Openwrt/target/linux/generic/backport-5.4/080-wireguard-0104-wireguard-queueing-preserve-flow-hash-across-packet-.patch

From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: "Jason A. Donenfeld" <Jason@zx2c4.com>
Date: Tue, 19 May 2020 22:49:29 -0600
Subject: [PATCH] wireguard: queueing: preserve flow hash across packet
 scrubbing
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

commit c78a0b4a78839d572d8a80f6a62221c0d7843135 upstream.

It's important that we clear most header fields during encapsulation and
decapsulation, because the packet is substantially changed, and we don't
want any info leak or logic bug due to an accidental correlation. But,
for encapsulation, it's wrong to clear skb->hash, since it's used by
fq_codel and flow dissection in general. Without it, classification does
not proceed as usual. This change might make it easier to estimate the
number of innerflows by examining clustering of out of order packets,
but this shouldn't open up anything that can't already be inferred
otherwise (e.g. syn packet size inference), and fq_codel can be disabled
anyway.

Furthermore, it might be the case that the hash isn't used or queried at
all until after wireguard transmits the encrypted UDP packet, which
means skb->hash might still be zero at this point, and thus no hash
taken over the inner packet data. In order to address this situation, we
force a calculation of skb->hash before encrypting packet data.

Of course this means that fq_codel might transmit packets slightly more
out of order than usual. Toke did some testing on beefy machines with
high quantities of parallel flows and found that increasing the
reply-attack counter to 8192 takes care of the most pathological cases
pretty well.

Reported-by: Dave Taht <dave.taht@gmail.com>
Reviewed-and-tested-by: Toke Høiland-Jørgensen <toke@toke.dk>
Fixes: e7096c131e51 ("net: WireGuard secure network tunnel")
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
---
 drivers/net/wireguard/messages.h |  2 +-
 drivers/net/wireguard/queueing.h | 10 +++++++++-
 drivers/net/wireguard/receive.c  |  2 +-
 drivers/net/wireguard/send.c     |  7 ++++++-
 4 files changed, 17 insertions(+), 4 deletions(-)

--- a/drivers/net/wireguard/messages.h
+++ b/drivers/net/wireguard/messages.h
@@ -32,7 +32,7 @@ enum cookie_values {
 };
 
 enum counter_values {
-	COUNTER_BITS_TOTAL = 2048,
+	COUNTER_BITS_TOTAL = 8192,
 	COUNTER_REDUNDANT_BITS = BITS_PER_LONG,
 	COUNTER_WINDOW_SIZE = COUNTER_BITS_TOTAL - COUNTER_REDUNDANT_BITS
 };
--- a/drivers/net/wireguard/queueing.h
+++ b/drivers/net/wireguard/queueing.h
@@ -87,12 +87,20 @@ static inline bool wg_check_packet_proto
 	return real_protocol && skb->protocol == real_protocol;
 }
 
-static inline void wg_reset_packet(struct sk_buff *skb)
+static inline void wg_reset_packet(struct sk_buff *skb, bool encapsulating)
 {
+	u8 l4_hash = skb->l4_hash;
+	u8 sw_hash = skb->sw_hash;
+	u32 hash = skb->hash;
 	skb_scrub_packet(skb, true);
 	memset(&skb->headers_start, 0,
 	       offsetof(struct sk_buff, headers_end) -
 		       offsetof(struct sk_buff, headers_start));
+	if (encapsulating) {
+		skb->l4_hash = l4_hash;
+		skb->sw_hash = sw_hash;
+		skb->hash = hash;
+	}
 	skb->queue_mapping = 0;
 	skb->nohdr = 0;
 	skb->peeked = 0;
--- a/drivers/net/wireguard/receive.c
+++ b/drivers/net/wireguard/receive.c
@@ -484,7 +484,7 @@ int wg_packet_rx_poll(struct napi_struct
 		if (unlikely(wg_socket_endpoint_from_skb(&endpoint, skb)))
 			goto next;
 
-		wg_reset_packet(skb);
+		wg_reset_packet(skb, false);
 		wg_packet_consume_data_done(peer, skb, &endpoint);
 		free = false;
 
--- a/drivers/net/wireguard/send.c
+++ b/drivers/net/wireguard/send.c
@@ -167,6 +167,11 @@ static bool encrypt_packet(struct sk_buf
 	struct sk_buff *trailer;
 	int num_frags;
 
