diff options
| -rwxr-xr-x | contrib/reresolve-dns/reresolve-dns.sh | 2 | ||||
| -rw-r--r-- | src/config.c | 2 | ||||
| -rw-r--r-- | src/config.h | 2 | ||||
| -rw-r--r-- | src/containers.h | 2 | ||||
| -rw-r--r-- | src/ctype.h | 2 | ||||
| -rw-r--r-- | src/curve25519.c | 2 | ||||
| -rw-r--r-- | src/curve25519.h | 2 | ||||
| -rw-r--r-- | src/encoding.c | 2 | ||||
| -rw-r--r-- | src/encoding.h | 2 | ||||
| -rw-r--r-- | src/genkey.c | 2 | ||||
| -rw-r--r-- | src/ipc-freebsd.h | 24 | ||||
| -rw-r--r-- | src/ipc-linux.h | 6 | ||||
| -rw-r--r-- | src/ipc.c | 2 | ||||
| -rw-r--r-- | src/ipc.h | 2 | ||||
| -rw-r--r-- | src/man/wg-quick.8 | 2 | ||||
| -rw-r--r-- | src/pubkey.c | 2 | ||||
| -rw-r--r-- | src/set.c | 2 | ||||
| -rw-r--r-- | src/setconf.c | 2 | ||||
| -rw-r--r-- | src/show.c | 8 | ||||
| -rw-r--r-- | src/showconf.c | 2 | ||||
| -rw-r--r-- | src/subcommands.h | 2 | ||||
| -rw-r--r-- | src/terminal.c | 2 | ||||
| -rw-r--r-- | src/terminal.h | 2 | ||||
| -rw-r--r-- | src/uapi/freebsd/dev/wg/if_wg.h (renamed from src/uapi/freebsd/dev/if_wg/if_wg.h) | 0 | ||||
| -rw-r--r-- | src/wg-quick/android.c | 2 | ||||
| -rwxr-xr-x | src/wg-quick/darwin.bash | 2 | ||||
| -rwxr-xr-x | src/wg-quick/freebsd.bash | 2 | ||||
| -rwxr-xr-x | src/wg-quick/linux.bash | 4 | ||||
| -rwxr-xr-x | src/wg-quick/openbsd.bash | 2 | ||||
| -rw-r--r-- | src/wg.c | 2 |
30 files changed, 54 insertions, 38 deletions
diff --git a/contrib/reresolve-dns/reresolve-dns.sh b/contrib/reresolve-dns/reresolve-dns.sh index fd38cd4..711c332 100755 --- a/contrib/reresolve-dns/reresolve-dns.sh +++ b/contrib/reresolve-dns/reresolve-dns.sh @@ -16,7 +16,7 @@ INTERFACE="${BASH_REMATCH[1]}" process_peer() { [[ $PEER_SECTION -ne 1 || -z $PUBLIC_KEY || -z $ENDPOINT ]] && return 0 [[ $(wg show "$INTERFACE" latest-handshakes) =~ ${PUBLIC_KEY//+/\\+}\ ([0-9]+) ]] || return 0 - (( ($(date +%s) - ${BASH_REMATCH[1]}) > 135 )) || return 0 + (( ($EPOCHSECONDS - ${BASH_REMATCH[1]}) > 135 )) || return 0 wg set "$INTERFACE" peer "$PUBLIC_KEY" endpoint "$ENDPOINT" reset_peer_section } diff --git a/src/config.c b/src/config.c index 211e887..81ccb47 100644 --- a/src/config.c +++ b/src/config.c @@ -1,4 +1,4 @@ -// SPDX-License-Identifier: GPL-2.0 +// SPDX-License-Identifier: GPL-2.0 OR MIT /* * Copyright (C) 2015-2020 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved. */ diff --git a/src/config.h b/src/config.h index c52b9ea..443cf21 100644 --- a/src/config.h +++ b/src/config.h @@ -1,4 +1,4 @@ -/* SPDX-License-Identifier: GPL-2.0 */ +/* SPDX-License-Identifier: GPL-2.0 OR MIT */ /* * Copyright (C) 2015-2020 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved. */ diff --git a/src/containers.h b/src/containers.h index fb5434f..a82e8dd 100644 --- a/src/containers.h +++ b/src/containers.h @@ -1,4 +1,4 @@ -/* SPDX-License-Identifier: GPL-2.0 */ +/* SPDX-License-Identifier: GPL-2.0 OR MIT */ /* * Copyright (C) 2015-2020 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved. */ diff --git a/src/ctype.h b/src/ctype.h index 98b2283..7c9942c 100644 --- a/src/ctype.h +++ b/src/ctype.h @@ -1,4 +1,4 @@ -/* SPDX-License-Identifier: GPL-2.0 */ +/* SPDX-License-Identifier: GPL-2.0 OR MIT */ /* * Copyright (C) 2015-2020 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved. * diff --git a/src/curve25519.c b/src/curve25519.c index 1739a9e..7121d1e 100644 --- a/src/curve25519.c +++ b/src/curve25519.c @@ -1,4 +1,4 @@ -// SPDX-License-Identifier: GPL-2.0 +// SPDX-License-Identifier: GPL-2.0 OR MIT /* * Copyright (C) 2018-2020 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved. */ diff --git a/src/curve25519.h b/src/curve25519.h index 1569824..b05432f 100644 --- a/src/curve25519.h +++ b/src/curve25519.h @@ -1,4 +1,4 @@ -/* SPDX-License-Identifier: GPL-2.0 */ +/* SPDX-License-Identifier: GPL-2.0 OR MIT */ /* * Copyright (C) 2015-2020 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved. */ diff --git a/src/encoding.c b/src/encoding.c index 2540e5b..9b2cda5 100644 --- a/src/encoding.c +++ b/src/encoding.c @@ -1,4 +1,4 @@ -// SPDX-License-Identifier: GPL-2.0 +// SPDX-License-Identifier: GPL-2.0 OR MIT /* * Copyright (C) 2015-2020 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved. * diff --git a/src/encoding.h b/src/encoding.h index 2d2c1e0..3cabe9c 100644 --- a/src/encoding.h +++ b/src/encoding.h @@ -1,4 +1,4 @@ -/* SPDX-License-Identifier: GPL-2.0 */ +/* SPDX-License-Identifier: GPL-2.0 OR MIT */ /* * Copyright (C) 2015-2020 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved. */ diff --git a/src/genkey.c b/src/genkey.c index 759a89d..0201b28 100644 --- a/src/genkey.c +++ b/src/genkey.c @@ -1,4 +1,4 @@ -// SPDX-License-Identifier: GPL-2.0 +// SPDX-License-Identifier: GPL-2.0 OR MIT /* * Copyright (C) 2015-2020 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved. */ diff --git a/src/ipc-freebsd.h b/src/ipc-freebsd.h index 2c10c10..fa74edd 100644 --- a/src/ipc-freebsd.h +++ b/src/ipc-freebsd.h @@ -4,9 +4,10 @@ * */ +#include <assert.h> #include <sys/nv.h> #include <sys/sockio.h> -#include <dev/if_wg/if_wg.h> +#include <dev/wg/if_wg.h> #define IPC_SUPPORTS_KERNEL_INTERFACE @@ -118,7 +119,7 @@ static int kernel_get_device(struct wgdevice **device, const char *ifname) goto skip_peers; for (i = 0; i < peer_count; ++i) { struct wgpeer *peer; - struct wgallowedip *aip; + struct wgallowedip *aip = NULL; const nvlist_t *const *nvl_aips; size_t aip_count, j; @@ -169,11 +170,13 @@ static int kernel_get_device(struct wgdevice **device, const char *ifname) if (!aip_count || !nvl_aips) goto skip_allowed_ips; for (j = 0; j < aip_count; ++j) { + if (!nvlist_exists_number(nvl_aips[j], "cidr")) + continue; + if (!nvlist_exists_binary(nvl_aips[j], "ipv4") && !nvlist_exists_binary(nvl_aips[j], "ipv6")) + continue; aip = calloc(1, sizeof(*aip)); if (!aip) goto err_allowed_ips; - if (!nvlist_exists_number(nvl_aips[j], "cidr")) - continue; number = nvlist_get_number(nvl_aips[j], "cidr"); if (nvlist_exists_binary(nvl_aips[j], "ipv4")) { binary = nvlist_get_binary(nvl_aips[j], "ipv4", &size); @@ -184,7 +187,8 @@ static int kernel_get_device(struct wgdevice **device, const char *ifname) aip->family = AF_INET; aip->cidr = number; memcpy(&aip->ip4, binary, sizeof(aip->ip4)); - } else if (nvlist_exists_binary(nvl_aips[j], "ipv6")) { + } else { + assert(nvlist_exists_binary(nvl_aips[j], "ipv6")); binary = nvlist_get_binary(nvl_aips[j], "ipv6", &size); if (!binary || number > 128) { ret = EINVAL; @@ -193,14 +197,14 @@ static int kernel_get_device(struct wgdevice **device, const char *ifname) aip->family = AF_INET6; aip->cidr = number; memcpy(&aip->ip6, binary, sizeof(aip->ip6)); - } else - continue; + } if (!peer->first_allowedip) peer->first_allowedip = aip; else peer->last_allowedip->next_allowedip = aip; peer->last_allowedip = aip; + aip = NULL; continue; err_allowed_ips: @@ -209,6 +213,9 @@ static int kernel_get_device(struct wgdevice **device, const char *ifname) free(aip); goto err_peer; } + + /* Nothing leaked, hopefully -- ownership transferred or aip freed. */ + assert(aip == NULL); skip_allowed_ips: if (!dev->first_peer) dev->first_peer = peer; @@ -322,6 +329,7 @@ static int kernel_set_device(struct wgdevice *dev) nvlist_destroy(nvl_aips[j]); free(nvl_aips); nvlist_destroy(nvl_peers[i]); + nvl_peers[i] = NULL; goto err; } if (i) { @@ -329,9 +337,11 @@ static int kernel_set_device(struct wgdevice *dev) for (i = 0; i < peer_count; ++i) nvlist_destroy(nvl_peers[i]); free(nvl_peers); + nvl_peers = NULL; } wgd.wgd_data = nvlist_pack(nvl_device, &wgd.wgd_size); nvlist_destroy(nvl_device); + nvl_device = NULL; if (!wgd.wgd_data) goto err; s = get_dgram_socket(); diff --git a/src/ipc-linux.h b/src/ipc-linux.h index 5883ffe..d29c0c5 100644 --- a/src/ipc-linux.h +++ b/src/ipc-linux.h @@ -479,6 +479,12 @@ static int kernel_get_device(struct wgdevice **device, const char *iface) struct nlmsghdr *nlh; struct mnlg_socket *nlg; + /* libmnl doesn't check the buffer size, so enforce that before using. */ + if (strlen(iface) >= IFNAMSIZ) { + errno = ENAMETOOLONG; + return -ENAMETOOLONG; + } + try_again: ret = 0; *device = calloc(1, sizeof(**device)); @@ -1,4 +1,4 @@ -// SPDX-License-Identifier: GPL-2.0 +// SPDX-License-Identifier: GPL-2.0 OR MIT /* * Copyright (C) 2015-2020 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved. */ @@ -1,4 +1,4 @@ -/* SPDX-License-Identifier: GPL-2.0 */ +/* SPDX-License-Identifier: GPL-2.0 OR MIT */ /* * Copyright (C) 2015-2020 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved. */ diff --git a/src/man/wg-quick.8 b/src/man/wg-quick.8 index b84eb64..bc9e145 100644 --- a/src/man/wg-quick.8 +++ b/src/man/wg-quick.8 @@ -168,7 +168,7 @@ sockets, which bypass Netfilter.) When IPv6 is in use, additional similar lines Or, perhaps it is desirable to store private keys in encrypted form, such as through use of .BR pass (1): - \fBPostUp = wg set %i private-key <(pass WireGuard/private-keys/%i)\fP + \fBPreUp = wg set %i private-key <(pass WireGuard/private-keys/%i)\fP .br For use on a server, the following is a more complicated example involving multiple peers: diff --git a/src/pubkey.c b/src/pubkey.c index b55c1fe..f191592 100644 --- a/src/pubkey.c +++ b/src/pubkey.c @@ -1,4 +1,4 @@ -// SPDX-License-Identifier: GPL-2.0 +// SPDX-License-Identifier: GPL-2.0 