[gentoo-commits] repo/gentoo:master commit in: net-vpn/wireguard/files/, net-vpn/wireguard/

[gentoo-commits] repo/gentoo:master commit in: net-vpn/wireguard/files/, net-vpn/wireguard/

[Jason Donenfeld]

commit:     98de0b375822da3d946004d292a03c050dfaa72d
Author:     Jason A. Donenfeld <zx2c4 <AT> gentoo <DOT> org>
AuthorDate: Thu Jun  1 18:14:43 2017 +0000
Commit:     Jason Donenfeld <zx2c4 <AT> gentoo <DOT> org>
CommitDate: Thu Jun  1 18:14:56 2017 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=98de0b37

net-vpn/wireguard: work around hotplug+!padata

Package-Manager: Portage-2.3.6, Repoman-2.3.2

 ...eguard-0.0.20170531-remove-padata-hotplug.patch | 188 +++++++++++++++++++++
 net-vpn/wireguard/wireguard-0.0.20170531-r1.ebuild | 115 +++++++++++++
 2 files changed, 303 insertions(+)

diff --git a/net-vpn/wireguard/files/wireguard-0.0.20170531-remove-padata-hotplug.patch b/net-vpn/wireguard/files/wireguard-0.0.20170531-remove-padata-hotplug.patch
new file mode 100644
index 00000000000..a1f4b80d01d
--- /dev/null
+++ b/net-vpn/wireguard/files/wireguard-0.0.20170531-remove-padata-hotplug.patch
@@ -0,0 +1,188 @@
+From 1e0405942cecfd6de2a7707f3027f326d6f2fdb4 Mon Sep 17 00:00:00 2001
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+Date: Thu, 1 Jun 2017 16:55:20 +0200
+Subject: compat: remove padata hotplug code
+
+It's different on different kernel versions, and we're not using it
+anyway, so it's easiest to just get rid of it, rather than having
+another ifdef maze.
+---
+ src/compat/padata/padata.c | 149 ---------------------------------------------
+ 1 file changed, 149 deletions(-)
+
+diff --git a/src/compat/padata/padata.c b/src/compat/padata/padata.c
+index 480c43f..25836db 100644
+--- a/src/compat/padata/padata.c
++++ b/src/compat/padata/padata.c
+@@ -677,131 +677,8 @@ void padata_stop(struct padata_instance *pinst)
+ 	mutex_unlock(&pinst->lock);
+ }
+ 
+-#ifdef CONFIG_HOTPLUG_CPU
+-
+-static int __padata_add_cpu(struct padata_instance *pinst, int cpu)
+-{
+-	struct parallel_data *pd;
+-
+-	if (cpumask_test_cpu(cpu, cpu_online_mask)) {
+-		pd = padata_alloc_pd(pinst, pinst->cpumask.pcpu,
+-				     pinst->cpumask.cbcpu);
+-		if (!pd)
+-			return -ENOMEM;
+-
+-		padata_replace(pinst, pd);
+-
+-		if (padata_validate_cpumask(pinst, pinst->cpumask.pcpu) &&
+-		    padata_validate_cpumask(pinst, pinst->cpumask.cbcpu))
+-			__padata_start(pinst);
+-	}
+-
+-	return 0;
+-}
+-
+-static int __padata_remove_cpu(struct padata_instance *pinst, int cpu)
+-{
+-	struct parallel_data *pd = NULL;
+-
+-	if (cpumask_test_cpu(cpu, cpu_online_mask)) {
+-
+-		if (!padata_validate_cpumask(pinst, pinst->cpumask.pcpu) ||
+-		    !padata_validate_cpumask(pinst, pinst->cpumask.cbcpu))
+-			__padata_stop(pinst);
+-
+-		pd = padata_alloc_pd(pinst, pinst->cpumask.pcpu,
+-				     pinst->cpumask.cbcpu);
+-		if (!pd)
+-			return -ENOMEM;
+-
+-		padata_replace(pinst, pd);
+-
+-		cpumask_clear_cpu(cpu, pd->cpumask.cbcpu);
+-		cpumask_clear_cpu(cpu, pd->cpumask.pcpu);
+-	}
+-
+-	return 0;
+-}
+-
+- /**
+- * padata_remove_cpu - remove a cpu from the one or both(serial and parallel)
+- *                     padata cpumasks.
+- *
+- * @pinst: padata instance
+- * @cpu: cpu to remove
+- * @mask: bitmask specifying from which cpumask @cpu should be removed
+- *        The @mask may be any combination of the following flags:
+- *          PADATA_CPU_SERIAL   - serial cpumask
+- *          PADATA_CPU_PARALLEL - parallel cpumask
+- */
+-int padata_remove_cpu(struct padata_instance *pinst, int cpu, int mask)
+-{
+-	int err;
+-
+-	if (!(mask & (PADATA_CPU_SERIAL | PADATA_CPU_PARALLEL)))
+-		return -EINVAL;
+-
+-	mutex_lock(&pinst->lock);
+-
+-	get_online_cpus();
+-	if (mask & PADATA_CPU_SERIAL)
+-		cpumask_clear_cpu(cpu, pinst->cpumask.cbcpu);
+-	if (mask & PADATA_CPU_PARALLEL)
+-		cpumask_clear_cpu(cpu, pinst->cpumask.pcpu);
+-
+-	err = __padata_remove_cpu(pinst, cpu);
+-	put_online_cpus();
+-
+-	mutex_unlock(&pinst->lock);
+-
+-	return err;
+-}
+-
+-static inline int pinst_has_cpu(struct padata_instance *pinst, int cpu)
+-{
+-	return cpumask_test_cpu(cpu, pinst->cpumask.pcpu) ||
+-		cpumask_test_cpu(cpu, pinst->cpumask.cbcpu);
+-}
+-
+-static int padata_cpu_online(unsigned int cpu, struct hlist_node *node)
+-{
+-	struct padata_instance *pinst;
+-	int ret;
+-
+-	pinst = hlist_entry_safe(node, struct padata_instance, node);
+-	if (!pinst_has_cpu(pinst, cpu))
+-		return 0;
+-
+-	mutex_lock(&pinst->lock);
+-	ret = __padata_add_cpu(pinst, cpu);
+-	mutex_unlock(&pinst->lock);
+-	return ret;
+-}
+-
+-static int padata_cpu_prep_down(unsigned int cpu, struct hlist_node *node)
+-{
+-	struct padata_instance *pinst;
+-	int ret;
+-
+-	pinst = hlist_entry_safe(node, struct padata_instance, node);
+-	if (!pinst_has_cpu(pinst, cpu))
+-		return 0;
+-
+-	mutex_lock(&pinst->lock);
+-	ret = __padata_remove_cpu(pinst, cpu);
+-	mutex_unlock(&pinst->lock);
+-	return ret;
+-}
+-
+-static enum cpuhp_state hp_online;
+-#endif
+-
+ static void __padata_free(struct padata_instance *pinst)
+ {
+-#ifdef CONFIG_HOTPLUG_CPU
+-	cpuhp_state_remove_instance_nocalls(hp_online, &pinst->node);
+-#endif
+-
+ 	padata_stop(pinst);
+ 	padata_free_pd(pinst->pd);
+ 	free_cpumask_var(pinst->cpumask.pcpu);
+@@ -995,9 +872,6 @@ struct padata_instance *padata_alloc(struct workqueue_struct *wq,
+ 	kobject_init(&pinst->kobj, &padata_attr_type);
+ 	mutex_init(&pinst->lock);
+ 
+-#ifdef CONFIG_HOTPLUG_CPU
+-	cpuhp_state_add_instance_nocalls(hp_online, &pinst->node);
+-#endif
+ 	return pinst;
+ 
+ err_free_masks:
+@@ -1019,26 +893,3 @@ void padata_free(struct padata_instance *pinst)
+ {
+ 	kobject_put(&pinst->kobj);
+ }
+-
+-#ifdef CONFIG_HOTPLUG_CPU
+-
+-static __init int padata_driver_init(void)
+-{
+-	int ret;
+-
+-	ret = cpuhp_setup_state_multi(CPUHP_AP_ONLINE_DYN, "padata:online",
+-				      padata_cpu_online,
+-				      padata_cpu_prep_down);
+-	if (ret < 0)
+-		return ret;
+-	hp_online = ret;
+-	return 0;
+-}
+-module_init(padata_driver_init);
+-
+-static __exit void padata_driver_exit(void)
+-{
+-	cpuhp_remove_multi_state(hp_online);
+-}
+-module_exit(padata_driver_exit);
+-#endif
+-- 
+cgit v1.1-9-ge9c1d
+

