WireGuard Archive on lore.kernel.org
* [PATCH 1/2] peer: add wg_peer_reset_keys
@ 2019-01-25  1:53 Derrick Pallas
  2019-01-25  1:53 ` [PATCH 2/2] netdev: reset peer keys when changing private key Derrick Pallas
  0 siblings, 1 reply; 5+ messages in thread
From: Derrick Pallas @ 2019-01-25  1:53 UTC (permalink / raw)
  To: wireguard

This function will clear the key state for the peer and reset its handshake
timer.  This is useful, for instance, if it is known that the current key
material is bad.  Currently, this happens when the private key is changed.

Signed-off-by: Derrick Pallas <derrick@pallas.us>
---
 src/peer.c | 14 ++++++++++++++
 src/peer.h |  1 +
 2 files changed, 15 insertions(+)

diff --git a/src/peer.c b/src/peer.c
index 020a97b..49af31f 100644
--- a/src/peer.c
+++ b/src/peer.c
@@ -87,6 +87,20 @@ struct wg_peer *wg_peer_get_maybe_zero(struct wg_peer *peer)
 	return peer;
 }
 
+void wg_peer_reset_keys(struct wg_peer *peer)
+{
+	if (unlikely(!peer))
+		return;
+	lockdep_assert_held(&peer->device->device_update_lock);
+
+	wg_noise_handshake_clear(&peer->handshake);
+	wg_noise_keypairs_clear(&peer->keypairs);
+	wg_cookie_checker_precompute_peer_keys(peer);
+	atomic64_set(&peer->last_sent_handshake,
+		ktime_get_boot_fast_ns() -
+			(u64)(REKEY_TIMEOUT + 1) * NSEC_PER_SEC);
+}
+
 /* We have a separate "remove" function make sure that all active places where
  * a peer is currently operating will eventually come to an end and not pass
  * their reference onto another context.
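Review bot: the `if (unlikely(!peer)) return;` guard at the top of wg_peer_reset_keys does not fit with the `lockdep_assert_held(&peer->device->device_update_lock);` two lines below it: a helper that asserts its caller holds the device update lock is an internal function and should be able to rely on a valid peer, so either drop the NULL check or say in a comment which caller can legitimately pass NULL. The `atomic64_set(&peer->last_sent_handshake, ktime_get_boot_fast_ns() - (u64)(REKEY_TIMEOUT + 1) * NSEC_PER_SEC);` line also wants a one-line comment; the commit message says the function "resets the handshake timer", and backdating the last-sent timestamp to more than REKEY_TIMEOUT seconds ago is how that is achieved, but nothing in the code explains the `+ 1`. A short comment above the function stating the lock precondition would match the style of the neighbouring comment on the "remove" function.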
diff --git a/src/peer.h b/src/peer.h
index 2e04262..3800e6f 100644
--- a/src/peer.h
+++ b/src/peer.h
@@ -78,5 +78,6 @@ static inline struct wg_peer *wg_peer_get(struct wg_peer *peer)
 void wg_peer_put(struct wg_peer *peer);
 void wg_peer_remove(struct wg_peer *peer);
 void wg_peer_remove_all(struct wg_device *wg);
+void wg_peer_reset_keys(struct wg_peer *peer);
 
 #endif /* _WG_PEER_H */
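Review bot: the new prototype `void wg_peer_reset_keys(struct wg_peer *peer);` carries no note of its locking precondition, while the definition in peer.c enforces `device_update_lock` with lockdep_assert_held; a short comment next to the declaration ("must be called with device_update_lock held") tells callers up front instead of through a lockdep warning at runtime.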
-- 
2.19.2

_______________________________________________
WireGuard mailing list
WireGuard@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/wireguard


* [PATCH 2/2] netdev: reset peer keys when changing private key
  2019-01-25  1:53 [PATCH 1/2] peer: add wg_peer_reset_keys Derrick Pallas
@ 2019-01-25  1:53 ` Derrick Pallas
  0 siblings, 0 replies; 5+ messages in thread
From: Derrick Pallas @ 2019-01-25  1:53 UTC (permalink / raw)
  To: wireguard

Without this change, it can take until the handshake timeout period to
reestablish with the peer.  After this change, the handshake occurs as soon
as possible and the link is reestablished much more quickly.

Signed-off-by: Derrick Pallas <derrick@pallas.us>
---
 src/netlink.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/netlink.c b/src/netlink.c
index 3458c81..f6b10ad 100644
--- a/src/netlink.c
+++ b/src/netlink.c
@@ -539,6 +539,8 @@ static int wg_set_device(struct sk_buff *skb, struct genl_info *info)
 					 peer_list) {
 			if (!wg_noise_precompute_static_static(peer))
 				wg_peer_remove(peer);
+			else
+				wg_peer_reset_keys(peer);
 		}
 		wg_cookie_checker_precompute_device_keys(&wg->cookie_checker);
 		up_write(&wg->static_identity.lock);
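Review bot: the new `else wg_peer_reset_keys(peer);` runs inside the section closed by `up_write(&wg->static_identity.lock);`, but wg_peer_reset_keys asserts `device_update_lock`, which is not visible anywhere in this hunk; the commit message should state that wg_set_device holds device_update_lock across this loop so the precondition can be checked from the patch itself. Separately, wg_peer_reset_keys calls wg_cookie_checker_precompute_peer_keys(peer) for each peer before the loop finishes and `wg_cookie_checker_precompute_device_keys(&wg->cookie_checker);` runs, so either confirm in the message that the per-peer cookie keys do not depend on the device cookie keys, or move the reset after the device precompute to make the ordering obviously safe.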
-- 
2.19.2


* Re: [PATCH 1/2] peer: add wg_peer_reset_keys
  2019-03-14  6:47 ` Triffid Hunter
@ 2019-04-04 19:20   ` Derrick Lyndon Pallas
  0 siblings, 0 replies; 5+ messages in thread
From: Derrick Lyndon Pallas @ 2019-04-04 19:20 UTC (permalink / raw)
  To: Triffid Hunter, Jason A. Donenfeld; +Cc: WireGuard mailing list

Triffid, have you had a chance to test?

Jason, did you have any more thoughts? (You've clearly been busy given 
all the recent announcements!) This is the second version, which 
required a rebase but the code remained the same after verifying that 
the process did not change at all.

Thanks, ~Derrick


On 3/13/19 11:47 PM, Triffid Hunter wrote:
> This sounds interesting, as I often get long (10-30 minute) stalls 
> where wg is doing nothing but throwing keys back and forth. I'll let 
> you know if it helps when I have a chance to test properly.
>
> On Thu, 14 Mar 2019 at 06:44, <derrick@pallas.us> wrote:
>
>     From: Derrick Pallas <derrick@pallas.us>
>
>     This function will clear the key state for the peer and reset its
>     handshake
>     timer.  This is useful, for instance, if it is known that the
>     current key
>     material is bad.  Currently, this happens when the private key is
>     changed.
>
>     Signed-off-by: Derrick Pallas <derrick@pallas.us>
>     ---
>      src/peer.c | 14 ++++++++++++++
>      src/peer.h |  1 +
>      2 files changed, 15 insertions(+)
>
>     diff --git a/src/peer.c b/src/peer.c
>     index 996f40b..be244a4 100644
>     --- a/src/peer.c
>     +++ b/src/peer.c
>     @@ -160,6 +160,20 @@ static void peer_remove_after_dead(struct
>     wg_peer *peer)
>             wg_peer_put(peer);
>      }
>
>     +void wg_peer_reset_keys(struct wg_peer *peer)
>     +{
>     +       if (unlikely(!peer))
>     +               return;
>     +  lockdep_assert_held(&peer->device->device_update_lock);
>     +
>     +       wg_noise_handshake_clear(&peer->handshake);
>     +       wg_noise_keypairs_clear(&peer->keypairs);
>     +       wg_cookie_checker_precompute_peer_keys(peer);
>     +       atomic64_set(&peer->last_sent_handshake,
>     +               ktime_get_boot_fast_ns() -
>     +                       (u64)(REKEY_TIMEOUT + 1) * NSEC_PER_SEC);
>     +}
>     +
>      /* We have a separate "remove" function make sure that all active
>     places where
>       * a peer is currently operating will eventually come to an end
>     and not pass
>       * their reference onto another context.
>     diff --git a/src/peer.h b/src/peer.h
>     index 23af409..f85817f 100644
>     --- a/src/peer.h
>     +++ b/src/peer.h
>     @@ -79,5 +79,6 @@ static inline struct wg_peer *wg_peer_get(struct
>     wg_peer *peer)
>      void wg_peer_put(struct wg_peer *peer);
>      void wg_peer_remove(struct wg_peer *peer);
>      void wg_peer_remove_all(struct wg_device *wg);
>     +void wg_peer_reset_keys(struct wg_peer *peer);
>
>      #endif /* _WG_PEER_H */
>     -- 
>     2.19.2
>
>


* Re: [PATCH 1/2] peer: add wg_peer_reset_keys
  2019-03-13 22:46 [PATCH 1/2] peer: add wg_peer_reset_keys derrick
@ 2019-03-14  6:47 ` Triffid Hunter
  2019-04-04 19:20   ` Derrick Lyndon Pallas
  0 siblings, 1 reply; 5+ messages in thread
From: Triffid Hunter @ 2019-03-14  6:47 UTC (permalink / raw)
  To: derrick; +Cc: WireGuard mailing list

This sounds interesting, as I often get long (10-30 minute) stalls where wg
is doing nothing but throwing keys back and forth. I'll let you know if it
helps when I have a chance to test properly.

On Thu, 14 Mar 2019 at 06:44, <derrick@pallas.us> wrote:

> From: Derrick Pallas <derrick@pallas.us>
>
> This function will clear the key state for the peer and reset its handshake
> timer.  This is useful, for instance, if it is known that the current key
> material is bad.  Currently, this happens when the private key is changed.
>
> Signed-off-by: Derrick Pallas <derrick@pallas.us>
> ---
>  src/peer.c | 14 ++++++++++++++
>  src/peer.h |  1 +
>  2 files changed, 15 insertions(+)
>
> diff --git a/src/peer.c b/src/peer.c
> index 996f40b..be244a4 100644
> --- a/src/peer.c
> +++ b/src/peer.c
> @@ -160,6 +160,20 @@ static void peer_remove_after_dead(struct wg_peer
> *peer)
>         wg_peer_put(peer);
>  }
>
> +void wg_peer_reset_keys(struct wg_peer *peer)
> +{
> +       if (unlikely(!peer))
> +               return;
> +       lockdep_assert_held(&peer->device->device_update_lock);
> +
> +       wg_noise_handshake_clear(&peer->handshake);
> +       wg_noise_keypairs_clear(&peer->keypairs);
> +       wg_cookie_checker_precompute_peer_keys(peer);
> +       atomic64_set(&peer->last_sent_handshake,
> +               ktime_get_boot_fast_ns() -
> +                       (u64)(REKEY_TIMEOUT + 1) * NSEC_PER_SEC);
> +}
> +
>  /* We have a separate "remove" function make sure that all active places
> where
>   * a peer is currently operating will eventually come to an end and not
> pass
>   * their reference onto another context.
> diff --git a/src/peer.h b/src/peer.h
> index 23af409..f85817f 100644
> --- a/src/peer.h
> +++ b/src/peer.h
> @@ -79,5 +79,6 @@ static inline struct wg_peer *wg_peer_get(struct wg_peer
> *peer)
>  void wg_peer_put(struct wg_peer *peer);
>  void wg_peer_remove(struct wg_peer *peer);
>  void wg_peer_remove_all(struct wg_device *wg);
> +void wg_peer_reset_keys(struct wg_peer *peer);
>
>  #endif /* _WG_PEER_H */
> --
> 2.19.2
>
>


* [PATCH 1/2] peer: add wg_peer_reset_keys
@ 2019-03-13 22:46 derrick
  2019-03-14  6:47 ` Triffid Hunter
  0 siblings, 1 reply; 5+ messages in thread
From: derrick @ 2019-03-13 22:46 UTC (permalink / raw)
  To: wireguard

From: Derrick Pallas <derrick@pallas.us>

This function will clear the key state for the peer and reset its handshake
timer.  This is useful, for instance, if it is known that the current key
material is bad.  Currently, this happens when the private key is changed.

Signed-off-by: Derrick Pallas <derrick@pallas.us>
---
 src/peer.c | 14 ++++++++++++++
 src/peer.h |  1 +
 2 files changed, 15 insertions(+)

diff --git a/src/peer.c b/src/peer.c
index 996f40b..be244a4 100644
--- a/src/peer.c
+++ b/src/peer.c
@@ -160,6 +160,20 @@ static void peer_remove_after_dead(struct wg_peer *peer)
 	wg_peer_put(peer);
 }
 
+void wg_peer_reset_keys(struct wg_peer *peer)
+{
+	if (unlikely(!peer))
+		return;
+	lockdep_assert_held(&peer->device->device_update_lock);
+
+	wg_noise_handshake_clear(&peer->handshake);
+	wg_noise_keypairs_clear(&peer->keypairs);
+	wg_cookie_checker_precompute_peer_keys(peer);
+	atomic64_set(&peer->last_sent_handshake,
+		ktime_get_boot_fast_ns() -
+			(u64)(REKEY_TIMEOUT + 1) * NSEC_PER_SEC);
+}
+
 /* We have a separate "remove" function make sure that all active places where
  * a peer is currently operating will eventually come to an end and not pass
  * their reference onto another context.
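Review bot: the body of wg_peer_reset_keys is unchanged from the January posting, but the hunk now anchors after peer_remove_after_dead (line 160) instead of after wg_peer_get_maybe_zero (line 87), so this is a rebase; the subject still reads [PATCH 1/2] with no v2 tag and nothing below the `---` cut line records that the repost is a pure rebase, which leaves a reviewer to diff the two postings by hand. Add a line such as "v2: rebased, no code change" under the `---` so the history of the series is visible in the patch itself.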
diff --git a/src/peer.h b/src/peer.h
index 23af409..f85817f 100644
--- a/src/peer.h
+++ b/src/peer.h
@@ -79,5 +79,6 @@ static inline struct wg_peer *wg_peer_get(struct wg_peer *peer)
 void wg_peer_put(struct wg_peer *peer);
 void wg_peer_remove(struct wg_peer *peer);
 void wg_peer_remove_all(struct wg_device *wg);
+void wg_peer_reset_keys(struct wg_peer *peer);
 
 #endif /* _WG_PEER_H */
-- 
2.19.2

