aboutsummaryrefslogtreecommitdiffstatshomepage
path: root/src (follow)
Commit message (Collapse)AuthorAgeFilesLines
...
* noise: use hex constant for tai64n offsetJason A. Donenfeld2018-07-311-1/+1
| | | | | Suggested-by: Jonathan Neuschäfer <j.neuschaefer@gmx.net> Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* main: properly name labelJason A. Donenfeld2018-07-311-2/+2
| | | | Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* noise: remove outdated commentJason A. Donenfeld2018-07-312-5/+0
| | | | | | docs/protocol.md hasn't existed for 3 years. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* send: address of variable is never nullJason A. Donenfeld2018-07-311-1/+1
| | | | | Reported-by: Jann Horn <jann@thejh.net> Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* peer: simplify rcu reference countsJason A. Donenfeld2018-07-319-30/+23
| | | | | | | | Use RCU reference counts only when we must, and otherwise use a more reasonably named function. Reported-by: Jann Horn <jann@thejh.net> Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* ratelimiter: prevent init/uninit raceJason A. Donenfeld2018-07-312-4/+8
| | | | | | | | Fixes a classic ABA problem that isn't actually reachable because of rtnl_lock, but it's good to be correct anyway. Reported-by: Jann Horn <jann@thejh.net> Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* main: add missing chacha20poly1305 headerJason A. Donenfeld2018-07-313-3/+2
| | | | Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* curve25519-x86_64: tighten reductions modulo 2^256-38Samuel Neves2018-07-281-21/+18
| | | | | | | | | | At this stage the value if C[4] is at most ((2^256-1) + 38*(2^256-1)) / 2^256 = 38, so there is no need to use a wide multiplication. Change inspired by Andy Polyakov's OpenSSL implementation. Signed-off-by: Samuel Neves <sneves@dei.uc.pt> Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* curve25519-x86_64: simplify the final reduction by adding 19 beforehandSamuel Neves2018-07-281-38/+24
| | | | | | | | | | | | | | | | | | | | | Correctness can be quickly verified with the following z3py script: >>> from z3 import * >>> x = BitVec("x", 256) # any 256-bit value >>> ref = URem(x, 2**255 - 19) # correct value >>> t = Extract(255, 255, x); x &= 2**255 - 1; # btrq $63, %3 >>> u = If(t != 0, BitVecVal(38, 256), BitVecVal(19, 256)) # cmovncl %k5, %k4 >>> x += u # addq %4, %0; adcq $0, %1; adcq $0, %2; adcq $0, %3; >>> t = Extract(255, 255, x); x &= 2**255 - 1; # btrq $63, %3 >>> u = If(t != 0, BitVecVal(0, 256), BitVecVal(19, 256)) # cmovncl %k5, %k4 >>> x -= u # subq %4, %0; sbbq $0, %1; sbbq $0, %2; sbbq $0, %3; >>> prove(x == ref) proved Change inspired by Andy Polyakov's OpenSSL implementation. Signed-off-by: Samuel Neves <sneves@dei.uc.pt> Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* curve25519-x86_64: tighten the x25519 assemblySamuel Neves2018-07-281-3/+3
| | | | | | | | | | | The wide multiplication by 38 in mul_a24_eltfp25519_1w is redundant: (2^256-1) * 121666 / 2^256 is at most 121665, and therefore a 64-bit multiplication can never overflow. Change inspired by Andy Polyakov's OpenSSL implementation. Signed-off-by: Samuel Neves <sneves@dei.uc.pt> Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* qemu: update musl and kernelJason A. Donenfeld2018-07-241-2/+2
| | | | Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* qemu: show log if process crashesJason A. Donenfeld2018-07-241-10/+16
| | | | Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* receive: check against proper return value typeJason A. Donenfeld2018-07-241-1/+1
| | | | Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* version: bump snapshotJason A. Donenfeld2018-07-182-2/+2
| | | | Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* recieve: disable NAPI busy pollingThomas Gschwantner2018-07-182-0/+10
| | | | | | | | | | | | | | | This avoids adding one reference per peer to the napi_hash hashtable, as normally done by netif_napi_add(). Since we potentially could have up to 2^20 peers this would make busy polling very slow globally. This approach is preferable to having only a single napi struct because we get one gro_list per peer, which means packets can be combined nicely even if we have a large number of peers. This is also done by gro_cells_init() in net/core/gro_cells.c . Signed-off-by: Thomas Gschwantner <tharre3@gmail.com> Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* device: destroy workqueue before freeing queueJason A. Donenfeld2018-07-181-1/+1
| | | | Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* receive: use gro call instead of plain callJason A. Donenfeld2018-07-121-1/+1
| | | | Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* receive: account for zero or negative budgetJason A. Donenfeld2018-07-111-0/+3
| | | | | Suggested-by: Thomas Gschwantner <tharre3@gmail.com> Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* version: bump snapshotJason A. Donenfeld2018-07-082-2/+2
| | | | Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* receive: use NAPI on the receive pathJonathan Neuschäfer2018-07-086-17/+45
| | | | | | | Suggested-by: Jason A. Donenfeld <Jason@zx2c4.com> [Jason: fixed up the flushing of the rx_queue in peer_remove] Signed-off-by: Jonathan Neuschäfer <j.neuschaefer@gmx.net> Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* qemu: decide debug kernel based on KERNEL_VERSIONJason A. Donenfeld2018-07-061-8/+8
| | | | | | | | | If KERNEL_VERSION ends in -debug, then automatically set DEBUG_KERNEL If DEBUG_KERNEL is set, now the debug kernel will be built in a separate directory from the normal kernel, so that it's easy to toggle back and forth. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* qemu: bump default kernel versionJason A. Donenfeld2018-07-061-1/+1
| | | | | | | This fixes DEBUG_KERNEL=yes due to dd275caf4a0d9b219fffe49288b6cc33cd564312 being backported to 4.17.4. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* selftest: ratelimiter: improve chance of success via retryJason A. Donenfeld2018-07-061-1/+6
| | | | Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* receive: styleJason A. Donenfeld2018-07-041-1/+1
| | | | Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* device: print daddr not saddr in missing peer errorJason A. Donenfeld2018-07-041-1/+4
| | | | Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* version: bump snapshotJason A. Donenfeld2018-06-252-2/+2
| | | | Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* compat: more robust ktime backportJason A. Donenfeld2018-06-241-3/+8
| | | | | | This is needed for frankenkernels, like android-common. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* global: use fast boottime instead of normal boottimeJason A. Donenfeld2018-06-2312-26/+26
| | | | | | Generally if we're inaccurate by a few nanoseconds, it doesn't matter. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* global: use ktime boottime instead of jiffiesJason A. Donenfeld2018-06-2315-64/+69
| | | | | | | | | | Since this is a network protocol, expirations need to be accounted for, even across system suspend. On real systems, this isn't a problem, since we're clearing all keys before suspend. But on Android, where we don't do that, this is something of a problem. So, we switch to using boottime instead of jiffies. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* global: fix a few typosJonathan Neuschäfer2018-06-222-2/+2
| | | | | Signed-off-by: Jonathan Neuschäfer <j.neuschaefer@gmx.net> Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* simd: add missing headerJason A. Donenfeld2018-06-221-0/+1
| | | | | Suggested-by: Shlomi Steinberg <shlomi@shlomisteinberg.com> Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* poly1305: give linker the correct constant data section sizeJason A. Donenfeld2018-06-221-1/+1
| | | | | | | | Otherwise these constants will be merged wrong or excluded, and we'll wind up with wrong calculations. While bfd (the normal kernel linker) doesn't seem to mind, recent versions of gold do bad things. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* main: test poly1305 before chacha20poly1305Jason A. Donenfeld2018-06-221-1/+1
| | | | | | | | Since chacha20poly1305 relies on the correctness of poly1305, it's useful to have a failing poly1305 test first, to better pinpoint what's happening. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* receive: don't toggle bhJason A. Donenfeld2018-06-221-6/+0
| | | | | | | | This had a bad performance impact. We'll probably need to revisit this later, but for now, let's not introduce a regression. Reported-by: Lonnie Abelbeck <lonnie@abelbeck.com> Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* version: bump snapshotJason A. Donenfeld2018-06-202-2/+2
| | | | Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* poly1305: add missing string.h headerJason A. Donenfeld2018-06-201-0/+1
| | | | | Reported-by: Peter Korsgaard <peter@korsgaard.com> Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* compat: use stabler lkml linksJason A. Donenfeld2018-06-191-2/+2
| | | | | | | This will redirect to whichever archive kernel.org thinks is best. Suggested-by: Konstantin Ryabitsev <konstantin@linuxfoundation.org> Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* ratelimiter: do not allow concurrent init and uninitJason A. Donenfeld2018-06-191-0/+6
| | | | Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* ratelimiter: mitigate reference underflowJason A. Donenfeld2018-06-192-1/+3
| | | | Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* receive: drop handshake packets if rng is not initializedJason A. Donenfeld2018-06-192-2/+55
| | | | | | Otherwise it's too easy to trigger cookie reply messages. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* noise: wait for crng before taking locksJason A. Donenfeld2018-06-181-0/+10
| | | | | | | | | Otherwise, get_random_bytes_wait gets called from curve25519_generate_secret, and at the same time, a user might use the wg(8) utility, which then wants to grab a read lock for what we're write locking. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* netlink: maintain static_identity lock over entire private key updateJason A. Donenfeld2018-06-183-6/+5
| | | | | | | We don't want the local private key to not correspond with a precomputed ss or precomputed cookie hash at any intermediate point. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* noise: take locks for ss precomputationJason A. Donenfeld2018-06-181-3/+9
| | | | | | | | | Usually this is called from handshake_init, where locking doesn't matter because nothing references it yet, but it's also called when changing the device private key, so it's probably a good thing to not process a handshake with a ss precomputation that's part old and part new. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* qemu: bump default kernelJason A. Donenfeld2018-06-171-1/+1
| | | | Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* simd: no need to restore fpu state when no preemptionJason A. Donenfeld2018-06-171-0/+2
| | | | Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* simd: encapsulate fpu amortization into nice functionsJason A. Donenfeld2018-06-177-71/+83
| | | | Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* queueing: re-enable preemption periodically to lower latencyJason A. Donenfeld2018-06-162-0/+18
| | | | Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* queueing: remove useless spinlocks on scJason A. Donenfeld2018-06-163-5/+1
| | | | | | Since these are the only consumers, there's no need for locking. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* chacha20poly1305: use slow crypto on -rt kernels on arm tooJason A. Donenfeld2018-06-141-1/+1
| | | | Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* version: bump snapshotJason A. Donenfeld2018-06-132-2/+2
| | | | Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>