diff --git a/net-vpn/wireguard/wireguard-0.0.20170531-r1.ebuild b/net-vpn/wireguard/wireguard-0.0.20170531-r1.ebuild
new file mode 100644
index 00000000000..3d5b1b746f0
--- /dev/null
+++ b/net-vpn/wireguard/wireguard-0.0.20170531-r1.ebuild
@@ -0,0 +1,115 @@
+# Copyright 1999-2017 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=6
+
+inherit linux-mod bash-completion-r1
+
+DESCRIPTION="Simple yet fast and modern VPN that utilizes state-of-the-art cryptography."
+HOMEPAGE="https://www.wireguard.io/"
+
+if [[ ${PV} == 9999 ]]; then
+	inherit git-r3
+	EGIT_REPO_URI="https://git.zx2c4.com/WireGuard"
+	KEYWORDS=""
+else
+	SRC_URI="https://git.zx2c4.com/WireGuard/snapshot/WireGuard-${PV}.tar.xz"
+	S="${WORKDIR}/WireGuard-${PV}"
+	KEYWORDS="~amd64 ~x86 ~mips ~arm ~arm64"
+fi
+
+LICENSE="GPL-2"
+SLOT="0"
+IUSE="debug +module +tools module-src"
+
+DEPEND="tools? ( net-libs/libmnl )"
+RDEPEND="${DEPEND}"
+
+MODULE_NAMES="wireguard(net:src)"
+BUILD_PARAMS="KERNELDIR=${KERNEL_DIR} V=1"
+BUILD_TARGETS="module"
+CONFIG_CHECK="NET INET NET_UDP_TUNNEL NF_CONNTRACK NETFILTER_XT_MATCH_HASHLIMIT CRYPTO_BLKCIPHER ~PADATA ~IP6_NF_IPTABLES"
+WARNING_PADATA="If you're running a multicore system you likely should enable CONFIG_PADATA for improved performance and parallel crypto."
+WARNING_IP6_NF_IPTABLES="If your kernel has CONFIG_IPV6, you need CONFIG_IP6_NF_IPTABLES; otherwise WireGuard will not insert."
+
+pkg_setup() {
+	if use module; then
+		linux-mod_pkg_setup
+		kernel_is -lt 3 10 0 && die "This version of ${PN} requires Linux >= 3.10"
+	fi
+}
+
+src_prepare() {
+	epatch "${FILESDIR}/${P}-remove-padata-hotplug.patch"
+	default
+}
+
+src_compile() {
+	use debug && BUILD_PARAMS="CONFIG_WIREGUARD_DEBUG=y ${BUILD_PARAMS}"
+	use module && linux-mod_src_compile
+	use tools && emake RUNSTATEDIR="${EPREFIX}/run" -C src/tools
+}
+
+src_install() {
+	use module && linux-mod_src_install
+	if use tools; then
+		dodoc README.md
+		dodoc -r contrib/examples
+		emake \
+			WITH_BASHCOMPLETION=yes \
+			WITH_SYSTEMDUNITS=yes \
+			WITH_WGQUICK=yes \
+			DESTDIR="${D}" \
+			BASHCOMPDIR="$(get_bashcompdir)" \
+			PREFIX="${EPREFIX}/usr" \
+			-C src/tools install
+		insinto /$(get_libdir)/netifrc/net
+		newins "${FILESDIR}"/wireguard-openrc.sh wireguard.sh
+	fi
+	use module-src && emake DESTDIR="${D}" PREFIX="${EPREFIX}/usr" -C src dkms-install
+}
+
+pkg_postinst() {
+	if use module-src && ! use module; then
+		einfo
+		einfo "You have enabled the module-src USE flag without the module USE"
+		einfo "flag. This means that sources are installed to"
+		einfo "${ROOT}usr/src/wireguard instead of having the"
+		einfo "kernel module compiled. You will need to compile the module"
+		einfo "yourself. Most likely, you don't want this USE flag, and should"
+		einfo "rather use USE=module"
+		einfo
+	fi
+	use module && linux-mod_pkg_postinst
+
+	ewarn
+	ewarn "This software is experimental and has not yet been released."
+	ewarn "As such, it may contain significant issues. Please do not file"
+	ewarn "bug reports with Gentoo, but rather direct them upstream to:"
+	ewarn
+	ewarn "    team@wireguard.io    security@wireguard.io"
+	ewarn
+
+	if use tools; then
+		einfo
+		einfo "After installing WireGuard, if you'd like to try sending some packets through"
+		einfo "WireGuard, you may use, for testing purposes only, the insecure client.sh"
+		einfo "test example script:"
+		einfo
+		einfo "  \$ bzcat ${ROOT}usr/share/doc/${PF}/examples/ncat-client-server/client.sh.bz2 | sudo bash -"
+		einfo
+		einfo "This will automatically setup interface wg0, through a very insecure transport"
+		einfo "that is only suitable for demonstration purposes. You can then try loading the"
+		einfo "hidden website or sending pings:"
+		einfo
+		einfo "  \$ chromium http://192.168.4.1"
+		einfo "  \$ ping 192.168.4.1"
+		einfo
+		einfo "If you'd like to redirect your internet traffic, you can run it with the"
+		einfo "\"default-route\" argument. You may not use this server for any abusive or illegal"
+		einfo "purposes. It is for quick testing only."
+		einfo
+		einfo "More info on getting started can be found at: https://www.wireguard.io/quickstart/"
+		einfo
+	fi
+}

[gentoo-commits] repo/gentoo:master commit in: net-vpn/wireguard/files/, net-vpn/wireguard/

[Jason Donenfeld]

commit:     e57c17cb57dd02782bf241f0acfad80a4ff30854
Author:     Jason A. Donenfeld <zx2c4 <AT> gentoo <DOT> org>
AuthorDate: Wed Jun  7 12:26:10 2017 +0000
Commit:     Jason Donenfeld <zx2c4 <AT> gentoo <DOT> org>
CommitDate: Wed Jun  7 12:26:43 2017 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e57c17cb

net-vpn/wireguard: backport stability fix for lxd users

Package-Manager: Portage-2.3.6, Repoman-2.3.2

 ...wireguard-0.0.20170531-simultaneous-start.patch | 135 +++++++++++++++++++++
 ...-r1.ebuild => wireguard-0.0.20170531-r2.ebuild} |   8 +-
 net-vpn/wireguard/wireguard-0.0.20170531.ebuild    | 110 -----------------
 3 files changed, 139 insertions(+), 114 deletions(-)

