Commit message | Author | Age | Files | Lines
...
* queueing: ensure strictly ordered loads and stores | Jason A. Donenfeld | 2018-08-02 | 4 | -5/+33
|   We don't want a consumer to read plaintext when it's supposed to be reading ciphertext, which means we need to synchronize across cores.
|
|   Suggested-by: Jann Horn <jann@thejh.net>
* queueing: document double-adding and reference conditions | Jason A. Donenfeld | 2018-08-01 | 1 | -0/+12
|
* peer: ensure resources are freed when creation fails | Jason A. Donenfeld | 2018-08-01 | 1 | -13/+19
|   And in general tighten up the logic of peer creation.
* queueing: keep reference to peer after setting atomic state bit | Jason A. Donenfeld | 2018-08-01 | 2 | -3/+8
|   After we atomic_set, the peer is allowed to be freed, which means if we want to continue to reference it, we need to bump the reference count. This was introduced a few commits ago by b713ab0e when implementing some simplification suggestions.
* allowedips: free root inside of RCU callback | Jason A. Donenfeld | 2018-08-01 | 1 | -8/+10
|   This reduces the amount of call_rcu invocations considerably.
|
|   Suggested-by: Stephen Hemminger <stephen@networkplumber.org>
* hashtables: document immediate zeroing semantics | Jason A. Donenfeld | 2018-08-01 | 1 | -0/+6
|   Suggested-by: Jann Horn <jann@thejh.net>
* allowedips: avoid window of disappeared peer | Jann Horn | 2018-08-01 | 1 | -1/+5
|   If a peer is removed, it's possible for a lookup to momentarily return NULL, resulting in needless -ENOKEY returns.
|
|   Signed-off-by: Jann Horn <jannh@google.com>
* allowedips: prevent double read in kref | Jason A. Donenfeld | 2018-08-01 | 2 | -17/+17
|   Blocks like:
|
|       if (node_placement(*trie, key, cidr, bits, &node, lock)) {
|               node->peer = peer;
|               return 0;
|       }
|
|   May result in a double read when adjusting the refcount, in the highly unlikely case of LTO and an overly smart compiler.
|
|   While we're at it, replace rcu_assign_pointer(X, NULL); with RCU_INIT_POINTER.
|
|   Reported-by: Jann Horn <jann@thejh.net>
* chacha20poly1305: selftest: split up test vector constants | Jason A. Donenfeld | 2018-07-31 | 1 | -69/+210
|
* version: bump snapshot [0.0.20180731] | Jason A. Donenfeld | 2018-07-31 | 2 | -2/+2
|
* device: adjust comment | Jason A. Donenfeld | 2018-07-31 | 1 | -1/+1
|   Suggested-by: Jonathan Neuschäfer <j.neuschaefer@gmx.net>
* noise: use hex constant for tai64n offset | Jason A. Donenfeld | 2018-07-31 | 1 | -1/+1
|   Suggested-by: Jonathan Neuschäfer <j.neuschaefer@gmx.net>
* main: properly name label | Jason A. Donenfeld | 2018-07-31 | 1 | -2/+2
|
* noise: remove outdated comment | Jason A. Donenfeld | 2018-07-31 | 2 | -5/+0
|   docs/protocol.md hasn't existed for 3 years.
* send: address of variable is never null | Jason A. Donenfeld | 2018-07-31 | 1 | -1/+1
|   Reported-by: Jann Horn <jann@thejh.net>
* peer: simplify rcu reference counts | Jason A. Donenfeld | 2018-07-31 | 9 | -30/+23
|   Use RCU reference counts only when we must, and otherwise use a more reasonably named function.
|
|   Reported-by: Jann Horn <jann@thejh.net>
* ratelimiter: prevent init/uninit race | Jason A. Donenfeld | 2018-07-31 | 2 | -4/+8
|   Fixes a classic ABA problem that isn't actually reachable because of rtnl_lock, but it's good to be correct anyway.
