Development discussion of WireGuard
From: tlhackque <>
Cc: WireGuard Mailing list <>
Date: Thu, 30 Jun 2022 11:50:59 -0400
Message-ID: <>
In-Reply-To: <>


On 30-Jun-22 07:41, Jason A. Donenfeld wrote:
> On Thu, Jun 30, 2022 at 06:47:38AM -0400, tlhackque wrote:
>> FWIW: Having watched the discussion about CONFIG_ANDROID, it occurs to
>> me that there's an alternative for WireGuard that sidesteps the issue.
>>   From the last patchset, it seems that the only use in WireGuard is to
>> avoid clearing keys on every wake-up.
> No, it clears keys before sleeping.
>> So: Why not timestamp key-clear events, and establish a minimum interval?
> Because we don't know when we're going to wake up again, and the
> objective is to maintain forward secrecy.
> Jason

Thanks for the explanation.  One more attempt.

If I understand what's happening:

You're really trying to establish a maximum key lifetime - sleep being a 
proxy for "too long to keep using".  On conventional platforms, that's 
been good enough.  On these Android platforms, it's not.

You're clearing the key before sleeping so that after a presumably 
longish time, you'll negotiate a new one.  But on some platforms, the 
sleeps are so frequent that "longish" is inconveniently short.  And the 
renegotiations are expensive.  On those platforms, you don't clear the 
key to avoid the frequent renegotiations.  This keeps the old key in use 
across the sleeps.

Alternatively, why not make the maximum key lifetime explicit?  E.g., on 
all platforms you could set a renegotiate time when a key is 
established, and if it has expired on wake (or on use) trigger 
renegotiation.  This guarantees a maximum key lifetime, independent of 
the frequency or duration of sleeps.  And you don't need to know when 
you'll wake.

If you also want to make sure that the key isn't in memory longer than 
that time (e.g. to avoid capture on a dump or device loss), you could 
also set a timer (of the sort that wakes the CPU from sleep) that clears 
the key at that time.

There are obvious optimizations if necessary.

The point I'm trying to make is that rather than thinking about the 
annoying platform behavior's effect on the implementation, it's probably 
better to think about what WireGuard is really trying to do and express 
it in the implementation.

I hope this perspective helps.  I'll step out of your way now.

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 840 bytes --]
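
A small user-space model of the explicit-lifetime idea proposed in the message above, added here as an illustration; it is not part of the thread and not WireGuard's code. The names `session_key`, `key_establish`, `key_check` and `count_rekeys`, and the 180-second lifetime, are assumptions made for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define KEY_LEN 32
#define MAX_KEY_LIFETIME_NS (180ULL * 1000000000ULL) /* assumed policy value */

struct session_key {
    uint8_t  bytes[KEY_LEN];
    uint64_t expires_ns; /* absolute deadline; 0 means no key is held */
};

/* Wipe through a volatile pointer so the stores are not optimised away. */
static void key_clear(struct session_key *k)
{
    volatile uint8_t *p = k->bytes;
    for (size_t i = 0; i < KEY_LEN; i++)
        p[i] = 0;
    k->expires_ns = 0;
}

/* Handshake done: fix the deadline once. now_ns must come from a clock that
 * keeps counting during suspend (Linux CLOCK_BOOTTIME, not CLOCK_MONOTONIC). */
void key_establish(struct session_key *k, const uint8_t *material, uint64_t now_ns)
{
    memcpy(k->bytes, material, KEY_LEN);
    k->expires_ns = now_ns + MAX_KEY_LIFETIME_NS;
}

/* Run on wake and before each use. Past the deadline the key is wiped and
 * false is returned, meaning a new handshake is required. */
bool key_check(struct session_key *k, uint64_t now_ns)
{
    if (k->expires_ns != 0 && now_ns < k->expires_ns)
        return true;
    key_clear(k);
    return false;
}

/* Constructed scenario: how many handshakes a series of wake times forces. */
unsigned count_rekeys(const uint64_t *wake_ns, size_t n)
{
    struct session_key k;
    uint8_t material[KEY_LEN] = { 0x42 }; /* constructed stand-in key */
    unsigned rekeys = 0;
    key_establish(&k, material, 0);
    for (size_t i = 0; i < n; i++)
        if (!key_check(&k, wake_ns[i])) { key_establish(&k, material, wake_ns[i]); rekeys++; }
    return rekeys;
}
```

With a wake every 10 seconds for 300 seconds, `count_rekeys` reports one renegotiation, where clearing on every sleep would force one per wake. The model covers only the check on wake or use, not the wake-capable timer the message suggests for clearing the key while the device is still asleep.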

Thread overview: 4+ messages
2022-06-30 10:47 ` CONFIG_ANDROID tlhackque
2022-06-30 11:41   ` CONFIG_ANDROID Jason A. Donenfeld
2022-06-30 15:50     ` tlhackque [this message]
2022-06-30 15:56       ` CONFIG_ANDROID Jason A. Donenfeld