diff --git a/net-vpn/wireguard/files/wireguard-0.0.20170531-simultaneous-start.patch b/net-vpn/wireguard/files/wireguard-0.0.20170531-simultaneous-start.patch
new file mode 100644
index 00000000000..5d5ef64333d
--- /dev/null
+++ b/net-vpn/wireguard/files/wireguard-0.0.20170531-simultaneous-start.patch
@@ -0,0 +1,135 @@
+From 156280bcb881915701b25ad57e1efe2dcef73c6b Mon Sep 17 00:00:00 2001
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+Date: Tue, 6 Jun 2017 21:49:29 +0200
+Subject: noise: fix race when replacing handshake
+
+Replacing an entry that's already been replaced is something that could
+happen when processing handshake messages in parallel, when starting up
+multiple instances on the same machine.
+
+Reported-by: Hubert Goisern <zweizweizwoelf@gmail.com>
+---
+ src/hashtables.c |  5 ++++-
+ src/hashtables.h |  2 +-
+ src/noise.c      | 28 +++++++++++++++++++---------
+ 3 files changed, 24 insertions(+), 11 deletions(-)
+
+diff --git a/src/hashtables.c b/src/hashtables.c
+index db97f7e..a01a899 100644
+--- a/src/hashtables.c
++++ b/src/hashtables.c
+@@ -97,13 +97,16 @@ search_unused_slot:
+ 	return entry->index;
+ }
+ 
+-void index_hashtable_replace(struct index_hashtable *table, struct index_hashtable_entry *old, struct index_hashtable_entry *new)
++bool index_hashtable_replace(struct index_hashtable *table, struct index_hashtable_entry *old, struct index_hashtable_entry *new)
+ {
++	if (unlikely(hlist_unhashed(&old->index_hash)))
++		return false;
+ 	spin_lock_bh(&table->lock);
+ 	new->index = old->index;
+ 	hlist_replace_rcu(&old->index_hash, &new->index_hash);
+ 	INIT_HLIST_NODE(&old->index_hash);
+ 	spin_unlock_bh(&table->lock);
++	return true;
+ }
+ 
+ void index_hashtable_remove(struct index_hashtable *table, struct index_hashtable_entry *entry)
+diff --git a/src/hashtables.h b/src/hashtables.h
+index 9fa47d5..08a2a5d 100644
+--- a/src/hashtables.h
++++ b/src/hashtables.h
+@@ -40,7 +40,7 @@ struct index_hashtable_entry {
+ };
+ void index_hashtable_init(struct index_hashtable *table);
+ __le32 index_hashtable_insert(struct index_hashtable *table, struct index_hashtable_entry *entry);
+-void index_hashtable_replace(struct index_hashtable *table, struct index_hashtable_entry *old, struct index_hashtable_entry *new);
++bool index_hashtable_replace(struct index_hashtable *table, struct index_hashtable_entry *old, struct index_hashtable_entry *new);
+ void index_hashtable_remove(struct index_hashtable *table, struct index_hashtable_entry *entry);
+ struct index_hashtable_entry *index_hashtable_lookup(struct index_hashtable *table, const enum index_hashtable_type type_mask, const __le32 index);
+ 
+diff --git a/src/noise.c b/src/noise.c
+index 7ca2a67..9583ab1 100644
+--- a/src/noise.c
++++ b/src/noise.c
+@@ -59,16 +59,21 @@ bool noise_handshake_init(struct noise_handshake *handshake, struct noise_static
+ 	return noise_precompute_static_static(peer);
+ }
+ 
+-void noise_handshake_clear(struct noise_handshake *handshake)
++static void handshake_zero(struct noise_handshake *handshake)
+ {
+-	index_hashtable_remove(&handshake->entry.peer->device->index_hashtable, &handshake->entry);
+-	down_write(&handshake->lock);
+ 	memset(&handshake->ephemeral_private, 0, NOISE_PUBLIC_KEY_LEN);
+ 	memset(&handshake->remote_ephemeral, 0, NOISE_PUBLIC_KEY_LEN);
+ 	memset(&handshake->hash, 0, NOISE_HASH_LEN);
+ 	memset(&handshake->chaining_key, 0, NOISE_HASH_LEN);
+ 	handshake->remote_index = 0;
+ 	handshake->state = HANDSHAKE_ZEROED;
++}
++
++void noise_handshake_clear(struct noise_handshake *handshake)
++{
++	index_hashtable_remove(&handshake->entry.peer->device->index_hashtable, &handshake->entry);
++	down_write(&handshake->lock);
++	handshake_zero(handshake);
+ 	up_write(&handshake->lock);
+ 	index_hashtable_remove(&handshake->entry.peer->device->index_hashtable, &handshake->entry);
+ }
+@@ -371,8 +376,8 @@ bool noise_handshake_create_initiation(struct message_handshake_initiation *dst,
+ 
+ 	dst->sender_index = index_hashtable_insert(&handshake->entry.peer->device->index_hashtable, &handshake->entry);
+ 
+-	ret = true;
+ 	handshake->state = HANDSHAKE_CREATED_INITIATION;
++	ret = true;
+ 
+ out:
+ 	up_write(&handshake->lock);
+@@ -548,6 +553,11 @@ struct wireguard_peer *noise_handshake_consume_response(struct message_handshake
+ 
+ 	/* Success! Copy everything to peer */
+ 	down_write(&handshake->lock);
++	/* It's important to check that the state is still the same, while we have an exclusive lock */
++	if (handshake->state != state) {
++		up_write(&handshake->lock);
++		goto fail;
++	}
+ 	memcpy(handshake->remote_ephemeral, e, NOISE_PUBLIC_KEY_LEN);
+ 	memcpy(handshake->hash, hash, NOISE_HASH_LEN);
+ 	memcpy(handshake->chaining_key, chaining_key, NOISE_HASH_LEN);
+@@ -573,7 +583,7 @@ bool noise_handshake_begin_session(struct noise_handshake *handshake, struct noi
+ {
+ 	struct noise_keypair *new_keypair;
+ 
+-	down_read(&handshake->lock);
++	down_write(&handshake->lock);
+ 	if (handshake->state != HANDSHAKE_CREATED_RESPONSE && handshake->state != HANDSHAKE_CONSUMED_RESPONSE)
+ 		goto fail;
+ 
+@@ -587,16 +597,16 @@ bool noise_handshake_begin_session(struct noise_handshake *handshake, struct noi
+ 		derive_keys(&new_keypair->sending, &new_keypair->receiving, handshake->chaining_key);
+ 	else
+ 		derive_keys(&new_keypair->receiving, &new_keypair->sending, handshake->chaining_key);
+-	up_read(&handshake->lock);
+ 
++	handshake_zero(handshake);
+ 	add_new_keypair(keypairs, new_keypair);
+-	index_hashtable_replace(&handshake->entry.peer->device->index_hashtable, &handshake->entry, &new_keypair->entry);
+-	noise_handshake_clear(handshake);
+ 	net_dbg_ratelimited("%s: Keypair %Lu created for peer %Lu\n", netdev_pub(new_keypair->entry.peer->device)->name, new_keypair->internal_id, new_keypair->entry.peer->internal_id);
++	WARN_ON(!index_hashtable_replace(&handshake->entry.peer->device->index_hashtable, &handshake->entry, &new_keypair->entry));
++	up_write(&handshake->lock);
+ 
+ 	return true;
+ 
+ fail:
+-	up_read(&handshake->lock);
++	up_write(&handshake->lock);
+ 	return false;
+ }
+-- 
+cgit v1.1-9-ge9c1d
+

diff --git a/net-vpn/wireguard/wireguard-0.0.20170531-r1.ebuild b/net-vpn/wireguard/wireguard-0.0.20170531-r2.ebuild
similarity index 97%
rename from net-vpn/wireguard/wireguard-0.0.20170531-r1.ebuild
rename to net-vpn/wireguard/wireguard-0.0.20170531-r2.ebuild
index 3d5b1b746f0..db171b012c3 100644
--- a/net-vpn/wireguard/wireguard-0.0.20170531-r1.ebuild
+++ b/net-vpn/wireguard/wireguard-0.0.20170531-r2.ebuild
@@ -39,10 +39,10 @@ pkg_setup() {
 	fi
 }
 
-src_prepare() {
-	epatch "${FILESDIR}/${P}-remove-padata-hotplug.patch"
-	default
-}
+PATCHES=(
+	"${FILESDIR}/${P}-remove-padata-hotplug.patch"
+	"${FILESDIR}/${P}-simultaneous-start.patch"
+)
 
 src_compile() {
 	use debug && BUILD_PARAMS="CONFIG_WIREGUARD_DEBUG=y ${BUILD_PARAMS}"

diff --git a/net-vpn/wireguard/wireguard-0.0.20170531.ebuild b/net-vpn/wireguard/wireguard-0.0.20170531.ebuild
deleted file mode 100644
index 1406c6d3ade..00000000000
--- a/net-vpn/wireguard/wireguard-0.0.20170531.ebuild
+++ /dev/null
@@ -1,110 +0,0 @@
-# Copyright 1999-2017 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=6
-
-inherit linux-mod bash-completion-r1
-
-DESCRIPTION="Simple yet fast and modern VPN that utilizes state-of-the-art cryptography."
-HOMEPAGE="https://www.wireguard.io/"
-
-if [[ ${PV} == 9999 ]]; then
-	inherit git-r3
-	EGIT_REPO_URI="https://git.zx2c4.com/WireGuard"
-	KEYWORDS=""
-else
-	SRC_URI="https://git.zx2c4.com/WireGuard/snapshot/WireGuard-${PV}.tar.xz"
-	S="${WORKDIR}/WireGuard-${PV}"
-	KEYWORDS="~amd64 ~x86 ~mips ~arm ~arm64"
-fi
-
-LICENSE="GPL-2"
-SLOT="0"
-IUSE="debug +module +tools module-src"
-
-DEPEND="tools? ( net-libs/libmnl )"
-RDEPEND="${DEPEND}"
-
-MODULE_NAMES="wireguard(net:src)"
-BUILD_PARAMS="KERNELDIR=${KERNEL_DIR} V=1"
-BUILD_TARGETS="module"
-CONFIG_CHECK="NET INET NET_UDP_TUNNEL NF_CONNTRACK NETFILTER_XT_MATCH_HASHLIMIT CRYPTO_BLKCIPHER ~PADATA ~IP6_NF_IPTABLES"
-WARNING_PADATA="If you're running a multicore system you likely should enable CONFIG_PADATA for improved performance and parallel crypto."
-WARNING_IP6_NF_IPTABLES="If your kernel has CONFIG_IPV6, you need CONFIG_IP6_NF_IPTABLES; otherwise WireGuard will not insert."
-
-pkg_setup() {
-	if use module; then
-		linux-mod_pkg_setup
-		kernel_is -lt 3 10 0 && die "This version of ${PN} requires Linux >= 3.10"
-	fi
-}
-
-src_compile() {
-	use debug && BUILD_PARAMS="CONFIG_WIREGUARD_DEBUG=y ${BUILD_PARAMS}"
-	use module && linux-mod_src_compile
-	use tools && emake RUNSTATEDIR="${EPREFIX}/run" -C src/tools
-}
-
-src_install() {
-	use module && linux-mod_src_install
-	if use tools; then
-		dodoc README.md
-		dodoc -r contrib/examples
-		emake \
-			WITH_BASHCOMPLETION=yes \
-			WITH_SYSTEMDUNITS=yes \
-			WITH_WGQUICK=yes \
-			DESTDIR="${D}" \
-			BASHCOMPDIR="$(get_bashcompdir)" \
-			PREFIX="${EPREFIX}/usr" \
-			-C src/tools install
-		insinto /$(get_libdir)/netifrc/net
-		newins "${FILESDIR}"/wireguard-openrc.sh wireguard.sh
-	fi
-	use module-src && emake DESTDIR="${D}" PREFIX="${EPREFIX}/usr" -C src dkms-install
-}
-
-pkg_postinst() {
-	if use module-src && ! use module; then
-		einfo
-		einfo "You have enabled the module-src USE flag without the module USE"
-		einfo "flag. This means that sources are installed to"
-		einfo "${ROOT}usr/src/wireguard instead of having the"
-		einfo "kernel module compiled. You will need to compile the module"
-		einfo "yourself. Most likely, you don't want this USE flag, and should"
-		einfo "rather use USE=module"
-		einfo
-	fi
-	use module && linux-mod_pkg_postinst
-
-	ewarn
-	ewarn "This software is experimental and has not yet been released."
-	ewarn "As such, it may contain significant issues. Please do not file"
-	ewarn "bug reports with Gentoo, but rather direct them upstream to:"
-	ewarn
-	ewarn "    team@wireguard.io    security@wireguard.io"
-	ewarn
-
-	if use tools; then
-		einfo
-		einfo "After installing WireGuard, if you'd like to try sending some packets through"
-		einfo "WireGuard, you may use, for testing purposes only, the insecure client.sh"
-		einfo "test example script:"
-		einfo
-		einfo "  \$ bzcat ${ROOT}usr/share/doc/${PF}/examples/ncat-client-server/client.sh.bz2 | sudo bash -"
-		einfo
-		einfo "This will automatically setup interface wg0, through a very insecure transport"
-		einfo "that is only suitable for demonstration purposes. You can then try loading the"
-		einfo "hidden website or sending pings:"
-		einfo
-		einfo "  \$ chromium http://192.168.4.1"
-		einfo "  \$ ping 192.168.4.1"
-		einfo
-		einfo "If you'd like to redirect your internet traffic, you can run it with the"
-		einfo "\"default-route\" argument. You may not use this server for any abusive or illegal"
-		einfo "purposes. It is for quick testing only."
-		einfo
-		einfo "More info on getting started can be found at: https://www.wireguard.io/quickstart/"
-		einfo
-	fi
-}

