build system: revamp building and configuration

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

kernel-tree-scripts/patch-kernel-builtin.sh

@@ -8,5 +8,5 @@ if [[ ! -e $K/net/Kconfig ]]; then
 	exit 1
 fi
 
-sed -i "/^if NET\$/a source \"$WG/Kconfig\"" "$K/net/Kconfig"
+sed -i "/^if INET\$/a source \"$WG/Kconfig\"" "$K/net/Kconfig"
 echo "obj-y += ../../../../../../../../../../../../../../../../../../../../../..$WG/" >> "$K/net/Makefile"

src/Kbuild

@@ -0,0 +1,18 @@
+ccflags-y := -O3 -fvisibility=hidden
+ccflags-$(CONFIG_WIREGUARD_DEBUG) := -DDEBUG -g
+ccflags-y += -Wframe-larger-than=8192
+wireguard-y := main.o noise.o device.o peer.o timers.o data.o send.o receive.o socket.o config.o hashtables.o routing-table.o ratelimiter.o cookie.o
+wireguard-y += crypto/curve25519.o crypto/chacha20poly1305.o crypto/blake2s.o crypto/siphash24.o
+ifeq ($(CONFIG_X86_64),y)
+	wireguard-y += crypto/chacha20-ssse3-x86_64.o crypto/poly1305-sse2-x86_64.o
+avx2_supported := $(call as-instr,vpgatherdd %ymm0$(comma)(%eax$(comma)%ymm1$(comma)4)$(comma)%ymm2,yes,no)
+ifeq ($(avx2_supported),yes)
+	wireguard-y += crypto/chacha20-avx2-x86_64.o crypto/poly1305-avx2-x86_64.o
+endif
+endif
+
+ifneq ($(KBUILD_EXTMOD),)
+include $(M)/tests/moduledeps.mk
+endif
+
+obj-$(CONFIG_WIREGUARD) := wireguard.o

src/Kconfig

@@ -1,8 +1,13 @@
 config WIREGUARD
-	bool "WireGuard secure VPN tunnel"
+	bool "IP: WireGuard secure network tunnel"
+	depends on NET && INET
 	select NET_UDP_TUNNEL
 	select NETFILTER_XT_MATCH_HASHLIMIT
-	select IPV6
+	select NETFILTER
+	select NETFILTER_XTABLES
+	select NETFILTER_ADVANCED
+	select NF_CONNTRACK
+	select CRYPTO_BLKCIPHER
 	default y
 	---help---
 	  WireGuard is a secure, fast, and easy to use replacement for IPSec
@@ -14,17 +19,6 @@ config WIREGUARD
 	  It's safe to say Y or M here, as the driver is very lightweight and
 	  is only in use when an administrator chooses to add an interface.
 
-config WIREGUARD_DEBUG
-	bool "Debugging checks and verbose messages for WireGuard"
-	depends on WIREGUARD
-	---help---
-	  This will write log messages for handshake and other events
-	  that occur for a WireGuard interface. It will also perform some
-	  extra validation checks and unit tests at various points. This is
-	  only useful for debugging.
-	  
-	  Say N here unless you know what you're doing.
-
 config WIREGUARD_PARALLEL
 	bool "Enable parallel engine"
 	depends on SMP && WIREGUARD
@@ -36,3 +30,14 @@ config WIREGUARD_PARALLEL
 	  
 	  It's safe to say Y here, and you probably should, as the performance
 	  improvements are substantial.
+
+config WIREGUARD_DEBUG
+	bool "Debugging checks and verbose messages"
+	depends on WIREGUARD
+	---help---
+	  This will write log messages for handshake and other events
+	  that occur for a WireGuard interface. It will also perform some
+	  extra validation checks and unit tests at various points. This is
+	  only useful for debugging.
+	  
+	  Say N here unless you know what you're doing.

