trying forever. We now have a fix as well as a unit test to mitigate this, and we'll be looking to create a fuzzer out of Matt's nice library. Signed-off-by: Jason A. Donenfeld --- package/network/services/wireguard/Makefile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/package/network/services/wireguard/Makefile b/package/network/services/wireguard/Makefile
index 9f90115..0f6fa1a 100644
--- a/package/network/services/wireguard/Makefile
+++ b/package/network/services/wireguard/Makefile
@@ -11,12 +11,12 @@ include $(INCLUDE_DIR)/kernel.mk
 PKG_NAME:=wireguard
-PKG_VERSION:=0.0.20180802
+PKG_VERSION:=0.0.20180809
 PKG_RELEASE:=1
 PKG_SOURCE:=WireGuard-$(PKG_VERSION).tar.xz
 PKG_SOURCE_URL:=https://git.zx2c4.com/WireGuard/snapshot/
-PKG_HASH:=cd1da34b377d58df760aadf69ced045081517570586fc2d4eed7f09f5d5a47c6
+PKG_HASH:=3e351c42d22de427713f1da06d21189c5896a694a66cf19233a7c33295676f19
 PKG_LICENSE:=GPL-2.0 Apache-2.0
 PKG_LICENSE_FILES:=COPYING
-- 2.18.0
___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
[OpenWrt-Devel] [PATCH] wireguard: bump to 0.0.20180802
Signed-off-by: Jason A. Donenfeld
---
package/network/services/wireguard/Makefile | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/package/network/services/wireguard/Makefile b/package/network/services/wireguard/Makefile
index a88dca1..d314cd5 100644
--- a/package/network/services/wireguard/Makefile
+++ b/package/network/services/wireguard/Makefile
@@ -11,12 +11,12 @@ include $(INCLUDE_DIR)/kernel.mk
 PKG_NAME:=wireguard
-PKG_VERSION:=0.0.20180718
+PKG_VERSION:=0.0.20180802
 PKG_RELEASE:=2
 PKG_SOURCE:=WireGuard-$(PKG_VERSION).tar.xz
 PKG_SOURCE_URL:=https://git.zx2c4.com/WireGuard/snapshot/
-PKG_HASH:=083c093a6948c8d38f92e7ea5533f9ff926019f24dc2612ea974851ed3e24705
+PKG_HASH:=cd1da34b377d58df760aadf69ced045081517570586fc2d4eed7f09f5d5a47c6
 PKG_LICENSE:=GPL-2.0 Apache-2.0
 PKG_LICENSE_FILES:=COPYING
-- 2.18.0
___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
[OpenWrt-Devel] [PATCH] wireguard: bump to 0.0.20180718
Signed-off-by: Jason A. Donenfeld
---
package/network/services/wireguard/Makefile | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/package/network/services/wireguard/Makefile b/package/network/services/wireguard/Makefile
index 90ecae3..9965002 100644
--- a/package/network/services/wireguard/Makefile
+++ b/package/network/services/wireguard/Makefile
@@ -11,12 +11,12 @@ include $(INCLUDE_DIR)/kernel.mk
 PKG_NAME:=wireguard
-PKG_VERSION:=0.0.20180708
+PKG_VERSION:=0.0.20180718
 PKG_RELEASE:=1
 PKG_SOURCE:=WireGuard-$(PKG_VERSION).tar.xz
 PKG_SOURCE_URL:=https://git.zx2c4.com/WireGuard/snapshot/
-PKG_HASH:=5e38d554f7d1e3a64e3a5319ca1a3b790c84ed89c896586c490a93ac1f953a91
+PKG_HASH:=083c093a6948c8d38f92e7ea5533f9ff926019f24dc2612ea974851ed3e24705
 PKG_LICENSE:=GPL-2.0 Apache-2.0
 PKG_LICENSE_FILES:=COPYING
-- 2.18.0
___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
[OpenWrt-Devel] [PATCH] wireguard: bump to 0.0.20180708
* device: print daddr not saddr in missing peer error * receive: style Debug messages now make sense again. * wg-quick: android: support excluding applications Android now supports excluding certain apps (uids) from the tunnel. * selftest: ratelimiter: improve chance of success via retry * qemu: bump default kernel version * qemu: decide debug kernel based on KERNEL_VERSION Some improvements to our testing infrastructure. * receive: use NAPI on the receive path This is a big change that should both improve preemption latency (by not disabling it unconditionally) and vastly improve rx performance on most systems by using NAPI. The main purpose of this snapshot is to test out this technique.
