aboutsummaryrefslogtreecommitdiffstatshomepage
Commit message (Collapse)AuthorAgeFilesLines
...
* simd: add missing headerJason A. Donenfeld2018-06-221-0/+1
| | | | Suggested-by: Shlomi Steinberg <shlomi@shlomisteinberg.com>
* poly1305: give linker the correct constant data section sizeJason A. Donenfeld2018-06-221-1/+1
| | | | | | Otherwise these constants will be merged wrong or excluded, and we'll wind up with wrong calculations. While bfd (the normal kernel linker) doesn't seem to mind, recent versions of gold do bad things.
* main: test poly1305 before chacha20poly1305Jason A. Donenfeld2018-06-221-1/+1
| | | | | | Since chacha20poly1305 relies on the correctness of poly1305, it's useful to have a failing poly1305 test first, to better pinpoint what's happening.
* receive: don't toggle bhJason A. Donenfeld2018-06-221-6/+0
| | | | | | | This had a bad performance impact. We'll probably need to revisit this later, but for now, let's not introduce a regression. Reported-by: Lonnie Abelbeck <lonnie@abelbeck.com>
* version: bump snapshot0.0.20180620Jason A. Donenfeld2018-06-202-2/+2
|
* poly1305: add missing string.h headerJason A. Donenfeld2018-06-201-0/+1
| | | | Reported-by: Peter Korsgaard <peter@korsgaard.com>
* compat: use stabler lkml linksJason A. Donenfeld2018-06-191-2/+2
| | | | | | This will redirect to whichever archive kernel.org thinks is best. Suggested-by: Konstantin Ryabitsev <konstantin@linuxfoundation.org>
* ratelimiter: do not allow concurrent init and uninitJason A. Donenfeld2018-06-191-0/+6
|
* ratelimiter: mitigate reference underflowJason A. Donenfeld2018-06-192-1/+3
|
* receive: drop handshake packets if rng is not initializedJason A. Donenfeld2018-06-192-2/+55
| | | | Otherwise it's too easy to trigger cookie reply messages.
* noise: wait for crng before taking locksJason A. Donenfeld2018-06-181-0/+10
| | | | | | | Otherwise, get_random_bytes_wait gets called from curve25519_generate_secret, and at the same time, a user might use the wg(8) utility, which then wants to grab a read lock for what we're write locking.
* netlink: maintain static_identity lock over entire private key updateJason A. Donenfeld2018-06-183-6/+5
| | | | | We don't want the local private key to not correspond with a precomputed ss or precomputed cookie hash at any intermediate point.
* noise: take locks for ss precomputationJason A. Donenfeld2018-06-181-3/+9
| | | | | | | Usually this is called from handshake_init, where locking doesn't matter because nothing references it yet, but it's also called when changing the device private key, so it's probably a good thing to not process a handshake with a ss precomputation that's part old and part new.
* qemu: bump default kernelJason A. Donenfeld2018-06-171-1/+1
|
* wg-quick: android: don't forget to free compiled regexesJason A. Donenfeld2018-06-171-5/+6
|
* wg-quick: android: disable roaming to v6 networks when v4 is specifiedJason A. Donenfeld2018-06-171-1/+54
| | | | This works around an unfortunate bug in 464XLAT transitions.
* dns-hatchet: apply resolv.conf's selinux context to new resolv.confJason A. Donenfeld2018-06-171-0/+2
|
* simd: no need to restore fpu state when no preemptionJason A. Donenfeld2018-06-171-0/+2
|
* simd: encapsulate fpu amortization into nice functionsJason A. Donenfeld2018-06-177-71/+83
|
* queueing: re-enable preemption periodically to lower latencyJason A. Donenfeld2018-06-162-0/+18
|
* queueing: remove useless spinlocks on scJason A. Donenfeld2018-06-163-5/+1
| | | | Since these are the only consumers, there's no need for locking.
