Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

gluon-mesh-vpn-wireguard: add fastd key migration #2601

Merged
merged 3 commits into from
Apr 25, 2023
Merged

gluon-mesh-vpn-wireguard: add fastd key migration #2601

merged 3 commits into from
Apr 25, 2023

Conversation

AiyionPrime
Copy link
Member

@AiyionPrime AiyionPrime commented Aug 9, 2022
edited
Loading

This reencodes an existing fastd private key as WireGuards private (X25519).
No key is migrated, when no fastd key exists.

We discussed whether it would be cleaner to put it in its own upgrade file, this would be one way of doing it, although writing to network-old appears bad to me. Open for discussion.

I have not tested the implementation of the upgrade yet.
Is tested. It updates missing or invalid WireGuard-keys based on the fastd secret key if it exists.

@github-actions github-actions bot added 3. topic: package Topic: Gluon Packages 3. topic: wireguard This is about wireguard, an in-kernel layer 3 VPN labels Aug 9, 2022
@mweinelt mweinelt mentioned this pull request Aug 9, 2022
Closed
@AiyionPrime AiyionPrime changed the title Key translate gluon-mesh-vpn-key-translate Aug 9, 2022
@AiyionPrime AiyionPrime requested a review from blocktrron August 9, 2022 20:44
@AiyionPrime
Copy link
Member Author

Other than the commit message which should contain a reference to gluon-mesh-vpn-key-translate instead of key-translate, @blocktrron and I are somewhat satisfied with this.
I will fix this upon rebase at the end.

@NeoRaider A review would be highly appreciated.

@lemoer lemoer requested a review from neocturne August 10, 2022 08:28
@T-X
Copy link
Contributor

T-X commented Aug 11, 2022

Just a thought, instead of operating on both UCI network_gluon-old and fastd, would it maybe make sense to have something like a generic gluon.mesh_vpn.secret? And derive both the fastd and wireguard secrets from it?

As the role based interface configuration is in /etc/config/gluon, too, maybe it would be a nice feature if for making a backup of your node configuration it would be sufficient to copy the high level /etc/config/gluon* files?

@AiyionPrime
Copy link
Member Author

@T-X I think that's a great idea and something I'd gladly implement,
but I'd favor getting this migration functionality in the simplest possible way done before 2022.1,
when we'll first release WireGuard into the wild.

Storing the mesh_vpn_secret in config.gluon would be way cleaner though and something I could write for 2022.1.1.

@AiyionPrime
Copy link
Member Author

aligned the Makefile definition to the existing one

@T-X
Copy link
Contributor

T-X commented Aug 18, 2022
edited
Loading

but I'd favor getting this migration functionality in the simplest possible way done before 2022.1, when we'll first release WireGuard into the wild.

Storing the mesh_vpn_secret in config.gluon would be way cleaner though and something I could write for 2022.1.1.

My preference/expectations for major vs. minor releases would be:

  • Major: New features, new OpenWrt release base, refactoring/cleanups, new hardware support
  • Minor: Bugfixes, new hardware revision support for an otherwise already supported device

So I'm wondering if it would be doable to do it in a clean(tm) way now? To avoid refactoring it in a minor release?

@AiyionPrime
Copy link
Member Author

I think adding other big changes like where this secret goes to this PR would not help getting it merged before 2022.1.
Maybe @blocktrron and @NeoRaider could share their thoughts as well?

@AiyionPrime AiyionPrime mentioned this pull request Aug 27, 2022
Merged
AiyionPrime added a commit to freifunkh/site that referenced this pull request Sep 6, 2022
@AiyionPrime
patches: add gluon-mesh-vpn-key-translate
012528c 
as well as the corresponding fastd eky conversion

can be removed once freifunk-gluon/gluon#2601 is merged
AiyionPrime added a commit to freifunkh/site that referenced this pull request Sep 7, 2022
@AiyionPrime
patches: add gluon-mesh-vpn-key-translate
7a39bbf 
as well as the corresponding fastd key conversion

can be removed once freifunk-gluon/gluon#2601 is merged
AiyionPrime added a commit to freifunkh/site that referenced this pull request Sep 8, 2022
@AiyionPrime
patches: add gluon-mesh-vpn-key-translate
498610c 
as well as the corresponding fastd key conversion

can be removed once freifunk-gluon/gluon#2601 is merged
Dark4MD pushed a commit to Dark4MD/site that referenced this pull request Sep 8, 2022
@AiyionPrime @Dark4MD
patches: add gluon-mesh-vpn-key-translate
bcf31c2 
as well as the corresponding fastd key conversion

can be removed once freifunk-gluon/gluon#2601 is merged
CodeFetch
CodeFetch reviewed Sep 9, 2022
View reviewed changes
Copy link
Contributor