OR MIT /* * Copyright (C) 2015-2020 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved. */ @@ -1,4 +1,4 @@ -// SPDX-License-Identifier: GPL-2.0 +// SPDX-License-Identifier: GPL-2.0 OR MIT /* * Copyright (C) 2015-2020 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved. */ diff --git a/src/setconf.c b/src/setconf.c index bfd0a3a..1c5b138 100644 --- a/src/setconf.c +++ b/src/setconf.c @@ -1,4 +1,4 @@ -// SPDX-License-Identifier: GPL-2.0 +// SPDX-License-Identifier: GPL-2.0 OR MIT /* * Copyright (C) 2015-2020 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved. */ @@ -1,4 +1,4 @@ -// SPDX-License-Identifier: GPL-2.0 +// SPDX-License-Identifier: GPL-2.0 OR MIT /* * Copyright (C) 2015-2020 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved. */ @@ -27,7 +27,7 @@ static int peer_cmp(const void *first, const void *second) { time_t diff; - const struct wgpeer *a = *(const void **)first, *b = *(const void **)second; + const struct wgpeer *a = *(void *const *)first, *b = *(void *const *)second; if (!a->last_handshake_time.tv_sec && !a->last_handshake_time.tv_nsec && (b->last_handshake_time.tv_sec || b->last_handshake_time.tv_nsec)) return 1; @@ -312,9 +312,9 @@ static bool ugly_print(struct wgdevice *device, const char *param, bool with_int else printf("off\n"); } else if (!strcmp(param, "endpoints")) { - if (with_interface) - printf("%s\t", device->name); for_each_wgpeer(device, peer) { + if (with_interface) + printf("%s\t", device->name); printf("%s\t", key(peer->public_key)); if (peer->endpoint.addr.sa_family == AF_INET || peer->endpoint.addr.sa_family == AF_INET6) printf("%s\n", endpoint(&peer->endpoint.addr)); diff --git a/src/showconf.c b/src/showconf.c index 64f8b6e..62070dc 100644 --- a/src/showconf.c +++ b/src/showconf.c @@ -1,4 +1,4 @@ -// SPDX-License-Identifier: GPL-2.0 +// SPDX-License-Identifier: GPL-2.0 OR MIT /* * Copyright (C) 2015-2020 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved. */ diff --git a/src/subcommands.h b/src/subcommands.h index 7c4ed88..4308b5b 100644 --- a/src/subcommands.h +++ b/src/subcommands.h @@ -1,4 +1,4 @@ -/* SPDX-License-Identifier: GPL-2.0 */ +/* SPDX-License-Identifier: GPL-2.0 OR MIT */ /* * Copyright (C) 2015-2020 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved. */ diff --git a/src/terminal.c b/src/terminal.c index c10b9f1..d3e6611 100644 --- a/src/terminal.c +++ b/src/terminal.c @@ -1,4 +1,4 @@ -// SPDX-License-Identifier: GPL-2.0 +// SPDX-License-Identifier: GPL-2.0 OR MIT /* * Copyright (C) 2015-2020 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved. */ diff --git a/src/terminal.h b/src/terminal.h index 58697fa..50b1686 100644 --- a/src/terminal.h +++ b/src/terminal.h @@ -1,4 +1,4 @@ -/* SPDX-License-Identifier: GPL-2.0 */ +/* SPDX-License-Identifier: GPL-2.0 OR MIT */ /* * Copyright (C) 2015-2020 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved. */ diff --git a/src/uapi/freebsd/dev/if_wg/if_wg.h b/src/uapi/freebsd/dev/wg/if_wg.h index a4b3b13..a4b3b13 100644 --- a/src/uapi/freebsd/dev/if_wg/if_wg.h +++ b/src/uapi/freebsd/dev/wg/if_wg.h diff --git a/src/wg-quick/android.c b/src/wg-quick/android.c index a5a789a..1263ee4 100644 --- a/src/wg-quick/android.c +++ b/src/wg-quick/android.c @@ -855,7 +855,7 @@ static void set_dnses(unsigned int netid, const char *dnses) if (!len) return; - xregcomp(®ex_ipnothost, "^[a-zA-Z0-9_=+.