WireGuard VPN has been accepted into the net-next branch and is slated for inclusion in the Linux 5.6 kernel.

David Miller (David S. Miller), who is responsible for the networking subsystem of the Linux kernel, has accepted into the net-next branch the patches implementing the VPN interface from the WireGuard project. Early next year, the changes accumulated in the net-next branch will form the basis for the release of the Linux kernel 5.6.

Attempts to push the WireGuard code into the main kernel have been made over the past few years, but they remained unsuccessful because the code was tied to the project's own implementations of cryptographic functions, which were used to improve performance. Initially, these functions were proposed for the kernel as an additional low-level Zinc API, which could eventually replace the standard Crypto API.

Following discussions at the Kernel Recipes conference, the creators of WireGuard made a compromise decision in September to rework their patches to use the Crypto API available in the kernel, about which the WireGuard developers have complaints regarding performance and general security. It was decided to continue developing the Zinc API, but as a separate project.

In November, the kernel developers made a compromise in return and agreed to move part of the code from Zinc into the main kernel. In essence, some Zinc components will be moved into the kernel, not as a separate API but as part of the Crypto API subsystem. For example, the Crypto API already includes the fast implementations of the ChaCha20 and Poly1305 algorithms prepared for WireGuard.

In connection with the upcoming delivery of WireGuard in the main kernel, the project's founder announced a restructuring of the repository. To simplify development, the monolithic "WireGuard.git" repository, which was designed to exist on its own, will be replaced by three separate repositories that are better suited to organizing work on code in the main kernel:

  • wireguard-linux.git - a complete kernel tree with the changes from the WireGuard project; patches from it will be reviewed for inclusion in the kernel and regularly forwarded to the net/net-next branches.
  • wireguard-tools.git - a repository of the utilities and scripts run in user space, such as wg and wg-quick. The repository can be used to build packages for distributions.
  • wireguard-linux-compat.git - a repository with a variant of the module that is supplied separately from the kernel and includes the compat.h layer to ensure compatibility with older kernels. The main development will be carried out in the wireguard-linux.git repository, but as long as there is opportunity and demand among users, the separate variant of the patches will also be supported in working form.

Recall that WireGuard VPN is implemented on the basis of modern encryption methods, provides very high performance, is easy to use, is free of complications, and has proven itself in a number of large deployments that process large volumes of traffic. The project has been in development since 2015 and has undergone an audit and formal verification of the encryption methods used. WireGuard support is already integrated into NetworkManager and systemd, and kernel patches are included in the base distributions Debian Unstable, Mageia, Alpine, Arch, Gentoo, OpenWrt, NixOS, Subgraph and ALT.

WireGuard uses the concept of cryptokey routing, which involves attaching a private key to each network interface and using public keys for binding. Public keys are exchanged to establish a connection in a manner similar to SSH. To negotiate keys and connect without running a separate daemon in user space, the Noise_IK mechanism from the Noise Protocol Framework is used, similar to maintaining authorized_keys in SSH. Data is transmitted through encapsulation in UDP packets. Changing the IP address of the VPN server (roaming) without breaking the connection is supported, with automatic reconfiguration of the client.
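
An added illustration of the cryptokey routing and roaming described above (not code from the article or from the WireGuard project): each peer's public key is bound to a list of allowed inner addresses, a detail of WireGuard's design that the article does not spell out. The class, the key placeholders and the addresses are constructed for this example.

```python
import ipaddress

class CryptokeyTable:
    """Toy model of one interface's peer table (illustrative, not kernel code)."""

    def __init__(self):
        # public key -> {"allowed": [networks], "endpoint": (ip, port) or None}
        self.peers = {}

    def add_peer(self, pubkey, allowed_ips, endpoint=None):
        nets = [ipaddress.ip_network(a) for a in allowed_ips]
        self.peers[pubkey] = {"allowed": nets, "endpoint": endpoint}

    def route_outbound(self, dst):
        """Return the public key of the peer with the longest matching prefix."""
        addr = ipaddress.ip_address(dst)
        best_key, best_len = None, -1
        for key, peer in self.peers.items():
            for net in peer["allowed"]:
                if addr.version == net.version and addr in net and net.prefixlen > best_len:
                    best_key, best_len = key, net.prefixlen
        return best_key

    def accept_inbound(self, pubkey, inner_src, outer_endpoint):
        """Decide on a packet already decrypted and authenticated for pubkey."""
        peer = self.peers.get(pubkey)
        if peer is None:
            return False
        addr = ipaddress.ip_address(inner_src)
        if not any(addr.version == n.version and addr in n for n in peer["allowed"]):
            return False  # valid crypto, but this key may not speak for that address
        peer["endpoint"] = outer_endpoint  # roaming: follow the latest authenticated source
        return True

def build_demo_table():
    # Constructed sample data: placeholder key names and documentation address ranges.
    table = CryptokeyTable()
    table.add_peer("PEER_A_PUBKEY", ["10.0.0.2/32"], ("192.0.2.10", 51820))
    table.add_peer("PEER_B_PUBKEY", ["10.0.0.0/24", "fd00::/64"])
    return table

if __name__ == "__main__":
    t = build_demo_table()
    print(t.route_outbound("10.0.0.2"), t.route_outbound("10.0.0.77"))
    print(t.accept_inbound("PEER_A_PUBKEY", "10.0.0.77", ("198.51.100.5", 40000)))
    print(t.accept_inbound("PEER_A_PUBKEY", "10.0.0.2", ("198.51.100.5", 40000)))
    print(t.peers["PEER_A_PUBKEY"]["endpoint"])
```

The inbound check is what makes the key-to-address binding a security property: a peer holding a valid key still cannot inject traffic with an inner source address assigned to another peer.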

For encryption, the ChaCha20 stream cipher and the Poly1305 message authentication (MAC) algorithm are used, developed by Daniel Bernstein (Daniel J. Bernstein), Tanya Lange (Tanja Lange) and Peter Schwabe. ChaCha20 and Poly1305 are positioned as faster and safer analogues of AES-256-CTR and HMAC, whose software implementation achieves a fixed execution time without special hardware support. To generate the shared secret key, the elliptic-curve Diffie-Hellman protocol is used in the Curve25519 implementation, also proposed by Daniel Bernstein. The algorithm used for hashing is BLAKE2s (RFC7693).

In performance testing, WireGuard demonstrated 3.9 times higher throughput and 3.8 times higher responsiveness compared to OpenVPN (256-bit AES with HMAC-SHA2-256). Compared to IPsec (256-bit ChaCha20+Poly1305 and AES-256-GCM-128), WireGuard shows a slight performance improvement (13-18%) and lower latency (21-23%). The tests were carried out using the fast implementations of the encryption algorithms developed by the project; moving to the kernel's standard Crypto API may lead to worse performance.

Source: opennet.ru