Signed-off-by: Jason A. Donenfeld
---
package/network/services/wireguard/Makefile | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/package/network/services/wireguard/Makefile b/package/network/services/wireguard/Makefile
index 63aaf39405..90ecae3e64 100644
--- a/package/network/services/wireguard/Makefile
+++ b/package/network/services/wireguard/Makefile
@@ -11,12 +11,12 @@ include $(INCLUDE_DIR)/kernel.mk
 PKG_NAME:=wireguard
-PKG_VERSION:=0.0.20180625
+PKG_VERSION:=0.0.20180708
 PKG_RELEASE:=1
 PKG_SOURCE:=WireGuard-$(PKG_VERSION).tar.xz
 PKG_SOURCE_URL:=https://git.zx2c4.com/WireGuard/snapshot/
-PKG_HASH:=d9bedeb22b1f83d48581608a6521fea1d429fbeb8809419d08703ef2ec570020
+PKG_HASH:=5e38d554f7d1e3a64e3a5319ca1a3b790c84ed89c896586c490a93ac1f953a91
 PKG_LICENSE:=GPL-2.0 Apache-2.0
 PKG_LICENSE_FILES:=COPYING
-- 2.18.0
___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
Re: [OpenWrt-Devel] Wireguard & hw flow offload incompatibility
Hi Jaap, This should now be taken care of by http://lists.infradead.org/pipermail/openwrt-devel/2018-May/012675.html . Thanks for the useful bug report. Jason ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/listinfo/openwrt-devel
[OpenWrt-Devel] [PATCH] wireguard: bump to 0.0.20180531 to fix flow offloading
This version bump was made upstream mostly for OpenWRT, and should fix an issue with a null dst when on the flow offloading path. While we're at it, Kevin and I are the only people actually taking care of this package, so trim the maintainer list a bit.
Signed-off-by: Jason A. Donenfeld
---
package/network/services/wireguard/Makefile | 11 +--
1 file changed, 5 insertions(+), 6 deletions(-)
diff --git a/package/network/services/wireguard/Makefile b/package/network/services/wireguard/Makefile
index c9ade769a6..3a5fd9cf3b 100644
--- a/package/network/services/wireguard/Makefile
+++ b/package/network/services/wireguard/Makefile
@@ -1,5 +1,5 @@
 #
-# Copyright (C) 2016-2017 Jason A. Donenfeld
+# Copyright (C) 2016-2018 Jason A. Donenfeld
 # Copyright (C) 2016 Baptiste Jonglez
 # Copyright (C) 2016-2017 Dan Luedtke
 #
@@ -11,12 +11,12 @@ include $(INCLUDE_DIR)/kernel.mk
 PKG_NAME:=wireguard
-PKG_VERSION:=0.0.20180519
+PKG_VERSION:=0.0.20180531
 PKG_RELEASE:=1
 PKG_SOURCE:=WireGuard-$(PKG_VERSION).tar.xz
 PKG_SOURCE_URL:=https://git.zx2c4.com/WireGuard/snapshot/
-PKG_HASH:=8846b3006c3f7e079bb38a4c985ccc2981e259f56c927b4cf47cbc1420e1c462
+PKG_HASH:=ff653095cc0e4c491ab6cd095ddf5d1db207f48f947fb92873a73220363f423c
 PKG_LICENSE:=GPL-2.0 Apache-2.0
 PKG_LICENSE_FILES:=COPYING
@@ -35,9 +35,8 @@ define Package/wireguard/Default
 CATEGORY:=Network
 SUBMENU:=VPN
 URL:=https://www.wireguard.com
- MAINTAINER:=Baptiste Jonglez , \
- Dan Luedtke , \
- Jason A. Donenfeld
+ MAINTAINER:=Jason A. Donenfeld \
+ Kevin Darbyshire-Bryant
 endef
 define Package/wireguard/Default/description
-- 2.17.0
___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/listinfo/openwrt-devel
Re: [OpenWrt-Devel] Missing skb->dst with flow offloading
On Wed, May 30, 2018 at 8:24 PM, Pablo Neira Ayuso wrote: > May it crash the kernel because it's assuming is set? If so, then > I'd appreciate if you send us a patch to I suspect it won't crash, but the pmtu might wind up wrong / not calculated. > Please, use the nf-next.git tree to patch nf_flow_offload_ip_hook() > and nf_flow_offload_ip6_hook(), it's rather late, we'll request a > -stable submission for this if needed. Given the above, I'll submit a patch, though I don't suppose it will be necessary for -stable. ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/listinfo/openwrt-devel
Re: [OpenWrt-Devel] Missing skb->dst with flow offloading
