Commit message (Collapse)AuthorAgeFilesLines
* tests: add test for transit-netjo/transit-namespaceJulian Orth2018-12-171-0/+40
* tools: allow modification of transit netJulian Orth2018-12-175-4/+24
| | | | | | | | | | | The command is wg set <device> [...] transit-netns <pid|file-path> [...] For example: wg set wg0 transit-netns 1 wg set wg0 transit-netns /proc/1/ns/net
* tools: allow specifying the device namespaceJulian Orth2018-12-1710-27/+155
| | | | | | | | | | | | | | | | | | | | The user can now use wg --netns <pid|file-path> <subcommand> to specify the network namespace in which wg should act. This sets the attribute WGDEVICE_A_DEV_NETNS_PID or WGDEVICE_A_DEV_NETNS_FD. In the case of wg --netns <pid|file-path> show all we have to try to enter the network namespace because the kernel interface does not allow us to list devices in a network namespace referenced by pid or fd. Since entering a network namespace requires CAP_SYS_ADMIN in the current user namespace and the target user namespace, this is almost useless. TODO: Add the missing functionality to the kernel.
* tools: add framework for shared optionsJulian Orth2018-12-179-19/+72
* netlink: allow modification of transit netJulian Orth2018-12-172-18/+50
| | | | | | | | | | | This commit adds two new attributes of which at most one may be provided: * WGDEVICE_A_TRANSIT_NETNS_PID: NLA_U32 * WGDEVICE_A_TRANSIT_NETNS_FD: NLA_U32 The transit namespace is then set to this namespace. The caller must either be in this namespace or have CAP_NET_ADMIN in it.
* socket: allow modification of transit_netJulian Orth2018-12-154-15/+17
* device: store a copy of the device netJulian Orth2018-12-152-11/+20
| | | | | This eliminates the need for have_transit_net_ref because have_transit_net_ref == true if and only if dev_net != transit_net.
* device: rename creating_net to transit_netJulian Orth2018-12-154-18/+18
* netlink: restrict access to the UDP socketJulian Orth2018-12-152-3/+25
| | | | | | To interact with the UDP socket the caller must either be in the network namespace of the socket or have CAP_NET_ADMIN in that network namespace.
* netlink: allow specifying the device namespaceJulian Orth2018-12-152-21/+87
| | | | | | | | | | | This commit adds two new attributes of which at most one may be provided: * WGDEVICE_A_DEV_NETNS_PID: NLA_U32 * WGDEVICE_A_DEV_NETNS_FD: NLA_U32 The Wireguard device is then looked up in this namespace instead of the namespace of the netlink socket.
* netlink: check for CAP_NET_ADMIN manuallyJulian Orth2018-12-151-3/+12
* compat: account for Clang CFIJason A. Donenfeld2018-12-121-1/+1
* chacha20: do not define unused asm functionJason A. Donenfeld2018-12-071-4/+2
| | | | | | This causes RAP to be unhappy, and we're not using it anyway. Reported-by: Ivan J. <parazyd@dyne.org>
* embeddable-wg-library: do not warn on unrecognized netlink attributesJason A. Donenfeld2018-12-071-15/+1
| | | | This is a follow up of bcf8684c9ec90fe0d283a67d1654d05fb3eae019.
