Openwrt/target/linux/generic/backport-5.4/080-wireguard-0096-wireguard-receive-use-tunnel-helpers-for-decapsulati.patch

From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Toke=20H=C3=B8iland-J=C3=B8rgensen?= <toke@redhat.com>
Date: Wed, 29 Apr 2020 14:59:22 -0600
Subject: [PATCH] wireguard: receive: use tunnel helpers for decapsulating ECN
 markings
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

commit eebabcb26ea1e3295704477c6cd4e772c96a9559 upstream.

WireGuard currently only propagates ECN markings on tunnel decap according
to the old RFC3168 specification. However, the spec has since been updated
in RFC6040 to recommend slightly different decapsulation semantics. This
was implemented in the kernel as a set of common helpers for ECN
decapsulation, so let's just switch over WireGuard to using those, so it
can benefit from this enhancement and any future tweaks. We do not drop
packets with invalid ECN marking combinations, because WireGuard is
frequently used to work around broken ISPs, which could be doing that.

Fixes: e7096c131e51 ("net: WireGuard secure network tunnel")
Reported-by: Olivier Tilmans <olivier.tilmans@nokia-bell-labs.com>
Cc: Dave Taht <dave.taht@gmail.com>
Cc: Rodney W. Grimes <ietf@gndrsh.dnsmgr.net>
Signed-off-by: Toke Høiland-Jørgensen <toke@redhat.com>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
---
 drivers/net/wireguard/receive.c | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

--- a/drivers/net/wireguard/receive.c
+++ b/drivers/net/wireguard/receive.c
@@ -393,13 +393,11 @@ static void wg_packet_consume_data_done(
 		len = ntohs(ip_hdr(skb)->tot_len);
 		if (unlikely(len < sizeof(struct iphdr)))
 			goto dishonest_packet_size;
-		if (INET_ECN_is_ce(PACKET_CB(skb)->ds))
-			IP_ECN_set_ce(ip_hdr(skb));
+		INET_ECN_decapsulate(skb, PACKET_CB(skb)->ds, ip_hdr(skb)->tos);
 	} else if (skb->protocol == htons(ETH_P_IPV6)) {
 		len = ntohs(ipv6_hdr(skb)->payload_len) +
 		      sizeof(struct ipv6hdr);
-		if (INET_ECN_is_ce(PACKET_CB(skb)->ds))
-			IP6_ECN_set_ce(skb, ipv6_hdr(skb));
+		INET_ECN_decapsulate(skb, PACKET_CB(skb)->ds, ipv6_get_dsfield(ipv6_hdr(skb)));
 	} else {
 		goto dishonest_packet_type;
 	}
kernel-5.4: backport fd16931a2f51 for chacha neon Without this patch, the chacha block counter is not incremented on neon rounds, resulting in incorrect calculations and corrupt packets. This also switches to using `--no-numbered --zero-commit` so that future diffs are smaller. Reported-by: Hans Geiblinger <cybrnook2002@yahoo.com> Reviewed-by: Ilya Lipnitskiy <ilya.lipnitskiy@gmail.com> Cc: David Bauer <mail@david-bauer.net> Cc: Petr Štetiar <ynezz@true.cz> Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com> 2021-03-02 08:24:45 +00:00			`From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001`
kernel: 5.4: import wireguard backport Rather than using the clunky, old, slower wireguard-linux-compat out of tree module, this commit does a patch-by-patch backport of upstream's wireguard to 5.4. This specific backport is in widespread use, being part of SUSE's enterprise kernel, Oracle's enterprise kernel, Google's Android kernel, Gentoo's distro kernel, and probably more I've forgotten about. It's definately the "more proper" way of adding wireguard to a kernel than the ugly compat.h hell of the wireguard-linux-compat repo. And most importantly for OpenWRT, it allows using the same module configuration code for 5.10 as for 5.4, with no need for bifurcation. These patches are from the backport tree which is maintained in the open here: https://git.zx2c4.com/wireguard-linux/log/?h=backport-5.4.y I'll be sending PRs to update this as needed. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com> 2021-02-19 13:29:04 +00:00			`From: =?UTF-8?q?Toke=20H=C3=B8iland-J=C3=B8rgensen?= <toke@redhat.com>`
			`Date: Wed, 29 Apr 2020 14:59:22 -0600`
kernel-5.4: backport fd16931a2f51 for chacha neon Without this patch, the chacha block counter is not incremented on neon rounds, resulting in incorrect calculations and corrupt packets. This also switches to using `--no-numbered --zero-commit` so that future diffs are smaller. Reported-by: Hans Geiblinger <cybrnook2002@yahoo.com> Reviewed-by: Ilya Lipnitskiy <ilya.lipnitskiy@gmail.com> Cc: David Bauer <mail@david-bauer.net> Cc: Petr Štetiar <ynezz@true.cz> Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com> 2021-03-02 08:24:45 +00:00			`Subject: [PATCH] wireguard: receive: use tunnel helpers for decapsulating ECN`
			`markings`
kernel: 5.4: import wireguard backport Rather than using the clunky, old, slower wireguard-linux-compat out of tree module, this commit does a patch-by-patch backport of upstream's wireguard to 5.4. This specific backport is in widespread use, being part of SUSE's enterprise kernel, Oracle's enterprise kernel, Google's Android kernel, Gentoo's distro kernel, and probably more I've forgotten about. It's definately the "more proper" way of adding wireguard to a kernel than the ugly compat.h hell of the wireguard-linux-compat repo. And most importantly for OpenWRT, it allows using the same module configuration code for 5.10 as for 5.4, with no need for bifurcation. These patches are from the backport tree which is maintained in the open here: https://git.zx2c4.com/wireguard-linux/log/?h=backport-5.4.y I'll be sending PRs to update this as needed. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com> 2021-02-19 13:29:04 +00:00			`MIME-Version: 1.0`
			`Content-Type: text/plain; charset=UTF-8`
			`Content-Transfer-Encoding: 8bit`