Hey Pablo, On Wed, May 30, 2018 at 8:05 PM, Pablo Neira Ayuso wrote: > If there a more drivers in-tree that need this, we may add > skb_dst_set_noref() calls to _hook function in the flowtable codebase. Can I, then, take that as an implicit acknowledgement that this observed behavior on OpenWRT is to be expected with the current state of events, and that I should patch my driver accordingly? As one example of this in tree, take a look at vxlan -- it's using it for the mtu/pmtu exactly as WireGuard does. Regards, Jason ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/listinfo/openwrt-devel
[OpenWrt-Devel] Missing skb->dst with flow offloading
Hey Pablo, Some OpenWRT people have reported to me that there's a crash when enabling flow offloading, because I rely on skb_dst(skb) being non-null in ndo_start_xmit. The fix in my code for this is very simple: - mtu = dst_mtu(skb_dst(skb)); + dst = skb_dst(skb); + mtu = dst ? dst_mtu(dst) : dev->mtu; I can make this change, but I wanted to be certain first that omitting the dst in the skb is intentional on your part. (If so, there might be other drivers to fix as well.) In tracing this, it looks like a packet that's forwarded from a flow offloaded interface to a virtual interface gets diverted immediately via neigh_xmit, where it is then passed to a virtual interface via dev_queue_xmit. I can't see anywhere along this path a call to skb_dst_set. Perhaps this is intended, as flow offloading is supposed to skip the routing table? Or is there an oversight in the new flow offloading code? I'd appreciate your input, so that I can make the appropriate change -- or not -- to my code. Regards, Jason ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/listinfo/openwrt-devel
Re: [OpenWrt-Devel] Wireguard & hw flow offload incompatibility
Hey Felix, Per the below thread, I've been digging around trying to see what's going on. Apparently packets are hitting a virtual network interface's ndo_start_xmit with no dst when hardware offloading enabled. I assume that the path is something along the lines of a packet coming in on one of these hardware accelerated NICs and then being forwarded to the wireguard interface, which expects the dst. I found your ndo_flow_offload patchset, and I suspect that might have something to do with this. Any insights on dsts disappearing in skbs? Thanks, Jason On Tue, May 29, 2018 at 2:14 PM, Jason A. Donenfeld wrote: > Hi Jaap, > > Thanks for the clarification. I downloaded the binary for that > hardware and triaged where the bug occurs [1]. This patch [2] should > probably fix it, but I'm rather surprised to see situations in which a > skb is missing a dst entry in ndo_start_xmit; this might point to > deeper kernel bugs in this hardware offloading feature, or some > alternative mechanism for routing being used when hardware offloading > is on. So I'm hesitant to merge this just yet, because perhaps this is > better handled in the compat layer, if it is in fact vendor silliness. > Do you have a link to the kernel source of these boxes? I'd like to > see what exactly the vendor is doing. And if you could try [2] and see > if that still crashes, this would be most appreciated. > > Thanks, > Jason > > [1] https://data.zx2c4.com/openwrt-mips-offloading-bug.png > [2] https://א.cc/Am4tZ0n8 > > On Tue, May 29, 2018 at 1:59 PM, Jaap Buurman wrote: >> Dear Jason, >> >> This isn't a regression. This is simply the first time this has been >> observed. (hw) flow offload is a new feature, and hence this >> interaction with wireguard is also new. >> >> Yours sincerely, >> >> Jaap >> >> On Tue, May 29, 2018 at 1:54 PM, Jason A. Donenfeld wrote: >>> Hi Jaap, >>> >>> Thanks for the report. Is this a _new_ bug in _new_ version of >>> WireGuard that wasn't there before. 