[gentoo-commits] repo/gentoo:master commit in: net-vpn/wireguard/files/, net-vpn/wireguard/

[Jason Donenfeld]

commit:     568950c856a4855cb371b0c52fe63356a39ce3f6
Author:     Jason A. Donenfeld <zx2c4 <AT> gentoo <DOT> org>
AuthorDate: Mon Jun 12 03:45:34 2017 +0000
Commit:     Jason Donenfeld <zx2c4 <AT> gentoo <DOT> org>
CommitDate: Mon Jun 12 03:45:46 2017 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=568950c8

net-vpn/wireguard: version bump

Package-Manager: Portage-2.3.6, Repoman-2.3.2

 net-vpn/wireguard/Manifest                         |   2 +-
 ...eguard-0.0.20170531-remove-padata-hotplug.patch | 188 ---------------------
 ...wireguard-0.0.20170531-simultaneous-start.patch | 135 ---------------
 ...531-r2.ebuild => wireguard-0.0.20170612.ebuild} |   5 -
 4 files changed, 1 insertion(+), 329 deletions(-)

diff --git a/net-vpn/wireguard/Manifest b/net-vpn/wireguard/Manifest
index 57562cde968..989d1ae06fd 100644
--- a/net-vpn/wireguard/Manifest
+++ b/net-vpn/wireguard/Manifest
@@ -1 +1 @@
-DIST WireGuard-0.0.20170531.tar.xz 162816 SHA256 2eb7d9aaf11dcb35e5066837bb1c768398ad3655744fdeb656bd7e7c7ad7cacc SHA512 82ad68e61ccd2844837f817065f7576839cb19e278d28c140d168620fe257f41f201de069105f3b4e2a104d9390460409e831581f2dc02a1bfda18c13c410bed WHIRLPOOL eabf39acf06ec88baa1ddbab31929bc48a48876cb26afe6129bb7dd30a712ed5230220c1bd832d43a546ccbb2b8229d4127af4767656c42d0e0a5e63c026bf73
+DIST WireGuard-0.0.20170612.tar.xz 160484 SHA256 842f338b0e8c3e79adb7a2b27a2c59fd73875d8bc1d6a9111e09a93538ed6f75 SHA512 9aecfcc5c3ef3987f8e9cf0350bd0522c8828ba2a07ced220da80cd93fc87d6b5d783ed788a4c882e1b70e64807e5e422d7dc8a90a8987a92c6bbfc98974eec6 WHIRLPOOL 63381926dc9556971ec3cd80fa4a176692a650aa7caaa08a4377f7910d5f818f0a582f127735a5a164a49ce5697d2db8889b61257b2b0f2b25fa60f725df052e

diff --git a/net-vpn/wireguard/files/wireguard-0.0.20170531-remove-padata-hotplug.patch b/net-vpn/wireguard/files/wireguard-0.0.20170531-remove-padata-hotplug.patch
deleted file mode 100644
index a1f4b80d01d..00000000000
--- a/net-vpn/wireguard/files/wireguard-0.0.20170531-remove-padata-hotplug.patch
+++ /dev/null
@@ -1,188 +0,0 @@
-From 1e0405942cecfd6de2a7707f3027f326d6f2fdb4 Mon Sep 17 00:00:00 2001
-From: "Jason A. Donenfeld" <Jason@zx2c4.com>
-Date: Thu, 1 Jun 2017 16:55:20 +0200
-Subject: compat: remove padata hotplug code
-
-It's different on different kernel versions, and we're not using it
-anyway, so it's easiest to just get rid of it, rather than having
-another ifdef maze.
----
- src/compat/padata/padata.c | 149 ---------------------------------------------
- 1 file changed, 149 deletions(-)
-
-diff --git a/src/compat/padata/padata.c b/src/compat/padata/padata.c
-index 480c43f..25836db 100644
---- a/src/compat/padata/padata.c
-+++ b/src/compat/padata/padata.c
-@@ -677,131 +677,8 @@ void padata_stop(struct padata_instance *pinst)
- 	mutex_unlock(&pinst->lock);
- }
- 
--#ifdef CONFIG_HOTPLUG_CPU
--
--static int __padata_add_cpu(struct padata_instance *pinst, int cpu)
--{
--	struct parallel_data *pd;
--
--	if (cpumask_test_cpu(cpu, cpu_online_mask)) {
--		pd = padata_alloc_pd(pinst, pinst->cpumask.pcpu,
--				     pinst->cpumask.cbcpu);
--		if (!pd)
--			return -ENOMEM;
--
--		padata_replace(pinst, pd);
--
--		if (padata_validate_cpumask(pinst, pinst->cpumask.pcpu) &&
--		    padata_validate_cpumask(pinst, pinst->cpumask.cbcpu))
--			__padata_start(pinst);
--	}
--
--	return 0;
--}
--
--static int __padata_remove_cpu(struct padata_instance *pinst, int cpu)
--{
--	struct parallel_data *pd = NULL;
--
--	if (cpumask_test_cpu(cpu, cpu_online_mask)) {
--
--		if (!padata_validate_cpumask(pinst, pinst->cpumask.pcpu) ||
--		    !padata_validate_cpumask(pinst, pinst->cpumask.cbcpu))
--			__padata_stop(pinst);
--
--		pd = padata_alloc_pd(pinst, pinst->cpumask.pcpu,
--				     pinst->cpumask.cbcpu);
--		if (!pd)
--			return -ENOMEM;
--
--		padata_replace(pinst, pd);
--
--		cpumask_clear_cpu(cpu, pd->cpumask.cbcpu);
--		cpumask_clear_cpu(cpu, pd->cpumask.pcpu);
--	}
--
--	return 0;
--}
--
-- /**
-- * padata_remove_cpu - remove a cpu from the one or both(serial and parallel)
-- *                     padata cpumasks.
-- *
-- * @pinst: padata instance
-- * @cpu: cpu to remove
-- * @mask: bitmask specifying from which cpumask @cpu should be removed
-- *        The @mask may be any combination of the following flags:
-- *          PADATA_CPU_SERIAL   - serial cpumask
-- *          PADATA_CPU_PARALLEL - parallel cpumask
-- */
--int padata_remove_cpu(struct padata_instance *pinst, int cpu, int mask)
--{
--	int err;
--
--	if (!(mask & (PADATA_CPU_SERIAL | PADATA_CPU_PARALLEL)))
--		return -EINVAL;
--
--	mutex_lock(&pinst->lock);
--
--	get_online_cpus();
--	if (mask & PADATA_CPU_SERIAL)
--		cpumask_clear_cpu(cpu, pinst->cpumask.cbcpu);
--	if (mask & PADATA_CPU_PARALLEL)
--		cpumask_clear_cpu(cpu, pinst->cpumask.pcpu);
--
--	err = __padata_remove_cpu(pinst, cpu);
--	put_online_cpus();
--
--	mutex_unlock(&pinst->lock);
--
--	return err;
--}
--
--static inline int pinst_has_cpu(struct padata_instance *pinst, int cpu)
--{
--	return cpumask_test_cpu(cpu, pinst->cpumask.pcpu) ||
--		cpumask_test_cpu(cpu, pinst->cpumask.cbcpu);
--}
--
--static int padata_cpu_online(unsigned int cpu, struct hlist_node *node)
--{
--	struct padata_instance *pinst;
--	int ret;
--
--	pinst = hlist_entry_safe(node, struct padata_instance, node);
--	if (!pinst_has_cpu(pinst, cpu))
--		return 0;
--
--	mutex_lock(&pinst->lock);
--	ret = __padata_add_cpu(pinst, cpu);
--	mutex_unlock(&pinst->lock);
--	return ret;
--}
--
--static int padata_cpu_prep_down(unsigned int cpu, struct hlist_node *node)
--{
--	struct padata_instance *pinst;
--	int ret;
--
--	pinst = hlist_entry_safe(node, struct padata_instance, node);
--	if (!pinst_has_cpu(pinst, cpu))
--		return 0;
--
--	mutex_lock(&pinst->lock);
--	ret = __padata_remove_cpu(pinst, cpu);
--	mutex_unlock(&pinst->lock);
--	return ret;
--}
--
--static enum cpuhp_state hp_online;
--#endif
--
- static void __padata_free(struct padata_instance *pinst)
- {
--#ifdef CONFIG_HOTPLUG_CPU
--	cpuhp_state_remove_instance_nocalls(hp_online, &pinst->node);
--#endif
--
- 	padata_stop(pinst);
- 	padata_free_pd(pinst->pd);
- 	free_cpumask_var(pinst->cpumask.pcpu);
-@@ -995,9 +872,6 @@ struct padata_instance *padata_alloc(struct workqueue_struct *wq,
- 	kobject_init(&pinst->kobj, &padata_attr_type);
- 	mutex_init(&pinst->lock);
- 
--#ifdef CONFIG_HOTPLUG_CPU
--	cpuhp_state_add_instance_nocalls(hp_online, &pinst->node);
--#endif
- 	return pinst;
- 
- err_free_masks:
-@@ -1019,26 +893,3 @@ void padata_free(struct padata_instance *pinst)
- {
- 	kobject_put(&pinst->kobj);
- }
--
--#ifdef CONFIG_HOTPLUG_CPU
--
--static __init int padata_driver_init(void)
--{
--	int ret;
--
--	ret = cpuhp_setup_state_multi(CPUHP_AP_ONLINE_DYN, "padata:online",
--				      padata_cpu_online,
--				      padata_cpu_prep_down);
--	if (ret < 0)
--		return ret;
--	hp_online = ret;
--	return 0;
--}
--module_init(padata_driver_init);
--
--static __exit void padata_driver_exit(void)
--{
--	cpuhp_remove_multi_state(hp_online);
--}
--module_exit(padata_driver_exit);
--#endif
--- 
-cgit v1.1-9-ge9c1d
-