src/Makefile

@@ -1,61 +1,3 @@
-ifneq ($(KERNELRELEASE),)
-ifneq ($(KBUILD_EXTMOD),)
-CONFIG_WIREGUARD := m
-endif
-
-obj-$(CONFIG_WIREGUARD) := wireguard.o
-ccflags-y := -O3 -fvisibility=hidden
-ccflags-$(CONFIG_WIREGUARD_DEBUG) := -DDEBUG -g
-ifneq ($(KBUILD_EXTMOD),)
-ifeq ($(CONFIG_WIREGUARD_PARALLEL),)
-ifneq (,$(filter $(CONFIG_PADATA),y m))
-ccflags-y += -DCONFIG_WIREGUARD_PARALLEL=y
-endif
-endif
-endif
-
-ifneq ($(KBUILD_EXTMOD),)
-ifneq ($(CONFIG_MODULES),)
-ifeq ($(CONFIG_NET_UDP_TUNNEL),)
-$(error "WireGuard requires CONFIG_NET_UDP_TUNNEL to be configured in your kernel. The easiest way to select it is: \
-    Networking support --> \
-        Networking options --> \
-            [*] IP: Foo (IP protocols) over UDP")
-endif
-ifeq ($(CONFIG_IPV6),)
-$(error "WireGuard requires CONFIG_IPV6 to be configured in your kernel. The easiest way to select it is: \
-    Networking support --> \
-        Networking options --> \
-            [*] The IPv6 protocol")
-endif
-ifeq ($(CONFIG_NETFILTER_XT_MATCH_HASHLIMIT),)
-$(error "WireGuard requires CONFIG_NETFILTER_XT_MATCH_HASHLIMIT to be conifugred in your kernel. The easiest way to selectit is: \
-    Networking support --> \
-        Networking options --> \
-            Network packet filtering framework (Netfilter) --> \
-                Core Netfilter Configuration --> \
-                    [*] \"hashlimit\" match support")
-endif
-ifeq ($(CONFIG_PADATA),)
-ifneq ($(CONFIG_SMP),)
-$(warning "PEFORMANCE WARNING: WireGuard has enormous speed benefits when using CONFIG_PADATA on SMP systems. Please enable CONFIG_PADATA in your kernel configuration. The easiest way to select it is: \
-    Cryptographic API --> \
-        [*] Parallel crypto engine")
-endif
-endif
-endif
-endif
-
-wireguard-y := main.o noise.o device.o peer.o timers.o data.o send.o receive.o socket.o config.o hashtables.o routing-table.o ratelimiter.o cookie.o
-wireguard-y += crypto/curve25519.o crypto/chacha20poly1305.o crypto/blake2s.o crypto/siphash24.o
-ifeq ($(CONFIG_X86_64),y)
-	wireguard-y += crypto/chacha20-ssse3-x86_64.o crypto/poly1305-sse2-x86_64.o
-avx2_supported := $(call as-instr,vpgatherdd %ymm0$(comma)(%eax$(comma)%ymm1$(comma)4)$(comma)%ymm2,yes,no)
-ifeq ($(avx2_supported),yes)
-	wireguard-y += crypto/chacha20-avx2-x86_64.o crypto/poly1305-avx2-x86_64.o
-endif
-endif
-else
 KERNELDIR ?= /lib/modules/$(shell uname -r)/build
 PWD := $(shell pwd)
 
@@ -80,13 +22,9 @@ install:
 tools:
 	$(MAKE) -C tools
 
-core-cloc: clean
-	cloc ./*.c ./*.h
-
 check:
 	$(MAKE) -C $(KERNELDIR) M=$(PWD) C=2 CF="-D__CHECK_ENDIAN__" CONFIG_WIREGUARD_DEBUG=y
 
 include tests/debug.mk
 
 .PHONY: all module module-debug tools install clean core-cloc check
-endif

src/device.c

@@ -77,10 +77,9 @@ static void skb_unsendable(struct sk_buff *skb, struct net_device *dev)
 	/* This conntrack stuff is because the rate limiting needs to be applied
 	 * to the original src IP, so we have to restore saddr in the IP header. */
 	struct nf_conn *ct = NULL;
-#if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE)
 	enum ip_conntrack_info ctinfo;
+
 	ct = nf_ct_get(skb, &ctinfo);
-#endif
 	++dev->stats.tx_errors;
 
 	if (skb->len < sizeof(struct iphdr))

src/socket.c

@@ -62,6 +62,7 @@ static inline struct dst_entry *route(struct wireguard_device *wg, struct flowi4
 			dst = ERR_PTR(PTR_ERR(rt));
 		dst = &rt->dst;
 	} else if (addr->ss_family == AF_INET6) {
+#if IS_ENABLED(CONFIG_IPV6)
 		int ret;
 		struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)addr;
 
@@ -84,6 +85,7 @@ static inline struct dst_entry *route(struct wireguard_device *wg, struct flowi4
 #endif
 		if (unlikely(ret))
 			dst = ERR_PTR(ret);
+#endif
 	}
 	return dst;
 }
@@ -122,7 +124,7 @@ static inline int send(struct net_device *dev, struct sk_buff *skb, struct dst_e
 			ret = -ENONET;
 			goto err;
 		}
-
+#if IS_ENABLED(CONFIG_IPV6)
 #if LINUX_VERSION_CODE < KERNEL_VERSION(4, 5, 0)
 		return udp_tunnel6_xmit_skb(dst, sock6, skb, dev,
 					    &fl6->saddr, &fl6->daddr,
@@ -143,6 +145,9 @@ static inline int send(struct net_device *dev, struct sk_buff *skb, struct dst_e
 				     fl6->fl6_sport, fl6->fl6_dport,
 				     false);
 		return 0;
+#endif
+#else
+		goto err;
 #endif
 	}
 