|
|   Reported-by: Jann Horn <jann@thejh.net>
* main: add missing chacha20poly1305 header | Jason A. Donenfeld | 2018-07-31 | 3 | -3/+2
|
* curve25519-x86_64: tighten reductions modulo 2^256-38 | Samuel Neves | 2018-07-28 | 1 | -21/+18
|   At this stage the value of C[4] is at most ((2^256-1) + 38*(2^256-1)) / 2^256 = 38, so there is no need to use a wide multiplication.
|
|   Change inspired by Andy Polyakov's OpenSSL implementation.
|
|   Signed-off-by: Samuel Neves <sneves@dei.uc.pt>
* curve25519-x86_64: simplify the final reduction by adding 19 beforehand | Samuel Neves | 2018-07-28 | 1 | -40/+26
|   Correctness can be quickly verified with the following z3py script:
|
|   >>> from z3 import *
|   >>> x = BitVec("x", 256) # any 256-bit value
|   >>> ref = URem(x, 2**255 - 19) # correct value
|   >>> t = Extract(255, 255, x); x &= 2**255 - 1; # btrq $63, %3
|   >>> u = If(t != 0, BitVecVal(38, 256), BitVecVal(19, 256)) # cmovncl %k5, %k4
|   >>> x += u # addq %4, %0; adcq $0, %1; adcq $0, %2; adcq $0, %3;
|   >>> t = Extract(255, 255, x); x &= 2**255 - 1; # btrq $63, %3
|   >>> u = If(t != 0, BitVecVal(0, 256), BitVecVal(19, 256)) # cmovncl %k5, %k4
|   >>> x -= u # subq %4, %0; sbbq $0, %1; sbbq $0, %2; sbbq $0, %3;
|   >>> prove(x == ref)
|   proved
|
|   Change inspired by Andy Polyakov's OpenSSL implementation.
|
|   Signed-off-by: Samuel Neves <sneves@dei.uc.pt>
* curve25519-x86_64: tighten the x25519 assembly | Samuel Neves | 2018-07-28 | 1 | -3/+3
|   The wide multiplication by 38 in mul_a24_eltfp25519_1w is redundant: (2^256-1) * 121666 / 2^256 is at most 121665, and therefore a 64-bit multiplication can never overflow.
|
|   Change inspired by Andy Polyakov's OpenSSL implementation.
|
|   Signed-off-by: Samuel Neves <sneves@dei.uc.pt>
* qemu: update musl and kernel | Jason A. Donenfeld | 2018-07-24 | 1 | -2/+2
|
* wg-quick: android: remove compat code | Jason A. Donenfeld | 2018-07-24 | 1 | -10/+0
|
* wg-quick: android: allow package to be overridden | Jason A. Donenfeld | 2018-07-24 | 1 | -4/+9
|
* qemu: show log if process crashes | Jason A. Donenfeld | 2018-07-24 | 1 | -10/+16
|
* embeddable-wg-library: do not left shift negative numbers | Jason A. Donenfeld | 2018-07-24 | 1 | -7/+2
|   Otherwise we incur undefined behavior.
* receive: check against proper return value type | Jason A. Donenfeld | 2018-07-24 | 1 | -1/+1
|
* version: bump snapshot [0.0.20180718] | Jason A. Donenfeld | 2018-07-18 | 2 | -2/+2
|
* recieve: disable NAPI busy polling | Thomas Gschwantner | 2018-07-18 | 2 | -0/+10
|   This avoids adding one reference per peer to the napi_hash hashtable, as normally done by netif_napi_add(). Since we potentially could have up to 2^20 peers this would make busy polling very slow globally. This approach is preferable to having only a single napi struct because we get one gro_list per peer, which means packets can be combined nicely even if we have a large number of peers. This is also done by gro_cells_init() in net/core/gro_cells.c.
|
|   Signed-off-by: Thomas Gschwantner <tharre3@gmail.com>
* device: destroy workqueue before freeing queue | Jason A. Donenfeld | 2018-07-18 | 1 | -1/+1
|
* wg-quick: allow link local default gateway | Jason A. Donenfeld | 2018-07-16 | 3 | -3/+0
|   It's unclear why it was like this in the first place, but it apparently broke certain IPv6 setups.
