On 30-Jun-22 07:41, Jason A. Donenfeld wrote:
On Thu, Jun 30, 2022 at 06:47:38AM -0400, tlhackque wrote:
FWIW: Having watched the discussion about CONFIG_ANDROID, it occurs to
me that there's an alternative for WireGuard that sidesteps the issue.

  From the last patcheset, it seems that the only use in WireGuard is to
avoid clearing keys on every wake-up.
No, it clears keys before sleeping.

So: Why not timestamp key-clear events, and establish a minimum interval?
Because we don't know when we're going to wake up again, and the
objective is to maintain forward secrecy.


Thanks for the explanation.  One more attempt.

If I understand what's happening:

You're really trying to establish a maximum key lifetime - sleep being a proxy for "too long to keep using".  On conventional platforms, that's been good enough.  On these Android platforms, it's not.

You're clearing the key before sleeping so that after a presumably longish time, you'll negotiate a new one.  But on some platforms, the sleeps are so frequent that "longish" is inconveniently short.  And the renegotiations are expensive.  On those platforms, you don't clear the key to avoid the frequent renegotiations.  This keeps the old key in use across the sleeps.

Alternatively, why not make the maximum key lifetime explicit.  E.g. On all platforms you could set a renegotiate time when a key is established, and if it has expired on wake (or on use) trigger renegotiation.  This guarantees a maximum key lifetime, independent of the frequency or duration of sleeps.  And you don't need to know when you'll wake.

If you also want to make sure that the key isn't in memory longer than that time (e.g. to avoid capture on a dump or device loss), you could also set a timer (of the sort that wakes the CPU from sleep) that clears the key at that time.

There are obvious optimizations if necessary.

The point I'm trying to make is that rather than thinking about the annoying platform behavior's effect on the implementation, it's probably better to think about what WireGuard is really trying to do and express it in the implementation.

I hope this perspective helps.  I'll step out of your way now.

Attachment: OpenPGP_signature
Description: OpenPGP digital signature

Reply via email to