* tools: getentropy requires 10.12Jason A. Donenfeld2018-06-141-1/+7
|
* chacha20poly1305: use slow crypto on -rt kernels on arm tooJason A. Donenfeld2018-06-141-1/+1
|
* version: bump snapshot0.0.20180613Jason A. Donenfeld2018-06-132-2/+2
|
* chacha20poly1305: use slow crypto on -rt kernelsJason A. Donenfeld2018-06-131-1/+1
| | | | | | | | | | | | | | In rt kernels, spinlocks call schedule(), which means preemption can't be disabled. The FPU disables preemption. Hence, we can either restructure things to move the calls to kernel_fpu_begin/end to be really close to the actual crypto routines, or we can do the slower lazier solution of just not using the FPU at all on -rt kernels. This patch goes with the latter lazy solution. The reason why we don't place the calls to kernel_fpu_begin/end close to the crypto routines in the first place is that they're very expensive, as it usually involves a call to XSAVE. So on sane kernels, we benefit from only having to call it once.
* tools: support getentropy(3)Jason A. Donenfeld2018-06-081-0/+11
|
* tools: encoding: add missing static array constraintsJason A. Donenfeld2018-06-063-5/+5
|
* wg-quick: android: change name of intentJason A. Donenfeld2018-06-041-1/+1
|
* chacha20: add missing include to headerJason A. Donenfeld2018-06-021-0/+1
|
* wg-quick: android: delay setting users until endJason A. Donenfeld2018-05-311-1/+6
| | | | | | | `ndc users add` eventually invokes SOCK_DESTROY on user sockets, causing them to reconnect. By delaying this until after routes are set, we ensure that the sockets reconnect using the tunnel, rather than the old route.
* version: bump snapshot0.0.20180531Jason A. Donenfeld2018-05-312-2/+2
|
* qemu: bump default versionJason A. Donenfeld2018-05-311-1/+1
|
* tools: constanter time encodingJason A. Donenfeld2018-05-312-22/+28
|
* device: do not assume dst is always validJason A. Donenfeld2018-05-311-1/+1
| | | | | | The new flow offloading feature at the moment does not set the dst. We have a patch pending to fix this upstream, but in the meantime, work around it here.
* poly1305: mips: compute S on flyRené van Dorst2018-05-311-31/+22
| | | | | | This reduces memory access and the total opaque size. Signed-off-by: René van Dorst <opensource@vdorst.com>
* chacha20poly1305: test for authtag failureJason A. Donenfeld2018-05-311-3/+21
|
* chacha20poly1305: test scattergather functions tooJason A. Donenfeld2018-05-311-2/+44
|
* crypto: consistent constificationJason A. Donenfeld2018-05-316-23/+23
|
* wg-quick: darwin: set DNS servers after delay on route changeJason A. Donenfeld2018-05-311-2/+6
| | | | | | This works around a race condition in macOS's network daemons, while also adding one in the form of possibly calling kill -ALRM on a stale PID; unfortunately bash can't wait from a trap.
* chacha20poly1305: combine stack variables into unionJason A. Donenfeld2018-05-312-62/+64
|
* chacha20poly1305: split up into separate filesJason A. Donenfeld2018-05-3110-627/+740
|
* curve25519: x86_64: make symbol staticJason A. Donenfeld2018-05-291-2/+2
|
* curve25519: x86_64: satisfy sparseJason A. Donenfeld2018-05-291-260/+260
|
* wg-quick: freebsd: configure as p2p linkJason A. Donenfeld2018-05-271-3/+5
|
* wg-quick: darwin: add multiple IP addressesJason A. Donenfeld2018-05-271-2/+2
|
* wg-quick: determine IPs when saving interfaceJason A. Donenfeld2018-05-273-12/+14
|
* compat: don't clash with get_random_u32 backportsJason A. Donenfeld2018-05-241-3/+2
| | | | | | Our previous heuristic wasn't good enough, since CopperheadOS backported CANARY_MASK without backporting get_random_u32, as Qualcomm did, so now we just entirely rename all invocations of the function.
* version: bump snapshot0.0.20180524Jason A. Donenfeld2018-05-242-2/+2
|
* wg-quick: freebsd: work around security vulnerabilities in bashJason A. Donenfeld2018-05-241-7/+29
|
* wg-quick: allow enumeration of socket filesJason A. Donenfeld2018-05-232-2/+2
| | | | | These OSes have an unpriv'd ifconfig, so this isn't an even larger info leak.
Copyright © 1996 – 2023 Jason A. Donenfeld. All Rights Reverse Engineered.