* compat: don't undef BUILD_BUG_ON for Clang >=8Nathan Chancellor2018-12-071-1/+1
| | | | | | | | | | | | | | | | | This has been fixed upstream. To keep this hack working for toolchains that don't have it, use CONFIG_CLANG_VERSION, which was added in commit 469cb7376c06 ("kconfig: add CC_IS_CLANG and CLANG_VERSION"), introduced in 4.18. I have added the '!defined(CONFIG_CLANG_VERSION)' to keep the hack around for Android. Most custom kernel developers are using AOSP's Clang, which currently does not have the fix and might not for a while (although it is probably on Google's mind given that it has been an issue for ChromeOS on 4.19: https://crbug.com/897215). I have verified this change against my Pixel 2 kernel and 4.20-rc3 with the latest ToT Clang. Link: https://github.com/ClangBuiltLinux/linux/issues/7 Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
* chacha20,poly1305: simplify perlasm fancinessJason A. Donenfeld2018-12-073-75/+69
* jerry-rig: replace S_shipped with plJason A. Donenfeld2018-11-191-1/+1
* version: bump snapshot0.0.20181119Jason A. Donenfeld2018-11-192-2/+2
* chacha20,poly1305: do not use xlateJason A. Donenfeld2018-11-193-1496/+73
* poly1305: make frame pointers for auxiliary callsSamuel Neves2018-11-171-31/+43
| | | | Signed-off-by: Samuel Neves <sneves@dei.uc.pt>
* crypto: better path resolution and more specific generated .SJason A. Donenfeld2018-11-162-14/+9
* chacha20,poly1305: don't do compiler testing in generator and remove xor helperJason A. Donenfeld2018-11-152-30/+39
* crypto: resolve target prefix on buggy kernelsJason A. Donenfeld2018-11-151-1/+6
| | | | | We also move to .SECONDARY, since older kernels don't use targets like that.
* poly1305: cleanup leftover debugging changesJason A. Donenfeld2018-11-151-3/+3
* poly1305: only export neon symbols when in useJason A. Donenfeld2018-11-151-2/+6
* chacha20,poly1305: fix up for win64Samuel Neves2018-11-152-27/+29
| | | | | | | These don't help us, but it is important to keep this working for when it's re-added to cryptogams. Signed-off-by: Samuel Neves <sneves@dei.uc.pt>
* version: bump snapshot0.0.20181115Jason A. Donenfeld2018-11-152-2/+2
* perlasm: avoid rep retJason A. Donenfeld2018-11-151-1/+1
| | | | | | | | The original hardcodes returns as .byte 0xf3,0xc3, aka "rep ret". We replace this by "ret". "rep ret" was meant to help with AMD K8 chips, cf. http://repzret.org/p/repzret. It makes no sense to continue to use this kludge for code that won't even run on ancient AMD chips.
* poly1305: specialize to wireguardJason A. Donenfeld2018-11-151-11/+20
* chacha20: specialize to wireguardJason A. Donenfeld2018-11-152-20/+38
* perlasm: cleanup whitespaceJason A. Donenfeld2018-11-151-5/+5
* poly1305: adjust to kernelSamuel Neves2018-11-151-220/+291
| | | | Signed-off-by: Samuel Neves <sneves@dei.uc.pt>
* chacha20: cleaner function declarationsSamuel Neves2018-11-141-23/+23
| | | | Signed-off-by: Samuel Neves <sneves@dei.uc.pt>
* chacha20: normalize namesSamuel Neves2018-11-141-71/+71
| | | | Signed-off-by: Samuel Neves <sneves@dei.uc.pt>
* chacha20: fixup win64 stack offsetsSamuel Neves2018-11-141-129/+129
| | | | | | We don't need to do this for kernel purposes, but it's polite to leave things unbroken. Signed-off-by: Samuel Neves <sneves@dei.uc.pt>
* chacha20: simplify stack unwinding on ChaCha20_ctr32Samuel Neves2018-11-141-10/+8
| | | | | | objtool did not quite understand the stack arithmetic employed here. Signed-off-by: Samuel Neves <sneves@dei.uc.pt>
* chacha20: use DRAP idiomSamuel Neves2018-11-141-236/+235
| | | | | | This effectively means swapping the usage of %r9 and %r10 globally. Signed-off-by: Samuel Neves <sneves@dei.uc.pt>
* chacha20: add hchacha_ssse3Samuel Neves2018-11-141-0/+39
| | | | Signed-off-by: Samuel Neves <sneves@dei.uc.pt>
* chacha20: begin adapting to kernel settingSamuel Neves2018-11-142-68/+116
| | | | Signed-off-by: Samuel Neves <sneves@dei.uc.pt>
* chacha20,poly1305: switch to perlasm originals on x86_64Samuel Neves2018-11-145-5424/+9596
| | | | Signed-off-by: Samuel Neves <sneves@dei.uc.pt>
* chacha20,poly1305: use CONFIG_KERNEL_MODE_NEON in .pl on armJason A. Donenfeld2018-11-144-8/+11
| | | | | | While Andy is right to desire a separation between compiler defines and project defines, there are simply too many odd kernel configurations and we require testing for CONFIG_KERNEL_MODE_NEON.
