Changelog for wireguard-tools-0.0.20170613-1.1.x86_64.rpm:
Sun Jun 18 14:00:00 2017 mardnhAATTgmx.de
- Update to version 0.0.20170613
Apologies for such a quick bump after yesterday's. Ivan Kozik noticed
that on systems with very little entropy in the RNG, systems would hang
when WireGuard interface configuration was a blocking item in the boot
sequence.
The previous snapshot added some checks to ensure that ephemeral keys and
nonces are not generated dangerously before the RNG has enough entropy. It
did this by simply making interface configuration block the caller until
it was ready. However, doing this while holding rtnl_lock() meant that it
would also block the configuration of other interfaces. This in turn meant
that everything would come to a halt, and enough entropy would only be
generated after many minutes, which could exceed particular udevd timeouts.
The solution is to move the waiting for entropy to be at exactly the moment
when entropy is needed: immediately before generating an ephemeral key or a
nonce. After quite a bit of testing, this works very well. A WireGuard
interface can be fully configured as early as possible in the boot sequence,
but it will only ever complete a handshake sometime later, after it has
gathered enough entropy. Since nothing except handshake processing itself is
blocked, the rest of the system is freed up to go gather lots of entropy from
its usual sources.
This is a continuation of the work begun on the upstream Linux kernel,
described in this LWN article:
https://lwn.net/SubscriberLink/724643/6a0cd411eefcce75/
Because this could be something of a large annoyance, I'm releasing this
quick patch a day after the previous snapshot.
- Update to version 0.0.20170612
* timers: queue up killing ephemerals only if not already
We fix up a small detail in the timer logic that changed during the last
snapshot.
* receive: trim incoming packets to IP header length
Packets are now trimmed to their actual length, not their length+padding,
before handing to the rest of the network subsystem, so that packets look
pretty in tcpdump. This doesn't actually affect what userspace sees, since the
kernel trims it at a later stage, but it does make pcaps a bit nicer to use.
* curve25519: use more standard label convention in asm
This ensures that perf(1) shows the function name instead of the label name.
* compat: remove padata hotplug code
Fixes building on kernels that have HOTPLUG enabled but no PADATA support.
* config: add new line for style
* device: do-while assignment style
* peer: explicitly initialize atomic
Style.
* noise: fix race when replacing handshake
Handle a situation in which three peers, all running on the same system, begin
a handshake with all three of each other, at exactly the same time, on a
multi-CPU system.
* config: ensure the RNG is initialized before setting
* compat: use sys_getrandom instead of add_random_ready_callback
We've been working with upstream to add a new API to the kernel for ensuring
that the RNG actually is seeded. Until they merge it for 4.13, we provide a
poly-fill to the compat code. This means that WireGuard will block during
configuration until the RNG has enough entropy, so that it's never in a
circumstance in which ephemeral keys are generated from bad randomness.
* go test: properly pad message
* go test: correct tai64n and formatting
* external-tests: add keepalive packet
* go test: use x/crypto for blake2s now that we have 128-bit mac
* external-tests: trim the fat
Improvements for the external tests.
* wg-quick: make sure we have empty table for both v6 and v4
* wg-quick: match ipv6 default route more broadly
Tiny nits with wg-quick, one of which should now allow multiple v6-only
wg-quick instances running at the same time.
Wed May 31 14:00:00 2017 mardnhAATTgmx.de
- update to version 0.0.20170517
This rather large snapshot touches quite a few sensitive areas, so I'm
releasing it now rather than later to receive feedback on any possible issues.
It also contains fixes, so everybody should upgrade.
* man: fix psk mention in wg-quick man page
* man: update wg-quick(8) to show Debian resolvconf braindamage
Documentation cleanups.
* wg-quick: use src routing for default routes in v6
ip-rule(8) doesn't do the right thing with source addresses, unless we
explicitly set it inside the route. This fixes wg-quick on IPv6 systems.
* curve25519: actually, do some things on heap sometimes
* curve25519: align the basepoint to 32 bytes
* curve25519: add NEON versions for ARM
* data: enable BH during parallel crypto on ARM/NEON
* chacha20poly1305: move constants to rodata
* chacha20poly1305: add NEON versions for ARM and ARM64
We now have faster primitives on ARM and ARM64 processors, which should
improve performance.
* handshake: process in parallel
Handshakes are now processed in parallel using all cores, which should improve
throughput during a storm.
* noise: no need to store ephemeral public key
* noise: precompute static-static ECDH operation
We can precompute the ECDH(s, s) calculation, which improves handshake
initiation message performance by double.
* style: spaces after for loops
* peer: use iterator macro instead of callback
The most unreadable C ever produced. It might be wise to find a sexier-looking
alternative at some point.
* compat: remove warning for < 4.1
* compat: ship padata if kernel doesn't have it
The usual array of annoying compat things.
* rust test: convert screech test to snow
* rust test: add icmp ping
We now use Jake's snow library for Noise in the test, which we've expanded to
complete a ping.
* config: do not error out when getting if no peers
* tools: allow creating device with no peers
Fixing some small things in the tool/config interaction.
* device: keep going when share_check fails
* routingtable: remove unnecessary check in node_placement()
* config: it's faster to memcpy than strncpy
* timers: fix typo in comment
Nits.
* debug: print interface name in dmesg
For those who compile with `make debug`, you'll be happy to see a bit better
information in dmesg.
* timers: rework handshake reply control flow
* timers: the completion of a handshake also is on key confirmation
* timers: reset retry-attempt counter when not retrying
Tightening up our timer implementation, which is quite important.
Wed May 17 14:00:00 2017 mardnhAATTgmx.de
- update to version 0.0.20170517
This is a substantial release, containing lots of changes and
fixes over last four weeks, including a major protocol improvement.
Since this is a lot of churn, I imagine there will be a considerable
amount of feedback, resulting in a new snapshot not too long after
this one.
* compat: use existing iptunnel_xmit function for stats
* compat: ssse3 support
* compat: work around ubnt offloading
* compat: use real crypto_memneq
* compat: remember to call iptunnel_xmit_stats
We've made quite a few improvements to our compat layer, which
should add support to more platforms.
* tools: retry name resolution on temporary failure
If you're using wg(8) in an init script, you'll be happy about
this. If DNS resolution fails, we'll keep trying for a little
while before eventually giving up. This should allow for a looser
init service ordering, for those who like to use tunnels with DNS
endpoints.
* tools: wg-quick: auto MTU discovery
The wg-quick utility now makes a conservative guesstimate on the
correct MTU, if you don't explicitly specify it yourself with the
new MTU= directive.
* chacha20poly1305: implement vectorized hchacha20
Our implementation of HChaCha20 is now optimized via SSSE3, which should
improve cookie encryption and decryption speed, which uses XChaCha20.
* qemu: new packages and better debugging
* qemu: new location for test kernels
* Kbuild: optimize debug builds too
The usual set of improvements to our testing and debugging facilities.
* jerry-rig: symlinks are better for tree patching
The jerry-rig script now uses symlinks, which should improve its
compatibility in more odd environments.
* tools: stricter key file reading
The wg(8) utility is now a bit stricter on garbage at the end of
key files.
* tests: check for stats counter increases
The test suite checks to see whether the interface stats are actually
being incremented.
* tools: check for proto error on set too
* tools: opt-in globally to GNU-isms to keep the BSDs happy
General improvements.
* noise: redesign preshared key mode
Preshared keys are now local to each peer rather than to each interface. This
allows different peers to have different preshared keys, which improves the
compromise model. This has been joint work with Trevor Perrin's Noise project,
and today revision 32 [1] has been published, which adds the handshake pattern
used by WireGuard -- IKpsk2. This is a protocol change -- an accepted
potentiality of a still experimental project -- and as such all peers will
need to be updated to this latest snapshot. The wg(8) utility has been
updated to account for the change of preshared-key being attached to the
interface to now being attached to each peer. The WireGuard paper [2],
protocol webpage [3], and Tamarin model all have been updated accordingly.
* tools: support text-based ipc
As discussed on the mailing list, the wg(8) tool now talks to userspace
WireGuard implementations using a text-based format [4] over a UNIX socket that
has been designed to be exceedingly easy to parse in all languages. The wg(8)
tool now runs fine on FreeBSD. [5]
Sat Apr 22 14:00:00 2017 mardnhAATTgmx.de
- update to version 0.0.20170421
* tools: check for malloc failure
* tools: argc is always 1
* tools: no hyphen in preshared, to keep uniformity
* device: use rcu_barrier_bh
* cookie: move the bangs
* config: don't allow no-privatekey to mask preshared
* receive: netif_rx consumes
General bug fixes.
* qemu: work on ARM64
* netns: cleanup and add diagram
Our QEMU test suite now works on ARM64.
* tools: side channel resistant base64
Our implementation of base64 in wg(8) no longer uses the
system base64 and instead uses a handrolled constant time
implementation, in order to avoid timing side-channel attacks
on private key data.
* compat: work on old 3.10
Supporting ancient 3.10 allows us to run on the Ubiquiti
EdgeRouter. There's now a package for this:
https://community.ubnt.com/t5/EdgeMAX/Release-WireGuard-for-EdgeRouter/td-p/1904764
* routingtable: rewrite core functions
The routing table has had some core utilities rewritten, bugs
fixed, and the test suite greatly expanded, complete with a
randomized comparison against a slow reference implementation
and a graphviz output option, which produced these amazing PDFs:
https://data.zx2c4.com/trie_v4.pdf
https://data.zx2c4.com/trie_v6.pdf
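As an added illustration of the side-channel-resistant base64 decoding mentioned in the entry above (this is example code written for this page, not the implementation in wireguard-tools): each character is mapped to its value with arithmetic range checks rather than a lookup table or per-character branching, so neither the memory accesses nor the control flow depend on the key bits. The decoder also applies the strict shape checks that the "stricter key file reading" item of the 0.0.20170517 entry alludes to: exactly 44 characters, a trailing '=', zero padding bits and no stray characters. The test vector is constructed (bytes 0x00 through 0x1f), and the reliance on arithmetic right shift of a negative int is an assumption about the compiler.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define KEY_LEN 32
#define KEY_B64_LEN 44   /* 32 bytes -> 43 base64 characters + one '=' pad */
#define SIGN_BIT (sizeof(unsigned int) * 8 - 1)

/* Value of one base64 character, or -1 if it is not a base64 character.
 * No table lookup and no data-dependent branch: each range test yields an
 * all-ones mask (arithmetic right shift of a negative int; assumed, as on all
 * mainstream compilers) exactly when c lies in that range, and then
 * contributes that range's offset. c must be 0..255 so every intermediate
 * value stays within one byte of magnitude. */
int b64_char_value(int c)
{
	int upper = (('A' - 1 - c) & (c - ('Z' + 1))) >> 8;
	int lower = (('a' - 1 - c) & (c - ('z' + 1))) >> 8;
	int digit = (('0' - 1 - c) & (c - ('9' + 1))) >> 8;
	int plus  = (('+' - 1 - c) & (c - ('+' + 1))) >> 8;
	int slash = (('/' - 1 - c) & (c - ('/' + 1))) >> 8;

	return -1 + (upper & (c - 'A' + 1))
	          + (lower & (c - 'a' + 27))
	          + (digit & (c - '0' + 53))
	          + (plus & 63)
	          + (slash & 64);
}

/* Decode a 44-character base64 key into 32 bytes. Returns 1 on success, 0 on
 * malformed input. Only the length and the trailing '=' are checked with
 * branches (they reveal the shape of the input, not key bits); character
 * validity is accumulated arithmetically, so every 44-character input takes
 * the same path through the loop. Non-canonical encodings (non-zero padding
 * bits in the last character) are rejected, as are stray characters. */
int key_from_base64(uint8_t key[KEY_LEN], const char *b64)
{
	unsigned int invalid = 0, val;
	size_t i;
	int a, b, c, d;

	if (strlen(b64) != KEY_B64_LEN || b64[KEY_B64_LEN - 1] != '=')
		return 0;

	for (i = 0; i < KEY_LEN / 3; ++i) {            /* 10 full groups -> 30 bytes */
		a = b64_char_value((unsigned char)b64[i * 4 + 0]);
		b = b64_char_value((unsigned char)b64[i * 4 + 1]);
		c = b64_char_value((unsigned char)b64[i * 4 + 2]);
		d = b64_char_value((unsigned char)b64[i * 4 + 3]);
		invalid |= (unsigned int)(a | b | c | d) >> SIGN_BIT; /* any -1 sets the flag */
		val = ((unsigned int)a & 63) << 18 | ((unsigned int)b & 63) << 12
		    | ((unsigned int)c & 63) << 6  | ((unsigned int)d & 63);
		key[i * 3 + 0] = (uint8_t)(val >> 16);
		key[i * 3 + 1] = (uint8_t)(val >> 8);
		key[i * 3 + 2] = (uint8_t)val;
	}
	/* Final group: three characters carry the last 16 bits plus 2 pad bits. */
	a = b64_char_value((unsigned char)b64[40]);
	b = b64_char_value((unsigned char)b64[41]);
	c = b64_char_value((unsigned char)b64[42]);
	invalid |= (unsigned int)(a | b | c) >> SIGN_BIT;
	val = ((unsigned int)a & 63) << 12 | ((unsigned int)b & 63) << 6 | ((unsigned int)c & 63);
	invalid |= val & 3;                             /* pad bits must be zero */
	key[30] = (uint8_t)(val >> 10);
	key[31] = (uint8_t)(val >> 2);

	return invalid == 0;
}

/* Returns the decoded byte at idx, or -1 if the key string does not decode. */
int decoded_key_byte(const char *b64, size_t idx)
{
	uint8_t key[KEY_LEN];
	if (idx >= KEY_LEN || !key_from_base64(key, b64))
		return -1;
	return key[idx];
}

int main(void)
{
	/* Constructed test vector: the bytes 0x00, 0x01, ..., 0x1f. */
	const char *good = "AAECAwQFBgcICQoLDA0ODxAREhMUFRYXGBkaGxwdHh8=";
	uint8_t key[KEY_LEN];
	size_t i;

	if (!key_from_base64(key, good))
		return 1;
	for (i = 0; i < KEY_LEN; ++i)
		printf("%02x", key[i]);
	printf("\n");
	return 0;
}
```

The two branches at the top of key_from_base64 depend only on the length of the string and its last character, which is the same for every valid key; everything that depends on the key material itself is straight-line arithmetic.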
Sun Apr 9 14:00:00 2017 mardnhAATTgmx.de
- update to version 0.0.20170409
* compat: allow create-patch to work on debian-based builds
* main: add /sys/module/wireguard/version
* tools: do not use addrconfig with port in gai
* config: do not allow peers with public keys the same as the interface
* curve25519: protect against potential invalid point attacks
* chacha20poly1305: enforce authtag checking with compiler
While Noise is resilient to invalid point attacks, it's still better to check
explicitly for NULLs from 25519. While we're at it, we make the compile warn
if we don't check the return value of sensitive crypto functions.
* locking: always use _bh
* chacha20poly1305: check return values of sgops
* data: simplify flow
* data: cleanup parallel workqueue and use two max_active
* data: alloca is actually as dangerous as they say
These should improve stability in certain cases, though this involved
some potentially big rewrites, so I'll keep an eye on incoming bug
reports.
* compat: support 3.16
* compat: support 3.14
* compat: support 3.12
* compat: support 3.10
* compat: careful with destructors
* compat: warn on < 4.1
We now experimentally support kernels going back to 3.10. This means
that WireGuard should run on nearly all Android devices, the Ubiquiti
EdgeRouter, and probably most other random Linux devices that you can
find. I'm looking forward to seeing the community pick up the work
producing pre-compiled modules for various things.
Fri Mar 24 13:00:00 2017 mardnhAATTgmx.de
- update to version 0.0.20170324
* curve25519: 128-bit integer != x86_64
This will fix build problems on AArch64.
* tools: document # comments in wg(8) man page
* socket: avoid deadlock on port retry
Fixes systems under port exhaustion.
* wg-quick: various cleanups
* uapi: add version magic
While the problem will go away entirely when we switch (back) to
Netlink, for now it's nice to warn users when wg(8) is out of sync
with the module, so we do this by adding a version field.
Mon Mar 20 13:00:00 2017 mardnhAATTgmx.de
- update to 0.0.20170320.1
This is a critical same-day re-release for a bug affecting Sandy
Bridge systems. All packagers who updated to 20170320 should update
to this snapshot.
Mon Mar 20 13:00:00 2017 mardnhAATTgmx.de
- update to version 0.0.20170320
* device: 4.11 uses cnf for addr_gen_mode
* receive: last_rx use is discouraged and removed in recent kernels
* data: transition to skb_reset_tc for 4.11
This snapshot now should work with 4.11.
* create-patch: add context below to work with busybox patch
It turns out that busybox has a patch that doesn't do fuzzy matching.
* device: move sysctl toggling to open time
* compat: use maybe_unused macro over gcc-specific
* timers: elide enable check
* config: satisfy sparse
Cleanups.
* hashtables: get_random_int is now more secure, so expose directly
* cookie: no need to hash rng
We're trusting the Linux RNG to not be backdoored!
* tools: wg-quick: support old ip(8)
This should allow wg-quick usage with Ubuntu 16.04.
* data: big refactoring
A rather invasive refactoring that may bring bugs with it. Please report
strange behavior from this release, if any.
* blake2s: add AVX implementation
* curve25519: add AVX implementation
Mon Feb 27 13:00:00 2017 mardnhAATTgmx.de
- update to version 0.0.20170223
* device: disable ICMP redirects
We now no longer send ICMP redirect messages when forwarding packets between
two WireGuard peers on the same interface.
* socket: do not try to create v6 socket when disabled
This allows WireGuard to work on systems booted with ipv6.disable=1.
* wg-quick: allow config files without trailing newline
* tools: give "off" value for fwmark
* tools: fix bash completion spaces
* tools: add wg show [interface] dump
The wg(8) command learns a new way of dumping information, which should be a
boost for script writers.
* contrib: add wg-json utility
Using the aforementioned new dump command, it's trivial to transform into JSON
using a bash script, so this is provided as an example.
* extract-keys: respect compat directives
The extract-keys helper now builds with the new compat system, which should
enable wireshark dissectors and such to work.
Tue Feb 14 13:00:00 2017 mardnhAATTgmx.de
- update to version 0.0.20170214
* wg-quick: unquote fwmark for bash 4.3
Tue Feb 14 13:00:00 2017 mardnhAATTgmx.de
- update to version 0.0.20170213
* curve25519: do everything on the stack
Now that OpenWRT ships the MIPS SoftIRQ stack patch, and it's also made it
upstream, we no longer need to do the mallocing, which should improve
performance.
* tools: man: recommend correct port
Before, we used 41414 in the documentation, whereas we should be suggesting the
use of 51820.
* tools: wg-quick: recommend using resolvconf in exclusive mode
-x prevents DNS leakage.
* timers: use setup_timer macro helper
* timers: use simpler uninit sync technique
Simplifies code a bit.
* socket: synchronize net on socket tear down
* device: shorter workqueue names to fit in ps
* main: add `wg` type alias
* socket: general ephemeral ports instead of name-based ports
If no port is specified, a port is selected ephemerally, instead of trying to
be overly clever with the interface name.
* socket: enable setting of fwmark
This is a nice new feature which enables policy-based routing on fwmarks, used
by Android and wg-quick.
* tools: setconf should remove existing psk
* tools: remove key for any empty file
* tools: wg-quick: support v6 dual stack
* tools: wg-quick: set LC_ALL for consistent regex
* Kconfig: can be a module
* create-patch: be sure it's actually after NETFILTER
* compat: backport siphash & dst_cache from mainline
Since siphash is upstream now, we use the mainline implementation. While we're
at it with reorganizing compat, we also backport dst_cache, so older kernels
can benefit from it.
Sun Jan 15 13:00:00 2017 mardnhAATTgmx.de
- update to version 0.0.20170115
* tools: wg-quick: enforce good permissions
* tools: wg-quick: parse IPv6 endpoints correctly
* tools: wg-quick: better removal of suppress_prefix rule
The former is good practice, in the likes of SSH's warnings. The
latter two are bug fixes.
* tools: error on short ret reads
* tools: ipc: read from socket incrementally
* uapi: add missing userspace headers
* uapi: use flag instead of C bitfield for portability
* uapi: use sockaddr union instead of sockaddr_storage
This makes the UAPI a bit more portable across languages, which assists
with the Go implementation efforts.
* config: useless newline
* Use __read_mostly attribute when possible
General code quality improvements.
* ratelimiter: 800ms too fast, decrease to 2s sustained rate
There's no need to allow 800ms handshakes, when there's already bursting
and when more than 1 every 5 seconds is already too much, when under DoS.
Thu Jan 5 13:00:00 2017 mardnhAATTgmx.de
- install wg-quick
Thu Jan 5 13:00:00 2017 mardnhAATTgmx.de
- update to version 0.0.20170105
* tools: add bash completion for wg(8)
* tools: add wg-quick
* tools: add makefile instructions
* tools: add systemd unit and auto-detection
This is an all-tools release. The new wg-quick tool
could use some testing and exposure, so we\'re posting
this snapshot a bit early to solicit feedback.
Fri Dec 30 13:00:00 2016 mardnhAATTgmx.de
- update to version 0.0.20161230
This is a fairly small release, and if you're a lazy package maintainer, you
can skip it if you don't have the time. The primary improvement and motivation
for making this snapshot is Android support.
* tools: rename 'bandwidth' to 'transfer' in output
Nice catch from Tomasz Torcz.
* external-tests: update to latest
The Go/Rust/Haskell examples have been updated.
* cookie: optimize
* blake2s: cleanup
Some nice optimizations and cleanups to increase code quality.
* wg-config: use ip rules instead of tungate
Rather than launching a routing daemon, we just use ip-rule(8). This should be
more straightforward, and work on more systems, such as Android.
* tools: syscall.h should actually be sys/syscall.h
* compat: support 3.18, 3.19, 4.0
Fri Dec 23 13:00:00 2016 mardnhAATTgmx.de
- update to version 0.0.20161223
* config: allow removing multiple peers at once
Before, specifying several peers to remove on the command line at the same
time would not work. This is now fixed.
* routing-table: simplify and mask reparented root
Now reparented entries in the routing table are properly masked, so that you
don't wind up with strange entries like "192.0.0.0/0".
* tools: allowed-ips is easier to parse with spaces instead of ", "
This is a slight change in the tools CLI that should make it easier to parse
with scripts.
* tools: do not use AI_ADDRCONFIG
It is now possible to configure IPv6 endpoints before IPv6 interfaces have
successfully gotten their IPs.
* wg-config: cleanup ip parsing
* wg-config: cleanups
General cleanups.
* cookies: use xchacha20poly1305 instead of chacha20poly1305
This is a big change. To simplify the security analysis, improve speed, and
simplify the code, we now use XChaChaPoly1305 with a random 24-byte nonce,
instead of using a random 32-byte salt.
Sun Dec 18 13:00:00 2016 mardnhAATTgmx.de
- update to version 0.0.20161218
* This is a quick snapshot to fix an error with the last one on big endian
systems. Probably only OpenWRT cares about this, and everybody else can
happily wait for the next more substantial snapshot.
Fri Dec 16 13:00:00 2016 mardnhAATTgmx.de
- update to version 0.0.20161216
* messages: increase header by 3 bytes for alignment
PACKAGERS PLEASE UPDATE, as this is a protocol-breaking change.
* device: disable ipv6 auto address generation
Now finally we have working tcpdump and no useless automatic IPv6 addresses.
* device: rc -> ret
* device: dellink is already implicitly unregister_netdevice_queue
* device: simplify device_init, since it only returns -EEXIST
* main: consistent lines
* device: clean up xmit error path
* device: allocate tstats in newlink
* global: move to consistent use of uN instead of uintN_t for kernel code
* crypto: use kernel's bitops functions
* messages: remove unused constants
* blake2s: move self tests to correct directory
* tools: fix latest-handshake typo in documentation
* noise: update comments
* config: cleanups
* types: enforce consistency
Numerous code quality cleanups.
* device: ensure icmp skb length check is done for v6
* receive: simplify ip header checking logic
This adds a missing length check and generally simplifies length checks
throughout.
* peer: don't use sockaddr_storage to reduce memory usage
Now that we have struct endpoint, ditching sockaddr_storage is a no-brainer.
It has the effect of making parallel decryption faster because it requires
less of an allocation for the ctx, and thus our kmemcache can be merged.
* tests: avoid non-strict writes via printf
Finally fixing this silly old bug.
* ratelimiter: drop family from action for 4.10
We're getting ready for the first rc of Linux 4.10.
* siphash: update against upstream submission
I've been preparing a big patch for upstream Linux to include SipHash, and in
the process I improved the implementation considerably.
* hashtables: use counter and int to ensure forward progress
This gives the best of both worlds between the two hashtable rng designs.
Sat Dec 10 13:00:00 2016 mardnhAATTgmx.de
- rebased patch: wireguard-remove-depmod.diff
- fix URL
- update to version 0.0.20161209
* hashtable: use random number each time
This reverts some hashtable changes from a while back.
* tests: make sure ncat gets killed
* tests: directly kill nmap
* qemu: bump kernel version
Now running `make test` cleans up some zombie ncat processes.
* build system: add dkms installation
This is a biggie for packagers. You can now run `make dkms-install` to install
the source and dkms.conf file to an environment-variable specified location.
Since the majority of downstreams are using dkms, providing it upstream makes
sense.
* data: reset tc when resetting skb
Correctness fix.
* device: clear all peer ephemeral keys on sleep
* device: make suspend code conditional on CONFIG_PM_SLEEP
WireGuard is now the only VPN software that will clear your ephemeral keys
before the computer goes into sleep. This is a nice security feature for
extreme cases.
* timers: add random jitter to handshake retry
* socket: clear src address when retrying handshake
This increases the reliability of reconnections succeeding in the case of
connection trouble.
* device: cleaner error teardown
* main: cleaner error teardown
* device: traditional if is cleaner than switch for this small
* compat: build dep errors belong here, since it's out of tree specific
* cookie: kill redundant forward declaration
Just code cleanups.
* contrib: add wg-config
This is a nice new example utility for adding a wireguard device and
configuring its IPs and routes all in one go. It's extensively documented in
its contrib directory and comes with a Makefile installer.
Wed Nov 30 13:00:00 2016 mardnhAATTgmx.de
- update to version experimental-0.0.20161129
* send: send packet initiation only after requeuing to prevent race
* tests: be sure we get all messages
* tests: veth does not come up immediately
We\'ve made the internal testing suite a bit more reliable.
* main: add version to dmesg
The module insertion message now shows the snapshot build date or the git
revision, depending, which will help with more easily determining what's
happening from people's logs. Too many incompetent bug reporters have
inexplicably neglected to mention the version or commit being used when
reporting a bug. This commit works around this human error, requested by
Kalin Kozhuharov and others.
* device: conntrack is optional
WireGuard can now run on machines that do not have connection tracking,
requested by Willy Tarreau and Baptiste Jonglez.
* ratelimiter: load hashlimit at modinsert time
Alex Xu pointed out an interesting deadlock, and we were able to trace it to
internal kernel infrastructure locking things in opposing orders. To work
around these bugs, WireGuard now loads the hashlimit module at insertion time
rather than at interface creation time.
* tools: warn about clock going backward
In the event that some script on your system is making the clock go wild
backward, the tools should probably indicate that the "last handshake
completed" date can't be correct, and that subsequent connections might fail.
This was reported by W. Kennington.
Wed Nov 16 13:00:00 2016 mardnhAATTgmx.de
- update to version experimental-0.0.20161116.1
* The earlier snapshot today broke some builds on kernels <= 4.3.
Packagers only need to bump versions for this single commit if
distribution kernels use <= 4.3.
Wed Nov 16 13:00:00 2016 mardnhAATTgmx.de
- update to version experimental-0.0.20161116
* socket: keep track of src address in sending packets
* socket: ensure that saddr routing can deal with interface removal
This is a rather important change. WireGuard will now reply using the same
source address on which it received a packet. This improves compatibility with
multi-homed hosts.
* debug: cleanup skb printing
* compat: rearrange
* tests: use private ipv6 addresses
* tests: trim output
* various: nits from willy
* packets: consolidate constants
* device: better debug message
A whole series of cleanups.
* device: we need NONE for libpcap
In the previous snapshot, we switched to using a VOID device type, so that
IPv6 autoconfiguration wouldn't assign a useless IP. But this broke libpcap
and tcpdump. So, we're back to using the NONE type, and getting a useless v6
address. This requires upstream Linux fixes to solve.
* chacha20poly1305: rely on avx and avx2
This works around braindead VPS providers who disable random opcodes.
Thu Nov 10 13:00:00 2016 mardnhAATTgmx.de
- update to version experimental-0.0.20161110
* data: we care about per-peer, not per-device, inflight encryptions
* data: squelch compiler warning on PARALLEL=n
* socket: release dst on routing loop
These are cleanups of the previous refactoring.
* qemu: use sparsemem always, for kasan
* qemu: kasan needs more memory
Automatically detecting memory corruption bugs should now be much easier.
* send: remove redundant time stamp
* cookie: avoid void pointer arithmetic
* debug: support dynamic debug on skb addr
* data: only uses kmem_cache for parallelism
* chacha20poly1305: don't forget version header
General bug fixes.
* socket: use more reasonable skb padding
Rather than the somewhat arbitrary ETH_HLEN + VLAN_HLEN + 16, we now use
NET_SKB_PAD.
* chacha20poly1305: it's just as fast to use these more simple unaligned access helpers
This completes our fixup of chacha20poly1305 for platforms with slow unaligned
access, such as MIPS.
* send: simplify handshake initiation queueing and introduce lock
Rate limiting is now applied globally, and while locked, which should make it
impossible for two threads to simultaneously cause a new handshake.
* selftest: add routing table tests for small subnets
* routing-table: mask self for better IP display
Giving allowed IPs an address like 192.168.121.128/16 will now be normalized
to 192.168.0.0/16 automatically.
* curve25519: use kmalloc in order to not overflow stack
This is HUGE. And OPENWRT PEOPLE SHOULD UPDATE IMMEDIATELY. This is a major
fix for platforms that do not use a separate IRQ stack, such as MIPS. All MIPS
users should update immediately for improved stability. An interesting mailing
list thread crossposted to LKML is on this list.
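An added example, not code from the WireGuard tree, of the allowed-IPs normalization described in the "routing-table: mask self" item above (and of the "192.0.0.0/0" case that the 0.0.20161223 entry mentions): the host bits beyond the prefix length are cleared, so 192.168.121.128/16 becomes 192.168.0.0/16 and 192.0.0.0/0 becomes 0.0.0.0/0, with the same routine serving IPv6 and rejecting prefixes wider than the address family. It uses inet_pton and inet_ntop from the POSIX socket API; the input strings are constructed for the demonstration.

```c
#include <arpa/inet.h>
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define OUT_LEN (INET6_ADDRSTRLEN + 5)   /* longest address + "/128" */

/* Clear every bit after the first `cidr` bits of an address of `len` bytes. */
static void mask_host_bits(uint8_t *addr, size_t len, unsigned int cidr)
{
	size_t i;
	for (i = 0; i < len; ++i) {
		unsigned int keep = cidr >= 8 ? 8 : cidr;    /* bits kept in this byte */
		addr[i] &= (uint8_t)(0xff << (8 - keep));     /* keep == 0 clears the byte */
		cidr -= keep;
	}
}

/* Normalize "address/prefix" (IPv4 or IPv6) to its network form, writing
 * e.g. "192.168.0.0/16" for "192.168.121.128/16" into out. A bare address is
 * treated as a single host (/32 or /128). Returns the prefix length, or -1
 * when the address does not parse, the prefix is not a plain number, the
 * prefix exceeds the family's width, or out is too small. */
int normalize_allowed_ip(const char *in, char *out, size_t outlen)
{
	char buf[OUT_LEN];
	char *slash, *end;
	uint8_t addr[16];
	int family;
	size_t alen, used;
	unsigned long cidr;

	if (strlen(in) >= sizeof(buf))
		return -1;
	strcpy(buf, in);
	slash = strchr(buf, '/');
	if (slash)
		*slash = '\0';
	family = strchr(buf, ':') ? AF_INET6 : AF_INET;
	alen = family == AF_INET6 ? 16 : 4;
	if (inet_pton(family, buf, addr) != 1)
		return -1;
	if (slash) {
		if (!isdigit((unsigned char)slash[1]))
			return -1;                         /* rejects "/", "/-1", "/ 8" */
		cidr = strtoul(slash + 1, &end, 10);
		if (*end != '\0' || cidr > alen * 8)
			return -1;
	} else {
		cidr = alen * 8;
	}
	mask_host_bits(addr, alen, (unsigned int)cidr);
	if (!inet_ntop(family, addr, out, (socklen_t)outlen))
		return -1;
	used = strlen(out);
	if (snprintf(out + used, outlen - used, "/%lu", cidr) >= (int)(outlen - used))
		return -1;                                 /* output buffer too small */
	return (int)cidr;
}

/* Helpers that return plain values, for checks and tests. */
int normalized_matches(const char *in, const char *expected)
{
	char out[OUT_LEN];
	return normalize_allowed_ip(in, out, sizeof(out)) >= 0 && strcmp(out, expected) == 0;
}

int normalized_prefix_len(const char *in)
{
	char out[OUT_LEN];
	return normalize_allowed_ip(in, out, sizeof(out));
}

int main(void)
{
	/* Constructed inputs: the two from the changelog plus IPv6 and error cases. */
	const char *inputs[] = { "192.168.121.128/16", "192.0.0.0/0",
	                         "2001:db8:ffff::1/33", "10.1.2.3", "10.0.0.1/33" };
	char out[OUT_LEN];
	size_t i;

	for (i = 0; i < sizeof(inputs) / sizeof(inputs[0]); ++i) {
		if (normalize_allowed_ip(inputs[i], out, sizeof(out)) < 0)
			printf("%-22s -> rejected\n", inputs[i]);
		else
			printf("%-22s -> %s\n", inputs[i], out);
	}
	return 0;
}
```

Normalizing on input means two entries that name the same network with different host bits compare equal, which is what a routing table keyed on prefixes needs; the prefix-width check is what turns a typo like /33 into an error instead of a silently accepted entry.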
Sun Nov 6 13:00:00 2016 mardnhAATTgmx.de
- update to version experimental-0.0.20161105
* socket: use dst_cache instead of handrolled cache
* compat: stub out dst_cache for old kernels
* socket: route() returns an error pointer, not NULL on failure
* socket: big refactoring
Rather than our hand rolled routing cache, we now use the kernel's own
dst_cache, which was added to the kernel after 4.5 and wasn't available when
wireguard was first developed. The performance is on par with ours, but this
way we reduce complexity.
* data: take reference to peer
* data: use smaller types
* send: queue bundles on same CPU
* data: keep FPU on when possible
* data: use a memory cache for parallel ctx
* compat: fix variable assumptions
This series of optimizations is huge, resulting in *doubled throughput* on my
development laptop. This is a major performance win, achieved by batching up
sequential packets on the same processor core, with the observation that
waiting for cores to synchronize takes time and defeats multi-core
improvements. Wireguard should now scale better to systems with tons of cores.
* compat: some grsec have get_random_long; others do not
Wireguard now builds with the stable release of grsec that used to be testing.
In other words, distro stable grsec packages that are out of date and
unmaintained can now use wireguard without modification.
* qemu: move build outside of kernel dir to avoid kernel's make clean
* qemu: work around termio race condition
* qemu: move marker to top and flush
* qemu: fail if module selftests fail
The qemu test suite received more stability improvements and a workaround for
a virtio bug.
* tools: chill modern gcc out
* c89: the static keyword is okay in c99, but not in c89
* chacha20poly1305: cleanup magic constants
General code and compiler fixes.
Thu Nov 3 13:00:00 2016 mardnhAATTgmx.de
- update to version experimental-0.0.20161102
* timers: take reference like a lookup table
* qemu: newer default kernel
Small improvements as usual.
* device: use ARPHDR_VOID instead of ARPHDR_NONE
We now avoid auto-assigning randomly generated IPv6 addresses to interfaces,
since this doesn\'t make sense in the context of cryptokey routing. This should
prevent those pesky log messages about trying to send to unrouted RA IPs.
* chacha20poly1305: src is different from dst on last piece
This is a critical patch and the reason why this snapshot is being cut so soon
after the previous. PACKAGERS: bump your packages.
Wed Nov 2 13:00:00 2016 mardnhAATTgmx.de
- update to version experimental-0.0.20161102
* peer: kref is most likely to succeed
* data: do not allow usage of keypair just before hash removal
* kref: elide checks
These fix a potential race condition that could trigger kernel warning
messages.
* tools: everybody hates automatic stripping
* tools: abstract pkg-config to PKG_CONFIG
Sun Oct 30 13:00:00 2016 mardnhAATTgmx.de
- update to version experimental-0.0.20161025
* noise: comment/document the key swapping
It turns out this is a bit interesting, and there's an interesting TODO item
in there now regarding a KPI choice that may or may not be an issue.
* debug: keep alive -> keepalive
* device: better debug message for unroutable packets
The latter should make it more clear why certain packets aren\'t being sent. In
most cases for properly configured interfaces, this will just show v6 RA
addresses.
* timers: avoid thundering herd for simultaneous initiation
By applying slack time to the initiation schedule, we can take advantage of
the fact that jiffies does not have the same exact start quantum on all
computers, giving us the natural jitter we need.
* timers: kill half-open handshakes after a while
This ensures partial ephemeral sessions are cleared, even if they're never
used.
* timers: always delay handshakes for responder
* timers: only have initiator rekey
These are two different solutions to the same problem. Namely, we don't want
the responder to reinitiate a handshake at the same time as the initiator, in
the case that a TCP SYN is sent after 120 seconds of the session. See the
individual commit messages for an in depth explanation of the two different
approaches and the one I ultimately chose.
* receive: always send confirmation, even if queue is empty
It's essential that the initiator always sends confirmation to the responder,
so that the responder can send packets using the new key ASAP. This is
required when handshakes roll-over during sparsely utilized links.
* compat: support PaX constify plugin
* data: reset all packet fields like tun.c
* compat: grsecurity backports get_random_long
WireGuard now compiles and runs fine on both grsecurity/PaX stable and testing.
Fri Oct 14 14:00:00 2016 mardnhAATTgmx.de
- update to version experimental-0.0.20161014
* send: only avoid parallel path when there aren\'t inflight jobs
* send: requeue jobs for later if padata is full
* send: ensure that rekey retries are staggered
* device: show debug message when no peer has allowed-ips for packet
* compat: more functions moved upstream into 4.9
Sat Oct 1 14:00:00 2016 mardnhAATTgmx.de
- update to version experimental-0.0.20161001
* poly1305: optimize unaligned access
This is a very appreciated fix from René van Dorst, adjusting the arithmetic
in Poly1305 to work fast on platforms with slow unaligned access, such as
MIPS. According to his calculation, this gives a 50% improvement on small MIPS
boxes.
* hashtables: use rdrand() instead of counter
Rather than incrementing a counter, we instead use rdrand, which gives us an
extremely fast source of random numbers. We're still running this through
siphash with a secret, so a backdoored rdrand implementation won\'t be a
problem.
* examples: add nat-hole-punching
https://lists.zx2c4.com/pipermail/wireguard/2016-August/000372.html
https://git.zx2c4.com/WireGuard/tree/contrib/examples/nat-hole-punching/README
* examples: add key extractor
https://lists.zx2c4.com/pipermail/wireguard/2016-August/000373.html
https://git.zx2c4.com/WireGuard/tree/contrib/examples/extract-keys/README
* tools: allow multiple AllowedIPs invocations
Multiple AllowedIPs= lines can now be specified, which could improve
readability of the config files.
* send: properly encapsulate ECN
Thanks to the guidance of Dave Taht, we now support ECN.
* Rework headers and includes
* compat: Isolate more functions
In anticipation of upstreaming WireGuard, we've now moved most of our
version-specific #ifdefs to compat.h, where we use horrible macro tricks to
redefine functions for old versions. This allows us to keep the actual code as
clean as possible. When we merge to mainline, compat.h will be deleted
wholesale.
* tests: test jumbo frames with more transfer
* tests: add crypto-RP filter test
* qemu: enhancements
With this and numerous other commits, we've further expanded the test suite.
Sun Aug 14 14:00:00 2016 mardnhAATTgmx.de
- update to version experimental-0.0.20160808
* timers: upstream removed the slack concept
We now group timers ourselves, this time with the ability to round down. This
ensures that we don't wind up rescheduling timers for every packet, but
instead keeping things within a quarter second window.
* c: specify static array size in function params
See https://hamberg.no/erlend/posts/2013-02-18-static-array-indices.html
* contrib: move patchers to contrib/kernel-tree
There are now two patchers:
- contrib/kernel-tree/create-patch.sh: this patcher simply spits out a patch
for use with `patch(1)` to stdout.
- contrib/kernel-tree/jerry-rig.sh: this is the old hack that patches into
the kernel tree a reference to the WireGuard tree.
* tools: do not show private keys in pretty output
The `WG_HIDE_KEYS` environment variable now determines whether or not keys are
shown in the pretty `wg show` output.
* persistent-keepalive: change range to [1,65535]
Linux connection tracking is granular to 1 second, so it's important that we
do the same.
* selftest: move to subfolder
* Kbuild: move module deps out of tests/
* tests: use makefile and expand greatly
This is a big one. The entire testing subsystem has been entirely expanded.
With the help of Alex Xu and Naveen Nathan, the test suite is now hugely
expanded, and even does NAT testing with the persistent-keepalive feature. Not
only that, but the QEMU runner now builds from a Makefile and is much more
robust. We now build and run 7 kernels for every single commit, with the test
results published on https://www.wireguard.io/build-status/
* ratelimiter: do not require IPv6
CONFIG_IPV6 is no longer required at all for WireGuard.
Fri Jul 22 14:00:00 2016 mardnhAATTgmx.de
- update to version experimental-0.0.20160722
* tools: abstract sockets are dangerous
* tools: Use seqpacket instead of dgram
* tools: use stream instead of seqpacket
* tools: propagate set errno
* tools: add default cflag
* tools: add -MP to makefile
* socket: simpler debug message
* socket: reset IPv4 socket to NULL after free
* socket: fix compat for 4.1 v6 sockets
* cookie: do not expose csprng directly
* index hashtable: run random indices through siphash
Thu Jul 21 14:00:00 2016 mardnhAATTgmx.de
- update to version experimental-0.0.20160721
* tests: improve test suite and add qemu tester
You can now run `make test` to do some nice functional testing of the
module. As well, there's now src/tests/qemu.sh which builds and installs a
mini userspace and kernel, boots it up in qemu, and runs the tests. This
does not require root access, and provides a good way of testing for
packagers. Note that I very much would like to see some patches cleaning up
qemu.sh if anybody is interested.
* Kconfig: select IP6_NF_IPTABLES if using IPV6
* build system: revamp building and configuration
This build system is much more robust, and we\'ve gotten all the dependencies
worked out. Check out wireguard.io/install/ and scroll to the bottom to see
all the information about kernel dependencies.
* tools: fix numbering in man page
* tools: first additions of userspace integration
* tools: support horrible freebsd/osx/unix semantics
* tools: rename kernel to ipc
The wg(8) tool now implements the necessary protocol to work with new
WireGuard userspace implementations! The extremely simple IPC protocol is
documented here -- wireguard.io/xplatform/ -- and is essentially the same
way in which wg(8) communicates with the kernel. This should be exceedingly
simple to implement, and we fully expect for all userspace implementation
efforts currently occurring to use this, so that wg(8) can administer any
kind of implementation with the same interface. It also compiles on OS X now
and there's a pull request for including this in Homebrew:
https://github.com/Homebrew/homebrew-core/pull/3183
Mon Jul 11 14:00:00 2016 mardnhAATTgmx.de
- update to version experimental-0.0.20160711
* persistent keepalive: use authenticated keepalives
This is by far the biggest and most important change of this snapshot, and
indeed is the entire reason why we're releasing another one for folks to
test out. It was pointed out on the mailing list that if keepalives aren't
authenticated, it's impossible for the receiver to update the source IP/port
of the sender. So, we make them authenticated, which means turning on the
"persistent-keepalive" feature is basically saying "always hold an active
session open". WireGuard is by default non-chatty -- there won't be an active
session if you're not sending anything. So, if this is a problem with
wanting to receive connections while idle and behind NAT, then you can use
this feature for always maintaining an active session.
* timers: rename
* timers: rename *authorized* functions to *authenticated*
* timers: do not consider keepalives to be data sent
* examples: update ncat-client-server readme
* keepalives: only queue keepalive when queue is empty
* persistent keepalive: use unsigned long to avoid multiplication in hotpath
* timers: document conditions for calling
* timers: move timer calls out of hot loop
* timers: apply slack to hotpath timers
* receive: no need to test for !len
* receive: assume we usually succeed with userspace
Fri Jul 8 14:00:00 2016 mardnhAATTgmx.de
- update to version experimental-0.0.20160708.1
* persistent keepalive: start sending immediately -- the previously released
feature was not useful without this extra commit. So, getting this in here
now so that people can actually test this out. Sorry for the churn. Don't
bother packaging the previous snapshot.
Fri Jul 8 14:00:00 2016 mardnhAATTgmx.de
- update to version experimental-0.0.20160708
* Remove old development scripts and cruft from contrib/.
* Reorganize contrib/examples. Distribution packagers are now encouraged to
install contrib/examples to /usr/share/${pkg}/examples.
* Make sure we add 4611686018427387914 to TAI64N second stamps, to be in spec.
* Improve error reporting and detection in wg(8), ignoring extra input and
generally being more helpful.
* Enable always falling back to /dev/urandom when getrandom(2) fails.
* Add synergy example script.
* Use `pkg-config` for libmnl in tools Makefile if it exists. Otherwise we
fallback to just specifying -lmnl statically.
* Improve go test to send and receive ICMP ping packet through tunnel.
* Add the new persistent keepalive mechanism, as discussed on the mailing
list. This is available via `wg set wg0 peer ABCD persistent-keepalive 25`
as well as `PersistentKeepalive = 25` in the `[Peer]` section of
configuration files. This is off by default, as it's only useful for users
behind NAT or a stateful firewall that expect to receive external VPN
connections while they are idle. This has been documented in the wg(8) man
page as well as a small blurb on the quick start page of the website.
- removed patch:
* wireguard-set-libmnl-includedir-with-pkgconfig.diff (fixed upstream)
- packaged examples from contrib/examples
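The TAI64N item above names the offset 4611686018427387914 (2**62 plus the 10 s by which TAI led UTC at the Unix epoch) without showing the format. The following is an added example, not WireGuard's own code: it encodes and decodes 12-byte TAI64N stamps with that offset, and shows the monotonic-stamp check a responder can apply to detect a replayed handshake initiation (the `ReplayGuard` class and its per-peer table are this example's own construction).

```python
"""TAI64N helpers: 8-byte big-endian TAI seconds followed by 4-byte nanoseconds."""
import struct

# 2**62 marks 1970-01-01 00:00:00 TAI; Unix time 0 is 10 s later in TAI.
# This is the fixed offset from the changelog; later leap seconds are ignored.
TAI64_OFFSET = 4611686018427387914
assert TAI64_OFFSET == 2**62 + 10

TAI64N_LEN = 12


def tai64n_encode(unix_seconds: int, nanoseconds: int = 0) -> bytes:
    """Return the 12-byte TAI64N stamp for a Unix time with nanoseconds."""
    if not 0 <= nanoseconds < 10**9:
        raise ValueError("nanoseconds must be in [0, 1e9)")
    tai_seconds = unix_seconds + TAI64_OFFSET
    if not 0 <= tai_seconds < 2**64:
        raise ValueError("seconds out of TAI64 range")
    return struct.pack(">QI", tai_seconds, nanoseconds)


def tai64n_decode(stamp: bytes) -> tuple[int, int]:
    """Parse a 12-byte TAI64N stamp back into (unix_seconds, nanoseconds)."""
    if len(stamp) != TAI64N_LEN:
        raise ValueError("TAI64N stamp must be exactly 12 bytes")
    tai_seconds, nanoseconds = struct.unpack(">QI", stamp)
    if nanoseconds >= 10**9:
        raise ValueError("nanoseconds field out of range")
    return tai_seconds - TAI64_OFFSET, nanoseconds


class ReplayGuard:
    """Accept a peer's stamp only if it is strictly newer than the last one seen.

    Because the stamp is big-endian with seconds before nanoseconds, byte-wise
    comparison orders stamps exactly like (seconds, nanoseconds) tuples.
    """

    def __init__(self) -> None:
        self._latest: dict[str, bytes] = {}  # constructed per-peer table

    def accept(self, peer_id: str, stamp: bytes) -> bool:
        if len(stamp) != TAI64N_LEN:
            return False  # malformed stamp is never accepted
        last = self._latest.get(peer_id)
        if last is not None and stamp <= last:
            return False  # equal or older stamp: treat as a replay
        self._latest[peer_id] = stamp
        return True
```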
Wed Jul 6 14:00:00 2016 mardnhAATTgmx.de
- renamed subpackage for the userspace-tool
wireguard -> wireguard-tools
Tue Jul 5 14:00:00 2016 mardnhAATTgmx.de
- use snapshot tags instead of pulling from the git directly
Tue Jul 5 14:00:00 2016 mardnhAATTgmx.de
- initial package