* Long outage when changing private key
@ 2019-01-24 21:22 Derrick Lyndon Pallas
From: Derrick Lyndon Pallas @ 2019-01-24 21:22 UTC (permalink / raw)
To: WireGuard mailing list
With two peers, A with persistent keepalive & B without, I am trying to
change the private key on peer A. First I update the public key for A at
B, then `wg set wg0 private-key XXXX` on A. It takes roughly the length
of the persistent keepalive to reestablish pings from B to A.
If instead I update the public key for A at B, remove peer B at A,
change A's private key, and then re-add peer B at A, I am able to
reestablish pings almost immediately.
My guess was that there was a timer that needed to be reset when
wg_set_device processes WGDEVICE_A_PRIVATE_KEY, but an attempt to reset
timers was unsuccessful. I am new to this code and could use some
pointers/advice on where to look next.
~Derrick
_______________________________________________
WireGuard mailing list
WireGuard@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/wireguard
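The remove/re-key/re-add sequence described in the message above, written out as an added example that is not part of this thread or of the WireGuard project. The script reads the peer table from `wg show <iface> dump`, removes every peer, installs the new private key, and re-adds each peer with its previous endpoint, allowed-ips, persistent-keepalive and preshared key, so that nothing is lost in the re-add and the handshake restarts immediately instead of waiting out the keepalive/handshake timers. It assumes the tab-separated layout of the `wg` tool's dump output (with `(none)` and `off` for unset fields). The function names `rotate_private_key`, `readd_peer`, `wg_run` and `sample_wg`, the interface name `wg0`, the key path `/etc/wireguard/new.key` and the sample dump with fake `PUBKEY_*`/`PSK_*` strings are my own and are constructed for the demo. As in the message, the remote peers must already hold this host's new public key (`wg pubkey < new.key`) before this runs; `wg show ... dump` prints the private and preshared keys, so run it as root and keep its output out of logs.

```shell
#!/bin/sh
# Added example, not code from the thread or the WireGuard project.
# Rotate a WireGuard interface's private key using the remove / re-key /
# re-add sequence from the first message: every peer is removed, the new key
# is installed, and each peer is re-added with its previous settings so the
# handshake restarts at once rather than after the keepalive/handshake timers.
# Assumes the `wg` tool and the layout of `wg show <iface> dump`:
#   line 1:  private-key  public-key  listen-port  fwmark
#   line 2+: public-key  preshared-key  endpoint  allowed-ips
#            latest-handshake  transfer-rx  transfer-tx  persistent-keepalive
# with "(none)" / "off" for unset fields, all tab-separated.
# Run as root; `wg show ... dump` prints private and preshared keys, so never
# let its output reach a log. The remote peers must already have this host's
# new public key (`wg pubkey < new.key`) or the re-added peers cannot handshake.
set -eu

WG="${WG:-wg}"           # override to exercise the logic without a real interface
DRY_RUN="${DRY_RUN:-0}"  # 1: print the `wg set` commands instead of running them
TAB=$(printf '\t')

# Apply (or, in dry-run mode, print) one `wg` command.
wg_run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s' "$WG"; printf ' %s' "$@"; printf '\n'
    else
        "$WG" "$@"
    fi
}

# readd_peer <iface> <dump-line>: re-create one peer from its dump line,
# translating the placeholders back into `wg set` arguments (or their absence).
readd_peer() {
    iface=$1
    old_ifs=$IFS; IFS=$TAB; set -- $2; IFS=$old_ifs
    pub=$1; psk=$2; endpoint=$3; allowed=$4; keepalive=$8
    set -- set "$iface" peer "$pub"
    if [ "$endpoint" != "(none)" ]; then set -- "$@" endpoint "$endpoint"; fi
    if [ "$allowed" != "(none)" ]; then set -- "$@" allowed-ips "$allowed"; fi
    if [ "$keepalive" != off ]; then set -- "$@" persistent-keepalive "$keepalive"; fi
    if [ "$psk" != "(none)" ]; then
        # wg reads the PSK from a file path; hand it over on stdin, not a temp file.
        printf '%s\n' "$psk" | wg_run "$@" preshared-key /dev/stdin
    else
        wg_run "$@"
    fi
}

# rotate_private_key <iface> <file-with-new-private-key>
rotate_private_key() {
    iface=$1
    newkey=$2
    dump=$("$WG" show "$iface" dump)             # aborts the script if wg fails
    peers=$(printf '%s\n' "$dump" | tail -n +2)  # drop the interface line (old private key)
    printf '%s\n' "$peers" | while IFS= read -r line; do
        [ -n "$line" ] || continue
        wg_run set "$iface" peer "${line%%"$TAB"*}" remove
    done
    wg_run set "$iface" private-key "$newkey"
    printf '%s\n' "$peers" | while IFS= read -r line; do
        [ -n "$line" ] || continue
        readd_peer "$iface" "$line"
    done
}

# Constructed sample dump (fake placeholder keys, not real key material):
# peer B has a PSK, an endpoint and keepalive; peer C has only allowed-ips.
SAMPLE_DUMP=$(printf 'PRIVKEY_A=\tPUBKEY_A=\t51820\toff
PUBKEY_B=\tPSK_B=\t198.51.100.7:51820\t10.0.0.2/32\t1548374400\t1024\t2048\t25
PUBKEY_C=\t(none)\t(none)\t10.0.0.3/32,fd00::3/128\t0\t0\t0\toff')

# Stand-in for `wg` used by the demo and tests: serves the sample dump and
# echoes every `set` it would have applied.
sample_wg() {
    case $1 in
        show) printf '%s\n' "$SAMPLE_DUMP" ;;
        set)  shift; printf 'set %s\n' "$*" ;;
    esac
}

case "${1:-}" in
    demo) WG=sample_wg; rotate_private_key wg0 /etc/wireguard/new.key ;;
    "")   ;;    # no arguments: only define the functions (e.g. when sourced)
    *)    rotate_private_key "$1" "${2:?usage: $0 <iface> <new-private-key-file>}" ;;
esac
```

`sh rotate-wg-key.sh demo` prints the command sequence against the constructed sample: two `peer ... remove` lines, the `private-key` line, then the two re-adds with their settings restored. Against a real interface, `DRY_RUN=1 ./rotate-wg-key.sh wg0 /etc/wireguard/new.key` still runs the read-only `wg show` but only prints the `wg set` commands, which is the sensible first run. Only the peer lines of the dump are ever echoed, so the old private key never appears in the output.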
* Re: Long outage when changing private key
From: Derrick Lyndon Pallas @ 2019-01-24 23:25 UTC (permalink / raw)
To: wireguard
I believe I found a solution to this problem. Will submit a patch once
I've done a bit more testing.
~Derrick
On 1/24/19 1:22 PM, Derrick Lyndon Pallas wrote:
> [snip]
* Re: Long outage when changing private key
From: Jason A. Donenfeld @ 2019-01-24 23:59 UTC (permalink / raw)
To: Derrick Lyndon Pallas; +Cc: wireguard
Hi Derrick,
The fix is probably this:
diff --git a/src/netlink.c b/src/netlink.c
index 3458c817..6b6a3f7a 100644
--- a/src/netlink.c
+++ b/src/netlink.c
@@ -539,6 +539,7 @@ static int wg_set_device(struct sk_buff *skb, struct genl_info *info)
peer_list) {
if (!wg_noise_precompute_static_static(peer))
wg_peer_remove(peer);
+ wg_noise_keypairs_clear(&peer->keypairs);
}
wg_cookie_checker_precompute_device_keys(&wg->cookie_checker);
up_write(&wg->static_identity.lock);
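Review bot: the new `wg_noise_keypairs_clear(&peer->keypairs);` is unconditional, so on the branch where `wg_noise_precompute_static_static(peer)` fails it runs right after `wg_peer_remove(peer)` on a peer that has just been torn down; an `else` in front of the new line restricts the clear to the peers that survive. Since this also drops every transport session whenever the private key is set, which is exactly the grace-period rotation the text of this message says the code was designed to allow, a short comment on why that trade-off is acceptable for the private-key case would help the next reader.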
But the idea was originally that we wouldn't clear transport sessions
when the private key or peer preshared key changes, to allow for various
types of negotiated rotations with a grace period, in particular the
case of preshared keys for post quantum protocols. However, I can see
how the private key case causes problems for you, since changing the
public key on a peer is akin to removing and adding a different peer,
and so those transport sessions are lost in the process. In other words,
you might have a point.
Regards,
Jason
* Re: Long outage when changing private key
From: Jason A. Donenfeld @ 2019-01-25 0:00 UTC (permalink / raw)
To: Derrick Lyndon Pallas; +Cc: WireGuard mailing list
On Fri, Jan 25, 2019 at 12:59 AM Jason A. Donenfeld <Jason@zx2c4.com> wrote:
> @@ -539,6 +539,7 @@ static int wg_set_device(struct sk_buff *skb, struct genl_info *info)
> peer_list) {
> if (!wg_noise_precompute_static_static(peer))
> wg_peer_remove(peer);
else
> + wg_noise_keypairs_clear(&peer->keypairs);
> }
> wg_cookie_checker_precompute_device_keys(&wg->cookie_checker);
> up_write(&wg->static_identity.lock);
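Review bot: the `else` is pasted as a bare line between the quoted hunk lines, without the `> +` prefix or the indentation of the surrounding code, so the hunk as shown will not apply; it needs to be a `+` line (`+			else`) immediately before `+			wg_noise_keypairs_clear(&peer->keypairs);`. With the `else` in place the clear no longer touches a peer that `wg_peer_remove(peer)` has just removed, which fixes the ordering problem in the first version. The follow-up in this thread reports that clearing the keypairs alone still leaves the reconnect waiting on the handshake timer, so the timer reset belongs in the same change rather than a separate one.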
* Re: Long outage when changing private key
From: Derrick Lyndon Pallas @ 2019-01-25 1:55 UTC (permalink / raw)
To: Jason A. Donenfeld; +Cc: WireGuard mailing list
Thanks for taking a look; I should have spent 30 more minutes
investigating myself. Please see the patch set I just submitted.
Resetting the handshake timer is also necessary or else it takes until
the expiration of that timer to actually happen in my setup. It seemed
worth putting into a utility function in peers.c, rather than all in
netdev.c, so I did that. I checked the preshared key case and that seems
to work fine still.
~Derrick