-]{1,15}$", REG_EXTENDED | REG_NOSUB); + xregcomp(®ex_ipnothost, "(^[0-9.]+$)|(^.*:.*$)", REG_EXTENDED | REG_NOSUB); for (char *dns = strtok(mutable, ", \t\n"); dns; dns = strtok(NULL, ", \t\n")) { if (strchr(dns, '\'') || strchr(dns, '\\')) continue; diff --git a/src/wg-quick/darwin.bash b/src/wg-quick/darwin.bash index 8e46818..c938112 100755 --- a/src/wg-quick/darwin.bash +++ b/src/wg-quick/darwin.bash @@ -452,8 +452,8 @@ cmd_up() { local i get_real_interface && die "\`$INTERFACE' already exists as \`$REAL_INTERFACE'" trap 'del_if; del_routes; exit' INT TERM EXIT - execute_hooks "${PRE_UP[@]}" add_if + execute_hooks "${PRE_UP[@]}" set_config for i in "${ADDRESSES[@]}"; do add_addr "$i" diff --git a/src/wg-quick/freebsd.bash b/src/wg-quick/freebsd.bash index b529ab2..f72daf6 100755 --- a/src/wg-quick/freebsd.bash +++ b/src/wg-quick/freebsd.bash @@ -420,8 +420,8 @@ cmd_up() { local i [[ -z $(ifconfig "$INTERFACE" 2>/dev/null) ]] || die "\`$INTERFACE' already exists" trap 'del_if; del_routes; clean_temp; exit' INT TERM EXIT - execute_hooks "${PRE_UP[@]}" add_if + execute_hooks "${PRE_UP[@]}" set_config for i in "${ADDRESSES[@]}"; do add_addr "$i" diff --git a/src/wg-quick/linux.bash b/src/wg-quick/linux.bash index e4d4c4f..4193ce5 100755 --- a/src/wg-quick/linux.bash +++ b/src/wg-quick/linux.bash @@ -220,9 +220,9 @@ add_default() { fi local proto=-4 iptables=iptables pf=ip [[ $1 == *:* ]] && proto=-6 iptables=ip6tables pf=ip6 - cmd ip $proto route add "$1" dev "$INTERFACE" table $table cmd ip $proto rule add not fwmark $table table $table cmd ip $proto rule add table main suppress_prefixlength 0 + cmd ip $proto route add "$1" dev "$INTERFACE" table $table local marker="-m comment --comment \"wg-quick(8) rule for $INTERFACE\"" restore=$'*raw\n' nftable="wg-quick-$INTERFACE" nftcmd printf -v nftcmd '%sadd table %s %s\n' "$nftcmd" "$pf" "$nftable" @@ -327,8 +327,8 @@ cmd_up() { local i [[ -z $(ip link show dev "$INTERFACE" 2>/dev/null) ]] || die "\`$INTERFACE' already exists" trap 'del_if; exit' INT TERM EXIT - execute_hooks "${PRE_UP[@]}" add_if + execute_hooks "${PRE_UP[@]}" set_config for i in "${ADDRESSES[@]}"; do add_addr "$i" diff --git a/src/wg-quick/openbsd.bash b/src/wg-quick/openbsd.bash index 2adfe46..b58ecf5 100755 --- a/src/wg-quick/openbsd.bash +++ b/src/wg-quick/openbsd.bash @@ -417,8 +417,8 @@ cmd_up() { local i get_real_interface && die "\`$INTERFACE' already exists as \`$REAL_INTERFACE'" trap 'del_if; del_routes; exit' INT TERM EXIT - execute_hooks "${PRE_UP[@]}" add_if + execute_hooks "${PRE_UP[@]}" set_config for i in "${ADDRESSES[@]}"; do add_addr "$i" @@ -1,4 +1,4 @@ -// SPDX-License-Identifier: GPL-2.0 +// SPDX-License-Identifier: GPL-2.0 OR MIT /* * Copyright (C) 2015-2020 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved. */ |