summaryrefslogtreecommitdiffstatshomepage
Commit message (Collapse)AuthorAgeFilesLines
* version: bump snapshot0.0.20180620Jason A. Donenfeld2018-06-202-2/+2
|
* poly1305: add missing string.h headerJason A. Donenfeld2018-06-201-0/+1
| | | | Reported-by: Peter Korsgaard <peter@korsgaard.com>
* compat: use stabler lkml linksJason A. Donenfeld2018-06-191-2/+2
| | | | | | This will redirect to whichever archive kernel.org thinks is best. Suggested-by: Konstantin Ryabitsev <konstantin@linuxfoundation.org>
* ratelimiter: do not allow concurrent init and uninitJason A. Donenfeld2018-06-191-0/+6
|
* ratelimiter: mitigate reference underflowJason A. Donenfeld2018-06-192-1/+3
|
* receive: drop handshake packets if rng is not initializedJason A. Donenfeld2018-06-192-2/+55
| | | | Otherwise it's too easy to trigger cookie reply messages.
* noise: wait for crng before taking locksJason A. Donenfeld2018-06-181-0/+10
| | | | | | | Otherwise, get_random_bytes_wait gets called from curve25519_generate_secret, and at the same time, a user might use the wg(8) utility, which then wants to grab a read lock for what we're write locking.
* netlink: maintain static_identity lock over entire private key updateJason A. Donenfeld2018-06-183-6/+5
| | | | | We don't want the local private key to not correspond with a precomputed ss or precomputed cookie hash at any intermediate point.
* noise: take locks for ss precomputationJason A. Donenfeld2018-06-181-3/+9
| | | | | | | Usually this is called from handshake_init, where locking doesn't matter because nothing references it yet, but it's also called when changing the device private key, so it's probably a good thing to not process a handshake with a ss precomputation that's part old and part new.
* qemu: bump default kernelJason A. Donenfeld2018-06-171-1/+1
|
* wg-quick: android: don't forget to free compiled regexesJason A. Donenfeld2018-06-171-5/+6
|
* wg-quick: android: disable roaming to v6 networks when v4 is specifiedJason A. Donenfeld2018-06-171-1/+54
| | | | This works around an unfortunate bug in 464XLAT transitions.
* dns-hatchet: apply resolv.conf's selinux context to new resolv.confJason A. Donenfeld2018-06-171-0/+2
|
* simd: no need to restore fpu state when no preemptionJason A. Donenfeld2018-06-171-0/+2
|
* simd: encapsulate fpu amortization into nice functionsJason A. Donenfeld2018-06-177-71/+83
|
* queueing: re-enable preemption periodically to lower latencyJason A. Donenfeld2018-06-162-0/+18
|
* queueing: remove useless spinlocks on scJason A. Donenfeld2018-06-163-5/+1
| | | | Since these are the only consumers, there's no need for locking.
* tools: getentropy requires 10.12Jason A. Donenfeld2018-06-141-1/+7
|
* chacha20poly1305: use slow crypto on -rt kernels on arm tooJason A. Donenfeld2018-06-141-1/+1
|
* version: bump snapshot0.0.20180613Jason A. Donenfeld2018-06-132-2/+2
|
* chacha20poly1305: use slow crypto on -rt kernelsJason A. Donenfeld2018-06-131-1/+1
| | | | | | | | | | | | | | In rt kernels, spinlocks call schedule(), which means preemption can't be disabled. The FPU disables preemption. Hence, we can either restructure things to move the calls to kernel_fpu_begin/end to be really close to the actual crypto routines, or we can do the slower lazier solution of just not using the FPU at all on -rt kernels. This patch goes with the latter lazy solution. The reason why we don't place the calls to kernel_fpu_begin/end close to the crypto routines in the first place is that they're very expensive, as it usually involves a call to XSAVE. So on sane kernels, we benefit from only having to call it once.
