| Commit message | Author | Age | Files | Lines |
|---|---|---|---|---|
| ... | | | | |
| ratelimiter: use IPv6 /64 instead of /96 | Jason A. Donenfeld | 2017-07-04 | 1 | -8/+8 |
| ratelimiter: use `kvzalloc` for hash table allocation | Jason A. Donenfeld | 2017-07-04 | 2 | -9/+41 |
| compat: workaround Ubuntu 16.10 kernel weirdness | Jason A. Donenfeld | 2017-07-03 | 1 | -0/+1 |
| compat: support OpenSUSE's backports | Jason A. Donenfeld | 2017-07-03 | 1 | -1/+6 |
| receive: cleanup error handlers | Jason A. Donenfeld | 2017-06-29 | 1 | -21/+23 |
| version: bump snapshot (0.0.20170629) | Jason A. Donenfeld | 2017-06-29 | 2 | -2/+2 |
| receive: pull IP header into head | Jason A. Donenfeld | 2017-06-29 | 1 | -0/+4 |
| receive: fix off-by-one in packet length checking. This caused certain packets to be rejected that shouldn't be rejected, in the case of certain scatter-gather ethernet drivers doing GRO pulling right up to the UDP bounds but not beyond. This caused certain TCP connections to fail. Thanks very much to Reuben for providing access to the machine to debug this regression. Reported-by: Reuben Martin <reuben.m@gmail.com> | Jason A. Donenfeld | 2017-06-29 | 1 | -1/+1 |
| tools: remove double include in ipc | Jason A. Donenfeld | 2017-06-29 | 1 | -1/+0 |
| version: bump snapshot (0.0.20170628) | Jason A. Donenfeld | 2017-06-28 | 2 | -2/+2 |
| compat: support Ubuntu 14.04 | Jason A. Donenfeld | 2017-06-28 | 1 | -4/+10 |
| compat: support EL7.3 | Jason A. Donenfeld | 2017-06-28 | 1 | -16/+21 |
| wg-quick: use `printf -v` instead of namerefs for bash 4.2. I'm not happy about this. | Jason A. Donenfeld | 2017-06-28 | 1 | -3/+2 |
| compat: do not export symbols unnecessarily | Jason A. Donenfeld | 2017-06-28 | 4 | -34/+0 |
| global: cleanup IP header checking. This way is more correct and ensures we're within the skb head. | Jason A. Donenfeld | 2017-06-26 | 7 | -77/+46 |
| device: remove icmp conntrack hacks. This logic belongs upstream. | Jason A. Donenfeld | 2017-06-26 | 3 | -35/+37 |
| compat: clean up cruft | Jason A. Donenfeld | 2017-06-26 | 1 | -4/+2 |
| device: avoid double icmp send on routing loop | Jason A. Donenfeld | 2017-06-26 | 1 | -1/+0 |
| socket: use `ip_rt_put` instead of `dst_release` | Jason A. Donenfeld | 2017-06-26 | 1 | -2/+2 |
| socket: verify saddr belongs to interface. This helps "unstick" stuck source addresses, when changing routes dynamically. | Jason A. Donenfeld | 2017-06-26 | 2 | -1/+9 |
| ratelimiter: rewrite from scratch. This not only removes the dependency on x_tables, but it also gives us much better performance and memory usage. Now, systems are able to have millions of WireGuard interfaces, without having to worry about a thundering herd of garbage collection. | Jason A. Donenfeld | 2017-06-26 | 11 | -159/+179 |
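The two ratelimiter entries above (the from-scratch hash-table rewrite, and keying IPv6 sources on /64 rather than /96) describe a per-source token-bucket limiter. The following is an added userspace illustration of that design written for this page; it is not WireGuard's `ratelimiter.c`. The rate (20 packets/s, burst of 5), the table size, the in-place recycling rule and every name in it are assumptions made for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Policy assumed for this example: 20 packets/s sustained, bursts of 5. */
#define RL_PACKETS_PER_SECOND 20ULL
#define RL_PACKETS_BURSTABLE  5ULL
#define RL_TOKEN_NS   (1000000000ULL / RL_PACKETS_PER_SECOND) /* one token per 50 ms */
#define RL_BURST_NS   (RL_TOKEN_NS * RL_PACKETS_BURSTABLE)    /* bucket capacity */
#define RL_TABLE_SIZE 1024

/* Bucket key: the whole IPv4 address, or the /64 prefix of an IPv6 address.
 * Only uint8_t members, so no padding: memcmp/hashing the struct is well defined. */
struct rl_key {
    uint8_t family;   /* 4 or 6 */
    uint8_t bytes[8]; /* 4 bytes used for IPv4, 8 for IPv6 */
};

struct rl_entry {
    struct rl_key key;
    bool used;
    uint64_t last_ns;   /* time of the last refill */
    uint64_t tokens_ns; /* remaining budget, in nanoseconds of traffic */
};

struct ratelimiter {
    struct rl_entry table[RL_TABLE_SIZE]; /* open addressing, linear probing */
};

void rl_key_from_ipv4(struct rl_key *k, const uint8_t addr[4])
{
    memset(k, 0, sizeof(*k));
    k->family = 4;
    memcpy(k->bytes, addr, 4);
}

/* A host normally owns an entire /64, so keying on a longer prefix would let
 * it escape the limiter just by rotating the low 64 bits of its address. */
void rl_key_from_ipv6(struct rl_key *k, const uint8_t addr[16])
{
    memset(k, 0, sizeof(*k));
    k->family = 6;
    memcpy(k->bytes, addr, 8);
}

static uint64_t rl_hash(const struct rl_key *k)
{
    const uint8_t *p = (const uint8_t *)k;
    uint64_t h = 1469598103934665603ULL; /* FNV-1a */
    for (size_t i = 0; i < sizeof(*k); ++i)
        h = (h ^ p[i]) * 1099511628211ULL;
    return h;
}

/* Find the entry for k, or claim one. An entry idle for a full refill period has
 * a full bucket again, indistinguishable from a fresh entry, so it is recycled in
 * place rather than by a separate garbage-collection pass. Entries are never
 * marked unused, so probe chains stay intact. */
static struct rl_entry *rl_lookup(struct ratelimiter *rl, const struct rl_key *k,
                                  uint64_t now_ns)
{
    size_t start = (size_t)(rl_hash(k) % RL_TABLE_SIZE);
    struct rl_entry *victim = NULL;

    for (size_t i = 0; i < RL_TABLE_SIZE; ++i) {
        struct rl_entry *e = &rl->table[(start + i) % RL_TABLE_SIZE];
        if (!e->used) {
            if (!victim)
                victim = e;
            break; /* end of the probe chain: k is not present */
        }
        if (memcmp(&e->key, k, sizeof(*k)) == 0)
            return e;
        if (!victim && now_ns - e->last_ns >= RL_BURST_NS)
            victim = e;
    }
    if (!victim)
        return NULL; /* table saturated with active sources */
    victim->used = true;
    victim->key = *k;
    victim->last_ns = now_ns;
    victim->tokens_ns = RL_BURST_NS;
    return victim;
}

/* Decide whether a packet from key k may be processed at time now_ns (a
 * monotonic, non-decreasing clock). A saturated table fails closed. */
bool rl_allow(struct ratelimiter *rl, const struct rl_key *k, uint64_t now_ns)
{
    struct rl_entry *e = rl_lookup(rl, k, now_ns);
    if (!e)
        return false;
    uint64_t refilled = e->tokens_ns + (now_ns - e->last_ns);
    e->tokens_ns = refilled > RL_BURST_NS ? RL_BURST_NS : refilled;
    e->last_ns = now_ns;
    if (e->tokens_ns < RL_TOKEN_NS)
        return false;
    e->tokens_ns -= RL_TOKEN_NS;
    return true;
}
```

Two addresses that differ only in their interface identifier (the low 64 bits) map to the same `rl_key`, so once one of them has drained the bucket the other is dropped too; a different /64 or an IPv4 source gets its own bucket. The clock is passed in rather than read inside, which keeps the decision deterministic and testable.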
| Commit message | Author | Age | Files | Lines |
|---|---|---|---|---|
| curve25519: keep certain sandy2x functions in C. We can let the compiler optimize how it sees fit. | Jason A. Donenfeld | 2017-06-25 | 2 | -232/+84 |
| curve25519: satisfy sparse and use short types | Jason A. Donenfeld | 2017-06-24 | 1 | -26/+26 |
| receive: extend rate limiting to 1 second after under load detection | Jason A. Donenfeld | 2017-06-24 | 1 | -0/+5 |
| device: only use one sleep notifier. This greatly improves performance when adding and removing interfaces, since the power registration function does a linear search each time. | Jason A. Donenfeld | 2017-06-24 | 2 | -23/+27 |
| device: netdevice destruction logic change for 4.12 | Jason A. Donenfeld | 2017-06-24 | 1 | -4/+13 |
| wg-quick: properly match IPv6 endpoint | Jason A. Donenfeld | 2017-06-24 | 1 | -1/+1 |
| selftest: remove antique siphash self test | Jason A. Donenfeld | 2017-06-24 | 1 | -89/+0 |
| main: annotate init/exit functions to save memory | Jason A. Donenfeld | 2017-06-24 | 11 | -39/+39 |
| version: bump snapshot (0.0.20170613) | Jason A. Donenfeld | 2017-06-13 | 2 | -2/+2 |
| tools: use proper `__linux__` ifdef | Jason A. Donenfeld | 2017-06-12 | 1 | -1/+1 |
| random: wait for random bytes when generating nonces and ephemerals. We can let userspace configure wireguard interfaces before the RNG is fully initialized, since what we mostly care about is having good randomness for ephemerals and xchacha nonces. By deferring the wait to actually asking for the randomness, we give a lot more opportunity for gathering entropy. This won't cover entropy for hash table secrets or cookie secrets (which rotate anyway), but those have far less catastrophic failure modes, so ensuring good randomness for elliptic curve points and nonces should be sufficient. | Jason A. Donenfeld | 2017-06-12 | 4 | -7/+12 |
| version: bump snapshot (0.0.20170612) | Jason A. Donenfeld | 2017-06-12 | 2 | -2/+2 |
| wg-quick: match ipv6 default route more broadly | Jason A. Donenfeld | 2017-06-12 | 1 | -1/+1 |
| wg-quick: make sure we have empty table for both v6 and v4. Otherwise, we wind up not doing the right thing in the v6-only case, or doing something totally borked when v4 and v6 are filled unevenly. Reported-by: Roelf Wichertjes <contact@roelf.org> | Jason A. Donenfeld | 2017-06-11 | 1 | -1/+3 |
| config: ensure the RNG is initialized before setting. It's possible that `get_random_bytes()` will return bad randomness if it hasn't been seeded. This patch makes configuration block until the RNG is properly initialized. Reference: http://www.openwall.com/lists/kernel-hardening/2017/06/02/2 | Jason A. Donenfeld | 2017-06-08 | 2 | -0/+48 |
| noise: fix race when replacing handshake. Replacing an entry that's already been replaced is something that could happen when processing handshake messages in parallel, when starting up multiple instances on the same machine. Reported-by: Hubert Goisern <zweizweizwoelf@gmail.com> | Jason A. Donenfeld | 2017-06-08 | 3 | -11/+24 |
| peer: explicitly initialize atomic | Jason A. Donenfeld | 2017-06-05 | 1 | -0/+3 |
| compat: remove padata hotplug code. It's different on different kernel versions, and we're not using it anyway, so it's easiest to just get rid of it, rather than having another ifdef maze. | Jason A. Donenfeld | 2017-06-01 | 1 | -149/+0 |
| curve25519: use more standard label convention in asm | Jason A. Donenfeld | 2017-06-01 | 2 | -24/+24 |
| device: do-while assignment style | Jason A. Donenfeld | 2017-06-01 | 1 | -1/+1 |
| receive: trim incoming packets to IP header length | Jason A. Donenfeld | 2017-06-01 | 3 | -2/+17 |
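Several entries in this log concern the same receive-path check: pulling the IP header into the skb head, the header-checking cleanup that "ensures we're within the skb head", the off-by-one in packet length checking, and trimming incoming packets to the IP header length. The function below is an added userspace illustration of that check, written for this page and not taken from WireGuard's receive code. It works on a contiguous buffer, which stands in for the kernel precondition that the header bytes are in the linear head (normally established with `pskb_may_pull()`); `ip_header_check`, `be16` and the sample packets are constructed here. The commit says the regression dropped packets that ended exactly at the UDP bounds; the comment in the code describes that class of bug, not the exact expression that was fixed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define IPV4_MIN_HDR 20u
#define IPV6_HDR     40u

/* IP headers are big-endian; read a 16-bit field without alignment assumptions. */
static uint16_t be16(const uint8_t *p)
{
    return (uint16_t)((p[0] << 8) | p[1]);
}

/*
 * Sanity-check the IP header at the start of buf, which holds len bytes of
 * contiguous packet data. Returns 4 or 6 if the packet may be processed and 0
 * if it should be dropped. On success *trimmed is the length the packet should
 * be cut to, i.e. the IP total length: link layers pad short frames, so len
 * may legitimately exceed it.
 *
 * Each bound is "at least N bytes are present", so a packet of exactly N bytes
 * passes. Writing `len <= N` instead of `len < N` is the off-by-one class of
 * bug that drops a packet ending exactly at the transport boundary.
 */
int ip_header_check(const uint8_t *buf, size_t len, size_t *trimmed)
{
    if (len < 1)
        return 0;
    switch (buf[0] >> 4) {
    case 4: {
        if (len < IPV4_MIN_HDR)
            return 0;
        size_t ihl = (size_t)(buf[0] & 0x0f) * 4; /* header length incl. options */
        size_t total = be16(buf + 2);               /* total length field */
        if (ihl < IPV4_MIN_HDR || total < ihl || total > len)
            return 0;
        *trimmed = total;
        return 4;
    }
    case 6: {
        if (len < IPV6_HDR)
            return 0;
        size_t total = IPV6_HDR + be16(buf + 4);    /* fixed header + payload length */
        if (total > len)
            return 0;
        *trimmed = total;
        return 6;
    }
    default:
        return 0;                                   /* not an IP packet */
    }
}

int main(void)
{
    /* Constructed sample: IPv4 without options, total length 28 (20-byte header
     * plus an 8-byte UDP header), delivered in a 60-byte link-layer-padded frame. */
    uint8_t v4[60] = {0x45, 0x00, 0x00, 0x1c, 0, 0, 0, 0, 64, 17, 0, 0,
                      10, 0, 0, 1, 10, 0, 0, 2};
    /* Constructed sample: IPv6 claiming an 8-byte payload but only 40 bytes long. */
    uint8_t v6_short[40] = {0x60, 0, 0, 0, 0x00, 0x08, 17, 64};
    size_t keep = 0;

    printf("v4 in 60 bytes:     %d, trim to %zu\n", ip_header_check(v4, 60, &keep), keep);
    printf("v4 in 28 bytes:     %d (exact size must pass)\n", ip_header_check(v4, 28, &keep));
    printf("v4 in 27 bytes:     %d\n", ip_header_check(v4, 27, &keep));
    printf("v6 short by 8:      %d\n", ip_header_check(v6_short, 40, &keep));
    return 0;
}
```

The version nibble is read before anything else, so a one-byte buffer never triggers a read past its end; every later field is only read once the corresponding minimum header size has been confirmed.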
| Commit message | Author | Age | Files | Lines |
|---|---|---|---|---|
| timers: queue up killing ephemerals only if not already | Jason A. Donenfeld | 2017-05-31 | 1 | -1/+1 |
| config: add new line for style | Jason A. Donenfeld | 2017-05-31 | 1 | -0/+1 |
| version: bump snapshot (0.0.20170531) | Jason A. Donenfeld | 2017-05-31 | 2 | -2/+2 |
| timers: reset retry-attempt counter when not retrying | Jason A. Donenfeld | 2017-05-31 | 4 | -7/+10 |
| timers: the completion of a handshake also is on key confirmation | Jason A. Donenfeld | 2017-05-31 | 2 | -2/+3 |
| timers: rework handshake reply control flow | Jason A. Donenfeld | 2017-05-31 | 1 | -9/+8 |
| debug: print interface name in dmesg | Jason A. Donenfeld | 2017-05-31 | 11 | -50/+52 |
| compat: remove warning for < 4.1. It still is sort of experimental, I suppose, especially this part in the udp_tunnel drop-in: `skb_orphan(skb); sk_mem_reclaim(sk);` It seems like sometimes this won't do what we want, but it's hard to diagnose exactly what's happening. In any case, nobody paid attention to that warning anyway, so let's just get rid of it. | Jason A. Donenfeld | 2017-05-31 | 1 | -2/+0 |