Hello community, here is the log from the commit of package wireguard for openSUSE:Factory checked in at 2019-11-28 10:16:04 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/wireguard (Old) and /work/SRC/openSUSE:Factory/.wireguard.new.26869 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "wireguard" Thu Nov 28 10:16:04 2019 rev:2 rq:751449 version:0.0.20191127 Changes: -------- --- /work/SRC/openSUSE:Factory/wireguard/wireguard.changes 2019-11-26 16:52:07.856254371 +0100 +++ /work/SRC/openSUSE:Factory/.wireguard.new.26869/wireguard.changes 2019-11-28 10:16:27.111638584 +0100 @@ -1,0 +2,14 @@ +Wed Nov 27 19:01:39 UTC 2019 - Martin Hauke <[email protected]> + +- Update to version 0.0.20191127 + * messages: recalculate rekey max based on a one minute flood + * allowedips: safely dereference rcu roots + * socket: remove redundant check of new4 + * allowedips: avoid double lock in selftest error case + * wg-quick: linux: only touch net.ipv4 for v4 + * wg-quick: linux: filter bogus injected packets and don't + disable rpfilter + * reresolve-dns: remove invalid anchors on regex match + * tools: add syncconf command + +------------------------------------------------------------------- Old: ---- WireGuard-0.0.20191012.tar.asc WireGuard-0.0.20191012.tar.xz New: ---- WireGuard-0.0.20191127.tar.asc WireGuard-0.0.20191127.tar.xz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ wireguard.spec ++++++ --- /var/tmp/diff_new_pack.lGZOkF/_old 2019-11-28 10:16:28.139638594 +0100 +++ /var/tmp/diff_new_pack.lGZOkF/_new 2019-11-28 10:16:28.139638594 +0100 @@ -1,7 +1,7 @@ # # spec file for package wireguard # -# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany. # Copyright (c) 2017, Martin Hauke <[email protected]> # # All modifications and additions to the file contributed by third parties 
@@ -13,12 +13,12 @@ # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. -# Please submit bugfixes or comments via http://bugs.opensuse.org/ +# Please submit bugfixes or comments via https://bugs.opensuse.org/ # Name: wireguard -Version: 0.0.20191012 +Version: 0.0.20191127 Release: 0 Summary: Fast, modern, secure kernel VPN tunnel License: GPL-2.0-only ++++++ WireGuard-0.0.20191012.tar.xz -> WireGuard-0.0.20191127.tar.xz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/WireGuard-0.0.20191012/contrib/examples/reresolve-dns/reresolve-dns.sh new/WireGuard-0.0.20191127/contrib/examples/reresolve-dns/reresolve-dns.sh --- old/WireGuard-0.0.20191012/contrib/examples/reresolve-dns/reresolve-dns.sh 2019-10-12 16:55:11.000000000 +0200 +++ new/WireGuard-0.0.20191127/contrib/examples/reresolve-dns/reresolve-dns.sh 2019-11-27 15:39:16.000000000 +0100 @@ -15,7 +15,7 @@ process_peer() { [[ $PEER_SECTION -ne 1 || -z $PUBLIC_KEY || -z $ENDPOINT ]] && return 0 - [[ $(wg show "$INTERFACE" latest-handshakes) =~ ^${PUBLIC_KEY//+/\\+}\ ([0-9]+)$ ]] || return 0 + [[ $(wg show "$INTERFACE" latest-handshakes) =~ ${PUBLIC_KEY//+/\\+}\ ([0-9]+) ]] || return 0 (( ($(date +%s) - ${BASH_REMATCH[1]}) > 135 )) || return 0 wg set "$INTERFACE" peer "$PUBLIC_KEY" endpoint "$ENDPOINT" reset_peer_section diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/WireGuard-0.0.20191012/src/allowedips.c new/WireGuard-0.0.20191127/src/allowedips.c --- old/WireGuard-0.0.20191012/src/allowedips.c 2019-10-12 16:55:11.000000000 +0200 +++ new/WireGuard-0.0.20191127/src/allowedips.c 2019-11-27 15:39:16.000000000 +0100 
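Review bot: The pattern in process_peer now matches anywhere in the `wg show "$INTERFACE" latest-handshakes` output and nothing records why the `^`/`$` anchors had to go, so a future reader is likely to put them back; a comment above the test would prevent that, e.g. `# output has one "<pubkey> <time>" line per peer and [[ =~ ]] anchors apply to the whole string, so ^/$ must not be used`. It is also worth stating next to `${PUBLIC_KEY//+/\\+}` that escaping only `+` is enough because the other base64 characters (`/`, `=`) are not ERE metacharacters. process_peer continues outside the hunk.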
@@ -299,14 +299,18 @@ RCU_INIT_POINTER(table->root4, NULL); RCU_INIT_POINTER(table->root6, NULL); if (rcu_access_pointer(old4)) { - root_remove_peer_lists(old4); - call_rcu(&rcu_dereference_protected(old4, - lockdep_is_held(lock))->rcu, root_free_rcu); + struct allowedips_node *node = rcu_dereference_protected(old4, + lockdep_is_held(lock)); + + root_remove_peer_lists(node); + call_rcu(&node->rcu, root_free_rcu); } if (rcu_access_pointer(old6)) { - root_remove_peer_lists(old6); - call_rcu(&rcu_dereference_protected(old6, - lockdep_is_held(lock))->rcu, root_free_rcu); + struct allowedips_node *node = rcu_dereference_protected(old6, + lockdep_is_held(lock)); + + root_remove_peer_lists(node); + call_rcu(&node->rcu, root_free_rcu); } } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/WireGuard-0.0.20191012/src/dkms.conf new/WireGuard-0.0.20191127/src/dkms.conf --- old/WireGuard-0.0.20191012/src/dkms.conf 2019-10-12 16:55:11.000000000 +0200 +++ new/WireGuard-0.0.20191127/src/dkms.conf 2019-11-27 15:39:16.000000000 +0100 @@ -1,5 +1,5 @@ PACKAGE_NAME="wireguard" -PACKAGE_VERSION="0.0.20191012" +PACKAGE_VERSION="0.0.20191127" AUTOINSTALL=yes BUILT_MODULE_NAME="wireguard" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/WireGuard-0.0.20191012/src/messages.h new/WireGuard-0.0.20191127/src/messages.h --- old/WireGuard-0.0.20191012/src/messages.h 2019-10-12 16:55:11.000000000 +0200 +++ new/WireGuard-0.0.20191127/src/messages.h 2019-11-27 15:39:16.000000000 +0100 
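Review bot: The two new blocks for old4 and old6 are identical apart from the root they handle (rcu_access_pointer check, rcu_dereference_protected under `lockdep_is_held(lock)`, root_remove_peer_lists, call_rcu), which invites the next change to be applied to only one of them; a small static helper would keep the lock-state reasoning in one place. The enclosing function's signature is outside the hunk, so the helper below assumes `lock` is a `struct mutex *` as the lockdep_is_held() use suggests.
```c
/* Detach one root and defer its free; caller must hold @lock. */
static void root_free_locked(struct allowedips_node __rcu *root,
			     struct mutex *lock)
{
	struct allowedips_node *node;

	if (!rcu_access_pointer(root))
		return;
	node = rcu_dereference_protected(root, lockdep_is_held(lock));
	root_remove_peer_lists(node);
	call_rcu(&node->rcu, root_free_rcu);
}

/* … unchanged: enclosing function up to the RCU_INIT_POINTER calls … */
	root_free_locked(old4, lock);
	root_free_locked(old6, lock);
```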
@@ -38,7 +38,7 @@ }; enum limits { - REKEY_AFTER_MESSAGES = U64_MAX - 0xffff, + REKEY_AFTER_MESSAGES = 1ULL << 60, REJECT_AFTER_MESSAGES = U64_MAX - COUNTER_WINDOW_SIZE - 1, REKEY_TIMEOUT = 5, REKEY_TIMEOUT_JITTER_MAX_JIFFIES = HZ / 3, diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/WireGuard-0.0.20191012/src/selftest/allowedips.c new/WireGuard-0.0.20191127/src/selftest/allowedips.c --- old/WireGuard-0.0.20191012/src/selftest/allowedips.c 2019-10-12 16:55:11.000000000 +0200 +++ new/WireGuard-0.0.20191127/src/selftest/allowedips.c 2019-11-27 15:39:16.000000000 +0100 @@ -307,12 +307,12 @@ if (wg_allowedips_insert_v4(&t, (struct in_addr *)ip, cidr, peer, &mutex) < 0) { pr_err("allowedips random self-test malloc: FAIL\n"); - goto free; + goto free_locked; } if (horrible_allowedips_insert_v4(&h, (struct in_addr *)ip, cidr, peer) < 0) { pr_err("allowedips random self-test malloc: FAIL\n"); - goto free; + goto free_locked; } for (j = 0; j < NUM_MUTATED_ROUTES; ++j) { memcpy(mutated, ip, 4); @@ -334,12 +334,12 @@ (struct in_addr *)mutated, cidr, peer, &mutex) < 0) { pr_err("allowedips random malloc: FAIL\n"); - goto free; + goto free_locked; } if (horrible_allowedips_insert_v4(&h, (struct in_addr *)mutated, cidr, peer)) { pr_err("allowedips random self-test malloc: FAIL\n"); - goto free; + goto free_locked; } } } @@ -351,12 +351,12 @@ if (wg_allowedips_insert_v6(&t, (struct in6_addr *)ip, cidr, peer, &mutex) < 0) { pr_err("allowedips random self-test malloc: FAIL\n"); - goto free; + goto free_locked; } if (horrible_allowedips_insert_v6(&h, (struct in6_addr *)ip, cidr, peer) < 0) { pr_err("allowedips random self-test malloc: FAIL\n"); - goto free; + goto free_locked; } for (j = 0; j < NUM_MUTATED_ROUTES; ++j) { memcpy(mutated, ip, 16); 
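Review bot: `REKEY_AFTER_MESSAGES = 1ULL << 60` is a bare constant whose derivation lives only in the changelog entry ("recalculate rekey max based on a one minute flood"); a comment beside it would keep that reasoning with the code, e.g. `/* derived from a one-minute flood of messages; must stay below REJECT_AFTER_MESSAGES */`. The ordering REKEY_AFTER_MESSAGES < REJECT_AFTER_MESSAGES still holds with the new value but is not asserted anywhere visible; if BUILD_BUG_ON is already used in the module, one at the point of use would pin it. The enum continues outside the hunk.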
@@ -378,13 +378,13 @@ (struct in6_addr *)mutated, cidr, peer, &mutex) < 0) { pr_err("allowedips random self-test malloc: FAIL\n"); - goto free; + goto free_locked; } if (horrible_allowedips_insert_v6( &h, (struct in6_addr *)mutated, cidr, peer)) { pr_err("allowedips random self-test malloc: FAIL\n"); - goto free; + goto free_locked; } } } @@ -417,6 +417,7 @@ free: mutex_lock(&mutex); +free_locked: wg_allowedips_free(&t, &mutex); mutex_unlock(&mutex); horrible_allowedips_free(&h); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/WireGuard-0.0.20191012/src/socket.c new/WireGuard-0.0.20191127/src/socket.c --- old/WireGuard-0.0.20191012/src/socket.c 2019-10-12 16:55:11.000000000 +0200 +++ new/WireGuard-0.0.20191127/src/socket.c 2019-11-27 15:39:16.000000000 +0100 @@ -410,7 +410,7 @@ } #endif - wg_socket_reinit(wg, new4 ? new4->sk : NULL, new6 ? new6->sk : NULL); + wg_socket_reinit(wg, new4->sk, new6 ? new6->sk : NULL); return 0; } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/WireGuard-0.0.20191012/src/tests/qemu/Makefile new/WireGuard-0.0.20191127/src/tests/qemu/Makefile --- old/WireGuard-0.0.20191012/src/tests/qemu/Makefile 2019-10-12 16:55:11.000000000 +0200 +++ new/WireGuard-0.0.20191127/src/tests/qemu/Makefile 2019-11-27 15:39:16.000000000 +0100 @@ -6,7 +6,7 @@ CHOST := $(shell gcc -dumpmachine) ifneq (,$(ARCH)) -CBUILD := $(subst -gcc,,$(lastword $(subst /, ,$(firstword $(filter-out android,$(wildcard /usr/bin/$(ARCH)-*-gcc)))))) +CBUILD := $(subst -gcc,,$(lastword $(subst /, ,$(firstword $(filter-out android,$(wildcard $(foreach bindir,$(subst :, ,$(PATH)),$(bindir)/$(ARCH)-*-gcc))))))) endif ifeq (,$(CBUILD)) CBUILD := $(CHOST) 
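Review bot: The new `free_locked:` label placed directly after `mutex_lock(&mutex);` under `free:` gives the cleanup two entry points with different lock states, and nothing says which is which; a comment on the label would make the contract explicit: `free_locked: /* jump here only with mutex already held */`. The `goto free_locked` sites in the earlier hunks (@@ -307, @@ -334, @@ -351 and @@ -378) presumably all sit inside the locked insertion loops, which these hunks do not show, so that is worth confirming once. The enclosing self-test function starts outside the hunk.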
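Review bot: `wg_socket_reinit(wg, new4->sk, new6 ? new6->sk : NULL);` now dereferences new4 unconditionally while new6 keeps its NULL guard, and the asymmetry is not explained in the hunk; presumably the IPv4 socket creation path returns early on failure (that code is above the hunk, whose function starts outside it), so a one-line comment would stop a later reader from "fixing" the guard back in: `/* new4 cannot be NULL here: failing to create it returns early above */`.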
@@ -14,7 +14,7 @@ ARCH := $(firstword $(subst -, ,$(CBUILD))) # Set these from the environment to override -KERNEL_VERSION ?= 5.3.5 +KERNEL_VERSION ?= 5.4 KERNEL_VERSION := $(KERNEL_VERSION)$(if $(DEBUG_KERNEL),$(if $(findstring -debug,$(KERNEL_VERSION)),,-debug),) BUILD_PATH ?= $(PWD)/../../../qemu-build/$(ARCH) DISTFILES_PATH ?= $(PWD)/distfiles diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/WireGuard-0.0.20191012/src/tests/qemu/arch/powerpc64le.config new/WireGuard-0.0.20191127/src/tests/qemu/arch/powerpc64le.config --- old/WireGuard-0.0.20191012/src/tests/qemu/arch/powerpc64le.config 2019-10-12 16:55:11.000000000 +0200 +++ new/WireGuard-0.0.20191127/src/tests/qemu/arch/powerpc64le.config 2019-11-27 15:39:16.000000000 +0100 @@ -3,6 +3,7 @@ CONFIG_ALTIVEC=y CONFIG_VSX=y CONFIG_PPC_OF_BOOT_TRAMPOLINE=y +CONFIG_PPC_RADIX_MMU=y CONFIG_HVC_CONSOLE=y CONFIG_CPU_LITTLE_ENDIAN=y CONFIG_CMDLINE_BOOL=y diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/WireGuard-0.0.20191012/src/tools/man/wg.8 new/WireGuard-0.0.20191127/src/tools/man/wg.8 --- old/WireGuard-0.0.20191012/src/tools/man/wg.8 2019-10-12 16:55:11.000000000 +0200 +++ new/WireGuard-0.0.20191127/src/tools/man/wg.8 2019-11-27 15:39:16.000000000 +0100 
@@ -94,6 +94,14 @@ be in the format described by \fICONFIGURATION FILE FORMAT\fP below, to the current configuration of \fI<interface>\fP. .TP +\fBsyncconf\fP \fI<interface>\fP \fI<configuration-filename>\fP +Like \fBsetconf\fP, but reads back the existing configuration first +and only makes changes that are explicitly different between the configuration +file and the interface. This is much less efficient than \fBsetconf\fP, +but has the benefit of not disrupting current peer sessions. The contents of +\fI<configuration-filename>\fP must be in the format described by +\fICONFIGURATION FILE FORMAT\fP below. +.TP \fBgenkey\fP Generates a random \fIprivate\fP key in base64 and prints it to standard output. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/WireGuard-0.0.20191012/src/tools/setconf.c new/WireGuard-0.0.20191127/src/tools/setconf.c --- old/WireGuard-0.0.20191012/src/tools/setconf.c 2019-10-12 16:55:11.000000000 +0200 +++ new/WireGuard-0.0.20191127/src/tools/setconf.c 2019-11-27 15:39:16.000000000 +0100 
@@ -13,6 +13,89 @@
 #include "ipc.h"
 #include "subcommands.h"
+struct pubkey_origin {
+ uint8_t *pubkey;
+ bool from_file;
+};
+
+static int pubkey_cmp(const void *first, const void *second)
+{
+ const struct pubkey_origin *a = first, *b = second;
+ int ret = memcmp(a->pubkey, b->pubkey, WG_KEY_LEN);
+ if (ret)
+ return ret;
+ return a->from_file - b->from_file;
+}
+
+static bool sync_conf(struct wgdevice *file)
+{
+ struct wgdevice *runtime;
+ struct wgpeer *peer;
+ struct pubkey_origin *pubkeys;
+ size_t peer_count = 0, i = 0;
+
+ if (!file->first_peer)
+ return true;
+
+ for_each_wgpeer(file, peer)
+ ++peer_count;
+
+ if (ipc_get_device(&runtime, file->name) != 0) {
+ perror("Unable to retrieve current interface configuration");
+ return false;
+ }
+
+ if (!runtime->first_peer)
+ return true;
+
+ file->flags &= ~WGDEVICE_REPLACE_PEERS;
+
+ for_each_wgpeer(runtime, peer)
+ ++peer_count;
+
+ pubkeys = calloc(peer_count, sizeof(*pubkeys));
+ if (!pubkeys) {
+ free_wgdevice(runtime);
+ perror("Public key allocation");
+ return false;
+ }
+
+ for_each_wgpeer(file, peer) {
+ pubkeys[i].pubkey = peer->public_key;
+ pubkeys[i].from_file = true;
+ ++i;
+ }
+ for_each_wgpeer(runtime, peer) {
+ pubkeys[i].pubkey = peer->public_key;
+ pubkeys[i].from_file = false;
+ ++i;
+ }
+ qsort(pubkeys, peer_count, sizeof(*pubkeys), pubkey_cmp);
+
+ for (i = 0; i < peer_count; ++i) {
+ if (pubkeys[i].from_file)
+ continue;
+ if (i == peer_count - 1 || !pubkeys[i + 1].from_file || memcmp(pubkeys[i].pubkey, pubkeys[i + 1].pubkey, WG_KEY_LEN)) {
+ peer = calloc(1, sizeof(struct wgpeer));
+ if (!peer) {
+ free_wgdevice(runtime);
+ free(pubkeys);
+ perror("Peer allocation");
+ return false;
+ }
+ peer->flags = WGPEER_REMOVE_ME;
+ memcpy(peer->public_key, pubkeys[i].pubkey, WG_KEY_LEN);
+ peer->next_peer = file->first_peer;
+ file->first_peer = peer;
+ if (!file->last_peer)
+ file->last_peer = peer;
+ }
+ }
+ free_wgdevice(runtime);
+ free(pubkeys);
+ return true;
+}
+
 int setconf_main(int 
argc, char *argv[]) { struct wgdevice *device = NULL; @@ -50,6 +133,11 @@ strncpy(device->name, argv[1], IFNAMSIZ - 1); device->name[IFNAMSIZ - 1] = '\0'; + if (!strcmp(argv[0], "syncconf")) { + if (!sync_conf(device)) + goto cleanup; + } + if (ipc_set_device(device) != 0) { perror("Unable to modify interface"); goto cleanup; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/WireGuard-0.0.20191012/src/tools/wg-quick/android.c new/WireGuard-0.0.20191127/src/tools/wg-quick/android.c --- old/WireGuard-0.0.20191012/src/tools/wg-quick/android.c 2019-10-12 16:55:11.000000000 +0200 +++ new/WireGuard-0.0.20191127/src/tools/wg-quick/android.c 2019-11-27 15:39:16.000000000 +0100 @@ -358,15 +358,18 @@ static void cleanup_binder(AIBinder **binder) { - AIBinder_decStrong(*binder); + if (*binder) + AIBinder_decStrong(*binder); } static void cleanup_status(AStatus **status) { - AStatus_delete(*status); + if (*status) + AStatus_delete(*status); } static void cleanup_parcel(AParcel **parcel) { - AParcel_delete(*parcel); + if (*parcel) + AParcel_delete(*parcel); } #define _cleanup_status_ __attribute__((__cleanup__(cleanup_status))) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/WireGuard-0.0.20191012/src/tools/wg-quick/linux.bash new/WireGuard-0.0.20191127/src/tools/wg-quick/linux.bash --- old/WireGuard-0.0.20191012/src/tools/wg-quick/linux.bash 2019-10-12 16:55:11.000000000 +0200 +++ new/WireGuard-0.0.20191127/src/tools/wg-quick/linux.bash 2019-11-27 15:39:16.000000000 +0100 @@ -95,6 +95,7 @@ del_if() { local table [[ $HAVE_SET_DNS -eq 0 ]] || unset_dns + [[ $HAVE_SET_IPTABLES -eq 0 ]] || remove_iptables if [[ -z $TABLE || $TABLE == auto ]] && get_fwmark table && [[ $(wg show "$INTERFACE" allowed-ips) =~ /0(\ |$'\n'|$) ]]; then while [[ $(ip -4 rule show) == *"lookup $table"* ]]; do cmd ip -4 rule delete table $table 
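Review bot: sync_conf leaks the device returned by ipc_get_device: once `if (ipc_get_device(&runtime, file->name) != 0)` has succeeded, the `if (!runtime->first_peer) return true;` path returns without releasing it, whereas every later exit calls `free_wgdevice(runtime)`. It should read `if (!runtime->first_peer) { free_wgdevice(runtime); return true; }`. The earlier `if (!file->first_peer) return true;` intentionally leaves WGDEVICE_REPLACE_PEERS set, so a peer-less file still removes every runtime peer; that is consistent with setconf but deserves a one-line comment, since the wg.8 text added in this commit describes syncconf as only making explicit differences.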
@@ -180,8 +181,22 @@ return 0 } +remove_iptables() { + local line iptables found restore + for iptables in iptables ip6tables; do + restore="" found=0 + while read -r line; do + [[ $line == "*"* || $line == COMMIT || $line == "-A "*"-m comment --comment \"wg-quick(8) rule for $INTERFACE\""* ]] || continue + [[ $line == "-A"* ]] && found=1 + printf -v restore '%s\n%s' "$restore" "${line/#-A/-D}" + done < <($iptables-save) + [[ $found -eq 1 ]] && echo "$restore" | cmd $iptables-restore -nw + done +} + +HAVE_SET_IPTABLES=0 add_default() { - local table proto key value + local table proto i iptables if ! get_fwmark table; then table=51820 while [[ -n $(ip -4 route show table $table) || -n $(ip -6 route show table $table) ]]; do @@ -189,14 +204,21 @@ done cmd wg set "$INTERFACE" fwmark $table fi - proto=-4 - [[ $1 == *:* ]] && proto=-6 + proto=-4 iptables=iptables + [[ $1 == *:* ]] && proto=-6 iptables=ip6tables cmd ip $proto route add "$1" dev "$INTERFACE" table $table cmd ip $proto rule add not fwmark $table table $table cmd ip $proto rule add table main suppress_prefixlength 0 - while read -r key _ value; do - [[ $value -eq 1 ]] && sysctl -q "$key=2" - done < <(sysctl -a -r '^net\.ipv4.conf\.[^ .=]+\.rp_filter$') + + local marker="-m comment --comment \"wg-quick(8) rule for $INTERFACE\"" restore="*raw" + for i in "${ADDRESSES[@]}"; do + [[ ( $proto == -4 && $i != *:* ) || ( $proto == -6 && $i == *:* ) ]] || continue + printf -v restore '%s\n-I PREROUTING ! -i %s -d %s -m addrtype ! --src-type LOCAL -j DROP %s\n' "$restore" "$INTERFACE" "${i%/*}" "$marker" + done + printf -v restore '%s\nCOMMIT\n*mangle\n-I POSTROUTING -m mark --mark %d -p udp -j CONNMARK --save-mark %s\n-I PREROUTING -p udp -j CONNMARK --restore-mark %s\nCOMMIT\n' "$restore" $table "$marker" "$marker" + [[ $proto == -4 ]] && cmd sysctl -q net.ipv4.conf.all.src_valid_mark=1 + echo "$restore" | cmd $iptables-restore -nw + HAVE_SET_IPTABLES=1 return 0 } 
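Review bot: remove_iptables carries no comment on what it relies on: it rebuilds a restore batch from `$iptables-save` output by keeping only table headers, `COMMIT`, and `-A` rules that carry the `wg-quick(8) rule for $INTERFACE` marker, rewriting those to `-D` before replaying them with `$iptables-restore -nw`. A header comment saying so, and noting that it is idempotent because it deletes only rules it actually found, would help the next reader, e.g. `# Delete every rule add_default() tagged with our comment marker: turn the -A lines from iptables-save into -D lines and replay them with iptables-restore -n.` The match also depends on iptables-save emitting the comment text exactly as it was given, which is worth stating in the same comment.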
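Review bot: `HAVE_SET_IPTABLES=1` is set only after `echo "$restore" | cmd $iptables-restore -nw` succeeds, so if the restore fails part way (the batch has separate `*raw` and `*mangle` sections, and iptables-restore commits per table as far as I recall) the rules already committed are left behind and del_if, which calls remove_iptables only when the flag is 1, will not clean them up on the error path. Since remove_iptables deletes only rules it finds by the marker, it is safe to set the flag first: `HAVE_SET_IPTABLES=1` followed by `echo "$restore" | cmd $iptables-restore -nw`. A comment on the raw-table DROP rule would also help, e.g. `# drop packets addressed to our tunnel address that arrive on another interface from a non-local source (anti-spoofing, replaces the old rp_filter=2 change)`. add_default starts outside this hunk.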
@@ -301,6 +323,7 @@ [[ $SAVE_CONFIG -eq 0 ]] || save_config del_if unset_dns + remove_iptables execute_hooks "${POST_DOWN[@]}" } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/WireGuard-0.0.20191012/src/tools/wg.c new/WireGuard-0.0.20191127/src/tools/wg.c --- old/WireGuard-0.0.20191012/src/tools/wg.c 2019-10-12 16:55:11.000000000 +0200 +++ new/WireGuard-0.0.20191127/src/tools/wg.c 2019-11-27 15:39:16.000000000 +0100 @@ -21,6 +21,7 @@ { "set", set_main, "Change the current configuration, add peers, remove peers, or change peers" }, { "setconf", setconf_main, "Applies a configuration file to a WireGuard interface" }, { "addconf", setconf_main, "Appends a configuration file to a WireGuard interface" }, + { "syncconf", setconf_main, "Synchronizes a configuration file to a WireGuard interface" }, { "genkey", genkey_main, "Generates a new private key and writes it to stdout" }, { "genpsk", genkey_main, "Generates a new preshared key and writes it to stdout" }, { "pubkey", pubkey_main, "Reads a private key from stdin and writes a public key to stdout" } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/WireGuard-0.0.20191012/src/version.h new/WireGuard-0.0.20191127/src/version.h --- old/WireGuard-0.0.20191012/src/version.h 2019-10-12 16:55:11.000000000 +0200 +++ new/WireGuard-0.0.20191127/src/version.h 2019-11-27 15:39:16.000000000 +0100 @@ -1 +1 @@ -#define WIREGUARD_VERSION "0.0.20191012" +#define WIREGUARD_VERSION "0.0.20191127"