* tools: support getentropy(3)Jason A. Donenfeld2018-06-081-0/+11
|
* tools: encoding: add missing static array constraintsJason A. Donenfeld2018-06-063-5/+5
|
* wg-quick: android: change name of intentJason A. Donenfeld2018-06-041-1/+1
|
* chacha20: add missing include to headerJason A. Donenfeld2018-06-021-0/+1
|
* wg-quick: android: delay setting users until endJason A. Donenfeld2018-05-311-1/+6
| | | | | | | `ndc users add` eventually invokes SOCK_DESTROY on user sockets, causing them to reconnect. By delaying this until after routes are set, we ensure that the sockets reconnect using the tunnel, rather than the old route.
* version: bump snapshot0.0.20180531Jason A. Donenfeld2018-05-312-2/+2
|
* qemu: bump default versionJason A. Donenfeld2018-05-311-1/+1
|
* tools: constanter time encodingJason A. Donenfeld2018-05-312-22/+28
|
* device: do not assume dst is always validJason A. Donenfeld2018-05-311-1/+1
| | | | | | The new flow offloading feature at the moment does not set the dst. We have a patch pending to fix this upstream, but in the meantime, work around it here.
* poly1305: mips: compute S on flyRené van Dorst2018-05-311-31/+22
| | | | | | This reduces memory access and the total opaque size. Signed-off-by: René van Dorst <opensource@vdorst.com>
* chacha20poly1305: test for authtag failureJason A. Donenfeld2018-05-311-3/+21
|
* chacha20poly1305: test scattergather functions tooJason A. Donenfeld2018-05-311-2/+44
|
* crypto: consistent constificationJason A. Donenfeld2018-05-316-23/+23
|
* wg-quick: darwin: set DNS servers after delay on route changeJason A. Donenfeld2018-05-311-2/+6
| | | | | | This works around a race condition in macOS's network daemons, while also adding one in the form of possibly calling kill -ALRM on a stale PID; unfortunately bash can't wait from a trap.
* chacha20poly1305: combine stack variables into unionJason A. Donenfeld2018-05-312-62/+64
|
* chacha20poly1305: split up into separate filesJason A. Donenfeld2018-05-3110-627/+740
|
* curve25519: x86_64: make symbol staticJason A. Donenfeld2018-05-291-2/+2
|
* curve25519: x86_64: satisfy sparseJason A. Donenfeld2018-05-291-260/+260
|
* wg-quick: freebsd: configure as p2p linkJason A. Donenfeld2018-05-271-3/+5
|
* wg-quick: darwin: add multiple IP addressesJason A. Donenfeld2018-05-271-2/+2
|
* wg-quick: determine IPs when saving interfaceJason A. Donenfeld2018-05-273-12/+14
|
* compat: don't clash with get_random_u32 backportsJason A. Donenfeld2018-05-241-3/+2
| | | | | | Our previous heuristic wasn't good enough, since CopperheadOS backported CANARY_MASK without backporting get_random_u32, as Qualcomm did, so now we just entirely rename all invocations of the function.
* version: bump snapshot0.0.20180524Jason A. Donenfeld2018-05-242-2/+2
|
* wg-quick: freebsd: work around security vulnerabilities in bashJason A. Donenfeld2018-05-241-7/+29
|
* wg-quick: allow enumeration of socket filesJason A. Donenfeld2018-05-232-2/+2
| | | | | These OSes have an unpriv'd ifconfig, so this isn't an even larger info leak.
* wg-quick: better bash completion for non-renaming OSesJason A. Donenfeld2018-05-231-5/+14
|
* wg-quick: support FreeBSD/Darwin search pathJason A. Donenfeld2018-05-234-16/+39
|
* tools: always pass -v as first argument to installJason A. Donenfeld2018-05-231-7/+7
| | | | This lets crippled OSes sed out our -v more easily.
* wg-quick: openbsd: add new implementationJason A. Donenfeld2018-05-221-0/+451
|
Copyright © 1996 – 2023 Jason A. Donenfeld. All Rights Reverse Engineered.