* [gentoo-commits] repo/gentoo:master commit in: net-vpn/wireguard/, net-vpn/wireguard/files/
@ 2017-06-12 15:38 Jason Donenfeld
From: Jason Donenfeld @ 2017-06-12 15:38 UTC (permalink / raw
  To: gentoo-commits

commit:     6f57db1dafdf1b7e27c90c34e99ecce17bf09739
Author:     Jason A. Donenfeld <zx2c4 <AT> gentoo <DOT> org>
AuthorDate: Mon Jun 12 15:38:35 2017 +0000
Commit:     Jason Donenfeld <zx2c4 <AT> gentoo <DOT> org>
CommitDate: Mon Jun 12 15:38:43 2017 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6f57db1d

net-vpn/wireguard: more archs, and backport fix

Package-Manager: Portage-2.3.6, Repoman-2.3.2

 .../wireguard-0.0.20170612-wait-for-rng.patch      | 94 ++++++++++++++++++++++
 ...612.ebuild => wireguard-0.0.20170612-r1.ebuild} |  4 +-
 2 files changed, 97 insertions(+), 1 deletion(-)

diff --git a/net-vpn/wireguard/files/wireguard-0.0.20170612-wait-for-rng.patch b/net-vpn/wireguard/files/wireguard-0.0.20170612-wait-for-rng.patch
new file mode 100644
index 00000000000..0b5803c839d
--- /dev/null
+++ b/net-vpn/wireguard/files/wireguard-0.0.20170612-wait-for-rng.patch
@@ -0,0 +1,94 @@
+From 401294f7526de40a15c06997fceae58278807d22 Mon Sep 17 00:00:00 2001
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+Date: Mon, 12 Jun 2017 16:32:59 +0200
+Subject: [PATCH] random: wait for random bytes when generating nonces and
+ ephemerals
+
+We can let userspace configure wireguard interfaces before the RNG is
+fully initialized, since what we mostly care about is having good
+randomness for ephemerals and xchacha nonces. By deferring the wait to
+actually asking for the randomness, we give a lot more opportunity for
+gathering entropy. This won't cover entropy for hash table secrets or
+cookie secrets (which rotate anyway), but those have far less
+catastrophic failure modes, so ensuring good randomness for elliptic
+curve points and nonces should be sufficient.
+---
+ src/compat/compat.h     | 10 ++++++++++
+ src/config.c            |  5 -----
+ src/cookie.c            |  2 +-
+ src/crypto/curve25519.c |  2 +-
+ 4 files changed, 12 insertions(+), 7 deletions(-)
+
+diff --git a/src/compat/compat.h b/src/compat/compat.h
+index 68d62b9..6c1bfa3 100644
+--- a/src/compat/compat.h
++++ b/src/compat/compat.h
+@@ -265,6 +265,16 @@ static inline int wait_for_random_bytes(void)
+ 	return 0;
+ }
+ #endif
++#if LINUX_VERSION_CODE < KERNEL_VERSION(4, 13, 0)
++static inline int get_random_bytes_wait(void *buf, int nbytes)
++{
++	int ret = wait_for_random_bytes();
++	if (unlikely(ret))
++		return ret;
++	get_random_bytes(buf, nbytes);
++	return 0;
++}
++#endif
+ 
+ /* https://lkml.org/lkml/2015/6/12/415 */
+ #include <linux/netdevice.h>
+diff --git a/src/config.c b/src/config.c
+index 286c874..d3b6611 100644
+--- a/src/config.c
++++ b/src/config.c
+@@ -8,7 +8,6 @@
+ #include "hashtables.h"
+ #include "peer.h"
+ #include "uapi.h"
+-#include <linux/random.h>
+ 
+ static int set_device_port(struct wireguard_device *wg, u16 port)
+ {
+@@ -135,10 +134,6 @@ int config_set_device(struct wireguard_device *wg, void __user *user_device)
+ 	void __user *user_peer;
+ 	bool modified_static_identity = false;
+ 
+-	/* It's important that the Linux RNG is fully seeded before we let the user
+-	 * actually configure the device, so that we're assured to have good ephemerals. */
+-	wait_for_random_bytes();
+-
+ 	BUILD_BUG_ON(WG_KEY_LEN != NOISE_PUBLIC_KEY_LEN);
+ 	BUILD_BUG_ON(WG_KEY_LEN != NOISE_SYMMETRIC_KEY_LEN);
+ 
+diff --git a/src/cookie.c b/src/cookie.c
+index 21b7c7b..ce22b53 100644
+--- a/src/cookie.c
++++ b/src/cookie.c
+@@ -161,7 +161,7 @@ void cookie_message_create(struct message_handshake_cookie *dst, struct sk_buff
+ 
+ 	dst->header.type = cpu_to_le32(MESSAGE_HANDSHAKE_COOKIE);
+ 	dst->receiver_index = index;
+-	get_random_bytes(dst->nonce, COOKIE_NONCE_LEN);
++	get_random_bytes_wait(dst->nonce, COOKIE_NONCE_LEN);
+ 
+ 	make_cookie(cookie, skb, checker);
+ 	xchacha20poly1305_encrypt(dst->encrypted_cookie, cookie, COOKIE_LEN, macs->mac1, COOKIE_LEN, dst->nonce, checker->cookie_encryption_key);
+diff --git a/src/crypto/curve25519.c b/src/crypto/curve25519.c
+index f0e045e..119d41a 100644
+--- a/src/crypto/curve25519.c
++++ b/src/crypto/curve25519.c
+@@ -1545,7 +1545,7 @@ bool curve25519_generate_public(u8 pub[CURVE25519_POINT_SIZE], const u8 secret[C
+ 
+ void curve25519_generate_secret(u8 secret[CURVE25519_POINT_SIZE])
+ {
+-	get_random_bytes(secret, CURVE25519_POINT_SIZE);
++	get_random_bytes_wait(secret, CURVE25519_POINT_SIZE);
+ 	normalize_secret(secret);
+ }
+ 
+-- 
+2.13.1
+
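Review bot: The `int` returned by the new `get_random_bytes_wait()` is dropped at both call sites (`get_random_bytes_wait(dst->nonce, COOKIE_NONCE_LEN);` in cookie.c and `get_random_bytes_wait(secret, CURVE25519_POINT_SIZE);` in curve25519.c), so whenever `wait_for_random_bytes()` returns non-zero — presumably when the sleeping task is interrupted by a signal — `get_random_bytes()` is skipped and `dst->nonce` / `secret` keep whatever the buffer held before, with `normalize_secret()` then clamping non-random bytes. Both callers are `void`, so the status cannot be propagated as written; either change them to return it to their callers, or at minimum document the contract on the shim, e.g. `/* Returns non-zero and leaves buf untouched if the wait was interrupted; buf must not be used in that case. */`. The shim is only compiled for kernels before 4.13, and the visible tail of the compat `wait_for_random_bytes()` above it (`return 0;`) suggests that on kernels without the real function the "wait" is a no-op, which deserves a comment of its own. `cookie_message_create` begins outside the hunk; `curve25519_generate_secret` is shown in full.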

diff --git a/net-vpn/wireguard/wireguard-0.0.20170612.ebuild b/net-vpn/wireguard/wireguard-0.0.20170612-r1.ebuild
similarity index 96%
rename from net-vpn/wireguard/wireguard-0.0.20170612.ebuild
rename to net-vpn/wireguard/wireguard-0.0.20170612-r1.ebuild
index 1406c6d3ade..c4df19fc775 100644
--- a/net-vpn/wireguard/wireguard-0.0.20170612.ebuild
+++ b/net-vpn/wireguard/wireguard-0.0.20170612-r1.ebuild
@@ -15,7 +15,7 @@ if [[ ${PV} == 9999 ]]; then
 else
 	SRC_URI="https://git.zx2c4.com/WireGuard/snapshot/WireGuard-${PV}.tar.xz"
 	S="${WORKDIR}/WireGuard-${PV}"
-	KEYWORDS="~amd64 ~x86 ~mips ~arm ~arm64"
+	KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86"
 fi
 
 LICENSE="GPL-2"
@@ -32,6 +32,8 @@ CONFIG_CHECK="NET INET NET_UDP_TUNNEL NF_CONNTRACK NETFILTER_XT_MATCH_HASHLIMIT
 WARNING_PADATA="If you're running a multicore system you likely should enable CONFIG_PADATA for improved performance and parallel crypto."
 WARNING_IP6_NF_IPTABLES="If your kernel has CONFIG_IPV6, you need CONFIG_IP6_NF_IPTABLES; otherwise WireGuard will not insert."
 
+PATCHES=( "${FILESDIR}/${P}-wait-for-rng.patch" )
+
 pkg_setup() {
 	if use module; then
 		linux-mod_pkg_setup



* [gentoo-commits] repo/gentoo:master commit in: net-vpn/wireguard/, net-vpn/wireguard/files/
@ 2018-07-10 21:20 Jason Donenfeld
From: Jason Donenfeld @ 2018-07-10 21:20 UTC (permalink / raw
  To: gentoo-commits

commit:     84747f9cd8674344adc0215795e994899ed2ff3f
Author:     Jason A. Donenfeld <zx2c4 <AT> gentoo <DOT> org>
AuthorDate: Tue Jul 10 21:18:03 2018 +0000
Commit:     Jason Donenfeld <zx2c4 <AT> gentoo <DOT> org>
CommitDate: Tue Jul 10 21:20:30 2018 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=84747f9c

net-vpn/wireguard: these have moved to netifrc

Package-Manager: Portage-2.3.41, Repoman-2.3.9

 net-vpn/wireguard/files/wireguard-openrc.sh     | 45 -------------------------
 net-vpn/wireguard/wireguard-0.0.20180708.ebuild |  2 --
 net-vpn/wireguard/wireguard-9999.ebuild         |  2 --
 3 files changed, 49 deletions(-)

diff --git a/net-vpn/wireguard/files/wireguard-openrc.sh b/net-vpn/wireguard/files/wireguard-openrc.sh
deleted file mode 100644
index 9c53ef0ffa7..00000000000
--- a/net-vpn/wireguard/files/wireguard-openrc.sh
+++ /dev/null
@@ -1,45 +0,0 @@
-# Copyright (c) 2016 Gentoo Foundation
-# All rights reserved. Released under the 2-clause BSD license.
-
-wireguard_depend()
-{
-	program /usr/bin/wg
-	after interface
-	before dhcp
-}
-
-wireguard_pre_start()
-{
-	[[ $IFACE == wg* ]] || return 0
-	ip link delete dev "$IFACE" type wireguard 2>/dev/null
-	ebegin "Creating WireGuard interface $IFACE"
-	if ! ip link add dev "$IFACE" type wireguard; then
-		eend $?
-		return $?
-	fi
-	eend 0
-
-	ebegin "Configuring WireGuard interface $IFACE"
-	set -- $(_get_array "wireguard_$IFVAR")
-	if [[ -f $1 && $# -eq 1 ]]; then
-		/usr/bin/wg setconf "$IFACE" "$1"
-	else
-		eval /usr/bin/wg set "$IFACE" "$@"
-	fi
-	if [ $? -eq 0 ]; then
-		_up
-		eend 0
-		return
-	fi
-	e=$?
-	ip link delete dev "$IFACE" type wireguard 2>/dev/null
-	eend $e
-}
-
-wireguard_post_stop()
-{
-	[[ $IFACE == wg* ]] || return 0
-	ebegin "Removing WireGuard interface $IFACE"
-	ip link delete dev "$IFACE" type wireguard
-	eend $?
-}

diff --git a/net-vpn/wireguard/wireguard-0.0.20180708.ebuild b/net-vpn/wireguard/wireguard-0.0.20180708.ebuild
index 3a4681c656a..e7bf51b60e9 100644
--- a/net-vpn/wireguard/wireguard-0.0.20180708.ebuild
+++ b/net-vpn/wireguard/wireguard-0.0.20180708.ebuild
@@ -57,8 +57,6 @@ src_install() {
 			BASHCOMPDIR="$(get_bashcompdir)" \
 			PREFIX="${EPREFIX}/usr" \
 			-C src/tools install
-		insinto /$(get_libdir)/netifrc/net
-		newins "${FILESDIR}"/wireguard-openrc.sh wireguard.sh
 	fi
 	use module-src && emake DESTDIR="${D}" PREFIX="${EPREFIX}/usr" -C src dkms-install
 }

diff --git a/net-vpn/wireguard/wireguard-9999.ebuild b/net-vpn/wireguard/wireguard-9999.ebuild
index 3a4681c656a..e7bf51b60e9 100644
--- a/net-vpn/wireguard/wireguard-9999.ebuild
+++ b/net-vpn/wireguard/wireguard-9999.ebuild
@@ -57,8 +57,6 @@ src_install() {
 			BASHCOMPDIR="$(get_bashcompdir)" \
 			PREFIX="${EPREFIX}/usr" \
 			-C src/tools install
-		insinto /$(get_libdir)/netifrc/net
-		newins "${FILESDIR}"/wireguard-openrc.sh wireguard.sh
 	fi
 	use module-src && emake DESTDIR="${D}" PREFIX="${EPREFIX}/usr" -C src dkms-install
 }