|
|   Reported-by: Jonas Blahut <j@die-blahuts.de>
* receive: use gro call instead of plain call | Jason A. Donenfeld | 2018-07-12 | 1 | -1/+1
|
* receive: account for zero or negative budget | Jason A. Donenfeld | 2018-07-11 | 1 | -0/+3
|   Suggested-by: Thomas Gschwantner <tharre3@gmail.com>
* tools: only error on wg show if all interfaces fail | Jason A. Donenfeld | 2018-07-08 | 1 | -1/+4
|
* version: bump snapshot [0.0.20180708] | Jason A. Donenfeld | 2018-07-08 | 2 | -2/+2
|
* receive: use NAPI on the receive path | Jonathan Neuschäfer | 2018-07-08 | 6 | -17/+45
|   Suggested-by: Jason A. Donenfeld <Jason@zx2c4.com>
|   [Jason: fixed up the flushing of the rx_queue in peer_remove]
|   Signed-off-by: Jonathan Neuschäfer <j.neuschaefer@gmx.net>
* qemu: decide debug kernel based on KERNEL_VERSION | Jason A. Donenfeld | 2018-07-06 | 1 | -8/+8
|   If KERNEL_VERSION ends in -debug, then automatically set DEBUG_KERNEL
|
|   If DEBUG_KERNEL is set, now the debug kernel will be built in a separate directory from the normal kernel, so that it's easy to toggle back and forth.
* qemu: bump default kernel version | Jason A. Donenfeld | 2018-07-06 | 1 | -1/+1
|   This fixes DEBUG_KERNEL=yes due to dd275caf4a0d9b219fffe49288b6cc33cd564312 being backported to 4.17.4.
* selftest: ratelimiter: improve chance of success via retry | Jason A. Donenfeld | 2018-07-06 | 1 | -1/+6
|
* wg-quick: android: support excluding applications | Jason A. Donenfeld | 2018-07-05 | 1 | -9/+102
|
* receive: style | Jason A. Donenfeld | 2018-07-04 | 1 | -1/+1
|
* device: print daddr not saddr in missing peer error | Jason A. Donenfeld | 2018-07-04 | 1 | -1/+4
|
* version: bump snapshot [0.0.20180625] | Jason A. Donenfeld | 2018-06-25 | 2 | -2/+2
|
* wg-quick: android: prevent outgoing handshake packets from being dropped | Jason A. Donenfeld | 2018-06-25 | 1 | -0/+4
|
* compat: more robust ktime backport | Jason A. Donenfeld | 2018-06-24 | 1 | -3/+8
|   This is needed for frankenkernels, like android-common.
* global: use fast boottime instead of normal boottime | Jason A. Donenfeld | 2018-06-23 | 12 | -26/+26
|   Generally if we're inaccurate by a few nanoseconds, it doesn't matter.
* global: use ktime boottime instead of jiffies | Jason A. Donenfeld | 2018-06-23 | 15 | -64/+69
|   Since this is a network protocol, expirations need to be accounted for, even across system suspend. On real systems, this isn't a problem, since we're clearing all keys before suspend. But on Android, where we don't do that, this is something of a problem. So, we switch to using boottime instead of jiffies.
* tools: fix misspelling of strchrnul in comment | Jonathan Neuschäfer | 2018-06-22 | 1 | -1/+1
|   Signed-off-by: Jonathan Neuschäfer <j.neuschaefer@gmx.net>
* manpages: eliminate whitespace at the end of the line | Jonathan Neuschäfer | 2018-06-22 | 2 | -26/+26
|   This eliminates a few style warnings from "mandoc -T lint src/tools/wg*.8".
|
|   Signed-off-by: Jonathan Neuschäfer <j.neuschaefer@gmx.net>
* global: fix a few typos | Jonathan Neuschäfer | 2018-06-22 | 2 | -2/+2
|   Signed-off-by: Jonathan Neuschäfer <j.neuschaefer@gmx.net>