@CodeFetch CodeFetch left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Some cosmetic suggestions...

package/gluon-mesh-vpn-wireguard/src/gluon-mesh-vpn-key-translate.c Outdated
fprintf(stderr, "Usage: gluon-mesh-vpn-key-translate [-n] <fastd secret>\n");
fprintf(stderr, "-n do not output the trailing newline\n");
exit(1);
}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

One call of fprintf would be better and use a macro instead of inline functions like:

#define error(msg, ...)                                            \
	do {                                                                   \
		fprintf(stderr, "Error: " msg "\n", ##__VA_ARGS__);            \
		exit(1);                                                    \
	} while (0)

I don't think it harms code readability to directly include the error message in the main function instead of hiding it away in a separate one.

package/gluon-mesh-vpn-wireguard/src/gluon-mesh-vpn-key-translate.c Outdated
return false;

size_t i;
for (i = 0; i < 32; i++)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As "i" is only used in the for loop and is never going to reach size_t, just do
for (int i = 0; i < 32; i++)

package/gluon-mesh-vpn-wireguard/src/gluon-mesh-vpn-key-translate.c Outdated Show resolved Hide resolved
package/gluon-mesh-vpn-wireguard/src/gluon-mesh-vpn-key-translate.c Outdated Show resolved Hide resolved
@AiyionPrime
Copy link
Member Author

AiyionPrime commented Sep 9, 2022
edited
Loading

@CodeFetch thanks for your suggestions. Before I address

Some cosmetic suggestions...

though, I'll keep waiting for @NeoRaider to review the general idea, as @blocktrron suggested in the last developer meetup.

Leaving the code as is (just right now) has the benefit of it currently running successfully on 65 132 devices in Hanover.

Once he answers, whether and if - in what form - this can be merged, I'm happy to come back to your suggestions for improvements.

CodeFetch
CodeFetch reviewed Sep 9, 2022
View reviewed changes
package/gluon-mesh-vpn-wireguard/src/gluon-mesh-vpn-key-translate.c Outdated
}

static inline bool read_key(uint8_t key[32], const char *hexkey) {
if ((strlen(hexkey) != 64) || (strspn(hexkey, "0123456789abcdefABCDEF") != 64))
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The braces are superfluous and don't contribute to code readability.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You are right, there are braces one could've left out regarding precedence;
but I'd disagree on the readability. Both does not really matter though, what does is, that that's not my code, but actually @NeoRaider's, as attributed above.
https://github.com/NeoRaider/fastd/blob/d9dd14045c647736566c959855f154302eeff444/src/protocols/ec25519_fhmqvc/ec25519_fhmqvc.c#L17-L27

But as I said earlier I'd really like to get some basic feedback from neoraider, before I address nitpicks.

Statistically speaking - looking at how my previous PR's went -there will likely be no line left unturned; really those braces will be the least of concerns, once he finds time, I'm afraid.

Not that I do not appreciate the engagement with the PR,
but beautifying is not the stage I'm currently at, yet,

@AiyionPrime AiyionPrime force-pushed the key-translate branch 2 times, most recently from a42950a to acce83e Compare November 3, 2022 12:21
@AiyionPrime AiyionPrime requested a review from neocturne November 3, 2022 12:25
@AiyionPrime
Copy link
Member Author

@NeoRaider I think the c code is fine as it is.
I might give the lua code another shot, wrapping the migration into a function, to get rid of the countless nested ifs.

@AiyionPrime
Copy link
Member Author

The Lua code is now reformatted, fixed (was missing unistd.read) and tested to be working again.
I'm not sure whether it is bad not to drain the pipe before closing it.

@AiyionPrime AiyionPrime added needs work 2. status: waiting-on-review Awaiting review from the assignee but also interested parties. and removed needs work labels Mar 22, 2023
@AiyionPrime
Copy link
Member Author

I hope that's it. Both checks were comparing out of bounds before.