Or is this the first time you've >>> observed this? >>> >>> Thanks, >>> Jason > > Original Mail == > >> Dear all, >> >> When running a wireguard interface on the latest Lede master branch, >> the router will crash as soon as traffic hits the wireguard interface >> while (hw) flow offloading is enabled. I am not sure whether this is a >> bug with wireguard, hw flow offload, both or neither, so I am >> reporting the bug to both mailing lists. A more detailed description >> plus a properly formatted stack trace can be found on Lede's bug >> tracker: https://bugs.openwrt.org/index.php?do=details_id=1539 >> >> If you require any additional information, please do not hesitate to >> contact me. Thank you very much in advance. >> >> Yours sincerely, >> >> Jaap Buurman ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/listinfo/openwrt-devel
Re: [OpenWrt-Devel] Wireguard & hw flow offload incompatibility
Hi Jaap, Thanks for the clarification. I downloaded the binary for that hardware and triaged where the bug occurs [1]. This patch [2] should probably fix it, but I'm rather surprised to see situations in which a skb is missing a dst entry in ndo_start_xmit; this might point to deeper kernel bugs in this hardware offloading feature, or some alternative mechanism for routing being used when hardware offloading is on. So I'm hesitant to merge this just yet, because perhaps this is better handled in the compat layer, if it is in fact vendor silliness. Do you have a link to the kernel source of these boxes? I'd like to see what exactly the vendor is doing. And if you could try [2] and see if that still crashes, this would be most appreciated. Thanks, Jason [1] https://data.zx2c4.com/openwrt-mips-offloading-bug.png [2] https://א.cc/Am4tZ0n8 On Tue, May 29, 2018 at 1:59 PM, Jaap Buurman wrote: > Dear Jason, > > This isn't a regression. This is simply the first time this has been > observed. (hw) flow offload is a new feature, and hence this > interaction with wireguard is also new. > > Yours sincerely, > > Jaap > > On Tue, May 29, 2018 at 1:54 PM, Jason A. Donenfeld wrote: >> Hi Jaap, >> >> Thanks for the report. Is this a _new_ bug in _new_ version of >> WireGuard that wasn't there before. Or is this the first time you've >> observed this? >> >> Thanks, >> Jason Original Mail == > Dear all, > > When running a wireguard interface on the latest Lede master branch, > the router will crash as soon as traffic hits the wireguard interface > while (hw) flow offloading is enabled. I am not sure whether this is a > bug with wireguard, hw flow offload, both or neither, so I am > reporting the bug to both mailinglists. A more detailed description > plus a properly formatted stack trace can be found on Lede's bug > tracker: https://bugs.openwrt.org/index.php?do=details_id=1539 > > If you require any additional information, please do not hesitate to > contact me. 
Thank you very much in advance. > > Yours sincerely, > > Jaap Buurman ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/listinfo/openwrt-devel
[OpenWrt-Devel] [PATCH] wireguard: bump to 20180519
* chacha20poly1305: add mips32 implementation "The OpenWRT Commit" - this significantly speeds up performance on cheap plastic MIPS routers, and presumably the remaining MIPS32r2 super computers out there. * timers: reinitialize state on init * timers: round up instead of down in slack_time * timers: remove slack_time * timers: clear send_keepalive timer on sending handshake response * timers: no need to clear keepalive in persistent keepalive Andrew He and I have helped simplify the timers and remove some old warts, making the whole system a bit easier to analyze. * tools: fix errno propagation and messages Error messages are now more coherent. * device: remove allowedips before individual peers This avoids an O(n^2) traversal in favor of an O(n) one. Before systems with many peers would grind when deleting the interface. Signed-off-by: Jason A. Donenfeld <ja...@zx2c4.com>
---
 package/network/services/wireguard/Makefile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/package/network/services/wireguard/Makefile b/package/network/services/wireguard/Makefile
index 770efe4948..c9ade769a6 100644
--- a/package/network/services/wireguard/Makefile
+++ b/package/network/services/wireguard/Makefile
@@ -11,12 +11,12 @@ include $(INCLUDE_DIR)/kernel.mk
 PKG_NAME:=wireguard
-PKG_VERSION:=0.0.20180514
+PKG_VERSION:=0.0.20180519
 PKG_RELEASE:=1
 PKG_SOURCE:=WireGuard-$(PKG_VERSION).tar.xz
 PKG_SOURCE_URL:=https://git.zx2c4.com/WireGuard/snapshot/
-PKG_HASH:=e895b65e06e85429403be3d1987577a6967476b069f0ff53caead6f682f466da
+PKG_HASH:=8846b3006c3f7e079bb38a4c985ccc2981e259f56c927b4cf47cbc1420e1c462
 PKG_LICENSE:=GPL-2.0 Apache-2.0
 PKG_LICENSE_FILES:=COPYING
-- 
2.17.0 ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org http://lists.infradead.org/mailman/listinfo/openwrt-devel