diff --git a/net-vpn/wireguard/files/wireguard-0.0.20170531-simultaneous-start.patch b/net-vpn/wireguard/files/wireguard-0.0.20170531-simultaneous-start.patch
deleted file mode 100644
index 5d5ef64333d..00000000000
--- a/net-vpn/wireguard/files/wireguard-0.0.20170531-simultaneous-start.patch
+++ /dev/null
@@ -1,135 +0,0 @@
-From 156280bcb881915701b25ad57e1efe2dcef73c6b Mon Sep 17 00:00:00 2001
-From: "Jason A. Donenfeld" <Jason@zx2c4.com>
-Date: Tue, 6 Jun 2017 21:49:29 +0200
-Subject: noise: fix race when replacing handshake
-
-Replacing an entry that's already been replaced is something that could
-happen when processing handshake messages in parallel, when starting up
-multiple instances on the same machine.
-
-Reported-by: Hubert Goisern <zweizweizwoelf@gmail.com>
----
- src/hashtables.c |  5 ++++-
- src/hashtables.h |  2 +-
- src/noise.c      | 28 +++++++++++++++++++---------
- 3 files changed, 24 insertions(+), 11 deletions(-)
-
-diff --git a/src/hashtables.c b/src/hashtables.c
-index db97f7e..a01a899 100644
---- a/src/hashtables.c
-+++ b/src/hashtables.c
-@@ -97,13 +97,16 @@ search_unused_slot:
- 	return entry->index;
- }
- 
--void index_hashtable_replace(struct index_hashtable *table, struct index_hashtable_entry *old, struct index_hashtable_entry *new)
-+bool index_hashtable_replace(struct index_hashtable *table, struct index_hashtable_entry *old, struct index_hashtable_entry *new)
- {
-+	if (unlikely(hlist_unhashed(&old->index_hash)))
-+		return false;
- 	spin_lock_bh(&table->lock);
- 	new->index = old->index;
- 	hlist_replace_rcu(&old->index_hash, &new->index_hash);
- 	INIT_HLIST_NODE(&old->index_hash);
- 	spin_unlock_bh(&table->lock);
-+	return true;
- }
- 
- void index_hashtable_remove(struct index_hashtable *table, struct index_hashtable_entry *entry)
-diff --git a/src/hashtables.h b/src/hashtables.h
-index 9fa47d5..08a2a5d 100644
---- a/src/hashtables.h
-+++ b/src/hashtables.h
-@@ -40,7 +40,7 @@ struct index_hashtable_entry {
- };
- void index_hashtable_init(struct index_hashtable *table);
- __le32 index_hashtable_insert(struct index_hashtable *table, struct index_hashtable_entry *entry);
--void index_hashtable_replace(struct index_hashtable *table, struct index_hashtable_entry *old, struct index_hashtable_entry *new);
-+bool index_hashtable_replace(struct index_hashtable *table, struct index_hashtable_entry *old, struct index_hashtable_entry *new);
- void index_hashtable_remove(struct index_hashtable *table, struct index_hashtable_entry *entry);
- struct index_hashtable_entry *index_hashtable_lookup(struct index_hashtable *table, const enum index_hashtable_type type_mask, const __le32 index);
- 
-diff --git a/src/noise.c b/src/noise.c
-index 7ca2a67..9583ab1 100644
---- a/src/noise.c
-+++ b/src/noise.c
-@@ -59,16 +59,21 @@ bool noise_handshake_init(struct noise_handshake *handshake, struct noise_static
- 	return noise_precompute_static_static(peer);
- }
- 
--void noise_handshake_clear(struct noise_handshake *handshake)
-+static void handshake_zero(struct noise_handshake *handshake)
- {
--	index_hashtable_remove(&handshake->entry.peer->device->index_hashtable, &handshake->entry);
--	down_write(&handshake->lock);
- 	memset(&handshake->ephemeral_private, 0, NOISE_PUBLIC_KEY_LEN);
- 	memset(&handshake->remote_ephemeral, 0, NOISE_PUBLIC_KEY_LEN);
- 	memset(&handshake->hash, 0, NOISE_HASH_LEN);
- 	memset(&handshake->chaining_key, 0, NOISE_HASH_LEN);
- 	handshake->remote_index = 0;
- 	handshake->state = HANDSHAKE_ZEROED;
-+}
-+
-+void noise_handshake_clear(struct noise_handshake *handshake)
-+{
-+	index_hashtable_remove(&handshake->entry.peer->device->index_hashtable, &handshake->entry);
-+	down_write(&handshake->lock);
-+	handshake_zero(handshake);
- 	up_write(&handshake->lock);
- 	index_hashtable_remove(&handshake->entry.peer->device->index_hashtable, &handshake->entry);
- }
-@@ -371,8 +376,8 @@ bool noise_handshake_create_initiation(struct message_handshake_initiation *dst,
- 
- 	dst->sender_index = index_hashtable_insert(&handshake->entry.peer->device->index_hashtable, &handshake->entry);
- 
--	ret = true;
- 	handshake->state = HANDSHAKE_CREATED_INITIATION;
-+	ret = true;
- 
- out:
- 	up_write(&handshake->lock);
-@@ -548,6 +553,11 @@ struct wireguard_peer *noise_handshake_consume_response(struct message_handshake
- 
- 	/* Success! Copy everything to peer */
- 	down_write(&handshake->lock);
-+	/* It's important to check that the state is still the same, while we have an exclusive lock */
-+	if (handshake->state != state) {
-+		up_write(&handshake->lock);
-+		goto fail;
-+	}
- 	memcpy(handshake->remote_ephemeral, e, NOISE_PUBLIC_KEY_LEN);
- 	memcpy(handshake->hash, hash, NOISE_HASH_LEN);
- 	memcpy(handshake->chaining_key, chaining_key, NOISE_HASH_LEN);
-@@ -573,7 +583,7 @@ bool noise_handshake_begin_session(struct noise_handshake *handshake, struct noi
- {
- 	struct noise_keypair *new_keypair;
- 
--	down_read(&handshake->lock);
-+	down_write(&handshake->lock);
- 	if (handshake->state != HANDSHAKE_CREATED_RESPONSE && handshake->state != HANDSHAKE_CONSUMED_RESPONSE)
- 		goto fail;
- 
-@@ -587,16 +597,16 @@ bool noise_handshake_begin_session(struct noise_handshake *handshake, struct noi
- 		derive_keys(&new_keypair->sending, &new_keypair->receiving, handshake->chaining_key);
- 	else
- 		derive_keys(&new_keypair->receiving, &new_keypair->sending, handshake->chaining_key);
--	up_read(&handshake->lock);
- 
-+	handshake_zero(handshake);
- 	add_new_keypair(keypairs, new_keypair);
--	index_hashtable_replace(&handshake->entry.peer->device->index_hashtable, &handshake->entry, &new_keypair->entry);
--	noise_handshake_clear(handshake);
- 	net_dbg_ratelimited("%s: Keypair %Lu created for peer %Lu\n", netdev_pub(new_keypair->entry.peer->device)->name, new_keypair->internal_id, new_keypair->entry.peer->internal_id);
-+	WARN_ON(!index_hashtable_replace(&handshake->entry.peer->device->index_hashtable, &handshake->entry, &new_keypair->entry));
-+	up_write(&handshake->lock);
- 
- 	return true;
- 
- fail:
--	up_read(&handshake->lock);
-+	up_write(&handshake->lock);
- 	return false;
- }
--- 
-cgit v1.1-9-ge9c1d
-

diff --git a/net-vpn/wireguard/wireguard-0.0.20170531-r2.ebuild b/net-vpn/wireguard/wireguard-0.0.20170612.ebuild
similarity index 97%
rename from net-vpn/wireguard/wireguard-0.0.20170531-r2.ebuild
rename to net-vpn/wireguard/wireguard-0.0.20170612.ebuild
index db171b012c3..1406c6d3ade 100644
--- a/net-vpn/wireguard/wireguard-0.0.20170531-r2.ebuild
+++ b/net-vpn/wireguard/wireguard-0.0.20170612.ebuild
@@ -39,11 +39,6 @@ pkg_setup() {
 	fi
 }
 
