summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
* version: bump snapshot0.0.20220316Jason A. Donenfeld2022-03-161-1/+1
| | | | Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* tun/netstack: bump modJason A. Donenfeld2022-03-162-24/+17
| | | | Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* mod: bump packages and remove compat netipJason A. Donenfeld2022-03-162-21/+9
| | | | Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* all: use any in place of interface{}Josh Bleecher Snyder2022-03-164-15/+15
| | | | | | Enabled by using Go 1.18. A bit less verbose. Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>
* all: update to Go 1.18Josh Bleecher Snyder2022-03-1620-33/+23
| | | | | | | | | | Bump go.mod and README. Switch to upstream net/netip. Use strings.Cut. Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>
* tun/netstack: check error returned by SetDeadline()Alexander Neumann2022-03-091-1/+4
| | | | | | Signed-off-by: Alexander Neumann <alexander.neumann@redteam-pentesting.de> [Jason: don't wrap deadline error.] Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* tun/netstack: update to latest wireguard-goAlexander Neumann2022-03-093-24/+36
| | | | | | | | | This commit fixes all callsites of netip.AddrFromSlice(), which has changed its signature and now returns two values. Signed-off-by: Alexander Neumann <alexander.neumann@redteam-pentesting.de> [Jason: remove error handling from AddrFromSlice.] Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* tun/netstack: simplify read timeout on ping socketJason A. Donenfeld2022-02-021-43/+14
| | | | | | I'm not 100% sure this is correct, but it certainly is a lot simpler. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* tun/netstack: implement ICMP pingThomas H. Ptacek2022-02-022-24/+343
| | | | | | | | | | Provide a PacketConn interface for netstack's ICMP endpoint; netstack currently only provides EchoRequest/EchoResponse ICMP support, so this code exposes only an interface for doing ping. Signed-off-by: Thomas Ptacek <thomas@sockpuppet.org> [Jason: rework structure, match std go interfaces, add example code] Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* version: bump snapshot0.0.20220117Jason A. Donenfeld2022-01-171-1/+1
| | | | Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* ipc: bsd: try again if kqueue returns EINTRJason A. Donenfeld2022-01-141-1/+1
| | | | | Reported-by: J. Michael McAtee <mmcatee@jumptrading.com> Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* global: apply gofumptJason A. Donenfeld2021-12-0928-71/+56
| | | | Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* device: handle peer post config on blank lineJason A. Donenfeld2021-11-291-0/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | We missed a function exit point. This was exacerbated by e3134bf ("device: defer state machine transitions until configuration is complete"), but the bug existed prior. Minus provided the following useful reproducer script: #!/usr/bin/env bash set -eux make wireguard-go || exit 125 ip netns del test-ns || true ip netns add test-ns ip link add test-kernel type wireguard wg set test-kernel listen-port 0 private-key <(echo "QMCfZcp1KU27kEkpcMCgASEjDnDZDYsfMLHPed7+538=") peer "eDPZJMdfnb8ZcA/VSUnLZvLB2k8HVH12ufCGa7Z7rHI=" allowed-ips 10.51.234.10/32 ip link set test-kernel netns test-ns up ip -n test-ns addr add 10.51.234.1/24 dev test-kernel port=$(ip netns exec test-ns wg show test-kernel listen-port) ip link del test-go || true ./wireguard-go test-go wg set test-go private-key <(echo "WBM7qimR3vFk1QtWNfH+F4ggy/hmO+5hfIHKxxI4nF4=") peer "+nj9Dkqpl4phsHo2dQliGm5aEiWJJgBtYKbh7XjeNjg=" allowed-ips 0.0.0.0/0 endpoint 127.0.0.1:$port ip addr add 10.51.234.10/24 dev test-go ip link set test-go up ping -c2 -W1 10.51.234.1 Reported-by: minus <minus@mnus.de> Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* device: reduce peer lock critical section in UAPIJosh Bleecher Snyder2021-11-231-26/+28
| | | | | | | | | The deferred RUnlock calls weren't executing until all peers had been processed. Add an anonymous function so that each peer may be unlocked as soon as it is completed. Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com> Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* device: remove code using unsafeJosh Bleecher Snyder2021-11-231-33/+13
| | | | | | | | | | | | | There is no performance impact. name old time/op new time/op delta TrieIPv4Peers100Addresses1000-8 78.6ns ± 1% 79.4ns ± 3% ~ (p=0.604 n=10+9) TrieIPv4Peers10Addresses10-8 29.1ns ± 2% 28.8ns ± 1% -1.12% (p=0.014 n=10+9) TrieIPv6Peers100Addresses1000-8 78.9ns ± 1% 78.6ns ± 1% ~ (p=0.492 n=10+10) TrieIPv6Peers10Addresses10-8 29.3ns ± 2% 28.6ns ± 2% -2.16% (p=0.000 n=10+10) Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com> Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* global: use netip where possible nowJason A. Donenfeld2021-11-2322-285/+247
| | | | | | | | There are more places where we'll need to add it later, when Go 1.18 comes out with support for it in the "net" package. Also, allowedips still uses slices internally, which might be suboptimal. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* device: only propagate roaming value before peer is referenced elsewhereJason A. Donenfeld2021-11-161-1/+3
| | | | | | | | | A peer.endpoint never becomes nil after being not-nil, so creation is the only time we actually need to set this. This prevents a race from when the variable is actually used elsewhere, and allows us to avoid an expensive atomic. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* device: align 64-bit atomic member in DeviceJason A. Donenfeld2021-11-161-5/+6
| | | | Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* device: start peers before running handshake testJason A. Donenfeld2021-11-161-0/+2
| | | | Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* Makefile: don't use test -v because it hides failures in scrollbackJason A. Donenfeld2021-11-161-1/+1
| | | | Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* device: fix nil pointer dereference in uapi readDavid Anderson2021-11-161-2/+2
| | | | | Signed-off-by: David Anderson <danderson@tailscale.com> Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* device: make new peers inherit broken mobile semanticsJason A. Donenfeld2021-11-153-0/+5
| | | | Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* device: defer state machine transitions until configuration is completeJason A. Donenfeld2021-11-153-15/+18
| | | | Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* device: do not consume handshake messages if not runningJason A. Donenfeld2021-11-151-1/+1
| | | | Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* tun: move wintun to its own repoJason A. Donenfeld2021-11-043-7/+10
| | | | Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* namedpipe: rename from winpipe to keep in sync with CL299009Jason A. Donenfeld2021-11-047-475/+132
| | | | Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* device: timers: use pre-seeded per-thread unlocked fastrandn for jitterJason A. Donenfeld2021-10-281-10/+5
| | | | Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* device: timers: seed unsafe rng before use for jitterJason A. Donenfeld2021-10-281-3/+11
| | | | | | | Forgetting to seed the unsafe rng, the jitter before followed a fixed pattern, which didn't help when a fleet of computers all boot at once. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* wintun: align 64-bit argument on ARM32Jason A. Donenfeld2021-10-261-1/+5
| | | | Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* README: raise minimum Go to 1.17Jason A. Donenfeld2021-10-251-1/+1
| | | | | Suggested-by: Adam Bliss <abliss@gmail.com> Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* tun/netstack: update gvisorMikael Magnusson2021-10-223-22/+403
| | | | | | | | | | | | | Update gvisor to v0.0.0-20211020211948-f76a604701b6, which requires some changes to tun.go: WriteRawPacket: Add function with not implemented error. CreateNetTUN: Replace stack.AddAddress with stack.AddProtocolAddress, and fix IPv6 address in error message. Signed-off-by: Mikael Magnusson <mikma@users.sourceforge.net> Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* ipc, rwcancel: compile on js/wasmBrad Fitzpatrick2021-10-203-1/+18
| | | | Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
* wintun: allow retrieving DLL versionJason A. Donenfeld2021-10-204-7/+37
| | | | Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* version: bump snapshot0.0.20211016Jason A. Donenfeld2021-10-161-1/+1
| | | | Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* wintun: remove memmod option for dll loadingJason A. Donenfeld2021-10-1613-1481/+39
| | | | | | Only wireguard-windows used this, and it's moving to wgnt exclusively. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* global: remove old-style build tagsJason A. Donenfeld2021-10-1224-24/+0
| | | | Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* global: add newer-style build tagsJason A. Donenfeld2021-10-127-0/+7
| | | | Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* wintun: use new swdevice-based API for upcoming Wintun 0.14Jason A. Donenfeld2021-10-122-149/+61
| | | | Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* conn,wintun: use unsafe.Slice instead of unsafeSliceJason A. Donenfeld2021-10-112-41/+3
| | | | Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* memmod: import from wireguard-windowsJason A. Donenfeld2021-10-116-34/+96
| | | | | | | We'll eventually be getting rid of it here, but keep it sync'd up for now. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* rwcancel: use unix.Poll again but bump x/sys so it uses ppoll under the hoodJason A. Donenfeld2021-09-275-54/+14
| | | | | | | This reverts commit fcc601dbf0f6b626ec1d47a880cbe64f9c8fe385 but then bumps go.mod. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* rwcancel: use ppoll on Linux for AndroidJason A. Donenfeld2021-09-263-2/+34
| | | | | | | This is a temporary measure while we wait for https://go-review.googlesource.com/c/sys/+/352310 to land. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* tun: make operateonfd.go build tags more specificTobias Klauser2021-09-231-2/+2
| | | | | | | | (*NativeTun).operateOnFd is only used on darwin and freebsd. Adjust the build tags accordingly. Signed-off-by: Tobias Klauser <tklauser@distanz.ch> Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* tun: avoid leaking sock fd in CreateTUN error casesTobias Klauser2021-09-232-6/+11
| | | | | | | | At these points, the socket file descriptor is not yet wrapped in an *os.File, so it needs to be closed explicitly on error. Signed-off-by: Tobias Klauser <tklauser@distanz.ch> Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* global: add new go 1.17 build commentsJason A. Donenfeld2021-09-0513-2/+15
| | | | Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* memmod: register exception handler tablesJason A. Donenfeld2021-08-052-0/+19
| | | | | | | | Otherwise recent WDK binaries fail on ARM64, where an exception handler is used for trapping an illegal instruction when ARMv8.1 atomics are being tested for functionality. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* memmod: fix protected delayed load the right wayJason A. Donenfeld2021-07-292-9/+13
| | | | | | | | | | | The reason this was failing before is that dloadsup.h's DloadObtainSection was doing a linear search of sections to find which header corresponds with the IMAGE_DELAYLOAD_DESCRIPTOR section, and we were stupidly overwriting the VirtualSize field, so the linear search wound up matching the .text section, which then it found to not be marked writable and failed with FAST_FAIL_DLOAD_PROTECTION_FAILURE. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* memmod: disable protected delayed load for nowJason A. Donenfeld2021-07-294-2/+155
| | | | | | | Probably a bad idea, but we don't currently support it, and those huge windows.NewCallback trampolines make juicer targets anyway. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* ipc: allow admins but require high integrity labelJason A. Donenfeld2021-06-241-2/+1
| | | | | | Might be more reasonable. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* device: zero out allowedip node pointers when removingJason A. Donenfeld2021-06-042-1/+22
| | | | | | This should make it a bit easier for the garbage collector. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Copyright © 1996 – 2023 Jason A. Donenfeld. All Rights Reverse Engineered.