path: root/src/config.c
Commit message | Author | Date | Files | Lines

* netlink: switch from ioctl to netlink for configuration | Jason A. Donenfeld | 2017-10-02 | 1 | -353/+0

* tools: use key_is_zero for comparing to zeros | Jason A. Donenfeld | 2017-09-24 | 1 | -2/+3
    Maybe an attacker on the system could use the infoleak in /proc to gauge how long a wg(8) process takes to complete and determine the number of leading zeros. This is somewhat ridiculous, but it's possible somebody somewhere might at some point care in the future, so alright.

* config: do not reset device port | Jason A. Donenfeld | 2017-09-24 | 1 | -0/+2

* timers: convert to use netif_running | Jason A. Donenfeld | 2017-09-24 | 1 | -6/+4

* queue: entirely rework parallel system | Jason A. Donenfeld | 2017-09-18 | 1 | -2/+2
    This removes our dependency on padata and moves to a different mode of multiprocessing that is more efficient. This began as Samuel Holland's GSoC project and was gradually reworked/redesigned/rebased into this present commit, which is a combination of his initial contribution and my subsequent rewriting and redesigning.

* global: use pointer to net_device | Jason A. Donenfeld | 2017-07-20 | 1 | -6/+5
    DaveM prefers it to be this way per [1].
    [1] http://www.spinics.net/lists/netdev/msg443992.html

* random: wait for random bytes when generating nonces and ephemerals | Jason A. Donenfeld | 2017-06-12 | 1 | -5/+0
    We can let userspace configure wireguard interfaces before the RNG is fully initialized, since what we mostly care about is having good randomness for ephemerals and xchacha nonces. By deferring the wait to actually asking for the randomness, we give a lot more opportunity for gathering entropy. This won't cover entropy for hash table secrets or cookie secrets (which rotate anyway), but those have far less catastrophic failure modes, so ensuring good randomness for elliptic curve points and nonces should be sufficient.

* config: ensure the RNG is initialized before setting | Jason A. Donenfeld | 2017-06-08 | 1 | -0/+5
    It's possible that get_random_bytes() will return bad randomness if it hasn't been seeded. This patch makes configuration block until the RNG is properly initialized.
    Reference: http://www.openwall.com/lists/kernel-hardening/2017/06/02/2

* config: add new line for style | Jason A. Donenfeld | 2017-05-31 | 1 | -0/+1

* config: it's faster to memcpy than strncpy | Jason A. Donenfeld | 2017-05-31 | 1 | -2/+1
    IFNAMSIZ is 16, so this is two instructions on 64-bit.

* config: do not error out when getting if no peers | Jason A. Donenfeld | 2017-05-31 | 1 | -0/+1

* peer: use iterator macro instead of callback | Jason A. Donenfeld | 2017-05-30 | 1 | -14/+18

* noise: precompute static-static ECDH operation | Jason A. Donenfeld | 2017-05-30 | 1 | -1/+4

* noise: redesign preshared key mode | Jason A. Donenfeld | 2017-05-17 | 1 | -13/+19

* routingtable: rewrite core functions | Jason A. Donenfeld | 2017-04-21 | 1 | -15/+2
    When removing by peer, prev needs to be set to *nptr in order to traverse that part of the trie. The other remove by IP function can simply be removed, as it's not in use. The root freeing function can use pre-order traversal instead of post-order. The pre-order traversal code in general is now a nice iterator macro. The common bits function can use the fast fls instructions and the match function can be rewritten to simply compare common bits. While we're at it, let's add tons of new tests, randomized checking against a dumb implementation, and graphviz output. And in general, it's nice to clean things up.