+	/* Force hash calculation before encryption so that flow analysis is
+	 * consistent over the inner packet.
+	 */
+	skb_get_hash(skb);
+
 	/* Calculate lengths. */
 	padding_len = calculate_skb_padding(skb);
 	trailer_len = padding_len + noise_encrypted_len(0);
@@ -295,7 +300,7 @@ void wg_packet_encrypt_worker(struct wor
 		skb_list_walk_safe(first, skb, next) {
 			if (likely(encrypt_packet(skb,
 					PACKET_CB(first)->keypair))) {
-				wg_reset_packet(skb);
+				wg_reset_packet(skb, true);
 			} else {
 				state = PACKET_STATE_DEAD;
 				break;
kernel-5.4: backport fd16931a2f51 for chacha neon Without this patch, the chacha block counter is not incremented on neon rounds, resulting in incorrect calculations and corrupt packets. This also switches to using `--no-numbered --zero-commit` so that future diffs are smaller. Reported-by: Hans Geiblinger <cybrnook2002@yahoo.com> Reviewed-by: Ilya Lipnitskiy <ilya.lipnitskiy@gmail.com> Cc: David Bauer <mail@david-bauer.net> Cc: Petr Štetiar <ynezz@true.cz> Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com> 2021-03-02 08:24:45 +00:00			`From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001`
kernel: 5.4: import wireguard backport Rather than using the clunky, old, slower wireguard-linux-compat out of tree module, this commit does a patch-by-patch backport of upstream's wireguard to 5.4. This specific backport is in widespread use, being part of SUSE's enterprise kernel, Oracle's enterprise kernel, Google's Android kernel, Gentoo's distro kernel, and probably more I've forgotten about. It's definately the "more proper" way of adding wireguard to a kernel than the ugly compat.h hell of the wireguard-linux-compat repo. And most importantly for OpenWRT, it allows using the same module configuration code for 5.10 as for 5.4, with no need for bifurcation. These patches are from the backport tree which is maintained in the open here: https://git.zx2c4.com/wireguard-linux/log/?h=backport-5.4.y I'll be sending PRs to update this as needed. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com> 2021-02-19 13:29:04 +00:00			`From: "Jason A. Donenfeld" <Jason@zx2c4.com>`
			`Date: Tue, 19 May 2020 22:49:29 -0600`
kernel-5.4: backport fd16931a2f51 for chacha neon Without this patch, the chacha block counter is not incremented on neon rounds, resulting in incorrect calculations and corrupt packets. This also switches to using `--no-numbered --zero-commit` so that future diffs are smaller. Reported-by: Hans Geiblinger <cybrnook2002@yahoo.com> Reviewed-by: Ilya Lipnitskiy <ilya.lipnitskiy@gmail.com> Cc: David Bauer <mail@david-bauer.net> Cc: Petr Štetiar <ynezz@true.cz> Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com> 2021-03-02 08:24:45 +00:00			`Subject: [PATCH] wireguard: queueing: preserve flow hash across packet`
kernel: 5.4: import wireguard backport Rather than using the clunky, old, slower wireguard-linux-compat out of tree module, this commit does a patch-by-patch backport of upstream's wireguard to 5.4. This specific backport is in widespread use, being part of SUSE's enterprise kernel, Oracle's enterprise kernel, Google's Android kernel, Gentoo's distro kernel, and probably more I've forgotten about. It's definately the "more proper" way of adding wireguard to a kernel than the ugly compat.h hell of the wireguard-linux-compat repo. And most importantly for OpenWRT, it allows using the same module configuration code for 5.10 as for 5.4, with no need for bifurcation. These patches are from the backport tree which is maintained in the open here: https://git.zx2c4.com/wireguard-linux/log/?h=backport-5.4.y I'll be sending PRs to update this as needed. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com> 2021-02-19 13:29:04 +00:00			`scrubbing`
			`MIME-Version: 1.0`
			`Content-Type: text/plain; charset=UTF-8`
			`Content-Transfer-Encoding: 8bit`

			`commit c78a0b4a78839d572d8a80f6a62221c0d7843135 upstream.`

			`It's important that we clear most header fields during encapsulation and`
			`decapsulation, because the packet is substantially changed, and we don't`
			`want any info leak or logic bug due to an accidental correlation. But,`
			`for encapsulation, it's wrong to clear skb->hash, since it's used by`
			`fq_codel and flow dissection in general. Without it, classification does`
			`not proceed as usual. This change might make it easier to estimate the`
			`number of innerflows by examining clustering of out of order packets,`
			`but this shouldn't open up anything that can't already be inferred`
			`otherwise (e.g. syn packet size inference), and fq_codel can be disabled`
			`anyway.`