@@ -391,11 +396,14 @@ static inline void set_sock_opts(struct socket *sock)
 
 int socket_init(struct wireguard_device *wg)
 {
+	struct socket *new4 = NULL;
 	struct udp_port_cfg port4 = {
 		.family = AF_INET,
 		.local_ip.s_addr = htonl(INADDR_ANY),
 		.use_udp_checksums = true
 	};
+#if IS_ENABLED(CONFIG_IPV6)
+	struct socket *new6 = NULL;
 	struct udp_port_cfg port6 = {
 		.family = AF_INET6,
 		.local_ip6 = IN6ADDR_ANY_INIT,
@@ -405,6 +413,7 @@ int socket_init(struct wireguard_device *wg)
 		.ipv6_v6only = true
 #endif
 	};
+#endif
 	struct udp_tunnel_sock_cfg cfg = {
 		.sk_user_data = wg,
 		.encap_type = 1,
@@ -412,7 +421,6 @@ int socket_init(struct wireguard_device *wg)
 	};
 
 	int ret = 0;
-	struct socket *new4 = NULL, *new6 = NULL;
 #if LINUX_VERSION_CODE < KERNEL_VERSION(4, 3, 0)
 	int old_bindv6only;
 #endif
@@ -427,7 +435,11 @@ int socket_init(struct wireguard_device *wg)
 
 	if (!wg->incoming_port)
 		wg->incoming_port = generate_default_incoming_port(wg);
-	port4.local_udp_port = port6.local_udp_port = htons(wg->incoming_port);
+	port4.local_udp_port =
+#if IS_ENABLED(CONFIG_IPV6)
+		port6.local_udp_port =
+#endif
+		htons(wg->incoming_port);
 
 	ret = udp_sock_create(wg->creating_net, &port4, &new4);
 	if (ret < 0) {
@@ -435,6 +447,11 @@ int socket_init(struct wireguard_device *wg)
 		goto out;
 	}
 
+	set_sock_opts(new4);
+	setup_udp_tunnel_sock(wg->creating_net, new4, &cfg);
+	rcu_assign_pointer(wg->sock4, new4->sk);
+
+#if IS_ENABLED(CONFIG_IPV6)
 #if LINUX_VERSION_CODE < KERNEL_VERSION(4, 3, 0)
 	/* Since udp_port_cfg only learned of ipv6_v6only in 4.3, we do this horrible
 	 * hack here and set the sysctl variable temporarily to something that will
@@ -452,12 +469,10 @@ int socket_init(struct wireguard_device *wg)
 		goto out;
 	}
 
-	set_sock_opts(new4);
 	set_sock_opts(new6);
-	setup_udp_tunnel_sock(wg->creating_net, new4, &cfg);
 	setup_udp_tunnel_sock(wg->creating_net, new6, &cfg);
-	rcu_assign_pointer(wg->sock4, new4->sk);
 	rcu_assign_pointer(wg->sock6, new6->sk);
+#endif
 
 out:
 	mutex_unlock(&wg->socket_update_lock);

src/tests/moduledeps.mk

@@ -0,0 +1,17 @@
+CONFIG_WIREGUARD := m
+ifeq ($(CONFIG_WIREGUARD_PARALLEL),)
+ifneq (,$(filter $(CONFIG_PADATA),y m))
+ccflags-y += -DCONFIG_WIREGUARD_PARALLEL=y
+endif
+endif
+
+ifneq ($(CONFIG_MODULES),)
+ifeq ($(CONFIG_NETFILTER_XT_MATCH_HASHLIMIT),)
+$(error "WireGuard requires CONFIG_NETFILTER_XT_MATCH_HASHLIMIT to be configured in your kernel. See https://www.wireguard.io/install/#kernel-requirements for more info")
+endif
+ifeq ($(CONFIG_PADATA),)
+ifneq ($(CONFIG_SMP),)
+$(warning "PEFORMANCE WARNING: WireGuard has enormous speed benefits when using CONFIG_PADATA on SMP systems. Please enable CONFIG_PADATA in your kernel configuration. See https://www.wireguard.io/install/#kernel-requirements for more info.")
+endif
+endif
+endif