Commit message (Collapse) | Author | Files | Lines | ||
---|---|---|---|---|---|
2018-06-22 | main: test poly1305 before chacha20poly1305 | Jason A. Donenfeld | 1 | -1/+1 | |
Since chacha20poly1305 relies on the correctness of poly1305, it's useful to have a failing poly1305 test first, to better pinpoint what's happening. | |||||
2018-06-22 | receive: don't toggle bh | Jason A. Donenfeld | 1 | -6/+0 | |
This had a bad performance impact. We'll probably need to revisit this later, but for now, let's not introduce a regression. Reported-by: Lonnie Abelbeck <lonnie@abelbeck.com> | |||||
2018-06-20 | version: bump snapshot0.0.20180620 | Jason A. Donenfeld | 2 | -2/+2 | |
2018-06-20 | poly1305: add missing string.h header | Jason A. Donenfeld | 1 | -0/+1 | |
Reported-by: Peter Korsgaard <peter@korsgaard.com> | |||||
2018-06-19 | compat: use stabler lkml links | Jason A. Donenfeld | 1 | -2/+2 | |
This will redirect to whichever archive kernel.org thinks is best. Suggested-by: Konstantin Ryabitsev <konstantin@linuxfoundation.org> | |||||
2018-06-19 | ratelimiter: do not allow concurrent init and uninit | Jason A. Donenfeld | 1 | -0/+6 | |
2018-06-19 | ratelimiter: mitigate reference underflow | Jason A. Donenfeld | 2 | -1/+3 | |
2018-06-19 | receive: drop handshake packets if rng is not initialized | Jason A. Donenfeld | 2 | -2/+55 | |
Otherwise it's too easy to trigger cookie reply messages. | |||||
2018-06-18 | noise: wait for crng before taking locks | Jason A. Donenfeld | 1 | -0/+10 | |
Otherwise, get_random_bytes_wait gets called from curve25519_generate_secret, and at the same time, a user might use the wg(8) utility, which then wants to grab a read lock for what we're write locking. | |||||
2018-06-18 | netlink: maintain static_identity lock over entire private key update | Jason A. Donenfeld | 3 | -6/+5 | |
We don't want the local private key to not correspond with a precomputed ss or precomputed cookie hash at any intermediate point. | |||||
2018-06-18 | noise: take locks for ss precomputation | Jason A. Donenfeld | 1 | -3/+9 | |
Usually this is called from handshake_init, where locking doesn't matter because nothing references it yet, but it's also called when changing the device private key, so it's probably a good thing to not process a handshake with a ss precomputation that's part old and part new. | |||||
2018-06-17 | qemu: bump default kernel | Jason A. Donenfeld | 1 | -1/+1 | |
2018-06-17 | wg-quick: android: don't forget to free compiled regexes | Jason A. Donenfeld | 1 | -5/+6 | |
2018-06-17 | wg-quick: android: disable roaming to v6 networks when v4 is specified | Jason A. Donenfeld | 1 | -1/+54 | |
This works around an unfortunate bug in 464XLAT transitions. | |||||
2018-06-17 | dns-hatchet: apply resolv.conf's selinux context to new resolv.conf | Jason A. Donenfeld | 1 | -0/+2 | |
2018-06-17 | simd: no need to restore fpu state when no preemption | Jason A. Donenfeld | 1 | -0/+2 | |
2018-06-17 | simd: encapsulate fpu amortization into nice functions | Jason A. Donenfeld | 7 | -71/+83 | |
2018-06-16 | queueing: re-enable preemption periodically to lower latency | Jason A. Donenfeld | 2 | -0/+18 | |
2018-06-16 | queueing: remove useless spinlocks on sc | Jason A. Donenfeld | 3 | -5/+1 | |
Since these are the only consumers, there's no need for locking. | |||||
2018-06-14 | tools: getentropy requires 10.12 | Jason A. Donenfeld | 1 | -1/+7 | |
2018-06-14 | chacha20poly1305: use slow crypto on -rt kernels on arm too | Jason A. Donenfeld | 1 | -1/+1 | |
2018-06-13 | version: bump snapshot0.0.20180613 | Jason A. Donenfeld | 2 | -2/+2 | |
2018-06-13 | chacha20poly1305: use slow crypto on -rt kernels | Jason A. Donenfeld | 1 | -1/+1 | |