			`Furthermore, it might be the case that the hash isn't used or queried at`
			`all until after wireguard transmits the encrypted UDP packet, which`
			`means skb->hash might still be zero at this point, and thus no hash`
			`taken over the inner packet data. In order to address this situation, we`
			`force a calculation of skb->hash before encrypting packet data.`

			`Of course this means that fq_codel might transmit packets slightly more`
			`out of order than usual. Toke did some testing on beefy machines with`
			`high quantities of parallel flows and found that increasing the`
			`reply-attack counter to 8192 takes care of the most pathological cases`
			`pretty well.`

			`Reported-by: Dave Taht <dave.taht@gmail.com>`
			`Reviewed-and-tested-by: Toke Høiland-Jørgensen <toke@toke.dk>`
			`Fixes: e7096c131e51 ("net: WireGuard secure network tunnel")`
			`Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>`
			`Signed-off-by: David S. Miller <davem@davemloft.net>`
			`Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>`
			`---`
			`drivers/net/wireguard/messages.h \| 2 +-`
			`drivers/net/wireguard/queueing.h \| 10 +++++++++-`
			`drivers/net/wireguard/receive.c \| 2 +-`
			`drivers/net/wireguard/send.c \| 7 ++++++-`
			`4 files changed, 17 insertions(+), 4 deletions(-)`

			`--- a/drivers/net/wireguard/messages.h`
			`+++ b/drivers/net/wireguard/messages.h`
			`@@ -32,7 +32,7 @@ enum cookie_values {`
			`};`

			`enum counter_values {`
			`- COUNTER_BITS_TOTAL = 2048,`
			`+ COUNTER_BITS_TOTAL = 8192,`
			`COUNTER_REDUNDANT_BITS = BITS_PER_LONG,`
			`COUNTER_WINDOW_SIZE = COUNTER_BITS_TOTAL - COUNTER_REDUNDANT_BITS`
			`};`
			`--- a/drivers/net/wireguard/queueing.h`
			`+++ b/drivers/net/wireguard/queueing.h`
			`@@ -87,12 +87,20 @@ static inline bool wg_check_packet_proto`
			`return real_protocol && skb->protocol == real_protocol;`
			`}`

			`-static inline void wg_reset_packet(struct sk_buff *skb)`
			`+static inline void wg_reset_packet(struct sk_buff *skb, bool encapsulating)`
			`{`
			`+ u8 l4_hash = skb->l4_hash;`
			`+ u8 sw_hash = skb->sw_hash;`
			`+ u32 hash = skb->hash;`
			`skb_scrub_packet(skb, true);`
			`memset(&skb->headers_start, 0,`
			`offsetof(struct sk_buff, headers_end) -`
			`offsetof(struct sk_buff, headers_start));`
			`+ if (encapsulating) {`
			`+ skb->l4_hash = l4_hash;`
			`+ skb->sw_hash = sw_hash;`
			`+ skb->hash = hash;`
			`+ }`
			`skb->queue_mapping = 0;`
			`skb->nohdr = 0;`
			`skb->peeked = 0;`
			`--- a/drivers/net/wireguard/receive.c`
			`+++ b/drivers/net/wireguard/receive.c`
			`@@ -484,7 +484,7 @@ int wg_packet_rx_poll(struct napi_struct`
			`if (unlikely(wg_socket_endpoint_from_skb(&endpoint, skb)))`
			`goto next;`

			`- wg_reset_packet(skb);`
			`+ wg_reset_packet(skb, false);`
			`wg_packet_consume_data_done(peer, skb, &endpoint);`
			`free = false;`

			`--- a/drivers/net/wireguard/send.c`
			`+++ b/drivers/net/wireguard/send.c`
			`@@ -167,6 +167,11 @@ static bool encrypt_packet(struct sk_buf`
			`struct sk_buff *trailer;`
			`int num_frags;`

			`+ /* Force hash calculation before encryption so that flow analysis is`
			`+ * consistent over the inner packet.`
			`+ */`
			`+ skb_get_hash(skb);`
			`+`
			`/* Calculate lengths. */`
			`padding_len = calculate_skb_padding(skb);`
			`trailer_len = padding_len + noise_encrypted_len(0);`
			`@@ -295,7 +300,7 @@ void wg_packet_encrypt_worker(struct wor`
			`skb_list_walk_safe(first, skb, next) {`
			`if (likely(encrypt_packet(skb,`
			`PACKET_CB(first)->keypair))) {`
			`- wg_reset_packet(skb);`
			`+ wg_reset_packet(skb, true);`
			`} else {`
			`state = PACKET_STATE_DEAD;`
			`break;`