-PATCHES=(
-	"${FILESDIR}/${P}-remove-padata-hotplug.patch"
-	"${FILESDIR}/${P}-simultaneous-start.patch"
-)
-
 src_compile() {
 	use debug && BUILD_PARAMS="CONFIG_WIREGUARD_DEBUG=y ${BUILD_PARAMS}"
 	use module && linux-mod_src_compile

[gentoo-commits] repo/gentoo:master commit in: net-vpn/wireguard/files/, net-vpn/wireguard/

[Jason Donenfeld]

commit:     c58b1895381f1fc0686da6770137bd48ba163392
Author:     Jason A. Donenfeld <zx2c4 <AT> gentoo <DOT> org>
AuthorDate: Mon Jun 12 22:26:57 2017 +0000
Commit:     Jason Donenfeld <zx2c4 <AT> gentoo <DOT> org>
CommitDate: Mon Jun 12 22:27:05 2017 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c58b1895

net-vpn/wireguard: version bump

Package-Manager: Portage-2.3.6, Repoman-2.3.2

 net-vpn/wireguard/Manifest                         |  2 +-
 .../wireguard-0.0.20170612-wait-for-rng.patch      | 94 ----------------------
 ...612-r1.ebuild => wireguard-0.0.20170613.ebuild} |  2 -
 3 files changed, 1 insertion(+), 97 deletions(-)

diff --git a/net-vpn/wireguard/Manifest b/net-vpn/wireguard/Manifest
index 207265f427a..581050e5fb7 100644
--- a/net-vpn/wireguard/Manifest
+++ b/net-vpn/wireguard/Manifest
@@ -1 +1 @@
-DIST WireGuard-0.0.20170612.tar.xz 160712 SHA256 34efc70703f2b1ae38fd2bcc4c6031b4acc3f303c6e182a1958b7cf236a529ab SHA512 152642f7d1169947ec4c2619930f2e3756ab219113be15fc8f462edd234d1df4a50c297792e9fdef041b5e7729c2e3e72ceb80dfd1d0a7309dde16a13b3da99b WHIRLPOOL 8293879180a538279426dcfca3efb328f380413d1601997752e15ff8049bbe1d0f4112fe49fde0995695853e6e062c0fe7847e9db3d6bee9ba1ab5e4e1d71e28
+DIST WireGuard-0.0.20170613.tar.xz 160496 SHA256 88ac77569eeb79c517318d58a0954caa0a4d2a6a1694e74c2a3b1c14438ac941 SHA512 71b31900f8064415b54a023042a199f77ba212466ffa4f6fb13428f8acc592873e6f8d75063d6777464c6b13bfa86949be2036ff62179aaae2f63c0a99937987 WHIRLPOOL f10ed8c01b349ecd2a76db8022f3bf1ef0e2895382ee01f85b748cab3d99f3cd4546dd15eea695aa1e08aa34ad7856821df6039630f7569e14d64c3476a80aed

diff --git a/net-vpn/wireguard/files/wireguard-0.0.20170612-wait-for-rng.patch b/net-vpn/wireguard/files/wireguard-0.0.20170612-wait-for-rng.patch
deleted file mode 100644
index 0b5803c839d..00000000000
--- a/net-vpn/wireguard/files/wireguard-0.0.20170612-wait-for-rng.patch
+++ /dev/null
@@ -1,94 +0,0 @@
-From 401294f7526de40a15c06997fceae58278807d22 Mon Sep 17 00:00:00 2001
-From: "Jason A. Donenfeld" <Jason@zx2c4.com>
-Date: Mon, 12 Jun 2017 16:32:59 +0200
-Subject: [PATCH] random: wait for random bytes when generating nonces and
- ephemerals
-
-We can let userspace configure wireguard interfaces before the RNG is
-fully initialized, since what we mostly care about is having good
-randomness for ephemerals and xchacha nonces. By deferring the wait to
-actually asking for the randomness, we give a lot more opportunity for
-gathering entropy. This won't cover entropy for hash table secrets or
-cookie secrets (which rotate anyway), but those have far less
-catastrophic failure modes, so ensuring good randomness for elliptic
-curve points and nonces should be sufficient.
----
- src/compat/compat.h     | 10 ++++++++++
- src/config.c            |  5 -----
- src/cookie.c            |  2 +-
- src/crypto/curve25519.c |  2 +-
- 4 files changed, 12 insertions(+), 7 deletions(-)
-
-diff --git a/src/compat/compat.h b/src/compat/compat.h
-index 68d62b9..6c1bfa3 100644
---- a/src/compat/compat.h
-+++ b/src/compat/compat.h
-@@ -265,6 +265,16 @@ static inline int wait_for_random_bytes(void)
- 	return 0;
- }
- #endif
-+#if LINUX_VERSION_CODE < KERNEL_VERSION(4, 13, 0)
-+static inline int get_random_bytes_wait(void *buf, int nbytes)
-+{
-+	int ret = wait_for_random_bytes();
-+	if (unlikely(ret))
-+		return ret;
-+	get_random_bytes(buf, nbytes);
-+	return 0;
-+}
-+#endif
- 
- /* https://lkml.org/lkml/2015/6/12/415 */
- #include <linux/netdevice.h>
-diff --git a/src/config.c b/src/config.c
-index 286c874..d3b6611 100644
---- a/src/config.c
-+++ b/src/config.c
-@@ -8,7 +8,6 @@
- #include "hashtables.h"
- #include "peer.h"
- #include "uapi.h"
--#include <linux/random.h>
- 
- static int set_device_port(struct wireguard_device *wg, u16 port)
- {
-@@ -135,10 +134,6 @@ int config_set_device(struct wireguard_device *wg, void __user *user_device)
- 	void __user *user_peer;
- 	bool modified_static_identity = false;
- 
--	/* It's important that the Linux RNG is fully seeded before we let the user
--	 * actually configure the device, so that we're assured to have good ephemerals. */
--	wait_for_random_bytes();
--
- 	BUILD_BUG_ON(WG_KEY_LEN != NOISE_PUBLIC_KEY_LEN);
- 	BUILD_BUG_ON(WG_KEY_LEN != NOISE_SYMMETRIC_KEY_LEN);
- 
-diff --git a/src/cookie.c b/src/cookie.c
-index 21b7c7b..ce22b53 100644
---- a/src/cookie.c
-+++ b/src/cookie.c
-@@ -161,7 +161,7 @@ void cookie_message_create(struct message_handshake_cookie *dst, struct sk_buff
- 
- 	dst->header.type = cpu_to_le32(MESSAGE_HANDSHAKE_COOKIE);
- 	dst->receiver_index = index;
--	get_random_bytes(dst->nonce, COOKIE_NONCE_LEN);
-+	get_random_bytes_wait(dst->nonce, COOKIE_NONCE_LEN);
- 
- 	make_cookie(cookie, skb, checker);
- 	xchacha20poly1305_encrypt(dst->encrypted_cookie, cookie, COOKIE_LEN, macs->mac1, COOKIE_LEN, dst->nonce, checker->cookie_encryption_key);
-diff --git a/src/crypto/curve25519.c b/src/crypto/curve25519.c
-index f0e045e..119d41a 100644
---- a/src/crypto/curve25519.c
-+++ b/src/crypto/curve25519.c
-@@ -1545,7 +1545,7 @@ bool curve25519_generate_public(u8 pub[CURVE25519_POINT_SIZE], const u8 secret[C
- 
- void curve25519_generate_secret(u8 secret[CURVE25519_POINT_SIZE])
- {
--	get_random_bytes(secret, CURVE25519_POINT_SIZE);
-+	get_random_bytes_wait(secret, CURVE25519_POINT_SIZE);
- 	normalize_secret(secret);
- }
- 
--- 
-2.13.1
-

diff --git a/net-vpn/wireguard/wireguard-0.0.20170612-r1.ebuild b/net-vpn/wireguard/wireguard-0.0.20170613.ebuild
similarity index 98%
rename from net-vpn/wireguard/wireguard-0.0.20170612-r1.ebuild
rename to net-vpn/wireguard/wireguard-0.0.20170613.ebuild
index c4df19fc775..2bc281b63b0 100644
--- a/net-vpn/wireguard/wireguard-0.0.20170612-r1.ebuild
+++ b/net-vpn/wireguard/wireguard-0.0.20170613.ebuild
@@ -32,8 +32,6 @@ CONFIG_CHECK="NET INET NET_UDP_TUNNEL NF_CONNTRACK NETFILTER_XT_MATCH_HASHLIMIT
 WARNING_PADATA="If you're running a multicore system you likely should enable CONFIG_PADATA for improved performance and parallel crypto."
 WARNING_IP6_NF_IPTABLES="If your kernel has CONFIG_IPV6, you need CONFIG_IP6_NF_IPTABLES; otherwise WireGuard will not insert."
 