* config: don't allow no-privatekey to mask preshared | Jason A. Donenfeld | 2017-04-21 | 1 | -1/+2

* curve25519: protect against potential invalid point attacks | Jason A. Donenfeld | 2017-03-30 | 1 | -1/+1

* config: do not allow peers with public keys the same as the interface | Jason A. Donenfeld | 2017-03-28 | 1 | -0/+20

* uapi: add version magic | Jason A. Donenfeld | 2017-03-24 | 1 | -15/+25

* config: satisfy sparse | Jason A. Donenfeld | 2017-03-19 | 1 | -1/+1

* socket: enable setting of fwmark | Jason A. Donenfeld | 2017-02-13 | 1 | -0/+6

* config: useless newline | Jason A. Donenfeld | 2017-01-12 | 1 | -2/+0

* Update copyright | Jason A. Donenfeld | 2017-01-10 | 1 | -1/+1

* uapi: use sockaddr union instead of sockaddr_storage | Jason A. Donenfeld | 2017-01-10 | 1 | -8/+5

* uapi: use flag instead of C bitfield for portability | Jason A. Donenfeld | 2017-01-10 | 1 | -6/+6

* cookies: use xchacha20poly1305 instead of chacha20poly1305 | Jason A. Donenfeld | 2016-12-23 | 1 | -4/+14
    This allows us to precompute the blake2s calls and save cycles, since hchacha is fast.

* config: allow removing multiple peers at once | Jason A. Donenfeld | 2016-12-23 | 1 | -1/+2

* config: cleanups | Jason A. Donenfeld | 2016-12-16 | 1 | -33/+19

* peer: don't use sockaddr_storage to reduce memory usage | Jason A. Donenfeld | 2016-12-13 | 1 | -3/+10

* global: move to consistent use of uN instead of uintN_t for kernel code | Jason A. Donenfeld | 2016-12-11 | 1 | -5/+5

* headers: cleanup notices | Jason A. Donenfeld | 2016-11-21 | 1 | -1/+1

* socket: keep track of src address in sending packets | Jason A. Donenfeld | 2016-11-15 | 1 | -4/+6

* socket: use dst_cache instead of handrolled cache | Jason A. Donenfeld | 2016-11-04 | 1 | -1/+1

* timers: take reference like a lookup table | Jason A. Donenfeld | 2016-11-03 | 1 | -8/+1

* Rework headers and includes | Jason A. Donenfeld | 2016-09-29 | 1 | -1/+0

* persistent-keepalive: change range to [1,65535] | Jason A. Donenfeld | 2016-08-08 | 1 | -7/+4

* timers: upstream removed the slack concept | Jason A. Donenfeld | 2016-07-23 | 1 | -5/+2
    No longer do we specify slack ourselves. Instead we need to add it directly in the main scheduling.

* timers: apply slack to hotpath timers | Jason A. Donenfeld | 2016-07-10 | 1 | -2/+5
    For timers in the hotpath, we don't want them to be rescheduled so aggressively, and since they don't need to be that precise, we can set a decent amount of slack. With the persistent keepalive timer, we have something of a special case. Since the timeout isn't fixed like the others, we don't want to make it more often than the kernel ordinarily would. So, instead, we make it a minimum.

* persistent keepalive: use unsigned long to avoid multiplication in hotpath | Jason A. Donenfeld | 2016-07-10 | 1 | -2/+2

* persistent keepalive: use authenticated keepalives | Jason A. Donenfeld | 2016-07-10 | 1 | -1/+1

* persistent keepalive: start sending immediately [tag: experimental-0.0.20160708.1] | Jason A. Donenfeld | 2016-07-08 | 1 | -1/+4
    Rather than only start sending the persistent keepalive packets when the device first sends data, this changes it to send the packets immediately on `ip link set up`. This makes things generally seem more stateless, since the administrator does not have to manually ping the endpoint. Of course, if you have a lot of peers and all of them have persistent keepalive enabled, this could cause a lot of unwanted immediate traffic. On the other hand, if all of those peers are at some point going to be sending packets, this would happen anyway. I suppose the moral of the story is that persistent keepalive is a feature really just for clients behind NAT, not for servers, and it should be used sparingly, which is why we've set it off by default in the first place.

* persistent keepalive: add kernel mechanism | Jason A. Donenfeld | 2016-07-08 | 1 | -0/+8

* Initial commit | Jason A. Donenfeld | 2016-06-25 | 1 | -0/+314