Subject: Re: [PATCH 1/2] peer: add wg_peer_reset_keys
From: Derrick Lyndon Pallas
To: Triffid Hunter, "Jason A. Donenfeld"
Cc: WireGuard mailing list
Date: Thu, 4 Apr 2019 12:20:21 -0700
References: <20190313224643.17904-1-derrick@pallas.us>

Triffid, have you had a chance to test?

Jason, did you have any more thoughts? (You've clearly been busy given all the recent announcements!) This is the second version, which required a rebase but the code remained the same after verifying that the process did not change at all.

Thanks, ~Derrick


On 3/13/19 11:47 PM, Triffid Hunter wrote:
This sounds interesting, as I often get long (10-30 minute) stalls where wg is doing nothing but throwing keys back and forth. I'll let you know if it helps when I have a chance to test properly.

On Thu, 14 Mar 2019 at 06:44, <derrick@pallas.us> wrote:
From: Derrick Pallas <derrick@pallas.us>

This function will clear the key state for the peer and reset its handshake
timer.  This is useful, for instance, if it is known that the current key
material is bad.  Currently, this happens when the private key is changed.

Signed-off-by: Derrick Pallas <derrick@pallas.us>
---
 src/peer.c | 14 ++++++++++++++
 src/peer.h |  1 +
 2 files changed, 15 insertions(+)

diff --git a/src/peer.c b/src/peer.c
index 996f40b..be244a4 100644
--- a/src/peer.c
+++ b/src/peer.c
@@ -160,6 +160,20 @@ static void peer_remove_after_dead(struct wg_peer *peer)
        wg_peer_put(peer);
 }

+void wg_peer_reset_keys(struct wg_peer *peer)
+{
+       if (unlikely(!peer))
+               return;
+       lockdep_assert_held(&peer->device->device_update_lock);
+
+       wg_noise_handshake_clear(&peer->handshake);
+       wg_noise_keypairs_clear(&peer->keypairs);
+       wg_cookie_checker_precompute_peer_keys(peer);
+       atomic64_set(&peer->last_sent_handshake,
+               ktime_get_boot_fast_ns() -
+                       (u64)(REKEY_TIMEOUT + 1) * NSEC_PER_SEC);
+}
+
 /* We have a separate "remove" function make sure that all active places where
  * a peer is currently operating will eventually come to an end and not pass
  * their reference onto another context.
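Review bot: the commit message says this function resets the peer's handshake timer, but nothing in the body touches a timer; what it does is clear the handshake and keypair state, recompute the cookie-checker keys, and backdate `last_sent_handshake` to `ktime_get_boot_fast_ns() - (u64)(REKEY_TIMEOUT + 1) * NSEC_PER_SEC`. The purpose of that backdate (so the next handshake initiation is not held back by the REKEY_TIMEOUT rate limit) is not obvious from the arithmetic; add a one-line comment above the `atomic64_set` stating it, and reword the commit message to match what the code does. Since the function is exported via peer.h and relies on `lockdep_assert_held(&peer->device->device_update_lock)`, also document the locking precondition at the definition (e.g. `/* Caller must hold peer->device->device_update_lock. */`) so callers added later do not discover it only from a lockdep splat.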
diff --git a/src/peer.h b/src/peer.h
index 23af409..f85817f 100644
--- a/src/peer.h
+++ b/src/peer.h
@@ -79,5 +79,6 @@ static inline struct wg_peer *wg_peer_get(struct wg_peer *peer)
 void wg_peer_put(struct wg_peer *peer);
 void wg_peer_remove(struct wg_peer *peer);
 void wg_peer_remove_all(struct wg_device *wg);
+void wg_peer_reset_keys(struct wg_peer *peer);

 #endif /* _WG_PEER_H */
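Review bot: the new `wg_peer_reset_keys` declaration gives readers of peer.h no hint that the caller must hold `device_update_lock` or that a NULL `peer` is tolerated, both of which the definition in peer.c encodes. A short comment above the prototype covering the lock requirement would keep the header honest about the contract, matching how the assertion is enforced in the implementation.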
--
2.19.2

_______________________________________________
WireGuard mailing list
WireGuard@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/wireguard