* chacha20,poly1305: switch to perlasm originals on mips and armJason A. Donenfeld2018-11-1415-6107/+5573
| | | | | We also separate out Eric Biggers' Cortex A7 implementation into its own file.
* global: various formatting tweeksJason A. Donenfeld2018-11-1310-47/+44
* wg-quick: android: do not choke on empty allowed-ipsJason A. Donenfeld2018-11-111-1/+4
| | | | Reported-by: Samuel Holland <samuel@sholland.org>
* keygen-html: add missing glue macroJason A. Donenfeld2018-11-061-0/+1
* compat: csum_levels is new in 3.18 but backported to RHELJason A. Donenfeld2018-11-052-0/+3
* qemu: bump default kernelJason A. Donenfeld2018-10-271-1/+1
* send: calculate inner checksums for all protocolsAndrejs Hanins2018-10-271-5/+4
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | I'm using GRE tunnel (transparent Ethernet bridging flavor) over WireGuard interface to be able to bridge L2 network segments. The typical protocol chain looks like this IP->GRE->EthernetHeader->IP->UDP. UDP here is the packet sent from the L2 network segment which is tunneled using GRE over Wireguard. Indeed, there is a checksum inside UDP header which is, as a rule, kept partially calculated while packet travels through network stack and outer protocols are added until the packet reaches WG device which exposes NETIF_F_HW_CSUM feature meaning it can handle checksum offload for all protocols. But the problem here is that skb_checksum_setup called from encrypt_packet handles only TCP/UDP protocols under top level IP, but in my case there is a GRE protocol there, so skb_checksum_help is not called and packet continues its life with unfinished (broken) checksum and gets encrypted as-is. When such packet is received by other side and reaches L2 networks it's seen there with a broken checksum inside the UDP header. The fact that Wireguard on the receiving side sets skb->ip_summed to CHECKSUM_UNNECESSARY partially mitigates the problem by telling network stack on the receiving side that validation of the checksum is not necessary, so local TCP stack, for example, works fine. But it doesn't help in situations when packet needs to be forwarded further (sent out from the box). In this case there is no way we can tell next hop that checksum verification for this packet is not necessary, we just send it out with bad checksum and packet gets dropped on the next hop box. I think the issue of the original code was the wrong usage of skb_checksum_setup, simply because it's not needed in this case. Instead, we can just rely on ip_summed skb field to see if partial checksum needs to be finalized or not. Note that many other drivers in kernel follow this approach. In summary: - skb_checksum_setup can only handle TCP/UDP protocols under top level IP header, packets with other protocols (like GRE) are sent out by Wireguard with unfinished partial checksums which causes problems on receiving side (bad checksums). - encrypt_packet gets skb prepared by network stack, so there is no need to setup the checksum from scratch, but just perform hw checksum offload using software helper skb_checksum_help for packet which explicitly require it as denoted by CHECKSUM_PARTIAL. Signed-off-by: Andrejs Hanins <ahanins@gmail.com>
* receive: assume all levels have been checksumed, not just outerJason A. Donenfeld2018-10-271-0/+7
| | | | This means we do less computation on encapsulated payloads.
* device: do not clear keys on sleep for PM_AUTOSLEEPJason A. Donenfeld2018-10-271-4/+11
| | | | | | | | | | | This way other devices that use Android style wakelocks will also have the same semantics. We also move this logic into the handler so that it's slightly cleaner and gives us some opportunity to leave a normal comment. Suggested-by: Theodore Ts'o <tytso@mit.edu> Suggested-by: Andrew Lunn <andrew@lunn.ch> Suggested-by: Sultan Alsawaf <sultanxda@gmail.com>