			`commit eebabcb26ea1e3295704477c6cd4e772c96a9559 upstream.`

			`WireGuard currently only propagates ECN markings on tunnel decap according`
			`to the old RFC3168 specification. However, the spec has since been updated`
			`in RFC6040 to recommend slightly different decapsulation semantics. This`
			`was implemented in the kernel as a set of common helpers for ECN`
			`decapsulation, so let's just switch over WireGuard to using those, so it`
			`can benefit from this enhancement and any future tweaks. We do not drop`
			`packets with invalid ECN marking combinations, because WireGuard is`
			`frequently used to work around broken ISPs, which could be doing that.`

			`Fixes: e7096c131e51 ("net: WireGuard secure network tunnel")`
			`Reported-by: Olivier Tilmans <olivier.tilmans@nokia-bell-labs.com>`
			`Cc: Dave Taht <dave.taht@gmail.com>`
			`Cc: Rodney W. Grimes <ietf@gndrsh.dnsmgr.net>`
			`Signed-off-by: Toke Høiland-Jørgensen <toke@redhat.com>`
			`Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>`
			`Signed-off-by: David S. Miller <davem@davemloft.net>`
			`Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>`
			`---`
			`drivers/net/wireguard/receive.c \| 6 ++----`
			`1 file changed, 2 insertions(+), 4 deletions(-)`

			`--- a/drivers/net/wireguard/receive.c`
			`+++ b/drivers/net/wireguard/receive.c`
			`@@ -393,13 +393,11 @@ static void wg_packet_consume_data_done(`
			`len = ntohs(ip_hdr(skb)->tot_len);`
			`if (unlikely(len < sizeof(struct iphdr)))`
			`goto dishonest_packet_size;`
			`- if (INET_ECN_is_ce(PACKET_CB(skb)->ds))`
			`- IP_ECN_set_ce(ip_hdr(skb));`
			`+ INET_ECN_decapsulate(skb, PACKET_CB(skb)->ds, ip_hdr(skb)->tos);`
			`} else if (skb->protocol == htons(ETH_P_IPV6)) {`
			`len = ntohs(ipv6_hdr(skb)->payload_len) +`
			`sizeof(struct ipv6hdr);`
			`- if (INET_ECN_is_ce(PACKET_CB(skb)->ds))`
			`- IP6_ECN_set_ce(skb, ipv6_hdr(skb));`
			`+ INET_ECN_decapsulate(skb, PACKET_CB(skb)->ds, ipv6_get_dsfield(ipv6_hdr(skb)));`
			`} else {`
			`goto dishonest_packet_type;`
			`}`