From: "Jason Donenfeld" <zx2c4@gentoo.org>
To: gentoo-commits@lists.gentoo.org
Subject: [gentoo-commits] repo/gentoo:master commit in: net-vpn/wireguard/files/, net-vpn/wireguard/
Date: Mon, 12 Jun 2017 22:27:31 +0000 (UTC) [thread overview]
Message-ID: <1497306425.c58b1895381f1fc0686da6770137bd48ba163392.zx2c4@gentoo> (raw)
commit: c58b1895381f1fc0686da6770137bd48ba163392
Author: Jason A. Donenfeld <zx2c4 <AT> gentoo <DOT> org>
AuthorDate: Mon Jun 12 22:26:57 2017 +0000
Commit: Jason Donenfeld <zx2c4 <AT> gentoo <DOT> org>
CommitDate: Mon Jun 12 22:27:05 2017 +0000
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c58b1895
net-vpn/wireguard: version bump
Package-Manager: Portage-2.3.6, Repoman-2.3.2
net-vpn/wireguard/Manifest | 2 +-
.../wireguard-0.0.20170612-wait-for-rng.patch | 94 ----------------------
...612-r1.ebuild => wireguard-0.0.20170613.ebuild} | 2 -
3 files changed, 1 insertion(+), 97 deletions(-)
diff --git a/net-vpn/wireguard/Manifest b/net-vpn/wireguard/Manifest
index 207265f427a..581050e5fb7 100644
--- a/net-vpn/wireguard/Manifest
+++ b/net-vpn/wireguard/Manifest
@@ -1 +1 @@
-DIST WireGuard-0.0.20170612.tar.xz 160712 SHA256 34efc70703f2b1ae38fd2bcc4c6031b4acc3f303c6e182a1958b7cf236a529ab SHA512 152642f7d1169947ec4c2619930f2e3756ab219113be15fc8f462edd234d1df4a50c297792e9fdef041b5e7729c2e3e72ceb80dfd1d0a7309dde16a13b3da99b WHIRLPOOL 8293879180a538279426dcfca3efb328f380413d1601997752e15ff8049bbe1d0f4112fe49fde0995695853e6e062c0fe7847e9db3d6bee9ba1ab5e4e1d71e28
+DIST WireGuard-0.0.20170613.tar.xz 160496 SHA256 88ac77569eeb79c517318d58a0954caa0a4d2a6a1694e74c2a3b1c14438ac941 SHA512 71b31900f8064415b54a023042a199f77ba212466ffa4f6fb13428f8acc592873e6f8d75063d6777464c6b13bfa86949be2036ff62179aaae2f63c0a99937987 WHIRLPOOL f10ed8c01b349ecd2a76db8022f3bf1ef0e2895382ee01f85b748cab3d99f3cd4546dd15eea695aa1e08aa34ad7856821df6039630f7569e14d64c3476a80aed
diff --git a/net-vpn/wireguard/files/wireguard-0.0.20170612-wait-for-rng.patch b/net-vpn/wireguard/files/wireguard-0.0.20170612-wait-for-rng.patch
deleted file mode 100644
index 0b5803c839d..00000000000
--- a/net-vpn/wireguard/files/wireguard-0.0.20170612-wait-for-rng.patch
+++ /dev/null
@@ -1,94 +0,0 @@
-From 401294f7526de40a15c06997fceae58278807d22 Mon Sep 17 00:00:00 2001
-From: "Jason A. Donenfeld" <Jason@zx2c4.com>
-Date: Mon, 12 Jun 2017 16:32:59 +0200
-Subject: [PATCH] random: wait for random bytes when generating nonces and
- ephemerals
-
-We can let userspace configure wireguard interfaces before the RNG is
-fully initialized, since what we mostly care about is having good
-randomness for ephemerals and xchacha nonces. By deferring the wait to
-actually asking for the randomness, we give a lot more opportunity for
-gathering entropy. This won't cover entropy for hash table secrets or
-cookie secrets (which rotate anyway), but those have far less
-catastrophic failure modes, so ensuring good randomness for elliptic
-curve points and nonces should be sufficient.