-PATCHES=( "${FILESDIR}/${P}-wait-for-rng.patch" )
-
 pkg_setup() {
 	if use module; then
 		linux-mod_pkg_setup

[gentoo-commits] repo/gentoo:master commit in: net-vpn/wireguard/files/, net-vpn/wireguard/

[Jason Donenfeld]

commit:     544a669875539c09fa3702310a6ecbb1abf2d6d7
Author:     Jason A. Donenfeld <zx2c4 <AT> gentoo <DOT> org>
AuthorDate: Sat Oct 21 00:10:40 2017 +0000
Commit:     Jason Donenfeld <zx2c4 <AT> gentoo <DOT> org>
CommitDate: Sat Oct 21 00:11:13 2017 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=544a6698

net-vpn/wireguard: include headers for happy building

Package-Manager: Portage-2.3.11, Repoman-2.3.3

 .../wireguard-0.0.20171017-blake-headers.patch     | 25 ++++++++++++++++++++++
 net-vpn/wireguard/wireguard-0.0.20171017.ebuild    |  2 ++
 2 files changed, 27 insertions(+)

diff --git a/net-vpn/wireguard/files/wireguard-0.0.20171017-blake-headers.patch b/net-vpn/wireguard/files/wireguard-0.0.20171017-blake-headers.patch
new file mode 100644
index 00000000000..d083a80fb5b
--- /dev/null
+++ b/net-vpn/wireguard/files/wireguard-0.0.20171017-blake-headers.patch
@@ -0,0 +1,25 @@
+From cf21875fe39d21bff2028a78921e03d96dc56e5a Mon Sep 17 00:00:00 2001
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+Date: Sat, 21 Oct 2017 01:30:45 +0200
+Subject: blake2: include headers for macros
+
+---
+ src/crypto/blake2s.h | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/crypto/blake2s.h b/src/crypto/blake2s.h
+index 615010f..99de9f9 100644
+--- a/src/crypto/blake2s.h
++++ b/src/crypto/blake2s.h
+@@ -4,6 +4,8 @@
+ #define _WG_BLAKE2S_H
+ 
+ #include <linux/types.h>
++#include <linux/kernel.h>
++#include <crypto/algapi.h>
+ 
+ enum blake2s_lengths {
+ 	BLAKE2S_BLOCKBYTES = 64,
+-- 
+cgit v1.1-31-g4243
+

diff --git a/net-vpn/wireguard/wireguard-0.0.20171017.ebuild b/net-vpn/wireguard/wireguard-0.0.20171017.ebuild
index fdc71975143..64a7738a1b8 100644
--- a/net-vpn/wireguard/wireguard-0.0.20171017.ebuild
+++ b/net-vpn/wireguard/wireguard-0.0.20171017.ebuild
@@ -30,6 +30,8 @@ MODULE_NAMES="wireguard(kernel/drivers/net:src)"
 BUILD_TARGETS="module"
 CONFIG_CHECK="NET INET NET_UDP_TUNNEL CRYPTO_BLKCIPHER"
 
+PATCHES=( "${FILESDIR}/${P}-blake-headers.patch" )
+
 pkg_setup() {
 	if use module; then
 		linux-mod_pkg_setup

[gentoo-commits] repo/gentoo:master commit in: net-vpn/wireguard/files/, net-vpn/wireguard/

[Jason Donenfeld]

commit:     3b32a8f48a799318b5c06e42de40599dd71d0618
Author:     Jason A. Donenfeld <zx2c4 <AT> gentoo <DOT> org>
AuthorDate: Tue Oct 31 17:35:03 2017 +0000
Commit:     Jason Donenfeld <zx2c4 <AT> gentoo <DOT> org>
CommitDate: Tue Oct 31 17:35:39 2017 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3b32a8f4

net-vpn/wireguard: version bump

Package-Manager: Portage-2.3.11, Repoman-2.3.3

 net-vpn/wireguard/Manifest                         |  2 +-
 .../wireguard-0.0.20171017-blake-headers.patch     | 25 ----------------------
 ...171017.ebuild => wireguard-0.0.20171031.ebuild} |  2 --
 3 files changed, 1 insertion(+), 28 deletions(-)

diff --git a/net-vpn/wireguard/Manifest b/net-vpn/wireguard/Manifest
index 2c365f899da..10c32c496ce 100644
--- a/net-vpn/wireguard/Manifest
+++ b/net-vpn/wireguard/Manifest
@@ -1 +1 @@
-DIST WireGuard-0.0.20171017.tar.xz 171724 SHA256 57b79a62874d9b99659a744513d4f6f9d88cb772deaa99e485b6fed3004a35cd SHA512 134a1cbcdae6f3fa56e2c557f08eaae89e14f6b8455ffb818e1bb4113905298f26c170b3ee73129f895089407e86809047ae6813cd7a31db55b6b9a89f361edb WHIRLPOOL 255c9b91aa80d0e92d92249665c995331c17d7ff1e3574184464c70a784aa21d837b2bf4d63997c777e3abd584715f7676f65e51243e8a2a41b1f2453df2f961
+DIST WireGuard-0.0.20171031.tar.xz 173560 SHA256 69b9787b7ae2c681532a7a346e170471f1a651359ed53ff9e6fb8b2c60b9f96a SHA512 08c0a584403ce5e210b928b8b459f3f99d16d949cbb2c5be1d8eae488a6f14c627b8004d9ec23ad3d38f1cc83115706e9328d382cb1fef4f18a22d589296bd19 WHIRLPOOL 0857e46461977c7faa66b65a39481bb7ccedd575cdd3fa2e1f33ee1491ad43e2e8cf9d1a79a269f67cd76179833ff19932255e84bcc7f59cf1573356f6c4aeee

diff --git a/net-vpn/wireguard/files/wireguard-0.0.20171017-blake-headers.patch b/net-vpn/wireguard/files/wireguard-0.0.20171017-blake-headers.patch
deleted file mode 100644
index d083a80fb5b..00000000000
--- a/net-vpn/wireguard/files/wireguard-0.0.20171017-blake-headers.patch
+++ /dev/null
@@ -1,25 +0,0 @@
-From cf21875fe39d21bff2028a78921e03d96dc56e5a Mon Sep 17 00:00:00 2001
-From: "Jason A. Donenfeld" <Jason@zx2c4.com>
-Date: Sat, 21 Oct 2017 01:30:45 +0200
-Subject: blake2: include headers for macros
-
----
- src/crypto/blake2s.h | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/src/crypto/blake2s.h b/src/crypto/blake2s.h
-index 615010f..99de9f9 100644
---- a/src/crypto/blake2s.h
-+++ b/src/crypto/blake2s.h
-@@ -4,6 +4,8 @@
- #define _WG_BLAKE2S_H
- 
- #include <linux/types.h>
-+#include <linux/kernel.h>
-+#include <crypto/algapi.h>
- 
- enum blake2s_lengths {
- 	BLAKE2S_BLOCKBYTES = 64,
--- 
-cgit v1.1-31-g4243
-

diff --git a/net-vpn/wireguard/wireguard-0.0.20171017.ebuild b/net-vpn/wireguard/wireguard-0.0.20171031.ebuild
similarity index 98%
rename from net-vpn/wireguard/wireguard-0.0.20171017.ebuild
rename to net-vpn/wireguard/wireguard-0.0.20171031.ebuild
index 64a7738a1b8..fdc71975143 100644
--- a/net-vpn/wireguard/wireguard-0.0.20171017.ebuild
+++ b/net-vpn/wireguard/wireguard-0.0.20171031.ebuild
@@ -30,8 +30,6 @@ MODULE_NAMES="wireguard(kernel/drivers/net:src)"
 BUILD_TARGETS="module"
 CONFIG_CHECK="NET INET NET_UDP_TUNNEL CRYPTO_BLKCIPHER"
 
-PATCHES=( "${FILESDIR}/${P}-blake-headers.patch" )
-
 pkg_setup() {
 	if use module; then
 		linux-mod_pkg_setup

[gentoo-commits] repo/gentoo:master commit in: net-vpn/wireguard/files/, net-vpn/wireguard/

