Hello community, here is the log from the commit of package wireguard for openSUSE:Factory checked in at 2020-02-06 13:08:55 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/wireguard (Old) and /work/SRC/openSUSE:Factory/.wireguard.new.26092 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "wireguard" Thu Feb 6 13:08:55 2020 rev:9 rq:770400 version:0.0.20200205 Changes: --------
--- /work/SRC/openSUSE:Factory/wireguard/wireguard.changes 2020-01-29 13:20:33.502236641 +0100
+++ /work/SRC/openSUSE:Factory/.wireguard.new.26092/wireguard.changes 2020-02-06 13:08:59.176360989 +0100
@@ -1,0 +2,9 @@
+Wed Feb 5 20:35:15 UTC 2020 - Martin Hauke <[email protected]>
+
+- Update to version 0.0.20200205
+ * allowedips: remove previously added list item when OOM fail
+ * noise: reject peers with low order public keys
+ * netns: ensure non-addition of peers with failed precomputation
+ * netns: tie socket waiting to target pid
+
+-------------------------------------------------------------------
Old: ---- wireguard-linux-compat-0.0.20200128.tar.asc wireguard-linux-compat-0.0.20200128.tar.xz New: ---- wireguard-linux-compat-0.0.20200205.tar.asc wireguard-linux-compat-0.0.20200205.tar.xz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ wireguard.spec ++++++
--- /var/tmp/diff_new_pack.QDtg4W/_old 2020-02-06 13:09:00.112361498 +0100
+++ /var/tmp/diff_new_pack.QDtg4W/_new 2020-02-06 13:09:00.116361501 +0100
@@ -1,7 +1,7 @@
 #
 # spec file for package wireguard
 #
-# Copyright (c) 2020 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2020 SUSE LLC
 # Copyright (c) 2017-2020, Martin Hauke <[email protected]>
 #
 # All modifications and additions to the file contributed by third parties
@@ -18,7 +18,7 @@
 Name: wireguard
-Version: 0.0.20200128
+Version: 0.0.20200205
 Release: 0
 Summary: Fast, modern, secure kernel VPN tunnel
 License: GPL-2.0-only
++++++ wireguard-linux-compat-0.0.20200128.tar.xz -> wireguard-linux-compat-0.0.20200205.tar.xz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/wireguard-linux-compat-0.0.20200128/src/allowedips.c new/wireguard-linux-compat-0.0.20200205/src/allowedips.c
--- old/wireguard-linux-compat-0.0.20200128/src/allowedips.c 2020-01-28 16:37:17.000000000 +0100
+++ new/wireguard-linux-compat-0.0.20200205/src/allowedips.c 2020-02-05 14:37:40.000000000 +0100
@@ -268,6 +268,7 @@
 } else {
 node = kzalloc(sizeof(*node), GFP_KERNEL);
 if (unlikely(!node)) {
+ list_del(&newnode->peer_list);
 kfree(newnode);
 return -ENOMEM;
 }
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/wireguard-linux-compat-0.0.20200128/src/compat/compat.h new/wireguard-linux-compat-0.0.20200205/src/compat/compat.h
--- old/wireguard-linux-compat-0.0.20200128/src/compat/compat.h 2020-01-28 16:37:17.000000000 +0100
+++ new/wireguard-linux-compat-0.0.20200205/src/compat/compat.h 2020-02-05 14:37:40.000000000 +0100
@@ -16,6 +16,11 @@
 #define ISRHEL7
 #elif RHEL_MAJOR == 8
 #define ISRHEL8
+#ifdef RHEL_MINOR
+#if RHEL_MINOR == 2
+#define ISRHEL82
+#endif
+#endif
 #endif
 #endif
 #ifdef UTS_UBUNTU_RELEASE_ABI
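Review bot: The added `list_del(&newnode->peer_list)` is only meaningful because newnode was already linked into a peer list before this allocation; that insertion is above the hunk, and the enclosing function starts and ends outside it, so this is inferred rather than visible. The unlink-before-free is the right fix for the OOM path, but nothing at the site says why a node that is about to be kfree'd must be unlinked first, and a later cleanup could "simplify" it away and reintroduce the dangling list entry. Suggest `/* newnode is already on the peer's list; unlink it before freeing. */` directly above the list_del, and it is worth confirming that no other error return between the insertion and this point leaves the node linked.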
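Review bot: `#if RHEL_MINOR == 2` is an exact match, so a later 8.x minor that carries the same backports would fall through to the pre-5.1/5.2 shims guarded by the three `&& !defined(ISRHEL82)` sites later in this file (the skb_probe_transport_header, _bh RCU and NLA_MIN_LEN hunks) and most likely fail to build. Whether 8.3 and later keep those backports cannot be told from this diff; if they are expected to, `#if RHEL_MINOR >= 2` is the safer condition, and if each minor is meant to be opted in deliberately, that should be stated. Either way the macro deserves a one-line note on what it asserts, e.g. `/* RHEL 8.2 backported the 5.1/5.2 skb, RCU-bh and netlink-policy APIs; later minors must be verified and added here. */`, since the name alone does not say which upstream features it stands for.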
@@ -94,7 +99,7 @@
 (LINUX_VERSION_CODE < KERNEL_VERSION(3, 18, 27) && LINUX_VERSION_CODE >= KERNEL_VERSION(3, 17, 0)) || \
 (LINUX_VERSION_CODE < KERNEL_VERSION(3, 16, 8) && LINUX_VERSION_CODE >= KERNEL_VERSION(3, 15, 0)) || \
 (LINUX_VERSION_CODE < KERNEL_VERSION(3, 14, 40) && LINUX_VERSION_CODE >= KERNEL_VERSION(3, 13, 0)) || \
- (LINUX_VERSION_CODE < KERNEL_VERSION(3, 12, 54))) && !defined(ISUBUNTU1404) && (!defined(ISRHEL7) || RHEL_MINOR < 7) /* TODO: remove < 7 workaround once CentOS 7.7 comes out. */
+ (LINUX_VERSION_CODE < KERNEL_VERSION(3, 12, 54))) && !defined(ISUBUNTU1404) && !defined(ISRHEL7)
 #include <linux/if.h>
 #include <net/ip_tunnels.h>
 #define IP6_ECN_set_ce(a, b) IP6_ECN_set_ce(b)
@@ -787,7 +792,7 @@
 #endif
 #endif
-#if LINUX_VERSION_CODE < KERNEL_VERSION(5, 1, 0)
+#if LINUX_VERSION_CODE < KERNEL_VERSION(5, 1, 0) && !defined(ISRHEL82)
 #include <linux/skbuff.h>
 #define skb_probe_transport_header(a) skb_probe_transport_header(a, 0)
 #endif
@@ -796,7 +801,7 @@
 #define ignore_df local_df
 #endif
-#if LINUX_VERSION_CODE < KERNEL_VERSION(5, 1, 0)
+#if LINUX_VERSION_CODE < KERNEL_VERSION(5, 1, 0) && !defined(ISRHEL82)
 /* Note that all intentional uses of the non-_bh variety need to explicitly
 * undef these, conditionalized on COMPAT_CANNOT_DEPRECIATE_BH_RCU.
 */
@@ -838,7 +843,7 @@
 #if LINUX_VERSION_CODE < KERNEL_VERSION(4, 20, 0) && !defined(ISRHEL8)
 #define NLA_EXACT_LEN NLA_UNSPEC
 #endif
-#if LINUX_VERSION_CODE < KERNEL_VERSION(5, 2, 0)
+#if LINUX_VERSION_CODE < KERNEL_VERSION(5, 2, 0) && !defined(ISRHEL82)
 #define NLA_MIN_LEN NLA_UNSPEC
 #define COMPAT_CANNOT_INDIVIDUAL_NETLINK_OPS_POLICY
 #endif
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/wireguard-linux-compat-0.0.20200128/src/dkms.conf new/wireguard-linux-compat-0.0.20200205/src/dkms.conf
--- old/wireguard-linux-compat-0.0.20200128/src/dkms.conf 2020-01-28 16:37:17.000000000 +0100
+++ new/wireguard-linux-compat-0.0.20200205/src/dkms.conf 2020-02-05 14:37:40.000000000 +0100
@@ -1,5 +1,5 @@
 PACKAGE_NAME="wireguard"
-PACKAGE_VERSION="0.0.20200128"
+PACKAGE_VERSION="0.0.20200205"
 AUTOINSTALL=yes
 BUILT_MODULE_NAME="wireguard"
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/wireguard-linux-compat-0.0.20200128/src/netlink.c new/wireguard-linux-compat-0.0.20200205/src/netlink.c
--- old/wireguard-linux-compat-0.0.20200128/src/netlink.c 2020-01-28 16:37:17.000000000 +0100
+++ new/wireguard-linux-compat-0.0.20200205/src/netlink.c 2020-02-05 14:37:40.000000000 +0100
@@ -567,10 +567,8 @@
 private_key);
 list_for_each_entry_safe(peer, temp, &wg->peer_list, peer_list) {
- if (wg_noise_precompute_static_static(peer))
- wg_noise_expire_current_peer_keypairs(peer);
- else
- wg_peer_remove(peer);
+ BUG_ON(!wg_noise_precompute_static_static(peer));
+ wg_noise_expire_current_peer_keypairs(peer);
 }
 wg_cookie_checker_precompute_device_keys(&wg->cookie_checker);
 up_write(&wg->static_identity.lock);
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/wireguard-linux-compat-0.0.20200128/src/noise.c new/wireguard-linux-compat-0.0.20200205/src/noise.c
--- old/wireguard-linux-compat-0.0.20200128/src/noise.c 2020-01-28 16:37:17.000000000 +0100
+++ new/wireguard-linux-compat-0.0.20200205/src/noise.c 2020-02-05 14:37:40.000000000 +0100
@@ -46,17 +46,21 @@
 /* Must hold peer->handshake.static_identity->lock */
 bool wg_noise_precompute_static_static(struct wg_peer *peer)
 {
- bool ret = true;
+ bool ret;
 down_write(&peer->handshake.lock);
- if (peer->handshake.static_identity->has_identity)
+ if (peer->handshake.static_identity->has_identity) {
 ret = curve25519(
 peer->handshake.precomputed_static_static,
 peer->handshake.static_identity->static_private,
 peer->handshake.remote_static);
- else
+ } else {
+ u8 empty[NOISE_PUBLIC_KEY_LEN] = { 0 };
+
+ ret = curve25519(empty, empty, peer->handshake.remote_static);
 memset(peer->handshake.precomputed_static_static, 0,
 NOISE_PUBLIC_KEY_LEN);
+ }
 up_write(&peer->handshake.lock);
 return ret;
 }
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/wireguard-linux-compat-0.0.20200128/src/tests/netns.sh new/wireguard-linux-compat-0.0.20200205/src/tests/netns.sh
--- old/wireguard-linux-compat-0.0.20200128/src/tests/netns.sh 2020-01-28 16:37:17.000000000 +0100
+++ new/wireguard-linux-compat-0.0.20200205/src/tests/netns.sh 2020-02-05 14:37:40.000000000 +0100
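Review bot: `BUG_ON(!wg_noise_precompute_static_static(peer))` turns a condition the old loop handled by dropping the peer into a kernel panic reachable from a privileged set-private-key request. It is sound only under an invariant this hunk does not show: judging by the noise.c hunk in the same diff, the precomputation now fails only when curve25519() reports an all-zero result, which for a remote key that is not a low-order point should not depend on which private key is installed, and such peers are presumably rejected at creation time in code outside this diff. That invariant belongs next to the assertion, e.g. `/* Cannot fail: peers with low-order public keys are rejected when created, and the result depends only on the remote key. */`, so a future change to peer creation does not silently turn this into an availability bug; a `WARN_ON` that skips the peer would degrade more gracefully if that is acceptable. The enclosing function starts and ends outside the hunk.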
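Review bot: The new else branch calls `curve25519(empty, empty, peer->handshake.remote_static)` with one buffer serving as both output and scalar, and the computed value is then discarded; neither the aliasing nor the intent is stated. Whether every backend behind curve25519() (the generic one and the arch-specific ones dispatched outside this file) tolerates its output aliasing the scalar input is not visible here and is worth confirming. Suggest `/* No local identity yet: run a throwaway DH with a dummy scalar purely so that curve25519()'s all-zero-output check rejects a low-order remote_static. */` above the call, and using a distinct output buffer removes the aliasing question entirely: `u8 out[NOISE_PUBLIC_KEY_LEN];` and `ret = curve25519(out, empty, peer->handshake.remote_static);`.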
@@ -38,9 +38,8 @@
 ip1() { pretty 1 "ip $*"; ip -n $netns1 "$@"; }
 ip2() { pretty 2 "ip $*"; ip -n $netns2 "$@"; }
 sleep() { read -t "$1" -N 1 || true; }
-waitiperf() { pretty "${1//*-}" "wait for iperf:5201"; while [[ $(ss -N "$1" -tlp 'sport = 5201') != *iperf3* ]]; do sleep 0.1; done; }
-waitncatudp() { pretty "${1//*-}" "wait for udp:1111"; while [[ $(ss -N "$1" -ulp 'sport = 1111') != *ncat* ]]; do sleep 0.1; done; }
-waitncattcp() { pretty "${1//*-}" "wait for tcp:1111"; while [[ $(ss -N "$1" -tlp 'sport = 1111') != *ncat* ]]; do sleep 0.1; done; }
+waitiperf() { pretty "${1//*-}" "wait for iperf:5201 pid $2"; while [[ $(ss -N "$1" -tlpH 'sport = 5201') != *\"iperf3\",pid=$2,fd=* ]]; do sleep 0.1; done; }
+waitncatudp() { pretty "${1//*-}" "wait for udp:1111 pid $2"; while [[ $(ss -N "$1" -ulpH 'sport = 1111') != *\"ncat\",pid=$2,fd=* ]]; do sleep 0.1; done; }
 waitiface() { pretty "${1//*-}" "wait for $2 to come up"; ip netns exec "$1" bash -c "while [[ \$(< \"/sys/class/net/$2/operstate\") != up ]]; do read -t .1 -N 0 || true; done;"; }
 cleanup() {
@@ -119,22 +118,22 @@
 # TCP over IPv4
 n2 iperf3 -s -1 -B 192.168.241.2 &
- waitiperf $netns2
+ waitiperf $netns2 $!
 n1 iperf3 -Z -t 3 -c 192.168.241.2
 # TCP over IPv6
 n1 iperf3 -s -1 -B fd00::1 &
- waitiperf $netns1
+ waitiperf $netns1 $!
 n2 iperf3 -Z -t 3 -c fd00::1
 # UDP over IPv4
 n1 iperf3 -s -1 -B 192.168.241.1 &
- waitiperf $netns1
+ waitiperf $netns1 $!
 n2 iperf3 -Z -t 3 -b 0 -u -c 192.168.241.1
 # UDP over IPv6
 n2 iperf3 -s -1 -B fd00::2 &
- waitiperf $netns2
+ waitiperf $netns2 $!
 n1 iperf3 -Z -t 3 -b 0 -u -c fd00::2
 }
@@ -207,7 +206,7 @@
 n1 wg set wg0 peer "$pub2" allowed-ips 192.168.241.0/24
 exec 4< <(n1 ncat -l -u -p 1111)
 ncat_pid=$!
-waitncatudp $netns1
+waitncatudp $netns1 $ncat_pid
 n2 ncat -u 192.168.241.1 1111 <<<"X"
 read -r -N 1 -t 1 out <&4 && [[ $out == "X" ]]
 kill $ncat_pid
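Review bot: The new `waitiperf`/`waitncatudp` match `pid=$2` in the `ss -p` output, so they only return once the listening socket is owned by exactly that pid; the callers pass `$!`, which is the pid of the background job's subshell (or of the process substitution in the `exec 4< <(...)` case), and the `n1`/`n2` wrappers are defined outside the hunk, so this hangs forever unless those wrappers exec into iperf3/ncat rather than fork it. That requirement should be stated where the functions are defined, e.g. `# $2 must be the pid that owns the socket: n1/n2 exec into the server, so $! of the background job is that pid.` The match also relies on the `"name",pid=N,fd=M` form of `ss -p` and on `-H`, which older iproute2 releases may not print or accept; a comment naming that dependency would save a confusing timeout on an older distro. Removing `waitncattcp` is fine provided no caller remains; none is visible in this diff.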
@@ -216,7 +215,7 @@
 n2 wg set wg0 listen-port 9997
 exec 4< <(n1 ncat -l -u -p 1111)
 ncat_pid=$!
-waitncatudp $netns1
+waitncatudp $netns1 $ncat_pid
 n2 ncat -u 192.168.241.1 1111 <<<"X"
 ! read -r -N 1 -t 1 out <&4 || false
 kill $ncat_pid
@@ -519,6 +518,12 @@
 n0 wg set wg0 peer "$pub2" allowed-ips 0.0.0.0/0
 n0 wg set wg0 peer "$pub2" allowed-ips ::/0,1700::/111,5000::/4,e000::/37,9000::/75
 n0 wg set wg0 peer "$pub2" allowed-ips ::/0
+n0 wg set wg0 peer "$pub2" remove
+low_order_points=( AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA= AQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA= 4Ot6fDtBuK4WVuP68Z/EatoJjeucMrH9hmIFFl9JuAA= X5yVvKNQjCSx0LFVnIPvWwREXMRYHI6G2CJO3dCfEVc= 7P///////////////////////////////////////38= 7f///////////////////////////////////////38= 7v///////////////////////////////////////38= )
+n0 wg set wg0 private-key /dev/null ${low_order_points[@]/#/peer }
+[[ -z $(n0 wg show wg0 peers) ]]
+n0 wg set wg0 private-key <(echo "$key1") ${low_order_points[@]/#/peer }
+[[ -z $(n0 wg show wg0 peers) ]]
 ip0 link del wg0
 declare -A objects
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/wireguard-linux-compat-0.0.20200128/src/version.h new/wireguard-linux-compat-0.0.20200205/src/version.h
--- old/wireguard-linux-compat-0.0.20200128/src/version.h 2020-01-28 16:37:17.000000000 +0100
+++ new/wireguard-linux-compat-0.0.20200205/src/version.h 2020-02-05 14:37:40.000000000 +0100
@@ -1,3 +1,3 @@
 #ifndef WIREGUARD_VERSION
-#define WIREGUARD_VERSION "0.0.20200128"
+#define WIREGUARD_VERSION "0.0.20200205"
 #endif
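Review bot: The low-order-key checks in the `@@ -519,6 +518,12 @@` hunk assert only the end state (`[[ -z $(n0 wg show wg0 peers) ]]`), not how `wg set` itself reported the rejection; whether the kernel returns an error for such a peer or drops it silently is decided outside this diff, and under the script's error handling (also outside the hunk) the bare `n0 wg set ...` lines implicitly require the command to succeed. Stating that contract explicitly would pin it, e.g. `# wg set must succeed but add no peer: low-order public keys are rejected at precomputation` above the first `n0 wg set wg0 private-key /dev/null ...` line, or a `!` prefix if the rejection is meant to surface as a failure. The `low_order_points` array would also read better with a one-line comment saying which low-order or non-canonical points the seven base64 values encode, since the strings alone are opaque to the next maintainer.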