----
- src/compat/compat.h | 10 ++++++++++
- src/config.c | 5 -----
- src/cookie.c | 2 +-
- src/crypto/curve25519.c | 2 +-
- 4 files changed, 12 insertions(+), 7 deletions(-)
-
-diff --git a/src/compat/compat.h b/src/compat/compat.h
-index 68d62b9..6c1bfa3 100644
---- a/src/compat/compat.h
-+++ b/src/compat/compat.h
-@@ -265,6 +265,16 @@ static inline int wait_for_random_bytes(void)
- return 0;
- }
- #endif
-+#if LINUX_VERSION_CODE < KERNEL_VERSION(4, 13, 0)
-+static inline int get_random_bytes_wait(void *buf, int nbytes)
-+{
-+ int ret = wait_for_random_bytes();
-+ if (unlikely(ret))
-+ return ret;
-+ get_random_bytes(buf, nbytes);
-+ return 0;
-+}
-+#endif
-
- /* https://lkml.org/lkml/2015/6/12/415 */
- #include <linux/netdevice.h>
-diff --git a/src/config.c b/src/config.c
-index 286c874..d3b6611 100644
---- a/src/config.c
-+++ b/src/config.c
-@@ -8,7 +8,6 @@
- #include "hashtables.h"
- #include "peer.h"
- #include "uapi.h"
--#include <linux/random.h>
-
- static int set_device_port(struct wireguard_device *wg, u16 port)
- {
-@@ -135,10 +134,6 @@ int config_set_device(struct wireguard_device *wg, void __user *user_device)
- void __user *user_peer;
- bool modified_static_identity = false;
-
-- /* It's important that the Linux RNG is fully seeded before we let the user
-- * actually configure the device, so that we're assured to have good ephemerals. */
-- wait_for_random_bytes();
--
- BUILD_BUG_ON(WG_KEY_LEN != NOISE_PUBLIC_KEY_LEN);
- BUILD_BUG_ON(WG_KEY_LEN != NOISE_SYMMETRIC_KEY_LEN);
-
-diff --git a/src/cookie.c b/src/cookie.c
-index 21b7c7b..ce22b53 100644
---- a/src/cookie.c
-+++ b/src/cookie.c
-@@ -161,7 +161,7 @@ void cookie_message_create(struct message_handshake_cookie *dst, struct sk_buff
-
- dst->header.type = cpu_to_le32(MESSAGE_HANDSHAKE_COOKIE);
- dst->receiver_index = index;
-- get_random_bytes(dst->nonce, COOKIE_NONCE_LEN);
-+ get_random_bytes_wait(dst->nonce, COOKIE_NONCE_LEN);
-
- make_cookie(cookie, skb, checker);
- xchacha20poly1305_encrypt(dst->encrypted_cookie, cookie, COOKIE_LEN, macs->mac1, COOKIE_LEN, dst->nonce, checker->cookie_encryption_key);
-diff --git a/src/crypto/curve25519.c b/src/crypto/curve25519.c
-index f0e045e..119d41a 100644
---- a/src/crypto/curve25519.c
-+++ b/src/crypto/curve25519.c
-@@ -1545,7 +1545,7 @@ bool curve25519_generate_public(u8 pub[CURVE25519_POINT_SIZE], const u8 secret[C
-
- void curve25519_generate_secret(u8 secret[CURVE25519_POINT_SIZE])
- {
-- get_random_bytes(secret, CURVE25519_POINT_SIZE);
-+ get_random_bytes_wait(secret, CURVE25519_POINT_SIZE);
- normalize_secret(secret);
- }
-
---
-2.13.1
-
diff --git a/net-vpn/wireguard/wireguard-0.0.20170612-r1.ebuild b/net-vpn/wireguard/wireguard-0.0.20170613.ebuild
similarity index 98%
rename from net-vpn/wireguard/wireguard-0.0.20170612-r1.ebuild
rename to net-vpn/wireguard/wireguard-0.0.20170613.ebuild
index c4df19fc775..2bc281b63b0 100644
--- a/net-vpn/wireguard/wireguard-0.0.20170612-r1.ebuild
+++ b/net-vpn/wireguard/wireguard-0.0.20170613.ebuild
@@ -32,8 +32,6 @@ CONFIG_CHECK="NET INET NET_UDP_TUNNEL NF_CONNTRACK NETFILTER_XT_MATCH_HASHLIMIT
WARNING_PADATA="If you're running a multicore system you likely should enable CONFIG_PADATA for improved performance and parallel crypto."
WARNING_IP6_NF_IPTABLES="If your kernel has CONFIG_IPV6, you need CONFIG_IP6_NF_IPTABLES; otherwise WireGuard will not insert."
-PATCHES=( "${FILESDIR}/${P}-wait-for-rng.patch" )
-
pkg_setup() {
if use module; then
linux-mod_pkg_setup