Local build is running. Test result incoming.

@AiyionPrime
Copy link
Member Author

I just reset Eilenriede-Tester to 19.07 (thanks @1977er),
and migrated it again to the latest commit. Still works.

I did a round-trip-test using 5K digits of PI. Worked as well.

@lemoer and I tested it using /dev/urandom and hexdump, which does now work as well.

@AiyionPrime AiyionPrime removed the 5. needs: testing Testing of the changes is necessary label Mar 22, 2023
AiyionPrime
AiyionPrime commented Mar 25, 2023
View reviewed changes
Copy link
Member Author

@AiyionPrime AiyionPrime left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@NeoRaider I could provide you with an image from our community, which currently supports both fastd and WireGuard - so that you could watch the migration in action.
Let me know if that would help you reviewing this.

@blocktrron
Copy link
Member

  • Include documentation for conversion.
  • No conversion from wireguard to fastd possible
  • Link to tool for infrastructure side

@AiyionPrime
Copy link
Member Author

review evening:
needs three lines of documentation with a reference to https://github.com/AiyionPrime/gluon-mesh-vpn-key-translate

@AiyionPrime AiyionPrime added 2. status: waiting-on-author Waiting on some action from the author 2. status: waiting-on-review Awaiting review from the assignee but also interested parties. and removed 2. status: waiting-on-review Awaiting review from the assignee but also interested parties. 2. status: waiting-on-author Waiting on some action from the author labels Apr 19, 2023
@github-actions github-actions bot added the 3. topic: docs Topic: Documentation label Apr 19, 2023
@AiyionPrime AiyionPrime force-pushed the key-translate branch 2 times, most recently from 9a7d32a to 5fb640e Compare April 19, 2023 22:18
@AiyionPrime
gluon-mesh-vpn-wireguard: add gluon-hex-to-b64
759a343 
gluon-hex-to-b64 takes base64 content such as a fastd private key
in legacy form via stdin and emits it in base64 encoded (WireGuard) form.

Provides basic return codes.
@AiyionPrime
gluon-mesh-vpn-wireguard: add fastd key migration
e4d05e6
@AiyionPrime
docs: gluon-mesh-vpn-key-translate
276cd0e
@AiyionPrime AiyionPrime changed the title gluon-mesh-vpn-key-translate gluon-mesh-vpn-wireguard: add fastd key migration Apr 19, 2023
@AiyionPrime
Copy link
Member Author

AiyionPrime commented Apr 21, 2023
edited
Loading

Merging is blocked
@NeoRaider requested changes

I'd say you merge this, if you're satisfied with the docs as we are?

@blocktrron blocktrron dismissed neocturne’s stale review April 25, 2023 21:22

Discussed at meetup

@blocktrron blocktrron merged commit 75c62fd into freifunk-gluon:master Apr 25, 2023
@AiyionPrime AiyionPrime deleted the key-translate branch April 25, 2023 21:36
AiyionPrime added a commit to freifunkh/site that referenced this pull request Apr 25, 2023
@AiyionPrime
patches: remove key-tranlste patches
9ceaf36 
freifunk-gluon/gluon#2601 has been merged
AiyionPrime added a commit to freifunkh/site that referenced this pull request Apr 25, 2023
@AiyionPrime
patches: remove key-translate patches
16d13a5 
freifunk-gluon/gluon#2601 has been merged
@AiyionPrime AiyionPrime removed the 2. status: waiting-on-review Awaiting review from the assignee but also interested parties. label Apr 25, 2023
AiyionPrime added a commit to AiyionPrime/site that referenced this pull request May 10, 2023
@AiyionPrime
patches: remove key-translate patches
746fbaf 
freifunk-gluon/gluon#2601 has been merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@CodeFetch CodeFetch CodeFetch left review comments

@blocktrron blocktrron blocktrron approved these changes

@lemoer lemoer lemoer approved these changes

@neocturne neocturne Awaiting requested review from neocturne

@mkg20001 mkg20001 Awaiting requested review from mkg20001

Assignees
No one assigned
Labels
3. topic: docs Topic: Documentation 3. topic: package Topic: Gluon Packages 3. topic: wireguard This is about wireguard, an in-kernel layer 3 VPN
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
7 participants
@AiyionPrime @T-X @CodeFetch @blocktrron @neocturne @lemoer @mkg20001