[Jason Donenfeld]

commit:     c06fba038a7fd27ef6bc684af127936bbd419b64
Author:     Jason A. Donenfeld <zx2c4 <AT> gentoo <DOT> org>
AuthorDate: Thu Nov  2 17:27:35 2017 +0000
Commit:     Jason Donenfeld <zx2c4 <AT> gentoo <DOT> org>
CommitDate: Thu Nov  2 17:27:45 2017 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c06fba03

net-vpn/wireguard: fix compilation on LOCKDEP machines

Package-Manager: Portage-2.3.11, Repoman-2.3.3

 .../files/wireguard-0.0.20171101-funcfix.patch     | 40 ++++++++++++++++++++++
 net-vpn/wireguard/wireguard-0.0.20171101.ebuild    |  2 ++
 2 files changed, 42 insertions(+)

diff --git a/net-vpn/wireguard/files/wireguard-0.0.20171101-funcfix.patch b/net-vpn/wireguard/files/wireguard-0.0.20171101-funcfix.patch
new file mode 100644
index 00000000000..fe74e48b5dd
--- /dev/null
+++ b/net-vpn/wireguard/files/wireguard-0.0.20171101-funcfix.patch
@@ -0,0 +1,40 @@
+From cc310a5dd1899417971e993d61d1230b14fe4f87 Mon Sep 17 00:00:00 2001
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+Date: Thu, 2 Nov 2017 16:07:26 +0100
+Subject: global: revert checkpatch.pl changes
+
+These changes were suggested by checkpatch.pl, but actually cause big
+problems depending on the options. Revert.
+---
+ src/noise.c | 2 +-
+ src/peer.c  | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/noise.c b/src/noise.c
+index a0bea29..6ce9b78 100644
+--- a/src/noise.c
++++ b/src/noise.c
+@@ -118,7 +118,7 @@ void noise_keypair_put(struct noise_keypair *keypair)
+ 
+ struct noise_keypair *noise_keypair_get(struct noise_keypair *keypair)
+ {
+-	RCU_LOCKDEP_WARN(!rcu_read_lock_bh_held(), "Calling " __func__ " without holding the RCU BH read lock");
++	RCU_LOCKDEP_WARN(!rcu_read_lock_bh_held(), "Taking noise keypair reference without holding the RCU BH read lock");
+ 	if (unlikely(!keypair || !kref_get_unless_zero(&keypair->refcount)))
+ 		return NULL;
+ 	return keypair;
+diff --git a/src/peer.c b/src/peer.c
+index 1580262..81b71d4 100644
+--- a/src/peer.c
++++ b/src/peer.c
+@@ -58,7 +58,7 @@ struct wireguard_peer *peer_create(struct wireguard_device *wg, const u8 public_
+ 
+ struct wireguard_peer *peer_get(struct wireguard_peer *peer)
+ {
+-	RCU_LOCKDEP_WARN(!rcu_read_lock_bh_held(), "Calling " __func__ " without holding the RCU read lock");
++	RCU_LOCKDEP_WARN(!rcu_read_lock_bh_held(), "Taking peer reference without holding the RCU read lock");
+ 	if (unlikely(!peer || !kref_get_unless_zero(&peer->refcount)))
+ 		return NULL;
+ 	return peer;
+-- 
+cgit v1.1-33-gc3c0

diff --git a/net-vpn/wireguard/wireguard-0.0.20171101.ebuild b/net-vpn/wireguard/wireguard-0.0.20171101.ebuild
index fdc71975143..579c9736f07 100644
--- a/net-vpn/wireguard/wireguard-0.0.20171101.ebuild
+++ b/net-vpn/wireguard/wireguard-0.0.20171101.ebuild
@@ -30,6 +30,8 @@ MODULE_NAMES="wireguard(kernel/drivers/net:src)"
 BUILD_TARGETS="module"
 CONFIG_CHECK="NET INET NET_UDP_TUNNEL CRYPTO_BLKCIPHER"
 
+PATCHES=( "${FILESDIR}/${P}-funcfix.patch" )
+
 pkg_setup() {
 	if use module; then
 		linux-mod_pkg_setup

[gentoo-commits] repo/gentoo:master commit in: net-vpn/wireguard/files/, net-vpn/wireguard/

[Jason Donenfeld]

commit:     eae80f7e0beb8630ed88f1aa24aabdd8ac8fec9c
Author:     Jason A. Donenfeld <zx2c4 <AT> gentoo <DOT> org>
AuthorDate: Sat Nov 11 03:40:54 2017 +0000
Commit:     Jason Donenfeld <zx2c4 <AT> gentoo <DOT> org>
CommitDate: Sat Nov 11 03:41:21 2017 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=eae80f7e

net-vpn/wireguard: bump

Package-Manager: Portage-2.3.13, Repoman-2.3.4

 net-vpn/wireguard/Manifest                         |  2 +-
 .../files/wireguard-0.0.20171101-funcfix.patch     | 40 ----------------------
 ...171101.ebuild => wireguard-0.0.20171111.ebuild} |  2 --
 3 files changed, 1 insertion(+), 43 deletions(-)

diff --git a/net-vpn/wireguard/Manifest b/net-vpn/wireguard/Manifest
index e491b077f64..56ec1e0032e 100644
--- a/net-vpn/wireguard/Manifest
+++ b/net-vpn/wireguard/Manifest
@@ -1 +1 @@
-DIST WireGuard-0.0.20171101.tar.xz 173952 SHA256 096b6482a65e566c7bf8c059f5ee6aadb2de565b04b6d810c685f1c377540325 SHA512 c3a394256cf3cc2dce75dcb299f54969f74d4076a351b61972f10fb3e69191756c0c32552a5acc7e0cd5919c248f12035e6a33f15e43fdad64c6cf1230511ee3 WHIRLPOOL 0166c6e2c03a979719798332c8f6f0bae9f9586368d7d0f8cc9c3ee2ae7d6b15133caff1f665d1e99ab7e568a41dc1c64f94887f1461a1660a3c87b0d8a1f4a5
+DIST WireGuard-0.0.20171111.tar.xz 174184 SHA256 d9347786a9406ac276d86321ca64aadb1f0639cb0582c6e0519c634cf6e81157 SHA512 2424c3923555d72a0b5910fc86071b2554934267d4c6521bc40076770984173b2cef55f4276dd4b5a446ea62f7c52424cd89b046f205314cff2919ff7de30e6b WHIRLPOOL d484d92a76382bb52f71d4a589887bfb73d8a27f313a775da3ba2f0bd406f95cda80894c574ad1f0a9e73d3fe220f67393158f33b7cc86947882ec2eb4fe6533

diff --git a/net-vpn/wireguard/files/wireguard-0.0.20171101-funcfix.patch b/net-vpn/wireguard/files/wireguard-0.0.20171101-funcfix.patch
deleted file mode 100644
index fe74e48b5dd..00000000000
--- a/net-vpn/wireguard/files/wireguard-0.0.20171101-funcfix.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-From cc310a5dd1899417971e993d61d1230b14fe4f87 Mon Sep 17 00:00:00 2001
-From: "Jason A. Donenfeld" <Jason@zx2c4.com>
-Date: Thu, 2 Nov 2017 16:07:26 +0100
-Subject: global: revert checkpatch.pl changes
-
-These changes were suggested by checkpatch.pl, but actually cause big
-problems depending on the options. Revert.
----
- src/noise.c | 2 +-
- src/peer.c  | 2 +-
- 2 files changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/src/noise.c b/src/noise.c
-index a0bea29..6ce9b78 100644
---- a/src/noise.c
-+++ b/src/noise.c
-@@ -118,7 +118,7 @@ void noise_keypair_put(struct noise_keypair *keypair)
- 
- struct noise_keypair *noise_keypair_get(struct noise_keypair *keypair)
- {
--	RCU_LOCKDEP_WARN(!rcu_read_lock_bh_held(), "Calling " __func__ " without holding the RCU BH read lock");
-+	RCU_LOCKDEP_WARN(!rcu_read_lock_bh_held(), "Taking noise keypair reference without holding the RCU BH read lock");
- 	if (unlikely(!keypair || !kref_get_unless_zero(&keypair->refcount)))
- 		return NULL;
- 	return keypair;
-diff --git a/src/peer.c b/src/peer.c
-index 1580262..81b71d4 100644
---- a/src/peer.c
-+++ b/src/peer.c
-@@ -58,7 +58,7 @@ struct wireguard_peer *peer_create(struct wireguard_device *wg, const u8 public_
- 
- struct wireguard_peer *peer_get(struct wireguard_peer *peer)
- {
--	RCU_LOCKDEP_WARN(!rcu_read_lock_bh_held(), "Calling " __func__ " without holding the RCU read lock");
-+	RCU_LOCKDEP_WARN(!rcu_read_lock_bh_held(), "Taking peer reference without holding the RCU read lock");
- 	if (unlikely(!peer || !kref_get_unless_zero(&peer->refcount)))
- 		return NULL;
- 	return peer;
--- 
-cgit v1.1-33-gc3c0

diff --git a/net-vpn/wireguard/wireguard-0.0.20171101.ebuild b/net-vpn/wireguard/wireguard-0.0.20171111.ebuild
similarity index 99%
rename from net-vpn/wireguard/wireguard-0.0.20171101.ebuild
rename to net-vpn/wireguard/wireguard-0.0.20171111.ebuild
index 579c9736f07..fdc71975143 100644
--- a/net-vpn/wireguard/wireguard-0.0.20171101.ebuild
+++ b/net-vpn/wireguard/wireguard-0.0.20171111.ebuild
@@ -30,8 +30,6 @@ MODULE_NAMES="wireguard(kernel/drivers/net:src)"
 BUILD_TARGETS="module"
 CONFIG_CHECK="NET INET NET_UDP_TUNNEL CRYPTO_BLKCIPHER"
 
-PATCHES=( "${FILESDIR}/${P}-funcfix.patch" )
-
 pkg_setup() {
 	if use module; then
 		linux-mod_pkg_setup