In rt kernels, spinlocks call schedule(), which means preemption can't be disabled. The FPU disables preemption. Hence, we can either restructure things to move the calls to kernel_fpu_begin/end to be really close to the actual crypto routines, or we can do the slower lazier solution of just not using the FPU at all on -rt kernels. This patch goes with the latter lazy solution. The reason why we don't place the calls to kernel_fpu_begin/end close to the crypto routines in the first place is that they're very expensive, as it usually involves a call to XSAVE. So on sane kernels, we benefit from only having to call it once. | |||||
2018-06-08 | tools: support getentropy(3) | Jason A. Donenfeld | 1 | -0/+11 | |
2018-06-06 | tools: encoding: add missing static array constraints | Jason A. Donenfeld | 3 | -5/+5 | |
2018-06-04 | wg-quick: android: change name of intent | Jason A. Donenfeld | 1 | -1/+1 | |
2018-06-02 | chacha20: add missing include to header | Jason A. Donenfeld | 1 | -0/+1 | |
2018-05-31 | wg-quick: android: delay setting users until end | Jason A. Donenfeld | 1 | -1/+6 | |
`ndc users add` eventually invokes SOCK_DESTROY on user sockets, causing them to reconnect. By delaying this until after routes are set, we ensure that the sockets reconnect using the tunnel, rather than the old route. | |||||
2018-05-31 | version: bump snapshot0.0.20180531 | Jason A. Donenfeld | 2 | -2/+2 | |
2018-05-31 | qemu: bump default version | Jason A. Donenfeld | 1 | -1/+1 | |
2018-05-31 | tools: constanter time encoding | Jason A. Donenfeld | 2 | -22/+28 | |
2018-05-31 | device: do not assume dst is always valid | Jason A. Donenfeld | 1 | -1/+1 | |
The new flow offloading feature at the moment does not set the dst. We have a patch pending to fix this upstream, but in the meantime, work around it here. | |||||
2018-05-31 | poly1305: mips: compute S on fly | René van Dorst | 1 | -31/+22 | |
This reduces memory access and the total opaque size. Signed-off-by: René van Dorst <opensource@vdorst.com> | |||||
2018-05-31 | chacha20poly1305: test for authtag failure | Jason A. Donenfeld | 1 | -3/+21 | |
2018-05-31 | chacha20poly1305: test scattergather functions too | Jason A. Donenfeld | 1 | -2/+44 | |
2018-05-31 | crypto: consistent constification | Jason A. Donenfeld | 6 | -23/+23 | |
2018-05-31 | wg-quick: darwin: set DNS servers after delay on route change | Jason A. Donenfeld | 1 | -2/+6 | |
This works around a race condition in macOS's network daemons, while also adding one in the form of possibly calling kill -ALRM on a stale PID; unfortunately bash can't wait from a trap. | |||||
2018-05-31 | chacha20poly1305: combine stack variables into union | Jason A. Donenfeld | 2 | -62/+64 | |
2018-05-31 | chacha20poly1305: split up into separate files | Jason A. Donenfeld | 10 | -627/+740 | |
2018-05-29 | curve25519: x86_64: make symbol static | Jason A. Donenfeld | 1 | -2/+2 | |
2018-05-29 | curve25519: x86_64: satisfy sparse | Jason A. Donenfeld | 1 | -260/+260 | |
2018-05-27 | wg-quick: freebsd: configure as p2p link | Jason A. Donenfeld | 1 | -3/+5 | |
2018-05-27 | wg-quick: darwin: add multiple IP addresses | Jason A. Donenfeld | 1 | -2/+2 | |
2018-05-27 | wg-quick: determine IPs when saving interface | Jason A. Donenfeld | 3 | -12/+14 | |
2018-05-24 | compat: don't clash with get_random_u32 backports | Jason A. Donenfeld | 1 | -3/+2 | |
Our previous heuristic wasn't good enough, since CopperheadOS backported CANARY_MASK without backporting get_random_u32, as Qualcomm did, so now we just entirely rename all invocations of the function. | |||||
2018-05-24 | version: bump snapshot0.0.20180524 | Jason A. Donenfeld | 2 | -2/+2 | |
2018-05-24 | wg-quick: freebsd: work around security vulnerabilities in bash | Jason A. Donenfeld | 1 | -7/+29 | |
2018-05-23 | wg-quick: allow enumeration of socket files | Jason A. Donenfeld | 2 | -2/+2 | |
These OSes have an unpriv'd ifconfig, so this isn't an even larger info leak. | |||||
2018-05-23 | wg-quick: better bash completion for non-renaming OSes | Jason A. Donenfeld | 1 | -5/+14 | |
2018-05-23 | wg-quick: support FreeBSD/Darwin search path | Jason A. Donenfeld | 4 | -16/+39 | |